1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /*
3 * Copyright 2001, 2008 by the Massachusetts Institute of Technology.
4 * Copyright 1993 by OpenVision Technologies, Inc.
5 *
6 * Permission to use, copy, modify, distribute, and sell this software
7 * and its documentation for any purpose is hereby granted without fee,
8 * provided that the above copyright notice appears in all copies and
9 * that both that copyright notice and this permission notice appear in
10 * supporting documentation, and that the name of OpenVision not be used
11 * in advertising or publicity pertaining to distribution of the software
12 * without specific, written prior permission. OpenVision makes no
13 * representations about the suitability of this software for any
14 * purpose. It is provided "as is" without express or implied warranty.
15 *
16 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
17 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
18 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
19 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
20 * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
21 * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
22 * PERFORMANCE OF THIS SOFTWARE.
23 */
24
25 /*
26 * Copyright (C) 1998 by the FundsXpress, INC.
27 *
28 * All rights reserved.
29 *
30 * Export of this software from the United States of America may require
31 * a specific license from the United States Government. It is the
32 * responsibility of any person or organization contemplating export to
33 * obtain such a license before exporting.
34 *
35 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
36 * distribute this software and its documentation for any purpose and
37 * without fee is hereby granted, provided that the above copyright
38 * notice appear in all copies and that both that copyright notice and
39 * this permission notice appear in supporting documentation, and that
40 * the name of FundsXpress. not be used in advertising or publicity pertaining
41 * to distribution of the software without specific, written prior
42 * permission. FundsXpress makes no representations about the suitability of
43 * this software for any purpose. It is provided "as is" without express
44 * or implied warranty.
45 *
46 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
47 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
48 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
49 */
50
51 #include "k5-int.h"
52 #include "gssapiP_krb5.h"
53 #ifdef HAVE_MEMORY_H
54 #include <memory.h>
55 #endif
56
57 static krb5_error_code
kg_copy_keys(krb5_context context,krb5_gss_ctx_id_rec * ctx,krb5_key subkey)58 kg_copy_keys(krb5_context context, krb5_gss_ctx_id_rec *ctx, krb5_key subkey)
59 {
60 krb5_error_code code;
61
62 krb5_k_free_key(context, ctx->enc);
63 ctx->enc = NULL;
64 code = krb5_k_create_key(context, &subkey->keyblock, &ctx->enc);
65 if (code != 0)
66 return code;
67
68 krb5_k_free_key(context, ctx->seq);
69 ctx->seq = NULL;
70 code = krb5_k_create_key(context, &subkey->keyblock, &ctx->seq);
71 if (code != 0)
72 return code;
73
74 return 0;
75 }
76
77 krb5_error_code
kg_setup_keys(krb5_context context,krb5_gss_ctx_id_rec * ctx,krb5_key subkey,krb5_cksumtype * cksumtype)78 kg_setup_keys(krb5_context context, krb5_gss_ctx_id_rec *ctx, krb5_key subkey,
79 krb5_cksumtype *cksumtype)
80 {
81 krb5_error_code code;
82
83 assert(ctx != NULL);
84 assert(subkey != NULL);
85
86 *cksumtype = 0;
87 ctx->proto = 0;
88
89 if (ctx->enc == NULL) {
90 ctx->signalg = -1;
91 ctx->sealalg = -1;
92 }
93
94 code = krb5int_c_mandatory_cksumtype(context, subkey->keyblock.enctype,
95 cksumtype);
96 if (code != 0)
97 return code;
98
99 switch (subkey->keyblock.enctype) {
100 case ENCTYPE_DES3_CBC_SHA1:
101 code = kg_copy_keys(context, ctx, subkey);
102 if (code != 0)
103 return code;
104
105 ctx->enc->keyblock.enctype = ENCTYPE_DES3_CBC_RAW;
