236 lines
9.1 KiB
Go
236 lines
9.1 KiB
Go
package gssapi
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/hmac"
|
|
"encoding/binary"
|
|
"encoding/hex"
|
|
"errors"
|
|
"fmt"
|
|
|
|
"gopkg.in/jcmturner/gokrb5.v7/crypto"
|
|
"gopkg.in/jcmturner/gokrb5.v7/iana/keyusage"
|
|
"gopkg.in/jcmturner/gokrb5.v7/types"
|
|
)
|
|
|
|
/*
|
|
From RFC 4121, section 4.2.6.2:
|
|
|
|
Use of the GSS_Wrap() call yields a token (referred as the Wrap token
|
|
in this document), which consists of a descriptive header, followed
|
|
by a body portion that contains either the input user data in
|
|
plaintext concatenated with the checksum, or the input user data
|
|
encrypted. The GSS_Wrap() token SHALL have the following format:
|
|
|
|
Octet no Name Description
|
|
--------------------------------------------------------------
|
|
0..1 TOK_ID Identification field. Tokens emitted by
|
|
GSS_Wrap() contain the hex value 05 04
|
|
expressed in big-endian order in this
|
|
field.
|
|
2 Flags Attributes field, as described in section
|
|
4.2.2.
|
|
3 Filler Contains the hex value FF.
|
|
4..5 EC Contains the "extra count" field, in big-
|
|
endian order as described in section 4.2.3.
|
|
6..7 RRC Contains the "right rotation count" in big-
|
|
endian order, as described in section
|
|
4.2.5.
|
|
8..15 SndSeqNum Sequence number field in clear text,
|
|
expressed in big-endian order.
|
|
16..last Data Encrypted data for Wrap tokens with
|
|
confidentiality, or plaintext data followed
|
|
by the checksum for Wrap tokens without
|
|
confidentiality, as described in section
|
|
4.2.4.
|
|
|
|
Quick notes:
|
|
- "EC" or "Extra Count" refers to the length of the checksum.
|
|
- "Flags" (complete details in section 4.2.2) is a set of bits:
|
|
- if bit 0 is set, it means the token was sent by the acceptor (generally the kerberized service).
|
|
- bit 1 indicates that the token's payload is encrypted
|
|
- bit 2 indicates if the message is protected using a subkey defined by the acceptor.
|
|
- When computing checksums, EC and RRC MUST be set to 0.
|
|
- Wrap Tokens are not ASN.1 encoded.
|
|
*/
|
|
const (
|
|
HdrLen = 16 // Length of the Wrap Token's header
|
|
FillerByte byte = 0xFF
|
|
)
|
|
|
|
// WrapToken represents a GSS API Wrap token, as defined in RFC 4121.
|
|
// It contains the header fields, the payload and the checksum, and provides
|
|
// the logic for converting to/from bytes plus computing and verifying checksums
|
|
type WrapToken struct {
|
|
// const GSS Token ID: 0x0504
|
|
Flags byte // contains three flags: acceptor, sealed, acceptor subkey
|
|
// const Filler: 0xFF
|
|
EC uint16 // checksum length. big-endian
|
|
RRC uint16 // right rotation count. big-endian
|
|
SndSeqNum uint64 // sender's sequence number. big-endian
|
|
Payload []byte // your data! :)
|
|
CheckSum []byte // authenticated checksum of { payload | header }
|
|
}
|
|
|
|
// Return the 2 bytes identifying a GSS API Wrap token
|
|
func getGssWrapTokenId() *[2]byte {
|
|
return &[2]byte{0x05, 0x04}
|
|
}
|
|
|
|
// Marshal the WrapToken into a byte slice.
|
|
// The payload should have been set and the checksum computed, otherwise an error is returned.
