1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2008 Isilon Inc http://www.isilon.com/
5 * Authors: Doug Rabson <dfr@rabson.org>
6 * Developed with Red Inc: Alfred Perlstein <alfred@freebsd.org>
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 */
29
30 #include <sys/cdefs.h>
31 #include "opt_inet6.h"
32
33 #include <sys/param.h>
34 #include <sys/kernel.h>
35 #include <sys/kobj.h>
36 #include <sys/lock.h>
37 #include <sys/malloc.h>
38 #include <sys/mbuf.h>
39 #include <sys/module.h>
40 #include <sys/mutex.h>
41 #include <kgssapi/gssapi.h>
42 #include <kgssapi/gssapi_impl.h>
43
44 #include "kgss_if.h"
45 #include "kcrypto.h"
46
47 #define GSS_TOKEN_SENT_BY_ACCEPTOR 1
48 #define GSS_TOKEN_SEALED 2
49 #define GSS_TOKEN_ACCEPTOR_SUBKEY 4
50
51 static gss_OID_desc krb5_mech_oid =
52 {9, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
53
54 struct krb5_data {
55 size_t kd_length;
56 void *kd_data;
57 };
58
59 struct krb5_keyblock {
60 uint16_t kk_type; /* encryption type */
61 struct krb5_data kk_key; /* key data */
62 };
63
64 struct krb5_address {
65 uint16_t ka_type;
66 struct krb5_data ka_addr;
67 };
68
69 /*
70 * The km_elem array is ordered so that the highest received sequence
71 * number is listed first.
72 */
73 struct krb5_msg_order {
74 uint32_t km_flags;
75 uint32_t km_start;
76 uint32_t km_length;
77 uint32_t km_jitter_window;
78 uint32_t km_first_seq;
79 uint32_t *km_elem;
80 };
81
82 struct krb5_context {
83 struct _gss_ctx_id_t kc_common;
84 struct mtx kc_lock;
85 uint32_t kc_ac_flags;
86 uint32_t kc_ctx_flags;
87 uint32_t kc_more_flags;
88 #define LOCAL 1
89 #define OPEN 2
90 #define COMPAT_OLD_DES3 4
91 #define COMPAT_OLD_DES3_SELECTED 8
92 #define ACCEPTOR_SUBKEY 16
93 struct krb5_address kc_local_address;
94 struct krb5_address kc_remote_address;
95 uint16_t kc_local_port;
96 uint16_t kc_remote_port;
97 struct krb5_keyblock kc_keyblock;
98 struct krb5_keyblock kc_local_subkey;
99 struct krb5_keyblock kc_remote_subkey;
100 volatile uint32_t kc_local_seqnumber;
101 uint32_t kc_remote_seqnumber;
102 uint32_t kc_keytype;
103 uint32_t kc_cksumtype;
104 struct krb5_data kc_source_name;
105 struct krb5_data kc_target_name;
106 uint32_t kc_lifetime;
107 struct krb5_msg_order kc_msg_order;
108 struct krb5_key_state *kc_tokenkey;
109 struct krb5_key_state *kc_encryptkey;
110 struct krb5_key_state *kc_checksumkey;
111
112 struct krb5_key_state *kc_send_seal_Ke;
113 struct krb5_key_state *kc_send_seal_Ki;
114 struct krb5_key_state *kc_send_seal_Kc;
115 struct krb5_key_state *kc_send_sign_Kc;
116
117 struct krb5_key_state *kc_recv_seal_Ke;
118 struct krb5_key_state *kc_recv_seal_Ki;
119 struct krb5_key_state *kc_recv_seal_Kc;
120 struct krb5_key_state *kc_recv_sign_Kc;
121 };
122
123 static uint16_t
get_uint16(const uint8_t ** pp,size_t * lenp)124 get_uint16(const uint8_t **pp, size_t *lenp)
125 {
126 const uint8_t *p = *pp;
127 uint16_t v;
128
129 if (*lenp < 2)
130 return (0);
131
132 v = (p[0] << 8) | p[1];
133 *pp = p + 2;
134 *lenp = *lenp - 2;
135
136 return (v);
137 }
138
139 static uint32_t
get_uint32(const uint8_t ** pp,size_t * lenp)140 get_uint32(const uint8_t **pp, size_t *lenp)
141 {
142 const uint8_t *p = *pp;
143 uint32_t v;
144
145 if (*lenp < 4)
146 return (0);
147
148 v = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
149 *pp = p + 4;
150 *lenp = *lenp - 4;
151
152 return (v);
153 }
154
155 static void
get_data(const uint8_t ** pp,size_t * lenp,struct krb5_data * dp)156 get_data(const uint8_t **pp, size_t *lenp, struct krb5_data *dp)
157 {
158 size_t sz = get_uint32(pp, lenp);
159
160 dp->kd_length = sz;
161 dp->kd_data = malloc(sz, M_GSSAPI, M_WAITOK);
162
163 if (*lenp < sz)
164 sz = *lenp;
165 bcopy(*pp, dp->kd_data, sz);
166 (*pp) += sz;
167 (*lenp) -= sz;
168 }
169
170 static void
delete_data(struct krb5_data * dp)171 delete_data(struct krb5_data *dp)
172 {
173 if (dp->kd_data) {
174 free(dp->kd_data, M_GSSAPI);
175 dp->kd_length = 0;
176 dp->kd_data = NULL;
177 }
178 }
179
180 static void
get_address(const uint8_t ** pp,size_t * lenp,struct krb5_address * ka)181 get_address(const uint8_t **pp, size_t *lenp, struct krb5_address *ka)
182 {
183
184 ka->ka_type = get_uint16(pp, lenp);
185 get_data(pp, lenp, &ka->ka_addr);
186 }
187
188 static void
delete_address(struct krb5_address * ka)189 delete_address(struct krb5_address *ka)
190 {
191 delete_data(&ka->ka_addr);
192 }
193
194 static void
get_keyblock(const uint8_t ** pp,size_t * lenp,struct krb5_keyblock * kk)195 get_keyblock(const uint8_t **pp, size_t *lenp, struct krb5_keyblock *kk)
196 {
197
198 kk->kk_type = get_uint16(pp, lenp);
199 get_data(pp, lenp, &kk->kk_key);
200 }
201
202 static void
delete_keyblock(struct krb5_keyblock * kk)203 delete_keyblock(struct krb5_keyblock *kk)
204 {
205 if (kk->kk_key.kd_data)
206 bzero(kk->kk_key.kd_data, kk->kk_key.kd_length);
207 delete_data(&kk->kk_key);
208 }
209
210 static void
copy_key(struct krb5_keyblock * from,struct krb5_keyblock ** to)211 copy_key(struct krb5_keyblock *from, struct krb5_keyblock **to)
212 {
213
214 if (from->kk_key.kd_length)
215 *to = from;
216 else
217 *to = NULL;
218 }
219
220 static void
copy_lucid_key(gss_buffer_desc * from,uint32_t type,struct krb5_keyblock * to)221 copy_lucid_key(gss_buffer_desc *from, uint32_t type, struct krb5_keyblock *to)
222 {
223
224 to->kk_type = type;
225 to->kk_key.kd_length = from->length;
226 if (from->length > 0) {
227 to->kk_key.kd_data = malloc(from->length, M_GSSAPI, M_WAITOK);
228 memcpy(to->kk_key.kd_data, from->value, from->length);
229 }
230 }
231
232 /*
233 * Return non-zero if we are initiator.
234 */
235 static __inline int
is_initiator(struct krb5_context * kc)236 is_initiator(struct krb5_context *kc)
237 {
238 return (kc->kc_more_flags & LOCAL);
239 }
240
241 /*
242 * Return non-zero if we are acceptor.
243 */
244 static __inline int
is_acceptor(struct krb5_context * kc)245 is_acceptor(struct krb5_context *kc)
246 {
247 return !(kc->kc_more_flags & LOCAL);
248 }
249
250 static void
get_initiator_subkey(struct krb5_context * kc,struct krb5_keyblock ** kdp)251 get_initiator_subkey(struct krb5_context *kc, struct krb5_keyblock **kdp)
252 {
253
254 if (is_initiator(kc))
255 copy_key(&kc->kc_local_subkey, kdp);
256 else
257 copy_key(&kc->kc_remote_subkey, kdp);
258 if (!*kdp)
259 copy_key(&kc->kc_keyblock, kdp);
260 }
261
262 static void
get_acceptor_subkey(struct krb5_context * kc,struct krb5_keyblock ** kdp)263 get_acceptor_subkey(struct krb5_context *kc, struct krb5_keyblock **kdp)
264 {
265
266 if (is_initiator(kc))
267 copy_key(&kc->kc_remote_subkey, kdp);
268 else
269 copy_key(&kc->kc_local_subkey, kdp);
270 }
271
272 static OM_uint32
get_keys(struct krb5_context * kc)273 get_keys(struct krb5_context *kc)
274 {
275 struct krb5_keyblock *keydata;
276 struct krb5_encryption_class *ec;
277 struct krb5_key_state *key;
278 int etype;
279
280 keydata = NULL;
281 get_acceptor_subkey(kc, &keydata);
282 if (!keydata)
283 if ((kc->kc_more_flags & ACCEPTOR_SUBKEY) == 0)
284 get_initiator_subkey(kc, &keydata);
285 if (!keydata)
286 return (GSS_S_FAILURE);
287
288 /*
289 * GSS-API treats all DES etypes the same and all DES3 etypes
290 * the same.
291 */
292 switch (keydata->kk_type) {
293 case ETYPE_DES_CBC_CRC:
294 case ETYPE_DES_CBC_MD4:
295 case ETYPE_DES_CBC_MD5:
296 etype = ETYPE_DES_CBC_CRC;
297 break;
298
299 case ETYPE_DES3_CBC_MD5:
300 case ETYPE_DES3_CBC_SHA1:
301 case ETYPE_OLD_DES3_CBC_SHA1:
302 etype = ETYPE_DES3_CBC_SHA1;
303 break;
304
305 default:
306 etype = keydata->kk_type;
307 }
308
309 ec = krb5_find_encryption_class(etype);
310 if (!ec)
311 return (GSS_S_FAILURE);
312
313 key = krb5_create_key(ec);
314 krb5_set_key(key, keydata->kk_key.kd_data);
315 kc->kc_tokenkey = key;
316
317 switch (etype) {
318 case ETYPE_DES_CBC_CRC:
319 case ETYPE_ARCFOUR_HMAC_MD5:
320 case ETYPE_ARCFOUR_HMAC_MD5_56: {
321 /*
322 * Single DES and ARCFOUR uses a 'derived' key (XOR
323 * with 0xf0) for encrypting wrap tokens. The original
324 * key is used for checksums and sequence numbers.
