2 * Copyright (c) 2008 Isilon Inc http://www.isilon.com/
3 * Authors: Doug Rabson <dfr@rabson.org>
4 * Developed with Red Inc: Alfred Perlstein <alfred@freebsd.org>
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
31 #include "opt_inet6.h"
33 #include <sys/param.h>
34 #include <sys/kernel.h>
37 #include <sys/malloc.h>
39 #include <sys/module.h>
40 #include <sys/mutex.h>
41 #include <kgssapi/gssapi.h>
42 #include <kgssapi/gssapi_impl.h>
47 #define GSS_TOKEN_SENT_BY_ACCEPTOR 1
48 #define GSS_TOKEN_SEALED 2
49 #define GSS_TOKEN_ACCEPTOR_SUBKEY 4
51 static gss_OID_desc krb5_mech_oid =
52 {9, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
59 struct krb5_keyblock {
60 uint16_t kk_type; /* encryption type */
61 struct krb5_data kk_key; /* key data */
66 struct krb5_data ka_addr;
70 * The km_elem array is ordered so that the highest received sequence
71 * number is listed first.
73 struct krb5_msg_order {
77 uint32_t km_jitter_window;
78 uint32_t km_first_seq;
83 struct _gss_ctx_id_t kc_common;
86 uint32_t kc_ctx_flags;
87 uint32_t kc_more_flags;
90 #define COMPAT_OLD_DES3 4
91 #define COMPAT_OLD_DES3_SELECTED 8
92 #define ACCEPTOR_SUBKEY 16
93 struct krb5_address kc_local_address;
94 struct krb5_address kc_remote_address;
95 uint16_t kc_local_port;
96 uint16_t kc_remote_port;
97 struct krb5_keyblock kc_keyblock;
98 struct krb5_keyblock kc_local_subkey;
99 struct krb5_keyblock kc_remote_subkey;
100 volatile uint32_t kc_local_seqnumber;
101 uint32_t kc_remote_seqnumber;
103 uint32_t kc_cksumtype;
104 struct krb5_data kc_source_name;
105 struct krb5_data kc_target_name;
106 uint32_t kc_lifetime;
107 struct krb5_msg_order kc_msg_order;
108 struct krb5_key_state *kc_tokenkey;
109 struct krb5_key_state *kc_encryptkey;
110 struct krb5_key_state *kc_checksumkey;
112 struct krb5_key_state *kc_send_seal_Ke;
113 struct krb5_key_state *kc_send_seal_Ki;
114 struct krb5_key_state *kc_send_seal_Kc;
115 struct krb5_key_state *kc_send_sign_Kc;
117 struct krb5_key_state *kc_recv_seal_Ke;
118 struct krb5_key_state *kc_recv_seal_Ki;
119 struct krb5_key_state *kc_recv_seal_Kc;
120 struct krb5_key_state *kc_recv_sign_Kc;
124 get_uint16(const uint8_t **pp, size_t *lenp)
126 const uint8_t *p = *pp;
132 v = (p[0] << 8) | p[1];
140 get_uint32(const uint8_t **pp, size_t *lenp)
142 const uint8_t *p = *pp;
148 v = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
156 get_data(const uint8_t **pp, size_t *lenp, struct krb5_data *dp)
158 size_t sz = get_uint32(pp, lenp);
161 dp->kd_data = malloc(sz, M_GSSAPI, M_WAITOK);
165 bcopy(*pp, dp->kd_data, sz);
171 delete_data(struct krb5_data *dp)
174 free(dp->kd_data, M_GSSAPI);
181 get_address(const uint8_t **pp, size_t *lenp, struct krb5_address *ka)
184 ka->ka_type = get_uint16(pp, lenp);
185 get_data(pp, lenp, &ka->ka_addr);
189 delete_address(struct krb5_address *ka)
191 delete_data(&ka->ka_addr);
195 get_keyblock(const uint8_t **pp, size_t *lenp, struct krb5_keyblock *kk)
198 kk->kk_type = get_uint16(pp, lenp);
199 get_data(pp, lenp, &kk->kk_key);
203 delete_keyblock(struct krb5_keyblock *kk)
205 if (kk->kk_key.kd_data)
206 bzero(kk->kk_key.kd_data, kk->kk_key.kd_length);
207 delete_data(&kk->kk_key);
211 copy_key(struct krb5_keyblock *from, struct krb5_keyblock **to)
214 if (from->kk_key.kd_length)
221 * Return non-zero if we are initiator.
224 is_initiator(struct krb5_context *kc)
226 return (kc->kc_more_flags & LOCAL);
230 * Return non-zero if we are acceptor.
233 is_acceptor(struct krb5_context *kc)
235 return !(kc->kc_more_flags & LOCAL);
239 get_initiator_subkey(struct krb5_context *kc, struct krb5_keyblock **kdp)
242 if (is_initiator(kc))
243 copy_key(&kc->kc_local_subkey, kdp);
245 copy_key(&kc->kc_remote_subkey, kdp);
247 copy_key(&kc->kc_keyblock, kdp);
251 get_acceptor_subkey(struct krb5_context *kc, struct krb5_keyblock **kdp)
254 if (is_initiator(kc))
255 copy_key(&kc->kc_remote_subkey, kdp);
257 copy_key(&kc->kc_local_subkey, kdp);
261 get_keys(struct krb5_context *kc)
263 struct krb5_keyblock *keydata;
264 struct krb5_encryption_class *ec;
265 struct krb5_key_state *key;
269 get_acceptor_subkey(kc, &keydata);
271 if ((kc->kc_more_flags & ACCEPTOR_SUBKEY) == 0)
272 get_initiator_subkey(kc, &keydata);
274 return (GSS_S_FAILURE);
277 * GSS-API treats all DES etypes the same and all DES3 etypes
280 switch (keydata->kk_type) {
281 case ETYPE_DES_CBC_CRC:
282 case ETYPE_DES_CBC_MD4:
283 case ETYPE_DES_CBC_MD5:
284 etype = ETYPE_DES_CBC_CRC;
287 case ETYPE_DES3_CBC_MD5:
288 case ETYPE_DES3_CBC_SHA1:
289 case ETYPE_OLD_DES3_CBC_SHA1:
290 etype = ETYPE_DES3_CBC_SHA1;
294 etype = keydata->kk_type;
297 ec = krb5_find_encryption_class(etype);
299 return (GSS_S_FAILURE);
301 key = krb5_create_key(ec);
302 krb5_set_key(key, keydata->kk_key.kd_data);
303 kc->kc_tokenkey = key;
306 case ETYPE_DES_CBC_CRC:
307 case ETYPE_ARCFOUR_HMAC_MD5:
308 case ETYPE_ARCFOUR_HMAC_MD5_56: {
310 * Single DES and ARCFOUR uses a 'derived' key (XOR
311 * with 0xf0) for encrypting wrap tokens. The original
312 * key is used for checksums and sequence numbers.
