gss_krb5_mech.c source code [codebrowser/bsd/nfs/gss/gss_krb5_mech.c]

1	/*
2	* Copyright (c) 2015 Apple Inc. All rights reserved.
3	*
4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5	*
6	* This file contains Original Code and/or Modifications of Original Code
7	* as defined in and that are subject to the Apple Public Source License
8	* Version 2.0 (the 'License'). You may not use this file except in
9	* compliance with the License. The rights granted to you under the License
10	* may not be used to create, or enable the creation or redistribution of,
11	* unlawful or unlicensed copies of an Apple operating system, or to
12	* circumvent, violate, or enable the circumvention or violation of, any
13	* terms of an Apple operating system software license agreement.
14	*
15	* Please obtain a copy of the License at
16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
17	*
18	* The Original Code and all software distributed under the License are
19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23	* Please see the License for the specific language governing rights and
24	* limitations under the License.
25	*
26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27	*/
28
29	/*
30	* Copyright (c) 1999 Kungliga Tekniska Högskolan
31	* (Royal Institute of Technology, Stockholm, Sweden).
32	* All rights reserved.
33	*
34	* Redistribution and use in source and binary forms, with or without
35	* modification, are permitted provided that the following conditions
36	* are met:
37	*
38	* 1. Redistributions of source code must retain the above copyright
39	* notice, this list of conditions and the following disclaimer.
40	*
41	* 2. Redistributions in binary form must reproduce the above copyright
42	* notice, this list of conditions and the following disclaimer in the
43	* documentation and/or other materials provided with the distribution.
44	*
45	* 3. Neither the name of KTH nor the names of its contributors may be
46	* used to endorse or promote products derived from this software without
47	* specific prior written permission.
48	*
49	* THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
50	* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
51	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
52	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
53	* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
54	* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
55	* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
56	* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
57	* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
58	* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
59	* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
60	*/
61
62	#include <stdint.h>
63	#include <sys/param.h>
64	#include <sys/systm.h>
65	#include <sys/kernel.h>
66	#include <sys/malloc.h>
67	#include <sys/kpi_mbuf.h>
68	#include <sys/random.h>
69	#include <mach_assert.h>
70	#include <kern/assert.h>
71	#include <libkern/OSAtomic.h>
72	#include "gss_krb5_mech.h"
73
74	lck_grp_t *gss_krb5_mech_grp;
75
76	typedef struct crypt_walker_ctx {
77	size_t length;
78	const struct ccmode_cbc *ccmode;
79	cccbc_ctx *crypt_ctx;
80	cccbc_iv *iv;
81	} *crypt_walker_ctx_t;
82
83	typedef struct hmac_walker_ctx {
84	const struct ccdigest_info *di;
85	struct cchmac_ctx *hmac_ctx;
86	} *hmac_walker_ctx_t;
87
88	typedef size_t (ccpad_func)(const* struct ccmode_cbc , cccbc_ctx , cccbc_iv *,
89	size_t nbytes, const void , void* *);
90
91	static int krb5_n_fold(const void instr, size_t len, void* *foldstr, size_t size);
92
93	size_t gss_mbuf_len(mbuf_t, size_t);
94	errno_t gss_prepend_mbuf(mbuf_t , uint8_t , size_t);
95	errno_t gss_append_mbuf(mbuf_t, uint8_t *, size_t);
96	errno_t gss_strip_mbuf(mbuf_t, ssize_t);
97	int mbuf_walk(mbuf_t, size_t, size_t, size_t, int ()(void* , uint8_t , uint32_t), void *);
98
99	void do_crypt_init(crypt_walker_ctx_t, int, crypto_ctx_t, cccbc_ctx *);
100	int do_crypt(void , uint8_t , uint32_t);
101	void do_hmac_init(hmac_walker_ctx_t, crypto_ctx_t, void *);
102	int do_hmac(void , uint8_t , uint32_t);
103
104	void krb5_make_usage(uint32_t, uint8_t, uint8_t [KRB5_USAGE_LEN]);
105	void krb5_key_derivation(crypto_ctx_t, const void , size_t, void* **, size_t);
106	void cc_key_schedule_create(crypto_ctx_t);
107	void gss_crypto_ctx_free(crypto_ctx_t);
108	int gss_crypto_ctx_init(struct crypto_ctx *, lucid_context_t);
109
110	errno_t krb5_crypt_mbuf(crypto_ctx_t, mbuf_t , uint32_t, int, cccbc_ctx );
111	int krb5_mic(crypto_ctx_t, gss_buffer_t, gss_buffer_t, gss_buffer_t, uint8_t , int* , int, int*);
112	int krb5_mic_mbuf(crypto_ctx_t, gss_buffer_t, mbuf_t, uint32_t, uint32_t, gss_buffer_t, uint8_t , int* , int, int*);
113
114	uint32_t gss_krb5_cfx_get_mic(uint32_t *, gss_ctx_id_t, gss_qop_t, gss_buffer_t, gss_buffer_t);
115	uint32_t gss_krb5_cfx_verify_mic(uint32_t , gss_ctx_id_t, gss_buffer_t, gss_buffer_t, gss_qop_t );
116	uint32_t gss_krb5_cfx_get_mic_mbuf(uint32_t *, gss_ctx_id_t, gss_qop_t, mbuf_t, size_t, size_t, gss_buffer_t);
117	uint32_t gss_krb5_cfx_verify_mic_mbuf(uint32_t , gss_ctx_id_t, mbuf_t, size_t, size_t, gss_buffer_t, gss_qop_t );
118	errno_t krb5_cfx_crypt_mbuf(crypto_ctx_t, mbuf_t , size_t , int, int);
119	uint32_t gss_krb5_cfx_wrap_mbuf(uint32_t , gss_ctx_id_t, int, gss_qop_t, mbuf_t , size_t, int *);
120	uint32_t gss_krb5_cfx_unwrap_mbuf(uint32_t , gss_ctx_id_t, mbuf_t , size_t, int , gss_qop_t );
121
122	int gss_krb5_mech_is_initialized(void);
123	void gss_krb5_mech_init(void);
124
125	/ Debugging routines /
126	void
127	printmbuf(const char *str, mbuf_t mb, uint32_t offset, uint32_t len)
128	{
129	size_t i;
130	int cout = `1`;
131
132	len = len ? len : ~`0`;
133	printf("%s mbuf = %p offset = %d len = %d:\n", str ? str : "mbuf", mb, offset, len);
134	for (; mb && len; mb = mbuf_next(mb)) {
135	if (offset >= mbuf_len(mb)) {
136	offset -= mbuf_len(mb);
137	continue;
138	}
139	for(i = offset; len && i < mbuf_len(mb); i++) {
140	const char *s = (cout % `8`) ? " " : (cout % `16`) ? " " : "\n";
141	printf("%02x%s", ((uint8_t *)mbuf_data(mb))[i], s);
142	len--;
143	cout++;
144	}
145	offset = `0`;
146	}
147	if ((cout-`1`) % `16`)
148	printf("\n");
149	printf("Count chars %d\n", cout - `1`);
150	}
151
152	void
153	printgbuf(const char *str, gss_buffer_t buf)
154	{
155	size_t i;
156	size_t len = buf->length > `128` ? `128` : buf->length;
157
158	printf("%s: len = %d value = %p\n", str ? str : "buffer", (int)buf->length, buf->value);
159	for (i = `0`; i < len; i++) {
160	const char *s = ((i + `1`) % `8`) ? " " : ((i + `1`) % `16`) ? " " : "\n";
161	printf("%02x%s", ((uint8_t *)buf->value)[i], s);
162	}
163	if (i % `16`)
164	printf("\n");
165	}
166
167	/*
168	* Initialize the data structures for the gss kerberos mech.
169	*/
170	#define GSS_KRB5_NOT_INITIALIZED 0
171	#define GSS_KRB5_INITIALIZING 1
172	#define GSS_KRB5_INITIALIZED 2
173	static volatile uint32_t gss_krb5_mech_initted = GSS_KRB5_NOT_INITIALIZED;
174
175	int
176	gss_krb5_mech_is_initialized(void)
177	{
178	return (gss_krb5_mech_initted == GSS_KRB5_NOT_INITIALIZED);
179	}
180
181	void
182	gss_krb5_mech_init(void)
183	{
184	extern void IOSleep(int);
185
186	/ Once initted always initted /
187	if (gss_krb5_mech_initted == GSS_KRB5_INITIALIZED)
188	return;
189
190	/ make sure we init only once /
191	if (!OSCompareAndSwap(GSS_KRB5_NOT_INITIALIZED, GSS_KRB5_INITIALIZING, &gss_krb5_mech_initted)) {
192	/ wait until initialization is complete /
193	while (!gss_krb5_mech_is_initialized())
194	IOSleep(`10`);
195	return;
196	}
197	gss_krb5_mech_grp = lck_grp_alloc_init("gss_krb5_mech", LCK_GRP_ATTR_NULL);
198	gss_krb5_mech_initted = GSS_KRB5_INITIALIZED;
199	}
200
201	uint32_t
202	gss_release_buffer(uint32_t *minor, gss_buffer_t buf)
203	{
204	if (minor)
205	*minor = `0`;
206	if (buf->value)
207	FREE(buf->value, M_TEMP);
208	buf->value = NULL;
209	buf->length = `0`;
210	return (GSS_S_COMPLETE);
211	}
212
213	/*
214	* GSS mbuf routines
215	*/
216
217	size_t
218	gss_mbuf_len(mbuf_t mb, size_t offset)
219	{
220	size_t len;
221
222	for (len = `0`; mb; mb = mbuf_next(mb))
223	len += mbuf_len(mb);
224	return ((offset > len) ? `0` : len - offset);
225	}
226
227	/*
228	* Split an mbuf in a chain into two mbufs such that the original mbuf
229	* points to the original mbuf and the new mbuf points to the rest of the
230	* chain. The first mbuf length is the first len bytes and the second
231	* mbuf contains the remaining bytes. if len is zero or equals
232	* mbuf_len(mb) the don't create a new mbuf. We are already at an mbuf
233	* boundary. Return the mbuf that starts at the offset.
234	*/
235	static errno_t
236	split_one_mbuf(mbuf_t mb, size_t offset, mbuf_t nmb, int* join)
237	{
238	errno_t error;
239
240	*nmb = mb;
241	/ We don't have an mbuf or we're alread on an mbuf boundary /
242	if (mb == NULL \|\| offset == `0`)
243	return (`0`);
244
245	/ If the mbuf length is offset then the next mbuf is the one we want /
246	if (mbuf_len(mb) == offset) {
247	*nmb = mbuf_next(mb);
248	if (!join)
249	mbuf_setnext(mb, NULL);
250	return (`0`);
251	}
252
253	if (offset > mbuf_len(mb))
254	return (EINVAL);
255
256	error = mbuf_split(mb, offset, MBUF_WAITOK, nmb);
257	if (error)
258	return (error);
259
260	if (mbuf_flags(*nmb) & MBUF_PKTHDR) {
261	/ We don't want to copy the pkthdr. mbuf_split does that. /
262	error = mbuf_setflags_mask(*nmb, ~MBUF_PKTHDR, MBUF_PKTHDR);
263	}
264
265	if (join)
266	/ Join the chain again /
267	mbuf_setnext(mb, *nmb);
268
269	return (`0`);
270	}
271
272	/*
273	* Given an mbuf with an offset and length return the chain such that
274	* offset and offset + *subchain_length are on mbuf boundaries. If
275	* *mbuf_length is less that the length of the chain after offset
276	* return that length in *mbuf_length. The mbuf sub chain starting at
277	* offset is returned in *subchain. If an error occurs return the
278	* corresponding errno. Note if there are less than offset bytes then
279	* subchain will be set to NULL and *subchain_length will be set to
280	* zero. If *subchain_length is 0; then set it to the length of the
281	* chain starting at offset. Join parameter is used to indicate whether
282	* the mbuf chain will be joined again as on chain, just rearranged so
283	* that offset and subchain_length are on mbuf boundaries.
284	*/
285
286	errno_t
287	gss_normalize_mbuf(mbuf_t chain, size_t offset, size_t subchain_length, mbuf_t subchain, mbuf_t tail, int* join)
288	{
289	size_t length = subchain_length ? subchain_length : ~`0`;
290	size_t len;
291	mbuf_t mb, nmb;
292	errno_t error;
293
294	if (tail == NULL)
295	tail = &nmb;
296	*tail = NULL;
297	*subchain = NULL;
298
299	for (len = offset, mb = chain; mb && len > mbuf_len(mb); mb = mbuf_next(mb))
300	len -= mbuf_len(mb);
301
302	/ if we don't have offset bytes just return /
303	if (mb == NULL)
304	return (`0`);
305
306	error = split_one_mbuf(mb, len, subchain, join);
307	if (error)
308	return (error);
309
310	assert(subchain != NULL && *subchain != NULL);
311	assert(offset == `0` ? mb == *subchain : `1`);
312
313	len = gss_mbuf_len(*subchain, `0`);
314	length = (length > len) ? len : length;
315	*subchain_length = length;
316
317	for (len = length, mb = *subchain; mb && len > mbuf_len(mb); mb = mbuf_next(mb))
318	len -= mbuf_len(mb);
319
320	error = split_one_mbuf(mb, len, tail, join);
321
322	return (error);
323	}
324
325	mbuf_t
326	gss_join_mbuf(mbuf_t head, mbuf_t body, mbuf_t tail)
327	{
328	mbuf_t mb;
329
330	for (mb = head; mb && mbuf_next(mb); mb = mbuf_next(mb))
331	;
332	if (mb)
333	mbuf_setnext(mb, body);
334	for (mb = body; mb && mbuf_next(mb); mb = mbuf_next(mb))
335	;
336	if (mb)
337	mbuf_setnext(mb, tail);
338	mb = head ? head : (body ? body : tail);
339	return (mb);
340	}
341
342	/*
343	* Prepend size bytes to the mbuf chain.
