2 * Copyright (c) 2003, PADL Software Pty Ltd.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of PADL Software nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 #include "gsskrb5_locl.h"
38 * Implementation of draft-ietf-krb-wg-gssapi-cfx-06.txt
41 #define CFXSentByAcceptor (1 << 0)
42 #define CFXSealed (1 << 1)
43 #define CFXAcceptorSubkey (1 << 2)
46 _gsskrb5cfx_wrap_length_cfx(const gsskrb5_ctx context_handle,
51 size_t *output_length,
58 /* 16-byte header is always first */
59 *output_length = sizeof(gss_cfx_wrap_token_desc);
62 ret = krb5_crypto_get_checksum_type(context, crypto, &type);
66 ret = krb5_checksumsize(context, type, cksumsize);
73 /* Header is concatenated with data before encryption */
74 input_length += sizeof(gss_cfx_wrap_token_desc);
76 if (IS_DCE_STYLE(context_handle)) {
77 ret = krb5_crypto_getblocksize(context, crypto, &padsize);
79 ret = krb5_crypto_getpadsize(context, crypto, &padsize);
86 *padlength = padsize - (input_length % padsize);
88 /* We add the pad ourselves (noted here for completeness only) */
89 input_length += *padlength;
92 *output_length += krb5_get_wrapped_length(context,
93 crypto, input_length);
95 /* Checksum is concatenated with data */
96 *output_length += input_length + *cksumsize;
99 assert(*output_length > input_length);
104 OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
105 const gsskrb5_ctx ctx,
106 krb5_context context,
109 OM_uint32 req_output_size,
110 OM_uint32 *max_input_size)
116 /* 16-byte header is always first */
117 if (req_output_size < 16)
119 req_output_size -= 16;
122 size_t wrapped_size, sz;
124 wrapped_size = req_output_size + 1;
127 sz = krb5_get_wrapped_length(context,
128 ctx->crypto, wrapped_size);
129 } while (wrapped_size && sz > req_output_size);
130 if (wrapped_size == 0)
134 if (wrapped_size < 16)
139 *max_input_size = wrapped_size;
144 ret = krb5_crypto_get_checksum_type(context, ctx->crypto, &type);
148 ret = krb5_checksumsize(context, type, &cksumsize);
152 if (req_output_size < cksumsize)
155 /* Checksum is concatenated with data */
156 *max_input_size = req_output_size - cksumsize;
163 * Rotate "rrc" bytes to the front or back
166 static krb5_error_code
167 rrc_rotate(void *data, size_t len, uint16_t rrc, krb5_boolean unrotate)
169 u_char *tmp, buf[256];
182 if (rrc <= sizeof(buf)) {
191 memcpy(tmp, data, rrc);
192 memmove(data, (u_char *)data + rrc, left);
193 memcpy((u_char *)data + left, tmp, rrc);
195 memcpy(tmp, (u_char *)data + left, rrc);
196 memmove((u_char *)data + rrc, data, left);
197 memcpy(data, tmp, rrc);
200 if (rrc > sizeof(buf))
206 OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
207 const gsskrb5_ctx ctx,
208 krb5_context context,
211 const gss_buffer_t input_message_buffer,
213 gss_buffer_t output_message_buffer)
215 gss_cfx_wrap_token token;
219 size_t wrapped_len, cksumsize;
220 uint16_t padlength, rrc = 0;
224 ret = _gsskrb5cfx_wrap_length_cfx(ctx, context,
225 ctx->crypto, conf_req_flag,
226 input_message_buffer->length,
227 &wrapped_len, &cksumsize, &padlength);
230 return GSS_S_FAILURE;
233 /* Always rotate encrypted token (if any) and checksum to header */
234 rrc = (conf_req_flag ? sizeof(*token) : 0) + (uint16_t)cksumsize;
236 output_message_buffer->length = wrapped_len;
237 output_message_buffer->value = malloc(output_message_buffer->length);
238 if (output_message_buffer->value == NULL) {
239 *minor_status = ENOMEM;
240 return GSS_S_FAILURE;
243 p = output_message_buffer->value;
244 token = (gss_cfx_wrap_token)p;
245 token->TOK_ID[0] = 0x05;
246 token->TOK_ID[1] = 0x04;
248 token->Filler = 0xFF;
249 if ((ctx->more_flags & LOCAL) == 0)
250 token->Flags |= CFXSentByAcceptor;
251 if (ctx->more_flags & ACCEPTOR_SUBKEY)
252 token->Flags |= CFXAcceptorSubkey;
255 * In Wrap tokens with confidentiality, the EC field is
256 * used to encode the size (in bytes) of the random filler.
