/src/openssl36/providers/implementations/kdfs/krb5kdf.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | /* clang-format off */ |
10 | | |
11 | | /* clang-format on */ |
12 | | |
13 | | /* |
14 | | * DES low level APIs are deprecated for public use, but still ok for internal |
15 | | * use. We access the DES_set_odd_parity(3) function here. |
16 | | */ |
17 | | #include "internal/deprecated.h" |
18 | | |
19 | | #include <stdlib.h> |
20 | | #include <stdarg.h> |
21 | | #include <string.h> |
22 | | |
23 | | #include <openssl/core_names.h> |
24 | | #include <openssl/des.h> |
25 | | #include <openssl/evp.h> |
26 | | #include <openssl/kdf.h> |
27 | | #include <openssl/proverr.h> |
28 | | |
29 | | #include "internal/cryptlib.h" |
30 | | #include "crypto/evp.h" |
31 | | #include "internal/numbers.h" |
32 | | #include "prov/implementations.h" |
33 | | #include "prov/provider_ctx.h" |
34 | | #include "prov/provider_util.h" |
35 | | #include "prov/providercommon.h" |
36 | | |
37 | | /* KRB5 KDF defined in RFC 3961, Section 5.1 */ |
38 | | |
39 | | static OSSL_FUNC_kdf_newctx_fn krb5kdf_new; |
40 | | static OSSL_FUNC_kdf_dupctx_fn krb5kdf_dup; |
41 | | static OSSL_FUNC_kdf_freectx_fn krb5kdf_free; |
42 | | static OSSL_FUNC_kdf_reset_fn krb5kdf_reset; |
43 | | static OSSL_FUNC_kdf_derive_fn krb5kdf_derive; |
44 | | static OSSL_FUNC_kdf_settable_ctx_params_fn krb5kdf_settable_ctx_params; |
45 | | static OSSL_FUNC_kdf_set_ctx_params_fn krb5kdf_set_ctx_params; |
46 | | static OSSL_FUNC_kdf_gettable_ctx_params_fn krb5kdf_gettable_ctx_params; |
47 | | static OSSL_FUNC_kdf_get_ctx_params_fn krb5kdf_get_ctx_params; |
48 | | |
49 | | static int KRB5KDF(const EVP_CIPHER *cipher, ENGINE *engine, |
50 | | const unsigned char *key, size_t key_len, |
51 | | const unsigned char *constant, size_t constant_len, |
52 | | unsigned char *okey, size_t okey_len); |
53 | | |
54 | | typedef struct { |
55 | | void *provctx; |
56 | | PROV_CIPHER cipher; |
57 | | unsigned char *key; |
58 | | size_t key_len; |
59 | | unsigned char *constant; |
60 | | size_t constant_len; |
61 | | } KRB5KDF_CTX; |
62 | | |
63 | | static void *krb5kdf_new(void *provctx) |
64 | 285 | { |
65 | 285 | KRB5KDF_CTX *ctx; |
66 | | |
67 | 285 | if (!ossl_prov_is_running()) |
68 | 0 | return NULL; |
69 | | |
70 | 285 | if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) |
71 | 0 | return NULL; |
72 | 285 | ctx->provctx = provctx; |
73 | 285 | return ctx; |
74 | 285 | } |
75 | | |
76 | | static void krb5kdf_free(void *vctx) |
77 | 285 | { |
78 | 285 | KRB5KDF_CTX *ctx = (KRB5KDF_CTX *)vctx; |
79 | | |
80 | 285 | if (ctx != NULL) { |
81 | 285 | krb5kdf_reset(ctx); |
82 | 285 | OPENSSL_free(ctx); |
83 | 285 | } |
84 | 285 | } |
85 | | |
86 | | static void krb5kdf_reset(void *vctx) |
87 | 285 | { |
88 | 285 | KRB5KDF_CTX *ctx = (KRB5KDF_CTX *)vctx; |
89 | 285 | void *provctx = ctx->provctx; |
90 | | |
91 | 285 | ossl_prov_cipher_reset(&ctx->cipher); |
92 | 285 | OPENSSL_clear_free(ctx->key, ctx->key_len); |
93 | 285 | OPENSSL_clear_free(ctx->constant, ctx->constant_len); |
94 | 285 | memset(ctx, 0, sizeof(*ctx)); |
95 | 285 | ctx->provctx = provctx; |
96 | 285 | } |
97 | | |
