2 * Copyright (c) 1995, 1996, 1997, 2002 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * Copyright 1992, 2002 by the Massachusetts Institute of Technology.
35 * All Rights Reserved.
37 * Export of this software from the United States of America may
38 * require a specific license from the United States Government.
39 * It is the responsibility of any person or organization contemplating
40 * export to obtain such a license before exporting.
42 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43 * distribute this software and its documentation for any purpose and
44 * without fee is hereby granted, provided that the above copyright
45 * notice appear in all copies and that both that copyright notice and
46 * this permission notice appear in supporting documentation, and that
47 * the name of M.I.T. not be used in advertising or publicity pertaining
48 * to distribution of the software without specific, written prior
49 * permission. Furthermore if you modify this software you must label
50 * your software as modified software and not distribute it in such a
51 * fashion that it might be confused with the original M.I.T. software.
52 * M.I.T. makes no representations about the suitability of
53 * this software for any purpose. It is provided "as is" without express
54 * or implied warranty.
57 #include <afsconfig.h>
58 #include <afs/param.h>
63 #ifdef IGNORE_SOME_GCC_WARNINGS
64 # pragma GCC diagnostic warning "-Wimplicit-function-declaration"
70 #define HC_DEPRECATED_CRYPTO
71 #include <hcrypto/md4.h>
72 #include <hcrypto/md5.h>
73 #include <hcrypto/des.h>
74 #include <hcrypto/hmac.h>
76 #include "lifetimes.h"
78 #include "rxkad_convert.h"
80 #include "v5gen-rewrite.h"
86 #define RFC3961_NO_ENUMS
87 #define RFC3961_NO_CKSUM
88 #include <afs/rfc3961.h>
91 * Principal conversion Taken from src/lib/krb5/krb/conv_princ from MIT Kerberos. If you
92 * find a need to change the services here, please consider opening a
93 * bug with MIT by sending mail to krb5-bugs@mit.edu.
103 #define DO_REALM_CONVERSION 0x00000001
106 * Kadmin doesn't do realm conversion because it's currently
107 * kadmin/REALM.NAME. Zephyr doesn't because it's just zephyr/zephyr.
109 * "Realm conversion" is a bit of a misnomer; really, the v5 name is
110 * using a FQDN or something that looks like it, where the v4 name is
111 * just using the first label. Sometimes that second principal name
112 * component is a hostname, sometimes the realm name, sometimes it's
115 * This list should probably be more configurable, and more than
116 * likely on a per-realm basis, so locally-defined services can be
119 static const struct krb_convert sconv_list
[] = {
120 /* Realm conversion, Change service name */
121 #define RC(V5NAME,V4NAME) { V5NAME, V4NAME, DO_REALM_CONVERSION, sizeof(V5NAME)-1 }
122 /* Realm conversion */
123 #define R(NAME) { NAME, NAME, DO_REALM_CONVERSION, sizeof(NAME)-1 }
124 /* No Realm conversion */
125 #define NR(NAME) { NAME, NAME, 0, sizeof(NAME)-1 }
176 krb5_des_decrypt(struct ktc_encryptionKey
*, int, void *, size_t, void *,
178 static int rxkad_derive_des_key(const void *, size_t,
179 struct ktc_encryptionKey
*);
180 static int compress_parity_bits(void *, size_t *);
183 tkt_DecodeTicket5(char *ticket
, afs_int32 ticket_len
,
184 int (*get_key
) (void *, int, struct ktc_encryptionKey
*),
185 rxkad_get_key_enctype_func get_key_enctype
,
186 char *get_key_rock
, int serv_kvno
, char *name
, char *inst
,
