1 /*
2  * Copyright 2018-2024 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /*
11  * DES low level APIs are deprecated for public use, but still ok for internal
12  * use.  We access the DES_set_odd_parity(3) function here.
13  */
14 #include "internal/deprecated.h"
15 
16 #include <stdlib.h>
17 #include <stdarg.h>
18 #include <string.h>
19 
20 #include <openssl/core_names.h>
21 #include <openssl/des.h>
22 #include <openssl/evp.h>
23 #include <openssl/kdf.h>
24 #include <openssl/proverr.h>
25 
26 #include "internal/cryptlib.h"
27 #include "crypto/evp.h"
28 #include "internal/numbers.h"
29 #include "prov/implementations.h"
30 #include "prov/provider_ctx.h"
31 #include "prov/provider_util.h"
32 #include "prov/providercommon.h"
33 
34 /* KRB5 KDF defined in RFC 3961, Section 5.1 */
35 
36 static OSSL_FUNC_kdf_newctx_fn krb5kdf_new;
37 static OSSL_FUNC_kdf_dupctx_fn krb5kdf_dup;
38 static OSSL_FUNC_kdf_freectx_fn krb5kdf_free;
39 static OSSL_FUNC_kdf_reset_fn krb5kdf_reset;
40 static OSSL_FUNC_kdf_derive_fn krb5kdf_derive;
41 static OSSL_FUNC_kdf_settable_ctx_params_fn krb5kdf_settable_ctx_params;
42 static OSSL_FUNC_kdf_set_ctx_params_fn krb5kdf_set_ctx_params;
43 static OSSL_FUNC_kdf_gettable_ctx_params_fn krb5kdf_gettable_ctx_params;
44 static OSSL_FUNC_kdf_get_ctx_params_fn krb5kdf_get_ctx_params;
45 
46 static int KRB5KDF(const EVP_CIPHER *cipher, ENGINE *engine,
47                    const unsigned char *key, size_t key_len,
48                    const unsigned char *constant, size_t constant_len,
49                    unsigned char *okey, size_t okey_len);
50 
51 typedef struct {
52     void *provctx;
53     PROV_CIPHER cipher;
54     unsigned char *key;
55     size_t key_len;
56     unsigned char *constant;
57     size_t constant_len;
58 } KRB5KDF_CTX;
59 
krb5kdf_new(void * provctx)60 static void *krb5kdf_new(void *provctx)
61 {
62     KRB5KDF_CTX *ctx;
63 
64     if (!ossl_prov_is_running())
65         return NULL;
66 
67     if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
68         return NULL;
69     ctx->provctx = provctx;
70     return ctx;
71 }
72 
krb5kdf_free(void * vctx)73 static void krb5kdf_free(void *vctx)
74 {
75     KRB5KDF_CTX *ctx = (KRB5KDF_CTX *)vctx;
76 
77     if (ctx != NULL) {
78         krb5kdf_reset(ctx);
79         OPENSSL_free(ctx);
80     }
81 }
82 
krb5kdf_reset(void * vctx)83 static void krb5kdf_reset(void *vctx)
84 {
85     KRB5KDF_CTX *ctx = (KRB5KDF_CTX *)vctx;
86     void *provctx = ctx->provctx;
87 
88     ossl_prov_cipher_reset(&ctx->cipher);
89     OPENSSL_clear_free(ctx->key, ctx->key_len);
90     OPENSSL_clear_free(ctx->constant, ctx->constant_len);
91     memset(ctx, 0, sizeof(*ctx));
92     ctx->provctx = provctx;
93 }
94 
krb5kdf_set_membuf(unsigned char ** dst,size_t * dst_len,const OSSL_PARAM * p)95 static int krb5kdf_set_membuf(unsigned char **dst, size_t *dst_len,
96                               const OSSL_PARAM *p)
97 {
98     OPENSSL_clear_free(*dst, *dst_len);
99     *dst = NULL;
100     *dst_len = 0;
101     return OSSL_PARAM_get_octet_string(p, (void **)dst, 0, dst_len);
102 }
103 
krb5kdf_dup(void * vctx)104 static void *krb5kdf_dup(void *vctx)
105 {
106     const KRB5KDF_CTX *src = (const KRB5KDF_CTX *)vctx;
107     KRB5KDF_CTX *dest;
108 
109     dest = krb5kdf_new(src->provctx);
110     if (dest != NULL) {
111         if (!ossl_prov_memdup(src->key, src->key_len,
112                               &dest->key, &dest->key_len)
113                 || !ossl_prov_memdup(src->constant, src->constant_len,
