xref: /netbsd-src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/arcfour.c (revision afab4e300d3a9fb07dd8c80daf53d0feb3345706)

/*	$NetBSD: arcfour.c,v 1.6 2023/06/19 21:41:43 christos Exp $	*/

/*
 * Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include "gsskrb5_locl.h"

/*
 * Implements draft-brezak-win2k-krb-rc4-hmac-04.txt
 *
 * The arcfour message have the following formats:
 *
 * MIC token
 * 	TOK_ID[2] = 01 01
 *	SGN_ALG[2] = 11 00
 *	Filler[4]
 *	SND_SEQ[8]
 *	SGN_CKSUM[8]
 *
 * WRAP token
 *	TOK_ID[2] = 02 01
 *	SGN_ALG[2];
 *	SEAL_ALG[2]
 *	Filler[2]
 *	SND_SEQ[2]
 *	SGN_CKSUM[8]
 *	Confounder[8]
 */

/*
 * WRAP in DCE-style have a fixed size header, the oid and length over
 * the WRAP header is a total of
 * GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE +
 * GSS_ARCFOUR_WRAP_TOKEN_SIZE byte (ie total of 45 bytes overhead,
 * remember the 2 bytes from APPL [0] SEQ).
 */

#define GSS_ARCFOUR_WRAP_TOKEN_SIZE 32
#define GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE 13


static krb5_error_code
arcfour_mic_key(krb5_context context, krb5_keyblock *key,
		const void *cksum_data, size_t cksum_size,
		void *key6_data, size_t key6_size)
{
    krb5_error_code ret;

    Checksum cksum_k5;
    krb5_keyblock key5;
    char k5_data[16];

    Checksum cksum_k6;

    char T[4];

    memset(T, 0, 4);
    cksum_k5.checksum.data = k5_data;
    cksum_k5.checksum.length = sizeof(k5_data);

    if (key->keytype == KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56) {
	char L40[14] = "fortybits";

	memcpy(L40 + 10, T, sizeof(T));
	ret = krb5_hmac(context, CKSUMTYPE_RSA_MD5,
			L40, 14, 0, key, &cksum_k5);
	memset(&k5_data[7], 0xAB, 9);
    } else {
	ret = krb5_hmac(context, CKSUMTYPE_RSA_MD5,
			T, 4, 0, key, &cksum_k5);
    }
    if (ret)
	return ret;

    key5.keytype = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5;
    key5.keyvalue = cksum_k5.checksum;

    cksum_k6.checksum.data = key6_data;
    cksum_k6.checksum.length = key6_size;

    return krb5_hmac(context, CKSUMTYPE_RSA_MD5,
		     cksum_data, cksum_size, 0, &key5, &cksum_k6);
}


static krb5_error_code
arcfour_mic_cksum_iov(krb5_context context,
		      krb5_keyblock *key, unsigned usage,
		      u_char *sgn_cksum, size_t sgn_cksum_sz,
		      const u_char *v1, size_t l1,
		      const void *v2, size_t l2,
		      const gss_iov_buffer_desc *iov,
		      int iov_count,
		      const gss_iov_buffer_desc *padding)
{
    Checksum CKSUM;
    u_char *ptr;
    size_t len;
    size_t ofs = 0;
    int i;
    krb5_crypto crypto;
    krb5_error_code ret;

    assert(sgn_cksum_sz == 8);

    len = l1 + l2;

    for (i=0; i < iov_count; i++) {
	switch (GSS_IOV_BUFFER_TYPE(iov[i].type)) {
	case GSS_IOV_BUFFER_TYPE_DATA:
	case GSS_IOV_BUFFER_TYPE_SIGN_ONLY:
	    break;
	default:
	    continue;
	}

	len += iov[i].buffer.length;
    }

    if (padding) {
	len += padding->buffer.length;
    }

    ptr = malloc(len);
    if (ptr == NULL)
	return ENOMEM;

    memcpy(ptr + ofs, v1, l1);
    ofs += l1;
    memcpy(ptr + ofs, v2, l2);
    ofs += l2;

    for (i=0; i < iov_count; i++) {
	switch (GSS_IOV_BUFFER_TYPE(iov[i].type)) {
	case GSS_IOV_BUFFER_TYPE_DATA:
	case GSS_IOV_BUFFER_TYPE_SIGN_ONLY:
	    break;
	default:
	    continue;
	}

	memcpy(ptr + ofs,
	       iov[i].buffer.value,
	       iov[i].buffer.length);
	ofs += iov[i].buffer.length;
    }

    if (padding) {
	memcpy(ptr + ofs,
	       padding->buffer.value,
	       padding->buffer.length);
	/* ofs += padding->buffer.length; */
    }

    ret = krb5_crypto_init(context, key, 0, &crypto);
    if (ret) {
	free(ptr);
	return ret;
    }

    ret = krb5_create_checksum(context,
			       crypto,
			       usage,
			       0,
			       ptr, len,
			       &CKSUM);
    memset(ptr, 0, len);
    free(ptr);
    if (ret == 0) {
	memcpy(sgn_cksum, CKSUM.checksum.data, sgn_cksum_sz);
	free_Checksum(&CKSUM);
    }
    krb5_crypto_destroy(context, crypto);

    return ret;
}

static krb5_error_code
arcfour_mic_cksum(krb5_context context,
		  krb5_keyblock *key, unsigned usage,
		  u_char *sgn_cksum, size_t sgn_cksum_sz,
		  const u_char *v1, size_t l1,
		  const void *v2, size_t l2,
		  const void *v3, size_t l3)
{
    gss_iov_buffer_desc iov;

    iov.type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
    iov.buffer.value = rk_UNCONST(v3);
    iov.buffer.length = l3;

    return arcfour_mic_cksum_iov(context, key, usage,
				 sgn_cksum, sgn_cksum_sz,
				 v1, l1, v2, l2,
				 &iov, 1, NULL);
}


