From 01913796f7c213e4ed29989ef4e17f4c16de9243 Mon Sep 17 00:00:00 2001
From: Chaskiel Grundman <cg2v@andrew.cmu.edu>
Date: Sun, 17 Mar 2013 21:58:47 -0400
Subject: [PATCH] Derive DES/fcrypt session key from other key types

If a kerberos 5 ticket has a session key with a non-DES enctype,
use the NIST SP800-108 KDF in counter mode with HMAC_MD5 as the PRF to
construct a DES key to be used by rxkad.

To satisfy the requirements of the KDF, DES3 keys are first compressed into a
168 bit form by reversing the RFC3961 random-to-key algorithm

Change-Id: I4dc8e83a641f9892b31c109fb9025251de3dcb27
---
 src/aklog/aklog_main.c       |  12 ++-
 src/rxkad/rxkad_prototypes.h |   6 ++
 src/rxkad/ticket5.c          | 197 ++++++++++++++++++++++++++++++++---
 src/shlibafsrpc/mapfile      |   1 +
 4 files changed, 196 insertions(+), 20 deletions(-)

diff --git a/src/aklog/aklog_main.c b/src/aklog/aklog_main.c
index a3df62b61..ee044e978 100644
--- a/src/aklog/aklog_main.c
+++ b/src/aklog/aklog_main.c
@@ -638,6 +638,8 @@ static int auth_to_cell(krb5_context context, char *cell, char *realm)
 	    char *p;
 	    char k4name[ANAME_SZ], k4inst[INST_SZ], k4realm[REALM_SZ];
 	    int len;
+	    void *inkey = get_cred_keydata(v5cred);
+	    size_t inkey_sz = get_cred_keylen(v5cred);
 
 	    if (dflag)
 	    	printf("Using Kerberos V5 ticket natively\n");
@@ -675,8 +677,9 @@ static int auth_to_cell(krb5_context context, char *cell, char *realm)
 	    atoken.kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
 	    atoken.startTime = v5cred->times.starttime;;
 	    atoken.endTime = v5cred->times.endtime;
-	    memcpy(&atoken.sessionKey, get_cred_keydata(v5cred),
-		   get_cred_keylen(v5cred));
+	    if (tkt_DeriveDesKey(get_creds_enctype(v5cred), inkey, inkey_sz,
+				 &atoken.sessionKey) != 0)
+		return RXKADBADKEY;
 	    atoken.ticketLen = v5cred->ticket.length;
 	    memcpy(atoken.ticket, v5cred->ticket.data, atoken.ticketLen);
 #ifndef HAVE_NO_KRB5_524
@@ -1911,8 +1914,9 @@ static krb5_error_code get_credv5(krb5_context context,
     
     increds.client = client_principal;
     increds.times.endtime = 0;
-    /* Ask for DES since that is what V4 understands */
-    get_creds_enctype((&increds)) = ENCTYPE_DES_CBC_CRC;
+    if (do524)
+	/* Ask for DES since that is what V4 understands */
+	get_creds_enctype((&increds)) = ENCTYPE_DES_CBC_CRC;
     
     if (keytab) {
 	int allowed_enctypes[] = {
diff --git a/src/rxkad/rxkad_prototypes.h b/src/rxkad/rxkad_prototypes.h
index 070ba13ec..db766a6aa 100644
--- a/src/rxkad/rxkad_prototypes.h
+++ b/src/rxkad/rxkad_prototypes.h
@@ -153,6 +153,12 @@ extern int tkt_DecodeTicket5(char *ticket, afs_int32 ticket_len,
 			     afs_int32 * host, afs_int32 * start,
 			     afs_int32 * end, afs_int32 disableDotCheck,
 			     rxkad_alt_decrypt_func alt_decrypt);
+/*
+ * Compute a des key from a key of a semi-arbitrary kerberos 5 enctype.
+ * Modifies keydata if enctype is 3des.
+ */
+extern int tkt_DeriveDesKey(int enctype, void *keydata, size_t keylen, struct ktc_encryptionKey
+			    *output);
 /* ticket5_keytab.c */
 extern int rxkad_InitKeytabDecrypt(const char *);
 extern int rxkad_BindKeytabDecrypt(struct rx_securityClass *);
diff --git a/src/rxkad/ticket5.c b/src/rxkad/ticket5.c
index 8fd0f02de..c1c059f50 100644
--- a/src/rxkad/ticket5.c
+++ b/src/rxkad/ticket5.c
@@ -83,6 +83,7 @@
 #include <rx/xdr.h>
 #include <rx/rx.h>
 #include <des.h>
+#include <des_prototypes.h>
 #include "lifetimes.h"
 #include "rxkad.h"
 #endif /* defined(UKERNEL) */
@@ -184,8 +185,11 @@ static const struct krb_convert sconv_list[] = {
 static int
   krb5_des_decrypt(struct ktc_encryptionKey *, int, void *, size_t, void *,
 		   size_t *);
-
-
+static int rxkad_derive_des_key(const void *, size_t,
+				struct ktc_encryptionKey *);
+static int compress_parity_bits(void *, size_t *);
+static void hmac_md5_iov(const void *, size_t, const struct iovec *,
+			 unsigned int, void *);
 
 
 int
@@ -330,21 +334,9 @@ tkt_DecodeTicket5(char *ticket, afs_int32 ticket_len,
     }
 
     /* Verify that decr_part.key is of right type */
-    switch (decr_part.key.keytype) {
-    case ETYPE_DES_CBC_CRC:
-    case ETYPE_DES_CBC_MD4:
-    case ETYPE_DES_CBC_MD5:
-	break;
-    default:
+    if (tkt_DeriveDesKey(decr_part.key.keytype, decr_part.key.keyvalue.data,
+			 decr_part.key.keyvalue.length, session_key) != 0)
 	goto bad_ticket;
-    }
-
-    if (decr_part.key.keyvalue.length != 8)
-	goto bad_ticket;
-
-    /* Extract session key */
-    memcpy(session_key, decr_part.key.keyvalue.data, 8);
-
     /* Check lifetimes and host addresses, flags etc */
     {
 	time_t now = time(0);	/* Use fast time package instead??? */
@@ -492,3 +484,176 @@ krb5_des_decrypt(struct ktc_encryptionKey *key, int etype, void *in,
 
     return ret;
 }
+
+/*
+ * Use NIST SP800-108 with HMAC(MD5) in counter mode as the PRF to derive a
+ * des key from another type of key.
+ *
+ * L is 64, as we take 64 random bits and turn them into a 56-bit des key.
+ * The output of hmac_md5 is 128 bits; we take the first 64 only, so n
+ * properly should be 1.  However, we apply a slight variation due to the
+ * possibility of producing a weak des key.  If the output key is weak, do NOT
+ * simply correct it, instead, the counter is advanced and the next output
+ * used.  As such, we code so as to have n be the full 255 permitted by our
+ * encoding of the counter i in an 8-bit field.  L itself is encoded as a
+ * 32-bit field, big-endian.  We use the constant string "rxkad" as a label
+ * for this key derivation, the standard NUL byte separator, and omit a
+ * key-derivation context.  The input key is unique to the krb5 service ticket,
+ * which is unlikely to be used in an other location.  If it is used in such
+ * a fashion, both locations will derive the same des key from the PRF, but
+ * this is no different from if a krb5 des key had been used in the same way,
+ * as traditional krb5 rxkad uses the ticket session key directly as the token
+ * key.
+ */
+static int
+rxkad_derive_des_key(const void *in, size_t insize,
+		     struct ktc_encryptionKey *out)
+{
+    unsigned char i;
+    char Lbuf[4];		/* bits of output, as 32 bit word, MSB first */
+    char tmp[16];
+    struct iovec iov[3];
+    des_cblock ktmp;
+
+    Lbuf[0] = 0;
+    Lbuf[1] = 0;
+    Lbuf[2] = 0;
+    Lbuf[3] = 64;
+
+    iov[0].iov_base = &i;
+    iov[0].iov_len = 1;
+    iov[1].iov_base = "rxkad";
+    iov[1].iov_len = strlen("rxkad") + 1;   /* includes label and separator */
+    iov[2].iov_base = Lbuf;
+    iov[2].iov_len = 4;
+
+    /* stop when 8 bit counter wraps to 0 */
+    for (i = 1; i ; i++) {
+	hmac_md5_iov(in, insize, iov, 3, tmp);
+	memcpy(ktmp, tmp, 8);
+	des_fixup_key_parity(ktmp);
+	if (!des_is_weak_key(ktmp)) {
+	    memcpy(out->data, ktmp, 8);
+	    return 0;
+	}
+    }
+    return -1;
+}
+
+/*
+ * This is the inverse of the random-to-key for 3des specified in
+ * rfc3961, converting blocks of 8 bytes to blocks of 7 bytes by distributing
+ * the bits of each 8th byte as the lsb of the previous 7 bytes.
