2
* Copyright (c) 2003, PADL Software Pty Ltd.
5
* Redistribution and use in source and binary forms, with or without
6
* modification, are permitted provided that the following conditions
9
* 1. Redistributions of source code must retain the above copyright
10
* notice, this list of conditions and the following disclaimer.
12
* 2. Redistributions in binary form must reproduce the above copyright
13
* notice, this list of conditions and the following disclaimer in the
14
* documentation and/or other materials provided with the distribution.
16
* 3. Neither the name of PADL Software nor the names of its contributors
17
* may be used to endorse or promote products derived from this software
18
* without specific prior written permission.
20
* THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
21
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23
* ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
24
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33
#include "krb5/gsskrb5_locl.h"
38
* Implementation of draft-ietf-krb-wg-gssapi-cfx-06.txt
41
#define CFXSentByAcceptor (1 << 0)
42
#define CFXSealed (1 << 1)
43
#define CFXAcceptorSubkey (1 << 2)
46
_gsskrb5cfx_wrap_length_cfx(const gsskrb5_ctx context_handle,
51
size_t *output_length,
58
/* 16-byte header is always first */
59
*output_length = sizeof(gss_cfx_wrap_token_desc);
62
ret = krb5_crypto_get_checksum_type(context, crypto, &type);
66
ret = krb5_checksumsize(context, type, cksumsize);
73
/* Header is concatenated with data before encryption */
74
input_length += sizeof(gss_cfx_wrap_token_desc);
76
if (IS_DCE_STYLE(context_handle)) {
77
ret = krb5_crypto_getblocksize(context, crypto, &padsize);
79
ret = krb5_crypto_getpadsize(context, crypto, &padsize);
86
*padlength = padsize - (input_length % padsize);
88
/* We add the pad ourselves (noted here for completeness only) */
89
input_length += *padlength;
92
*output_length += krb5_get_wrapped_length(context,
93
crypto, input_length);
95
/* Checksum is concatenated with data */
96
*output_length += input_length + *cksumsize;
99
assert(*output_length > input_length);
105
_gsskrb5cfx_max_wrap_length_cfx(krb5_context context,
109
OM_uint32 *output_length)
115
/* 16-byte header is always first */
116
if (input_length < 16)
121
size_t wrapped_size, sz;
123
wrapped_size = input_length + 1;
126
sz = krb5_get_wrapped_length(context,
127
crypto, wrapped_size);
128
} while (wrapped_size && sz > input_length);
129
if (wrapped_size == 0) {
135
if (wrapped_size < 16) {
141
*output_length = wrapped_size;
146
ret = krb5_crypto_get_checksum_type(context, crypto, &type);
150
ret = krb5_checksumsize(context, type, &cksumsize);
154
if (input_length < cksumsize)
157
/* Checksum is concatenated with data */
158
*output_length = input_length - cksumsize;
165
OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
166
const gsskrb5_ctx context_handle,
167
krb5_context context,
170
OM_uint32 req_output_size,
171
OM_uint32 *max_input_size,
177
ret = krb5_crypto_init(context, key, 0, &crypto);
180
return GSS_S_FAILURE;
183
ret = _gsskrb5cfx_max_wrap_length_cfx(context, crypto, conf_req_flag,
184
req_output_size, max_input_size);
187
krb5_crypto_destroy(context, crypto);
188
return GSS_S_FAILURE;
191
krb5_crypto_destroy(context, crypto);
193
return GSS_S_COMPLETE;
197
* Rotate "rrc" bytes to the front or back
200
static krb5_error_code
201
rrc_rotate(void *data, size_t len, uint16_t rrc, krb5_boolean unrotate)
203
u_char *tmp, buf[256];
216
if (rrc <= sizeof(buf)) {
225
memcpy(tmp, data, rrc);
226
memmove(data, (u_char *)data + rrc, left);
227
memcpy((u_char *)data + left, tmp, rrc);
229
memcpy(tmp, (u_char *)data + left, rrc);
230
memmove((u_char *)data + rrc, data, left);
231
memcpy(data, tmp, rrc);
234
if (rrc > sizeof(buf))
240
OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
241
