size_t KRB5_CALLCONV
krb5_checksum_size(krb5_context context, krb5_cksumtype ctype)
{
size_t ret;
if (krb5_c_checksum_length(context, ctype, &ret))
return(-1); /* XXX */
return(ret);
}
krb5_error_code KRB5_CALLCONV
krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *key,
krb5_keyusage usage, const krb5_data *data,
const krb5_checksum *cksum, krb5_boolean *valid)
{
int i;
size_t hashsize;
krb5_error_code ret;
krb5_data indata;
krb5_checksum computed;
for (i=0; i<krb5_cksumtypes_length; i++) {
if (krb5_cksumtypes_list[i].ctype == cksum->checksum_type)
break;
}
if (i == krb5_cksumtypes_length)
return(KRB5_BAD_ENCTYPE);
/* if there's actually a verify function, call it */
indata.length = cksum->length;
indata.data = (char *) cksum->contents;
*valid = 0;
if (krb5_cksumtypes_list[i].keyhash &&
krb5_cksumtypes_list[i].keyhash->verify)
return((*(krb5_cksumtypes_list[i].keyhash->verify))(
context, key, usage, 0, data, &indata, valid));
/* otherwise, make the checksum again, and compare */
if ((ret = krb5_c_checksum_length(context, cksum->checksum_type, &hashsize)))
return(ret);
if (cksum->length != hashsize)
return(KRB5_BAD_MSIZE);
computed.length = hashsize;
if ((ret = krb5_c_make_checksum(context, cksum->checksum_type, key, usage,
data, &computed))) {
FREE(computed.contents, computed.length);
return(ret);
}
*valid = (memcmp(computed.contents, cksum->contents, hashsize) == 0);
FREE(computed.contents, computed.length);
return(0);
}
static krb5_error_code
k5_insert_checksum(krb5_context context,
krb5_pac pac,
krb5_ui_4 type,
const krb5_keyblock *key,
krb5_cksumtype *cksumtype)
{
krb5_error_code ret;
size_t len;
krb5_data cksumdata;
ret = krb5int_c_mandatory_cksumtype(context, key->enctype, cksumtype);
if (ret != 0)
return ret;
ret = krb5_c_checksum_length(context, *cksumtype, &len);
if (ret != 0)
return ret;
ret = k5_pac_locate_buffer(context, pac, type, &cksumdata);
if (ret == 0) {
/*
* If we're resigning PAC, make sure we can fit checksum
* into existing buffer
*/
if (cksumdata.length != PAC_SIGNATURE_DATA_LENGTH + len)
return ERANGE;
memset(cksumdata.data, 0, cksumdata.length);
} else {
/* Add a zero filled buffer */
cksumdata.length = PAC_SIGNATURE_DATA_LENGTH + len;
cksumdata.data = NULL;
ret = k5_pac_add_buffer(context, pac,
type, &cksumdata,
TRUE, &cksumdata);
if (ret != 0)
return ret;
}
/* Encode checksum type into buffer */
store_32_le((krb5_ui_4)*cksumtype, cksumdata.data);
return 0;
}
krb5_error_code
gss_krb5int_make_seal_token_v3 (krb5_context context,
krb5_gss_ctx_id_rec *ctx,
const gss_buffer_desc * message,
gss_buffer_t token,
int conf_req_flag, int toktype)
{
size_t bufsize = 16;
unsigned char *outbuf = 0;
krb5_error_code err;
int key_usage;
unsigned char acceptor_flag;
const gss_buffer_desc *message2 = message;
#ifdef CFX_EXERCISE
size_t rrc;
#endif
size_t ec;
unsigned short tok_id;
krb5_checksum sum;
krb5_key key;
krb5_cksumtype cksumtype;
acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
key_usage = (toktype == KG_TOK_WRAP_MSG
? (ctx->initiate
? KG_USAGE_INITIATOR_SEAL
: KG_USAGE_ACCEPTOR_SEAL)
: (ctx->initiate
? KG_USAGE_INITIATOR_SIGN
: KG_USAGE_ACCEPTOR_SIGN));
if (ctx->have_acceptor_subkey) {
key = ctx->acceptor_subkey;
cksumtype = ctx->acceptor_subkey_cksumtype;
} else {
key = ctx->subkey;
cksumtype = ctx->cksumtype;
}
assert(key != NULL);
#ifdef CFX_EXERCISE
{
static int initialized = 0;
if (!initialized) {
srand(time(0));
initialized = 1;
}
}
#endif
if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
krb5_data plain;
krb5_enc_data cipher;
size_t ec_max;
/* 300: Adds some slop. */
if (SIZE_MAX - 300 < message->length)
return ENOMEM;
ec_max = SIZE_MAX - message->length - 300;
if (ec_max > 0xffff)
ec_max = 0xffff;
#ifdef CFX_EXERCISE
/* For testing only. For performance, always set ec = 0. */
ec = ec_max & rand();
#else
ec = 0;
#endif
plain.length = message->length + 16 + ec;
plain.data = malloc(message->length + 16 + ec);
if (plain.data == NULL)
return ENOMEM;
/* Get size of ciphertext. */
bufsize = 16 + krb5_encrypt_size (plain.length, key->keyblock.enctype);
/* Allocate space for header plus encrypted data. */
outbuf = gssalloc_malloc(bufsize);
if (outbuf == NULL) {
free(plain.data);
return ENOMEM;
}
/* TOK_ID */
store_16_be(KG2_TOK_WRAP_MSG, outbuf);
/* flags */
outbuf[2] = (acceptor_flag
| (conf_req_flag ? FLAG_WRAP_CONFIDENTIAL : 0)
| (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
/* filler */
outbuf[3] = 0xff;
/* EC */
store_16_be(ec, outbuf+4);
/* RRC */
store_16_be(0, outbuf+6);
store_64_be(ctx->seq_send, outbuf+8);
memcpy(plain.data, message->value, message->length);
if (ec != 0)
memset(plain.data + message->length, 'x', ec);
memcpy(plain.data + message->length + ec, outbuf, 16);
cipher.ciphertext.data = (char *)outbuf + 16;
cipher.ciphertext.length = bufsize - 16;
cipher.enctype = key->keyblock.enctype;
err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher);
zap(plain.data, plain.length);
free(plain.data);
plain.data = 0;
if (err)
goto error;
/* Now that we know we're returning a valid token.... */
ctx->seq_send++;
#ifdef CFX_EXERCISE
rrc = rand() & 0xffff;
if (gss_krb5int_rotate_left(outbuf+16, bufsize-16,
(bufsize-16) - (rrc % (bufsize - 16))))
store_16_be(rrc, outbuf+6);
/* If the rotate fails, don't worry about it. */
#endif
} else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) {
krb5_data plain;
size_t cksumsize;
/* Here, message is the application-supplied data; message2 is
what goes into the output token. They may be the same, or
message2 may be empty (for MIC). */
tok_id = KG2_TOK_WRAP_MSG;
wrap_with_checksum:
plain.length = message->length + 16;
plain.data = malloc(message->length + 16);
if (plain.data == NULL)
return ENOMEM;
err = krb5_c_checksum_length(context, cksumtype, &cksumsize);
if (err)
goto error;
assert(cksumsize <= 0xffff);
bufsize = 16 + message2->length + cksumsize;
outbuf = gssalloc_malloc(bufsize);
if (outbuf == NULL) {
free(plain.data);
plain.data = 0;
err = ENOMEM;
goto error;
}
/* TOK_ID */
store_16_be(tok_id, outbuf);
/* flags */
outbuf[2] = (acceptor_flag
| (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
/* filler */
outbuf[3] = 0xff;
if (toktype == KG_TOK_WRAP_MSG) {
/* Use 0 for checksum calculation, substitute
checksum length later. */
/* EC */
store_16_be(0, outbuf+4);
/* RRC */
store_16_be(0, outbuf+6);
} else {
/* MIC and DEL store 0xFF in EC and RRC. */
store_16_be(0xffff, outbuf+4);
store_16_be(0xffff, outbuf+6);
}
store_64_be(ctx->seq_send, outbuf+8);
memcpy(plain.data, message->value, message->length);
memcpy(plain.data + message->length, outbuf, 16);
/* Fill in the output token -- data contents, if any, and
space for the checksum. */
if (message2->length)
memcpy(outbuf + 16, message2->value, message2->length);
sum.contents = outbuf + 16 + message2->length;
sum.length = cksumsize;
err = krb5_k_make_checksum(context, cksumtype, key,
key_usage, &plain, &sum);
zap(plain.data, plain.length);
free(plain.data);
plain.data = 0;
if (err) {
zap(outbuf,bufsize);
goto error;
}
if (sum.length != cksumsize)
abort();
memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize);
krb5_free_checksum_contents(context, &sum);
sum.contents = 0;
/* Now that we know we're actually generating the token... */
ctx->seq_send++;
if (toktype == KG_TOK_WRAP_MSG) {
#ifdef CFX_EXERCISE
rrc = rand() & 0xffff;
/* If the rotate fails, don't worry about it. */
if (gss_krb5int_rotate_left(outbuf+16, bufsize-16,
(bufsize-16) - (rrc % (bufsize - 16))))
store_16_be(rrc, outbuf+6);
#endif
/* Fix up EC field. */
store_16_be(cksumsize, outbuf+4);
} else {
store_16_be(0xffff, outbuf+6);
}
} else if (toktype == KG_TOK_MIC_MSG) {
tok_id = KG2_TOK_MIC_MSG;
message2 = &empty_message;
goto wrap_with_checksum;
} else if (toktype == KG_TOK_DEL_CTX) {
tok_id = KG2_TOK_DEL_CTX;
message = message2 = &empty_message;
goto wrap_with_checksum;
} else
abort();
token->value = outbuf;
token->length = bufsize;
return 0;
error:
gssalloc_free(outbuf);
token->value = NULL;
token->length = 0;
return err;
}
OM_uint32
gss_krb5int_unseal_token_v3(krb5_context *contextptr,
OM_uint32 *minor_status,
krb5_gss_ctx_id_rec *ctx,
unsigned char *ptr, unsigned int bodysize,
gss_buffer_t message_buffer,
int *conf_state, gss_qop_t *qop_state, int toktype)
{
krb5_context context = *contextptr;
krb5_data plain;
gssint_uint64 seqnum;
size_t ec, rrc;
int key_usage;
unsigned char acceptor_flag;
krb5_checksum sum;
krb5_error_code err;
krb5_boolean valid;
krb5_key key;
krb5_cksumtype cksumtype;
if (qop_state)
*qop_state = GSS_C_QOP_DEFAULT;
acceptor_flag = ctx->initiate ? FLAG_SENDER_IS_ACCEPTOR : 0;
key_usage = (toktype == KG_TOK_WRAP_MSG
? (!ctx->initiate
? KG_USAGE_INITIATOR_SEAL
: KG_USAGE_ACCEPTOR_SEAL)
: (!ctx->initiate
? KG_USAGE_INITIATOR_SIGN
: KG_USAGE_ACCEPTOR_SIGN));
/* Oops. I wrote this code assuming ptr would be at the start of
the token header. */
ptr -= 2;
bodysize += 2;
if (bodysize < 16) {
defective:
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
if ((ptr[2] & FLAG_SENDER_IS_ACCEPTOR) != acceptor_flag) {
*minor_status = (OM_uint32)G_BAD_DIRECTION;
return GSS_S_BAD_SIG;
}
/* Two things to note here.
