gss_iov_buffer_t header;
gss_iov_buffer_t padding;
gss_iov_buffer_t trailer;
- unsigned char acceptor_flag;
+ unsigned char acceptorFlag;
unsigned char *outbuf = NULL;
unsigned char *tbuf = NULL;
- int key_usage;
+ int keyUsage;
size_t rrc = 0;
- unsigned int gss_headerlen, gss_trailerlen;
- size_t data_length, assoc_data_length;
+ unsigned int gssHeaderLen, gssTrailerLen;
+ size_t dataLen, assocDataLen;
+ krb5_context krbContext;
if (!CTX_IS_ESTABLISHED(ctx))
return GSS_S_NO_CONTEXT;
- acceptor_flag = CTX_IS_INITIATOR(ctx) ? 0 : TOK_FLAG_SENDER_IS_ACCEPTOR;
- key_usage = ((toktype == TOK_TYPE_WRAP)
- ? (CTX_IS_INITIATOR(ctx)
- ? KEY_USAGE_INITIATOR_SEAL
- : KEY_USAGE_ACCEPTOR_SEAL)
- : (CTX_IS_INITIATOR(ctx)
- ? KEY_USAGE_INITIATOR_SIGN
- : KEY_USAGE_ACCEPTOR_SIGN));
+ if (ctx->encryptionType == ENCTYPE_NULL)
+ return GSS_S_UNAVAILABLE;
- gssEapIovMessageLength(iov, iov_count, &data_length, &assoc_data_length);
+ GSSEAP_KRB_INIT(&krbContext);
+
+ acceptorFlag = CTX_IS_INITIATOR(ctx) ? 0 : TOK_FLAG_SENDER_IS_ACCEPTOR;
+ keyUsage = ((toktype == TOK_TYPE_WRAP)
+ ? (CTX_IS_INITIATOR(ctx)
+ ? KEY_USAGE_INITIATOR_SEAL
+ : KEY_USAGE_ACCEPTOR_SEAL)
+ : (CTX_IS_INITIATOR(ctx)
+ ? KEY_USAGE_INITIATOR_SIGN
+ : KEY_USAGE_ACCEPTOR_SIGN));
+
+ gssEapIovMessageLength(iov, iov_count, &dataLen, &assocDataLen);
header = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
if (header == NULL) {
trailer = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
if (toktype == TOK_TYPE_WRAP && conf_req_flag) {
- unsigned int k5_headerlen, k5_trailerlen, k5_padlen;
+ unsigned int krbHeaderLen, krbTrailerLen, krbPadLen;
size_t ec = 0;
- size_t conf_data_length = data_length - assoc_data_length;
+ size_t confDataLen = dataLen - assocDataLen;
- code = krb5_c_crypto_length(ctx->kerberosCtx, ctx->encryptionType,
- KRB5_CRYPTO_TYPE_HEADER, &k5_headerlen);
+ code = krb5_c_crypto_length(krbContext, ctx->encryptionType,
+ KRB5_CRYPTO_TYPE_HEADER, &krbHeaderLen);
if (code != 0)
goto cleanup;
- code = krb5_c_padding_length(ctx->kerberosCtx, ctx->encryptionType,
- conf_data_length + 16 /* E(Header) */,
- &k5_padlen);
+ code = krb5_c_padding_length(krbContext, ctx->encryptionType,
+ confDataLen + 16 /* E(Header) */,
+ &krbPadLen);
if (code != 0)
goto cleanup;
- if (k5_padlen == 0 && (ctx->gssFlags & GSS_C_DCE_STYLE)) {
+ if (krbPadLen == 0 && (ctx->gssFlags & GSS_C_DCE_STYLE)) {
/* Windows rejects AEAD tokens with non-zero EC */
- code = krb5_c_block_size(ctx->kerberosCtx, ctx->encryptionType, &ec);
+ code = krb5_c_block_size(krbContext, ctx->encryptionType, &ec);
if (code != 0)
goto cleanup;
} else
- ec = k5_padlen;
+ ec = krbPadLen;
- code = krb5_c_crypto_length(ctx->kerberosCtx, ctx->encryptionType,
- KRB5_CRYPTO_TYPE_TRAILER, &k5_trailerlen);
+ code = krb5_c_crypto_length(krbContext, ctx->encryptionType,
+ KRB5_CRYPTO_TYPE_TRAILER, &krbTrailerLen);
if (code != 0)
goto cleanup;
- gss_headerlen = 16 /* Header */ + k5_headerlen;
- gss_trailerlen = ec + 16 /* E(Header) */ + k5_trailerlen;
+ gssHeaderLen = 16 /* Header */ + krbHeaderLen;
+ gssTrailerLen = ec + 16 /* E(Header) */ + krbTrailerLen;
if (trailer == NULL) {
- rrc = gss_trailerlen;
+ rrc = gssTrailerLen;
/* Workaround for Windows bug where it rotates by EC + RRC */
if (ctx->gssFlags & GSS_C_DCE_STYLE)
rrc -= ec;
- gss_headerlen += gss_trailerlen;
+ gssHeaderLen += gssTrailerLen;
}
if (header->type & GSS_IOV_BUFFER_FLAG_ALLOCATE) {
- code = gssEapAllocIov(header, (size_t) gss_headerlen);
- } else if (header->buffer.length < gss_headerlen)
+ code = gssEapAllocIov(header, (size_t)gssHeaderLen);
+ } else if (header->buffer.length < gssHeaderLen)
code = KRB5_BAD_MSIZE;
if (code != 0)
goto cleanup;
outbuf = (unsigned char *)header->buffer.value;
- header->buffer.length = (size_t) gss_headerlen;
