1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /*
3 * Copyright (C) 1998 by the FundsXpress, INC.
4 *
5 * All rights reserved.
6 *
7 * Export of this software from the United States of America may require
8 * a specific license from the United States Government. It is the
9 * responsibility of any person or organization contemplating export to
10 * obtain such a license before exporting.
11 *
12 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
13 * distribute this software and its documentation for any purpose and
14 * without fee is hereby granted, provided that the above copyright
15 * notice appear in all copies and that both that copyright notice and
16 * this permission notice appear in supporting documentation, and that
17 * the name of FundsXpress. not be used in advertising or publicity pertaining
18 * to distribution of the software without specific, written prior
19 * permission. FundsXpress makes no representations about the suitability of
20 * this software for any purpose. It is provided "as is" without express
21 * or implied warranty.
22 *
23 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
24 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
25 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
26 */
27
28 #include "crypto_int.h"
29
30 static const unsigned char kerberos[] = "kerberos";
31 #define kerberos_len (sizeof(kerberos)-1)
32
33 krb5_error_code
krb5int_dk_string_to_key(const struct krb5_keytypes * ktp,const krb5_data * string,const krb5_data * salt,const krb5_data * parms,krb5_keyblock * keyblock)34 krb5int_dk_string_to_key(const struct krb5_keytypes *ktp,
35 const krb5_data *string, const krb5_data *salt,
36 const krb5_data *parms, krb5_keyblock *keyblock)
37 {
38 krb5_error_code ret;
39 size_t keybytes, keylength, concatlen;
40 unsigned char *concat = NULL, *foldstring = NULL, *foldkeydata = NULL;
41 krb5_data indata;
42 krb5_keyblock foldkeyblock;
43 krb5_key foldkey = NULL;
44
45 /* keyblock->length is checked by krb5int_derive_key. */
46
47 keybytes = ktp->enc->keybytes;
48 keylength = ktp->enc->keylength;
49
50 concatlen = string->length + salt->length;
51
52 concat = k5alloc(concatlen, &ret);
53 if (ret != 0)
54 goto cleanup;
55 foldstring = k5alloc(keybytes, &ret);
56 if (ret != 0)
57 goto cleanup;
58 foldkeydata = k5alloc(keylength, &ret);
59 if (ret != 0)
60 goto cleanup;
61
62 /* construct input string ( = string + salt), fold it, make_key it */
63
64 if (string->length > 0)
65 memcpy(concat, string->data, string->length);
66 if (salt->length > 0)
67 memcpy(concat + string->length, salt->data, salt->length);
68
69 krb5int_nfold(concatlen*8, concat, keybytes*8, foldstring);
70
71 indata.length = keybytes;
72 indata.data = (char *) foldstring;
73 foldkeyblock.length = keylength;
74 foldkeyblock.contents = foldkeydata;
75 foldkeyblock.enctype = ktp->etype;
76
77 ret = ktp->rand2key(&indata, &foldkeyblock);
78 if (ret != 0)
79 goto cleanup;
80
81 ret = krb5_k_create_key(NULL, &foldkeyblock, &foldkey);
82 if (ret != 0)
83 goto cleanup;
84
85 /* now derive the key from this one */
86
87 indata.length = kerberos_len;
88 indata.data = (char *) kerberos;
89
90 ret = krb5int_derive_keyblock(ktp->enc, NULL, foldkey, keyblock, &indata,
91 DERIVE_RFC3961);
92 if (ret != 0)
93 memset(keyblock->contents, 0, keyblock->length);
94
95 cleanup:
96 zapfree(concat, concatlen);
97 zapfree(foldstring, keybytes);
98 zapfree(foldkeydata, keylength);
99 krb5_k_free_key(NULL, foldkey);
100 return ret;
101 }
102
103
104 #define MAX_ITERATION_COUNT 0x1000000L
105
106 krb5_boolean k5_allow_weak_pbkdf2iter = FALSE;
107
108 static krb5_error_code
pbkdf2_string_to_key(const struct krb5_keytypes * ktp,const krb5_data * string,const krb5_data * salt,const krb5_data * pepper,const krb5_data * params,krb5_keyblock * key,enum deriv_alg deriv_alg,unsigned long def_iter_count)109 pbkdf2_string_to_key(const struct krb5_keytypes *ktp, const krb5_data *string,
110 const krb5_data *salt, const krb5_data *pepper,
111 const krb5_data *params, krb5_keyblock *key,
112 enum deriv_alg deriv_alg, unsigned long def_iter_count)
113 {
114 const struct krb5_hash_provider *hash;
115 unsigned long iter_count;
116 krb5_data out;
117 static const krb5_data usage = { KV5M_DATA, 8, "kerberos" };
118 krb5_key tempkey = NULL;
119 krb5_error_code err;
120 krb5_data sandp = empty_data();
121
122 if (params) {
123 unsigned char *p = (unsigned char *) params->data;
124 if (params->length != 4)
125 return KRB5_ERR_BAD_S2K_PARAMS;
126 iter_count = load_32_be(p);
127 /* Zero means 2^32, which is way above what we will accept. Also don't
128 * accept values less than the default, unless we're running tests. */
129 if (iter_count == 0 ||
130 (!k5_allow_weak_pbkdf2iter && iter_count < def_iter_count))
131 return KRB5_ERR_BAD_S2K_PARAMS;
132
133 } else
134 iter_count = def_iter_count;
135
136 /* This is not a protocol specification constraint; this is an
137 implementation limit, which should eventually be controlled by
138 a config file. */
139 if (iter_count >= MAX_ITERATION_COUNT)
140 return KRB5_ERR_BAD_S2K_PARAMS;
141
142 /* Use the output keyblock contents for temporary space. */
143 out.data = (char *) key->contents;
144 out.length = key->length;
145 if (out.length != 16 && out.length != 32)
146 return KRB5_CRYPTO_INTERNAL;
147
148 if (pepper != NULL) {
149 err = alloc_data(&sandp, pepper->length + 1 + salt->length);
150 if (err)
151 return err;
152
153 if (pepper->length > 0)
154 memcpy(sandp.data, pepper->data, pepper->length);
155 sandp.data[pepper->length] = '\0';
156 if (salt->length > 0)
157 memcpy(&sandp.data[pepper->length + 1], salt->data, salt->length);
158
159 salt = &sandp;
160 }
161
162 hash = (ktp->hash != NULL) ? ktp->hash : &krb5int_hash_sha1;
163 err = krb5int_pbkdf2_hmac(hash, &out, iter_count, string, salt);
164 if (err)
165 goto cleanup;
166
167 err = krb5_k_create_key (NULL, key, &tempkey);
168 if (err)
169 goto cleanup;
170
171 err = krb5int_derive_keyblock(ktp->enc, ktp->hash, tempkey, key, &usage,
172 deriv_alg);
173
174 cleanup:
175 if (sandp.data)
176 free(sandp.data);
177 if (err)
178 memset (out.data, 0, out.length);
179 krb5_k_free_key (NULL, tempkey);
180 return err;
181 }
182
183 krb5_error_code
krb5int_aes_string_to_key(const struct krb5_keytypes * ktp,const krb5_data * string,const krb5_data * salt,const krb5_data * params,krb5_keyblock * key)184 krb5int_aes_string_to_key(const struct krb5_keytypes *ktp,
185 const krb5_data *string,
186 const krb5_data *salt,
187 const krb5_data *params,
188 krb5_keyblock *key)
189 {
190 return pbkdf2_string_to_key(ktp, string, salt, NULL, params, key,
191 DERIVE_RFC3961, 4096);
192 }
193
194 krb5_error_code
krb5int_camellia_string_to_key(const struct krb5_keytypes * ktp,const krb5_data * string,const krb5_data * salt,const krb5_data * params,krb5_keyblock * key)195 krb5int_camellia_string_to_key(const struct krb5_keytypes *ktp,
196 const krb5_data *string,
197 const krb5_data *salt,
198 const krb5_data *params,
199 krb5_keyblock *key)
200 {
201 krb5_data pepper = string2data(ktp->name);
202
203 return pbkdf2_string_to_key(ktp, string, salt, &pepper, params, key,
204 DERIVE_SP800_108_CMAC, 32768);
205 }
206
207 krb5_error_code
krb5int_aes2_string_to_key(const struct krb5_keytypes * ktp,const krb5_data * string,const krb5_data * salt,const krb5_data * params,krb5_keyblock * key)208 krb5int_aes2_string_to_key(const struct krb5_keytypes *ktp,
209 const krb5_data *string, const krb5_data *salt,
210 const krb5_data *params, krb5_keyblock *key)
211 {
212 krb5_data pepper = string2data(ktp->name);
213
214 return pbkdf2_string_to_key(ktp, string, salt, &pepper, params, key,
215 DERIVE_SP800_108_HMAC, 32768);
216 }
217