1/*- 2 * Copyright (c) 2008 Isilon Inc http://www.isilon.com/ 3 * Authors: Doug Rabson <dfr@rabson.org> 4 * Developed with Red Inc: Alfred Perlstein <alfred@freebsd.org> 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 26 */ 27 28#include <sys/cdefs.h> 29__FBSDID("$FreeBSD: stable/11/sys/kgssapi/krb5/kcrypto_des3.c 351358 2019-08-21 22:42:08Z jhb $"); 30 31#include <sys/param.h> 32#include <sys/lock.h> 33#include <sys/malloc.h> 34#include <sys/mutex.h> 35#include <sys/kobj.h> 36#include <sys/mbuf.h> 37#include <crypto/des/des.h> 38#include <opencrypto/cryptodev.h> 39 40#include <kgssapi/gssapi.h> 41#include <kgssapi/gssapi_impl.h> 42 43#include "kcrypto.h" 44 45#define DES3_FLAGS (CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE) 46 47struct des3_state { 48 struct mtx ds_lock; 49 uint64_t ds_session; 50}; 51 52static void 53des3_init(struct krb5_key_state *ks) 54{ 55 static struct timeval lastwarn; 56 struct des3_state *ds; 57 58 ds = malloc(sizeof(struct des3_state), M_GSSAPI, M_WAITOK|M_ZERO); 59 mtx_init(&ds->ds_lock, "gss des3 lock", NULL, MTX_DEF); 60 ks->ks_priv = ds; 61 if (ratecheck(&lastwarn, &krb5_warn_interval)) 62 gone_in(13, "DES3 cipher for Kerberos GSS"); 63} 64 65static void 66des3_destroy(struct krb5_key_state *ks) 67{ 68 struct des3_state *ds = ks->ks_priv; 69 70 if (ds->ds_session) 71 crypto_freesession(ds->ds_session); 72 mtx_destroy(&ds->ds_lock); 73 free(ks->ks_priv, M_GSSAPI); 74} 75 76static void 77des3_set_key(struct krb5_key_state *ks, const void *in) 78{ 79 void *kp = ks->ks_key; 80 struct des3_state *ds = ks->ks_priv; 81 struct cryptoini cri[2]; 82 83 if (kp != in) 84 bcopy(in, kp, ks->ks_class->ec_keylen); 85 86 if (ds->ds_session) 87 crypto_freesession(ds->ds_session); 88 89 bzero(cri, sizeof(cri)); 90 91 cri[0].cri_alg = CRYPTO_SHA1_HMAC; 92 cri[0].cri_klen = 192; 93 cri[0].cri_mlen = 0; 94 cri[0].cri_key = ks->ks_key; 95 cri[0].cri_next = &cri[1]; 96 97 cri[1].cri_alg = CRYPTO_3DES_CBC; 98 cri[1].cri_klen = 192; 99 cri[1].cri_mlen = 0; 100 cri[1].cri_key = ks->ks_key; 101 cri[1].cri_next = NULL; 102 103 crypto_newsession(&ds->ds_session, cri, 104 CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE); 105} 106 107static void 108des3_random_to_key(struct krb5_key_state *ks, const void *in) 109{ 110 uint8_t *outkey; 111 const uint8_t *inkey; 112 int subkey; 113 114 for (subkey = 0, outkey = ks->ks_key, inkey = in; subkey < 3; 115 subkey++, outkey += 8, inkey += 7) { 116 /* 117 * Expand 56 bits of random data to 64 bits as follows 118 * (in the example, bit number 1 is the MSB of the 56 119 * bits of random data): 120 * 121 * expanded = 122 * 1 2 3 4 5 6 7 p 123 * 9 10 11 12 13 14 15 p 124 * 17 18 19 20 21 22 23 p 125 * 25 26 27 28 29 30 31 p 126 * 33 34 35 36 37 38 39 p 127 * 41 42 43 44 45 46 47 p 128 * 49 50 51 52 53 54 55 p 129 * 56 48 40 