const gsskrb5_ctx context_handle,
242
krb5_context context,
245
const gss_buffer_t input_message_buffer,
247
gss_buffer_t output_message_buffer,
251
gss_cfx_wrap_token token;
255
size_t wrapped_len, cksumsize;
256
uint16_t padlength, rrc = 0;
260
ret = krb5_crypto_init(context, key, 0, &crypto);
263
return GSS_S_FAILURE;
266
ret = _gsskrb5cfx_wrap_length_cfx(context_handle, context,
267
crypto, conf_req_flag,
268
input_message_buffer->length,
269
&wrapped_len, &cksumsize, &padlength);
272
krb5_crypto_destroy(context, crypto);
273
return GSS_S_FAILURE;
276
/* Always rotate encrypted token (if any) and checksum to header */
277
rrc = (conf_req_flag ? sizeof(*token) : 0) + (uint16_t)cksumsize;
279
output_message_buffer->length = wrapped_len;
280
output_message_buffer->value = malloc(output_message_buffer->length);
281
if (output_message_buffer->value == NULL) {
282
*minor_status = ENOMEM;
283
krb5_crypto_destroy(context, crypto);
284
return GSS_S_FAILURE;
287
p = output_message_buffer->value;
288
token = (gss_cfx_wrap_token)p;
289
token->TOK_ID[0] = 0x05;
290
token->TOK_ID[1] = 0x04;
292
token->Filler = 0xFF;
293
if ((context_handle->more_flags & LOCAL) == 0)
294
token->Flags |= CFXSentByAcceptor;
295
if (context_handle->more_flags & ACCEPTOR_SUBKEY)
296
token->Flags |= CFXAcceptorSubkey;
299
* In Wrap tokens with confidentiality, the EC field is
300
* used to encode the size (in bytes) of the random filler.
302
token->Flags |= CFXSealed;
303
token->EC[0] = (padlength >> 8) & 0xFF;
304
token->EC[1] = (padlength >> 0) & 0xFF;
307
* In Wrap tokens without confidentiality, the EC field is
308
* used to encode the size (in bytes) of the trailing
311
* This is not used in the checksum calcuation itself,
312
* because the checksum length could potentially vary
313
* depending on the data length.
320
* In Wrap tokens that provide for confidentiality, the RRC
321
* field in the header contains the hex value 00 00 before
324
* In Wrap tokens that do not provide for confidentiality,
325
* both the EC and RRC fields in the appended checksum
326
* contain the hex value 00 00 for the purpose of calculating
332
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
333
krb5_auth_con_getlocalseqnumber(context,
334
context_handle->auth_context,
336
_gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]);
337
_gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
338
krb5_auth_con_setlocalseqnumber(context,
339
context_handle->auth_context,
341
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
344
* If confidentiality is requested, the token header is
345
* appended to the plaintext before encryption; the resulting
346
* token is {"header" | encrypt(plaintext | pad | "header")}.
348
* If no confidentiality is requested, the checksum is
349
* calculated over the plaintext concatenated with the
352
if (context_handle->more_flags & LOCAL) {
353
usage = KRB5_KU_USAGE_INITIATOR_SEAL;
355
usage = KRB5_KU_USAGE_ACCEPTOR_SEAL;
360
* Any necessary padding is added here to ensure that the
361
* encrypted token header is always at the end of the
364
* The specification does not require that the padding
365
* bytes are initialized.
368
memcpy(p, input_message_buffer->value, input_message_buffer->length);
369
memset(p + input_message_buffer->length, 0xFF, padlength);
370
memcpy(p + input_message_buffer->length + padlength,
371
token, sizeof(*token));
373
ret = krb5_encrypt(context, crypto,
375
input_message_buffer->length + padlength +
380
krb5_crypto_destroy(context, crypto);
381
_gsskrb5_release_buffer(minor_status, output_message_buffer);
382
return GSS_S_FAILURE;
384
assert(sizeof(*token) + cipher.length == wrapped_len);
385
token->RRC[0] = (rrc >> 8) & 0xFF;
386
token->RRC[1] = (rrc >> 0) & 0xFF;
389
* this is really ugly, but needed against windows
390
* for DCERPC, as windows rotates by EC+RRC.
