/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */

/*

 * Copyright (C) 1998 by the FundsXpress, INC.

 *

 * All rights reserved.

 *

 * Export of this software from the United States of America may require

 * a specific license from the United States Government.  It is the

 * responsibility of any person or organization contemplating export to

 * obtain such a license before exporting.

 *

 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and

 * distribute this software and its documentation for any purpose and

 * without fee is hereby granted, provided that the above copyright

 * notice appear in all copies and that both that copyright notice and

 * this permission notice appear in supporting documentation, and that

 * the name of FundsXpress. not be used in advertising or publicity pertaining

 * to distribution of the software without specific, written prior

 * permission.  FundsXpress makes no representations about the suitability of

 * this software for any purpose.  It is provided "as is" without express

 * or implied warranty.

 *

 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR

 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED

 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

 */

#include "crypto_int.h"

static krb5_key

find_cached_dkey(struct derived_key *list, const krb5_data *constant)

{

    for (; list; list = list->next) {

        if (data_eq(list->constant, *constant)) {

            krb5_k_reference_key(NULL, list->dkey);

            return list->dkey;

        }

    }

    return NULL;

}

static krb5_error_code

add_cached_dkey(krb5_key key, const krb5_data *constant,

                const krb5_keyblock *dkeyblock, krb5_key *cached_dkey)

{

    krb5_key dkey;

    krb5_error_code ret;

    struct derived_key *dkent = NULL;

    char *data = NULL;

    /* Allocate fields for the new entry. */

    dkent = malloc(sizeof(*dkent));

    if (dkent == NULL)

        goto cleanup;

    data = k5memdup(constant->data, constant->length, &ret;;

    if (data == NULL)

        goto cleanup;

    ret = krb5_k_create_key(NULL, dkeyblock, &dkey);

    if (ret != 0)

        goto cleanup;

    /* Add the new entry to the list. */

    dkent->dkey = dkey;

    dkent->constant.data = data;

    dkent->constant.length = constant->length;

    dkent->next = key->derived;

    key->derived = dkent;

    /* Return a "copy" of the cached key. */

    krb5_k_reference_key(NULL, dkey);

    *cached_dkey = dkey;

    return 0;

cleanup:

    free(dkent);

    free(data);

    return ENOMEM;

}

static krb5_error_code

derive_random_rfc3961(const struct krb5_enc_provider *enc,

                      krb5_key inkey, krb5_data *outrnd,

                      const krb5_data *in_constant)

{

    size_t blocksize, keybytes, n;

    krb5_error_code ret;

    krb5_data block = empty_data();

    blocksize = enc->block_size;

    keybytes = enc->keybytes;

    if (blocksize == 1)

        return KRB5_BAD_ENCTYPE;

    if (inkey->keyblock.length != enc->keylength || outrnd->length != keybytes)

        return KRB5_CRYPTO_INTERNAL;

    /* Allocate encryption data buffer. */

    ret = alloc_data(&block, blocksize);

    if (ret)

        return ret;

    /* Initialize the input block. */

    if (in_constant->length == blocksize) {

        memcpy(block.data, in_constant->data, blocksize);

    } else {

        krb5int_nfold(in_constant->length * 8,

                      (unsigned char *) in_constant->data,

                      blocksize * 8, (unsigned char *) block.data);

    }

    /* Loop encrypting the blocks until enough key bytes are generated. */

    n = 0;

    while (n < keybytes) {

        ret = encrypt_block(enc, inkey, &block);

        if (ret)

            goto cleanup;

        if ((keybytes - n) <= blocksize) {

            memcpy(outrnd->data + n, block.data, (keybytes - n));

            break;

        }

        memcpy(outrnd->data + n, block.data, blocksize);

        n += blocksize;

    }

cleanup:

    zapfree(block.data, blocksize);

    return ret;

}

/*

 * NIST SP800-108 KDF in feedback mode (section 5.2).

 * Parameters:

 *   - CMAC (with enc as the enc provider) is the PRF.

 *   - A block counter of four bytes is used.

 *   - Label is the key derivation constant.

