Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/crypto/heimdal/lib/gssapi/krb5/cfx.c
34923 views
1
/*

2
 * Copyright (c) 2003, PADL Software Pty Ltd.

3
 * All rights reserved.

4
 *

5
 * Redistribution and use in source and binary forms, with or without

6
 * modification, are permitted provided that the following conditions

7
 * are met:

8
 *

9
 * 1. Redistributions of source code must retain the above copyright

10
 *    notice, this list of conditions and the following disclaimer.

11
 *

12
 * 2. Redistributions in binary form must reproduce the above copyright

13
 *    notice, this list of conditions and the following disclaimer in the

14
 *    documentation and/or other materials provided with the distribution.

15
 *

16
 * 3. Neither the name of PADL Software nor the names of its contributors

17
 *    may be used to endorse or promote products derived from this software

18
 *    without specific prior written permission.

19
 *

20
 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND

21
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

22
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

23
 * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE

24
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

25
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

26
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

27
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

28
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

29
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

30
 * SUCH DAMAGE.

31
 */

32


33
#include "gsskrb5_locl.h"

34


35
/*

36
 * Implementation of RFC 4121

37
 */

38


39
#define CFXSentByAcceptor	(1 << 0)

40
#define CFXSealed		(1 << 1)

41
#define CFXAcceptorSubkey	(1 << 2)

42


43
krb5_error_code

44
_gsskrb5cfx_wrap_length_cfx(krb5_context context,

45
			    krb5_crypto crypto,

46
			    int conf_req_flag,

47
			    int dce_style,

48
			    size_t input_length,

49
			    size_t *output_length,

50
			    size_t *cksumsize,

51
			    uint16_t *padlength)

52
{

53
    krb5_error_code ret;

54
    krb5_cksumtype type;

55


56
    /* 16-byte header is always first */

57
    *output_length = sizeof(gss_cfx_wrap_token_desc);

58
    *padlength = 0;

59


60
    ret = krb5_crypto_get_checksum_type(context, crypto, &type);

61
    if (ret)

62
	return ret;

63


64
    ret = krb5_checksumsize(context, type, cksumsize);

65
    if (ret)

66
	return ret;

67


68
    if (conf_req_flag) {

69
	size_t padsize;

70


71
	/* Header is concatenated with data before encryption */

72
	input_length += sizeof(gss_cfx_wrap_token_desc);

73


74
	if (dce_style) {

75
		ret = krb5_crypto_getblocksize(context, crypto, &padsize);

76
	} else {

77
		ret = krb5_crypto_getpadsize(context, crypto, &padsize);

78
	}

79
	if (ret) {

80
	    return ret;

81
	}

82
	if (padsize > 1) {

83
	    /* XXX check this */

84
	    *padlength = padsize - (input_length % padsize);

85


86
	    /* We add the pad ourselves (noted here for completeness only) */

87
	    input_length += *padlength;

88
	}

89


90
	*output_length += krb5_get_wrapped_length(context,

91
						  crypto, input_length);

92
    } else {

93
	/* Checksum is concatenated with data */

94
	*output_length += input_length + *cksumsize;

95
    }

96


97
    assert(*output_length > input_length);

98


99
    return 0;

100
}

101


102
OM_uint32

103
_gssapi_wrap_size_cfx(OM_uint32 *minor_status,

104
		      const gsskrb5_ctx ctx,

105
		      krb5_context context,

106
		      int conf_req_flag,

107
		      gss_qop_t qop_req,

108
		      OM_uint32 req_output_size,

109
		      OM_uint32 *max_input_size)

110
{

111
    krb5_error_code ret;

112


113
    *max_input_size = 0;

114


115
    /* 16-byte header is always first */

116
    if (req_output_size < 16)

117
	return 0;

118
    req_output_size -= 16;

119


120
    if (conf_req_flag) {

121
	size_t wrapped_size, sz;

122


123
	wrapped_size = req_output_size + 1;

124
	do {

125
	    wrapped_size--;

126
	    sz = krb5_get_wrapped_length(context,

127
					 ctx->crypto, wrapped_size);

128
	} while (wrapped_size && sz > req_output_size);

129
	if (wrapped_size == 0)

130
	    return 0;

131


132
	/* inner header */

133
	if (wrapped_size < 16)

134
	    return 0;

135


136
	wrapped_size -= 16;

137


138
	*max_input_size = wrapped_size;

139
    } else {

140
	krb5_cksumtype type;

141
	size_t cksumsize;

142


143
	ret = krb5_crypto_get_checksum_type(context, ctx->crypto, &type);

144
	if (ret)

145
	    return ret;

146


147
	ret = krb5_checksumsize(context, type, &cksumsize);

148
	if (ret)

149
	    return ret;

150


151
	if (req_output_size < cksumsize)

152
	    return 0;

153


154
	/* Checksum is concatenated with data */

155
	*max_input_size = req_output_size - cksumsize;

156
    }

157


158
    return 0;

159
}

160


161
/*

162
 * Rotate "rrc" bytes to the front or back

163
 */

164


165
static krb5_error_code

166
rrc_rotate(void *data, size_t len, uint16_t rrc, krb5_boolean unrotate)

167
{

168
    u_char *tmp, buf[256];

169
    size_t left;

170


171
    if (len == 0)

172
	return 0;

173


174
    rrc %= len;

175


176
    if (rrc == 0)

177
	return 0;

178


179
    left = len - rrc;

180


181
    if (rrc <= sizeof(buf)) {

182
	tmp = buf;

183
    } else {

184
	tmp = malloc(rrc);

185
	if (tmp == NULL)

186
	    return ENOMEM;

187
    }

188


189
    if (unrotate) {

190
	memcpy(tmp, data, rrc);

191
	memmove(data, (u_char *)data + rrc, left);

192
	memcpy((u_char *)data + left, tmp, rrc);

193
    } else {

194
	memcpy(tmp, (u_char *)data + left, rrc);

195
	memmove((u_char *)data + rrc, data, left);

196
	memcpy(data, tmp, rrc);

197
    }

198


199
    if (rrc > sizeof(buf))

200
	free(tmp);

201


202
    return 0;

203
}

204


205
gss_iov_buffer_desc *

206
_gk_find_buffer(gss_iov_buffer_desc *iov, int iov_count, OM_uint32 type)

207
{

208
    int i;

209


210
    for (i = 0; i < iov_count; i++)

211
	if (type == GSS_IOV_BUFFER_TYPE(iov[i].type))

212
	    return &iov[i];

213
    return NULL;

214
}

215


216
OM_uint32

217
_gk_allocate_buffer(OM_uint32 *minor_status, gss_iov_buffer_desc *buffer, size_t size)

218
{

219
    if (buffer->type & GSS_IOV_BUFFER_FLAG_ALLOCATED) {

220
	if (buffer->buffer.length == size)

221
	    return GSS_S_COMPLETE;

222
	free(buffer->buffer.value);

223
    }

224


225
    buffer->buffer.value = malloc(size);

226
    buffer->buffer.length = size;

227
    if (buffer->buffer.value == NULL) {

228
	*minor_status = ENOMEM;

229
	return GSS_S_FAILURE;

230
    }

231
    buffer->type |= GSS_IOV_BUFFER_FLAG_ALLOCATED;

232


233
    return GSS_S_COMPLETE;

234
}

235


236


237
OM_uint32

238
_gk_verify_buffers(OM_uint32 *minor_status,

239
		   const gsskrb5_ctx ctx,

240
		   const gss_iov_buffer_desc *header,

241
		   const gss_iov_buffer_desc *padding,

242
		   const gss_iov_buffer_desc *trailer)

243
{

244
    if (header == NULL) {

245
	*minor_status = EINVAL;

246
	return GSS_S_FAILURE;

247
    }

248


249
    if (IS_DCE_STYLE(ctx)) {

250
	/*

251
	 * In DCE style mode we reject having a padding or trailer buffer

252
	 */

253
	if (padding) {

254
	    *minor_status = EINVAL;

255
	    return GSS_S_FAILURE;

256
	}

257
	if (trailer) {

258
	    *minor_status = EINVAL;

259
	    return GSS_S_FAILURE;

260
	}

261
    } else {

262
	/*

263
	 * In non-DCE style mode we require having a padding buffer

264
	 */

265
	if (padding == NULL) {

266
	    *minor_status = EINVAL;

267
	    return GSS_S_FAILURE;

268
	}

269
    }

270


271
    *minor_status = 0;

272
    return GSS_S_COMPLETE;

273
}

274


275
#if 0

276
OM_uint32

277
_gssapi_wrap_cfx_iov(OM_uint32 *minor_status,

278
		     gsskrb5_ctx ctx,

279
		     krb5_context context,

280
		     int conf_req_flag,

281
		     int *conf_state,

282
		     gss_iov_buffer_desc *iov,

283
		     int iov_count)

284
{

285
    OM_uint32 major_status, junk;

286
    gss_iov_buffer_desc *header, *trailer, *padding;

287
    size_t gsshsize, k5hsize;

288
    size_t gsstsize, k5tsize;

289
    size_t rrc = 0, ec = 0;

290
    int i;

291
    gss_cfx_wrap_token token;

292
    krb5_error_code ret;

293
    int32_t seq_number;

294
    unsigned usage;

295
    krb5_crypto_iov *data = NULL;

296


297
    header = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);

298
    if (header == NULL) {

299
	*minor_status = EINVAL;

300
	return GSS_S_FAILURE;

301
    }

302


303
    padding = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING);

304
    if (padding != NULL) {

305
	padding->buffer.length = 0;

306
    }

307


308
    trailer = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);

309


310
    major_status = _gk_verify_buffers(minor_status, ctx, header, padding, trailer);

311
    if (major_status != GSS_S_COMPLETE) {

312
	    return major_status;

313
    }

314


315
    if (conf_req_flag) {

316
	size_t k5psize = 0;

317
	size_t k5pbase = 0;

318
	size_t k5bsize = 0;

319
	size_t size = 0;

320


321
	for (i = 0; i < iov_count; i++) {

322
	    switch (GSS_IOV_BUFFER_TYPE(iov[i].type)) {

323
	    case GSS_IOV_BUFFER_TYPE_DATA:

324
		size += iov[i].buffer.length;

325
		break;

326
	    default:

327
		break;

328
	    }

329
	}

330


331
	size += sizeof(gss_cfx_wrap_token_desc);

332


333
	*minor_status = krb5_crypto_length(context, ctx->crypto,

334
					   KRB5_CRYPTO_TYPE_HEADER,

335
					   &k5hsize);

336
	if (*minor_status)

337
	    return GSS_S_FAILURE;

338


339
	*minor_status = krb5_crypto_length(context, ctx->crypto,

340
					   KRB5_CRYPTO_TYPE_TRAILER,

341
					   &k5tsize);

342
	if (*minor_status)

343
	    return GSS_S_FAILURE;

344


345
	*minor_status = krb5_crypto_length(context, ctx->crypto,

346
					   KRB5_CRYPTO_TYPE_PADDING,

347
					   &k5pbase);

348
	if (*minor_status)

349
	    return GSS_S_FAILURE;

350


351
	if (k5pbase > 1) {

352
	    k5psize = k5pbase - (size % k5pbase);

353
	} else {

354
	    k5psize = 0;

355
	}

356


357
	if (k5psize == 0 && IS_DCE_STYLE(ctx)) {

358
	    *minor_status = krb5_crypto_getblocksize(context, ctx->crypto,

359
						     &k5bsize);

360
	    if (*minor_status)

361
		return GSS_S_FAILURE;

362
	    ec = k5bsize;

363
	} else {

364
	    ec = k5psize;

365
	}

366


367
	gsshsize = sizeof(gss_cfx_wrap_token_desc) + k5hsize;

368
	gsstsize = sizeof(gss_cfx_wrap_token_desc) + ec + k5tsize;

369
    } else {

370
	if (IS_DCE_STYLE(ctx)) {

371
	    *minor_status = EINVAL;

372
	    return GSS_S_FAILURE;

373
	}

374


375
	k5hsize = 0;

376
	*minor_status = krb5_crypto_length(context, ctx->crypto,

377
					   KRB5_CRYPTO_TYPE_CHECKSUM,

378
					   &k5tsize);

379
	if (*minor_status)

380
	    return GSS_S_FAILURE;

381


382
	gsshsize = sizeof(gss_cfx_wrap_token_desc);

383
	gsstsize = k5tsize;

384
    }

385


386
    /*

387
     *

388
     */

389


390
    if (trailer == NULL) {

391
	rrc = gsstsize;

392
	if (IS_DCE_STYLE(ctx))

393
	    rrc -= ec;

394
	gsshsize += gsstsize;

395
	gsstsize = 0;

396
    } else if (GSS_IOV_BUFFER_FLAGS(trailer->type) & GSS_IOV_BUFFER_FLAG_ALLOCATE) {

397
	major_status = _gk_allocate_buffer(minor_status, trailer, gsstsize);

398
	if (major_status)

399
	    goto failure;

400
    } else if (trailer->buffer.length < gsstsize) {

401
	*minor_status = KRB5_BAD_MSIZE;

402
	major_status = GSS_S_FAILURE;

403
	goto failure;

404
    } else

405
	trailer->buffer.length = gsstsize;

406


407
    /*

408
     *

409
     */

410


411
    if (GSS_IOV_BUFFER_FLAGS(header->type) & GSS_IOV_BUFFER_FLAG_ALLOCATE) {

412
	major_status = _gk_allocate_buffer(minor_status, header, gsshsize);

413
	if (major_status != GSS_S_COMPLETE)

414
	    goto failure;

415
    } else if (header->buffer.length < gsshsize) {

416
	*minor_status = KRB5_BAD_MSIZE;

417
	major_status = GSS_S_FAILURE;

418
	goto failure;

419
    } else

420
	header->buffer.length = gsshsize;

421


422
    token = (gss_cfx_wrap_token)header->buffer.value;

423


424
    token->TOK_ID[0] = 0x05;

425
    token->TOK_ID[1] = 0x04;

426
    token->Flags     = 0;

427
    token->Filler    = 0xFF;

428


429
    if ((ctx->more_flags & LOCAL) == 0)

430
	token->Flags |= CFXSentByAcceptor;

431


432
    if (ctx->more_flags & ACCEPTOR_SUBKEY)

433
	token->Flags |= CFXAcceptorSubkey;

434


435
    if (ctx->more_flags & LOCAL)

436
	usage = KRB5_KU_USAGE_INITIATOR_SEAL;

437
    else

438
	usage = KRB5_KU_USAGE_ACCEPTOR_SEAL;

439


440
    if (conf_req_flag) {

441
	/*

442
	 * In Wrap tokens with confidentiality, the EC field is

443
	 * used to encode the size (in bytes) of the random filler.

444
	 */

445
	token->Flags |= CFXSealed;

446
	token->EC[0] = (ec >> 8) & 0xFF;

447
	token->EC[1] = (ec >> 0) & 0xFF;

448


449
    } else {

450
	/*

451
	 * In Wrap tokens without confidentiality, the EC field is

452
	 * used to encode the size (in bytes) of the trailing

453
	 * checksum.

454
	 *

455
	 * This is not used in the checksum calcuation itself,

456
	 * because the checksum length could potentially vary

457
	 * depending on the data length.

458
	 */

459
	token->EC[0] = 0;

460
	token->EC[1] = 0;

461
    }

462


463
    /*

464
     * In Wrap tokens that provide for confidentiality, the RRC

465
     * field in the header contains the hex value 00 00 before

466
     * encryption.

467
     *

468
     * In Wrap tokens that do not provide for confidentiality,

469
     * both the EC and RRC fields in the appended checksum

470
     * contain the hex value 00 00 for the purpose of calculating

471
     * the checksum.

