2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2008 Isilon Inc http://www.isilon.com/
5 * Authors: Doug Rabson <dfr@rabson.org>
6 * Developed with Red Inc: Alfred Perlstein <alfred@freebsd.org>
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
33 #include "opt_inet6.h"
35 #include <sys/param.h>
36 #include <sys/kernel.h>
39 #include <sys/malloc.h>
41 #include <sys/module.h>
42 #include <sys/mutex.h>
43 #include <kgssapi/gssapi.h>
44 #include <kgssapi/gssapi_impl.h>
49 #define GSS_TOKEN_SENT_BY_ACCEPTOR 1
50 #define GSS_TOKEN_SEALED 2
51 #define GSS_TOKEN_ACCEPTOR_SUBKEY 4
53 static gss_OID_desc krb5_mech_oid =
54 {9, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
61 struct krb5_keyblock {
62 uint16_t kk_type; /* encryption type */
63 struct krb5_data kk_key; /* key data */
68 struct krb5_data ka_addr;
72 * The km_elem array is ordered so that the highest received sequence
73 * number is listed first.
75 struct krb5_msg_order {
79 uint32_t km_jitter_window;
80 uint32_t km_first_seq;
85 struct _gss_ctx_id_t kc_common;
88 uint32_t kc_ctx_flags;
89 uint32_t kc_more_flags;
92 #define COMPAT_OLD_DES3 4
93 #define COMPAT_OLD_DES3_SELECTED 8
94 #define ACCEPTOR_SUBKEY 16
95 struct krb5_address kc_local_address;
96 struct krb5_address kc_remote_address;
97 uint16_t kc_local_port;
98 uint16_t kc_remote_port;
99 struct krb5_keyblock kc_keyblock;
100 struct krb5_keyblock kc_local_subkey;
101 struct krb5_keyblock kc_remote_subkey;
102 volatile uint32_t kc_local_seqnumber;
103 uint32_t kc_remote_seqnumber;
105 uint32_t kc_cksumtype;
106 struct krb5_data kc_source_name;
107 struct krb5_data kc_target_name;
108 uint32_t kc_lifetime;
109 struct krb5_msg_order kc_msg_order;
110 struct krb5_key_state *kc_tokenkey;
111 struct krb5_key_state *kc_encryptkey;
112 struct krb5_key_state *kc_checksumkey;
114 struct krb5_key_state *kc_send_seal_Ke;
115 struct krb5_key_state *kc_send_seal_Ki;
116 struct krb5_key_state *kc_send_seal_Kc;
117 struct krb5_key_state *kc_send_sign_Kc;
119 struct krb5_key_state *kc_recv_seal_Ke;
120 struct krb5_key_state *kc_recv_seal_Ki;
121 struct krb5_key_state *kc_recv_seal_Kc;
122 struct krb5_key_state *kc_recv_sign_Kc;
126 get_uint16(const uint8_t **pp, size_t *lenp)
128 const uint8_t *p = *pp;
134 v = (p[0] << 8) | p[1];
142 get_uint32(const uint8_t **pp, size_t *lenp)
144 const uint8_t *p = *pp;
150 v = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
158 get_data(const uint8_t **pp, size_t *lenp, struct krb5_data *dp)
160 size_t sz = get_uint32(pp, lenp);
163 dp->kd_data = malloc(sz, M_GSSAPI, M_WAITOK);
167 bcopy(*pp, dp->kd_data, sz);
173 delete_data(struct krb5_data *dp)
176 free(dp->kd_data, M_GSSAPI);
183 get_address(const uint8_t **pp, size_t *lenp, struct krb5_address *ka)
186 ka->ka_type = get_uint16(pp, lenp);
187 get_data(pp, lenp, &ka->ka_addr);
191 delete_address(struct krb5_address *ka)
193 delete_data(&ka->ka_addr);
197 get_keyblock(const uint8_t **pp, size_t *lenp, struct krb5_keyblock *kk)
200 kk->kk_type = get_uint16(pp, lenp);
201 get_data(pp, lenp, &kk->kk_key);
205 delete_keyblock(struct krb5_keyblock *kk)
207 if (kk->kk_key.kd_data)
208 bzero(kk->kk_key.kd_data, kk->kk_key.kd_length);
209 delete_data(&kk->kk_key);
213 copy_key(struct krb5_keyblock *from, struct krb5_keyblock **to)
216 if (from->kk_key.kd_length)
223 * Return non-zero if we are initiator.
226 is_initiator(struct krb5_context *kc)
228 return (kc->kc_more_flags & LOCAL);
232 * Return non-zero if we are acceptor.
235 is_acceptor(struct krb5_context *kc)
237 return !(kc->kc_more_flags & LOCAL);
241 get_initiator_subkey(struct krb5_context *kc, struct krb5_keyblock **kdp)
244 if (is_initiator(kc))
245 copy_key(&kc->kc_local_subkey, kdp);
247 copy_key(&kc->kc_remote_subkey, kdp);
249 copy_key(&kc->kc_keyblock, kdp);
253 get_acceptor_subkey(struct krb5_context *kc, struct krb5_keyblock **kdp)
256 if (is_initiator(kc))
257 copy_key(&kc->kc_remote_subkey, kdp);
259 copy_key(&kc->kc_local_subkey, kdp);
263 get_keys(struct krb5_context *kc)
265 struct krb5_keyblock *keydata;
266 struct krb5_encryption_class *ec;
267 struct krb5_key_state *key;
271 get_acceptor_subkey(kc, &keydata);
273 if ((kc->kc_more_flags & ACCEPTOR_SUBKEY) == 0)
274 get_initiator_subkey(kc, &keydata);
276 return (GSS_S_FAILURE);
279 * GSS-API treats all DES etypes the same and all DES3 etypes
282 switch (keydata->kk_type) {
283 case ETYPE_DES_CBC_CRC:
284 case ETYPE_DES_CBC_MD4:
285 case ETYPE_DES_CBC_MD5:
286 etype = ETYPE_DES_CBC_CRC;
289 case ETYPE_DES3_CBC_MD5:
290 case ETYPE_DES3_CBC_SHA1:
291 case ETYPE_OLD_DES3_CBC_SHA1:
292 etype = ETYPE_DES3_CBC_SHA1;
296 etype = keydata->kk_type;
299 ec = krb5_find_encryption_class(etype);
301 return (GSS_S_FAILURE);
303 key = krb5_create_key(ec);
304 krb5_set_key(key, keydata->kk_key.kd_data);
305 kc->kc_tokenkey = key;
308 case ETYPE_DES_CBC_CRC:
309 case ETYPE_ARCFOUR_HMAC_MD5:
310 case ETYPE_ARCFOUR_HMAC_MD5_56: {
312 * Single DES and ARCFOUR uses a 'derived' key (XOR
313 * with 0xf0) for encrypting wrap tokens. The original
314 * key is used for checksums and sequence numbers.
