-CFLAGS = $(CCOPTS) $(DEFS) -I$(srcdir)/crc32 -I$(srcdir)/des -I$(srcdir)/md4 -I$(srcdir)/md5
+CFLAGS = $(CCOPTS) $(DEFS) -I$(srcdir)/crc32 -I$(srcdir)/des -I$(srcdir)/md4 -I$(srcdir)/md5 -I$(srcdir)/sha
##DOSBUILDTOP = ..\..
##DOSLIBNAME=crypto.lib
decrypt_data.$(OBJEXT) \
des_crc.$(OBJEXT) \
des_md5.$(OBJEXT) \
- des3_md5.$(OBJEXT) \
+ des3_sha.$(OBJEXT) \
des3_raw.$(OBJEXT) \
raw_des.$(OBJEXT)
$(srcdir)/decrypt_data.c \
$(srcdir)/des_crc.c \
$(srcdir)/des_md5.c \
- $(srcdir)/des3_md5.c \
+ $(srcdir)/des3_sha.c \
$(srcdir)/des3_raw.c \
$(srcdir)/raw_des.c
-LIB_SUBDIRS= des md4 md5 crc32 os .
+LIB_SUBDIRS= des md4 md5 sha crc32 os .
LIBUPDATE= $(BUILDTOP)/util/libupdate
-LIBDONE= ./des/DONE ./md4/DONE ./md5/DONE ./crc32/DONE ./os/DONE ./DONE
+LIBDONE= ./des/DONE ./md4/DONE ./md5/DONE ./sha/DONE ./crc32/DONE ./os/DONE ./DONE
# No dependencies. Record places to find this shared object if the target
# link editor and loader support it.
cd ..\md5
@echo Making in crypto\md5
-$(MAKE) -$(MFLAGS) LIBCMD=$(LIBCMD)
+ cd ..\sha
+ @echo Making in crypto\sha
+ -$(MAKE) -$(MFLAGS) LIBCMD=$(LIBCMD)
cd ..
clean-windows::
cd ..\md5
@echo Making clean in crypto\md5
-$(MAKE) -$(MFLAGS) clean
+ cd ..\sha
+ @echo Making clean in crypto\sha
+ -$(MAKE) -$(MFLAGS) clean
cd ..\os
@echo Making clean in crypto\os
-$(MAKE) -$(MFLAGS) clean
cd ..\md5
@echo Making check in crypto\md5
-$(MAKE) -$(MFLAGS) check
+ cd ..\sha
+ @echo Making check in crypto\sha
+ -$(MAKE) -$(MFLAGS) check
cd ..\os
@echo Making check in crypto\os
-$(MAKE) -$(MFLAGS) check
AC_INIT(configure.in)
CONFIG_RULES
-CONFIG_DIRS(des crc32 md4 md5 os)
+CONFIG_DIRS(des crc32 md4 md5 sha os)
AC_PROG_ARCHIVE
AC_PROG_ARCHIVE_ADD
AC_PROG_RANLIB
else
AC_MSG_RESULT(Disabling DES_CBC_MD5)
fi
-AC_ARG_ENABLE([des3-cbc-md5],
-[ --enable-des3-cbc-md5 enable DES3_CBC_MD5 (DEFAULT).
- --disable-des3-cbc-md5 disable DES3_CBC_MD5.],
+AC_ARG_ENABLE([des3-cbc-sha],
+[ --enable-des3-cbc-sha enable DES3_CBC_SHA (DEFAULT).
+ --disable-des3-cbc-sha disable DES3_CBC_SHA.],
,
enableval=yes)dnl
if test "$enableval" = yes; then
- AC_MSG_RESULT(Enabling DES3_CBC_MD5)
- AC_DEFINE(PROVIDE_DES3_CBC_MD5)
+ AC_MSG_RESULT(Enabling DES3_CBC_SHA)
+ AC_DEFINE(PROVIDE_DES3_CBC_SHA)
else
- AC_MSG_RESULT(Disabling DES3_CBC_MD5)
+ AC_MSG_RESULT(Disabling DES3_CBC_SHA)
fi
AC_ARG_WITH([des-cbc-crc],
[ --enable-des-cbc-crc enable DES_CBC_CRC (DEFAULT).
else
AC_MSG_RESULT(Disabling RSA_MD5)
fi
+AC_ARG_WITH([nist-sha],
+[ --enable-nist-sha enable NIST_SHA (DEFAULT).