472
     */

473
    token->RRC[0] = 0;

474
    token->RRC[1] = 0;

475


476
    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);

477
    krb5_auth_con_getlocalseqnumber(context,

478
				    ctx->auth_context,

479
				    &seq_number);

480
    _gsskrb5_encode_be_om_uint32(0,          &token->SND_SEQ[0]);

481
    _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);

482
    krb5_auth_con_setlocalseqnumber(context,

483
				    ctx->auth_context,

484
				    ++seq_number);

485
    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);

486


487
    data = calloc(iov_count + 3, sizeof(data[0]));

488
    if (data == NULL) {

489
	*minor_status = ENOMEM;

490
	major_status = GSS_S_FAILURE;

491
	goto failure;

492
    }

493


494
    if (conf_req_flag) {

495
	/*

496
	  plain packet:

497


498
	  {"header" | encrypt(plaintext-data | ec-padding | E"header")}

499


500
	  Expanded, this is with with RRC = 0:

501


502
	  {"header" | krb5-header | plaintext-data | ec-padding | E"header" | krb5-trailer }

503


504
	  In DCE-RPC mode == no trailer: RRC = gss "trailer" == length(ec-padding | E"header" | krb5-trailer)

505


506
	  {"header" | ec-padding | E"header" | krb5-trailer | krb5-header | plaintext-data  }

507
	 */

508


509
	i = 0;

510
	data[i].flags = KRB5_CRYPTO_TYPE_HEADER;

511
	data[i].data.data = ((uint8_t *)header->buffer.value) + header->buffer.length - k5hsize;

512
	data[i].data.length = k5hsize;

513


514
	for (i = 1; i < iov_count + 1; i++) {

515
	    switch (GSS_IOV_BUFFER_TYPE(iov[i - 1].type)) {

516
	    case GSS_IOV_BUFFER_TYPE_DATA:

517
		data[i].flags = KRB5_CRYPTO_TYPE_DATA;

518
		break;

519
	    case GSS_IOV_BUFFER_TYPE_SIGN_ONLY:

520
		data[i].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;

521
		break;

522
	    default:

523
		data[i].flags = KRB5_CRYPTO_TYPE_EMPTY;

524
		break;

525
	    }

526
	    data[i].data.length = iov[i - 1].buffer.length;

527
	    data[i].data.data = iov[i - 1].buffer.value;

528
	}

529


530
	/*

531
	 * Any necessary padding is added here to ensure that the

532
	 * encrypted token header is always at the end of the

533
	 * ciphertext.

534
	 */

535


536
	/* encrypted CFX header in trailer (or after the header if in

537
	   DCE mode). Copy in header into E"header"

538
	*/

539
	data[i].flags = KRB5_CRYPTO_TYPE_DATA;

540
	if (trailer)

541
	    data[i].data.data = trailer->buffer.value;

542
	else

543
	    data[i].data.data = ((uint8_t *)header->buffer.value) + sizeof(*token);

544


545
	data[i].data.length = ec + sizeof(*token);

546
	memset(data[i].data.data, 0xFF, ec);

547
	memcpy(((uint8_t *)data[i].data.data) + ec, token, sizeof(*token));

548
	i++;

549


550
	/* Kerberos trailer comes after the gss trailer */

551
	data[i].flags = KRB5_CRYPTO_TYPE_TRAILER;

552
	data[i].data.data = ((uint8_t *)data[i-1].data.data) + ec + sizeof(*token);

553
	data[i].data.length = k5tsize;

554
	i++;

555


556
	ret = krb5_encrypt_iov_ivec(context, ctx->crypto, usage, data, i, NULL);

557
	if (ret != 0) {

558
	    *minor_status = ret;

559
	    major_status = GSS_S_FAILURE;

560
	    goto failure;

561
	}

562


563
	if (rrc) {

564
	    token->RRC[0] = (rrc >> 8) & 0xFF;

565
	    token->RRC[1] = (rrc >> 0) & 0xFF;

566
	}

567


568
    } else {

569
	/*

570
	  plain packet:

571


572
	  {data | "header" | gss-trailer (krb5 checksum)

573


574
	  don't do RRC != 0

575


576
	 */

577


578
	for (i = 0; i < iov_count; i++) {

579
	    switch (GSS_IOV_BUFFER_TYPE(iov[i].type)) {

580
	    case GSS_IOV_BUFFER_TYPE_DATA:

581
		data[i].flags = KRB5_CRYPTO_TYPE_DATA;

582
		break;

583
	    case GSS_IOV_BUFFER_TYPE_SIGN_ONLY:

584
		data[i].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;

585
		break;

586
	    default:

587
		data[i].flags = KRB5_CRYPTO_TYPE_EMPTY;

588
		break;

589
	    }

590
	    data[i].data.length = iov[i].buffer.length;

591
	    data[i].data.data = iov[i].buffer.value;

592
	}

593


594
	data[i].flags = KRB5_CRYPTO_TYPE_DATA;

595
	data[i].data.data = header->buffer.value;

596
	data[i].data.length = sizeof(gss_cfx_wrap_token_desc);

597
	i++;

598


599
	data[i].flags = KRB5_CRYPTO_TYPE_CHECKSUM;

600
	if (trailer) {

601
		data[i].data.data = trailer->buffer.value;

602
	} else {

603
		data[i].data.data = (uint8_t *)header->buffer.value +

604
				     sizeof(gss_cfx_wrap_token_desc);

605
	}

606
	data[i].data.length = k5tsize;

607
	i++;

608


609
	ret = krb5_create_checksum_iov(context, ctx->crypto, usage, data, i, NULL);

610
	if (ret) {

611
	    *minor_status = ret;

612
	    major_status = GSS_S_FAILURE;

613
	    goto failure;

614
	}

615


616
	if (rrc) {

617
	    token->RRC[0] = (rrc >> 8) & 0xFF;

618
	    token->RRC[1] = (rrc >> 0) & 0xFF;

619
	}

620


621
	token->EC[0] =  (k5tsize >> 8) & 0xFF;

622
	token->EC[1] =  (k5tsize >> 0) & 0xFF;

623
    }

624


625
    if (conf_state != NULL)

626
	*conf_state = conf_req_flag;

627


628
    free(data);

629


630
    *minor_status = 0;

631
    return GSS_S_COMPLETE;

632


633
 failure:

634
    if (data)

635
	free(data);

636


637
    gss_release_iov_buffer(&junk, iov, iov_count);

638


639
    return major_status;

640
}

641
#endif

642


643
/* This is slowpath */

644
static OM_uint32

645
unrotate_iov(OM_uint32 *minor_status, size_t rrc, gss_iov_buffer_desc *iov, int iov_count)

646
{

647
    uint8_t *p, *q;

648
    size_t len = 0, skip;

649
    int i;

650


651
    for (i = 0; i < iov_count; i++)

652
	if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_DATA ||

653
	    GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_PADDING ||

654
	    GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_TRAILER)

655
	    len += iov[i].buffer.length;

656


657
    p = malloc(len);

658
    if (p == NULL) {

659
	*minor_status = ENOMEM;

660
	return GSS_S_FAILURE;

661
    }

662
    q = p;

663


664
    /* copy up */

665


666
    for (i = 0; i < iov_count; i++) {

667
	if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_DATA ||

668
	    GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_PADDING ||

669
	    GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_TRAILER)

670
	{

671
	    memcpy(q, iov[i].buffer.value, iov[i].buffer.length);

672
	    q += iov[i].buffer.length;

673
	}

674
    }

675
    assert((size_t)(q - p) == len);

676


677
    /* unrotate first part */

678
    q = p + rrc;

679
    skip = rrc;

680
    for (i = 0; i < iov_count; i++) {

681
	if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_DATA ||

682
	    GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_PADDING ||

683
	    GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_TRAILER)

684
	{

685
	    if (iov[i].buffer.length <= skip) {

686
		skip -= iov[i].buffer.length;

687
	    } else {

688
		memcpy(((uint8_t *)iov[i].buffer.value) + skip, q, iov[i].buffer.length - skip);

689
		q += iov[i].buffer.length - skip;

690
		skip = 0;

691
	    }

692
	}

693
    }

694
    /* copy trailer */

695
    q = p;

696
    skip = rrc;

697
    for (i = 0; i < iov_count; i++) {

698
	if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_DATA ||

699
	    GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_PADDING ||

700
	    GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_TRAILER)

701
	{

702
	    memcpy(q, iov[i].buffer.value, min(iov[i].buffer.length, skip));

703
	    if (iov[i].buffer.length > skip)

704
		break;

705
	    skip -= iov[i].buffer.length;

706
	    q += iov[i].buffer.length;

707
	}

708
    }

709
    return GSS_S_COMPLETE;

