409 lines
15 KiB
Diff
409 lines
15 KiB
Diff
|
From 8bbb492f2be1418e1e4bb2cf197414810dac9589 Mon Sep 17 00:00:00 2001
|
||
|
From: Robbie Harwood <rharwood@redhat.com>
|
||
|
Date: Fri, 20 Sep 2019 17:20:59 -0400
|
||
|
Subject: [PATCH] Use OpenSSL's SSKDF in PKINIT when available
|
||
|
|
||
|
Starting in 3.0, OpenSSL implements SSKDF, which is the basis of our
|
||
|
id-pkinit-kdf (RFC 8636). Factor out common setup code around
|
||
|
other_info. Adjust code to comply to existing style.
|
||
|
|
||
|
(cherry picked from commit 4376a22e41fb639be31daf81275a332d3f930996)
|
||
|
---
|
||
|
.../preauth/pkinit/pkinit_crypto_openssl.c | 294 +++++++++++-------
|
||
|
1 file changed, 181 insertions(+), 113 deletions(-)
|
||
|
|
||
|
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||
|
index e1153344e..350c2118a 100644
|
||
|
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||
|
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||
|
@@ -38,6 +38,12 @@
|
||
|
#include <dirent.h>
|
||
|
#include <arpa/inet.h>
|
||
|
|
||
|
+#ifdef HAVE_EVP_KDF_FETCH
|
||
|
+#include <openssl/core_names.h>
|
||
|
+#include <openssl/kdf.h>
|
||
|
+#include <openssl/params.h>
|
||
|
+#endif
|
||
|
+
|
||
|
static krb5_error_code pkinit_init_pkinit_oids(pkinit_plg_crypto_context );
|
||
|
static void pkinit_fini_pkinit_oids(pkinit_plg_crypto_context );
|
||
|
|
||
|
@@ -2294,15 +2300,16 @@ cleanup:
|
||
|
}
|
||
|
|
||
|
|
||
|
-/**
|
||
|
+/*
|
||
|
* Given an algorithm_identifier, this function returns the hash length
|
||
|
* and EVP function associated with that algorithm.
|
||
|
+ *
|
||
|
+ * RFC 8636 defines a SHA384 variant, but we don't use it.
|
||
|
*/
|
||
|
static krb5_error_code
|
||
|
-pkinit_alg_values(krb5_context context,
|
||
|
- const krb5_data *alg_id,
|
||
|
- size_t *hash_bytes,
|
||
|
- const EVP_MD *(**func)(void))
|
||
|
+pkinit_alg_values(krb5_context context, const krb5_data *alg_id,
|
||
|
+ size_t *hash_bytes, const EVP_MD *(**func)(void),
|
||
|
+ char **hash_name)
|
||
|
{
|
||
|
*hash_bytes = 0;
|
||
|
*func = NULL;
|
||
|
@@ -2311,18 +2318,21 @@ pkinit_alg_values(krb5_context context,
|
||
|
krb5_pkinit_sha1_oid_len))) {
|
||
|
*hash_bytes = 20;
|
||
|
*func = &EVP_sha1;
|
||
|
+ *hash_name = strdup("SHA1");
|
||
|
return 0;
|
||
|
} else if ((alg_id->length == krb5_pkinit_sha256_oid_len) &&
|
||
|
(0 == memcmp(alg_id->data, krb5_pkinit_sha256_oid,
|
||
|
krb5_pkinit_sha256_oid_len))) {
|
||
|
*hash_bytes = 32;
|
||
|
*func = &EVP_sha256;
|
||
|
+ *hash_name = strdup("SHA256");
|
||
|
return 0;
|
||
|
} else if ((alg_id->length == krb5_pkinit_sha512_oid_len) &&
|
||
|
(0 == memcmp(alg_id->data, krb5_pkinit_sha512_oid,
|
||
|
krb5_pkinit_sha512_oid_len))) {
|
||
|
*hash_bytes = 64;
|
||
|
*func = &EVP_sha512;
|
||
|
+ *hash_name = strdup("SHA512");
|
||
|
return 0;
|
||
|
} else {
|
||
|
krb5_set_error_message(context, KRB5_ERR_BAD_S2K_PARAMS,
|
||
|
@@ -2331,11 +2341,60 @@ pkinit_alg_values(krb5_context context,
|
||
|
}
|
||
|
} /* pkinit_alg_values() */
|
||
|
|
||
|
+#ifdef HAVE_EVP_KDF_FETCH
|
||
|
+static krb5_error_code
|
||
|
+openssl_sskdf(krb5_context context, size_t hash_bytes, krb5_data *key,
|
||
|
+ krb5_data *info, char *out, size_t out_len, char *digest)
|
||
|
+{
|
||
|
+ krb5_error_code ret;
|
||
|
+ EVP_KDF *kdf = NULL;
|
||
|
+ EVP_KDF_CTX *kctx = NULL;
|
||
|
+ OSSL_PARAM params[4];
|
||
|
+ size_t i = 0;
|
||
|
|
||
|
-/* pkinit_alg_agility_kdf() --
|
||
|
- * This function generates a key using the KDF described in
|
||
|
- * draft_ietf_krb_wg_pkinit_alg_agility-04.txt. The algorithm is
|
||
|
- * described as follows:
|
||
|
+ if (digest == NULL) {
|
||
|
+ ret = oerr(context, ENOMEM,
|
||
|
+ _("Failed to allocate space for digest algorithm name"));
|
||
|
+ goto done;
|
||
|
+ }
|
||
|
+
|
||
|
+ kdf = EVP_KDF_fetch(NULL, "SSKDF", NULL);
|
||
|
+ if (kdf == NULL) {
|
||
|
+ ret = oerr(context, KRB5_CRYPTO_INTERNAL, _("Failed to fetch SSKDF"));
|
||
|
+ goto done;
|
||
|
+ }
|
||
|
+
|
||
|
+ kctx = EVP_KDF_CTX_new(kdf);
|
||
|
+ if (!kctx) {
|
||
|
+ ret = oerr(context, KRB5_CRYPTO_INTERNAL,
|
||
|
+ _("Failed to instantiate SSKDF"));
|
||
|
+ goto done;
|
||
|
+ }
|
||
|
+
|
||
|
+ params[i++] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
|
||
|
+ digest, 0);
|
||
|
+ params[i++] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
|
||
|
+ key->data, key->length);
|
||
|
+ params[i++] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
|
||
|
+ info->data, info->length);
|
||
|
+ params[i] = OSSL_PARAM_construct_end();
|
||
|
+ if (EVP_KDF_derive(kctx, (unsigned char *)out, out_len, params) <= 0) {
|
||
|
+ ret = oerr(context, KRB5_CRYPTO_INTERNAL,
|
||
|
+ _("Failed to derive key using SSKDF"));
|
||
|
+ goto done;
|
||
|
+ }
|
||
|
+
|
||
|
+ ret = 0;
|
||
|
+done:
|
||
|
+ EVP_KDF_free(kdf);
|
||
|
+ EVP_KDF_CTX_free(kctx);
|
||
|
+ return ret;
|
||
|
+}
|
||
|
+#else
|
||
|
+/*
|
||
|
+ * Generate a key using the KDF described in RFC 8636, also known as SSKDF
|
||
|
+ * (single-step kdf). Our caller precomputes `reps`, but otherwise the
|
||
|
+ * algorithm is as follows:
|
||
|
*
|
||
|
* 1. reps = keydatalen (K) / hash length (H)
|
||
|
*
|
||
|
@@ -2349,95 +2408,16 @@ pkinit_alg_values(krb5_context context,
|
||
|
*
|
||
|
* 4. Set key = Hash1 || Hash2 || ... so that length of key is K bytes.
|
||
|
*/
|
||
|
-krb5_error_code
|
||
|
-pkinit_alg_agility_kdf(krb5_context context,
|
||
|
- krb5_data *secret,
|
||
|
- krb5_data *alg_oid,
|
||
|
- krb5_const_principal party_u_info,
|
||
|
- krb5_const_principal party_v_info,
|
||
|
- krb5_enctype enctype,
|
||
|
- krb5_data *as_req,
|
||
|
- krb5_data *pk_as_rep,
|
||
|
- krb5_keyblock *key_block)
|
||
|
+static krb5_error_code
|
||
|
+builtin_sskdf(krb5_context context, unsigned int reps, size_t hash_len,
|
||
|
+ const EVP_MD *(*EVP_func)(void), krb5_data *secret,
|
||
|
+ krb5_data *other_info, char *out, size_t out_len)
|
||
|
{
|
||
|
- krb5_error_code retval = 0;
|
||
|
+ krb5_error_code ret = 0;
|
||
|
|
||
|
- unsigned int reps = 0;
|
||
|
- uint32_t counter = 1; /* Does this type work on Windows? */
|
||
|
+ uint32_t counter = 1;
|
||