+ */
+static int
+compress_parity_bits(void *buffer, size_t *bufsiz)
+{
+    unsigned char *cb, tmp;
+    int i, j, nk;
+
+    if (*bufsiz % 8 != 0)
+	return 1;
+    cb = (unsigned char *)buffer;
+    nk = *bufsiz / 8;
+    for (i = 0; i < nk; i++) {
+	tmp = cb[8 * i + 7] >> 1;
+	for (j = 0; j < 7; j++) {
+	    cb[8 * i + j] &= 0xfe;
+	    cb[8 * i + j] |= tmp & 0x1;
+	    tmp >>= 1;
+	}
+    }
+    for (i = 1; i < nk; i++)
+	memmove(cb + 7 * i, cb + 8 * i, 7);
+    *bufsiz = 7 * nk;
+    return 0;
+}
+
+/* HMAC: Keyed-Hashing for Message Authentication, using MD5 as the hash.
+ * See RFC 2104.
+ *
+ * The constants 64 and 16 are the input block size and output length,
+ * respectively, of md5.
+ */
+static void
+hmac_md5_iov(const void *key, size_t ks,
+	     const struct iovec *data, unsigned int niov, void *output)
+{
+    MD5_CTX md5;
+    const unsigned char *kp;
+    unsigned int i;
+    unsigned char tmp[16], tmpk[16], i_pad[64], o_pad[64];
+    if (ks > 64) {
+	MD5_Init(&md5);
+	MD5_Update(&md5, key, ks);
+	MD5_Final(tmpk, &md5);
+	key = tmpk;
+	ks = 16;
+    }
+    kp = key;
+    for (i = 0; i < ks; i++)
+	i_pad[i] = kp[i] ^ 0x36;
+    memset(i_pad + ks, 0x36, 64 - ks);
+    MD5_Init(&md5);
+    MD5_Update(&md5, i_pad, 64);
+    for (i = 0; i < niov; i++)
+	MD5_Update(&md5, data[i].iov_base, data[i].iov_len);
+    MD5_Final(tmp, &md5);
+    for (i = 0; i < ks; i++)
+	o_pad[i] = kp[i] ^ 0x5c;
+    memset(o_pad + ks, 0x5c, 64 - ks);
+    MD5_Init(&md5);
+    MD5_Update(&md5, o_pad, 64);
+    MD5_Update(&md5, tmp, 16);
+    MD5_Final(output, &md5);
+}
+
+/*
+ * Enctype-specific knowledge about how to derive a des key from a given
+ * key.  If given a des key, use it directly; otherwise, perform any
+ * parity fixup that may be needed and pass through to the hmad-md5 bits.
+ */
+int
+tkt_DeriveDesKey(int enctype, void *keydata, size_t keylen,
+		 struct ktc_encryptionKey *output)
+{
+    switch (enctype) {
+    case ETYPE_DES_CBC_CRC:
+    case ETYPE_DES_CBC_MD4:
+    case ETYPE_DES_CBC_MD5:
+	if (keylen != 8)
+	    return 1;
+
+	/* Extract session key */
+	memcpy(output, keydata, 8);
+	break;
+    case ETYPE_NULL:
+    case 4:
+    case 6:
+    case 8:
+    case 9:
+    case 10:
+    case 11:
+    case 12:
+    case 13:
+    case 14:
+    case 15:
+	return 1;
+	/*In order to become a "Cryptographic Key" as specified in
+	 * SP800-108, it must be indistinguishable from a random bitstring. */
+    case ETYPE_DES3_CBC_MD5:
+    case ETYPE_OLD_DES3_CBC_SHA1:
+    case ETYPE_DES3_CBC_SHA1:
+	if (compress_parity_bits(keydata, &keylen))
+	    return 1;
+	/* FALLTHROUGH */
+    default:
+	if (enctype < 0)
+	    return 1;
+	if (keylen < 7)
+	    return 1;
+	if (rxkad_derive_des_key(keydata, keylen, output) != 0)
+	    return 1;
+    }
+    return 0;
+}
diff --git a/src/shlibafsrpc/mapfile b/src/shlibafsrpc/mapfile
index bbe301427..914667998 100644
--- a/src/shlibafsrpc/mapfile
+++ b/src/shlibafsrpc/mapfile
@@ -52,6 +52,7 @@
 	time_to_life;
 	tkt_CheckTimes;
 	tkt_DecodeTicket;
+	tkt_DeriveDesKey;
 	tkt_MakeTicket;
 	xdrrx_create;
 	hton_syserr_conv;
-- 
2.39.5