1 /*
2 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
3 * Use is subject to license terms.
4 */
5
6
7 /*
8 * Copyright (C) 1998 by the FundsXpress, INC.
9 *
10 * All rights reserved.
11 *
12 * Export of this software from the United States of America may require
13 * a specific license from the United States Government. It is the
14 * responsibility of any person or organization contemplating export to
15 * obtain such a license before exporting.
16 *
17 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
18 * distribute this software and its documentation for any purpose and
19 * without fee is hereby granted, provided that the above copyright
20 * notice appear in all copies and that both that copyright notice and
21 * this permission notice appear in supporting documentation, and that
22 * the name of FundsXpress. not be used in advertising or publicity pertaining
23 * to distribution of the software without specific, written prior
24 * permission. FundsXpress makes no representations about the suitability of
25 * this software for any purpose. It is provided "as is" without express
26 * or implied warranty.
27 *
28 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
29 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
30 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
31 */
32
33 #ifdef _KERNEL
34 /* Solaris Kerberos:
35 * we don't provide these functions to the kernel
36 */
37 #define krb5int_des_string_to_key NULL
38 #define krb5_dk_string_to_key NULL
39 #define krb5int_arcfour_string_to_key NULL
40 #endif /* _KERNEL */
41
42 #include <k5-int.h>
43 #include <enc_provider.h>
44 #include <hash_provider.h>
45 #include <etypes.h>
46 #include <old.h>
47 #include <raw.h>
48
49 #include <dk.h>
50 #include <arcfour.h>
51
52 /* these will be linear searched. if they ever get big, a binary
53 search or hash table would be better, which means these would need
54 to be sorted. An array would be more efficient, but that assumes
55 that the keytypes are all near each other. I'd rather not make
56 that assumption. */
57
58 struct krb5_keytypes krb5_enctypes_list[] = {
59 { ENCTYPE_DES_CBC_CRC,
60 "des-cbc-crc", "DES cbc mode with CRC-32",
61 &krb5int_enc_des, &krb5int_hash_crc32,
62 krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
63 CKSUMTYPE_RSA_MD5,
64 #ifndef _KERNEL
65 krb5int_des_string_to_key,
66 #else
67 SUN_CKM_DES_CBC,
68 NULL,
69 CRYPTO_MECH_INVALID,
70 CRYPTO_MECH_INVALID
71 #endif /* !_KERNEL */
72 },
73 { ENCTYPE_DES_CBC_MD5,
74 "des-cbc-md5", "DES cbc mode with RSA-MD5",
75 &krb5int_enc_des, &krb5int_hash_md5,
76 krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
77 CKSUMTYPE_RSA_MD5,
78 #ifndef _KERNEL
79 krb5int_des_string_to_key,
80 #else
81 SUN_CKM_DES_CBC,
82 SUN_CKM_MD5,
83 CRYPTO_MECH_INVALID,
84 CRYPTO_MECH_INVALID
85 #endif /* !_KERNEL */
86 },
87 { ENCTYPE_DES_CBC_MD5,
88 "des", "DES cbc mode with RSA-MD5", /* alias */
89 &krb5int_enc_des, &krb5int_hash_md5,
90 krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
91 CKSUMTYPE_RSA_MD5,
92 #ifndef _KERNEL
93 krb5int_des_string_to_key,
94 #else
95 SUN_CKM_DES_CBC,
96 SUN_CKM_MD5,
97 CRYPTO_MECH_INVALID,
