2 * Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "krb5/gsskrb5_locl.h"
39 * Implements draft-brezak-win2k-krb-rc4-hmac-04.txt
41 * The arcfour message have the following formats:
61 * WRAP in DCE-style have a fixed size header, the oid and length over
62 * the WRAP header is a total of
63 * GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE +
64 * GSS_ARCFOUR_WRAP_TOKEN_SIZE byte (ie total of 45 bytes overhead,
65 * remember the 2 bytes from APPL [0] SEQ).
68 #define GSS_ARCFOUR_WRAP_TOKEN_SIZE 32
69 #define GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE 13
72 static krb5_error_code
73 arcfour_mic_key(krb5_context context
, krb5_keyblock
*key
,
74 void *cksum_data
, size_t cksum_size
,
75 void *key6_data
, size_t key6_size
)
88 cksum_k5
.checksum
.data
= k5_data
;
89 cksum_k5
.checksum
.length
= sizeof(k5_data
);
91 if (key
->keytype
== KEYTYPE_ARCFOUR_56
) {
92 char L40
[14] = "fortybits";
94 memcpy(L40
+ 10, T
, sizeof(T
));
95 ret
= krb5_hmac(context
, CKSUMTYPE_RSA_MD5
,
96 L40
, 14, 0, key
, &cksum_k5
);
97 memset(&k5_data
[7], 0xAB, 9);
99 ret
= krb5_hmac(context
, CKSUMTYPE_RSA_MD5
,
100 T
, 4, 0, key
, &cksum_k5
);
105 key5
.keytype
= KEYTYPE_ARCFOUR
;
106 key5
.keyvalue
= cksum_k5
.checksum
;
108 cksum_k6
.checksum
.data
= key6_data
;
109 cksum_k6
.checksum
.length
= key6_size
;
111 return krb5_hmac(context
, CKSUMTYPE_RSA_MD5
,
112 cksum_data
, cksum_size
, 0, &key5
, &cksum_k6
);
116 static krb5_error_code
117 arcfour_mic_cksum(krb5_context context
,
118 krb5_keyblock
*key
, unsigned usage
,
119 u_char
*sgn_cksum
, size_t sgn_cksum_sz
,
120 const u_char
*v1
, size_t l1
,
121 const void *v2
, size_t l2
,
122 const void *v3
, size_t l3
)
130 assert(sgn_cksum_sz
== 8);
139 memcpy(ptr
+ l1
, v2
, l2
);
140 memcpy(ptr
+ l1
+ l2
, v3
, l3
);
142 ret
= krb5_crypto_init(context
, key
, 0, &crypto
);
148 ret
= krb5_create_checksum(context
,
156 memcpy(sgn_cksum
, CKSUM
.checksum
.data
, sgn_cksum_sz
);
157 free_Checksum(&CKSUM
);
159 krb5_crypto_destroy(context
, crypto
);
166 _gssapi_get_mic_arcfour(OM_uint32
* minor_status
,
167 const gsskrb5_ctx context_handle
,
168 krb5_context context
,
170 const gss_buffer_t message_buffer
,
171 gss_buffer_t message_token
,
176 size_t len
, total_len
;
177 u_char k6_data
[16], *p0
, *p
;
180 _gsskrb5_encap_length (22, &len
, &total_len
, GSS_KRB5_MECHANISM
);
182 message_token
->length
= total_len
;
183 message_token
->value
= malloc (total_len
);
184 if (message_token
->value
== NULL
) {
185 *minor_status
= ENOMEM
;
186 return GSS_S_FAILURE
;
189 p0
= _gssapi_make_mech_header(message_token
->value
,
194 *p
++ = 0x01; /* TOK_ID */
196 *p
++ = 0x11; /* SGN_ALG */
198 *p
++ = 0xff; /* Filler */
205 ret
= arcfour_mic_cksum(context
,
206 key
, KRB5_KU_USAGE_SIGN
,
207 p0
+ 16, 8, /* SGN_CKSUM */
208 p0
, 8, /* TOK_ID, SGN_ALG, Filer */
