2 * Copyright (c) 2008 Isilon Inc http://www.isilon.com/
3 * Authors: Doug Rabson <dfr@rabson.org>
4 * Developed with Red Inc: Alfred Perlstein <alfred@freebsd.org>
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
31 #include "opt_inet6.h"
33 #include <sys/param.h>
34 #include <sys/kernel.h>
37 #include <sys/malloc.h>
39 #include <sys/module.h>
40 #include <sys/mutex.h>
41 #include <kgssapi/gssapi.h>
42 #include <kgssapi/gssapi_impl.h>
47 #define GSS_TOKEN_SENT_BY_ACCEPTOR 1
48 #define GSS_TOKEN_SEALED 2
49 #define GSS_TOKEN_ACCEPTOR_SUBKEY 4
51 static gss_OID_desc krb5_mech_oid =
52 {9, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
59 struct krb5_keyblock {
60 uint16_t kk_type; /* encryption type */
61 struct krb5_data kk_key; /* key data */
66 struct krb5_data ka_addr;
70 * The km_elem array is ordered so that the highest received sequence
71 * number is listed first.
73 struct krb5_msg_order {
77 uint32_t km_jitter_window;
78 uint32_t km_first_seq;
83 struct _gss_ctx_id_t kc_common;
86 uint32_t kc_ctx_flags;
87 uint32_t kc_more_flags;
90 #define COMPAT_OLD_DES3 4
91 #define COMPAT_OLD_DES3_SELECTED 8
92 #define ACCEPTOR_SUBKEY 16
93 struct krb5_address kc_local_address;
94 struct krb5_address kc_remote_address;
95 uint16_t kc_local_port;
96 uint16_t kc_remote_port;
97 struct krb5_keyblock kc_keyblock;
98 struct krb5_keyblock kc_local_subkey;
99 struct krb5_keyblock kc_remote_subkey;
100 volatile uint32_t kc_local_seqnumber;
101 uint32_t kc_remote_seqnumber;
103 uint32_t kc_cksumtype;
104 struct krb5_data kc_source_name;
105 struct krb5_data kc_target_name;
106 uint32_t kc_lifetime;
107 struct krb5_msg_order kc_msg_order;
108 struct krb5_key_state *kc_tokenkey;
109 struct krb5_key_state *kc_encryptkey;
110 struct krb5_key_state *kc_checksumkey;
112 struct krb5_key_state *kc_send_seal_Ke;
113 struct krb5_key_state *kc_send_seal_Ki;
114 struct krb5_key_state *kc_send_seal_Kc;
115 struct krb5_key_state *kc_send_sign_Kc;
117 struct krb5_key_state *kc_recv_seal_Ke;
118 struct krb5_key_state *kc_recv_seal_Ki;
119 struct krb5_key_state *kc_recv_seal_Kc;
120 struct krb5_key_state *kc_recv_sign_Kc;
124 get_uint16(const uint8_t **pp, size_t *lenp)
126 const uint8_t *p = *pp;
132 v = (p[0] << 8) | p[1];
140 get_uint32(const uint8_t **pp, size_t *lenp)
142 const uint8_t *p = *pp;
148 v = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
156 get_data(const uint8_t **pp, size_t *lenp, struct krb5_data *dp)
158 size_t sz = get_uint32(pp, lenp);
161 dp->kd_data = malloc(sz, M_GSSAPI, M_WAITOK);
165 bcopy(*pp, dp->kd_data, sz);
171 delete_data(struct krb5_data *dp)
174 free(dp->kd_data, M_GSSAPI);
181 get_address(const uint8_t **pp, size_t *lenp, struct krb5_address *ka)
184 ka->ka_type = get_uint16(pp, lenp);
185 get_data(pp, lenp, &ka->ka_addr);
189 delete_address(struct krb5_address *ka)
191 delete_data(&ka->ka_addr);
195 get_keyblock(const uint8_t **pp, size_t *lenp, struct krb5_keyblock *kk)
198 kk->kk_type = get_uint16(pp, lenp);
199 get_data(pp, lenp, &kk->kk_key);
203 delete_keyblock(struct krb5_keyblock *kk)
205 if (kk->kk_key.kd_data)
206 bzero(kk->kk_key.kd_data, kk->kk_key.kd_length);
207 delete_data(&kk->kk_key);
211 copy_key(struct krb5_keyblock *from, struct krb5_keyblock **to)
214 if (from->kk_key.kd_length)
221 * Return non-zero if we are initiator.
224 is_initiator(struct krb5_context *kc)
226 return (kc->kc_more_flags & LOCAL);
230 * Return non-zero if we are acceptor.
233 is_acceptor(struct krb5_context *kc)
235 return !(kc->kc_more_flags & LOCAL);
239 get_initiator_subkey(struct krb5_context *kc, struct krb5_keyblock **kdp)
242 if (is_initiator(kc))
243 copy_key(&kc->kc_local_subkey, kdp);
245 copy_key(&kc->kc_remote_subkey, kdp);
247 copy_key(&kc->kc_keyblock, kdp);
251 get_acceptor_subkey(struct krb5_context *kc, struct krb5_keyblock **kdp)
254 if (is_initiator(kc))
255 copy_key(&kc->kc_remote_subkey, kdp);
257 copy_key(&kc->kc_local_subkey, kdp);
261 get_keys(struct krb5_context *kc)
263 struct krb5_keyblock *keydata;
264 struct krb5_encryption_class *ec;
265 struct krb5_key_state *key;
269 get_acceptor_subkey(kc, &keydata);
271 if ((kc->kc_more_flags & ACCEPTOR_SUBKEY) == 0)
272 get_initiator_subkey(kc, &keydata);
274 return (GSS_S_FAILURE);
277 * GSS-API treats all DES etypes the same and all DES3 etypes
280 switch (keydata->kk_type) {
281 case ETYPE_DES_CBC_CRC:
282 case ETYPE_DES_CBC_MD4:
283 case ETYPE_DES_CBC_MD5:
284 etype = ETYPE_DES_CBC_CRC;
287 case ETYPE_DES3_CBC_MD5:
288 case ETYPE_DES3_CBC_SHA1:
289 case ETYPE_OLD_DES3_CBC_SHA1:
290 etype = ETYPE_DES3_CBC_SHA1;
293 etype = keydata->kk_type;
296 ec = krb5_find_encryption_class(etype);
298 return (GSS_S_FAILURE);
300 key = krb5_create_key(ec);
301 krb5_set_key(key, keydata->kk_key.kd_data);
302 kc->kc_tokenkey = key;
305 case ETYPE_DES_CBC_CRC:
306 case ETYPE_ARCFOUR_HMAC_MD5:
307 case ETYPE_ARCFOUR_HMAC_MD5_56: {
309 * Single DES and ARCFOUR uses a 'derived' key (XOR
310 * with 0xf0) for encrypting wrap tokens. The original
311 * key is used for checksums and sequence numbers.