32 24 16 8 p 130 */ 131 outkey[0] = inkey[0]; 132 outkey[1] = inkey[1]; 133 outkey[2] = inkey[2]; 134 outkey[3] = inkey[3]; 135 outkey[4] = inkey[4]; 136 outkey[5] = inkey[5]; 137 outkey[6] = inkey[6]; 138 outkey[7] = (((inkey[0] & 1) << 1) 139 | ((inkey[1] & 1) << 2) 140 | ((inkey[2] & 1) << 3) 141 | ((inkey[3] & 1) << 4) 142 | ((inkey[4] & 1) << 5) 143 | ((inkey[5] & 1) << 6) 144 | ((inkey[6] & 1) << 7)); 145 des_set_odd_parity((des_cblock *) outkey); 146 if (des_is_weak_key((des_cblock *) outkey)) 147 outkey[7] ^= 0xf0; 148 } 149 150 des3_set_key(ks, ks->ks_key); 151} 152 153static int 154des3_crypto_cb(struct cryptop *crp) 155{ 156 int error; 157 struct des3_state *ds = (struct des3_state *) crp->crp_opaque; 158 159 if (CRYPTO_SESID2CAPS(ds->ds_session) & CRYPTOCAP_F_SYNC) 160 return (0); 161 162 error = crp->crp_etype; 163 if (error == EAGAIN) 164 error = crypto_dispatch(crp); 165 mtx_lock(&ds->ds_lock); 166 if (error || (crp->crp_flags & CRYPTO_F_DONE)) 167 wakeup(crp); 168 mtx_unlock(&ds->ds_lock); 169 170 return (0); 171} 172 173static void 174des3_encrypt_1(const struct krb5_key_state *ks, struct mbuf *inout, 175 size_t skip, size_t len, void *ivec, int encdec) 176{ 177 struct des3_state *ds = ks->ks_priv; 178 struct cryptop *crp; 179 struct cryptodesc *crd; 180 int error; 181 182 crp = crypto_getreq(1); 183 crd = crp->crp_desc; 184 185 crd->crd_skip = skip; 186 crd->crd_len = len; 187 crd->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT | encdec; 188 if (ivec) { 189 bcopy(ivec, crd->crd_iv, 8); 190 } else { 191 bzero(crd->crd_iv, 8); 192 } 193 crd->crd_next = NULL; 194 crd->crd_alg = CRYPTO_3DES_CBC; 195 196 crp->crp_sid = ds->ds_session; 197 crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC; 198 crp->crp_buf = (void *) inout; 199 crp->crp_opaque = (void *) ds; 200 crp->crp_callback = des3_crypto_cb; 201 202 error = crypto_dispatch(crp); 203 204 if ((CRYPTO_SESID2CAPS(ds->ds_session) & CRYPTOCAP_F_SYNC) == 0) { 205 mtx_lock(&ds->ds_lock); 206 if (!error && !(crp->crp_flags & CRYPTO_F_DONE)) 207 error = msleep(crp, &ds->ds_lock, 0, "gssdes3", 0); 208 mtx_unlock(&ds->ds_lock); 209 } 210 211 crypto_freereq(crp); 212} 213 214static void 215des3_encrypt(const struct krb5_key_state *ks, struct mbuf *inout, 216 size_t skip, size_t len, void *ivec, size_t ivlen) 217{ 218 219 des3_encrypt_1(ks, inout, skip, len, ivec, CRD_F_ENCRYPT); 220} 221 222static void 223des3_decrypt(const struct krb5_key_state *ks, struct mbuf *inout, 224 size_t skip, size_t len, void *ivec, size_t ivlen) 225{ 226 227 des3_encrypt_1(ks, inout, skip, len, ivec, 0); 228} 229 230static void 231des3_checksum(const struct krb5_key_state *ks, int usage, 232 struct mbuf *inout, size_t skip, size_t inlen, size_t outlen) 233{ 234 struct des3_state *ds = ks->ks_priv; 235 struct cryptop *crp; 236 struct