Simplify lib/crypto/krb/arcfour in the wake of r23444. Move the
authorGreg Hudson <ghudson@mit.edu>
Mon, 28 Feb 2011 23:57:56 +0000 (23:57 +0000)
committerGreg Hudson <ghudson@mit.edu>
Mon, 28 Feb 2011 23:57:56 +0000 (23:57 +0000)
contents of arcfour_aead.c into arcfour.c, turn the key derivation
helper functions into static functions, and eliminate arcfour-int.h.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24673 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/crypto/krb/arcfour/Makefile.in
src/lib/crypto/krb/arcfour/arcfour-int.h [deleted file]
src/lib/crypto/krb/arcfour/arcfour.c
src/lib/crypto/krb/arcfour/arcfour.h
src/lib/crypto/krb/arcfour/arcfour_aead.c [deleted file]
src/lib/crypto/krb/arcfour/deps
src/lib/crypto/krb/checksum/deps
src/lib/crypto/krb/checksum/hmac_md5.c
src/lib/crypto/krb/deps
src/lib/crypto/krb/old/deps
src/lib/crypto/krb/prf/deps

index 589431d221eaae441209eff209c05514e6c78e91..ce2912884ef38586ee21c0bb0f63fb4fa1414056 100644 (file)
@@ -13,17 +13,14 @@ PROG_RPATH=$(KRB5_LIBDIR)
 
 STLIBOBJS=\
        arcfour.o       \
-       arcfour_aead.o  \
        arcfour_s2k.o
 
 OBJS=\
        $(OUTPRE)arcfour.$(OBJEXT)      \
-       $(OUTPRE)arcfour_aead.$(OBJEXT) \
        $(OUTPRE)arcfour_s2k.$(OBJEXT)
 
 SRCS=\
        $(srcdir)/arcfour.c     \
-       $(srcdir)/arcfour_aead.c\
        $(srcdir)/arcfour_s2k.c
 
 ##DOS##LIBOBJS = $(OBJS)
diff --git a/src/lib/crypto/krb/arcfour/arcfour-int.h b/src/lib/crypto/krb/arcfour/arcfour-int.h
deleted file mode 100644 (file)
index 15ab75b..0000000
+++ /dev/null
@@ -1,33 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
-
-  ARCFOUR cipher (based on a cipher posted on the Usenet in Spring-95).
-  This cipher is widely believed and has been tested to be equivalent
-  with the RC4 cipher from RSA Data Security, Inc.  (RC4 is a trademark
-  of RSA Data Security)
-
-*/
-#ifndef ARCFOUR_INT_H
-#define ARCFOUR_INT_H
-
-#include "arcfour.h"
-
-#define CONFOUNDERLENGTH 8
-
-krb5_keyusage
-krb5int_arcfour_translate_usage(krb5_keyusage usage);
-
-krb5_error_code
-krb5int_arcfour_usage_key(const struct krb5_enc_provider *enc,
-                          const struct krb5_hash_provider *hash,
-                          const krb5_keyblock *session_keyblock,
-                          krb5_keyusage usage,
-                          krb5_keyblock *out);
-
-krb5_error_code
-krb5int_arcfour_enc_key(const struct krb5_enc_provider *enc,
-                        const struct krb5_hash_provider *hash,
-                        const krb5_keyblock *usage_keyblock,
-                        const krb5_data *checksum, krb5_keyblock *out);
-
-#endif /* ARCFOUR_INT_H */
index 783b777ca4203ee78e5a07abd91e1edab410477b..4793cc38dd12b396448b05df1bac99cb582e1247 100644 (file)
@@ -8,9 +8,12 @@
 
 */
 #include "k5-int.h"
-#include "arcfour-int.h"
+#include "arcfour.h"
+#include "aead.h"
 #include "hash_provider/hash_provider.h"
 
+#define CONFOUNDERLENGTH 8
+
 const char l40[] = "fortybits";
 
 krb5_keyusage
@@ -35,12 +38,11 @@ krb5int_arcfour_translate_usage(krb5_keyusage usage)
 }
 
 /* Derive a usage key from a session key and krb5 usage constant. */
-krb5_error_code
-krb5int_arcfour_usage_key(const struct krb5_enc_provider *enc,
-                          const struct krb5_hash_provider *hash,
-                          const krb5_keyblock *session_keyblock,
-                          krb5_keyusage usage,
-                          krb5_keyblock *out)
+static krb5_error_code
+usage_key(const struct krb5_enc_provider *enc,
+          const struct krb5_hash_provider *hash,
+          const krb5_keyblock *session_keyblock, krb5_keyusage usage,
+          krb5_keyblock *out)
 {
     char salt_buf[14];
     unsigned int salt_len;
@@ -66,11 +68,11 @@ krb5int_arcfour_usage_key(const struct krb5_enc_provider *enc,
 }
 
 /* Derive an encryption key from a usage key and (typically) checksum. */
-krb5_error_code