First, we can't really enforce the use of the acceptor's subkey,
if we're the acceptor; the initiator may have sent messages
before getting the subkey. We could probably enforce it if
we're the initiator.
Second, if someone tweaks the code to not set the flag telling
the krb5 library to generate a new subkey in the AP-REP
message, the MIT library may include a subkey anyways --
namely, a copy of the AP-REQ subkey, if it was provided. So
the initiator may think we wanted a subkey, and set the flag,
even though we weren't trying to set the subkey. The "other"
key, the one not asserted by the acceptor, will have the same
value in that case, though, so we can just ignore the flag. */
if (ctx->have_acceptor_subkey && (ptr[2] & FLAG_ACCEPTOR_SUBKEY)) {
key = ctx->acceptor_subkey;
cksumtype = ctx->acceptor_subkey_cksumtype;
} else {
key = ctx->subkey;
cksumtype = ctx->cksumtype;
}
assert(key != NULL);
if (toktype == KG_TOK_WRAP_MSG) {
if (load_16_be(ptr) != KG2_TOK_WRAP_MSG)
goto defective;
if (ptr[3] != 0xff)
goto defective;
ec = load_16_be(ptr+4);
rrc = load_16_be(ptr+6);
seqnum = load_64_be(ptr+8);
if (!gss_krb5int_rotate_left(ptr+16, bodysize-16, rrc)) {
no_mem:
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
if (ptr[2] & FLAG_WRAP_CONFIDENTIAL) {
/* confidentiality */
krb5_enc_data cipher;
unsigned char *althdr;
if (conf_state)
*conf_state = 1;
/* Do we have no decrypt_size function?
For all current cryptosystems, the ciphertext size will
be larger than the plaintext size. */
cipher.enctype = key->keyblock.enctype;
cipher.ciphertext.length = bodysize - 16;
cipher.ciphertext.data = (char *)ptr + 16;
plain.length = bodysize - 16;
plain.data = gssalloc_malloc(plain.length);
if (plain.data == NULL)
goto no_mem;
err = krb5_k_decrypt(context, key, key_usage, 0,
&cipher, &plain);
if (err) {
gssalloc_free(plain.data);
goto error;
}
/* Don't use bodysize here! Use the fact that
cipher.ciphertext.length has been adjusted to the
correct length. */
althdr = (unsigned char *)plain.data + plain.length - 16;
if (load_16_be(althdr) != KG2_TOK_WRAP_MSG
|| althdr[2] != ptr[2]
|| althdr[3] != ptr[3]
|| memcmp(althdr+8, ptr+8, 8)) {
free(plain.data);
goto defective;
}
message_buffer->value = plain.data;
message_buffer->length = plain.length - ec - 16;
if(message_buffer->length == 0) {
gssalloc_free(message_buffer->value);
message_buffer->value = NULL;
}
} else {
size_t cksumsize;
err = krb5_c_checksum_length(context, cksumtype, &cksumsize);
if (err)
goto error;
/* no confidentiality */
if (conf_state)
*conf_state = 0;
if (ec + 16 < ec)
/* overflow check */
goto defective;
if (ec + 16 > bodysize)
goto defective;
/* We have: header | msg | cksum.
We need cksum(msg | header).
Rotate the first two. */
store_16_be(0, ptr+4);
store_16_be(0, ptr+6);
plain.length = bodysize-ec;
plain.data = (char *)ptr;
if (!gss_krb5int_rotate_left(ptr, bodysize-ec, 16))
goto no_mem;
sum.length = ec;
if (sum.length != cksumsize) {
*minor_status = 0;
return GSS_S_BAD_SIG;
}
sum.contents = ptr+bodysize-ec;
sum.checksum_type = cksumtype;
err = krb5_k_verify_checksum(context, key, key_usage,
&plain, &sum, &valid);
if (err)
goto error;
if (!valid) {
*minor_status = 0;
return GSS_S_BAD_SIG;
}
message_buffer->length = plain.length - 16;
message_buffer->value = gssalloc_malloc(message_buffer->length);
if (message_buffer->value == NULL)
goto no_mem;
memcpy(message_buffer->value, plain.data, message_buffer->length);
}
err = g_order_check(&ctx->seqstate, seqnum);
*minor_status = 0;
return err;
} else if (toktype == KG_TOK_MIC_MSG) {
/* wrap token, no confidentiality */
if (load_16_be(ptr) != KG2_TOK_MIC_MSG)
goto defective;
verify_mic_1:
if (ptr[3] != 0xff)
goto defective;
if (load_32_be(ptr+4) != 0xffffffffL)
goto defective;
seqnum = load_64_be(ptr+8);
plain.length = message_buffer->length + 16;
plain.data = malloc(plain.length);
if (plain.data == NULL)
goto no_mem;
if (message_buffer->length)
memcpy(plain.data, message_buffer->value, message_buffer->length);
memcpy(plain.data + message_buffer->length, ptr, 16);
sum.length = bodysize - 16;
sum.contents = ptr + 16;
sum.checksum_type = cksumtype;
err = krb5_k_verify_checksum(context, key, key_usage,
&plain, &sum, &valid);
free(plain.data);
plain.data = NULL;
if (err) {
error:
*minor_status = err;
save_error_info(*minor_status, context);
return GSS_S_BAD_SIG; /* XXX */
}
if (!valid) {
*minor_status = 0;
return GSS_S_BAD_SIG;
}
err = g_order_check(&ctx->seqstate, seqnum);
*minor_status = 0;
return err;
} else if (toktype == KG_TOK_DEL_CTX) {
if (load_16_be(ptr) != KG2_TOK_DEL_CTX)
goto defective;
message_buffer = (gss_buffer_t)&empty_message;
goto verify_mic_1;
} else {
goto defective;
}
}
static krb5_error_code
make_seal_token_v1_iov(krb5_context context,
krb5_gss_ctx_id_rec *ctx,
int conf_req_flag,
int *conf_state,
gss_iov_buffer_desc *iov,
int iov_count,
int toktype)
{
krb5_error_code code = 0;
gss_iov_buffer_t header;
gss_iov_buffer_t padding;
gss_iov_buffer_t trailer;
krb5_checksum md5cksum;
krb5_checksum cksum;
size_t k5_headerlen = 0, k5_trailerlen = 0;
size_t data_length = 0, assoc_data_length = 0;
size_t tmsglen = 0, tlen;
unsigned char *ptr;
krb5_keyusage sign_usage = KG_USAGE_SIGN;
assert(toktype == KG_TOK_WRAP_MSG);
md5cksum.length = cksum.length = 0;
md5cksum.contents = cksum.contents = NULL;
header = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
if (header == NULL)
return EINVAL;
padding = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING);
if (padding == NULL && (ctx->gss_flags & GSS_C_DCE_STYLE) == 0)
return EINVAL;
trailer = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
if (trailer != NULL)
trailer->buffer.length = 0;
/* Determine confounder length */
if (toktype == KG_TOK_WRAP_MSG || conf_req_flag)
k5_headerlen = kg_confounder_size(context, ctx->enc);
/* Check padding length */
if (toktype == KG_TOK_WRAP_MSG) {
size_t k5_padlen = (ctx->sealalg == SEAL_ALG_MICROSOFT_RC4) ? 1 : 8;
size_t gss_padlen;
size_t conf_data_length;
kg_iov_msglen(iov, iov_count, &data_length, &assoc_data_length);
conf_data_length = k5_headerlen + data_length - assoc_data_length;
if (k5_padlen == 1)
gss_padlen = 1; /* one byte to indicate one byte of padding */
else
gss_padlen = k5_padlen - (conf_data_length % k5_padlen);
if (ctx->gss_flags & GSS_C_DCE_STYLE) {
/* DCE will pad the actual data itself; padding buffer optional and will be zeroed */
gss_padlen = 0;
if (conf_data_length % k5_padlen)
code = KRB5_BAD_MSIZE;
} else if (padding->type & GSS_IOV_BUFFER_FLAG_ALLOCATE) {
