krb5_error_code
gss_krb5int_make_seal_token_v3 (krb5_context context,
krb5_gss_ctx_id_rec *ctx,
const gss_buffer_desc * message,
gss_buffer_t token,
int conf_req_flag, int toktype)
{
size_t bufsize = 16;
unsigned char *outbuf = 0;
krb5_error_code err;
int key_usage;
unsigned char acceptor_flag;
const gss_buffer_desc *message2 = message;
#ifdef CFX_EXERCISE
size_t rrc;
#endif
size_t ec;
unsigned short tok_id;
krb5_checksum sum;
krb5_key key;
krb5_cksumtype cksumtype;
acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
key_usage = (toktype == KG_TOK_WRAP_MSG
? (ctx->initiate
? KG_USAGE_INITIATOR_SEAL
: KG_USAGE_ACCEPTOR_SEAL)
: (ctx->initiate
? KG_USAGE_INITIATOR_SIGN
: KG_USAGE_ACCEPTOR_SIGN));
if (ctx->have_acceptor_subkey) {
key = ctx->acceptor_subkey;
cksumtype = ctx->acceptor_subkey_cksumtype;
} else {
key = ctx->subkey;
cksumtype = ctx->cksumtype;
}
assert(key != NULL);
#ifdef CFX_EXERCISE
{
static int initialized = 0;
if (!initialized) {
srand(time(0));
initialized = 1;
}
}
#endif
if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
krb5_data plain;
krb5_enc_data cipher;
size_t ec_max;
/* 300: Adds some slop. */
if (SIZE_MAX - 300 < message->length)
return ENOMEM;
ec_max = SIZE_MAX - message->length - 300;
if (ec_max > 0xffff)
ec_max = 0xffff;
#ifdef CFX_EXERCISE
/* For testing only. For performance, always set ec = 0. */
ec = ec_max & rand();
#else
ec = 0;
#endif
plain.length = message->length + 16 + ec;
plain.data = malloc(message->length + 16 + ec);
if (plain.data == NULL)
return ENOMEM;
/* Get size of ciphertext. */
bufsize = 16 + krb5_encrypt_size (plain.length, key->keyblock.enctype);
/* Allocate space for header plus encrypted data. */
outbuf = gssalloc_malloc(bufsize);
if (outbuf == NULL) {
free(plain.data);
return ENOMEM;
}
/* TOK_ID */
store_16_be(KG2_TOK_WRAP_MSG, outbuf);
/* flags */
outbuf[2] = (acceptor_flag
| (conf_req_flag ? FLAG_WRAP_CONFIDENTIAL : 0)
| (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
/* filler */
outbuf[3] = 0xff;
/* EC */
store_16_be(ec, outbuf+4);
/* RRC */
store_16_be(0, outbuf+6);
store_64_be(ctx->seq_send, outbuf+8);
memcpy(plain.data, message->value, message->length);
if (ec != 0)
memset(plain.data + message->length, 'x', ec);
memcpy(plain.data + message->length + ec, outbuf, 16);
cipher.ciphertext.data = (char *)outbuf + 16;
cipher.ciphertext.length = bufsize - 16;
cipher.enctype = key->keyblock.enctype;
err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher);
zap(plain.data, plain.length);
free(plain.data);
plain.data = 0;
if (err)
goto error;
/* Now that we know we're returning a valid token.... */
ctx->seq_send++;
#ifdef CFX_EXERCISE
rrc = rand() & 0xffff;
if (gss_krb5int_rotate_left(outbuf+16, bufsize-16,
(bufsize-16) - (rrc % (bufsize - 16))))
store_16_be(rrc, outbuf+6);
/* If the rotate fails, don't worry about it. */
#endif
} else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) {
krb5_data plain;
size_t cksumsize;
/* Here, message is the application-supplied data; message2 is
what goes into the output token. They may be the same, or
message2 may be empty (for MIC). */
tok_id = KG2_TOK_WRAP_MSG;
wrap_with_checksum:
plain.length = message->length + 16;
plain.data = malloc(message->length + 16);
if (plain.data == NULL)
return ENOMEM;
err = krb5_c_checksum_length(context, cksumtype, &cksumsize);
if (err)