316 struct krb5_key_state *ekey;
320 ekey = krb5_create_key(ec);
323 for (i = 0; i < ec->ec_keylen; i++)
324 ekp[i] = kp[i] ^ 0xf0;
325 krb5_set_key(ekey, ekp);
326 kc->kc_encryptkey = ekey;
327 refcount_acquire(&key->ks_refs);
328 kc->kc_checksumkey = key;
332 case ETYPE_DES3_CBC_SHA1:
334 * Triple DES uses a RFC 3961 style derived key with
335 * usage number KG_USAGE_SIGN for checksums. The
336 * original key is used for encryption and sequence
339 kc->kc_checksumkey = krb5_get_checksum_key(key, KG_USAGE_SIGN);
340 refcount_acquire(&key->ks_refs);
341 kc->kc_encryptkey = key;
346 * We need eight derived keys four for sending and
347 * four for receiving.
349 if (is_initiator(kc)) {
353 kc->kc_send_seal_Ke = krb5_get_encryption_key(key,
354 KG_USAGE_INITIATOR_SEAL);
355 kc->kc_send_seal_Ki = krb5_get_integrity_key(key,
356 KG_USAGE_INITIATOR_SEAL);
357 kc->kc_send_seal_Kc = krb5_get_checksum_key(key,
358 KG_USAGE_INITIATOR_SEAL);
359 kc->kc_send_sign_Kc = krb5_get_checksum_key(key,
360 KG_USAGE_INITIATOR_SIGN);
362 kc->kc_recv_seal_Ke = krb5_get_encryption_key(key,
363 KG_USAGE_ACCEPTOR_SEAL);
364 kc->kc_recv_seal_Ki = krb5_get_integrity_key(key,
365 KG_USAGE_ACCEPTOR_SEAL);
366 kc->kc_recv_seal_Kc = krb5_get_checksum_key(key,
367 KG_USAGE_ACCEPTOR_SEAL);
368 kc->kc_recv_sign_Kc = krb5_get_checksum_key(key,
369 KG_USAGE_ACCEPTOR_SIGN);
374 kc->kc_send_seal_Ke = krb5_get_encryption_key(key,
375 KG_USAGE_ACCEPTOR_SEAL);
376 kc->kc_send_seal_Ki = krb5_get_integrity_key(key,
377 KG_USAGE_ACCEPTOR_SEAL);
378 kc->kc_send_seal_Kc = krb5_get_checksum_key(key,
379 KG_USAGE_ACCEPTOR_SEAL);
380 kc->kc_send_sign_Kc = krb5_get_checksum_key(key,
381 KG_USAGE_ACCEPTOR_SIGN);
383 kc->kc_recv_seal_Ke = krb5_get_encryption_key(key,
384 KG_USAGE_INITIATOR_SEAL);
385 kc->kc_recv_seal_Ki = krb5_get_integrity_key(key,
386 KG_USAGE_INITIATOR_SEAL);
387 kc->kc_recv_seal_Kc = krb5_get_checksum_key(key,
388 KG_USAGE_INITIATOR_SEAL);
389 kc->kc_recv_sign_Kc = krb5_get_checksum_key(key,
390 KG_USAGE_INITIATOR_SIGN);
395 return (GSS_S_COMPLETE);
399 krb5_init(gss_ctx_id_t ctx)
401 struct krb5_context *kc = (struct krb5_context *)ctx;
403 mtx_init(&kc->kc_lock, "krb5 gss lock", NULL, MTX_DEF);
407 krb5_import(gss_ctx_id_t ctx,
408 enum sec_context_format format,
409 const gss_buffer_t context_token)
411 struct krb5_context *kc = (struct krb5_context *)ctx;
413 const uint8_t *p = (const uint8_t *) context_token->value;
414 size_t len = context_token->length;
419 * We support heimdal 0.6 and heimdal 1.1
421 if (format != KGSS_HEIMDAL_0_6 && format != KGSS_HEIMDAL_1_1)
422 return (GSS_S_DEFECTIVE_TOKEN);
424 #define SC_LOCAL_ADDRESS 1
425 #define SC_REMOTE_ADDRESS 2
426 #define SC_KEYBLOCK 4
427 #define SC_LOCAL_SUBKEY 8
428 #define SC_REMOTE_SUBKEY 16
431 * Ensure that the token starts with krb5 oid.
433 if (p[0] != 0x00 || p[1] != krb5_mech_oid.length
434 || len < krb5_mech_oid.length + 2
435 || bcmp(krb5_mech_oid.elements, p + 2,
436 krb5_mech_oid.length))
437 return (GSS_S_DEFECTIVE_TOKEN);
438 p += krb5_mech_oid.length + 2;
439 len -= krb5_mech_oid.length + 2;
441 flags = get_uint32(&p, &len);
442 kc->kc_ac_flags = get_uint32(&p, &len);
443 if (flags & SC_LOCAL_ADDRESS)
444 get_address(&p, &len, &kc->kc_local_address);
445 if (flags & SC_REMOTE_ADDRESS)
446 get_address(&p, &len, &kc->kc_remote_address);
447 kc->kc_local_port = get_uint16(&p, &len);
448 kc->kc_remote_port = get_uint16(&p, &len);
449 if (flags & SC_KEYBLOCK)
450 get_keyblock(&p, &len, &kc->kc_keyblock);
451 if (flags & SC_LOCAL_SUBKEY)
452 get_keyblock(&p, &len, &kc->kc_local_subkey);
453 if (flags & SC_REMOTE_SUBKEY)
454 get_keyblock(&p, &len, &kc->kc_remote_subkey);
455 kc->kc_local_seqnumber = get_uint32(&p, &len);
456 kc->kc_remote_seqnumber = get_uint32(&p, &len);
457 kc->kc_keytype = get_uint32(&p, &len);
458 kc->kc_cksumtype = get_uint32(&p, &len);
459 get_data(&p, &len, &kc->kc_source_name);
460 get_data(&p, &len, &kc->kc_target_name);
461 kc->kc_ctx_flags = get_uint32(&p, &len);
462 kc->kc_more_flags = get_uint32(&p, &len);
463 kc->kc_lifetime = get_uint32(&p, &len);
465 * Heimdal 1.1 adds the message order stuff.
467 if (format == KGSS_HEIMDAL_1_1) {
468 kc->kc_msg_order.km_flags = get_uint32(&p, &len);
469 kc->kc_msg_order.km_start = get_uint32(&p, &len);
470 kc->kc_msg_order.km_length = get_uint32(&p, &len);
471 kc->kc_msg_order.km_jitter_window = get_uint32(&p, &len);
472 kc->kc_msg_order.km_first_seq = get_uint32(&p, &len);
473 kc->kc_msg_order.km_elem =
474 malloc(kc->kc_msg_order.km_jitter_window * sizeof(uint32_t),
476 for (i = 0; i < kc->kc_msg_order.km_jitter_window; i++)
477 kc->kc_msg_order.km_elem[i] = get_uint32(&p, &len);
479 kc->kc_msg_order.km_flags = 0;
487 * We don't need these anymore.
