Make some gss-krb5 utility functions take enctypes instead of keys,

and adjust callers.  Fixes a bug where kg_arcfour_docrypt_iov was
passing a keyblock instead of a key to kg_translate_iov after the
enc-perf merge.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22956 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 541a745545bbb17a992de337034f267deee0050d..3b8cc067cda2605915263d71e7b8bf52bf11489d 100644 (file)
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -277,10 +277,10 @@ kg_setup_keys(krb5_context context,
               krb5_key subkey,
               krb5_cksumtype *cksumtype);
 
-int kg_confounder_size (krb5_context context, krb5_key key);
+int kg_confounder_size (krb5_context context, krb5_enctype enctype);
 
 krb5_error_code kg_make_confounder (krb5_context context,
-                                    krb5_key key, unsigned char *buf);
+                                    krb5_enctype enctype, unsigned char *buf);
 
 krb5_error_code kg_encrypt (krb5_context context,
                             krb5_key key, int usage,

diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c
index 7a6e5aae8f7a415157fe9adda367832673f69665..d071462c14c0e180737d525933f3c8c9742824ea 100644 (file)
--- a/src/lib/gssapi/krb5/k5seal.c
+++ b/src/lib/gssapi/krb5/k5seal.c
@@ -90,7 +90,7 @@ make_seal_token_v1 (krb5_context context,
     /* create the token buffer */
     /* Do we need confounder? */
     if (do_encrypt || (!bigend && (toktype == KG_TOK_SEAL_MSG)))
-        conflen = kg_confounder_size(context, enc);
+        conflen = kg_confounder_size(context, enc->keyblock.enctype);
     else conflen = 0;
 
     if (toktype == KG_TOK_SEAL_MSG) {
@@ -171,7 +171,8 @@ make_seal_token_v1 (krb5_context context,
     }
 
     if (conflen) {
-        if ((code = kg_make_confounder(context, enc, plain))) {
+        if ((code = kg_make_confounder(context, enc->keyblock.enctype,
+                                       plain))) {
             xfree(plain);
             xfree(t);
             return(code);

diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c
index 1a9eac994a7adf7a6ea8fe813de87e20a30b6279..8eb5310c4c50a7c032735ad480c2ec1a10b1e7b5 100644 (file)
--- a/src/lib/gssapi/krb5/k5sealiov.c
+++ b/src/lib/gssapi/krb5/k5sealiov.c
@@ -73,7 +73,7 @@ make_seal_token_v1_iov(krb5_context context,
 
     /* Determine confounder length */
     if (toktype == KG_TOK_WRAP_MSG || conf_req_flag)
-        k5_headerlen = kg_confounder_size(context, ctx->enc);
+        k5_headerlen = kg_confounder_size(context, ctx->enc->keyblock.enctype);
 
     /* Check padding length */
     if (toktype == KG_TOK_WRAP_MSG) {
@@ -175,7 +175,8 @@ make_seal_token_v1_iov(krb5_context context,
     md5cksum.length = k5_trailerlen;
 
     if (k5_headerlen != 0) {
-        code = kg_make_confounder(context, ctx->enc, ptr + 14 + ctx->cksum_size);
+        code = kg_make_confounder(context, ctx->enc->keyblock.enctype,
+                                  ptr + 14 + ctx->cksum_size);
         if (code != 0)
             goto cleanup;
     }
@@ -473,7 +474,7 @@ kg_seal_iov_length(OM_uint32 *minor_status,
         /* Header | Checksum | Confounder | Data | Pad */
         size_t data_size;
 
-        k5_headerlen = kg_confounder_size(context, ctx->enc);
+        k5_headerlen = kg_confounder_size(context, ctx->enc->keyblock.enctype);
 
         data_size = 14 /* Header */ + ctx->cksum_size + k5_headerlen;
 

diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c
index 2ef59a72245945e51b0b41e244e8a04cbee30224..e96dce89a8ac947c2a6826d7e4af393cb1bbc44b 100644 (file)
--- a/src/lib/gssapi/krb5/k5unseal.c
+++ b/src/lib/gssapi/krb5/k5unseal.c
@@ -210,7 +210,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
         if ((sealalg == 0xffff) && ctx->big_endian) {
             token.length = tmsglen;
         } else {
-            conflen = kg_confounder_size(context, ctx->enc);
+            conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype);
             token.length = tmsglen - conflen - plain[tmsglen-1];
         }
 

diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
index d09bf89a45887ecbf5ea3c21191198ebc138edd7..a9896c55bd347e4203917e49c17caededaa0cc0e 100644 (file)
--- a/src/lib/gssapi/krb5/k5unsealiov.c
+++ b/src/lib/gssapi/krb5/k5unsealiov.c
@@ -180,7 +180,7 @@ kg_unseal_v1_iov(krb5_context context,
                 goto cleanup;
             }
         }
-        conflen = kg_confounder_size(context, ctx->enc);
+        conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype);
     }
 
     if (header->buffer.length != token_wrapper_len + 14 + cksum_len + conflen) {
@@ -557,7 +557,8 @@ kg_unseal_stream_iov(OM_uint32 *minor_status,
     case KG_TOK_MIC_MSG:
     case KG_TOK_WRAP_MSG:
     case KG_TOK_DEL_CTX:
-        theader->buffer.length += ctx->cksum_size + kg_confounder_size(context, ctx->enc);
+        theader->buffer.length += ctx->cksum_size +
+            kg_confounder_size(context, ctx->enc->keyblock.enctype);
 
