+2003-03-04 Ken Raeburn <raeburn@mit.edu>
+
+ * krb5.h (ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96, CKSUMTYPE_HMAC_SHA1_96_AES128,
+ CKSUMTYPE_HMAC_SHA1_96_AES256): New macros.
+ * k5-int.h (krb5_str2key_func): Added params argument.
+ (krb5int_pbkdf2_hmac_sha1): Declare.
+ (krb5_cryptosystem_entry, krb5_cs_table_entry, SUM_FUNC,
+ SUM_VERF_FUNC, krb5_checksum_entry): Delete unused declarations.
+
2003-02-26 Ken Raeburn <raeburn@mit.edu>
* configure.in: Set and substitute maybe_kerberosIV.
const krb5_data *input, krb5_data *output);
typedef krb5_error_code (*krb5_str2key_func) (const struct krb5_enc_provider *enc, const krb5_data *string,
- const krb5_data *salt, krb5_keyblock *key);
+ const krb5_data *salt, const krb5_data *parm, krb5_keyblock *key);
struct krb5_keytypes {
krb5_enctype etype;
const krb5_keyblock *key, unsigned int icount,
const krb5_data *input, krb5_data *output);
+krb5_error_code krb5int_pbkdf2_hmac_sha1 (const krb5_data *, unsigned long,
+ const krb5_data *,
+ const krb5_data *);
+
/* A definition of init_state for DES based encryption systems.
* sets up an 8-byte IV of all zeros
*/
#ifdef KRB5_OLD_CRYPTO
/* old provider api */
-typedef struct _krb5_cryptosystem_entry {
- krb5_magic magic;
- krb5_error_code (*encrypt_func) ( krb5_const_pointer /* in */,
- krb5_pointer /* out */,
- const size_t,
- krb5_encrypt_block *,
- krb5_pointer);
- krb5_error_code (*decrypt_func) ( krb5_const_pointer /* in */,
- krb5_pointer /* out */,
- const size_t,
- krb5_encrypt_block *,
- krb5_pointer);
- krb5_error_code (*process_key) ( krb5_encrypt_block *,
- const krb5_keyblock *);
- krb5_error_code (*finish_key) ( krb5_encrypt_block *);
- krb5_error_code (*string_to_key) (const krb5_encrypt_block *,
- krb5_keyblock *,
- const krb5_data *,
- const krb5_data *);
- krb5_error_code (*init_random_key) ( const krb5_encrypt_block *,
- const krb5_keyblock *,
- krb5_pointer *);
- krb5_error_code (*finish_random_key) ( const krb5_encrypt_block *,
- krb5_pointer *);
- krb5_error_code (*random_key) ( const krb5_encrypt_block *,
- krb5_pointer,
- krb5_keyblock **);
- int block_length;
- int pad_minimum; /* needed for cksum size computation */
- int keysize;
- krb5_enctype proto_enctype; /* key type,
- (assigned protocol number AND
- table index) */
-} krb5_cryptosystem_entry;
-
-typedef struct _krb5_cs_table_entry {
- krb5_magic magic;
- krb5_cryptosystem_entry * system;
- krb5_pointer random_sequence; /* from init_random_key() */
-} krb5_cs_table_entry;
-
-
-/* could be used in a table to find a sumtype */
-typedef krb5_error_code
- (*SUM_FUNC) (
- const krb5_pointer /* in */,
- const size_t /* in_length */,
- const krb5_pointer /* key/seed */,
- const size_t /* key/seed size */,
- krb5_checksum * /* out_cksum */);
-
-typedef krb5_error_code
- (*SUM_VERF_FUNC) (
