1 /* $NetBSD: crypto.c,v 1.2 2017/01/28 21:31:46 christos Exp $ */ 2 3 /* 4 * Copyright (c) 2006-2016 Kungliga Tekniska Högskolan 5 * (Royal Institute of Technology, Stockholm, Sweden). 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * 3. Neither the name of the Institute nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 #include "ntlm.h" 37 struct hx509_certs_data; 38 struct krb5_pk_identity; 39 struct krb5_pk_cert; 40 struct ContentInfo; 41 struct AlgorithmIdentifier; 42 struct _krb5_krb_auth_data; 43 struct krb5_dh_moduli; 44 struct _krb5_key_data; 45 struct _krb5_encryption_type; 46 struct _krb5_key_type; 47 #include "krb5_locl.h" 48 49 /* 50 * 51 */ 52 53 static void 54 encode_le_uint32(uint32_t n, unsigned char *p) 55 { 56 p[0] = (n >> 0) & 0xFF; 57 p[1] = (n >> 8) & 0xFF; 58 p[2] = (n >> 16) & 0xFF; 59 p[3] = (n >> 24) & 0xFF; 60 } 61 62 63 static void 64 decode_le_uint32(const void *ptr, uint32_t *n) 65 { 66 const unsigned char *p = ptr; 67 *n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24); 68 } 69 70 /* 71 * 72 */ 73 74 const char a2i_signmagic[] = 75 "session key to server-to-client signing key magic constant"; 76 const char a2i_sealmagic[] = 77 "session key to server-to-client sealing key magic constant"; 78 const char i2a_signmagic[] = 79 "session key to client-to-server signing key magic constant"; 80 const char i2a_sealmagic[] = 81 "session key to client-to-server sealing key magic constant"; 82 83 84 void 85 _gss_ntlm_set_key(struct ntlmv2_key *key, int acceptor, int sealsign, 86 unsigned char *data, size_t len) 87 { 88 unsigned char out[16]; 89 EVP_MD_CTX *ctx; 90 const char *signmagic; 91 const char *sealmagic; 92 93 if (acceptor) { 94 signmagic = a2i_signmagic; 95 sealmagic = a2i_sealmagic; 96 } else { 97 signmagic = i2a_signmagic; 98 sealmagic = i2a_sealmagic; 99 } 100 101 key->seq = 0; 102 103 ctx = EVP_MD_CTX_create(); 104 EVP_DigestInit_ex(ctx, EVP_md5(), NULL); 105 EVP_DigestUpdate(ctx, data, len); 106 EVP_DigestUpdate(ctx, signmagic, strlen(signmagic) + 1); 107 EVP_DigestFinal_ex(ctx, key->signkey, NULL); 108 109 EVP_DigestInit_ex(ctx, EVP_md5(), NULL); 110 EVP_DigestUpdate(ctx, data, len); 111 EVP_DigestUpdate(ctx, sealmagic, strlen(sealmagic) + 1); 112 EVP_DigestFinal_ex(ctx, out, NULL); 113 EVP_MD_CTX_destroy(ctx); 114 115 RC4_set_key(&key->sealkey, 16, out); 116 if (sealsign) 117 key->signsealkey = &key->sealkey; 118 } 119 120 /* 121 * 122 */ 123 124 static OM_uint32 125 v1_sign_message(gss_buffer_t in, 126 RC4_KEY *signkey, 127 uint32_t seq, 128 unsigned char out[16]) 129 { 130 unsigned char sigature[12]; 131 uint32_t crc; 132 133 _krb5_crc_init_table(); 134 crc = _krb5_crc_update(in->value, in->length, 0); 135 136 encode_le_uint32(0, &sigature[0]); 137 encode_le_uint32(crc, &sigature[4]); 138 encode_le_uint32(seq, &sigature[8]); 139 140 encode_le_uint32(1, out); /* version */ 141 RC4(signkey, sizeof(sigature), sigature, out + 4); 142 143 if (RAND_bytes(out + 4, 4) != 1) 144 return GSS_S_UNAVAILABLE; 145 146 return 0; 147 } 148 149 150 static OM_uint32 151 v2_sign_message(gss_buffer_t in, 152 unsigned char signkey[16], 153 RC4_KEY *sealkey, 154 uint32_t seq, 155 unsigned char out[16]) 156 { 157 unsigned char hmac[16]; 158 unsigned int hmaclen; 159 HMAC_CTX c; 160 161 HMAC_CTX_init(&c); 162 HMAC_Init_ex(&c, signkey, 16, EVP_md5(), NULL); 163 164 encode_le_uint32(seq, hmac); 165 HMAC_Update(&c, hmac, 4); 166 HMAC_Update(&c, in->value, in->length); 167 HMAC_Final(&c, hmac, &hmaclen); 