net/sunrpc/auth_gss/gss_krb5_keys.c

   1 /*
   2  * COPYRIGHT (c) 2008
   3  * The Regents of the University of Michigan
   4  * ALL RIGHTS RESERVED
   5  *
   6  * Permission is granted to use, copy, create derivative works
   7  * and redistribute this software and such derivative works
   8  * for any purpose, so long as the name of The University of
   9  * Michigan is not used in any advertising or publicity
  10  * pertaining to the use of distribution of this software
  11  * without specific, written prior authorization.  If the
  12  * above copyright notice or any other identification of the
  13  * University of Michigan is included in any copy of any
  14  * portion of this software, then the disclaimer below must
  15  * also be included.
  16  *
  17  * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
  18  * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
  19  * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
  20  * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
  21  * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
  22  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
  23  * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
  24  * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
  25  * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
  26  * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
  27  * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
  28  * SUCH DAMAGES.
  29  */
  30
  31 /*
  32  * Copyright (C) 1998 by the FundsXpress, INC.
  33  *
  34  * All rights reserved.
  35  *
  36  * Export of this software from the United States of America may require
  37  * a specific license from the United States Government.  It is the
  38  * responsibility of any person or organization contemplating export to
  39  * obtain such a license before exporting.
  40  *
  41  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  42  * distribute this software and its documentation for any purpose and
  43  * without fee is hereby granted, provided that the above copyright
  44  * notice appear in all copies and that both that copyright notice and
  45  * this permission notice appear in supporting documentation, and that
  46  * the name of FundsXpress. not be used in advertising or publicity pertaining
  47  * to distribution of the software without specific, written prior
  48  * permission.  FundsXpress makes no representations about the suitability of
  49  * this software for any purpose.  It is provided "as is" without express
  50  * or implied warranty.
  51  *
  52  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
  53  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  54  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  55  */
  56
  57 #include <crypto/skcipher.h>
  58 #include <linux/err.h>
  59 #include <linux/types.h>
  60 #include <linux/sunrpc/gss_krb5.h>
  61 #include <linux/sunrpc/xdr.h>
  62 #include <linux/lcm.h>
  63 #include <crypto/hash.h>
  64 #include <kunit/visibility.h>
  65
  66 #include "gss_krb5_internal.h"
  67
  68 #if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
  69 # define RPCDBG_FACILITY        RPCDBG_AUTH
  70 #endif
  71
  72 /**
  73  * krb5_nfold - n-fold function
  74  * @inbits: number of bits in @in
  75  * @in: buffer containing input to fold
  76  * @outbits: number of bits in the output buffer
  77  * @out: buffer to hold the result
  78  *
  79  * This is the n-fold function as described in rfc3961, sec 5.1
  80  * Taken from MIT Kerberos and modified.
  81  */
  82 VISIBLE_IF_KUNIT
  83 void krb5_nfold(u32 inbits, const u8 *in, u32 outbits, u8 *out)
  84 {
  85         unsigned long ulcm;
  86         int byte, i, msbit;
  87
  88         /* the code below is more readable if I make these bytes
  89            instead of bits */
  90
  91         inbits >>= 3;
  92         outbits >>= 3;
  93
  94         /* first compute lcm(n,k) */
  95         ulcm = lcm(inbits, outbits);
  96
  97         /* now do the real work */
  98
  99         memset(out, 0, outbits);
 100         byte = 0;
 101
 102         /* this will end up cycling through k lcm(k,n)/k times, which
 103            is correct */
 104         for (i = ulcm-1; i >= 0; i--) {
 105                 /* compute the msbit in k which gets added into this byte */
 106                 msbit = (
 107                         /* first, start with the msbit in the first,
 108                          * unrotated byte */
 109                          ((inbits << 3) - 1)
 110                          /* then, for each byte, shift to the right
 111                           * for each repetition */
 112                          + (((inbits << 3) + 13) * (i/inbits))
 113                          /* last, pick out the correct byte within
 114                           * that shifted repetition */
 115                          + ((inbits - (i % inbits)) << 3)
 116                          ) % (inbits << 3);
 117
 118                 /* pull out the byte value itself */
 119                 byte += (((in[((inbits - 1) - (msbit >> 3)) % inbits] << 8)|
 120                                   (in[((inbits) - (msbit >> 3)) % inbits]))
 121                                  >> ((msbit & 7) + 1)) & 0xff;
 122
 123                 /* do the addition */
 124                 byte += out[i % outbits];
 125                 out[i % outbits] = byte & 0xff;
 126
 127                 /* keep around the carry bit, if any */
 128                 byte >>= 8;
 129
 130         }
 131
 132         /* if there's a carry bit left over, add it back in */
 133         if (byte) {
 134                 for (i = outbits - 1; i >= 0; i--) {
 135                         /* do the addition */
 136                         byte += out[i];
 137                         out[i] = byte & 0xff;
 138
 139                         /* keep around the carry bit, if any */
 140                         byte >>= 8;
 141                 }
 142         }
 143 }
 144 EXPORT_SYMBOL_IF_KUNIT(krb5_nfold);
 145
 146 /*
 147  * This is the DK (derive_key) function as described in rfc3961, sec 5.1
 148  * Taken from MIT Kerberos and modified.
