authorSimo Sorce <simo@redhat.com>2013-10-17 00:57:55 -0400
committerSimo Sorce <simo@redhat.com>2013-10-18 16:29:51 -0400
commite3e42a950ada355a41f7dfa1fd4609ef4c102500 (patch)
treec0ae7b3df012bb01fc8a3f9a6a4e55c82b1cc911 /src/gss_signseal.c
parentfd8d8833e2f3496893c970550eecc6449b59b9d5 (diff)
Support connectionless signing and sealing.
In connectionless mode (GSS_C_DATAGRAM_FLAG on) sealing keys must be rotated for each message.
Diffstat (limited to 'src/gss_signseal.c')
-rw-r--r--src/gss_signseal.c72
1 files changed, 61 insertions, 11 deletions
diff --git a/src/gss_signseal.c b/src/gss_signseal.c
index 5828c2a..e8ec43a 100644
--- a/src/gss_signseal.c
+++ b/src/gss_signseal.c
@@ -20,9 +20,7 @@
#include <string.h>
#include <time.h>
-#include <gssapi/gssapi.h>
-#include <gssapi/gssapi_ext.h>
-
+#include "gssapi_ntlmssp.h"
#include "gss_ntlmssp.h"
uint32_t gssntlm_get_mic(uint32_t *minor_status,
@@ -50,6 +48,17 @@ uint32_t gssntlm_get_mic(uint32_t *minor_status,
return GSS_S_CALL_INACCESSIBLE_READ;
}
+ if (ctx->gss_flags & GSS_C_DATAGRAM_FLAG) {
+ /* must regenerate seal key */
+ retmin = ntlm_seal_regen(&ctx->send.seal_key,
+ &ctx->send.seal_handle,
+ ctx->send.seq_num);
+ if (retmin) {
+ *minor_status = retmin;
+ return GSS_S_FAILURE;
+ }
+ }
+
message_token->value = malloc(16);
if (!message_token->value) {
*minor_status = ENOMEM;
@@ -70,8 +79,10 @@ uint32_t gssntlm_get_mic(uint32_t *minor_status,
return GSS_S_FAILURE;
}
- /* increment seq_num upon succesful signature */
- ctx->send.seq_num++;
+ if (!(ctx->gss_flags & GSS_C_DATAGRAM_FLAG)) {
+ /* increment seq_num upon succesful signature */
+ ctx->send.seq_num++;
+ }
return GSS_S_COMPLETE;
}
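Review bot: Once the increment is skipped in datagram mode, nothing in this diff advances ctx->send.seq_num, so the ntlm_seal_regen call added earlier in gssntlm_get_mic is fed the same sequence number on every call and re-derives the same seal key; the per-message rotation the commit message describes only happens if some path outside this file sets seq_num before each message. If the application is expected to supply the sequence number in connectionless mode, that contract should be stated where the flag is handled, e.g. `/* datagram mode: seq_num is supplied per message by the caller and is not advanced here */`; otherwise the per-message source of seq_num needs to live in these functions, since a seal key re-derived from an unchanging counter gives no rotation at all. The same guard is added to gssntlm_verify_mic, gssntlm_wrap and gssntlm_unwrap in the later hunks and the point applies there too. The new comments also carry over the existing misspelling `succesful`.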
@@ -102,6 +113,17 @@ uint32_t gssntlm_verify_mic(uint32_t *minor_status,
*qop_state = GSS_C_QOP_DEFAULT;
}
+ if (ctx->gss_flags & GSS_C_DATAGRAM_FLAG) {
+ /* must regenerate seal key */
+ retmin = ntlm_seal_regen(&ctx->recv.seal_key,
+ &ctx->recv.seal_handle,
+ ctx->send.seq_num);
+ if (retmin) {
+ *minor_status = retmin;
+ return GSS_S_FAILURE;
+ }
+ }
+
message.data = message_buffer->value;
message.length = message_buffer->length;
retmin = ntlm_sign(&ctx->recv.sign_key, ctx->recv.seq_num,
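Review bot: The receive-side seal key is regenerated from ctx->send.seq_num, while the signature check two lines later is computed with ctx->recv.seq_num, so the seal handle used to verify may not correspond to the sequence number the peer signed under; `ctx->recv.seq_num);` looks like the intended argument. The gssntlm_unwrap hunk later in this diff regenerates ctx->recv.seal_key from ctx->send.seq_num in the same way. If the send counter is deliberately shared for both directions in datagram mode, a comment saying so at the regen call would stop the next reader from "fixing" it; as written the two sides of verify_mic disagree. The enclosing function continues past the end of this hunk.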
@@ -116,8 +138,10 @@ uint32_t gssntlm_verify_mic(uint32_t *minor_status,
return GSS_S_BAD_SIG;
}
- /* increment seq_num upon succesful signature */
- ctx->recv.seq_num++;
+ if (!(ctx->gss_flags & GSS_C_DATAGRAM_FLAG)) {
+ /* increment seq_num upon succesful signature */
+ ctx->recv.seq_num++;
+ }
return GSS_S_COMPLETE;
}
@@ -157,6 +181,17 @@ uint32_t gssntlm_wrap(uint32_t *minor_status,
/* ignore, always seal */
}
+ if (ctx->gss_flags & GSS_C_DATAGRAM_FLAG) {
+ /* must regenerate seal key */
+ retmin = ntlm_seal_regen(&ctx->send.seal_key,
+ &ctx->send.seal_handle,
+ ctx->send.seq_num);
+ if (retmin) {
+ *minor_status = retmin;
+ return GSS_S_FAILURE;
+ }
+ }
+
output_message_buffer->value = malloc(input_message_buffer->length + 16);
if (!output_message_buffer->value) {
*minor_status = ENOMEM;
@@ -179,8 +214,10 @@ uint32_t gssntlm_wrap(uint32_t *minor_status,
return GSS_S_FAILURE;
}
- /* increment seq_num upon succesful signature */
- ctx->send.seq_num++;
+ if (!(ctx->gss_flags & GSS_C_DATAGRAM_FLAG)) {
+ /* increment seq_num upon succesful encryption */
+ ctx->send.seq_num++;
+ }
return GSS_S_COMPLETE;
}
@@ -215,6 +252,17 @@ uint32_t gssntlm_unwrap(uint32_t *minor_status,
*qop_state = GSS_C_QOP_DEFAULT;
}
+ if (ctx->gss_flags & GSS_C_DATAGRAM_FLAG) {
+ /* must regenerate seal key */
+ retmin = ntlm_seal_regen(&ctx->recv.seal_key,
+ &ctx->recv.seal_handle,
+ ctx->send.seq_num);
+ if (retmin) {
+ *minor_status = retmin;
+ return GSS_S_FAILURE;
+ }
+ }
+
output_message_buffer->value = malloc(input_message_buffer->length - 16);
if (!output_message_buffer->value) {
*minor_status = ENOMEM;
@@ -240,7 +288,9 @@ uint32_t gssntlm_unwrap(uint32_t *minor_status,
return GSS_S_BAD_SIG;
}
- /* increment seq_num upon succesful signature */
- ctx->send.seq_num++;
+ if (!(ctx->gss_flags & GSS_C_DATAGRAM_FLAG)) {
+ /* increment seq_num upon succesful encryption */
+ ctx->recv.seq_num++;
+ }
return GSS_S_COMPLETE;
}