325 */
326 struct krb5_key_state *ekey;
327 uint8_t *ekp, *kp;
328 int i;
329
330 ekey = krb5_create_key(ec);
331 ekp = ekey->ks_key;
332 kp = key->ks_key;
333 for (i = 0; i < ec->ec_keylen; i++)
334 ekp[i] = kp[i] ^ 0xf0;
335 krb5_set_key(ekey, ekp);
336 kc->kc_encryptkey = ekey;
337 refcount_acquire(&key->ks_refs);
338 kc->kc_checksumkey = key;
339 break;
340 }
341
342 case ETYPE_DES3_CBC_SHA1:
343 /*
344 * Triple DES uses a RFC 3961 style derived key with
345 * usage number KG_USAGE_SIGN for checksums. The
346 * original key is used for encryption and sequence
347 * numbers.
348 */
349 kc->kc_checksumkey = krb5_get_checksum_key(key, KG_USAGE_SIGN);
350 refcount_acquire(&key->ks_refs);
351 kc->kc_encryptkey = key;
352 break;
353
354 default:
355 /*
356 * We need eight derived keys four for sending and
357 * four for receiving.
358 */
359 if (is_initiator(kc)) {
360 /*
361 * We are initiator.
362 */
363 kc->kc_send_seal_Ke = krb5_get_encryption_key(key,
364 KG_USAGE_INITIATOR_SEAL);
365 kc->kc_send_seal_Ki = krb5_get_integrity_key(key,
366 KG_USAGE_INITIATOR_SEAL);
367 kc->kc_send_seal_Kc = krb5_get_checksum_key(key,
368 KG_USAGE_INITIATOR_SEAL);
369 kc->kc_send_sign_Kc = krb5_get_checksum_key(key,
370 KG_USAGE_INITIATOR_SIGN);
371
372 kc->kc_recv_seal_Ke = krb5_get_encryption_key(key,
373 KG_USAGE_ACCEPTOR_SEAL);
374 kc->kc_recv_seal_Ki = krb5_get_integrity_key(key,
375 KG_USAGE_ACCEPTOR_SEAL);
376 kc->kc_recv_seal_Kc = krb5_get_checksum_key(key,
377 KG_USAGE_ACCEPTOR_SEAL);
378 kc->kc_recv_sign_Kc = krb5_get_checksum_key(key,
379 KG_USAGE_ACCEPTOR_SIGN);
380 } else {
381 /*
382 * We are acceptor.
383 */
384 kc->kc_send_seal_Ke = krb5_get_encryption_key(key,
385 KG_USAGE_ACCEPTOR_SEAL);
386 kc->kc_send_seal_Ki = krb5_get_integrity_key(key,
387 KG_USAGE_ACCEPTOR_SEAL);
388 kc->kc_send_seal_Kc = krb5_get_checksum_key(key,
389 KG_USAGE_ACCEPTOR_SEAL);
390 kc->kc_send_sign_Kc = krb5_get_checksum_key(key,
391 KG_USAGE_ACCEPTOR_SIGN);
392
393 kc->kc_recv_seal_Ke = krb5_get_encryption_key(key,
394 KG_USAGE_INITIATOR_SEAL);
395 kc->kc_recv_seal_Ki = krb5_get_integrity_key(key,
396 KG_USAGE_INITIATOR_SEAL);
397 kc->kc_recv_seal_Kc = krb5_get_checksum_key(key,
398 KG_USAGE_INITIATOR_SEAL);
399 kc->kc_recv_sign_Kc = krb5_get_checksum_key(key,
400 KG_USAGE_INITIATOR_SIGN);
401 }
402 break;
403 }
404
405 return (GSS_S_COMPLETE);
406 }
407
408 static void
krb5_init(gss_ctx_id_t ctx)409 krb5_init(gss_ctx_id_t ctx)
410 {
411 struct krb5_context *kc = (struct krb5_context *)ctx;
412
413 mtx_init(&kc->kc_lock, "krb5 gss lock", NULL, MTX_DEF);
414 }
415
416 static OM_uint32
krb5_lucid_import(gss_ctx_id_t ctx,enum sec_context_format format,const gss_buffer_t context_token)417 krb5_lucid_import(gss_ctx_id_t ctx,
418 enum sec_context_format format,
419 const gss_buffer_t context_token)
420 {
421 struct krb5_context *kc = (struct krb5_context *)ctx;
422 kgss_lucid_desc *lctx = (kgss_lucid_desc *)context_token;
423 OM_uint32 res;
424
425 kc->kc_more_flags = 0;
426 if (lctx->protocol == 0) {
427 kc->kc_cksumtype = lctx->rfc_sign;
428 kc->kc_keytype = lctx->rfc_seal;
429 copy_lucid_key(&lctx->ctx_key, lctx->ctx_type,
430 &kc->kc_keyblock);
431 } else if (lctx->protocol == 1) {
432 if (lctx->have_subkey != 0) {
433 if (lctx->initiate != 0)
434 copy_lucid_key(&lctx->subkey_key,
435 lctx->subkey_type,
436 &kc->kc_remote_subkey);
437 else
438 copy_lucid_key(&lctx->subkey_key,
439 lctx->subkey_type,
440 &kc->kc_local_subkey);
441 kc->kc_cksumtype = lctx->subkey_type;
442 kc->kc_keytype = lctx->subkey_type;
443 kc->kc_more_flags |= ACCEPTOR_SUBKEY;
444 } else {
445 if (lctx->initiate != 0)
446 copy_lucid_key(&lctx->ctx_key,
447 lctx->ctx_type,
448 &kc->kc_remote_subkey);
449 else
450 copy_lucid_key(&lctx->ctx_key,
451 lctx->ctx_type,
452 &kc->kc_local_subkey);
453 kc->kc_cksumtype = lctx->ctx_type;
454 kc->kc_keytype = lctx->ctx_type;
455 }
456 } else {
457 return (GSS_S_DEFECTIVE_TOKEN);
458 }
459 kc->kc_local_seqnumber = lctx->send_seq;
460 kc->kc_remote_seqnumber = lctx->recv_seq;
461 if (lctx->initiate != 0)
462 kc->kc_more_flags |= LOCAL;
463 kc->kc_lifetime = lctx->endtime;
464 kc->kc_msg_order.km_flags = 0;
465
466 res = get_keys(kc);
467 if (GSS_ERROR(res))
468 return (res);
469
470 /*
471 * We don't need these anymore.
472 */
473 delete_keyblock(&kc->kc_keyblock);
474 delete_keyblock(&kc->kc_local_subkey);
475 delete_keyblock(&kc->kc_remote_subkey);
476
477 return (GSS_S_COMPLETE);
478 }
479
480 static OM_uint32
krb5_import(gss_ctx_id_t ctx,enum sec_context_format format,const gss_buffer_t context_token)481 krb5_import(gss_ctx_id_t ctx,
482 enum sec_context_format format,
483 const gss_buffer_t context_token)
484 {
485 struct krb5_context *kc = (struct krb5_context *)ctx;
486 OM_uint32 res;
487 const uint8_t *p = (const uint8_t *) context_token->value;
488 size_t len = context_token->length;
489 uint32_t flags;
490 int i;
491
492 /* For MIT, just call krb5_lucid_import(). */
493 if (format == MIT_V1)
494 return (krb5_lucid_import(ctx, format, context_token));
495
496 /*
497 * We support heimdal 0.6 and heimdal 1.1
498 */
499 if (format != KGSS_HEIMDAL_0_6 && format != KGSS_HEIMDAL_1_1)
500 return (GSS_S_DEFECTIVE_TOKEN);
501
502 #define SC_LOCAL_ADDRESS 1
503 #define SC_REMOTE_ADDRESS 2
504 #define SC_KEYBLOCK 4
505 #define SC_LOCAL_SUBKEY 8
506 #define SC_REMOTE_SUBKEY 16
507
508 /*
509 * Ensure that the token starts with krb5 oid.
510 */
511 if (p[0] != 0x00 || p[1] != krb5_mech_oid.length
512 || len < krb5_mech_oid.length + 2
513 || bcmp(krb5_mech_oid.elements, p + 2,
514 krb5_mech_oid.length))
515 return (GSS_S_DEFECTIVE_TOKEN);
516 p += krb5_mech_oid.length + 2;
517 len -= krb5_mech_oid.length + 2;
518
519 flags = get_uint32(&p, &len);
520 kc->kc_ac_flags = get_uint32(&p, &len);
521 if (flags & SC_LOCAL_ADDRESS)
522 get_address(&p, &len, &kc->kc_local_address);
523 if (flags & SC_REMOTE_ADDRESS)
524 get_address(&p, &len, &kc->kc_remote_address);
525 kc->kc_local_port = get_uint16(&p, &len);
526 kc->kc_remote_port = get_uint16(&p, &len);
527 if (flags & SC_KEYBLOCK)
528 get_keyblock(&p, &len, &kc->kc_keyblock);
529 if (flags & SC_LOCAL_SUBKEY)
530 get_keyblock(&p, &len, &kc->kc_local_subkey);
531 if (flags & SC_REMOTE_SUBKEY)
532 get_keyblock(&p, &len, &kc->kc_remote_subkey);
533 kc->kc_local_seqnumber = get_uint32(&p, &len);
534 kc->kc_remote_seqnumber = get_uint32(&p, &len);
535 kc->kc_keytype = get_uint32(&p, &len);
536 kc->kc_cksumtype = get_uint32(&p, &len);
537 get_data(&p, &len, &kc->kc_source_name);
538 get_data(&p, &len, &kc->kc_target_name);
539 kc->kc_ctx_flags = get_uint32(&p, &len);
540 kc->kc_more_flags = get_uint32(&p, &len);
541 kc->kc_lifetime = get_uint32(&p, &len);
542 /*
543 * Heimdal 1.1 adds the message order stuff.
