xref: /linux/net/sunrpc/auth_gss/gss_krb5_keys.c (revision 0d456bad36d42d16022be045c8a53ddbb59ee478)
1 /*
2  * COPYRIGHT (c) 2008
3  * The Regents of the University of Michigan
4  * ALL RIGHTS RESERVED
5  *
6  * Permission is granted to use, copy, create derivative works
7  * and redistribute this software and such derivative works
8  * for any purpose, so long as the name of The University of
9  * Michigan is not used in any advertising or publicity
10  * pertaining to the use of distribution of this software
11  * without specific, written prior authorization.  If the
12  * above copyright notice or any other identification of the
13  * University of Michigan is included in any copy of any
14  * portion of this software, then the disclaimer below must
15  * also be included.
16  *
17  * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
18  * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
19  * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
20  * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
21  * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
22  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
23  * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
24  * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
25  * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
26  * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
27  * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
28  * SUCH DAMAGES.
29  */
30 
31 /*
32  * Copyright (C) 1998 by the FundsXpress, INC.
33  *
34  * All rights reserved.
35  *
36  * Export of this software from the United States of America may require
37  * a specific license from the United States Government.  It is the
38  * responsibility of any person or organization contemplating export to
39  * obtain such a license before exporting.
40  *
41  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
42  * distribute this software and its documentation for any purpose and
43  * without fee is hereby granted, provided that the above copyright
44  * notice appear in all copies and that both that copyright notice and
45  * this permission notice appear in supporting documentation, and that
46  * the name of FundsXpress. not be used in advertising or publicity pertaining
47  * to distribution of the software without specific, written prior
48  * permission.  FundsXpress makes no representations about the suitability of
49  * this software for any purpose.  It is provided "as is" without express
50  * or implied warranty.
51  *
52  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
53  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
54  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
55  */
56 
57 #include <linux/err.h>
58 #include <linux/types.h>
59 #include <linux/crypto.h>
60 #include <linux/sunrpc/gss_krb5.h>
61 #include <linux/sunrpc/xdr.h>
62 
63 #ifdef RPC_DEBUG
64 # define RPCDBG_FACILITY        RPCDBG_AUTH
65 #endif
66 
67 /*
68  * This is the n-fold function as described in rfc3961, sec 5.1
69  * Taken from MIT Kerberos and modified.
70  */
71 
72 static void krb5_nfold(u32 inbits, const u8 *in,
73 		       u32 outbits, u8 *out)
74 {
75 	int a, b, c, lcm;
76 	int byte, i, msbit;
77 
78 	/* the code below is more readable if I make these bytes
79 	   instead of bits */
80 
81 	inbits >>= 3;
82 	outbits >>= 3;
83 
84 	/* first compute lcm(n,k) */
85 
86 	a = outbits;
87 	b = inbits;
88 
89 	while (b != 0) {
90 		c = b;
91 		b = a%b;
92 		a = c;
93 	}
94 
95 	lcm = outbits*inbits/a;
96 
97 	/* now do the real work */
98 
99 	memset(out, 0, outbits);
100 	byte = 0;
101 
102 	/* this will end up cycling through k lcm(k,n)/k times, which
103 	   is correct */
104 	for (i = lcm-1; i >= 0; i--) {
105 		/* compute the msbit in k which gets added into this byte */
106 		msbit = (
107 			/* first, start with the msbit in the first,
108 			 * unrotated byte */
109 			 ((inbits << 3) - 1)
110 			 /* then, for each byte, shift to the right
111 			  * for each repetition */
112 			 + (((inbits << 3) + 13) * (i/inbits))
113 			 /* last, pick out the correct byte within
114 			  * that shifted repetition */
115 			 + ((inbits - (i % inbits)) << 3)
116 			 ) % (inbits << 3);
117 
118 		/* pull out the byte value itself */
119 		byte += (((in[((inbits - 1) - (msbit >> 3)) % inbits] << 8)|
120 				  (in[((inbits) - (msbit >> 3)) % inbits]))
121 				 >> ((msbit & 7) + 1)) & 0xff;
122 
123 		/* do the addition */
124 		byte += out[i % outbits];
125 		out[i % outbits] = byte & 0xff;
126 
127 		/* keep around the carry bit, if any */
128 		byte >>= 8;
129 
130 	}
131 
132 	/* if there's a carry bit left over, add it back in */
133 	if (byte) {
134 		for (i = outbits - 1; i >= 0; i--) {
135 			/* do the addition */
136 			byte += out[i];
137 			out[i] = byte & 0xff;
138 
139 			/* keep around the carry bit, if any */
140 			byte >>= 8;
141 		}
142 	}
143 }
144 
145 /*
146  * This is the DK (derive_key) function as described in rfc3961, sec 5.1
147  * Taken from MIT Kerberos and modified.
