--- /dev/null
+/* aklog.c: description
+ *
+ * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * Based on code:
+ * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ * Copyright (C) 2008 Chaskiel Grundman. All Rights Reserved.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+ * Kerberos-5 strong enctype support for rxkad:
+ * https://tools.ietf.org/html/draft-kaduk-afs3-rxkad-k5-kdf-00
+ *
+ * Invoke as: aklog-k5 <cell> [<realm>]
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <ctype.h>
+#include <keyutils.h>
+#include <krb5/krb5.h>
+#include <openssl/hmac.h>
+#include <openssl/evp.h>
+#include <openssl/des.h>
+#include <openssl/md5.h>
+#include <openssl/err.h>
+
+struct rxrpc_key_sec2_v1 {
+ uint32_t kver; /* key payload interface version */
+ uint16_t security_index; /* RxRPC header security index */
+ uint16_t ticket_length; /* length of ticket[] */
+ uint32_t expiry; /* time at which expires */
+ uint32_t kvno; /* key version number */
+ uint8_t session_key[8]; /* DES session key */
+ uint8_t ticket[0]; /* the encrypted ticket */
+};
+
+#define RXKAD_TKT_TYPE_KERBEROS_V5 256
+#define OSERROR(X, Y) do { if ((long)(X) == -1) { perror(Y); exit(1); } } while(0)
+#define OSZERROR(X, Y) do { if ((long)(X) == 0) { perror(Y); exit(1); } } while(0)
+#define KRBERROR(X, Y) do { if ((X) != 0) { const char *msg = krb5_get_error_message(k5_ctx, (X)); fprintf(stderr, "%s: %s\n", (Y), msg); krb5_free_error_message(k5_ctx, msg); exit(1); } } while(0)
+
+/*
+ * Report an error from the crypto lib.
+ */
+static void crypto_error(const char *msg)
+{
+ const char *file;
+ char buf[120];
+ int e, line;
+
+ if (ERR_peek_error() == 0)
+ return;
+ fprintf(stderr, "aklog: %s:\n", msg);
+
+ while ((e = ERR_get_error_line(&file, &line))) {
+ ERR_error_string(e, buf);
+ fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
+ }
+
+ exit(1);
+}
+
+/*
+ * Strip Triple-DES parity bits from a block.
+ *
+ * Discard the parity bits and converts an 8-octet block to a 7-octet block.
+ *
+ * See [afs3-rxkad-k5-kdf-00 §4.2] and [RFC3961 §6.3.1].
+ *
+ * [These docs number the bits weirdly. Bit '8' appears to be the LSB of the
+ * first octet, and 1 the MSB].
+ */
+static void des3_strip_parity_bits(void *random, const void *key)
+{
+ const unsigned char *k = key;
+ unsigned char *r = random, lsbs;
+ int i;
+
+ lsbs = k[7] >> 1;
+ for (i = 0; i < 7; i++) {
+ r[i] = (k[i] & 0xfe) | (lsbs & 0x1);
+ lsbs >>= 1;
+ }
+}
+
+/*
+ * Reverse the Triple-DES random-to-key operation, converting three 64-bit DES
+ * keys to 56-bit random strings and concatenate to give a 168-bit random
+ * string that can then be fed to the KDF.
+ */
+static unsigned int des3_key_to_random(void *random, const void *key, unsigned int len)
+{
+ unsigned int new_len = 0;
+
+ while (len > 8) {
+ des3_strip_parity_bits(random, key);
+ key += 8;
+ random += 7;
+ len -= 8;
+ new_len += 7;
+ }
+
+ return new_len;
+}
+
+/*
+ * The data to pass into the key derivation function.
+ */
+struct kdf_data {
+ unsigned char i_2;
+ unsigned char Label[6];
+ unsigned char L_2[4];
+} __attribute__((packed));
+
+static const struct kdf_data rxkad_kdf_data = {
+ .Label = "rxkad", /* Including NUL separator */
+ .L_2 = { 0, 0, 0, 64 }, /* BE integer */
+};
+
+/*
+ * Derive a 64-bit key we can pass to rxkad from the ticket data. The ticket
+ * data is used as the key for the HMAC-MD5 algorithm, which is used as the
+ * PRF. We then iterate over a series of constructed source strings, passing
+ * each one through the PRF until we get an MD5 output that we can cut down and
+ * use as a substitute for the DES session key that isn't too weak.
