2 * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "gsskrb5_locl.h"
36 #ifdef HEIM_WEAK_CRYPTO
40 (OM_uint32 * minor_status,
41 const gsskrb5_ctx context_handle,
42 const gss_buffer_t input_message_buffer,
43 gss_buffer_t output_message_buffer,
45 gss_qop_t * qop_state,
53 EVP_CIPHER_CTX *des_ctx;
54 DES_key_schedule schedule;
65 if (IS_DCE_STYLE(context_handle)) {
66 token_len = 22 + 8 + 15; /* 45 */
68 token_len = input_message_buffer->length;
71 p = input_message_buffer->value;
72 ret = _gsskrb5_verify_header (&p,
79 if (memcmp (p, "\x00\x00", 2) != 0)
82 if (memcmp (p, "\x00\x00", 2) == 0) {
84 } else if (memcmp (p, "\xFF\xFF", 2) == 0) {
89 if(conf_state != NULL)
91 if (memcmp (p, "\xff\xff", 2) != 0)
92 return GSS_S_DEFECTIVE_TOKEN;
96 len = p - (u_char *)input_message_buffer->value;
100 memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
101 memset (&zero, 0, sizeof(zero));
103 for (i = 0; i < sizeof(deskey); ++i)
107 des_ctx = EVP_CIPHER_CTX_new();
108 if (des_ctx == NULL) {
109 memset (deskey, 0, sizeof(deskey));
110 *minor_status = ENOMEM;
111 return GSS_S_FAILURE;
113 EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, deskey, zero, 0);
114 EVP_Cipher(des_ctx, p, p, input_message_buffer->length - len);
115 EVP_CIPHER_CTX_free(des_ctx);
117 memset (deskey, 0, sizeof(deskey));
120 if (IS_DCE_STYLE(context_handle)) {
124 ret = _gssapi_verify_pad(input_message_buffer,
125 input_message_buffer->length - len,
131 md5 = EVP_MD_CTX_create();
132 EVP_DigestInit_ex(md5, EVP_md5(), NULL);
133 EVP_DigestUpdate(md5, p - 24, 8);
134 EVP_DigestUpdate(md5, p, input_message_buffer->length - len);
135 EVP_DigestFinal_ex(md5, hash, NULL);
136 EVP_MD_CTX_destroy(md5);
138 memset (&zero, 0, sizeof(zero));
139 memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
140 DES_set_key_unchecked (&deskey, &schedule);
141 DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
143 if (ct_memcmp (p - 8, hash, 8) != 0) {
144 memset (deskey, 0, sizeof(deskey));
145 memset (&schedule, 0, sizeof(schedule));
146 return GSS_S_BAD_MIC;
149 /* verify sequence number */
151 des_ctx = EVP_CIPHER_CTX_new();
152 if (des_ctx == NULL) {
153 memset (deskey, 0, sizeof(deskey));
154 memset (&schedule, 0, sizeof(schedule));
155 *minor_status = ENOMEM;
156 return GSS_S_FAILURE;
159 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
163 EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, hash, 0);
164 EVP_Cipher(des_ctx, p, p, 8);
165 EVP_CIPHER_CTX_free(des_ctx);
167 memset (deskey, 0, sizeof(deskey));
168 memset (&schedule, 0, sizeof(schedule));
171 _gsskrb5_decode_om_uint32(seq, &seq_number);
173 if (context_handle->more_flags & LOCAL)
174 cmp = ct_memcmp(&seq[4], "\xff\xff\xff\xff", 4);
176 cmp = ct_memcmp(&seq[4], "\x00\x00\x00\x00", 4);
179 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
180 return GSS_S_BAD_MIC;
183 ret = _gssapi_msg_order_check(context_handle->order, seq_number);
185 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
189 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
193 output_message_buffer->length = input_message_buffer->length
194 - len - padlength - 8;
195 output_message_buffer->value = malloc(output_message_buffer->length);
196 if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
197 return GSS_S_FAILURE;
198 memcpy (output_message_buffer->value,
200 output_message_buffer->length);
201 return GSS_S_COMPLETE;
207 (OM_uint32 * minor_status,
208 const gsskrb5_ctx context_handle,
209 krb5_context context,
210 const gss_buffer_t input_message_buffer,
211 gss_buffer_t output_message_buffer,
213 gss_qop_t * qop_state,
231 if (IS_DCE_STYLE(context_handle)) {
232 token_len = 34 + 8 + 15; /* 57 */
234 token_len = input_message_buffer->length;
237 p = input_message_buffer->value;
238 ret = _gsskrb5_verify_header (&p,
245 if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
246 return GSS_S_BAD_SIG;
248 if (ct_memcmp (p, "\x02\x00", 2) == 0) {
250 } else if (ct_memcmp (p, "\xff\xff", 2) == 0) {
253 return GSS_S_BAD_MIC;
255 if(conf_state != NULL)
