From 11fcd1b94b801fae4ebee2d03f618a64b0834c2e Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Tue, 20 Oct 2009 14:23:32 +0000
Subject: [PATCH] Make some gss-krb5 utility functions take enctypes instead of keys, and adjust callers.
Fixes a bug where kg_arcfour_docrypt_iov was passing a keyblock instead of a key to kg_translate_iov after the enc-perf merge.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22956 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/gssapi/krb5/gssapiP_krb5.h | 4 +-
 src/lib/gssapi/krb5/k5seal.c | 5 ++-
 src/lib/gssapi/krb5/k5sealiov.c | 7 ++--
 src/lib/gssapi/krb5/k5unseal.c | 2 +-
 src/lib/gssapi/krb5/k5unsealiov.c | 5 ++-
 src/lib/gssapi/krb5/util_cksum.c | 2 +-
 src/lib/gssapi/krb5/util_crypt.c | 55 ++++++++++++++-------------
 src/lib/gssapi/krb5/wrap_size_limit.c | 2 +-
 8 files changed, 44 insertions(+), 38 deletions(-)
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 541a74554..3b8cc067c 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -277,10 +277,10 @@ kg_setup_keys(krb5_context context, krb5_key subkey, krb5_cksumtype *cksumtype);
-int kg_confounder_size (krb5_context context, krb5_key key);
+int kg_confounder_size (krb5_context context, krb5_enctype enctype);
 krb5_error_code kg_make_confounder (krb5_context context,
- krb5_key key, unsigned char *buf);
+ krb5_enctype enctype, unsigned char *buf);
 krb5_error_code kg_encrypt (krb5_context context, krb5_key key, int usage,
diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c
index 7a6e5aae8..d071462c1 100644
--- a/src/lib/gssapi/krb5/k5seal.c
+++ b/src/lib/gssapi/krb5/k5seal.c
@@ -90,7 +90,7 @@ make_seal_token_v1 (krb5_context context,
 /* create the token buffer */
 /* Do we need confounder? */
 if (do_encrypt || (!bigend && (toktype == KG_TOK_SEAL_MSG)))
- conflen = kg_confounder_size(context, enc);
+ conflen = kg_confounder_size(context, enc->keyblock.enctype);
 else conflen = 0;
 if (toktype == KG_TOK_SEAL_MSG) {
@@ -171,7 +171,8 @@ make_seal_token_v1 (krb5_context context,
 }
 if (conflen) {
- if ((code = kg_make_confounder(context, enc, plain))) {
+ if ((code = kg_make_confounder(context, enc->keyblock.enctype,
+ plain))) {
 xfree(plain);
 xfree(t);
 return(code);
diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c
index 1a9eac994..8eb5310c4 100644
--- a/src/lib/gssapi/krb5/k5sealiov.c
+++ b/src/lib/gssapi/krb5/k5sealiov.c
@@ -73,7 +73,7 @@ make_seal_token_v1_iov(krb5_context context,
 /* Determine confounder length */
 if (toktype == KG_TOK_WRAP_MSG || conf_req_flag)
- k5_headerlen = kg_confounder_size(context, ctx->enc);
+ k5_headerlen = kg_confounder_size(context, ctx->enc->keyblock.enctype);
 /* Check padding length */
 if (toktype == KG_TOK_WRAP_MSG) {
@@ -175,7 +175,8 @@ make_seal_token_v1_iov(krb5_context context,
 md5cksum.length = k5_trailerlen;
 if (k5_headerlen != 0) {
- code = kg_make_confounder(context, ctx->enc, ptr + 14 + ctx->cksum_size);
+ code = kg_make_confounder(context, ctx->enc->keyblock.enctype,
+ ptr + 14 + ctx->cksum_size);
 if (code != 0)
 goto cleanup;
 }
@@ -473,7 +474,7 @@ kg_seal_iov_length(OM_uint32 *minor_status,
 /* Header | Checksum | Confounder | Data | Pad */
 size_t data_size;
- k5_headerlen = kg_confounder_size(context, ctx->enc);
+ k5_headerlen = kg_confounder_size(context, ctx->enc->keyblock.enctype);
 data_size = 14 /* Header */ + ctx->cksum_size + k5_headerlen;
diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c
index 2ef59a722..e96dce89a 100644
--- a/src/lib/gssapi/krb5/k5unseal.c
+++ b/src/lib/gssapi/krb5/k5unseal.c
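Review bot: The new line `conflen = kg_confounder_size(context, enc->keyblock.enctype);` still uses the result without checking for the -1 that kg_confounder_size returns when krb5_c_block_size fails (visible in its util_crypt.c hunk), so a negative conflen would feed the token-size arithmetic that follows; make_seal_token_v1's body runs outside this hunk, so how far it propagates cannot be confirmed here. The same unchecked assignment recurs at the other call sites this commit touches: make_seal_token_v1_iov and kg_seal_iov_length in k5sealiov.c (where k5_headerlen is later added into a `size_t data_size`, so if k5_headerlen is an unsigned type -1 becomes a huge length), kg_unseal_v1 in k5unseal.c, kg_unseal_v1_iov and kg_unseal_stream_iov in k5unsealiov.c, kg_make_checksum_iov_v1 in util_cksum.c, kg_translate_iov_v1 in util_crypt.c and krb5_gss_wrap_size_limit in wrap_size_limit.c; only kg_make_confounder checks `if (confsize < 0)`. Because every caller passes the enctype of the context's own established key, a failure is presumably unreachable, but that reasoning deserves either a check such as `if (conflen < 0) return KRB5_BAD_MSIZE;` where the enclosing function returns a krb5_error_code, or a comment at the call site recording why -1 cannot happen.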
@@ -210,7 +210,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
 if ((sealalg == 0xffff) && ctx->big_endian) {
 token.length = tmsglen;
 } else {
- conflen = kg_confounder_size(context, ctx->enc);
+ conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype);
 token.length = tmsglen - conflen - plain[tmsglen-1];
 }
diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
index d09bf89a4..a9896c55b 100644
--- a/src/lib/gssapi/krb5/k5unsealiov.c
+++ b/src/lib/gssapi/krb5/k5unsealiov.c
@@ -180,7 +180,7 @@ kg_unseal_v1_iov(krb5_context context,
 goto cleanup;
 }
 }
- conflen = kg_confounder_size(context, ctx->enc);
+ conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype);
 }
 if (header->buffer.length != token_wrapper_len + 14 + cksum_len + conflen) {
@@ -557,7 +557,8 @@ kg_unseal_stream_iov(OM_uint32 *minor_status,
 case KG_TOK_MIC_MSG:
 case KG_TOK_WRAP_MSG:
 case KG_TOK_DEL_CTX:
- theader->buffer.length += ctx->cksum_size + kg_confounder_size(context, ctx->enc);
+ theader->buffer.length += ctx->cksum_size +
+ kg_confounder_size(context, ctx->enc->keyblock.enctype);
 /*
 * we can't set the padding accurately until decryption;
diff --git a/src/lib/gssapi/krb5/util_cksum.c b/src/lib/gssapi/krb5/util_cksum.c
index 9d4e08ff8..88a55bb81 100644
--- a/src/lib/gssapi/krb5/util_cksum.c
+++ b/src/lib/gssapi/krb5/util_cksum.c
@@ -137,7 +137,7 @@ kg_make_checksum_iov_v1(krb5_context context,
 /* Checksum over ( Header | Confounder | Data | Pad ) */
 if (toktype == KG_TOK_WRAP_MSG)
- conf_len = kg_confounder_size(context, enc);
+ conf_len = kg_confounder_size(context, enc->keyblock.enctype);
 /* Checksum output */
 kiov[i].flags = KRB5_CRYPTO_TYPE_CHECKSUM;
diff --git a/src/lib/gssapi/krb5/util_crypt.c b/src/lib/gssapi/krb5/util_crypt.c
index 53e420d9f..bfc5f500c 100644
--- a/src/lib/gssapi/krb5/util_crypt.c
+++ b/src/lib/gssapi/krb5/util_crypt.c
@@ -180,17 +180,16 @@ kg_setup_keys(krb5_context context,
 }
 int
-kg_confounder_size(context, key)
+kg_confounder_size(context, enctype)
 krb5_context context;
- krb5_key key;
+ krb5_enctype enctype;
 {
 krb5_error_code code;
 size_t blocksize;
 /* We special case rc4*/
- if (key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC ||
- key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
+ if (enctype == ENCTYPE_ARCFOUR_HMAC || enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
 return 8;
- code = krb5_c_block_size(context, key->keyblock.enctype, &blocksize);
+ code = krb5_c_block_size(context, enctype, &blocksize);
 if (code)
 return(-1); /* XXX */
@@ -198,15 +197,15 @@ kg_confounder_size(context, key)
 }
 krb5_error_code
-kg_make_confounder(context, key, buf)
+kg_make_confounder(context, enctype, buf)
 krb5_context context;
- krb5_key key;
+ krb5_enctype enctype;
 unsigned char *buf;
 {
 int confsize;
 krb5_data lrandom;
- confsize = kg_confounder_size(context, key);
+ confsize = kg_confounder_size(context, enctype);
 if (confsize < 0)
 return KRB5_BAD_MSIZE;
@@ -375,9 +374,9 @@ cleanup_arcfour:
 /* AEAD */
 static krb5_error_code
-kg_translate_iov_v1(context, key, iov, iov_count, pkiov, pkiov_count)
+kg_translate_iov_v1(context, enctype, iov, iov_count, pkiov, pkiov_count)
 krb5_context context;
- krb5_key key;
+ krb5_enctype enctype;
 gss_iov_buffer_desc *iov;
 int iov_count;
 krb5_crypto_iov **pkiov;
@@ -393,7 +392,7 @@ kg_translate_iov_v1(context, key, iov, iov_count, pkiov, pkiov_count)
 *pkiov = NULL;
 *pkiov_count = 0;
- conf_len = kg_confounder_size(context, key);
+ conf_len = kg_confounder_size(context, enctype);
 header = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
 assert(header != NULL);
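Review bot: kg_confounder_size still signals failure with `return(-1); /* XXX */`, but the new enctype-taking definition documents neither that sentinel nor that its success value is the enctype's block size, so the contract lives only in the body and callers have to read it to learn that the result can be negative. I would replace the XXX marker with a comment above the definition along the lines of `/* Return the confounder length in bytes for enctype (8 for RC4, otherwise the enctype's cipher block size), or -1 if the crypto library rejects the enctype; callers must test for -1 before using the result in length arithmetic. */`. The success return statement and the conversion from `size_t blocksize` to the int return type lie outside this hunk, so whether that narrowing is bounded cannot be checked here; block sizes are small, so it is presumably fine, but a short note on that would also belong in the comment.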
@@ -443,12 +442,12 @@ kg_translate_iov_v1(context, key, iov, iov_count, pkiov, pkiov_count)
 }
 static krb5_error_code
-kg_translate_iov_v3(context, dce_style, ec, rrc, key, iov, iov_count, pkiov, pkiov_count)
+kg_translate_iov_v3(context, dce_style, ec, rrc, enctype, iov, iov_count, pkiov, pkiov_count)
 krb5_context context;
 int dce_style; /* DCE_STYLE indicates actual RRC is EC + RRC */
 size_t ec; /* Extra rotate count for DCE_STYLE, pad length otherwise */
 size_t rrc; /* Rotate count */
- krb5_key key;
+ krb5_enctype enctype;
 gss_iov_buffer_desc *iov;
 int iov_count;
 krb5_crypto_iov **pkiov;
@@ -472,13 +471,13 @@ kg_translate_iov_v3(context, dce_style, ec, rrc, key, iov, iov_count, pkiov, pki
 trailer = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
 assert(trailer == NULL || rrc == 0);
- code = krb5_c_crypto_length(context, key->keyblock.enctype,
- KRB5_CRYPTO_TYPE_HEADER, &k5_headerlen);
+ code = krb5_c_crypto_length(context, enctype, KRB5_CRYPTO_TYPE_HEADER,
+ &k5_headerlen);
 if (code != 0)
 return code;
- code = krb5_c_crypto_length(context, key->keyblock.enctype,
- KRB5_CRYPTO_TYPE_TRAILER, &k5_trailerlen);
+ code = krb5_c_crypto_length(context, enctype, KRB5_CRYPTO_TYPE_TRAILER,
+ &k5_trailerlen);
 if (code != 0)
 return code;
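Review bot: The rewritten definition line `kg_translate_iov_v3(context, dce_style, ec, rrc, enctype, iov, iov_count, pkiov, pkiov_count)` is well over 80 columns, whereas the other lines this commit touches in util_crypt.c appear to be rewrapped precisely to stay within 80 (the two krb5_c_crypto_length calls in the second hunk here, for example). The same applies to the `kg_translate_iov(context, proto, dce_style, ec, rrc, enctype, iov, iov_count, pkiov, pkiov_count)` definition later in the file. Breaking the identifier list after `rrc, enctype,` and indenting the remainder under the opening parenthesis would keep the file's line-length convention consistent.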
@@ -558,21 +557,23 @@ kg_translate_iov_v3(context, dce_style, ec, rrc, key, iov, iov_count, pkiov, pki
 }
 static krb5_error_code
-kg_translate_iov(context, proto, dce_style, ec, rrc, key, iov, iov_count, pkiov, pkiov_count)
+kg_translate_iov(context, proto, dce_style, ec, rrc, enctype, iov, iov_count, pkiov, pkiov_count)
 krb5_context context;
 int proto; /* 1 if CFX, 0 for pre-CFX */
 int dce_style;
 size_t ec;
 size_t rrc;
- krb5_key key;
+ krb5_enctype enctype;
 gss_iov_buffer_desc *iov;
 int iov_count;
 krb5_crypto_iov **pkiov;
 size_t *pkiov_count;
 {
 return proto ?
- kg_translate_iov_v3(context, dce_style, ec, rrc, key, iov, iov_count, pkiov, pkiov_count) :
- kg_translate_iov_v1(context, key, iov, iov_count, pkiov, pkiov_count);
+ kg_translate_iov_v3(context, dce_style, ec, rrc, enctype,
+ iov, iov_count, pkiov, pkiov_count) :
+ kg_translate_iov_v1(context, enctype, iov, iov_count,
+ pkiov, pkiov_count);
 }
 krb5_error_code
@@ -609,8 +610,9 @@ kg_encrypt_iov(context, proto, dce_style, ec, rrc, key, usage, iv, iov, iov_coun
 pivd = NULL;
 }
- code = kg_translate_iov(context, proto, dce_style, ec, rrc, key,
- iov, iov_count, &kiov, &kiov_count);
+ code = kg_translate_iov(context, proto, dce_style, ec, rrc,
+ key->keyblock.enctype, iov, iov_count,
+ &kiov, &kiov_count);
 if (code == 0) {
 code = krb5_k_encrypt_iov(context, key, usage, pivd, kiov, kiov_count);
 free(kiov);
@@ -658,8 +660,9 @@ kg_decrypt_iov(context, proto, dce_style, ec, rrc, key, usage, iv, iov, iov_coun
 pivd = NULL;
 }
- code = kg_translate_iov(context, proto, dce_style, ec, rrc, key,
- iov, iov_count, &kiov, &kiov_count);
+ code = kg_translate_iov(context, proto, dce_style, ec, rrc,
+ key->keyblock.enctype, iov, iov_count,
+ &kiov, &kiov_count);
 if (code == 0) {
 code = krb5_k_decrypt_iov(context, key, usage, pivd, kiov, kiov_count);
 free(kiov);
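Review bot: kg_translate_iov, like kg_translate_iov_v1 and kg_translate_iov_v3, remains an old-style (K&R) definition with the parameter types listed separately, and unless a prototype is declared earlier in the file (not visible here) calls to these static helpers are not argument-type-checked; that is presumably how kg_arcfour_docrypt_iov could pass a krb5_keyblock where a krb5_key was expected, the bug this commit fixes, without any compiler diagnostic. The body is a pure ternary dispatch that only forwards its arguments, so nothing prevents converting the definition to prototype style, and doing the same for the v1/v3 helpers would let the compiler reject the next such mismatch; the callers in kg_encrypt_iov and kg_decrypt_iov already pass `key->keyblock.enctype`, a krb5_enctype, so they would compile unchanged. The parameter comments (`/* 1 if CFX, 0 for pre-CFX */` and the DCE_STYLE notes on the v3 helper) should move into a block comment above each definition so they survive the conversion. The exported kg_confounder_size and kg_make_confounder do receive prototypes from gssapiP_krb5.h, so only the static translate helpers are affected.
```c
/* proto: 1 if CFX, 0 for pre-CFX.  Picks the v3 or v1 iov translation. */
static krb5_error_code
kg_translate_iov(krb5_context context, int proto, int dce_style, size_t ec,
                 size_t rrc, krb5_enctype enctype, gss_iov_buffer_desc *iov,
                 int iov_count, krb5_crypto_iov **pkiov, size_t *pkiov_count)
{
    /* … unchanged: proto ? kg_translate_iov_v3(...) : kg_translate_iov_v1(...) … */
```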
@@ -728,7 +731,7 @@ kg_arcfour_docrypt_iov (krb5_context context,
 goto cleanup_arcfour;
 code = kg_translate_iov(context, 0 /* proto */, 0 /* dce_style */,
- 0 /* ec */, 0 /* rrc */, longterm_key,
+ 0 /* ec */, 0 /* rrc */, longterm_key->enctype,
 iov, iov_count, &kiov, &kiov_count);
 if (code)
 goto cleanup_arcfour;
diff --git a/src/lib/gssapi/krb5/wrap_size_limit.c b/src/lib/gssapi/krb5/wrap_size_limit.c
index 0b90bba00..2b62386da 100644
--- a/src/lib/gssapi/krb5/wrap_size_limit.c
+++ b/src/lib/gssapi/krb5/wrap_size_limit.c
@@ -165,7 +165,7 @@ krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag,
 /* Calculate the token size and subtract that from the output size */
 overhead = 7 + ctx->mech_used->length;
 data_size = req_output_size;
- conflen = kg_confounder_size(ctx->k5_context, ctx->enc);
+ conflen = kg_confounder_size(ctx->k5_context, ctx->enc->keyblock.enctype);
 data_size = (conflen + data_size + 8) & (~(OM_uint32)7);
 ohlen = g_token_size(ctx->mech_used, (unsigned int) (data_size + ctx->cksum_size + 14))
-- 
2.26.2