The good thing is that windows and heimdal both use EC=0
in the non DCE_STYLE case, so we need the windows compat hack
only in DCE_STYLE mode.
metze
#define CFXAcceptorSubkey (1 << 2)
krb5_error_code
#define CFXAcceptorSubkey (1 << 2)
krb5_error_code
-_gsskrb5cfx_wrap_length_cfx(krb5_context context,
+_gsskrb5cfx_wrap_length_cfx(const gsskrb5_ctx context_handle,
+ krb5_context context,
krb5_crypto crypto,
int conf_req_flag,
size_t input_length,
krb5_crypto crypto,
int conf_req_flag,
size_t input_length,
/* Header is concatenated with data before encryption */
input_length += sizeof(gss_cfx_wrap_token_desc);
/* Header is concatenated with data before encryption */
input_length += sizeof(gss_cfx_wrap_token_desc);
- ret = krb5_crypto_getpadsize(context, crypto, &padsize);
+ if (IS_DCE_STYLE(context_handle)) {
+ ret = krb5_crypto_getblocksize(context, crypto, &padsize);
+ } else {
+ ret = krb5_crypto_getpadsize(context, crypto, &padsize);
+ }
- ret = _gsskrb5cfx_wrap_length_cfx(context,
+ ret = _gsskrb5cfx_wrap_length_cfx(context_handle, context,
crypto, conf_req_flag,
input_message_buffer->length,
&wrapped_len, &cksumsize, &padlength);
crypto, conf_req_flag,
input_message_buffer->length,
&wrapped_len, &cksumsize, &padlength);
token->RRC[0] = (rrc >> 8) & 0xFF;
token->RRC[1] = (rrc >> 0) & 0xFF;
token->RRC[0] = (rrc >> 8) & 0xFF;
token->RRC[1] = (rrc >> 0) & 0xFF;
- ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE);
+ /*
+ * this is really ugly, but needed against windows
+ * for DCERPC, as windows rotates by EC+RRC.
+ */
+ if (IS_DCE_STYLE(context_handle)) {
+ ret = rrc_rotate(cipher.data, cipher.length, rrc+padlength, FALSE);
+ } else {
+ ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE);
+ }
if (ret != 0) {
*minor_status = ret;
krb5_crypto_destroy(context, crypto);
if (ret != 0) {
*minor_status = ret;
krb5_crypto_destroy(context, crypto);
len = input_message_buffer->length;
len -= (p - (u_char *)input_message_buffer->value);
len = input_message_buffer->length;
len -= (p - (u_char *)input_message_buffer->value);
- /* Rotate by RRC; bogus to do this in-place XXX */
- *minor_status = rrc_rotate(p, len, rrc, TRUE);
- if (*minor_status != 0) {
- krb5_crypto_destroy(context, crypto);
- return GSS_S_FAILURE;
- }
-
if (token_flags & CFXSealed) {
if (token_flags & CFXSealed) {
+ /*
+ * this is really ugly, but needed against windows
+ * for DCERPC, as windows rotates by EC+RRC.
+ */
+ if (IS_DCE_STYLE(context_handle)) {
+ *minor_status = rrc_rotate(p, len, rrc+ec, TRUE);
+ } else {
+ *minor_status = rrc_rotate(p, len, rrc, TRUE);
+ }
+ if (*minor_status != 0) {
+ krb5_crypto_destroy(context, crypto);
+ return GSS_S_FAILURE;
+ }
+
ret = krb5_decrypt(context, crypto, usage,
p, len, &data);
if (ret != 0) {
ret = krb5_decrypt(context, crypto, usage,
p, len, &data);
if (ret != 0) {
+ /* Rotate by RRC; bogus to do this in-place XXX */
+ *minor_status = rrc_rotate(p, len, rrc, TRUE);
+ if (*minor_status != 0) {
+ krb5_crypto_destroy(context, crypto);
+ return GSS_S_FAILURE;
+ }
+
/* Determine checksum type */
ret = krb5_crypto_get_checksum_type(context,
crypto, &cksum.cksumtype);
/* Determine checksum type */
ret = krb5_crypto_get_checksum_type(context,
crypto, &cksum.cksumtype);
krb5_error_code
_gsskrb5cfx_wrap_length_cfx (
krb5_error_code
_gsskrb5cfx_wrap_length_cfx (
+ const gsskrb5_ctx /*context_handle*/,
krb5_context /*context*/,
krb5_crypto /*crypto*/,
int /*conf_req_flag*/,
krb5_context /*context*/,
krb5_crypto /*crypto*/,
int /*conf_req_flag*/,