1 /* $NetBSD: crypto.c,v 1.1.1.2 2014/04/24 12:45:29 pettai Exp $ */
2
3 /*
4 * Copyright (c) 2006 Kungliga Tekniska Högskolan
5 * (Royal Institute of Technology, Stockholm, Sweden).
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "ntlm.h"
37
38 uint32_t
39 _krb5_crc_update (const char *p, size_t len, uint32_t res);
40 void
41 _krb5_crc_init_table(void);
42
43 /*
44 *
45 */
46
47 static void
encode_le_uint32(uint32_t n,unsigned char * p)48 encode_le_uint32(uint32_t n, unsigned char *p)
49 {
50 p[0] = (n >> 0) & 0xFF;
51 p[1] = (n >> 8) & 0xFF;
52 p[2] = (n >> 16) & 0xFF;
53 p[3] = (n >> 24) & 0xFF;
54 }
55
56
57 static void
decode_le_uint32(const void * ptr,uint32_t * n)58 decode_le_uint32(const void *ptr, uint32_t *n)
59 {
60 const unsigned char *p = ptr;
61 *n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
62 }
63
64 /*
65 *
66 */
67
68 const char a2i_signmagic[] =
69 "session key to server-to-client signing key magic constant";
70 const char a2i_sealmagic[] =
71 "session key to server-to-client sealing key magic constant";
72 const char i2a_signmagic[] =
73 "session key to client-to-server signing key magic constant";
74 const char i2a_sealmagic[] =
75 "session key to client-to-server sealing key magic constant";
76
77
78 void
_gss_ntlm_set_key(struct ntlmv2_key * key,int acceptor,int sealsign,unsigned char * data,size_t len)79 _gss_ntlm_set_key(struct ntlmv2_key *key, int acceptor, int sealsign,
80 unsigned char *data, size_t len)
81 {
82 unsigned char out[16];
83 EVP_MD_CTX *ctx;
84 const char *signmagic;
85 const char *sealmagic;
86
87 if (acceptor) {
88 signmagic = a2i_signmagic;
89 sealmagic = a2i_sealmagic;
90 } else {
91 signmagic = i2a_signmagic;
92 sealmagic = i2a_sealmagic;
93 }
94
95 key->seq = 0;
96
97 ctx = EVP_MD_CTX_create();
98 EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
99 EVP_DigestUpdate(ctx, data, len);
100 EVP_DigestUpdate(ctx, signmagic, strlen(signmagic) + 1);
101 EVP_DigestFinal_ex(ctx, key->signkey, NULL);
102
103 EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
104 EVP_DigestUpdate(ctx, data, len);
105 EVP_DigestUpdate(ctx, sealmagic, strlen(sealmagic) + 1);
106 EVP_DigestFinal_ex(ctx, out, NULL);
107 EVP_MD_CTX_destroy(ctx);
108
109 RC4_set_key(&key->sealkey, 16, out);
110 if (sealsign)
111 key->signsealkey = &key->sealkey;
112 }
113
114 /*
115 *
116 */
117
118 static OM_uint32
v1_sign_message(gss_buffer_t in,RC4_KEY * signkey,uint32_t seq,unsigned char out[16])119 v1_sign_message(gss_buffer_t in,
120 RC4_KEY *signkey,
121 uint32_t seq,
122 unsigned char out[16])
123 {
124 unsigned char sigature[12];
125 uint32_t crc;
126
127 _krb5_crc_init_table();
128 crc = _krb5_crc_update(in->value, in->length, 0);
129
130 encode_le_uint32(0, &sigature[0]);
131 encode_le_uint32(crc, &sigature[4]);
132 encode_le_uint32(seq, &sigature[8]);
133
134 encode_le_uint32(1, out); /* version */
135 RC4(signkey, sizeof(sigature), sigature, out + 4);
136
137 if (RAND_bytes(out + 4, 4) != 1)
138 return GSS_S_UNAVAILABLE;
139
140 return 0;
141 }
142
143
144 static OM_uint32
