1 /*-
2 * Copyright (c) 2008 Isilon Inc http://www.isilon.com/
3 * Authors: Doug Rabson <dfr@rabson.org>
4 * Developed with Red Inc: Alfred Perlstein <alfred@freebsd.org>
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * SUCH DAMAGE.
26 */
27
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
30
31 #include <sys/param.h>
32 #include <sys/lock.h>
33 #include <sys/malloc.h>
34 #include <sys/mutex.h>
35 #include <sys/kobj.h>
36 #include <sys/mbuf.h>
37 #include <crypto/des/des.h>
38 #include <opencrypto/cryptodev.h>
39
40 #include <kgssapi/gssapi.h>
41 #include <kgssapi/gssapi_impl.h>
42
43 #include "kcrypto.h"
44
45 #define DES3_FLAGS (CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE)
46
47 struct des3_state {
48 struct mtx ds_lock;
49 uint64_t ds_session;
50 };
51
52 static void
des3_init(struct krb5_key_state * ks)53 des3_init(struct krb5_key_state *ks)
54 {
55 struct des3_state *ds;
56
57 ds = malloc(sizeof(struct des3_state), M_GSSAPI, M_WAITOK|M_ZERO);
58 mtx_init(&ds->ds_lock, "gss des3 lock", NULL, MTX_DEF);
59 ks->ks_priv = ds;
60 }
61
62 static void
des3_destroy(struct krb5_key_state * ks)63 des3_destroy(struct krb5_key_state *ks)
64 {
65 struct des3_state *ds = ks->ks_priv;
66
67 if (ds->ds_session)
68 crypto_freesession(ds->ds_session);
69 mtx_destroy(&ds->ds_lock);
70 free(ks->ks_priv, M_GSSAPI);
71 }
72
73 static void
des3_set_key(struct krb5_key_state * ks,const void * in)74 des3_set_key(struct krb5_key_state *ks, const void *in)
75 {
76 void *kp = ks->ks_key;
77 struct des3_state *ds = ks->ks_priv;
78 struct cryptoini cri[2];
79
80 if (kp != in)
81 bcopy(in, kp, ks->ks_class->ec_keylen);
82
83 if (ds->ds_session)
84 crypto_freesession(ds->ds_session);
85
86 bzero(cri, sizeof(cri));
87
88 cri[0].cri_alg = CRYPTO_SHA1_HMAC;
89 cri[0].cri_klen = 192;
90 cri[0].cri_mlen = 0;
91 cri[0].cri_key = ks->ks_key;
92 cri[0].cri_next = &cri[1];
93
94 cri[1].cri_alg = CRYPTO_3DES_CBC;
95 cri[1].cri_klen = 192;
96 cri[1].cri_mlen = 0;
97 cri[1].cri_key = ks->ks_key;
98 cri[1].cri_next = NULL;
99
100 crypto_newsession(&ds->ds_session, cri,
101 CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE);
102 }
103
104 static void
des3_random_to_key(struct krb5_key_state * ks,const void * in)105 des3_random_to_key(struct krb5_key_state *ks, const void *in)
106 {
107 uint8_t *outkey;
108 const uint8_t *inkey;
109 int subkey;
110
111 for (subkey = 0, outkey = ks->ks_key, inkey = in; subkey < 3;
112 subkey++, outkey += 8, inkey += 7) {
113 /*
114 * Expand 56 bits of random data to 64 bits as follows
115 * (in the example, bit number 1 is the MSB of the 56
116 * bits of random data):
117 *
118 * expanded =
119 * 1 2 3 4 5 6 7 p
120 * 9 10 11 12 13 14 15 p
121 * 17 18 19 20 21 22 23 p
122 * 25 26 27 28 29 30 31 p
123 * 33 34 35 36 37 38 39 p
124 * 41 42 43 44 45 46 47 p
125 * 49 50 51 52 53 54 55 p
126 * 56 48 40 32 24 16 8 p
127 */
128 outkey[0] = inkey[0];
129 outkey[1] = inkey[1];
130 outkey[2] = inkey[2];
