1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3 *
4 * Copyright (c) 2008 Isilon Inc http://www.isilon.com/
5 * Authors: Doug Rabson <dfr@rabson.org>
6 * Developed with Red Inc: Alfred Perlstein <alfred@freebsd.org>
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 */
29
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
32
33 #include "opt_inet6.h"
34
35 #include <sys/param.h>
36 #include <sys/kernel.h>
37 #include <sys/kobj.h>
38 #include <sys/lock.h>
39 #include <sys/malloc.h>
40 #include <sys/mbuf.h>
41 #include <sys/module.h>
42 #include <sys/mutex.h>
43 #include <kgssapi/gssapi.h>
44 #include <kgssapi/gssapi_impl.h>
45
46 #include "kgss_if.h"
47 #include "kcrypto.h"
48
49 #define GSS_TOKEN_SENT_BY_ACCEPTOR 1
50 #define GSS_TOKEN_SEALED 2
51 #define GSS_TOKEN_ACCEPTOR_SUBKEY 4
52
53 static gss_OID_desc krb5_mech_oid =
54 {9, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
55
56 struct krb5_data {
57 size_t kd_length;
58 void *kd_data;
59 };
60
61 struct krb5_keyblock {
62 uint16_t kk_type; /* encryption type */
63 struct krb5_data kk_key; /* key data */
64 };
65
66 struct krb5_address {
67 uint16_t ka_type;
68 struct krb5_data ka_addr;
69 };
70
71 /*
72 * The km_elem array is ordered so that the highest received sequence
73 * number is listed first.
74 */
75 struct krb5_msg_order {
76 uint32_t km_flags;
77 uint32_t km_start;
78 uint32_t km_length;
79 uint32_t km_jitter_window;
80 uint32_t km_first_seq;
81 uint32_t *km_elem;
82 };
83
84 struct krb5_context {
85 struct _gss_ctx_id_t kc_common;
86 struct mtx kc_lock;
87 uint32_t kc_ac_flags;
88 uint32_t kc_ctx_flags;
89 uint32_t kc_more_flags;
90 #define LOCAL 1
91 #define OPEN 2
92 #define COMPAT_OLD_DES3 4
93 #define COMPAT_OLD_DES3_SELECTED 8
94 #define ACCEPTOR_SUBKEY 16
95 struct krb5_address kc_local_address;
96 struct krb5_address kc_remote_address;
97 uint16_t kc_local_port;
98 uint16_t kc_remote_port;
99 struct krb5_keyblock kc_keyblock;
100 struct krb5_keyblock kc_local_subkey;
101 struct krb5_keyblock kc_remote_subkey;
102 volatile uint32_t kc_local_seqnumber;
103 uint32_t kc_remote_seqnumber;
104 uint32_t kc_keytype;
105 uint32_t kc_cksumtype;
106 struct krb5_data kc_source_name;
107 struct krb5_data kc_target_name;
108 uint32_t kc_lifetime;
109 struct krb5_msg_order kc_msg_order;
110 struct krb5_key_state *kc_tokenkey;
111 struct krb5_key_state *kc_encryptkey;
112 struct krb5_key_state *kc_checksumkey;
113
114 struct krb5_key_state *kc_send_seal_Ke;
115 struct krb5_key_state *kc_send_seal_Ki;
116 struct krb5_key_state *kc_send_seal_Kc;
117 struct krb5_key_state *kc_send_sign_Kc;
118
119 struct krb5_key_state *kc_recv_seal_Ke;
120 struct krb5_key_state *kc_recv_seal_Ki;
121 struct krb5_key_state *kc_recv_seal_Kc;
122 struct krb5_key_state *kc_recv_sign_Kc;
123 };
124
125 static uint16_t
126 get_uint16(const uint8_t **pp, size_t *lenp)
127 {
128 const uint8_t *p = *pp;
129 uint16_t v;
130
131 if (*lenp < 2)
132 return (0);
133
134 v = (p[0] << 8) | p[1];
135 *pp = p + 2;
136 *lenp = *lenp - 2;
137
138 return (v);
139 }
140
141 static uint32_t
142 get_uint32(const uint8_t **pp, size_t *lenp)
143 {
144 const uint8_t *p = *pp;
145 uint32_t v;
146
147 if (*lenp < 4)
148 return (0);
149
150 v = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
151 *pp = p + 4;
152 *lenp = *lenp - 4;
153
154 return (v);
155 }
156
157 static void
158 get_data(const uint8_t **pp, size_t *lenp, struct krb5_data *dp)
159 {
160 size_t sz = get_uint32(pp, lenp);
161
162 dp->kd_length = sz;
163 dp->kd_data = malloc(sz, M_GSSAPI, M_WAITOK);
164
165 if (*lenp < sz)
166 sz = *lenp;
167 bcopy(*pp, dp->kd_data, sz);
168 (*pp) += sz;
169 (*lenp) -= sz;
170 }
171
172 static void
173 delete_data(struct krb5_data *dp)
174 {
175 if (dp->kd_data) {
176 free(dp->kd_data, M_GSSAPI);
177 dp->kd_length = 0;
178 dp->kd_data = NULL;
179 }
180 }
181
182 static void
183 get_address(const uint8_t **pp, size_t *lenp, struct krb5_address *ka)
184 {
185
186 ka->ka_type = get_uint16(pp, lenp);
187 get_data(pp, lenp, &ka->ka_addr);
188 }
189
190 static void
191 delete_address(struct krb5_address *ka)
192 {
193 delete_data(&ka->ka_addr);
194 }
195
196 static void
197 get_keyblock(const uint8_t **pp, size_t *lenp, struct krb5_keyblock *kk)
198 {
199
200 kk->kk_type = get_uint16(pp, lenp);
201 get_data(pp, lenp, &kk->kk_key);
202 }
203
204 static void
205 delete_keyblock(struct krb5_keyblock *kk)
206 {
207 if (kk->kk_key.kd_data)
208 bzero(kk->kk_key.kd_data, kk->kk_key.kd_length);
209 delete_data(&kk->kk_key);
210 }
211
212 static void
213 copy_key(struct krb5_keyblock *from, struct krb5_keyblock **to)
214 {
215
216 if (from->kk_key.kd_length)
217 *to = from;
218 else
219 *to = NULL;
220 }
221
222 /*
223 * Return non-zero if we are initiator.
224 */
225 static __inline int
226 is_initiator(struct krb5_context *kc)
227 {
228 return (kc->kc_more_flags & LOCAL);
229 }
230
231 /*
232 * Return non-zero if we are acceptor.
233 */
234 static __inline int
235 is_acceptor(struct krb5_context *kc)
236 {
237 return !(kc->kc_more_flags & LOCAL);
238 }
239
240 static void
241 get_initiator_subkey(struct krb5_context *kc, struct krb5_keyblock **kdp)
242 {
243
244 if (is_initiator(kc))
245 copy_key(&kc->kc_local_subkey, kdp);
246 else
247 copy_key(&kc->kc_remote_subkey, kdp);
248 if (!*kdp)
249 copy_key(&kc->kc_keyblock, kdp);
250 }
251
252 static void
253 get_acceptor_subkey(struct krb5_context *kc, struct krb5_keyblock **kdp)
254 {
255
256 if (is_initiator(kc))
257 copy_key(&kc->kc_remote_subkey, kdp);
258 else
259 copy_key(&kc->kc_local_subkey, kdp);
260 }
261
262 static OM_uint32
263 get_keys(struct krb5_context *kc)
264 {
265 struct krb5_keyblock *keydata;
266 struct krb5_encryption_class *ec;
267 struct krb5_key_state *key;
268 int etype;
269
270 keydata = NULL;
271 get_acceptor_subkey(kc, &keydata);
272 if (!keydata)
273 if ((kc->kc_more_flags & ACCEPTOR_SUBKEY) == 0)
274 get_initiator_subkey(kc, &keydata);
275 if (!keydata)
276 return (GSS_S_FAILURE);
277
278 /*
279 * GSS-API treats all DES etypes the same and all DES3 etypes
280 * the same.
281 */
282 switch (keydata->kk_type) {
283 case ETYPE_DES_CBC_CRC:
284 case ETYPE_DES_CBC_MD4:
285 case ETYPE_DES_CBC_MD5:
286 etype = ETYPE_DES_CBC_CRC;
287 break;
288
289 case ETYPE_DES3_CBC_MD5:
290 case ETYPE_DES3_CBC_SHA1:
291 case ETYPE_OLD_DES3_CBC_SHA1:
292 etype = ETYPE_DES3_CBC_SHA1;
293 break;
294
295 default:
296 etype = keydata->kk_type;
297 }
298
299 ec = krb5_find_encryption_class(etype);
300 if (!ec)
301 return (GSS_S_FAILURE);
302
303 key = krb5_create_key(ec);
304 krb5_set_key(key, keydata->kk_key.kd_data);
305 kc->kc_tokenkey = key;
306
307 switch (etype) {
308 case ETYPE_DES_CBC_CRC:
309 case ETYPE_ARCFOUR_HMAC_MD5:
310 case ETYPE_ARCFOUR_HMAC_MD5_56: {
311 /*
312 * Single DES and ARCFOUR uses a 'derived' key (XOR
313 * with 0xf0) for encrypting wrap tokens. The original
314 * key is used for checksums and sequence numbers.
