krb5_error_code (*init_state) (const krb5_keyblock *key,
krb5_keyusage keyusage, krb5_data *out_state);
krb5_error_code (*free_state) (krb5_data *state);
-
+
+ /* In-place encryption/decryption of multiple buffers */
+ krb5_error_code (*encrypt_iov) (const krb5_keyblock *key,
+ const krb5_data *cipher_state,
+ krb5_crypto_iov *data,
+ size_t num_data);
+
+
+ krb5_error_code (*decrypt_iov) (const krb5_keyblock *key,
+ const krb5_data *cipher_state,
+ krb5_crypto_iov *data,
+ size_t num_data);
+
};
struct krb5_hash_provider {
const krb5_data *input,
const krb5_data *hash,
krb5_boolean *valid);
+
+ krb5_error_code (*hash_iov) (const krb5_keyblock *key,
+ krb5_keyusage keyusage,
+ const krb5_data *ivec,
+ const krb5_crypto_iov *data,
+ size_t num_data,
+ krb5_data *output);
+
+ krb5_error_code (*verify_iov) (const krb5_keyblock *key,
+ krb5_keyusage keyusage,
+ const krb5_data *ivec,
+ const krb5_data *input,
+ const krb5_crypto_iov *data,
+ size_t num_data,
+ krb5_boolean *valid);
+};
+
+struct krb5_aead_provider {
+ krb5_error_code (*crypto_length) (const struct krb5_aead_provider *aead,
+ const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ krb5_cryptotype type,
+ size_t *length);
+ krb5_error_code (*encrypt_iov) (const struct krb5_aead_provider *aead,
+ const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ krb5_keyusage keyusage,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data);
+ krb5_error_code (*decrypt_iov) (const struct krb5_aead_provider *aead,
+ const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ krb5_keyusage keyusage,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data);
};
typedef void (*krb5_encrypt_length_func) (const struct krb5_enc_provider *enc,
char *out_string;
const struct krb5_enc_provider *enc;
const struct krb5_hash_provider *hash;
- size_t prf_length;
+ size_t prf_length;
krb5_encrypt_length_func encrypt_len;
krb5_crypt_func encrypt;
krb5_crypt_func decrypt;
krb5_str2key_func str2key;
- krb5_prf_func prf;
+ krb5_prf_func prf;
krb5_cksumtype required_ctype;
+ const struct krb5_aead_provider *aead;
};
struct krb5_cksumtypes {
const krb5_keyblock *key, unsigned int icount,
const krb5_data *input, krb5_data *output);
+krb5_error_code krb5_hmac_iov
+(const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ const krb5_crypto_iov *data, size_t num_data,
+ krb5_data *output);
+
krb5_error_code krb5int_pbkdf2_hmac_sha1 (const krb5_data *, unsigned long,
const krb5_data *,
const krb5_data *);
const krb5_keyblock *key,
unsigned int icount, const krb5_data *input,
krb5_data *output);
+ krb5_error_code (* krb5_hmac_iov) (const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ const krb5_crypto_iov *data, size_t num_data,
+ krb5_data *output);
/* service location and communication */
krb5_error_code (*sendto_udp) (krb5_context, const krb5_data *msg,
const struct addrlist *, struct sendto_callback_info*, krb5_data *reply,
typedef krb5_int32 krb5_cksumtype;
typedef krb5_int32 krb5_authdatatype;
typedef krb5_int32 krb5_keyusage;
+typedef krb5_int32 krb5_cryptotype;
typedef krb5_int32 krb5_preauthtype; /* This may change, later on */
typedef krb5_int32 krb5_flags;
krb5_data ciphertext;
} krb5_enc_data;
+typedef struct _krb5_crypto_iov {
+ krb5_cryptotype flags;
+ krb5_data data;
+} krb5_crypto_iov;
+
/* per Kerberos v5 protocol spec */
#define ENCTYPE_NULL 0x0000
#define ENCTYPE_DES_CBC_CRC 0x0001 /* DES cbc mode with CRC-32 */
krb5_boolean KRB5_CALLCONV krb5_c_is_keyed_cksum
(krb5_cksumtype ctype);
+/* AEAD APIs */
+#define KRB5_CRYPTO_TYPE_EMPTY 0 /* [in] ignored */
+#define KRB5_CRYPTO_TYPE_HEADER 1 /* [out] header */
+#define KRB5_CRYPTO_TYPE_DATA 2 /* [in, out] plaintext */
+#define KRB5_CRYPTO_TYPE_SIGN_ONLY 3 /* [in] associated data */
