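Lines matching references to `kc` (cross-reference listing: each entry begins with its line number in the original source file, and lines that do not mention `kc` are omitted, so function bodies shown here are incomplete)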

224 is_initiator(struct krb5_context *kc)
226 return (kc->kc_more_flags & LOCAL);
233 is_acceptor(struct krb5_context *kc)
235 return !(kc->kc_more_flags & LOCAL);
239 get_initiator_subkey(struct krb5_context *kc, struct krb5_keyblock **kdp)
242 if (is_initiator(kc))
243 copy_key(&kc->kc_local_subkey, kdp);
245 copy_key(&kc->kc_remote_subkey, kdp);
247 copy_key(&kc->kc_keyblock, kdp);
251 get_acceptor_subkey(struct krb5_context *kc, struct krb5_keyblock **kdp)
254 if (is_initiator(kc))
255 copy_key(&kc->kc_remote_subkey, kdp);
257 copy_key(&kc->kc_local_subkey, kdp);
261 get_keys(struct krb5_context *kc)
269 get_acceptor_subkey(kc, &keydata);
271 if ((kc->kc_more_flags & ACCEPTOR_SUBKEY) == 0)
272 get_initiator_subkey(kc, &keydata);
303 kc->kc_tokenkey = key;
324 kc->kc_encryptkey = ekey;
326 kc->kc_checksumkey = key;
337 kc->kc_checksumkey = krb5_get_checksum_key(key, KG_USAGE_SIGN);
339 kc->kc_encryptkey = key;
347 if (is_initiator(kc)) {
351 kc->kc_send_seal_Ke = krb5_get_encryption_key(key,
353 kc->kc_send_seal_Ki = krb5_get_integrity_key(key,
355 kc->kc_send_seal_Kc = krb5_get_checksum_key(key,
357 kc->kc_send_sign_Kc = krb5_get_checksum_key(key,
360 kc->kc_recv_seal_Ke = krb5_get_encryption_key(key,
362 kc->kc_recv_seal_Ki = krb5_get_integrity_key(key,
364 kc->kc_recv_seal_Kc = krb5_get_checksum_key(key,
366 kc->kc_recv_sign_Kc = krb5_get_checksum_key(key,
372 kc->kc_send_seal_Ke = krb5_get_encryption_key(key,
374 kc->kc_send_seal_Ki = krb5_get_integrity_key(key,
376 kc->kc_send_seal_Kc = krb5_get_checksum_key(key,
378 kc->kc_send_sign_Kc = krb5_get_checksum_key(key,
381 kc->kc_recv_seal_Ke = krb5_get_encryption_key(key,
383 kc->kc_recv_seal_Ki = krb5_get_integrity_key(key,
385 kc->kc_recv_seal_Kc = krb5_get_checksum_key(key,
387 kc->kc_recv_sign_Kc = krb5_get_checksum_key(key,
399 struct krb5_context *kc = (struct krb5_context *)ctx;
401 mtx_init(&kc->kc_lock, "krb5 gss lock", NULL, MTX_DEF);
409 struct krb5_context *kc = (struct krb5_context *)ctx;
440 kc->kc_ac_flags = get_uint32(&p, &len);
442 get_address(&p, &len, &kc->kc_local_address);
444 get_address(&p, &len, &kc->kc_remote_address);
445 kc->kc_local_port = get_uint16(&p, &len);
446 kc->kc_remote_port = get_uint16(&p, &len);
448 get_keyblock(&p, &len, &kc->kc_keyblock);
450 get_keyblock(&p, &len, &kc->kc_local_subkey);
452 get_keyblock(&p, &len, &kc->kc_remote_subkey);
453 kc->kc_local_seqnumber = get_uint32(&p, &len);
454 kc->kc_remote_seqnumber = get_uint32(&p, &len);
455 kc->kc_keytype = get_uint32(&p, &len);
456 kc->kc_cksumtype = get_uint32(&p, &len);
457 get_data(&p, &len, &kc->kc_source_name);
458 get_data(&p, &len, &kc->kc_target_name);
459 kc->kc_ctx_flags = get_uint32(&p, &len);
460 kc->kc_more_flags = get_uint32(&p, &len);
461 kc->kc_lifetime = get_uint32(&p, &len);
466 kc->kc_msg_order.km_flags = get_uint32(&p, &len);
467 kc->kc_msg_order.km_start = get_uint32(&p, &len);
468 kc->kc_msg_order.km_length = get_uint32(&p, &len);
469 kc->kc_msg_order.km_jitter_window = get_uint32(&p, &len);
470 kc->kc_msg_order.km_first_seq = get_uint32(&p, &len);
471 kc->kc_msg_order.km_elem =
472 malloc(kc->kc_msg_order.km_jitter_window * sizeof(uint32_t),
474 for (i = 0; i < kc->kc_msg_order.km_jitter_window; i++)
475 kc->kc_msg_order.km_elem[i] = get_uint32(&p, &len);
477 kc->kc_msg_order.km_flags = 0;
480 res = get_keys(kc);
487 delete_keyblock(&kc->kc_keyblock);
488 delete_keyblock(&kc->kc_local_subkey);
489 delete_keyblock(&kc->kc_remote_subkey);
497 struct krb5_context *kc = (struct krb5_context *)ctx;
499 delete_address(&kc->kc_local_address);
500 delete_address(&kc->kc_remote_address);
501 delete_keyblock(&kc->kc_keyblock);
502 delete_keyblock(&kc->kc_local_subkey);
503 delete_keyblock(&kc->kc_remote_subkey);
504 delete_data(&kc->kc_source_name);
505 delete_data(&kc->kc_target_name);
506 if (kc->kc_msg_order.km_elem)
507 free(kc->kc_msg_order.km_elem, M_GSSAPI);
512 if (kc->kc_tokenkey) {
513 krb5_free_key(kc->kc_tokenkey);
514 if (kc->kc_encryptkey) {
515 krb5_free_key(kc->kc_encryptkey);
516 krb5_free_key(kc->kc_checksumkey);
518 krb5_free_key(kc->kc_send_seal_Ke);
519 krb5_free_key(kc->kc_send_seal_Ki);
520 krb5_free_key(kc->kc_send_seal_Kc);
521 krb5_free_key(kc->kc_send_sign_Kc);
522 krb5_free_key(kc->kc_recv_seal_Ke);
523 krb5_free_key(kc->kc_recv_seal_Ki);
524 krb5_free_key(kc->kc_recv_seal_Kc);
525 krb5_free_key(kc->kc_recv_sign_Kc);
528 mtx_destroy(&kc->kc_lock);
772 krb5_sequence_check(struct krb5_context *kc, uint32_t seq)
775 struct krb5_msg_order *mo = &kc->kc_msg_order;
780 mtx_lock(&kc->kc_lock);
833 mtx_unlock(&kc->kc_lock);
858 krb5_get_mic_old(struct krb5_context *kc, struct mbuf *m,
869 tlen = token_length(kc->kc_tokenkey);
886 cklen = kc->kc_checksumkey->ks_class->ec_checksumlen;
894 krb5_checksum(kc->kc_checksumkey, 15, mic, mic->m_len - 8,
910 seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
922 if (is_initiator(kc)) {
938 krb5_encrypt(kc->kc_tokenkey, mic, mic->m_len - cklen - 8, 8, buf, 8);
945 krb5_get_mic_new(struct krb5_context *kc, struct mbuf *m,
948 struct krb5_key_state *key = kc->kc_send_sign_Kc;
970 if (is_acceptor(kc))
972 if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
988 seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
1012 struct krb5_context *kc = (struct krb5_context *)ctx;
1019 if (time_uptime > kc->kc_lifetime)
1022 switch (kc->kc_tokenkey->ks_class->ec_type) {
1024 return (krb5_get_mic_old(kc, m, micp, sgn_alg_des_md5));
1027 return (krb5_get_mic_old(kc, m, micp, sgn_alg_des3_sha1));
1031 return (krb5_get_mic_old(kc, m, micp, sgn_alg_hmac_md5));
1034 return (krb5_get_mic_new(kc, m, micp));
1041 krb5_verify_mic_old(struct krb5_context *kc, struct mbuf *m, struct mbuf *mic,
1052 tlen = token_length(kc->kc_tokenkey);
1082 cklen = kc->kc_checksumkey->ks_class->ec_checksumlen;
1090 krb5_checksum(kc->kc_checksumkey, 15, mic, mic->m_len - 8,
1110 krb5_decrypt(kc->kc_tokenkey, tm, 0, 8, p + 8, 8);
1119 if (is_initiator(kc)) {
1130 if (kc->kc_msg_order.km_flags &
1132 return (krb5_sequence_check(kc, seq));
1139 krb5_verify_mic_new(struct krb5_context *kc, struct mbuf *m, struct mbuf *mic)
1142 struct krb5_key_state *key = kc->kc_recv_sign_Kc;
1165 if (is_initiator(kc))
1167 if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
1185 if (kc->kc_msg_order.km_flags &
1193 res = krb5_sequence_check(kc, seq);
1222 struct krb5_context *kc = (struct krb5_context *)ctx;
1228 if (time_uptime > kc->kc_lifetime)
1231 switch (kc->kc_tokenkey->ks_class->ec_type) {
1233 return (krb5_verify_mic_old(kc, m, mic, sgn_alg_des_md5));
1237 return (krb5_verify_mic_old(kc, m, mic, sgn_alg_hmac_md5));
1240 return (krb5_verify_mic_old(kc, m, mic, sgn_alg_des3_sha1));
1243 return (krb5_verify_mic_new(kc, m, mic));
1250 krb5_wrap_old(struct krb5_context *kc, int conf_req_flag,
1266 tlen = kc->kc_tokenkey->ks_class->ec_msgblocklen;
1276 tlen = token_length(kc->kc_tokenkey);
1325 cklen = kc->kc_checksumkey->ks_class->ec_checksumlen;
1331 krb5_checksum(kc->kc_checksumkey, 13, tm, tm->m_len - 8,
1347 seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
1359 if (is_initiator(kc)) {
1368 krb5_encrypt(kc->kc_tokenkey, tm, p - (uint8_t *) tm->m_data,
1382 krb5_encrypt(kc->kc_encryptkey, m, 0, datalen,
1385 krb5_encrypt(kc->kc_encryptkey, m, 0, datalen,
1398 krb5_wrap_new(struct krb5_context *kc, int conf_req_flag,
1401 struct krb5_key_state *Ke = kc->kc_send_seal_Ke;
1402 struct krb5_key_state *Ki = kc->kc_send_seal_Ki;
1403 struct krb5_key_state *Kc = kc->kc_send_seal_Kc;
1480 if (is_acceptor(kc))
1482 if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
1500 seq = atomic_fetchadd_32(&kc->kc_local_seqnumber, 1);
1549 struct krb5_context *kc = (struct krb5_context *)ctx;
1558 if (time_uptime > kc->kc_lifetime)
1561 switch (kc->kc_tokenkey->ks_class->ec_type) {
1563 return (krb5_wrap_old(kc, conf_req_flag,
1568 return (krb5_wrap_old(kc, conf_req_flag,
1572 return (krb5_wrap_old(kc, conf_req_flag,
1576 return (krb5_wrap_new(kc, conf_req_flag, mp, conf_state));
1601 krb5_unwrap_old(struct krb5_context *kc, struct mbuf **mp, int *conf_state,
1616 tlen = token_length(kc->kc_tokenkey);
1617 cklen = kc->kc_tokenkey->ks_class->ec_checksumlen;
1661 krb5_decrypt(kc->kc_tokenkey, m, 8, 8, p + 8, 8);
1668 if (is_initiator(kc)) {
1676 if (kc->kc_msg_order.km_flags &
1678 res = krb5_sequence_check(kc, seq);
1695 krb5_decrypt(kc->kc_encryptkey, m, 16 + cklen,
1698 krb5_decrypt(kc->kc_encryptkey, m, 16 + cklen,
1749 krb5_checksum(kc->kc_checksumkey, 13, hm, 0, datalen + 8, cklen);
1776 krb5_unwrap_new(struct krb5_context *kc, struct mbuf **mp, int *conf_state)
1779 struct krb5_key_state *Ke = kc->kc_recv_seal_Ke;
1780 struct krb5_key_state *Ki = kc->kc_recv_seal_Ki;
1781 struct krb5_key_state *Kc = kc->kc_recv_seal_Kc;
1809 if (is_initiator(kc))
1811 if (kc->kc_more_flags & ACCEPTOR_SUBKEY)
1825 if (kc->kc_msg_order.km_flags &
1833 res = krb5_sequence_check(kc, seq);
1977 struct krb5_context *kc = (struct krb5_context *)ctx;
1986 if (time_uptime > kc->kc_lifetime)
1989 switch (kc->kc_tokenkey->ks_class->ec_type) {
1991 maj_stat = krb5_unwrap_old(kc, mp, conf_state,
1997 maj_stat = krb5_unwrap_old(kc, mp, conf_state,
2002 maj_stat = krb5_unwrap_old(kc, mp, conf_state,
2007 maj_stat = krb5_unwrap_new(kc, mp, conf_state);
2024 struct krb5_context *kc = (struct krb5_context *)ctx;
2034 ec = kc->kc_tokenkey->ks_class;