Module: Rex::Proto::Kerberos::Crypto::GssNewEncryptionType

Included in:

AesBlockCipherBase

Defined in:

lib/rex/proto/kerberos/crypto/gss_new_encryption_type.rb

Overview

The RFC4121 implementation of GSS wrapping (Section 4.2.6.2) which applies to “newer encryption types” (defined as those not in section 1 of RFC4121) This mixin may be included by Encryption providers in Rex::Proto::Kerberos::Crypto

Constant Summary

GSS_SENT_BY_ACCEPTOR =

1

GSS_SEALED =

2

GSS_ACCEPTOR_SUBKEY =

4

GSS_HEADER_LEN =

The length of the GSS header

16

TOK_ID_GSS_WRAP =

0x0504

Instance Method Summary

• #calculate_encrypted_length(plaintext_len) ⇒ Object
• #gss_unwrap(ciphertext, key, expected_sequence_number, is_initiator, opts = {}) ⇒ Object
• #gss_wrap(plaintext, key, sequence_number, is_initiator, opts = {}) ⇒ String, Integer

  Encrypt the message, wrapping it in GSS structures.

Instance Method Details

#calculate_encrypted_length(plaintext_len) ⇒ Object

# File 'lib/rex/proto/kerberos/crypto/gss_new_encryption_type.rb', line 91

def calculate_encrypted_length(plaintext_len)
  plaintext_len
end

#gss_unwrap(ciphertext, key, expected_sequence_number, is_initiator, opts = {}) ⇒ Object

Parameters:

• options (Hash) —

  a customizable set of options

Raises:

• (Rex::Proto::Kerberos::Model::Error::KerberosError)

# File 'lib/rex/proto/kerberos/crypto/gss_new_encryption_type.rb', line 59

def gss_unwrap(ciphertext, key, expected_sequence_number, is_initiator, opts={})
  use_acceptor_subkey = opts.fetch(:use_acceptor_subkey) { true }
  # Handle wrap-around
  sequence_number &= 0xFFFFFFFFFFFFFFFF

  expected_flags = GSS_SEALED
  expected_flags |= GSS_ACCEPTOR_SUBKEY if use_acceptor_subkey

  if is_initiator
    key_usage = Rex::Proto::Kerberos::Crypto::KeyUsage::GSS_ACCEPTOR_SEAL
    expected_flags |= GSS_SENT_BY_ACCEPTOR
  else
    key_usage = Rex::Proto::Kerberos::Crypto::KeyUsage::GSS_INITIATOR_SEAL
  end
  header = ciphertext[0,GSS_HEADER_LEN]
  ciphertext = ciphertext[GSS_HEADER_LEN, ciphertext.length]

  tok_id, flags, filler, ec, rrc, snd_seq = header.unpack('nCCnnQ>')
  raise Rex::Proto::Kerberos::Model::Error::KerberosError, 'Invalid token ID' unless tok_id == TOK_ID_GSS_WRAP
  raise Rex::Proto::Kerberos::Model::Error::KerberosError, 'Invalid filler' unless filler == 0xFF
  raise Rex::Proto::Kerberos::Model::Error::KerberosError, 'Unexpected flags' unless flags == expected_flags
  raise Rex::Proto::Kerberos::Model::Error::KerberosError, "Invalid sequence number (received #{snd_seq}; expected #{expected_sequence_number})" unless expected_sequence_number == snd_seq

  # Could do some sanity checking here of those values
  ciphertext = rotate(ciphertext, -(rrc+ec))

  plaintext = self.decrypt(ciphertext, key.value, key_usage)

  plaintext = plaintext[0, plaintext.length - ec - GSS_HEADER_LEN]
  plaintext
end

#gss_wrap(plaintext, key, sequence_number, is_initiator, opts = {}) ⇒ String, Integer

Encrypt the message, wrapping it in GSS structures

Parameters:

• options (Hash) —

  a customizable set of options

Returns:

• (String, Integer, Integer) —

  The encrypted data, the length of its header, and the length of padding added to it prior to encryption

# File 'lib/rex/proto/kerberos/crypto/gss_new_encryption_type.rb', line 24

def gss_wrap(plaintext, key, sequence_number, is_initiator, opts={})
  use_acceptor_subkey = opts.fetch(:use_acceptor_subkey) { true }
  # Handle wrap-around
  sequence_number &= 0xFFFFFFFFFFFFFFFF

  flags = GSS_SEALED
  flags |= GSS_ACCEPTOR_SUBKEY if use_acceptor_subkey

  if is_initiator
    key_usage = Rex::Proto::Kerberos::Crypto::KeyUsage::GSS_INITIATOR_SEAL
  else
    key_usage = Rex::Proto::Kerberos::Crypto::KeyUsage::GSS_ACCEPTOR_SEAL
    flags |= GSS_SENT_BY_ACCEPTOR
  end

  tok_id = TOK_ID_GSS_WRAP
  filler = 0xFF
  ec = calculate_ec(plaintext.length)
  rrc = calculate_rrc

  # RFC4121, Section 4.2.4
  plaintext_header = [tok_id, flags, filler, 0, 0, sequence_number].pack('nCCnnQ>')

  header = [tok_id, flags, filler, ec, rrc, sequence_number].pack('nCCnnQ>')
  # "x" chosen as the filler based on the Linux implementation of the kerberos client
  # https://salsa.debian.org/debian/krb5/-/blob/0269810b1aec6c554fb746433f045d59fd34ab3a/src/lib/gssapi/krb5/k5sealv3.c#L160
  ec_filler = "x" * ec
  plaintext = plaintext + ec_filler + plaintext_header
  ciphertext = self.encrypt(plaintext, key.value, key_usage)
  rotated = rotate(ciphertext, rrc+ec)

  result = [header + rotated, header_length + ec, ec]
end