Implement RFC 3961 PRF
authorSam Hartman <hartmans@mit.edu>
Fri, 20 May 2005 02:05:24 +0000 (02:05 +0000)
committerSam Hartman <hartmans@mit.edu>
Fri, 20 May 2005 02:05:24 +0000 (02:05 +0000)
Add krb5_c_prf, a function that implements the RFC 3961 PRF.

As part of this change, the krb5_init_keyblock and krb5 free routines
move to libk5crypto.  Public stubs remain in libkrb5, but the actual
implementation is an internal interface in libk5crypto

ticket: new
Tags: enhancement

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17219 dc483132-0cff-0310-8789-dd5450dbe970

19 files changed:
src/include/ChangeLog
src/include/k5-int.h
src/include/krb5.hin
src/lib/crypto/ChangeLog
src/lib/crypto/Makefile.in
src/lib/crypto/dk/ChangeLog
src/lib/crypto/dk/Makefile.in
src/lib/crypto/dk/dk.h
src/lib/crypto/dk/dk_prf.c [new file with mode: 0644]
src/lib/crypto/etypes.c
src/lib/crypto/keyblocks.c [new file with mode: 0644]
src/lib/crypto/libk5crypto.exports
src/lib/crypto/prf.c [new file with mode: 0644]
src/lib/crypto/t_prf.c [new file with mode: 0644]
src/lib/krb5/krb/ChangeLog
src/lib/krb5/krb/deltat.c
src/lib/krb5/krb/init_keyblock.c
src/lib/krb5/krb/kfree.c
src/lib/krb5_32.def

index 60ee43c878eec090efcec45bf8caca1baf670464..f8bf8f334ccae4434665b9433bf9427d605a3087 100644 (file)
@@ -1,3 +1,7 @@
+2005-05-19  Sam Hartman  <hartmans@mit.edu>
+
+       * k5-int.h (krb5int_c_ free_keyblock init_keyblock free_keyblock_contents):  new
+
 2005-05-13  Ken Raeburn  <raeburn@mit.edu>
 
        * configure.in: Deleted, content merged into ../configure.in.
@@ -6,6 +10,12 @@
        ($(srcdir)/krb5/autoconf.stmp): Use $(thisconfigdir) when
        locating configure.in and autom4te.cache.
 
+2005-05-06  Sam Hartman  <hartmans@mit.edu>
+
+       
+       * krb5.hin: Add krb5_c_prf_length
+
+
 2005-04-28  Ken Raeburn  <raeburn@mit.edu>
 
        * k5-int.h: Include fcntl.h only if HAVE_FCNTL_H is defined.
        (k5_debug_make_loc): Change "lineno" to type int.
        (k5_debug_make_loc): Likewise for argument "line".
 
+
 2005-01-04  Jeffrey Altman <jaltman@mit.edu>
 
         * krb5.hin: add prototype for krb5_is_thread_safe
 
        * krb5.hin: Flag krb5_principal2salt as KRB5_CALLCONV_WRONG.
 
+
 2004-12-08  Ken Raeburn  <raeburn@mit.edu>
 
        * k5-int.h (KRB5INT_ACCESS_STRUCT_VERSION): Bump to 9.
        (struct _krb5int_access): Add function pointer field use_dns_kdc.
 
+2004-12-07  Sam Hartman  <hartmans@mit.edu>
+
+       * k5-int.h: Add prf_length to the keytype function
+
+       * krb5.hin: Add krb5_c_prf
+
 2004-12-06  Ken Raeburn  <raeburn@mit.edu>
 
        * k5-thread.h [DEBUG_THREADS_STATS]: Include string.h and
index 5c62c14767b079a13fd72a128f58dee8fa3368a5..03a416a2138a6a80b6fb991bee9ffb5c3f4632f1 100644 (file)
@@ -609,16 +609,23 @@ typedef krb5_error_code (*krb5_crypt_func) (const struct krb5_enc_provider *enc,
 typedef krb5_error_code (*krb5_str2key_func) (const struct krb5_enc_provider *enc, const krb5_data *string,
   const krb5_data *salt, const krb5_data *parm, krb5_keyblock *key);
 
+typedef krb5_error_code (*krb5_prf_func)(
+                                        const struct krb5_enc_provider *enc, const struct krb5_hash_provider *hash,
+                                        const krb5_keyblock *key,
+                                        krb5_data *in, krb5_data *out);
+
 struct krb5_keytypes {
     krb5_enctype etype;
     char *in_string;
     char *out_string;
     const struct krb5_enc_provider *enc;
     const struct krb5_hash_provider *hash;
+  size_t prf_length;
     krb5_encrypt_length_func encrypt_len;
     krb5_crypt_func encrypt;
     krb5_crypt_func decrypt;
     krb5_str2key_func str2key;
+  krb5_prf_func prf;
     krb5_cksumtype required_ctype;
 };
 