344	*/
345	errno_t
346	gss_prepend_mbuf(mbuf_t chain, uint8_t bytes, size_t size)
347	{
348	uint8_t data = mbuf_data(chain);
349	size_t leading = mbuf_leadingspace(*chain);
350	size_t trailing = mbuf_trailingspace(*chain);
351	size_t mlen = mbuf_len(*chain);
352	errno_t error;
353
354	if (size > leading && size <= leading + trailing) {
355	data = memmove(data + size - leading, data, mlen);
356	mbuf_setdata(*chain, data, mlen);
357	}
358
359	error = mbuf_prepend(chain, size, MBUF_WAITOK);
360	if (error)
361	return (error);
362	data = mbuf_data(*chain);
363	memcpy(data, bytes, size);
364
365	return (`0`);
366	}
367
368	errno_t
369	gss_append_mbuf(mbuf_t chain, uint8_t *bytes, size_t size)
370	{
371	size_t len = `0`;
372	mbuf_t mb;
373
374	if (chain == NULL)
375	return (EINVAL);
376
377	for (mb = chain; mb; mb = mbuf_next(mb))
378	len += mbuf_len(mb);
379
380	return (mbuf_copyback(chain, len, size, bytes, MBUF_WAITOK));
381	}
382
383	errno_t
384	gss_strip_mbuf(mbuf_t chain, ssize_t size)
385	{
386	if (chain == NULL)
387	return (EINVAL);
388
389	mbuf_adj(chain, size);
390
391	return (`0`);
392	}
393
394
395	/*
396	* Kerberos mech generic crypto support for mbufs
397	*/
398
399	/*
400	* Walk the mbuf after the given offset calling the passed in crypto function
401	* for len bytes. Note the length, len should be a multiple of the blocksize and
402	* there should be at least len bytes available after the offset in the mbuf chain.
403	* padding should be done before calling this routine.
404	*/
405	int
406	mbuf_walk(mbuf_t mbp, size_t offset, size_t len, size_t blocksize, int (crypto_fn)(void* , uint8_t data, uint32_t length), void *ctx)
407	{
408	mbuf_t mb;
409	size_t mlen, residue;
410	uint8_t *ptr;
411	int error = `0`;
412
413	/ Move to the start of the chain /
414	for (mb = mbp; mb && len > `0`; mb = mbuf_next(mb)) {
415	ptr = mbuf_data(mb);
416	mlen = mbuf_len(mb);
417	if (offset >= mlen) {
418	/ Offset not yet reached /
419	offset -= mlen;
420	continue;
421	}
422	/ Found starting point in chain /
423	ptr += offset;
424	mlen -= offset;
425	offset = `0`;
426
427	/*
428	* Handle the data in this mbuf. If the length to
429	* walk is less than the data in the mbuf, set
430	* the mbuf length left to be the length left
431	*/
432	mlen = mlen < len ? mlen : len;
433	/ Figure out how much is a multple of blocksize /
434	residue = mlen % blocksize;
435	/ And addjust the mleft length to be the largest multiple of blocksized /
436	mlen -= residue;
437	/ run our hash/encrypt/decrpyt function /
438	if (mlen > `0`) {
439	error = crypto_fn(ctx, ptr, mlen);
440	if (error)
441	break;
442	ptr += mlen;
443	len -= mlen;
444	}
445	/*
446	* If we have a residue then to get a full block for our crypto
447	* function, we need to copy the residue into our block size
448	* block and use the next mbuf to get the rest of the data for
449	* the block. N.B. We generally assume that from the offset
450	* passed in, that the total length, len, is a multple of
451	* blocksize and that there are at least len bytes in the chain
452	* from the offset. We also assume there is at least (blocksize
453	* - residue) size data in any next mbuf for residue > 0. If not
454	* we attemp to pullup bytes from down the chain.
455	*/
456	if (residue) {
457	mbuf_t nmb = mbuf_next(mb);
458	uint8_t *nptr = NULL, block[blocksize];
459
460	assert(nmb);
461	len -= residue;
462	offset = blocksize - residue;
463	if (len < offset) {
464	offset = len;
465	/*
466	* We don't have enough bytes so zero the block
467	* so that any trailing bytes will be zero.
468	*/
469	cc_clear(sizeof(block), block);
470	}
471	memcpy(block, ptr, residue);
472	if (len && nmb) {
473	mlen = mbuf_len(nmb);
474	if (mlen < offset) {
475	error = mbuf_pullup(&nmb, offset - mlen);
476	if (error) {
477	mbuf_setnext(mb, NULL);
478	return (error);
479	}
480	}
481	nptr = mbuf_data(nmb);
482	memcpy(block + residue, nptr, offset);
483	}
484	len -= offset;
485	error = crypto_fn(ctx, block, sizeof(block));
486	if (error)
487	break;
488	memcpy(ptr, block, residue);
489	if (nptr)
490	memcpy(nptr, block + residue, offset);
491	}
492	}
493
494	return (error);
495	}
496
497	void
498	do_crypt_init(crypt_walker_ctx_t wctx, int encrypt, crypto_ctx_t cctx, cccbc_ctx *ks)
499	{
500	wctx->ccmode = encrypt ? cctx->enc_mode : cctx->dec_mode;
501
502	wctx->crypt_ctx = ks;
503	MALLOC(wctx->iv, cccbc_iv *, wctx->ccmode->block_size, M_TEMP, M_WAITOK\|M_ZERO);
504	cccbc_set_iv(wctx->ccmode, wctx->iv, NULL);
505	}
506
507	int
508	do_crypt(void walker, uint8_t data, uint32_t len)
509	{
510	struct crypt_walker_ctx *wctx = (crypt_walker_ctx_t)walker;
511	uint32_t nblocks;
512
513	nblocks = len / wctx->ccmode->block_size;
514	assert(len % wctx->ccmode->block_size == `0`);
515	cccbc_update(wctx->ccmode, wctx->crypt_ctx, wctx->iv, nblocks, data, data);
516	wctx->length += len;
517
518	return (`0`);
519	}
520
521	void
522	do_hmac_init(hmac_walker_ctx_t wctx, crypto_ctx_t cctx, void *key)
523	{
524	size_t alloc_size = cchmac_di_size(cctx->di);
525
526	wctx->di = cctx->di;
527	MALLOC(wctx->hmac_ctx, struct cchmac_ctx *, alloc_size, M_TEMP, M_WAITOK\|M_ZERO);
528	cchmac_init(cctx->di, wctx->hmac_ctx, cctx->keylen, key);
529	}
530
531	int
532	do_hmac(void walker, uint8_t data, uint32_t len)
533	{
534	hmac_walker_ctx_t wctx = (hmac_walker_ctx_t)walker;
535
536	cchmac_update(wctx->di, wctx->hmac_ctx, len, data);
537
538	return (`0`);
539	}
540
541
542	int
543	krb5_mic(crypto_ctx_t ctx, gss_buffer_t header, gss_buffer_t bp, gss_buffer_t trailer, uint8_t mic, int* verify, int* ikey, int reverse)
544	{
545	uint8_t digest[ctx->di->output_size];
546	cchmac_di_decl(ctx->di, hmac_ctx);
547	int kdx = (verify == NULL) ? (reverse ? GSS_RCV : GSS_SND) : (reverse ? GSS_SND : GSS_RCV);
548	void *key2use;
549
550	if (ikey) {
551	if (!(ctx->flags & CRYPTO_KS_ALLOCED)) {
552	lck_mtx_lock(ctx->lock);
553	if (!(ctx->flags & CRYPTO_KS_ALLOCED)) {
554	cc_key_schedule_create(ctx);
555	}
556	ctx->flags \|= CRYPTO_KS_ALLOCED;
557	lck_mtx_unlock(ctx->lock);
558	}
559	key2use = ctx->ks.ikey[kdx];
560	} else {
561	key2use = ctx->ckey[kdx];
562	}
563
564	cchmac_init(ctx->di, hmac_ctx, ctx->keylen, key2use);
565
566	if (header) {
567	cchmac_update(ctx->di, hmac_ctx, header->length, header->value);
568	}
569
570	cchmac_update(ctx->di, hmac_ctx, bp->length, bp->value);
571
572	if (trailer) {
573	cchmac_update(ctx->di, hmac_ctx, trailer->length, trailer->value);
574	}
575
576	cchmac_final(ctx->di, hmac_ctx, digest);
577
578	if (verify) {
579	*verify = (memcmp(mic, digest, ctx->digest_size) == `0`);
580	}
581	else
582	memcpy(mic, digest, ctx->digest_size);
583
584	return (`0`);
585	}
586
587	int
588	krb5_mic_mbuf(crypto_ctx_t ctx, gss_buffer_t header,
589	mbuf_t mbp, uint32_t offset, uint32_t len, gss_buffer_t trailer, uint8_t mic, int* verify, int* ikey, int reverse)
590	{
591	struct hmac_walker_ctx wctx;
592	uint8_t digest[ctx->di->output_size];
593	int error;
594	int kdx = (verify == NULL) ? (reverse ? GSS_RCV : GSS_SND) : (reverse ? GSS_SND : GSS_RCV);
595	void *key2use;
596
597	if (ikey) {
598	if (!(ctx->flags & CRYPTO_KS_ALLOCED)) {
599	lck_mtx_lock(ctx->lock);
600	if (!(ctx->flags & CRYPTO_KS_ALLOCED)) {
601	cc_key_schedule_create(ctx);
602	}
603	ctx->flags \|= CRYPTO_KS_ALLOCED;
604	lck_mtx_unlock(ctx->lock);
605	}
606	key2use = ctx->ks.ikey[kdx];
607	} else {
608	key2use = ctx->ckey[kdx];
609	}
610
611	do_hmac_init(&wctx, ctx, key2use);
612
613	if (header) {
614	cchmac_update(ctx->di, wctx.hmac_ctx, header->length, header->value);
615	}
616
617	error = mbuf_walk(mbp, offset, len, `1`, do_hmac, &wctx);
618
619	if (error)
620	return (error);
621	if (trailer)
622	cchmac_update(ctx->di, wctx.hmac_ctx, trailer->length, trailer->value);
623
624	cchmac_final(ctx->di, wctx.hmac_ctx, digest);
625	FREE(wctx.hmac_ctx, M_TEMP);
626
627	if (verify) {
628	*verify = (memcmp(mic, digest, ctx->digest_size) == `0`);
629	if (!*verify)
630	return (EBADRPC);
631	} else
632	memcpy(mic, digest, ctx->digest_size);
633
634	return (`0`);
635	}
636
637	errno_t / __attribute__((optnone)) /
638	krb5_crypt_mbuf(crypto_ctx_t ctx, mbuf_t mbp, uint32_t len, int* encrypt, cccbc_ctx *ks)
639	{
640	struct crypt_walker_ctx wctx;
641	const struct ccmode_cbc *ccmode = encrypt ? ctx->enc_mode : ctx->dec_mode;
642	size_t plen = len;
643	size_t cts_len = `0`;
644	mbuf_t mb, lmb;
645	int error;
646
647	if (!(ctx->flags & CRYPTO_KS_ALLOCED)) {
648	lck_mtx_lock(ctx->lock);
649	if (!(ctx->flags & CRYPTO_KS_ALLOCED)) {
650	cc_key_schedule_create(ctx);
651	}
652	ctx->flags \|= CRYPTO_KS_ALLOCED;
653	lck_mtx_unlock(ctx->lock);
654	}
655	if (!ks)
656	ks = encrypt ? ctx->ks.enc : ctx->ks.dec;
657
658	if ((ctx->flags & CRYPTO_CTS_ENABLE) && ctx->mpad == `1`) {
659	uint8_t block[ccmode->block_size];
660	/ if the length is less than or equal to a blocksize. We just encrypt the block /
661	if (len <= ccmode->block_size) {
662	if (len < ccmode->block_size) {
663	memset(block, `0`, sizeof(block));
664	gss_append_mbuf(*mbp, block, ccmode->block_size);
665	}
666	plen = ccmode->block_size;
667	} else {
668	/ determine where the last two blocks are /
669	uint32_t r = len % ccmode->block_size;
670
671	cts_len = r ? r + ccmode->block_size : `2` * ccmode->block_size;
672	plen = len - cts_len;
673	/ If plen is 0 we only have two blocks to crypt with ccpad below /
674	if (plen == `0`)
675	lmb = *mbp;
676	else {
677	gss_normalize_mbuf(*mbp, `0`, &plen, &mb, &lmb, `0`);
678	assert(*mbp == mb);
679	assert(plen == len - cts_len);
