search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
use gss_krb5_get_subkey() instead of gss_krb5_get_{local,remote}key()
[heimdal.git] / lib / gssapi / krb5 / unwrap.c
blobcf82141e92f99faf7ae0cdbbad0712d5a5af8204
1 /*
2 * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "gssapi_locl.h"
35
36 RCSID("$Id$");
37
38 static OM_uint32
39 unwrap_des
40 (OM_uint32 * minor_status,
41 const gss_ctx_id_t context_handle,
42 const gss_buffer_t input_message_buffer,
43 gss_buffer_t output_message_buffer,
44 int * conf_state,
45 gss_qop_t * qop_state,
46 krb5_keyblock *key
47 )
48 {
49 u_char *p, *seq;
50 size_t len;
51 MD5_CTX md5;
52 u_char hash[16];
53 DES_key_schedule schedule;
54 DES_cblock deskey;
55 DES_cblock zero;
56 int i;
57 int32_t seq_number;
58 size_t padlength;
59 OM_uint32 ret;
60 int cstate;
61 int cmp;
62
63 p = input_message_buffer->value;
64 ret = gssapi_krb5_verify_header (&p,
65 input_message_buffer->length,
66 "\x02\x01",
67 GSS_KRB5_MECHANISM);
68 if (ret)
69 return ret;
70
71 if (memcmp (p, "\x00\x00", 2) != 0)
72 return GSS_S_BAD_SIG;
73 p += 2;
74 if (memcmp (p, "\x00\x00", 2) == 0) {
75 cstate = 1;
76 } else if (memcmp (p, "\xFF\xFF", 2) == 0) {
77 cstate = 0;
78 } else
79 return GSS_S_BAD_MIC;
80 p += 2;
81 if(conf_state != NULL)
82 *conf_state = cstate;
83 if (memcmp (p, "\xff\xff", 2) != 0)
84 return GSS_S_DEFECTIVE_TOKEN;
85 p += 2;
86 p += 16;
87
88 len = p - (u_char *)input_message_buffer->value;
89
90 if(cstate) {
91 /* decrypt data */
92 memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
93
94 for (i = 0; i < sizeof(deskey); ++i)
95 deskey[i] ^= 0xf0;
96 DES_set_key (&deskey, &schedule);
97 memset (&zero, 0, sizeof(zero));
98 DES_cbc_encrypt ((void *)p,
99 (void *)p,
100 input_message_buffer->length - len,
101 &schedule,
102 &zero,
103 DES_DECRYPT);
104
105 memset (deskey, 0, sizeof(deskey));
106 memset (&schedule, 0, sizeof(schedule));
107 }
108 /* check pad */
109 ret = _gssapi_verify_pad(input_message_buffer,
110 input_message_buffer->length - len,
111 &padlength);
112 if (ret)
113 return ret;
114
115 MD5_Init (&md5);
116 MD5_Update (&md5, p - 24, 8);
117 MD5_Update (&md5, p, input_message_buffer->length - len);
118 MD5_Final (hash, &md5);
119
120 memset (&zero, 0, sizeof(zero));
121 memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
122 DES_set_key (&deskey, &schedule);
123 DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
124 &schedule, &zero);
125 if (memcmp (p - 8, hash, 8) != 0)
126 return GSS_S_BAD_MIC;
127
128 /* verify sequence number */
129
130 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
131
132 p -= 16;
133 DES_set_key (&deskey, &schedule);
134 DES_cbc_encrypt ((void *)p, (void *)p, 8,
135 &schedule, (DES_cblock *)hash, DES_DECRYPT);
136
137 memset (deskey, 0, sizeof(deskey));
138 memset (&schedule, 0, sizeof(schedule));
139
140 seq = p;
141 gssapi_decode_om_uint32(seq, &seq_number);
142
143 if (context_handle->more_flags & LOCAL)
144 cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4);
145 else
146 cmp = memcmp(&seq[4], "\x00\x00\x00\x00", 4);
147
148 if (cmp != 0) {
149 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
150 return GSS_S_BAD_MIC;
151 }
152
153 ret = gssapi_msg_order_check(context_handle->order, seq_number);
154 if (ret) {
155 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
156 return ret;
157 }
158
159 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
160
161 /* copy out data */
162
163 output_message_buffer->length = input_message_buffer->length
164 - len - padlength - 8;
165 output_message_buffer->value = malloc(output_message_buffer->length);
166 if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
167 return GSS_S_FAILURE;
168 memcpy (output_message_buffer->value,
169 p + 24,
170 output_message_buffer->length);
171 return GSS_S_COMPLETE;
172 }
173
174 static OM_uint32
175 unwrap_des3
176 (OM_uint32 * minor_status,
177 const gss_ctx_id_t context_handle,
178 const gss_buffer_t input_message_buffer,
179 gss_buffer_t output_message_buffer,
180 int * conf_state,
181 gss_qop_t * qop_state,
182 krb5_keyblock *key
183 )
184 {
185 u_char *p;
186 size_t len;
187 u_char *seq;
188 krb5_data seq_data;
189 u_char cksum[20];
190 int32_t seq_number;
191 size_t padlength;
192 OM_uint32 ret;
193 int cstate;
194 krb5_crypto crypto;
195 Checksum csum;
196 int cmp;
197
198 p = input_message_buffer->value;
199 ret = gssapi_krb5_verify_header (&p,
200 input_message_buffer->length,
201 "\x02\x01",
202 GSS_KRB5_MECHANISM);
203 if (ret)
204 return ret;
205
206 if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
207 return GSS_S_BAD_SIG;
208 p += 2;
209 if (memcmp (p, "\x02\x00", 2) == 0) {
210 cstate = 1;
211 } else if (memcmp (p, "\xff\xff", 2) == 0) {
212 cstate = 0;
213 } else
214 return GSS_S_BAD_MIC;
215 p += 2;
216 if(conf_state != NULL)
217 *conf_state = cstate;
218 if (memcmp (p, "\xff\xff", 2) != 0)
219 return GSS_S_DEFECTIVE_TOKEN;
220 p += 2;
221 p += 28;
222
223 len = p - (u_char *)input_message_buffer->value;
224
225 if(cstate) {
226 /* decrypt data */
227 krb5_data tmp;
228
229 ret = krb5_crypto_init(gssapi_krb5_context, key,
230 ETYPE_DES3_CBC_NONE, &crypto);
231 if (ret) {
232 gssapi_krb5_set_error_string ();
233 *minor_status = ret;
234 return GSS_S_FAILURE;
235 }
236 ret = krb5_decrypt(gssapi_krb5_context, crypto, KRB5_KU_USAGE_SEAL,
237 p, input_message_buffer->length - len, &tmp);
238 krb5_crypto_destroy(gssapi_krb5_context, crypto);
239 if (ret) {
240 gssapi_krb5_set_error_string ();
241 *minor_status = ret;
242 return GSS_S_FAILURE;
243 }
244 assert (tmp.length == input_message_buffer->length - len);
245
246 memcpy (p, tmp.data, tmp.length);
247 krb5_data_free(&tmp);
248 }
249 /* check pad */
250 ret = _gssapi_verify_pad(input_message_buffer,
251 input_message_buffer->length - len,
252 &padlength);
253 if (ret)
254 return ret;
255
256 /* verify sequence number */
257
258 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
259
260 p -= 28;
261
262 ret = krb5_crypto_init(gssapi_krb5_context, key,
263 ETYPE_DES3_CBC_NONE, &crypto);
264 if (ret) {
265 gssapi_krb5_set_error_string ();
266 *minor_status = ret;
267 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
268 return GSS_S_FAILURE;
269 }
270 {
271 DES_cblock ivec;
272
273 memcpy(&ivec, p + 8, 8);
274 ret = krb5_decrypt_ivec (gssapi_krb5_context,
275 crypto,
276 KRB5_KU_USAGE_SEQ,
277 p, 8, &seq_data,
278 &ivec);
279 }
280 krb5_crypto_destroy (gssapi_krb5_context, crypto);
281 if (ret) {
282 gssapi_krb5_set_error_string ();
283 *minor_status = ret;
284 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
285 return GSS_S_FAILURE;
286 }
287 if (seq_data.length != 8) {
288 krb5_data_free (&seq_data);
289 *minor_status = 0;
