size_t seed_length;
krb5_checksum FAR *outcksum;
{
- krb5_octet outtmp[RSA_MD5_DES_CKSUM_LENGTH];
+ krb5_octet outtmp[OLD_RSA_MD5_DES_CKSUM_LENGTH];
krb5_octet *input = (krb5_octet *)in;
krb5_encrypt_block eblock;
krb5_keyblock keyblock;
krb5_MD5Final(&working);
outcksum->checksum_type = CKSUMTYPE_RSA_MD5_DES;
- outcksum->length = RSA_MD5_DES_CKSUM_LENGTH;
+ outcksum->length = OLD_RSA_MD5_DES_CKSUM_LENGTH;
memcpy((char *)outtmp, (char *)&working.digest[0], 16);
/* now encrypt it */
retval = mit_des_cbc_encrypt((mit_des_cblock *)&outtmp[0],
(mit_des_cblock *)outcksum->contents,
- RSA_MD5_DES_CKSUM_LENGTH,
+ OLD_RSA_MD5_DES_CKSUM_LENGTH,
(struct mit_des_ks_struct *)eblock.priv,
keyblock.contents,
MIT_DES_ENCRYPT);
size_t seed_length;
krb5_checksum FAR *outcksum;
{
- krb5_octet outtmp[RSA_MD5_DES_CKSUM_LENGTH+
- RSA_MD5_DES_CONFOUND_LENGTH];
+ krb5_octet outtmp[NEW_RSA_MD5_DES_CKSUM_LENGTH];
mit_des_cblock tmpkey;
- krb5_octet *input = (krb5_octet *)in;
krb5_encrypt_block eblock;
krb5_keyblock keyblock;
krb5_error_code retval;
size_t i;
krb5_MD5_CTX working;
- if (outcksum->length < RSA_MD5_DES_CKSUM_LENGTH + RSA_MD5_DES_CONFOUND_LENGTH)
+ if (outcksum->length < NEW_RSA_MD5_DES_CKSUM_LENGTH)
return KRB5_BAD_MSIZE;
/* Generate the confounder in place */
- if (retval = krb5_random_confounder(RSA_MD5_DES_CONFOUND_LENGTH,
- outtmp))
+ if ((retval = krb5_random_confounder(RSA_MD5_DES_CONFOUND_LENGTH, outtmp)))
return(retval);
/* Calculate the checksum */
in_length);
outcksum->checksum_type = CKSUMTYPE_RSA_MD5_DES;
- outcksum->length = RSA_MD5_DES_CKSUM_LENGTH + RSA_MD5_DES_CONFOUND_LENGTH;
+ outcksum->length = NEW_RSA_MD5_DES_CKSUM_LENGTH;
/* Now blast in the digest */
memcpy((char *)&outtmp[RSA_MD5_DES_CONFOUND_LENGTH],
(char *)&working.digest[0],
- RSA_MD5_DES_CKSUM_LENGTH);
+ RSA_MD5_CKSUM_LENGTH);
/* Clean up the droppings */
memset((char *)&working, 0, sizeof(working));
/* now encrypt it */
retval = mit_des_cbc_encrypt((mit_des_cblock *)&outtmp[0],
(mit_des_cblock *)outcksum->contents,
- RSA_MD5_DES_CKSUM_LENGTH +
- RSA_MD5_DES_CONFOUND_LENGTH,
+ NEW_RSA_MD5_DES_CKSUM_LENGTH,
(struct mit_des_ks_struct *)eblock.priv,
zero_ivec,
MIT_DES_ENCRYPT);
krb5_pointer seed;
size_t seed_length;
{
- krb5_octet outtmp[RSA_MD5_DES_CKSUM_LENGTH+
- RSA_MD5_DES_CONFOUND_LENGTH];
+ krb5_octet outtmp[NEW_RSA_MD5_DES_CKSUM_LENGTH];
mit_des_cblock tmpkey;
- krb5_octet *input = (krb5_octet *)in;
krb5_encrypt_block eblock;
krb5_keyblock keyblock;
krb5_error_code retval;
if (cksum->checksum_type == CKSUMTYPE_RSA_MD5_DES) {
#ifdef MD5_K5BETA_COMPAT
/*
- * We have a backwards compatibility problem here. Kerberos version 5
- * Beta 5 and previous releases did not correctly generate RSA-MD5-DES
- * checksums. The way that we can differentiate is by the length of
- * the provided checksum. If it's only RSA_MD5_DES_CKSUM_LENGTH, then
- * it's the old style, otherwise it's the correct implementation.