@@ -707,6 +714,14 @@ krb5_error_code krb5int_c_combine_keys
 (krb5_context context, krb5_keyblock *key1, krb5_keyblock *key2,
                krb5_keyblock *outkey);
 
+void  krb5int_c_free_keyblock
+(krb5_context, krb5_keyblock *key);
+void  krb5int_c_free_keyblock_contents
+       (krb5_context, krb5_keyblock *);
+krb5_error_code   krb5int_c_init_keyblock
+               (krb5_context, krb5_enctype enctype,
+               size_t length, krb5_keyblock **out); 
+
 /*
  * Internal - for cleanup.
  */
index 230295d01870f0b39f894c0bee2be49966788ca3..ff17139614fe55283ecf67896cc1be08bd8e3f00 100644 (file)
@@ -436,6 +436,13 @@ krb5_error_code KRB5_CALLCONV
        krb5_c_free_state
 (krb5_context context, const krb5_keyblock *key, krb5_data *state);
 
+krb5_error_code KRB5_CALLCONV
+    krb5_c_prf (krb5_context, const krb5_keyblock *,
+               krb5_data *in, krb5_data *out);
+
+krb5_error_code KRB5_CALLCONV
+    krb5_c_prf_length (krb5_context, krb5_enctype, size_t *outlen);
+
 krb5_error_code KRB5_CALLCONV
     krb5_c_make_random_key
     (krb5_context context, krb5_enctype enctype,
index fa03524a3aff5da880fa1a4ea0247888539a54ba..6f6d28dfbaea390ed11ecac4eefbc1cf1e852bf4 100644 (file)
@@ -1,3 +1,22 @@
+2005-05-19  Sam Hartman  <hartmans@mit.edu>
+
+       * keyblocks.c :  File to contain memory management for keyblocks
+       moved from libkrb5  
+
+       * Makefile.in (SRCS):  keyblocks.c is new
+
+       * etypes.c: Add PRF for AES
+
+       * Makefile.in (t_prf$(EXEEXT)): New output for prf test framework
+
+2005-05-18  Sam Hartman  <hartmans@mit.edu>
+
+       * Makefile.in :  Add prf.c
+
+       * prf.c t_prf.c: New file
+
+       * etypes.c: Adjust structures to support the PRF declarations.
+
 2005-03-15  Jeffrey Altman <jaltman@mit.edu>
 
         * keyed_cksum.c: (krb5_c_is_keyed_cksum): this is a boolean 
index 5c1d94c2e56c3798fbd113ea6d0b3e5e6645fea7..62cbddfe2c325ed7125fa21efe8aaadf04120ce3 100644 (file)
@@ -16,6 +16,7 @@ PROG_RPATH=$(KRB5_LIBDIR)
 EXTRADEPSRCS=\
        $(srcdir)/t_nfold.c     \
        $(srcdir)/t_encrypt.c   \
+       $(srcdir)/t_prf.c \
        $(srcdir)/t_prng.c      \
        $(srcdir)/t_hmac.c      \
        $(srcdir)/t_pkcs5.c     \
@@ -47,6 +48,7 @@ STLIBOBJS=\
        enctype_to_string.o     \
        etypes.o                \
        hmac.o                  \
+       keyblocks.o \
        keyed_cksum.o           \
        keyed_checksum_types.o  \
        make_checksum.o         \
@@ -55,6 +57,7 @@ STLIBOBJS=\
        nfold.o                 \
        old_api_glue.o          \
        pbkdf2.o                \
+       prf.o \
        prng.o                  \
        state.o \
        string_to_cksumtype.o   \
@@ -80,6 +83,7 @@ OBJS=\
        $(OUTPRE)enctype_to_string.$(OBJEXT)    \
        $(OUTPRE)etypes.$(OBJEXT)               \
        $(OUTPRE)hmac.$(OBJEXT)                 \
+       $(OUTPRE)keyblocks.$(OBJEXT) \
        $(OUTPRE)keyed_cksum.$(OBJEXT)          \
        $(OUTPRE)keyed_checksum_types.$(OBJEXT) \
        $(OUTPRE)make_checksum.$(OBJEXT)        \
@@ -88,6 +92,7 @@ OBJS=\
        $(OUTPRE)nfold.$(OBJEXT)                \
        $(OUTPRE)old_api_glue.$(OBJEXT)         \
        $(OUTPRE)pbkdf2.$(OBJEXT)               \
+       $(OUTPRE)prf.$(OBJEXT) \
        $(OUTPRE)prng.$(OBJEXT)                 \
        $(OUTPRE)state.$(OBJEXT) \
        $(OUTPRE)string_to_cksumtype.$(OBJEXT)  \
@@ -113,6 +118,7 @@ SRCS=\
        $(srcdir)/enctype_to_string.c   \
        $(srcdir)/etypes.c              \
        $(srcdir)/hmac.c                \
+       $(srcdir)/keyblocks.c \
        $(srcdir)/keyed_cksum.c         \
        $(srcdir)/keyed_checksum_types.c\
        $(srcdir)/make_checksum.c       \
@@ -121,6 +127,7 @@ SRCS=\
        $(srcdir)/nfold.c               \
        $(srcdir)/old_api_glue.c        \
        $(srcdir)/pbkdf2.c      \
+       $(srcdir)/prf.c \
        $(srcdir)/prng.c                \
        $(srcdir)/state.c \
        $(srcdir)/string_to_cksumtype.c \
@@ -170,7 +177,7 @@ libcrypto.lib:
 