+ *
+ * [afs3-rxkad-k5-kdf-00 §4.3]
+ */
+static void key_derivation_function(krb5_creds *creds, uint8_t *session_key)
+{
+ unsigned int i, len;
+ union {
+ unsigned char md5[MD5_DIGEST_LENGTH];
+ DES_cblock des;
+ } buf;
+ const EVP_MD *algo = EVP_md5(); /* We use HMAC-MD5 */
+
+ struct kdf_data kdf_data = rxkad_kdf_data;
+
+ for (i = 1; i <= 255; i++) {
+ /* K(i) = PRF(Ks, [i]_2 || Label || 0x00 || [L]_2) */
+ kdf_data.i_2 = i;
+ len = sizeof(buf.md5);
+ if (!HMAC(algo,
+ creds->keyblock.contents, creds->keyblock.length,
+ (unsigned char *)&kdf_data, sizeof(kdf_data),
+ buf.md5, &len))
+ crypto_error("HMAC");
+
+ if (len < sizeof(buf.des)) {
+ fprintf(stderr, "aklog: HMAC returned short result\n");
+ exit(1);
+ }
+
+ /* Overlay the DES parity. */
+ DES_set_odd_parity(&buf.des);
+ if (!DES_is_weak_key(&buf.des))
+ goto success;
+ }
+
+ fprintf(stderr, "aklog: Unable to derive strong DES key\n");
+ exit(1);
+
+success:
+ memcpy(session_key, buf.des, sizeof(buf.des));
+}
+
+/*
+ * Extract or derive the session key.
+ */
+static void derive_key(krb5_creds *creds, uint8_t *session_key)
+{
+ unsigned int length = creds->keyblock.length;
+
+ switch (creds->keyblock.enctype) {
+ case ENCTYPE_NULL: goto not_supported;
+ case ENCTYPE_DES_CBC_CRC: goto just_copy;
+ case ENCTYPE_DES_CBC_MD4: goto just_copy;
+ case ENCTYPE_DES_CBC_MD5: goto just_copy;
+ case ENCTYPE_DES_CBC_RAW: goto deprecated;
+ case ENCTYPE_DES3_CBC_SHA: goto des3_discard_parity; /* des3-cbc-md5 */
+ case ENCTYPE_DES3_CBC_RAW: goto deprecated;
+ case 7: goto des3_discard_parity; /* des3-cbc-sha1 */
+ case ENCTYPE_DES_HMAC_SHA1: goto deprecated;
+ case ENCTYPE_DSA_SHA1_CMS: goto not_supported;
+ case ENCTYPE_MD5_RSA_CMS: goto not_supported;
+ case ENCTYPE_SHA1_RSA_CMS: goto not_supported;
+ case ENCTYPE_RC2_CBC_ENV: goto not_supported;
+ case ENCTYPE_RSA_ENV: goto not_supported;
+ case ENCTYPE_RSA_ES_OAEP_ENV: goto not_supported;
+ case ENCTYPE_DES3_CBC_ENV: goto not_supported;
+ case ENCTYPE_DES3_CBC_SHA1: goto des3_discard_parity; /* des3-cbc-sha1-kd */
+ default:
+ if (length < 7)
+ goto key_too_short;
+ if (creds->keyblock.enctype < 0)
+ goto not_supported;
+ goto derive_key;
+ }
+
+ /* Strip the parity bits for 3DES then do KDF [afs3-rxkad-k5-kdf-00 §4.2]. */
+des3_discard_parity:
+ if (length & 7) {
+ fprintf(stderr, "aklog: 3DES session key not multiple of 8 octets.\n");
+ exit(1);
+ }
+ creds->keyblock.length = des3_key_to_random(creds->keyblock.contents,
+ creds->keyblock.contents,
+ length);
+ goto derive_key;
+
+ /* Do KDF [afs3-rxkad-k5-kdf-00 §4.3]. */
+derive_key:
+ key_derivation_function(creds, session_key);
+ return;
+
+ /* Use as-is for single-DES [afs3-rxkad-k5-kdf-00 §4.1]. */
+just_copy:
+ if (length != 8) {
+ fprintf(stderr, "aklog: DES session key not 8 octets.\n");
+ exit(1);
+ }
+