392
if (IS_DCE_STYLE(context_handle)) {
393
ret = rrc_rotate(cipher.data, cipher.length, rrc+padlength, FALSE);
395
ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE);
399
krb5_crypto_destroy(context, crypto);
400
_gsskrb5_release_buffer(minor_status, output_message_buffer);
401
return GSS_S_FAILURE;
403
memcpy(p, cipher.data, cipher.length);
404
krb5_data_free(&cipher);
409
buf = malloc(input_message_buffer->length + sizeof(*token));
411
*minor_status = ENOMEM;
412
krb5_crypto_destroy(context, crypto);
413
_gsskrb5_release_buffer(minor_status, output_message_buffer);
414
return GSS_S_FAILURE;
416
memcpy(buf, input_message_buffer->value, input_message_buffer->length);
417
memcpy(buf + input_message_buffer->length, token, sizeof(*token));
419
ret = krb5_create_checksum(context, crypto,
421
input_message_buffer->length +
426
krb5_crypto_destroy(context, crypto);
427
_gsskrb5_release_buffer(minor_status, output_message_buffer);
429
return GSS_S_FAILURE;
434
assert(cksum.checksum.length == cksumsize);
435
token->EC[0] = (cksum.checksum.length >> 8) & 0xFF;
436
token->EC[1] = (cksum.checksum.length >> 0) & 0xFF;
437
token->RRC[0] = (rrc >> 8) & 0xFF;
438
token->RRC[1] = (rrc >> 0) & 0xFF;
441
memcpy(p, input_message_buffer->value, input_message_buffer->length);
442
memcpy(p + input_message_buffer->length,
443
cksum.checksum.data, cksum.checksum.length);
446
input_message_buffer->length + cksum.checksum.length, rrc, FALSE);
449
krb5_crypto_destroy(context, crypto);
450
_gsskrb5_release_buffer(minor_status, output_message_buffer);
451
free_Checksum(&cksum);
452
return GSS_S_FAILURE;
454
free_Checksum(&cksum);
457
krb5_crypto_destroy(context, crypto);
459
if (conf_state != NULL) {
460
*conf_state = conf_req_flag;
464
return GSS_S_COMPLETE;
467
OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
468
const gsskrb5_ctx context_handle,
469
krb5_context context,
470
const gss_buffer_t input_message_buffer,
471
gss_buffer_t output_message_buffer,
473
gss_qop_t *qop_state,
477
gss_cfx_wrap_token token;
483
OM_uint32 seq_number_lo, seq_number_hi;
489
if (input_message_buffer->length < sizeof(*token)) {
490
return GSS_S_DEFECTIVE_TOKEN;
493
p = input_message_buffer->value;
495
token = (gss_cfx_wrap_token)p;
497
if (token->TOK_ID[0] != 0x05 || token->TOK_ID[1] != 0x04) {
498
return GSS_S_DEFECTIVE_TOKEN;
501
/* Ignore unknown flags */
502
token_flags = token->Flags &
503
(CFXSentByAcceptor | CFXSealed | CFXAcceptorSubkey);
505
if (token_flags & CFXSentByAcceptor) {
506
if ((context_handle->more_flags & LOCAL) == 0)
507
return GSS_S_DEFECTIVE_TOKEN;
510
if (context_handle->more_flags & ACCEPTOR_SUBKEY) {
511
if ((token_flags & CFXAcceptorSubkey) == 0)
512
return GSS_S_DEFECTIVE_TOKEN;
514
if (token_flags & CFXAcceptorSubkey)
515
return GSS_S_DEFECTIVE_TOKEN;
518
if (token->Filler != 0xFF) {
519
return GSS_S_DEFECTIVE_TOKEN;
522
if (conf_state != NULL) {
523
*conf_state = (token_flags & CFXSealed) ? 1 : 0;
526
ec = (token->EC[0] << 8) | token->EC[1];
527
rrc = (token->RRC[0] << 8) | token->RRC[1];
530
* Check sequence number
532
_gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi);
533
_gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo);
535
/* no support for 64-bit sequence numbers */
536
*minor_status = ERANGE;
537
return GSS_S_UNSEQ_TOKEN;
540
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
541
ret = _gssapi_msg_order_check(context_handle->order, seq_number_lo);
544
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
545
_gsskrb5_release_buffer(minor_status, output_message_buffer);
548
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
551
* Decrypt and/or verify checksum
553
ret = krb5_crypto_init(context, key, 0, &crypto);
556
return GSS_S_FAILURE;
559
if (context_handle->more_flags & LOCAL) {
560
usage = KRB5_KU_USAGE_ACCEPTOR_SEAL;
562
usage = KRB5_KU_USAGE_INITIATOR_SEAL;
566
len = input_message_buffer->length;
567
len -= (p - (u_char *)input_message_buffer->value);
569
if (token_flags & CFXSealed) {
571
* this is really ugly, but needed against windows
572
* for DCERPC, as windows rotates by EC+RRC.
