/* Generate a response authenticator field. */
static krb5_error_code
auth_generate_response(krb5_context ctx, const char *secret,
const krad_packet *response, const uchar *auth,
uchar *rauth)
{
krb5_error_code retval;
krb5_checksum hash;
krb5_data data;
/* Allocate the temporary buffer. */
retval = alloc_data(&data, response->pkt.length + strlen(secret));
if (retval != 0)
return retval;
/* Encoded RADIUS packet with the request's
* authenticator and the secret at the end. */
memcpy(data.data, response->pkt.data, response->pkt.length);
memcpy(data.data + OFFSET_AUTH, auth, AUTH_FIELD_SIZE);
memcpy(data.data + response->pkt.length, secret, strlen(secret));
/* Hash it. */
retval = krb5_c_make_checksum(ctx, CKSUMTYPE_RSA_MD5, NULL, 0, &data,
&hash);
free(data.data);
if (retval != 0)
return retval;
memcpy(rauth, hash.contents, AUTH_FIELD_SIZE);
krb5_free_checksum_contents(ctx, &hash);
return 0;
}
/*
* Create a IAKERB-FINISHED structure containing a checksum of
* the entire IAKERB exchange.
*/
krb5_error_code
iakerb_make_finished(krb5_context context,
krb5_key key,
const krb5_data *conv,
krb5_data **finished)
{
krb5_error_code code;
krb5_iakerb_finished iaf;
*finished = NULL;
memset(&iaf, 0, sizeof(iaf));
if (key == NULL)
return KRB5KDC_ERR_NULL_KEY;
code = krb5_k_make_checksum(context, 0, key, KRB5_KEYUSAGE_IAKERB_FINISHED,
conv, &iaf.checksum);
if (code != 0)
return code;
code = encode_krb5_iakerb_finished(&iaf, finished);
krb5_free_checksum_contents(context, &iaf.checksum);
return code;
}
static void
free_vmac(krb5_context context, krb5_verifier_mac *val)
{
if (val == NULL)
return;
krb5_free_principal(context, val->princ);
krb5_free_checksum_contents(context, &val->checksum);
}
void KRB5_CALLCONV
krb5_free_checksum(krb5_context context, register krb5_checksum *val)
{
if (val == NULL)
return;
krb5_free_checksum_contents(context, val);
free(val);
}
void KRB5_CALLCONV
krb5_free_pa_s4u_x509_user(krb5_context context, krb5_pa_s4u_x509_user *req)
{
if (req == NULL)
return;
krb5_free_s4u_userid_contents(context, &req->user_id);
krb5_free_checksum_contents(context, &req->cksum);
free(req);
}
void KRB5_CALLCONV
krb5_free_fast_finished(krb5_context context, krb5_fast_finished *val)
{
if (!val)
return;
krb5_free_principal(context, val->client);
krb5_free_checksum_contents(context, &val->ticket_checksum);
free(val);
}
void KRB5_CALLCONV
krb5_free_iakerb_finished(krb5_context context, krb5_iakerb_finished *val)
{
if (val == NULL)
return ;
krb5_free_checksum_contents(context, &val->checksum);
free(val);
}
void KRB5_CALLCONV
krb5_free_pa_for_user(krb5_context context, krb5_pa_for_user *req)
{
if (req == NULL)
return;
krb5_free_principal(context, req->user);
req->user = NULL;
krb5_free_checksum_contents(context, &req->cksum);
krb5_free_data_contents(context, &req->auth_package);
free(req);
}
void KRB5_CALLCONV
krb5_free_ad_kdcissued(krb5_context context, krb5_ad_kdcissued *val)
{
if (val == NULL)
return;
krb5_free_checksum_contents(context, &val->ad_checksum);
krb5_free_principal(context, val->i_principal);
krb5_free_authdata(context, val->elements);
free(val);
}
void KRB5_CALLCONV
krb5_free_fast_armored_req(krb5_context context, krb5_fast_armored_req *val)
{
if (val == NULL)
return;
if (val->armor)
krb5_free_fast_armor(context, val->armor);
krb5_free_data_contents(context, &val->enc_part.ciphertext);
if (val->req_checksum.contents)
krb5_free_checksum_contents(context, &val->req_checksum);
free(val);
}
/* Return a four-byte hex string from the first two bytes of a SHA-1 hash of a
* byte array. Return NULL on failure. */
static char *
hash_bytes(krb5_context context, const void *ptr, size_t len)
{
krb5_checksum cksum;
krb5_data d = make_data((void *) ptr, len);
char *s = NULL;
if (krb5_k_make_checksum(context, CKSUMTYPE_NIST_SHA, NULL, 0, &d,
&cksum) != 0)
return NULL;
if (cksum.length >= 2)
(void) asprintf(&s, "%02X%02X", cksum.contents[0], cksum.contents[1]);
krb5_free_checksum_contents(context, &cksum);
return s;
}
void KRB5_CALLCONV
krb5_free_ad_signedpath(krb5_context context, krb5_ad_signedpath *val)
{
int i;
if (val == NULL)
return;
krb5_free_checksum_contents(context, &val->checksum);
if (val->delegated != NULL) {
for (i = 0; val->delegated[i] != NULL; i++)
krb5_free_principal(context, val->delegated[i]);
free(val->delegated);
}
krb5_free_pa_data(context, val->method_data);
free(val);
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *key,
krb5_keyusage usage, const krb5_data *data,
const krb5_checksum *cksum, krb5_boolean *valid)
{
krb5_error_code ret;
krb5_checksum data_cksum;
*valid = 0;
ret = krb5_c_make_checksum(context, cksum->cksumtype,
key, usage, data, &data_cksum);
if (ret)
return ret;
if (data_cksum.cksumtype == cksum->cksumtype
&& krb5_data_ct_cmp(&data_cksum.checksum, &cksum->checksum) == 0)
*valid = 1;
krb5_free_checksum_contents(context, &data_cksum);
return 0;
}
krb5_error_code
gss_krb5int_make_seal_token_v3 (krb5_context context,
krb5_gss_ctx_id_rec *ctx,
const gss_buffer_desc * message,
gss_buffer_t token,
int conf_req_flag, int toktype)
{
size_t bufsize = 16;
unsigned char *outbuf = 0;
krb5_error_code err;
int key_usage;
unsigned char acceptor_flag;
const gss_buffer_desc *message2 = message;
#ifdef CFX_EXERCISE
size_t rrc;
#endif
size_t ec;
unsigned short tok_id;
krb5_checksum sum;
krb5_key key;
krb5_cksumtype cksumtype;
acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
key_usage = (toktype == KG_TOK_WRAP_MSG
? (ctx->initiate
? KG_USAGE_INITIATOR_SEAL
: KG_USAGE_ACCEPTOR_SEAL)
: (ctx->initiate
? KG_USAGE_INITIATOR_SIGN
: KG_USAGE_ACCEPTOR_SIGN));
if (ctx->have_acceptor_subkey) {
key = ctx->acceptor_subkey;
cksumtype = ctx->acceptor_subkey_cksumtype;
} else {
key = ctx->subkey;
cksumtype = ctx->cksumtype;
}
assert(key != NULL);
#ifdef CFX_EXERCISE
{
static int initialized = 0;
if (!initialized) {
srand(time(0));
initialized = 1;
}
}
#endif
if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
krb5_data plain;
krb5_enc_data cipher;
size_t ec_max;
/* 300: Adds some slop. */
if (SIZE_MAX - 300 < message->length)
return ENOMEM;
ec_max = SIZE_MAX - message->length - 300;
if (ec_max > 0xffff)
ec_max = 0xffff;
#ifdef CFX_EXERCISE
/* For testing only. For performance, always set ec = 0. */
ec = ec_max & rand();
#else
ec = 0;
#endif
plain.length = message->length + 16 + ec;
plain.data = malloc(message->length + 16 + ec);
if (plain.data == NULL)
return ENOMEM;
/* Get size of ciphertext. */
bufsize = 16 + krb5_encrypt_size (plain.length, key->keyblock.enctype);
/* Allocate space for header plus encrypted data. */
outbuf = gssalloc_malloc(bufsize);
if (outbuf == NULL) {
free(plain.data);
return ENOMEM;
}
/* TOK_ID */
store_16_be(KG2_TOK_WRAP_MSG, outbuf);
/* flags */
outbuf[2] = (acceptor_flag
| (conf_req_flag ? FLAG_WRAP_CONFIDENTIAL : 0)
| (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
/* filler */
outbuf[3] = 0xff;
/* EC */
store_16_be(ec, outbuf+4);
/* RRC */
store_16_be(0, outbuf+6);
store_64_be(ctx->seq_send, outbuf+8);
memcpy(plain.data, message->value, message->length);
if (ec != 0)
memset(plain.data + message->length, 'x', ec);
memcpy(plain.data + message->length + ec, outbuf, 16);
cipher.ciphertext.data = (char *)outbuf + 16;
cipher.ciphertext.length = bufsize - 16;
cipher.enctype = key->keyblock.enctype;
err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher);