489 delete_keyblock(&kc->kc_keyblock);
490 delete_keyblock(&kc->kc_local_subkey);
491 delete_keyblock(&kc->kc_remote_subkey);
493 return (GSS_S_COMPLETE);
497 krb5_delete(gss_ctx_id_t ctx, gss_buffer_t output_token)
499 struct krb5_context *kc = (struct krb5_context *)ctx;
501 delete_address(&kc->kc_local_address);
502 delete_address(&kc->kc_remote_address);
503 delete_keyblock(&kc->kc_keyblock);
504 delete_keyblock(&kc->kc_local_subkey);
505 delete_keyblock(&kc->kc_remote_subkey);
506 delete_data(&kc->kc_source_name);
507 delete_data(&kc->kc_target_name);
508 if (kc->kc_msg_order.km_elem)
509 free(kc->kc_msg_order.km_elem, M_GSSAPI);
511 output_token->length = 0;
512 output_token->value = NULL;
514 if (kc->kc_tokenkey) {
515 krb5_free_key(kc->kc_tokenkey);
516 if (kc->kc_encryptkey) {
517 krb5_free_key(kc->kc_encryptkey);
518 krb5_free_key(kc->kc_checksumkey);
520 krb5_free_key(kc->kc_send_seal_Ke);
521 krb5_free_key(kc->kc_send_seal_Ki);
522 krb5_free_key(kc->kc_send_seal_Kc);
523 krb5_free_key(kc->kc_send_sign_Kc);
524 krb5_free_key(kc->kc_recv_seal_Ke);
525 krb5_free_key(kc->kc_recv_seal_Ki);
526 krb5_free_key(kc->kc_recv_seal_Kc);
527 krb5_free_key(kc->kc_recv_sign_Kc);
530 mtx_destroy(&kc->kc_lock);
534 krb5_mech_type(gss_ctx_id_t ctx)
537 return (&krb5_mech_oid);
541 * Make a token with the given type and length (the length includes
542 * the TOK_ID), initialising the token header appropriately. Return a
543 * pointer to the TOK_ID of the token. A new mbuf is allocated with
544 * the framing header plus hlen bytes of space.
546 * Format is as follows:
548 * 0x60 [APPLICATION 0] SEQUENCE
549 * DER encoded length length of oid + type + inner token length
550 * 0x06 NN <oid data> OID of mechanism type
552 * <inner token> data for inner token
554 * 1: der encoded length
557 krb5_make_token(char tok_id[2], size_t hlen, size_t len, struct mbuf **mp)
559 size_t inside_len, len_len, tlen;
560 gss_OID oid = &krb5_mech_oid;
564 inside_len = 2 + oid->length + len;
565 if (inside_len < 128)
567 else if (inside_len < 0x100)
569 else if (inside_len < 0x10000)
571 else if (inside_len < 0x1000000)
576 tlen = 1 + len_len + 2 + oid->length + hlen;
577 KASSERT(tlen <= MLEN, ("token head too large"));
578 MGET(m, M_WAITOK, MT_DATA);
582 p = (uint8_t *) m->m_data;
594 *p++ = inside_len >> 8;
599 *p++ = inside_len >> 16;
600 *p++ = inside_len >> 8;
605 *p++ = inside_len >> 24;
606 *p++ = inside_len >> 16;
607 *p++ = inside_len >> 8;
614 bcopy(oid->elements, p, oid->length);
626 * Verify a token, checking the inner token length and mechanism oid.
627 * pointer to the first byte of the TOK_ID. The length of the
628 * encapsulated data is checked to be at least len bytes; the actual
629 * length of the encapsulated data (including TOK_ID) is returned in
632 * If can_pullup is TRUE and the token header is fragmented, we will
635 * Format is as follows:
637 * 0x60 [APPLICATION 0] SEQUENCE
638 * DER encoded length length of oid + type + inner token length
639 * 0x06 NN <oid data> OID of mechanism type
641 * <inner token> data for inner token
643 * 1: der encoded length
646 krb5_verify_token(char tok_id[2], size_t len, struct mbuf **mp,
647 size_t *encap_len, bool_t can_pullup)
650 size_t tlen, hlen, len_len, inside_len;
651 gss_OID oid = &krb5_mech_oid;
655 tlen = m_length(m, NULL);
660 * Ensure that at least the framing part of the token is
665 *mp = m = m_pullup(m, 2);
680 * Ensure there is enough space for the DER encoded length.
682 len_len = (*p & 0x7f) + 1;
683 if (tlen < len_len + 1)
685 if (m->m_len < len_len + 1) {
687 *mp = m = m_pullup(m, len_len + 1);
699 inside_len = (p[0] << 8) | p[1];
704 inside_len = (p[0] << 16) | (p[1] << 8) | p[2];
709 inside_len = (p[0] << 24) | (p[1] << 16)
710 | (p[2] << 8) | p[3];
719 if (tlen != inside_len + len_len + 1)
721 if (inside_len < 2 + oid->length + len)
725 * Now that we know the value of len_len, we can pullup the
726 * whole header. The header is 1 + len_len + 2 + oid->length +
729 hlen = 1 + len_len + 2 + oid->length + len;
730 if (m->m_len < hlen) {
732 *mp = m = m_pullup(m, hlen);
735 p = m->m_data + 1 + len_len;
740 if (*p++ != oid->length)
742 if (bcmp(oid->elements, p, oid->length))
746 if (p[0] != tok_id[0])
749 if (p[1] != tok_id[1])
752 *encap_len = inside_len - 2 - oid->length;
758 krb5_insert_seq(struct krb5_msg_order *mo, uint32_t seq, int index)
762 if (mo->km_length < mo->km_jitter_window)
765 for (i = mo->km_length - 1; i > index; i--)
766 mo->km_elem[i] = mo->km_elem[i - 1];
767 mo->km_elem[index] = seq;
771 * Check sequence numbers according to RFC 2743 section 1.2.3.
774 krb5_sequence_check(struct krb5_context *kc, uint32_t seq)
776 OM_uint32 res = GSS_S_FAILURE;
777 struct krb5_msg_order *mo = &kc->kc_msg_order;
778 int check_sequence = mo->km_flags & GSS_C_SEQUENCE_FLAG;
779 int check_replay = mo->km_flags & GSS_C_REPLAY_FLAG;
782 mtx_lock(&kc->kc_lock);
785 * Message is in-sequence with no gap.
787 if (mo->km_length == 0 || seq == mo->km_elem[0] + 1) {
789 * This message is received in-sequence with no gaps.
791 krb5_insert_seq(mo, seq, 0);
792 res = GSS_S_COMPLETE;
796 if (seq > mo->km_elem[0]) {
798 * This message is received in-sequence with a gap.