258 token->Flags |= CFXSealed;
259 token->EC[0] = (padlength >> 8) & 0xFF;
260 token->EC[1] = (padlength >> 0) & 0xFF;
263 * In Wrap tokens without confidentiality, the EC field is
264 * used to encode the size (in bytes) of the trailing
267 * This is not used in the checksum calcuation itself,
268 * because the checksum length could potentially vary
269 * depending on the data length.
276 * In Wrap tokens that provide for confidentiality, the RRC
277 * field in the header contains the hex value 00 00 before
280 * In Wrap tokens that do not provide for confidentiality,
281 * both the EC and RRC fields in the appended checksum
282 * contain the hex value 00 00 for the purpose of calculating
288 HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
289 krb5_auth_con_getlocalseqnumber(context,
292 _gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]);
293 _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
294 krb5_auth_con_setlocalseqnumber(context,
297 HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
300 * If confidentiality is requested, the token header is
301 * appended to the plaintext before encryption; the resulting
302 * token is {"header" | encrypt(plaintext | pad | "header")}.
304 * If no confidentiality is requested, the checksum is
305 * calculated over the plaintext concatenated with the
308 if (ctx->more_flags & LOCAL) {
309 usage = KRB5_KU_USAGE_INITIATOR_SEAL;
311 usage = KRB5_KU_USAGE_ACCEPTOR_SEAL;
316 * Any necessary padding is added here to ensure that the
317 * encrypted token header is always at the end of the
320 * The specification does not require that the padding
321 * bytes are initialized.
324 memcpy(p, input_message_buffer->value, input_message_buffer->length);
325 memset(p + input_message_buffer->length, 0xFF, padlength);
326 memcpy(p + input_message_buffer->length + padlength,
327 token, sizeof(*token));
329 ret = krb5_encrypt(context, ctx->crypto,
331 input_message_buffer->length + padlength +
336 _gsskrb5_release_buffer(minor_status, output_message_buffer);
337 return GSS_S_FAILURE;
339 assert(sizeof(*token) + cipher.length == wrapped_len);
340 token->RRC[0] = (rrc >> 8) & 0xFF;
341 token->RRC[1] = (rrc >> 0) & 0xFF;
344 * this is really ugly, but needed against windows
345 * for DCERPC, as windows rotates by EC+RRC.
