2 * Copyright (c) 2011, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 #include "gssapiP_eap.h"
39 static GSSEAP_THREAD_ONCE krbContextKeyOnce = GSSEAP_ONCE_INITIALIZER;
40 static GSSEAP_THREAD_KEY krbContextKey;
43 destroyKrbContext(void *arg)
45 krb5_context context = (krb5_context)arg;
48 krb5_free_context(context);
52 createKrbContextKey(void)
54 GSSEAP_KEY_CREATE(&krbContextKey, destroyKrbContext);
57 static krb5_error_code
58 initKrbContext(krb5_context *pKrbContext)
60 krb5_context krbContext;
62 char *defaultRealm = NULL;
66 code = krb5_init_context(&krbContext);
70 krb5_appdefault_string(krbContext, "eap_gss",
71 NULL, "default_realm", "", &defaultRealm);
73 code = krb5_set_default_realm(krbContext, defaultRealm);
77 *pKrbContext = krbContext;
80 if (code != 0 && krbContext != NULL)
81 krb5_free_context(krbContext);
83 if (defaultRealm != NULL)
84 GSSEAP_FREE(defaultRealm);
90 gssEapKerberosInit(OM_uint32 *minor, krb5_context *context)
94 GSSEAP_ONCE(&krbContextKeyOnce, createKrbContextKey);
96 *context = GSSEAP_GETSPECIFIC(krbContextKey);
97 if (*context == NULL) {
98 *minor = initKrbContext(context);
100 if (GSSEAP_SETSPECIFIC(krbContextKey, *context) != 0) {
102 krb5_free_context(*context);
108 return *minor == 0 ? GSS_S_COMPLETE : GSS_S_FAILURE;
112 * Derive a key K for RFC 4121 use by using the following
113 * derivation function (based on RFC 4402);
115 * KMSK = random-to-key(MSK)
116 * Tn = pseudo-random(KMSK, n || "rfc4121-gss-eap")
117 * L = output key size
118 * K = truncate(L, T1 || T2 || .. || Tn)
121 gssEapDeriveRfc3961Key(OM_uint32 *minor,
122 const unsigned char *inputKey,
123 size_t inputKeyLength,
124 krb5_enctype encryptionType,
127 krb5_context krbContext;
128 #ifndef HAVE_HEIMDAL_VERSION
131 krb5_data ns, t, prfOut;
133 krb5_error_code code;
134 size_t randomLength, keyLength, prfLength;
135 unsigned char constant[4 + sizeof("rfc4121-gss-eap") - 1], *p;
138 assert(encryptionType != ENCTYPE_NULL);
140 memset(pKey, 0, sizeof(*pKey));
142 GSSEAP_KRB_INIT(&krbContext);
145 KRB_KEY_TYPE(&kd) = encryptionType;
153 code = krb5_c_keylengths(krbContext, encryptionType,
154 &randomLength, &keyLength);
158 KRB_KEY_DATA(&kd) = GSSEAP_MALLOC(keyLength);
159 if (KRB_KEY_DATA(&kd) == NULL) {
163 KRB_KEY_LENGTH(&kd) = keyLength;
165 /* Convert MSK into a Kerberos key */
166 #ifdef HAVE_HEIMDAL_VERSION
167 code = krb5_random_to_key(krbContext, encryptionType, inputKey,
168 MIN(inputKeyLength, randomLength), &kd);
170 data.length = MIN(inputKeyLength, randomLength);
171 data.data = (char *)inputKey;
173 code = krb5_c_random_to_key(krbContext, encryptionType, &data, &kd);
178 memset(&constant[0], 0, 4);
179 memcpy(&constant[4], "rfc4121-gss-eap", sizeof("rfc4121-gss-eap") - 1);
181 ns.length = sizeof(constant);
182 ns.data = (char *)constant;
184 /* Plug derivation constant and key into PRF */
185 code = krb5_c_prf_length(krbContext, encryptionType, &prfLength);
189 t.length = prfLength;
190 t.data = GSSEAP_MALLOC(t.length);
191 if (t.data == NULL) {
196 prfOut.length = randomLength;
197 prfOut.data = GSSEAP_MALLOC(prfOut.length);
198 if (prfOut.data == NULL) {