800 krb5_insert_seq(mo, seq, 0);
802 res = GSS_S_GAP_TOKEN;
804 res = GSS_S_COMPLETE;
808 if (seq < mo->km_elem[mo->km_length - 1]) {
809 if (check_replay && !check_sequence)
810 res = GSS_S_OLD_TOKEN;
812 res = GSS_S_UNSEQ_TOKEN;
816 for (i = 0; i < mo->km_length; i++) {
817 if (mo->km_elem[i] == seq) {
818 res = GSS_S_DUPLICATE_TOKEN;
821 if (mo->km_elem[i] < seq) {
823 * We need to insert this seq here,
825 krb5_insert_seq(mo, seq, i);
826 if (check_replay && !check_sequence)
827 res = GSS_S_COMPLETE;
829 res = GSS_S_UNSEQ_TOKEN;
835 mtx_unlock(&kc->kc_lock);
840 static uint8_t sgn_alg_des_md5[] = { 0x00, 0x00 };
841 static uint8_t seal_alg_des[] = { 0x00, 0x00 };
842 static uint8_t sgn_alg_des3_sha1[] = { 0x04, 0x00 };
843 static uint8_t seal_alg_des3[] = { 0x02, 0x00 };
844 static uint8_t seal_alg_rc4[] = { 0x10, 0x00 };
845 static uint8_t sgn_alg_hmac_md5[] = { 0x11, 0x00 };
848 * Return the size of the inner token given the use of the key's
849 * encryption class. For wrap tokens, the length of the padded
850 * plaintext will be added to this.
853 token_length(struct krb5_key_state *key)
856 return (16 + key->ks_class->ec_checksumlen);
860 krb5_get_mic_old(struct krb5_context *kc, struct mbuf *m,
861 struct mbuf **micp, uint8_t sgn_alg[2])
863 struct mbuf *mlast, *mic, *tm;
865 size_t tlen, mlen, cklen;
869 mlen = m_length(m, &mlast);
871 tlen = token_length(kc->kc_tokenkey);
872 p = krb5_make_token("\x01\x01", tlen, tlen, &mic);
874 *p++ = sgn_alg[0]; /* SGN_ALG */
877 *p++ = 0xff; /* filler */
885 * Calculate the keyed checksum of the token header plus the
888 cklen = kc->kc_checksumkey->ks_class->ec_checksumlen;
890 mic->m_len = p - (uint8_t *) mic->m_data;
892 MGET(tm, M_WAITOK, MT_DATA);
896 krb5_checksum(kc->kc_checksumkey, 15, mic, mic->m_len - 8,
898 bcopy(tm->m_data, p + 8, cklen);
900 mlast->m_next = NULL;
906 * Take the four bytes of the sequence number least
907 * significant first followed by four bytes of direction
908 * marker (zero for initiator and 0xff for acceptor). Encrypt
909 * that data using the SGN_CKSUM as IV. Note: ARC4 wants the
910 * sequence number big-endian.
912 seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
913 if (sgn_alg[0] == 0x11) {
924 if (is_initiator(kc)) {
933 bcopy(p + 8, buf, 8);
936 * Set the mic buffer to its final size so that the encrypt
937 * can see the SND_SEQ part.
939 mic->m_len += 8 + cklen;
940 krb5_encrypt(kc->kc_tokenkey, mic, mic->m_len - cklen - 8, 8, buf, 8);
943 return (GSS_S_COMPLETE);
947 krb5_get_mic_new(struct krb5_context *kc, struct mbuf *m,
950 struct krb5_key_state *key = kc->kc_send_sign_Kc;
951 struct mbuf *mlast, *mic;
957 mlen = m_length(m, &mlast);
958 cklen = key->ks_class->ec_checksumlen;
960 KASSERT(16 + cklen <= MLEN, ("checksum too large for an mbuf"));
961 MGET(mic, M_WAITOK, MT_DATA);
962 M_ALIGN(mic, 16 + cklen);
963 mic->m_len = 16 + cklen;
973 flags |= GSS_TOKEN_SENT_BY_ACCEPTOR;
974 if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
975 flags |= GSS_TOKEN_ACCEPTOR_SUBKEY;
990 seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
999 * Calculate the keyed checksum of the message plus the first
1000 * 16 bytes of the token header.
1002 mlast->m_next = mic;
1003 krb5_checksum(key, 0, m, 0, mlen + 16, cklen);
1004 mlast->m_next = NULL;
1007 return (GSS_S_COMPLETE);
1011 krb5_get_mic(gss_ctx_id_t ctx, OM_uint32 *minor_status,
1012 gss_qop_t qop_req, struct mbuf *m, struct mbuf **micp)
1014 struct krb5_context *kc = (struct krb5_context *)ctx;
1018 if (qop_req != GSS_C_QOP_DEFAULT)
1019 return (GSS_S_BAD_QOP);
1021 if (time_uptime > kc->kc_lifetime)
1022 return (GSS_S_CONTEXT_EXPIRED);
1024 switch (kc->kc_tokenkey->ks_class->ec_type) {
1025 case ETYPE_DES_CBC_CRC:
1026 return (krb5_get_mic_old(kc, m, micp, sgn_alg_des_md5));
1028 case ETYPE_DES3_CBC_SHA1:
1029 return (krb5_get_mic_old(kc, m, micp, sgn_alg_des3_sha1));
1031 case ETYPE_ARCFOUR_HMAC_MD5:
1032 case ETYPE_ARCFOUR_HMAC_MD5_56:
1033 return (krb5_get_mic_old(kc, m, micp, sgn_alg_hmac_md5));
1036 return (krb5_get_mic_new(kc, m, micp));
1039 return (GSS_S_FAILURE);
1043 krb5_verify_mic_old(struct krb5_context *kc, struct mbuf *m, struct mbuf *mic,
1046 struct mbuf *mlast, *tm;
1047 uint8_t *p, *tp, dir;
1048 size_t mlen, tlen, elen, miclen;
1052 mlen = m_length(m, &mlast);
1054 tlen = token_length(kc->kc_tokenkey);
1055 p = krb5_verify_token("\x01\x01", tlen, &mic, &elen, FALSE);
1057 return (GSS_S_DEFECTIVE_TOKEN);
1060 * Disable this check - heimdal-1.1 generates DES3 MIC tokens
1061 * that are 2 bytes too big.
1064 return (GSS_S_DEFECTIVE_TOKEN);
1070 if (p[0] != sgn_alg[0] || p[1] != sgn_alg[1])
1071 return (GSS_S_DEFECTIVE_TOKEN);
1074 if (p[0] != 0xff || p[1] != 0xff || p[2] != 0xff || p[3] != 0xff)
1075 return (GSS_S_DEFECTIVE_TOKEN);
1081 * Calculate the keyed checksum of the token header plus the
1084 cklen = kc->kc_checksumkey->ks_class->ec_checksumlen;
1085 miclen = mic->m_len;
1086 mic->m_len = p - (uint8_t *) mic->m_data;
1088 MGET(tm, M_WAITOK, MT_DATA);
1092 krb5_checksum(kc->kc_checksumkey, 15, mic, mic->m_len - 8,
1095 mlast->m_next = NULL;
1096 if (bcmp(tm->m_data, p + 8, cklen)) {
1098 return (GSS_S_BAD_SIG);
1104 * Take the four bytes of the sequence number least
1105 * significant first followed by four bytes of direction
1106 * marker (zero for initiator and 0xff for acceptor). Encrypt
1107 * that data using the SGN_CKSUM as IV. Note: ARC4 wants the
1108 * sequence number big-endian.