680	assert(gss_mbuf_len(mb, `0`) == plen);
681	assert(gss_mbuf_len(lmb, `0`) == cts_len);
682	}
683	}
684	} else if (len % ctx->mpad) {
685	uint8_t pad_block[ctx->mpad];
686	size_t padlen = ctx->mpad - (len % ctx->mpad);
687
688	memset(pad_block, `0`, padlen);
689	error = gss_append_mbuf(*mbp, pad_block, padlen);
690	if (error)
691	return (error);
692	plen = len + padlen;
693	}
694	do_crypt_init(&wctx, encrypt, ctx, ks);
695	if (plen) {
696	error = mbuf_walk(*mbp, `0`, plen, ccmode->block_size, do_crypt, &wctx);
697	if (error)
698	return (error);
699	}
700
701	if ((ctx->flags & CRYPTO_CTS_ENABLE) && cts_len) {
702	uint8_t cts_pad[`2`*ccmode->block_size];
703	ccpad_func do_ccpad = encrypt ? ccpad_cts3_encrypt : ccpad_cts3_decrypt;
704
705	assert(cts_len <= `2`*ccmode->block_size && cts_len > ccmode->block_size);
706	memset(cts_pad, `0`, sizeof(cts_pad));
707	mbuf_copydata(lmb, `0`, cts_len, cts_pad);
708	mbuf_freem(lmb);
709	do_ccpad(ccmode, wctx.crypt_ctx, wctx.iv, cts_len, cts_pad, cts_pad);
710	gss_append_mbuf(*mbp, cts_pad, cts_len);
711	}
712	FREE(wctx.iv, M_TEMP);
713
714	return (`0`);
715	}
716
717	/*
718	* Key derivation routines
719	*/
720
721	static int
722	rr13(unsigned char *buf, size_t len)
723	{
724	size_t bytes = (len + `7`) / `8`;
725	unsigned char tmp[bytes];
726	size_t i;
727
728	if(len == `0`)
729	return `0`;
730
731	{
732	const int bits = `13` % len;
733	const int lbit = len % `8`;
734
735	memcpy(tmp, buf, bytes);
736	if(lbit) {
737	/ pad final byte with inital bits /
738	tmp[bytes - `1`] &= `0xff` << (`8` - lbit);
739	for(i = lbit; i < `8`; i += len)
740	tmp[bytes - `1`] \|= buf[`0`] >> i;
741	}
742	for(i = `0`; i < bytes; i++) {
743	ssize_t bb;
744	ssize_t b1, s1, b2, s2;
745
746	/ calculate first bit position of this byte /
747	bb = `8` * i - bits;
748	while(bb < `0`)
749	bb += len;
750	/ byte offset and shift count /
751	b1 = bb / `8`;
752	s1 = bb % `8`;
753	if((size_t)bb + `8` > bytes * `8`)
754	/ watch for wraparound /
755	s2 = (len + `8` - s1) % `8`;
756	else
757	s2 = `8` - s1;
758	b2 = (b1 + `1`) % bytes;
759	buf[i] = (tmp[b1] << s1) \| (tmp[b2] >> s2);
760	}
761	}
762	return `0`;
763	}
764
765
766	/ Add `b' to `a', both being one's complement numbers. /
767	static void
768	add1(unsigned char a, unsigned* char *b, size_t len)
769	{
770	ssize_t i;
771	int carry = `0`;
772
773	for(i = len - `1`; i >= `0`; i--){
774	int x = a[i] + b[i] + carry;
775	carry = x > `0xff`;
776	a[i] = x & `0xff`;
777	}
778	for(i = len - `1`; carry && i >= `0`; i--){
779	int x = a[i] + carry;
780	carry = x > `0xff`;
781	a[i] = x & `0xff`;
782	}
783	}
784
785
786	static int
787	krb5_n_fold(const void instr, size_t len, void* *foldstr, size_t size)
788	{
789	/ if len < size we need at most N * len bytes, ie < 2 * size;*
790	if len > size we need at most 2 len /
791	int ret = `0`;
792	size_t maxlen = `2` * max(size, len);
793	size_t l = `0`;
794	unsigned char tmp[maxlen];
795	unsigned char buf[len];
796
797	memcpy(buf, instr, len);
798	memset(foldstr, `0`, size);
799	do {
800	memcpy(tmp + l, buf, len);
801	l += len;
802	ret = rr13(buf, len * `8`);
803	if (ret)
804	goto out;
805	while(l >= size) {
806	add1(foldstr, tmp, size);
807	l -= size;
808	if(l == `0`)
809	break;
810	memmove(tmp, tmp + size, l);
811	}
812	} while(l != `0`);
813	out:
814
815	return ret;
816	}
817
818	void
819	krb5_make_usage(uint32_t usage_no, uint8_t suffix, uint8_t usage_string[KRB5_USAGE_LEN])
820	{
821	uint32_t i;
822
823	for (i = `0`; i < `4`; i++)
824	usage_string[i] = ((usage_no >> `8`*(`3`-i)) & `0xff`);
825	usage_string[i] = suffix;
826	}
827
828	void
829	krb5_key_derivation(crypto_ctx_t ctx, const void cons, size_t conslen, void* **dkey, size_t dklen)
830	{
831	size_t blocksize = ctx->enc_mode->block_size;
832	cccbc_iv_decl(blocksize, iv);
833	cccbc_ctx_decl(ctx->enc_mode->size, enc_ctx);
834	size_t ksize = `8`*dklen;
835	size_t nblocks = (ksize + `8`blocksize - `1`) / (`8`blocksize);
836	uint8_t *dkptr;
837	uint8_t block[blocksize];
838
839	MALLOC(dkey, void* , nblocks blocksize, M_TEMP, M_WAITOK \| M_ZERO);
840	dkptr = *dkey;
841
842	krb5_n_fold(cons, conslen, block, blocksize);
843	cccbc_init(ctx->enc_mode, enc_ctx, ctx->keylen, ctx->key);
844	for (size_t i = `0`; i < nblocks; i++) {
845	cccbc_set_iv(ctx->enc_mode, iv, NULL);
846	cccbc_update(ctx->enc_mode, enc_ctx, iv, `1`, block, block);
847	memcpy(dkptr, block, blocksize);
848	dkptr += blocksize;
849	}
850	}
851
852	static void
853	des_make_key(const uint8_t rawkey[`7`], uint8_t deskey[`8`])
854	{
855	uint8_t val = `0`;
856
857	memcpy(deskey, rawkey, `7`);
858	for (int i = `0`; i < `7`; i++)
859	val \|= ((deskey[i] & `1`) << (i+`1`));
860	deskey[`7`] = val;
861	ccdes_key_set_odd_parity(deskey, `8`);
862	}
863
864	static void
865	krb5_3des_key_derivation(crypto_ctx_t ctx, const void cons, size_t conslen, void* **des3key)
866	{
867	const struct ccmode_cbc *cbcmode = ctx->enc_mode;
868	void *rawkey;
869	uint8_t kptr, rptr;
870
871	MALLOC(des3key, void* , `3`cbcmode->block_size, M_TEMP, M_WAITOK \| M_ZERO);
872	krb5_key_derivation(ctx, cons, conslen, &rawkey, `3`*(cbcmode->block_size - `1`));
873	kptr = (uint8_t )des3key;
874	rptr = (uint8_t *)rawkey;
875
876	for (int i = `0`; i < `3`; i++) {
877	des_make_key(rptr, kptr);
878	rptr += cbcmode->block_size - `1`;
879	kptr += cbcmode->block_size;
880	}
881
882	cc_clear(`3`*(cbcmode->block_size - `1`), rawkey);
883	FREE(rawkey, M_TEMP);
884	}
885
886	/*
887	* Create a key schecule
888	*
889	*/
890	void
891	cc_key_schedule_create(crypto_ctx_t ctx)
892	{
893	uint8_t usage_string[KRB5_USAGE_LEN];
894	lucid_context_t lctx = ctx->gss_ctx;
895	void *ekey;
896
897	switch (lctx->key_data.proto) {
898	case `0`: {
899	if (ctx->ks.enc == NULL) {
900	MALLOC(ctx->ks.enc, cccbc_ctx *, ctx->enc_mode->size, M_TEMP, M_WAITOK \| M_ZERO);
901	cccbc_init(ctx->enc_mode, ctx->ks.enc, ctx->keylen, ctx->key);
902	}
903	if (ctx->ks.dec == NULL) {
904	MALLOC(ctx->ks.dec, cccbc_ctx *, ctx->dec_mode->size, M_TEMP, M_WAITOK \| M_ZERO);
905	cccbc_init(ctx->dec_mode, ctx->ks.dec, ctx->keylen, ctx->key);
906	}
907	}
908	case `1`: {
909	if (ctx->ks.enc == NULL) {
910	krb5_make_usage(lctx->initiate ?
911	KRB5_USAGE_INITIATOR_SEAL : KRB5_USAGE_ACCEPTOR_SEAL,
912	`0xAA`, usage_string);
913	krb5_key_derivation(ctx, usage_string, KRB5_USAGE_LEN, &ekey, ctx->keylen);
914	MALLOC(ctx->ks.enc, cccbc_ctx *, ctx->enc_mode->size, M_TEMP, M_WAITOK \| M_ZERO);
915	cccbc_init(ctx->enc_mode, ctx->ks.enc, ctx->keylen, ekey);
916	FREE(ekey, M_TEMP);
917	}
918	if (ctx->ks.dec == NULL) {
919	krb5_make_usage(lctx->initiate ?
920	KRB5_USAGE_ACCEPTOR_SEAL : KRB5_USAGE_INITIATOR_SEAL,
921	`0xAA`, usage_string);
922	krb5_key_derivation(ctx, usage_string, KRB5_USAGE_LEN, &ekey, ctx->keylen);
923	MALLOC(ctx->ks.dec, cccbc_ctx *, ctx->dec_mode->size, M_TEMP, M_WAITOK \| M_ZERO);
924	cccbc_init(ctx->dec_mode, ctx->ks.dec, ctx->keylen, ekey);
925	FREE(ekey, M_TEMP);
926	}
927	if (ctx->ks.ikey[GSS_SND] == NULL) {
928	krb5_make_usage(lctx->initiate ?
929	KRB5_USAGE_INITIATOR_SEAL : KRB5_USAGE_ACCEPTOR_SEAL,
930	`0x55`, usage_string);
931	krb5_key_derivation(ctx, usage_string, KRB5_USAGE_LEN, &ctx->ks.ikey[GSS_SND], ctx->keylen);
932	}
933	if (ctx->ks.ikey[GSS_RCV] == NULL) {
934	krb5_make_usage(lctx->initiate ?
935	KRB5_USAGE_ACCEPTOR_SEAL : KRB5_USAGE_INITIATOR_SEAL,
936	`0x55`, usage_string);
937	krb5_key_derivation(ctx, usage_string, KRB5_USAGE_LEN, &ctx->ks.ikey[GSS_RCV], ctx->keylen);
938	}
939	}
940	}
941	}
942
943	void
944	gss_crypto_ctx_free(crypto_ctx_t ctx)
945	{
946	ctx->ks.ikey[GSS_SND] = NULL;
947	if (ctx->ks.ikey[GSS_RCV] && ctx->key != ctx->ks.ikey[GSS_RCV]) {
948	cc_clear(ctx->keylen, ctx->ks.ikey[GSS_RCV]);
949	FREE(ctx->ks.ikey[GSS_RCV], M_TEMP);
950	}
951	ctx->ks.ikey[GSS_RCV] = NULL;
952	if (ctx->ks.enc) {
953	cccbc_ctx_clear(ctx->enc_mode->size, ctx->ks.enc);
954	FREE(ctx->ks.enc, M_TEMP);
955	ctx->ks.enc = NULL;
956	}
957	if (ctx->ks.dec) {
958	cccbc_ctx_clear(ctx->dec_mode->size, ctx->ks.dec);
959	FREE(ctx->ks.dec, M_TEMP);
960	ctx->ks.dec = NULL;
961	}
962	if (ctx->ckey[GSS_SND] && ctx->ckey[GSS_SND] != ctx->key) {
963	cc_clear(ctx->keylen, ctx->ckey[GSS_SND]);
964	FREE(ctx->ckey[GSS_SND], M_TEMP);
965	}
966	ctx->ckey[GSS_SND] = NULL;
967	if (ctx->ckey[GSS_RCV] && ctx->ckey[GSS_RCV] != ctx->key) {
968	cc_clear(ctx->keylen, ctx->ckey[GSS_RCV]);
969	FREE(ctx->ckey[GSS_RCV], M_TEMP);
970	}
971	ctx->ckey[GSS_RCV] = NULL;
972	ctx->key = NULL;
973	ctx->keylen = `0`;
974	}
975
976	int
977	gss_crypto_ctx_init(struct crypto_ctx *ctx, lucid_context_t lucid)
978	{
979	ctx->gss_ctx = lucid;
980	void *key;
981	uint8_t usage_string[KRB5_USAGE_LEN];
982
983	ctx->keylen = ctx->gss_ctx->ctx_key.key.key_len;
984	key = ctx->gss_ctx->ctx_key.key.key_val;
985	ctx->etype = ctx->gss_ctx->ctx_key.etype;
986	ctx->key = key;
987
988	switch(ctx->etype) {
989	case AES128_CTS_HMAC_SHA1_96:
990	case AES256_CTS_HMAC_SHA1_96:
991	ctx->enc_mode = ccaes_cbc_encrypt_mode();
992	assert(ctx->enc_mode);
993	ctx->dec_mode = ccaes_cbc_decrypt_mode();
994	assert(ctx->dec_mode);
995	ctx->ks.enc = NULL;
996	ctx->ks.dec = NULL;
997	ctx->di = ccsha1_di();
998	assert(ctx->di);
999	ctx->flags = CRYPTO_CTS_ENABLE;
1000	ctx->mpad = `1`;
1001	ctx->digest_size = `12`; / 96 bits /
1002	krb5_make_usage(ctx->gss_ctx->initiate ?
1003	KRB5_USAGE_INITIATOR_SIGN : KRB5_USAGE_ACCEPTOR_SIGN,
1004	`0x99`, usage_string);
1005	krb5_key_derivation(ctx, usage_string, KRB5_USAGE_LEN, &ctx->ckey[GSS_SND], ctx->keylen);
1006	krb5_make_usage(ctx->gss_ctx->initiate ?
