keylength is the output size */
size_t block_size, keybytes, keylength;
- /* cipher-state == 0 fresh state thrown away at end */
krb5_error_code (*encrypt)(krb5_key key, const krb5_data *cipher_state,
- const krb5_data *input, krb5_data *output);
+ krb5_crypto_iov *data, size_t num_data);
- krb5_error_code (*decrypt)(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output);
+ krb5_error_code (*decrypt)(krb5_key key, const krb5_data *cipher_state,
+ krb5_crypto_iov *data, size_t num_data);
krb5_error_code (*make_key)(const krb5_data *randombits,
krb5_keyblock *key);
krb5_data *out_state);
krb5_error_code (*free_state)(krb5_data *state);
- /* In-place encryption/decryption of multiple buffers */
- krb5_error_code (*encrypt_iov)(krb5_key key, const krb5_data *cipher_state,
- krb5_crypto_iov *data, size_t num_data);
-
- krb5_error_code (*decrypt_iov)(krb5_key key, const krb5_data *cipher_state,
- krb5_crypto_iov *data, size_t num_data);
-
};
struct krb5_hash_provider {
krb5_boolean *valid);
};
-struct krb5_aead_provider {
- krb5_error_code (*crypto_length)(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_cryptotype type,
- unsigned int *length);
- krb5_error_code (*encrypt_iov)(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage keyusage,
- const krb5_data *ivec,
- krb5_crypto_iov *data, size_t num_data);
- krb5_error_code (*decrypt_iov)(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage keyusage,
- const krb5_data *ivec,
- krb5_crypto_iov *data, size_t num_data);
-};
-
/*
* in here to deal with stuff from lib/crypto
*/
krb5int_clean_hostname(krb5_context, const char *, char *, size_t);
krb5_error_code
-krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output);
+krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
+ size_t num_data);
+
krb5_error_code
-krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output);
+krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
+ size_t num_data);
struct _krb5_kt { /* should move into k5-int.h */
krb5_magic magic;
STLIBOBJS=\
aescrypt.o \
aestab.o \
- aeskey.o \
- aes_s2k.o
+ aeskey.o
OBJS=\
$(OUTPRE)aescrypt.$(OBJEXT) \
$(OUTPRE)aestab.$(OBJEXT) \
- $(OUTPRE)aeskey.$(OBJEXT) \
- $(OUTPRE)aes_s2k.$(OBJEXT)
+ $(OUTPRE)aeskey.$(OBJEXT)
SRCS=\
$(srcdir)/aescrypt.c \
$(srcdir)/aestab.c \
$(srcdir)/aeskey.c \
- $(srcdir)/aes_s2k.c
GEN_OBJS=\
$(OUTPRE)aescrypt.$(OBJEXT) \
+++ /dev/null
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * lib/crypto/aes/aes_s2k.c
- *
- * Copyright 2003 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * krb5int_aes_string_to_key
- */
-
-#include "k5-int.h"
-#include "dk.h"
-#include "aes_s2k.h"
-
-#define DEFAULT_ITERATION_COUNT 4096 /* was 0xb000L in earlier drafts */
-#define MAX_ITERATION_COUNT 0x1000000L
-
-krb5_error_code
-krb5int_aes_string_to_key(const struct krb5_enc_provider *enc,
- const krb5_data *string,
- const krb5_data *salt,
- const krb5_data *params,
- krb5_keyblock *key)
-{
- unsigned long iter_count;
- krb5_data out;
- static const krb5_data usage = { KV5M_DATA, 8, "kerberos" };
- krb5_key tempkey = NULL;
- krb5_error_code err;
-
- if (params) {
- unsigned char *p = (unsigned char *) params->data;
- if (params->length != 4)
- return KRB5_ERR_BAD_S2K_PARAMS;
- /* The first two need casts in case 'int' is 16 bits. */
- iter_count = load_32_be(p);
- if (iter_count == 0) {
- iter_count = (1UL << 16) << 16;
- if (((iter_count >> 16) >> 16) != 1)
- return KRB5_ERR_BAD_S2K_PARAMS;
- }
- } else
- iter_count = DEFAULT_ITERATION_COUNT;
-
- /* This is not a protocol specification constraint; this is an
- implementation limit, which should eventually be controlled by
- a config file. */
- if (iter_count >= MAX_ITERATION_COUNT)
- return KRB5_ERR_BAD_S2K_PARAMS;
-
- /* Use the output keyblock contents for temporary space. */
- out.data = (char *) key->contents;
- out.length = key->length;
- if (out.length != 16 && out.length != 32)
- return KRB5_CRYPTO_INTERNAL;
-
- err = krb5int_pbkdf2_hmac_sha1 (&out, iter_count, string, salt);
- if (err)
- goto cleanup;
-
- err = krb5_k_create_key (NULL, key, &tempkey);
- if (err)
- goto cleanup;
-
- err = krb5int_derive_keyblock (enc, tempkey, key, &usage);
-
-cleanup:
- if (err)
- memset (out.data, 0, out.length);
- krb5_k_free_key (NULL, tempkey);
- return err;
-}
+++ /dev/null
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * lib/crypto/openssl/aes/aes_s2k.h
- */
-
-
-extern krb5_error_code
-krb5int_aes_string_to_key (const struct krb5_enc_provider *,
- const krb5_data *, const krb5_data *,
- const krb5_data *, krb5_keyblock *key);
aes.h aesopt.h aestab.c uitypes.h
aeskey.so aeskey.po $(OUTPRE)aeskey.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
aes.h aeskey.c aesopt.h uitypes.h
-aes_s2k.so aes_s2k.po $(OUTPRE)aes_s2k.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/dk/dk.h \
- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- aes_s2k.c aes_s2k.h
hmac.so hmac.po $(OUTPRE)hmac.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../krb/aead.h \
- $(srcdir)/../krb/cksumtypes.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
- $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h hmac.c
+ $(srcdir)/../krb/cksumtypes.h $(srcdir)/../krb/etypes.h \
+ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ hmac.c
pbkdf2.so pbkdf2.po $(OUTPRE)pbkdf2.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/hash_provider/hash_provider.h \
STLIBOBJS=\
afsstring2key.o \
- d3_cbc.o \
d3_aead.o \
d3_kysched.o \
f_aead.o \
- f_cbc.o \
f_cksum.o \
f_parity.o \
f_sched.o \
weak_key.o
OBJS= $(OUTPRE)afsstring2key.$(OBJEXT) \
- $(OUTPRE)d3_cbc.$(OBJEXT) \
$(OUTPRE)d3_aead.$(OBJEXT) \
$(OUTPRE)d3_kysched.$(OBJEXT) \
$(OUTPRE)f_aead.$(OBJEXT) \
- $(OUTPRE)f_cbc.$(OBJEXT) \
$(OUTPRE)f_cksum.$(OBJEXT) \
$(OUTPRE)f_parity.$(OBJEXT) \
$(OUTPRE)f_sched.$(OBJEXT) \
$(OUTPRE)weak_key.$(OBJEXT)
SRCS= $(srcdir)/afsstring2key.c \
- $(srcdir)/d3_cbc.c \
$(srcdir)/d3_aead.c \
$(srcdir)/d3_kysched.c \
$(srcdir)/f_aead.c \
- $(srcdir)/f_cbc.c \
$(srcdir)/f_cksum.c \
$(srcdir)/f_parity.c \
$(srcdir)/f_sched.c \
$(srcdir)/weak_key.c \
$(srcdir)/string2key.c
-EXTRADEPSRCS = $(SRCDIR)destest.c
+EXTRADEPSRCS = $(srcdir)/destest.c $(srcdir)/f_cbc.c $(srcdir)/t_verify.c
##DOS##LIBOBJS = $(OBJS)
#include "aead.h"
void
-krb5int_des3_cbc_encrypt_iov(krb5_crypto_iov *data,
- unsigned long num_data,
- const mit_des_key_schedule ks1,
- const mit_des_key_schedule ks2,
- const mit_des_key_schedule ks3,
- mit_des_cblock ivec)
+krb5int_des3_cbc_encrypt(krb5_crypto_iov *data, unsigned long num_data,
+ const mit_des_key_schedule ks1,
+ const mit_des_key_schedule ks2,
+ const mit_des_key_schedule ks3,
+ mit_des_cblock ivec)
{
unsigned DES_INT32 left, right;
const unsigned DES_INT32 *kp1, *kp2, *kp3;
}
void
-krb5int_des3_cbc_decrypt_iov(krb5_crypto_iov *data,
- unsigned long num_data,
- const mit_des_key_schedule ks1,
- const mit_des_key_schedule ks2,
- const mit_des_key_schedule ks3,
- mit_des_cblock ivec)
+krb5int_des3_cbc_decrypt(krb5_crypto_iov *data, unsigned long num_data,
+ const mit_des_key_schedule ks1,
+ const mit_des_key_schedule ks2,
+ const mit_des_key_schedule ks3,
+ mit_des_cblock ivec)
{
unsigned DES_INT32 left, right;
const unsigned DES_INT32 *kp1, *kp2, *kp3;
+++ /dev/null
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright 1995 by Richard P. Basch. All Rights Reserved.
- * Copyright 1995 by Lehman Brothers, Inc. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of Richard P. Basch, Lehman Brothers and M.I.T. not be used
- * in advertising or publicity pertaining to distribution of the software
- * without specific, written prior permission. Richard P. Basch,
- * Lehman Brothers and M.I.T. make no representations about the suitability
- * of this software for any purpose. It is provided "as is" without
- * express or implied warranty.
- */
-
-#include "des_int.h"
-#include "f_tables.h"
-
-/*
- * Triple-DES CBC encryption mode.
- */
-
-#undef mit_des3_cbc_encrypt
-int
-mit_des3_cbc_encrypt(const mit_des_cblock *in, mit_des_cblock *out,
- unsigned long length, const mit_des_key_schedule ks1,
- const mit_des_key_schedule ks2,
- const mit_des_key_schedule ks3,
- const mit_des_cblock ivec, int enc)
-{
- if (enc)
- krb5int_des3_cbc_encrypt(in, out, length, ks1, ks2, ks3, ivec);
- else
- krb5int_des3_cbc_decrypt(in, out, length, ks1, ks2, ks3, ivec);
- return 0;
-}
-
-void
-krb5int_des3_cbc_encrypt(const mit_des_cblock *in,
- mit_des_cblock *out,
- unsigned long length,
- const mit_des_key_schedule ks1,
- const mit_des_key_schedule ks2,
- const mit_des_key_schedule ks3,
- const mit_des_cblock ivec)
-{
- unsigned DES_INT32 left, right;
- const unsigned DES_INT32 *kp1, *kp2, *kp3;
- const unsigned char *ip;
- unsigned char *op;
-
- /*
- * Get key pointer here. This won't need to be reinitialized
- */
- kp1 = (const unsigned DES_INT32 *)ks1;
- kp2 = (const unsigned DES_INT32 *)ks2;
- kp3 = (const unsigned DES_INT32 *)ks3;
-
- /*
- * Initialize left and right with the contents of the initial
- * vector.
- */
- ip = ivec;
- GET_HALF_BLOCK(left, ip);
- GET_HALF_BLOCK(right, ip);
-
- /*
- * Suitably initialized, now work the length down 8 bytes
- * at a time.
- */
- ip = *in;
- op = *out;
- while (length > 0) {
- /*
- * Get more input, xor it in. If the length is
- * greater than or equal to 8 this is straight
- * forward. Otherwise we have to fart around.
- */
- if (length >= 8) {
- unsigned DES_INT32 temp;
- GET_HALF_BLOCK(temp, ip);
- left ^= temp;
- GET_HALF_BLOCK(temp, ip);
- right ^= temp;
- length -= 8;
- } else {
- /*
- * Oh, shoot. We need to pad the
- * end with zeroes. Work backwards
- * to do this.
- */
- ip += (int) length;
- switch(length) {
- case 7: right ^= (*(--ip) & FF_UINT32) << 8;
- case 6: right ^= (*(--ip) & FF_UINT32) << 16;
- case 5: right ^= (*(--ip) & FF_UINT32) << 24;
- case 4: left ^= *(--ip) & FF_UINT32;
- case 3: left ^= (*(--ip) & FF_UINT32) << 8;
- case 2: left ^= (*(--ip) & FF_UINT32) << 16;
- case 1: left ^= (*(--ip) & FF_UINT32) << 24;
-
- }
- length = 0;
- }
-
- /*
- * Encrypt what we have
- */
- DES_DO_ENCRYPT(left, right, kp1);
- DES_DO_DECRYPT(left, right, kp2);
- DES_DO_ENCRYPT(left, right, kp3);
-
- /*
- * Copy the results out
- */
- PUT_HALF_BLOCK(left, op);
- PUT_HALF_BLOCK(right, op);
- }
-}
-
-void
-krb5int_des3_cbc_decrypt(const mit_des_cblock *in,
- mit_des_cblock *out,
- unsigned long length,
- const mit_des_key_schedule ks1,
- const mit_des_key_schedule ks2,
- const mit_des_key_schedule ks3,
- const mit_des_cblock ivec)
-{
- unsigned DES_INT32 left, right;
- const unsigned DES_INT32 *kp1, *kp2, *kp3;
- const unsigned char *ip;
- unsigned char *op;
- unsigned DES_INT32 ocipherl, ocipherr;
- unsigned DES_INT32 cipherl, cipherr;
-
- /*
- * Get key pointer here. This won't need to be reinitialized
- */
- kp1 = (const unsigned DES_INT32 *)ks1;
- kp2 = (const unsigned DES_INT32 *)ks2;
- kp3 = (const unsigned DES_INT32 *)ks3;
-
- /*
- * Decrypting is harder than encrypting because of
- * the necessity of remembering a lot more things.
- * Should think about this a little more...
- */
-
- if (length <= 0)
- return;
-
- /*
- * Prime the old cipher with ivec.
- */
- ip = ivec;
- GET_HALF_BLOCK(ocipherl, ip);
- GET_HALF_BLOCK(ocipherr, ip);
-
- /*
- * Now do this in earnest until we run out of length.
- */
- ip = *in;
- op = *out;
- for (;;) { /* check done inside loop */
- /*
- * Read a block from the input into left and
- * right. Save this cipher block for later.
- */
- GET_HALF_BLOCK(left, ip);
- GET_HALF_BLOCK(right, ip);
- cipherl = left;
- cipherr = right;
-
- /*
- * Decrypt this.
- */
- DES_DO_DECRYPT(left, right, kp3);
- DES_DO_ENCRYPT(left, right, kp2);
- DES_DO_DECRYPT(left, right, kp1);
-
- /*
- * Xor with the old cipher to get plain
- * text. Output 8 or less bytes of this.
- */
- left ^= ocipherl;
- right ^= ocipherr;
- if (length > 8) {
- length -= 8;
- PUT_HALF_BLOCK(left, op);
- PUT_HALF_BLOCK(right, op);
- /*
- * Save current cipher block here
- */
- ocipherl = cipherl;
- ocipherr = cipherr;
- } else {
- /*
- * Trouble here. Start at end of output,
- * work backwards.
- */
- op += (int) length;
- switch(length) {
- case 8: *(--op) = (unsigned char) (right & 0xff);
- case 7: *(--op) = (unsigned char) ((right >> 8) & 0xff);
- case 6: *(--op) = (unsigned char) ((right >> 16) & 0xff);
- case 5: *(--op) = (unsigned char) ((right >> 24) & 0xff);
- case 4: *(--op) = (unsigned char) (left & 0xff);
- case 3: *(--op) = (unsigned char) ((left >> 8) & 0xff);
- case 2: *(--op) = (unsigned char) ((left >> 16) & 0xff);
- case 1: *(--op) = (unsigned char) ((left >> 24) & 0xff);
- }
- break; /* we're done */
- }
- }
-}
$(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
$(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
afsstring2key.c des_int.h
-d3_cbc.so d3_cbc.po $(OUTPRE)d3_cbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
- $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h d3_cbc.c des_int.h \
- f_tables.h
d3_aead.so d3_aead.po $(OUTPRE)d3_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \
- $(srcdir)/../../krb/cksumtypes.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
- $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h d3_aead.c des_int.h \
- f_tables.h
+ $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/etypes.h \
+ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ d3_aead.c des_int.h f_tables.h
d3_kysched.so d3_kysched.po $(OUTPRE)d3_kysched.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
f_aead.so f_aead.po $(OUTPRE)f_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \
- $(srcdir)/../../krb/cksumtypes.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
- $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h des_int.h f_aead.c \
- f_tables.h
-f_cbc.so f_cbc.po $(OUTPRE)f_cbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
- $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h des_int.h f_cbc.c \
- f_tables.h
+ $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/etypes.h \
+ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ des_int.h f_aead.c f_tables.h
f_cksum.so f_cksum.po $(OUTPRE)f_cksum.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
$(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
$(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
$(top_srcdir)/include/socket-utils.h des_int.h destest.c
+f_cbc.so f_cbc.po $(OUTPRE)f_cbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
+ $(top_srcdir)/include/socket-utils.h des_int.h f_cbc.c \
+ f_tables.h
+t_verify.so t_verify.po $(OUTPRE)t_verify.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ des_int.h t_verify.c
unsigned long, const mit_des_key_schedule,
const krb5_octet *);
-/* f_ecb.c */
-int mit_des_ecb_encrypt(const mit_des_cblock *, mit_des_cblock *,
- mit_des_key_schedule, int );
-
-/* f_cbc.c */
-int mit_des_cbc_encrypt(const mit_des_cblock *in, mit_des_cblock *out,
- unsigned long length,
- const mit_des_key_schedule schedule,
- const mit_des_cblock ivec, int enc);
+/* f_cbc.c (used by test programs) */
+int
+mit_des_cbc_encrypt(const mit_des_cblock *in, mit_des_cblock *out,
+ unsigned long length, const mit_des_key_schedule schedule,
+ const mit_des_cblock ivec, int enc);
#define mit_des_zeroblock krb5int_c_mit_des_zeroblock
extern const mit_des_cblock mit_des_zeroblock;
extern void test_set(FILE *, const char *, int, const char *, int);
#endif
-/* d3_ecb.c */
-extern int mit_des3_ecb_encrypt(const mit_des_cblock *in, mit_des_cblock *out,
- mit_des_key_schedule sched1,
- mit_des_key_schedule sched2,
- mit_des_key_schedule sched3, int enc);
-
-/* d3_cbc.c */
-extern int mit_des3_cbc_encrypt(const mit_des_cblock *in, mit_des_cblock *out,
- unsigned long length,
- const mit_des_key_schedule ks1,
- const mit_des_key_schedule ks2,
- const mit_des_key_schedule ks3,
- const mit_des_cblock ivec, int enc);
-
void
-krb5int_des3_cbc_encrypt(const mit_des_cblock *in,
- mit_des_cblock *out,
- unsigned long length,
+krb5int_des3_cbc_encrypt(krb5_crypto_iov *data, unsigned long num_data,
const mit_des_key_schedule ks1,
const mit_des_key_schedule ks2,
const mit_des_key_schedule ks3,
- const mit_des_cblock ivec);
+ mit_des_cblock ivec);
+
void
-krb5int_des3_cbc_decrypt(const mit_des_cblock *in,
- mit_des_cblock *out,
- unsigned long length,
+krb5int_des3_cbc_decrypt(krb5_crypto_iov *data, unsigned long num_data,
const mit_des_key_schedule ks1,
const mit_des_key_schedule ks2,
const mit_des_key_schedule ks3,
- const mit_des_cblock ivec);
-
-void
-krb5int_des3_cbc_encrypt_iov(krb5_crypto_iov *data,
- unsigned long num_data,
- const mit_des_key_schedule ks1,
- const mit_des_key_schedule ks2,
- const mit_des_key_schedule ks3,
- mit_des_cblock ivec);
-
-void
-krb5int_des3_cbc_decrypt_iov(krb5_crypto_iov *data,
- unsigned long num_data,
- const mit_des_key_schedule ks1,
- const mit_des_key_schedule ks2,
- const mit_des_key_schedule ks3,
- mit_des_cblock ivec);
-
-#define mit_des3_cbc_encrypt(in,out,length,ks1,ks2,ks3,ivec,enc) \
- ((enc ? krb5int_des3_cbc_encrypt : krb5int_des3_cbc_decrypt) \
- (in, out, length, ks1, ks2, ks3, ivec), 0)
+ mit_des_cblock ivec);
void
-krb5int_des_cbc_encrypt(const mit_des_cblock *in,
- mit_des_cblock *out,
- unsigned long length,
- const mit_des_key_schedule schedule,
- const mit_des_cblock ivec);
-void
-krb5int_des_cbc_decrypt(const mit_des_cblock *in,
- mit_des_cblock *out,
- unsigned long length,
+krb5int_des_cbc_encrypt(krb5_crypto_iov *data, unsigned long num_data,
const mit_des_key_schedule schedule,
- const mit_des_cblock ivec);
-
-#define mit_des_cbc_encrypt(in,out,length,schedule,ivec,enc) \
- ((enc ? krb5int_des_cbc_encrypt : krb5int_des_cbc_decrypt) \
- (in, out, length, schedule, ivec), 0)
-
-void
-krb5int_des_cbc_encrypt_iov(krb5_crypto_iov *data,
- unsigned long num_data,
- const mit_des_key_schedule schedule,
- mit_des_cblock ivec);
+ mit_des_cblock ivec);
void
-krb5int_des_cbc_decrypt_iov(krb5_crypto_iov *data,
- unsigned long num_data,
- const mit_des_key_schedule schedule,
- mit_des_cblock ivec);
+krb5int_des_cbc_decrypt(krb5_crypto_iov *data, unsigned long num_data,
+ const mit_des_key_schedule schedule,
+ mit_des_cblock ivec);
/* d3_procky.c */
krb5_error_code mit_des3_process_key(krb5_encrypt_block *eblock,
#include "f_tables.h"
#include "aead.h"
+const mit_des_cblock mit_des_zeroblock /* = all zero */;
+
void
-krb5int_des_cbc_encrypt_iov(krb5_crypto_iov *data,
- unsigned long num_data,
- const mit_des_key_schedule schedule,
- mit_des_cblock ivec)
+krb5int_des_cbc_encrypt(krb5_crypto_iov *data, unsigned long num_data,
+ const mit_des_key_schedule schedule,
+ mit_des_cblock ivec)
{
unsigned DES_INT32 left, right;
const unsigned DES_INT32 *kp;
}
void
-krb5int_des_cbc_decrypt_iov(krb5_crypto_iov *data,
- unsigned long num_data,
- const mit_des_key_schedule schedule,
- mit_des_cblock ivec)
+krb5int_des_cbc_decrypt(krb5_crypto_iov *data, unsigned long num_data,
+ const mit_des_key_schedule schedule,
+ mit_des_cblock ivec)
{
unsigned DES_INT32 left, right;
const unsigned DES_INT32 *kp;
PUT_HALF_BLOCK(ocipherr, ptr);
}
}
+
+#if defined(CONFIG_SMALL) && !defined(CONFIG_SMALL_NO_CRYPTO)
+void krb5int_des_do_encrypt_2 (unsigned DES_INT32 *left,
+ unsigned DES_INT32 *right,
+ const unsigned DES_INT32 *kp)
+{
+ DES_DO_ENCRYPT_1 (*left, *right, kp);
+}
+
+void krb5int_des_do_decrypt_2 (unsigned DES_INT32 *left,
+ unsigned DES_INT32 *right,
+ const unsigned DES_INT32 *kp)
+{
+ DES_DO_DECRYPT_1 (*left, *right, kp);
+}
+#endif
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*
- * DES implementation donated by Dennis Ferguson
+ * CBC functions; used only by the test programs at this time. (krb5 uses the
+ * functions in f_aead.c instead.)
*/
/*
const mit_des_cblock mit_des_zeroblock /* = all zero */;
-#undef mit_des_cbc_encrypt
-int
-mit_des_cbc_encrypt(const mit_des_cblock *in, mit_des_cblock *out,
- unsigned long length, const mit_des_key_schedule schedule,
- const mit_des_cblock ivec, int enc)
-{
- /*
- * Deal with encryption and decryption separately.
- */
- if (enc)
- krb5int_des_cbc_encrypt(in, out, length, schedule, ivec);
- else
- krb5int_des_cbc_decrypt(in, out, length, schedule, ivec);
- return 0;
-}
-
-void
-krb5int_des_cbc_encrypt(const mit_des_cblock *in,
- mit_des_cblock *out,
- unsigned long length,
- const mit_des_key_schedule schedule,
- const mit_des_cblock ivec)
+static void
+des_cbc_encrypt(const mit_des_cblock *in, mit_des_cblock *out,
+ unsigned long length, const mit_des_key_schedule schedule,
+ const mit_des_cblock ivec)
{
unsigned DES_INT32 left, right;
const unsigned DES_INT32 *kp;
}
}
-void
-krb5int_des_cbc_decrypt(const mit_des_cblock *in,
- mit_des_cblock *out,
- unsigned long length,
- const mit_des_key_schedule schedule,
- const mit_des_cblock ivec)
+static void
+des_cbc_decrypt(const mit_des_cblock *in, mit_des_cblock *out,
+ unsigned long length, const mit_des_key_schedule schedule,
+ const mit_des_cblock ivec)
{
unsigned DES_INT32 left, right;
const unsigned DES_INT32 *kp;
}
}
-#if defined(CONFIG_SMALL) && !defined(CONFIG_SMALL_NO_CRYPTO)
-void krb5int_des_do_encrypt_2 (unsigned DES_INT32 *left,
- unsigned DES_INT32 *right,
- const unsigned DES_INT32 *kp)
-{
- DES_DO_ENCRYPT_1 (*left, *right, kp);
-}
-
-void krb5int_des_do_decrypt_2 (unsigned DES_INT32 *left,
- unsigned DES_INT32 *right,
- const unsigned DES_INT32 *kp)
+int
+mit_des_cbc_encrypt(const mit_des_cblock *in, mit_des_cblock *out,
+ unsigned long length, const mit_des_key_schedule schedule,
+ const mit_des_cblock ivec, int enc)
{
- DES_DO_DECRYPT_1 (*left, *right, kp);
+ /*
+ * Deal with encryption and decryption separately.
