summaryrefslogtreecommitdiff
path: root/source4/heimdal
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2006-05-08 23:30:40 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:05:45 -0500
commitbfff6b0e640b3b3456ec1d9d26da0bd80a08585f (patch)
tree5c4b3154252464e0dc12f8cda6f109b98493724f /source4/heimdal
parentd4b8cb0bb502f6daf0ddf93837779e0a805af7d7 (diff)
downloadsamba-bfff6b0e640b3b3456ec1d9d26da0bd80a08585f.tar.gz
samba-bfff6b0e640b3b3456ec1d9d26da0bd80a08585f.tar.bz2
samba-bfff6b0e640b3b3456ec1d9d26da0bd80a08585f.zip
r15515: Syncronsise with current lorikeet-heimdal.
Andrew Bartlett (This used to be commit 0132312124260f74001546a34ff96db89d72b7f6)
Diffstat (limited to 'source4/heimdal')
-rw-r--r--source4/heimdal/lib/des/rsa.h4
-rw-r--r--source4/heimdal/lib/gssapi/8003.c9
-rw-r--r--source4/heimdal/lib/gssapi/get_mic.c4
-rw-r--r--source4/heimdal/lib/krb5/crypto.c154
-rwxr-xr-xsource4/heimdal/lib/krb5/pkinit.c32
5 files changed, 21 insertions, 182 deletions
diff --git a/source4/heimdal/lib/des/rsa.h b/source4/heimdal/lib/des/rsa.h
index ea1dba27d8..137dd9894b 100644
--- a/source4/heimdal/lib/des/rsa.h
+++ b/source4/heimdal/lib/des/rsa.h
@@ -32,7 +32,7 @@
*/
/*
- * $Id: rsa.h,v 1.4 2006/04/16 19:38:23 lha Exp $
+ * $Id: rsa.h,v 1.5 2006/05/07 11:34:02 lha Exp $
*/
#ifndef _HEIM_RSA_H
@@ -40,6 +40,7 @@
/* symbol renaming */
#define RSA_null_method hc_RSA_null_method
+#define RSA_imath_method hc_RSA_imath_method
#define RSA_new hc_RSA_new
#define RSA_new_method hc_RSA_new_method
#define RSA_free hc_RSA_free
@@ -128,6 +129,7 @@ struct RSA {
*/
const RSA_METHOD *RSA_null_method(void);
+const RSA_METHOD *RSA_imath_method(void);
/*
*
diff --git a/source4/heimdal/lib/gssapi/8003.c b/source4/heimdal/lib/gssapi/8003.c
index 73ecc90ea8..359bb6e715 100644
--- a/source4/heimdal/lib/gssapi/8003.c
+++ b/source4/heimdal/lib/gssapi/8003.c
@@ -184,14 +184,9 @@ gssapi_krb5_verify_8003_checksum(
*minor_status = 0;
return GSS_S_BAD_BINDINGS;
}
-
- if(cksum->cksumtype != CKSUMTYPE_GSSAPI) {
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
-
+
/* XXX should handle checksums > 24 bytes */
- if(cksum->checksum.length < 24) {
+ if(cksum->cksumtype != CKSUMTYPE_GSSAPI || cksum->checksum.length < 24) {
*minor_status = 0;
return GSS_S_BAD_BINDINGS;
}
diff --git a/source4/heimdal/lib/gssapi/get_mic.c b/source4/heimdal/lib/gssapi/get_mic.c
index fc9e9aa1a9..76f69cf41c 100644
--- a/source4/heimdal/lib/gssapi/get_mic.c
+++ b/source4/heimdal/lib/gssapi/get_mic.c
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: get_mic.c,v 1.30 2006/04/02 02:12:52 lha Exp $");
+RCSID("$Id: get_mic.c,v 1.31 2006/05/08 09:55:37 lha Exp $");
static OM_uint32
mic_des
@@ -172,6 +172,8 @@ mic_des3
tmp = malloc (message_buffer->length + 8);
if (tmp == NULL) {
free (message_token->value);
+ message_token->value = NULL;
+ message_token->length = 0;
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c
index 1a37ec538b..876cbb5192 100644
--- a/source4/heimdal/lib/krb5/crypto.c
+++ b/source4/heimdal/lib/krb5/crypto.c
@@ -32,7 +32,7 @@
*/
#include "krb5_locl.h"
-RCSID("$Id: crypto.c,v 1.135 2006/05/05 09:27:24 lha Exp $");
+RCSID("$Id: crypto.c,v 1.138 2006/05/08 13:47:24 lha Exp $");
#undef CRYPTO_DEBUG
#ifdef CRYPTO_DEBUG
@@ -70,7 +70,6 @@ struct krb5_crypto_data {
#define F_PSEUDO 16 /* not a real protocol type */
#define F_SPECIAL 32 /* backwards */
#define F_DISABLED 64 /* enctype/checksum disabled */
-#define F_PADCMS 128 /* padding done like in CMS */
