search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
x
[heimdal.git] / lib / gssapi / krb5 / unwrap.c
blob1b282acd6cd04d100bd256f972b7ddef1a867c00
1 /*
2 * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "gssapi_locl.h"
35
36 RCSID("$Id$");
37
38 OM_uint32
39 gss_krb5_get_remotekey(const gss_ctx_id_t context_handle,
40 krb5_keyblock **key)
41 {
42 krb5_keyblock *skey;
43
44 krb5_auth_con_getremotesubkey(gssapi_krb5_context,
45 context_handle->auth_context,
46 &skey);
47 if(skey == NULL)
48 krb5_auth_con_getlocalsubkey(gssapi_krb5_context,
49 context_handle->auth_context,
50 &skey);
51 if(skey == NULL)
52 krb5_auth_con_getkey(gssapi_krb5_context,
53 context_handle->auth_context,
54 &skey);
55 if(skey == NULL)
56 return GSS_S_FAILURE;
57 *key = skey;
58 return 0;
59 }
60
61 static OM_uint32
62 unwrap_des
63 (OM_uint32 * minor_status,
64 const gss_ctx_id_t context_handle,
65 const gss_buffer_t input_message_buffer,
66 gss_buffer_t output_message_buffer,
67 int * conf_state,
68 gss_qop_t * qop_state,
69 krb5_keyblock *key
70 )
71 {
72 u_char *p, *pad;
73 size_t len;
74 MD5_CTX md5;
75 u_char hash[16], seq_data[8];
76 des_key_schedule schedule;
77 des_cblock deskey;
78 des_cblock zero;
79 int i;
80 int32_t seq_number;
81 size_t padlength;
82 OM_uint32 ret;
83 int cstate;
84
85 p = input_message_buffer->value;
86 ret = gssapi_krb5_verify_header (&p,
87 input_message_buffer->length,
88 "\x02\x01");
89 if (ret) {
90 *minor_status = 0;
91 return ret;
92 }
93
94 if (memcmp (p, "\x00\x00", 2) != 0)
95 return GSS_S_BAD_SIG;
96 p += 2;
97 if (memcmp (p, "\x00\x00", 2) == 0) {
98 cstate = 1;
99 } else if (memcmp (p, "\xFF\xFF", 2) == 0) {
100 cstate = 0;
101 } else
102 return GSS_S_BAD_MIC;
103 p += 2;
104 if(conf_state != NULL)
105 *conf_state = cstate;
106 if (memcmp (p, "\xff\xff", 2) != 0)
107 return GSS_S_DEFECTIVE_TOKEN;
108 p += 2;
109 p += 16;
110
111 len = p - (u_char *)input_message_buffer->value;
112
113 if(cstate) {
114 /* decrypt data */
115 memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
116
117 for (i = 0; i < sizeof(deskey); ++i)
118 deskey[i] ^= 0xf0;
119 des_set_key (&deskey, schedule);
120 memset (&zero, 0, sizeof(zero));
121 des_cbc_encrypt ((void *)p,
122 (void *)p,
123 input_message_buffer->length - len,
124 schedule,
125 &zero,
126 DES_DECRYPT);
127
128 memset (deskey, 0, sizeof(deskey));
129 memset (schedule, 0, sizeof(schedule));
130 }
131 /* check pad */
132
133 pad = (u_char *)input_message_buffer->value + input_message_buffer->length - 1;
134 padlength = *pad;
135
136 for (i = padlength; i > 0 && *pad == padlength; i--, pad--)
137 ;
138 if (i != 0)
139 return GSS_S_BAD_MIC;
140
141 MD5_Init (&md5);
142 MD5_Update (&md5, p - 24, 8);
143 MD5_Update (&md5, p, input_message_buffer->length - len);
144 MD5_Final (hash, &md5);
145
146 memset (&zero, 0, sizeof(zero));
147 memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
148 des_set_key (&deskey, schedule);
149 des_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
150 schedule, &zero);
151 if (memcmp (p - 8, hash, 8) != 0)
152 return GSS_S_BAD_MIC;
153
154 /* verify sequence number */
155
156 krb5_auth_getremoteseqnumber (gssapi_krb5_context,
157 context_handle->auth_context,
158 &seq_number);
159 seq_data[0] = (seq_number >> 0) & 0xFF;
160 seq_data[1] = (seq_number >> 8) & 0xFF;
