Use AD-KDCIssued to protect RADIUS authdata. Cleanup.

[mech_eap.orig] / wrap_iov.c

diff --git a/wrap_iov.c b/wrap_iov.c
index 754eb0f..ae43ef9 100644 (file)
--- a/wrap_iov.c
+++ b/wrap_iov.c
@@ -55,6 +55,27 @@
 
 #include "gssapiP_eap.h"
 
+unsigned char
+rfc4121Flags(gss_ctx_id_t ctx, int receiving)
+{
+    unsigned char flags;
+    int isAcceptor;
+
+    isAcceptor = !CTX_IS_INITIATOR(ctx);
+    if (receiving)
+        isAcceptor = !isAcceptor;
+
+    flags = 0;
+    if (isAcceptor)
+        flags |= TOK_FLAG_SENDER_IS_ACCEPTOR;
+
+    if ((ctx->flags & CTX_FLAG_KRB_REAUTH_GSS) &&
+        (ctx->gssFlags & GSS_C_MUTUAL_FLAG))
+        flags |= TOK_FLAG_ACCEPTOR_SUBKEY;
+
+    return flags;
+}
+
 OM_uint32
 gssEapWrapOrGetMIC(OM_uint32 *minor,
                    gss_ctx_id_t ctx,
@@ -68,7 +89,7 @@ gssEapWrapOrGetMIC(OM_uint32 *minor,
     gss_iov_buffer_t header;
     gss_iov_buffer_t padding;
     gss_iov_buffer_t trailer;
-    unsigned char acceptorFlag;
+    unsigned char flags;
     unsigned char *outbuf = NULL;
     unsigned char *tbuf = NULL;
     int keyUsage;
@@ -77,19 +98,22 @@ gssEapWrapOrGetMIC(OM_uint32 *minor,
     size_t dataLen, assocDataLen;
     krb5_context krbContext;
 
-    if (!CTX_IS_ESTABLISHED(ctx))
-        return GSS_S_NO_CONTEXT;
+    if (ctx->encryptionType == ENCTYPE_NULL)
+        return GSS_S_UNAVAILABLE;
 
     GSSEAP_KRB_INIT(&krbContext);
 
-    acceptorFlag = CTX_IS_INITIATOR(ctx) ? 0 : TOK_FLAG_SENDER_IS_ACCEPTOR;
-    keyUsage = ((toktype == TOK_TYPE_WRAP)
-                ? (CTX_IS_INITIATOR(ctx)
+    flags = rfc4121Flags(ctx, FALSE);
+
+    if (toktype == TOK_TYPE_WRAP) {
+        keyUsage = CTX_IS_INITIATOR(ctx)
                    ? KEY_USAGE_INITIATOR_SEAL
-                   : KEY_USAGE_ACCEPTOR_SEAL)
-                : (CTX_IS_INITIATOR(ctx)
+                   : KEY_USAGE_ACCEPTOR_SEAL;
+    } else {
+        keyUsage = CTX_IS_INITIATOR(ctx)
                    ? KEY_USAGE_INITIATOR_SIGN
-                   : KEY_USAGE_ACCEPTOR_SIGN));
+                   : KEY_USAGE_ACCEPTOR_SIGN;
+    }
 
     gssEapIovMessageLength(iov, iov_count, &dataLen, &assocDataLen);
 
@@ -167,16 +191,15 @@ gssEapWrapOrGetMIC(OM_uint32 *minor,
         /* TOK_ID */
         store_uint16_be((uint16_t)toktype, outbuf);
         /* flags */
-        outbuf[2] = (acceptorFlag
-                     | (conf_req_flag ? TOK_FLAG_WRAP_CONFIDENTIAL : 0)
-                     | (0 ? TOK_FLAG_ACCEPTOR_SUBKEY : 0));
+        outbuf[2] = flags
+                     | (conf_req_flag ? TOK_FLAG_WRAP_CONFIDENTIAL : 0);
         /* filler */
         outbuf[3] = 0xFF;
         /* EC */
         store_uint16_be(ec, outbuf + 4);
         /* RRC */
         store_uint16_be(0, outbuf + 6);
-        store_64_be(ctx->sendSeq, outbuf + 8);
+        store_uint64_be(ctx->sendSeq, outbuf + 8);
 
         /*
          * EC | copy of header to be encrypted, located in
@@ -241,8 +264,7 @@ gssEapWrapOrGetMIC(OM_uint32 *minor,
         /* TOK_ID */
         store_uint16_be((uint16_t)toktype, outbuf);
         /* flags */
-        outbuf[2] = (acceptorFlag
-                     | (0 ? TOK_FLAG_ACCEPTOR_SUBKEY : 0));
+        outbuf[2] = flags;
         /* filler */
         outbuf[3] = 0xFF;
         if (toktype == TOK_TYPE_WRAP) {
@@ -258,7 +280,7 @@ gssEapWrapOrGetMIC(OM_uint32 *minor,
             store_uint16_be(0xFFFF, outbuf + 4);
             store_uint16_be(0xFFFF, outbuf + 6);
         }
-        store_64_be(ctx->sendSeq, outbuf + 8);
+        store_uint64_be(ctx->sendSeq, outbuf + 8);
 
         code = gssEapSign(krbContext, ctx->checksumType,
                           rrc, &ctx->rfc3961Key, keyUsage,
@@ -277,7 +299,8 @@ gssEapWrapOrGetMIC(OM_uint32 *minor,
     } else if (toktype == TOK_TYPE_MIC) {
         trailer = NULL;
         goto wrap_with_checksum;
-    } else if (toktype == TOK_TYPE_DELETE) {
+    } else if (toktype == TOK_TYPE_DELETE_CONTEXT) {
+        trailer = NULL;
         goto wrap_with_checksum;
     } else {
         abort();
@@ -291,10 +314,7 @@ cleanup:
 
     *minor = code;
 
-    if (code == 0)
-        return GSS_S_FAILURE;
-    else
-        return GSS_S_COMPLETE;
+    return (code == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
 }
 
 OM_uint32
@@ -306,6 +326,9 @@ gss_wrap_iov(OM_uint32 *minor,
              gss_iov_buffer_desc *iov,
              int iov_count)
 {
+    if (!CTX_IS_ESTABLISHED(ctx))
+        return GSS_S_NO_CONTEXT;
+
     return gssEapWrapOrGetMIC(minor, ctx, conf_req_flag, conf_state,
-                             iov, iov_count, TOK_TYPE_WRAP);
+                              iov, iov_count, TOK_TYPE_WRAP);
 }