544 */
545 if (format == KGSS_HEIMDAL_1_1) {
546 kc->kc_msg_order.km_flags = get_uint32(&p, &len);
547 kc->kc_msg_order.km_start = get_uint32(&p, &len);
548 kc->kc_msg_order.km_length = get_uint32(&p, &len);
549 kc->kc_msg_order.km_jitter_window = get_uint32(&p, &len);
550 kc->kc_msg_order.km_first_seq = get_uint32(&p, &len);
551 kc->kc_msg_order.km_elem =
552 malloc(kc->kc_msg_order.km_jitter_window * sizeof(uint32_t),
553 M_GSSAPI, M_WAITOK);
554 for (i = 0; i < kc->kc_msg_order.km_jitter_window; i++)
555 kc->kc_msg_order.km_elem[i] = get_uint32(&p, &len);
556 } else {
557 kc->kc_msg_order.km_flags = 0;
558 }
559
560 res = get_keys(kc);
561 if (GSS_ERROR(res))
562 return (res);
563
564 /*
565 * We don't need these anymore.
566 */
567 delete_keyblock(&kc->kc_keyblock);
568 delete_keyblock(&kc->kc_local_subkey);
569 delete_keyblock(&kc->kc_remote_subkey);
570
571 return (GSS_S_COMPLETE);
572 }
573
574 static void
krb5_delete(gss_ctx_id_t ctx,gss_buffer_t output_token)575 krb5_delete(gss_ctx_id_t ctx, gss_buffer_t output_token)
576 {
577 struct krb5_context *kc = (struct krb5_context *)ctx;
578
579 delete_address(&kc->kc_local_address);
580 delete_address(&kc->kc_remote_address);
581 delete_keyblock(&kc->kc_keyblock);
582 delete_keyblock(&kc->kc_local_subkey);
583 delete_keyblock(&kc->kc_remote_subkey);
584 delete_data(&kc->kc_source_name);
585 delete_data(&kc->kc_target_name);
586 if (kc->kc_msg_order.km_elem)
587 free(kc->kc_msg_order.km_elem, M_GSSAPI);
588 if (output_token) {
589 output_token->length = 0;
590 output_token->value = NULL;
591 }
592 if (kc->kc_tokenkey) {
593 krb5_free_key(kc->kc_tokenkey);
594 if (kc->kc_encryptkey) {
595 krb5_free_key(kc->kc_encryptkey);
596 krb5_free_key(kc->kc_checksumkey);
597 } else {
598 krb5_free_key(kc->kc_send_seal_Ke);
599 krb5_free_key(kc->kc_send_seal_Ki);
600 krb5_free_key(kc->kc_send_seal_Kc);
601 krb5_free_key(kc->kc_send_sign_Kc);
602 krb5_free_key(kc->kc_recv_seal_Ke);
603 krb5_free_key(kc->kc_recv_seal_Ki);
604 krb5_free_key(kc->kc_recv_seal_Kc);
605 krb5_free_key(kc->kc_recv_sign_Kc);
606 }
607 }
608 mtx_destroy(&kc->kc_lock);
609 }
610
611 static gss_OID
krb5_mech_type(gss_ctx_id_t ctx)612 krb5_mech_type(gss_ctx_id_t ctx)
613 {
614
615 return (&krb5_mech_oid);
616 }
617
618 /*
619 * Make a token with the given type and length (the length includes
620 * the TOK_ID), initialising the token header appropriately. Return a
621 * pointer to the TOK_ID of the token. A new mbuf is allocated with
622 * the framing header plus hlen bytes of space.
623 *
624 * Format is as follows:
625 *
626 * 0x60 [APPLICATION 0] SEQUENCE
627 * DER encoded length length of oid + type + inner token length
628 * 0x06 NN <oid data> OID of mechanism type
629 * TT TT TOK_ID
630 * <inner token> data for inner token
631 *
632 * 1: der encoded length
633 */
634 static void *
krb5_make_token(char tok_id[2],size_t hlen,size_t len,struct mbuf ** mp)635 krb5_make_token(char tok_id[2], size_t hlen, size_t len, struct mbuf **mp)
636 {
637 size_t inside_len, len_len, tlen;
638 gss_OID oid = &krb5_mech_oid;
639 struct mbuf *m;
640 uint8_t *p;
641
642 inside_len = 2 + oid->length + len;
643 if (inside_len < 128)
644 len_len = 1;
645 else if (inside_len < 0x100)
646 len_len = 2;
647 else if (inside_len < 0x10000)
648 len_len = 3;
649 else if (inside_len < 0x1000000)
650 len_len = 4;
651 else
652 len_len = 5;
653
654 tlen = 1 + len_len + 2 + oid->length + hlen;
655 KASSERT(tlen <= MLEN, ("token head too large"));
656 MGET(m, M_WAITOK, MT_DATA);
657 M_ALIGN(m, tlen);
658 m->m_len = tlen;
659
660 p = (uint8_t *) m->m_data;
661 *p++ = 0x60;
662 switch (len_len) {
663 case 1:
664 *p++ = inside_len;
665 break;
666 case 2:
667 *p++ = 0x81;
668 *p++ = inside_len;
669 break;
670 case 3:
671 *p++ = 0x82;
672 *p++ = inside_len >> 8;
673 *p++ = inside_len;
674 break;
675 case 4:
676 *p++ = 0x83;
677 *p++ = inside_len >> 16;
678 *p++ = inside_len >> 8;
679 *p++ = inside_len;
680 break;
681 case 5:
682 *p++ = 0x84;
683 *p++ = inside_len >> 24;
684 *p++ = inside_len >> 16;
685 *p++ = inside_len >> 8;
686 *p++ = inside_len;
687 break;
688 }
689
690 *p++ = 0x06;
691 *p++ = oid->length;
692 bcopy(oid->elements, p, oid->length);
693 p += oid->length;
694
695 p[0] = tok_id[0];
696 p[1] = tok_id[1];
697
698 *mp = m;
699
700 return (p);
701 }
702
703 /*
704 * Verify a token, checking the inner token length and mechanism oid.
705 * pointer to the first byte of the TOK_ID. The length of the
706 * encapsulated data is checked to be at least len bytes; the actual
707 * length of the encapsulated data (including TOK_ID) is returned in
708 * *encap_len.
709 *
710 * If can_pullup is TRUE and the token header is fragmented, we will
711 * rearrange it.
712 *
713 * Format is as follows:
714 *
715 * 0x60 [APPLICATION 0] SEQUENCE
716 * DER encoded length length of oid + type + inner token length
717 * 0x06 NN <oid data> OID of mechanism type
718 * TT TT TOK_ID
719 * <inner token> data for inner token
720 *
721 * 1: der encoded length
722 */
723 static void *
krb5_verify_token(char tok_id[2],size_t len,struct mbuf ** mp,size_t * encap_len,bool_t can_pullup)724 krb5_verify_token(char tok_id[2], size_t len, struct mbuf **mp,
725 size_t *encap_len, bool_t can_pullup)
726 {
727 struct mbuf *m;
728 size_t tlen, hlen, len_len, inside_len;
729 gss_OID oid = &krb5_mech_oid;
730 uint8_t *p;
731
732 m = *mp;
733 tlen = m_length(m, NULL);
734 if (tlen < 2)
735 return (NULL);
736
737 /*
738 * Ensure that at least the framing part of the token is
739 * contigous.
740 */
741 if (m->m_len < 2) {
742 if (can_pullup)
743 *mp = m = m_pullup(m, 2);
744 else
745 return (NULL);
746 }
747
748 p = m->m_data;
749
750 if (*p++ != 0x60)
751 return (NULL);
752
753 if (*p < 0x80) {
754 inside_len = *p++;
755 len_len = 1;
756 } else {
757 /*
758 * Ensure there is enough space for the DER encoded length.
759 */
760 len_len = (*p & 0x7f) + 1;
761 if (tlen < len_len + 1)
762 return (NULL);
763 if (m->m_len < len_len + 1) {
764 if (can_pullup)
765 *mp = m = m_pullup(m, len_len + 1);
766 else
767 return (NULL);
768 p = m->m_data + 1;
769 }
770
771 switch (*p++) {
772 case 0x81:
773 inside_len = *p++;
774 break;
775
776 case 0x82:
777 inside_len = (p[0] << 8) | p[1];
778 p += 2;
779 break;
780
781 case 0x83:
782 inside_len = (p[0] << 16) | (p[1] << 8) | p[2];
783 p += 3;
784 break;
785
786 case 0x84:
787 inside_len = (p[0] << 24) | (p[1] << 16)
788 | (p[2] << 8) | p[3];
789 p += 4;
790 break;
791
792 default:
793 return (NULL);
794 }
795 }
796
797 if (tlen != inside_len + len_len + 1)
798 return (NULL);
799 if (inside_len < 2 + oid->length + len)
800 return (NULL);
801
802 /*
803 * Now that we know the value of len_len, we can pullup the
804 * whole header. The header is 1 + len_len + 2 + oid->length +
805 * len bytes.
806 */
807 hlen = 1 + len_len + 2 + oid->length + len;
808 if (m->m_len < hlen) {
809 if (can_pullup)
810 *mp = m = m_pullup(m, hlen);
811 else
812 return (NULL);
813 p = m->m_data + 1 + len_len;
814 }
815
816 if (*p++ != 0x06)
817 return (NULL);
818 if (*p++ != oid->length)
819 return (NULL);
820 if (bcmp(oid->elements, p, oid->length))
821 return (NULL);
822 p += oid->length;
823
824 if (p[0] != tok_id[0])
825 return (NULL);
826
827 if (p[1] != tok_id[1])
828 return (NULL);
829
830 *encap_len = inside_len - 2 - oid->length;
831
832 return (p);
833 }
834
835 static void
krb5_insert_seq(struct krb5_msg_order * mo,uint32_t seq,int index)836 krb5_insert_seq(struct krb5_msg_order *mo, uint32_t seq, int index)
837 {
838 int i;
839
840 if (mo->km_length < mo->km_jitter_window)
841 mo->km_length++;
842
843 for (i = mo->km_length - 1; i > index; i--)
844 mo->km_elem[i] = mo->km_elem[i - 1];
845 mo->km_elem[index] = seq;
846 }
847
848 /*
849 * Check sequence numbers according to RFC 2743 section 1.2.3.
850 */
851 static OM_uint32
krb5_sequence_check(struct krb5_context * kc,uint32_t seq)852 krb5_sequence_check(struct krb5_context *kc, uint32_t seq)
853 {
854 OM_uint32 res = GSS_S_FAILURE;
855 struct krb5_msg_order *mo = &kc->kc_msg_order;
856 int check_sequence = mo->km_flags & GSS_C_SEQUENCE_FLAG;
857 int check_replay = mo->km_flags & GSS_C_REPLAY_FLAG;
858 int i;
859
860 mtx_lock(&kc->kc_lock);
861
862 /*
863 * Message is in-sequence with no gap.