-krb5int_arcfour_enc_key(const struct krb5_enc_provider *enc,
-                        const struct krb5_hash_provider *hash,
-                        const krb5_keyblock *usage_keyblock,
-                        const krb5_data *checksum, krb5_keyblock *out)
+static krb5_error_code
+enc_key(const struct krb5_enc_provider *enc,
+        const struct krb5_hash_provider *hash,
+        const krb5_keyblock *usage_keyblock, const krb5_data *checksum,
+        krb5_keyblock *out)
 {
     krb5_keyblock *trunc_keyblock = NULL;
     krb5_data out_data = make_data(out->contents, out->length);
@@ -91,3 +93,258 @@ krb5int_arcfour_enc_key(const struct krb5_enc_provider *enc,
     krb5int_c_free_keyblock(NULL, trunc_keyblock);
     return ret;
 }
+
+unsigned int
+krb5int_arcfour_crypto_length(const struct krb5_keytypes *ktp,
+                              krb5_cryptotype type)
+{
+    switch (type) {
+    case KRB5_CRYPTO_TYPE_HEADER:
+        return ktp->hash->hashsize + CONFOUNDERLENGTH;
+    case KRB5_CRYPTO_TYPE_PADDING:
+    case KRB5_CRYPTO_TYPE_TRAILER:
+        return 0;
+    case KRB5_CRYPTO_TYPE_CHECKSUM:
+        return ktp->hash->hashsize;
+    default:
+        assert(0 &&
+               "invalid cryptotype passed to krb5int_arcfour_crypto_length");
+        return 0;
+    }
+}
+
+/* Encrypt or decrypt using a keyblock. */
+static krb5_error_code
+keyblock_crypt(const struct krb5_enc_provider *enc, krb5_keyblock *keyblock,
+               const krb5_data *ivec, krb5_crypto_iov *data, size_t num_data)
+{
+    krb5_error_code ret;
+    krb5_key key;
+
+    ret = krb5_k_create_key(NULL, keyblock, &key);
+    if (ret != 0)
+        return ret;
+    /* Works for encryption or decryption since arcfour is a stream cipher. */
+    ret = enc->encrypt(key, ivec, data, num_data);
+    krb5_k_free_key(NULL, key);
+    return ret;
+}
+
+krb5_error_code
+krb5int_arcfour_encrypt(const struct krb5_keytypes *ktp, krb5_key key,
+                        krb5_keyusage usage, const krb5_data *ivec,
+                        krb5_crypto_iov *data, size_t num_data)
+{
+    const struct krb5_enc_provider *enc = ktp->enc;
+    const struct krb5_hash_provider *hash = ktp->hash;
+    krb5_error_code ret;
+    krb5_crypto_iov *header, *trailer;
+    krb5_keyblock *usage_keyblock = NULL, *enc_keyblock = NULL;
+    krb5_data checksum, confounder, header_data;
+    size_t i;
+
+    /*
+     * Caller must have provided space for the header, padding
+     * and trailer; per RFC 4757 we will arrange it as:
+     *
+     *      Checksum | E(Confounder | Plaintext)
+     */
+
+    header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
+    if (header == NULL ||
+        header->data.length < hash->hashsize + CONFOUNDERLENGTH)
+        return KRB5_BAD_MSIZE;
+
+    header_data = header->data;
+
+    /* Trailer may be absent. */
+    trailer = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
+    if (trailer != NULL)
+        trailer->data.length = 0;
+
+    /* Ensure that there is no padding. */
+    for (i = 0; i < num_data; i++) {
+        if (data[i].flags == KRB5_CRYPTO_TYPE_PADDING)
+            data[i].data.length = 0;
+    }
+
+    ret = krb5int_c_init_keyblock(NULL, key->keyblock.enctype, enc->keybytes,
+                                  &usage_keyblock);
+    if (ret != 0)
+        goto cleanup;
+    ret = krb5int_c_init_keyblock(NULL, key->keyblock.enctype, enc->keybytes,
+                                  &enc_keyblock);
+    if (ret != 0)
+        goto cleanup;
+
+    /* Derive a usage key from the session key and usage. */
+    ret = usage_key(enc, hash, &key->keyblock, usage, usage_keyblock);
+    if (ret != 0)
+        goto cleanup;
+
+    /* Generate a confounder in the header block, after the checksum. */
+    header->data.length = hash->hashsize + CONFOUNDERLENGTH;
+    confounder = make_data(header->data.data + hash->hashsize,
+                           CONFOUNDERLENGTH);
+    ret = krb5_c_random_make_octets(0, &confounder);
