xref: /freebsd/crypto/heimdal/lib/gssapi/ntlm/crypto.c (revision 02e9120893770924227138ba49df1edb3896112a)
1 /*
2  * Copyright (c) 2006 Kungliga Tekniska Högskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "ntlm.h"
35 
36 uint32_t
37 _krb5_crc_update (const char *p, size_t len, uint32_t res);
38 void
39 _krb5_crc_init_table(void);
40 
41 /*
42  *
43  */
44 
45 static void
46 encode_le_uint32(uint32_t n, unsigned char *p)
47 {
48   p[0] = (n >> 0)  & 0xFF;
49   p[1] = (n >> 8)  & 0xFF;
50   p[2] = (n >> 16) & 0xFF;
51   p[3] = (n >> 24) & 0xFF;
52 }
53 
54 
55 static void
56 decode_le_uint32(const void *ptr, uint32_t *n)
57 {
58     const unsigned char *p = ptr;
59     *n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
60 }
61 
62 /*
63  *
64  */
65 
66 const char a2i_signmagic[] =
67     "session key to server-to-client signing key magic constant";
68 const char a2i_sealmagic[] =
69     "session key to server-to-client sealing key magic constant";
70 const char i2a_signmagic[] =
71     "session key to client-to-server signing key magic constant";
72 const char i2a_sealmagic[] =
73     "session key to client-to-server sealing key magic constant";
74 
75 
76 void
77 _gss_ntlm_set_key(struct ntlmv2_key *key, int acceptor, int sealsign,
78 		  unsigned char *data, size_t len)
79 {
80     unsigned char out[16];
81     EVP_MD_CTX *ctx;
82     const char *signmagic;
83     const char *sealmagic;
84 
85     if (acceptor) {
86 	signmagic = a2i_signmagic;
87 	sealmagic = a2i_sealmagic;
88     } else {
89 	signmagic = i2a_signmagic;
90 	sealmagic = i2a_sealmagic;
91     }
92 
93     key->seq = 0;
94 
95     ctx = EVP_MD_CTX_create();
96     EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
97     EVP_DigestUpdate(ctx, data, len);
98     EVP_DigestUpdate(ctx, signmagic, strlen(signmagic) + 1);
99     EVP_DigestFinal_ex(ctx, key->signkey, NULL);
100 
101     EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
102     EVP_DigestUpdate(ctx, data, len);
103     EVP_DigestUpdate(ctx, sealmagic, strlen(sealmagic) + 1);
104     EVP_DigestFinal_ex(ctx, out, NULL);
105     EVP_MD_CTX_destroy(ctx);
106 
107     RC4_set_key(&key->sealkey, 16, out);
108     if (sealsign)
109 	key->signsealkey = &key->sealkey;
110 }
111 
112 /*
113  *
114  */
115 
116 static OM_uint32
117 v1_sign_message(gss_buffer_t in,
118 		RC4_KEY *signkey,
119 		uint32_t seq,
120 		unsigned char out[16])
121 {
122     unsigned char sigature[12];
123     uint32_t crc;
124 
125     _krb5_crc_init_table();
126     crc = _krb5_crc_update(in->value, in->length, 0);
127 
128     encode_le_uint32(0, &sigature[0]);
129     encode_le_uint32(crc, &sigature[4]);
130     encode_le_uint32(seq, &sigature[8]);
131 
132     encode_le_uint32(1, out); /* version */
133     RC4(signkey, sizeof(sigature), sigature, out + 4);
134 
135     if (RAND_bytes(out + 4, 4) != 1)
136 	return GSS_S_UNAVAILABLE;
137 
138     return 0;
139 }
140 
141 
142 static OM_uint32
143 v2_sign_message(gss_buffer_t in,
144 		unsigned char signkey[16],
145 		RC4_KEY *sealkey,
146 		uint32_t seq,
147 		unsigned char out[16])
148 {
149     unsigned char hmac[16];
150     unsigned int hmaclen;
151     HMAC_CTX *c;
152 
153     c = HMAC_CTX_new();
154     if (c == NULL)
155 	return GSS_S_FAILURE;
156     HMAC_Init_ex(c, signkey, 16, EVP_md5(), NULL);
157 
158     encode_le_uint32(seq, hmac);
159     HMAC_Update(c, hmac, 4);
160     HMAC_Update(c, in->value, in->length);
161     HMAC_Final(c, hmac, &hmaclen);
162     HMAC_CTX_free(c);
163 
164     encode_le_uint32(1, &out[0]);
165     if (sealkey)
166 	RC4(sealkey, 8, hmac, &out[4]);
167     else
168 	memcpy(&out[4], hmac, 8);
169 
170     memset(&out[12], 0, 4);
171 
172     return GSS_S_COMPLETE;
173 }
174 
175 static OM_uint32
176 v2_verify_message(gss_buffer_t in,