315 */
316 struct krb5_key_state *ekey;
317 uint8_t *ekp, *kp;
318 int i;
319
320 ekey = krb5_create_key(ec);
321 ekp = ekey->ks_key;
322 kp = key->ks_key;
323 for (i = 0; i < ec->ec_keylen; i++)
324 ekp[i] = kp[i] ^ 0xf0;
325 krb5_set_key(ekey, ekp);
326 kc->kc_encryptkey = ekey;
327 refcount_acquire(&key->ks_refs);
328 kc->kc_checksumkey = key;
329 break;
330 }
331
332 case ETYPE_DES3_CBC_SHA1:
333 /*
334 * Triple DES uses a RFC 3961 style derived key with
335 * usage number KG_USAGE_SIGN for checksums. The
336 * original key is used for encryption and sequence
337 * numbers.
338 */
339 kc->kc_checksumkey = krb5_get_checksum_key(key, KG_USAGE_SIGN);
340 refcount_acquire(&key->ks_refs);
341 kc->kc_encryptkey = key;
342 break;
343
344 default:
345 /*
346 * We need eight derived keys four for sending and
347 * four for receiving.
348 */
349 if (is_initiator(kc)) {
350 /*
351 * We are initiator.
352 */
353 kc->kc_send_seal_Ke = krb5_get_encryption_key(key,
354 KG_USAGE_INITIATOR_SEAL);
355 kc->kc_send_seal_Ki = krb5_get_integrity_key(key,
356 KG_USAGE_INITIATOR_SEAL);
357 kc->kc_send_seal_Kc = krb5_get_checksum_key(key,
358 KG_USAGE_INITIATOR_SEAL);
359 kc->kc_send_sign_Kc = krb5_get_checksum_key(key,
360 KG_USAGE_INITIATOR_SIGN);
361
362 kc->kc_recv_seal_Ke = krb5_get_encryption_key(key,
363 KG_USAGE_ACCEPTOR_SEAL);
364 kc->kc_recv_seal_Ki = krb5_get_integrity_key(key,
365 KG_USAGE_ACCEPTOR_SEAL);
366 kc->kc_recv_seal_Kc = krb5_get_checksum_key(key,
367 KG_USAGE_ACCEPTOR_SEAL);
368 kc->kc_recv_sign_Kc = krb5_get_checksum_key(key,
369 KG_USAGE_ACCEPTOR_SIGN);
370 } else {
371 /*
372 * We are acceptor.
373 */
374 kc->kc_send_seal_Ke = krb5_get_encryption_key(key,
375 KG_USAGE_ACCEPTOR_SEAL);
376 kc->kc_send_seal_Ki = krb5_get_integrity_key(key,
377 KG_USAGE_ACCEPTOR_SEAL);
378 kc->kc_send_seal_Kc = krb5_get_checksum_key(key,
379 KG_USAGE_ACCEPTOR_SEAL);
380 kc->kc_send_sign_Kc = krb5_get_checksum_key(key,
381 KG_USAGE_ACCEPTOR_SIGN);
382
383 kc->kc_recv_seal_Ke = krb5_get_encryption_key(key,
384 KG_USAGE_INITIATOR_SEAL);
385 kc->kc_recv_seal_Ki = krb5_get_integrity_key(key,
386 KG_USAGE_INITIATOR_SEAL);
387 kc->kc_recv_seal_Kc = krb5_get_checksum_key(key,
388 KG_USAGE_INITIATOR_SEAL);
389 kc->kc_recv_sign_Kc = krb5_get_checksum_key(key,
390 KG_USAGE_INITIATOR_SIGN);
391 }
392 break;
393 }
394
395 return (GSS_S_COMPLETE);
396 }
397
398 static void
399 krb5_init(gss_ctx_id_t ctx)
400 {
401 struct krb5_context *kc = (struct krb5_context *)ctx;
402
403 mtx_init(&kc->kc_lock, "krb5 gss lock", NULL, MTX_DEF);
404 }
405
406 static OM_uint32
407 krb5_import(gss_ctx_id_t ctx,
408 enum sec_context_format format,
409 const gss_buffer_t context_token)
410 {
411 struct krb5_context *kc = (struct krb5_context *)ctx;
412 OM_uint32 res;
413 const uint8_t *p = (const uint8_t *) context_token->value;
414 size_t len = context_token->length;
415 uint32_t flags;
416 int i;
417
418 /*
419 * We support heimdal 0.6 and heimdal 1.1
420 */
421 if (format != KGSS_HEIMDAL_0_6 && format != KGSS_HEIMDAL_1_1)
422 return (GSS_S_DEFECTIVE_TOKEN);
423
424 #define SC_LOCAL_ADDRESS 1
425 #define SC_REMOTE_ADDRESS 2
426 #define SC_KEYBLOCK 4
427 #define SC_LOCAL_SUBKEY 8
428 #define SC_REMOTE_SUBKEY 16
429
430 /*
431 * Ensure that the token starts with krb5 oid.
432 */
433 if (p[0] != 0x00 || p[1] != krb5_mech_oid.length
434 || len < krb5_mech_oid.length + 2
435 || bcmp(krb5_mech_oid.elements, p + 2,
436 krb5_mech_oid.length))
437 return (GSS_S_DEFECTIVE_TOKEN);
438 p += krb5_mech_oid.length + 2;
439 len -= krb5_mech_oid.length + 2;
440
441 flags = get_uint32(&p, &len);
442 kc->kc_ac_flags = get_uint32(&p, &len);
443 if (flags & SC_LOCAL_ADDRESS)
444 get_address(&p, &len, &kc->kc_local_address);
445 if (flags & SC_REMOTE_ADDRESS)
446 get_address(&p, &len, &kc->kc_remote_address);
447 kc->kc_local_port = get_uint16(&p, &len);
448 kc->kc_remote_port = get_uint16(&p, &len);
449 if (flags & SC_KEYBLOCK)
450 get_keyblock(&p, &len, &kc->kc_keyblock);
451 if (flags & SC_LOCAL_SUBKEY)
452 get_keyblock(&p, &len, &kc->kc_local_subkey);
453 if (flags & SC_REMOTE_SUBKEY)
454 get_keyblock(&p, &len, &kc->kc_remote_subkey);
455 kc->kc_local_seqnumber = get_uint32(&p, &len);
456 kc->kc_remote_seqnumber = get_uint32(&p, &len);
457 kc->kc_keytype = get_uint32(&p, &len);
458 kc->kc_cksumtype = get_uint32(&p, &len);
459 get_data(&p, &len, &kc->kc_source_name);
460 get_data(&p, &len, &kc->kc_target_name);
461 kc->kc_ctx_flags = get_uint32(&p, &len);
462 kc->kc_more_flags = get_uint32(&p, &len);
463 kc->kc_lifetime = get_uint32(&p, &len);
464 /*
465 * Heimdal 1.1 adds the message order stuff.
466 */
467 if (format == KGSS_HEIMDAL_1_1) {
468 kc->kc_msg_order.km_flags = get_uint32(&p, &len);
469 kc->kc_msg_order.km_start = get_uint32(&p, &len);
470 kc->kc_msg_order.km_length = get_uint32(&p, &len);
471 kc->kc_msg_order.km_jitter_window = get_uint32(&p, &len);
472 kc->kc_msg_order.km_first_seq = get_uint32(&p, &len);
473 kc->kc_msg_order.km_elem =
474 malloc(kc->kc_msg_order.km_jitter_window * sizeof(uint32_t),
475 M_GSSAPI, M_WAITOK);
476 for (i = 0; i < kc->kc_msg_order.km_jitter_window; i++)
477 kc->kc_msg_order.km_elem[i] = get_uint32(&p, &len);
478 } else {
479 kc->kc_msg_order.km_flags = 0;
480 }
481
482 res = get_keys(kc);
483 if (GSS_ERROR(res))
484 return (res);
485
486 /*
487 * We don't need these anymore.
488 */
489 delete_keyblock(&kc->kc_keyblock);
490 delete_keyblock(&kc->kc_local_subkey);
491 delete_keyblock(&kc->kc_remote_subkey);
492
493 return (GSS_S_COMPLETE);
494 }
495
496 static void
497 krb5_delete(gss_ctx_id_t ctx, gss_buffer_t output_token)
498 {
499 struct krb5_context *kc = (struct krb5_context *)ctx;
500
501 delete_address(&kc->kc_local_address);
502 delete_address(&kc->kc_remote_address);
503 delete_keyblock(&kc->kc_keyblock);
504 delete_keyblock(&kc->kc_local_subkey);
505 delete_keyblock(&kc->kc_remote_subkey);
506 delete_data(&kc->kc_source_name);
507 delete_data(&kc->kc_target_name);
508 if (kc->kc_msg_order.km_elem)
509 free(kc->kc_msg_order.km_elem, M_GSSAPI);
510 if (output_token) {
511 output_token->length = 0;
512 output_token->value = NULL;
513 }
514 if (kc->kc_tokenkey) {
515 krb5_free_key(kc->kc_tokenkey);
516 if (kc->kc_encryptkey) {
517 krb5_free_key(kc->kc_encryptkey);
518 krb5_free_key(kc->kc_checksumkey);
519 } else {
520 krb5_free_key(kc->kc_send_seal_Ke);
521 krb5_free_key(kc->kc_send_seal_Ki);
522 krb5_free_key(kc->kc_send_seal_Kc);
523 krb5_free_key(kc->kc_send_sign_Kc);
524 krb5_free_key(kc->kc_recv_seal_Ke);
525 krb5_free_key(kc->kc_recv_seal_Ki);
526 krb5_free_key(kc->kc_recv_seal_Kc);
527 krb5_free_key(kc->kc_recv_sign_Kc);
528 }
529 }
530 mtx_destroy(&kc->kc_lock);
531 }
532
533 static gss_OID
534 krb5_mech_type(gss_ctx_id_t ctx)
535 {
536
537 return (&krb5_mech_oid);
538 }
539
540 /*
541 * Make a token with the given type and length (the length includes
542 * the TOK_ID), initialising the token header appropriately. Return a
543 * pointer to the TOK_ID of the token. A new mbuf is allocated with
544 * the framing header plus hlen bytes of space.
