+2003-12-13 Ken Raeburn <raeburn@mit.edu>
+
+ * krb5.hin (KRB5_AUTH_CONTEXT_USE_SUBKEY): New macro.
+
+ * k5-int.h (struct krb5_keytypes): Added field required_ctype.
+ (krb5int_c_mandatory_cksumtype): New declaration.
+ (krb5int_generate_and_set_subkey): Declare.
+ (memset) [__GNUC__ && __GLIBC__]: Undef, to reduce compilation
+ warnings in zap() macro with volatile pointer.
+
+ * k5-platform.h: New header file. Manages inline-function and
+ 64-bit support, in platform-specific ways.
+ * fake-addrinfo.h: Include k5-platform.h.
+ (inline): Don't define here.
+ * k5-int.h: Include k5-platform.h.
+ (krb5_ui_8, krb5_int64): New typedefs.
+ (krb5_ser_pack_int64, krb5_ser_unpack_int64): New function decls.
+
2003-10-08 Tom Yu <tlyu@mit.edu>
* k5-int.h: Add prototypes for decode_krb5_safe_with_body and
#define FAI_DEFINED
#include "port-sockets.h"
#include "socket-utils.h"
-
-#if !defined(inline)
-# if __STDC_VERSION__ >= 199901L
-/* C99 supports inline, don't do anything. */
-# elif defined(__GNUC__)
-# define inline __inline__ /* this form silences -pedantic warnings */
-# elif defined(__mips) && defined(__sgi)
-# define inline __inline /* IRIX used at MIT does inline but not c99 yet */
-# elif defined(__sun) && __SUNPRO_C >= 0x540
-/* The Forte Developer 7 C compiler supports "inline". */
-# else
-# define inline /* nothing, just static */
-# endif
-# define ADDRINFO_UNDEF_INLINE
-#endif
+#include "k5-platform.h"
#ifdef S_SPLINT_S
/*@-incondefs@*/
#endif /* HAVE_SYS_TYPES_H */
#endif /* KRB5_SYSTYPES__ */
+
+#include "k5-platform.h"
+/* not used in krb5.h (yet) */
+typedef UINT64_TYPE krb5_ui_8;
+typedef INT64_TYPE krb5_int64;
+
+
#define DEFAULT_PWD_STRING1 "Enter password"
#define DEFAULT_PWD_STRING2 "Re-enter password for verification"
krb5_crypt_func encrypt;
krb5_crypt_func decrypt;
krb5_str2key_func str2key;
+ krb5_cksumtype required_ctype;
};
struct krb5_cksumtypes {
/* Make this a function eventually? */
#define krb5int_zap_data(ptr, len) memset((volatile void *)ptr, 0, len)
+#if defined(__GNUC__) && defined(__GLIBC__)
+/* GNU libc generates multiple bogus initialization warnings if we
+ pass memset a volatile pointer. The compiler should do well enough
+ with memset even without GNU libc's attempt at optimization. */
+#undef memset
+#endif
#define zap(p,l) krb5int_zap_data(p,l)
/* A definition of init_state for DES based encryption systems.
(krb5_int32 *,
krb5_octet **,
size_t *);
+/* [De]serialize 8-byte integer */
+krb5_error_code KRB5_CALLCONV krb5_ser_pack_int64
+ (krb5_int64, krb5_octet **, size_t *);
+krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int64
+ (krb5_int64 *, krb5_octet **, size_t *);
/* [De]serialize byte string */
krb5_error_code KRB5_CALLCONV krb5_ser_pack_bytes
(krb5_octet *,
void krb5int_set_prompt_types
(krb5_context, krb5_prompt_type *);
+krb5_error_code
+krb5int_generate_and_save_subkey (krb5_context, krb5_auth_context,
+ krb5_keyblock * /* Old keyblock, not new! */);
+
/* set and change password helpers */
krb5_error_code krb5int_mk_chpw_req
extern krb5_error_code krb5int_translate_gai_error (int);
+/* Not sure it's ready for exposure just yet. */
+extern krb5_error_code
+krb5int_c_mandatory_cksumtype (krb5_context, krb5_enctype, krb5_cksumtype *);
+
#endif /* _KRB5_INT_H */
--- /dev/null
+/* Copyright 2003 Massachusetts Institute of Technology. All rights reserved. */
+/* Platform-dependent junk. */
+
+#ifndef K5_PLATFORM_H
+#define K5_PLATFORM_H
+
+#if !defined(inline)
+# if __STDC_VERSION__ >= 199901L
+/* C99 supports inline, don't do anything. */
+# elif defined(__GNUC__)
+# define inline __inline__ /* this form silences -pedantic warnings */
+# elif defined(__mips) && defined(__sgi)
+# define inline __inline /* IRIX used at MIT does inline but not c99 yet */
+# elif defined(__sun) && __SUNPRO_C >= 0x540
+/* The Forte Developer 7 C compiler supports "inline". */
+# elif defined(_WIN32)
+# define inline __inline
+# else
+# define inline /* nothing, just static */
+# endif
+#endif
+
+#include "autoconf.h"
+
+/* 64-bit support: krb5_ui_8 and krb5_int64.
