1
/*
2
 * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
3
 * (Royal Institute of Technology, Stockholm, Sweden).
4
 * All rights reserved.
5
 *
6
 * Redistribution and use in source and binary forms, with or without
7
 * modification, are permitted provided that the following conditions
8
 * are met:
9
 *
10
 * 1. Redistributions of source code must retain the above copyright
11
 *    notice, this list of conditions and the following disclaimer.
12
 *
13
 * 2. Redistributions in binary form must reproduce the above copyright
14
 *    notice, this list of conditions and the following disclaimer in the
15
 *    documentation and/or other materials provided with the distribution.
16
 *
17
 * 3. Neither the name of the Institute nor the names of its contributors
18
 *    may be used to endorse or promote products derived from this software
19
 *    without specific prior written permission.
20
 *
21
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31
 * SUCH DAMAGE.
32
 */
33

34
/*
35
 * ARCFOUR
36
 */
37

38
#include "krb5_locl.h"
39

40
static struct _krb5_key_type keytype_arcfour = {
41
    ENCTYPE_ARCFOUR_HMAC_MD5,
42
    "arcfour",
43
    128,
44
    16,
45
    sizeof(struct _krb5_evp_schedule),
46
    NULL,
47
    _krb5_evp_schedule,
48
    _krb5_arcfour_salt,
49
    NULL,
50
    _krb5_evp_cleanup,
51
    EVP_rc4
52
};
53

54
/*
55
 * checksum according to section 5. of draft-brezak-win2k-krb-rc4-hmac-03.txt
56
 */
57

58
krb5_error_code
59
_krb5_HMAC_MD5_checksum(krb5_context context,
60
			struct _krb5_key_data *key,
61
			const void *data,
62
			size_t len,
63
			unsigned usage,
64
			Checksum *result)
65
{
66
    EVP_MD_CTX *m;
67
    struct _krb5_checksum_type *c = _krb5_find_checksum (CKSUMTYPE_RSA_MD5);
68
    const char signature[] = "signaturekey";
69
    Checksum ksign_c;
70
    struct _krb5_key_data ksign;
71
    krb5_keyblock kb;
72
    unsigned char t[4];
73
    unsigned char tmp[16];
74
    unsigned char ksign_c_data[16];
75
    krb5_error_code ret;
76

77
    m = EVP_MD_CTX_create();
78
    if (m == NULL) {
79
	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
80
	return ENOMEM;
81
    }
82
    ksign_c.checksum.length = sizeof(ksign_c_data);
83
    ksign_c.checksum.data   = ksign_c_data;
84
    ret = _krb5_internal_hmac(context, c, signature, sizeof(signature),
85
			      0, key, &ksign_c);
86
    if (ret) {
87
	EVP_MD_CTX_destroy(m);
88
	return ret;
89
    }
90
    ksign.key = &kb;
91
    kb.keyvalue = ksign_c.checksum;
92
    EVP_DigestInit_ex(m, EVP_md5(), NULL);
93
    t[0] = (usage >>  0) & 0xFF;
94
    t[1] = (usage >>  8) & 0xFF;
95
    t[2] = (usage >> 16) & 0xFF;
96
    t[3] = (usage >> 24) & 0xFF;
97
    EVP_DigestUpdate(m, t, 4);
98
    EVP_DigestUpdate(m, data, len);
99
    EVP_DigestFinal_ex (m, tmp, NULL);
100
    EVP_MD_CTX_destroy(m);
101

102
    ret = _krb5_internal_hmac(context, c, tmp, sizeof(tmp), 0, &ksign, result);
103
    if (ret)
104
	return ret;
105
    return 0;
106
}
107

108
struct _krb5_checksum_type _krb5_checksum_hmac_md5 = {
109
    CKSUMTYPE_HMAC_MD5,
110
    "hmac-md5",
111
    64,
112
    16,
113
    F_KEYED | F_CPROOF,
114
    _krb5_HMAC_MD5_checksum,
115
    NULL
116
};
117

118
/*
119
 * section 6 of draft-brezak-win2k-krb-rc4-hmac-03
120
 *
121
 * warning: not for small children
122
 */
123

