secgsi: communicate IV length

xrootd · Dec 21, 2018 · 1f2bb42 · 1f2bb42
1 parent c42212e
commit 1f2bb42
Showing 1 changed file with 24 additions and 3 deletions.
diff --git a/src/XrdSecgsi/XrdSecProtocolgsi.cc b/src/XrdSecgsi/XrdSecProtocolgsi.cc
@@ -3150,7 +3150,7 @@ int XrdSecProtocolgsi::ClientDoCert(XrdSutBuffer *br, XrdSutBuffer **bm,
       // Parse the list
       int from = 0;
       while ((from = ciplist.tokenize(cip, from, ':')) != -1) {
-         if (cip.length() > 0) 
+         if (cip.length() > 0)
             if (sessionCF->SupportedCipher(cip.c_str()))
                break;
          cip = "";
@@ -3161,8 +3161,6 @@ int XrdSecProtocolgsi::ClientDoCert(XrdSutBuffer *br, XrdSutBuffer **bm,
          hs->Chain = 0;
          return -1;
       }
-      // Communicate to server
-      br->UpdateBucket(cip, kXRS_cipher_alg);
    } else {
       NOTIFY("WARNING: list of ciphers supported by server missing"
             " - using default");
@@ -3313,6 +3311,17 @@ int XrdSecProtocolgsi::ClientDoCert(XrdSutBuffer *br, XrdSutBuffer **bm,
       return -1;
    }
 
+   //
+   // Communicate the cipher name to server
+   if (hs->RemVers >= XrdSecgsiVersDHsigned) {
+      // Including the length of the IV if supported
+      String cipiv;
+      String::form(cipiv, "%s#%d", cip.c_str(), sessionKey->MaxIVLength());
+      br->UpdateBucket(cipiv, kXRS_cipher_alg);
+   } else {
+      br->UpdateBucket(cip, kXRS_cipher_alg);
+   }
+
    // Deactivate what not needed any longer
    if (hs->RemVers >= XrdSecgsiVersDHsigned) {
       br->Deactivate(kXRS_cipher);
@@ -3641,9 +3650,17 @@ int XrdSecProtocolgsi::ServerDoCert(XrdSutBuffer *br,  XrdSutBuffer **bm,
    }
    //
    // Extract cipher algorithm chosen by the client
+   int lenIV = 0;
    String cip = "";
    if ((bck = br->GetBucket(kXRS_cipher_alg))) {
       bck->ToString(cip);
+      // Extract IV length, if any
+      int piv = cip.find('#');
+      if (piv >= 0) {
+         String siv(cip, piv+1);
+         if (siv.isdigit()) lenIV = siv.atoi();
+         cip.erase(piv);
+      }
       // Parse the list
       if (DefCipher.find(cip) == -1) {
          cmsg = "unsupported cipher chosen by the client";
@@ -3723,6 +3740,10 @@ int XrdSecProtocolgsi::ServerDoCert(XrdSutBuffer *br,  XrdSutBuffer **bm,
          hs->Chain = 0;
          return -1;
       }
+
+      // Set IV length, if any
+      if (lenIV > 0) sessionKey->SetIV(lenIV, (const char *)0);
+
    } else {
       cmsg = "bucket with DH parameters not found or invalid: cannot finalize session cipher";
       return -1;