+ memcpy(session_key, creds->keyblock.contents, length);
+ return;
+
+deprecated:
+ fprintf(stderr, "aklog: Ticket contains deprecated enc type (%d)\n",
+ creds->keyblock.enctype);
+ exit(1);
+
+not_supported:
+ fprintf(stderr, "aklog: Ticket contains unsupported enc type (%d)\n",
+ creds->keyblock.enctype);
+ exit(1);
+key_too_short:
+ fprintf(stderr, "aklog: Ticket contains short key block (%u)\n", length);
+ exit(1);
+}
+
+int main(int argc, char **argv)
+{
+ char *cell, *realm, *princ, *desc, *p;
+ int ret;
+ size_t plen;
+ struct rxrpc_key_sec2_v1 *payload;
+ krb5_error_code kresult;
+ krb5_context k5_ctx;
+ krb5_ccache cc;
+ krb5_creds search_cred, *creds;
+
+ if (argc < 2 || argc > 3) {
+ fprintf(stderr, "Usage: aklog <cell> [<realm>]\n");
+ exit(1);
+ }
+
+ cell = argv[1];
+ if (argc == 3) {
+ realm = strdup(argv[3]);
+ OSZERROR(realm, "strdup");
+ } else {
+ realm = strdup(cell);
+ OSZERROR(realm, "strdup");
+ for (p = realm; *p; p++)
+ *p = toupper(*p);
+ }
+
+ for (p = cell; *p; p++)
+ *p = tolower(*p);
+
+ ret = asprintf(&princ, "afs/%s@%s", cell, realm);
+ OSERROR(ret, "asprintf");
+ ret = asprintf(&desc, "afs@%s", cell);
+ OSERROR(ret, "asprintf");
+
+ printf("CELL %s\n", cell);
+ printf("PRINC %s\n", princ);
+
+ kresult = krb5_init_context(&k5_ctx);
+ if (kresult) { fprintf(stderr, "krb5_init_context failed\n"); exit(1); }
+
+ kresult = krb5_cc_default(k5_ctx, &cc);
+ KRBERROR(kresult, "Getting credential cache");
+
+ memset(&search_cred, 0, sizeof(krb5_creds));
+
+ kresult = krb5_cc_get_principal(k5_ctx, cc, &search_cred.client);
+ KRBERROR(kresult, "Getting client principal");
+
+ kresult = krb5_parse_name(k5_ctx, princ, &search_cred.server);
+ KRBERROR(kresult, "Parsing server principal name");
+
+ //search_cred.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
+
+ kresult = krb5_get_credentials(k5_ctx, 0, cc, &search_cred, &creds);
+ KRBERROR(kresult, "Getting tickets");
+
+ plen = sizeof(*payload) + creds->ticket.length;
+ payload = calloc(1, plen + 4);
+ if (!payload) {
+ perror("calloc");
+ exit(1);
+ }
+
+ printf("plen=%zu tklen=%u rk=%zu\n",
+ plen, creds->ticket.length, sizeof(*payload));
+
+ /* use version 1 of the key data interface */
+ payload->kver = 1;
+ payload->security_index = 2;
+ payload->ticket_length = creds->ticket.length;
+ payload->expiry = creds->times.endtime;
+ payload->kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
+
+ derive_key(creds, payload->session_key);
+ memcpy(payload->ticket, creds->ticket.data, creds->ticket.length);
+
+ ret = add_key("rxrpc", desc, payload, plen, KEY_SPEC_SESSION_KEYRING);
+ OSERROR(ret, "add_key");
+
+ krb5_free_creds(k5_ctx, creds);
+ krb5_free_cred_contents(k5_ctx, &search_cred);
+ krb5_cc_close(k5_ctx, cc);
+ krb5_free_context(k5_ctx);
+ exit(0);
+}
projects / users / dhowells / kafs-client.git / commitdiff