From: Greg Hudson Date: Fri, 8 Jun 2012 21:02:28 +0000 (-0400) Subject: Remove big-endian gss-krb5 support X-Git-Tag: krb5-1.11-alpha1~506 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=103456df347d6ea68b1a6f0657b50d5f23a47a37;p=thirdparty%2Fkrb5.git Remove big-endian gss-krb5 support The big_endian flag in krb5_gss_ctx_id_rec is there for interoperability with a really ancient implementation which we believe is no longer in use. Get rid of it and the code to handle it. ticket: 7166 (new) --- diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index 7dca130d53..72b52015b8 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c @@ -726,37 +726,16 @@ kg_accept_krb5(minor_status, context_handle, goto fail; } - /* - "Be liberal in what you accept, and - conservative in what you send" - -- rfc1123 - - This code will let this acceptor interoperate with an initiator - using little-endian or big-endian integer encoding. - */ - ptr = (unsigned char *) authdat->checksum->contents; - bigend = 0; - TREAD_INT(ptr, tmp, bigend); + TREAD_INT(ptr, tmp, 0); if (tmp != md5len) { - ptr = (unsigned char *) authdat->checksum->contents; - bigend = 1; - - TREAD_INT(ptr, tmp, bigend); - - if (tmp != md5len) { - code = KG_BAD_LENGTH; - major_status = GSS_S_FAILURE; - goto fail; - } + code = KG_BAD_LENGTH; + major_status = GSS_S_FAILURE; + goto fail; } - /* at this point, bigend is set according to the initiator's - byte order */ - - /* The following section of code attempts to implement the optional channel binding facility as described in RFC2743. @@ -772,7 +751,7 @@ kg_accept_krb5(minor_status, context_handle, if ((code = kg_checksum_channel_bindings(context, input_chan_bindings, - &reqcksum, bigend))) { + &reqcksum))) { major_status = GSS_S_BAD_BINDINGS; goto fail; } @@ -794,7 +773,7 @@ kg_accept_krb5(minor_status, context_handle, xfree(reqcksum.contents); reqcksum.contents = 0; - TREAD_INT(ptr, gss_flags, bigend); + TREAD_INT(ptr, gss_flags, 0); #if 0 gss_flags &= ~GSS_C_DELEG_FLAG; /* mask out the delegation flag; if there's a delegation, we'll set @@ -807,8 +786,8 @@ kg_accept_krb5(minor_status, context_handle, i = authdat->checksum->length - 24; if (i && (gss_flags & GSS_C_DELEG_FLAG)) { if (i >= 4) { - TREAD_INT16(ptr, option_id, bigend); - TREAD_INT16(ptr, option.length, bigend); + TREAD_INT16(ptr, option_id, 0); + TREAD_INT16(ptr, option.length, 0); i -= 4; if (i < option.length || option.length < 0) { @@ -904,7 +883,6 @@ kg_accept_krb5(minor_status, context_handle, GSS_C_DCE_STYLE | GSS_C_IDENTIFY_FLAG | GSS_C_EXTENDED_ERROR_FLAG))); ctx->seed_init = 0; - ctx->big_endian = bigend; ctx->cred_rcache = cred_rcache; /* XXX move this into gss_name_t */ diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h index 6b7d5307d9..54a536a92c 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -199,7 +199,6 @@ typedef struct _krb5_gss_ctx_id_rec { krb5_magic magic; unsigned int initiate : 1; /* nonzero if initiating, zero if accepting */ unsigned int established : 1; - unsigned int big_endian : 1; unsigned int have_acceptor_subkey : 1; unsigned int seed_init : 1; /* XXX tested but never actually set */ OM_uint32 gss_flags; @@ -253,8 +252,7 @@ OM_uint32 kg_get_defcred krb5_error_code kg_checksum_channel_bindings (krb5_context context, gss_channel_bindings_t cb, - krb5_checksum *cksum, - int bigend); + krb5_checksum *cksum); krb5_error_code kg_make_seq_num (krb5_context context, krb5_key key, diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index 