+    if (ret != 0)
+        goto cleanup;
+    checksum = make_data(header->data.data, hash->hashsize);
+
+    /* Adjust pointers so confounder is at start of header. */
+    header->data.length -= hash->hashsize;
+    header->data.data += hash->hashsize;
+
+    /* Compute the checksum using the usage key. */
+    ret = krb5int_hmac_keyblock(hash, usage_keyblock, data, num_data,
+                                &checksum);
+    if (ret != 0)
+        goto cleanup;
+
+    /* Derive the encryption key from the usage key and checksum. */
+    ret = enc_key(enc, hash, usage_keyblock, &checksum, enc_keyblock);
+    if (ret)
+        goto cleanup;
+
+    ret = keyblock_crypt(enc, enc_keyblock, ivec, data, num_data);
+
+cleanup:
+    header->data = header_data; /* Restore header pointers. */
+    krb5int_c_free_keyblock(NULL, usage_keyblock);
+    krb5int_c_free_keyblock(NULL, enc_keyblock);
+    return ret;
+}
+
+krb5_error_code
+krb5int_arcfour_decrypt(const struct krb5_keytypes *ktp, krb5_key key,
+                        krb5_keyusage usage, const krb5_data *ivec,
+                        krb5_crypto_iov *data, size_t num_data)
+{
+    const struct krb5_enc_provider *enc = ktp->enc;
+    const struct krb5_hash_provider *hash = ktp->hash;
+    krb5_error_code ret;
+    krb5_crypto_iov *header, *trailer;
+    krb5_keyblock *usage_keyblock = NULL, *enc_keyblock = NULL;
+    krb5_data checksum, header_data, comp_checksum = empty_data();
+
+    header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
+    if (header == NULL ||
+        header->data.length != hash->hashsize + CONFOUNDERLENGTH)
+        return KRB5_BAD_MSIZE;
+
+    header_data = header->data;
+
+    trailer = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
+    if (trailer != NULL && trailer->data.length != 0)
+        return KRB5_BAD_MSIZE;
+
+    /* Allocate buffers. */
+    ret = alloc_data(&comp_checksum, hash->hashsize);
+    if (ret != 0)
+        goto cleanup;
+    ret = krb5int_c_init_keyblock(NULL, key->keyblock.enctype, enc->keybytes,
+                                  &usage_keyblock);
+    if (ret != 0)
+        goto cleanup;
+    ret = krb5int_c_init_keyblock(NULL, key->keyblock.enctype, enc->keybytes,
+                                  &enc_keyblock);
+    if (ret != 0)
+        goto cleanup;
+
+    checksum = make_data(header->data.data, hash->hashsize);
+
+    /* Adjust pointers so confounder is at start of header. */
+    header->data.length -= hash->hashsize;
+    header->data.data += hash->hashsize;
+
+    /* We may have to try two usage values; see below. */
+    do {
+        /* Derive a usage key from the session key and usage. */
+        ret = usage_key(enc, hash, &key->keyblock, usage, usage_keyblock);
+        if (ret != 0)
+            goto cleanup;
+
+        /* Derive the encryption key from the usage key and checksum. */
+        ret = enc_key(enc, hash, usage_keyblock, &checksum, enc_keyblock);
+        if (ret)
+            goto cleanup;
+
+        /* Decrypt the ciphertext. */
+        ret = keyblock_crypt(enc, enc_keyblock, ivec, data, num_data);
+        if (ret != 0)
+            goto cleanup;
+
+        /* Compute HMAC(usage key, plaintext) to get the checksum. */
+        ret = krb5int_hmac_keyblock(hash, usage_keyblock, data, num_data,
+                                    &comp_checksum);
+        if (ret != 0)
+            goto cleanup;
+
+        if (memcmp(checksum.data, comp_checksum.data, hash->hashsize) != 0) {
+            if (usage == 9) {
+                /*
+                 * RFC 4757 specifies usage 8 for TGS-REP encrypted parts
+                 * encrypted in a subkey, but the value used by MS is actually
+                 * 9.  We now use 9 to start with, but fall back to 8 on
+                 * failure in case we are communicating with a KDC using the
+                 * value from the RFC.  ivec is always NULL in this case.
