1/* 2 * Copyright (c) 2006 Kungliga Tekniska H��gskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34#include "ntlm.h" 35 36uint32_t 37_krb5_crc_update (const char *p, size_t len, uint32_t res); 38void 39_krb5_crc_init_table(void); 40 41/* 42 * 43 */ 44 45static void 46encode_le_uint32(uint32_t n, unsigned char *p) 47{ 48 p[0] = (n >> 0) & 0xFF; 49 p[1] = (n >> 8) & 0xFF; 50 p[2] = (n >> 16) & 0xFF; 51 p[3] = (n >> 24) & 0xFF; 52} 53 54 55static void 56decode_le_uint32(const void *ptr, uint32_t *n) 57{ 58 const unsigned char *p = ptr; 59 *n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24); 60} 61 62/* 63 * 64 */ 65 66const char a2i_signmagic[] = 67 "session key to server-to-client signing key magic constant"; 68const char a2i_sealmagic[] = 69 "session key to server-to-client sealing key magic constant"; 70const char i2a_signmagic[] = 71 "session key to client-to-server signing key magic constant"; 72const char i2a_sealmagic[] = 73 "session key to client-to-server sealing key magic constant"; 74 75 76void 77_gss_ntlm_set_key(struct ntlmv2_key *key, int acceptor, int sealsign, 78 unsigned char *data, size_t len) 79{ 80 unsigned char out[16]; 81 EVP_MD_CTX *ctx; 82 const char *signmagic; 83 const char *sealmagic; 84 85 if (acceptor) { 86 signmagic = a2i_signmagic; 87 sealmagic = a2i_sealmagic; 88 } else { 89 signmagic = i2a_signmagic; 90 sealmagic = i2a_sealmagic; 91 } 92 93 key->seq = 0; 94 95 ctx = EVP_MD_CTX_create(); 96 EVP_DigestInit_ex(ctx, EVP_md5(), NULL); 97 EVP_DigestUpdate(ctx, data, len); 98 EVP_DigestUpdate(ctx, signmagic, strlen(signmagic) + 1); 99 EVP_DigestFinal_ex(ctx, key->signkey, NULL); 100 101 EVP_DigestInit_ex(ctx, EVP_md5(), NULL); 102 EVP_DigestUpdate(ctx, data, len); 103 EVP_DigestUpdate(ctx, sealmagic, strlen(sealmagic) + 1); 104 EVP_DigestFinal_ex(ctx, out, NULL); 105 EVP_MD_CTX_destroy(ctx); 106 107 RC4_set_key(&key->sealkey, 16, out); 108 if (sealsign) 109 key->signsealkey = &key->sealkey; 110} 111 112/* 113 * 114 */ 115 116static OM_uint32 117v1_sign_message(gss_buffer_t in, 118 RC4_KEY *signkey, 119 uint32_t seq, 120 unsigned char out[16]) 121{ 122 unsigned char sigature[12]; 123 uint32_t crc; 124 125 _krb5_crc_init_table(); 126 crc = _krb5_crc_update(in->value, in->length, 0); 127 128 encode_le_uint32(0, &sigature[0]); 129 encode_le_uint32(crc, &sigature[4]); 130 encode_le_uint32(seq, &sigature[8]); 131 132 encode_le_uint32(1, out); /* version */ 133 RC4(signkey, sizeof(sigature), sigature, out + 4); 134 135 if (RAND_bytes(out + 4, 4) != 1) 136 return GSS_S_UNAVAILABLE; 137 138 return 0; 139} 140 141 142static OM_uint32 143v2_sign_message(gss_buffer_t in, 144 unsigned char signkey[16], 145 RC4_KEY *sealkey, 146 uint32_t seq, 147 unsigned char out[16]) 148{ 149 unsigned char hmac[16]; 150 unsigned int hmaclen; 151 HMAC_CTX *c; 152 153 c = HMAC_CTX_new(); 154 if (c == NULL) 155 return GSS_S_FAILURE; 156 HMAC_Init_ex(c, signkey, 16, EVP_md5(), NULL); 157 158 encode_le_uint32(seq, hmac); 159 HMAC_Update(c, hmac, 4); 160 HMAC_Update(c, in->value, in->length); 161 HMAC_Final(c, hmac, &hmaclen); 162 HMAC_CTX_free(c); 163 164 encode_le_uint32(1, &out[0]); 165 if (sealkey) 166 RC4(sealkey, 8, hmac, &out[4]); 167 else 168 memcpy(&out[4], hmac, 8); 169 170 memset(&out[12], 0, 4); 171 172 return GSS_S_COMPLETE; 173} 174 175static OM_uint32 176v2_verify_message(gss_buffer_t in, 177 unsigned