 clean-unix:: clean-liblinks clean-libs clean-libobjs
 
-check-unix:: t_nfold t_encrypt t_prng t_hmac t_pkcs5
+check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5
        $(RUN_SETUP) ./t_nfold
        $(RUN_SETUP) ./t_encrypt
        $(RUN_SETUP) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \
@@ -185,6 +192,9 @@ t_nfold$(EXEEXT): t_nfold.$(OBJEXT) nfold.$(OBJEXT)
 t_encrypt$(EXEEXT): t_encrypt.$(OBJEXT) nfold.$(OBJEXT) $(CRYPTO_DEPLIB)
        $(CC_LINK) -o $@ t_encrypt.$(OBJEXT)  -lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB)
 
+t_prf$(EXEEXT): t_prf.$(OBJEXT) 
+       $(CC_LINK) -o $@ t_prf.$(OBJEXT)  -lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB)
+
 t_prng$(EXEEXT): t_prng.$(OBJEXT) 
        $(CC_LINK) -o $@ t_prng.$(OBJEXT)  -lk5crypto -lcom_err $(SUPPORT_LIB)
 
index 3430370afae4615065a97acc9e0ed6292bee635b..5e988670073be1f1320bbf8533f3b761719740de 100644 (file)
@@ -1,3 +1,15 @@
+2005-05-19  Sam Hartman  <hartmans@mit.edu>
+
+       * dk_prf.c (krb5int_dk_prf):  Use k5crypto versions of keyblock memory management
+
+2004-12-09  Sam Hartman  <hartmans@mit.edu>
+
+       * dk.h: Add krb5_dk_prf
+
+       * Makefile.in (SRCS): Add dk_prf.c
+
+       * dk_prf.c (krb5int_dk_prf): New function
+
 2004-03-17  Ken Raeburn  <raeburn@mit.edu>
 
        * derive.c (krb5_random2key): Don't compile.
index 83a7c8d78aa8108e085e45e047df1a068cbe1f71..89046a4c9968d3a4022bbe70e1f6b4dab63222fe 100644 (file)
@@ -18,6 +18,7 @@ STLIBOBJS=\
        dk_decrypt.o    \
        dk_encrypt.o    \
        derive.o        \
+       dk_prf.o  \
        stringtokey.o
 
 OBJS=\
@@ -25,12 +26,14 @@ OBJS=\
        $(OUTPRE)dk_decrypt.$(OBJEXT)   \
        $(OUTPRE)dk_encrypt.$(OBJEXT)   \
        $(OUTPRE)derive.$(OBJEXT)       \
+       $(OUTPRE)dk_prf.$(OBJEXT) \
        $(OUTPRE)stringtokey.$(OBJEXT)
 
 SRCS=\
        $(srcdir)/checksum.c    \
        $(srcdir)/dk_decrypt.c  \
        $(srcdir)/dk_encrypt.c  \
+       $(srcdir)/dk_prf.c \
        $(srcdir)/derive.c      \
        $(srcdir)/stringtokey.c
 
index 1d742ce164b19004cbd803d11e2c6eb8bb6b0836..47bda6ebf2a8a7ebe984018b926657c74cea55e6 100644 (file)
@@ -69,6 +69,11 @@ krb5_error_code krb5int_dk_string_to_key
                const krb5_data *string, const krb5_data *salt,
                const krb5_data *params, krb5_keyblock *key);
 