864 */
865 if (mo->km_length == 0 || seq == mo->km_elem[0] + 1) {
866 /*
867 * This message is received in-sequence with no gaps.
868 */
869 krb5_insert_seq(mo, seq, 0);
870 res = GSS_S_COMPLETE;
871 goto out;
872 }
873
874 if (seq > mo->km_elem[0]) {
875 /*
876 * This message is received in-sequence with a gap.
877 */
878 krb5_insert_seq(mo, seq, 0);
879 if (check_sequence)
880 res = GSS_S_GAP_TOKEN;
881 else
882 res = GSS_S_COMPLETE;
883 goto out;
884 }
885
886 if (seq < mo->km_elem[mo->km_length - 1]) {
887 if (check_replay && !check_sequence)
888 res = GSS_S_OLD_TOKEN;
889 else
890 res = GSS_S_UNSEQ_TOKEN;
891 goto out;
892 }
893
894 for (i = 0; i < mo->km_length; i++) {
895 if (mo->km_elem[i] == seq) {
896 res = GSS_S_DUPLICATE_TOKEN;
897 goto out;
898 }
899 if (mo->km_elem[i] < seq) {
900 /*
901 * We need to insert this seq here,
902 */
903 krb5_insert_seq(mo, seq, i);
904 if (check_replay && !check_sequence)
905 res = GSS_S_COMPLETE;
906 else
907 res = GSS_S_UNSEQ_TOKEN;
908 goto out;
909 }
910 }
911
912 out:
913 mtx_unlock(&kc->kc_lock);
914
915 return (res);
916 }
917
918 static uint8_t sgn_alg_des_md5[] = { 0x00, 0x00 };
919 static uint8_t seal_alg_des[] = { 0x00, 0x00 };
920 static uint8_t sgn_alg_des3_sha1[] = { 0x04, 0x00 };
921 static uint8_t seal_alg_des3[] = { 0x02, 0x00 };
922 static uint8_t seal_alg_rc4[] = { 0x10, 0x00 };
923 static uint8_t sgn_alg_hmac_md5[] = { 0x11, 0x00 };
924
925 /*
926 * Return the size of the inner token given the use of the key's
927 * encryption class. For wrap tokens, the length of the padded
928 * plaintext will be added to this.
929 */
930 static size_t
token_length(struct krb5_key_state * key)931 token_length(struct krb5_key_state *key)
932 {
933
934 return (16 + key->ks_class->ec_checksumlen);
935 }
936
937 static OM_uint32
krb5_get_mic_old(struct krb5_context * kc,struct mbuf * m,struct mbuf ** micp,uint8_t sgn_alg[2])938 krb5_get_mic_old(struct krb5_context *kc, struct mbuf *m,
939 struct mbuf **micp, uint8_t sgn_alg[2])
940 {
941 struct mbuf *mlast, *mic, *tm;
942 uint8_t *p, dir;
943 size_t tlen, mlen, cklen;
944 uint32_t seq;
945 char buf[8];
946
947 mlen = m_length(m, &mlast);
948
949 tlen = token_length(kc->kc_tokenkey);
950 p = krb5_make_token("\x01\x01", tlen, tlen, &mic);
951 p += 2; /* TOK_ID */
952 *p++ = sgn_alg[0]; /* SGN_ALG */
953 *p++ = sgn_alg[1];
954
955 *p++ = 0xff; /* filler */
956 *p++ = 0xff;
957 *p++ = 0xff;
958 *p++ = 0xff;
959
960 /*
961 * SGN_CKSUM:
962 *
963 * Calculate the keyed checksum of the token header plus the
964 * message.
965 */
966 cklen = kc->kc_checksumkey->ks_class->ec_checksumlen;
967
968 mic->m_len = p - (uint8_t *) mic->m_data;
969 mic->m_next = m;
970 MGET(tm, M_WAITOK, MT_DATA);
971 tm->m_len = cklen;
972 mlast->m_next = tm;
973
974 krb5_checksum(kc->kc_checksumkey, 15, mic, mic->m_len - 8,
975 8 + mlen, cklen);
976 bcopy(tm->m_data, p + 8, cklen);
977 mic->m_next = NULL;
978 mlast->m_next = NULL;
979 m_free(tm);
980
981 /*
982 * SND_SEQ:
983 *
984 * Take the four bytes of the sequence number least
985 * significant first followed by four bytes of direction
986 * marker (zero for initiator and 0xff for acceptor). Encrypt
987 * that data using the SGN_CKSUM as IV. Note: ARC4 wants the
988 * sequence number big-endian.
989 */
990 seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
991 if (sgn_alg[0] == 0x11) {
992 p[0] = (seq >> 24);
993 p[1] = (seq >> 16);
994 p[2] = (seq >> 8);
995 p[3] = (seq >> 0);
996 } else {
997 p[0] = (seq >> 0);
998 p[1] = (seq >> 8);
999 p[2] = (seq >> 16);
1000 p[3] = (seq >> 24);
1001 }
1002 if (is_initiator(kc)) {
1003 dir = 0;
1004 } else {
1005 dir = 0xff;
1006 }
1007 p[4] = dir;
1008 p[5] = dir;
1009 p[6] = dir;
1010 p[7] = dir;
1011 bcopy(p + 8, buf, 8);
1012
1013 /*
1014 * Set the mic buffer to its final size so that the encrypt
1015 * can see the SND_SEQ part.
1016 */
1017 mic->m_len += 8 + cklen;
1018 krb5_encrypt(kc->kc_tokenkey, mic, mic->m_len - cklen - 8, 8, buf, 8);
1019
1020 *micp = mic;
1021 return (GSS_S_COMPLETE);
1022 }
1023
1024 static OM_uint32
krb5_get_mic_new(struct krb5_context * kc,struct mbuf * m,struct mbuf ** micp)1025 krb5_get_mic_new(struct krb5_context *kc, struct mbuf *m,
1026 struct mbuf **micp)
1027 {
1028 struct krb5_key_state *key = kc->kc_send_sign_Kc;
1029 struct mbuf *mlast, *mic;
1030 uint8_t *p;
1031 int flags;
1032 size_t mlen, cklen;
1033 uint32_t seq;
1034
1035 mlen = m_length(m, &mlast);
1036 cklen = key->ks_class->ec_checksumlen;
1037
1038 KASSERT(16 + cklen <= MLEN, ("checksum too large for an mbuf"));
1039 MGET(mic, M_WAITOK, MT_DATA);
1040 M_ALIGN(mic, 16 + cklen);
1041 mic->m_len = 16 + cklen;
1042 p = mic->m_data;
1043
1044 /* TOK_ID */
1045 p[0] = 0x04;
1046 p[1] = 0x04;
1047
1048 /* Flags */
1049 flags = 0;
1050 if (is_acceptor(kc))
1051 flags |= GSS_TOKEN_SENT_BY_ACCEPTOR;
1052 if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
1053 flags |= GSS_TOKEN_ACCEPTOR_SUBKEY;
1054 p[2] = flags;
1055
1056 /* Filler */
1057 p[3] = 0xff;
1058 p[4] = 0xff;
1059 p[5] = 0xff;
1060 p[6] = 0xff;
1061 p[7] = 0xff;
1062
1063 /* SND_SEQ */
1064 p[8] = 0;
1065 p[9] = 0;
1066 p[10] = 0;
1067 p[11] = 0;
1068 seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
1069 p[12] = (seq >> 24);
1070 p[13] = (seq >> 16);
1071 p[14] = (seq >> 8);
1072 p[15] = (seq >> 0);
1073
1074 /*
1075 * SGN_CKSUM:
1076 *
1077 * Calculate the keyed checksum of the message plus the first
1078 * 16 bytes of the token header.
1079 */
1080 mlast->m_next = mic;
1081 krb5_checksum(key, 0, m, 0, mlen + 16, cklen);
1082 mlast->m_next = NULL;
1083
1084 *micp = mic;
1085 return (GSS_S_COMPLETE);
1086 }
1087
1088 static OM_uint32
krb5_get_mic(gss_ctx_id_t ctx,OM_uint32 * minor_status,gss_qop_t qop_req,struct mbuf * m,struct mbuf ** micp)1089 krb5_get_mic(gss_ctx_id_t ctx, OM_uint32 *minor_status,
1090 gss_qop_t qop_req, struct mbuf *m, struct mbuf **micp)
1091 {
1092 struct krb5_context *kc = (struct krb5_context *)ctx;
1093
1094 *minor_status = 0;
1095
1096 if (qop_req != GSS_C_QOP_DEFAULT)
1097 return (GSS_S_BAD_QOP);
1098
1099 if (time_uptime > kc->kc_lifetime)
1100 return (GSS_S_CONTEXT_EXPIRED);
1101
1102 switch (kc->kc_tokenkey->ks_class->ec_type) {
1103 case ETYPE_DES_CBC_CRC:
1104 return (krb5_get_mic_old(kc, m, micp, sgn_alg_des_md5));
1105
1106 case ETYPE_DES3_CBC_SHA1:
1107 return (krb5_get_mic_old(kc, m, micp, sgn_alg_des3_sha1));
1108
1109 case ETYPE_ARCFOUR_HMAC_MD5:
1110 case ETYPE_ARCFOUR_HMAC_MD5_56:
1111 return (krb5_get_mic_old(kc, m, micp, sgn_alg_hmac_md5));
1112
1113 default:
1114 return (krb5_get_mic_new(kc, m, micp));
1115 }
1116
1117 return (GSS_S_FAILURE);
1118 }
1119
1120 static OM_uint32
krb5_verify_mic_old(struct krb5_context * kc,struct mbuf * m,struct mbuf * mic,uint8_t sgn_alg[2])1121 krb5_verify_mic_old(struct krb5_context *kc, struct mbuf *m, struct mbuf *mic,
1122 uint8_t sgn_alg[2])
1123 {
1124 struct mbuf *mlast, *tm;
1125 uint8_t *p, *tp, dir;
1126 size_t mlen, tlen, elen;
1127 size_t cklen;
1128 uint32_t seq;
1129
1130 mlen = m_length(m, &mlast);
1131
1132 tlen = token_length(kc->kc_tokenkey);
1133 p = krb5_verify_token("\x01\x01", tlen, &mic, &elen, FALSE);
1134 if (!p)
1135 return (GSS_S_DEFECTIVE_TOKEN);
1136 #if 0
1137 /*
1138 * Disable this check - heimdal-1.1 generates DES3 MIC tokens
1139 * that are 2 bytes too big.