290 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
291 return GSS_S_BAD_MIC;
292 }
293
294 seq = seq_data.data;
295 gssapi_decode_om_uint32(seq, &seq_number);
296
297 if (context_handle->more_flags & LOCAL)
298 cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4);
299 else
300 cmp = memcmp(&seq[4], "\x00\x00\x00\x00", 4);
301
302 krb5_data_free (&seq_data);
303 if (cmp != 0) {
304 *minor_status = 0;
305 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
306 return GSS_S_BAD_MIC;
307 }
308
309 ret = gssapi_msg_order_check(context_handle->order, seq_number);
310 if (ret) {
311 *minor_status = 0;
312 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
313 return ret;
314 }
315
316 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
317
318 /* verify checksum */
319
320 memcpy (cksum, p + 8, 20);
321
322 memcpy (p + 20, p - 8, 8);
323
324 csum.cksumtype = CKSUMTYPE_HMAC_SHA1_DES3;
325 csum.checksum.length = 20;
326 csum.checksum.data = cksum;
327
328 ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
329 if (ret) {
330 gssapi_krb5_set_error_string ();
331 *minor_status = ret;
332 return GSS_S_FAILURE;
333 }
334
335 ret = krb5_verify_checksum (gssapi_krb5_context, crypto,
336 KRB5_KU_USAGE_SIGN,
337 p + 20,
338 input_message_buffer->length - len + 8,
339 &csum);
340 krb5_crypto_destroy (gssapi_krb5_context, crypto);
341 if (ret) {
342 gssapi_krb5_set_error_string ();
343 *minor_status = ret;
344 return GSS_S_FAILURE;
345 }
346
347 /* copy out data */
348
349 output_message_buffer->length = input_message_buffer->length
350 - len - padlength - 8;
351 output_message_buffer->value = malloc(output_message_buffer->length);
352 if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
353 return GSS_S_FAILURE;
354 memcpy (output_message_buffer->value,
355 p + 36,
356 output_message_buffer->length);
357 return GSS_S_COMPLETE;
358 }
359
360 OM_uint32 gss_unwrap
361 (OM_uint32 * minor_status,
362 const gss_ctx_id_t context_handle,
363 const gss_buffer_t input_message_buffer,
364 gss_buffer_t output_message_buffer,
365 int * conf_state,
366 gss_qop_t * qop_state
367 )
368 {
369 krb5_keyblock *key;
370 OM_uint32 ret;
371 krb5_keytype keytype;
372
373 output_message_buffer->value = NULL;
374 output_message_buffer->length = 0;
375
376 if (qop_state != NULL)
377 *qop_state = GSS_C_QOP_DEFAULT;
378 ret = gss_krb5_get_subkey(context_handle, &key);
379 if (ret) {
380 gssapi_krb5_set_error_string ();
381 *minor_status = ret;
382 return GSS_S_FAILURE;
383 }
384 krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
385
386 *minor_status = 0;
387
388 switch (keytype) {
389 case KEYTYPE_DES :
390 ret = unwrap_des (minor_status, context_handle,
391 input_message_buffer, output_message_buffer,
392 conf_state, qop_state, key);
393 break;
394 case KEYTYPE_DES3 :
395 ret = unwrap_des3 (minor_status, context_handle,
396 input_message_buffer, output_message_buffer,
397 conf_state, qop_state, key);
398 break;
399 case KEYTYPE_ARCFOUR:
400 ret = _gssapi_unwrap_arcfour (minor_status, context_handle,
401 input_message_buffer, output_message_buffer,
402 conf_state, qop_state, key);
403 break;
404 default :
405 ret = _gssapi_unwrap_cfx (minor_status, context_handle,
406 input_message_buffer, output_message_buffer,
407 conf_state, qop_state, key);
408 break;
409 }
410 krb5_free_keyblock (gssapi_krb5_context, key);
411 return ret;
412 }
Heimdal