zap(plain.data, plain.length);
free(plain.data);
plain.data = 0;
if (err)
goto error;
/* Now that we know we're returning a valid token.... */
ctx->seq_send++;
#ifdef CFX_EXERCISE
rrc = rand() & 0xffff;
if (gss_krb5int_rotate_left(outbuf+16, bufsize-16,
(bufsize-16) - (rrc % (bufsize - 16))))
store_16_be(rrc, outbuf+6);
/* If the rotate fails, don't worry about it. */
#endif
} else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) {
krb5_data plain;
size_t cksumsize;
/* Here, message is the application-supplied data; message2 is
what goes into the output token. They may be the same, or
message2 may be empty (for MIC). */
tok_id = KG2_TOK_WRAP_MSG;
wrap_with_checksum:
plain.length = message->length + 16;
plain.data = malloc(message->length + 16);
if (plain.data == NULL)
return ENOMEM;
err = krb5_c_checksum_length(context, cksumtype, &cksumsize);
if (err)
goto error;
assert(cksumsize <= 0xffff);
bufsize = 16 + message2->length + cksumsize;
outbuf = gssalloc_malloc(bufsize);
if (outbuf == NULL) {
free(plain.data);
plain.data = 0;
err = ENOMEM;
goto error;
}
/* TOK_ID */
store_16_be(tok_id, outbuf);
/* flags */
outbuf[2] = (acceptor_flag
| (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
/* filler */
outbuf[3] = 0xff;
if (toktype == KG_TOK_WRAP_MSG) {
/* Use 0 for checksum calculation, substitute
checksum length later. */
/* EC */
store_16_be(0, outbuf+4);
/* RRC */
store_16_be(0, outbuf+6);
} else {
/* MIC and DEL store 0xFF in EC and RRC. */
store_16_be(0xffff, outbuf+4);
store_16_be(0xffff, outbuf+6);
}
store_64_be(ctx->seq_send, outbuf+8);
memcpy(plain.data, message->value, message->length);
memcpy(plain.data + message->length, outbuf, 16);
/* Fill in the output token -- data contents, if any, and
space for the checksum. */
if (message2->length)
memcpy(outbuf + 16, message2->value, message2->length);
sum.contents = outbuf + 16 + message2->length;
sum.length = cksumsize;
err = krb5_k_make_checksum(context, cksumtype, key,
key_usage, &plain, &sum);
zap(plain.data, plain.length);
free(plain.data);
plain.data = 0;
if (err) {
zap(outbuf,bufsize);
goto error;
}
if (sum.length != cksumsize)
abort();
memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize);
krb5_free_checksum_contents(context, &sum);
sum.contents = 0;
/* Now that we know we're actually generating the token... */
ctx->seq_send++;
if (toktype == KG_TOK_WRAP_MSG) {
#ifdef CFX_EXERCISE
rrc = rand() & 0xffff;
/* If the rotate fails, don't worry about it. */
if (gss_krb5int_rotate_left(outbuf+16, bufsize-16,
(bufsize-16) - (rrc % (bufsize - 16))))
store_16_be(rrc, outbuf+6);
#endif
/* Fix up EC field. */
store_16_be(cksumsize, outbuf+4);
} else {
store_16_be(0xffff, outbuf+6);
}
} else if (toktype == KG_TOK_MIC_MSG) {
tok_id = KG2_TOK_MIC_MSG;
message2 = &empty_message;
goto wrap_with_checksum;
} else if (toktype == KG_TOK_DEL_CTX) {
tok_id = KG2_TOK_DEL_CTX;
message = message2 = &empty_message;
goto wrap_with_checksum;
} else
abort();
token->value = outbuf;
token->length = bufsize;
return 0;
error:
gssalloc_free(outbuf);
token->value = NULL;
token->length = 0;
return err;
}
static krb5_error_code
make_seal_token_v1_iov(krb5_context context,
krb5_gss_ctx_id_rec *ctx,
int conf_req_flag,
int *conf_state,
gss_iov_buffer_desc *iov,
int iov_count,
int toktype)
{
krb5_error_code code = 0;
gss_iov_buffer_t header;
gss_iov_buffer_t padding;
gss_iov_buffer_t trailer;
krb5_checksum md5cksum;
krb5_checksum cksum;
size_t k5_headerlen = 0, k5_trailerlen = 0;
size_t data_length = 0, assoc_data_length = 0;
size_t tmsglen = 0, tlen;
unsigned char *ptr;
krb5_keyusage sign_usage = KG_USAGE_SIGN;
assert(toktype == KG_TOK_WRAP_MSG);
md5cksum.length = cksum.length = 0;
md5cksum.contents = cksum.contents = NULL;
header = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
if (header == NULL)
return EINVAL;
padding = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING);
if (padding == NULL && (ctx->gss_flags & GSS_C_DCE_STYLE) == 0)
return EINVAL;
trailer = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
if (trailer != NULL)
trailer->buffer.length = 0;
/* Determine confounder length */
if (toktype == KG_TOK_WRAP_MSG || conf_req_flag)
k5_headerlen = kg_confounder_size(context, ctx->enc);
/* Check padding length */
if (toktype == KG_TOK_WRAP_MSG) {
size_t k5_padlen = (ctx->sealalg == SEAL_ALG_MICROSOFT_RC4) ? 1 : 8;
size_t gss_padlen;
size_t conf_data_length;
kg_iov_msglen(iov, iov_count, &data_length, &assoc_data_length);
conf_data_length = k5_headerlen + data_length - assoc_data_length;
if (k5_padlen == 1)
gss_padlen = 1; /* one byte to indicate one byte of padding */
else
gss_padlen = k5_padlen - (conf_data_length % k5_padlen);
if (ctx->gss_flags & GSS_C_DCE_STYLE) {
/* DCE will pad the actual data itself; padding buffer optional and will be zeroed */
gss_padlen = 0;
if (conf_data_length % k5_padlen)
code = KRB5_BAD_MSIZE;
} else if (padding->type & GSS_IOV_BUFFER_FLAG_ALLOCATE) {
code = kg_allocate_iov(padding, gss_padlen);
} else if (padding->buffer.length < gss_padlen) {
code = KRB5_BAD_MSIZE;
}
if (code != 0)
goto cleanup;
/* Initialize padding buffer to pad itself */
if (padding != NULL) {
padding->buffer.length = gss_padlen;
memset(padding->buffer.value, (int)gss_padlen, gss_padlen);
}
if (ctx->gss_flags & GSS_C_DCE_STYLE)
tmsglen = k5_headerlen; /* confounder length */
else
tmsglen = conf_data_length + padding->buffer.length + assoc_data_length;
}
/* Determine token size */
tlen = g_token_size(ctx->mech_used, 14 + ctx->cksum_size + tmsglen);
k5_headerlen += tlen - tmsglen;
if (header->type & GSS_IOV_BUFFER_FLAG_ALLOCATE)
code = kg_allocate_iov(header, k5_headerlen);
else if (header->buffer.length < k5_headerlen)
code = KRB5_BAD_MSIZE;
if (code != 0)
goto cleanup;
header->buffer.length = k5_headerlen;
ptr = (unsigned char *)header->buffer.value;
g_make_token_header(ctx->mech_used, 14 + ctx->cksum_size + tmsglen, &ptr, toktype);
/* 0..1 SIGN_ALG */
store_16_le(ctx->signalg, &ptr[0]);
/* 2..3 SEAL_ALG or Filler */
if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
store_16_le(ctx->sealalg, &ptr[2]);
} else {
/* No seal */
ptr[2] = 0xFF;
ptr[3] = 0xFF;
}
/* 4..5 Filler */
ptr[4] = 0xFF;
ptr[5] = 0xFF;
/* pad the plaintext, encrypt if needed, and stick it in the token */
/* initialize the checksum */
switch (ctx->signalg) {
case SGN_ALG_DES_MAC_MD5:
case SGN_ALG_MD2_5:
md5cksum.checksum_type = CKSUMTYPE_RSA_MD5;
break;
case SGN_ALG_HMAC_SHA1_DES3_KD:
md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3;
break;
case SGN_ALG_HMAC_MD5:
md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR;
if (toktype != KG_TOK_WRAP_MSG)
sign_usage = 15;
break;
default:
case SGN_ALG_DES_MAC:
abort ();
}
code = krb5_c_checksum_length(context, md5cksum.checksum_type, &k5_trailerlen);
if (code != 0)
goto cleanup;
md5cksum.length = k5_trailerlen;
if (k5_headerlen != 0) {
code = kg_make_confounder(context, ctx->enc, ptr + 14 + ctx->cksum_size);
if (code != 0)
goto cleanup;
}
/* compute the checksum */
code = kg_make_checksum_iov_v1(context, md5cksum.checksum_type,
ctx->cksum_size, ctx->seq, ctx->enc,
sign_usage, iov, iov_count, toktype,
&md5cksum);
if (code != 0)
goto cleanup;
switch (ctx->signalg) {
case SGN_ALG_DES_MAC_MD5:
case SGN_ALG_3:
code = kg_encrypt(context, ctx->seq, KG_USAGE_SEAL,
(g_OID_equal(ctx->mech_used, gss_mech_krb5_old) ?
