struct gensec_gssapi_state *gensec_gssapi_state
= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
OM_uint32 maj_stat, min_stat;
- gss_buffer_desc input_token, output_token;
+ gss_buffer_desc associated_data;
+ gss_buffer_desc message;
+ gss_buffer_desc output_header = GSS_C_EMPTY_BUFFER;
int conf_state;
- ssize_t sig_length;
- input_token.length = length;
- input_token.value = data;
-
- maj_stat = gss_wrap(&min_stat,
- gensec_gssapi_state->gssapi_context,
- gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
- GSS_C_QOP_DEFAULT,
- &input_token,
- &conf_state,
- &output_token);
+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
+ associated_data.length = pdu_length;
+ associated_data.value = discard_const(whole_pdu);
+ } else {
+ associated_data.length = length;
+ associated_data.value = data;
+ }
+
+ message.length = length;
+ message.value = data;
+
+ maj_stat = gss_wrap_ex(&min_stat,
+ gensec_gssapi_state->gssapi_context,
+ gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
+ GSS_C_QOP_DEFAULT,
+ &associated_data,
+ &message,
+ &output_header,
+ &conf_state);
if (GSS_ERROR(maj_stat)) {
- DEBUG(1, ("gensec_gssapi_seal_packet: GSS Wrap failed: %s\n",
+ DEBUG(1, ("gensec_gssapi_seal_packet: GSS Wrap Ex failed: %s\n",
gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
return NT_STATUS_ACCESS_DENIED;
}
- if (output_token.length < input_token.length) {
- DEBUG(1, ("gensec_gssapi_seal_packet: GSS Wrap length [%ld] *less* than caller length [%ld]\n",
- (long)output_token.length, (long)length));
- return NT_STATUS_INTERNAL_ERROR;
- }
- sig_length = output_token.length - input_token.length;
-
- memcpy(data, ((uint8_t *)output_token.value) + sig_length, length);
- *sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, sig_length);
-
- dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig->data, sig->length);
+ dump_data_pw("gensec_gssapi_seal_packet: sig\n", output_header.value, output_header.length);
dump_data_pw("gensec_gssapi_seal_packet: clear\n", data, length);
- dump_data_pw("gensec_gssapi_seal_packet: sealed\n", ((uint8_t *)output_token.value) + sig_length, output_token.length - sig_length);
+ dump_data_pw("gensec_gssapi_seal_packet: sealed\n", message.value, message.length);
- gss_release_buffer(&min_stat, &output_token);
+ *sig = data_blob_talloc(mem_ctx, output_header.value, output_header.length);
+
+ gss_release_buffer(&min_stat, &output_header);
if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
&& !conf_state) {
struct gensec_gssapi_state *gensec_gssapi_state
= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
OM_uint32 maj_stat, min_stat;
- gss_buffer_desc input_token, output_token;
+ gss_buffer_desc input_header;
+ gss_buffer_desc associated_data;
+ gss_buffer_desc message;
int conf_state;
gss_qop_t qop_state;
- DATA_BLOB in;
dump_data_pw("gensec_gssapi_unseal_packet: sig\n", sig->data, sig->length);
- in = data_blob_talloc(mem_ctx, NULL, sig->length + length);
+ input_header.length = sig->length;
+ input_header.value = sig->data;
- memcpy(in.data, sig->data, sig->length);
- memcpy(in.data + sig->length, data, length);
+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
+ associated_data.length = pdu_length;
+ associated_data.value = discard_const(whole_pdu);
+ } else {
+ associated_data.length = length;
+ associated_data.value = data;
+ }
- input_token.length = in.length;
- input_token.value = in.data;
+ message.length = length;
+ message.value = data;
- maj_stat = gss_unwrap(&min_stat,
- gensec_gssapi_state->gssapi_context,
- &input_token,
- &output_token,
- &conf_state,
- &qop_state);
+ maj_stat = gss_unwrap_ex(&min_stat,
+ gensec_gssapi_state->gssapi_context,
+ &input_header,
+ &associated_data,
+ &message,
+ &conf_state,
+ &qop_state);
if (GSS_ERROR(maj_stat)) {
- DEBUG(1, ("gensec_gssapi_unseal_packet: GSS UnWrap failed: %s\n",
+ DEBUG(1, ("gensec_gssapi_unseal_packet: GSS UnWrap Ex failed: %s\n",
gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
return NT_STATUS_ACCESS_DENIED;
}
-
- if (output_token.length != length) {
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- memcpy(data, output_token.value, length);
-
- gss_release_buffer(&min_stat, &output_token);
if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
&& !conf_state) {