1110 bcopy(p, tm->m_data, 8);
1112 krb5_decrypt(kc->kc_tokenkey, tm, 0, 8, p + 8, 8);
1115 if (sgn_alg[0] == 0x11) {
1116 seq = tp[3] | (tp[2] << 8) | (tp[1] << 16) | (tp[0] << 24);
1118 seq = tp[0] | (tp[1] << 8) | (tp[2] << 16) | (tp[3] << 24);
1121 if (is_initiator(kc)) {
1126 if (tp[4] != dir || tp[5] != dir || tp[6] != dir || tp[7] != dir) {
1128 return (GSS_S_DEFECTIVE_TOKEN);
1132 if (kc->kc_msg_order.km_flags &
1133 (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) {
1134 return (krb5_sequence_check(kc, seq));
1137 return (GSS_S_COMPLETE);
1141 krb5_verify_mic_new(struct krb5_context *kc, struct mbuf *m, struct mbuf *mic)
1144 struct krb5_key_state *key = kc->kc_recv_sign_Kc;
1151 mlen = m_length(m, &mlast);
1152 cklen = key->ks_class->ec_checksumlen;
1154 KASSERT(mic->m_next == NULL, ("MIC should be contiguous"));
1155 if (mic->m_len != 16 + cklen)
1156 return (GSS_S_DEFECTIVE_TOKEN);
1161 return (GSS_S_DEFECTIVE_TOKEN);
1163 return (GSS_S_DEFECTIVE_TOKEN);
1167 if (is_initiator(kc))
1168 flags |= GSS_TOKEN_SENT_BY_ACCEPTOR;
1169 if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
1170 flags |= GSS_TOKEN_ACCEPTOR_SUBKEY;
1172 return (GSS_S_DEFECTIVE_TOKEN);
1176 return (GSS_S_DEFECTIVE_TOKEN);
1178 return (GSS_S_DEFECTIVE_TOKEN);
1180 return (GSS_S_DEFECTIVE_TOKEN);
1182 return (GSS_S_DEFECTIVE_TOKEN);
1184 return (GSS_S_DEFECTIVE_TOKEN);
1187 if (kc->kc_msg_order.km_flags &
1188 (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) {
1190 if (p[8] || p[9] || p[10] || p[11]) {
1191 res = GSS_S_UNSEQ_TOKEN;
1193 seq = (p[12] << 24) | (p[13] << 16)
1194 | (p[14] << 8) | p[15];
1195 res = krb5_sequence_check(kc, seq);
1200 res = GSS_S_COMPLETE;
1206 * Calculate the keyed checksum of the message plus the first
1207 * 16 bytes of the token header.
1209 m_copydata(mic, 16, cklen, buf);
1210 mlast->m_next = mic;
1211 krb5_checksum(key, 0, m, 0, mlen + 16, cklen);
1212 mlast->m_next = NULL;
1213 if (bcmp(buf, p + 16, cklen)) {
1214 return (GSS_S_BAD_SIG);
1217 return (GSS_S_COMPLETE);
1221 krb5_verify_mic(gss_ctx_id_t ctx, OM_uint32 *minor_status,
1222 struct mbuf *m, struct mbuf *mic, gss_qop_t *qop_state)
1224 struct krb5_context *kc = (struct krb5_context *)ctx;
1228 *qop_state = GSS_C_QOP_DEFAULT;
1230 if (time_uptime > kc->kc_lifetime)
1231 return (GSS_S_CONTEXT_EXPIRED);
1233 switch (kc->kc_tokenkey->ks_class->ec_type) {
1234 case ETYPE_DES_CBC_CRC:
1235 return (krb5_verify_mic_old(kc, m, mic, sgn_alg_des_md5));
1237 case ETYPE_ARCFOUR_HMAC_MD5:
1238 case ETYPE_ARCFOUR_HMAC_MD5_56:
1239 return (krb5_verify_mic_old(kc, m, mic, sgn_alg_hmac_md5));
1241 case ETYPE_DES3_CBC_SHA1:
1242 return (krb5_verify_mic_old(kc, m, mic, sgn_alg_des3_sha1));
1245 return (krb5_verify_mic_new(kc, m, mic));
1248 return (GSS_S_FAILURE);
1252 krb5_wrap_old(struct krb5_context *kc, int conf_req_flag,
1253 struct mbuf **mp, int *conf_state,
1254 uint8_t sgn_alg[2], uint8_t seal_alg[2])
1256 struct mbuf *m, *mlast, *tm, *cm, *pm;
1257 size_t mlen, tlen, padlen, datalen;
1264 * How many trailing pad bytes do we need?
1267 mlen = m_length(m, &mlast);
1268 tlen = kc->kc_tokenkey->ks_class->ec_msgblocklen;
1269 padlen = tlen - (mlen % tlen);
1272 * The data part of the token has eight bytes of random
1273 * confounder prepended and followed by up to eight bytes of
1274 * padding bytes each of which is set to the number of padding
1277 datalen = mlen + 8 + padlen;
1278 tlen = token_length(kc->kc_tokenkey);
1280 p = krb5_make_token("\x02\x01", tlen, datalen + tlen, &tm);
1281 p += 2; /* TOK_ID */
1282 *p++ = sgn_alg[0]; /* SGN_ALG */
1284 if (conf_req_flag) {
1285 *p++ = seal_alg[0]; /* SEAL_ALG */
1288 *p++ = 0xff; /* SEAL_ALG = none */
1292 *p++ = 0xff; /* filler */
1296 * Copy the padded message data.
1298 if (M_LEADINGSPACE(m) >= 8) {
1302 MGET(cm, M_WAITOK, MT_DATA);
1307 arc4rand(m->m_data, 8, 0);
1308 if (M_TRAILINGSPACE(mlast) >= padlen) {
1309 memset(mlast->m_data + mlast->m_len, padlen, padlen);
1310 mlast->m_len += padlen;
1312 MGET(pm, M_WAITOK, MT_DATA);
1313 memset(pm->m_data, padlen, padlen);
1323 * Calculate the keyed checksum of the token header plus the
1324 * padded message. Fiddle with tm->m_len so that we only
1325 * checksum the 8 bytes of head that we care about.
1327 cklen = kc->kc_checksumkey->ks_class->ec_checksumlen;
1329 tm->m_len = p - (uint8_t *) tm->m_data;
1330 MGET(cm, M_WAITOK, MT_DATA);
1333 krb5_checksum(kc->kc_checksumkey, 13, tm, tm->m_len - 8,
1334 datalen + 8, cklen);
1336 mlast->m_next = NULL;
1337 bcopy(cm->m_data, p + 8, cklen);
1343 * Take the four bytes of the sequence number least
1344 * significant first (most significant first for ARCFOUR)
1345 * followed by four bytes of direction marker (zero for
1346 * initiator and 0xff for acceptor). Encrypt that data using
1347 * the SGN_CKSUM as IV.