545 *
546 * Format is as follows:
547 *
548 * 0x60 [APPLICATION 0] SEQUENCE
549 * DER encoded length length of oid + type + inner token length
550 * 0x06 NN <oid data> OID of mechanism type
551 * TT TT TOK_ID
552 * <inner token> data for inner token
553 *
554 * 1: der encoded length
555 */
556 static void *
557 krb5_make_token(char tok_id[2], size_t hlen, size_t len, struct mbuf **mp)
558 {
559 size_t inside_len, len_len, tlen;
560 gss_OID oid = &krb5_mech_oid;
561 struct mbuf *m;
562 uint8_t *p;
563
564 inside_len = 2 + oid->length + len;
565 if (inside_len < 128)
566 len_len = 1;
567 else if (inside_len < 0x100)
568 len_len = 2;
569 else if (inside_len < 0x10000)
570 len_len = 3;
571 else if (inside_len < 0x1000000)
572 len_len = 4;
573 else
574 len_len = 5;
575
576 tlen = 1 + len_len + 2 + oid->length + hlen;
577 KASSERT(tlen <= MLEN, ("token head too large"));
578 MGET(m, M_WAITOK, MT_DATA);
579 M_ALIGN(m, tlen);
580 m->m_len = tlen;
581
582 p = (uint8_t *) m->m_data;
583 *p++ = 0x60;
584 switch (len_len) {
585 case 1:
586 *p++ = inside_len;
587 break;
588 case 2:
589 *p++ = 0x81;
590 *p++ = inside_len;
591 break;
592 case 3:
593 *p++ = 0x82;
594 *p++ = inside_len >> 8;
595 *p++ = inside_len;
596 break;
597 case 4:
598 *p++ = 0x83;
599 *p++ = inside_len >> 16;
600 *p++ = inside_len >> 8;
601 *p++ = inside_len;
602 break;
603 case 5:
604 *p++ = 0x84;
605 *p++ = inside_len >> 24;
606 *p++ = inside_len >> 16;
607 *p++ = inside_len >> 8;
608 *p++ = inside_len;
609 break;
610 }
611
612 *p++ = 0x06;
613 *p++ = oid->length;
614 bcopy(oid->elements, p, oid->length);
615 p += oid->length;
616
617 p[0] = tok_id[0];
618 p[1] = tok_id[1];
619
620 *mp = m;
621
622 return (p);
623 }
624
625 /*
626 * Verify a token, checking the inner token length and mechanism oid.
627 * pointer to the first byte of the TOK_ID. The length of the
628 * encapsulated data is checked to be at least len bytes; the actual
629 * length of the encapsulated data (including TOK_ID) is returned in
630 * *encap_len.
631 *
632 * If can_pullup is TRUE and the token header is fragmented, we will
633 * rearrange it.
634 *
635 * Format is as follows:
636 *
637 * 0x60 [APPLICATION 0] SEQUENCE
638 * DER encoded length length of oid + type + inner token length
639 * 0x06 NN <oid data> OID of mechanism type
640 * TT TT TOK_ID
641 * <inner token> data for inner token
642 *
643 * 1: der encoded length
644 */
645 static void *
646 krb5_verify_token(char tok_id[2], size_t len, struct mbuf **mp,
647 size_t *encap_len, bool_t can_pullup)
648 {
649 struct mbuf *m;
650 size_t tlen, hlen, len_len, inside_len;
651 gss_OID oid = &krb5_mech_oid;
652 uint8_t *p;
653
654 m = *mp;
655 tlen = m_length(m, NULL);
656 if (tlen < 2)
657 return (NULL);
658
659 /*
660 * Ensure that at least the framing part of the token is
661 * contigous.
662 */
663 if (m->m_len < 2) {
664 if (can_pullup)
665 *mp = m = m_pullup(m, 2);
666 else
667 return (NULL);
668 }
669
670 p = m->m_data;
671
672 if (*p++ != 0x60)
673 return (NULL);
674
675 if (*p < 0x80) {
676 inside_len = *p++;
677 len_len = 1;
678 } else {
679 /*
680 * Ensure there is enough space for the DER encoded length.
681 */
682 len_len = (*p & 0x7f) + 1;
683 if (tlen < len_len + 1)
684 return (NULL);
685 if (m->m_len < len_len + 1) {
686 if (can_pullup)
687 *mp = m = m_pullup(m, len_len + 1);
688 else
689 return (NULL);
690 p = m->m_data + 1;
691 }
692
693 switch (*p++) {
694 case 0x81:
695 inside_len = *p++;
696 break;
697
698 case 0x82:
699 inside_len = (p[0] << 8) | p[1];
700 p += 2;
701 break;
702
703 case 0x83:
704 inside_len = (p[0] << 16) | (p[1] << 8) | p[2];
705 p += 3;
706 break;
707
708 case 0x84:
709 inside_len = (p[0] << 24) | (p[1] << 16)
710 | (p[2] << 8) | p[3];
711 p += 4;
712 break;
713
714 default:
715 return (NULL);
716 }
717 }
718
719 if (tlen != inside_len + len_len + 1)
720 return (NULL);
721 if (inside_len < 2 + oid->length + len)
722 return (NULL);
723
724 /*
725 * Now that we know the value of len_len, we can pullup the
726 * whole header. The header is 1 + len_len + 2 + oid->length +
727 * len bytes.
728 */
729 hlen = 1 + len_len + 2 + oid->length + len;
730 if (m->m_len < hlen) {
731 if (can_pullup)
732 *mp = m = m_pullup(m, hlen);
733 else
734 return (NULL);
735 p = m->m_data + 1 + len_len;
736 }
737
738 if (*p++ != 0x06)
739 return (NULL);
740 if (*p++ != oid->length)
741 return (NULL);
742 if (bcmp(oid->elements, p, oid->length))
743 return (NULL);
744 p += oid->length;
745
746 if (p[0] != tok_id[0])
747 return (NULL);
748
749 if (p[1] != tok_id[1])
750 return (NULL);
751
752 *encap_len = inside_len - 2 - oid->length;
753
754 return (p);
755 }
756
757 static void
758 krb5_insert_seq(struct krb5_msg_order *mo, uint32_t seq, int index)
759 {
760 int i;
761
762 if (mo->km_length < mo->km_jitter_window)
763 mo->km_length++;
764
765 for (i = mo->km_length - 1; i > index; i--)
766 mo->km_elem[i] = mo->km_elem[i - 1];
767 mo->km_elem[index] = seq;
768 }
769
770 /*
771 * Check sequence numbers according to RFC 2743 section 1.2.3.
772 */
773 static OM_uint32
774 krb5_sequence_check(struct krb5_context *kc, uint32_t seq)
775 {
776 OM_uint32 res = GSS_S_FAILURE;
777 struct krb5_msg_order *mo = &kc->kc_msg_order;
778 int check_sequence = mo->km_flags & GSS_C_SEQUENCE_FLAG;
779 int check_replay = mo->km_flags & GSS_C_REPLAY_FLAG;
780 int i;
781
782 mtx_lock(&kc->kc_lock);
783
784 /*
785 * Message is in-sequence with no gap.
786 */
787 if (mo->km_length == 0 || seq == mo->km_elem[0] + 1) {
788 /*
789 * This message is received in-sequence with no gaps.
790 */
791 krb5_insert_seq(mo, seq, 0);
792 res = GSS_S_COMPLETE;
793 goto out;
794 }
795
796 if (seq > mo->km_elem[0]) {
797 /*
798 * This message is received in-sequence with a gap.
799 */
800 krb5_insert_seq(mo, seq, 0);
801 if (check_sequence)
802 res = GSS_S_GAP_TOKEN;
803 else
804 res = GSS_S_COMPLETE;
805 goto out;
806 }
807
808 if (seq < mo->km_elem[mo->km_length - 1]) {
809 if (check_replay && !check_sequence)
810 res = GSS_S_OLD_TOKEN;
811 else
812 res = GSS_S_UNSEQ_TOKEN;
813 goto out;
814 }
815
816 for (i = 0; i < mo->km_length; i++) {
817 if (mo->km_elem[i] == seq) {
818 res = GSS_S_DUPLICATE_TOKEN;
819 goto out;
820 }
821 if (mo->km_elem[i] < seq) {
822 /*
823 * We need to insert this seq here,
824 */
825 krb5_insert_seq(mo, seq, i);
826 if (check_replay && !check_sequence)
827 res = GSS_S_COMPLETE;
828 else
829 res = GSS_S_UNSEQ_TOKEN;
830 goto out;
831 }
832 }
833
834 out:
835 mtx_unlock(&kc->kc_lock);
836
837 return (res);
838 }
839
840 static uint8_t sgn_alg_des_md5[] = { 0x00, 0x00 };
841 static uint8_t seal_alg_des[] = { 0x00, 0x00 };
842 static uint8_t sgn_alg_des3_sha1[] = { 0x04, 0x00 };
843 static uint8_t seal_alg_des3[] = { 0x02, 0x00 };
844 static uint8_t seal_alg_rc4[] = { 0x10, 0x00 };
845 static uint8_t sgn_alg_hmac_md5[] = { 0x11, 0x00 };
846
847 /*
848 * Return the size of the inner token given the use of the key's
849 * encryption class. For wrap tokens, the length of the padded
850 * plaintext will be added to this.
