diff options
Diffstat (limited to 'src/lib/gssapi/krb5/wrap_size_limit.c')
-rw-r--r-- | src/lib/gssapi/krb5/wrap_size_limit.c | 25 |
1 files changed, 22 insertions, 3 deletions
diff --git a/src/lib/gssapi/krb5/wrap_size_limit.c b/src/lib/gssapi/krb5/wrap_size_limit.c index f240047103..59e8761873 100644 --- a/src/lib/gssapi/krb5/wrap_size_limit.c +++ b/src/lib/gssapi/krb5/wrap_size_limit.c @@ -111,9 +111,15 @@ krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag, /* No pseudo-ASN.1 wrapper overhead, so no sequence length and OID. */ OM_uint32 sz = req_output_size; + /* Token header: 16 octets. */ if (conf_req_flag) { - while (sz > 0 && krb5_encrypt_size(sz, ctx->enc->enctype) + 16 > req_output_size) + krb5_enctype enctype; + + enctype = ctx->have_acceptor_subkey ? ctx->acceptor_subkey->enctype + : ctx->subkey->enctype; + + while (sz > 0 && krb5_encrypt_size(sz, enctype) + 16 > req_output_size) sz--; /* Allow for encrypted copy of header. */ if (sz > 16) @@ -129,11 +135,24 @@ krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag, sz = 0; #endif } else { + krb5_cksumtype cksumtype; + krb5_error_code err; + size_t cksumsize; + + cksumtype = ctx->have_acceptor_subkey ? ctx->acceptor_subkey_cksumtype + : ctx->cksumtype; + + err = krb5_c_checksum_length(ctx->k5_context, cksumtype, &cksumsize); + if (err) { + *minor_status = err; + return GSS_S_FAILURE; + } + /* Allow for token header and checksum. */ - if (sz < 16 + ctx->cksum_size) + if (sz < 16 + cksumsize) sz = 0; else - sz -= (16 + ctx->cksum_size); + sz -= (16 + cksumsize); } *max_input_size = sz; |