#include "gssapiP_krb5.h"
#ifdef HAVE_MEMORY_H
#include <memory.h>
#endif
krb5_error_code
kg_checksum_channel_bindings(krb5_context context, gss_channel_bindings_t cb,
krb5_checksum *cksum)
{
struct k5buf buf;
size_t sumlen;
krb5_data plaind;
krb5_error_code code;
code = krb5_c_checksum_length(context, CKSUMTYPE_RSA_MD5, &sumlen);
if (code)
return(code);
cksum->checksum_type = CKSUMTYPE_RSA_MD5;
cksum->length = sumlen;
cksum->magic = KV5M_CHECKSUM;
if (cb == GSS_C_NO_CHANNEL_BINDINGS) {
if ((cksum->contents = (krb5_octet *) xmalloc(cksum->length)) == NULL) {
return(ENOMEM);
}
memset(cksum->contents, '\0', cksum->length);
return(0);
}
k5_buf_init_dynamic(&buf);
k5_buf_add_uint32_le(&buf, cb->initiator_addrtype);
k5_buf_add_uint32_le(&buf, cb->initiator_address.length);
k5_buf_add_len(&buf, cb->initiator_address.value,
cb->initiator_address.length);
k5_buf_add_uint32_le(&buf, cb->acceptor_addrtype);
k5_buf_add_uint32_le(&buf, cb->acceptor_address.length);
k5_buf_add_len(&buf, cb->acceptor_address.value,
cb->acceptor_address.length);
k5_buf_add_uint32_le(&buf, cb->application_data.length);
k5_buf_add_len(&buf, cb->application_data.value,
cb->application_data.length);
code = k5_buf_status(&buf);
if (code)
return code;
plaind = make_data(buf.data, buf.len);
code = krb5_c_make_checksum(context, CKSUMTYPE_RSA_MD5, 0, 0,
&plaind, cksum);
k5_buf_free(&buf);
return code;
}
krb5_error_code
kg_make_checksum_iov_v1(krb5_context context,
krb5_cksumtype type,
size_t cksum_len,
krb5_key seq,
krb5_key enc,
krb5_keyusage sign_usage,
gss_iov_buffer_desc *iov,
int iov_count,
int toktype,
krb5_checksum *checksum)
{
krb5_error_code code;
gss_iov_buffer_desc *header;
krb5_crypto_iov *kiov;
int i = 0, j;
size_t conf_len = 0, token_header_len;
header = kg_locate_header_iov(iov, iov_count, toktype);
assert(header != NULL);
kiov = calloc(iov_count + 3, sizeof(krb5_crypto_iov));
if (kiov == NULL)
return ENOMEM;
if (toktype == KG_TOK_WRAP_MSG)
conf_len = kg_confounder_size(context, enc->keyblock.enctype);
kiov[i].flags = KRB5_CRYPTO_TYPE_CHECKSUM;
kiov[i].data.length = checksum->length;
kiov[i].data.data = xmalloc(checksum->length);
if (kiov[i].data.data == NULL) {
xfree(kiov);
return ENOMEM;
}
i++;
token_header_len = 16 + cksum_len + conf_len;
kiov[i].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;
kiov[i].data.length = 8;
kiov[i].data.data = (char *)header->buffer.value + header->buffer.length - token_header_len;
i++;
if (toktype == KG_TOK_WRAP_MSG) {
kiov[i].flags = KRB5_CRYPTO_TYPE_DATA;
kiov[i].data.length = conf_len;
kiov[i].data.data = (char *)header->buffer.value + header->buffer.length - conf_len;
i++;
}
for (j = 0; j < iov_count; j++) {
kiov[i].flags = kg_translate_flag_iov(iov[j].type);
kiov[i].data.length = iov[j].buffer.length;
kiov[i].data.data = (char *)iov[j].buffer.value;
i++;
}
code = krb5_k_make_checksum_iov(context, type, seq, sign_usage, kiov, i);
if (code == 0) {
checksum->length = kiov[0].data.length;
checksum->contents = (unsigned char *)kiov[0].data.data;
} else
free(kiov[0].data.data);
xfree(kiov);
return code;
}
static krb5_error_code
checksum_iov_v3(krb5_context context,
krb5_cksumtype type,
size_t rrc,
krb5_key key,
krb5_keyusage sign_usage,
gss_iov_buffer_desc *iov,
int iov_count,
int toktype,
krb5_boolean verify,
krb5_boolean *valid)
{
krb5_error_code code;
gss_iov_buffer_desc *header;
gss_iov_buffer_desc *trailer;
krb5_crypto_iov *kiov;
size_t kiov_count;
int i = 0, j;
unsigned int k5_checksumlen;
if (verify)
*valid = FALSE;
code = krb5_c_crypto_length(context, key->keyblock.enctype, KRB5_CRYPTO_TYPE_CHECKSUM, &k5_checksumlen);
if (code != 0)
return code;
header = kg_locate_header_iov(iov, iov_count, toktype);
assert(header != NULL);
trailer = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
assert(rrc != 0 || trailer != NULL);
if (trailer == NULL) {
if (rrc != k5_checksumlen)
return KRB5_BAD_MSIZE;
if (header->buffer.length != 16 + k5_checksumlen)
return KRB5_BAD_MSIZE;
} else if (trailer->buffer.length != k5_checksumlen)
return KRB5_BAD_MSIZE;
kiov_count = 2 + iov_count;
kiov = (krb5_crypto_iov *)xmalloc(kiov_count * sizeof(krb5_crypto_iov));
if (kiov == NULL)
return ENOMEM;
for (j = 0; j < iov_count; j++) {
kiov[i].flags = kg_translate_flag_iov(iov[j].type);
kiov[i].data.length = iov[j].buffer.length;
kiov[i].data.data = (char *)iov[j].buffer.value;
i++;
}
kiov[i].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;
kiov[i].data.length = 16;
kiov[i].data.data = (char *)header->buffer.value;
i++;
kiov[i].flags = KRB5_CRYPTO_TYPE_CHECKSUM;
if (trailer == NULL) {
kiov[i].data.length = header->buffer.length - 16;
kiov[i].data.data = (char *)header->buffer.value + 16;
} else {
kiov[i].data.length = trailer->buffer.length;
kiov[i].data.data = (char *)trailer->buffer.value;
}
i++;
if (verify)
code = krb5_k_verify_checksum_iov(context, type, key, sign_usage, kiov, kiov_count, valid);
else
code = krb5_k_make_checksum_iov(context, type, key, sign_usage, kiov, kiov_count);
xfree(kiov);
return code;
}
krb5_error_code
kg_make_checksum_iov_v3(krb5_context context,
krb5_cksumtype type,
size_t rrc,
krb5_key key,
krb5_keyusage sign_usage,
gss_iov_buffer_desc *iov,
int iov_count,
int toktype)
{
return checksum_iov_v3(context, type, rrc, key,
sign_usage, iov, iov_count, toktype, 0, NULL);
}
krb5_error_code
kg_verify_checksum_iov_v3(krb5_context context,
krb5_cksumtype type,
size_t rrc,
krb5_key key,
krb5_keyusage sign_usage,
gss_iov_buffer_desc *iov,
int iov_count,
int toktype,
krb5_boolean *valid)
{
return checksum_iov_v3(context, type, rrc, key,
sign_usage, iov, iov_count, toktype, 1, valid);
}