- const krb5_checksum * /* out_cksum */,
- const krb5_pointer /* in */,
- const size_t /* in_length */,
- const krb5_pointer /* key/seed */,
- const size_t /* key/seed size */);
-
-typedef struct _krb5_checksum_entry {
- krb5_magic magic;
- SUM_FUNC sum_func; /* Checksum generator */
- SUM_VERF_FUNC sum_verf_func; /* Verifier of checksum */
- int checksum_length; /* length returned by sum_func */
- unsigned int is_collision_proof:1;
- unsigned int uses_key:1;
-} krb5_checksum_entry;
-
krb5_error_code krb5_crypto_os_localaddr
(krb5_address ***);
#define ENCTYPE_DES3_CBC_RAW 0x0006 /* DES-3 cbc mode raw */
#define ENCTYPE_DES_HMAC_SHA1 0x0008
#define ENCTYPE_DES3_CBC_SHA1 0x0010
+#define ENCTYPE_AES128_CTS_HMAC_SHA1_96 0x0011
+#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 0x0012
#define ENCTYPE_ARCFOUR_HMAC 0x0017
#define ENCTYPE_ARCFOUR_HMAC_EXP 0x0018
#define ENCTYPE_UNKNOWN 0x01ff
#define CKSUMTYPE_RSA_MD5_DES 0x0008
#define CKSUMTYPE_NIST_SHA 0x0009
#define CKSUMTYPE_HMAC_SHA1_DES3 0x000c
+#define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f
+#define CKSUMTYPE_HMAC_SHA1_96_AES256 0x0010
#define CKSUMTYPE_HMAC_MD5_ARCFOUR -138 /*Microsoft md5 hmac cksumtype*/
/* The following are entropy source designations. Whenever
+2003-03-04 Ken Raeburn <raeburn@mit.edu>
+
+ * etypes.c: Include aes_s2k.h.
+ (krb5_enctypes): Add AES enctypes. Update s2k function names.
+ * pbkdf2.c (krb5int_pbkdf2): Now static. Output data descriptor
+ is const.
+ (krb5int_pbkdf2_hmac_sha1_128, krb5int_pbkdf2_hmac_sha1_256):
+ Deleted.
+ * string_to_key.c (krb5_c_string_to_key_with_params): Renamed from
+ krb5_c_string_to_key, takes new params argument and passes it
+ through.
+ (krb5_c_string_to_key): New function, passes null params.
+ * t_pkcs5.c (test_pbkdf2_rfc3211): Update calls to
+ krb5int_pbkdf2_hmac_sha1 for new API.
+ * vectors.c (test_mit_des_s2k): Update krb5_des_string_to_key call
+ for new API.
+ * Makefile.in: Update dependencies.
+
2003-03-03 Ken Raeburn <raeburn@mit.edu>
* pbkdf2.c (F): Now takes krb5_data for password and salt.
$(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
$(BUILDTOP)/include/profile.h $(srcdir)/enc_provider/enc_provider.h \
$(srcdir)/hash_provider/hash_provider.h etypes.h $(srcdir)/old/old.h \
- $(srcdir)/raw/raw.h $(srcdir)/dk/dk.h $(srcdir)/arcfour/arcfour.h
+ $(srcdir)/raw/raw.h $(srcdir)/dk/dk.h $(srcdir)/arcfour/arcfour.h \
+ $(srcdir)/aes/aes_s2k.h
hmac.so hmac.po $(OUTPRE)hmac.$(OBJEXT): hmac.c $(SRCTOP)/include/k5-int.h \
$(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
$(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \
+2003-03-04 Ken Raeburn <raeburn@mit.edu>
+
+ * arcfour.c (krb5int_arcfour_string_to_key): Renamed from
+ krb5_... and added new s2k-params argument, which must be null.
+ * arcfour.h: Updated.
