1 /*
2 * Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "gsskrb5_locl.h"
35
36 /*
37 * Implements draft-brezak-win2k-krb-rc4-hmac-04.txt
38 *
39 * The arcfour message have the following formats:
40 *
41 * MIC token
42 * TOK_ID[2] = 01 01
43 * SGN_ALG[2] = 11 00
44 * Filler[4]
45 * SND_SEQ[8]
46 * SGN_CKSUM[8]
47 *
48 * WRAP token
49 * TOK_ID[2] = 02 01
50 * SGN_ALG[2];
51 * SEAL_ALG[2]
52 * Filler[2]
53 * SND_SEQ[2]
54 * SGN_CKSUM[8]
55 * Confounder[8]
56 */
57
58 /*
59 * WRAP in DCE-style have a fixed size header, the oid and length over
60 * the WRAP header is a total of
61 * GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE +
62 * GSS_ARCFOUR_WRAP_TOKEN_SIZE byte (ie total of 45 bytes overhead,
63 * remember the 2 bytes from APPL [0] SEQ).
64 */
65
66 #define GSS_ARCFOUR_WRAP_TOKEN_SIZE 32
67 #define GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE 13
68
69
70 static krb5_error_code
arcfour_mic_key(krb5_context context,krb5_keyblock * key,void * cksum_data,size_t cksum_size,void * key6_data,size_t key6_size)71 arcfour_mic_key(krb5_context context, krb5_keyblock *key,
72 void *cksum_data, size_t cksum_size,
73 void *key6_data, size_t key6_size)
74 {
75 krb5_error_code ret;
76
77 Checksum cksum_k5;
78 krb5_keyblock key5;
79 char k5_data[16];
80
81 Checksum cksum_k6;
82
83 char T[4];
84
85 memset(T, 0, 4);
86 cksum_k5.checksum.data = k5_data;
87 cksum_k5.checksum.length = sizeof(k5_data);
88
89 if (key->keytype == ENCTYPE_ARCFOUR_HMAC_MD5_56) {
90 char L40[14] = "fortybits";
91
92 memcpy(L40 + 10, T, sizeof(T));
93 ret = krb5_hmac(context, CKSUMTYPE_RSA_MD5,
94 L40, 14, 0, key, &cksum_k5);
95 memset(&k5_data[7], 0xAB, 9);
96 } else {
97 ret = krb5_hmac(context, CKSUMTYPE_RSA_MD5,
98 T, 4, 0, key, &cksum_k5);
99 }
100 if (ret)
101 return ret;
102
103 key5.keytype = ENCTYPE_ARCFOUR_HMAC_MD5;
104 key5.keyvalue = cksum_k5.checksum;
105
106 cksum_k6.checksum.data = key6_data;
107 cksum_k6.checksum.length = key6_size;
108
109 return krb5_hmac(context, CKSUMTYPE_RSA_MD5,
110 cksum_data, cksum_size, 0, &key5, &cksum_k6);
111 }
112
113
114 static krb5_error_code
arcfour_mic_cksum(krb5_context context,krb5_keyblock * key,unsigned usage,u_char * sgn_cksum,size_t sgn_cksum_sz,const u_char * v1,size_t l1,const void * v2,size_t l2,const void * v3,size_t l3)115 arcfour_mic_cksum(krb5_context context,
116 krb5_keyblock *key, unsigned usage,
117 u_char *sgn_cksum, size_t sgn_cksum_sz,
118 const u_char *v1, size_t l1,
119 const void *v2, size_t l2,
120 const void *v3, size_t l3)
121 {
122 Checksum CKSUM;
123 u_char *ptr;
124 size_t len;
125 krb5_crypto crypto;
126 krb5_error_code ret;
127
128 assert(sgn_cksum_sz == 8);
129
130 len = l1 + l2 + l3;
131
132 ptr = malloc(len);
133 if (ptr == NULL)
134 return ENOMEM;
135
136 memcpy(ptr, v1, l1);
137 memcpy(ptr + l1, v2, l2);
138 memcpy(ptr + l1 + l2, v3, l3);
139
140 ret = krb5_crypto_init(context, key, 0, &crypto);
141 if (ret) {
142 free(ptr);
143 return ret;
144 }
145
146 ret = krb5_create_checksum(context,
147 crypto,
148 usage,
149 0,
150 ptr, len,
151 &CKSUM);
152 free(ptr);
153 if (ret == 0) {
154 memcpy(sgn_cksum, CKSUM.checksum.data, sgn_cksum_sz);
155 free_Checksum(&CKSUM);
156 }
157 krb5_crypto_destroy(context, crypto);
158
159 return ret;
160 }
161
162
163 OM_uint32
_gssapi_get_mic_arcfour(OM_uint32 * minor_status,const gsskrb5_ctx context_handle,krb5_context context,gss_qop_t qop_req,const gss_buffer_t message_buffer,gss_buffer_t message_token,krb5_keyblock * key)164 _gssapi_get_mic_arcfour(OM_uint32 * minor_status,