+ --disable-nist-sha disable NIST_SHA.],
+,
+enableval=yes)dnl
+if test "$enableval" = yes; then
+ AC_MSG_RESULT(Enabling NIST_SHA)
+ AC_DEFINE(PROVIDE_NIST_SHA)
+else
+ AC_MSG_RESULT(Disabling NIST_SHA)
+fi
V5_SHARED_LIB_OBJS
SubdirLibraryRule([${OBJS}])
#include "rsa-md5.h"
#define MD5_CKENTRY &rsa_md5_cksumtable_entry
#define MD5_DES_CKENTRY &rsa_md5_des_cksumtable_entry
-#define MD5_DES3_CKENTRY MD5_DES_CKENTRY
#else
#define MD5_CKENTRY 0
#define MD5_DES_CKENTRY 0
-#define MD5_DES3_CKENTRY 0
+#endif
+
+#ifdef PROVIDE_NIST_SHA
+#include "shs.h"
+#define SHA_CKENTRY &nist_sha_cksumtable_entry
+#define SHA_DES3_CKENTRY &nist_sha_des3_cksumtable_entry
+#else
+#define SHA_CKENTRY 0
+#define SHA_DES3_CKENTRY 0
#endif
#ifdef PROVIDE_SNEFRU
#define DES_CBC_RAW_CSENTRY 0
#endif
-#ifdef PROVIDE_DES3_CBC_MD5
+#ifdef PROVIDE_DES3_CBC_SHA
#ifndef _DES_DONE__
#include "des_int.h"
#define _DES_DONE__
#endif
-#define DES3_CBC_MD5_CSENTRY &krb5_des3_md5_cst_entry
+#define DES3_CBC_SHA_CSENTRY &krb5_des3_sha_cst_entry
#else
-#define DES3_CBC_MD5_CSENTRY 0
+#define DES3_CBC_SHA_CSENTRY 0
#endif
#ifdef PROVIDE_DES3_CBC_RAW
0, /* ENCTYPE_DES_CBC_MD4 */
DES_CBC_MD5_CSENTRY, /* ENCTYPE_DES_CBC_MD5 */
DES_CBC_RAW_CSENTRY, /* ENCTYPE_DES_CBC_RAW */
- DES3_CBC_MD5_CSENTRY, /* ENCTYPE_DES3_CBC_MD5 */
+ DES3_CBC_SHA_CSENTRY, /* ENCTYPE_DES3_CBC_SHA */
DES3_CBC_RAW_CSENTRY /* ENCTYPE_DES3_CBC_RAW */
};
0, /* 6 - rsa-md4-des-k */
MD5_CKENTRY, /* 7 - CKSUMTYPE_RSA_MD5 */
MD5_DES_CKENTRY, /* 8 - CKSUMTYPE_RSA_MD5_DES */
- MD5_DES3_CKENTRY /* 9 - CKSUMTYPE_RSA_MD5_DES3 */
+ SHA_CKENTRY, /* 9 - CKSUMTYPE_NIST_SHA */
+ SHA_DES3_CKENTRY /* 10 - CKSUMTYPE_NIST_SHA_DES3 */
};
krb5_cksumtype krb5_max_cksum = sizeof(krb5_cksumarray)/sizeof(krb5_cksumarray[0]);
--- /dev/null
+/*
+ * lib/crypto/des3-sha.c
+ *
+ * Copyright 1996 by Lehman Brothers, Inc.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of Lehman Brothers or M.I.T. not be used in advertising or
+ * publicity pertaining to distribution of the software without
+ * specific, written prior permission. Lehman Brothers and
+ * M.I.T. make no representations about the suitability of this
+ * software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include "k5-int.h"
+#include "shs.h"
+#include "des_int.h"
+
+krb5_error_code mit_des3_sha_encrypt_func
+ PROTOTYPE(( krb5_const_pointer, krb5_pointer, const size_t,
+ krb5_encrypt_block *, krb5_pointer ));
+
+krb5_error_code mit_des3_sha_decrypt_func
+ PROTOTYPE(( krb5_const_pointer, krb5_pointer, const size_t,
+ krb5_encrypt_block *, krb5_pointer ));
+
+static mit_des_cblock zero_ivec = { 0 };
+
+static krb5_cryptosystem_entry mit_des3_sha_cryptosystem_entry = {
+ 0,
+ mit_des3_sha_encrypt_func,
+ mit_des3_sha_decrypt_func,
+ mit_des3_process_key,
+ mit_des_finish_key,
+ mit_des3_string_to_key,
+ mit_des_init_random_key,
+ mit_des_finish_random_key,
+ mit_des_random_key,
+ sizeof(mit_des_cblock),
+ NIST_SHA_CKSUM_LENGTH+sizeof(mit_des_cblock),
+ sizeof(mit_des3_cblock),
+ ENCTYPE_DES3_CBC_SHA
+ };
+
+krb5_cs_table_entry krb5_des3_sha_cst_entry = {
+ 0,
+ &mit_des3_sha_cryptosystem_entry,
+ 0
+ };
+
+
+krb5_error_code
+mit_des3_sha_encrypt_func(in, out, size, key, ivec)
+ krb5_const_pointer in;
+ krb5_pointer out;
