/* * COPYRIGHT (c) 2006 * The Regents of the University of Michigan * ALL RIGHTS RESERVED * * Permission is granted to use, copy, create derivative works * and redistribute this software and such derivative works * for any purpose, so long as the name of The University of * Michigan is not used in any advertising or publicity * pertaining to the use of distribution of this software * without specific, written prior authorization. If the * above copyright notice or any other identification of the * University of Michigan is included in any copy of any * portion of this software, then the disclaimer below must * also be included. * * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF * SUCH DAMAGES. */ #include "config.h" #ifdef HAVE_LUCID_CONTEXT_SUPPORT /* * Newer versions of MIT and Heimdal have lucid context support. * We can use common code if it is supported. */ #include #include #include #include #include #include #include #ifndef OM_uint64 typedef uint64_t OM_uint64; #endif #include #ifdef _NEW_BUILD_ # include "lgss_utils.h" #else # include "gss_util.h" # include "gss_oids.h" # include "err_util.h" #endif #include "write_bytes.h" #include "context.h" extern OM_uint32 gss_export_lucid_sec_context(OM_uint32 *min_stat, gss_ctx_id_t *ctx, OM_uint32 version, void **kctx); extern OM_uint32 gss_free_lucid_sec_context(OM_uint32 *min_stat, gss_ctx_id_t ctx, void *kctx); static int write_lucid_keyblock(char **p, char *end, gss_krb5_lucid_key_t *key) { gss_buffer_desc tmp; if (WRITE_BYTES(p, end, key->type)) return -1; tmp.length = key->length; tmp.value = key->data; if (write_buffer(p, end, &tmp)) return -1; return 0; } static int prepare_krb5_rfc1964_buffer(gss_krb5_lucid_context_v1_t *lctx, gss_buffer_desc *buf) { char *p, *end; static int constant_zero = 0; unsigned char fakeseed[16] = { 0 }; uint32_t word_send_seq; gss_krb5_lucid_key_t enc_key; int i; char *skd, *dkd; gss_buffer_desc fakeoid; /* * The new Kerberos interface to get the gss context * does not include the seed or seed_init fields * because we never really use them. But for now, * send down a fake buffer so we can use the same * interface to the kernel. */ memset(&enc_key, 0, sizeof(enc_key)); memset(&fakeoid, 0, sizeof(fakeoid)); if (!(buf->value = calloc(1, MAX_CTX_LEN))) goto out_err; p = buf->value; end = buf->value + MAX_CTX_LEN; if (WRITE_BYTES(&p, end, lctx->initiate)) goto out_err; /* seed_init and seed not used by kernel anyway */ if (WRITE_BYTES(&p, end, constant_zero)) goto out_err; if (write_bytes(&p, end, &fakeseed, 16)) goto out_err; if (WRITE_BYTES(&p, end, lctx->rfc1964_kd.sign_alg)) goto out_err; if (WRITE_BYTES(&p, end, lctx->rfc1964_kd.seal_alg)) goto out_err; if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err; word_send_seq = lctx->send_seq; /* XXX send_seq is 64-bit */ if (WRITE_BYTES(&p, end, word_send_seq)) goto out_err; if (write_oid(&p, end, &krb5oid)) goto out_err; #ifdef HAVE_HEIMDAL /* * The kernel gss code expects des-cbc-raw for all flavors of des. * The keytype from MIT has this type, but Heimdal does not. * Force the Heimdal keytype to 4 (des-cbc-raw). * Note that the rfc1964 version only supports DES enctypes. */ if (lctx->rfc1964_kd.ctx_key.type != 4) { printerr(2, "%s: overriding heimdal keytype (%d => %d)\n", __FUNCTION__, lctx->rfc1964_kd.ctx_key.type, 4); lctx->rfc1964_kd.ctx_key.type = 4; } #endif printerr(2, "%s: serializing keys with enctype %d and length %d\n", __FUNCTION__, lctx->rfc1964_kd.ctx_key.type, lctx->rfc1964_kd.ctx_key.length); /* derive the encryption key and copy it into buffer */ enc_key.type = lctx->rfc1964_kd.ctx_key.type; enc_key.length = lctx->rfc1964_kd.ctx_key.length; if ((enc_key.data = calloc(1, enc_key.length)) == NULL) goto out_err; skd = (char *) lctx->rfc1964_kd.ctx_key.data; dkd = (char *) enc_key.data; for (i = 0; i < enc_key.length; i++) dkd[i] = skd[i] ^ 0xf0; if (write_lucid_keyblock(&p, end, &enc_key)) { free(enc_key.data); goto out_err; } free(enc_key.data); if (write_lucid_keyblock(&p, end, &lctx->rfc1964_kd.ctx_key)) goto out_err; buf->length = p - (char *)buf->value; return 0; out_err: printerr(0, "ERROR: failed serializing krb5 context for kernel\n"); if (buf->value) free(buf->value); buf->length = 0; if (enc_key.data) free(enc_key.data); return -1; } /* XXX Hack alert! XXX Do NOT submit upstream! XXX */ /* XXX Hack alert! XXX Do NOT submit upstream! XXX */ /* for 3DES */ #define KG_USAGE_SEAL 22 #define KG_USAGE_SIGN 23 #define KG_USAGE_SEQ 24 /* for rfc???? */ #define KG_USAGE_ACCEPTOR_SEAL 22 #define KG_USAGE_ACCEPTOR_SIGN 23 #define KG_USAGE_INITIATOR_SEAL 24 #define KG_USAGE_INITIATOR_SIGN 25 /* Lifted from mit src/lib/gssapi/krb5/gssapiP_krb5.h */ enum seal_alg { SEAL_ALG_NONE = 0xffff, SEAL_ALG_DES = 0x0000, SEAL_ALG_1 = 0x0001, /* not published */ SEAL_ALG_MICROSOFT_RC4 = 0x0010, /* microsoft w2k; */ SEAL_ALG_DES3KD = 0x0002 }; #define KEY_USAGE_SEED_ENCRYPTION 0xAA #define KEY_USAGE_SEED_INTEGRITY 0x55 #define KEY_USAGE_SEED_CHECKSUM 0x99 #define K5CLENGTH 5 /* Flags for version 2 context flags */ #define KRB5_CTX_FLAG_INITIATOR 0x00000001 #define KRB5_CTX_FLAG_CFX 0x00000002 #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004 /* XXX Hack alert! XXX Do NOT submit upstream! XXX */ /* XXX Hack alert! XXX Do NOT submit upstream! XXX */ /* * We don't have "legal" access to these MIT-only * structures located in libk5crypto */ extern void krb5int_enc_arcfour; extern void krb5int_enc_des3; extern void krb5int_enc_aes128; extern void krb5int_enc_aes256; extern int krb5_derive_key(); static void key_lucid_to_krb5(const gss_krb5_lucid_key_t *lin, krb5_keyblock *kout) { memset(kout, '\0', sizeof(kout)); #ifdef HAVE_KRB5 kout->enctype = lin->type; kout->length = lin->length; kout->contents = lin->data; #else kout->keytype = lin->type; kout->keyvalue.length = lin->length; kout->keyvalue.data = lin->data; #endif } static void key_krb5_to_lucid(const krb5_keyblock *kin, gss_krb5_lucid_key_t *lout) { memset(lout, '\0', sizeof(lout)); #ifdef HAVE_KRB5 lout->type = kin->enctype; lout->length = kin->length; lout->data = kin->contents; #else lout->type = kin->keytype; lout->length = kin->keyvalue.length; memcpy(lout->data, kin->keyvalue.data, kin->keyvalue.length); #endif } /* XXX Hack alert! XXX Do NOT submit upstream! XXX */ /* XXX Hack alert! XXX Do NOT submit upstream! XXX */ /* XXX Hack alert! XXX Do NOT submit upstream! XXX */ /* XXX Hack alert! XXX Do NOT submit upstream! XXX */ /* * Function to derive a new key from a given key and given constant data. */ static krb5_error_code derive_key_lucid(const gss_krb5_lucid_key_t *in, gss_krb5_lucid_key_t *out, int usage, char extra) { krb5_error_code code; unsigned char constant_data[K5CLENGTH]; krb5_data datain; int keylength; void *enc; krb5_keyblock kin, kout; /* must send krb5_keyblock, not lucid! */ #ifdef HAVE_HEIMDAL krb5_context kcontext; krb5_keyblock *outkey; #endif /* * XXX Hack alert. We don't have "legal" access to these * values and structures located in libk5crypto */ switch (in->type) { case ENCTYPE_DES3_CBC_SHA1: #ifdef HAVE_KRB5 case ENCTYPE_DES3_CBC_RAW: #endif keylength = 24; #ifdef HAVE_KRB5 enc = &krb5int_enc_des3; #endif break; case ENCTYPE_AES128_CTS_HMAC_SHA1_96: keylength = 16; #ifdef HAVE_KRB5 enc = &krb5int_enc_aes128; #endif break; case ENCTYPE_AES256_CTS_HMAC_SHA1_96: keylength = 32; #ifdef HAVE_KRB5 enc = &krb5int_enc_aes256; #endif break; default: code = KRB5_BAD_ENCTYPE; goto out; } /* allocate memory for output key */ if ((out->data = malloc(keylength)) == NULL) { code = ENOMEM; goto out; } out->length = keylength; out->type = in->type; /* Convert to correct format for call to krb5_derive_key */ key_lucid_to_krb5(in, &kin); key_lucid_to_krb5(out, &kout); datain.data = (char *) constant_data; datain.length = K5CLENGTH; ((char *)(datain.data))[0] = (usage>>24)&0xff; ((char *)(datain.data))[1] = (usage>>16)&0xff; ((char *)(datain.data))[2] = (usage>>8)&0xff; ((char *)(datain.data))[3] = usage&0xff; ((char *)(datain.data))[4] = (char) extra; #ifdef HAVE_KRB5 code = krb5_derive_key(enc, &kin, &kout, &datain); #else if ((code = krb5_init_context(&kcontext))) { } code = krb5_derive_key(kcontext, &kin, in->type, constant_data, K5CLENGTH, &outkey); #endif if (code) { free(out->data); out->data = NULL; goto out; } #ifdef HAVE_KRB5 key_krb5_to_lucid(&kout, out); #else key_krb5_to_lucid(outkey, out); krb5_free_keyblock(kcontext, outkey); krb5_free_context(kcontext); #endif out: if (code) printerr(0, "ERROR: %s: returning error %d (%s)\n", __FUNCTION__, code, error_message(code)); return (code); } /* * Prepare a new-style buffer, as defined in rfc4121 (a.k.a. cfx), * to send to the kernel for newer encryption types -- or for DES3. * * The new format is: * * u32 initiate; ( whether we are the initiator or not ) * s32 endtime; * u32 flags; * #define KRB5_CTX_FLAG_INITIATOR 0x00000001 * #define KRB5_CTX_FLAG_CFX 0x00000002 * #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004 * u64 seq_send; * u32 enctype; ( encrption type of keys ) * u32 size_of_each_key; ( size of each key in bytes ) * u32 number_of_keys; ( N -- should always be 3 for now ) * keydata-1; ( Ke ) * keydata-2; ( Ki ) * keydata-3; ( Kc ) * */ static int prepare_krb5_rfc4121_buffer(gss_krb5_lucid_context_v1_t *lctx, gss_buffer_desc *buf) { static int constant_two = 2; char *p, *end; uint32_t v2_flags = 0; gss_krb5_lucid_key_t enc_key; gss_krb5_lucid_key_t derived_key; gss_buffer_desc fakeoid; uint32_t enctype; uint32_t keysize; uint32_t numkeys; memset(&enc_key, 0, sizeof(enc_key)); memset(&fakeoid, 0, sizeof(fakeoid)); if (!(buf->value = calloc(1, MAX_CTX_LEN))) goto out_err; p = buf->value; end = buf->value + MAX_CTX_LEN; /* Version 2 */ if (WRITE_BYTES(&p, end, constant_two)) goto out_err; if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err; if (lctx->initiate) v2_flags |= KRB5_CTX_FLAG_INITIATOR; if (lctx->protocol != 0) v2_flags |= KRB5_CTX_FLAG_CFX; if (lctx->protocol != 0 && lctx->cfx_kd.have_acceptor_subkey == 1) v2_flags |= KRB5_CTX_FLAG_ACCEPTOR_SUBKEY; if (WRITE_BYTES(&p, end, v2_flags)) goto out_err; if (WRITE_BYTES(&p, end, lctx->send_seq)) goto out_err; /* Protocol 0 here implies DES3 or RC4 */ printerr(3, "protocol %d\n", lctx->protocol); if (lctx->protocol == 0) { enctype = lctx->rfc1964_kd.ctx_key.type; #ifdef HAVE_HEIMDAL /* * The kernel gss code expects ENCTYPE_DES3_CBC_RAW (6) for * 3des keys, but Heimdal key has ENCTYPE_DES3_CBC_SHA1 (16). * Force the Heimdal enctype to 6. */ if (enctype == ENCTYPE_DES3_CBC_SHA1) { printerr(2, "%s: overriding heimdal keytype (%d => %d)\n", __FUNCTION__, enctype, 6); enctype = 6; } #endif keysize = lctx->rfc1964_kd.ctx_key.length; numkeys = 3; /* XXX is always gonna be three? */ } else { if (lctx->cfx_kd.have_acceptor_subkey) { enctype = lctx->cfx_kd.acceptor_subkey.type; keysize = lctx->cfx_kd.acceptor_subkey.length; } else { enctype = lctx->cfx_kd.ctx_key.type; keysize = lctx->cfx_kd.ctx_key.length; } numkeys = 3; } printerr(3, "serializing %d keys with enctype %d and size %d\n", numkeys, enctype, keysize); if (WRITE_BYTES(&p, end, enctype)) goto out_err; if (WRITE_BYTES(&p, end, keysize)) goto out_err; if (WRITE_BYTES(&p, end, numkeys)) goto out_err; if (lctx->protocol == 0) { /* derive and send down: Ke, Ki, and Kc */ /* Ke */ if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data, lctx->rfc1964_kd.ctx_key.length)) goto out_err; /* Ki */ if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data, lctx->rfc1964_kd.ctx_key.length)) goto out_err; /* Kc */ /* * RC4 is special, it dosen't need key derivation. Actually * the Ke is based on plain text. Here we just let all three * key