165 const gsskrb5_ctx context_handle,
166 krb5_context context,
167 gss_qop_t qop_req,
168 const gss_buffer_t message_buffer,
169 gss_buffer_t message_token,
170 krb5_keyblock *key)
171 {
172 krb5_error_code ret;
173 int32_t seq_number;
174 size_t len, total_len;
175 u_char k6_data[16], *p0, *p;
176 EVP_CIPHER_CTX *rc4_key;
177
178 _gsskrb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM);
179
180 message_token->length = total_len;
181 message_token->value = malloc (total_len);
182 if (message_token->value == NULL) {
183 *minor_status = ENOMEM;
184 return GSS_S_FAILURE;
185 }
186
187 p0 = _gssapi_make_mech_header(message_token->value,
188 len,
189 GSS_KRB5_MECHANISM);
190 p = p0;
191
192 *p++ = 0x01; /* TOK_ID */
193 *p++ = 0x01;
194 *p++ = 0x11; /* SGN_ALG */
195 *p++ = 0x00;
196 *p++ = 0xff; /* Filler */
197 *p++ = 0xff;
198 *p++ = 0xff;
199 *p++ = 0xff;
200
201 p = NULL;
202
203 ret = arcfour_mic_cksum(context,
204 key, KRB5_KU_USAGE_SIGN,
205 p0 + 16, 8, /* SGN_CKSUM */
206 p0, 8, /* TOK_ID, SGN_ALG, Filer */
207 message_buffer->value, message_buffer->length,
208 NULL, 0);
209 if (ret) {
210 _gsskrb5_release_buffer(minor_status, message_token);
211 *minor_status = ret;
212 return GSS_S_FAILURE;
213 }
214
215 ret = arcfour_mic_key(context, key,
216 p0 + 16, 8, /* SGN_CKSUM */
217 k6_data, sizeof(k6_data));
218 if (ret) {
219 _gsskrb5_release_buffer(minor_status, message_token);
220 *minor_status = ret;
221 return GSS_S_FAILURE;
222 }
223
224 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
225 krb5_auth_con_getlocalseqnumber (context,
226 context_handle->auth_context,
227 &seq_number);
228 p = p0 + 8; /* SND_SEQ */
229 _gsskrb5_encode_be_om_uint32(seq_number, p);
230
231 krb5_auth_con_setlocalseqnumber (context,
232 context_handle->auth_context,
233 ++seq_number);
234 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
235
236 memset (p + 4, (context_handle->more_flags & LOCAL) ? 0 : 0xff, 4);
237
238 rc4_key = EVP_CIPHER_CTX_new();
239 if (rc4_key == NULL) {
240 _gsskrb5_release_buffer(minor_status, message_token);
241 *minor_status = ENOMEM;
242 return GSS_S_FAILURE;
243 }
244
245 EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
246 EVP_Cipher(rc4_key, p, p, 8);
247 EVP_CIPHER_CTX_free(rc4_key);
248
249 memset(k6_data, 0, sizeof(k6_data));
250
251 *minor_status = 0;
252 return GSS_S_COMPLETE;
253 }
254
255
256 OM_uint32
_gssapi_verify_mic_arcfour(OM_uint32 * minor_status,const gsskrb5_ctx context_handle,krb5_context context,const gss_buffer_t message_buffer,const gss_buffer_t token_buffer,gss_qop_t * qop_state,krb5_keyblock * key,const char * type)257 _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
258 const gsskrb5_ctx context_handle,
259 krb5_context context,
260 const gss_buffer_t message_buffer,
261 const gss_buffer_t token_buffer,
262 gss_qop_t * qop_state,
263 krb5_keyblock *key,
264 const char *type)
265 {
266 krb5_error_code ret;
267 uint32_t seq_number;
268 OM_uint32 omret;
269 u_char SND_SEQ[8], cksum_data[8], *p;
270 char k6_data[16];
271 int cmp;
272
273 if (qop_state)
274 *qop_state = 0;
275
276 p = token_buffer->value;
277 omret = _gsskrb5_verify_header (&p,
278 token_buffer->length,
279 type,
280 GSS_KRB5_MECHANISM);
281 if (omret)
282 return omret;
283
284 if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */
285 return GSS_S_BAD_SIG;
286 p += 2;
287 if (memcmp (p, "\xff\xff\xff\xff", 4) != 0)
288 return GSS_S_BAD_MIC;
289 p += 4;
290
291 ret = arcfour_mic_cksum(context,
292 key, KRB5_KU_USAGE_SIGN,