char signkey[16], 178 RC4_KEY *sealkey, 179 uint32_t seq, 180 const unsigned char checksum[16]) 181{ 182 OM_uint32 ret; 183 unsigned char out[16]; 184 185 ret = v2_sign_message(in, signkey, sealkey, seq, out); 186 if (ret) 187 return ret; 188 189 if (memcmp(checksum, out, 16) != 0) 190 return GSS_S_BAD_MIC; 191 192 return GSS_S_COMPLETE; 193} 194 195static OM_uint32 196v2_seal_message(const gss_buffer_t in, 197 unsigned char signkey[16], 198 uint32_t seq, 199 RC4_KEY *sealkey, 200 gss_buffer_t out) 201{ 202 unsigned char *p; 203 OM_uint32 ret; 204 205 if (in->length + 16 < in->length) 206 return EINVAL; 207 208 p = malloc(in->length + 16); 209 if (p == NULL) 210 return ENOMEM; 211 212 RC4(sealkey, in->length, in->value, p); 213 214 ret = v2_sign_message(in, signkey, sealkey, seq, &p[in->length]); 215 if (ret) { 216 free(p); 217 return ret; 218 } 219 220 out->value = p; 221 out->length = in->length + 16; 222 223 return 0; 224} 225 226static OM_uint32 227v2_unseal_message(gss_buffer_t in, 228 unsigned char signkey[16], 229 uint32_t seq, 230 RC4_KEY *sealkey, 231 gss_buffer_t out) 232{ 233 OM_uint32 ret; 234 235 if (in->length < 16) 236 return GSS_S_BAD_MIC; 237 238 out->length = in->length - 16; 239 out->value = malloc(out->length); 240 if (out->value == NULL) 241 return GSS_S_BAD_MIC; 242 243 RC4(sealkey, out->length, in->value, out->value); 244 245 ret = v2_verify_message(out, signkey, sealkey, seq, 246 ((const unsigned char *)in->value) + out->length); 247 if (ret) { 248 OM_uint32 junk; 249 gss_release_buffer(&junk, out); 250 } 251 return ret; 252} 253 254/* 255 * 256 */ 257 258#define CTX_FLAGS_ISSET(_ctx,_flags) \ 259 (((_ctx)->flags & (_flags)) == (_flags)) 260 261/* 262 * 263 */ 264 265OM_uint32 GSSAPI_CALLCONV 266_gss_ntlm_get_mic 267 (OM_uint32 * minor_status, 268 const gss_ctx_id_t context_handle, 269 gss_qop_t qop_req, 270 const gss_buffer_t message_buffer, 271 gss_buffer_t message_token 272 ) 273{ 274 ntlm_ctx ctx = (ntlm_ctx)context_handle; 275 OM_uint32 junk; 276 277 *minor_status = 0; 278 279 message_token->value = malloc(16); 280 message_token->length = 16; 281 if (message_token->value == NULL) { 282 *minor_status = ENOMEM; 283 return GSS_S_FAILURE; 284 } 285 286 if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SIGN|NTLM_NEG_NTLM2_SESSION)) { 287 OM_uint32 ret; 288 289 if ((ctx->status & STATUS_SESSIONKEY) == 0) { 290 gss_release_buffer(&junk, message_token); 291 return GSS_S_UNAVAILABLE; 292 } 293 294 ret = v2_sign_message(message_buffer, 295 ctx->u.v2.send.signkey, 296 ctx->u.v2.send.signsealkey, 297 ctx->u.v2.send.seq++, 298 message_token->value); 299 if (ret) 300 gss_release_buffer(&junk, message_token); 301 return ret; 302 303 } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SIGN)) { 304 OM_uint32 ret; 305 306 if ((ctx->status & STATUS_SESSIONKEY) == 0) { 307 gss_release_buffer(&junk, message_token); 308 return GSS_S_UNAVAILABLE; 309 } 310 311 ret = v1_sign_message(message_buffer, 312 &ctx->u.v1.crypto_send.key, 313 ctx->u.v1.crypto_send.seq++, 314 message_token->value); 315 if (ret) 316 gss_release_buffer(&junk, message_token); 317 return ret; 318 319 } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_ALWAYS_SIGN)) { 320 unsigned char *sigature; 321 322 sigature = message_token->value; 323 324 encode_le_uint32(1, &sigature[0]); /* version */ 325 encode_le_uint32(0, &sigature[4]); 326 