2 * Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "krb5/gsskrb5_locl.h"
36 RCSID("$Id: arcfour.c,v 1.29 2006/10/07 22:14:05 lha Exp $");
39 * Implements draft-brezak-win2k-krb-rc4-hmac-04.txt
41 * The arcfour message have the following formats:
61 * WRAP in DCE-style have a fixed size header, the oid and length over
62 * the WRAP header is a total of
63 * GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE +
64 * GSS_ARCFOUR_WRAP_TOKEN_SIZE byte (ie total of 45 bytes overhead,
65 * remember the 2 bytes from APPL [0] SEQ).
68 #define GSS_ARCFOUR_WRAP_TOKEN_SIZE 32
69 #define GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE 13
72 static krb5_error_code
73 arcfour_mic_key(krb5_context context, krb5_keyblock *key,
74 void *cksum_data, size_t cksum_size,
75 void *key6_data, size_t key6_size)
88 cksum_k5.checksum.data = k5_data;
89 cksum_k5.checksum.length = sizeof(k5_data);
91 if (key->keytype == KEYTYPE_ARCFOUR_56) {
92 char L40[14] = "fortybits";
94 memcpy(L40 + 10, T, sizeof(T));
95 ret = krb5_hmac(context, CKSUMTYPE_RSA_MD5,
96 L40, 14, 0, key, &cksum_k5);
97 memset(&k5_data[7], 0xAB, 9);
99 ret = krb5_hmac(context, CKSUMTYPE_RSA_MD5,
100 T, 4, 0, key, &cksum_k5);
105 key5.keytype = KEYTYPE_ARCFOUR;
106 key5.keyvalue = cksum_k5.checksum;
108 cksum_k6.checksum.data = key6_data;
109 cksum_k6.checksum.length = key6_size;
111 return krb5_hmac(context, CKSUMTYPE_RSA_MD5,
112 cksum_data, cksum_size, 0, &key5, &cksum_k6);
116 static krb5_error_code
117 arcfour_mic_cksum(krb5_keyblock *key, unsigned usage,
118 u_char *sgn_cksum, size_t sgn_cksum_sz,
119 const u_char *v1, size_t l1,
120 const void *v2, size_t l2,
121 const void *v3, size_t l3)
129 assert(sgn_cksum_sz == 8);
138 memcpy(ptr + l1, v2, l2);
139 memcpy(ptr + l1 + l2, v3, l3);
141 ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
147 ret = krb5_create_checksum(_gsskrb5_context,
155 memcpy(sgn_cksum, CKSUM.checksum.data, sgn_cksum_sz);
156 free_Checksum(&CKSUM);
158 krb5_crypto_destroy(_gsskrb5_context, crypto);
165 _gssapi_get_mic_arcfour(OM_uint32 * minor_status,
166 const gsskrb5_ctx context_handle,
168 const gss_buffer_t message_buffer,
169 gss_buffer_t message_token,
174 size_t len, total_len;
175 u_char k6_data[16], *p0, *p;
178 _gsskrb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM);
180 message_token->length = total_len;
181 message_token->value = malloc (total_len);
182 if (message_token->value == NULL) {
183 *minor_status = ENOMEM;
184 return GSS_S_FAILURE;
187 p0 = _gssapi_make_mech_header(message_token->value,
192 *p++ = 0x01; /* TOK_ID */
194 *p++ = 0x11; /* SGN_ALG */
196 *p++ = 0xff; /* Filler */
203 ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SIGN,
204 p0 + 16, 8, /* SGN_CKSUM */
205 p0, 8, /* TOK_ID, SGN_ALG, Filer */
206 message_buffer->value, message_buffer->length,
209 _gsskrb5_release_buffer(minor_status, message_token);
211 return GSS_S_FAILURE;
214 ret = arcfour_mic_key(_gsskrb5_context, key,
215 p0 + 16, 8, /* SGN_CKSUM */
216 k6_data, sizeof(k6_data));
218 _gsskrb5_release_buffer(minor_status, message_token);
220 return GSS_S_FAILURE;
223 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
224 krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
225 context_handle->auth_context,
227 p = p0 + 8; /* SND_SEQ */
228 _gsskrb5_encode_be_om_uint32(seq_number, p);
230 krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
231 context_handle->auth_context,
233 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
235 memset (p + 4, (context_handle->more_flags & LOCAL) ? 0 : 0xff, 4);
237 RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
238 RC4 (&rc4_key, 8, p, p);
240 memset(&rc4_key, 0, sizeof(rc4_key));
241 memset(k6_data, 0, sizeof(k6_data));
244 return GSS_S_COMPLETE;
249 _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
250 const gsskrb5_ctx context_handle,
251 const gss_buffer_t message_buffer,
252 const gss_buffer_t token_buffer,
253 gss_qop_t * qop_state,
260 u_char SND_SEQ[8], cksum_data[8], *p;
267 p = token_buffer->value;
268 omret = _gsskrb5_verify_header (&p,
269 token_buffer->length,
275 if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */
276 return GSS_S_BAD_SIG;
278 if (memcmp (p, "\xff\xff\xff\xff", 4) != 0)
279 return GSS_S_BAD_MIC;
282 ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SIGN,
283 cksum_data, sizeof(cksum_data),
285 message_buffer->value, message_buffer->length,
289 return GSS_S_FAILURE;
292 ret = arcfour_mic_key(_gsskrb5_context, key,
293 cksum_data, sizeof(cksum_data),
294 k6_data, sizeof(k6_data));
297 return GSS_S_FAILURE;
300 cmp = memcmp(cksum_data, p + 8, 8);
303 return GSS_S_BAD_MIC;
309 RC4_set_key (&rc4_key, sizeof(k6_data), (void*)k6_data);
310 RC4 (&rc4_key, 8, p, SND_SEQ);
312 memset(&rc4_key, 0, sizeof(rc4_key));
313 memset(k6_data, 0, sizeof(k6_data));
316 _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
318 if (context_handle->more_flags & LOCAL)
319 cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
321 cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
323 memset(SND_SEQ, 0, sizeof(SND_SEQ));
326 return GSS_S_BAD_MIC;
329 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
330 omret = _gssapi_msg_order_check(context_handle->order, seq_number);
331 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
336 return GSS_S_COMPLETE;
340 _gssapi_wrap_arcfour(OM_uint32 * minor_status,
341 const gsskrb5_ctx context_handle,
344 const gss_buffer_t input_message_buffer,
346 gss_buffer_t output_message_buffer,
349 u_char Klocaldata[16], k6_data[16], *p, *p0;
350 size_t len, total_len, datalen;
351 krb5_keyblock Klocal;
358 if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) {
359 datalen = input_message_buffer->length + 1 /* padding */;
361 len = datalen + GSS_ARCFOUR_WRAP_TOKEN_SIZE;
362 _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
364 datalen = input_message_buffer->length;
366 len = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
367 _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
368 total_len += datalen;
371 output_message_buffer->length = total_len;
372 output_message_buffer->value = malloc (total_len);
373 if (output_message_buffer->value == NULL) {
374 *minor_status = ENOMEM;
375 return GSS_S_FAILURE;
378 p0 = _gssapi_make_mech_header(output_message_buffer->value,
383 *p++ = 0x02; /* TOK_ID */
385 *p++ = 0x11; /* SGN_ALG */
388 *p++ = 0x10; /* SEAL_ALG */
391 *p++ = 0xff; /* SEAL_ALG */
394 *p++ = 0xff; /* Filler */
399 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
400 krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
401 context_handle->auth_context,
404 _gsskrb5_encode_be_om_uint32(seq_number, p0 + 8);
406 krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
407 context_handle->auth_context,
409 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
412 (context_handle->more_flags & LOCAL) ? 0 : 0xff,
415 krb5_generate_random_block(p0 + 24, 8); /* fill in Confounder */
417 /* p points to data */
418 p = p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE;
419 memcpy(p, input_message_buffer->value, input_message_buffer->length);
421 if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) {
422 p[input_message_buffer->length] = 1; /* PADDING */
425 ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL,
426 p0 + 16, 8, /* SGN_CKSUM */
427 p0, 8, /* TOK_ID, SGN_ALG, SEAL_ALG, Filler */
428 p0 + 24, 8, /* Confounder */
429 p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE,
433 _gsskrb5_release_buffer(minor_status, output_message_buffer);
434 return GSS_S_FAILURE;
440 Klocal.keytype = key->keytype;
441 Klocal.keyvalue.data = Klocaldata;
442 Klocal.keyvalue.length = sizeof(Klocaldata);
444 for (i = 0; i < 16; i++)
445 Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0;
447 ret = arcfour_mic_key(_gsskrb5_context, &Klocal,
448 p0 + 8, 4, /* SND_SEQ */
449 k6_data, sizeof(k6_data));
450 memset(Klocaldata, 0, sizeof(Klocaldata));
452 _gsskrb5_release_buffer(minor_status, output_message_buffer);
454 return GSS_S_FAILURE;
461 RC4_set_key (&rc4_key, sizeof(k6_data), (void *)k6_data);
463 RC4 (&rc4_key, 8 + datalen, p0 + 24, p0 + 24); /* Confounder + data */
464 memset(&rc4_key, 0, sizeof(rc4_key));
466 memset(k6_data, 0, sizeof(k6_data));
468 ret = arcfour_mic_key(_gsskrb5_context, key,
469 p0 + 16, 8, /* SGN_CKSUM */
470 k6_data, sizeof(k6_data));
472 _gsskrb5_release_buffer(minor_status, output_message_buffer);
474 return GSS_S_FAILURE;
480 RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
481 RC4 (&rc4_key, 8, p0 + 8, p0 + 8); /* SND_SEQ */
482 memset(&rc4_key, 0, sizeof(rc4_key));
483 memset(k6_data, 0, sizeof(k6_data));
487 *conf_state = conf_req_flag;
490 return GSS_S_COMPLETE;
493 OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
494 const gsskrb5_ctx context_handle,
495 const gss_buffer_t input_message_buffer,
496 gss_buffer_t output_message_buffer,
498 gss_qop_t *qop_state,
501 u_char Klocaldata[16];
502 krb5_keyblock Klocal;
507 u_char k6_data[16], SND_SEQ[8], Confounder[8];
508 u_char cksum_data[8];
512 size_t padlen = 0, len;
519 p0 = input_message_buffer->value;
521 if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) {
522 len = input_message_buffer->length;
524 len = GSS_ARCFOUR_WRAP_TOKEN_SIZE +
525 GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE;
526 if (input_message_buffer->length < len)
527 return GSS_S_BAD_MECH;
530 omret = _gssapi_verify_mech_header(&p0,
536 /* length of mech header */
537 len = (p0 - (u_char *)input_message_buffer->value) +
538 GSS_ARCFOUR_WRAP_TOKEN_SIZE;
540 if (len > input_message_buffer->length)
541 return GSS_S_BAD_MECH;
544 datalen = input_message_buffer->length - len;
548 if (memcmp(p, "\x02\x01", 2) != 0)
549 return GSS_S_BAD_SIG;
551 if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */
552 return GSS_S_BAD_SIG;
555 if (memcmp (p, "\x10\x00", 2) == 0)
557 else if (memcmp (p, "\xff\xff", 2) == 0)
560 return GSS_S_BAD_SIG;
563 if (memcmp (p, "\xff\xff", 2) != 0)
564 return GSS_S_BAD_MIC;
567 ret = arcfour_mic_key(_gsskrb5_context, key,
568 p0 + 16, 8, /* SGN_CKSUM */
569 k6_data, sizeof(k6_data));
572 return GSS_S_FAILURE;
578 RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
579 RC4 (&rc4_key, 8, p0 + 8, SND_SEQ); /* SND_SEQ */
580 memset(&rc4_key, 0, sizeof(rc4_key));
581 memset(k6_data, 0, sizeof(k6_data));
584 _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
586 if (context_handle->more_flags & LOCAL)
587 cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
589 cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
593 return GSS_S_BAD_MIC;
599 Klocal.keytype = key->keytype;
600 Klocal.keyvalue.data = Klocaldata;
601 Klocal.keyvalue.length = sizeof(Klocaldata);
603 for (i = 0; i < 16; i++)
604 Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0;
606 ret = arcfour_mic_key(_gsskrb5_context, &Klocal,
608 k6_data, sizeof(k6_data));
609 memset(Klocaldata, 0, sizeof(Klocaldata));
612 return GSS_S_FAILURE;
615 output_message_buffer->value = malloc(datalen);
616 if (output_message_buffer->value == NULL) {
617 *minor_status = ENOMEM;
618 return GSS_S_FAILURE;
620 output_message_buffer->length = datalen;
625 RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
626 RC4 (&rc4_key, 8, p0 + 24, Confounder); /* Confounder */
627 RC4 (&rc4_key, datalen, p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE,
628 output_message_buffer->value);
629 memset(&rc4_key, 0, sizeof(rc4_key));
631 memcpy(Confounder, p0 + 24, 8); /* Confounder */
632 memcpy(output_message_buffer->value,
633 p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE,
636 memset(k6_data, 0, sizeof(k6_data));
638 if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) {
639 ret = _gssapi_verify_pad(output_message_buffer, datalen, &padlen);
641 _gsskrb5_release_buffer(minor_status, output_message_buffer);
645 output_message_buffer->length -= padlen;
648 ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL,
649 cksum_data, sizeof(cksum_data),
651 Confounder, sizeof(Confounder),
652 output_message_buffer->value,
653 output_message_buffer->length + padlen);
655 _gsskrb5_release_buffer(minor_status, output_message_buffer);
657 return GSS_S_FAILURE;
660 cmp = memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */
662 _gsskrb5_release_buffer(minor_status, output_message_buffer);
664 return GSS_S_BAD_MIC;
667 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
668 omret = _gssapi_msg_order_check(context_handle->order, seq_number);
669 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
674 *conf_state = conf_flag;
677 return GSS_S_COMPLETE;
681 max_wrap_length_arcfour(const gsskrb5_ctx ctx,
684 OM_uint32 *max_input_size)
687 * if GSS_C_DCE_STYLE is in use:
688 * - we only need to encapsulate the WRAP token
689 * However, since this is a fixed since, we just
691 if (ctx->flags & GSS_C_DCE_STYLE) {
692 size_t len, total_len;
694 len = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
695 _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
697 if (input_length < len)
700 *max_input_size = input_length - len;
703 size_t extrasize = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
704 size_t blocksize = 8;
705 size_t len, total_len;
707 len = 8 + input_length + blocksize + extrasize;
709 _gsskrb5_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
711 total_len -= input_length; /* token length */
712 if (total_len < input_length) {
713 *max_input_size = (input_length - total_len);
714 (*max_input_size) &= (~(OM_uint32)(blocksize - 1));
720 return GSS_S_COMPLETE;
724 _gssapi_wrap_size_arcfour(OM_uint32 *minor_status,
725 const gsskrb5_ctx ctx,
728 OM_uint32 req_output_size,
729 OM_uint32 *max_input_size,
735 ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
737 _gsskrb5_set_error_string();
739 return GSS_S_FAILURE;
742 ret = max_wrap_length_arcfour(ctx, crypto,
743 req_output_size, max_input_size);
745 _gsskrb5_set_error_string();
747 krb5_crypto_destroy(_gsskrb5_context, crypto);
748 return GSS_S_FAILURE;
751 krb5_crypto_destroy(_gsskrb5_context, crypto);
753 return GSS_S_COMPLETE;