313 struct krb5_key_state *ekey;
317 ekey = krb5_create_key(ec);
320 for (i = 0; i < ec->ec_keylen; i++)
321 ekp[i] = kp[i] ^ 0xf0;
322 krb5_set_key(ekey, ekp);
323 kc->kc_encryptkey = ekey;
324 refcount_acquire(&key->ks_refs);
325 kc->kc_checksumkey = key;
329 case ETYPE_DES3_CBC_SHA1:
331 * Triple DES uses a RFC 3961 style derived key with
332 * usage number KG_USAGE_SIGN for checksums. The
333 * original key is used for encryption and sequence
336 kc->kc_checksumkey = krb5_get_checksum_key(key, KG_USAGE_SIGN);
337 refcount_acquire(&key->ks_refs);
338 kc->kc_encryptkey = key;
343 * We need eight derived keys four for sending and
344 * four for receiving.
346 if (is_initiator(kc)) {
350 kc->kc_send_seal_Ke = krb5_get_encryption_key(key,
351 KG_USAGE_INITIATOR_SEAL);
352 kc->kc_send_seal_Ki = krb5_get_integrity_key(key,
353 KG_USAGE_INITIATOR_SEAL);
354 kc->kc_send_seal_Kc = krb5_get_checksum_key(key,
355 KG_USAGE_INITIATOR_SEAL);
356 kc->kc_send_sign_Kc = krb5_get_checksum_key(key,
357 KG_USAGE_INITIATOR_SIGN);
359 kc->kc_recv_seal_Ke = krb5_get_encryption_key(key,
360 KG_USAGE_ACCEPTOR_SEAL);
361 kc->kc_recv_seal_Ki = krb5_get_integrity_key(key,
362 KG_USAGE_ACCEPTOR_SEAL);
363 kc->kc_recv_seal_Kc = krb5_get_checksum_key(key,
364 KG_USAGE_ACCEPTOR_SEAL);
365 kc->kc_recv_sign_Kc = krb5_get_checksum_key(key,
366 KG_USAGE_ACCEPTOR_SIGN);
371 kc->kc_send_seal_Ke = krb5_get_encryption_key(key,
372 KG_USAGE_ACCEPTOR_SEAL);
373 kc->kc_send_seal_Ki = krb5_get_integrity_key(key,
374 KG_USAGE_ACCEPTOR_SEAL);
375 kc->kc_send_seal_Kc = krb5_get_checksum_key(key,
376 KG_USAGE_ACCEPTOR_SEAL);
377 kc->kc_send_sign_Kc = krb5_get_checksum_key(key,
378 KG_USAGE_ACCEPTOR_SIGN);
380 kc->kc_recv_seal_Ke = krb5_get_encryption_key(key,
381 KG_USAGE_INITIATOR_SEAL);
382 kc->kc_recv_seal_Ki = krb5_get_integrity_key(key,
383 KG_USAGE_INITIATOR_SEAL);
384 kc->kc_recv_seal_Kc = krb5_get_checksum_key(key,
385 KG_USAGE_INITIATOR_SEAL);
386 kc->kc_recv_sign_Kc = krb5_get_checksum_key(key,
387 KG_USAGE_INITIATOR_SIGN);
392 return (GSS_S_COMPLETE);
396 krb5_init(gss_ctx_id_t ctx)
398 struct krb5_context *kc = (struct krb5_context *)ctx;
400 mtx_init(&kc->kc_lock, "krb5 gss lock", NULL, MTX_DEF);
404 krb5_import(gss_ctx_id_t ctx,
405 enum sec_context_format format,
406 const gss_buffer_t context_token)
408 struct krb5_context *kc = (struct krb5_context *)ctx;
410 const uint8_t *p = (const uint8_t *) context_token->value;
411 size_t len = context_token->length;
416 * We support heimdal 0.6 and heimdal 1.1
418 if (format != KGSS_HEIMDAL_0_6 && format != KGSS_HEIMDAL_1_1)
419 return (GSS_S_DEFECTIVE_TOKEN);
421 #define SC_LOCAL_ADDRESS 1
422 #define SC_REMOTE_ADDRESS 2
423 #define SC_KEYBLOCK 4
424 #define SC_LOCAL_SUBKEY 8
425 #define SC_REMOTE_SUBKEY 16
428 * Ensure that the token starts with krb5 oid.
430 if (p[0] != 0x00 || p[1] != krb5_mech_oid.length
431 || len < krb5_mech_oid.length + 2
432 || bcmp(krb5_mech_oid.elements, p + 2,
433 krb5_mech_oid.length))
434 return (GSS_S_DEFECTIVE_TOKEN);
435 p += krb5_mech_oid.length + 2;
436 len -= krb5_mech_oid.length + 2;
438 flags = get_uint32(&p, &len);
439 kc->kc_ac_flags = get_uint32(&p, &len);
440 if (flags & SC_LOCAL_ADDRESS)
441 get_address(&p, &len, &kc->kc_local_address);
442 if (flags & SC_REMOTE_ADDRESS)
443 get_address(&p, &len, &kc->kc_remote_address);
444 kc->kc_local_port = get_uint16(&p, &len);
445 kc->kc_remote_port = get_uint16(&p, &len);
446 if (flags & SC_KEYBLOCK)
447 get_keyblock(&p, &len, &kc->kc_keyblock);
448 if (flags & SC_LOCAL_SUBKEY)
449 get_keyblock(&p, &len, &kc->kc_local_subkey);
450 if (flags & SC_REMOTE_SUBKEY)
451 get_keyblock(&p, &len, &kc->kc_remote_subkey);
452 kc->kc_local_seqnumber = get_uint32(&p, &len);
453 kc->kc_remote_seqnumber = get_uint32(&p, &len);
454 kc->kc_keytype = get_uint32(&p, &len);
455 kc->kc_cksumtype = get_uint32(&p, &len);
456 get_data(&p, &len, &kc->kc_source_name);
457 get_data(&p, &len, &kc->kc_target_name);
458 kc->kc_ctx_flags = get_uint32(&p, &len);
459 kc->kc_more_flags = get_uint32(&p, &len);
460 kc->kc_lifetime = get_uint32(&p, &len);
462 * Heimdal 1.1 adds the message order stuff.
464 if (format == KGSS_HEIMDAL_1_1) {
465 kc->kc_msg_order.km_flags = get_uint32(&p, &len);
466 kc->kc_msg_order.km_start = get_uint32(&p, &len);
467 kc->kc_msg_order.km_length = get_uint32(&p, &len);
468 kc->kc_msg_order.km_jitter_window = get_uint32(&p, &len);
469 kc->kc_msg_order.km_first_seq = get_uint32(&p, &len);
470 kc->kc_msg_order.km_elem =
471 malloc(kc->kc_msg_order.km_jitter_window * sizeof(uint32_t),
473 for (i = 0; i < kc->kc_msg_order.km_jitter_window; i++)
474 kc->kc_msg_order.km_elem[i] = get_uint32(&p, &len);
476 kc->kc_msg_order.km_flags = 0;
484 * We don't need these anymore.