+#define KRB5_CRYPTO_TYPE_PADDING 4 /* [out] padding */
+#define KRB5_CRYPTO_TYPE_TRAILER 5 /* [out] checksum for encrypt */
+#define KRB5_CRYPTO_TYPE_CHECKSUM 6 /* [out] checksum for MIC */
+#define KRB5_CRYPTO_TYPE_STREAM 7 /* [in] entire message */
+
+krb5_error_code KRB5_CALLCONV
+ krb5_c_make_checksum_iov
+ (krb5_context context, krb5_cksumtype cksumtype,
+ const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_crypto_iov *data, size_t num_data);
+
+krb5_error_code KRB5_CALLCONV
+ krb5_c_verify_checksum_iov
+ (krb5_context context,
+ krb5_cksumtype cksumtype,
+ const krb5_keyblock *key, krb5_keyusage usage,
+ const krb5_crypto_iov *data, size_t num_data,
+ krb5_boolean *valid);
+
+krb5_error_code KRB5_CALLCONV
+ krb5_c_encrypt_iov
+ (krb5_context context, const krb5_keyblock *key,
+ krb5_keyusage usage, const krb5_data *cipher_state,
+ krb5_crypto_iov *data, size_t num_data);
+
+krb5_error_code KRB5_CALLCONV
+ krb5_c_decrypt_iov
+ (krb5_context context, const krb5_keyblock *key,
+ krb5_keyusage usage, const krb5_data *cipher_state,
+ krb5_crypto_iov *data, size_t num_data);
+
+krb5_error_code KRB5_CALLCONV
+ krb5_c_crypto_length
+ (krb5_context context, krb5_enctype enctype,
+ krb5_cryptotype type, unsigned int *size);
+
+krb5_error_code KRB5_CALLCONV
+ krb5_c_crypto_length_iov
+ (krb5_context context, krb5_enctype enctype,
+ krb5_crypto_iov *data, size_t num_data);
+
+krb5_error_code KRB5_CALLCONV
+ krb5_c_padding_length
+ (krb5_context context, krb5_enctype enctype,
+ size_t data_length, unsigned int *size);
+
#ifdef KRB5_OLD_CRYPTO
/*
* old cryptosystem routine prototypes. These are now layered
PROG_RPATH=$(KRB5_LIBDIR)
STLIBOBJS=\
+ aead.o \
block_size.o \
checksum_length.o \
cksumtype_to_string.o \
cksumtypes.o \
coll_proof_cksum.o \
combine_keys.o \
+ crypto_length.o \
crypto_libinit.o \
default_state.o \
decrypt.o \
+ decrypt_iov.o \
encrypt.o \
+ encrypt_iov.o \
encrypt_length.o \
enctype_compare.o \
enctype_to_string.o \
keyed_checksum_types.o \
keylengths.o \
make_checksum.o \
+ make_checksum_iov.o \
make_random_key.o \
mandatory_sumtype.o \
nfold.o \
string_to_key.o \
valid_cksumtype.o \
valid_enctype.o \
- verify_checksum.o
+ verify_checksum.o \
+ verify_checksum_iov.o
OBJS=\
+ $(OUTPRE)aead.$(OBJEXT) \
$(OUTPRE)block_size.$(OBJEXT) \
$(OUTPRE)checksum_length.$(OBJEXT) \
$(OUTPRE)cksumtype_to_string.$(OBJEXT) \
$(OUTPRE)cksumtypes.$(OBJEXT) \
$(OUTPRE)coll_proof_cksum.$(OBJEXT) \
$(OUTPRE)combine_keys.$(OBJEXT) \
+ $(OUTPRE)crypto_length.$(OBJEXT) \
$(OUTPRE)crypto_libinit.$(OBJEXT) \
$(OUTPRE)default_state.$(OBJEXT) \
$(OUTPRE)decrypt.$(OBJEXT) \
+ $(OUTPRE)decrypt_iov.$(OBJEXT) \
$(OUTPRE)encrypt.$(OBJEXT) \
+ $(OUTPRE)encrypt_iov.$(OBJEXT) \
$(OUTPRE)encrypt_length.$(OBJEXT) \
$(OUTPRE)enctype_compare.$(OBJEXT) \
$(OUTPRE)enctype_to_string.$(OBJEXT) \
$(OUTPRE)keyed_checksum_types.$(OBJEXT) \
$(OUTPRE)keylengths.$(OBJEXT) \
$(OUTPRE)make_checksum.$(OBJEXT) \
+ $(OUTPRE)make_checksum_iov.$(OBJEXT) \
$(OUTPRE)make_random_key.$(OBJEXT) \
$(OUTPRE)mandatory_sumtype.$(OBJEXT) \
$(OUTPRE)nfold.$(OBJEXT) \
$(OUTPRE)string_to_key.$(OBJEXT) \
$(OUTPRE)valid_cksumtype.$(OBJEXT) \
$(OUTPRE)valid_enctype.$(OBJEXT) \
- $(OUTPRE)verify_checksum.$(OBJEXT)
+ $(OUTPRE)verify_checksum.$(OBJEXT) \
+ $(OUTPRE)verify_checksum_iov.$(OBJEXT)
SRCS=\
+ $(srcdir)/aead.c \
$(srcdir)/block_size.c \
$(srcdir)/checksum_length.c \
$(srcdir)/cksumtype_to_string.c \
$(srcdir)/cksumtypes.c \
$(srcdir)/coll_proof_cksum.c \
$(srcdir)/combine_keys.c \
+ $(srcdir)/crypto_length.c \
$(srcdir)/crypto_libinit.c \
$(srcdir)/default_state.c \
$(srcdir)/decrypt.c \
+ $(srcdir)/decrypt_iov.c \
$(srcdir)/encrypt.c \
+ $(srcdir)/encrypt_iov.c \
$(srcdir)/encrypt_length.c \