1007	KRB5_USAGE_ACCEPTOR_SIGN : KRB5_USAGE_INITIATOR_SIGN,
1008	`0x99`, usage_string);
1009	krb5_key_derivation(ctx, usage_string, KRB5_USAGE_LEN, &ctx->ckey[GSS_RCV], ctx->keylen);
1010	break;
1011	case DES3_CBC_SHA1_KD:
1012	ctx->enc_mode = ccdes3_cbc_encrypt_mode();
1013	assert(ctx->enc_mode);
1014	ctx->dec_mode = ccdes3_cbc_decrypt_mode();
1015	assert(ctx->dec_mode);
1016	ctx->ks.ikey[GSS_SND] = ctx->key;
1017	ctx->ks.ikey[GSS_RCV] = ctx->key;
1018	ctx->di = ccsha1_di();
1019	assert(ctx->di);
1020	ctx->flags = `0`;
1021	ctx->mpad = ctx->enc_mode->block_size;
1022	ctx->digest_size = `20`; / 160 bits /
1023	krb5_make_usage(KRB5_USAGE_ACCEPTOR_SIGN, `0x99`, usage_string);
1024	krb5_3des_key_derivation(ctx, usage_string, KRB5_USAGE_LEN, &ctx->ckey[GSS_SND]);
1025	krb5_3des_key_derivation(ctx, usage_string, KRB5_USAGE_LEN, &ctx->ckey[GSS_RCV]);
1026	break;
1027	default:
1028	return (ENOTSUP);
1029	}
1030
1031	ctx->lock = lck_mtx_alloc_init(gss_krb5_mech_grp, LCK_ATTR_NULL);
1032
1033	return (`0`);
1034	}
1035
1036	/*
1037	* CFX gss support routines
1038	*/
1039	/ From Heimdal cfx.h file RFC 4121 Cryptoo framework extensions /
1040	typedef struct gss_cfx_mic_token_desc_struct
1041	{
1042	uint8_t TOK_ID[`2`]; / 04 04 /
1043	uint8_t Flags;
1044	uint8_t Filler[`5`];
1045	uint8_t SND_SEQ[`8`];
1046	} gss_cfx_mic_token_desc, *gss_cfx_mic_token;
1047
1048	typedef struct gss_cfx_wrap_token_desc_struct
1049	{
1050	uint8_t TOK_ID[`2`]; / 05 04 /
1051	uint8_t Flags;
1052	uint8_t Filler;
1053	uint8_t EC[`2`];
1054	uint8_t RRC[`2`];
1055	uint8_t SND_SEQ[`8`];
1056	} gss_cfx_wrap_token_desc, *gss_cfx_wrap_token;
1057
1058	/ End of cfx.h file /
1059
1060	#define CFXSentByAcceptor (1 << 0)
1061	#define CFXSealed (1 << 1)
1062	#define CFXAcceptorSubkey (1 << 2)
1063
1064	const gss_cfx_mic_token_desc mic_cfx_token = {
1065	.TOK_ID = "\x04\x04",
1066	.Flags = `0`,
1067	.Filler = "\xff\xff\xff\xff\xff",
1068	.SND_SEQ = "\x00\x00\x00\x00\x00\x00\x00\x00"
1069	};
1070
1071	const gss_cfx_wrap_token_desc wrap_cfx_token = {
1072	.TOK_ID = "\x05\04",
1073	.Flags = `0`,
1074	.Filler = `'\xff'`,
1075	.EC = "\x00\x00",
1076	.RRC = "\x00\x00",
1077	.SND_SEQ = "\x00\x00\x00\x00\x00\x00\x00\x00"
1078	};
1079
1080	static int
1081	gss_krb5_cfx_verify_mic_token(gss_ctx_id_t ctx, gss_cfx_mic_token token)
1082	{
1083	int i;
1084	lucid_context_t lctx = &ctx->gss_lucid_ctx;
1085	uint8_t flags = `0`;
1086
1087	if (token->TOK_ID[`0`] != mic_cfx_token.TOK_ID[`0`] \|\| token->TOK_ID[`1`] != mic_cfx_token.TOK_ID[`1`]) {
1088	printf("Bad mic TOK_ID %x %x\n", token->TOK_ID[`0`], token->TOK_ID[`1`]);
1089	return (EBADRPC);
1090	}
1091	if (lctx->initiate)
1092	flags \|= CFXSentByAcceptor;
1093	if (lctx->key_data.lucid_protocol_u.data_4121.acceptor_subkey)
1094	flags \|= CFXAcceptorSubkey;
1095	if (token->Flags != flags) {
1096	printf("Bad flags received %x exptect %x\n", token->Flags, flags);
1097	return (EBADRPC);
1098	}
1099	for (i = `0`; i < `5`; i++) {
1100	if (token->Filler[i] != mic_cfx_token.Filler[i])
1101	break;
1102	}
1103
1104	if (i != `5`) {
1105	printf("Bad mic filler %x @ %d\n", token->Filler[i], i);
1106	return (EBADRPC);
1107	}
1108
1109	return (`0`);
1110	}
1111
1112	uint32_t
1113	gss_krb5_cfx_get_mic(uint32_t minor, /* minor_status /
1114	gss_ctx_id_t ctx, / context_handle /
1115	gss_qop_t qop __unused, / qop_req (ignored) /
1116	gss_buffer_t mbp, / message mbuf /
1117	gss_buffer_t mic / message_token /)
1118	{
1119	gss_cfx_mic_token_desc token;
1120	lucid_context_t lctx = &ctx->gss_lucid_ctx;
1121	crypto_ctx_t cctx = &ctx->gss_cryptor;
1122	gss_buffer_desc header;
1123	uint32_t rv;
1124	uint64_t seq = htonll(lctx->send_seq);
1125
1126	if (minor == NULL)
1127	minor = &rv;
1128	*minor = `0`;
1129	token = mic_cfx_token;
1130	mic->length = sizeof (token) + cctx->digest_size;
1131	MALLOC(mic->value, void *, mic->length, M_TEMP, M_WAITOK \| M_ZERO);
1132	if (!lctx->initiate)
1133	token.Flags \|= CFXSentByAcceptor;
1134	if (lctx->key_data.lucid_protocol_u.data_4121.acceptor_subkey)
1135	token.Flags \|= CFXAcceptorSubkey;
1136	memcpy(&token.SND_SEQ, &seq, sizeof(lctx->send_seq));
1137	lctx->send_seq++; //XXX should only update this below on success? Heimdal seems to do it this way
1138	header.value = &token;
1139	header.length = sizeof (gss_cfx_mic_token_desc);
1140
1141	minor = krb5_mic(cctx, NULL, mbp, &header, (uint8_t )mic->value + sizeof(token), NULL, `0`, `0`);
1142
1143	if (*minor) {
1144	mic->length = `0`;
1145	FREE(mic->value, M_TEMP);
1146	mic->value = NULL;
1147	} else {
1148	memcpy(mic->value, &token, sizeof(token));
1149	}
1150
1151	return (*minor ? GSS_S_FAILURE : GSS_S_COMPLETE);
1152	}
1153
1154	uint32_t
1155	gss_krb5_cfx_verify_mic(uint32_t minor, /* minor_status /
1156	gss_ctx_id_t ctx, / context_handle /
1157	gss_buffer_t mbp, / message_buffer /
1158	gss_buffer_t mic, / message_token /
1159	gss_qop_t qop /* qop_state /)
1160	{
1161	gss_cfx_mic_token token = mic->value;
1162	lucid_context_t lctx = &ctx->gss_lucid_ctx;
1163	crypto_ctx_t cctx = &ctx->gss_cryptor;
1164	uint8_t digest = (uint8_t )mic->value + sizeof (gss_cfx_mic_token_desc);
1165	int verified = `0`;
1166	uint64_t seq;
1167	uint32_t rv;
1168	gss_buffer_desc header;
1169
1170	if (qop)
1171	*qop = GSS_C_QOP_DEFAULT;
1172	if (minor == NULL)
1173	minor = &rv;
1174
1175	if (mic->length != sizeof(gss_cfx_mic_token_desc) + cctx->digest_size) {
1176	printf("mic token wrong length\n");
1177	*minor = EBADRPC;
1178	goto out;
1179	}
1180	*minor = gss_krb5_cfx_verify_mic_token(ctx, token);
1181	if (*minor)
1182	return (GSS_S_FAILURE);
1183	header.value = token;
1184	header.length = sizeof (gss_cfx_mic_token_desc);
1185	*minor = krb5_mic(cctx, NULL, mbp, &header, digest, &verified, `0`, `0`);
1186
1187	if (verified) {
1188	//XXX errors and such? Sequencing and replay? Not supported in RPCSEC_GSS
1189	memcpy(&seq, token->SND_SEQ, sizeof (uint64_t));
1190	seq = ntohll(seq);
1191	lctx->recv_seq = seq;
1192	}
1193
1194	out:
1195	return (verified ? GSS_S_COMPLETE : GSS_S_BAD_SIG);
1196	}
1197
1198	uint32_t
1199	gss_krb5_cfx_get_mic_mbuf(uint32_t minor, /* minor_status /
1200	gss_ctx_id_t ctx, / context_handle /
1201	gss_qop_t qop __unused ,/ qop_req (ignored) /
1202	mbuf_t mbp, / message mbuf /
1203	size_t offset, / offest /
1204	size_t len, / length /
1205	gss_buffer_t mic / message_token /)
1206	{
1207	gss_cfx_mic_token_desc token;
1208	lucid_context_t lctx = &ctx->gss_lucid_ctx;
1209	crypto_ctx_t cctx = &ctx->gss_cryptor;
1210	uint32_t rv;
1211	uint64_t seq = htonll(lctx->send_seq);
1212	gss_buffer_desc header;
1213
1214	if (minor == NULL)
1215	minor = &rv;
1216	*minor = `0`;
1217
1218	token = mic_cfx_token;
1219	mic->length = sizeof (token) + cctx->digest_size;
1220	MALLOC(mic->value, void *, mic->length, M_TEMP, M_WAITOK \| M_ZERO);
1221	if (!lctx->initiate)
1222	token.Flags \|= CFXSentByAcceptor;
1223	if (lctx->key_data.lucid_protocol_u.data_4121.acceptor_subkey)
1224	token.Flags \|= CFXAcceptorSubkey;
1225
1226	memcpy(&token.SND_SEQ, &seq, sizeof(lctx->send_seq));
1227	lctx->send_seq++; //XXX should only update this below on success? Heimdal seems to do it this way
1228
1229	header.length = sizeof(token);
1230	header.value = &token;
1231
1232	len = len ? len : gss_mbuf_len(mbp, offset);
1233	minor = krb5_mic_mbuf(cctx, NULL, mbp, offset, len, &header, (uint8_t )mic->value + sizeof(token), NULL, `0`, `0`);
1234
1235	if (*minor) {
1236	mic->length = `0`;
1237	FREE(mic->value, M_TEMP);
1238	mic->value = NULL;
1239	} else {
1240	memcpy(mic->value, &token, sizeof(token));
1241	}
1242
1243	return (*minor ? GSS_S_FAILURE : GSS_S_COMPLETE);
1244	}
1245
1246
1247	uint32_t
1248	gss_krb5_cfx_verify_mic_mbuf(uint32_t minor, /* minor_status /
1249	gss_ctx_id_t ctx, / context_handle /
1250	mbuf_t mbp, / message_buffer /
1251	size_t offset, / offset /
1252	size_t len, / length /
1253	gss_buffer_t mic, / message_token /
1254	gss_qop_t qop /* qop_state /)
1255	{
1256	gss_cfx_mic_token token = mic->value;
1257	lucid_context_t lctx = &ctx->gss_lucid_ctx;
1258	crypto_ctx_t cctx = &ctx->gss_cryptor;
1259	uint8_t digest = (uint8_t )mic->value + sizeof (gss_cfx_mic_token_desc);
1260	int verified;
1261	uint64_t seq;
1262	uint32_t rv;
1263	gss_buffer_desc header;
1264
1265	if (qop)
1266	*qop = GSS_C_QOP_DEFAULT;
1267
1268	if (minor == NULL)
1269	minor = &rv;
1270
1271	*minor = gss_krb5_cfx_verify_mic_token(ctx, token);
1272	if (*minor)
1273	return (GSS_S_FAILURE);
1274
1275	header.length = sizeof(gss_cfx_mic_token_desc);
1276	header.value = mic->value;
1277
1278	*minor = krb5_mic_mbuf(cctx, NULL, mbp, offset, len, &header, digest, &verified, `0`, `0`);
1279
1280	//XXX errors and such? Sequencing and replay? Not Supported RPCSEC_GSS
1281	memcpy(&seq, token->SND_SEQ, sizeof (uint64_t));
1282	seq = ntohll(seq);
1283	lctx->recv_seq = seq;
1284
1285	return (verified ? GSS_S_COMPLETE : GSS_S_BAD_SIG);
1286	}
1287
1288	errno_t
1289	krb5_cfx_crypt_mbuf(crypto_ctx_t ctx, mbuf_t mbp, size_t len, int encrypt, int reverse)
1290	{
1291	const struct ccmode_cbc *ccmode = encrypt ? ctx->enc_mode : ctx->dec_mode;
1292	uint8_t confounder[ccmode->block_size];
1293	uint8_t digest[ctx->digest_size];
1294	size_t tlen, r = `0`;
1295	errno_t error;
1296
1297	if (encrypt) {
1298	read_random(confounder, ccmode->block_size);
1299	error = gss_prepend_mbuf(mbp, confounder, ccmode->block_size);
1300	if (error)
1301	return (error);
1302	tlen = *len + ccmode->block_size;
1303	if (ctx->mpad > `1`)
1304	r = ctx->mpad - (tlen % ctx->mpad);
1305	/ We expect that r == 0 from krb5_cfx_wrap /
1306	if (r != `0`) {
1307	uint8_t mpad[r];
1308	memset(mpad, `0`, r);
1309	error = gss_append_mbuf(*mbp, mpad, r);
1310	if (error)
1311	return (error);
1312	}
1313	tlen += r;
1314	error = krb5_mic_mbuf(ctx, NULL, *mbp, `0`, tlen, NULL, digest, NULL, `1`, `0`);
1315	if (error)
1316	return (error);
1317	error = krb5_crypt_mbuf(ctx, mbp, tlen, `1`, NULL);
1318	if (error)
1319	return (error);
1320	error = gss_append_mbuf(*mbp, digest, ctx->digest_size);
1321	if (error)
1322	return (error);
1323	*len = tlen + ctx->digest_size;
1324	return (`0`);
1325	} else {
1326	int verf;
1327	cccbc_ctx *ks = NULL;
1328
1329	if (len < ctx->digest_size + sizeof*(confounder))
1330	return (EBADRPC);
1331	tlen = *len - ctx->digest_size;
1332	/ get the digest /
1333	error = mbuf_copydata(*mbp, tlen, ctx->digest_size, digest);
1334	/ Remove the digest from the mbuffer /
1335	error = gss_strip_mbuf(*mbp, -ctx->digest_size);
1336	if (error)
1337	return (error);
1338
1339	if (reverse) {
1340	/*
1341	* Derive a key schedule that the sender can unwrap with. This
1342	* is so that RPCSEC_GSS can restore encrypted arguments for
1343	* resending. We do that because the RPCSEC_GSS sequence number in
1344	* the rpc header is prepended to the body of the message before wrapping.