goto error;
assert(cksumsize <= 0xffff);
bufsize = 16 + message2->length + cksumsize;
outbuf = gssalloc_malloc(bufsize);
if (outbuf == NULL) {
free(plain.data);
plain.data = 0;
err = ENOMEM;
goto error;
}
/* TOK_ID */
store_16_be(tok_id, outbuf);
/* flags */
outbuf[2] = (acceptor_flag
| (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
/* filler */
outbuf[3] = 0xff;
if (toktype == KG_TOK_WRAP_MSG) {
/* Use 0 for checksum calculation, substitute
checksum length later. */
/* EC */
store_16_be(0, outbuf+4);
/* RRC */
store_16_be(0, outbuf+6);
} else {
/* MIC and DEL store 0xFF in EC and RRC. */
store_16_be(0xffff, outbuf+4);
store_16_be(0xffff, outbuf+6);
}
store_64_be(ctx->seq_send, outbuf+8);
memcpy(plain.data, message->value, message->length);
memcpy(plain.data + message->length, outbuf, 16);
/* Fill in the output token -- data contents, if any, and
space for the checksum. */
if (message2->length)
memcpy(outbuf + 16, message2->value, message2->length);
sum.contents = outbuf + 16 + message2->length;
sum.length = cksumsize;
err = krb5_k_make_checksum(context, cksumtype, key,
key_usage, &plain, &sum);
zap(plain.data, plain.length);
free(plain.data);
plain.data = 0;
if (err) {
zap(outbuf,bufsize);
goto error;
}
if (sum.length != cksumsize)
abort();
memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize);
krb5_free_checksum_contents(context, &sum);
sum.contents = 0;
/* Now that we know we're actually generating the token... */
ctx->seq_send++;
if (toktype == KG_TOK_WRAP_MSG) {
#ifdef CFX_EXERCISE
rrc = rand() & 0xffff;
/* If the rotate fails, don't worry about it. */
if (gss_krb5int_rotate_left(outbuf+16, bufsize-16,
(bufsize-16) - (rrc % (bufsize - 16))))
store_16_be(rrc, outbuf+6);
#endif
/* Fix up EC field. */
store_16_be(cksumsize, outbuf+4);
} else {
store_16_be(0xffff, outbuf+6);
}
} else if (toktype == KG_TOK_MIC_MSG) {
tok_id = KG2_TOK_MIC_MSG;
message2 = &empty_message;
goto wrap_with_checksum;
} else if (toktype == KG_TOK_DEL_CTX) {
tok_id = KG2_TOK_DEL_CTX;
message = message2 = &empty_message;
goto wrap_with_checksum;
} else
abort();
token->value = outbuf;
token->length = bufsize;
return 0;
error:
gssalloc_free(outbuf);
token->value = NULL;
token->length = 0;
return err;
}
int
ksm_rgenerate_out_msg(struct snmp_secmod_outgoing_params *parms)
{
krb5_auth_context auth_context = NULL;
krb5_error_code retcode;
krb5_ccache cc = NULL;
int retval = SNMPERR_SUCCESS;
krb5_data outdata, ivector;
krb5_keyblock *subkey = NULL;
#ifdef MIT_NEW_CRYPTO
krb5_data input;
krb5_enc_data output;
unsigned int numcksumtypes;
krb5_cksumtype *cksumtype_array;
#else /* MIT_NEW_CRYPTO */
krb5_encrypt_block eblock;
#endif /* MIT_NEW_CRYPTO */
size_t blocksize, encrypted_length;
unsigned char *encrypted_data = NULL;
int zero = 0, i;
u_char *cksum_pointer, *endp = *parms->wholeMsg;
krb5_cksumtype cksumtype;
krb5_checksum pdu_checksum;
u_char **wholeMsg = parms->wholeMsg;
size_t *offset = parms->wholeMsgOffset, seq_offset;
struct ksm_secStateRef *ksm_state = (struct ksm_secStateRef *)
parms->secStateRef;
int rc;
DEBUGMSGTL(("ksm", "Starting KSM processing\n"));
outdata.length = 0;
outdata.data = NULL;
ivector.length = 0;
ivector.data = NULL;
pdu_checksum.contents = NULL;
if (!ksm_state) {
/*
* If we don't have a ksm_state, then we're a request. Get a
* credential cache and build a ap_req.
*/
retcode = krb5_cc_default(kcontext, &cc);
if (retcode) {
DEBUGMSGTL(("ksm", "KSM: krb5_cc_default failed: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
DEBUGMSGTL(("ksm", "KSM: Set credential cache successfully\n"));
/*
* This seems odd, since we don't need this until later (or earlier,
* depending on how you look at it), but because the most likely
* errors are Kerberos at this point, I'll get this now to save
* time not encoding the rest of the packet.
*
* Also, we need the subkey to encrypt the PDU (if required).
*/
retcode =
krb5_mk_req(kcontext, &auth_context,
AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY,
(char *) service_name, parms->session->peername, NULL,
cc, &outdata);
if (retcode) {
DEBUGMSGTL(("ksm", "KSM: krb5_mk_req failed: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
DEBUGMSGTL(("ksm", "KSM: ticket retrieved successfully for \"%s/%s\" "
"(may not be actual ticket sname)\n", service_name,
parms->session->peername));
} else {
/*
* Grab the auth_context from our security state reference
*/
auth_context = ksm_state->auth_context;
/*
* Bundle up an AP_REP. Note that we do this only when we
* have a security state reference (which means we're in an agent
* and we're sending a response).
*/
DEBUGMSGTL(("ksm", "KSM: Starting reply processing.\n"));
retcode = krb5_mk_rep(kcontext, auth_context, &outdata);
if (retcode) {
DEBUGMSGTL(("ksm", "KSM: krb5_mk_rep failed: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
DEBUGMSGTL(("ksm", "KSM: Finished with krb5_mk_rep()\n"));
}
/*
* If we have to encrypt the PDU, do that now
*/
if (parms->secLevel == SNMP_SEC_LEVEL_AUTHPRIV) {
DEBUGMSGTL(("ksm", "KSM: Starting PDU encryption.\n"));
/*
* It's weird -
*
* If we're on the manager, it's a local subkey (because that's in
* our AP_REQ)
*
* If we're on the agent, it's a remote subkey (because that comes
* FROM the received AP_REQ).
*/
if (ksm_state)
retcode = krb5_auth_con_getremotesubkey(kcontext, auth_context,
&subkey);
else
retcode = krb5_auth_con_getlocalsubkey(kcontext, auth_context,
&subkey);
if (retcode) {
DEBUGMSGTL(("ksm",
"KSM: krb5_auth_con_getlocalsubkey failed: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
/*
* Note that here we need to handle different things between the
* old and new crypto APIs. First, we need to get the final encrypted
* length of the PDU.
*/
#ifdef MIT_NEW_CRYPTO
retcode = krb5_c_encrypt_length(kcontext, subkey->enctype,
parms->scopedPduLen,
&encrypted_length);
if (retcode) {
DEBUGMSGTL(("ksm",
"Encryption length calculation failed: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
#else /* MIT_NEW_CRYPTO */
krb5_use_enctype(kcontext, &eblock, subkey->enctype);
retcode = krb5_process_key(kcontext, &eblock, subkey);
if (retcode) {
DEBUGMSGTL(("ksm", "krb5_process_key failed: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
encrypted_length = krb5_encrypt_size(parms->scopedPduLen,
eblock.crypto_entry);
#endif /* MIT_NEW_CRYPTO */
encrypted_data = malloc(encrypted_length);
if (!encrypted_data) {
DEBUGMSGTL(("ksm",
"KSM: Unable to malloc %d bytes for encrypt "
"buffer: %s\n", parms->scopedPduLen,
strerror(errno)));
retval = SNMPERR_MALLOC;
#ifndef MIT_NEW_CRYPTO
krb5_finish_key(kcontext, &eblock);
#endif /* ! MIT_NEW_CRYPTO */
goto error;
}
/*
* We need to set up a blank initialization vector for the encryption.