347 if (IS_DCE_STYLE(ctx)) {
348 ret = rrc_rotate(cipher.data, cipher.length, rrc+padlength, FALSE);
350 ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE);
354 _gsskrb5_release_buffer(minor_status, output_message_buffer);
355 return GSS_S_FAILURE;
357 memcpy(p, cipher.data, cipher.length);
358 krb5_data_free(&cipher);
363 buf = malloc(input_message_buffer->length + sizeof(*token));
365 *minor_status = ENOMEM;
366 _gsskrb5_release_buffer(minor_status, output_message_buffer);
367 return GSS_S_FAILURE;
369 memcpy(buf, input_message_buffer->value, input_message_buffer->length);
370 memcpy(buf + input_message_buffer->length, token, sizeof(*token));
372 ret = krb5_create_checksum(context, ctx->crypto,
374 input_message_buffer->length +
379 _gsskrb5_release_buffer(minor_status, output_message_buffer);
381 return GSS_S_FAILURE;
386 assert(cksum.checksum.length == cksumsize);
387 token->EC[0] = (cksum.checksum.length >> 8) & 0xFF;
388 token->EC[1] = (cksum.checksum.length >> 0) & 0xFF;
389 token->RRC[0] = (rrc >> 8) & 0xFF;
390 token->RRC[1] = (rrc >> 0) & 0xFF;
393 memcpy(p, input_message_buffer->value, input_message_buffer->length);
394 memcpy(p + input_message_buffer->length,
395 cksum.checksum.data, cksum.checksum.length);
398 input_message_buffer->length + cksum.checksum.length, rrc, FALSE);
401 _gsskrb5_release_buffer(minor_status, output_message_buffer);
402 free_Checksum(&cksum);
403 return GSS_S_FAILURE;
405 free_Checksum(&cksum);
408 if (conf_state != NULL) {
409 *conf_state = conf_req_flag;
413 return GSS_S_COMPLETE;
416 OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
417 const gsskrb5_ctx ctx,
418 krb5_context context,
419 const gss_buffer_t input_message_buffer,
420 gss_buffer_t output_message_buffer,
422 gss_qop_t *qop_state)
424 gss_cfx_wrap_token token;
430 OM_uint32 seq_number_lo, seq_number_hi;
436 if (input_message_buffer->length < sizeof(*token)) {
437 return GSS_S_DEFECTIVE_TOKEN;
440 p = input_message_buffer->value;
442 token = (gss_cfx_wrap_token)p;
444 if (token->TOK_ID[0] != 0x05 || token->TOK_ID[1] != 0x04) {
445 return GSS_S_DEFECTIVE_TOKEN;
448 /* Ignore unknown flags */
449 token_flags = token->Flags &
450 (CFXSentByAcceptor | CFXSealed | CFXAcceptorSubkey);
452 if (token_flags & CFXSentByAcceptor) {
453 if ((ctx->more_flags & LOCAL) == 0)
454 return GSS_S_DEFECTIVE_TOKEN;
457 if (ctx->more_flags & ACCEPTOR_SUBKEY) {
458 if ((token_flags & CFXAcceptorSubkey) == 0)
459 return GSS_S_DEFECTIVE_TOKEN;
461 if (token_flags & CFXAcceptorSubkey)
462 return GSS_S_DEFECTIVE_TOKEN;
465 if (token->Filler != 0xFF) {
466 return GSS_S_DEFECTIVE_TOKEN;
469 if (conf_state != NULL) {
470 *conf_state = (token_flags & CFXSealed) ? 1 : 0;
473 ec = (token->EC[0] << 8) | token->EC[1];
474 rrc = (token->RRC[0] << 8) | token->RRC[1];
477 * Check sequence number
479 _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi);
480 _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo);
482 /* no support for 64-bit sequence numbers */
483 *minor_status = ERANGE;
484 return GSS_S_UNSEQ_TOKEN;
487 HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
488 ret = _gssapi_msg_order_check(ctx->order, seq_number_lo);
491 HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
492 _gsskrb5_release_buffer(minor_status, output_message_buffer);
495 HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
498 * Decrypt and/or verify checksum
501 if (ctx->more_flags & LOCAL) {
502 usage = KRB5_KU_USAGE_ACCEPTOR_SEAL;
504 usage = KRB5_KU_USAGE_INITIATOR_SEAL;
508 len = input_message_buffer->length;
509 len -= (p - (u_char *)input_message_buffer->value);
511 if (token_flags & CFXSealed) {
513 * this is really ugly, but needed against windows
514 * for DCERPC, as windows rotates by EC+RRC.
516 if (IS_DCE_STYLE(ctx)) {
517 *minor_status = rrc_rotate(p, len, rrc+ec, TRUE);
519 *minor_status = rrc_rotate(p, len, rrc, TRUE);
521 if (*minor_status != 0) {
522 return GSS_S_FAILURE;
525 ret = krb5_decrypt(context, ctx->crypto, usage,
529 return GSS_S_BAD_MIC;
532 /* Check that there is room for the pad and token header */
533 if (data.length < ec + sizeof(*token)) {
534 krb5_data_free(&data);
535 return GSS_S_DEFECTIVE_TOKEN;
538 p += data.length - sizeof(*token);
540 /* RRC is unprotected; don't modify input buffer */
541 ((gss_cfx_wrap_token)p)->RRC[0] = token->RRC[0];
542 ((gss_cfx_wrap_token)p)->RRC[1] = token->RRC[1];
544 /* Check the integrity of the header */
545 if (memcmp(p, token, sizeof(*token)) != 0) {
546 krb5_data_free(&data);
547 return GSS_S_BAD_MIC;
550 output_message_buffer->value = data.data;
551 output_message_buffer->length = data.length - ec - sizeof(*token);
555 /* Rotate by RRC; bogus to do this in-place XXX */
556 *minor_status = rrc_rotate(p, len, rrc, TRUE);
557 if (*minor_status != 0) {
558 return GSS_S_FAILURE;
561 /* Determine checksum type */
562 ret = krb5_crypto_get_checksum_type(context,
567 return GSS_S_FAILURE;
570 cksum.checksum.length = ec;
572 /* Check we have at least as much data as the checksum */
573 if (len < cksum.checksum.length) {
574 *minor_status = ERANGE;
575 return GSS_S_BAD_MIC;
578 /* Length now is of the plaintext only, no checksum */
579 len -= cksum.checksum.length;
580 cksum.checksum.data = p + len;
582 output_message_buffer->length = len; /* for later */
583 output_message_buffer->value = malloc(len + sizeof(*token));
584 if (output_message_buffer->value == NULL) {
585 *minor_status = ENOMEM;
586 return GSS_S_FAILURE;
589 /* Checksum is over (plaintext-data | "header") */
590 memcpy(output_message_buffer->value, p, len);
591 memcpy((u_char *)output_message_buffer->value + len,
592 token, sizeof(*token));
594 /* EC is not included in checksum calculation */
595 token = (gss_cfx_wrap_token)((u_char *)output_message_buffer->value +
602 ret = krb5_verify_checksum(context, ctx->crypto,
604 output_message_buffer->value,
605 len + sizeof(*token),
609 _gsskrb5_release_buffer(minor_status, output_message_buffer);
610 return GSS_S_BAD_MIC;
614 if (qop_state != NULL) {
615 *qop_state = GSS_C_QOP_DEFAULT;
619 return GSS_S_COMPLETE;
622 OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
623 const gsskrb5_ctx ctx,
624 krb5_context context,
626 const gss_buffer_t message_buffer,
627 gss_buffer_t message_token)
629 gss_cfx_mic_token token;
637 len = message_buffer->length + sizeof(*token);
640 *minor_status = ENOMEM;
641 return GSS_S_FAILURE;
644 memcpy(buf, message_buffer->value, message_buffer->length);
646 token = (gss_cfx_mic_token)(buf + message_buffer->length);
647 token->TOK_ID[0] = 0x04;
648 token->TOK_ID[1] = 0x04;
650 if ((ctx->more_flags & LOCAL) == 0)
651 token->Flags |= CFXSentByAcceptor;
652 if (ctx->more_flags & ACCEPTOR_SUBKEY)
653 token->Flags |= CFXAcceptorSubkey;
654 memset(token->Filler, 0xFF, 5);
656 HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
657 krb5_auth_con_getlocalseqnumber(context,
660 _gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]);