+krb5_error_code 
+krb5int_dk_prf(const struct krb5_enc_provider *enc,
+              const struct krb5_hash_provider *hash,
+              const krb5_keyblock *key, const krb5_data *in, krb5_data *out);
+
 krb5_error_code krb5_derive_key
 (const struct krb5_enc_provider *enc,
                const krb5_keyblock *inkey,
diff --git a/src/lib/crypto/dk/dk_prf.c b/src/lib/crypto/dk/dk_prf.c
new file mode 100644 (file)
index 0000000..ec64caf
--- /dev/null
@@ -0,0 +1,64 @@
+/*
+ * lib/crypto/dk/prf.c
+ *
+ * Copyright (C) 2004 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ * 
+ * 
+ *
+ * This file contains an implementation of the RFC 3961 PRF for
+ *simplified profile enctypes.
+ */
+
+#include "k5-int.h"
+#include "dk.h"
+
+krb5_error_code
+krb5int_dk_prf (const struct krb5_enc_provider *enc,
+               const struct krb5_hash_provider *hash,
+               const krb5_keyblock *key,
+               const krb5_data *in, krb5_data *out)
+{
+  krb5_data tmp;
+  krb5_data prfconst;
+  krb5_keyblock *kp = NULL;
+  krb5_error_code ret = 0;
+  
+  prfconst.data = (char *) "prf";
+  prfconst.length = 3;
+  tmp.length = hash->hashsize;
+  tmp.data = malloc(hash->hashsize);
+  if (tmp.data == NULL)
+    return ENOMEM;
+  hash->hash(1, in, &tmp);
+  tmp.length = (tmp.length/enc->block_size)*enc->block_size; /*truncate to block size*/
+  ret = krb5int_c_init_keyblock(0, key->enctype,
+                          key->length, &kp);
+    if (ret == 0)
+      ret = krb5_derive_key(enc, key, kp, &prfconst);
+  if (ret == 0)
+    ret = enc->encrypt(kp, NULL, &tmp, out);
+      if (kp)
+       krb5int_c_free_keyblock(0, kp);
+  free (tmp.data);
+  return ret;
+}
index 0a153743ad8b4031f73252ef179d20ce37e37a51..4273e2826ea4c5fef170a285769fa18086fe4b0f 100644 (file)
@@ -44,110 +44,170 @@ const struct krb5_keytypes krb5_enctypes_list[] = {
     { ENCTYPE_DES_CBC_CRC,
       "des-cbc-crc", "DES cbc mode with CRC-32",
       &krb5int_enc_des, &krb5int_hash_crc32,
+      8,
       krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
-      krb5int_des_string_to_key, CKSUMTYPE_RSA_MD5 },
+      krb5int_des_string_to_key,
+      NULL, /*PRF*/
+      CKSUMTYPE_RSA_MD5 },
     { ENCTYPE_DES_CBC_MD4,
       "des-cbc-md4", "DES cbc mode with RSA-MD4",
       &krb5int_enc_des, &krb5int_hash_md4,
+      8,
       krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
-      krb5int_des_string_to_key, CKSUMTYPE_RSA_MD4 },
+      krb5int_des_string_to_key,
+      NULL, /*PRF*/
+      CKSUMTYPE_RSA_MD4 },
     { ENCTYPE_DES_CBC_MD5,
       "des-cbc-md5", "DES cbc mode with RSA-MD5",
       &krb5int_enc_des, &krb5int_hash_md5,
+      8,
       krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
-      krb5int_des_string_to_key, CKSUMTYPE_RSA_MD5 },
+      krb5int_des_string_to_key,
+      NULL, /*PRF*/
+CKSUMTYPE_RSA_MD5 },
     { ENCTYPE_DES_CBC_MD5,
       "des", "DES cbc mode with RSA-MD5", /* alias */
       &krb5int_enc_des, &krb5int_hash_md5,
+      8,
       krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
-      krb5int_des_string_to_key, CKSUMTYPE_RSA_MD5 },
+      krb5int_des_string_to_key,
+      NULL, /*PRF*/
+      CKSUMTYPE_RSA_MD5 },
 
     { ENCTYPE_DES_CBC_RAW,
       "des-cbc-raw", "DES cbc mode raw",
       &krb5int_enc_des, NULL,
+      8,
       krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt,
-      krb5int_des_string_to_key, 0 },
+      krb5int_des_string_to_key,
+      NULL, /*PRF*/
+      0 },
     { ENCTYPE_DES3_CBC_RAW,
       "des3-cbc-raw", "Triple DES cbc mode raw",
       &krb5int_enc_des3, NULL,
+      8,
       krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt,
-      krb5int_dk_string_to_key, 0 },
+      krb5int_dk_string_to_key,
+      NULL, /*PRF*/
+      0 },
 
     { ENCTYPE_DES3_CBC_SHA1,
       "des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1",
       &krb5int_enc_des3, &krb5int_hash_sha1,
+      8,
       krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
-      krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 },
+      krb5int_dk_string_to_key,
+      NULL, /*PRF*/
+      CKSUMTYPE_HMAC_SHA1_DES3 },
     { ENCTYPE_DES3_CBC_SHA1,   /* alias */
       "des3-hmac-sha1", "Triple DES cbc mode with HMAC/sha1",
       &krb5int_enc_des3, &krb5int_hash_sha1,
+      8,
       krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
-      krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 },
+      krb5int_dk_string_to_key,
+      NULL, /*PRF*/
+      CKSUMTYPE_HMAC_SHA1_DES3 },
     { ENCTYPE_DES3_CBC_SHA1,   /* alias */
       "des3-cbc-sha1-kd", "Triple DES cbc mode with HMAC/sha1",
       &krb5int_enc_des3, &krb5int_hash_sha1,
+      8,
       krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
-      krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 },
+      krb5int_dk_string_to_key,
+      NULL, /*PRF*/
+      CKSUMTYPE_HMAC_SHA1_DES3 },
 
