2 * Copyright (c) 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 _krb5_crc_update (const char *p, size_t len, uint32_t res);
39 _krb5_crc_init_table(void);
46 encode_le_uint32(uint32_t n, unsigned char *p)
48 p[0] = (n >> 0) & 0xFF;
49 p[1] = (n >> 8) & 0xFF;
50 p[2] = (n >> 16) & 0xFF;
51 p[3] = (n >> 24) & 0xFF;
56 decode_le_uint32(const void *ptr, uint32_t *n)
58 const unsigned char *p = ptr;
59 *n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
66 const char a2i_signmagic[] =
67 "session key to server-to-client signing key magic constant";
68 const char a2i_sealmagic[] =
69 "session key to server-to-client sealing key magic constant";
70 const char i2a_signmagic[] =
71 "session key to client-to-server signing key magic constant";
72 const char i2a_sealmagic[] =
73 "session key to client-to-server sealing key magic constant";
77 _gss_ntlm_set_key(struct ntlmv2_key *key, int acceptor, int sealsign,
78 unsigned char *data, size_t len)
80 unsigned char out[16];
82 const char *signmagic;
83 const char *sealmagic;
86 signmagic = a2i_signmagic;
87 sealmagic = a2i_sealmagic;
89 signmagic = i2a_signmagic;
90 sealmagic = i2a_sealmagic;
95 ctx = EVP_MD_CTX_create();
96 EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
97 EVP_DigestUpdate(ctx, data, len);
98 EVP_DigestUpdate(ctx, signmagic, strlen(signmagic) + 1);
99 EVP_DigestFinal_ex(ctx, key->signkey, NULL);
101 EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
102 EVP_DigestUpdate(ctx, data, len);
103 EVP_DigestUpdate(ctx, sealmagic, strlen(sealmagic) + 1);
104 EVP_DigestFinal_ex(ctx, out, NULL);
105 EVP_MD_CTX_destroy(ctx);
107 RC4_set_key(&key->sealkey, 16, out);
109 key->signsealkey = &key->sealkey;
117 v1_sign_message(gss_buffer_t in,
120 unsigned char out[16])
122 unsigned char sigature[12];
125 _krb5_crc_init_table();
126 crc = _krb5_crc_update(in->value, in->length, 0);
128 encode_le_uint32(0, &sigature[0]);
129 encode_le_uint32(crc, &sigature[4]);
130 encode_le_uint32(seq, &sigature[8]);
132 encode_le_uint32(1, out); /* version */
133 RC4(signkey, sizeof(sigature), sigature, out + 4);
135 if (RAND_bytes(out + 4, 4) != 1)
136 return GSS_S_UNAVAILABLE;
143 v2_sign_message(gss_buffer_t in,
144 unsigned char signkey[16],
147 unsigned char out[16])
149 unsigned char hmac[16];
150 unsigned int hmaclen;
154 HMAC_Init_ex(&c, signkey, 16, EVP_md5(), NULL);
156 encode_le_uint32(seq, hmac);
157 HMAC_Update(&c, hmac, 4);
158 HMAC_Update(&c, in->value, in->length);
159 HMAC_Final(&c, hmac, &hmaclen);
160 HMAC_CTX_cleanup(&c);
162 encode_le_uint32(1, &out[0]);
164 RC4(sealkey, 8, hmac, &out[4]);
166 memcpy(&out[4], hmac, 8);
168 memset(&out[12], 0, 4);
170 return GSS_S_COMPLETE;
174 v2_verify_message(gss_buffer_t in,
175 unsigned char signkey[16],
178 const unsigned char checksum[16])
181 unsigned char out[16];
183 ret = v2_sign_message(in, signkey, sealkey, seq, out);
187 if (memcmp(checksum, out, 16) != 0)
188 return GSS_S_BAD_MIC;
190 return GSS_S_COMPLETE;
194 v2_seal_message(const gss_buffer_t in,
195 unsigned char signkey[16],
203 if (in->length + 16 < in->length)
206 p = malloc(in->length + 16);
210 RC4(sealkey, in->length, in->value, p);
212 ret = v2_sign_message(in, signkey, sealkey, seq, &p[in->length]);
219 out->length = in->length + 16;
225 v2_unseal_message(gss_buffer_t in,
226 unsigned char signkey[16],
234 return GSS_S_BAD_MIC;
236 out->length = in->length - 16;
237 out->value = malloc(out->length);
238 if (out->value == NULL)
239 return GSS_S_BAD_MIC;
241 RC4(sealkey, out->length, in->value, out->value);
243 ret = v2_verify_message(out, signkey, sealkey, seq,
