Diffstat (limited to 'source4/auth/gensec')
-rw-r--r--source4/auth/gensec/gensec_gssapi.c63
1 files changed, 8 insertions, 55 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index d9f6edc7d7..364c0c3499 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -818,46 +818,6 @@ static NTSTATUS gensec_gssapi_unwrap(struct gensec_security *gensec_security,
return NT_STATUS_OK;
}
-/* Find out the size of the signature, assuming (incorrectly) that it
- * GSSAPI provides any guarantees as to it's size.
- *
- * This is needed by the DCE/RPC code, which uses AEAD
- * (signed headers, including signature legnth and a sealed body)
- */
-static size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, size_t data_size)
-{
- struct gensec_gssapi_state *gensec_gssapi_state = gensec_security->private_data;
- OM_uint32 maj_stat, min_stat;
- OM_uint32 output_size;
- if ((gensec_gssapi_state->gss_oid->length != gss_mech_krb5->length)
- || (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements,
- gensec_gssapi_state->gss_oid->length) != 0)) {
- DEBUG(1, ("NO sig size available for this mech\n"));
- return 0;
- }
-
- maj_stat = gsskrb5_wrap_size(&min_stat,
- gensec_gssapi_state->gssapi_context,
- gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
- GSS_C_QOP_DEFAULT,
- data_size,
- &output_size);
- if (GSS_ERROR(maj_stat)) {
- TALLOC_CTX *mem_ctx = talloc_new(NULL);
- DEBUG(1, ("gensec_gssapi_sig_size: determinaing signature size with gsskrb5_wrap_size failed: %s\n",
- gssapi_error_string(mem_ctx, maj_stat, min_stat)));
- talloc_free(mem_ctx);
- return 0;
- }
-
- if (output_size < data_size) {
- return 0;
- }
-
- /* The difference between the max output and the max input must be the signature */
- return output_size - data_size;
-}
-
/* Find out the maximum input size negotiated on this connection */
static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security)
@@ -918,14 +878,12 @@ static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_securit
return NT_STATUS_ACCESS_DENIED;
}
- sig_length = gensec_gssapi_sig_size(gensec_security, length);
-
- /* Caller must pad to right boundary */
- if (output_token.length != (length + sig_length)) {
- DEBUG(1, ("gensec_gssapi_seal_packet: GSS Wrap length [%ld] does not match caller length [%ld] plus sig size [%ld] = [%ld]\n",
- (long)output_token.length, (long)length, (long)sig_length, (long)(length + sig_length)));
+ if (output_token.length < input_token.length) {
+ DEBUG(1, ("gensec_gssapi_seal_packet: GSS Wrap length [%ld] *less* than caller length [%ld]\n",
+ (long)output_token.length, (long)length));
return NT_STATUS_INTERNAL_ERROR;
}
+ sig_length = output_token.length - input_token.length;
memcpy(data, ((uint8_t *)output_token.value) + sig_length, length);
*sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, sig_length);
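Review bot: The `memcpy` reads `length` bytes at offset `sig_length`, but the new guard and `sig_length` are both computed from `input_token.length`, so the read stays inside `output_token.value` only if the two values are equal; that is presumably arranged above the hunk, but it is not visible here. Using one variable throughout, e.g. `if (output_token.length < length)` and `sig_length = output_token.length - length;`, would make the bound self-evident; the same mix (the test uses `input_token.length`, the DEBUG prints `length`) recurs in the gensec_gssapi_sign_packet hunk. With the exact-size comparison gone, the code also relies on all wrap overhead sitting in front of the payload, which deserves a comment such as `/* assumes the whole gss_wrap overhead is a header preceding the payload */`, because output that carries padding or a trailer would be split at the wrong offset without any error. The body of gensec_gssapi_seal_packet starts and ends outside the hunk.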
@@ -1021,18 +979,14 @@ static NTSTATUS gensec_gssapi_sign_packet(struct gensec_security *gensec_securit
return NT_STATUS_ACCESS_DENIED;
}
- if (output_token.length < length) {
+ if (output_token.length < input_token.length) {
+ DEBUG(1, ("gensec_gssapi_sign_packet: GSS Wrap length [%ld] *less* than caller length [%ld]\n",
+ (long)output_token.length, (long)length));
return NT_STATUS_INTERNAL_ERROR;
}
- sig_length = gensec_gssapi_sig_size(gensec_security, length);
-
/* Caller must pad to right boundary */
- if (output_token.length != (length + sig_length)) {
- DEBUG(1, ("gensec_gssapi_sign_packet: GSS Wrap length [%ld] does not match caller length [%ld] plus sig size [%ld] = [%ld]\n",
- (long)output_token.length, (long)length, (long)sig_length, (long)(length + sig_length)));
- return NT_STATUS_INTERNAL_ERROR;
- }
+ sig_length = output_token.length - input_token.length;
*sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, sig_length);
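Review bot: The retained comment `/* Caller must pad to right boundary */` is now stale, since the length-equality check it described is removed in this hunk and only a subtraction follows it. It should be dropped or replaced with a statement of the new assumption, for example `/* whatever gss_wrap added in front of the payload is treated as the signature */`. The result of `data_blob_talloc` is not checked in the visible lines; if the code below the hunk does not already do so, a NULL check on `sig->data` would keep an allocation failure from being returned as a valid empty signature. The function continues outside the hunk.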
@@ -1352,7 +1306,6 @@ static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = {
.update = gensec_gssapi_update,
.session_key = gensec_gssapi_session_key,
.session_info = gensec_gssapi_session_info,
- .sig_size = gensec_gssapi_sig_size,
.sign_packet = gensec_gssapi_sign_packet,
.check_packet = gensec_gssapi_check_packet,
.seal_packet = gensec_gssapi_seal_packet,