168 HMAC_CTX_cleanup(&c); 169 170 encode_le_uint32(1, &out[0]); 171 if (sealkey) 172 RC4(sealkey, 8, hmac, &out[4]); 173 else 174 memcpy(&out[4], hmac, 8); 175 176 memset(&out[12], 0, 4); 177 178 return GSS_S_COMPLETE; 179 } 180 181 static OM_uint32 182 v2_verify_message(gss_buffer_t in, 183 unsigned char signkey[16], 184 RC4_KEY *sealkey, 185 uint32_t seq, 186 const unsigned char checksum[16]) 187 { 188 OM_uint32 ret; 189 unsigned char out[16]; 190 191 ret = v2_sign_message(in, signkey, sealkey, seq, out); 192 if (ret) 193 return ret; 194 195 if (memcmp(checksum, out, 16) != 0) 196 return GSS_S_BAD_MIC; 197 198 return GSS_S_COMPLETE; 199 } 200 201 static OM_uint32 202 v2_seal_message(const gss_buffer_t in, 203 unsigned char signkey[16], 204 uint32_t seq, 205 RC4_KEY *sealkey, 206 gss_buffer_t out) 207 { 208 unsigned char *p; 209 OM_uint32 ret; 210 211 if (in->length + 16 < in->length) 212 return EINVAL; 213 214 p = malloc(in->length + 16); 215 if (p == NULL) 216 return ENOMEM; 217 218 RC4(sealkey, in->length, in->value, p); 219 220 ret = v2_sign_message(in, signkey, sealkey, seq, &p[in->length]); 221 if (ret) { 222 free(p); 223 return ret; 224 } 225 226 out->value = p; 227 out->length = in->length + 16; 228 229 return 0; 230 } 231 232 static OM_uint32 233 v2_unseal_message(gss_buffer_t in, 234 unsigned char signkey[16], 235 uint32_t seq, 236 RC4_KEY *sealkey, 237 gss_buffer_t out) 238 { 239 OM_uint32 ret; 240 241 if (in->length < 16) 242 return GSS_S_BAD_MIC; 243 244 out->length = in->length - 16; 245 out->value = malloc(out->length); 246 if (out->value == NULL) 247 return GSS_S_BAD_MIC; 248 249 RC4(sealkey, out->length, in->value, out->value); 250 251 ret = v2_verify_message(out, signkey, sealkey, seq, 252 ((const unsigned char *)in->value) + out->length); 253 if (ret) { 254 OM_uint32 junk; 255 gss_release_buffer(&junk, out); 256 } 257 return ret; 258 } 259 260 /* 261 * 262 */ 263 264 #define CTX_FLAGS_ISSET(_ctx,_flags) \ 265 (((_ctx)->flags & (_flags)) == (_flags)) 266 267 /* 268 * 269 */ 270 271 OM_uint32 GSSAPI_CALLCONV 272 _gss_ntlm_get_mic 273 (OM_uint32 * minor_status, 274 gss_const_ctx_id_t context_handle, 275 gss_qop_t qop_req, 276 const gss_buffer_t message_buffer, 277 gss_buffer_t message_token 278 ) 279 { 280 ntlm_ctx ctx = (ntlm_ctx)context_handle; 281 OM_uint32 junk; 282 283 *minor_status = 0; 284 285 message_token->value = malloc(16); 286 message_token->length = 16; 287 if (message_token->value == NULL) { 288 *minor_status = ENOMEM; 289 return GSS_S_FAILURE; 290 } 291 292 if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SIGN|NTLM_NEG_NTLM2_SESSION)) { 293 OM_uint32 ret; 294 295 if ((ctx->status & STATUS_SESSIONKEY) == 0) { 296 gss_release_buffer(&junk, message_token); 297 return GSS_S_UNAVAILABLE; 298 } 299 300 ret = v2_sign_message(message_buffer, 301 ctx->u.v2.send.signkey, 302 ctx->u.v2.send.signsealkey, 303 ctx->u.v2.send.seq++, 304 message_token->value); 305 if (ret) 306 gss_release_buffer(&junk, message_token); 307 return ret; 308 309 } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SIGN)) { 310 OM_uint32 ret; 311 312 if ((ctx->status & STATUS_SESSIONKEY) == 0) { 313 gss_release_buffer(&junk, message_token); 314 return GSS_S_UNAVAILABLE; 315 } 316 317 ret = v1_sign_message(message_buffer, 318 &ctx->u.v1.crypto_send.key, 319 ctx->u.v1.crypto_send.seq++, 320 message_token->value); 321 if (ret) 322 gss_release_buffer(&junk, message_token); 323 return ret; 324 325 } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_ALWAYS_SIGN)) { 