svn rev #21538: branches/mskrb-integ/src/lib/ crypto/ gssapi/krb5/

lhoward@MIT.EDU lhoward at MIT.EDU
Thu Dec 18 09:22:27 EST 2008


http://src.mit.edu/fisheye/changelog/krb5/?cs=21538
Commit By: lhoward
Log Message:
Fix GSS 3DES IOV



Changed Files:
U   branches/mskrb-integ/src/lib/crypto/etypes.c
U   branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h
U   branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c
U   branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c
U   branches/mskrb-integ/src/lib/gssapi/krb5/util_cksum.c
U   branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c
Modified: branches/mskrb-integ/src/lib/crypto/etypes.c
===================================================================
--- branches/mskrb-integ/src/lib/crypto/etypes.c	2008-12-18 13:35:57 UTC (rev 21537)
+++ branches/mskrb-integ/src/lib/crypto/etypes.c	2008-12-18 14:22:21 UTC (rev 21538)
@@ -95,7 +95,7 @@
       krb5int_dk_string_to_key,
       NULL, /*PRF*/
       0,
-      NULL  /*AEAD*/ },
+      &krb5int_aead_raw },
 
     { ENCTYPE_DES3_CBC_SHA1,
       "des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1",
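Review bot: The replaced initializer line drops the `/*AEAD*/` field label, while the slot two lines above keeps `NULL, /*PRF*/`. Keeping it, as in `&krb5int_aead_raw /*AEAD*/ },`, makes this positional initializer easier to audit. The entry this line belongs to starts above the hunk, so which enctype gains the raw AEAD provider cannot be confirmed from here.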

Modified: branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h
===================================================================
--- branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h	2008-12-18 13:35:57 UTC (rev 21537)
+++ branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h	2008-12-18 14:22:21 UTC (rev 21538)
@@ -392,12 +392,13 @@
 
 krb5_error_code kg_make_checksum_iov_v1(krb5_context context,
 		krb5_cksumtype type,
-		int conf_req_flag,
+		size_t token_cksum_len,
 		krb5_keyblock *seq,
 		krb5_keyblock *enc, /* for conf len */
 		krb5_keyusage sign_usage,
 		gss_iov_buffer_desc *iov,
 		int iov_count,
+		int toktype,
 		krb5_checksum *checksum);
 
 krb5_error_code kg_make_checksum_iov_v3(krb5_context context,
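Review bot: The prototype names the third parameter `token_cksum_len`, but the definition in util_cksum.c in this same commit calls it `cksum_len`; one name should be used in both places. The slot also changed meaning from a boolean flag to a byte count, and a `toktype` argument was added, so a short comment above the prototype would help. For example: `/* cksum_len: size of SGN_CKSUM in the token header; toktype: KG_TOK_* value, a confounder is covered only for KG_TOK_WRAP_MSG */`.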

Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c
===================================================================
--- branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c	2008-12-18 13:35:57 UTC (rev 21537)
+++ branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c	2008-12-18 14:22:21 UTC (rev 21538)
@@ -184,8 +184,9 @@
 
     /* compute the checksum */
     code = kg_make_checksum_iov_v1(context, md5cksum.checksum_type,
-				   (k5_headerlen != 0), ctx->seq, ctx->enc,
-				   sign_usage, iov, iov_count, &md5cksum);
+				   ctx->cksum_size, ctx->seq, ctx->enc,
+				   sign_usage, iov, iov_count, toktype,
+				   &md5cksum);
     if (code != 0)
 	goto cleanup;
 

Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c
===================================================================
--- branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c	2008-12-18 13:35:57 UTC (rev 21537)
+++ branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c	2008-12-18 14:22:21 UTC (rev 21538)
@@ -221,8 +221,9 @@
 
     /* compute the checksum of the message */
     code = kg_make_checksum_iov_v1(context, md5cksum.checksum_type,
-				   conflen != 0, ctx->seq, ctx->enc,
-				   sign_usage, iov, iov_count, &md5cksum);
+				   cksum_len, ctx->seq, ctx->enc,
+				   sign_usage, iov, iov_count, toktype,
+				   &md5cksum);
     if (code != 0) {
 	retval = GSS_S_FAILURE;
 	goto cleanup;
@@ -240,7 +241,7 @@
 	    goto cleanup;
 	}
 
-	cksum.length = signalg == 0 ? 8 : 16;
+	cksum.length = cksum_len;
 	cksum.contents = md5cksum.contents + 16 - cksum.length;
 
 	code = memcmp(cksum.contents, ptr + 14, cksum.length);
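Review bot: `cksum.contents = md5cksum.contents + 16 - cksum.length` stays in bounds only while `cksum_len <= 16`, and the new assignment replaces the locally visible 8-or-16 bound with a value computed outside this hunk. If a longer checksum length can reach this branch, the pointer lands before the buffer and the following `memcmp` reads out of bounds while processing a received token. A guard before the assignment, such as `if (cksum_len > 16) { retval = GSS_S_DEFECTIVE_TOKEN; goto cleanup; }`, would make the invariant explicit. Separately, the `memcmp` on the context line compares checksum bytes in non-constant time; that predates this commit but is worth tracking.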

Modified: branches/mskrb-integ/src/lib/gssapi/krb5/util_cksum.c
===================================================================
--- branches/mskrb-integ/src/lib/gssapi/krb5/util_cksum.c	2008-12-18 13:35:57 UTC (rev 21537)
+++ branches/mskrb-integ/src/lib/gssapi/krb5/util_cksum.c	2008-12-18 14:22:21 UTC (rev 21538)
@@ -111,12 +111,13 @@
 krb5_error_code
 kg_make_checksum_iov_v1(krb5_context context,
 			krb5_cksumtype type,
-			int conf_req_flag,
+			size_t cksum_len,
 			krb5_keyblock *seq,
 			krb5_keyblock *enc,
 			krb5_keyusage sign_usage,
 			gss_iov_buffer_desc *iov,
 			int iov_count,
+			int toktype,
 			krb5_checksum *checksum)
 {
     krb5_error_code code;
@@ -124,7 +125,7 @@
     krb5_crypto_iov *kiov;
     size_t kiov_count;
     int i = 0, j;
-    size_t conf_len;
+    size_t conf_len = 0, token_header_len;
 
     header = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
     assert(header != NULL);
@@ -135,7 +136,8 @@
 	return ENOMEM;
 
     /* Checksum over ( Header | Confounder | Data | Pad ) */
-    conf_len = conf_req_flag ? kg_confounder_size(context, (krb5_keyblock *)enc) : 0;
+    if (toktype == KG_TOK_WRAP_MSG)
+	conf_len = kg_confounder_size(context, (krb5_keyblock *)enc);
 
     /* Checksum output */
     kiov[i].flags = KRB5_CRYPTO_TYPE_CHECKSUM;
@@ -147,15 +149,17 @@
     }
     i++;
 
+    /* Header | SND_SEQ | SGN_CKSUM | Confounder */
+    token_header_len = 16 + cksum_len + conf_len;
+
     /* Header (calculate from end because of variable length ASN.1 header) */
     kiov[i].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;
     kiov[i].data.length = 8;
-    kiov[i].data.data = (char *)header->buffer.value + header->buffer.length - conf_len -
-			24; /* Header | SND_SEQ | SGN_CKSUM */
+    kiov[i].data.data = (char *)header->buffer.value + header->buffer.length - token_header_len;
     i++;
 
     /* Confounder */
-    if (conf_req_flag) {
+    if (toktype == KG_TOK_WRAP_MSG) {
 	kiov[i].flags = KRB5_CRYPTO_TYPE_DATA;
 	kiov[i].data.length = conf_len;
 	kiov[i].data.data = (char *)header->buffer.value + header->buffer.length - conf_len;
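Review bot: `header->buffer.length - token_header_len` is computed without checking that the header buffer holds at least `16 + cksum_len + conf_len` bytes, so a short header makes the SIGN_ONLY iov point before `header->buffer.value` and the checksum reads out of bounds. The sibling builder in util_crypt.c already rejects the analogous case with `if (header->buffer.length < conf_len) return KRB5_BAD_MSIZE;`. The same test belongs here: `if (header->buffer.length < token_header_len) return KRB5_BAD_MSIZE;`, placed before `kiov` is allocated or with `kiov` released on that path. Whether callers validate the header length first is not visible in this diff, and the function body extends beyond the hunk. The literal `16` would also read better as a named constant.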

Modified: branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c
===================================================================
--- branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c	2008-12-18 13:35:57 UTC (rev 21537)
+++ branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c	2008-12-18 14:22:21 UTC (rev 21538)
@@ -254,17 +254,17 @@
     int i = 0, j;
     size_t kiov_count;
     krb5_crypto_iov *kiov;
-    size_t confsize;
+    size_t conf_len;
 
     *pkiov = NULL;
     *pkiov_count = 0;
 
-    confsize = kg_confounder_size(context, (krb5_keyblock *)key);
+    conf_len = kg_confounder_size(context, (krb5_keyblock *)key);
 
     header = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
     assert(header != NULL);
 
-    if (header->buffer.length < confsize)
+    if (header->buffer.length < conf_len)
 	return KRB5_BAD_MSIZE;
 
     trailer = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
@@ -283,8 +283,8 @@
 
     /* For pre-CFX, the confounder is at the end of the GSS header */
     kiov[i].flags = KRB5_CRYPTO_TYPE_DATA;
-    kiov[i].data.length = confsize;
-    kiov[i].data.data = (char *)header->buffer.value + header->buffer.length - confsize;
+    kiov[i].data.length = conf_len;
+    kiov[i].data.data = (char *)header->buffer.value + header->buffer.length - conf_len;
     i++;
 
     for (j = 0; j < iov_count; j++) {