code = kg_allocate_iov(padding, gss_padlen);
} else if (padding->buffer.length < gss_padlen) {
code = KRB5_BAD_MSIZE;
}
if (code != 0)
goto cleanup;
/* Initialize padding buffer to pad itself */
if (padding != NULL) {
padding->buffer.length = gss_padlen;
memset(padding->buffer.value, (int)gss_padlen, gss_padlen);
}
if (ctx->gss_flags & GSS_C_DCE_STYLE)
tmsglen = k5_headerlen; /* confounder length */
else
tmsglen = conf_data_length + padding->buffer.length + assoc_data_length;
}
/* Determine token size */
tlen = g_token_size(ctx->mech_used, 14 + ctx->cksum_size + tmsglen);
k5_headerlen += tlen - tmsglen;
if (header->type & GSS_IOV_BUFFER_FLAG_ALLOCATE)
code = kg_allocate_iov(header, k5_headerlen);
else if (header->buffer.length < k5_headerlen)
code = KRB5_BAD_MSIZE;
if (code != 0)
goto cleanup;
header->buffer.length = k5_headerlen;
ptr = (unsigned char *)header->buffer.value;
g_make_token_header(ctx->mech_used, 14 + ctx->cksum_size + tmsglen, &ptr, toktype);
/* 0..1 SIGN_ALG */
store_16_le(ctx->signalg, &ptr[0]);
/* 2..3 SEAL_ALG or Filler */
if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
store_16_le(ctx->sealalg, &ptr[2]);
} else {
/* No seal */
ptr[2] = 0xFF;
ptr[3] = 0xFF;
}
/* 4..5 Filler */
ptr[4] = 0xFF;
ptr[5] = 0xFF;
/* pad the plaintext, encrypt if needed, and stick it in the token */
/* initialize the checksum */
switch (ctx->signalg) {
case SGN_ALG_DES_MAC_MD5:
case SGN_ALG_MD2_5:
md5cksum.checksum_type = CKSUMTYPE_RSA_MD5;
break;
case SGN_ALG_HMAC_SHA1_DES3_KD:
md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3;
break;
case SGN_ALG_HMAC_MD5:
md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR;
if (toktype != KG_TOK_WRAP_MSG)
sign_usage = 15;
break;
default:
case SGN_ALG_DES_MAC:
abort ();
}
code = krb5_c_checksum_length(context, md5cksum.checksum_type, &k5_trailerlen);
if (code != 0)
goto cleanup;
md5cksum.length = k5_trailerlen;
if (k5_headerlen != 0) {
code = kg_make_confounder(context, ctx->enc, ptr + 14 + ctx->cksum_size);
if (code != 0)
goto cleanup;
}
/* compute the checksum */
code = kg_make_checksum_iov_v1(context, md5cksum.checksum_type,
ctx->cksum_size, ctx->seq, ctx->enc,
sign_usage, iov, iov_count, toktype,
&md5cksum);
if (code != 0)
goto cleanup;
switch (ctx->signalg) {
case SGN_ALG_DES_MAC_MD5:
case SGN_ALG_3:
code = kg_encrypt(context, ctx->seq, KG_USAGE_SEAL,
(g_OID_equal(ctx->mech_used, gss_mech_krb5_old) ?
ctx->seq->contents : NULL),
md5cksum.contents, md5cksum.contents, 16);
if (code != 0)
goto cleanup;
cksum.length = ctx->cksum_size;
cksum.contents = md5cksum.contents + 16 - cksum.length;
memcpy(ptr + 14, cksum.contents, cksum.length);
break;
case SGN_ALG_HMAC_SHA1_DES3_KD:
assert(md5cksum.length == ctx->cksum_size);
memcpy(ptr + 14, md5cksum.contents, md5cksum.length);
break;
case SGN_ALG_HMAC_MD5:
memcpy(ptr + 14, md5cksum.contents, ctx->cksum_size);
break;
}
/* create the seq_num */
code = kg_make_seq_num(context, ctx->seq, ctx->initiate ? 0 : 0xFF,
(OM_uint32)ctx->seq_send, ptr + 14, ptr + 6);
if (code != 0)
goto cleanup;
if (conf_req_flag) {
if (ctx->sealalg == SEAL_ALG_MICROSOFT_RC4) {
unsigned char bigend_seqnum[4];
krb5_keyblock *enc_key;
size_t i;
store_32_be(ctx->seq_send, bigend_seqnum);
code = krb5_copy_keyblock(context, ctx->enc, &enc_key);
if (code != 0)
goto cleanup;
assert(enc_key->length == 16);
for (i = 0; i < enc_key->length; i++)
((char *)enc_key->contents)[i] ^= 0xF0;
code = kg_arcfour_docrypt_iov(context, enc_key, 0,
bigend_seqnum, 4,
iov, iov_count);
krb5_free_keyblock(context, enc_key);
} else {
code = kg_encrypt_iov(context, ctx->proto,
((ctx->gss_flags & GSS_C_DCE_STYLE) != 0),
0 /*EC*/, 0 /*RRC*/,
ctx->enc, KG_USAGE_SEAL, NULL,
iov, iov_count);
}
if (code != 0)
goto cleanup;
}
ctx->seq_send++;
ctx->seq_send &= 0xFFFFFFFFL;
code = 0;
if (conf_state != NULL)
*conf_state = conf_req_flag;
cleanup:
if (code != 0)
kg_release_iov(iov, iov_count);
krb5_free_checksum_contents(context, &md5cksum);
return code;
}
static OM_uint32
kg_unseal_v1_iov(krb5_context context,
OM_uint32 *minor_status,
krb5_gss_ctx_id_rec *ctx,
gss_iov_buffer_desc *iov,
int iov_count,
size_t token_wrapper_len,
int *conf_state,
gss_qop_t *qop_state,
int toktype)
{
OM_uint32 code;
gss_iov_buffer_t header;
gss_iov_buffer_t trailer;
unsigned char *ptr;
int sealalg;
int signalg;
krb5_checksum cksum;
krb5_checksum md5cksum;
size_t cksum_len = 0;
size_t conflen = 0;
int direction;
krb5_ui_4 seqnum;
OM_uint32 retval;
size_t sumlen;
krb5_keyusage sign_usage = KG_USAGE_SIGN;
md5cksum.length = cksum.length = 0;
md5cksum.contents = cksum.contents = NULL;
header = kg_locate_header_iov(iov, iov_count, toktype);
assert(header != NULL);
trailer = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
if (trailer != NULL && trailer->buffer.length != 0) {
*minor_status = (OM_uint32)KRB5_BAD_MSIZE;
return GSS_S_DEFECTIVE_TOKEN;
}
if (header->buffer.length < token_wrapper_len + 14) {
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
ptr = (unsigned char *)header->buffer.value + token_wrapper_len;
signalg = ptr[0];
signalg |= ptr[1] << 8;
sealalg = ptr[2];
sealalg |= ptr[3] << 8;
if (ptr[4] != 0xFF || ptr[5] != 0xFF) {
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
if (toktype != KG_TOK_WRAP_MSG && sealalg != 0xFFFF) {
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
if (toktype == KG_TOK_WRAP_MSG &&
!(sealalg == 0xFFFF || sealalg == ctx->sealalg)) {
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
if ((ctx->sealalg == SEAL_ALG_NONE && signalg > 1) ||
(ctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) ||
(ctx->sealalg == SEAL_ALG_DES3KD &&
signalg != SGN_ALG_HMAC_SHA1_DES3_KD)||
(ctx->sealalg == SEAL_ALG_MICROSOFT_RC4 &&
signalg != SGN_ALG_HMAC_MD5)) {
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
switch (signalg) {
case SGN_ALG_DES_MAC_MD5:
case SGN_ALG_MD2_5:
case SGN_ALG_HMAC_MD5:
cksum_len = 8;
if (toktype != KG_TOK_WRAP_MSG)
sign_usage = 15;
break;
case SGN_ALG_3:
cksum_len = 16;
break;
case SGN_ALG_HMAC_SHA1_DES3_KD:
cksum_len = 20;
break;
default:
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
/* get the token parameters */
code = kg_get_seq_num(context, ctx->seq, ptr + 14, ptr + 6, &direction,
&seqnum);
if (code != 0) {
*minor_status = code;
return GSS_S_BAD_SIG;
}
/* decode the message, if SEAL */
if (toktype == KG_TOK_WRAP_MSG) {
if (sealalg != 0xFFFF) {
if (ctx->sealalg == SEAL_ALG_MICROSOFT_RC4) {
unsigned char bigend_seqnum[4];
krb5_keyblock *enc_key;
size_t i;