     { ENCTYPE_DES_HMAC_SHA1,
       "des-hmac-sha1", "DES with HMAC/sha1",
       &krb5int_enc_des, &krb5int_hash_sha1,
+      8,
       krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
-      krb5int_dk_string_to_key, 0 },
+      krb5int_dk_string_to_key,
+      NULL, /*PRF*/
+      0 },
     { ENCTYPE_ARCFOUR_HMAC, 
       "arcfour-hmac","ArcFour with HMAC/md5", &krb5int_enc_arcfour,
-      &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
+      &krb5int_hash_md5,
+      0,
+krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
       krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+      NULL, /*PRF*/
       CKSUMTYPE_HMAC_MD5_ARCFOUR },
     { ENCTYPE_ARCFOUR_HMAC,  /* alias */
       "rc4-hmac", "ArcFour with HMAC/md5", &krb5int_enc_arcfour,
-      &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
+      &krb5int_hash_md5,
+      0,
+      krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
       krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+      NULL, /*PRF*/
       CKSUMTYPE_HMAC_MD5_ARCFOUR },
     { ENCTYPE_ARCFOUR_HMAC,  /* alias */
       "arcfour-hmac-md5", "ArcFour with HMAC/md5", &krb5int_enc_arcfour,
-      &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
+      &krb5int_hash_md5,
+      0,
+      krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
       krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+      NULL, /*PRF*/
       CKSUMTYPE_HMAC_MD5_ARCFOUR },
     { ENCTYPE_ARCFOUR_HMAC_EXP, 
       "arcfour-hmac-exp", "Exportable ArcFour with HMAC/md5",
       &krb5int_enc_arcfour,
-      &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
+      &krb5int_hash_md5,
+      0,
+      krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
       krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+      NULL, /*PRF*/
       CKSUMTYPE_HMAC_MD5_ARCFOUR },
     { ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */
       "rc4-hmac-exp", "Exportable ArcFour with HMAC/md5",
       &krb5int_enc_arcfour,
-      &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
+      &krb5int_hash_md5,
+      0,
+      krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
       krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+      NULL, /*PRF*/
       CKSUMTYPE_HMAC_MD5_ARCFOUR },
     { ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */
       "arcfour-hmac-md5-exp", "Exportable ArcFour with HMAC/md5",
       &krb5int_enc_arcfour,
-      &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
+      &krb5int_hash_md5,
+      0,
+      krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
       krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+      NULL, /*PRF*/
       CKSUMTYPE_HMAC_MD5_ARCFOUR },
 
     { ENCTYPE_AES128_CTS_HMAC_SHA1_96,
       "aes128-cts-hmac-sha1-96", "AES-128 CTS mode with 96-bit SHA-1 HMAC",
       &krb5int_enc_aes128, &krb5int_hash_sha1,
+      16,
       krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
-      krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES128 },
+      krb5int_aes_string_to_key,
+      krb5int_dk_prf,
+      CKSUMTYPE_HMAC_SHA1_96_AES128 },
     { ENCTYPE_AES128_CTS_HMAC_SHA1_96, /* alias */
       "aes128-cts", "AES-128 CTS mode with 96-bit SHA-1 HMAC",
       &krb5int_enc_aes128, &krb5int_hash_sha1,
+      16,
       krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
-      krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES128 },
+      krb5int_aes_string_to_key,
+      krb5int_dk_prf,
+      CKSUMTYPE_HMAC_SHA1_96_AES128 },
     { ENCTYPE_AES256_CTS_HMAC_SHA1_96,
       "aes256-cts-hmac-sha1-96", "AES-256 CTS mode with 96-bit SHA-1 HMAC",
       &krb5int_enc_aes256, &krb5int_hash_sha1,
+      16,
       krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
-      krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES256 },
+      krb5int_aes_string_to_key,
+      krb5int_dk_prf,
+      CKSUMTYPE_HMAC_SHA1_96_AES256 },
     { ENCTYPE_AES256_CTS_HMAC_SHA1_96, /* alias */
       "aes256-cts", "AES-256 CTS mode with 96-bit SHA-1 HMAC",
       &krb5int_enc_aes256, &krb5int_hash_sha1,
+      16,
       krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
-      krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES256 },
+      krb5int_aes_string_to_key,
+      krb5int_dk_prf,
+      CKSUMTYPE_HMAC_SHA1_96_AES256 },
 };
 