+
+ This should move to krb5.h eventually, but without the namespace
+ pollution from the autoconf macros. */
+#if defined(HAVE_STDINT_H) || defined(HAVE_INTTYPES_H)
+# ifdef HAVE_STDINT_H
+# include <stdint.h>
+# endif
+# ifdef HAVE_INTTYPES_H
+# include <inttypes.h>
+# endif
+# define INT64_TYPE int64_t
+# define UINT64_TYPE uint64_t
+#elif defined(_WIN32)
+# define INT64_TYPE signed __int64
+# define UINT64_TYPE unsigned __int64
+#else /* not Windows, and neither stdint.h nor inttypes.h */
+# define INT64_TYPE signed long long
+# define UINT64_TYPE unsigned long long
+#endif
+
+/* Read and write integer values as (unaligned) octet strings in
+ specific byte orders.
+
+ Add per-platform optimizations later if needed. (E.g., maybe x86
+ unaligned word stores and gcc/asm instructions for byte swaps,
+ etc.) */
+
+static inline void
+store_16_be (unsigned int val, unsigned char *p)
+{
+ p[0] = (val >> 8) & 0xff;
+ p[1] = (val ) & 0xff;
+}
+static inline void
+store_16_le (unsigned int val, unsigned char *p)
+{
+ p[1] = (val >> 8) & 0xff;
+ p[0] = (val ) & 0xff;
+}
+static inline void
+store_32_be (unsigned int val, unsigned char *p)
+{
+ p[0] = (val >> 24) & 0xff;
+ p[1] = (val >> 16) & 0xff;
+ p[2] = (val >> 8) & 0xff;
+ p[3] = (val ) & 0xff;
+}
+static inline void
+store_32_le (unsigned int val, unsigned char *p)
+{
+ p[3] = (val >> 24) & 0xff;
+ p[2] = (val >> 16) & 0xff;
+ p[1] = (val >> 8) & 0xff;
+ p[0] = (val ) & 0xff;
+}
+static inline void
+store_64_be (UINT64_TYPE val, unsigned char *p)
+{
+ p[0] = (val >> 56) & 0xff;
+ p[1] = (val >> 48) & 0xff;
+ p[2] = (val >> 40) & 0xff;
+ p[3] = (val >> 32) & 0xff;
+ p[4] = (val >> 24) & 0xff;
+ p[5] = (val >> 16) & 0xff;
+ p[6] = (val >> 8) & 0xff;
+ p[7] = (val ) & 0xff;
+}
+static inline void
+store_64_le (UINT64_TYPE val, unsigned char *p)
+{
+ p[7] = (val >> 56) & 0xff;
+ p[6] = (val >> 48) & 0xff;
+ p[5] = (val >> 40) & 0xff;
+ p[4] = (val >> 32) & 0xff;
+ p[3] = (val >> 24) & 0xff;
+ p[2] = (val >> 16) & 0xff;
+ p[1] = (val >> 8) & 0xff;
+ p[0] = (val ) & 0xff;
+}
+static inline unsigned short
+load_16_be (unsigned char *p)
+{
+ return (p[1] | (p[0] << 8));
+}
+static inline unsigned short
+load_16_le (unsigned char *p)
+{
+ return (p[0] | (p[1] << 8));
+}
+static inline unsigned int
+load_32_be (unsigned char *p)
+{
+ return (p[3] | (p[2] << 8) | (p[1] << 16) | (p[0] << 24));
+}
+static inline unsigned int
+load_32_le (unsigned char *p)
+{
+ return (p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24));
+}
+static inline UINT64_TYPE
+load_64_be (unsigned char *p)
+{
+ return ((UINT64_TYPE)load_32_be(p) << 32) | load_32_be(p+4);
+}
+static inline UINT64_TYPE
+load_64_le (unsigned char *p)
+{
+ return ((UINT64_TYPE)load_32_le(p+4) << 32) | load_32_le(p);
+}
+
+#endif /* K5_PLATFORM_H */
#define KRB5_AUTH_CONTEXT_DO_SEQUENCE 0x00000004
#define KRB5_AUTH_CONTEXT_RET_SEQUENCE 0x00000008
#define KRB5_AUTH_CONTEXT_PERMIT_ALL 0x00000010
+#define KRB5_AUTH_CONTEXT_USE_SUBKEY 0x00000020
typedef struct krb5_replay_data {
krb5_timestamp timestamp;
#define KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR 0x00000008
/* type of function used as a callback to generate checksum data for
- * mk_req*/
+ * mk_req */
typedef krb5_error_code
(KRB5_CALLCONV * krb5_mk_req_checksum_func) (krb5_context, krb5_auth_context , void *,
+2003-12-13 Ken Raeburn <raeburn@mit.edu>
+
+ * etypes.c (krb5_enctypes_list): Fill in required_ctype field.