OM_uint32
_gssapi_get_mic_arcfour(OM_uint32 * minor_status,
			const gsskrb5_ctx context_handle,
			krb5_context context,
			gss_qop_t qop_req,
			const gss_buffer_t message_buffer,
			gss_buffer_t message_token,
			krb5_keyblock *key)
{
    krb5_error_code ret;
    int32_t seq_number;
    size_t len, total_len;
    u_char k6_data[16], *p0, *p;
    EVP_CIPHER_CTX *rc4_key;

    _gsskrb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM);

    message_token->length = total_len;
    message_token->value  = malloc (total_len);
    if (message_token->value == NULL) {
	*minor_status = ENOMEM;
	return GSS_S_FAILURE;
    }

    p0 = _gssapi_make_mech_header(message_token->value,
				  len,
				  GSS_KRB5_MECHANISM);
    p = p0;

    *p++ = 0x01; /* TOK_ID */
    *p++ = 0x01;
    *p++ = 0x11; /* SGN_ALG */
    *p++ = 0x00;
    *p++ = 0xff; /* Filler */
    *p++ = 0xff;
    *p++ = 0xff;
    *p++ = 0xff;

    p = NULL;

    ret = arcfour_mic_cksum(context,
			    key, KRB5_KU_USAGE_SIGN,
			    p0 + 16, 8,  /* SGN_CKSUM */
			    p0, 8, /* TOK_ID, SGN_ALG, Filer */
			    message_buffer->value, message_buffer->length,
			    NULL, 0);
    if (ret) {
	_gsskrb5_release_buffer(minor_status, message_token);
	*minor_status = ret;
	return GSS_S_FAILURE;
    }

    ret = arcfour_mic_key(context, key,
			  p0 + 16, 8, /* SGN_CKSUM */
			  k6_data, sizeof(k6_data));
    if (ret) {
	_gsskrb5_release_buffer(minor_status, message_token);
	*minor_status = ret;
	return GSS_S_FAILURE;
    }

    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
    krb5_auth_con_getlocalseqnumber (context,
				     context_handle->auth_context,
				     &seq_number);
    p = p0 + 8; /* SND_SEQ */
    _gsskrb5_encode_be_om_uint32(seq_number, p);

    krb5_auth_con_setlocalseqnumber (context,
				     context_handle->auth_context,
				     ++seq_number);
    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);

    memset (p + 4, (context_handle->more_flags & LOCAL) ? 0 : 0xff, 4);

#if OPENSSL_VERSION_NUMBER < 0x10100000UL
    EVP_CIPHER_CTX rc4_keys;
    rc4_key = &rc4_keys;
    EVP_CIPHER_CTX_init(rc4_key);
#else
    rc4_key = EVP_CIPHER_CTX_new();
#endif
    if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) {
	*minor_status = EINVAL;
	return GSS_S_FAILURE;
    }

    EVP_Cipher(rc4_key, p, p, 8);
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
    EVP_CIPHER_CTX_cleanup(rc4_key);
#else
    EVP_CIPHER_CTX_free(rc4_key);
#endif

    memset_s(k6_data, sizeof(k6_data), 0, sizeof(k6_data));

    *minor_status = 0;
    return GSS_S_COMPLETE;
}


OM_uint32
_gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
			   const gsskrb5_ctx context_handle,
			   krb5_context context,
			   const gss_buffer_t message_buffer,
			   const gss_buffer_t token_buffer,
			   gss_qop_t * qop_state,
			   krb5_keyblock *key,
			   const char *type)
{
    krb5_error_code ret;
    uint32_t seq_number;
    OM_uint32 omret;
    u_char SND_SEQ[8], cksum_data[8], *p;
    char k6_data[16];
    int cmp;

    if (qop_state)
	*qop_state = 0;

    p = token_buffer->value;
    omret = _gsskrb5_verify_header (&p,
				       token_buffer->length,
				       type,
				       GSS_KRB5_MECHANISM);
    if (omret)
	return omret;

    if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */
	return GSS_S_BAD_SIG;
    p += 2;
    if (memcmp (p, "\xff\xff\xff\xff", 4) != 0)
	return GSS_S_BAD_MIC;
    p += 4;

    ret = arcfour_mic_cksum(context,
			    key, KRB5_KU_USAGE_SIGN,
			    cksum_data, sizeof(cksum_data),
			    p - 8, 8,
			    message_buffer->value, message_buffer->length,
			    NULL, 0);
    if (ret) {
	*minor_status = ret;
	return GSS_S_FAILURE;
    }

    ret = arcfour_mic_key(context, key,
			  cksum_data, sizeof(cksum_data),
			  k6_data, sizeof(k6_data));
    if (ret) {
	*minor_status = ret;
	return GSS_S_FAILURE;
    }

    cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
    if (cmp) {
	*minor_status = 0;
	return GSS_S_BAD_MIC;
    }