store_32_be(seqnum, bigend_seqnum);
code = krb5_k_key_keyblock(context, ctx->enc, &enc_key);
if (code != 0) {
retval = GSS_S_FAILURE;
goto cleanup;
}
assert(enc_key->length == 16);
for (i = 0; i < enc_key->length; i++)
((char *)enc_key->contents)[i] ^= 0xF0;
code = kg_arcfour_docrypt_iov(context, enc_key, 0,
&bigend_seqnum[0], 4,
iov, iov_count);
krb5_free_keyblock(context, enc_key);
} else {
code = kg_decrypt_iov(context, 0,
((ctx->gss_flags & GSS_C_DCE_STYLE) != 0),
0 /*EC*/, 0 /*RRC*/,
ctx->enc, KG_USAGE_SEAL, NULL,
iov, iov_count);
}
if (code != 0) {
retval = GSS_S_FAILURE;
goto cleanup;
}
}
conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype);
}
if (header->buffer.length != token_wrapper_len + 14 + cksum_len + conflen) {
retval = GSS_S_DEFECTIVE_TOKEN;
goto cleanup;
}
/* compute the checksum of the message */
/* initialize the checksum */
switch (signalg) {
case SGN_ALG_DES_MAC_MD5:
case SGN_ALG_MD2_5:
case SGN_ALG_DES_MAC:
case SGN_ALG_3:
md5cksum.checksum_type = CKSUMTYPE_RSA_MD5;
break;
case SGN_ALG_HMAC_MD5:
md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR;
break;
case SGN_ALG_HMAC_SHA1_DES3_KD:
md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3;
break;
default:
abort();
}
code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen);
if (code != 0) {
retval = GSS_S_FAILURE;
goto cleanup;
}
md5cksum.length = sumlen;
/* compute the checksum of the message */
code = kg_make_checksum_iov_v1(context, md5cksum.checksum_type,
cksum_len, ctx->seq, ctx->enc,
sign_usage, iov, iov_count, toktype,
&md5cksum);
if (code != 0) {
retval = GSS_S_FAILURE;
goto cleanup;
}
switch (signalg) {
case SGN_ALG_DES_MAC_MD5:
case SGN_ALG_3:
code = kg_encrypt_inplace(context, ctx->seq, KG_USAGE_SEAL,
(g_OID_equal(ctx->mech_used,
gss_mech_krb5_old) ?
ctx->seq->keyblock.contents : NULL),
md5cksum.contents, 16);
if (code != 0) {
retval = GSS_S_FAILURE;
goto cleanup;
}
cksum.length = cksum_len;
cksum.contents = md5cksum.contents + 16 - cksum.length;
code = k5_bcmp(cksum.contents, ptr + 14, cksum.length);
break;
case SGN_ALG_HMAC_SHA1_DES3_KD:
case SGN_ALG_HMAC_MD5:
code = k5_bcmp(md5cksum.contents, ptr + 14, cksum_len);
break;
default:
code = 0;
retval = GSS_S_DEFECTIVE_TOKEN;
goto cleanup;
break;
}
if (code != 0) {
code = 0;
retval = GSS_S_BAD_SIG;
goto cleanup;
}
/*
* For GSS_C_DCE_STYLE, the caller manages the padding, because the
* pad length is in the RPC PDU. The value of the padding may be
* uninitialized. For normal GSS, the last bytes of the decrypted
* data contain the pad length. kg_fixup_padding_iov() will find
* this and fixup the last data IOV appropriately.
*/
if (toktype == KG_TOK_WRAP_MSG &&
(ctx->gss_flags & GSS_C_DCE_STYLE) == 0) {
retval = kg_fixup_padding_iov(&code, iov, iov_count);
if (retval != GSS_S_COMPLETE)
goto cleanup;
}
if (conf_state != NULL)
*conf_state = (sealalg != 0xFFFF);
if (qop_state != NULL)
*qop_state = GSS_C_QOP_DEFAULT;
if ((ctx->initiate && direction != 0xff) ||
(!ctx->initiate && direction != 0)) {
*minor_status = (OM_uint32)G_BAD_DIRECTION;
retval = GSS_S_BAD_SIG;
}
code = 0;
retval = g_order_check(&ctx->seqstate, (gssint_uint64)seqnum);
cleanup:
krb5_free_checksum_contents(context, &md5cksum);
*minor_status = code;
return retval;
}
/* Verify a request from a client. */
static krb5_error_code
server_verify(krb5_context kcontext,
struct _krb5_db_entry_new *client,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_enc_tkt_part *enc_tkt_reply,
krb5_pa_data *data,
preauth_get_entry_data_proc server_get_entry_data,
void *pa_module_context,
void **pa_request_context,
krb5_data **e_data)
{
krb5_int32 cksumtype;
krb5_checksum checksum;
krb5_boolean valid;
krb5_data *key_data, *req_body;
krb5_keyblock *keys, *key;
size_t length;
int i;
unsigned int j, cksumtypes_count;
krb5_cksumtype *cksumtypes;
krb5_error_code status;
struct server_stats *stats;
krb5_data *test_edata;
stats = pa_module_context;
/* Verify the preauth data. Start with the checksum type. */
if (data->length < 4) {
stats->failures++;
return KRB5KDC_ERR_PREAUTH_FAILED;
}
memcpy(&cksumtype, data->contents, 4);
memset(&checksum, 0, sizeof(checksum));
checksum.checksum_type = ntohl(cksumtype);
/* Verify that the amount of data we have left is what we expect. */
if (krb5_c_checksum_length(kcontext, checksum.checksum_type,
&length) != 0) {
#ifdef DEBUG
fprintf(stderr, "Error determining checksum size (type = %d). "
"Is it supported?\n", checksum.checksum_type);
#endif
stats->failures++;
return KRB5KDC_ERR_SUMTYPE_NOSUPP;
}
if (data->length - 4 != length) {
#ifdef DEBUG
fprintf(stderr, "Checksum size doesn't match client packet size.\n");
#endif
stats->failures++;
return KRB5KDC_ERR_PREAUTH_FAILED;
}
checksum.length = length;
/* Pull up the client's keys. */
key_data = NULL;
if ((*server_get_entry_data)(kcontext, request, client,
krb5plugin_preauth_keys, &key_data) != 0) {
#ifdef DEBUG
fprintf(stderr, "Error retrieving client keys.\n");
#endif
stats->failures++;
return KRB5KDC_ERR_PREAUTH_FAILED;
}
/* Find the key which would have been used to generate the checksum. */
keys = (krb5_keyblock *) key_data->data;
key = NULL;
for (i = 0; keys[i].enctype != 0; i++) {
key = &keys[i];
cksumtypes_count = 0;
cksumtypes = NULL;
if (krb5_c_keyed_checksum_types(kcontext, key->enctype,
&cksumtypes_count, &cksumtypes) != 0)
continue;
for (j = 0; j < cksumtypes_count; j++) {
if (cksumtypes[j] == checksum.checksum_type)
break;
}
if (cksumtypes != NULL)
krb5_free_cksumtypes(kcontext, cksumtypes);
if (j < cksumtypes_count) {
#ifdef DEBUG
fprintf(stderr, "Found checksum key.\n");
#endif
break;
}
}
if ((key == NULL) || (key->enctype == 0)) {
for (i = 0; keys[i].enctype != 0; i++)
krb5_free_keyblock_contents(kcontext, &keys[i]);
krb5_free_data(kcontext, key_data);
stats->failures++;
return KRB5KDC_ERR_SUMTYPE_NOSUPP;
}
/* Save a copy of the key. */
if (krb5_copy_keyblock(kcontext, &keys[i], &key) != 0) {
for (i = 0; keys[i].enctype != 0; i++)
krb5_free_keyblock_contents(kcontext, &keys[i]);
krb5_free_data(kcontext, key_data);
stats->failures++;
return KRB5KDC_ERR_SUMTYPE_NOSUPP;
}
for (i = 0; keys[i].enctype != 0; i++)
krb5_free_keyblock_contents(kcontext, &keys[i]);
krb5_free_data(kcontext, key_data);
/* Rebuild a copy of the client's request-body. If we were serious
* about doing this with any chance of working interoperability, we'd
* extract the structure directly from the req_pkt structure. This
* will probably work if it's us on both ends, though. */
req_body = NULL;