574
if (IS_DCE_STYLE(context_handle)) {
575
*minor_status = rrc_rotate(p, len, rrc+ec, TRUE);
577
*minor_status = rrc_rotate(p, len, rrc, TRUE);
579
if (*minor_status != 0) {
580
krb5_crypto_destroy(context, crypto);
581
return GSS_S_FAILURE;
584
ret = krb5_decrypt(context, crypto, usage,
588
krb5_crypto_destroy(context, crypto);
589
return GSS_S_BAD_MIC;
592
/* Check that there is room for the pad and token header */
593
if (data.length < ec + sizeof(*token)) {
594
krb5_crypto_destroy(context, crypto);
595
krb5_data_free(&data);
596
return GSS_S_DEFECTIVE_TOKEN;
599
p += data.length - sizeof(*token);
601
/* RRC is unprotected; don't modify input buffer */
602
((gss_cfx_wrap_token)p)->RRC[0] = token->RRC[0];
603
((gss_cfx_wrap_token)p)->RRC[1] = token->RRC[1];
605
/* Check the integrity of the header */
606
if (memcmp(p, token, sizeof(*token)) != 0) {
607
krb5_crypto_destroy(context, crypto);
608
krb5_data_free(&data);
609
return GSS_S_BAD_MIC;
612
output_message_buffer->value = data.data;
613
output_message_buffer->length = data.length - ec - sizeof(*token);
617
/* Rotate by RRC; bogus to do this in-place XXX */
618
*minor_status = rrc_rotate(p, len, rrc, TRUE);
619
if (*minor_status != 0) {
620
krb5_crypto_destroy(context, crypto);
621
return GSS_S_FAILURE;
624
/* Determine checksum type */
625
ret = krb5_crypto_get_checksum_type(context,
626
crypto, &cksum.cksumtype);
629
krb5_crypto_destroy(context, crypto);
630
return GSS_S_FAILURE;
633
cksum.checksum.length = ec;
635
/* Check we have at least as much data as the checksum */
636
if (len < cksum.checksum.length) {
637
*minor_status = ERANGE;
638
krb5_crypto_destroy(context, crypto);
639
return GSS_S_BAD_MIC;
642
/* Length now is of the plaintext only, no checksum */
643
len -= cksum.checksum.length;
644
cksum.checksum.data = p + len;
646
output_message_buffer->length = len; /* for later */
647
output_message_buffer->value = malloc(len + sizeof(*token));
648
if (output_message_buffer->value == NULL) {
649
*minor_status = ENOMEM;
650
krb5_crypto_destroy(context, crypto);
651
return GSS_S_FAILURE;
654
/* Checksum is over (plaintext-data | "header") */
655
memcpy(output_message_buffer->value, p, len);
656
memcpy((u_char *)output_message_buffer->value + len,
657
token, sizeof(*token));
659
/* EC is not included in checksum calculation */
660
token = (gss_cfx_wrap_token)((u_char *)output_message_buffer->value +
667
ret = krb5_verify_checksum(context, crypto,
669
output_message_buffer->value,
670
len + sizeof(*token),
674
krb5_crypto_destroy(context, crypto);
675
_gsskrb5_release_buffer(minor_status, output_message_buffer);
676
return GSS_S_BAD_MIC;
680
krb5_crypto_destroy(context, crypto);
682
if (qop_state != NULL) {
683
*qop_state = GSS_C_QOP_DEFAULT;
687
return GSS_S_COMPLETE;
690
OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
691
const gsskrb5_ctx context_handle,
692
krb5_context context,
694
const gss_buffer_t message_buffer,
695
gss_buffer_t message_token,
699
gss_cfx_mic_token token;
707
ret = krb5_crypto_init(context, key, 0, &crypto);
710
return GSS_S_FAILURE;
713
len = message_buffer->length + sizeof(*token);
716
*minor_status = ENOMEM;
717
krb5_crypto_destroy(context, crypto);
718
return GSS_S_FAILURE;
721
memcpy(buf, message_buffer->value, message_buffer->length);
723
token = (gss_cfx_mic_token)(buf + message_buffer->length);
724
token->TOK_ID[0] = 0x04;
725
token->TOK_ID[1] = 0x04;
727
if ((context_handle->more_flags & LOCAL) == 0)
728
token->Flags |= CFXSentByAcceptor;
729
if (context_handle->more_flags & ACCEPTOR_SUBKEY)
730
token->Flags |= CFXAcceptorSubkey;
731
memset(token->Filler, 0xFF, 5);
733
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
734
krb5_auth_con_getlocalseqnumber(context,
