diff --git a/source/heimdal/lib/des/rsa.h b/source/heimdal/lib/des/rsa.h
index ea1dba27d8a..137dd9894b6 100644
--- a/source/heimdal/lib/des/rsa.h
+++ b/source/heimdal/lib/des/rsa.h
@@ -32,7 +32,7 @@
 */
 /*
- * $Id: rsa.h,v 1.4 2006/04/16 19:38:23 lha Exp $
+ * $Id: rsa.h,v 1.5 2006/05/07 11:34:02 lha Exp $
 */
 #ifndef _HEIM_RSA_H
@@ -40,6 +40,7 @@
 /* symbol renaming */
 #define RSA_null_method hc_RSA_null_method
+#define RSA_imath_method hc_RSA_imath_method
 #define RSA_new hc_RSA_new
 #define RSA_new_method hc_RSA_new_method
 #define RSA_free hc_RSA_free
@@ -128,6 +129,7 @@ struct RSA {
 */
 const RSA_METHOD *RSA_null_method(void);
+const RSA_METHOD *RSA_imath_method(void);
 /*
 *
diff --git a/source/heimdal/lib/gssapi/8003.c b/source/heimdal/lib/gssapi/8003.c
index 73ecc90ea83..359bb6e7156 100644
--- a/source/heimdal/lib/gssapi/8003.c
+++ b/source/heimdal/lib/gssapi/8003.c
@@ -184,14 +184,9 @@ gssapi_krb5_verify_8003_checksum(
 *minor_status = 0;
 return GSS_S_BAD_BINDINGS;
 }
-
- if(cksum->cksumtype != CKSUMTYPE_GSSAPI) {
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
-
+
 /* XXX should handle checksums > 24 bytes */
- if(cksum->checksum.length < 24) {
+ if(cksum->cksumtype != CKSUMTYPE_GSSAPI || cksum->checksum.length < 24) {
 *minor_status = 0;
 return GSS_S_BAD_BINDINGS;
 }
diff --git a/source/heimdal/lib/gssapi/get_mic.c b/source/heimdal/lib/gssapi/get_mic.c
index fc9e9aa1a95..76f69cf41c3 100644
--- a/source/heimdal/lib/gssapi/get_mic.c
+++ b/source/heimdal/lib/gssapi/get_mic.c
@@ -33,7 +33,7 @@
 #include "gssapi_locl.h"
-RCSID("$Id: get_mic.c,v 1.30 2006/04/02 02:12:52 lha Exp $");
+RCSID("$Id: get_mic.c,v 1.31 2006/05/08 09:55:37 lha Exp $");
 static OM_uint32
 mic_des
@@ -172,6 +172,8 @@ mic_des3
 tmp = malloc (message_buffer->length + 8);
 if (tmp == NULL) {
 free (message_token->value);
+ message_token->value = NULL;
+ message_token->length = 0;
 *minor_status = ENOMEM;
 return GSS_S_FAILURE;
 }
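Review bot: The `/* XXX should handle checksums > 24 bytes */` comment in gssapi_krb5_verify_8003_checksum now sits above a condition that also rejects a wrong `cksumtype`, so nothing near the guard explains where the literal 24 comes from. This length check is presumably what keeps the field parsing that follows (outside the hunk) from reading past a short checksum, so it deserves a comment such as `/* RFC 1964 1.1.1: Lgth(4) + Bnd(16) + Flags(4) = 24 bytes minimum */`. Both failures still return GSS_S_BAD_BINDINGS with `*minor_status = 0`, so a caller or log reader cannot tell a malformed checksum from a real channel-binding mismatch; that predates this change, but merging the two tests makes it harder to separate them later. The function starts and ends outside the hunk.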
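Review bot: Only the `tmp == NULL` branch of mic_des3 resets `message_token` after freeing it; any later failure path that also frees `message_token->value` (the rest of the function is outside this hunk) would still leave the caller with a dangling pointer that a later release of the buffer could free a second time. The remaining error returns in mic_des3, and the corresponding ones in mic_des, should be checked and given the same two lines `message_token->value = NULL; message_token->length = 0;`. Separately, `message_buffer->length + 8` is unchecked size arithmetic on a caller-supplied length; a guard such as `if (message_buffer->length > SIZE_MAX - 8)` ahead of the malloc would rule out a wrapped allocation size.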
diff --git a/source/heimdal/lib/krb5/crypto.c b/source/heimdal/lib/krb5/crypto.c
index 1a37ec538b1..876cbb5192b 100644
--- a/source/heimdal/lib/krb5/crypto.c
+++ b/source/heimdal/lib/krb5/crypto.c
@@ -32,7 +32,7 @@
 */
 #include "krb5_locl.h"
-RCSID("$Id: crypto.c,v 1.135 2006/05/05 09:27:24 lha Exp $");
+RCSID("$Id: crypto.c,v 1.138 2006/05/08 13:47:24 lha Exp $");
 #undef CRYPTO_DEBUG
 #ifdef CRYPTO_DEBUG
@@ -70,7 +70,6 @@ struct krb5_crypto_data {
 #define F_PSEUDO 16 /* not a real protocol type */
 #define F_SPECIAL 32 /* backwards */
 #define F_DISABLED 64 /* enctype/checksum disabled */
-#define F_PADCMS 128 /* padding done like in CMS */
 struct salt_type {
 krb5_salttype type;
@@ -1957,7 +1956,9 @@ create_checksum (krb5_context context,
 }
 keyed_checksum = (ct->flags & F_KEYED) != 0;
 if(keyed_checksum && crypto == NULL) {
- krb5_clear_error_string (context);
+ krb5_set_error_string (context, "Checksum type %s is keyed "
+ "but no crypto context (key) was passed in",
+ ct->name);
 return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
 }
 if(keyed_checksum) {
@@ -2042,7 +2043,8 @@ verify_checksum(krb5_context context,
 }
 keyed_checksum = (ct->flags & F_KEYED) != 0;
 if(keyed_checksum && crypto == NULL) {
- krb5_set_error_string (context, "checksum type %s is keyed, and requires a crypto context",
+ krb5_set_error_string (context, "Checksum type %s is keyed "
+ "but no crypto context (key) was passed in",
 ct->name);
 return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
 }
@@ -2391,55 +2393,6 @@ AES_CTS_encrypt(krb5_context context,
 return 0;
 }
-static krb5_error_code
-AES_CBC_encrypt(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- krb5_boolean encryptp,
- int usage,
- void *ivec)
-{
- struct krb5_aes_schedule *aeskey = key->schedule->data;
- char local_ivec[AES_BLOCK_SIZE];
- AES_KEY *k;
-
- if (encryptp)
- k = &aeskey->ekey;
- else
- k = &aeskey->dkey;
-
- if(ivec == NULL) {
- ivec = &local_ivec;
- memset(local_ivec, 0, sizeof(local_ivec));
- }
- AES_cbc_encrypt(data, data, len, k, ivec, encryptp);
- return 0;
-}
-
-/*
- * RC2
- */
-
-static krb5_error_code
-RC2_CBC_encrypt(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- krb5_boolean encryptp,
- int usage,
- void *ivec)
-{
- unsigned char local_ivec[8];
- RC2_KEY *s = key->schedule->data;
- if(ivec == NULL) {
- ivec = &local_ivec;
- memset(local_ivec, 0, sizeof(local_ivec));
- }
- RC2_cbc_encrypt(data, data, len, s, ivec, encryptp);
- return 0;
-}
-
 /*
 * section 6 of draft-brezak-win2k-krb-rc4-hmac-03
 *
@@ -2764,51 +2717,6 @@ static struct encryption_type enctype_aes256_cts_hmac_sha1 = {
 F_DERIVED,
 AES_CTS_encrypt,
 };
-static unsigned aes_128_cbc_num[] = { 2, 16, 840, 1, 101, 3, 4, 1, 2 };
-static heim_oid aes_128_cbc_oid = kcrypto_oid_enc(aes_128_cbc_num);
-static struct encryption_type enctype_aes128_cbc_none = {
- ETYPE_AES128_CBC_NONE,
- "aes128-cbc-none",
- &aes_128_cbc_oid,
- 16,
- 16,
- 16,
- &keytype_aes128,
- &checksum_none,
- NULL,
- F_PSEUDO|F_PADCMS,
- AES_CBC_encrypt,
-};
-static unsigned aes_192_cbc_num[] = { 2, 16, 840, 1, 101, 3, 4, 1, 22 };
-static heim_oid aes_192_cbc_oid = kcrypto_oid_enc(aes_192_cbc_num);
-static struct encryption_type enctype_aes192_cbc_none = {
- ETYPE_AES192_CBC_NONE,
- "aes192-cbc-none",
- &aes_192_cbc_oid,
- 16,
- 16,
- 16,
- &keytype_aes192,
- &checksum_none,
- NULL,
- F_PSEUDO|F_PADCMS,
- AES_CBC_encrypt,
-};
-static unsigned aes_256_cbc_num[] = { 2, 16, 840, 1, 101, 3, 4, 1, 42 };
-static heim_oid aes_256_cbc_oid = kcrypto_oid_enc(aes_256_cbc_num);
-static struct encryption_type enctype_aes256_cbc_none = {
- ETYPE_AES256_CBC_NONE,
- "aes256-cbc-none",
- &aes_256_cbc_oid,
- 16,
- 16,
- 16,
- &keytype_aes256,
- &checksum_none,
- NULL,
- F_PSEUDO|F_PADCMS,
- AES_CBC_encrypt,
-};
 static struct encryption_type enctype_des_cbc_none = {
 ETYPE_DES_CBC_NONE,
 "des-cbc-none",
@@ -2848,21 +2756,6 @@ static struct encryption_type enctype_des_pcbc_none = {
 F_PSEUDO,
 DES_PCBC_encrypt_key_ivec,
 };
-static unsigned des_ede3_cbc_num[] = { 1, 2, 840, 113549, 3, 7 };
-static heim_oid des_ede3_cbc_oid = kcrypto_oid_enc(des_ede3_cbc_num);
-static struct encryption_type enctype_des3_cbc_none_cms = {
- ETYPE_DES3_CBC_NONE_CMS,
- "des3-cbc-none-cms",
- &des_ede3_cbc_oid,
- 8,
- 8,
- 0,
- &keytype_des3_derived,
- &checksum_none,
- NULL,
- F_PSEUDO|F_PADCMS,
- DES3_CBC_encrypt,
-};
 static struct encryption_type enctype_des3_cbc_none = {
 ETYPE_DES3_CBC_NONE,
 "des3-cbc-none",
@@ -2876,21 +2769,6 @@ static struct encryption_type enctype_des3_cbc_none = {
 F_PSEUDO,
 DES3_CBC_encrypt,
 };
-static unsigned rc2CBC_num[] = { 1, 2, 840, 113549, 3, 2 };
-static heim_oid rc2CBC_oid = kcrypto_oid_enc(rc2CBC_num);
-static struct encryption_type enctype_rc2_cbc_none = {
- ETYPE_RC2_CBC_NONE,
- "rc2-cbc-none",
- &rc2CBC_oid,
- 8,
- 8,
- 0,
- &keytype_rc2,
- &checksum_none,
- NULL,
- F_PSEUDO|F_PADCMS,
- RC2_CBC_encrypt,
-};
 static struct encryption_type *etypes[] = {
 &enctype_null,
@@ -2903,15 +2781,10 @@ static struct encryption_type *etypes[] = {
 &enctype_old_des3_cbc_sha1,
 &enctype_aes128_cts_hmac_sha1,
 &enctype_aes256_cts_hmac_sha1,
- &enctype_aes128_cbc_none,
- &enctype_aes192_cbc_none,
- &enctype_aes256_cbc_none,
 &enctype_des_cbc_none,
 &enctype_des_cfb64_none,
 &enctype_des_pcbc_none,
- &enctype_des3_cbc_none,
- &enctype_des3_cbc_none_cms,
- &enctype_rc2_cbc_none
+ &enctype_des3_cbc_none
 };
 static unsigned num_etypes = sizeof(etypes) / sizeof(etypes[0]);
@@ -3234,7 +3107,7 @@ encrypt_internal(krb5_context context,
 krb5_data *result,
 void *ivec)
 {
- size_t sz, block_sz, checksum_sz, padsize = 0;
+ size_t sz, block_sz, checksum_sz;
 Checksum cksum;
 unsigned char *p, *q;
 krb5_error_code ret;
@@ -3244,11 +3117,6 @@ encrypt_internal(krb5_context context,
 sz = et->confoundersize + checksum_sz + len;
 block_sz = (sz + et->padsize - 1) &~ (et->padsize - 1); /* pad */
- if ((et->flags & F_PADCMS) && et->padsize != 1) {
- padsize = et->padsize - (sz % et->padsize);
- if (padsize == et->padsize)
- block_sz += et->padsize;
- }
 p = calloc(1, block_sz);
 if(p == NULL) {
 krb5_set_error_string(context, "malloc: out of memory");
@@ -3281,12 +3149,6 @@ encrypt_internal(krb5_context context,
 ret = _key_schedule(context, &crypto->key, crypto->params);
 if(ret)
 goto fail;
- if (et->flags & F_PADCMS) {
- int i;
- q = p + len + checksum_sz + et->confoundersize;
- for (i = 0; i < padsize; i++)
- q[i] = padsize;
- }
 #ifdef CRYPTO_DEBUG
 krb5_crypto_debug(context, 1, block_sz, crypto->key.key);
 #endif
diff --git a/source/heimdal/lib/krb5/pkinit.c b/source/heimdal/lib/krb5/pkinit.c
index 7e91946095b..00f7b4ebd9b 100755
--- a/source/heimdal/lib/krb5/pkinit.c
+++ b/source/heimdal/lib/krb5/pkinit.c
@@ -33,7 +33,7 @@
 #include "krb5_locl.h"
-RCSID("$Id: pkinit.c,v 1.98 2006/05/06 13:24:54 lha Exp $");
+RCSID("$Id: pkinit.c,v 1.99 2006/05/07 12:32:38 lha Exp $");
 struct krb5_dh_moduli {
 char *name;
@@ -682,32 +682,10 @@ _krb5_pk_verify_sign(krb5_context context,
 goto out;
 }
- /* XXX */
- {
- hx509_cursor cursor;
-
- ret = hx509_certs_start_seq(id->hx509ctx,
- signer_certs,
- &cursor);
- if (ret) {
- krb5_clear_error_string(context);
- goto out;
- }
- ret = hx509_certs_next_cert(id->hx509ctx,
- signer_certs,
- cursor,
- &(*signer)->cert);
- if (ret) {
- krb5_clear_error_string(context);
- goto out;
- }
- ret = hx509_certs_end_seq(id->hx509ctx,
- signer_certs,
- cursor);
- if (ret) {
- krb5_clear_error_string(context);
- goto out;
- }
+ ret = hx509_get_one_cert(id->hx509ctx, signer_certs, &(*signer)->cert);
+ if (ret) {
+ krb5_clear_error_string(context);
+ goto out;
 }
 out:
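Review bot: The new `hx509_get_one_cert` call in _krb5_pk_verify_sign stores a single certificate from `signer_certs` into `(*signer)->cert`, but nothing in the hunk says what is expected when the set holds more than one certificate. Since this certificate presumably becomes the PKINIT signer identity used by later checks, the assumption should be written next to the call, e.g. `/* signer_certs is expected to hold exactly one cert; it is used as the signer identity */`, or enforced if the hx509 API offers a way to count the set. The failure branch also calls `krb5_clear_error_string(context)`, which discards the reason the lookup failed; setting a message with krb5_set_error_string, as the crypto.c hunks of this commit do, would make rejected PKINIT requests easier to diagnose. The function starts and ends outside the hunk.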