+ * We have a backwards compatibility problem here. Kerberos
+ * version 5 Beta 5 and previous releases did not correctly
+ * generate RSA-MD5-DES checksums. The way that we can
+ * differentiate is by the length of the provided checksum.
+ * If it's only OLD_RSA_MD5_DES_CKSUM_LENGTH, then it's the
+ * old style, otherwise it's the correct implementation.
*/
- if (cksum->length == RSA_MD5_DES_CKSUM_LENGTH) {
+ if (cksum->length == OLD_RSA_MD5_DES_CKSUM_LENGTH) {
/*
* If we're verifying the Old Style (tm) checksum, then we can just
* recalculate the checksum and encrypt it and see if it's the
/* now encrypt the checksum */
retval = mit_des_cbc_encrypt((mit_des_cblock *)&working.digest[0],
(mit_des_cblock *)&outtmp[0],
- RSA_MD5_DES_CKSUM_LENGTH,
+ OLD_RSA_MD5_DES_CKSUM_LENGTH,
(struct mit_des_ks_struct *)
eblock.priv,
keyblock.contents,
(void) mit_des_finish_key(&eblock);
return retval;
}
- if (retval = mit_des_finish_key(&eblock))
+ if ((retval = mit_des_finish_key(&eblock)))
return(retval);
/* Compare the encrypted checksums */
if (memcmp((char *) &outtmp[0],
(char *) cksum->contents,
- RSA_MD5_DES_CKSUM_LENGTH))
+ OLD_RSA_MD5_DES_CKSUM_LENGTH))
retval = KRB5KRB_AP_ERR_BAD_INTEGRITY;
}
else
#endif /* MD5_K5BETA_COMPAT */
- if (cksum->length == (RSA_MD5_DES_CKSUM_LENGTH +
- RSA_MD5_DES_CONFOUND_LENGTH)) {
+ if (cksum->length == (NEW_RSA_MD5_DES_CKSUM_LENGTH)) {
/*
* If we're verifying the correct implementation, then we have
* to do a little more work because we must decrypt the checksum
/* now decrypt it */
retval = mit_des_cbc_encrypt((mit_des_cblock *)cksum->contents,
(mit_des_cblock *)&outtmp[0],
- RSA_MD5_DES_CKSUM_LENGTH +
- RSA_MD5_DES_CONFOUND_LENGTH,
+ NEW_RSA_MD5_DES_CKSUM_LENGTH,
(struct mit_des_ks_struct *)
eblock.priv,
zero_ivec,
(void) mit_des_finish_key(&eblock);
return retval;
}
- if (retval = mit_des_finish_key(&eblock))
- return(retval);
-
- /* Now that we have the decrypted checksum, try to regenerate it */
- krb5_md5_calculate_cksum(&working,
- (krb5_pointer) outtmp,
- (size_t) RSA_MD5_DES_CONFOUND_LENGTH,
- in,
- in_length);
-
- /* Compare the checksums */
- if (memcmp((char *) &outtmp[RSA_MD5_DES_CONFOUND_LENGTH],
- (char *) &working.digest[0],
- RSA_MD5_DES_CKSUM_LENGTH))
- retval = KRB5KRB_AP_ERR_BAD_INTEGRITY;
- }
- else
- retval = KRB5KRB_AP_ERR_BAD_INTEGRITY;
- }
-#if CKSUMTYPE_RSA_MD5_DES3
- else if (cksum->checksum_type == CKSUMTYPE_RSA_MD5_DES3) {
- if (cksum->length == (RSA_MD5_DES_CKSUM_LENGTH +
- RSA_MD5_DES_CONFOUND_LENGTH)) {
- /*
- * If we're verifying the correct implementation, then we have
- * to do a little more work because we must decrypt the checksum
- * because it contains the confounder in it. So, figure out
- * what our key variant is and then do it!