ctx->seq->contents : NULL),
md5cksum.contents, md5cksum.contents, 16);
if (code != 0)
goto cleanup;
cksum.length = ctx->cksum_size;
cksum.contents = md5cksum.contents + 16 - cksum.length;
memcpy(ptr + 14, cksum.contents, cksum.length);
break;
case SGN_ALG_HMAC_SHA1_DES3_KD:
assert(md5cksum.length == ctx->cksum_size);
memcpy(ptr + 14, md5cksum.contents, md5cksum.length);
break;
case SGN_ALG_HMAC_MD5:
memcpy(ptr + 14, md5cksum.contents, ctx->cksum_size);
break;
}
/* create the seq_num */
code = kg_make_seq_num(context, ctx->seq, ctx->initiate ? 0 : 0xFF,
(OM_uint32)ctx->seq_send, ptr + 14, ptr + 6);
if (code != 0)
goto cleanup;
if (conf_req_flag) {
if (ctx->sealalg == SEAL_ALG_MICROSOFT_RC4) {
unsigned char bigend_seqnum[4];
krb5_keyblock *enc_key;
size_t i;
store_32_be(ctx->seq_send, bigend_seqnum);
code = krb5_copy_keyblock(context, ctx->enc, &enc_key);
if (code != 0)
goto cleanup;
assert(enc_key->length == 16);
for (i = 0; i < enc_key->length; i++)
((char *)enc_key->contents)[i] ^= 0xF0;
code = kg_arcfour_docrypt_iov(context, enc_key, 0,
bigend_seqnum, 4,
iov, iov_count);
krb5_free_keyblock(context, enc_key);
} else {
code = kg_encrypt_iov(context, ctx->proto,
((ctx->gss_flags & GSS_C_DCE_STYLE) != 0),
0 /*EC*/, 0 /*RRC*/,
ctx->enc, KG_USAGE_SEAL, NULL,
iov, iov_count);
}
if (code != 0)
goto cleanup;
}
ctx->seq_send++;
ctx->seq_send &= 0xFFFFFFFFL;
code = 0;
if (conf_state != NULL)
*conf_state = conf_req_flag;
cleanup:
if (code != 0)
kg_release_iov(iov, iov_count);
krb5_free_checksum_contents(context, &md5cksum);
return code;
}
int
main(int argc, char **argv)
{
krb5_error_code ret;
krb5_context context = NULL;
size_t i;
struct test *test;
krb5_keyblock kb, *kbp;
krb5_checksum cksum;
krb5_cksumtype mtype;
krb5_boolean valid, verbose = FALSE;
int status = 0;
if (argc >= 2 && strcmp(argv[1], "-v") == 0)
verbose = TRUE;
for (i = 0; i < sizeof(test_cases) / sizeof(*test_cases); i++) {
test = &test_cases[i];
if (test->enctype != 0) {
kb.magic = KV5M_KEYBLOCK;
kb.enctype = test->enctype;
kb.length = test->keybits.length;
kb.contents = (unsigned char *)test->keybits.data;
kbp = &kb;
} else
kbp = NULL;
ret = krb5_c_make_checksum(context, test->sumtype, kbp, test->usage,
&test->plaintext, &cksum);
assert(!ret);
if (verbose) {
char buf[64];
krb5_cksumtype_to_string(test->sumtype, buf, sizeof(buf));
printf("\nTest %d:\n", (int)i);
printf("Plaintext: %.*s\n", (int)test->plaintext.length,
test->plaintext.data);
printf("Checksum type: %s\n", buf);
if (test->enctype != 0) {
krb5_enctype_to_name(test->enctype, FALSE, buf, sizeof(buf));
printf("Enctype: %s\n", buf);
printhex("Key: ", test->keybits.data, test->keybits.length);
printf("Key usage: %d\n", (int)test->usage);
}
printhex("Checksum: ", cksum.contents, cksum.length);
}
if (test->cksum.length != cksum.length ||
memcmp(test->cksum.data, cksum.contents, cksum.length) != 0) {
printf("derive test %d failed\n", (int)i);
status = 1;
if (!verbose)
break;
}
/* Test that the checksum verifies successfully. */
ret = krb5_c_verify_checksum(context, kbp, test->usage,
&test->plaintext, &cksum, &valid);
assert(!ret);
if (!valid) {
printf("test %d verify failed\n", (int)i);
status = 1;
if (!verbose)
break;
}
if (kbp != NULL) {
ret = krb5int_c_mandatory_cksumtype(context, kbp->enctype, &mtype);
assert(!ret);
if (test->sumtype == mtype) {
/* Test that a checksum type of 0 uses the mandatory checksum
* type for the key. */
cksum.checksum_type = 0;
ret = krb5_c_verify_checksum(context, kbp, test->usage,
&test->plaintext, &cksum, &valid);
assert(!ret && valid);
}
}
krb5_free_checksum_contents(context, &cksum);
}
return status;
}
/*
* Create a CAMMAC for contents, using enc_tkt and the first key from krbtgt
* for the KDC verifier. Set *cammac_out to a single-element authdata list
* containing the CAMMAC inside an IF-RELEVANT container.
*/
krb5_error_code
cammac_create(krb5_context context, krb5_enc_tkt_part *enc_tkt,
krb5_keyblock *server_key, krb5_db_entry *krbtgt,
krb5_authdata **contents, krb5_authdata ***cammac_out)
{
krb5_error_code ret;
krb5_data *der_authdata = NULL, *der_enctkt = NULL, *der_cammac = NULL;
krb5_authdata ad, *list[2];
krb5_cammac cammac;
krb5_verifier_mac kdc_verifier, svc_verifier;
krb5_key_data *kd;
krb5_keyblock tgtkey;
krb5_checksum kdc_cksum, svc_cksum;
*cammac_out = NULL;
memset(&tgtkey, 0, sizeof(tgtkey));
memset(&kdc_cksum, 0, sizeof(kdc_cksum));
memset(&svc_cksum, 0, sizeof(svc_cksum));
/* Fetch the first krbtgt key for the KDC verifier. */
ret = krb5_dbe_find_enctype(context, krbtgt, -1, -1, 0, &kd);
if (ret)
goto cleanup;
ret = krb5_dbe_decrypt_key_data(context, NULL, kd, &tgtkey, NULL);
if (ret)
goto cleanup;
/* Checksum the reply with contents as authdata for the KDC verifier. */
ret = encode_kdcver_encpart(enc_tkt, contents, &der_enctkt);
if (ret)
goto cleanup;
ret = krb5_c_make_checksum(context, 0, &tgtkey, KRB5_KEYUSAGE_CAMMAC,
der_enctkt, &kdc_cksum);
if (ret)
goto cleanup;
kdc_verifier.princ = NULL;
kdc_verifier.kvno = kd->key_data_kvno;
kdc_verifier.enctype = ENCTYPE_NULL;
kdc_verifier.checksum = kdc_cksum;
/* Encode the authdata and checksum it for the service verifier. */
ret = encode_krb5_authdata(contents, &der_authdata);
if (ret)
goto cleanup;
ret = krb5_c_make_checksum(context, 0, server_key, KRB5_KEYUSAGE_CAMMAC,
der_authdata, &svc_cksum);
if (ret)
goto cleanup;
svc_verifier.princ = NULL;
svc_verifier.kvno = 0;
svc_verifier.enctype = ENCTYPE_NULL;
svc_verifier.checksum = svc_cksum;
cammac.elements = contents;
cammac.kdc_verifier = &kdc_verifier;
cammac.svc_verifier = &svc_verifier;
cammac.other_verifiers = NULL;
ret = encode_krb5_cammac(&cammac, &der_cammac);
if (ret)
goto cleanup;
/* Wrap the encoded CAMMAC in an IF-RELEVANT container and return it as a
* single-element authdata list. */
ad.ad_type = KRB5_AUTHDATA_CAMMAC;
ad.length = der_cammac->length;
ad.contents = (uint8_t *)der_cammac->data;
list[0] = &ad;
list[1] = NULL;
ret = krb5_encode_authdata_container(context, KRB5_AUTHDATA_IF_RELEVANT,
list, cammac_out);
cleanup:
krb5_free_data(context, der_enctkt);
krb5_free_data(context, der_authdata);
krb5_free_data(context, der_cammac);
krb5_free_keyblock_contents(context, &tgtkey);
krb5_free_checksum_contents(context, &kdc_cksum);
krb5_free_checksum_contents(context, &svc_cksum);
return ret;
}
static krb5_error_code
make_seal_token_v1 (krb5_context context,
krb5_keyblock *enc,
krb5_keyblock *seq,
gssint_uint64 *seqnum,
int direction,
gss_buffer_t text,
gss_buffer_t token,
int signalg,
size_t cksum_size,
int sealalg,
int do_encrypt,
int toktype,
int bigend,
gss_OID oid)
{
krb5_error_code code;
size_t sumlen;
char *data_ptr;
krb5_data plaind;
krb5_checksum md5cksum;
krb5_checksum cksum;
/* msglen contains the message length
* we are signing/encrypting. tmsglen
* contains the length of the message
* we plan to write out to the token.