114                                      &dest->constant , &dest->constant_len)
115                 || !ossl_prov_cipher_copy(&dest->cipher, &src->cipher))
116             goto err;
117     }
118     return dest;
119 
120  err:
121     krb5kdf_free(dest);
122     return NULL;
123 }
124 
krb5kdf_derive(void * vctx,unsigned char * key,size_t keylen,const OSSL_PARAM params[])125 static int krb5kdf_derive(void *vctx, unsigned char *key, size_t keylen,
126                           const OSSL_PARAM params[])
127 {
128     KRB5KDF_CTX *ctx = (KRB5KDF_CTX *)vctx;
129     const EVP_CIPHER *cipher;
130     ENGINE *engine;
131 
132     if (!ossl_prov_is_running() || !krb5kdf_set_ctx_params(ctx, params))
133         return 0;
134 
135     cipher = ossl_prov_cipher_cipher(&ctx->cipher);
136     if (cipher == NULL) {
137         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CIPHER);
138         return 0;
139     }
140     if (ctx->key == NULL) {
141         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
142         return 0;
143     }
144     if (ctx->constant == NULL) {
145         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONSTANT);
146         return 0;
147     }
148     engine = ossl_prov_cipher_engine(&ctx->cipher);
149     return KRB5KDF(cipher, engine, ctx->key, ctx->key_len,
150                    ctx->constant, ctx->constant_len,
151                    key, keylen);
152 }
153 
krb5kdf_set_ctx_params(void * vctx,const OSSL_PARAM params[])154 static int krb5kdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
155 {
156     const OSSL_PARAM *p;
157     KRB5KDF_CTX *ctx = vctx;
158     OSSL_LIB_CTX *provctx = PROV_LIBCTX_OF(ctx->provctx);
159 
160     if (ossl_param_is_empty(params))
161         return 1;
162 
163     if (!ossl_prov_cipher_load_from_params(&ctx->cipher, params, provctx))
164         return 0;
165 
166     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KEY)) != NULL)
167         if (!krb5kdf_set_membuf(&ctx->key, &ctx->key_len, p))
168             return 0;
169 
170     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_CONSTANT))
171         != NULL)
172         if (!krb5kdf_set_membuf(&ctx->constant, &ctx->constant_len, p))
173             return 0;
174 
175     return 1;
176 }
177 
krb5kdf_settable_ctx_params(ossl_unused void * ctx,ossl_unused void * provctx)178 static const OSSL_PARAM *krb5kdf_settable_ctx_params(ossl_unused void *ctx,
179                                                      ossl_unused void *provctx)
180 {
181     static const OSSL_PARAM known_settable_ctx_params[] = {
182         OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
183         OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_CIPHER, NULL, 0),
184         OSSL_PARAM_octet_string(OSSL_KDF_PARAM_KEY, NULL, 0),
185         OSSL_PARAM_octet_string(OSSL_KDF_PARAM_CONSTANT, NULL, 0),
186         OSSL_PARAM_END
187     };
188     return known_settable_ctx_params;
189 }
190 
krb5kdf_get_ctx_params(void * vctx,OSSL_PARAM params[])191 static int krb5kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
192 {
193     KRB5KDF_CTX *ctx = (KRB5KDF_CTX *)vctx;
194     const EVP_CIPHER *cipher;
195     size_t len;
196     OSSL_PARAM *p;
197 
198     cipher = ossl_prov_cipher_cipher(&ctx->cipher);
199     if (cipher)
200         len = EVP_CIPHER_get_key_length(cipher);
201     else
202         len = EVP_MAX_KEY_LENGTH;
203 
204     if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