314 struct krb5_key_state *ekey;
318 ekey = krb5_create_key(ec);
321 for (i = 0; i < ec->ec_keylen; i++)
322 ekp[i] = kp[i] ^ 0xf0;
323 krb5_set_key(ekey, ekp);
324 kc->kc_encryptkey = ekey;
325 refcount_acquire(&key->ks_refs);
326 kc->kc_checksumkey = key;
330 case ETYPE_DES3_CBC_SHA1:
332 * Triple DES uses a RFC 3961 style derived key with
333 * usage number KG_USAGE_SIGN for checksums. The
334 * original key is used for encryption and sequence
337 kc->kc_checksumkey = krb5_get_checksum_key(key, KG_USAGE_SIGN);
338 refcount_acquire(&key->ks_refs);
339 kc->kc_encryptkey = key;
344 * We need eight derived keys four for sending and
345 * four for receiving.
347 if (is_initiator(kc)) {
351 kc->kc_send_seal_Ke = krb5_get_encryption_key(key,
352 KG_USAGE_INITIATOR_SEAL);
353 kc->kc_send_seal_Ki = krb5_get_integrity_key(key,
354 KG_USAGE_INITIATOR_SEAL);
355 kc->kc_send_seal_Kc = krb5_get_checksum_key(key,
356 KG_USAGE_INITIATOR_SEAL);
357 kc->kc_send_sign_Kc = krb5_get_checksum_key(key,
358 KG_USAGE_INITIATOR_SIGN);
360 kc->kc_recv_seal_Ke = krb5_get_encryption_key(key,
361 KG_USAGE_ACCEPTOR_SEAL);
362 kc->kc_recv_seal_Ki = krb5_get_integrity_key(key,
363 KG_USAGE_ACCEPTOR_SEAL);
364 kc->kc_recv_seal_Kc = krb5_get_checksum_key(key,
365 KG_USAGE_ACCEPTOR_SEAL);
366 kc->kc_recv_sign_Kc = krb5_get_checksum_key(key,
367 KG_USAGE_ACCEPTOR_SIGN);
372 kc->kc_send_seal_Ke = krb5_get_encryption_key(key,
373 KG_USAGE_ACCEPTOR_SEAL);
374 kc->kc_send_seal_Ki = krb5_get_integrity_key(key,
375 KG_USAGE_ACCEPTOR_SEAL);
376 kc->kc_send_seal_Kc = krb5_get_checksum_key(key,
377 KG_USAGE_ACCEPTOR_SEAL);
378 kc->kc_send_sign_Kc = krb5_get_checksum_key(key,
379 KG_USAGE_ACCEPTOR_SIGN);
381 kc->kc_recv_seal_Ke = krb5_get_encryption_key(key,
382 KG_USAGE_INITIATOR_SEAL);
383 kc->kc_recv_seal_Ki = krb5_get_integrity_key(key,
384 KG_USAGE_INITIATOR_SEAL);
385 kc->kc_recv_seal_Kc = krb5_get_checksum_key(key,
386 KG_USAGE_INITIATOR_SEAL);
387 kc->kc_recv_sign_Kc = krb5_get_checksum_key(key,
388 KG_USAGE_INITIATOR_SIGN);
393 return (GSS_S_COMPLETE);
397 krb5_init(gss_ctx_id_t ctx)
399 struct krb5_context *kc = (struct krb5_context *)ctx;
401 mtx_init(&kc->kc_lock, "krb5 gss lock", NULL, MTX_DEF);
405 krb5_import(gss_ctx_id_t ctx,
406 enum sec_context_format format,
407 const gss_buffer_t context_token)
409 struct krb5_context *kc = (struct krb5_context *)ctx;
411 const uint8_t *p = (const uint8_t *) context_token->value;
412 size_t len = context_token->length;
417 * We support heimdal 0.6 and heimdal 1.1
419 if (format != KGSS_HEIMDAL_0_6 && format != KGSS_HEIMDAL_1_1)
420 return (GSS_S_DEFECTIVE_TOKEN);
422 #define SC_LOCAL_ADDRESS 1
423 #define SC_REMOTE_ADDRESS 2
424 #define SC_KEYBLOCK 4
425 #define SC_LOCAL_SUBKEY 8
426 #define SC_REMOTE_SUBKEY 16
429 * Ensure that the token starts with krb5 oid.
431 if (p[0] != 0x00 || p[1] != krb5_mech_oid.length
432 || len < krb5_mech_oid.length + 2
433 || bcmp(krb5_mech_oid.elements, p + 2,
434 krb5_mech_oid.length))
435 return (GSS_S_DEFECTIVE_TOKEN);
436 p += krb5_mech_oid.length + 2;
437 len -= krb5_mech_oid.length + 2;
439 flags = get_uint32(&p, &len);
440 kc->kc_ac_flags = get_uint32(&p, &len);
441 if (flags & SC_LOCAL_ADDRESS)
442 get_address(&p, &len, &kc->kc_local_address);
443 if (flags & SC_REMOTE_ADDRESS)
444 get_address(&p, &len, &kc->kc_remote_address);
445 kc->kc_local_port = get_uint16(&p, &len);
446 kc->kc_remote_port = get_uint16(&p, &len);
447 if (flags & SC_KEYBLOCK)
448 get_keyblock(&p, &len, &kc->kc_keyblock);
449 if (flags & SC_LOCAL_SUBKEY)
450 get_keyblock(&p, &len, &kc->kc_local_subkey);
451 if (flags & SC_REMOTE_SUBKEY)
452 get_keyblock(&p, &len, &kc->kc_remote_subkey);
453 kc->kc_local_seqnumber = get_uint32(&p, &len);
454 kc->kc_remote_seqnumber = get_uint32(&p, &len);
455 kc->kc_keytype = get_uint32(&p, &len);
456 kc->kc_cksumtype = get_uint32(&p, &len);
457 get_data(&p, &len, &kc->kc_source_name);
458 get_data(&p, &len, &kc->kc_target_name);
459 kc->kc_ctx_flags = get_uint32(&p, &len);
460 kc->kc_more_flags = get_uint32(&p, &len);
461 kc->kc_lifetime = get_uint32(&p, &len);
463 * Heimdal 1.1 adds the message order stuff.
465 if (format == KGSS_HEIMDAL_1_1) {
466 kc->kc_msg_order.km_flags = get_uint32(&p, &len);
467 kc->kc_msg_order.km_start = get_uint32(&p, &len);
468 kc->kc_msg_order.km_length = get_uint32(&p, &len);
469 kc->kc_msg_order.km_jitter_window = get_uint32(&p, &len);
470 kc->kc_msg_order.km_first_seq = get_uint32(&p, &len);
471 kc->kc_msg_order.km_elem =
472 malloc(kc->kc_msg_order.km_jitter_window * sizeof(uint32_t),
474 for (i = 0; i < kc->kc_msg_order.km_jitter_window; i++)
475 kc->kc_msg_order.km_elem[i] = get_uint32(&p, &len);
477 kc->kc_msg_order.km_flags = 0;
485 * We don't need these anymore.