struct salt_type {
krb5_salttype type;
@@ -1957,7 +1956,9 @@ create_checksum (krb5_context context,
}
keyed_checksum = (ct->flags & F_KEYED) != 0;
if(keyed_checksum && crypto == NULL) {
- krb5_clear_error_string (context);
+ krb5_set_error_string (context, "Checksum type %s is keyed "
+ "but no crypto context (key) was passed in",
+ ct->name);
return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
}
if(keyed_checksum) {
@@ -2042,7 +2043,8 @@ verify_checksum(krb5_context context,
}
keyed_checksum = (ct->flags & F_KEYED) != 0;
if(keyed_checksum && crypto == NULL) {
- krb5_set_error_string (context, "checksum type %s is keyed, and requires a crypto context",
+ krb5_set_error_string (context, "Checksum type %s is keyed "
+ "but no crypto context (key) was passed in",
ct->name);
return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
}
@@ -2391,55 +2393,6 @@ AES_CTS_encrypt(krb5_context context,
return 0;
}
-static krb5_error_code
-AES_CBC_encrypt(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- krb5_boolean encryptp,
- int usage,
- void *ivec)
-{
- struct krb5_aes_schedule *aeskey = key->schedule->data;
- char local_ivec[AES_BLOCK_SIZE];
- AES_KEY *k;
-
- if (encryptp)
- k = &aeskey->ekey;
- else
- k = &aeskey->dkey;
-
- if(ivec == NULL) {
- ivec = &local_ivec;
- memset(local_ivec, 0, sizeof(local_ivec));
- }
- AES_cbc_encrypt(data, data, len, k, ivec, encryptp);
- return 0;
-}
-
-/*
- * RC2
- */
-
-static krb5_error_code
-RC2_CBC_encrypt(krb5_context context,
- struct key_data *key,
- void *data,
- size_t len,
- krb5_boolean encryptp,
- int usage,
- void *ivec)
-{
- unsigned char local_ivec[8];
- RC2_KEY *s = key->schedule->data;
- if(ivec == NULL) {
- ivec = &local_ivec;
- memset(local_ivec, 0, sizeof(local_ivec));
- }
- RC2_cbc_encrypt(data, data, len, s, ivec, encryptp);
- return 0;
-}
-
/*
* section 6 of draft-brezak-win2k-krb-rc4-hmac-03
*
@@ -2764,51 +2717,6 @@ static struct encryption_type enctype_aes256_cts_hmac_sha1 = {
F_DERIVED,
AES_CTS_encrypt,
};
-static unsigned aes_128_cbc_num[] = { 2, 16, 840, 1, 101, 3, 4, 1, 2 };
-static heim_oid aes_128_cbc_oid = kcrypto_oid_enc(aes_128_cbc_num);
-static struct encryption_type enctype_aes128_cbc_none = {
- ETYPE_AES128_CBC_NONE,
- "aes128-cbc-none",
- &aes_128_cbc_oid,
- 16,
- 16,
- 16,
- &keytype_aes128,
- &checksum_none,
- NULL,
- F_PSEUDO|F_PADCMS,
- AES_CBC_encrypt,
-};
-static unsigned aes_192_cbc_num[] = { 2, 16, 840, 1, 101, 3, 4, 1, 22 };
-static heim_oid aes_192_cbc_oid = kcrypto_oid_enc(aes_192_cbc_num);
-static struct encryption_type enctype_aes192_cbc_none = {
- ETYPE_AES192_CBC_NONE,
- "aes192-cbc-none",
- &aes_192_cbc_oid,
- 16,
- 16,
- 16,
- &keytype_aes192,
- &checksum_none,
- NULL,
- F_PSEUDO|F_PADCMS,
- AES_CBC_encrypt,
-};
-static unsigned aes_256_cbc_num[] = { 2, 16, 840, 1, 101, 3, 4, 1, 42 };
-static heim_oid aes_256_cbc_oid = kcrypto_oid_enc(aes_256_cbc_num);
-static struct encryption_type enctype_aes256_cbc_none = {
- ETYPE_AES256_CBC_NONE,
- "aes256-cbc-none",
- &aes_256_cbc_oid,
- 16,
- 16,
- 16,
- &keytype_aes256,
- &checksum_none,
- NULL,
- F_PSEUDO|F_PADCMS,
- AES_CBC_encrypt,
-};
static struct encryption_type enctype_des_cbc_none = {
ETYPE_DES_CBC_NONE,
"des-cbc-none",
@@ -2848,21 +2756,6 @@ static struct encryption_type enctype_des_pcbc_none = {
F_PSEUDO,
DES_PCBC_encrypt_key_ivec,
};
-static unsigned des_ede3_cbc_num[] = { 1, 2, 840, 113549, 3, 7 };
