xref: /freebsd/sys/kgssapi/krb5/krb5_mech.c (revision aa1a8ff2d6dbc51ef058f46f3db5a8bb77967145)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2008 Isilon Inc http://www.isilon.com/
5  * Authors: Doug Rabson <dfr@rabson.org>
6  * Developed with Red Inc: Alfred Perlstein <alfred@freebsd.org>
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27  * SUCH DAMAGE.
28  */
29 
30 #include <sys/cdefs.h>
31 #include "opt_inet6.h"
32 
33 #include <sys/param.h>
34 #include <sys/kernel.h>
35 #include <sys/kobj.h>
36 #include <sys/lock.h>
37 #include <sys/malloc.h>
38 #include <sys/mbuf.h>
39 #include <sys/module.h>
40 #include <sys/mutex.h>
41 #include <kgssapi/gssapi.h>
42 #include <kgssapi/gssapi_impl.h>
43 
44 #include "kgss_if.h"
45 #include "kcrypto.h"
46 
47 #define GSS_TOKEN_SENT_BY_ACCEPTOR	1
48 #define GSS_TOKEN_SEALED		2
49 #define GSS_TOKEN_ACCEPTOR_SUBKEY	4
50 
51 static gss_OID_desc krb5_mech_oid =
52 {9, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
53 
54 struct krb5_data {
55 	size_t		kd_length;
56 	void		*kd_data;
57 };
58 
59 struct krb5_keyblock {
60 	uint16_t	kk_type; /* encryption type */
61 	struct krb5_data kk_key; /* key data */
62 };
63 
64 struct krb5_address {
65 	uint16_t	ka_type;
66 	struct krb5_data ka_addr;
67 };
68 
69 /*
70  * The km_elem array is ordered so that the highest received sequence
71  * number is listed first.
72  */
73 struct krb5_msg_order {
74 	uint32_t		km_flags;
75 	uint32_t		km_start;
76 	uint32_t		km_length;
77 	uint32_t		km_jitter_window;
78 	uint32_t		km_first_seq;
79 	uint32_t		*km_elem;
80 };
81 
82 struct krb5_context {
83 	struct _gss_ctx_id_t	kc_common;
84 	struct mtx		kc_lock;
85 	uint32_t		kc_ac_flags;
86 	uint32_t		kc_ctx_flags;
87 	uint32_t		kc_more_flags;
88 #define LOCAL			1
89 #define OPEN			2
90 #define COMPAT_OLD_DES3		4
91 #define COMPAT_OLD_DES3_SELECTED 8
92 #define ACCEPTOR_SUBKEY		16
93 	struct krb5_address	kc_local_address;
94 	struct krb5_address	kc_remote_address;
95 	uint16_t		kc_local_port;
96 	uint16_t		kc_remote_port;
97 	struct krb5_keyblock	kc_keyblock;
98 	struct krb5_keyblock	kc_local_subkey;
99 	struct krb5_keyblock	kc_remote_subkey;
100 	volatile uint32_t	kc_local_seqnumber;
101 	uint32_t		kc_remote_seqnumber;
102 	uint32_t		kc_keytype;
103 	uint32_t		kc_cksumtype;
104 	struct krb5_data	kc_source_name;
105 	struct krb5_data	kc_target_name;
106 	uint32_t		kc_lifetime;
107 	struct krb5_msg_order	kc_msg_order;
108 	struct krb5_key_state	*kc_tokenkey;
109 	struct krb5_key_state	*kc_encryptkey;
110 	struct krb5_key_state	*kc_checksumkey;
111 
112 	struct krb5_key_state	*kc_send_seal_Ke;
113 	struct krb5_key_state	*kc_send_seal_Ki;
114 	struct krb5_key_state	*kc_send_seal_Kc;
115 	struct krb5_key_state	*kc_send_sign_Kc;
116 
117 	struct krb5_key_state	*kc_recv_seal_Ke;
118 	struct krb5_key_state	*kc_recv_seal_Ki;
119 	struct krb5_key_state	*kc_recv_seal_Kc;
120 	struct krb5_key_state	*kc_recv_sign_Kc;
121 };
122 
123 static uint16_t
124 get_uint16(const uint8_t **pp, size_t *lenp)
125 {
126 	const uint8_t *p = *pp;
127 	uint16_t v;
128 
129 	if (*lenp < 2)
130 		return (0);
131 
132 	v = (p[0] << 8) | p[1];
133 	*pp = p + 2;
134 	*lenp = *lenp - 2;
135 
136 	return (v);
137 }
138 
139 static uint32_t
140 get_uint32(const uint8_t **pp, size_t *lenp)
141 {
142 	const uint8_t *p = *pp;
143 	uint32_t v;
144 
145 	if (*lenp < 4)
146 		return (0);
147 
148 	v = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
149 	*pp = p + 4;
150 	*lenp = *lenp - 4;
151 
152 	return (v);
153 }
154 
155 static void
156 get_data(const uint8_t **pp, size_t *lenp, struct krb5_data *dp)
157 {
158 	size_t sz = get_uint32(pp, lenp);
159 
160 	dp->kd_length = sz;
161 	dp->kd_data = malloc(sz, M_GSSAPI, M_WAITOK);
162 
163 	if (*lenp < sz)
164 		sz = *lenp;
165 	bcopy(*pp, dp->kd_data, sz);
166 	(*pp) += sz;
167 	(*lenp) -= sz;
168 }
169 
170 static void
171 delete_data(struct krb5_data *dp)
172 {
173 	if (dp->kd_data) {
174 		free(dp->kd_data, M_GSSAPI);
175 		dp->kd_length = 0;
176 		dp->kd_data = NULL;
177 	}
178 }
179 
180 static void
181 get_address(const uint8_t **pp, size_t *lenp, struct krb5_address *ka)
182 {
183 
184 	ka->ka_type = get_uint16(pp, lenp);
185 	get_data(pp, lenp, &ka->ka_addr);
186 }
187 
188 static void
189 delete_address(struct krb5_address *ka)
190 {
191 	delete_data(&ka->ka_addr);
192 }
193 
194 static void
195 get_keyblock(const uint8_t **pp, size_t *lenp, struct krb5_keyblock *kk)
196 {
197 
198 	kk->kk_type = get_uint16(pp, lenp);
199 	get_data(pp, lenp, &kk->kk_key);
200 }
201 
202 static void
203 delete_keyblock(struct krb5_keyblock *kk)
204 {
205 	if (kk->kk_key.kd_data)
206 		bzero(kk->kk_key.kd_data, kk->kk_key.kd_length);
207 	delete_data(&kk->kk_key);
208 }
209 
210 static void
211 copy_key(struct krb5_keyblock *from, struct krb5_keyblock **to)
212 {
213 
214 	if (from->kk_key.kd_length)
215 		*to = from;
216 	else
217 		*to = NULL;
218 }
219 
220 /*
221  * Return non-zero if we are initiator.
222  */
223 static __inline int
224 is_initiator(struct krb5_context *kc)
225 {
226 	return (kc->kc_more_flags & LOCAL);
227 }
228 
229 /*
230  * Return non-zero if we are acceptor.
231  */
232 static __inline int
233 is_acceptor(struct krb5_context *kc)
234 {
235 	return !(kc->kc_more_flags & LOCAL);
236 }
237 
238 static void
239 get_initiator_subkey(struct krb5_context *kc, struct krb5_keyblock **kdp)
240 {
241 
242 	if (is_initiator(kc))
243 		copy_key(&kc->kc_local_subkey, kdp);
244 	else
245 		copy_key(&kc->kc_remote_subkey, kdp);
246 	if (!*kdp)
247 		copy_key(&kc->kc_keyblock, kdp);
248 }
249 
250 static void
251 get_acceptor_subkey(struct krb5_context *kc, struct krb5_keyblock **kdp)
252 {
253 
254 	if (is_initiator(kc))
255 		copy_key(&kc->kc_remote_subkey, kdp);
256 	else
257 		copy_key(&kc->kc_local_subkey, kdp);
258 }
259 
260 static OM_uint32
261 get_keys(struct krb5_context *kc)
262 {
263 	struct krb5_keyblock *keydata;
264 	struct krb5_encryption_class *ec;
265 	struct krb5_key_state *key;
266 	int etype;
267 
268 	keydata = NULL;
269 	get_acceptor_subkey(kc, &keydata);
270 	if (!keydata)
271 		if ((kc->kc_more_flags & ACCEPTOR_SUBKEY) == 0)
272 			get_initiator_subkey(kc, &keydata);
273 	if (!keydata)
274 		return (GSS_S_FAILURE);
275 
276 	/*
277 	 * GSS-API treats all DES etypes the same and all DES3 etypes
278 	 * the same.
279 	 */
280 	switch (keydata->kk_type) {
281 	case ETYPE_DES_CBC_CRC:
282 	case ETYPE_DES_CBC_MD4:
283 	case ETYPE_DES_CBC_MD5:
284 		etype = ETYPE_DES_CBC_CRC;
285 		break;
286 
287 	case ETYPE_DES3_CBC_MD5:
288 	case ETYPE_DES3_CBC_SHA1:
289 	case ETYPE_OLD_DES3_CBC_SHA1:
290 		etype = ETYPE_DES3_CBC_SHA1;
291 		break;
292 
293 	default:
294 		etype = keydata->kk_type;
295 	}
296 
297 	ec = krb5_find_encryption_class(etype);
298 	if (!ec)
299 		return (GSS_S_FAILURE);
300 
301 	key = krb5_create_key(ec);
302 	krb5_set_key(key, keydata->kk_key.kd_data);
303 	kc->kc_tokenkey = key;
304 
305 	switch (etype) {
306 	case ETYPE_DES_CBC_CRC:
307 	case ETYPE_ARCFOUR_HMAC_MD5:
308 	case ETYPE_ARCFOUR_HMAC_MD5_56: {
309 		/*
310 		 * Single DES and ARCFOUR uses a 'derived' key (XOR
311 		 * with 0xf0) for encrypting wrap tokens. The original
312 		 * key is used for checksums and sequence numbers.
