xref: /freebsd/crypto/krb5/src/lib/crypto/krb/enc_dk_hmac.c (revision 7f2fe78b9dd5f51c821d771b63d2e096f6fd49e9) 
1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /* lib/crypto/krb/enc_dk_hmac.c */
3 /*
4  * Copyright 2008, 2009 by the Massachusetts Institute of Technology.
5  * All Rights Reserved.
6  *
7  * Export of this software from the United States of America may
8  *   require a specific license from the United States Government.
9  *   It is the responsibility of any person or organization contemplating
10  *   export to obtain such a license before exporting.
11  *
12  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
13  * distribute this software and its documentation for any purpose and
14  * without fee is hereby granted, provided that the above copyright
15  * notice appear in all copies and that both that copyright notice and
16  * this permission notice appear in supporting documentation, and that
17  * the name of M.I.T. not be used in advertising or publicity pertaining
18  * to distribution of the software without specific, written prior
19  * permission.  Furthermore if you modify this software you must label
20  * your software as modified software and not distribute it in such a
21  * fashion that it might be confused with the original M.I.T. software.
22  * M.I.T. makes no representations about the suitability of
23  * this software for any purpose.  It is provided "as is" without express
24  * or implied warranty.
25  */
26 
27 
28 #include "crypto_int.h"
29 
30 #define K5CLENGTH 5 /* 32 bit net byte order integer + one byte seed */
31 
32 /* AEAD */
33 
34 unsigned int
krb5int_dk_crypto_length(const struct krb5_keytypes * ktp,krb5_cryptotype type)35 krb5int_dk_crypto_length(const struct krb5_keytypes *ktp, krb5_cryptotype type)
36 {
37     switch (type) {
38     case KRB5_CRYPTO_TYPE_HEADER:
39     case KRB5_CRYPTO_TYPE_PADDING:
40         return ktp->enc->block_size;
41     case KRB5_CRYPTO_TYPE_TRAILER:
42     case KRB5_CRYPTO_TYPE_CHECKSUM:
43         return ktp->hash->hashsize;
44     default:
45         assert(0 && "invalid cryptotype passed to krb5int_dk_crypto_length");
46         return 0;
47     }
48 }
49 
50 unsigned int
krb5int_aes_crypto_length(const struct krb5_keytypes * ktp,krb5_cryptotype type)51 krb5int_aes_crypto_length(const struct krb5_keytypes *ktp,
52                           krb5_cryptotype type)
53 {
54     switch (type) {
55     case KRB5_CRYPTO_TYPE_HEADER:
56         return ktp->enc->block_size;
57     case KRB5_CRYPTO_TYPE_PADDING:
58         return 0;
59     case KRB5_CRYPTO_TYPE_TRAILER:
60     case KRB5_CRYPTO_TYPE_CHECKSUM:
61         return 96 / 8;
62     default:
63         assert(0 && "invalid cryptotype passed to krb5int_aes_crypto_length");
64         return 0;
65     }
66 }
67 
68 krb5_error_code
krb5int_dk_encrypt(const struct krb5_keytypes * ktp,krb5_key key,krb5_keyusage usage,const krb5_data * ivec,krb5_crypto_iov * data,size_t num_data)69 krb5int_dk_encrypt(const struct krb5_keytypes *ktp, krb5_key key,
70                    krb5_keyusage usage, const krb5_data *ivec,
71                    krb5_crypto_iov *data, size_t num_data)
72 {
73     const struct krb5_enc_provider *enc = ktp->enc;
74     const struct krb5_hash_provider *hash = ktp->hash;
75     krb5_error_code ret;
76     unsigned char constantdata[K5CLENGTH];
77     krb5_data d1, d2;
78     krb5_crypto_iov *header, *trailer, *padding;
79     krb5_key ke = NULL, ki = NULL;
80     size_t i;
81     unsigned int blocksize, hmacsize, plainlen = 0, padsize = 0;
82     unsigned char *cksum = NULL;
83 
84     /* E(Confounder | Plaintext | Pad) | Checksum */
85 
86     blocksize = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_PADDING);
87     hmacsize = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_TRAILER);
88 
89     for (i = 0; i < num_data; i++) {
90         krb5_crypto_iov *iov = &data[i];
91 
92         if (iov->flags == KRB5_CRYPTO_TYPE_DATA)
93             plainlen += iov->data.length;
94     }
95 
96     /* Validate header and trailer lengths. */
97 
98     header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
99     if (header == NULL || header->data.length < enc->block_size)
100         return KRB5_BAD_MSIZE;
101 
102     trailer = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
103     if (trailer == NULL || trailer->data.length < hmacsize)
104         return KRB5_BAD_MSIZE;
105 
106     if (blocksize != 0) {
107         /* Check that the input data is correctly padded. */
108         if (plainlen % blocksize)
109             padsize = blocksize - (plainlen % blocksize);
110     }
111 
112     padding = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_PADDING);
113     if (padsize && (padding == NULL || padding->data.length < padsize))
114         return KRB5_BAD_MSIZE;
115 
116     if (padding != NULL) {
117         memset(padding->data.data, 0, padsize);
118         padding->data.length = padsize;
119     }
120 
121     cksum = k5alloc(hash->hashsize, &ret);
122     if (ret != 0)
123         goto cleanup;
124 
125     /* Derive the keys. */
126 
127     d1.data = (char *)constantdata;
128     d1.length = K5CLENGTH;
129 
130     store_32_be(usage, constantdata);
131 
132     d1.data[4] = 0xAA;
133 
134     ret = krb5int_derive_key(enc, NULL, key, &ke, &d1, DERIVE_RFC3961);
135     if (ret != 0)
136         goto cleanup;
137 
138     d1.data[4] = 0x55;
139 
140     ret = krb5int_derive_key(enc, NULL, key, &ki, &d1, DERIVE_RFC3961);
141     if (ret != 0)
142         goto cleanup;
143 
144     /* Generate confounder. */
145 
146     header->data.length = enc->block_size;
147 
148     ret = krb5_c_random_make_octets(/* XXX */ NULL, &header->data);
149     if (ret != 0)
150         goto cleanup;
151 
152     /* Hash the plaintext. */
153     d2.length = hash->hashsize;
154     d2.data = (char *)cksum;
155 
156     ret = krb5int_hmac(hash, ki, data, num_data, &d2);
157     if (ret != 0)
158         goto cleanup;
159 
160     /* Encrypt the plaintext (header | data | padding) */
161     ret = enc->encrypt(ke, ivec, data, num_data);
162     if (ret != 0)
163         goto cleanup;
164 
165     /* Possibly truncate the hash */
166     assert(hmacsize <= d2.length);
167 
168     memcpy(trailer->data.data, cksum, hmacsize);
169     trailer->data.length = hmacsize;
170 
171 cleanup:
172     krb5_k_free_key(NULL, ke);
173     krb5_k_free_key(NULL, ki);
174     free(cksum);
175     return ret;
176 }
177 
178 krb5_error_code
krb5int_dk_decrypt(const struct krb5_keytypes * ktp,krb5_key key,krb5_keyusage usage,const krb5_data * ivec,krb5_crypto_iov * data,size_t num_data)179 krb5int_dk_decrypt(const struct krb5_keytypes *ktp, krb5_key key,
180                    krb5_keyusage usage, const krb5_data *ivec,
181                    krb5_crypto_iov *data, size_t num_data)
182 {
183     const struct krb5_enc_provider *enc = ktp->enc;
184     const struct krb5_hash_provider *hash = ktp->hash;
185     krb5_error_code ret;
186     unsigned char constantdata[K5CLENGTH];
187     krb5_data d1;
188     krb5_crypto_iov *header, *trailer;
189     krb5_key ke = NULL, ki = NULL;
190     size_t i;
191     unsigned int blocksize; /* enc block size, not confounder len */
192     unsigned int hmacsize, cipherlen = 0;
193     unsigned char *cksum = NULL;
194 
195     /* E(Confounder | Plaintext | Pad) | Checksum */
196 
197     blocksize = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_PADDING);
198     hmacsize = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_TRAILER);
199 
200     if (blocksize != 0) {
201         /* Check that the input data is correctly padded. */
202         for (i = 0; i < num_data; i++) {
203             const krb5_crypto_iov *iov = &data[i];
204 
205             if (ENCRYPT_DATA_IOV(iov))
206                 cipherlen += iov->data.length;
207         }
208         if (cipherlen % blocksize != 0)
209             return KRB5_BAD_MSIZE;
210     }
211 
212     /* Validate header and trailer lengths */
213 
214     header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
215     if (header == NULL || header->data.length != enc->block_size)
216         return KRB5_BAD_MSIZE;
217 
218     trailer = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
219     if (trailer == NULL || trailer->data.length != hmacsize)
220         return KRB5_BAD_MSIZE;
221 
222     cksum = k5alloc(hash->hashsize, &ret);
223     if (ret != 0)
224         goto cleanup;
225 
226     /* Derive the keys. */
227 
228     d1.data = (char *)constantdata;
229     d1.length = K5CLENGTH;
230 
231     store_32_be(usage, constantdata);
232 
233     d1.data[4] = 0xAA;
234 
235     ret = krb5int_derive_key(enc, NULL, key, &ke, &d1, DERIVE_RFC3961);
236     if (ret != 0)
237         goto cleanup;
238 
239     d1.data[4] = 0x55;
240 
241     ret = krb5int_derive_key(enc, NULL, key, &ki, &d1, DERIVE_RFC3961);
242     if (ret != 0)
243         goto cleanup;
244 
245     /* Decrypt the plaintext (header | data | padding). */
246     ret = enc->decrypt(ke, ivec, data, num_data);
247     if (ret != 0)
248         goto cleanup;
249 
250     /* Verify the hash. */
251     d1.length = hash->hashsize; /* non-truncated length */
252     d1.data = (char *)cksum;
253 
254     ret = krb5int_hmac(hash, ki, data, num_data, &d1);
255     if (ret != 0)
256         goto cleanup;
257 
258     /* Compare only the possibly truncated length. */
259     if (k5_bcmp(cksum, trailer->data.data, hmacsize) != 0) {
260         ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
261         goto cleanup;
262     }
263 
264 cleanup:
265     krb5_k_free_key(NULL, ke);
266     krb5_k_free_key(NULL, ki);
267     free(cksum);
268     return ret;
269 }
270