1 /* 2 * Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "gsskrb5_locl.h" 35 36 /* 37 * Implements draft-brezak-win2k-krb-rc4-hmac-04.txt 38 * 39 * The arcfour message have the following formats: 40 * 41 * MIC token 42 * TOK_ID[2] = 01 01 43 * SGN_ALG[2] = 11 00 44 * Filler[4] 45 * SND_SEQ[8] 46 * SGN_CKSUM[8] 47 * 48 * WRAP token 49 * TOK_ID[2] = 02 01 50 * SGN_ALG[2]; 51 * SEAL_ALG[2] 52 * Filler[2] 53 * SND_SEQ[2] 54 * SGN_CKSUM[8] 55 * Confounder[8] 56 */ 57 58 /* 59 * WRAP in DCE-style have a fixed size header, the oid and length over 60 * the WRAP header is a total of 61 * GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE + 62 * GSS_ARCFOUR_WRAP_TOKEN_SIZE byte (ie total of 45 bytes overhead, 63 * remember the 2 bytes from APPL [0] SEQ). 64 */ 65 66 #define GSS_ARCFOUR_WRAP_TOKEN_SIZE 32 67 #define GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE 13 68 69 70 static krb5_error_code 71 arcfour_mic_key(krb5_context context, krb5_keyblock *key, 72 void *cksum_data, size_t cksum_size, 73 void *key6_data, size_t key6_size) 74 { 75 krb5_error_code ret; 76 77 Checksum cksum_k5; 78 krb5_keyblock key5; 79 char k5_data[16]; 80 81 Checksum cksum_k6; 82 83 char T[4]; 84 85 memset(T, 0, 4); 86 cksum_k5.checksum.data = k5_data; 87 cksum_k5.checksum.length = sizeof(k5_data); 88 89 if (key->keytype == ENCTYPE_ARCFOUR_HMAC_MD5_56) { 90 char L40[14] = "fortybits"; 91 92 memcpy(L40 + 10, T, sizeof(T)); 93 ret = krb5_hmac(context, CKSUMTYPE_RSA_MD5, 94 L40, 14, 0, key, &cksum_k5); 95 memset(&k5_data[7], 0xAB, 9); 96 } else { 97 ret = krb5_hmac(context, CKSUMTYPE_RSA_MD5, 98 T, 4, 0, key, &cksum_k5); 99 } 100 if (ret) 101 return ret; 102 103 key5.keytype = ENCTYPE_ARCFOUR_HMAC_MD5; 104 key5.keyvalue = cksum_k5.checksum; 105 106 cksum_k6.checksum.data = key6_data; 107 cksum_k6.checksum.length = key6_size; 108 109 return krb5_hmac(context, CKSUMTYPE_RSA_MD5, 110 cksum_data, cksum_size, 0, &key5, &cksum_k6); 111 } 112 113 114 static krb5_error_code 115 arcfour_mic_cksum(krb5_context context, 116 krb5_keyblock *key, unsigned usage, 117 u_char *sgn_cksum, size_t sgn_cksum_sz, 118 const u_char *v1, size_t l1, 119 const void *v2, size_t l2, 120 const void *v3, size_t l3) 121 { 122 Checksum CKSUM; 123 u_char *ptr; 124 size_t len; 125 krb5_crypto crypto; 126 krb5_error_code ret; 127 128 assert(sgn_cksum_sz == 8); 129 130 len = l1 + l2 + l3; 131 132 ptr = malloc(len); 133 if (ptr == NULL) 134 return ENOMEM; 135 136 memcpy(ptr, v1, l1); 137 memcpy(ptr + l1, v2, l2); 138 memcpy(ptr + l1 + l2, v3, l3); 139 140 ret = krb5_crypto_init(context, key, 0, &crypto); 141 if (ret) { 142 free(ptr); 143 return ret; 144 } 145 146 ret = krb5_create_checksum(context, 147 crypto, 148 usage, 149 0, 150 ptr, len, 151 &CKSUM); 152 free(ptr); 153 if (ret == 0) { 154 memcpy(sgn_cksum, CKSUM.checksum.data, sgn_cksum_sz); 155 free_Checksum(&CKSUM); 156 } 157 krb5_crypto_destroy(context, crypto); 158 159 return ret; 160 } 161 162 163 OM_uint32 164 _gssapi_get_mic_arcfour(OM_uint32 * minor_status, 165 const gsskrb5_ctx context_handle, 166 krb5_context context, 167 gss_qop_t qop_req, 168 const gss_buffer_t message_buffer, 169 gss_buffer_t message_token, 170 krb5_keyblock *key) 171 { 172 krb5_error_code ret; 173 int32_t seq_number; 174 