1140 */
1141 if (elen != tlen)
1142 return (GSS_S_DEFECTIVE_TOKEN);
1143 #endif
1144 /* TOK_ID */
1145 p += 2;
1146
1147 /* SGN_ALG */
1148 if (p[0] != sgn_alg[0] || p[1] != sgn_alg[1])
1149 return (GSS_S_DEFECTIVE_TOKEN);
1150 p += 2;
1151
1152 if (p[0] != 0xff || p[1] != 0xff || p[2] != 0xff || p[3] != 0xff)
1153 return (GSS_S_DEFECTIVE_TOKEN);
1154 p += 4;
1155
1156 /*
1157 * SGN_CKSUM:
1158 *
1159 * Calculate the keyed checksum of the token header plus the
1160 * message.
1161 */
1162 cklen = kc->kc_checksumkey->ks_class->ec_checksumlen;
1163 mic->m_len = p - (uint8_t *) mic->m_data;
1164 mic->m_next = m;
1165 MGET(tm, M_WAITOK, MT_DATA);
1166 tm->m_len = cklen;
1167 mlast->m_next = tm;
1168
1169 krb5_checksum(kc->kc_checksumkey, 15, mic, mic->m_len - 8,
1170 8 + mlen, cklen);
1171 mic->m_next = NULL;
1172 mlast->m_next = NULL;
1173 if (bcmp(tm->m_data, p + 8, cklen)) {
1174 m_free(tm);
1175 return (GSS_S_BAD_SIG);
1176 }
1177
1178 /*
1179 * SND_SEQ:
1180 *
1181 * Take the four bytes of the sequence number least
1182 * significant first followed by four bytes of direction
1183 * marker (zero for initiator and 0xff for acceptor). Encrypt
1184 * that data using the SGN_CKSUM as IV. Note: ARC4 wants the
1185 * sequence number big-endian.
1186 */
1187 bcopy(p, tm->m_data, 8);
1188 tm->m_len = 8;
1189 krb5_decrypt(kc->kc_tokenkey, tm, 0, 8, p + 8, 8);
1190
1191 tp = tm->m_data;
1192 if (sgn_alg[0] == 0x11) {
1193 seq = tp[3] | (tp[2] << 8) | (tp[1] << 16) | (tp[0] << 24);
1194 } else {
1195 seq = tp[0] | (tp[1] << 8) | (tp[2] << 16) | (tp[3] << 24);
1196 }
1197
1198 if (is_initiator(kc)) {
1199 dir = 0xff;
1200 } else {
1201 dir = 0;
1202 }
1203 if (tp[4] != dir || tp[5] != dir || tp[6] != dir || tp[7] != dir) {
1204 m_free(tm);
1205 return (GSS_S_DEFECTIVE_TOKEN);
1206 }
1207 m_free(tm);
1208
1209 if (kc->kc_msg_order.km_flags &
1210 (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) {
1211 return (krb5_sequence_check(kc, seq));
1212 }
1213
1214 return (GSS_S_COMPLETE);
1215 }
1216
1217 static OM_uint32
krb5_verify_mic_new(struct krb5_context * kc,struct mbuf * m,struct mbuf * mic)1218 krb5_verify_mic_new(struct krb5_context *kc, struct mbuf *m, struct mbuf *mic)
1219 {
1220 OM_uint32 res;
1221 struct krb5_key_state *key = kc->kc_recv_sign_Kc;
1222 struct mbuf *mlast;
1223 uint8_t *p;
1224 int flags;
1225 size_t mlen, cklen;
1226 char buf[32];
1227
1228 mlen = m_length(m, &mlast);
1229 cklen = key->ks_class->ec_checksumlen;
1230
1231 KASSERT(mic->m_next == NULL, ("MIC should be contiguous"));
1232 if (mic->m_len != 16 + cklen)
1233 return (GSS_S_DEFECTIVE_TOKEN);
1234 p = mic->m_data;
1235
1236 /* TOK_ID */
1237 if (p[0] != 0x04)
1238 return (GSS_S_DEFECTIVE_TOKEN);
1239 if (p[1] != 0x04)
1240 return (GSS_S_DEFECTIVE_TOKEN);
1241
1242 /* Flags */
1243 flags = 0;
1244 if (is_initiator(kc))
1245 flags |= GSS_TOKEN_SENT_BY_ACCEPTOR;
1246 if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
1247 flags |= GSS_TOKEN_ACCEPTOR_SUBKEY;
1248 if (p[2] != flags)
1249 return (GSS_S_DEFECTIVE_TOKEN);
1250
1251 /* Filler */
1252 if (p[3] != 0xff)
1253 return (GSS_S_DEFECTIVE_TOKEN);
1254 if (p[4] != 0xff)
1255 return (GSS_S_DEFECTIVE_TOKEN);
1256 if (p[5] != 0xff)
1257 return (GSS_S_DEFECTIVE_TOKEN);
1258 if (p[6] != 0xff)
1259 return (GSS_S_DEFECTIVE_TOKEN);
1260 if (p[7] != 0xff)
1261 return (GSS_S_DEFECTIVE_TOKEN);
1262
1263 /* SND_SEQ */
1264 if (kc->kc_msg_order.km_flags &
1265 (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) {
1266 uint32_t seq;
1267 if (p[8] || p[9] || p[10] || p[11]) {
1268 res = GSS_S_UNSEQ_TOKEN;
1269 } else {
1270 seq = (p[12] << 24) | (p[13] << 16)
1271 | (p[14] << 8) | p[15];
1272 res = krb5_sequence_check(kc, seq);
1273 }
1274 if (GSS_ERROR(res))
1275 return (res);
1276 } else {
1277 res = GSS_S_COMPLETE;
1278 }
1279
1280 /*
1281 * SGN_CKSUM:
1282 *
1283 * Calculate the keyed checksum of the message plus the first
1284 * 16 bytes of the token header.
1285 */
1286 m_copydata(mic, 16, cklen, buf);
1287 mlast->m_next = mic;
1288 krb5_checksum(key, 0, m, 0, mlen + 16, cklen);
1289 mlast->m_next = NULL;
1290 if (bcmp(buf, p + 16, cklen)) {
1291 return (GSS_S_BAD_SIG);
1292 }
1293
1294 return (GSS_S_COMPLETE);
1295 }
1296
1297 static OM_uint32
krb5_verify_mic(gss_ctx_id_t ctx,OM_uint32 * minor_status,struct mbuf * m,struct mbuf * mic,gss_qop_t * qop_state)1298 krb5_verify_mic(gss_ctx_id_t ctx, OM_uint32 *minor_status,
1299 struct mbuf *m, struct mbuf *mic, gss_qop_t *qop_state)
1300 {
1301 struct krb5_context *kc = (struct krb5_context *)ctx;
1302
1303 *minor_status = 0;
1304 if (qop_state)
1305 *qop_state = GSS_C_QOP_DEFAULT;
1306
1307 if (time_uptime > kc->kc_lifetime)
1308 return (GSS_S_CONTEXT_EXPIRED);
1309
1310 switch (kc->kc_tokenkey->ks_class->ec_type) {
1311 case ETYPE_DES_CBC_CRC:
1312 return (krb5_verify_mic_old(kc, m, mic, sgn_alg_des_md5));
1313
1314 case ETYPE_ARCFOUR_HMAC_MD5:
1315 case ETYPE_ARCFOUR_HMAC_MD5_56:
1316 return (krb5_verify_mic_old(kc, m, mic, sgn_alg_hmac_md5));
1317
1318 case ETYPE_DES3_CBC_SHA1:
1319 return (krb5_verify_mic_old(kc, m, mic, sgn_alg_des3_sha1));
1320
1321 default:
1322 return (krb5_verify_mic_new(kc, m, mic));
1323 }
1324
1325 return (GSS_S_FAILURE);
1326 }
1327
1328 static OM_uint32
krb5_wrap_old(struct krb5_context * kc,int conf_req_flag,struct mbuf ** mp,int * conf_state,uint8_t sgn_alg[2],uint8_t seal_alg[2])1329 krb5_wrap_old(struct krb5_context *kc, int conf_req_flag,
1330 struct mbuf **mp, int *conf_state,
1331 uint8_t sgn_alg[2], uint8_t seal_alg[2])
1332 {
1333 struct mbuf *m, *mlast, *tm, *cm, *pm;
1334 size_t mlen, tlen, padlen, datalen;
1335 uint8_t *p, dir;
1336 size_t cklen;
1337 uint8_t buf[8];
1338 uint32_t seq;
1339
1340 /*
1341 * How many trailing pad bytes do we need?
1342 */
1343 m = *mp;
1344 mlen = m_length(m, &mlast);
1345 tlen = kc->kc_tokenkey->ks_class->ec_msgblocklen;
1346 padlen = tlen - (mlen % tlen);
1347
1348 /*
1349 * The data part of the token has eight bytes of random
1350 * confounder prepended and followed by up to eight bytes of
1351 * padding bytes each of which is set to the number of padding
1352 * bytes.
1353 */
1354 datalen = mlen + 8 + padlen;
1355 tlen = token_length(kc->kc_tokenkey);
1356
1357 p = krb5_make_token("\x02\x01", tlen, datalen + tlen, &tm);
1358 p += 2; /* TOK_ID */
1359 *p++ = sgn_alg[0]; /* SGN_ALG */
1360 *p++ = sgn_alg[1];
1361 if (conf_req_flag) {
1362 *p++ = seal_alg[0]; /* SEAL_ALG */
1363 *p++ = seal_alg[1];
1364 } else {
1365 *p++ = 0xff; /* SEAL_ALG = none */
1366 *p++ = 0xff;
1367 }
1368
1369 *p++ = 0xff; /* filler */
1370 *p++ = 0xff;
1371
1372 /*
1373 * Copy the padded message data.
1374 */
1375 if (M_LEADINGSPACE(m) >= 8) {
1376 m->m_data -= 8;
1377 m->m_len += 8;
1378 } else {
1379 MGET(cm, M_WAITOK, MT_DATA);
1380 cm->m_len = 8;
1381 cm->m_next = m;
1382 m = cm;
1383 }
1384 arc4rand(m->m_data, 8, 0);
1385 if (M_TRAILINGSPACE(mlast) >= padlen) {
1386 memset(mlast->m_data + mlast->m_len, padlen, padlen);
1387 mlast->m_len += padlen;
1388 } else {
1389 MGET(pm, M_WAITOK, MT_DATA);
1390 memset(pm->m_data, padlen, padlen);
1391 pm->m_len = padlen;
1392 mlast->m_next = pm;
1393 mlast = pm;
1394 }
1395 tm->m_next = m;
1396
1397 /*
1398 * SGN_CKSUM:
1399 *
1400 * Calculate the keyed checksum of the token header plus the
1401 * padded message. Fiddle with tm->m_len so that we only
1402 * checksum the 8 bytes of head that we care about.
