1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /* lib/crypto/krb/enc_dk_hmac.c */
4 * Copyright 2008, 2009 by the Massachusetts Institute of Technology.
7 * Export of this software from the United States of America may
8 * require a specific license from the United States Government.
9 * It is the responsibility of any person or organization contemplating
10 * export to obtain such a license before exporting.
12 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
13 * distribute this software and its documentation for any purpose and
14 * without fee is hereby granted, provided that the above copyright
15 * notice appear in all copies and that both that copyright notice and
16 * this permission notice appear in supporting documentation, and that
17 * the name of M.I.T. not be used in advertising or publicity pertaining
18 * to distribution of the software without specific, written prior
19 * permission. Furthermore if you modify this software you must label
20 * your software as modified software and not distribute it in such a
21 * fashion that it might be confused with the original M.I.T. software.
22 * M.I.T. makes no representations about the suitability of
23 * this software for any purpose. It is provided "as is" without express
24 * or implied warranty.
28 #include "crypto_int.h"
30 #define K5CLENGTH 5 /* 32 bit net byte order integer + one byte seed */
35 krb5int_dk_crypto_length(const struct krb5_keytypes *ktp, krb5_cryptotype type)
38 case KRB5_CRYPTO_TYPE_HEADER:
39 case KRB5_CRYPTO_TYPE_PADDING:
40 return ktp->enc->block_size;
41 case KRB5_CRYPTO_TYPE_TRAILER:
42 case KRB5_CRYPTO_TYPE_CHECKSUM:
43 return ktp->hash->hashsize;
45 assert(0 && "invalid cryptotype passed to krb5int_dk_crypto_length");
51 krb5int_aes_crypto_length(const struct krb5_keytypes *ktp,
55 case KRB5_CRYPTO_TYPE_HEADER:
56 return ktp->enc->block_size;
57 case KRB5_CRYPTO_TYPE_PADDING:
59 case KRB5_CRYPTO_TYPE_TRAILER:
60 case KRB5_CRYPTO_TYPE_CHECKSUM:
63 assert(0 && "invalid cryptotype passed to krb5int_aes_crypto_length");
69 krb5int_dk_encrypt(const struct krb5_keytypes *ktp, krb5_key key,
70 krb5_keyusage usage, const krb5_data *ivec,
71 krb5_crypto_iov *data, size_t num_data)
73 const struct krb5_enc_provider *enc = ktp->enc;
74 const struct krb5_hash_provider *hash = ktp->hash;
76 unsigned char constantdata[K5CLENGTH];
78 krb5_crypto_iov *header, *trailer, *padding;
79 krb5_key ke = NULL, ki = NULL;
81 unsigned int blocksize, hmacsize, plainlen = 0, padsize = 0;
82 unsigned char *cksum = NULL;
84 /* E(Confounder | Plaintext | Pad) | Checksum */
86 blocksize = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_PADDING);
87 hmacsize = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_TRAILER);
89 for (i = 0; i < num_data; i++) {
90 krb5_crypto_iov *iov = &data[i];
92 if (iov->flags == KRB5_CRYPTO_TYPE_DATA)
93 plainlen += iov->data.length;
96 /* Validate header and trailer lengths. */
98 header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
99 if (header == NULL || header->data.length < enc->block_size)
100 return KRB5_BAD_MSIZE;
102 trailer = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
103 if (trailer == NULL || trailer->data.length < hmacsize)
104 return KRB5_BAD_MSIZE;
106 if (blocksize != 0) {
107 /* Check that the input data is correctly padded. */
108 if (plainlen % blocksize)
109 padsize = blocksize - (plainlen % blocksize);
112 padding = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_PADDING);
113 if (padsize && (padding == NULL || padding->data.length < padsize))
114 return KRB5_BAD_MSIZE;
116 if (padding != NULL) {
117 memset(padding->data.data, 0, padsize);
118 padding->data.length = padsize;
121 cksum = k5alloc(hash->hashsize, &ret);
125 /* Derive the keys. */
127 d1.data = (char *)constantdata;
128 d1.length = K5CLENGTH;
130 store_32_be(usage, constantdata);
134 ret = krb5int_derive_key(enc, key, &ke, &d1, DERIVE_RFC3961);
140 ret = krb5int_derive_key(enc, key, &ki, &d1, DERIVE_RFC3961);
144 /* Generate confounder. */
146 header->data.length = enc->block_size;
148 ret = krb5_c_random_make_octets(/* XXX */ NULL, &header->data);
152 /* Hash the plaintext. */
153 d2.length = hash->hashsize;
154 d2.data = (char *)cksum;
156 ret = krb5int_hmac(hash, ki, data, num_data, &d2);
160 /* Encrypt the plaintext (header | data | padding) */
161 ret = enc->encrypt(ke, ivec, data, num_data);
165 /* Possibly truncate the hash */
166 assert(hmacsize <= d2.length);
168 memcpy(trailer->data.data, cksum, hmacsize);
169 trailer->data.length = hmacsize;
172 krb5_k_free_key(NULL, ke);
173 krb5_k_free_key(NULL, ki);
179 krb5int_dk_decrypt(const struct krb5_keytypes *ktp, krb5_key key,
180 krb5_keyusage usage, const krb5_data *ivec,
181 krb5_crypto_iov *data, size_t num_data)
183 const struct krb5_enc_provider *enc = ktp->enc;
184 const struct krb5_hash_provider *hash = ktp->hash;
186 unsigned char constantdata[K5CLENGTH];
188 krb5_crypto_iov *header, *trailer;
189 krb5_key ke = NULL, ki = NULL;
191 unsigned int blocksize; /* enc block size, not confounder len */
192 unsigned int hmacsize, cipherlen = 0;
193 unsigned char *cksum = NULL;
195 /* E(Confounder | Plaintext | Pad) | Checksum */
197 blocksize = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_PADDING);
198 hmacsize = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_TRAILER);
200 if (blocksize != 0) {
201 /* Check that the input data is correctly padded. */
202 for (i = 0; i < num_data; i++) {
203 const krb5_crypto_iov *iov = &data[i];
205 if (ENCRYPT_DATA_IOV(iov))
206 cipherlen += iov->data.length;
208 if (cipherlen % blocksize != 0)
209 return KRB5_BAD_MSIZE;
212 /* Validate header and trailer lengths */
214 header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
215 if (header == NULL || header->data.length != enc->block_size)
216 return KRB5_BAD_MSIZE;
218 trailer = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
219 if (trailer == NULL || trailer->data.length != hmacsize)
220 return KRB5_BAD_MSIZE;
222 cksum = k5alloc(hash->hashsize, &ret);
226 /* Derive the keys. */
228 d1.data = (char *)constantdata;
229 d1.length = K5CLENGTH;
231 store_32_be(usage, constantdata);
235 ret = krb5int_derive_key(enc, key, &ke, &d1, DERIVE_RFC3961);
241 ret = krb5int_derive_key(enc, key, &ki, &d1, DERIVE_RFC3961);
245 /* Decrypt the plaintext (header | data | padding). */
246 ret = enc->decrypt(ke, ivec, data, num_data);
250 /* Verify the hash. */
251 d1.length = hash->hashsize; /* non-truncated length */
252 d1.data = (char *)cksum;
254 ret = krb5int_hmac(hash, ki, data, num_data, &d1);
258 /* Compare only the possibly truncated length. */
259 if (memcmp(cksum, trailer->data.data, hmacsize) != 0) {
260 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
265 krb5_k_free_key(NULL, ke);
266 krb5_k_free_key(NULL, ki);