if ((*server_get_entry_data)(kcontext, request, client,
krb5plugin_preauth_request_body,
&req_body) != 0) {
krb5_free_keyblock(kcontext, key);
stats->failures++;
return KRB5KDC_ERR_PREAUTH_FAILED;
}
#ifdef DEBUG
fprintf(stderr, "AS key type %d, checksum type %d, %d bytes.\n",
key->enctype, checksum.checksum_type, req_body->length);
#endif
/* Verify the checksum itself. */
checksum.contents = data->contents + 4;
valid = FALSE;
status = krb5_c_verify_checksum(kcontext, key,
KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
req_body, &checksum, &valid);
/* Clean up. */
krb5_free_data(kcontext, req_body);
krb5_free_keyblock(kcontext, key);
/* Evaluate our results. */
if ((status != 0) || (!valid)) {
#ifdef DEBUG
if (status != 0) {
fprintf(stderr, "Error in checksum verification.\n");
} else {
fprintf(stderr, "Checksum mismatch.\n");
}
#endif
/* Return edata to exercise code that handles edata... */
test_edata = malloc(sizeof(*test_edata));
if (test_edata != NULL) {
test_edata->data = malloc(20);
if (test_edata->data == NULL) {
free(test_edata);
} else {
test_edata->length = 20;
memset(test_edata->data, 'F', 20); /* fill it with junk */
*e_data = test_edata;
}
}
stats->failures++;
return KRB5KDC_ERR_PREAUTH_FAILED;
}
/* Return edata to exercise code that handles edata... */
test_edata = malloc(sizeof(*test_edata));
if (test_edata != NULL) {
test_edata->data = malloc(20);
if (test_edata->data == NULL) {
free(test_edata);
} else {
test_edata->length = 20;
memset(test_edata->data, 'S', 20); /* fill it with junk */
*e_data = test_edata;
}
}
/* Note that preauthentication succeeded. */
enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
stats->successes++;
return 0;
}
/* Verify a request from a client. */
static krb5_error_code
server_verify(krb5_context kcontext,
struct _krb5_db_entry_new *client,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_enc_tkt_part *enc_tkt_reply,
krb5_pa_data *data,
preauth_get_entry_data_proc server_get_entry_data,
void *pa_module_context,
void **pa_request_context,
krb5_data **e_data,
krb5_authdata ***authz_data)
{
krb5_int32 cksumtype;
krb5_checksum checksum;
krb5_boolean valid;
krb5_data *key_data, *req_body;
krb5_keyblock *keys, *key;
size_t length;
int i;
unsigned int j, cksumtypes_count;
krb5_cksumtype *cksumtypes;
krb5_error_code status;
struct server_stats *stats;
krb5_data *test_edata;
test_svr_req_ctx *svr_req_ctx;
krb5_authdata **my_authz_data = NULL;
stats = pa_module_context;
#ifdef DEBUG
fprintf(stderr, "cksum_body: server_verify\n");
#endif
/* Verify the preauth data. Start with the checksum type. */
if (data->length < 4) {
stats->failures++;
return KRB5KDC_ERR_PREAUTH_FAILED;
}
memcpy(&cksumtype, data->contents, 4);
memset(&checksum, 0, sizeof(checksum));
checksum.checksum_type = ntohl(cksumtype);
/* Verify that the amount of data we have left is what we expect. */
if (krb5_c_checksum_length(kcontext, checksum.checksum_type,
&length) != 0) {
#ifdef DEBUG
fprintf(stderr, "Error determining checksum size (type = %d). "
"Is it supported?\n", checksum.checksum_type);
#endif
stats->failures++;
return KRB5KDC_ERR_SUMTYPE_NOSUPP;
}
if (data->length - 4 != length) {
#ifdef DEBUG
fprintf(stderr, "Checksum size doesn't match client packet size.\n");
#endif
stats->failures++;
return KRB5KDC_ERR_PREAUTH_FAILED;
}
checksum.length = length;
/* Pull up the client's keys. */
key_data = NULL;
if ((*server_get_entry_data)(kcontext, request, client,
krb5plugin_preauth_keys, &key_data) != 0) {
#ifdef DEBUG
fprintf(stderr, "Error retrieving client keys.\n");
#endif
stats->failures++;
return KRB5KDC_ERR_PREAUTH_FAILED;
}
/* Find the key which would have been used to generate the checksum. */
keys = (krb5_keyblock *) key_data->data;
key = NULL;
for (i = 0; keys[i].enctype != 0; i++) {
key = &keys[i];
cksumtypes_count = 0;
cksumtypes = NULL;
if (krb5_c_keyed_checksum_types(kcontext, key->enctype,
&cksumtypes_count, &cksumtypes) != 0)
continue;
for (j = 0; j < cksumtypes_count; j++) {
if (cksumtypes[j] == checksum.checksum_type)
break;
}
if (cksumtypes != NULL)
krb5_free_cksumtypes(kcontext, cksumtypes);
if (j < cksumtypes_count) {
#ifdef DEBUG
fprintf(stderr, "Found checksum key.\n");
#endif
break;
}
}
if ((key == NULL) || (key->enctype == 0)) {
for (i = 0; keys[i].enctype != 0; i++)
krb5_free_keyblock_contents(kcontext, &keys[i]);
krb5_free_data(kcontext, key_data);
stats->failures++;
return KRB5KDC_ERR_SUMTYPE_NOSUPP;
}
/* Save a copy of the key. */
if (krb5_copy_keyblock(kcontext, &keys[i], &key) != 0) {
for (i = 0; keys[i].enctype != 0; i++)
krb5_free_keyblock_contents(kcontext, &keys[i]);
krb5_free_data(kcontext, key_data);
stats->failures++;
return KRB5KDC_ERR_SUMTYPE_NOSUPP;
}
for (i = 0; keys[i].enctype != 0; i++)
krb5_free_keyblock_contents(kcontext, &keys[i]);
krb5_free_data(kcontext, key_data);
/* Rebuild a copy of the client's request-body. If we were serious
* about doing this with any chance of working interoperability, we'd
* extract the structure directly from the req_pkt structure. This
* will probably work if it's us on both ends, though. */
req_body = NULL;
if ((*server_get_entry_data)(kcontext, request, client,
krb5plugin_preauth_request_body,
&req_body) != 0) {
krb5_free_keyblock(kcontext, key);
stats->failures++;
return KRB5KDC_ERR_PREAUTH_FAILED;
}
#ifdef DEBUG
fprintf(stderr, "AS key type %d, checksum type %d, %d bytes.\n",
key->enctype, checksum.checksum_type, req_body->length);
#endif
/* Verify the checksum itself. */
checksum.contents = data->contents + 4;
valid = FALSE;
status = krb5_c_verify_checksum(kcontext, key,
KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
req_body, &checksum, &valid);
/* Clean up. */
krb5_free_data(kcontext, req_body);
krb5_free_keyblock(kcontext, key);
/* Evaluate our results. */
if ((status != 0) || (!valid)) {
#ifdef DEBUG
if (status != 0) {
fprintf(stderr, "Error in checksum verification.\n");
} else {
fprintf(stderr, "Checksum mismatch.\n");
}
#endif
/* Return edata to exercise code that handles edata... */
test_edata = malloc(sizeof(*test_edata));
if (test_edata != NULL) {
test_edata->data = malloc(20);
if (test_edata->data == NULL) {
free(test_edata);
} else {
test_edata->length = 20;
memset(test_edata->data, 'F', 20); /* fill it with junk */
*e_data = test_edata;
}
}
stats->failures++;
return KRB5KDC_ERR_PREAUTH_FAILED;
}
/*
* Return some junk authorization data just to exercise the
* code path handling the returned authorization data.
*
* NOTE that this is NOT VALID authorization data!