1403 */
1404 cklen = kc->kc_checksumkey->ks_class->ec_checksumlen;
1405 tlen = tm->m_len;
1406 tm->m_len = p - (uint8_t *) tm->m_data;
1407 MGET(cm, M_WAITOK, MT_DATA);
1408 cm->m_len = cklen;
1409 mlast->m_next = cm;
1410 krb5_checksum(kc->kc_checksumkey, 13, tm, tm->m_len - 8,
1411 datalen + 8, cklen);
1412 tm->m_len = tlen;
1413 mlast->m_next = NULL;
1414 bcopy(cm->m_data, p + 8, cklen);
1415 m_free(cm);
1416
1417 /*
1418 * SND_SEQ:
1419 *
1420 * Take the four bytes of the sequence number least
1421 * significant first (most significant first for ARCFOUR)
1422 * followed by four bytes of direction marker (zero for
1423 * initiator and 0xff for acceptor). Encrypt that data using
1424 * the SGN_CKSUM as IV.
1425 */
1426 seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
1427 if (sgn_alg[0] == 0x11) {
1428 p[0] = (seq >> 24);
1429 p[1] = (seq >> 16);
1430 p[2] = (seq >> 8);
1431 p[3] = (seq >> 0);
1432 } else {
1433 p[0] = (seq >> 0);
1434 p[1] = (seq >> 8);
1435 p[2] = (seq >> 16);
1436 p[3] = (seq >> 24);
1437 }
1438 if (is_initiator(kc)) {
1439 dir = 0;
1440 } else {
1441 dir = 0xff;
1442 }
1443 p[4] = dir;
1444 p[5] = dir;
1445 p[6] = dir;
1446 p[7] = dir;
1447 krb5_encrypt(kc->kc_tokenkey, tm, p - (uint8_t *) tm->m_data,
1448 8, p + 8, 8);
1449
1450 if (conf_req_flag) {
1451 /*
1452 * Encrypt the padded message with an IV of zero for
1453 * DES and DES3, or an IV of the sequence number in
1454 * big-endian format for ARCFOUR.
1455 */
1456 if (seal_alg[0] == 0x10) {
1457 buf[0] = (seq >> 24);
1458 buf[1] = (seq >> 16);
1459 buf[2] = (seq >> 8);
1460 buf[3] = (seq >> 0);
1461 krb5_encrypt(kc->kc_encryptkey, m, 0, datalen,
1462 buf, 4);
1463 } else {
1464 krb5_encrypt(kc->kc_encryptkey, m, 0, datalen,
1465 NULL, 0);
1466 }
1467 }
1468
1469 if (conf_state)
1470 *conf_state = conf_req_flag;
1471
1472 *mp = tm;
1473 return (GSS_S_COMPLETE);
1474 }
1475
1476 static OM_uint32
krb5_wrap_new(struct krb5_context * kc,int conf_req_flag,struct mbuf ** mp,int * conf_state)1477 krb5_wrap_new(struct krb5_context *kc, int conf_req_flag,
1478 struct mbuf **mp, int *conf_state)
1479 {
1480 struct krb5_key_state *Ke = kc->kc_send_seal_Ke;
1481 struct krb5_key_state *Ki = kc->kc_send_seal_Ki;
1482 struct krb5_key_state *Kc = kc->kc_send_seal_Kc;
1483 const struct krb5_encryption_class *ec = Ke->ks_class;
1484 struct mbuf *m, *mlast, *tm;
1485 uint8_t *p;
1486 int flags, EC;
1487 size_t mlen, blen, mblen, cklen, ctlen;
1488 uint32_t seq;
1489 static char zpad[32];
1490
1491 m = *mp;
1492 mlen = m_length(m, &mlast);
1493
1494 blen = ec->ec_blocklen;
1495 mblen = ec->ec_msgblocklen;
1496 cklen = ec->ec_checksumlen;
1497
1498 if (conf_req_flag) {
1499 /*
1500 * For sealed messages, we need space for 16 bytes of
1501 * header, blen confounder, plaintext, padding, copy
1502 * of header and checksum.
1503 *
1504 * We pad to mblen (which may be different from
1505 * blen). If the encryption class is using CTS, mblen
1506 * will be one (i.e. no padding required).
1507 */
1508 if (mblen > 1)
1509 EC = mlen % mblen;
1510 else
1511 EC = 0;
1512 ctlen = blen + mlen + EC + 16;
1513
1514 /*
1515 * Put initial header and confounder before the
1516 * message.
1517 */
1518 M_PREPEND(m, 16 + blen, M_WAITOK);
1519
1520 /*
1521 * Append padding + copy of header and checksum. Try
1522 * to fit this into the end of the original message,
1523 * otherwise allocate a trailer.
1524 */
1525 if (M_TRAILINGSPACE(mlast) >= EC + 16 + cklen) {
1526 tm = NULL;
1527 mlast->m_len += EC + 16 + cklen;
1528 } else {
1529 MGET(tm, M_WAITOK, MT_DATA);
1530 tm->m_len = EC + 16 + cklen;
1531 mlast->m_next = tm;
1532 }
1533 } else {
1534 /*
1535 * For unsealed messages, we need 16 bytes of header
1536 * plus space for the plaintext and a checksum. EC is
1537 * set to the checksum size. We leave space in tm for
1538 * a copy of the header - this will be trimmed later.
1539 */
1540 M_PREPEND(m, 16, M_WAITOK);
1541
1542 MGET(tm, M_WAITOK, MT_DATA);
1543 tm->m_len = cklen + 16;
1544 mlast->m_next = tm;
1545 ctlen = 0;
1546 EC = cklen;
1547 }
1548
1549 p = m->m_data;
1550
1551 /* TOK_ID */
1552 p[0] = 0x05;
1553 p[1] = 0x04;
1554
1555 /* Flags */
1556 flags = 0;
1557 if (conf_req_flag)
1558 flags = GSS_TOKEN_SEALED;
1559 if (is_acceptor(kc))
1560 flags |= GSS_TOKEN_SENT_BY_ACCEPTOR;
1561 if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
1562 flags |= GSS_TOKEN_ACCEPTOR_SUBKEY;
1563 p[2] = flags;
1564
1565 /* Filler */
1566 p[3] = 0xff;
1567
1568 /* EC + RRC - set to zero initially */
1569 p[4] = 0;
1570 p[5] = 0;
1571 p[6] = 0;
1572 p[7] = 0;
1573
1574 /* SND_SEQ */
1575 p[8] = 0;
1576 p[9] = 0;
1577 p[10] = 0;
1578 p[11] = 0;
1579 seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
1580 p[12] = (seq >> 24);
1581 p[13] = (seq >> 16);
1582 p[14] = (seq >> 8);
1583 p[15] = (seq >> 0);
1584
1585 if (conf_req_flag) {
1586 /*
1587 * Encrypt according to RFC 4121 section 4.2 and RFC
1588 * 3961 section 5.3. Note: we don't generate tokens
1589 * with RRC values other than zero. If we did, we
1590 * should zero RRC in the copied header.
1591 */
1592 arc4rand(p + 16, blen, 0);
1593 if (EC) {
1594 m_copyback(m, 16 + blen + mlen, EC, zpad);
1595 }
1596 m_copyback(m, 16 + blen + mlen + EC, 16, p);
1597
1598 krb5_checksum(Ki, 0, m, 16, ctlen, cklen);
1599 krb5_encrypt(Ke, m, 16, ctlen, NULL, 0);
1600 } else {
1601 /*
1602 * The plaintext message is followed by a checksum of
1603 * the plaintext plus a version of the header where EC
1604 * and RRC are set to zero. Also, the original EC must
1605 * be our checksum size.
1606 */
1607 bcopy(p, tm->m_data, 16);
1608 krb5_checksum(Kc, 0, m, 16, mlen + 16, cklen);
1609 tm->m_data += 16;
1610 tm->m_len -= 16;
1611 }
1612
1613 /*
1614 * Finally set EC to its actual value
1615 */
1616 p[4] = EC >> 8;
1617 p[5] = EC;
1618
1619 *mp = m;
1620 return (GSS_S_COMPLETE);
1621 }
1622
1623 static OM_uint32
krb5_wrap(gss_ctx_id_t ctx,OM_uint32 * minor_status,int conf_req_flag,gss_qop_t qop_req,struct mbuf ** mp,int * conf_state)1624 krb5_wrap(gss_ctx_id_t ctx, OM_uint32 *minor_status,
1625 int conf_req_flag, gss_qop_t qop_req,
1626 struct mbuf **mp, int *conf_state)
1627 {
1628 struct krb5_context *kc = (struct krb5_context *)ctx;
1629
1630 *minor_status = 0;
1631 if (conf_state)
1632 *conf_state = 0;
1633
1634 if (qop_req != GSS_C_QOP_DEFAULT)
1635 return (GSS_S_BAD_QOP);
1636
1637 if (time_uptime > kc->kc_lifetime)
1638 return (GSS_S_CONTEXT_EXPIRED);
1639
1640 switch (kc->kc_tokenkey->ks_class->ec_type) {
1641 case ETYPE_DES_CBC_CRC:
1642 return (krb5_wrap_old(kc, conf_req_flag,
1643 mp, conf_state, sgn_alg_des_md5, seal_alg_des));
1644
1645 case ETYPE_ARCFOUR_HMAC_MD5:
1646 case ETYPE_ARCFOUR_HMAC_MD5_56:
1647 return (krb5_wrap_old(kc, conf_req_flag,
1648 mp, conf_state, sgn_alg_hmac_md5, seal_alg_rc4));
1649
1650 case ETYPE_DES3_CBC_SHA1:
1651 return (krb5_wrap_old(kc, conf_req_flag,
1652 mp, conf_state, sgn_alg_des3_sha1, seal_alg_des3));
1653
1654 default:
1655 return (krb5_wrap_new(kc, conf_req_flag, mp, conf_state));
1656 }
1657
1658 return (GSS_S_FAILURE);
1659 }
1660
1661 static void
m_trim(struct mbuf * m,int len)1662 m_trim(struct mbuf *m, int len)
1663 {
1664 struct mbuf *n;
1665 int off;
1666
1667 if (m == NULL)
1668 return;
1669 n = m_getptr(m, len, &off);
1670 if (n) {
1671 n->m_len = off;
1672 if (n->m_next) {
1673 m_freem(n->m_next);
1674 n->m_next = NULL;
1675 }
1676 }
1677 }
1678
1679 static OM_uint32
krb5_unwrap_old(struct krb5_context * kc,struct mbuf ** mp,int * conf_state,uint8_t sgn_alg[2],uint8_t seal_alg[2])1680 krb5_unwrap_old(struct krb5_context *kc, struct mbuf **mp, int *conf_state,
1681 uint8_t sgn_alg[2], uint8_t seal_alg[2])
1682 {
1683 OM_uint32 res;
1684 struct mbuf *m, *mlast, *hm, *cm, *n;
1685 uint8_t *p, dir;
1686 size_t tlen, elen, datalen, padlen;
1687 size_t cklen;
1688 uint8_t buf[32];
1689 uint32_t seq;
1690 int i, conf;
1691
1692 m = *mp;
1693 m_length(m, &mlast);
1694
1695 tlen = token_length(kc->kc_tokenkey);
1696 cklen = kc->kc_tokenkey->ks_class->ec_checksumlen;
1697
1698 p = krb5_verify_token("\x02\x01", tlen, &m, &elen, TRUE);
1699 *mp = m;
1700 if (!p)
1701 return (GSS_S_DEFECTIVE_TOKEN);
1702 datalen = elen - tlen;
1703
1704 /*
1705 * Trim the framing header first to make life a little easier
1706 * later.