v2_sign_message(gss_buffer_t in,unsigned char signkey[16],RC4_KEY * sealkey,uint32_t seq,unsigned char out[16])145 v2_sign_message(gss_buffer_t in,
146 unsigned char signkey[16],
147 RC4_KEY *sealkey,
148 uint32_t seq,
149 unsigned char out[16])
150 {
151 unsigned char hmac[16];
152 unsigned int hmaclen;
153 HMAC_CTX c;
154
155 HMAC_CTX_init(&c);
156 HMAC_Init_ex(&c, signkey, 16, EVP_md5(), NULL);
157
158 encode_le_uint32(seq, hmac);
159 HMAC_Update(&c, hmac, 4);
160 HMAC_Update(&c, in->value, in->length);
161 HMAC_Final(&c, hmac, &hmaclen);
162 HMAC_CTX_cleanup(&c);
163
164 encode_le_uint32(1, &out[0]);
165 if (sealkey)
166 RC4(sealkey, 8, hmac, &out[4]);
167 else
168 memcpy(&out[4], hmac, 8);
169
170 memset(&out[12], 0, 4);
171
172 return GSS_S_COMPLETE;
173 }
174
175 static OM_uint32
v2_verify_message(gss_buffer_t in,unsigned char signkey[16],RC4_KEY * sealkey,uint32_t seq,const unsigned char checksum[16])176 v2_verify_message(gss_buffer_t in,
177 unsigned char signkey[16],
178 RC4_KEY *sealkey,
179 uint32_t seq,
180 const unsigned char checksum[16])
181 {
182 OM_uint32 ret;
183 unsigned char out[16];
184
185 ret = v2_sign_message(in, signkey, sealkey, seq, out);
186 if (ret)
187 return ret;
188
189 if (memcmp(checksum, out, 16) != 0)
190 return GSS_S_BAD_MIC;
191
192 return GSS_S_COMPLETE;
193 }
194
195 static OM_uint32
v2_seal_message(const gss_buffer_t in,unsigned char signkey[16],uint32_t seq,RC4_KEY * sealkey,gss_buffer_t out)196 v2_seal_message(const gss_buffer_t in,
197 unsigned char signkey[16],
198 uint32_t seq,
199 RC4_KEY *sealkey,
200 gss_buffer_t out)
201 {
202 unsigned char *p;
203 OM_uint32 ret;
204
205 if (in->length + 16 < in->length)
206 return EINVAL;
207
208 p = malloc(in->length + 16);
209 if (p == NULL)
210 return ENOMEM;
211
212 RC4(sealkey, in->length, in->value, p);
213
214 ret = v2_sign_message(in, signkey, sealkey, seq, &p[in->length]);
215 if (ret) {
216 free(p);
217 return ret;
218 }
219
220 out->value = p;
221 out->length = in->length + 16;
222
223 return 0;
224 }
225
226 static OM_uint32
v2_unseal_message(gss_buffer_t in,unsigned char signkey[16],uint32_t seq,RC4_KEY * sealkey,gss_buffer_t out)227 v2_unseal_message(gss_buffer_t in,
228 unsigned char signkey[16],
229 uint32_t seq,
230 RC4_KEY *sealkey,
231 gss_buffer_t out)
232 {
233 OM_uint32 ret;
234
235 if (in->length < 16)
236 return GSS_S_BAD_MIC;
237
238 out->length = in->length - 16;
239 out->value = malloc(out->length);
240 if (out->value == NULL)
241 return GSS_S_BAD_MIC;
242
243 RC4(sealkey, out->length, in->value, out->value);
244
245 ret = v2_verify_message(out, signkey, sealkey, seq,
246 ((const unsigned char *)in->value) + out->length);
247 if (ret) {
248 OM_uint32 junk;
249 gss_release_buffer(&junk, out);
250 }
251 return ret;
252 }
253
254 /*
255 *
256 */
257
258 #define CTX_FLAGS_ISSET(_ctx,_flags) \
259 (((_ctx)->flags & (_flags)) == (_flags))
260
261 /*
262 *
263 */
264
265 OM_uint32 GSSAPI_CALLCONV
_gss_ntlm_get_mic(OM_uint32 * minor_status,const gss_ctx_id_t context_handle,gss_qop_t qop_req,const gss_buffer_t message_buffer,gss_buffer_t message_token)266 _gss_ntlm_get_mic