187 char *cell
, struct ktc_encryptionKey
*session_key
, afs_int32
* host
,
188 afs_uint32
* start
, afs_uint32
* end
, afs_int32 disableCheckdot
)
190 char plain
[MAXKRB5TICKETLEN
];
191 struct ktc_encryptionKey serv_key
;
193 size_t keysize
, allocsiz
;
194 krb5_context context
;
198 Ticket t5
; /* Must free */
199 EncTicketPart decr_part
; /* Must free */
201 size_t siz
, plainsiz
= 0;
203 char *v5_comp0
, *v5_comp1
, *c
;
204 const struct krb_convert
*p
;
206 memset(&t5
, 0, sizeof(t5
));
207 memset(&decr_part
, 0, sizeof(decr_part
));
212 return RXKADBADTICKET
; /* no ticket */
214 if (serv_kvno
== RXKAD_TKT_TYPE_KERBEROS_V5
) {
215 code
= decode_Ticket((unsigned char *)ticket
, ticket_len
, &t5
, &siz
);
222 code
= decode_EncryptedData((unsigned char *)ticket
, ticket_len
, &t5
.enc_part
, &siz
);
227 /* If kvno is null, it's probably not included because it was kvno==0
229 if (t5
.enc_part
.kvno
== NULL
) {
232 v5_serv_kvno
= *t5
.enc_part
.kvno
;
235 /* Check that the key type really fit into 8 bytes */
236 switch (t5
.enc_part
.etype
) {
237 case ETYPE_DES_CBC_CRC
:
238 case ETYPE_DES_CBC_MD4
:
239 case ETYPE_DES_CBC_MD5
:
241 if (t5
.enc_part
.cipher
.length
> sizeof(plain
)
242 || t5
.enc_part
.cipher
.length
% 8 != 0)
245 code
= (*get_key
) (get_key_rock
, v5_serv_kvno
, &serv_key
);
249 /* Decrypt data here, save in plain, assume it will shrink */
251 krb5_des_decrypt(&serv_key
, t5
.enc_part
.etype
,
252 t5
.enc_part
.cipher
.data
, t5
.enc_part
.cipher
.length
,
256 if (get_key_enctype
== NULL
)
258 code
= krb5_init_context(&context
);
261 code
= krb5_enctype_valid(context
, t5
.enc_part
.etype
);
263 krb5_free_context(context
);
266 code
= krb5_enctype_keybits(context
, t5
.enc_part
.etype
, &keysize
);
268 krb5_free_context(context
);
271 keysize
= keysize
/ 8;
273 keybuf
= rxi_Alloc(allocsiz
);
274 /* this is not quite a hole for afsconf_GetKeyByTypes. A wrapper
275 that calls afsconf_GetKeyByTypes and afsconf_typedKey_values
277 code
= get_key_enctype(get_key_rock
, v5_serv_kvno
, t5
.enc_part
.etype
,
280 rxi_Free(keybuf
, allocsiz
);
281 krb5_free_context(context
);
284 code
= krb5_keyblock_init(context
, t5
.enc_part
.etype
,
285 keybuf
, keysize
, &k
);
286 rxi_Free(keybuf
, allocsiz
);
288 krb5_free_context(context
);
291 code
= krb5_crypto_init(context
, &k
, t5
.enc_part
.etype
, &cr
);
292 krb5_free_keyblock_contents(context
, &k
);
294 krb5_free_context(context
);
297 #ifndef KRB5_KU_TICKET
298 #define KRB5_KU_TICKET 2
300 code
= krb5_decrypt(context
, cr
, KRB5_KU_TICKET
, t5
.enc_part
.cipher
.data
,
301 t5
.enc_part
.cipher
.length
, &plaindata
);
302 krb5_crypto_destroy(context
, cr
);
304 if (plaindata
.length
> MAXKRB5TICKETLEN
) {
305 krb5_data_free(&plaindata
);
306 krb5_free_context(context
);
309 memcpy(plain
, plaindata
.data
, plaindata
.length
);
310 plainsiz
= plaindata
.length
;
311 krb5_data_free(&plaindata
);
313 krb5_free_context(context
);
320 code
= decode_EncTicketPart((unsigned char *)plain
, plainsiz
, &decr_part
, &siz
);
324 /* Extract realm and principal */
325 strncpy(cell
, decr_part
.crealm
, MAXKTCNAMELEN
);
326 cell
[MAXKTCNAMELEN
- 1] = '\0';
328 switch (decr_part
.cname
.name_string
.len
) {
330 v5_comp0
= decr_part
.cname
.name_string
.val
[0];
331 v5_comp1
= decr_part
.cname
.name_string
.val
[1];
334 if (strcmp(p
->v5_str
, v5_comp0
) == 0) {
336 * It is, so set the new name now, and chop off
337 * instance's domain name if requested.