124
static krb5_error_code
125
ARCFOUR_subencrypt(krb5_context context,
126
		   struct _krb5_key_data *key,
127
		   void *data,
128
		   size_t len,
129
		   unsigned usage,
130
		   void *ivec)
131
{
132
    EVP_CIPHER_CTX *ctx;
133
    struct _krb5_checksum_type *c = _krb5_find_checksum (CKSUMTYPE_RSA_MD5);
134
    Checksum k1_c, k2_c, k3_c, cksum;
135
    struct _krb5_key_data ke;
136
    krb5_keyblock kb;
137
    unsigned char t[4];
138
    unsigned char *cdata = data;
139
    unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16];
140
    krb5_error_code ret;
141

142
    t[0] = (usage >>  0) & 0xFF;
143
    t[1] = (usage >>  8) & 0xFF;
144
    t[2] = (usage >> 16) & 0xFF;
145
    t[3] = (usage >> 24) & 0xFF;
146

147
    k1_c.checksum.length = sizeof(k1_c_data);
148
    k1_c.checksum.data   = k1_c_data;
149

150
    ret = _krb5_internal_hmac(NULL, c, t, sizeof(t), 0, key, &k1_c);
151
    if (ret)
152
	krb5_abortx(context, "hmac failed");
153

154
    memcpy (k2_c_data, k1_c_data, sizeof(k1_c_data));
155

156
    k2_c.checksum.length = sizeof(k2_c_data);
157
    k2_c.checksum.data   = k2_c_data;
158

159
    ke.key = &kb;
160
    kb.keyvalue = k2_c.checksum;
161

162
    cksum.checksum.length = 16;
163
    cksum.checksum.data   = data;
164

165
    ret = _krb5_internal_hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum);
166
    if (ret)
167
	krb5_abortx(context, "hmac failed");
168

169
    ke.key = &kb;
170
    kb.keyvalue = k1_c.checksum;
171

172
    k3_c.checksum.length = sizeof(k3_c_data);
173
    k3_c.checksum.data   = k3_c_data;
174

175
    ret = _krb5_internal_hmac(NULL, c, data, 16, 0, &ke, &k3_c);
176
    if (ret)
177
	krb5_abortx(context, "hmac failed");
178

179
    ctx = EVP_CIPHER_CTX_new();
180
    if (ctx == NULL)
181
	krb5_abortx(context, "malloc failed");
182

183
    EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, k3_c.checksum.data, NULL, 1);
184
    EVP_Cipher(ctx, cdata + 16, cdata + 16, len - 16);
185
    EVP_CIPHER_CTX_free(ctx);
186

187
    memset (k1_c_data, 0, sizeof(k1_c_data));
188
    memset (k2_c_data, 0, sizeof(k2_c_data));
189
    memset (k3_c_data, 0, sizeof(k3_c_data));
190
    return 0;
191
}
192

193
static krb5_error_code
194
ARCFOUR_subdecrypt(krb5_context context,
195
		   struct _krb5_key_data *key,
196
		   void *data,
197
		   size_t len,
198
		   unsigned usage,
199
		   void *ivec)
200
{
201
    EVP_CIPHER_CTX *ctx;
202
    struct _krb5_checksum_type *c = _krb5_find_checksum (CKSUMTYPE_RSA_MD5);
203
    Checksum k1_c, k2_c, k3_c, cksum;
204
    struct _krb5_key_data ke;
205
    krb5_keyblock kb;
206
    unsigned char t[4];
207
    unsigned char *cdata = data;
208
    unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16];
209
    unsigned char cksum_data[16];
210
    krb5_error_code ret;
211

212
    t[0] = (usage >>  0) & 0xFF;
213
    t[1] = (usage >>  8) & 0xFF;
214
    t[2] = (usage >> 16) & 0xFF;
215
    t[3] = (usage >> 24) & 0xFF;
216

217
    k1_c.checksum.length = sizeof(k1_c_data);
218
    k1_c.checksum.data   = k1_c_data;
219