|
size_t offset = 0;
|
||
|
- size_t hash_len = 0;
|
||
|
- size_t rand_len = 0;
|
||
|
- size_t key_len = 0;
|
||
|
- krb5_data random_data;
|
||
|
- krb5_sp80056a_other_info other_info_fields;
|
||
|
- krb5_pkinit_supp_pub_info supp_pub_info_fields;
|
||
|
- krb5_data *other_info = NULL;
|
||
|
- krb5_data *supp_pub_info = NULL;
|
||
|
- krb5_algorithm_identifier alg_id;
|
||
|
EVP_MD_CTX *ctx = NULL;
|
||
|
- const EVP_MD *(*EVP_func)(void);
|
||
|
-
|
||
|
- /* initialize random_data here to make clean-up safe */
|
||
|
- random_data.length = 0;
|
||
|
- random_data.data = NULL;
|
||
|
-
|
||
|
- /* allocate and initialize the key block */
|
||
|
- key_block->magic = 0;
|
||
|
- key_block->enctype = enctype;
|
||
|
- if (0 != (retval = krb5_c_keylengths(context, enctype, &rand_len,
|
||
|
- &key_len)))
|
||
|
- goto cleanup;
|
||
|
-
|
||
|
- random_data.length = rand_len;
|
||
|
- key_block->length = key_len;
|
||
|
-
|
||
|
- if (NULL == (key_block->contents = malloc(key_block->length))) {
|
||
|
- retval = ENOMEM;
|
||
|
- goto cleanup;
|
||
|
- }
|
||
|
-
|
||
|
- memset (key_block->contents, 0, key_block->length);
|
||
|
-
|
||
|
- /* If this is anonymous pkinit, use the anonymous principle for party_u_info */
|
||
|
- if (party_u_info && krb5_principal_compare_any_realm(context, party_u_info,
|
||
|
- krb5_anonymous_principal()))
|
||
|
- party_u_info = (krb5_principal)krb5_anonymous_principal();
|
||
|
-
|
||
|
- if (0 != (retval = pkinit_alg_values(context, alg_oid, &hash_len, &EVP_func)))
|
||
|
- goto cleanup;
|
||
|
-
|
||
|
- /* 1. reps = keydatalen (K) / hash length (H) */
|
||
|
- reps = key_block->length/hash_len;
|
||
|
-
|
||
|
- /* ... and round up, if necessary */
|
||
|
- if (key_block->length > (reps * hash_len))
|
||
|
- reps++;
|
||
|
-
|
||
|
- /* Allocate enough space in the random data buffer to hash directly into
|
||
|
- * it, even if the last hash will make it bigger than the key length. */
|
||
|
- if (NULL == (random_data.data = malloc(reps * hash_len))) {
|
||
|
- retval = ENOMEM;
|
||
|
- goto cleanup;
|
||
|
- }
|
||
|
-
|
||
|
- /* Encode the ASN.1 octet string for "SuppPubInfo" */
|
||
|
- supp_pub_info_fields.enctype = enctype;
|
||
|
- supp_pub_info_fields.as_req = *as_req;
|
||
|
- supp_pub_info_fields.pk_as_rep = *pk_as_rep;
|
||
|
- if (0 != ((retval = encode_krb5_pkinit_supp_pub_info(&supp_pub_info_fields,
|
||
|
- &supp_pub_info))))
|
||
|
- goto cleanup;
|
||
|
-
|
||
|
- /* Now encode the ASN.1 octet string for "OtherInfo" */
|
||
|
- memset(&alg_id, 0, sizeof alg_id);
|
||
|
- alg_id.algorithm = *alg_oid; /*alias*/
|
||
|
-
|
||
|
- other_info_fields.algorithm_identifier = alg_id;
|
||
|
- other_info_fields.party_u_info = (krb5_principal) party_u_info;
|
||
|
- other_info_fields.party_v_info = (krb5_principal) party_v_info;
|
||
|
- other_info_fields.supp_pub_info = *supp_pub_info;
|
||
|
- if (0 != (retval = encode_krb5_sp80056a_other_info(&other_info_fields, &other_info)))
|
||
|
- goto cleanup;
|
||
|
|
||
|
/* 2. Initialize a 32-bit, big-endian bit string counter as 1.