+ header->buffer.length = (size_t)gssHeaderLen;
if (trailer != NULL) {
if (trailer->type & GSS_IOV_BUFFER_FLAG_ALLOCATE)
- code = gssEapAllocIov(trailer, (size_t) gss_trailerlen);
- else if (trailer->buffer.length < gss_trailerlen)
+ code = gssEapAllocIov(trailer, (size_t)gssTrailerLen);
+ else if (trailer->buffer.length < gssTrailerLen)
code = KRB5_BAD_MSIZE;
if (code != 0)
goto cleanup;
- trailer->buffer.length = (size_t) gss_trailerlen;
+ trailer->buffer.length = (size_t)gssTrailerLen;
}
/* TOK_ID */
store_uint16_be((uint16_t)toktype, outbuf);
/* flags */
- outbuf[2] = (acceptor_flag
+ outbuf[2] = (acceptorFlag
| (conf_req_flag ? TOK_FLAG_WRAP_CONFIDENTIAL : 0)
| (0 ? TOK_FLAG_ACCEPTOR_SUBKEY : 0));
/* filler */
store_uint16_be(ec, outbuf + 4);
/* RRC */
store_uint16_be(0, outbuf + 6);
- store_64_be(ctx->sendSeq, outbuf + 8);
+ store_uint64_be(ctx->sendSeq, outbuf + 8);
/*
* EC | copy of header to be encrypted, located in
memset(tbuf, 0xFF, ec);
memcpy(tbuf + ec, header->buffer.value, 16);
- code = gssEapEncrypt(ctx->kerberosCtx,
+ code = gssEapEncrypt(krbContext,
((ctx->gssFlags & GSS_C_DCE_STYLE) != 0),
- ec, rrc, ctx->encryptionKey,
- key_usage, 0, iov, iov_count);
+ ec, rrc, &ctx->rfc3961Key,
+ keyUsage, 0, iov, iov_count);
if (code != 0)
goto cleanup;
} else if (toktype == TOK_TYPE_WRAP && !conf_req_flag) {
wrap_with_checksum:
- gss_headerlen = 16;
+ gssHeaderLen = 16;
- code = krb5_c_crypto_length(ctx->kerberosCtx, ctx->encryptionType,
+ code = krb5_c_crypto_length(krbContext, ctx->encryptionType,
KRB5_CRYPTO_TYPE_CHECKSUM,
- &gss_trailerlen);
+ &gssTrailerLen);
if (code != 0)
goto cleanup;
- assert(gss_trailerlen <= 0xFFFF);
+ assert(gssTrailerLen <= 0xFFFF);
if (trailer == NULL) {
- rrc = gss_trailerlen;
- gss_headerlen += gss_trailerlen;
+ rrc = gssTrailerLen;
+ gssHeaderLen += gssTrailerLen;
}
if (header->type & GSS_IOV_BUFFER_FLAG_ALLOCATE)
- code = gssEapAllocIov(header, (size_t) gss_headerlen);
- else if (header->buffer.length < gss_headerlen)
+ code = gssEapAllocIov(header, (size_t)gssHeaderLen);
+ else if (header->buffer.length < gssHeaderLen)
code = KRB5_BAD_MSIZE;
if (code != 0)
goto cleanup;
outbuf = (unsigned char *)header->buffer.value;
- header->buffer.length = (size_t) gss_headerlen;
+ header->buffer.length = (size_t)gssHeaderLen;
if (trailer != NULL) {
if (trailer->type & GSS_IOV_BUFFER_FLAG_ALLOCATE)
- code = gssEapAllocIov(trailer, (size_t) gss_trailerlen);
- else if (trailer->buffer.length < gss_trailerlen)
+ code = gssEapAllocIov(trailer, (size_t)gssTrailerLen);
+ else if (trailer->buffer.length < gssTrailerLen)
code = KRB5_BAD_MSIZE;
if (code != 0)
goto cleanup;
- trailer->buffer.length = (size_t) gss_trailerlen;
+ trailer->buffer.length = (size_t)gssTrailerLen;
}
/* TOK_ID */
store_uint16_be((uint16_t)toktype, outbuf);
/* flags */
- outbuf[2] = (acceptor_flag
+ outbuf[2] = (acceptorFlag
| (0 ? TOK_FLAG_ACCEPTOR_SUBKEY : 0));
/* filler */
outbuf[3] = 0xFF;
store_uint16_be(0xFFFF, outbuf + 4);
store_uint16_be(0xFFFF, outbuf + 6);
}
- store_64_be(ctx->sendSeq, outbuf + 8);
+ store_uint64_be(ctx->sendSeq, outbuf + 8);
- code = gssEapSign(ctx->kerberosCtx, ctx->checksumType,
- rrc, ctx->encryptionKey, key_usage,
+ code = gssEapSign(krbContext, 0, /* 0 == pick from crypto */
+ rrc, &ctx->rfc3961Key, keyUsage,
iov, iov_count);
if (code != 0)
goto cleanup;
if (toktype == TOK_TYPE_WRAP) {
/* Fix up EC field */
- store_uint16_be(gss_trailerlen, outbuf + 4);
+ store_uint16_be(gssTrailerLen, outbuf + 4);
/* Fix up RRC field */
store_uint16_be(rrc, outbuf + 6);
}
} else if (toktype == TOK_TYPE_MIC) {
trailer = NULL;
goto wrap_with_checksum;
- } else if (toktype == TOK_TYPE_DELETE) {
+ } else if (toktype == TOK_TYPE_DELETE_CONTEXT) {
+ trailer = NULL;
goto wrap_with_checksum;
} else {
abort();