487 delete_keyblock(&kc->kc_keyblock);
488 delete_keyblock(&kc->kc_local_subkey);
489 delete_keyblock(&kc->kc_remote_subkey);
491 return (GSS_S_COMPLETE);
495 krb5_delete(gss_ctx_id_t ctx, gss_buffer_t output_token)
497 struct krb5_context *kc = (struct krb5_context *)ctx;
499 delete_address(&kc->kc_local_address);
500 delete_address(&kc->kc_remote_address);
501 delete_keyblock(&kc->kc_keyblock);
502 delete_keyblock(&kc->kc_local_subkey);
503 delete_keyblock(&kc->kc_remote_subkey);
504 delete_data(&kc->kc_source_name);
505 delete_data(&kc->kc_target_name);
506 if (kc->kc_msg_order.km_elem)
507 free(kc->kc_msg_order.km_elem, M_GSSAPI);
509 output_token->length = 0;
510 output_token->value = NULL;
512 if (kc->kc_tokenkey) {
513 krb5_free_key(kc->kc_tokenkey);
514 if (kc->kc_encryptkey) {
515 krb5_free_key(kc->kc_encryptkey);
516 krb5_free_key(kc->kc_checksumkey);
518 krb5_free_key(kc->kc_send_seal_Ke);
519 krb5_free_key(kc->kc_send_seal_Ki);
520 krb5_free_key(kc->kc_send_seal_Kc);
521 krb5_free_key(kc->kc_send_sign_Kc);
522 krb5_free_key(kc->kc_recv_seal_Ke);
523 krb5_free_key(kc->kc_recv_seal_Ki);
524 krb5_free_key(kc->kc_recv_seal_Kc);
525 krb5_free_key(kc->kc_recv_sign_Kc);
528 mtx_destroy(&kc->kc_lock);
532 krb5_mech_type(gss_ctx_id_t ctx)
535 return (&krb5_mech_oid);
539 * Make a token with the given type and length (the length includes
540 * the TOK_ID), initialising the token header appropriately. Return a
541 * pointer to the TOK_ID of the token. A new mbuf is allocated with
542 * the framing header plus hlen bytes of space.
544 * Format is as follows:
546 * 0x60 [APPLICATION 0] SEQUENCE
547 * DER encoded length length of oid + type + inner token length
548 * 0x06 NN <oid data> OID of mechanism type
550 * <inner token> data for inner token
552 * 1: der encoded length
555 krb5_make_token(char tok_id[2], size_t hlen, size_t len, struct mbuf **mp)
557 size_t inside_len, len_len, tlen;
558 gss_OID oid = &krb5_mech_oid;
562 inside_len = 2 + oid->length + len;
563 if (inside_len < 128)
565 else if (inside_len < 0x100)
567 else if (inside_len < 0x10000)
569 else if (inside_len < 0x1000000)
574 tlen = 1 + len_len + 2 + oid->length + hlen;
575 KASSERT(tlen <= MLEN, ("token head too large"));
576 MGET(m, M_WAITOK, MT_DATA);
580 p = (uint8_t *) m->m_data;
592 *p++ = inside_len >> 8;
597 *p++ = inside_len >> 16;
598 *p++ = inside_len >> 8;
603 *p++ = inside_len >> 24;
604 *p++ = inside_len >> 16;
605 *p++ = inside_len >> 8;
612 bcopy(oid->elements, p, oid->length);
624 * Verify a token, checking the inner token length and mechanism oid.
625 * pointer to the first byte of the TOK_ID. The length of the
626 * encapsulated data is checked to be at least len bytes; the actual
627 * length of the encapsulated data (including TOK_ID) is returned in
630 * If can_pullup is TRUE and the token header is fragmented, we will
633 * Format is as follows:
635 * 0x60 [APPLICATION 0] SEQUENCE
636 * DER encoded length length of oid + type + inner token length
637 * 0x06 NN <oid data> OID of mechanism type
639 * <inner token> data for inner token
641 * 1: der encoded length
644 krb5_verify_token(char tok_id[2], size_t len, struct mbuf **mp,
645 size_t *encap_len, bool_t can_pullup)
648 size_t tlen, hlen, len_len, inside_len;
649 gss_OID oid = &krb5_mech_oid;
653 tlen = m_length(m, NULL);
658 * Ensure that at least the framing part of the token is
663 *mp = m = m_pullup(m, 2);
678 * Ensure there is enough space for the DER encoded length.
680 len_len = (*p & 0x7f) + 1;
681 if (tlen < len_len + 1)
683 if (m->m_len < len_len + 1) {
685 *mp = m = m_pullup(m, len_len + 1);
697 inside_len = (p[0] << 8) | p[1];
702 inside_len = (p[0] << 16) | (p[1] << 8) | p[2];
707 inside_len = (p[0] << 24) | (p[1] << 16)
708 | (p[2] << 8) | p[3];
717 if (tlen != inside_len + len_len + 1)
719 if (inside_len < 2 + oid->length + len)
723 * Now that we know the value of len_len, we can pullup the
724 * whole header. The header is 1 + len_len + 2 + oid->length +
727 hlen = 1 + len_len + 2 + oid->length + len;
728 if (m->m_len < hlen) {
730 *mp = m = m_pullup(m, hlen);
733 p = m->m_data + 1 + len_len;
738 if (*p++ != oid->length)
740 if (bcmp(oid->elements, p, oid->length))
744 if (p[0] != tok_id[0])
747 if (p[1] != tok_id[1])
750 *encap_len = inside_len - 2 - oid->length;
756 krb5_insert_seq(struct krb5_msg_order *mo, uint32_t seq, int index)
760 if (mo->km_length < mo->km_jitter_window)
763 for (i = mo->km_length - 1; i > index; i--)
764 mo->km_elem[i] = mo->km_elem[i - 1];
765 mo->km_elem[index] = seq;
769 * Check sequence numbers according to RFC 2743 section 1.2.3.
772 krb5_sequence_check(struct krb5_context *kc, uint32_t seq)
774 OM_uint32 res = GSS_S_FAILURE;
775 struct krb5_msg_order *mo = &kc->kc_msg_order;
776 int check_sequence = mo->km_flags & GSS_C_SEQUENCE_FLAG;
777 int check_replay = mo->km_flags & GSS_C_REPLAY_FLAG;
780 mtx_lock(&kc->kc_lock);
783 * Message is in-sequence with no gap.
785 if (mo->km_length == 0 || seq == mo->km_elem[0] + 1) {
787 * This message is received in-sequence with no gaps.
789 krb5_insert_seq(mo, seq, 0);
790 res = GSS_S_COMPLETE;
794 if (seq > mo->km_elem[0]) {
796 * This message is received in-sequence with a gap.