106 ctx->seq->keyblock.enctype = ENCTYPE_DES3_CBC_RAW;
107 ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD;
108 ctx->cksum_size = 20;
109 ctx->sealalg = SEAL_ALG_DES3KD;
110 break;
111 case ENCTYPE_ARCFOUR_HMAC:
112 case ENCTYPE_ARCFOUR_HMAC_EXP:
113 /* RFC 4121 accidentally omits RC4-HMAC-EXP as a "not-newer" enctype,
114 * even though RFC 4757 treats it as one. */
115 code = kg_copy_keys(context, ctx, subkey);
116 if (code != 0)
117 return code;
118
119 ctx->signalg = SGN_ALG_HMAC_MD5;
120 ctx->cksum_size = 8;
121 ctx->sealalg = SEAL_ALG_MICROSOFT_RC4;
122 break;
123 default:
124 ctx->proto = 1;
125 break;
126 }
127
128 return 0;
129 }
130
131 int
kg_confounder_size(krb5_context context,krb5_enctype enctype)132 kg_confounder_size(krb5_context context, krb5_enctype enctype)
133 {
134 krb5_error_code code;
135 size_t blocksize;
136 /* We special case rc4*/
137 if (enctype == ENCTYPE_ARCFOUR_HMAC || enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
138 return 8;
139 code = krb5_c_block_size(context, enctype, &blocksize);
140 if (code)
141 return(-1); /* XXX */
142
143 return(blocksize);
144 }
145
146 krb5_error_code
kg_make_confounder(krb5_context context,krb5_enctype enctype,unsigned char * buf)147 kg_make_confounder(krb5_context context, krb5_enctype enctype,
148 unsigned char *buf)
149 {
150 int confsize;
151 krb5_data lrandom;
152
153 confsize = kg_confounder_size(context, enctype);
154 if (confsize < 0)
155 return KRB5_BAD_MSIZE;
156
157 lrandom.length = confsize;
158 lrandom.data = (char *)buf;
159
160 return(krb5_c_random_make_octets(context, &lrandom));
161 }
162
163 /* Set *data_out to a krb5_data structure containing iv, or to NULL if iv is
164 * NULL. */
165 static krb5_error_code
iv_to_state(krb5_context context,krb5_key key,const uint8_t * iv,krb5_data ** data_out)166 iv_to_state(krb5_context context, krb5_key key, const uint8_t *iv,
167 krb5_data **data_out)
168 {
169 krb5_error_code code;
170 krb5_data *data;
171 size_t blocksize;
172
173 *data_out = NULL;
174 if (iv == NULL)
175 return 0;
176
177 code = krb5_c_block_size(context, key->keyblock.enctype, &blocksize);
178 if (code)
179 return code;
180
181 data = k5alloc(sizeof(*data), &code);
182 if (data == NULL)
183 return code;
184 code = alloc_data(data, blocksize);
185 if (code) {
186 free(data);
187 return code;
188 }
189 memcpy(data->data, iv, blocksize);
190 *data_out = data;
191 return 0;
192 }
193
194 krb5_error_code
kg_encrypt(krb5_context context,krb5_key key,int usage,krb5_pointer iv,krb5_const_pointer in,krb5_pointer out,unsigned int length)195 kg_encrypt(krb5_context context, krb5_key key, int usage, krb5_pointer iv,
196 krb5_const_pointer in, krb5_pointer out, unsigned int length)
197 {
198 krb5_error_code code;
199 krb5_data *state, inputd;
200 krb5_enc_data outputd;
201
202 code = iv_to_state(context, key, iv, &state);
203 if (code)
204 return code;
205
206 inputd.length = length;
207 inputd.data = (char *)in;
208
209 outputd.ciphertext.length = length;
210 outputd.ciphertext.data = out;
211
212 code = krb5_k_encrypt(context, key, usage, state, &inputd, &outputd);
213 krb5_free_data(context, state);
214 return code;
215 }
216
217 krb5_error_code
kg_encrypt_inplace(krb5_context context,krb5_key key,int usage,krb5_pointer iv,krb5_pointer ptr,unsigned int length)218 kg_encrypt_inplace(krb5_context context, krb5_key key, int usage,
219 krb5_pointer iv, krb5_pointer ptr, unsigned int length)
220 {
221 krb5_error_code code;
222 krb5_crypto_iov iov;
223 krb5_data *state;
224
225 code = iv_to_state(context, key, iv, &state);
226 if (code)
227 return code;
228
229 iov.flags = KRB5_CRYPTO_TYPE_DATA;
230 iov.data = make_data((void *)ptr, length);
231 code = krb5_k_encrypt_iov(context, key, usage, state, &iov, 1);
232 krb5_free_data(context, state);
233 return code;
234 }
235
236 /* length is the length of the cleartext. */
237
238 krb5_error_code