293 cksum_data, sizeof(cksum_data),
294 p - 8, 8,
295 message_buffer->value, message_buffer->length,
296 NULL, 0);
297 if (ret) {
298 *minor_status = ret;
299 return GSS_S_FAILURE;
300 }
301
302 ret = arcfour_mic_key(context, key,
303 cksum_data, sizeof(cksum_data),
304 k6_data, sizeof(k6_data));
305 if (ret) {
306 *minor_status = ret;
307 return GSS_S_FAILURE;
308 }
309
310 cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);
311 if (cmp) {
312 *minor_status = 0;
313 return GSS_S_BAD_MIC;
314 }
315
316 {
317 EVP_CIPHER_CTX *rc4_key;
318
319 rc4_key = EVP_CIPHER_CTX_new();
320 if (rc4_key == NULL) {
321 *minor_status = ENOMEM;
322 return GSS_S_FAILURE;
323 }
324 EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, (void *)k6_data, NULL, 0);
325 EVP_Cipher(rc4_key, SND_SEQ, p, 8);
326 EVP_CIPHER_CTX_free(rc4_key);
327
328 memset(k6_data, 0, sizeof(k6_data));
329 }
330
331 _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
332
333 if (context_handle->more_flags & LOCAL)
334 cmp = (ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
335 else
336 cmp = (ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
337
338 memset(SND_SEQ, 0, sizeof(SND_SEQ));
339 if (cmp != 0) {
340 *minor_status = 0;
341 return GSS_S_BAD_MIC;
342 }
343
344 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
345 omret = _gssapi_msg_order_check(context_handle->order, seq_number);
346 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
347 if (omret)
348 return omret;
349
350 *minor_status = 0;
351 return GSS_S_COMPLETE;
352 }
353
354 OM_uint32
_gssapi_wrap_arcfour(OM_uint32 * minor_status,const gsskrb5_ctx context_handle,krb5_context context,int conf_req_flag,gss_qop_t qop_req,const gss_buffer_t input_message_buffer,int * conf_state,gss_buffer_t output_message_buffer,krb5_keyblock * key)355 _gssapi_wrap_arcfour(OM_uint32 * minor_status,
356 const gsskrb5_ctx context_handle,
357 krb5_context context,
358 int conf_req_flag,
359 gss_qop_t qop_req,
360 const gss_buffer_t input_message_buffer,
361 int * conf_state,
362 gss_buffer_t output_message_buffer,
363 krb5_keyblock *key)
364 {
365 u_char Klocaldata[16], k6_data[16], *p, *p0;
366 size_t len, total_len, datalen;
367 krb5_keyblock Klocal;
368 krb5_error_code ret;
369 int32_t seq_number;
370
371 if (conf_state)
372 *conf_state = 0;
373
374 datalen = input_message_buffer->length;
375
376 if (IS_DCE_STYLE(context_handle)) {
377 len = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
378 _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
379 total_len += datalen;
380 } else {
381 datalen += 1; /* padding */
382 len = datalen + GSS_ARCFOUR_WRAP_TOKEN_SIZE;
383 _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
384 }
385
386 output_message_buffer->length = total_len;
387 output_message_buffer->value = malloc (total_len);
388 if (output_message_buffer->value == NULL) {
389 *minor_status = ENOMEM;
390 return GSS_S_FAILURE;
391 }
392
393 p0 = _gssapi_make_mech_header(output_message_buffer->value,
394 len,
395 GSS_KRB5_MECHANISM);
396 p = p0;
397
398 *p++ = 0x02; /* TOK_ID */
399 *p++ = 0x01;
400 *p++ = 0x11; /* SGN_ALG */
401 *p++ = 0x00;
402 if (conf_req_flag) {
403 *p++ = 0x10; /* SEAL_ALG */
404 *p++ = 0x00;
405 } else {
406 *p++ = 0xff; /* SEAL_ALG */
407 *p++ = 0xff;
408 }
409 *p++ = 0xff; /* Filler */
410 *p++ = 0xff;
411
412 p = NULL;
413
414 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
415 krb5_auth_con_getlocalseqnumber (context,
416 context_handle->auth_context,
417 &seq_number);
418