1349 seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
1350 if (sgn_alg[0] == 0x11) {
1361 if (is_initiator(kc)) {
1370 krb5_encrypt(kc->kc_tokenkey, tm, p - (uint8_t *) tm->m_data,
1373 if (conf_req_flag) {
1375 * Encrypt the padded message with an IV of zero for
1376 * DES and DES3, or an IV of the sequence number in
1377 * big-endian format for ARCFOUR.
1379 if (seal_alg[0] == 0x10) {
1380 buf[0] = (seq >> 24);
1381 buf[1] = (seq >> 16);
1382 buf[2] = (seq >> 8);
1383 buf[3] = (seq >> 0);
1384 krb5_encrypt(kc->kc_encryptkey, m, 0, datalen,
1387 krb5_encrypt(kc->kc_encryptkey, m, 0, datalen,
1393 *conf_state = conf_req_flag;
1396 return (GSS_S_COMPLETE);
1400 krb5_wrap_new(struct krb5_context *kc, int conf_req_flag,
1401 struct mbuf **mp, int *conf_state)
1403 struct krb5_key_state *Ke = kc->kc_send_seal_Ke;
1404 struct krb5_key_state *Ki = kc->kc_send_seal_Ki;
1405 struct krb5_key_state *Kc = kc->kc_send_seal_Kc;
1406 const struct krb5_encryption_class *ec = Ke->ks_class;
1407 struct mbuf *m, *mlast, *tm;
1410 size_t mlen, blen, mblen, cklen, ctlen;
1412 static char zpad[32];
1415 mlen = m_length(m, &mlast);
1417 blen = ec->ec_blocklen;
1418 mblen = ec->ec_msgblocklen;
1419 cklen = ec->ec_checksumlen;
1421 if (conf_req_flag) {
1423 * For sealed messages, we need space for 16 bytes of
1424 * header, blen confounder, plaintext, padding, copy
1425 * of header and checksum.
1427 * We pad to mblen (which may be different from
1428 * blen). If the encryption class is using CTS, mblen
1429 * will be one (i.e. no padding required).
1435 ctlen = blen + mlen + EC + 16;
1438 * Put initial header and confounder before the
1441 M_PREPEND(m, 16 + blen, M_WAITOK);
1444 * Append padding + copy of header and checksum. Try
1445 * to fit this into the end of the original message,
1446 * otherwise allocate a trailer.
1448 if (M_TRAILINGSPACE(mlast) >= EC + 16 + cklen) {
1450 mlast->m_len += EC + 16 + cklen;
1452 MGET(tm, M_WAITOK, MT_DATA);
1453 tm->m_len = EC + 16 + cklen;
1458 * For unsealed messages, we need 16 bytes of header
1459 * plus space for the plaintext and a checksum. EC is
1460 * set to the checksum size. We leave space in tm for
1461 * a copy of the header - this will be trimmed later.
1463 M_PREPEND(m, 16, M_WAITOK);
1465 MGET(tm, M_WAITOK, MT_DATA);
1466 tm->m_len = cklen + 16;
1481 flags = GSS_TOKEN_SEALED;
1482 if (is_acceptor(kc))
1483 flags |= GSS_TOKEN_SENT_BY_ACCEPTOR;
1484 if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
1485 flags |= GSS_TOKEN_ACCEPTOR_SUBKEY;
1491 /* EC + RRC - set to zero initially */
1502 seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
1503 p[12] = (seq >> 24);
1504 p[13] = (seq >> 16);
1508 if (conf_req_flag) {
1510 * Encrypt according to RFC 4121 section 4.2 and RFC
1511 * 3961 section 5.3. Note: we don't generate tokens
1512 * with RRC values other than zero. If we did, we
1513 * should zero RRC in the copied header.
1515 arc4rand(p + 16, blen, 0);
1517 m_copyback(m, 16 + blen + mlen, EC, zpad);
1519 m_copyback(m, 16 + blen + mlen + EC, 16, p);
1521 krb5_checksum(Ki, 0, m, 16, ctlen, cklen);
1522 krb5_encrypt(Ke, m, 16, ctlen, NULL, 0);
1525 * The plaintext message is followed by a checksum of
1526 * the plaintext plus a version of the header where EC
1527 * and RRC are set to zero. Also, the original EC must
1528 * be our checksum size.
1530 bcopy(p, tm->m_data, 16);
1531 krb5_checksum(Kc, 0, m, 16, mlen + 16, cklen);
1537 * Finally set EC to its actual value
1543 return (GSS_S_COMPLETE);
1547 krb5_wrap(gss_ctx_id_t ctx, OM_uint32 *minor_status,
1548 int conf_req_flag, gss_qop_t qop_req,
1549 struct mbuf **mp, int *conf_state)
1551 struct krb5_context *kc = (struct krb5_context *)ctx;
1557 if (qop_req != GSS_C_QOP_DEFAULT)
1558 return (GSS_S_BAD_QOP);
1560 if (time_uptime > kc->kc_lifetime)
1561 return (GSS_S_CONTEXT_EXPIRED);
1563 switch (kc->kc_tokenkey->ks_class->ec_type) {
1564 case ETYPE_DES_CBC_CRC:
1565 return (krb5_wrap_old(kc, conf_req_flag,
1566 mp, conf_state, sgn_alg_des_md5, seal_alg_des));
1568 case ETYPE_ARCFOUR_HMAC_MD5:
1569 case ETYPE_ARCFOUR_HMAC_MD5_56:
1570 return (krb5_wrap_old(kc, conf_req_flag,
1571 mp, conf_state, sgn_alg_hmac_md5, seal_alg_rc4));
1573 case ETYPE_DES3_CBC_SHA1:
1574 return (krb5_wrap_old(kc, conf_req_flag,
1575 mp, conf_state, sgn_alg_des3_sha1, seal_alg_des3));
1578 return (krb5_wrap_new(kc, conf_req_flag, mp, conf_state));
1581 return (GSS_S_FAILURE);
1585 m_trim(struct mbuf *m, int len)
1592 n = m_getptr(m, len, &off);
1603 krb5_unwrap_old(struct krb5_context *kc, struct mbuf **mp, int *conf_state,
1604 uint8_t sgn_alg[2], uint8_t seal_alg[2])
1607 struct mbuf *m, *mlast, *hm, *cm, *n;
1609 size_t mlen, tlen, elen, datalen, padlen;
1616 mlen = m_length(m, &mlast);
1618 tlen = token_length(kc->kc_tokenkey);
1619 cklen = kc->kc_tokenkey->ks_class->ec_checksumlen;
1621 p = krb5_verify_token("\x02\x01", tlen, &m, &elen, TRUE);
1624 return (GSS_S_DEFECTIVE_TOKEN);
1625 datalen = elen - tlen;
1628 * Trim the framing header first to make life a little easier
1631 m_adj(m, p - (uint8_t *) m->m_data);
1637 if (p[0] != sgn_alg[0] || p[1] != sgn_alg[1])
1638 return (GSS_S_DEFECTIVE_TOKEN);
1642 if (p[0] == seal_alg[0] && p[1] == seal_alg[1])
1644 else if (p[0] == 0xff && p[1] == 0xff)
1647 return (GSS_S_DEFECTIVE_TOKEN);
1650 if (p[0] != 0xff || p[1] != 0xff)
1651 return (GSS_S_DEFECTIVE_TOKEN);
1657 * Take the four bytes of the sequence number least
1658 * significant first (most significant for ARCFOUR) followed
1659 * by four bytes of direction marker (zero for initiator and
1660 * 0xff for acceptor). Encrypt that data using the SGN_CKSUM
1663 krb5_decrypt(kc->kc_tokenkey, m, 8, 8, p + 8, 8);
1664 if (sgn_alg[0] == 0x11) {
1665 seq = p[3] | (p[2] << 8) | (p[1] << 16) | (p[0] << 24);
1667 seq = p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
1670 if (is_initiator(kc)) {
1675 if (p[4] != dir || p[5] != dir || p[6] != dir || p[7] != dir)
1676 return (GSS_S_DEFECTIVE_TOKEN);
1678 if (kc->kc_msg_order.km_flags &
1679 (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) {
1680 res = krb5_sequence_check(kc, seq);
1684 res = GSS_S_COMPLETE;
1688 * If the token was encrypted, decode it in-place.