326 unsigned char *sigature; 327 328 sigature = message_token->value; 329 330 encode_le_uint32(1, &sigature[0]); /* version */ 331 encode_le_uint32(0, &sigature[4]); 332 encode_le_uint32(0, &sigature[8]); 333 encode_le_uint32(0, &sigature[12]); 334 335 return GSS_S_COMPLETE; 336 } 337 gss_release_buffer(&junk, message_token); 338 339 return GSS_S_UNAVAILABLE; 340 } 341 342 /* 343 * 344 */ 345 346 OM_uint32 GSSAPI_CALLCONV 347 _gss_ntlm_verify_mic 348 (OM_uint32 * minor_status, 349 gss_const_ctx_id_t context_handle, 350 const gss_buffer_t message_buffer, 351 const gss_buffer_t token_buffer, 352 gss_qop_t * qop_state 353 ) 354 { 355 ntlm_ctx ctx = (ntlm_ctx)context_handle; 356 357 if (qop_state != NULL) 358 *qop_state = GSS_C_QOP_DEFAULT; 359 *minor_status = 0; 360 361 if (token_buffer->length != 16) 362 return GSS_S_BAD_MIC; 363 364 if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SIGN|NTLM_NEG_NTLM2_SESSION)) { 365 OM_uint32 ret; 366 367 if ((ctx->status & STATUS_SESSIONKEY) == 0) 368 return GSS_S_UNAVAILABLE; 369 370 ret = v2_verify_message(message_buffer, 371 ctx->u.v2.recv.signkey, 372 ctx->u.v2.recv.signsealkey, 373 ctx->u.v2.recv.seq++, 374 token_buffer->value); 375 if (ret) 376 return ret; 377 378 return GSS_S_COMPLETE; 379 } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SIGN)) { 380 381 unsigned char sigature[12]; 382 uint32_t crc, num; 383 384 if ((ctx->status & STATUS_SESSIONKEY) == 0) 385 return GSS_S_UNAVAILABLE; 386 387 decode_le_uint32(token_buffer->value, &num); 388 if (num != 1) 389 return GSS_S_BAD_MIC; 390 391 RC4(&ctx->u.v1.crypto_recv.key, sizeof(sigature), 392 ((unsigned char *)token_buffer->value) + 4, sigature); 393 394 _krb5_crc_init_table(); 395 crc = _krb5_crc_update(message_buffer->value, 396 message_buffer->length, 0); 397 /* skip first 4 bytes in the encrypted checksum */ 398 decode_le_uint32(&sigature[4], &num); 399 if (num != crc) 400 return GSS_S_BAD_MIC; 401 decode_le_uint32(&sigature[8], &num); 402 if (ctx->u.v1.crypto_recv.seq != num) 403 return GSS_S_BAD_MIC; 404 ctx->u.v1.crypto_recv.seq++; 405 406 return GSS_S_COMPLETE; 407 } else if (ctx->flags & NTLM_NEG_ALWAYS_SIGN) { 408 uint32_t num; 409 unsigned char *p; 410 411 p = (unsigned char*)(token_buffer->value); 412 413 decode_le_uint32(&p[0], &num); /* version */ 414 if (num != 1) return GSS_S_BAD_MIC; 415 decode_le_uint32(&p[4], &num); 416 if (num != 0) return GSS_S_BAD_MIC; 417 decode_le_uint32(&p[8], &num); 418 if (num != 0) return GSS_S_BAD_MIC; 419 decode_le_uint32(&p[12], &num); 420 if (num != 0) return GSS_S_BAD_MIC; 421 422 return GSS_S_COMPLETE; 423 } 424 425 return GSS_S_UNAVAILABLE; 426 } 427 428 /* 429 * 430 */ 431 432 OM_uint32 GSSAPI_CALLCONV 433 _gss_ntlm_wrap_size_limit ( 434 OM_uint32 * minor_status, 435 gss_const_ctx_id_t context_handle, 436 int conf_req_flag, 437 gss_qop_t qop_req, 438 OM_uint32 req_output_size, 439 OM_uint32 * max_input_size 440 ) 441 { 442 ntlm_ctx ctx = (ntlm_ctx)context_handle; 443 444 *minor_status = 0; 445 446 if(ctx->flags & NTLM_NEG_SEAL) { 447 448 if (req_output_size < 16) 449 *max_input_size = 0; 450 else 451 *max_input_size = req_output_size - 16; 452 453 return GSS_S_COMPLETE; 454 } 455 456 return GSS_S_UNAVAILABLE; 457 } 458 459 /* 460 * 461 */ 462 463 OM_uint32 GSSAPI_CALLCONV 464 _gss_ntlm_wrap 465 (OM_uint32 * minor_status, 466 gss_const_ctx_id_t context_handle, 467 int conf_req_flag, 468 gss_qop_t qop_req, 469 const gss_buffer_t input_message_buffer, 