2 * Copyright (c) 2010, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 #include "gssapiP_eap.h"
39 static GSSEAP_THREAD_ONCE krbContextKeyOnce = GSSEAP_ONCE_INITIALIZER;
40 static GSSEAP_THREAD_KEY krbContextKey;
43 destroyKrbContext(void *arg)
45 krb5_context context = (krb5_context)arg;
48 krb5_free_context(context);
52 createKrbContextKey(void)
54 GSSEAP_KEY_CREATE(&krbContextKey, destroyKrbContext);
58 gssEapKerberosInit(OM_uint32 *minor, krb5_context *context)
62 GSSEAP_ONCE(&krbContextKeyOnce, createKrbContextKey);
64 *context = GSSEAP_GETSPECIFIC(krbContextKey);
65 if (*context == NULL) {
66 *minor = krb5_init_context(context);
68 if (GSSEAP_SETSPECIFIC(krbContextKey, *context) != 0) {
70 krb5_free_context(*context);
76 return *minor == 0 ? GSS_S_COMPLETE : GSS_S_FAILURE;
80 * Derive a key K for RFC 4121 use by using the following
81 * derivation function (based on RFC 4402);
83 * KMSK = random-to-key(MSK)
84 * Tn = pseudo-random(KMSK, n || "rfc4121-gss-eap")
86 * K = truncate(L, T1 || T2 || .. || Tn)
89 gssEapDeriveRfc3961Key(OM_uint32 *minor,
90 const unsigned char *inputKey,
91 size_t inputKeyLength,
92 krb5_enctype encryptionType,
95 krb5_context krbContext;
96 #ifndef HAVE_HEIMDAL_VERSION
99 krb5_data ns, t, prfOut;
101 krb5_error_code code;
102 size_t randomLength, keyLength, prfLength;
103 unsigned char constant[4 + sizeof("rfc4121-gss-eap") - 1], *p;
106 assert(encryptionType != ENCTYPE_NULL);
108 memset(pKey, 0, sizeof(*pKey));
110 GSSEAP_KRB_INIT(&krbContext);
113 KRB_KEY_TYPE(&kd) = encryptionType;
121 code = krb5_c_keylengths(krbContext, encryptionType,
122 &randomLength, &keyLength);
126 KRB_KEY_DATA(&kd) = GSSEAP_MALLOC(keyLength);
127 if (KRB_KEY_DATA(&kd) == NULL) {
131 KRB_KEY_LENGTH(&kd) = keyLength;
133 /* Convert MSK into a Kerberos key */
134 #ifdef HAVE_HEIMDAL_VERSION
135 code = krb5_random_to_key(krbContext, encryptionType, inputKey,
136 MIN(inputKeyLength, randomLength), &kd);
138 data.length = MIN(inputKeyLength, randomLength);
139 data.data = (char *)inputKey;
141 code = krb5_c_random_to_key(krbContext, encryptionType, &data, &kd);
146 memset(&constant[0], 0, 4);
147 memcpy(&constant[4], "rfc4121-gss-eap", sizeof("rfc4121-gss-eap") - 1);
149 ns.length = sizeof(constant);
150 ns.data = (char *)constant;
152 /* Plug derivation constant and key into PRF */
153 code = krb5_c_prf_length(krbContext, encryptionType, &prfLength);
157 t.length = prfLength;
158 t.data = GSSEAP_MALLOC(t.length);
159 if (t.data == NULL) {
164 prfOut.length = randomLength;
165 prfOut.data = GSSEAP_MALLOC(prfOut.length);
166 if (prfOut.data == NULL) {
171 for (i = 0, p = (unsigned char *)prfOut.data, remain = randomLength;
173 p += t.length, remain -= t.length, i++)
175 store_uint32_be(i, ns.data);
177 code = krb5_c_prf(krbContext, &kd, &ns, &t);
181 memcpy(p, t.data, MIN(t.length, remain));
184 /* Finally, convert PRF output into a new key which we will return */
185 #ifdef HAVE_HEIMDAL_VERSION
186 code = krb5_random_to_key(krbContext, encryptionType,
187 prfOut.data, prfOut.length, &kd);
189 code = krb5_c_random_to_key(krbContext, encryptionType, &prfOut, &kd);
195 KRB_KEY_DATA(&kd) = NULL;
198 if (KRB_KEY_DATA(&kd) != NULL) {
199 memset(KRB_KEY_DATA(&kd), 0, KRB_KEY_LENGTH(&kd));
200 GSSEAP_FREE(KRB_KEY_DATA(&kd));
202 if (t.data != NULL) {
203 memset(t.data, 0, t.length);
206 if (prfOut.data != NULL) {
207 memset(prfOut.data, 0, prfOut.length);
208 GSSEAP_FREE(prfOut.data);
211 return (code == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
214 #ifdef HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE
215 extern krb5_error_code
216 krb5int_c_mandatory_cksumtype(krb5_context, krb5_enctype, krb5_cksumtype *);
220 rfc3961ChecksumTypeForKey(OM_uint32 *minor,
222 krb5_cksumtype *cksumtype)
224 krb5_context krbContext;
225 #ifndef HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE
230 GSSEAP_KRB_INIT(&krbContext);
232 #ifdef HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE
233 *minor = krb5int_c_mandatory_cksumtype(krbContext, KRB_KEY_TYPE(key),
236 return GSS_S_FAILURE;
241 memset(&cksum, 0, sizeof(cksum));
244 * This is a complete hack but it's the only way to work with
245 * MIT Kerberos pre-1.9 without using private API, as it does
246 * not support passing in zero as the checksum type.