 149  */
 150 static int krb5_DK(const struct gss_krb5_enctype *gk5e,
 151                    const struct xdr_netobj *inkey, u8 *rawkey,
 152                    const struct xdr_netobj *in_constant, gfp_t gfp_mask)
 153 {
 154         size_t blocksize, keybytes, keylength, n;
 155         unsigned char *inblockdata, *outblockdata;
 156         struct xdr_netobj inblock, outblock;
 157         struct crypto_sync_skcipher *cipher;
 158         int ret = -EINVAL;
 159
 160         keybytes = gk5e->keybytes;
 161         keylength = gk5e->keylength;
 162
 163         if (inkey->len != keylength)
 164                 goto err_return;
 165
 166         cipher = crypto_alloc_sync_skcipher(gk5e->encrypt_name, 0, 0);
 167         if (IS_ERR(cipher))
 168                 goto err_return;
 169         blocksize = crypto_sync_skcipher_blocksize(cipher);
 170         if (crypto_sync_skcipher_setkey(cipher, inkey->data, inkey->len))
 171                 goto err_free_cipher;
 172
 173         ret = -ENOMEM;
 174         inblockdata = kmalloc(blocksize, gfp_mask);
 175         if (inblockdata == NULL)
 176                 goto err_free_cipher;
 177
 178         outblockdata = kmalloc(blocksize, gfp_mask);
 179         if (outblockdata == NULL)
 180                 goto err_free_in;
 181
 182         inblock.data = (char *) inblockdata;
 183         inblock.len = blocksize;
 184
 185         outblock.data = (char *) outblockdata;
 186         outblock.len = blocksize;
 187
 188         /* initialize the input block */
 189
 190         if (in_constant->len == inblock.len) {
 191                 memcpy(inblock.data, in_constant->data, inblock.len);
 192         } else {
 193                 krb5_nfold(in_constant->len * 8, in_constant->data,
 194                            inblock.len * 8, inblock.data);
 195         }
 196
 197         /* loop encrypting the blocks until enough key bytes are generated */
 198
 199         n = 0;
 200         while (n < keybytes) {
 201                 krb5_encrypt(cipher, NULL, inblock.data, outblock.data,
 202                              inblock.len);
 203
 204                 if ((keybytes - n) <= outblock.len) {
 205                         memcpy(rawkey + n, outblock.data, (keybytes - n));
 206                         break;
 207                 }
 208
 209                 memcpy(rawkey + n, outblock.data, outblock.len);
 210                 memcpy(inblock.data, outblock.data, outblock.len);
 211                 n += outblock.len;
 212         }
 213
 214         ret = 0;
 215
 216         kfree_sensitive(outblockdata);
 217 err_free_in:
 218         kfree_sensitive(inblockdata);
 219 err_free_cipher:
 220         crypto_free_sync_skcipher(cipher);
 221 err_return:
 222         return ret;
 223 }
 224
 225 /*
 226  * This is the identity function, with some sanity checking.
 227  */
 228 static int krb5_random_to_key_v2(const struct gss_krb5_enctype *gk5e,
 229                                  struct xdr_netobj *randombits,
 230                                  struct xdr_netobj *key)
 231 {
 232         int ret = -EINVAL;
 233
 234         if (key->len != 16 && key->len != 32) {
 235                 dprintk("%s: key->len is %d\n", __func__, key->len);
 236                 goto err_out;
 237         }
 238         if (randombits->len != 16 && randombits->len != 32) {
 239                 dprintk("%s: randombits->len is %d\n",
 240                         __func__, randombits->len);
 241                 goto err_out;
 242         }
 243         if (randombits->len != key->len) {
 244                 dprintk("%s: randombits->len is %d, key->len is %d\n",
 245                         __func__, randombits->len, key->len);
 246                 goto err_out;
 247         }
 248         memcpy(key->data, randombits->data, key->len);
 249         ret = 0;
 250 err_out:
 251         return ret;
 252 }
 253
 254 /**
 255  * krb5_derive_key_v2 - Derive a subkey for an RFC 3962 enctype
 256  * @gk5e: Kerberos 5 enctype profile
 257  * @inkey: base protocol key
 258  * @outkey: OUT: derived key
 259  * @label: subkey usage label
 260  * @gfp_mask: memory allocation control flags
 261  *
 262  * Caller sets @outkey->len to the desired length of the derived key.
 263  *
 264  * On success, returns 0 and fills in @outkey. A negative errno value
 265  * is returned on failure.
 266  */
 267 int krb5_derive_key_v2(const struct gss_krb5_enctype *gk5e,
 268                        const struct xdr_netobj *inkey,
 269                        struct xdr_netobj *outkey,
 270                        const struct xdr_netobj *label,
 271                        gfp_t gfp_mask)
 272 {
 273         struct xdr_netobj inblock;
 274         int ret;
 275
 276         inblock.len = gk5e->keybytes;
 277         inblock.data = kmalloc(inblock.len, gfp_mask);
 278         if (!inblock.data)
 279                 return -ENOMEM;
 280
 281         ret = krb5_DK(gk5e, inkey, inblock.data, label, gfp_mask);
 282         if (!ret)
 283                 ret = krb5_random_to_key_v2(gk5e, &inblock, outkey);
 284
 285         kfree_sensitive(inblock.data);
 286         return ret;
 287 }
 288
 289 /*
 290  * K(i) = CMAC(key, K(i-1) | i | constant | 0x00 | k)
 291  *
 292  *    i: A block counter is used with a length of 4 bytes, represented
 293  *       in big-endian order.
 294  *
 295  *    constant: The label input to the KDF is the usage constant supplied
 296  *              to the key derivation function
 297  *
 298  *    k: The length of the output key in bits, represented as a 4-byte
 299  *       string in big-endian order.
 300  *
 301  * Caller fills in K(i-1) in @step, and receives the result K(i)
 302  * in the same buffer.
 303  */
 304 static int
 305 krb5_cmac_Ki(struct crypto_shash *tfm, const struct xdr_netobj *constant,
 306              u32 outlen, u32 count, struct xdr_netobj *step)
 307 {
 308         __be32 k = cpu_to_be32(outlen * 8);
 309         SHASH_DESC_ON_STACK(desc, tfm);
 310         __be32 i = cpu_to_be32(count);
 311         u8 zero = 0;
 312         int ret;
 313
 314         desc->tfm = tfm;
 315         ret = crypto_shash_init(desc);
 316         if (ret)
 317                 goto out_err;
 318
 319         ret = crypto_shash_update(desc, step->data, step->len);
 320         if (ret)
 321                 goto out_err;
 322         ret = crypto_shash_update(desc, (u8 *)&i, sizeof(i));
 323         if (ret)
 324                 goto out_err;
 325         ret = crypto_shash_update(desc, constant->data, constant->len);
 326         if (ret)
 327                 goto out_err;
 328         ret = crypto_shash_update(desc, &zero, sizeof(zero));
 329         if (ret)
 330                 goto out_err;
 331         ret = crypto_shash_update(desc, (u8 *)&k, sizeof(k));
 332         if (ret)
 333                 goto out_err;
 334         ret = crypto_shash_final(desc, step->data);
 335         if (ret)
 336                 goto out_err;
 337
 338 out_err:
 339         shash_desc_zero(desc);
 340         return ret;
 341 }
 342
 343 /**
 344  * krb5_kdf_feedback_cmac - Derive a subkey for a Camellia/CMAC-based enctype
 345  * @gk5e: Kerberos 5 enctype parameters
 346  * @inkey: base protocol key
 347  * @outkey: OUT: derived key
 348  * @constant: subkey usage label
 349  * @gfp_mask: memory allocation control flags
 350  *
 351  * RFC 6803 Section 3:
 352  *
 353  * "We use a key derivation function from the family specified in
 354  *  [SP800-108], Section 5.2, 'KDF in Feedback Mode'."
 355  *
 356  *      n = ceiling(k / 128)
 357  *      K(0) = zeros
 358  *      K(i) = CMAC(key, K(i-1) | i | constant | 0x00 | k)
 359  *      DR(key, constant) = k-truncate(K(1) | K(2) | ... | K(n))
 360  *      KDF-FEEDBACK-CMAC(key, constant) = random-to-key(DR(key, constant))
 361  *
 362  * Caller sets @outkey->len to the desired length of the derived key (k).
 363  *
 364  * On success, returns 0 and fills in @outkey. A negative errno value
 365  * is returned on failure.
 366  */
 367 int
 368 krb5_kdf_feedback_cmac(const struct gss_krb5_enctype *gk5e,
 369                        const struct xdr_netobj *inkey,
 370                        struct xdr_netobj *outkey,
 371                        const struct xdr_netobj *constant,
 372                        gfp_t gfp_mask)
 373 {
 374         struct xdr_netobj step = { .data = NULL };
 375         struct xdr_netobj DR = { .data = NULL };
 376         unsigned int blocksize, offset;
 377         struct crypto_shash *tfm;
 378         int n, count, ret;
 379
 380         /*
 381          * This implementation assumes the CMAC used for an enctype's
 382          * key derivation is the same as the CMAC used for its
 383          * checksumming. This happens to be true for enctypes that
 384          * are currently supported by this implementation.
 385          */
 386         tfm = crypto_alloc_shash(gk5e->cksum_name, 0, 0);
 387         if (IS_ERR(tfm)) {
 388                 ret = PTR_ERR(tfm);
 389                 goto out;
 390         }
 391         ret = crypto_shash_setkey(tfm, inkey->data, inkey->len);
 392         if (ret)
 393                 goto out_free_tfm;
 394
 395         blocksize = crypto_shash_digestsize(tfm);
 396         n = (outkey->len + blocksize - 1) / blocksize;
 397
 398         /* K(0) is all zeroes */
 399         ret = -ENOMEM;
 400         step.len = blocksize;
 401         step.data = kzalloc(step.len, gfp_mask);
 402         if (!step.data)
 403                 goto out_free_tfm;
 404
 405         DR.len = blocksize * n;
 406         DR.data = kmalloc(DR.len, gfp_mask);
 407         if (!DR.data)
 408                 goto out_free_tfm;
 409
 410         /* XXX: Does not handle partial-block key sizes */
 411         for (offset = 0, count = 1; count <= n; count++) {
 412                 ret = krb5_cmac_Ki(tfm, constant, outkey->len, count, &step);
 413                 if (ret)
 414                         goto out_free_tfm;
 415
 416                 memcpy(DR.data + offset, step.data, blocksize);
 417                 offset += blocksize;
 418         }
 419
 420         /* k-truncate and random-to-key */
 421         memcpy(outkey->data, DR.data, outkey->len);
 422         ret = 0;
 423
 424 out_free_tfm:
 425         crypto_free_shash(tfm);
 426 out:
 427         kfree_sensitive(step.data);
 428         kfree_sensitive(DR.data);
 429         return ret;
 430 }
 431
 432 /*
 433  * K1 = HMAC-SHA(key, 0x00000001 | label | 0x00 | k)
 434  *
 435  *    key: The source of entropy from which subsequent keys are derived.
 436  *
 437  *    label: An octet string describing the intended usage of the
 438  *    derived key.
 439  *
 440  *    k: Length in bits of the key to be outputted, expressed in
 441  *    big-endian binary representation in 4 bytes.
 442  */
 443 static int
 444 krb5_hmac_K1(struct crypto_shash *tfm, const struct xdr_netobj *label,
 445              u32 outlen, struct xdr_netobj *K1)
 446 {
 447         __be32 k = cpu_to_be32(outlen * 8);
 448         SHASH_DESC_ON_STACK(desc, tfm);
 449         __be32 one = cpu_to_be32(1);
 450         u8 zero = 0;
 451         int ret;
 452
 453         desc->tfm = tfm;
 454         ret = crypto_shash_init(desc);
 455         if (ret)
 456                 goto out_err;
 457         ret = crypto_shash_update(desc, (u8 *)&one, sizeof(one));
 458         if (ret)
 459                 goto out_err;
 460         ret = crypto_shash_update(desc, label->data, label->len);
 461         if (ret)
 462                 goto out_err;
 463         ret = crypto_shash_update(desc, &zero, sizeof(zero));
 464         if (ret)
 465                 goto out_err;
 466         ret = crypto_shash_update(desc, (u8 *)&k, sizeof(k));
 467         if (ret)
 468                 goto out_err;
 469         ret = crypto_shash_final(desc, K1->data);
 470         if (ret)
 471                 goto out_err;
 472
 473 out_err:
 474         shash_desc_zero(desc);
 475         return ret;
 476 }
 477
 478 /**
 479  * krb5_kdf_hmac_sha2 - Derive a subkey for an AES/SHA2-based enctype
 480  * @gk5e: Kerberos 5 enctype policy parameters
 481  * @inkey: base protocol key
 482  * @outkey: OUT: derived key
 483  * @label: subkey usage label
 484  * @gfp_mask: memory allocation control flags
 485  *
 486  * RFC 8009 Section 3:
 487  *
 488  *  "We use a key derivation function from Section 5.1 of [SP800-108],
 489  *   which uses the HMAC algorithm as the PRF."
 490  *
 491  *      function KDF-HMAC-SHA2(key, label, [context,] k):
 492  *              k-truncate(K1)
 493  *
 494  * Caller sets @outkey->len to the desired length of the derived key.
 495  *
 496  * On success, returns 0 and fills in @outkey. A negative errno value
 497  * is returned on failure.
 498  */
 499 int
 500 krb5_kdf_hmac_sha2(const struct gss_krb5_enctype *gk5e,
 501                    const struct xdr_netobj *inkey,
 502                    struct xdr_netobj *outkey,
 503                    const struct xdr_netobj *label,
 504                    gfp_t gfp_mask)
 505 {
 506         struct crypto_shash *tfm;
 507         struct xdr_netobj K1 = {
 508                 .data = NULL,
 509         };
 510         int ret;
 511
 512         /*
 513          * This implementation assumes the HMAC used for an enctype's
 514          * key derivation is the same as the HMAC used for its
 515          * checksumming. This happens to be true for enctypes that
 516          * are currently supported by this implementation.
 517          */
 518         tfm = crypto_alloc_shash(gk5e->cksum_name, 0, 0);
 519         if (IS_ERR(tfm)) {
 520                 ret = PTR_ERR(tfm);
 521                 goto out;
 522         }
 523         ret = crypto_shash_setkey(tfm, inkey->data, inkey->len);
 524         if (ret)
 525                 goto out_free_tfm;
 526
 527         K1.len = crypto_shash_digestsize(tfm);
 528         K1.data = kmalloc(K1.len, gfp_mask);
 529         if (!K1.data) {
 530                 ret = -ENOMEM;
 531                 goto out_free_tfm;
 532         }
 533
 534         ret = krb5_hmac_K1(tfm, label, outkey->len, &K1);
 535         if (ret)
 536                 goto out_free_tfm;
 537
 538         /* k-truncate and random-to-key */
 539         memcpy(outkey->data, K1.data, outkey->len);
 540
 541 out_free_tfm:
 542         kfree_sensitive(K1.data);
 543         crypto_free_shash(tfm);
 544 out:
 545         return ret;
 546 }