linux/net/sunrpc/auth_gss/gss_krb5_keys.c

/*
 * COPYRIGHT (c) 2008
 * The Regents of the University of Michigan
 * ALL RIGHTS RESERVED
 *
 * Permission is granted to use, copy, create derivative works
 * and redistribute this software and such derivative works
 * for any purpose, so long as the name of The University of
 * Michigan is not used in any advertising or publicity
 * pertaining to the use of distribution of this software
 * without specific, written prior authorization.  If the
 * above copyright notice or any other identification of the
 * University of Michigan is included in any copy of any
 * portion of this software, then the disclaimer below must
 * also be included.
 *
 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGES.
 */

/*
 * Copyright (C) 1998 by the FundsXpress, INC.
 *
 * All rights reserved.
 *
 * Export of this software from the United States of America may require
 * a specific license from the United States Government.  It is the
 * responsibility of any person or organization contemplating export to
 * obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of FundsXpress. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission.  FundsXpress makes no representations about the suitability of
 * this software for any purpose.  It is provided "as is" without express
 * or implied warranty.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 */

#include <crypto/skcipher.h>
#include <linux/err.h>
#include <linux/types.h>
#include <linux/sunrpc/gss_krb5.h>
#include <linux/sunrpc/xdr.h>
#include <linux/lcm.h>
#include <crypto/hash.h>
#include <kunit/visibility.h>

#include "gss_krb5_internal.h"

#if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
# define RPCDBG_FACILITY        RPCDBG_AUTH
#endif

/**
 * krb5_nfold - n-fold function
 * @inbits: number of bits in @in
 * @in: buffer containing input to fold
 * @outbits: number of bits in the output buffer
 * @out: buffer to hold the result
 *
 * This is the n-fold function as described in rfc3961, sec 5.1
 * Taken from MIT Kerberos and modified.
 */
VISIBLE_IF_KUNIT
void krb5_nfold(u32 inbits, const u8 *in, u32 outbits, u8 *out)
{
	unsigned long ulcm;
	int byte, i, msbit;

	/* the code below is more readable if I make these bytes
	   instead of bits */

	inbits >>= 3;
	outbits >>= 3;

	/* first compute lcm(n,k) */
	ulcm = lcm(inbits, outbits);

	/* now do the real work */

	memset(out, 0, outbits);
	byte = 0;

	/* this will end up cycling through k lcm(k,n)/k times, which
	   is correct */
	for (i = ulcm-1; i >= 0; i--) {
		/* compute the msbit in k which gets added into this byte */
		msbit = (
			/* first, start with the msbit in the first,
			 * unrotated byte */
			 ((inbits << 3) - 1)
			 /* then, for each byte, shift to the right
			  * for each repetition */
			 + (((inbits << 3) + 13) * (i/inbits))
			 /* last, pick out the correct byte within
			  * that shifted repetition */
			 + ((inbits - (i % inbits)) << 3)
			 ) % (inbits << 3);

		/* pull out the byte value itself */
		byte += (((in[((inbits - 1) - (msbit >> 3)) % inbits] << 8)|
				  (in[((inbits) - (msbit >> 3)) % inbits]))
				 >> ((msbit & 7) + 1)) & 0xff;

		/* do the addition */
		byte += out[i % outbits];
		out[i % outbits] = byte & 0xff;

		/* keep around the carry bit, if any */
		byte >>= 8;

	}

	/* if there's a carry bit left over, add it back in */
	if (byte) {
		for (i = outbits - 1; i >= 0; i--) {
			/* do the addition */
			byte += out[i];
			out[i] = byte & 0xff;

			/* keep around the carry bit, if any */
			byte >>= 8;
		}
	}
}
EXPORT_SYMBOL_IF_KUNIT(krb5_nfold);

/*
 * This is the DK (derive_key) function as described in rfc3961, sec 5.1
 * Taken from MIT Kerberos and modified.
 */
static int krb5_DK(const struct gss_krb5_enctype *gk5e,
		   const struct xdr_netobj *inkey, u8 *rawkey,
		   const struct xdr_netobj *in_constant, gfp_t gfp_mask)
{
	size_t blocksize, keybytes, keylength, n;
	unsigned char *inblockdata, *outblockdata;
	struct xdr_netobj inblock, outblock;
	struct crypto_sync_skcipher *cipher;
	int ret = -EINVAL;

	keybytes = gk5e->keybytes;
	keylength = gk5e->keylength;

	if (inkey->len != keylength)
		goto err_return;

	cipher = crypto_alloc_sync_skcipher(gk5e->encrypt_name, 0, 0);
	if (IS_ERR(cipher))
		goto err_return;
	blocksize = crypto_sync_skcipher_blocksize(cipher);
	if (crypto_sync_skcipher_setkey(cipher, inkey->data, inkey->len))
		goto err_free_cipher;

	ret = -ENOMEM;
	inblockdata = kmalloc(blocksize, gfp_mask);
	if (inblockdata == NULL)
		goto err_free_cipher;

	outblockdata = kmalloc(blocksize, gfp_mask);
	if (outblockdata == NULL)
		goto err_free_in;

	inblock.data = (char *) inblockdata;
	inblock.len = blocksize;

	outblock.data = (char *) outblockdata;
	outblock.len = blocksize;

	/* initialize the input block */

	if (in_constant->len == inblock.len) {
		memcpy(inblock.data, in_constant->data, inblock.len);
	} else {
		krb5_nfold(in_constant->len * 8, in_constant->data,
			   inblock.len * 8, inblock.data);
	}

	/* loop encrypting the blocks until enough key bytes are generated */

	n = 0;
	while (n < keybytes) {
		krb5_encrypt(cipher, NULL, inblock.data, outblock.data,
			     inblock.len);

		if ((keybytes - n) <= outblock.len) {
			memcpy(rawkey + n, outblock.data, (keybytes - n));
			break;
		}

		memcpy(rawkey + n, outblock.data, outblock.len);
		memcpy(inblock.data, outblock.data, outblock.len);
		n += outblock.len;
	}

	ret = 0;

	kfree_sensitive(outblockdata);
err_free_in:
	kfree_sensitive(inblockdata);
err_free_cipher:
	crypto_free_sync_skcipher(cipher);
err_return:
	return ret;
}

/*
 * This is the identity function, with some sanity checking.
 */
static int krb5_random_to_key_v2(const struct gss_krb5_enctype *gk5e,
				 struct xdr_netobj *randombits,
				 struct xdr_netobj *key)
{
	int ret = -EINVAL;

	if (key->len != 16 && key->len != 32) {
		dprintk("%s: key->len is %d\n", __func__, key->len);
		goto err_out;
	}
	if (randombits->len != 16 && randombits->len != 32) {
		dprintk("%s: randombits->len is %d\n",
			__func__, randombits->len);
		goto err_out;
	}
	if (randombits->len != key->len) {
		dprintk("%s: randombits->len is %d, key->len is %d\n",
			__func__, randombits->len, key->len);
		goto err_out;
	}
	memcpy(key->data, randombits->data, key->len);
	ret = 0;
err_out:
	return ret;
}

/**
 * krb5_derive_key_v2 - Derive a subkey for an RFC 3962 enctype
 * @gk5e: Kerberos 5 enctype profile
 * @inkey: base protocol key
 * @outkey: OUT: derived key
 * @label: subkey usage label
 * @gfp_mask: memory allocation control flags
 *
 * Caller sets @outkey->len to the desired length of the derived key.
 *
 * On success, returns 0 and fills in @outkey. A negative errno value
 * is returned on failure.
 */
int krb5_derive_key_v2(const struct gss_krb5_enctype *gk5e,
		       const struct xdr_netobj *inkey,
		       struct xdr_netobj *outkey,
		       const struct xdr_netobj *label,
		       gfp_t gfp_mask)
{
	struct xdr_netobj inblock;
	int ret;

	inblock.len = gk5e->keybytes;
	inblock.data = kmalloc(inblock.len, gfp_mask);
	if (!inblock.data)
		return -ENOMEM;

	ret = krb5_DK(gk5e, inkey, inblock.data, label, gfp_mask);
	if (!ret)
		ret = krb5_random_to_key_v2(gk5e, &inblock, outkey);

	kfree_sensitive(inblock.data);
	return ret;
}

/*
 * K(i) = CMAC(key, K(i-1) | i | constant | 0x00 | k)
 *
 *    i: A block counter is used with a length of 4 bytes, represented
 *       in big-endian order.
 *
 *    constant: The label input to the KDF is the usage constant supplied
 *              to the key derivation function
 *
 *    k: The length of the output key in bits, represented as a 4-byte
 *       string in big-endian order.
 *
 * Caller fills in K(i-1) in @step, and receives the result K(i)
 * in the same buffer.
 */
static int
krb5_cmac_Ki(struct crypto_shash *tfm, const struct xdr_netobj *constant,
	     u32 outlen, u32 count, struct xdr_netobj *step)
{
	__be32 k = cpu_to_be32(outlen * 8);
	SHASH_DESC_ON_STACK(desc, tfm);
	__be32 i = cpu_to_be32(count);
	u8 zero = 0;
	int ret;

	desc->tfm = tfm;
	ret = crypto_shash_init(desc);
	if (ret)
		goto out_err;

	ret = crypto_shash_update(desc, step->data, step->len);
	if (ret)
		goto out_err;
	ret = crypto_shash_update(desc, (u8 *)&i, sizeof(i));
	if (ret)
		goto out_err;
	ret = crypto_shash_update(desc, constant->data, constant->len);
	if (ret)
		goto out_err;
	ret = crypto_shash_update(desc, &zero, sizeof(zero));
	if (ret)
		goto out_err;
	ret = crypto_shash_update(desc, (u8 *)&k, sizeof(k));
	if (ret)
		goto out_err;
	ret = crypto_shash_final(desc, step->data);
	if (ret)
		goto out_err;

out_err:
	shash_desc_zero(desc);
	return ret;
}

/**
 * krb5_kdf_feedback_cmac - Derive a subkey for a Camellia/CMAC-based enctype
 * @gk5e: Kerberos 5 enctype parameters
 * @inkey: base protocol key
 * @outkey: OUT: derived key
 * @constant: subkey usage label
 * @gfp_mask: memory allocation control flags
 *
 * RFC 6803 Section 3:
 *
 * "We use a key derivation function from the family specified in
 *  [SP800-108], Section 5.2, 'KDF in Feedback Mode'."
 *
 *	n = ceiling(k / 128)
 *	K(0) = zeros
 *	K(i) = CMAC(key, K(i-1) | i | constant | 0x00 | k)
 *	DR(key, constant) = k-truncate(K(1) | K(2) | ... | K(n))
 *	KDF-FEEDBACK-CMAC(key, constant) = random-to-key(DR(key, constant))
 *
 * Caller sets @outkey->len to the desired length of the derived key (k).
 *
 * On success, returns 0 and fills in @outkey. A negative errno value
 * is returned on failure.
 */
int
krb5_kdf_feedback_cmac(const struct gss_krb5_enctype *gk5e,
		       const struct xdr_netobj *inkey,
		       struct xdr_netobj *outkey,
		       const struct xdr_netobj *constant,
		       gfp_t gfp_mask)
{
	struct xdr_netobj step = { .data = NULL };
	struct xdr_netobj DR = { .data = NULL };
	unsigned int blocksize, offset;
	struct crypto_shash *tfm;
	int n, count, ret;

	/*
	 * This implementation assumes the CMAC used for an enctype's
	 * key derivation is the same as the CMAC used for its
	 * checksumming. This happens to be true for enctypes that
	 * are currently supported by this implementation.
	 */
	tfm = crypto_alloc_shash(gk5e->cksum_name, 0, 0);
	if (IS_ERR(tfm)) {
		ret = PTR_ERR(tfm);
		goto out;
	}
	ret = crypto_shash_setkey(tfm, inkey->data, inkey->len);
	if (ret)
		goto out_free_tfm;

	blocksize = crypto_shash_digestsize(tfm);
	n = (outkey->len + blocksize - 1) / blocksize;

	/* K(0) is all zeroes */
	ret = -ENOMEM;
	step.len = blocksize;
	step.data = kzalloc(step.len, gfp_mask);
	if (!step.data)
		goto out_free_tfm;

	DR.len = blocksize * n;
	DR.data = kmalloc(DR.len, gfp_mask);
	if (!DR.data)
		goto out_free_tfm;

	/* XXX: Does not handle partial-block key sizes */
	for (offset = 0, count = 1; count <= n; count++) {
		ret = krb5_cmac_Ki(tfm, constant, outkey->len, count, &step);
		if (ret)
			goto out_free_tfm;

		memcpy(DR.data + offset, step.data, blocksize);
		offset += blocksize;
	}

	/* k-truncate and random-to-key */
	memcpy(outkey->data, DR.data, outkey->len);
	ret = 0;

out_free_tfm:
	crypto_free_shash(tfm);
out:
	kfree_sensitive(step.data);
	kfree_sensitive(DR.data);
	return ret;
}

/*
 * K1 = HMAC-SHA(key, 0x00000001 | label | 0x00 | k)
 *
 *    key: The source of entropy from which subsequent keys are derived.
 *
 *    label: An octet string describing the intended usage of the
 *    derived key.
 *
 *    k: Length in bits of the key to be outputted, expressed in
 *    big-endian binary representation in 4 bytes.
 */
static int
krb5_hmac_K1(struct crypto_shash *tfm, const struct xdr_netobj *label,
	     u32 outlen, struct xdr_netobj *K1)
{
	__be32 k = cpu_to_be32(outlen * 8);
	SHASH_DESC_ON_STACK(desc, tfm);
	__be32 one = cpu_to_be32(1);
	u8 zero = 0;
	int ret;

	desc->tfm = tfm;
	ret = crypto_shash_init(desc);
	if (ret)
		goto out_err;
	ret = crypto_shash_update(desc, (u8 *)&one, sizeof(one));
	if (ret)
		goto out_err;
	ret = crypto_shash_update(desc, label->data, label->len);
	if (ret)
		goto out_err;
	ret = crypto_shash_update(desc, &zero, sizeof(zero));
	if (ret)
		goto out_err;
	ret = crypto_shash_update(desc, (u8 *)&k, sizeof(k));
	if (ret)
		goto out_err;
	ret = crypto_shash_final(desc, K1->data);
	if (ret)
		goto out_err;

out_err:
	shash_desc_zero(desc);
	return ret;
}

/**
 * krb5_kdf_hmac_sha2 - Derive a subkey for an AES/SHA2-based enctype
 * @gk5e: Kerberos 5 enctype policy parameters
 * @inkey: base protocol key
 * @outkey: OUT: derived key
 * @label: subkey usage label
 * @gfp_mask: memory allocation control flags
 *
 * RFC 8009 Section 3:
 *
 *  "We use a key derivation function from Section 5.1 of [SP800-108],
 *   which uses the HMAC algorithm as the PRF."
 *
 *	function KDF-HMAC-SHA2(key, label, [context,] k):
 *		k-truncate(K1)
 *
 * Caller sets @outkey->len to the desired length of the derived key.
 *
 * On success, returns 0 and fills in @outkey. A negative errno value
 * is returned on failure.
 */
int
krb5_kdf_hmac_sha2(const struct gss_krb5_enctype *gk5e,
		   const struct xdr_netobj *inkey,
		   struct xdr_netobj *outkey,
		   const struct xdr_netobj *label,
		   gfp_t gfp_mask)
{
	struct crypto_shash *tfm;
	struct xdr_netobj K1 = {
		.data = NULL,
	};
	int ret;

	/*
	 * This implementation assumes the HMAC used for an enctype's
	 * key derivation is the same as the HMAC used for its
	 * checksumming. This happens to be true for enctypes that
	 * are currently supported by this implementation.
	 */
	tfm = crypto_alloc_shash(gk5e->cksum_name, 0, 0);
	if (IS_ERR(tfm)) {
		ret = PTR_ERR(tfm);
		goto out;
	}
	ret = crypto_shash_setkey(tfm, inkey->data, inkey->len);
	if (ret)
		goto out_free_tfm;

	K1.len = crypto_shash_digestsize(tfm);
	K1.data = kmalloc(K1.len, gfp_mask);
	if (!K1.data) {
		ret = -ENOMEM;
		goto out_free_tfm;
	}

	ret = krb5_hmac_K1(tfm, label, outkey->len, &K1);
	if (ret)
		goto out_free_tfm;

	/* k-truncate and random-to-key */
	memcpy(outkey->data, K1.data, outkey->len);

out_free_tfm:
	kfree_sensitive(K1.data);
	crypto_free_shash(tfm);
out:
	return ret;
}