98 | | static int krb5kdf_set_membuf(unsigned char **dst, size_t *dst_len, |
99 | | const OSSL_PARAM *p) |
100 | 534 | { |
101 | 534 | OPENSSL_clear_free(*dst, *dst_len); |
102 | 534 | *dst = NULL; |
103 | 534 | *dst_len = 0; |
104 | 534 | return OSSL_PARAM_get_octet_string(p, (void **)dst, 0, dst_len); |
105 | 534 | } |
106 | | |
107 | | static void *krb5kdf_dup(void *vctx) |
108 | 0 | { |
109 | 0 | const KRB5KDF_CTX *src = (const KRB5KDF_CTX *)vctx; |
110 | 0 | KRB5KDF_CTX *dest; |
111 | |
|
112 | 0 | dest = krb5kdf_new(src->provctx); |
113 | 0 | if (dest != NULL) { |
114 | 0 | if (!ossl_prov_memdup(src->key, src->key_len, |
115 | 0 | &dest->key, &dest->key_len) |
116 | 0 | || !ossl_prov_memdup(src->constant, src->constant_len, |
117 | 0 | &dest->constant, &dest->constant_len) |
118 | 0 | || !ossl_prov_cipher_copy(&dest->cipher, &src->cipher)) |
119 | 0 | goto err; |
120 | 0 | } |
121 | 0 | return dest; |
122 | | |
123 | 0 | err: |
124 | 0 | krb5kdf_free(dest); |
125 | 0 | return NULL; |
126 | 0 | } |
127 | | |
128 | | static int krb5kdf_derive(void *vctx, unsigned char *key, size_t keylen, |
129 | | const OSSL_PARAM params[]) |
130 | 267 | { |
131 | 267 | KRB5KDF_CTX *ctx = (KRB5KDF_CTX *)vctx; |
132 | 267 | const EVP_CIPHER *cipher; |
133 | 267 | ENGINE *engine; |
134 | | |
135 | 267 | if (!ossl_prov_is_running() || !krb5kdf_set_ctx_params(ctx, params)) |
136 | 0 | return 0; |
137 | | |
138 | 267 | cipher = ossl_prov_cipher_cipher(&ctx->cipher); |
139 | 267 | if (cipher == NULL) { |
140 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CIPHER); |
141 | 0 | return 0; |
142 | 0 | } |
143 | 267 | if (ctx->key == NULL) { |
144 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY); |
145 | 0 | return 0; |
146 | 0 | } |
147 | 267 | if (ctx->constant == NULL) { |
148 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONSTANT); |
149 | 0 | return 0; |
150 | 0 | } |
151 | 267 | engine = ossl_prov_cipher_engine(&ctx->cipher); |
152 | 267 | return KRB5KDF(cipher, engine, ctx->key, ctx->key_len, |
153 | 267 | ctx->constant, ctx->constant_len, |
154 | 267 | key, keylen); |
155 | 267 | } |
156 | | |
157 | | /* clang-format off */ |
158 | | /* Machine generated by util/perl/OpenSSL/paramnames.pm */ |
159 | | #ifndef krb5kdf_set_ctx_params_list |
160 | | static const OSSL_PARAM krb5kdf_set_ctx_params_list[] = { |
161 | | OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), |
162 | | OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_CIPHER, NULL, 0), |
163 | | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0), |
164 | | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_CONSTANT, NULL, 0), |
165 | | OSSL_PARAM_END |
166 | | }; |
167 | | #endif |
168 | | |
169 | | #ifndef krb5kdf_set_ctx_params_st |
170 | | struct krb5kdf_set_ctx_params_st { |
171 | | OSSL_PARAM *cipher; |
172 | | OSSL_PARAM *cnst; |
173 | | OSSL_PARAM *engine; |
174 | | OSSL_PARAM *key; |
175 | | OSSL_PARAM *propq; |
176 | | }; |
177 | | #endif |
178 | | |
179 | | #ifndef krb5kdf_set_ctx_params_decoder |
180 | | static int krb5kdf_set_ctx_params_decoder |
181 | | (const OSSL_PARAM *p, struct krb5kdf_set_ctx_params_st *r) |
182 | 58 | { |
183 | 58 | const char *s; |
184 | | |
185 | 58 | memset(r, 0, sizeof(*r)); |