|
||
|
* 3. For i = 1 to reps by 1, do the following:
|
||
|
@@ -2450,7 +2430,7 @@ pkinit_alg_agility_kdf(krb5_context context,
|
||
|
|
||
|
ctx = EVP_MD_CTX_new();
|
||
|
if (ctx == NULL) {
|
||
|
- retval = KRB5_CRYPTO_INTERNAL;
|
||
|
+ ret = KRB5_CRYPTO_INTERNAL;
|
||
|
goto cleanup;
|
||
|
}
|
||
|
|
||
|
@@ -2458,7 +2438,7 @@ pkinit_alg_agility_kdf(krb5_context context,
|
||
|
if (!EVP_DigestInit(ctx, EVP_func())) {
|
||
|
krb5_set_error_message(context, KRB5_CRYPTO_INTERNAL,
|
||
|
"Call to OpenSSL EVP_DigestInit() returned an error.");
|
||
|
- retval = KRB5_CRYPTO_INTERNAL;
|
||
|
+ ret = KRB5_CRYPTO_INTERNAL;
|
||
|
goto cleanup;
|
||
|
}
|
||
|
|
||
|
@@ -2467,15 +2447,16 @@ pkinit_alg_agility_kdf(krb5_context context,
|
||
|
!EVP_DigestUpdate(ctx, other_info->data, other_info->length)) {
|
||
|
krb5_set_error_message(context, KRB5_CRYPTO_INTERNAL,
|
||
|
"Call to OpenSSL EVP_DigestUpdate() returned an error.");
|
||
|
- retval = KRB5_CRYPTO_INTERNAL;
|
||
|
+ ret = KRB5_CRYPTO_INTERNAL;
|
||
|
goto cleanup;
|
||
|
}
|
||
|
|
||
|
- /* 4. Set key = Hash1 || Hash2 || ... so that length of key is K bytes. */
|
||
|
- if (!EVP_DigestFinal(ctx, (uint8_t *)random_data.data + offset, &s)) {
|
||
|
+ /* 4. Set key = Hash1 || Hash2 || ... so that length of key is K
|
||
|
+ * bytes. */
|
||
|
+ if (!EVP_DigestFinal(ctx, (unsigned char *)out + offset, &s)) {
|
||
|
krb5_set_error_message(context, KRB5_CRYPTO_INTERNAL,
|
||
|
"Call to OpenSSL EVP_DigestUpdate() returned an error.");
|
||
|
- retval = KRB5_CRYPTO_INTERNAL;
|
||
|
+ ret = KRB5_CRYPTO_INTERNAL;
|
||
|
goto cleanup;
|
||
|
}
|
||
|
offset += s;
|
||
|
@@ -2484,26 +2465,113 @@ pkinit_alg_agility_kdf(krb5_context context,
|
||
|
EVP_MD_CTX_free(ctx);
|
||
|
ctx = NULL;
|
||
|
}
|
||
|
-
|
||
|
- retval = krb5_c_random_to_key(context, enctype, &random_data,
|
||
|
- key_block);
|
||
|
-
|
||
|
cleanup:
|
||
|
EVP_MD_CTX_free(ctx);
|
||
|
+ return ret;
|
||
|
+} /* builtin_sskdf() */
|
||
|
+#endif /* HAVE_EVP_KDF_FETCH */
|
||
|
|
||
|
- /* If this has been an error, free the allocated key_block, if any */
|
||
|
- if (retval) {
|
||
|
- krb5_free_keyblock_contents(context, key_block);
|
||
|
+/* id-pkinit-kdf family, as specified by RFC 8636. */
|
||
|
+krb5_error_code
|
||
|
+pkinit_alg_agility_kdf(krb5_context context, krb5_data *secret,
|
||
|
+ krb5_data *alg_oid, krb5_const_principal party_u_info,
|
||
|
+ krb5_const_principal party_v_info,
|
||
|
+ krb5_enctype enctype, krb5_data *as_req,
|
||
|
+ krb5_data *pk_as_rep, krb5_keyblock *key_block)
|
||
|
+{
|
||
|
+ krb5_error_code ret;
|
||
|
+ size_t hash_len = 0, rand_len = 0, key_len = 0;
|
||
|
+ const EVP_MD *(*EVP_func)(void);
|
||
|
+ krb5_sp80056a_other_info other_info_fields;
|
||
|
+ krb5_pkinit_supp_pub_info supp_pub_info_fields;
|
||
|
+ krb5_data *other_info = NULL, *supp_pub_info = NULL;
|
||
|
+ krb5_data random_data = empty_data();
|
||
|
+ krb5_algorithm_identifier alg_id;
|
||
|
+ unsigned int reps;
|
||
|
+ char *hash_name = NULL;
|
||
|
+
|
||
|
+ /* Allocate and initialize the key block. */
|
||
|
+ key_block->magic = 0;
|
||
|
+ key_block->enctype = enctype;
|
||
|
+
|
||
|
+ /* Use separate variables to avoid alignment restriction problems. */
|
||
|
+ ret = krb5_c_keylengths(context, enctype, &rand_len, &key_len);