1692 * Decrypt the padded message with an IV of zero for
1693 * DES and DES3 or an IV of the big-endian encoded
1694 * sequence number for ARCFOUR.
1696 if (seal_alg[0] == 0x10) {
1697 krb5_decrypt(kc->kc_encryptkey, m, 16 + cklen,
1700 krb5_decrypt(kc->kc_encryptkey, m, 16 + cklen,
1708 * Check the trailing pad bytes.
1709 * RFC1964 specifies between 1<->8 bytes, each with a binary value
1710 * equal to the number of bytes.
1712 if (mlast->m_len > 0)
1713 padlen = mlast->m_data[mlast->m_len - 1];
1715 n = m_getptr(m, tlen + datalen - 1, &i);
1717 * When the position is exactly equal to the # of data bytes
1718 * in the mbuf list, m_getptr() will return the last mbuf in
1719 * the list and an off == m_len for that mbuf, so that case
1720 * needs to be checked as well as a NULL return.
1722 if (n == NULL || n->m_len == i)
1723 return (GSS_S_DEFECTIVE_TOKEN);
1724 padlen = n->m_data[i];
1726 if (padlen < 1 || padlen > 8 || padlen > tlen + datalen)
1727 return (GSS_S_DEFECTIVE_TOKEN);
1728 m_copydata(m, tlen + datalen - padlen, padlen, buf);
1729 for (i = 0; i < padlen; i++) {
1730 if (buf[i] != padlen) {
1731 return (GSS_S_DEFECTIVE_TOKEN);
1738 * Calculate the keyed checksum of the token header plus the
1739 * padded message. We do a little mbuf surgery to trim out the
1740 * parts we don't want to checksum.
1743 *mp = m = m_split(m, 16 + cklen, M_WAITOK);
1747 MGET(cm, M_WAITOK, MT_DATA);
1751 krb5_checksum(kc->kc_checksumkey, 13, hm, 0, datalen + 8, cklen);
1753 mlast->m_next = NULL;
1755 if (bcmp(cm->m_data, hm->m_data + 16, cklen)) {
1758 return (GSS_S_BAD_SIG);
1764 * Trim off the confounder and padding.
1767 if (mlast->m_len >= padlen) {
1768 mlast->m_len -= padlen;
1770 m_trim(m, datalen - 8 - padlen);
1778 krb5_unwrap_new(struct krb5_context *kc, struct mbuf **mp, int *conf_state)
1781 struct krb5_key_state *Ke = kc->kc_recv_seal_Ke;
1782 struct krb5_key_state *Ki = kc->kc_recv_seal_Ki;
1783 struct krb5_key_state *Kc = kc->kc_recv_seal_Kc;
1784 const struct krb5_encryption_class *ec = Ke->ks_class;
1785 struct mbuf *m, *mlast, *hm, *cm;
1787 int sealed, flags, EC, RRC;
1788 size_t blen, cklen, ctlen, mlen, plen, tlen;
1789 char buf[32], buf2[32];
1792 mlen = m_length(m, &mlast);
1795 return (GSS_S_DEFECTIVE_TOKEN);
1796 if (m->m_len < 16) {
1797 m = m_pullup(m, 16);
1804 return (GSS_S_DEFECTIVE_TOKEN);
1806 return (GSS_S_DEFECTIVE_TOKEN);
1809 sealed = p[2] & GSS_TOKEN_SEALED;
1811 if (is_initiator(kc))
1812 flags |= GSS_TOKEN_SENT_BY_ACCEPTOR;
1813 if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
1814 flags |= GSS_TOKEN_ACCEPTOR_SUBKEY;
1816 return (GSS_S_DEFECTIVE_TOKEN);
1820 return (GSS_S_DEFECTIVE_TOKEN);
1823 EC = (p[4] << 8) + p[5];
1824 RRC = (p[6] << 8) + p[7];
1827 if (kc->kc_msg_order.km_flags &
1828 (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) {
1830 if (p[8] || p[9] || p[10] || p[11]) {
1831 res = GSS_S_UNSEQ_TOKEN;
1833 seq = (p[12] << 24) | (p[13] << 16)
1834 | (p[14] << 8) | p[15];
1835 res = krb5_sequence_check(kc, seq);
1840 res = GSS_S_COMPLETE;
1844 * Separate the header before dealing with RRC. We only need
1845 * to keep the header if the message isn't encrypted.
1852 *mp = m = m_split(m, 16, M_WAITOK);
1857 * Undo the effects of RRC by rotating left.
1864 if (RRC <= sizeof(buf) && m->m_len >= rlen) {
1866 * Simple case, just rearrange the bytes in m.
1868 bcopy(m->m_data, buf, RRC);
1869 bcopy(m->m_data + RRC, m->m_data, rlen - RRC);
1870 bcopy(buf, m->m_data + rlen - RRC, RRC);
1873 * More complicated - rearrange the mbuf
1877 *mp = m = m_split(m, RRC, M_WAITOK);
1883 blen = ec->ec_blocklen;
1884 cklen = ec->ec_checksumlen;
1887 * Decrypt according to RFC 4121 section 4.2 and RFC
1888 * 3961 section 5.3. The message must be large enough
1889 * for a blocksize confounder, at least one block of
1890 * cyphertext and a checksum.