186 | 58 | if (p != NULL) |
187 | 160 | for (; (s = p->key) != NULL; p++) |
188 | 128 | switch(s[0]) { |
189 | 0 | default: |
190 | 0 | break; |
191 | 64 | case 'c': |
192 | 64 | switch(s[1]) { |
193 | 0 | default: |
194 | 0 | break; |
195 | 32 | case 'i': |
196 | 32 | if (ossl_likely(strcmp("pher", s + 2) == 0)) { |
197 | | /* OSSL_KDF_PARAM_CIPHER */ |
198 | 32 | if (ossl_unlikely(r->cipher != NULL)) { |
199 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
200 | 0 | "param %s is repeated", s); |
201 | 0 | return 0; |
202 | 0 | } |
203 | 32 | r->cipher = (OSSL_PARAM *)p; |
204 | 32 | } |
205 | 32 | break; |
206 | 32 | case 'o': |
207 | 32 | if (ossl_likely(strcmp("nstant", s + 2) == 0)) { |
208 | | /* OSSL_KDF_PARAM_CONSTANT */ |
209 | 32 | if (ossl_unlikely(r->cnst != NULL)) { |
210 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
211 | 0 | "param %s is repeated", s); |
212 | 0 | return 0; |
213 | 0 | } |
214 | 32 | r->cnst = (OSSL_PARAM *)p; |
215 | 32 | } |
216 | 64 | } |
217 | 64 | break; |
218 | 64 | case 'e': |
219 | 0 | if (ossl_likely(strcmp("ngine", s + 1) == 0)) { |
220 | | /* OSSL_ALG_PARAM_ENGINE */ |
221 | 0 | if (ossl_unlikely(r->engine != NULL)) { |
222 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
223 | 0 | "param %s is repeated", s); |
224 | 0 | return 0; |
225 | 0 | } |
226 | 0 | r->engine = (OSSL_PARAM *)p; |
227 | 0 | } |
228 | 0 | break; |
229 | 32 | case 'k': |
230 | 32 | if (ossl_likely(strcmp("ey", s + 1) == 0)) { |
231 | | /* OSSL_KDF_PARAM_KEY */ |
232 | 32 | if (ossl_unlikely(r->key != NULL)) { |
233 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
234 | 0 | "param %s is repeated", s); |
235 | 0 | return 0; |
236 | 0 | } |
237 | 32 | r->key = (OSSL_PARAM *)p; |
238 | 32 | } |
239 | 32 | break; |
240 | 32 | case 'p': |
241 | 32 | if (ossl_likely(strcmp("roperties", s + 1) == 0)) { |
242 | | /* OSSL_KDF_PARAM_PROPERTIES */ |
243 | 32 | if (ossl_unlikely(r->propq != NULL)) { |
244 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
245 | 0 | "param %s is repeated", s); |
246 | 0 | return 0; |
247 | 0 | } |
248 | 32 | r->propq = (OSSL_PARAM *)p; |
249 | 32 | } |
250 | 128 | } |
251 | 58 | return 1; |
252 | 58 | } |
253 | | #endif |
254 | | /* End of machine generated */ |
255 | | /* clang-format on */ |
256 | | |
257 | | static int krb5kdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) |
258 | 291 | { |
259 | 291 | struct krb5kdf_set_ctx_params_st p; |
260 | 291 | KRB5KDF_CTX *ctx = vctx; |
261 | 291 | OSSL_LIB_CTX *provctx; |
262 | | |
263 | 291 | if (ctx == NULL || !krb5kdf_set_ctx_params_decoder(params, &p)) |
264 | 0 | return 0; |
265 | | |
266 | 291 | provctx = PROV_LIBCTX_OF(ctx->provctx); |
267 | | |
268 | 291 | if (!ossl_prov_cipher_load(&ctx->cipher, p.cipher, p.propq, p.engine, provctx)) |
269 | 9 | return 0; |
270 | | |
271 | 282 | if (p.key != NULL && !krb5kdf_set_membuf(&ctx->key, &ctx->key_len, p.key)) |
272 | 0 | return 0; |
273 | | |
274 | 282 | if (p.cnst != NULL |
275 | 141 | && !krb5kdf_set_membuf(&ctx->constant, &ctx->constant_len, p.cnst)) |
276 | 0 | return 0; |
277 | | |
278 | 282 | return 1; |
279 | 282 | } |
280 | | |
281 | | static const OSSL_PARAM *krb5kdf_settable_ctx_params(ossl_unused void *ctx, |