    {
	EVP_CIPHER_CTX *rc4_key;
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
	EVP_CIPHER_CTX rc4_keys;
	rc4_key = &rc4_keys;
	EVP_CIPHER_CTX_init(rc4_key);
#else
	rc4_key = EVP_CIPHER_CTX_new();
#endif

	if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, (void *)k6_data, NULL,
	    0)) {
	    *minor_status = EINVAL;
	    return GSS_S_FAILURE;
	}
	EVP_Cipher(rc4_key, SND_SEQ, p, 8);
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
	EVP_CIPHER_CTX_cleanup(rc4_key);
#else
	EVP_CIPHER_CTX_free(rc4_key);
#endif

	memset_s(k6_data, sizeof(k6_data), 0, sizeof(k6_data));
    }

    _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);

    if (context_handle->more_flags & LOCAL)
	cmp = (ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
    else
	cmp = (ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4) != 0);

    memset_s(SND_SEQ, sizeof(SND_SEQ), 0, sizeof(SND_SEQ));
    if (cmp != 0) {
	*minor_status = 0;
	return GSS_S_BAD_MIC;
    }

    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
    omret = _gssapi_msg_order_check(context_handle->order, seq_number);
    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
    if (omret)
	return omret;

    *minor_status = 0;
    return GSS_S_COMPLETE;
}

OM_uint32
_gssapi_wrap_arcfour(OM_uint32 * minor_status,
		     const gsskrb5_ctx context_handle,
		     krb5_context context,
		     int conf_req_flag,
		     gss_qop_t qop_req,
		     const gss_buffer_t input_message_buffer,
		     int * conf_state,
		     gss_buffer_t output_message_buffer,
		     krb5_keyblock *key)
{
    u_char Klocaldata[16], k6_data[16], *p, *p0;
    size_t len, total_len, datalen;
    krb5_keyblock Klocal;
    krb5_error_code ret;
    int32_t seq_number;

    if (conf_state)
	*conf_state = 0;

    datalen = input_message_buffer->length;

    if (IS_DCE_STYLE(context_handle)) {
	len = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
	_gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
	total_len += datalen;
    } else {
	datalen += 1; /* padding */
	len = datalen + GSS_ARCFOUR_WRAP_TOKEN_SIZE;
	_gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
    }

    output_message_buffer->length = total_len;
    output_message_buffer->value  = malloc (total_len);
    if (output_message_buffer->value == NULL) {
	*minor_status = ENOMEM;
	return GSS_S_FAILURE;
    }

    p0 = _gssapi_make_mech_header(output_message_buffer->value,
				  len,
				  GSS_KRB5_MECHANISM);
    p = p0;

    *p++ = 0x02; /* TOK_ID */
    *p++ = 0x01;
    *p++ = 0x11; /* SGN_ALG */
    *p++ = 0x00;
    if (conf_req_flag) {
	*p++ = 0x10; /* SEAL_ALG */
	*p++ = 0x00;
    } else {
	*p++ = 0xff; /* SEAL_ALG */
	*p++ = 0xff;
    }
    *p++ = 0xff; /* Filler */
    *p++ = 0xff;

    p = NULL;

    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
    krb5_auth_con_getlocalseqnumber (context,
				     context_handle->auth_context,
				     &seq_number);

    _gsskrb5_encode_be_om_uint32(seq_number, p0 + 8);

    krb5_auth_con_setlocalseqnumber (context,
				     context_handle->auth_context,
				     ++seq_number);
    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);

    memset (p0 + 8 + 4,
	    (context_handle->more_flags & LOCAL) ? 0 : 0xff,
	    4);

    krb5_generate_random_block(p0 + 24, 8); /* fill in Confounder */

    /* p points to data */
    p = p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE;
    memcpy(p, input_message_buffer->value, input_message_buffer->length);

    if (!IS_DCE_STYLE(context_handle))
	p[input_message_buffer->length] = 1; /* padding */

    ret = arcfour_mic_cksum(context,
			    key, KRB5_KU_USAGE_SEAL,
			    p0 + 16, 8, /* SGN_CKSUM */
			    p0, 8, /* TOK_ID, SGN_ALG, SEAL_ALG, Filler */
			    p0 + 24, 8, /* Confounder */
			    p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE,
			    datalen);
    if (ret) {
	*minor_status = ret;
	_gsskrb5_release_buffer(minor_status, output_message_buffer);
	return GSS_S_FAILURE;
    }

    {
	int i;

	Klocal.keytype = key->keytype;
	Klocal.keyvalue.data = Klocaldata;
	Klocal.keyvalue.length = sizeof(Klocaldata);

	for (i = 0; i < 16; i++)
	    Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0;
    }
    ret = arcfour_mic_key(context, &Klocal,
			  p0 + 8, 4, /* SND_SEQ */
			  k6_data, sizeof(k6_data));
    memset_s(Klocaldata, sizeof(Klocaldata), 0, sizeof(Klocaldata));
    if (ret) {
	_gsskrb5_release_buffer(minor_status, output_message_buffer);
	*minor_status = ret;
	return GSS_S_FAILURE;
    }


    if(conf_req_flag) {
	EVP_CIPHER_CTX *rc4_key;
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
	EVP_CIPHER_CTX rc4_keys;
	rc4_key = &rc4_keys;
	EVP_CIPHER_CTX_init(rc4_key);
#else
	rc4_key = EVP_CIPHER_CTX_new();
#endif

	EVP_CIPHER_CTX_init(rc4_key);
	if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) {
	    *minor_status = EINVAL;
	    return GSS_S_FAILURE;
	}
	EVP_Cipher(rc4_key, p0 + 24, p0 + 24, 8 + datalen);
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
	EVP_CIPHER_CTX_cleanup(rc4_key);
#else
	EVP_CIPHER_CTX_free(rc4_key);
#endif
    }
    memset_s(k6_data, sizeof(k6_data), 0, sizeof(k6_data));

    ret = arcfour_mic_key(context, key,
			  p0 + 16, 8, /* SGN_CKSUM */
			  k6_data, sizeof(k6_data));
    if (ret) {
	_gsskrb5_release_buffer(minor_status, output_message_buffer);
	*minor_status = ret;
	return GSS_S_FAILURE;
    }