209 message_buffer
->value
, message_buffer
->length
,
212 _gsskrb5_release_buffer(minor_status
, message_token
);
214 return GSS_S_FAILURE
;
217 ret
= arcfour_mic_key(context
, key
,
218 p0
+ 16, 8, /* SGN_CKSUM */
219 k6_data
, sizeof(k6_data
));
221 _gsskrb5_release_buffer(minor_status
, message_token
);
223 return GSS_S_FAILURE
;
226 HEIMDAL_MUTEX_lock(&context_handle
->ctx_id_mutex
);
227 krb5_auth_con_getlocalseqnumber (context
,
228 context_handle
->auth_context
,
230 p
= p0
+ 8; /* SND_SEQ */
231 _gsskrb5_encode_be_om_uint32(seq_number
, p
);
233 krb5_auth_con_setlocalseqnumber (context
,
234 context_handle
->auth_context
,
236 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
238 memset (p
+ 4, (context_handle
->more_flags
& LOCAL
) ? 0 : 0xff, 4);
240 RC4_set_key (&rc4_key
, sizeof(k6_data
), k6_data
);
241 RC4 (&rc4_key
, 8, p
, p
);
243 memset(&rc4_key
, 0, sizeof(rc4_key
));
244 memset(k6_data
, 0, sizeof(k6_data
));
247 return GSS_S_COMPLETE
;
252 _gssapi_verify_mic_arcfour(OM_uint32
* minor_status
,
253 const gsskrb5_ctx context_handle
,
254 krb5_context context
,
255 const gss_buffer_t message_buffer
,
256 const gss_buffer_t token_buffer
,
257 gss_qop_t
* qop_state
,
264 u_char SND_SEQ
[8], cksum_data
[8], *p
;
271 p
= token_buffer
->value
;
272 omret
= _gsskrb5_verify_header (&p
,
273 token_buffer
->length
,
279 if (memcmp(p
, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */
280 return GSS_S_BAD_SIG
;
282 if (memcmp (p
, "\xff\xff\xff\xff", 4) != 0)
283 return GSS_S_BAD_MIC
;
286 ret
= arcfour_mic_cksum(context
,
287 key
, KRB5_KU_USAGE_SIGN
,
288 cksum_data
, sizeof(cksum_data
),
290 message_buffer
->value
, message_buffer
->length
,
294 return GSS_S_FAILURE
;
297 ret
= arcfour_mic_key(context
, key
,
298 cksum_data
, sizeof(cksum_data
),
299 k6_data
, sizeof(k6_data
));
302 return GSS_S_FAILURE
;
305 cmp
= memcmp(cksum_data
, p
+ 8, 8);
308 return GSS_S_BAD_MIC
;
314 RC4_set_key (&rc4_key
, sizeof(k6_data
), (void*)k6_data
);
315 RC4 (&rc4_key
, 8, p
, SND_SEQ
);
317 memset(&rc4_key
, 0, sizeof(rc4_key
));
318 memset(k6_data
, 0, sizeof(k6_data
));
321 _gsskrb5_decode_be_om_uint32(SND_SEQ
, &seq_number
);
323 if (context_handle
->more_flags
& LOCAL
)
324 cmp
= memcmp(&SND_SEQ
[4], "\xff\xff\xff\xff", 4);
326 cmp
= memcmp(&SND_SEQ
[4], "\x00\x00\x00\x00", 4);
328 memset(SND_SEQ
, 0, sizeof(SND_SEQ
));
331 return GSS_S_BAD_MIC
;
334 HEIMDAL_MUTEX_lock(&context_handle
->ctx_id_mutex
);
335 omret
= _gssapi_msg_order_check(context_handle
->order
, seq_number
);
336 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
341 return GSS_S_COMPLETE
;
345 _gssapi_wrap_arcfour(OM_uint32
* minor_status
,
346 const gsskrb5_ctx context_handle
,
347 krb5_context context
,
350 const gss_buffer_t input_message_buffer
,
352 gss_buffer_t output_message_buffer