282 | | ossl_unused void *provctx) |
283 | 285 | { |
284 | 285 | return krb5kdf_set_ctx_params_list; |
285 | 285 | } |
286 | | |
287 | | /* clang-format off */ |
288 | | /* Machine generated by util/perl/OpenSSL/paramnames.pm */ |
289 | | #ifndef krb5kdf_get_ctx_params_list |
290 | | static const OSSL_PARAM krb5kdf_get_ctx_params_list[] = { |
291 | | OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), |
292 | | OSSL_PARAM_END |
293 | | }; |
294 | | #endif |
295 | | |
296 | | #ifndef krb5kdf_get_ctx_params_st |
297 | | struct krb5kdf_get_ctx_params_st { |
298 | | OSSL_PARAM *size; |
299 | | }; |
300 | | #endif |
301 | | |
302 | | #ifndef krb5kdf_get_ctx_params_decoder |
303 | | static int krb5kdf_get_ctx_params_decoder |
304 | | (const OSSL_PARAM *p, struct krb5kdf_get_ctx_params_st *r) |
305 | 0 | { |
306 | 0 | const char *s; |
307 | |
|
308 | 0 | memset(r, 0, sizeof(*r)); |
309 | 0 | if (p != NULL) |
310 | 0 | for (; (s = p->key) != NULL; p++) |
311 | 0 | if (ossl_likely(strcmp("size", s + 0) == 0)) { |
312 | | /* OSSL_KDF_PARAM_SIZE */ |
313 | 0 | if (ossl_unlikely(r->size != NULL)) { |
314 | 0 | ERR_raise_data(ERR_LIB_PROV, PROV_R_REPEATED_PARAMETER, |
315 | 0 | "param %s is repeated", s); |
316 | 0 | return 0; |
317 | 0 | } |
318 | 0 | r->size = (OSSL_PARAM *)p; |
319 | 0 | } |
320 | 0 | return 1; |
321 | 0 | } |
322 | | #endif |
323 | | /* End of machine generated */ |
324 | | /* clang-format on */ |
325 | | |
326 | | static int krb5kdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) |
327 | 0 | { |
328 | 0 | struct krb5kdf_get_ctx_params_st p; |
329 | 0 | KRB5KDF_CTX *ctx = (KRB5KDF_CTX *)vctx; |
330 | |
|
331 | 0 | if (ctx == NULL || !krb5kdf_get_ctx_params_decoder(params, &p)) |
332 | 0 | return 0; |
333 | | |
334 | 0 | if (p.size != NULL) { |
335 | 0 | const EVP_CIPHER *cipher = ossl_prov_cipher_cipher(&ctx->cipher); |
336 | 0 | size_t len; |
337 | |
|
338 | 0 | if (cipher != NULL) |
339 | 0 | len = EVP_CIPHER_get_key_length(cipher); |
340 | 0 | else |
341 | 0 | len = EVP_MAX_KEY_LENGTH; |
342 | |
|
343 | 0 | if (!OSSL_PARAM_set_size_t(p.size, len)) |
344 | 0 | return 0; |
345 | 0 | } |
346 | 0 | return 1; |
347 | 0 | } |
348 | | |
349 | | static const OSSL_PARAM *krb5kdf_gettable_ctx_params(ossl_unused void *ctx, |
350 | | ossl_unused void *provctx) |
351 | 0 | { |
352 | 0 | return krb5kdf_get_ctx_params_list; |
353 | 0 | } |
354 | | |
355 | | const OSSL_DISPATCH ossl_kdf_krb5kdf_functions[] = { |
356 | | { OSSL_FUNC_KDF_NEWCTX, (void (*)(void))krb5kdf_new }, |
357 | | { OSSL_FUNC_KDF_DUPCTX, (void (*)(void))krb5kdf_dup }, |
358 | | { OSSL_FUNC_KDF_FREECTX, (void (*)(void))krb5kdf_free }, |
359 | | { OSSL_FUNC_KDF_RESET, (void (*)(void))krb5kdf_reset }, |
360 | | { OSSL_FUNC_KDF_DERIVE, (void (*)(void))krb5kdf_derive }, |
361 | | { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS, |
362 | | (void (*)(void))krb5kdf_settable_ctx_params }, |
363 | | { OSSL_FUNC_KDF_SET_CTX_PARAMS, |
364 | | (void (*)(void))krb5kdf_set_ctx_params }, |
365 | | { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, |
366 | | (void (*)(void))krb5kdf_gettable_ctx_params }, |
367 | | { OSSL_FUNC_KDF_GET_CTX_PARAMS, |