98 CRYPTO_MECH_INVALID
99 #endif /* _KERNEL */
100 },
101 { ENCTYPE_DES_CBC_RAW,
102 "des-cbc-raw", "DES cbc mode raw",
103 &krb5int_enc_des, NULL,
104 krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt, 0,
105 #ifndef _KERNEL
106 krb5int_des_string_to_key,
107 #else
108 SUN_CKM_DES_CBC,
109 NULL,
110 CRYPTO_MECH_INVALID,
111 CRYPTO_MECH_INVALID
112 #endif /* !_KERNEL */
113 },
114
115 { ENCTYPE_DES3_CBC_RAW,
116 "des3-cbc-raw", "Triple DES cbc mode raw",
117 &krb5int_enc_des3, NULL,
118 krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt, 0,
119 #ifndef _KERNEL
120 krb5int_dk_string_to_key,
121 #else
122 SUN_CKM_DES3_CBC,
123 NULL,
124 CRYPTO_MECH_INVALID,
125 CRYPTO_MECH_INVALID
126 #endif /* !_KERNEL */
127 },
128
129 { ENCTYPE_DES3_CBC_SHA1,
130 "des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1",
131 &krb5int_enc_des3, &krb5int_hash_sha1,
132 krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
133 CKSUMTYPE_HMAC_SHA1_DES3,
134 #ifndef _KERNEL
135 krb5int_dk_string_to_key,
136 #else
137 SUN_CKM_DES3_CBC,
138 SUN_CKM_SHA1_HMAC,
139 CRYPTO_MECH_INVALID,
140 CRYPTO_MECH_INVALID
141 #endif
142 },
143 { ENCTYPE_DES3_CBC_SHA1, /* alias */
144 "des3-hmac-sha1", "Triple DES cbc mode with HMAC/sha1",
145 &krb5int_enc_des3, &krb5int_hash_sha1,
146 krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
147 CKSUMTYPE_HMAC_SHA1_DES3,
148 #ifndef _KERNEL
149 krb5int_dk_string_to_key,
150 #else
151 SUN_CKM_DES3_CBC,
152 SUN_CKM_SHA1_HMAC,
153 CRYPTO_MECH_INVALID,
154 CRYPTO_MECH_INVALID
155 #endif /* !_KERNEL */
156 },
157 { ENCTYPE_DES3_CBC_SHA1, /* alias */
158 "des3-cbc-sha1-kd", "Triple DES cbc mode with HMAC/sha1",
159 &krb5int_enc_des3, &krb5int_hash_sha1,
160 krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
161 CKSUMTYPE_HMAC_SHA1_DES3,
162 #ifndef _KERNEL
163 krb5int_dk_string_to_key,
164 #else
165 SUN_CKM_DES3_CBC,
166 SUN_CKM_SHA1_HMAC,
167 CRYPTO_MECH_INVALID,
168 CRYPTO_MECH_INVALID
169 #endif /* !_KERNEL */
170 },
171 /* The des3-cbc-hmac-sha1-kd is the official enctype associated with
172 * 3DES/SHA1 in draft-ietf-krb-wg-crypto-00.txt
173 */
174 { ENCTYPE_DES3_CBC_SHA1, /* alias */
175 "des3-cbc-hmac-sha1-kd", "Triple DES cbc mode with HMAC/sha1",
176 &krb5int_enc_des3, &krb5int_hash_sha1,
177 krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
178 CKSUMTYPE_HMAC_SHA1_DES3,
179 #ifndef _KERNEL
180 krb5int_dk_string_to_key,
181 #else
182 SUN_CKM_DES3_CBC,
183 SUN_CKM_SHA1_HMAC,
184 CRYPTO_MECH_INVALID,
185 CRYPTO_MECH_INVALID
186 #endif /* !_KERNEL */
187 },
188
189 { ENCTYPE_DES_HMAC_SHA1,
190 "des-hmac-sha1", "DES with HMAC/sha1",
191 &krb5int_enc_des, &krb5int_hash_sha1,
192 krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt, 0,
193 #ifndef _KERNEL
194 krb5int_dk_string_to_key,
195 #else
196 SUN_CKM_DES_CBC,
197 SUN_CKM_SHA1_HMAC,
198 CRYPTO_MECH_INVALID,
199 CRYPTO_MECH_INVALID
200 #endif /* !_KERNEL */
201 },
202 { ENCTYPE_ARCFOUR_HMAC,
203 "arcfour-hmac","ArcFour with HMAC/md5", &krb5int_enc_arcfour,
204 &krb5int_hash_md5,
205 krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
206 krb5_arcfour_decrypt,
207 CKSUMTYPE_HMAC_MD5_ARCFOUR,
208 #ifndef _KERNEL
