MFV 354917, 354918, 354919
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2008 Isilon Inc http://www.isilon.com/
5  * Authors: Doug Rabson <dfr@rabson.org>
6  * Developed with Red Inc: Alfred Perlstein <alfred@freebsd.org>
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27  * SUCH DAMAGE.
28  */
29
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
32
33 #include <sys/param.h>
34 #include <sys/lock.h>
35 #include <sys/malloc.h>
36 #include <sys/mutex.h>
37 #include <sys/kobj.h>
38 #include <sys/mbuf.h>
39 #include <crypto/des/des.h>
40 #include <opencrypto/cryptodev.h>
41
42 #include <kgssapi/gssapi.h>
43 #include <kgssapi/gssapi_impl.h>
44
45 #include "kcrypto.h"
46
/*
 * Provider capability mask for opencrypto sessions: either a hardware or
 * a software driver is acceptable.
 */
#define DES3_FLAGS      (CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE)

/*
 * Per-key private state, stored in krb5_key_state.ks_priv by des3_init()
 * and released by des3_destroy().
 */
struct des3_state {
        /* Held around wakeup() in the completion callback and msleep() in the waiters. */
        struct mtx      ds_lock;
        /* opencrypto session created by des3_set_key(); zero until a key is installed. */
        crypto_session_t ds_session;
};
53
/*
 * Allocate the per-key DES3 state and hang it off ks->ks_priv.
 *
 * The allocation is zero-filled (M_ZERO), so ds_session starts out empty
 * until des3_set_key() creates a session. Each call may also emit the
 * gone_in(13, ...) deprecation notice for this cipher; the notice is
 * throttled through the function-static lastwarn timestamp, which is
 * shared by every key of this class.
 */
static void
des3_init(struct krb5_key_state *ks)
{
        static struct timeval lastwarn;
        struct des3_state *state;

        state = malloc(sizeof(*state), M_GSSAPI, M_WAITOK | M_ZERO);
        mtx_init(&state->ds_lock, "gss des3 lock", NULL, MTX_DEF);
        ks->ks_priv = state;

        /* Stay quiet unless the warning interval has elapsed. */
        if (!ratecheck(&lastwarn, &krb5_warn_interval))
                return;
        gone_in(13, "DES3 cipher for Kerberos GSS");
}
66
/*
 * Tear down the per-key DES3 state: release the opencrypto session if one
 * was created, destroy the mutex, then free the state itself.
 *
 * NOTE(review): ks->ks_priv is not cleared and still holds the freed
 * address on return; presumably the caller discards ks immediately after.
 * The key bytes live in ks->ks_key, not in this state, so scrubbing them
 * is left to whoever owns ks.
 */
static void
des3_destroy(struct krb5_key_state *ks)
{
        struct des3_state *state;

        state = ks->ks_priv;
        if (state->ds_session)
                crypto_freesession(state->ds_session);
        mtx_destroy(&state->ds_lock);
        free(state, M_GSSAPI);
}
77
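/*
 * Install key material and (re)build the opencrypto session for it.
 *
 * ks  - key state; ks->ks_priv must already hold a des3_state.
 * in  - ec_keylen bytes of key material. It may be ks->ks_key itself
 *       (des3_random_to_key() calls it that way), in which case the copy
 *       is skipped.
 *
 * The session chains HMAC-SHA1 and 3DES-CBC descriptors, both keyed with
 * the same 192-bit buffer in ks->ks_key.
 */
static void
des3_set_key(struct krb5_key_state *ks, const void *in)
{
        void *kp = ks->ks_key;
        struct des3_state *ds = ks->ks_priv;
        struct cryptoini cri[2];

        if (kp != in)
                bcopy(in, kp, ks->ks_class->ec_keylen);

        if (ds->ds_session) {
                crypto_freesession(ds->ds_session);
                /*
                 * Forget the released handle right away. If creating the
                 * replacement session below fails, a stale value left here
                 * would be dispatched on again and freed a second time by
                 * des3_destroy().
                 */
                ds->ds_session = NULL;
        }

        bzero(cri, sizeof(cri));

        cri[0].cri_alg = CRYPTO_SHA1_HMAC;
        cri[0].cri_klen = 192;
        cri[0].cri_mlen = 0;
        cri[0].cri_key = ks->ks_key;
        cri[0].cri_next = &cri[1];

        cri[1].cri_alg = CRYPTO_3DES_CBC;
        cri[1].cri_klen = 192;
        cri[1].cri_mlen = 0;
        cri[1].cri_key = ks->ks_key;
        cri[1].cri_next = NULL;

        /*
         * NOTE(review): this method returns void, so a session-creation
         * failure cannot be reported to the caller; ds_session simply
         * stays empty. Later encrypt/checksum calls do not check for that.
         */
        (void)crypto_newsession(&ds->ds_session, cri, DES3_FLAGS);
}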
108
/*
 * Turn 21 bytes of random input into a 24-byte 3DES key in ks->ks_key,
 * then install it through des3_set_key().
 *
 * Each of the three DES subkeys consumes 7 input bytes and produces 8
 * output bytes.
 */
static void
des3_random_to_key(struct krb5_key_state *ks, const void *in)
{
        const uint8_t *src = in;
        uint8_t *dst = ks->ks_key;
        uint8_t last;
        int blk, i;

        for (blk = 0; blk < 3; blk++) {
                /*
                 * Expand 56 bits of random data to 64 bits as follows
                 * (bit number 1 is the MSB of the 56 bits of random
                 * data, p is the parity position):
                 *
                 * expanded =
                 *       1  2  3  4  5  6  7  p
                 *       9 10 11 12 13 14 15  p
                 *      17 18 19 20 21 22 23  p
                 *      25 26 27 28 29 30 31  p
                 *      33 34 35 36 37 38 39  p
                 *      41 42 43 44 45 46 47  p
                 *      49 50 51 52 53 54 55  p
                 *      56 48 40 32 24 16  8  p
                 */
                for (i = 0; i < 7; i++)
                        dst[i] = src[i];

                /*
                 * The eighth byte collects the low bit of each input
                 * byte: byte i lands in bit position i + 1, leaving
                 * bit 0 free for parity.
                 */
                last = 0;
                for (i = 0; i < 7; i++)
                        last |= (src[i] & 1) << (i + 1);
                dst[7] = last;

                des_set_odd_parity(dst);
                /* Perturb the last byte when the subkey is a weak DES key. */
                if (des_is_weak_key(dst))
                        dst[7] ^= 0xf0;

                dst += 8;
                src += 7;
        }

        /* Key is already in place, so des3_set_key() skips its copy. */
        des3_set_key(ks, ks->ks_key);
}
154
/*
 * Completion callback for requests issued by des3_encrypt_1() and
 * des3_checksum(); crp_opaque carries the des3_state.
 *
 * For sessions flagged CRYPTOCAP_F_SYNC nothing is done, because the
 * dispatching thread does not sleep in that case. Otherwise a request
 * that reported EAGAIN is dispatched again, and the sleeping thread is
 * woken, under ds_lock, once the request failed or is marked done.
 * Always returns 0.
 */
static int
des3_crypto_cb(struct cryptop *crp)
{
        struct des3_state *ds = (struct des3_state *) crp->crp_opaque;
        int status;

        if ((crypto_ses2caps(ds->ds_session) & CRYPTOCAP_F_SYNC) != 0)
                return (0);

        status = crp->crp_etype;
        if (status == EAGAIN)
                status = crypto_dispatch(crp);

        /* The waiter tests CRYPTO_F_DONE under the same lock before sleeping. */
        mtx_lock(&ds->ds_lock);
        if (status != 0 || (crp->crp_flags & CRYPTO_F_DONE) != 0)
                wakeup(crp);
        mtx_unlock(&ds->ds_lock);

        return (0);
}
174
/*
 * Run one 3DES-CBC pass in place over an mbuf chain.
 *
 * ks      - key whose ks_priv holds the session to use.
 * inout   - mbuf chain transformed in place.
 * skip    - byte offset of the first byte to process.
 * len     - number of bytes to process.
 * ivec    - 8-byte IV, or NULL for an all-zero IV.
 * encdec  - CRD_F_ENCRYPT to encrypt, 0 to decrypt.
 *
 * Exactly 8 bytes are read from ivec; no length is passed in, so the
 * caller must supply at least that much.
 * NOTE(review): a NULL ivec means a fixed all-zero CBC IV; presumably the
 * caller randomises the first block (confounder) - confirm.
 * NOTE(review): the function returns void, so neither the dispatch/sleep
 * result nor crp_etype reaches the caller; a failed operation leaves the
 * buffer as it was and is indistinguishable from success here.
 */
static void
des3_encrypt_1(const struct krb5_key_state *ks, struct mbuf *inout,
    size_t skip, size_t len, void *ivec, int encdec)
{
        struct des3_state *ds = ks->ks_priv;
        struct cryptodesc *desc;
        struct cryptop *req;
        int rc;

        req = crypto_getreq(1);
        desc = req->crp_desc;

        /* Single descriptor: the cipher over [skip, skip + len). */
        desc->crd_alg = CRYPTO_3DES_CBC;
        desc->crd_next = NULL;
        desc->crd_skip = skip;
        desc->crd_len = len;
        desc->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT | encdec;
        if (ivec == NULL)
                bzero(desc->crd_iv, 8);
        else
                bcopy(ivec, desc->crd_iv, 8);

        req->crp_callback = des3_crypto_cb;
        req->crp_opaque = (void *) ds;
        req->crp_buf = (void *) inout;
        req->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC;
        req->crp_session = ds->ds_session;

        rc = crypto_dispatch(req);

        /* Asynchronous session: sleep until the callback wakes us. */
        if ((crypto_ses2caps(ds->ds_session) & CRYPTOCAP_F_SYNC) == 0) {
                mtx_lock(&ds->ds_lock);
                if (rc == 0 && (req->crp_flags & CRYPTO_F_DONE) == 0)
                        rc = msleep(req, &ds->ds_lock, 0, "gssdes3", 0);
                mtx_unlock(&ds->ds_lock);
        }

        crypto_freereq(req);
}
215
/*
 * Encrypt len bytes of the mbuf chain in place, starting at offset skip.
 *
 * ivlen is not consulted: des3_encrypt_1() always reads 8 bytes from a
 * non-NULL ivec, so the caller must provide at least 8.
 */
static void
des3_encrypt(const struct krb5_key_state *ks, struct mbuf *inout,
    size_t skip, size_t len, void *ivec, size_t ivlen)
{
        const int direction = CRD_F_ENCRYPT;

        des3_encrypt_1(ks, inout, skip, len, ivec, direction);
}
223
/*
 * Decrypt len bytes of the mbuf chain in place, starting at offset skip.
 *
 * ivlen is not consulted: des3_encrypt_1() always reads 8 bytes from a
 * non-NULL ivec, so the caller must provide at least 8.
 */
static void
des3_decrypt(const struct krb5_key_state *ks, struct mbuf *inout,
    size_t skip, size_t len, void *ivec, size_t ivlen)
{
        /* No CRD_F_ENCRYPT flag selects the decrypt direction. */
        const int direction = 0;

        des3_encrypt_1(ks, inout, skip, len, ivec, direction);
}
231
/*
 * Compute HMAC-SHA1 over inlen bytes of the mbuf chain starting at skip
 * and have the digest injected at offset skip + inlen.
 *
 * usage and outlen are not consulted; the output length is fixed at 20
 * bytes via crp_olen.
 * NOTE(review): the caller presumably guarantees the chain has room for
 * the digest at skip + inlen - confirm.
 * NOTE(review): the function returns void, so a failed request is not
 * reported and the digest area is left as the caller prepared it.
 */
static void
des3_checksum(const struct krb5_key_state *ks, int usage,
    struct mbuf *inout, size_t skip, size_t inlen, size_t outlen)
{
        struct des3_state *ds = ks->ks_priv;
        struct cryptodesc *desc;
        struct cryptop *req;
        int rc;

        req = crypto_getreq(1);
        desc = req->crp_desc;

        /* Single descriptor: MAC over [skip, skip + inlen), result right after. */
        desc->crd_alg = CRYPTO_SHA1_HMAC;
        desc->crd_next = NULL;
        desc->crd_flags = 0;
        desc->crd_skip = skip;
        desc->crd_len = inlen;
        desc->crd_inject = skip + inlen;

        req->crp_callback = des3_crypto_cb;
        req->crp_opaque = (void *) ds;
        req->crp_buf = (void *) inout;
        req->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC;
        req->crp_etype = 0;
        req->crp_olen = 20;
        req->crp_ilen = inlen;
        req->crp_session = ds->ds_session;

        rc = crypto_dispatch(req);

        /* Asynchronous session: sleep until the callback wakes us. */
        if ((crypto_ses2caps(ds->ds_session) & CRYPTOCAP_F_SYNC) == 0) {
                mtx_lock(&ds->ds_lock);
                if (rc == 0 && (req->crp_flags & CRYPTO_F_DONE) == 0)
                        rc = msleep(req, &ds->ds_lock, 0, "gssdes3", 0);
                mtx_unlock(&ds->ds_lock);
        }

        crypto_freereq(req);
}
271
/*
 * Method table for the des3-cbc-sha1 encryption type: 8-byte cipher
 * blocks, 20-byte checksums, 168 key bits stored in 24 bytes.
 * The initialiser is positional, so entries must stay in the order of the
 * members of struct krb5_encryption_class (declared outside this file).
 */
struct krb5_encryption_class krb5_des3_encryption_class = {
        "des3-cbc-sha1",        /* name */
        ETYPE_DES3_CBC_SHA1,    /* etype */
        EC_DERIVED_KEYS,        /* flags */
        8,                      /* blocklen */
        8,                      /* msgblocklen */
        20,                     /* checksumlen */
        168,                    /* keybits */
        24,                     /* keylen */
        des3_init,              /* allocate per-key state */
        des3_destroy,           /* release per-key state */
        des3_set_key,           /* install key, build session */
        des3_random_to_key,     /* 21 random bytes -> 24-byte key */
        des3_encrypt,           /* 3DES-CBC encrypt in place */
        des3_decrypt,           /* 3DES-CBC decrypt in place */
        des3_checksum           /* HMAC-SHA1 over an mbuf range */
};
289
290 #if 0
/* One key-derivation test vector for the disabled self-test below. */
struct des3_dk_test {
        uint8_t key[24];        /* base key passed to krb5_set_key() */
        uint8_t usage[8];       /* derivation constant; first usagelen bytes are used */
        size_t usagelen;        /* number of valid bytes in usage[] */
        uint8_t dk[24];         /* expected derived key */
};
/*
 * Key-derivation vectors: { base key, usage constant, usage length,
 * expected derived key }.
 * NOTE(review): these look like the published DES3 derive-key test
 * vectors for Kerberos - confirm against the specification before
 * relying on them.
 */
struct des3_dk_test tests[] = {
        {{0xdc, 0xe0, 0x6b, 0x1f, 0x64, 0xc8, 0x57, 0xa1, 0x1c, 0x3d, 0xb5,
          0x7c, 0x51, 0x89, 0x9b, 0x2c, 0xc1, 0x79, 0x10, 0x08, 0xce, 0x97,
          0x3b, 0x92},
         {0x00, 0x00, 0x00, 0x01, 0x55}, 5,
         {0x92, 0x51, 0x79, 0xd0, 0x45, 0x91, 0xa7, 0x9b, 0x5d, 0x31, 0x92,
          0xc4, 0xa7, 0xe9, 0xc2, 0x89, 0xb0, 0x49, 0xc7, 0x1f, 0x6e, 0xe6,
          0x04, 0xcd}},

        {{0x5e, 0x13, 0xd3, 0x1c, 0x70, 0xef, 0x76, 0x57, 0x46, 0x57, 0x85,
          0x31, 0xcb, 0x51, 0xc1, 0x5b, 0xf1, 0x1c, 0xa8, 0x2c, 0x97, 0xce,
          0xe9, 0xf2},
         {0x00, 0x00, 0x00, 0x01, 0xaa}, 5,
         {0x9e, 0x58, 0xe5, 0xa1, 0x46, 0xd9, 0x94, 0x2a, 0x10, 0x1c, 0x46,
          0x98, 0x45, 0xd6, 0x7a, 0x20, 0xe3, 0xc4, 0x25, 0x9e, 0xd9, 0x13,
          0xf2, 0x07}},

        {{0x98, 0xe6, 0xfd, 0x8a, 0x04, 0xa4, 0xb6, 0x85, 0x9b, 0x75, 0xa1,
          0x76, 0x54, 0x0b, 0x97, 0x52, 0xba, 0xd3, 0xec, 0xd6, 0x10, 0xa2,
          0x52, 0xbc},
         {0x00, 0x00, 0x00, 0x01, 0x55}, 5,
         {0x13, 0xfe, 0xf8, 0x0d, 0x76, 0x3e, 0x94, 0xec, 0x6d, 0x13, 0xfd,
          0x2c, 0xa1, 0xd0, 0x85, 0x07, 0x02, 0x49, 0xda, 0xd3, 0x98, 0x08,
          0xea, 0xbf}},

        {{0x62, 0x2a, 0xec, 0x25, 0xa2, 0xfe, 0x2c, 0xad, 0x70, 0x94, 0x68,
          0x0b, 0x7c, 0x64, 0x94, 0x02, 0x80, 0x08, 0x4c, 0x1a, 0x7c, 0xec,
          0x92, 0xb5},
         {0x00, 0x00, 0x00, 0x01, 0xaa}, 5,
         {0xf8, 0xdf, 0xbf, 0x04, 0xb0, 0x97, 0xe6, 0xd9, 0xdc, 0x07, 0x02,
          0x68, 0x6b, 0xcb, 0x34, 0x89, 0xd9, 0x1f, 0xd9, 0xa4, 0x51, 0x6b,
          0x70, 0x3e}},

        {{0xd3, 0xf8, 0x29, 0x8c, 0xcb, 0x16, 0x64, 0x38, 0xdc, 0xb9, 0xb9,
          0x3e, 0xe5, 0xa7, 0x62, 0x92, 0x86, 0xa4, 0x91, 0xf8, 0x38, 0xf8,
          0x02, 0xfb},
         {0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73}, 8,
         {0x23, 0x70, 0xda, 0x57, 0x5d, 0x2a, 0x3d, 0xa8, 0x64, 0xce, 0xbf,
          0xdc, 0x52, 0x04, 0xd5, 0x6d, 0xf7, 0x79, 0xa7, 0xdf, 0x43, 0xd9,
          0xda, 0x43}},

        {{0xc1, 0x08, 0x16, 0x49, 0xad, 0xa7, 0x43, 0x62, 0xe6, 0xa1, 0x45,
          0x9d, 0x01, 0xdf, 0xd3, 0x0d, 0x67, 0xc2, 0x23, 0x4c, 0x94, 0x07,
          0x04, 0xda},
         {0x00, 0x00, 0x00, 0x01, 0x55}, 5,
         {0x34, 0x80, 0x57, 0xec, 0x98, 0xfd, 0xc4, 0x80, 0x16, 0x16, 0x1c,
          0x2a, 0x4c, 0x7a, 0x94, 0x3e, 0x92, 0xae, 0x49, 0x2c, 0x98, 0x91,
          0x75, 0xf7}},

        {{0x5d, 0x15, 0x4a, 0xf2, 0x38, 0xf4, 0x67, 0x13, 0x15, 0x57, 0x19,
          0xd5, 0x5e, 0x2f, 0x1f, 0x79, 0x0d, 0xd6, 0x61, 0xf2, 0x79, 0xa7,
          0x91, 0x7c},
         {0x00, 0x00, 0x00, 0x01, 0xaa}, 5,
         {0xa8, 0x80, 0x8a, 0xc2, 0x67, 0xda, 0xda, 0x3d, 0xcb, 0xe9, 0xa7,
          0xc8, 0x46, 0x26, 0xfb, 0xc7, 0x61, 0xc2, 0x94, 0xb0, 0x13, 0x15,
          0xe5, 0xc1}},

        {{0x79, 0x85, 0x62, 0xe0, 0x49, 0x85, 0x2f, 0x57, 0xdc, 0x8c, 0x34,
          0x3b, 0xa1, 0x7f, 0x2c, 0xa1, 0xd9, 0x73, 0x94, 0xef, 0xc8, 0xad,
          0xc4, 0x43},
         {0x00, 0x00, 0x00, 0x01, 0x55}, 5,
         {0xc8, 0x13, 0xf8, 0x8a, 0x3b, 0xe3, 0xb3, 0x34, 0xf7, 0x54, 0x25,
          0xce, 0x91, 0x75, 0xfb, 0xe3, 0xc8, 0x49, 0x3b, 0x89, 0xc8, 0x70,
          0x3b, 0x49}},

        {{0x26, 0xdc, 0xe3, 0x34, 0xb5, 0x45, 0x29, 0x2f, 0x2f, 0xea, 0xb9,
          0xa8, 0x70, 0x1a, 0x89, 0xa4, 0xb9, 0x9e, 0xb9, 0x94, 0x2c, 0xec,
          0xd0, 0x16},
         {0x00, 0x00, 0x00, 0x01, 0xaa}, 5,
         {0xf4, 0x8f, 0xfd, 0x6e, 0x83, 0xf8, 0x3e, 0x73, 0x54, 0xe6, 0x94,
          0xfd, 0x25, 0x2c, 0xf8, 0x3b, 0xfe, 0x58, 0xf7, 0xd5, 0xba, 0x37,
          0xec, 0x5d}},
};
/* Number of entries in tests[]. */
#define N_TESTS         (sizeof(tests) / sizeof(tests[0]))
371
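/*
 * Disabled (#if 0) self-test: derive a key from every entry in tests[]
 * and print a hex dump of any derived key that differs from the expected
 * value.
 *
 * The encryption class is referenced by the name this file actually
 * defines, krb5_des3_encryption_class, and the loop counters are size_t
 * because they are compared against N_TESTS and usagelen.
 *
 * NOTE(review): the exit status is 0 even when a vector mismatches; the
 * printed report is the only failure signal.
 */
int
main(int argc, char **argv)
{
        struct krb5_key_state *key, *dk;
        uint8_t *dkp;
        size_t j, i;

        for (j = 0; j < N_TESTS; j++) {
                struct des3_dk_test *t = &tests[j];
                key = krb5_create_key(&krb5_des3_encryption_class);
                krb5_set_key(key, t->key);
                dk = krb5_derive_key(key, t->usage, t->usagelen);
                /* The base key is no longer needed once dk exists. */
                krb5_free_key(key);
                if (memcmp(dk->ks_key, t->dk, 24)) {
                        printf("DES3 dk(");
                        for (i = 0; i < 24; i++)
                                printf("%02x", t->key[i]);
                        printf(", ");
                        for (i = 0; i < t->usagelen; i++)
                                printf("%02x", t->usage[i]);
                        printf(") failed\n");
                        printf("should be: ");
                        for (i = 0; i < 24; i++)
                                printf("%02x", t->dk[i]);
                        printf("\n result was: ");
                        dkp = dk->ks_key;
                        for (i = 0; i < 24; i++)
                                printf("%02x", dkp[i]);
                        printf("\n");
                }
                krb5_free_key(dk);
        }

        return (0);
}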
407 #endif