3 * The Regents of the University of Michigan
6 * Permission is granted to use, copy, create derivative works
7 * and redistribute this software and such derivative works
8 * for any purpose, so long as the name of The University of
9 * Michigan is not used in any advertising or publicity
10 * pertaining to the use of distribution of this software
11 * without specific, written prior authorization. If the
12 * above copyright notice or any other identification of the
13 * University of Michigan is included in any copy of any
14 * portion of this software, then the disclaimer below must
17 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
18 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
19 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
20 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
21 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
22 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
23 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
24 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
25 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
26 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
27 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
33 #ifdef HAVE_LUCID_CONTEXT_SUPPORT
36 * Newer versions of MIT and Heimdal have lucid context support.
37 * We can use common code if it is supported.
46 #include <gssapi/gssapi.h>
48 typedef uint64_t OM_uint64;
50 #include <gssapi/gssapi_krb5.h>
58 write_lucid_keyblock(char **p, char *end, gss_krb5_lucid_key_t *key)
62 if (WRITE_BYTES(p, end, key->type)) return -1;
63 tmp.length = key->length;
64 tmp.value = key->data;
65 if (write_buffer(p, end, &tmp)) return -1;
70 prepare_krb5_rfc1964_buffer(gss_krb5_lucid_context_v1_t *lctx,
74 static int constant_zero = 0;
75 unsigned char fakeseed[16];
76 uint32_t word_send_seq;
77 gss_krb5_lucid_key_t enc_key;
80 gss_buffer_desc fakeoid;
83 * The new Kerberos interface to get the gss context
84 * does not include the seed or seed_init fields
85 * because we never really use them. But for now,
86 * send down a fake buffer so we can use the same
87 * interface to the kernel.
89 memset(&enc_key, 0, sizeof(enc_key));
90 memset(&fakeoid, 0, sizeof(fakeoid));
92 if (!(buf->value = calloc(1, MAX_CTX_LEN)))
95 end = buf->value + MAX_CTX_LEN;
97 if (WRITE_BYTES(&p, end, lctx->initiate)) goto out_err;
99 /* seed_init and seed not used by kernel anyway */
100 if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
101 if (write_bytes(&p, end, &fakeseed, 16)) goto out_err;
103 if (WRITE_BYTES(&p, end, lctx->rfc1964_kd.sign_alg)) goto out_err;
104 if (WRITE_BYTES(&p, end, lctx->rfc1964_kd.seal_alg)) goto out_err;
105 if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err;
106 word_send_seq = lctx->send_seq; /* XXX send_seq is 64-bit */
107 if (WRITE_BYTES(&p, end, word_send_seq)) goto out_err;
108 if (write_oid(&p, end, &krb5oid)) goto out_err;
112 * The kernel gss code expects des-cbc-raw for all flavors of des.
113 * The keytype from MIT has this type, but Heimdal does not.
114 * Force the Heimdal keytype to 4 (des-cbc-raw).
115 * Note that the rfc1964 version only supports DES enctypes.
117 if (lctx->rfc1964_kd.ctx_key.type != 4) {
118 printerr(2, "%s: overriding heimdal keytype (%d => %d)\n",
119 __FUNCTION__, lctx->rfc1964_kd.ctx_key.type, 4);
120 lctx->rfc1964_kd.ctx_key.type = 4;
123 printerr(2, "%s: serializing keys with enctype %d and length %d\n",
124 __FUNCTION__, lctx->rfc1964_kd.ctx_key.type,
125 lctx->rfc1964_kd.ctx_key.length);
127 /* derive the encryption key and copy it into buffer */
128 enc_key.type = lctx->rfc1964_kd.ctx_key.type;
129 enc_key.length = lctx->rfc1964_kd.ctx_key.length;
130 if ((enc_key.data = calloc(1, enc_key.length)) == NULL)
132 skd = (char *) lctx->rfc1964_kd.ctx_key.data;
133 dkd = (char *) enc_key.data;
134 for (i = 0; i < enc_key.length; i++)
135 dkd[i] = skd[i] ^ 0xf0;
136 if (write_lucid_keyblock(&p, end, &enc_key)) {
142 if (write_lucid_keyblock(&p, end, &lctx->rfc1964_kd.ctx_key))
145 buf->length = p - (char *)buf->value;
148 printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
149 if (buf->value) free(buf->value);
151 if (enc_key.data) free(enc_key.data);
155 /* XXX Hack alert! XXX Do NOT submit upstream! XXX */
156 /* XXX Hack alert! XXX Do NOT submit upstream! XXX */
159 #define KG_USAGE_SEAL 22
160 #define KG_USAGE_SIGN 23
161 #define KG_USAGE_SEQ 24
164 #define KG_USAGE_ACCEPTOR_SEAL 22
165 #define KG_USAGE_ACCEPTOR_SIGN 23
166 #define KG_USAGE_INITIATOR_SEAL 24
167 #define KG_USAGE_INITIATOR_SIGN 25
169 /* Lifted from mit src/lib/gssapi/krb5/gssapiP_krb5.h */
171 SEAL_ALG_NONE = 0xffff,
172 SEAL_ALG_DES = 0x0000,
173 SEAL_ALG_1 = 0x0001, /* not published */
174 SEAL_ALG_MICROSOFT_RC4 = 0x0010, /* microsoft w2k; */
175 SEAL_ALG_DES3KD = 0x0002
178 #define KEY_USAGE_SEED_ENCRYPTION 0xAA
179 #define KEY_USAGE_SEED_INTEGRITY 0x55
180 #define KEY_USAGE_SEED_CHECKSUM 0x99
183 /* Flags for version 2 context flags */
184 #define KRB5_CTX_FLAG_INITIATOR 0x00000001
185 #define KRB5_CTX_FLAG_CFX 0x00000002
186 #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004
188 /* XXX Hack alert! XXX Do NOT submit upstream! XXX */
189 /* XXX Hack alert! XXX Do NOT submit upstream! XXX */
191 * We don't have "legal" access to these MIT-only
192 * structures located in libk5crypto
194 extern void krb5int_enc_arcfour;
195 extern void krb5int_enc_des3;
196 extern void krb5int_enc_aes128;
197 extern void krb5int_enc_aes256;
198 extern int krb5_derive_key();
201 key_lucid_to_krb5(const gss_krb5_lucid_key_t *lin, krb5_keyblock *kout)
203 memset(kout, '\0', sizeof(kout));
205 kout->enctype = lin->type;
206 kout->length = lin->length;
207 kout->contents = lin->data;
209 kout->keytype = lin->type;
210 kout->keyvalue.length = lin->length;
211 kout->keyvalue.data = lin->data;
216 key_krb5_to_lucid(const krb5_keyblock *kin, gss_krb5_lucid_key_t *lout)
218 memset(lout, '\0', sizeof(lout));
220 lout->type = kin->enctype;
221 lout->length = kin->length;
222 lout->data = kin->contents;
224 lout->type = kin->keytype;
225 lout->length = kin->keyvalue.length;
226 memcpy(lout->data, kin->keyvalue.data, kin->keyvalue.length);
230 /* XXX Hack alert! XXX Do NOT submit upstream! XXX */
231 /* XXX Hack alert! XXX Do NOT submit upstream! XXX */
232 /* XXX Hack alert! XXX Do NOT submit upstream! XXX */
233 /* XXX Hack alert! XXX Do NOT submit upstream! XXX */
235 * Function to derive a new key from a given key and given constant data.
237 static krb5_error_code
238 derive_key_lucid(const gss_krb5_lucid_key_t *in, gss_krb5_lucid_key_t *out,
239 int usage, char extra)
241 krb5_error_code code;
242 unsigned char constant_data[K5CLENGTH];
246 krb5_keyblock kin, kout; /* must send krb5_keyblock, not lucid! */
248 krb5_context kcontext;
249 krb5_keyblock *outkey;
253 * XXX Hack alert. We don't have "legal" access to these
254 * values and structures located in libk5crypto
257 case ENCTYPE_DES3_CBC_SHA1:
259 case ENCTYPE_DES3_CBC_RAW:
263 enc = &krb5int_enc_des3;
266 case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
269 enc = &krb5int_enc_aes128;
272 case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
275 enc = &krb5int_enc_aes256;
279 code = KRB5_BAD_ENCTYPE;
283 /* allocate memory for output key */
284 if ((out->data = malloc(keylength)) == NULL) {
288 out->length = keylength;
289 out->type = in->type;
291 /* Convert to correct format for call to krb5_derive_key */
292 key_lucid_to_krb5(in, &kin);
293 key_lucid_to_krb5(out, &kout);
295 datain.data = (char *) constant_data;
296 datain.length = K5CLENGTH;
298 ((char *)(datain.data))[0] = (usage>>24)&0xff;
299 ((char *)(datain.data))[1] = (usage>>16)&0xff;
300 ((char *)(datain.data))[2] = (usage>>8)&0xff;
301 ((char *)(datain.data))[3] = usage&0xff;
303 ((char *)(datain.data))[4] = (char) extra;
306 code = krb5_derive_key(enc, &kin, &kout, &datain);
308 if ((code = krb5_init_context(&kcontext))) {
310 code = krb5_derive_key(kcontext, &kin, in->type, constant_data, K5CLENGTH, &outkey);
318 key_krb5_to_lucid(&kout, out);
320 key_krb5_to_lucid(outkey, out);
321 krb5_free_keyblock(kcontext, outkey);
322 krb5_free_context(kcontext);
327 printerr(0, "ERROR: %s: returning error %d (%s)\n",
328 __FUNCTION__, code, error_message(code));
334 * Prepare a new-style buffer, as defined in rfc4121 (a.k.a. cfx),
335 * to send to the kernel for newer encryption types -- or for DES3.
339 * u32 initiate; ( whether we are the initiator or not )
342 * #define KRB5_CTX_FLAG_INITIATOR 0x00000001
343 * #define KRB5_CTX_FLAG_CFX 0x00000002
344 * #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004
346 * u32 enctype; ( encrption type of keys )
347 * u32 size_of_each_key; ( size of each key in bytes )
348 * u32 number_of_keys; ( N -- should always be 3 for now )
355 prepare_krb5_rfc4121_buffer(gss_krb5_lucid_context_v1_t *lctx,
356 gss_buffer_desc *buf)
358 static int constant_two = 2;
360 uint32_t v2_flags = 0;
361 gss_krb5_lucid_key_t enc_key;
362 gss_krb5_lucid_key_t derived_key;
363 gss_buffer_desc fakeoid;
368 memset(&enc_key, 0, sizeof(enc_key));
369 memset(&fakeoid, 0, sizeof(fakeoid));
371 if (!(buf->value = calloc(1, MAX_CTX_LEN)))
374 end = buf->value + MAX_CTX_LEN;
377 if (WRITE_BYTES(&p, end, constant_two)) goto out_err;
378 if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err;
381 v2_flags |= KRB5_CTX_FLAG_INITIATOR;
382 if (lctx->protocol != 0)
383 v2_flags |= KRB5_CTX_FLAG_CFX;
384 if (lctx->protocol != 0 && lctx->cfx_kd.have_acceptor_subkey == 1)
385 v2_flags |= KRB5_CTX_FLAG_ACCEPTOR_SUBKEY;
387 if (WRITE_BYTES(&p, end, v2_flags)) goto out_err;
389 if (WRITE_BYTES(&p, end, lctx->send_seq)) goto out_err;
391 /* Protocol 0 here implies DES3 or RC4 */
392 printerr(2, "%s: protocol %d\n", __FUNCTION__, lctx->protocol);
393 if (lctx->protocol == 0) {
394 enctype = lctx->rfc1964_kd.ctx_key.type;
397 * The kernel gss code expects ENCTYPE_DES3_CBC_RAW (6) for
398 * 3des keys, but Heimdal key has ENCTYPE_DES3_CBC_SHA1 (16).
399 * Force the Heimdal enctype to 6.
401 if (enctype == ENCTYPE_DES3_CBC_SHA1) {
402 printerr(2, "%s: overriding heimdal keytype (%d => %d)\n",
403 __FUNCTION__, enctype, 6);
408 keysize = lctx->rfc1964_kd.ctx_key.length;
409 numkeys = 3; /* XXX is always gonna be three? */
411 if (lctx->cfx_kd.have_acceptor_subkey) {
412 enctype = lctx->cfx_kd.acceptor_subkey.type;
413 keysize = lctx->cfx_kd.acceptor_subkey.length;
415 enctype = lctx->cfx_kd.ctx_key.type;
416 keysize = lctx->cfx_kd.ctx_key.length;
420 printerr(2, "%s: serializing %d keys with enctype %d and size %d\n",
421 __FUNCTION__, numkeys, enctype, keysize);
422 if (WRITE_BYTES(&p, end, enctype)) goto out_err;
423 if (WRITE_BYTES(&p, end, keysize)) goto out_err;
424 if (WRITE_BYTES(&p, end, numkeys)) goto out_err;
426 if (lctx->protocol == 0) {
427 /* derive and send down: Ke, Ki, and Kc */
429 if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data,
430 lctx->rfc1964_kd.ctx_key.length))
434 if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data,
435 lctx->rfc1964_kd.ctx_key.length))
440 * RC4 is special, it dosen't need key derivation. Actually
441 * the Ke is based on plain text. Here we just let all three
442 * key identical, kernel will handle everything. --ericm
444 if (lctx->rfc1964_kd.ctx_key.type == ENCTYPE_ARCFOUR_HMAC) {
445 if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data,
446 lctx->rfc1964_kd.ctx_key.length))
449 if (derive_key_lucid(&lctx->rfc1964_kd.ctx_key,
451 KG_USAGE_SIGN, KEY_USAGE_SEED_CHECKSUM))
453 if (write_bytes(&p, end, derived_key.data,
456 free(derived_key.data);
459 gss_krb5_lucid_key_t *keyptr;
460 uint32_t sign_usage, seal_usage;
462 if (lctx->cfx_kd.have_acceptor_subkey)
463 keyptr = &lctx->cfx_kd.acceptor_subkey;
465 keyptr = &lctx->cfx_kd.ctx_key;
468 if (lctx->initiate == 1) {
469 sign_usage = KG_USAGE_INITIATOR_SIGN;
470 seal_usage = KG_USAGE_INITIATOR_SEAL;
472 sign_usage = KG_USAGE_ACCEPTOR_SIGN;
473 seal_usage = KG_USAGE_ACCEPTOR_SEAL;
477 * These are from rfc4142, but I don't understand: if we supply
478 * different 'usage' value for client & server, then the peers
479 * will have different derived keys. How could this work?
481 * Here we simply use old SIGN/SEAL values until we find the
485 sign_usage = KG_USAGE_SIGN;
486 seal_usage = KG_USAGE_SEAL;
489 /* derive and send down: Ke, Ki, and Kc */
492 if (derive_key_lucid(keyptr, &derived_key,
493 seal_usage, KEY_USAGE_SEED_ENCRYPTION))
495 if (write_bytes(&p, end, derived_key.data,
498 free(derived_key.data);
501 if (derive_key_lucid(keyptr, &derived_key,
502 seal_usage, KEY_USAGE_SEED_INTEGRITY))
504 if (write_bytes(&p, end, derived_key.data,
507 free(derived_key.data);
510 if (derive_key_lucid(keyptr, &derived_key,
511 sign_usage, KEY_USAGE_SEED_CHECKSUM))
513 if (write_bytes(&p, end, derived_key.data,
516 free(derived_key.data);
519 buf->length = p - (char *)buf->value;
523 printerr(0, "ERROR: %s: failed serializing krb5 context for kernel\n",
537 serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf)
539 OM_uint32 maj_stat, min_stat;
540 void *return_ctx = 0;
542 gss_krb5_lucid_context_v1_t *lctx = 0;
545 printerr(2, "DEBUG: %s: lucid version!\n", __FUNCTION__);
546 maj_stat = gss_export_lucid_sec_context(&min_stat, &ctx,
548 if (maj_stat != GSS_S_COMPLETE) {
549 pgsserr("gss_export_lucid_sec_context",
550 maj_stat, min_stat, &krb5oid);
554 /* Check the version returned, we only support v1 right now */
555 vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version;
558 lctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
561 printerr(0, "ERROR: unsupported lucid sec context version %d\n",
568 * Now lctx points to a lucid context that we can send down to kernel
570 * Note: we send down different information to the kernel depending
571 * on the protocol version and the enctyption type.
572 * For protocol version 0 with all enctypes besides DES3, we use
573 * the original format. For protocol version != 0 or DES3, we
574 * send down the new style information.
577 if (lctx->protocol == 0 && lctx->rfc1964_kd.ctx_key.type <= 4)
578 retcode = prepare_krb5_rfc1964_buffer(lctx, buf);
580 retcode = prepare_krb5_rfc4121_buffer(lctx, buf);
582 maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx);
583 if (maj_stat != GSS_S_COMPLETE) {
584 pgsserr("gss_export_lucid_sec_context",
585 maj_stat, min_stat, &krb5oid);
586 printerr(0, "WARN: failed to free lucid sec context\n");
590 printerr(1, "%s: prepare_krb5_*_buffer failed (retcode = %d)\n",
591 __FUNCTION__, retcode);
598 printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
604 #endif /* HAVE_LUCID_CONTEXT_SUPPORT */