krb5 commit: Add krb5_c_prfplus() and krb5_c_derive_prfplus()
Greg Hudson
ghudson at mit.edu
Sun Aug 9 17:20:11 EDT 2015
https://github.com/krb5/krb5/commit/35f288092f0df7f4aca92e1f51db3611a3b32ada
commit 35f288092f0df7f4aca92e1f51db3611a3b32ada
Author: Nathaniel McCallum <npmccallum at redhat.com>
Date: Sun Jun 14 21:03:00 2015 -0400
Add krb5_c_prfplus() and krb5_c_derive_prfplus()
This commit permits the external use of the RFC 6113 PRF+ function.
It also adds a function to derive a key from an input key and string
using PRF+.
[ghudson at mit.edu: adjust style; avoid new C99isms; use string2data(),
empty_data(), and alloc_data() where appropriate; add some explanatory
comments; edit docstrings and commit message]
ticket: 8228 (new)
doc/appdev/refs/api/index.rst | 2 +
src/include/krb5/krb5.hin | 42 +++++++
src/lib/crypto/krb/cf2.c | 209 ++++++++++++++++++++---------------
src/lib/crypto/libk5crypto.exports | 2 +
src/lib/krb5_32.def | 2 +
5 files changed, 167 insertions(+), 90 deletions(-)
diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst
index 64774b3..8df351d 100644
--- a/doc/appdev/refs/api/index.rst
+++ b/doc/appdev/refs/api/index.rst
@@ -304,6 +304,7 @@ Public interfaces that should not be called directly
krb5_c_crypto_length_iov.rst
krb5_c_decrypt.rst
krb5_c_decrypt_iov.rst
+ krb5_c_derive_prfplus.rst
krb5_c_encrypt.rst
krb5_c_encrypt_iov.rst
krb5_c_encrypt_length.rst
@@ -320,6 +321,7 @@ Public interfaces that should not be called directly
krb5_c_make_random_key.rst
krb5_c_padding_length.rst
krb5_c_prf.rst
+ krb5_c_prfplus.rst
krb5_c_prf_length.rst
krb5_c_random_add_entropy.rst
krb5_c_random_make_octets.rst
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 0d03c2e..544ebef 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -643,6 +643,48 @@ krb5_error_code KRB5_CALLCONV
krb5_c_prf_length(krb5_context context, krb5_enctype enctype, size_t *len);
/**
+ * Generate pseudo-random bytes using RFC 6113 PRF+.
+ *
+ * @param [in] context Library context
+ * @param [in] k KDC contribution key
+ * @param [in] input Input data
+ * @param [in] output Pseudo-random output buffer
+ *
+ * This function fills @a output with PRF+(k, input) as defined in RFC 6113
+ * section 5.1. The caller must preinitialize @a output and allocate the
+ * desired amount of space. The length of the pseudo-random output will match
+ * the length of @a output.
+ *
+ * @note RFC 4402 defines a different PRF+ operation. This function does not
+ * implement that operation.
+ *
+ * @return 0 on success, @c E2BIG if output->length is too large for PRF+ to
+ * generate, @c ENOMEM on allocation failure, or an error code from
+ * krb5_c_prf()
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_c_prfplus(krb5_context context, const krb5_keyblock *k,
+ const krb5_data *input, krb5_data *output);
+
+/**
+ * Derive a key using some input data (via RFC 6113 PRF+).
+ *
+ * @param [in] context Library context
+ * @param [in] k KDC contribution key
+ * @param [in] input Input string
+ * @param [in] enctype Output key enctype (or @c ENCTYPE_NULL)
+ * @param [in] output Derived keyblock
+ *
+ * This function uses PRF+ as defined in RFC 6113 to derive a key from another
+ * key and an input string. If @a enctype is @c ENCTYPE_NULL, the output key
+ * will have the same enctype as the input key.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_c_derive_prfplus(krb5_context context, const krb5_keyblock *k,
+ const krb5_data *input, krb5_enctype enctype,
+ krb5_keyblock **output);
+
+/**
* Compute the KRB-FX-CF2 combination of two keys and pepper strings.
*
* @param [in] context Library context
diff --git a/src/lib/crypto/krb/cf2.c b/src/lib/crypto/krb/cf2.c
index 49584ef..2ee5aeb 100644
--- a/src/lib/crypto/krb/cf2.c
+++ b/src/lib/crypto/krb/cf2.c
@@ -1,8 +1,8 @@
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* lib/crypto/krb/cf2.c */
/*
- * Copyright (C) 2009 by the Massachusetts Institute of Technology.
- * All rights reserved.
+ * Copyright (C) 2009, 2015 by the Massachusetts Institute of Technology. All
+ * rights reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
@@ -31,60 +31,94 @@
#include "crypto_int.h"
-/*
- * Call the PRF function multiple times with the pepper prefixed with
- * a count byte to get enough bits of output.