- */
-
- /* Set up the variant of the key (see RFC 1510 section 6.4.5) */
- memset((char *) tmpkey, 0, sizeof(mit_des_cblock));
- for (i=0; (i<seed_length) && (i<sizeof(mit_des_cblock)); i++)
- tmpkey[i] = (((krb5_octet *) seed)[i]) ^ 0xf0;
-
- keyblock.length = sizeof(mit_des3_cblock);
- keyblock.contents = (krb5_octet *) tmpkey;
- keyblock.enctype = ENCTYPE_DES3_CBC_MD5;
-
- if ((retval = mit_des3_process_key(&eblock, &keyblock)))
- return retval;
- /* now decrypt it */
- retval = mit_des3_cbc_encrypt((mit_des_cblock *)cksum->contents,
- (mit_des_cblock *)&outtmp[0],
- RSA_MD5_DES_CKSUM_LENGTH +
- RSA_MD5_DES_CONFOUND_LENGTH,
- (struct mit_des_ks_struct *)
- eblock.priv,
- ((struct mit_des_ks_struct *)
- eblock.priv) + 1,
- ((struct mit_des_ks_struct *)
- eblock.priv) + 2,
- keyblock.contents,
- MIT_DES_DECRYPT);
- if (retval) {
- (void) mit_des_finish_key(&eblock);
- return retval;
- }
- if (retval = mit_des_finish_key(&eblock))
+ if ((retval = mit_des_finish_key(&eblock)))
return(retval);
/* Now that we have the decrypted checksum, try to regenerate it */
/* Compare the checksums */
if (memcmp((char *) &outtmp[RSA_MD5_DES_CONFOUND_LENGTH],
(char *) &working.digest[0],
- RSA_MD5_DES_CKSUM_LENGTH))
+ RSA_MD5_CKSUM_LENGTH))
retval = KRB5KRB_AP_ERR_BAD_INTEGRITY;
}
else
retval = KRB5KRB_AP_ERR_BAD_INTEGRITY;
}
-#endif /* CKSUMTYPE_RSA_MD5_DES3 */
else
retval = KRB5KRB_AP_ERR_INAPP_CKSUM;
0,
krb5_md5_crypto_compat_sum_func,
krb5_md5_crypto_verify_func,
- RSA_MD5_DES_CKSUM_LENGTH,
+ OLD_RSA_MD5_DES_CKSUM_LENGTH,
1, /* is collision proof */
1, /* uses key */
};
0,
krb5_md5_crypto_sum_func,
krb5_md5_crypto_verify_func,
- RSA_MD5_DES_CKSUM_LENGTH+RSA_MD5_DES_CONFOUND_LENGTH,
+ NEW_RSA_MD5_DES_CKSUM_LENGTH,
1, /* is collision proof */
1, /* uses key */
};
if (scompat) {
rsa_md5_des_cksumtable_entry.sum_func = krb5_md5_crypto_compat_sum_func;
rsa_md5_des_cksumtable_entry.checksum_length =
- RSA_MD5_DES_CKSUM_LENGTH;
+ OLD_RSA_MD5_DES_CKSUM_LENGTH;
}
else {
rsa_md5_des_cksumtable_entry.sum_func = krb5_md5_crypto_sum_func;
rsa_md5_des_cksumtable_entry.checksum_length =
- RSA_MD5_DES_CKSUM_LENGTH + RSA_MD5_DES_CONFOUND_LENGTH;
+ NEW_RSA_MD5_DES_CKSUM_LENGTH;
}
}
#endif /* MD5_K5BETA_COMPAT */
#endif /* MD == 5 */
#include "des_int.h"
+#define MD5_K5BETA_COMPAT
+#define MD4_K5BETA_COMPAT
+
#if MD == 4
#define CONFOUNDER_LENGTH RSA_MD4_DES_CONFOUND_LENGTH
-#define CHECKSUM_LENGTH RSA_MD4_DES_CKSUM_LENGTH
+#define NEW_CHECKSUM_LENGTH NEW_RSA_MD4_DES_CKSUM_LENGTH
+#define OLD_CHECKSUM_LENGTH OLD_RSA_MD4_DES_CKSUM_LENGTH
#define CHECKSUM_TYPE CKSUMTYPE_RSA_MD4_DES
#ifdef MD4_K5BETA_COMPAT
#define K5BETA_COMPAT 1
#if MD == 5
#define CONFOUNDER_LENGTH RSA_MD5_DES_CONFOUND_LENGTH
-#define CHECKSUM_LENGTH RSA_MD5_DES_CKSUM_LENGTH
+#define NEW_CHECKSUM_LENGTH NEW_RSA_MD5_DES_CKSUM_LENGTH
+#define OLD_CHECKSUM_LENGTH OLD_RSA_MD5_DES_CKSUM_LENGTH
#define CHECKSUM_TYPE CKSUMTYPE_RSA_MD5_DES
#ifdef MD5_K5BETA_COMPAT
#define K5BETA_COMPAT 1
int argc;
char **argv;
{
- krb5_octet confound[CONFOUNDER_LENGTH];
int msgindex;
- int i;
