1/* 2 * COPYRIGHT (c) 2008 3 * The Regents of the University of Michigan 4 * ALL RIGHTS RESERVED 5 * 6 * Permission is granted to use, copy, create derivative works 7 * and redistribute this software and such derivative works 8 * for any purpose, so long as the name of The University of 9 * Michigan is not used in any advertising or publicity 10 * pertaining to the use of distribution of this software 11 * without specific, written prior authorization. If the 12 * above copyright notice or any other identification of the 13 * University of Michigan is included in any copy of any 14 * portion of this software, then the disclaimer below must 15 * also be included. 16 * 17 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION 18 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY 19 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF 20 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING 21 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF 22 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE 23 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE 24 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR 25 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING 26 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN 27 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGES. 29 */ 30 31/* 32 * Copyright (C) 1998 by the FundsXpress, INC. 33 * 34 * All rights reserved. 35 * 36 * Export of this software from the United States of America may require 37 * a specific license from the United States Government. It is the 38 * responsibility of any person or organization contemplating export to 39 * obtain such a license before exporting. 40 * 41 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 42 * distribute this software and its documentation for any purpose and 43 * without fee is hereby granted, provided that the above copyright 44 * notice appear in all copies and that both that copyright notice and 45 * this permission notice appear in supporting documentation, and that 46 * the name of FundsXpress. not be used in advertising or publicity pertaining 47 * to distribution of the software without specific, written prior 48 * permission. FundsXpress makes no representations about the suitability of 49 * this software for any purpose. It is provided "as is" without express 50 * or implied warranty. 51 * 52 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 53 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 54 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 55 */ 56 57#include <linux/err.h> 58#include <linux/types.h> 59#include <linux/crypto.h> 60#include <linux/sunrpc/gss_krb5.h> 61#include <linux/sunrpc/xdr.h> 62 63#ifdef RPC_DEBUG 64# define RPCDBG_FACILITY RPCDBG_AUTH 65#endif 66 67/* 68 * This is the n-fold function as described in rfc3961, sec 5.1 69 * Taken from MIT Kerberos and modified. 70 */ 71 72static void krb5_nfold(u32 inbits, const u8 *in, 73 u32 outbits, u8 *out) 74{ 75 int a, b, c, lcm; 76 int byte, i, msbit; 77 78 /* the code below is more readable if I make these bytes 79 instead of bits */ 80 81 inbits >>= 3; 82 outbits >>= 3; 83 84 /* first compute lcm(n,k) */ 85 86 a = outbits; 87 b = inbits; 88 89 while (b != 0) { 90 c = b; 91 b = a%b; 92 a = c; 93 } 94 95 lcm = outbits*inbits/a; 96 97 /* now do the real work */ 98 99 memset(out, 0, outbits); 100 byte = 0; 101 102 /* this will end up cycling through k lcm(k,n)/k times, which 103 is correct */ 104 for (i = lcm-1; i >= 0; i--) { 105 /* compute the msbit in k which gets added into this byte */ 106 msbit = ( 107 /* first, start with the msbit in the first, 108 * unrotated byte */ 109 ((inbits << 3) - 1) 110 /* then, for each byte, shift to the right 111 * for each repetition */ 112 + (((inbits << 3) + 13) * (i/inbits)) 113 /* last, pick out the correct byte within 114 * that shifted repetition */ 115 + ((inbits - (i % inbits)) << 3) 116 ) % (inbits << 3); 117 118 /* pull out the byte value itself */ 119 byte += (((in[((inbits - 1) - (msbit >> 3)) % inbits] << 8)| 120 (in[((inbits) - (msbit >> 3)) % inbits])) 121 >> ((msbit & 7) + 1)) & 0xff; 122 123 /* do the addition */ 124 byte += out[i % outbits]; 125 out[i % outbits] = byte & 0xff; 126 127 /* keep around the carry bit, if any */ 128 byte >>= 8; 129 130 } 131 132 /* if there's a carry bit left over, add it back in */ 133 if (byte) { 134 for (i = outbits - 1; i >= 0; i--) { 135 /* do the addition */ 136 byte += out[i]; 137 out[i] = byte & 0xff; 138 139 /* keep around the carry bit, if any */ 140 byte >>= 8; 141 } 142 } 143} 144 145/* 146 * This is the DK (derive_key) function as described in rfc3961, sec 5.1 147 * Taken from MIT Kerberos and modified. 148 */ 149 150u32 krb5_derive_key(const struct gss_krb5_enctype *gk5e, 151 const struct xdr_netobj *inkey, 152 struct xdr_netobj *outkey, 153 const struct xdr_netobj *in_constant, 154 gfp_t gfp_mask) 155{ 156 size_t blocksize, keybytes, keylength, n; 157 unsigned char *inblockdata, *outblockdata, *rawkey; 158 struct xdr_netobj inblock, outblock; 159 struct crypto_blkcipher *cipher; 160 u32 ret = EINVAL; 161 162 blocksize = gk5e->blocksize; 163 keybytes = gk5e->keybytes; 164 keylength = gk5e->keylength; 165 166 if ((inkey->len != keylength) || (outkey->len != keylength)) 167 goto err_return; 168 169 cipher = crypto_alloc_blkcipher(gk5e->encrypt_name, 0, 170 CRYPTO_ALG_ASYNC); 171 if (IS_ERR(cipher)) 172 goto err_return; 173 if (crypto_blkcipher_setkey(cipher, inkey->data, inkey->len)) 174 goto err_return; 175 176 /* allocate and set up buffers */ 177 178 ret = ENOMEM; 179 inblockdata = kmalloc(blocksize, gfp_mask); 180 if (inblockdata == NULL) 181 goto err_free_cipher; 182 183 outblockdata = kmalloc(blocksize, gfp_mask); 184 if (outblockdata == NULL) 185 goto err_free_in; 186 187 rawkey = kmalloc(keybytes, gfp_mask); 188 if (rawkey == NULL) 189 goto err_free_out; 190 191 inblock.data = (char *) inblockdata; 192 inblock.len = blocksize; 193 194 outblock.data = (char *) outblockdata; 195 outblock.len = blocksize; 196 197 /* initialize the input block */ 198 199 if (in_constant->len == inblock.len) { 200 memcpy(inblock.data, in_constant->data, inblock.len); 201 } else { 202 krb5_nfold(in_constant->len * 8, in_constant->data, 203 inblock.len * 8, inblock.data); 204 } 205 206 /* loop encrypting the blocks until enough key bytes are generated */ 207 208 n = 0; 209 while (n < keybytes) { 210 (*(gk5e->encrypt))(cipher, NULL, inblock.data, 211 outblock.data, inblock.len); 212 213 if ((keybytes - n) <= outblock.len) { 214 memcpy(rawkey + n, outblock.data, (keybytes - n)); 215 break; 216 } 217 218 memcpy(rawkey + n, outblock.data, outblock.len); 219 memcpy(inblock.data, outblock.data, outblock.len); 220 n += outblock.len; 221 } 222 223 /* postprocess the key */ 224 225 inblock.data = (char *) rawkey; 226 inblock.len = keybytes; 227 228 BUG_ON(gk5e->mk_key == NULL); 229 ret = (*(gk5e->mk_key))(gk5e, &inblock, outkey); 230 if (ret) { 231 dprintk("%s: got %d from mk_key function for '%s'\n", 232 __func__, ret, gk5e->encrypt_name); 233 goto err_free_raw; 234 } 235 236 /* clean memory, free resources and exit */ 237 238 ret = 0; 239 240err_free_raw: 241 memset(rawkey, 0, keybytes); 242 kfree(rawkey); 243err_free_out: 244 memset(outblockdata, 0, blocksize); 245 kfree(outblockdata); 246err_free_in: 247 memset(inblockdata, 0, blocksize); 248 kfree(inblockdata); 249err_free_cipher: 250 crypto_free_blkcipher(cipher); 251err_return: 252 return ret; 253} 254 255#define smask(step) ((1<<step)-1) 256#define pstep(x, step) (((x)&smask(step))^(((x)>>step)&smask(step))) 257#define parity_char(x) pstep(pstep(pstep((x), 4), 2), 1) 258 259static void mit_des_fixup_key_parity(u8 key[8]) 260{ 261 int i; 262 for (i = 0; i < 8; i++) { 263 key[i] &= 0xfe; 264 key[i] |= 1^parity_char(key[i]); 265 } 266} 267 268/* 269 * This is the des3 key derivation postprocess function 270 */ 271u32 gss_krb5_des3_make_key(const struct gss_krb5_enctype *gk5e, 272 struct xdr_netobj *randombits, 273 struct xdr_netobj *key) 274{ 275 int i; 276 u32 ret = EINVAL; 277 278 if (key->len != 24) { 279 dprintk("%s: key->len is %d\n", __func__, key->len); 280 goto err_out; 281 } 282 if (randombits->len != 21) { 283 dprintk("%s: randombits->len is %d\n", 284 __func__, randombits->len); 285 goto err_out; 286 } 287 288 /* take the seven bytes, move them around into the top 7 bits of the 289 8 key bytes, then compute the parity bits. Do this three times. */ 290 291 for (i = 0; i < 3; i++) { 292 memcpy(key->data + i*8, randombits->data + i*7, 7); 293 key->data[i*8+7] = (((key->data[i*8]&1)<<1) | 294 ((key->data[i*8+1]&1)<<2) | 295 ((key->data[i*8+2]&1)<<3) | 296 ((key->data[i*8+3]&1)<<4) | 297 ((key->data[i*8+4]&1)<<5) | 298 ((key->data[i*8+5]&1)<<6) | 299 ((key->data[i*8+6]&1)<<7)); 300 301 mit_des_fixup_key_parity(key->data + i*8); 302 } 303 ret = 0; 304err_out: 305 return ret; 306} 307 308/* 309 * This is the aes key derivation postprocess function 310 */ 311u32 gss_krb5_aes_make_key(const struct gss_krb5_enctype *gk5e, 312 struct xdr_netobj *randombits, 313 struct xdr_netobj *key) 314{ 315 u32 ret = EINVAL; 316 317 if (key->len != 16 && key->len != 32) { 318 dprintk("%s: key->len is %d\n", __func__, key->len); 319 goto err_out; 320 } 321 if (randombits->len != 16 && randombits->len != 32) { 322 dprintk("%s: randombits->len is %d\n", 323 __func__, randombits->len); 324 goto err_out; 325 } 326 if (randombits->len != key->len) { 327 dprintk("%s: randombits->len is %d, key->len is %d\n", 328 __func__, randombits->len, key->len); 329 goto err_out; 330 } 331 memcpy(key->data, randombits->data, key->len); 332 ret = 0; 333err_out: 334 return ret; 335} 336