710
}

711


712
#if 0

713


714
OM_uint32

715
_gssapi_unwrap_cfx_iov(OM_uint32 *minor_status,

716
		       gsskrb5_ctx ctx,

717
		       krb5_context context,

718
		       int *conf_state,

719
		       gss_qop_t *qop_state,

720
		       gss_iov_buffer_desc *iov,

721
		       int iov_count)

722
{

723
    OM_uint32 seq_number_lo, seq_number_hi, major_status, junk;

724
    gss_iov_buffer_desc *header, *trailer, *padding;

725
    gss_cfx_wrap_token token, ttoken;

726
    u_char token_flags;

727
    krb5_error_code ret;

728
    unsigned usage;

729
    uint16_t ec, rrc;

730
    krb5_crypto_iov *data = NULL;

731
    int i, j;

732


733
    *minor_status = 0;

734


735
    header = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);

736
    if (header == NULL) {

737
	*minor_status = EINVAL;

738
	return GSS_S_FAILURE;

739
    }

740


741
    if (header->buffer.length < sizeof(*token)) /* we check exact below */

742
	return GSS_S_DEFECTIVE_TOKEN;

743


744
    padding = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING);

745
    if (padding != NULL && padding->buffer.length != 0) {

746
	*minor_status = EINVAL;

747
	return GSS_S_FAILURE;

748
    }

749


750
    trailer = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);

751


752
    major_status = _gk_verify_buffers(minor_status, ctx, header, padding, trailer);

753
    if (major_status != GSS_S_COMPLETE) {

754
	    return major_status;

755
    }

756


757
    token = (gss_cfx_wrap_token)header->buffer.value;

758


759
    if (token->TOK_ID[0] != 0x05 || token->TOK_ID[1] != 0x04)

760
	return GSS_S_DEFECTIVE_TOKEN;

761


762
    /* Ignore unknown flags */

763
    token_flags = token->Flags &

764
	(CFXSentByAcceptor | CFXSealed | CFXAcceptorSubkey);

765


766
    if (token_flags & CFXSentByAcceptor) {

767
	if ((ctx->more_flags & LOCAL) == 0)

768
	    return GSS_S_DEFECTIVE_TOKEN;

769
    }

770


771
    if (ctx->more_flags & ACCEPTOR_SUBKEY) {

772
	if ((token_flags & CFXAcceptorSubkey) == 0)

773
	    return GSS_S_DEFECTIVE_TOKEN;

774
    } else {

775
	if (token_flags & CFXAcceptorSubkey)

776
	    return GSS_S_DEFECTIVE_TOKEN;

777
    }

778


779
    if (token->Filler != 0xFF)

780
	return GSS_S_DEFECTIVE_TOKEN;

781


782
    if (conf_state != NULL)

783
	*conf_state = (token_flags & CFXSealed) ? 1 : 0;

784


785
    ec  = (token->EC[0]  << 8) | token->EC[1];

786
    rrc = (token->RRC[0] << 8) | token->RRC[1];

787


788
    /*

789
     * Check sequence number

790
     */

791
    _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi);

792
    _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo);

793
    if (seq_number_hi) {

794
	/* no support for 64-bit sequence numbers */

795
	*minor_status = ERANGE;

796
	return GSS_S_UNSEQ_TOKEN;

797
    }

798


799
    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);

800
    ret = _gssapi_msg_order_check(ctx->order, seq_number_lo);

801
    if (ret != 0) {

802
	*minor_status = 0;

803
	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);

804
	return ret;

805
    }

806
    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);

807


808
    /*

809
     * Decrypt and/or verify checksum

810
     */

811


812
    if (ctx->more_flags & LOCAL) {

813
	usage = KRB5_KU_USAGE_ACCEPTOR_SEAL;

814
    } else {

815
	usage = KRB5_KU_USAGE_INITIATOR_SEAL;

816
    }

817


818
    data = calloc(iov_count + 3, sizeof(data[0]));

819
    if (data == NULL) {

820
	*minor_status = ENOMEM;

821
	major_status = GSS_S_FAILURE;

822
	goto failure;

823
    }

824


825
    if (token_flags & CFXSealed) {

826
	size_t k5tsize, k5hsize;

827


828
	krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_HEADER, &k5hsize);

829
	krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_TRAILER, &k5tsize);

830


831
	/* Rotate by RRC; bogus to do this in-place XXX */

832
	/* Check RRC */

833


834
	if (trailer == NULL) {

835
	    size_t gsstsize = k5tsize + sizeof(*token);

836
	    size_t gsshsize = k5hsize + sizeof(*token);

837


838
	    if (rrc != gsstsize) {

839
		major_status = GSS_S_DEFECTIVE_TOKEN;

840
		goto failure;

841
	    }

842


843
	    if (IS_DCE_STYLE(ctx))

844
		gsstsize += ec;

845


846
	    gsshsize += gsstsize;

847


848
	    if (header->buffer.length != gsshsize) {

849
		major_status = GSS_S_DEFECTIVE_TOKEN;

850
		goto failure;

851
	    }

852
	} else if (trailer->buffer.length != sizeof(*token) + k5tsize) {

853
	    major_status = GSS_S_DEFECTIVE_TOKEN;

854
	    goto failure;

855
	} else if (header->buffer.length != sizeof(*token) + k5hsize) {

856
	    major_status = GSS_S_DEFECTIVE_TOKEN;

857
	    goto failure;

858
	} else if (rrc != 0) {

859
	    /* go though slowpath */

860
	    major_status = unrotate_iov(minor_status, rrc, iov, iov_count);

861
	    if (major_status)

862
		goto failure;

863
	}

864


865
	i = 0;

866
	data[i].flags = KRB5_CRYPTO_TYPE_HEADER;

867
	data[i].data.data = ((uint8_t *)header->buffer.value) + header->buffer.length - k5hsize;

868
	data[i].data.length = k5hsize;

869
	i++;

870


871
	for (j = 0; j < iov_count; i++, j++) {

872
	    switch (GSS_IOV_BUFFER_TYPE(iov[j].type)) {

873
	    case GSS_IOV_BUFFER_TYPE_DATA:

874
		data[i].flags = KRB5_CRYPTO_TYPE_DATA;

875
		break;

876
	    case GSS_IOV_BUFFER_TYPE_SIGN_ONLY:

877
		data[i].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;

878
		break;

879
	    default:

880
		data[i].flags = KRB5_CRYPTO_TYPE_EMPTY;

881
		break;

882
	    }

883
	    data[i].data.length = iov[j].buffer.length;

884
	    data[i].data.data = iov[j].buffer.value;

885
	}

886


887
	/* encrypted CFX header in trailer (or after the header if in

888
	   DCE mode). Copy in header into E"header"

889
	*/

890
	data[i].flags = KRB5_CRYPTO_TYPE_DATA;

891
	if (trailer) {

892
	    data[i].data.data = trailer->buffer.value;

893
	} else {

894
	    data[i].data.data = ((uint8_t *)header->buffer.value) +

895
		header->buffer.length - k5hsize - k5tsize - ec- sizeof(*token);

896
	}

897


898
	data[i].data.length = ec + sizeof(*token);

899
	ttoken = (gss_cfx_wrap_token)(((uint8_t *)data[i].data.data) + ec);

900
	i++;

901


902
	/* Kerberos trailer comes after the gss trailer */

903
	data[i].flags = KRB5_CRYPTO_TYPE_TRAILER;

904
	data[i].data.data = ((uint8_t *)data[i-1].data.data) + ec + sizeof(*token);

905
	data[i].data.length = k5tsize;

906
	i++;

907


908
	ret = krb5_decrypt_iov_ivec(context, ctx->crypto, usage, data, i, NULL);

909
	if (ret != 0) {

910
	    *minor_status = ret;

911
	    major_status = GSS_S_FAILURE;

912
	    goto failure;

913
	}

914


915
	ttoken->RRC[0] = token->RRC[0];

916
	ttoken->RRC[1] = token->RRC[1];

917


918
	/* Check the integrity of the header */

919
	if (ct_memcmp(ttoken, token, sizeof(*token)) != 0) {

920
	    major_status = GSS_S_BAD_MIC;

921
	    goto failure;

922
	}

923
    } else {

924
	size_t gsstsize = ec;