267 (OM_uint32 * minor_status,
268 const gss_ctx_id_t context_handle,
269 gss_qop_t qop_req,
270 const gss_buffer_t message_buffer,
271 gss_buffer_t message_token
272 )
273 {
274 ntlm_ctx ctx = (ntlm_ctx)context_handle;
275 OM_uint32 junk;
276
277 *minor_status = 0;
278
279 message_token->value = malloc(16);
280 message_token->length = 16;
281 if (message_token->value == NULL) {
282 *minor_status = ENOMEM;
283 return GSS_S_FAILURE;
284 }
285
286 if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SIGN|NTLM_NEG_NTLM2_SESSION)) {
287 OM_uint32 ret;
288
289 if ((ctx->status & STATUS_SESSIONKEY) == 0) {
290 gss_release_buffer(&junk, message_token);
291 return GSS_S_UNAVAILABLE;
292 }
293
294 ret = v2_sign_message(message_buffer,
295 ctx->u.v2.send.signkey,
296 ctx->u.v2.send.signsealkey,
297 ctx->u.v2.send.seq++,
298 message_token->value);
299 if (ret)
300 gss_release_buffer(&junk, message_token);
301 return ret;
302
303 } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SIGN)) {
304 OM_uint32 ret;
305
306 if ((ctx->status & STATUS_SESSIONKEY) == 0) {
307 gss_release_buffer(&junk, message_token);
308 return GSS_S_UNAVAILABLE;
309 }
310
311 ret = v1_sign_message(message_buffer,
312 &ctx->u.v1.crypto_send.key,
313 ctx->u.v1.crypto_send.seq++,
314 message_token->value);
315 if (ret)
316 gss_release_buffer(&junk, message_token);
317 return ret;
318
319 } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_ALWAYS_SIGN)) {
320 unsigned char *sigature;
321
322 sigature = message_token->value;
323
324 encode_le_uint32(1, &sigature[0]); /* version */
325 encode_le_uint32(0, &sigature[4]);
326 encode_le_uint32(0, &sigature[8]);
327 encode_le_uint32(0, &sigature[12]);
328
329 return GSS_S_COMPLETE;
330 }
331 gss_release_buffer(&junk, message_token);
332
333 return GSS_S_UNAVAILABLE;
334 }
335
336 /*
337 *
338 */
339
340 OM_uint32 GSSAPI_CALLCONV
_gss_ntlm_verify_mic(OM_uint32 * minor_status,const gss_ctx_id_t context_handle,const gss_buffer_t message_buffer,const gss_buffer_t token_buffer,gss_qop_t * qop_state)341 _gss_ntlm_verify_mic
342 (OM_uint32 * minor_status,
343 const gss_ctx_id_t context_handle,
344 const gss_buffer_t message_buffer,
345 const gss_buffer_t token_buffer,
346 gss_qop_t * qop_state
347 )
348 {
349 ntlm_ctx ctx = (ntlm_ctx)context_handle;
350
351 if (qop_state != NULL)
352 *qop_state = GSS_C_QOP_DEFAULT;
353 *minor_status = 0;
354
355 if (token_buffer->length != 16)
356 return GSS_S_BAD_MIC;
357
358 if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SIGN|NTLM_NEG_NTLM2_SESSION)) {
359 OM_uint32 ret;
360
361 if ((ctx->status & STATUS_SESSIONKEY) == 0)
362 return GSS_S_UNAVAILABLE;
363
364 ret = v2_verify_message(message_buffer,
365 ctx->u.v2.recv.signkey,
366 ctx->u.v2.recv.signsealkey,
367 ctx->u.v2.recv.seq++,
368 token_buffer->value);
369 if (ret)
370 return ret;
371
372 return GSS_S_COMPLETE;
373 } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SIGN)) {
374
375 unsigned char sigature[12];
376 uint32_t crc, num;
377