1707 */
1708 m_adj(m, p - (uint8_t *) m->m_data);
1709
1710 /* TOK_ID */
1711 p += 2;
1712
1713 /* SGN_ALG */
1714 if (p[0] != sgn_alg[0] || p[1] != sgn_alg[1])
1715 return (GSS_S_DEFECTIVE_TOKEN);
1716 p += 2;
1717
1718 /* SEAL_ALG */
1719 if (p[0] == seal_alg[0] && p[1] == seal_alg[1])
1720 conf = 1;
1721 else if (p[0] == 0xff && p[1] == 0xff)
1722 conf = 0;
1723 else
1724 return (GSS_S_DEFECTIVE_TOKEN);
1725 p += 2;
1726
1727 if (p[0] != 0xff || p[1] != 0xff)
1728 return (GSS_S_DEFECTIVE_TOKEN);
1729 p += 2;
1730
1731 /*
1732 * SND_SEQ:
1733 *
1734 * Take the four bytes of the sequence number least
1735 * significant first (most significant for ARCFOUR) followed
1736 * by four bytes of direction marker (zero for initiator and
1737 * 0xff for acceptor). Encrypt that data using the SGN_CKSUM
1738 * as IV.
1739 */
1740 krb5_decrypt(kc->kc_tokenkey, m, 8, 8, p + 8, 8);
1741 if (sgn_alg[0] == 0x11) {
1742 seq = p[3] | (p[2] << 8) | (p[1] << 16) | (p[0] << 24);
1743 } else {
1744 seq = p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
1745 }
1746
1747 if (is_initiator(kc)) {
1748 dir = 0xff;
1749 } else {
1750 dir = 0;
1751 }
1752 if (p[4] != dir || p[5] != dir || p[6] != dir || p[7] != dir)
1753 return (GSS_S_DEFECTIVE_TOKEN);
1754
1755 if (kc->kc_msg_order.km_flags &
1756 (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) {
1757 res = krb5_sequence_check(kc, seq);
1758 if (GSS_ERROR(res))
1759 return (res);
1760 } else {
1761 res = GSS_S_COMPLETE;
1762 }
1763
1764 /*
1765 * If the token was encrypted, decode it in-place.
1766 */
1767 if (conf) {
1768 /*
1769 * Decrypt the padded message with an IV of zero for
1770 * DES and DES3 or an IV of the big-endian encoded
1771 * sequence number for ARCFOUR.
1772 */
1773 if (seal_alg[0] == 0x10) {
1774 krb5_decrypt(kc->kc_encryptkey, m, 16 + cklen,
1775 datalen, p, 4);
1776 } else {
1777 krb5_decrypt(kc->kc_encryptkey, m, 16 + cklen,
1778 datalen, NULL, 0);
1779 }
1780 }
1781 if (conf_state)
1782 *conf_state = conf;
1783
1784 /*
1785 * Check the trailing pad bytes.
1786 * RFC1964 specifies between 1<->8 bytes, each with a binary value
1787 * equal to the number of bytes.
1788 */
1789 if (mlast->m_len > 0)
1790 padlen = mlast->m_data[mlast->m_len - 1];
1791 else {
1792 n = m_getptr(m, tlen + datalen - 1, &i);
1793 /*
1794 * When the position is exactly equal to the # of data bytes
1795 * in the mbuf list, m_getptr() will return the last mbuf in
1796 * the list and an off == m_len for that mbuf, so that case
1797 * needs to be checked as well as a NULL return.
1798 */
1799 if (n == NULL || n->m_len == i)
1800 return (GSS_S_DEFECTIVE_TOKEN);
1801 padlen = n->m_data[i];
1802 }
1803 if (padlen < 1 || padlen > 8 || padlen > tlen + datalen)
1804 return (GSS_S_DEFECTIVE_TOKEN);
1805 m_copydata(m, tlen + datalen - padlen, padlen, buf);
1806 for (i = 0; i < padlen; i++) {
1807 if (buf[i] != padlen) {
1808 return (GSS_S_DEFECTIVE_TOKEN);
1809 }
1810 }
1811
1812 /*
1813 * SGN_CKSUM:
1814 *
1815 * Calculate the keyed checksum of the token header plus the
1816 * padded message. We do a little mbuf surgery to trim out the
1817 * parts we don't want to checksum.
1818 */
1819 hm = m;
1820 *mp = m = m_split(m, 16 + cklen, M_WAITOK);
1821 mlast = m_last(m);
1822 hm->m_len = 8;
1823 hm->m_next = m;
1824 MGET(cm, M_WAITOK, MT_DATA);
1825 cm->m_len = cklen;
1826 mlast->m_next = cm;
1827
1828 krb5_checksum(kc->kc_checksumkey, 13, hm, 0, datalen + 8, cklen);
1829 hm->m_next = NULL;
1830 mlast->m_next = NULL;
1831
1832 if (bcmp(cm->m_data, hm->m_data + 16, cklen)) {
1833 m_freem(hm);
1834 m_free(cm);
1835 return (GSS_S_BAD_SIG);
1836 }
1837 m_freem(hm);
1838 m_free(cm);
1839
1840 /*
1841 * Trim off the confounder and padding.
1842 */
1843 m_adj(m, 8);
1844 if (mlast->m_len >= padlen) {
1845 mlast->m_len -= padlen;
1846 } else {
1847 m_trim(m, datalen - 8 - padlen);
1848 }
1849
1850 *mp = m;
1851 return (res);
1852 }
1853
1854 static OM_uint32
krb5_unwrap_new(struct krb5_context * kc,struct mbuf ** mp,int * conf_state)1855 krb5_unwrap_new(struct krb5_context *kc, struct mbuf **mp, int *conf_state)
1856 {
1857 OM_uint32 res;
1858 struct krb5_key_state *Ke = kc->kc_recv_seal_Ke;
1859 struct krb5_key_state *Ki = kc->kc_recv_seal_Ki;
1860 struct krb5_key_state *Kc = kc->kc_recv_seal_Kc;
1861 const struct krb5_encryption_class *ec = Ke->ks_class;
1862 struct mbuf *m, *mlast, *hm, *cm;
1863 uint8_t *p;
1864 int sealed, flags, EC, RRC;
1865 size_t blen, cklen, ctlen, mlen, plen, tlen;
1866 char buf[32], buf2[32];
1867
1868 m = *mp;
1869 mlen = m_length(m, &mlast);
1870
1871 if (mlen <= 16)
1872 return (GSS_S_DEFECTIVE_TOKEN);
1873 if (m->m_len < 16) {
1874 m = m_pullup(m, 16);
1875 *mp = m;
1876 }
1877 p = m->m_data;
1878
1879 /* TOK_ID */
1880 if (p[0] != 0x05)
1881 return (GSS_S_DEFECTIVE_TOKEN);
1882 if (p[1] != 0x04)
1883 return (GSS_S_DEFECTIVE_TOKEN);
1884
1885 /* Flags */
1886 sealed = p[2] & GSS_TOKEN_SEALED;
1887 flags = sealed;
1888 if (is_initiator(kc))
1889 flags |= GSS_TOKEN_SENT_BY_ACCEPTOR;
1890 if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
1891 flags |= GSS_TOKEN_ACCEPTOR_SUBKEY;
1892 if (p[2] != flags)
1893 return (GSS_S_DEFECTIVE_TOKEN);
1894
1895 /* Filler */
1896 if (p[3] != 0xff)
1897 return (GSS_S_DEFECTIVE_TOKEN);
1898
1899 /* EC + RRC */
1900 EC = (p[4] << 8) + p[5];
1901 RRC = (p[6] << 8) + p[7];
1902
1903 /* SND_SEQ */
1904 if (kc->kc_msg_order.km_flags &
1905 (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) {
1906 uint32_t seq;
1907 if (p[8] || p[9] || p[10] || p[11]) {
1908 res = GSS_S_UNSEQ_TOKEN;
1909 } else {
1910 seq = (p[12] << 24) | (p[13] << 16)
1911 | (p[14] << 8) | p[15];
1912 res = krb5_sequence_check(kc, seq);
1913 }
1914 if (GSS_ERROR(res))
1915 return (res);
1916 } else {
1917 res = GSS_S_COMPLETE;
1918 }
1919
1920 /*
1921 * Separate the header before dealing with RRC. We only need
1922 * to keep the header if the message isn't encrypted.
1923 */
1924 if (sealed) {
1925 hm = NULL;
1926 m_adj(m, 16);
1927 } else {
1928 hm = m;
1929 *mp = m = m_split(m, 16, M_WAITOK);
1930 mlast = m_last(m);
1931 }
1932
1933 /*
1934 * Undo the effects of RRC by rotating left.
1935 */
1936 if (RRC > 0) {
1937 struct mbuf *rm;
1938 size_t rlen;
1939
1940 rlen = mlen - 16;
1941 if (RRC <= sizeof(buf) && m->m_len >= rlen) {
1942 /*
1943 * Simple case, just rearrange the bytes in m.
