krb5_error_code
krb5int_derive_key(const struct krb5_enc_provider *enc,
krb5_key inkey, krb5_key *outkey,
const krb5_data *in_constant)
{
krb5_keyblock keyblock;
krb5_error_code ret;
krb5_key dkey;
*outkey = NULL;
/* Check for a cached result. */
dkey = find_cached_dkey(inkey->derived, in_constant);
if (dkey != NULL) {
*outkey = dkey;
return 0;
}
/* Derive into a temporary keyblock. */
keyblock.length = enc->keylength;
keyblock.contents = malloc(keyblock.length);
/* Set the enctype as the krb5_k_free_key will iterate over list
or derived keys and invoke krb5_k_free_key which will lookup
the enctype for key_cleanup handler */
keyblock.enctype = inkey->keyblock.enctype;
if (keyblock.contents == NULL)
return ENOMEM;
ret = krb5int_derive_keyblock(enc, inkey, &keyblock, in_constant);
if (ret)
goto cleanup;
/* Cache the derived key. */
ret = add_cached_dkey(inkey, in_constant, &keyblock, &dkey);
if (ret != 0)
goto cleanup;
*outkey = dkey;
cleanup:
zapfree(keyblock.contents, keyblock.length);
return ret;
}
krb5_error_code
krb5int_derive_key(const struct krb5_enc_provider *enc,
krb5_key inkey, krb5_key *outkey,
const krb5_data *in_constant, enum deriv_alg alg)
{
krb5_keyblock keyblock;
krb5_error_code ret;
krb5_key dkey;
*outkey = NULL;
/* Check for a cached result. */
dkey = find_cached_dkey(inkey->derived, in_constant);
if (dkey != NULL) {
*outkey = dkey;
return 0;
}
/* Derive into a temporary keyblock. */
keyblock.length = enc->keylength;
keyblock.contents = malloc(keyblock.length);
keyblock.enctype = inkey->keyblock.enctype;
if (keyblock.contents == NULL)
return ENOMEM;
ret = krb5int_derive_keyblock(enc, inkey, &keyblock, in_constant, alg);
if (ret)
goto cleanup;
/* Cache the derived key. */
ret = add_cached_dkey(inkey, in_constant, &keyblock, &dkey);
if (ret != 0)
goto cleanup;
*outkey = dkey;
cleanup:
zapfree(keyblock.contents, keyblock.length);
return ret;
}
krb5_error_code
krb5int_dk_string_to_key(const struct krb5_keytypes *ktp,
const krb5_data *string, const krb5_data *salt,
const krb5_data *parms, krb5_keyblock *keyblock)
{
krb5_error_code ret;
size_t keybytes, keylength, concatlen;
unsigned char *concat = NULL, *foldstring = NULL, *foldkeydata = NULL;
krb5_data indata;
krb5_keyblock foldkeyblock;
krb5_key foldkey = NULL;
/* keyblock->length is checked by krb5int_derive_key. */
keybytes = ktp->enc->keybytes;
keylength = ktp->enc->keylength;
concatlen = string->length + salt->length;
concat = k5alloc(concatlen, &ret);
if (ret != 0)
goto cleanup;
foldstring = k5alloc(keybytes, &ret);
if (ret != 0)
goto cleanup;
foldkeydata = k5alloc(keylength, &ret);
if (ret != 0)
goto cleanup;
/* construct input string ( = string + salt), fold it, make_key it */
if (string->length > 0)
memcpy(concat, string->data, string->length);
if (salt->length > 0)
memcpy(concat + string->length, salt->data, salt->length);
krb5int_nfold(concatlen*8, concat, keybytes*8, foldstring);
indata.length = keybytes;
indata.data = (char *) foldstring;
foldkeyblock.length = keylength;
foldkeyblock.contents = foldkeydata;
foldkeyblock.enctype = ktp->etype;
ret = ktp->rand2key(&indata, &foldkeyblock);
if (ret != 0)
goto cleanup;
ret = krb5_k_create_key(NULL, &foldkeyblock, &foldkey);
if (ret != 0)
goto cleanup;
/* now derive the key from this one */
indata.length = kerberos_len;
indata.data = (char *) kerberos;
ret = krb5int_derive_keyblock(ktp->enc, NULL, foldkey, keyblock, &indata,
DERIVE_RFC3961);
if (ret != 0)
memset(keyblock->contents, 0, keyblock->length);
cleanup:
zapfree(concat, concatlen);
zapfree(foldstring, keybytes);
zapfree(foldkeydata, keylength);
krb5_k_free_key(NULL, foldkey);
return ret;
}
static krb5_error_code
pbkdf2_string_to_key(const struct krb5_keytypes *ktp, const krb5_data *string,
const krb5_data *salt, const krb5_data *pepper,
const krb5_data *params, krb5_keyblock *key,
enum deriv_alg deriv_alg, unsigned long def_iter_count)
{
const struct krb5_hash_provider *hash;
unsigned long iter_count;
krb5_data out;
static const krb5_data usage = { KV5M_DATA, 8, "kerberos" };
krb5_key tempkey = NULL;
krb5_error_code err;
krb5_data sandp = empty_data();
if (params) {
unsigned char *p = (unsigned char *) params->data;
if (params->length != 4)
return KRB5_ERR_BAD_S2K_PARAMS;
iter_count = load_32_be(p);
/* Zero means 2^32, which is way above what we will accept. Also don't
* accept values less than the default, unless we're running tests. */
if (iter_count == 0 ||
(!k5_allow_weak_pbkdf2iter && iter_count < def_iter_count))
return KRB5_ERR_BAD_S2K_PARAMS;
} else
iter_count = def_iter_count;
/* This is not a protocol specification constraint; this is an
implementation limit, which should eventually be controlled by
a config file. */
if (iter_count >= MAX_ITERATION_COUNT)
return KRB5_ERR_BAD_S2K_PARAMS;
/* Use the output keyblock contents for temporary space. */
out.data = (char *) key->contents;
out.length = key->length;
if (out.length != 16 && out.length != 32)
return KRB5_CRYPTO_INTERNAL;
if (pepper != NULL) {
err = alloc_data(&sandp, pepper->length + 1 + salt->length);
if (err)
return err;
if (pepper->length > 0)
memcpy(sandp.data, pepper->data, pepper->length);
sandp.data[pepper->length] = '\0';
if (salt->length > 0)
memcpy(&sandp.data[pepper->length + 1], salt->data, salt->length);
salt = &sandp;
}
hash = (ktp->hash != NULL) ? ktp->hash : &krb5int_hash_sha1;
err = krb5int_pbkdf2_hmac(hash, &out, iter_count, string, salt);
if (err)
goto cleanup;
err = krb5_k_create_key (NULL, key, &tempkey);
if (err)
goto cleanup;
err = krb5int_derive_keyblock(ktp->enc, ktp->hash, tempkey, key, &usage,
deriv_alg);
cleanup:
if (sandp.data)
free(sandp.data);
if (err)
memset (out.data, 0, out.length);
krb5_k_free_key (NULL, tempkey);
return err;
}
krb5_error_code
krb5int_c_combine_keys(krb5_context context, krb5_keyblock *key1,
krb5_keyblock *key2, krb5_keyblock *outkey)
{
unsigned char *r1 = NULL, *r2 = NULL, *combined = NULL, *rnd = NULL;
unsigned char *output = NULL;
size_t keybytes, keylength;
const struct krb5_enc_provider *enc;
krb5_data input, randbits;
krb5_keyblock tkeyblock;
krb5_key tkey = NULL;
krb5_error_code ret;
const struct krb5_keytypes *ktp;
krb5_boolean myalloc = FALSE;
if (!enctype_ok(key1->enctype) || !enctype_ok(key2->enctype))
return KRB5_CRYPTO_INTERNAL;
if (key1->length != key2->length || key1->enctype != key2->enctype)
return KRB5_CRYPTO_INTERNAL;
/* Find our encryption algorithm. */
ktp = find_enctype(key1->enctype);
if (ktp == NULL)
return KRB5_BAD_ENCTYPE;
enc = ktp->enc;
keybytes = enc->keybytes;
keylength = enc->keylength;
/* Allocate and set up buffers. */
r1 = k5alloc(keybytes, &ret);
if (ret)
goto cleanup;
r2 = k5alloc(keybytes, &ret);
if (ret)
goto cleanup;
rnd = k5alloc(keybytes, &ret);
if (ret)
goto cleanup;
combined = k5alloc(keybytes * 2, &ret);
if (ret)
goto cleanup;
output = k5alloc(keylength, &ret);
if (ret)
goto cleanup;
/*
* Get R1 and R2 (by running the input keys through the DR algorithm.
* Note this is most of derive-key, but not all.
*/
input.length = key2->length;
input.data = (char *) key2->contents;
ret = dr(enc, key1, r1, &input);
if (ret)
goto cleanup;
input.length = key1->length;
input.data = (char *) key1->contents;
ret = dr(enc, key2, r2, &input);
if (ret)
goto cleanup;
/*
* Concatenate the two keys together, and then run them through
* n-fold to reduce them to a length appropriate for the random-to-key
* operation. Note here that krb5int_nfold() takes sizes in bits, hence
* the multiply by 8.
*/
memcpy(combined, r1, keybytes);
memcpy(combined + keybytes, r2, keybytes);
krb5int_nfold((keybytes * 2) * 8, combined, keybytes * 8, rnd);
/*
* Run the "random" bits through random-to-key to produce a encryption
* key.
*/
randbits.length = keybytes;
randbits.data = (char *) rnd;
tkeyblock.length = keylength;
tkeyblock.contents = output;
ret = (*ktp->rand2key)(&randbits, &tkeyblock);
if (ret)
goto cleanup;
ret = krb5_k_create_key(NULL, &tkeyblock, &tkey);
if (ret)
goto cleanup;
/*
* Run through derive-key one more time to produce the final key.
* Note that the input to derive-key is the ASCII string "combine".
*/
input.length = 7;
input.data = "combine";
/*
* Just FYI: _if_ we have space here in the key, then simply use it
* without modification. But if the key is blank (no allocated storage)
* then allocate some memory for it. This allows programs to use one of
* the existing keys as the output key, _or_ pass in a blank keyblock
* for us to allocate. It's easier for us to allocate it since we already
* know the crypto library internals
*/
if (outkey->length == 0 || outkey->contents == NULL) {
outkey->contents = k5alloc(keylength, &ret);
if (ret)
goto cleanup;
outkey->length = keylength;
outkey->enctype = key1->enctype;
myalloc = TRUE;
}
ret = krb5int_derive_keyblock(enc, tkey, outkey, &input, DERIVE_RFC3961);
if (ret) {
if (myalloc) {
free(outkey->contents);
outkey->contents = NULL;
}
goto cleanup;
}
cleanup:
zapfree(r1, keybytes);
zapfree(r2, keybytes);
zapfree(rnd, keybytes);
zapfree(combined, keybytes * 2);
zapfree(output, keylength);
krb5_k_free_key(NULL, tkey);
return ret;
}
