2 * Copyright (c) 2003, PADL Software Pty Ltd.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of PADL Software nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 #include "krb5/gsskrb5_locl.h"
35 RCSID("$Id: cfx.c 19031 2006-11-13 18:02:57Z lha $");
38 * Implementation of draft-ietf-krb-wg-gssapi-cfx-06.txt
41 #define CFXSentByAcceptor (1 << 0)
42 #define CFXSealed (1 << 1)
43 #define CFXAcceptorSubkey (1 << 2)
46 _gsskrb5cfx_wrap_length_cfx(krb5_context context,
50 size_t *output_length,
57 /* 16-byte header is always first */
58 *output_length = sizeof(gss_cfx_wrap_token_desc);
61 ret = krb5_crypto_get_checksum_type(context, crypto, &type);
65 ret = krb5_checksumsize(context, type, cksumsize);
72 /* Header is concatenated with data before encryption */
73 input_length += sizeof(gss_cfx_wrap_token_desc);
75 ret = krb5_crypto_getpadsize(context, crypto, &padsize);
81 *padlength = padsize - (input_length % padsize);
83 /* We add the pad ourselves (noted here for completeness only) */
84 input_length += *padlength;
87 *output_length += krb5_get_wrapped_length(context,
88 crypto, input_length);
90 /* Checksum is concatenated with data */
91 *output_length += input_length + *cksumsize;
94 assert(*output_length > input_length);
100 _gsskrb5cfx_max_wrap_length_cfx(krb5_context context,
104 OM_uint32 *output_length)
110 /* 16-byte header is always first */
111 if (input_length < 16)
116 size_t wrapped_size, sz;
118 wrapped_size = input_length + 1;
121 sz = krb5_get_wrapped_length(context,
122 crypto, wrapped_size);
123 } while (wrapped_size && sz > input_length);
124 if (wrapped_size == 0) {
130 if (wrapped_size < 16) {
136 *output_length = wrapped_size;
141 ret = krb5_crypto_get_checksum_type(context, crypto, &type);
145 ret = krb5_checksumsize(context, type, &cksumsize);
149 if (input_length < cksumsize)
152 /* Checksum is concatenated with data */
153 *output_length = input_length - cksumsize;
160 OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
161 const gsskrb5_ctx context_handle,
162 krb5_context context,
165 OM_uint32 req_output_size,
166 OM_uint32 *max_input_size,
172 ret = krb5_crypto_init(context, key, 0, &crypto);
175 return GSS_S_FAILURE;
178 ret = _gsskrb5cfx_max_wrap_length_cfx(context, crypto, conf_req_flag,
179 req_output_size, max_input_size);
182 krb5_crypto_destroy(context, crypto);
183 return GSS_S_FAILURE;
186 krb5_crypto_destroy(context, crypto);
188 return GSS_S_COMPLETE;
192 * Rotate "rrc" bytes to the front or back
195 static krb5_error_code
196 rrc_rotate(void *data, size_t len, uint16_t rrc, krb5_boolean unrotate)
198 u_char *tmp, buf[256];
211 if (rrc <= sizeof(buf)) {
220 memcpy(tmp, data, rrc);
221 memmove(data, (u_char *)data + rrc, left);
222 memcpy((u_char *)data + left, tmp, rrc);
224 memcpy(tmp, (u_char *)data + left, rrc);
225 memmove((u_char *)data + rrc, data, left);
226 memcpy(data, tmp, rrc);
229 if (rrc > sizeof(buf))
235 OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
236 const gsskrb5_ctx context_handle,
237 krb5_context context,
240 const gss_buffer_t input_message_buffer,
242 gss_buffer_t output_message_buffer,
246 gss_cfx_wrap_token token;
250 size_t wrapped_len, cksumsize;
251 uint16_t padlength, rrc = 0;
255 ret = krb5_crypto_init(context, key, 0, &crypto);
258 return GSS_S_FAILURE;
261 ret = _gsskrb5cfx_wrap_length_cfx(context,
262 crypto, conf_req_flag,
263 input_message_buffer->length,
264 &wrapped_len, &cksumsize, &padlength);
267 krb5_crypto_destroy(context, crypto);
268 return GSS_S_FAILURE;
271 /* Always rotate encrypted token (if any) and checksum to header */
272 rrc = (conf_req_flag ? sizeof(*token) : 0) + (uint16_t)cksumsize;
274 output_message_buffer->length = wrapped_len;
275 output_message_buffer->value = malloc(output_message_buffer->length);
276 if (output_message_buffer->value == NULL) {
277 *minor_status = ENOMEM;
278 krb5_crypto_destroy(context, crypto);
279 return GSS_S_FAILURE;
282 p = output_message_buffer->value;
283 token = (gss_cfx_wrap_token)p;
284 token->TOK_ID[0] = 0x05;
285 token->TOK_ID[1] = 0x04;
287 token->Filler = 0xFF;
288 if ((context_handle->more_flags & LOCAL) == 0)
289 token->Flags |= CFXSentByAcceptor;
290 if (context_handle->more_flags & ACCEPTOR_SUBKEY)
291 token->Flags |= CFXAcceptorSubkey;
294 * In Wrap tokens with confidentiality, the EC field is
295 * used to encode the size (in bytes) of the random filler.
297 token->Flags |= CFXSealed;
298 token->EC[0] = (padlength >> 8) & 0xFF;
299 token->EC[1] = (padlength >> 0) & 0xFF;
302 * In Wrap tokens without confidentiality, the EC field is
303 * used to encode the size (in bytes) of the trailing
306 * This is not used in the checksum calcuation itself,
307 * because the checksum length could potentially vary
308 * depending on the data length.
315 * In Wrap tokens that provide for confidentiality, the RRC
316 * field in the header contains the hex value 00 00 before
319 * In Wrap tokens that do not provide for confidentiality,
320 * both the EC and RRC fields in the appended checksum
321 * contain the hex value 00 00 for the purpose of calculating
327 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
328 krb5_auth_con_getlocalseqnumber(context,
329 context_handle->auth_context,
331 _gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]);
332 _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
333 krb5_auth_con_setlocalseqnumber(context,
334 context_handle->auth_context,
336 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
339 * If confidentiality is requested, the token header is
340 * appended to the plaintext before encryption; the resulting
341 * token is {"header" | encrypt(plaintext | pad | "header")}.
343 * If no confidentiality is requested, the checksum is
344 * calculated over the plaintext concatenated with the
347 if (context_handle->more_flags & LOCAL) {
348 usage = KRB5_KU_USAGE_INITIATOR_SEAL;
350 usage = KRB5_KU_USAGE_ACCEPTOR_SEAL;
355 * Any necessary padding is added here to ensure that the
356 * encrypted token header is always at the end of the
359 * The specification does not require that the padding
360 * bytes are initialized.
363 memcpy(p, input_message_buffer->value, input_message_buffer->length);
364 memset(p + input_message_buffer->length, 0xFF, padlength);
365 memcpy(p + input_message_buffer->length + padlength,
366 token, sizeof(*token));
368 ret = krb5_encrypt(context, crypto,
370 input_message_buffer->length + padlength +
375 krb5_crypto_destroy(context, crypto);
376 _gsskrb5_release_buffer(minor_status, output_message_buffer);
377 return GSS_S_FAILURE;
379 assert(sizeof(*token) + cipher.length == wrapped_len);
380 token->RRC[0] = (rrc >> 8) & 0xFF;
381 token->RRC[1] = (rrc >> 0) & 0xFF;
383 ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE);
386 krb5_crypto_destroy(context, crypto);
387 _gsskrb5_release_buffer(minor_status, output_message_buffer);
388 return GSS_S_FAILURE;
390 memcpy(p, cipher.data, cipher.length);
391 krb5_data_free(&cipher);
396 buf = malloc(input_message_buffer->length + sizeof(*token));
398 *minor_status = ENOMEM;
399 krb5_crypto_destroy(context, crypto);
400 _gsskrb5_release_buffer(minor_status, output_message_buffer);
401 return GSS_S_FAILURE;
403 memcpy(buf, input_message_buffer->value, input_message_buffer->length);
404 memcpy(buf + input_message_buffer->length, token, sizeof(*token));
406 ret = krb5_create_checksum(context, crypto,
408 input_message_buffer->length +
413 krb5_crypto_destroy(context, crypto);
414 _gsskrb5_release_buffer(minor_status, output_message_buffer);
416 return GSS_S_FAILURE;
421 assert(cksum.checksum.length == cksumsize);
422 token->EC[0] = (cksum.checksum.length >> 8) & 0xFF;
423 token->EC[1] = (cksum.checksum.length >> 0) & 0xFF;
424 token->RRC[0] = (rrc >> 8) & 0xFF;
425 token->RRC[1] = (rrc >> 0) & 0xFF;
428 memcpy(p, input_message_buffer->value, input_message_buffer->length);
429 memcpy(p + input_message_buffer->length,
430 cksum.checksum.data, cksum.checksum.length);
433 input_message_buffer->length + cksum.checksum.length, rrc, FALSE);
436 krb5_crypto_destroy(context, crypto);
437 _gsskrb5_release_buffer(minor_status, output_message_buffer);
438 free_Checksum(&cksum);
439 return GSS_S_FAILURE;
441 free_Checksum(&cksum);
444 krb5_crypto_destroy(context, crypto);
446 if (conf_state != NULL) {
447 *conf_state = conf_req_flag;
451 return GSS_S_COMPLETE;
454 OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
455 const gsskrb5_ctx context_handle,
456 krb5_context context,
457 const gss_buffer_t input_message_buffer,
458 gss_buffer_t output_message_buffer,
460 gss_qop_t *qop_state,
464 gss_cfx_wrap_token token;
470 OM_uint32 seq_number_lo, seq_number_hi;
476 if (input_message_buffer->length < sizeof(*token)) {
477 return GSS_S_DEFECTIVE_TOKEN;
480 p = input_message_buffer->value;
482 token = (gss_cfx_wrap_token)p;
484 if (token->TOK_ID[0] != 0x05 || token->TOK_ID[1] != 0x04) {
485 return GSS_S_DEFECTIVE_TOKEN;
488 /* Ignore unknown flags */
489 token_flags = token->Flags &
490 (CFXSentByAcceptor | CFXSealed | CFXAcceptorSubkey);
492 if (token_flags & CFXSentByAcceptor) {
493 if ((context_handle->more_flags & LOCAL) == 0)
494 return GSS_S_DEFECTIVE_TOKEN;
497 if (context_handle->more_flags & ACCEPTOR_SUBKEY) {
498 if ((token_flags & CFXAcceptorSubkey) == 0)
499 return GSS_S_DEFECTIVE_TOKEN;
501 if (token_flags & CFXAcceptorSubkey)
502 return GSS_S_DEFECTIVE_TOKEN;
505 if (token->Filler != 0xFF) {
506 return GSS_S_DEFECTIVE_TOKEN;
509 if (conf_state != NULL) {
510 *conf_state = (token_flags & CFXSealed) ? 1 : 0;
513 ec = (token->EC[0] << 8) | token->EC[1];
514 rrc = (token->RRC[0] << 8) | token->RRC[1];
517 * Check sequence number
519 _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi);
520 _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo);
522 /* no support for 64-bit sequence numbers */
523 *minor_status = ERANGE;
524 return GSS_S_UNSEQ_TOKEN;
527 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
528 ret = _gssapi_msg_order_check(context_handle->order, seq_number_lo);
531 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
532 _gsskrb5_release_buffer(minor_status, output_message_buffer);
535 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
538 * Decrypt and/or verify checksum
540 ret = krb5_crypto_init(context, key, 0, &crypto);
543 return GSS_S_FAILURE;
546 if (context_handle->more_flags & LOCAL) {
547 usage = KRB5_KU_USAGE_ACCEPTOR_SEAL;
549 usage = KRB5_KU_USAGE_INITIATOR_SEAL;
553 len = input_message_buffer->length;
554 len -= (p - (u_char *)input_message_buffer->value);
556 /* Rotate by RRC; bogus to do this in-place XXX */
557 *minor_status = rrc_rotate(p, len, rrc, TRUE);
558 if (*minor_status != 0) {
559 krb5_crypto_destroy(context, crypto);
560 return GSS_S_FAILURE;
563 if (token_flags & CFXSealed) {
564 ret = krb5_decrypt(context, crypto, usage,
568 krb5_crypto_destroy(context, crypto);
569 return GSS_S_BAD_MIC;
572 /* Check that there is room for the pad and token header */
573 if (data.length < ec + sizeof(*token)) {
574 krb5_crypto_destroy(context, crypto);
575 krb5_data_free(&data);