313 		 */
314 		struct krb5_key_state *ekey;
315 		uint8_t *ekp, *kp;
316 		int i;
317 
318 		ekey = krb5_create_key(ec);
319 		ekp = ekey->ks_key;
320 		kp = key->ks_key;
321 		for (i = 0; i < ec->ec_keylen; i++)
322 			ekp[i] = kp[i] ^ 0xf0;
323 		krb5_set_key(ekey, ekp);
324 		kc->kc_encryptkey = ekey;
325 		refcount_acquire(&key->ks_refs);
326 		kc->kc_checksumkey = key;
327 		break;
328 	}
329 
330 	case ETYPE_DES3_CBC_SHA1:
331 		/*
332 		 * Triple DES uses a RFC 3961 style derived key with
333 		 * usage number KG_USAGE_SIGN for checksums. The
334 		 * original key is used for encryption and sequence
335 		 * numbers.
336 		 */
337 		kc->kc_checksumkey = krb5_get_checksum_key(key, KG_USAGE_SIGN);
338 		refcount_acquire(&key->ks_refs);
339 		kc->kc_encryptkey = key;
340 		break;
341 
342 	default:
343 		/*
344 		 * We need eight derived keys four for sending and
345 		 * four for receiving.
346 		 */
347 		if (is_initiator(kc)) {
348 			/*
349 			 * We are initiator.
350 			 */
351 			kc->kc_send_seal_Ke = krb5_get_encryption_key(key,
352 			    KG_USAGE_INITIATOR_SEAL);
353 			kc->kc_send_seal_Ki = krb5_get_integrity_key(key,
354 			    KG_USAGE_INITIATOR_SEAL);
355 			kc->kc_send_seal_Kc = krb5_get_checksum_key(key,
356 			    KG_USAGE_INITIATOR_SEAL);
357 			kc->kc_send_sign_Kc = krb5_get_checksum_key(key,
358 			    KG_USAGE_INITIATOR_SIGN);
359 
360 			kc->kc_recv_seal_Ke = krb5_get_encryption_key(key,
361 			    KG_USAGE_ACCEPTOR_SEAL);
362 			kc->kc_recv_seal_Ki = krb5_get_integrity_key(key,
363 			    KG_USAGE_ACCEPTOR_SEAL);
364 			kc->kc_recv_seal_Kc = krb5_get_checksum_key(key,
365 			    KG_USAGE_ACCEPTOR_SEAL);
366 			kc->kc_recv_sign_Kc = krb5_get_checksum_key(key,
367 			    KG_USAGE_ACCEPTOR_SIGN);
368 		} else {
369 			/*
370 			 * We are acceptor.
371 			 */
372 			kc->kc_send_seal_Ke = krb5_get_encryption_key(key,
373 			    KG_USAGE_ACCEPTOR_SEAL);
374 			kc->kc_send_seal_Ki = krb5_get_integrity_key(key,
375 			    KG_USAGE_ACCEPTOR_SEAL);
376 			kc->kc_send_seal_Kc = krb5_get_checksum_key(key,
377 			    KG_USAGE_ACCEPTOR_SEAL);
378 			kc->kc_send_sign_Kc = krb5_get_checksum_key(key,
379 			    KG_USAGE_ACCEPTOR_SIGN);
380 
381 			kc->kc_recv_seal_Ke = krb5_get_encryption_key(key,
382 			    KG_USAGE_INITIATOR_SEAL);
383 			kc->kc_recv_seal_Ki = krb5_get_integrity_key(key,
384 			    KG_USAGE_INITIATOR_SEAL);
385 			kc->kc_recv_seal_Kc = krb5_get_checksum_key(key,
386 			    KG_USAGE_INITIATOR_SEAL);
387 			kc->kc_recv_sign_Kc = krb5_get_checksum_key(key,
388 			    KG_USAGE_INITIATOR_SIGN);
389 		}
390 		break;
391 	}
392 
393 	return (GSS_S_COMPLETE);
394 }
395 
396 static void
397 krb5_init(gss_ctx_id_t ctx)
398 {
399 	struct krb5_context *kc = (struct krb5_context *)ctx;
400 
401 	mtx_init(&kc->kc_lock, "krb5 gss lock", NULL, MTX_DEF);
402 }
403 
404 static OM_uint32
405 krb5_import(gss_ctx_id_t ctx,
406     enum sec_context_format format,
407     const gss_buffer_t context_token)
408 {
409 	struct krb5_context *kc = (struct krb5_context *)ctx;
410 	OM_uint32 res;
411 	const uint8_t *p = (const uint8_t *) context_token->value;
412 	size_t len = context_token->length;
413 	uint32_t flags;
414 	int i;
415 
416 	/*
417 	 * We support heimdal 0.6 and heimdal 1.1
418 	 */
419 	if (format != KGSS_HEIMDAL_0_6 && format != KGSS_HEIMDAL_1_1)
420 		return (GSS_S_DEFECTIVE_TOKEN);
421 
422 #define SC_LOCAL_ADDRESS	1
423 #define SC_REMOTE_ADDRESS	2
424 #define SC_KEYBLOCK		4
425 #define SC_LOCAL_SUBKEY		8
426 #define SC_REMOTE_SUBKEY	16
427 
428 	/*
429 	 * Ensure that the token starts with krb5 oid.
430 	 */
431 	if (p[0] != 0x00 || p[1] != krb5_mech_oid.length
432 	    || len < krb5_mech_oid.length + 2
433 	    || bcmp(krb5_mech_oid.elements, p + 2,
434 		krb5_mech_oid.length))
435 		return (GSS_S_DEFECTIVE_TOKEN);
436 	p += krb5_mech_oid.length + 2;
437 	len -= krb5_mech_oid.length + 2;
438 
439 	flags = get_uint32(&p, &len);
440 	kc->kc_ac_flags = get_uint32(&p, &len);
441 	if (flags & SC_LOCAL_ADDRESS)
442 		get_address(&p, &len, &kc->kc_local_address);
443 	if (flags & SC_REMOTE_ADDRESS)
444 		get_address(&p, &len, &kc->kc_remote_address);
445 	kc->kc_local_port = get_uint16(&p, &len);
446 	kc->kc_remote_port = get_uint16(&p, &len);
447 	if (flags & SC_KEYBLOCK)
448 		get_keyblock(&p, &len, &kc->kc_keyblock);
449 	if (flags & SC_LOCAL_SUBKEY)
450 		get_keyblock(&p, &len, &kc->kc_local_subkey);
451 	if (flags & SC_REMOTE_SUBKEY)
452 		get_keyblock(&p, &len, &kc->kc_remote_subkey);
453 	kc->kc_local_seqnumber = get_uint32(&p, &len);
454 	kc->kc_remote_seqnumber = get_uint32(&p, &len);
455 	kc->kc_keytype = get_uint32(&p, &len);
456 	kc->kc_cksumtype = get_uint32(&p, &len);
457 	get_data(&p, &len, &kc->kc_source_name);
458 	get_data(&p, &len, &kc->kc_target_name);
459 	kc->kc_ctx_flags = get_uint32(&p, &len);
460 	kc->kc_more_flags = get_uint32(&p, &len);
461 	kc->kc_lifetime = get_uint32(&p, &len);
462 	/*
463 	 * Heimdal 1.1 adds the message order stuff.
464 	 */
465 	if (format == KGSS_HEIMDAL_1_1) {
466 		kc->kc_msg_order.km_flags = get_uint32(&p, &len);
467 		kc->kc_msg_order.km_start = get_uint32(&p, &len);
468 		kc->kc_msg_order.km_length = get_uint32(&p, &len);
469 		kc->kc_msg_order.km_jitter_window = get_uint32(&p, &len);
470 		kc->kc_msg_order.km_first_seq = get_uint32(&p, &len);
471 		kc->kc_msg_order.km_elem =
472 			malloc(kc->kc_msg_order.km_jitter_window * sizeof(uint32_t),
473 			    M_GSSAPI, M_WAITOK);
474 		for (i = 0; i < kc->kc_msg_order.km_jitter_window; i++)
475 			kc->kc_msg_order.km_elem[i] = get_uint32(&p, &len);
476 	} else {
477 		kc->kc_msg_order.km_flags = 0;
478 	}
479 
480 	res = get_keys(kc);
481 	if (GSS_ERROR(res))
482 		return (res);
483 
484 	/*
485 	 * We don't need these anymore.
486 	 */
487 	delete_keyblock(&kc->kc_keyblock);
488 	delete_keyblock(&kc->kc_local_subkey);
489 	delete_keyblock(&kc->kc_remote_subkey);
490 
491 	return (GSS_S_COMPLETE);
492 }
493 
494 static void
495 krb5_delete(gss_ctx_id_t ctx, gss_buffer_t output_token)
496 {
497 	struct krb5_context *kc = (struct krb5_context *)ctx;
498 
499 	delete_address(&kc->kc_local_address);
500 	delete_address(&kc->kc_remote_address);
501 	delete_keyblock(&kc->kc_keyblock);
502 	delete_keyblock(&kc->kc_local_subkey);
503 	delete_keyblock(&kc->kc_remote_subkey);
504 	delete_data(&kc->kc_source_name);
505 	delete_data(&kc->kc_target_name);
506 	if (kc->kc_msg_order.km_elem)
507 		free(kc->kc_msg_order.km_elem, M_GSSAPI);
508 	if (output_token) {
509 		output_token->length = 0;
510 		output_token->value = NULL;
511 	}
512 	if (kc->kc_tokenkey) {
513 		krb5_free_key(kc->kc_tokenkey);
514 		if (kc->kc_encryptkey) {
515 			krb5_free_key(kc->kc_encryptkey);
516 			krb5_free_key(kc->kc_checksumkey);
517 		} else {
518 			krb5_free_key(kc->kc_send_seal_Ke);
519 			krb5_free_key(kc->kc_send_seal_Ki);
520 			krb5_free_key(kc->kc_send_seal_Kc);
521 			krb5_free_key(kc->kc_send_sign_Kc);
522 			krb5_free_key(kc->kc_recv_seal_Ke);
523 			krb5_free_key(kc->kc_recv_seal_Ki);
524 			krb5_free_key(kc->kc_recv_seal_Kc);
525 			krb5_free_key(kc->kc_recv_sign_Kc);
526 		}
527 	}
528 	mtx_destroy(&kc->kc_lock);
529 }
530 
531 static gss_OID
532 krb5_mech_type(gss_ctx_id_t ctx)
533 {
534 
535 	return (&krb5_mech_oid);
536 }
537 
538 /*
539  * Make a token with the given type and length (the length includes
540  * the TOK_ID), initialising the token header appropriately. Return a
541  * pointer to the TOK_ID of the token.  A new mbuf is allocated with
542  * the framing header plus hlen bytes of space.