+                 * We need to re-encrypt the data in the wrong key first.
+                 */
+                ret = keyblock_crypt(enc, enc_keyblock, NULL, data, num_data);
+                if (ret != 0)
+                    goto cleanup;
+                usage = 8;
+                continue;
+            }
+            ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+            goto cleanup;
+        }
+
+        break;
+    } while (1);
+
+cleanup:
+    header->data = header_data; /* Restore header pointers. */
+    krb5int_c_free_keyblock(NULL, usage_keyblock);
+    krb5int_c_free_keyblock(NULL, enc_keyblock);
+    zapfree(comp_checksum.data, comp_checksum.length);
+    return ret;
+}
+
+krb5_error_code
+krb5int_arcfour_gsscrypt(const krb5_keyblock *keyblock, krb5_keyusage usage,
+                         const krb5_data *kd_data, krb5_crypto_iov *data,
+                         size_t num_data)
+{
+    const struct krb5_enc_provider *enc = &krb5int_enc_arcfour;
+    const struct krb5_hash_provider *hash = &krb5int_hash_md5;
+    krb5_keyblock *usage_keyblock = NULL, *enc_keyblock = NULL;
+    krb5_error_code ret;
+
+    ret = krb5int_c_init_keyblock(NULL, keyblock->enctype, enc->keybytes,
+                                  &usage_keyblock);
+    if (ret != 0)
+        goto cleanup;
+    ret = krb5int_c_init_keyblock(NULL, keyblock->enctype, enc->keybytes,
+                                  &enc_keyblock);
+    if (ret != 0)
+        goto cleanup;
+
+    /* Derive a usage key from the session key and usage. */
+    ret = usage_key(enc, hash, keyblock, usage, usage_keyblock);
+    if (ret != 0)
+        goto cleanup;
+
+    /* Derive the encryption key from the usage key and kd_data. */
+    ret = enc_key(enc, hash, usage_keyblock, kd_data, enc_keyblock);
+    if (ret != 0)
+        goto cleanup;
+
+    /* Encrypt or decrypt (encrypt_iov works for both) the input. */
+    ret = keyblock_crypt(enc, enc_keyblock, 0, data, num_data);
+
+cleanup:
+    krb5int_c_free_keyblock(NULL, usage_keyblock);
+    krb5int_c_free_keyblock(NULL, enc_keyblock);
+    return ret;
+}
index 7ec0d77b9bb57172c1bd54ad6cdd2129bbe2bf2f..34cbcc0f34ea1d2a54480d16a2960b7a91f40502 100644 (file)
@@ -4,6 +4,9 @@
 
 #include "etypes.h"
 
+krb5_keyusage
+krb5int_arcfour_translate_usage(krb5_keyusage usage);
+
 unsigned int
 krb5int_arcfour_crypto_length(const struct krb5_keytypes *ktp,
                               krb5_cryptotype type);
diff --git a/src/lib/crypto/krb/arcfour/arcfour_aead.c b/src/lib/crypto/krb/arcfour/arcfour_aead.c
deleted file mode 100644 (file)
index 6f82921..0000000
+++ /dev/null
@@ -1,296 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * lib/crypto/arcfour/arcfour_aead.c
- *
- * Copyright 2008 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- *   require a specific license from the United States Government.
- *   It is the responsibility of any person or organization contemplating
- *   export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission.  Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose.  It is provided "as is" without express
- * or implied warranty.