203 for (i = 0, p = (unsigned char *)prfOut.data, remain = randomLength;
205 p += t.length, remain -= t.length, i++)
207 store_uint32_be(i, ns.data);
209 code = krb5_c_prf(krbContext, &kd, &ns, &t);
213 memcpy(p, t.data, MIN(t.length, remain));
216 /* Finally, convert PRF output into a new key which we will return */
217 #ifdef HAVE_HEIMDAL_VERSION
218 code = krb5_random_to_key(krbContext, encryptionType,
219 prfOut.data, prfOut.length, &kd);
221 code = krb5_c_random_to_key(krbContext, encryptionType, &prfOut, &kd);
227 KRB_KEY_DATA(&kd) = NULL;
230 if (KRB_KEY_DATA(&kd) != NULL) {
231 memset(KRB_KEY_DATA(&kd), 0, KRB_KEY_LENGTH(&kd));
232 GSSEAP_FREE(KRB_KEY_DATA(&kd));
234 if (t.data != NULL) {
235 memset(t.data, 0, t.length);
238 if (prfOut.data != NULL) {
239 memset(prfOut.data, 0, prfOut.length);
240 GSSEAP_FREE(prfOut.data);
243 return (code == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
246 #ifdef HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE
247 extern krb5_error_code
248 krb5int_c_mandatory_cksumtype(krb5_context, krb5_enctype, krb5_cksumtype *);
252 rfc3961ChecksumTypeForKey(OM_uint32 *minor,
254 krb5_cksumtype *cksumtype)
256 krb5_context krbContext;
257 #ifndef HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE
262 GSSEAP_KRB_INIT(&krbContext);
264 #ifdef HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE
265 *minor = krb5int_c_mandatory_cksumtype(krbContext, KRB_KEY_TYPE(key),
268 return GSS_S_FAILURE;
273 memset(&cksum, 0, sizeof(cksum));
276 * This is a complete hack but it's the only way to work with
277 * MIT Kerberos pre-1.9 without using private API, as it does
278 * not support passing in zero as the checksum type.
280 *minor = krb5_c_make_checksum(krbContext, 0, key, 0, &data, &cksum);
282 return GSS_S_FAILURE;
284 #ifdef HAVE_HEIMDAL_VERSION
285 *cksumtype = cksum.cksumtype;
287 *cksumtype = cksum.checksum_type;
290 krb5_free_checksum_contents(krbContext, &cksum);
291 #endif /* HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE */
293 if (!krb5_c_is_keyed_cksum(*cksumtype)) {
294 *minor = KRB5KRB_AP_ERR_INAPP_CKSUM;
295 return GSS_S_FAILURE;
298 return GSS_S_COMPLETE;
301 #ifdef HAVE_HEIMDAL_VERSION
302 static heim_general_string krbAnonymousPrincipalComponents[] =
303 { KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME };
305 static const Principal krbAnonymousPrincipalData = {
306 { KRB5_NT_WELLKNOWN, { 2, krbAnonymousPrincipalComponents } },
307 "WELLKNOWN:ANONYMOUS"
312 krbAnonymousPrincipal(void)
314 #ifdef HAVE_HEIMDAL_VERSION
315 return &krbAnonymousPrincipalData;
317 return krb5_anonymous_principal();
322 krbCryptoLength(krb5_context krbContext,
323 #ifdef HAVE_HEIMDAL_VERSION
324 krb5_crypto krbCrypto,
331 #ifdef HAVE_HEIMDAL_VERSION
332 return krb5_crypto_length(krbContext, krbCrypto, type, length);
335 krb5_error_code code;
337 code = krb5_c_crypto_length(krbContext, KRB_KEY_TYPE(key), type, &len);
339 *length = (size_t)len;
346 krbPaddingLength(krb5_context krbContext,
347 #ifdef HAVE_HEIMDAL_VERSION
348 krb5_crypto krbCrypto,
355 krb5_error_code code;
356 #ifdef HAVE_HEIMDAL_VERSION
357 size_t headerLength, paddingLength;