size_t len, total_len; 175 u_char k6_data[16], *p0, *p; 176 EVP_CIPHER_CTX *rc4_key; 177 178 _gsskrb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM); 179 180 message_token->length = total_len; 181 message_token->value = malloc (total_len); 182 if (message_token->value == NULL) { 183 *minor_status = ENOMEM; 184 return GSS_S_FAILURE; 185 } 186 187 p0 = _gssapi_make_mech_header(message_token->value, 188 len, 189 GSS_KRB5_MECHANISM); 190 p = p0; 191 192 *p++ = 0x01; /* TOK_ID */ 193 *p++ = 0x01; 194 *p++ = 0x11; /* SGN_ALG */ 195 *p++ = 0x00; 196 *p++ = 0xff; /* Filler */ 197 *p++ = 0xff; 198 *p++ = 0xff; 199 *p++ = 0xff; 200 201 p = NULL; 202 203 ret = arcfour_mic_cksum(context, 204 key, KRB5_KU_USAGE_SIGN, 205 p0 + 16, 8, /* SGN_CKSUM */ 206 p0, 8, /* TOK_ID, SGN_ALG, Filer */ 207 message_buffer->value, message_buffer->length, 208 NULL, 0); 209 if (ret) { 210 _gsskrb5_release_buffer(minor_status, message_token); 211 *minor_status = ret; 212 return GSS_S_FAILURE; 213 } 214 215 ret = arcfour_mic_key(context, key, 216 p0 + 16, 8, /* SGN_CKSUM */ 217 k6_data, sizeof(k6_data)); 218 if (ret) { 219 _gsskrb5_release_buffer(minor_status, message_token); 220 *minor_status = ret; 221 return GSS_S_FAILURE; 222 } 223 224 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); 225 krb5_auth_con_getlocalseqnumber (context, 226 context_handle->auth_context, 227 &seq_number); 228 p = p0 + 8; /* SND_SEQ */ 229 _gsskrb5_encode_be_om_uint32(seq_number, p); 230 231 krb5_auth_con_setlocalseqnumber (context, 232 context_handle->auth_context, 233 ++seq_number); 234 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); 235 236 memset (p + 4, (context_handle->more_flags & LOCAL) ? 0 : 0xff, 4); 237 238 rc4_key = EVP_CIPHER_CTX_new(); 239 if (rc4_key == NULL) { 240 _gsskrb5_release_buffer(minor_status, message_token); 241 *minor_status = ENOMEM; 242 return GSS_S_FAILURE; 243 } 244 245 EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); 246 EVP_Cipher(rc4_key, p, p, 8); 247 EVP_CIPHER_CTX_free(rc4_key); 248 249 memset(k6_data, 0, sizeof(k6_data)); 250 251 *minor_status = 0; 252 return GSS_S_COMPLETE; 253 } 254 255 256 OM_uint32 257 _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, 258 const gsskrb5_ctx context_handle, 259 krb5_context context, 260 const gss_buffer_t message_buffer, 261 const gss_buffer_t token_buffer, 262 gss_qop_t * qop_state, 263 krb5_keyblock *key, 264 const char *type) 265 { 266 krb5_error_code ret; 267 uint32_t seq_number; 268 OM_uint32 omret; 269 u_char SND_SEQ[8], cksum_data[8], *p; 270 char k6_data[16]; 271 int cmp; 272 273 if (qop_state) 274 *qop_state = 0; 275 276 p = token_buffer->value; 277 omret = _gsskrb5_verify_header (&p, 278 token_buffer->length, 279 type, 280 GSS_KRB5_MECHANISM); 281 if (omret) 282 return omret; 283 284 if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */ 285 return GSS_S_BAD_SIG; 286 p += 2; 287 if (memcmp (p, "\xff\xff\xff\xff", 4) != 0) 288 return GSS_S_BAD_MIC; 289 p += 4; 290 291 ret = arcfour_mic_cksum(context, 292 key, KRB5_KU_USAGE_SIGN, 293 cksum_data, sizeof(cksum_data), 294 p - 8, 8, 295 message_buffer->value, message_buffer->length, 296 NULL, 0); 297 if (ret) { 298 *minor_status = ret; 299 return GSS_S_FAILURE; 300 } 301 302 ret = arcfour_mic_key(context, key, 303 cksum_data, sizeof(cksum_data), 304 k6_data, sizeof(k6_data)); 305 if (ret) { 306 *minor_status = ret; 307 return GSS_S_FAILURE; 308 } 309 310 cmp = ct_memcmp(cksum_data, p + 8, 8); 311 if (cmp) { 312 *minor_status = 0; 313 return GSS_S_BAD_MIC; 314 } 315 316 { 317 EVP_CIPHER_CTX *rc4_key; 318 319 rc4_key = EVP_CIPHER_CTX_new(); 320 if (rc4_key == NULL) { 321 *minor_status = ENOMEM; 322 return GSS_S_FAILURE; 323 } 324 EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, (void *)k6_data, NULL, 0); 325 EVP_Cipher(rc4_key, SND_SEQ, p, 8); 326 EVP_CIPHER_CTX_free(rc4_key); 327 328 memset(k6_data, 0, sizeof(k6_data)); 329 } 330 331 _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number); 332 333 if (context_handle->more_flags & LOCAL) 334 cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4); 335 else 336 cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4); 337 338 memset(SND_SEQ, 0, sizeof(SND_SEQ)); 339 if (cmp != 0) { 340 *minor_status = 0; 341 return GSS_S_BAD_MIC; 342 } 343 344 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); 345 omret = _gssapi_msg_order_check(context_handle->order, seq_number); 346 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); 347 if (omret) 348 return omret; 349 350 *minor_status = 0; 351 return GSS_S_COMPLETE; 352 } 353 354 OM_uint32 355 _gssapi_wrap_arcfour(OM_uint32 * minor_status, 356 const gsskrb5_ctx context_handle, 357 krb5_context context, 358 int conf_req_flag, 359 gss_qop_t qop_req, 360 const gss_buffer_t input_message_buffer, 361 int * conf_state, 362 gss_buffer_t output_message_buffer, 363 krb5_keyblock *key) 364 { 365 u_char Klocaldata[16], k6_data[16], *p, *p0; 366 size_t len, total_len, datalen; 367 krb5_keyblock Klocal; 368 krb5_error_code ret; 369 int32_t seq_number; 370 371 if (conf_state) 372 *conf_state = 0; 373 374 datalen = input_message_buffer->length; 375 376 if (IS_DCE_STYLE(context_handle)) { 377 len = GSS_ARCFOUR_WRAP_TOKEN_SIZE; 378 _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM); 379 total_len += datalen; 380 } else { 381 datalen += 1; /* padding */ 382 len = datalen + GSS_ARCFOUR_WRAP_TOKEN_SIZE; 383 _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM); 384 } 385 386 output_message_buffer->length = total_len; 387 output_message_buffer->value = malloc (total_len); 388 if (output_message_buffer->value == NULL) { 389 *minor_status = ENOMEM; 390 return GSS_S_FAILURE; 391 } 392 393 p0 = _gssapi_make_mech_header(output_message_buffer->value, 394 len, 395 GSS_KRB5_MECHANISM); 396 p = p0; 397 398 *p++ = 0x02; /* TOK_ID */ 399 *p++ = 0x01; 400 *p++ = 0x11; /* SGN_ALG */ 401 *p++ = 0x00; 402 if (conf_req_flag) { 403 *p++ = 0x10; /* SEAL_ALG */ 404 *p++ = 0x00; 405 } else { 406 *p++ = 0xff; /* SEAL_ALG */ 407 *p++ = 0xff; 408 } 409 *p++ = 0xff; /* Filler */ 410 *p++ = 0xff; 411 412 p = NULL; 413 414 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); 415 krb5_auth_con_getlocalseqnumber (context, 416 context_handle->auth_context, 417 &seq_number); 418 419 _gsskrb5_encode_be_om_uint32(seq_number, p0 + 8); 420 421 krb5_auth_con_setlocalseqnumber (context, 422 context_handle->auth_context, 423 ++seq_number); 424 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); 425 426 memset (p0 + 8 + 4, 427 (context_handle->more_flags & LOCAL) ? 