1345	*/
1346	void *ekey;
1347	uint8_t usage_string[KRB5_USAGE_LEN];
1348	lucid_context_t lctx = ctx->gss_ctx;
1349
1350	krb5_make_usage(lctx->initiate ?
1351	KRB5_USAGE_INITIATOR_SEAL : KRB5_USAGE_ACCEPTOR_SEAL,
1352	`0xAA`, usage_string);
1353	krb5_key_derivation(ctx, usage_string, KRB5_USAGE_LEN, &ekey, ctx->keylen);
1354	MALLOC(ks, cccbc_ctx *, ctx->dec_mode->size, M_TEMP, M_WAITOK \| M_ZERO);
1355	cccbc_init(ctx->dec_mode, ks, ctx->keylen, ekey);
1356	FREE(ekey, M_TEMP);
1357	}
1358	error = krb5_crypt_mbuf(ctx, mbp, tlen, `0`, ks);
1359	FREE(ks, M_TEMP);
1360	if (error)
1361	return (error);
1362	error = krb5_mic_mbuf(ctx, NULL, *mbp, `0`, tlen, NULL, digest, &verf, `1`, reverse);
1363	if (error)
1364	return (error);
1365	if (!verf)
1366	return (EBADRPC);
1367	/ strip off the confounder /
1368	error = gss_strip_mbuf(*mbp, ccmode->block_size);
1369	if (error)
1370	return (error);
1371	*len = tlen - ccmode->block_size;
1372	}
1373	return (`0`);
1374	}
1375
1376	uint32_t
1377	gss_krb5_cfx_wrap_mbuf(uint32_t minor, /* minor_status /
1378	gss_ctx_id_t ctx, / context_handle /
1379	int conf_flag, / conf_req_flag /
1380	gss_qop_t qop __unused, / qop_req /
1381	mbuf_t mbp, /* input/output message_buffer /
1382	size_t len, / mbuf chain length /
1383	int conf /* conf_state /)
1384	{
1385	gss_cfx_wrap_token_desc token;
1386	lucid_context_t lctx = &ctx->gss_lucid_ctx;
1387	crypto_ctx_t cctx = &ctx->gss_cryptor;
1388	int error = `0`;
1389	uint32_t mv;
1390	uint64_t seq = htonll(lctx->send_seq);
1391
1392	if (minor == NULL)
1393	minor = &mv;
1394	if (conf)
1395	*conf = conf_flag;
1396
1397	*minor = `0`;
1398	token = wrap_cfx_token;
1399	if (!lctx->initiate)
1400	token.Flags \|= CFXSentByAcceptor;
1401	if (lctx->key_data.lucid_protocol_u.data_4121.acceptor_subkey)
1402	token.Flags \|= CFXAcceptorSubkey;
1403	memcpy(&token.SND_SEQ, &seq, sizeof(uint64_t));
1404	lctx->send_seq++;
1405	if (conf_flag) {
1406	uint8_t pad[cctx->mpad];
1407	uint16_t plen = `0`;
1408
1409	token.Flags \|= CFXSealed;
1410	memset(pad, `0`, cctx->mpad);
1411	if (cctx->mpad > `1`) {
1412	plen = htons(cctx->mpad - ((len + sizeof (gss_cfx_wrap_token_desc)) % cctx->mpad));
1413	token.EC[`0`] = ((plen >> `8`) & `0xff`);
1414	token.EC[`1`] = (plen & `0xff`);
1415	}
1416	if (plen) {
1417	error = gss_append_mbuf(*mbp, pad, plen);
1418	len += plen;
1419	}
1420	if (error == `0`) {
1421	error = gss_append_mbuf(mbp, (uint8_t )&token, sizeof(gss_cfx_wrap_token_desc));
1422	len += sizeof (gss_cfx_wrap_token_desc);
1423	}
1424	if (error == `0`)
1425	error = krb5_cfx_crypt_mbuf(cctx, mbp, &len, `1`, `0`);
1426	if (error == `0`)
1427	error = gss_prepend_mbuf(mbp, (uint8_t )&token, sizeof*(gss_cfx_wrap_token_desc));
1428	} else {
1429	uint8_t digest[cctx->digest_size];
1430	gss_buffer_desc header;
1431
1432	header.length = sizeof(token);
1433	header.value = &token;
1434
1435	error = krb5_mic_mbuf(cctx, NULL, *mbp, `0`, len, &header, digest, NULL, `1`, `0`);
1436	if (error == `0`) {
1437	error = gss_append_mbuf(*mbp, digest, cctx->digest_size);
1438	if (error == `0`) {
1439	uint16_t plen = htons(cctx->digest_size);
1440	memcpy(token.EC, &plen, `2`);
1441	error = gss_prepend_mbuf(mbp, (uint8_t )&token, sizeof* (gss_cfx_wrap_token_desc));
1442	}
1443	}
1444	}
1445	if (error) {
1446	*minor = error;
1447	return (GSS_S_FAILURE);
1448	}
1449
1450	return (GSS_S_COMPLETE);
1451	}
1452
1453	/*
1454	* Given a wrap token the has a rrc, move the trailer back to the end.
1455	*/
1456	static void
1457	gss_krb5_cfx_unwrap_rrc_mbuf(mbuf_t header, size_t rrc)
1458	{
1459	mbuf_t body, trailer;
1460
1461	gss_normalize_mbuf(header, sizeof(gss_cfx_wrap_token_desc), &rrc, &trailer, &body, `0`);
1462	gss_join_mbuf(header, body, trailer);
1463	}
1464
1465	uint32_t
1466	gss_krb5_cfx_unwrap_mbuf(uint32_t * minor, / minor_status /
1467	gss_ctx_id_t ctx, / context_handle /
1468	mbuf_t mbp, /* input/output message_buffer /
1469	size_t len, / mbuf chain length /
1470	int conf_flag, /* conf_state /
1471	gss_qop_t qop /* qop state /)
1472	{
1473	gss_cfx_wrap_token_desc token;
1474	lucid_context_t lctx = &ctx->gss_lucid_ctx;
1475	crypto_ctx_t cctx = &ctx->gss_cryptor;
1476	int error, conf;
1477	uint16_t ec = `0` , rrc = `0`;
1478	uint64_t seq;
1479	int reverse = (*qop == GSS_C_QOP_REVERSE);
1480	int initiate = lctx->initiate ? (reverse ? `0` : `1`) : (reverse ? `1` : `0`);
1481
1482	error = mbuf_copydata(mbp, `0`, sizeof* (gss_cfx_wrap_token_desc), &token);
1483	gss_strip_mbuf(mbp, sizeof* (gss_cfx_wrap_token_desc));
1484	len -= sizeof (gss_cfx_wrap_token_desc);
1485
1486	/ Check for valid token /
1487	if (token.TOK_ID[`0`] != wrap_cfx_token.TOK_ID[`0`] \|\|
1488	token.TOK_ID[`1`] != wrap_cfx_token.TOK_ID[`1`] \|\|
1489	token.Filler != wrap_cfx_token.Filler) {
1490	printf("Token id does not match\n");
1491	goto badrpc;
1492	}
1493	if ((initiate && !(token.Flags & CFXSentByAcceptor)) \|\|
1494	(lctx->key_data.lucid_protocol_u.data_4121.acceptor_subkey && !(token.Flags & CFXAcceptorSubkey))) {
1495	printf("Bad flags %x\n", token.Flags);
1496	goto badrpc;
1497	}
1498
1499	/ XXX Sequence replay detection /
1500	memcpy(&seq, token.SND_SEQ, sizeof (seq));
1501	seq = ntohll(seq);
1502	lctx->recv_seq = seq;
1503
1504	ec = (token.EC[`0`] << `8`) \| token.EC[`1`];
1505	rrc = (token.RRC[`0`] << `8`) \| token.RRC[`1`];
1506	*qop = GSS_C_QOP_DEFAULT;
1507	conf = ((token.Flags & CFXSealed) == CFXSealed);
1508	if (conf_flag)
1509	*conf_flag = conf;
1510	if (conf) {
1511	gss_cfx_wrap_token_desc etoken;
1512
1513	if (rrc) / Handle Right rotation count /
1514	gss_krb5_cfx_unwrap_rrc_mbuf(*mbp, rrc);
1515	error = krb5_cfx_crypt_mbuf(cctx, mbp, &len, `0`, reverse);
1516	if (error) {
1517	printf("krb5_cfx_crypt_mbuf %d\n", error);
1518	*minor = error;
1519	return (GSS_S_FAILURE);
1520	}
1521	if (len >= sizeof(gss_cfx_wrap_token_desc))
1522	len -= sizeof(gss_cfx_wrap_token_desc);
1523	else
1524	goto badrpc;
1525	mbuf_copydata(mbp, len, sizeof*(gss_cfx_wrap_token_desc), &etoken);
1526	/ Verify etoken with the token wich should be the same, except the rc field is always zero /
1527	token.RRC[`0`] = token.RRC[`1`] = `0`;
1528	if (memcmp(&token, &etoken, sizeof (gss_cfx_wrap_token_desc)) != `0`) {
1529	printf("Encrypted token mismach\n");
1530	goto badrpc;
1531	}
1532	/ strip the encrypted token and any pad bytes /
1533	gss_strip_mbuf(mbp, -(sizeof*(gss_cfx_wrap_token_desc) + ec));
1534	len -= (sizeof(gss_cfx_wrap_token_desc) + ec);
1535	} else {
1536	uint8_t digest[cctx->digest_size];
1537	int verf;
1538	gss_buffer_desc header;
1539
1540	if (ec != cctx->digest_size \|\| len >= cctx->digest_size)
1541	goto badrpc;
1542	len -= cctx->digest_size;
1543	mbuf_copydata(*mbp, len, cctx->digest_size, digest);
1544	gss_strip_mbuf(*mbp, -cctx->digest_size);
1545	/ When calculating the mic header fields ec and rcc must be zero /
1546	token.EC[`0`] = token.EC[`1`] = token.RRC[`0`] = token.RRC[`1`] = `0`;
1547	header.value = &token;
1548	header.length = sizeof(gss_cfx_wrap_token_desc);
1549	error = krb5_mic_mbuf(cctx, NULL, *mbp, `0`, len, &header, digest, &verf, `1`, reverse);
1550	if (error)
1551	goto badrpc;
1552	}
1553	return (GSS_S_COMPLETE);
1554
1555	badrpc:
1556	*minor = EBADRPC;
1557	return (GSS_S_FAILURE);
1558	}
1559
1560	/*
1561	* RFC 1964 3DES support
1562	*/
1563
1564	typedef struct gss_1964_mic_token_desc_struct {
1565	uint8_t TOK_ID[`2`]; / 01 01 /
1566	uint8_t Sign_Alg[`2`];
1567	uint8_t Filler[`4`]; / ff ff ff ff /
1568	} gss_1964_mic_token_desc, *gss_1964_mic_token;
1569
1570	typedef struct gss_1964_wrap_token_desc_struct {
1571	uint8_t TOK_ID[`2`]; / 02 01 /
1572	uint8_t Sign_Alg[`2`];
1573	uint8_t Seal_Alg[`2`];
1574	uint8_t Filler[`2`]; / ff ff /
1575	} gss_1964_wrap_token_desc, *gss_1964_wrap_token;
1576
1577	typedef struct gss_1964_delete_token_desc_struct {
1578	uint8_t TOK_ID[`2`]; / 01 02 /
1579	uint8_t Sign_Alg[`2`];
1580	uint8_t Filler[`4`]; / ff ff ff ff /
1581	} gss_1964_delete_token_desc, *gss_1964_delete_token;
1582
1583	typedef struct gss_1964_header_desc_struct {
1584	uint8_t App0; / 0x60 Application 0 constructed /
1585	uint8_t AppLen[]; / Variable Der length /
1586	} gss_1964_header_desc, *gss_1964_header;
1587
1588	typedef union {
1589	gss_1964_mic_token_desc mic_tok;
1590	gss_1964_wrap_token_desc wrap_tok;
1591	gss_1964_delete_token_desc del_tok;
1592	} gss_1964_tok_type __attribute__((transparent_union));
1593
1594	typedef struct gss_1964_token_body_struct
1595	{
1596	uint8_t OIDType; / 0x06 /
1597	uint8_t OIDLen; / 0x09 /
1598	uint8_t kerb_mech[`9`]; / Der Encode kerberos mech 1.2.840.113554.1.2.2*
1599	0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 /*
1600	gss_1964_tok_type body;
1601	uint8_t SND_SEQ[`8`];
1602	uint8_t Hash[]; / Mic /
1603	} gss_1964_token_body_desc, *gss_1964_token_body;
1604
1605
1606	gss_1964_header_desc tok_1964_header = {
1607	.App0 = `0x60`
1608	};
1609
1610	gss_1964_mic_token_desc mic_1964_token = {
1611	.TOK_ID = "\x01\x01",
1612	.Filler = "\xff\xff\xff\xff"
1613	};
1614
1615	gss_1964_wrap_token_desc wrap_1964_token = {
1616	.TOK_ID = "\x02\x01",
1617	.Filler = "\xff\xff"
1618	};
1619
1620	gss_1964_delete_token_desc del_1964_token = {
1621	.TOK_ID = "\x01\x01",
1622	.Filler = "\xff\xff\xff\xff"
1623	};
1624
1625	gss_1964_token_body_desc body_1964_token = {
1626	.OIDType = `0x06`,
1627	.OIDLen = `0x09`,