- */
-static krb5_error_code
-prf_plus(krb5_context context, const krb5_keyblock *k, const char *pepper,
- size_t keybytes, char **out)
+#ifndef MIN
+#define MIN(a,b) ((a) < (b) ? (a) : (b))
+#endif
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_prfplus(krb5_context context, const krb5_keyblock *k,
+ const krb5_data *input, krb5_data *output)
{
- krb5_error_code retval = 0;
- size_t prflen, iterations;
- krb5_data out_data;
- krb5_data in_data;
- char *buffer = NULL;
- struct k5buf prf_inbuf;
-
- k5_buf_init_dynamic(&prf_inbuf);
- k5_buf_add_len(&prf_inbuf, "\001", 1);
- k5_buf_add(&prf_inbuf, pepper);
- retval = krb5_c_prf_length( context, k->enctype, &prflen);
- if (retval)
- goto cleanup;
- iterations = keybytes / prflen;
- if (keybytes % prflen != 0)
- iterations++;
- assert(iterations <= 254);
- buffer = k5calloc(iterations, prflen, &retval);
- if (retval)
+ krb5_error_code ret;
+ krb5_data prf_in = empty_data(), prf_out = empty_data();
+ size_t prflen, nblocks, i;
+
+ /* Calculate the number of PRF invocations we will need. */
+ ret = krb5_c_prf_length(context, k->enctype, &prflen);
+ if (ret)
+ return ret;
+ nblocks = (output->length + prflen - 1)/ prflen;
+ if (nblocks > 255)
+ return E2BIG;
+
+ /* Allocate PRF input and output buffers. */
+ ret = alloc_data(&prf_in, input->length + 1);
+ if (ret)
goto cleanup;
- retval = k5_buf_status(&prf_inbuf);
- if (retval)
+ ret = alloc_data(&prf_out, prflen);
+ if (ret)
goto cleanup;
- in_data.length = prf_inbuf.len;
- in_data.data = prf_inbuf.data;
- out_data.length = prflen;
- out_data.data = buffer;
-
- while (iterations > 0) {
- retval = krb5_c_prf(context, k, &in_data, &out_data);
- if (retval)
+
+ /* Concatenate PRF(k, 1||input) || PRF(k, 2||input) || ... to produce the
+ * desired number of bytes. */
+ memcpy(&prf_in.data[1], input->data, input->length);
+ for (i = 0; i < nblocks; i++) {
+ prf_in.data[0] = i + 1;
+ ret = krb5_c_prf(context, k, &prf_in, &prf_out);
+ if (ret)
goto cleanup;
- out_data.data += prflen;
- in_data.data[0]++;
- iterations--;
- }
- *out = buffer;
- buffer = NULL;
+ memcpy(&output->data[i * prflen], prf_out.data,
+ MIN(prflen, output->length - i * prflen));
+ }
cleanup:
- free(buffer);
- k5_buf_free(&prf_inbuf);
- return retval;
+ zapfree(prf_out.data, prf_out.length);
+ zapfree(prf_in.data, prf_in.length);
+ return ret;
}
+krb5_error_code KRB5_CALLCONV
+krb5_c_derive_prfplus(krb5_context context, const krb5_keyblock *k,
+ const krb5_data *input, krb5_enctype enctype,
+ krb5_keyblock **out)
+{
+ krb5_error_code ret;
+ const struct krb5_keytypes *ktp;
+ krb5_data rnd = empty_data();
+ krb5_keyblock *kb = NULL;
+
+ *out = NULL;
+
+ ktp = find_enctype((enctype == ENCTYPE_NULL) ? k->enctype : enctype);
+ if (ktp == NULL)
+ return KRB5_BAD_ENCTYPE;
+
+ /* Generate enough pseudo-random bytes for the random-to-key function. */
+ ret = alloc_data(&rnd, ktp->enc->keybytes);
+ if (ret)
+ goto cleanup;
+ ret = krb5_c_prfplus(context, k, input, &rnd);
+ if (ret)
+ goto cleanup;
+
+ /* Generate a key from the pseudo-random bytes. */
+ ret = krb5int_c_init_keyblock(context, ktp->etype, ktp->enc->keylength,
+ &kb);
+ if (ret)
+ goto cleanup;
+ ret = (*ktp->rand2key)(&rnd, kb);
+ if (ret)
+ goto cleanup;
+
+ *out = kb;
+ kb = NULL;
+
+cleanup:
+ zapfree(rnd.data, rnd.length);
+ krb5int_c_free_keyblock(context, kb);
+ return ret;
+}
krb5_error_code KRB5_CALLCONV
krb5_c_fx_cf2_simple(krb5_context context,