248 *minor = krb5_c_make_checksum(krbContext, 0, key, 0, &data, &cksum);
250 return GSS_S_FAILURE;
252 #ifdef HAVE_HEIMDAL_VERSION
253 *cksumtype = cksum.cksumtype;
255 *cksumtype = cksum.checksum_type;
258 krb5_free_checksum_contents(krbContext, &cksum);
259 #endif /* HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE */
261 if (!krb5_c_is_keyed_cksum(*cksumtype)) {
262 *minor = KRB5KRB_AP_ERR_INAPP_CKSUM;
263 return GSS_S_FAILURE;
266 return GSS_S_COMPLETE;
269 #ifdef HAVE_HEIMDAL_VERSION
270 static heim_general_string krbAnonymousPrincipalComponents[] =
271 { KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME };
273 static const Principal krbAnonymousPrincipalData = {
274 { KRB5_NT_WELLKNOWN, { 2, krbAnonymousPrincipalComponents } },
275 "WELLKNOWN:ANONYMOUS"
280 krbAnonymousPrincipal(void)
282 #ifdef HAVE_HEIMDAL_VERSION
283 return &krbAnonymousPrincipalData;
285 return krb5_anonymous_principal();
290 krbCryptoLength(krb5_context krbContext,
291 #ifdef HAVE_HEIMDAL_VERSION
292 krb5_crypto krbCrypto,
299 #ifdef HAVE_HEIMDAL_VERSION
300 return krb5_crypto_length(krbContext, krbCrypto, type, length);
303 krb5_error_code code;
305 code = krb5_c_crypto_length(krbContext, KRB_KEY_TYPE(key), type, &len);
307 *length = (size_t)len;
314 krbPaddingLength(krb5_context krbContext,
315 #ifdef HAVE_HEIMDAL_VERSION
316 krb5_crypto krbCrypto,
323 krb5_error_code code;
324 #ifdef HAVE_HEIMDAL_VERSION
325 size_t headerLength, paddingLength;
327 code = krbCryptoLength(krbContext, krbCrypto,
328 KRB5_CRYPTO_TYPE_HEADER, &headerLength);
332 dataLength += headerLength;
334 code = krb5_crypto_length(krbContext, krbCrypto,
335 KRB5_CRYPTO_TYPE_PADDING, &paddingLength);
339 if (paddingLength != 0 && (dataLength % paddingLength) != 0)
340 *padLength = paddingLength - (dataLength % paddingLength);
348 code = krb5_c_padding_length(krbContext, KRB_KEY_TYPE(key), dataLength, &pad);
350 *padLength = (size_t)pad;
353 #endif /* HAVE_HEIMDAL_VERSION */
357 krbBlockSize(krb5_context krbContext,
358 #ifdef HAVE_HEIMDAL_VERSION
359 krb5_crypto krbCrypto,
365 #ifdef HAVE_HEIMDAL_VERSION
366 return krb5_crypto_getblocksize(krbContext, krbCrypto, blockSize);
368 return krb5_c_block_size(krbContext, KRB_KEY_TYPE(key), blockSize);
373 krbEnctypeToString(krb5_context krbContext,
374 krb5_enctype enctype,
378 krb5_error_code code;
379 #ifdef HAVE_HEIMDAL_VERSION
380 char *enctypeBuf = NULL;
382 char enctypeBuf[128];
384 size_t prefixLength, enctypeLength;
386 #ifdef HAVE_HEIMDAL_VERSION
387 code = krb5_enctype_to_string(krbContext, enctype, &enctypeBuf);
389 code = krb5_enctype_to_name(enctype, 0, enctypeBuf, sizeof(enctypeBuf));
394 prefixLength = (prefix != NULL) ? strlen(prefix) : 0;
395 enctypeLength = strlen(enctypeBuf);
397 string->value = GSSEAP_MALLOC(prefixLength + enctypeLength + 1);
398 if (string->value == NULL) {
399 #ifdef HAVE_HEIMDAL_VERSION
400 krb5_xfree(enctypeBuf);
405 if (prefixLength != 0)
406 memcpy(string->value, prefix, prefixLength);
407 memcpy((char *)string->value + prefixLength, enctypeBuf, enctypeLength);
409 string->length = prefixLength + enctypeLength;
410 ((char *)string->value)[string->length] = '\0';
412 #ifdef HAVE_HEIMDAL_VERSION
413 krb5_xfree(enctypeBuf);