kg_decrypt(krb5_context context,krb5_key key,int usage,const uint8_t * iv,const uint8_t * in,uint8_t * out,unsigned int length)239 kg_decrypt(krb5_context context, krb5_key key, int usage, const uint8_t *iv,
240 const uint8_t *in, uint8_t *out, unsigned int length)
241 {
242 krb5_error_code code;
243 krb5_data *state, outputd;
244 krb5_enc_data inputd;
245
246 code = iv_to_state(context, key, iv, &state);
247 if (code)
248 return code;
249
250 inputd.enctype = ENCTYPE_UNKNOWN;
251 inputd.ciphertext.length = length;
252 inputd.ciphertext.data = (char *)in;
253
254 outputd.length = length;
255 outputd.data = (char *)out;
256
257 code = krb5_k_decrypt(context, key, usage, state, &inputd, &outputd);
258 krb5_free_data(context, state);
259 return code;
260 }
261
262 krb5_error_code
kg_arcfour_docrypt(const krb5_keyblock * keyblock,int usage,const unsigned char * kd_data,size_t kd_data_len,const unsigned char * input_buf,size_t input_len,unsigned char * output_buf)263 kg_arcfour_docrypt(const krb5_keyblock *keyblock, int usage,
264 const unsigned char *kd_data, size_t kd_data_len,
265 const unsigned char *input_buf, size_t input_len,
266 unsigned char *output_buf)
267 {
268 krb5_data kd = make_data((char *) kd_data, kd_data_len);
269 krb5_crypto_iov kiov;
270
271 memcpy(output_buf, input_buf, input_len);
272 kiov.flags = KRB5_CRYPTO_TYPE_DATA;
273 kiov.data = make_data(output_buf, input_len);
274 return krb5int_arcfour_gsscrypt(keyblock, usage, &kd, &kiov, 1);
275 }
276
277 /* Return true if cksum contains a valid checksum for header (implicitly of
278 * length 8) and data, in the RFC 1964 token format. */
279 krb5_boolean
kg_verify_checksum_v1(krb5_context context,uint16_t signalg,krb5_key key,krb5_keyusage usage,const uint8_t * header,const uint8_t * data,size_t data_len,const uint8_t * cksum,size_t cksum_len)280 kg_verify_checksum_v1(krb5_context context, uint16_t signalg, krb5_key key,
281 krb5_keyusage usage, const uint8_t *header,
282 const uint8_t *data, size_t data_len,
283 const uint8_t *cksum, size_t cksum_len)
284 {
285 krb5_error_code ret;
286 krb5_cksumtype type;
287 krb5_crypto_iov iov[3];
288 uint8_t ckbuf[20];
289
290 if (signalg == SGN_ALG_HMAC_MD5)
291 type = CKSUMTYPE_HMAC_MD5_ARCFOUR;
292 else if (signalg == SGN_ALG_HMAC_SHA1_DES3_KD)
293 type = CKSUMTYPE_HMAC_SHA1_DES3;
294 else
295 abort();
296
297 iov[0].flags = iov[1].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;
298 iov[0].data = make_data((uint8_t *)header, 8);
299 iov[1].data = make_data((uint8_t *)data, data_len);
300 iov[2].flags = KRB5_CRYPTO_TYPE_CHECKSUM;
301 iov[2].data = make_data(ckbuf, sizeof(ckbuf));
302
303 /* For RC4 the GSS checksum is only the first eight bytes of the HMAC-MD5
304 * result, so we must compute a checksum and compare. */
305 ret = krb5_k_make_checksum_iov(context, type, key, usage, iov, 3);
306 if (ret)
307 return FALSE;
308 assert(iov[2].data.length >= cksum_len);
309 return k5_bcmp(iov[2].data.data, cksum, cksum_len) == 0;
310 }
311
312 /* Return true if cksum contains a valid checksum for data and the provided
313 * header fields, in the RFC 4121 token format. */
314 krb5_boolean
kg_verify_checksum_v3(krb5_context context,krb5_key key,krb5_keyusage usage,krb5_cksumtype cksumtype,uint16_t toktype,uint8_t flags,uint64_t seqnum,const uint8_t * data,size_t data_len,const uint8_t * cksum,size_t cksum_len)315 kg_verify_checksum_v3(krb5_context context, krb5_key key, krb5_keyusage usage,
316 krb5_cksumtype cksumtype,
317 uint16_t toktype, uint8_t flags, uint64_t seqnum,
318 const uint8_t *data, size_t data_len,
319 const uint8_t *cksum, size_t cksum_len)
320 {
321 krb5_crypto_iov iov[3];
322 uint8_t ckhdr[16];
323 krb5_boolean valid;
324
325 /*
326 * Compose an RFC 4121 token header for the checksum. For a wrap token,
327 * the EC and RRC fields have the value 0 for the checksum operation,
328 * regardless of their values in the actual token (RFC 4121 section 4.2.4).
