source4/heimdal/lib/gssapi/krb5/unwrap.c

   1 /*
   2  * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #include "krb5/gsskrb5_locl.h"
  35
  36 RCSID("$Id: unwrap.c,v 1.38 2006/10/18 15:59:28 lha Exp $");
  37
  38 static OM_uint32
  39 unwrap_des
  40            (OM_uint32 * minor_status,
  41             const gsskrb5_ctx context_handle,
  42             const gss_buffer_t input_message_buffer,
  43             gss_buffer_t output_message_buffer,
  44             int * conf_state,
  45             gss_qop_t * qop_state,
  46             krb5_keyblock *key
  47            )
  48 {
  49   u_char *p, *seq;
  50   size_t len;
  51   MD5_CTX md5;
  52   u_char hash[16];
  53   DES_key_schedule schedule;
  54   DES_cblock deskey;
  55   DES_cblock zero;
  56   int i;
  57   uint32_t seq_number;
  58   size_t padlength;
  59   OM_uint32 ret;
  60   int cstate;
  61   int cmp;
  62
  63   p = input_message_buffer->value;
  64   ret = _gsskrb5_verify_header (&p,
  65                                    input_message_buffer->length,
  66                                    "\x02\x01",
  67                                    GSS_KRB5_MECHANISM);
  68   if (ret)
  69       return ret;
  70
  71   if (memcmp (p, "\x00\x00", 2) != 0)
  72     return GSS_S_BAD_SIG;
  73   p += 2;
  74   if (memcmp (p, "\x00\x00", 2) == 0) {
  75       cstate = 1;
  76   } else if (memcmp (p, "\xFF\xFF", 2) == 0) {
  77       cstate = 0;
  78   } else
  79       return GSS_S_BAD_MIC;
  80   p += 2;
  81   if(conf_state != NULL)
  82       *conf_state = cstate;
  83   if (memcmp (p, "\xff\xff", 2) != 0)
  84     return GSS_S_DEFECTIVE_TOKEN;
  85   p += 2;
  86   p += 16;
  87
  88   len = p - (u_char *)input_message_buffer->value;
  89
  90   if(cstate) {
  91       /* decrypt data */
  92       memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
  93
  94       for (i = 0; i < sizeof(deskey); ++i)
  95           deskey[i] ^= 0xf0;
  96       DES_set_key (&deskey, &schedule);
  97       memset (&zero, 0, sizeof(zero));
  98       DES_cbc_encrypt ((void *)p,
  99                        (void *)p,
 100                        input_message_buffer->length - len,
 101                        &schedule,
 102                        &zero,
 103                        DES_DECRYPT);
 104
 105       memset (deskey, 0, sizeof(deskey));
 106       memset (&schedule, 0, sizeof(schedule));
 107   }
 108   /* check pad */
 109   ret = _gssapi_verify_pad(input_message_buffer,
 110                            input_message_buffer->length - len,
 111                            &padlength);
 112   if (ret)
 113       return ret;
 114
 115   MD5_Init (&md5);
 116   MD5_Update (&md5, p - 24, 8);
 117   MD5_Update (&md5, p, input_message_buffer->length - len);
 118   MD5_Final (hash, &md5);
 119
 120   memset (&zero, 0, sizeof(zero));
 121   memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
 122   DES_set_key (&deskey, &schedule);
 123   DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
 124                  &schedule, &zero);
 125   if (memcmp (p - 8, hash, 8) != 0)
 126     return GSS_S_BAD_MIC;
 127
 128   /* verify sequence number */
 129
 130   HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
 131
 132   p -= 16;
 133   DES_set_key (&deskey, &schedule);
 134   DES_cbc_encrypt ((void *)p, (void *)p, 8,
 135                    &schedule, (DES_cblock *)hash, DES_DECRYPT);
 136
 137   memset (deskey, 0, sizeof(deskey));
 138   memset (&schedule, 0, sizeof(schedule));
 139
 140   seq = p;
 141   _gsskrb5_decode_om_uint32(seq, &seq_number);
 142
 143   if (context_handle->more_flags & LOCAL)
 144       cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4);
 145   else
 146       cmp = memcmp(&seq[4], "\x00\x00\x00\x00", 4);
 147
 148   if (cmp != 0) {
 149     HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
 150     return GSS_S_BAD_MIC;
 151   }
 152
 153   ret = _gssapi_msg_order_check(context_handle->order, seq_number);
 154   if (ret) {
 155     HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
 156     return ret;
 157   }
 158
 159   HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
 160
 161   /* copy out data */
 162
 163   output_message_buffer->length = input_message_buffer->length