identical, kernel will handle everything. --ericm */ if (lctx->rfc1964_kd.ctx_key.type == ENCTYPE_ARCFOUR_HMAC) { if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data, lctx->rfc1964_kd.ctx_key.length)) goto out_err; } else { if (derive_key_lucid(&lctx->rfc1964_kd.ctx_key, &derived_key, KG_USAGE_SIGN, KEY_USAGE_SEED_CHECKSUM)) goto out_err; if (write_bytes(&p, end, derived_key.data, derived_key.length)) goto out_err; free(derived_key.data); } } else { gss_krb5_lucid_key_t *keyptr; uint32_t sign_usage, seal_usage; if (lctx->cfx_kd.have_acceptor_subkey) keyptr = &lctx->cfx_kd.acceptor_subkey; else keyptr = &lctx->cfx_kd.ctx_key; #if 0 if (lctx->initiate == 1) { sign_usage = KG_USAGE_INITIATOR_SIGN; seal_usage = KG_USAGE_INITIATOR_SEAL; } else { sign_usage = KG_USAGE_ACCEPTOR_SIGN; seal_usage = KG_USAGE_ACCEPTOR_SEAL; } #else /* FIXME * These are from rfc4142, but I don't understand: if we supply * different 'usage' value for client & server, then the peers * will have different derived keys. How could this work? * * Here we simply use old SIGN/SEAL values until we find the * answer. --ericm * FIXME */ sign_usage = KG_USAGE_SIGN; seal_usage = KG_USAGE_SEAL; #endif /* derive and send down: Ke, Ki, and Kc */ /* Ke */ if (derive_key_lucid(keyptr, &derived_key, seal_usage, KEY_USAGE_SEED_ENCRYPTION)) goto out_err; if (write_bytes(&p, end, derived_key.data, derived_key.length)) goto out_err; free(derived_key.data); /* Ki */ if (derive_key_lucid(keyptr, &derived_key, seal_usage, KEY_USAGE_SEED_INTEGRITY)) goto out_err; if (write_bytes(&p, end, derived_key.data, derived_key.length)) goto out_err; free(derived_key.data); /* Kc */ if (derive_key_lucid(keyptr, &derived_key, sign_usage, KEY_USAGE_SEED_CHECKSUM)) goto out_err; if (write_bytes(&p, end, derived_key.data, derived_key.length)) goto out_err; free(derived_key.data); } buf->length = p - (char *)buf->value; return 0; out_err: printerr(0, "ERROR: %s: failed serializing krb5 context for kernel\n", __FUNCTION__); if (buf->value) { free(buf->value); buf->value = NULL; } buf->length = 0; if (enc_key.data) { free(enc_key.data); enc_key.data = NULL; } return -1; } int serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf) { OM_uint32 maj_stat, min_stat; void *return_ctx = 0; OM_uint32 vers; gss_krb5_lucid_context_v1_t *lctx = 0; int retcode = 0; printerr(3, "lucid version!\n"); maj_stat = gss_export_lucid_sec_context(&min_stat, &ctx, 1, &return_ctx); if (maj_stat != GSS_S_COMPLETE) { pgsserr("gss_export_lucid_sec_context", maj_stat, min_stat, &krb5oid); goto out_err; } /* Check the version returned, we only support v1 right now */ vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version; switch (vers) { case 1: lctx = (gss_krb5_lucid_context_v1_t *) return_ctx; break; default: printerr(0, "ERROR: unsupported lucid sec context version %d\n", vers); goto out_err; break; } /* * Now lctx points to a lucid context that we can send down to kernel * * Note: we send down different information to the kernel depending * on the protocol version and the enctyption type. * For protocol version 0 with all enctypes besides DES3, we use * the original format. For protocol version != 0 or DES3, we * send down the new style information. */ if (lctx->protocol == 0 && lctx->rfc1964_kd.ctx_key.type <= 4) retcode = prepare_krb5_rfc1964_buffer(lctx, buf); else retcode = prepare_krb5_rfc4121_buffer(lctx, buf); maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx); if (maj_stat != GSS_S_COMPLETE) { pgsserr("gss_export_lucid_sec_context", maj_stat, min_stat, &krb5oid); printerr(0, "WARN: failed to free lucid sec context\n"); } if (retcode) { printerr(1, "%s: prepare_krb5_*_buffer failed (retcode = %d)\n", __FUNCTION__, retcode); goto out_err; } return 0; out_err: printerr(0, "ERROR: failed serializing krb5 context for kernel\n"); return -1; } #endif /* HAVE_LUCID_CONTEXT_SUPPORT */