543  *
544  * Format is as follows:
545  *
546  *	0x60			[APPLICATION 0] SEQUENCE
547  *	DER encoded length	length of oid + type + inner token length
548  *	0x06 NN <oid data>	OID of mechanism type
549  *	TT TT			TOK_ID
550  *	<inner token>		data for inner token
551  *
552  * 1:		der encoded length
553  */
554 static void *
555 krb5_make_token(char tok_id[2], size_t hlen, size_t len, struct mbuf **mp)
556 {
557 	size_t inside_len, len_len, tlen;
558 	gss_OID oid = &krb5_mech_oid;
559 	struct mbuf *m;
560 	uint8_t *p;
561 
562 	inside_len = 2 + oid->length + len;
563 	if (inside_len < 128)
564 		len_len = 1;
565 	else if (inside_len < 0x100)
566 		len_len = 2;
567 	else if (inside_len < 0x10000)
568 		len_len = 3;
569 	else if (inside_len < 0x1000000)
570 		len_len = 4;
571 	else
572 		len_len = 5;
573 
574 	tlen = 1 + len_len + 2 + oid->length + hlen;
575 	KASSERT(tlen <= MLEN, ("token head too large"));
576 	MGET(m, M_WAITOK, MT_DATA);
577 	M_ALIGN(m, tlen);
578 	m->m_len = tlen;
579 
580 	p = (uint8_t *) m->m_data;
581 	*p++ = 0x60;
582 	switch (len_len) {
583 	case 1:
584 		*p++ = inside_len;
585 		break;
586 	case 2:
587 		*p++ = 0x81;
588 		*p++ = inside_len;
589 		break;
590 	case 3:
591 		*p++ = 0x82;
592 		*p++ = inside_len >> 8;
593 		*p++ = inside_len;
594 		break;
595 	case 4:
596 		*p++ = 0x83;
597 		*p++ = inside_len >> 16;
598 		*p++ = inside_len >> 8;
599 		*p++ = inside_len;
600 		break;
601 	case 5:
602 		*p++ = 0x84;
603 		*p++ = inside_len >> 24;
604 		*p++ = inside_len >> 16;
605 		*p++ = inside_len >> 8;
606 		*p++ = inside_len;
607 		break;
608 	}
609 
610 	*p++ = 0x06;
611 	*p++ = oid->length;
612 	bcopy(oid->elements, p, oid->length);
613 	p += oid->length;
614 
615 	p[0] = tok_id[0];
616 	p[1] = tok_id[1];
617 
618 	*mp = m;
619 
620 	return (p);
621 }
622 
623 /*
624  * Verify a token, checking the inner token length and mechanism oid.
625  * pointer to the first byte of the TOK_ID. The length of the
626  * encapsulated data is checked to be at least len bytes; the actual
627  * length of the encapsulated data (including TOK_ID) is returned in
628  * *encap_len.
629  *
630  * If can_pullup is TRUE and the token header is fragmented, we will
631  * rearrange it.
632  *
633  * Format is as follows:
634  *
635  *	0x60			[APPLICATION 0] SEQUENCE
636  *	DER encoded length	length of oid + type + inner token length
637  *	0x06 NN <oid data>	OID of mechanism type
638  *	TT TT			TOK_ID
639  *	<inner token>		data for inner token
640  *
641  * 1:		der encoded length
642  */
643 static void *
644 krb5_verify_token(char tok_id[2], size_t len, struct mbuf **mp,
645     size_t *encap_len, bool_t can_pullup)
646 {
647 	struct mbuf *m;
648 	size_t tlen, hlen, len_len, inside_len;
649 	gss_OID oid = &krb5_mech_oid;
650 	uint8_t *p;
651 
652 	m = *mp;
653 	tlen = m_length(m, NULL);
654 	if (tlen < 2)
655 		return (NULL);
656 
657 	/*
658 	 * Ensure that at least the framing part of the token is
659 	 * contigous.
660 	 */
661 	if (m->m_len < 2) {
662 		if (can_pullup)
663 			*mp = m = m_pullup(m, 2);
664 		else
665 			return (NULL);
666 	}
667 
668 	p = m->m_data;
669 
670 	if (*p++ != 0x60)
671 		return (NULL);
672 
673 	if (*p < 0x80) {
674 		inside_len = *p++;
675 		len_len = 1;
676 	} else {
677 		/*
678 		 * Ensure there is enough space for the DER encoded length.
679 		 */
680 		len_len = (*p & 0x7f) + 1;
681 		if (tlen < len_len + 1)
682 			return (NULL);
683 		if (m->m_len < len_len + 1) {
684 			if (can_pullup)
685 				*mp = m = m_pullup(m, len_len + 1);
686 			else
687 				return (NULL);
688 			p = m->m_data + 1;
689 		}
690 
691 		switch (*p++) {
692 		case 0x81:
693 			inside_len = *p++;
694 			break;
695 
696 		case 0x82:
697 			inside_len = (p[0] << 8) | p[1];
698 			p += 2;
699 			break;
700 
701 		case 0x83:
702 			inside_len = (p[0] << 16) | (p[1] << 8) | p[2];
703 			p += 3;
704 			break;
705 
706 		case 0x84:
707 			inside_len = (p[0] << 24) | (p[1] << 16)
708 				| (p[2] << 8) | p[3];
709 			p += 4;
710 			break;
711 
712 		default:
713 			return (NULL);
714 		}
715 	}
716 
717 	if (tlen != inside_len + len_len + 1)
718 		return (NULL);
719 	if (inside_len < 2 + oid->length + len)
720 		return (NULL);
721 
722 	/*
723 	 * Now that we know the value of len_len, we can pullup the
724 	 * whole header. The header is 1 + len_len + 2 + oid->length +
725 	 * len bytes.
726 	 */
727 	hlen = 1 + len_len + 2 + oid->length + len;
728 	if (m->m_len < hlen) {
729 		if (can_pullup)
730 			*mp = m = m_pullup(m, hlen);
731 		else
732 			return (NULL);
733 		p = m->m_data + 1 + len_len;
734 	}
735 
736 	if (*p++ != 0x06)
737 		return (NULL);
738 	if (*p++ != oid->length)
739 		return (NULL);
740 	if (bcmp(oid->elements, p, oid->length))
741 		return (NULL);
742 	p += oid->length;
743 
744 	if (p[0] != tok_id[0])
745 		return (NULL);
746 
747 	if (p[1] != tok_id[1])
748 		return (NULL);
749 
750 	*encap_len = inside_len - 2 - oid->length;
751 
752 	return (p);
753 }
754 
755 static void
756 krb5_insert_seq(struct krb5_msg_order *mo, uint32_t seq, int index)
757 {
758 	int i;
759 
760 	if (mo->km_length < mo->km_jitter_window)
761 		mo->km_length++;
762 
763 	for (i = mo->km_length - 1; i > index; i--)
764 		mo->km_elem[i] = mo->km_elem[i - 1];
765 	mo->km_elem[index] = seq;
766 }
767 
768 /*
769  * Check sequence numbers according to RFC 2743 section 1.2.3.
770  */
771 static OM_uint32
772 krb5_sequence_check(struct krb5_context *kc, uint32_t seq)
773 {
774 	OM_uint32 res = GSS_S_FAILURE;
775 	struct krb5_msg_order *mo = &kc->kc_msg_order;
776 	int check_sequence = mo->km_flags & GSS_C_SEQUENCE_FLAG;
777 	int check_replay = mo->km_flags & GSS_C_REPLAY_FLAG;
778 	int i;
779 
780 	mtx_lock(&kc->kc_lock);
781 
782 	/*
783 	 * Message is in-sequence with no gap.
784 	 */
785 	if (mo->km_length == 0 || seq == mo->km_elem[0] + 1) {
786 		/*
787 		 * This message is received in-sequence with no gaps.
788 		 */
789 		krb5_insert_seq(mo, seq, 0);
790 		res = GSS_S_COMPLETE;
791 		goto out;
792 	}
793 
794 	if (seq > mo->km_elem[0]) {
795 		/*
796 		 * This message is received in-sequence with a gap.
797 		 */
798 		krb5_insert_seq(mo, seq, 0);
799 		if (check_sequence)
800 			res = GSS_S_GAP_TOKEN;
801 		else
802 			res = GSS_S_COMPLETE;
803 		goto out;
804 	}
805 
806 	if (seq < mo->km_elem[mo->km_length - 1]) {
807 		if (check_replay && !check_sequence)
808 			res = GSS_S_OLD_TOKEN;
809 		else
810 			res = GSS_S_UNSEQ_TOKEN;
811 		goto out;
812 	}
813 
814 	for (i = 0; i < mo->km_length; i++) {
815 		if (mo->km_elem[i] == seq) {
816 			res = GSS_S_DUPLICATE_TOKEN;
817 			goto out;
818 		}
819 		if (mo->km_elem[i] < seq) {
820 			/*
821 			 * We need to insert this seq here,
822 			 */
823 			krb5_insert_seq(mo, seq, i);
824 			if (check_replay && !check_sequence)
825 				res = GSS_S_COMPLETE;
826 			else
827 				res = GSS_S_UNSEQ_TOKEN;
828 			goto out;
829 		}
830 	}
831 
832 out:
833 	mtx_unlock(&kc->kc_lock);
834 
835 	return (res);
836 }
837 
838 static uint8_t sgn_alg_des_md5[] = { 0x00, 0x00 };
839 static uint8_t seal_alg_des[] = { 0x00, 0x00 };
840 static uint8_t sgn_alg_des3_sha1[] = { 0x04, 0x00 };
841 static uint8_t seal_alg_des3[] = { 0x02, 0x00 };
842 static uint8_t seal_alg_rc4[] = { 0x10, 0x00 };
843 static uint8_t sgn_alg_hmac_md5[] = { 0x11, 0x00 };
844 
845 /*
846  * Return the size of the inner token given the use of the key's
847  * encryption class. For wrap tokens, the length of the padded
848  * plaintext will be added to this.
