2 * Copyright (c) 2003 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "gssapi_locl.h"
37 * Implements draft-brezak-win2k-krb-rc4-hmac-04.txt
42 static krb5_error_code
43 arcfour_mic_key(krb5_context context
, krb5_keyblock
*key
,
44 void *cksum_data
, size_t cksum_size
,
45 void *key6_data
, size_t key6_size
)
58 cksum_k5
.checksum
.data
= k5_data
;
59 cksum_k5
.checksum
.length
= sizeof(k5_data
);
61 if (key
->keytype
== KEYTYPE_ARCFOUR_56
) {
62 char L40
[14] = "fortybits";
64 memcpy(L40
+ 10, T
, sizeof(T
));
65 ret
= krb5_hmac(context
, CKSUMTYPE_RSA_MD5
,
66 L40
, 14, 0, key
, &cksum_k5
);
67 memset(&k5_data
[7], 0xAB, 9);
69 ret
= krb5_hmac(context
, CKSUMTYPE_RSA_MD5
,
70 T
, 4, 0, key
, &cksum_k5
);
75 key5
.keytype
= KEYTYPE_ARCFOUR
;
76 key5
.keyvalue
= cksum_k5
.checksum
;
78 cksum_k6
.checksum
.data
= key6_data
;
79 cksum_k6
.checksum
.length
= key6_size
;
81 return krb5_hmac(context
, CKSUMTYPE_RSA_MD5
,
82 cksum_data
, cksum_size
, 0, &key5
, &cksum_k6
);
86 static krb5_error_code
87 arcfour_mic_cksum(krb5_keyblock
*key
, unsigned usage
,
88 u_char
*sgn_cksum
, size_t sgn_cksum_sz
,
89 const char *v1
, size_t l1
,
90 const void *v2
, size_t l2
,
91 const void *v3
, size_t l3
)
99 assert(sgn_cksum_sz
== 8);
108 memcpy(ptr
+ l1
, v2
, l2
);
109 memcpy(ptr
+ l1
+ l2
, v3
, l3
);
111 ret
= krb5_crypto_init(gssapi_krb5_context
, key
, 0, &crypto
);
117 ret
= krb5_create_checksum(gssapi_krb5_context
,
125 memcpy(sgn_cksum
, CKSUM
.checksum
.data
, sgn_cksum_sz
);
126 free_Checksum(&CKSUM
);
128 krb5_crypto_destroy(gssapi_krb5_context
, crypto
);
135 _gssapi_get_mic_arcfour(OM_uint32
* minor_status
,
136 const gss_ctx_id_t context_handle
,
138 const gss_buffer_t message_buffer
,
139 gss_buffer_t message_token
,
144 size_t len
, total_len
;
145 u_char k6_data
[16], *p0
, *p
;
148 gssapi_krb5_encap_length (22, &len
, &total_len
);
150 message_token
->length
= total_len
;
151 message_token
->value
= malloc (total_len
);
152 if (message_token
->value
== NULL
) {
153 *minor_status
= ENOMEM
;
154 return GSS_S_FAILURE
;
157 p0
= _gssapi_make_mech_header(message_token
->value
,
161 *p
++ = 0x01; /* TOK_ID */
163 *p
++ = 0x11; /* SGN_ALG */
165 *p
++ = 0xff; /* Filler */
172 ret
= arcfour_mic_cksum(key
, KRB5_KU_USAGE_SIGN
,
173 p0
+ 16, 8, /* SGN_CKSUM */
174 p0
, 8, /* TOK_ID, SGN_ALG, Filer */
175 message_buffer
->value
, message_buffer
->length
,
178 gss_release_buffer(minor_status
, message_token
);
180 return GSS_S_FAILURE
;
183 ret
= arcfour_mic_key(gssapi_krb5_context
, key
,
184 p0
+ 16, 8, /* SGN_CKSUM */
185 k6_data
, sizeof(k6_data
));
187 gss_release_buffer(minor_status
, message_token
);
189 return GSS_S_FAILURE
;
192 krb5_auth_con_getlocalseqnumber (gssapi_krb5_context
,
193 context_handle
->auth_context
,
195 p
= p0
+ 8; /* SND_SEQ */
196 gssapi_encode_be_om_uint32(seq_number
, p
);