378 if ((ctx->status & STATUS_SESSIONKEY) == 0)
379 return GSS_S_UNAVAILABLE;
380
381 decode_le_uint32(token_buffer->value, &num);
382 if (num != 1)
383 return GSS_S_BAD_MIC;
384
385 RC4(&ctx->u.v1.crypto_recv.key, sizeof(sigature),
386 ((unsigned char *)token_buffer->value) + 4, sigature);
387
388 _krb5_crc_init_table();
389 crc = _krb5_crc_update(message_buffer->value,
390 message_buffer->length, 0);
391 /* skip first 4 bytes in the encrypted checksum */
392 decode_le_uint32(&sigature[4], &num);
393 if (num != crc)
394 return GSS_S_BAD_MIC;
395 decode_le_uint32(&sigature[8], &num);
396 if (ctx->u.v1.crypto_recv.seq != num)
397 return GSS_S_BAD_MIC;
398 ctx->u.v1.crypto_recv.seq++;
399
400 return GSS_S_COMPLETE;
401 } else if (ctx->flags & NTLM_NEG_ALWAYS_SIGN) {
402 uint32_t num;
403 unsigned char *p;
404
405 p = (unsigned char*)(token_buffer->value);
406
407 decode_le_uint32(&p[0], &num); /* version */
408 if (num != 1) return GSS_S_BAD_MIC;
409 decode_le_uint32(&p[4], &num);
410 if (num != 0) return GSS_S_BAD_MIC;
411 decode_le_uint32(&p[8], &num);
412 if (num != 0) return GSS_S_BAD_MIC;
413 decode_le_uint32(&p[12], &num);
414 if (num != 0) return GSS_S_BAD_MIC;
415
416 return GSS_S_COMPLETE;
417 }
418
419 return GSS_S_UNAVAILABLE;
420 }
421
422 /*
423 *
424 */
425
426 OM_uint32 GSSAPI_CALLCONV
_gss_ntlm_wrap_size_limit(OM_uint32 * minor_status,const gss_ctx_id_t context_handle,int conf_req_flag,gss_qop_t qop_req,OM_uint32 req_output_size,OM_uint32 * max_input_size)427 _gss_ntlm_wrap_size_limit (
428 OM_uint32 * minor_status,
429 const gss_ctx_id_t context_handle,
430 int conf_req_flag,
431 gss_qop_t qop_req,
432 OM_uint32 req_output_size,
433 OM_uint32 * max_input_size
434 )
435 {
436 ntlm_ctx ctx = (ntlm_ctx)context_handle;
437
438 *minor_status = 0;
439
440 if(ctx->flags & NTLM_NEG_SEAL) {
441
442 if (req_output_size < 16)
443 *max_input_size = 0;
444 else
445 *max_input_size = req_output_size - 16;
446
447 return GSS_S_COMPLETE;
448 }
449
450 return GSS_S_UNAVAILABLE;
451 }
452
453 /*
454 *
455 */
456
457 OM_uint32 GSSAPI_CALLCONV
_gss_ntlm_wrap(OM_uint32 * minor_status,const gss_ctx_id_t context_handle,int conf_req_flag,gss_qop_t qop_req,const gss_buffer_t input_message_buffer,int * conf_state,gss_buffer_t output_message_buffer)458 _gss_ntlm_wrap
459 (OM_uint32 * minor_status,
460 const gss_ctx_id_t context_handle,
461 int conf_req_flag,
462 gss_qop_t qop_req,
463 const gss_buffer_t input_message_buffer,
464 int * conf_state,
465 gss_buffer_t output_message_buffer
466 )
467 {
468 ntlm_ctx ctx = (ntlm_ctx)context_handle;
469 OM_uint32 ret;
470
471 *minor_status = 0;
472 if (conf_state)
473 *conf_state = 0;
474 if (output_message_buffer == GSS_C_NO_BUFFER)
475 return GSS_S_FAILURE;
476
477
478 if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL|NTLM_NEG_NTLM2_SESSION)) {
479
480 return v2_seal_message(input_message_buffer,
481 ctx->u.v2.send.signkey,
482 ctx->u.v2.send.seq++,
483 &ctx->u.v2.send.sealkey,
484 output_message_buffer);
485
486 } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL)) {