925
	size_t gsshsize = sizeof(*token);

926


927
	if (trailer == NULL) {

928
	    /* Check RRC */

929
	    if (rrc != gsstsize) {

930
	       *minor_status = EINVAL;

931
	       major_status = GSS_S_FAILURE;

932
	       goto failure;

933
	    }

934


935
	    gsshsize += gsstsize;

936
	    gsstsize = 0;

937
	} else if (trailer->buffer.length != gsstsize) {

938
	    major_status = GSS_S_DEFECTIVE_TOKEN;

939
	    goto failure;

940
	} else if (rrc != 0) {

941
	    /* Check RRC */

942
	    *minor_status = EINVAL;

943
	    major_status = GSS_S_FAILURE;

944
	    goto failure;

945
	}

946


947
	if (header->buffer.length != gsshsize) {

948
	    major_status = GSS_S_DEFECTIVE_TOKEN;

949
	    goto failure;

950
	}

951


952
	for (i = 0; i < iov_count; i++) {

953
	    switch (GSS_IOV_BUFFER_TYPE(iov[i].type)) {

954
	    case GSS_IOV_BUFFER_TYPE_DATA:

955
		data[i].flags = KRB5_CRYPTO_TYPE_DATA;

956
		break;

957
	    case GSS_IOV_BUFFER_TYPE_SIGN_ONLY:

958
		data[i].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;

959
		break;

960
	    default:

961
		data[i].flags = KRB5_CRYPTO_TYPE_EMPTY;

962
		break;

963
	    }

964
	    data[i].data.length = iov[i].buffer.length;

965
	    data[i].data.data = iov[i].buffer.value;

966
	}

967


968
	data[i].flags = KRB5_CRYPTO_TYPE_DATA;

969
	data[i].data.data = header->buffer.value;

970
	data[i].data.length = sizeof(*token);

971
	i++;

972


973
	data[i].flags = KRB5_CRYPTO_TYPE_CHECKSUM;

974
	if (trailer) {

975
		data[i].data.data = trailer->buffer.value;

976
	} else {

977
		data[i].data.data = (uint8_t *)header->buffer.value +

978
				     sizeof(*token);

979
	}

980
	data[i].data.length = ec;

981
	i++;

982


983
	token = (gss_cfx_wrap_token)header->buffer.value;

984
	token->EC[0]  = 0;

985
	token->EC[1]  = 0;

986
	token->RRC[0] = 0;

987
	token->RRC[1] = 0;

988


989
	ret = krb5_verify_checksum_iov(context, ctx->crypto, usage, data, i, NULL);

990
	if (ret) {

991
	    *minor_status = ret;

992
	    major_status = GSS_S_FAILURE;

993
	    goto failure;

994
	}

995
    }

996


997
    if (qop_state != NULL) {

998
	*qop_state = GSS_C_QOP_DEFAULT;

999
    }

1000


1001
    free(data);

1002


1003
    *minor_status = 0;

1004
    return GSS_S_COMPLETE;

1005


1006
 failure:

1007
    if (data)

1008
	free(data);

1009


1010
    gss_release_iov_buffer(&junk, iov, iov_count);

1011


1012
    return major_status;

1013
}

1014
#endif

1015


1016
OM_uint32

1017
_gssapi_wrap_iov_length_cfx(OM_uint32 *minor_status,

1018
			    gsskrb5_ctx ctx,

1019
			    krb5_context context,

1020
			    int conf_req_flag,

1021
			    gss_qop_t qop_req,

1022
			    int *conf_state,

1023
			    gss_iov_buffer_desc *iov,

1024
			    int iov_count)

1025
{

1026
    OM_uint32 major_status;

1027
    size_t size;

1028
    int i;

1029
    gss_iov_buffer_desc *header = NULL;

1030
    gss_iov_buffer_desc *padding = NULL;

1031
    gss_iov_buffer_desc *trailer = NULL;

1032
    size_t gsshsize = 0;

1033
    size_t gsstsize = 0;

1034
    size_t k5hsize = 0;

1035
    size_t k5tsize = 0;

1036


1037
    GSSAPI_KRB5_INIT (&context);

1038
    *minor_status = 0;

1039


1040
    for (size = 0, i = 0; i < iov_count; i++) {

1041
	switch(GSS_IOV_BUFFER_TYPE(iov[i].type)) {

1042
	case GSS_IOV_BUFFER_TYPE_EMPTY:

1043
	    break;

1044
	case GSS_IOV_BUFFER_TYPE_DATA:

1045
	    size += iov[i].buffer.length;

1046
	    break;

1047
	case GSS_IOV_BUFFER_TYPE_HEADER:

1048
	    if (header != NULL) {

1049
		*minor_status = 0;

1050
		return GSS_S_FAILURE;

1051
	    }

1052
	    header = &iov[i];

1053
	    break;

1054
	case GSS_IOV_BUFFER_TYPE_TRAILER:

1055
	    if (trailer != NULL) {

1056
		*minor_status = 0;

1057
		return GSS_S_FAILURE;

1058
	    }

1059
	    trailer = &iov[i];

1060
	    break;

1061
	case GSS_IOV_BUFFER_TYPE_PADDING:

1062
	    if (padding != NULL) {

1063
		*minor_status = 0;

1064
		return GSS_S_FAILURE;

1065
	    }

1066
	    padding = &iov[i];

1067
	    break;

1068
	case GSS_IOV_BUFFER_TYPE_SIGN_ONLY:

1069
	    break;

1070
	default:

1071
	    *minor_status = EINVAL;

1072
	    return GSS_S_FAILURE;

1073
	}

1074
    }

1075


1076
    major_status = _gk_verify_buffers(minor_status, ctx, header, padding, trailer);

1077
    if (major_status != GSS_S_COMPLETE) {

1078
	    return major_status;

1079
    }

1080


1081
    if (conf_req_flag) {

1082
	size_t k5psize = 0;

1083
	size_t k5pbase = 0;

1084
	size_t k5bsize = 0;

1085
	size_t ec = 0;

1086


1087
	size += sizeof(gss_cfx_wrap_token_desc);

1088


1089
	*minor_status = krb5_crypto_length(context, ctx->crypto,

1090
					   KRB5_CRYPTO_TYPE_HEADER,

1091
					   &k5hsize);

1092
	if (*minor_status)

1093
	    return GSS_S_FAILURE;

1094


1095
	*minor_status = krb5_crypto_length(context, ctx->crypto,

1096
					   KRB5_CRYPTO_TYPE_TRAILER,

1097
					   &k5tsize);

1098
	if (*minor_status)

1099
	    return GSS_S_FAILURE;

1100


1101
	*minor_status = krb5_crypto_length(context, ctx->crypto,

1102
					   KRB5_CRYPTO_TYPE_PADDING,

1103
					   &k5pbase);

1104
	if (*minor_status)

1105
	    return GSS_S_FAILURE;

1106


1107
	if (k5pbase > 1) {

1108
	    k5psize = k5pbase - (size % k5pbase);

1109
	} else {

1110
	    k5psize = 0;

1111
	}

1112


1113
	if (k5psize == 0 && IS_DCE_STYLE(ctx)) {

1114
	    *minor_status = krb5_crypto_getblocksize(context, ctx->crypto,

1115
						     &k5bsize);

1116
	    if (*minor_status)

1117
		return GSS_S_FAILURE;

1118


1119
	    ec = k5bsize;

1120
	} else {

1121
	    ec = k5psize;

1122
	}

1123


1124
	gsshsize = sizeof(gss_cfx_wrap_token_desc) + k5hsize;

1125
	gsstsize = sizeof(gss_cfx_wrap_token_desc) + ec + k5tsize;

1126
    } else {

1127
	*minor_status = krb5_crypto_length(context, ctx->crypto,

1128
					   KRB5_CRYPTO_TYPE_CHECKSUM,

1129
					   &k5tsize);

1130
	if (*minor_status)

1131
	    return GSS_S_FAILURE;

1132


1133
	gsshsize = sizeof(gss_cfx_wrap_token_desc);

1134
	gsstsize = k5tsize;

1135
    }

1136


1137
    if (trailer != NULL) {

1138
	trailer->buffer.length = gsstsize;

1139
    } else {

1140
	gsshsize += gsstsize;