368 | | (void (*)(void))krb5kdf_get_ctx_params }, |
369 | | OSSL_DISPATCH_END |
370 | | }; |
371 | | |
372 | | #ifndef OPENSSL_NO_DES |
373 | | /* |
374 | | * DES3 is a special case, it requires a random-to-key function and its |
375 | | * input truncated to 21 bytes of the 24 produced by the cipher. |
376 | | * See RFC3961 6.3.1 |
377 | | */ |
378 | | static int fixup_des3_key(unsigned char *key) |
379 | 0 | { |
380 | 0 | unsigned char *cblock; |
381 | 0 | int i, j; |
382 | |
|
383 | 0 | for (i = 2; i >= 0; i--) { |
384 | 0 | cblock = &key[i * 8]; |
385 | 0 | memmove(cblock, &key[i * 7], 7); |
386 | 0 | cblock[7] = 0; |
387 | 0 | for (j = 0; j < 7; j++) |
388 | 0 | cblock[7] |= (cblock[j] & 1) << (j + 1); |
389 | 0 | DES_set_odd_parity((DES_cblock *)cblock); |
390 | 0 | } |
391 | | |
392 | | /* fail if keys are such that triple des degrades to single des */ |
393 | 0 | if (CRYPTO_memcmp(&key[0], &key[8], 8) == 0 || CRYPTO_memcmp(&key[8], &key[16], 8) == 0) { |
394 | 0 | return 0; |
395 | 0 | } |
396 | | |
397 | 0 | return 1; |
398 | 0 | } |
399 | | #endif |
400 | | |
401 | | /* |
402 | | * N-fold(K) where blocksize is N, and constant_len is K |
403 | | * Note: Here |= denotes concatenation |
404 | | * |
405 | | * L = lcm(N,K) |
406 | | * R = L/K |
407 | | * |
408 | | * for r: 1 -> R |
409 | | * s |= constant rot 13*(r-1)) |
410 | | * |
411 | | * block = 0 |
412 | | * for k: 1 -> K |
413 | | * block += s[N(k-1)..(N-1)k] (ones'-complement addition) |
414 | | * |
415 | | * Optimizing for space we compute: |
416 | | * for each l in L-1 -> 0: |
417 | | * s[l] = (constant rot 13*(l/K))[l%k] |
418 | | * block[l % N] += s[l] (with carry) |
419 | | * finally add carry if any |
420 | | */ |
421 | | static void n_fold(unsigned char *block, unsigned int blocksize, |
422 | | const unsigned char *constant, unsigned int constant_len) |
423 | 91 | { |
424 | 91 | unsigned int tmp, gcd, remainder, lcm, carry; |
425 | 91 | int b, l; |
426 | | |
427 | 91 | if (constant_len == blocksize) { |
428 | 7 | memcpy(block, constant, constant_len); |
429 | 7 | return; |
430 | 7 | } |
431 | | |
432 | | /* Least Common Multiple of lengths: LCM(a,b)*/ |
433 | 84 | gcd = blocksize; |
434 | 84 | remainder = constant_len; |
435 | | /* Calculate Great Common Divisor first GCD(a,b) */ |
436 | 159 | while (remainder != 0) { |
437 | 75 | tmp = gcd % remainder; |
438 | 75 | gcd = remainder; |
439 | 75 | remainder = tmp; |
440 | 75 | } |
441 | | /* resulting a is the GCD, LCM(a,b) = |a*b|/GCD(a,b) */ |
442 | 84 | lcm = blocksize * constant_len / gcd; |
443 | | |
444 | | /* now spread out the bits */ |
445 | 84 | memset(block, 0, blocksize); |
446 | | |
447 | | /* last to first to be able to bring carry forward */ |
448 | 84 | carry = 0; |
449 | 2.82k | for (l = lcm - 1; l >= 0; l--) { |
450 | 2.73k | unsigned int rotbits, rshift, rbyte; |
451 | | |
452 | | /* destination byte in block is l % N */ |
453 | 2.73k | b = l % blocksize; |
454 | | /* Our virtual s buffer is R = L/K long (K = constant_len) */ |
455 | | /* So we rotate backwards from R-1 to 0 (none) rotations */ |
456 | 2.73k | rotbits = 13 * (l / constant_len); |
457 | | /* find the byte on s where rotbits falls onto */ |