- */
-
-
-#include "k5-int.h"
-#include "arcfour.h"
-#include "arcfour-int.h"
-#include "hash_provider/hash_provider.h"
-#include "aead.h"
-
-/* AEAD */
-
-unsigned int
-krb5int_arcfour_crypto_length(const struct krb5_keytypes *ktp,
-                              krb5_cryptotype type)
-{
-    switch (type) {
-    case KRB5_CRYPTO_TYPE_HEADER:
-        return ktp->hash->hashsize + CONFOUNDERLENGTH;
-    case KRB5_CRYPTO_TYPE_PADDING:
-    case KRB5_CRYPTO_TYPE_TRAILER:
-        return 0;
-    case KRB5_CRYPTO_TYPE_CHECKSUM:
-        return ktp->hash->hashsize;
-    default:
-        assert(0 &&
-               "invalid cryptotype passed to krb5int_arcfour_crypto_length");
-        return 0;
-    }
-}
-
-/* Encrypt or decrypt using a keyblock. */
-static krb5_error_code
-keyblock_crypt(const struct krb5_enc_provider *enc, krb5_keyblock *keyblock,
-               const krb5_data *ivec, krb5_crypto_iov *data, size_t num_data)
-{
-    krb5_error_code ret;
-    krb5_key key;
-
-    ret = krb5_k_create_key(NULL, keyblock, &key);
-    if (ret != 0)
-        return ret;
-    /* Works for encryption or decryption since arcfour is a stream cipher. */
-    ret = enc->encrypt(key, ivec, data, num_data);
-    krb5_k_free_key(NULL, key);
-    return ret;
-}
-
-krb5_error_code
-krb5int_arcfour_encrypt(const struct krb5_keytypes *ktp, krb5_key key,
-                        krb5_keyusage usage, const krb5_data *ivec,
-                        krb5_crypto_iov *data, size_t num_data)
-{
-    const struct krb5_enc_provider *enc = ktp->enc;
-    const struct krb5_hash_provider *hash = ktp->hash;
-    krb5_error_code ret;
-    krb5_crypto_iov *header, *trailer;
-    krb5_keyblock *usage_keyblock = NULL, *enc_keyblock = NULL;
-    krb5_data checksum, confounder, header_data;
-    size_t i;
-
-    /*
-     * Caller must have provided space for the header, padding
-     * and trailer; per RFC 4757 we will arrange it as:
-     *
-     *      Checksum | E(Confounder | Plaintext)
-     */
-
-    header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
-    if (header == NULL ||
-        header->data.length < hash->hashsize + CONFOUNDERLENGTH)
-        return KRB5_BAD_MSIZE;
-
-    header_data = header->data;
-
-    /* Trailer may be absent. */
-    trailer = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
-    if (trailer != NULL)
-        trailer->data.length = 0;
-
-    /* Ensure that there is no padding. */
-    for (i = 0; i < num_data; i++) {
-        if (data[i].flags == KRB5_CRYPTO_TYPE_PADDING)
-            data[i].data.length = 0;
-    }
-
-    ret = krb5int_c_init_keyblock(NULL, key->keyblock.enctype, enc->keybytes,
-                                  &usage_keyblock);
-    if (ret != 0)
-        goto cleanup;
-    ret = krb5int_c_init_keyblock(NULL, key->keyblock.enctype, enc->keybytes,
-                                  &enc_keyblock);
-    if (ret != 0)
-        goto cleanup;
-
-    /* Derive a usage key from the session key and usage. */
-    ret = krb5int_arcfour_usage_key(enc, hash, &key->keyblock, usage,
-                                    usage_keyblock);
-    if (ret != 0)
-        goto cleanup;
-
-    /* Generate a confounder in the header block, after the checksum. */
-    header->data.length = hash->hashsize + CONFOUNDERLENGTH;
-    confounder = make_data(header->data.data + hash->hashsize,
-                           CONFOUNDERLENGTH);
-    ret = krb5_c_random_make_octets(0, &confounder);
-    if (ret != 0)
-        goto cleanup;
-    checksum = make_data(header->data.data, hash->hashsize);
-
-    /* Adjust pointers so confounder is at start of header. */
-    header->data.length -= hash->hashsize;
-    header->data.data += hash->hashsize;
-
-    /* Compute the checksum using the usage key. */
-    ret = krb5int_hmac_keyblock(hash, usage_keyblock, data, num_data,
-                                &checksum);
-    if (ret != 0)
-        goto cleanup;
-
-    /* Derive the encryption key from the usage key and checksum. */
-    ret = krb5int_arcfour_enc_key(enc, hash, usage_keyblock, &checksum,
-                                  enc_keyblock);
-    if (ret)
-        goto cleanup;
-
-    ret = keyblock_crypt(enc, enc_keyblock, ivec, data, num_data);
-
-cleanup:
-    header->data = header_data; /* Restore header pointers. */
-    krb5int_c_free_keyblock(NULL, usage_keyblock);
-    krb5int_c_free_keyblock(NULL, enc_keyblock);
-    return ret;
-}
-
-krb5_error_code
-krb5int_arcfour_decrypt(const struct krb5_keytypes *ktp, krb5_key key,
-                        krb5_keyusage usage, const krb5_data *ivec,
-                        krb5_crypto_iov *data, size_t num_data)
-{
-    const struct krb5_enc_provider *enc = ktp->enc;
-    const struct krb5_hash_provider *hash = ktp->hash;
-    krb5_error_code ret;
-    krb5_crypto_iov *header, *trailer;