* Use a block of all zero's (which is dependent on the block size
* of the encryption method).
*/
#ifdef MIT_NEW_CRYPTO
retcode = krb5_c_block_size(kcontext, subkey->enctype, &blocksize);
if (retcode) {
DEBUGMSGTL(("ksm",
"Unable to determine crypto block size: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
#else /* MIT_NEW_CRYPTO */
blocksize =
krb5_enctype_array[subkey->enctype]->system->block_length;
#endif /* MIT_NEW_CRYPTO */
ivector.data = malloc(blocksize);
if (!ivector.data) {
DEBUGMSGTL(("ksm", "Unable to allocate %d bytes for ivector\n",
blocksize));
retval = SNMPERR_MALLOC;
goto error;
}
ivector.length = blocksize;
memset(ivector.data, 0, blocksize);
/*
* Finally! Do the encryption!
*/
#ifdef MIT_NEW_CRYPTO
input.data = (char *) parms->scopedPdu;
input.length = parms->scopedPduLen;
output.ciphertext.data = (char *) encrypted_data;
output.ciphertext.length = encrypted_length;
retcode =
krb5_c_encrypt(kcontext, subkey, KSM_KEY_USAGE_ENCRYPTION,
&ivector, &input, &output);
#else /* MIT_NEW_CRYPTO */
retcode = krb5_encrypt(kcontext, (krb5_pointer) parms->scopedPdu,
(krb5_pointer) encrypted_data,
parms->scopedPduLen, &eblock, ivector.data);
krb5_finish_key(kcontext, &eblock);
#endif /* MIT_NEW_CRYPTO */
if (retcode) {
DEBUGMSGTL(("ksm", "KSM: krb5_encrypt failed: %s\n",
error_message(retcode)));
retval = SNMPERR_KRB5;
snmp_set_detail(error_message(retcode));
goto error;
}
*offset = 0;
rc = asn_realloc_rbuild_string(wholeMsg, parms->wholeMsgLen,
offset, 1,
(u_char) (ASN_UNIVERSAL |
ASN_PRIMITIVE |
ASN_OCTET_STR),
encrypted_data,
encrypted_length);
if (rc == 0) {
DEBUGMSGTL(("ksm", "Building encrypted payload failed.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
DEBUGMSGTL(("ksm", "KSM: Encryption complete.\n"));
} else {
/*
* Plaintext PDU (not encrypted)
*/
if (*parms->wholeMsgLen < parms->scopedPduLen) {
DEBUGMSGTL(("ksm", "Not enough room for plaintext PDU.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
}
/*
* Start encoding the msgSecurityParameters
*
* For now, use 0 for the response hint
*/
DEBUGMSGTL(("ksm", "KSM: scopedPdu added to payload\n"));
seq_offset = *offset;
rc = asn_realloc_rbuild_int(wholeMsg, parms->wholeMsgLen,
offset, 1,
(u_char) (ASN_UNIVERSAL |
ASN_PRIMITIVE |
ASN_INTEGER),
(long *) &zero, sizeof(zero));
if (rc == 0) {
DEBUGMSGTL(("ksm", "Building ksm security parameters failed.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
rc = asn_realloc_rbuild_string(wholeMsg, parms->wholeMsgLen,
offset, 1,
(u_char) (ASN_UNIVERSAL |
ASN_PRIMITIVE |
ASN_OCTET_STR),
(u_char *) outdata.data,
outdata.length);
if (rc == 0) {
DEBUGMSGTL(("ksm", "Building ksm AP_REQ failed.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
/*
* Now, we need to pick the "right" checksum algorithm. For old
* crypto, just pick CKSUMTYPE_RSA_MD5_DES; for new crypto, pick
* one of the "approved" ones.