198 krb5_auth_con_setlocalseqnumber (gssapi_krb5_context
,
199 context_handle
->auth_context
,
202 memset (p
+ 4, (context_handle
->more_flags
& LOCAL
) ? 0 : 0xff, 4);
204 RC4_set_key (&rc4_key
, sizeof(k6_data
), k6_data
);
205 RC4 (&rc4_key
, 8, p
, p
);
207 memset(&rc4_key
, 0, sizeof(rc4_key
));
208 memset(k6_data
, 0, sizeof(k6_data
));
211 return GSS_S_COMPLETE
;
216 _gssapi_verify_mic_arcfour(OM_uint32
* minor_status
,
217 const gss_ctx_id_t context_handle
,
218 const gss_buffer_t message_buffer
,
219 const gss_buffer_t token_buffer
,
220 gss_qop_t
* qop_state
,
225 int32_t seq_number
, seq_number2
;
227 char cksum_data
[8], k6_data
[16], SND_SEQ
[8];
234 p
= token_buffer
->value
;
235 omret
= gssapi_krb5_verify_header (&p
,
236 token_buffer
->length
,
241 if (memcmp(p
, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */
242 return GSS_S_BAD_SIG
;
244 if (memcmp (p
, "\xff\xff\xff\xff", 4) != 0)
245 return GSS_S_BAD_MIC
;
248 ret
= arcfour_mic_cksum(key
, KRB5_KU_USAGE_SIGN
,
249 cksum_data
, sizeof(cksum_data
),
251 message_buffer
->value
, message_buffer
->length
,
255 return GSS_S_FAILURE
;
258 ret
= arcfour_mic_key(gssapi_krb5_context
, key
,
259 cksum_data
, sizeof(cksum_data
),
260 k6_data
, sizeof(k6_data
));
263 return GSS_S_FAILURE
;
266 cmp
= memcmp(cksum_data
, p
+ 8, 8);
269 return GSS_S_BAD_MIC
;
275 RC4_set_key (&rc4_key
, sizeof(k6_data
), k6_data
);
276 RC4 (&rc4_key
, 8, p
, SND_SEQ
);
278 memset(&rc4_key
, 0, sizeof(rc4_key
));
279 memset(k6_data
, 0, sizeof(k6_data
));
282 gssapi_decode_be_om_uint32(SND_SEQ
, &seq_number
);
284 if (context_handle
->more_flags
& LOCAL
)
285 cmp
= memcmp(&SND_SEQ
[4], "\xff\xff\xff\xff", 4);
287 cmp
= memcmp(&SND_SEQ
[4], "\x00\x00\x00\x00", 4);
289 memset(SND_SEQ
, 0, sizeof(SND_SEQ
));
292 return GSS_S_BAD_MIC
;
295 krb5_auth_con_getlocalseqnumber (gssapi_krb5_context
,
296 context_handle
->auth_context
,
299 if (seq_number
!= seq_number2
) {
301 return GSS_S_UNSEQ_TOKEN
;
304 krb5_auth_con_setlocalseqnumber (gssapi_krb5_context
,
305 context_handle
->auth_context
,
309 return GSS_S_COMPLETE
;
313 _gssapi_wrap_arcfour(OM_uint32
* minor_status
,
314 const gss_ctx_id_t context_handle
,
317 const gss_buffer_t input_message_buffer
,
319 gss_buffer_t output_message_buffer
,
322 u_char Klocaldata
[16], k6_data
[16], *p
, *p0
;
323 size_t len
, total_len
, datalen
;
324 krb5_keyblock Klocal
;
331 datalen
= input_message_buffer
->length
+ 1 /* padding */;
333 gssapi_krb5_encap_length (len
, &len
, &total_len
);
335 output_message_buffer
->length
= total_len
;
336 output_message_buffer
->value
= malloc (total_len
);
337 if (output_message_buffer
->value
== NULL
) {
338 *minor_status
= ENOMEM
;
339 return GSS_S_FAILURE
;
342 p0
= _gssapi_make_mech_header(output_message_buffer
->value
,
346 *p
++ = 0x02; /* TOK_ID */
348 *p
++ = 0x11; /* SGN_ALG */