+ */
+ if (enc)
+ des_cbc_encrypt(in, out, length, schedule, ivec);
+ else
+ des_cbc_decrypt(in, out, length, schedule, ivec);
+ return 0;
}
-#endif
}
krb5_error_code
-krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output)
-{
- aes_ctx ctx;
- unsigned char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE];
- int nblocks = 0, blockno;
- const unsigned char *idata = (const unsigned char *) input->data;
- unsigned char *odata = (unsigned char *) output->data;
-
-/* CHECK_SIZES; */
-
- if (aes_enc_key(key->keyblock.contents, key->keyblock.length,
- &ctx) != aes_good)
- abort();
-
- if (ivec)
- memcpy(tmp, ivec->data, BLOCK_SIZE);
- else
- memset(tmp, 0, BLOCK_SIZE);
-
- nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE;
-
- if (nblocks == 1) {
- /* XXX Used for DK function. */
- enc(odata, idata, &ctx);
- } else {
- unsigned int nleft;
-
- for (blockno = 0; blockno < nblocks - 2; blockno++) {
- xorblock(tmp, idata + blockno * BLOCK_SIZE);
- enc(tmp2, tmp, &ctx);
- memcpy(odata + blockno * BLOCK_SIZE, tmp2, BLOCK_SIZE);
-
- /* Set up for next block. */
- memcpy(tmp, tmp2, BLOCK_SIZE);
- }
- /* Do final CTS step for last two blocks (the second of which
- may or may not be incomplete). */
- xorblock(tmp, idata + (nblocks - 2) * BLOCK_SIZE);
- enc(tmp2, tmp, &ctx);
- nleft = input->length - (nblocks - 1) * BLOCK_SIZE;
- memcpy(odata + (nblocks - 1) * BLOCK_SIZE, tmp2, nleft);
- memcpy(tmp, tmp2, BLOCK_SIZE);
-
- memset(tmp3, 0, sizeof(tmp3));
- memcpy(tmp3, idata + (nblocks - 1) * BLOCK_SIZE, nleft);
- xorblock(tmp, tmp3);
- enc(tmp2, tmp, &ctx);
- memcpy(odata + (nblocks - 2) * BLOCK_SIZE, tmp2, BLOCK_SIZE);
- if (ivec)
- memcpy(ivec->data, tmp2, BLOCK_SIZE);
- }
-
- return 0;
-}
-
-krb5_error_code
-krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output)
-{
- aes_ctx ctx;
- unsigned char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE];
- int nblocks = 0, blockno;
- const unsigned char *idata = (const unsigned char *) input->data;
- unsigned char *odata = (unsigned char *) output->data;
-
- CHECK_SIZES;
-
- if (aes_dec_key(key->keyblock.contents, key->keyblock.length,
- &ctx) != aes_good)
- abort();
-
- if (ivec)
- memcpy(tmp, ivec->data, BLOCK_SIZE);
- else
- memset(tmp, 0, BLOCK_SIZE);
-
- nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE;
-
- if (nblocks == 1) {
- if (input->length < BLOCK_SIZE)
- abort();
- dec(odata, idata, &ctx);
- } else {
-
- for (blockno = 0; blockno < nblocks - 2; blockno++) {
- dec(tmp2, idata + blockno * BLOCK_SIZE, &ctx);
- xorblock(tmp2, tmp);
- memcpy(odata + blockno * BLOCK_SIZE, tmp2, BLOCK_SIZE);
- memcpy(tmp, idata + blockno * BLOCK_SIZE, BLOCK_SIZE);
- }
- /* Do last two blocks, the second of which (next-to-last block
- of plaintext) may be incomplete. */
- dec(tmp2, idata + (nblocks - 2) * BLOCK_SIZE, &ctx);
- /* Set tmp3 to last ciphertext block, padded. */
- memset(tmp3, 0, sizeof(tmp3));
- memcpy(tmp3, idata + (nblocks - 1) * BLOCK_SIZE,
- input->length - (nblocks - 1) * BLOCK_SIZE);
- /* Set tmp2 to last (possibly partial) plaintext block, and
- save it. */
- xorblock(tmp2, tmp3);
- memcpy(odata + (nblocks - 1) * BLOCK_SIZE, tmp2,
- input->length - (nblocks - 1) * BLOCK_SIZE);
- /* Maybe keep the trailing part, and copy in the last
- ciphertext block. */
- memcpy(tmp2, tmp3, input->length - (nblocks - 1) * BLOCK_SIZE);
- /* Decrypt, to get next to last plaintext block xor previous
- ciphertext. */
- dec(tmp3, tmp2, &ctx);
- xorblock(tmp3, tmp);
- memcpy(odata + (nblocks - 2) * BLOCK_SIZE, tmp3, BLOCK_SIZE);
- if (ivec)
- memcpy(ivec->data, idata + (nblocks - 2) * BLOCK_SIZE, BLOCK_SIZE);
- }
-
- return 0;
-}
-
-static krb5_error_code
-krb5int_aes_encrypt_iov(krb5_key key,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
+ size_t num_data)
{
aes_ctx ctx;
unsigned char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE];
int nblocks = 0, blockno;
size_t input_length, i;
+ struct iov_block_state input_pos, output_pos;
if (aes_enc_key(key->keyblock.contents, key->keyblock.length, &ctx)
!= aes_good)
input_length += iov->data.length;
}
- nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
-
- assert(nblocks > 1);
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
- {
+ nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
+ if (nblocks == 1) {
+ krb5int_c_iov_get_block(tmp, BLOCK_SIZE, data, num_data, &input_pos);
+ enc(tmp2, tmp, &ctx);
+ krb5int_c_iov_put_block(data, num_data, tmp2, BLOCK_SIZE, &output_pos);
+ } else if (nblocks > 1) {
unsigned char blockN2[BLOCK_SIZE]; /* second last */
unsigned char blockN1[BLOCK_SIZE]; /* last block */
- struct iov_block_state input_pos, output_pos;
-
- IOV_BLOCK_STATE_INIT(&input_pos);
- IOV_BLOCK_STATE_INIT(&output_pos);
for (blockno = 0; blockno < nblocks - 2; blockno++) {
unsigned char blockN[BLOCK_SIZE], *block;
return 0;
}
-static krb5_error_code
-krb5int_aes_decrypt_iov(krb5_key key,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+krb5_error_code
+krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
+ size_t num_data)
{
aes_ctx ctx;
unsigned char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE];
int nblocks = 0, blockno;
unsigned int i;
size_t input_length;
+ struct iov_block_state input_pos, output_pos;
CHECK_SIZES;
input_length += iov->data.length;
}
- nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
-
- assert(nblocks > 1);
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
- {
+ nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
+ if (nblocks == 1) {
+ krb5int_c_iov_get_block(tmp, BLOCK_SIZE, data, num_data, &input_pos);
+ enc(tmp2, tmp, &ctx);
+ krb5int_c_iov_put_block(data, num_data, tmp2, BLOCK_SIZE, &output_pos);
+ } else if (nblocks > 1) {
unsigned char blockN2[BLOCK_SIZE]; /* second last */
unsigned char blockN1[BLOCK_SIZE]; /* last block */
- struct iov_block_state input_pos, output_pos;
-
- IOV_BLOCK_STATE_INIT(&input_pos);
- IOV_BLOCK_STATE_INIT(&output_pos);
for (blockno = 0; blockno < nblocks - 2; blockno++) {
unsigned char blockN[BLOCK_SIZE], *block;
}
static krb5_error_code
-krb5int_aes_init_state (const krb5_keyblock *key, krb5_keyusage usage,
- krb5_data *state)
+aes_init_state(const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_data *state)
{
state->length = 16;
state->data = malloc(16);
krb5int_aes_encrypt,
krb5int_aes_decrypt,
krb5int_aes_make_key,
- krb5int_aes_init_state,
+ aes_init_state,
krb5int_default_free_state,
- krb5int_aes_encrypt_iov,
- krb5int_aes_decrypt_iov
};
const struct krb5_enc_provider krb5int_enc_aes256 = {
krb5int_aes_encrypt,
krb5int_aes_decrypt,
krb5int_aes_make_key,
- krb5int_aes_init_state,
- krb5int_default_free_state,
- krb5int_aes_encrypt_iov,
- krb5int_aes_decrypt_iov
+ aes_init_state,
+ krb5int_default_free_state
};
des.so des.po $(OUTPRE)des.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \
- $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/rand2key/rand2key.h \
- $(srcdir)/../des/des_int.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
- $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h des.c enc_provider.h
+ $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/etypes.h \
+ $(srcdir)/../../krb/rand2key/rand2key.h $(srcdir)/../des/des_int.h \
+ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ des.c enc_provider.h
des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \
- $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/rand2key/rand2key.h \
- $(srcdir)/../des/des_int.h $(top_srcdir)/include/k5-buf.h \
+ $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/etypes.h \
+ $(srcdir)/../../krb/rand2key/rand2key.h $(srcdir)/../des/des_int.h \
+ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ des3.c
+aes.so aes.po $(OUTPRE)aes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \
+ $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/etypes.h \
+ $(srcdir)/../../krb/rand2key/rand2key.h $(srcdir)/../aes/aes.h \
+ $(srcdir)/../aes/uitypes.h $(top_srcdir)/include/k5-buf.h \
$(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
$(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
$(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
$(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
$(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
$(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h des3.c
-aes.so aes.po $(OUTPRE)aes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(top_srcdir)/include/socket-utils.h aes.c enc_provider.h
+rc4.so rc4.po $(OUTPRE)rc4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \
- $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/rand2key/rand2key.h \
- $(srcdir)/../aes/aes.h $(srcdir)/../aes/uitypes.h $(top_srcdir)/include/k5-buf.h \
+ $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/etypes.h \
+ $(srcdir)/../../krb/rand2key/rand2key.h $(top_srcdir)/include/k5-buf.h \
$(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
$(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
$(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
$(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
$(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
$(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h aes.c enc_provider.h
-rc4.so rc4.po $(OUTPRE)rc4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \
- $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/rand2key/rand2key.h \
- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- enc_provider.h rc4.c
+ $(top_srcdir)/include/socket-utils.h enc_provider.h \
+ rc4.c
static krb5_error_code
-k5_des_docrypt(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output, int enc)
-{
- mit_des_key_schedule schedule;
-
- /* key->keyblock.enctype was checked by the caller */
-
- if (key->keyblock.length != 8)
- return(KRB5_BAD_KEYSIZE);
- if ((input->length%8) != 0)
- return(KRB5_BAD_MSIZE);
- if (ivec && (ivec->length != 8))
- return(KRB5_BAD_MSIZE);
- if (input->length != output->length)
- return(KRB5_BAD_MSIZE);
-
- switch (mit_des_key_sched(key->keyblock.contents, schedule)) {
- case -1:
- return(KRB5DES_BAD_KEYPAR);
- case -2:
- return(KRB5DES_WEAK_KEY);
- }
-
- /* this has a return value, but the code always returns zero */
-
- mit_des_cbc_encrypt((krb5_pointer) input->data,
- (krb5_pointer) output->data, input->length,
- schedule,
- (ivec
- ? (const unsigned char *) ivec->data
- : (const unsigned char *) mit_des_zeroblock),
- enc);
-
- memset(schedule, 0, sizeof(schedule));
-
- return(0);
-}
-
-static krb5_error_code
-k5_des_encrypt(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output)
-{
- return(k5_des_docrypt(key, ivec, input, output, 1));
-}
-
-static krb5_error_code
-k5_des_decrypt(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output)
-{
- return(k5_des_docrypt(key, ivec, input, output, 0));
-}
-
-static krb5_error_code
-k5_des_docrypt_iov(krb5_key key, const krb5_data *ivec,
- krb5_crypto_iov *data, size_t num_data, int enc)
+k5_des_docrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
+ size_t num_data, int enc)
{
mit_des_key_schedule schedule;
size_t input_length = 0;
unsigned int i;
+ unsigned char *ivecbytes;
/* key->keyblock.enctype was checked by the caller */
}
/* this has a return value, but the code always returns zero */
+ ivecbytes = ivec ? (unsigned char *) ivec->data : NULL;
if (enc)
- krb5int_des_cbc_encrypt_iov(data, num_data, schedule, ivec ? ivec->data : NULL);
+ krb5int_des_cbc_encrypt(data, num_data, schedule, ivecbytes);
else
- krb5int_des_cbc_decrypt_iov(data, num_data, schedule, ivec ? ivec->data : NULL);
+ krb5int_des_cbc_decrypt(data, num_data, schedule, ivecbytes);
memset(schedule, 0, sizeof(schedule));
}
static krb5_error_code
-k5_des_encrypt_iov(krb5_key key,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+k5_des_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
+ size_t num_data)
{
- return k5_des_docrypt_iov(key, ivec, data, num_data, 1);
+ return k5_des_docrypt(key, ivec, data, num_data, 1);
}
static krb5_error_code
-k5_des_decrypt_iov(krb5_key key,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+k5_des_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
+ size_t num_data)
{
- return k5_des_docrypt_iov(key, ivec, data, num_data, 0);
+ return k5_des_docrypt(key, ivec, data, num_data, 0);
}
const struct krb5_enc_provider krb5int_enc_des = {
k5_des_decrypt,
krb5int_des_make_key,
krb5int_des_init_state,
- krb5int_default_free_state,
- k5_des_encrypt_iov,
- k5_des_decrypt_iov
+ krb5int_default_free_state
};
}
static krb5_error_code
-k5_des3_encrypt(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output)
-{
- mit_des3_key_schedule schedule;
- krb5_error_code err;
-
- err = validate_and_schedule(key, ivec, input, output, &schedule);
- if (err)
- return err;
-
- /* this has a return value, but the code always returns zero */
- krb5int_des3_cbc_encrypt((krb5_pointer) input->data,
- (krb5_pointer) output->data, input->length,
- schedule[0], schedule[1], schedule[2],
- ivec?(const unsigned char *) ivec->data:(const unsigned char *)mit_des_zeroblock);
-
- zap(schedule, sizeof(schedule));
-
- return(0);
-}
-
-static krb5_error_code
-k5_des3_decrypt(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output)
-{
- mit_des3_key_schedule schedule;
- krb5_error_code err;
-
- err = validate_and_schedule(key, ivec, input, output, &schedule);
- if (err)
- return err;
-
- /* this has a return value, but the code always returns zero */
- krb5int_des3_cbc_decrypt((krb5_pointer) input->data,
- (krb5_pointer) output->data, input->length,
- schedule[0], schedule[1], schedule[2],
- ivec?(const unsigned char *) ivec->data:(const unsigned char *)mit_des_zeroblock);
-
- zap(schedule, sizeof(schedule));
-
- return(0);
-}
-
-static krb5_error_code
-k5_des3_encrypt_iov(krb5_key key,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+k5_des3_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
+ size_t num_data)
{
mit_des3_key_schedule schedule;
krb5_error_code err;
return err;
/* this has a return value, but the code always returns zero */
- krb5int_des3_cbc_encrypt_iov(data, num_data,
- schedule[0], schedule[1], schedule[2],
- ivec != NULL ? (unsigned char *) ivec->data : NULL);
+ krb5int_des3_cbc_encrypt(data, num_data,
+ schedule[0], schedule[1], schedule[2],
+ ivec != NULL ? (unsigned char *) ivec->data :
+ NULL);
zap(schedule, sizeof(schedule));
}
static krb5_error_code
-k5_des3_decrypt_iov(krb5_key key,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+k5_des3_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
+ size_t num_data)
{
mit_des3_key_schedule schedule;
krb5_error_code err;
return err;
/* this has a return value, but the code always returns zero */
- krb5int_des3_cbc_decrypt_iov(data, num_data,
- schedule[0], schedule[1], schedule[2],
- ivec != NULL ? (unsigned char *) ivec->data : NULL);
+ krb5int_des3_cbc_decrypt(data, num_data,
+ schedule[0], schedule[1], schedule[2],
+ ivec != NULL ? (unsigned char *) ivec->data :
+ NULL);
zap(schedule, sizeof(schedule));
- return(0);
+ return 0;
}
const struct krb5_enc_provider krb5int_enc_des3 = {
k5_des3_decrypt,
krb5int_des3_make_key,
krb5int_des_init_state,
- krb5int_default_free_state,
- k5_des3_encrypt_iov,
- k5_des3_decrypt_iov
+ krb5int_default_free_state
};
static void k5_arcfour_crypt(ArcfourContext *ctx, unsigned char *dest,
const unsigned char *src, unsigned int len);
-/* Interface layer to kerb5 crypto layer */
-static krb5_error_code
-k5_arcfour_docrypt(krb5_key, const krb5_data *,
- const krb5_data *, krb5_data *);
-
static const unsigned char arcfour_weakkey1[] = {0x00, 0x00, 0xfd};
static const unsigned char arcfour_weakkey2[] = {0x03, 0xfd, 0xfc};
static const struct {
}
-/* The workhorse of the arcfour system, this impliments the cipher */
-static krb5_error_code
-k5_arcfour_docrypt(krb5_key key, const krb5_data *state,
- const krb5_data *input, krb5_data *output)
-{
- ArcfourContext *arcfour_ctx;
- ArcFourCipherState *cipher_state;
- int ret;
-
- if (key->keyblock.length != 16)
- return(KRB5_BAD_KEYSIZE);
- if (state && (state->length != sizeof (ArcFourCipherState)))
- return(KRB5_BAD_MSIZE);
- if (input->length != output->length)
- return(KRB5_BAD_MSIZE);
-
- if (state) {
- cipher_state = (ArcFourCipherState *) state->data;
- arcfour_ctx=&cipher_state->ctx;
- if (cipher_state->initialized == 0) {
- if ((ret=k5_arcfour_init(arcfour_ctx, key->keyblock.contents,
- key->keyblock.length))) {
- return ret;
- }
- cipher_state->initialized = 1;
- }
- k5_arcfour_crypt(arcfour_ctx, (unsigned char *) output->data, (const unsigned char *) input->data, input->length);
- }
- else {
- arcfour_ctx=malloc(sizeof (ArcfourContext));
- if (arcfour_ctx == NULL)
- return ENOMEM;
- if ((ret=k5_arcfour_init(arcfour_ctx, key->keyblock.contents,
- key->keyblock.length))) {
- free(arcfour_ctx);
- return (ret);
- }
- k5_arcfour_crypt(arcfour_ctx, (unsigned char * ) output->data,
- (const unsigned char * ) input->data, input->length);
- memset(arcfour_ctx, 0, sizeof (ArcfourContext));
- free(arcfour_ctx);
- }
-
- return 0;
-}
-
-/* In-place encryption */
static krb5_error_code
-k5_arcfour_docrypt_iov(krb5_key key,
- const krb5_data *state,
- krb5_crypto_iov *data,
- size_t num_data)
+k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
+ size_t num_data)
{
ArcfourContext *arcfour_ctx = NULL;
ArcFourCipherState *cipher_state = NULL;
k5_arcfour_docrypt,
krb5int_arcfour_make_key,
k5_arcfour_init_state, /*xxx not implemented yet*/
- krb5int_default_free_state,
- k5_arcfour_docrypt_iov,
- k5_arcfour_docrypt_iov
+ krb5int_default_free_state
};
static krb5_keyblock enc_key;
static krb5_data ivec;
-static krb5_data in, out;
static void init()
{
enc_key.contents = key;
enc_key.length = 16;
ivec.data = zero;
ivec.length = 16;
- in.data = plain;
- in.length = 16;
- out.data = cipher;
- out.length = 16;
}
static void enc()
{
- krb5_key key;
+ krb5_key k;
+ krb5_crypto_iov iov;
- krb5_k_create_key(NULL, &enc_key, &key);
- krb5int_aes_encrypt(key, &ivec, &in, &out);
- krb5_k_free_key(NULL, key);
+ memcpy(cipher, plain, 16);
+ iov.flags = KRB5_CRYPTO_TYPE_DATA;
+ iov.data = make_data(cipher, 16);
+ krb5_k_create_key(NULL, &enc_key, &k);
+ krb5int_aes_encrypt(k, &ivec, &iov, 1);
+ krb5_k_free_key(NULL, k);
}
static void hexdump(const char *label, const char *cp, int len)
static const int lengths[] = { 17, 31, 32, 47, 48, 64 };
int i;
- char outbuf[64], encivbuf[16], decivbuf[16], outbuf2[64];
- krb5_data in, out, enciv, deciv, out2;
+ char outbuf[64], encivbuf[16], decivbuf[16];
+ krb5_crypto_iov iov;
+ krb5_data in, enciv, deciv;
krb5_keyblock keyblock;
krb5_key key;
krb5_error_code err;
+ iov.flags = KRB5_CRYPTO_TYPE_DATA;
+ iov.data.data = outbuf;
in.data = input;
- out.data = outbuf;
- out2.data = outbuf2;
enciv.length = deciv.length = 16;
enciv.data = encivbuf;
deciv.data = decivbuf;
memset(deciv.data, 0, 16);
printf("\n");
- in.length = out.length = lengths[i];
+ iov.data.length = in.length = lengths[i];
+ memcpy(outbuf, input, lengths[i]);
printd("IV", &enciv);
- err = krb5int_aes_encrypt(key, &enciv, &in, &out);
+ err = krb5int_aes_encrypt(key, &enciv, &iov, 1);
if (err) {
printf("error %ld from krb5int_aes_encrypt\n", (long)err);
exit(1);
}
printd("Input", &in);
- printd("Output", &out);
+ printd("Output", &iov.data);
printd("Next IV", &enciv);
- out2.length = out.length;
- err = krb5int_aes_decrypt(key, &deciv, &out, &out2);
+ err = krb5int_aes_decrypt(key, &deciv, &iov, 1);
if (err) {
printf("error %ld from krb5int_aes_decrypt\n", (long)err);
exit(1);
}
- if (!data_eq(out2, in)) {
- printd("Decryption result DOESN'T MATCH", &out2);
+ if (memcmp(outbuf, input, lengths[i]) != 0) {
+ printd("Decryption result DOESN'T MATCH", &iov.data);
exit(1);
}
if (memcmp(enciv.data, deciv.data, 16)) {
#include "aead.h"
krb5_crypto_iov *
-krb5int_c_locate_iov(krb5_crypto_iov *data,
- size_t num_data,
+krb5int_c_locate_iov(krb5_crypto_iov *data, size_t num_data,
krb5_cryptotype type)
{
size_t i;
}
krb5_error_code
-krb5int_c_iov_decrypt_stream(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key,
- krb5_keyusage keyusage,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+krb5int_c_iov_decrypt_stream(const struct krb5_keytypes *ktp, krb5_key key,
+ krb5_keyusage keyusage, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
{
krb5_error_code ret;
- unsigned int header_len, trailer_len, padding_len;
+ unsigned int header_len, trailer_len;
krb5_crypto_iov *iov;
krb5_crypto_iov *stream;
size_t i, j;
stream = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_STREAM);
assert(stream != NULL);
- ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_HEADER,
- &header_len);
- if (ret != 0)
- return ret;
-
- ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER,
- &trailer_len);
- if (ret != 0)
- return ret;
-
- ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING,
- &padding_len);
- if (ret != 0)
- return ret;
+ header_len = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_HEADER);
+ trailer_len = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_TRAILER);
if (stream->data.length < header_len + trailer_len)
return KRB5_BAD_MSIZE;
i = 0;
iov[i].flags = KRB5_CRYPTO_TYPE_HEADER; /* takes place of STREAM */
- iov[i].data.data = stream->data.data;
- iov[i].data.length = header_len;
+ iov[i].data = make_data(stream->data.data, header_len);
i++;
for (j = 0; j < num_data; j++) {
iov[i++] = data[j];
}
- /*
- * XXX not self-describing with respect to length, this is the best
- * we can do.
- */
+ /* Use empty padding since tokens don't indicate the padding length. */
iov[i].flags = KRB5_CRYPTO_TYPE_PADDING;
- iov[i].data.data = NULL;
- iov[i].data.length = 0;
+ iov[i].data = empty_data();
i++;
iov[i].flags = KRB5_CRYPTO_TYPE_TRAILER;
- iov[i].data.data = stream->data.data + stream->data.length - trailer_len;
- iov[i].data.length = trailer_len;
+ iov[i].data = make_data(stream->data.data + stream->data.length -
+ trailer_len, trailer_len);
i++;
assert(i <= num_data + 2);
- ret = (*aead->decrypt_iov)(aead, enc, hash, key, keyusage, ivec, iov, i);
-
+ ret = ktp->decrypt(ktp, key, keyusage, ivec, iov, i);
free(iov);
-
return ret;
}
-krb5_error_code
-krb5int_c_padding_length(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- size_t data_length,
- unsigned int *pad_length)
+unsigned int
+krb5int_c_padding_length(const struct krb5_keytypes *ktp, size_t data_length)
{
unsigned int header, padding;
- krb5_error_code ret;
/*
* Add in the header length since the header is encrypted along with the
* enctype using a similar token format and a block cipher, we will have to
* move this logic into an enctype-dependent function.)