851 */
852 static size_t
853 token_length(struct krb5_key_state *key)
854 {
855
856 return (16 + key->ks_class->ec_checksumlen);
857 }
858
859 static OM_uint32
860 krb5_get_mic_old(struct krb5_context *kc, struct mbuf *m,
861 struct mbuf **micp, uint8_t sgn_alg[2])
862 {
863 struct mbuf *mlast, *mic, *tm;
864 uint8_t *p, dir;
865 size_t tlen, mlen, cklen;
866 uint32_t seq;
867 char buf[8];
868
869 mlen = m_length(m, &mlast);
870
871 tlen = token_length(kc->kc_tokenkey);
872 p = krb5_make_token("\x01\x01", tlen, tlen, &mic);
873 p += 2; /* TOK_ID */
874 *p++ = sgn_alg[0]; /* SGN_ALG */
875 *p++ = sgn_alg[1];
876
877 *p++ = 0xff; /* filler */
878 *p++ = 0xff;
879 *p++ = 0xff;
880 *p++ = 0xff;
881
882 /*
883 * SGN_CKSUM:
884 *
885 * Calculate the keyed checksum of the token header plus the
886 * message.
887 */
888 cklen = kc->kc_checksumkey->ks_class->ec_checksumlen;
889
890 mic->m_len = p - (uint8_t *) mic->m_data;
891 mic->m_next = m;
892 MGET(tm, M_WAITOK, MT_DATA);
893 tm->m_len = cklen;
894 mlast->m_next = tm;
895
896 krb5_checksum(kc->kc_checksumkey, 15, mic, mic->m_len - 8,
897 8 + mlen, cklen);
898 bcopy(tm->m_data, p + 8, cklen);
899 mic->m_next = NULL;
900 mlast->m_next = NULL;
901 m_free(tm);
902
903 /*
904 * SND_SEQ:
905 *
906 * Take the four bytes of the sequence number least
907 * significant first followed by four bytes of direction
908 * marker (zero for initiator and 0xff for acceptor). Encrypt
909 * that data using the SGN_CKSUM as IV. Note: ARC4 wants the
910 * sequence number big-endian.
911 */
912 seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
913 if (sgn_alg[0] == 0x11) {
914 p[0] = (seq >> 24);
915 p[1] = (seq >> 16);
916 p[2] = (seq >> 8);
917 p[3] = (seq >> 0);
918 } else {
919 p[0] = (seq >> 0);
920 p[1] = (seq >> 8);
921 p[2] = (seq >> 16);
922 p[3] = (seq >> 24);
923 }
924 if (is_initiator(kc)) {
925 dir = 0;
926 } else {
927 dir = 0xff;
928 }
929 p[4] = dir;
930 p[5] = dir;
931 p[6] = dir;
932 p[7] = dir;
933 bcopy(p + 8, buf, 8);
934
935 /*
936 * Set the mic buffer to its final size so that the encrypt
937 * can see the SND_SEQ part.
938 */
939 mic->m_len += 8 + cklen;
940 krb5_encrypt(kc->kc_tokenkey, mic, mic->m_len - cklen - 8, 8, buf, 8);
941
942 *micp = mic;
943 return (GSS_S_COMPLETE);
944 }
945
946 static OM_uint32
947 krb5_get_mic_new(struct krb5_context *kc, struct mbuf *m,
948 struct mbuf **micp)
949 {
950 struct krb5_key_state *key = kc->kc_send_sign_Kc;
951 struct mbuf *mlast, *mic;
952 uint8_t *p;
953 int flags;
954 size_t mlen, cklen;
955 uint32_t seq;
956
957 mlen = m_length(m, &mlast);
958 cklen = key->ks_class->ec_checksumlen;
959
960 KASSERT(16 + cklen <= MLEN, ("checksum too large for an mbuf"));
961 MGET(mic, M_WAITOK, MT_DATA);
962 M_ALIGN(mic, 16 + cklen);
963 mic->m_len = 16 + cklen;
964 p = mic->m_data;
965
966 /* TOK_ID */
967 p[0] = 0x04;
968 p[1] = 0x04;
969
970 /* Flags */
971 flags = 0;
972 if (is_acceptor(kc))
973 flags |= GSS_TOKEN_SENT_BY_ACCEPTOR;
974 if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
975 flags |= GSS_TOKEN_ACCEPTOR_SUBKEY;
976 p[2] = flags;
977
978 /* Filler */
979 p[3] = 0xff;
980 p[4] = 0xff;
981 p[5] = 0xff;
982 p[6] = 0xff;
983 p[7] = 0xff;
984
985 /* SND_SEQ */
986 p[8] = 0;
987 p[9] = 0;
988 p[10] = 0;
989 p[11] = 0;
990 seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
991 p[12] = (seq >> 24);
992 p[13] = (seq >> 16);
993 p[14] = (seq >> 8);
994 p[15] = (seq >> 0);
995
996 /*
997 * SGN_CKSUM:
998 *
999 * Calculate the keyed checksum of the message plus the first
1000 * 16 bytes of the token header.
1001 */
1002 mlast->m_next = mic;
1003 krb5_checksum(key, 0, m, 0, mlen + 16, cklen);
1004 mlast->m_next = NULL;
1005
1006 *micp = mic;
1007 return (GSS_S_COMPLETE);
1008 }
1009
1010 static OM_uint32
1011 krb5_get_mic(gss_ctx_id_t ctx, OM_uint32 *minor_status,
1012 gss_qop_t qop_req, struct mbuf *m, struct mbuf **micp)
1013 {
1014 struct krb5_context *kc = (struct krb5_context *)ctx;
1015
1016 *minor_status = 0;
1017
1018 if (qop_req != GSS_C_QOP_DEFAULT)
1019 return (GSS_S_BAD_QOP);
1020
1021 if (time_uptime > kc->kc_lifetime)
1022 return (GSS_S_CONTEXT_EXPIRED);
1023
1024 switch (kc->kc_tokenkey->ks_class->ec_type) {
1025 case ETYPE_DES_CBC_CRC:
1026 return (krb5_get_mic_old(kc, m, micp, sgn_alg_des_md5));
1027
1028 case ETYPE_DES3_CBC_SHA1:
1029 return (krb5_get_mic_old(kc, m, micp, sgn_alg_des3_sha1));
1030
1031 case ETYPE_ARCFOUR_HMAC_MD5:
1032 case ETYPE_ARCFOUR_HMAC_MD5_56:
1033 return (krb5_get_mic_old(kc, m, micp, sgn_alg_hmac_md5));
1034
1035 default:
1036 return (krb5_get_mic_new(kc, m, micp));
1037 }
1038
1039 return (GSS_S_FAILURE);
1040 }
1041
1042 static OM_uint32
1043 krb5_verify_mic_old(struct krb5_context *kc, struct mbuf *m, struct mbuf *mic,
1044 uint8_t sgn_alg[2])
1045 {
1046 struct mbuf *mlast, *tm;
1047 uint8_t *p, *tp, dir;
1048 size_t mlen, tlen, elen;
1049 size_t cklen;
1050 uint32_t seq;
1051
1052 mlen = m_length(m, &mlast);
1053
1054 tlen = token_length(kc->kc_tokenkey);
1055 p = krb5_verify_token("\x01\x01", tlen, &mic, &elen, FALSE);
1056 if (!p)
1057 return (GSS_S_DEFECTIVE_TOKEN);
1058 #if 0
1059 /*
1060 * Disable this check - heimdal-1.1 generates DES3 MIC tokens
1061 * that are 2 bytes too big.
1062 */
1063 if (elen != tlen)
1064 return (GSS_S_DEFECTIVE_TOKEN);
1065 #endif
1066 /* TOK_ID */
1067 p += 2;
1068
1069 /* SGN_ALG */
1070 if (p[0] != sgn_alg[0] || p[1] != sgn_alg[1])
1071 return (GSS_S_DEFECTIVE_TOKEN);
1072 p += 2;
1073
1074 if (p[0] != 0xff || p[1] != 0xff || p[2] != 0xff || p[3] != 0xff)
1075 return (GSS_S_DEFECTIVE_TOKEN);
1076 p += 4;
1077
1078 /*
1079 * SGN_CKSUM:
1080 *
1081 * Calculate the keyed checksum of the token header plus the
1082 * message.
1083 */
1084 cklen = kc->kc_checksumkey->ks_class->ec_checksumlen;
1085 mic->m_len = p - (uint8_t *) mic->m_data;
1086 mic->m_next = m;
1087 MGET(tm, M_WAITOK, MT_DATA);
1088 tm->m_len = cklen;
1089 mlast->m_next = tm;
1090
1091 krb5_checksum(kc->kc_checksumkey, 15, mic, mic->m_len - 8,
1092 8 + mlen, cklen);
1093 mic->m_next = NULL;
1094 mlast->m_next = NULL;
1095 if (bcmp(tm->m_data, p + 8, cklen)) {
1096 m_free(tm);
1097 return (GSS_S_BAD_SIG);
1098 }
1099
1100 /*
1101 * SND_SEQ:
1102 *
1103 * Take the four bytes of the sequence number least
1104 * significant first followed by four bytes of direction
1105 * marker (zero for initiator and 0xff for acceptor). Encrypt
1106 * that data using the SGN_CKSUM as IV. Note: ARC4 wants the
1107 * sequence number big-endian.