419 _gsskrb5_encode_be_om_uint32(seq_number, p0 + 8);
420
421 krb5_auth_con_setlocalseqnumber (context,
422 context_handle->auth_context,
423 ++seq_number);
424 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
425
426 memset (p0 + 8 + 4,
427 (context_handle->more_flags & LOCAL) ? 0 : 0xff,
428 4);
429
430 krb5_generate_random_block(p0 + 24, 8); /* fill in Confounder */
431
432 /* p points to data */
433 p = p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE;
434 memcpy(p, input_message_buffer->value, input_message_buffer->length);
435
436 if (!IS_DCE_STYLE(context_handle))
437 p[input_message_buffer->length] = 1; /* padding */
438
439 ret = arcfour_mic_cksum(context,
440 key, KRB5_KU_USAGE_SEAL,
441 p0 + 16, 8, /* SGN_CKSUM */
442 p0, 8, /* TOK_ID, SGN_ALG, SEAL_ALG, Filler */
443 p0 + 24, 8, /* Confounder */
444 p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE,
445 datalen);
446 if (ret) {
447 *minor_status = ret;
448 _gsskrb5_release_buffer(minor_status, output_message_buffer);
449 return GSS_S_FAILURE;
450 }
451
452 {
453 int i;
454
455 Klocal.keytype = key->keytype;
456 Klocal.keyvalue.data = Klocaldata;
457 Klocal.keyvalue.length = sizeof(Klocaldata);
458
459 for (i = 0; i < 16; i++)
460 Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0;
461 }
462 ret = arcfour_mic_key(context, &Klocal,
463 p0 + 8, 4, /* SND_SEQ */
464 k6_data, sizeof(k6_data));
465 memset(Klocaldata, 0, sizeof(Klocaldata));
466 if (ret) {
467 _gsskrb5_release_buffer(minor_status, output_message_buffer);
468 *minor_status = ret;
469 return GSS_S_FAILURE;
470 }
471
472
473 if(conf_req_flag) {
474 EVP_CIPHER_CTX *rc4_key;
475
476 rc4_key = EVP_CIPHER_CTX_new();
477 if (rc4_key == NULL) {
478 _gsskrb5_release_buffer(minor_status, output_message_buffer);
479 *minor_status = ENOMEM;
480 return GSS_S_FAILURE;
481 }
482 EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
483 EVP_Cipher(rc4_key, p0 + 24, p0 + 24, 8 + datalen);
484 EVP_CIPHER_CTX_free(rc4_key);
485 }
486 memset(k6_data, 0, sizeof(k6_data));
487
488 ret = arcfour_mic_key(context, key,
489 p0 + 16, 8, /* SGN_CKSUM */
490 k6_data, sizeof(k6_data));
491 if (ret) {
492 _gsskrb5_release_buffer(minor_status, output_message_buffer);
493 *minor_status = ret;
494 return GSS_S_FAILURE;
495 }
496
497 {
498 EVP_CIPHER_CTX *rc4_key;
499
500 rc4_key = EVP_CIPHER_CTX_new();
501 if (rc4_key == NULL) {
502 _gsskrb5_release_buffer(minor_status, output_message_buffer);
503 *minor_status = ENOMEM;
504 return GSS_S_FAILURE;
505 }
506 EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
507 EVP_Cipher(rc4_key, p0 + 8, p0 + 8 /* SND_SEQ */, 8);
508 EVP_CIPHER_CTX_free(rc4_key);
509 memset(k6_data, 0, sizeof(k6_data));
510 }
511
512 if (conf_state)
513 *conf_state = conf_req_flag;
514
515 *minor_status = 0;
516 return GSS_S_COMPLETE;
517 }
518
_gssapi_unwrap_arcfour(OM_uint32 * minor_status,const gsskrb5_ctx context_handle,krb5_context context,const gss_buffer_t input_message_buffer,gss_buffer_t output_message_buffer,int * conf_state,gss_qop_t * qop_state,krb5_keyblock * key)519 OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
520 const gsskrb5_ctx context_handle,
521 krb5_context context,
522 const gss_buffer_t input_message_buffer,
523 gss_buffer_t output_message_buffer,
524 int *conf_state,
525 gss_qop_t *qop_state,
526 krb5_keyblock *key)
527 {
528 u_char Klocaldata[16];
529 krb5_keyblock Klocal;
530 krb5_error_code ret;
531 uint32_t seq_number;
532 size_t datalen;
533 OM_uint32 omret;
534 u_char k6_data[16], SND_SEQ[8], Confounder[8];