+ * mandatory_sumtype.c: New file.
+ * Makefile.in (SRCS, OBJS, STLIBOBJS): Build it.
+
2003-07-22 Ken Raeburn <raeburn@mit.edu>
* block_size.c (krb5_c_block_size): Read new numeric fields for
keyed_checksum_types.o \
make_checksum.o \
make_random_key.o \
+ mandatory_sumtype.o \
nfold.o \
old_api_glue.o \
pbkdf2.o \
$(OUTPRE)keyed_checksum_types.$(OBJEXT) \
$(OUTPRE)make_checksum.$(OBJEXT) \
$(OUTPRE)make_random_key.$(OBJEXT) \
+ $(OUTPRE)mandatory_sumtype.$(OBJEXT) \
$(OUTPRE)nfold.$(OBJEXT) \
$(OUTPRE)old_api_glue.$(OBJEXT) \
$(OUTPRE)pbkdf2.$(OBJEXT) \
$(srcdir)/keyed_checksum_types.c\
$(srcdir)/make_checksum.c \
$(srcdir)/make_random_key.c \
+ $(srcdir)/mandatory_sumtype.c \
$(srcdir)/nfold.c \
$(srcdir)/old_api_glue.c \
$(srcdir)/pbkdf2.c \
"des-cbc-crc", "DES cbc mode with CRC-32",
&krb5int_enc_des, &krb5int_hash_crc32,
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
- krb5int_des_string_to_key },
+ krb5int_des_string_to_key, CKSUMTYPE_RSA_MD5 },
{ ENCTYPE_DES_CBC_MD4,
"des-cbc-md4", "DES cbc mode with RSA-MD4",
&krb5int_enc_des, &krb5int_hash_md4,
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
- krb5int_des_string_to_key },
+ krb5int_des_string_to_key, CKSUMTYPE_RSA_MD4 },
{ ENCTYPE_DES_CBC_MD5,
"des-cbc-md5", "DES cbc mode with RSA-MD5",
&krb5int_enc_des, &krb5int_hash_md5,
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
- krb5int_des_string_to_key },
+ krb5int_des_string_to_key, CKSUMTYPE_RSA_MD5 },
{ ENCTYPE_DES_CBC_MD5,
"des", "DES cbc mode with RSA-MD5", /* alias */
&krb5int_enc_des, &krb5int_hash_md5,
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
- krb5int_des_string_to_key },
+ krb5int_des_string_to_key, CKSUMTYPE_RSA_MD5 },
{ ENCTYPE_DES_CBC_RAW,
"des-cbc-raw", "DES cbc mode raw",
&krb5int_enc_des, NULL,
krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt,
- krb5int_des_string_to_key },
+ krb5int_des_string_to_key, 0 },
{ ENCTYPE_DES3_CBC_RAW,
"des3-cbc-raw", "Triple DES cbc mode raw",
&krb5int_enc_des3, NULL,
krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt,
- krb5int_dk_string_to_key },
+ krb5int_dk_string_to_key, 0 },
{ ENCTYPE_DES3_CBC_SHA1,
"des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
- krb5int_dk_string_to_key },
+ krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES3_CBC_SHA1, /* alias */
"des3-hmac-sha1", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
- krb5int_dk_string_to_key },
+ krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES3_CBC_SHA1, /* alias */
"des3-cbc-sha1-kd", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
- krb5int_dk_string_to_key },
+ krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES_HMAC_SHA1,
"des-hmac-sha1", "DES with HMAC/sha1",
&krb5int_enc_des, &krb5int_hash_sha1,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
- krb5int_dk_string_to_key },
+ krb5int_dk_string_to_key, 0 },
{ ENCTYPE_ARCFOUR_HMAC,
"arcfour-hmac","ArcFour with HMAC/md5", &krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+ CKSUMTYPE_HMAC_MD5_ARCFOUR },
{ ENCTYPE_ARCFOUR_HMAC, /* alias */
"rc4-hmac", "ArcFour with HMAC/md5", &krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+ CKSUMTYPE_HMAC_MD5_ARCFOUR },
