diff options
Diffstat (limited to 'third_party/heimdal/lib/kafs/rxkad_kdf.c')
-rw-r--r-- | third_party/heimdal/lib/kafs/rxkad_kdf.c | 221 |
1 files changed, 221 insertions, 0 deletions
diff --git a/third_party/heimdal/lib/kafs/rxkad_kdf.c b/third_party/heimdal/lib/kafs/rxkad_kdf.c new file mode 100644 index 0000000..5af391e --- /dev/null +++ b/third_party/heimdal/lib/kafs/rxkad_kdf.c @@ -0,0 +1,221 @@ +/* + * Copyright (c) 1995-2003 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Portions Copyright (c) 2013-2014 Carnegie Mellon University + * All rights reserved. + * + * Portions Copyright (c) 2013 by the Massachusetts Institute of Technology + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#define HC_DEPRECATED_CRYPTO +#include "kafs_locl.h" + +static int rxkad_derive_des_key(const void *, size_t, char[8]); +static int compress_parity_bits(void *, size_t *); + +/** + * Use NIST SP800-108 with HMAC(MD5) in counter mode as the PRF to derive a + * des key from another type of key. + * + * L is 64, as we take 64 random bits and turn them into a 56-bit des key. + * The output of hmac_md5 is 128 bits; we take the first 64 only, so n + * properly should be 1. However, we apply a slight variation due to the + * possibility of producing a weak des key. If the output key is weak, do NOT + * simply correct it, instead, the counter is advanced and the next output + * used. As such, we code so as to have n be the full 255 permitted by our + * encoding of the counter i in an 8-bit field. L itself is encoded as a + * 32-bit field, big-endian. We use the constant string "rxkad" as a label + * for this key derivation, the standard NUL byte separator, and omit a + * key-derivation context. The input key is unique to the krb5 service ticket, + * which is unlikely to be used in an other location. If it is used in such + * a fashion, both locations will derive the same des key from the PRF, but + * this is no different from if a krb5 des key had been used in the same way, + * as traditional krb5 rxkad uses the ticket session key directly as the token + * key. + * + * @param[in] in pointer to input key data + * @param[in] insize length of input key data + * @param[out] out 8-byte buffer to hold the derived key + * + * @return Returns 0 to indicate success, or an error code. + * + * @retval KRB5DES_WEAK_KEY Successive derivation attempts with all + * 255 possible counter values each produced weak DES keys. This input + * cannot be used to produce a usable key. + */ +static int +rxkad_derive_des_key(const void *in, size_t insize, char out[8]) +{ + unsigned char i; + static unsigned char label[] = "rxkad"; + /* bits of output, as 32 bit word, MSB first */ + static unsigned char Lbuf[4] = { 0, 0, 0, 64 }; + /* only needs to be 16 for md5, but lets be sure it fits */ + unsigned char tmp[64]; + unsigned int mdsize; + DES_cblock ktmp; + HMAC_CTX mctx; + + /* stop when 8 bit counter wraps to 0 */ + for (i = 1; i; i++) { + HMAC_CTX_init(&mctx); + if (HMAC_Init_ex(&mctx, in, insize, EVP_md5(), NULL) == 0) { + HMAC_CTX_cleanup(&mctx); + return ENOMEM; + } + HMAC_Update(&mctx, &i, 1); + HMAC_Update(&mctx, label, sizeof(label)); /* includes label and separator */ + HMAC_Update(&mctx, Lbuf, 4); + mdsize = sizeof(tmp); + HMAC_Final(&mctx, tmp, &mdsize); + HMAC_CTX_cleanup(&mctx); + memcpy(ktmp, tmp, 8); + DES_set_odd_parity(&ktmp); + if (!DES_is_weak_key(&ktmp)) { + memcpy(out, ktmp, 8); + return 0; + } + } + return KRB5DES_WEAK_KEY; +} + +/** + * This is the inverse of the random-to-key for 3des specified in + * rfc3961, converting blocks of 8 bytes to blocks of 7 bytes by distributing + * the bits of each 8th byte as the lsb of the previous 7 bytes. + * + * @param[in,out] buffer Buffer containing the key to be converted + * @param[in,out] bufsiz Points to the size of the key data. On + * return, this is updated to reflect the size of the compressed data. + * + * @return Returns 0 to indicate success, or an error code. + * + * @retval KRB5_BAD_KEYSIZE The key size was not a multiple of 8 bytes. + */ +static int +compress_parity_bits(void *buffer, size_t *bufsiz) +{ + unsigned char *cb, tmp; + int i, j, nk; + + if (*bufsiz % 8 != 0) + return KRB5_BAD_KEYSIZE; + cb = (unsigned char *)buffer; + nk = *bufsiz / 8; + for (i = 0; i < nk; i++) { + tmp = cb[8 * i + 7] >> 1; + for (j = 0; j < 7; j++) { + cb[8 * i + j] &= 0xfe; + cb[8 * i + j] |= tmp & 0x1; + tmp >>= 1; + } + } + for (i = 1; i < nk; i++) + memmove(cb + 7 * i, cb + 8 * i, 7); + *bufsiz = 7 * nk; + return 0; +} + +/** + * Derive a DES key for use with rxkad and fcrypt from a given Kerberos + * key of (almost) any type. This function encodes enctype-specific + * knowledge about how to derive a DES key from a given key type. + * If given a des key, use it directly; otherwise, perform any parity + * fixup that may be needed and pass through to the hmad-md5 bits. + * + * @param[in] enctype Kerberos enctype of the input key + * @param[in] keydata Input key data + * @param[in] keylen Size of input key data + * @param[out] output 8-byte buffer to hold the derived key + * + * @return Returns 0 to indicate success, or an error code. + * + * @retval KRB5_PROG_ETYPE_NOSUPP The enctype is one for which rxkad-kdf + * is not supported. This includes several reserved enctypes, enctype + * values used in PKINIT to stand for CMS algorithm identifiers, and all + * private-use (negative) enctypes. + * + * @retval KRB5_BAD_KEYSIZE The key size was not a multiple of 8 bytes + * (for 3DES key types), exactly 8 bytes (for DES key types), or at least + * 8 bytes (for other key types). + * + * @retval KRB5DES_WEAK_KEY Successive derivation attempts with all + * 255 possible counter values each produced weak DES keys. This input + * cannot be used to produce a usable key. + */ +int +_kafs_derive_des_key(krb5_enctype enctype, void *keydata, size_t keylen, + char output[8]) +{ + int ret = 0; + + switch ((int)enctype) { + case ETYPE_DES_CBC_CRC: + case ETYPE_DES_CBC_MD4: + case ETYPE_DES_CBC_MD5: + if (keylen != 8) + return KRB5_BAD_KEYSIZE; + + /* Extract session key */ + memcpy(output, keydata, 8); + break; + case ETYPE_NULL: + case 4: + case 6: + case 8: + case 9: + case 10: + case 11: + case 12: + case 13: + case 14: + case 15: + return KRB5_PROG_ETYPE_NOSUPP; + /*In order to become a "Cryptographic Key" as specified in + * SP800-108, it must be indistinguishable from a random bitstring. */ + case ETYPE_DES3_CBC_MD5: + case ETYPE_OLD_DES3_CBC_SHA1: + case ETYPE_DES3_CBC_SHA1: + ret = compress_parity_bits(keydata, &keylen); + if (ret) + return ret; + fallthrough; + default: + if (enctype < 0) + return KRB5_PROG_ETYPE_NOSUPP; + if (keylen < 7) + return KRB5_BAD_KEYSIZE; + ret = rxkad_derive_des_key(keydata, keylen, output); + } + return ret; +} |