1141
    }

1142


1143
    header->buffer.length = gsshsize;

1144


1145
    if (padding) {

1146
	/* padding is done via EC and is contained in the header or trailer */

1147
	padding->buffer.length = 0;

1148
    }

1149


1150
    if (conf_state) {

1151
	*conf_state = conf_req_flag;

1152
    }

1153


1154
    return GSS_S_COMPLETE;

1155
}

1156


1157


1158


1159


1160
OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,

1161
			   const gsskrb5_ctx ctx,

1162
			   krb5_context context,

1163
			   int conf_req_flag,

1164
			   const gss_buffer_t input_message_buffer,

1165
			   int *conf_state,

1166
			   gss_buffer_t output_message_buffer)

1167
{

1168
    gss_cfx_wrap_token token;

1169
    krb5_error_code ret;

1170
    unsigned usage;

1171
    krb5_data cipher;

1172
    size_t wrapped_len, cksumsize;

1173
    uint16_t padlength, rrc = 0;

1174
    int32_t seq_number;

1175
    u_char *p;

1176


1177
    ret = _gsskrb5cfx_wrap_length_cfx(context,

1178
				      ctx->crypto, conf_req_flag,

1179
				      IS_DCE_STYLE(ctx),

1180
				      input_message_buffer->length,

1181
				      &wrapped_len, &cksumsize, &padlength);

1182
    if (ret != 0) {

1183
	*minor_status = ret;

1184
	return GSS_S_FAILURE;

1185
    }

1186


1187
    /* Always rotate encrypted token (if any) and checksum to header */

1188
    rrc = (conf_req_flag ? sizeof(*token) : 0) + (uint16_t)cksumsize;

1189


1190
    output_message_buffer->length = wrapped_len;

1191
    output_message_buffer->value = malloc(output_message_buffer->length);

1192
    if (output_message_buffer->value == NULL) {

1193
	*minor_status = ENOMEM;

1194
	return GSS_S_FAILURE;

1195
    }

1196


1197
    p = output_message_buffer->value;

1198
    token = (gss_cfx_wrap_token)p;

1199
    token->TOK_ID[0] = 0x05;

1200
    token->TOK_ID[1] = 0x04;

1201
    token->Flags     = 0;

1202
    token->Filler    = 0xFF;

1203
    if ((ctx->more_flags & LOCAL) == 0)

1204
	token->Flags |= CFXSentByAcceptor;

1205
    if (ctx->more_flags & ACCEPTOR_SUBKEY)

1206
	token->Flags |= CFXAcceptorSubkey;

1207
    if (conf_req_flag) {

1208
	/*

1209
	 * In Wrap tokens with confidentiality, the EC field is

1210
	 * used to encode the size (in bytes) of the random filler.

1211
	 */

1212
	token->Flags |= CFXSealed;

1213
	token->EC[0] = (padlength >> 8) & 0xFF;

1214
	token->EC[1] = (padlength >> 0) & 0xFF;

1215
    } else {

1216
	/*

1217
	 * In Wrap tokens without confidentiality, the EC field is

1218
	 * used to encode the size (in bytes) of the trailing

1219
	 * checksum.

1220
	 *

1221
	 * This is not used in the checksum calcuation itself,

1222
	 * because the checksum length could potentially vary

1223
	 * depending on the data length.

1224
	 */

1225
	token->EC[0] = 0;

1226
	token->EC[1] = 0;

1227
    }

1228


1229
    /*

1230
     * In Wrap tokens that provide for confidentiality, the RRC

1231
     * field in the header contains the hex value 00 00 before

1232
     * encryption.

1233
     *

1234
     * In Wrap tokens that do not provide for confidentiality,

1235
     * both the EC and RRC fields in the appended checksum

1236
     * contain the hex value 00 00 for the purpose of calculating

1237
     * the checksum.

1238
     */

1239
    token->RRC[0] = 0;

1240
    token->RRC[1] = 0;

1241


1242
    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);

1243
    krb5_auth_con_getlocalseqnumber(context,

1244
				    ctx->auth_context,

1245
				    &seq_number);

1246
    _gsskrb5_encode_be_om_uint32(0,          &token->SND_SEQ[0]);

1247
    _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);

1248
    krb5_auth_con_setlocalseqnumber(context,

1249
				    ctx->auth_context,

1250
				    ++seq_number);

1251
    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);

1252


1253
    /*

1254
     * If confidentiality is requested, the token header is

1255
     * appended to the plaintext before encryption; the resulting

1256
     * token is {"header" | encrypt(plaintext | pad | "header")}.

1257
     *

1258
     * If no confidentiality is requested, the checksum is

1259
     * calculated over the plaintext concatenated with the

1260
     * token header.

1261
     */

1262
    if (ctx->more_flags & LOCAL) {

1263
	usage = KRB5_KU_USAGE_INITIATOR_SEAL;

1264
    } else {

1265
	usage = KRB5_KU_USAGE_ACCEPTOR_SEAL;

1266
    }

1267


1268
    if (conf_req_flag) {

1269
	/*

1270
	 * Any necessary padding is added here to ensure that the

1271
	 * encrypted token header is always at the end of the

1272
	 * ciphertext.

1273
	 *

1274
	 * The specification does not require that the padding

1275
	 * bytes are initialized.

1276
	 */

1277
	p += sizeof(*token);

1278
	memcpy(p, input_message_buffer->value, input_message_buffer->length);

1279
	memset(p + input_message_buffer->length, 0xFF, padlength);

1280
	memcpy(p + input_message_buffer->length + padlength,

1281
	       token, sizeof(*token));

1282


1283
	ret = krb5_encrypt(context, ctx->crypto,

1284
			   usage, p,

1285
			   input_message_buffer->length + padlength +

1286
				sizeof(*token),

1287
			   &cipher);

1288
	if (ret != 0) {

1289
	    *minor_status = ret;

1290
	    _gsskrb5_release_buffer(minor_status, output_message_buffer);

1291
	    return GSS_S_FAILURE;

1292
	}

1293
	assert(sizeof(*token) + cipher.length == wrapped_len);

1294
	token->RRC[0] = (rrc >> 8) & 0xFF;

1295
	token->RRC[1] = (rrc >> 0) & 0xFF;

1296


1297
	/*

1298
	 * this is really ugly, but needed against windows

1299
	 * for DCERPC, as windows rotates by EC+RRC.

1300
	 */

1301
	if (IS_DCE_STYLE(ctx)) {

1302
		ret = rrc_rotate(cipher.data, cipher.length, rrc+padlength, FALSE);

1303
	} else {

1304
		ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE);

1305
	}

1306
	if (ret != 0) {

1307
	    *minor_status = ret;

1308
	    _gsskrb5_release_buffer(minor_status, output_message_buffer);

1309
	    return GSS_S_FAILURE;

1310
	}

1311
	memcpy(p, cipher.data, cipher.length);

1312
	krb5_data_free(&cipher);

1313
    } else {

1314
	char *buf;

1315
	Checksum cksum;

1316


1317
	buf = malloc(input_message_buffer->length + sizeof(*token));

1318
	if (buf == NULL) {

1319
	    *minor_status = ENOMEM;

1320
	    _gsskrb5_release_buffer(minor_status, output_message_buffer);

1321
	    return GSS_S_FAILURE;

1322
	}

1323
	memcpy(buf, input_message_buffer->value, input_message_buffer->length);

1324
	memcpy(buf + input_message_buffer->length, token, sizeof(*token));

1325


1326
	ret = krb5_create_checksum(context, ctx->crypto,

1327
				   usage, 0, buf,

1328
				   input_message_buffer->length +

1329
					sizeof(*token),

1330
				   &cksum);

1331
	if (ret != 0) {

1332
	    *minor_status = ret;

1333
	    _gsskrb5_release_buffer(minor_status, output_message_buffer);

1334
	    free(buf);

1335
	    return GSS_S_FAILURE;

1336
	}

1337


1338
	free(buf);

1339


1340
	assert(cksum.checksum.length == cksumsize);

1341
	token->EC[0] =  (cksum.checksum.length >> 8) & 0xFF;

1342
	token->EC[1] =  (cksum.checksum.length >> 0) & 0xFF;

1343
	token->RRC[0] = (rrc >> 8) & 0xFF;