,
355 u_char Klocaldata
[16], k6_data
[16], *p
, *p0
;
356 size_t len
, total_len
, datalen
;
357 krb5_keyblock Klocal
;
364 datalen
= input_message_buffer
->length
;
366 if (IS_DCE_STYLE(context_handle
)) {
367 len
= GSS_ARCFOUR_WRAP_TOKEN_SIZE
;
368 _gssapi_encap_length(len
, &len
, &total_len
, GSS_KRB5_MECHANISM
);
369 total_len
+= datalen
;
371 datalen
+= 1; /* padding */
372 len
= datalen
+ GSS_ARCFOUR_WRAP_TOKEN_SIZE
;
373 _gssapi_encap_length(len
, &len
, &total_len
, GSS_KRB5_MECHANISM
);
376 output_message_buffer
->length
= total_len
;
377 output_message_buffer
->value
= malloc (total_len
);
378 if (output_message_buffer
->value
== NULL
) {
379 *minor_status
= ENOMEM
;
380 return GSS_S_FAILURE
;
383 p0
= _gssapi_make_mech_header(output_message_buffer
->value
,
388 *p
++ = 0x02; /* TOK_ID */
390 *p
++ = 0x11; /* SGN_ALG */
393 *p
++ = 0x10; /* SEAL_ALG */
396 *p
++ = 0xff; /* SEAL_ALG */
399 *p
++ = 0xff; /* Filler */
404 HEIMDAL_MUTEX_lock(&context_handle
->ctx_id_mutex
);
405 krb5_auth_con_getlocalseqnumber (context
,
406 context_handle
->auth_context
,
409 _gsskrb5_encode_be_om_uint32(seq_number
, p0
+ 8);
411 krb5_auth_con_setlocalseqnumber (context
,
412 context_handle
->auth_context
,
414 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
417 (context_handle
->more_flags
& LOCAL
) ? 0 : 0xff,
420 krb5_generate_random_block(p0
+ 24, 8); /* fill in Confounder */
422 /* p points to data */
423 p
= p0
+ GSS_ARCFOUR_WRAP_TOKEN_SIZE
;
424 memcpy(p
, input_message_buffer
->value
, input_message_buffer
->length
);
426 if (!IS_DCE_STYLE(context_handle
))
427 p
[input_message_buffer
->length
] = 1; /* padding */
429 ret
= arcfour_mic_cksum(context
,
430 key
, KRB5_KU_USAGE_SEAL
,
431 p0
+ 16, 8, /* SGN_CKSUM */
432 p0
, 8, /* TOK_ID, SGN_ALG, SEAL_ALG, Filler */
433 p0
+ 24, 8, /* Confounder */
434 p0
+ GSS_ARCFOUR_WRAP_TOKEN_SIZE
,
438 _gsskrb5_release_buffer(minor_status
, output_message_buffer
);
439 return GSS_S_FAILURE
;
445 Klocal
.keytype
= key
->keytype
;
446 Klocal
.keyvalue
.data
= Klocaldata
;
447 Klocal
.keyvalue
.length
= sizeof(Klocaldata
);
449 for (i
= 0; i
< 16; i
++)
450 Klocaldata
[i
] = ((u_char
*)key
->keyvalue
.data
)[i
] ^ 0xF0;
452 ret
= arcfour_mic_key(context
, &Klocal
,
453 p0
+ 8, 4, /* SND_SEQ */
454 k6_data
, sizeof(k6_data
));
455 memset(Klocaldata
, 0, sizeof(Klocaldata
));
457 _gsskrb5_release_buffer(minor_status
, output_message_buffer
);
459 return GSS_S_FAILURE
;
466 RC4_set_key (&rc4_key
, sizeof(k6_data
), (void *)k6_data
);
468 RC4 (&rc4_key
, 8 + datalen
, p0
+ 24, p0
+ 24); /* Confounder + data */
469 memset(&rc4_key
, 0, sizeof(rc4_key
));
471 memset(k6_data
, 0, sizeof(k6_data
));
473 ret
= arcfour_mic_key(context
, key
,
474 p0
+ 16, 8, /* SGN_CKSUM */
475 k6_data
, sizeof(k6_data
));
477 _gsskrb5_release_buffer(minor_status