329 * For a MIC token, the corresponding four bytes have the value 0xFF.
330 */
331 store_16_be(toktype, ckhdr);
332 ckhdr[2] = flags;
333 ckhdr[3] = 0xFF;
334 store_32_be((toktype == KG2_TOK_MIC_MSG) ? 0xFFFFFFFF : 0, ckhdr + 4);
335 store_64_be(seqnum, ckhdr + 8);
336
337 /* Verify the checksum over the data and composed header. */
338 iov[0].flags = iov[1].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;
339 iov[0].data = make_data((uint8_t *)data, data_len);
340 iov[1].data = make_data(ckhdr, 16);
341 iov[2].flags = KRB5_CRYPTO_TYPE_CHECKSUM;
342 iov[2].data = make_data((uint8_t *)cksum, cksum_len);
343 return krb5_k_verify_checksum_iov(context, cksumtype, key, usage, iov, 3,
344 &valid) == 0 && valid;
345 }
346
347 /* AEAD */
348 static krb5_error_code
kg_translate_iov_v1(krb5_context context,krb5_enctype enctype,gss_iov_buffer_desc * iov,int iov_count,krb5_crypto_iov ** pkiov,size_t * pkiov_count)349 kg_translate_iov_v1(krb5_context context, krb5_enctype enctype,
350 gss_iov_buffer_desc *iov, int iov_count,
351 krb5_crypto_iov **pkiov, size_t *pkiov_count)
352 {
353 gss_iov_buffer_desc *header;
354 gss_iov_buffer_desc *trailer;
355 int i = 0, j;
356 size_t kiov_count;
357 krb5_crypto_iov *kiov;
358 size_t conf_len;
359
360 *pkiov = NULL;
361 *pkiov_count = 0;
362
363 conf_len = kg_confounder_size(context, enctype);
364
365 header = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
366 assert(header != NULL);
367
368 if (header->buffer.length < conf_len)
369 return KRB5_BAD_MSIZE;
370
371 trailer = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
372 assert(trailer == NULL || trailer->buffer.length == 0);
373
374 kiov_count = 3 + iov_count;
375 kiov = (krb5_crypto_iov *)malloc(kiov_count * sizeof(krb5_crypto_iov));
376 if (kiov == NULL)
377 return ENOMEM;
378
379 /* For pre-CFX (raw enctypes) there is no krb5 header */
380 kiov[i].flags = KRB5_CRYPTO_TYPE_HEADER;
381 kiov[i].data.length = 0;
382 kiov[i].data.data = NULL;
383 i++;
384
385 /* For pre-CFX, the confounder is at the end of the GSS header */
386 kiov[i].flags = KRB5_CRYPTO_TYPE_DATA;
387 kiov[i].data.length = conf_len;
388 kiov[i].data.data = (char *)header->buffer.value + header->buffer.length - conf_len;
389 i++;
390
391 for (j = 0; j < iov_count; j++) {
392 kiov[i].flags = kg_translate_flag_iov(iov[j].type);
393 if (kiov[i].flags == KRB5_CRYPTO_TYPE_EMPTY)
394 continue;
395
396 kiov[i].data.length = iov[j].buffer.length;
397 kiov[i].data.data = (char *)iov[j].buffer.value;
398 i++;
399 }
400
401 kiov[i].flags = KRB5_CRYPTO_TYPE_TRAILER;
402 kiov[i].data.length = 0;
403 kiov[i].data.data = NULL;
404 i++;
405
406 *pkiov = kiov;
407 *pkiov_count = i;
408
409 return 0;
410 }
411
412 /*
413 * DCE_STYLE indicates actual RRC is EC + RRC
414 * EC is extra rotate count for DCE_STYLE, pad length otherwise
415 * RRC is rotate count.