*/
#ifdef MIT_NEW_CRYPTO
retcode = krb5_c_keyed_checksum_types(kcontext, subkey->enctype,
&numcksumtypes, &cksumtype_array);
if (retcode) {
DEBUGMSGTL(("ksm", "Unable to find appropriate keyed checksum: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
if (numcksumtypes <= 0) {
DEBUGMSGTL(("ksm", "We received a list of zero cksumtypes for this "
"enctype (%d)\n", subkey->enctype));
snmp_set_detail("No valid checksum type for this encryption type");
retval = SNMPERR_KRB5;
goto error;
}
/*
* It's not clear to me from the API which checksum you're supposed
* to support, so I'm taking a guess at the first one
*/
cksumtype = cksumtype_array[0];
krb5_free_cksumtypes(kcontext, cksumtype_array);
DEBUGMSGTL(("ksm", "KSM: Choosing checksum type of %d (subkey type "
"of %d)\n", cksumtype, subkey->enctype));
retcode = krb5_c_checksum_length(kcontext, cksumtype, &blocksize);
if (retcode) {
DEBUGMSGTL(("ksm", "Unable to determine checksum length: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
pdu_checksum.length = blocksize;
#else /* MIT_NEW_CRYPTO */
if (ksm_state)
cksumtype = ksm_state->cksumtype;
else
cksumtype = CKSUMTYPE_RSA_MD5_DES;
if (!is_keyed_cksum(cksumtype)) {
DEBUGMSGTL(("ksm", "Checksum type %d is not a keyed checksum\n",
cksumtype));
snmp_set_detail("Checksum is not a keyed checksum");
retval = SNMPERR_KRB5;
goto error;
}
if (!is_coll_proof_cksum(cksumtype)) {
DEBUGMSGTL(("ksm", "Checksum type %d is not a collision-proof "
"checksum\n", cksumtype));
snmp_set_detail("Checksum is not a collision-proof checksum");
retval = SNMPERR_KRB5;
goto error;
}
pdu_checksum.length = krb5_checksum_size(kcontext, cksumtype);
pdu_checksum.checksum_type = cksumtype;
#endif /* MIT_NEW_CRYPTO */
/*
* Note that here, we're just leaving blank space for the checksum;
* we remember where that is, and we'll fill it in later.
*/
*offset += pdu_checksum.length;
memset(*wholeMsg + *parms->wholeMsgLen - *offset, 0, pdu_checksum.length);
cksum_pointer = *wholeMsg + *parms->wholeMsgLen - *offset;
rc = asn_realloc_rbuild_header(wholeMsg, parms->wholeMsgLen,
parms->wholeMsgOffset, 1,
(u_char) (ASN_UNIVERSAL |
ASN_PRIMITIVE |
ASN_OCTET_STR),
pdu_checksum.length);
if (rc == 0) {
DEBUGMSGTL(("ksm", "Building ksm security parameters failed.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
rc = asn_realloc_rbuild_int(wholeMsg, parms->wholeMsgLen,
parms->wholeMsgOffset, 1,
(u_char) (ASN_UNIVERSAL |
ASN_PRIMITIVE |
ASN_OCTET_STR),
(long *) &cksumtype,
sizeof(cksumtype));
if (rc == 0) {
DEBUGMSGTL(("ksm", "Building ksm security parameters failed.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
rc = asn_realloc_rbuild_sequence(wholeMsg, parms->wholeMsgLen,
parms->wholeMsgOffset, 1,
(u_char) (ASN_SEQUENCE |
ASN_CONSTRUCTOR),
*offset - seq_offset);
if (rc == 0) {
DEBUGMSGTL(("ksm", "Building ksm security parameters failed.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
rc = asn_realloc_rbuild_header(wholeMsg, parms->wholeMsgLen,
parms->wholeMsgOffset, 1,
(u_char) (ASN_UNIVERSAL |
ASN_PRIMITIVE |
ASN_OCTET_STR),
*offset - seq_offset);
if (rc == 0) {
DEBUGMSGTL(("ksm", "Building ksm security parameters failed.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
DEBUGMSGTL(("ksm", "KSM: Security parameter encoding completed\n"));
/*
* We're done with the KSM security parameters - now we do the global
* header and wrap up the whole PDU.