1344
	token->RRC[1] = (rrc >> 0) & 0xFF;

1345


1346
	p += sizeof(*token);

1347
	memcpy(p, input_message_buffer->value, input_message_buffer->length);

1348
	memcpy(p + input_message_buffer->length,

1349
	       cksum.checksum.data, cksum.checksum.length);

1350


1351
	ret = rrc_rotate(p,

1352
	    input_message_buffer->length + cksum.checksum.length, rrc, FALSE);

1353
	if (ret != 0) {

1354
	    *minor_status = ret;

1355
	    _gsskrb5_release_buffer(minor_status, output_message_buffer);

1356
	    free_Checksum(&cksum);

1357
	    return GSS_S_FAILURE;

1358
	}

1359
	free_Checksum(&cksum);

1360
    }

1361


1362
    if (conf_state != NULL) {

1363
	*conf_state = conf_req_flag;

1364
    }

1365


1366
    *minor_status = 0;

1367
    return GSS_S_COMPLETE;

1368
}

1369


1370
OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,

1371
			     const gsskrb5_ctx ctx,

1372
			     krb5_context context,

1373
			     const gss_buffer_t input_message_buffer,

1374
			     gss_buffer_t output_message_buffer,

1375
			     int *conf_state,

1376
			     gss_qop_t *qop_state)

1377
{

1378
    gss_cfx_wrap_token token;

1379
    u_char token_flags;

1380
    krb5_error_code ret;

1381
    unsigned usage;

1382
    krb5_data data;

1383
    uint16_t ec, rrc;

1384
    OM_uint32 seq_number_lo, seq_number_hi;

1385
    size_t len;

1386
    u_char *p;

1387


1388
    *minor_status = 0;

1389


1390
    if (input_message_buffer->length < sizeof(*token)) {

1391
	return GSS_S_DEFECTIVE_TOKEN;

1392
    }

1393


1394
    p = input_message_buffer->value;

1395


1396
    token = (gss_cfx_wrap_token)p;

1397


1398
    if (token->TOK_ID[0] != 0x05 || token->TOK_ID[1] != 0x04) {

1399
	return GSS_S_DEFECTIVE_TOKEN;

1400
    }

1401


1402
    /* Ignore unknown flags */

1403
    token_flags = token->Flags &

1404
	(CFXSentByAcceptor | CFXSealed | CFXAcceptorSubkey);

1405


1406
    if (token_flags & CFXSentByAcceptor) {

1407
	if ((ctx->more_flags & LOCAL) == 0)

1408
	    return GSS_S_DEFECTIVE_TOKEN;

1409
    }

1410


1411
    if (ctx->more_flags & ACCEPTOR_SUBKEY) {

1412
	if ((token_flags & CFXAcceptorSubkey) == 0)

1413
	    return GSS_S_DEFECTIVE_TOKEN;

1414
    } else {

1415
	if (token_flags & CFXAcceptorSubkey)

1416
	    return GSS_S_DEFECTIVE_TOKEN;

1417
    }

1418


1419
    if (token->Filler != 0xFF) {

1420
	return GSS_S_DEFECTIVE_TOKEN;

1421
    }

1422


1423
    if (conf_state != NULL) {

1424
	*conf_state = (token_flags & CFXSealed) ? 1 : 0;

1425
    }

1426


1427
    ec  = (token->EC[0]  << 8) | token->EC[1];

1428
    rrc = (token->RRC[0] << 8) | token->RRC[1];

1429


1430
    /*

1431
     * Check sequence number

1432
     */

1433
    _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi);

1434
    _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo);

1435
    if (seq_number_hi) {

1436
	/* no support for 64-bit sequence numbers */

1437
	*minor_status = ERANGE;

1438
	return GSS_S_UNSEQ_TOKEN;

1439
    }

1440


1441
    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);

1442
    ret = _gssapi_msg_order_check(ctx->order, seq_number_lo);

1443
    if (ret != 0) {

1444
	*minor_status = 0;

1445
	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);

1446
	_gsskrb5_release_buffer(minor_status, output_message_buffer);

1447
	return ret;

1448
    }

1449
    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);

1450


1451
    /*

1452
     * Decrypt and/or verify checksum

1453
     */

1454


1455
    if (ctx->more_flags & LOCAL) {

1456
	usage = KRB5_KU_USAGE_ACCEPTOR_SEAL;

1457
    } else {

1458
	usage = KRB5_KU_USAGE_INITIATOR_SEAL;

1459
    }

1460


1461
    p += sizeof(*token);

1462
    len = input_message_buffer->length;

1463
    len -= (p - (u_char *)input_message_buffer->value);

1464


1465
    if (token_flags & CFXSealed) {

1466
	/*

1467
	 * this is really ugly, but needed against windows

1468
	 * for DCERPC, as windows rotates by EC+RRC.

1469
	 */

1470
	if (IS_DCE_STYLE(ctx)) {

1471
		*minor_status = rrc_rotate(p, len, rrc+ec, TRUE);

1472
	} else {

1473
		*minor_status = rrc_rotate(p, len, rrc, TRUE);

1474
	}

1475
	if (*minor_status != 0) {

1476
	    return GSS_S_FAILURE;

1477
	}

1478


1479
	ret = krb5_decrypt(context, ctx->crypto, usage,

1480
	    p, len, &data);

1481
	if (ret != 0) {

1482
	    *minor_status = ret;

1483
	    return GSS_S_BAD_MIC;

1484
	}

1485


1486
	/* Check that there is room for the pad and token header */

1487
	if (data.length < ec + sizeof(*token)) {

1488
	    krb5_data_free(&data);

1489
	    return GSS_S_DEFECTIVE_TOKEN;

1490
	}

1491
	p = data.data;

1492
	p += data.length - sizeof(*token);

1493


1494
	/* RRC is unprotected; don't modify input buffer */

1495
	((gss_cfx_wrap_token)p)->RRC[0] = token->RRC[0];

1496
	((gss_cfx_wrap_token)p)->RRC[1] = token->RRC[1];

1497


1498
	/* Check the integrity of the header */

1499
	if (ct_memcmp(p, token, sizeof(*token)) != 0) {

1500
	    krb5_data_free(&data);

1501
	    return GSS_S_BAD_MIC;

1502
	}

1503


1504
	output_message_buffer->value = data.data;

1505
	output_message_buffer->length = data.length - ec - sizeof(*token);

1506
    } else {

1507
	Checksum cksum;

1508


1509
	/* Rotate by RRC; bogus to do this in-place XXX */

1510
	*minor_status = rrc_rotate(p, len, rrc, TRUE);

1511
	if (*minor_status != 0) {

1512
	    return GSS_S_FAILURE;

1513
	}

1514


1515
	/* Determine checksum type */

1516
	ret = krb5_crypto_get_checksum_type(context,

1517
					    ctx->crypto,

1518
					    &cksum.cksumtype);

1519
	if (ret != 0) {

1520
	    *minor_status = ret;

1521
	    return GSS_S_FAILURE;

1522
	}

1523


1524
	cksum.checksum.length = ec;

1525


1526
	/* Check we have at least as much data as the checksum */

1527
	if (len < cksum.checksum.length) {

1528
	    *minor_status = ERANGE;

1529
	    return GSS_S_BAD_MIC;

1530
	}

1531


1532
	/* Length now is of the plaintext only, no checksum */

1533
	len -= cksum.checksum.length;

1534
	cksum.checksum.data = p + len;

1535


1536
	output_message_buffer->length = len; /* for later */

1537
	output_message_buffer->value = malloc(len + sizeof(*token));

1538
	if (output_message_buffer->value == NULL) {

1539
	    *minor_status = ENOMEM;

1540
	    return GSS_S_FAILURE;

1541
	}

1542


1543
	/* Checksum is over (plaintext-data | "header") */

1544
	memcpy(output_message_buffer->value, p, len);

1545
	memcpy((u_char *)output_message_buffer->value + len,

1546
	       token, sizeof(*token));

1547


1548
	/* EC is not included in checksum calculation */

1549
	token = (gss_cfx_wrap_token)((u_char *)output_message_buffer->value +

1550
				     len);

1551
	token->EC[0]  = 0;

1552
	token->EC[1]  = 0;

