2 * COPYRIGHT (c) 2006 The Regents of the University of Michigan
5 * Copyright (c) 2012, 2014, Intel Corporation.
7 * Permission is granted to use, copy, create derivative works
8 * and redistribute this software and such derivative works
9 * for any purpose, so long as the name of The University of
10 * Michigan is not used in any advertising or publicity
11 * pertaining to the use of distribution of this software
12 * without specific, written prior authorization. If the
13 * above copyright notice or any other identification of the
14 * University of Michigan is included in any copy of any
15 * portion of this software, then the disclaimer below must
18 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
19 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
20 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
21 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
22 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
23 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
24 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
25 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
26 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
27 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
28 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
34 #ifdef HAVE_LUCID_CONTEXT_SUPPORT
37 * Newer versions of MIT and Heimdal have lucid context support.
38 * We can use common code if it is supported.
47 #include <gssapi/gssapi.h>
49 typedef uint64_t OM_uint64;
51 #include <gssapi/gssapi_krb5.h>
54 # include "lgss_utils.h"
56 # include "gss_util.h"
57 # include "gss_oids.h"
58 # include "err_util.h"
60 #include "write_bytes.h"
65 write_lucid_keyblock(char **p, char *end, gss_krb5_lucid_key_t *key)
69 if (WRITE_BYTES(p, end, key->type)) return -1;
70 tmp.length = key->length;
71 tmp.value = key->data;
72 if (write_buffer(p, end, &tmp)) return -1;
77 prepare_krb5_rfc1964_buffer(gss_krb5_lucid_context_v1_t *lctx,
81 static int constant_zero = 0;
82 unsigned char fakeseed[16] = { 0 };
83 uint32_t word_send_seq;
84 gss_krb5_lucid_key_t enc_key;
89 * The new Kerberos interface to get the gss context
90 * does not include the seed or seed_init fields
91 * because we never really use them. But for now,
92 * send down a fake buffer so we can use the same
93 * interface to the kernel.
95 memset(&enc_key, 0, sizeof(enc_key));
97 if (!(buf->value = calloc(1, MAX_CTX_LEN)))
100 end = buf->value + MAX_CTX_LEN;
102 if (WRITE_BYTES(&p, end, lctx->initiate)) goto out_err;
104 /* seed_init and seed not used by kernel anyway */
105 if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
106 if (write_bytes(&p, end, &fakeseed, 16)) goto out_err;
108 if (WRITE_BYTES(&p, end, lctx->rfc1964_kd.sign_alg)) goto out_err;
109 if (WRITE_BYTES(&p, end, lctx->rfc1964_kd.seal_alg)) goto out_err;
110 if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err;
111 word_send_seq = lctx->send_seq; /* XXX send_seq is 64-bit */
112 if (WRITE_BYTES(&p, end, word_send_seq)) goto out_err;
113 if (write_oid(&p, end, &krb5oid)) goto out_err;
117 * The kernel gss code expects des-cbc-raw for all flavors of des.
118 * The keytype from MIT has this type, but Heimdal does not.
119 * Force the Heimdal keytype to 4 (des-cbc-raw).
120 * Note that the rfc1964 version only supports DES enctypes.
122 if (lctx->rfc1964_kd.ctx_key.type != 4) {
123 printerr(2, "%s: overriding heimdal keytype (%d => %d)\n",
124 __FUNCTION__, lctx->rfc1964_kd.ctx_key.type, 4);
125 lctx->rfc1964_kd.ctx_key.type = 4;
128 printerr(2, "%s: serializing keys with enctype %d and length %d\n",
129 __FUNCTION__, lctx->rfc1964_kd.ctx_key.type,
130 lctx->rfc1964_kd.ctx_key.length);
132 /* derive the encryption key and copy it into buffer */