         /*
          * we can't set the padding accurately until decryption;

diff --git a/src/lib/gssapi/krb5/util_cksum.c b/src/lib/gssapi/krb5/util_cksum.c
index 9d4e08ff818f1d2ec1ed1f39f2b52cbd43999b2a..88a55bb8170bbb7f66788746fd7ac58d61160d66 100644 (file)
--- a/src/lib/gssapi/krb5/util_cksum.c
+++ b/src/lib/gssapi/krb5/util_cksum.c
@@ -137,7 +137,7 @@ kg_make_checksum_iov_v1(krb5_context context,
 
     /* Checksum over ( Header | Confounder | Data | Pad ) */
     if (toktype == KG_TOK_WRAP_MSG)
-        conf_len = kg_confounder_size(context, enc);
+        conf_len = kg_confounder_size(context, enc->keyblock.enctype);
 
     /* Checksum output */
     kiov[i].flags = KRB5_CRYPTO_TYPE_CHECKSUM;

diff --git a/src/lib/gssapi/krb5/util_crypt.c b/src/lib/gssapi/krb5/util_crypt.c
index 53e420d9fae0037c71c2751e6e304d704ebe7f60..bfc5f500cb408d9d3cec1411bbf6ee073eaed4e6 100644 (file)
--- a/src/lib/gssapi/krb5/util_crypt.c
+++ b/src/lib/gssapi/krb5/util_crypt.c
@@ -180,17 +180,16 @@ kg_setup_keys(krb5_context context,
 }
 
 int
-kg_confounder_size(context, key)
+kg_confounder_size(context, enctype)
     krb5_context context;
-    krb5_key key;
+    krb5_enctype enctype;
 {
     krb5_error_code code;
     size_t blocksize;
     /* We special case rc4*/
-    if (key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC ||
-        key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
+    if (enctype == ENCTYPE_ARCFOUR_HMAC || enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
         return 8;
-    code = krb5_c_block_size(context, key->keyblock.enctype, &blocksize);
+    code = krb5_c_block_size(context, enctype, &blocksize);
     if (code)
         return(-1); /* XXX */
 
@@ -198,15 +197,15 @@ kg_confounder_size(context, key)
 }
 
 krb5_error_code
-kg_make_confounder(context, key, buf)
+kg_make_confounder(context, enctype, buf)
     krb5_context context;
-    krb5_key key;
+    krb5_enctype enctype;
     unsigned char *buf;
 {
     int confsize;
     krb5_data lrandom;
 
-    confsize = kg_confounder_size(context, key);
+    confsize = kg_confounder_size(context, enctype);
     if (confsize < 0)
         return KRB5_BAD_MSIZE;
 
@@ -375,9 +374,9 @@ cleanup_arcfour:
 
 /* AEAD */
 static krb5_error_code
-kg_translate_iov_v1(context, key, iov, iov_count, pkiov, pkiov_count)
+kg_translate_iov_v1(context, enctype, iov, iov_count, pkiov, pkiov_count)
     krb5_context context;
-    krb5_key key;
+    krb5_enctype enctype;
     gss_iov_buffer_desc *iov;
     int iov_count;
     krb5_crypto_iov **pkiov;
@@ -393,7 +392,7 @@ kg_translate_iov_v1(context, key, iov, iov_count, pkiov, pkiov_count)
     *pkiov = NULL;
     *pkiov_count = 0;
 
-    conf_len = kg_confounder_size(context, key);
+    conf_len = kg_confounder_size(context, enctype);
 
     header = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
     assert(header != NULL);
@@ -443,12 +442,12 @@ kg_translate_iov_v1(context, key, iov, iov_count, pkiov, pkiov_count)
 }
 
 static krb5_error_code
-kg_translate_iov_v3(context, dce_style, ec, rrc, key, iov, iov_count, pkiov, pkiov_count)
+kg_translate_iov_v3(context, dce_style, ec, rrc, enctype, iov, iov_count, pkiov, pkiov_count)
     krb5_context context;
     int dce_style;              /* DCE_STYLE indicates actual RRC is EC + RRC */
     size_t ec;                  /* Extra rotate count for DCE_STYLE, pad length otherwise */
     size_t rrc;                 /* Rotate count */
-    krb5_key key;
+    krb5_enctype enctype;
     gss_iov_buffer_desc *iov;
     int iov_count;
     krb5_crypto_iov **pkiov;
@@ -472,13 +471,13 @@ kg_translate_iov_v3(context, dce_style, ec, rrc, key, iov, iov_count, pkiov, pki
     trailer = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
     assert(trailer == NULL || rrc == 0);
 