339 strncpy(name
, p
->v4_str
, MAXKTCNAMELEN
);
340 name
[MAXKTCNAMELEN
- 1] = '\0';
341 if (p
->flags
& DO_REALM_CONVERSION
) {
342 c
= strchr(v5_comp1
, '.');
343 if (!c
|| (c
- v5_comp1
) >= MAXKTCNAMELEN
- 1)
345 strncpy(inst
, v5_comp1
, c
- v5_comp1
);
346 inst
[c
- v5_comp1
] = '\0';
354 strncpy(inst
, decr_part
.cname
.name_string
.val
[1], MAXKTCNAMELEN
);
355 inst
[MAXKTCNAMELEN
- 1] = '\0';
356 strncpy(name
, decr_part
.cname
.name_string
.val
[0], MAXKTCNAMELEN
);
357 name
[MAXKTCNAMELEN
- 1] = '\0';
361 strncpy(name
, decr_part
.cname
.name_string
.val
[0], MAXKTCNAMELEN
);
362 name
[MAXKTCNAMELEN
- 1] = '\0';
368 if (!disableCheckdot
) {
370 * If the first part of the name_string contains a dot, punt since
371 * then we can't see the diffrence between the kerberos 5
372 * principals foo.root and foo/root later in the fileserver.
374 if (strchr(decr_part
.cname
.name_string
.val
[0], '.') != NULL
)
378 /* Verify that decr_part.key is of right type */
379 if (tkt_DeriveDesKey(decr_part
.key
.keytype
, decr_part
.key
.keyvalue
.data
,
380 decr_part
.key
.keyvalue
.length
, session_key
) != 0)
382 /* Check lifetimes and host addresses, flags etc */
384 time_t now
= time(0); /* Use fast time package instead??? */
385 *start
= decr_part
.authtime
;
386 if (decr_part
.starttime
)
387 *start
= *decr_part
.starttime
;
389 if (*start
- now
> CLOCK_SKEW
|| decr_part
.flags
.invalid
)
392 if (decr_part
.flags
.invalid
)
395 if (now
> decr_part
.endtime
)
397 *end
= decr_part
.endtime
;
401 if (serv_kvno
== RXKAD_TKT_TYPE_KERBEROS_V5
)
404 free_EncryptedData(&t5
.enc_part
);
405 free_EncTicketPart(&decr_part
);
406 memset(&serv_key
, 0, sizeof(serv_key
));
410 code
= RXKADUNKNOWNKEY
;
419 code
= RXKADBADTICKET
;
425 verify_checksum_md4(void *data
, size_t len
,
426 void *cksum
, size_t cksumsz
,
427 struct ktc_encryptionKey
*key
)
430 unsigned char tmp
[16];
433 MD4_Update(&md4
, data
, len
);
434 MD4_Final(tmp
, &md4
);
436 if (memcmp(tmp
, cksum
, cksumsz
) != 0)
442 verify_checksum_md5(void *data
, size_t len
,
443 void *cksum
, size_t cksumsz
,
444 struct ktc_encryptionKey
*key
)
447 unsigned char tmp
[16];
450 MD5_Update(&md5
, data
, len
);
451 MD5_Final(tmp
, &md5
);
453 if (memcmp(tmp
, cksum
, cksumsz
) != 0)
459 verify_checksum_crc(void *data
, size_t len
, void *cksum
, size_t cksumsz
,
460 struct ktc_encryptionKey
*key
)
465 _rxkad_crc_init_table();
466 crc
= _rxkad_crc_update(data
, len
, 0);
468 r
[1] = (crc
>> 8) & 0xff;
469 r
[2] = (crc
>> 16) & 0xff;
470 r
[3] = (crc
>> 24) & 0xff;
472 if (memcmp(cksum
, r
, 4) != 0)
479 krb5_des_decrypt(struct ktc_encryptionKey
*key
, int etype
, void *in
,
480 size_t insz
, void *out
, size_t * outsz
)
482 int (*cksum_func
) (void *, size_t, void *, size_t,
483 struct ktc_encryptionKey
*);
488 int ret
= 1; /* failure */
492 DES_key_sched(ktc_to_cblock(key
), &s
);
494 #define CONFOUNDERSZ 8
497 case ETYPE_DES_CBC_CRC
:
498 memcpy(&ivec
, key