 164     - len - padlength - 8;
 165   output_message_buffer->value  = malloc(output_message_buffer->length);
 166   if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
 167       return GSS_S_FAILURE;
 168   memcpy (output_message_buffer->value,
 169           p + 24,
 170           output_message_buffer->length);
 171   return GSS_S_COMPLETE;
 172 }
 173
 174 static OM_uint32
 175 unwrap_des3
 176            (OM_uint32 * minor_status,
 177             const gsskrb5_ctx context_handle,
 178             const gss_buffer_t input_message_buffer,
 179             gss_buffer_t output_message_buffer,
 180             int * conf_state,
 181             gss_qop_t * qop_state,
 182             krb5_keyblock *key
 183            )
 184 {
 185   u_char *p;
 186   size_t len;
 187   u_char *seq;
 188   krb5_data seq_data;
 189   u_char cksum[20];
 190   uint32_t seq_number;
 191   size_t padlength;
 192   OM_uint32 ret;
 193   int cstate;
 194   krb5_crypto crypto;
 195   Checksum csum;
 196   int cmp;
 197
 198   p = input_message_buffer->value;
 199   ret = _gsskrb5_verify_header (&p,
 200                                    input_message_buffer->length,
 201                                    "\x02\x01",
 202                                    GSS_KRB5_MECHANISM);
 203   if (ret)
 204       return ret;
 205
 206   if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
 207     return GSS_S_BAD_SIG;
 208   p += 2;
 209   if (memcmp (p, "\x02\x00", 2) == 0) {
 210     cstate = 1;
 211   } else if (memcmp (p, "\xff\xff", 2) == 0) {
 212     cstate = 0;
 213   } else
 214     return GSS_S_BAD_MIC;
 215   p += 2;
 216   if(conf_state != NULL)
 217     *conf_state = cstate;
 218   if (memcmp (p, "\xff\xff", 2) != 0)
 219     return GSS_S_DEFECTIVE_TOKEN;
 220   p += 2;
 221   p += 28;
 222
 223   len = p - (u_char *)input_message_buffer->value;
 224
 225   if(cstate) {
 226       /* decrypt data */
 227       krb5_data tmp;
 228
 229       ret = krb5_crypto_init(_gsskrb5_context, key,
 230                              ETYPE_DES3_CBC_NONE, &crypto);
 231       if (ret) {
 232           _gsskrb5_set_error_string ();
 233           *minor_status = ret;
 234           return GSS_S_FAILURE;
 235       }
 236       ret = krb5_decrypt(_gsskrb5_context, crypto, KRB5_KU_USAGE_SEAL,
 237                          p, input_message_buffer->length - len, &tmp);
 238       krb5_crypto_destroy(_gsskrb5_context, crypto);
 239       if (ret) {
 240           _gsskrb5_set_error_string ();
 241           *minor_status = ret;
 242           return GSS_S_FAILURE;
 243       }
 244       assert (tmp.length == input_message_buffer->length - len);
 245
 246       memcpy (p, tmp.data, tmp.length);
 247       krb5_data_free(&tmp);
 248   }
 249   /* check pad */
 250   ret = _gssapi_verify_pad(input_message_buffer,
 251                            input_message_buffer->length - len,
 252                            &padlength);
 253   if (ret)
 254       return ret;
 255
 256   /* verify sequence number */
 257
 258   HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
 259
 260   p -= 28;
 261
 262   ret = krb5_crypto_init(_gsskrb5_context, key,
 263                          ETYPE_DES3_CBC_NONE, &crypto);
 264   if (ret) {
 265       _gsskrb5_set_error_string ();
 266       *minor_status = ret;
 267       HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
 268       return GSS_S_FAILURE;
 269   }
 270   {
 271       DES_cblock ivec;
 272
 273       memcpy(&ivec, p + 8, 8);
 274       ret = krb5_decrypt_ivec (_gsskrb5_context,
 275                                crypto,
 276                                KRB5_KU_USAGE_SEQ,
 277                                p, 8, &seq_data,
 278                                &ivec);
 279   }
 280   krb5_crypto_destroy (_gsskrb5_context, crypto);
 281   if (ret) {
 282       _gsskrb5_set_error_string ();
 283       *minor_status = ret;
 284       HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
 285       return GSS_S_FAILURE;
 286   }
 287   if (seq_data.length != 8) {
 288       krb5_data_free (&seq_data);
 289       *minor_status = 0;
 290       HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
 291       return GSS_S_BAD_MIC;
 292   }
 293
 294   seq = seq_data.data;