encode_le_uint32(0, &sigature[8]); 327 encode_le_uint32(0, &sigature[12]); 328 329 return GSS_S_COMPLETE; 330 } 331 gss_release_buffer(&junk, message_token); 332 333 return GSS_S_UNAVAILABLE; 334} 335 336/* 337 * 338 */ 339 340OM_uint32 GSSAPI_CALLCONV 341_gss_ntlm_verify_mic 342 (OM_uint32 * minor_status, 343 const gss_ctx_id_t context_handle, 344 const gss_buffer_t message_buffer, 345 const gss_buffer_t token_buffer, 346 gss_qop_t * qop_state 347 ) 348{ 349 ntlm_ctx ctx = (ntlm_ctx)context_handle; 350 351 if (qop_state != NULL) 352 *qop_state = GSS_C_QOP_DEFAULT; 353 *minor_status = 0; 354 355 if (token_buffer->length != 16) 356 return GSS_S_BAD_MIC; 357 358 if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SIGN|NTLM_NEG_NTLM2_SESSION)) { 359 OM_uint32 ret; 360 361 if ((ctx->status & STATUS_SESSIONKEY) == 0) 362 return GSS_S_UNAVAILABLE; 363 364 ret = v2_verify_message(message_buffer, 365 ctx->u.v2.recv.signkey, 366 ctx->u.v2.recv.signsealkey, 367 ctx->u.v2.recv.seq++, 368 token_buffer->value); 369 if (ret) 370 return ret; 371 372 return GSS_S_COMPLETE; 373 } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SIGN)) { 374 375 unsigned char sigature[12]; 376 uint32_t crc, num; 377 378 if ((ctx->status & STATUS_SESSIONKEY) == 0) 379 return GSS_S_UNAVAILABLE; 380 381 decode_le_uint32(token_buffer->value, &num); 382 if (num != 1) 383 return GSS_S_BAD_MIC; 384 385 RC4(&ctx->u.v1.crypto_recv.key, sizeof(sigature), 386 ((unsigned char *)token_buffer->value) + 4, sigature); 387 388 _krb5_crc_init_table(); 389 crc = _krb5_crc_update(message_buffer->value, 390 message_buffer->length, 0); 391 /* skip first 4 bytes in the encrypted checksum */ 392 decode_le_uint32(&sigature[4], &num); 393 if (num != crc) 394 return GSS_S_BAD_MIC; 395 decode_le_uint32(&sigature[8], &num); 396 if (ctx->u.v1.crypto_recv.seq != num) 397 return GSS_S_BAD_MIC; 398 ctx->u.v1.crypto_recv.seq++; 399 400 return GSS_S_COMPLETE; 401 } else if (ctx->flags & NTLM_NEG_ALWAYS_SIGN) { 402 uint32_t num; 403 unsigned char *p; 404 405 p = (unsigned char*)(token_buffer->value); 406 407 decode_le_uint32(&p[0], &num); /* version */ 408 if (num != 1) return GSS_S_BAD_MIC; 409 decode_le_uint32(&p[4], &num); 410 if (num != 0) return GSS_S_BAD_MIC; 411 decode_le_uint32(&p[8], &num); 412 if (num != 0) return GSS_S_BAD_MIC; 413 decode_le_uint32(&p[12], &num); 414 if (num != 0) return GSS_S_BAD_MIC; 415 416 return GSS_S_COMPLETE; 417 } 418 419 return GSS_S_UNAVAILABLE; 420} 421 422/* 423 * 424 */ 425 426OM_uint32 GSSAPI_CALLCONV 427_gss_ntlm_wrap_size_limit ( 428 OM_uint32 * minor_status, 429 const gss_ctx_id_t context_handle, 430 int conf_req_flag, 431 gss_qop_t qop_req, 432 OM_uint32 req_output_size, 433 OM_uint32 * max_input_size 434 ) 435{ 436 ntlm_ctx ctx = (ntlm_ctx)context_handle; 437 438 *minor_status = 0; 439 440 if(ctx->flags & NTLM_NEG_SEAL) { 441 442 if (req_output_size < 16) 443 *max_input_size = 0; 444 else 445 *max_input_size = req_output_size - 16; 446 447 return GSS_S_COMPLETE; 448 } 449 450 return GSS_S_UNAVAILABLE; 451} 452 453/* 454 * 455 */ 456 457OM_uint32 GSSAPI_CALLCONV 458_gss_ntlm_wrap 459(OM_uint32 * minor_status, 460 const gss_ctx_id_t context_handle, 461 int conf_req_flag, 462 gss_qop_t qop_req, 463 const gss_buffer_t input_message_buffer, 464 int * conf_state, 465 gss_buffer_t output_message_buffer 466 ) 467{ 468 ntlm_ctx ctx = (ntlm_ctx)context_handle; 