/*
* Verify a IAKERB-FINISHED structure submitted by the initiator
*/
krb5_error_code
iakerb_verify_finished(krb5_context context,
krb5_key key,
const krb5_data *conv,
const krb5_data *finished)
{
krb5_error_code code;
krb5_iakerb_finished *iaf;
krb5_boolean valid = FALSE;
if (key == NULL)
return KRB5KDC_ERR_NULL_KEY;
code = decode_krb5_iakerb_finished(finished, &iaf);
if (code != 0)
return code;
code = krb5_k_verify_checksum(context, key, KRB5_KEYUSAGE_IAKERB_FINISHED,
conv, &iaf->checksum, &valid);
if (code == 0 && valid == FALSE)
code = KRB5KRB_AP_ERR_BAD_INTEGRITY;
krb5_free_iakerb_finished(context, iaf);
return code;
}
OM_uint32
gss_krb5int_unseal_token_v3(krb5_context *contextptr,
OM_uint32 *minor_status,
krb5_gss_ctx_id_rec *ctx,
unsigned char *ptr, unsigned int bodysize,
gss_buffer_t message_buffer,
int *conf_state, gss_qop_t *qop_state, int toktype)
{
krb5_context context = *contextptr;
krb5_data plain;
gssint_uint64 seqnum;
size_t ec, rrc;
int key_usage;
unsigned char acceptor_flag;
krb5_checksum sum;
krb5_error_code err;
krb5_boolean valid;
krb5_key key;
krb5_cksumtype cksumtype;
if (qop_state)
*qop_state = GSS_C_QOP_DEFAULT;
acceptor_flag = ctx->initiate ? FLAG_SENDER_IS_ACCEPTOR : 0;
key_usage = (toktype == KG_TOK_WRAP_MSG
? (!ctx->initiate
? KG_USAGE_INITIATOR_SEAL
: KG_USAGE_ACCEPTOR_SEAL)
: (!ctx->initiate
? KG_USAGE_INITIATOR_SIGN
: KG_USAGE_ACCEPTOR_SIGN));
/* Oops. I wrote this code assuming ptr would be at the start of
the token header. */
ptr -= 2;
bodysize += 2;
if (bodysize < 16) {
defective:
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
if ((ptr[2] & FLAG_SENDER_IS_ACCEPTOR) != acceptor_flag) {
*minor_status = (OM_uint32)G_BAD_DIRECTION;
return GSS_S_BAD_SIG;
}
/* Two things to note here.
First, we can't really enforce the use of the acceptor's subkey,
if we're the acceptor; the initiator may have sent messages
before getting the subkey. We could probably enforce it if
we're the initiator.
Second, if someone tweaks the code to not set the flag telling
the krb5 library to generate a new subkey in the AP-REP
message, the MIT library may include a subkey anyways --
namely, a copy of the AP-REQ subkey, if it was provided. So
the initiator may think we wanted a subkey, and set the flag,
even though we weren't trying to set the subkey. The "other"
key, the one not asserted by the acceptor, will have the same
value in that case, though, so we can just ignore the flag. */
if (ctx->have_acceptor_subkey && (ptr[2] & FLAG_ACCEPTOR_SUBKEY)) {
key = ctx->acceptor_subkey;
cksumtype = ctx->acceptor_subkey_cksumtype;
} else {
key = ctx->subkey;
cksumtype = ctx->cksumtype;
}
assert(key != NULL);
if (toktype == KG_TOK_WRAP_MSG) {
if (load_16_be(ptr) != KG2_TOK_WRAP_MSG)
goto defective;
if (ptr[3] != 0xff)
goto defective;
ec = load_16_be(ptr+4);
rrc = load_16_be(ptr+6);
seqnum = load_64_be(ptr+8);
if (!gss_krb5int_rotate_left(ptr+16, bodysize-16, rrc)) {
no_mem:
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
if (ptr[2] & FLAG_WRAP_CONFIDENTIAL) {
/* confidentiality */
krb5_enc_data cipher;
unsigned char *althdr;
if (conf_state)
*conf_state = 1;
/* Do we have no decrypt_size function?
For all current cryptosystems, the ciphertext size will
be larger than the plaintext size. */
cipher.enctype = key->keyblock.enctype;
cipher.ciphertext.length = bodysize - 16;
cipher.ciphertext.data = (char *)ptr + 16;
plain.length = bodysize - 16;
plain.data = gssalloc_malloc(plain.length);
if (plain.data == NULL)
goto no_mem;
err = krb5_k_decrypt(context, key, key_usage, 0,
&cipher, &plain);
if (err) {
gssalloc_free(plain.data);
goto error;
}
/* Don't use bodysize here! Use the fact that
cipher.ciphertext.length has been adjusted to the
correct length. */
althdr = (unsigned char *)plain.data + plain.length - 16;
if (load_16_be(althdr) != KG2_TOK_WRAP_MSG
|| althdr[2] != ptr[2]
|| althdr[3] != ptr[3]
|| memcmp(althdr+8, ptr+8, 8)) {
free(plain.data);
goto defective;
}
message_buffer->value = plain.data;
message_buffer->length = plain.length - ec - 16;
if(message_buffer->length == 0) {
gssalloc_free(message_buffer->value);
message_buffer->value = NULL;
}
} else {
size_t cksumsize;
err = krb5_c_checksum_length(context, cksumtype, &cksumsize);
if (err)
goto error;
/* no confidentiality */
if (conf_state)
*conf_state = 0;
if (ec + 16 < ec)
/* overflow check */
goto defective;
if (ec + 16 > bodysize)
goto defective;
/* We have: header | msg | cksum.