351 *p
++ = 0x10; /* SEAL_ALG */
354 *p
++ = 0xff; /* SEAL_ALG */
357 *p
++ = 0xff; /* Filler */
362 krb5_auth_con_getlocalseqnumber (gssapi_krb5_context
,
363 context_handle
->auth_context
,
366 gssapi_encode_be_om_uint32(seq_number
, p0
+ 8);
368 krb5_auth_con_setlocalseqnumber (gssapi_krb5_context
,
369 context_handle
->auth_context
,
373 (context_handle
->more_flags
& LOCAL
) ? 0 : 0xff,
376 krb5_generate_random_block(p0
+ 24, 8); /* fill in Confounder */
378 /* p points to data */
379 p
= p0
+ GSS_ARCFOUR_WRAP_TOKEN_SIZE
;
380 memcpy(p
, input_message_buffer
->value
, input_message_buffer
->length
);
381 p
[input_message_buffer
->length
] = 1; /* PADDING */
383 ret
= arcfour_mic_cksum(key
, KRB5_KU_USAGE_SEAL
,
384 p0
+ 16, 8, /* SGN_CKSUM */
385 p0
, 8, /* TOK_ID, SGN_ALG, SEAL_ALG, Filler */
386 p0
+ 24, 8, /* Confounder */
387 p0
+ GSS_ARCFOUR_WRAP_TOKEN_SIZE
,
391 gss_release_buffer(minor_status
, output_message_buffer
);
392 return GSS_S_FAILURE
;
398 Klocal
.keytype
= key
->keytype
;
399 Klocal
.keyvalue
.data
= Klocaldata
;
400 Klocal
.keyvalue
.length
= sizeof(Klocaldata
);
402 for (i
= 0; i
< 16; i
++)
403 Klocaldata
[i
] = ((u_char
*)key
->keyvalue
.data
)[i
] ^ 0xF0;
405 ret
= arcfour_mic_key(gssapi_krb5_context
, &Klocal
,
406 p0
+ 8, 4, /* SND_SEQ */
407 k6_data
, sizeof(k6_data
));
408 memset(Klocaldata
, 0, sizeof(Klocaldata
));
410 gss_release_buffer(minor_status
, output_message_buffer
);
412 return GSS_S_FAILURE
;
419 RC4_set_key (&rc4_key
, sizeof(k6_data
), k6_data
);
421 RC4 (&rc4_key
, 8 + datalen
, p0
+ 24, p0
+ 24); /* Confounder + data */
422 memset(&rc4_key
, 0, sizeof(rc4_key
));
424 memset(k6_data
, 0, sizeof(k6_data
));
426 ret
= arcfour_mic_key(gssapi_krb5_context
, key
,
427 p0
+ 16, 8, /* SGN_CKSUM */
428 k6_data
, sizeof(k6_data
));
430 gss_release_buffer(minor_status
, output_message_buffer
);
432 return GSS_S_FAILURE
;
438 RC4_set_key (&rc4_key
, sizeof(k6_data
), k6_data
);
439 RC4 (&rc4_key
, 8, p0
+ 8, p0
+ 8); /* SND_SEQ */
440 memset(&rc4_key
, 0, sizeof(rc4_key
));
441 memset(k6_data
, 0, sizeof(k6_data
));
445 *conf_state
= conf_req_flag
;
448 return GSS_S_COMPLETE
;
451 OM_uint32
_gssapi_unwrap_arcfour(OM_uint32
*minor_status
,
452 const gss_ctx_id_t context_handle
,
453 const gss_buffer_t input_message_buffer
,
454 gss_buffer_t output_message_buffer
,
456 gss_qop_t
*qop_state
,
459 u_char Klocaldata
[16];
460 krb5_keyblock Klocal
;
462 int32_t seq_number
, seq_number2
;
465 char k6_data
[16], SND_SEQ
[8], Confounder
[8];
477 p0
= input_message_buffer
->value
;
478 omret
= _gssapi_verify_mech_header(&p0
,
479 input_message_buffer
->length
);
484 datalen
= input_message_buffer
->length
-
485 (p
- ((u_char
*)input_message_buffer
->value
)) -
486 GSS_ARCFOUR_WRAP_TOKEN_SIZE
;
488 if (memcmp(p
, "\x02\x01", 2) != 0)
489 return GSS_S_BAD_SIG
;
491 if (memcmp(p
, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */
492 return GSS_S_BAD_SIG
;
495 if (memcmp (p
, "\x10\x00", 2) == 0)
497 else if (memcmp (p
, "\xff\xff", 2) == 0)
500 return GSS_S_BAD_SIG
;
503 if (memcmp (p
, "\xff\xff", 2) != 0)
504 return GSS_S_BAD_MIC
;
507 ret
= arcfour_mic_key(gssapi_krb5_context
, key
,
508 p0
+ 16, 8, /* SGN_CKSUM */
509 k6_data
, sizeof(k6_data
));
512 return GSS_S_FAILURE
;
518 RC4_set_key (&rc4_key
, sizeof(k6_data
), k6_data
);
519 RC4 (&rc4_key
, 8, p0
+ 8, SND_SEQ
); /* SND_SEQ */
520 memset(&rc4_key
, 0, sizeof(rc4_key
));
521 memset(k6_data
, 0, sizeof(k6_data
));
524 gssapi_decode_be_om_uint32(SND_SEQ
, &seq_number
);
526 if (context_handle
->more_flags
& LOCAL
)
527 cmp
= memcmp(&SND_SEQ
[4], "\xff\xff\xff\xff", 4);
529 cmp
= memcmp(&SND_SEQ
[4], "\x00\x00\x00\x00", 4);
533 return GSS_S_BAD_MIC
;
539 Klocal
.keytype
= key
->keytype
;
540 Klocal
.keyvalue
.data
= Klocaldata
;
541 Klocal
.keyvalue
.length
= sizeof(Klocaldata
);
543 for (i
= 0; i
< 16; i
++)
544 Klocaldata
[i
] = ((u_char
*)key
->keyvalue
.data
)[i
] ^ 0xF0;
546 ret
= arcfour_mic_key(gssapi_krb5_context
, &Klocal
,
548 k6_data
, sizeof(k6_data
));
549 memset(Klocaldata
, 0, sizeof(Klocaldata
));
552 return GSS_S_FAILURE
;
555 output_message_buffer
->value
= malloc(datalen
);
556 if (output_message_buffer
->value
== NULL
) {
557 *minor_status
= ENOMEM
;
558 return GSS_S_FAILURE
;
560 output_message_buffer
->length
= datalen
;
565 RC4_set_key (&rc4_key
, sizeof(k6_data
), k6_data
);
566 RC4 (&rc4_key
, 8, p0
+ 24, Confounder
); /* Confounder */
567 RC4 (&rc4_key
, datalen
, p0
+ GSS_ARCFOUR_WRAP_TOKEN_SIZE
,
568 output_message_buffer
->value
);
569 memset(&rc4_key
, 0, sizeof(rc4_key
));
571 memcpy(Confounder
, p0
+ 24, 8); /* Confounder */
572 memcpy(output_message_buffer
->value
,
573 p0
+ GSS_ARCFOUR_WRAP_TOKEN_SIZE
,
576 memset(k6_data
, 0, sizeof(k6_data
));
578 ret
= _gssapi_verify_pad(output_message_buffer
, datalen
, &padlen
);
580 gss_release_buffer(minor_status
, output_message_buffer
);
584 output_message_buffer
->length
-= padlen
;
586 ret
= arcfour_mic_cksum(key
, KRB5_KU_USAGE_SEAL
,
587 cksum_data
, sizeof(cksum_data
),
589 Confounder
, sizeof(Confounder
),
590 output_message_buffer
->value
,
591 output_message_buffer
->length
+ padlen
);
593 gss_release_buffer(minor_status
, output_message_buffer
);
595 return GSS_S_FAILURE
;
598 cmp
= memcmp(cksum_data
, p0
+ 16, 8); /* SGN_CKSUM */
600 gss_release_buffer(minor_status
, output_message_buffer
);
602 return GSS_S_BAD_MIC
;
605 krb5_auth_getremoteseqnumber (gssapi_krb5_context
,
606 context_handle
->auth_context
,
609 if (seq_number
!= seq_number2
) {
611 return GSS_S_UNSEQ_TOKEN
;
614 krb5_auth_con_setremoteseqnumber (gssapi_krb5_context
,
615 context_handle
->auth_context
,
619 *conf_state
= conf_flag
;
622 return GSS_S_COMPLETE
;