*/
- ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_HEADER,
- &header);
- if (ret != 0)
- return ret;
+ header = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_HEADER);
data_length += header;
- ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING,
- &padding);
- if (ret != 0)
- return ret;
-
+ padding = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_PADDING);
if (padding == 0 || (data_length % padding) == 0)
- *pad_length = 0;
- else
- *pad_length = padding - (data_length % padding);
-
- return 0;
-}
-
-krb5_error_code
-krb5int_c_encrypt_aead_compat(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage usage,
- const krb5_data *ivec, const krb5_data *input,
- krb5_data *output)
-{
- krb5_crypto_iov iov[4];
- krb5_error_code ret;
- unsigned int header_len = 0;
- unsigned int padding_len = 0;
- unsigned int trailer_len = 0;
-
- ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_HEADER,
- &header_len);
- if (ret != 0)
- return ret;
-
- ret = krb5int_c_padding_length(aead, enc, hash, input->length,
- &padding_len);
- if (ret != 0)
- return ret;
-
- ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER,
- &trailer_len);
- if (ret != 0)
- return ret;
-
- if (output->length <
- header_len + input->length + padding_len + trailer_len)
- return KRB5_BAD_MSIZE;
-
- iov[0].flags = KRB5_CRYPTO_TYPE_HEADER;
- iov[0].data.data = output->data;
- iov[0].data.length = header_len;
-
- iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
- iov[1].data.data = iov[0].data.data + iov[0].data.length;
- iov[1].data.length = input->length;
- memcpy(iov[1].data.data, input->data, input->length);
-
- iov[2].flags = KRB5_CRYPTO_TYPE_PADDING;
- iov[2].data.data = iov[1].data.data + iov[1].data.length;
- iov[2].data.length = padding_len;
-
- iov[3].flags = KRB5_CRYPTO_TYPE_TRAILER;
- iov[3].data.data = iov[2].data.data + iov[2].data.length;
- iov[3].data.length = trailer_len;
-
- ret = (*aead->encrypt_iov)(aead, enc, hash, key, usage, ivec,
- iov, sizeof(iov) / sizeof(iov[0]));
-
- if (ret != 0)
- zap(iov[1].data.data, iov[1].data.length);
-
- output->length = iov[0].data.length + iov[1].data.length +
- iov[2].data.length + iov[3].data.length;
-
- return ret;
-}
-
-krb5_error_code
-krb5int_c_decrypt_aead_compat(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage usage,
- const krb5_data *ivec, const krb5_data *input,
- krb5_data *output)
-{
- krb5_crypto_iov iov[4];
- krb5_error_code ret;
- unsigned int header_len = 0, trailer_len = 0, plain_len;
- char *scratch = NULL;
-
- ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_HEADER,
- &header_len);
- if (ret != 0)
- return ret;
-
- ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER,
- &trailer_len);
- if (ret != 0)
- return ret;
-
- if (input->length < header_len + trailer_len)
- return KRB5_BAD_MSIZE;
- plain_len = input->length - header_len - trailer_len;
- if (output->length < input->length - header_len - trailer_len)
- return KRB5_BAD_MSIZE;
-
- scratch = k5alloc(header_len + trailer_len, &ret);
- if (scratch == NULL)
- return ret;
-
- iov[0].flags = KRB5_CRYPTO_TYPE_HEADER;
- iov[0].data = make_data(scratch, header_len);
- memcpy(iov[0].data.data, input->data, header_len);
-
- iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
- iov[1].data = make_data(output->data, plain_len);
- memcpy(iov[1].data.data, input->data + header_len, plain_len);
-
- /* Use empty padding since tokens don't indicate the padding length. */
- iov[2].flags = KRB5_CRYPTO_TYPE_PADDING;
- iov[2].data = empty_data();
-
- iov[3].flags = KRB5_CRYPTO_TYPE_TRAILER;
- iov[3].data = make_data(scratch + header_len, trailer_len);
- memcpy(iov[3].data.data, input->data + header_len + plain_len,
- trailer_len);
-
- ret = (*aead->decrypt_iov)(aead, enc, hash, key, usage, ivec,
- iov, sizeof(iov) / sizeof(iov[0]));
- if (ret != 0)
- zap(output->data, plain_len);
+ return 0;
else
- output->length = plain_len;
-
- zapfree(scratch, header_len + trailer_len);
- return ret;
-}
-
-void
-krb5int_c_encrypt_length_aead_compat(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- size_t inputlen, size_t *length)
-{
- unsigned int header_len = 0;
- unsigned int padding_len = 0;
- unsigned int trailer_len = 0;
-
- (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_HEADER,
- &header_len);
- krb5int_c_padding_length(aead, enc, hash, inputlen, &padding_len);
- (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER,
- &trailer_len);
-
- *length = header_len + inputlen + padding_len + trailer_len;
+ return padding - (data_length % padding);
}
#include "k5-int.h"
#include "cksumtypes.h"
+#include "etypes.h"
/* AEAD helpers */
struct iov_block_state *iov_state);
krb5_error_code
-krb5int_c_iov_decrypt_stream(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key,
- krb5_keyusage keyusage,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data);
+krb5int_c_iov_decrypt_stream(const struct krb5_keytypes *ktp, krb5_key key,
+ krb5_keyusage keyusage, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data);
-krb5_error_code
-krb5int_c_decrypt_aead_compat(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage usage,
- const krb5_data *ivec, const krb5_data *input,
- krb5_data *output);
-
-krb5_error_code
-krb5int_c_encrypt_aead_compat(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage usage,
- const krb5_data *ivec, const krb5_data *input,
- krb5_data *output);
-
-void
-krb5int_c_encrypt_length_aead_compat(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- size_t inputlen, size_t *length);
-
-krb5_error_code
-krb5int_c_padding_length(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- size_t data_length,
- unsigned int *pad_length);
+unsigned int
+krb5int_c_padding_length(const struct krb5_keytypes *ktp, size_t data_length);
/*
* Returns an alias into the current buffer if the next block is fully
const char l40[] = "fortybits";
-void
-krb5int_arcfour_encrypt_length(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- size_t inputlen, size_t *length)
-{
- /* checksum + (confounder + inputlen, in even blocksize) */
- *length = hash->hashsize + krb5_roundup(8 + inputlen, enc->block_size);
-}
-
krb5_keyusage
krb5int_arcfour_translate_usage(krb5_keyusage usage)
{
krb5int_c_free_keyblock(NULL, trunc_keyblock);
return ret;
}
-
-krb5_error_code
-krb5int_arcfour_encrypt(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage usage,
- const krb5_data *ivec, const krb5_data *input,
- krb5_data *output)
-{
- krb5_keyblock *usage_keyblock = NULL, *enc_keyblock = NULL;
- krb5_key enc_key;
- krb5_data plaintext = empty_data();
- krb5_data checksum, ciphertext, confounder;
- krb5_error_code ret;
- unsigned int plainlen;
-
- /* Allocate buffers. */
- plainlen = krb5_roundup(input->length + CONFOUNDERLENGTH, enc->block_size);
- ret = alloc_data(&plaintext, plainlen);
- if (ret != 0)
- goto cleanup;
- ret = krb5int_c_init_keyblock(NULL, key->keyblock.enctype, enc->keybytes,
- &usage_keyblock);
- if (ret != 0)
- goto cleanup;
- ret = krb5int_c_init_keyblock(NULL, key->keyblock.enctype, enc->keybytes,
- &enc_keyblock);
- if (ret != 0)
- goto cleanup;
-
- /* Set up subsets of output and plaintext. */
- checksum = make_data(output->data, hash->hashsize);
- ciphertext = make_data(output->data + hash->hashsize, plainlen);
- confounder = make_data(plaintext.data, CONFOUNDERLENGTH);
-
- /* Derive a usage key from the session key and usage. */
- ret = krb5int_arcfour_usage_key(enc, hash, &key->keyblock, usage,
- usage_keyblock);
- if (ret != 0)
- goto cleanup;
-
- /* Compose a confounder with the input data to form the plaintext. */
- ret = krb5_c_random_make_octets(NULL, &confounder);
- memcpy(plaintext.data + confounder.length, input->data, input->length);
- if (ret)
- goto cleanup;
-
- /* Compute HMAC(usage key, plaintext) to get the checksum. */
- ret = krb5int_hmac_keyblock(hash, usage_keyblock, 1, &plaintext,
- &checksum);
- if (ret)
- goto cleanup;
-
- /* Derive the encryption key from the usage key and checksum. */
- ret = krb5int_arcfour_enc_key(enc, hash, usage_keyblock, &checksum,
- enc_keyblock);
- if (ret)
- goto cleanup;
-
- /* Encrypt the plaintext. */
- ret = krb5_k_create_key(NULL, enc_keyblock, &enc_key);
- if (ret)
- goto cleanup;
- ret = (*enc->encrypt)(enc_key, ivec, &plaintext, &ciphertext);
- krb5_k_free_key(NULL, enc_key);
- if (ret)
- goto cleanup;
-
- output->length = plainlen + hash->hashsize;
-
-cleanup:
- krb5int_c_free_keyblock(NULL, usage_keyblock);
- krb5int_c_free_keyblock(NULL, enc_keyblock);
- zapfree(plaintext.data, plaintext.length);
- return ret;
-}
-
-krb5_error_code
-krb5int_arcfour_decrypt(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage usage,
- const krb5_data *ivec, const krb5_data *input,
- krb5_data *output)
-{
- krb5_keyblock *usage_keyblock = NULL, *enc_keyblock = NULL;
- krb5_data plaintext = empty_data(), comp_checksum = empty_data();
- krb5_data checksum, ciphertext;
- krb5_key enc_key;
- krb5_error_code ret;
-
- /* Set up subsets of input. */
- checksum = make_data(input->data, hash->hashsize);
- ciphertext = make_data(input->data + hash->hashsize,
- input->length - hash->hashsize);
-
- /* Allocate buffers. */
- ret = alloc_data(&plaintext, ciphertext.length);
- if (ret != 0)
- goto cleanup;
- ret = alloc_data(&comp_checksum, hash->hashsize);
- if (ret != 0)
- goto cleanup;
- ret = krb5int_c_init_keyblock(NULL, key->keyblock.enctype, enc->keybytes,
- &usage_keyblock);
- if (ret != 0)
- goto cleanup;
- ret = krb5int_c_init_keyblock(NULL, key->keyblock.enctype, enc->keybytes,
- &enc_keyblock);
- if (ret != 0)
- goto cleanup;
-
- /* We may have to try two usage values; see below. */
- do {
- /* Derive a usage key from the session key and usage. */
- ret = krb5int_arcfour_usage_key(enc, hash, &key->keyblock, usage,
- usage_keyblock);
- if (ret != 0)
- goto cleanup;
-
- /* Derive the encryption key from the usage key and checksum. */
- ret = krb5int_arcfour_enc_key(enc, hash, usage_keyblock, &checksum,
- enc_keyblock);
- if (ret)
- goto cleanup;
-
- /* Decrypt the ciphertext. */
- ret = krb5_k_create_key(NULL, enc_keyblock, &enc_key);
- if (ret)
- goto cleanup;
- ret = (*enc->decrypt)(enc_key, ivec, &ciphertext, &plaintext);
- krb5_k_free_key(NULL, enc_key);
- if (ret)
- goto cleanup;
-
- /* Compute HMAC(usage key, plaintext) to get the checksum. */
- ret = krb5int_hmac_keyblock(hash, usage_keyblock, 1, &plaintext,
- &comp_checksum);
- if (ret)
- goto cleanup;
-
- if (memcmp(checksum.data, comp_checksum.data, hash->hashsize) != 0) {
- if (usage == 9) {
- /*
- * RFC 4757 specifies usage 8 for TGS-REP encrypted
- * parts encrypted in a subkey, but the value used by MS
- * is actually 9. We now use 9 to start with, but fall
- * back to 8 on failure in case we are communicating
- * with a KDC using the value from the RFC.
- */
- usage = 8;
- continue;
- }
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
- goto cleanup;
- }
-
- break;
- } while (1);
-
- /* Remove the confounder from the plaintext to get the output. */
- memcpy(output->data, plaintext.data + CONFOUNDERLENGTH,
- plaintext.length - CONFOUNDERLENGTH);
- output->length = plaintext.length - CONFOUNDERLENGTH;
-
-cleanup:
- krb5int_c_free_keyblock(NULL, usage_keyblock);
- krb5int_c_free_keyblock(NULL, enc_keyblock);
- zapfree(plaintext.data, plaintext.length);
- zapfree(comp_checksum.data, comp_checksum.length);
- return ret;
-}
#ifndef ARCFOUR_H
#define ARCFOUR_H
-extern void
-krb5int_arcfour_encrypt_length(const struct krb5_enc_provider *,
- const struct krb5_hash_provider *,
- size_t,
- size_t *);
+#include "etypes.h"
-extern krb5_error_code
-krb5int_arcfour_encrypt(const struct krb5_enc_provider *,
- const struct krb5_hash_provider *,
- krb5_key,
- krb5_keyusage,
- const krb5_data *,
- const krb5_data *,
- krb5_data *);
+unsigned int
+krb5int_arcfour_crypto_length(const struct krb5_keytypes *ktp,
+ krb5_cryptotype type);
-extern krb5_error_code
-krb5int_arcfour_decrypt(const struct krb5_enc_provider *,
- const struct krb5_hash_provider *,
- krb5_key,
- krb5_keyusage,
- const krb5_data *,
- const krb5_data *,
- krb5_data *);
+krb5_error_code
+krb5int_arcfour_encrypt(const struct krb5_keytypes *ktp, krb5_key key,
+ krb5_keyusage usage, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data);
+
+krb5_error_code
+krb5int_arcfour_decrypt(const struct krb5_keytypes *ktp, krb5_key key,
+ krb5_keyusage usage, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data);
extern krb5_error_code
krb5int_arcfour_string_to_key(
- const struct krb5_enc_provider *,
+ const struct krb5_keytypes *,
const krb5_data *,
const krb5_data *,
const krb5_data *,
krb5_keyblock *);
extern const struct krb5_enc_provider krb5int_enc_arcfour;
-extern const struct krb5_aead_provider krb5int_aead_arcfour;
#endif /* ARCFOUR_H */
/* AEAD */
-static krb5_error_code
-krb5int_arcfour_crypto_length(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_cryptotype type,
- unsigned int *length)
+unsigned int
+krb5int_arcfour_crypto_length(const struct krb5_keytypes *ktp,
+ krb5_cryptotype type)
{
switch (type) {
case KRB5_CRYPTO_TYPE_HEADER:
- *length = hash->hashsize + CONFOUNDERLENGTH;
- break;
+ return ktp->hash->hashsize + CONFOUNDERLENGTH;
case KRB5_CRYPTO_TYPE_PADDING:
- *length = 0;
- break;
case KRB5_CRYPTO_TYPE_TRAILER:
- *length = 0;
- break;
+ return 0;
case KRB5_CRYPTO_TYPE_CHECKSUM:
- *length = hash->hashsize;
- break;
+ return ktp->hash->hashsize;
default:
- assert(0 && "invalid cryptotype passed to krb5int_arcfour_crypto_length");
- break;
+ assert(0 &&
+ "invalid cryptotype passed to krb5int_arcfour_crypto_length");
+ return 0;
}
-
- return 0;
}
/* Encrypt or decrypt using a keyblock. */
if (ret != 0)
return ret;
/* Works for encryption or decryption since arcfour is a stream cipher. */
- ret = enc->encrypt_iov(key, ivec, data, num_data);
+ ret = enc->encrypt(key, ivec, data, num_data);
krb5_k_free_key(NULL, key);
return ret;
}
-static krb5_error_code
-krb5int_arcfour_encrypt_iov(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key,
- krb5_keyusage usage,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+krb5_error_code
+krb5int_arcfour_encrypt(const struct krb5_keytypes *ktp, krb5_key key,
+ krb5_keyusage usage, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
{
+ const struct krb5_enc_provider *enc = ktp->enc;
+ const struct krb5_hash_provider *hash = ktp->hash;
krb5_error_code ret;
krb5_crypto_iov *header, *trailer;
krb5_keyblock *usage_keyblock = NULL, *enc_keyblock = NULL;
return ret;
}
-static krb5_error_code
-krb5int_arcfour_decrypt_iov(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key,
- krb5_keyusage usage,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+krb5_error_code
+krb5int_arcfour_decrypt(const struct krb5_keytypes *ktp, krb5_key key,
+ krb5_keyusage usage, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
{
+ const struct krb5_enc_provider *enc = ktp->enc;
+ const struct krb5_hash_provider *hash = ktp->hash;
krb5_error_code ret;
krb5_crypto_iov *header, *trailer;
krb5_keyblock *usage_keyblock = NULL, *enc_keyblock = NULL;
return ret;
}
-const struct krb5_aead_provider krb5int_aead_arcfour = {
- krb5int_arcfour_crypto_length,
- krb5int_arcfour_encrypt_iov,
- krb5int_arcfour_decrypt_iov
-};
-
krb5_error_code
krb5int_arcfour_gsscrypt(const krb5_keyblock *keyblock, krb5_keyusage usage,
const krb5_data *kd_data, krb5_crypto_iov *data,
#endif
krb5_error_code
-krb5int_arcfour_string_to_key(const struct krb5_enc_provider *enc,
+krb5int_arcfour_string_to_key(const struct krb5_keytypes *ktp,
const krb5_data *string, const krb5_data *salt,
const krb5_data *params, krb5_keyblock *key)
{
arcfour.so arcfour.po $(OUTPRE)arcfour.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../builtin/hash_provider/hash_provider.h \
- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- arcfour-int.h arcfour.c arcfour.h
-arcfour_aead.so arcfour_aead.po $(OUTPRE)arcfour_aead.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(srcdir)/../../builtin/hash_provider/hash_provider.h \
- $(srcdir)/../aead.h $(srcdir)/../cksumtypes.h $(top_srcdir)/include/k5-buf.h \
+ $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \
$(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
$(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
$(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
$(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
$(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
$(top_srcdir)/include/socket-utils.h arcfour-int.h \
- arcfour.h arcfour_aead.c
-arcfour_s2k.so arcfour_s2k.po $(OUTPRE)arcfour_s2k.$(OBJEXT): \
+ arcfour.c arcfour.h
+arcfour_aead.so arcfour_aead.po $(OUTPRE)arcfour_aead.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(srcdir)/../../builtin/md4/rsa-md4.h \
+ $(COM_ERR_DEPS) $(srcdir)/../../builtin/hash_provider/hash_provider.h \
+ $(srcdir)/../aead.h $(srcdir)/../cksumtypes.h $(srcdir)/../etypes.h \
$(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
$(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
$(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
$(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/k5-utf8.h $(top_srcdir)/include/krb5.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
- $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h arcfour-int.h \
- arcfour.h arcfour_s2k.c
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ arcfour-int.h arcfour.h arcfour_aead.c
+arcfour_s2k.so arcfour_s2k.po $(OUTPRE)arcfour_s2k.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(srcdir)/../../builtin/md4/rsa-md4.h \
+ $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-utf8.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ arcfour-int.h arcfour.h arcfour_s2k.c
return ret;
}
-/*
- * Our DR function; mostly taken from derive.c
- */
-
+/* Our DR function, a simple wrapper around krb5int_derive_random(). */
static krb5_error_code
dr(const struct krb5_enc_provider *enc, const krb5_keyblock *inkey,
unsigned char *out, const krb5_data *in_constant)
{
- size_t blocksize, keybytes, n;
- unsigned char *inblockdata = NULL, *outblockdata = NULL;
- krb5_data inblock, outblock;
- krb5_error_code ret;
+ krb5_data outdata = make_data(out, enc->keybytes);
krb5_key key = NULL;
+ krb5_error_code ret;
- blocksize = enc->block_size;
- keybytes = enc->keybytes;
-
- /* Allocate and set up buffers. */
- inblockdata = k5alloc(blocksize, &ret);
- if (ret)
- goto cleanup;
- outblockdata = k5alloc(blocksize, &ret);
- if (ret)
- goto cleanup;
ret = krb5_k_create_key(NULL, inkey, &key);
- if (ret)
- goto cleanup;
-
- inblock.data = (char *) inblockdata;
- inblock.length = blocksize;
-
- outblock.data = (char *) outblockdata;
- outblock.length = blocksize;
-
- /* initialize the input block */
-
- if (in_constant->length == inblock.length) {
- memcpy(inblock.data, in_constant->data, inblock.length);
- } else {
- krb5int_nfold(in_constant->length*8, (unsigned char *) in_constant->data,
- inblock.length*8, (unsigned char *) inblock.data);
- }
-
- /* loop encrypting the blocks until enough key bytes are generated */
-
- n = 0;
- while (n < keybytes) {
- ret = (*enc->encrypt)(key, 0, &inblock, &outblock);
- if (ret)
- goto cleanup;
-
- if ((keybytes - n) <= outblock.length) {
- memcpy(out + n, outblock.data, (keybytes - n));
- break;
- }
-
- memcpy(out + n, outblock.data, outblock.length);
- memcpy(inblock.data, outblock.data, outblock.length);
- n += outblock.length;
- }
-
-cleanup:
- zapfree(inblockdata, blocksize);
- zapfree(outblockdata, blocksize);
+ if (ret != 0)
+ return ret;
+ ret = krb5int_derive_random(enc, key, &outdata, in_constant);
krb5_k_free_key(NULL, key);
return ret;
}
krb5_cryptotype type, unsigned int *size)
{
const struct krb5_keytypes *ktp;
- krb5_error_code ret;
+ krb5_error_code ret = 0;
ktp = find_enctype(enctype);
- if (ktp == NULL || ktp->aead == NULL)
+ if (ktp == NULL)
return KRB5_BAD_ENCTYPE;
switch (type) {
case KRB5_CRYPTO_TYPE_EMPTY:
case KRB5_CRYPTO_TYPE_SIGN_ONLY:
*size = 0;
- ret = 0;
break;
case KRB5_CRYPTO_TYPE_DATA:
*size = (size_t)~0; /* match Heimdal */
- ret = 0;
break;
case KRB5_CRYPTO_TYPE_HEADER:
case KRB5_CRYPTO_TYPE_PADDING:
case KRB5_CRYPTO_TYPE_TRAILER:
case KRB5_CRYPTO_TYPE_CHECKSUM:
- ret = (*ktp->aead->crypto_length)(ktp->aead, ktp->enc, ktp->hash,
- type, size);
+ *size = ktp->crypto_length(ktp, type);
break;
default:
ret = EINVAL;
const struct krb5_keytypes *ktp;
ktp = find_enctype(enctype);
- if (ktp == NULL || ktp->aead == NULL)
+ if (ktp == NULL)
return KRB5_BAD_ENCTYPE;
- return krb5int_c_padding_length(ktp->aead, ktp->enc, ktp->hash,
- data_length, pad_length);
+ *pad_length = krb5int_c_padding_length(ktp, data_length);
+ return 0;
}
krb5_error_code KRB5_CALLCONV
*/
ktp = find_enctype(enctype);
- if (ktp == NULL || ktp->aead == NULL)
+ if (ktp == NULL)
return KRB5_BAD_ENCTYPE;
for (i = 0; i < num_data; i++) {
case KRB5_CRYPTO_TYPE_HEADER:
case KRB5_CRYPTO_TYPE_TRAILER:
case KRB5_CRYPTO_TYPE_CHECKSUM:
- ret = (*ktp->aead->crypto_length)(ktp->aead, ktp->enc, ktp->hash,
- iov->flags, &iov->data.length);
+ iov->data.length = ktp->crypto_length(ktp, iov->flags);
break;
case KRB5_CRYPTO_TYPE_EMPTY:
case KRB5_CRYPTO_TYPE_SIGN_ONLY:
if (ret != 0)
return ret;
- ret = krb5int_c_padding_length(ktp->aead, ktp->enc, ktp->hash,
- data_length, &pad_length);
- if (ret != 0)
- return ret;
-
+ pad_length = krb5int_c_padding_length(ktp, data_length);
if (pad_length != 0 && padding == NULL)
return EINVAL;
const krb5_enc_data *input, krb5_data *output)
{
const struct krb5_keytypes *ktp;
+ krb5_crypto_iov iov[4];
+ krb5_error_code ret;
+ unsigned int header_len, trailer_len, plain_len;
+ char *scratch = NULL;
ktp = find_enctype(key->keyblock.enctype);
if (ktp == NULL)
if (input->enctype != ENCTYPE_UNKNOWN && ktp->etype != input->enctype)
return KRB5_BAD_ENCTYPE;
- if (ktp->decrypt == NULL) {
- assert(ktp->aead != NULL);
+ /* Verify the input and output lengths. */
+ header_len = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_HEADER);
+ trailer_len = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_TRAILER);
+ if (input->ciphertext.length < header_len + trailer_len)
+ return KRB5_BAD_MSIZE;
+ plain_len = input->ciphertext.length - header_len - trailer_len;
+ if (output->length < plain_len)
+ return KRB5_BAD_MSIZE;
+
+ scratch = k5alloc(header_len + trailer_len, &ret);
+ if (scratch == NULL)
+ return ret;
+
+ iov[0].flags = KRB5_CRYPTO_TYPE_HEADER;
+ iov[0].data = make_data(scratch, header_len);
+ memcpy(iov[0].data.data, input->ciphertext.data, header_len);
- return krb5int_c_decrypt_aead_compat(ktp->aead, ktp->enc, ktp->hash,
- key, usage, ivec,
- &input->ciphertext, output);
- }
+ iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
+ iov[1].data = make_data(output->data, plain_len);
+ memcpy(iov[1].data.data, input->ciphertext.data + header_len, plain_len);
- return (*ktp->decrypt)(ktp->enc, ktp->hash, key, usage, ivec,
- &input->ciphertext, output);
+ /* Use empty padding since tokens don't indicate the padding length. */
+ iov[2].flags = KRB5_CRYPTO_TYPE_PADDING;
+ iov[2].data = empty_data();
+
+ iov[3].flags = KRB5_CRYPTO_TYPE_TRAILER;
+ iov[3].data = make_data(scratch + header_len, trailer_len);
+ memcpy(iov[3].data.data, input->ciphertext.data + header_len + plain_len,
+ trailer_len);
+
+ ret = ktp->decrypt(ktp, key, usage, ivec, iov, 4);
+ if (ret != 0)
+ zap(output->data, plain_len);
+ else
+ output->length = plain_len;
+ zapfree(scratch, header_len + trailer_len);
+ return ret;
}
krb5_error_code KRB5_CALLCONV
#include "aead.h"
krb5_error_code KRB5_CALLCONV
-krb5_k_decrypt_iov(krb5_context context,
- krb5_key key,
- krb5_keyusage usage,
- const krb5_data *cipher_state,
- krb5_crypto_iov *data,
+krb5_k_decrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage,
+ const krb5_data *cipher_state, krb5_crypto_iov *data,
size_t num_data)
{
const struct krb5_keytypes *ktp;
ktp = find_enctype(key->keyblock.enctype);
- if (ktp == NULL || ktp->aead == NULL)
+ if (ktp == NULL)
return KRB5_BAD_ENCTYPE;
if (krb5int_c_locate_iov(data, num_data,
KRB5_CRYPTO_TYPE_STREAM) != NULL) {
- return krb5int_c_iov_decrypt_stream(ktp->aead, ktp->enc, ktp->hash,
- key, usage, cipher_state, data,
- num_data);
+ return krb5int_c_iov_decrypt_stream(ktp, key, usage, cipher_state,
+ data, num_data);
}
- return (*ktp->aead->decrypt_iov)(ktp->aead, ktp->enc, ktp->hash, key,
- usage, cipher_state, data, num_data);
+ return ktp->decrypt(ktp, key, usage, cipher_state, data, num_data);
}
krb5_error_code KRB5_CALLCONV
-krb5_c_decrypt_iov(krb5_context context,
- const krb5_keyblock *keyblock,
- krb5_keyusage usage,
- const krb5_data *cipher_state,
- krb5_crypto_iov *data,
- size_t num_data)
+krb5_c_decrypt_iov(krb5_context context, const krb5_keyblock *keyblock,
+ krb5_keyusage usage, const krb5_data *cipher_state,
+ krb5_crypto_iov *data, size_t num_data)
{
krb5_key key;
krb5_error_code ret;
enctype_to_string.c etypes.h
etypes.so etypes.po $(OUTPRE)etypes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes_s2k.h \
- $(srcdir)/../builtin/des/des_int.h $(srcdir)/../builtin/enc_provider/enc_provider.h \
- $(srcdir)/../builtin/hash_provider/hash_provider.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../builtin/des/des_int.h \
+ $(srcdir)/../builtin/enc_provider/enc_provider.h $(srcdir)/../builtin/hash_provider/hash_provider.h \
$(srcdir)/arcfour/arcfour.h $(srcdir)/dk/dk.h $(srcdir)/old/old.h \
$(srcdir)/prf/prf_int.h $(srcdir)/raw/raw.h $(top_srcdir)/include/k5-buf.h \
$(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
$(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
$(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
$(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- aead.h cksumtypes.h make_checksum_iov.c
+ aead.h cksumtypes.h etypes.h make_checksum_iov.c
make_random_key.so make_random_key.po $(OUTPRE)make_random_key.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
$(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
$(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
$(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- aead.h cksumtypes.h verify_checksum_iov.c
+ aead.h cksumtypes.h etypes.h verify_checksum_iov.c
STLIBOBJS=\
checksum.o \
dk_aead.o \
- dk_decrypt.o \
- dk_encrypt.o \
derive.o \
stringtokey.o
OBJS=\
$(OUTPRE)checksum.$(OBJEXT) \
$(OUTPRE)dk_aead.$(OBJEXT) \
- $(OUTPRE)dk_decrypt.$(OBJEXT) \
- $(OUTPRE)dk_encrypt.$(OBJEXT) \
$(OUTPRE)derive.$(OBJEXT) \
$(OUTPRE)stringtokey.$(OBJEXT)
SRCS=\
$(srcdir)/checksum.c \
$(srcdir)/dk_aead.c \
- $(srcdir)/dk_decrypt.c \
- $(srcdir)/dk_encrypt.c \
$(srcdir)/derive.c \
$(srcdir)/stringtokey.c
dk_aead.so dk_aead.po $(OUTPRE)dk_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../aead.h \
- $(srcdir)/../cksumtypes.h $(top_srcdir)/include/k5-buf.h \
+ $(srcdir)/../cksumtypes.h $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \
$(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
$(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
$(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
$(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
$(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
$(top_srcdir)/include/socket-utils.h dk.h dk_aead.c
-dk_decrypt.so dk_decrypt.po $(OUTPRE)dk_decrypt.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+derive.so derive.po $(OUTPRE)derive.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../etypes.h \
+ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
$(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
$(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
$(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
$(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
$(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
$(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- dk.h dk_decrypt.c
-dk_encrypt.so dk_encrypt.po $(OUTPRE)dk_encrypt.$(OBJEXT): \
+ derive.c dk.h
+stringtokey.so stringtokey.po $(OUTPRE)stringtokey.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- dk.h dk_encrypt.c
-derive.so derive.po $(OUTPRE)derive.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
+ $(COM_ERR_DEPS) $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \
$(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
$(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
$(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
$(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
$(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
$(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h derive.c dk.h
-stringtokey.so stringtokey.po $(OUTPRE)stringtokey.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- dk.h stringtokey.c
+ $(top_srcdir)/include/socket-utils.h dk.h stringtokey.c
return ENOMEM;
}
-/*
- * Compute a derived key into the keyblock outkey. This variation on
- * krb5int_derive_key does not cache the result, as it is only used
- * directly in situations which are not expected to be repeated with
- * the same inkey and constant.