416 */
417 static krb5_error_code
kg_translate_iov_v3(krb5_context context,int dce_style,size_t ec,size_t rrc,krb5_enctype enctype,gss_iov_buffer_desc * iov,int iov_count,krb5_crypto_iov ** pkiov,size_t * pkiov_count)418 kg_translate_iov_v3(krb5_context context, int dce_style, size_t ec, size_t rrc,
419 krb5_enctype enctype, gss_iov_buffer_desc *iov,
420 int iov_count, krb5_crypto_iov **pkiov,
421 size_t *pkiov_count)
422 {
423 gss_iov_buffer_t header;
424 gss_iov_buffer_t trailer;
425 int i = 0, j;
426 size_t kiov_count;
427 krb5_crypto_iov *kiov;
428 unsigned int k5_headerlen = 0, k5_trailerlen = 0;
429 size_t gss_headerlen, gss_trailerlen;
430 krb5_error_code code;
431
432 *pkiov = NULL;
433 *pkiov_count = 0;
434
435 header = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
436 assert(header != NULL);
437
438 trailer = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
439 assert(trailer == NULL || rrc == 0);
440
441 code = krb5_c_crypto_length(context, enctype, KRB5_CRYPTO_TYPE_HEADER,
442 &k5_headerlen);
443 if (code != 0)
444 return code;
445
446 code = krb5_c_crypto_length(context, enctype, KRB5_CRYPTO_TYPE_TRAILER,
447 &k5_trailerlen);
448 if (code != 0)
449 return code;
450
451 /* Check header and trailer sizes */
452 gss_headerlen = 16 /* GSS-Header */ + k5_headerlen; /* Kerb-Header */
453 gss_trailerlen = ec + 16 /* E(GSS-Header) */ + k5_trailerlen; /* Kerb-Trailer */
454
455 /* If we're caller without a trailer, we must rotate by trailer length */
456 if (trailer == NULL) {
457 size_t actual_rrc = rrc;
458
459 if (dce_style)
460 actual_rrc += ec; /* compensate for Windows bug */
461
462 if (actual_rrc != gss_trailerlen)
463 return KRB5_BAD_MSIZE;
464
465 gss_headerlen += gss_trailerlen;
466 gss_trailerlen = 0;
467 } else {
468 if (trailer->buffer.length != gss_trailerlen)
469 return KRB5_BAD_MSIZE;
470 }
471
472 if (header->buffer.length != gss_headerlen)
473 return KRB5_BAD_MSIZE;
474
475 kiov_count = 3 + iov_count;
476 kiov = (krb5_crypto_iov *)malloc(kiov_count * sizeof(krb5_crypto_iov));
477 if (kiov == NULL)
478 return ENOMEM;
479
480 /*
481 * The krb5 header is located at the end of the GSS header.
482 */
483 kiov[i].flags = KRB5_CRYPTO_TYPE_HEADER;
484 kiov[i].data.length = k5_headerlen;
485 kiov[i].data.data = (char *)header->buffer.value + header->buffer.length - k5_headerlen;
486 i++;
487
488 for (j = 0; j < iov_count; j++) {
489 kiov[i].flags = kg_translate_flag_iov(iov[j].type);
490 if (kiov[i].flags == KRB5_CRYPTO_TYPE_EMPTY)
491 continue;
492
493 kiov[i].data.length = iov[j].buffer.length;
494 kiov[i].data.data = (char *)iov[j].buffer.value;
495 i++;
496 }
497
498 /*
499 * The EC and encrypted GSS header are placed in the trailer, which may
500 * be rotated directly after the plaintext header if no trailer buffer
501 * is provided.