849  */
850 static size_t
851 token_length(struct krb5_key_state *key)
852 {
853 
854 	return (16 + key->ks_class->ec_checksumlen);
855 }
856 
857 static OM_uint32
858 krb5_get_mic_old(struct krb5_context *kc, struct mbuf *m,
859     struct mbuf **micp, uint8_t sgn_alg[2])
860 {
861 	struct mbuf *mlast, *mic, *tm;
862 	uint8_t *p, dir;
863 	size_t tlen, mlen, cklen;
864 	uint32_t seq;
865 	char buf[8];
866 
867 	mlen = m_length(m, &mlast);
868 
869 	tlen = token_length(kc->kc_tokenkey);
870 	p = krb5_make_token("\x01\x01", tlen, tlen, &mic);
871 	p += 2;			/* TOK_ID */
872 	*p++ = sgn_alg[0];	/* SGN_ALG */
873 	*p++ = sgn_alg[1];
874 
875 	*p++ = 0xff;		/* filler */
876 	*p++ = 0xff;
877 	*p++ = 0xff;
878 	*p++ = 0xff;
879 
880 	/*
881 	 * SGN_CKSUM:
882 	 *
883 	 * Calculate the keyed checksum of the token header plus the
884 	 * message.
885 	 */
886 	cklen = kc->kc_checksumkey->ks_class->ec_checksumlen;
887 
888 	mic->m_len = p - (uint8_t *) mic->m_data;
889 	mic->m_next = m;
890 	MGET(tm, M_WAITOK, MT_DATA);
891 	tm->m_len = cklen;
892 	mlast->m_next = tm;
893 
894 	krb5_checksum(kc->kc_checksumkey, 15, mic, mic->m_len - 8,
895 	    8 + mlen, cklen);
896 	bcopy(tm->m_data, p + 8, cklen);
897 	mic->m_next = NULL;
898 	mlast->m_next = NULL;
899 	m_free(tm);
900 
901 	/*
902 	 * SND_SEQ:
903 	 *
904 	 * Take the four bytes of the sequence number least
905 	 * significant first followed by four bytes of direction
906 	 * marker (zero for initiator and 0xff for acceptor). Encrypt
907 	 * that data using the SGN_CKSUM as IV. Note: ARC4 wants the
908 	 * sequence number big-endian.
909 	 */
910 	seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
911 	if (sgn_alg[0] == 0x11) {
912 		p[0] = (seq >> 24);
913 		p[1] = (seq >> 16);
914 		p[2] = (seq >> 8);
915 		p[3] = (seq >> 0);
916 	} else {
917 		p[0] = (seq >> 0);
918 		p[1] = (seq >> 8);
919 		p[2] = (seq >> 16);
920 		p[3] = (seq >> 24);
921 	}
922 	if (is_initiator(kc)) {
923 		dir = 0;
924 	} else {
925 		dir = 0xff;
926 	}
927 	p[4] = dir;
928 	p[5] = dir;
929 	p[6] = dir;
930 	p[7] = dir;
931 	bcopy(p + 8, buf, 8);
932 
933 	/*
934 	 * Set the mic buffer to its final size so that the encrypt
935 	 * can see the SND_SEQ part.
936 	 */
937 	mic->m_len += 8 + cklen;
938 	krb5_encrypt(kc->kc_tokenkey, mic, mic->m_len - cklen - 8, 8, buf, 8);
939 
940 	*micp = mic;
941 	return (GSS_S_COMPLETE);
942 }
943 
944 static OM_uint32
945 krb5_get_mic_new(struct krb5_context *kc,  struct mbuf *m,
946     struct mbuf **micp)
947 {
948 	struct krb5_key_state *key = kc->kc_send_sign_Kc;
949 	struct mbuf *mlast, *mic;
950 	uint8_t *p;
951 	int flags;
952 	size_t mlen, cklen;
953 	uint32_t seq;
954 
955 	mlen = m_length(m, &mlast);
956 	cklen = key->ks_class->ec_checksumlen;
957 
958 	KASSERT(16 + cklen <= MLEN, ("checksum too large for an mbuf"));
959 	MGET(mic, M_WAITOK, MT_DATA);
960 	M_ALIGN(mic, 16 + cklen);
961 	mic->m_len = 16 + cklen;
962 	p = mic->m_data;
963 
964 	/* TOK_ID */
965 	p[0] = 0x04;
966 	p[1] = 0x04;
967 
968 	/* Flags */
969 	flags = 0;
970 	if (is_acceptor(kc))
971 		flags |= GSS_TOKEN_SENT_BY_ACCEPTOR;
972 	if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
973 		flags |= GSS_TOKEN_ACCEPTOR_SUBKEY;
974 	p[2] = flags;
975 
976 	/* Filler */
977 	p[3] = 0xff;
978 	p[4] = 0xff;
979 	p[5] = 0xff;
980 	p[6] = 0xff;
981 	p[7] = 0xff;
982 
983 	/* SND_SEQ */
984 	p[8] = 0;
985 	p[9] = 0;
986 	p[10] = 0;
987 	p[11] = 0;
988 	seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
989 	p[12] = (seq >> 24);
990 	p[13] = (seq >> 16);
991 	p[14] = (seq >> 8);
992 	p[15] = (seq >> 0);
993 
994 	/*
995 	 * SGN_CKSUM:
996 	 *
997 	 * Calculate the keyed checksum of the message plus the first
998 	 * 16 bytes of the token header.
999 	 */
1000 	mlast->m_next = mic;
1001 	krb5_checksum(key, 0, m, 0, mlen + 16, cklen);
1002 	mlast->m_next = NULL;
1003 
1004 	*micp = mic;
1005 	return (GSS_S_COMPLETE);
1006 }
1007 
1008 static OM_uint32
1009 krb5_get_mic(gss_ctx_id_t ctx, OM_uint32 *minor_status,
1010     gss_qop_t qop_req, struct mbuf *m, struct mbuf **micp)
1011 {
1012 	struct krb5_context *kc = (struct krb5_context *)ctx;
1013 
1014 	*minor_status = 0;
1015 
1016 	if (qop_req != GSS_C_QOP_DEFAULT)
1017 		return (GSS_S_BAD_QOP);
1018 
1019 	if (time_uptime > kc->kc_lifetime)
1020 		return (GSS_S_CONTEXT_EXPIRED);
1021 
1022 	switch (kc->kc_tokenkey->ks_class->ec_type) {
1023 	case ETYPE_DES_CBC_CRC:
1024 		return (krb5_get_mic_old(kc, m, micp, sgn_alg_des_md5));
1025 
1026 	case ETYPE_DES3_CBC_SHA1:
1027 		return (krb5_get_mic_old(kc, m, micp, sgn_alg_des3_sha1));
1028 
1029 	case ETYPE_ARCFOUR_HMAC_MD5:
1030 	case ETYPE_ARCFOUR_HMAC_MD5_56:
1031 		return (krb5_get_mic_old(kc, m, micp, sgn_alg_hmac_md5));
1032 
1033 	default:
1034 		return (krb5_get_mic_new(kc, m, micp));
1035 	}
1036 
1037 	return (GSS_S_FAILURE);
1038 }
1039 
1040 static OM_uint32
1041 krb5_verify_mic_old(struct krb5_context *kc, struct mbuf *m, struct mbuf *mic,
1042     uint8_t sgn_alg[2])
1043 {
1044 	struct mbuf *mlast, *tm;
1045 	uint8_t *p, *tp, dir;
1046 	size_t mlen, tlen, elen;
1047 	size_t cklen;
1048 	uint32_t seq;
1049 
1050 	mlen = m_length(m, &mlast);
1051 
1052 	tlen = token_length(kc->kc_tokenkey);
1053 	p = krb5_verify_token("\x01\x01", tlen, &mic, &elen, FALSE);
1054 	if (!p)
1055 		return (GSS_S_DEFECTIVE_TOKEN);
1056 #if 0
1057 	/*
1058 	 * Disable this check - heimdal-1.1 generates DES3 MIC tokens
1059 	 * that are 2 bytes too big.
1060 	 */
1061 	if (elen != tlen)
1062 		return (GSS_S_DEFECTIVE_TOKEN);
1063 #endif
1064 	/* TOK_ID */
1065 	p += 2;
1066 
1067 	/* SGN_ALG */
1068 	if (p[0] != sgn_alg[0] || p[1] != sgn_alg[1])
1069 		return (GSS_S_DEFECTIVE_TOKEN);
1070 	p += 2;
1071 
1072 	if (p[0] != 0xff || p[1] != 0xff || p[2] != 0xff || p[3] != 0xff)
1073 		return (GSS_S_DEFECTIVE_TOKEN);
1074 	p += 4;
1075 
1076 	/*
1077 	 * SGN_CKSUM:
1078 	 *
1079 	 * Calculate the keyed checksum of the token header plus the
1080 	 * message.
1081 	 */
1082 	cklen = kc->kc_checksumkey->ks_class->ec_checksumlen;
1083 	mic->m_len = p - (uint8_t *) mic->m_data;
1084 	mic->m_next = m;
1085 	MGET(tm, M_WAITOK, MT_DATA);
1086 	tm->m_len = cklen;
1087 	mlast->m_next = tm;
1088 
1089 	krb5_checksum(kc->kc_checksumkey, 15, mic, mic->m_len - 8,
1090 	    8 + mlen, cklen);
1091 	mic->m_next = NULL;
1092 	mlast->m_next = NULL;
1093 	if (bcmp(tm->m_data, p + 8, cklen)) {
1094 		m_free(tm);
1095 		return (GSS_S_BAD_SIG);
1096 	}
1097 
1098 	/*
1099 	 * SND_SEQ:
1100 	 *
1101 	 * Take the four bytes of the sequence number least
1102 	 * significant first followed by four bytes of direction
1103 	 * marker (zero for initiator and 0xff for acceptor). Encrypt
1104 	 * that data using the SGN_CKSUM as IV.  Note: ARC4 wants the
1105 	 * sequence number big-endian.