$(srcdir)/enctype_compare.c \
$(srcdir)/enctype_to_string.c \
$(srcdir)/keyed_checksum_types.c\
$(srcdir)/keylengths.c \
$(srcdir)/make_checksum.c \
+ $(srcdir)/make_checksum_iov.c \
$(srcdir)/make_random_key.c \
$(srcdir)/mandatory_sumtype.c \
$(srcdir)/nfold.c \
$(srcdir)/string_to_key.c \
$(srcdir)/valid_cksumtype.c \
$(srcdir)/valid_enctype.c \
- $(srcdir)/verify_checksum.c
+ $(srcdir)/verify_checksum.c \
+ $(srcdir)/verify_checksum_iov.c
LIBBASE=k5crypto
# Makefile dependencies follow. This must be the last section in
# the Makefile.in file
#
+aead.so aead.po $(OUTPRE)aead.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
+ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
+ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
+ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
+ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ aead.c etypes.h aead.h
block_size.so block_size.po $(OUTPRE)block_size.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
$(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
$(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h cksumtypes.h coll_proof_cksum.c
-combine_keys.so combine_keys.po $(OUTPRE)combine_keys.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/dk/dk.h \
- combine_keys.c etypes.h
crypto_libinit.so crypto_libinit.po $(OUTPRE)crypto_libinit.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
$(SRCTOP)/include/socket-utils.h crypto_libinit.c
default_state.so default_state.po $(OUTPRE)default_state.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \
$(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
$(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
$(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
--- /dev/null
+/*
+ * lib/crypto/aead.c
+ *
+ * Copyright 2008 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include "k5-int.h"
+#include "etypes.h"
+#include "cksumtypes.h"
+#include "dk.h"
+#include "aead.h"
+
+krb5_crypto_iov * KRB5_CALLCONV
+krb5int_c_locate_iov(krb5_crypto_iov *data,
+ size_t num_data,
+ krb5_cryptotype type)
+{
+ size_t i;
+ krb5_crypto_iov *iov = NULL;
+
+ if (data == NULL)
+ return NULL;
+
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags == type) {
+ if (iov == NULL)
+ iov = &data[i];
+ else
+ return NULL; /* can't appear twice */
+ }
+ }
+
+ return iov;
+}
+
+static krb5_error_code
+make_unkeyed_checksum_iov(const struct krb5_hash_provider *hash_provider,
+ const krb5_crypto_iov *data,
+ size_t num_data,
+ krb5_data *output)
+{
+ krb5_data *sign_data;
+ size_t num_sign_data;
+ krb5_error_code ret;
+ size_t i, j;
+
+ /* Create a checksum over all the data to be signed */
+ for (i = 0, num_sign_data = 0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+
+ if (SIGN_IOV(iov))
+ num_sign_data++;
+ }
+
+ /* XXX cleanup to avoid alloc */
+ sign_data = (krb5_data *)calloc(num_sign_data, sizeof(krb5_data));
+ if (sign_data == NULL)
+ return ENOMEM;
+
+ for (i = 0, j = 0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+
+ if (SIGN_IOV(iov))
+ sign_data[j++] = iov->data;
+ }
+
+ ret = hash_provider->hash(num_sign_data, sign_data, output);
+
+ free(sign_data);
+
+ return ret;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5int_c_make_checksum_iov(const struct krb5_cksumtypes *cksum_type,
+ const krb5_keyblock *key,
+ krb5_keyusage usage,
+ const krb5_crypto_iov *data,
+ size_t num_data,
+ krb5_data *cksum_data)
+{
+ int e1, e2;
+ krb5_error_code ret;
+
+ if (cksum_type->keyhash != NULL) {
+ /* check if key is compatible */
+
+ if (cksum_type->keyed_etype) {
+ for (e1=0; e1<krb5_enctypes_length; e1++)
+ if (krb5_enctypes_list[e1].etype ==
+ cksum_type->keyed_etype)
+ break;
+
+ for (e2=0; e2<krb5_enctypes_length; e2++)
+ if (krb5_enctypes_list[e2].etype == key->enctype)