487 gss_buffer_desc trailer;
488 OM_uint32 junk;
489
490 output_message_buffer->length = input_message_buffer->length + 16;
491 output_message_buffer->value = malloc(output_message_buffer->length);
492 if (output_message_buffer->value == NULL) {
493 output_message_buffer->length = 0;
494 return GSS_S_FAILURE;
495 }
496
497
498 RC4(&ctx->u.v1.crypto_send.key, input_message_buffer->length,
499 input_message_buffer->value, output_message_buffer->value);
500
501 ret = _gss_ntlm_get_mic(minor_status, context_handle,
502 0, input_message_buffer,
503 &trailer);
504 if (ret) {
505 gss_release_buffer(&junk, output_message_buffer);
506 return ret;
507 }
508 if (trailer.length != 16) {
509 gss_release_buffer(&junk, output_message_buffer);
510 gss_release_buffer(&junk, &trailer);
511 return GSS_S_FAILURE;
512 }
513 memcpy(((unsigned char *)output_message_buffer->value) +
514 input_message_buffer->length,
515 trailer.value, trailer.length);
516 gss_release_buffer(&junk, &trailer);
517
518 return GSS_S_COMPLETE;
519 }
520
521 return GSS_S_UNAVAILABLE;
522 }
523
524 /*
525 *
526 */
527
528 OM_uint32 GSSAPI_CALLCONV
_gss_ntlm_unwrap(OM_uint32 * minor_status,const gss_ctx_id_t context_handle,const gss_buffer_t input_message_buffer,gss_buffer_t output_message_buffer,int * conf_state,gss_qop_t * qop_state)529 _gss_ntlm_unwrap
530 (OM_uint32 * minor_status,
531 const gss_ctx_id_t context_handle,
532 const gss_buffer_t input_message_buffer,
533 gss_buffer_t output_message_buffer,
534 int * conf_state,
535 gss_qop_t * qop_state
536 )
537 {
538 ntlm_ctx ctx = (ntlm_ctx)context_handle;
539 OM_uint32 ret;
540
541 *minor_status = 0;
542 output_message_buffer->value = NULL;
543 output_message_buffer->length = 0;
544
545 if (conf_state)
546 *conf_state = 0;
547 if (qop_state)
548 *qop_state = 0;
549
550 if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL|NTLM_NEG_NTLM2_SESSION)) {
551
552 return v2_unseal_message(input_message_buffer,
553 ctx->u.v2.recv.signkey,
554 ctx->u.v2.recv.seq++,
555 &ctx->u.v2.recv.sealkey,
556 output_message_buffer);
557
558 } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL)) {
559
560 gss_buffer_desc trailer;
561 OM_uint32 junk;
562
563 if (input_message_buffer->length < 16)
564 return GSS_S_BAD_MIC;
565
566 output_message_buffer->length = input_message_buffer->length - 16;
567 output_message_buffer->value = malloc(output_message_buffer->length);
568 if (output_message_buffer->value == NULL) {
569 output_message_buffer->length = 0;
570 return GSS_S_FAILURE;
571 }
572
573 RC4(&ctx->u.v1.crypto_recv.key, output_message_buffer->length,
574 input_message_buffer->value, output_message_buffer->value);
575
576 trailer.value = ((unsigned char *)input_message_buffer->value) +
577 output_message_buffer->length;
578 trailer.length = 16;
579
580 ret = _gss_ntlm_verify_mic(minor_status, context_handle,
581 output_message_buffer,
582 &trailer, NULL);
583 if (ret) {
584 gss_release_buffer(&junk, output_message_buffer);
585 return ret;
586 }
587
588 return GSS_S_COMPLETE;
589 }
590
591 return GSS_S_UNAVAILABLE;
592 }
593