 const int krb5_enctypes_length =
diff --git a/src/lib/crypto/keyblocks.c b/src/lib/crypto/keyblocks.c
new file mode 100644 (file)
index 0000000..02ff677
--- /dev/null
@@ -0,0 +1,79 @@
+/*
+ * lib/crypto/keyblocks.c
+ *
+ * Copyright (C) 2002, 2005 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ * 
+ * 
+ *
+ * krb5_init_keyblock- a function to set up 
+ *  an empty keyblock
+ */
+
+
+#include "k5-int.h"
+#include <assert.h>
+
+krb5_error_code   krb5int_c_init_keyblock
+       (krb5_context context, krb5_enctype enctype,
+        size_t length, krb5_keyblock **out)
+{
+    krb5_keyblock *kb;
+    kb = malloc (sizeof(krb5_keyblock));
+    assert (out);
+    *out = NULL;
+    if (!kb) {
+       return ENOMEM;
+    }
+    kb->magic = KV5M_KEYBLOCK;
+    kb->enctype = enctype;
+    kb->length = length;
+    if(length) {
+       kb->contents = malloc (length);
+       if(!kb->contents) {
+           free (kb);
+           return ENOMEM;
+       }
+    } else {
+       kb->contents = NULL;
+    }
+    *out = kb;
+    return 0;
+}
+
+
+void KRB5_CALLCONV
+krb5int_c_free_keyblock(krb5_context context, register krb5_keyblock *val)
+{
+    krb5_free_keyblock_contents(context, val);
+    krb5_xfree(val);
+}
+
+void 
+krb5int_c_free_keyblock_contents(krb5_context context, register krb5_keyblock *key)
+{
+     if (key->contents) {
+       krb5int_zap_data (key->contents, key->length);
+         krb5_xfree(key->contents);
+         key->contents = 0;
+     }
+}
index 744b1de4899c89097c8092220e07d7def9d3c462..b06f2e427bd49d876a75eab0f2bc00efeb955275 100644 (file)
@@ -25,6 +25,8 @@ krb5_c_is_keyed_cksum
 krb5_c_keyed_checksum_types
 krb5_c_make_checksum
 krb5_c_make_random_key
+krb5_c_prf
+krb5_c_prf_length
 krb5_c_random_add_entropy
 krb5_c_random_make_octets
 krb5_c_random_os_entropy
@@ -88,6 +90,9 @@ krb5int_arcfour_string_to_key
 krb5int_arcfour_translate_usage
 krb5int_c_combine_keys
 krb5int_c_mandatory_cksumtype
+krb5int_c_free_keyblock
+krb5int_c_free_keyblock_contents
+krb5int_c_init_keyblock
 krb5int_c_mit_des_zeroblock
 krb5int_default_free_state
 krb5int_des3_cbc_decrypt
diff --git a/src/lib/crypto/prf.c b/src/lib/crypto/prf.c
new file mode 100644 (file)
index 0000000..f52564d
--- /dev/null
@@ -0,0 +1,87 @@
+/*
+ * lib/crypto/prf.c
+ *
+ * Copyright (C) 2004 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ * 
+ * 
+ *
+ * This contains the implementation of krb5_c_prf, which  will find
+ *the enctype-specific PRF and then generate pseudo-random data.  This
+ *function yields krb5_c_prf_length bytes of output.
+ */
+
+
+#include "k5-int.h"
+#include "etypes.h"
+
+#include <assert.h>
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_prf_length(krb5_context context, krb5_enctype enctype,
+                 size_t *len)
+{
+    int i;
+    assert (len);
+
+    for (i=0; i<krb5_enctypes_length; i++) {
+       if (krb5_enctypes_list[i].etype == enctype)
+           break;
+    }
+
+    if (i == krb5_enctypes_length)
+       return(KRB5_BAD_ENCTYPE);
+
+    *len = krb5_enctypes_list[i].prf_length;
+    return 0;
+    
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_prf(krb5_context context, const krb5_keyblock *key,
+krb5_data *input, krb5_data *output)
+{
+    int i;
+    size_t len;
+    assert(input && output);
+    assert (output->data);
+
+
+    for (i=0; i<krb5_enctypes_length; i++) {
+       if (krb5_enctypes_list[i].etype == key->enctype)
+           break;
+    }
+
+    if (i == krb5_enctypes_length)
+       return(KRB5_BAD_ENCTYPE);
+
+    output->magic = KV5M_DATA;
+    if (!krb5_enctypes_list[i].prf)
+       return (KRB5_CRYPTO_INTERNAL);
+    krb5_c_prf_length (context, key->enctype, &len);
+    if( len != output->length)
+       return (KRB5_CRYPTO_INTERNAL);
+            return((*(krb5_enctypes_list[i].prf))
+          (krb5_enctypes_list[i].enc, krb5_enctypes_list[i].hash,
+           key,  input, output));
+}
+
diff --git a/src/lib/crypto/t_prf.c b/src/lib/crypto/t_prf.c
new file mode 100644 (file)
index 0000000..f11784b
--- /dev/null
@@ -0,0 +1,89 @@
+/*
+ * lib/crypto/t_prf.c
+ *
+ * Copyright (C) 2004 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ * 
+ * This file contains tests for the PRF  code in Kerberos.  IT reads
+ *an input file, and writes an output file.  It is assumed that the
+ *output file will be diffed against expected output  to see whether
+ *regression tests pass.  The input file is a very primitive format.
+ *It  includes an enctype and  to be string2keyed   followed by a number of bytes of input
+ *length, followed by  that many bytes of input.  The program outputs
+ *krb5_c_prf of that input and key  as a hex string.
+ */
+
+#include "k5-int.h"
+#include <assert.h>
+
+int main () {
+  krb5_error_code ret;
+  krb5_data input, output;
+  krb5_keyblock *key = NULL;
+  unsigned int in_length;
+  unsigned int i;
+  while (1) {
+      krb5_enctype enctype;
+      char s[1025];
+
+      if (scanf( "%d", &enctype) == EOF)
+         break;
+      if (scanf("%1024s", &s[0]) == EOF)
+         break;
+      assert (krb5_init_keyblock(0, enctype, 0, &key) == 0);
+      input.data = &s[0];
+      input.length = strlen(s);
+      assert(krb5_c_string_to_key (0, enctype, &input, &input, key) == 0);
+    
+      if (scanf("%u", &in_length) == EOF)
+         break;
+
+      if (in_length ) {
+         unsigned int lc;
+         assert ((input.data = malloc(in_length)) != NULL);
+         for (lc = in_length; lc > 0; lc--) {
+             scanf ("%2x",  &i);
+             input.data[in_length-lc] = (unsigned) (i&0xff);
+         }
+         input.length = in_length;
+         assert (krb5_c_prf_length(0, enctype, &i) == 0);
+         assert (output.data = malloc(i));
+         output.length = i;
+         assert (krb5_c_prf(0, key, &input, &output) == 0);
+      
+         free (input.data);
+         input.data = NULL;
+      }
+      for (; i > 0; i--) {
+         printf ("%02x",
+                 (unsigned int) ((unsigned char ) output.data[output.length-i]));
+      }
+      printf ("\n");
+
+      free (output.data);
+      output.data = NULL;
+      krb5_free_keyblock(0, key);
+      key = NULL;
+  }
+
+  return (0);
+}
index 26ae8fe04fe565cc8fd5f7feb3710504e019e471..01f9e4956069e798a82e9592ca766c0b96f17220 100644 (file)
@@ -1,3 +1,9 @@
+2005-05-19  Sam Hartman  <hartmans@mit.edu>
+
+       * kfree.c (krb5_free_keyblock_contents krb5_free_keyblock):   Make
+       stubs into libk5crypto so that libk5crypto can call these. 
+       * init_keyblock.c (krb5_init_keyblock): As above.
+
 2005-04024  Jeffrey Altman <jaltman@mit.edu>
 