205         return OSSL_PARAM_set_size_t(p, len);
206     return -2;
207 }
208 
krb5kdf_gettable_ctx_params(ossl_unused void * ctx,ossl_unused void * provctx)209 static const OSSL_PARAM *krb5kdf_gettable_ctx_params(ossl_unused void *ctx,
210                                                      ossl_unused void *provctx)
211 {
212     static const OSSL_PARAM known_gettable_ctx_params[] = {
213         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
214         OSSL_PARAM_END
215     };
216     return known_gettable_ctx_params;
217 }
218 
219 const OSSL_DISPATCH ossl_kdf_krb5kdf_functions[] = {
220     { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))krb5kdf_new },
221     { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))krb5kdf_dup },
222     { OSSL_FUNC_KDF_FREECTX, (void(*)(void))krb5kdf_free },
223     { OSSL_FUNC_KDF_RESET, (void(*)(void))krb5kdf_reset },
224     { OSSL_FUNC_KDF_DERIVE, (void(*)(void))krb5kdf_derive },
225     { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
226       (void(*)(void))krb5kdf_settable_ctx_params },
227     { OSSL_FUNC_KDF_SET_CTX_PARAMS,
228       (void(*)(void))krb5kdf_set_ctx_params },
229     { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
230       (void(*)(void))krb5kdf_gettable_ctx_params },
231     { OSSL_FUNC_KDF_GET_CTX_PARAMS,
232       (void(*)(void))krb5kdf_get_ctx_params },
233     OSSL_DISPATCH_END
234 };
235 
236 #ifndef OPENSSL_NO_DES
237 /*
238  * DES3 is a special case, it requires a random-to-key function and its
239  * input truncated to 21 bytes of the 24 produced by the cipher.
240  * See RFC3961 6.3.1
241  */
fixup_des3_key(unsigned char * key)242 static int fixup_des3_key(unsigned char *key)
243 {
244     unsigned char *cblock;
245     int i, j;
246 
247     for (i = 2; i >= 0; i--) {
248         cblock = &key[i * 8];
249         memmove(cblock, &key[i * 7], 7);
250         cblock[7] = 0;
251         for (j = 0; j < 7; j++)
252             cblock[7] |= (cblock[j] & 1) << (j + 1);
253         DES_set_odd_parity((DES_cblock *)cblock);
254     }
255 
256     /* fail if keys are such that triple des degrades to single des */
257     if (CRYPTO_memcmp(&key[0], &key[8], 8) == 0 ||
258         CRYPTO_memcmp(&key[8], &key[16], 8) == 0) {
259         return 0;
260     }
261 
262     return 1;
263 }
264 #endif
265 
266 /*
267  * N-fold(K) where blocksize is N, and constant_len is K
268  * Note: Here |= denotes concatenation
269  *
270  * L = lcm(N,K)
271  * R = L/K
272  *
273  * for r: 1 -> R
274  *   s |= constant rot 13*(r-1))
275  *
276  * block = 0
277  * for k: 1 -> K
278  *   block += s[N(k-1)..(N-1)k] (one's complement addition)
279  *
280  * Optimizing for space we compute:
281  * for each l in L-1 -> 0:
282  *   s[l] = (constant rot 13*(l/K))[l%k]
283  *   block[l % N] += s[l] (with carry)
284  * finally add carry if any
285  */
n_fold(unsigned char * block,unsigned int blocksize,const unsigned char * constant,size_t constant_len)286 static void n_fold(unsigned char *block, unsigned int blocksize,
287                    const unsigned char *constant, size_t constant_len)
288 {
289     unsigned int tmp, gcd, remainder, lcm, carry;
290     int b, l;
291 
292     if (constant_len == blocksize) {
293         memcpy(block, constant, constant_len);
294         return;
295     }
296 
297     /* Least Common Multiple of lengths: LCM(a,b)*/
298     gcd = blocksize;
299     remainder = constant_len;
300     /* Calculate Great Common Divisor first GCD(a,b) */
301     while (remainder != 0) {