- */
krb5_error_code
-krb5int_derive_keyblock(const struct krb5_enc_provider *enc,
- krb5_key inkey, krb5_keyblock *outkey,
- const krb5_data *in_constant)
+krb5int_derive_random(const struct krb5_enc_provider *enc,
+ krb5_key inkey, krb5_data *outrnd,
+ const krb5_data *in_constant)
{
size_t blocksize, keybytes, n;
- unsigned char *inblockdata = NULL, *outblockdata = NULL, *rawkey = NULL;
- krb5_data inblock, outblock;
+ krb5_crypto_iov iov;
krb5_error_code ret;
blocksize = enc->block_size;
keybytes = enc->keybytes;
- if (inkey->keyblock.length != enc->keylength ||
- outkey->length != enc->keylength)
+ if (inkey->keyblock.length != enc->keylength || outrnd->length != keybytes)
return KRB5_CRYPTO_INTERNAL;
- /* Allocate and set up buffers. */
- inblockdata = k5alloc(blocksize, &ret);
- if (ret)
- goto cleanup;
- outblockdata = k5alloc(blocksize, &ret);
- if (ret)
- goto cleanup;
- rawkey = k5alloc(keybytes, &ret);
+ /* Allocate encryption data buffer. */
+ iov.flags = KRB5_CRYPTO_TYPE_DATA;
+ ret = alloc_data(&iov.data, blocksize);
if (ret)
- goto cleanup;
-
- inblock.data = (char *) inblockdata;
- inblock.length = blocksize;
-
- outblock.data = (char *) outblockdata;
- outblock.length = blocksize;
+ return ret;
/* Initialize the input block. */
-
- if (in_constant->length == inblock.length) {
- memcpy(inblock.data, in_constant->data, inblock.length);
+ if (in_constant->length == blocksize) {
+ memcpy(iov.data.data, in_constant->data, blocksize);
} else {
- krb5int_nfold(in_constant->length*8, (unsigned char *) in_constant->data,
- inblock.length*8, (unsigned char *) inblock.data);
+ krb5int_nfold(in_constant->length * 8,
+ (unsigned char *) in_constant->data,
+ blocksize * 8, (unsigned char *) iov.data.data);
}
- /* Loop encrypting the blocks until enough key bytes are generated */
-
+ /* Loop encrypting the blocks until enough key bytes are generated. */
n = 0;
while (n < keybytes) {
- ret = (*enc->encrypt)(inkey, 0, &inblock, &outblock);
+ ret = enc->encrypt(inkey, 0, &iov, 1);
if (ret)
goto cleanup;
- if ((keybytes - n) <= outblock.length) {
- memcpy(rawkey + n, outblock.data, (keybytes - n));
+ if ((keybytes - n) <= blocksize) {
+ memcpy(outrnd->data + n, iov.data.data, (keybytes - n));
break;
}
- memcpy(rawkey+n, outblock.data, outblock.length);
- memcpy(inblock.data, outblock.data, outblock.length);
- n += outblock.length;
+ memcpy(outrnd->data + n, iov.data.data, blocksize);
+ n += blocksize;
}
- /* postprocess the key */
+cleanup:
+ zapfree(iov.data.data, blocksize);
+ return ret;
+}
+
+/*
+ * Compute a derived key into the keyblock outkey. This variation on
+ * krb5int_derive_key does not cache the result, as it is only used
+ * directly in situations which are not expected to be repeated with
+ * the same inkey and constant.
+ */
+krb5_error_code
+krb5int_derive_keyblock(const struct krb5_enc_provider *enc,
+ krb5_key inkey, krb5_keyblock *outkey,
+ const krb5_data *in_constant)
+{
+ krb5_error_code ret;
+ krb5_data rawkey = empty_data();
- inblock.data = (char *) rawkey;
- inblock.length = keybytes;
+ /* Allocate a buffer for the raw key bytes. */
+ ret = alloc_data(&rawkey, enc->keybytes);
+ if (ret)
+ goto cleanup;
- ret = (*enc->make_key)(&inblock, outkey);
+ /* Derive pseudo-random data for the key bytes. */
+ ret = krb5int_derive_random(enc, inkey, &rawkey, in_constant);
if (ret)
goto cleanup;
+ /* Postprocess the key. */
+ ret = enc->make_key(&rawkey, outkey);
+
cleanup:
- zapfree(inblockdata, blocksize);
- zapfree(outblockdata, blocksize);
- zapfree(rawkey, keybytes);
+ zapfree(rawkey.data, enc->keybytes);
return ret;
}
zapfree(keyblock.contents, keyblock.length);
return ret;
}
-
-krb5_error_code
-krb5int_derive_random(const struct krb5_enc_provider *enc,
- krb5_key inkey, krb5_data *outrnd,
- const krb5_data *in_constant)
-{
- size_t blocksize, keybytes, n;
- unsigned char *inblockdata = NULL, *outblockdata = NULL, *rawkey = NULL;
- krb5_data inblock, outblock;
- krb5_error_code ret;
-
- blocksize = enc->block_size;
- keybytes = enc->keybytes;
-
- if (inkey->keyblock.length != enc->keylength || outrnd->length != keybytes)
- return KRB5_CRYPTO_INTERNAL;
-
- /* Allocate and set up buffers. */
-
- inblockdata = k5alloc(blocksize, &ret);
- if (ret)
- goto cleanup;
- outblockdata = k5alloc(blocksize, &ret);
- if (ret)
- goto cleanup;
- rawkey = k5alloc(keybytes, &ret);
- if (ret)
- goto cleanup;
-
- inblock.data = (char *) inblockdata;
- inblock.length = blocksize;
-
- outblock.data = (char *) outblockdata;
- outblock.length = blocksize;
-
- /* Initialize the input block. */
- if (in_constant->length == inblock.length) {
- memcpy(inblock.data, in_constant->data, inblock.length);
- } else {
- krb5int_nfold(in_constant->length*8, (unsigned char *) in_constant->data,
- inblock.length*8, (unsigned char *) inblock.data);
- }
-
- /* Loop encrypting the blocks until enough key bytes are generated. */
- n = 0;
- while (n < keybytes) {
- ret = (*enc->encrypt)(inkey, 0, &inblock, &outblock);
- if (ret)
- goto cleanup;
-
- if ((keybytes - n) <= outblock.length) {
- memcpy(rawkey + n, outblock.data, (keybytes - n));
- break;
- }
-
- memcpy(rawkey+n, outblock.data, outblock.length);
- memcpy(inblock.data, outblock.data, outblock.length);
- n += outblock.length;
- }
-
- /* Postprocess the key. */
- memcpy(outrnd->data, rawkey, keybytes);
-
-cleanup:
- zapfree(inblockdata, blocksize);
- zapfree(outblockdata, blocksize);
- zapfree(rawkey, keybytes);
- return ret;
-}
*/
#include "k5-int.h"
+#include "etypes.h"
-void
-krb5int_dk_encrypt_length(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- size_t input, size_t *length);
+unsigned int
+krb5int_dk_crypto_length(const struct krb5_keytypes *ktp,
+ krb5_cryptotype type);
-krb5_error_code
-krb5int_dk_encrypt(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage usage,
- const krb5_data *ivec,
- const krb5_data *input, krb5_data *output);
-
-void
-krb5int_aes_encrypt_length(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- size_t input, size_t *length);
+unsigned int
+krb5int_aes_crypto_length(const struct krb5_keytypes *ktp,
+ krb5_cryptotype type);
krb5_error_code
-krb5int_aes_dk_encrypt(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key,
- krb5_keyusage usage,
- const krb5_data *ivec,
- const krb5_data *input,
- krb5_data *output);
+krb5int_dk_encrypt(const struct krb5_keytypes *ktp, krb5_key key,
+ krb5_keyusage usage, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data);
krb5_error_code
-krb5int_dk_decrypt(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage usage,
- const krb5_data *ivec, const krb5_data *input,
- krb5_data *arg_output);
+krb5int_dk_decrypt(const struct krb5_keytypes *ktp, krb5_key key,
+ krb5_keyusage usage, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data);
krb5_error_code
-krb5int_aes_dk_decrypt(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key,
- krb5_keyusage usage,
- const krb5_data *ivec,
- const krb5_data *input,
- krb5_data *arg_output);
+krb5int_dk_string_to_key(const struct krb5_keytypes *enc,
+ const krb5_data *string, const krb5_data *salt,
+ const krb5_data *params, krb5_keyblock *key);
krb5_error_code
-krb5int_dk_string_to_key(const struct krb5_enc_provider *enc,
- const krb5_data *string,
- const krb5_data *salt,
- const krb5_data *params,
- krb5_keyblock *key);
+krb5int_aes_string_to_key(const struct krb5_keytypes *enc,
+ const krb5_data *string, const krb5_data *salt,
+ const krb5_data *params, krb5_keyblock *key);
krb5_error_code
krb5int_derive_keyblock(const struct krb5_enc_provider *enc,
krb5int_derive_random(const struct krb5_enc_provider *enc,
krb5_key inkey, krb5_data *outrnd,
const krb5_data *in_constant);
-
-/* AEAD */
-
-extern const struct krb5_aead_provider krb5int_aead_dk;
-extern const struct krb5_aead_provider krb5int_aead_aes;
/* AEAD */
-static krb5_error_code
-krb5int_dk_crypto_length(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_cryptotype type,
- unsigned int *length)
+unsigned int
+krb5int_dk_crypto_length(const struct krb5_keytypes *ktp, krb5_cryptotype type)
{
switch (type) {
case KRB5_CRYPTO_TYPE_HEADER:
case KRB5_CRYPTO_TYPE_PADDING:
- *length = enc->block_size;
- break;
+ return ktp->enc->block_size;
case KRB5_CRYPTO_TYPE_TRAILER:
case KRB5_CRYPTO_TYPE_CHECKSUM:
- *length = hash->hashsize;
- break;
+ return ktp->hash->hashsize;
default:
assert(0 && "invalid cryptotype passed to krb5int_dk_crypto_length");
- break;
+ return 0;
}
+}
- return 0;
+unsigned int
+krb5int_aes_crypto_length(const struct krb5_keytypes *ktp,
+ krb5_cryptotype type)
+{
+ switch (type) {
+ case KRB5_CRYPTO_TYPE_HEADER:
+ return ktp->enc->block_size;
+ case KRB5_CRYPTO_TYPE_PADDING:
+ return 0;
+ case KRB5_CRYPTO_TYPE_TRAILER:
+ case KRB5_CRYPTO_TYPE_CHECKSUM:
+ return 96 / 8;
+ default:
+ assert(0 && "invalid cryptotype passed to krb5int_aes_crypto_length");
+ return 0;
+ }
}
-static krb5_error_code
-krb5int_dk_encrypt_iov(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key,
- krb5_keyusage usage,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+krb5_error_code
+krb5int_dk_encrypt(const struct krb5_keytypes *ktp, krb5_key key,
+ krb5_keyusage usage, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
{
+ const struct krb5_enc_provider *enc = ktp->enc;
+ const struct krb5_hash_provider *hash = ktp->hash;
krb5_error_code ret;
unsigned char constantdata[K5CLENGTH];
krb5_data d1, d2;
krb5_crypto_iov *header, *trailer, *padding;
krb5_key ke = NULL, ki = NULL;
size_t i;
- unsigned int blocksize = 0;
- unsigned int plainlen = 0;
- unsigned int hmacsize = 0;
- unsigned int padsize = 0;
+ unsigned int blocksize, hmacsize, plainlen = 0, padsize = 0;
unsigned char *cksum = NULL;
/* E(Confounder | Plaintext | Pad) | Checksum */
- ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING,
- &blocksize);
- if (ret != 0)
- return ret;
-
- ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER,
- &hmacsize);
- if (ret != 0)
- return ret;
+ blocksize = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_PADDING);
+ hmacsize = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_TRAILER);
for (i = 0; i < num_data; i++) {
krb5_crypto_iov *iov = &data[i];
goto cleanup;
/* Encrypt the plaintext (header | data | padding) */
- assert(enc->encrypt_iov != NULL);
-
- ret = (*enc->encrypt_iov)(ke, ivec, data, num_data); /* updates ivec */
+ ret = enc->encrypt(ke, ivec, data, num_data);
if (ret != 0)
goto cleanup;
return ret;
}
-static krb5_error_code
-krb5int_dk_decrypt_iov(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key,
- krb5_keyusage usage,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+krb5_error_code
+krb5int_dk_decrypt(const struct krb5_keytypes *ktp, krb5_key key,
+ krb5_keyusage usage, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
{
+ const struct krb5_enc_provider *enc = ktp->enc;
+ const struct krb5_hash_provider *hash = ktp->hash;
krb5_error_code ret;
unsigned char constantdata[K5CLENGTH];
krb5_data d1;
krb5_crypto_iov *header, *trailer;
krb5_key ke = NULL, ki = NULL;
size_t i;
- unsigned int blocksize = 0; /* enc block size, not confounder len */
- unsigned int cipherlen = 0;
- unsigned int hmacsize = 0;
+ unsigned int blocksize; /* enc block size, not confounder len */
+ unsigned int hmacsize, cipherlen = 0;
unsigned char *cksum = NULL;
/* E(Confounder | Plaintext | Pad) | Checksum */
- ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING,
- &blocksize);
- if (ret != 0)
- return ret;
-
- ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER,
- &hmacsize);
- if (ret != 0)
- return ret;
+ blocksize = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_PADDING);
+ hmacsize = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_TRAILER);
if (blocksize != 0) {
/* Check that the input data is correctly padded. */
goto cleanup;
/* Decrypt the plaintext (header | data | padding). */
- assert(enc->decrypt_iov != NULL);
-
- ret = (*enc->decrypt_iov)(ke, ivec, data, num_data); /* updates ivec */
+ ret = enc->decrypt(ke, ivec, data, num_data);
if (ret != 0)
goto cleanup;
free(cksum);
return ret;
}
-
-const struct krb5_aead_provider krb5int_aead_dk = {
- krb5int_dk_crypto_length,
- krb5int_dk_encrypt_iov,
- krb5int_dk_decrypt_iov
-};
-
-static krb5_error_code
-krb5int_aes_crypto_length(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_cryptotype type,
- unsigned int *length)
-{
- switch (type) {
- case KRB5_CRYPTO_TYPE_HEADER:
- *length = enc->block_size;
- break;
- case KRB5_CRYPTO_TYPE_PADDING:
- *length = 0;
- break;
- case KRB5_CRYPTO_TYPE_TRAILER:
- case KRB5_CRYPTO_TYPE_CHECKSUM:
- *length = 96 / 8;
- break;
- default:
- assert(0 && "invalid cryptotype passed to krb5int_aes_crypto_length");
- break;
- }
-
- return 0;
-}
-
-const struct krb5_aead_provider krb5int_aead_aes = {
- krb5int_aes_crypto_length,
- krb5int_dk_encrypt_iov,
- krb5int_dk_decrypt_iov
-};
+++ /dev/null
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright (C) 1998 by the FundsXpress, INC.
- *
- * All rights reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of FundsXpress. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. FundsXpress makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#include "k5-int.h"
-#include "dk.h"
-
-#define K5CLENGTH 5 /* 32 bit net byte order integer + one byte seed */
-
-static krb5_error_code
-krb5_dk_decrypt_maybe_trunc_hmac(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key,
- krb5_keyusage usage,
- const krb5_data *ivec,
- const krb5_data *input,
- krb5_data *output,
- size_t hmacsize,
- int ivec_mode);
-
-krb5_error_code
-krb5int_dk_decrypt(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage usage,
- const krb5_data *ivec, const krb5_data *input,
- krb5_data *output)
-{
- return krb5_dk_decrypt_maybe_trunc_hmac(enc, hash, key, usage,
- ivec, input, output, 0, 0);
-}
-
-krb5_error_code
-krb5int_aes_dk_decrypt(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage usage,
- const krb5_data *ivec, const krb5_data *input,
- krb5_data *output)
-{
- return krb5_dk_decrypt_maybe_trunc_hmac(enc, hash, key, usage,
- ivec, input, output, 96 / 8, 1);
-}
-
-static krb5_error_code
-krb5_dk_decrypt_maybe_trunc_hmac(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage usage,
- const krb5_data *ivec, const krb5_data *input,
- krb5_data *output, size_t hmacsize,
- int ivec_mode)
-{
- krb5_error_code ret;
- size_t hashsize, blocksize, enclen, plainlen;
- unsigned char *plaindata = NULL, *cksum = NULL, *cn;
- krb5_key ke = NULL, ki = NULL;
- krb5_data d1, d2;
- unsigned char constantdata[K5CLENGTH];
-
- hashsize = hash->hashsize;
- blocksize = enc->block_size;
-
- if (hmacsize == 0)
- hmacsize = hashsize;
- else if (hmacsize > hashsize)
- return KRB5KRB_AP_ERR_BAD_INTEGRITY;
-
- enclen = input->length - hmacsize;
-
- /* Allocate and set up ciphertext and to-be-derived keys. */
- plaindata = k5alloc(enclen, &ret);
- if (ret != 0)
- goto cleanup;
- cksum = k5alloc(hashsize, &ret);
- if (ret != 0)
- goto cleanup;
-
- /* Derive the keys. */
-
- d1.data = (char *) constantdata;
- d1.length = K5CLENGTH;
-
- store_32_be(usage, constantdata);
-
- d1.data[4] = (char) 0xAA;
-
- ret = krb5int_derive_key(enc, key, &ke, &d1);
- if (ret != 0)
- goto cleanup;
-
- d1.data[4] = 0x55;
-
- ret = krb5int_derive_key(enc, key, &ki, &d1);
- if (ret != 0)
- goto cleanup;
-
- /* decrypt the ciphertext */
-
- d1.length = enclen;
- d1.data = input->data;
-
- d2.length = enclen;
- d2.data = (char *) plaindata;
-
- ret = (*enc->decrypt)(ke, ivec, &d1, &d2);
- if (ret != 0)
- goto cleanup;
-
- if (ivec != NULL && ivec->length == blocksize) {
- if (ivec_mode == 0)
- cn = (unsigned char *) d1.data + d1.length - blocksize;
- else if (ivec_mode == 1) {
- int nblocks = (d1.length + blocksize - 1) / blocksize;
- cn = (unsigned char *) d1.data + blocksize * (nblocks - 2);
- } else
- abort();
- } else
- cn = NULL;
-
- /* Verify the hash. */
-
- d1.length = hashsize;
- d1.data = (char *) cksum;
-
- ret = krb5int_hmac(hash, ki, 1, &d2, &d1);
- if (ret != 0)
- goto cleanup;
-
- if (memcmp(cksum, input->data+enclen, hmacsize) != 0) {
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
- goto cleanup;
- }
-
- /*
- * Because this encoding isn't self-describing wrt length, the
- * best we can do here is to compute the length minus the
- * confounder.