+ break;
+
+ if ((e1 == krb5_enctypes_length) ||
+ (e2 == krb5_enctypes_length) ||
+ (krb5_enctypes_list[e1].enc != krb5_enctypes_list[e2].enc)) {
+ ret = KRB5_BAD_ENCTYPE;
+ goto cleanup;
+ }
+ }
+
+ if (cksum_type->keyhash->hash_iov == NULL) {
+ return KRB5_BAD_ENCTYPE;
+ }
+
+ ret = (*(cksum_type->keyhash->hash_iov))(key, usage, 0,
+ data, num_data, cksum_data);
+ } else if (cksum_type->flags & KRB5_CKSUMFLAG_DERIVE) {
+ ret = krb5_dk_make_checksum_iov(cksum_type->hash,
+ key, usage, data, num_data,
+ cksum_data);
+ } else {
+ ret = make_unkeyed_checksum_iov(cksum_type->hash, data, num_data,
+ cksum_data);
+ }
+
+ if (ret == 0) {
+ if (cksum_type->trunc_size) {
+ cksum_data->length = cksum_type->trunc_size;
+ }
+ }
+
+cleanup:
+ if (ret != 0) {
+ memset(cksum_data->data, 0, cksum_data->length);
+ }
+
+ return ret;
+}
+
+const struct krb5_cksumtypes * KRB5_CALLCONV
+krb5int_c_find_checksum_type(krb5_cksumtype cksumtype)
+{
+ size_t i;
+
+ for (i = 0; i < krb5_cksumtypes_length; i++) {
+ if (krb5_cksumtypes_list[i].ctype == cksumtype)
+ break;
+ }
+
+ if (i == krb5_cksumtypes_length)
+ return NULL;
+
+ return &krb5_cksumtypes_list[i];
+}
+
+#ifdef DEBUG_IOV
+static void
+dump_block(const char *tag,
+ size_t i,
+ size_t j,
+ unsigned char *block,
+ size_t block_size)
+{
+ size_t k;
+
+ printf("[%s: %d.%d] ", tag, i, j);
+
+ for (k = 0; k < block_size; k++)
+ printf("%02x ", block[k] & 0xFF);
+
+ printf("\n");
+}
+#endif
+
+static int
+process_block_p(const krb5_crypto_iov *data,
+ size_t num_data,
+ struct iov_block_state *iov_state,
+ size_t i)
+{
+ const krb5_crypto_iov *iov = &data[i];
+ int process_block;
+
+ switch (iov->flags) {
+ case KRB5_CRYPTO_TYPE_SIGN_ONLY:
+ process_block = iov_state->include_sign_only;
+ break;
+ case KRB5_CRYPTO_TYPE_PADDING:
+ process_block = (iov_state->pad_to_boundary == 0);
+ break;
+ case KRB5_CRYPTO_TYPE_HEADER:
+ process_block = (iov_state->ignore_header == 0);
+ break;
+ case KRB5_CRYPTO_TYPE_DATA:
+ process_block = 1;
+ break;
+ default:
+ process_block = 0;
+ break;
+ }
+
+ return process_block;
+}
+
+/*
+ * Returns TRUE if, having reached the end of the current buffer,
+ * we should pad the rest of the block with zeros.
+ */
+static int
+pad_to_boundary_p(const krb5_crypto_iov *data,
+ size_t num_data,
+ struct iov_block_state *iov_state,
+ size_t i,
+ size_t j)
+{
+ /* If the pad_to_boundary flag is unset, return FALSE */
+ if (iov_state->pad_to_boundary == 0)
+ return 0;
+
+ /* If we haven't got any data, we need to get some */
+ if (j == 0)
+ return 0;
+
+ /* No boundary between adjacent buffers marked for processing */
+ if (data[iov_state->iov_pos].flags == data[i].flags)
+ return 0;
+
+ return 1;
+}
+
+krb5_boolean KRB5_CALLCONV
+krb5int_c_iov_get_block(unsigned char *block,
+ size_t block_size,
+ const krb5_crypto_iov *data,
+ size_t num_data,
+ struct iov_block_state *iov_state)
+{
+ size_t i, j = 0;
+
+ for (i = iov_state->iov_pos; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+ size_t nbytes;
+
+ if (!process_block_p(data, num_data, iov_state, i))
+ continue;
+
+ if (pad_to_boundary_p(data, num_data, iov_state, i, j))
+ break;
+
+ iov_state->iov_pos = i;
+
+ nbytes = iov->data.length - iov_state->data_pos;
+ if (nbytes > block_size - j)
+ nbytes = block_size - j;
+
+ memcpy(block + j, iov->data.data + iov_state->data_pos, nbytes);
+
+ iov_state->data_pos += nbytes;
+ j += nbytes;
+
+ assert(j <= block_size);
+
+ if (j == block_size)
+ break;
+
+ assert(iov_state->data_pos == iov->data.length);
+
+ iov_state->data_pos = 0;
+ }
+
+ iov_state->iov_pos = i;
+
+ if (j != block_size)
+ memset(block + j, 0, block_size - j);
+
+#ifdef DEBUG_IOV
+ if (iov_state->iov_pos < num_data)