1106 	 */
1107 	bcopy(p, tm->m_data, 8);
1108 	tm->m_len = 8;
1109 	krb5_decrypt(kc->kc_tokenkey, tm, 0, 8, p + 8, 8);
1110 
1111 	tp = tm->m_data;
1112 	if (sgn_alg[0] == 0x11) {
1113 		seq = tp[3] | (tp[2] << 8) | (tp[1] << 16) | (tp[0] << 24);
1114 	} else {
1115 		seq = tp[0] | (tp[1] << 8) | (tp[2] << 16) | (tp[3] << 24);
1116 	}
1117 
1118 	if (is_initiator(kc)) {
1119 		dir = 0xff;
1120 	} else {
1121 		dir = 0;
1122 	}
1123 	if (tp[4] != dir || tp[5] != dir || tp[6] != dir || tp[7] != dir) {
1124 		m_free(tm);
1125 		return (GSS_S_DEFECTIVE_TOKEN);
1126 	}
1127 	m_free(tm);
1128 
1129 	if (kc->kc_msg_order.km_flags &
1130 		(GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) {
1131 		return (krb5_sequence_check(kc, seq));
1132 	}
1133 
1134 	return (GSS_S_COMPLETE);
1135 }
1136 
1137 static OM_uint32
1138 krb5_verify_mic_new(struct krb5_context *kc, struct mbuf *m, struct mbuf *mic)
1139 {
1140 	OM_uint32 res;
1141 	struct krb5_key_state *key = kc->kc_recv_sign_Kc;
1142 	struct mbuf *mlast;
1143 	uint8_t *p;
1144 	int flags;
1145 	size_t mlen, cklen;
1146 	char buf[32];
1147 
1148 	mlen = m_length(m, &mlast);
1149 	cklen = key->ks_class->ec_checksumlen;
1150 
1151 	KASSERT(mic->m_next == NULL, ("MIC should be contiguous"));
1152 	if (mic->m_len != 16 + cklen)
1153 		return (GSS_S_DEFECTIVE_TOKEN);
1154 	p = mic->m_data;
1155 
1156 	/* TOK_ID */
1157 	if (p[0] != 0x04)
1158 		return (GSS_S_DEFECTIVE_TOKEN);
1159 	if (p[1] != 0x04)
1160 		return (GSS_S_DEFECTIVE_TOKEN);
1161 
1162 	/* Flags */
1163 	flags = 0;
1164 	if (is_initiator(kc))
1165 		flags |= GSS_TOKEN_SENT_BY_ACCEPTOR;
1166 	if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
1167 		flags |= GSS_TOKEN_ACCEPTOR_SUBKEY;
1168 	if (p[2] != flags)
1169 		return (GSS_S_DEFECTIVE_TOKEN);
1170 
1171 	/* Filler */
1172 	if (p[3] != 0xff)
1173 		return (GSS_S_DEFECTIVE_TOKEN);
1174 	if (p[4] != 0xff)
1175 		return (GSS_S_DEFECTIVE_TOKEN);
1176 	if (p[5] != 0xff)
1177 		return (GSS_S_DEFECTIVE_TOKEN);
1178 	if (p[6] != 0xff)
1179 		return (GSS_S_DEFECTIVE_TOKEN);
1180 	if (p[7] != 0xff)
1181 		return (GSS_S_DEFECTIVE_TOKEN);
1182 
1183 	/* SND_SEQ */
1184 	if (kc->kc_msg_order.km_flags &
1185 		(GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) {
1186 		uint32_t seq;
1187 		if (p[8] || p[9] || p[10] || p[11]) {
1188 			res = GSS_S_UNSEQ_TOKEN;
1189 		} else {
1190 			seq = (p[12] << 24) | (p[13] << 16)
1191 				| (p[14] << 8) | p[15];
1192 			res = krb5_sequence_check(kc, seq);
1193 		}
1194 		if (GSS_ERROR(res))
1195 			return (res);
1196 	} else {
1197 		res = GSS_S_COMPLETE;
1198 	}
1199 
1200 	/*
1201 	 * SGN_CKSUM:
1202 	 *
1203 	 * Calculate the keyed checksum of the message plus the first
1204 	 * 16 bytes of the token header.
1205 	 */
1206 	m_copydata(mic, 16, cklen, buf);
1207 	mlast->m_next = mic;
1208 	krb5_checksum(key, 0, m, 0, mlen + 16, cklen);
1209 	mlast->m_next = NULL;
1210 	if (bcmp(buf, p + 16, cklen)) {
1211 		return (GSS_S_BAD_SIG);
1212 	}
1213 
1214 	return (GSS_S_COMPLETE);
1215 }
1216 
1217 static OM_uint32
1218 krb5_verify_mic(gss_ctx_id_t ctx, OM_uint32 *minor_status,
1219     struct mbuf *m, struct mbuf *mic, gss_qop_t *qop_state)
1220 {
1221 	struct krb5_context *kc = (struct krb5_context *)ctx;
1222 
1223 	*minor_status = 0;
1224 	if (qop_state)
1225 		*qop_state = GSS_C_QOP_DEFAULT;
1226 
1227 	if (time_uptime > kc->kc_lifetime)
1228 		return (GSS_S_CONTEXT_EXPIRED);
1229 
1230 	switch (kc->kc_tokenkey->ks_class->ec_type) {
1231 	case ETYPE_DES_CBC_CRC:
1232 		return (krb5_verify_mic_old(kc, m, mic, sgn_alg_des_md5));
1233 
1234 	case ETYPE_ARCFOUR_HMAC_MD5:
1235 	case ETYPE_ARCFOUR_HMAC_MD5_56:
1236 		return (krb5_verify_mic_old(kc, m, mic, sgn_alg_hmac_md5));
1237 
1238 	case ETYPE_DES3_CBC_SHA1:
1239 		return (krb5_verify_mic_old(kc, m, mic, sgn_alg_des3_sha1));
1240 
1241 	default:
1242 		return (krb5_verify_mic_new(kc, m, mic));
1243 	}
1244 
1245 	return (GSS_S_FAILURE);
1246 }
1247 
1248 static OM_uint32
1249 krb5_wrap_old(struct krb5_context *kc, int conf_req_flag,
1250     struct mbuf **mp, int *conf_state,
1251     uint8_t sgn_alg[2], uint8_t seal_alg[2])
1252 {
1253 	struct mbuf *m, *mlast, *tm, *cm, *pm;
1254 	size_t mlen, tlen, padlen, datalen;
1255 	uint8_t *p, dir;
1256 	size_t cklen;
1257 	uint8_t buf[8];
1258 	uint32_t seq;
1259 
1260 	/*
1261 	 * How many trailing pad bytes do we need?
1262 	 */
1263 	m = *mp;
1264 	mlen = m_length(m, &mlast);
1265 	tlen = kc->kc_tokenkey->ks_class->ec_msgblocklen;
1266 	padlen = tlen - (mlen % tlen);
1267 
1268 	/*
1269 	 * The data part of the token has eight bytes of random
1270 	 * confounder prepended and followed by up to eight bytes of
1271 	 * padding bytes each of which is set to the number of padding
1272 	 * bytes.
1273 	 */
1274 	datalen = mlen + 8 + padlen;
1275 	tlen = token_length(kc->kc_tokenkey);
1276 
1277 	p = krb5_make_token("\x02\x01", tlen, datalen + tlen, &tm);
1278 	p += 2;			/* TOK_ID */
1279 	*p++ = sgn_alg[0];	/* SGN_ALG */
1280 	*p++ = sgn_alg[1];
1281 	if (conf_req_flag) {
1282 		*p++ = seal_alg[0]; /* SEAL_ALG */
1283 		*p++ = seal_alg[1];
1284 	} else {
1285 		*p++ = 0xff;	/* SEAL_ALG = none */
1286 		*p++ = 0xff;
1287 	}
1288 
1289 	*p++ = 0xff;		/* filler */
1290 	*p++ = 0xff;
1291 
1292 	/*
1293 	 * Copy the padded message data.
1294 	 */
1295 	if (M_LEADINGSPACE(m) >= 8) {
1296 		m->m_data -= 8;
1297 		m->m_len += 8;
1298 	} else {
1299 		MGET(cm, M_WAITOK, MT_DATA);
1300 		cm->m_len = 8;
1301 		cm->m_next = m;
1302 		m = cm;
1303 	}
1304 	arc4rand(m->m_data, 8, 0);
1305 	if (M_TRAILINGSPACE(mlast) >= padlen) {
1306 		memset(mlast->m_data + mlast->m_len, padlen, padlen);
1307 		mlast->m_len += padlen;
1308 	} else {
1309 		MGET(pm, M_WAITOK, MT_DATA);
1310 		memset(pm->m_data, padlen, padlen);
1311 		pm->m_len = padlen;
1312 		mlast->m_next = pm;
1313 		mlast = pm;
1314 	}
1315 	tm->m_next = m;
1316 
1317 	/*
1318 	 * SGN_CKSUM:
1319 	 *
1320 	 * Calculate the keyed checksum of the token header plus the
1321 	 * padded message. Fiddle with tm->m_len so that we only
1322 	 * checksum the 8 bytes of head that we care about.
1323 	 */
1324 	cklen = kc->kc_checksumkey->ks_class->ec_checksumlen;
1325 	tlen = tm->m_len;
1326 	tm->m_len = p - (uint8_t *) tm->m_data;
1327 	MGET(cm, M_WAITOK, MT_DATA);
1328 	cm->m_len = cklen;
1329 	mlast->m_next = cm;
1330 	krb5_checksum(kc->kc_checksumkey, 13, tm, tm->m_len - 8,
1331 	    datalen + 8, cklen);
1332 	tm->m_len = tlen;
1333 	mlast->m_next = NULL;
1334 	bcopy(cm->m_data, p + 8, cklen);
1335 	m_free(cm);
1336 
1337 	/*
1338 	 * SND_SEQ:
1339 	 *
1340 	 * Take the four bytes of the sequence number least
1341 	 * significant first (most significant first for ARCFOUR)
1342 	 * followed by four bytes of direction marker (zero for
1343 	 * initiator and 0xff for acceptor). Encrypt that data using
1344 	 * the SGN_CKSUM as IV.