220
    ret = _krb5_internal_hmac(NULL, c, t, sizeof(t), 0, key, &k1_c);
221
    if (ret)
222
	krb5_abortx(context, "hmac failed");
223

224
    memcpy (k2_c_data, k1_c_data, sizeof(k1_c_data));
225

226
    k2_c.checksum.length = sizeof(k2_c_data);
227
    k2_c.checksum.data   = k2_c_data;
228

229
    ke.key = &kb;
230
    kb.keyvalue = k1_c.checksum;
231

232
    k3_c.checksum.length = sizeof(k3_c_data);
233
    k3_c.checksum.data   = k3_c_data;
234

235
    ret = _krb5_internal_hmac(NULL, c, cdata, 16, 0, &ke, &k3_c);
236
    if (ret)
237
	krb5_abortx(context, "hmac failed");
238

239
    ctx = EVP_CIPHER_CTX_new();
240
    if (ctx == NULL)
241
	krb5_abortx(context, "malloc failed");
242
    EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, k3_c.checksum.data, NULL, 0);
243
    EVP_Cipher(ctx, cdata + 16, cdata + 16, len - 16);
244
    EVP_CIPHER_CTX_free(ctx);
245

246
    ke.key = &kb;
247
    kb.keyvalue = k2_c.checksum;
248

249
    cksum.checksum.length = 16;
250
    cksum.checksum.data   = cksum_data;
251

252
    ret = _krb5_internal_hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum);
253
    if (ret)
254
	krb5_abortx(context, "hmac failed");
255

256
    memset (k1_c_data, 0, sizeof(k1_c_data));
257
    memset (k2_c_data, 0, sizeof(k2_c_data));
258
    memset (k3_c_data, 0, sizeof(k3_c_data));
259

260
    if (ct_memcmp (cksum.checksum.data, data, 16) != 0) {
261
	krb5_clear_error_message (context);
262
	return KRB5KRB_AP_ERR_BAD_INTEGRITY;
263
    } else {
264
	return 0;
265
    }
266
}
267

268
/*
269
 * convert the usage numbers used in
270
 * draft-ietf-cat-kerb-key-derivation-00.txt to the ones in
271
 * draft-brezak-win2k-krb-rc4-hmac-04.txt
272
 */
273

274
krb5_error_code
275
_krb5_usage2arcfour(krb5_context context, unsigned *usage)
276
{
277
    switch (*usage) {
278
    case KRB5_KU_AS_REP_ENC_PART : /* 3 */
279
	*usage = 8;
280
	return 0;
281
    case KRB5_KU_USAGE_SEAL :  /* 22 */
282
	*usage = 13;
283
	return 0;
284
    case KRB5_KU_USAGE_SIGN : /* 23 */
285
        *usage = 15;
286
        return 0;
287
    case KRB5_KU_USAGE_SEQ: /* 24 */
288
	*usage = 0;
289
	return 0;
290
    default :
291
	return 0;
292
    }
293
}
294

295
static krb5_error_code
296
ARCFOUR_encrypt(krb5_context context,
297
		struct _krb5_key_data *key,
298
		void *data,
299
		size_t len,
300
		krb5_boolean encryptp,
301
		int usage,
302
		void *ivec)
303
{
304
    krb5_error_code ret;
305
    unsigned keyusage = usage;
306

307
    if((ret = _krb5_usage2arcfour (context, &keyusage)) != 0)
308
	return ret;
309

310
    if (encryptp)
311
	return ARCFOUR_subencrypt (context, key, data, len, keyusage, ivec);
312
    else
313
	return ARCFOUR_subdecrypt (context, key, data, len, keyusage, ivec);
314
}
315

316
struct _krb5_encryption_type _krb5_enctype_arcfour_hmac_md5 = {
317
    ETYPE_ARCFOUR_HMAC_MD5,
318
    "arcfour-hmac-md5",
319
    1,
320
    1,
321
    8,
322
    &keytype_arcfour,
323
    &_krb5_checksum_hmac_md5,
324
    &_krb5_checksum_hmac_md5,
325
    F_SPECIAL,
326
    ARCFOUR_encrypt,
327
    0,
328
    NULL
329
};
330

331