+ dump_block("get_block", i, j, block, block_size);
+#endif
+
+ return (iov_state->iov_pos < num_data);
+}
+
+krb5_boolean KRB5_CALLCONV
+krb5int_c_iov_put_block(const krb5_crypto_iov *data,
+ size_t num_data,
+ unsigned char *block,
+ size_t block_size,
+ struct iov_block_state *iov_state)
+{
+ size_t i, j = 0;
+
+ for (i = iov_state->iov_pos; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+ size_t nbytes;
+
+ if (!process_block_p(data, num_data, iov_state, i))
+ continue;
+
+ if (pad_to_boundary_p(data, num_data, iov_state, i, j))
+ break;
+
+ iov_state->iov_pos = i;
+
+ nbytes = iov->data.length - iov_state->data_pos;
+ if (nbytes > block_size - j)
+ nbytes = block_size - j;
+
+ memcpy(iov->data.data + iov_state->data_pos, block + j, nbytes);
+
+ iov_state->data_pos += nbytes;
+ j += nbytes;
+
+ assert(j <= block_size);
+
+ if (j == block_size)
+ break;
+
+ assert(iov_state->data_pos == iov->data.length);
+
+ iov_state->data_pos = 0;
+ }
+
+ iov_state->iov_pos = i;
+
+#ifdef DEBUG_IOV
+ if (iov_state->iov_pos < num_data)
+ dump_block("put_block", i, j, block, block_size);
+#endif
+
+ return (iov_state->iov_pos < num_data);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5int_c_iov_decrypt_stream(const struct krb5_aead_provider *aead,
+ const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ krb5_keyusage keyusage,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ krb5_error_code ret;
+ size_t header_len, trailer_len, padding_len;
+ krb5_crypto_iov *iov;
+ krb5_crypto_iov *stream;
+ size_t i, j;
+ int got_data = 0;
+
+ stream = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_STREAM);
+ assert(stream != NULL);
+
+ ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_HEADER, &header_len);
+ if (ret != 0)
+ return ret;
+
+ ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER, &trailer_len);
+ if (ret != 0)
+ return ret;
+
+ ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING, &padding_len);
+ if (ret != 0)
+ return ret;
+
+ if (stream->data.length < header_len + trailer_len)
+ return KRB5_BAD_MSIZE;
+
+ iov = (krb5_crypto_iov *)calloc(num_data + 2, sizeof(krb5_crypto_iov));
+ if (iov == NULL)
+ return ENOMEM;
+
+ i = 0;
+
+ iov[i].flags = KRB5_CRYPTO_TYPE_HEADER; /* takes place of STREAM */
+ iov[i].data.data = stream->data.data;
+ iov[i].data.length = header_len;
+ i++;
+
+ for (j = 0; j < num_data; j++) {
+ if (data[j].flags == KRB5_CRYPTO_TYPE_DATA) {
+ if (got_data) {
+ free(iov);
+ return KRB5_BAD_MSIZE;
+ }
+
+ got_data++;
+
+ data[j].data.data = stream->data.data + header_len;
+ data[j].data.length = stream->data.length - header_len - trailer_len;
+ }
+ if (data[j].flags == KRB5_CRYPTO_TYPE_SIGN_ONLY ||
+ data[j].flags == KRB5_CRYPTO_TYPE_DATA)
+ iov[i++] = data[j];
+ }
+
+ /* XXX not self-describing with respect to length, this is the best we can do */
+ iov[i].flags = KRB5_CRYPTO_TYPE_PADDING;
+ iov[i].data.data = NULL;
+ iov[i].data.length = 0;
+ i++;
+
+ iov[i].flags = KRB5_CRYPTO_TYPE_TRAILER;
+ iov[i].data.data = stream->data.data + stream->data.length - trailer_len;
+ iov[i].data.length = trailer_len;
+ i++;
+
+ assert(i <= num_data + 2);
+
+ ret = aead->decrypt_iov(aead, enc, hash, key, keyusage, ivec, iov, i);
+
+ free(iov);
+
+ return ret;
+}
+
--- /dev/null
+/*
+ * lib/crypto/aead.h
+ *
+ * Copyright 2008 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include "k5-int.h"
+
+/* AEAD helpers */
+
+krb5_crypto_iov * KRB5_CALLCONV
+krb5int_c_locate_iov(krb5_crypto_iov *data,
+ size_t num_data,
+ krb5_cryptotype type);
+
+krb5_error_code KRB5_CALLCONV
+krb5int_c_make_checksum_iov(const struct krb5_cksumtypes *cksum,
+ const krb5_keyblock *key,
+ krb5_keyusage usage,
+ const krb5_crypto_iov *data,
+ size_t num_data,
+ krb5_data *cksum_data);
+