469 OM_uint32 ret; 470 471 *minor_status = 0; 472 if (conf_state) 473 *conf_state = 0; 474 if (output_message_buffer == GSS_C_NO_BUFFER) 475 return GSS_S_FAILURE; 476 477 478 if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL|NTLM_NEG_NTLM2_SESSION)) { 479 480 return v2_seal_message(input_message_buffer, 481 ctx->u.v2.send.signkey, 482 ctx->u.v2.send.seq++, 483 &ctx->u.v2.send.sealkey, 484 output_message_buffer); 485 486 } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL)) { 487 gss_buffer_desc trailer; 488 OM_uint32 junk; 489 490 output_message_buffer->length = input_message_buffer->length + 16; 491 output_message_buffer->value = malloc(output_message_buffer->length); 492 if (output_message_buffer->value == NULL) { 493 output_message_buffer->length = 0; 494 return GSS_S_FAILURE; 495 } 496 497 498 RC4(&ctx->u.v1.crypto_send.key, input_message_buffer->length, 499 input_message_buffer->value, output_message_buffer->value); 500 501 ret = _gss_ntlm_get_mic(minor_status, context_handle, 502 0, input_message_buffer, 503 &trailer); 504 if (ret) { 505 gss_release_buffer(&junk, output_message_buffer); 506 return ret; 507 } 508 if (trailer.length != 16) { 509 gss_release_buffer(&junk, output_message_buffer); 510 gss_release_buffer(&junk, &trailer); 511 return GSS_S_FAILURE; 512 } 513 memcpy(((unsigned char *)output_message_buffer->value) + 514 input_message_buffer->length, 515 trailer.value, trailer.length); 516 gss_release_buffer(&junk, &trailer); 517 518 return GSS_S_COMPLETE; 519 } 520 521 return GSS_S_UNAVAILABLE; 522} 523 524/* 525 * 526 */ 527 528OM_uint32 GSSAPI_CALLCONV 529_gss_ntlm_unwrap 530 (OM_uint32 * minor_status, 531 const gss_ctx_id_t context_handle, 532 const gss_buffer_t input_message_buffer, 533 gss_buffer_t output_message_buffer, 534 int * conf_state, 535 gss_qop_t * qop_state 536 ) 537{ 538 ntlm_ctx ctx = (ntlm_ctx)context_handle; 539 OM_uint32 ret; 540 541 *minor_status = 0; 542 output_message_buffer->value = NULL; 543 output_message_buffer->length = 0; 544 545 if (conf_state) 546 *conf_state = 0; 547 if (qop_state) 548 *qop_state = 0; 549 550 if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL|NTLM_NEG_NTLM2_SESSION)) { 551 552 return v2_unseal_message(input_message_buffer, 553 ctx->u.v2.recv.signkey, 554 ctx->u.v2.recv.seq++, 555 &ctx->u.v2.recv.sealkey, 556 output_message_buffer); 557 558 } else if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL)) { 559 560 gss_buffer_desc trailer; 561 OM_uint32 junk; 562 563 if (input_message_buffer->length < 16) 564 return GSS_S_BAD_MIC; 565 566 output_message_buffer->length = input_message_buffer->length - 16; 567 output_message_buffer->value = malloc(output_message_buffer->length); 568 if (output_message_buffer->value == NULL) { 569 output_message_buffer->length = 0; 570 return GSS_S_FAILURE; 571 } 572 573 RC4(&ctx->u.v1.crypto_recv.key, output_message_buffer->length, 574 input_message_buffer->value, output_message_buffer->value); 575 576 trailer.value = ((unsigned char *)input_message_buffer->value) + 577 output_message_buffer->length; 578 trailer.length = 16; 579 580 ret = _gss_ntlm_verify_mic(minor_status, context_handle, 581 output_message_buffer, 582 &trailer, NULL); 583 if (ret) { 584 gss_release_buffer(&junk, output_message_buffer); 585 return ret; 586 } 587 588 return GSS_S_COMPLETE; 589 } 590 591 return GSS_S_UNAVAILABLE; 592} 593