302         tmp = gcd % remainder;
303         gcd = remainder;
304         remainder = tmp;
305     }
306     /* resulting a is the GCD, LCM(a,b) = |a*b|/GCD(a,b) */
307     lcm = blocksize * constant_len / gcd;
308 
309     /* now spread out the bits */
310     memset(block, 0, blocksize);
311 
312     /* last to first to be able to bring carry forward */
313     carry = 0;
314     for (l = lcm - 1; l >= 0; l--) {
315         unsigned int rotbits, rshift, rbyte;
316 
317         /* destination byte in block is l % N */
318         b = l % blocksize;
319         /* Our virtual s buffer is R = L/K long (K = constant_len) */
320         /* So we rotate backwards from R-1 to 0 (none) rotations */
321         rotbits = 13 * (l / constant_len);
322         /* find the byte on s where rotbits falls onto */
323         rbyte = l - (rotbits / 8);
324         /* calculate how much shift on that byte */
325         rshift = rotbits & 0x07;
326         /* rbyte % constant_len gives us the unrotated byte in the
327          * constant buffer, get also the previous byte then
328          * appropriately shift them to get the rotated byte we need */
329         tmp = (constant[(rbyte-1) % constant_len] << (8 - rshift)
330                | constant[rbyte % constant_len] >> rshift)
331               & 0xff;
332         /* add with carry to any value placed by previous passes */
333         tmp += carry + block[b];
334         block[b] = tmp & 0xff;
335         /* save any carry that may be left */
336         carry = tmp >> 8;
337     }
338 
339     /* if any carry is left at the end, add it through the number */
340     for (b = blocksize - 1; b >= 0 && carry != 0; b--) {
341         carry += block[b];
342         block[b] = carry & 0xff;
343         carry >>= 8;
344     }
345 }
346 
cipher_init(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,ENGINE * engine,const unsigned char * key,size_t key_len)347 static int cipher_init(EVP_CIPHER_CTX *ctx,
348                        const EVP_CIPHER *cipher, ENGINE *engine,
349                        const unsigned char *key, size_t key_len)
350 {
351     int klen, ret;
352 
353     ret = EVP_EncryptInit_ex(ctx, cipher, engine, key, NULL);
354     if (!ret)
355         goto out;
356     /* set the key len for the odd variable key len cipher */
357     klen = EVP_CIPHER_CTX_get_key_length(ctx);
358     if (key_len != (size_t)klen) {
359         ret = EVP_CIPHER_CTX_set_key_length(ctx, key_len);
360         if (ret <= 0) {
361             ret = 0;
362             goto out;
363         }
364     }
365     /* we never want padding, either the length requested is a multiple of
366      * the cipher block size or we are passed a cipher that can cope with
367      * partial blocks via techniques like cipher text stealing */
368     ret = EVP_CIPHER_CTX_set_padding(ctx, 0);
369     if (!ret)
370         goto out;
371 
372 out:
373     return ret;
374 }
375 
KRB5KDF(const EVP_CIPHER * cipher,ENGINE * engine,const unsigned char * key,size_t key_len,const unsigned char * constant,size_t constant_len,unsigned char * okey,size_t okey_len)376 static int KRB5KDF(const EVP_CIPHER *cipher, ENGINE *engine,
377                    const unsigned char *key, size_t key_len,
378                    const unsigned char *constant, size_t constant_len,
379                    unsigned char *okey, size_t okey_len)
380 {
381     EVP_CIPHER_CTX *ctx = NULL;
382     unsigned char block[EVP_MAX_BLOCK_LENGTH * 2];
