Diffstat (limited to 'lib/gssapi/krb5/arcfour.c')
-rw-r--r--lib/gssapi/krb5/arcfour.c70
1 files changed, 36 insertions, 34 deletions
diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
index d88ec4cddc53..aa03cbe41acb 100644
--- a/lib/gssapi/krb5/arcfour.c
+++ b/lib/gssapi/krb5/arcfour.c
@@ -177,7 +177,7 @@ arcfour_mic_cksum_iov(krb5_context context,
memcpy(ptr + ofs,
padding->buffer.value,
padding->buffer.length);
- ofs += padding->buffer.length;
+ /* ofs += padding->buffer.length; */
}
ret = krb5_crypto_init(context, key, 0, &crypto);
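Review bot: The increment is disabled by commenting it out as `/* ofs += padding->buffer.length; */`, which leaves dead code in a checksum routine with no explanation of why the offset no longer advances. If `ofs` is not read after the padding copy (the rest of arcfour_mic_cksum_iov is outside the hunk), delete the line outright. If it is kept to silence a dead-store warning, replace it with a comment that says so, for example `/* ofs is not used after the padding copy */`.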
@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
return GSS_S_FAILURE;
}
- cmp = ct_memcmp(cksum_data, p + 8, 8);
+ cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
if (cmp) {
*minor_status = 0;
return GSS_S_BAD_MIC;
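Review bot: The new comparison `cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);` inverts the MIC check, because the following `if (cmp)` now returns GSS_S_BAD_MIC when the checksums match and lets a mismatching checksum continue. The sequence-padding hunks in this commit use `!= 0` for the failure case, which implies ct_memcmp returns zero on equality like memcmp, so this line should be `cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);`. The SGN_CKSUM comparison in _gssapi_unwrap_arcfour (`ct_memcmp(cksum_data, p0 + 16, 8) == 0`) has the same inversion and needs the same fix. A regression test that corrupts one checksum byte of a valid token and expects GSS_S_BAD_MIC from both functions would catch this.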
@@ -385,9 +385,9 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
_gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
if (context_handle->more_flags & LOCAL)
- cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
+ cmp = (ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
else
- cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
+ cmp = (ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
memset_s(SND_SEQ, sizeof(SND_SEQ), 0, sizeof(SND_SEQ));
if (cmp != 0) {
@@ -656,9 +656,9 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
_gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
if (context_handle->more_flags & LOCAL)
- cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
+ cmp = (ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
else
- cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
+ cmp = (ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
if (cmp != 0) {
*minor_status = 0;
@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
return GSS_S_FAILURE;
}
- cmp = ct_memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */
+ cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
if (cmp) {
_gsskrb5_release_buffer(minor_status, output_message_buffer);
*minor_status = 0;
@@ -880,7 +880,13 @@ _gssapi_wrap_iov_length_arcfour(OM_uint32 *minor_status,
}
}
- major_status = _gk_verify_buffers(minor_status, ctx, header, padding, trailer);
+ if (header == NULL) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ major_status = _gk_verify_buffers(minor_status, ctx, header,
+ padding, trailer, FALSE);
if (major_status != GSS_S_COMPLETE) {
return major_status;
}
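Review bot: The trailing `FALSE` passed to _gk_verify_buffers is an unexplained boolean here and at the matching call in _gssapi_wrap_iov_arcfour; only the call in _gssapi_unwrap_iov_arcfour says what it means. Carry the same comment to both, for example `padding, trailer, FALSE); /* behaves as stream cipher */`, so a reader does not have to open the helper to learn which check is being switched off. The body of _gssapi_wrap_iov_length_arcfour starts and ends outside the hunk.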
@@ -937,7 +943,8 @@ _gssapi_wrap_iov_arcfour(OM_uint32 *minor_status,
padding = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING);
trailer = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
- major_status = _gk_verify_buffers(minor_status, ctx, header, padding, trailer);
+ major_status = _gk_verify_buffers(minor_status, ctx, header,
+ padding, trailer, FALSE);
if (major_status != GSS_S_COMPLETE) {
return major_status;
}
@@ -974,7 +981,7 @@ _gssapi_wrap_iov_arcfour(OM_uint32 *minor_status,
header_len -= data_len;
}
- if (GSS_IOV_BUFFER_FLAGS(header->type) & GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE) {
+ if (GSS_IOV_BUFFER_FLAGS(header->type) & GSS_IOV_BUFFER_FLAG_ALLOCATE) {
major_status = _gk_allocate_buffer(minor_status, header,
header_len);
if (major_status != GSS_S_COMPLETE)
@@ -988,7 +995,7 @@ _gssapi_wrap_iov_arcfour(OM_uint32 *minor_status,
}
if (padding) {
- if (GSS_IOV_BUFFER_FLAGS(padding->type) & GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE) {
+ if (GSS_IOV_BUFFER_FLAGS(padding->type) & GSS_IOV_BUFFER_FLAG_ALLOCATE) {
major_status = _gk_allocate_buffer(minor_status, padding, 1);
if (major_status != GSS_S_COMPLETE)
goto failure;
@@ -1181,10 +1188,11 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status,
/* Check if the packet is correct */
major_status = _gk_verify_buffers(minor_status,
- ctx,
- header,
- padding,
- trailer);
+ ctx,
+ header,
+ padding,
+ trailer,
+ FALSE); /* behaves as stream cipher */
if (major_status != GSS_S_COMPLETE) {
return major_status;
}
@@ -1194,15 +1202,19 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status,
return GSS_S_FAILURE;
}
- if (IS_DCE_STYLE(context)) {
- verify_len = GSS_ARCFOUR_WRAP_TOKEN_SIZE +
- GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE;
- if (header->buffer.length > verify_len) {
- return GSS_S_BAD_MECH;
+ verify_len = header->buffer.length;
+
+ if (!IS_DCE_STYLE(context)) {
+ for (i = 0; i < iov_count; i++) {
+ /* length in header also includes data and padding */
+ if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_DATA)
+ verify_len += iov[i].buffer.length;
}
- } else {
- verify_len = header->buffer.length;
+
+ if (padding)
+ verify_len += padding->buffer.length;
}
+
_p = header->buffer.value;
ret = _gssapi_verify_mech_header(&_p,
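Review bot: The DCE-style test `if (!IS_DCE_STYLE(context))` is made on `context`, while the other visible uses of the security context in _gssapi_unwrap_iov_arcfour go through `ctx` (`_gk_verify_buffers(minor_status, ctx, ...)` and `ctx->more_flags`). If `context` is the krb5 context rather than the GSS security context, the branch that decides how much data `verify_len` covers is selected from the wrong flags; confirm this against the declarations, which are outside the hunk, and use `if (!IS_DCE_STYLE(ctx)) {` if so. The commit also removes the old DCE upper bound on `header->buffer.length` (the GSS_S_BAD_MECH return) with no replacement visible here, so a comment naming where the header length is now bounded would help. The _gssapi_verify_mech_header call continues past the end of the hunk.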
@@ -1267,19 +1279,9 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status,
_gsskrb5_decode_be_om_uint32(snd_seq, &seq_number);
if (ctx->more_flags & LOCAL) {
- cmp = memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4);
- } else {
- cmp = memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4);
- }
- if (cmp != 0) {
- *minor_status = 0;
- return GSS_S_BAD_MIC;
- }
-
- if (ctx->more_flags & LOCAL) {
- cmp = memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4);
+ cmp = (ct_memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4) != 0);
} else {
- cmp = memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4);
+ cmp = (ct_memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4) != 0);
}
if (cmp != 0) {
*minor_status = 0;