krb5 commit: Remove big-endian gss-krb5 support
Greg Hudson
ghudson at MIT.EDU
Fri Jun 8 17:03:37 EDT 2012
https://github.com/krb5/krb5/commit/103456df347d6ea68b1a6f0657b50d5f23a47a37
commit 103456df347d6ea68b1a6f0657b50d5f23a47a37
Author: Greg Hudson <ghudson at mit.edu>
Date: Fri Jun 8 17:02:28 2012 -0400
Remove big-endian gss-krb5 support
The big_endian flag in krb5_gss_ctx_id_rec is there for
interoperability with a really ancient implementation which we believe
is no longer in use. Get rid of it and the code to handle it.
ticket: 7166 (new)
src/lib/gssapi/krb5/accept_sec_context.c | 38 +++++---------------------
src/lib/gssapi/krb5/gssapiP_krb5.h | 4 +--
src/lib/gssapi/krb5/init_sec_context.c | 3 +-
src/lib/gssapi/krb5/k5seal.c | 16 +++--------
src/lib/gssapi/krb5/k5sealv3.c | 5 ---
src/lib/gssapi/krb5/k5sealv3iov.c | 4 ---
src/lib/gssapi/krb5/k5unseal.c | 42 ++++++++----------------------
src/lib/gssapi/krb5/k5unsealiov.c | 2 -
src/lib/gssapi/krb5/ser_sctx.c | 5 ---
src/lib/gssapi/krb5/util_cksum.c | 13 ++++-----
src/util/gss-kernel-lib/kernel_gss.c | 2 -
11 files changed, 32 insertions(+), 102 deletions(-)
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 7dca130..72b5201 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -726,37 +726,16 @@ kg_accept_krb5(minor_status, context_handle,
goto fail;
}
- /*
- "Be liberal in what you accept, and
- conservative in what you send"
- -- rfc1123
-
- This code will let this acceptor interoperate with an initiator
- using little-endian or big-endian integer encoding.
- */
-
ptr = (unsigned char *) authdat->checksum->contents;
- bigend = 0;
- TREAD_INT(ptr, tmp, bigend);
+ TREAD_INT(ptr, tmp, 0);
if (tmp != md5len) {
- ptr = (unsigned char *) authdat->checksum->contents;
- bigend = 1;
-
- TREAD_INT(ptr, tmp, bigend);
-
- if (tmp != md5len) {
- code = KG_BAD_LENGTH;
- major_status = GSS_S_FAILURE;
- goto fail;
- }
+ code = KG_BAD_LENGTH;
+ major_status = GSS_S_FAILURE;
+ goto fail;
}
- /* at this point, bigend is set according to the initiator's
- byte order */
-
-
/*
The following section of code attempts to implement the
optional channel binding facility as described in RFC2743.
@@ -772,7 +751,7 @@ kg_accept_krb5(minor_status, context_handle,
if ((code = kg_checksum_channel_bindings(context,
input_chan_bindings,
- &reqcksum, bigend))) {
+ &reqcksum))) {
major_status = GSS_S_BAD_BINDINGS;
goto fail;
}
@@ -794,7 +773,7 @@ kg_accept_krb5(minor_status, context_handle,
xfree(reqcksum.contents);
reqcksum.contents = 0;
- TREAD_INT(ptr, gss_flags, bigend);
+ TREAD_INT(ptr, gss_flags, 0);
#if 0
gss_flags &= ~GSS_C_DELEG_FLAG; /* mask out the delegation flag; if
there's a delegation, we'll set
@@ -807,8 +786,8 @@ kg_accept_krb5(minor_status, context_handle,
i = authdat->checksum->length - 24;
if (i && (gss_flags & GSS_C_DELEG_FLAG)) {
if (i >= 4) {
- TREAD_INT16(ptr, option_id, bigend);
- TREAD_INT16(ptr, option.length, bigend);
+ TREAD_INT16(ptr, option_id, 0);
+ TREAD_INT16(ptr, option.length, 0);
i -= 4;
if (i < option.length || option.length < 0) {
@@ -904,7 +883,6 @@ kg_accept_krb5(minor_status, context_handle,
GSS_C_DCE_STYLE | GSS_C_IDENTIFY_FLAG |
GSS_C_EXTENDED_ERROR_FLAG)));
ctx->seed_init = 0;
- ctx->big_endian = bigend;
ctx->cred_rcache = cred_rcache;
/* XXX move this into gss_name_t */
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 6b7d530..54a536a 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -199,7 +199,6 @@ typedef struct _krb5_gss_ctx_id_rec {
krb5_magic magic;
unsigned int initiate : 1; /* nonzero if initiating, zero if accepting */
unsigned int established : 1;
