2 * Copyright (c) 2003, PADL Software Pty Ltd.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of PADL Software nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 #include "krb5/gsskrb5_locl.h"
35 RCSID("$Id: cfx.c,v 1.24 2006/10/24 21:13:22 lha Exp $");
38 * Implementation of draft-ietf-krb-wg-gssapi-cfx-06.txt
41 #define CFXSentByAcceptor (1 << 0)
42 #define CFXSealed (1 << 1)
43 #define CFXAcceptorSubkey (1 << 2)
46 _gsskrb5cfx_wrap_length_cfx(krb5_crypto crypto,
49 size_t *output_length,
56 /* 16-byte header is always first */
57 *output_length = sizeof(gss_cfx_wrap_token_desc);
60 ret = krb5_crypto_get_checksum_type(_gsskrb5_context, crypto, &type);
64 ret = krb5_checksumsize(_gsskrb5_context, type, cksumsize);
71 /* Header is concatenated with data before encryption */
72 input_length += sizeof(gss_cfx_wrap_token_desc);
74 ret = krb5_crypto_getpadsize(_gsskrb5_context, crypto, &padsize);
80 *padlength = padsize - (input_length % padsize);
82 /* We add the pad ourselves (noted here for completeness only) */
83 input_length += *padlength;
86 *output_length += krb5_get_wrapped_length(_gsskrb5_context,
87 crypto, input_length);
89 /* Checksum is concatenated with data */
90 *output_length += input_length + *cksumsize;
93 assert(*output_length > input_length);
99 _gsskrb5cfx_max_wrap_length_cfx(krb5_crypto crypto,
102 OM_uint32 *output_length)
108 /* 16-byte header is always first */
109 if (input_length < 16)
114 size_t wrapped_size, sz;
116 wrapped_size = input_length + 1;
119 sz = krb5_get_wrapped_length(_gsskrb5_context,
120 crypto, wrapped_size);
121 } while (wrapped_size && sz > input_length);
122 if (wrapped_size == 0) {
128 if (wrapped_size < 16) {
134 *output_length = wrapped_size;
139 ret = krb5_crypto_get_checksum_type(_gsskrb5_context, crypto, &type);
143 ret = krb5_checksumsize(_gsskrb5_context, type, &cksumsize);
147 if (input_length < cksumsize)
150 /* Checksum is concatenated with data */
151 *output_length = input_length - cksumsize;
158 OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
159 const gsskrb5_ctx context_handle,
162 OM_uint32 req_output_size,
163 OM_uint32 *max_input_size,
169 ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
171 _gsskrb5_set_error_string();
173 return GSS_S_FAILURE;
176 ret = _gsskrb5cfx_max_wrap_length_cfx(crypto, conf_req_flag,
177 req_output_size, max_input_size);
179 _gsskrb5_set_error_string();
181 krb5_crypto_destroy(_gsskrb5_context, crypto);
182 return GSS_S_FAILURE;
185 krb5_crypto_destroy(_gsskrb5_context, crypto);
187 return GSS_S_COMPLETE;
191 * Rotate "rrc" bytes to the front or back
194 static krb5_error_code
195 rrc_rotate(void *data, size_t len, uint16_t rrc, krb5_boolean unrotate)
197 u_char *tmp, buf[256];
210 if (rrc <= sizeof(buf)) {
219 memcpy(tmp, data, rrc);
220 memmove(data, (u_char *)data + rrc, left);
221 memcpy((u_char *)data + left, tmp, rrc);
223 memcpy(tmp, (u_char *)data + left, rrc);
224 memmove((u_char *)data + rrc, data, left);
225 memcpy(data, tmp, rrc);
228 if (rrc > sizeof(buf))
234 OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
235 const gsskrb5_ctx context_handle,
238 const gss_buffer_t input_message_buffer,
240 gss_buffer_t output_message_buffer,
244 gss_cfx_wrap_token token;
248 size_t wrapped_len, cksumsize;
249 uint16_t padlength, rrc = 0;
253 ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
255 _gsskrb5_set_error_string();
257 return GSS_S_FAILURE;
260 ret = _gsskrb5cfx_wrap_length_cfx(crypto, conf_req_flag,
261 input_message_buffer->length,
262 &wrapped_len, &cksumsize, &padlength);
264 _gsskrb5_set_error_string();
266 krb5_crypto_destroy(_gsskrb5_context, crypto);
267 return GSS_S_FAILURE;
270 /* Always rotate encrypted token (if any) and checksum to header */
271 rrc = (conf_req_flag ? sizeof(*token) : 0) + (uint16_t)cksumsize;
273 output_message_buffer->length = wrapped_len;
274 output_message_buffer->value = malloc(output_message_buffer->length);
275 if (output_message_buffer->value == NULL) {
276 *minor_status = ENOMEM;
277 krb5_crypto_destroy(_gsskrb5_context, crypto);
278 return GSS_S_FAILURE;
281 p = output_message_buffer->value;
282 token = (gss_cfx_wrap_token)p;
283 token->TOK_ID[0] = 0x05;
284 token->TOK_ID[1] = 0x04;
286 token->Filler = 0xFF;
287 if ((context_handle->more_flags & LOCAL) == 0)
288 token->Flags |= CFXSentByAcceptor;
289 if (context_handle->more_flags & ACCEPTOR_SUBKEY)
290 token->Flags |= CFXAcceptorSubkey;
293 * In Wrap tokens with confidentiality, the EC field is
294 * used to encode the size (in bytes) of the random filler.
