1/* 2 * COPYRIGHT (c) 2008 3 * The Regents of the University of Michigan 4 * ALL RIGHTS RESERVED 5 * 6 * Permission is granted to use, copy, create derivative works 7 * and redistribute this software and such derivative works 8 * for any purpose, so long as the name of The University of 9 * Michigan is not used in any advertising or publicity 10 * pertaining to the use of distribution of this software 11 * without specific, written prior authorization. If the 12 * above copyright notice or any other identification of the 13 * University of Michigan is included in any copy of any 14 * portion of this software, then the disclaimer below must 15 * also be included. 16 * 17 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION 18 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY 19 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF 20 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING 21 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF 22 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE 23 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE 24 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR 25 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING 26 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN 27 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGES. 29 */ 30 31/* 32 * Copyright (C) 1998 by the FundsXpress, INC. 33 * 34 * All rights reserved. 35 * 36 * Export of this software from the United States of America may require 37 * a specific license from the United States Government. It is the 38 * responsibility of any person or organization contemplating export to 39 * obtain such a license before exporting. 40 * 41 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 42 * distribute this software and its documentation for any purpose and 43 * without fee is hereby granted, provided that the above copyright 44 * notice appear in all copies and that both that copyright notice and 45 * this permission notice appear in supporting documentation, and that 46 * the name of FundsXpress. not be used in advertising or publicity pertaining 47 * to distribution of the software without specific, written prior 48 * permission. FundsXpress makes no representations about the suitability of 49 * this software for any purpose. It is provided "as is" without express 50 * or implied warranty. 51 * 52 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 53 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 54 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 55 */ 56 57#include <crypto/skcipher.h> 58#include <linux/err.h> 59#include <linux/types.h> 60#include <linux/sunrpc/gss_krb5.h> 61#include <linux/sunrpc/xdr.h> 62#include <linux/lcm.h> 63#include <crypto/hash.h> 64#include <kunit/visibility.h> 65 66#include "gss_krb5_internal.h" 67 68#if IS_ENABLED(CONFIG_SUNRPC_DEBUG) 69# define RPCDBG_FACILITY RPCDBG_AUTH 70#endif 71 72/** 73 * krb5_nfold - n-fold function 74 * @inbits: number of bits in @in 75 * @in: buffer containing input to fold 76 * @outbits: number of bits in the output buffer 77 * @out: buffer to hold the result 78 * 79 * This is the n-fold function as described in rfc3961, sec 5.1 80 * Taken from MIT Kerberos and modified. 81 */ 82VISIBLE_IF_KUNIT 83void krb5_nfold(u32 inbits, const u8 *in, u32 outbits, u8 *out) 84{ 85 unsigned long ulcm; 86 int byte, i, msbit; 87 88 /* the code below is more readable if I make these bytes 89 instead of bits */ 90 91 inbits >>= 3; 92 outbits >>= 3; 93 94 /* first compute lcm(n,k) */ 95 ulcm = lcm(inbits, outbits); 96 97 /* now do the real work */ 98 99 memset(out, 0, outbits); 100 byte = 0; 101 102 /* this will end up cycling through k lcm(k,n)/k times, which 103 is correct */ 104 for (i = ulcm-1; i >= 0; i--) { 105 /* compute the msbit in k which gets added into this byte */ 106 msbit = ( 107 /* first, start with the msbit in the first, 108 * unrotated byte */ 109 ((inbits << 3) - 1) 110 /* then, for each byte, shift to the right 111 * for each repetition */ 112 + (((inbits << 3) + 13) * (i/inbits)) 