    {
	EVP_CIPHER_CTX *rc4_key;
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
	EVP_CIPHER_CTX rc4_keys;
	rc4_key = &rc4_keys;
	EVP_CIPHER_CTX_init(rc4_key);
#else
	rc4_key = EVP_CIPHER_CTX_new();
#endif

	if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) {
	    *minor_status = EINVAL;
	    return GSS_S_FAILURE;
	}
	EVP_Cipher(rc4_key, p0 + 8, p0 + 8 /* SND_SEQ */, 8);
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
	EVP_CIPHER_CTX_cleanup(rc4_key);
#else
	EVP_CIPHER_CTX_free(rc4_key);
#endif
	memset_s(k6_data, sizeof(k6_data), 0, sizeof(k6_data));
    }

    if (conf_state)
	*conf_state = conf_req_flag;

    *minor_status = 0;
    return GSS_S_COMPLETE;
}

OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
				 const gsskrb5_ctx context_handle,
				 krb5_context context,
				 const gss_buffer_t input_message_buffer,
				 gss_buffer_t output_message_buffer,
				 int *conf_state,
				 gss_qop_t *qop_state,
				 krb5_keyblock *key)
{
    u_char Klocaldata[16];
    krb5_keyblock Klocal;
    krb5_error_code ret;
    uint32_t seq_number;
    size_t datalen;
    OM_uint32 omret;
    u_char k6_data[16], SND_SEQ[8], Confounder[8];
    u_char cksum_data[8];
    u_char *p, *p0;
    int cmp;
    int conf_flag;
    size_t padlen = 0, len;

    if (conf_state)
	*conf_state = 0;
    if (qop_state)
	*qop_state = 0;

    p0 = input_message_buffer->value;

    if (IS_DCE_STYLE(context_handle)) {
	len = GSS_ARCFOUR_WRAP_TOKEN_SIZE +
	    GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE;
	if (input_message_buffer->length < len)
	    return GSS_S_BAD_MECH;
    } else {
	len = input_message_buffer->length;
    }

    omret = _gssapi_verify_mech_header(&p0,
				       len,
				       GSS_KRB5_MECHANISM);
    if (omret)
	return omret;

    /* length of mech header */
    len = (p0 - (u_char *)input_message_buffer->value) +
	GSS_ARCFOUR_WRAP_TOKEN_SIZE;

    if (len > input_message_buffer->length)
	return GSS_S_BAD_MECH;

    /* length of data */
    datalen = input_message_buffer->length - len;

    p = p0;

    if (memcmp(p, "\x02\x01", 2) != 0)
	return GSS_S_BAD_SIG;
    p += 2;
    if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */
	return GSS_S_BAD_SIG;
    p += 2;

    if (memcmp (p, "\x10\x00", 2) == 0)
	conf_flag = 1;
    else if (memcmp (p, "\xff\xff", 2) == 0)
	conf_flag = 0;
    else
	return GSS_S_BAD_SIG;

    p += 2;
    if (memcmp (p, "\xff\xff", 2) != 0)
	return GSS_S_BAD_MIC;
    p = NULL;

    ret = arcfour_mic_key(context, key,
			  p0 + 16, 8, /* SGN_CKSUM */
			  k6_data, sizeof(k6_data));
    if (ret) {
	*minor_status = ret;
	return GSS_S_FAILURE;
    }

    {
	EVP_CIPHER_CTX *rc4_key;
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
	EVP_CIPHER_CTX rc4_keys;
	rc4_key = &rc4_keys;
	EVP_CIPHER_CTX_init(rc4_key);
#else
	rc4_key = EVP_CIPHER_CTX_new();
#endif

	if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) {
	    *minor_status = EINVAL;
	    return GSS_S_FAILURE;
	}
	EVP_Cipher(rc4_key, SND_SEQ, p0 + 8, 8);
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
	EVP_CIPHER_CTX_cleanup(rc4_key);
#else
	EVP_CIPHER_CTX_free(rc4_key);
#endif
	memset_s(k6_data, sizeof(k6_data), 0, sizeof(k6_data));
    }

    _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);

    if (context_handle->more_flags & LOCAL)
	cmp = (ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
    else
	cmp = (ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4) != 0);

    if (cmp != 0) {
	*minor_status = 0;
	return GSS_S_BAD_MIC;
    }

    {
	int i;

	Klocal.keytype = key->keytype;
	Klocal.keyvalue.data = Klocaldata;
	Klocal.keyvalue.length = sizeof(Klocaldata);

	for (i = 0; i < 16; i++)
	    Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0;
    }
    ret = arcfour_mic_key(context, &Klocal,
			  SND_SEQ, 4,
			  k6_data, sizeof(k6_data));
    memset_s(Klocaldata, sizeof(Klocaldata), 0, sizeof(Klocaldata));
    if (ret) {
	*minor_status = ret;
	return GSS_S_FAILURE;
    }

    output_message_buffer->value = malloc(datalen);
    if (output_message_buffer->value == NULL) {
	*minor_status = ENOMEM;
	return GSS_S_FAILURE;
    }
    output_message_buffer->length = datalen;