1108 */
1109 bcopy(p, tm->m_data, 8);
1110 tm->m_len = 8;
1111 krb5_decrypt(kc->kc_tokenkey, tm, 0, 8, p + 8, 8);
1112
1113 tp = tm->m_data;
1114 if (sgn_alg[0] == 0x11) {
1115 seq = tp[3] | (tp[2] << 8) | (tp[1] << 16) | (tp[0] << 24);
1116 } else {
1117 seq = tp[0] | (tp[1] << 8) | (tp[2] << 16) | (tp[3] << 24);
1118 }
1119
1120 if (is_initiator(kc)) {
1121 dir = 0xff;
1122 } else {
1123 dir = 0;
1124 }
1125 if (tp[4] != dir || tp[5] != dir || tp[6] != dir || tp[7] != dir) {
1126 m_free(tm);
1127 return (GSS_S_DEFECTIVE_TOKEN);
1128 }
1129 m_free(tm);
1130
1131 if (kc->kc_msg_order.km_flags &
1132 (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) {
1133 return (krb5_sequence_check(kc, seq));
1134 }
1135
1136 return (GSS_S_COMPLETE);
1137 }
1138
1139 static OM_uint32
1140 krb5_verify_mic_new(struct krb5_context *kc, struct mbuf *m, struct mbuf *mic)
1141 {
1142 OM_uint32 res;
1143 struct krb5_key_state *key = kc->kc_recv_sign_Kc;
1144 struct mbuf *mlast;
1145 uint8_t *p;
1146 int flags;
1147 size_t mlen, cklen;
1148 char buf[32];
1149
1150 mlen = m_length(m, &mlast);
1151 cklen = key->ks_class->ec_checksumlen;
1152
1153 KASSERT(mic->m_next == NULL, ("MIC should be contiguous"));
1154 if (mic->m_len != 16 + cklen)
1155 return (GSS_S_DEFECTIVE_TOKEN);
1156 p = mic->m_data;
1157
1158 /* TOK_ID */
1159 if (p[0] != 0x04)
1160 return (GSS_S_DEFECTIVE_TOKEN);
1161 if (p[1] != 0x04)
1162 return (GSS_S_DEFECTIVE_TOKEN);
1163
1164 /* Flags */
1165 flags = 0;
1166 if (is_initiator(kc))
1167 flags |= GSS_TOKEN_SENT_BY_ACCEPTOR;
1168 if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
1169 flags |= GSS_TOKEN_ACCEPTOR_SUBKEY;
1170 if (p[2] != flags)
1171 return (GSS_S_DEFECTIVE_TOKEN);
1172
1173 /* Filler */
1174 if (p[3] != 0xff)
1175 return (GSS_S_DEFECTIVE_TOKEN);
1176 if (p[4] != 0xff)
1177 return (GSS_S_DEFECTIVE_TOKEN);
1178 if (p[5] != 0xff)
1179 return (GSS_S_DEFECTIVE_TOKEN);
1180 if (p[6] != 0xff)
1181 return (GSS_S_DEFECTIVE_TOKEN);
1182 if (p[7] != 0xff)
1183 return (GSS_S_DEFECTIVE_TOKEN);
1184
1185 /* SND_SEQ */
1186 if (kc->kc_msg_order.km_flags &
1187 (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) {
1188 uint32_t seq;
1189 if (p[8] || p[9] || p[10] || p[11]) {
1190 res = GSS_S_UNSEQ_TOKEN;
1191 } else {
1192 seq = (p[12] << 24) | (p[13] << 16)
1193 | (p[14] << 8) | p[15];
1194 res = krb5_sequence_check(kc, seq);
1195 }
1196 if (GSS_ERROR(res))
1197 return (res);
1198 } else {
1199 res = GSS_S_COMPLETE;
1200 }
1201
1202 /*
1203 * SGN_CKSUM:
1204 *
1205 * Calculate the keyed checksum of the message plus the first
1206 * 16 bytes of the token header.
1207 */
1208 m_copydata(mic, 16, cklen, buf);
1209 mlast->m_next = mic;
1210 krb5_checksum(key, 0, m, 0, mlen + 16, cklen);
1211 mlast->m_next = NULL;
1212 if (bcmp(buf, p + 16, cklen)) {
1213 return (GSS_S_BAD_SIG);
1214 }
1215
1216 return (GSS_S_COMPLETE);
1217 }
1218
1219 static OM_uint32
1220 krb5_verify_mic(gss_ctx_id_t ctx, OM_uint32 *minor_status,
1221 struct mbuf *m, struct mbuf *mic, gss_qop_t *qop_state)
1222 {
1223 struct krb5_context *kc = (struct krb5_context *)ctx;
1224
1225 *minor_status = 0;
1226 if (qop_state)
1227 *qop_state = GSS_C_QOP_DEFAULT;
1228
1229 if (time_uptime > kc->kc_lifetime)
1230 return (GSS_S_CONTEXT_EXPIRED);
1231
1232 switch (kc->kc_tokenkey->ks_class->ec_type) {
1233 case ETYPE_DES_CBC_CRC:
1234 return (krb5_verify_mic_old(kc, m, mic, sgn_alg_des_md5));
1235
1236 case ETYPE_ARCFOUR_HMAC_MD5:
1237 case ETYPE_ARCFOUR_HMAC_MD5_56:
1238 return (krb5_verify_mic_old(kc, m, mic, sgn_alg_hmac_md5));
1239
1240 case ETYPE_DES3_CBC_SHA1:
1241 return (krb5_verify_mic_old(kc, m, mic, sgn_alg_des3_sha1));
1242
1243 default:
1244 return (krb5_verify_mic_new(kc, m, mic));
1245 }
1246
1247 return (GSS_S_FAILURE);
1248 }
1249
1250 static OM_uint32
1251 krb5_wrap_old(struct krb5_context *kc, int conf_req_flag,
1252 struct mbuf **mp, int *conf_state,
1253 uint8_t sgn_alg[2], uint8_t seal_alg[2])
1254 {
1255 struct mbuf *m, *mlast, *tm, *cm, *pm;
1256 size_t mlen, tlen, padlen, datalen;
1257 uint8_t *p, dir;
1258 size_t cklen;
1259 uint8_t buf[8];
1260 uint32_t seq;
1261
1262 /*
1263 * How many trailing pad bytes do we need?
1264 */
1265 m = *mp;
1266 mlen = m_length(m, &mlast);
1267 tlen = kc->kc_tokenkey->ks_class->ec_msgblocklen;
1268 padlen = tlen - (mlen % tlen);
1269
1270 /*
1271 * The data part of the token has eight bytes of random
1272 * confounder prepended and followed by up to eight bytes of
1273 * padding bytes each of which is set to the number of padding
1274 * bytes.
1275 */
1276 datalen = mlen + 8 + padlen;
1277 tlen = token_length(kc->kc_tokenkey);
1278
1279 p = krb5_make_token("\x02\x01", tlen, datalen + tlen, &tm);
1280 p += 2; /* TOK_ID */
1281 *p++ = sgn_alg[0]; /* SGN_ALG */
1282 *p++ = sgn_alg[1];
1283 if (conf_req_flag) {
1284 *p++ = seal_alg[0]; /* SEAL_ALG */
1285 *p++ = seal_alg[1];
1286 } else {
1287 *p++ = 0xff; /* SEAL_ALG = none */
1288 *p++ = 0xff;
1289 }
1290
1291 *p++ = 0xff; /* filler */
1292 *p++ = 0xff;
1293
1294 /*
1295 * Copy the padded message data.
1296 */
1297 if (M_LEADINGSPACE(m) >= 8) {
1298 m->m_data -= 8;
1299 m->m_len += 8;
1300 } else {
1301 MGET(cm, M_WAITOK, MT_DATA);
1302 cm->m_len = 8;
1303 cm->m_next = m;
1304 m = cm;
1305 }
1306 arc4rand(m->m_data, 8, 0);
1307 if (M_TRAILINGSPACE(mlast) >= padlen) {
1308 memset(mlast->m_data + mlast->m_len, padlen, padlen);
1309 mlast->m_len += padlen;
1310 } else {
1311 MGET(pm, M_WAITOK, MT_DATA);
1312 memset(pm->m_data, padlen, padlen);
1313 pm->m_len = padlen;
1314 mlast->m_next = pm;
1315 mlast = pm;
1316 }
1317 tm->m_next = m;
1318
1319 /*
1320 * SGN_CKSUM:
1321 *
1322 * Calculate the keyed checksum of the token header plus the
1323 * padded message. Fiddle with tm->m_len so that we only
1324 * checksum the 8 bytes of head that we care about.
1325 */
1326 cklen = kc->kc_checksumkey->ks_class->ec_checksumlen;
1327 tlen = tm->m_len;
1328 tm->m_len = p - (uint8_t *) tm->m_data;
1329 MGET(cm, M_WAITOK, MT_DATA);
1330 cm->m_len = cklen;
1331 mlast->m_next = cm;
1332 krb5_checksum(kc->kc_checksumkey, 13, tm, tm->m_len - 8,
1333 datalen + 8, cklen);
1334 tm->m_len = tlen;
1335 mlast->m_next = NULL;
1336 bcopy(cm->m_data, p + 8, cklen);
1337 m_free(cm);
1338
1339 /*
1340 * SND_SEQ:
1341 *
1342 * Take the four bytes of the sequence number least
1343 * significant first (most significant first for ARCFOUR)
1344 * followed by four bytes of direction marker (zero for
1345 * initiator and 0xff for acceptor). Encrypt that data using
1346 * the SGN_CKSUM as IV.