1944 */
1945 bcopy(m->m_data, buf, RRC);
1946 bcopy(m->m_data + RRC, m->m_data, rlen - RRC);
1947 bcopy(buf, m->m_data + rlen - RRC, RRC);
1948 } else {
1949 /*
1950 * More complicated - rearrange the mbuf
1951 * chain.
1952 */
1953 rm = m;
1954 *mp = m = m_split(m, RRC, M_WAITOK);
1955 m_cat(m, rm);
1956 mlast = rm;
1957 }
1958 }
1959
1960 blen = ec->ec_blocklen;
1961 cklen = ec->ec_checksumlen;
1962 if (sealed) {
1963 /*
1964 * Decrypt according to RFC 4121 section 4.2 and RFC
1965 * 3961 section 5.3. The message must be large enough
1966 * for a blocksize confounder, at least one block of
1967 * cyphertext and a checksum.
1968 */
1969 if (mlen < 16 + 2*blen + cklen)
1970 return (GSS_S_DEFECTIVE_TOKEN);
1971
1972 ctlen = mlen - 16 - cklen;
1973 krb5_decrypt(Ke, m, 0, ctlen, NULL, 0);
1974
1975 /*
1976 * The size of the plaintext is ctlen minus blocklen
1977 * (for the confounder), 16 (for the copy of the token
1978 * header) and EC (for the filler). The actual
1979 * plaintext starts after the confounder.
1980 */
1981 plen = ctlen - blen - 16 - EC;
1982
1983 /*
1984 * Checksum the padded plaintext.
1985 */
1986 m_copydata(m, ctlen, cklen, buf);
1987 krb5_checksum(Ki, 0, m, 0, ctlen, cklen);
1988 m_copydata(m, ctlen, cklen, buf2);
1989
1990 if (bcmp(buf, buf2, cklen))
1991 return (GSS_S_BAD_SIG);
1992
1993 /*
1994 * Trim the message back to just plaintext.
1995 */
1996 m_adj(m, blen);
1997 tlen = 16 + EC + cklen;
1998 if (mlast->m_len >= tlen) {
1999 mlast->m_len -= tlen;
2000 } else {
2001 m_trim(m, plen);
2002 }
2003 } else {
2004 /*
2005 * The plaintext message is followed by a checksum of
2006 * the plaintext plus a version of the header where EC
2007 * and RRC are set to zero. Also, the original EC must
2008 * be our checksum size.
2009 */
2010 if (mlen < 16 + cklen || EC != cklen)
2011 return (GSS_S_DEFECTIVE_TOKEN);
2012
2013 /*
2014 * The size of the plaintext is simply the message
2015 * size less header and checksum. The plaintext starts
2016 * right after the header (which we have saved in hm).
2017 */
2018 plen = mlen - 16 - cklen;
2019
2020 /*
2021 * Insert a copy of the header (with EC and RRC set to
2022 * zero) between the plaintext message and the
2023 * checksum.
2024 */
2025 p = hm->m_data;
2026 p[4] = p[5] = p[6] = p[7] = 0;
2027
2028 cm = m_split(m, plen, M_WAITOK);
2029 mlast = m_last(m);
2030 m->m_next = hm;
2031 hm->m_next = cm;
2032
2033 bcopy(cm->m_data, buf, cklen);
2034 krb5_checksum(Kc, 0, m, 0, plen + 16, cklen);
2035 if (bcmp(cm->m_data, buf, cklen))
2036 return (GSS_S_BAD_SIG);
2037
2038 /*
2039 * The checksum matches, discard all buf the plaintext.
2040 */
2041 mlast->m_next = NULL;
2042 m_freem(hm);
2043 }
2044
2045 if (conf_state)
2046 *conf_state = (sealed != 0);
2047
2048 return (res);
2049 }
2050
2051 static OM_uint32
krb5_unwrap(gss_ctx_id_t ctx,OM_uint32 * minor_status,struct mbuf ** mp,int * conf_state,gss_qop_t * qop_state)2052 krb5_unwrap(gss_ctx_id_t ctx, OM_uint32 *minor_status,
2053 struct mbuf **mp, int *conf_state, gss_qop_t *qop_state)
2054 {
2055 struct krb5_context *kc = (struct krb5_context *)ctx;
2056 OM_uint32 maj_stat;
2057
2058 *minor_status = 0;
2059 if (qop_state)
2060 *qop_state = GSS_C_QOP_DEFAULT;
2061 if (conf_state)
2062 *conf_state = 0;
2063
2064 if (time_uptime > kc->kc_lifetime)
2065 return (GSS_S_CONTEXT_EXPIRED);
2066
2067 switch (kc->kc_tokenkey->ks_class->ec_type) {
2068 case ETYPE_DES_CBC_CRC:
2069 maj_stat = krb5_unwrap_old(kc, mp, conf_state,
2070 sgn_alg_des_md5, seal_alg_des);
2071 break;
2072
2073 case ETYPE_ARCFOUR_HMAC_MD5:
2074 case ETYPE_ARCFOUR_HMAC_MD5_56:
2075 maj_stat = krb5_unwrap_old(kc, mp, conf_state,
2076 sgn_alg_hmac_md5, seal_alg_rc4);
2077 break;
2078
2079 case ETYPE_DES3_CBC_SHA1:
2080 maj_stat = krb5_unwrap_old(kc, mp, conf_state,
2081 sgn_alg_des3_sha1, seal_alg_des3);
2082 break;
2083
2084 default:
2085 maj_stat = krb5_unwrap_new(kc, mp, conf_state);
2086 break;
2087 }
2088
2089 if (GSS_ERROR(maj_stat)) {
2090 m_freem(*mp);
2091 *mp = NULL;
2092 }
2093
2094 return (maj_stat);
2095 }
2096
2097 static OM_uint32
krb5_wrap_size_limit(gss_ctx_id_t ctx,OM_uint32 * minor_status,int conf_req_flag,gss_qop_t qop_req,OM_uint32 req_output_size,OM_uint32 * max_input_size)2098 krb5_wrap_size_limit(gss_ctx_id_t ctx, OM_uint32 *minor_status,
2099 int conf_req_flag, gss_qop_t qop_req, OM_uint32 req_output_size,
2100 OM_uint32 *max_input_size)
2101 {
2102 struct krb5_context *kc = (struct krb5_context *)ctx;
2103 const struct krb5_encryption_class *ec;
2104 OM_uint32 overhead;
2105
2106 *minor_status = 0;
2107 *max_input_size = 0;
2108
2109 if (qop_req != GSS_C_QOP_DEFAULT)
2110 return (GSS_S_BAD_QOP);
2111
2112 ec = kc->kc_tokenkey->ks_class;
2113 switch (ec->ec_type) {
2114 case ETYPE_DES_CBC_CRC:
2115 case ETYPE_DES3_CBC_SHA1:
2116 case ETYPE_ARCFOUR_HMAC_MD5:
2117 case ETYPE_ARCFOUR_HMAC_MD5_56:
2118 /*
2119 * up to 5 bytes for [APPLICATION 0] SEQUENCE
2120 * 2 + krb5 oid length
2121 * 8 bytes of header
2122 * 8 bytes of confounder
2123 * maximum of 8 bytes of padding
2124 * checksum
2125 */
2126 overhead = 5 + 2 + krb5_mech_oid.length;
2127 overhead += 8 + 8 + ec->ec_msgblocklen;
2128 overhead += ec->ec_checksumlen;
2129 break;
2130
2131 default:
2132 if (conf_req_flag) {
2133 /*
2134 * 16 byts of header
2135 * blocklen bytes of confounder
2136 * up to msgblocklen - 1 bytes of padding
2137 * 16 bytes for copy of header
2138 * checksum
2139 */
2140 overhead = 16 + ec->ec_blocklen;
2141 overhead += ec->ec_msgblocklen - 1;
2142 overhead += 16;
2143 overhead += ec->ec_checksumlen;
2144 } else {
2145 /*
2146 * 16 bytes of header plus checksum.
2147 */
2148 overhead = 16 + ec->ec_checksumlen;
2149 }
2150 }
2151
2152 *max_input_size = req_output_size - overhead;
2153
2154 return (GSS_S_COMPLETE);
2155 }
2156
2157 static kobj_method_t krb5_methods[] = {
2158 KOBJMETHOD(kgss_init, krb5_init),
2159 KOBJMETHOD(kgss_import, krb5_import),
2160 KOBJMETHOD(kgss_delete, krb5_delete),
2161 KOBJMETHOD(kgss_mech_type, krb5_mech_type),
2162 KOBJMETHOD(kgss_get_mic, krb5_get_mic),
2163 KOBJMETHOD(kgss_verify_mic, krb5_verify_mic),
2164 KOBJMETHOD(kgss_wrap, krb5_wrap),
2165 KOBJMETHOD(kgss_unwrap, krb5_unwrap),
2166 KOBJMETHOD(kgss_wrap_size_limit, krb5_wrap_size_limit),
2167 { 0, 0 }
2168 };
2169
2170 static struct kobj_class krb5_class = {
2171 "kerberosv5",
2172 krb5_methods,
2173 sizeof(struct krb5_context)
2174 };
2175
2176 /*
2177 * Kernel module glue
2178 */
2179 static int
kgssapi_krb5_modevent(module_t mod,int type,void * data)2180 kgssapi_krb5_modevent(module_t mod, int type, void *data)
2181 {
2182
2183 switch (type) {
2184 case MOD_LOAD:
2185 kgss_install_mech(&krb5_mech_oid, "kerberosv5", &krb5_class);
2186 break;
2187
2188 case MOD_UNLOAD:
2189 kgss_uninstall_mech(&krb5_mech_oid);
2190 break;
2191 }
2192
2193 return (0);
2194 }
2195 static moduledata_t kgssapi_krb5_mod = {
2196 "kgssapi_krb5",
2197 kgssapi_krb5_modevent,
2198 NULL,
2199 };
2200 DECLARE_MODULE(kgssapi_krb5, kgssapi_krb5_mod, SI_SUB_VFS, SI_ORDER_ANY);
2201 MODULE_DEPEND(kgssapi_krb5, kgssapi, 1, 1, 1);
2202 MODULE_DEPEND(kgssapi_krb5, crypto, 1, 1, 1);
2203 MODULE_DEPEND(kgssapi_krb5, rc4, 1, 1, 1);
2204 MODULE_VERSION(kgssapi_krb5, 1);
2205