cryptodesc *crd; 237 int error; 238 239 crp = crypto_getreq(1); 240 crd = crp->crp_desc; 241 242 crd->crd_skip = skip; 243 crd->crd_len = inlen; 244 crd->crd_inject = skip + inlen; 245 crd->crd_flags = 0; 246 crd->crd_next = NULL; 247 crd->crd_alg = CRYPTO_SHA1_HMAC; 248 249 crp->crp_sid = ds->ds_session; 250 crp->crp_ilen = inlen; 251 crp->crp_olen = 20; 252 crp->crp_etype = 0; 253 crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC; 254 crp->crp_buf = (void *) inout; 255 crp->crp_opaque = (void *) ds; 256 crp->crp_callback = des3_crypto_cb; 257 258 error = crypto_dispatch(crp); 259 260 if ((CRYPTO_SESID2CAPS(ds->ds_session) & CRYPTOCAP_F_SYNC) == 0) { 261 mtx_lock(&ds->ds_lock); 262 if (!error && !(crp->crp_flags & CRYPTO_F_DONE)) 263 error = msleep(crp, &ds->ds_lock, 0, "gssdes3", 0); 264 mtx_unlock(&ds->ds_lock); 265 } 266 267 crypto_freereq(crp); 268} 269 270struct krb5_encryption_class krb5_des3_encryption_class = { 271 "des3-cbc-sha1", /* name */ 272 ETYPE_DES3_CBC_SHA1, /* etype */ 273 EC_DERIVED_KEYS, /* flags */ 274 8, /* blocklen */ 275 8, /* msgblocklen */ 276 20, /* checksumlen */ 277 168, /* keybits */ 278 24, /* keylen */ 279 des3_init, 280 des3_destroy, 281 des3_set_key, 282 des3_random_to_key, 283 des3_encrypt, 284 des3_decrypt, 285 des3_checksum 286}; 287 288#if 0 289struct des3_dk_test { 290 uint8_t key[24]; 291 uint8_t usage[8]; 292 size_t usagelen; 293 uint8_t dk[24]; 294}; 295struct des3_dk_test tests[] = { 296 {{0xdc, 0xe0, 0x6b, 0x1f, 0x64, 0xc8, 0x57, 0xa1, 0x1c, 0x3d, 0xb5, 297 0x7c, 0x51, 0x89, 0x9b, 0x2c, 0xc1, 0x79, 0x10, 0x08, 0xce, 0x97, 298 0x3b, 0x92}, 299 {0x00, 0x00, 0x00, 0x01, 0x55}, 5, 300 {0x92, 0x51, 0x79, 0xd0, 0x45, 0x91, 0xa7, 0x9b, 0x5d, 0x31, 0x92, 301 0xc4, 0xa7, 0xe9, 0xc2, 0x89, 0xb0, 0x49, 0xc7, 0x1f, 0x6e, 0xe6, 302 0x04, 0xcd}}, 303 304 {{0x5e, 0x13, 0xd3, 0x1c, 0x70, 0xef, 0x76, 0x57, 0x46, 0x57, 0x85, 305 0x31, 0xcb, 0x51, 0xc1, 0x5b, 0xf1, 0x1c, 0xa8, 0x2c, 0x97, 0xce, 306 0xe9, 0xf2}, 307 {0x00, 0x00, 0x00, 0x01, 0xaa}, 5, 308 {0x9e, 0x58, 0xe5, 0xa1, 0x46, 0xd9, 0x94, 0x2a, 0x10, 0x1c, 0x46, 309 0x98, 0x45, 0xd6, 0x7a, 0x20, 0xe3, 0xc4, 0x25, 0x9e, 0xd9, 0x13, 310 0xf2, 0x07}}, 311 312 {{0x98, 0xe6, 0xfd, 0x8a, 0x04, 0xa4, 0xb6, 0x85, 0x9b, 0x75, 0xa1, 313 0x76, 0x54, 0x0b, 0x97, 0x52, 0xba, 0xd3, 0xec, 0xd6, 0x10, 0xa2, 314 0x52, 0xbc}, 315 {0x00, 0x00, 0x00, 0x01, 0x55}, 5, 316 {0x13, 0xfe, 0xf8, 0x0d, 0x76, 0x3e, 0x94, 0xec, 0x6d, 0x13, 0xfd, 317 0x2c, 0xa1, 0xd0, 0x85, 0x07, 0x02, 0x49, 0xda, 0xd3, 0x98, 0x08, 318 0xea, 0xbf}}, 319 320 {{0x62, 0x2a, 0xec, 0x25, 0xa2, 0xfe, 0x2c, 0xad, 0x70, 0x94, 0x68, 321 0x0b, 0x7c, 0x64, 0x94, 0x02, 0x80, 0x08, 0x4c, 0x1a, 0x7c, 0xec, 322 0x92, 0xb5}, 323 {0x00, 0x00, 0x00, 0x01, 0xaa}, 5, 324 {0xf8, 0xdf, 0xbf, 0x04, 0xb0, 0x97, 0xe6, 0xd9, 0xdc, 0x07, 0x02, 325 0x68, 0x6b, 0xcb, 0x34, 0x89, 0xd9, 0x1f, 0xd9, 0xa4, 0x51, 0x6b, 326 0x70, 0x3e}}, 327 328 {{0xd3, 0xf8, 0x29, 0x8c, 0xcb, 0x16, 0x64, 0x38, 0xdc, 0xb9, 0xb9, 329 0x3e, 0xe5, 0xa7, 0x62, 0x92, 0x86, 0xa4, 0x91, 0xf8, 0x38, 0xf8, 330 0x02, 0xfb}, 331 {0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73}, 8, 332 {0x23, 0x70, 0xda, 0x57, 0x5d, 0x2a, 0x3d, 0xa8, 0x64, 0xce, 0xbf, 333 0xdc, 0x52, 0x04, 0xd5, 0x6d, 0xf7, 0x79, 0xa7, 0xdf, 0x43, 0xd9, 334 0xda, 0x43}}, 335 336 {{0xc1, 0x08, 0x16, 0x49, 0xad, 0xa7, 0x43, 0x62, 0xe6, 0xa1, 0x45, 337 0x9d, 0x01, 0xdf, 0xd3, 0x0d, 0x67, 0xc2, 0x23, 0x4c, 0x94, 0x07, 338 0x04, 0xda}, 339 {0x00, 0x00, 0x00, 0x01, 0x55}, 5, 340 {0x34, 0x80, 0x57, 0xec, 0x98, 0xfd, 0xc4, 0x80, 0x16, 0x16, 0x1c, 341 0x2a, 0x4c, 0x7a, 0x94, 0x3e, 0x92, 0xae, 0x49, 0x2c, 0x98, 0x91, 342 0x75, 0xf7}}, 343 344 {{0x5d, 0x15, 0x4a, 0xf2, 0x38, 0xf4, 0x67, 0x13, 0x15, 0x57, 0x19, 345 0xd5, 0x5e, 0x2f, 0x1f, 0x79, 0x0d, 0xd6, 0x61, 0xf2, 0x79, 0xa7, 346 0x91, 0x7c}, 347 {0x00, 0x00, 0x00, 0x01, 0xaa}, 5, 348 {0xa8, 0x80, 0x8a, 0xc2, 0x67, 0xda, 0xda, 0x3d, 0xcb, 0xe9, 0xa7, 349 0xc8, 0x46, 0x26, 0xfb, 0xc7, 0x61, 0xc2, 0x94, 0xb0, 0x13, 0x15, 350 0xe5, 0xc1}}, 351 352 {{0x79, 0x85, 0x62, 0xe0, 0x49, 0x85, 0x2f, 0x57, 0xdc, 0x8c, 0x34, 353 0x3b, 0xa1, 0x7f, 0x2c, 0xa1, 0xd9, 0x73, 0x94, 0xef, 0xc8, 0xad, 354 0xc4, 0x43}, 355 {0x00, 0x00, 0x00, 0x01, 0x55}, 5, 356 {0xc8, 0x13, 0xf8, 0x8a, 0x3b, 0xe3, 0xb3, 0x34, 0xf7, 0x54, 0x25, 357 0xce, 0x91, 0x75, 0xfb, 0xe3, 0xc8, 0x49, 0x3b, 0x89, 0xc8, 0x70, 358 0x3b, 0x49}}, 359 360 {{0x26, 0xdc, 0xe3, 0x34, 0xb5, 0x45, 0x29, 0x2f, 0x2f, 0xea, 0xb9, 361 0xa8, 0x70, 0x1a, 0x89, 0xa4, 0xb9, 0x9e, 0xb9, 0x94, 0x2c, 0xec, 362 0xd0, 0x16}, 363 {0x00, 0x00, 0x00, 0x01, 0xaa}, 5, 364 {0xf4, 0x8f, 0xfd, 0x6e, 0x83, 0xf8, 0x3e, 0x73, 0x54, 0xe6, 0x94, 365 0xfd, 0x25, 0x2c, 0xf8, 0x3b, 0xfe, 0x58, 0xf7, 0xd5, 0xba, 0x37, 366 0xec, 0x5d}}, 367}; 368#define N_TESTS (sizeof(tests) / sizeof(tests[0])) 369 370int 371main(int argc, char **argv) 372{ 373 struct krb5_key_state *key, *dk; 374 uint8_t *dkp; 375 int j, i; 376 377 for (j = 0; j < N_TESTS; j++) { 378 struct des3_dk_test *t = &tests[j]; 379 key = krb5_create_key(&des3_encryption_class); 380 krb5_set_key(key, t->key); 381 dk = krb5_derive_key(key, t->usage, t->usagelen); 382 krb5_free_key(key); 383 if (memcmp(dk->ks_key, t->dk, 24)) { 384 printf("DES3 dk("); 385 for (i = 0; i < 24; i++) 386 printf("%02x", t->key[i]); 387 printf(", "); 388 for (i = 0; i < t->usagelen; i++) 389 printf("%02x", t->usage[i]); 390 printf(") failed\n"); 391 printf("should be: "); 392 for (i = 0; i < 24; i++) 393 printf("%02x", t->dk[i]); 394 printf("\n result was: "); 395 dkp = dk->ks_key; 396 for (i = 0; i < 24; i++) 397 printf("%02x", dkp[i]); 398 printf("\n"); 399 } 400 krb5_free_key(dk); 401 } 402 403 return (0); 404} 405#endif 406