133 enc_key.type = lctx->rfc1964_kd.ctx_key.type;
134 enc_key.length = lctx->rfc1964_kd.ctx_key.length;
135 if ((enc_key.data = calloc(1, enc_key.length)) == NULL)
137 skd = (char *) lctx->rfc1964_kd.ctx_key.data;
138 dkd = (char *) enc_key.data;
139 for (i = 0; i < enc_key.length; i++)
140 dkd[i] = skd[i] ^ 0xf0;
141 if (write_lucid_keyblock(&p, end, &enc_key))
143 if (write_lucid_keyblock(&p, end, &lctx->rfc1964_kd.ctx_key))
147 buf->length = p - (char *)buf->value;
150 printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
156 if (enc_key.data) free(enc_key.data);
160 /* XXX Hack alert! XXX Do NOT submit upstream! XXX */
161 /* XXX Hack alert! XXX Do NOT submit upstream! XXX */
164 #define KG_USAGE_SEAL 22
165 #define KG_USAGE_SIGN 23
166 #define KG_USAGE_SEQ 24
169 #define KG_USAGE_ACCEPTOR_SEAL 22
170 #define KG_USAGE_ACCEPTOR_SIGN 23
171 #define KG_USAGE_INITIATOR_SEAL 24
172 #define KG_USAGE_INITIATOR_SIGN 25
174 /* Lifted from mit src/lib/gssapi/krb5/gssapiP_krb5.h */
176 SEAL_ALG_NONE = 0xffff,
177 SEAL_ALG_DES = 0x0000,
178 SEAL_ALG_1 = 0x0001, /* not published */
179 SEAL_ALG_MICROSOFT_RC4 = 0x0010, /* microsoft w2k; */
180 SEAL_ALG_DES3KD = 0x0002
183 #define KEY_USAGE_SEED_ENCRYPTION 0xAA
184 #define KEY_USAGE_SEED_INTEGRITY 0x55
185 #define KEY_USAGE_SEED_CHECKSUM 0x99
188 /* Flags for version 2 context flags */
189 #define KRB5_CTX_FLAG_INITIATOR 0x00000001
190 #define KRB5_CTX_FLAG_CFX 0x00000002
191 #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004
193 /* XXX Hack alert! XXX Do NOT submit upstream! XXX */
194 /* XXX Hack alert! XXX Do NOT submit upstream! XXX */
196 * We don't have "legal" access to these MIT-only
197 * structures located in libk5crypto
199 extern void *krb5int_enc_arcfour;
200 extern void *krb5int_enc_des3;
201 extern void *krb5int_enc_aes128;
202 extern void *krb5int_enc_aes256;
205 key_lucid_to_krb5(const gss_krb5_lucid_key_t *lin, krb5_keyblock *kout)
207 memset(kout, 0, sizeof(*kout));
209 kout->enctype = lin->type;
210 kout->length = lin->length;
211 kout->contents = lin->data;
213 kout->keytype = lin->type;
214 kout->keyvalue.length = lin->length;
215 kout->keyvalue.data = lin->data;
220 key_krb5_to_lucid(const krb5_keyblock *kin, gss_krb5_lucid_key_t *lout)
222 memset(lout, 0, sizeof(*lout));
225 lout->data = malloc(kin->length);
226 if (lout->data == NULL)
227 return KRB5_CC_NOMEM;
229 lout->type = kin->enctype;
230 lout->length = kin->length;
231 memcpy(lout->data, kin->contents, kin->length);
233 lout->data = malloc(kin->keyvalue.length);
234 if (lout->data == NULL)
235 return KRB5_CC_NOMEM;
237 lout->type = kin->keytype;
238 lout->length = kin->keyvalue.length;
239 memcpy(lout->data, kin->keyvalue.data, kin->keyvalue.length);
245 /* XXX Hack alert! XXX Do NOT submit upstream! XXX */
246 /* XXX Hack alert! XXX Do NOT submit upstream! XXX */
247 /* XXX Hack alert! XXX Do NOT submit upstream! XXX */
248 /* XXX Hack alert! XXX Do NOT submit upstream! XXX */
250 * Function to derive a new key from a given key and given constant data.
252 static krb5_error_code
253 derive_key_lucid(const gss_krb5_lucid_key_t *in, gss_krb5_lucid_key_t *out,
254 int usage, char extra)
256 krb5_error_code code;
257 unsigned char constant_data[K5CLENGTH];
259 int keylength __attribute__ ((unused));
263 krb5_keyblock kin; /* must send krb5_keyblock, not lucid! */
264 #if defined(HAVE_HEIMDAL) || HAVE_KRB5INT_DERIVE_KEY
265 krb5_context kcontext;
266 krb5_keyblock *outkey;
270 #if HAVE_KRB5INT_DERIVE_KEY
271 krb5_key key_in, key_out;
275 * XXX Hack alert. We don't have "legal" access to these
276 * values and structures located in libk5crypto
279 case ENCTYPE_DES3_CBC_SHA1:
281 case ENCTYPE_DES3_CBC_RAW:
285 enc = &krb5int_enc_des3;
288 case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
291 enc = &krb5int_enc_aes128;
294 case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
297 enc = &krb5int_enc_aes256;
301 code = KRB5_BAD_ENCTYPE;
305 /* Convert to correct format for call to krb5_derive_key */
306 key_lucid_to_krb5(in, &kin);
308 datain.data = (char *) constant_data;
309 datain.length = K5CLENGTH;
311 ((char *)(datain.data))[0] = (usage>>24)&0xff;
312 ((char *)(datain.data))[1] = (usage>>16)&0xff;
313 ((char *)(datain.data))[2] = (usage>>8)&0xff;
314 ((char *)(datain.data))[3] = usage&0xff;
316 ((char *)(datain.data))[4] = (char) extra;
318 /* Step 1: Init context */
319 /* Heimdal and newer MIT Kerberos require kcontext */
320 #if defined(HAVE_KRB5INT_DERIVE_KEY) || defined(HAVE_HEIMDAL)
321 code = krb5_init_context(&kcontext);
326 /* Step 2: Get the derived key */
328 #if HAVE_KRB5INT_DERIVE_KEY
329 code = krb5_k_create_key(kcontext, &kin, &key_in);
333 code = krb5int_derive_key(enc, key_in, &key_out, &datain,
336 krb5_k_free_key(kcontext, key_in);
338 krb5_k_key_keyblock(kcontext, key_out, &outkey);
339 krb5_k_free_key(kcontext, key_out);
341 #else /* !HAVE_KRB5INT_DERIVE_KEY */
342 out->length = keylength;
343 out->type = in->type;
345 key_lucid_to_krb5(out, &kout);
347 code = krb5_derive_key(enc, &kin, &kout, &datain);
348 #endif /* HAVE_KRB5INT_DERIVE_KEY */
349 #else /* !defined(HAVE_KRB5) */
350 code = krb5_derive_key(kcontext, &kin, in->type, constant_data, K5CLENGTH, &outkey);
351 #endif /* defined(HAVE_KRB5) */
356 /* Step 3: Copy the key to out */
357 #if defined(HAVE_KRB5INT_DERIVE_KEY) || defined(HAVE_HEIMDAL)
358 code = key_krb5_to_lucid(outkey, out);
359 krb5_free_keyblock(kcontext, outkey);
360 #else /* !defined(HAVE_KRB5) */
361 code = key_krb5_to_lucid(&kout, out);
362 #endif /* defined(HAVE_KRB5) */
364 /* Step 4: Free the context */
365 #if defined(HAVE_KRB5INT_DERIVE_KEY) || defined(HAVE_HEIMDAL)
366 krb5_free_context(kcontext);
371 printerr(0, "ERROR: %s: returning error %d (%s)\n",
372 __FUNCTION__, code, error_message(code));
378 * Prepare a new-style buffer, as defined in rfc4121 (a.k.a. cfx),
379 * to send to the kernel for newer encryption types -- or for DES3.
383 * u32 initiate; ( whether we are the initiator or not )
386 * #define KRB5_CTX_FLAG_INITIATOR 0x00000001
387 * #define KRB5_CTX_FLAG_CFX 0x00000002
388 * #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004
390 * u32 enctype; ( encrption type of keys )
391 * u32 size_of_each_key; ( size of each key in bytes )
392 * u32 number_of_keys; ( N -- should always be 3 for now )
399 prepare_krb5_rfc4121_buffer(gss_krb5_lucid_context_v1_t *lctx,
400 gss_buffer_desc *buf)
402 static int constant_two = 2;
404 uint32_t v2_flags = 0;
405 gss_krb5_lucid_key_t enc_key;
406 gss_krb5_lucid_key_t derived_key;
407 gss_buffer_desc fakeoid;
412 memset(&enc_key, 0, sizeof(enc_key));
413 memset(&fakeoid, 0, sizeof(fakeoid));
415 if (!(buf->value = calloc(1, MAX_CTX_LEN)))
418 end = buf->value + MAX_CTX_LEN;
421 if (WRITE_BYTES(&p, end, constant_two)) goto out_err;
422 if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err;
425 v2_flags |= KRB5_CTX_FLAG_INITIATOR;
426 if (lctx->protocol != 0)
427 v2_flags |= KRB5_CTX_FLAG_CFX;
428 if (lctx->protocol != 0 && lctx->cfx_kd.have_acceptor_subkey == 1)
429 v2_flags |= KRB5_CTX_FLAG_ACCEPTOR_SUBKEY;
431 if (WRITE_BYTES(&p, end, v2_flags)) goto out_err;
433 if (WRITE_BYTES(&p, end, lctx->send_seq)) goto out_err;
435 /* Protocol 0 here implies DES3 or RC4 */
436 printerr(3, "protocol %d\n", lctx->protocol);
437 if (lctx->protocol == 0) {
438 enctype = lctx->rfc1964_kd.ctx_key.type;
441 * The kernel gss code expects ENCTYPE_DES3_CBC_RAW (6) for
442 * 3des keys, but Heimdal key has ENCTYPE_DES3_CBC_SHA1 (16).
443 * Force the Heimdal enctype to 6.
445 if (enctype == ENCTYPE_DES3_CBC_SHA1) {
446 printerr(2, "%s: overriding heimdal keytype (%d => %d)\n",
447 __FUNCTION__, enctype, 6);
452 keysize = lctx->rfc1964_kd.ctx_key.length;
453 numkeys = 3; /* XXX is always gonna be three? */
455 if (lctx->cfx_kd.have_acceptor_subkey) {
456 enctype = lctx->cfx_kd.acceptor_subkey.type;
457 keysize = lctx->cfx_kd.acceptor_subkey.length;
459 enctype = lctx->cfx_kd.ctx_key.type;
460 keysize = lctx->cfx_kd.ctx_key.length;
464 printerr(3, "serializing %d keys with enctype %d and size %d\n",
465 numkeys, enctype, keysize);
466 if (WRITE_BYTES(&p, end, enctype)) goto out_err;
467 if (WRITE_BYTES(&p, end, keysize)) goto out_err;
468 if (WRITE_BYTES(&p, end, numkeys)) goto out_err;
470 if (lctx->protocol == 0) {
471 /* derive and send down: Ke, Ki, and Kc */
473 if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data,
474 lctx->rfc1964_kd.ctx_key.length))
478 if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data,
479 lctx->rfc1964_kd.ctx_key.length))
484 * RC4 is special, it dosen't need key derivation. Actually
485 * the Ke is based on plain text. Here we just let all three
486 * key identical, kernel will handle everything. --ericm
488 if (lctx->rfc1964_kd.ctx_key.type == ENCTYPE_ARCFOUR_HMAC) {
489 if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data,
490 lctx->rfc1964_kd.ctx_key.length))
493 if (derive_key_lucid(&lctx->rfc1964_kd.ctx_key,
495 KG_USAGE_SIGN, KEY_USAGE_SEED_CHECKSUM))
497 if (write_bytes(&p, end, derived_key.data,
500 free(derived_key.data);
503 gss_krb5_lucid_key_t *keyptr;
504 uint32_t sign_usage, seal_usage;
506 if (lctx->cfx_kd.have_acceptor_subkey)
507 keyptr = &lctx->cfx_kd.acceptor_subkey;
509 keyptr = &lctx->cfx_kd.ctx_key;
512 * These are from rfc4142, but I don't understand:
513 * if we supply different 'usage' value for client &
514 * server, then the peers will have different derived
515 * keys. How could this work?
517 * Here we simply use old SIGN/SEAL values until we
518 * find the answer. --ericm
521 sign_usage = KG_USAGE_SIGN;
522 seal_usage = KG_USAGE_SEAL;
524 /* derive and send down: Ke, Ki, and Kc */
527 if (derive_key_lucid(keyptr, &derived_key,
528 seal_usage, KEY_USAGE_SEED_ENCRYPTION))
530 if (write_bytes(&p, end, derived_key.data,
533 free(derived_key.data);
536 if (derive_key_lucid(keyptr, &derived_key,
537 seal_usage, KEY_USAGE_SEED_INTEGRITY))
539 if (write_bytes(&p, end, derived_key.data,
542 free(derived_key.data);
545 if (derive_key_lucid(keyptr, &derived_key,
546 sign_usage, KEY_USAGE_SEED_CHECKSUM))
548 if (write_bytes(&p, end, derived_key.data,
551 free(derived_key.data);
554 buf->length = p - (char *)buf->value;
558 printerr(0, "ERROR: %s: failed serializing krb5 context for kernel\n",
572 serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf)
574 OM_uint32 maj_stat, min_stat;
575 void *return_ctx = 0;
577 gss_krb5_lucid_context_v1_t *lctx = 0;
580 printerr(3, "lucid version!\n");
581 maj_stat = gss_krb5_export_lucid_sec_context(&min_stat, &ctx,
583 if (maj_stat != GSS_S_COMPLETE) {
584 pgsserr("gss_krb5_export_lucid_sec_context",
585 maj_stat, min_stat, &krb5oid);
589 /* Check the version returned, we only support v1 right now */
590 vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version;
593 lctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
596 printerr(0, "ERROR: unsupported lucid sec context version %d\n",
603 * Now lctx points to a lucid context that we can send down to kernel
605 * Note: we send down different information to the kernel depending
606 * on the protocol version and the enctyption type.
607 * For protocol version 0 with all enctypes besides DES3, we use
608 * the original format. For protocol version != 0 or DES3, we
609 * send down the new style information.
612 if (lctx->protocol == 0 && lctx->rfc1964_kd.ctx_key.type <= 4)
613 retcode = prepare_krb5_rfc1964_buffer(lctx, buf);
615 retcode = prepare_krb5_rfc4121_buffer(lctx, buf);
617 maj_stat = gss_krb5_free_lucid_sec_context(&min_stat, return_ctx);
618 if (maj_stat != GSS_S_COMPLETE) {
619 pgsserr("gss_krb5_export_lucid_sec_context",
620 maj_stat, min_stat, &krb5oid);
621 printerr(0, "WARN: failed to free lucid sec context\n");
625 printerr(1, "%s: prepare_krb5_*_buffer failed (retcode = %d)\n",
626 __FUNCTION__, retcode);
633 printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
639 #endif /* HAVE_LUCID_CONTEXT_SUPPORT */