         * get_creds.c: 
index 770234de5db8d4ae95cc6095ad690783b1cb0841..2541591f890d52c125640470b9070da37be925b2 100644 (file)
@@ -1,7 +1,7 @@
-/* A Bison parser, made by GNU Bison 1.875c.  */
+/* A Bison parser, made by GNU Bison 1.875d.  */
 
 /* Skeleton parser for Yacc-like parsing with Bison,
-   Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003 Free Software Foundation, Inc.
+   Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -187,6 +187,13 @@ typedef union YYSTYPE { int val; } YYSTYPE;
 
 #if ! defined (yyoverflow) || YYERROR_VERBOSE
 
+# ifndef YYFREE
+#  define YYFREE free
+# endif
+# ifndef YYMALLOC
+#  define YYMALLOC malloc
+# endif
+
 /* The parser invokes alloca or malloc; define the necessary symbols.  */
 
 # ifdef YYSTACK_USE_ALLOCA
@@ -211,8 +218,8 @@ typedef union YYSTYPE { int val; } YYSTYPE;
 #   include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
 #   define YYSIZE_T size_t
 #  endif
-#  define YYSTACK_ALLOC malloc
-#  define YYSTACK_FREE free
+#  define YYSTACK_ALLOC YYMALLOC
+#  define YYSTACK_FREE YYFREE
 # endif
 #endif /* ! defined (yyoverflow) || YYERROR_VERBOSE */
 
@@ -224,7 +231,7 @@ typedef union YYSTYPE { int val; } YYSTYPE;
 /* A type that is properly aligned for any stack member.  */
 union yyalloc
 {
-  short yyss;
+  short int yyss;
   YYSTYPE yyvs;
   };
 
@@ -234,7 +241,7 @@ union yyalloc
 /* The size of an array large to enough to hold all stacks, each with
    N elements.  */
 # define YYSTACK_BYTES(N) \
-     ((N) * (sizeof (short) + sizeof (YYSTYPE))                                \
+     ((N) * (sizeof (short int) + sizeof (YYSTYPE))                    \
       + YYSTACK_GAP_MAXIMUM)
 
 /* Copy COUNT objects from FROM to TO.  The source and destination do
@@ -276,7 +283,7 @@ union yyalloc
 #if defined (__STDC__) || defined (__cplusplus)
    typedef signed char yysigned_char;
 #else
-   typedef short yysigned_char;
+   typedef short int yysigned_char;
 #endif
 
