2 * Copyright (c) 2010, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * Copyright 2008 by the Massachusetts Institute of Technology.
34 * All Rights Reserved.
36 * Export of this software from the United States of America may
37 * require a specific license from the United States Government.
38 * It is the responsibility of any person or organization contemplating
39 * export to obtain such a license before exporting.
41 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
42 * distribute this software and its documentation for any purpose and
43 * without fee is hereby granted, provided that the above copyright
44 * notice appear in all copies and that both that copyright notice and
45 * this permission notice appear in supporting documentation, and that
46 * the name of M.I.T. not be used in advertising or publicity pertaining
47 * to distribution of the software without specific, written prior
48 * permission. Furthermore if you modify this software you must label
49 * your software as modified software and not distribute it in such a
50 * fashion that it might be confused with the original M.I.T. software.
51 * M.I.T. makes no representations about the suitability of
52 * this software for any purpose. It is provided "as is" without express
53 * or implied warranty.
56 #include "gssapiP_eap.h"
59 * Caller must provide TOKEN | DATA | PADDING | TRAILER, except
60 * for DCE in which case it can just provide TOKEN | DATA (must
61 * guarantee that DATA is padded)
64 unwrapToken(OM_uint32 *minor,
68 gss_iov_buffer_desc *iov,
70 enum gss_eap_token_type toktype)
73 gss_iov_buffer_t header;
74 gss_iov_buffer_t padding;
75 gss_iov_buffer_t trailer;
76 unsigned char acceptor_flag;
77 unsigned char *ptr = NULL;
80 size_t data_length, assoc_data_length;
83 krb5_cksumtype cksumtype;
88 if (qop_state != NULL)
89 *qop_state = GSS_C_QOP_DEFAULT;
91 header = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
92 assert(header != NULL);
94 padding = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING);
95 if (padding != NULL && padding->buffer.length != 0)
96 return GSS_S_DEFECTIVE_TOKEN;
98 trailer = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
100 acceptor_flag = CTX_IS_INITIATOR(ctx) ? TOK_FLAG_SENDER_IS_ACCEPTOR : 0;
101 key_usage = (toktype == TOK_TYPE_WRAP
102 ? (!CTX_IS_INITIATOR(ctx)
103 ? KEY_USAGE_INITIATOR_SEAL
104 : KEY_USAGE_ACCEPTOR_SEAL)
105 : (!CTX_IS_INITIATOR(ctx)
106 ? KEY_USAGE_INITIATOR_SIGN
107 : KEY_USAGE_ACCEPTOR_SIGN));
109 gssEapIovMessageLength(iov, iov_count, &data_length, &assoc_data_length);
111 ptr = (unsigned char *)header->buffer.value;
113 if (header->buffer.length < 16) {
115 return GSS_S_DEFECTIVE_TOKEN;
118 if ((ptr[2] & TOK_FLAG_SENDER_IS_ACCEPTOR) != acceptor_flag) {
119 return GSS_S_BAD_SIG;
122 if (ptr[2] & TOK_FLAG_ACCEPTOR_SUBKEY) {
123 return GSS_S_BAD_SIG;
126 if (toktype == TOK_TYPE_WRAP) {
127 unsigned int k5_trailerlen;
129 if (load_uint16_be(ptr) != TOK_TYPE_WRAP)
131 conf_flag = ((ptr[2] & TOK_FLAG_WRAP_CONFIDENTIAL) != 0);
134 ec = load_uint16_be(ptr + 4);
135 rrc = load_uint16_be(ptr + 6);
136 seqnum = load_uint64_be(ptr + 8);
138 code = krb5_c_crypto_length(ctx->kerberosCtx,
139 KRB_KEYTYPE(ctx->encryptionKey),
140 conf_flag ? KRB5_CRYPTO_TYPE_TRAILER :
141 KRB5_CRYPTO_TYPE_CHECKSUM,
145 return GSS_S_FAILURE;