- */
-
- plainlen = enclen - blocksize;
-
- if (output->length < plainlen)
- return KRB5_BAD_MSIZE;
-
- output->length = plainlen;
-
- memcpy(output->data, d2.data+blocksize, output->length);
-
- if (cn != NULL)
- memcpy(ivec->data, cn, blocksize);
-
-cleanup:
- krb5_k_free_key(NULL, ke);
- krb5_k_free_key(NULL, ki);
- zapfree(plaindata, enclen);
- zapfree(cksum, hashsize);
- return ret;
-}
+++ /dev/null
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright (C) 1998 by the FundsXpress, INC.
- *
- * All rights reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of FundsXpress. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. FundsXpress makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#include "k5-int.h"
-#include "dk.h"
-
-#define K5CLENGTH 5 /* 32 bit net byte order integer + one byte seed */
-
-/*
- * The spec says that the confounder size and padding are specific to
- * the encryption algorithm. This code (dk_encrypt_length and
- * dk_encrypt) assume the confounder is always the blocksize, and the
- * padding is always zero bytes up to the blocksize. If these
- * assumptions ever fails, the keytype table should be extended to
- * include these bits of info.
- */
-
-void
-krb5int_dk_encrypt_length(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- size_t inputlen, size_t *length)
-{
- size_t blocksize, hashsize;
-
- blocksize = enc->block_size;
- hashsize = hash->hashsize;
- *length = krb5_roundup(blocksize + inputlen, blocksize) + hashsize;
-}
-
-krb5_error_code
-krb5int_dk_encrypt(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage usage,
- const krb5_data *ivec, const krb5_data *input,
- krb5_data *output)
-{
- size_t blocksize, plainlen, enclen;
- krb5_error_code ret;
- unsigned char constantdata[K5CLENGTH];
- krb5_data d1, d2;
- unsigned char *plaintext = NULL;
- char *cn;
- krb5_key ke = NULL, ki = NULL;
-
- blocksize = enc->block_size;
- plainlen = krb5_roundup(blocksize + input->length, blocksize);
-
- krb5int_dk_encrypt_length(enc, hash, input->length, &enclen);
-
- /* key->length, ivec will be tested in enc->encrypt. */
-
- if (output->length < enclen)
- return(KRB5_BAD_MSIZE);
-
- /* Allocate and set up plaintext and to-be-derived keys. */
-
- plaintext = malloc(plainlen);
- if (plaintext == NULL)
- return ENOMEM;
-
- /* Derive the keys. */
-
- d1.data = (char *) constantdata;
- d1.length = K5CLENGTH;
-
- store_32_be(usage, constantdata);
-
- d1.data[4] = (char) 0xAA;
-
- ret = krb5int_derive_key(enc, key, &ke, &d1);
- if (ret != 0)
- goto cleanup;
-
- d1.data[4] = 0x55;
-
- ret = krb5int_derive_key(enc, key, &ki, &d1);
- if (ret != 0)
- goto cleanup;
-
- /* Put together the plaintext. */
-
- d1.length = blocksize;
- d1.data = (char *) plaintext;
-
- ret = krb5_c_random_make_octets(/* XXX */ 0, &d1);
- if (ret != 0)
- goto cleanup;
-
- memcpy(plaintext + blocksize, input->data, input->length);
-
- memset(plaintext + blocksize + input->length, 0,
- plainlen - (blocksize + input->length));
-
- /* Encrypt the plaintext. */
-
- d1.length = plainlen;
- d1.data = (char *) plaintext;
-
- d2.length = plainlen;
- d2.data = output->data;
-
- ret = (*enc->encrypt)(ke, ivec, &d1, &d2);
- if (ret != 0)
- goto cleanup;
-
- if (ivec != NULL && ivec->length == blocksize)
- cn = d2.data + d2.length - blocksize;
- else
- cn = NULL;
-
- /* Hash the plaintext. */
-
- d2.length = enclen - plainlen;
- d2.data = output->data+plainlen;
-
- output->length = enclen;
-
- ret = krb5int_hmac(hash, ki, 1, &d1, &d2);
- if (ret != 0) {
- memset(d2.data, 0, d2.length);
- goto cleanup;
- }
-
- /* Update ivec. */
- if (cn != NULL)
- memcpy(ivec->data, cn, blocksize);
-
-cleanup:
- krb5_k_free_key(NULL, ke);
- krb5_k_free_key(NULL, ki);
- zapfree(plaintext, plainlen);
- return ret;
-}
-
-/* Not necessarily "AES", per se, but "a CBC+CTS mode block cipher
- with a 96-bit truncated HMAC". */
-void
-krb5int_aes_encrypt_length(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- size_t inputlen, size_t *length)
-{
- size_t blocksize, hashsize;
-
- blocksize = enc->block_size;
- hashsize = 96 / 8;
-
- /* No roundup, since CTS requires no padding once we've hit the
- block size. */
- *length = blocksize+inputlen + hashsize;
-}
-
-static krb5_error_code
-trunc_hmac (const struct krb5_hash_provider *hash,
- krb5_key ki, unsigned int num,
- const krb5_data *input, const krb5_data *output)
-{
- size_t hashsize;
- krb5_data tmp;
- krb5_error_code ret;
-
- hashsize = hash->hashsize;
- if (hashsize < output->length)
- return KRB5_CRYPTO_INTERNAL;
- tmp.length = hashsize;
- tmp.data = malloc(hashsize);
- if (tmp.data == NULL)
- return ENOMEM;
- ret = krb5int_hmac(hash, ki, num, input, &tmp);
- if (ret == 0)
- memcpy(output->data, tmp.data, output->length);
- memset(tmp.data, 0, hashsize);
- free(tmp.data);
- return ret;
-}
-
-krb5_error_code
-krb5int_aes_dk_encrypt(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage usage,
- const krb5_data *ivec, const krb5_data *input,
- krb5_data *output)
-{
- size_t blocksize, keybytes, plainlen, enclen;
- krb5_error_code ret;
- unsigned char constantdata[K5CLENGTH];
- krb5_data d1, d2;
- unsigned char *plaintext = NULL;
- char *cn;
- krb5_key ke = NULL, ki = NULL;
-
- /* allocate and set up plaintext and to-be-derived keys */
-
- blocksize = enc->block_size;
- keybytes = enc->keybytes;
- plainlen = blocksize+input->length;
-
- krb5int_aes_encrypt_length(enc, hash, input->length, &enclen);
-
- /* key->length, ivec will be tested in enc->encrypt */
-
- if (output->length < enclen)
- return KRB5_BAD_MSIZE;
-
- plaintext = malloc(plainlen);
- if (plaintext == NULL)
- return ENOMEM;
-
- /* Derive the keys. */
-
- d1.data = (char *) constantdata;
- d1.length = K5CLENGTH;
-
- store_32_be(usage, constantdata);
-
- d1.data[4] = (char) 0xAA;
-
- ret = krb5int_derive_key(enc, key, &ke, &d1);
- if (ret != 0)
- goto cleanup;
-
- d1.data[4] = 0x55;
-
- ret = krb5int_derive_key(enc, key, &ki, &d1);
- if (ret != 0)
- goto cleanup;
-
- /* put together the plaintext */
-
- d1.length = blocksize;
- d1.data = (char *) plaintext;
-
- ret = krb5_c_random_make_octets(NULL, &d1);
- if (ret != 0)
- goto cleanup;
-
- memcpy(plaintext + blocksize, input->data, input->length);
-
- /* Ciphertext stealing; there should be no more. */
- if (plainlen != blocksize + input->length)
- abort();
-
- /* Encrypt the plaintext. */
-
- d1.length = plainlen;
- d1.data = (char *) plaintext;
-
- d2.length = plainlen;
- d2.data = output->data;
-
- ret = (*enc->encrypt)(ke, ivec, &d1, &d2);
- if (ret != 0)
- goto cleanup;
-
- if (ivec != NULL && ivec->length == blocksize) {
- int nblocks = (d2.length + blocksize - 1) / blocksize;
- cn = d2.data + blocksize * (nblocks - 2);
- } else
- cn = NULL;
-
- /* Hash the plaintext. */
-
- d2.length = enclen - plainlen;
- d2.data = output->data+plainlen;
- if (d2.length != 96 / 8)
- abort();
-
- ret = trunc_hmac(hash, ki, 1, &d1, &d2);
- if (ret != 0) {
- memset(d2.data, 0, d2.length);
- goto cleanup;
- }
-
- output->length = enclen;
-
- /* Update ivec. */
- if (cn != NULL)
- memcpy(ivec->data, cn, blocksize);
-
-cleanup:
- krb5_k_free_key(NULL, ke);
- krb5_k_free_key(NULL, ki);
- zapfree(plaintext, plainlen);
- return ret;
-}
#define kerberos_len (sizeof(kerberos)-1)
krb5_error_code
-krb5int_dk_string_to_key(const struct krb5_enc_provider *enc,
+krb5int_dk_string_to_key(const struct krb5_keytypes *ktp,
const krb5_data *string, const krb5_data *salt,
const krb5_data *parms, krb5_keyblock *keyblock)
{
+ const struct krb5_enc_provider *enc = ktp->enc;
krb5_error_code ret;
size_t keybytes, keylength, concatlen;
unsigned char *concat = NULL, *foldstring = NULL, *foldkeydata = NULL;
foldkeyblock.length = keylength;
foldkeyblock.contents = foldkeydata;
- ret = (*enc->make_key)(&indata, &foldkeyblock);
+ ret = enc->make_key(&indata, &foldkeyblock);
if (ret != 0)
goto cleanup;
krb5_k_free_key(NULL, foldkey);
return ret;
}
+
+
+#define DEFAULT_ITERATION_COUNT 4096 /* was 0xb000L in earlier drafts */
+#define MAX_ITERATION_COUNT 0x1000000L
+
+krb5_error_code
+krb5int_aes_string_to_key(const struct krb5_keytypes *ktp,
+ const krb5_data *string,
+ const krb5_data *salt,
+ const krb5_data *params,
+ krb5_keyblock *key)
+{
+ unsigned long iter_count;
+ krb5_data out;
+ static const krb5_data usage = { KV5M_DATA, 8, "kerberos" };
+ krb5_key tempkey = NULL;
+ krb5_error_code err;
+
+ if (params) {
+ unsigned char *p = (unsigned char *) params->data;
+ if (params->length != 4)
+ return KRB5_ERR_BAD_S2K_PARAMS;
+ /* The first two need casts in case 'int' is 16 bits. */
+ iter_count = load_32_be(p);
+ if (iter_count == 0) {
+ iter_count = (1UL << 16) << 16;
+ if (((iter_count >> 16) >> 16) != 1)
+ return KRB5_ERR_BAD_S2K_PARAMS;
+ }
+ } else
+ iter_count = DEFAULT_ITERATION_COUNT;
+
+ /* This is not a protocol specification constraint; this is an
+ implementation limit, which should eventually be controlled by
+ a config file. */
+ if (iter_count >= MAX_ITERATION_COUNT)
+ return KRB5_ERR_BAD_S2K_PARAMS;
+
+ /* Use the output keyblock contents for temporary space. */
+ out.data = (char *) key->contents;
+ out.length = key->length;
+ if (out.length != 16 && out.length != 32)
+ return KRB5_CRYPTO_INTERNAL;
+
+ err = krb5int_pbkdf2_hmac_sha1 (&out, iter_count, string, salt);
+ if (err)
+ goto cleanup;
+
+ err = krb5_k_create_key (NULL, key, &tempkey);
+ if (err)
+ goto cleanup;
+
+ err = krb5int_derive_keyblock(ktp->enc, tempkey, key, &usage);
+
+cleanup:
+ if (err)
+ memset (out.data, 0, out.length);
+ krb5_k_free_key (NULL, tempkey);
+ return err;
+}
const krb5_data *input, krb5_enc_data *output)
{
const struct krb5_keytypes *ktp;
+ krb5_crypto_iov iov[4];
+ krb5_error_code ret;
+ unsigned int header_len, padding_len, trailer_len, total_len;
ktp = find_enctype(key->keyblock.enctype);
if (ktp == NULL)
output->kvno = 0;
output->enctype = key->keyblock.enctype;
- if (ktp->encrypt == NULL) {
- assert(ktp->aead != NULL);
+ /* Get the lengths of the token parts and compute the total. */
+ header_len = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_HEADER);
+ padding_len = krb5int_c_padding_length(ktp, input->length);
+ trailer_len = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_TRAILER);
+ total_len = header_len + input->length + padding_len + trailer_len;
+ if (output->ciphertext.length < total_len)
+ return KRB5_BAD_MSIZE;
+
+ /* Set up the iov structures for the token parts. */
+ iov[0].flags = KRB5_CRYPTO_TYPE_HEADER;
+ iov[0].data = make_data(output->ciphertext.data, header_len);
+
+ iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
+ iov[1].data = make_data(output->ciphertext.data + header_len,
+ input->length);
+ memcpy(iov[1].data.data, input->data, input->length);
- return krb5int_c_encrypt_aead_compat(ktp->aead, ktp->enc, ktp->hash,
- key, usage, ivec, input,
- &output->ciphertext);
- }
+ iov[2].flags = KRB5_CRYPTO_TYPE_PADDING;
+ iov[2].data = make_data(iov[1].data.data + input->length, padding_len);
- return (*ktp->encrypt)(ktp->enc, ktp->hash, key, usage, ivec, input,
- &output->ciphertext);
+ iov[3].flags = KRB5_CRYPTO_TYPE_TRAILER;
+ iov[3].data = make_data(iov[2].data.data + padding_len, trailer_len);
+
+ ret = ktp->encrypt(ktp, key, usage, ivec, iov, 4);
+ if (ret != 0)
+ zap(iov[1].data.data, iov[1].data.length);
+ else
+ output->ciphertext.length = total_len;
+ return ret;
}
krb5_error_code KRB5_CALLCONV
#include "etypes.h"
krb5_error_code KRB5_CALLCONV
-krb5_k_encrypt_iov(krb5_context context,
- krb5_key key,
- krb5_keyusage usage,
- const krb5_data *cipher_state,
- krb5_crypto_iov *data,
+krb5_k_encrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage,
+ const krb5_data *cipher_state, krb5_crypto_iov *data,
size_t num_data)
{
const struct krb5_keytypes *ktp;
ktp = find_enctype(key->keyblock.enctype);
- if (ktp == NULL || ktp->aead == NULL)
+ if (ktp == NULL)
return KRB5_BAD_ENCTYPE;
- return (*ktp->aead->encrypt_iov)(ktp->aead, ktp->enc, ktp->hash,
- key, usage, cipher_state, data, num_data);
+ return ktp->encrypt(ktp, key, usage, cipher_state, data, num_data);
}
krb5_error_code KRB5_CALLCONV
-krb5_c_encrypt_iov(krb5_context context,
- const krb5_keyblock *keyblock,
- krb5_keyusage usage,
- const krb5_data *cipher_state,
- krb5_crypto_iov *data,
- size_t num_data)
+krb5_c_encrypt_iov(krb5_context context, const krb5_keyblock *keyblock,
+ krb5_keyusage usage, const krb5_data *cipher_state,
+ krb5_crypto_iov *data, size_t num_data)
{
krb5_key key;
krb5_error_code ret;
size_t inputlen, size_t *length)
{
const struct krb5_keytypes *ktp;
+ unsigned int header_len = 0, padding_len = 0, trailer_len = 0;
ktp = find_enctype(enctype);
if (ktp == NULL)
return KRB5_BAD_ENCTYPE;
- if (ktp->encrypt_len == NULL) {
- assert(ktp->aead != NULL);
-
- krb5int_c_encrypt_length_aead_compat(ktp->aead, ktp->enc, ktp->hash,
- inputlen, length);
- } else {
- (*ktp->encrypt_len)(ktp->enc, ktp->hash, inputlen, length);
- }
+ header_len = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_HEADER);
+ padding_len = krb5int_c_padding_length(ktp, inputlen);
+ trailer_len = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_TRAILER);
+ *length = header_len + inputlen + padding_len + trailer_len;
return 0;
}
#include "dk.h"
#include "prf_int.h"
#include "arcfour.h"
-#include "aes_s2k.h"
#include "des/des_int.h"
/* these will be linear searched. if they ever get big, a binary
"des-cbc-crc", { 0 }, "DES cbc mode with CRC-32",
&krb5int_enc_des, &krb5int_hash_crc32,
16,
- krb5int_old_encrypt_length, krb5int_old_encrypt, krb5int_old_decrypt,
+ krb5int_old_crypto_length, krb5int_old_encrypt, krb5int_old_decrypt,
krb5int_des_string_to_key,
krb5int_des_prf,
CKSUMTYPE_RSA_MD5,
- &krb5int_aead_old,
ETYPE_WEAK },
{ ENCTYPE_DES_CBC_MD4,
"des-cbc-md4", { 0 }, "DES cbc mode with RSA-MD4",
&krb5int_enc_des, &krb5int_hash_md4,
16,
- krb5int_old_encrypt_length, krb5int_old_encrypt, krb5int_old_decrypt,
+ krb5int_old_crypto_length, krb5int_old_encrypt, krb5int_old_decrypt,
krb5int_des_string_to_key,
krb5int_des_prf,
CKSUMTYPE_RSA_MD4,
- &krb5int_aead_old,
ETYPE_WEAK },
{ ENCTYPE_DES_CBC_MD5,
"des-cbc-md5", { "des" }, "DES cbc mode with RSA-MD5",
&krb5int_enc_des, &krb5int_hash_md5,
16,
- krb5int_old_encrypt_length, krb5int_old_encrypt, krb5int_old_decrypt,
+ krb5int_old_crypto_length, krb5int_old_encrypt, krb5int_old_decrypt,
krb5int_des_string_to_key,
krb5int_des_prf,
CKSUMTYPE_RSA_MD5,
- &krb5int_aead_old,
ETYPE_WEAK },
{ ENCTYPE_DES_CBC_RAW,
"des-cbc-raw", { 0 }, "DES cbc mode raw",
&krb5int_enc_des, NULL,
16,
- krb5_raw_encrypt_length, krb5int_raw_encrypt, krb5int_raw_decrypt,
+ krb5int_raw_crypto_length, krb5int_raw_encrypt, krb5int_raw_decrypt,
krb5int_des_string_to_key,
krb5int_des_prf,
0,
- &krb5int_aead_raw,
ETYPE_WEAK },
{ ENCTYPE_DES3_CBC_RAW,
"des3-cbc-raw", { 0 }, "Triple DES cbc mode raw",
&krb5int_enc_des3, NULL,
16,
- krb5_raw_encrypt_length, krb5int_raw_encrypt, krb5int_raw_decrypt,
+ krb5int_raw_crypto_length, krb5int_raw_encrypt, krb5int_raw_decrypt,
krb5int_dk_string_to_key,
NULL, /*PRF*/
0,
- &krb5int_aead_raw,
ETYPE_WEAK },
{ ENCTYPE_DES3_CBC_SHA1,
"Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
16,
- krb5int_dk_encrypt_length, krb5int_dk_encrypt, krb5int_dk_decrypt,
+ krb5int_dk_crypto_length, krb5int_dk_encrypt, krb5int_dk_decrypt,
krb5int_dk_string_to_key,
krb5int_dk_prf,
CKSUMTYPE_HMAC_SHA1_DES3,
- &krb5int_aead_dk,
0 /*flags*/ },
{ ENCTYPE_DES_HMAC_SHA1,
"des-hmac-sha1", { 0 }, "DES with HMAC/sha1",
&krb5int_enc_des, &krb5int_hash_sha1,
8,
- krb5int_dk_encrypt_length, krb5int_dk_encrypt, krb5int_dk_decrypt,
+ krb5int_dk_crypto_length, krb5int_dk_encrypt, krb5int_dk_decrypt,
krb5int_dk_string_to_key,
NULL, /*PRF*/
0,
- &krb5int_aead_dk,
ETYPE_WEAK },
{ ENCTYPE_ARCFOUR_HMAC,
"arcfour-hmac", { "rc4-hmac", "arcfour-hmac-md5" },
&krb5int_enc_arcfour,
&krb5int_hash_md5,
20,
- krb5int_arcfour_encrypt_length, krb5int_arcfour_encrypt,
+ krb5int_arcfour_crypto_length, krb5int_arcfour_encrypt,
krb5int_arcfour_decrypt, krb5int_arcfour_string_to_key,
krb5int_arcfour_prf, /*PRF*/
CKSUMTYPE_HMAC_MD5_ARCFOUR,
- &krb5int_aead_arcfour,
0 /*flags*/ },
{ ENCTYPE_ARCFOUR_HMAC_EXP,
"arcfour-hmac-exp", { "rc4-hmac-exp", "arcfour-hmac-md5-exp" },
&krb5int_enc_arcfour,
&krb5int_hash_md5,
20,
- krb5int_arcfour_encrypt_length, krb5int_arcfour_encrypt,
+ krb5int_arcfour_crypto_length, krb5int_arcfour_encrypt,
krb5int_arcfour_decrypt, krb5int_arcfour_string_to_key,
krb5int_arcfour_prf, /*PRF*/
CKSUMTYPE_HMAC_MD5_ARCFOUR,
- &krb5int_aead_arcfour,
ETYPE_WEAK
},
"AES-128 CTS mode with 96-bit SHA-1 HMAC",
&krb5int_enc_aes128, &krb5int_hash_sha1,
16,
- krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
+ krb5int_aes_crypto_length, krb5int_dk_encrypt, krb5int_dk_decrypt,
krb5int_aes_string_to_key,
krb5int_dk_prf,
CKSUMTYPE_HMAC_SHA1_96_AES128,
- &krb5int_aead_aes,
0 /*flags*/ },
{ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
"aes256-cts-hmac-sha1-96", { "aes256-cts" },
"AES-256 CTS mode with 96-bit SHA-1 HMAC",
&krb5int_enc_aes256, &krb5int_hash_sha1,
16,
- krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
+ krb5int_aes_crypto_length, krb5int_dk_encrypt, krb5int_dk_decrypt,
krb5int_aes_string_to_key,
krb5int_dk_prf,
CKSUMTYPE_HMAC_SHA1_96_AES256,
- &krb5int_aead_aes,
0 /*flags*/ },
};
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
+#ifndef ETYPES_H
+#define ETYPES_H
+
#include "k5-int.h"
-typedef void (*krb5_encrypt_length_func)(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- size_t inputlen, size_t *length);
+struct krb5_keytypes;
+
+typedef unsigned int (*crypto_length_func)(const struct krb5_keytypes *ktp,
+ krb5_cryptotype type);
-typedef krb5_error_code (*krb5_crypt_func)(const struct krb5_enc_provider *enc,
- const struct
- krb5_hash_provider *hash,
- krb5_key key,
- krb5_keyusage keyusage,
- const krb5_data *ivec,
- const krb5_data *input,
- krb5_data *output);
+typedef krb5_error_code (*crypt_func)(const struct krb5_keytypes *ktp,
+ krb5_key key, krb5_keyusage keyusage,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data);
-typedef krb5_error_code (*krb5_str2key_func)(const struct
- krb5_enc_provider *enc,
- const krb5_data *string,
- const krb5_data *salt,
- const krb5_data *parm,
- krb5_keyblock *key);
+typedef krb5_error_code (*str2key_func)(const struct krb5_keytypes *ktp,
+ const krb5_data *string,
+ const krb5_data *salt,
+ const krb5_data *parm,
+ krb5_keyblock *key);
-typedef krb5_error_code (*krb5_prf_func)(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key,
- const krb5_data *in, krb5_data *out);
+typedef krb5_error_code (*prf_func)(const struct krb5_keytypes *ktp,
+ krb5_key key,
+ const krb5_data *in, krb5_data *out);
struct krb5_keytypes {
krb5_enctype etype;
const struct krb5_enc_provider *enc;
const struct krb5_hash_provider *hash;
size_t prf_length;
- krb5_encrypt_length_func encrypt_len;
- krb5_crypt_func encrypt;
- krb5_crypt_func decrypt;
- krb5_str2key_func str2key;
- krb5_prf_func prf;
+ crypto_length_func crypto_length;
+ crypt_func encrypt;
+ crypt_func decrypt;
+ str2key_func str2key;
+ prf_func prf;
krb5_cksumtype required_ctype;
- const struct krb5_aead_provider *aead;
krb5_flags flags;
};
return NULL;
return &krb5int_enctypes_list[i];
}
+
+#endif
BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
LOCALINCLUDES = -I$(srcdir)/../../@CRYPTO_IMPL@/des -I$(srcdir)/../../@CRYPTO_IMPL@/md4 \
-I$(srcdir)/../../@CRYPTO_IMPL@/md5 -I$(srcdir)/../arcfour \
- -I$(srcdir)/../../@CRYPTO_IMPL@/hash_provider -I$(srcdir)/../../@CRYPTO_IMPL@
+ -I$(srcdir)/../../@CRYPTO_IMPL@/hash_provider -I$(srcdir)/../../@CRYPTO_IMPL@ \
+ -I$(srcdir)/..