* tlen is the length of the token
* including header. */
unsigned int conflen=0, tmsglen, tlen, msglen;
unsigned char *t, *ptr;
unsigned char *plain;
unsigned char pad;
krb5_keyusage sign_usage = KG_USAGE_SIGN;
assert((!do_encrypt) || (toktype == KG_TOK_SEAL_MSG));
/* create the token buffer */
/* Do we need confounder? */
if (do_encrypt || (!bigend && (toktype == KG_TOK_SEAL_MSG)))
conflen = kg_confounder_size(context, enc);
else conflen = 0;
if (toktype == KG_TOK_SEAL_MSG) {
switch (sealalg) {
case SEAL_ALG_MICROSOFT_RC4:
msglen = conflen + text->length+1;
pad = 1;
break;
default:
/* XXX knows that des block size is 8 */
msglen = (conflen+text->length+8)&(~7);
pad = 8-(text->length%8);
}
tmsglen = msglen;
} else {
tmsglen = 0;
msglen = text->length;
pad = 0;
}
tlen = g_token_size((gss_OID) oid, 14+cksum_size+tmsglen);
if ((t = (unsigned char *) xmalloc(tlen)) == NULL)
return(ENOMEM);
/*** fill in the token */
ptr = t;
g_make_token_header(oid, 14+cksum_size+tmsglen, &ptr, toktype);
/* 0..1 SIGN_ALG */
store_16_le(signalg, &ptr[0]);
/* 2..3 SEAL_ALG or Filler */
if ((toktype == KG_TOK_SEAL_MSG) && do_encrypt) {
store_16_le(sealalg, &ptr[2]);
} else {
/* No seal */
ptr[2] = 0xff;
ptr[3] = 0xff;
}
/* 4..5 Filler */
ptr[4] = 0xff;
ptr[5] = 0xff;
/* pad the plaintext, encrypt if needed, and stick it in the token */
/* initialize the the cksum */
switch (signalg) {
case SGN_ALG_DES_MAC_MD5:
case SGN_ALG_MD2_5:
md5cksum.checksum_type = CKSUMTYPE_RSA_MD5;
break;
case SGN_ALG_HMAC_SHA1_DES3_KD:
md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3;
break;
case SGN_ALG_HMAC_MD5:
md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR;
if (toktype != KG_TOK_SEAL_MSG)
sign_usage = 15;
break;
default:
case SGN_ALG_DES_MAC:
abort ();
}
code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen);
if (code) {
xfree(t);
return(code);
}
md5cksum.length = sumlen;
if ((plain = (unsigned char *) xmalloc(msglen ? msglen : 1)) == NULL) {
xfree(t);
return(ENOMEM);
}
if (conflen) {
if ((code = kg_make_confounder(context, enc, plain))) {
xfree(plain);
xfree(t);
return(code);
}
}
memcpy(plain+conflen, text->value, text->length);
if (pad) memset(plain+conflen+text->length, pad, pad);
/* compute the checksum */
/* 8 = head of token body as specified by mech spec */
if (! (data_ptr =
(char *) xmalloc(8 + (bigend ? text->length : msglen)))) {
xfree(plain);
xfree(t);
return(ENOMEM);
}
(void) memcpy(data_ptr, ptr-2, 8);
if (bigend)
(void) memcpy(data_ptr+8, text->value, text->length);
else
(void) memcpy(data_ptr+8, plain, msglen);
plaind.length = 8 + (bigend ? text->length : msglen);
plaind.data = data_ptr;
code = krb5_c_make_checksum(context, md5cksum.checksum_type, seq,
sign_usage, &plaind, &md5cksum);
xfree(data_ptr);
if (code) {
xfree(plain);
xfree(t);
return(code);
}
switch(signalg) {
case SGN_ALG_DES_MAC_MD5:
case 3:
if ((code = kg_encrypt(context, seq, KG_USAGE_SEAL,
(g_OID_equal(oid, gss_mech_krb5_old) ?
seq->contents : NULL),
md5cksum.contents, md5cksum.contents, 16))) {
krb5_free_checksum_contents(context, &md5cksum);
xfree (plain);
xfree(t);
return code;
}
cksum.length = cksum_size;
cksum.contents = md5cksum.contents + 16 - cksum.length;
memcpy(ptr+14, cksum.contents, cksum.length);
break;
case SGN_ALG_HMAC_SHA1_DES3_KD:
/*
* Using key derivation, the call to krb5_c_make_checksum
* already dealt with encrypting.
*/
if (md5cksum.length != cksum_size)
abort ();
memcpy (ptr+14, md5cksum.contents, md5cksum.length);
break;
case SGN_ALG_HMAC_MD5:
memcpy (ptr+14, md5cksum.contents, cksum_size);
break;
}
krb5_free_checksum_contents(context, &md5cksum);
/* create the seq_num */
if ((code = kg_make_seq_num(context, seq, direction?0:0xff,
(krb5_ui_4)*seqnum, ptr+14, ptr+6))) {
xfree (plain);
xfree(t);
return(code);
}
if (do_encrypt) {
switch(sealalg) {
case SEAL_ALG_MICROSOFT_RC4:
{
unsigned char bigend_seqnum[4];
krb5_keyblock *enc_key;
int i;
store_32_be(*seqnum, bigend_seqnum);
code = krb5_copy_keyblock (context, enc, &enc_key);
if (code)
{
xfree(plain);
xfree(t);
return(code);
}
assert (enc_key->length == 16);
for (i = 0; i <= 15; i++)
((char *) enc_key->contents)[i] ^=0xf0;
code = kg_arcfour_docrypt (enc_key, 0,
bigend_seqnum, 4,
plain, tmsglen,
ptr+14+cksum_size);
krb5_free_keyblock (context, enc_key);
if (code)
{
xfree(plain);
xfree(t);
return(code);
}
}
break;
default:
if ((code = kg_encrypt(context, enc, KG_USAGE_SEAL, NULL,
(krb5_pointer) plain,
(krb5_pointer) (ptr+cksum_size+14),
tmsglen))) {
xfree(plain);
xfree(t);
return(code);
}
}
}else {
if (tmsglen)
memcpy(ptr+14+cksum_size, plain, tmsglen);
}
xfree(plain);
/* that's it. return the token */
(*seqnum)++;
*seqnum &= 0xffffffffL;
token->length = tlen;
token->value = (void *) t;
return(0);
}
void
ktest_empty_iakerb_finished(krb5_iakerb_finished *p)
{
krb5_free_checksum_contents(NULL, &p->checksum);
}
int
ksm_rgenerate_out_msg(struct snmp_secmod_outgoing_params *parms)
{
krb5_auth_context auth_context = NULL;
krb5_error_code retcode;
krb5_ccache cc = NULL;
int retval = SNMPERR_SUCCESS;
krb5_data outdata, ivector;
krb5_keyblock *subkey = NULL;
#ifdef MIT_NEW_CRYPTO
krb5_data input;
krb5_enc_data output;
unsigned int numcksumtypes;
krb5_cksumtype *cksumtype_array;
#else /* MIT_NEW_CRYPTO */
krb5_encrypt_block eblock;
#endif /* MIT_NEW_CRYPTO */
size_t blocksize, encrypted_length;
unsigned char *encrypted_data = NULL;
int zero = 0, i;
u_char *cksum_pointer, *endp = *parms->wholeMsg;
krb5_cksumtype cksumtype;
krb5_checksum pdu_checksum;
u_char **wholeMsg = parms->wholeMsg;
size_t *offset = parms->wholeMsgOffset, seq_offset;
struct ksm_secStateRef *ksm_state = (struct ksm_secStateRef *)
parms->secStateRef;
int rc;
DEBUGMSGTL(("ksm", "Starting KSM processing\n"));
outdata.length = 0;
outdata.data = NULL;
ivector.length = 0;
ivector.data = NULL;
pdu_checksum.contents = NULL;
if (!ksm_state) {
/*
* If we don't have a ksm_state, then we're a request. Get a
* credential cache and build a ap_req.
*/
retcode = krb5_cc_default(kcontext, &cc);
if (retcode) {
DEBUGMSGTL(("ksm", "KSM: krb5_cc_default failed: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
DEBUGMSGTL(("ksm", "KSM: Set credential cache successfully\n"));
/*
* This seems odd, since we don't need this until later (or earlier,
* depending on how you look at it), but because the most likely
* errors are Kerberos at this point, I'll get this now to save
* time not encoding the rest of the packet.
*
* Also, we need the subkey to encrypt the PDU (if required).
*/
retcode =
krb5_mk_req(kcontext, &auth_context,
AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY,
(char *) service_name, parms->session->peername, NULL,
cc, &outdata);
if (retcode) {
DEBUGMSGTL(("ksm", "KSM: krb5_mk_req failed: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
DEBUGMSGTL(("ksm", "KSM: ticket retrieved successfully for \"%s/%s\" "
"(may not be actual ticket sname)\n", service_name,
parms->session->peername));
} else {
/*
* Grab the auth_context from our security state reference
*/
auth_context = ksm_state->auth_context;
/*
* Bundle up an AP_REP. Note that we do this only when we
* have a security state reference (which means we're in an agent
* and we're sending a response).
*/
DEBUGMSGTL(("ksm", "KSM: Starting reply processing.\n"));
retcode = krb5_mk_rep(kcontext, auth_context, &outdata);
if (retcode) {
DEBUGMSGTL(("ksm", "KSM: krb5_mk_rep failed: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
DEBUGMSGTL(("ksm", "KSM: Finished with krb5_mk_rep()\n"));
}
/*
* If we have to encrypt the PDU, do that now
*/
if (parms->secLevel == SNMP_SEC_LEVEL_AUTHPRIV) {
DEBUGMSGTL(("ksm", "KSM: Starting PDU encryption.\n"));
/*
* It's weird -
*
* If we're on the manager, it's a local subkey (because that's in
* our AP_REQ)
*
* If we're on the agent, it's a remote subkey (because that comes
* FROM the received AP_REQ).
*/
if (ksm_state)
retcode = krb5_auth_con_getremotesubkey(kcontext, auth_context,
&subkey);
else
retcode = krb5_auth_con_getlocalsubkey(kcontext, auth_context,
&subkey);
if (retcode) {
DEBUGMSGTL(("ksm",
"KSM: krb5_auth_con_getlocalsubkey failed: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
/*
* Note that here we need to handle different things between the
* old and new crypto APIs. First, we need to get the final encrypted
* length of the PDU.
*/
#ifdef MIT_NEW_CRYPTO
retcode = krb5_c_encrypt_length(kcontext, subkey->enctype,
parms->scopedPduLen,
&encrypted_length);
if (retcode) {
DEBUGMSGTL(("ksm",
"Encryption length calculation failed: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
#else /* MIT_NEW_CRYPTO */
krb5_use_enctype(kcontext, &eblock, subkey->enctype);
retcode = krb5_process_key(kcontext, &eblock, subkey);
if (retcode) {
DEBUGMSGTL(("ksm", "krb5_process_key failed: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
encrypted_length = krb5_encrypt_size(parms->scopedPduLen,
eblock.crypto_entry);
#endif /* MIT_NEW_CRYPTO */
encrypted_data = malloc(encrypted_length);
if (!encrypted_data) {
DEBUGMSGTL(("ksm",
"KSM: Unable to malloc %d bytes for encrypt "
"buffer: %s\n", parms->scopedPduLen,
strerror(errno)));
retval = SNMPERR_MALLOC;
#ifndef MIT_NEW_CRYPTO
krb5_finish_key(kcontext, &eblock);
#endif /* ! MIT_NEW_CRYPTO */
goto error;
}
/*
* We need to set up a blank initialization vector for the encryption.
