1/*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2008 Isilon Inc http://www.isilon.com/ 5 * Authors: Doug Rabson <dfr@rabson.org> 6 * Developed with Red Inc: Alfred Perlstein <alfred@freebsd.org> 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 30#include <sys/cdefs.h> 31__FBSDID("$FreeBSD$"); 32 33#include <sys/param.h> 34#include <sys/lock.h> 35#include <sys/kobj.h> 36#include <sys/malloc.h> 37#include <sys/md5.h> 38#include <sys/mutex.h> 39#include <sys/mbuf.h> 40#include <crypto/des/des.h> 41#include <opencrypto/cryptodev.h> 42 43#include <kgssapi/gssapi.h> 44#include <kgssapi/gssapi_impl.h> 45 46#include "kcrypto.h" 47 48struct des1_state { 49 struct mtx ds_lock; 50 crypto_session_t ds_session; 51}; 52 53static void 54des1_init(struct krb5_key_state *ks) 55{ 56 static struct timeval lastwarn; 57 struct des1_state *ds; 58 59 ds = malloc(sizeof(struct des1_state), M_GSSAPI, M_WAITOK|M_ZERO); 60 mtx_init(&ds->ds_lock, "gss des lock", NULL, MTX_DEF); 61 ks->ks_priv = ds; 62 if (ratecheck(&lastwarn, &krb5_warn_interval)) 63 gone_in(13, "DES cipher for Kerberos GSS"); 64} 65 66static void 67des1_destroy(struct krb5_key_state *ks) 68{ 69 struct des1_state *ds = ks->ks_priv; 70 71 if (ds->ds_session) 72 crypto_freesession(ds->ds_session); 73 mtx_destroy(&ds->ds_lock); 74 free(ks->ks_priv, M_GSSAPI); 75 76} 77 78static void 79des1_set_key(struct krb5_key_state *ks, const void *in) 80{ 81 void *kp = ks->ks_key; 82 struct des1_state *ds = ks->ks_priv; 83 struct cryptoini cri[1]; 84 85 if (kp != in) 86 bcopy(in, kp, ks->ks_class->ec_keylen); 87 88 if (ds->ds_session) 89 crypto_freesession(ds->ds_session); 90 91 bzero(cri, sizeof(cri)); 92 93 cri[0].cri_alg = CRYPTO_DES_CBC; 94 cri[0].cri_klen = 64; 95 cri[0].cri_mlen = 0; 96 cri[0].cri_key = ks->ks_key; 97 cri[0].cri_next = NULL; 98 99 crypto_newsession(&ds->ds_session, cri, 100 CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE); 101} 102 103static void 104des1_random_to_key(struct krb5_key_state *ks, const void *in) 105{ 106 uint8_t *outkey = ks->ks_key; 107 const uint8_t *inkey = in; 108 109 /* 110 * Expand 56 bits of random data to 64 bits as follows 111 * (in the example, bit number 1 is the MSB of the 56 112 * bits of random data): 113 * 114 * expanded = 115 * 1 2 3 4 5 6 7 p 116 * 9 10 11 12 13 14 15 p 117 * 17 18 19 20 21 22 23 p 118 * 25 26 27 28 29 30 31 p 119 * 33 34 35 36 37 38 39 p 120 * 41 42 43 44 45 46 47 p 121 * 49 50 51 52 53 54 55 p 122 * 56 48 40 32 24 16 8 p 123 */ 124 outkey[0] = inkey[0]; 125 outkey[1] = inkey[1]; 126 outkey[2] = inkey[2]; 127 outkey[3] = inkey[3]; 128 outkey[4] = inkey[4]; 129 outkey[5] = inkey[5]; 130 outkey[6] = inkey[6]; 131 outkey[7] = (((inkey[0] & 1) << 1) 132 | ((inkey[1] & 1) << 2) 133 | ((inkey[2] & 1) << 3) 134 | ((inkey[3] & 1) << 4) 135 | ((inkey[4] & 1) << 5) 136 | ((inkey[5] & 1) << 6) 137 | ((inkey[6] & 1) << 7)); 138 des_set_odd_parity((des_cblock *) outkey); 139 if (des_is_weak_key((des_cblock *) outkey)) 140 outkey[7] ^= 0xf0; 141 142 des1_set_key(ks, ks->ks_key); 143} 144 145static int 146des1_crypto_cb(struct cryptop *crp) 147{ 148 int error; 149 struct des1_state *ds = (struct des1_state *) crp->crp_opaque; 150 151 if (crypto_ses2caps(ds->ds_session) & CRYPTOCAP_F_SYNC) 152 return (0); 153 154 error = crp->crp_etype; 155 if (error == EAGAIN) 156 error = crypto_dispatch(crp); 157 mtx_lock(&ds->ds_lock); 158 if (error || (crp->crp_flags & CRYPTO_F_DONE)) 159 wakeup(crp); 160 mtx_unlock(&ds->ds_lock); 161 162 return (0); 163} 164 165static void 166des1_encrypt_1(const struct krb5_key_state *ks, int buftype, void *buf, 167 size_t skip, size_t len, void *ivec, int encdec) 168{ 169 struct des1_state *ds = ks->ks_priv; 170 struct cryptop *crp; 171 struct cryptodesc *crd; 172 int error; 173 174 crp = crypto_getreq(1); 175 crd = crp->crp_desc; 176 177 crd->crd_skip = skip; 178 crd->crd_len = len; 179 crd->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT | encdec; 180 if (ivec) { 181 bcopy(ivec, crd->crd_iv, 8); 182 } else { 183 bzero(crd->crd_iv, 8); 184 } 185 crd->crd_next = NULL; 186 crd->crd_alg = CRYPTO_DES_CBC; 187 188 crp->crp_session = ds->ds_session; 189 crp->crp_flags = buftype | CRYPTO_F_CBIFSYNC; 190 crp->crp_buf = buf; 191 crp->crp_opaque = (void *) ds; 192 crp->crp_callback = des1_crypto_cb; 193 194 error = crypto_dispatch(crp); 195 196 if ((crypto_ses2caps(ds->ds_session) & CRYPTOCAP_F_SYNC) == 0) { 197 mtx_lock(&ds->ds_lock); 198 if (!error && !(crp->crp_flags & CRYPTO_F_DONE)) 199 error = msleep(crp, &ds->ds_lock, 0, "gssdes", 0); 200 mtx_unlock(&ds->ds_lock); 201 } 202 203 crypto_freereq(crp); 204} 205 206static void 207des1_encrypt(const struct krb5_key_state *ks, struct mbuf *inout, 208 size_t skip, size_t len, void *ivec, size_t ivlen) 209{ 210 211 des1_encrypt_1(ks, CRYPTO_F_IMBUF, inout, skip, len, ivec, 212 CRD_F_ENCRYPT); 213} 214 215static void 216des1_decrypt(const struct krb5_key_state *ks, struct mbuf *inout, 217 size_t skip, size_t len, void *ivec, size_t ivlen) 218{ 219 220 des1_encrypt_1(ks, CRYPTO_F_IMBUF, inout, skip, len, ivec, 0); 221} 222 223static int 224MD5Update_int(void *ctx, void *buf, u_int len) 225{ 226 227 MD5Update(ctx, buf, len); 228 return (0); 229} 230 231static void 232des1_checksum(const struct krb5_key_state *ks, int usage, 233 struct mbuf *inout, size_t skip, size_t inlen, size_t outlen) 234{ 235 char hash[16]; 236 MD5_CTX md5; 237 238 /* 239 * This checksum is specifically for GSS-API. First take the 240 * MD5 checksum of the message, then calculate the CBC mode 241 * checksum of that MD5 checksum using a zero IV. 242 */ 243 MD5Init(&md5); 244 m_apply(inout, skip, inlen, MD5Update_int, &md5); 245 MD5Final(hash, &md5); 246 247 des1_encrypt_1(ks, 0, hash, 0, 16, NULL, CRD_F_ENCRYPT); 248 m_copyback(inout, skip + inlen, outlen, hash + 8); 249} 250 251struct krb5_encryption_class krb5_des_encryption_class = { 252 "des-cbc-md5", /* name */ 253 ETYPE_DES_CBC_CRC, /* etype */ 254 0, /* flags */ 255 8, /* blocklen */ 256 8, /* msgblocklen */ 257 8, /* checksumlen */ 258 56, /* keybits */ 259 8, /* keylen */ 260 des1_init, 261 des1_destroy, 262 des1_set_key, 263 des1_random_to_key, 264 des1_encrypt, 265 des1_decrypt, 266 des1_checksum 267}; 268