148  */
149 
150 u32 krb5_derive_key(const struct gss_krb5_enctype *gk5e,
151 		    const struct xdr_netobj *inkey,
152 		    struct xdr_netobj *outkey,
153 		    const struct xdr_netobj *in_constant,
154 		    gfp_t gfp_mask)
155 {
156 	size_t blocksize, keybytes, keylength, n;
157 	unsigned char *inblockdata, *outblockdata, *rawkey;
158 	struct xdr_netobj inblock, outblock;
159 	struct crypto_blkcipher *cipher;
160 	u32 ret = EINVAL;
161 
162 	blocksize = gk5e->blocksize;
163 	keybytes = gk5e->keybytes;
164 	keylength = gk5e->keylength;
165 
166 	if ((inkey->len != keylength) || (outkey->len != keylength))
167 		goto err_return;
168 
169 	cipher = crypto_alloc_blkcipher(gk5e->encrypt_name, 0,
170 					CRYPTO_ALG_ASYNC);
171 	if (IS_ERR(cipher))
172 		goto err_return;
173 	if (crypto_blkcipher_setkey(cipher, inkey->data, inkey->len))
174 		goto err_return;
175 
176 	/* allocate and set up buffers */
177 
178 	ret = ENOMEM;
179 	inblockdata = kmalloc(blocksize, gfp_mask);
180 	if (inblockdata == NULL)
181 		goto err_free_cipher;
182 
183 	outblockdata = kmalloc(blocksize, gfp_mask);
184 	if (outblockdata == NULL)
185 		goto err_free_in;
186 
187 	rawkey = kmalloc(keybytes, gfp_mask);
188 	if (rawkey == NULL)
189 		goto err_free_out;
190 
191 	inblock.data = (char *) inblockdata;
192 	inblock.len = blocksize;
193 
194 	outblock.data = (char *) outblockdata;
195 	outblock.len = blocksize;
196 
197 	/* initialize the input block */
198 
199 	if (in_constant->len == inblock.len) {
200 		memcpy(inblock.data, in_constant->data, inblock.len);
201 	} else {
202 		krb5_nfold(in_constant->len * 8, in_constant->data,
203 			   inblock.len * 8, inblock.data);
204 	}
205 
206 	/* loop encrypting the blocks until enough key bytes are generated */
207 
208 	n = 0;
209 	while (n < keybytes) {
210 		(*(gk5e->encrypt))(cipher, NULL, inblock.data,
211 				   outblock.data, inblock.len);
212 
213 		if ((keybytes - n) <= outblock.len) {
214 			memcpy(rawkey + n, outblock.data, (keybytes - n));
215 			break;
216 		}
217 
218 		memcpy(rawkey + n, outblock.data, outblock.len);
219 		memcpy(inblock.data, outblock.data, outblock.len);
220 		n += outblock.len;
221 	}
222 
223 	/* postprocess the key */
224 
225 	inblock.data = (char *) rawkey;
226 	inblock.len = keybytes;
227 
228 	BUG_ON(gk5e->mk_key == NULL);
229 	ret = (*(gk5e->mk_key))(gk5e, &inblock, outkey);
230 	if (ret) {
231 		dprintk("%s: got %d from mk_key function for '%s'\n",
232 			__func__, ret, gk5e->encrypt_name);
233 		goto err_free_raw;
234 	}
235 
236 	/* clean memory, free resources and exit */
237 
238 	ret = 0;
239 
240 err_free_raw:
241 	memset(rawkey, 0, keybytes);
242 	kfree(rawkey);
243 err_free_out:
244 	memset(outblockdata, 0, blocksize);
245 	kfree(outblockdata);
246 err_free_in:
247 	memset(inblockdata, 0, blocksize);
248 	kfree(inblockdata);
249 err_free_cipher:
250 	crypto_free_blkcipher(cipher);
251 err_return:
252 	return ret;
253 }
254 
255 #define smask(step) ((1<<step)-1)
256 #define pstep(x, step) (((x)&smask(step))^(((x)>>step)&smask(step)))
257 #define parity_char(x) pstep(pstep(pstep((x), 4), 2), 1)
258 
259 static void mit_des_fixup_key_parity(u8 key[8])
260 {
261 	int i;
262 	for (i = 0; i < 8; i++) {
263 		key[i] &= 0xfe;
264 		key[i] |= 1^parity_char(key[i]);
265 	}
266 }
267 
268 /*
269  * This is the des3 key derivation postprocess function
270  */
271 u32 gss_krb5_des3_make_key(const struct gss_krb5_enctype *gk5e,
272 			   struct xdr_netobj *randombits,
273 			   struct xdr_netobj *key)
274 {
275 	int i;
276 	u32 ret = EINVAL;
277 
278 	if (key->len != 24) {
279 		dprintk("%s: key->len is %d\n", __func__, key->len);
280 		goto err_out;
281 	}
282 	if (randombits->len != 21) {
283 		dprintk("%s: randombits->len is %d\n",
284 			__func__, randombits->len);
285 		goto err_out;
286 	}
287 
288 	/* take the seven bytes, move them around into the top 7 bits of the
289 	   8 key bytes, then compute the parity bits.  Do this three times. */
290 
291 	for (i = 0; i < 3; i++) {
292 		memcpy(key->data + i*8, randombits->data + i*7, 7);
293 		key->data[i*8+7] = (((key->data[i*8]&1)<<1) |
294 				    ((key->data[i*8+1]&1)<<2) |
295 				    ((key->data[i*8+2]&1)<<3) |
296 				    ((key->data[i*8+3]&1)<<4) |
297 				    ((key->data[i*8+4]&1)<<5) |
298 				    ((key->data[i*8+5]&1)<<6) |
299 				    ((key->data[i*8+6]&1)<<7));
300 
301 		mit_des_fixup_key_parity(key->data + i*8);
302 	}
303 	ret = 0;
304 err_out:
305 	return ret;
306 }
307 
308 /*
309  * This is the aes key derivation postprocess function
310  */
311 u32 gss_krb5_aes_make_key(const struct gss_krb5_enctype *gk5e,
312 			  struct xdr_netobj *randombits,
313 			  struct xdr_netobj *key)
314 {
315 	u32 ret = EINVAL;
316 
317 	if (key->len != 16 && key->len != 32) {
318 		dprintk("%s: key->len is %d\n", __func__, key->len);
319 		goto err_out;
320 	}
321 	if (randombits->len != 16 && randombits->len != 32) {
322 		dprintk("%s: randombits->len is %d\n",
323 			__func__, randombits->len);
324 		goto err_out;
325 	}
326 	if (randombits->len != key->len) {
327 		dprintk("%s: randombits->len is %d, key->len is %d\n",
328 			__func__, randombits->len, key->len);
329 		goto err_out;
330 	}
331 	memcpy(key->data, randombits->data, key->len);
332 	ret = 0;
333 err_out:
334 	return ret;
335 }
336 
337