, output_message_buffer
);
479 return GSS_S_FAILURE
;
485 RC4_set_key (&rc4_key
, sizeof(k6_data
), k6_data
);
486 RC4 (&rc4_key
, 8, p0
+ 8, p0
+ 8); /* SND_SEQ */
487 memset(&rc4_key
, 0, sizeof(rc4_key
));
488 memset(k6_data
, 0, sizeof(k6_data
));
492 *conf_state
= conf_req_flag
;
495 return GSS_S_COMPLETE
;
498 OM_uint32
_gssapi_unwrap_arcfour(OM_uint32
*minor_status
,
499 const gsskrb5_ctx context_handle
,
500 krb5_context context
,
501 const gss_buffer_t input_message_buffer
,
502 gss_buffer_t output_message_buffer
,
504 gss_qop_t
*qop_state
,
507 u_char Klocaldata
[16];
508 krb5_keyblock Klocal
;
513 u_char k6_data
[16], SND_SEQ
[8], Confounder
[8];
514 u_char cksum_data
[8];
518 size_t padlen
= 0, len
;
525 p0
= input_message_buffer
->value
;
527 if (IS_DCE_STYLE(context_handle
)) {
528 len
= GSS_ARCFOUR_WRAP_TOKEN_SIZE
+
529 GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE
;
530 if (input_message_buffer
->length
< len
)
531 return GSS_S_BAD_MECH
;
533 len
= input_message_buffer
->length
;
536 omret
= _gssapi_verify_mech_header(&p0
,
542 /* length of mech header */
543 len
= (p0
- (u_char
*)input_message_buffer
->value
) +
544 GSS_ARCFOUR_WRAP_TOKEN_SIZE
;
546 if (len
> input_message_buffer
->length
)
547 return GSS_S_BAD_MECH
;
550 datalen
= input_message_buffer
->length
- len
;
554 if (memcmp(p
, "\x02\x01", 2) != 0)
555 return GSS_S_BAD_SIG
;
557 if (memcmp(p
, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */
558 return GSS_S_BAD_SIG
;
561 if (memcmp (p
, "\x10\x00", 2) == 0)
563 else if (memcmp (p
, "\xff\xff", 2) == 0)
566 return GSS_S_BAD_SIG
;
569 if (memcmp (p
, "\xff\xff", 2) != 0)
570 return GSS_S_BAD_MIC
;
573 ret
= arcfour_mic_key(context
, key
,
574 p0
+ 16, 8, /* SGN_CKSUM */
575 k6_data
, sizeof(k6_data
));
578 return GSS_S_FAILURE
;
584 RC4_set_key (&rc4_key
, sizeof(k6_data
), k6_data
);
585 RC4 (&rc4_key
, 8, p0
+ 8, SND_SEQ
); /* SND_SEQ */
586 memset(&rc4_key
, 0, sizeof(rc4_key
));
587 memset(k6_data
, 0, sizeof(k6_data
));
590 _gsskrb5_decode_be_om_uint32(SND_SEQ
, &seq_number
);
592 if (context_handle
->more_flags
& LOCAL
)
593 cmp
= memcmp(&SND_SEQ
[4], "\xff\xff\xff\xff", 4);
595 cmp
= memcmp(&SND_SEQ
[4], "\x00\x00\x00\x00", 4);
599 return GSS_S_BAD_MIC
;
605 Klocal
.keytype
= key
->keytype
;
606 Klocal
.keyvalue
.data
= Klocaldata
;
607 Klocal
.keyvalue
.length
= sizeof(Klocaldata
);
609 for (i
= 0; i
< 16; i
++)
610 Klocaldata
[i
] = ((u_char
*)key
->keyvalue
.data
)[i
] ^ 0xF0;
612 ret
= arcfour_mic_key(context
, &Klocal
,
614 k6_data
, sizeof(k6_data
));
615 memset(Klocaldata
, 0, sizeof(Klocaldata
));
618 return GSS_S_FAILURE
;
621 output_message_buffer
->value
= malloc(datalen
);
622 if (output_message_buffer
->value
== NULL
) {
623 *minor_status
= ENOMEM
;
624 return GSS_S_FAILURE
;
626 output_message_buffer
->length