-    krb5_keyblock *usage_keyblock = NULL, *enc_keyblock = NULL;
-    krb5_data checksum, header_data, comp_checksum = empty_data();
-
-    header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
-    if (header == NULL ||
-        header->data.length != hash->hashsize + CONFOUNDERLENGTH)
-        return KRB5_BAD_MSIZE;
-
-    header_data = header->data;
-
-    trailer = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
-    if (trailer != NULL && trailer->data.length != 0)
-        return KRB5_BAD_MSIZE;
-
-    /* Allocate buffers. */
-    ret = alloc_data(&comp_checksum, hash->hashsize);
-    if (ret != 0)
-        goto cleanup;
-    ret = krb5int_c_init_keyblock(NULL, key->keyblock.enctype, enc->keybytes,
-                                  &usage_keyblock);
-    if (ret != 0)
-        goto cleanup;
-    ret = krb5int_c_init_keyblock(NULL, key->keyblock.enctype, enc->keybytes,
-                                  &enc_keyblock);
-    if (ret != 0)
-        goto cleanup;
-
-    checksum = make_data(header->data.data, hash->hashsize);
-
-    /* Adjust pointers so confounder is at start of header. */
-    header->data.length -= hash->hashsize;
-    header->data.data += hash->hashsize;
-
-    /* We may have to try two usage values; see below. */
-    do {
-        /* Derive a usage key from the session key and usage. */
-        ret = krb5int_arcfour_usage_key(enc, hash, &key->keyblock, usage,
-                                        usage_keyblock);
-        if (ret != 0)
-            goto cleanup;
-
-        /* Derive the encryption key from the usage key and checksum. */
-        ret = krb5int_arcfour_enc_key(enc, hash, usage_keyblock, &checksum,
-                                      enc_keyblock);
-        if (ret)
-            goto cleanup;
-
-        /* Decrypt the ciphertext. */
-        ret = keyblock_crypt(enc, enc_keyblock, ivec, data, num_data);
-        if (ret != 0)
-            goto cleanup;
-
-        /* Compute HMAC(usage key, plaintext) to get the checksum. */
-        ret = krb5int_hmac_keyblock(hash, usage_keyblock, data, num_data,
-                                    &comp_checksum);
-        if (ret != 0)
-            goto cleanup;
-
-        if (memcmp(checksum.data, comp_checksum.data, hash->hashsize) != 0) {
-            if (usage == 9) {
-                /*
-                 * RFC 4757 specifies usage 8 for TGS-REP encrypted parts
-                 * encrypted in a subkey, but the value used by MS is actually
-                 * 9.  We now use 9 to start with, but fall back to 8 on
-                 * failure in case we are communicating with a KDC using the
-                 * value from the RFC.  ivec is always NULL in this case.
-                 * We need to re-encrypt the data in the wrong key first.
-                 */
-                ret = keyblock_crypt(enc, enc_keyblock, NULL, data, num_data);
-                if (ret != 0)
-                    goto cleanup;
-                usage = 8;
-                continue;
-            }
-            ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-            goto cleanup;
-        }
-
-        break;
-    } while (1);
-
-cleanup:
-    header->data = header_data; /* Restore header pointers. */
-    krb5int_c_free_keyblock(NULL, usage_keyblock);
-    krb5int_c_free_keyblock(NULL, enc_keyblock);
-    zapfree(comp_checksum.data, comp_checksum.length);
-    return ret;
-}
-
-krb5_error_code
-krb5int_arcfour_gsscrypt(const krb5_keyblock *keyblock, krb5_keyusage usage,
-                         const krb5_data *kd_data, krb5_crypto_iov *data,
-                         size_t num_data)
-{
-    const struct krb5_enc_provider *enc = &krb5int_enc_arcfour;
-    const struct krb5_hash_provider *hash = &krb5int_hash_md5;
-    krb5_keyblock *usage_keyblock = NULL, *enc_keyblock = NULL;
-    krb5_error_code ret;
-
-    ret = krb5int_c_init_keyblock(NULL, keyblock->enctype, enc->keybytes,
-                                  &usage_keyblock);
-    if (ret != 0)
-        goto cleanup;
-    ret = krb5int_c_init_keyblock(NULL, keyblock->enctype, enc->keybytes,
-                                  &enc_keyblock);
-    if (ret != 0)
-        goto cleanup;
-
-    /* Derive a usage key from the session key and usage. */
-    ret = krb5int_arcfour_usage_key(enc, hash, keyblock, usage,
-                                    usage_keyblock);
-    if (ret != 0)
-        goto cleanup;
-
-    /* Derive the encryption key from the usage key and kd_data. */
-    ret = krb5int_arcfour_enc_key(enc, hash, usage_keyblock, kd_data,
-                                  enc_keyblock);
-    if (ret != 0)
-        goto cleanup;
-
-    /* Encrypt or decrypt (encrypt_iov works for both) the input. */
-    ret = keyblock_crypt(enc, enc_keyblock, 0, data, num_data);