* Use a block of all zero's (which is dependent on the block size
* of the encryption method).
*/
#ifdef MIT_NEW_CRYPTO
retcode = krb5_c_block_size(kcontext, subkey->enctype, &blocksize);
if (retcode) {
DEBUGMSGTL(("ksm",
"Unable to determine crypto block size: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
#else /* MIT_NEW_CRYPTO */
blocksize =
krb5_enctype_array[subkey->enctype]->system->block_length;
#endif /* MIT_NEW_CRYPTO */
ivector.data = malloc(blocksize);
if (!ivector.data) {
DEBUGMSGTL(("ksm", "Unable to allocate %d bytes for ivector\n",
blocksize));
retval = SNMPERR_MALLOC;
goto error;
}
ivector.length = blocksize;
memset(ivector.data, 0, blocksize);
/*
* Finally! Do the encryption!
*/
#ifdef MIT_NEW_CRYPTO
input.data = (char *) parms->scopedPdu;
input.length = parms->scopedPduLen;
output.ciphertext.data = (char *) encrypted_data;
output.ciphertext.length = encrypted_length;
retcode =
krb5_c_encrypt(kcontext, subkey, KSM_KEY_USAGE_ENCRYPTION,
&ivector, &input, &output);
#else /* MIT_NEW_CRYPTO */
retcode = krb5_encrypt(kcontext, (krb5_pointer) parms->scopedPdu,
(krb5_pointer) encrypted_data,
parms->scopedPduLen, &eblock, ivector.data);
krb5_finish_key(kcontext, &eblock);
#endif /* MIT_NEW_CRYPTO */
if (retcode) {
DEBUGMSGTL(("ksm", "KSM: krb5_encrypt failed: %s\n",
error_message(retcode)));
retval = SNMPERR_KRB5;
snmp_set_detail(error_message(retcode));
goto error;
}
*offset = 0;
rc = asn_realloc_rbuild_string(wholeMsg, parms->wholeMsgLen,
offset, 1,
(u_char) (ASN_UNIVERSAL |
ASN_PRIMITIVE |
ASN_OCTET_STR),
encrypted_data,
encrypted_length);
if (rc == 0) {
DEBUGMSGTL(("ksm", "Building encrypted payload failed.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
DEBUGMSGTL(("ksm", "KSM: Encryption complete.\n"));
} else {
/*
* Plaintext PDU (not encrypted)
*/
if (*parms->wholeMsgLen < parms->scopedPduLen) {
DEBUGMSGTL(("ksm", "Not enough room for plaintext PDU.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
}
/*
* Start encoding the msgSecurityParameters
*
* For now, use 0 for the response hint
*/
DEBUGMSGTL(("ksm", "KSM: scopedPdu added to payload\n"));
seq_offset = *offset;
rc = asn_realloc_rbuild_int(wholeMsg, parms->wholeMsgLen,
offset, 1,
(u_char) (ASN_UNIVERSAL |
ASN_PRIMITIVE |
ASN_INTEGER),
(long *) &zero, sizeof(zero));
if (rc == 0) {
DEBUGMSGTL(("ksm", "Building ksm security parameters failed.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
rc = asn_realloc_rbuild_string(wholeMsg, parms->wholeMsgLen,
offset, 1,
(u_char) (ASN_UNIVERSAL |
ASN_PRIMITIVE |
ASN_OCTET_STR),
(u_char *) outdata.data,
outdata.length);
if (rc == 0) {
DEBUGMSGTL(("ksm", "Building ksm AP_REQ failed.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
/*
* Now, we need to pick the "right" checksum algorithm. For old
* crypto, just pick CKSUMTYPE_RSA_MD5_DES; for new crypto, pick
* one of the "approved" ones.
*/
#ifdef MIT_NEW_CRYPTO
retcode = krb5_c_keyed_checksum_types(kcontext, subkey->enctype,
&numcksumtypes, &cksumtype_array);
if (retcode) {
DEBUGMSGTL(("ksm", "Unable to find appropriate keyed checksum: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
if (numcksumtypes <= 0) {
DEBUGMSGTL(("ksm", "We received a list of zero cksumtypes for this "
"enctype (%d)\n", subkey->enctype));
snmp_set_detail("No valid checksum type for this encryption type");
retval = SNMPERR_KRB5;
goto error;
}
/*
* It's not clear to me from the API which checksum you're supposed
* to support, so I'm taking a guess at the first one
*/
cksumtype = cksumtype_array[0];
krb5_free_cksumtypes(kcontext, cksumtype_array);
DEBUGMSGTL(("ksm", "KSM: Choosing checksum type of %d (subkey type "
"of %d)\n", cksumtype, subkey->enctype));
retcode = krb5_c_checksum_length(kcontext, cksumtype, &blocksize);
if (retcode) {
DEBUGMSGTL(("ksm", "Unable to determine checksum length: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
pdu_checksum.length = blocksize;
#else /* MIT_NEW_CRYPTO */
if (ksm_state)
cksumtype = ksm_state->cksumtype;
else
cksumtype = CKSUMTYPE_RSA_MD5_DES;
if (!is_keyed_cksum(cksumtype)) {
DEBUGMSGTL(("ksm", "Checksum type %d is not a keyed checksum\n",
cksumtype));
snmp_set_detail("Checksum is not a keyed checksum");
retval = SNMPERR_KRB5;
goto error;
}
if (!is_coll_proof_cksum(cksumtype)) {
DEBUGMSGTL(("ksm", "Checksum type %d is not a collision-proof "
"checksum\n", cksumtype));
snmp_set_detail("Checksum is not a collision-proof checksum");
retval = SNMPERR_KRB5;
goto error;
}
pdu_checksum.length = krb5_checksum_size(kcontext, cksumtype);
pdu_checksum.checksum_type = cksumtype;
#endif /* MIT_NEW_CRYPTO */
/*
* Note that here, we're just leaving blank space for the checksum;
* we remember where that is, and we'll fill it in later.
*/
*offset += pdu_checksum.length;
memset(*wholeMsg + *parms->wholeMsgLen - *offset, 0, pdu_checksum.length);
cksum_pointer = *wholeMsg + *parms->wholeMsgLen - *offset;
rc = asn_realloc_rbuild_header(wholeMsg, parms->wholeMsgLen,
parms->wholeMsgOffset, 1,
(u_char) (ASN_UNIVERSAL |
ASN_PRIMITIVE |
ASN_OCTET_STR),
pdu_checksum.length);
if (rc == 0) {
DEBUGMSGTL(("ksm", "Building ksm security parameters failed.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
rc = asn_realloc_rbuild_int(wholeMsg, parms->wholeMsgLen,
parms->wholeMsgOffset, 1,
(u_char) (ASN_UNIVERSAL |
ASN_PRIMITIVE |
ASN_OCTET_STR),
(long *) &cksumtype,
sizeof(cksumtype));
if (rc == 0) {
DEBUGMSGTL(("ksm", "Building ksm security parameters failed.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
rc = asn_realloc_rbuild_sequence(wholeMsg, parms->wholeMsgLen,
parms->wholeMsgOffset, 1,
(u_char) (ASN_SEQUENCE |
ASN_CONSTRUCTOR),
*offset - seq_offset);
if (rc == 0) {
DEBUGMSGTL(("ksm", "Building ksm security parameters failed.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
rc = asn_realloc_rbuild_header(wholeMsg, parms->wholeMsgLen,
parms->wholeMsgOffset, 1,
(u_char) (ASN_UNIVERSAL |
ASN_PRIMITIVE |
ASN_OCTET_STR),
*offset - seq_offset);
if (rc == 0) {
DEBUGMSGTL(("ksm", "Building ksm security parameters failed.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
DEBUGMSGTL(("ksm", "KSM: Security parameter encoding completed\n"));
/*
* We're done with the KSM security parameters - now we do the global
* header and wrap up the whole PDU.
*/
if (*parms->wholeMsgLen < parms->globalDataLen) {
DEBUGMSGTL(("ksm", "Building global data failed.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
*offset += parms->globalDataLen;
memcpy(*wholeMsg + *parms->wholeMsgLen - *offset,
parms->globalData, parms->globalDataLen);
rc = asn_realloc_rbuild_sequence(wholeMsg, parms->wholeMsgLen,
offset, 1,
(u_char) (ASN_SEQUENCE |
ASN_CONSTRUCTOR),
*offset);
if (rc == 0) {
DEBUGMSGTL(("ksm", "Building master packet sequence.\n"));
retval = SNMPERR_TOO_LONG;
goto error;
}
DEBUGMSGTL(("ksm", "KSM: PDU master packet encoding complete.\n"));
/*
* Now we need to checksum the entire PDU (since it's built).
*/
pdu_checksum.contents = malloc(pdu_checksum.length);
if (!pdu_checksum.contents) {
DEBUGMSGTL(("ksm", "Unable to malloc %d bytes for checksum\n",
pdu_checksum.length));
retval = SNMPERR_MALLOC;
goto error;
}
/*
* If we didn't encrypt the packet, we haven't yet got the subkey.
* Get that now.