798 krb5_insert_seq(mo, seq, 0);
800 res = GSS_S_GAP_TOKEN;
802 res = GSS_S_COMPLETE;
806 if (seq < mo->km_elem[mo->km_length - 1]) {
807 if (check_replay && !check_sequence)
808 res = GSS_S_OLD_TOKEN;
810 res = GSS_S_UNSEQ_TOKEN;
814 for (i = 0; i < mo->km_length; i++) {
815 if (mo->km_elem[i] == seq) {
816 res = GSS_S_DUPLICATE_TOKEN;
819 if (mo->km_elem[i] < seq) {
821 * We need to insert this seq here,
823 krb5_insert_seq(mo, seq, i);
824 if (check_replay && !check_sequence)
825 res = GSS_S_COMPLETE;
827 res = GSS_S_UNSEQ_TOKEN;
833 mtx_unlock(&kc->kc_lock);
838 static uint8_t sgn_alg_des_md5[] = { 0x00, 0x00 };
839 static uint8_t seal_alg_des[] = { 0x00, 0x00 };
840 static uint8_t sgn_alg_des3_sha1[] = { 0x04, 0x00 };
841 static uint8_t seal_alg_des3[] = { 0x02, 0x00 };
842 static uint8_t seal_alg_rc4[] = { 0x10, 0x00 };
843 static uint8_t sgn_alg_hmac_md5[] = { 0x11, 0x00 };
846 * Return the size of the inner token given the use of the key's
847 * encryption class. For wrap tokens, the length of the padded
848 * plaintext will be added to this.
851 token_length(struct krb5_key_state *key)
854 return (16 + key->ks_class->ec_checksumlen);
858 krb5_get_mic_old(struct krb5_context *kc, struct mbuf *m,
859 struct mbuf **micp, uint8_t sgn_alg[2])
861 struct mbuf *mlast, *mic, *tm;
863 size_t tlen, mlen, cklen;
867 mlen = m_length(m, &mlast);
869 tlen = token_length(kc->kc_tokenkey);
870 p = krb5_make_token("\x01\x01", tlen, tlen, &mic);
872 *p++ = sgn_alg[0]; /* SGN_ALG */
875 *p++ = 0xff; /* filler */
883 * Calculate the keyed checksum of the token header plus the
886 cklen = kc->kc_checksumkey->ks_class->ec_checksumlen;
888 mic->m_len = p - (uint8_t *) mic->m_data;
890 MGET(tm, M_WAITOK, MT_DATA);
894 krb5_checksum(kc->kc_checksumkey, 15, mic, mic->m_len - 8,
896 bcopy(tm->m_data, p + 8, cklen);
898 mlast->m_next = NULL;
904 * Take the four bytes of the sequence number least
905 * significant first followed by four bytes of direction
906 * marker (zero for initiator and 0xff for acceptor). Encrypt
907 * that data using the SGN_CKSUM as IV. Note: ARC4 wants the
908 * sequence number big-endian.
910 seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
911 if (sgn_alg[0] == 0x11) {
922 if (is_initiator(kc)) {
931 bcopy(p + 8, buf, 8);
934 * Set the mic buffer to its final size so that the encrypt
935 * can see the SND_SEQ part.
937 mic->m_len += 8 + cklen;
938 krb5_encrypt(kc->kc_tokenkey, mic, mic->m_len - cklen - 8, 8, buf, 8);
941 return (GSS_S_COMPLETE);
945 krb5_get_mic_new(struct krb5_context *kc, struct mbuf *m,
948 struct krb5_key_state *key = kc->kc_send_sign_Kc;
949 struct mbuf *mlast, *mic;
955 mlen = m_length(m, &mlast);
956 cklen = key->ks_class->ec_checksumlen;
958 KASSERT(16 + cklen <= MLEN, ("checksum too large for an mbuf"));
959 MGET(mic, M_WAITOK, MT_DATA);
960 M_ALIGN(mic, 16 + cklen);
961 mic->m_len = 16 + cklen;
971 flags |= GSS_TOKEN_SENT_BY_ACCEPTOR;
972 if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
973 flags |= GSS_TOKEN_ACCEPTOR_SUBKEY;
988 seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
997 * Calculate the keyed checksum of the message plus the first
998 * 16 bytes of the token header.
1000 mlast->m_next = mic;
1001 krb5_checksum(key, 0, m, 0, mlen + 16, cklen);
1002 mlast->m_next = NULL;
1005 return (GSS_S_COMPLETE);
1009 krb5_get_mic(gss_ctx_id_t ctx, OM_uint32 *minor_status,
1010 gss_qop_t qop_req, struct mbuf *m, struct mbuf **micp)
1012 struct krb5_context *kc = (struct krb5_context *)ctx;
1016 if (qop_req != GSS_C_QOP_DEFAULT)
1017 return (GSS_S_BAD_QOP);
1019 if (time_uptime > kc->kc_lifetime)
1020 return (GSS_S_CONTEXT_EXPIRED);
1022 switch (kc->kc_tokenkey->ks_class->ec_type) {
1023 case ETYPE_DES_CBC_CRC:
1024 return (krb5_get_mic_old(kc, m, micp, sgn_alg_des_md5));
1026 case ETYPE_DES3_CBC_SHA1:
1027 return (krb5_get_mic_old(kc, m, micp, sgn_alg_des3_sha1));
1029 case ETYPE_ARCFOUR_HMAC_MD5:
1030 case ETYPE_ARCFOUR_HMAC_MD5_56:
1031 return (krb5_get_mic_old(kc, m, micp, sgn_alg_hmac_md5));
1034 return (krb5_get_mic_new(kc, m, micp));
1037 return (GSS_S_FAILURE);
1041 krb5_verify_mic_old(struct krb5_context *kc, struct mbuf *m, struct mbuf *mic,
1044 struct mbuf *mlast, *tm;
1045 uint8_t *p, *tp, dir;
1046 size_t mlen, tlen, elen, miclen;
1050 mlen = m_length(m, &mlast);
1052 tlen = token_length(kc->kc_tokenkey);
1053 p = krb5_verify_token("\x01\x01", tlen, &mic, &elen, FALSE);
1055 return (GSS_S_DEFECTIVE_TOKEN);
1058 * Disable this check - heimdal-1.1 generates DES3 MIC tokens
1059 * that are 2 bytes too big.
1062 return (GSS_S_DEFECTIVE_TOKEN);
1068 if (p[0] != sgn_alg[0] || p[1] != sgn_alg[1])
1069 return (GSS_S_DEFECTIVE_TOKEN);
1072 if (p[0] != 0xff || p[1] != 0xff || p[2] != 0xff || p[3] != 0xff)
1073 return (GSS_S_DEFECTIVE_TOKEN);
1079 * Calculate the keyed checksum of the token header plus the
1082 cklen = kc->kc_checksumkey->ks_class->ec_checksumlen;
1083 miclen = mic->m_len;
1084 mic->m_len = p - (uint8_t *) mic->m_data;
1086 MGET(tm, M_WAITOK, MT_DATA);
1090 krb5_checksum(kc->kc_checksumkey, 15, mic, mic->m_len - 8,
1093 mlast->m_next = NULL;
1094 if (bcmp(tm->m_data, p + 8, cklen)) {
1096 return (GSS_S_BAD_SIG);
1102 * Take the four bytes of the sequence number least
1103 * significant first followed by four bytes of direction
1104 * marker (zero for initiator and 0xff for acceptor). Encrypt
1105 * that data using the SGN_CKSUM as IV. Note: ARC4 wants the
1106 * sequence number big-endian.
