krb5 commit: Eliminate TWRITE macros in GSS library
ghudson at mit.edu
ghudson at mit.edu
Fri Mar 24 15:07:08 EDT 2023
https://github.com/krb5/krb5/commit/bb11cc25e43a0bb39eb4d4b6b39c89e4d662342a
commit bb11cc25e43a0bb39eb4d4b6b39c89e4d662342a
Author: Greg Hudson <ghudson at mit.edu>
Date: Wed Mar 15 16:23:09 2023 -0400
Eliminate TWRITE macros in GSS library
Use dynamic k5buf structures to replace the two uses of the TWRITE_
macros, and replace the uses of TREAD_ macros with the equivalent
pointer assignments.
src/lib/gssapi/generic/gssapiP_generic.h | 32 ----------------
src/lib/gssapi/krb5/accept_sec_context.c | 6 +--
src/lib/gssapi/krb5/init_sec_context.c | 65 ++++++++++++--------------------
src/lib/gssapi/krb5/util_cksum.c | 46 +++++++++-------------
4 files changed, 43 insertions(+), 106 deletions(-)
diff --git a/src/lib/gssapi/generic/gssapiP_generic.h b/src/lib/gssapi/generic/gssapiP_generic.h
index 5d01fb492..3c6bfa53d 100644
--- a/src/lib/gssapi/generic/gssapiP_generic.h
+++ b/src/lib/gssapi/generic/gssapiP_generic.h
@@ -54,38 +54,6 @@
(((o1)->length == (o2)->length) && \
(memcmp((o1)->elements, (o2)->elements, (o1)->length) == 0))
-/* this code knows that an int on the wire is 32 bits. The type of
- num should be at least this big, or the extra shifts may do weird
- things */
-
-#define TWRITE_INT(ptr, num, bigend) \
- if (bigend) store_32_be(num, ptr); else store_32_le(num, ptr); \
- (ptr) += 4;
-
-#define TWRITE_INT16(ptr, num, bigend) \
- if (bigend) store_16_be((num)>>16, ptr); else store_16_le(num, ptr); \
- (ptr) += 2;
-
-#define TREAD_INT(ptr, num, bigend) \
- (num) = ((bigend) ? load_32_be(ptr) : load_32_le(ptr)); \
- (ptr) += 4;
-
-#define TREAD_INT16(ptr, num, bigend) \
- (num) = ((bigend) ? (load_16_be(ptr) << 16) : load_16_le(ptr)); \
- (ptr) += 2;
-
-#define TWRITE_STR(ptr, str, len) \
- memcpy((ptr), (str), (len)); \
- (ptr) += (len);
-
-#define TREAD_STR(ptr, str, len) \
- (str) = (ptr); \
- (ptr) += (len);
-
-#define TWRITE_BUF(ptr, buf, bigend) \
- TWRITE_INT((ptr), (buf).length, (bigend)); \
- TWRITE_STR((ptr), (buf).value, (buf).length);
-
/** malloc wrappers; these may actually do something later */
#define xmalloc(n) malloc(n)
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index dd4caf380..b35e11bfb 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -657,7 +657,6 @@ kg_accept_krb5(minor_status, context_handle,
{
krb5_context context;
unsigned char *ptr;
- char *sptr;
krb5_gss_cred_id_t cred = 0;
krb5_data ap_rep, ap_req;
krb5_error_code code;
@@ -788,16 +787,13 @@ kg_accept_krb5(minor_status, context_handle,
} else if (code == G_BAD_TOK_HEADER) {
/* DCE style not encapsulated */
ap_req.length = input_token->length;
- ap_req.data = input_token->value;
mech_used = gss_mech_krb5;
no_encap = 1;
} else {
major_status = GSS_S_DEFECTIVE_TOKEN;
goto fail;
}
-
- sptr = (char *) ptr;
- TREAD_STR(sptr, ap_req.data, ap_req.length);
+ ap_req.data = (char *)ptr;