1553
	token->RRC[0] = 0;

1554
	token->RRC[1] = 0;

1555


1556
	ret = krb5_verify_checksum(context, ctx->crypto,

1557
				   usage,

1558
				   output_message_buffer->value,

1559
				   len + sizeof(*token),

1560
				   &cksum);

1561
	if (ret != 0) {

1562
	    *minor_status = ret;

1563
	    _gsskrb5_release_buffer(minor_status, output_message_buffer);

1564
	    return GSS_S_BAD_MIC;

1565
	}

1566
    }

1567


1568
    if (qop_state != NULL) {

1569
	*qop_state = GSS_C_QOP_DEFAULT;

1570
    }

1571


1572
    *minor_status = 0;

1573
    return GSS_S_COMPLETE;

1574
}

1575


1576
OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,

1577
			  const gsskrb5_ctx ctx,

1578
			  krb5_context context,

1579
			  gss_qop_t qop_req,

1580
			  const gss_buffer_t message_buffer,

1581
			  gss_buffer_t message_token)

1582
{

1583
    gss_cfx_mic_token token;

1584
    krb5_error_code ret;

1585
    unsigned usage;

1586
    Checksum cksum;

1587
    u_char *buf;

1588
    size_t len;

1589
    int32_t seq_number;

1590


1591
    len = message_buffer->length + sizeof(*token);

1592
    buf = malloc(len);

1593
    if (buf == NULL) {

1594
	*minor_status = ENOMEM;

1595
	return GSS_S_FAILURE;

1596
    }

1597


1598
    memcpy(buf, message_buffer->value, message_buffer->length);

1599


1600
    token = (gss_cfx_mic_token)(buf + message_buffer->length);

1601
    token->TOK_ID[0] = 0x04;

1602
    token->TOK_ID[1] = 0x04;

1603
    token->Flags = 0;

1604
    if ((ctx->more_flags & LOCAL) == 0)

1605
	token->Flags |= CFXSentByAcceptor;

1606
    if (ctx->more_flags & ACCEPTOR_SUBKEY)

1607
	token->Flags |= CFXAcceptorSubkey;

1608
    memset(token->Filler, 0xFF, 5);

1609


1610
    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);

1611
    krb5_auth_con_getlocalseqnumber(context,

1612
				    ctx->auth_context,

1613
				    &seq_number);

1614
    _gsskrb5_encode_be_om_uint32(0,          &token->SND_SEQ[0]);

1615
    _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);

1616
    krb5_auth_con_setlocalseqnumber(context,

1617
				    ctx->auth_context,

1618
				    ++seq_number);

1619
    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);

1620


1621
    if (ctx->more_flags & LOCAL) {

1622
	usage = KRB5_KU_USAGE_INITIATOR_SIGN;

1623
    } else {

1624
	usage = KRB5_KU_USAGE_ACCEPTOR_SIGN;

1625
    }

1626


1627
    ret = krb5_create_checksum(context, ctx->crypto,

1628
	usage, 0, buf, len, &cksum);

1629
    if (ret != 0) {

1630
	*minor_status = ret;

1631
	free(buf);

1632
	return GSS_S_FAILURE;

1633
    }

1634


1635
    /* Determine MIC length */

1636
    message_token->length = sizeof(*token) + cksum.checksum.length;

1637
    message_token->value = malloc(message_token->length);

1638
    if (message_token->value == NULL) {

1639
	*minor_status = ENOMEM;

1640
	free_Checksum(&cksum);

1641
	free(buf);

1642
	return GSS_S_FAILURE;

1643
    }

1644


1645
    /* Token is { "header" | get_mic("header" | plaintext-data) } */

1646
    memcpy(message_token->value, token, sizeof(*token));

1647
    memcpy((u_char *)message_token->value + sizeof(*token),

1648
	   cksum.checksum.data, cksum.checksum.length);

1649


1650
    free_Checksum(&cksum);

1651
    free(buf);

1652


1653
    *minor_status = 0;

1654
    return GSS_S_COMPLETE;

1655
}

1656


1657
OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,

1658
				 const gsskrb5_ctx ctx,

1659
				 krb5_context context,

1660
				 const gss_buffer_t message_buffer,

1661
				 const gss_buffer_t token_buffer,

1662
				 gss_qop_t *qop_state)

1663
{

1664
    gss_cfx_mic_token token;

1665
    u_char token_flags;

1666
    krb5_error_code ret;

1667
    unsigned usage;

1668
    OM_uint32 seq_number_lo, seq_number_hi;

1669
    u_char *buf, *p;

1670
    Checksum cksum;

1671


1672
    *minor_status = 0;

1673


1674
    if (token_buffer->length < sizeof(*token)) {

1675
	return GSS_S_DEFECTIVE_TOKEN;

1676
    }

1677


1678
    p = token_buffer->value;

1679


1680
    token = (gss_cfx_mic_token)p;

1681


1682
    if (token->TOK_ID[0] != 0x04 || token->TOK_ID[1] != 0x04) {

1683
	return GSS_S_DEFECTIVE_TOKEN;

1684
    }

1685


1686
    /* Ignore unknown flags */

1687
    token_flags = token->Flags & (CFXSentByAcceptor | CFXAcceptorSubkey);

1688


1689
    if (token_flags & CFXSentByAcceptor) {

1690
	if ((ctx->more_flags & LOCAL) == 0)

1691
	    return GSS_S_DEFECTIVE_TOKEN;

1692
    }

1693
    if (ctx->more_flags & ACCEPTOR_SUBKEY) {

1694
	if ((token_flags & CFXAcceptorSubkey) == 0)

1695
	    return GSS_S_DEFECTIVE_TOKEN;

1696
    } else {

1697
	if (token_flags & CFXAcceptorSubkey)

1698
	    return GSS_S_DEFECTIVE_TOKEN;

1699
    }

1700


1701
    if (ct_memcmp(token->Filler, "\xff\xff\xff\xff\xff", 5) != 0) {

1702
	return GSS_S_DEFECTIVE_TOKEN;

1703
    }

1704


1705
    /*

1706
     * Check sequence number

1707
     */

1708
    _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi);

1709
    _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo);

1710
    if (seq_number_hi) {

1711
	*minor_status = ERANGE;

1712
	return GSS_S_UNSEQ_TOKEN;

1713
    }

1714


1715
    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);

1716
    ret = _gssapi_msg_order_check(ctx->order, seq_number_lo);

1717
    if (ret != 0) {

1718
	*minor_status = 0;

1719
	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);

1720
	return ret;

1721
    }

1722
    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);

1723


1724
    /*

1725
     * Verify checksum

1726
     */

1727
    ret = krb5_crypto_get_checksum_type(context, ctx->crypto,

1728
					&cksum.cksumtype);

1729
    if (ret != 0) {

1730
	*minor_status = ret;

1731
	return GSS_S_FAILURE;

1732
    }

1733


1734
    cksum.checksum.data = p + sizeof(*token);

1735
    cksum.checksum.length = token_buffer->length - sizeof(*token);

1736


1737
    if (ctx->more_flags & LOCAL) {

1738
	usage = KRB5_KU_USAGE_ACCEPTOR_SIGN;

1739
    } else {

1740
	usage = KRB5_KU_USAGE_INITIATOR_SIGN;

1741
    }

1742


1743
    buf = malloc(message_buffer->length + sizeof(*token));

1744
    if (buf == NULL) {

1745
	*minor_status = ENOMEM;

1746
	return GSS_S_FAILURE;

1747
    }

1748
    memcpy(buf, message_buffer->value, message_buffer->length);

1749
    memcpy(buf + message_buffer->length, token, sizeof(*token));

1750


1751
    ret = krb5_verify_checksum(context, ctx->crypto,

1752
			       usage,

1753
			       buf,

1754
			       sizeof(*token) + message_buffer->length,

1755
			       &cksum);

1756
    if (ret != 0) {

1757
	*minor_status = ret;

1758
	free(buf);

1759
	return GSS_S_BAD_MIC;

1760
    }

1761


1762
    free(buf);

1763


1764
    if (qop_state != NULL) {

1765
	*qop_state = GSS_C_QOP_DEFAULT;

1766
    }

1767


1768
    return GSS_S_COMPLETE;

1769
}

1770


1771