458 | 2.73k | rbyte = l - (rotbits / 8); |
459 | | /* calculate how much shift on that byte */ |
460 | 2.73k | rshift = rotbits & 0x07; |
461 | | /* rbyte % constant_len gives us the unrotated byte in the |
462 | | * constant buffer, get also the previous byte then |
463 | | * appropriately shift them to get the rotated byte we need */ |
464 | 2.73k | tmp = (constant[(rbyte - 1) % constant_len] << (8 - rshift) |
465 | 2.73k | | constant[rbyte % constant_len] >> rshift) |
466 | 2.73k | & 0xff; |
467 | | /* add with carry to any value placed by previous passes */ |
468 | 2.73k | tmp += carry + block[b]; |
469 | 2.73k | block[b] = tmp & 0xff; |
470 | | /* save any carry that may be left */ |
471 | 2.73k | carry = tmp >> 8; |
472 | 2.73k | } |
473 | | |
474 | | /* if any carry is left at the end, add it through the number */ |
475 | 115 | for (b = blocksize - 1; b >= 0 && carry != 0; b--) { |
476 | 31 | carry += block[b]; |
477 | 31 | block[b] = carry & 0xff; |
478 | 31 | carry >>= 8; |
479 | 31 | } |
480 | 84 | } |
481 | | |
482 | | static int cipher_init(EVP_CIPHER_CTX *ctx, |
483 | | const EVP_CIPHER *cipher, ENGINE *engine, |
484 | | const unsigned char *key, size_t key_len) |
485 | 1.34k | { |
486 | 1.34k | int klen, ret; |
487 | | |
488 | 1.34k | ret = EVP_EncryptInit_ex(ctx, cipher, engine, NULL, NULL); |
489 | 1.34k | if (!ret) |
490 | 0 | goto out; |
491 | | /* set the key len for the odd variable key len cipher */ |
492 | 1.34k | klen = EVP_CIPHER_CTX_get_key_length(ctx); |
493 | 1.34k | if (key_len != (size_t)klen) { |
494 | 67 | ret = EVP_CIPHER_CTX_set_key_length(ctx, (int)key_len); |
495 | 67 | if (ret <= 0) { |
496 | 67 | ret = 0; |
497 | 67 | goto out; |
498 | 67 | } |
499 | 67 | } |
500 | 1.27k | ret = EVP_EncryptInit_ex(ctx, NULL, NULL, key, NULL); |
501 | 1.27k | if (!ret) |
502 | 2 | goto out; |
503 | | /* we never want padding, either the length requested is a multiple of |
504 | | * the cipher block size or we are passed a cipher that can cope with |
505 | | * partial blocks via techniques like cipher text stealing */ |
506 | 1.27k | ret = EVP_CIPHER_CTX_set_padding(ctx, 0); |
507 | 1.27k | if (!ret) |
508 | 0 | goto out; |
509 | | |
510 | 1.34k | out: |
511 | 1.34k | return ret; |
512 | 1.27k | } |
513 | | |
514 | | static int KRB5KDF(const EVP_CIPHER *cipher, ENGINE *engine, |
515 | | const unsigned char *key, size_t key_len, |
516 | | const unsigned char *constant, size_t constant_len, |
517 | | unsigned char *okey, size_t okey_len) |
518 | 267 | { |
519 | 267 | EVP_CIPHER_CTX *ctx = NULL; |
520 | 267 | unsigned char block[EVP_MAX_BLOCK_LENGTH * 2]; |
521 | 267 | unsigned char *plainblock, *cipherblock; |
522 | 267 | size_t blocksize; |
523 | 267 | size_t cipherlen; |
524 | 267 | size_t osize; |
525 | 267 | #ifndef OPENSSL_NO_DES |
526 | 267 | int des3_no_fixup = 0; |
527 | 267 | #endif |
528 | 267 | int ret; |
529 | | |
530 | 267 | if (key_len != okey_len) { |
531 | 69 | #ifndef OPENSSL_NO_DES |
532 | | /* special case for 3des, where the caller may be requesting |
533 | | * the random raw key, instead of the fixed up key */ |
534 | 69 | if (EVP_CIPHER_get_nid(cipher) == NID_des_ede3_cbc && key_len == 24 && okey_len == 21) { |