, sizeof(ivec
));
500 cksum_func
= verify_checksum_crc
;
502 case ETYPE_DES_CBC_MD4
:
503 memset(&ivec
, 0, sizeof(ivec
));
505 cksum_func
= verify_checksum_md4
;
507 case ETYPE_DES_CBC_MD5
:
508 memset(&ivec
, 0, sizeof(ivec
));
510 cksum_func
= verify_checksum_md5
;
516 DES_cbc_encrypt(in
, out
, insz
, &s
, &ivec
, 0);
518 memcpy(cksum
, (char *)out
+ CONFOUNDERSZ
, cksumsz
);
519 memset((char *)out
+ CONFOUNDERSZ
, 0, cksumsz
);
522 ret
= (*cksum_func
) (out
, insz
, cksum
, cksumsz
, key
);
524 *outsz
= insz
- CONFOUNDERSZ
- cksumsz
;
525 memmove(out
, (char *)out
+ CONFOUNDERSZ
+ cksumsz
, *outsz
);
531 tkt_MakeTicket5(char *ticket
, int *ticketLen
, int enctype
, int *kvno
,
532 void *key
, size_t keylen
,
533 char *name
, char *inst
, char *cell
, afs_uint32 start
,
534 afs_uint32 end
, struct ktc_encryptionKey
*sessionKey
,
535 char *sname
, char *sinst
)
538 EncryptedData encdata
;
539 unsigned char *buf
, *encodebuf
;
540 size_t encodelen
, allocsiz
;
541 heim_general_string carray
[2];
543 krb5_context context
;
549 memset(&encrypted
, 0, sizeof(encrypted
));
553 memset(&kb
, 0, sizeof(kb
));
554 memset(&data
, 0, sizeof(data
));
556 data
.flags
.transited_policy_checked
= 1;
557 data
.key
.keytype
=ETYPE_DES_CBC_CRC
;
558 data
.key
.keyvalue
.data
=sessionKey
->data
;
559 data
.key
.keyvalue
.length
=8;
563 data
.cname
.name_type
=KRB5_NT_PRINCIPAL
;
564 data
.cname
.name_string
.val
=carray
;
565 data
.cname
.name_string
.len
=inst
[0]?2:1;
569 allocsiz
= length_EncTicketPart(&data
);
570 buf
= rxi_Alloc(allocsiz
);
571 encodelen
= allocsiz
;
572 /* encode function wants pointer to end of buffer */
573 encodebuf
= buf
+ allocsiz
- 1;
574 code
= encode_EncTicketPart(encodebuf
, allocsiz
, &data
, &encodelen
);
578 code
= krb5_init_context(&context
);
581 code
= krb5_keyblock_init(context
, enctype
, key
, keylen
, &kb
);
584 code
= krb5_crypto_init(context
, &kb
, enctype
, &cr
);
587 code
= krb5_encrypt(context
, cr
, KRB5_KU_TICKET
, buf
,
588 encodelen
, &encrypted
);
591 memset(&encdata
, 0, sizeof(encdata
));
592 encdata
.etype
=enctype
;
594 encdata
.cipher
.data
=encrypted
.data
;
595 encdata
.cipher
.length
=encrypted
.length
;
597 if (length_EncryptedData(&encdata
) > *ticketLen
) {
598 code
= RXKADTICKETLEN
;
602 code
= encode_EncryptedData((unsigned char *)ticket
+ *ticketLen
- 1, *ticketLen
, &encdata
, &tl
);
604 *kvno
=RXKAD_TKT_TYPE_KERBEROS_V5_ENCPART_ONLY
;
606 * encode function fills in from the end. move data to
607 * beginning of buffer
609 memmove(ticket
, ticket
+ *ticketLen
- tl
, tl
);
614 krb5_data_free(&encrypted
);
616 krb5_crypto_destroy(context
, cr
);
617 krb5_free_keyblock_contents(context
, &kb
);
618 krb5_free_context(context
);
619 rxi_Free(buf
, allocsiz
);
620 if ((code
& 0xFFFFFF00) == ERROR_TABLE_BASE_asn1
)
621 return RXKADINCONSISTENCY
;
626 * Use NIST SP800-108 with HMAC(MD5) in counter mode as the PRF to derive a
627 * des key from another type of key.