= datalen
;
631 RC4_set_key (&rc4_key
, sizeof(k6_data
), k6_data
);
632 RC4 (&rc4_key
, 8, p0
+ 24, Confounder
); /* Confounder */
633 RC4 (&rc4_key
, datalen
, p0
+ GSS_ARCFOUR_WRAP_TOKEN_SIZE
,
634 output_message_buffer
->value
);
635 memset(&rc4_key
, 0, sizeof(rc4_key
));
637 memcpy(Confounder
, p0
+ 24, 8); /* Confounder */
638 memcpy(output_message_buffer
->value
,
639 p0
+ GSS_ARCFOUR_WRAP_TOKEN_SIZE
,
642 memset(k6_data
, 0, sizeof(k6_data
));
644 if (!IS_DCE_STYLE(context_handle
)) {
645 ret
= _gssapi_verify_pad(output_message_buffer
, datalen
, &padlen
);
647 _gsskrb5_release_buffer(minor_status
, output_message_buffer
);
651 output_message_buffer
->length
-= padlen
;
654 ret
= arcfour_mic_cksum(context
,
655 key
, KRB5_KU_USAGE_SEAL
,
656 cksum_data
, sizeof(cksum_data
),
658 Confounder
, sizeof(Confounder
),
659 output_message_buffer
->value
,
660 output_message_buffer
->length
+ padlen
);
662 _gsskrb5_release_buffer(minor_status
, output_message_buffer
);
664 return GSS_S_FAILURE
;
667 cmp
= memcmp(cksum_data
, p0
+ 16, 8); /* SGN_CKSUM */
669 _gsskrb5_release_buffer(minor_status
, output_message_buffer
);
671 return GSS_S_BAD_MIC
;
674 HEIMDAL_MUTEX_lock(&context_handle
->ctx_id_mutex
);
675 omret
= _gssapi_msg_order_check(context_handle
->order
, seq_number
);
676 HEIMDAL_MUTEX_unlock(&context_handle
->ctx_id_mutex
);
681 *conf_state
= conf_flag
;
684 return GSS_S_COMPLETE
;
688 max_wrap_length_arcfour(const gsskrb5_ctx ctx
,
691 OM_uint32
*max_input_size
)
694 * if GSS_C_DCE_STYLE is in use:
695 * - we only need to encapsulate the WRAP token
696 * However, since this is a fixed since, we just
698 if (IS_DCE_STYLE(ctx
)) {
699 size_t len
, total_len
;
701 len
= GSS_ARCFOUR_WRAP_TOKEN_SIZE
;
702 _gssapi_encap_length(len
, &len
, &total_len
, GSS_KRB5_MECHANISM
);
704 if (input_length
< len
)
707 *max_input_size
= input_length
- len
;
710 size_t extrasize
= GSS_ARCFOUR_WRAP_TOKEN_SIZE
;
711 size_t blocksize
= 8;
712 size_t len
, total_len
;
714 len
= 8 + input_length
+ blocksize
+ extrasize
;
716 _gsskrb5_encap_length(len
, &len
, &total_len
, GSS_KRB5_MECHANISM
);
718 total_len
-= input_length
; /* token length */
719 if (total_len
< input_length
) {
720 *max_input_size
= (input_length
- total_len
);
721 (*max_input_size
) &= (~(OM_uint32
)(blocksize
- 1));
727 return GSS_S_COMPLETE
;
731 _gssapi_wrap_size_arcfour(OM_uint32
*minor_status
,
732 const gsskrb5_ctx ctx
,
733 krb5_context context
,
736 OM_uint32 req_output_size
,
737 OM_uint32
*max_input_size
,
743 ret
= krb5_crypto_init(context
, key
, 0, &crypto
);
746 return GSS_S_FAILURE
;
749 ret
= max_wrap_length_arcfour(ctx
, crypto
,
750 req_output_size
, max_input_size
);
753 krb5_crypto_destroy(context
, crypto
);
754 return GSS_S_FAILURE
;
757 krb5_crypto_destroy(context
, crypto
);
759 return GSS_S_COMPLETE
;