486 delete_keyblock(&kc->kc_keyblock);
487 delete_keyblock(&kc->kc_local_subkey);
488 delete_keyblock(&kc->kc_remote_subkey);
490 return (GSS_S_COMPLETE);
494 krb5_delete(gss_ctx_id_t ctx, gss_buffer_t output_token)
496 struct krb5_context *kc = (struct krb5_context *)ctx;
498 delete_address(&kc->kc_local_address);
499 delete_address(&kc->kc_remote_address);
500 delete_keyblock(&kc->kc_keyblock);
501 delete_keyblock(&kc->kc_local_subkey);
502 delete_keyblock(&kc->kc_remote_subkey);
503 delete_data(&kc->kc_source_name);
504 delete_data(&kc->kc_target_name);
505 if (kc->kc_msg_order.km_elem)
506 free(kc->kc_msg_order.km_elem, M_GSSAPI);
508 output_token->length = 0;
509 output_token->value = NULL;
511 if (kc->kc_tokenkey) {
512 krb5_free_key(kc->kc_tokenkey);
513 if (kc->kc_encryptkey) {
514 krb5_free_key(kc->kc_encryptkey);
515 krb5_free_key(kc->kc_checksumkey);
517 krb5_free_key(kc->kc_send_seal_Ke);
518 krb5_free_key(kc->kc_send_seal_Ki);
519 krb5_free_key(kc->kc_send_seal_Kc);
520 krb5_free_key(kc->kc_send_sign_Kc);
521 krb5_free_key(kc->kc_recv_seal_Ke);
522 krb5_free_key(kc->kc_recv_seal_Ki);
523 krb5_free_key(kc->kc_recv_seal_Kc);
524 krb5_free_key(kc->kc_recv_sign_Kc);
527 mtx_destroy(&kc->kc_lock);
531 krb5_mech_type(gss_ctx_id_t ctx)
534 return (&krb5_mech_oid);
538 * Make a token with the given type and length (the length includes
539 * the TOK_ID), initialising the token header appropriately. Return a
540 * pointer to the TOK_ID of the token. A new mbuf is allocated with
541 * the framing header plus hlen bytes of space.
543 * Format is as follows:
545 * 0x60 [APPLICATION 0] SEQUENCE
546 * DER encoded length length of oid + type + inner token length
547 * 0x06 NN <oid data> OID of mechanism type
549 * <inner token> data for inner token
551 * 1: der encoded length
554 krb5_make_token(char tok_id[2], size_t hlen, size_t len, struct mbuf **mp)
556 size_t inside_len, len_len, tlen;
557 gss_OID oid = &krb5_mech_oid;
561 inside_len = 2 + oid->length + len;
562 if (inside_len < 128)
564 else if (inside_len < 0x100)
566 else if (inside_len < 0x10000)
568 else if (inside_len < 0x1000000)
573 tlen = 1 + len_len + 2 + oid->length + hlen;
574 KASSERT(tlen <= MLEN, ("token head too large"));
575 MGET(m, M_WAITOK, MT_DATA);
579 p = (uint8_t *) m->m_data;
591 *p++ = inside_len >> 8;
596 *p++ = inside_len >> 16;
597 *p++ = inside_len >> 8;
602 *p++ = inside_len >> 24;
603 *p++ = inside_len >> 16;
604 *p++ = inside_len >> 8;
611 bcopy(oid->elements, p, oid->length);
623 * Verify a token, checking the inner token length and mechanism oid.
624 * pointer to the first byte of the TOK_ID. The length of the
625 * encapsulated data is checked to be at least len bytes; the actual
626 * length of the encapsulated data (including TOK_ID) is returned in
629 * If can_pullup is TRUE and the token header is fragmented, we will
632 * Format is as follows:
634 * 0x60 [APPLICATION 0] SEQUENCE
635 * DER encoded length length of oid + type + inner token length
636 * 0x06 NN <oid data> OID of mechanism type
638 * <inner token> data for inner token
640 * 1: der encoded length
643 krb5_verify_token(char tok_id[2], size_t len, struct mbuf **mp,
644 size_t *encap_len, bool_t can_pullup)
647 size_t tlen, hlen, len_len, inside_len;
648 gss_OID oid = &krb5_mech_oid;
652 tlen = m_length(m, NULL);
657 * Ensure that at least the framing part of the token is
662 *mp = m = m_pullup(m, 2);
677 * Ensure there is enough space for the DER encoded length.
679 len_len = (*p & 0x7f) + 1;
680 if (tlen < len_len + 1)
682 if (m->m_len < len_len + 1) {
684 *mp = m = m_pullup(m, len_len + 1);
696 inside_len = (p[0] << 8) | p[1];
701 inside_len = (p[0] << 16) | (p[1] << 8) | p[2];
706 inside_len = (p[0] << 24) | (p[1] << 16)
707 | (p[2] << 8) | p[3];
716 if (tlen != inside_len + len_len + 1)
718 if (inside_len < 2 + oid->length + len)
722 * Now that we know the value of len_len, we can pullup the
723 * whole header. The header is 1 + len_len + 2 + oid->length +
726 hlen = 1 + len_len + 2 + oid->length + len;
727 if (m->m_len < hlen) {
729 *mp = m = m_pullup(m, hlen);
732 p = m->m_data + 1 + len_len;
737 if (*p++ != oid->length)
739 if (bcmp(oid->elements, p, oid->length))
743 if (p[0] != tok_id[0])
746 if (p[1] != tok_id[1])
749 *encap_len = inside_len - 2 - oid->length;
755 krb5_insert_seq(struct krb5_msg_order *mo, uint32_t seq, int index)
759 if (mo->km_length < mo->km_jitter_window)
762 for (i = mo->km_length - 1; i > index; i--)
763 mo->km_elem[i] = mo->km_elem[i - 1];
764 mo->km_elem[index] = seq;
768 * Check sequence numbers according to RFC 2743 section 1.2.3.
771 krb5_sequence_check(struct krb5_context *kc, uint32_t seq)
773 OM_uint32 res = GSS_S_FAILURE;
774 struct krb5_msg_order *mo = &kc->kc_msg_order;
775 int check_sequence = mo->km_flags & GSS_C_SEQUENCE_FLAG;
776 int check_replay = mo->km_flags & GSS_C_REPLAY_FLAG;
779 mtx_lock(&kc->kc_lock);
782 * Message is in-sequence with no gap.
784 if (mo->km_length == 0 || seq == mo->km_elem[0] + 1) {
786 * This message is received in-sequence with no gaps.
788 krb5_insert_seq(mo, seq, 0);
789 res = GSS_S_COMPLETE;
793 if (seq > mo->km_elem[0]) {
795 * This message is received in-sequence with a gap.