149 if (trailer == NULL) {
150 size_t desired_rrc = k5_trailerlen;
153 desired_rrc += 16; /* E(Header) */
155 if ((ctx->gssFlags & GSS_C_DCE_STYLE) == 0)
159 /* According to MS, we only need to deal with a fixed RRC for DCE */
160 if (rrc != desired_rrc)
162 } else if (rrc != 0) {
167 unsigned char *althdr;
170 code = gssEapDecrypt(ctx->kerberosCtx,
171 ((ctx->gssFlags & GSS_C_DCE_STYLE) != 0),
172 ec, rrc, ctx->encryptionKey,
173 key_usage, 0, iov, iov_count);
176 return GSS_S_BAD_SIG;
179 /* Validate header integrity */
181 althdr = (unsigned char *)header->buffer.value + 16 + ec;
183 althdr = (unsigned char *)trailer->buffer.value + ec;
185 if (load_uint16_be(althdr) != TOK_TYPE_WRAP
186 || althdr[2] != ptr[2]
187 || althdr[3] != ptr[3]
188 || memcmp(althdr + 8, ptr + 8, 8) != 0) {
190 return GSS_S_BAD_SIG;
193 /* Verify checksum: note EC is checksum size here, not padding */
194 if (ec != k5_trailerlen)
197 /* Zero EC, RRC before computing checksum */
198 store_uint16_be(0, ptr + 4);
199 store_uint16_be(0, ptr + 6);
201 code = gssEapVerify(ctx->kerberosCtx, cksumtype, rrc,
202 ctx->encryptionKey, key_usage,
203 iov, iov_count, &valid);
204 if (code != 0 || valid == FALSE) {
206 return GSS_S_BAD_SIG;
210 code = sequenceCheck(&ctx->seqState, seqnum);
211 } else if (toktype == TOK_TYPE_MIC) {
212 if (load_uint16_be(ptr) != TOK_TYPE_MIC)
218 seqnum = load_uint64_be(ptr + 8);
220 code = gssEapVerify(ctx->kerberosCtx, cksumtype, 0,
221 ctx->encryptionKey, key_usage,
222 iov, iov_count, &valid);
223 if (code != 0 || valid == FALSE) {
225 return GSS_S_BAD_SIG;
227 code = sequenceCheck(&ctx->seqState, seqnum);
228 } else if (toktype == TOK_TYPE_DELETE) {
229 if (load_uint16_be(ptr) != TOK_TYPE_DELETE)
238 if (conf_state != NULL)
239 *conf_state = conf_flag;
246 return GSS_S_DEFECTIVE_TOKEN;
250 rotateLeft(void *ptr, size_t bufsiz, size_t rc)
260 tbuf = GSSEAP_MALLOC(rc);
264 memcpy(tbuf, ptr, rc);
265 memmove(ptr, (char *)ptr + rc, bufsiz - rc);
266 memcpy((char *)ptr + bufsiz - rc, tbuf, rc);
273 * Split a STREAM | SIGN_DATA | DATA into
274 * HEADER | SIGN_DATA | DATA | PADDING | TRAILER
277 unwrapStream(OM_uint32 *minor,
280 gss_qop_t *qop_state,
281 gss_iov_buffer_desc *iov,
283 enum gss_eap_token_type toktype)
286 OM_uint32 code = 0, major = GSS_S_FAILURE;
287 krb5_context context = ctx->kerberosCtx;
288 int conf_req_flag, toktype2;
290 gss_iov_buffer_desc *tiov = NULL;
291 gss_iov_buffer_t stream, data = NULL;
292 gss_iov_buffer_t theader, tdata = NULL, tpadding, ttrailer;
294 assert(toktype == TOK_TYPE_WRAP);
296 if (toktype != TOK_TYPE_WRAP || (ctx->gssFlags & GSS_C_DCE_STYLE)) {
301 stream = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_STREAM);
302 assert(stream != NULL);
304 if (stream->buffer.length < 16) {
305 major = GSS_S_DEFECTIVE_TOKEN;
309 ptr = (unsigned char *)stream->buffer.value;
310 toktype2 = load_uint16_be(ptr);
313 tiov = (gss_iov_buffer_desc *)GSSEAP_CALLOC((size_t)iov_count + 2,
314 sizeof(gss_iov_buffer_desc));
321 theader = &tiov[i++];
322 theader->type = GSS_IOV_BUFFER_TYPE_HEADER;
323 theader->buffer.value = stream->buffer.value;
324 theader->buffer.length = 16;
326 /* n[SIGN_DATA] | DATA | m[SIGN_DATA] */
327 for (j = 0; j < iov_count; j++) {
328 OM_uint32 type = GSS_IOV_BUFFER_TYPE(iov[j].type);
330 if (type == GSS_IOV_BUFFER_TYPE_DATA) {