1347 */
1348 seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
1349 if (sgn_alg[0] == 0x11) {
1350 p[0] = (seq >> 24);
1351 p[1] = (seq >> 16);
1352 p[2] = (seq >> 8);
1353 p[3] = (seq >> 0);
1354 } else {
1355 p[0] = (seq >> 0);
1356 p[1] = (seq >> 8);
1357 p[2] = (seq >> 16);
1358 p[3] = (seq >> 24);
1359 }
1360 if (is_initiator(kc)) {
1361 dir = 0;
1362 } else {
1363 dir = 0xff;
1364 }
1365 p[4] = dir;
1366 p[5] = dir;
1367 p[6] = dir;
1368 p[7] = dir;
1369 krb5_encrypt(kc->kc_tokenkey, tm, p - (uint8_t *) tm->m_data,
1370 8, p + 8, 8);
1371
1372 if (conf_req_flag) {
1373 /*
1374 * Encrypt the padded message with an IV of zero for
1375 * DES and DES3, or an IV of the sequence number in
1376 * big-endian format for ARCFOUR.
1377 */
1378 if (seal_alg[0] == 0x10) {
1379 buf[0] = (seq >> 24);
1380 buf[1] = (seq >> 16);
1381 buf[2] = (seq >> 8);
1382 buf[3] = (seq >> 0);
1383 krb5_encrypt(kc->kc_encryptkey, m, 0, datalen,
1384 buf, 4);
1385 } else {
1386 krb5_encrypt(kc->kc_encryptkey, m, 0, datalen,
1387 NULL, 0);
1388 }
1389 }
1390
1391 if (conf_state)
1392 *conf_state = conf_req_flag;
1393
1394 *mp = tm;
1395 return (GSS_S_COMPLETE);
1396 }
1397
1398 static OM_uint32
1399 krb5_wrap_new(struct krb5_context *kc, int conf_req_flag,
1400 struct mbuf **mp, int *conf_state)
1401 {
1402 struct krb5_key_state *Ke = kc->kc_send_seal_Ke;
1403 struct krb5_key_state *Ki = kc->kc_send_seal_Ki;
1404 struct krb5_key_state *Kc = kc->kc_send_seal_Kc;
1405 const struct krb5_encryption_class *ec = Ke->ks_class;
1406 struct mbuf *m, *mlast, *tm;
1407 uint8_t *p;
1408 int flags, EC;
1409 size_t mlen, blen, mblen, cklen, ctlen;
1410 uint32_t seq;
1411 static char zpad[32];
1412
1413 m = *mp;
1414 mlen = m_length(m, &mlast);
1415
1416 blen = ec->ec_blocklen;
1417 mblen = ec->ec_msgblocklen;
1418 cklen = ec->ec_checksumlen;
1419
1420 if (conf_req_flag) {
1421 /*
1422 * For sealed messages, we need space for 16 bytes of
1423 * header, blen confounder, plaintext, padding, copy
1424 * of header and checksum.
1425 *
1426 * We pad to mblen (which may be different from
1427 * blen). If the encryption class is using CTS, mblen
1428 * will be one (i.e. no padding required).
1429 */
1430 if (mblen > 1)
1431 EC = mlen % mblen;
1432 else
1433 EC = 0;
1434 ctlen = blen + mlen + EC + 16;
1435
1436 /*
1437 * Put initial header and confounder before the
1438 * message.
1439 */
1440 M_PREPEND(m, 16 + blen, M_WAITOK);
1441
1442 /*
1443 * Append padding + copy of header and checksum. Try
1444 * to fit this into the end of the original message,
1445 * otherwise allocate a trailer.
1446 */
1447 if (M_TRAILINGSPACE(mlast) >= EC + 16 + cklen) {
1448 tm = NULL;
1449 mlast->m_len += EC + 16 + cklen;
1450 } else {
1451 MGET(tm, M_WAITOK, MT_DATA);
1452 tm->m_len = EC + 16 + cklen;
1453 mlast->m_next = tm;
1454 }
1455 } else {
1456 /*
1457 * For unsealed messages, we need 16 bytes of header
1458 * plus space for the plaintext and a checksum. EC is
1459 * set to the checksum size. We leave space in tm for
1460 * a copy of the header - this will be trimmed later.
1461 */
1462 M_PREPEND(m, 16, M_WAITOK);
1463
1464 MGET(tm, M_WAITOK, MT_DATA);
1465 tm->m_len = cklen + 16;
1466 mlast->m_next = tm;
1467 ctlen = 0;
1468 EC = cklen;
1469 }
1470
1471 p = m->m_data;
1472
1473 /* TOK_ID */
1474 p[0] = 0x05;
1475 p[1] = 0x04;
1476
1477 /* Flags */
1478 flags = 0;
1479 if (conf_req_flag)
1480 flags = GSS_TOKEN_SEALED;
1481 if (is_acceptor(kc))
1482 flags |= GSS_TOKEN_SENT_BY_ACCEPTOR;
1483 if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
1484 flags |= GSS_TOKEN_ACCEPTOR_SUBKEY;
1485 p[2] = flags;
1486
1487 /* Filler */
1488 p[3] = 0xff;
1489
1490 /* EC + RRC - set to zero initially */
1491 p[4] = 0;
1492 p[5] = 0;
1493 p[6] = 0;
1494 p[7] = 0;
1495
1496 /* SND_SEQ */
1497 p[8] = 0;
1498 p[9] = 0;
1499 p[10] = 0;
1500 p[11] = 0;
1501 seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
1502 p[12] = (seq >> 24);
1503 p[13] = (seq >> 16);
1504 p[14] = (seq >> 8);
1505 p[15] = (seq >> 0);
1506
1507 if (conf_req_flag) {
1508 /*
1509 * Encrypt according to RFC 4121 section 4.2 and RFC
1510 * 3961 section 5.3. Note: we don't generate tokens
1511 * with RRC values other than zero. If we did, we
1512 * should zero RRC in the copied header.
1513 */
1514 arc4rand(p + 16, blen, 0);
1515 if (EC) {
1516 m_copyback(m, 16 + blen + mlen, EC, zpad);
1517 }
1518 m_copyback(m, 16 + blen + mlen + EC, 16, p);
1519
1520 krb5_checksum(Ki, 0, m, 16, ctlen, cklen);
1521 krb5_encrypt(Ke, m, 16, ctlen, NULL, 0);
1522 } else {
1523 /*
1524 * The plaintext message is followed by a checksum of
1525 * the plaintext plus a version of the header where EC
1526 * and RRC are set to zero. Also, the original EC must
1527 * be our checksum size.
1528 */
1529 bcopy(p, tm->m_data, 16);
1530 krb5_checksum(Kc, 0, m, 16, mlen + 16, cklen);
1531 tm->m_data += 16;
1532 tm->m_len -= 16;
1533 }
1534
1535 /*
1536 * Finally set EC to its actual value
1537 */
1538 p[4] = EC >> 8;
1539 p[5] = EC;
1540
1541 *mp = m;
1542 return (GSS_S_COMPLETE);
1543 }
1544
1545 static OM_uint32
1546 krb5_wrap(gss_ctx_id_t ctx, OM_uint32 *minor_status,
1547 int conf_req_flag, gss_qop_t qop_req,
1548 struct mbuf **mp, int *conf_state)
1549 {
1550 struct krb5_context *kc = (struct krb5_context *)ctx;
1551
1552 *minor_status = 0;
1553 if (conf_state)
1554 *conf_state = 0;
1555
1556 if (qop_req != GSS_C_QOP_DEFAULT)
1557 return (GSS_S_BAD_QOP);
1558
1559 if (time_uptime > kc->kc_lifetime)
1560 return (GSS_S_CONTEXT_EXPIRED);
1561
1562 switch (kc->kc_tokenkey->ks_class->ec_type) {
1563 case ETYPE_DES_CBC_CRC:
1564 return (krb5_wrap_old(kc, conf_req_flag,
1565 mp, conf_state, sgn_alg_des_md5, seal_alg_des));
1566
1567 case ETYPE_ARCFOUR_HMAC_MD5:
1568 case ETYPE_ARCFOUR_HMAC_MD5_56:
1569 return (krb5_wrap_old(kc, conf_req_flag,
1570 mp, conf_state, sgn_alg_hmac_md5, seal_alg_rc4));
1571
1572 case ETYPE_DES3_CBC_SHA1:
1573 return (krb5_wrap_old(kc, conf_req_flag,
1574 mp, conf_state, sgn_alg_des3_sha1, seal_alg_des3));
1575
1576 default:
1577 return (krb5_wrap_new(kc, conf_req_flag, mp, conf_state));
1578 }
1579
1580 return (GSS_S_FAILURE);
1581 }
1582
1583 static void
1584 m_trim(struct mbuf *m, int len)
1585 {
1586 struct mbuf *n;
1587 int off;
1588
1589 if (m == NULL)
1590 return;
1591 n = m_getptr(m, len, &off);
1592 if (n) {
1593 n->m_len = off;
1594 if (n->m_next) {
1595 m_freem(n->m_next);
1596 n->m_next = NULL;
1597 }
1598 }
1599 }
1600
1601 static OM_uint32
1602 krb5_unwrap_old(struct krb5_context *kc, struct mbuf **mp, int *conf_state,
1603 uint8_t sgn_alg[2], uint8_t seal_alg[2])
1604 {
1605 OM_uint32 res;
1606 struct mbuf *m, *mlast, *hm, *cm, *n;
1607 uint8_t *p, dir;
1608 size_t tlen, elen, datalen, padlen;
1609 size_t cklen;
1610 uint8_t buf[32];
1611 uint32_t seq;
1612 int i, conf;
1613
1614 m = *mp;
1615 m_length(m, &mlast);
1616
1617 tlen = token_length(kc->kc_tokenkey);
1618 cklen = kc->kc_tokenkey->ks_class->ec_checksumlen;
1619
1620 p = krb5_verify_token("\x02\x01", tlen, &m, &elen, TRUE);
1621 *mp = m;
1622 if (!p)
1623 return (GSS_S_DEFECTIVE_TOKEN);
1624 datalen = elen - tlen;
1625
1626 /*
1627 * Trim the framing header first to make life a little easier
1628 * later.