We need cksum(msg | header).
Rotate the first two. */
store_16_be(0, ptr+4);
store_16_be(0, ptr+6);
plain.length = bodysize-ec;
plain.data = (char *)ptr;
if (!gss_krb5int_rotate_left(ptr, bodysize-ec, 16))
goto no_mem;
sum.length = ec;
if (sum.length != cksumsize) {
*minor_status = 0;
return GSS_S_BAD_SIG;
}
sum.contents = ptr+bodysize-ec;
sum.checksum_type = cksumtype;
err = krb5_k_verify_checksum(context, key, key_usage,
&plain, &sum, &valid);
if (err)
goto error;
if (!valid) {
*minor_status = 0;
return GSS_S_BAD_SIG;
}
message_buffer->length = plain.length - 16;
message_buffer->value = gssalloc_malloc(message_buffer->length);
if (message_buffer->value == NULL)
goto no_mem;
memcpy(message_buffer->value, plain.data, message_buffer->length);
}
err = g_order_check(&ctx->seqstate, seqnum);
*minor_status = 0;
return err;
} else if (toktype == KG_TOK_MIC_MSG) {
/* wrap token, no confidentiality */
if (load_16_be(ptr) != KG2_TOK_MIC_MSG)
goto defective;
verify_mic_1:
if (ptr[3] != 0xff)
goto defective;
if (load_32_be(ptr+4) != 0xffffffffL)
goto defective;
seqnum = load_64_be(ptr+8);
plain.length = message_buffer->length + 16;
plain.data = malloc(plain.length);
if (plain.data == NULL)
goto no_mem;
if (message_buffer->length)
memcpy(plain.data, message_buffer->value, message_buffer->length);
memcpy(plain.data + message_buffer->length, ptr, 16);
sum.length = bodysize - 16;
sum.contents = ptr + 16;
sum.checksum_type = cksumtype;
err = krb5_k_verify_checksum(context, key, key_usage,
&plain, &sum, &valid);
free(plain.data);
plain.data = NULL;
if (err) {
error:
*minor_status = err;
save_error_info(*minor_status, context);
return GSS_S_BAD_SIG; /* XXX */
}
if (!valid) {
*minor_status = 0;
return GSS_S_BAD_SIG;
}
err = g_order_check(&ctx->seqstate, seqnum);
*minor_status = 0;
return err;
} else if (toktype == KG_TOK_DEL_CTX) {
if (load_16_be(ptr) != KG2_TOK_DEL_CTX)
goto defective;
message_buffer = (gss_buffer_t)&empty_message;
goto verify_mic_1;
} else {
goto defective;
}
}
/*
parses a KRB_SAFE message from inbuf, placing the integrity-protected user
data in *outbuf.
key specifies the key to be used for decryption of the message.
outbuf points to allocated storage which the caller should free when finished.
returns system errors, integrity errors
*/
static krb5_error_code
rd_safe_basic(krb5_context context, krb5_auth_context ac,
const krb5_data *inbuf, krb5_key key,
krb5_replay_data *replaydata, krb5_data *outbuf)
{
krb5_error_code retval;
krb5_safe * message;
krb5_data safe_body;
krb5_checksum our_cksum, *his_cksum;
krb5_octet zero_octet = 0;
krb5_data *scratch;
krb5_boolean valid;
struct krb5_safe_with_body swb;
if (!krb5_is_krb_safe(inbuf))
return KRB5KRB_AP_ERR_MSG_TYPE;
if ((retval = decode_krb5_safe_with_body(inbuf, &message, &safe_body)))
return retval;
if (!krb5_c_valid_cksumtype(message->checksum->checksum_type)) {
retval = KRB5_PROG_SUMTYPE_NOSUPP;
goto cleanup;
}
if (!krb5_c_is_coll_proof_cksum(message->checksum->checksum_type) ||
!krb5_c_is_keyed_cksum(message->checksum->checksum_type)) {
retval = KRB5KRB_AP_ERR_INAPP_CKSUM;
goto cleanup;
}
retval = k5_privsafe_check_addrs(context, ac, message->s_address,
message->r_address);
if (retval)
goto cleanup;
/* verify the checksum */
/*
* In order to recreate what was checksummed, we regenerate the message
* without checksum and then have the cryptographic subsystem verify
* the checksum for us. This is because some checksum methods have
* a confounder encrypted as part of the checksum.
*/
his_cksum = message->checksum;
our_cksum.length = 0;
our_cksum.checksum_type = 0;
our_cksum.contents = &zero_octet;
message->checksum = &our_cksum;
swb.body = &safe_body;
swb.safe = message;
retval = encode_krb5_safe_with_body(&swb, &scratch);
message->checksum = his_cksum;
if (retval)
goto cleanup;
retval = krb5_k_verify_checksum(context, key,
KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
scratch, his_cksum, &valid);
(void) memset(scratch->data, 0, scratch->length);
krb5_free_data(context, scratch);
if (!valid) {
/*
* Checksum over only the KRB-SAFE-BODY, like RFC 1510 says, in
* case someone actually implements it correctly.
*/
retval = krb5_k_verify_checksum(context, key,
KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
&safe_body, his_cksum, &valid);
if (!valid) {
retval = KRB5KRB_AP_ERR_MODIFIED;
goto cleanup;
}
}
replaydata->timestamp = message->timestamp;
replaydata->usec = message->usec;
replaydata->seq = message->seq_number;
*outbuf = message->user_data;
message->user_data.data = NULL;
retval = 0;
cleanup:
krb5_free_safe(context, message);
return retval;
}