209 krb5int_arcfour_string_to_key,
210 #else
211 SUN_CKM_RC4,
212 SUN_CKM_MD5_HMAC,
213 CRYPTO_MECH_INVALID,
214 CRYPTO_MECH_INVALID
215 #endif /* !_KERNEL */
216 },
217 { ENCTYPE_ARCFOUR_HMAC, /* alias */
218 "rc4-hmac", "ArcFour with HMAC/md5", &krb5int_enc_arcfour,
219 &krb5int_hash_md5,
220 krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
221 krb5_arcfour_decrypt,
222 CKSUMTYPE_HMAC_MD5_ARCFOUR,
223 #ifndef _KERNEL
224 krb5int_arcfour_string_to_key,
225 #else
226 SUN_CKM_RC4,
227 SUN_CKM_MD5_HMAC,
228 CRYPTO_MECH_INVALID,
229 CRYPTO_MECH_INVALID
230 #endif /* !_KERNEL */
231 },
232 { ENCTYPE_ARCFOUR_HMAC, /* alias */
233 "arcfour-hmac-md5", "ArcFour with HMAC/md5", &krb5int_enc_arcfour,
234 &krb5int_hash_md5,
235 krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
236 krb5_arcfour_decrypt,
237 CKSUMTYPE_HMAC_MD5_ARCFOUR,
238 #ifndef _KERNEL
239 krb5int_arcfour_string_to_key,
240 #else
241 SUN_CKM_RC4,
242 SUN_CKM_MD5_HMAC,
243 CRYPTO_MECH_INVALID,
244 CRYPTO_MECH_INVALID
245 #endif /* !_KERNEL */
246 },
247 { ENCTYPE_ARCFOUR_HMAC_EXP,
248 "arcfour-hmac-exp", "Exportable ArcFour with HMAC/md5",
249 &krb5int_enc_arcfour,
250 &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
251 krb5_arcfour_decrypt,
252 CKSUMTYPE_HMAC_MD5_ARCFOUR,
253 #ifndef _KERNEL
254 krb5int_arcfour_string_to_key,
255 #else
256 SUN_CKM_RC4,
257 SUN_CKM_MD5_HMAC,
258 CRYPTO_MECH_INVALID,
259 CRYPTO_MECH_INVALID
260 #endif /* !_KERNEL */
261 },
262 { ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */
263 "rc4-hmac-exp", "Exportable ArcFour with HMAC/md5",
264 &krb5int_enc_arcfour,
265 &krb5int_hash_md5,
266 krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
267 krb5_arcfour_decrypt,
268 CKSUMTYPE_HMAC_MD5_ARCFOUR,
269 #ifndef _KERNEL
270 krb5int_arcfour_string_to_key,
271 #else
272 SUN_CKM_RC4,
273 SUN_CKM_MD5_HMAC,
274 CRYPTO_MECH_INVALID,
275 CRYPTO_MECH_INVALID
276 #endif /* !_KERNEL */
277 },
278 { ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */
279 "arcfour-hmac-md5-exp", "Exportable ArcFour with HMAC/md5",
280 &krb5int_enc_arcfour,
281 &krb5int_hash_md5,
282 krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
283 krb5_arcfour_decrypt,
284 CKSUMTYPE_HMAC_MD5_ARCFOUR,
285 #ifndef _KERNEL
286 krb5int_arcfour_string_to_key,
287 #else
288 SUN_CKM_RC4,
289 SUN_CKM_MD5_HMAC,
290 CRYPTO_MECH_INVALID,
291 CRYPTO_MECH_INVALID
292 #endif /* !_KERNEL */
293 },
294
295 /*
296 * Note, all AES enctypes must use SUN_CKM_AES_CBC. See aes_provider.c for
297 * more info.
298 */
299 { ENCTYPE_AES128_CTS_HMAC_SHA1_96,
300 "aes128-cts-hmac-sha1-96", "AES-128 CTS mode with 96-bit SHA-1 HMAC",
301 &krb5int_enc_aes128, &krb5int_hash_sha1,
302 krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
303 CKSUMTYPE_HMAC_SHA1_96_AES128,
304 #ifndef _KERNEL
305 krb5int_aes_string_to_key,
306 #else
307 SUN_CKM_AES_CBC,
308 SUN_CKM_SHA1_HMAC,
309 CRYPTO_MECH_INVALID,
310 CRYPTO_MECH_INVALID
311 #endif /* !_KERNEL */
312 },
313 { ENCTYPE_AES128_CTS_HMAC_SHA1_96,
314 "aes128-cts", "AES-128 CTS mode with 96-bit SHA-1 HMAC",
315 &krb5int_enc_aes128, &krb5int_hash_sha1,
316 krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