 /* YYFINAL -- State number of the termination state. */
@@ -378,7 +385,7 @@ static const char *const yytname[] =
 # ifdef YYPRINT
 /* YYTOKNUM[YYLEX-NUM] -- Internal token number corresponding to
    token YYLEX-NUM.  */
-static const unsigned short yytoknum[] =
+static const unsigned short int yytoknum[] =
 {
        0,   256,   257,   258,   259,   260,    45,    58,   100,   104,
      109,   115,   261
@@ -580,12 +587,12 @@ do {                                                              \
 
 #if defined (__STDC__) || defined (__cplusplus)
 static void
-yy_stack_print (short *bottom, short *top)
+yy_stack_print (short int *bottom, short int *top)
 #else
 static void
 yy_stack_print (bottom, top)
-    short *bottom;
-    short *top;
+    short int *bottom;
+    short int *top;
 #endif
 {
   YYFPRINTF (stderr, "Stack now");
@@ -852,9 +859,9 @@ int yynerrs;
      to reallocate them elsewhere.  */
 
   /* The state stack.  */
-  short        yyssa[YYINITDEPTH];
-  short *yyss = yyssa;
-  register short *yyssp;
+  short int yyssa[YYINITDEPTH];
+  short int *yyss = yyssa;
+  register short int *yyssp;
 
   /* The semantic value stack.  */
   YYSTYPE yyvsa[YYINITDEPTH];
@@ -891,6 +898,7 @@ int yynerrs;
   yyssp = yyss;
   yyvsp = yyvs;
 
+
   goto yysetstate;
 
 /*------------------------------------------------------------.
@@ -916,7 +924,7 @@ int yynerrs;
           these so that the &'s don't force the real ones into
           memory.  */
        YYSTYPE *yyvs1 = yyvs;
-       short *yyss1 = yyss;
+       short int *yyss1 = yyss;
 
 
        /* Each stack pointer address is followed by the size of the
@@ -944,7 +952,7 @@ int yynerrs;
        yystacksize = YYMAXDEPTH;
 
       {
-       short *yyss1 = yyss;
+       short int *yyss1 = yyss;
        union yyalloc *yyptr =
          (union yyalloc *) YYSTACK_ALLOC (YYSTACK_BYTES (yystacksize));
        if (! yyptr)
@@ -1151,8 +1159,8 @@ yyreduce:
 
     }
 
-/* Line 993 of yacc.c.  */
-#line 1156 "deltat.c"
+/* Line 1010 of yacc.c.  */
+#line 1164 "deltat.c"
 \f
   yyvsp -= yylen;
   yyssp -= yylen;
index a6feeeaf196bedfd363588c75215c0cd7b866300..3be842ac8659cc43ea84c102962cb481749aea43 100644 (file)
@@ -37,25 +37,5 @@ krb5_error_code KRB5_CALLCONV  krb5_init_keyblock
        (krb5_context context, krb5_enctype enctype,
         size_t length, krb5_keyblock **out)
 {
-    krb5_keyblock *kb;
-    kb = malloc (sizeof(krb5_keyblock));
-    assert (out);
-    *out = NULL;
-    if (!kb) {
-       return ENOMEM;
-    }
-    kb->magic = KV5M_KEYBLOCK;
-    kb->enctype = enctype;
-    kb->length = length;
-    if(length) {
-       kb->contents = malloc (length);
-       if(!kb->contents) {
-           free (kb);
-           return ENOMEM;
-       }
-    } else {
-       kb->contents = NULL;
-    }
-    *out = kb;
-    return 0;
+  return krb5int_c_init_keyblock (context, enctype, length, out);
 }
index 47004397155f5a31ade21e85daa245c1a7d5895d..39bb1f212819cb34191f4970d9e3b9954f913b16 100644 (file)
@@ -340,18 +340,13 @@ krb5_free_kdc_req(krb5_context context, krb5_kdc_req *val)
 void KRB5_CALLCONV
 krb5_free_keyblock_contents(krb5_context context, register krb5_keyblock *key)
 {
-     if (key->contents) {
-         memset(key->contents, 0, key->length);
-         krb5_xfree(key->contents);
-         key->contents = 0;
-     }
+    krb5int_c_free_keyblock_contents (context, key);
 }
 
 void KRB5_CALLCONV
 krb5_free_keyblock(krb5_context context, register krb5_keyblock *val)
 {
-    krb5_free_keyblock_contents(context, val);
-    krb5_xfree(val);
+    krb5int_c_free_keyblock (context, val);
 }
 
 
index 0125d2630eb3ba75a62ac26808aaedd7870f88df..012d6f7bfa0e01482ceeb199bc12366ca42a348f 100644 (file)
@@ -64,6 +64,8 @@ EXPORTS
        krb5_c_keyed_checksum_types
        krb5_c_make_checksum
        krb5_c_make_random_key
+krb5_c_prf
+krb5_c_prf_length
        krb5_c_random_make_octets
        krb5_c_random_seed
        krb5_c_string_to_key