author | Luke Howard <lukeh@padl.com> | 2009-11-15 14:30:59 +0000 |
committer | Luke Howard <lukeh@padl.com> | 2009-11-15 14:30:59 +0000 |
commit | 5900748a40f147861b8b96592df85e596d929472 (patch) | |
tree | 0e72b532e1391a90b2aa8a04bdef7506846f531b | |
parent | a75d41ab900358d1afdc6514e5f2ba69436f6270 (diff) | |
checkpoint
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/iakerb@23192 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/lib/gssapi/krb5/gssapiP_krb5.h | 2 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/init_sec_context.c | 48 |
2 files changed, 41 insertions, 9 deletions
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index d5edb99..0240e69 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -1155,4 +1155,6 @@ iakerb_verify_finished(krb5_context context,
 const krb5_data *conv,
 const krb5_data *finished);
+#define KRB5_GSS_EXTS_IAKERB_FINISHED 1
+
 #endif /* _GSSAPIP_KRB5_H_ */
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index f3dfbcc..8aa8622 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -232,6 +232,7 @@ struct gss_checksum_data {
 krb5_gss_cred_id_t cred;
 krb5_checksum md5;
 krb5_data checksum_data;
+ krb5_gss_ctx_ext_t exts;
 };
 #ifdef CFX_EXERCISE
@@ -247,6 +248,8 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
 struct gss_checksum_data *data = cksum_data;
 krb5_data credmsg;
 unsigned int junk;
+ krb5_data *finished = NULL;
+ krb5_keyblock *subkey = NULL;
 data->checksum_data.data = 0;
 credmsg.data = 0;
@@ -279,8 +282,8 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
 data->checksum_data.length = 24;
 } else {
 if (credmsg.length+28 > KRB5_INT16_MAX) {
- krb5_free_data_contents(context, &credmsg);
- return(KRB5KRB_ERR_FIELD_TOOLONG);
+ code = KRB5KRB_ERR_FIELD_TOOLONG;
+ goto cleanup;
 }
 data->checksum_data.length = 28+credmsg.length;
@@ -302,6 +305,26 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
 junk = 0;
 #endif
+ if (data->exts && data->exts->iakerb_conv) {
+ krb5_cksumtype cksumtype;
+
+ code = krb5_auth_con_getsendsubkey(context, auth_context, &subkey);
+ if (code != 0)
+ goto cleanup;
+
+ code = krb5int_c_mandatory_cksumtype(context, subkey->enctype,
+ &cksumtype);
+ if (code != 0)
+ goto cleanup;
+
+ code = iakerb_make_finished(context, cksumtype, subkey,
+ data->exts->iakerb_conv, &finished);
+ if (code != 0)
+ goto cleanup;
+
+ data->checksum_data.length += 8 + finished->length;
+ }
+
 data->checksum_data.length += junk;
 /* now allocate a buffer to hold the checksum data and
@@ -309,9 +332,8 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
 if ((data->checksum_data.data =
 (char *) xmalloc(data->checksum_data.length)) == NULL) {
- if (credmsg.data)
- krb5_free_data_contents(context, &credmsg);
- return(ENOMEM);
+ code = ENOMEM;
+ goto cleanup;
 }
 ptr = (unsigned char *)data->checksum_data.data;
@@ -327,14 +349,21 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
 TWRITE_INT16(ptr, KRB5_GSS_FOR_CREDS_OPTION, 0);
 TWRITE_INT16(ptr, credmsg.length, 0);
 TWRITE_STR(ptr, credmsg.data, credmsg.length);
-
- /* free credmsg data */
- krb5_free_data_contents(context, &credmsg);
+ }
+ if (data->exts && data->exts->iakerb_conv) {
+ TWRITE_INT(ptr, KRB5_GSS_EXTS_IAKERB_FINISHED, 1);
+ TWRITE_INT(ptr, finished->length, 1);
+ TWRITE_STR(ptr, finished->data, finished->length);
 }
 if (junk)
 memset(ptr, 'i', junk);
 *out = &data->checksum_data;
- return 0;
+ code = 0;
+cleanup:
+ krb5_free_data_contents(context, &credmsg);
+ krb5_free_keyblock(context, subkey);
+ krb5_free_data(context, finished);
+ return code;
 }
 static krb5_error_code
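Review bot: `subkey->enctype` is dereferenced as soon as `krb5_auth_con_getsendsubkey` returns 0, but as far as I can tell that call can succeed and leave `subkey` NULL when no send subkey has been set on the auth context, so the IAKERB branch would crash rather than fail cleanly. Adding `if (subkey == NULL) { code = EINVAL; goto cleanup; }` before the `krb5int_c_mandatory_cksumtype` call closes that hole, using whichever error code this module prefers for a missing key; even if the GSS caller always requests a subkey, the check is free. A short comment on `data->checksum_data.length += 8 + finished->length;`, e.g. `/* 4-byte extension type + 4-byte length, see the TWRITE_INT calls below */`, would tie the constant to the encoding it reserves space for. make_gss_checksum starts before and ends after this hunk.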
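Review bot: The write of the IAKERB finished extension is gated on `data->exts && data->exts->iakerb_conv` a second time instead of on the `finished` object that the earlier length computation actually produced, so the two halves stay consistent only by convention; `if (finished != NULL) {` would make the dependency explicit and keep `finished->length` safe if the earlier block is ever changed. The extension type and length are written big-endian via `TWRITE_INT(..., 1)` while the legacy delegation fields just above use `TWRITE_INT16(..., 0)`, which deserves a one-line comment such as `/* extensions are big-endian, unlike the legacy fields above */`. The `cleanup:` label frees `subkey` and `finished` unconditionally, which relies on `krb5_free_keyblock` and `krb5_free_data` tolerating NULL; if that is intended, a brief comment on the label would prevent a future "fix" that adds redundant guards or, worse, removes the NULL initialisations.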
@@ -374,6 +403,7 @@ make_ap_req_v1(context, ctx, cred, k_cred, ad_context,
 cksum_struct.ctx = ctx;
 cksum_struct.cred = cred;
 cksum_struct.checksum_data.data = NULL;
+ cksum_struct.exts = exts;
 switch (k_cred->keyblock.enctype) {
 case ENCTYPE_DES_CBC_CRC:
 case ENCTYPE_DES_CBC_MD4: