547 lines
15 KiB
C
547 lines
15 KiB
C
/*
|
|
* COPYRIGHT (c) 2008
|
|
* The Regents of the University of Michigan
|
|
* ALL RIGHTS RESERVED
|
|
*
|
|
* Permission is granted to use, copy, create derivative works
|
|
* and redistribute this software and such derivative works
|
|
* for any purpose, so long as the name of The University of
|
|
* Michigan is not used in any advertising or publicity
|
|
* pertaining to the use of distribution of this software
|
|
* without specific, written prior authorization. If the
|
|
* above copyright notice or any other identification of the
|
|
* University of Michigan is included in any copy of any
|
|
* portion of this software, then the disclaimer below must
|
|
* also be included.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
|
|
* FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
|
|
* PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
|
|
* MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
|
|
* WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
|
|
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
|
|
* REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
|
|
* FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
|
|
* CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
|
|
* OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
|
|
* IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGES.
|
|
*/
|
|
|
|
/*
|
|
* Copyright (C) 1998 by the FundsXpress, INC.
|
|
*
|
|
* All rights reserved.
|
|
*
|
|
* Export of this software from the United States of America may require
|
|
* a specific license from the United States Government. It is the
|
|
* responsibility of any person or organization contemplating export to
|
|
* obtain such a license before exporting.
|
|
*
|
|
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
|
|
* distribute this software and its documentation for any purpose and
|
|
* without fee is hereby granted, provided that the above copyright
|
|
* notice appear in all copies and that both that copyright notice and
|
|
* this permission notice appear in supporting documentation, and that
|
|
* the name of FundsXpress. not be used in advertising or publicity pertaining
|
|
* to distribution of the software without specific, written prior
|
|
* permission. FundsXpress makes no representations about the suitability of
|
|
* this software for any purpose. It is provided "as is" without express
|
|
* or implied warranty.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
|
|
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
|
|
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
|
|
*/
|
|
|
|
#include <crypto/skcipher.h>
|
|
#include <linux/err.h>
|
|
#include <linux/types.h>
|
|
#include <linux/sunrpc/gss_krb5.h>
|
|
#include <linux/sunrpc/xdr.h>
|
|
#include <linux/lcm.h>
|
|
#include <crypto/hash.h>
|
|
#include <kunit/visibility.h>
|
|
|
|
#include "gss_krb5_internal.h"
|
|
|
|
#if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
|
|
# define RPCDBG_FACILITY RPCDBG_AUTH
|
|
#endif
|
|
|
|
/**
|
|
* krb5_nfold - n-fold function
|
|
* @inbits: number of bits in @in
|
|
* @in: buffer containing input to fold
|
|
* @outbits: number of bits in the output buffer
|
|
* @out: buffer to hold the result
|
|
*
|
|
* This is the n-fold function as described in rfc3961, sec 5.1
|
|
* Taken from MIT Kerberos and modified.
|
|
*/
|
|
VISIBLE_IF_KUNIT
|
|
void krb5_nfold(u32 inbits, const u8 *in, u32 outbits, u8 *out)
|
|
{
|
|
unsigned long ulcm;
|
|
int byte, i, msbit;
|
|
|
|
/* the code below is more readable if I make these bytes
|
|
instead of bits */
|
|
|
|
inbits >>= 3;
|
|
outbits >>= 3;
|
|
|
|
/* first compute lcm(n,k) */
|
|
ulcm = lcm(inbits, outbits);
|
|
|
|
/* now do the real work */
|
|
|
|
memset(out, 0, outbits);
|
|
byte = 0;
|
|
|
|
/* this will end up cycling through k lcm(k,n)/k times, which
|
|
is correct */
|
|
for (i = ulcm-1; i >= 0; i--) {
|
|
/* compute the msbit in k which gets added into this byte */
|
|
msbit = (
|
|
/* first, start with the msbit in the first,
|
|
* unrotated byte */
|
|
((inbits << 3) - 1)
|
|
/* then, for each byte, shift to the right
|
|
* for each repetition */
|
|
+ (((inbits << 3) + 13) * (i/inbits))
|
|
/* last, pick out the correct byte within
|
|
* that shifted repetition */
|
|
+ ((inbits - (i % inbits)) << 3)
|
|
) % (inbits << 3);
|
|
|
|
/* pull out the byte value itself */
|
|
byte += (((in[((inbits - 1) - (msbit >> 3)) % inbits] << 8)|
|
|
(in[((inbits) - (msbit >> 3)) % inbits]))
|
|
>> ((msbit & 7) + 1)) & 0xff;
|
|
|
|
/* do the addition */
|
|
byte += out[i % outbits];
|
|
out[i % outbits] = byte & 0xff;
|
|
|
|
/* keep around the carry bit, if any */
|
|
byte >>= 8;
|
|
|
|
}
|
|
|
|
/* if there's a carry bit left over, add it back in */
|
|
if (byte) {
|
|
for (i = outbits - 1; i >= 0; i--) {
|
|
/* do the addition */
|
|
byte += out[i];
|
|
out[i] = byte & 0xff;
|
|
|
|
/* keep around the carry bit, if any */
|
|
byte >>= 8;
|
|
}
|
|
}
|
|
}
|
|
EXPORT_SYMBOL_IF_KUNIT(krb5_nfold);
|
|
|
|
/*
|
|
* This is the DK (derive_key) function as described in rfc3961, sec 5.1
|
|
* Taken from MIT Kerberos and modified.
|
|
*/
|
|
static int krb5_DK(const struct gss_krb5_enctype *gk5e,
|
|
const struct xdr_netobj *inkey, u8 *rawkey,
|
|
const struct xdr_netobj *in_constant, gfp_t gfp_mask)
|
|
{
|
|
size_t blocksize, keybytes, keylength, n;
|
|
unsigned char *inblockdata, *outblockdata;
|
|
struct xdr_netobj inblock, outblock;
|
|
struct crypto_sync_skcipher *cipher;
|
|
int ret = -EINVAL;
|
|
|
|
keybytes = gk5e->keybytes;
|
|
keylength = gk5e->keylength;
|
|
|
|
if (inkey->len != keylength)
|
|
goto err_return;
|
|
|
|
cipher = crypto_alloc_sync_skcipher(gk5e->encrypt_name, 0, 0);
|
|
if (IS_ERR(cipher))
|
|
goto err_return;
|
|
blocksize = crypto_sync_skcipher_blocksize(cipher);
|
|
if (crypto_sync_skcipher_setkey(cipher, inkey->data, inkey->len))
|
|
goto err_return;
|
|
|
|
ret = -ENOMEM;
|
|
inblockdata = kmalloc(blocksize, gfp_mask);
|
|
if (inblockdata == NULL)
|
|
goto err_free_cipher;
|
|
|
|
outblockdata = kmalloc(blocksize, gfp_mask);
|
|
if (outblockdata == NULL)
|
|
goto err_free_in;
|
|
|
|
inblock.data = (char *) inblockdata;
|
|
inblock.len = blocksize;
|
|
|
|
outblock.data = (char *) outblockdata;
|
|
outblock.len = blocksize;
|
|
|
|
/* initialize the input block */
|
|
|
|
if (in_constant->len == inblock.len) {
|
|
memcpy(inblock.data, in_constant->data, inblock.len);
|
|
} else {
|
|
krb5_nfold(in_constant->len * 8, in_constant->data,
|
|
inblock.len * 8, inblock.data);
|
|
}
|
|
|
|
/* loop encrypting the blocks until enough key bytes are generated */
|
|
|
|
n = 0;
|
|
while (n < keybytes) {
|
|
krb5_encrypt(cipher, NULL, inblock.data, outblock.data,
|
|
inblock.len);
|
|
|
|
if ((keybytes - n) <= outblock.len) {
|
|
memcpy(rawkey + n, outblock.data, (keybytes - n));
|
|
break;
|
|
}
|
|
|
|
memcpy(rawkey + n, outblock.data, outblock.len);
|
|
memcpy(inblock.data, outblock.data, outblock.len);
|
|
n += outblock.len;
|
|
}
|
|
|
|
ret = 0;
|
|
|
|
kfree_sensitive(outblockdata);
|
|
err_free_in:
|
|
kfree_sensitive(inblockdata);
|
|
err_free_cipher:
|
|
crypto_free_sync_skcipher(cipher);
|
|
err_return:
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* This is the identity function, with some sanity checking.
|
|
*/
|
|
static int krb5_random_to_key_v2(const struct gss_krb5_enctype *gk5e,
|
|
struct xdr_netobj *randombits,
|
|
struct xdr_netobj *key)
|
|
{
|
|
int ret = -EINVAL;
|
|
|
|
if (key->len != 16 && key->len != 32) {
|
|
dprintk("%s: key->len is %d\n", __func__, key->len);
|
|
goto err_out;
|
|
}
|
|
if (randombits->len != 16 && randombits->len != 32) {
|
|
dprintk("%s: randombits->len is %d\n",
|
|
__func__, randombits->len);
|
|
goto err_out;
|
|
}
|
|
if (randombits->len != key->len) {
|
|
dprintk("%s: randombits->len is %d, key->len is %d\n",
|
|
__func__, randombits->len, key->len);
|
|
goto err_out;
|
|
}
|
|
memcpy(key->data, randombits->data, key->len);
|
|
ret = 0;
|
|
err_out:
|
|
return ret;
|
|
}
|
|
|
|
/**
|
|
* krb5_derive_key_v2 - Derive a subkey for an RFC 3962 enctype
|
|
* @gk5e: Kerberos 5 enctype profile
|
|
* @inkey: base protocol key
|
|
* @outkey: OUT: derived key
|
|
* @label: subkey usage label
|
|
* @gfp_mask: memory allocation control flags
|
|
*
|
|
* Caller sets @outkey->len to the desired length of the derived key.
|
|
*
|
|
* On success, returns 0 and fills in @outkey. A negative errno value
|
|
* is returned on failure.
|
|
*/
|
|
int krb5_derive_key_v2(const struct gss_krb5_enctype *gk5e,
|
|
const struct xdr_netobj *inkey,
|
|
struct xdr_netobj *outkey,
|
|
const struct xdr_netobj *label,
|
|
gfp_t gfp_mask)
|
|
{
|
|
struct xdr_netobj inblock;
|
|
int ret;
|
|
|
|
inblock.len = gk5e->keybytes;
|
|
inblock.data = kmalloc(inblock.len, gfp_mask);
|
|
if (!inblock.data)
|
|
return -ENOMEM;
|
|
|
|
ret = krb5_DK(gk5e, inkey, inblock.data, label, gfp_mask);
|
|
if (!ret)
|
|
ret = krb5_random_to_key_v2(gk5e, &inblock, outkey);
|
|
|
|
kfree_sensitive(inblock.data);
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* K(i) = CMAC(key, K(i-1) | i | constant | 0x00 | k)
|
|
*
|
|
* i: A block counter is used with a length of 4 bytes, represented
|
|
* in big-endian order.
|
|
*
|
|
* constant: The label input to the KDF is the usage constant supplied
|
|
* to the key derivation function
|
|
*
|
|
* k: The length of the output key in bits, represented as a 4-byte
|
|
* string in big-endian order.
|
|
*
|
|
* Caller fills in K(i-1) in @step, and receives the result K(i)
|
|
* in the same buffer.
|
|
*/
|
|
static int
|
|
krb5_cmac_Ki(struct crypto_shash *tfm, const struct xdr_netobj *constant,
|
|
u32 outlen, u32 count, struct xdr_netobj *step)
|
|
{
|
|
__be32 k = cpu_to_be32(outlen * 8);
|
|
SHASH_DESC_ON_STACK(desc, tfm);
|
|
__be32 i = cpu_to_be32(count);
|
|
u8 zero = 0;
|
|
int ret;
|
|
|
|
desc->tfm = tfm;
|
|
ret = crypto_shash_init(desc);
|
|
if (ret)
|
|
goto out_err;
|
|
|
|
ret = crypto_shash_update(desc, step->data, step->len);
|
|
if (ret)
|
|
goto out_err;
|
|
ret = crypto_shash_update(desc, (u8 *)&i, sizeof(i));
|
|
if (ret)
|
|
goto out_err;
|
|
ret = crypto_shash_update(desc, constant->data, constant->len);
|
|
if (ret)
|
|
goto out_err;
|
|
ret = crypto_shash_update(desc, &zero, sizeof(zero));
|
|
if (ret)
|
|
goto out_err;
|
|
ret = crypto_shash_update(desc, (u8 *)&k, sizeof(k));
|
|
if (ret)
|
|
goto out_err;
|
|
ret = crypto_shash_final(desc, step->data);
|
|
if (ret)
|
|
goto out_err;
|
|
|
|
out_err:
|
|
shash_desc_zero(desc);
|
|
return ret;
|
|
}
|
|
|
|
/**
|
|
* krb5_kdf_feedback_cmac - Derive a subkey for a Camellia/CMAC-based enctype
|
|
* @gk5e: Kerberos 5 enctype parameters
|
|
* @inkey: base protocol key
|
|
* @outkey: OUT: derived key
|
|
* @constant: subkey usage label
|
|
* @gfp_mask: memory allocation control flags
|
|
*
|
|
* RFC 6803 Section 3:
|
|
*
|
|
* "We use a key derivation function from the family specified in
|
|
* [SP800-108], Section 5.2, 'KDF in Feedback Mode'."
|
|
*
|
|
* n = ceiling(k / 128)
|
|
* K(0) = zeros
|
|
* K(i) = CMAC(key, K(i-1) | i | constant | 0x00 | k)
|
|
* DR(key, constant) = k-truncate(K(1) | K(2) | ... | K(n))
|
|
* KDF-FEEDBACK-CMAC(key, constant) = random-to-key(DR(key, constant))
|
|
*
|
|
* Caller sets @outkey->len to the desired length of the derived key (k).
|
|
*
|
|
* On success, returns 0 and fills in @outkey. A negative errno value
|
|
* is returned on failure.
|
|
*/
|
|
int
|
|
krb5_kdf_feedback_cmac(const struct gss_krb5_enctype *gk5e,
|
|
const struct xdr_netobj *inkey,
|
|
struct xdr_netobj *outkey,
|
|
const struct xdr_netobj *constant,
|
|
gfp_t gfp_mask)
|
|
{
|
|
struct xdr_netobj step = { .data = NULL };
|
|
struct xdr_netobj DR = { .data = NULL };
|
|
unsigned int blocksize, offset;
|
|
struct crypto_shash *tfm;
|
|
int n, count, ret;
|
|
|
|
/*
|
|
* This implementation assumes the CMAC used for an enctype's
|
|
* key derivation is the same as the CMAC used for its
|
|
* checksumming. This happens to be true for enctypes that
|
|
* are currently supported by this implementation.
|
|
*/
|
|
tfm = crypto_alloc_shash(gk5e->cksum_name, 0, 0);
|
|
if (IS_ERR(tfm)) {
|
|
ret = PTR_ERR(tfm);
|
|
goto out;
|
|
}
|
|
ret = crypto_shash_setkey(tfm, inkey->data, inkey->len);
|
|
if (ret)
|
|
goto out_free_tfm;
|
|
|
|
blocksize = crypto_shash_digestsize(tfm);
|
|
n = (outkey->len + blocksize - 1) / blocksize;
|
|
|
|
/* K(0) is all zeroes */
|
|
ret = -ENOMEM;
|
|
step.len = blocksize;
|
|
step.data = kzalloc(step.len, gfp_mask);
|
|
if (!step.data)
|
|
goto out_free_tfm;
|
|
|
|
DR.len = blocksize * n;
|
|
DR.data = kmalloc(DR.len, gfp_mask);
|
|
if (!DR.data)
|
|
goto out_free_tfm;
|
|
|
|
/* XXX: Does not handle partial-block key sizes */
|
|
for (offset = 0, count = 1; count <= n; count++) {
|
|
ret = krb5_cmac_Ki(tfm, constant, outkey->len, count, &step);
|
|
if (ret)
|
|
goto out_free_tfm;
|
|
|
|
memcpy(DR.data + offset, step.data, blocksize);
|
|
offset += blocksize;
|
|
}
|
|
|
|
/* k-truncate and random-to-key */
|
|
memcpy(outkey->data, DR.data, outkey->len);
|
|
ret = 0;
|
|
|
|
out_free_tfm:
|
|
crypto_free_shash(tfm);
|
|
out:
|
|
kfree_sensitive(step.data);
|
|
kfree_sensitive(DR.data);
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* K1 = HMAC-SHA(key, 0x00000001 | label | 0x00 | k)
|
|
*
|
|
* key: The source of entropy from which subsequent keys are derived.
|
|
*
|
|
* label: An octet string describing the intended usage of the
|
|
* derived key.
|
|
*
|
|
* k: Length in bits of the key to be outputted, expressed in
|
|
* big-endian binary representation in 4 bytes.
|
|
*/
|
|
static int
|
|
krb5_hmac_K1(struct crypto_shash *tfm, const struct xdr_netobj *label,
|
|
u32 outlen, struct xdr_netobj *K1)
|
|
{
|
|
__be32 k = cpu_to_be32(outlen * 8);
|
|
SHASH_DESC_ON_STACK(desc, tfm);
|
|
__be32 one = cpu_to_be32(1);
|
|
u8 zero = 0;
|
|
int ret;
|
|
|
|
desc->tfm = tfm;
|
|
ret = crypto_shash_init(desc);
|
|
if (ret)
|
|
goto out_err;
|
|
ret = crypto_shash_update(desc, (u8 *)&one, sizeof(one));
|
|
if (ret)
|
|
goto out_err;
|
|
ret = crypto_shash_update(desc, label->data, label->len);
|
|
if (ret)
|
|
goto out_err;
|
|
ret = crypto_shash_update(desc, &zero, sizeof(zero));
|
|
if (ret)
|
|
goto out_err;
|
|
ret = crypto_shash_update(desc, (u8 *)&k, sizeof(k));
|
|
if (ret)
|
|
goto out_err;
|
|
ret = crypto_shash_final(desc, K1->data);
|
|
if (ret)
|
|
goto out_err;
|
|
|
|
out_err:
|
|
shash_desc_zero(desc);
|
|
return ret;
|
|
}
|
|
|
|
/**
|
|
* krb5_kdf_hmac_sha2 - Derive a subkey for an AES/SHA2-based enctype
|
|
* @gk5e: Kerberos 5 enctype policy parameters
|
|
* @inkey: base protocol key
|
|
* @outkey: OUT: derived key
|
|
* @label: subkey usage label
|
|
* @gfp_mask: memory allocation control flags
|
|
*
|
|
* RFC 8009 Section 3:
|
|
*
|
|
* "We use a key derivation function from Section 5.1 of [SP800-108],
|
|
* which uses the HMAC algorithm as the PRF."
|
|
*
|
|
* function KDF-HMAC-SHA2(key, label, [context,] k):
|
|
* k-truncate(K1)
|
|
*
|
|
* Caller sets @outkey->len to the desired length of the derived key.
|
|
*
|
|
* On success, returns 0 and fills in @outkey. A negative errno value
|
|
* is returned on failure.
|
|
*/
|
|
int
|
|
krb5_kdf_hmac_sha2(const struct gss_krb5_enctype *gk5e,
|
|
const struct xdr_netobj *inkey,
|
|
struct xdr_netobj *outkey,
|
|
const struct xdr_netobj *label,
|
|
gfp_t gfp_mask)
|
|
{
|
|
struct crypto_shash *tfm;
|
|
struct xdr_netobj K1 = {
|
|
.data = NULL,
|
|
};
|
|
int ret;
|
|
|
|
/*
|
|
* This implementation assumes the HMAC used for an enctype's
|
|
* key derivation is the same as the HMAC used for its
|
|
* checksumming. This happens to be true for enctypes that
|
|
* are currently supported by this implementation.
|
|
*/
|
|
tfm = crypto_alloc_shash(gk5e->cksum_name, 0, 0);
|
|
if (IS_ERR(tfm)) {
|
|
ret = PTR_ERR(tfm);
|
|
goto out;
|
|
}
|
|
ret = crypto_shash_setkey(tfm, inkey->data, inkey->len);
|
|
if (ret)
|
|
goto out_free_tfm;
|
|
|
|
K1.len = crypto_shash_digestsize(tfm);
|
|
K1.data = kmalloc(K1.len, gfp_mask);
|
|
if (!K1.data) {
|
|
ret = -ENOMEM;
|
|
goto out_free_tfm;
|
|
}
|
|
|
|
ret = krb5_hmac_K1(tfm, label, outkey->len, &K1);
|
|
if (ret)
|
|
goto out_free_tfm;
|
|
|
|
/* k-truncate and random-to-key */
|
|
memcpy(outkey->data, K1.data, outkey->len);
|
|
|
|
out_free_tfm:
|
|
kfree_sensitive(K1.data);
|
|
crypto_free_shash(tfm);
|
|
out:
|
|
return ret;
|
|
}
|