296 token->Flags |= CFXSealed;
297 token->EC[0] = (padlength >> 8) & 0xFF;
298 token->EC[1] = (padlength >> 0) & 0xFF;
301 * In Wrap tokens without confidentiality, the EC field is
302 * used to encode the size (in bytes) of the trailing
305 * This is not used in the checksum calcuation itself,
306 * because the checksum length could potentially vary
307 * depending on the data length.
314 * In Wrap tokens that provide for confidentiality, the RRC
315 * field in the header contains the hex value 00 00 before
318 * In Wrap tokens that do not provide for confidentiality,
319 * both the EC and RRC fields in the appended checksum
320 * contain the hex value 00 00 for the purpose of calculating
326 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
327 krb5_auth_con_getlocalseqnumber(_gsskrb5_context,
328 context_handle->auth_context,
330 _gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]);
331 _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
332 krb5_auth_con_setlocalseqnumber(_gsskrb5_context,
333 context_handle->auth_context,
335 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
338 * If confidentiality is requested, the token header is
339 * appended to the plaintext before encryption; the resulting
340 * token is {"header" | encrypt(plaintext | pad | "header")}.
342 * If no confidentiality is requested, the checksum is
343 * calculated over the plaintext concatenated with the
346 if (context_handle->more_flags & LOCAL) {
347 usage = KRB5_KU_USAGE_INITIATOR_SEAL;
349 usage = KRB5_KU_USAGE_ACCEPTOR_SEAL;
354 * Any necessary padding is added here to ensure that the
355 * encrypted token header is always at the end of the
358 * The specification does not require that the padding
359 * bytes are initialized.
362 memcpy(p, input_message_buffer->value, input_message_buffer->length);
363 memset(p + input_message_buffer->length, 0xFF, padlength);
364 memcpy(p + input_message_buffer->length + padlength,
365 token, sizeof(*token));
367 ret = krb5_encrypt(_gsskrb5_context, crypto,
369 input_message_buffer->length + padlength +
373 _gsskrb5_set_error_string();
375 krb5_crypto_destroy(_gsskrb5_context, crypto);
376 _gsskrb5_release_buffer(minor_status, output_message_buffer);
377 return GSS_S_FAILURE;
379 assert(sizeof(*token) + cipher.length == wrapped_len);
380 token->RRC[0] = (rrc >> 8) & 0xFF;
381 token->RRC[1] = (rrc >> 0) & 0xFF;
383 ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE);
385 _gsskrb5_set_error_string();
387 krb5_crypto_destroy(_gsskrb5_context, crypto);
388 _gsskrb5_release_buffer(minor_status, output_message_buffer);
389 return GSS_S_FAILURE;
391 memcpy(p, cipher.data, cipher.length);
392 krb5_data_free(&cipher);
397 buf = malloc(input_message_buffer->length + sizeof(*token));
399 *minor_status = ENOMEM;
400 krb5_crypto_destroy(_gsskrb5_context, crypto);
401 _gsskrb5_release_buffer(minor_status, output_message_buffer);
402 return GSS_S_FAILURE;
404 memcpy(buf, input_message_buffer->value, input_message_buffer->length);
405 memcpy(buf + input_message_buffer->length, token, sizeof(*token));
407 ret = krb5_create_checksum(_gsskrb5_context, crypto,
409 input_message_buffer->length +
413 _gsskrb5_set_error_string();
415 krb5_crypto_destroy(_gsskrb5_context, crypto);
416 _gsskrb5_release_buffer(minor_status, output_message_buffer);
418 return GSS_S_FAILURE;
423 assert(cksum.checksum.length == cksumsize);
424 token->EC[0] = (cksum.checksum.length >> 8) & 0xFF;
425 token->EC[1] = (cksum.checksum.length >> 0) & 0xFF;
