1*4882a593Smuzhiyun /*
2*4882a593Smuzhiyun * COPYRIGHT (c) 2008
3*4882a593Smuzhiyun * The Regents of the University of Michigan
4*4882a593Smuzhiyun * ALL RIGHTS RESERVED
5*4882a593Smuzhiyun *
6*4882a593Smuzhiyun * Permission is granted to use, copy, create derivative works
7*4882a593Smuzhiyun * and redistribute this software and such derivative works
8*4882a593Smuzhiyun * for any purpose, so long as the name of The University of
9*4882a593Smuzhiyun * Michigan is not used in any advertising or publicity
10*4882a593Smuzhiyun * pertaining to the use of distribution of this software
11*4882a593Smuzhiyun * without specific, written prior authorization. If the
12*4882a593Smuzhiyun * above copyright notice or any other identification of the
13*4882a593Smuzhiyun * University of Michigan is included in any copy of any
14*4882a593Smuzhiyun * portion of this software, then the disclaimer below must
15*4882a593Smuzhiyun * also be included.
16*4882a593Smuzhiyun *
17*4882a593Smuzhiyun * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
18*4882a593Smuzhiyun * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
19*4882a593Smuzhiyun * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
20*4882a593Smuzhiyun * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
21*4882a593Smuzhiyun * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
22*4882a593Smuzhiyun * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
23*4882a593Smuzhiyun * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
24*4882a593Smuzhiyun * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
25*4882a593Smuzhiyun * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
26*4882a593Smuzhiyun * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
27*4882a593Smuzhiyun * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
28*4882a593Smuzhiyun * SUCH DAMAGES.
29*4882a593Smuzhiyun */
30*4882a593Smuzhiyun
31*4882a593Smuzhiyun /*
32*4882a593Smuzhiyun * Copyright (C) 1998 by the FundsXpress, INC.
33*4882a593Smuzhiyun *
34*4882a593Smuzhiyun * All rights reserved.
35*4882a593Smuzhiyun *
36*4882a593Smuzhiyun * Export of this software from the United States of America may require
37*4882a593Smuzhiyun * a specific license from the United States Government. It is the
38*4882a593Smuzhiyun * responsibility of any person or organization contemplating export to
39*4882a593Smuzhiyun * obtain such a license before exporting.
40*4882a593Smuzhiyun *
41*4882a593Smuzhiyun * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
42*4882a593Smuzhiyun * distribute this software and its documentation for any purpose and
43*4882a593Smuzhiyun * without fee is hereby granted, provided that the above copyright
44*4882a593Smuzhiyun * notice appear in all copies and that both that copyright notice and
45*4882a593Smuzhiyun * this permission notice appear in supporting documentation, and that
46*4882a593Smuzhiyun * the name of FundsXpress. not be used in advertising or publicity pertaining
47*4882a593Smuzhiyun * to distribution of the software without specific, written prior
48*4882a593Smuzhiyun * permission. FundsXpress makes no representations about the suitability of
49*4882a593Smuzhiyun * this software for any purpose. It is provided "as is" without express
50*4882a593Smuzhiyun * or implied warranty.
51*4882a593Smuzhiyun *
52*4882a593Smuzhiyun * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
53*4882a593Smuzhiyun * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
54*4882a593Smuzhiyun * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
55*4882a593Smuzhiyun */
56*4882a593Smuzhiyun
57*4882a593Smuzhiyun #include <crypto/skcipher.h>
58*4882a593Smuzhiyun #include <linux/err.h>
59*4882a593Smuzhiyun #include <linux/types.h>
60*4882a593Smuzhiyun #include <linux/sunrpc/gss_krb5.h>
61*4882a593Smuzhiyun #include <linux/sunrpc/xdr.h>
62*4882a593Smuzhiyun #include <linux/lcm.h>
63*4882a593Smuzhiyun
64*4882a593Smuzhiyun #if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
65*4882a593Smuzhiyun # define RPCDBG_FACILITY RPCDBG_AUTH
66*4882a593Smuzhiyun #endif
67*4882a593Smuzhiyun
68*4882a593Smuzhiyun /*
69*4882a593Smuzhiyun * This is the n-fold function as described in rfc3961, sec 5.1
70*4882a593Smuzhiyun * Taken from MIT Kerberos and modified.
71*4882a593Smuzhiyun */
72*4882a593Smuzhiyun
krb5_nfold(u32 inbits,const u8 * in,u32 outbits,u8 * out)73*4882a593Smuzhiyun static void krb5_nfold(u32 inbits, const u8 *in,
74*4882a593Smuzhiyun u32 outbits, u8 *out)
75*4882a593Smuzhiyun {
76*4882a593Smuzhiyun unsigned long ulcm;
77*4882a593Smuzhiyun int byte, i, msbit;
78*4882a593Smuzhiyun
79*4882a593Smuzhiyun /* the code below is more readable if I make these bytes
80*4882a593Smuzhiyun instead of bits */
81*4882a593Smuzhiyun
82*4882a593Smuzhiyun inbits >>= 3;
83*4882a593Smuzhiyun outbits >>= 3;
84*4882a593Smuzhiyun
85*4882a593Smuzhiyun /* first compute lcm(n,k) */
86*4882a593Smuzhiyun ulcm = lcm(inbits, outbits);
87*4882a593Smuzhiyun
88*4882a593Smuzhiyun /* now do the real work */
89*4882a593Smuzhiyun
90*4882a593Smuzhiyun memset(out, 0, outbits);
91*4882a593Smuzhiyun byte = 0;
92*4882a593Smuzhiyun
93*4882a593Smuzhiyun /* this will end up cycling through k lcm(k,n)/k times, which
94*4882a593Smuzhiyun is correct */
95*4882a593Smuzhiyun for (i = ulcm-1; i >= 0; i--) {
96*4882a593Smuzhiyun /* compute the msbit in k which gets added into this byte */
97*4882a593Smuzhiyun msbit = (
98*4882a593Smuzhiyun /* first, start with the msbit in the first,
99*4882a593Smuzhiyun * unrotated byte */
100*4882a593Smuzhiyun ((inbits << 3) - 1)
101*4882a593Smuzhiyun /* then, for each byte, shift to the right
102*4882a593Smuzhiyun * for each repetition */
103*4882a593Smuzhiyun + (((inbits << 3) + 13) * (i/inbits))
104*4882a593Smuzhiyun /* last, pick out the correct byte within
105*4882a593Smuzhiyun * that shifted repetition */
106*4882a593Smuzhiyun + ((inbits - (i % inbits)) << 3)
107*4882a593Smuzhiyun ) % (inbits << 3);
108*4882a593Smuzhiyun
109*4882a593Smuzhiyun /* pull out the byte value itself */
110*4882a593Smuzhiyun byte += (((in[((inbits - 1) - (msbit >> 3)) % inbits] << 8)|
111*4882a593Smuzhiyun (in[((inbits) - (msbit >> 3)) % inbits]))
112*4882a593Smuzhiyun >> ((msbit & 7) + 1)) & 0xff;
113*4882a593Smuzhiyun
114*4882a593Smuzhiyun /* do the addition */
115*4882a593Smuzhiyun byte += out[i % outbits];
116*4882a593Smuzhiyun out[i % outbits] = byte & 0xff;
117*4882a593Smuzhiyun
118*4882a593Smuzhiyun /* keep around the carry bit, if any */
119*4882a593Smuzhiyun byte >>= 8;
120*4882a593Smuzhiyun
121*4882a593Smuzhiyun }
122*4882a593Smuzhiyun
123*4882a593Smuzhiyun /* if there's a carry bit left over, add it back in */
124*4882a593Smuzhiyun if (byte) {
125*4882a593Smuzhiyun for (i = outbits - 1; i >= 0; i--) {
126*4882a593Smuzhiyun /* do the addition */
127*4882a593Smuzhiyun byte += out[i];
128*4882a593Smuzhiyun out[i] = byte & 0xff;
129*4882a593Smuzhiyun
130*4882a593Smuzhiyun /* keep around the carry bit, if any */
131*4882a593Smuzhiyun byte >>= 8;
132*4882a593Smuzhiyun }
133*4882a593Smuzhiyun }
134*4882a593Smuzhiyun }
135*4882a593Smuzhiyun
136*4882a593Smuzhiyun /*
137*4882a593Smuzhiyun * This is the DK (derive_key) function as described in rfc3961, sec 5.1
138*4882a593Smuzhiyun * Taken from MIT Kerberos and modified.
139*4882a593Smuzhiyun */
140*4882a593Smuzhiyun
krb5_derive_key(const struct gss_krb5_enctype * gk5e,const struct xdr_netobj * inkey,struct xdr_netobj * outkey,const struct xdr_netobj * in_constant,gfp_t gfp_mask)141*4882a593Smuzhiyun u32 krb5_derive_key(const struct gss_krb5_enctype *gk5e,
142*4882a593Smuzhiyun const struct xdr_netobj *inkey,
143*4882a593Smuzhiyun struct xdr_netobj *outkey,
144*4882a593Smuzhiyun const struct xdr_netobj *in_constant,
145*4882a593Smuzhiyun gfp_t gfp_mask)
146*4882a593Smuzhiyun {
147*4882a593Smuzhiyun size_t blocksize, keybytes, keylength, n;
148*4882a593Smuzhiyun unsigned char *inblockdata, *outblockdata, *rawkey;
149*4882a593Smuzhiyun struct xdr_netobj inblock, outblock;
150*4882a593Smuzhiyun struct crypto_sync_skcipher *cipher;
151*4882a593Smuzhiyun u32 ret = EINVAL;
152*4882a593Smuzhiyun
153*4882a593Smuzhiyun blocksize = gk5e->blocksize;
154*4882a593Smuzhiyun keybytes = gk5e->keybytes;
155*4882a593Smuzhiyun keylength = gk5e->keylength;
156*4882a593Smuzhiyun
157*4882a593Smuzhiyun if ((inkey->len != keylength) || (outkey->len != keylength))
158*4882a593Smuzhiyun goto err_return;
159*4882a593Smuzhiyun
160*4882a593Smuzhiyun cipher = crypto_alloc_sync_skcipher(gk5e->encrypt_name, 0, 0);
161*4882a593Smuzhiyun if (IS_ERR(cipher))
162*4882a593Smuzhiyun goto err_return;
163*4882a593Smuzhiyun if (crypto_sync_skcipher_setkey(cipher, inkey->data, inkey->len))
164*4882a593Smuzhiyun goto err_return;
165*4882a593Smuzhiyun
166*4882a593Smuzhiyun /* allocate and set up buffers */
167*4882a593Smuzhiyun
168*4882a593Smuzhiyun ret = ENOMEM;
169*4882a593Smuzhiyun inblockdata = kmalloc(blocksize, gfp_mask);
170*4882a593Smuzhiyun if (inblockdata == NULL)
171*4882a593Smuzhiyun goto err_free_cipher;
172*4882a593Smuzhiyun
173*4882a593Smuzhiyun outblockdata = kmalloc(blocksize, gfp_mask);
174*4882a593Smuzhiyun if (outblockdata == NULL)
175*4882a593Smuzhiyun goto err_free_in;
176*4882a593Smuzhiyun
177*4882a593Smuzhiyun rawkey = kmalloc(keybytes, gfp_mask);
178*4882a593Smuzhiyun if (rawkey == NULL)
179*4882a593Smuzhiyun goto err_free_out;
180*4882a593Smuzhiyun
181*4882a593Smuzhiyun inblock.data = (char *) inblockdata;
182*4882a593Smuzhiyun inblock.len = blocksize;
183*4882a593Smuzhiyun
184*4882a593Smuzhiyun outblock.data = (char *) outblockdata;
185*4882a593Smuzhiyun outblock.len = blocksize;
186*4882a593Smuzhiyun
187*4882a593Smuzhiyun /* initialize the input block */
188*4882a593Smuzhiyun
189*4882a593Smuzhiyun if (in_constant->len == inblock.len) {
190*4882a593Smuzhiyun memcpy(inblock.data, in_constant->data, inblock.len);
191*4882a593Smuzhiyun } else {
192*4882a593Smuzhiyun krb5_nfold(in_constant->len * 8, in_constant->data,
193*4882a593Smuzhiyun inblock.len * 8, inblock.data);
194*4882a593Smuzhiyun }
195*4882a593Smuzhiyun
196*4882a593Smuzhiyun /* loop encrypting the blocks until enough key bytes are generated */
197*4882a593Smuzhiyun
198*4882a593Smuzhiyun n = 0;
199*4882a593Smuzhiyun while (n < keybytes) {
200*4882a593Smuzhiyun (*(gk5e->encrypt))(cipher, NULL, inblock.data,
201*4882a593Smuzhiyun outblock.data, inblock.len);
202*4882a593Smuzhiyun
203*4882a593Smuzhiyun if ((keybytes - n) <= outblock.len) {
204*4882a593Smuzhiyun memcpy(rawkey + n, outblock.data, (keybytes - n));
205*4882a593Smuzhiyun break;
206*4882a593Smuzhiyun }
207*4882a593Smuzhiyun
208*4882a593Smuzhiyun memcpy(rawkey + n, outblock.data, outblock.len);
209*4882a593Smuzhiyun memcpy(inblock.data, outblock.data, outblock.len);
210*4882a593Smuzhiyun n += outblock.len;
211*4882a593Smuzhiyun }
212*4882a593Smuzhiyun
213*4882a593Smuzhiyun /* postprocess the key */
214*4882a593Smuzhiyun
215*4882a593Smuzhiyun inblock.data = (char *) rawkey;
216*4882a593Smuzhiyun inblock.len = keybytes;
217*4882a593Smuzhiyun
218*4882a593Smuzhiyun BUG_ON(gk5e->mk_key == NULL);
219*4882a593Smuzhiyun ret = (*(gk5e->mk_key))(gk5e, &inblock, outkey);
220*4882a593Smuzhiyun if (ret) {
221*4882a593Smuzhiyun dprintk("%s: got %d from mk_key function for '%s'\n",
222*4882a593Smuzhiyun __func__, ret, gk5e->encrypt_name);
223*4882a593Smuzhiyun goto err_free_raw;
224*4882a593Smuzhiyun }
225*4882a593Smuzhiyun
226*4882a593Smuzhiyun /* clean memory, free resources and exit */
227*4882a593Smuzhiyun
228*4882a593Smuzhiyun ret = 0;
229*4882a593Smuzhiyun
230*4882a593Smuzhiyun err_free_raw:
231*4882a593Smuzhiyun kfree_sensitive(rawkey);
232*4882a593Smuzhiyun err_free_out:
233*4882a593Smuzhiyun kfree_sensitive(outblockdata);
234*4882a593Smuzhiyun err_free_in:
235*4882a593Smuzhiyun kfree_sensitive(inblockdata);
236*4882a593Smuzhiyun err_free_cipher:
237*4882a593Smuzhiyun crypto_free_sync_skcipher(cipher);
238*4882a593Smuzhiyun err_return:
239*4882a593Smuzhiyun return ret;
240*4882a593Smuzhiyun }
241*4882a593Smuzhiyun
242*4882a593Smuzhiyun #define smask(step) ((1<<step)-1)
243*4882a593Smuzhiyun #define pstep(x, step) (((x)&smask(step))^(((x)>>step)&smask(step)))
244*4882a593Smuzhiyun #define parity_char(x) pstep(pstep(pstep((x), 4), 2), 1)
245*4882a593Smuzhiyun
mit_des_fixup_key_parity(u8 key[8])246*4882a593Smuzhiyun static void mit_des_fixup_key_parity(u8 key[8])
247*4882a593Smuzhiyun {
248*4882a593Smuzhiyun int i;
249*4882a593Smuzhiyun for (i = 0; i < 8; i++) {
250*4882a593Smuzhiyun key[i] &= 0xfe;
251*4882a593Smuzhiyun key[i] |= 1^parity_char(key[i]);
252*4882a593Smuzhiyun }
253*4882a593Smuzhiyun }
254*4882a593Smuzhiyun
255*4882a593Smuzhiyun /*
256*4882a593Smuzhiyun * This is the des3 key derivation postprocess function
257*4882a593Smuzhiyun */
gss_krb5_des3_make_key(const struct gss_krb5_enctype * gk5e,struct xdr_netobj * randombits,struct xdr_netobj * key)258*4882a593Smuzhiyun u32 gss_krb5_des3_make_key(const struct gss_krb5_enctype *gk5e,
259*4882a593Smuzhiyun struct xdr_netobj *randombits,
260*4882a593Smuzhiyun struct xdr_netobj *key)
261*4882a593Smuzhiyun {
262*4882a593Smuzhiyun int i;
263*4882a593Smuzhiyun u32 ret = EINVAL;
264*4882a593Smuzhiyun
265*4882a593Smuzhiyun if (key->len != 24) {
266*4882a593Smuzhiyun dprintk("%s: key->len is %d\n", __func__, key->len);
267*4882a593Smuzhiyun goto err_out;
268*4882a593Smuzhiyun }
269*4882a593Smuzhiyun if (randombits->len != 21) {
270*4882a593Smuzhiyun dprintk("%s: randombits->len is %d\n",
271*4882a593Smuzhiyun __func__, randombits->len);
272*4882a593Smuzhiyun goto err_out;
273*4882a593Smuzhiyun }
274*4882a593Smuzhiyun
275*4882a593Smuzhiyun /* take the seven bytes, move them around into the top 7 bits of the
276*4882a593Smuzhiyun 8 key bytes, then compute the parity bits. Do this three times. */
277*4882a593Smuzhiyun
278*4882a593Smuzhiyun for (i = 0; i < 3; i++) {
279*4882a593Smuzhiyun memcpy(key->data + i*8, randombits->data + i*7, 7);
280*4882a593Smuzhiyun key->data[i*8+7] = (((key->data[i*8]&1)<<1) |
281*4882a593Smuzhiyun ((key->data[i*8+1]&1)<<2) |
282*4882a593Smuzhiyun ((key->data[i*8+2]&1)<<3) |
283*4882a593Smuzhiyun ((key->data[i*8+3]&1)<<4) |
284*4882a593Smuzhiyun ((key->data[i*8+4]&1)<<5) |
285*4882a593Smuzhiyun ((key->data[i*8+5]&1)<<6) |
286*4882a593Smuzhiyun ((key->data[i*8+6]&1)<<7));
287*4882a593Smuzhiyun
288*4882a593Smuzhiyun mit_des_fixup_key_parity(key->data + i*8);
289*4882a593Smuzhiyun }
290*4882a593Smuzhiyun ret = 0;
291*4882a593Smuzhiyun err_out:
292*4882a593Smuzhiyun return ret;
293*4882a593Smuzhiyun }
294*4882a593Smuzhiyun
295*4882a593Smuzhiyun /*
296*4882a593Smuzhiyun * This is the aes key derivation postprocess function
297*4882a593Smuzhiyun */
gss_krb5_aes_make_key(const struct gss_krb5_enctype * gk5e,struct xdr_netobj * randombits,struct xdr_netobj * key)298*4882a593Smuzhiyun u32 gss_krb5_aes_make_key(const struct gss_krb5_enctype *gk5e,
299*4882a593Smuzhiyun struct xdr_netobj *randombits,
300*4882a593Smuzhiyun struct xdr_netobj *key)
301*4882a593Smuzhiyun {
302*4882a593Smuzhiyun u32 ret = EINVAL;
303*4882a593Smuzhiyun
304*4882a593Smuzhiyun if (key->len != 16 && key->len != 32) {
305*4882a593Smuzhiyun dprintk("%s: key->len is %d\n", __func__, key->len);
306*4882a593Smuzhiyun goto err_out;
307*4882a593Smuzhiyun }
308*4882a593Smuzhiyun if (randombits->len != 16 && randombits->len != 32) {
309*4882a593Smuzhiyun dprintk("%s: randombits->len is %d\n",
310*4882a593Smuzhiyun __func__, randombits->len);
311*4882a593Smuzhiyun goto err_out;
312*4882a593Smuzhiyun }
313*4882a593Smuzhiyun if (randombits->len != key->len) {
314*4882a593Smuzhiyun dprintk("%s: randombits->len is %d, key->len is %d\n",
315*4882a593Smuzhiyun __func__, randombits->len, key->len);
316*4882a593Smuzhiyun goto err_out;
317*4882a593Smuzhiyun }
318*4882a593Smuzhiyun memcpy(key->data, randombits->data, key->len);
319*4882a593Smuzhiyun ret = 0;
320*4882a593Smuzhiyun err_out:
321*4882a593Smuzhiyun return ret;
322*4882a593Smuzhiyun }
323