vendor/gopkg.in/jcmturner/gokrb5.v7/gssapi/wrapToken.go - bbsim - Gitiles

 package gssapi

 import (
 	"bytes"
 	"crypto/hmac"
 	"encoding/binary"
 	"encoding/hex"
 	"errors"
 	"fmt"

 	"gopkg.in/jcmturner/gokrb5.v7/crypto"
 	"gopkg.in/jcmturner/gokrb5.v7/iana/keyusage"
 	"gopkg.in/jcmturner/gokrb5.v7/types"
 )

 /*
 From RFC 4121, section 4.2.6.2:

    Use of the GSS_Wrap() call yields a token (referred as the Wrap token
    in this document), which consists of a descriptive header, followed
    by a body portion that contains either the input user data in
    plaintext concatenated with the checksum, or the input user data
    encrypted.  The GSS_Wrap() token SHALL have the following format:

          Octet no   Name        Description
          --------------------------------------------------------------
           0..1     TOK_ID    Identification field.  Tokens emitted by
                              GSS_Wrap() contain the hex value 05 04
                              expressed in big-endian order in this
                              field.
           2        Flags     Attributes field, as described in section
                              4.2.2.
           3        Filler    Contains the hex value FF.
           4..5     EC        Contains the "extra count" field, in big-
                              endian order as described in section 4.2.3.
           6..7     RRC       Contains the "right rotation count" in big-
                              endian order, as described in section
                              4.2.5.
           8..15    SndSeqNum   Sequence number field in clear text,
                              expressed in big-endian order.
           16..last Data      Encrypted data for Wrap tokens with
                              confidentiality, or plaintext data followed
                              by the checksum for Wrap tokens without
                              confidentiality, as described in section
                              4.2.4.

 Quick notes:
 	- "EC" or "Extra Count" refers to the length of the checksum.
 	- "Flags" (complete details in section 4.2.2) is a set of bits:
 		- if bit 0 is set, it means the token was sent by the acceptor (generally the kerberized service).
 		- bit 1 indicates that the token's payload is encrypted
  		- bit 2 indicates if the message is protected using a subkey defined by the acceptor.
 	- When computing checksums, EC and RRC MUST be set to 0.
     - Wrap Tokens are not ASN.1 encoded.
 */
 const (
 	HdrLen          = 16 // Length of the Wrap Token's header
 	FillerByte byte = 0xFF
 )

 // WrapToken represents a GSS API Wrap token, as defined in RFC 4121.
 // It contains the header fields, the payload and the checksum, and provides
 // the logic for converting to/from bytes plus computing and verifying checksums
 type WrapToken struct {
 	// const GSS Token ID: 0x0504
 	Flags byte // contains three flags: acceptor, sealed, acceptor subkey
 	// const Filler: 0xFF
 	EC        uint16 // checksum length. big-endian
 	RRC       uint16 // right rotation count. big-endian
 	SndSeqNum uint64 // sender's sequence number. big-endian
 	Payload   []byte // your data! :)
 	CheckSum  []byte // authenticated checksum of { payload | header }
 }

 // Return the 2 bytes identifying a GSS API Wrap token
 func getGssWrapTokenId() *[2]byte {
 	return &[2]byte{0x05, 0x04}
 }

 // Marshal the WrapToken into a byte slice.
 // The payload should have been set and the checksum computed, otherwise an error is returned.
 func (wt *WrapToken) Marshal() ([]byte, error) {
 	if wt.CheckSum == nil {
 		return nil, errors.New("checksum has not been set")
 	}
 	if wt.Payload == nil {
 		return nil, errors.New("payload has not been set")
 	}

 	pldOffset := HdrLen                    // Offset of the payload in the token
 	chkSOffset := HdrLen + len(wt.Payload) // Offset of the checksum in the token

 	bytes := make([]byte, chkSOffset+int(wt.EC))
 	copy(bytes[0:], getGssWrapTokenId()[:])
 	bytes[2] = wt.Flags
 	bytes[3] = FillerByte
 	binary.BigEndian.PutUint16(bytes[4:6], wt.EC)
 	binary.BigEndian.PutUint16(bytes[6:8], wt.RRC)
 	binary.BigEndian.PutUint64(bytes[8:16], wt.SndSeqNum)
 	copy(bytes[pldOffset:], wt.Payload)
 	copy(bytes[chkSOffset:], wt.CheckSum)
 	return bytes, nil
 }

 // SetCheckSum uses the passed encryption key and key usage to compute the checksum over the payload and
 // the header, and sets the CheckSum field of this WrapToken.
 // If the payload has not been set or the checksum has already been set, an error is returned.
 func (wt *WrapToken) SetCheckSum(key types.EncryptionKey, keyUsage uint32) error {
 	if wt.Payload == nil {
 		return errors.New("payload has not been set")
 	}
 	if wt.CheckSum != nil {
 		return errors.New("checksum has already been computed")
 	}
 	chkSum, cErr := wt.computeCheckSum(key, keyUsage)
 	if cErr != nil {
 		return cErr
 	}
 	wt.CheckSum = chkSum
 	return nil
 }

 // ComputeCheckSum computes and returns the checksum of this token, computed using the passed key and key usage.
 // Conforms to RFC 4121 in that the checksum will be computed over { body | header },
 // with the EC and RRC flags zeroed out.
 // In the context of Kerberos Wrap tokens, mostly keyusage GSSAPI_ACCEPTOR_SEAL (=22)
 // and GSSAPI_INITIATOR_SEAL (=24) will be used.
 // Note: This will NOT update the struct's Checksum field.
 func (wt *WrapToken) computeCheckSum(key types.EncryptionKey, keyUsage uint32) ([]byte, error) {
 	if wt.Payload == nil {
 		return nil, errors.New("cannot compute checksum with uninitialized payload")
 	}
 	// Build a slice containing { payload | header }
 	checksumMe := make([]byte, HdrLen+len(wt.Payload))
 	copy(checksumMe[0:], wt.Payload)
 	copy(checksumMe[len(wt.Payload):], getChecksumHeader(wt.Flags, wt.SndSeqNum))

 	encType, err := crypto.GetEtype(key.KeyType)
 	if err != nil {
 		return nil, err
 	}
 	return encType.GetChecksumHash(key.KeyValue, checksumMe, keyUsage)
 }

 // Build a header suitable for a checksum computation
 func getChecksumHeader(flags byte, senderSeqNum uint64) []byte {
 	header := make([]byte, 16)
 	copy(header[0:], []byte{0x05, 0x04, flags, 0xFF, 0x00, 0x00, 0x00, 0x00})
 	binary.BigEndian.PutUint64(header[8:], senderSeqNum)
 	return header
 }

 // Verify computes the token's checksum with the provided key and usage,
 // and compares it to the checksum present in the token.
 // In case of any failure, (false, Err) is returned, with Err an explanatory error.
 func (wt *WrapToken) Verify(key types.EncryptionKey, keyUsage uint32) (bool, error) {
 	computed, cErr := wt.computeCheckSum(key, keyUsage)
 	if cErr != nil {
 		return false, cErr
 	}
 	if !hmac.Equal(computed, wt.CheckSum) {
 		return false, fmt.Errorf(
 			"checksum mismatch. Computed: %s, Contained in token: %s",
 			hex.EncodeToString(computed), hex.EncodeToString(wt.CheckSum))
 	}
 	return true, nil
 }

 // Unmarshal bytes into the corresponding WrapToken.
 // If expectFromAcceptor is true, we expect the token to have been emitted by the gss acceptor,
 // and will check the according flag, returning an error if the token does not match the expectation.
 func (wt *WrapToken) Unmarshal(b []byte, expectFromAcceptor bool) error {
 	// Check if we can read a whole header
 	if len(b) < 16 {
 		return errors.New("bytes shorter than header length")
 	}
 	// Is the Token ID correct?
 	if !bytes.Equal(getGssWrapTokenId()[:], b[0:2]) {
 		return fmt.Errorf("wrong Token ID. Expected %s, was %s",
 			hex.EncodeToString(getGssWrapTokenId()[:]),
 			hex.EncodeToString(b[0:2]))
 	}
 	// Check the acceptor flag
 	flags := b[2]
 	isFromAcceptor := flags&0x01 == 1
 	if isFromAcceptor && !expectFromAcceptor {
 		return errors.New("unexpected acceptor flag is set: not expecting a token from the acceptor")
 	}
 	if !isFromAcceptor && expectFromAcceptor {
 		return errors.New("expected acceptor flag is not set: expecting a token from the acceptor, not the initiator")
 	}
 	// Check the filler byte
 	if b[3] != FillerByte {
 		return fmt.Errorf("unexpected filler byte: expecting 0xFF, was %s ", hex.EncodeToString(b[3:4]))
 	}
 	checksumL := binary.BigEndian.Uint16(b[4:6])
 	// Sanity check on the checksum length
 	if int(checksumL) > len(b)-HdrLen {
 		return fmt.Errorf("inconsistent checksum length: %d bytes to parse, checksum length is %d", len(b), checksumL)
 	}

 	wt.Flags = flags
 	wt.EC = checksumL
 	wt.RRC = binary.BigEndian.Uint16(b[6:8])
 	wt.SndSeqNum = binary.BigEndian.Uint64(b[8:16])
 	wt.Payload = b[16 : len(b)-int(checksumL)]
 	wt.CheckSum = b[len(b)-int(checksumL):]
 	return nil
 }

 // NewInitiatorWrapToken builds a new initiator token (acceptor flag will be set to 0) and computes the authenticated checksum.
 // Other flags are set to 0, and the RRC and sequence number are initialized to 0.
 // Note that in certain circumstances you may need to provide a sequence number that has been defined earlier.
 // This is currently not supported.
 func NewInitiatorWrapToken(payload []byte, key types.EncryptionKey) (*WrapToken, error) {
 	encType, err := crypto.GetEtype(key.KeyType)
 	if err != nil {
 		return nil, err
 	}

 	token := WrapToken{
 		Flags: 0x00, // all zeroed out (this is a token sent by the initiator)
 		// Checksum size: length of output of the HMAC function, in bytes.
 		EC:        uint16(encType.GetHMACBitLength() / 8),
 		RRC:       0,
 		SndSeqNum: 0,
 		Payload:   payload,
 	}

 	if err := token.SetCheckSum(key, keyusage.GSSAPI_INITIATOR_SEAL); err != nil {
 		return nil, err
 	}

 	return &token, nil
 }
	package gssapi

	import (
	"bytes"
	"crypto/hmac"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"

	"gopkg.in/jcmturner/gokrb5.v7/crypto"
	"gopkg.in/jcmturner/gokrb5.v7/iana/keyusage"
	"gopkg.in/jcmturner/gokrb5.v7/types"
	)

	/*
	From RFC 4121, section 4.2.6.2:

	Use of the GSS_Wrap() call yields a token (referred as the Wrap token
	in this document), which consists of a descriptive header, followed
	by a body portion that contains either the input user data in
	plaintext concatenated with the checksum, or the input user data
	encrypted. The GSS_Wrap() token SHALL have the following format:

	Octet no Name Description
	--------------------------------------------------------------
	0..1 TOK_ID Identification field. Tokens emitted by
	GSS_Wrap() contain the hex value 05 04
	expressed in big-endian order in this
	field.
	2 Flags Attributes field, as described in section
	4.2.2.
	3 Filler Contains the hex value FF.
	4..5 EC Contains the "extra count" field, in big-
	endian order as described in section 4.2.3.
	6..7 RRC Contains the "right rotation count" in big-
	endian order, as described in section
	4.2.5.
	8..15 SndSeqNum Sequence number field in clear text,
	expressed in big-endian order.
	16..last Data Encrypted data for Wrap tokens with
	confidentiality, or plaintext data followed
	by the checksum for Wrap tokens without
	confidentiality, as described in section
	4.2.4.

	Quick notes:
	- "EC" or "Extra Count" refers to the length of the checksum.
	- "Flags" (complete details in section 4.2.2) is a set of bits:
	- if bit 0 is set, it means the token was sent by the acceptor (generally the kerberized service).
	- bit 1 indicates that the token's payload is encrypted
	- bit 2 indicates if the message is protected using a subkey defined by the acceptor.
	- When computing checksums, EC and RRC MUST be set to 0.
	- Wrap Tokens are not ASN.1 encoded.
	*/
	const (
	HdrLen = 16 // Length of the Wrap Token's header
	FillerByte byte = 0xFF
	)

	// WrapToken represents a GSS API Wrap token, as defined in RFC 4121.
	// It contains the header fields, the payload and the checksum, and provides
	// the logic for converting to/from bytes plus computing and verifying checksums
	type WrapToken struct {
	// const GSS Token ID: 0x0504
	Flags byte // contains three flags: acceptor, sealed, acceptor subkey
	// const Filler: 0xFF
	EC uint16 // checksum length. big-endian
	RRC uint16 // right rotation count. big-endian
	SndSeqNum uint64 // sender's sequence number. big-endian
	Payload []byte // your data! :)
	CheckSum []byte // authenticated checksum of { payload \| header }
	}

	// Return the 2 bytes identifying a GSS API Wrap token
	func getGssWrapTokenId() *[2]byte {
	return &[2]byte{0x05, 0x04}
	}

	// Marshal the WrapToken into a byte slice.
	// The payload should have been set and the checksum computed, otherwise an error is returned.
	func (wt *WrapToken) Marshal() ([]byte, error) {
	if wt.CheckSum == nil {
	return nil, errors.New("checksum has not been set")
	}
	if wt.Payload == nil {
	return nil, errors.New("payload has not been set")
	}

	pldOffset := HdrLen // Offset of the payload in the token
	chkSOffset := HdrLen + len(wt.Payload) // Offset of the checksum in the token

	bytes := make([]byte, chkSOffset+int(wt.EC))
	copy(bytes[0:], getGssWrapTokenId()[:])
	bytes[2] = wt.Flags
	bytes[3] = FillerByte
	binary.BigEndian.PutUint16(bytes[4:6], wt.EC)
	binary.BigEndian.PutUint16(bytes[6:8], wt.RRC)
	binary.BigEndian.PutUint64(bytes[8:16], wt.SndSeqNum)
	copy(bytes[pldOffset:], wt.Payload)
	copy(bytes[chkSOffset:], wt.CheckSum)
	return bytes, nil
	}

	// SetCheckSum uses the passed encryption key and key usage to compute the checksum over the payload and
	// the header, and sets the CheckSum field of this WrapToken.
	// If the payload has not been set or the checksum has already been set, an error is returned.
	func (wt *WrapToken) SetCheckSum(key types.EncryptionKey, keyUsage uint32) error {
	if wt.Payload == nil {
	return errors.New("payload has not been set")
	}
	if wt.CheckSum != nil {
	return errors.New("checksum has already been computed")
	}
	chkSum, cErr := wt.computeCheckSum(key, keyUsage)
	if cErr != nil {
	return cErr
	}
	wt.CheckSum = chkSum
	return nil
	}

	// ComputeCheckSum computes and returns the checksum of this token, computed using the passed key and key usage.
	// Conforms to RFC 4121 in that the checksum will be computed over { body \| header },
	// with the EC and RRC flags zeroed out.
	// In the context of Kerberos Wrap tokens, mostly keyusage GSSAPI_ACCEPTOR_SEAL (=22)
	// and GSSAPI_INITIATOR_SEAL (=24) will be used.
	// Note: This will NOT update the struct's Checksum field.
	func (wt *WrapToken) computeCheckSum(key types.EncryptionKey, keyUsage uint32) ([]byte, error) {
	if wt.Payload == nil {
	return nil, errors.New("cannot compute checksum with uninitialized payload")
	}
	// Build a slice containing { payload \| header }
	checksumMe := make([]byte, HdrLen+len(wt.Payload))
	copy(checksumMe[0:], wt.Payload)
	copy(checksumMe[len(wt.Payload):], getChecksumHeader(wt.Flags, wt.SndSeqNum))

	encType, err := crypto.GetEtype(key.KeyType)
	if err != nil {
	return nil, err
	}
	return encType.GetChecksumHash(key.KeyValue, checksumMe, keyUsage)
	}

	// Build a header suitable for a checksum computation
	func getChecksumHeader(flags byte, senderSeqNum uint64) []byte {
	header := make([]byte, 16)
	copy(header[0:], []byte{0x05, 0x04, flags, 0xFF, 0x00, 0x00, 0x00, 0x00})
	binary.BigEndian.PutUint64(header[8:], senderSeqNum)
	return header
	}

	// Verify computes the token's checksum with the provided key and usage,
	// and compares it to the checksum present in the token.
	// In case of any failure, (false, Err) is returned, with Err an explanatory error.
	func (wt *WrapToken) Verify(key types.EncryptionKey, keyUsage uint32) (bool, error) {
	computed, cErr := wt.computeCheckSum(key, keyUsage)
	if cErr != nil {
	return false, cErr
	}
	if !hmac.Equal(computed, wt.CheckSum) {
	return false, fmt.Errorf(
	"checksum mismatch. Computed: %s, Contained in token: %s",
	hex.EncodeToString(computed), hex.EncodeToString(wt.CheckSum))
	}
	return true, nil
	}

	// Unmarshal bytes into the corresponding WrapToken.
	// If expectFromAcceptor is true, we expect the token to have been emitted by the gss acceptor,
	// and will check the according flag, returning an error if the token does not match the expectation.
	func (wt *WrapToken) Unmarshal(b []byte, expectFromAcceptor bool) error {
	// Check if we can read a whole header
	if len(b) < 16 {
	return errors.New("bytes shorter than header length")
	}
	// Is the Token ID correct?
	if !bytes.Equal(getGssWrapTokenId()[:], b[0:2]) {
	return fmt.Errorf("wrong Token ID. Expected %s, was %s",
	hex.EncodeToString(getGssWrapTokenId()[:]),
	hex.EncodeToString(b[0:2]))
	}
	// Check the acceptor flag
	flags := b[2]
	isFromAcceptor := flags&0x01 == 1
	if isFromAcceptor && !expectFromAcceptor {
	return errors.New("unexpected acceptor flag is set: not expecting a token from the acceptor")
	}
	if !isFromAcceptor && expectFromAcceptor {
	return errors.New("expected acceptor flag is not set: expecting a token from the acceptor, not the initiator")
	}
	// Check the filler byte
	if b[3] != FillerByte {
	return fmt.Errorf("unexpected filler byte: expecting 0xFF, was %s ", hex.EncodeToString(b[3:4]))
	}
	checksumL := binary.BigEndian.Uint16(b[4:6])
	// Sanity check on the checksum length
	if int(checksumL) > len(b)-HdrLen {
	return fmt.Errorf("inconsistent checksum length: %d bytes to parse, checksum length is %d", len(b), checksumL)
	}

	wt.Flags = flags
	wt.EC = checksumL
	wt.RRC = binary.BigEndian.Uint16(b[6:8])
	wt.SndSeqNum = binary.BigEndian.Uint64(b[8:16])
	wt.Payload = b[16 : len(b)-int(checksumL)]
	wt.CheckSum = b[len(b)-int(checksumL):]
	return nil
	}

	// NewInitiatorWrapToken builds a new initiator token (acceptor flag will be set to 0) and computes the authenticated checksum.
	// Other flags are set to 0, and the RRC and sequence number are initialized to 0.
	// Note that in certain circumstances you may need to provide a sequence number that has been defined earlier.
	// This is currently not supported.
	func NewInitiatorWrapToken(payload []byte, key types.EncryptionKey) (*WrapToken, error) {
	encType, err := crypto.GetEtype(key.KeyType)
	if err != nil {
	return nil, err
	}

	token := WrapToken{
	Flags: 0x00, // all zeroed out (this is a token sent by the initiator)
	// Checksum size: length of output of the HMAC function, in bytes.
	EC: uint16(encType.GetHMACBitLength() / 8),
	RRC: 0,
	SndSeqNum: 0,
	Payload: payload,
	}

	if err := token.SetCheckSum(key, keyusage.GSSAPI_INITIATOR_SEAL); err != nil {
	return nil, err
	}

	return &token, nil
	}