359 code = krbCryptoLength(krbContext, krbCrypto,
360 KRB5_CRYPTO_TYPE_HEADER, &headerLength);
364 dataLength += headerLength;
366 code = krb5_crypto_length(krbContext, krbCrypto,
367 KRB5_CRYPTO_TYPE_PADDING, &paddingLength);
371 if (paddingLength != 0 && (dataLength % paddingLength) != 0)
372 *padLength = paddingLength - (dataLength % paddingLength);
380 code = krb5_c_padding_length(krbContext, KRB_KEY_TYPE(key), dataLength, &pad);
382 *padLength = (size_t)pad;
385 #endif /* HAVE_HEIMDAL_VERSION */
389 krbBlockSize(krb5_context krbContext,
390 #ifdef HAVE_HEIMDAL_VERSION
391 krb5_crypto krbCrypto,
397 #ifdef HAVE_HEIMDAL_VERSION
398 return krb5_crypto_getblocksize(krbContext, krbCrypto, blockSize);
400 return krb5_c_block_size(krbContext, KRB_KEY_TYPE(key), blockSize);
406 #ifdef HAVE_HEIMDAL_VERSION
407 krb5_context krbContext,
409 krb5_context krbContext GSSEAP_UNUSED,
411 krb5_enctype enctype,
415 krb5_error_code code;
416 #ifdef HAVE_HEIMDAL_VERSION
417 char *enctypeBuf = NULL;
419 char enctypeBuf[128];
421 size_t prefixLength, enctypeLength;
423 #ifdef HAVE_HEIMDAL_VERSION
424 code = krb5_enctype_to_string(krbContext, enctype, &enctypeBuf);
426 code = krb5_enctype_to_name(enctype, 0, enctypeBuf, sizeof(enctypeBuf));
431 prefixLength = (prefix != NULL) ? strlen(prefix) : 0;
432 enctypeLength = strlen(enctypeBuf);
434 string->value = GSSEAP_MALLOC(prefixLength + enctypeLength + 1);
435 if (string->value == NULL) {
436 #ifdef HAVE_HEIMDAL_VERSION
437 krb5_xfree(enctypeBuf);
442 if (prefixLength != 0)
443 memcpy(string->value, prefix, prefixLength);
444 memcpy((char *)string->value + prefixLength, enctypeBuf, enctypeLength);
446 string->length = prefixLength + enctypeLength;
447 ((char *)string->value)[string->length] = '\0';
449 #ifdef HAVE_HEIMDAL_VERSION
450 krb5_xfree(enctypeBuf);
457 krbMakeAuthDataKdcIssued(krb5_context context,
458 const krb5_keyblock *key,
459 krb5_const_principal issuer,
460 #ifdef HAVE_HEIMDAL_VERSION
461 const AuthorizationData *authdata,
462 AuthorizationData *adKdcIssued
464 krb5_authdata *const *authdata,
465 krb5_authdata ***adKdcIssued
469 #ifdef HAVE_HEIMDAL_VERSION
470 krb5_error_code code;
471 AD_KDCIssued kdcIssued;
472 AuthorizationDataElement adDatum;
474 size_t buf_size, len;
475 krb5_crypto crypto = NULL;
477 memset(&kdcIssued, 0, sizeof(kdcIssued));
478 memset(adKdcIssued, 0, sizeof(*adKdcIssued));
480 kdcIssued.i_realm = issuer->realm != NULL ? (Realm *)&issuer->realm : NULL;
481 kdcIssued.i_sname = (PrincipalName *)&issuer->name;
482 kdcIssued.elements = *authdata;
484 ASN1_MALLOC_ENCODE(AuthorizationData, buf, buf_size, authdata, &len, code);
488 code = krb5_crypto_init(context, key, 0, &crypto);
492 code = krb5_create_checksum(context, crypto, KRB5_KU_AD_KDC_ISSUED,
493 0, buf, buf_size, &kdcIssued.ad_checksum);
500 ASN1_MALLOC_ENCODE(AD_KDCIssued, buf, buf_size, &kdcIssued, &len, code);
504 adDatum.ad_type = KRB5_AUTHDATA_KDC_ISSUED;
505 adDatum.ad_data.length = buf_size;
506 adDatum.ad_data.data = buf;
508 code = add_AuthorizationData(adKdcIssued, &adDatum);
516 krb5_crypto_destroy(context, crypto);