    if(conf_flag) {
	EVP_CIPHER_CTX *rc4_key;
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
	EVP_CIPHER_CTX rc4_keys;
	rc4_key = &rc4_keys;
	EVP_CIPHER_CTX_init(rc4_key);
#else
	rc4_key = EVP_CIPHER_CTX_new();
#endif
	if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) {
	    *minor_status = EINVAL;
	    return GSS_S_FAILURE;
	}
	EVP_Cipher(rc4_key, Confounder, p0 + 24, 8);
	EVP_Cipher(rc4_key, output_message_buffer->value, p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, datalen);
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
	EVP_CIPHER_CTX_cleanup(rc4_key);
#else
	EVP_CIPHER_CTX_free(rc4_key);
#endif
    } else {
	memcpy(Confounder, p0 + 24, 8); /* Confounder */
	memcpy(output_message_buffer->value,
	       p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE,
	       datalen);
    }
    memset_s(k6_data, sizeof(k6_data), 0, sizeof(k6_data));

    if (!IS_DCE_STYLE(context_handle)) {
	ret = _gssapi_verify_pad(output_message_buffer, datalen, &padlen);
	if (ret) {
	    _gsskrb5_release_buffer(minor_status, output_message_buffer);
	    *minor_status = 0;
	    return ret;
	}
	output_message_buffer->length -= padlen;
    }

    ret = arcfour_mic_cksum(context,
			    key, KRB5_KU_USAGE_SEAL,
			    cksum_data, sizeof(cksum_data),
			    p0, 8,
			    Confounder, sizeof(Confounder),
			    output_message_buffer->value,
			    output_message_buffer->length + padlen);
    if (ret) {
	_gsskrb5_release_buffer(minor_status, output_message_buffer);
	*minor_status = ret;
	return GSS_S_FAILURE;
    }

    cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
    if (cmp) {
	_gsskrb5_release_buffer(minor_status, output_message_buffer);
	*minor_status = 0;
	return GSS_S_BAD_MIC;
    }

    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
    omret = _gssapi_msg_order_check(context_handle->order, seq_number);
    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
    if (omret)
	return omret;

    if (conf_state)
	*conf_state = conf_flag;

    *minor_status = 0;
    return GSS_S_COMPLETE;
}

static OM_uint32
max_wrap_length_arcfour(const gsskrb5_ctx ctx,
			krb5_crypto crypto,
			size_t input_length,
			OM_uint32 *max_input_size)
{
    /*
     * if GSS_C_DCE_STYLE is in use:
     *  - we only need to encapsulate the WRAP token
     * However, since this is a fixed since, we just
     */
    if (IS_DCE_STYLE(ctx)) {
	size_t len, total_len;

	len = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
	_gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);

	if (input_length < len)
	    *max_input_size = 0;
	else
	    *max_input_size = input_length - len;

    } else {
	size_t extrasize = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
	size_t blocksize = 8;
	size_t len, total_len;

	len = 8 + input_length + blocksize + extrasize;

	_gsskrb5_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);

	total_len -= input_length; /* token length */
	if (total_len < input_length) {
	    *max_input_size = (input_length - total_len);
	    (*max_input_size) &= (~(OM_uint32)(blocksize - 1));
	} else {
	    *max_input_size = 0;
	}
    }

    return GSS_S_COMPLETE;
}

OM_uint32
_gssapi_wrap_size_arcfour(OM_uint32 *minor_status,
			  const gsskrb5_ctx ctx,
			  krb5_context context,
			  int conf_req_flag,
			  gss_qop_t qop_req,
			  OM_uint32 req_output_size,
			  OM_uint32 *max_input_size,
			  krb5_keyblock *key)
{
    krb5_error_code ret;
    krb5_crypto crypto;

    ret = krb5_crypto_init(context, key, 0, &crypto);
    if (ret != 0) {
	*minor_status = ret;
	return GSS_S_FAILURE;
    }

    ret = max_wrap_length_arcfour(ctx, crypto,
				  req_output_size, max_input_size);
    if (ret != 0) {
	*minor_status = ret;
	krb5_crypto_destroy(context, crypto);
	return GSS_S_FAILURE;
    }

    krb5_crypto_destroy(context, crypto);

    return GSS_S_COMPLETE;
}

OM_uint32
_gssapi_wrap_iov_length_arcfour(OM_uint32 *minor_status,
				gsskrb5_ctx ctx,
				krb5_context context,
				int conf_req_flag,
				gss_qop_t qop_req,
				int *conf_state,
				gss_iov_buffer_desc *iov,
				int iov_count)
{
    OM_uint32 major_status;
    size_t data_len = 0;
    int i;
    gss_iov_buffer_desc *header = NULL;
    gss_iov_buffer_desc *padding = NULL;
    gss_iov_buffer_desc *trailer = NULL;

    *minor_status = 0;

    for (i = 0; i < iov_count; i++) {
	switch(GSS_IOV_BUFFER_TYPE(iov[i].type)) {
	case GSS_IOV_BUFFER_TYPE_EMPTY:
	    break;
	case GSS_IOV_BUFFER_TYPE_DATA:
	    data_len += iov[i].buffer.length;
	    break;
	case GSS_IOV_BUFFER_TYPE_HEADER:
	    if (header != NULL) {
		*minor_status = EINVAL;
		return GSS_S_FAILURE;
	    }
	    header = &iov[i];
	    break;
	case GSS_IOV_BUFFER_TYPE_TRAILER:
	    if (trailer != NULL) {
		*minor_status = EINVAL;
		return GSS_S_FAILURE;
	    }
	    trailer = &iov[i];
	    break;
	case GSS_IOV_BUFFER_TYPE_PADDING:
	    if (padding != NULL) {
		*minor_status = EINVAL;
		return GSS_S_FAILURE;
	    }
	    padding = &iov[i];
	    break;
	case GSS_IOV_BUFFER_TYPE_SIGN_ONLY:
	    break;
	default:
	    *minor_status = EINVAL;
	    return GSS_S_FAILURE;
	}
    }