661 _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
662 krb5_auth_con_setlocalseqnumber(context,
665 HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
667 if (ctx->more_flags & LOCAL) {
668 usage = KRB5_KU_USAGE_INITIATOR_SIGN;
670 usage = KRB5_KU_USAGE_ACCEPTOR_SIGN;
673 ret = krb5_create_checksum(context, ctx->crypto,
674 usage, 0, buf, len, &cksum);
678 return GSS_S_FAILURE;
681 /* Determine MIC length */
682 message_token->length = sizeof(*token) + cksum.checksum.length;
683 message_token->value = malloc(message_token->length);
684 if (message_token->value == NULL) {
685 *minor_status = ENOMEM;
686 free_Checksum(&cksum);
688 return GSS_S_FAILURE;
691 /* Token is { "header" | get_mic("header" | plaintext-data) } */
692 memcpy(message_token->value, token, sizeof(*token));
693 memcpy((u_char *)message_token->value + sizeof(*token),
694 cksum.checksum.data, cksum.checksum.length);
696 free_Checksum(&cksum);
700 return GSS_S_COMPLETE;
703 OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
704 const gsskrb5_ctx ctx,
705 krb5_context context,
706 const gss_buffer_t message_buffer,
707 const gss_buffer_t token_buffer,
708 gss_qop_t *qop_state)
710 gss_cfx_mic_token token;
714 OM_uint32 seq_number_lo, seq_number_hi;
720 if (token_buffer->length < sizeof(*token)) {
721 return GSS_S_DEFECTIVE_TOKEN;
724 p = token_buffer->value;
726 token = (gss_cfx_mic_token)p;
728 if (token->TOK_ID[0] != 0x04 || token->TOK_ID[1] != 0x04) {
729 return GSS_S_DEFECTIVE_TOKEN;
732 /* Ignore unknown flags */
733 token_flags = token->Flags & (CFXSentByAcceptor | CFXAcceptorSubkey);
735 if (token_flags & CFXSentByAcceptor) {
736 if ((ctx->more_flags & LOCAL) == 0)
737 return GSS_S_DEFECTIVE_TOKEN;
739 if (ctx->more_flags & ACCEPTOR_SUBKEY) {
740 if ((token_flags & CFXAcceptorSubkey) == 0)
741 return GSS_S_DEFECTIVE_TOKEN;
743 if (token_flags & CFXAcceptorSubkey)
744 return GSS_S_DEFECTIVE_TOKEN;
747 if (memcmp(token->Filler, "\xff\xff\xff\xff\xff", 5) != 0) {
748 return GSS_S_DEFECTIVE_TOKEN;
752 * Check sequence number
754 _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi);
755 _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo);
757 *minor_status = ERANGE;
758 return GSS_S_UNSEQ_TOKEN;
761 HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
762 ret = _gssapi_msg_order_check(ctx->order, seq_number_lo);
765 HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
768 HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
773 ret = krb5_crypto_get_checksum_type(context, ctx->crypto,
777 return GSS_S_FAILURE;
780 cksum.checksum.data = p + sizeof(*token);
781 cksum.checksum.length = token_buffer->length - sizeof(*token);
783 if (ctx->more_flags & LOCAL) {
784 usage = KRB5_KU_USAGE_ACCEPTOR_SIGN;
786 usage = KRB5_KU_USAGE_INITIATOR_SIGN;
789 buf = malloc(message_buffer->length + sizeof(*token));
791 *minor_status = ENOMEM;
792 return GSS_S_FAILURE;
794 memcpy(buf, message_buffer->value, message_buffer->length);
795 memcpy(buf + message_buffer->length, token, sizeof(*token));
797 ret = krb5_verify_checksum(context, ctx->crypto,
800 sizeof(*token) + message_buffer->length,
805 return GSS_S_BAD_MIC;
810 if (qop_state != NULL) {
811 *qop_state = GSS_C_QOP_DEFAULT;
814 return GSS_S_COMPLETE;