576 return GSS_S_DEFECTIVE_TOKEN;
579 p += data.length - sizeof(*token);
581 /* RRC is unprotected; don't modify input buffer */
582 ((gss_cfx_wrap_token)p)->RRC[0] = token->RRC[0];
583 ((gss_cfx_wrap_token)p)->RRC[1] = token->RRC[1];
585 /* Check the integrity of the header */
586 if (memcmp(p, token, sizeof(*token)) != 0) {
587 krb5_crypto_destroy(context, crypto);
588 krb5_data_free(&data);
589 return GSS_S_BAD_MIC;
592 output_message_buffer->value = data.data;
593 output_message_buffer->length = data.length - ec - sizeof(*token);
597 /* Determine checksum type */
598 ret = krb5_crypto_get_checksum_type(context,
599 crypto, &cksum.cksumtype);
602 krb5_crypto_destroy(context, crypto);
603 return GSS_S_FAILURE;
606 cksum.checksum.length = ec;
608 /* Check we have at least as much data as the checksum */
609 if (len < cksum.checksum.length) {
610 *minor_status = ERANGE;
611 krb5_crypto_destroy(context, crypto);
612 return GSS_S_BAD_MIC;
615 /* Length now is of the plaintext only, no checksum */
616 len -= cksum.checksum.length;
617 cksum.checksum.data = p + len;
619 output_message_buffer->length = len; /* for later */
620 output_message_buffer->value = malloc(len + sizeof(*token));
621 if (output_message_buffer->value == NULL) {
622 *minor_status = ENOMEM;
623 krb5_crypto_destroy(context, crypto);
624 return GSS_S_FAILURE;
627 /* Checksum is over (plaintext-data | "header") */
628 memcpy(output_message_buffer->value, p, len);
629 memcpy((u_char *)output_message_buffer->value + len,
630 token, sizeof(*token));
632 /* EC is not included in checksum calculation */
633 token = (gss_cfx_wrap_token)((u_char *)output_message_buffer->value +
640 ret = krb5_verify_checksum(context, crypto,
642 output_message_buffer->value,
643 len + sizeof(*token),
647 krb5_crypto_destroy(context, crypto);
648 _gsskrb5_release_buffer(minor_status, output_message_buffer);
649 return GSS_S_BAD_MIC;
653 krb5_crypto_destroy(context, crypto);
655 if (qop_state != NULL) {
656 *qop_state = GSS_C_QOP_DEFAULT;
660 return GSS_S_COMPLETE;
663 OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
664 const gsskrb5_ctx context_handle,
665 krb5_context context,
667 const gss_buffer_t message_buffer,
668 gss_buffer_t message_token,
672 gss_cfx_mic_token token;
680 ret = krb5_crypto_init(context, key, 0, &crypto);
683 return GSS_S_FAILURE;
686 len = message_buffer->length + sizeof(*token);
689 *minor_status = ENOMEM;
690 krb5_crypto_destroy(context, crypto);
691 return GSS_S_FAILURE;
694 memcpy(buf, message_buffer->value, message_buffer->length);
696 token = (gss_cfx_mic_token)(buf + message_buffer->length);
697 token->TOK_ID[0] = 0x04;
698 token->TOK_ID[1] = 0x04;
700 if ((context_handle->more_flags & LOCAL) == 0)
701 token->Flags |= CFXSentByAcceptor;
702 if (context_handle->more_flags & ACCEPTOR_SUBKEY)
703 token->Flags |= CFXAcceptorSubkey;
704 memset(token->Filler, 0xFF, 5);
706 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
707 krb5_auth_con_getlocalseqnumber(context,
708 context_handle->auth_context,
710 _gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]);
711 _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
712 krb5_auth_con_setlocalseqnumber(context,
713 context_handle->auth_context,
715 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
717 if (context_handle->more_flags & LOCAL) {