krb5_context kcontext;
krb5_encrypt_block encblock;
krb5_keyblock keyblock;
pwdata.length = strlen(pwd);
pwdata.data = pwd;
krb5_use_enctype(kcontext, &encblock, DEFAULT_KDC_ENCTYPE);
- if (kret = mit_des_string_to_key(&encblock, &keyblock, &pwdata, NULL)) {
+ if ((kret = mit_des_string_to_key(&encblock, &keyblock, &pwdata, NULL))) {
printf("mit_des_string_to_key choked with %d\n", kret);
return(kret);
}
- if (kret = mit_des_process_key(&encblock, &keyblock)) {
+ if ((kret = mit_des_process_key(&encblock, &keyblock))) {
printf("mit_des_process_key choked with %d\n", kret);
return(kret);
}
- oldstyle_checksum.length = CHECKSUM_LENGTH;
- if (!(oldstyle_checksum.contents = (krb5_octet *) malloc(CHECKSUM_LENGTH))) {
+ oldstyle_checksum.length = OLD_CHECKSUM_LENGTH;
+ if (!(oldstyle_checksum.contents = (krb5_octet *) malloc(OLD_CHECKSUM_LENGTH))) {
printf("cannot get memory for old style checksum\n");
return(ENOMEM);
}
- newstyle_checksum.length = krb5_checksum_size(kcontext, CHECKSUM_TYPE);
+ newstyle_checksum.length = NEW_CHECKSUM_LENGTH;
if (!(newstyle_checksum.contents = (krb5_octet *)
- malloc(newstyle_checksum.length))) {
+ malloc(NEW_CHECKSUM_LENGTH))) {
printf("cannot get memory for new style checksum\n");
return(ENOMEM);
}
for (msgindex = 1; msgindex < argc; msgindex++) {
- if (kret = CKSUM_FUNCTION(argv[msgindex],
- strlen(argv[msgindex]),
- (krb5_pointer) keyblock.contents,
- keyblock.length,
- &newstyle_checksum)) {
+ if ((kret = CKSUM_FUNCTION(argv[msgindex],
+ strlen(argv[msgindex]),
+ (krb5_pointer) keyblock.contents,
+ keyblock.length,
+ &newstyle_checksum))) {
printf("krb5_calculate_checksum choked with %d\n", kret);
break;
}
print_checksum("correct", MD, argv[msgindex], &newstyle_checksum);
#ifdef K5BETA_COMPAT
- if (kret = COMPAT_FUNCTION(argv[msgindex],
- strlen(argv[msgindex]),
- (krb5_pointer) keyblock.contents,
- keyblock.length,
- &oldstyle_checksum)) {
+ if ((kret = COMPAT_FUNCTION(argv[msgindex],
+ strlen(argv[msgindex]),
+ (krb5_pointer) keyblock.contents,
+ keyblock.length,
+ &oldstyle_checksum))) {
printf("old style calculate_checksum choked with %d\n", kret);
break;
}
print_checksum("old", MD, argv[msgindex], &oldstyle_checksum);
#endif /* K5BETA_COMPAT */
- if (kret = VERIFY_FUNCTION(&newstyle_checksum,
- argv[msgindex],
- strlen(argv[msgindex]),
- (krb5_pointer) keyblock.contents,
- keyblock.length)) {
+ if ((kret = VERIFY_FUNCTION(&newstyle_checksum,
+ argv[msgindex],
+ strlen(argv[msgindex]),
+ (krb5_pointer) keyblock.contents,
+ keyblock.length))) {
printf("verify on new checksum choked with %d\n", kret);
break;
}
printf("Verify succeeded for \"%s\"\n", argv[msgindex]);
#ifdef K5BETA_COMPAT
- if (kret = VERIFY_FUNCTION(&oldstyle_checksum,
- argv[msgindex],
- strlen(argv[msgindex]),
- (krb5_pointer) keyblock.contents,
- keyblock.length)) {
+ if ((kret = VERIFY_FUNCTION(&oldstyle_checksum,
+ argv[msgindex],
+ strlen(argv[msgindex]),
+ (krb5_pointer) keyblock.contents,
+ keyblock.length))) {
printf("verify on old checksum choked with %d\n", kret);
break;
}
projects / krb5.git / commitdiff