DEFS=
##DOS##BUILDTOP = ..\..\..\..
$(COM_ERR_DEPS) $(srcdir)/../../builtin/hash_provider/hash_provider.h \
$(srcdir)/../../builtin/md5/rsa-md5.h $(srcdir)/../aead.h \
$(srcdir)/../arcfour/arcfour-int.h $(srcdir)/../arcfour/arcfour.h \
- $(srcdir)/../cksumtypes.h $(top_srcdir)/include/k5-buf.h \
+ $(srcdir)/../cksumtypes.h $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \
$(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
$(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
$(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
$(COM_ERR_DEPS) $(srcdir)/../../builtin/hash_provider/hash_provider.h \
$(srcdir)/../../builtin/md5/rsa-md5.h $(srcdir)/../arcfour/arcfour-int.h \
- $(srcdir)/../arcfour/arcfour.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
- $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h keyhash_provider.h \
- md5_hmac.c
+ $(srcdir)/../arcfour/arcfour.h $(srcdir)/../etypes.h \
+ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ keyhash_provider.h md5_hmac.c
krb5_MD4_CTX ctx;
unsigned char conf[CONFLENGTH];
krb5_key xorkey = NULL;
+ krb5_crypto_iov iov;
struct krb5_enc_provider *enc = &krb5int_enc_des;
if (output->length != (CONFLENGTH+RSA_MD4_CKSUM_LENGTH))
memcpy(output->data, conf, CONFLENGTH);
memcpy(output->data+CONFLENGTH, ctx.digest, RSA_MD4_CKSUM_LENGTH);
- ret = enc->encrypt(xorkey, NULL, output, output);
+ iov.flags = KRB5_CRYPTO_TYPE_DATA;
+ iov.data = *output;
+ ret = enc->encrypt(xorkey, NULL, &iov, 1);
krb5_k_free_key(NULL, xorkey);
krb5_key xorkey = NULL;
int compathash = 0;
struct krb5_enc_provider *enc = &krb5int_enc_des;
- krb5_data output, iv;
+ krb5_data iv;
+ krb5_crypto_iov iov;
iv.data = NULL;
iv.length = 0;
}
/* decrypt it */
- output.data = (char *)plaintext;
- output.length = hash->length;
+ iov.flags = KRB5_CRYPTO_TYPE_DATA;
+ iov.data = make_data(plaintext, hash->length);
+ memcpy(plaintext, hash->data, hash->length);
- if (!compathash) {
- ret = enc->decrypt(xorkey, NULL, hash, &output);
- krb5_k_free_key(NULL, xorkey);
+ if (compathash) {
+ ret = enc->decrypt(key, &iv, &iov, 1);
+ zapfree(iv.data, iv.length);
} else {
- ret = enc->decrypt(key, &iv, hash, &output);
- zap(iv.data, iv.length);
- free(iv.data);
+ ret = enc->decrypt(xorkey, NULL, &iov, 1);
+ krb5_k_free_key(NULL, xorkey);
}
- if (ret) return(ret);
-
- if (output.length > CONFLENGTH+RSA_MD4_CKSUM_LENGTH)
- return KRB5_CRYPTO_INTERNAL;
+ if (ret)
+ return ret;
/* hash the confounder, then the input data */
krb5_MD5_CTX ctx;
unsigned char conf[CONFLENGTH];
krb5_key xorkey = NULL;
+ krb5_crypto_iov iov;
struct krb5_enc_provider *enc = &krb5int_enc_des;
if (output->length != (CONFLENGTH+RSA_MD5_CKSUM_LENGTH))
memcpy(output->data, conf, CONFLENGTH);
memcpy(output->data+CONFLENGTH, ctx.digest, RSA_MD5_CKSUM_LENGTH);
- ret = enc->encrypt(xorkey, NULL, output, output);
+ iov.flags = KRB5_CRYPTO_TYPE_DATA;
+ iov.data = *output;
+ ret = enc->encrypt(xorkey, NULL, &iov, 1);
krb5_k_free_key(NULL, xorkey);
krb5_key xorkey = NULL;
int compathash = 0;
struct krb5_enc_provider *enc = &krb5int_enc_des;
- krb5_data output, iv;
+ krb5_data iv;
+ krb5_crypto_iov iov;
iv.data = NULL;
iv.length = 0;
}
/* decrypt it */
- output.data = (char *)plaintext;
- output.length = hash->length;
+ iov.flags = KRB5_CRYPTO_TYPE_DATA;
+ iov.data = make_data(plaintext, hash->length);
+ memcpy(plaintext, hash->data, hash->length);
if (!compathash) {
- ret = enc->decrypt(xorkey, NULL, hash, &output);
+ ret = enc->decrypt(xorkey, NULL, &iov, 1);
krb5_k_free_key(NULL, xorkey);
} else {
- ret = enc->decrypt(key, &iv, hash, &output);
+ ret = enc->decrypt(key, &iv, &iov, 1);
zap(iv.data, iv.length);
free(iv.data);
}
if (ret) return(ret);
- if (output.length > CONFLENGTH+RSA_MD5_CKSUM_LENGTH)
- return KRB5_CRYPTO_INTERNAL;
-
/* hash the confounder, then the input data */
krb5int_MD5Init(&ctx);
RUN_SETUP = @KRB5_RUN_ENV@ KRB5_CONFIG=$(top_srcdir)/config-files/krb5.conf
-STLIBOBJS= old_aead.o old_decrypt.o old_encrypt.o des_stringtokey.o
+STLIBOBJS= old_aead.o des_stringtokey.o
-OBJS= $(OUTPRE)des_stringtokey.$(OBJEXT) $(OUTPRE)old_aead.$(OBJEXT) $(OUTPRE)old_decrypt.$(OBJEXT) $(OUTPRE)old_encrypt.$(OBJEXT)
+OBJS= $(OUTPRE)des_stringtokey.$(OBJEXT) $(OUTPRE)old_aead.$(OBJEXT)
-SRCS= $(srcdir)/des_stringtokey.c $(srcdir)/old_aead.c \
- $(srcdir)/old_decrypt.c $(srcdir)/old_encrypt.c
+SRCS= $(srcdir)/des_stringtokey.c $(srcdir)/old_aead.c
##DOS##LIBOBJS = $(OBJS)
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
$(COM_ERR_DEPS) $(srcdir)/../../builtin/des/des_int.h \
- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- des_stringtokey.c old.h
+ $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
+ $(top_srcdir)/include/socket-utils.h des_stringtokey.c \
+ old.h
old_aead.so old_aead.po $(OUTPRE)old_aead.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
$(COM_ERR_DEPS) $(srcdir)/../aead.h $(srcdir)/../cksumtypes.h \
- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- old.h old_aead.c
-old_decrypt.so old_decrypt.po $(OUTPRE)old_decrypt.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- old.h old_decrypt.c
-old_encrypt.so old_encrypt.po $(OUTPRE)old_encrypt.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- old.h old_encrypt.c
+ $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
+ $(top_srcdir)/include/socket-utils.h old.h old_aead.c
const krb5_data * salt);
krb5_error_code
-krb5int_des_string_to_key(const struct krb5_enc_provider *enc,
- const krb5_data *string,
- const krb5_data *salt, const krb5_data *parm,
- krb5_keyblock *key)
+krb5int_des_string_to_key(const struct krb5_keytypes *ktp,
+ const krb5_data *string, const krb5_data *salt,
+ const krb5_data *parm, krb5_keyblock *key)
{
int type;
- if (parm ) {
+ if (parm) {
if (parm->length != 1)
return KRB5_ERR_BAD_S2K_PARAMS;
type = parm->data[0];
*/
#include "k5-int.h"
+#include "etypes.h"
-void krb5int_old_encrypt_length(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- size_t input, size_t *length);
+unsigned int
+krb5int_old_crypto_length(const struct krb5_keytypes *ktp,
+ krb5_cryptotype type);
-krb5_error_code krb5int_old_encrypt(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage usage,
- const krb5_data *ivec,
- const krb5_data *input, krb5_data *output);
+krb5_error_code
+krb5int_old_encrypt(const struct krb5_keytypes *ktp, krb5_key key,
+ krb5_keyusage usage, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data);
-krb5_error_code krb5int_old_decrypt(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage usage,
- const krb5_data *ivec,
- const krb5_data *input,
- krb5_data *arg_output);
+krb5_error_code
+krb5int_old_decrypt(const struct krb5_keytypes *ktp, krb5_key key,
+ krb5_keyusage usage, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data);
-krb5_error_code krb5int_des_string_to_key(const struct krb5_enc_provider *enc,
+krb5_error_code krb5int_des_string_to_key(const struct krb5_keytypes *ktp,
const krb5_data *string,
const krb5_data *salt,
const krb5_data *params,
krb5_keyblock *key);
-
-extern const struct krb5_aead_provider krb5int_aead_old;
#include "old.h"
#include "aead.h"
-static krb5_error_code
-krb5int_old_crypto_length(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_cryptotype type,
- unsigned int *length)
+unsigned int
+krb5int_old_crypto_length(const struct krb5_keytypes *ktp,
+ krb5_cryptotype type)
{
switch (type) {
case KRB5_CRYPTO_TYPE_HEADER:
- *length = enc->block_size + hash->hashsize;
- break;
+ return ktp->enc->block_size + ktp->hash->hashsize;
case KRB5_CRYPTO_TYPE_PADDING:
- *length = enc->block_size;
- break;
+ return ktp->enc->block_size;
case KRB5_CRYPTO_TYPE_TRAILER:
- *length = 0;
- break;
+ return 0;
case KRB5_CRYPTO_TYPE_CHECKSUM:
- *length = hash->hashsize;
- break;
+ return ktp->hash->hashsize;
default:
assert(0 && "invalid cryptotype passed to krb5int_old_crypto_length");
- break;
+ return 0;
}
-
- return 0;
}
-static krb5_error_code
-krb5int_old_encrypt_iov(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage usage,
- const krb5_data *ivec, krb5_crypto_iov *data,
- size_t num_data)
+krb5_error_code
+krb5int_old_encrypt(const struct krb5_keytypes *ktp, krb5_key key,
+ krb5_keyusage usage, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
{
+ const struct krb5_enc_provider *enc = ktp->enc;
+ const struct krb5_hash_provider *hash = ktp->hash;
krb5_error_code ret;
krb5_crypto_iov *header, *trailer, *padding;
krb5_data checksum, confounder, crcivec = empty_data();
ivec = &crcivec;
}
- ret = enc->encrypt_iov(key, ivec, data, num_data);
+ ret = enc->encrypt(key, ivec, data, num_data);
if (ret != 0)
goto cleanup;
return ret;
}
-static krb5_error_code
-krb5int_old_decrypt_iov(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage usage,
- const krb5_data *ivec, krb5_crypto_iov *data,
- size_t num_data)
+krb5_error_code
+krb5int_old_decrypt(const struct krb5_keytypes *ktp, krb5_key key,
+ krb5_keyusage usage, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
{
+ const struct krb5_enc_provider *enc = ktp->enc;
+ const struct krb5_hash_provider *hash = ktp->hash;
krb5_error_code ret;
krb5_crypto_iov *header, *trailer;
krb5_data checksum, crcivec = empty_data();
}
/* Decrypt the ciphertext. */
- ret = enc->decrypt_iov(key, ivec, data, num_data);
+ ret = enc->decrypt(key, ivec, data, num_data);
if (ret != 0)
goto cleanup;
zapfree(saved_checksum, hash->hashsize);
return ret;
}
-
-const struct krb5_aead_provider krb5int_aead_old = {
- krb5int_old_crypto_length,
- krb5int_old_encrypt_iov,
- krb5int_old_decrypt_iov
-};
+++ /dev/null
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright (C) 1998 by the FundsXpress, INC.
- *
- * All rights reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of FundsXpress. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. FundsXpress makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#include "k5-int.h"
-#include "old.h"
-
-krb5_error_code
-krb5int_old_decrypt(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key,
- krb5_keyusage usage,
- const krb5_data *ivec,
- const krb5_data *input,
- krb5_data *arg_output)
-{
- krb5_error_code ret;
- size_t blocksize, hashsize, plainsize;
- unsigned char *cksumdata, *cn;
- krb5_data output, cksum, crcivec;
- int alloced;
-
- blocksize = enc->block_size;
- hashsize = hash->hashsize;
-
- plainsize = input->length - blocksize - hashsize;
-
- if (arg_output->length < plainsize)
- return(KRB5_BAD_MSIZE);
-
- /* if there's enough space to work in the app buffer, use it,
- otherwise allocate our own */
-
- if ((cksumdata = (unsigned char *) malloc(hashsize)) == NULL)
- return(ENOMEM);
-
- if (arg_output->length < input->length) {
- output.length = input->length;
-
- if ((output.data = (char *) malloc(output.length)) == NULL) {
- free(cksumdata);
- return(ENOMEM);
- }
-
- alloced = 1;
- } else {
- output.length = input->length;
-
- output.data = arg_output->data;
-
- alloced = 0;
- }
-
- /* decrypt it */
-
- /* save last ciphertext block in case we decrypt in place */
- if (ivec != NULL && ivec->length == blocksize) {
- cn = malloc(blocksize);
- if (cn == NULL) {
- ret = ENOMEM;
- goto cleanup;
- }
- memcpy(cn, input->data + input->length - blocksize, blocksize);
- } else
- cn = NULL;
-
- /* XXX this is gross, but I don't have much choice */
- if ((key->keyblock.enctype == ENCTYPE_DES_CBC_CRC) && (ivec == 0)) {
- crcivec.length = key->keyblock.length;
- crcivec.data = (char *) key->keyblock.contents;
- ivec = &crcivec;
- }
-
- if ((ret = ((*(enc->decrypt))(key, ivec, input, &output))))
- goto cleanup;
-
- /* verify the checksum */
-
- memcpy(cksumdata, output.data+blocksize, hashsize);
- memset(output.data+blocksize, 0, hashsize);
-
- cksum.length = hashsize;
- cksum.data = output.data+blocksize;
-
- if ((ret = ((*(hash->hash))(1, &output, &cksum))))
- goto cleanup;
-
- if (memcmp(cksum.data, cksumdata, cksum.length) != 0) {
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
- goto cleanup;
- }
-
- /* copy the plaintext around */
-
- if (alloced) {
- memcpy(arg_output->data, output.data+blocksize+hashsize,
- plainsize);
- } else {
- memmove(arg_output->data, arg_output->data+blocksize+hashsize,
- plainsize);
- }
- arg_output->length = plainsize;
-
- /* update ivec */
- if (cn != NULL)
- memcpy(ivec->data, cn, blocksize);
-
- ret = 0;
-
-cleanup:
- if (alloced) {
- memset(output.data, 0, output.length);
- free(output.data);
- }
-
- if (cn != NULL)
- free(cn);
- memset(cksumdata, 0, hashsize);
- free(cksumdata);
- return(ret);
-}
+++ /dev/null
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright (C) 1998 by the FundsXpress, INC.
- *
- * All rights reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of FundsXpress. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. FundsXpress makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#include "k5-int.h"
-#include "old.h"
-
-void
-krb5int_old_encrypt_length(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- size_t inputlen,
- size_t *length)
-{
- size_t blocksize, hashsize;
-
- blocksize = enc->block_size;
- hashsize = hash->hashsize;
-
- *length = krb5_roundup(blocksize+hashsize+inputlen, blocksize);
-}
-
-krb5_error_code
-krb5int_old_encrypt(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key,
- krb5_keyusage usage,
- const krb5_data *ivec,
- const krb5_data *input,
- krb5_data *output)
-{
- krb5_error_code ret;
- size_t blocksize, hashsize, enclen;
- krb5_data datain, crcivec;
- int real_ivec;
-
- blocksize = enc->block_size;
- hashsize = hash->hashsize;
-
- krb5int_old_encrypt_length(enc, hash, input->length, &enclen);
-
- if (output->length < enclen)
- return(KRB5_BAD_MSIZE);
-
- output->length = enclen;
-
- /* fill in confounded, padded, plaintext buffer with zero checksum */
-
- memset(output->data, 0, output->length);
-
- datain.length = blocksize;
- datain.data = output->data;
-
- if ((ret = krb5_c_random_make_octets(/* XXX */ 0, &datain)))
- return(ret);
- memcpy(output->data+blocksize+hashsize, input->data, input->length);
-
- /* compute the checksum */
-
- datain.length = hashsize;
- datain.data = output->data+blocksize;
-
- if ((ret = ((*(hash->hash))(1, output, &datain))))
- goto cleanup;
-
- /* encrypt it */
-
- /* XXX this is gross, but I don't have much choice */
- if ((key->keyblock.enctype == ENCTYPE_DES_CBC_CRC) && (ivec == 0)) {
- crcivec.length = key->keyblock.length;
- crcivec.data = (char *) key->keyblock.contents;
- ivec = &crcivec;
- real_ivec = 0;
- } else
- real_ivec = 1;
-
- if ((ret = ((*(enc->encrypt))(key, ivec, output, output))))
- goto cleanup;
-
- /* update ivec */
- if (real_ivec && ivec != NULL && ivec->length == blocksize)
- memcpy(ivec->data, output->data + output->length - blocksize,
- blocksize);
-cleanup:
- if (ret)
- memset(output->data, 0, output->length);
-
- return(ret);
-}
output->magic = KV5M_DATA;
if (ktp->prf_length != output->length)
return KRB5_CRYPTO_INTERNAL;
- ret = (*ktp->prf)(ktp->enc, ktp->hash, key, input, output);
+ ret = ktp->prf(ktp, key, input, output);
return ret;
}
des_prf.so des_prf.po $(OUTPRE)des_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../builtin/hash_provider/hash_provider.h \
- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- des_prf.c prf_int.h
+ $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
+ $(top_srcdir)/include/socket-utils.h des_prf.c prf_int.h
dk_prf.so dk_prf.po $(OUTPRE)dk_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../dk/dk.h \
- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- dk_prf.c prf_int.h
+ $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
+ $(top_srcdir)/include/socket-utils.h dk_prf.c prf_int.h
rc4_prf.so rc4_prf.po $(OUTPRE)rc4_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../builtin/hash_provider/hash_provider.h \
- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- prf_int.h rc4_prf.c
+ $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
+ $(top_srcdir)/include/socket-utils.h prf_int.h rc4_prf.c
#include "hash_provider/hash_provider.h"
krb5_error_code
-krb5int_des_prf (const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, const krb5_data *in, krb5_data *out)
+krb5int_des_prf(const struct krb5_keytypes *ktp, krb5_key key,
+ const krb5_data *in, krb5_data *out)
{
- krb5_data tmp;
- krb5_error_code ret = 0;
+ const struct krb5_hash_provider *hash = &krb5int_hash_md5;
+ krb5_crypto_iov iov;
+ krb5_error_code ret;
- hash = &krb5int_hash_md5; /* MD5 is always used. */
- tmp.length = hash->hashsize;
- tmp.data = malloc(hash->hashsize);
- if (tmp.data == NULL)
- return ENOMEM;
- ret = hash->hash(1, in, &tmp);
- if (ret == 0)
- ret = enc->encrypt(key, NULL, &tmp, out);
- free(tmp.data);
- return ret;
+ iov.flags = KRB5_CRYPTO_TYPE_DATA;
+ iov.data = *out;
+
+ /* Hash the input into the output buffer, then encrypt it in place. */
+ ret = hash->hash(1, in, out);
+ if (ret != 0)
+ return ret;
+ return ktp->enc->encrypt(key, NULL, &iov, 1);
}
#include <dk.h>
krb5_error_code
-krb5int_dk_prf (const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, const krb5_data *in, krb5_data *out)
+krb5int_dk_prf(const struct krb5_keytypes *ktp, krb5_key key,
+ const krb5_data *in, krb5_data *out)
{
- krb5_data tmp;
- krb5_data prfconst;
+ const struct krb5_enc_provider *enc = ktp->enc;
+ const struct krb5_hash_provider *hash = ktp->hash;
+ krb5_crypto_iov iov;
+ krb5_data prfconst = make_data("prf", 3);
krb5_key kp = NULL;
- krb5_error_code ret = 0;
+ krb5_error_code ret;
- prfconst.data = (char *) "prf";
- prfconst.length = 3;
- tmp.length = hash->hashsize;
- tmp.data = malloc(hash->hashsize);
- if (tmp.data == NULL)
- return ENOMEM;
- hash->hash(1, in, &tmp);
- tmp.length = (tmp.length/enc->block_size)*enc->block_size; /*truncate to block size*/
- ret = krb5int_derive_key(enc, key, &kp, &prfconst);
- if (ret == 0)
- ret = enc->encrypt(kp, NULL, &tmp, out);
+ /* Hash the input data into an allocated buffer. */
+ iov.flags = KRB5_CRYPTO_TYPE_DATA;
+ ret = alloc_data(&iov.data, hash->hashsize);
+ if (ret != 0)
+ return ret;
+ ret = hash->hash(1, in, &iov.data);
+ if (ret != 0)
+ goto cleanup;
+
+ /* Truncate the hash to the closest multiple of the block size. */
+ iov.data.length = (iov.data.length / enc->block_size) * enc->block_size;
+
+ /* Derive a key using the PRF constant. */
+ ret = krb5int_derive_key(ktp->enc, key, &kp, &prfconst);
+ if (ret != 0)
+ goto cleanup;
+
+ /* Encrypt the truncated hash in the derived key to get the output. */
+ ret = ktp->enc->encrypt(kp, NULL, &iov, 1);
+ if (ret != 0)
+ goto cleanup;
+ memcpy(out->data, iov.data.data, out->length);
+
+cleanup:
+ zapfree(iov.data.data, hash->hashsize);
krb5_k_free_key(NULL, kp);
- free (tmp.data);
return ret;
}
#define PRF_INTERNAL_DEFS
#include "k5-int.h"
+#include "etypes.h"
krb5_error_code
-krb5int_arcfour_prf(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, const krb5_data *in, krb5_data *out);
+krb5int_arcfour_prf(const struct krb5_keytypes *ktp, krb5_key key,
+ const krb5_data *in, krb5_data *out);
krb5_error_code
-krb5int_des_prf (const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, const krb5_data *in, krb5_data *out);
+krb5int_des_prf(const struct krb5_keytypes *ktp, krb5_key key,
+ const krb5_data *in, krb5_data *out);
krb5_error_code
-krb5int_dk_prf(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, const krb5_data *in, krb5_data *out);
+krb5int_dk_prf(const struct krb5_keytypes *ktp, krb5_key key,
+ const krb5_data *in, krb5_data *out);
#endif /*PRF_INTERNAL_DEFS*/
#include <hash_provider/hash_provider.h>
krb5_error_code
-krb5int_arcfour_prf(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, const krb5_data *in, krb5_data *out)
+krb5int_arcfour_prf(const struct krb5_keytypes *ktp, krb5_key key,
+ const krb5_data *in, krb5_data *out)
{
assert(out->length == 20);
return krb5int_hmac(&krb5int_hash_sha1, key, 1, in, out);
RUN_SETUP = @KRB5_RUN_ENV@ KRB5_CONFIG=$(top_srcdir)/config-files/krb5.conf
-STLIBOBJS= raw_decrypt.o raw_encrypt.o raw_aead.o
+STLIBOBJS= raw_aead.o
-OBJS= $(OUTPRE)raw_decrypt.$(OBJEXT) $(OUTPRE)raw_encrypt.$(OBJEXT) $(OUTPRE)raw_aead.$(OBJEXT)
+OBJS= $(OUTPRE)raw_aead.$(OBJEXT)
-SRCS= $(srcdir)/raw_decrypt.c $(srcdir)/raw_encrypt.c $(srcdir)/raw_aead.c
+SRCS= $(srcdir)/raw_aead.c
##DOS##LIBOBJS = $(OBJS)
#
# Generated makefile dependencies follow.
#
-raw_decrypt.so raw_decrypt.po $(OUTPRE)raw_decrypt.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- raw.h raw_decrypt.c
-raw_encrypt.so raw_encrypt.po $(OUTPRE)raw_encrypt.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- raw.h raw_encrypt.c
raw_aead.so raw_aead.po $(OUTPRE)raw_aead.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
$(COM_ERR_DEPS) $(srcdir)/../aead.h $(srcdir)/../cksumtypes.h \
- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- raw.h raw_aead.c
+ $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
+ $(top_srcdir)/include/socket-utils.h raw.h raw_aead.c
*/
#include "k5-int.h"
+#include "etypes.h"
-void krb5_raw_encrypt_length(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- size_t input, size_t *length);
+unsigned int
+krb5int_raw_crypto_length(const struct krb5_keytypes *ktp,
+ krb5_cryptotype type);
-krb5_error_code krb5int_raw_encrypt(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage usage,
- const krb5_data *ivec,
- const krb5_data *input,
- krb5_data *output);
+krb5_error_code
+krb5int_raw_encrypt(const struct krb5_keytypes *ktp, krb5_key key,
+ krb5_keyusage usage, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data);
-krb5_error_code krb5int_raw_decrypt(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage usage,
- const krb5_data *ivec,
- const krb5_data *input,
- krb5_data *arg_output);
-
-extern const struct krb5_aead_provider krb5int_aead_raw;
+krb5_error_code
+krb5int_raw_decrypt(const struct krb5_keytypes *ktp, krb5_key key,
+ krb5_keyusage usage, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data);
#include "raw.h"
#include "aead.h"
-/* AEAD */
-
-static krb5_error_code
-krb5int_raw_crypto_length(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_cryptotype type,
- unsigned int *length)
+unsigned int
+krb5int_raw_crypto_length(const struct krb5_keytypes *ktp,
+ krb5_cryptotype type)
{
switch (type) {
case KRB5_CRYPTO_TYPE_PADDING:
- *length = enc->block_size;
- break;
+ return ktp->enc->block_size;
default:
- *length = 0;
- break;
+ return 0;
}
-
- return 0;
}
-static krb5_error_code
-krb5int_raw_encrypt_iov(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key,
- krb5_keyusage usage,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+krb5_error_code
+krb5int_raw_encrypt(const struct krb5_keytypes *ktp, krb5_key key,
+ krb5_keyusage usage, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
{
- krb5_error_code ret;
krb5_crypto_iov *padding;
size_t i;
- unsigned int blocksize = 0;
- unsigned int plainlen = 0;
- unsigned int padsize = 0;
+ unsigned int blocksize, plainlen = 0, padsize = 0;
- ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING, &blocksize);
- if (ret != 0)
- return ret;
+ blocksize = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_PADDING);
for (i = 0; i < num_data; i++) {
krb5_crypto_iov *iov = &data[i];
padding->data.length = padsize;
}
- assert(enc->encrypt_iov != NULL);
-
- ret = enc->encrypt_iov(key, ivec, data, num_data); /* will update ivec */
-
- return ret;
+ return ktp->enc->encrypt(key, ivec, data, num_data);
}
-static krb5_error_code
-krb5int_raw_decrypt_iov(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key,
- krb5_keyusage usage,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+krb5_error_code
+krb5int_raw_decrypt(const struct krb5_keytypes *ktp, krb5_key key,
+ krb5_keyusage usage, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
{
- krb5_error_code ret;
size_t i;
- unsigned int blocksize = 0; /* careful, this is enc block size not confounder len */
+ unsigned int blocksize = 0; /* enc block size, not confounder len */
unsigned int cipherlen = 0;
/* E(Confounder | Plaintext | Pad) | Checksum */
- ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING, &blocksize);
- if (ret != 0)
- return ret;
+ blocksize = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_PADDING);
for (i = 0; i < num_data; i++) {
const krb5_crypto_iov *iov = &data[i];
if (blocksize == 0) {
/* Check for correct input length in CTS mode */
- if (enc->block_size != 0 && cipherlen < enc->block_size)
+ if (ktp->enc->block_size != 0 && cipherlen < ktp->enc->block_size)
return KRB5_BAD_MSIZE;
} else {
/* Check that the input data is correctly padded */
- if ((cipherlen % blocksize) != 0)
+ if (cipherlen % blocksize != 0)
return KRB5_BAD_MSIZE;
}
- /* Validate header and trailer lengths */
-
- /* derive the keys */
-
- /* decrypt the plaintext (header | data | padding) */
- assert(enc->decrypt_iov != NULL);
-
- ret = enc->decrypt_iov(key, ivec, data, num_data); /* will update ivec */
-
- return ret;
+ return ktp->enc->decrypt(key, ivec, data, num_data);
}
-
-const struct krb5_aead_provider krb5int_aead_raw = {
- krb5int_raw_crypto_length,
- krb5int_raw_encrypt_iov,
- krb5int_raw_decrypt_iov
-};
+++ /dev/null
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright (C) 1998 by the FundsXpress, INC.