 295   _gsskrb5_decode_om_uint32(seq, &seq_number);
 296
 297   if (context_handle->more_flags & LOCAL)
 298       cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4);
 299   else
 300       cmp = memcmp(&seq[4], "\x00\x00\x00\x00", 4);
 301
 302   krb5_data_free (&seq_data);
 303   if (cmp != 0) {
 304       *minor_status = 0;
 305       HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
 306       return GSS_S_BAD_MIC;
 307   }
 308
 309   ret = _gssapi_msg_order_check(context_handle->order, seq_number);
 310   if (ret) {
 311       *minor_status = 0;
 312       HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
 313       return ret;
 314   }
 315
 316   HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
 317
 318   /* verify checksum */
 319
 320   memcpy (cksum, p + 8, 20);
 321
 322   memcpy (p + 20, p - 8, 8);
 323
 324   csum.cksumtype = CKSUMTYPE_HMAC_SHA1_DES3;
 325   csum.checksum.length = 20;
 326   csum.checksum.data   = cksum;
 327
 328   ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
 329   if (ret) {
 330       _gsskrb5_set_error_string ();
 331       *minor_status = ret;
 332       return GSS_S_FAILURE;
 333   }
 334
 335   ret = krb5_verify_checksum (_gsskrb5_context, crypto,
 336                               KRB5_KU_USAGE_SIGN,
 337                               p + 20,
 338                               input_message_buffer->length - len + 8,
 339                               &csum);
 340   krb5_crypto_destroy (_gsskrb5_context, crypto);
 341   if (ret) {
 342       _gsskrb5_set_error_string ();
 343       *minor_status = ret;
 344       return GSS_S_FAILURE;
 345   }
 346
 347   /* copy out data */
 348
 349   output_message_buffer->length = input_message_buffer->length
 350     - len - padlength - 8;
 351   output_message_buffer->value  = malloc(output_message_buffer->length);
 352   if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
 353       return GSS_S_FAILURE;
 354   memcpy (output_message_buffer->value,
 355           p + 36,
 356           output_message_buffer->length);
 357   return GSS_S_COMPLETE;
 358 }
 359
 360 OM_uint32 _gsskrb5_unwrap
 361            (OM_uint32 * minor_status,
 362             const gss_ctx_id_t context_handle,
 363             const gss_buffer_t input_message_buffer,
 364             gss_buffer_t output_message_buffer,
 365             int * conf_state,
 366             gss_qop_t * qop_state
 367            )
 368 {
 369   krb5_keyblock *key;
 370   OM_uint32 ret;
 371   krb5_keytype keytype;
 372   gsskrb5_ctx ctx = (gsskrb5_ctx) context_handle;
 373
 374   output_message_buffer->value = NULL;
 375   output_message_buffer->length = 0;
 376
 377   if (qop_state != NULL)
 378       *qop_state = GSS_C_QOP_DEFAULT;
 379   HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
 380   ret = _gsskrb5i_get_token_key(ctx, &key);
 381   HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
 382   if (ret) {
 383       _gsskrb5_set_error_string ();
 384       *minor_status = ret;
 385       return GSS_S_FAILURE;
 386   }
 387   krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype);
 388
 389   *minor_status = 0;
 390
 391   switch (keytype) {
 392   case KEYTYPE_DES :
 393       ret = unwrap_des (minor_status, ctx,
 394                         input_message_buffer, output_message_buffer,
 395                         conf_state, qop_state, key);
 396       break;
 397   case KEYTYPE_DES3 :
 398       ret = unwrap_des3 (minor_status, ctx,
 399                          input_message_buffer, output_message_buffer,
 400                          conf_state, qop_state, key);
 401       break;
 402   case KEYTYPE_ARCFOUR:
 403   case KEYTYPE_ARCFOUR_56:
 404       ret = _gssapi_unwrap_arcfour (minor_status, ctx,
 405                                     input_message_buffer, output_message_buffer,
 406                                     conf_state, qop_state, key);
 407       break;
 408   default :
 409       ret = _gssapi_unwrap_cfx (minor_status, ctx,
 410                                 input_message_buffer, output_message_buffer,
 411                                 conf_state, qop_state, key);
 412       break;
 413   }
 414   krb5_free_keyblock (_gsskrb5_context, key);
 415   return ret;
 416 }