*/
if (!subkey) {
if (ksm_state)
retcode = krb5_auth_con_getremotesubkey(kcontext, auth_context,
&subkey);
else
retcode = krb5_auth_con_getlocalsubkey(kcontext, auth_context,
&subkey);
if (retcode) {
DEBUGMSGTL(("ksm", "krb5_auth_con_getlocalsubkey failed: %s\n",
error_message(retcode)));
snmp_set_detail(error_message(retcode));
retval = SNMPERR_KRB5;
goto error;
}
}
#ifdef MIT_NEW_CRYPTO
input.data = (char *) (*wholeMsg + *parms->wholeMsgLen - *offset);
input.length = *offset;
retcode = krb5_c_make_checksum(kcontext, cksumtype, subkey,
KSM_KEY_USAGE_CHECKSUM, &input,
&pdu_checksum);
#else /* MIT_NEW_CRYPTO */
retcode = krb5_calculate_checksum(kcontext, cksumtype, *wholeMsg +
*parms->wholeMsgLen - *offset,
*offset,
(krb5_pointer) subkey->contents,
subkey->length, &pdu_checksum);
#endif /* MIT_NEW_CRYPTO */
if (retcode) {
DEBUGMSGTL(("ksm", "Calculate checksum failed: %s\n",
error_message(retcode)));
retval = SNMPERR_KRB5;
snmp_set_detail(error_message(retcode));
goto error;
}
DEBUGMSGTL(("ksm", "KSM: Checksum calculation complete.\n"));
memcpy(cksum_pointer, pdu_checksum.contents, pdu_checksum.length);
DEBUGMSGTL(("ksm", "KSM: Writing checksum of %d bytes at offset %d\n",
pdu_checksum.length, cksum_pointer - (*wholeMsg + 1)));
DEBUGMSGTL(("ksm", "KSM: Checksum:"));
for (i = 0; i < pdu_checksum.length; i++)
DEBUGMSG(("ksm", " %02x",
(unsigned int) pdu_checksum.contents[i]));
DEBUGMSG(("ksm", "\n"));
/*
* If we're _not_ called as part of a response (null ksm_state),
* then save the auth_context for later using our cache routines.
*/
if (!ksm_state) {
if ((retval = ksm_insert_cache(parms->pdu->msgid, auth_context,
(u_char *) parms->secName,
parms->secNameLen)) !=
SNMPERR_SUCCESS)
goto error;
auth_context = NULL;
}
DEBUGMSGTL(("ksm", "KSM processing complete!\n"));
error:
if (pdu_checksum.contents)
#ifdef MIT_NEW_CRYPTO
krb5_free_checksum_contents(kcontext, &pdu_checksum);
#else /* MIT_NEW_CRYPTO */
free(pdu_checksum.contents);
#endif /* MIT_NEW_CRYPTO */
if (ivector.data)
free(ivector.data);
if (subkey)
krb5_free_keyblock(kcontext, subkey);
if (encrypted_data)
free(encrypted_data);
if (cc)
krb5_cc_close(kcontext, cc);
if (auth_context && !ksm_state)
krb5_auth_con_free(kcontext, auth_context);
return retval;
}
static OM_uint32
kg_unseal_v1_iov(krb5_context context,
OM_uint32 *minor_status,
krb5_gss_ctx_id_rec *ctx,
gss_iov_buffer_desc *iov,
int iov_count,
size_t token_wrapper_len,
int *conf_state,
gss_qop_t *qop_state,
int toktype)
{
OM_uint32 code;
gss_iov_buffer_t header;
gss_iov_buffer_t trailer;
unsigned char *ptr;
int sealalg;
int signalg;
krb5_checksum cksum;
krb5_checksum md5cksum;
size_t cksum_len = 0;
size_t conflen = 0;
int direction;
krb5_ui_4 seqnum;
OM_uint32 retval;
size_t sumlen;
krb5_keyusage sign_usage = KG_USAGE_SIGN;
md5cksum.length = cksum.length = 0;
md5cksum.contents = cksum.contents = NULL;
header = kg_locate_header_iov(iov, iov_count, toktype);
assert(header != NULL);
trailer = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
if (trailer != NULL && trailer->buffer.length != 0) {
*minor_status = (OM_uint32)KRB5_BAD_MSIZE;
return GSS_S_DEFECTIVE_TOKEN;
}
if (header->buffer.length < token_wrapper_len + 14) {
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
ptr = (unsigned char *)header->buffer.value + token_wrapper_len;
signalg = ptr[0];
signalg |= ptr[1] << 8;
sealalg = ptr[2];
sealalg |= ptr[3] << 8;
if (ptr[4] != 0xFF || ptr[5] != 0xFF) {
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
if (toktype != KG_TOK_WRAP_MSG && sealalg != 0xFFFF) {
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
if (toktype == KG_TOK_WRAP_MSG &&
!(sealalg == 0xFFFF || sealalg == ctx->sealalg)) {
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
if ((ctx->sealalg == SEAL_ALG_NONE && signalg > 1) ||
(ctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) ||
(ctx->sealalg == SEAL_ALG_DES3KD &&
signalg != SGN_ALG_HMAC_SHA1_DES3_KD)||
(ctx->sealalg == SEAL_ALG_MICROSOFT_RC4 &&
signalg != SGN_ALG_HMAC_MD5)) {
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
switch (signalg) {
case SGN_ALG_DES_MAC_MD5:
case SGN_ALG_MD2_5:
case SGN_ALG_HMAC_MD5:
cksum_len = 8;
if (toktype != KG_TOK_WRAP_MSG)
sign_usage = 15;
break;
case SGN_ALG_3:
cksum_len = 16;
break;
case SGN_ALG_HMAC_SHA1_DES3_KD:
cksum_len = 20;
break;
default:
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
/* get the token parameters */
code = kg_get_seq_num(context, ctx->seq, ptr + 14, ptr + 6, &direction,
&seqnum);
if (code != 0) {
*minor_status = code;
return GSS_S_BAD_SIG;
}
/* decode the message, if SEAL */
if (toktype == KG_TOK_WRAP_MSG) {
if (sealalg != 0xFFFF) {
if (ctx->sealalg == SEAL_ALG_MICROSOFT_RC4) {
unsigned char bigend_seqnum[4];
krb5_keyblock *enc_key;
size_t i;
store_32_be(seqnum, bigend_seqnum);
code = krb5_k_key_keyblock(context, ctx->enc, &enc_key);
if (code != 0) {
retval = GSS_S_FAILURE;
goto cleanup;
}
assert(enc_key->length == 16);
for (i = 0; i < enc_key->length; i++)
((char *)enc_key->contents)[i] ^= 0xF0;
code = kg_arcfour_docrypt_iov(context, enc_key, 0,
&bigend_seqnum[0], 4,
iov, iov_count);
krb5_free_keyblock(context, enc_key);
} else {
code = kg_decrypt_iov(context, 0,
((ctx->gss_flags & GSS_C_DCE_STYLE) != 0),
0 /*EC*/, 0 /*RRC*/,
ctx->enc, KG_USAGE_SEAL, NULL,
iov, iov_count);
}
if (code != 0) {
retval = GSS_S_FAILURE;
goto cleanup;
}
}
conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype);
}
if (header->buffer.length != token_wrapper_len + 14 + cksum_len + conflen) {
retval = GSS_S_DEFECTIVE_TOKEN;
goto cleanup;
}
/* compute the checksum of the message */
/* initialize the checksum */
switch (signalg) {
case SGN_ALG_DES_MAC_MD5:
case SGN_ALG_MD2_5:
case SGN_ALG_DES_MAC:
case SGN_ALG_3:
md5cksum.checksum_type = CKSUMTYPE_RSA_MD5;
break;
case SGN_ALG_HMAC_MD5:
md5cksum.checksum_type = CKSUMTYPE_HMAC_MD5_ARCFOUR;
break;
case SGN_ALG_HMAC_SHA1_DES3_KD:
md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3;
break;
default:
abort();
}
code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen);
if (code != 0) {
retval = GSS_S_FAILURE;
goto cleanup;
}
md5cksum.length = sumlen;
/* compute the checksum of the message */
code = kg_make_checksum_iov_v1(context, md5cksum.checksum_type,
cksum_len, ctx->seq, ctx->enc,
sign_usage, iov, iov_count, toktype,
&md5cksum);
if (code != 0) {
retval = GSS_S_FAILURE;
goto cleanup;
}
switch (signalg) {
case SGN_ALG_DES_MAC_MD5:
case SGN_ALG_3:
code = kg_encrypt_inplace(context, ctx->seq, KG_USAGE_SEAL,
(g_OID_equal(ctx->mech_used,
gss_mech_krb5_old) ?
ctx->seq->keyblock.contents : NULL),
md5cksum.contents, 16);
if (code != 0) {
retval = GSS_S_FAILURE;
goto cleanup;
}
cksum.length = cksum_len;
cksum.contents = md5cksum.contents + 16 - cksum.length;
code = k5_bcmp(cksum.contents, ptr + 14, cksum.length);
break;
case SGN_ALG_HMAC_SHA1_DES3_KD:
case SGN_ALG_HMAC_MD5:
code = k5_bcmp(md5cksum.contents, ptr + 14, cksum_len);
break;
default:
code = 0;
retval = GSS_S_DEFECTIVE_TOKEN;
goto cleanup;
break;
}
if (code != 0) {
code = 0;
retval = GSS_S_BAD_SIG;
goto cleanup;
}
/*
* For GSS_C_DCE_STYLE, the caller manages the padding, because the
* pad length is in the RPC PDU. The value of the padding may be
* uninitialized. For normal GSS, the last bytes of the decrypted
* data contain the pad length. kg_fixup_padding_iov() will find
* this and fixup the last data IOV appropriately.
