lib/gssapi/krb5/verify_mic.c

   1 /*
   2  * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #include "gssapi_locl.h"
  35
  36 RCSID("$Id$");
  37
  38 static OM_uint32
  39 verify_mic_des
  40            (OM_uint32 * minor_status,
  41             const gss_ctx_id_t context_handle,
  42             const gss_buffer_t message_buffer,
  43             const gss_buffer_t token_buffer,
  44             gss_qop_t * qop_state,
  45             krb5_keyblock *key
  46             )
  47 {
  48   u_char *p;
  49   MD5_CTX md5;
  50   u_char hash[16], seq_data[8];
  51   des_key_schedule schedule;
  52   des_cblock zero;
  53   des_cblock deskey;
  54   int32_t seq_number;
  55   OM_uint32 ret;
  56
  57   p = token_buffer->value;
  58   ret = gssapi_krb5_verify_header (&p,
  59                                    token_buffer->length,
  60                                    "\x01\x01");
  61   if (ret)
  62       return ret;
  63
  64   if (memcmp(p, "\x00\x00", 2) != 0)
  65       return GSS_S_BAD_SIG;
  66   p += 2;
  67   if (memcmp (p, "\xff\xff\xff\xff", 4) != 0)
  68     return GSS_S_BAD_MIC;
  69   p += 4;
  70   p += 16;
  71
  72   /* verify checksum */
  73   MD5_Init (&md5);
  74   MD5_Update (&md5, p - 24, 8);
  75   MD5_Update (&md5, message_buffer->value,
  76              message_buffer->length);
  77   MD5_Final (hash, &md5);
  78
  79   memset (&zero, 0, sizeof(zero));
  80   memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
  81
  82   des_set_key (&deskey, schedule);
  83   des_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
  84                  schedule, &zero);
  85   if (memcmp (p - 8, hash, 8) != 0) {
  86     memset (deskey, 0, sizeof(deskey));
  87     memset (schedule, 0, sizeof(schedule));
  88     return GSS_S_BAD_MIC;
  89   }
  90
  91   /* verify sequence number */
  92
  93   krb5_auth_getremoteseqnumber (gssapi_krb5_context,
  94                                 context_handle->auth_context,
  95                                 &seq_number);
  96   seq_data[0] = (seq_number >> 0)  & 0xFF;
  97   seq_data[1] = (seq_number >> 8)  & 0xFF;
  98   seq_data[2] = (seq_number >> 16) & 0xFF;
  99   seq_data[3] = (seq_number >> 24) & 0xFF;
 100   memset (seq_data + 4,
 101           (context_handle->more_flags & LOCAL) ? 0xFF : 0,
 102           4);
 103
 104   p -= 16;
 105   des_set_key (&deskey, schedule);
 106   des_cbc_encrypt ((void *)p, (void *)p, 8,
 107                    schedule, (des_cblock *)hash, DES_DECRYPT);
 108
 109   memset (deskey, 0, sizeof(deskey));
 110   memset (schedule, 0, sizeof(schedule));
 111
 112   if (memcmp (p, seq_data, 8) != 0) {
 113     return GSS_S_BAD_MIC;
 114   }
 115
 116   krb5_auth_con_setremoteseqnumber (gssapi_krb5_context,
 117                                 context_handle->auth_context,
 118                                 ++seq_number);
 119
 120   return GSS_S_COMPLETE;
 121 }
 122
 123 static OM_uint32
 124 verify_mic_des3
 125            (OM_uint32 * minor_status,
 126             const gss_ctx_id_t context_handle,
 127             const gss_buffer_t message_buffer,
 128             const gss_buffer_t token_buffer,
 129             gss_qop_t * qop_state,
 130             krb5_keyblock *key
 131             )
 132 {
 133   u_char *p;
 134   u_char seq[8];
 135   int32_t seq_number;
 136   OM_uint32 ret;
 137   krb5_crypto crypto;
 138   krb5_data seq_data;
 139   int cmp;
 140   Checksum csum;
 141   char *tmp;
 142
 143   p = token_buffer->value;
 144   ret = gssapi_krb5_verify_header (&p,
 145                                    token_buffer->length,
 146                                    "\x01\x01");
 147   if (ret)
 148       return ret;
 149
 150   if (memcmp(p, "\x04\x00", 2) != 0) /* SGN_ALG = HMAC SHA1 DES3-KD */
 151       return GSS_S_BAD_SIG;
 152   p += 2;
 153   if (memcmp (p, "\xff\xff\xff\xff", 4) != 0)
 154     return GSS_S_BAD_MIC;
 155   p += 4;
 156
 157   ret = krb5_crypto_init(gssapi_krb5_context, key,
 158                          ETYPE_DES3_CBC_NONE, &crypto);
 159   if (ret){
 160       gssapi_krb5_set_error_string ();
 161       *minor_status = ret;
 162       return GSS_S_FAILURE;
 163   }
 164
 165   /* verify sequence number */
 166
 167   ret = krb5_decrypt (gssapi_krb5_context,
 168                       crypto,
 169                       KRB5_KU_USAGE_SEQ,
 170                       p, 8, &seq_data);
 171   if (ret) {
 172       gssapi_krb5_set_error_string ();
 173       krb5_crypto_destroy (gssapi_krb5_context, crypto);
 174       *minor_status = ret;
 175       return GSS_S_FAILURE;
 176   }
 177
 178   if (seq_data.length != 8) {
 179       krb5_crypto_destroy (gssapi_krb5_context, crypto);
 180       krb5_data_free (&seq_data);
 181       return GSS_S_BAD_MIC;
 182   }
 183
 184   krb5_auth_getremoteseqnumber (gssapi_krb5_context,
 185                                 context_handle->auth_context,
 186                                 &seq_number);
 187   seq[0] = (seq_number >> 0)  & 0xFF;
 188   seq[1] = (seq_number >> 8)  & 0xFF;
 189   seq[2] = (seq_number >> 16) & 0xFF;
 190   seq[3] = (seq_number >> 24) & 0xFF;
 191   memset (seq + 4,
 192           (context_handle->more_flags & LOCAL) ? 0xFF : 0,
 193           4);
 194   cmp = memcmp (seq, seq_data.data, seq_data.length);
 195   krb5_data_free (&seq_data);
 196   if (cmp != 0) {
 197       krb5_crypto_destroy (gssapi_krb5_context, crypto);
 198       return GSS_S_BAD_MIC;
 199   }
 200
 201   /* verify checksum */
 202
 203   tmp = malloc (message_buffer->length + 8);
 204   if (tmp == NULL) {
 205       krb5_crypto_destroy (gssapi_krb5_context, crypto);
 206       *minor_status = ENOMEM;
 207       return GSS_S_FAILURE;
 208   }
 209
 210   memcpy (tmp, p - 8, 8);
 211   memcpy (tmp + 8, message_buffer->value, message_buffer->length);
 212
 213   csum.cksumtype = CKSUMTYPE_HMAC_SHA1_DES3;
 214   csum.checksum.length = 20;
 215   csum.checksum.data   = p + 8;
 216
 217   ret = krb5_verify_checksum (gssapi_krb5_context, crypto,
 218                               KRB5_KU_USAGE_SIGN,
 219                               tmp, message_buffer->length + 8,
 220                               &csum);
 221   free (tmp);
 222   if (ret) {
 223       gssapi_krb5_set_error_string ();
 224       krb5_crypto_destroy (gssapi_krb5_context, crypto);
 225       *minor_status = ret;
 226       return GSS_S_BAD_MIC;
 227   }
 228
 229   krb5_auth_con_setremoteseqnumber (gssapi_krb5_context,
 230                                 context_handle->auth_context,
 231                                 ++seq_number);
 232
 233   krb5_crypto_destroy (gssapi_krb5_context, crypto);
 234   return GSS_S_COMPLETE;
 235 }
 236
 237 OM_uint32
 238 gss_verify_mic
 239            (OM_uint32 * minor_status,
 240             const gss_ctx_id_t context_handle,
 241             const gss_buffer_t message_buffer,
 242             const gss_buffer_t token_buffer,
 243             gss_qop_t * qop_state
 244             )
 245 {
 246     krb5_keyblock *key;
 247     OM_uint32 ret;
 248     krb5_keytype keytype;
 249
 250     ret = gss_krb5_get_remotekey(context_handle, &key);
 251     if (ret) {
 252         gssapi_krb5_set_error_string ();
 253         *minor_status = ret;
 254         return GSS_S_FAILURE;
 255     }
 256     krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
 257     switch (keytype) {
 258     case KEYTYPE_DES :
 259         ret = verify_mic_des (minor_status, context_handle,
 260                               message_buffer, token_buffer, qop_state, key);
 261         break;
 262     case KEYTYPE_DES3 :
 263         ret = verify_mic_des3 (minor_status, context_handle,
 264                                message_buffer, token_buffer, qop_state, key);
 265         break;
 266     default :
 267         *minor_status = KRB5_PROG_ETYPE_NOSUPP;
 268         ret = GSS_S_FAILURE;
 269         break;
 270     }
 271     krb5_free_keyblock (gssapi_krb5_context, key);
 272     return ret;
 273 }