    if (header == NULL) {
        *minor_status = EINVAL;
        return GSS_S_FAILURE;
    }

    major_status = _gk_verify_buffers(minor_status, ctx, header,
				      padding, trailer, FALSE);
    if (major_status != GSS_S_COMPLETE) {
	    return major_status;
    }

    if (IS_DCE_STYLE(ctx)) {
	size_t len = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
	size_t total_len;
	_gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
	header->buffer.length = total_len;
    } else {
	size_t len;
	size_t total_len;
	if (padding) {
	    data_len += 1; /* padding */
	}
	len = data_len + GSS_ARCFOUR_WRAP_TOKEN_SIZE;
	_gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
	header->buffer.length = total_len - data_len;
    }

    if (trailer) {
	trailer->buffer.length = 0;
    }

    if (padding) {
	padding->buffer.length = 1;
    }

    return GSS_S_COMPLETE;
}

OM_uint32
_gssapi_wrap_iov_arcfour(OM_uint32 *minor_status,
			 gsskrb5_ctx ctx,
			 krb5_context context,
			 int conf_req_flag,
			 int *conf_state,
			 gss_iov_buffer_desc *iov,
			 int iov_count,
			 krb5_keyblock *key)
{
    OM_uint32 major_status, junk;
    gss_iov_buffer_desc *header, *padding, *trailer;
    krb5_error_code kret;
    int32_t seq_number;
    u_char Klocaldata[16], k6_data[16], *p, *p0;
    size_t make_len = 0;
    size_t header_len = 0;
    size_t data_len = 0;
    krb5_keyblock Klocal;
    int i;

    header = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
    padding = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING);
    trailer = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);

    major_status = _gk_verify_buffers(minor_status, ctx, header,
				      padding, trailer, FALSE);
    if (major_status != GSS_S_COMPLETE) {
	return major_status;
    }

    for (i = 0; i < iov_count; i++) {
	switch (GSS_IOV_BUFFER_TYPE(iov[i].type)) {
	case GSS_IOV_BUFFER_TYPE_DATA:
	    break;
	default:
	    continue;
	}

	data_len += iov[i].buffer.length;
    }

    if (padding) {
	data_len += 1;
    }

    if (IS_DCE_STYLE(ctx)) {
	size_t unwrapped_len;
	unwrapped_len = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
	_gssapi_encap_length(unwrapped_len,
			     &make_len,
			     &header_len,
			     GSS_KRB5_MECHANISM);
    } else {
	size_t unwrapped_len;
	unwrapped_len = GSS_ARCFOUR_WRAP_TOKEN_SIZE + data_len;
	_gssapi_encap_length(unwrapped_len,
			     &make_len,
			     &header_len,
			     GSS_KRB5_MECHANISM);
	header_len -= data_len;
    }

    if (GSS_IOV_BUFFER_FLAGS(header->type) & GSS_IOV_BUFFER_FLAG_ALLOCATE) {
	major_status = _gk_allocate_buffer(minor_status, header,
					   header_len);
	if (major_status != GSS_S_COMPLETE)
	    goto failure;
    } else if (header->buffer.length < header_len) {
	*minor_status = KRB5_BAD_MSIZE;
	major_status = GSS_S_FAILURE;
	goto failure;
    } else {
	header->buffer.length = header_len;
    }

    if (padding) {
	if (GSS_IOV_BUFFER_FLAGS(padding->type) & GSS_IOV_BUFFER_FLAG_ALLOCATE) {
	    major_status = _gk_allocate_buffer(minor_status, padding, 1);
	    if (major_status != GSS_S_COMPLETE)
		goto failure;
	} else if (padding->buffer.length < 1) {
	    *minor_status = KRB5_BAD_MSIZE;
	    major_status = GSS_S_FAILURE;
	    goto failure;
	} else {
	    padding->buffer.length = 1;
	}
	memset(padding->buffer.value, 1, 1);
    }

    if (trailer) {
	trailer->buffer.length = 0;
	trailer->buffer.value = NULL;
    }

    p0 = _gssapi_make_mech_header(header->buffer.value,
				  make_len,
				  GSS_KRB5_MECHANISM);
    p = p0;

    *p++ = 0x02; /* TOK_ID */
    *p++ = 0x01;
    *p++ = 0x11; /* SGN_ALG */
    *p++ = 0x00;
    if (conf_req_flag) {
	*p++ = 0x10; /* SEAL_ALG */
	*p++ = 0x00;
    } else {
	*p++ = 0xff; /* SEAL_ALG */
	*p++ = 0xff;
    }
    *p++ = 0xff; /* Filler */
    *p++ = 0xff;

    p = NULL;

    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
    krb5_auth_con_getlocalseqnumber(context,
				    ctx->auth_context,
				    &seq_number);
    _gsskrb5_encode_be_om_uint32(seq_number, p0 + 8);

    krb5_auth_con_setlocalseqnumber(context,
				    ctx->auth_context,
				    ++seq_number);
    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);

    memset(p0 + 8 + 4,
           (ctx->more_flags & LOCAL) ? 0 : 0xff,
           4);

    krb5_generate_random_block(p0 + 24, 8); /* fill in Confounder */

    /* Sign Data */
    kret = arcfour_mic_cksum_iov(context,
				 key, KRB5_KU_USAGE_SEAL,
				 p0 + 16, 8, /* SGN_CKSUM */
				 p0, 8, /* TOK_ID, SGN_ALG, SEAL_ALG, Filler */
				 p0 + 24, 8, /* Confounder */
				 iov, iov_count, /* Data + SignOnly */
				 padding); /* padding */
    if (kret) {
	*minor_status = kret;
	major_status = GSS_S_FAILURE;
	goto failure;
    }