 *   - Context is empty.

 *   - Four bytes are used to encode the output length in the PRF input.

 */

static krb5_error_code

derive_random_sp800_108_feedback_cmac(const struct krb5_enc_provider *enc,

                                      krb5_key inkey, krb5_data *outrnd,

                                      const krb5_data *in_constant)

{

    size_t blocksize, keybytes, n;

    krb5_crypto_iov iov[6];

    krb5_error_code ret;

    krb5_data prf;

    unsigned int i;

    unsigned char ibuf[4], Lbuf[4];

    blocksize = enc->block_size;

    keybytes = enc->keybytes;

    if (inkey->keyblock.length != enc->keylength || outrnd->length != keybytes)

        return KRB5_CRYPTO_INTERNAL;

    /* Allocate encryption data buffer. */

    ret = alloc_data(&prf, blocksize);

    if (ret)

        return ret;

    /* K(i-1): the previous block of PRF output, initially all-zeros. */

    iov[0].flags = KRB5_CRYPTO_TYPE_DATA;

    iov[0].data = prf;

    /* [i]2: four-byte big-endian binary string giving the block counter */

    iov[1].flags = KRB5_CRYPTO_TYPE_DATA;

    iov[1].data = make_data(ibuf, sizeof(ibuf));

    /* Label: the fixed derived-key input */

    iov[2].flags = KRB5_CRYPTO_TYPE_DATA;

    iov[2].data = *in_constant;

    /* 0x00: separator byte */

    iov[3].flags = KRB5_CRYPTO_TYPE_DATA;

    iov[3].data = make_data("", 1);

    /* Context: (unused) */

    iov[4].flags = KRB5_CRYPTO_TYPE_DATA;

    iov[4].data = empty_data();

    /* [L]2: four-byte big-endian binary string giving the output length */

    iov[5].flags = KRB5_CRYPTO_TYPE_DATA;

    iov[5].data = make_data(Lbuf, sizeof(Lbuf));

    store_32_be(outrnd->length * 8, Lbuf);

    for (i = 1, n = 0; n < keybytes; i++) {

        /* Update the block counter. */

        store_32_be(i, ibuf);

        /* Compute a CMAC checksum, storing the result into K(i-1). */

        ret = krb5int_cmac_checksum(enc, inkey, iov, 6, &prf;;

        if (ret)

            goto cleanup;

        /* Copy the result into the appropriate part of the output buffer. */

        if (keybytes - n <= blocksize) {

            memcpy(outrnd->data + n, prf.data, keybytes - n);

            break;

        }

        memcpy(outrnd->data + n, prf.data, blocksize);

        n += blocksize;

    }

cleanup:

    zapfree(prf.data, blocksize);

    return ret;

}

/*

 * NIST SP800-108 KDF in counter mode (section 5.1).

 * Parameters:

 *   - HMAC (with hash as the hash provider) is the PRF.

 *   - A block counter of four bytes is used.

 *   - Four bytes are used to encode the output length in the PRF input.

 *

 * There are no uses requiring more than a single PRF invocation.

 */

krb5_error_code

k5_sp800_108_counter_hmac(const struct krb5_hash_provider *hash,

                          krb5_key inkey, krb5_data *outrnd,

                          const krb5_data *label, const krb5_data *context)

{

    krb5_crypto_iov iov[5];

    krb5_error_code ret;

    krb5_data prf;

    unsigned char ibuf[4], lbuf[4];

    if (hash == NULL || outrnd->length > hash->hashsize)

        return KRB5_CRYPTO_INTERNAL;

    /* Allocate encryption data buffer. */

    ret = alloc_data(&prf, hash->hashsize);

    if (ret)

        return ret;

    /* [i]2: four-byte big-endian binary string giving the block counter (1) */

    iov[0].flags = KRB5_CRYPTO_TYPE_DATA;

    iov[0].data = make_data(ibuf, sizeof(ibuf));

    store_32_be(1, ibuf);

    /* Label */

    iov[1].flags = KRB5_CRYPTO_TYPE_DATA;

    iov[1].data = *label;

    /* 0x00: separator byte */

    iov[2].flags = KRB5_CRYPTO_TYPE_DATA;

    iov[2].data = make_data("", 1);

    /* Context */

    iov[3].flags = KRB5_CRYPTO_TYPE_DATA;

    iov[3].data = *context;

    /* [L]2: four-byte big-endian binary string giving the output length */

    iov[4].flags = KRB5_CRYPTO_TYPE_DATA;

    iov[4].data = make_data(lbuf, sizeof(lbuf));

    store_32_be(outrnd->length * 8, lbuf);

    ret = krb5int_hmac(hash, inkey, iov, 5, &prf;;

    if (!ret)

        memcpy(outrnd->data, prf.data, outrnd->length);

    zapfree(prf.data, prf.length);

    return ret;

}

krb5_error_code

krb5int_derive_random(const struct krb5_enc_provider *enc,

                      const struct krb5_hash_provider *hash,

                      krb5_key inkey, krb5_data *outrnd,

                      const krb5_data *in_constant, enum deriv_alg alg)

{

    krb5_data empty = empty_data();

    switch (alg) {

    case DERIVE_RFC3961:

        return derive_random_rfc3961(enc, inkey, outrnd, in_constant);

    case DERIVE_SP800_108_CMAC:

        return derive_random_sp800_108_feedback_cmac(enc, inkey, outrnd,

                                                     in_constant);

    case DERIVE_SP800_108_HMAC:

        return k5_sp800_108_counter_hmac(hash, inkey, outrnd, in_constant,

                                         &empty);

    default:

        return EINVAL;

    }

}

/*

 * Compute a derived key into the keyblock outkey.  This variation on

 * krb5int_derive_key does not cache the result, as it is only used

 * directly in situations which are not expected to be repeated with

 * the same inkey and constant.

 */

krb5_error_code

krb5int_derive_keyblock(const struct krb5_enc_provider *enc,

                        const struct krb5_hash_provider *hash,

                        krb5_key inkey, krb5_keyblock *outkey,

                        const krb5_data *in_constant, enum deriv_alg alg)

{

    krb5_error_code ret;

    krb5_data rawkey = empty_data();

    /* Allocate a buffer for the raw key bytes. */

    ret = alloc_data(&rawkey, enc->keybytes);

    if (ret)

        goto cleanup;

    /* Derive pseudo-random data for the key bytes. */

    ret = krb5int_derive_random(enc, hash, inkey, &rawkey, in_constant, alg);

    if (ret)

        goto cleanup;

    /* Postprocess the key. */

    ret = krb5_c_random_to_key(NULL, inkey->keyblock.enctype, &rawkey, outkey);

cleanup:

    zapfree(rawkey.data, enc->keybytes);

    return ret;

}

krb5_error_code

krb5int_derive_key(const struct krb5_enc_provider *enc,

                   const struct krb5_hash_provider *hash,

                   krb5_key inkey, krb5_key *outkey,

                   const krb5_data *in_constant, enum deriv_alg alg)

{

    krb5_keyblock keyblock;

    krb5_error_code ret;

    krb5_key dkey;

    *outkey = NULL;

    /* Check for a cached result. */

    dkey = find_cached_dkey(inkey->derived, in_constant);

    if (dkey != NULL) {

        *outkey = dkey;

        return 0;

    }

    /* Derive into a temporary keyblock. */

    keyblock.length = enc->keylength;

    keyblock.contents = malloc(keyblock.length);

    keyblock.enctype = inkey->keyblock.enctype;

    if (keyblock.contents == NULL)

        return ENOMEM;

    ret = krb5int_derive_keyblock(enc, hash, inkey, &keyblock, in_constant,

                                  alg);

    if (ret)

        goto cleanup;

    /* Cache the derived key. */

    ret = add_cached_dkey(inkey, in_constant, &keyblock, &dkey);

    if (ret != 0)

        goto cleanup;

    *outkey = dkey;

cleanup:

    zapfree(keyblock.contents, keyblock.length);

    return ret;

}