1628	.kerb_mech = "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02",
1629	};
1630
1631	#define GSS_KRB5_3DES_MAXTOKSZ (sizeof(gss_1964_header_desc) + 5 /* max der length supported */ + sizeof(gss_1964_token_body_desc))
1632
1633	uint32_t gss_krb5_3des_get_mic(uint32_t *, gss_ctx_id_t, gss_qop_t, gss_buffer_t, gss_buffer_t);
1634	uint32_t gss_krb5_3des_verify_mic(uint32_t , gss_ctx_id_t, gss_buffer_t, gss_buffer_t, gss_qop_t );
1635	uint32_t gss_krb5_3des_get_mic_mbuf(uint32_t *, gss_ctx_id_t, gss_qop_t, mbuf_t, size_t, size_t, gss_buffer_t);
1636	uint32_t gss_krb5_3des_verify_mic_mbuf(uint32_t , gss_ctx_id_t, mbuf_t, size_t, size_t, gss_buffer_t, gss_qop_t );
1637	uint32_t gss_krb5_3des_wrap_mbuf(uint32_t , gss_ctx_id_t, int, gss_qop_t, mbuf_t , size_t, int *);
1638	uint32_t gss_krb5_3des_unwrap_mbuf(uint32_t , gss_ctx_id_t, mbuf_t , size_t, int , gss_qop_t );
1639
1640	/*
1641	* Decode an ASN.1 DER length field
1642	*/
1643	static ssize_t
1644	gss_krb5_der_length_get(uint8_t **pp)
1645	{
1646	uint8_t p = pp;
1647	uint32_t flen, len = `0`;
1648
1649	flen = *p & `0x7f`;
1650
1651	if (*p++ & `0x80`) {
1652	if (flen > sizeof(uint32_t))
1653	return (-`1`);
1654	while (flen--)
1655	len = (len << `8`) + *p++;
1656	} else {
1657	len = flen;
1658	}
1659	*pp = p;
1660	return (len);
1661	}
1662
1663	/*
1664	* Determine size of ASN.1 DER length
1665	*/
1666	static int
1667	gss_krb5_der_length_size(int len)
1668	{
1669	return
1670	len < (`1` << `7`) ? `1` :
1671	len < (`1` << `8`) ? `2` :
1672	len < (`1` << `16`) ? `3` :
1673	len < (`1` << `24`) ? `4` : `5`;
1674	}
1675
1676	/*
1677	* Encode an ASN.1 DER length field
1678	*/
1679	static void
1680	gss_krb5_der_length_put(uint8_t *pp, int* len)
1681	{
1682	int sz = gss_krb5_der_length_size(len);
1683	uint8_t p = pp;
1684
1685	if (sz == `1`) {
1686	*p++ = (uint8_t) len;
1687	} else {
1688	*p++ = (uint8_t) ((sz-`1`) \| `0x80`);
1689	sz -= `1`;
1690	while (sz--)
1691	p++ = (uint8_t) ((len >> (sz `8`)) & `0xff`);
1692	}
1693
1694	*pp = p;
1695	}
1696
1697	static void
1698	gss_krb5_3des_token_put(gss_ctx_id_t ctx, gss_1964_tok_type body, gss_buffer_t hash, size_t datalen, gss_buffer_t des3_token)
1699	{
1700	gss_1964_header token;
1701	gss_1964_token_body tokbody;
1702	lucid_context_t lctx = &ctx->gss_lucid_ctx;
1703	crypto_ctx_t cctx = &ctx->gss_cryptor;
1704	uint32_t seq = (uint32_t) (lctx->send_seq++ & `0xffff`);
1705	size_t toklen = sizeof(gss_1964_token_body_desc) + cctx->digest_size;
1706	size_t alloclen = toklen + sizeof (gss_1964_header_desc) + gss_krb5_der_length_size(toklen + datalen);
1707	uint8_t *tokptr;
1708
1709	MALLOC(token, gss_1964_header, alloclen, M_TEMP, M_WAITOK\|M_ZERO);
1710	*token = tok_1964_header;
1711	tokptr = token->AppLen;
1712	gss_krb5_der_length_put(&tokptr, toklen + datalen);
1713	tokbody = (gss_1964_token_body)tokptr;
1714	tokbody = body_1964_token; /* Initalize the token body /
1715	tokbody->body = body; / and now set the body to the token type passed in /
1716	seq = htonl(seq);
1717	for (int i = `0`; i < `4`; i++)
1718	tokbody->SND_SEQ[i] = (uint8_t)((seq >> (i * `8`)) & `0xff`);
1719	for (int i = `4`; i < `8`; i++)
1720	tokbody->SND_SEQ[i] = lctx->initiate ? `0x00` : `0xff`;
1721
1722	size_t blocksize = cctx->enc_mode->block_size;
1723	cccbc_iv_decl(blocksize, iv);
1724	cccbc_ctx_decl(cctx->enc_mode->size, enc_ctx);
1725	cccbc_set_iv(cctx->enc_mode, iv, hash->value);
1726	cccbc_init(cctx->enc_mode, enc_ctx, cctx->keylen, cctx->key);
1727	cccbc_update(cctx->enc_mode, enc_ctx, iv, `1`, tokbody->SND_SEQ, tokbody->SND_SEQ);
1728
1729	assert(hash->length == cctx->digest_size);
1730	memcpy(tokbody->Hash, hash->value, hash->length);
1731	des3_token->length = alloclen;
1732	des3_token->value = token;
1733	}
1734
1735	static int
1736	gss_krb5_3des_token_get(gss_ctx_id_t ctx, gss_buffer_t intok,
1737	gss_1964_tok_type body, gss_buffer_t hash, size_t offset, size_t len, int reverse)
1738	{
1739	gss_1964_header token = intok->value;
1740	gss_1964_token_body tokbody;
1741	lucid_context_t lctx = &ctx->gss_lucid_ctx;
1742	crypto_ctx_t cctx = &ctx->gss_cryptor;
1743	ssize_t length;
1744	size_t toklen;
1745	uint8_t *tokptr;
1746	uint32_t seq;
1747	int initiate;
1748
1749	if (token->App0 != tok_1964_header.App0) {
1750	printf("%s: bad framing\n", __func__);
1751	printgbuf(__func__, intok);
1752	return (EBADRPC);
1753	}
1754	tokptr = token->AppLen;
1755	length = gss_krb5_der_length_get(&tokptr);
1756	if (length < `0`) {
1757	printf("%s: invalid length\n", __func__);
1758	printgbuf(__func__, intok);
1759	return (EBADRPC);
1760	}
1761	toklen = sizeof (gss_1964_header_desc) + gss_krb5_der_length_size(length)
1762	+ sizeof (gss_1964_token_body_desc);
1763
1764	if (intok->length < toklen + cctx->digest_size) {
1765	printf("%s: token to short", __func__);
1766	printf("toklen = %d, length = %d\n", (int)toklen, (int)length);
1767	printgbuf(__func__, intok);
1768	return (EBADRPC);
1769	}
1770
1771	if (offset)
1772	*offset = toklen + cctx->digest_size;
1773
1774	if (len)
1775	len = length - sizeof* (gss_1964_token_body_desc) - cctx->digest_size;
1776
1777	tokbody = (gss_1964_token_body)tokptr;
1778	if (tokbody->OIDType != body_1964_token.OIDType \|\|
1779	tokbody->OIDLen != body_1964_token.OIDLen \|\|
1780	memcmp(tokbody->kerb_mech, body_1964_token.kerb_mech, tokbody->OIDLen) != `0`) {
1781	printf("%s: Invalid mechanism\n", __func__);
1782	printgbuf(__func__, intok);
1783	return (EBADRPC);
1784	}
1785	if (memcmp(&tokbody->body, &body, sizeof(gss_1964_tok_type)) != `0`) {
1786	printf("%s: Invalid body\n", __func__);
1787	printgbuf(__func__, intok);
1788	return (EBADRPC);
1789	}
1790	size_t blocksize = cctx->enc_mode->block_size;
1791	uint8_t *block = tokbody->SND_SEQ;
1792
1793	assert(blocksize == sizeof(tokbody->SND_SEQ));
1794	cccbc_iv_decl(blocksize, iv);
1795	cccbc_ctx_decl(cctx->dec_mode->size, dec_ctx);
1796	cccbc_set_iv(cctx->dec_mode, iv, tokbody->Hash);
1797	cccbc_init(cctx->dec_mode, dec_ctx, cctx->keylen, cctx->key);
1798	cccbc_update(cctx->dec_mode, dec_ctx, iv, `1`, block, block);
1799
1800	initiate = lctx->initiate ? (reverse ? `0` : `1`) : (reverse ? `1` : `0`);
1801	for(int i = `4`; i < `8`; i++) {
1802	if (tokbody->SND_SEQ[i] != (initiate ? `0xff` : `0x00`)) {
1803	printf("%s: Invalid des mac\n", __func__);
1804	printgbuf(__func__, intok);
1805	return (EAUTH);
1806	}
1807	}
1808
1809	memcpy(&seq, tokbody->SND_SEQ, sizeof (uint32_t));
1810
1811	lctx->recv_seq = ntohl(seq);
1812
1813	assert(hash->length >= cctx->digest_size);
1814	memcpy(hash->value, tokbody->Hash, cctx->digest_size);
1815
1816	return (`0`);
1817	}
1818
1819	uint32_t
1820	gss_krb5_3des_get_mic(uint32_t minor, /* minor status /
1821	gss_ctx_id_t ctx, / krb5 context id /
1822	gss_qop_t qop __unused, / qop_req (ignored) /
1823	gss_buffer_t mbp, / message buffer in /
1824	gss_buffer_t mic) / mic token out /
1825	{
1826	gss_1964_mic_token_desc tokbody = mic_1964_token;
1827	crypto_ctx_t cctx = &ctx->gss_cryptor;
1828	gss_buffer_desc hash;
1829	gss_buffer_desc header;
1830	uint8_t hashval[cctx->digest_size];
1831
1832	hash.length = cctx->digest_size;
1833	hash.value = hashval;
1834	tokbody.Sign_Alg[`0`] = `0x04`; / lctx->keydata.lucid_protocol_u.data_1964.sign_alg /
1835	tokbody.Sign_Alg[`1`] = `0x00`;
1836	header.length = sizeof (gss_1964_mic_token_desc);
1837	header.value = & tokbody;
1838
1839	/ Hash the data /
1840	*minor = krb5_mic(cctx, &header, mbp, NULL, hashval, NULL, `0`, `0`);
1841	if (*minor)
1842	return (GSS_S_FAILURE);
1843
1844	/ Make the token /
1845	gss_krb5_3des_token_put(ctx, tokbody, &hash, `0`, mic);
1846
1847	return (GSS_S_COMPLETE);
1848	}
1849
1850	uint32_t
1851	gss_krb5_3des_verify_mic(uint32_t *minor,
1852	gss_ctx_id_t ctx,
1853	gss_buffer_t mbp,
1854	gss_buffer_t mic,
1855	gss_qop_t *qop)
1856	{
1857	crypto_ctx_t cctx = &ctx->gss_cryptor;
1858	uint8_t hashval[cctx->digest_size];
1859	gss_buffer_desc hash;
1860	gss_1964_mic_token_desc mtok = mic_1964_token;
1861	gss_buffer_desc header;
1862	int verf;
1863
1864	mtok.Sign_Alg[`0`] = `0x04`; / lctx->key_data.lucid_protocol_u.data_1964.sign_alg /
1865	mtok.Sign_Alg[`1`] = `0x00`;
1866	hash.length = cctx->digest_size;
1867	hash.value = hashval;
1868	header.length = sizeof(gss_1964_mic_token_desc);
1869	header.value = &mtok;
1870
1871	if (qop)
1872	*qop = GSS_C_QOP_DEFAULT;
1873
1874	*minor = gss_krb5_3des_token_get(ctx, mic, mtok, &hash, NULL, NULL, `0`);
1875	if (*minor)
1876	return (GSS_S_FAILURE);
1877
1878	*minor = krb5_mic(cctx, &header, mbp, NULL, hashval, &verf, `0`, `0`);
1879	if (*minor)
1880	return (GSS_S_FAILURE);
1881
1882	return (verf ? GSS_S_COMPLETE : GSS_S_BAD_SIG);
1883	}
1884
1885	uint32_t
1886	gss_krb5_3des_get_mic_mbuf(uint32_t *minor,
1887	gss_ctx_id_t ctx,
1888	gss_qop_t qop __unused,
1889	mbuf_t mbp,
1890	size_t offset,
1891	size_t len,
1892	gss_buffer_t mic)
1893	{
1894	gss_1964_mic_token_desc tokbody = mic_1964_token;
1895	crypto_ctx_t cctx = &ctx->gss_cryptor;
1896	gss_buffer_desc header;
1897	gss_buffer_desc hash;
1898	uint8_t hashval[cctx->digest_size];
1899
1900	hash.length = cctx->digest_size;
1901	hash.value = hashval;
1902	tokbody.Sign_Alg[`0`] = `0x04`; / lctx->key_data.lucid_protocol_u.data_4121.sign_alg /
1903	tokbody.Sign_Alg[`1`] = `0x00`;
1904	header.length = sizeof (gss_1964_mic_token_desc);
1905	header.value = &tokbody;
1906
1907	/ Hash the data /