0 : 0xff, 428 4); 429 430 krb5_generate_random_block(p0 + 24, 8); /* fill in Confounder */ 431 432 /* p points to data */ 433 p = p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE; 434 memcpy(p, input_message_buffer->value, input_message_buffer->length); 435 436 if (!IS_DCE_STYLE(context_handle)) 437 p[input_message_buffer->length] = 1; /* padding */ 438 439 ret = arcfour_mic_cksum(context, 440 key, KRB5_KU_USAGE_SEAL, 441 p0 + 16, 8, /* SGN_CKSUM */ 442 p0, 8, /* TOK_ID, SGN_ALG, SEAL_ALG, Filler */ 443 p0 + 24, 8, /* Confounder */ 444 p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, 445 datalen); 446 if (ret) { 447 *minor_status = ret; 448 _gsskrb5_release_buffer(minor_status, output_message_buffer); 449 return GSS_S_FAILURE; 450 } 451 452 { 453 int i; 454 455 Klocal.keytype = key->keytype; 456 Klocal.keyvalue.data = Klocaldata; 457 Klocal.keyvalue.length = sizeof(Klocaldata); 458 459 for (i = 0; i < 16; i++) 460 Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0; 461 } 462 ret = arcfour_mic_key(context, &Klocal, 463 p0 + 8, 4, /* SND_SEQ */ 464 k6_data, sizeof(k6_data)); 465 memset(Klocaldata, 0, sizeof(Klocaldata)); 466 if (ret) { 467 _gsskrb5_release_buffer(minor_status, output_message_buffer); 468 *minor_status = ret; 469 return GSS_S_FAILURE; 470 } 471 472 473 if(conf_req_flag) { 474 EVP_CIPHER_CTX *rc4_key; 475 476 rc4_key = EVP_CIPHER_CTX_new(); 477 if (rc4_key == NULL) { 478 _gsskrb5_release_buffer(minor_status, output_message_buffer); 479 *minor_status = ENOMEM; 480 return GSS_S_FAILURE; 481 } 482 EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); 483 EVP_Cipher(rc4_key, p0 + 24, p0 + 24, 8 + datalen); 484 EVP_CIPHER_CTX_free(rc4_key); 485 } 486 memset(k6_data, 0, sizeof(k6_data)); 487 488 ret = arcfour_mic_key(context, key, 489 p0 + 16, 8, /* SGN_CKSUM */ 490 k6_data, sizeof(k6_data)); 491 if (ret) { 492 _gsskrb5_release_buffer(minor_status, output_message_buffer); 493 *minor_status = ret; 494 return GSS_S_FAILURE; 495 } 496 497 { 498 EVP_CIPHER_CTX *rc4_key; 499 500 rc4_key = EVP_CIPHER_CTX_new(); 501 if (rc4_key == NULL) { 502 _gsskrb5_release_buffer(minor_status, output_message_buffer); 503 *minor_status = ENOMEM; 504 return GSS_S_FAILURE; 505 } 506 EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); 507 EVP_Cipher(rc4_key, p0 + 8, p0 + 8 /* SND_SEQ */, 8); 508 EVP_CIPHER_CTX_free(rc4_key); 509 memset(k6_data, 0, sizeof(k6_data)); 510 } 511 512 if (conf_state) 513 *conf_state = conf_req_flag; 514 515 *minor_status = 0; 516 return GSS_S_COMPLETE; 517 } 518 519 OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, 520 const gsskrb5_ctx context_handle, 521 krb5_context context, 522 const gss_buffer_t input_message_buffer, 523 gss_buffer_t output_message_buffer, 524 int *conf_state, 525 gss_qop_t *qop_state, 526 krb5_keyblock *key) 527 { 528 u_char Klocaldata[16]; 529 krb5_keyblock Klocal; 530 krb5_error_code ret; 531 uint32_t seq_number; 532 size_t datalen; 533 OM_uint32 omret; 534 u_char k6_data[16], SND_SEQ[8], Confounder[8]; 535 u_char cksum_data[8]; 536 u_char *p, *p0; 537 int cmp; 538 int conf_flag; 539 size_t padlen = 0, len; 540 541 if (conf_state) 542 *conf_state = 0; 543 if (qop_state) 544 *qop_state = 