diff options
| author | Greg Hudson <ghudson@mit.edu> | 2014-03-10 23:01:40 -0400 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2014-03-18 11:58:50 -0400 |
| commit | 23a378046bd8122839e501b3e47bb807b66e1c03 (patch) | |
| tree | 1bcbee8c712ef83f410bbd7f2a7ee37d1792cde7 /src/lib/gssapi/krb5 | |
| parent | 40b105e2e6637d370025b4433dc9e1bda5d3950a (diff) | |
| download | krb5-23a378046bd8122839e501b3e47bb807b66e1c03.tar.gz krb5-23a378046bd8122839e501b3e47bb807b66e1c03.tar.xz krb5-23a378046bd8122839e501b3e47bb807b66e1c03.zip | |
Improve internal API for GSS sequence numbers
Use an opaque structure type instead of a void pointer for the
sequence number state. Rename all functions to use a g_seqstate
prefix rather than a mix of g_order and g_queue. Remove the
unneccessary indirection from the state object parameter in
g_seqstate_check and g_seqstate_free. Return OM_uint32 where we
return a GSS major code, long where we return an errno value, and void
where we can't fail.
Diffstat (limited to 'src/lib/gssapi/krb5')
| -rw-r--r-- | src/lib/gssapi/krb5/accept_sec_context.c | 11 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/delete_sec_context.c | 2 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/gssapiP_krb5.h | 2 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/init_sec_context.c | 26 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/k5sealv3.c | 4 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/k5sealv3iov.c | 4 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/k5unseal.c | 2 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/k5unsealiov.c | 2 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/ser_sctx.c | 32 |
9 files changed, 51 insertions, 34 deletions
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index f3a9803cc..af7f0dcd5 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c @@ -987,9 +987,14 @@ kg_accept_krb5(minor_status, context_handle, goto fail; } - g_order_init(&(ctx->seqstate), ctx->seq_recv, - (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, - (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0, ctx->proto); + code = g_seqstate_init(&ctx->seqstate, ctx->seq_recv, + (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, + (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0, + ctx->proto); + if (code) { + major_status = GSS_S_FAILURE; + goto fail; + } /* DCE_STYLE implies mutual authentication */ if (ctx->gss_flags & GSS_C_DCE_STYLE) diff --git a/src/lib/gssapi/krb5/delete_sec_context.c b/src/lib/gssapi/krb5/delete_sec_context.c index 2bc818a64..89228ca78 100644 --- a/src/lib/gssapi/krb5/delete_sec_context.c +++ b/src/lib/gssapi/krb5/delete_sec_context.c @@ -53,7 +53,7 @@ krb5_gss_delete_sec_context(minor_status, context_handle, output_token) /* free all the context state */ if (ctx->seqstate) - g_order_free(&(ctx->seqstate)); + g_seqstate_free(ctx->seqstate); if (ctx->enc) krb5_k_free_key(context, ctx->enc); diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h index ef71a5aa3..0b199814a 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -223,7 +223,7 @@ typedef struct _krb5_gss_ctx_id_rec { affects the wire encoding. */ uint64_t seq_send; uint64_t seq_recv; - void *seqstate; + g_seqnum_state seqstate; krb5_context k5_context; krb5_auth_context auth_context; gss_OID_desc *mech_used; diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index 1bc69ca31..dc4705329 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -639,6 +639,17 @@ kg_new_connection( if (code != 0) goto cleanup; + if (!