1908	*minor = krb5_mic_mbuf(cctx, &header, mbp, offset, len, NULL, hashval, NULL, `0`, `0`);
1909	if (*minor)
1910	return (GSS_S_FAILURE);
1911
1912	/ Make the token /
1913	gss_krb5_3des_token_put(ctx, tokbody, &hash, `0`, mic);
1914
1915	return (GSS_S_COMPLETE);
1916	}
1917
1918	uint32_t
1919	gss_krb5_3des_verify_mic_mbuf(uint32_t *minor,
1920	gss_ctx_id_t ctx,
1921	mbuf_t mbp,
1922	size_t offset,
1923	size_t len,
1924	gss_buffer_t mic,
1925	gss_qop_t *qop)
1926	{
1927	crypto_ctx_t cctx = &ctx->gss_cryptor;
1928	uint8_t hashval[cctx->digest_size];
1929	gss_buffer_desc header;
1930	gss_buffer_desc hash;
1931	gss_1964_mic_token_desc mtok = mic_1964_token;
1932	int verf;
1933
1934	mtok.Sign_Alg[`0`] = `0x04`; / lctx->key_data.lucic_protocol_u.data1964.sign_alg /
1935	mtok.Sign_Alg[`1`] = `0x00`;
1936	hash.length = cctx->digest_size;
1937	hash.value = hashval;
1938	header.length = sizeof(gss_1964_mic_token_desc);
1939	header.value = &mtok;
1940
1941	if (qop)
1942	*qop = GSS_C_QOP_DEFAULT;
1943
1944	*minor = gss_krb5_3des_token_get(ctx, mic, mtok, &hash, NULL, NULL, `0`);
1945	if (*minor)
1946	return (GSS_S_FAILURE);
1947
1948	*minor = krb5_mic_mbuf(cctx, &header, mbp, offset, len, NULL, hashval, &verf, `0`, `0`);
1949	if (*minor)
1950	return (GSS_S_FAILURE);
1951
1952	return (verf ? GSS_S_COMPLETE : GSS_S_BAD_SIG);
1953	}
1954
1955	uint32_t
1956	gss_krb5_3des_wrap_mbuf(uint32_t *minor,
1957	gss_ctx_id_t ctx,
1958	int conf_flag,
1959	gss_qop_t qop __unused,
1960	mbuf_t *mbp,
1961	size_t len,
1962	int *conf_state)
1963	{
1964	crypto_ctx_t cctx = &ctx->gss_cryptor;
1965	const struct ccmode_cbc *ccmode = cctx->enc_mode;
1966	uint8_t padlen;
1967	uint8_t pad[`8`];
1968	uint8_t confounder[ccmode->block_size];
1969	gss_1964_wrap_token_desc tokbody = wrap_1964_token;
1970	gss_buffer_desc header;
1971	gss_buffer_desc mic;
1972	gss_buffer_desc hash;
1973	uint8_t hashval[cctx->digest_size];
1974
1975	if (conf_state)
1976	*conf_state = conf_flag;
1977
1978	hash.length = cctx->digest_size;
1979	hash.value = hashval;
1980	tokbody.Sign_Alg[`0`] = `0x04`; / lctx->key_data.lucid_protocol_u.data_1964.sign_alg /
1981	tokbody.Sign_Alg[`1`] = `0x00`;
1982	/ conf_flag ? lctx->key_data.lucid_protocol_u.data_1964.seal_alg : 0xffff /
1983	tokbody.Seal_Alg[`0`] = conf_flag ? `0x02` : `0xff`;
1984	tokbody.Seal_Alg[`1`] = conf_flag ? `0x00` : `0xff`;
1985	header.length = sizeof (gss_1964_wrap_token_desc);
1986	header.value = &tokbody;
1987
1988	/ Prepend confounder /
1989	read_random(confounder, ccmode->block_size);
1990	*minor = gss_prepend_mbuf(mbp, confounder, ccmode->block_size);
1991	if (*minor)
1992	return (GSS_S_FAILURE);
1993
1994	/ Append trailer of up to 8 bytes and set pad length in each trailer byte /
1995	padlen = `8` - len % `8`;
1996	for (int i = `0`; i < padlen; i++)
1997	pad[i] = padlen;
1998	minor = gss_append_mbuf(mbp, pad, padlen);
1999	if (*minor)
2000	return (GSS_S_FAILURE);
2001
2002	len += ccmode->block_size + padlen;
2003
2004	/ Hash the data /
2005	minor = krb5_mic_mbuf(cctx, &header, mbp, `0`, len, NULL, hashval, NULL, `0`, `0`);
2006	if (*minor)
2007	return (GSS_S_FAILURE);
2008
2009	/ Make the token /
2010	gss_krb5_3des_token_put(ctx, tokbody, &hash, len, &mic);
2011
2012	if (conf_flag) {
2013	*minor = krb5_crypt_mbuf(cctx, mbp, len, `1`, `0`);
2014	if (*minor)
2015	return (GSS_S_FAILURE);
2016	}
2017
2018	*minor = gss_prepend_mbuf(mbp, mic.value, mic.length);
2019
2020	return (*minor ? GSS_S_FAILURE : GSS_S_COMPLETE);
2021	}
2022
2023	uint32_t
2024	gss_krb5_3des_unwrap_mbuf(uint32_t *minor,
2025	gss_ctx_id_t ctx,
2026	mbuf_t *mbp,
2027	size_t len,
2028	int *conf_state,
2029	gss_qop_t *qop)
2030	{
2031	crypto_ctx_t cctx = &ctx->gss_cryptor;
2032	const struct ccmode_cbc *ccmode = cctx->dec_mode;
2033	size_t length = `0`, offset;
2034	gss_buffer_desc hash;
2035	uint8_t hashval[cctx->digest_size];
2036	gss_buffer_desc itoken;
2037	uint8_t tbuffer[GSS_KRB5_3DES_MAXTOKSZ + cctx->digest_size];
2038	itoken.length = GSS_KRB5_3DES_MAXTOKSZ + cctx->digest_size;
2039	itoken.value = tbuffer;
2040	gss_1964_wrap_token_desc wrap = wrap_1964_token;
2041	gss_buffer_desc header;
2042	uint8_t padlen;
2043	mbuf_t smb, tmb;
2044	int cflag, verified, reverse = `0`;
2045
2046	if (len < GSS_KRB5_3DES_MAXTOKSZ) {
2047	*minor = EBADRPC;
2048	return (GSS_S_FAILURE);
2049	}
2050
2051	if (*qop == GSS_C_QOP_REVERSE)
2052	reverse = `1`;
2053	*qop = GSS_C_QOP_DEFAULT;
2054
2055	minor = mbuf_copydata(mbp, `0`, itoken.length, itoken.value);
2056	if (*minor)
2057	return (GSS_S_FAILURE);
2058
2059	hash.length = cctx->digest_size;
2060	hash.value = hashval;
2061	wrap.Sign_Alg[`0`] = `0x04`;
2062	wrap.Sign_Alg[`1`] = `0x00`;
2063	wrap.Seal_Alg[`0`] = `0x02`;
2064	wrap.Seal_Alg[`1`] = `0x00`;
2065
2066	for (cflag = `1`; cflag >= `0`; cflag--) {
2067	*minor = gss_krb5_3des_token_get(ctx, &itoken, wrap, &hash, &offset, &length, reverse);
2068	if (*minor == `0`)
2069	break;
2070	wrap.Seal_Alg[`0`] = `0xff`;
2071	wrap.Seal_Alg[`0`] = `0xff`;
2072	}
2073	if (*minor)
2074	return (GSS_S_FAILURE);
2075
2076	if (conf_state)
2077	*conf_state = cflag;
2078
2079	/*
2080	* Seperate off the header
2081	*/
2082	minor = gss_normalize_mbuf(mbp, offset, &length, &smb, &tmb, `0`);
2083	if (*minor)
2084	return (GSS_S_FAILURE);
2085
2086	assert(tmb == NULL);
2087
2088	/ Decrypt the chain if needed /
2089	if (cflag) {
2090	*minor = krb5_crypt_mbuf(cctx, &smb, length, `0`, NULL);
2091	if (*minor)
2092	return (GSS_S_FAILURE);
2093	}
2094
2095	/ Verify the mic /
2096	header.length = sizeof(gss_1964_wrap_token_desc);
2097	header.value = &wrap;
2098
2099	*minor = krb5_mic_mbuf(cctx, &header, smb, `0`, length, NULL, hashval, &verified, `0`, `0`);
2100	if (!verified)
2101	return (GSS_S_BAD_SIG);
2102	if (*minor)
2103	return (GSS_S_FAILURE);
2104
2105	/ Get the pad bytes /
2106	*minor = mbuf_copydata(smb, length - `1`, `1`, &padlen);
2107	if (*minor)
2108	return (GSS_S_FAILURE);
2109
2110	/ Strip the confounder and trailing pad bytes /
2111	gss_strip_mbuf(smb, -padlen);
2112	gss_strip_mbuf(smb, ccmode->block_size);
2113
2114	if (*mbp != smb) {
2115	mbuf_freem(*mbp);
2116	*mbp = smb;
2117	}
2118
2119	return (GSS_S_COMPLETE);
2120	}
2121
2122	static const char *
2123	etype_name(etypes etype)
2124	{
2125	switch (etype) {
2126	case DES3_CBC_SHA1_KD:
2127	return ("des3-cbc-sha1");
2128	case AES128_CTS_HMAC_SHA1_96:
2129	return ("aes128-cts-hmac-sha1-96");
2130	case AES256_CTS_HMAC_SHA1_96:
2131	return ("aes-cts-hmac-sha1-96");
2132	default:
2133	return ("unknown enctype");
2134	}
2135	}
2136
2137	static int
2138	supported_etype(uint32_t proto, etypes etype)
2139	{
2140	const char *proto_name;
2141
2142	switch(proto) {
2143	case `0`:
2144	/ RFC 1964 /
2145	proto_name = "RFC 1964 krb5 gss mech";
2146	switch (etype) {
2147	case DES3_CBC_SHA1_KD:
2148	return (`1`);
2149	default:
2150	break;
2151	}
2152	break;
2153	case `1`:
2154	/ RFC 4121 /
2155	proto_name = "RFC 4121 krb5 gss mech";
2156	switch (etype) {
2157	case AES256_CTS_HMAC_SHA1_96:
2158	case AES128_CTS_HMAC_SHA1_96:
2159	return (`1`);
2160	default:
2161	break;
2162	}
2163	break;
2164	default:
2165	proto_name = "Unknown krb5 gss mech";
2166	break;
2167	}
2168	printf("%s: Non supported encryption %s (%d) type for protocol %s (%d)\n",
2169	__func__, etype_name(etype), etype, proto_name, proto);
2170	return (`0`);
2171	}
2172
2173	/*
2174	* Kerberos gss mech entry points
2175	*/
2176	uint32_t
2177	gss_krb5_get_mic(uint32_t minor, /* minor_status /
2178	gss_ctx_id_t ctx, / context_handle /
2179	gss_qop_t qop, / qop_req /
2180	gss_buffer_t mbp, / message buffer /
2181	gss_buffer_t mic / message_token /)
2182	{
2183	uint32_t minor_stat = `0`;
2184
2185	if (minor == NULL)
2186	minor = &minor_stat;
2187	*minor = `0`;
2188
2189	/ Validate context /
2190	if (ctx == NULL \|\| ((lucid_context_version_t)ctx)->version != `1`)
2191	return (GSS_S_NO_CONTEXT);
2192
2193	if (!supported_etype(ctx->gss_lucid_ctx.key_data.proto, ctx->gss_cryptor.etype)) {
2194	*minor = ENOTSUP;
2195	return (GSS_S_FAILURE);
2196	}
2197
2198	switch(ctx->gss_lucid_ctx.key_data.proto) {
2199	case `0`:
2200	/ RFC 1964 DES3 case /
2201	return (gss_krb5_3des_get_mic(minor, ctx, qop, mbp, mic));
2202	case `1`:
2203	/ RFC 4121 CFX case /
2204	return (gss_krb5_cfx_get_mic(minor, ctx, qop, mbp, mic));
2205	}
2206
2207	return (GSS_S_COMPLETE);
2208	}
2209
2210	uint32_t
2211	gss_krb5_verify_mic(uint32_t minor, /* minor_status /
2212	gss_ctx_id_t ctx, / context_handle /
2213	gss_buffer_t mbp, / message_buffer /
2214	gss_buffer_t mic, / message_token /
2215	gss_qop_t qop /* qop_state /)
2216	{
2217	uint32_t minor_stat = `0`;
2218	gss_qop_t qop_val = GSS_C_QOP_DEFAULT;
2219
2220	if (minor == NULL)
2221	minor = &minor_stat;
2222	if (qop == NULL)
2223	qop = &qop_val;
2224
2225	*minor = `0`;
2226
2227	/ Validate context /
2228	if (ctx == NULL \|\| ((lucid_context_version_t)ctx)->version != `1`)
2229	return (GSS_S_NO_CONTEXT);
2230
2231	if (!supported_etype(ctx->gss_lucid_ctx.key_data.proto, ctx->gss_cryptor.etype)) {
2232	*minor = ENOTSUP;
2233	return (GSS_S_FAILURE);
2234	}
2235
2236	switch(ctx->gss_lucid_ctx.key_data.proto) {
2237	case `0`:
2238	/ RFC 1964 DES3 case /
2239	return (gss_krb5_3des_verify_mic(minor, ctx, mbp, mic, qop));
2240	case `1`:
2241	/ RFC 4121 CFX case /
2242	return (gss_krb5_cfx_verify_mic(minor, ctx, mbp, mic, qop));
2243	}