1108 bcopy(p, tm->m_data, 8);
1110 krb5_decrypt(kc->kc_tokenkey, tm, 0, 8, p + 8, 8);
1113 if (sgn_alg[0] == 0x11) {
1114 seq = tp[3] | (tp[2] << 8) | (tp[1] << 16) | (tp[0] << 24);
1116 seq = tp[0] | (tp[1] << 8) | (tp[2] << 16) | (tp[3] << 24);
1119 if (is_initiator(kc)) {
1124 if (tp[4] != dir || tp[5] != dir || tp[6] != dir || tp[7] != dir) {
1126 return (GSS_S_DEFECTIVE_TOKEN);
1130 if (kc->kc_msg_order.km_flags &
1131 (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) {
1132 return (krb5_sequence_check(kc, seq));
1135 return (GSS_S_COMPLETE);
1139 krb5_verify_mic_new(struct krb5_context *kc, struct mbuf *m, struct mbuf *mic)
1142 struct krb5_key_state *key = kc->kc_recv_sign_Kc;
1149 mlen = m_length(m, &mlast);
1150 cklen = key->ks_class->ec_checksumlen;
1152 KASSERT(mic->m_next == NULL, ("MIC should be contiguous"));
1153 if (mic->m_len != 16 + cklen)
1154 return (GSS_S_DEFECTIVE_TOKEN);
1159 return (GSS_S_DEFECTIVE_TOKEN);
1161 return (GSS_S_DEFECTIVE_TOKEN);
1165 if (is_initiator(kc))
1166 flags |= GSS_TOKEN_SENT_BY_ACCEPTOR;
1167 if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
1168 flags |= GSS_TOKEN_ACCEPTOR_SUBKEY;
1170 return (GSS_S_DEFECTIVE_TOKEN);
1174 return (GSS_S_DEFECTIVE_TOKEN);
1176 return (GSS_S_DEFECTIVE_TOKEN);
1178 return (GSS_S_DEFECTIVE_TOKEN);
1180 return (GSS_S_DEFECTIVE_TOKEN);
1182 return (GSS_S_DEFECTIVE_TOKEN);
1185 if (kc->kc_msg_order.km_flags &
1186 (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) {
1188 if (p[8] || p[9] || p[10] || p[11]) {
1189 res = GSS_S_UNSEQ_TOKEN;
1191 seq = (p[12] << 24) | (p[13] << 16)
1192 | (p[14] << 8) | p[15];
1193 res = krb5_sequence_check(kc, seq);
1198 res = GSS_S_COMPLETE;
1204 * Calculate the keyed checksum of the message plus the first
1205 * 16 bytes of the token header.
1207 m_copydata(mic, 16, cklen, buf);
1208 mlast->m_next = mic;
1209 krb5_checksum(key, 0, m, 0, mlen + 16, cklen);
1210 mlast->m_next = NULL;
1211 if (bcmp(buf, p + 16, cklen)) {
1212 return (GSS_S_BAD_SIG);
1215 return (GSS_S_COMPLETE);
1219 krb5_verify_mic(gss_ctx_id_t ctx, OM_uint32 *minor_status,
1220 struct mbuf *m, struct mbuf *mic, gss_qop_t *qop_state)
1222 struct krb5_context *kc = (struct krb5_context *)ctx;
1226 *qop_state = GSS_C_QOP_DEFAULT;
1228 if (time_uptime > kc->kc_lifetime)
1229 return (GSS_S_CONTEXT_EXPIRED);
1231 switch (kc->kc_tokenkey->ks_class->ec_type) {
1232 case ETYPE_DES_CBC_CRC:
1233 return (krb5_verify_mic_old(kc, m, mic, sgn_alg_des_md5));
1235 case ETYPE_ARCFOUR_HMAC_MD5:
1236 case ETYPE_ARCFOUR_HMAC_MD5_56:
1237 return (krb5_verify_mic_old(kc, m, mic, sgn_alg_hmac_md5));
1239 case ETYPE_DES3_CBC_SHA1:
1240 return (krb5_verify_mic_old(kc, m, mic, sgn_alg_des3_sha1));
1243 return (krb5_verify_mic_new(kc, m, mic));
1246 return (GSS_S_FAILURE);
1250 krb5_wrap_old(struct krb5_context *kc, int conf_req_flag,
1251 struct mbuf **mp, int *conf_state,
1252 uint8_t sgn_alg[2], uint8_t seal_alg[2])
1254 struct mbuf *m, *mlast, *tm, *cm, *pm;
1255 size_t mlen, tlen, padlen, datalen;
1262 * How many trailing pad bytes do we need?
1265 mlen = m_length(m, &mlast);
1266 tlen = kc->kc_tokenkey->ks_class->ec_msgblocklen;
1267 padlen = tlen - (mlen % tlen);
1270 * The data part of the token has eight bytes of random
1271 * confounder prepended and followed by up to eight bytes of
1272 * padding bytes each of which is set to the number of padding
1275 datalen = mlen + 8 + padlen;
1276 tlen = token_length(kc->kc_tokenkey);
1278 p = krb5_make_token("\x02\x01", tlen, datalen + tlen, &tm);
1279 p += 2; /* TOK_ID */
1280 *p++ = sgn_alg[0]; /* SGN_ALG */
1282 if (conf_req_flag) {
1283 *p++ = seal_alg[0]; /* SEAL_ALG */
1286 *p++ = 0xff; /* SEAL_ALG = none */
1290 *p++ = 0xff; /* filler */
1294 * Copy the padded message data.
1296 if (M_LEADINGSPACE(m) >= 8) {
1300 MGET(cm, M_WAITOK, MT_DATA);
1305 arc4rand(m->m_data, 8, 0);
1306 if (M_TRAILINGSPACE(mlast) >= padlen) {
1307 memset(mlast->m_data + mlast->m_len, padlen, padlen);
1308 mlast->m_len += padlen;
1310 MGET(pm, M_WAITOK, MT_DATA);
1311 memset(pm->m_data, padlen, padlen);
1321 * Calculate the keyed checksum of the token header plus the
1322 * padded message. Fiddle with tm->m_len so that we only
1323 * checksum the 8 bytes of head that we care about.
1325 cklen = kc->kc_checksumkey->ks_class->ec_checksumlen;
1327 tm->m_len = p - (uint8_t *) tm->m_data;
1328 MGET(cm, M_WAITOK, MT_DATA);
1331 krb5_checksum(kc->kc_checksumkey, 13, tm, tm->m_len - 8,
1332 datalen + 8, cklen);
1334 mlast->m_next = NULL;
1335 bcopy(cm->m_data, p + 8, cklen);
1341 * Take the four bytes of the sequence number least
1342 * significant first (most signficant first for ARCFOUR)
1343 * followed by four bytes of direction marker (zero for
1344 * initiator and 0xff for acceptor). Encrypt that data using
1345 * the SGN_CKSUM as IV.