797 krb5_insert_seq(mo, seq, 0);
799 res = GSS_S_GAP_TOKEN;
801 res = GSS_S_COMPLETE;
805 if (seq < mo->km_elem[mo->km_length - 1]) {
806 if (check_replay && !check_sequence)
807 res = GSS_S_OLD_TOKEN;
809 res = GSS_S_UNSEQ_TOKEN;
813 for (i = 0; i < mo->km_length; i++) {
814 if (mo->km_elem[i] == seq) {
815 res = GSS_S_DUPLICATE_TOKEN;
818 if (mo->km_elem[i] < seq) {
820 * We need to insert this seq here,
822 krb5_insert_seq(mo, seq, i);
823 if (check_replay && !check_sequence)
824 res = GSS_S_COMPLETE;
826 res = GSS_S_UNSEQ_TOKEN;
832 mtx_unlock(&kc->kc_lock);
837 static uint8_t sgn_alg_des_md5[] = { 0x00, 0x00 };
838 static uint8_t seal_alg_des[] = { 0x00, 0x00 };
839 static uint8_t sgn_alg_des3_sha1[] = { 0x04, 0x00 };
840 static uint8_t seal_alg_des3[] = { 0x02, 0x00 };
841 static uint8_t seal_alg_rc4[] = { 0x10, 0x00 };
842 static uint8_t sgn_alg_hmac_md5[] = { 0x11, 0x00 };
845 * Return the size of the inner token given the use of the key's
846 * encryption class. For wrap tokens, the length of the padded
847 * plaintext will be added to this.
850 token_length(struct krb5_key_state *key)
853 return (16 + key->ks_class->ec_checksumlen);
857 krb5_get_mic_old(struct krb5_context *kc, struct mbuf *m,
858 struct mbuf **micp, uint8_t sgn_alg[2])
860 struct mbuf *mlast, *mic, *tm;
862 size_t tlen, mlen, cklen;
866 mlen = m_length(m, &mlast);
868 tlen = token_length(kc->kc_tokenkey);
869 p = krb5_make_token("\x01\x01", tlen, tlen, &mic);
871 *p++ = sgn_alg[0]; /* SGN_ALG */
874 *p++ = 0xff; /* filler */
882 * Calculate the keyed checksum of the token header plus the
885 cklen = kc->kc_checksumkey->ks_class->ec_checksumlen;
887 mic->m_len = p - (uint8_t *) mic->m_data;
889 MGET(tm, M_WAITOK, MT_DATA);
893 krb5_checksum(kc->kc_checksumkey, 15, mic, mic->m_len - 8,
895 bcopy(tm->m_data, p + 8, cklen);
897 mlast->m_next = NULL;
903 * Take the four bytes of the sequence number least
904 * significant first followed by four bytes of direction
905 * marker (zero for initiator and 0xff for acceptor). Encrypt
906 * that data using the SGN_CKSUM as IV. Note: ARC4 wants the
907 * sequence number big-endian.
909 seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
910 if (sgn_alg[0] == 0x11) {
921 if (is_initiator(kc)) {
930 bcopy(p + 8, buf, 8);
933 * Set the mic buffer to its final size so that the encrypt
934 * can see the SND_SEQ part.
936 mic->m_len += 8 + cklen;
937 krb5_encrypt(kc->kc_tokenkey, mic, mic->m_len - cklen - 8, 8, buf, 8);
940 return (GSS_S_COMPLETE);
944 krb5_get_mic_new(struct krb5_context *kc, struct mbuf *m,
947 struct krb5_key_state *key = kc->kc_send_sign_Kc;
948 struct mbuf *mlast, *mic;
954 mlen = m_length(m, &mlast);
955 cklen = key->ks_class->ec_checksumlen;
957 KASSERT(16 + cklen <= MLEN, ("checksum too large for an mbuf"));
958 MGET(mic, M_WAITOK, MT_DATA);
959 M_ALIGN(mic, 16 + cklen);
960 mic->m_len = 16 + cklen;
970 flags |= GSS_TOKEN_SENT_BY_ACCEPTOR;
971 if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
972 flags |= GSS_TOKEN_ACCEPTOR_SUBKEY;
987 seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
996 * Calculate the keyed checksum of the message plus the first
997 * 16 bytes of the token header.
1000 krb5_checksum(key, 0, m, 0, mlen + 16, cklen);
1001 mlast->m_next = NULL;
1004 return (GSS_S_COMPLETE);
1008 krb5_get_mic(gss_ctx_id_t ctx, OM_uint32 *minor_status,
1009 gss_qop_t qop_req, struct mbuf *m, struct mbuf **micp)
1011 struct krb5_context *kc = (struct krb5_context *)ctx;
1015 if (qop_req != GSS_C_QOP_DEFAULT)
1016 return (GSS_S_BAD_QOP);
1018 if (time_uptime > kc->kc_lifetime)
1019 return (GSS_S_CONTEXT_EXPIRED);
1021 switch (kc->kc_tokenkey->ks_class->ec_type) {
1022 case ETYPE_DES_CBC_CRC:
1023 return (krb5_get_mic_old(kc, m, micp, sgn_alg_des_md5));
1025 case ETYPE_DES3_CBC_SHA1:
1026 return (krb5_get_mic_old(kc, m, micp, sgn_alg_des3_sha1));
1028 case ETYPE_ARCFOUR_HMAC_MD5:
1029 case ETYPE_ARCFOUR_HMAC_MD5_56:
1030 return (krb5_get_mic_old(kc, m, micp, sgn_alg_hmac_md5));
1033 return (krb5_get_mic_new(kc, m, micp));
1036 return (GSS_S_FAILURE);
1040 krb5_verify_mic_old(struct krb5_context *kc, struct mbuf *m, struct mbuf *mic,
1043 struct mbuf *mlast, *tm;
1044 uint8_t *p, *tp, dir;
1045 size_t mlen, tlen, elen, miclen;
1049 mlen = m_length(m, &mlast);
1051 tlen = token_length(kc->kc_tokenkey);
1052 p = krb5_verify_token("\x01\x01", tlen, &mic, &elen, FALSE);
1054 return (GSS_S_DEFECTIVE_TOKEN);
1057 * Disable this check - heimdal-1.1 generates DES3 MIC tokens
1058 * that are 2 bytes too big.