/* construct the sender_addr */
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 83fd514c1..5748b8434 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -246,14 +246,14 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
{
krb5_error_code code;
krb5_int32 con_flags;
- unsigned char *ptr;
struct gss_checksum_data *data = cksum_data;
krb5_data credmsg;
unsigned int junk;
krb5_data *finished = NULL;
krb5_key send_subkey;
+ struct k5buf buf;
- data->checksum_data.data = 0;
+ data->checksum_data = empty_data();
credmsg.data = 0;
/* build the checksum field */
@@ -291,18 +291,12 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
request */
data->ctx->gss_flags &= ~(GSS_C_DELEG_FLAG |
GSS_C_DELEG_POLICY_FLAG);
-
- data->checksum_data.length = 24;
} else {
if (credmsg.length+28 > KRB5_INT16_MAX) {
code = KRB5KRB_ERR_FIELD_TOOLONG;
goto cleanup;
}
-
- data->checksum_data.length = 28+credmsg.length;
}
- } else {
- data->checksum_data.length = 24;
}
#ifdef CFX_EXERCISE
if (data->ctx->auth_context->keyblock != NULL
@@ -335,40 +329,35 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
}
krb5_k_free_key(context, key);
- data->checksum_data.length += 8 + finished->length;
}
- data->checksum_data.length += junk;
-
/* now allocate a buffer to hold the checksum data and
(maybe) KRB_CRED msg */
-
- if ((data->checksum_data.data =
- (char *) xmalloc(data->checksum_data.length)) == NULL) {
- code = ENOMEM;
- goto cleanup;
+ k5_buf_init_dynamic(&buf);
+ k5_buf_add_uint32_le(&buf, data->md5.length);
+ k5_buf_add_len(&buf, data->md5.contents, data->md5.length);
+ k5_buf_add_uint32_le(&buf, data->ctx->gss_flags);
+ if (credmsg.data != NULL) {
+ k5_buf_add_uint16_le(&buf, KRB5_GSS_FOR_CREDS_OPTION);
+ k5_buf_add_uint16_le(&buf, credmsg.length);
+ k5_buf_add_len(&buf, credmsg.data, credmsg.length);
}
+ if (data->exts->iakerb.conv != NULL) {
+ k5_buf_add_uint32_be(&buf, KRB5_GSS_EXTS_IAKERB_FINISHED);
+ k5_buf_add_uint32_be(&buf, finished->length);
+ k5_buf_add_len(&buf, finished->data, finished->length);
+ }
+ while (junk--)
+ k5_buf_add_byte(&buf, 'i');
- ptr = (unsigned char *)data->checksum_data.data;
-
- TWRITE_INT(ptr, data->md5.length, 0);
- TWRITE_STR(ptr, data->md5.contents, data->md5.length);
- TWRITE_INT(ptr, data->ctx->gss_flags, 0);
+ code = k5_buf_status(&buf);
+ if (code)
+ goto cleanup;
- if (credmsg.data) {
- TWRITE_INT16(ptr, KRB5_GSS_FOR_CREDS_OPTION, 0);
- TWRITE_INT16(ptr, credmsg.length, 0);
- TWRITE_STR(ptr, credmsg.data, credmsg.length);
- }
- if (data->exts->iakerb.conv) {
- TWRITE_INT(ptr, KRB5_GSS_EXTS_IAKERB_FINISHED, 1);
- TWRITE_INT(ptr, finished->length, 1);
- TWRITE_STR(ptr, finished->data, finished->length);
- }
- if (junk)
- memset(ptr, 'i', junk);
+ data->checksum_data = make_data(buf.data, buf.len);
*out = &data->checksum_data;
code = 0;
+
cleanup:
krb5_free_data_contents(context, &credmsg);
krb5_free_data(context, finished);
@@ -726,7 +715,6 @@ mutual_auth(
{