113 /* last, pick out the correct byte within 114 * that shifted repetition */ 115 + ((inbits - (i % inbits)) << 3) 116 ) % (inbits << 3); 117 118 /* pull out the byte value itself */ 119 byte += (((in[((inbits - 1) - (msbit >> 3)) % inbits] << 8)| 120 (in[((inbits) - (msbit >> 3)) % inbits])) 121 >> ((msbit & 7) + 1)) & 0xff; 122 123 /* do the addition */ 124 byte += out[i % outbits]; 125 out[i % outbits] = byte & 0xff; 126 127 /* keep around the carry bit, if any */ 128 byte >>= 8; 129 130 } 131 132 /* if there's a carry bit left over, add it back in */ 133 if (byte) { 134 for (i = outbits - 1; i >= 0; i--) { 135 /* do the addition */ 136 byte += out[i]; 137 out[i] = byte & 0xff; 138 139 /* keep around the carry bit, if any */ 140 byte >>= 8; 141 } 142 } 143} 144EXPORT_SYMBOL_IF_KUNIT(krb5_nfold); 145 146/* 147 * This is the DK (derive_key) function as described in rfc3961, sec 5.1 148 * Taken from MIT Kerberos and modified. 149 */ 150static int krb5_DK(const struct gss_krb5_enctype *gk5e, 151 const struct xdr_netobj *inkey, u8 *rawkey, 152 const struct xdr_netobj *in_constant, gfp_t gfp_mask) 153{ 154 size_t blocksize, keybytes, keylength, n; 155 unsigned char *inblockdata, *outblockdata; 156 struct xdr_netobj inblock, outblock; 157 struct crypto_sync_skcipher *cipher; 158 int ret = -EINVAL; 159 160 keybytes = gk5e->keybytes; 161 keylength = gk5e->keylength; 162 163 if (inkey->len != keylength) 164 goto err_return; 165 166 cipher = crypto_alloc_sync_skcipher(gk5e->encrypt_name, 0, 0); 167 if (IS_ERR(cipher)) 168 goto err_return; 169 blocksize = crypto_sync_skcipher_blocksize(cipher); 170 if (crypto_sync_skcipher_setkey(cipher, inkey->data, inkey->len)) 171 goto err_return; 172 173 ret = -ENOMEM; 174 inblockdata = kmalloc(blocksize, gfp_mask); 175 if (inblockdata == NULL) 176 goto err_free_cipher; 177 178 outblockdata = kmalloc(blocksize, gfp_mask); 179 if (outblockdata == NULL) 180 goto err_free_in; 181 182 inblock.data = (char *) inblockdata; 183 inblock.len = blocksize; 184 185 outblock.data = (char *) outblockdata; 186 outblock.len = blocksize; 187 188 /* initialize the input block */ 189 190 if (in_constant->len == inblock.len) { 191 memcpy(inblock.data, in_constant->data, inblock.len); 192 } else { 193 krb5_nfold(in_constant->len * 8, in_constant->data, 194 inblock.len * 8, inblock.data); 195 } 196 197 /* loop encrypting the blocks until enough key bytes are generated */ 198 199 n = 0; 200 while (n < keybytes) { 201 krb5_encrypt(cipher, NULL, inblock.data, outblock.data, 202 inblock.len); 203 204 if ((keybytes - n) <= outblock.len) { 205 memcpy(rawkey + n, outblock.data, (keybytes - n)); 206 break; 207 } 208 209 memcpy(rawkey + n, outblock.data, outblock.len); 210 memcpy(inblock.data, outblock.data, outblock.len); 211 n += outblock.len; 212 } 213 214 ret = 0; 215 216 kfree_sensitive(outblockdata); 217err_free_in: 218 kfree_sensitive(inblockdata); 219err_free_cipher: 220 crypto_free_sync_skcipher(cipher); 221err_return: 222 return ret; 223} 224 225/* 226 * This is the identity function, with some sanity checking. 227 */ 228static int krb5_random_to_key_v2(const struct gss_krb5_enctype *gk5e, 229 struct xdr_netobj *randombits, 230 struct xdr_netobj *key) 231{ 232 int ret = -EINVAL; 233 234 if (key->len != 16 && key->len != 32) { 235 dprintk("%s: key->len is %d\n", __func__, key->len); 236 goto err_out; 237 } 238 if (randombits->len != 16 && randombits->len != 32) { 239 dprintk("%s: randombits->len is %d\n", 240 __func__, randombits->len); 241 goto err_out; 242 } 243 if (randombits->len != key->len) { 244 dprintk("%s: randombits->len is %d, key->len is %d\n", 245 __func__, randombits->len, key->len); 246 goto err_out; 247 } 248 memcpy(key->data, randombits->data, key->len); 249 ret = 0; 250err_out: 251 return ret; 252} 253 254/** 255 * krb5_derive_key_v2 - Derive a subkey for an RFC 3962 enctype 256 * @gk5e: Kerberos 5 enctype profile 257 * @inkey: base protocol key 258 * @outkey: OUT: derived key 259 * @label: subkey usage label 260 * @gfp_mask: memory allocation control flags 261 * 262 * Caller sets @outkey->len to the desired length of the derived key. 263 * 264 * On success, returns 0 and fills in @outkey. A negative errno value 265 * is returned on failure. 266 */ 267int krb5_derive_key_v2(const struct gss_krb5_enctype *gk5e, 268 const struct xdr_netobj *inkey, 269 struct xdr_netobj *outkey, 270 const struct xdr_netobj *label, 271 gfp_t gfp_mask) 272{ 273 struct xdr_netobj inblock; 274 int ret; 275 276 inblock.len = gk5e->keybytes; 277 inblock.data = kmalloc(inblock.len, gfp_mask); 278 if (!inblock.data) 279 return -ENOMEM; 280 281 ret = krb5_DK(gk5e, inkey, inblock.data, label, gfp_mask); 282 if (!ret) 283 ret = krb5_random_to_key_v2(gk5e, &inblock, outkey); 284 285 kfree_sensitive(inblock.data); 286 return ret; 287} 288 289/* 290 * K(i) = CMAC(key, K(i-1) | i | constant | 0x00 | k) 291 * 292 * i: A block counter is used with a length of 4 bytes, represented 293 * in big-endian order. 294 * 295 * constant: The label input to the KDF is the usage constant supplied 296 * to the key derivation function 297 * 298 * k: The length of the output key in bits, represented as a 4-byte 299 * string in big-endian order. 300 * 301 * Caller fills in K(i-1) in @step, and receives the result K(i) 302 * in the same buffer. 303 */ 304static int 305krb5_cmac_Ki(struct crypto_shash *tfm, const struct xdr_netobj *constant, 306 u32 outlen, u32 count, struct xdr_netobj *step) 307{ 308 __be32 k = cpu_to_be32(outlen * 8); 309 SHASH_DESC_ON_STACK(desc, tfm); 310 __be32 i = cpu_to_be32(count); 311 u8 zero = 0; 312 int ret; 313 314 desc->tfm = tfm; 315 ret = crypto_shash_init(desc); 316 if (ret) 317 goto out_err; 318 319 ret = crypto_shash_update(desc, step->data, step->len); 320 if (ret) 321 goto out_err; 322 ret = crypto_shash_update(desc, (u8 *)&i, sizeof(i)); 323 if (ret) 324 goto out_err; 325 ret = crypto_shash_update(desc, constant->data, constant->len); 326 if (ret) 327 goto out_err; 328 ret = crypto_shash_update(desc, &zero, sizeof(zero)); 329 if (ret) 330 goto out_err; 331 ret = crypto_shash_update(desc, (u8 *)&k, sizeof(k)); 332 if (ret) 333 goto out_err; 334 ret = crypto_shash_final(desc, step->data); 335 if (ret) 336 goto out_err; 337 338out_err: 339 shash_desc_zero(desc); 340 return ret; 341} 342 343/** 344 * krb5_kdf_feedback_cmac - Derive a subkey for a Camellia/CMAC-based enctype 345 * @gk5e: Kerberos 5 enctype parameters 346 * @inkey: base protocol key 347 * @outkey: OUT: derived key 348 * @constant: subkey usage label 349 * @gfp_mask: memory allocation control flags 350 * 351 * RFC 6803 Section 3: 352 * 353 * "We use a key derivation function from the family specified in 354 * [SP800-108], Section 5.2, 'KDF in Feedback Mode'." 355 * 356 * n = ceiling(k / 128) 357 * K(0) = zeros 358 * K(i) = CMAC(key, K(i-1) | i | constant | 0x00 | k) 359 * DR(key, constant) = k-truncate(K(1) | K(2) | ... | K(n)) 360 * KDF-FEEDBACK-CMAC(key, constant) = random-to-key(DR(key, constant)) 361 * 362 * Caller sets @outkey->len to the desired length of the derived key (k). 363 * 364 * On success, returns 0 and fills in @outkey. A negative errno value 365 * is returned on failure. 366 */ 367int 368krb5_kdf_feedback_cmac(const struct gss_krb5_enctype *gk5e, 369 const struct xdr_netobj *inkey, 370 struct xdr_netobj *outkey, 371 const struct xdr_netobj *constant, 372 gfp_t gfp_mask) 373{ 374 struct xdr_netobj step = { .data = NULL }; 375 struct xdr_netobj DR = { .data = NULL }; 376 unsigned int blocksize, offset; 377 struct crypto_shash *tfm; 378 int n, count, ret; 379 380 /* 381 * This implementation assumes the CMAC used for an enctype's 382 * key derivation is the same as the CMAC used for its 383 * checksumming. This happens to be true for enctypes that 384 * are currently supported by this implementation. 385 */ 386 tfm = crypto_alloc_shash(gk5e->cksum_name, 0, 0); 387 if (IS_ERR(tfm)) { 388 ret = PTR_ERR(tfm); 389 goto out; 390 } 391 ret = crypto_shash_setkey(tfm, inkey->data, inkey->len); 392 if (ret) 393 goto out_free_tfm; 394 395 blocksize = crypto_shash_digestsize(tfm); 396 n = (outkey->len + blocksize - 1) / blocksize; 397 398 /* K(0) is all zeroes */ 399 ret = -ENOMEM; 400 step.len = blocksize; 401 step.data = kzalloc(step.len, gfp_mask); 402 if (!step.data) 403 goto out_free_tfm; 404 405 DR.len = blocksize * n; 406 DR.data = kmalloc(DR.len, gfp_mask); 407 if (!DR.data) 408 goto out_free_tfm; 409 410 /* XXX: Does not handle partial-block key sizes */ 411 for (offset = 0, count = 1; count <= n; count++) { 412 ret = krb5_cmac_Ki(tfm, constant, outkey->len, count, &step); 413 if (ret) 414 goto out_free_tfm; 415 416 memcpy(DR.data + offset, step.data, blocksize); 417 offset += blocksize; 418 } 419 420 /* k-truncate and random-to-key */ 421 memcpy(outkey->data, DR.data, outkey->len); 422 ret = 0; 423 424out_free_tfm: 425 crypto_free_shash(tfm); 426out: 427 kfree_sensitive(step.data); 428 kfree_sensitive(DR.data); 429 return ret; 430} 431 432/* 433 * K1 = HMAC-SHA(key, 0x00000001 | label | 0x00 | k) 434 * 435 * key: The source of entropy from which subsequent keys are derived. 436 * 437 * label: An octet string describing the intended usage of the 438 * derived key. 439 * 440 * k: Length in bits of the key to be outputted, expressed in 441 * big-endian binary representation in 4 bytes. 442 */ 443static int 444krb5_hmac_K1(struct crypto_shash *tfm, const struct xdr_netobj *label, 445 u32 outlen, struct xdr_netobj *K1) 446{ 447 __be32 k = cpu_to_be32(outlen * 8); 448 SHASH_DESC_ON_STACK(desc, tfm); 449 __be32 one = cpu_to_be32(1); 450 u8 zero = 0; 451 int ret; 452 453 desc->tfm = tfm; 454 ret = crypto_shash_init(desc); 455 if (ret) 456 goto out_err; 457 ret = crypto_shash_update(desc, (u8 *)&one, sizeof(one)); 458 if (ret) 459 goto out_err; 460 ret = crypto_shash_update(desc, label->data, label->len); 461 if (ret) 462 goto out_err; 463 ret = crypto_shash_update(desc, &zero, sizeof(zero)); 464 if (ret) 465 goto out_err; 466 ret = crypto_shash_update(desc, (u8 *)&k, sizeof(k)); 467 if (ret) 468 goto out_err; 469 ret = crypto_shash_final(desc, K1->data); 470 if (ret) 471 goto out_err; 472 473out_err: 474 shash_desc_zero(desc); 475 return ret; 476} 477 478/** 479 * krb5_kdf_hmac_sha2 - Derive a subkey for an AES/SHA2-based enctype 480 * @gk5e: Kerberos 5 enctype policy parameters 481 * @inkey: base protocol key 482 * @outkey: OUT: derived key 483 * @label: subkey usage label 484 * @gfp_mask: memory allocation control flags 485 * 486 * RFC 8009 Section 3: 487 * 488 * "We use a key derivation function from Section 5.1 of [SP800-108], 489 * which uses the HMAC algorithm as the PRF." 490 * 491 * function KDF-HMAC-SHA2(key, label, [context,] k): 492 * k-truncate(K1) 493 * 494 * Caller sets @outkey->len to the desired length of the derived key. 495 * 496 * On success, returns 0 and fills in @outkey. A negative errno value 497 * is returned on failure. 498 */ 499int 500krb5_kdf_hmac_sha2(const struct gss_krb5_enctype *gk5e, 501 const struct xdr_netobj *inkey, 502 struct xdr_netobj *outkey, 503 const struct xdr_netobj *label, 504 gfp_t gfp_mask) 505{ 506 struct crypto_shash *tfm; 507 struct xdr_netobj K1 = { 508 .data = NULL, 509 }; 510 int ret; 511 512 /* 513 * This implementation assumes the HMAC used for an enctype's 514 * key derivation is the same as the HMAC used for its 515 * checksumming. This happens to be true for enctypes that 516 * are currently supported by this implementation. 517 */ 518 tfm = crypto_alloc_shash(gk5e->cksum_name, 0, 0); 519 if (IS_ERR(tfm)) { 520 ret = PTR_ERR(tfm); 521 goto out; 522 } 523 ret = crypto_shash_setkey(tfm, inkey->data, inkey->len); 524 if (ret) 525 goto out_free_tfm; 526 527 K1.len = crypto_shash_digestsize(tfm); 528 K1.data = kmalloc(K1.len, gfp_mask); 529 if (!K1.data) { 530 ret = -ENOMEM; 531 goto out_free_tfm; 532 } 533 534 ret = krb5_hmac_K1(tfm, label, outkey->len, &K1); 535 if (ret) 536 goto out_free_tfm; 537 538 /* k-truncate and random-to-key */ 539 memcpy(outkey->data, K1.data, outkey->len); 540 541out_free_tfm: 542 kfree_sensitive(K1.data); 543 crypto_free_shash(tfm); 544out: 545 return ret; 546} 547