1629 */
1630 m_adj(m, p - (uint8_t *) m->m_data);
1631
1632 /* TOK_ID */
1633 p += 2;
1634
1635 /* SGN_ALG */
1636 if (p[0] != sgn_alg[0] || p[1] != sgn_alg[1])
1637 return (GSS_S_DEFECTIVE_TOKEN);
1638 p += 2;
1639
1640 /* SEAL_ALG */
1641 if (p[0] == seal_alg[0] && p[1] == seal_alg[1])
1642 conf = 1;
1643 else if (p[0] == 0xff && p[1] == 0xff)
1644 conf = 0;
1645 else
1646 return (GSS_S_DEFECTIVE_TOKEN);
1647 p += 2;
1648
1649 if (p[0] != 0xff || p[1] != 0xff)
1650 return (GSS_S_DEFECTIVE_TOKEN);
1651 p += 2;
1652
1653 /*
1654 * SND_SEQ:
1655 *
1656 * Take the four bytes of the sequence number least
1657 * significant first (most significant for ARCFOUR) followed
1658 * by four bytes of direction marker (zero for initiator and
1659 * 0xff for acceptor). Encrypt that data using the SGN_CKSUM
1660 * as IV.
1661 */
1662 krb5_decrypt(kc->kc_tokenkey, m, 8, 8, p + 8, 8);
1663 if (sgn_alg[0] == 0x11) {
1664 seq = p[3] | (p[2] << 8) | (p[1] << 16) | (p[0] << 24);
1665 } else {
1666 seq = p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
1667 }
1668
1669 if (is_initiator(kc)) {
1670 dir = 0xff;
1671 } else {
1672 dir = 0;
1673 }
1674 if (p[4] != dir || p[5] != dir || p[6] != dir || p[7] != dir)
1675 return (GSS_S_DEFECTIVE_TOKEN);
1676
1677 if (kc->kc_msg_order.km_flags &
1678 (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) {
1679 res = krb5_sequence_check(kc, seq);
1680 if (GSS_ERROR(res))
1681 return (res);
1682 } else {
1683 res = GSS_S_COMPLETE;
1684 }
1685
1686 /*
1687 * If the token was encrypted, decode it in-place.
1688 */
1689 if (conf) {
1690 /*
1691 * Decrypt the padded message with an IV of zero for
1692 * DES and DES3 or an IV of the big-endian encoded
1693 * sequence number for ARCFOUR.
1694 */
1695 if (seal_alg[0] == 0x10) {
1696 krb5_decrypt(kc->kc_encryptkey, m, 16 + cklen,
1697 datalen, p, 4);
1698 } else {
1699 krb5_decrypt(kc->kc_encryptkey, m, 16 + cklen,
1700 datalen, NULL, 0);
1701 }
1702 }
1703 if (conf_state)
1704 *conf_state = conf;
1705
1706 /*
1707 * Check the trailing pad bytes.
1708 * RFC1964 specifies between 1<->8 bytes, each with a binary value
1709 * equal to the number of bytes.
1710 */
1711 if (mlast->m_len > 0)
1712 padlen = mlast->m_data[mlast->m_len - 1];
1713 else {
1714 n = m_getptr(m, tlen + datalen - 1, &i);
1715 /*
1716 * When the position is exactly equal to the # of data bytes
1717 * in the mbuf list, m_getptr() will return the last mbuf in
1718 * the list and an off == m_len for that mbuf, so that case
1719 * needs to be checked as well as a NULL return.
1720 */
1721 if (n == NULL || n->m_len == i)
1722 return (GSS_S_DEFECTIVE_TOKEN);
1723 padlen = n->m_data[i];
1724 }
1725 if (padlen < 1 || padlen > 8 || padlen > tlen + datalen)
1726 return (GSS_S_DEFECTIVE_TOKEN);
1727 m_copydata(m, tlen + datalen - padlen, padlen, buf);
1728 for (i = 0; i < padlen; i++) {
1729 if (buf[i] != padlen) {
1730 return (GSS_S_DEFECTIVE_TOKEN);
1731 }
1732 }
1733
1734 /*
1735 * SGN_CKSUM:
1736 *
1737 * Calculate the keyed checksum of the token header plus the
1738 * padded message. We do a little mbuf surgery to trim out the
1739 * parts we don't want to checksum.
1740 */
1741 hm = m;
1742 *mp = m = m_split(m, 16 + cklen, M_WAITOK);
1743 mlast = m_last(m);
1744 hm->m_len = 8;
1745 hm->m_next = m;
1746 MGET(cm, M_WAITOK, MT_DATA);
1747 cm->m_len = cklen;
1748 mlast->m_next = cm;
1749
1750 krb5_checksum(kc->kc_checksumkey, 13, hm, 0, datalen + 8, cklen);
1751 hm->m_next = NULL;
1752 mlast->m_next = NULL;
1753
1754 if (bcmp(cm->m_data, hm->m_data + 16, cklen)) {
1755 m_freem(hm);
1756 m_free(cm);
1757 return (GSS_S_BAD_SIG);
1758 }
1759 m_freem(hm);
1760 m_free(cm);
1761
1762 /*
1763 * Trim off the confounder and padding.
1764 */
1765 m_adj(m, 8);
1766 if (mlast->m_len >= padlen) {
1767 mlast->m_len -= padlen;
1768 } else {
1769 m_trim(m, datalen - 8 - padlen);
1770 }
1771
1772 *mp = m;
1773 return (res);
1774 }
1775
1776 static OM_uint32
1777 krb5_unwrap_new(struct krb5_context *kc, struct mbuf **mp, int *conf_state)
1778 {
1779 OM_uint32 res;
1780 struct krb5_key_state *Ke = kc->kc_recv_seal_Ke;
1781 struct krb5_key_state *Ki = kc->kc_recv_seal_Ki;
1782 struct krb5_key_state *Kc = kc->kc_recv_seal_Kc;
1783 const struct krb5_encryption_class *ec = Ke->ks_class;
1784 struct mbuf *m, *mlast, *hm, *cm;
1785 uint8_t *p;
1786 int sealed, flags, EC, RRC;
1787 size_t blen, cklen, ctlen, mlen, plen, tlen;
1788 char buf[32], buf2[32];
1789
1790 m = *mp;
1791 mlen = m_length(m, &mlast);
1792
1793 if (mlen <= 16)
1794 return (GSS_S_DEFECTIVE_TOKEN);
1795 if (m->m_len < 16) {
1796 m = m_pullup(m, 16);
1797 *mp = m;
1798 }
1799 p = m->m_data;
1800
1801 /* TOK_ID */
1802 if (p[0] != 0x05)
1803 return (GSS_S_DEFECTIVE_TOKEN);
1804 if (p[1] != 0x04)
1805 return (GSS_S_DEFECTIVE_TOKEN);
1806
1807 /* Flags */
1808 sealed = p[2] & GSS_TOKEN_SEALED;
1809 flags = sealed;
1810 if (is_initiator(kc))
1811 flags |= GSS_TOKEN_SENT_BY_ACCEPTOR;
1812 if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
1813 flags |= GSS_TOKEN_ACCEPTOR_SUBKEY;
1814 if (p[2] != flags)
1815 return (GSS_S_DEFECTIVE_TOKEN);
1816
1817 /* Filler */
1818 if (p[3] != 0xff)
1819 return (GSS_S_DEFECTIVE_TOKEN);
1820
1821 /* EC + RRC */
1822 EC = (p[4] << 8) + p[5];
1823 RRC = (p[6] << 8) + p[7];
1824
1825 /* SND_SEQ */
1826 if (kc->kc_msg_order.km_flags &
1827 (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) {
1828 uint32_t seq;
1829 if (p[8] || p[9] || p[10] || p[11]) {
1830 res = GSS_S_UNSEQ_TOKEN;
1831 } else {
1832 seq = (p[12] << 24) | (p[13] << 16)
1833 | (p[14] << 8) | p[15];
1834 res = krb5_sequence_check(kc, seq);
1835 }
1836 if (GSS_ERROR(res))
1837 return (res);
1838 } else {
1839 res = GSS_S_COMPLETE;
1840 }
1841
1842 /*
1843 * Separate the header before dealing with RRC. We only need
1844 * to keep the header if the message isn't encrypted.
1845 */
1846 if (sealed) {
1847 hm = NULL;
1848 m_adj(m, 16);
1849 } else {
1850 hm = m;
1851 *mp = m = m_split(m, 16, M_WAITOK);
1852 mlast = m_last(m);
1853 }
1854
1855 /*
1856 * Undo the effects of RRC by rotating left.
1857 */
1858 if (RRC > 0) {
1859 struct mbuf *rm;
1860 size_t rlen;
1861
1862 rlen = mlen - 16;
1863 if (RRC <= sizeof(buf) && m->m_len >= rlen) {
1864 /*
1865 * Simple case, just rearrange the bytes in m.
1866 */
1867 bcopy(m->m_data, buf, RRC);
1868 bcopy(m->m_data + RRC, m->m_data, rlen - RRC);
1869 bcopy(buf, m->m_data + rlen - RRC, RRC);
1870 } else {
1871 /*
1872 * More complicated - rearrange the mbuf
1873 * chain.