*/
if (*parms->wholeMsgLen < parms->globalDataLen) {
DEBUGMSGTL(("ksm", "Building global data failed.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
*offset += parms->globalDataLen;
memcpy(*wholeMsg + *parms->wholeMsgLen - *offset,
parms->globalData, parms->globalDataLen);
rc = asn_realloc_rbuild_sequence(wholeMsg, parms->wholeMsgLen,
offset, 1,
(u_char) (ASN_SEQUENCE |
ASN_CONSTRUCTOR),
*offset);
if (rc == 0) {
DEBUGMSGTL(("ksm", "Building master packet sequence.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
DEBUGMSGTL(("ksm", "KSM: PDU master packet encoding complete.\n"));
/*
* Now we need to checksum the entire PDU (since it's built).
*/
pdu_checksum.contents = malloc(pdu_checksum.length);
if (!pdu_checksum.contents) {
DEBUGMSGTL(("ksm", "Unable to malloc %d bytes for checksum\n",
pdu_checksum.length));
retval = SNMPERR_MALLOC;
goto error;
}
/*
* If we didn't encrypt the packet, we haven't yet got the subkey.
* Get that now.
*/
if (!subkey) {
if (ksm_state)
retcode = krb5_auth_con_getremotesubkey(kcontext, auth_context,
&subkey);
else
retcode = krb5_auth_con_getlocalsubkey(kcontext, auth_context,
&subkey);
if (retcode) {
DEBUGMSGTL(("ksm", "krb5_auth_con_getlocalsubkey failed: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
}
#ifdef MIT_NEW_CRYPTO
input.data = (char *) (*wholeMsg + *parms->wholeMsgLen - *offset);
input.length = *offset;
retcode = krb5_c_make_checksum(kcontext, cksumtype, subkey,
KSM_KEY_USAGE_CHECKSUM, &input,
&pdu_checksum);
#else /* MIT_NEW_CRYPTO */
retcode = krb5_calculate_checksum(kcontext, cksumtype, *wholeMsg +
*parms->wholeMsgLen - *offset,
*offset,
(krb5_pointer) subkey->contents,
subkey->length, &pdu_checksum);
#endif /* MIT_NEW_CRYPTO */
if (retcode) {
DEBUGMSGTL(("ksm", "Calculate checksum failed: %s\n",
error_message(retcode)));
retval = SNMPERR_KRB5;
snmp_set_detail(error_message(retcode));
goto error;
}
DEBUGMSGTL(("ksm", "KSM: Checksum calculation complete.\n"));
memcpy(cksum_pointer, pdu_checksum.contents, pdu_checksum.length);
DEBUGMSGTL(("ksm", "KSM: Writing checksum of %d bytes at offset %d\n",
pdu_checksum.length, cksum_pointer - (*wholeMsg + 1)));
DEBUGMSGTL(("ksm", "KSM: Checksum:"));
for (i = 0; i < pdu_checksum.length; i++)
DEBUGMSG(("ksm", " %02x",
(unsigned int) pdu_checksum.contents[i]));
DEBUGMSG(("ksm", "\n"));
/*
* If we're _not_ called as part of a response (null ksm_state),
* then save the auth_context for later using our cache routines.
*/
if (!ksm_state) {
if ((retval = ksm_insert_cache(parms->pdu->msgid, auth_context,
(u_char *) parms->secName,
parms->secNameLen)) !=
SNMPERR_SUCCESS)
goto error;
auth_context = NULL;
}
DEBUGMSGTL(("ksm", "KSM processing complete!\n"));
error:
if (pdu_checksum.contents)
#ifdef MIT_NEW_CRYPTO
krb5_free_checksum_contents(kcontext, &pdu_checksum);
#else /* MIT_NEW_CRYPTO */
free(pdu_checksum.contents);
#endif /* MIT_NEW_CRYPTO */
if (ivector.data)
free(ivector.data);
if (subkey)
krb5_free_keyblock(kcontext, subkey);
if (encrypted_data)
free(encrypted_data);
if (cc)
krb5_cc_close(kcontext, cc);
if (auth_context && !ksm_state)
krb5_auth_con_free(kcontext, auth_context);
return retval;
}