535 | 0 | des3_no_fixup = 1; |
536 | 69 | } else { |
537 | 69 | #endif |
538 | 69 | ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_OUTPUT_BUFFER_SIZE); |
539 | 69 | return 0; |
540 | 69 | #ifndef OPENSSL_NO_DES |
541 | 69 | } |
542 | 69 | #endif |
543 | 69 | } |
544 | | |
545 | 198 | ctx = EVP_CIPHER_CTX_new(); |
546 | 198 | if (ctx == NULL) |
547 | 0 | return 0; |
548 | | |
549 | 198 | ret = cipher_init(ctx, cipher, engine, key, key_len); |
550 | 198 | if (!ret) |
551 | 69 | goto out; |
552 | | |
553 | | /* Initialize input block */ |
554 | 129 | blocksize = EVP_CIPHER_CTX_get_block_size(ctx); |
555 | | |
556 | 129 | if (blocksize == 0) { |
557 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CIPHER); |
558 | 0 | ret = 0; |
559 | 0 | goto out; |
560 | 0 | } |
561 | | |
562 | 129 | if (constant_len > blocksize) { |
563 | 38 | ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONSTANT_LENGTH); |
564 | 38 | ret = 0; |
565 | 38 | goto out; |
566 | 38 | } |
567 | | |
568 | 91 | n_fold(block, (unsigned int)blocksize, constant, (unsigned int)constant_len); |
569 | 91 | plainblock = block; |
570 | 91 | cipherblock = block + EVP_MAX_BLOCK_LENGTH; |
571 | | |
572 | 1.30k | for (osize = 0; osize < okey_len; osize += cipherlen) { |
573 | 1.23k | int olen; |
574 | | |
575 | 1.23k | ret = EVP_EncryptUpdate(ctx, cipherblock, &olen, |
576 | 1.23k | plainblock, (int)blocksize); |
577 | 1.23k | if (!ret) |
578 | 24 | goto out; |
579 | 1.21k | cipherlen = olen; |
580 | 1.21k | ret = EVP_EncryptFinal_ex(ctx, cipherblock, &olen); |
581 | 1.21k | if (!ret) |
582 | 0 | goto out; |
583 | 1.21k | if (olen != 0) { |
584 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_FINAL_BLOCK_LENGTH); |
585 | 0 | ret = 0; |
586 | 0 | goto out; |
587 | 0 | } |
588 | | |
589 | | /* write cipherblock out */ |
590 | 1.21k | if (cipherlen > okey_len - osize) |
591 | 0 | cipherlen = okey_len - osize; |
592 | 1.21k | memcpy(okey + osize, cipherblock, cipherlen); |
593 | | |
594 | 1.21k | if (okey_len > osize + cipherlen) { |
595 | | /* we need to reinitialize cipher context per spec */ |
596 | 1.14k | ret = EVP_CIPHER_CTX_reset(ctx); |
597 | 1.14k | if (!ret) |
598 | 0 | goto out; |
599 | 1.14k | ret = cipher_init(ctx, cipher, engine, key, key_len); |
600 | 1.14k | if (!ret) |
601 | 0 | goto out; |
602 | | |
603 | | /* also swap block offsets so last ciphertext becomes new |
604 | | * plaintext */ |
605 | 1.14k | plainblock = cipherblock; |
606 | 1.14k | if (cipherblock == block) { |
607 | 540 | cipherblock += EVP_MAX_BLOCK_LENGTH; |
608 | 607 | } else { |
609 | 607 | cipherblock = block; |
610 | 607 | } |
611 | 1.14k | } |
612 | 1.21k | } |
613 | | |
614 | 67 | #ifndef OPENSSL_NO_DES |
615 | 67 | if (EVP_CIPHER_get_nid(cipher) == NID_des_ede3_cbc && !des3_no_fixup) { |
616 | 0 | ret = fixup_des3_key(okey); |
617 | 0 | if (!ret) { |
618 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GENERATE_KEY); |
619 | 0 | goto out; |
620 | 0 | } |
621 | 0 | } |
622 | 67 | #endif |
623 | | |
624 | 67 | ret = 1; |
625 | | |
626 | 198 | out: |
627 | 198 | EVP_CIPHER_CTX_free(ctx); |
628 | 198 | OPENSSL_cleanse(block, EVP_MAX_BLOCK_LENGTH * 2); |
629 | 198 | return ret; |
630 | 67 | } |