1061 return (GSS_S_DEFECTIVE_TOKEN);
1067 if (p[0] != sgn_alg[0] || p[1] != sgn_alg[1])
1068 return (GSS_S_DEFECTIVE_TOKEN);
1071 if (p[0] != 0xff || p[1] != 0xff || p[2] != 0xff || p[3] != 0xff)
1072 return (GSS_S_DEFECTIVE_TOKEN);
1078 * Calculate the keyed checksum of the token header plus the
1081 cklen = kc->kc_checksumkey->ks_class->ec_checksumlen;
1082 miclen = mic->m_len;
1083 mic->m_len = p - (uint8_t *) mic->m_data;
1085 MGET(tm, M_WAITOK, MT_DATA);
1089 krb5_checksum(kc->kc_checksumkey, 15, mic, mic->m_len - 8,
1092 mlast->m_next = NULL;
1093 if (bcmp(tm->m_data, p + 8, cklen)) {
1095 return (GSS_S_BAD_SIG);
1101 * Take the four bytes of the sequence number least
1102 * significant first followed by four bytes of direction
1103 * marker (zero for initiator and 0xff for acceptor). Encrypt
1104 * that data using the SGN_CKSUM as IV. Note: ARC4 wants the
1105 * sequence number big-endian.
1107 bcopy(p, tm->m_data, 8);
1109 krb5_decrypt(kc->kc_tokenkey, tm, 0, 8, p + 8, 8);
1112 if (sgn_alg[0] == 0x11) {
1113 seq = tp[3] | (tp[2] << 8) | (tp[1] << 16) | (tp[0] << 24);
1115 seq = tp[0] | (tp[1] << 8) | (tp[2] << 16) | (tp[3] << 24);
1118 if (is_initiator(kc)) {
1123 if (tp[4] != dir || tp[5] != dir || tp[6] != dir || tp[7] != dir) {
1125 return (GSS_S_DEFECTIVE_TOKEN);
1129 if (kc->kc_msg_order.km_flags &
1130 (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) {
1131 return (krb5_sequence_check(kc, seq));
1134 return (GSS_S_COMPLETE);
1138 krb5_verify_mic_new(struct krb5_context *kc, struct mbuf *m, struct mbuf *mic)
1141 struct krb5_key_state *key = kc->kc_recv_sign_Kc;
1148 mlen = m_length(m, &mlast);
1149 cklen = key->ks_class->ec_checksumlen;
1151 KASSERT(mic->m_next == NULL, ("MIC should be contiguous"));
1152 if (mic->m_len != 16 + cklen)
1153 return (GSS_S_DEFECTIVE_TOKEN);
1158 return (GSS_S_DEFECTIVE_TOKEN);
1160 return (GSS_S_DEFECTIVE_TOKEN);
1164 if (is_initiator(kc))
1165 flags |= GSS_TOKEN_SENT_BY_ACCEPTOR;
1166 if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
1167 flags |= GSS_TOKEN_ACCEPTOR_SUBKEY;
1169 return (GSS_S_DEFECTIVE_TOKEN);
1173 return (GSS_S_DEFECTIVE_TOKEN);
1175 return (GSS_S_DEFECTIVE_TOKEN);
1177 return (GSS_S_DEFECTIVE_TOKEN);
1179 return (GSS_S_DEFECTIVE_TOKEN);
1181 return (GSS_S_DEFECTIVE_TOKEN);
1184 if (kc->kc_msg_order.km_flags &
1185 (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) {
1187 if (p[8] || p[9] || p[10] || p[11]) {
1188 res = GSS_S_UNSEQ_TOKEN;
1190 seq = (p[12] << 24) | (p[13] << 16)
1191 | (p[14] << 8) | p[15];
1192 res = krb5_sequence_check(kc, seq);
1197 res = GSS_S_COMPLETE;
1203 * Calculate the keyed checksum of the message plus the first
1204 * 16 bytes of the token header.
1206 m_copydata(mic, 16, cklen, buf);
1207 mlast->m_next = mic;
1208 krb5_checksum(key, 0, m, 0, mlen + 16, cklen);
1209 mlast->m_next = NULL;
1210 if (bcmp(buf, p + 16, cklen)) {
1211 return (GSS_S_BAD_SIG);
1214 return (GSS_S_COMPLETE);
1218 krb5_verify_mic(gss_ctx_id_t ctx, OM_uint32 *minor_status,
1219 struct mbuf *m, struct mbuf *mic, gss_qop_t *qop_state)
1221 struct krb5_context *kc = (struct krb5_context *)ctx;
1225 *qop_state = GSS_C_QOP_DEFAULT;
1227 if (time_uptime > kc->kc_lifetime)
1228 return (GSS_S_CONTEXT_EXPIRED);
1230 switch (kc->kc_tokenkey->ks_class->ec_type) {
1231 case ETYPE_DES_CBC_CRC:
1232 return (krb5_verify_mic_old(kc, m, mic, sgn_alg_des_md5));
1234 case ETYPE_ARCFOUR_HMAC_MD5:
1235 case ETYPE_ARCFOUR_HMAC_MD5_56:
1236 return (krb5_verify_mic_old(kc, m, mic, sgn_alg_hmac_md5));
1238 case ETYPE_DES3_CBC_SHA1:
1239 return (krb5_verify_mic_old(kc, m, mic, sgn_alg_des3_sha1));
1242 return (krb5_verify_mic_new(kc, m, mic));
1245 return (GSS_S_FAILURE);
1249 krb5_wrap_old(struct krb5_context *kc, int conf_req_flag,
1250 struct mbuf **mp, int *conf_state,
1251 uint8_t sgn_alg[2], uint8_t seal_alg[2])
1253 struct mbuf *m, *mlast, *tm, *cm, *pm;
1254 size_t mlen, tlen, padlen, datalen;
1261 * How many trailing pad bytes do we need?
1264 mlen = m_length(m, &mlast);
1265 tlen = kc->kc_tokenkey->ks_class->ec_msgblocklen;
1266 padlen = tlen - (mlen % tlen);
1269 * The data part of the token has eight bytes of random
1270 * confounder prepended and followed by up to eight bytes of
1271 * padding bytes each of which is set to the number of padding
1274 datalen = mlen + 8 + padlen;
1275 tlen = token_length(kc->kc_tokenkey);
1277 p = krb5_make_token("\x02\x01", tlen, datalen + tlen, &tm);
1278 p += 2; /* TOK_ID */
1279 *p++ = sgn_alg[0]; /* SGN_ALG */
1281 if (conf_req_flag) {
1282 *p++ = seal_alg[0]; /* SEAL_ALG */
1285 *p++ = 0xff; /* SEAL_ALG = none */
1289 *p++ = 0xff; /* filler */
1293 * Copy the padded message data.
1295 if (M_LEADINGSPACE(m) >= 8) {
1299 MGET(cm, M_WAITOK, MT_DATA);
1304 arc4rand(m->m_data, 8, 0);
1305 if (M_TRAILINGSPACE(mlast) >= padlen) {
1306 memset(mlast->m_data + mlast->m_len, padlen, padlen);
1307 mlast->m_len += padlen;
1309 MGET(pm, M_WAITOK, MT_DATA);
1310 memset(pm->m_data, padlen, padlen);
1320 * Calculate the keyed checksum of the token header plus the
1321 * padded message. Fiddle with tm->m_len so that we only
1322 * checksum the 8 bytes of head that we care about.