- unsigned int big_endian : 1;
unsigned int have_acceptor_subkey : 1;
unsigned int seed_init : 1; /* XXX tested but never actually set */
OM_uint32 gss_flags;
@@ -253,8 +252,7 @@ OM_uint32 kg_get_defcred
krb5_error_code kg_checksum_channel_bindings
(krb5_context context, gss_channel_bindings_t cb,
- krb5_checksum *cksum,
- int bigend);
+ krb5_checksum *cksum);
krb5_error_code kg_make_seq_num (krb5_context context,
krb5_key key,
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 07baefa..7fb5f71 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -428,7 +428,7 @@ make_ap_req_v1(context, ctx, cred, k_cred, ad_context,
/* compute the hash of the channel bindings */
- if ((code = kg_checksum_channel_bindings(context, chan_bindings, &md5, 0)))
+ if ((code = kg_checksum_channel_bindings(context, chan_bindings, &md5)))
return(code);
krb5_auth_con_set_req_cksumtype(context, ctx->auth_context,
@@ -585,7 +585,6 @@ kg_new_connection(
GSS_C_DCE_STYLE | GSS_C_IDENTIFY_FLAG |
GSS_C_EXTENDED_ERROR_FLAG)));
ctx->seed_init = 0;
- ctx->big_endian = 0; /* all initiators do little-endian, as per spec */
ctx->seqstate = 0;
if (req_flags & GSS_C_DCE_STYLE)
diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c
index 41604dc..bd1e2a6 100644
--- a/src/lib/gssapi/krb5/k5seal.c
+++ b/src/lib/gssapi/krb5/k5seal.c
@@ -64,7 +64,6 @@ make_seal_token_v1 (krb5_context context,
int sealalg,
int do_encrypt,
int toktype,
- int bigend,
gss_OID oid)
{
krb5_error_code code;
@@ -89,7 +88,7 @@ make_seal_token_v1 (krb5_context context,
assert((!do_encrypt) || (toktype == KG_TOK_SEAL_MSG));
/* create the token buffer */
/* Do we need confounder? */
- if (do_encrypt || (!bigend && (toktype == KG_TOK_SEAL_MSG)))
+ if (do_encrypt || toktype == KG_TOK_SEAL_MSG)
conflen = kg_confounder_size(context, enc->keyblock.enctype);
else conflen = 0;
@@ -185,18 +184,14 @@ make_seal_token_v1 (krb5_context context,
/* compute the checksum */
/* 8 = head of token body as specified by mech spec */
- if (! (data_ptr =
- (char *) xmalloc(8 + (bigend ? text->length : msglen)))) {
+ if (! (data_ptr = xmalloc(8 + msglen))) {
xfree(plain);
gssalloc_free(t);
return(ENOMEM);
}
(void) memcpy(data_ptr, ptr-2, 8);
- if (bigend)
- (void) memcpy(data_ptr+8, text->value, text->length);
- else
- (void) memcpy(data_ptr+8, plain, msglen);
- plaind.length = 8 + (bigend ? text->length : msglen);
+ (void) memcpy(data_ptr+8, plain, msglen);
+ plaind.length = 8 + msglen;
plaind.data = data_ptr;
code = krb5_k_make_checksum(context, md5cksum.checksum_type, seq,
sign_usage, &plaind, &md5cksum);
@@ -360,8 +355,7 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req,
&ctx->seq_send, ctx->initiate,
input_message_buffer, output_message_buffer,
ctx->signalg, ctx->cksum_size, ctx->sealalg,
- conf_req_flag, toktype, ctx->big_endian,
- ctx->mech_used);
+ conf_req_flag, toktype, ctx->mech_used);
break;
case 1:
code = gss_krb5int_make_seal_token_v3(context, ctx,
diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
index ac3d44d..c291e0f 100644
--- a/src/lib/gssapi/krb5/k5sealv3.c
+++ b/src/lib/gssapi/krb5/k5sealv3.c
@@ -82,8 +82,6 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
krb5_key key;
krb5_cksumtype cksumtype;
- assert(ctx->big_endian == 0);
-
acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
key_usage = (toktype == KG_TOK_WRAP_MSG
? (ctx->initiate
@@ -319,9 +317,6 @@ gss_krb5int_unseal_token_v3(krb5_context *contextptr,
krb5_key key;
krb5_cksumtype cksumtype;
- if (ctx->big_endian != 0)
- goto defective;
-
if (qop_state)
*qop_state = GSS_C_QOP_DEFAULT;
diff --git a/src/lib/gssapi/krb5/k5sealv3iov.c b/src/lib/gssapi/krb5/k5sealv3iov.c
index d682960..d7c9287 100644
--- a/src/lib/gssapi/krb5/k5sealv3iov.c
+++ b/src/lib/gssapi/krb5/k5sealv3iov.c
@@ -54,7 +54,6 @@ gss_krb5int_make_seal_token_v3_iov(krb5_context context,
krb5_cksumtype cksumtype;
size_t data_length, assoc_data_length;
- assert(ctx->big_endian == 0);
assert(ctx->proto == 1);
acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
@@ -300,9 +299,6 @@ gss_krb5int_unseal_v3_iov(krb5_context context,
krb5_cksumtype cksumtype;
int conf_flag = 0;
- if (ctx->big_endian != 0)
- return GSS_S_DEFECTIVE_TOKEN;
-
if (qop_state != NULL)
*qop_state = GSS_C_QOP_DEFAULT;
diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c
index 9351980..fa9a3cb 100644
--- a/src/lib/gssapi/krb5/k5unseal.c
+++ b/src/lib/gssapi/krb5/k5unseal.c
@@ -206,12 +206,8 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
plainlen = tmsglen;
- if ((sealalg == 0xffff) && ctx->big_endian) {
- token.length = tmsglen;
- } else {
- conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype);
- token.length = tmsglen - conflen - plain[tmsglen-1];
- }
+ conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype);
+ token.length = tmsglen - conflen - plain[tmsglen-1];
if (token.length) {
if ((token.value = (void *) gssalloc_malloc(token.length)) == NULL) {
@@ -267,8 +263,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
/* 8 = bytes of token body to be checksummed according to spec */
- if (! (data_ptr = (void *)
- xmalloc(8 + (ctx->big_endian ? token.length : plainlen)))) {
+ if (! (data_ptr = xmalloc(8 + plainlen))) {
if (sealalg != 0xffff)
xfree(plain);
if (toktype == KG_TOK_SEAL_MSG)
@@ -279,12 +274,9 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
(void) memcpy(data_ptr, ptr-2, 8);
- if (ctx->big_endian)
- (void) memcpy(data_ptr+8, token.value, token.length);
- else
- (void) memcpy(data_ptr+8, plain, plainlen);
+ (void) memcpy(data_ptr+8, plain, plainlen);
- plaind.length = 8 + (ctx->big_endian ? token.length : plainlen);
+ plaind.length = 8 + plainlen;
plaind.data = data_ptr;
code = krb5_k_make_checksum(context, md5cksum.checksum_type,
ctx->seq, sign_usage,
@@ -332,9 +324,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
return GSS_S_FAILURE;
}
- if (! (data_ptr = (void *)
- xmalloc(sizeof(ctx->seed) + 8 +
- (ctx->big_endian ? token.length : plainlen)))) {
+ if (! (data_ptr = xmalloc(sizeof(ctx->seed) + 8 + plainlen))) {
krb5_free_checksum_contents(context, &md5cksum);
if (sealalg == 0)
xfree(plain);
@@ -345,14 +335,8 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
}
(void) memcpy(data_ptr, ptr-2, 8);
(void) memcpy(data_ptr+8, ctx->seed, sizeof(ctx->seed));
- if (ctx->big_endian)
- (void) memcpy(data_ptr+8+sizeof(ctx->seed),
- token.value, token.length);
- else
- (void) memcpy(data_ptr+8+sizeof(ctx->seed),
- plain, plainlen);
- plaind.length = 8 + sizeof(ctx->seed) +
- (ctx->big_endian ? token.length : plainlen);
+ (void) memcpy(data_ptr+8+sizeof(ctx->seed), plain, plainlen);
+ plaind.length = 8 + sizeof(ctx->seed) + plainlen;
plaind.data = data_ptr;
krb5_free_checksum_contents(context, &md5cksum);
code = krb5_k_make_checksum(context, md5cksum.checksum_type,
@@ -382,8 +366,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
/* 8 = bytes of token body to be checksummed according to spec */
- if (! (data_ptr = (void *)
- xmalloc(8 + (ctx->big_endian ? token.length : plainlen)))) {
+ if (! (data_ptr = xmalloc(8 + plainlen))) {
if (sealalg != 0xffff)
xfree(plain);
if (toktype == KG_TOK_SEAL_MSG)
@@ -394,12 +377,9 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
(void) memcpy(data_ptr, ptr-2, 8);
- if (ctx->big_endian)
- (void) memcpy(data_ptr+8, token.value, token.length);
- else
- (void) memcpy(data_ptr+8, plain, plainlen);
+ (void) memcpy(data_ptr+8, plain, plainlen);
- plaind.length = 8 + (ctx->big_endian ? token.length : plainlen);
+ plaind.length = 8 + plainlen;
plaind.data = data_ptr;
code = krb5_k_make_checksum(context, md5cksum.checksum_type,
ctx->seq, sign_usage,
diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
index 986ee06..87fe34f 100644
--- a/src/lib/gssapi/krb5/k5unsealiov.c
+++ b/src/lib/gssapi/krb5/k5unsealiov.c
@@ -137,8 +137,6 @@ kg_unseal_v1_iov(krb5_context context,
return GSS_S_BAD_SIG;
}
- assert(ctx->big_endian == 0);
-
/* decode the message, if SEAL */
if (toktype == KG_TOK_WRAP_MSG) {
if (sealalg != 0xFFFF) {
diff --git a/src/lib/gssapi/krb5/ser_sctx.c b/src/lib/gssapi/krb5/ser_sctx.c
index d2945ea..cba5ae2 100644
--- a/src/lib/gssapi/krb5/ser_sctx.c
+++ b/src/lib/gssapi/krb5/ser_sctx.c
@@ -245,7 +245,6 @@ kg_ctx_size(kcontext, arg, sizep)
* krb5_int32 for KG_CONTEXT
* krb5_int32 for initiate.
* krb5_int32 for established.
- * krb5_int32 for big_endian.
* krb5_int32 for have_acceptor_subkey.
* krb5_int32 for seed_init.
* krb5_int32 for gss_flags.
@@ -401,8 +400,6 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain)
&bp, &remain);
(void) krb5_ser_pack_int32((krb5_int32) ctx->established,
&bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->big_endian,
- &bp, &remain);
(void) krb5_ser_pack_int32((krb5_int32) ctx->have_acceptor_subkey,
&bp, &remain);
(void) krb5_ser_pack_int32((krb5_int32) ctx->seed_init,
@@ -614,8 +611,6 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain)
(void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
ctx->established = (int) ibuf;
(void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->big_endian = (int) ibuf;
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
ctx->have_acceptor_subkey = (int) ibuf;
(void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
ctx->seed_init = (int) ibuf;
diff --git a/src/lib/gssapi/krb5/util_cksum.c b/src/lib/gssapi/krb5/util_cksum.c
index 5228df3..4877c71 100644
--- a/src/lib/gssapi/krb5/util_cksum.c
+++ b/src/lib/gssapi/krb5/util_cksum.c
@@ -28,11 +28,10 @@
/* Checksumming the channel bindings always uses plain MD5. */
krb5_error_code
-kg_checksum_channel_bindings(context, cb, cksum, bigend)
+kg_checksum_channel_bindings(context, cb, cksum)
krb5_context context;
gss_channel_bindings_t cb;
krb5_checksum *cksum;
- int bigend;
{
size_t len;
char *buf = 0;
@@ -75,11 +74,11 @@ kg_checksum_channel_bindings(context, cb, cksum, bigend)
ptr = buf;
- TWRITE_INT(ptr, cb->initiator_addrtype, bigend);
- TWRITE_BUF(ptr, cb->initiator_address, bigend);
- TWRITE_INT(ptr, cb->acceptor_addrtype, bigend);
- TWRITE_BUF(ptr, cb->acceptor_address, bigend);
- TWRITE_BUF(ptr, cb->application_data, bigend);
+ TWRITE_INT(ptr, cb->initiator_addrtype, 0);
+ TWRITE_BUF(ptr, cb->initiator_address, 0);
+ TWRITE_INT(ptr, cb->acceptor_addrtype, 0);
+ TWRITE_BUF(ptr, cb->acceptor_address, 0);
+ TWRITE_BUF(ptr, cb->application_data, 0);
/* checksum the data */
diff --git a/src/util/gss-kernel-lib/kernel_gss.c b/src/util/gss-kernel-lib/kernel_gss.c
index a0ad8d0..f33b83d 100644
--- a/src/util/gss-kernel-lib/kernel_gss.c
+++ b/src/util/gss-kernel-lib/kernel_gss.c
@@ -116,8 +116,6 @@ import_lucid_sec_context_v1(const gss_krb5_lucid_context_v1_t *lctx,
}
}
- /* Assume the proper krb5 mech and no big-endian compatibility. */
- gctx->big_endian = 0;
gctx->seed_init = 0;
gctx->established = 1;
gctx->mech_used = (gss_OID_desc *)gss_mech_krb5;
More information about the cvs-krb5
mailing list