470 int * conf_state, 471 gss_buffer_t output_message_buffer 472 ) 473 { 474 ntlm_ctx ctx = (ntlm_ctx)context_handle; 475 OM_uint32 ret; 476 477 *minor_status = 0; 478 if (conf_state) 479 *conf_state = 0; 480 if (output_message_buffer == GSS_C_NO_BUFFER) 481 return GSS_S_FAILURE; 482 483 484 if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL|NTLM_NEG_NTLM2_SESSION)) { 485 486 return v2_seal_message(input_message_buffer, 487 ctx->u.v2.send.signkey, 488 ctx->u.v2.send.seq++, 489 &ctx->u.v2.send.sealkey, 490 output_message_buffer); 491 492 } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL)) { 493 gss_buffer_desc trailer; 494 OM_uint32 junk; 495 496 output_message_buffer->length = input_message_buffer->length + 16; 497 output_message_buffer->value = malloc(output_message_buffer->length); 498 if (output_message_buffer->value == NULL) { 499 output_message_buffer->length = 0; 500 return GSS_S_FAILURE; 501 } 502 503 504 RC4(&ctx->u.v1.crypto_send.key, input_message_buffer->length, 505 input_message_buffer->value, output_message_buffer->value); 506 507 ret = _gss_ntlm_get_mic(minor_status, context_handle, 508 0, input_message_buffer, 509 &trailer); 510 if (ret) { 511 gss_release_buffer(&junk, output_message_buffer); 512 return ret; 513 } 514 if (trailer.length != 16) { 515 gss_release_buffer(&junk, output_message_buffer); 516 gss_release_buffer(&junk, &trailer); 517 return GSS_S_FAILURE; 518 } 519 memcpy(((unsigned char *)output_message_buffer->value) + 520 input_message_buffer->length, 521 trailer.value, trailer.length); 522 gss_release_buffer(&junk, &trailer); 523 524 return GSS_S_COMPLETE; 525 } 526 527 return GSS_S_UNAVAILABLE; 528 } 529 530 /* 531 * 532 */ 533 534 OM_uint32 GSSAPI_CALLCONV 535 _gss_ntlm_unwrap 536 (OM_uint32 * minor_status, 537 gss_const_ctx_id_t context_handle, 538 const gss_buffer_t input_message_buffer, 539 gss_buffer_t output_message_buffer, 540 int * conf_state, 541 gss_qop_t * qop_state 542 ) 543 { 544 ntlm_ctx ctx = (ntlm_ctx)context_handle; 545 OM_uint32 ret; 546 547 *minor_status = 0; 548 output_message_buffer->value = NULL; 549 output_message_buffer->length = 0; 550 551 if (conf_state) 552 *conf_state = 0; 553 if (qop_state) 554 *qop_state = 0; 555 556 if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL|NTLM_NEG_NTLM2_SESSION)) { 557 558 return v2_unseal_message(input_message_buffer, 559 ctx->u.v2.recv.signkey, 560 ctx->u.v2.recv.seq++, 561 &ctx->u.v2.recv.sealkey, 562 output_message_buffer); 563 564 } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL)) { 565 566 gss_buffer_desc trailer; 567 OM_uint32 junk; 568 569 if (input_message_buffer->length < 16) 570 return GSS_S_BAD_MIC; 571 572 output_message_buffer->length = input_message_buffer->length - 16; 573 output_message_buffer->value = malloc(output_message_buffer->length); 574 if (output_message_buffer->value == NULL) { 575 output_message_buffer->length = 0; 576 return GSS_S_FAILURE; 577 } 578 579 RC4(&ctx->u.v1.crypto_recv.key, output_message_buffer->length, 580 input_message_buffer->value, output_message_buffer->value); 581 582 trailer.value = ((unsigned char *)input_message_buffer->value) + 583 output_message_buffer->length; 584 trailer.length = 16; 585 586 ret = _gss_ntlm_verify_mic(minor_status, context_handle, 587 output_message_buffer, 588 &trailer, NULL); 589 if (ret) { 590 gss_release_buffer(&junk, output_message_buffer); 591 return ret; 592 } 593 594 return GSS_S_COMPLETE; 595 } 596 597 return GSS_S_UNAVAILABLE; 598 } 599