*/
#ifdef DEBUG
fprintf(stderr, "cksum_body: doing authorization data!\n");
#endif
my_authz_data = malloc(2 * sizeof(*my_authz_data));
if (my_authz_data != NULL) {
#if 1 /* USE_5000_AD */
#define AD_ALLOC_SIZE 5000
/* ad_header consists of a sequence tag (0x30) and length
* (0x82 0x1384) followed by octet string tag (0x04) and
* length (0x82 0x1380) */
krb5_octet ad_header[] = {0x30, 0x82, 0x13, 0x84, 0x04, 0x82, 0x13, 0x80};
#else
#define AD_ALLOC_SIZE 100
/* ad_header consists of a sequence tag (0x30) and length
* (0x62) followed by octet string tag (0x04) and length
* (0x60) */
krb5_octet ad_header[] = {0x30, 0x62, 0x04, 0x60};
#endif
my_authz_data[1] = NULL;
my_authz_data[0] = malloc(sizeof(krb5_authdata));
if (my_authz_data[0] == NULL) {
free(my_authz_data);
return ENOMEM;
}
my_authz_data[0]->contents = malloc(AD_ALLOC_SIZE);
if (my_authz_data[0]->contents == NULL) {
free(my_authz_data[0]);
free(my_authz_data);
return ENOMEM;
}
memset(my_authz_data[0]->contents, '\0', AD_ALLOC_SIZE);
my_authz_data[0]->magic = KV5M_AUTHDATA;
my_authz_data[0]->ad_type = 1;
my_authz_data[0]->length = AD_ALLOC_SIZE;
memcpy(my_authz_data[0]->contents, ad_header, sizeof(ad_header));
snprintf(my_authz_data[0]->contents + sizeof(ad_header),
AD_ALLOC_SIZE - sizeof(ad_header),
"cksum authorization data: %d bytes worth!\n", AD_ALLOC_SIZE);
*authz_data = my_authz_data;
#ifdef DEBUG
fprintf(stderr, "Returning %d bytes of authorization data\n",
AD_ALLOC_SIZE);
#endif
}
/* Return edata to exercise code that handles edata... */
test_edata = malloc(sizeof(*test_edata));
if (test_edata != NULL) {
test_edata->data = malloc(20);
if (test_edata->data == NULL) {
free(test_edata);
} else {
test_edata->length = 20;
memset(test_edata->data, 'S', 20); /* fill it with junk */
*e_data = test_edata;
}
}
/* Return a request context to exercise code that handles it */
svr_req_ctx = malloc(sizeof(*svr_req_ctx));
if (svr_req_ctx != NULL) {
svr_req_ctx->value1 = 111111;
svr_req_ctx->value2 = 222222;
#ifdef DEBUG
fprintf(stderr, "server_verify: returning context at %p\n",
svr_req_ctx);
#endif
}
*pa_request_context = svr_req_ctx;
/* Note that preauthentication succeeded. */
enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
stats->successes++;
return 0;
}
static krb5_error_code
make_seal_token_v1 (krb5_context context,
krb5_keyblock *enc,
krb5_keyblock *seq,
gssint_uint64 *seqnum,
int direction,
gss_buffer_t text,
gss_buffer_t token,
int signalg,
size_t cksum_size,
int sealalg,
int do_encrypt,
int toktype,
int bigend,
gss_OID oid)
{
krb5_error_code code;
size_t sumlen;
char *data_ptr;
krb5_data plaind;
krb5_checksum md5cksum;
krb5_checksum cksum;
/* msglen contains the message length
* we are signing/encrypting. tmsglen
* contains the length of the message
* we plan to write out to the token.
* tlen is the length of the token
* including header. */
unsigned int conflen=0, tmsglen, tlen, msglen;
unsigned char *t, *ptr;
unsigned char *plain;
unsigned char pad;
krb5_keyusage sign_usage = KG_USAGE_SIGN;
assert((!do_encrypt) || (toktype == KG_TOK_SEAL_MSG));
/* create the token buffer */
/* Do we need confounder? */
if (do_encrypt || (!bigend && (toktype == KG_TOK_SEAL_MSG)))
conflen = kg_confounder_size(context, enc);
else conflen = 0;
if (toktype == KG_TOK_SEAL_MSG) {
switch (sealalg) {
case SEAL_ALG_MICROSOFT_RC4:
msglen = conflen + text->length+1;
pad = 1;
break;
default:
/* XXX knows that des block size is 8 */
msglen = (conflen+text->length+8)&(~7);
pad = 8-(text->length%8);
}
tmsglen = msglen;
} else {
tmsglen = 0;
msglen = text->length;
pad = 0;
}
tlen = g_token_size((gss_OID) oid, 14+cksum_size+tmsglen);
if ((t = (unsigned char *) xmalloc(tlen)) == NULL)
return(ENOMEM);
/*** fill in the token */
ptr = t;
g_make_token_header(oid, 14+cksum_size+tmsglen, &ptr, toktype);
/* 0..1 SIGN_ALG */
store_16_le(signalg, &ptr[0]);
/* 2..3 SEAL_ALG or Filler */
if ((toktype == KG_TOK_SEAL_MSG) && do_encrypt) {
store_16_le(sealalg, &ptr[2]);
} else {
/* No seal */
ptr[2] = 0xff;
ptr[3] = 0xff;
}
/* 4..5 Filler */
ptr[4] = 0xff;
ptr[5] = 0xff;
/* pad the plaintext, encrypt if needed, and stick it in the token */
/* initialize the the cksum */
switch (signalg) {
case SGN_ALG_DES_MAC_MD5:
case SGN_ALG_MD2_5:
md5cksum.checksum_type = CKSUMTYPE_RSA_MD5;
break;
case SGN_ALG_HMAC_SHA1_DES3_KD:
md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3;
break;
case SGN_ALG_HMAC_MD5:
md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR;
if (toktype != KG_TOK_SEAL_MSG)
sign_usage = 15;
break;
default:
case SGN_ALG_DES_MAC:
abort ();
}
code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen);
if (code) {
xfree(t);
return(code);
}
md5cksum.length = sumlen;
if ((plain = (unsigned char *) xmalloc(msglen ? msglen : 1)) == NULL) {
xfree(t);
return(ENOMEM);
}
if (conflen) {
if ((code = kg_make_confounder(context, enc, plain))) {
xfree(plain);
xfree(t);
return(code);
}
}
memcpy(plain+conflen, text->value, text->length);
if (pad) memset(plain+conflen+text->length, pad, pad);
/* compute the checksum */
/* 8 = head of token body as specified by mech spec */
if (! (data_ptr =
(char *) xmalloc(8 + (bigend ? text->length : msglen)))) {
xfree(plain);
xfree(t);
return(ENOMEM);
}
(void) memcpy(data_ptr, ptr-2, 8);
if (bigend)
(void) memcpy(data_ptr+8, text->value, text->length);
else
(void) memcpy(data_ptr+8, plain, msglen);
plaind.length = 8 + (bigend ? text->length : msglen);
plaind.data = data_ptr;
code = krb5_c_make_checksum(context, md5cksum.checksum_type, seq,
sign_usage, &plaind, &md5cksum);
xfree(data_ptr);
if (code) {
xfree(plain);
xfree(t);
return(code);
}
switch(signalg) {
case SGN_ALG_DES_MAC_MD5:
case 3:
if ((code = kg_encrypt(context, seq, KG_USAGE_SEAL,
(g_OID_equal(oid, gss_mech_krb5_old) ?
seq->contents : NULL),
md5cksum.contents, md5cksum.contents, 16))) {
krb5_free_checksum_contents(context, &md5cksum);
xfree (plain);
xfree(t);
return code;
}
cksum.length = cksum_size;
cksum.contents = md5cksum.contents + 16 - cksum.length;
memcpy(ptr+14, cksum.contents, cksum.length);
break;
case SGN_ALG_HMAC_SHA1_DES3_KD:
/*
* Using key derivation, the call to krb5_c_make_checksum
* already dealt with encrypting.
*/
if (md5cksum.length != cksum_size)
abort ();
memcpy (ptr+14, md5cksum.contents, md5cksum.length);
break;
case SGN_ALG_HMAC_MD5:
memcpy (ptr+14, md5cksum.contents, cksum_size);
break;
}
krb5_free_checksum_contents(context, &md5cksum);
/* create the seq_num */
if ((code = kg_make_seq_num(context, seq, direction?0:0xff,
(krb5_ui_4)*seqnum, ptr+14, ptr+6))) {
xfree (plain);
xfree(t);
return(code);
}
if (do_encrypt) {
switch(sealalg) {
case SEAL_ALG_MICROSOFT_RC4:
{
unsigned char bigend_seqnum[4];
krb5_keyblock *enc_key;
int i;
store_32_be(*seqnum, bigend_seqnum);
code = krb5_copy_keyblock (context, enc, &enc_key);
if (code)
{
xfree(plain);
xfree(t);
return(code);
}
assert (enc_key->length == 16);
for (i = 0; i <= 15; i++)
((char *) enc_key->contents)[i] ^=0xf0;
code = kg_arcfour_docrypt (enc_key, 0,
bigend_seqnum, 4,
plain, tmsglen,
ptr+14+cksum_size);
krb5_free_keyblock (context, enc_key);
if (code)
{
xfree(plain);
xfree(t);
return(code);
}
}
break;
default:
if ((code = kg_encrypt(context, enc, KG_USAGE_SEAL, NULL,
(krb5_pointer) plain,
(krb5_pointer) (ptr+cksum_size+14),
tmsglen))) {
xfree(plain);
xfree(t);
return(code);
}
}
}else {
if (tmsglen)
memcpy(ptr+14+cksum_size, plain, tmsglen);
}
xfree(plain);
/* that's it. return the token */
(*seqnum)++;
*seqnum &= 0xffffffffL;
token->length = tlen;
token->value = (void *) t;
return(0);
}
int
ksm_rgenerate_out_msg(struct snmp_secmod_outgoing_params *parms)
{
krb5_auth_context auth_context = NULL;
krb5_error_code retcode;
krb5_ccache cc = NULL;
int retval = SNMPERR_SUCCESS;
krb5_data outdata, ivector;
krb5_keyblock *subkey = NULL;
#ifdef MIT_NEW_CRYPTO
krb5_data input;
krb5_enc_data output;
unsigned int numcksumtypes;
krb5_cksumtype *cksumtype_array;
#else /* MIT_NEW_CRYPTO */
krb5_encrypt_block eblock;
#endif /* MIT_NEW_CRYPTO */
size_t blocksize, encrypted_length;
unsigned char *encrypted_data = NULL;
int zero = 0, i;
u_char *cksum_pointer, *endp = *parms->wholeMsg;
krb5_cksumtype cksumtype;
krb5_checksum pdu_checksum;
u_char **wholeMsg = parms->wholeMsg;
size_t *offset = parms->wholeMsgOffset, seq_offset;
struct ksm_secStateRef *ksm_state = (struct ksm_secStateRef *)
parms->secStateRef;
int rc;
DEBUGMSGTL(("ksm", "Starting KSM processing\n"));
outdata.length = 0;
outdata.data = NULL;
ivector.length = 0;
ivector.data = NULL;
pdu_checksum.contents = NULL;
if (!ksm_state) {
/*
* If we don't have a ksm_state, then we're a request. Get a
* credential cache and build a ap_req.
*/
retcode = krb5_cc_default(kcontext, &cc);
if (retcode) {
DEBUGMSGTL(("ksm", "KSM: krb5_cc_default failed: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
DEBUGMSGTL(("ksm", "KSM: Set credential cache successfully\n"));
/*
* This seems odd, since we don't need this until later (or earlier,
* depending on how you look at it), but because the most likely
* errors are Kerberos at this point, I'll get this now to save
* time not encoding the rest of the packet.
*
* Also, we need the subkey to encrypt the PDU (if required).
*/
retcode =
krb5_mk_req(kcontext, &auth_context,
AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY,
(char *) service_name, parms->session->peername, NULL,
cc, &outdata);
if (retcode) {
DEBUGMSGTL(("ksm", "KSM: krb5_mk_req failed: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
DEBUGMSGTL(("ksm", "KSM: ticket retrieved successfully for \"%s/%s\" "
"(may not be actual ticket sname)\n", service_name,
parms->session->peername));
} else {
/*
* Grab the auth_context from our security state reference
*/
auth_context = ksm_state->auth_context;
/*
* Bundle up an AP_REP. Note that we do this only when we
* have a security state reference (which means we're in an agent
* and we're sending a response).
*/
DEBUGMSGTL(("ksm", "KSM: Starting reply processing.\n"));
retcode = krb5_mk_rep(kcontext, auth_context, &outdata);
if (retcode) {
DEBUGMSGTL(("ksm", "KSM: krb5_mk_rep failed: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
DEBUGMSGTL(("ksm", "KSM: Finished with krb5_mk_rep()\n"));
}
/*
* If we have to encrypt the PDU, do that now
*/
if (parms->secLevel == SNMP_SEC_LEVEL_AUTHPRIV) {
DEBUGMSGTL(("ksm", "KSM: Starting PDU encryption.\n"));
/*
* It's weird -
*
* If we're on the manager, it's a local subkey (because that's in
* our AP_REQ)
*
* If we're on the agent, it's a remote subkey (because that comes
* FROM the received AP_REQ).
*/
if (ksm_state)
retcode = krb5_auth_con_getremotesubkey(kcontext, auth_context,
&subkey);
else
retcode = krb5_auth_con_getlocalsubkey(kcontext, auth_context,
&subkey);
if (retcode) {
DEBUGMSGTL(("ksm",
"KSM: krb5_auth_con_getlocalsubkey failed: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
/*
* Note that here we need to handle different things between the
* old and new crypto APIs. First, we need to get the final encrypted
* length of the PDU.
*/
#ifdef MIT_NEW_CRYPTO
retcode = krb5_c_encrypt_length(kcontext, subkey->enctype,
parms->scopedPduLen,
&encrypted_length);
if (retcode) {
DEBUGMSGTL(("ksm",
"Encryption length calculation failed: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
#else /* MIT_NEW_CRYPTO */
krb5_use_enctype(kcontext, &eblock, subkey->enctype);
retcode = krb5_process_key(kcontext, &eblock, subkey);
if (retcode) {
DEBUGMSGTL(("ksm", "krb5_process_key failed: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
encrypted_length = krb5_encrypt_size(parms->scopedPduLen,
eblock.crypto_entry);
#endif /* MIT_NEW_CRYPTO */
encrypted_data = malloc(encrypted_length);
if (!encrypted_data) {
DEBUGMSGTL(("ksm",
"KSM: Unable to malloc %d bytes for encrypt "
"buffer: %s\n", parms->scopedPduLen,
strerror(errno)));
retval = SNMPERR_MALLOC;
#ifndef MIT_NEW_CRYPTO
krb5_finish_key(kcontext, &eblock);
#endif /* ! MIT_NEW_CRYPTO */
goto error;
}
/*
* We need to set up a blank initialization vector for the encryption.
* Use a block of all zero's (which is dependent on the block size
* of the encryption method).
*/
#ifdef MIT_NEW_CRYPTO
retcode = krb5_c_block_size(kcontext, subkey->enctype, &blocksize);
if (retcode) {
DEBUGMSGTL(("ksm",
"Unable to determine crypto block size: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
#else /* MIT_NEW_CRYPTO */
blocksize =
krb5_enctype_array[subkey->enctype]->system->block_length;
#endif /* MIT_NEW_CRYPTO */
ivector.data = malloc(blocksize);
if (!ivector.data) {
DEBUGMSGTL(("ksm", "Unable to allocate %d bytes for ivector\n",
blocksize));
retval = SNMPERR_MALLOC;
goto error;
}
ivector.length = blocksize;
memset(ivector.data, 0, blocksize);
/*
* Finally! Do the encryption!
*/
#ifdef MIT_NEW_CRYPTO
input.data = (char *) parms->scopedPdu;
input.length = parms->scopedPduLen;
output.ciphertext.data = (char *) encrypted_data;
output.ciphertext.length = encrypted_length;
retcode =
krb5_c_encrypt(kcontext, subkey, KSM_KEY_USAGE_ENCRYPTION,
&ivector, &input, &output);
#else /* MIT_NEW_CRYPTO */
retcode = krb5_encrypt(kcontext, (krb5_pointer) parms->scopedPdu,
(krb5_pointer) encrypted_data,
parms->scopedPduLen, &eblock, ivector.data);
krb5_finish_key(kcontext, &eblock);
#endif /* MIT_NEW_CRYPTO */
if (retcode) {
DEBUGMSGTL(("ksm", "KSM: krb5_encrypt failed: %s\n",
error_message(retcode)));
retval = SNMPERR_KRB5;
snmp_set_detail(error_message(retcode));
goto error;
}
*offset = 0;
rc = asn_realloc_rbuild_string(wholeMsg, parms->wholeMsgLen,
offset, 1,
(u_char) (ASN_UNIVERSAL |
ASN_PRIMITIVE |
ASN_OCTET_STR),
encrypted_data,
encrypted_length);
if (rc == 0) {
DEBUGMSGTL(("ksm", "Building encrypted payload failed.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
DEBUGMSGTL(("ksm", "KSM: Encryption complete.\n"));
} else {
/*
* Plaintext PDU (not encrypted)
*/
if (*parms->wholeMsgLen < parms->scopedPduLen) {
DEBUGMSGTL(("ksm", "Not enough room for plaintext PDU.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
}
/*
* Start encoding the msgSecurityParameters
*
* For now, use 0 for the response hint
*/
DEBUGMSGTL(("ksm", "KSM: scopedPdu added to payload\n"));
seq_offset = *offset;
rc = asn_realloc_rbuild_int(wholeMsg, parms->wholeMsgLen,
offset, 1,
(u_char) (ASN_UNIVERSAL |
ASN_PRIMITIVE |
ASN_INTEGER),
(long *) &zero, sizeof(zero));
if (rc == 0) {
DEBUGMSGTL(("ksm", "Building ksm security parameters failed.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
rc = asn_realloc_rbuild_string(wholeMsg, parms->wholeMsgLen,
offset, 1,
(u_char) (ASN_UNIVERSAL |
ASN_PRIMITIVE |
ASN_OCTET_STR),
(u_char *) outdata.data,
outdata.length);
if (rc == 0) {
DEBUGMSGTL(("ksm", "Building ksm AP_REQ failed.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
/*
* Now, we need to pick the "right" checksum algorithm. For old
* crypto, just pick CKSUMTYPE_RSA_MD5_DES; for new crypto, pick
* one of the "approved" ones.