177 		  unsigned char signkey[16],
178 		  RC4_KEY *sealkey,
179 		  uint32_t seq,
180 		  const unsigned char checksum[16])
181 {
182     OM_uint32 ret;
183     unsigned char out[16];
184 
185     ret = v2_sign_message(in, signkey, sealkey, seq, out);
186     if (ret)
187 	return ret;
188 
189     if (memcmp(checksum, out, 16) != 0)
190 	return GSS_S_BAD_MIC;
191 
192     return GSS_S_COMPLETE;
193 }
194 
195 static OM_uint32
196 v2_seal_message(const gss_buffer_t in,
197 		unsigned char signkey[16],
198 		uint32_t seq,
199 		RC4_KEY *sealkey,
200 		gss_buffer_t out)
201 {
202     unsigned char *p;
203     OM_uint32 ret;
204 
205     if (in->length + 16 < in->length)
206 	return EINVAL;
207 
208     p = malloc(in->length + 16);
209     if (p == NULL)
210 	return ENOMEM;
211 
212     RC4(sealkey, in->length, in->value, p);
213 
214     ret = v2_sign_message(in, signkey, sealkey, seq, &p[in->length]);
215     if (ret) {
216 	free(p);
217 	return ret;
218     }
219 
220     out->value = p;
221     out->length = in->length + 16;
222 
223     return 0;
224 }
225 
226 static OM_uint32
227 v2_unseal_message(gss_buffer_t in,
228 		  unsigned char signkey[16],
229 		  uint32_t seq,
230 		  RC4_KEY *sealkey,
231 		  gss_buffer_t out)
232 {
233     OM_uint32 ret;
234 
235     if (in->length < 16)
236 	return GSS_S_BAD_MIC;
237 
238     out->length = in->length - 16;
239     out->value = malloc(out->length);
240     if (out->value == NULL)
241 	return GSS_S_BAD_MIC;
242 
243     RC4(sealkey, out->length, in->value, out->value);
244 
245     ret = v2_verify_message(out, signkey, sealkey, seq,
246 			    ((const unsigned char *)in->value) + out->length);
247     if (ret) {
248 	OM_uint32 junk;
249 	gss_release_buffer(&junk, out);
250     }
251     return ret;
252 }
253 
254 /*
255  *
256  */
257 
258 #define CTX_FLAGS_ISSET(_ctx,_flags) \
259     (((_ctx)->flags & (_flags)) == (_flags))
260 
261 /*
262  *
263  */
264 
265 OM_uint32 GSSAPI_CALLCONV
266 _gss_ntlm_get_mic
267            (OM_uint32 * minor_status,
268             const gss_ctx_id_t context_handle,
269             gss_qop_t qop_req,
270             const gss_buffer_t message_buffer,
271             gss_buffer_t message_token
272            )
273 {
274     ntlm_ctx ctx = (ntlm_ctx)context_handle;
275     OM_uint32 junk;
276 
277     *minor_status = 0;
278 
279     message_token->value = malloc(16);
280     message_token->length = 16;
281     if (message_token->value == NULL) {
282 	*minor_status = ENOMEM;
283 	return GSS_S_FAILURE;
284     }
285 
286     if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SIGN|NTLM_NEG_NTLM2_SESSION)) {
287 	OM_uint32 ret;
288 
289 	if ((ctx->status & STATUS_SESSIONKEY) == 0) {
290 	    gss_release_buffer(&junk, message_token);
291 	    return GSS_S_UNAVAILABLE;
292 	}
293 
294 	ret = v2_sign_message(message_buffer,
295 			      ctx->u.v2.send.signkey,
296 			      ctx->u.v2.send.signsealkey,
297 			      ctx->u.v2.send.seq++,
298 			      message_token->value);
299 	if (ret)
300 	    gss_release_buffer(&junk, message_token);
301         return ret;
302 
303     } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SIGN)) {
304 	OM_uint32 ret;
305 
306 	if ((ctx->status & STATUS_SESSIONKEY) == 0) {
307 	    gss_release_buffer(&junk, message_token);
308 	    return GSS_S_UNAVAILABLE;
309 	}
310 
311 	ret = v1_sign_message(message_buffer,
312 			      &ctx->u.v1.crypto_send.key,
313 			      ctx->u.v1.crypto_send.seq++,
314 			      message_token->value);
315 	if (ret)
316 	    gss_release_buffer(&junk, message_token);
317         return ret;
318 
319     } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_ALWAYS_SIGN)) {
320 	unsigned char *sigature;
321 
322 	sigature = message_token->value;
323 
324 	encode_le_uint32(1, &sigature[0]); /* version */