426 token->RRC[0] = (rrc >> 8) & 0xFF;
427 token->RRC[1] = (rrc >> 0) & 0xFF;
430 memcpy(p, input_message_buffer->value, input_message_buffer->length);
431 memcpy(p + input_message_buffer->length,
432 cksum.checksum.data, cksum.checksum.length);
435 input_message_buffer->length + cksum.checksum.length, rrc, FALSE);
437 _gsskrb5_set_error_string();
439 krb5_crypto_destroy(_gsskrb5_context, crypto);
440 _gsskrb5_release_buffer(minor_status, output_message_buffer);
441 free_Checksum(&cksum);
442 return GSS_S_FAILURE;
444 free_Checksum(&cksum);
447 krb5_crypto_destroy(_gsskrb5_context, crypto);
449 if (conf_state != NULL) {
450 *conf_state = conf_req_flag;
454 return GSS_S_COMPLETE;
457 OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
458 const gsskrb5_ctx context_handle,
459 const gss_buffer_t input_message_buffer,
460 gss_buffer_t output_message_buffer,
462 gss_qop_t *qop_state,
466 gss_cfx_wrap_token token;
472 OM_uint32 seq_number_lo, seq_number_hi;
478 if (input_message_buffer->length < sizeof(*token)) {
479 return GSS_S_DEFECTIVE_TOKEN;
482 p = input_message_buffer->value;
484 token = (gss_cfx_wrap_token)p;
486 if (token->TOK_ID[0] != 0x05 || token->TOK_ID[1] != 0x04) {
487 return GSS_S_DEFECTIVE_TOKEN;
490 /* Ignore unknown flags */
491 token_flags = token->Flags &
492 (CFXSentByAcceptor | CFXSealed | CFXAcceptorSubkey);
494 if (token_flags & CFXSentByAcceptor) {
495 if ((context_handle->more_flags & LOCAL) == 0)
496 return GSS_S_DEFECTIVE_TOKEN;
499 if (context_handle->more_flags & ACCEPTOR_SUBKEY) {
500 if ((token_flags & CFXAcceptorSubkey) == 0)
501 return GSS_S_DEFECTIVE_TOKEN;
503 if (token_flags & CFXAcceptorSubkey)
504 return GSS_S_DEFECTIVE_TOKEN;
507 if (token->Filler != 0xFF) {
508 return GSS_S_DEFECTIVE_TOKEN;
511 if (conf_state != NULL) {
512 *conf_state = (token_flags & CFXSealed) ? 1 : 0;
515 ec = (token->EC[0] << 8) | token->EC[1];
516 rrc = (token->RRC[0] << 8) | token->RRC[1];
519 * Check sequence number
521 _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi);
522 _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo);
524 /* no support for 64-bit sequence numbers */
525 *minor_status = ERANGE;
526 return GSS_S_UNSEQ_TOKEN;
529 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
530 ret = _gssapi_msg_order_check(context_handle->order, seq_number_lo);
533 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
534 _gsskrb5_release_buffer(minor_status, output_message_buffer);
537 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
540 * Decrypt and/or verify checksum
542 ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
544 _gsskrb5_set_error_string();
546 return GSS_S_FAILURE;
549 if (context_handle->more_flags & LOCAL) {
550 usage = KRB5_KU_USAGE_ACCEPTOR_SEAL;
552 usage = KRB5_KU_USAGE_INITIATOR_SEAL;
556 len = input_message_buffer->length;
557 len -= (p - (u_char *)input_message_buffer->value);
559 /* Rotate by RRC; bogus to do this in-place XXX */
560 *minor_status = rrc_rotate(p, len, rrc, TRUE);
561 if (*minor_status != 0) {
562 krb5_crypto_destroy(_gsskrb5_context, crypto);
563 return GSS_S_FAILURE;
566 if (token_flags & CFXSealed) {
567 ret = krb5_decrypt(_gsskrb5_context, crypto, usage,
570 _gsskrb5_set_error_string();
572 krb5_crypto_destroy(_gsskrb5_context, crypto);
573 return GSS_S_BAD_MIC;
576 /* Check that there is room for the pad and token header */
577 if (data.length < ec + sizeof(*token)) {
578 krb5_crypto_destroy(_gsskrb5_context, crypto);
579 krb5_data_free(&data);
580 return GSS_S_DEFECTIVE_TOKEN;