|
||
|
+ if (ret)
|
||
|
+ goto cleanup;
|
||
|
+ random_data.length = rand_len;
|
||
|
+ key_block->length = key_len;
|
||
|
+
|
||
|
+ key_block->contents = k5calloc(key_block->length, 1, &ret);
|
||
|
+ if (key_block->contents == NULL)
|
||
|
+ goto cleanup;
|
||
|
+
|
||
|
+ /* If this is anonymous pkinit, use the anonymous principle for
|
||
|
+ * party_u_info. */
|
||
|
+ if (party_u_info &&
|
||
|
+ krb5_principal_compare_any_realm(context, party_u_info,
|
||
|
+ krb5_anonymous_principal())) {
|
||
|
+ party_u_info = (krb5_principal)krb5_anonymous_principal();
|
||
|
}
|
||
|
|
||
|
- /* free other allocated resources, either way */
|
||
|
- if (random_data.data)
|
||
|
- free(random_data.data);
|
||
|
+ ret = pkinit_alg_values(context, alg_oid, &hash_len, &EVP_func,
|
||
|
+ &hash_name);
|
||
|
+ if (ret)
|
||
|
+ goto cleanup;
|
||
|
+
|
||
|
+ /* 1. reps = keydatalen (K) / hash length (H) */
|
||
|
+ reps = key_block->length / hash_len;
|
||
|
+
|
||
|
+ /* ... and round up, if necessary. */
|
||
|
+ if (key_block->length > (reps * hash_len))
|
||
|
+ reps++;
|
||
|
+
|
||
|
+ /* Allocate enough space in the random data buffer to hash directly into
|
||
|
+ * it, even if the last hash will make it bigger than the key length. */
|
||
|
+ random_data.data = k5alloc(reps * hash_len, &ret);
|
||
|
+ if (random_data.data == NULL)
|
||
|
+ goto cleanup;
|
||
|
+
|
||
|
+ /* Encode the ASN.1 octet string for "SuppPubInfo". */
|
||
|
+ supp_pub_info_fields.enctype = enctype;
|
||
|
+ supp_pub_info_fields.as_req = *as_req;
|
||
|
+ supp_pub_info_fields.pk_as_rep = *pk_as_rep;
|
||
|
+ ret = encode_krb5_pkinit_supp_pub_info(&supp_pub_info_fields,
|
||
|
+ &supp_pub_info);
|
||
|
+ if (ret)
|
||
|
+ goto cleanup;
|
||
|
+
|
||
|
+ /* Now encode the ASN.1 octet string for "OtherInfo". */
|
||
|
+ memset(&alg_id, 0, sizeof(alg_id));
|
||
|
+ alg_id.algorithm = *alg_oid;
|
||
|
+ other_info_fields.algorithm_identifier = alg_id;
|
||
|
+ other_info_fields.party_u_info = (krb5_principal)party_u_info;
|
||
|
+ other_info_fields.party_v_info = (krb5_principal)party_v_info;
|
||
|
+ other_info_fields.supp_pub_info = *supp_pub_info;
|
||
|
+ ret = encode_krb5_sp80056a_other_info(&other_info_fields, &other_info);
|
||
|
+ if (ret)
|
||
|
+ goto cleanup;
|
||
|
+
|
||
|
+#ifdef HAVE_EVP_KDF_FETCH
|
||
|
+ ret = openssl_sskdf(context, hash_len, secret, other_info,
|
||
|
+ random_data.data, key_block->length, hash_name);
|
||
|
+#else
|
||
|
+ ret = builtin_sskdf(context, reps, hash_len, EVP_func, secret,
|
||
|
+ other_info, random_data.data, key_block->length);
|
||
|
+#endif
|
||
|
+ if (ret)
|
||
|
+ goto cleanup;
|
||
|
+
|
||
|
+ ret = krb5_c_random_to_key(context, enctype, &random_data, key_block);
|
||
|
+cleanup:
|
||
|
+ if (ret)
|
||
|
+ krb5_free_keyblock_contents(context, key_block);
|
||
|
+
|
||
|
+ free(hash_name);
|
||
|
+ zapfree(random_data.data, random_data.length);
|
||
|
krb5_free_data(context, other_info);
|
||
|
krb5_free_data(context, supp_pub_info);
|
||
|
-
|
||
|
- return retval;
|
||
|
-} /*pkinit_alg_agility_kdf() */
|
||
|
+ return ret;
|
||
|
+}
|
||
|
|
||
|
/* Call DH_compute_key() and ensure that we left-pad short results instead of
|
||
|
* leaving junk bytes at the end of the buffer. */
|