317 CKSUMTYPE_HMAC_SHA1_96_AES128,
318 #ifndef _KERNEL
319 krb5int_aes_string_to_key,
320 #else
321 SUN_CKM_AES_CBC,
322 SUN_CKM_SHA1_HMAC,
323 CRYPTO_MECH_INVALID,
324 CRYPTO_MECH_INVALID
325 #endif /* !_KERNEL */
326 },
327 { ENCTYPE_AES256_CTS_HMAC_SHA1_96,
328 "aes256-cts-hmac-sha1-96", "AES-256 CTS mode with 96-bit SHA-1 HMAC",
329 &krb5int_enc_aes256, &krb5int_hash_sha1,
330 krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
331 CKSUMTYPE_HMAC_SHA1_96_AES256,
332 #ifndef _KERNEL
333 krb5int_aes_string_to_key,
334 #else
335 SUN_CKM_AES_CBC,
336 SUN_CKM_SHA1_HMAC,
337 CRYPTO_MECH_INVALID,
338 CRYPTO_MECH_INVALID
339 #endif /* !_KERNEL */
340 },
341 { ENCTYPE_AES256_CTS_HMAC_SHA1_96,
342 "aes256-cts", "AES-256 CTS mode with 96-bit SHA-1 HMAC",
343 &krb5int_enc_aes256, &krb5int_hash_sha1,
344 krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
345 CKSUMTYPE_HMAC_SHA1_96_AES256,
346 #ifndef _KERNEL
347 krb5int_aes_string_to_key,
348 #else
349 SUN_CKM_AES_CBC,
350 SUN_CKM_SHA1_HMAC,
351 CRYPTO_MECH_INVALID,
352 CRYPTO_MECH_INVALID
353 #endif /* !_KERNEL */
354 },
355 };
356
357 const int krb5_enctypes_length =
358 sizeof(krb5_enctypes_list)/sizeof(struct krb5_keytypes);
359
360 #ifdef _KERNEL
361
362 /*
363 * Routine to pre-fetch the mechanism types from KEF so
364 * we dont keep doing this step later.
365 */
366 void
367 setup_kef_keytypes()
368 {
369 int i;
370 struct krb5_keytypes *kt;
371
372 for (i=0; i<krb5_enctypes_length; i++) {
373 kt = (struct krb5_keytypes *)&krb5_enctypes_list[i];
374 if (kt->kef_cipher_mt == CRYPTO_MECH_INVALID &&
375 kt->mt_e_name != NULL) {
376 krb5_enctypes_list[i].kef_cipher_mt =
377 crypto_mech2id(kt->mt_e_name);
378 }
379
380 if (kt->kef_hash_mt == CRYPTO_MECH_INVALID &&
381 kt->mt_h_name != NULL) {
382 krb5_enctypes_list[i].kef_hash_mt =
383 crypto_mech2id(kt->mt_h_name);
384 }
385 KRB5_LOG1(KRB5_INFO, "setup_kef_keytypes(): %s ==> %ld",
386 kt->mt_e_name,
387 (ulong_t) krb5_enctypes_list[i].kef_cipher_mt);
388 }
389 }
390
391 /*ARGSUSED*/
392 crypto_mech_type_t
393 get_cipher_mech_type(krb5_context context, krb5_keyblock *key)
394 {
395 int i;
396 struct krb5_keytypes *kt;
397
398 if (key == NULL)
399 return (CRYPTO_MECH_INVALID);
400
401 for (i=0; i<krb5_enctypes_length; i++) {
402 kt = (struct krb5_keytypes *)&krb5_enctypes_list[i];
403 if (kt->etype == key->enctype) {
404 KRB5_LOG1(KRB5_INFO, "get_cipher_mech_type() "
405 "found %s %ld",
406 kt->mt_e_name,
407 (ulong_t) kt->kef_cipher_mt);
408 return (kt->kef_cipher_mt);
409 }
410 }
411 return (CRYPTO_MECH_INVALID);
412 }
413
414 /*ARGSUSED*/
415 crypto_mech_type_t
416 get_hash_mech_type(krb5_context context, krb5_keyblock *key)
417 {
418 int i;
419 struct krb5_keytypes *kt;
420
421 if (key == NULL)
422 return (CRYPTO_MECH_INVALID);
423
424 for (i=0; i<krb5_enctypes_length; i++) {
425 kt = (struct krb5_keytypes *)&krb5_enctypes_list[i];
426 if (kt->etype == key->enctype) {
427 KRB5_LOG1(KRB5_INFO, "get_hash_mech_type() "
428 "found %s %ld",
429 kt->mt_h_name,
430 (ulong_t) kt->kef_hash_mt);
431 return (kt->kef_hash_mt);
432 }
433 }
434 return (CRYPTO_MECH_INVALID);
435 }
436
437 #endif /* _KERNEL */