{ ENCTYPE_ARCFOUR_HMAC, /* alias */
"arcfour-hmac-md5", "ArcFour with HMAC/md5", &krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+ CKSUMTYPE_HMAC_MD5_ARCFOUR },
{ ENCTYPE_ARCFOUR_HMAC_EXP,
"arcfour-hmac-exp", "Exportable ArcFour with HMAC/md5",
&krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+ CKSUMTYPE_HMAC_MD5_ARCFOUR },
{ ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */
"rc4-hmac-exp", "Exportable ArcFour with HMAC/md5",
&krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+ CKSUMTYPE_HMAC_MD5_ARCFOUR },
{ ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */
"arcfour-hmac-md5-exp", "Exportable ArcFour with HMAC/md5",
&krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+ CKSUMTYPE_HMAC_MD5_ARCFOUR },
{ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
"aes128-cts-hmac-sha1-96", "AES-128 CTS mode with 96-bit SHA-1 HMAC",
&krb5int_enc_aes128, &krb5int_hash_sha1,
krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
- krb5int_aes_string_to_key },
+ krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES128 },
{ ENCTYPE_AES128_CTS_HMAC_SHA1_96, /* alias */
"aes128-cts", "AES-128 CTS mode with 96-bit SHA-1 HMAC",
&krb5int_enc_aes128, &krb5int_hash_sha1,
krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
- krb5int_aes_string_to_key },
+ krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES128 },
{ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
"aes256-cts-hmac-sha1-96", "AES-256 CTS mode with 96-bit SHA-1 HMAC",
&krb5int_enc_aes256, &krb5int_hash_sha1,
krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
- krb5int_aes_string_to_key },
+ krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES256 },
{ ENCTYPE_AES256_CTS_HMAC_SHA1_96, /* alias */
"aes256-cts", "AES-256 CTS mode with 96-bit SHA-1 HMAC",
&krb5int_enc_aes256, &krb5int_hash_sha1,
krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
- krb5int_aes_string_to_key },
+ krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES256 },
#ifdef ATHENA_DES3_KLUDGE
/*
"Triple DES with HMAC/sha1 and 32-bit length code",
&krb5int_enc_des3, &krb5int_hash_sha1,
krb5_marc_dk_encrypt_length, krb5_marc_dk_encrypt, krb5_marc_dk_decrypt,
- krb5int_dk_string_to_key },
+ krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 },
#endif
};
--- /dev/null
+/*
+ * Copyright (C) 2003 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include "k5-int.h"
+#include "etypes.h"
+
+krb5_error_code
+krb5int_c_mandatory_cksumtype (krb5_context ctx, krb5_enctype etype,
+ krb5_cksumtype *cksumtype)
+{
+ int i;
+
+ for (i = 0; i < krb5_enctypes_length; i++)
+ if (krb5_enctypes_list[i].etype == etype) {
+ *cksumtype = krb5_enctypes_list[i].required_ctype;
+ return 0;
+ }
+
+ return KRB5_BAD_ENCTYPE;
+}
+2003-12-13 Ken Raeburn <raeburn@mit.edu>
+
+ * mk_req_ext.c (krb5int_generate_and_save_subkey): New function,
+ split out from krb5_mk_req_extended.
+ (krb5_mk_req_extended): Call it.
+ * mk_rep.c (krb5_mk_rep): If KRB5_AUTH_CONTEXT_USE_SUBKEY flag is
+ set, call krb5int_generate_and_save_subkey to set up a new subkey
+ to send to the client.
+
+ * serialize.c (krb5_ser_pack_int64, krb5_ser_unpack_int64): New
+ functions.
+
2003-10-30 Tom Yu <tlyu@mit.edu>
* gen_seqnum.c (krb5_generate_seq_number): Fix mask; was short by
repl.ctime = auth_context->authentp->ctime;
repl.cusec = auth_context->authentp->cusec;
- repl.subkey = auth_context->authentp->subkey;
+ if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_USE_SUBKEY) {
+ retval = krb5int_generate_and_save_subkey (context, auth_context,
+ auth_context->keyblock);
+ if (retval)
+ return retval;
+ repl.subkey = auth_context->send_subkey;
+ } else
+ repl.subkey = auth_context->authentp->subkey;
repl.seq_number = auth_context->local_seq_number;
/* encode it before encrypting */
krb5_checksum *, krb5_keyblock *,
krb5_ui_4, krb5_authdata ** );
+krb5_error_code
+krb5int_generate_and_save_subkey (krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_keyblock *keyblock)
+{
+ /* Provide some more fodder for random number code.
+ This isn't strong cryptographically; the point here is not
+ to guarantee randomness, but to make it less likely that multiple
+ sessions could pick the same subkey. */
+ struct {
+ krb5_int32 sec, usec;
+ } rnd_data;
+ krb5_data d;
+ krb5_error_code retval;
+
+ krb5_crypto_us_timeofday (&rnd_data.sec, &rnd_data.usec);
+ d.length = sizeof (rnd_data);
+ d.data = (char *) &rnd_data;
+ (void) krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_TIMING, &d);
+
+ if ((retval = krb5_generate_subkey(context, keyblock, &auth_context->send_subkey)))
+ return retval;
+ retval = krb5_copy_keyblock(context, auth_context->send_subkey,
+ &auth_context->recv_subkey);
+ if (retval) {
+ krb5_free_keyblock(context, auth_context->send_subkey);
+ auth_context->send_subkey = NULL;
+ return retval;
+ }
+ return 0;
+}
+
krb5_error_code KRB5_CALLCONV
krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
krb5_flags ap_req_options, krb5_data *in_data,
}
if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->send_subkey)) {
- /* Provide some more fodder for random number code.
- This isn't strong cryptographically; the point here is not
- to guarantee randomness, but to make it less likely that multiple
- sessions could pick the same subkey. */
- struct {
- krb5_int32 sec, usec;
- } rnd_data;
- krb5_data d;
- krb5_crypto_us_timeofday (&rnd_data.sec, &rnd_data.usec);
- d.length = sizeof (rnd_data);
- d.data = (char *) &rnd_data;
- (void) krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_TIMING, &d);
-
- if ((retval = krb5_generate_subkey(context, &(in_creds)->keyblock,
- &(*auth_context)->send_subkey)))
- goto cleanup;
- retval = krb5_copy_keyblock(context, (*auth_context)->send_subkey,
- &((*auth_context)->recv_subkey));
- if (retval) {
- krb5_free_keyblock(context, (*auth_context)->send_subkey);
- (*auth_context)->send_subkey = NULL;
+ retval = krb5int_generate_and_save_subkey (context, *auth_context,
+ &in_creds->keyblock);
+ if (retval)
goto cleanup;
- }
}
}
\f
/*
- * krb5_ser_pack_int32() - Pack a 4-byte integer if space is availble.
+ * krb5_ser_pack_int32() - Pack a 4-byte integer if space is available.
* Update buffer pointer and remaining space.
*/
krb5_error_code KRB5_CALLCONV
return(ENOMEM);
}
\f
+/*
+ * krb5_ser_pack_int64() - Pack an 8-byte integer if space is available.
+ * Update buffer pointer and remaining space.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_ser_pack_int64(krb5_int64 iarg, krb5_octet **bufp, size_t *remainp)
+{
+ if (*remainp >= sizeof(krb5_int64)) {
+ store_64_be(iarg, (unsigned char *)*bufp);
+ *bufp += sizeof(krb5_int64);
+ *remainp -= sizeof(krb5_int64);
+ return(0);
+ }
+ else
+ return(ENOMEM);
+}
+\f
/*
* krb5_ser_pack_bytes() - Pack a string of bytes.
*/
return(ENOMEM);
}
\f
+/*
+ * krb5_ser_unpack_int64() - Unpack an 8-byte integer if it's there.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_ser_unpack_int64(krb5_int64 *intp, krb5_octet **bufp, size_t *remainp)
+{
+ if (*remainp >= sizeof(krb5_int64)) {
+ *intp = load_64_be((unsigned char *)*bufp);
+ *bufp += sizeof(krb5_int64);
+ *remainp -= sizeof(krb5_int64);
+ return(0);
+ }
+ else
+ return(ENOMEM);
+}
+\f
/*
* krb5_ser_unpack_bytes() - Unpack a byte string if it's there.
*/
projects / krb5.git / commitdiff