502 */
503 kiov[i].flags = KRB5_CRYPTO_TYPE_DATA;
504 kiov[i].data.length = ec + 16; /* E(Header) */
505 if (trailer == NULL)
506 kiov[i].data.data = (char *)header->buffer.value + 16;
507 else
508 kiov[i].data.data = (char *)trailer->buffer.value;
509 i++;
510
511 /*
512 * The krb5 trailer is placed after the encrypted copy of the
513 * krb5 header (which may be in the GSS header or trailer).
514 */
515 kiov[i].flags = KRB5_CRYPTO_TYPE_TRAILER;
516 kiov[i].data.length = k5_trailerlen;
517 kiov[i].data.data = kiov[i - 1].data.data + ec + 16; /* E(Header) */
518 i++;
519
520 *pkiov = kiov;
521 *pkiov_count = i;
522
523 return 0;
524 }
525
526 /* PROTO is 1 if CFX, 0 if pre-CFX */
527 static krb5_error_code
kg_translate_iov(krb5_context context,int proto,int dce_style,size_t ec,size_t rrc,krb5_enctype enctype,gss_iov_buffer_desc * iov,int iov_count,krb5_crypto_iov ** pkiov,size_t * pkiov_count)528 kg_translate_iov(krb5_context context, int proto, int dce_style, size_t ec,
529 size_t rrc, krb5_enctype enctype, gss_iov_buffer_desc *iov,
530 int iov_count, krb5_crypto_iov **pkiov, size_t *pkiov_count)
531 {
532 return proto ?
533 kg_translate_iov_v3(context, dce_style, ec, rrc, enctype,
534 iov, iov_count, pkiov, pkiov_count) :
535 kg_translate_iov_v1(context, enctype, iov, iov_count,
536 pkiov, pkiov_count);
537 }
538
539 krb5_error_code
kg_encrypt_iov(krb5_context context,int proto,int dce_style,size_t ec,size_t rrc,krb5_key key,int usage,krb5_pointer iv,gss_iov_buffer_desc * iov,int iov_count)540 kg_encrypt_iov(krb5_context context, int proto, int dce_style, size_t ec,
541 size_t rrc, krb5_key key, int usage, krb5_pointer iv,
542 gss_iov_buffer_desc *iov, int iov_count)
543 {
544 krb5_error_code code;
545 krb5_data *state;
546 size_t kiov_len;
547 krb5_crypto_iov *kiov;
548
549 code = iv_to_state(context, key, iv, &state);
550 if (code)
551 return code;
552
553 code = kg_translate_iov(context, proto, dce_style, ec, rrc,
554 key->keyblock.enctype, iov, iov_count,
555 &kiov, &kiov_len);
556 if (code == 0) {
557 code = krb5_k_encrypt_iov(context, key, usage, state, kiov, kiov_len);
558 free(kiov);
559 }
560
561 krb5_free_data(context, state);
562 return code;
563 }
564
565 /* length is the length of the cleartext. */
566
567 krb5_error_code
kg_decrypt_iov(krb5_context context,int proto,int dce_style,size_t ec,size_t rrc,krb5_key key,int usage,krb5_pointer iv,gss_iov_buffer_desc * iov,int iov_count)568 kg_decrypt_iov(krb5_context context, int proto, int dce_style, size_t ec,
569 size_t rrc, krb5_key key, int usage, krb5_pointer iv,
570 gss_iov_buffer_desc *iov, int iov_count)
571 {
572 krb5_error_code code;
573 krb5_data *state;
574 size_t kiov_len;
575 krb5_crypto_iov *kiov;
576
577 code = iv_to_state(context, key, iv, &state);
578 if (code)
579 return code;
580
581 code = kg_translate_iov(context, proto, dce_style, ec, rrc,
582 key->keyblock.enctype, iov, iov_count,
583 &kiov, &kiov_len);
584 if (code == 0) {
585 code = krb5_k_decrypt_iov(context, key, usage, state, kiov, kiov_len);
586 free(kiov);
587 }
588
589 krb5_free_data(context, state);
590 return code;
591 }
592
593 krb5_error_code
kg_arcfour_docrypt_iov(krb5_context context,const krb5_keyblock * keyblock,int usage,const unsigned char * kd_data,size_t kd_data_len,gss_iov_buffer_desc * iov,int iov_count)594 kg_arcfour_docrypt_iov(krb5_context context, const krb5_keyblock *keyblock,
595 int usage, const unsigned char *kd_data,
596 size_t kd_data_len, gss_iov_buffer_desc *iov,
597 int iov_count)
598 {
599 krb5_error_code code;
600 krb5_data kd = make_data((char *) kd_data, kd_data_len);
601 krb5_crypto_iov *kiov = NULL;
602 size_t kiov_len = 0;
603
604 code = kg_translate_iov(context, 0 /* proto */, 0 /* dce_style */,
605 0 /* ec */, 0 /* rrc */, keyblock->enctype,
606 iov, iov_count, &kiov, &kiov_len);
607 if (code)
608 return code;
609 code = krb5int_arcfour_gsscrypt(keyblock, usage, &kd, kiov, kiov_len);
610 free(kiov);
611 return code;
612 }
613
614 krb5_cryptotype
kg_translate_flag_iov(OM_uint32 type)615 kg_translate_flag_iov(OM_uint32 type)
616 {
617 krb5_cryptotype ktype;
618
619 switch (GSS_IOV_BUFFER_TYPE(type)) {
620 case GSS_IOV_BUFFER_TYPE_DATA:
621 case GSS_IOV_BUFFER_TYPE_PADDING:
622 ktype = KRB5_CRYPTO_TYPE_DATA;
623 break;
624 case GSS_IOV_BUFFER_TYPE_SIGN_ONLY:
625 ktype = KRB5_CRYPTO_TYPE_SIGN_ONLY;
626 break;
627 default:
628 ktype = KRB5_CRYPTO_TYPE_EMPTY;
629 break;
630 }
631
632 return ktype;
633 }
634
635 gss_iov_buffer_t
kg_locate_iov(gss_iov_buffer_desc * iov,int iov_count,OM_uint32 type)636 kg_locate_iov(gss_iov_buffer_desc *iov, int iov_count, OM_uint32 type)
637 {
638 int i;
639 gss_iov_buffer_t p = GSS_C_NO_IOV_BUFFER;
640
641 if (iov == GSS_C_NO_IOV_BUFFER)
642 return GSS_C_NO_IOV_BUFFER;
643
644 for (i = iov_count - 1; i >= 0; i--) {
645 if (GSS_IOV_BUFFER_TYPE(iov[i].type) == type) {
646 if (p == GSS_C_NO_IOV_BUFFER)
647 p = &iov[i];
648 else
649 return GSS_C_NO_IOV_BUFFER;
650 }
651 }
652
653 return p;
654 }
655
656 /* Return the IOV where the GSSAPI token header should be placed (and possibly
657 * the checksum as well, depending on the token type). */
658 gss_iov_buffer_t
kg_locate_header_iov(gss_iov_buffer_desc * iov,int iov_count,int toktype)659 kg_locate_header_iov(gss_iov_buffer_desc *iov, int iov_count, int toktype)
660 {
661 if (toktype == KG_TOK_MIC_MSG)
662 return kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_MIC_TOKEN);
663 else
664 return kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
665 }
666
667 void
kg_iov_msglen(gss_iov_buffer_desc * iov,int iov_count,size_t * data_length_p,size_t * assoc_data_length_p)668 kg_iov_msglen(gss_iov_buffer_desc *iov, int iov_count, size_t *data_length_p,
669 size_t *assoc_data_length_p)
670 {
671 int i;
672 size_t data_length = 0, assoc_data_length = 0;
673
674 assert(iov != GSS_C_NO_IOV_BUFFER);
675
676 *data_length_p = *assoc_data_length_p = 0;
677
678 for (i = 0; i < iov_count; i++) {
679 OM_uint32 type = GSS_IOV_BUFFER_TYPE(iov[i].type);
680
681 if (type == GSS_IOV_BUFFER_TYPE_SIGN_ONLY)
682 assoc_data_length += iov[i].buffer.length;
683
684 if (type == GSS_IOV_BUFFER_TYPE_DATA ||
685 type == GSS_IOV_BUFFER_TYPE_SIGN_ONLY)
686 data_length += iov[i].buffer.length;
687 }
688
689 *data_length_p = data_length;
690 *assoc_data_length_p = assoc_data_length;
691 }
692
693 void
kg_release_iov(gss_iov_buffer_desc * iov,int iov_count)694 kg_release_iov(gss_iov_buffer_desc *iov, int iov_count)
695 {
696 int i;
697
698 assert(iov != GSS_C_NO_IOV_BUFFER);
699
700 for (i = 0; i < iov_count; i++) {
701 if (iov[i].type & GSS_IOV_BUFFER_FLAG_ALLOCATED) {
702 gssalloc_free(iov[i].buffer.value);
703 iov[i].buffer.length = 0;
704 iov[i].buffer.value = NULL;
705 iov[i].type &= ~(GSS_IOV_BUFFER_FLAG_ALLOCATED);
706 }
707 }
708 }
709
710 OM_uint32
kg_fixup_padding_iov(OM_uint32 * minor_status,gss_iov_buffer_desc * iov,int iov_count)711 kg_fixup_padding_iov(OM_uint32 *minor_status, gss_iov_buffer_desc *iov,
712 int iov_count)
713 {
714 gss_iov_buffer_t padding = NULL;
715 gss_iov_buffer_t data = NULL;
716 size_t padlength, relative_padlength;
717 unsigned char *p;
718
719 data = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_DATA);
720 padding = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING);
721
722 /* Do nothing if padding is absent or empty, to allow unwrapping of WinRM
723 * unpadded RC4 tokens using an explicit IOV array. */
724 if (data == NULL || padding == NULL || padding->buffer.length == 0) {
725 *minor_status = 0;
726 return GSS_S_COMPLETE;
727 }
728
729 p = (unsigned char *)padding->buffer.value;
730 padlength = p[padding->buffer.length - 1];
731
732 if (data->buffer.length + padding->buffer.length < padlength ||
733 padlength == 0) {
734 *minor_status = (OM_uint32)KRB5_BAD_MSIZE;
735 return GSS_S_DEFECTIVE_TOKEN;
736 }
737
738 /*
739 * kg_unseal_stream_iov() will place one byte of padding in the
740 * padding buffer; its true value is unknown until after decryption.
741 *
742 * relative_padlength contains the number of bytes to compensate the
743 * padding and data buffers by; it will be zero if the caller manages
744 * the padding length.
745 *
746 * If the caller manages the padding length, then relative_padlength
747 * will be zero.
748 *
749 * eg. if the buffers are structured as follows:
750 *
751 * +---DATA---+-PAD-+
752 * | ABCDE444 | 4 |
753 * +----------+-----+
754 *
755 * after compensation they would look like:
756 *
757 * +-DATA--+-PAD--+
758 * | ABCDE | NULL |
759 * +-------+------+
760 */
761 relative_padlength = padlength - padding->buffer.length;
762
763 assert(data->buffer.length >= relative_padlength);
764
765 data->buffer.length -= relative_padlength;
766
767 kg_release_iov(padding, 1);
768 padding->buffer.length = 0;
769 padding->buffer.value = NULL;
770
771 return GSS_S_COMPLETE;
772 }
773
774 krb5_boolean
kg_integ_only_iov(gss_iov_buffer_desc * iov,int iov_count)775 kg_integ_only_iov(gss_iov_buffer_desc *iov, int iov_count)
776 {
777 int i;
778 krb5_boolean has_conf_data = FALSE;
779
780 assert(iov != GSS_C_NO_IOV_BUFFER);
781
782 for (i = 0; i < iov_count; i++) {
783 if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_DATA) {
784 has_conf_data = TRUE;
785 break;
786 }
787 }
788
789 return (has_conf_data == FALSE);
790 }
791
792 krb5_error_code
kg_allocate_iov(gss_iov_buffer_t iov,size_t size)793 kg_allocate_iov(gss_iov_buffer_t iov, size_t size)
794 {
795 assert(iov != GSS_C_NO_IOV_BUFFER);
796 assert(iov->type & GSS_IOV_BUFFER_FLAG_ALLOCATE);
797
798 iov->buffer.length = size;
799 iov->buffer.value = gssalloc_malloc(size);
800 if (iov->buffer.value == NULL) {
801 iov->buffer.length = 0;
802 return ENOMEM;
803 }
804
805 iov->type |= GSS_IOV_BUFFER_FLAG_ALLOCATED;
806
807 return 0;
808 }
809