583 p += data.length - sizeof(*token);
585 /* RRC is unprotected; don't modify input buffer */
586 ((gss_cfx_wrap_token)p)->RRC[0] = token->RRC[0];
587 ((gss_cfx_wrap_token)p)->RRC[1] = token->RRC[1];
589 /* Check the integrity of the header */
590 if (memcmp(p, token, sizeof(*token)) != 0) {
591 krb5_crypto_destroy(_gsskrb5_context, crypto);
592 krb5_data_free(&data);
593 return GSS_S_BAD_MIC;
596 output_message_buffer->value = data.data;
597 output_message_buffer->length = data.length - ec - sizeof(*token);
601 /* Determine checksum type */
602 ret = krb5_crypto_get_checksum_type(_gsskrb5_context,
603 crypto, &cksum.cksumtype);
605 _gsskrb5_set_error_string();
607 krb5_crypto_destroy(_gsskrb5_context, crypto);
608 return GSS_S_FAILURE;
611 cksum.checksum.length = ec;
613 /* Check we have at least as much data as the checksum */
614 if (len < cksum.checksum.length) {
615 *minor_status = ERANGE;
616 krb5_crypto_destroy(_gsskrb5_context, crypto);
617 return GSS_S_BAD_MIC;
620 /* Length now is of the plaintext only, no checksum */
621 len -= cksum.checksum.length;
622 cksum.checksum.data = p + len;
624 output_message_buffer->length = len; /* for later */
625 output_message_buffer->value = malloc(len + sizeof(*token));
626 if (output_message_buffer->value == NULL) {
627 *minor_status = ENOMEM;
628 krb5_crypto_destroy(_gsskrb5_context, crypto);
629 return GSS_S_FAILURE;
632 /* Checksum is over (plaintext-data | "header") */
633 memcpy(output_message_buffer->value, p, len);
634 memcpy((u_char *)output_message_buffer->value + len,
635 token, sizeof(*token));
637 /* EC is not included in checksum calculation */
638 token = (gss_cfx_wrap_token)((u_char *)output_message_buffer->value +
645 ret = krb5_verify_checksum(_gsskrb5_context, crypto,
647 output_message_buffer->value,
648 len + sizeof(*token),
651 _gsskrb5_set_error_string();
653 krb5_crypto_destroy(_gsskrb5_context, crypto);
654 _gsskrb5_release_buffer(minor_status, output_message_buffer);
655 return GSS_S_BAD_MIC;
659 krb5_crypto_destroy(_gsskrb5_context, crypto);
661 if (qop_state != NULL) {
662 *qop_state = GSS_C_QOP_DEFAULT;
666 return GSS_S_COMPLETE;
669 OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
670 const gsskrb5_ctx context_handle,
672 const gss_buffer_t message_buffer,
673 gss_buffer_t message_token,
677 gss_cfx_mic_token token;
685 ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
687 _gsskrb5_set_error_string();
689 return GSS_S_FAILURE;
692 len = message_buffer->length + sizeof(*token);
695 *minor_status = ENOMEM;
696 krb5_crypto_destroy(_gsskrb5_context, crypto);
697 return GSS_S_FAILURE;
700 memcpy(buf, message_buffer->value, message_buffer->length);
702 token = (gss_cfx_mic_token)(buf + message_buffer->length);
703 token->TOK_ID[0] = 0x04;
704 token->TOK_ID[1] = 0x04;
706 if ((context_handle->more_flags & LOCAL) == 0)
707 token->Flags |= CFXSentByAcceptor;
708 if (context_handle->more_flags & ACCEPTOR_SUBKEY)
709 token->Flags |= CFXAcceptorSubkey;
710 memset(token->Filler, 0xFF, 5);
712 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
713 krb5_auth_con_getlocalseqnumber(_gsskrb5_context,
714 context_handle->auth_context,
716 _gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]);
717 _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
718 krb5_auth_con_setlocalseqnumber(_gsskrb5_context,
719 context_handle->auth_context,
721 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
723 if (context_handle->more_flags & LOCAL) {
724 usage = KRB5_KU_USAGE_INITIATOR_SIGN;
726 usage = KRB5_KU_USAGE_ACCEPTOR_SIGN;
729 ret = krb5_create_checksum(_gsskrb5_context, crypto,
730 usage, 0, buf, len, &cksum);
732 _gsskrb5_set_error_string();
734 krb5_crypto_destroy(_gsskrb5_context, crypto);
736 return GSS_S_FAILURE;
738 krb5_crypto_destroy(_gsskrb5_context, crypto);
740 /* Determine MIC length */
741 message_token->length = sizeof(*token) + cksum.checksum.length;
742 message_token->value = malloc(message_token->length);
743 if (message_token->value == NULL) {
744 *minor_status = ENOMEM;
745 free_Checksum(&cksum);
747 return GSS_S_FAILURE;
750 /* Token is { "header" | get_mic("header" | plaintext-data) } */
751 memcpy(message_token->value, token, sizeof(*token));
752 memcpy((u_char *)message_token->value + sizeof(*token),
753 cksum.checksum.data, cksum.checksum.length);
755 free_Checksum(&cksum);
759 return GSS_S_COMPLETE;
762 OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
763 const gsskrb5_ctx context_handle,
764 const gss_buffer_t message_buffer,
765 const gss_buffer_t token_buffer,
766 gss_qop_t *qop_state,
770 gss_cfx_mic_token token;
774 OM_uint32 seq_number_lo, seq_number_hi;
780 if (token_buffer->length < sizeof(*token)) {
781 return GSS_S_DEFECTIVE_TOKEN;
784 p = token_buffer->value;
786 token = (gss_cfx_mic_token)p;
788 if (token->TOK_ID[0] != 0x04 || token->TOK_ID[1] != 0x04) {
789 return GSS_S_DEFECTIVE_TOKEN;
792 /* Ignore unknown flags */
793 token_flags = token->Flags & (CFXSentByAcceptor | CFXAcceptorSubkey);
795 if (token_flags & CFXSentByAcceptor) {
796 if ((context_handle->more_flags & LOCAL) == 0)
797 return GSS_S_DEFECTIVE_TOKEN;
799 if (context_handle->more_flags & ACCEPTOR_SUBKEY) {
800 if ((token_flags & CFXAcceptorSubkey) == 0)
801 return GSS_S_DEFECTIVE_TOKEN;
803 if (token_flags & CFXAcceptorSubkey)
804 return GSS_S_DEFECTIVE_TOKEN;
807 if (memcmp(token->Filler, "\xff\xff\xff\xff\xff", 5) != 0) {
808 return GSS_S_DEFECTIVE_TOKEN;
812 * Check sequence number
814 _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi);
815 _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo);
817 *minor_status = ERANGE;
818 return GSS_S_UNSEQ_TOKEN;
821 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
822 ret = _gssapi_msg_order_check(context_handle->order, seq_number_lo);
825 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
828 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
833 ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
835 _gsskrb5_set_error_string();
837 return GSS_S_FAILURE;
840 ret = krb5_crypto_get_checksum_type(_gsskrb5_context, crypto,
843 _gsskrb5_set_error_string();
845 krb5_crypto_destroy(_gsskrb5_context, crypto);
846 return GSS_S_FAILURE;
849 cksum.checksum.data = p + sizeof(*token);
850 cksum.checksum.length = token_buffer->length - sizeof(*token);
852 if (context_handle->more_flags & LOCAL) {
853 usage = KRB5_KU_USAGE_ACCEPTOR_SIGN;
855 usage = KRB5_KU_USAGE_INITIATOR_SIGN;
858 buf = malloc(message_buffer->length + sizeof(*token));
860 *minor_status = ENOMEM;
861 krb5_crypto_destroy(_gsskrb5_context, crypto);
862 return GSS_S_FAILURE;
864 memcpy(buf, message_buffer->value, message_buffer->length);
865 memcpy(buf + message_buffer->length, token, sizeof(*token));
867 ret = krb5_verify_checksum(_gsskrb5_context, crypto,
870 sizeof(*token) + message_buffer->length,
872 krb5_crypto_destroy(_gsskrb5_context, crypto);
874 _gsskrb5_set_error_string();
877 return GSS_S_BAD_MIC;
882 if (qop_state != NULL) {
883 *qop_state = GSS_C_QOP_DEFAULT;
886 return GSS_S_COMPLETE;