1324 cklen = kc->kc_checksumkey->ks_class->ec_checksumlen;
1326 tm->m_len = p - (uint8_t *) tm->m_data;
1327 MGET(cm, M_WAITOK, MT_DATA);
1330 krb5_checksum(kc->kc_checksumkey, 13, tm, tm->m_len - 8,
1331 datalen + 8, cklen);
1333 mlast->m_next = NULL;
1334 bcopy(cm->m_data, p + 8, cklen);
1340 * Take the four bytes of the sequence number least
1341 * significant first (most signficant first for ARCFOUR)
1342 * followed by four bytes of direction marker (zero for
1343 * initiator and 0xff for acceptor). Encrypt that data using
1344 * the SGN_CKSUM as IV.
1346 seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
1347 if (sgn_alg[0] == 0x11) {
1358 if (is_initiator(kc)) {
1367 krb5_encrypt(kc->kc_tokenkey, tm, p - (uint8_t *) tm->m_data,
1370 if (conf_req_flag) {
1372 * Encrypt the padded message with an IV of zero for
1373 * DES and DES3, or an IV of the sequence number in
1374 * big-endian format for ARCFOUR.
1376 if (seal_alg[0] == 0x10) {
1377 buf[0] = (seq >> 24);
1378 buf[1] = (seq >> 16);
1379 buf[2] = (seq >> 8);
1380 buf[3] = (seq >> 0);
1381 krb5_encrypt(kc->kc_encryptkey, m, 0, datalen,
1384 krb5_encrypt(kc->kc_encryptkey, m, 0, datalen,
1390 *conf_state = conf_req_flag;
1393 return (GSS_S_COMPLETE);
1397 krb5_wrap_new(struct krb5_context *kc, int conf_req_flag,
1398 struct mbuf **mp, int *conf_state)
1400 struct krb5_key_state *Ke = kc->kc_send_seal_Ke;
1401 struct krb5_key_state *Ki = kc->kc_send_seal_Ki;
1402 struct krb5_key_state *Kc = kc->kc_send_seal_Kc;
1403 const struct krb5_encryption_class *ec = Ke->ks_class;
1404 struct mbuf *m, *mlast, *tm;
1407 size_t mlen, blen, mblen, cklen, ctlen;
1409 static char zpad[32];
1412 mlen = m_length(m, &mlast);
1414 blen = ec->ec_blocklen;
1415 mblen = ec->ec_msgblocklen;
1416 cklen = ec->ec_checksumlen;
1418 if (conf_req_flag) {
1420 * For sealed messages, we need space for 16 bytes of
1421 * header, blen confounder, plaintext, padding, copy
1422 * of header and checksum.
1424 * We pad to mblen (which may be different from
1425 * blen). If the encryption class is using CTS, mblen
1426 * will be one (i.e. no padding required).
1432 ctlen = blen + mlen + EC + 16;
1435 * Put initial header and confounder before the
1438 M_PREPEND(m, 16 + blen, M_WAITOK);
1441 * Append padding + copy of header and checksum. Try
1442 * to fit this into the end of the original message,
1443 * otherwise allocate a trailer.
1445 if (M_TRAILINGSPACE(mlast) >= EC + 16 + cklen) {
1447 mlast->m_len += EC + 16 + cklen;
1449 MGET(tm, M_WAITOK, MT_DATA);
1450 tm->m_len = EC + 16 + cklen;
1455 * For unsealed messages, we need 16 bytes of header
1456 * plus space for the plaintext and a checksum. EC is
1457 * set to the checksum size. We leave space in tm for
1458 * a copy of the header - this will be trimmed later.
1460 M_PREPEND(m, 16, M_WAITOK);
1462 MGET(tm, M_WAITOK, MT_DATA);
1463 tm->m_len = cklen + 16;
1478 flags = GSS_TOKEN_SEALED;
1479 if (is_acceptor(kc))
1480 flags |= GSS_TOKEN_SENT_BY_ACCEPTOR;
1481 if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
1482 flags |= GSS_TOKEN_ACCEPTOR_SUBKEY;
1488 /* EC + RRC - set to zero initially */
1499 seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
1500 p[12] = (seq >> 24);
1501 p[13] = (seq >> 16);
1505 if (conf_req_flag) {
1507 * Encrypt according to RFC 4121 section 4.2 and RFC
1508 * 3961 section 5.3. Note: we don't generate tokens
1509 * with RRC values other than zero. If we did, we
1510 * should zero RRC in the copied header.
1512 arc4rand(p + 16, blen, 0);
1514 m_copyback(m, 16 + blen + mlen, EC, zpad);
1516 m_copyback(m, 16 + blen + mlen + EC, 16, p);
1518 krb5_checksum(Ki, 0, m, 16, ctlen, cklen);
1519 krb5_encrypt(Ke, m, 16, ctlen, NULL, 0);
1522 * The plaintext message is followed by a checksum of
1523 * the plaintext plus a version of the header where EC
1524 * and RRC are set to zero. Also, the original EC must
1525 * be our checksum size.