332 /* only a single DATA buffer can appear */
340 if (type == GSS_IOV_BUFFER_TYPE_DATA ||
341 type == GSS_IOV_BUFFER_TYPE_SIGN_ONLY)
346 /* a single DATA buffer must be present */
351 /* PADDING | TRAILER */
352 tpadding = &tiov[i++];
353 tpadding->type = GSS_IOV_BUFFER_TYPE_PADDING;
354 tpadding->buffer.length = 0;
355 tpadding->buffer.value = NULL;
357 ttrailer = &tiov[i++];
358 ttrailer->type = GSS_IOV_BUFFER_TYPE_TRAILER;
362 unsigned int k5_headerlen = 0;
363 unsigned int k5_trailerlen = 0;
365 conf_req_flag = ((ptr[0] & TOK_FLAG_WRAP_CONFIDENTIAL) != 0);
366 ec = conf_req_flag ? load_uint16_be(ptr + 2) : 0;
367 rrc = load_uint16_be(ptr + 4);
370 code = rotateLeft((unsigned char *)stream->buffer.value + 16,
371 stream->buffer.length - 16, rrc);
374 store_uint16_be(0, ptr + 4); /* set RRC to zero */
378 code = krb5_c_crypto_length(context, ctx->encryptionType,
379 KRB5_CRYPTO_TYPE_HEADER, &k5_headerlen);
382 theader->buffer.length += k5_headerlen; /* length validated later */
385 /* no PADDING for CFX, EC is used instead */
386 code = krb5_c_crypto_length(context, ctx->encryptionType,
388 ? KRB5_CRYPTO_TYPE_TRAILER
389 : KRB5_CRYPTO_TYPE_CHECKSUM,
394 ttrailer->buffer.length = ec + (conf_req_flag ? 16 : 0 /* E(Header) */) +
396 ttrailer->buffer.value = (unsigned char *)stream->buffer.value +
397 stream->buffer.length - ttrailer->buffer.length;
400 /* IOV: -----------0-------------+---1---+--2--+----------------3--------------*/
401 /* Old: GSS-Header | Conf | Data | Pad | */
402 /* CFX: GSS-Header | Kerb-Header | Data | | EC | E(Header) | Kerb-Trailer */
403 /* GSS: -------GSS-HEADER--------+-DATA--+-PAD-+----------GSS-TRAILER----------*/
405 /* validate lengths */
406 if (stream->buffer.length < theader->buffer.length +
407 tpadding->buffer.length +
408 ttrailer->buffer.length) {
409 code = KRB5_BAD_MSIZE;
410 major = GSS_S_DEFECTIVE_TOKEN;
415 tdata->buffer.length = stream->buffer.length - ttrailer->buffer.length -
416 tpadding->buffer.length - theader->buffer.length;
418 assert(data != NULL);
420 if (data->type & GSS_IOV_BUFFER_FLAG_ALLOCATE) {
421 code = gssEapAllocIov(tdata, tdata->buffer.length);
425 memcpy(tdata->buffer.value,
426 (unsigned char *)stream->buffer.value + theader->buffer.length,
427 tdata->buffer.length);
429 tdata->buffer.value = (unsigned char *)stream->buffer.value +
430 theader->buffer.length;
433 assert(i <= iov_count + 2);
435 major = unwrapToken(&code, ctx, conf_state, qop_state,
437 if (major == GSS_S_COMPLETE) {
439 } else if (tdata->type & GSS_IOV_BUFFER_FLAG_ALLOCATED) {
442 gss_release_buffer(&tmp, &tdata->buffer);
443 tdata->type &= ~(GSS_IOV_BUFFER_FLAG_ALLOCATED);
456 gssEapUnwrapOrVerifyMIC(OM_uint32 *minor,
459 gss_qop_t *qop_state,
460 gss_iov_buffer_desc *iov,
462 enum gss_eap_token_type toktype)
466 if (!CTX_IS_ESTABLISHED(ctx))
467 return GSS_S_NO_CONTEXT;
469 if (gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_STREAM) != NULL) {
470 major = unwrapStream(minor, ctx, conf_state, qop_state,
471 iov, iov_count, toktype);
473 major = unwrapToken(minor, ctx, conf_state, qop_state,
474 iov, iov_count, toktype);
481 gss_unwrap_iov(OM_uint32 *minor,
484 gss_qop_t *qop_state,
485 gss_iov_buffer_desc *iov,
488 return gssEapUnwrapOrVerifyMIC(minor, ctx, conf_state, qop_state,
489 iov, iov_count, TOK_TYPE_WRAP);
projects / mech_eap.orig / blob