- *
- * All rights reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of FundsXpress. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. FundsXpress makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#include "k5-int.h"
-#include "raw.h"
-
-krb5_error_code
-krb5int_raw_decrypt(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage usage,
- const krb5_data *ivec, const krb5_data *input,
- krb5_data *output)
-{
- return((*(enc->decrypt))(key, ivec, input, output));
-}
+++ /dev/null
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright (C) 1998 by the FundsXpress, INC.
- *
- * All rights reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of FundsXpress. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. FundsXpress makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#include "k5-int.h"
-#include "raw.h"
-
-void
-krb5_raw_encrypt_length(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- size_t inputlen, size_t *length)
-{
- size_t blocksize;
-
- blocksize = enc->block_size;
-
- *length = krb5_roundup(inputlen, blocksize);
-}
-
-krb5_error_code
-krb5int_raw_encrypt(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage usage,
- const krb5_data *ivec, const krb5_data *input,
- krb5_data *output)
-{
- return((*(enc->encrypt))(key, ivec, input, output));
-}
key->enctype = enctype;
key->length = keylength;
- ret = (*ktp->str2key)(ktp->enc, string, salt, params, key);
+ ret = (*ktp->str2key)(ktp, string, salt, params, key);
if (ret) {
zapfree(key->contents, keylength);
key->length = 0;
#include "assert.h"
int
-krb5int_yarrow_cipher_init
-(CIPHER_CTX *ctx,
- unsigned const char * key)
+krb5int_yarrow_cipher_init(CIPHER_CTX *ctx, unsigned const char * key)
{
size_t keybytes, keylength;
const struct krb5_enc_provider *enc = &yarrow_enc_provider;
return YARROW_OK;
}
-int krb5int_yarrow_cipher_encrypt_block
-(CIPHER_CTX *ctx, const unsigned char *in,
- unsigned char *out)
+int krb5int_yarrow_cipher_encrypt_block(CIPHER_CTX *ctx,
+ const unsigned char *in,
+ unsigned char *out)
{
krb5_error_code ret;
- krb5_data ind, outd;
+ krb5_crypto_iov iov;
const struct krb5_enc_provider *enc = &yarrow_enc_provider;
- ind.data = (char *) in;
- ind.length = CIPHER_BLOCK_SIZE;
- outd.data = (char *) out;
- outd.length = CIPHER_BLOCK_SIZE;
- ret = enc->encrypt(ctx->key, 0, &ind, &outd);
- if (ret)
- return YARROW_FAIL;
- return YARROW_OK;
+
+ memcpy(out, in, CIPHER_BLOCK_SIZE);
+ iov.flags = KRB5_CRYPTO_TYPE_DATA;
+ iov.data = make_data(out, CIPHER_BLOCK_SIZE);
+ ret = enc->encrypt(ctx->key, 0, &iov, 1);
+ return (ret == 0) ? YARROW_OK : YARROW_FAIL;
}
void
-krb5int_yarrow_cipher_final
-(CIPHER_CTX *ctx)
-
+krb5int_yarrow_cipher_final(CIPHER_CTX *ctx)
{
krb5_k_free_key(NULL, ctx->key);
ctx->key = NULL;
depend:: $(SRCS)
clean-unix:: clean-libobjs
-check-unix:: t_cf2
- $(RUN_SETUP) $(VALGRIND) ./t_cf2 <$(srcdir)/t_cf2.in >t_cf2.output
- diff t_cf2.output $(srcdir)/t_cf2.expected
-
-t_cf2$(EXEEXT): t_cf2.$(OBJEXT) $(SUPPORT_DEPLIB)
- $(CC_LINK) -o $@ t_cf2.$(OBJEXT) -lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB)
-
-clean::
- $(RM) t_cf2 t_cf2.o t_cf2.output
-
-
-
all-windows::
cd ..\des
+# Nothing here! But we can't remove this directory as the build
+# system currently assumes that all modules have the same directory
+# structure.
+
mydir=lib/crypto/openssl/aes
BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../../krb/dk -I$(srcdir)/../../../../include
PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
-STLIBOBJS=\
- aes_s2k.o
+STLIBOBJS=
-OBJS=\
- $(OUTPRE)aes_s2k.$(OBJEXT)
+OBJS=
-SRCS=\
- $(srcdir)/aes_s2k.c
+SRCS=
##DOS##LIBOBJS = $(OBJS)
+++ /dev/null
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * lib/crypto/openssl/aes/aes_s2k.c
- *
- * Copyright 2003, 2009 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * krb5int_aes_string_to_key
- */
-
-#include "k5-int.h"
-#include "dk.h"
-#include "aes_s2k.h"
-
-#define DEFAULT_ITERATION_COUNT 4096 /* was 0xb000L in earlier drafts */
-#define MAX_ITERATION_COUNT 0x1000000L
-
-krb5_error_code
-krb5int_aes_string_to_key(const struct krb5_enc_provider *enc,
- const krb5_data *string,
- const krb5_data *salt,
- const krb5_data *params,
- krb5_keyblock *key)
-{
- unsigned long iter_count;
- krb5_data out;
- static const krb5_data usage = { KV5M_DATA, 8, "kerberos" };
- krb5_key tempkey = NULL;
- krb5_error_code err;
-
- if (params) {
- unsigned char *p = (unsigned char *) params->data;
- if (params->length != 4)
- return KRB5_ERR_BAD_S2K_PARAMS;
- /* The first two need casts in case 'int' is 16 bits. */
- iter_count = load_32_be(p);
- if (iter_count == 0) {
- iter_count = (1UL << 16) << 16;
- if (((iter_count >> 16) >> 16) != 1)
- return KRB5_ERR_BAD_S2K_PARAMS;
- }
- } else
- iter_count = DEFAULT_ITERATION_COUNT;
-
- /* This is not a protocol specification constraint; this is an
- implementation limit, which should eventually be controlled by
- a config file. */
- if (iter_count >= MAX_ITERATION_COUNT)
- return KRB5_ERR_BAD_S2K_PARAMS;
-
- /* Use the output keyblock contents for temporary space. */
- out.data = (char *) key->contents;
- out.length = key->length;
- if (out.length != 16 && out.length != 32)
- return KRB5_CRYPTO_INTERNAL;
-
- err = krb5int_pbkdf2_hmac_sha1 (&out, iter_count, string, salt);
- if (err)
- goto cleanup;
-
- err = krb5_k_create_key (NULL, key, &tempkey);
- if (err)
- goto cleanup;
-
- err = krb5int_derive_keyblock (enc, tempkey, key, &usage);
-
-cleanup:
- if (err)
- memset (out.data, 0, out.length);
- krb5_k_free_key (NULL, tempkey);
- return err;
-}
+++ /dev/null
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * lib/crypto/openssl/aes/aes_s2k.h
- */
-
-
-extern krb5_error_code
-krb5int_aes_string_to_key (const struct krb5_enc_provider *,
- const krb5_data *, const krb5_data *,
- const krb5_data *, krb5_keyblock *key);
-#
-# Generated makefile dependencies follow.
-#
-aes_s2k.so aes_s2k.po $(OUTPRE)aes_s2k.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/dk/dk.h \
- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- aes_s2k.c aes_s2k.h
+# No dependencies here.
hmac.so hmac.po $(OUTPRE)hmac.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../krb/aead.h \
- $(srcdir)/../krb/cksumtypes.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
- $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h hmac.c
+ $(srcdir)/../krb/cksumtypes.h $(srcdir)/../krb/etypes.h \
+ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ hmac.c
pbkdf2.so pbkdf2.po $(OUTPRE)pbkdf2.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/hash_provider/hash_provider.h \
/* proto's */
static krb5_error_code
-cts_enc(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output);
+cbc_enc(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
+ size_t num_data);
static krb5_error_code
-cbc_enc(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output);
+cbc_decr(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
+ size_t num_data);
static krb5_error_code
-cts_decr(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output);
+cts_encr(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
+ size_t num_data, size_t dlen);
static krb5_error_code
-cbc_decr(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output);
-static krb5_error_code
-cts_encr_iov(krb5_key key, const krb5_data *ivec,
- krb5_crypto_iov *data, size_t num_data, size_t dlen);
-static krb5_error_code
-cts_decr_iov(krb5_key key, const krb5_data *ivec,
- krb5_crypto_iov *data, size_t num_data, size_t dlen);
+cts_decr(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
+ size_t num_data, size_t dlen);
#define BLOCK_SIZE 16
#define NUM_BITS 8
return NULL;
}
+/* Encrypt one block using CBC. */
static krb5_error_code
-cbc_enc(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output)
+cbc_enc(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
+ size_t num_data)
{
- int ret = 0, tmp_len = 0;
- unsigned char *tmp_buf = NULL;
+ int ret, olen = BLOCK_SIZE;
+ unsigned char iblock[BLOCK_SIZE], oblock[BLOCK_SIZE];
EVP_CIPHER_CTX ciph_ctx;
-
- tmp_len = input->length;
- tmp_buf = OPENSSL_malloc(input->length);
- if (!tmp_buf){
- return ENOMEM;
- }
+ struct iov_block_state input_pos, output_pos;
EVP_CIPHER_CTX_init(&ciph_ctx);
-
ret = EVP_EncryptInit_ex(&ciph_ctx, map_mode(key->keyblock.length),
NULL, key->keyblock.contents, (ivec) ? (unsigned char*)ivec->data : NULL);
+ if (ret == 0)
+ return KRB5_CRYPTO_INTERNAL;
- if (ret == 1){
- EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
- ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
- (unsigned char *)input->data, input->length);
- output->length = tmp_len;
- if(ret)
- ret = EVP_EncryptFinal_ex(&ciph_ctx,tmp_buf+tmp_len,&tmp_len);
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
+ krb5int_c_iov_get_block(iblock, BLOCK_SIZE, data, num_data, &input_pos);
+ EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
+ ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &olen, iblock, BLOCK_SIZE);
+ if (ret == 1) {
+ krb5int_c_iov_put_block(data, num_data, oblock, BLOCK_SIZE,
+ &output_pos);
}
-
EVP_CIPHER_CTX_cleanup(&ciph_ctx);
- if (ret == 1){
- memcpy(output->data, tmp_buf, output->length);
- ret = 0;
- } else {
- ret = KRB5_CRYPTO_INTERNAL;
- }
-
- memset(tmp_buf, 0, input->length);
- OPENSSL_free(tmp_buf);
-
- return ret;
+ zap(iblock, BLOCK_SIZE);
+ zap(oblock, BLOCK_SIZE);
+ return (ret == 1) ? 0 : KRB5_CRYPTO_INTERNAL;
}
+/* Decrypt one block using CBC. */
static krb5_error_code
-cbc_decr(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output)
+cbc_decr(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
+ size_t num_data)
{
- int ret = 0, tmp_len = 0;
- unsigned char *tmp_buf = NULL;
+ int ret = 0, olen = BLOCK_SIZE;
+ unsigned char iblock[BLOCK_SIZE], oblock[BLOCK_SIZE];
EVP_CIPHER_CTX ciph_ctx;
-
- tmp_len = input->length;
- tmp_buf = OPENSSL_malloc(input->length);
- if (!tmp_buf){
- return ENOMEM;
- }
+ struct iov_block_state input_pos, output_pos;
EVP_CIPHER_CTX_init(&ciph_ctx);
-
ret = EVP_DecryptInit_ex(&ciph_ctx, map_mode(key->keyblock.length),
NULL, key->keyblock.contents, (ivec) ? (unsigned char*)ivec->data : NULL);
- if (ret == 1) {
- EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
- ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
- (unsigned char *)input->data, input->length);
- output->length = tmp_len;
- if (ret == 1)
- ret = EVP_DecryptFinal_ex(&ciph_ctx,tmp_buf+tmp_len,&tmp_len);
- }
-
- EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+ if (ret == 0)
+ return KRB5_CRYPTO_INTERNAL;
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
+ krb5int_c_iov_get_block(iblock, BLOCK_SIZE, data, num_data, &input_pos);
+ EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
+ ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &olen, iblock, BLOCK_SIZE);
if (ret == 1) {
- output->length += tmp_len;
- memcpy(output->data, tmp_buf, output->length);
- ret = 0;
- } else {
- ret = KRB5_CRYPTO_INTERNAL;
- }
-
- memset(tmp_buf, 0, input->length);
- OPENSSL_free(tmp_buf);
-
- return ret;
-}
-
-static krb5_error_code
-cts_enc(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output)
-{
- int ret = 0, tmp_len = 0;
- size_t size = 0;
- unsigned char iv_cts[IV_CTS_BUF_SIZE];
- unsigned char *tmp_buf = NULL;
- AES_KEY enck;
-
- memset(iv_cts,0,sizeof(iv_cts));
- if (ivec && ivec->data){
- if (ivec->length != sizeof(iv_cts))
- return KRB5_CRYPTO_INTERNAL;
- memcpy(iv_cts, ivec->data,ivec->length);
- }
-
- tmp_buf = OPENSSL_malloc(input->length);
- if (!tmp_buf)
- return ENOMEM;
- tmp_len = input->length;
-
- AES_set_encrypt_key(key->keyblock.contents,
- NUM_BITS * key->keyblock.length, &enck);
-
- size = CRYPTO_cts128_encrypt((unsigned char *)input->data, tmp_buf,
- input->length, &enck,
- iv_cts, (cbc128_f)AES_cbc_encrypt);
- if (size <= 0 || output->length < size) {
- ret = KRB5_CRYPTO_INTERNAL;
- } else {
- output->length = size;
- memcpy(output->data, tmp_buf, output->length);
- ret = 0;
- }
-
- if (!ret && ivec && ivec->data)
- memcpy(ivec->data, iv_cts, sizeof(iv_cts));
-
- memset(tmp_buf, 0, input->length);
- OPENSSL_free(tmp_buf);
-
- return ret;
-}
-
-static krb5_error_code
-cts_decr(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output)
-{
- int ret = 0, tmp_len = 0;
- size_t size = 0;
- unsigned char iv_cts[IV_CTS_BUF_SIZE];
- unsigned char *tmp_buf = NULL;
- AES_KEY deck;
-
- memset(iv_cts,0,sizeof(iv_cts));
- if (ivec && ivec->data){
- if (ivec->length != sizeof(iv_cts))
- return KRB5_CRYPTO_INTERNAL;
- memcpy(iv_cts, ivec->data,ivec->length);
+ krb5int_c_iov_put_block(data, num_data, oblock, BLOCK_SIZE,
+ &output_pos);
}
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
- tmp_buf = OPENSSL_malloc(input->length);
- if (!tmp_buf)
- return ENOMEM;
- tmp_len = input->length;
-
- AES_set_decrypt_key(key->keyblock.contents,
- NUM_BITS * key->keyblock.length, &deck);
-
- size = CRYPTO_cts128_decrypt((unsigned char *)input->data, tmp_buf,
- input->length, &deck,
- iv_cts, (cbc128_f)AES_cbc_encrypt);
- if (size <= 0 || output->length < size) {
- ret = KRB5_CRYPTO_INTERNAL;
- } else {
- output->length = size + 16;
- memcpy(output->data, tmp_buf, output->length);
- ret = 0;
- }
-
- if (!ret && ivec && ivec->data)
- memcpy(ivec->data, iv_cts, sizeof(iv_cts));
-
- memset(tmp_buf, 0, input->length);
- OPENSSL_free(tmp_buf);
-
- return ret;
+ zap(iblock, BLOCK_SIZE);
+ zap(oblock, BLOCK_SIZE);
+ return (ret == 1) ? 0 : KRB5_CRYPTO_INTERNAL;
}
static krb5_error_code
-cts_encr_iov(krb5_key key,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data, size_t dlen)
+cts_encr(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
+ size_t num_data, size_t dlen)
{
int ret = 0;
- int oblock_len = BLOCK_SIZE * num_data;
- size_t size = 0, tlen = 0;
+ size_t size = 0;
unsigned char *oblock = NULL, *dbuf = NULL;
unsigned char iv_cts[IV_CTS_BUF_SIZE];
- unsigned char iblock[BLOCK_SIZE];
struct iov_block_state input_pos, output_pos;
AES_KEY enck;
memcpy(iv_cts, ivec->data,ivec->length);
}
- oblock = OPENSSL_malloc(oblock_len);
+ oblock = OPENSSL_malloc(dlen);
if (!oblock){
return ENOMEM;
}
return ENOMEM;
}
- memset(oblock, 0, oblock_len);
- memset(dbuf, 0, dlen);
-
IOV_BLOCK_STATE_INIT(&input_pos);
IOV_BLOCK_STATE_INIT(&output_pos);
- tlen = 0;
- for (;;) {
- if (krb5int_c_iov_get_block(iblock, BLOCK_SIZE,
- data, num_data, &input_pos)){
- memcpy(dbuf+tlen,iblock, BLOCK_SIZE);
-
- tlen += BLOCK_SIZE;
- } else {
- memcpy(dbuf+tlen,iblock, dlen - tlen);
- break;
- }
-
- if (tlen > dlen) break;
- }
+ krb5int_c_iov_get_block(dbuf, dlen, data, num_data, &input_pos);
AES_set_encrypt_key(key->keyblock.contents,
NUM_BITS * key->keyblock.length, &enck);
if (!ret && ivec && ivec->data)
memcpy(ivec->data, iv_cts, sizeof(iv_cts));
- memset(oblock,0,oblock_len);
- memset(dbuf,0,dlen);
+ zap(oblock, dlen);
+ zap(dbuf, dlen);
OPENSSL_free(oblock);
OPENSSL_free(dbuf);
}
static krb5_error_code
-cts_decr_iov(krb5_key key,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data, size_t dlen)
+cts_decr(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
+ size_t num_data, size_t dlen)
{
int ret = 0;
- int oblock_len = BLOCK_SIZE*num_data;
- size_t size = 0, tlen = 0;
+ size_t size = 0;
unsigned char *oblock = NULL;
unsigned char *dbuf = NULL;
- unsigned char iblock[BLOCK_SIZE];
unsigned char iv_cts[IV_CTS_BUF_SIZE];
struct iov_block_state input_pos, output_pos;
AES_KEY deck;
memset(iv_cts,0,sizeof(iv_cts));
if (ivec && ivec->data){
- if (ivec->length <= sizeof(iv_cts))
+ if (ivec->length != sizeof(iv_cts))
return KRB5_CRYPTO_INTERNAL;
memcpy(iv_cts, ivec->data,ivec->length);
}
IOV_BLOCK_STATE_INIT(&input_pos);
IOV_BLOCK_STATE_INIT(&output_pos);
- oblock = OPENSSL_malloc(oblock_len);
+ oblock = OPENSSL_malloc(dlen);
if (!oblock)
return ENOMEM;
dbuf = OPENSSL_malloc(dlen);
return ENOMEM;
}
- memset(oblock, 0, oblock_len);
- memset(dbuf, 0, dlen);
-
AES_set_decrypt_key(key->keyblock.contents,
NUM_BITS * key->keyblock.length, &deck);
- tlen = 0;
- for (;;) {
- if (krb5int_c_iov_get_block(iblock, BLOCK_SIZE,
- data, num_data, &input_pos)){
- memcpy(dbuf+tlen,iblock, BLOCK_SIZE);
-
- tlen += BLOCK_SIZE;
- } else {
- memcpy(dbuf+tlen,iblock, dlen - tlen);
- break;
- }
-
- if (tlen > dlen) break;
- }
+ krb5int_c_iov_get_block(dbuf, dlen, data, num_data, &input_pos);
size = CRYPTO_cts128_decrypt((unsigned char *)dbuf, oblock,
dlen, &deck,
if (!ret && ivec && ivec->data)
memcpy(ivec->data, iv_cts, sizeof(iv_cts));
- memset(oblock,0,oblock_len);
- memset(dbuf,0,dlen);
+ zap(oblock, dlen);
+ zap(dbuf, dlen);
OPENSSL_free(oblock);
OPENSSL_free(dbuf);
krb5_error_code
krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output)
-{
- int ret = 0;
-
- if (input->length <= BLOCK_SIZE){
- ret = cbc_enc(key, ivec, input, output);
- } else {
- ret = cts_enc(key, ivec, input, output);
- }
-
- return ret;
-}
-
-krb5_error_code
-krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output)
-{
- int ret = 0;
- int nblocks = 0;
-
- if (input->length < BLOCK_SIZE)
- abort();
-
- if (input->length == BLOCK_SIZE){
- ret = cbc_decr(key, ivec, input, output);
- } else {
- ret = cts_decr(key, ivec, input, output);
- }
-
- return ret;
-}
-
-static krb5_error_code
-krb5int_aes_encrypt_iov(krb5_key key,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+ krb5_crypto_iov *data, size_t num_data)
{
int ret = 0;
int nblocks = 0;
}
nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
- assert(nblocks > 1);
-
- ret = cts_encr_iov(key, ivec, data, num_data, input_length);
+ if (nblocks == 1) {
+ if (input_length != BLOCK_SIZE)
+ return KRB5_BAD_MSIZE;
+ ret = cbc_enc(key, ivec, data, num_data);
+ } else if (nblocks > 1) {
+ ret = cts_encr(key, ivec, data, num_data, input_length);
+ }
return ret;
}
-static krb5_error_code
-krb5int_aes_decrypt_iov(krb5_key key,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+krb5_error_code
+krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
{
int ret = 0;
int nblocks = 0;
}
nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
-
- assert(nblocks > 1);
-
- ret = cts_decr_iov(key, ivec, data, num_data, input_length);
+ if (nblocks == 1) {
+ if (input_length != BLOCK_SIZE)
+ return KRB5_BAD_MSIZE;
+ ret = cbc_enc(key, ivec, data, num_data);
+ } else if (nblocks > 1) {
+ ret = cts_decr(key, ivec, data, num_data, input_length);
+ }
return ret;
}
krb5int_aes_decrypt,
krb5int_aes_make_key,
krb5int_aes_init_state,
- krb5int_default_free_state,
- krb5int_aes_encrypt_iov,
- krb5int_aes_decrypt_iov
+ krb5int_default_free_state
};
const struct krb5_enc_provider krb5int_enc_aes256 = {
krb5int_aes_decrypt,
krb5int_aes_make_key,
krb5int_aes_init_state,
- krb5int_default_free_state,
- krb5int_aes_encrypt_iov,
- krb5int_aes_decrypt_iov
+ krb5int_default_free_state
};
des.so des.po $(OUTPRE)des.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \
- $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/rand2key/rand2key.h \
- $(srcdir)/../des/des_int.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
- $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h des.c
+ $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/etypes.h \
+ $(srcdir)/../../krb/rand2key/rand2key.h $(srcdir)/../des/des_int.h \
+ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ des.c
des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \
- $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/rand2key/rand2key.h \
- $(srcdir)/../des/des_int.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
- $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h des3.c
+ $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/etypes.h \
+ $(srcdir)/../../krb/rand2key/rand2key.h $(srcdir)/../des/des_int.h \
+ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ des3.c
aes.so aes.po $(OUTPRE)aes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \
- $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/rand2key/rand2key.h \
- $(srcdir)/../hash_provider/hash_provider.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
- $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h aes.c enc_provider.h
-rc4.so rc4.po $(OUTPRE)rc4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \
- $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/rand2key/rand2key.h \
+ $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/etypes.h \
+ $(srcdir)/../../krb/rand2key/rand2key.h $(srcdir)/../hash_provider/hash_provider.h \
$(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
$(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
$(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
$(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
$(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
$(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- rc4.c
+ aes.c enc_provider.h
+rc4.so rc4.po $(OUTPRE)rc4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \
+ $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/etypes.h \
+ $(srcdir)/../../krb/rand2key/rand2key.h $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
+ $(top_srcdir)/include/socket-utils.h rc4.c
static krb5_error_code
validate(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, const krb5_data *output)
-{
- /* key->keyblock.enctype was checked by the caller */
- if (key->keyblock.length != KRB5_MIT_DES_KEYSIZE)
- return(KRB5_BAD_KEYSIZE);
- if ((input->length%8) != 0)
- return(KRB5_BAD_MSIZE);
- if (ivec && (ivec->length != 8))
- return(KRB5_BAD_MSIZE);
- if (input->length != output->length)
- return(KRB5_BAD_MSIZE);
-
- return 0;
-}
-
-static krb5_error_code
-validate_iov(krb5_key key, const krb5_data *ivec,
- const krb5_crypto_iov *data, size_t num_data)
+ const krb5_crypto_iov *data, size_t num_data)
{
size_t i, input_length;
input_length += iov->data.length;
}
- if (key->keyblock.length != KRB5_MIT_DES3_KEYSIZE)
+ if (key->keyblock.length != KRB5_MIT_DES_KEYSIZE)
return(KRB5_BAD_KEYSIZE);
if ((input_length%DES_BLOCK_SIZE) != 0)
return(KRB5_BAD_MSIZE);
}
static krb5_error_code
-k5_des_encrypt(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output)
+k5_des_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
+ size_t num_data)
{
- int ret = 0, tmp_len = 0;
- unsigned int tmp_buf_len = 0;
- unsigned char *tmp_buf = NULL;
- EVP_CIPHER_CTX ciph_ctx;
-
- ret = validate(key, ivec, input, output);
- if (ret)
- return ret;
-
- tmp_buf_len = output->length*2;
- tmp_buf=OPENSSL_malloc(tmp_buf_len);
- if (!tmp_buf)
- return ENOMEM;
- memset(tmp_buf,0,output->length);
-
- EVP_CIPHER_CTX_init(&ciph_ctx);
-
- ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL, key->keyblock.contents,
- (ivec) ? (unsigned char*)ivec->data : NULL);
- if (ret) {
- EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
- ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
- (unsigned char *)input->data, input->length);
- if (!ret || output->length < (unsigned int)tmp_len) {
- ret = KRB5_CRYPTO_INTERNAL;
- } else {
- output->length = tmp_len;
- ret = EVP_EncryptFinal_ex(&ciph_ctx, tmp_buf + tmp_len, &tmp_len);
- }
- }
-
- EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-
- if (ret == 1)
- memcpy(output->data,tmp_buf, output->length);
-
- memset(tmp_buf, 0, tmp_buf_len);
- OPENSSL_free(tmp_buf);
-
- if (ret != 1)
- return KRB5_CRYPTO_INTERNAL;
- return 0;
-}
-
-
-static krb5_error_code
-k5_des_decrypt(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output)
-{
- /* key->keyblock.enctype was checked by the caller */
- int ret = 0, tmp_len = 0;
- unsigned char *tmp_buf;
- EVP_CIPHER_CTX ciph_ctx;
-
- ret = validate(key, ivec, input, output);
- if (ret)
- return ret;
-
-
- tmp_buf=OPENSSL_malloc(output->length);
- if (!tmp_buf)
- return ENOMEM;
- memset(tmp_buf,0,output->length);
-
- EVP_CIPHER_CTX_init(&ciph_ctx);
-
- ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL, key->keyblock.contents,
- (ivec) ? (unsigned char*)ivec->data : NULL);
- if (ret) {
- EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
- ret = EVP_DecryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
- (unsigned char *)input->data, input->length);
- if (ret) {
- output->length = tmp_len;
- ret = EVP_DecryptFinal_ex(&ciph_ctx, tmp_buf+tmp_len, &tmp_len);
- }
- }
-
- EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-
- if (ret == 1)
- memcpy(output->data,tmp_buf, output->length);
-
- memset(tmp_buf,0,output->length);
- OPENSSL_free(tmp_buf);
-
- if ( ret != 1)
- return KRB5_CRYPTO_INTERNAL;
- return 0;
-}
-
-static krb5_error_code
-k5_des_encrypt_iov(krb5_key key,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
-{
- int ret = 0, tmp_len = MIT_DES_BLOCK_LENGTH;
- int oblock_len = MIT_DES_BLOCK_LENGTH * num_data;
- unsigned char *iblock = NULL, *oblock = NULL;
+ int ret, olen = MIT_DES_BLOCK_LENGTH;
+ unsigned char iblock[MIT_DES_BLOCK_LENGTH], oblock[MIT_DES_BLOCK_LENGTH];
struct iov_block_state input_pos, output_pos;
- EVP_CIPHER_CTX ciph_ctx;
-
- iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH);
- if (!iblock)
- return ENOMEM;
- oblock = OPENSSL_malloc(oblock_len);
- if (!oblock){
- OPENSSL_free(iblock);
- return ENOMEM;
- }
+ EVP_CIPHER_CTX ciph_ctx;
IOV_BLOCK_STATE_INIT(&input_pos);
IOV_BLOCK_STATE_INIT(&output_pos);
- ret = validate_iov(key, ivec, data, num_data);
+ ret = validate(key, ivec, data, num_data);
if (ret)
return ret;
- memset(oblock, 0, oblock_len);
-
EVP_CIPHER_CTX_init(&ciph_ctx);
ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL,
key->keyblock.contents, (ivec && ivec->data) ? (unsigned char*)ivec->data : NULL);
- if (!ret){
- EVP_CIPHER_CTX_cleanup(&ciph_ctx);
- OPENSSL_free(iblock);
- OPENSSL_free(oblock);
+ if (!ret)
return KRB5_CRYPTO_INTERNAL;
- }
EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
for (;;) {
- if (!krb5int_c_iov_get_block(iblock, MIT_DES_BLOCK_LENGTH, data, num_data, &input_pos))
+ if (!krb5int_c_iov_get_block(iblock, MIT_DES_BLOCK_LENGTH, data,
+ num_data, &input_pos))
break;
- if (input_pos.iov_pos == num_data)
+ ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &olen,
+ (unsigned char *)iblock, MIT_DES_BLOCK_LENGTH);
+ if (!ret)
break;
- ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &tmp_len,
- (unsigned char *)iblock, input_pos.data_pos);
- if (!ret) break;
-
- krb5int_c_iov_put_block(data, num_data, oblock, MIT_DES_BLOCK_LENGTH, &output_pos);
+ krb5int_c_iov_put_block(data, num_data, oblock, MIT_DES_BLOCK_LENGTH,
+ &output_pos);
}
- if(ret)
- ret = EVP_EncryptFinal_ex(&ciph_ctx, oblock+16, &tmp_len);
-
EVP_CIPHER_CTX_cleanup(&ciph_ctx);
- memset(iblock,0,sizeof(iblock));
- memset(oblock,0,sizeof(oblock));
- OPENSSL_free(iblock);
- OPENSSL_free(oblock);
+ zap(iblock, sizeof(iblock));
+ zap(oblock, sizeof(oblock));
- if ( ret != 1)
+ if (ret != 1)
return KRB5_CRYPTO_INTERNAL;
return 0;
}
static krb5_error_code
-k5_des_decrypt_iov(krb5_key key,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+k5_des_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
+ size_t num_data)
{
- int ret = 0;
- int tmp_len = MIT_DES_BLOCK_LENGTH;
- int oblock_len = MIT_DES_BLOCK_LENGTH*num_data;
- unsigned char *iblock = NULL, *oblock = NULL;
+ int ret, olen = MIT_DES_BLOCK_LENGTH;
+ unsigned char iblock[MIT_DES_BLOCK_LENGTH], oblock[MIT_DES_BLOCK_LENGTH];
struct iov_block_state input_pos, output_pos;
- EVP_CIPHER_CTX ciph_ctx;
-
- iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH);
- if (!iblock)
- return ENOMEM;
- oblock = OPENSSL_malloc(oblock_len);
- if (!oblock){
- OPENSSL_free(iblock);
- return ENOMEM;
- }
+ EVP_CIPHER_CTX ciph_ctx;
IOV_BLOCK_STATE_INIT(&input_pos);
IOV_BLOCK_STATE_INIT(&output_pos);
- ret = validate_iov(key, ivec, data, num_data);
+ ret = validate(key, ivec, data, num_data);
if (ret)
return ret;
- memset(oblock, 0, oblock_len);
-
EVP_CIPHER_CTX_init(&ciph_ctx);
ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL,
- key->keyblock.contents, (ivec) ? (unsigned char*)ivec->data : NULL);
- if (!ret){
- EVP_CIPHER_CTX_cleanup(&ciph_ctx);
- OPENSSL_free(iblock);
- OPENSSL_free(oblock);
+ key->keyblock.contents,
+ (ivec) ? (unsigned char*)ivec->data : NULL);
+ if (!ret)
return KRB5_CRYPTO_INTERNAL;
- }
EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
data, num_data, &input_pos))
break;
- if (input_pos.iov_pos == num_data)
- break;
-
- ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &tmp_len,
- (unsigned char *)iblock,
- input_pos.data_pos);
+ ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &olen,
+ iblock, MIT_DES_BLOCK_LENGTH);
if (!ret) break;
krb5int_c_iov_put_block(data, num_data, oblock,
MIT_DES_BLOCK_LENGTH, &output_pos);
}
- if(ret)
- ret = EVP_DecryptFinal_ex(&ciph_ctx, oblock+16, &tmp_len);
-
EVP_CIPHER_CTX_cleanup(&ciph_ctx);
- memset(iblock,0,sizeof(iblock));
- memset(oblock,0,sizeof(oblock));
- OPENSSL_free(iblock);
- OPENSSL_free(oblock);
+ zap(iblock, sizeof(iblock));
+ zap(oblock, sizeof(oblock));
if (ret != 1)
return KRB5_CRYPTO_INTERNAL;
k5_des_decrypt,
krb5int_des_make_key,
krb5int_des_init_state,
- krb5int_default_free_state,
- k5_des_encrypt_iov,
- k5_des_decrypt_iov
+ krb5int_default_free_state
};
static krb5_error_code
validate(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, const krb5_data *output)
-{
- /* key->keyblock.enctype was checked by the caller */
-
- if (key->keyblock.length != KRB5_MIT_DES3_KEYSIZE)
- return(KRB5_BAD_KEYSIZE);
- if ((input->length%DES_BLOCK_SIZE) != 0)
- return(KRB5_BAD_MSIZE);
- if (ivec && (ivec->length != 8))
- return(KRB5_BAD_MSIZE);
- if (input->length != output->length)
- return(KRB5_BAD_MSIZE);
-
- return 0;
-}
-
-static krb5_error_code
-validate_iov(krb5_key key, const krb5_data *ivec,
- const krb5_crypto_iov *data, size_t num_data)
+ const krb5_crypto_iov *data, size_t num_data)
{
size_t i, input_length;
}
static krb5_error_code
-k5_des3_encrypt(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output)
-{
- int ret = 0, tmp_len = 0;
- unsigned int tmp_buf_len = 0;
- unsigned char *tmp_buf = NULL;
- EVP_CIPHER_CTX ciph_ctx;
-
- ret = validate(key, ivec, input, output);
- if (ret)
- return ret;
-
- tmp_buf_len = output->length * 2;
- tmp_buf = OPENSSL_malloc(tmp_buf_len);
- if (!tmp_buf)
- return ENOMEM;
-
- EVP_CIPHER_CTX_init(&ciph_ctx);
-
- ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL, key->keyblock.contents,
- (ivec) ? (unsigned char*)ivec->data : NULL);
- if (ret) {
- EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
- ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
- (unsigned char *)input->data, input->length);
- if (!ret || output->length < (unsigned int)tmp_len) {
- ret = KRB5_CRYPTO_INTERNAL;
- } else {
- output->length = tmp_len;
- ret = EVP_EncryptFinal_ex(&ciph_ctx, tmp_buf+tmp_len, &tmp_len);
- }
- }
-
- EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-
- if (ret == 1)
- memcpy(output->data,tmp_buf, output->length);
-
- memset(tmp_buf, 0, tmp_buf_len);
- OPENSSL_free(tmp_buf);
-
- if (ret != 1)
- return KRB5_CRYPTO_INTERNAL;
-
- return 0;
-
-}
-
-static krb5_error_code
-k5_des3_decrypt(krb5_key key, const krb5_data *ivec,
- const krb5_data *input, krb5_data *output)
-{
- int ret = 0, tmp_len = 0;
- unsigned int tmp_buf_len = 0;
- unsigned char *tmp_buf = NULL;
- EVP_CIPHER_CTX ciph_ctx;
-
- ret = validate(key, ivec, input, output);
- if (ret)
- return ret;
-
-
- tmp_buf_len = output->length;
- tmp_buf=OPENSSL_malloc(tmp_buf_len);
- if (!tmp_buf)
- return ENOMEM;
-
- EVP_CIPHER_CTX_init(&ciph_ctx);
-
- ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL, key->keyblock.contents,
- (ivec) ? (unsigned char*)ivec->data: NULL);
- if (ret) {
- EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
- ret = EVP_DecryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
- (unsigned char *)input->data, input->length);
- if (!ret || output->length < (unsigned int)tmp_len) {
- ret = KRB5_CRYPTO_INTERNAL;
- } else {
- output->length = tmp_len;
- ret = EVP_DecryptFinal_ex(&ciph_ctx, tmp_buf+tmp_len, &tmp_len);
- }
- }
-
- EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-
- if (ret == 1)
- memcpy(output->data,tmp_buf, output->length);
-
- memset(tmp_buf,0,tmp_buf_len);
- OPENSSL_free(tmp_buf);
-
- if (ret != 1)
- return KRB5_CRYPTO_INTERNAL;
- return 0;
-
-}
-
-static krb5_error_code
-k5_des3_encrypt_iov(krb5_key key,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+k5_des3_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
+ size_t num_data)
{
- int ret = 0;
- int tmp_len = MIT_DES_BLOCK_LENGTH;
- int oblock_len = MIT_DES_BLOCK_LENGTH*num_data;
- unsigned char *iblock = NULL, *oblock = NULL;
+ int ret, olen = MIT_DES_BLOCK_LENGTH;
+ unsigned char iblock[MIT_DES_BLOCK_LENGTH], oblock[MIT_DES_BLOCK_LENGTH];
struct iov_block_state input_pos, output_pos;
- EVP_CIPHER_CTX ciph_ctx;
+ EVP_CIPHER_CTX ciph_ctx;
- ret = validate_iov(key, ivec, data, num_data);
+ ret = validate(key, ivec, data, num_data);
if (ret)
return ret;
- iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH);
- if (!iblock)
- return ENOMEM;
- oblock = OPENSSL_malloc(oblock_len);
- if (!oblock){
- OPENSSL_free(iblock);
- return ENOMEM;
- }
-
IOV_BLOCK_STATE_INIT(&input_pos);
IOV_BLOCK_STATE_INIT(&output_pos);
- memset(oblock, 0, oblock_len);
-
EVP_CIPHER_CTX_init(&ciph_ctx);
ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL,
- key->keyblock.contents, (ivec) ? (unsigned char*)ivec->data : NULL);
- if (!ret){
- EVP_CIPHER_CTX_cleanup(&ciph_ctx);
- OPENSSL_free(iblock);
- OPENSSL_free(oblock);
+ key->keyblock.contents,
+ (ivec) ? (unsigned char*)ivec->data : NULL);
+ if (!ret)
return KRB5_CRYPTO_INTERNAL;
- }
EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
data, num_data, &input_pos))
break;
- if (input_pos.iov_pos == num_data)
+ ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &olen,
+ (unsigned char *)iblock, MIT_DES_BLOCK_LENGTH);
+ if (!ret)
break;
- ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &tmp_len,
- (unsigned char *)iblock, input_pos.data_pos);
- if (!ret) break;
-
krb5int_c_iov_put_block(data, num_data,
oblock, MIT_DES_BLOCK_LENGTH, &output_pos);
}
- if(ret) {
- /*if (ivec != NULL && ivec->data)
- memcpy(ivec->data, oblock, MIT_DES_BLOCK_LENGTH); */
- ret = EVP_EncryptFinal_ex(&ciph_ctx, oblock+input_pos.data_pos, &tmp_len);
- }
+ /*if (ivec != NULL && ivec->data)
+ memcpy(ivec->data, oblock, MIT_DES_BLOCK_LENGTH); */
EVP_CIPHER_CTX_cleanup(&ciph_ctx);
- memset(iblock,0,sizeof(iblock));
- memset(oblock,0,sizeof(oblock));
- OPENSSL_free(iblock);
- OPENSSL_free(oblock);
+ zap(iblock, sizeof(iblock));
+ zap(oblock, sizeof(oblock));
if (ret != 1)
return KRB5_CRYPTO_INTERNAL;
}
static krb5_error_code
-k5_des3_decrypt_iov(krb5_key key,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+k5_des3_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
+ size_t num_data)
{
- int ret = 0;
- int tmp_len = MIT_DES_BLOCK_LENGTH;
- int oblock_len = MIT_DES_BLOCK_LENGTH * num_data;
- unsigned char *iblock = NULL, *oblock = NULL;
+ int ret, olen = MIT_DES_BLOCK_LENGTH;
+ unsigned char iblock[MIT_DES_BLOCK_LENGTH], oblock[MIT_DES_BLOCK_LENGTH];
struct iov_block_state input_pos, output_pos;
- EVP_CIPHER_CTX ciph_ctx;
+ EVP_CIPHER_CTX ciph_ctx;
- ret = validate_iov(key, ivec, data, num_data);
+ ret = validate(key, ivec, data, num_data);
if (ret)
return ret;
- iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH);
- if (!iblock)
- return ENOMEM;
- oblock = OPENSSL_malloc(oblock_len);
- if (!oblock){
- OPENSSL_free(iblock);
- return ENOMEM;
- }
-
IOV_BLOCK_STATE_INIT(&input_pos);
IOV_BLOCK_STATE_INIT(&output_pos);
- memset(oblock, 0, oblock_len);
-
EVP_CIPHER_CTX_init(&ciph_ctx);
ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL,
- key->keyblock.contents, (ivec) ? (unsigned char*)ivec->data : NULL);
- if (!ret){
- EVP_CIPHER_CTX_cleanup(&ciph_ctx);
- OPENSSL_free(iblock);
- OPENSSL_free(oblock);
+ key->keyblock.contents,
+ (ivec) ? (unsigned char*)ivec->data : NULL);
+ if (!ret)
return KRB5_CRYPTO_INTERNAL;
- }
EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
data, num_data, &input_pos))
break;
- if (input_pos.iov_pos == num_data)
+ ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &olen,
+ (unsigned char *)iblock, MIT_DES_BLOCK_LENGTH);
+ if (!ret)
break;
- ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &tmp_len,
- (unsigned char *)iblock, input_pos.data_pos);
- if (!ret) break;
-
- krb5int_c_iov_put_block(data, num_data,
- oblock, MIT_DES_BLOCK_LENGTH, &output_pos);
+ krb5int_c_iov_put_block(data, num_data, oblock, MIT_DES_BLOCK_LENGTH,
+ &output_pos);
}
- if(ret) {
- /*if (ivec != NULL && ivec->data)
- memcpy(ivec->data, oblock, MIT_DES_BLOCK_LENGTH); */
- ret = EVP_DecryptFinal_ex(&ciph_ctx,
- oblock + input_pos.data_pos, &tmp_len);
- }
+ /*if (ivec != NULL && ivec->data)
+ memcpy(ivec->data, oblock, MIT_DES_BLOCK_LENGTH); */
EVP_CIPHER_CTX_cleanup(&ciph_ctx);
- memset(iblock,0,sizeof(iblock));
- memset(oblock,0,sizeof(oblock));
- OPENSSL_free(iblock);
- OPENSSL_free(oblock);
+ zap(iblock, sizeof(iblock));
+ zap(oblock, sizeof(oblock));
if (ret != 1)
return KRB5_CRYPTO_INTERNAL;
k5_des3_decrypt,
krb5int_des3_make_key,
krb5int_des_init_state,
- krb5int_default_free_state,
- k5_des3_encrypt_iov,
- k5_des3_decrypt_iov
+ krb5int_default_free_state
};
/* prototypes */
static krb5_error_code
-k5_arcfour_docrypt(krb5_key, const krb5_data *,
- const krb5_data *, krb5_data *);
-static krb5_error_code
k5_arcfour_free_state ( krb5_data *state);
static krb5_error_code
k5_arcfour_init_state (const krb5_keyblock *key,
* this impliments the cipher
*/
-/* In-place rc4 crypto */
-static krb5_error_code
-k5_arcfour_docrypt(krb5_key key, const krb5_data *state,
- const krb5_data *input, krb5_data *output)
-{
- int ret = 0, tmp_len = 0;
- unsigned char *tmp_buf = NULL;
- EVP_CIPHER_CTX ciph_ctx;
-
- if (key->keyblock.length != RC4_KEY_SIZE)
- return(KRB5_BAD_KEYSIZE);
-
- if (input->length != output->length)
- return(KRB5_BAD_MSIZE);
-
- EVP_CIPHER_CTX_init(&ciph_ctx);
-
- ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_rc4(), NULL, key->keyblock.contents, NULL);
- if (ret) {
- tmp_buf=(unsigned char *)output->data;
- ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
- (unsigned char *)input->data, input->length);
- output->length = tmp_len;
- }
- if (ret) {
- tmp_buf += tmp_len;
- ret = EVP_EncryptFinal_ex(&ciph_ctx, tmp_buf, &tmp_len);
- }
-
- EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-
- if (ret != 1)
- return KRB5_CRYPTO_INTERNAL;
-
- output->length += tmp_len;
-
- return 0;
-}
-
/* In-place IOV crypto */
static krb5_error_code
-k5_arcfour_docrypt_iov(krb5_key key,
- const krb5_data *state,
- krb5_crypto_iov *data,
- size_t num_data)
+k5_arcfour_docrypt(krb5_key key,const krb5_data *state, krb5_crypto_iov *data,
+ size_t num_data)
{
size_t i;
int ret = 0, tmp_len = 0;
k5_arcfour_docrypt,
krb5int_arcfour_make_key,
k5_arcfour_init_state, /*xxx not implemented */
- k5_arcfour_free_state, /*xxx not implemented */
- k5_arcfour_docrypt_iov,
- k5_arcfour_docrypt_iov
+ k5_arcfour_free_state /*xxx not implemented */
};
includes:: depend
depend:: $(SRCS)
-t_shs: t_shs.o shs.o $(SUPPORT_DEPLIB)
- $(CC_LINK) -o t_shs t_shs.o shs.o $(SUPPORT_LIB)
-
-$(OUTPRE)t_shs.exe: $(OUTPRE)t_shs.obj $(OUTPRE)shs.obj
- link -out:$@ $**
-
-t_shs3: t_shs3.o shs.o $(SUPPORT_DEPLIB)
- $(CC_LINK) -o t_shs3 t_shs3.o shs.o $(SUPPORT_LIB)
-
-check-unix:: t_shs t_shs3
- $(RUN_SETUP) $(VALGRIND) $(C)t_shs -x
- $(RUN_SETUP) $(VALGRIND) $(C)t_shs3
-
-check-windows:: $(OUTPRE)t_shs.exe $(OUTPRE)t_shs3.exe
- $(OUTPRE)$(C)t_shs.exe -x
- $(OUTPRE)$(C)t_shs3.exe
clean::
- $(RM) t_shs$(EXEEXT) t_shs.$(OBJEXT) t_shs3$(EXEEXT) t_shs3.$(OBJEXT)
clean-unix:: clean-libobjs
projects / krb5.git / commitdiff