535 u_char cksum_data[8];
536 u_char *p, *p0;
537 int cmp;
538 int conf_flag;
539 size_t padlen = 0, len;
540
541 if (conf_state)
542 *conf_state = 0;
543 if (qop_state)
544 *qop_state = 0;
545
546 p0 = input_message_buffer->value;
547
548 if (IS_DCE_STYLE(context_handle)) {
549 len = GSS_ARCFOUR_WRAP_TOKEN_SIZE +
550 GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE;
551 if (input_message_buffer->length < len)
552 return GSS_S_BAD_MECH;
553 } else {
554 len = input_message_buffer->length;
555 }
556
557 omret = _gssapi_verify_mech_header(&p0,
558 len,
559 GSS_KRB5_MECHANISM);
560 if (omret)
561 return omret;
562
563 /* length of mech header */
564 len = (p0 - (u_char *)input_message_buffer->value) +
565 GSS_ARCFOUR_WRAP_TOKEN_SIZE;
566
567 if (len > input_message_buffer->length)
568 return GSS_S_BAD_MECH;
569
570 /* length of data */
571 datalen = input_message_buffer->length - len;
572
573 p = p0;
574
575 if (memcmp(p, "\x02\x01", 2) != 0)
576 return GSS_S_BAD_SIG;
577 p += 2;
578 if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */
579 return GSS_S_BAD_SIG;
580 p += 2;
581
582 if (memcmp (p, "\x10\x00", 2) == 0)
583 conf_flag = 1;
584 else if (memcmp (p, "\xff\xff", 2) == 0)
585 conf_flag = 0;
586 else
587 return GSS_S_BAD_SIG;
588
589 p += 2;
590 if (memcmp (p, "\xff\xff", 2) != 0)
591 return GSS_S_BAD_MIC;
592 p = NULL;
593
594 ret = arcfour_mic_key(context, key,
595 p0 + 16, 8, /* SGN_CKSUM */
596 k6_data, sizeof(k6_data));
597 if (ret) {
598 *minor_status = ret;
599 return GSS_S_FAILURE;
600 }
601
602 {
603 EVP_CIPHER_CTX *rc4_key;
604
605 rc4_key = EVP_CIPHER_CTX_new();
606 if (rc4_key == NULL) {
607 *minor_status = ENOMEM;
608 return GSS_S_FAILURE;
609 }
610 EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
611 EVP_Cipher(rc4_key, SND_SEQ, p0 + 8, 8);
612 EVP_CIPHER_CTX_free(rc4_key);
613 memset(k6_data, 0, sizeof(k6_data));
614 }
615
616 _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
617
618 if (context_handle->more_flags & LOCAL)
619 cmp = (ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
620 else
621 cmp = (ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
622
623 if (cmp != 0) {
624 *minor_status = 0;
625 return GSS_S_BAD_MIC;
626 }
627
628 {
629 int i;
630
631 Klocal.keytype = key->keytype;
632 Klocal.keyvalue.data = Klocaldata;
633 Klocal.keyvalue.length = sizeof(Klocaldata);
634
635 for (i = 0; i < 16; i++)
636 Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0;
637 }
638 ret = arcfour_mic_key(context, &Klocal,
639 SND_SEQ, 4,
640 k6_data, sizeof(k6_data));
641 memset(Klocaldata, 0, sizeof(Klocaldata));
642 if (ret) {
643 *minor_status = ret;
644 return GSS_S_FAILURE;
645 }
646
647 output_message_buffer->value = malloc(datalen);
648 if (output_message_buffer->value == NULL) {
649 *minor_status = ENOMEM;
650 return GSS_S_FAILURE;
651 }
652 output_message_buffer->length = datalen;
653
654 if(conf_flag) {
655 EVP_CIPHER_CTX *rc4_key;
656
657 rc4_key = EVP_CIPHER_CTX_new();
658 if (rc4_key == NULL) {
659 _gsskrb5_release_buffer(minor_status, output_message_buffer);
660 *minor_status = ENOMEM;
661 return GSS_S_FAILURE;
662 }
663 EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
664 EVP_Cipher(rc4_key, Confounder, p0 + 24, 8);
665 EVP_Cipher(rc4_key, output_message_buffer->value, p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, datalen);
666 EVP_CIPHER_CTX_free(rc4_key);
667 } else {
668 memcpy(Confounder, p0 + 24, 8); /* Confounder */
669 memcpy(output_message_buffer->value,