    Klocal.keytype = key->keytype;
    Klocal.keyvalue.data = Klocaldata;
    Klocal.keyvalue.length = sizeof(Klocaldata);

    for (i = 0; i < 16; i++) {
	Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0;
    }
    kret = arcfour_mic_key(context, &Klocal,
			   p0 + 8, 4, /* SND_SEQ */
			   k6_data, sizeof(k6_data));
    memset_s(Klocaldata, sizeof(Klocaldata), 0, sizeof(Klocaldata));
    if (kret) {
	*minor_status = kret;
	major_status = GSS_S_FAILURE;
	goto failure;
    }

    if (conf_req_flag) {
	EVP_CIPHER_CTX *rc4_key;
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
	EVP_CIPHER_CTX rc4_keys;
	rc4_key = &rc4_keys;
	EVP_CIPHER_CTX_init(rc4_key);
#else
	rc4_key = EVP_CIPHER_CTX_new();
#endif
	if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) {
	    *minor_status = EINVAL;
	    return GSS_S_FAILURE;
	}

	/* Confounder */
	EVP_Cipher(rc4_key, p0 + 24, p0 + 24, 8);

	/* Seal Data */
	for (i=0; i < iov_count; i++) {
	    switch (GSS_IOV_BUFFER_TYPE(iov[i].type)) {
	    case GSS_IOV_BUFFER_TYPE_DATA:
		break;
	    default:
		continue;
	    }

	    EVP_Cipher(rc4_key, iov[i].buffer.value,
		       iov[i].buffer.value, iov[i].buffer.length);
	}

	/* Padding */
	if (padding) {
	    EVP_Cipher(rc4_key, padding->buffer.value,
		       padding->buffer.value, padding->buffer.length);
	}

#if OPENSSL_VERSION_NUMBER < 0x10100000UL
	EVP_CIPHER_CTX_cleanup(rc4_key);
#else
	EVP_CIPHER_CTX_free(rc4_key);
#endif
    }
    memset_s(k6_data, sizeof(k6_data), 0, sizeof(k6_data));

    kret = arcfour_mic_key(context, key,
			   p0 + 16, 8, /* SGN_CKSUM */
			   k6_data, sizeof(k6_data));
    if (kret) {
	*minor_status = kret;
	major_status = GSS_S_FAILURE;
        return major_status;
    }

    {
	EVP_CIPHER_CTX *rc4_key;
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
	EVP_CIPHER_CTX rc4_keys;
	rc4_key = &rc4_keys;
	EVP_CIPHER_CTX_init(rc4_key);
#else
	rc4_key = EVP_CIPHER_CTX_new();
#endif
	if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) {
	    *minor_status = EINVAL;
	    return GSS_S_FAILURE;
	}
	EVP_Cipher(rc4_key, p0 + 8, p0 + 8, 8); /* SND_SEQ */
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
	EVP_CIPHER_CTX_cleanup(rc4_key);
#else
	EVP_CIPHER_CTX_free(rc4_key);
#endif

	memset_s(k6_data, sizeof(k6_data), 0, sizeof(k6_data));
    }

    if (conf_state)
	*conf_state = conf_req_flag;

    *minor_status = 0;
    return GSS_S_COMPLETE;

failure:

    gss_release_iov_buffer(&junk, iov, iov_count);

    return major_status;
}

OM_uint32
_gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status,
			   gsskrb5_ctx ctx,
			   krb5_context context,
			   int *pconf_state,
			   gss_qop_t *pqop_state,
			   gss_iov_buffer_desc *iov,
			   int iov_count,
			   krb5_keyblock *key)
{
    OM_uint32 major_status;
    gss_iov_buffer_desc *header, *padding, *trailer;
    krb5_keyblock Klocal;
    uint8_t Klocaldata[16];
    uint8_t k6_data[16], snd_seq[8], Confounder[8];
    uint8_t cksum_data[8];
    uint8_t *_p = NULL;
    const uint8_t *p, *p0;
    size_t verify_len = 0;
    uint32_t seq_number;
    size_t hlen = 0;
    int conf_state;
    int cmp;
    size_t i;
    krb5_error_code kret;
    OM_uint32 ret;

    if (pconf_state != NULL) {
	*pconf_state = 0;
    }
    if (pqop_state != NULL) {
	*pqop_state = 0;
    }

    header = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
    padding = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING);
    trailer = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);

    /* Check if the packet is correct */
    major_status = _gk_verify_buffers(minor_status,
				      ctx,
				      header,
				      padding,
				      trailer,
				      FALSE); /* behaves as stream cipher */
    if (major_status != GSS_S_COMPLETE) {
	return major_status;
    }

    if (padding != NULL && padding->buffer.length != 1) {
	*minor_status = EINVAL;
	return GSS_S_FAILURE;
    }

    verify_len = header->buffer.length;

    if (!IS_DCE_STYLE(context)) {
	for (i = 0; i < iov_count; i++) {
	    /* length in header also includes data and padding */
	    if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_DATA)
		verify_len += iov[i].buffer.length;
	}

	if (padding)
	    verify_len += padding->buffer.length;
    }

    _p = header->buffer.value;

    ret = _gssapi_verify_mech_header(&_p,
				     verify_len,
				     GSS_KRB5_MECHANISM);
    if (ret) {
	return ret;
    }
    p0 = _p;