735
context_handle->auth_context,
737
_gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]);
738
_gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
739
krb5_auth_con_setlocalseqnumber(context,
740
context_handle->auth_context,
742
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
744
if (context_handle->more_flags & LOCAL) {
745
usage = KRB5_KU_USAGE_INITIATOR_SIGN;
747
usage = KRB5_KU_USAGE_ACCEPTOR_SIGN;
750
ret = krb5_create_checksum(context, crypto,
751
usage, 0, buf, len, &cksum);
754
krb5_crypto_destroy(context, crypto);
756
return GSS_S_FAILURE;
758
krb5_crypto_destroy(context, crypto);
760
/* Determine MIC length */
761
message_token->length = sizeof(*token) + cksum.checksum.length;
762
message_token->value = malloc(message_token->length);
763
if (message_token->value == NULL) {
764
*minor_status = ENOMEM;
765
free_Checksum(&cksum);
767
return GSS_S_FAILURE;
770
/* Token is { "header" | get_mic("header" | plaintext-data) } */
771
memcpy(message_token->value, token, sizeof(*token));
772
memcpy((u_char *)message_token->value + sizeof(*token),
773
cksum.checksum.data, cksum.checksum.length);
775
free_Checksum(&cksum);
779
return GSS_S_COMPLETE;
782
OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
783
const gsskrb5_ctx context_handle,
784
krb5_context context,
785
const gss_buffer_t message_buffer,
786
const gss_buffer_t token_buffer,
787
gss_qop_t *qop_state,
791
gss_cfx_mic_token token;
795
OM_uint32 seq_number_lo, seq_number_hi;
801
if (token_buffer->length < sizeof(*token)) {
802
return GSS_S_DEFECTIVE_TOKEN;
805
p = token_buffer->value;
807
token = (gss_cfx_mic_token)p;
809
if (token->TOK_ID[0] != 0x04 || token->TOK_ID[1] != 0x04) {
810
return GSS_S_DEFECTIVE_TOKEN;
813
/* Ignore unknown flags */
814
token_flags = token->Flags & (CFXSentByAcceptor | CFXAcceptorSubkey);
816
if (token_flags & CFXSentByAcceptor) {
817
if ((context_handle->more_flags & LOCAL) == 0)
818
return GSS_S_DEFECTIVE_TOKEN;
820
if (context_handle->more_flags & ACCEPTOR_SUBKEY) {
821
if ((token_flags & CFXAcceptorSubkey) == 0)
822
return GSS_S_DEFECTIVE_TOKEN;
824
if (token_flags & CFXAcceptorSubkey)
825
return GSS_S_DEFECTIVE_TOKEN;
828
if (memcmp(token->Filler, "\xff\xff\xff\xff\xff", 5) != 0) {
829
return GSS_S_DEFECTIVE_TOKEN;
833
* Check sequence number
835
_gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi);
836
_gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo);
838
*minor_status = ERANGE;
839
return GSS_S_UNSEQ_TOKEN;
842
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
843
ret = _gssapi_msg_order_check(context_handle->order, seq_number_lo);
846
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
849
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
854
ret = krb5_crypto_init(context, key, 0, &crypto);
857
return GSS_S_FAILURE;
860
ret = krb5_crypto_get_checksum_type(context, crypto,
864
krb5_crypto_destroy(context, crypto);
865
return GSS_S_FAILURE;
868
cksum.checksum.data = p + sizeof(*token);
869
cksum.checksum.length = token_buffer->length - sizeof(*token);
871
if (context_handle->more_flags & LOCAL) {
872
usage = KRB5_KU_USAGE_ACCEPTOR_SIGN;
874
usage = KRB5_KU_USAGE_INITIATOR_SIGN;
877
buf = malloc(message_buffer->length + sizeof(*token));
879
*minor_status = ENOMEM;
880
krb5_crypto_destroy(context, crypto);
881
return GSS_S_FAILURE;
883
memcpy(buf, message_buffer->value, message_buffer->length);
884
memcpy(buf + message_buffer->length, token, sizeof(*token));
886
ret = krb5_verify_checksum(context, crypto,
889
sizeof(*token) + message_buffer->length,
891
krb5_crypto_destroy(context, crypto);
895
return GSS_S_BAD_MIC;
900
if (qop_state != NULL) {
901
*qop_state = GSS_C_QOP_DEFAULT;
904
return GSS_S_COMPLETE;