@@ -92,56 +126,51 @@ krb5_c_fx_cf2_simple(krb5_context context,
const krb5_keyblock *k2, const char *pepper2,
krb5_keyblock **out)
{
- const struct krb5_keytypes *out_enctype;
- size_t keybytes, keylength, i;
- char *prf1 = NULL, *prf2 = NULL;
- krb5_data keydata;
- krb5_enctype out_enctype_num;
- krb5_error_code retval = 0;
- krb5_keyblock *out_key = NULL;
-
- if (k1 == NULL || !krb5_c_valid_enctype(k1->enctype))
- return KRB5_BAD_ENCTYPE;
- if (k2 == NULL || !krb5_c_valid_enctype(k2->enctype))
+ krb5_error_code ret;
+ const struct krb5_keytypes *ktp = NULL;
+ const krb5_data pepper1_data = string2data((char *)pepper1);
+ const krb5_data pepper2_data = string2data((char *)pepper2);
+ krb5_data prf1 = empty_data(), prf2 = empty_data();
+ unsigned int i;
+ krb5_keyblock *kb = NULL;
+
+ *out = NULL;
+
+ ktp = find_enctype(k1->enctype);
+ if (ktp == NULL)
return KRB5_BAD_ENCTYPE;
- out_enctype_num = k1->enctype;
- assert(out != NULL);
- out_enctype = find_enctype(out_enctype_num);
- assert(out_enctype != NULL);
- if (out_enctype->prf == NULL) {
- if (context) {
- k5_set_error(&(context->err), KRB5_CRYPTO_INTERNAL,
- _("Enctype %d has no PRF"), out_enctype_num);
- }
- return KRB5_CRYPTO_INTERNAL;
- }
- keybytes = out_enctype->enc->keybytes;
- keylength = out_enctype->enc->keylength;
- retval = prf_plus(context, k1, pepper1, keybytes, &prf1);
- if (retval)
+ /* Generate PRF+(k1, pepper1) and PRF+(k2, kepper2). */
+ ret = alloc_data(&prf1, ktp->enc->keybytes);
+ if (ret)
+ goto cleanup;
+ ret = krb5_c_prfplus(context, k1, &pepper1_data, &prf1);
+ if (ret)
goto cleanup;
- retval = prf_plus(context, k2, pepper2, keybytes, &prf2);
- if (retval)
+ ret = alloc_data(&prf2, ktp->enc->keybytes);
+ if (ret)
goto cleanup;
- for (i = 0; i < keybytes; i++)
- prf1[i] ^= prf2[i];
- retval = krb5int_c_init_keyblock(context, out_enctype_num, keylength,
- &out_key);
- if (retval)
+ ret = krb5_c_prfplus(context, k2, &pepper2_data, &prf2);
+ if (ret)
+ goto cleanup;
+
+ /* Compute the XOR of the two PRF+ values and generate a key. */
+ for (i = 0; i < prf1.length; i++)
+ prf1.data[i] ^= prf2.data[i];
+ ret = krb5int_c_init_keyblock(context, ktp->etype, ktp->enc->keylength,
+ &kb);
+ if (ret)
goto cleanup;
- keydata.data = prf1;
- keydata.length = keybytes;
- retval = (*out_enctype->rand2key)(&keydata, out_key);
- if (retval)
+ ret = (*ktp->rand2key)(&prf1, kb);
+ if (ret)
goto cleanup;
- *out = out_key;
- out_key = NULL;
+ *out = kb;
+ kb = NULL;
cleanup:
- krb5int_c_free_keyblock( context, out_key);
- zapfree(prf1, keybytes);
- zapfree(prf2, keybytes);
- return retval;
+ zapfree(prf2.data, prf2.length);
+ zapfree(prf1.data, prf1.length);
+ krb5int_c_free_keyblock(context, kb);
+ return ret;
}
diff --git a/src/lib/crypto/libk5crypto.exports b/src/lib/crypto/libk5crypto.exports
index 9342387..d0f0d29 100644
--- a/src/lib/crypto/libk5crypto.exports
+++ b/src/lib/crypto/libk5crypto.exports
@@ -102,3 +102,5 @@ k5_sha256_init
k5_sha256_update
krb5int_nfold
k5_allow_weak_pbkdf2iter
+krb5_c_prfplus
+krb5_c_derive_prfplus
diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
index 226155f..3734e9b 100644
--- a/src/lib/krb5_32.def
+++ b/src/lib/krb5_32.def
@@ -461,3 +461,5 @@ EXPORTS
krb5_vprepend_error_message @428
krb5_wrap_error_message @429
krb5_vwrap_error_message @430
+ krb5_c_prfplus @431
+ krb5_c_derive_prfplus @432
More information about the cvs-krb5
mailing list