244 ((const unsigned char *)in->value) + out->length);
247 gss_release_buffer(&junk, out);
256 #define CTX_FLAGS_ISSET(_ctx,_flags) \
257 (((_ctx)->flags & (_flags)) == (_flags))
263 OM_uint32 GSSAPI_CALLCONV
265 (OM_uint32 * minor_status,
266 const gss_ctx_id_t context_handle,
268 const gss_buffer_t message_buffer,
269 gss_buffer_t message_token
272 ntlm_ctx ctx = (ntlm_ctx)context_handle;
277 message_token->value = malloc(16);
278 message_token->length = 16;
279 if (message_token->value == NULL) {
280 *minor_status = ENOMEM;
281 return GSS_S_FAILURE;
284 if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SIGN|NTLM_NEG_NTLM2_SESSION)) {
287 if ((ctx->status & STATUS_SESSIONKEY) == 0) {
288 gss_release_buffer(&junk, message_token);
289 return GSS_S_UNAVAILABLE;
292 ret = v2_sign_message(message_buffer,
293 ctx->u.v2.send.signkey,
294 ctx->u.v2.send.signsealkey,
295 ctx->u.v2.send.seq++,
296 message_token->value);
298 gss_release_buffer(&junk, message_token);
301 } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SIGN)) {
304 if ((ctx->status & STATUS_SESSIONKEY) == 0) {
305 gss_release_buffer(&junk, message_token);
306 return GSS_S_UNAVAILABLE;
309 ret = v1_sign_message(message_buffer,
310 &ctx->u.v1.crypto_send.key,
311 ctx->u.v1.crypto_send.seq++,
312 message_token->value);
314 gss_release_buffer(&junk, message_token);
317 } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_ALWAYS_SIGN)) {
318 unsigned char *sigature;
320 sigature = message_token->value;
322 encode_le_uint32(1, &sigature[0]); /* version */
323 encode_le_uint32(0, &sigature[4]);
324 encode_le_uint32(0, &sigature[8]);
325 encode_le_uint32(0, &sigature[12]);
327 return GSS_S_COMPLETE;
329 gss_release_buffer(&junk, message_token);
331 return GSS_S_UNAVAILABLE;
338 OM_uint32 GSSAPI_CALLCONV
340 (OM_uint32 * minor_status,
341 const gss_ctx_id_t context_handle,
342 const gss_buffer_t message_buffer,
343 const gss_buffer_t token_buffer,
344 gss_qop_t * qop_state
347 ntlm_ctx ctx = (ntlm_ctx)context_handle;
349 if (qop_state != NULL)
350 *qop_state = GSS_C_QOP_DEFAULT;
353 if (token_buffer->length != 16)
354 return GSS_S_BAD_MIC;
356 if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SIGN|NTLM_NEG_NTLM2_SESSION)) {
359 if ((ctx->status & STATUS_SESSIONKEY) == 0)
360 return GSS_S_UNAVAILABLE;
362 ret = v2_verify_message(message_buffer,
363 ctx->u.v2.recv.signkey,
364 ctx->u.v2.recv.signsealkey,
365 ctx->u.v2.recv.seq++,
366 token_buffer->value);
370 return GSS_S_COMPLETE;
371 } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SIGN)) {
373 unsigned char sigature[12];
376 if ((ctx->status & STATUS_SESSIONKEY) == 0)
377 return GSS_S_UNAVAILABLE;
379 decode_le_uint32(token_buffer->value, &num);
381 return GSS_S_BAD_MIC;
383 RC4(&ctx->u.v1.crypto_recv.key, sizeof(sigature),
384 ((unsigned char *)token_buffer->value) + 4, sigature);
386 _krb5_crc_init_table();
387 crc = _krb5_crc_update(message_buffer->value,
388 message_buffer->length, 0);
389 /* skip first 4 bytes in the encrypted checksum */
390 decode_le_uint32(&sigature[4], &num);
392 return GSS_S_BAD_MIC;
393 decode_le_uint32(&sigature[8], &num);
394 if (ctx->u.v1.crypto_recv.seq != num)
395 return GSS_S_BAD_MIC;
396 ctx->u.v1.crypto_recv.seq++;
398 return GSS_S_COMPLETE;
399 } else if (ctx->flags & NTLM_NEG_ALWAYS_SIGN) {
403 p = (unsigned char*)(token_buffer->value);
405 decode_le_uint32(&p[0], &num); /* version */
406 if (num != 1) return GSS_S_BAD_MIC;
407 decode_le_uint32(&p[4], &num);
408 if (num != 0) return GSS_S_BAD_MIC;
409 decode_le_uint32(&p[8], &num);
