/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* lib/crypto/krb/enc_dk_hmac.c */
/*
* Copyright 2008, 2009 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
* fashion that it might be confused with the original M.I.T. software.
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*/
#include "crypto_int.h"
#define K5CLENGTH 5 /* 32 bit net byte order integer + one byte seed */
/* AEAD */
unsigned int
krb5int_dk_crypto_length(const struct krb5_keytypes *ktp, krb5_cryptotype type)
{
switch (type) {
case KRB5_CRYPTO_TYPE_HEADER:
case KRB5_CRYPTO_TYPE_PADDING:
return ktp->enc->block_size;
case KRB5_CRYPTO_TYPE_TRAILER:
case KRB5_CRYPTO_TYPE_CHECKSUM:
return ktp->hash->hashsize;
default:
assert(0 && "invalid cryptotype passed to krb5int_dk_crypto_length");
return 0;
}
}
unsigned int
krb5int_aes_crypto_length(const struct krb5_keytypes *ktp,
krb5_cryptotype type)
{
switch (type) {
case KRB5_CRYPTO_TYPE_HEADER:
return ktp->enc->block_size;
case KRB5_CRYPTO_TYPE_PADDING:
return 0;
case KRB5_CRYPTO_TYPE_TRAILER:
case KRB5_CRYPTO_TYPE_CHECKSUM:
return 96 / 8;
default:
assert(0 && "invalid cryptotype passed to krb5int_aes_crypto_length");
return 0;
}
}
krb5_error_code
krb5int_dk_encrypt(const struct krb5_keytypes *ktp, krb5_key key,
krb5_keyusage usage, const krb5_data *ivec,
krb5_crypto_iov *data, size_t num_data)
{
const struct krb5_enc_provider *enc = ktp->enc;
const struct krb5_hash_provider *hash = ktp->hash;
krb5_error_code ret;
unsigned char constantdata[K5CLENGTH];
krb5_data d1, d2;
krb5_crypto_iov *header, *trailer, *padding;
krb5_key ke = NULL, ki = NULL;
size_t i;
unsigned int blocksize, hmacsize, plainlen = 0, padsize = 0;
unsigned char *cksum = NULL;
/* E(Confounder | Plaintext | Pad) | Checksum */
blocksize = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_PADDING);
hmacsize = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_TRAILER);
for (i = 0; i < num_data; i++) {
krb5_crypto_iov *iov = &data[i];
if (iov->flags == KRB5_CRYPTO_TYPE_DATA)
plainlen += iov->data.length;
}
/* Validate header and trailer lengths. */
header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
if (header == NULL || header->data.length < enc->block_size)
return KRB5_BAD_MSIZE;
trailer = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
if (trailer == NULL || trailer->data.length < hmacsize)
return KRB5_BAD_MSIZE;
if (blocksize != 0) {
/* Check that the input data is correctly padded. */
if (plainlen % blocksize)
padsize = blocksize - (plainlen % blocksize);
}
padding = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_PADDING);
if (padsize && (padding == NULL || padding->data.length < padsize))
return KRB5_BAD_MSIZE;
if (padding != NULL) {
memset(padding->data.data, 0, padsize);
padding->data.length = padsize;
}
cksum = k5alloc(hash->hashsize, &ret);
if (ret != 0)
goto cleanup;
/* Derive the keys. */
d1.data = (char *)constantdata;
d1.length = K5CLENGTH;
store_32_be(usage, constantdata);
d1.data[4] = 0xAA;
ret = krb5int_derive_key(enc, NULL, key, &ke, &d1, DERIVE_RFC3961);
if (ret != 0)
goto cleanup;
d1.data[4] = 0x55;
ret = krb5int_derive_key(enc, NULL, key, &ki, &d1, DERIVE_RFC3961);
if (ret != 0)
goto cleanup;
/* Generate confounder. */
header->data.length = enc->block_size;
ret = krb5_c_random_make_octets(/* XXX */ NULL, &header->data);
if (ret != 0)
goto cleanup;
/* Hash the plaintext. */
d2.length = hash->hashsize;
d2.data = (char *)cksum;
ret = krb5int_hmac(hash, ki, data, num_data, &d2);
if (ret != 0)
goto cleanup;
/* Encrypt the plaintext (header | data | padding) */
ret = enc->encrypt(ke, ivec, data, num_data);
if (ret != 0)
goto cleanup;
/* Possibly truncate the hash */
assert(hmacsize <= d2.length);
memcpy(trailer->data.data, cksum, hmacsize);
trailer->data.length = hmacsize;
cleanup:
krb5_k_free_key(NULL, ke);
krb5_k_free_key(NULL, ki);
free(cksum);
return ret;
}
krb5_error_code
krb5int_dk_decrypt(const struct krb5_keytypes *ktp, krb5_key key,
krb5_keyusage usage, const krb5_data *ivec,
krb5_crypto_iov *data, size_t num_data)
{
const struct krb5_enc_provider *enc = ktp->enc;
const struct krb5_hash_provider *hash = ktp->hash;
krb5_error_code ret;
unsigned char constantdata[K5CLENGTH];
krb5_data d1;
krb5_crypto_iov *header, *trailer;
krb5_key ke = NULL, ki = NULL;
size_t i;
unsigned int blocksize; /* enc block size, not confounder len */
unsigned int hmacsize, cipherlen = 0;
unsigned char *cksum = NULL;
/* E(Confounder | Plaintext | Pad) | Checksum */
blocksize = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_PADDING);
hmacsize = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_TRAILER);
if (blocksize != 0) {
/* Check that the input data is correctly padded. */
for (i = 0; i < num_data; i++) {
const krb5_crypto_iov *iov = &data[i];
if (ENCRYPT_DATA_IOV(iov))
cipherlen += iov->data.length;
}
if (cipherlen % blocksize != 0)
return KRB5_BAD_MSIZE;
}
/* Validate header and trailer lengths */
header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
if (header == NULL || header->data.length != enc->block_size)
return KRB5_BAD_MSIZE;
trailer = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
if (trailer == NULL || trailer->data.length != hmacsize)
return KRB5_BAD_MSIZE;
cksum = k5alloc(hash->hashsize, &ret);
if (ret != 0)
goto cleanup;
/* Derive the keys. */
d1.data = (char *)constantdata;
d1.length = K5CLENGTH;
store_32_be(usage, constantdata);
d1.data[4] = 0xAA;
ret = krb5int_derive_key(enc, NULL, key, &ke, &d1, DERIVE_RFC3961);
if (ret != 0)
goto cleanup;
d1.data[4] = 0x55;
ret = krb5int_derive_key(enc, NULL, key, &ki, &d1, DERIVE_RFC3961);
if (ret != 0)
goto cleanup;
/* Decrypt the plaintext (header | data | padding). */
ret = enc->decrypt(ke, ivec, data, num_data);
if (ret != 0)
goto cleanup;
/* Verify the hash. */
d1.length = hash->hashsize; /* non-truncated length */
d1.data = (char *)cksum;
ret = krb5int_hmac(hash, ki, data, num_data, &d1);
if (ret != 0)
goto cleanup;
/* Compare only the possibly truncated length. */
if (k5_bcmp(cksum, trailer->data.data, hmacsize) != 0) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
goto cleanup;
}
cleanup:
krb5_k_free_key(NULL, ke);
krb5_k_free_key(NULL, ki);
free(cksum);
return ret;
}