1347 seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
1348 if (sgn_alg[0] == 0x11) {
1359 if (is_initiator(kc)) {
1368 krb5_encrypt(kc->kc_tokenkey, tm, p - (uint8_t *) tm->m_data,
1371 if (conf_req_flag) {
1373 * Encrypt the padded message with an IV of zero for
1374 * DES and DES3, or an IV of the sequence number in
1375 * big-endian format for ARCFOUR.
1377 if (seal_alg[0] == 0x10) {
1378 buf[0] = (seq >> 24);
1379 buf[1] = (seq >> 16);
1380 buf[2] = (seq >> 8);
1381 buf[3] = (seq >> 0);
1382 krb5_encrypt(kc->kc_encryptkey, m, 0, datalen,
1385 krb5_encrypt(kc->kc_encryptkey, m, 0, datalen,
1391 *conf_state = conf_req_flag;
1394 return (GSS_S_COMPLETE);
1398 krb5_wrap_new(struct krb5_context *kc, int conf_req_flag,
1399 struct mbuf **mp, int *conf_state)
1401 struct krb5_key_state *Ke = kc->kc_send_seal_Ke;
1402 struct krb5_key_state *Ki = kc->kc_send_seal_Ki;
1403 struct krb5_key_state *Kc = kc->kc_send_seal_Kc;
1404 const struct krb5_encryption_class *ec = Ke->ks_class;
1405 struct mbuf *m, *mlast, *tm;
1408 size_t mlen, blen, mblen, cklen, ctlen;
1410 static char zpad[32];
1413 mlen = m_length(m, &mlast);
1415 blen = ec->ec_blocklen;
1416 mblen = ec->ec_msgblocklen;
1417 cklen = ec->ec_checksumlen;
1419 if (conf_req_flag) {
1421 * For sealed messages, we need space for 16 bytes of
1422 * header, blen confounder, plaintext, padding, copy
1423 * of header and checksum.
1425 * We pad to mblen (which may be different from
1426 * blen). If the encryption class is using CTS, mblen
1427 * will be one (i.e. no padding required).
1433 ctlen = blen + mlen + EC + 16;
1436 * Put initial header and confounder before the
1439 M_PREPEND(m, 16 + blen, M_WAITOK);
1442 * Append padding + copy of header and checksum. Try
1443 * to fit this into the end of the original message,
1444 * otherwise allocate a trailer.
1446 if (M_TRAILINGSPACE(mlast) >= EC + 16 + cklen) {
1448 mlast->m_len += EC + 16 + cklen;
1450 MGET(tm, M_WAITOK, MT_DATA);
1451 tm->m_len = EC + 16 + cklen;
1456 * For unsealed messages, we need 16 bytes of header
1457 * plus space for the plaintext and a checksum. EC is
1458 * set to the checksum size. We leave space in tm for
1459 * a copy of the header - this will be trimmed later.
1461 M_PREPEND(m, 16, M_WAITOK);
1463 MGET(tm, M_WAITOK, MT_DATA);
1464 tm->m_len = cklen + 16;
1479 flags = GSS_TOKEN_SEALED;
1480 if (is_acceptor(kc))
1481 flags |= GSS_TOKEN_SENT_BY_ACCEPTOR;
1482 if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
1483 flags |= GSS_TOKEN_ACCEPTOR_SUBKEY;
1489 /* EC + RRC - set to zero initially */
1500 seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
1501 p[12] = (seq >> 24);
1502 p[13] = (seq >> 16);
1506 if (conf_req_flag) {
1508 * Encrypt according to RFC 4121 section 4.2 and RFC
1509 * 3961 section 5.3. Note: we don't generate tokens
1510 * with RRC values other than zero. If we did, we
1511 * should zero RRC in the copied header.
1513 arc4rand(p + 16, blen, 0);
1515 m_copyback(m, 16 + blen + mlen, EC, zpad);
1517 m_copyback(m, 16 + blen + mlen + EC, 16, p);
1519 krb5_checksum(Ki, 0, m, 16, ctlen, cklen);
1520 krb5_encrypt(Ke, m, 16, ctlen, NULL, 0);
1523 * The plaintext message is followed by a checksum of
1524 * the plaintext plus a version of the header where EC
1525 * and RRC are set to zero. Also, the original EC must
1526 * be our checksum size.
1528 bcopy(p, tm->m_data, 16);
1529 krb5_checksum(Kc, 0, m, 16, mlen + 16, cklen);
1535 * Finally set EC to its actual value
1541 return (GSS_S_COMPLETE);
1545 krb5_wrap(gss_ctx_id_t ctx, OM_uint32 *minor_status,
1546 int conf_req_flag, gss_qop_t qop_req,
1547 struct mbuf **mp, int *conf_state)
1549 struct krb5_context *kc = (struct krb5_context *)ctx;
1555 if (qop_req != GSS_C_QOP_DEFAULT)
1556 return (GSS_S_BAD_QOP);
1558 if (time_uptime > kc->kc_lifetime)
1559 return (GSS_S_CONTEXT_EXPIRED);
1561 switch (kc->kc_tokenkey->ks_class->ec_type) {
1562 case ETYPE_DES_CBC_CRC:
1563 return (krb5_wrap_old(kc, conf_req_flag,
1564 mp, conf_state, sgn_alg_des_md5, seal_alg_des));
1566 case ETYPE_ARCFOUR_HMAC_MD5:
1567 case ETYPE_ARCFOUR_HMAC_MD5_56:
1568 return (krb5_wrap_old(kc, conf_req_flag,
1569 mp, conf_state, sgn_alg_hmac_md5, seal_alg_rc4));
1571 case ETYPE_DES3_CBC_SHA1:
1572 return (krb5_wrap_old(kc, conf_req_flag,
1573 mp, conf_state, sgn_alg_des3_sha1, seal_alg_des3));
1576 return (krb5_wrap_new(kc, conf_req_flag, mp, conf_state));
1579 return (GSS_S_FAILURE);
1583 m_trim(struct mbuf *m, int len)
1590 n = m_getptr(m, len, &off);
1601 krb5_unwrap_old(struct krb5_context *kc, struct mbuf **mp, int *conf_state,
1602 uint8_t sgn_alg[2], uint8_t seal_alg[2])
1605 struct mbuf *m, *mlast, *hm, *cm, *n;
1607 size_t mlen, tlen, elen, datalen, padlen;
1614 mlen = m_length(m, &mlast);
1616 tlen = token_length(kc->kc_tokenkey);
1617 cklen = kc->kc_tokenkey->ks_class->ec_checksumlen;
1619 p = krb5_verify_token("\x02\x01", tlen, &m, &elen, TRUE);
1622 return (GSS_S_DEFECTIVE_TOKEN);
1623 datalen = elen - tlen;
1626 * Trim the framing header first to make life a little easier
1629 m_adj(m, p - (uint8_t *) m->m_data);
1635 if (p[0] != sgn_alg[0] || p[1] != sgn_alg[1])
1636 return (GSS_S_DEFECTIVE_TOKEN);
1640 if (p[0] == seal_alg[0] && p[1] == seal_alg[1])
1642 else if (p[0] == 0xff && p[1] == 0xff)
1645 return (GSS_S_DEFECTIVE_TOKEN);
1648 if (p[0] != 0xff || p[1] != 0xff)
1649 return (GSS_S_DEFECTIVE_TOKEN);
1655 * Take the four bytes of the sequence number least
1656 * significant first (most significant for ARCFOUR) followed
1657 * by four bytes of direction marker (zero for initiator and
1658 * 0xff for acceptor). Encrypt that data using the SGN_CKSUM
1661 krb5_decrypt(kc->kc_tokenkey, m, 8, 8, p + 8, 8);
1662 if (sgn_alg[0] == 0x11) {
1663 seq = p[3] | (p[2] << 8) | (p[1] << 16) | (p[0] << 24);
1665 seq = p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
1668 if (is_initiator(kc)) {
1673 if (p[4] != dir || p[5] != dir || p[6] != dir || p[7] != dir)
1674 return (GSS_S_DEFECTIVE_TOKEN);
1676 if (kc->kc_msg_order.km_flags &
1677 (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) {
1678 res = krb5_sequence_check(kc, seq);
1682 res = GSS_S_COMPLETE;
1686 * If the token was encrypted, decode it in-place.