410 if (num != 0) return GSS_S_BAD_MIC;
411 decode_le_uint32(&p[12], &num);
412 if (num != 0) return GSS_S_BAD_MIC;
414 return GSS_S_COMPLETE;
417 return GSS_S_UNAVAILABLE;
424 OM_uint32 GSSAPI_CALLCONV
425 _gss_ntlm_wrap_size_limit (
426 OM_uint32 * minor_status,
427 const gss_ctx_id_t context_handle,
430 OM_uint32 req_output_size,
431 OM_uint32 * max_input_size
434 ntlm_ctx ctx = (ntlm_ctx)context_handle;
438 if(ctx->flags & NTLM_NEG_SEAL) {
440 if (req_output_size < 16)
443 *max_input_size = req_output_size - 16;
445 return GSS_S_COMPLETE;
448 return GSS_S_UNAVAILABLE;
455 OM_uint32 GSSAPI_CALLCONV
457 (OM_uint32 * minor_status,
458 const gss_ctx_id_t context_handle,
461 const gss_buffer_t input_message_buffer,
463 gss_buffer_t output_message_buffer
466 ntlm_ctx ctx = (ntlm_ctx)context_handle;
472 if (output_message_buffer == GSS_C_NO_BUFFER)
473 return GSS_S_FAILURE;
476 if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL|NTLM_NEG_NTLM2_SESSION)) {
478 return v2_seal_message(input_message_buffer,
479 ctx->u.v2.send.signkey,
480 ctx->u.v2.send.seq++,
481 &ctx->u.v2.send.sealkey,
482 output_message_buffer);
484 } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL)) {
485 gss_buffer_desc trailer;
488 output_message_buffer->length = input_message_buffer->length + 16;
489 output_message_buffer->value = malloc(output_message_buffer->length);
490 if (output_message_buffer->value == NULL) {
491 output_message_buffer->length = 0;
492 return GSS_S_FAILURE;
496 RC4(&ctx->u.v1.crypto_send.key, input_message_buffer->length,
497 input_message_buffer->value, output_message_buffer->value);
499 ret = _gss_ntlm_get_mic(minor_status, context_handle,
500 0, input_message_buffer,
503 gss_release_buffer(&junk, output_message_buffer);
506 if (trailer.length != 16) {
507 gss_release_buffer(&junk, output_message_buffer);
508 gss_release_buffer(&junk, &trailer);
509 return GSS_S_FAILURE;
511 memcpy(((unsigned char *)output_message_buffer->value) +
512 input_message_buffer->length,
513 trailer.value, trailer.length);
514 gss_release_buffer(&junk, &trailer);
516 return GSS_S_COMPLETE;
519 return GSS_S_UNAVAILABLE;
526 OM_uint32 GSSAPI_CALLCONV
528 (OM_uint32 * minor_status,
529 const gss_ctx_id_t context_handle,
530 const gss_buffer_t input_message_buffer,
531 gss_buffer_t output_message_buffer,
533 gss_qop_t * qop_state
536 ntlm_ctx ctx = (ntlm_ctx)context_handle;
540 output_message_buffer->value = NULL;
541 output_message_buffer->length = 0;
548 if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL|NTLM_NEG_NTLM2_SESSION)) {
550 return v2_unseal_message(input_message_buffer,
551 ctx->u.v2.recv.signkey,
552 ctx->u.v2.recv.seq++,
553 &ctx->u.v2.recv.sealkey,
554 output_message_buffer);
556 } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL)) {
558 gss_buffer_desc trailer;
561 if (input_message_buffer->length < 16)
562 return GSS_S_BAD_MIC;
564 output_message_buffer->length = input_message_buffer->length - 16;
565 output_message_buffer->value = malloc(output_message_buffer->length);
566 if (output_message_buffer->value == NULL) {
567 output_message_buffer->length = 0;
568 return GSS_S_FAILURE;
571 RC4(&ctx->u.v1.crypto_recv.key, output_message_buffer->length,
572 input_message_buffer->value, output_message_buffer->value);
574 trailer.value = ((unsigned char *)input_message_buffer->value) +
575 output_message_buffer->length;
578 ret = _gss_ntlm_verify_mic(minor_status, context_handle,
579 output_message_buffer,
582 gss_release_buffer(&junk, output_message_buffer);
586 return GSS_S_COMPLETE;
589 return GSS_S_UNAVAILABLE;