256 *conf_state = cstate;
257 if (ct_memcmp (p, "\xff\xff", 2) != 0)
258 return GSS_S_DEFECTIVE_TOKEN;
262 len = p - (u_char *)input_message_buffer->value;
268 ret = krb5_crypto_init(context, key,
269 ETYPE_DES3_CBC_NONE, &crypto);
272 return GSS_S_FAILURE;
274 ret = krb5_decrypt(context, crypto, KRB5_KU_USAGE_SEAL,
275 p, input_message_buffer->length - len, &tmp);
276 krb5_crypto_destroy(context, crypto);
279 return GSS_S_FAILURE;
281 assert (tmp.length == input_message_buffer->length - len);
283 memcpy (p, tmp.data, tmp.length);
284 krb5_data_free(&tmp);
287 if (IS_DCE_STYLE(context_handle)) {
291 ret = _gssapi_verify_pad(input_message_buffer,
292 input_message_buffer->length - len,
298 /* verify sequence number */
300 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
304 ret = krb5_crypto_init(context, key,
305 ETYPE_DES3_CBC_NONE, &crypto);
308 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
309 return GSS_S_FAILURE;
314 memcpy(&ivec, p + 8, 8);
315 ret = krb5_decrypt_ivec (context,
321 krb5_crypto_destroy (context, crypto);
324 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
325 return GSS_S_FAILURE;
327 if (seq_data.length != 8) {
328 krb5_data_free (&seq_data);
330 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
331 return GSS_S_BAD_MIC;
335 _gsskrb5_decode_om_uint32(seq, &seq_number);
337 if (context_handle->more_flags & LOCAL)
338 cmp = ct_memcmp(&seq[4], "\xff\xff\xff\xff", 4);
340 cmp = ct_memcmp(&seq[4], "\x00\x00\x00\x00", 4);
342 krb5_data_free (&seq_data);
345 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
346 return GSS_S_BAD_MIC;
349 ret = _gssapi_msg_order_check(context_handle->order, seq_number);
352 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
356 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
358 /* verify checksum */
360 memcpy (cksum, p + 8, 20);
362 memcpy (p + 20, p - 8, 8);
364 csum.cksumtype = CKSUMTYPE_HMAC_SHA1_DES3;
365 csum.checksum.length = 20;
366 csum.checksum.data = cksum;
368 ret = krb5_crypto_init(context, key, 0, &crypto);
371 return GSS_S_FAILURE;
374 ret = krb5_verify_checksum (context, crypto,
377 input_message_buffer->length - len + 8,
379 krb5_crypto_destroy (context, crypto);
382 return GSS_S_FAILURE;
387 output_message_buffer->length = input_message_buffer->length
388 - len - padlength - 8;
389 output_message_buffer->value = malloc(output_message_buffer->length);
390 if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
391 return GSS_S_FAILURE;
392 memcpy (output_message_buffer->value,
394 output_message_buffer->length);
395 return GSS_S_COMPLETE;
398 OM_uint32 GSSAPI_CALLCONV _gsskrb5_unwrap
399 (OM_uint32 * minor_status,
400 const gss_ctx_id_t context_handle,
401 const gss_buffer_t input_message_buffer,
402 gss_buffer_t output_message_buffer,
404 gss_qop_t * qop_state
408 krb5_context context;
410 krb5_keytype keytype;
411 gsskrb5_ctx ctx = (gsskrb5_ctx) context_handle;
413 output_message_buffer->value = NULL;
414 output_message_buffer->length = 0;
415 if (qop_state != NULL)
416 *qop_state = GSS_C_QOP_DEFAULT;
418 GSSAPI_KRB5_INIT (&context);
420 if (ctx->more_flags & IS_CFX)
421 return _gssapi_unwrap_cfx (minor_status, ctx, context,
422 input_message_buffer, output_message_buffer,
423 conf_state, qop_state);
425 HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
426 ret = _gsskrb5i_get_token_key(ctx, context, &key);
427 HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
430 return GSS_S_FAILURE;
432 krb5_enctype_to_keytype (context, key->keytype, &keytype);
438 #ifdef HEIM_WEAK_CRYPTO
439 ret = unwrap_des (minor_status, ctx,
440 input_message_buffer, output_message_buffer,
441 conf_state, qop_state, key);
447 ret = unwrap_des3 (minor_status, ctx, context,
448 input_message_buffer, output_message_buffer,
449 conf_state, qop_state, key);
451 case KEYTYPE_ARCFOUR:
452 case KEYTYPE_ARCFOUR_56:
453 ret = _gssapi_unwrap_arcfour (minor_status, ctx, context,
454 input_message_buffer, output_message_buffer,
455 conf_state, qop_state, key);
461 krb5_free_keyblock (context, key);