-    code = krb5_c_crypto_length(context, key->keyblock.enctype,
-                                KRB5_CRYPTO_TYPE_HEADER, &k5_headerlen);
+    code = krb5_c_crypto_length(context, enctype, KRB5_CRYPTO_TYPE_HEADER,
+                                &k5_headerlen);
     if (code != 0)
         return code;
 
-    code = krb5_c_crypto_length(context, key->keyblock.enctype,
-                                KRB5_CRYPTO_TYPE_TRAILER, &k5_trailerlen);
+    code = krb5_c_crypto_length(context, enctype, KRB5_CRYPTO_TYPE_TRAILER,
+                                &k5_trailerlen);
     if (code != 0)
         return code;
 
@@ -558,21 +557,23 @@ kg_translate_iov_v3(context, dce_style, ec, rrc, key, iov, iov_count, pkiov, pki
 }
 
 static krb5_error_code
-kg_translate_iov(context, proto, dce_style, ec, rrc, key, iov, iov_count, pkiov, pkiov_count)
+kg_translate_iov(context, proto, dce_style, ec, rrc, enctype, iov, iov_count, pkiov, pkiov_count)
     krb5_context context;
     int proto;                  /* 1 if CFX, 0 for pre-CFX */
     int dce_style;
     size_t ec;
     size_t rrc;
-    krb5_key key;
+    krb5_enctype enctype;
     gss_iov_buffer_desc *iov;
     int iov_count;
     krb5_crypto_iov **pkiov;
     size_t *pkiov_count;
 {
     return proto ?
-        kg_translate_iov_v3(context, dce_style, ec, rrc, key, iov, iov_count, pkiov, pkiov_count) :
-        kg_translate_iov_v1(context, key, iov, iov_count, pkiov, pkiov_count);
+        kg_translate_iov_v3(context, dce_style, ec, rrc, enctype,
+                            iov, iov_count, pkiov, pkiov_count) :
+        kg_translate_iov_v1(context, enctype, iov, iov_count,
+                            pkiov, pkiov_count);
 }
 
 krb5_error_code
@@ -609,8 +610,9 @@ kg_encrypt_iov(context, proto, dce_style, ec, rrc, key, usage, iv, iov, iov_coun
         pivd = NULL;
     }
 
-    code = kg_translate_iov(context, proto, dce_style, ec, rrc, key,
-                            iov, iov_count, &kiov, &kiov_count);
+    code = kg_translate_iov(context, proto, dce_style, ec, rrc,
+                            key->keyblock.enctype, iov, iov_count,
+                            &kiov, &kiov_count);
     if (code == 0) {
         code = krb5_k_encrypt_iov(context, key, usage, pivd, kiov, kiov_count);
         free(kiov);
@@ -658,8 +660,9 @@ kg_decrypt_iov(context, proto, dce_style, ec, rrc, key, usage, iv, iov, iov_coun
         pivd = NULL;
     }
 
-    code = kg_translate_iov(context, proto, dce_style, ec, rrc, key,
-                            iov, iov_count, &kiov, &kiov_count);
+    code = kg_translate_iov(context, proto, dce_style, ec, rrc,
+                            key->keyblock.enctype, iov, iov_count,
+                            &kiov, &kiov_count);
     if (code == 0) {
         code = krb5_k_decrypt_iov(context, key, usage, pivd, kiov, kiov_count);
         free(kiov);
@@ -728,7 +731,7 @@ kg_arcfour_docrypt_iov (krb5_context context,
         goto cleanup_arcfour;
 
     code = kg_translate_iov(context, 0 /* proto */, 0 /* dce_style */,
-                            0 /* ec */, 0 /* rrc */, longterm_key,
+                            0 /* ec */, 0 /* rrc */, longterm_key->enctype,
                             iov, iov_count, &kiov, &kiov_count);
     if (code)
         goto cleanup_arcfour;

diff --git a/src/lib/gssapi/krb5/wrap_size_limit.c b/src/lib/gssapi/krb5/wrap_size_limit.c
index 0b90bba00b14a1cfcffba3376a239d53b935c6f1..2b62386dadc40edabc7c2e7ac708903b57b19bc0 100644 (file)
--- a/src/lib/gssapi/krb5/wrap_size_limit.c
+++ b/src/lib/gssapi/krb5/wrap_size_limit.c
@@ -165,7 +165,7 @@ krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag,
     /* Calculate the token size and subtract that from the output size */
     overhead = 7 + ctx->mech_used->length;
     data_size = req_output_size;
-    conflen = kg_confounder_size(ctx->k5_context, ctx->enc);
+    conflen = kg_confounder_size(ctx->k5_context, ctx->enc->keyblock.enctype);
     data_size = (conflen + data_size + 8) & (~(OM_uint32)7);
     ohlen = g_token_size(ctx->mech_used,
                          (unsigned int) (data_size + ctx->cksum_size + 14))