| blob | 21dd3543d83602bac791d8c92078c1f32e8374b5 |
1 /*
2 * Copyright (c) 1995-2003 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2013-2014 Carnegie Mellon University
7 * All rights reserved.
8 *
9 * Portions Copyright (c) 2013 by the Massachusetts Institute of Technology
10 * All rights reserved.
11 *
12 * Redistribution and use in source and binary forms, with or without
13 * modification, are permitted provided that the following conditions
14 * are met:
15 *
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 *
19 * 2. Redistributions in binary form must reproduce the above copyright
20 * notice, this list of conditions and the following disclaimer in the
21 * documentation and/or other materials provided with the distribution.
22 *
23 * 3. Neither the name of the Institute nor the names of its contributors
24 * may be used to endorse or promote products derived from this software
25 * without specific prior written permission.
26 *
27 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * SUCH DAMAGE.
38 */
45 /**
46 * Use NIST SP800-108 with HMAC(MD5) in counter mode as the PRF to derive a
47 * des key from another type of key.
48 *
49 * L is 64, as we take 64 random bits and turn them into a 56-bit des key.
50 * The output of hmac_md5 is 128 bits; we take the first 64 only, so n
51 * properly should be 1. However, we apply a slight variation due to the
52 * possibility of producing a weak des key. If the output key is weak, do NOT
53 * simply correct it, instead, the counter is advanced and the next output
54 * used. As such, we code so as to have n be the full 255 permitted by our
55 * encoding of the counter i in an 8-bit field. L itself is encoded as a
56 * 32-bit field, big-endian. We use the constant string "rxkad" as a label
57 * for this key derivation, the standard NUL byte separator, and omit a
58 * key-derivation context. The input key is unique to the krb5 service ticket,
59 * which is unlikely to be used in an other location. If it is used in such
60 * a fashion, both locations will derive the same des key from the PRF, but
61 * this is no different from if a krb5 des key had been used in the same way,
62 * as traditional krb5 rxkad uses the ticket session key directly as the token
63 * key.
64 *
65 * @param[in] in pointer to input key data
66 * @param[in] insize length of input key data
67 * @param[out] out 8-byte buffer to hold the derived key
68 *
69 * @return Returns 0 to indicate success, or an error code.
70 *
71 * @retval KRB5DES_WEAK_KEY Successive derivation attempts with all
72 * 255 possible counter values each produced weak DES keys. This input
73 * cannot be used to produce a usable key.
74 */
75 static int
77 {
80 /* bits of output, as 32 bit word, MSB first */
82 /* only needs to be 16 for md5, but lets be sure it fits */
85 DES_cblock ktmp;
86 HMAC_CTX mctx;
88 /* stop when 8 bit counter wraps to 0 */
102 }
103 }
105 }
107 /**
108 * This is the inverse of the random-to-key for 3des specified in
109 * rfc3961, converting blocks of 8 bytes to blocks of 7 bytes by distributing
110 * the bits of each 8th byte as the lsb of the previous 7 bytes.
111 *
112 * @param[in,out] buffer Buffer containing the key to be converted
113 * @param[in,out] bufsiz Points to the size of the key data. On
114 * return, this is updated to reflect the size of the compressed data.
115 *
116 * @return Returns 0 to indicate success, or an error code.
117 *
118 * @retval KRB5_BAD_KEYSIZE The key size was not a multiple of 8 bytes.
119 */
120 static int
122 {
136 }
137 }
142 }
144 /**
145 * Derive a DES key for use with rxkad and fcrypt from a given Kerberos
146 * key of (almost) any type. This function encodes enctype-specific
147 * knowledge about how to derive a DES key from a given key type.
148 * If given a des key, use it directly; otherwise, perform any parity
149 * fixup that may be needed and pass through to the hmad-md5 bits.
150 *
151 * @param[in] enctype Kerberos enctype of the input key
152 * @param[in] keydata Input key data
153 * @param[in] keylen Size of input key data
154 * @param[out] output 8-byte buffer to hold the derived key
155 *
156 * @return Returns 0 to indicate success, or an error code.
157 *
158 * @retval KRB5_PROG_ETYPE_NOSUPP The enctype is one for which rxkad-kdf
159 * is not supported. This includes several reserved enctypes, enctype
160 * values used in PKINIT to stand for CMS algorithm identifiers, and all
161 * private-use (negative) enctypes.
162 *
163 * @retval KRB5_BAD_KEYSIZE The key size was not a multiple of 8 bytes
164 * (for 3DES key types), exactly 8 bytes (for DES key types), or at least
165 * 8 bytes (for other key types).
166 *
167 * @retval KRB5DES_WEAK_KEY Successive derivation attempts with all
168 * 255 possible counter values each produced weak DES keys. This input
169 * cannot be used to produce a usable key.
170 */
171 int
174 {
184 /* Extract session key */
199 /*In order to become a "Cryptographic Key" as specified in
200 * SP800-108, it must be indistinguishable from a random bitstring. */
207 /* FALLTHROUGH */
214 }
216 }