+
2003-02-03 Sam Hartman <hartmans@mit.edu>
* arcfour.c (krb5_arcfour_encrypt_length): l40, the 40-bit
const krb5_data *,
krb5_data *);
-extern krb5_error_code krb5_arcfour_string_to_key(
+extern krb5_error_code krb5int_arcfour_string_to_key(
const struct krb5_enc_provider *,
const krb5_data *,
const krb5_data *,
+ const krb5_data *,
krb5_keyblock *);
extern const struct krb5_enc_provider krb5int_enc_arcfour;
}
krb5_error_code
-krb5_arcfour_string_to_key(enc, string, salt, key)
- const struct krb5_enc_provider *enc;
- const krb5_data *string;
- const krb5_data *salt;
- krb5_keyblock *key;
+krb5int_arcfour_string_to_key(const struct krb5_enc_provider *enc,
+ const krb5_data *string, const krb5_data *salt,
+ const krb5_data *params, krb5_keyblock *key)
{
size_t len,slen;
unsigned char *copystr;
krb5_MD4_CTX md4_context;
+
+ if (params != NULL)
+ return KRB5_ERR_BAD_S2K_PARAMS;
if (key->length != 16)
return (KRB5_BAD_MSIZE);
+2003-03-04 Ken Raeburn <raeburn@mit.edu>
+
+ * stringtokey.c (krb5int_dk_string_to_key): Renamed from
+ krb5_... and added s2k-params argument.
+ * dk.h: Updated.
+
2003-01-10 Ken Raeburn <raeburn@mit.edu>
* Makefile.in: Add AC_SUBST_FILE marker for libobj_frag.
const krb5_data *ivec, const krb5_data *input,
krb5_data *arg_output);
-krb5_error_code krb5_dk_string_to_key
+krb5_error_code krb5int_dk_string_to_key
(const struct krb5_enc_provider *enc,
const krb5_data *string, const krb5_data *salt,
- krb5_keyblock *key);
+ const krb5_data *params, krb5_keyblock *key);
krb5_error_code krb5_derive_key
(const struct krb5_enc_provider *enc,
#define kerberos_len (sizeof(kerberos)-1)
krb5_error_code
-krb5_dk_string_to_key(enc, string, salt, key)
- const struct krb5_enc_provider *enc;
- const krb5_data *string;
- const krb5_data *salt;
- krb5_keyblock *key;
+krb5int_dk_string_to_key(const struct krb5_enc_provider *enc,
+ const krb5_data *string, const krb5_data *salt,
+ const krb5_data *parms, krb5_keyblock *key)
{
krb5_error_code ret;
size_t keybytes, keylength, concatlen;
#include "raw.h"
#include "dk.h"
#include "arcfour.h"
+#include "aes_s2k.h"
/* these will be linear searched. if they ever get big, a binary
search or hash table would be better, which means these would need
"des-cbc-crc", "DES cbc mode with CRC-32",
&krb5int_enc_des, &krb5int_hash_crc32,
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
- krb5_des_string_to_key },
+ krb5int_des_string_to_key },
{ ENCTYPE_DES_CBC_MD4,
"des-cbc-md4", "DES cbc mode with RSA-MD4",
&krb5int_enc_des, &krb5int_hash_md4,
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
- krb5_des_string_to_key },
+ krb5int_des_string_to_key },
{ ENCTYPE_DES_CBC_MD5,
"des-cbc-md5", "DES cbc mode with RSA-MD5",
&krb5int_enc_des, &krb5int_hash_md5,
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
- krb5_des_string_to_key },
+ krb5int_des_string_to_key },
{ ENCTYPE_DES_CBC_MD5,
"des", "DES cbc mode with RSA-MD5", /* alias */
&krb5int_enc_des, &krb5int_hash_md5,
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
- krb5_des_string_to_key },
+ krb5int_des_string_to_key },
{ ENCTYPE_DES_CBC_RAW,
"des-cbc-raw", "DES cbc mode raw",
&krb5int_enc_des, NULL,
krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt,
- krb5_des_string_to_key },
+ krb5int_des_string_to_key },
{ ENCTYPE_DES3_CBC_RAW,
"des3-cbc-raw", "Triple DES cbc mode raw",
&krb5int_enc_des3, NULL,
krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt,
- krb5_dk_string_to_key },
+ krb5int_dk_string_to_key },
{ ENCTYPE_DES3_CBC_SHA1,
"des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
- krb5_dk_string_to_key },
+ krb5int_dk_string_to_key },
{ ENCTYPE_DES3_CBC_SHA1, /* alias */
"des3-hmac-sha1", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
- krb5_dk_string_to_key },
+ krb5int_dk_string_to_key },
{ ENCTYPE_DES3_CBC_SHA1, /* alias */
"des3-cbc-sha1-kd", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
- krb5_dk_string_to_key },
+ krb5int_dk_string_to_key },
{ ENCTYPE_DES_HMAC_SHA1,
"des-hmac-sha1", "DES with HMAC/sha1",
&krb5int_enc_des, &krb5int_hash_sha1,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
- krb5_dk_string_to_key },
+ krb5int_dk_string_to_key },
{ ENCTYPE_ARCFOUR_HMAC,
"arcfour-hmac","ArcFour with HMAC/md5", &krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
{ ENCTYPE_ARCFOUR_HMAC, /* alias */
"rc4-hmac", "ArcFour with HMAC/md5", &krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
{ ENCTYPE_ARCFOUR_HMAC, /* alias */
"arcfour-hmac-md5", "ArcFour with HMAC/md5", &krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
{ ENCTYPE_ARCFOUR_HMAC_EXP,
"arcfour-hmac-exp", "Exportable ArcFour with HMAC/md5",
&krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
{ ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */
"rc4-hmac-exp", "Exportable ArcFour with HMAC/md5",
&krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
{ ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */
"arcfour-hmac-md5-exp", "Exportable ArcFour with HMAC/md5",
&krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+
+ { ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ "aes128-cts-hmac-sha1-96", "AES-128 CTS mode with 96-bit SHA-1 HMAC",
+ &krb5int_enc_aes128, &krb5int_hash_sha1,
+ krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
+ krb5int_aes_string_to_key },
+ { ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ "aes256-cts-hmac-sha1-96", "AES-256 CTS mode with 96-bit SHA-1 HMAC",
+ &krb5int_enc_aes256, &krb5int_hash_sha1,
+ krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
+ krb5int_aes_string_to_key },
#ifdef ATHENA_DES3_KLUDGE
/*
"Triple DES with HMAC/sha1 and 32-bit length code",
&krb5int_enc_des3, &krb5int_hash_sha1,
krb5_marc_dk_encrypt_length, krb5_marc_dk_encrypt, krb5_marc_dk_decrypt,
- krb5_dk_string_to_key },
+ krb5int_dk_string_to_key },
#endif
};
+2003-03-04 Ken Raeburn <raeburn@mit.edu>
+
+ * des_stringtokey.c (krb5int_des_string_to_key): Renamed from
+ krb5_... and added s2k-params argument which must be null.
+ * old.h: Updated.
+
2003-01-10 Ken Raeburn <raeburn@mit.edu>
* Makefile.in: Add AC_SUBST_FILE marker for libobj_frag.