325 	encode_le_uint32(0, &sigature[4]);
326 	encode_le_uint32(0, &sigature[8]);
327 	encode_le_uint32(0, &sigature[12]);
328 
329         return GSS_S_COMPLETE;
330     }
331     gss_release_buffer(&junk, message_token);
332 
333     return GSS_S_UNAVAILABLE;
334 }
335 
336 /*
337  *
338  */
339 
340 OM_uint32 GSSAPI_CALLCONV
341 _gss_ntlm_verify_mic
342            (OM_uint32 * minor_status,
343             const gss_ctx_id_t context_handle,
344             const gss_buffer_t message_buffer,
345             const gss_buffer_t token_buffer,
346             gss_qop_t * qop_state
347 	    )
348 {
349     ntlm_ctx ctx = (ntlm_ctx)context_handle;
350 
351     if (qop_state != NULL)
352 	*qop_state = GSS_C_QOP_DEFAULT;
353     *minor_status = 0;
354 
355     if (token_buffer->length != 16)
356 	return GSS_S_BAD_MIC;
357 
358     if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SIGN|NTLM_NEG_NTLM2_SESSION)) {
359 	OM_uint32 ret;
360 
361 	if ((ctx->status & STATUS_SESSIONKEY) == 0)
362 	    return GSS_S_UNAVAILABLE;
363 
364 	ret = v2_verify_message(message_buffer,
365 				ctx->u.v2.recv.signkey,
366 				ctx->u.v2.recv.signsealkey,
367 				ctx->u.v2.recv.seq++,
368 				token_buffer->value);
369 	if (ret)
370 	    return ret;
371 
372 	return GSS_S_COMPLETE;
373     } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SIGN)) {
374 
375 	unsigned char sigature[12];
376 	uint32_t crc, num;
377 
378 	if ((ctx->status & STATUS_SESSIONKEY) == 0)
379 	    return GSS_S_UNAVAILABLE;
380 
381 	decode_le_uint32(token_buffer->value, &num);
382 	if (num != 1)
383 	    return GSS_S_BAD_MIC;
384 
385 	RC4(&ctx->u.v1.crypto_recv.key, sizeof(sigature),
386 	    ((unsigned char *)token_buffer->value) + 4, sigature);
387 
388 	_krb5_crc_init_table();
389 	crc = _krb5_crc_update(message_buffer->value,
390 			       message_buffer->length, 0);
391 	/* skip first 4 bytes in the encrypted checksum */
392 	decode_le_uint32(&sigature[4], &num);
393 	if (num != crc)
394 	    return GSS_S_BAD_MIC;
395 	decode_le_uint32(&sigature[8], &num);
396 	if (ctx->u.v1.crypto_recv.seq != num)
397 	    return GSS_S_BAD_MIC;
398 	ctx->u.v1.crypto_recv.seq++;
399 
400         return GSS_S_COMPLETE;
401     } else if (ctx->flags & NTLM_NEG_ALWAYS_SIGN) {
402 	uint32_t num;
403 	unsigned char *p;
404 
405 	p = (unsigned char*)(token_buffer->value);
406 
407 	decode_le_uint32(&p[0], &num); /* version */
408 	if (num != 1) return GSS_S_BAD_MIC;
409 	decode_le_uint32(&p[4], &num);
410 	if (num != 0) return GSS_S_BAD_MIC;
411 	decode_le_uint32(&p[8], &num);
412 	if (num != 0) return GSS_S_BAD_MIC;
413 	decode_le_uint32(&p[12], &num);
414 	if (num != 0) return GSS_S_BAD_MIC;
415 
416         return GSS_S_COMPLETE;
417     }
418 
419     return GSS_S_UNAVAILABLE;
420 }
421 
422 /*
423  *
424  */
425 
426 OM_uint32 GSSAPI_CALLCONV
427 _gss_ntlm_wrap_size_limit (
428             OM_uint32 * minor_status,
429             const gss_ctx_id_t context_handle,
430             int conf_req_flag,
431             gss_qop_t qop_req,
432             OM_uint32 req_output_size,
433             OM_uint32 * max_input_size
434            )
435 {
436     ntlm_ctx ctx = (ntlm_ctx)context_handle;
437 
438     *minor_status = 0;
439 
440     if(ctx->flags & NTLM_NEG_SEAL) {
441 
442 	if (req_output_size < 16)
443 	    *max_input_size = 0;
444 	else
445 	    *max_input_size = req_output_size - 16;
446 
447 	return GSS_S_COMPLETE;
448     }
449 
450     return GSS_S_UNAVAILABLE;
451 }
452 
453 /*
454  *
455  */
456 
457 OM_uint32 GSSAPI_CALLCONV
458 _gss_ntlm_wrap
459 (OM_uint32 * minor_status,
460  const gss_ctx_id_t context_handle,
461  int conf_req_flag,
462  gss_qop_t qop_req,
463  const gss_buffer_t input_message_buffer,
464  int * conf_state,
465  gss_buffer_t output_message_buffer
466     )
467 {