629 * L is 64, as we take 64 random bits and turn them into a 56-bit des key.
630 * The output of hmac_md5 is 128 bits; we take the first 64 only, so n
631 * properly should be 1. However, we apply a slight variation due to the
632 * possibility of producing a weak des key. If the output key is weak, do NOT
633 * simply correct it, instead, the counter is advanced and the next output
634 * used. As such, we code so as to have n be the full 255 permitted by our
635 * encoding of the counter i in an 8-bit field. L itself is encoded as a
636 * 32-bit field, big-endian. We use the constant string "rxkad" as a label
637 * for this key derivation, the standard NUL byte separator, and omit a
638 * key-derivation context. The input key is unique to the krb5 service ticket,
639 * which is unlikely to be used in an other location. If it is used in such
640 * a fashion, both locations will derive the same des key from the PRF, but
641 * this is no different from if a krb5 des key had been used in the same way,
642 * as traditional krb5 rxkad uses the ticket session key directly as the token
646 rxkad_derive_des_key(const void *in
, size_t insize
,
647 struct ktc_encryptionKey
*out
)
650 char Lbuf
[4]; /* bits of output, as 32 bit word, MSB first */
651 char tmp
[64]; /* only needs to be 16 for md5, but lets be sure it fits */
661 /* stop when 8 bit counter wraps to 0 */
662 for (i
= 1; i
; i
++) {
663 HMAC_CTX_init(&mctx
);
664 HMAC_Init_ex(&mctx
, in
, insize
, EVP_md5(), NULL
);
665 HMAC_Update(&mctx
, &i
, 1);
666 HMAC_Update(&mctx
, "rxkad", strlen("rxkad") + 1); /* includes label and separator */
667 HMAC_Update(&mctx
, Lbuf
, 4);
668 mdsize
= sizeof(tmp
);
669 HMAC_Final(&mctx
, tmp
, &mdsize
);
670 memcpy(ktmp
, tmp
, 8);
671 DES_set_odd_parity(&ktmp
);
672 if (!DES_is_weak_key(&ktmp
)) {
673 memcpy(out
->data
, ktmp
, 8);
681 * This is the inverse of the random-to-key for 3des specified in
682 * rfc3961, converting blocks of 8 bytes to blocks of 7 bytes by distributing
683 * the bits of each 8th byte as the lsb of the previous 7 bytes.
686 compress_parity_bits(void *buffer
, size_t *bufsiz
)
688 unsigned char *cb
, tmp
;
691 if (*bufsiz
% 8 != 0)
693 cb
= (unsigned char *)buffer
;
695 for (i
= 0; i
< nk
; i
++) {
696 tmp
= cb
[8 * i
+ 7] >> 1;
697 for (j
= 0; j
< 7; j
++) {
698 cb
[8 * i
+ j
] &= 0xfe;
699 cb
[8 * i
+ j
] |= tmp
& 0x1;
703 for (i
= 1; i
< nk
; i
++)
704 memmove(cb
+ 7 * i
, cb
+ 8 * i
, 7);
710 * Enctype-specific knowledge about how to derive a des key from a given
711 * key. If given a des key, use it directly; otherwise, perform any
712 * parity fixup that may be needed and pass through to the hmad-md5 bits.
715 tkt_DeriveDesKey(int enctype
, void *keydata
, size_t keylen
,
716 struct ktc_encryptionKey
*output
)
719 case ETYPE_DES_CBC_CRC
:
720 case ETYPE_DES_CBC_MD4
:
721 case ETYPE_DES_CBC_MD5
:
725 /* Extract session key */
726 memcpy(output
, keydata
, 8);
740 /*In order to become a "Cryptographic Key" as specified in
741 * SP800-108, it must be indistinguishable from a random bitstring. */
742 case ETYPE_DES3_CBC_MD5
:
743 case ETYPE_OLD_DES3_CBC_SHA1
:
744 case ETYPE_DES3_CBC_SHA1
:
745 if (compress_parity_bits(keydata
, &keylen
))
753 if (rxkad_derive_des_key(keydata
, keylen
, output
) != 0)