1345 	 */
1346 	seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
1347 	if (sgn_alg[0] == 0x11) {
1348 		p[0] = (seq >> 24);
1349 		p[1] = (seq >> 16);
1350 		p[2] = (seq >> 8);
1351 		p[3] = (seq >> 0);
1352 	} else {
1353 		p[0] = (seq >> 0);
1354 		p[1] = (seq >> 8);
1355 		p[2] = (seq >> 16);
1356 		p[3] = (seq >> 24);
1357 	}
1358 	if (is_initiator(kc)) {
1359 		dir = 0;
1360 	} else {
1361 		dir = 0xff;
1362 	}
1363 	p[4] = dir;
1364 	p[5] = dir;
1365 	p[6] = dir;
1366 	p[7] = dir;
1367 	krb5_encrypt(kc->kc_tokenkey, tm, p - (uint8_t *) tm->m_data,
1368 	    8, p + 8, 8);
1369 
1370 	if (conf_req_flag) {
1371 		/*
1372 		 * Encrypt the padded message with an IV of zero for
1373 		 * DES and DES3, or an IV of the sequence number in
1374 		 * big-endian format for ARCFOUR.
1375 		 */
1376 		if (seal_alg[0] == 0x10) {
1377 			buf[0] = (seq >> 24);
1378 			buf[1] = (seq >> 16);
1379 			buf[2] = (seq >> 8);
1380 			buf[3] = (seq >> 0);
1381 			krb5_encrypt(kc->kc_encryptkey, m, 0, datalen,
1382 			    buf, 4);
1383 		} else {
1384 			krb5_encrypt(kc->kc_encryptkey, m, 0, datalen,
1385 			    NULL, 0);
1386 		}
1387 	}
1388 
1389 	if (conf_state)
1390 		*conf_state = conf_req_flag;
1391 
1392 	*mp = tm;
1393 	return (GSS_S_COMPLETE);
1394 }
1395 
1396 static OM_uint32
1397 krb5_wrap_new(struct krb5_context *kc, int conf_req_flag,
1398     struct mbuf **mp, int *conf_state)
1399 {
1400 	struct krb5_key_state *Ke = kc->kc_send_seal_Ke;
1401 	struct krb5_key_state *Ki = kc->kc_send_seal_Ki;
1402 	struct krb5_key_state *Kc = kc->kc_send_seal_Kc;
1403 	const struct krb5_encryption_class *ec = Ke->ks_class;
1404 	struct mbuf *m, *mlast, *tm;
1405 	uint8_t *p;
1406 	int flags, EC;
1407 	size_t mlen, blen, mblen, cklen, ctlen;
1408 	uint32_t seq;
1409 	static char zpad[32];
1410 
1411 	m = *mp;
1412 	mlen = m_length(m, &mlast);
1413 
1414 	blen = ec->ec_blocklen;
1415 	mblen = ec->ec_msgblocklen;
1416 	cklen = ec->ec_checksumlen;
1417 
1418 	if (conf_req_flag) {
1419 		/*
1420 		 * For sealed messages, we need space for 16 bytes of
1421 		 * header, blen confounder, plaintext, padding, copy
1422 		 * of header and checksum.
1423 		 *
1424 		 * We pad to mblen (which may be different from
1425 		 * blen). If the encryption class is using CTS, mblen
1426 		 * will be one (i.e. no padding required).
1427 		 */
1428 		if (mblen > 1)
1429 			EC = mlen % mblen;
1430 		else
1431 			EC = 0;
1432 		ctlen = blen + mlen + EC + 16;
1433 
1434 		/*
1435 		 * Put initial header and confounder before the
1436 		 * message.
1437 		 */
1438 		M_PREPEND(m, 16 + blen, M_WAITOK);
1439 
1440 		/*
1441 		 * Append padding + copy of header and checksum. Try
1442 		 * to fit this into the end of the original message,
1443 		 * otherwise allocate a trailer.
1444 		 */
1445 		if (M_TRAILINGSPACE(mlast) >= EC + 16 + cklen) {
1446 			tm = NULL;
1447 			mlast->m_len += EC + 16 + cklen;
1448 		} else {
1449 			MGET(tm, M_WAITOK, MT_DATA);
1450 			tm->m_len = EC + 16 + cklen;
1451 			mlast->m_next = tm;
1452 		}
1453 	} else {
1454 		/*
1455 		 * For unsealed messages, we need 16 bytes of header
1456 		 * plus space for the plaintext and a checksum. EC is
1457 		 * set to the checksum size. We leave space in tm for
1458 		 * a copy of the header - this will be trimmed later.
1459 		 */
1460 		M_PREPEND(m, 16, M_WAITOK);
1461 
1462 		MGET(tm, M_WAITOK, MT_DATA);
1463 		tm->m_len = cklen + 16;
1464 		mlast->m_next = tm;
1465 		ctlen = 0;
1466 		EC = cklen;
1467 	}
1468 
1469 	p = m->m_data;
1470 
1471 	/* TOK_ID */
1472 	p[0] = 0x05;
1473 	p[1] = 0x04;
1474 
1475 	/* Flags */
1476 	flags = 0;
1477 	if (conf_req_flag)
1478 		flags = GSS_TOKEN_SEALED;
1479 	if (is_acceptor(kc))
1480 		flags |= GSS_TOKEN_SENT_BY_ACCEPTOR;
1481 	if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
1482 		flags |= GSS_TOKEN_ACCEPTOR_SUBKEY;
1483 	p[2] = flags;
1484 
1485 	/* Filler */
1486 	p[3] = 0xff;
1487 
1488 	/* EC + RRC - set to zero initially */
1489 	p[4] = 0;
1490 	p[5] = 0;
1491 	p[6] = 0;
1492 	p[7] = 0;
1493 
1494 	/* SND_SEQ */
1495 	p[8] = 0;
1496 	p[9] = 0;
1497 	p[10] = 0;
1498 	p[11] = 0;
1499 	seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
1500 	p[12] = (seq >> 24);
1501 	p[13] = (seq >> 16);
1502 	p[14] = (seq >> 8);
1503 	p[15] = (seq >> 0);
1504 
1505 	if (conf_req_flag) {
1506 		/*
1507 		 * Encrypt according to RFC 4121 section 4.2 and RFC
1508 		 * 3961 section 5.3. Note: we don't generate tokens
1509 		 * with RRC values other than zero. If we did, we
1510 		 * should zero RRC in the copied header.
1511 		 */
1512 		arc4rand(p + 16, blen, 0);
1513 		if (EC) {
1514 			m_copyback(m, 16 + blen + mlen, EC, zpad);
1515 		}
1516 		m_copyback(m, 16 + blen + mlen + EC, 16, p);
1517 
1518 		krb5_checksum(Ki, 0, m, 16, ctlen, cklen);
1519 		krb5_encrypt(Ke, m, 16, ctlen, NULL, 0);
1520 	} else {
1521 		/*
1522 		 * The plaintext message is followed by a checksum of
1523 		 * the plaintext plus a version of the header where EC
1524 		 * and RRC are set to zero. Also, the original EC must
1525 		 * be our checksum size.
1526 		 */
1527 		bcopy(p, tm->m_data, 16);
1528 		krb5_checksum(Kc, 0, m, 16, mlen + 16, cklen);
1529 		tm->m_data += 16;
1530 		tm->m_len -= 16;
1531 	}
1532 
1533 	/*
1534 	 * Finally set EC to its actual value
1535 	 */
1536 	p[4] = EC >> 8;
1537 	p[5] = EC;
1538 
1539 	*mp = m;
1540 	return (GSS_S_COMPLETE);
1541 }
1542 
1543 static OM_uint32
1544 krb5_wrap(gss_ctx_id_t ctx, OM_uint32 *minor_status,
1545     int conf_req_flag, gss_qop_t qop_req,
1546     struct mbuf **mp, int *conf_state)
1547 {
1548 	struct krb5_context *kc = (struct krb5_context *)ctx;
1549 
1550 	*minor_status = 0;
1551 	if (conf_state)
1552 		*conf_state = 0;
1553 
1554 	if (qop_req != GSS_C_QOP_DEFAULT)
1555 		return (GSS_S_BAD_QOP);
1556 
1557 	if (time_uptime > kc->kc_lifetime)
1558 		return (GSS_S_CONTEXT_EXPIRED);
1559 
1560 	switch (kc->kc_tokenkey->ks_class->ec_type) {
1561 	case ETYPE_DES_CBC_CRC:
1562 		return (krb5_wrap_old(kc, conf_req_flag,
1563 			mp, conf_state, sgn_alg_des_md5, seal_alg_des));
1564 
1565 	case ETYPE_ARCFOUR_HMAC_MD5:
1566 	case ETYPE_ARCFOUR_HMAC_MD5_56:
1567 		return (krb5_wrap_old(kc, conf_req_flag,
1568 			mp, conf_state, sgn_alg_hmac_md5, seal_alg_rc4));
1569 
1570 	case ETYPE_DES3_CBC_SHA1:
1571 		return (krb5_wrap_old(kc, conf_req_flag,
1572 			mp, conf_state, sgn_alg_des3_sha1, seal_alg_des3));
1573 
1574 	default:
1575 		return (krb5_wrap_new(kc, conf_req_flag, mp, conf_state));
1576 	}
1577 
1578 	return (GSS_S_FAILURE);
1579 }
1580 
1581 static void
1582 m_trim(struct mbuf *m, int len)
1583 {
1584 	struct mbuf *n;
1585 	int off;
1586 
1587 	if (m == NULL)
1588 		return;
1589 	n = m_getptr(m, len, &off);
1590 	if (n) {
1591 		n->m_len = off;
1592 		if (n->m_next) {
1593 			m_freem(n->m_next);
1594 			n->m_next = NULL;
1595 		}
1596 	}
1597 }
1598 
1599 static OM_uint32
1600 krb5_unwrap_old(struct krb5_context *kc, struct mbuf **mp, int *conf_state,
1601     uint8_t sgn_alg[2], uint8_t seal_alg[2])
1602 {
1603 	OM_uint32 res;
1604 	struct mbuf *m, *mlast, *hm, *cm, *n;
1605 	uint8_t *p, dir;
1606 	size_t tlen, elen, datalen, padlen;
1607 	size_t cklen;
1608 	uint8_t buf[32];
1609 	uint32_t seq;
1610 	int i, conf;
1611 
1612 	m = *mp;
1613 	m_length(m, &mlast);
1614 
1615 	tlen = token_length(kc->kc_tokenkey);
1616 	cklen = kc->kc_tokenkey->ks_class->ec_checksumlen;
1617 
1618 	p = krb5_verify_token("\x02\x01", tlen, &m, &elen, TRUE);
1619 	*mp = m;
1620 	if (!p)
1621 		return (GSS_S_DEFECTIVE_TOKEN);
1622 	datalen = elen - tlen;
1623 
1624 	/*
1625 	 * Trim the framing header first to make life a little easier
1626 	 * later.
1627 	 */
1628 	m_adj(m, p - (uint8_t *) m->m_data);
1629 
1630 	/* TOK_ID */
1631 	p += 2;
1632 
1633 	/* SGN_ALG */
1634 	if (p[0] != sgn_alg[0] || p[1] != sgn_alg[1])
1635 		return (GSS_S_DEFECTIVE_TOKEN);
1636 	p += 2;
1637 
1638 	/* SEAL_ALG */
1639 	if (p[0] == seal_alg[0] && p[1] == seal_alg[1])
1640 		conf = 1;
1641 	else if (p[0] == 0xff && p[1] == 0xff)
1642 		conf = 0;
1643 	else
1644 		return (GSS_S_DEFECTIVE_TOKEN);
1645 	p += 2;
1646 
1647 	if (p[0] != 0xff || p[1] != 0xff)
1648 		return (GSS_S_DEFECTIVE_TOKEN);
1649 	p += 2;
1650 
1651 	/*
1652 	 * SND_SEQ:
1653 	 *
1654 	 * Take the four bytes of the sequence number least
1655 	 * significant first (most significant for ARCFOUR) followed
1656 	 * by four bytes of direction marker (zero for initiator and
1657 	 * 0xff for acceptor). Encrypt that data using the SGN_CKSUM
1658 	 * as IV.
1659 	 */
1660 	krb5_decrypt(kc->kc_tokenkey, m, 8, 8, p + 8, 8);
1661 	if (sgn_alg[0] == 0x11) {
1662 		seq = p[3] | (p[2] << 8) | (p[1] << 16) | (p[0] << 24);
1663 	} else {
1664 		seq = p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
1665 	}
1666 
1667 	if (is_initiator(kc)) {
1668 		dir = 0xff;
1669 	} else {
1670 		dir = 0;
1671 	}
1672 	if (p[4] != dir || p[5] != dir || p[6] != dir || p[7] != dir)
1673 		return (GSS_S_DEFECTIVE_TOKEN);
1674 
1675 	if (kc->kc_msg_order.km_flags &
1676 	    (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) {
1677 		res = krb5_sequence_check(kc, seq);
1678 		if (GSS_ERROR(res))
1679 			return (res);
1680 	} else {
1681 		res = GSS_S_COMPLETE;
1682 	}
1683 
1684 	/*
1685 	 * If the token was encrypted, decode it in-place.
1686 	 */
1687 	if (conf) {
1688 		/*
1689 		 * Decrypt the padded message with an IV of zero for
1690 		 * DES and DES3 or an IV of the big-endian encoded
1691 		 * sequence number for ARCFOUR.
1692 		 */
1693 		if (seal_alg[0] == 0x10) {
1694 			krb5_decrypt(kc->kc_encryptkey, m, 16 + cklen,
1695 			    datalen, p, 4);
1696 		} else {
1697 			krb5_decrypt(kc->kc_encryptkey, m, 16 + cklen,
1698 			    datalen, NULL, 0);
1699 		}
1700 	}
1701 	if (conf_state)
1702 		*conf_state = conf;
1703 
1704 	/*
1705 	 * Check the trailing pad bytes.
1706 	 * RFC1964 specifies between 1<->8 bytes, each with a binary value
1707 	 * equal to the number of bytes.
1708 	 */
1709 	if (mlast->m_len > 0)
1710 		padlen = mlast->m_data[mlast->m_len - 1];
1711 	else {
1712 		n = m_getptr(m, tlen + datalen - 1, &i);
1713 		/*
1714 		 * When the position is exactly equal to the # of data bytes
1715 		 * in the mbuf list, m_getptr() will return the last mbuf in
1716 		 * the list and an off == m_len for that mbuf, so that case
1717 		 * needs to be checked as well as a NULL return.
1718 		 */
1719 		if (n == NULL || n->m_len == i)
1720 			return (GSS_S_DEFECTIVE_TOKEN);
1721 		padlen = n->m_data[i];
1722 	}
1723 	if (padlen < 1 || padlen > 8 || padlen > tlen + datalen)
1724 		return (GSS_S_DEFECTIVE_TOKEN);
1725 	m_copydata(m, tlen + datalen - padlen, padlen, buf);
1726 	for (i = 0; i < padlen; i++) {
1727 		if (buf[i] != padlen) {
1728 			return (GSS_S_DEFECTIVE_TOKEN);
1729 		}
1730 	}
1731 
1732 	/*
1733 	 * SGN_CKSUM:
1734 	 *
1735 	 * Calculate the keyed checksum of the token header plus the
1736 	 * padded message. We do a little mbuf surgery to trim out the
1737 	 * parts we don't want to checksum.
1738 	 */
1739 	hm = m;
1740 	*mp = m = m_split(m, 16 + cklen, M_WAITOK);
1741 	mlast = m_last(m);
1742 	hm->m_len = 8;
1743 	hm->m_next = m;
1744 	MGET(cm, M_WAITOK, MT_DATA);
1745 	cm->m_len = cklen;
1746 	mlast->m_next = cm;
1747 
1748 	krb5_checksum(kc->kc_checksumkey, 13, hm, 0, datalen + 8, cklen);
1749 	hm->m_next = NULL;
1750 	mlast->m_next = NULL;
1751 
1752 	if (bcmp(cm->m_data, hm->m_data + 16, cklen)) {
1753 		m_freem(hm);
1754 		m_free(cm);
1755 		return (GSS_S_BAD_SIG);
1756 	}
1757 	m_freem(hm);
1758 	m_free(cm);
1759 
1760 	/*
1761 	 * Trim off the confounder and padding.
1762 	 */
1763 	m_adj(m, 8);
1764 	if (mlast->m_len >= padlen) {
1765 		mlast->m_len -= padlen;
1766 	} else {
1767 		m_trim(m, datalen - 8 - padlen);
1768 	}
1769 
1770 	*mp = m;
1771 	return (res);
1772 }
1773 
1774 static OM_uint32
1775 krb5_unwrap_new(struct krb5_context *kc, struct mbuf **mp, int *conf_state)
1776 {
1777 	OM_uint32 res;
1778 	struct krb5_key_state *Ke = kc->kc_recv_seal_Ke;
1779 	struct krb5_key_state *Ki = kc->kc_recv_seal_Ki;
1780 	struct krb5_key_state *Kc = kc->kc_recv_seal_Kc;
1781 	const struct krb5_encryption_class *ec = Ke->ks_class;
1782 	struct mbuf *m, *mlast, *hm, *cm;
1783 	uint8_t *p;
1784 	int sealed, flags, EC, RRC;
1785 	size_t blen, cklen, ctlen, mlen, plen, tlen;
1786 	char buf[32], buf2[32];
1787 
1788 	m = *mp;
1789 	mlen = m_length(m, &mlast);
1790 
1791 	if (mlen <= 16)
1792 		return (GSS_S_DEFECTIVE_TOKEN);
1793 	if (m->m_len < 16) {
1794 		m = m_pullup(m, 16);
1795 		*mp = m;
1796 	}
1797 	p = m->m_data;
1798 
1799 	/* TOK_ID */
1800 	if (p[0] != 0x05)
1801 		return (GSS_S_DEFECTIVE_TOKEN);
1802 	if (p[1] != 0x04)
1803 		return (GSS_S_DEFECTIVE_TOKEN);
1804 
1805 	/* Flags */
1806 	sealed = p[2] & GSS_TOKEN_SEALED;
1807 	flags = sealed;
1808 	if (is_initiator(kc))
1809 		flags |= GSS_TOKEN_SENT_BY_ACCEPTOR;
1810 	if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
1811 		flags |= GSS_TOKEN_ACCEPTOR_SUBKEY;
1812 	if (p[2] != flags)
1813 		return (GSS_S_DEFECTIVE_TOKEN);
1814 
1815 	/* Filler */
1816 	if (p[3] != 0xff)
1817 		return (GSS_S_DEFECTIVE_TOKEN);
1818 
1819 	/* EC + RRC */
1820 	EC = (p[4] << 8) + p[5];
1821 	RRC = (p[6] << 8) + p[7];
1822 
1823 	/* SND_SEQ */
1824 	if (kc->kc_msg_order.km_flags &
1825 		(GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)) {
1826 		uint32_t seq;
1827 		if (p[8] || p[9] || p[10] || p[11]) {
1828 			res = GSS_S_UNSEQ_TOKEN;
1829 		} else {
1830 			seq = (p[12] << 24) | (p[13] << 16)
1831 				| (p[14] << 8) | p[15];
1832 			res = krb5_sequence_check(kc, seq);
1833 		}
1834 		if (GSS_ERROR(res))
1835 			return (res);
1836 	} else {
1837 		res = GSS_S_COMPLETE;
1838 	}
1839 
1840 	/*
1841 	 * Separate the header before dealing with RRC. We only need
1842 	 * to keep the header if the message isn't encrypted.
1843 	 */
1844 	if (sealed) {
1845 		hm = NULL;
1846 		m_adj(m, 16);
1847 	} else {
1848 		hm = m;
1849 		*mp = m = m_split(m, 16, M_WAITOK);
1850 		mlast = m_last(m);
1851 	}
1852 
1853 	/*
1854 	 * Undo the effects of RRC by rotating left.
1855 	 */
1856 	if (RRC > 0) {
1857 		struct mbuf *rm;
1858 		size_t rlen;
1859 
1860 		rlen = mlen - 16;
1861 		if (RRC <= sizeof(buf) && m->m_len >= rlen) {
1862 			/*
1863 			 * Simple case, just rearrange the bytes in m.
1864 			 */
1865 			bcopy(m->m_data, buf, RRC);
1866 			bcopy(m->m_data + RRC, m->m_data, rlen - RRC);
1867 			bcopy(buf, m->m_data + rlen - RRC, RRC);
1868 		} else {
1869 			/*
1870 			 * More complicated - rearrange the mbuf
1871 			 * chain.