718 usage = KRB5_KU_USAGE_INITIATOR_SIGN;
720 usage = KRB5_KU_USAGE_ACCEPTOR_SIGN;
723 ret = krb5_create_checksum(context, crypto,
724 usage, 0, buf, len, &cksum);
727 krb5_crypto_destroy(context, crypto);
729 return GSS_S_FAILURE;
731 krb5_crypto_destroy(context, crypto);
733 /* Determine MIC length */
734 message_token->length = sizeof(*token) + cksum.checksum.length;
735 message_token->value = malloc(message_token->length);
736 if (message_token->value == NULL) {
737 *minor_status = ENOMEM;
738 free_Checksum(&cksum);
740 return GSS_S_FAILURE;
743 /* Token is { "header" | get_mic("header" | plaintext-data) } */
744 memcpy(message_token->value, token, sizeof(*token));
745 memcpy((u_char *)message_token->value + sizeof(*token),
746 cksum.checksum.data, cksum.checksum.length);
748 free_Checksum(&cksum);
752 return GSS_S_COMPLETE;
755 OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
756 const gsskrb5_ctx context_handle,
757 krb5_context context,
758 const gss_buffer_t message_buffer,
759 const gss_buffer_t token_buffer,
760 gss_qop_t *qop_state,
764 gss_cfx_mic_token token;
768 OM_uint32 seq_number_lo, seq_number_hi;
774 if (token_buffer->length < sizeof(*token)) {
775 return GSS_S_DEFECTIVE_TOKEN;
778 p = token_buffer->value;
780 token = (gss_cfx_mic_token)p;
782 if (token->TOK_ID[0] != 0x04 || token->TOK_ID[1] != 0x04) {
783 return GSS_S_DEFECTIVE_TOKEN;
786 /* Ignore unknown flags */
787 token_flags = token->Flags & (CFXSentByAcceptor | CFXAcceptorSubkey);
789 if (token_flags & CFXSentByAcceptor) {
790 if ((context_handle->more_flags & LOCAL) == 0)
791 return GSS_S_DEFECTIVE_TOKEN;
793 if (context_handle->more_flags & ACCEPTOR_SUBKEY) {
794 if ((token_flags & CFXAcceptorSubkey) == 0)
795 return GSS_S_DEFECTIVE_TOKEN;
797 if (token_flags & CFXAcceptorSubkey)
798 return GSS_S_DEFECTIVE_TOKEN;
801 if (memcmp(token->Filler, "\xff\xff\xff\xff\xff", 5) != 0) {
802 return GSS_S_DEFECTIVE_TOKEN;
806 * Check sequence number
808 _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi);
809 _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo);
811 *minor_status = ERANGE;
812 return GSS_S_UNSEQ_TOKEN;
815 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
816 ret = _gssapi_msg_order_check(context_handle->order, seq_number_lo);
819 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
822 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
827 ret = krb5_crypto_init(context, key, 0, &crypto);
830 return GSS_S_FAILURE;
833 ret = krb5_crypto_get_checksum_type(context, crypto,
837 krb5_crypto_destroy(context, crypto);
838 return GSS_S_FAILURE;
841 cksum.checksum.data = p + sizeof(*token);
842 cksum.checksum.length = token_buffer->length - sizeof(*token);
844 if (context_handle->more_flags & LOCAL) {
845 usage = KRB5_KU_USAGE_ACCEPTOR_SIGN;
847 usage = KRB5_KU_USAGE_INITIATOR_SIGN;
850 buf = malloc(message_buffer->length + sizeof(*token));
852 *minor_status = ENOMEM;
853 krb5_crypto_destroy(context, crypto);
854 return GSS_S_FAILURE;
856 memcpy(buf, message_buffer->value, message_buffer->length);
857 memcpy(buf + message_buffer->length, token, sizeof(*token));
859 ret = krb5_verify_checksum(context, crypto,
862 sizeof(*token) + message_buffer->length,
864 krb5_crypto_destroy(context, crypto);
868 return GSS_S_BAD_MIC;
873 if (qop_state != NULL) {
874 *qop_state = GSS_C_QOP_DEFAULT;
877 return GSS_S_COMPLETE;