* SUCH DAMAGE.
*/
+/*
+ * Kerberos 5 helpers.
+ */
+
#include "gssapiP_eap.h"
static GSSEAP_THREAD_ONCE krbContextKeyOnce = GSSEAP_ONCE_INITIALIZER;
}
/*
- * Derive a key for RFC 4121 use by using the following
- * derivation function:
+ * Derive a key K for RFC 4121 use by using the following
+ * derivation function (based on RFC 4402);
*
- * random-to-key(prf(random-to-key([e]msk), "rfc4121-gss-eap"))
- *
- * where random-to-key and prf are defined in RFC 3961.
+ * KMSK = random-to-key(MSK)
+ * Tn = pseudo-random(KMSK, n || "rfc4121-gss-eap")
+ * L = output key size
+ * K = truncate(L, T1 || T2 || .. || Tn)
*/
OM_uint32
-gssEapDeriveRFC3961Key(OM_uint32 *minor,
- const unsigned char *key,
- size_t keyLength,
- krb5_enctype enctype,
+gssEapDeriveRfc3961Key(OM_uint32 *minor,
+ const unsigned char *inputKey,
+ size_t inputKeyLength,
+ krb5_enctype encryptionType,
krb5_keyblock *pKey)
{
- krb5_context context;
- krb5_data data, prf;
+ krb5_context krbContext;
+ krb5_data data, ns, t, prfOut;
krb5_keyblock kd;
krb5_error_code code;
- size_t keybytes, keylength, prflength;
+ size_t randomLength, keyLength, prfLength;
+ unsigned char constant[4 + sizeof("rfc4121-gss-eap") - 1], *p;
+ ssize_t i, remain;
+
+ assert(encryptionType != ENCTYPE_NULL);
memset(pKey, 0, sizeof(*pKey));
- GSSEAP_KRB_INIT(&context);
+ GSSEAP_KRB_INIT(&krbContext);
KRB_KEY_INIT(&kd);
- KRB_KEY_TYPE(&kd) = enctype;
+ KRB_KEY_TYPE(&kd) = encryptionType;
- prf.data = NULL;
- prf.length = 0;
+ t.data = NULL;
+ t.length = 0;
- code = krb5_c_keylengths(context, enctype, &keybytes, &keylength);
- if (code != 0)
- goto cleanup;
+ prfOut.data = NULL;
+ prfOut.length = 0;
- if (keyLength < keybytes) {
- code = KRB5_BAD_MSIZE;
+ code = krb5_c_keylengths(krbContext, encryptionType,
+ &randomLength, &keyLength);
+ if (code != 0)
goto cleanup;
- }
- data.length = keybytes;
- data.data = (char *)key;
+ data.length = MIN(inputKeyLength, randomLength);
+ data.data = (char *)inputKey;
- KRB_KEY_DATA(&kd) = GSSEAP_MALLOC(keylength);
+ KRB_KEY_DATA(&kd) = GSSEAP_MALLOC(keyLength);
if (KRB_KEY_DATA(&kd) == NULL) {
code = ENOMEM;
goto cleanup;
}
- KRB_KEY_LENGTH(&kd) = keylength;
+ KRB_KEY_LENGTH(&kd) = keyLength;
/* Convert MSK into a Kerberos key */
- code = krb5_c_random_to_key(context, enctype, &data, &kd);
+ code = krb5_c_random_to_key(krbContext, encryptionType, &data, &kd);
if (code != 0)
goto cleanup;
- data.length = sizeof("rfc4121-gss-eap") - 1;
- data.data = "rfc4121-gss-eap";
+ memset(&constant[0], 0, 4);
+ memcpy(&constant[4], "rfc4121-gss-eap", sizeof("rfc4121-gss-eap") - 1);
+
+ ns.length = sizeof(constant);
+ ns.data = (char *)constant;
/* Plug derivation constant and key into PRF */
- code = krb5_c_prf_length(context, enctype, &prflength);
+ code = krb5_c_prf_length(krbContext, encryptionType, &prfLength);
if (code != 0)
goto cleanup;
- if (prflength < keybytes) {
- code = KRB5_CRYPTO_INTERNAL;
+ t.length = prfLength;
+ t.data = GSSEAP_MALLOC(t.length);
+ if (t.data == NULL) {
+ code = ENOMEM;
goto cleanup;
}
- prf.length = keybytes;
- prf.data = GSSEAP_MALLOC(prflength);
- if (data.data == NULL) {
+
+ prfOut.length = randomLength;
+ prfOut.data = GSSEAP_MALLOC(prfOut.length);
+ if (prfOut.data == NULL) {
code = ENOMEM;
goto cleanup;
}
- code = krb5_c_prf(context, &kd, &data, &prf);
- if (code != 0)
- goto cleanup;
+ for (i = 0, p = (unsigned char *)prfOut.data, remain = randomLength;
+ remain > 0;
+ p += t.length, remain -= t.length, i++)
+ {
+ store_uint32_be(i, ns.data);
+
+ code = krb5_c_prf(krbContext, &kd, &ns, &t);
+ if (code != 0)
+ goto cleanup;
+
+ memcpy(p, t.data, MIN(t.length, remain));
+ }
/* Finally, convert PRF output into a new key which we will return */
- code = krb5_c_random_to_key(context, enctype, &prf, &kd);
+ code = krb5_c_random_to_key(krbContext, encryptionType, &prfOut, &kd);
if (code != 0)
goto cleanup;
memset(KRB_KEY_DATA(&kd), 0, KRB_KEY_LENGTH(&kd));
GSSEAP_FREE(KRB_KEY_DATA(&kd));
}
- if (prf.data != NULL) {
- memset(prf.data, 0, prf.length);
- GSSEAP_FREE(prf.data);
+ if (t.data != NULL) {
+ memset(t.data, 0, t.length);
+ GSSEAP_FREE(t.data);
+ }
+ if (prfOut.data != NULL) {
+ memset(prfOut.data, 0, prfOut.length);
+ GSSEAP_FREE(prfOut.data);
}
-
*minor = code;
return (code == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
}
+
+#ifdef HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE
+extern krb5_error_code
+krb5int_c_mandatory_cksumtype(krb5_context, krb5_enctype, krb5_cksumtype *);
+#endif
+
+OM_uint32
+rfc3961ChecksumTypeForKey(OM_uint32 *minor,
+ krb5_keyblock *key,
+ krb5_cksumtype *cksumtype)
+{
+ krb5_context krbContext;
+#ifndef HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE
+ krb5_data data;
+ krb5_checksum cksum;
+#endif
+
+ GSSEAP_KRB_INIT(&krbContext);
+
+#ifdef HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE
+ *minor = krb5int_c_mandatory_cksumtype(krbContext, KRB_KEY_TYPE(key),
+ cksumtype);
+ if (*minor != 0)
+ return GSS_S_FAILURE;
+#else
+ data.length = 0;
+ data.data = NULL;
+
+ memset(&cksum, 0, sizeof(cksum));
+
+ /*
+ * This is a complete hack but it's the only way to work with
+ * MIT Kerberos pre-1.9 without using private API, as it does
+ * not support passing in zero as the checksum type.
+ */
+ *minor = krb5_c_make_checksum(krbContext, 0, key, 0, &data, &cksum);
+ if (*minor != 0)
+ return GSS_S_FAILURE;
+
+ *cksumtype = cksum.checksum_type;
+
+ krb5_free_checksum_contents(krbContext, &cksum);
+#endif /* HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE */
+
+ return GSS_S_COMPLETE;
+}