|
|
func (wt *WrapToken) Marshal() ([]byte, error) {
|
|
if wt.CheckSum == nil {
|
|
return nil, errors.New("checksum has not been set")
|
|
}
|
|
if wt.Payload == nil {
|
|
return nil, errors.New("payload has not been set")
|
|
}
|
|
|
|
pldOffset := HdrLen // Offset of the payload in the token
|
|
chkSOffset := HdrLen + len(wt.Payload) // Offset of the checksum in the token
|
|
|
|
bytes := make([]byte, chkSOffset+int(wt.EC))
|
|
copy(bytes[0:], getGssWrapTokenId()[:])
|
|
bytes[2] = wt.Flags
|
|
bytes[3] = FillerByte
|
|
binary.BigEndian.PutUint16(bytes[4:6], wt.EC)
|
|
binary.BigEndian.PutUint16(bytes[6:8], wt.RRC)
|
|
binary.BigEndian.PutUint64(bytes[8:16], wt.SndSeqNum)
|
|
copy(bytes[pldOffset:], wt.Payload)
|
|
copy(bytes[chkSOffset:], wt.CheckSum)
|
|
return bytes, nil
|
|
}
|
|
|
|
// SetCheckSum uses the passed encryption key and key usage to compute the checksum over the payload and
|
|
// the header, and sets the CheckSum field of this WrapToken.
|
|
// If the payload has not been set or the checksum has already been set, an error is returned.
|
|
func (wt *WrapToken) SetCheckSum(key types.EncryptionKey, keyUsage uint32) error {
|
|
if wt.Payload == nil {
|
|
return errors.New("payload has not been set")
|
|
}
|
|
if wt.CheckSum != nil {
|
|
return errors.New("checksum has already been computed")
|
|
}
|
|
chkSum, cErr := wt.computeCheckSum(key, keyUsage)
|
|
if cErr != nil {
|
|
return cErr
|
|
}
|
|
wt.CheckSum = chkSum
|
|
return nil
|
|
}
|
|
|
|
// ComputeCheckSum computes and returns the checksum of this token, computed using the passed key and key usage.
|
|
// Conforms to RFC 4121 in that the checksum will be computed over { body | header },
|
|
// with the EC and RRC flags zeroed out.
|
|
// In the context of Kerberos Wrap tokens, mostly keyusage GSSAPI_ACCEPTOR_SEAL (=22)
|
|
// and GSSAPI_INITIATOR_SEAL (=24) will be used.
|
|
// Note: This will NOT update the struct's Checksum field.
|
|
func (wt *WrapToken) computeCheckSum(key types.EncryptionKey, keyUsage uint32) ([]byte, error) {
|
|
if wt.Payload == nil {
|
|
return nil, errors.New("cannot compute checksum with uninitialized payload")
|
|
}
|
|
// Build a slice containing { payload | header }
|
|
checksumMe := make([]byte, HdrLen+len(wt.Payload))
|
|
copy(checksumMe[0:], wt.Payload)
|
|
copy(checksumMe[len(wt.Payload):], getChecksumHeader(wt.Flags, wt.SndSeqNum))
|
|
|
|
encType, err := crypto.GetEtype(key.KeyType)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return encType.GetChecksumHash(key.KeyValue, checksumMe, keyUsage)
|
|
}
|
|
|
|
// Build a header suitable for a checksum computation
|
|
func getChecksumHeader(flags byte, senderSeqNum uint64) []byte {
|
|
header := make([]byte, 16)
|
|
copy(header[0:], []byte{0x05, 0x04, flags, 0xFF, 0x00, 0x00, 0x00, 0x00})
|
|
binary.BigEndian.PutUint64(header[8:], senderSeqNum)
|
|
return header
|
|
}
|
|
|
|
// Verify computes the token's checksum with the provided key and usage,
|
|
// and compares it to the checksum present in the token.
|
|
// In case of any failure, (false, Err) is returned, with Err an explanatory error.
|
|
func (wt *WrapToken) Verify(key types.EncryptionKey, keyUsage uint32) (bool, error) {
|
|
computed, cErr := wt.computeCheckSum(key, keyUsage)
|
|
if cErr != nil {
|
|
return false, cErr
|
|
}
|
|
if !hmac.Equal(computed, wt.CheckSum) {
|
|
return false, fmt.Errorf(
|
|
"checksum mismatch. Computed: %s, Contained in token: %s",
|
|
hex.EncodeToString(computed), hex.EncodeToString(wt.CheckSum))
|
|
}
|
|
return true, nil
|
|
}
|
|
|
|
// Unmarshal bytes into the corresponding WrapToken.
|
|
// If expectFromAcceptor is true, we expect the token to have been emitted by the gss acceptor,
|
|
// and will check the according flag, returning an error if the token does not match the expectation.
|
|
func (wt *WrapToken) Unmarshal(b []byte, expectFromAcceptor bool) error {
|
|
// Check if we can read a whole header
|
|
if len(b) < 16 {
|
|
return errors.New("bytes shorter than header length")
|
|
}
|
|
// Is the Token ID correct?
|
|
if !bytes.Equal(getGssWrapTokenId()[:], b[0:2]) {
|
|
return fmt.Errorf("wrong Token ID. Expected %s, was %s",
|
|
hex.EncodeToString(getGssWrapTokenId()[:]),
|
|
hex.EncodeToString(b[0:2]))
|
|
}
|
|
// Check the acceptor flag
|
|
flags := b[2]
|
|
isFromAcceptor := flags&0x01 == 1
|
|
if isFromAcceptor && !expectFromAcceptor {
|
|
return errors.New("unexpected acceptor flag is set: not expecting a token from the acceptor")
|
|
}
|
|
if !isFromAcceptor && expectFromAcceptor {
|
|
return errors.New("expected acceptor flag is not set: expecting a token from the acceptor, not the initiator")
|
|
}
|
|
// Check the filler byte
|
|
if b[3] != FillerByte {
|
|
return fmt.Errorf("unexpected filler byte: expecting 0xFF, was %s ", hex.EncodeToString(b[3:4]))
|
|
}
|
|
checksumL := binary.BigEndian.Uint16(b[4:6])
|
|
// Sanity check on the checksum length
|
|
if int(checksumL) > len(b)-HdrLen {
|
|
return fmt.Errorf("inconsistent checksum length: %d bytes to parse, checksum length is %d", len(b), checksumL)
|
|
}
|
|
|
|
wt.Flags = flags
|
|
wt.EC = checksumL
|
|
wt.RRC = binary.BigEndian.Uint16(b[6:8])
|
|
wt.SndSeqNum = binary.BigEndian.Uint64(b[8:16])
|
|
wt.Payload = b[16 : len(b)-int(checksumL)]
|
|
wt.CheckSum = b[len(b)-int(checksumL):]
|
|
return nil
|
|
}
|
|
|
|
// NewInitiatorWrapToken builds a new initiator token (acceptor flag will be set to 0) and computes the authenticated checksum.
|
|
// Other flags are set to 0, and the RRC and sequence number are initialized to 0.
|
|
// Note that in certain circumstances you may need to provide a sequence number that has been defined earlier.
|
|
// This is currently not supported.
|
|
func NewInitiatorWrapToken(payload []byte, key types.EncryptionKey) (*WrapToken, error) {
|
|
encType, err := crypto.GetEtype(key.KeyType)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
token := WrapToken{
|
|
Flags: 0x00, // all zeroed out (this is a token sent by the initiator)
|
|
// Checksum size: length of output of the HMAC function, in bytes.
|
|
EC: uint16(encType.GetHMACBitLength() / 8),
|
|
RRC: 0,
|
|
SndSeqNum: 0,
|
|
Payload: payload,
|
|
}
|
|
|
|
if err := token.SetCheckSum(key, keyusage.GSSAPI_INITIATOR_SEAL); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &token, nil
|
|
}
|