517 free_Checksum(&kdcIssued.ad_checksum);
521 return krb5_make_authdata_kdc_issued(context, key, issuer, authdata,
523 #endif /* HAVE_HEIMDAL_VERSION */
527 krbMakeCred(krb5_context krbContext,
528 krb5_auth_context authContext,
532 krb5_error_code code;
533 #ifdef HAVE_HEIMDAL_VERSION
535 KrbCredInfo krbCredInfo;
536 EncKrbCredPart encKrbCredPart;
538 krb5_crypto krbCrypto = NULL;
539 krb5_data encKrbCredPartData;
540 krb5_replay_data rdata;
546 memset(data, 0, sizeof(*data));
547 #ifdef HAVE_HEIMDAL_VERSION
548 memset(&krbCred, 0, sizeof(krbCred));
549 memset(&krbCredInfo, 0, sizeof(krbCredInfo));
550 memset(&encKrbCredPart, 0, sizeof(encKrbCredPart));
551 memset(&rdata, 0, sizeof(rdata));
553 if (authContext->local_subkey)
554 key = authContext->local_subkey;
555 else if (authContext->remote_subkey)
556 key = authContext->remote_subkey;
558 key = authContext->keyblock;
561 krbCred.msg_type = krb_cred;
562 krbCred.tickets.val = (Ticket *)GSSEAP_CALLOC(1, sizeof(Ticket));
563 if (krbCred.tickets.val == NULL) {
567 krbCred.tickets.len = 1;
569 code = decode_Ticket(creds->ticket.data,
570 creds->ticket.length,
571 krbCred.tickets.val, &len);
575 krbCredInfo.key = creds->session;
576 krbCredInfo.prealm = &creds->client->realm;
577 krbCredInfo.pname = &creds->client->name;
578 krbCredInfo.flags = &creds->flags.b;
579 krbCredInfo.authtime = &creds->times.authtime;
580 krbCredInfo.starttime = &creds->times.starttime;
581 krbCredInfo.endtime = &creds->times.endtime;
582 krbCredInfo.renew_till = &creds->times.renew_till;
583 krbCredInfo.srealm = &creds->server->realm;
584 krbCredInfo.sname = &creds->server->name;
585 krbCredInfo.caddr = creds->addresses.len ? &creds->addresses : NULL;
587 encKrbCredPart.ticket_info.len = 1;
588 encKrbCredPart.ticket_info.val = &krbCredInfo;
589 if (authContext->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
590 rdata.seq = authContext->local_seqnumber;
591 encKrbCredPart.nonce = (int32_t *)&rdata.seq;
593 encKrbCredPart.nonce = NULL;
595 if (authContext->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
596 krb5_us_timeofday(krbContext, &rdata.timestamp, &rdata.usec);
597 encKrbCredPart.timestamp = &rdata.timestamp;
598 encKrbCredPart.usec = &rdata.usec;
600 encKrbCredPart.timestamp = NULL;
601 encKrbCredPart.usec = NULL;
603 encKrbCredPart.s_address = authContext->local_address;
604 encKrbCredPart.r_address = authContext->remote_address;
606 ASN1_MALLOC_ENCODE(EncKrbCredPart, encKrbCredPartData.data,
607 encKrbCredPartData.length, &encKrbCredPart,
612 code = krb5_crypto_init(krbContext, key, 0, &krbCrypto);
616 code = krb5_encrypt_EncryptedData(krbContext,
619 encKrbCredPartData.data,
620 encKrbCredPartData.length,
626 ASN1_MALLOC_ENCODE(KRB_CRED, data->data, data->length,
627 &krbCred, &len, code);
631 if (authContext->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE)
632 authContext->local_seqnumber++;
635 if (krbCrypto != NULL)
636 krb5_crypto_destroy(krbContext, krbCrypto);
637 free_KRB_CRED(&krbCred);
638 krb5_data_free(&encKrbCredPartData);
642 code = krb5_mk_1cred(krbContext, authContext, creds, &d, NULL);
649 #endif /* HAVE_HEIMDAL_VERSION */