From b88a443caf2e96814fa831fa62fe2022bf0c8f08 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 23 Apr 2015 14:51:00 -0400 Subject: Revert "Use aes-256-gcm rather than aes-128-cbc" This reverts commit e9c92795d87a316ea47f6bf37c9636e86eec57e7. AESGCM is a neat idea but it is not really appropriate to be used in mod_auth_gssapi because we cannot gurantee that the nonce will never be reused. It is not very probable, and it is also not easy to force the server to generate so many encyrpted sessions to have a good chance of a collision that I know of, but better to avoid the whole issue, than risk unforseen cases where it may happen. --- src/mod_auth_gssapi.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'src/mod_auth_gssapi.c') diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index 9cb53ec..db33853 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -668,7 +668,7 @@ static const char *mag_use_s4u2p(cmd_parms *parms, void *mconfig, int on) static const char *mag_sess_key(cmd_parms *parms, void *mconfig, const char *w) { struct mag_config *cfg = (struct mag_config *)mconfig; - struct databuf key; + struct databuf keys; unsigned char *val; apr_status_t rc; const char *k; @@ -689,16 +689,16 @@ static const char *mag_sess_key(cmd_parms *parms, void *mconfig, const char *w) return NULL; } - key.length = (int)apr_base64_decode_binary(val, k); - key.value = (unsigned char *)val; + keys.length = (int)apr_base64_decode_binary(val, k); + keys.value = (unsigned char *)val; - if (key.length < 32) { + if (keys.length != 32) { ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, - "Invalid key length, expected >=32 got %d", key.length); + "Invalid key lenght, expected 32 got %d", keys.length); return NULL; } - rc = SEAL_KEY_CREATE(cfg->pool, &cfg->mag_skey, &key); + rc = SEAL_KEY_CREATE(cfg->pool, &cfg->mag_skey, &keys); if (rc != OK) { ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, parms->server, "Failed to import sealing key!"); -- cgit