-static heim_oid des_ede3_cbc_oid = kcrypto_oid_enc(des_ede3_cbc_num);
-static struct encryption_type enctype_des3_cbc_none_cms = {
- ETYPE_DES3_CBC_NONE_CMS,
- "des3-cbc-none-cms",
- &des_ede3_cbc_oid,
- 8,
- 8,
- 0,
- &keytype_des3_derived,
- &checksum_none,
- NULL,
- F_PSEUDO|F_PADCMS,
- DES3_CBC_encrypt,
-};
static struct encryption_type enctype_des3_cbc_none = {
ETYPE_DES3_CBC_NONE,
"des3-cbc-none",
@@ -2876,21 +2769,6 @@ static struct encryption_type enctype_des3_cbc_none = {
F_PSEUDO,
DES3_CBC_encrypt,
};
-static unsigned rc2CBC_num[] = { 1, 2, 840, 113549, 3, 2 };
-static heim_oid rc2CBC_oid = kcrypto_oid_enc(rc2CBC_num);
-static struct encryption_type enctype_rc2_cbc_none = {
- ETYPE_RC2_CBC_NONE,
- "rc2-cbc-none",
- &rc2CBC_oid,
- 8,
- 8,
- 0,
- &keytype_rc2,
- &checksum_none,
- NULL,
- F_PSEUDO|F_PADCMS,
- RC2_CBC_encrypt,
-};
static struct encryption_type *etypes[] = {
&enctype_null,
@@ -2903,15 +2781,10 @@ static struct encryption_type *etypes[] = {
&enctype_old_des3_cbc_sha1,
&enctype_aes128_cts_hmac_sha1,
&enctype_aes256_cts_hmac_sha1,
- &enctype_aes128_cbc_none,
- &enctype_aes192_cbc_none,
- &enctype_aes256_cbc_none,
&enctype_des_cbc_none,
&enctype_des_cfb64_none,
&enctype_des_pcbc_none,
- &enctype_des3_cbc_none,
- &enctype_des3_cbc_none_cms,
- &enctype_rc2_cbc_none
+ &enctype_des3_cbc_none
};
static unsigned num_etypes = sizeof(etypes) / sizeof(etypes[0]);
@@ -3234,7 +3107,7 @@ encrypt_internal(krb5_context context,
krb5_data *result,
void *ivec)
{
- size_t sz, block_sz, checksum_sz, padsize = 0;
+ size_t sz, block_sz, checksum_sz;
Checksum cksum;
unsigned char *p, *q;
krb5_error_code ret;
@@ -3244,11 +3117,6 @@ encrypt_internal(krb5_context context,
sz = et->confoundersize + checksum_sz + len;
block_sz = (sz + et->padsize - 1) &~ (et->padsize - 1); /* pad */
- if ((et->flags & F_PADCMS) && et->padsize != 1) {
- padsize = et->padsize - (sz % et->padsize);
- if (padsize == et->padsize)
- block_sz += et->padsize;
- }
p = calloc(1, block_sz);
if(p == NULL) {
krb5_set_error_string(context, "malloc: out of memory");
@@ -3281,12 +3149,6 @@ encrypt_internal(krb5_context context,
ret = _key_schedule(context, &crypto->key, crypto->params);
if(ret)
goto fail;
- if (et->flags & F_PADCMS) {
- int i;
- q = p + len + checksum_sz + et->confoundersize;
- for (i = 0; i < padsize; i++)
- q[i] = padsize;
- }
#ifdef CRYPTO_DEBUG
krb5_crypto_debug(context, 1, block_sz, crypto->key.key);
#endif
diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c
index 7e91946095..00f7b4ebd9 100755
--- a/source4/heimdal/lib/krb5/pkinit.c
+++ b/source4/heimdal/lib/krb5/pkinit.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: pkinit.c,v 1.98 2006/05/06 13:24:54 lha Exp $");
+RCSID("$Id: pkinit.c,v 1.99 2006/05/07 12:32:38 lha Exp $");
struct krb5_dh_moduli {
char *name;
@@ -682,32 +682,10 @@ _krb5_pk_verify_sign(krb5_context context,
goto out;
}
- /* XXX */
- {
- hx509_cursor cursor;
-
- ret = hx509_certs_start_seq(id->hx509ctx,
- signer_certs,
- &cursor);
- if (ret) {
- krb5_clear_error_string(context);
- goto out;
- }
- ret = hx509_certs_next_cert(id->hx509ctx,
- signer_certs,
- cursor,
- &(*signer)->cert);
- if (ret) {
- krb5_clear_error_string(context);
- goto out;
- }
- ret = hx509_certs_end_seq(id->hx509ctx,
- signer_certs,
- cursor);
- if (ret) {
- krb5_clear_error_string(context);
- goto out;
- }
+ ret = hx509_get_one_cert(id->hx509ctx, signer_certs, &(*signer)->cert);
+ if (ret) {
+ krb5_clear_error_string(context);
+ goto out;
}
out: