Index: stable/11/sys/kgssapi/krb5/kcrypto_arcfour.c =================================================================== --- stable/11/sys/kgssapi/krb5/kcrypto_arcfour.c (revision 351242) +++ stable/11/sys/kgssapi/krb5/kcrypto_arcfour.c (revision 351243) @@ -1,220 +1,224 @@ /*- * Copyright (c) 2008 Isilon Inc http://www.isilon.com/ * Authors: Doug Rabson * Developed with Red Inc: Alfred Perlstein * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include __FBSDID("$FreeBSD$"); #include #include #include #include #include #include #include #include #include #include "kcrypto.h" static void arcfour_init(struct krb5_key_state *ks) { + static struct timeval lastwarn; + static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 }; ks->ks_priv = NULL; + if (ratecheck(&lastwarn, &warninterval)) + gone_in(13, "RC4 cipher for Kerberos GSS"); } static void arcfour_destroy(struct krb5_key_state *ks) { } static void arcfour_set_key(struct krb5_key_state *ks, const void *in) { void *kp = ks->ks_key; if (kp != in) bcopy(in, kp, 16); } static void arcfour_random_to_key(struct krb5_key_state *ks, const void *in) { arcfour_set_key(ks, in); } static void arcfour_hmac(uint8_t *key, uint8_t *data, size_t datalen, uint8_t *result) { uint8_t buf[64]; MD5_CTX md5; int i; for (i = 0; i < 16; i++) buf[i] = key[i] ^ 0x36; for (; i < 64; i++) buf[i] = 0x36; MD5Init(&md5); MD5Update(&md5, buf, 64); MD5Update(&md5, data, datalen); MD5Final(result, &md5); for (i = 0; i < 16; i++) buf[i] = key[i] ^ 0x5c; for (; i < 64; i++) buf[i] = 0x5c; MD5Init(&md5); MD5Update(&md5, buf, 64); MD5Update(&md5, result, 16); MD5Final(result, &md5); } static void arcfour_derive_key(const struct krb5_key_state *ks, uint32_t usage, uint8_t *newkey) { uint8_t t[4]; t[0] = (usage >> 24); t[1] = (usage >> 16); t[2] = (usage >> 8); t[3] = (usage >> 0); if (ks->ks_class->ec_type == ETYPE_ARCFOUR_HMAC_MD5_56) { uint8_t L40[14] = "fortybits"; bcopy(t, L40 + 10, 4); arcfour_hmac(ks->ks_key, L40, 14, newkey); memset(newkey + 7, 0xab, 9); } else { arcfour_hmac(ks->ks_key, t, 4, newkey); } } static int rc4_crypt_int(void *rs, void *buf, u_int len) { rc4_crypt(rs, buf, buf, len); return (0); } static void arcfour_encrypt(const struct krb5_key_state *ks, struct mbuf *inout, size_t skip, size_t len, void *ivec, size_t ivlen) { struct rc4_state rs; uint8_t newkey[16]; arcfour_derive_key(ks, 0, newkey); /* * If we have an IV, then generate a new key from it using HMAC. */ if (ivec) { uint8_t kk[16]; arcfour_hmac(newkey, ivec, ivlen, kk); rc4_init(&rs, kk, 16); } else { rc4_init(&rs, newkey, 16); } m_apply(inout, skip, len, rc4_crypt_int, &rs); } static int MD5Update_int(void *ctx, void *buf, u_int len) { MD5Update(ctx, buf, len); return (0); } static void arcfour_checksum(const struct krb5_key_state *ks, int usage, struct mbuf *inout, size_t skip, size_t inlen, size_t outlen) { MD5_CTX md5; uint8_t Ksign[16]; uint8_t t[4]; uint8_t sgn_cksum[16]; arcfour_hmac(ks->ks_key, "signaturekey", 13, Ksign); t[0] = usage >> 0; t[1] = usage >> 8; t[2] = usage >> 16; t[3] = usage >> 24; MD5Init(&md5); MD5Update(&md5, t, 4); m_apply(inout, skip, inlen, MD5Update_int, &md5); MD5Final(sgn_cksum, &md5); arcfour_hmac(Ksign, sgn_cksum, 16, sgn_cksum); m_copyback(inout, skip + inlen, outlen, sgn_cksum); } struct krb5_encryption_class krb5_arcfour_encryption_class = { "arcfour-hmac-md5", /* name */ ETYPE_ARCFOUR_HMAC_MD5, /* etype */ 0, /* flags */ 1, /* blocklen */ 1, /* msgblocklen */ 8, /* checksumlen */ 128, /* keybits */ 16, /* keylen */ arcfour_init, arcfour_destroy, arcfour_set_key, arcfour_random_to_key, arcfour_encrypt, arcfour_encrypt, arcfour_checksum }; struct krb5_encryption_class krb5_arcfour_56_encryption_class = { "arcfour-hmac-md5-56", /* name */ ETYPE_ARCFOUR_HMAC_MD5_56, /* etype */ 0, /* flags */ 1, /* blocklen */ 1, /* msgblocklen */ 8, /* checksumlen */ 128, /* keybits */ 16, /* keylen */ arcfour_init, arcfour_destroy, arcfour_set_key, arcfour_random_to_key, arcfour_encrypt, arcfour_encrypt, arcfour_checksum }; Index: stable/11/sys/kgssapi/krb5/kcrypto_des.c =================================================================== --- stable/11/sys/kgssapi/krb5/kcrypto_des.c (revision 351242) +++ stable/11/sys/kgssapi/krb5/kcrypto_des.c (revision 351243) @@ -1,262 +1,266 @@ /*- * Copyright (c) 2008 Isilon Inc http://www.isilon.com/ * Authors: Doug Rabson * Developed with Red Inc: Alfred Perlstein * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include __FBSDID("$FreeBSD$"); #include #include #include #include #include #include #include #include #include #include #include #include "kcrypto.h" struct des1_state { struct mtx ds_lock; uint64_t ds_session; }; static void des1_init(struct krb5_key_state *ks) { + static struct timeval lastwarn; + static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 }; struct des1_state *ds; ds = malloc(sizeof(struct des1_state), M_GSSAPI, M_WAITOK|M_ZERO); mtx_init(&ds->ds_lock, "gss des lock", NULL, MTX_DEF); ks->ks_priv = ds; + if (ratecheck(&lastwarn, &warninterval)) + gone_in(13, "DES cipher for Kerberos GSS"); } static void des1_destroy(struct krb5_key_state *ks) { struct des1_state *ds = ks->ks_priv; if (ds->ds_session) crypto_freesession(ds->ds_session); mtx_destroy(&ds->ds_lock); free(ks->ks_priv, M_GSSAPI); } static void des1_set_key(struct krb5_key_state *ks, const void *in) { void *kp = ks->ks_key; struct des1_state *ds = ks->ks_priv; struct cryptoini cri[1]; if (kp != in) bcopy(in, kp, ks->ks_class->ec_keylen); if (ds->ds_session) crypto_freesession(ds->ds_session); bzero(cri, sizeof(cri)); cri[0].cri_alg = CRYPTO_DES_CBC; cri[0].cri_klen = 64; cri[0].cri_mlen = 0; cri[0].cri_key = ks->ks_key; cri[0].cri_next = NULL; crypto_newsession(&ds->ds_session, cri, CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE); } static void des1_random_to_key(struct krb5_key_state *ks, const void *in) { uint8_t *outkey = ks->ks_key; const uint8_t *inkey = in; /* * Expand 56 bits of random data to 64 bits as follows * (in the example, bit number 1 is the MSB of the 56 * bits of random data): * * expanded = * 1 2 3 4 5 6 7 p * 9 10 11 12 13 14 15 p * 17 18 19 20 21 22 23 p * 25 26 27 28 29 30 31 p * 33 34 35 36 37 38 39 p * 41 42 43 44 45 46 47 p * 49 50 51 52 53 54 55 p * 56 48 40 32 24 16 8 p */ outkey[0] = inkey[0]; outkey[1] = inkey[1]; outkey[2] = inkey[2]; outkey[3] = inkey[3]; outkey[4] = inkey[4]; outkey[5] = inkey[5]; outkey[6] = inkey[6]; outkey[7] = (((inkey[0] & 1) << 1) | ((inkey[1] & 1) << 2) | ((inkey[2] & 1) << 3) | ((inkey[3] & 1) << 4) | ((inkey[4] & 1) << 5) | ((inkey[5] & 1) << 6) | ((inkey[6] & 1) << 7)); des_set_odd_parity((des_cblock *) outkey); if (des_is_weak_key((des_cblock *) outkey)) outkey[7] ^= 0xf0; des1_set_key(ks, ks->ks_key); } static int des1_crypto_cb(struct cryptop *crp) { int error; struct des1_state *ds = (struct des1_state *) crp->crp_opaque; if (CRYPTO_SESID2CAPS(ds->ds_session) & CRYPTOCAP_F_SYNC) return (0); error = crp->crp_etype; if (error == EAGAIN) error = crypto_dispatch(crp); mtx_lock(&ds->ds_lock); if (error || (crp->crp_flags & CRYPTO_F_DONE)) wakeup(crp); mtx_unlock(&ds->ds_lock); return (0); } static void des1_encrypt_1(const struct krb5_key_state *ks, int buftype, void *buf, size_t skip, size_t len, void *ivec, int encdec) { struct des1_state *ds = ks->ks_priv; struct cryptop *crp; struct cryptodesc *crd; int error; crp = crypto_getreq(1); crd = crp->crp_desc; crd->crd_skip = skip; crd->crd_len = len; crd->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT | encdec; if (ivec) { bcopy(ivec, crd->crd_iv, 8); } else { bzero(crd->crd_iv, 8); } crd->crd_next = NULL; crd->crd_alg = CRYPTO_DES_CBC; crp->crp_sid = ds->ds_session; crp->crp_flags = buftype | CRYPTO_F_CBIFSYNC; crp->crp_buf = buf; crp->crp_opaque = (void *) ds; crp->crp_callback = des1_crypto_cb; error = crypto_dispatch(crp); if ((CRYPTO_SESID2CAPS(ds->ds_session) & CRYPTOCAP_F_SYNC) == 0) { mtx_lock(&ds->ds_lock); if (!error && !(crp->crp_flags & CRYPTO_F_DONE)) error = msleep(crp, &ds->ds_lock, 0, "gssdes", 0); mtx_unlock(&ds->ds_lock); } crypto_freereq(crp); } static void des1_encrypt(const struct krb5_key_state *ks, struct mbuf *inout, size_t skip, size_t len, void *ivec, size_t ivlen) { des1_encrypt_1(ks, CRYPTO_F_IMBUF, inout, skip, len, ivec, CRD_F_ENCRYPT); } static void des1_decrypt(const struct krb5_key_state *ks, struct mbuf *inout, size_t skip, size_t len, void *ivec, size_t ivlen) { des1_encrypt_1(ks, CRYPTO_F_IMBUF, inout, skip, len, ivec, 0); } static int MD5Update_int(void *ctx, void *buf, u_int len) { MD5Update(ctx, buf, len); return (0); } static void des1_checksum(const struct krb5_key_state *ks, int usage, struct mbuf *inout, size_t skip, size_t inlen, size_t outlen) { char hash[16]; MD5_CTX md5; /* * This checksum is specifically for GSS-API. First take the * MD5 checksum of the message, then calculate the CBC mode * checksum of that MD5 checksum using a zero IV. */ MD5Init(&md5); m_apply(inout, skip, inlen, MD5Update_int, &md5); MD5Final(hash, &md5); des1_encrypt_1(ks, 0, hash, 0, 16, NULL, CRD_F_ENCRYPT); m_copyback(inout, skip + inlen, outlen, hash + 8); } struct krb5_encryption_class krb5_des_encryption_class = { "des-cbc-md5", /* name */ ETYPE_DES_CBC_CRC, /* etype */ 0, /* flags */ 8, /* blocklen */ 8, /* msgblocklen */ 8, /* checksumlen */ 56, /* keybits */ 8, /* keylen */ des1_init, des1_destroy, des1_set_key, des1_random_to_key, des1_encrypt, des1_decrypt, des1_checksum }; Index: stable/11/sys/kgssapi/krb5/kcrypto_des3.c =================================================================== --- stable/11/sys/kgssapi/krb5/kcrypto_des3.c (revision 351242) +++ stable/11/sys/kgssapi/krb5/kcrypto_des3.c (revision 351243) @@ -1,402 +1,406 @@ /*- * Copyright (c) 2008 Isilon Inc http://www.isilon.com/ * Authors: Doug Rabson * Developed with Red Inc: Alfred Perlstein * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include __FBSDID("$FreeBSD$"); #include #include #include #include #include #include #include #include #include #include #include "kcrypto.h" #define DES3_FLAGS (CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE) struct des3_state { struct mtx ds_lock; uint64_t ds_session; }; static void des3_init(struct krb5_key_state *ks) { + static struct timeval lastwarn; + static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 }; struct des3_state *ds; ds = malloc(sizeof(struct des3_state), M_GSSAPI, M_WAITOK|M_ZERO); mtx_init(&ds->ds_lock, "gss des3 lock", NULL, MTX_DEF); ks->ks_priv = ds; + if (ratecheck(&lastwarn, &warninterval)) + gone_in(13, "DES3 cipher for Kerberos GSS"); } static void des3_destroy(struct krb5_key_state *ks) { struct des3_state *ds = ks->ks_priv; if (ds->ds_session) crypto_freesession(ds->ds_session); mtx_destroy(&ds->ds_lock); free(ks->ks_priv, M_GSSAPI); } static void des3_set_key(struct krb5_key_state *ks, const void *in) { void *kp = ks->ks_key; struct des3_state *ds = ks->ks_priv; struct cryptoini cri[2]; if (kp != in) bcopy(in, kp, ks->ks_class->ec_keylen); if (ds->ds_session) crypto_freesession(ds->ds_session); bzero(cri, sizeof(cri)); cri[0].cri_alg = CRYPTO_SHA1_HMAC; cri[0].cri_klen = 192; cri[0].cri_mlen = 0; cri[0].cri_key = ks->ks_key; cri[0].cri_next = &cri[1]; cri[1].cri_alg = CRYPTO_3DES_CBC; cri[1].cri_klen = 192; cri[1].cri_mlen = 0; cri[1].cri_key = ks->ks_key; cri[1].cri_next = NULL; crypto_newsession(&ds->ds_session, cri, CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE); } static void des3_random_to_key(struct krb5_key_state *ks, const void *in) { uint8_t *outkey; const uint8_t *inkey; int subkey; for (subkey = 0, outkey = ks->ks_key, inkey = in; subkey < 3; subkey++, outkey += 8, inkey += 7) { /* * Expand 56 bits of random data to 64 bits as follows * (in the example, bit number 1 is the MSB of the 56 * bits of random data): * * expanded = * 1 2 3 4 5 6 7 p * 9 10 11 12 13 14 15 p * 17 18 19 20 21 22 23 p * 25 26 27 28 29 30 31 p * 33 34 35 36 37 38 39 p * 41 42 43 44 45 46 47 p * 49 50 51 52 53 54 55 p * 56 48 40 32 24 16 8 p */ outkey[0] = inkey[0]; outkey[1] = inkey[1]; outkey[2] = inkey[2]; outkey[3] = inkey[3]; outkey[4] = inkey[4]; outkey[5] = inkey[5]; outkey[6] = inkey[6]; outkey[7] = (((inkey[0] & 1) << 1) | ((inkey[1] & 1) << 2) | ((inkey[2] & 1) << 3) | ((inkey[3] & 1) << 4) | ((inkey[4] & 1) << 5) | ((inkey[5] & 1) << 6) | ((inkey[6] & 1) << 7)); des_set_odd_parity((des_cblock *) outkey); if (des_is_weak_key((des_cblock *) outkey)) outkey[7] ^= 0xf0; } des3_set_key(ks, ks->ks_key); } static int des3_crypto_cb(struct cryptop *crp) { int error; struct des3_state *ds = (struct des3_state *) crp->crp_opaque; if (CRYPTO_SESID2CAPS(ds->ds_session) & CRYPTOCAP_F_SYNC) return (0); error = crp->crp_etype; if (error == EAGAIN) error = crypto_dispatch(crp); mtx_lock(&ds->ds_lock); if (error || (crp->crp_flags & CRYPTO_F_DONE)) wakeup(crp); mtx_unlock(&ds->ds_lock); return (0); } static void des3_encrypt_1(const struct krb5_key_state *ks, struct mbuf *inout, size_t skip, size_t len, void *ivec, int encdec) { struct des3_state *ds = ks->ks_priv; struct cryptop *crp; struct cryptodesc *crd; int error; crp = crypto_getreq(1); crd = crp->crp_desc; crd->crd_skip = skip; crd->crd_len = len; crd->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT | encdec; if (ivec) { bcopy(ivec, crd->crd_iv, 8); } else { bzero(crd->crd_iv, 8); } crd->crd_next = NULL; crd->crd_alg = CRYPTO_3DES_CBC; crp->crp_sid = ds->ds_session; crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC; crp->crp_buf = (void *) inout; crp->crp_opaque = (void *) ds; crp->crp_callback = des3_crypto_cb; error = crypto_dispatch(crp); if ((CRYPTO_SESID2CAPS(ds->ds_session) & CRYPTOCAP_F_SYNC) == 0) { mtx_lock(&ds->ds_lock); if (!error && !(crp->crp_flags & CRYPTO_F_DONE)) error = msleep(crp, &ds->ds_lock, 0, "gssdes3", 0); mtx_unlock(&ds->ds_lock); } crypto_freereq(crp); } static void des3_encrypt(const struct krb5_key_state *ks, struct mbuf *inout, size_t skip, size_t len, void *ivec, size_t ivlen) { des3_encrypt_1(ks, inout, skip, len, ivec, CRD_F_ENCRYPT); } static void des3_decrypt(const struct krb5_key_state *ks, struct mbuf *inout, size_t skip, size_t len, void *ivec, size_t ivlen) { des3_encrypt_1(ks, inout, skip, len, ivec, 0); } static void des3_checksum(const struct krb5_key_state *ks, int usage, struct mbuf *inout, size_t skip, size_t inlen, size_t outlen) { struct des3_state *ds = ks->ks_priv; struct cryptop *crp; struct cryptodesc *crd; int error; crp = crypto_getreq(1); crd = crp->crp_desc; crd->crd_skip = skip; crd->crd_len = inlen; crd->crd_inject = skip + inlen; crd->crd_flags = 0; crd->crd_next = NULL; crd->crd_alg = CRYPTO_SHA1_HMAC; crp->crp_sid = ds->ds_session; crp->crp_ilen = inlen; crp->crp_olen = 20; crp->crp_etype = 0; crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC; crp->crp_buf = (void *) inout; crp->crp_opaque = (void *) ds; crp->crp_callback = des3_crypto_cb; error = crypto_dispatch(crp); if ((CRYPTO_SESID2CAPS(ds->ds_session) & CRYPTOCAP_F_SYNC) == 0) { mtx_lock(&ds->ds_lock); if (!error && !(crp->crp_flags & CRYPTO_F_DONE)) error = msleep(crp, &ds->ds_lock, 0, "gssdes3", 0); mtx_unlock(&ds->ds_lock); } crypto_freereq(crp); } struct krb5_encryption_class krb5_des3_encryption_class = { "des3-cbc-sha1", /* name */ ETYPE_DES3_CBC_SHA1, /* etype */ EC_DERIVED_KEYS, /* flags */ 8, /* blocklen */ 8, /* msgblocklen */ 20, /* checksumlen */ 168, /* keybits */ 24, /* keylen */ des3_init, des3_destroy, des3_set_key, des3_random_to_key, des3_encrypt, des3_decrypt, des3_checksum }; #if 0 struct des3_dk_test { uint8_t key[24]; uint8_t usage[8]; size_t usagelen; uint8_t dk[24]; }; struct des3_dk_test tests[] = { {{0xdc, 0xe0, 0x6b, 0x1f, 0x64, 0xc8, 0x57, 0xa1, 0x1c, 0x3d, 0xb5, 0x7c, 0x51, 0x89, 0x9b, 0x2c, 0xc1, 0x79, 0x10, 0x08, 0xce, 0x97, 0x3b, 0x92}, {0x00, 0x00, 0x00, 0x01, 0x55}, 5, {0x92, 0x51, 0x79, 0xd0, 0x45, 0x91, 0xa7, 0x9b, 0x5d, 0x31, 0x92, 0xc4, 0xa7, 0xe9, 0xc2, 0x89, 0xb0, 0x49, 0xc7, 0x1f, 0x6e, 0xe6, 0x04, 0xcd}}, {{0x5e, 0x13, 0xd3, 0x1c, 0x70, 0xef, 0x76, 0x57, 0x46, 0x57, 0x85, 0x31, 0xcb, 0x51, 0xc1, 0x5b, 0xf1, 0x1c, 0xa8, 0x2c, 0x97, 0xce, 0xe9, 0xf2}, {0x00, 0x00, 0x00, 0x01, 0xaa}, 5, {0x9e, 0x58, 0xe5, 0xa1, 0x46, 0xd9, 0x94, 0x2a, 0x10, 0x1c, 0x46, 0x98, 0x45, 0xd6, 0x7a, 0x20, 0xe3, 0xc4, 0x25, 0x9e, 0xd9, 0x13, 0xf2, 0x07}}, {{0x98, 0xe6, 0xfd, 0x8a, 0x04, 0xa4, 0xb6, 0x85, 0x9b, 0x75, 0xa1, 0x76, 0x54, 0x0b, 0x97, 0x52, 0xba, 0xd3, 0xec, 0xd6, 0x10, 0xa2, 0x52, 0xbc}, {0x00, 0x00, 0x00, 0x01, 0x55}, 5, {0x13, 0xfe, 0xf8, 0x0d, 0x76, 0x3e, 0x94, 0xec, 0x6d, 0x13, 0xfd, 0x2c, 0xa1, 0xd0, 0x85, 0x07, 0x02, 0x49, 0xda, 0xd3, 0x98, 0x08, 0xea, 0xbf}}, {{0x62, 0x2a, 0xec, 0x25, 0xa2, 0xfe, 0x2c, 0xad, 0x70, 0x94, 0x68, 0x0b, 0x7c, 0x64, 0x94, 0x02, 0x80, 0x08, 0x4c, 0x1a, 0x7c, 0xec, 0x92, 0xb5}, {0x00, 0x00, 0x00, 0x01, 0xaa}, 5, {0xf8, 0xdf, 0xbf, 0x04, 0xb0, 0x97, 0xe6, 0xd9, 0xdc, 0x07, 0x02, 0x68, 0x6b, 0xcb, 0x34, 0x89, 0xd9, 0x1f, 0xd9, 0xa4, 0x51, 0x6b, 0x70, 0x3e}}, {{0xd3, 0xf8, 0x29, 0x8c, 0xcb, 0x16, 0x64, 0x38, 0xdc, 0xb9, 0xb9, 0x3e, 0xe5, 0xa7, 0x62, 0x92, 0x86, 0xa4, 0x91, 0xf8, 0x38, 0xf8, 0x02, 0xfb}, {0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73}, 8, {0x23, 0x70, 0xda, 0x57, 0x5d, 0x2a, 0x3d, 0xa8, 0x64, 0xce, 0xbf, 0xdc, 0x52, 0x04, 0xd5, 0x6d, 0xf7, 0x79, 0xa7, 0xdf, 0x43, 0xd9, 0xda, 0x43}}, {{0xc1, 0x08, 0x16, 0x49, 0xad, 0xa7, 0x43, 0x62, 0xe6, 0xa1, 0x45, 0x9d, 0x01, 0xdf, 0xd3, 0x0d, 0x67, 0xc2, 0x23, 0x4c, 0x94, 0x07, 0x04, 0xda}, {0x00, 0x00, 0x00, 0x01, 0x55}, 5, {0x34, 0x80, 0x57, 0xec, 0x98, 0xfd, 0xc4, 0x80, 0x16, 0x16, 0x1c, 0x2a, 0x4c, 0x7a, 0x94, 0x3e, 0x92, 0xae, 0x49, 0x2c, 0x98, 0x91, 0x75, 0xf7}}, {{0x5d, 0x15, 0x4a, 0xf2, 0x38, 0xf4, 0x67, 0x13, 0x15, 0x57, 0x19, 0xd5, 0x5e, 0x2f, 0x1f, 0x79, 0x0d, 0xd6, 0x61, 0xf2, 0x79, 0xa7, 0x91, 0x7c}, {0x00, 0x00, 0x00, 0x01, 0xaa}, 5, {0xa8, 0x80, 0x8a, 0xc2, 0x67, 0xda, 0xda, 0x3d, 0xcb, 0xe9, 0xa7, 0xc8, 0x46, 0x26, 0xfb, 0xc7, 0x61, 0xc2, 0x94, 0xb0, 0x13, 0x15, 0xe5, 0xc1}}, {{0x79, 0x85, 0x62, 0xe0, 0x49, 0x85, 0x2f, 0x57, 0xdc, 0x8c, 0x34, 0x3b, 0xa1, 0x7f, 0x2c, 0xa1, 0xd9, 0x73, 0x94, 0xef, 0xc8, 0xad, 0xc4, 0x43}, {0x00, 0x00, 0x00, 0x01, 0x55}, 5, {0xc8, 0x13, 0xf8, 0x8a, 0x3b, 0xe3, 0xb3, 0x34, 0xf7, 0x54, 0x25, 0xce, 0x91, 0x75, 0xfb, 0xe3, 0xc8, 0x49, 0x3b, 0x89, 0xc8, 0x70, 0x3b, 0x49}}, {{0x26, 0xdc, 0xe3, 0x34, 0xb5, 0x45, 0x29, 0x2f, 0x2f, 0xea, 0xb9, 0xa8, 0x70, 0x1a, 0x89, 0xa4, 0xb9, 0x9e, 0xb9, 0x94, 0x2c, 0xec, 0xd0, 0x16}, {0x00, 0x00, 0x00, 0x01, 0xaa}, 5, {0xf4, 0x8f, 0xfd, 0x6e, 0x83, 0xf8, 0x3e, 0x73, 0x54, 0xe6, 0x94, 0xfd, 0x25, 0x2c, 0xf8, 0x3b, 0xfe, 0x58, 0xf7, 0xd5, 0xba, 0x37, 0xec, 0x5d}}, }; #define N_TESTS (sizeof(tests) / sizeof(tests[0])) int main(int argc, char **argv) { struct krb5_key_state *key, *dk; uint8_t *dkp; int j, i; for (j = 0; j < N_TESTS; j++) { struct des3_dk_test *t = &tests[j]; key = krb5_create_key(&des3_encryption_class); krb5_set_key(key, t->key); dk = krb5_derive_key(key, t->usage, t->usagelen); krb5_free_key(key); if (memcmp(dk->ks_key, t->dk, 24)) { printf("DES3 dk("); for (i = 0; i < 24; i++) printf("%02x", t->key[i]); printf(", "); for (i = 0; i < t->usagelen; i++) printf("%02x", t->usage[i]); printf(") failed\n"); printf("should be: "); for (i = 0; i < 24; i++) printf("%02x", t->dk[i]); printf("\n result was: "); dkp = dk->ks_key; for (i = 0; i < 24; i++) printf("%02x", dkp[i]); printf("\n"); } krb5_free_key(dk); } return (0); } #endif Index: stable/11 =================================================================== --- stable/11 (revision 351242) +++ stable/11 (revision 351243) Property changes on: stable/11 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /head:r348875 Index: stable/12/sys/kgssapi/krb5/kcrypto_arcfour.c =================================================================== --- stable/12/sys/kgssapi/krb5/kcrypto_arcfour.c (revision 351242) +++ stable/12/sys/kgssapi/krb5/kcrypto_arcfour.c (revision 351243) @@ -1,222 +1,226 @@ /*- * SPDX-License-Identifier: BSD-2-Clause-FreeBSD * * Copyright (c) 2008 Isilon Inc http://www.isilon.com/ * Authors: Doug Rabson * Developed with Red Inc: Alfred Perlstein * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include __FBSDID("$FreeBSD$"); #include #include #include #include #include #include #include #include #include #include "kcrypto.h" static void arcfour_init(struct krb5_key_state *ks) { + static struct timeval lastwarn; + static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 }; ks->ks_priv = NULL; + if (ratecheck(&lastwarn, &warninterval)) + gone_in(13, "RC4 cipher for Kerberos GSS"); } static void arcfour_destroy(struct krb5_key_state *ks) { } static void arcfour_set_key(struct krb5_key_state *ks, const void *in) { void *kp = ks->ks_key; if (kp != in) bcopy(in, kp, 16); } static void arcfour_random_to_key(struct krb5_key_state *ks, const void *in) { arcfour_set_key(ks, in); } static void arcfour_hmac(uint8_t *key, uint8_t *data, size_t datalen, uint8_t *result) { uint8_t buf[64]; MD5_CTX md5; int i; for (i = 0; i < 16; i++) buf[i] = key[i] ^ 0x36; for (; i < 64; i++) buf[i] = 0x36; MD5Init(&md5); MD5Update(&md5, buf, 64); MD5Update(&md5, data, datalen); MD5Final(result, &md5); for (i = 0; i < 16; i++) buf[i] = key[i] ^ 0x5c; for (; i < 64; i++) buf[i] = 0x5c; MD5Init(&md5); MD5Update(&md5, buf, 64); MD5Update(&md5, result, 16); MD5Final(result, &md5); } static void arcfour_derive_key(const struct krb5_key_state *ks, uint32_t usage, uint8_t *newkey) { uint8_t t[4]; t[0] = (usage >> 24); t[1] = (usage >> 16); t[2] = (usage >> 8); t[3] = (usage >> 0); if (ks->ks_class->ec_type == ETYPE_ARCFOUR_HMAC_MD5_56) { uint8_t L40[14] = "fortybits"; bcopy(t, L40 + 10, 4); arcfour_hmac(ks->ks_key, L40, 14, newkey); memset(newkey + 7, 0xab, 9); } else { arcfour_hmac(ks->ks_key, t, 4, newkey); } } static int rc4_crypt_int(void *rs, void *buf, u_int len) { rc4_crypt(rs, buf, buf, len); return (0); } static void arcfour_encrypt(const struct krb5_key_state *ks, struct mbuf *inout, size_t skip, size_t len, void *ivec, size_t ivlen) { struct rc4_state rs; uint8_t newkey[16]; arcfour_derive_key(ks, 0, newkey); /* * If we have an IV, then generate a new key from it using HMAC. */ if (ivec) { uint8_t kk[16]; arcfour_hmac(newkey, ivec, ivlen, kk); rc4_init(&rs, kk, 16); } else { rc4_init(&rs, newkey, 16); } m_apply(inout, skip, len, rc4_crypt_int, &rs); } static int MD5Update_int(void *ctx, void *buf, u_int len) { MD5Update(ctx, buf, len); return (0); } static void arcfour_checksum(const struct krb5_key_state *ks, int usage, struct mbuf *inout, size_t skip, size_t inlen, size_t outlen) { MD5_CTX md5; uint8_t Ksign[16]; uint8_t t[4]; uint8_t sgn_cksum[16]; arcfour_hmac(ks->ks_key, "signaturekey", 13, Ksign); t[0] = usage >> 0; t[1] = usage >> 8; t[2] = usage >> 16; t[3] = usage >> 24; MD5Init(&md5); MD5Update(&md5, t, 4); m_apply(inout, skip, inlen, MD5Update_int, &md5); MD5Final(sgn_cksum, &md5); arcfour_hmac(Ksign, sgn_cksum, 16, sgn_cksum); m_copyback(inout, skip + inlen, outlen, sgn_cksum); } struct krb5_encryption_class krb5_arcfour_encryption_class = { "arcfour-hmac-md5", /* name */ ETYPE_ARCFOUR_HMAC_MD5, /* etype */ 0, /* flags */ 1, /* blocklen */ 1, /* msgblocklen */ 8, /* checksumlen */ 128, /* keybits */ 16, /* keylen */ arcfour_init, arcfour_destroy, arcfour_set_key, arcfour_random_to_key, arcfour_encrypt, arcfour_encrypt, arcfour_checksum }; struct krb5_encryption_class krb5_arcfour_56_encryption_class = { "arcfour-hmac-md5-56", /* name */ ETYPE_ARCFOUR_HMAC_MD5_56, /* etype */ 0, /* flags */ 1, /* blocklen */ 1, /* msgblocklen */ 8, /* checksumlen */ 128, /* keybits */ 16, /* keylen */ arcfour_init, arcfour_destroy, arcfour_set_key, arcfour_random_to_key, arcfour_encrypt, arcfour_encrypt, arcfour_checksum }; Index: stable/12/sys/kgssapi/krb5/kcrypto_des.c =================================================================== --- stable/12/sys/kgssapi/krb5/kcrypto_des.c (revision 351242) +++ stable/12/sys/kgssapi/krb5/kcrypto_des.c (revision 351243) @@ -1,264 +1,268 @@ /*- * SPDX-License-Identifier: BSD-2-Clause-FreeBSD * * Copyright (c) 2008 Isilon Inc http://www.isilon.com/ * Authors: Doug Rabson * Developed with Red Inc: Alfred Perlstein * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include __FBSDID("$FreeBSD$"); #include #include #include #include #include #include #include #include #include #include #include #include "kcrypto.h" struct des1_state { struct mtx ds_lock; crypto_session_t ds_session; }; static void des1_init(struct krb5_key_state *ks) { + static struct timeval lastwarn; + static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 }; struct des1_state *ds; ds = malloc(sizeof(struct des1_state), M_GSSAPI, M_WAITOK|M_ZERO); mtx_init(&ds->ds_lock, "gss des lock", NULL, MTX_DEF); ks->ks_priv = ds; + if (ratecheck(&lastwarn, &warninterval)) + gone_in(13, "DES cipher for Kerberos GSS"); } static void des1_destroy(struct krb5_key_state *ks) { struct des1_state *ds = ks->ks_priv; if (ds->ds_session) crypto_freesession(ds->ds_session); mtx_destroy(&ds->ds_lock); free(ks->ks_priv, M_GSSAPI); } static void des1_set_key(struct krb5_key_state *ks, const void *in) { void *kp = ks->ks_key; struct des1_state *ds = ks->ks_priv; struct cryptoini cri[1]; if (kp != in) bcopy(in, kp, ks->ks_class->ec_keylen); if (ds->ds_session) crypto_freesession(ds->ds_session); bzero(cri, sizeof(cri)); cri[0].cri_alg = CRYPTO_DES_CBC; cri[0].cri_klen = 64; cri[0].cri_mlen = 0; cri[0].cri_key = ks->ks_key; cri[0].cri_next = NULL; crypto_newsession(&ds->ds_session, cri, CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE); } static void des1_random_to_key(struct krb5_key_state *ks, const void *in) { uint8_t *outkey = ks->ks_key; const uint8_t *inkey = in; /* * Expand 56 bits of random data to 64 bits as follows * (in the example, bit number 1 is the MSB of the 56 * bits of random data): * * expanded = * 1 2 3 4 5 6 7 p * 9 10 11 12 13 14 15 p * 17 18 19 20 21 22 23 p * 25 26 27 28 29 30 31 p * 33 34 35 36 37 38 39 p * 41 42 43 44 45 46 47 p * 49 50 51 52 53 54 55 p * 56 48 40 32 24 16 8 p */ outkey[0] = inkey[0]; outkey[1] = inkey[1]; outkey[2] = inkey[2]; outkey[3] = inkey[3]; outkey[4] = inkey[4]; outkey[5] = inkey[5]; outkey[6] = inkey[6]; outkey[7] = (((inkey[0] & 1) << 1) | ((inkey[1] & 1) << 2) | ((inkey[2] & 1) << 3) | ((inkey[3] & 1) << 4) | ((inkey[4] & 1) << 5) | ((inkey[5] & 1) << 6) | ((inkey[6] & 1) << 7)); des_set_odd_parity((des_cblock *) outkey); if (des_is_weak_key((des_cblock *) outkey)) outkey[7] ^= 0xf0; des1_set_key(ks, ks->ks_key); } static int des1_crypto_cb(struct cryptop *crp) { int error; struct des1_state *ds = (struct des1_state *) crp->crp_opaque; if (crypto_ses2caps(ds->ds_session) & CRYPTOCAP_F_SYNC) return (0); error = crp->crp_etype; if (error == EAGAIN) error = crypto_dispatch(crp); mtx_lock(&ds->ds_lock); if (error || (crp->crp_flags & CRYPTO_F_DONE)) wakeup(crp); mtx_unlock(&ds->ds_lock); return (0); } static void des1_encrypt_1(const struct krb5_key_state *ks, int buftype, void *buf, size_t skip, size_t len, void *ivec, int encdec) { struct des1_state *ds = ks->ks_priv; struct cryptop *crp; struct cryptodesc *crd; int error; crp = crypto_getreq(1); crd = crp->crp_desc; crd->crd_skip = skip; crd->crd_len = len; crd->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT | encdec; if (ivec) { bcopy(ivec, crd->crd_iv, 8); } else { bzero(crd->crd_iv, 8); } crd->crd_next = NULL; crd->crd_alg = CRYPTO_DES_CBC; crp->crp_session = ds->ds_session; crp->crp_flags = buftype | CRYPTO_F_CBIFSYNC; crp->crp_buf = buf; crp->crp_opaque = (void *) ds; crp->crp_callback = des1_crypto_cb; error = crypto_dispatch(crp); if ((crypto_ses2caps(ds->ds_session) & CRYPTOCAP_F_SYNC) == 0) { mtx_lock(&ds->ds_lock); if (!error && !(crp->crp_flags & CRYPTO_F_DONE)) error = msleep(crp, &ds->ds_lock, 0, "gssdes", 0); mtx_unlock(&ds->ds_lock); } crypto_freereq(crp); } static void des1_encrypt(const struct krb5_key_state *ks, struct mbuf *inout, size_t skip, size_t len, void *ivec, size_t ivlen) { des1_encrypt_1(ks, CRYPTO_F_IMBUF, inout, skip, len, ivec, CRD_F_ENCRYPT); } static void des1_decrypt(const struct krb5_key_state *ks, struct mbuf *inout, size_t skip, size_t len, void *ivec, size_t ivlen) { des1_encrypt_1(ks, CRYPTO_F_IMBUF, inout, skip, len, ivec, 0); } static int MD5Update_int(void *ctx, void *buf, u_int len) { MD5Update(ctx, buf, len); return (0); } static void des1_checksum(const struct krb5_key_state *ks, int usage, struct mbuf *inout, size_t skip, size_t inlen, size_t outlen) { char hash[16]; MD5_CTX md5; /* * This checksum is specifically for GSS-API. First take the * MD5 checksum of the message, then calculate the CBC mode * checksum of that MD5 checksum using a zero IV. */ MD5Init(&md5); m_apply(inout, skip, inlen, MD5Update_int, &md5); MD5Final(hash, &md5); des1_encrypt_1(ks, 0, hash, 0, 16, NULL, CRD_F_ENCRYPT); m_copyback(inout, skip + inlen, outlen, hash + 8); } struct krb5_encryption_class krb5_des_encryption_class = { "des-cbc-md5", /* name */ ETYPE_DES_CBC_CRC, /* etype */ 0, /* flags */ 8, /* blocklen */ 8, /* msgblocklen */ 8, /* checksumlen */ 56, /* keybits */ 8, /* keylen */ des1_init, des1_destroy, des1_set_key, des1_random_to_key, des1_encrypt, des1_decrypt, des1_checksum }; Index: stable/12/sys/kgssapi/krb5/kcrypto_des3.c =================================================================== --- stable/12/sys/kgssapi/krb5/kcrypto_des3.c (revision 351242) +++ stable/12/sys/kgssapi/krb5/kcrypto_des3.c (revision 351243) @@ -1,404 +1,408 @@ /*- * SPDX-License-Identifier: BSD-2-Clause-FreeBSD * * Copyright (c) 2008 Isilon Inc http://www.isilon.com/ * Authors: Doug Rabson * Developed with Red Inc: Alfred Perlstein * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include __FBSDID("$FreeBSD$"); #include #include #include #include #include #include #include #include #include #include #include "kcrypto.h" #define DES3_FLAGS (CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE) struct des3_state { struct mtx ds_lock; crypto_session_t ds_session; }; static void des3_init(struct krb5_key_state *ks) { + static struct timeval lastwarn; + static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 }; struct des3_state *ds; ds = malloc(sizeof(struct des3_state), M_GSSAPI, M_WAITOK|M_ZERO); mtx_init(&ds->ds_lock, "gss des3 lock", NULL, MTX_DEF); ks->ks_priv = ds; + if (ratecheck(&lastwarn, &warninterval)) + gone_in(13, "DES3 cipher for Kerberos GSS"); } static void des3_destroy(struct krb5_key_state *ks) { struct des3_state *ds = ks->ks_priv; if (ds->ds_session) crypto_freesession(ds->ds_session); mtx_destroy(&ds->ds_lock); free(ks->ks_priv, M_GSSAPI); } static void des3_set_key(struct krb5_key_state *ks, const void *in) { void *kp = ks->ks_key; struct des3_state *ds = ks->ks_priv; struct cryptoini cri[2]; if (kp != in) bcopy(in, kp, ks->ks_class->ec_keylen); if (ds->ds_session) crypto_freesession(ds->ds_session); bzero(cri, sizeof(cri)); cri[0].cri_alg = CRYPTO_SHA1_HMAC; cri[0].cri_klen = 192; cri[0].cri_mlen = 0; cri[0].cri_key = ks->ks_key; cri[0].cri_next = &cri[1]; cri[1].cri_alg = CRYPTO_3DES_CBC; cri[1].cri_klen = 192; cri[1].cri_mlen = 0; cri[1].cri_key = ks->ks_key; cri[1].cri_next = NULL; crypto_newsession(&ds->ds_session, cri, CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE); } static void des3_random_to_key(struct krb5_key_state *ks, const void *in) { uint8_t *outkey; const uint8_t *inkey; int subkey; for (subkey = 0, outkey = ks->ks_key, inkey = in; subkey < 3; subkey++, outkey += 8, inkey += 7) { /* * Expand 56 bits of random data to 64 bits as follows * (in the example, bit number 1 is the MSB of the 56 * bits of random data): * * expanded = * 1 2 3 4 5 6 7 p * 9 10 11 12 13 14 15 p * 17 18 19 20 21 22 23 p * 25 26 27 28 29 30 31 p * 33 34 35 36 37 38 39 p * 41 42 43 44 45 46 47 p * 49 50 51 52 53 54 55 p * 56 48 40 32 24 16 8 p */ outkey[0] = inkey[0]; outkey[1] = inkey[1]; outkey[2] = inkey[2]; outkey[3] = inkey[3]; outkey[4] = inkey[4]; outkey[5] = inkey[5]; outkey[6] = inkey[6]; outkey[7] = (((inkey[0] & 1) << 1) | ((inkey[1] & 1) << 2) | ((inkey[2] & 1) << 3) | ((inkey[3] & 1) << 4) | ((inkey[4] & 1) << 5) | ((inkey[5] & 1) << 6) | ((inkey[6] & 1) << 7)); des_set_odd_parity((des_cblock *) outkey); if (des_is_weak_key((des_cblock *) outkey)) outkey[7] ^= 0xf0; } des3_set_key(ks, ks->ks_key); } static int des3_crypto_cb(struct cryptop *crp) { int error; struct des3_state *ds = (struct des3_state *) crp->crp_opaque; if (crypto_ses2caps(ds->ds_session) & CRYPTOCAP_F_SYNC) return (0); error = crp->crp_etype; if (error == EAGAIN) error = crypto_dispatch(crp); mtx_lock(&ds->ds_lock); if (error || (crp->crp_flags & CRYPTO_F_DONE)) wakeup(crp); mtx_unlock(&ds->ds_lock); return (0); } static void des3_encrypt_1(const struct krb5_key_state *ks, struct mbuf *inout, size_t skip, size_t len, void *ivec, int encdec) { struct des3_state *ds = ks->ks_priv; struct cryptop *crp; struct cryptodesc *crd; int error; crp = crypto_getreq(1); crd = crp->crp_desc; crd->crd_skip = skip; crd->crd_len = len; crd->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT | encdec; if (ivec) { bcopy(ivec, crd->crd_iv, 8); } else { bzero(crd->crd_iv, 8); } crd->crd_next = NULL; crd->crd_alg = CRYPTO_3DES_CBC; crp->crp_session = ds->ds_session; crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC; crp->crp_buf = (void *) inout; crp->crp_opaque = (void *) ds; crp->crp_callback = des3_crypto_cb; error = crypto_dispatch(crp); if ((crypto_ses2caps(ds->ds_session) & CRYPTOCAP_F_SYNC) == 0) { mtx_lock(&ds->ds_lock); if (!error && !(crp->crp_flags & CRYPTO_F_DONE)) error = msleep(crp, &ds->ds_lock, 0, "gssdes3", 0); mtx_unlock(&ds->ds_lock); } crypto_freereq(crp); } static void des3_encrypt(const struct krb5_key_state *ks, struct mbuf *inout, size_t skip, size_t len, void *ivec, size_t ivlen) { des3_encrypt_1(ks, inout, skip, len, ivec, CRD_F_ENCRYPT); } static void des3_decrypt(const struct krb5_key_state *ks, struct mbuf *inout, size_t skip, size_t len, void *ivec, size_t ivlen) { des3_encrypt_1(ks, inout, skip, len, ivec, 0); } static void des3_checksum(const struct krb5_key_state *ks, int usage, struct mbuf *inout, size_t skip, size_t inlen, size_t outlen) { struct des3_state *ds = ks->ks_priv; struct cryptop *crp; struct cryptodesc *crd; int error; crp = crypto_getreq(1); crd = crp->crp_desc; crd->crd_skip = skip; crd->crd_len = inlen; crd->crd_inject = skip + inlen; crd->crd_flags = 0; crd->crd_next = NULL; crd->crd_alg = CRYPTO_SHA1_HMAC; crp->crp_session = ds->ds_session; crp->crp_ilen = inlen; crp->crp_olen = 20; crp->crp_etype = 0; crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC; crp->crp_buf = (void *) inout; crp->crp_opaque = (void *) ds; crp->crp_callback = des3_crypto_cb; error = crypto_dispatch(crp); if ((crypto_ses2caps(ds->ds_session) & CRYPTOCAP_F_SYNC) == 0) { mtx_lock(&ds->ds_lock); if (!error && !(crp->crp_flags & CRYPTO_F_DONE)) error = msleep(crp, &ds->ds_lock, 0, "gssdes3", 0); mtx_unlock(&ds->ds_lock); } crypto_freereq(crp); } struct krb5_encryption_class krb5_des3_encryption_class = { "des3-cbc-sha1", /* name */ ETYPE_DES3_CBC_SHA1, /* etype */ EC_DERIVED_KEYS, /* flags */ 8, /* blocklen */ 8, /* msgblocklen */ 20, /* checksumlen */ 168, /* keybits */ 24, /* keylen */ des3_init, des3_destroy, des3_set_key, des3_random_to_key, des3_encrypt, des3_decrypt, des3_checksum }; #if 0 struct des3_dk_test { uint8_t key[24]; uint8_t usage[8]; size_t usagelen; uint8_t dk[24]; }; struct des3_dk_test tests[] = { {{0xdc, 0xe0, 0x6b, 0x1f, 0x64, 0xc8, 0x57, 0xa1, 0x1c, 0x3d, 0xb5, 0x7c, 0x51, 0x89, 0x9b, 0x2c, 0xc1, 0x79, 0x10, 0x08, 0xce, 0x97, 0x3b, 0x92}, {0x00, 0x00, 0x00, 0x01, 0x55}, 5, {0x92, 0x51, 0x79, 0xd0, 0x45, 0x91, 0xa7, 0x9b, 0x5d, 0x31, 0x92, 0xc4, 0xa7, 0xe9, 0xc2, 0x89, 0xb0, 0x49, 0xc7, 0x1f, 0x6e, 0xe6, 0x04, 0xcd}}, {{0x5e, 0x13, 0xd3, 0x1c, 0x70, 0xef, 0x76, 0x57, 0x46, 0x57, 0x85, 0x31, 0xcb, 0x51, 0xc1, 0x5b, 0xf1, 0x1c, 0xa8, 0x2c, 0x97, 0xce, 0xe9, 0xf2}, {0x00, 0x00, 0x00, 0x01, 0xaa}, 5, {0x9e, 0x58, 0xe5, 0xa1, 0x46, 0xd9, 0x94, 0x2a, 0x10, 0x1c, 0x46, 0x98, 0x45, 0xd6, 0x7a, 0x20, 0xe3, 0xc4, 0x25, 0x9e, 0xd9, 0x13, 0xf2, 0x07}}, {{0x98, 0xe6, 0xfd, 0x8a, 0x04, 0xa4, 0xb6, 0x85, 0x9b, 0x75, 0xa1, 0x76, 0x54, 0x0b, 0x97, 0x52, 0xba, 0xd3, 0xec, 0xd6, 0x10, 0xa2, 0x52, 0xbc}, {0x00, 0x00, 0x00, 0x01, 0x55}, 5, {0x13, 0xfe, 0xf8, 0x0d, 0x76, 0x3e, 0x94, 0xec, 0x6d, 0x13, 0xfd, 0x2c, 0xa1, 0xd0, 0x85, 0x07, 0x02, 0x49, 0xda, 0xd3, 0x98, 0x08, 0xea, 0xbf}}, {{0x62, 0x2a, 0xec, 0x25, 0xa2, 0xfe, 0x2c, 0xad, 0x70, 0x94, 0x68, 0x0b, 0x7c, 0x64, 0x94, 0x02, 0x80, 0x08, 0x4c, 0x1a, 0x7c, 0xec, 0x92, 0xb5}, {0x00, 0x00, 0x00, 0x01, 0xaa}, 5, {0xf8, 0xdf, 0xbf, 0x04, 0xb0, 0x97, 0xe6, 0xd9, 0xdc, 0x07, 0x02, 0x68, 0x6b, 0xcb, 0x34, 0x89, 0xd9, 0x1f, 0xd9, 0xa4, 0x51, 0x6b, 0x70, 0x3e}}, {{0xd3, 0xf8, 0x29, 0x8c, 0xcb, 0x16, 0x64, 0x38, 0xdc, 0xb9, 0xb9, 0x3e, 0xe5, 0xa7, 0x62, 0x92, 0x86, 0xa4, 0x91, 0xf8, 0x38, 0xf8, 0x02, 0xfb}, {0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73}, 8, {0x23, 0x70, 0xda, 0x57, 0x5d, 0x2a, 0x3d, 0xa8, 0x64, 0xce, 0xbf, 0xdc, 0x52, 0x04, 0xd5, 0x6d, 0xf7, 0x79, 0xa7, 0xdf, 0x43, 0xd9, 0xda, 0x43}}, {{0xc1, 0x08, 0x16, 0x49, 0xad, 0xa7, 0x43, 0x62, 0xe6, 0xa1, 0x45, 0x9d, 0x01, 0xdf, 0xd3, 0x0d, 0x67, 0xc2, 0x23, 0x4c, 0x94, 0x07, 0x04, 0xda}, {0x00, 0x00, 0x00, 0x01, 0x55}, 5, {0x34, 0x80, 0x57, 0xec, 0x98, 0xfd, 0xc4, 0x80, 0x16, 0x16, 0x1c, 0x2a, 0x4c, 0x7a, 0x94, 0x3e, 0x92, 0xae, 0x49, 0x2c, 0x98, 0x91, 0x75, 0xf7}}, {{0x5d, 0x15, 0x4a, 0xf2, 0x38, 0xf4, 0x67, 0x13, 0x15, 0x57, 0x19, 0xd5, 0x5e, 0x2f, 0x1f, 0x79, 0x0d, 0xd6, 0x61, 0xf2, 0x79, 0xa7, 0x91, 0x7c}, {0x00, 0x00, 0x00, 0x01, 0xaa}, 5, {0xa8, 0x80, 0x8a, 0xc2, 0x67, 0xda, 0xda, 0x3d, 0xcb, 0xe9, 0xa7, 0xc8, 0x46, 0x26, 0xfb, 0xc7, 0x61, 0xc2, 0x94, 0xb0, 0x13, 0x15, 0xe5, 0xc1}}, {{0x79, 0x85, 0x62, 0xe0, 0x49, 0x85, 0x2f, 0x57, 0xdc, 0x8c, 0x34, 0x3b, 0xa1, 0x7f, 0x2c, 0xa1, 0xd9, 0x73, 0x94, 0xef, 0xc8, 0xad, 0xc4, 0x43}, {0x00, 0x00, 0x00, 0x01, 0x55}, 5, {0xc8, 0x13, 0xf8, 0x8a, 0x3b, 0xe3, 0xb3, 0x34, 0xf7, 0x54, 0x25, 0xce, 0x91, 0x75, 0xfb, 0xe3, 0xc8, 0x49, 0x3b, 0x89, 0xc8, 0x70, 0x3b, 0x49}}, {{0x26, 0xdc, 0xe3, 0x34, 0xb5, 0x45, 0x29, 0x2f, 0x2f, 0xea, 0xb9, 0xa8, 0x70, 0x1a, 0x89, 0xa4, 0xb9, 0x9e, 0xb9, 0x94, 0x2c, 0xec, 0xd0, 0x16}, {0x00, 0x00, 0x00, 0x01, 0xaa}, 5, {0xf4, 0x8f, 0xfd, 0x6e, 0x83, 0xf8, 0x3e, 0x73, 0x54, 0xe6, 0x94, 0xfd, 0x25, 0x2c, 0xf8, 0x3b, 0xfe, 0x58, 0xf7, 0xd5, 0xba, 0x37, 0xec, 0x5d}}, }; #define N_TESTS (sizeof(tests) / sizeof(tests[0])) int main(int argc, char **argv) { struct krb5_key_state *key, *dk; uint8_t *dkp; int j, i; for (j = 0; j < N_TESTS; j++) { struct des3_dk_test *t = &tests[j]; key = krb5_create_key(&des3_encryption_class); krb5_set_key(key, t->key); dk = krb5_derive_key(key, t->usage, t->usagelen); krb5_free_key(key); if (memcmp(dk->ks_key, t->dk, 24)) { printf("DES3 dk("); for (i = 0; i < 24; i++) printf("%02x", t->key[i]); printf(", "); for (i = 0; i < t->usagelen; i++) printf("%02x", t->usage[i]); printf(") failed\n"); printf("should be: "); for (i = 0; i < 24; i++) printf("%02x", t->dk[i]); printf("\n result was: "); dkp = dk->ks_key; for (i = 0; i < 24; i++) printf("%02x", dkp[i]); printf("\n"); } krb5_free_key(dk); } return (0); } #endif Index: stable/12 =================================================================== --- stable/12 (revision 351242) +++ stable/12 (revision 351243) Property changes on: stable/12 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /head:r348875