1874 */
1875 rm = m;
1876 *mp = m = m_split(m, RRC, M_WAITOK);
1877 m_cat(m, rm);
1878 mlast = rm;
1879 }
1880 }
1881
1882 blen = ec->ec_blocklen;
1883 cklen = ec->ec_checksumlen;
1884 if (sealed) {
1885 /*
1886 * Decrypt according to RFC 4121 section 4.2 and RFC
1887 * 3961 section 5.3. The message must be large enough
1888 * for a blocksize confounder, at least one block of
1889 * cyphertext and a checksum.
1890 */
1891 if (mlen < 16 + 2*blen + cklen)
1892 return (GSS_S_DEFECTIVE_TOKEN);
1893
1894 ctlen = mlen - 16 - cklen;
1895 krb5_decrypt(Ke, m, 0, ctlen, NULL, 0);
1896
1897 /*
1898 * The size of the plaintext is ctlen minus blocklen
1899 * (for the confounder), 16 (for the copy of the token
1900 * header) and EC (for the filler). The actual
1901 * plaintext starts after the confounder.
1902 */
1903 plen = ctlen - blen - 16 - EC;
1904
1905 /*
1906 * Checksum the padded plaintext.
1907 */
1908 m_copydata(m, ctlen, cklen, buf);
1909 krb5_checksum(Ki, 0, m, 0, ctlen, cklen);
1910 m_copydata(m, ctlen, cklen, buf2);
1911
1912 if (bcmp(buf, buf2, cklen))
1913 return (GSS_S_BAD_SIG);
1914
1915 /*
1916 * Trim the message back to just plaintext.
1917 */
1918 m_adj(m, blen);
1919 tlen = 16 + EC + cklen;
1920 if (mlast->m_len >= tlen) {
1921 mlast->m_len -= tlen;
1922 } else {
1923 m_trim(m, plen);
1924 }
1925 } else {
1926 /*
1927 * The plaintext message is followed by a checksum of
1928 * the plaintext plus a version of the header where EC
1929 * and RRC are set to zero. Also, the original EC must
1930 * be our checksum size.
1931 */
1932 if (mlen < 16 + cklen || EC != cklen)
1933 return (GSS_S_DEFECTIVE_TOKEN);
1934
1935 /*
1936 * The size of the plaintext is simply the message
1937 * size less header and checksum. The plaintext starts
1938 * right after the header (which we have saved in hm).
1939 */
1940 plen = mlen - 16 - cklen;
1941
1942 /*
1943 * Insert a copy of the header (with EC and RRC set to
1944 * zero) between the plaintext message and the
1945 * checksum.
1946 */
1947 p = hm->m_data;
1948 p[4] = p[5] = p[6] = p[7] = 0;
1949
1950 cm = m_split(m, plen, M_WAITOK);
1951 mlast = m_last(m);
1952 m->m_next = hm;
1953 hm->m_next = cm;
1954
1955 bcopy(cm->m_data, buf, cklen);
1956 krb5_checksum(Kc, 0, m, 0, plen + 16, cklen);
1957 if (bcmp(cm->m_data, buf, cklen))
1958 return (GSS_S_BAD_SIG);
1959
1960 /*
1961 * The checksum matches, discard all buf the plaintext.
1962 */
1963 mlast->m_next = NULL;
1964 m_freem(hm);
1965 }
1966
1967 if (conf_state)
1968 *conf_state = (sealed != 0);
1969
1970 return (res);
1971 }
1972
1973 static OM_uint32
1974 krb5_unwrap(gss_ctx_id_t ctx, OM_uint32 *minor_status,
1975 struct mbuf **mp, int *conf_state, gss_qop_t *qop_state)
1976 {
1977 struct krb5_context *kc = (struct krb5_context *)ctx;
1978 OM_uint32 maj_stat;
1979
1980 *minor_status = 0;
1981 if (qop_state)
1982 *qop_state = GSS_C_QOP_DEFAULT;
1983 if (conf_state)
1984 *conf_state = 0;
1985
1986 if (time_uptime > kc->kc_lifetime)
1987 return (GSS_S_CONTEXT_EXPIRED);
1988
1989 switch (kc->kc_tokenkey->ks_class->ec_type) {
1990 case ETYPE_DES_CBC_CRC:
1991 maj_stat = krb5_unwrap_old(kc, mp, conf_state,
1992 sgn_alg_des_md5, seal_alg_des);
1993 break;
1994
1995 case ETYPE_ARCFOUR_HMAC_MD5:
1996 case ETYPE_ARCFOUR_HMAC_MD5_56:
1997 maj_stat = krb5_unwrap_old(kc, mp, conf_state,
1998 sgn_alg_hmac_md5, seal_alg_rc4);
1999 break;
2000
2001 case ETYPE_DES3_CBC_SHA1:
2002 maj_stat = krb5_unwrap_old(kc, mp, conf_state,
2003 sgn_alg_des3_sha1, seal_alg_des3);
2004 break;
2005
2006 default:
2007 maj_stat = krb5_unwrap_new(kc, mp, conf_state);
2008 break;
2009 }
2010
2011 if (GSS_ERROR(maj_stat)) {
2012 m_freem(*mp);
2013 *mp = NULL;
2014 }
2015
2016 return (maj_stat);
2017 }
2018
2019 static OM_uint32
2020 krb5_wrap_size_limit(gss_ctx_id_t ctx, OM_uint32 *minor_status,
2021 int conf_req_flag, gss_qop_t qop_req, OM_uint32 req_output_size,
2022 OM_uint32 *max_input_size)
2023 {
2024 struct krb5_context *kc = (struct krb5_context *)ctx;
2025 const struct krb5_encryption_class *ec;
2026 OM_uint32 overhead;
2027
2028 *minor_status = 0;
2029 *max_input_size = 0;
2030
2031 if (qop_req != GSS_C_QOP_DEFAULT)
2032 return (GSS_S_BAD_QOP);
2033
2034 ec = kc->kc_tokenkey->ks_class;
2035 switch (ec->ec_type) {
2036 case ETYPE_DES_CBC_CRC:
2037 case ETYPE_DES3_CBC_SHA1:
2038 case ETYPE_ARCFOUR_HMAC_MD5:
2039 case ETYPE_ARCFOUR_HMAC_MD5_56:
2040 /*
2041 * up to 5 bytes for [APPLICATION 0] SEQUENCE
2042 * 2 + krb5 oid length
2043 * 8 bytes of header
2044 * 8 bytes of confounder
2045 * maximum of 8 bytes of padding
2046 * checksum
2047 */
2048 overhead = 5 + 2 + krb5_mech_oid.length;
2049 overhead += 8 + 8 + ec->ec_msgblocklen;
2050 overhead += ec->ec_checksumlen;
2051 break;
2052
2053 default:
2054 if (conf_req_flag) {
2055 /*
2056 * 16 byts of header
2057 * blocklen bytes of confounder
2058 * up to msgblocklen - 1 bytes of padding
2059 * 16 bytes for copy of header
2060 * checksum
2061 */
2062 overhead = 16 + ec->ec_blocklen;
2063 overhead += ec->ec_msgblocklen - 1;
2064 overhead += 16;
2065 overhead += ec->ec_checksumlen;
2066 } else {
2067 /*
2068 * 16 bytes of header plus checksum.
2069 */
2070 overhead = 16 + ec->ec_checksumlen;
2071 }
2072 }
2073
2074 *max_input_size = req_output_size - overhead;
2075
2076 return (GSS_S_COMPLETE);
2077 }
2078
2079 static kobj_method_t krb5_methods[] = {
2080 KOBJMETHOD(kgss_init, krb5_init),
2081 KOBJMETHOD(kgss_import, krb5_import),
2082 KOBJMETHOD(kgss_delete, krb5_delete),
2083 KOBJMETHOD(kgss_mech_type, krb5_mech_type),
2084 KOBJMETHOD(kgss_get_mic, krb5_get_mic),
2085 KOBJMETHOD(kgss_verify_mic, krb5_verify_mic),
2086 KOBJMETHOD(kgss_wrap, krb5_wrap),
2087 KOBJMETHOD(kgss_unwrap, krb5_unwrap),
2088 KOBJMETHOD(kgss_wrap_size_limit, krb5_wrap_size_limit),
2089 { 0, 0 }
2090 };
2091
2092 static struct kobj_class krb5_class = {
2093 "kerberosv5",
2094 krb5_methods,
2095 sizeof(struct krb5_context)
2096 };
2097
2098 /*
2099 * Kernel module glue
2100 */
2101 static int
2102 kgssapi_krb5_modevent(module_t mod, int type, void *data)
2103 {
2104
2105 switch (type) {
2106 case MOD_LOAD:
2107 kgss_install_mech(&krb5_mech_oid, "kerberosv5", &krb5_class);
2108 break;
2109
2110 case MOD_UNLOAD:
2111 kgss_uninstall_mech(&krb5_mech_oid);
2112 break;
2113 }
2114
2115 return (0);
2116 }
2117 static moduledata_t kgssapi_krb5_mod = {
2118 "kgssapi_krb5",
2119 kgssapi_krb5_modevent,
2120 NULL,
2121 };
2122 DECLARE_MODULE(kgssapi_krb5, kgssapi_krb5_mod, SI_SUB_VFS, SI_ORDER_ANY);
2123 MODULE_DEPEND(kgssapi_krb5, kgssapi, 1, 1, 1);
2124 MODULE_DEPEND(kgssapi_krb5, crypto, 1, 1, 1);
2125 MODULE_DEPEND(kgssapi_krb5, rc4, 1, 1, 1);
2126 MODULE_VERSION(kgssapi_krb5, 1);
Cache object: bbcd8bb0352d26cc181203fbc16ea345
|