1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Kerberos key derivation.
3  *
4  * Copyright (C) 2025 Red Hat, Inc. All Rights Reserved.
5  * Written by David Howells (dhowells@redhat.com)
6  */
7 
8 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
9 
10 #include <linux/export.h>
11 #include <linux/slab.h>
12 #include <crypto/skcipher.h>
13 #include <crypto/hash.h>
14 #include "internal.h"
15 
16 /**
17  * crypto_krb5_calc_PRFplus - Calculate PRF+ [RFC4402]
18  * @krb5: The encryption type to use
19  * @K: The protocol key for the pseudo-random function
20  * @L: The length of the output
21  * @S: The input octet string
22  * @result: Result buffer, sized to krb5->prf_len
23  * @gfp: Allocation restrictions
24  *
25  * Calculate the kerberos pseudo-random function, PRF+() by the following
26  * method:
27  *
28  *      PRF+(K, L, S) = truncate(L, T1 || T2 || .. || Tn)
29  *      Tn = PRF(K, n || S)
30  *      [rfc4402 sec 2]
31  */
crypto_krb5_calc_PRFplus(const struct krb5_enctype * krb5,const struct krb5_buffer * K,unsigned int L,const struct krb5_buffer * S,struct krb5_buffer * result,gfp_t gfp)32 int crypto_krb5_calc_PRFplus(const struct krb5_enctype *krb5,
33 			     const struct krb5_buffer *K,
34 			     unsigned int L,
35 			     const struct krb5_buffer *S,
36 			     struct krb5_buffer *result,
37 			     gfp_t gfp)
38 {
39 	struct krb5_buffer T_series, Tn, n_S;
40 	void *buffer;
41 	int ret, n = 1;
42 
43 	Tn.len = krb5->prf_len;
44 	T_series.len = 0;
45 	n_S.len = 4 + S->len;
46 
47 	buffer = kzalloc(round16(L + Tn.len) + round16(n_S.len), gfp);
48 	if (!buffer)
49 		return -ENOMEM;
50 
51 	T_series.data = buffer;
52 	n_S.data = buffer + round16(L + Tn.len);
53 	memcpy(n_S.data + 4, S->data, S->len);
54 
55 	while (T_series.len < L) {
56 		*(__be32 *)(n_S.data) = htonl(n);
57 		Tn.data = T_series.data + Tn.len * (n - 1);
58 		ret = krb5->profile->calc_PRF(krb5, K, &n_S, &Tn, gfp);
59 		if (ret < 0)
60 			goto err;
61 		T_series.len += Tn.len;
62 		n++;
63 	}
64 
65 	/* Truncate to L */
66 	memcpy(result->data, T_series.data, L);
67 	ret = 0;
68 
69 err:
70 	kfree_sensitive(buffer);
71 	return ret;
72 }
73 EXPORT_SYMBOL(crypto_krb5_calc_PRFplus);
74 
75 /**
76  * krb5_derive_Kc - Derive key Kc and install into a hash
77  * @krb5: The encryption type to use
78  * @TK: The base key
79  * @usage: The key usage number
80  * @key: Prepped buffer to store the key into
81  * @gfp: Allocation restrictions
82  *
83  * Derive the Kerberos Kc checksumming key.  The key is stored into the
84  * prepared buffer.
85  */
krb5_derive_Kc(const struct krb5_enctype * krb5,const struct krb5_buffer * TK,u32 usage,struct krb5_buffer * key,gfp_t gfp)86 int krb5_derive_Kc(const struct krb5_enctype *krb5, const struct krb5_buffer *TK,
87 		   u32 usage, struct krb5_buffer *key, gfp_t gfp)
88 {
89 	u8 buf[5] __aligned(CRYPTO_MINALIGN);
90 	struct krb5_buffer usage_constant = { .len = 5, .data = buf };
91 
92 	*(__be32 *)buf = cpu_to_be32(usage);
93 	buf[4] = KEY_USAGE_SEED_CHECKSUM;
94 
95 	key->len = krb5->Kc_len;
96 	return krb5->profile->calc_Kc(krb5, TK, &usage_constant, key, gfp);
97 }
98 
99 /**
100  * krb5_derive_Ke - Derive key Ke and install into an skcipher
101  * @krb5: The encryption type to use
102  * @TK: The base key
103  * @usage: The key usage number
104  * @key: Prepped buffer to store the key into
105  * @gfp: Allocation restrictions
106  *
107  * Derive the Kerberos Ke encryption key.  The key is stored into the prepared
108  * buffer.
109  */
krb5_derive_Ke(const struct krb5_enctype * krb5,const struct krb5_buffer * TK,u32 usage,struct krb5_buffer * key,gfp_t gfp)110 int krb5_derive_Ke(const struct krb5_enctype *krb5, const struct krb5_buffer *TK,
111 		   u32 usage, struct krb5_buffer *key, gfp_t gfp)
112 {
113 	u8 buf[5] __aligned(CRYPTO_MINALIGN);
114 	struct krb5_buffer usage_constant = { .len = 5, .data = buf };
115 
116 	*(__be32 *)buf = cpu_to_be32(usage);
117 	buf[4] = KEY_USAGE_SEED_ENCRYPTION;
118 
119 	key->len = krb5->Ke_len;
120 	return krb5->profile->calc_Ke(krb5, TK, &usage_constant, key, gfp);
121 }
122 
123 /**
124  * krb5_derive_Ki - Derive key Ki and install into a hash
125  * @krb5: The encryption type to use
126  * @TK: The base key
127  * @usage: The key usage number
128  * @key: Prepped buffer to store the key into
129  * @gfp: Allocation restrictions
130  *
131  * Derive the Kerberos Ki integrity checksum key.  The key is stored into the
132  * prepared buffer.
133  */
krb5_derive_Ki(const struct krb5_enctype * krb5,const struct krb5_buffer * TK,u32 usage,struct krb5_buffer * key,gfp_t gfp)134 int krb5_derive_Ki(const struct krb5_enctype *krb5, const struct krb5_buffer *TK,
135 		   u32 usage, struct krb5_buffer *key, gfp_t gfp)
136 {
137 	u8 buf[5] __aligned(CRYPTO_MINALIGN);
138 	struct krb5_buffer usage_constant = { .len = 5, .data = buf };
139 
140 	*(__be32 *)buf = cpu_to_be32(usage);
141 	buf[4] = KEY_USAGE_SEED_INTEGRITY;
142 
143 	key->len = krb5->Ki_len;
144 	return krb5->profile->calc_Ki(krb5, TK, &usage_constant, key, gfp);
145 }
146