131 outkey[3] = inkey[3];
132 outkey[4] = inkey[4];
133 outkey[5] = inkey[5];
134 outkey[6] = inkey[6];
135 outkey[7] = (((inkey[0] & 1) << 1)
136 | ((inkey[1] & 1) << 2)
137 | ((inkey[2] & 1) << 3)
138 | ((inkey[3] & 1) << 4)
139 | ((inkey[4] & 1) << 5)
140 | ((inkey[5] & 1) << 6)
141 | ((inkey[6] & 1) << 7));
142 des_set_odd_parity((des_cblock *) outkey);
143 if (des_is_weak_key((des_cblock *) outkey))
144 outkey[7] ^= 0xf0;
145 }
146
147 des3_set_key(ks, ks->ks_key);
148 }
149
150 static int
des3_crypto_cb(struct cryptop * crp)151 des3_crypto_cb(struct cryptop *crp)
152 {
153 int error;
154 struct des3_state *ds = (struct des3_state *) crp->crp_opaque;
155
156 if (CRYPTO_SESID2CAPS(ds->ds_session) & CRYPTOCAP_F_SYNC)
157 return (0);
158
159 error = crp->crp_etype;
160 if (error == EAGAIN)
161 error = crypto_dispatch(crp);
162 mtx_lock(&ds->ds_lock);
163 if (error || (crp->crp_flags & CRYPTO_F_DONE))
164 wakeup(crp);
165 mtx_unlock(&ds->ds_lock);
166
167 return (0);
168 }
169
170 static void
des3_encrypt_1(const struct krb5_key_state * ks,struct mbuf * inout,size_t skip,size_t len,void * ivec,int encdec)171 des3_encrypt_1(const struct krb5_key_state *ks, struct mbuf *inout,
172 size_t skip, size_t len, void *ivec, int encdec)
173 {
174 struct des3_state *ds = ks->ks_priv;
175 struct cryptop *crp;
176 struct cryptodesc *crd;
177 int error;
178
179 crp = crypto_getreq(1);
180 crd = crp->crp_desc;
181
182 crd->crd_skip = skip;
183 crd->crd_len = len;
184 crd->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT | encdec;
185 if (ivec) {
186 bcopy(ivec, crd->crd_iv, 8);
187 } else {
188 bzero(crd->crd_iv, 8);
189 }
190 crd->crd_next = NULL;
191 crd->crd_alg = CRYPTO_3DES_CBC;
192
193 crp->crp_sid = ds->ds_session;
194 crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC;
195 crp->crp_buf = (void *) inout;
196 crp->crp_opaque = (void *) ds;
197 crp->crp_callback = des3_crypto_cb;
198
199 error = crypto_dispatch(crp);
200
201 if ((CRYPTO_SESID2CAPS(ds->ds_session) & CRYPTOCAP_F_SYNC) == 0) {
202 mtx_lock(&ds->ds_lock);
203 if (!error && !(crp->crp_flags & CRYPTO_F_DONE))
204 error = msleep(crp, &ds->ds_lock, 0, "gssdes3", 0);
205 mtx_unlock(&ds->ds_lock);
206 }
207
208 crypto_freereq(crp);
209 }
210
211 static void
des3_encrypt(const struct krb5_key_state * ks,struct mbuf * inout,size_t skip,size_t len,void * ivec,size_t ivlen)212 des3_encrypt(const struct krb5_key_state *ks, struct mbuf *inout,
213 size_t skip, size_t len, void *ivec, size_t ivlen)
214 {
215
216 des3_encrypt_1(ks, inout, skip, len, ivec, CRD_F_ENCRYPT);
217 }
218
219 static void
des3_decrypt(const struct krb5_key_state * ks,struct mbuf * inout,size_t skip,size_t len,void * ivec,size_t ivlen)220 des3_decrypt(const struct krb5_key_state *ks, struct mbuf *inout,
221 size_t skip, size_t len, void *ivec, size_t ivlen)
222 {
223
224 des3_encrypt_1(ks, inout, skip, len, ivec, 0);
225 }
226
227 static void