const krb5_data * salt);
krb5_error_code
-krb5_des_string_to_key(enc, string, salt, key)
+krb5int_des_string_to_key(enc, string, salt, parm, key)
const struct krb5_enc_provider *enc;
const krb5_data *string;
const krb5_data *salt;
+ const krb5_data *parm;
krb5_keyblock *key;
{
+ if (parm != NULL)
+ return KRB5_ERR_BAD_S2K_PARAMS;
return(mit_des_string_to_key_int(key, string, salt));
}
const krb5_data *ivec, const krb5_data *input,
krb5_data *arg_output);
-krb5_error_code krb5_des_string_to_key
+krb5_error_code krb5int_des_string_to_key
(const struct krb5_enc_provider *enc,
- const krb5_data *string, const krb5_data *salt,
+ const krb5_data *string, const krb5_data *salt,
+ const krb5_data *params,
krb5_keyblock *key);
#include "k5-int.h"
#include "hash_provider.h"
-/* for k5-int.h */
-extern krb5_error_code
+/* Not exported, for now. */
+static krb5_error_code
krb5int_pbkdf2 (krb5_error_code (*prf)(krb5_keyblock *, krb5_data *,
krb5_data *),
size_t hlen, const krb5_data *pass, const krb5_data *salt,
- unsigned long count, krb5_data *output);
-extern krb5_error_code
-krb5int_pbkdf2_hmac_sha1 (const krb5_data *out, unsigned long count,
- const krb5_data *pass, const krb5_data *salt);
-extern krb5_error_code
-krb5int_pbkdf2_hmac_sha1_128 (char *out, unsigned long count,
- const krb5_data *pass, const krb5_data *salt);
-extern krb5_error_code
-krb5int_pbkdf2_hmac_sha1_256 (char *out, unsigned long count,
- const krb5_data *pass, const krb5_data *salt);
-
-
-
+ unsigned long count, const krb5_data *output);
static int debug_hmac = 0;
return 0;
}
-krb5_error_code
+static krb5_error_code
krb5int_pbkdf2 (krb5_error_code (*prf)(krb5_keyblock *, krb5_data *,
krb5_data *),
size_t hlen,
const krb5_data *pass, const krb5_data *salt,
- unsigned long count, krb5_data *output)
+ unsigned long count, const krb5_data *output)
{
int l, r, i;
char *utmp1, *utmp2;
{
return krb5int_pbkdf2 (foo, 20, pass, salt, count, out);
}
-
-krb5_error_code
-krb5int_pbkdf2_hmac_sha1_128 (char *out, unsigned long count,
- const krb5_data *pass, const krb5_data *salt)
-{
- krb5_data out_d;
- out_d.data = out;
- out_d.length = 16;
- return krb5int_pbkdf2 (foo, 20, pass, salt, count, &out_d);
-}
-
-krb5_error_code
-krb5int_pbkdf2_hmac_sha1_256 (char *out, unsigned long count,
- const krb5_data *pass, const krb5_data *salt)
-{
- krb5_data out_d;
- out_d.data = out;
- out_d.length = 32;
- return krb5int_pbkdf2 (foo, 20, pass, salt, count, &out_d);
-}
const krb5_data *string;
const krb5_data *salt;
krb5_keyblock *key;
+{
+ return krb5_c_string_to_key_with_params(context, enctype, string, salt,
+ NULL, key);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_string_to_key_with_params(context, enctype, string, salt, params, key)
+ krb5_context context;
+ krb5_enctype enctype;
+ const krb5_data *string;
+ const krb5_data *salt;
+ const krb5_data *params;
+ krb5_keyblock *key;
{
int i;
krb5_error_code ret;
key->enctype = enctype;
key->length = keylength;
- if ((ret = ((*(krb5_enctypes_list[i].str2key))(enc, string, salt, key)))) {
+ ret = (*krb5_enctypes_list[i].str2key)(enc, string, salt, params, key);
+ if (ret) {
memset(key->contents, 0, keylength);
free(key->contents);
}
{
char x[100];
krb5_error_code err;
- krb5_data d;
+ krb5_data d, pass, salt;
int i;
/* RFC 3211 test cases. */
t[i].count, t[i].len * 8, t[i].len, t[i].pass);
d.length = t[i].len;
- err = krb5int_pbkdf2_hmac_sha1 (x, d.length, t[i].count,
- t[i].pass, t[i].salt);
+ pass.data = t[i].pass;
+ pass.length = strlen(pass.data);
+ salt.data = t[i].salt;
+ salt.length = strlen(salt.data);
+ err = krb5int_pbkdf2_hmac_sha1 (&d, t[i].count, &pass, &salt);
if (err) {
printf("error in computing pbkdf2: %s\n", error_message(err));
exit(1);
printf ("\npassword: %-25s", buf);
printhex (strlen(p), p);
printf ("\n");
- r = krb5_des_string_to_key (0, &pd, &sd, &key);
+ r = krb5int_des_string_to_key (0, &pd, &sd, 0, &key);
printf ( "DES key: %-25s", "");
printhex (key.length, key.contents);
printf ("\n\n");
projects / krb5.git / commitdiff