authorKen Raeburn <raeburn@mit.edu>2004-02-23 21:25:17 +0000
committerKen Raeburn <raeburn@mit.edu>2004-02-23 21:25:17 +0000
commit9197e316ed76a410df534437a07f48464544fa7c (patch)
tree8ea526cc6982267fdcb3150c60aeaacaa17a108b /src/lib/gssapi
parente8054b387f8e6600a754453d9422b7acc0a05032 (diff)
* wrap_size_limit.c (krb5_gss_wrap_size_limit): Fix calculation for
confidential CFX tokens. ticket: 2266 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16107 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/gssapi')
-rw-r--r--src/lib/gssapi/krb5/ChangeLog5
-rw-r--r--src/lib/gssapi/krb5/wrap_size_limit.c20
2 files changed, 19 insertions, 6 deletions
diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index 7a02d16fc..61dff02ff 100644
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,3 +1,8 @@
+2004-02-23 Ken Raeburn <raeburn@mit.edu>
+
+ * wrap_size_limit.c (krb5_gss_wrap_size_limit): Fix calculation
+ for confidential CFX tokens.
+
2004-02-09 Ken Raeburn <raeburn@mit.edu>
* ser_sctx.c (kg_oid_externalize): Check for errors.
diff --git a/src/lib/gssapi/krb5/wrap_size_limit.c b/src/lib/gssapi/krb5/wrap_size_limit.c
index 59bf30e4c..b91c7f759 100644
--- a/src/lib/gssapi/krb5/wrap_size_limit.c
+++ b/src/lib/gssapi/krb5/wrap_size_limit.c
@@ -118,19 +118,27 @@ krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag,
if (conf_req_flag) {
while (sz > 0 && krb5_encrypt_size(sz, ctx->enc->enctype) + 16 > req_output_size)
sz--;
+ /* Allow for encrypted copy of header. */
+ if (sz > 16)
+ sz -= 16;
+ else
+ sz = 0;
+#ifdef CFX_EXERCISE
+ /* Allow for EC padding. In the MIT implementation, only
+ added while testing. */
+ if (sz > 65535)
+ sz -= 65535;
+ else
+ sz = 0;
+#endif
} else {
+ /* Allow for token header and checksum. */
if (sz < 16 + ctx->cksum_size)
sz = 0;
else
sz -= (16 + ctx->cksum_size);
}
- /* While testing only! */
- if (sz < 65536)
- sz = 0;
- else
- sz -= 65535;
-
*max_input_size = sz;
*minor_status = 0;
return GSS_S_COMPLETE;
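Review bot: The literal `16` now carries two meanings in the confidential branch: the outer token header in the loop condition (`krb5_encrypt_size(sz, ...) + 16`) and the encrypted copy of that header subtracted just after it. It is used a third time in the `else` branch, so a later edit to one site can leave the limit too generous, which is the unsafe direction for a value callers use to size wrap input. A single named constant for the header length at all three sites would help, together with a comment on the loop such as `/* largest plaintext whose ciphertext plus the 16-byte token header fits */`. The `65535` under `CFX_EXERCISE` would also be clearer with a note that it is the largest value the 16-bit EC field can hold. The start of `krb5_gss_wrap_size_limit`, including the type and initial value of `sz`, is outside the hunk, so whether `krb5_encrypt_size(...) + 16` can wrap for very large requests cannot be judged from here.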