1892 if (mlen < 16 + 2*blen + cklen)
1893 return (GSS_S_DEFECTIVE_TOKEN);
1895 ctlen = mlen - 16 - cklen;
1896 krb5_decrypt(Ke, m, 0, ctlen, NULL, 0);
1899 * The size of the plaintext is ctlen minus blocklen
1900 * (for the confounder), 16 (for the copy of the token
1901 * header) and EC (for the filler). The actual
1902 * plaintext starts after the confounder.
1904 plen = ctlen - blen - 16 - EC;
1908 * Checksum the padded plaintext.
1910 m_copydata(m, ctlen, cklen, buf);
1911 krb5_checksum(Ki, 0, m, 0, ctlen, cklen);
1912 m_copydata(m, ctlen, cklen, buf2);
1914 if (bcmp(buf, buf2, cklen))
1915 return (GSS_S_BAD_SIG);
1918 * Trim the message back to just plaintext.
1921 tlen = 16 + EC + cklen;
1922 if (mlast->m_len >= tlen) {
1923 mlast->m_len -= tlen;
1929 * The plaintext message is followed by a checksum of
1930 * the plaintext plus a version of the header where EC
1931 * and RRC are set to zero. Also, the original EC must
1932 * be our checksum size.
1934 if (mlen < 16 + cklen || EC != cklen)
1935 return (GSS_S_DEFECTIVE_TOKEN);
1938 * The size of the plaintext is simply the message
1939 * size less header and checksum. The plaintext starts
1940 * right after the header (which we have saved in hm).
1942 plen = mlen - 16 - cklen;
1945 * Insert a copy of the header (with EC and RRC set to
1946 * zero) between the plaintext message and the
1950 p[4] = p[5] = p[6] = p[7] = 0;
1952 cm = m_split(m, plen, M_WAITOK);
1957 bcopy(cm->m_data, buf, cklen);
1958 krb5_checksum(Kc, 0, m, 0, plen + 16, cklen);
1959 if (bcmp(cm->m_data, buf, cklen))
1960 return (GSS_S_BAD_SIG);
1963 * The checksum matches, discard all buf the plaintext.
1965 mlast->m_next = NULL;
1970 *conf_state = (sealed != 0);
1976 krb5_unwrap(gss_ctx_id_t ctx, OM_uint32 *minor_status,
1977 struct mbuf **mp, int *conf_state, gss_qop_t *qop_state)
1979 struct krb5_context *kc = (struct krb5_context *)ctx;
1984 *qop_state = GSS_C_QOP_DEFAULT;
1988 if (time_uptime > kc->kc_lifetime)
1989 return (GSS_S_CONTEXT_EXPIRED);
1991 switch (kc->kc_tokenkey->ks_class->ec_type) {
1992 case ETYPE_DES_CBC_CRC:
1993 maj_stat = krb5_unwrap_old(kc, mp, conf_state,
1994 sgn_alg_des_md5, seal_alg_des);
1997 case ETYPE_ARCFOUR_HMAC_MD5:
1998 case ETYPE_ARCFOUR_HMAC_MD5_56:
1999 maj_stat = krb5_unwrap_old(kc, mp, conf_state,
2000 sgn_alg_hmac_md5, seal_alg_rc4);
2003 case ETYPE_DES3_CBC_SHA1:
2004 maj_stat = krb5_unwrap_old(kc, mp, conf_state,
2005 sgn_alg_des3_sha1, seal_alg_des3);
2009 maj_stat = krb5_unwrap_new(kc, mp, conf_state);
2013 if (GSS_ERROR(maj_stat)) {
2022 krb5_wrap_size_limit(gss_ctx_id_t ctx, OM_uint32 *minor_status,
2023 int conf_req_flag, gss_qop_t qop_req, OM_uint32 req_output_size,
2024 OM_uint32 *max_input_size)
2026 struct krb5_context *kc = (struct krb5_context *)ctx;
2027 const struct krb5_encryption_class *ec;
2031 *max_input_size = 0;
2033 if (qop_req != GSS_C_QOP_DEFAULT)
2034 return (GSS_S_BAD_QOP);
2036 ec = kc->kc_tokenkey->ks_class;
2037 switch (ec->ec_type) {
2038 case ETYPE_DES_CBC_CRC:
2039 case ETYPE_DES3_CBC_SHA1:
2040 case ETYPE_ARCFOUR_HMAC_MD5:
2041 case ETYPE_ARCFOUR_HMAC_MD5_56:
2043 * up to 5 bytes for [APPLICATION 0] SEQUENCE
2044 * 2 + krb5 oid length
2046 * 8 bytes of confounder
2047 * maximum of 8 bytes of padding
2050 overhead = 5 + 2 + krb5_mech_oid.length;
2051 overhead += 8 + 8 + ec->ec_msgblocklen;
2052 overhead += ec->ec_checksumlen;
2056 if (conf_req_flag) {
2059 * blocklen bytes of confounder
2060 * up to msgblocklen - 1 bytes of padding
2061 * 16 bytes for copy of header
2064 overhead = 16 + ec->ec_blocklen;
2065 overhead += ec->ec_msgblocklen - 1;
2067 overhead += ec->ec_checksumlen;
2070 * 16 bytes of header plus checksum.
2072 overhead = 16 + ec->ec_checksumlen;
2076 *max_input_size = req_output_size - overhead;
2078 return (GSS_S_COMPLETE);
2081 static kobj_method_t krb5_methods[] = {
2082 KOBJMETHOD(kgss_init, krb5_init),
2083 KOBJMETHOD(kgss_import, krb5_import),
2084 KOBJMETHOD(kgss_delete, krb5_delete),
2085 KOBJMETHOD(kgss_mech_type, krb5_mech_type),
2086 KOBJMETHOD(kgss_get_mic, krb5_get_mic),
2087 KOBJMETHOD(kgss_verify_mic, krb5_verify_mic),
2088 KOBJMETHOD(kgss_wrap, krb5_wrap),
2089 KOBJMETHOD(kgss_unwrap, krb5_unwrap),
2090 KOBJMETHOD(kgss_wrap_size_limit, krb5_wrap_size_limit),
2094 static struct kobj_class krb5_class = {
2097 sizeof(struct krb5_context)
2101 * Kernel module glue
2104 kgssapi_krb5_modevent(module_t mod, int type, void *data)
2109 kgss_install_mech(&krb5_mech_oid, "kerberosv5", &krb5_class);
2113 kgss_uninstall_mech(&krb5_mech_oid);
2120 static moduledata_t kgssapi_krb5_mod = {
2122 kgssapi_krb5_modevent,
2125 DECLARE_MODULE(kgssapi_krb5, kgssapi_krb5_mod, SI_SUB_VFS, SI_ORDER_ANY);
2126 MODULE_DEPEND(kgssapi_krb5, kgssapi, 1, 1, 1);
2127 MODULE_DEPEND(kgssapi_krb5, crypto, 1, 1, 1);
2128 MODULE_DEPEND(kgssapi_krb5, rc4, 1, 1, 1);
2129 MODULE_VERSION(kgssapi_krb5, 1);