OM_uint32 major_status;
unsigned char *ptr;
- char *sptr;
krb5_data ap_rep;
krb5_ap_rep_enc_part *ap_rep_data;
krb5_timestamp now;
@@ -775,7 +763,6 @@ mutual_auth(
if (ctx->gss_flags & GSS_C_DCE_STYLE) {
/* Raw AP-REP */
ap_rep.length = input_token->length;
- ap_rep.data = (char *)input_token->value;
} else if (g_verify_token_header(ctx->mech_used,
&(ap_rep.length),
&ptr, KG_TOK_CTX_AP_REP,
@@ -787,9 +774,7 @@ mutual_auth(
/* Handle a KRB_ERROR message from the server */
- sptr = (char *) ptr; /* PC compiler bug */
- TREAD_STR(sptr, ap_rep.data, ap_rep.length);
-
+ ap_rep.data = (char *)ptr;
code = krb5_rd_error(context, &ap_rep, &krb_error);
if (code)
goto fail;
@@ -804,9 +789,7 @@ mutual_auth(
return(GSS_S_DEFECTIVE_TOKEN);
}
}
-
- sptr = (char *) ptr; /* PC compiler bug */
- TREAD_STR(sptr, ap_rep.data, ap_rep.length);
+ ap_rep.data = (char *)ptr;
/* decode the ap_rep */
if ((code = krb5_rd_rep(context, ctx->auth_context, &ap_rep,
diff --git a/src/lib/gssapi/krb5/util_cksum.c b/src/lib/gssapi/krb5/util_cksum.c
index 2d6b50b2a..5b8795639 100644
--- a/src/lib/gssapi/krb5/util_cksum.c
+++ b/src/lib/gssapi/krb5/util_cksum.c
@@ -33,9 +33,7 @@ kg_checksum_channel_bindings(context, cb, cksum)
gss_channel_bindings_t cb;
krb5_checksum *cksum;
{
- size_t len;
- char *buf = 0;
- char *ptr;
+ struct k5buf buf;
size_t sumlen;
krb5_data plaind;
krb5_error_code code;
@@ -59,36 +57,28 @@ kg_checksum_channel_bindings(context, cb, cksum)
return(0);
}
- /* create the buffer to checksum into */
-
- len = (sizeof(krb5_int32)*5+
- cb->initiator_address.length+
- cb->acceptor_address.length+
- cb->application_data.length);
-
- if ((buf = (char *) xmalloc(len)) == NULL)
- return(ENOMEM);
-
- /* helper macros. This code currently depends on a long being 32
- bits, and htonl dtrt. */
-
- ptr = buf;
-
- TWRITE_INT(ptr, cb->initiator_addrtype, 0);
- TWRITE_BUF(ptr, cb->initiator_address, 0);
- TWRITE_INT(ptr, cb->acceptor_addrtype, 0);
- TWRITE_BUF(ptr, cb->acceptor_address, 0);
- TWRITE_BUF(ptr, cb->application_data, 0);
+ k5_buf_init_dynamic(&buf);
+ k5_buf_add_uint32_le(&buf, cb->initiator_addrtype);
+ k5_buf_add_uint32_le(&buf, cb->initiator_address.length);
+ k5_buf_add_len(&buf, cb->initiator_address.value,
+ cb->initiator_address.length);
+ k5_buf_add_uint32_le(&buf, cb->acceptor_addrtype);
+ k5_buf_add_uint32_le(&buf, cb->acceptor_address.length);
+ k5_buf_add_len(&buf, cb->acceptor_address.value,
+ cb->acceptor_address.length);
+ k5_buf_add_uint32_le(&buf, cb->application_data.length);
+ k5_buf_add_len(&buf, cb->application_data.value,
+ cb->application_data.length);
+ code = k5_buf_status(&buf);
+ if (code)
+ return code;
/* checksum the data */
- plaind.length = len;
- plaind.data = buf;
-
+ plaind = make_data(buf.data, buf.len);
code = krb5_c_make_checksum(context, CKSUMTYPE_RSA_MD5, 0, 0,
&plaind, cksum);
- if (buf)
- xfree(buf);
+ k5_buf_free(&buf);
return code;
}
More information about the cvs-krb5
mailing list