07baefa07e..7fb5f71133 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -428,7 +428,7 @@ make_ap_req_v1(context, ctx, cred, k_cred, ad_context, /* compute the hash of the channel bindings */ - if ((code = kg_checksum_channel_bindings(context, chan_bindings, &md5, 0))) + if ((code = kg_checksum_channel_bindings(context, chan_bindings, &md5))) return(code); krb5_auth_con_set_req_cksumtype(context, ctx->auth_context, @@ -585,7 +585,6 @@ kg_new_connection( GSS_C_DCE_STYLE | GSS_C_IDENTIFY_FLAG | GSS_C_EXTENDED_ERROR_FLAG))); ctx->seed_init = 0; - ctx->big_endian = 0; /* all initiators do little-endian, as per spec */ ctx->seqstate = 0; if (req_flags & GSS_C_DCE_STYLE) diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c index 41604dc4ed..bd1e2a6d06 100644 --- a/src/lib/gssapi/krb5/k5seal.c +++ b/src/lib/gssapi/krb5/k5seal.c @@ -64,7 +64,6 @@ make_seal_token_v1 (krb5_context context, int sealalg, int do_encrypt, int toktype, - int bigend, gss_OID oid) { krb5_error_code code; @@ -89,7 +88,7 @@ make_seal_token_v1 (krb5_context context, assert((!do_encrypt) || (toktype == KG_TOK_SEAL_MSG)); /* create the token buffer */ /* Do we need confounder? */ - if (do_encrypt || (!bigend && (toktype == KG_TOK_SEAL_MSG))) + if (do_encrypt || toktype == KG_TOK_SEAL_MSG) conflen = kg_confounder_size(context, enc->keyblock.enctype); else conflen = 0; @@ -185,18 +184,14 @@ make_seal_token_v1 (krb5_context context, /* compute the checksum */ /* 8 = head of token body as specified by mech spec */ - if (! (data_ptr = - (char *) xmalloc(8 + (bigend ? text->length : msglen)))) { + if (! (data_ptr = xmalloc(8 + msglen))) { xfree(plain); gssalloc_free(t); return(ENOMEM); } (void) memcpy(data_ptr, ptr-2, 8); - if (bigend) - (void) memcpy(data_ptr+8, text->value, text->length); - else - (void) memcpy(data_ptr+8, plain, msglen); - plaind.length = 8 + (bigend ? text->length : msglen); + (void) memcpy(data_ptr+8, plain, msglen); + plaind.length = 8 + msglen; plaind.data = data_ptr; code = krb5_k_make_checksum(context, md5cksum.checksum_type, seq, sign_usage, &plaind, &md5cksum); @@ -360,8 +355,7 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req, &ctx->seq_send, ctx->initiate, input_message_buffer, output_message_buffer, ctx->signalg, ctx->cksum_size, ctx->sealalg, - conf_req_flag, toktype, ctx->big_endian, - ctx->mech_used); + conf_req_flag, toktype, ctx->mech_used); break; case 1: code = gss_krb5int_make_seal_token_v3(context, ctx, diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c index ac3d44d8f3..c291e0fb0c 100644 --- a/src/lib/gssapi/krb5/k5sealv3.c +++ b/src/lib/gssapi/krb5/k5sealv3.c @@ -82,8 +82,6 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, krb5_key key; krb5_cksumtype cksumtype; - assert(ctx->big_endian == 0); - acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR; key_usage = (toktype == KG_TOK_WRAP_MSG ? (ctx->initiate @@ -319,9 +317,6 @@ gss_krb5int_unseal_token_v3(krb5_context *contextptr, krb5_key key; krb5_cksumtype cksumtype; - if (ctx->big_endian != 0) - goto defective; - if (qop_state) *qop_state = GSS_C_QOP_DEFAULT; diff --git a/src/lib/gssapi/krb5/k5sealv3iov.c b/src/lib/gssapi/krb5/k5sealv3iov.c index d6829607bd..d7c92875ee 100644 --- a/src/lib/gssapi/krb5/k5sealv3iov.c +++ b/src/lib/gssapi/krb5/k5sealv3iov.c @@ -54,7 +54,6 @@ gss_krb5int_make_seal_token_v3_iov(krb5_context context, krb5_cksumtype cksumtype; size_t data_length, assoc_data_length; - assert(ctx->big_endian == 0); assert(ctx->proto == 1); acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR; @@ -300,9 +299,6 @@ gss_krb5int_unseal_v3_iov(krb5_context context, krb5_cksumtype cksumtype; int conf_flag = 0; - if (ctx->big_endian != 0) - return GSS_S_DEFECTIVE_TOKEN; - if (qop_state != NULL) *qop_state = GSS_C_QOP_DEFAULT; diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c index 935198054d..fa9a3cb167 100644 --- a/src/lib/gssapi/krb5/k5unseal.c +++ b/src/lib/gssapi/krb5/k5unseal.c @@ -206,12 +206,8 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, plainlen = tmsglen; - if ((sealalg == 0xffff) && ctx->big_endian) { - token.length = tmsglen; - } else { - conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype); - token.length = tmsglen - conflen - plain[tmsglen-1]; - } + conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype); + token.length = tmsglen - conflen - plain[tmsglen-1]; if (token.length) { if ((token.value = (void *) gssalloc_malloc(token.length)) == NULL) { @@ -267,8 +263,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, /* 8 = bytes of token body to be checksummed according to spec */ - if (! (data_ptr = (void *) - xmalloc(8 + (ctx->big_endian ? token.length : plainlen)))) { + if (! (data_ptr = xmalloc(8 + plainlen))) { if (sealalg != 0xffff) xfree(plain); if (toktype == KG_TOK_SEAL_MSG) @@ -279,12 +274,9 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, (void) memcpy(data_ptr, ptr-2, 8); - if (ctx->big_endian) - (void) memcpy(data_ptr+8, token.value, token.length); - else - (void) memcpy(data_ptr+8, plain, plainlen); + (void) memcpy(data_ptr+8, plain, plainlen); - plaind.length = 8 + (ctx->big_endian ? token.length : plainlen); + plaind.length = 8 + plainlen; plaind.data = data_ptr; code = krb5_k_make_checksum(context, md5cksum.checksum_type, ctx->seq, sign_usage, @@ -332,9 +324,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, return GSS_S_FAILURE; } - if (! (data_ptr = (void *) - xmalloc(sizeof(ctx->seed) + 8 + - (ctx->big_endian ? token.length : plainlen)))) { + if (! (data_ptr = xmalloc(sizeof(ctx->seed) + 8 + plainlen))) { krb5_free_checksum_contents(context, &md5cksum); if (sealalg == 0) xfree(plain); @@ -345,14 +335,8 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, } (void) memcpy(data_ptr, ptr-2, 8); (void) memcpy(data_ptr+8, ctx->seed, sizeof(ctx->seed)); - if (ctx->big_endian) - (void) memcpy(data_ptr+8+sizeof(ctx->seed), - token.value, token.length); - else - (void) memcpy(data_ptr+8+sizeof(ctx->seed), - plain, plainlen); - plaind.length = 8 + sizeof(ctx->seed) + - (ctx->big_endian ? token.length : plainlen); + (void) memcpy(data_ptr+8+sizeof(ctx->seed), plain, plainlen); + plaind.length = 8 + sizeof(ctx->seed) + plainlen; plaind.data = data_ptr; krb5_free_checksum_contents(context, &md5cksum); code = krb5_k_make_checksum(context, md5cksum.checksum_type, @@ -382,8 +366,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, /* 8 = bytes of token body to be checksummed according to spec */ - if (! (data_ptr = (void *) - xmalloc(8 + (ctx->big_endian ? token.length : plainlen)))) { + if (! (data_ptr = xmalloc(8 + plainlen))) { if (sealalg != 0xffff) xfree(plain); if (toktype == KG_TOK_SEAL_MSG) @@ -394,12 +377,9 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, (void) memcpy(data_ptr, ptr-2, 8); - if (ctx->big_endian) - (void) memcpy(data_ptr+8, token.value, token.length); - else - (void) memcpy(data_ptr+8, plain, plainlen); + (void) memcpy(data_ptr+8, plain, plainlen); - plaind.length = 8 + (ctx->big_endian ? token.length : plainlen); + plaind.length = 8 + plainlen; plaind.data = data_ptr; code = krb5_k_make_checksum(context, md5cksum.checksum_type, ctx->seq, sign_usage, diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c index 986ee0616f..87fe34f9d4 100644 --- a/src/lib/gssapi/krb5/k5unsealiov.c +++ b/src/lib/gssapi/krb5/k5unsealiov.c @@ -137,8 +137,6 @@ kg_unseal_v1_iov(krb5_context context, return GSS_S_BAD_SIG; } - assert(ctx->big_endian == 0); - /* decode the message, if SEAL */ if (toktype == KG_TOK_WRAP_MSG) { if (sealalg != 0xFFFF) { diff --git a/src/lib/gssapi/krb5/ser_sctx.c b/src/lib/gssapi/krb5/ser_sctx.c index d2945ea555..cba5ae2b1f 100644 --- a/src/lib/gssapi/krb5/ser_sctx.c +++ b/src/lib/gssapi/krb5/ser_sctx.c @@ -245,7 +245,6 @@ kg_ctx_size(kcontext, arg, sizep) * krb5_int32 for KG_CONTEXT * krb5_int32 for initiate. * krb5_int32 for established. - * krb5_int32 for big_endian. * krb5_int32 for have_acceptor_subkey. * krb5_int32 for seed_init. * krb5_int32 for gss_flags. @@ -401,8 +400,6 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain) &bp, &remain); (void) krb5_ser_pack_int32((krb5_int32) ctx->established, &bp, &remain); - (void) krb5_ser_pack_int32((krb5_int32) ctx->big_endian, - &bp, &remain); (void) krb5_ser_pack_int32((krb5_int32) ctx->have_acceptor_subkey, &bp, &remain); (void) krb5_ser_pack_int32((krb5_int32) ctx->seed_init, @@ -614,8 +611,6 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain) (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); ctx->established = (int) ibuf; (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ctx->big_endian = (int) ibuf; - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); ctx->have_acceptor_subkey = (int) ibuf; (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); ctx->seed_init = (int) ibuf; diff --git a/src/lib/gssapi/krb5/util_cksum.c b/src/lib/gssapi/krb5/util_cksum.c index 5228df3362..4877c71ebb 100644 --- a/src/lib/gssapi/krb5/util_cksum.c +++ b/src/lib/gssapi/krb5/util_cksum.c @@ -28,11 +28,10 @@ /* Checksumming the channel bindings always uses plain MD5. */ krb5_error_code -kg_checksum_channel_bindings(context, cb, cksum, bigend) +kg_checksum_channel_bindings(context, cb, cksum) krb5_context context; gss_channel_bindings_t cb; krb5_checksum *cksum; - int bigend; { size_t len; char *buf = 0; @@ -75,11 +74,11 @@ kg_checksum_channel_bindings(context, cb, cksum, bigend) ptr = buf; - TWRITE_INT(ptr, cb->initiator_addrtype, bigend); - TWRITE_BUF(ptr, cb->initiator_address, bigend); - TWRITE_INT(ptr, cb->acceptor_addrtype, bigend); - TWRITE_BUF(ptr, cb->acceptor_address, bigend); - TWRITE_BUF(ptr, cb->application_data, bigend); + TWRITE_INT(ptr, cb->initiator_addrtype, 0); + TWRITE_BUF(ptr, cb->initiator_address, 0); + TWRITE_INT(ptr, cb->acceptor_addrtype, 0); + TWRITE_BUF(ptr, cb->acceptor_address, 0); + TWRITE_BUF(ptr, cb->application_data, 0); /* checksum the data */ diff --git a/src/util/gss-kernel-lib/kernel_gss.c b/src/util/gss-kernel-lib/kernel_gss.c index a0ad8d09d8..f33b83db7e 100644 --- a/src/util/gss-kernel-lib/kernel_gss.c +++ b/src/util/gss-kernel-lib/kernel_gss.c @@ -116,8 +116,6 @@ import_lucid_sec_context_v1(const gss_krb5_lucid_context_v1_t *lctx, } } - /* Assume the proper krb5 mech and no big-endian compatibility. */ - gctx->big_endian = 0; gctx->seed_init = 0; gctx->established = 1; gctx->mech_used = (gss_OID_desc *)gss_mech_krb5;