des3_checksum(const struct krb5_key_state * ks,int usage,struct mbuf * inout,size_t skip,size_t inlen,size_t outlen)228 des3_checksum(const struct krb5_key_state *ks, int usage,
229 struct mbuf *inout, size_t skip, size_t inlen, size_t outlen)
230 {
231 struct des3_state *ds = ks->ks_priv;
232 struct cryptop *crp;
233 struct cryptodesc *crd;
234 int error;
235
236 crp = crypto_getreq(1);
237 crd = crp->crp_desc;
238
239 crd->crd_skip = skip;
240 crd->crd_len = inlen;
241 crd->crd_inject = skip + inlen;
242 crd->crd_flags = 0;
243 crd->crd_next = NULL;
244 crd->crd_alg = CRYPTO_SHA1_HMAC;
245
246 crp->crp_sid = ds->ds_session;
247 crp->crp_ilen = inlen;
248 crp->crp_olen = 20;
249 crp->crp_etype = 0;
250 crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC;
251 crp->crp_buf = (void *) inout;
252 crp->crp_opaque = (void *) ds;
253 crp->crp_callback = des3_crypto_cb;
254
255 error = crypto_dispatch(crp);
256
257 if ((CRYPTO_SESID2CAPS(ds->ds_session) & CRYPTOCAP_F_SYNC) == 0) {
258 mtx_lock(&ds->ds_lock);
259 if (!error && !(crp->crp_flags & CRYPTO_F_DONE))
260 error = msleep(crp, &ds->ds_lock, 0, "gssdes3", 0);
261 mtx_unlock(&ds->ds_lock);
262 }
263
264 crypto_freereq(crp);
265 }
266
267 struct krb5_encryption_class krb5_des3_encryption_class = {
268 "des3-cbc-sha1", /* name */
269 ETYPE_DES3_CBC_SHA1, /* etype */
270 EC_DERIVED_KEYS, /* flags */
271 8, /* blocklen */
272 8, /* msgblocklen */
273 20, /* checksumlen */
274 168, /* keybits */
275 24, /* keylen */
276 des3_init,
277 des3_destroy,
278 des3_set_key,
279 des3_random_to_key,
280 des3_encrypt,
281 des3_decrypt,
282 des3_checksum
283 };
284
285 #if 0
286 struct des3_dk_test {
287 uint8_t key[24];
288 uint8_t usage[8];
289 size_t usagelen;
290 uint8_t dk[24];
291 };
292 struct des3_dk_test tests[] = {
293 {{0xdc, 0xe0, 0x6b, 0x1f, 0x64, 0xc8, 0x57, 0xa1, 0x1c, 0x3d, 0xb5,
294 0x7c, 0x51, 0x89, 0x9b, 0x2c, 0xc1, 0x79, 0x10, 0x08, 0xce, 0x97,
295 0x3b, 0x92},
296 {0x00, 0x00, 0x00, 0x01, 0x55}, 5,
297 {0x92, 0x51, 0x79, 0xd0, 0x45, 0x91, 0xa7, 0x9b, 0x5d, 0x31, 0x92,
298 0xc4, 0xa7, 0xe9, 0xc2, 0x89, 0xb0, 0x49, 0xc7, 0x1f, 0x6e, 0xe6,
299 0x04, 0xcd}},
300
301 {{0x5e, 0x13, 0xd3, 0x1c, 0x70, 0xef, 0x76, 0x57, 0x46, 0x57, 0x85,
302 0x31, 0xcb, 0x51, 0xc1, 0x5b, 0xf1, 0x1c, 0xa8, 0x2c, 0x97, 0xce,
303 0xe9, 0xf2},
304 {0x00, 0x00, 0x00, 0x01, 0xaa}, 5,
305 {0x9e, 0x58, 0xe5, 0xa1, 0x46, 0xd9, 0x94, 0x2a, 0x10, 0x1c, 0x46,
306 0x98, 0x45, 0xd6, 0x7a, 0x20, 0xe3, 0xc4, 0x25, 0x9e, 0xd9, 0x13,
307 0xf2, 0x07}},
308
309 {{0x98, 0xe6, 0xfd, 0x8a, 0x04, 0xa4, 0xb6, 0x85, 0x9b, 0x75, 0xa1,
310 0x76, 0x54, 0x0b, 0x97, 0x52, 0xba, 0xd3, 0xec, 0xd6, 0x10, 0xa2,
311 0x52, 0xbc},
312 {0x00, 0x00, 0x00, 0x01, 0x55}, 5,
313 {0x13, 0xfe, 0xf8, 0x0d, 0x76, 0x3e, 0x94, 0xec, 0x6d, 0x13, 0xfd,
314 0x2c, 0xa1, 0xd0, 0x85, 0x07, 0x02, 0x49, 0xda, 0xd3, 0x98, 0x08,
315 0xea, 0xbf}},
316
317 {{0x62, 0x2a, 0xec, 0x25, 0xa2, 0xfe, 0x2c, 0xad, 0x70, 0x94, 0x68,
318 0x0b, 0x7c, 0x64, 0x94, 0x02, 0x80, 0x08, 0x4c, 0x1a, 0x7c, 0xec,
319 0x92, 0xb5},
320 {0x00, 0x00, 0x00, 0x01, 0xaa}, 5,
321 {0xf8, 0xdf, 0xbf, 0x04, 0xb0, 0x97, 0xe6, 0xd9, 0xdc, 0x07, 0x02,
322 0x68, 0x6b, 0xcb, 0x34, 0x89, 0xd9, 0x1f, 0xd9, 0xa4, 0x51, 0x6b,
323 0x70, 0x3e}},
324
325 {{0xd3, 0xf8, 0x29, 0x8c, 0xcb, 0x16, 0x64, 0x38, 0xdc, 0xb9, 0xb9,
326 0x3e, 0xe5, 0xa7, 0x62, 0x92, 0x86, 0xa4, 0x91, 0xf8, 0x38, 0xf8,
327 0x02, 0xfb},
328 {0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73}, 8,
329 {0x23, 0x70, 0xda, 0x57, 0x5d, 0x2a, 0x3d, 0xa8, 0x64, 0xce, 0xbf,
330 0xdc, 0x52, 0x04, 0xd5, 0x6d, 0xf7, 0x79, 0xa7, 0xdf, 0x43, 0xd9,
331 0xda, 0x43}},
332
333 {{0xc1, 0x08, 0x16, 0x49, 0xad, 0xa7, 0x43, 0x62, 0xe6, 0xa1, 0x45,
334 0x9d, 0x01, 0xdf, 0xd3, 0x0d, 0x67, 0xc2, 0x23, 0x4c, 0x94, 0x07,
335 0x04, 0xda},
336 {0x00, 0x00, 0x00, 0x01, 0x55}, 5,
337 {0x34, 0x80, 0x57, 0xec, 0x98, 0xfd, 0xc4, 0x80, 0x16, 0x16, 0x1c,
338 0x2a, 0x4c, 0x7a, 0x94, 0x3e, 0x92, 0xae, 0x49, 0x2c, 0x98, 0x91,
339 0x75, 0xf7}},
340
341 {{0x5d, 0x15, 0x4a, 0xf2, 0x38, 0xf4, 0x67, 0x13, 0x15, 0x57, 0x19,
342 0xd5, 0x5e, 0x2f, 0x1f, 0x79, 0x0d, 0xd6, 0x61, 0xf2, 0x79, 0xa7,
343 0x91, 0x7c},
344 {0x00, 0x00, 0x00, 0x01, 0xaa}, 5,
345 {0xa8, 0x80, 0x8a, 0xc2, 0x67, 0xda, 0xda, 0x3d, 0xcb, 0xe9, 0xa7,
346 0xc8, 0x46, 0x26, 0xfb, 0xc7, 0x61, 0xc2, 0x94, 0xb0, 0x13, 0x15,
347 0xe5, 0xc1}},
348
349 {{0x79, 0x85, 0x62, 0xe0, 0x49, 0x85, 0x2f, 0x57, 0xdc, 0x8c, 0x34,
350 0x3b, 0xa1, 0x7f, 0x2c, 0xa1, 0xd9, 0x73, 0x94, 0xef, 0xc8, 0xad,
351 0xc4, 0x43},
352 {0x00, 0x00, 0x00, 0x01, 0x55}, 5,
353 {0xc8, 0x13, 0xf8, 0x8a, 0x3b, 0xe3, 0xb3, 0x34, 0xf7, 0x54, 0x25,
354 0xce, 0x91, 0x75, 0xfb, 0xe3, 0xc8, 0x49, 0x3b, 0x89, 0xc8, 0x70,
355 0x3b, 0x49}},
356
357 {{0x26, 0xdc, 0xe3, 0x34, 0xb5, 0x45, 0x29, 0x2f, 0x2f, 0xea, 0xb9,
358 0xa8, 0x70, 0x1a, 0x89, 0xa4, 0xb9, 0x9e, 0xb9, 0x94, 0x2c, 0xec,
359 0xd0, 0x16},
360 {0x00, 0x00, 0x00, 0x01, 0xaa}, 5,
361 {0xf4, 0x8f, 0xfd, 0x6e, 0x83, 0xf8, 0x3e, 0x73, 0x54, 0xe6, 0x94,
362 0xfd, 0x25, 0x2c, 0xf8, 0x3b, 0xfe, 0x58, 0xf7, 0xd5, 0xba, 0x37,
363 0xec, 0x5d}},
364 };
365 #define N_TESTS (sizeof(tests) / sizeof(tests[0]))
366
367 int
368 main(int argc, char **argv)
369 {
370 struct krb5_key_state *key, *dk;
371 uint8_t *dkp;
372 int j, i;
373
374 for (j = 0; j < N_TESTS; j++) {
375 struct des3_dk_test *t = &tests[j];
376 key = krb5_create_key(&des3_encryption_class);
377 krb5_set_key(key, t->key);
378 dk = krb5_derive_key(key, t->usage, t->usagelen);
379 krb5_free_key(key);
380 if (memcmp(dk->ks_key, t->dk, 24)) {
381 printf("DES3 dk(");
382 for (i = 0; i < 24; i++)
383 printf("%02x", t->key[i]);
384 printf(", ");
385 for (i = 0; i < t->usagelen; i++)
386 printf("%02x", t->usage[i]);
387 printf(") failed\n");
388 printf("should be: ");
389 for (i = 0; i < 24; i++)
390 printf("%02x", t->dk[i]);
391 printf("\n result was: ");
392 dkp = dk->ks_key;
393 for (i = 0; i < 24; i++)
394 printf("%02x", dkp[i]);
395 printf("\n");
396 }
397 krb5_free_key(dk);
398 }
399
400 return (0);
401 }
402 #endif
403