1872 			 */
1873 			rm = m;
1874 			*mp = m = m_split(m, RRC, M_WAITOK);
1875 			m_cat(m, rm);
1876 			mlast = rm;
1877 		}
1878 	}
1879 
1880 	blen = ec->ec_blocklen;
1881 	cklen = ec->ec_checksumlen;
1882 	if (sealed) {
1883 		/*
1884 		 * Decrypt according to RFC 4121 section 4.2 and RFC
1885 		 * 3961 section 5.3. The message must be large enough
1886 		 * for a blocksize confounder, at least one block of
1887 		 * cyphertext and a checksum.
1888 		 */
1889 		if (mlen < 16 + 2*blen + cklen)
1890 			return (GSS_S_DEFECTIVE_TOKEN);
1891 
1892 		ctlen = mlen - 16 - cklen;
1893 		krb5_decrypt(Ke, m, 0, ctlen, NULL, 0);
1894 
1895 		/*
1896 		 * The size of the plaintext is ctlen minus blocklen
1897 		 * (for the confounder), 16 (for the copy of the token
1898 		 * header) and EC (for the filler). The actual
1899 		 * plaintext starts after the confounder.
1900 		 */
1901 		plen = ctlen - blen - 16 - EC;
1902 
1903 		/*
1904 		 * Checksum the padded plaintext.
1905 		 */
1906 		m_copydata(m, ctlen, cklen, buf);
1907 		krb5_checksum(Ki, 0, m, 0, ctlen, cklen);
1908 		m_copydata(m, ctlen, cklen, buf2);
1909 
1910 		if (bcmp(buf, buf2, cklen))
1911 			return (GSS_S_BAD_SIG);
1912 
1913 		/*
1914 		 * Trim the message back to just plaintext.
1915 		 */
1916 		m_adj(m, blen);
1917 		tlen = 16 + EC + cklen;
1918 		if (mlast->m_len >= tlen) {
1919 			mlast->m_len -= tlen;
1920 		} else {
1921 			m_trim(m, plen);
1922 		}
1923 	} else {
1924 		/*
1925 		 * The plaintext message is followed by a checksum of
1926 		 * the plaintext plus a version of the header where EC
1927 		 * and RRC are set to zero. Also, the original EC must
1928 		 * be our checksum size.
1929 		 */
1930 		if (mlen < 16 + cklen || EC != cklen)
1931 			return (GSS_S_DEFECTIVE_TOKEN);
1932 
1933 		/*
1934 		 * The size of the plaintext is simply the message
1935 		 * size less header and checksum. The plaintext starts
1936 		 * right after the header (which we have saved in hm).
1937 		 */
1938 		plen = mlen - 16 - cklen;
1939 
1940 		/*
1941 		 * Insert a copy of the header (with EC and RRC set to
1942 		 * zero) between the plaintext message and the
1943 		 * checksum.
1944 		 */
1945 		p = hm->m_data;
1946 		p[4] = p[5] = p[6] = p[7] = 0;
1947 
1948 		cm = m_split(m, plen, M_WAITOK);
1949 		mlast = m_last(m);
1950 		m->m_next = hm;
1951 		hm->m_next = cm;
1952 
1953 		bcopy(cm->m_data, buf, cklen);
1954 		krb5_checksum(Kc, 0, m, 0, plen + 16, cklen);
1955 		if (bcmp(cm->m_data, buf, cklen))
1956 			return (GSS_S_BAD_SIG);
1957 
1958 		/*
1959 		 * The checksum matches, discard all buf the plaintext.
1960 		 */
1961 		mlast->m_next = NULL;
1962 		m_freem(hm);
1963 	}
1964 
1965 	if (conf_state)
1966 		*conf_state = (sealed != 0);
1967 
1968 	return (res);
1969 }
1970 
1971 static OM_uint32
1972 krb5_unwrap(gss_ctx_id_t ctx, OM_uint32 *minor_status,
1973     struct mbuf **mp, int *conf_state, gss_qop_t *qop_state)
1974 {
1975 	struct krb5_context *kc = (struct krb5_context *)ctx;
1976 	OM_uint32 maj_stat;
1977 
1978 	*minor_status = 0;
1979 	if (qop_state)
1980 		*qop_state = GSS_C_QOP_DEFAULT;
1981 	if (conf_state)
1982 		*conf_state = 0;
1983 
1984 	if (time_uptime > kc->kc_lifetime)
1985 		return (GSS_S_CONTEXT_EXPIRED);
1986 
1987 	switch (kc->kc_tokenkey->ks_class->ec_type) {
1988 	case ETYPE_DES_CBC_CRC:
1989 		maj_stat = krb5_unwrap_old(kc, mp, conf_state,
1990 			sgn_alg_des_md5, seal_alg_des);
1991 		break;
1992 
1993 	case ETYPE_ARCFOUR_HMAC_MD5:
1994 	case ETYPE_ARCFOUR_HMAC_MD5_56:
1995 		maj_stat = krb5_unwrap_old(kc, mp, conf_state,
1996 			sgn_alg_hmac_md5, seal_alg_rc4);
1997 		break;
1998 
1999 	case ETYPE_DES3_CBC_SHA1:
2000 		maj_stat = krb5_unwrap_old(kc, mp, conf_state,
2001 			sgn_alg_des3_sha1, seal_alg_des3);
2002 		break;
2003 
2004 	default:
2005 		maj_stat = krb5_unwrap_new(kc, mp, conf_state);
2006 		break;
2007 	}
2008 
2009 	if (GSS_ERROR(maj_stat)) {
2010 		m_freem(*mp);
2011 		*mp = NULL;
2012 	}
2013 
2014 	return (maj_stat);
2015 }
2016 
2017 static OM_uint32
2018 krb5_wrap_size_limit(gss_ctx_id_t ctx, OM_uint32 *minor_status,
2019     int conf_req_flag, gss_qop_t qop_req, OM_uint32 req_output_size,
2020     OM_uint32 *max_input_size)
2021 {
2022 	struct krb5_context *kc = (struct krb5_context *)ctx;
2023 	const struct krb5_encryption_class *ec;
2024 	OM_uint32 overhead;
2025 
2026 	*minor_status = 0;
2027 	*max_input_size = 0;
2028 
2029 	if (qop_req != GSS_C_QOP_DEFAULT)
2030 		return (GSS_S_BAD_QOP);
2031 
2032 	ec = kc->kc_tokenkey->ks_class;
2033 	switch (ec->ec_type) {
2034 	case ETYPE_DES_CBC_CRC:
2035 	case ETYPE_DES3_CBC_SHA1:
2036 	case ETYPE_ARCFOUR_HMAC_MD5:
2037 	case ETYPE_ARCFOUR_HMAC_MD5_56:
2038 		/*
2039 		 * up to 5 bytes for [APPLICATION 0] SEQUENCE
2040 		 * 2 + krb5 oid length
2041 		 * 8 bytes of header
2042 		 * 8 bytes of confounder
2043 		 * maximum of 8 bytes of padding
2044 		 * checksum
2045 		 */
2046 		overhead = 5 + 2 + krb5_mech_oid.length;
2047 		overhead += 8 + 8 + ec->ec_msgblocklen;
2048 		overhead += ec->ec_checksumlen;
2049 		break;
2050 
2051 	default:
2052 		if (conf_req_flag) {
2053 			/*
2054 			 * 16 byts of header
2055 			 * blocklen bytes of confounder
2056 			 * up to msgblocklen - 1 bytes of padding
2057 			 * 16 bytes for copy of header
2058 			 * checksum
2059 			 */
2060 			overhead = 16 + ec->ec_blocklen;
2061 			overhead += ec->ec_msgblocklen - 1;
2062 			overhead += 16;
2063 			overhead += ec->ec_checksumlen;
2064 		} else {
2065 			/*
2066 			 * 16 bytes of header plus checksum.
2067 			 */
2068 			overhead = 16 + ec->ec_checksumlen;
2069 		}
2070 	}
2071 
2072 	*max_input_size = req_output_size - overhead;
2073 
2074 	return (GSS_S_COMPLETE);
2075 }
2076 
2077 static kobj_method_t krb5_methods[] = {
2078 	KOBJMETHOD(kgss_init,		krb5_init),
2079 	KOBJMETHOD(kgss_import,		krb5_import),
2080 	KOBJMETHOD(kgss_delete,		krb5_delete),
2081 	KOBJMETHOD(kgss_mech_type,	krb5_mech_type),
2082 	KOBJMETHOD(kgss_get_mic,	krb5_get_mic),
2083 	KOBJMETHOD(kgss_verify_mic,	krb5_verify_mic),
2084 	KOBJMETHOD(kgss_wrap,		krb5_wrap),
2085 	KOBJMETHOD(kgss_unwrap,		krb5_unwrap),
2086 	KOBJMETHOD(kgss_wrap_size_limit, krb5_wrap_size_limit),
2087 	{ 0, 0 }
2088 };
2089 
2090 static struct kobj_class krb5_class = {
2091 	"kerberosv5",
2092 	krb5_methods,
2093 	sizeof(struct krb5_context)
2094 };
2095 
2096 /*
2097  * Kernel module glue
2098  */
2099 static int
2100 kgssapi_krb5_modevent(module_t mod, int type, void *data)
2101 {
2102 
2103 	switch (type) {
2104 	case MOD_LOAD:
2105 		kgss_install_mech(&krb5_mech_oid, "kerberosv5", &krb5_class);
2106 		break;
2107 
2108 	case MOD_UNLOAD:
2109 		kgss_uninstall_mech(&krb5_mech_oid);
2110 		break;
2111 	}
2112 
2113 	return (0);
2114 }
2115 static moduledata_t kgssapi_krb5_mod = {
2116 	"kgssapi_krb5",
2117 	kgssapi_krb5_modevent,
2118 	NULL,
2119 };
2120 DECLARE_MODULE(kgssapi_krb5, kgssapi_krb5_mod, SI_SUB_VFS, SI_ORDER_ANY);
2121 MODULE_DEPEND(kgssapi_krb5, kgssapi, 1, 1, 1);
2122 MODULE_DEPEND(kgssapi_krb5, crypto, 1, 1, 1);
2123 MODULE_DEPEND(kgssapi_krb5, rc4, 1, 1, 1);
2124 MODULE_VERSION(kgssapi_krb5, 1);
2125