*/
if (toktype == KG_TOK_WRAP_MSG &&
(ctx->gss_flags & GSS_C_DCE_STYLE) == 0) {
retval = kg_fixup_padding_iov(&code, iov, iov_count);
if (retval != GSS_S_COMPLETE)
goto cleanup;
}
if (conf_state != NULL)
*conf_state = (sealalg != 0xFFFF);
if (qop_state != NULL)
*qop_state = GSS_C_QOP_DEFAULT;
if ((ctx->initiate && direction != 0xff) ||
(!ctx->initiate && direction != 0)) {
*minor_status = (OM_uint32)G_BAD_DIRECTION;
retval = GSS_S_BAD_SIG;
}
code = 0;
retval = g_order_check(&ctx->seqstate, (gssint_uint64)seqnum);
cleanup:
krb5_free_checksum_contents(context, &md5cksum);
*minor_status = code;
return retval;
}
krb5_error_code
kdc_fast_response_handle_padata(struct kdc_request_state *state,
krb5_kdc_req *request,
krb5_kdc_rep *rep, krb5_enctype enctype)
{
krb5_error_code retval = 0;
krb5_fast_finished finish;
krb5_fast_response fast_response;
krb5_data *encoded_ticket = NULL;
krb5_data *encrypted_reply = NULL;
krb5_pa_data *pa = NULL, **pa_array = NULL;
krb5_cksumtype cksumtype = CKSUMTYPE_RSA_MD5;
krb5_pa_data *empty_padata[] = {NULL};
krb5_keyblock *strengthen_key = NULL;
kdc_realm_t *kdc_active_realm = state->realm_data;
if (!state->armor_key)
return 0;
memset(&finish, 0, sizeof(finish));
retval = krb5_init_keyblock(kdc_context, enctype, 0, &strengthen_key);
if (retval == 0)
retval = krb5_c_make_random_key(kdc_context, enctype, strengthen_key);
if (retval == 0) {
state->strengthen_key = strengthen_key;
strengthen_key = NULL;
}
fast_response.padata = rep->padata;
if (fast_response.padata == NULL)
fast_response.padata = &empty_padata[0];
fast_response.strengthen_key = state->strengthen_key;
fast_response.nonce = request->nonce;
fast_response.finished = &finish;
finish.client = rep->client;
pa_array = calloc(3, sizeof(*pa_array));
if (pa_array == NULL)
retval = ENOMEM;
pa = calloc(1, sizeof(krb5_pa_data));
if (retval == 0 && pa == NULL)
retval = ENOMEM;
if (retval == 0)
retval = krb5_us_timeofday(kdc_context, &finish.timestamp, &finish.usec);
if (retval == 0)
retval = encode_krb5_ticket(rep->ticket, &encoded_ticket);
if (retval == 0)
retval = krb5int_c_mandatory_cksumtype(kdc_context,
state->armor_key->enctype,
&cksumtype);
if (retval == 0)
retval = krb5_c_make_checksum(kdc_context, cksumtype,
state->armor_key,
KRB5_KEYUSAGE_FAST_FINISHED,
encoded_ticket, &finish.ticket_checksum);
if (retval == 0)
retval = encrypt_fast_reply(state, &fast_response, &encrypted_reply);
if (retval == 0) {
pa[0].pa_type = KRB5_PADATA_FX_FAST;
pa[0].length = encrypted_reply->length;
pa[0].contents = (unsigned char *) encrypted_reply->data;
pa_array[0] = &pa[0];
krb5_free_pa_data(kdc_context, rep->padata);
rep->padata = pa_array;
pa_array = NULL;
free(encrypted_reply);
encrypted_reply = NULL;
pa = NULL;
}
if (pa)
free(pa);
if (pa_array)
free(pa_array);
if (encrypted_reply)
krb5_free_data(kdc_context, encrypted_reply);
if (encoded_ticket)
krb5_free_data(kdc_context, encoded_ticket);
if (strengthen_key != NULL)
krb5_free_keyblock(kdc_context, strengthen_key);
if (finish.ticket_checksum.contents)
krb5_free_checksum_contents(kdc_context, &finish.ticket_checksum);
return retval;
}
static krb5_error_code
client_process(krb5_context kcontext,
void *client_plugin_context,
void *client_request_context,
krb5_get_init_creds_opt *opt,
preauth_get_client_data_proc client_get_data_proc,
struct _krb5_preauth_client_rock *rock,
krb5_kdc_req *request,
krb5_data *encoded_request_body,
krb5_data *encoded_previous_request,
krb5_pa_data *pa_data,
krb5_prompter_fct prompter,
void *prompter_data,
preauth_get_as_key_proc gak_fct,
void *gak_data,
krb5_data *salt, krb5_data *s2kparams,
krb5_keyblock *as_key,
krb5_pa_data **out_pa_data)
{
krb5_pa_data *send_pa;
krb5_checksum checksum;
krb5_enctype enctype;
krb5_cksumtype *cksumtypes;
krb5_error_code status = 0;
krb5_int32 cksumtype, *enctypes;
unsigned int i, n_enctypes, cksumtype_count;
int num_gic_info = 0;
krb5_gic_opt_pa_data *gic_info;
status = krb5_get_init_creds_opt_get_pa(kcontext, opt,
&num_gic_info, &gic_info);
if (status && status != ENOENT) {
#ifdef DEBUG
fprintf(stderr, "Error from krb5_get_init_creds_opt_get_pa: %s\n",
error_message(status));
#endif
return status;
}
#ifdef DEBUG
fprintf(stderr, "(cksum_body) Got the following gic options:\n");
#endif
for (i = 0; i < num_gic_info; i++) {
#ifdef DEBUG
fprintf(stderr, " '%s' = '%s'\n", gic_info[i].attr, gic_info[i].value);
#endif
}
krb5_get_init_creds_opt_free_pa(kcontext, num_gic_info, gic_info);
memset(&checksum, 0, sizeof(checksum));
/* Get the user's long-term key if we haven't asked for it yet. Try
* all of the encryption types which the server supports. */
if (as_key->length == 0) {
if ((pa_data != NULL) && (pa_data->length >= 4)) {
#ifdef DEBUG
fprintf(stderr, "%d bytes of preauth data.\n", pa_data->length);
#endif
n_enctypes = pa_data->length / 4;
enctypes = (krb5_int32*) pa_data->contents;
} else {
n_enctypes = request->nktypes;
}
for (i = 0; i < n_enctypes; i++) {
if ((pa_data != NULL) && (pa_data->length >= 4)) {
memcpy(&enctype, pa_data->contents + 4 * i, 4);
enctype = ntohl(enctype);
} else {
enctype = request->ktype[i];
}
#ifdef DEBUG
fprintf(stderr, "Asking for AS key (type = %d).\n", enctype);
#endif
status = (*gak_fct)(kcontext, request->client, enctype,
prompter, prompter_data,
salt, s2kparams, as_key, gak_data);
if (status == 0)
break;
}
if (status != 0)
return status;
}
#ifdef DEBUG
fprintf(stderr, "Got AS key (type = %d).\n", as_key->enctype);
#endif
/* Determine an appropriate checksum type for this key. */
cksumtype_count = 0;
cksumtypes = NULL;
status = krb5_c_keyed_checksum_types(kcontext, as_key->enctype,
&cksumtype_count, &cksumtypes);
if (status != 0)
return status;
/* Generate the checksum. */
for (i = 0; i < cksumtype_count; i++) {
status = krb5_c_make_checksum(kcontext, cksumtypes[i], as_key,
KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
encoded_request_body,
&checksum);
if (status == 0) {
#ifdef DEBUG
fprintf(stderr, "Made checksum (type = %d, %d bytes).\n",
checksum.checksum_type, encoded_request_body->length);
#endif
break;
}
}
cksumtype = htonl(cksumtypes[i]);
krb5_free_cksumtypes(kcontext, cksumtypes);
if (status != 0) {
if (checksum.length > 0)
krb5_free_checksum_contents(kcontext, &checksum);
return status;
}
/* Allocate the preauth data structure. */
send_pa = malloc(sizeof(krb5_pa_data));
if (send_pa == NULL) {
krb5_free_checksum_contents(kcontext, &checksum);
return ENOMEM;
}
send_pa->pa_type = KRB5_PADATA_CKSUM_BODY_REQ;
send_pa->length = 4 + checksum.length;
send_pa->contents = malloc(4 + checksum.length);
if (send_pa->contents == NULL) {
krb5_free_checksum_contents(kcontext, &checksum);
free(send_pa);
return ENOMEM;
}
/* Store the checksum. */
memcpy(send_pa->contents, &cksumtype, 4);
memcpy(send_pa->contents + 4, checksum.contents, checksum.length);
*out_pa_data = send_pa;
/* Clean up. */
krb5_free_checksum_contents(kcontext, &checksum);
return 0;
}
krb5_error_code
gss_krb5int_make_seal_token_v3 (krb5_context context,
krb5_gss_ctx_id_rec *ctx,
const gss_buffer_desc * message,
gss_buffer_t token,
int conf_req_flag, int toktype)
{
size_t bufsize = 16;
unsigned char *outbuf = 0;
krb5_error_code err;
int key_usage;
unsigned char acceptor_flag;
const gss_buffer_desc *message2 = message;
#ifdef CFX_EXERCISE
size_t rrc;
#endif
size_t ec;
unsigned short tok_id;
krb5_checksum sum;
krb5_keyblock *key;
ASSERT(toktype != KG_TOK_SEAL_MSG || ctx->enc != 0);
ASSERT(ctx->big_endian == 0);
acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
key_usage = (toktype == KG_TOK_WRAP_MSG
? (ctx->initiate
? KG_USAGE_INITIATOR_SEAL
: KG_USAGE_ACCEPTOR_SEAL)
: (ctx->initiate
? KG_USAGE_INITIATOR_SIGN
: KG_USAGE_ACCEPTOR_SIGN));
if (ctx->have_acceptor_subkey) {
key = ctx->acceptor_subkey;
} else {
key = ctx->enc;
}
#ifdef _KERNEL
context->kef_cipher_mt = get_cipher_mech_type(context, key);
context->kef_hash_mt = get_hash_mech_type(context, key);
if ((err = init_key_kef(context->kef_cipher_mt, key))) {
return (GSS_S_FAILURE);
}
#endif /* _KERNEL */
#ifdef CFX_EXERCISE
{
static int initialized = 0;
if (!initialized) {
srand(time(0));
initialized = 1;
}
}
#endif
if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
krb5_data plain;
krb5_enc_data cipher;
size_t ec_max;
size_t tlen;
/* 300: Adds some slop. */
if (SIZE_MAX - 300 < message->length)
return ENOMEM;
ec_max = SIZE_MAX - message->length - 300;
if (ec_max > 0xffff)
ec_max = 0xffff;
/*
* EC should really be a multiple (1) of the number of octets that
* the cryptosystem would pad by if we didn't have the filler.