1527 bcopy(p, tm->m_data, 16);
1528 krb5_checksum(Kc, 0, m, 16, mlen + 16, cklen);
1534 * Finally set EC to its actual value
1540 return (GSS_S_COMPLETE);
1544 krb5_wrap(gss_ctx_id_t ctx, OM_uint32 *minor_status,
1545 int conf_req_flag, gss_qop_t qop_req,
1546 struct mbuf **mp, int *conf_state)
1548 struct krb5_context *kc = (struct krb5_context *)ctx;
1554 if (qop_req != GSS_C_QOP_DEFAULT)
1555 return (GSS_S_BAD_QOP);
1557 if (time_uptime > kc->kc_lifetime)
1558 return (GSS_S_CONTEXT_EXPIRED);
1560 switch (kc->kc_tokenkey->ks_class->ec_type) {
1561 case ETYPE_DES_CBC_CRC:
1562 return (krb5_wrap_old(kc, conf_req_flag,
1563 mp, conf_state, sgn_alg_des_md5, seal_alg_des));
1565 case ETYPE_ARCFOUR_HMAC_MD5:
1566 case ETYPE_ARCFOUR_HMAC_MD5_56:
1567 return (krb5_wrap_old(kc, conf_req_flag,
1568 mp, conf_state, sgn_alg_hmac_md5, seal_alg_rc4));
1570 case ETYPE_DES3_CBC_SHA1:
1571 return (krb5_wrap_old(kc, conf_req_flag,
1572 mp, conf_state, sgn_alg_des3_sha1, seal_alg_des3));
1575 return (krb5_wrap_new(kc, conf_req_flag, mp, conf_state));
1578 return (GSS_S_FAILURE);
1582 m_trim(struct mbuf *m, int len)
1587 n = m_getptr(m, len, &off);
1598 krb5_unwrap_old(struct krb5_context *kc, struct mbuf **mp, int *conf_state,
1599 uint8_t sgn_alg[2], uint8_t seal_alg[2])
1602 struct mbuf *m, *mlast, *hm, *cm;
1604 size_t mlen, tlen, elen, datalen, padlen;
1611 mlen = m_length(m, &mlast);
1613 tlen = token_length(kc->kc_tokenkey);
1614 cklen = kc->kc_tokenkey->ks_class->ec_checksumlen;
1616 p = krb5_verify_token("\x02\x01", tlen, &m, &elen, TRUE);
1619 return (GSS_S_DEFECTIVE_TOKEN);
1620 datalen = elen - tlen;
1623 * Trim the framing header first to make life a little easier
1626 m_adj(m, p - (uint8_t *) m->m_data);
1632 if (p[0] != sgn_alg[0] || p[1] != sgn_alg[1])
1633 return (GSS_S_DEFECTIVE_TOKEN);
1637 if (p[0] == seal_alg[0] && p[1] == seal_alg[1])
1639 else if (p[0] == 0xff && p[1] == 0xff)
1642 return (GSS_S_DEFECTIVE_TOKEN);
1645 if (p[0] != 0xff || p[1] != 0xff)
1646 return (GSS_S_DEFECTIVE_TOKEN);
1652 * Take the four bytes of the sequence number least
1653 * significant first (most significant for ARCFOUR) followed
1654 * by four bytes of direction marker (zero for initiator and
1655 * 0xff for acceptor). Encrypt that data using the SGN_CKSUM
1658 krb5_decrypt(kc->kc_tokenkey, m, 8, 8, p + 8, 8);
1659 if (sgn_alg[0] == 0x11) {
1660 seq = p[3] | (p[2] << 8) | (p[1] << 16) | (p[0] << 24);
1662 seq = p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
1665 if (is_initiator(kc)) {
1670 if (p[4] != dir || p[5] != dir || p[6] != dir || p[7] != dir)
1671 return (GSS_S_DEFECTIVE_TOKEN);
1673 if (kc->kc_msg_order.km_flags &
1674 (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) {
1675 res = krb5_sequence_check(kc, seq);
1679 res = GSS_S_COMPLETE;
1683 * If the token was encrypted, decode it in-place.
1687 * Decrypt the padded message with an IV of zero for
1688 * DES and DES3 or an IV of the big-endian encoded
1689 * sequence number for ARCFOUR.
1691 if (seal_alg[0] == 0x10) {
1692 krb5_decrypt(kc->kc_encryptkey, m, 16 + cklen,
1695 krb5_decrypt(kc->kc_encryptkey, m, 16 + cklen,
1703 * Check the trailing pad bytes.
1705 KASSERT(mlast->m_len > 0, ("Unexpected empty mbuf"));
1706 padlen = mlast->m_data[mlast->m_len - 1];
1707 m_copydata(m, tlen + datalen - padlen, padlen, buf);
1708 for (i = 0; i < padlen; i++) {
1709 if (buf[i] != padlen) {
1710 return (GSS_S_DEFECTIVE_TOKEN);
1717 * Calculate the keyed checksum of the token header plus the
1718 * padded message. We do a little mbuf surgery to trim out the
1719 * parts we don't want to checksum.
1722 *mp = m = m_split(m, 16 + cklen, M_WAITOK);
1726 MGET(cm, M_WAITOK, MT_DATA);
1730 krb5_checksum(kc->kc_checksumkey, 13, hm, 0, datalen + 8, cklen);
1732 mlast->m_next = NULL;
1734 if (bcmp(cm->m_data, hm->m_data + 16, cklen)) {
1737 return (GSS_S_BAD_SIG);
1743 * Trim off the confounder and padding.
1746 if (mlast->m_len >= padlen) {
1747 mlast->m_len -= padlen;
1749 m_trim(m, datalen - 8 - padlen);
1757 krb5_unwrap_new(struct krb5_context *kc, struct mbuf **mp, int *conf_state)
1760 struct krb5_key_state *Ke = kc->kc_recv_seal_Ke;
1761 struct krb5_key_state *Ki = kc->kc_recv_seal_Ki;
1762 struct krb5_key_state *Kc = kc->kc_recv_seal_Kc;
1763 const struct krb5_encryption_class *ec = Ke->ks_class;
1764 struct mbuf *m, *mlast, *hm, *cm;
1766 int sealed, flags, EC, RRC;
1767 size_t blen, cklen, ctlen, mlen, plen, tlen;
1768 char buf[32], buf2[32];
1771 mlen = m_length(m, &mlast);
1774 return (GSS_S_DEFECTIVE_TOKEN);
1775 if (m->m_len < 16) {
1776 m = m_pullup(m, 16);
1783 return (GSS_S_DEFECTIVE_TOKEN);
1785 return (GSS_S_DEFECTIVE_TOKEN);
1788 sealed = p[2] & GSS_TOKEN_SEALED;
1790 if (is_initiator(kc))
1791 flags |= GSS_TOKEN_SENT_BY_ACCEPTOR;
1792 if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
1793 flags |= GSS_TOKEN_ACCEPTOR_SUBKEY;
1795 return (GSS_S_DEFECTIVE_TOKEN);
1799 return (GSS_S_DEFECTIVE_TOKEN);
1802 EC = (p[4] << 8) + p[5];
1803 RRC = (p[6] << 8) + p[7];
1806 if (kc->kc_msg_order.km_flags &
1807 (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) {
1809 if (p[8] || p[9] || p[10] || p[11]) {
1810 res = GSS_S_UNSEQ_TOKEN;
1812 seq = (p[12] << 24) | (p[13] << 16)
1813 | (p[14] << 8) | p[15];
1814 res = krb5_sequence_check(kc, seq);
1819 res = GSS_S_COMPLETE;
1823 * Separate the header before dealing with RRC. We only need
1824 * to keep the header if the message isn't encrypted.
1831 *mp = m = m_split(m, 16, M_WAITOK);
1836 * Undo the effects of RRC by rotating left.
1843 if (RRC <= sizeof(buf) && m->m_len >= rlen) {
1845 * Simple case, just rearrange the bytes in m.
1847 bcopy(m->m_data, buf, RRC);
1848 bcopy(m->m_data + RRC, m->m_data, rlen - RRC);
1849 bcopy(buf, m->m_data + rlen - RRC, RRC);
1852 * More complicated - rearrange the mbuf
1856 *mp = m = m_split(m, RRC, M_WAITOK);
1862 blen = ec->ec_blocklen;
1863 cklen = ec->ec_checksumlen;
1866 * Decrypt according to RFC 4121 section 4.2 and RFC
1867 * 3961 section 5.3. The message must be large enough
1868 * for a blocksize confounder, at least one block of
1869 * cyphertext and a checksum.