    /* length of mech header */
    hlen = (p0 - (uint8_t *)header->buffer.value);
    hlen += GSS_ARCFOUR_WRAP_TOKEN_SIZE;

    if (hlen > header->buffer.length) {
	return GSS_S_BAD_MECH;
    }

    p = p0;

    if (memcmp(p, "\x02\x01", 2) != 0)
	return GSS_S_BAD_SIG;
    p += 2;
    if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */
	return GSS_S_BAD_SIG;
    p += 2;

    if (memcmp (p, "\x10\x00", 2) == 0)
	conf_state = 1;
    else if (memcmp (p, "\xff\xff", 2) == 0)
	conf_state = 0;
    else
	return GSS_S_BAD_SIG;

    p += 2;
    if (memcmp (p, "\xff\xff", 2) != 0)
	return GSS_S_BAD_MIC;
    p = NULL;

    kret = arcfour_mic_key(context,
			   key,
			   p0 + 16, /* SGN_CKSUM */
			   8,       /* SGN_CKSUM_LEN */
			   k6_data,
			   sizeof(k6_data));
    if (kret) {
	*minor_status = kret;
	return GSS_S_FAILURE;
    }

    {
	EVP_CIPHER_CTX *rc4_key;
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
	EVP_CIPHER_CTX rc4_keys;
	rc4_key = &rc4_keys;
	EVP_CIPHER_CTX_init(rc4_key);
#else
	rc4_key = EVP_CIPHER_CTX_new();
#endif

	EVP_CIPHER_CTX_init(rc4_key);
	if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) {
	    *minor_status = EINVAL;
	    return GSS_S_FAILURE;
	}
	EVP_Cipher(rc4_key, snd_seq, p0 + 8, 8); /* SND_SEQ */
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
	EVP_CIPHER_CTX_cleanup(rc4_key);
#else
	EVP_CIPHER_CTX_free(rc4_key);
#endif

	memset_s(k6_data, sizeof(k6_data), 0, sizeof(k6_data));
    }

    _gsskrb5_decode_be_om_uint32(snd_seq, &seq_number);

    if (ctx->more_flags & LOCAL) {
	cmp = (ct_memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4) != 0);
    } else {
	cmp = (ct_memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4) != 0);
    }
    if (cmp != 0) {
	*minor_status = 0;
	return GSS_S_BAD_MIC;
    }

    /* keyblock */
    Klocal.keytype = key->keytype;
    Klocal.keyvalue.data = Klocaldata;
    Klocal.keyvalue.length = sizeof(Klocaldata);

    for (i = 0; i < 16; i++) {
	Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0;
    }

    kret = arcfour_mic_key(context,
			   &Klocal,
			   snd_seq,
			   4,
			   k6_data, sizeof(k6_data));
    memset_s(Klocaldata, sizeof(Klocaldata), 0, sizeof(Klocaldata));
    if (kret) {
	*minor_status = kret;
	return GSS_S_FAILURE;
    }

    if (conf_state == 1) {
	EVP_CIPHER_CTX *rc4_key;
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
	EVP_CIPHER_CTX rc4_keys;
	rc4_key = &rc4_keys;
	EVP_CIPHER_CTX_init(rc4_key);
#else
	rc4_key = EVP_CIPHER_CTX_new();
#endif

	if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) {
	    *minor_status = EINVAL;
	    return GSS_S_FAILURE;
	}

	/* Confounder */
	EVP_Cipher(rc4_key, Confounder, p0 + 24, 8);

	/* Data */
	for (i = 0; i < iov_count; i++) {
	    switch (GSS_IOV_BUFFER_TYPE(iov[i].type)) {
	    case GSS_IOV_BUFFER_TYPE_DATA:
		break;
	    default:
		continue;
	    }

	    EVP_Cipher(rc4_key, iov[i].buffer.value,
		       iov[i].buffer.value, iov[i].buffer.length);
	}

	/* Padding */
	if (padding) {
	    EVP_Cipher(rc4_key, padding->buffer.value,
		       padding->buffer.value, padding->buffer.length);
	}

#if OPENSSL_VERSION_NUMBER < 0x10100000UL
	EVP_CIPHER_CTX_cleanup(rc4_key);
#else
	EVP_CIPHER_CTX_free(rc4_key);
#endif
    } else {
	/* Confounder */
	memcpy(Confounder, p0 + 24, 8);
    }
    memset_s(k6_data, sizeof(k6_data), 0, sizeof(k6_data));

    /* Prepare the buffer for signing */
    kret = arcfour_mic_cksum_iov(context,
				 key, KRB5_KU_USAGE_SEAL,
				 cksum_data, sizeof(cksum_data),
				 p0, 8,
				 Confounder, sizeof(Confounder),
				 iov, iov_count,
				 padding);
    if (kret) {
	*minor_status = kret;
	return GSS_S_FAILURE;
    }

    cmp = memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */
    if (cmp != 0) {
	*minor_status = 0;
	return GSS_S_BAD_MIC;
    }

    if (padding) {
	size_t plen;

	ret = _gssapi_verify_pad(&padding->buffer, 1, &plen);
	if (ret) {
	    *minor_status = 0;
	    return ret;
	}
    }

    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
    ret = _gssapi_msg_order_check(ctx->order, seq_number);
    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
    if (ret != 0) {
	return ret;
    }

    if (pconf_state) {
	*pconf_state = conf_state;
    }

    *minor_status = 0;
    return GSS_S_COMPLETE;
}