2244	return (GSS_S_COMPLETE);
2245	}
2246
2247	uint32_t
2248	gss_krb5_get_mic_mbuf(uint32_t minor, /* minor_status /
2249	gss_ctx_id_t ctx, / context_handle /
2250	gss_qop_t qop, / qop_req /
2251	mbuf_t mbp, / message mbuf /
2252	size_t offset, / offest /
2253	size_t len, / length /
2254	gss_buffer_t mic / message_token /)
2255	{
2256	uint32_t minor_stat = `0`;
2257
2258	if (minor == NULL)
2259	minor = &minor_stat;
2260	*minor = `0`;
2261
2262	if (len == `0`)
2263	len = ~(size_t)`0`;
2264
2265	/ Validate context /
2266	if (ctx == NULL \|\| ((lucid_context_version_t)ctx)->version != `1`)
2267	return (GSS_S_NO_CONTEXT);
2268
2269	if (!supported_etype(ctx->gss_lucid_ctx.key_data.proto, ctx->gss_cryptor.etype)) {
2270	*minor = ENOTSUP;
2271	return (GSS_S_FAILURE);
2272	}
2273
2274	switch(ctx->gss_lucid_ctx.key_data.proto) {
2275	case `0`:
2276	/ RFC 1964 DES3 case /
2277	return (gss_krb5_3des_get_mic_mbuf(minor, ctx, qop, mbp, offset, len, mic));
2278	case `1`:
2279	/ RFC 4121 CFX case /
2280	return (gss_krb5_cfx_get_mic_mbuf(minor, ctx, qop, mbp, offset, len, mic));
2281	}
2282
2283	return (GSS_S_COMPLETE);
2284	}
2285
2286	uint32_t
2287	gss_krb5_verify_mic_mbuf(uint32_t minor, /* minor_status /
2288	gss_ctx_id_t ctx, / context_handle /
2289	mbuf_t mbp, / message_buffer /
2290	size_t offset, / offset /
2291	size_t len, / length /
2292	gss_buffer_t mic, / message_token /
2293	gss_qop_t qop /* qop_state /)
2294	{
2295	uint32_t minor_stat = `0`;
2296	gss_qop_t qop_val = GSS_C_QOP_DEFAULT;
2297
2298	if (minor == NULL)
2299	minor = &minor_stat;
2300	if (qop == NULL)
2301	qop = &qop_val;
2302
2303	*minor = `0`;
2304
2305	if (len == `0`)
2306	len = ~(size_t)`0`;
2307
2308	/ Validate context /
2309	if (ctx == NULL \|\| ((lucid_context_version_t)ctx)->version != `1`)
2310	return (GSS_S_NO_CONTEXT);
2311
2312	if (!supported_etype(ctx->gss_lucid_ctx.key_data.proto, ctx->gss_cryptor.etype)) {
2313	*minor = ENOTSUP;
2314	return (GSS_S_FAILURE);
2315	}
2316
2317	switch(ctx->gss_lucid_ctx.key_data.proto) {
2318	case `0`:
2319	/ RFC 1964 DES3 case /
2320	return (gss_krb5_3des_verify_mic_mbuf(minor, ctx, mbp, offset, len, mic, qop));
2321	case `1`:
2322	/ RFC 4121 CFX case /
2323	return (gss_krb5_cfx_verify_mic_mbuf(minor, ctx, mbp, offset, len, mic, qop));
2324	}
2325
2326	return (GSS_S_COMPLETE);
2327	}
2328
2329	uint32_t
2330	gss_krb5_wrap_mbuf(uint32_t minor, /* minor_status /
2331	gss_ctx_id_t ctx, / context_handle /
2332	int conf_flag, / conf_req_flag /
2333	gss_qop_t qop, / qop_req /
2334	mbuf_t mbp, /* input/output message_buffer /
2335	size_t offset, / offset /
2336	size_t len, / length /
2337	int conf_state /* conf state /)
2338	{
2339	uint32_t major, minor_stat = `0`;
2340	mbuf_t smb, tmb;
2341	int conf_val = `0`;
2342
2343	if (minor == NULL)
2344	minor = &minor_stat;
2345	if (conf_state == NULL)
2346	conf_state = &conf_val;
2347
2348	*minor = `0`;
2349
2350	/ Validate context /
2351	if (ctx == NULL \|\| ((lucid_context_version_t)ctx)->version != `1`)
2352	return (GSS_S_NO_CONTEXT);
2353
2354	if (!supported_etype(ctx->gss_lucid_ctx.key_data.proto, ctx->gss_cryptor.etype)) {
2355	*minor = ENOTSUP;
2356	return (GSS_S_FAILURE);
2357	}
2358
2359	gss_normalize_mbuf(*mbp, offset, &len, &smb, &tmb, `0`);
2360
2361	switch(ctx->gss_lucid_ctx.key_data.proto) {
2362	case `0`:
2363	/ RFC 1964 DES3 case /
2364	major = gss_krb5_3des_wrap_mbuf(minor, ctx, conf_flag, qop, &smb, len, conf_state);
2365	break;
2366	case `1`:
2367	/ RFC 4121 CFX case /
2368	major = gss_krb5_cfx_wrap_mbuf(minor, ctx, conf_flag, qop, &smb, len, conf_state);
2369	break;
2370	}
2371
2372	if (offset)
2373	gss_join_mbuf(*mbp, smb, tmb);
2374	else {
2375	*mbp = smb;
2376	gss_join_mbuf(smb, tmb, NULL);
2377	}
2378
2379	return (major);
2380	}
2381
2382	uint32_t
2383	gss_krb5_unwrap_mbuf(uint32_t * minor, / minor_status /
2384	gss_ctx_id_t ctx, / context_handle /
2385	mbuf_t mbp, /* input/output message_buffer /
2386	size_t offset, / offset /
2387	size_t len, / length /
2388	int conf_flag, /* conf_state /
2389	gss_qop_t qop /* qop state /)
2390	{
2391	uint32_t major, minor_stat = `0`;
2392	gss_qop_t qop_val = GSS_C_QOP_DEFAULT;
2393	int conf_val = `0`;
2394	mbuf_t smb, tmb;
2395
2396	if (minor == NULL)
2397	minor = &minor_stat;
2398	if (qop == NULL)
2399	qop = &qop_val;
2400	if (conf_flag == NULL)
2401	conf_flag = &conf_val;
2402
2403	/ Validate context /
2404	if (ctx == NULL \|\| ((lucid_context_version_t)ctx)->version != `1`)
2405	return (GSS_S_NO_CONTEXT);
2406
2407	if (!supported_etype(ctx->gss_lucid_ctx.key_data.proto, ctx->gss_cryptor.etype)) {
2408	*minor = ENOTSUP;
2409	return (GSS_S_FAILURE);
2410	}
2411
2412	gss_normalize_mbuf(*mbp, offset, &len, &smb, &tmb, `0`);
2413
2414	switch(ctx->gss_lucid_ctx.key_data.proto) {
2415	case `0`:
2416	/ RFC 1964 DES3 case /
2417	major = gss_krb5_3des_unwrap_mbuf(minor, ctx, &smb, len, conf_flag, qop);
2418	break;
2419	case `1`:
2420	/ RFC 4121 CFX case /
2421	major = gss_krb5_cfx_unwrap_mbuf(minor, ctx, &smb, len, conf_flag, qop);
2422	break;
2423	}
2424
2425	if (offset)
2426	gss_join_mbuf(*mbp, smb, tmb);
2427	else {
2428	*mbp = smb;
2429	gss_join_mbuf(smb, tmb, NULL);
2430	}
2431
2432	return (major);
2433	}
2434
2435	#include <nfs/xdr_subs.h>
2436
2437	static int
2438	xdr_lucid_context(void *data, size_t length, lucid_context_t lctx)
2439	{
2440	struct xdrbuf xb;
2441	int error = `0`;
2442	uint32_t keylen = `0`;
2443
2444	xb_init_buffer(&xb, data, length);
2445	xb_get_32(error, &xb, lctx->vers);
2446	if (!error && lctx->vers != `1`) {
2447	error = EINVAL;
2448	printf("%s: invalid version %d\n", __func__, (int)lctx->vers);
2449	goto out;
2450	}
2451	xb_get_32(error, &xb, lctx->initiate);
2452	if (error) {
2453	printf("%s: Could not decode initiate\n", __func__);
2454	goto out;
2455	}
2456	xb_get_32(error, &xb, lctx->endtime);
2457	if (error) {
2458	printf("%s: Could not decode endtime\n", __func__);
2459	goto out;
2460	}
2461	xb_get_64(error, &xb, lctx->send_seq);
2462	if (error) {
2463	printf("%s: Could not decode send_seq\n", __func__);
2464	goto out;
2465	}
2466	xb_get_64(error, &xb, lctx->recv_seq);
2467	if (error) {
2468	printf("%s: Could not decode recv_seq\n", __func__);
2469	goto out;
2470	}
2471	xb_get_32(error, &xb, lctx->key_data.proto);
2472	if (error) {
2473	printf("%s: Could not decode mech protocol\n", __func__);
2474	goto out;
2475	}
2476	switch(lctx->key_data.proto) {
2477	case `0`:
2478	xb_get_32(error, &xb, lctx->key_data.lucid_protocol_u.data_1964.sign_alg);
2479	xb_get_32(error, &xb, lctx->key_data.lucid_protocol_u.data_1964.seal_alg);
2480	if (error)
2481	printf("%s: Could not decode rfc1964 sign and seal\n", __func__);
2482	break;
2483	case `1`:
2484	xb_get_32(error, &xb, lctx->key_data.lucid_protocol_u.data_4121.acceptor_subkey);
2485	if (error)
2486	printf("%s: Could not decode rfc4121 acceptor_subkey", __func__);
2487	break;
2488	default:
2489	printf("%s: Invalid mech protocol %d\n", __func__, (int)lctx->key_data.proto);
2490	error = EINVAL;
2491	}
2492	if (error)
2493	goto out;
2494	xb_get_32(error, &xb, lctx->ctx_key.etype);
2495	if (error) {
2496	printf("%s: Could not decode key enctype\n", __func__);
2497	goto out;
2498	}
2499	switch(lctx->ctx_key.etype) {
2500	case DES3_CBC_SHA1_KD:
2501	keylen = `24`;
2502	break;
2503	case AES128_CTS_HMAC_SHA1_96:
2504	keylen = `16`;
2505	break;
2506	case AES256_CTS_HMAC_SHA1_96:
2507	keylen = `32`;
2508	break;
2509	default:
2510	error = ENOTSUP;
2511	goto out;
2512	}
2513	xb_get_32(error, &xb, lctx->ctx_key.key.key_len);
2514	if (error) {
2515	printf("%s: could not decode key length\n", __func__);
2516	goto out;
2517	}
2518	if (lctx->ctx_key.key.key_len != keylen) {
2519	error = EINVAL;
2520	printf("%s: etype = %d keylen = %d expected keylen = %d\n", __func__,
2521	lctx->ctx_key.etype, lctx->ctx_key.key.key_len, keylen);
2522	goto out;
2523	}
2524
2525	lctx->ctx_key.key.key_val = xb_malloc(keylen);
2526	if (lctx->ctx_key.key.key_val == NULL) {
2527	printf("%s: could not get memory for key\n", __func__);
2528	error = ENOMEM;
2529	goto out;
2530	}
2531	error = xb_get_bytes(&xb, (char *)lctx->ctx_key.key.key_val, keylen, `1`);
2532	if (error) {
2533	printf("%s: could get key value\n", __func__);
2534	xb_free(lctx->ctx_key.key.key_val);
2535	}
2536	out:
2537	return (error);
2538	}
2539
2540	gss_ctx_id_t
2541	gss_krb5_make_context(void *data, uint32_t datalen)
2542	{
2543	gss_ctx_id_t ctx;
2544
2545	if (!corecrypto_available())
2546	return (NULL);
2547
2548	gss_krb5_mech_init();
2549	MALLOC(ctx, gss_ctx_id_t, sizeof (struct gss_ctx_id_desc), M_TEMP, M_WAITOK \| M_ZERO);
2550	if (xdr_lucid_context(data, datalen, &ctx->gss_lucid_ctx) \|\|
2551	!supported_etype(ctx->gss_lucid_ctx.key_data.proto, ctx->gss_lucid_ctx.ctx_key.etype)) {
2552	FREE(ctx, M_TEMP);
2553	FREE(data, M_TEMP);
2554	return (NULL);
2555	}
2556
2557	/ Set up crypto context /
2558	gss_crypto_ctx_init(&ctx->gss_cryptor, &ctx->gss_lucid_ctx);
2559	FREE(data, M_TEMP);
2560
2561	return (ctx);
2562	}
2563
2564	void
2565	gss_krb5_destroy_context(gss_ctx_id_t ctx)
2566	{
2567	if (ctx == NULL)
2568	return;
2569	gss_crypto_ctx_free(&ctx->gss_cryptor);
2570	FREE(ctx->gss_lucid_ctx.ctx_key.key.key_val, M_TEMP);
2571	cc_clear(sizeof (lucid_context_t), &ctx->gss_lucid_ctx);
2572	FREE(ctx, M_TEMP);
2573	}
2574

Browse the source code of codebrowser/bsd/nfs/gss/gss_krb5_mech.c