1871 if (mlen < 16 + 2*blen + cklen)
1872 return (GSS_S_DEFECTIVE_TOKEN);
1874 ctlen = mlen - 16 - cklen;
1875 krb5_decrypt(Ke, m, 0, ctlen, NULL, 0);
1878 * The size of the plaintext is ctlen minus blocklen
1879 * (for the confounder), 16 (for the copy of the token
1880 * header) and EC (for the filler). The actual
1881 * plaintext starts after the confounder.
1883 plen = ctlen - blen - 16 - EC;
1887 * Checksum the padded plaintext.
1889 m_copydata(m, ctlen, cklen, buf);
1890 krb5_checksum(Ki, 0, m, 0, ctlen, cklen);
1891 m_copydata(m, ctlen, cklen, buf2);
1893 if (bcmp(buf, buf2, cklen))
1894 return (GSS_S_BAD_SIG);
1897 * Trim the message back to just plaintext.
1900 tlen = 16 + EC + cklen;
1901 if (mlast->m_len >= tlen) {
1902 mlast->m_len -= tlen;
1908 * The plaintext message is followed by a checksum of
1909 * the plaintext plus a version of the header where EC
1910 * and RRC are set to zero. Also, the original EC must
1911 * be our checksum size.
1913 if (mlen < 16 + cklen || EC != cklen)
1914 return (GSS_S_DEFECTIVE_TOKEN);
1917 * The size of the plaintext is simply the message
1918 * size less header and checksum. The plaintext starts
1919 * right after the header (which we have saved in hm).
1921 plen = mlen - 16 - cklen;
1924 * Insert a copy of the header (with EC and RRC set to
1925 * zero) between the plaintext message and the
1929 p[4] = p[5] = p[6] = p[7] = 0;
1931 cm = m_split(m, plen, M_WAITOK);
1936 bcopy(cm->m_data, buf, cklen);
1937 krb5_checksum(Kc, 0, m, 0, plen + 16, cklen);
1938 if (bcmp(cm->m_data, buf, cklen))
1939 return (GSS_S_BAD_SIG);
1942 * The checksum matches, discard all buf the plaintext.
1944 mlast->m_next = NULL;
1949 *conf_state = (sealed != 0);
1955 krb5_unwrap(gss_ctx_id_t ctx, OM_uint32 *minor_status,
1956 struct mbuf **mp, int *conf_state, gss_qop_t *qop_state)
1958 struct krb5_context *kc = (struct krb5_context *)ctx;
1963 *qop_state = GSS_C_QOP_DEFAULT;
1967 if (time_uptime > kc->kc_lifetime)
1968 return (GSS_S_CONTEXT_EXPIRED);
1970 switch (kc->kc_tokenkey->ks_class->ec_type) {
1971 case ETYPE_DES_CBC_CRC:
1972 maj_stat = krb5_unwrap_old(kc, mp, conf_state,
1973 sgn_alg_des_md5, seal_alg_des);
1976 case ETYPE_ARCFOUR_HMAC_MD5:
1977 case ETYPE_ARCFOUR_HMAC_MD5_56:
1978 maj_stat = krb5_unwrap_old(kc, mp, conf_state,
1979 sgn_alg_hmac_md5, seal_alg_rc4);
1982 case ETYPE_DES3_CBC_SHA1:
1983 maj_stat = krb5_unwrap_old(kc, mp, conf_state,
1984 sgn_alg_des3_sha1, seal_alg_des3);
1988 maj_stat = krb5_unwrap_new(kc, mp, conf_state);
1992 if (GSS_ERROR(maj_stat)) {
2001 krb5_wrap_size_limit(gss_ctx_id_t ctx, OM_uint32 *minor_status,
2002 int conf_req_flag, gss_qop_t qop_req, OM_uint32 req_output_size,
2003 OM_uint32 *max_input_size)
2005 struct krb5_context *kc = (struct krb5_context *)ctx;
2006 const struct krb5_encryption_class *ec;
2010 *max_input_size = 0;
2012 if (qop_req != GSS_C_QOP_DEFAULT)
2013 return (GSS_S_BAD_QOP);
2015 ec = kc->kc_tokenkey->ks_class;
2016 switch (ec->ec_type) {
2017 case ETYPE_DES_CBC_CRC:
2018 case ETYPE_DES3_CBC_SHA1:
2019 case ETYPE_ARCFOUR_HMAC_MD5:
2020 case ETYPE_ARCFOUR_HMAC_MD5_56:
2022 * up to 5 bytes for [APPLICATION 0] SEQUENCE
2023 * 2 + krb5 oid length
2025 * 8 bytes of confounder
2026 * maximum of 8 bytes of padding
2029 overhead = 5 + 2 + krb5_mech_oid.length;
2030 overhead += 8 + 8 + ec->ec_msgblocklen;
2031 overhead += ec->ec_checksumlen;
2035 if (conf_req_flag) {
2038 * blocklen bytes of confounder
2039 * up to msgblocklen - 1 bytes of padding
2040 * 16 bytes for copy of header
2043 overhead = 16 + ec->ec_blocklen;
2044 overhead += ec->ec_msgblocklen - 1;
2046 overhead += ec->ec_checksumlen;
2049 * 16 bytes of header plus checksum.
2051 overhead = 16 + ec->ec_checksumlen;
2055 *max_input_size = req_output_size - overhead;
2057 return (GSS_S_COMPLETE);
2060 static kobj_method_t krb5_methods[] = {
2061 KOBJMETHOD(kgss_init, krb5_init),
2062 KOBJMETHOD(kgss_import, krb5_import),
2063 KOBJMETHOD(kgss_delete, krb5_delete),
2064 KOBJMETHOD(kgss_mech_type, krb5_mech_type),
2065 KOBJMETHOD(kgss_get_mic, krb5_get_mic),
2066 KOBJMETHOD(kgss_verify_mic, krb5_verify_mic),
2067 KOBJMETHOD(kgss_wrap, krb5_wrap),
2068 KOBJMETHOD(kgss_unwrap, krb5_unwrap),
2069 KOBJMETHOD(kgss_wrap_size_limit, krb5_wrap_size_limit),
2073 static struct kobj_class krb5_class = {
2076 sizeof(struct krb5_context)
2080 * Kernel module glue
2083 kgssapi_krb5_modevent(module_t mod, int type, void *data)
2088 kgss_install_mech(&krb5_mech_oid, "kerberosv5", &krb5_class);
2092 kgss_uninstall_mech(&krb5_mech_oid);
2099 static moduledata_t kgssapi_krb5_mod = {
2101 kgssapi_krb5_modevent,
2104 DECLARE_MODULE(kgssapi_krb5, kgssapi_krb5_mod, SI_SUB_VFS, SI_ORDER_ANY);
2105 MODULE_DEPEND(kgssapi_krb5, kgssapi, 1, 1, 1);
2106 MODULE_DEPEND(kgssapi_krb5, crypto, 1, 1, 1);
2107 MODULE_DEPEND(kgssapi_krb5, rc4, 1, 1, 1);
2108 MODULE_VERSION(kgssapi_krb5, 1);