+ const size_t size;
+ krb5_encrypt_block * key;
+ krb5_pointer ivec;
+{
+ krb5_checksum cksum;
+ krb5_octet contents[NIST_SHA_CKSUM_LENGTH];
+ int sumsize;
+ krb5_error_code retval;
+
+/* if ( size < sizeof(mit_des_cblock) )
+ return KRB5_BAD_MSIZE; */
+
+ /* caller passes data size, and saves room for the padding. */
+ /* format of ciphertext, per RFC is:
+ +-----------+----------+-------------+-----+
+ |confounder | check | msg-seq | pad |
+ +-----------+----------+-------------+-----+
+
+ our confounder is 8 bytes (one cblock);
+ our checksum is NIST_SHA_CKSUM_LENGTH
+ */
+ sumsize = krb5_roundup(size+NIST_SHA_CKSUM_LENGTH+sizeof(mit_des_cblock),
+ sizeof(mit_des_cblock));
+
+ /* assemble crypto input into the output area, then encrypt in place. */
+
+ memset((char *)out, 0, sumsize);
+
+ /* put in the confounder */
+ if ((retval = krb5_random_confounder(sizeof(mit_des_cblock), out)))
+ return retval;
+
+ memcpy((char *)out+sizeof(mit_des_cblock)+NIST_SHA_CKSUM_LENGTH, (char *)in,
+ size);
+
+ cksum.contents = contents;
+
+ /* This is equivalent to krb5_calculate_checksum(CKSUMTYPE_MD5,...)
+ but avoids use of the cryptosystem config table which can not be
+ referenced here if this object is to be included in a shared library. */
+ if ((retval = nist_sha_cksumtable_entry.sum_func((krb5_pointer) out,
+ sumsize,
+ (krb5_pointer)key->key->contents,
+ key->key->length,
+ &cksum)))
+ return retval;
+
+ memcpy((char *)out+sizeof(mit_des_cblock), (char *)contents,
+ NIST_SHA_CKSUM_LENGTH);
+
+ /* We depend here on the ability of this DES-3 implementation to
+ encrypt plaintext to ciphertext in-place. */
+ return (mit_des3_cbc_encrypt(out,
+ out,
+ sumsize,
+ (struct mit_des_ks_struct *) key->priv,
+ ((struct mit_des_ks_struct *) key->priv) + 1,
+ ((struct mit_des_ks_struct *) key->priv) + 2,
+ ivec ? ivec : (krb5_pointer)zero_ivec,
+ MIT_DES_ENCRYPT));
+
+}
+
+krb5_error_code
+mit_des3_sha_decrypt_func(in, out, size, key, ivec)
+ krb5_const_pointer in;
+ krb5_pointer out;
+ const size_t size;
+ krb5_encrypt_block * key;
+ krb5_pointer ivec;
+{
+ krb5_checksum cksum;
+ krb5_octet contents_prd[NIST_SHA_CKSUM_LENGTH];
+ krb5_octet contents_get[NIST_SHA_CKSUM_LENGTH];
+ char *p;
+ krb5_error_code retval;
+
+ if ( size < 2*sizeof(mit_des_cblock) )
+ return KRB5_BAD_MSIZE;
+
+ retval = mit_des3_cbc_encrypt((const mit_des_cblock *) in,
+ out,
+ size,
+ (struct mit_des_ks_struct *) key->priv,
+ ((struct mit_des_ks_struct *) key->priv) + 1,
+ ((struct mit_des_ks_struct *) key->priv) + 2,
+ ivec ? ivec : (krb5_pointer)zero_ivec,
+ MIT_DES_DECRYPT);
+ if (retval)
+ return retval;
+
+ cksum.contents = contents_prd;
+ p = (char *)out + sizeof(mit_des_cblock);
+ memcpy((char *)contents_get, p, NIST_SHA_CKSUM_LENGTH);
+ memset(p, 0, NIST_SHA_CKSUM_LENGTH);
+
+ if ((retval = nist_sha_cksumtable_entry.sum_func(out, size,
+ (krb5_pointer)key->key->contents,
+ key->key->length,
+ &cksum)))
+ return retval;
+
+ if (memcmp((char *)contents_get, (char *)contents_prd, NIST_SHA_CKSUM_LENGTH) )
+ return KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ memmove((char *)out, (char *)out +
+ sizeof(mit_des_cblock) + NIST_SHA_CKSUM_LENGTH,
+ size - sizeof(mit_des_cblock) - NIST_SHA_CKSUM_LENGTH);
+ return 0;
+}