-
-cleanup:
-    krb5int_c_free_keyblock(NULL, usage_keyblock);
-    krb5int_c_free_keyblock(NULL, enc_keyblock);
-    return ret;
-}
index 8d026c4510f538841c7cf700f0a8e128a39754e6..2bfa78931c27e06527363ea652dd12c4ebf6ef97 100644 (file)
@@ -3,7 +3,7 @@
 #
 arcfour.so arcfour.po $(OUTPRE)arcfour.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
-  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../openssl/hash_provider/hash_provider.h \
+  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../builtin/hash_provider/hash_provider.h \
   $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \
   $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
   $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
@@ -12,25 +12,11 @@ arcfour.so arcfour.po $(OUTPRE)arcfour.$(OBJEXT): $(BUILDTOP)/include/autoconf.h
   $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
   $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
   $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
-  arcfour-int.h arcfour.c arcfour.h
-arcfour_aead.so arcfour_aead.po $(OUTPRE)arcfour_aead.$(OBJEXT): \
-  $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
-  $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
-  $(COM_ERR_DEPS) $(srcdir)/../../openssl/hash_provider/hash_provider.h \
-  $(srcdir)/../aead.h $(srcdir)/../cksumtypes.h $(srcdir)/../etypes.h \
-  $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
-  $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
-  $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
-  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
-  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
-  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
-  $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
-  $(top_srcdir)/include/socket-utils.h arcfour-int.h \
-  arcfour.h arcfour_aead.c
+  arcfour.c arcfour.h
 arcfour_s2k.so arcfour_s2k.po $(OUTPRE)arcfour_s2k.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
-  $(COM_ERR_DEPS) $(srcdir)/../../openssl/md4/rsa-md4.h \
+  $(COM_ERR_DEPS) $(srcdir)/../../builtin/hash_provider/hash_provider.h \
   $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \
   $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
   $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
@@ -39,5 +25,4 @@ arcfour_s2k.so arcfour_s2k.po $(OUTPRE)arcfour_s2k.$(OBJEXT): \
   $(top_srcdir)/include/k5-utf8.h $(top_srcdir)/include/krb5.h \
   $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
   $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
-  $(top_srcdir)/include/socket-utils.h arcfour-int.h \
-  arcfour.h arcfour_s2k.c
+  $(top_srcdir)/include/socket-utils.h arcfour.h arcfour_s2k.c
index 799dc266764707c2d12fbd624404fbc1d11bc379..99cea9c8a64c68cd5a61f01c17cf732653eeb2a7 100644 (file)
@@ -40,8 +40,7 @@ confounder.so confounder.po $(OUTPRE)confounder.$(OBJEXT): \
 hmac_md5.so hmac_md5.po $(OUTPRE)hmac_md5.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
-  $(COM_ERR_DEPS) $(srcdir)/../arcfour/arcfour-int.h \
-  $(srcdir)/../arcfour/arcfour.h $(srcdir)/../cksumtypes.h \
+  $(COM_ERR_DEPS) $(srcdir)/../arcfour/arcfour.h $(srcdir)/../cksumtypes.h \
   $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \
   $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
   $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
index 784b746f52dc1257e20d51797ccd7180985926d3..521ecaeddd860a4255709b9770b95609183d5005 100644 (file)
@@ -33,7 +33,6 @@
 #include "k5-int.h"
 #include "cksumtypes.h"
 #include "arcfour.h"
-#include "arcfour-int.h"
 
 krb5_error_code krb5int_hmacmd5_checksum(const struct krb5_cksumtypes *ctp,
                                          krb5_key key, krb5_keyusage usage,
index 8f86ab95b11e71b047391defc4dc9b3e8c0e2389..a728ae11ba0a55652fdc4cebe54a9214ede87293 100644 (file)
@@ -51,8 +51,8 @@ cksumtype_to_string.so cksumtype_to_string.po $(OUTPRE)cksumtype_to_string.$(OBJ
 cksumtypes.so cksumtypes.po $(OUTPRE)cksumtypes.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
-  $(COM_ERR_DEPS) $(srcdir)/../openssl/enc_provider/enc_provider.h \
-  $(srcdir)/../openssl/hash_provider/hash_provider.h \
+  $(COM_ERR_DEPS) $(srcdir)/../builtin/enc_provider/enc_provider.h \
+  $(srcdir)/../builtin/hash_provider/hash_provider.h \
   $(srcdir)/dk/dk.h $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
   $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
   $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
@@ -193,8 +193,8 @@ enctype_util.so enctype_util.po $(OUTPRE)enctype_util.$(OBJEXT): \
   etypes.h
 etypes.so etypes.po $(OUTPRE)etypes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
-  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../openssl/des/des_int.h \
-  $(srcdir)/../openssl/enc_provider/enc_provider.h $(srcdir)/../openssl/hash_provider/hash_provider.h \