(ctx->gss_flags & GSS_C_MUTUAL_FLAG)) { + /* There will be no AP-REP, so set up sequence state now. */ + ctx->seq_recv = ctx->seq_send; + code = g_seqstate_init(&ctx->seqstate, ctx->seq_recv, + (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, + (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0, + ctx->proto); + if (code != 0) + goto cleanup; + } + /* compute time_rec */ if (time_rec) { if ((code = krb5_timeofday(context, &now))) @@ -663,10 +674,6 @@ kg_new_connection( ctx->established = 0; major_status = GSS_S_CONTINUE_NEEDED; } else { - ctx->seq_recv = ctx->seq_send; - g_order_init(&(ctx->seqstate), ctx->seq_recv, - (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, - (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0, ctx->proto); ctx->gss_flags |= GSS_C_PROT_READY_FLAG; ctx->established = 1; major_status = GSS_S_COMPLETE; @@ -811,9 +818,14 @@ mutual_auth( /* store away the sequence number */ ctx->seq_recv = ap_rep_data->seq_number; - g_order_init(&(ctx->seqstate), ctx->seq_recv, - (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, - (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) !=0, ctx->proto); + code = g_seqstate_init(&ctx->seqstate, ctx->seq_recv, + (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, + (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0, + ctx->proto); + if (code) { + krb5_free_ap_rep_enc_part(context, ap_rep_data); + goto fail; + } if (ap_rep_data->subkey != NULL && (ctx->proto == 1 || (ctx->gss_flags & GSS_C_DCE_STYLE) || diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c index 429dc8e33..f3ade5e79 100644 --- a/src/lib/gssapi/krb5/k5sealv3.c +++ b/src/lib/gssapi/krb5/k5sealv3.c @@ -464,7 +464,7 @@ gss_krb5int_unseal_token_v3(krb5_context *contextptr, goto no_mem; memcpy(message_buffer->value, plain.data, message_buffer->length); } - err = g_order_check(&ctx->seqstate, seqnum); + err = g_seqstate_check(ctx->seqstate, seqnum); *minor_status = 0; return err; } else if (toktype == KG_TOK_MIC_MSG) { @@ -501,7 +501,7 @@ gss_krb5int_unseal_token_v3(krb5_context *contextptr, *minor_status = 0; return GSS_S_BAD_SIG; } - err = g_order_check(&ctx->seqstate, seqnum); + err = g_seqstate_check(ctx->seqstate, seqnum); *minor_status = 0; return err; } else if (toktype == KG_TOK_DEL_CTX) { diff --git a/src/lib/gssapi/krb5/k5sealv3iov.c b/src/lib/gssapi/krb5/k5sealv3iov.c index 1cf0c2e50..960f31b7e 100644 --- a/src/lib/gssapi/krb5/k5sealv3iov.c +++ b/src/lib/gssapi/krb5/k5sealv3iov.c @@ -428,7 +428,7 @@ gss_krb5int_unseal_v3_iov(krb5_context context, } } - code = g_order_check(&ctx->seqstate, seqnum); + code = g_seqstate_check(ctx->seqstate, seqnum); } else if (toktype == KG_TOK_MIC_MSG) { if (load_16_be(ptr) != KG2_TOK_MIC_MSG) goto defective; @@ -448,7 +448,7 @@ gss_krb5int_unseal_v3_iov(krb5_context context, *minor_status = code; return GSS_S_BAD_SIG; } - code = g_order_check(&ctx->seqstate, seqnum); + code = g_seqstate_check(ctx->seqstate, seqnum); } else if (toktype == KG_TOK_DEL_CTX) { if (load_16_be(ptr) != KG2_TOK_DEL_CTX) goto defective; diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c index ef7a745ca..30c12b91e 100644 --- a/src/lib/gssapi/krb5/k5unseal.c +++ b/src/lib/gssapi/krb5/k5unseal.c @@ -435,7 +435,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, return(GSS_S_BAD_SIG); } - retval = g_order_check(&(ctx->seqstate), (uint64_t)seqnum); + retval = g_seqstate_check(ctx->seqstate, (uint64_t)seqnum); /* success or ordering violation */ diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c index dc01180b1..f7828b89a 100644 --- a/src/lib/gssapi/krb5/k5unsealiov.c +++ b/src/lib/gssapi/krb5/k5unsealiov.c @@ -280,7 +280,7 @@ kg_unseal_v1_iov(krb5_context context, } code = 0; - retval = g_order_check(&ctx->seqstate, (uint64_t)seqnum); + retval = g_seqstate_check(ctx->seqstate, (uint64_t)seqnum); cleanup: krb5_free_checksum_contents(context, &md5cksum); diff --git a/src/lib/gssapi/krb5/ser_sctx.c b/src/lib/gssapi/krb5/ser_sctx.c index 8f86acc95..79c4c710e 100644 --- a/src/lib/gssapi/krb5/ser_sctx.c +++ b/src/lib/gssapi/krb5/ser_sctx.c @@ -150,25 +150,25 @@ kg_oid_size(kcontext, arg, sizep) } static krb5_error_code -kg_queue_externalize(kcontext, arg, buffer, lenremain) +kg_seqstate_externalize(kcontext, arg, buffer, lenremain) krb5_context kcontext; - krb5_pointer arg; + g_seqnum_state arg; krb5_octet **buffer; size_t *lenremain; { krb5_error_code err; err = krb5_ser_pack_int32(KV5M_GSS_QUEUE, buffer, lenremain); if (err == 0) - err = g_queue_externalize(arg, buffer, lenremain); + err = g_seqstate_externalize(arg, buffer, lenremain); if (err == 0) err = krb5_ser_pack_int32(KV5M_GSS_QUEUE, buffer, lenremain); return err; } static krb5_error_code -kg_queue_internalize(kcontext, argp, buffer, lenremain) +kg_seqstate_internalize(kcontext, argp, buffer, lenremain) krb5_context kcontext; - krb5_pointer *argp; + g_seqnum_state *argp; krb5_octet **buffer; size_t *lenremain; { @@ -187,18 +187,18 @@ kg_queue_internalize(kcontext, argp, buffer, lenremain) if (ibuf != KV5M_GSS_QUEUE) return (EINVAL); - err = g_queue_internalize(argp, &bp, &remain); + err = g_seqstate_internalize(argp, &bp, &remain); if (err) return err; /* Read in and check our trailing magic number */ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) { - g_order_free(argp); + g_seqstate_free(*argp); return (EINVAL); } if (ibuf != KV5M_GSS_QUEUE) { - g_order_free(argp); + g_seqstate_free(*argp); return (EINVAL); } @@ -208,9 +208,9 @@ kg_queue_internalize(kcontext, argp, buffer, lenremain) } static krb5_error_code -kg_queue_size(kcontext, arg, sizep) +kg_seqstate_size(kcontext, arg, sizep) krb5_context kcontext; - krb5_pointer arg; + g_seqnum_state arg; size_t *sizep; { krb5_error_code kret; @@ -219,7 +219,7 @@ kg_queue_size(kcontext, arg, sizep) kret = EINVAL; if (arg) { required = 2*sizeof(krb5_int32); /* For the header and trailer */ - g_queue_size(arg, &required); + g_seqstate_size(arg, &required); kret = 0; *sizep += required; @@ -319,7 +319,7 @@ kg_ctx_size(kcontext, arg, sizep) &required); if (!kret && ctx->seqstate) - kret = kg_queue_size(kcontext, ctx->seqstate, &required); + kret = kg_seqstate_size(kcontext, ctx->seqstate, &required); if (!kret) kret = krb5_size_opaque(kcontext, @@ -468,8 +468,8 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain) &bp, &remain); if (!kret && ctx->seqstate) - kret = kg_queue_externalize(kcontext, - ctx->seqstate, &bp, &remain); + kret = kg_seqstate_externalize(kcontext, + ctx->seqstate, &bp, &remain); if (!kret) kret = krb5_externalize_opaque(kcontext, @@ -695,8 +695,8 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain) } if (!kret) { - kret = kg_queue_internalize(kcontext, &ctx->seqstate, - &bp, &remain); + kret = kg_seqstate_internalize(kcontext, &ctx->seqstate, + &bp, &remain); if (kret == EINVAL) kret = 0; } |