+const struct krb5_cksumtypes * KRB5_CALLCONV
+krb5int_c_find_checksum_type(krb5_cksumtype cksumtype);
+
+#define ENCRYPT_CONF_IOV(_iov) ((_iov)->flags == KRB5_CRYPTO_TYPE_HEADER)
+
+#define ENCRYPT_DATA_IOV(_iov) ((_iov)->flags == KRB5_CRYPTO_TYPE_DATA || \
+ (_iov)->flags == KRB5_CRYPTO_TYPE_PADDING)
+
+#define ENCRYPT_IOV(_iov) (ENCRYPT_CONF_IOV(_iov) || ENCRYPT_DATA_IOV(_iov))
+
+#define SIGN_IOV(_iov) (ENCRYPT_IOV(_iov) || \
+ (_iov)->flags == KRB5_CRYPTO_TYPE_SIGN_ONLY )
+
+struct iov_block_state {
+ size_t iov_pos; /* index into iov array */
+ size_t data_pos; /* index into iov contents */
+ unsigned int ignore_header : 1; /* have/should we process HEADER */
+ unsigned int include_sign_only : 1; /* should we process SIGN_ONLY blocks */
+ unsigned int pad_to_boundary : 1; /* should we zero fill blocks until next buffer */
+};
+
+#define IOV_BLOCK_STATE_INIT(_state) ((_state)->iov_pos = \
+ (_state)->data_pos = \
+ (_state)->ignore_header = \
+ (_state)->include_sign_only = \
+ (_state)->pad_to_boundary = 0)
+
+krb5_boolean KRB5_CALLCONV
+krb5int_c_iov_get_block(unsigned char *block,
+ size_t block_size,
+ const krb5_crypto_iov *data,
+ size_t num_data,
+ struct iov_block_state *iov_state);
+
+krb5_boolean KRB5_CALLCONV
+krb5int_c_iov_put_block(const krb5_crypto_iov *data,
+ size_t num_data,
+ unsigned char *block,
+ size_t block_size,
+ struct iov_block_state *iov_state);
+
+krb5_error_code KRB5_CALLCONV
+krb5int_c_iov_decrypt_stream(const struct krb5_aead_provider *aead,
+ const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ krb5_keyusage keyusage,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data);
+
STLIBOBJS=\
arcfour.o \
+ arcfour_aead.o \
arcfour_s2k.o
OBJS=\
$(OUTPRE)arcfour.$(OBJEXT) \
+ $(OUTPRE)arcfour_aead.$(OBJEXT) \
$(OUTPRE)arcfour_s2k.$(OBJEXT)
SRCS=\
$(srcdir)/arcfour.c \
+ $(srcdir)/arcfour_aead.c\
$(srcdir)/arcfour_s2k.c
##DOS##LIBOBJS = $(OBJS)
krb5_keyusage krb5int_arcfour_translate_usage(krb5_keyusage usage);
+extern const char *const krb5int_arcfour_l40;
#endif /* ARCFOUR_INT_H */
*/
#include "k5-int.h"
#include "arcfour-int.h"
-static const char *const l40 = "fortybits";
+const char *const krb5int_arcfour_l40 = "fortybits";
void
krb5_arcfour_encrypt_length(const struct krb5_enc_provider *enc,
/* begin the encryption, computer K1 */
ms_usage=krb5int_arcfour_translate_usage(usage);
if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
- strncpy(salt.data, l40, salt.length);
+ strncpy(salt.data, krb5int_arcfour_l40, salt.length);
store_32_le(ms_usage, salt.data+10);
} else {
salt.length=4;
/* compute the salt */
ms_usage=krb5int_arcfour_translate_usage(usage);
if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
- strncpy(salt.data, l40, salt.length);
+ strncpy(salt.data, krb5int_arcfour_l40, salt.length);
salt.data[10]=ms_usage & 0xff;
salt.data[11]=(ms_usage>>8) & 0xff;
salt.data[12]=(ms_usage>>16) & 0xff;
krb5_keyblock *);
extern const struct krb5_enc_provider krb5int_enc_arcfour;
+extern const struct krb5_aead_provider krb5int_aead_arcfour;
+
#endif /* ARCFOUR_H */
--- /dev/null
+/*
+ * lib/crypto/arcfour/arcfour_aead.c
+ *
+ * Copyright 2008 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+
+#include "k5-int.h"
+#include "arcfour.h"
+#include "arcfour-int.h"
+#include "aead.h"
+
+/* AEAD */
+
+static krb5_error_code
+krb5int_arcfour_crypto_length(const struct krb5_aead_provider *aead,
+ const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ krb5_cryptotype type,
+ size_t *length)
+{
+ switch (type) {
+ case KRB5_CRYPTO_TYPE_HEADER:
+ *length = hash->hashsize + CONFOUNDERLENGTH;
+ break;
+ case KRB5_CRYPTO_TYPE_PADDING:
+ *length = 0;
+ break;
+ case KRB5_CRYPTO_TYPE_TRAILER:
+ *length = 0;
+ break;
+ case KRB5_CRYPTO_TYPE_CHECKSUM:
+ *length = hash->hashsize;
+ break;
+ default:
+ assert(0 && "invalid cryptotype passed to krb5int_arcfour_crypto_length");
+ break;
+ }
+
+ return 0;
+}
+
+static krb5_error_code
+alloc_derived_key(const struct krb5_enc_provider *enc,
+ krb5_keyblock *dst,
+ krb5_data *data,
+ const krb5_keyblock *src)
+{
+ data->length = enc->keybytes;
+ data->data = malloc(data->length);
+ if (data->data == NULL)
+ return ENOMEM;
+
+ *dst = *src;
+ dst->length = data->length;
+ dst->contents = (void *)data->data;
+
+ return 0;
+}
+
+static krb5_error_code
+krb5int_arcfour_encrypt_iov(const struct krb5_aead_provider *aead,
+ const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ krb5_keyusage usage,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ krb5_error_code ret;
+ krb5_crypto_iov *header, *trailer;
+ krb5_keyblock k1, k2, k3;
+ krb5_data d1, d2, d3;
+ krb5_data checksum, confounder, header_data;
+ krb5_keyusage ms_usage;
+ char salt_data[14];
+ krb5_data salt;
+ size_t i;
+
+ d1.length = d2.length = d3.length = 0;
+ d1.data = d2.data = d3.data = NULL;
+
+ /*
+ * Caller must have provided space for the header, padding
+ * and trailer; per RFC 4757 we will arrange it as:
+ *
+ * Checksum | E(Confounder | Plaintext)
+ */
+
+ header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
+ if (header == NULL ||
+ header->data.length < hash->hashsize + CONFOUNDERLENGTH)
+ return KRB5_BAD_MSIZE;
+
+ header_data = header->data;
+
+ /* Trailer may be absent */
+ trailer = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
+ if (trailer != NULL)
+ trailer->data.length = 0;
+
+ /* Ensure that there is no padding */
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags == KRB5_CRYPTO_TYPE_PADDING)
+ data[i].data.length = 0;
+ }
+
+ ret = alloc_derived_key(enc, &k1, &d1, key);
+ if (ret != 0)
+ goto cleanup;
+
+ ret = alloc_derived_key(enc, &k2, &d2, key);
+ if (ret != 0)
+ goto cleanup;
+
+ ret = alloc_derived_key(enc, &k3, &d3, key);
+ if (ret != 0)
+ goto cleanup;
+
+ /* Begin the encryption, compute K1 */
+ salt.data = salt_data;
+ salt.length = sizeof(salt_data);
+
+ ms_usage = krb5int_arcfour_translate_usage(usage);
+
+ if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+ strncpy(salt.data, krb5int_arcfour_l40, salt.length);
+ store_32_le(ms_usage, (unsigned char *)salt.data + 10);
+ } else {
+ salt.length = 4;
+ store_32_le(ms_usage, (unsigned char *)salt.data);
+ }
+ ret = krb5_hmac(hash, key, 1, &salt, &d1);
+ if (ret != 0)
+ goto cleanup;
+
+ memcpy(k2.contents, k1.contents, k2.length);
+
+ if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
+ memset(k1.contents + 7, 0xAB, 9);
+
+ header->data.length = hash->hashsize + CONFOUNDERLENGTH;
+
+ confounder.data = header->data.data + hash->hashsize;
+ confounder.length = CONFOUNDERLENGTH;
+
+ ret = krb5_c_random_make_octets(0, &confounder);
+ if (ret != 0)
+ goto cleanup;
+
+ checksum.data = header->data.data;
+ checksum.length = hash->hashsize;
+
+ /* Adjust pointers so confounder is at start of header */
+ header->data.length -= hash->hashsize;
+ header->data.data += hash->hashsize;
+
+ ret = krb5_hmac_iov(hash, &k2, data, num_data, &checksum);
+ if (ret != 0)
+ goto cleanup;
+
+ ret = krb5_hmac(hash, &k1, 1, &checksum, &d3);
+ if (ret != 0)
+ goto cleanup;
+
+ ret = enc->encrypt_iov(&k3, ivec, data, num_data);
+ if (ret != 0)
+ goto cleanup;
+
+cleanup:
+ header->data = header_data; /* restore header pointers */
+
+ if (d1.data != NULL) {
+ memset(d1.data, 0, d1.length);
+ free(d1.data);
+ }
+ if (d2.data != NULL) {
+ memset(d2.data, 0, d2.length);
+ free(d2.data);
+ }
+ if (d3.data != NULL) {
+ memset(d3.data, 0, d3.length);
+ free(d3.data);
+ }
+
+ return ret;
+}
+
+static krb5_error_code