*/
#ifdef MIT_NEW_CRYPTO
retcode = krb5_c_keyed_checksum_types(kcontext, subkey->enctype,
&numcksumtypes, &cksumtype_array);
if (retcode) {
DEBUGMSGTL(("ksm", "Unable to find appropriate keyed checksum: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
if (numcksumtypes <= 0) {
DEBUGMSGTL(("ksm", "We received a list of zero cksumtypes for this "
"enctype (%d)\n", subkey->enctype));
snmp_set_detail("No valid checksum type for this encryption type");
retval = SNMPERR_KRB5;
goto error;
}
/*
* It's not clear to me from the API which checksum you're supposed
* to support, so I'm taking a guess at the first one
*/
cksumtype = cksumtype_array[0];
krb5_free_cksumtypes(kcontext, cksumtype_array);
DEBUGMSGTL(("ksm", "KSM: Choosing checksum type of %d (subkey type "
"of %d)\n", cksumtype, subkey->enctype));
retcode = krb5_c_checksum_length(kcontext, cksumtype, &blocksize);
if (retcode) {
DEBUGMSGTL(("ksm", "Unable to determine checksum length: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
pdu_checksum.length = blocksize;
#else /* MIT_NEW_CRYPTO */
if (ksm_state)
cksumtype = ksm_state->cksumtype;
else
cksumtype = CKSUMTYPE_RSA_MD5_DES;
if (!is_keyed_cksum(cksumtype)) {
DEBUGMSGTL(("ksm", "Checksum type %d is not a keyed checksum\n",
cksumtype));
snmp_set_detail("Checksum is not a keyed checksum");
retval = SNMPERR_KRB5;
goto error;
}
if (!is_coll_proof_cksum(cksumtype)) {
DEBUGMSGTL(("ksm", "Checksum type %d is not a collision-proof "
"checksum\n", cksumtype));
snmp_set_detail("Checksum is not a collision-proof checksum");
retval = SNMPERR_KRB5;
goto error;
}
pdu_checksum.length = krb5_checksum_size(kcontext, cksumtype);
pdu_checksum.checksum_type = cksumtype;
#endif /* MIT_NEW_CRYPTO */
/*
* Note that here, we're just leaving blank space for the checksum;
* we remember where that is, and we'll fill it in later.
*/
*offset += pdu_checksum.length;
memset(*wholeMsg + *parms->wholeMsgLen - *offset, 0, pdu_checksum.length);
cksum_pointer = *wholeMsg + *parms->wholeMsgLen - *offset;
rc = asn_realloc_rbuild_header(wholeMsg, parms->wholeMsgLen,
parms->wholeMsgOffset, 1,
(u_char) (ASN_UNIVERSAL |
ASN_PRIMITIVE |
ASN_OCTET_STR),
pdu_checksum.length);
if (rc == 0) {
DEBUGMSGTL(("ksm", "Building ksm security parameters failed.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
rc = asn_realloc_rbuild_int(wholeMsg, parms->wholeMsgLen,
parms->wholeMsgOffset, 1,
(u_char) (ASN_UNIVERSAL |
ASN_PRIMITIVE |
ASN_OCTET_STR),
(long *) &cksumtype,
sizeof(cksumtype));
if (rc == 0) {
DEBUGMSGTL(("ksm", "Building ksm security parameters failed.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
rc = asn_realloc_rbuild_sequence(wholeMsg, parms->wholeMsgLen,
parms->wholeMsgOffset, 1,
(u_char) (ASN_SEQUENCE |
ASN_CONSTRUCTOR),
*offset - seq_offset);
if (rc == 0) {
DEBUGMSGTL(("ksm", "Building ksm security parameters failed.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
rc = asn_realloc_rbuild_header(wholeMsg, parms->wholeMsgLen,
parms->wholeMsgOffset, 1,
(u_char) (ASN_UNIVERSAL |
ASN_PRIMITIVE |
ASN_OCTET_STR),
*offset - seq_offset);
if (rc == 0) {
DEBUGMSGTL(("ksm", "Building ksm security parameters failed.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
DEBUGMSGTL(("ksm", "KSM: Security parameter encoding completed\n"));
/*
* We're done with the KSM security parameters - now we do the global
* header and wrap up the whole PDU.
*/
if (*parms->wholeMsgLen < parms->globalDataLen) {
DEBUGMSGTL(("ksm", "Building global data failed.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
*offset += parms->globalDataLen;
memcpy(*wholeMsg + *parms->wholeMsgLen - *offset,
parms->globalData, parms->globalDataLen);
rc = asn_realloc_rbuild_sequence(wholeMsg, parms->wholeMsgLen,
offset, 1,
(u_char) (ASN_SEQUENCE |
ASN_CONSTRUCTOR),
*offset);
if (rc == 0) {
DEBUGMSGTL(("ksm", "Building master packet sequence.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
DEBUGMSGTL(("ksm", "KSM: PDU master packet encoding complete.\n"));
/*
* Now we need to checksum the entire PDU (since it's built).
*/
pdu_checksum.contents = malloc(pdu_checksum.length);
if (!pdu_checksum.contents) {
DEBUGMSGTL(("ksm", "Unable to malloc %d bytes for checksum\n",
pdu_checksum.length));
retval = SNMPERR_MALLOC;
goto error;
}
/*
* If we didn't encrypt the packet, we haven't yet got the subkey.
* Get that now.
*/
if (!subkey) {
if (ksm_state)
retcode = krb5_auth_con_getremotesubkey(kcontext, auth_context,
&subkey);
else
retcode = krb5_auth_con_getlocalsubkey(kcontext, auth_context,
&subkey);
if (retcode) {
DEBUGMSGTL(("ksm", "krb5_auth_con_getlocalsubkey failed: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
}
#ifdef MIT_NEW_CRYPTO
input.data = (char *) (*wholeMsg + *parms->wholeMsgLen - *offset);
input.length = *offset;
retcode = krb5_c_make_checksum(kcontext, cksumtype, subkey,
KSM_KEY_USAGE_CHECKSUM, &input,
&pdu_checksum);
#else /* MIT_NEW_CRYPTO */
retcode = krb5_calculate_checksum(kcontext, cksumtype, *wholeMsg +
*parms->wholeMsgLen - *offset,
*offset,
(krb5_pointer) subkey->contents,
subkey->length, &pdu_checksum);
#endif /* MIT_NEW_CRYPTO */
if (retcode) {
DEBUGMSGTL(("ksm", "Calculate checksum failed: %s\n",
error_message(retcode)));
retval = SNMPERR_KRB5;
snmp_set_detail(error_message(retcode));
goto error;
}
DEBUGMSGTL(("ksm", "KSM: Checksum calculation complete.\n"));
memcpy(cksum_pointer, pdu_checksum.contents, pdu_checksum.length);
DEBUGMSGTL(("ksm", "KSM: Writing checksum of %d bytes at offset %d\n",
pdu_checksum.length, cksum_pointer - (*wholeMsg + 1)));
DEBUGMSGTL(("ksm", "KSM: Checksum:"));
for (i = 0; i < pdu_checksum.length; i++)
DEBUGMSG(("ksm", " %02x",
(unsigned int) pdu_checksum.contents[i]));
DEBUGMSG(("ksm", "\n"));
/*
* If we're _not_ called as part of a response (null ksm_state),
* then save the auth_context for later using our cache routines.
*/
if (!ksm_state) {
if ((retval = ksm_insert_cache(parms->pdu->msgid, auth_context,
(u_char *) parms->secName,
parms->secNameLen)) !=
SNMPERR_SUCCESS)
goto error;
auth_context = NULL;
}
DEBUGMSGTL(("ksm", "KSM processing complete!\n"));
error:
if (pdu_checksum.contents)
#ifdef MIT_NEW_CRYPTO
krb5_free_checksum_contents(kcontext, &pdu_checksum);
#else /* MIT_NEW_CRYPTO */
free(pdu_checksum.contents);
#endif /* MIT_NEW_CRYPTO */
if (ivector.data)
free(ivector.data);
if (subkey)
krb5_free_keyblock(kcontext, subkey);
if (encrypted_data)
free(encrypted_data);
if (cc)
krb5_cc_close(kcontext, cc);
if (auth_context && !ksm_state)
krb5_auth_con_free(kcontext, auth_context);
return retval;
}