670 p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE,
671 datalen);
672 }
673 memset(k6_data, 0, sizeof(k6_data));
674
675 if (!IS_DCE_STYLE(context_handle)) {
676 ret = _gssapi_verify_pad(output_message_buffer, datalen, &padlen);
677 if (ret) {
678 _gsskrb5_release_buffer(minor_status, output_message_buffer);
679 *minor_status = 0;
680 return ret;
681 }
682 output_message_buffer->length -= padlen;
683 }
684
685 ret = arcfour_mic_cksum(context,
686 key, KRB5_KU_USAGE_SEAL,
687 cksum_data, sizeof(cksum_data),
688 p0, 8,
689 Confounder, sizeof(Confounder),
690 output_message_buffer->value,
691 output_message_buffer->length + padlen);
692 if (ret) {
693 _gsskrb5_release_buffer(minor_status, output_message_buffer);
694 *minor_status = ret;
695 return GSS_S_FAILURE;
696 }
697
698 cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
699 if (cmp) {
700 _gsskrb5_release_buffer(minor_status, output_message_buffer);
701 *minor_status = 0;
702 return GSS_S_BAD_MIC;
703 }
704
705 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
706 omret = _gssapi_msg_order_check(context_handle->order, seq_number);
707 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
708 if (omret)
709 return omret;
710
711 if (conf_state)
712 *conf_state = conf_flag;
713
714 *minor_status = 0;
715 return GSS_S_COMPLETE;
716 }
717
718 static OM_uint32
max_wrap_length_arcfour(const gsskrb5_ctx ctx,krb5_crypto crypto,size_t input_length,OM_uint32 * max_input_size)719 max_wrap_length_arcfour(const gsskrb5_ctx ctx,
720 krb5_crypto crypto,
721 size_t input_length,
722 OM_uint32 *max_input_size)
723 {
724 /*
725 * if GSS_C_DCE_STYLE is in use:
726 * - we only need to encapsulate the WRAP token
727 * However, since this is a fixed since, we just
728 */
729 if (IS_DCE_STYLE(ctx)) {
730 size_t len, total_len;
731
732 len = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
733 _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
734
735 if (input_length < len)
736 *max_input_size = 0;
737 else
738 *max_input_size = input_length - len;
739
740 } else {
741 size_t extrasize = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
742 size_t blocksize = 8;
743 size_t len, total_len;
744
745 len = 8 + input_length + blocksize + extrasize;
746
747 _gsskrb5_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
748
749 total_len -= input_length; /* token length */
750 if (total_len < input_length) {
751 *max_input_size = (input_length - total_len);
752 (*max_input_size) &= (~(OM_uint32)(blocksize - 1));
753 } else {
754 *max_input_size = 0;
755 }
756 }
757
758 return GSS_S_COMPLETE;
759 }
760
761 OM_uint32
_gssapi_wrap_size_arcfour(OM_uint32 * minor_status,const gsskrb5_ctx ctx,krb5_context context,int conf_req_flag,gss_qop_t qop_req,OM_uint32 req_output_size,OM_uint32 * max_input_size,krb5_keyblock * key)762 _gssapi_wrap_size_arcfour(OM_uint32 *minor_status,
763 const gsskrb5_ctx ctx,
764 krb5_context context,
765 int conf_req_flag,
766 gss_qop_t qop_req,
767 OM_uint32 req_output_size,
768 OM_uint32 *max_input_size,
769 krb5_keyblock *key)
770 {
771 krb5_error_code ret;
772 krb5_crypto crypto;
773
774 ret = krb5_crypto_init(context, key, 0, &crypto);
775 if (ret != 0) {
776 *minor_status = ret;
777 return GSS_S_FAILURE;
778 }
779
780 ret = max_wrap_length_arcfour(ctx, crypto,
781 req_output_size, max_input_size);
782 if (ret != 0) {
783 *minor_status = ret;
784 krb5_crypto_destroy(context, crypto);
785 return GSS_S_FAILURE;
786 }
787
788 krb5_crypto_destroy(context, crypto);
789
790 return GSS_S_COMPLETE;
791 }
792