+  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../builtin/des/des_int.h \
+  $(srcdir)/../builtin/enc_provider/enc_provider.h $(srcdir)/../builtin/hash_provider/hash_provider.h \
   $(srcdir)/arcfour/arcfour.h $(srcdir)/dk/dk.h $(srcdir)/old/old.h \
   $(srcdir)/prf/prf_int.h $(srcdir)/raw/raw.h $(top_srcdir)/include/k5-buf.h \
   $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
@@ -355,15 +355,16 @@ prng.so prng.po $(OUTPRE)prng.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
 prng_fortuna.so prng_fortuna.po $(OUTPRE)prng_fortuna.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
-  $(COM_ERR_DEPS) $(srcdir)/../openssl/aes/aes.h $(srcdir)/../openssl/sha2/sha2.h \
-  $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
-  $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
-  $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
-  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
-  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
-  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
-  $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
-  $(top_srcdir)/include/socket-utils.h prng.h prng_fortuna.c
+  $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h $(srcdir)/../builtin/aes/uitypes.h \
+  $(srcdir)/../builtin/sha2/sha2.h $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+  prng.h prng_fortuna.c
 cf2.so cf2.po $(OUTPRE)cf2.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
@@ -378,7 +379,7 @@ cf2.so cf2.po $(OUTPRE)cf2.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
 random_to_key.so random_to_key.po $(OUTPRE)random_to_key.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
-  $(COM_ERR_DEPS) $(srcdir)/../openssl/des/des_int.h \
+  $(COM_ERR_DEPS) $(srcdir)/../builtin/des/des_int.h \
   $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
   $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
   $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
@@ -424,16 +425,16 @@ string_to_key.so string_to_key.po $(OUTPRE)string_to_key.$(OBJEXT): \
 t_fortuna.so t_fortuna.po $(OUTPRE)t_fortuna.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
-  $(COM_ERR_DEPS) $(srcdir)/../openssl/aes/aes.h $(srcdir)/../openssl/sha2/sha2.h \
-  $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
-  $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
-  $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
-  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
-  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
-  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
-  $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
-  $(top_srcdir)/include/socket-utils.h prng.h prng_fortuna.c \
-  t_fortuna.c
+  $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h $(srcdir)/../builtin/aes/uitypes.h \
+  $(srcdir)/../builtin/sha2/sha2.h $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+  prng.h prng_fortuna.c t_fortuna.c
 valid_cksumtype.so valid_cksumtype.po $(OUTPRE)valid_cksumtype.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
index 5f9cf94f1141f23659c6027a70286ca2aa26aa6b..0e51f504a2f9a0a3df8209576ef32b2640b45b72 100644 (file)
@@ -4,7 +4,7 @@
 des_stringtokey.so des_stringtokey.po $(OUTPRE)des_stringtokey.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
-  $(COM_ERR_DEPS) $(srcdir)/../../openssl/des/des_int.h \
+  $(COM_ERR_DEPS) $(srcdir)/../../builtin/des/des_int.h \
   $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \
   $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
   $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
index 2f28a7c8695d73ea40701f9ec9b3334fe524cb40..dbf083fa561ee2b285f39d1e48a1b19e9faca797 100644 (file)
@@ -3,7 +3,7 @@
 #
 des_prf.so des_prf.po $(OUTPRE)des_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
-  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../openssl/hash_provider/hash_provider.h \
+  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../builtin/hash_provider/hash_provider.h \
   $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \
   $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
   $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
@@ -27,7 +27,7 @@ dk_prf.so dk_prf.po $(OUTPRE)dk_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   dk_prf.c prf_int.h
 rc4_prf.so rc4_prf.po $(OUTPRE)rc4_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
-  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../openssl/hash_provider/hash_provider.h \
+  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../builtin/hash_provider/hash_provider.h \
   $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \
   $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
   $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \