/* * AEAD unwrap for a single piece of associated data, for compatibility * with MIT and as specified by draft-howard-gssapi-aead-00.txt. * * @ingroup gssapi */ GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_unwrap_aead(OM_uint32 *minor_status, gss_ctx_id_t context_handle, gss_buffer_t input_message_buffer, gss_buffer_t input_assoc_buffer, gss_buffer_t output_payload_buffer, int *conf_state, gss_qop_t *qop_state) { OM_uint32 major_status, tmp; gss_iov_buffer_desc iov[3]; memset(iov, 0, sizeof(iov)); iov[0].type = GSS_IOV_BUFFER_TYPE_STREAM; iov[0].buffer = *input_message_buffer; iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; if (input_assoc_buffer) iov[1].buffer = *input_assoc_buffer; iov[2].type = GSS_IOV_BUFFER_TYPE_DATA | GSS_IOV_BUFFER_FLAG_ALLOCATE; major_status = gss_unwrap_iov(minor_status, context_handle, conf_state, qop_state, iov, 3); if (GSS_ERROR(major_status)) gss_release_iov_buffer(&tmp, &iov[2], 1); else *output_payload_buffer = iov[2].buffer; return major_status; }
static int HandleOP(WrapExt) { OM_uint32 maj_stat, min_stat; int32_t hContext, flags, bflags; krb5_data token, header, trailer; gss_ctx_id_t ctx; unsigned char *p; int conf_state, iov_len; gss_iov_buffer_desc iov[6]; ret32(c, hContext); ret32(c, flags); ret32(c, bflags); retdata(c, header); retdata(c, token); retdata(c, trailer); ctx = find_handle(c->handles, hContext, handle_context); if (ctx == NULL) errx(1, "wrap: reference to unknown context"); memset(&iov, 0, sizeof(iov)); iov_len = sizeof(iov)/sizeof(iov[0]); if (bflags & WRAP_EXP_ONLY_HEADER) iov_len -= 2; /* skip trailer and padding, aka dce-style */ iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE; if (header.length != 0) { iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; iov[1].buffer.length = header.length; iov[1].buffer.value = header.data; } else { iov[1].type = GSS_IOV_BUFFER_TYPE_EMPTY; } iov[2].type = GSS_IOV_BUFFER_TYPE_DATA; iov[2].buffer.length = token.length; iov[2].buffer.value = token.data; if (trailer.length != 0) { iov[3].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; iov[3].buffer.length = trailer.length; iov[3].buffer.value = trailer.data; } else { iov[3].type = GSS_IOV_BUFFER_TYPE_EMPTY; } iov[4].type = GSS_IOV_BUFFER_TYPE_PADDING | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE; iov[5].type = GSS_IOV_BUFFER_TYPE_TRAILER | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE; maj_stat = gss_wrap_iov_length(&min_stat, ctx, flags, 0, &conf_state, iov, iov_len); if (maj_stat != GSS_S_COMPLETE) errx(1, "gss_wrap_iov_length failed"); maj_stat = gss_wrap_iov(&min_stat, ctx, flags, 0, &conf_state, iov, iov_len); if (maj_stat != GSS_S_COMPLETE) errx(1, "gss_wrap_iov failed"); krb5_data_free(&token); token.length = iov[0].buffer.length + iov[2].buffer.length + iov[4].buffer.length + iov[5].buffer.length; token.data = malloc(token.length); p = token.data; memcpy(p, iov[0].buffer.value, iov[0].buffer.length); p += iov[0].buffer.length; memcpy(p, iov[2].buffer.value, iov[2].buffer.length); p += iov[2].buffer.length; memcpy(p, iov[4].buffer.value, iov[4].buffer.length); p += iov[4].buffer.length; memcpy(p, iov[5].buffer.value, iov[5].buffer.length); p += iov[5].buffer.length; gss_release_iov_buffer(NULL, iov, iov_len); put32(c, 0); /* XXX fix gsm_error */ putdata(c, token); free(token.data); return 0; }
int authenticate_gss_client_wrap_iov(gss_client_state* state, const char* challenge, int protect, int *pad_len) { OM_uint32 maj_stat, min_stat; int iov_count = 3; gss_iov_buffer_desc iov[iov_count]; size_t len = 0; int ret = AUTH_GSS_CONTINUE; int conf_state; unsigned char * data = (unsigned char*)""; // Always clear out the old response if (state->response != NULL) { free(state->response); state->response = NULL; } if (challenge && *challenge) { data = base64_decode(challenge, &len); } iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_FLAG_ALLOCATE; iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; iov[1].buffer.value = data; iov[1].buffer.length = len; iov[2].type = GSS_IOV_BUFFER_TYPE_PADDING | GSS_IOV_BUFFER_FLAG_ALLOCATE; maj_stat = gss_wrap_iov(&min_stat, /* minor_status */ state->context, /* context_handle */ protect, /* conf_req_flag */ GSS_C_QOP_DEFAULT, /* qop_req */ &conf_state, /* conf_state */ iov, /* iov */ iov_count); /* iov_count */ if (maj_stat != GSS_S_COMPLETE) { set_gss_error(maj_stat, min_stat); ret = AUTH_GSS_ERROR; } else { ret = AUTH_GSS_COMPLETE; int index = 4; OM_uint32 stoken_len= 0; int bufsize = iov[0].buffer.length+ iov[1].buffer.length+ iov[2].buffer.length+ sizeof(unsigned int); char * response = (char*)malloc(bufsize); memset(response,0,bufsize); /****************************************************** Per Microsoft 2.2.9.1.2.2.2 for kerberos encrypted data First section of data is a 32-bit unsigned int containing the length of the Security Token followed by the encrypted message. Encrypted data = |32-bit unsigned int|Message| The message must start with the security token, followed by the actual encrypted message. Message = |Security Token|encrypted data|padding iov[0] = security token iov[1] = encrypted message iov[2] = padding ******************************************************/ /* Security Token length */ stoken_len = iov[0].buffer.length; memcpy(response, &stoken_len, sizeof(unsigned int)); /* Security Token */ memcpy(response+index, iov[0].buffer.value, iov[0].buffer.length); index += iov[0].buffer.length; /* Message */ memcpy(response+index, iov[1].buffer.value, iov[1].buffer.length); index += iov[1].buffer.length; /* Padding */ *pad_len = iov[2].buffer.length; if (*pad_len > 0) { memcpy(response+index, iov[2].buffer.value, iov[2].buffer.length); index += iov[2].buffer.length; } /* encode to python returnable string */ state->responseConf = conf_state; state->response = base64_encode((const unsigned char *)response,index); free(response); } (void)gss_release_iov_buffer(&min_stat, iov, iov_count); free(data); return ret; }