383     unsigned char *plainblock, *cipherblock;
384     size_t blocksize;
385     size_t cipherlen;
386     size_t osize;
387 #ifndef OPENSSL_NO_DES
388     int des3_no_fixup = 0;
389 #endif
390     int ret;
391 
392     if (key_len != okey_len) {
393 #ifndef OPENSSL_NO_DES
394         /* special case for 3des, where the caller may be requesting
395          * the random raw key, instead of the fixed up key  */
396         if (EVP_CIPHER_get_nid(cipher) == NID_des_ede3_cbc &&
397             key_len == 24 && okey_len == 21) {
398                 des3_no_fixup = 1;
399         } else {
400 #endif
401             ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_OUTPUT_BUFFER_SIZE);
402             return 0;
403 #ifndef OPENSSL_NO_DES
404         }
405 #endif
406     }
407 
408     ctx = EVP_CIPHER_CTX_new();
409     if (ctx == NULL)
410         return 0;
411 
412     ret = cipher_init(ctx, cipher, engine, key, key_len);
413     if (!ret)
414         goto out;
415 
416     /* Initialize input block */
417     blocksize = EVP_CIPHER_CTX_get_block_size(ctx);
418 
419     if (blocksize == 0) {
420         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CIPHER);
421         ret = 0;
422         goto out;
423     }
424 
425     if (constant_len > blocksize) {
426         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONSTANT_LENGTH);
427         ret = 0;
428         goto out;
429     }
430 
431     n_fold(block, blocksize, constant, constant_len);
432     plainblock = block;
433     cipherblock = block + EVP_MAX_BLOCK_LENGTH;
434 
435     for (osize = 0; osize < okey_len; osize += cipherlen) {
436         int olen;
437 
438         ret = EVP_EncryptUpdate(ctx, cipherblock, &olen,
439                                 plainblock, blocksize);
440         if (!ret)
441             goto out;
442         cipherlen = olen;
443         ret = EVP_EncryptFinal_ex(ctx, cipherblock, &olen);
444         if (!ret)
445             goto out;
446         if (olen != 0) {
447             ERR_raise(ERR_LIB_PROV, PROV_R_WRONG_FINAL_BLOCK_LENGTH);
448             ret = 0;
449             goto out;
450         }
451 
452         /* write cipherblock out */
453         if (cipherlen > okey_len - osize)
454             cipherlen = okey_len - osize;
455         memcpy(okey + osize, cipherblock, cipherlen);
456 
457         if (okey_len > osize + cipherlen) {
458             /* we need to reinitialize cipher context per spec */
459             ret = EVP_CIPHER_CTX_reset(ctx);
460             if (!ret)
461                 goto out;
462             ret = cipher_init(ctx, cipher, engine, key, key_len);
463             if (!ret)
464                 goto out;
465 
466             /* also swap block offsets so last ciphertext becomes new
467              * plaintext */
468             plainblock = cipherblock;
469             if (cipherblock == block) {
470                 cipherblock += EVP_MAX_BLOCK_LENGTH;
471             } else {
472                 cipherblock = block;
473             }
474         }
475     }
476 
477 #ifndef OPENSSL_NO_DES
478     if (EVP_CIPHER_get_nid(cipher) == NID_des_ede3_cbc && !des3_no_fixup) {
479         ret = fixup_des3_key(okey);
480         if (!ret) {
481             ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GENERATE_KEY);
482             goto out;
483         }
484     }
485 #endif
486 
487     ret = 1;
488 
489 out:
490     EVP_CIPHER_CTX_free(ctx);
491     OPENSSL_cleanse(block, EVP_MAX_BLOCK_LENGTH * 2);
492     return ret;
493 }
494 
495