161 seq_data[2] = (seq_number >> 16) & 0xFF;
162 seq_data[3] = (seq_number >> 24) & 0xFF;
163 memset (seq_data + 4,
164 (context_handle->more_flags & LOCAL) ? 0xFF : 0,
165 4);
166
167 p -= 16;
168 des_set_key (&deskey, schedule);
169 des_cbc_encrypt ((void *)p, (void *)p, 8,
170 schedule, (des_cblock *)hash, DES_DECRYPT);
171
172 memset (deskey, 0, sizeof(deskey));
173 memset (schedule, 0, sizeof(schedule));
174
175 if (memcmp (p, seq_data, 8) != 0) {
176 return GSS_S_BAD_MIC;
177 }
178
179 krb5_auth_con_setremoteseqnumber (gssapi_krb5_context,
180 context_handle->auth_context,
181 ++seq_number);
182
183 /* copy out data */
184
185 output_message_buffer->length = input_message_buffer->length
186 - len - padlength - 8;
187 output_message_buffer->value = malloc(output_message_buffer->length);
188 if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
189 return GSS_S_FAILURE;
190 memcpy (output_message_buffer->value,
191 p + 24,
192 output_message_buffer->length);
193 return GSS_S_COMPLETE;
194 }
195
196 static OM_uint32
197 unwrap_des3
198 (OM_uint32 * minor_status,
199 const gss_ctx_id_t context_handle,
200 const gss_buffer_t input_message_buffer,
201 gss_buffer_t output_message_buffer,
202 int * conf_state,
203 gss_qop_t * qop_state,
204 krb5_keyblock *key
205 )
206 {
207 u_char *p, *pad;
208 size_t len;
209 u_char seq[8];
210 krb5_data seq_data;
211 u_char cksum[20];
212 int i;
213 int32_t seq_number;
214 size_t padlength;
215 OM_uint32 ret;
216 int cstate;
217 krb5_crypto crypto;
218 Checksum csum;
219 int cmp;
220
221 p = input_message_buffer->value;
222 ret = gssapi_krb5_verify_header (&p,
223 input_message_buffer->length,
224 "\x02\x01");
225 if (ret)
226 return ret;
227
228 if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
229 return GSS_S_BAD_SIG;
230 p += 2;
231 if (memcmp (p, "\x02\x00", 2) == 0) {
232 cstate = 1;
233 } else if (memcmp (p, "\xff\xff", 2) == 0) {
234 cstate = 0;
235 } else
236 return GSS_S_BAD_MIC;
237 p += 2;
238 if(conf_state != NULL)
239 *conf_state = cstate;
240 if (memcmp (p, "\xff\xff", 2) != 0)
241 return GSS_S_DEFECTIVE_TOKEN;
242 p += 2;
243 p += 28;
244
245 len = p - (u_char *)input_message_buffer->value;
246
247 if(cstate) {
248 /* decrypt data */
249 krb5_data tmp;
250
251 ret = krb5_crypto_init(gssapi_krb5_context, key,
252 ETYPE_DES3_CBC_NONE, &crypto);
253 if (ret) {
254 gssapi_krb5_set_error_string ();
255 *minor_status = ret;
256 return GSS_S_FAILURE;
257 }
258 ret = krb5_decrypt(gssapi_krb5_context, crypto, KRB5_KU_USAGE_SEAL,
259 p, input_message_buffer->length - len, &tmp);
260 krb5_crypto_destroy(gssapi_krb5_context, crypto);
261 if (ret) {
262 gssapi_krb5_set_error_string ();
263 *minor_status = ret;
264 return GSS_S_FAILURE;
265 }
266 assert (tmp.length == input_message_buffer->length - len);
267
268 memcpy (p, tmp.data, tmp.length);
269 krb5_data_free(&tmp);
270 }
271 /* check pad */
272
273 pad = (u_char *)input_message_buffer->value + input_message_buffer->length - 1;
274 padlength = *pad;
275
276 for (i = padlength; i > 0 && *pad == padlength; i--, pad--)
277 ;
278 if (i != 0)
279 return GSS_S_BAD_MIC;
280
281 /* verify sequence number */
282
283 krb5_auth_getremoteseqnumber (gssapi_krb5_context,
284 context_handle->auth_context,
285 &seq_number);
286 seq[0] = (seq_number >> 0) & 0xFF;
287 seq[1] = (seq_number >> 8) & 0xFF;
288 seq[2] = (seq_number >> 16) & 0xFF;
289 seq[3] = (seq_number >> 24) & 0xFF;
290 memset (seq + 4,
291 (context_handle->more_flags & LOCAL) ? 0xFF : 0,
292 4);
293
294 p -= 28;
295
296 ret = krb5_crypto_init(gssapi_krb5_context, key,
297 ETYPE_DES3_CBC_NONE_IVEC, &crypto);
298 if (ret) {
299 gssapi_krb5_set_error_string ();
300 *minor_status = ret;
301 return GSS_S_FAILURE;
302 }
303 {
304 des_cblock ivec;
305
306 memcpy(&ivec, p + 8, 8);
307 ret = krb5_decrypt_ivec (gssapi_krb5_context,
308 crypto,
309 KRB5_KU_USAGE_SEQ,
310 p, 8, &seq_data,
311 &ivec);
312 }
313 krb5_crypto_destroy (gssapi_krb5_context, crypto);
314 if (ret) {
315 gssapi_krb5_set_error_string ();
316 *minor_status = ret;
317 return GSS_S_FAILURE;
318 }
319 if (seq_data.length != 8) {
320 krb5_data_free (&seq_data);
321 return GSS_S_BAD_MIC;
322 }
323
324 cmp = memcmp (seq, seq_data.data, seq_data.length);
325 krb5_data_free (&seq_data);
326 if (cmp != 0) {
327 return GSS_S_BAD_MIC;
328 }
329
330 krb5_auth_con_setremoteseqnumber (gssapi_krb5_context,
331 context_handle->auth_context,
332 ++seq_number);
333
334 /* verify checksum */
335
336 memcpy (cksum, p + 8, 20);
337
338 memcpy (p + 20, p - 8, 8);
339
340 csum.cksumtype = CKSUMTYPE_HMAC_SHA1_DES3;
341 csum.checksum.length = 20;
342 csum.checksum.data = cksum;
343
344 ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
345 if (ret) {
346 gssapi_krb5_set_error_string ();
347 *minor_status = ret;
348 return GSS_S_FAILURE;
349 }
350
351 ret = krb5_verify_checksum (gssapi_krb5_context, crypto,
352 KRB5_KU_USAGE_SIGN,
353 p + 20,
354 input_message_buffer->length - len + 8,
355 &csum);
356 krb5_crypto_destroy (gssapi_krb5_context, crypto);
357 if (ret) {
358 gssapi_krb5_set_error_string ();
359 *minor_status = ret;
360 return GSS_S_FAILURE;
361 }
362
363 /* copy out data */
364
365 output_message_buffer->length = input_message_buffer->length
366 - len - padlength - 8;
367 output_message_buffer->value = malloc(output_message_buffer->length);
368 if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
369 return GSS_S_FAILURE;
370 memcpy (output_message_buffer->value,
371 p + 36,
372 output_message_buffer->length);
373 return GSS_S_COMPLETE;
374 }
375
376 OM_uint32 gss_unwrap
377 (OM_uint32 * minor_status,
378 const gss_ctx_id_t context_handle,
379 const gss_buffer_t input_message_buffer,
380 gss_buffer_t output_message_buffer,
381 int * conf_state,
382 gss_qop_t * qop_state
383 )
384 {
385 krb5_keyblock *key;
386 OM_uint32 ret;
387 krb5_keytype keytype;
388
389 ret = gss_krb5_get_remotekey(context_handle, &key);
390 if (ret) {
391 gssapi_krb5_set_error_string ();
392 *minor_status = ret;
393 return GSS_S_FAILURE;
394 }
395 krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
396
397 switch (keytype) {
398 case KEYTYPE_DES :
399 ret = unwrap_des (minor_status, context_handle,
400 input_message_buffer, output_message_buffer,
401 conf_state, qop_state, key);
402 break;
403 case KEYTYPE_DES3 :
404 ret = unwrap_des3 (minor_status, context_handle,
405 input_message_buffer, output_message_buffer,
406 conf_state, qop_state, key);
407 break;
408 default :
409 *minor_status = KRB5_PROG_ETYPE_NOSUPP;
410 ret = GSS_S_FAILURE;
411 break;
412 }
413 krb5_free_keyblock (gssapi_krb5_context, key);
414 return ret;
415 }
Heimdal