*
* For AES-CTS this will always be 0 and we expect no further
* enctypes, so there should be no issue here.
*/
ec = 0;
plain.length = message->length + 16 + ec;
plain.data = MALLOC(plain.length);
if (plain.data == NULL)
return ENOMEM;
/* Get size of ciphertext. */
if ((err = krb5_c_encrypt_length(context,
ctx->enc->enctype, plain.length, &tlen))) {
FREE(plain.data, plain.length);
return (err);
}
bufsize = 16 + tlen;
/* Allocate space for header plus encrypted data. */
outbuf = MALLOC(bufsize);
if (outbuf == NULL) {
FREE(plain.data, plain.length);
return ENOMEM;
}
/* TOK_ID */
store_16_be(0x0504, outbuf);
/* flags */
outbuf[2] = (acceptor_flag
| (conf_req_flag ? FLAG_WRAP_CONFIDENTIAL : 0)
| (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
/* filler */
outbuf[3] = 0xff;
/* EC */
store_16_be(ec, outbuf+4);
/* RRC */
store_16_be(0, outbuf+6);
store_64_be(ctx->seq_send, outbuf+8);
(void) memcpy(plain.data, message->value, message->length);
(void) memset(plain.data + message->length, 'x', ec);
(void) memcpy(plain.data + message->length + ec, outbuf, 16);
/* Should really use scatter/gather crypto interfaces */
cipher.ciphertext.data = (char *)outbuf + 16;
cipher.ciphertext.length = bufsize - 16;
cipher.enctype = key->enctype;
err = krb5_c_encrypt(context, key, key_usage, 0, &plain, &cipher);
(void) bzero(plain.data, plain.length);
FREE(plain.data, plain.length);
plain.data = 0;
if (err)
goto error;
/* Now that we know we're returning a valid token.... */
ctx->seq_send++;
#ifdef CFX_EXERCISE
rrc = rand() & 0xffff;
if (rotate_left(outbuf+16, bufsize-16,
(bufsize-16) - (rrc % (bufsize - 16))))
store_16_be(rrc, outbuf+6);
/* If the rotate fails, don't worry about it. */
#endif
} else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) {
krb5_data plain;
/* Here, message is the application-supplied data; message2 is
what goes into the output token. They may be the same, or
message2 may be empty (for MIC). */
tok_id = 0x0504;
wrap_with_checksum:
plain.length = message->length + 16;
plain.data = MALLOC(message->length + 16);
if (plain.data == NULL)
return ENOMEM;
if (ctx->cksum_size > 0xffff) {
FREE(plain.data, plain.length);
return EINVAL;
}
bufsize = 16 + message2->length + ctx->cksum_size;
outbuf = MALLOC(bufsize);
if (outbuf == NULL) {
FREE(plain.data, plain.length);
plain.data = 0;
err = ENOMEM;
goto error;
}
/* TOK_ID */
store_16_be(tok_id, outbuf);
/* flags */
outbuf[2] = (acceptor_flag
| (ctx->have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0));
/* filler */
outbuf[3] = 0xff;
if (toktype == KG_TOK_WRAP_MSG) {
/* Use 0 for checksum calculation, substitute
checksum length later. */
/* EC */
store_16_be(0, outbuf+4);
/* RRC */
store_16_be(0, outbuf+6);
} else {
/* MIC and DEL store 0xFF in EC and RRC. */
store_16_be(0xffff, outbuf+4);
store_16_be(0xffff, outbuf+6);
}
store_64_be(ctx->seq_send, outbuf+8);
(void) memcpy(plain.data, message->value, message->length);
(void) memcpy(plain.data + message->length, outbuf, 16);
/* Fill in the output token -- data contents, if any, and
space for the checksum. */
if (message2->length)
(void) memcpy(outbuf + 16, message2->value, message2->length);
sum.contents = outbuf + 16 + message2->length;
sum.length = ctx->cksum_size;
err = krb5_c_make_checksum(context, ctx->cksumtype, key,
key_usage, &plain, &sum);
bzero(plain.data, plain.length);
FREE(plain.data, plain.length);
plain.data = 0;
if (err) {
bzero(outbuf,bufsize);
err = KRB5KRB_AP_ERR_BAD_INTEGRITY;
goto error;
}
if (sum.length != ctx->cksum_size) {
err = KRB5KRB_AP_ERR_BAD_INTEGRITY;
goto error;
}
(void) memcpy(outbuf + 16 + message2->length, sum.contents,
ctx->cksum_size);
krb5_free_checksum_contents(context, &sum);
sum.contents = 0;
/* Now that we know we're actually generating the token... */
ctx->seq_send++;
if (toktype == KG_TOK_WRAP_MSG) {
#ifdef CFX_EXERCISE
rrc = rand() & 0xffff;
/* If the rotate fails, don't worry about it. */
if (rotate_left(outbuf+16, bufsize-16,
(bufsize-16) - (rrc % (bufsize - 16))))
store_16_be(rrc, outbuf+6);
#endif
/* Fix up EC field. */
store_16_be(ctx->cksum_size, outbuf+4);
} else {
store_16_be(0xffff, outbuf+6);
}
} else if (toktype == KG_TOK_MIC_MSG) {
tok_id = 0x0404;
message2 = &empty_message;
goto wrap_with_checksum;
} else if (toktype == KG_TOK_DEL_CTX) {
/*
* Solaris Kerberos:
* No token should be generated for context deletion. Just
* return.
*/
return 0;
} else {
err = KRB5KRB_AP_ERR_BAD_INTEGRITY;
goto error;
}
token->value = outbuf;
token->length = bufsize;
return 0;
error:
FREE(outbuf, bufsize);
token->value = NULL;
token->length = 0;
return err;
}
static krb5_error_code
make_ad_signedpath(krb5_context context,
krb5_const_principal for_user_princ,
krb5_principal server,
const krb5_db_entry *krbtgt,
krb5_keyblock *krbtgt_key,
krb5_principal *deleg_path,
krb5_enc_tkt_part *enc_tkt_reply)
{
krb5_error_code code;
krb5_ad_signedpath sp;
int i;
krb5_data *data = NULL;
krb5_authdata ad_datum, *ad_data[2];
krb5_authdata **if_relevant = NULL;
memset(&sp, 0, sizeof(sp));
sp.enctype = krbtgt_key->enctype;
if (deleg_path != NULL) {
for (i = 0; deleg_path[i] != NULL; i++)
;
} else
i = 0;
sp.delegated = k5calloc(i + (server ? 1 : 0) + 1, sizeof(krb5_principal),
&code);
if (code != 0)
goto cleanup;
/* Combine existing and new transited services, if any */
if (deleg_path != NULL)
memcpy(sp.delegated, deleg_path, i * sizeof(krb5_principal));
if (server != NULL)
sp.delegated[i++] = server;
sp.delegated[i] = NULL;
sp.method_data = NULL;
code = make_ad_signedpath_checksum(context,
for_user_princ,
krbtgt,
krbtgt_key,
enc_tkt_reply,
sp.delegated,
sp.method_data,
&sp.checksum);
if (code != 0) {
if (code == KRB5KRB_AP_ERR_INAPP_CKSUM) {
/*
* In the hopefully unlikely case the TGS key enctype
* has an unkeyed mandatory checksum type, do not fail
* so we do not prevent the KDC from servicing requests.
*/
code = 0;
}
goto cleanup;
}
code = encode_krb5_ad_signedpath(&sp, &data);
if (code != 0)
goto cleanup;
ad_datum.ad_type = KRB5_AUTHDATA_SIGNTICKET;
ad_datum.contents = (krb5_octet *)data->data;
ad_datum.length = data->length;
ad_data[0] = &ad_datum;
ad_data[1] = NULL;
code = krb5_encode_authdata_container(context,
KRB5_AUTHDATA_IF_RELEVANT,
ad_data,
&if_relevant);
if (code != 0)
goto cleanup;
code = merge_authdata(context,
if_relevant,
&enc_tkt_reply->authorization_data,
FALSE, /* !copy */
FALSE); /* !ignore_kdc_issued */
if (code != 0)
goto cleanup;
if_relevant = NULL; /* merge_authdata() freed */
cleanup:
if (sp.delegated != NULL)
free(sp.delegated);
krb5_free_authdata(context, if_relevant);
krb5_free_data(context, data);
krb5_free_checksum_contents(context, &sp.checksum);
krb5_free_pa_data(context, sp.method_data);
return code;
}