0; 545 546 p0 = input_message_buffer->value; 547 548 if (IS_DCE_STYLE(context_handle)) { 549 len = GSS_ARCFOUR_WRAP_TOKEN_SIZE + 550 GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE; 551 if (input_message_buffer->length < len) 552 return GSS_S_BAD_MECH; 553 } else { 554 len = input_message_buffer->length; 555 } 556 557 omret = _gssapi_verify_mech_header(&p0, 558 len, 559 GSS_KRB5_MECHANISM); 560 if (omret) 561 return omret; 562 563 /* length of mech header */ 564 len = (p0 - (u_char *)input_message_buffer->value) + 565 GSS_ARCFOUR_WRAP_TOKEN_SIZE; 566 567 if (len > input_message_buffer->length) 568 return GSS_S_BAD_MECH; 569 570 /* length of data */ 571 datalen = input_message_buffer->length - len; 572 573 p = p0; 574 575 if (memcmp(p, "\x02\x01", 2) != 0) 576 return GSS_S_BAD_SIG; 577 p += 2; 578 if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */ 579 return GSS_S_BAD_SIG; 580 p += 2; 581 582 if (memcmp (p, "\x10\x00", 2) == 0) 583 conf_flag = 1; 584 else if (memcmp (p, "\xff\xff", 2) == 0) 585 conf_flag = 0; 586 else 587 return GSS_S_BAD_SIG; 588 589 p += 2; 590 if (memcmp (p, "\xff\xff", 2) != 0) 591 return GSS_S_BAD_MIC; 592 p = NULL; 593 594 ret = arcfour_mic_key(context, key, 595 p0 + 16, 8, /* SGN_CKSUM */ 596 k6_data, sizeof(k6_data)); 597 if (ret) { 598 *minor_status = ret; 599 return GSS_S_FAILURE; 600 } 601 602 { 603 EVP_CIPHER_CTX *rc4_key; 604 605 rc4_key = EVP_CIPHER_CTX_new(); 606 if (rc4_key == NULL) { 607 *minor_status = ENOMEM; 608 return GSS_S_FAILURE; 609 } 610 EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); 611 EVP_Cipher(rc4_key, SND_SEQ, p0 + 8, 8); 612 EVP_CIPHER_CTX_free(rc4_key); 613 memset(k6_data, 0, sizeof(k6_data)); 614 } 615 616 _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number); 617 618 if (context_handle->more_flags & LOCAL) 619 cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4); 620 else 621 cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4); 622 623 if (cmp != 0) { 624 *minor_status = 0; 625 return GSS_S_BAD_MIC; 626 } 627 628 { 629 int i; 630 631 Klocal.keytype = key->keytype; 632 Klocal.keyvalue.data = Klocaldata; 633 Klocal.keyvalue.length = sizeof(Klocaldata); 634 635 for (i = 0; i < 16; i++) 636 Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0; 637 } 638 ret = arcfour_mic_key(context, &Klocal, 639 SND_SEQ, 4, 640 k6_data, sizeof(k6_data)); 641 memset(Klocaldata, 0, sizeof(Klocaldata)); 642 if (ret) { 643 *minor_status = ret; 644 return GSS_S_FAILURE; 645 } 646 647 output_message_buffer->value = malloc(datalen); 648 if (output_message_buffer->value == NULL) { 649 *minor_status = ENOMEM; 650 return GSS_S_FAILURE; 651 } 652 output_message_buffer->length = datalen; 653 654 if(conf_flag) { 655 EVP_CIPHER_CTX *rc4_key; 656 657 rc4_key = EVP_CIPHER_CTX_new(); 658 if (rc4_key == NULL) { 659 _gsskrb5_release_buffer(minor_status, output_message_buffer); 660 *minor_status = ENOMEM; 661 return GSS_S_FAILURE; 662 } 663 EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); 664 EVP_Cipher(rc4_key, Confounder, p0 + 24, 8); 665 EVP_Cipher(rc4_key, output_message_buffer->value, p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, datalen); 666 EVP_CIPHER_CTX_free(rc4_key); 667 } else { 668 memcpy(Confounder, p0 + 24, 8); /* Confounder */ 669 memcpy(output_message_buffer->value, 670 p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, 671 datalen); 672 } 673 memset(k6_data, 0, sizeof(k6_data)); 674 675 if (!IS_DCE_STYLE(context_handle)) { 676 ret = _gssapi_verify_pad(output_message_buffer, datalen, &padlen); 677 if (ret) { 678 _gsskrb5_release_buffer(minor_status, output_message_buffer); 679 *minor_status = 0; 680 return ret; 681 } 682 output_message_buffer->length -= padlen; 683 } 684 685 ret = arcfour_mic_cksum(context, 686 key, KRB5_KU_USAGE_SEAL, 687 cksum_data, sizeof(cksum_data), 688 p0, 8, 689 Confounder, sizeof(Confounder), 690 output_message_buffer->value, 691 output_message_buffer->length + padlen); 692 if (ret) { 693 _gsskrb5_release_buffer(minor_status, output_message_buffer); 694 *minor_status = ret; 695 return GSS_S_FAILURE; 696 } 697 698 cmp = ct_memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */ 699 if (cmp) { 700 _gsskrb5_release_buffer(minor_status, output_message_buffer); 701 *minor_status = 0; 702 return GSS_S_BAD_MIC; 703 } 704 705 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); 706 omret = _gssapi_msg_order_check(context_handle->order, seq_number); 707 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); 708 if (omret) 709 return omret; 710 711 if (conf_state) 712 *conf_state = conf_flag; 713 714 *minor_status = 0; 715 return GSS_S_COMPLETE; 716 } 717 718 static OM_uint32 719 max_wrap_length_arcfour(const gsskrb5_ctx ctx, 720 krb5_crypto crypto, 721 size_t input_length, 722 OM_uint32 *max_input_size) 723 { 724 /* 725 * if GSS_C_DCE_STYLE is in use: 726 * - we only need to encapsulate the WRAP token 727 * However, since this is a fixed since, we just 728 */ 729 if (IS_DCE_STYLE(ctx)) { 730 size_t len, total_len; 731 732 len = GSS_ARCFOUR_WRAP_TOKEN_SIZE; 733 _gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM); 734 735 if (input_length < len) 736 *max_input_size = 0; 737 else 738 *max_input_size = input_length - len; 739 740 } else { 741 size_t extrasize = GSS_ARCFOUR_WRAP_TOKEN_SIZE; 742 size_t blocksize = 8; 743 size_t len, total_len; 744 745 len = 8 + input_length + blocksize + extrasize; 746 747 _gsskrb5_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM); 748 749 total_len -= input_length; /* token length */ 750 if (total_len < input_length) { 751 *max_input_size = (input_length - total_len); 752 (*max_input_size) &= (~(OM_uint32)(blocksize - 1)); 753 } else { 754 *max_input_size = 0; 755 } 756 } 757 758 return GSS_S_COMPLETE; 759 } 760 761 OM_uint32 762 _gssapi_wrap_size_arcfour(OM_uint32 *minor_status, 763 const gsskrb5_ctx ctx, 764 krb5_context context, 765 int conf_req_flag, 766 gss_qop_t qop_req, 767 OM_uint32 req_output_size, 768 OM_uint32 *max_input_size, 769 krb5_keyblock *key) 770 { 771 krb5_error_code ret; 772 krb5_crypto crypto; 773 774 ret = krb5_crypto_init(context, key, 0, &crypto); 775 if (ret != 0) { 776 *minor_status = ret; 777 return GSS_S_FAILURE; 778 } 779 780 ret = max_wrap_length_arcfour(ctx, crypto, 781 req_output_size, max_input_size); 782 if (ret != 0) { 783 *minor_status = ret; 784 krb5_crypto_destroy(context, crypto); 785 return GSS_S_FAILURE; 786 } 787 788 krb5_crypto_destroy(context, crypto); 789 790 return GSS_S_COMPLETE; 791 } 792