1690 * Decrypt the padded message with an IV of zero for
1691 * DES and DES3 or an IV of the big-endian encoded
1692 * sequence number for ARCFOUR.
1694 if (seal_alg[0] == 0x10) {
1695 krb5_decrypt(kc->kc_encryptkey, m, 16 + cklen,
1698 krb5_decrypt(kc->kc_encryptkey, m, 16 + cklen,
1706 * Check the trailing pad bytes.
1707 * RFC1964 specifies between 1<->8 bytes, each with a binary value
1708 * equal to the number of bytes.
1710 if (mlast->m_len > 0)
1711 padlen = mlast->m_data[mlast->m_len - 1];
1713 n = m_getptr(m, tlen + datalen - 1, &i);
1715 * When the position is exactly equal to the # of data bytes
1716 * in the mbuf list, m_getptr() will return the last mbuf in
1717 * the list and an off == m_len for that mbuf, so that case
1718 * needs to be checked as well as a NULL return.
1720 if (n == NULL || n->m_len == i)
1721 return (GSS_S_DEFECTIVE_TOKEN);
1722 padlen = n->m_data[i];
1724 if (padlen < 1 || padlen > 8 || padlen > tlen + datalen)
1725 return (GSS_S_DEFECTIVE_TOKEN);
1726 m_copydata(m, tlen + datalen - padlen, padlen, buf);
1727 for (i = 0; i < padlen; i++) {
1728 if (buf[i] != padlen) {
1729 return (GSS_S_DEFECTIVE_TOKEN);
1736 * Calculate the keyed checksum of the token header plus the
1737 * padded message. We do a little mbuf surgery to trim out the
1738 * parts we don't want to checksum.
1741 *mp = m = m_split(m, 16 + cklen, M_WAITOK);
1745 MGET(cm, M_WAITOK, MT_DATA);
1749 krb5_checksum(kc->kc_checksumkey, 13, hm, 0, datalen + 8, cklen);
1751 mlast->m_next = NULL;
1753 if (bcmp(cm->m_data, hm->m_data + 16, cklen)) {
1756 return (GSS_S_BAD_SIG);
1762 * Trim off the confounder and padding.
1765 if (mlast->m_len >= padlen) {
1766 mlast->m_len -= padlen;
1768 m_trim(m, datalen - 8 - padlen);
1776 krb5_unwrap_new(struct krb5_context *kc, struct mbuf **mp, int *conf_state)
1779 struct krb5_key_state *Ke = kc->kc_recv_seal_Ke;
1780 struct krb5_key_state *Ki = kc->kc_recv_seal_Ki;
1781 struct krb5_key_state *Kc = kc->kc_recv_seal_Kc;
1782 const struct krb5_encryption_class *ec = Ke->ks_class;
1783 struct mbuf *m, *mlast, *hm, *cm;
1785 int sealed, flags, EC, RRC;
1786 size_t blen, cklen, ctlen, mlen, plen, tlen;
1787 char buf[32], buf2[32];
1790 mlen = m_length(m, &mlast);
1793 return (GSS_S_DEFECTIVE_TOKEN);
1794 if (m->m_len < 16) {
1795 m = m_pullup(m, 16);
1802 return (GSS_S_DEFECTIVE_TOKEN);
1804 return (GSS_S_DEFECTIVE_TOKEN);
1807 sealed = p[2] & GSS_TOKEN_SEALED;
1809 if (is_initiator(kc))
1810 flags |= GSS_TOKEN_SENT_BY_ACCEPTOR;
1811 if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
1812 flags |= GSS_TOKEN_ACCEPTOR_SUBKEY;
1814 return (GSS_S_DEFECTIVE_TOKEN);
1818 return (GSS_S_DEFECTIVE_TOKEN);
1821 EC = (p[4] << 8) + p[5];
1822 RRC = (p[6] << 8) + p[7];
1825 if (kc->kc_msg_order.km_flags &
1826 (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) {
1828 if (p[8] || p[9] || p[10] || p[11]) {
1829 res = GSS_S_UNSEQ_TOKEN;
1831 seq = (p[12] << 24) | (p[13] << 16)
1832 | (p[14] << 8) | p[15];
1833 res = krb5_sequence_check(kc, seq);
1838 res = GSS_S_COMPLETE;
1842 * Separate the header before dealing with RRC. We only need
1843 * to keep the header if the message isn't encrypted.
1850 *mp = m = m_split(m, 16, M_WAITOK);
1855 * Undo the effects of RRC by rotating left.
1862 if (RRC <= sizeof(buf) && m->m_len >= rlen) {
1864 * Simple case, just rearrange the bytes in m.
1866 bcopy(m->m_data, buf, RRC);
1867 bcopy(m->m_data + RRC, m->m_data, rlen - RRC);
1868 bcopy(buf, m->m_data + rlen - RRC, RRC);
1871 * More complicated - rearrange the mbuf
1875 *mp = m = m_split(m, RRC, M_WAITOK);
1881 blen = ec->ec_blocklen;
1882 cklen = ec->ec_checksumlen;
1885 * Decrypt according to RFC 4121 section 4.2 and RFC
1886 * 3961 section 5.3. The message must be large enough
1887 * for a blocksize confounder, at least one block of
1888 * cyphertext and a checksum.
