2 * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "gssapi_locl.h"
36 RCSID("$Id: get_mic.c,v 1.21.2.1 2003/09/18 22:05:12 lha Exp $");
40 (OM_uint32
* minor_status
,
41 const gss_ctx_id_t context_handle
,
43 const gss_buffer_t message_buffer
,
44 gss_buffer_t message_token
,
51 des_key_schedule schedule
;
55 size_t len
, total_len
;
57 gssapi_krb5_encap_length (22, &len
, &total_len
);
59 message_token
->length
= total_len
;
60 message_token
->value
= malloc (total_len
);
61 if (message_token
->value
== NULL
) {
62 *minor_status
= ENOMEM
;
66 p
= gssapi_krb5_make_header(message_token
->value
,
68 "\x01\x01"); /* TOK_ID */
70 memcpy (p
, "\x00\x00", 2); /* SGN_ALG = DES MAC MD5 */
73 memcpy (p
, "\xff\xff\xff\xff", 4); /* Filler */
76 /* Fill in later (SND-SEQ) */
82 MD5_Update (&md5
, p
- 24, 8);
83 MD5_Update (&md5
, message_buffer
->value
, message_buffer
->length
);
84 MD5_Final (hash
, &md5
);
86 memset (&zero
, 0, sizeof(zero
));
87 memcpy (&deskey
, key
->keyvalue
.data
, sizeof(deskey
));
88 des_set_key (&deskey
, schedule
);
89 des_cbc_cksum ((void *)hash
, (void *)hash
, sizeof(hash
),
91 memcpy (p
- 8, hash
, 8); /* SGN_CKSUM */
94 krb5_auth_con_getlocalseqnumber (gssapi_krb5_context
,
95 context_handle
->auth_context
,
98 p
-= 16; /* SND_SEQ */
99 p
[0] = (seq_number
>> 0) & 0xFF;
100 p
[1] = (seq_number
>> 8) & 0xFF;
101 p
[2] = (seq_number
>> 16) & 0xFF;
102 p
[3] = (seq_number
>> 24) & 0xFF;
104 (context_handle
->more_flags
& LOCAL
) ? 0 : 0xFF,
107 des_set_key (&deskey
, schedule
);
108 des_cbc_encrypt ((void *)p
, (void *)p
, 8,
109 schedule
, (des_cblock
*)(p
+ 8), DES_ENCRYPT
);
111 krb5_auth_con_setlocalseqnumber (gssapi_krb5_context
,
112 context_handle
->auth_context
,
115 memset (deskey
, 0, sizeof(deskey
));
116 memset (schedule
, 0, sizeof(schedule
));
119 return GSS_S_COMPLETE
;
124 (OM_uint32
* minor_status
,
125 const gss_ctx_id_t context_handle
,
127 const gss_buffer_t message_buffer
,
128 gss_buffer_t message_token
,
137 size_t len
, total_len
;
140 krb5_error_code kret
;
145 gssapi_krb5_encap_length (36, &len
, &total_len
);
147 message_token
->length
= total_len
;
148 message_token
->value
= malloc (total_len
);
149 if (message_token
->value
== NULL
) {
150 *minor_status
= ENOMEM
;
151 return GSS_S_FAILURE
;
154 p
= gssapi_krb5_make_header(message_token
->value
,
156 "\x01\x01"); /* TOK-ID */
158 memcpy (p
, "\x04\x00", 2); /* SGN_ALG = HMAC SHA1 DES3-KD */
161 memcpy (p
, "\xff\xff\xff\xff", 4); /* filler */
164 /* this should be done in parts */
166 tmp
= malloc (message_buffer
->length
+ 8);
168 free (message_token
->value
);
169 *minor_status
= ENOMEM
;
170 return GSS_S_FAILURE
;
172 memcpy (tmp
, p
- 8, 8);
173 memcpy (tmp
+ 8, message_buffer
->value
, message_buffer
->length
);
175 kret
= krb5_crypto_init(gssapi_krb5_context
, key
, 0, &crypto
);
177 free (message_token
->value
);
179 gssapi_krb5_set_error_string ();
180 *minor_status
= kret
;
181 return GSS_S_FAILURE
;
184 kret
= krb5_create_checksum (gssapi_krb5_context
,
189 message_buffer
->length
+ 8,
192 krb5_crypto_destroy (gssapi_krb5_context
, crypto
);
194 free (message_token
->value
);
195 gssapi_krb5_set_error_string ();
196 *minor_status
= kret
;
197 return GSS_S_FAILURE
;
200 memcpy (p
+ 8, cksum
.checksum
.data
, cksum
.checksum
.length
);
202 /* sequence number */
203 krb5_auth_con_getlocalseqnumber (gssapi_krb5_context
,
204 context_handle
->auth_context
,
207 seq
[0] = (seq_number
>> 0) & 0xFF;
208 seq
[1] = (seq_number
>> 8) & 0xFF;
209 seq
[2] = (seq_number
>> 16) & 0xFF;
210 seq
[3] = (seq_number
>> 24) & 0xFF;
212 (context_handle
->more_flags
& LOCAL
) ? 0 : 0xFF,
215 kret
= krb5_crypto_init(gssapi_krb5_context
, key
,
216 ETYPE_DES3_CBC_NONE
, &crypto
);
218 free (message_token
->value
);
219 gssapi_krb5_set_error_string ();
220 *minor_status
= kret
;
221 return GSS_S_FAILURE
;
224 if (context_handle
->more_flags
& COMPAT_OLD_DES3
)
227 memcpy(ivec
, p
+ 8, 8);
229 kret
= krb5_encrypt_ivec (gssapi_krb5_context
,
232 seq
, 8, &encdata
, ivec
);
233 krb5_crypto_destroy (gssapi_krb5_context
, crypto
);
235 free (message_token
->value
);
236 gssapi_krb5_set_error_string ();
237 *minor_status
= kret
;
238 return GSS_S_FAILURE
;
241 assert (encdata
.length
== 8);
243 memcpy (p
, encdata
.data
, encdata
.length
);
244 krb5_data_free (&encdata
);
246 krb5_auth_con_setlocalseqnumber (gssapi_krb5_context
,
247 context_handle
->auth_context
,
250 free_Checksum (&cksum
);
252 return GSS_S_COMPLETE
;
255 OM_uint32 gss_get_mic
256 (OM_uint32
* minor_status
,
257 const gss_ctx_id_t context_handle
,
259 const gss_buffer_t message_buffer
,
260 gss_buffer_t message_token
265 krb5_keytype keytype
;
267 ret
= gss_krb5_get_localkey(context_handle
, &key
);
269 gssapi_krb5_set_error_string ();
271 return GSS_S_FAILURE
;
273 krb5_enctype_to_keytype (gssapi_krb5_context
, key
->keytype
, &keytype
);
277 ret
= mic_des (minor_status
, context_handle
, qop_req
,
278 message_buffer
, message_token
, key
);
281 ret
= mic_des3 (minor_status
, context_handle
, qop_req
,
282 message_buffer
, message_token
, key
);
284 case KEYTYPE_ARCFOUR
:
285 ret
= _gssapi_get_mic_arcfour (minor_status
, context_handle
, qop_req
,
286 message_buffer
, message_token
, key
);
289 *minor_status
= KRB5_PROG_ETYPE_NOSUPP
;
293 krb5_free_keyblock (gssapi_krb5_context
, key
);