468     ntlm_ctx ctx = (ntlm_ctx)context_handle;
469     OM_uint32 ret;
470 
471     *minor_status = 0;
472     if (conf_state)
473 	*conf_state = 0;
474     if (output_message_buffer == GSS_C_NO_BUFFER)
475 	return GSS_S_FAILURE;
476 
477 
478     if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL|NTLM_NEG_NTLM2_SESSION)) {
479 
480 	return v2_seal_message(input_message_buffer,
481 			       ctx->u.v2.send.signkey,
482 			       ctx->u.v2.send.seq++,
483 			       &ctx->u.v2.send.sealkey,
484 			       output_message_buffer);
485 
486     } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL)) {
487 	gss_buffer_desc trailer;
488 	OM_uint32 junk;
489 
490 	output_message_buffer->length = input_message_buffer->length + 16;
491 	output_message_buffer->value = malloc(output_message_buffer->length);
492 	if (output_message_buffer->value == NULL) {
493 	    output_message_buffer->length = 0;
494 	    return GSS_S_FAILURE;
495 	}
496 
497 
498 	RC4(&ctx->u.v1.crypto_send.key, input_message_buffer->length,
499 	    input_message_buffer->value, output_message_buffer->value);
500 
501 	ret = _gss_ntlm_get_mic(minor_status, context_handle,
502 				0, input_message_buffer,
503 				&trailer);
504 	if (ret) {
505 	    gss_release_buffer(&junk, output_message_buffer);
506 	    return ret;
507 	}
508 	if (trailer.length != 16) {
509 	    gss_release_buffer(&junk, output_message_buffer);
510 	    gss_release_buffer(&junk, &trailer);
511 	    return GSS_S_FAILURE;
512 	}
513 	memcpy(((unsigned char *)output_message_buffer->value) +
514 	       input_message_buffer->length,
515 	       trailer.value, trailer.length);
516 	gss_release_buffer(&junk, &trailer);
517 
518 	return GSS_S_COMPLETE;
519     }
520 
521     return GSS_S_UNAVAILABLE;
522 }
523 
524 /*
525  *
526  */
527 
528 OM_uint32 GSSAPI_CALLCONV
529 _gss_ntlm_unwrap
530            (OM_uint32 * minor_status,
531             const gss_ctx_id_t context_handle,
532             const gss_buffer_t input_message_buffer,
533             gss_buffer_t output_message_buffer,
534             int * conf_state,
535             gss_qop_t * qop_state
536            )
537 {
538     ntlm_ctx ctx = (ntlm_ctx)context_handle;
539     OM_uint32 ret;
540 
541     *minor_status = 0;
542     output_message_buffer->value = NULL;
543     output_message_buffer->length = 0;
544 
545     if (conf_state)
546 	*conf_state = 0;
547     if (qop_state)
548 	*qop_state = 0;
549 
550     if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL|NTLM_NEG_NTLM2_SESSION)) {
551 
552 	return v2_unseal_message(input_message_buffer,
553 				 ctx->u.v2.recv.signkey,
554 				 ctx->u.v2.recv.seq++,
555 				 &ctx->u.v2.recv.sealkey,
556 				 output_message_buffer);
557 
558     } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL)) {
559 
560 	gss_buffer_desc trailer;
561 	OM_uint32 junk;
562 
563 	if (input_message_buffer->length < 16)
564 	    return GSS_S_BAD_MIC;
565 
566 	output_message_buffer->length = input_message_buffer->length - 16;
567 	output_message_buffer->value = malloc(output_message_buffer->length);
568 	if (output_message_buffer->value == NULL) {
569 	    output_message_buffer->length = 0;
570 	    return GSS_S_FAILURE;
571 	}
572 
573 	RC4(&ctx->u.v1.crypto_recv.key, output_message_buffer->length,
574 	    input_message_buffer->value, output_message_buffer->value);
575 
576 	trailer.value = ((unsigned char *)input_message_buffer->value) +
577 	    output_message_buffer->length;
578 	trailer.length = 16;
579 
580 	ret = _gss_ntlm_verify_mic(minor_status, context_handle,
581 				   output_message_buffer,
582 				   &trailer, NULL);
583 	if (ret) {
584 	    gss_release_buffer(&junk, output_message_buffer);
585 	    return ret;
586 	}
587 
588 	return GSS_S_COMPLETE;
589     }
590 
591     return GSS_S_UNAVAILABLE;
592 }
593