1890 if (mlen < 16 + 2*blen + cklen)
1891 return (GSS_S_DEFECTIVE_TOKEN);
1893 ctlen = mlen - 16 - cklen;
1894 krb5_decrypt(Ke, m, 0, ctlen, NULL, 0);
1897 * The size of the plaintext is ctlen minus blocklen
1898 * (for the confounder), 16 (for the copy of the token
1899 * header) and EC (for the filler). The actual
1900 * plaintext starts after the confounder.
1902 plen = ctlen - blen - 16 - EC;
1906 * Checksum the padded plaintext.
1908 m_copydata(m, ctlen, cklen, buf);
1909 krb5_checksum(Ki, 0, m, 0, ctlen, cklen);
1910 m_copydata(m, ctlen, cklen, buf2);
1912 if (bcmp(buf, buf2, cklen))
1913 return (GSS_S_BAD_SIG);
1916 * Trim the message back to just plaintext.
1919 tlen = 16 + EC + cklen;
1920 if (mlast->m_len >= tlen) {
1921 mlast->m_len -= tlen;
1927 * The plaintext message is followed by a checksum of
1928 * the plaintext plus a version of the header where EC
1929 * and RRC are set to zero. Also, the original EC must
1930 * be our checksum size.
1932 if (mlen < 16 + cklen || EC != cklen)
1933 return (GSS_S_DEFECTIVE_TOKEN);
1936 * The size of the plaintext is simply the message
1937 * size less header and checksum. The plaintext starts
1938 * right after the header (which we have saved in hm).
1940 plen = mlen - 16 - cklen;
1943 * Insert a copy of the header (with EC and RRC set to
1944 * zero) between the plaintext message and the
1948 p[4] = p[5] = p[6] = p[7] = 0;
1950 cm = m_split(m, plen, M_WAITOK);
1955 bcopy(cm->m_data, buf, cklen);
1956 krb5_checksum(Kc, 0, m, 0, plen + 16, cklen);
1957 if (bcmp(cm->m_data, buf, cklen))
1958 return (GSS_S_BAD_SIG);
1961 * The checksum matches, discard all buf the plaintext.
1963 mlast->m_next = NULL;
1968 *conf_state = (sealed != 0);
1974 krb5_unwrap(gss_ctx_id_t ctx, OM_uint32 *minor_status,
1975 struct mbuf **mp, int *conf_state, gss_qop_t *qop_state)
1977 struct krb5_context *kc = (struct krb5_context *)ctx;
1982 *qop_state = GSS_C_QOP_DEFAULT;
1986 if (time_uptime > kc->kc_lifetime)
1987 return (GSS_S_CONTEXT_EXPIRED);
1989 switch (kc->kc_tokenkey->ks_class->ec_type) {
1990 case ETYPE_DES_CBC_CRC:
1991 maj_stat = krb5_unwrap_old(kc, mp, conf_state,
1992 sgn_alg_des_md5, seal_alg_des);
1995 case ETYPE_ARCFOUR_HMAC_MD5:
1996 case ETYPE_ARCFOUR_HMAC_MD5_56:
1997 maj_stat = krb5_unwrap_old(kc, mp, conf_state,
1998 sgn_alg_hmac_md5, seal_alg_rc4);
2001 case ETYPE_DES3_CBC_SHA1:
2002 maj_stat = krb5_unwrap_old(kc, mp, conf_state,
2003 sgn_alg_des3_sha1, seal_alg_des3);
2007 maj_stat = krb5_unwrap_new(kc, mp, conf_state);
2011 if (GSS_ERROR(maj_stat)) {
2020 krb5_wrap_size_limit(gss_ctx_id_t ctx, OM_uint32 *minor_status,
2021 int conf_req_flag, gss_qop_t qop_req, OM_uint32 req_output_size,
2022 OM_uint32 *max_input_size)
2024 struct krb5_context *kc = (struct krb5_context *)ctx;
2025 const struct krb5_encryption_class *ec;
2029 *max_input_size = 0;
2031 if (qop_req != GSS_C_QOP_DEFAULT)
2032 return (GSS_S_BAD_QOP);
2034 ec = kc->kc_tokenkey->ks_class;
2035 switch (ec->ec_type) {
2036 case ETYPE_DES_CBC_CRC:
2037 case ETYPE_DES3_CBC_SHA1:
2038 case ETYPE_ARCFOUR_HMAC_MD5:
2039 case ETYPE_ARCFOUR_HMAC_MD5_56:
2041 * up to 5 bytes for [APPLICATION 0] SEQUENCE
2042 * 2 + krb5 oid length
2044 * 8 bytes of confounder
2045 * maximum of 8 bytes of padding
2048 overhead = 5 + 2 + krb5_mech_oid.length;
2049 overhead += 8 + 8 + ec->ec_msgblocklen;
2050 overhead += ec->ec_checksumlen;
2054 if (conf_req_flag) {
2057 * blocklen bytes of confounder
2058 * up to msgblocklen - 1 bytes of padding
2059 * 16 bytes for copy of header
2062 overhead = 16 + ec->ec_blocklen;
2063 overhead += ec->ec_msgblocklen - 1;
2065 overhead += ec->ec_checksumlen;
2068 * 16 bytes of header plus checksum.
2070 overhead = 16 + ec->ec_checksumlen;
2074 *max_input_size = req_output_size - overhead;
2076 return (GSS_S_COMPLETE);
2079 static kobj_method_t krb5_methods[] = {
2080 KOBJMETHOD(kgss_init, krb5_init),
2081 KOBJMETHOD(kgss_import, krb5_import),
2082 KOBJMETHOD(kgss_delete, krb5_delete),
2083 KOBJMETHOD(kgss_mech_type, krb5_mech_type),
2084 KOBJMETHOD(kgss_get_mic, krb5_get_mic),
2085 KOBJMETHOD(kgss_verify_mic, krb5_verify_mic),
2086 KOBJMETHOD(kgss_wrap, krb5_wrap),
2087 KOBJMETHOD(kgss_unwrap, krb5_unwrap),
2088 KOBJMETHOD(kgss_wrap_size_limit, krb5_wrap_size_limit),
2092 static struct kobj_class krb5_class = {
2095 sizeof(struct krb5_context)
2099 * Kernel module glue
2102 kgssapi_krb5_modevent(module_t mod, int type, void *data)
2107 kgss_install_mech(&krb5_mech_oid, "kerberosv5", &krb5_class);
2111 kgss_uninstall_mech(&krb5_mech_oid);
2118 static moduledata_t kgssapi_krb5_mod = {
2120 kgssapi_krb5_modevent,
2123 DECLARE_MODULE(kgssapi_krb5, kgssapi_krb5_mod, SI_SUB_VFS, SI_ORDER_ANY);
2124 MODULE_DEPEND(kgssapi_krb5, kgssapi, 1, 1, 1);
2125 MODULE_DEPEND(kgssapi_krb5, crypto, 1, 1, 1);
2126 MODULE_DEPEND(kgssapi_krb5, rc4, 1, 1, 1);
2127 MODULE_VERSION(kgssapi_krb5, 1);