+krb5int_arcfour_decrypt_iov(const struct krb5_aead_provider *aead,
+ const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ krb5_keyusage usage,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ krb5_error_code ret;
+ krb5_crypto_iov *header, *trailer;
+ krb5_keyblock k1, k2, k3;
+ krb5_data d1, d2, d3;
+ krb5_data checksum, header_data;
+ krb5_keyusage ms_usage;
+ char salt_data[14];
+ krb5_data salt;
+
+ d1.length = d2.length = d3.length = 0;
+ d1.data = d2.data = d3.data = NULL;
+
+ header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
+ if (header == NULL ||
+ header->data.length != hash->hashsize + CONFOUNDERLENGTH)
+ return KRB5_BAD_MSIZE;
+
+ header_data = header->data;
+
+ trailer = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
+ if (trailer != NULL && trailer->data.length != 0)
+ return KRB5_BAD_MSIZE;
+
+ ret = alloc_derived_key(enc, &k1, &d1, key);
+ if (ret != 0)
+ goto cleanup;
+
+ ret = alloc_derived_key(enc, &k2, &d2, key);
+ if (ret != 0)
+ goto cleanup;
+
+ ret = alloc_derived_key(enc, &k3, &d3, key);
+ if (ret != 0)
+ goto cleanup;
+
+ /* Begin the decryption, compute K1 */
+ salt.data = salt_data;
+ salt.length = sizeof(salt_data);
+
+ ms_usage = krb5int_arcfour_translate_usage(usage);
+
+ if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+ strncpy(salt.data, krb5int_arcfour_l40, salt.length);
+ store_32_le(ms_usage, (unsigned char *)salt.data + 10);
+ } else {
+ salt.length = 4;
+ store_32_le(ms_usage, (unsigned char *)salt.data);
+ }
+ ret = krb5_hmac(hash, key, 1, &salt, &d1);
+ if (ret != 0)
+ goto cleanup;
+
+ memcpy(k2.contents, k1.contents, k2.length);
+
+ if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
+ memset(k1.contents + 7, 0xAB, 9);
+
+ checksum.data = header->data.data;
+ checksum.length = hash->hashsize;
+
+ /* Adjust pointers so confounder is at start of header */
+ header->data.length -= hash->hashsize;
+ header->data.data += hash->hashsize;
+
+ ret = krb5_hmac(hash, &k1, 1, &checksum, &d3);
+ if (ret != 0)
+ goto cleanup;
+
+ ret = enc->decrypt_iov(&k3, ivec, data, num_data);
+ if (ret != 0)
+ goto cleanup;
+
+ ret = krb5_hmac_iov(hash, &k2, data, num_data, &d1);
+ if (ret != 0)
+ goto cleanup;
+
+ if (memcmp(checksum.data, d1.data, hash->hashsize) != 0) {
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ goto cleanup;
+ }
+
+cleanup:
+ header->data = header_data; /* restore header pointers */
+
+ if (d1.data != NULL) {
+ memset(d1.data, 0, d1.length);
+ free(d1.data);
+ }
+ if (d2.data != NULL) {
+ memset(d2.data, 0, d2.length);
+ free(d2.data);
+ }
+ if (d3.data != NULL) {
+ memset(d3.data, 0, d3.length);
+ free(d3.data);
+ }
+
+ return ret;
+}
+
+const struct krb5_aead_provider krb5int_aead_arcfour = {
+ krb5int_arcfour_crypto_length,
+ krb5int_arcfour_encrypt_iov,
+ krb5int_arcfour_decrypt_iov
+};
+
--- /dev/null
+/*
+ * lib/crypto/crypto_length.c
+ *
+ * Copyright 2008 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include "k5-int.h"
+#include "etypes.h"
+#include "aead.h"
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_crypto_length(krb5_context context,
+ krb5_enctype enctype,
+ krb5_cryptotype type,
+ unsigned int *size)
+{
+ int i;
+ const struct krb5_keytypes *ktp = NULL;
+ krb5_error_code ret;
+
+ for (i = 0; i < krb5_enctypes_length; i++) {
+ if (krb5_enctypes_list[i].etype == enctype) {
+ ktp = &krb5_enctypes_list[i];
+ break;
+ }
+ }
+
+ if (ktp == NULL || ktp->aead == NULL) {
+ return KRB5_BAD_ENCTYPE;
+ }
+
+ switch (type) {
+ case KRB5_CRYPTO_TYPE_EMPTY:
+ case KRB5_CRYPTO_TYPE_SIGN_ONLY:
+ *size = 0;
+ ret = 0;
+ break;
+ case KRB5_CRYPTO_TYPE_DATA:
+ *size = (size_t)~0; /* match Heimdal */
+ ret = 0;
+ break;
+ case KRB5_CRYPTO_TYPE_HEADER:
+ case KRB5_CRYPTO_TYPE_PADDING:
+ case KRB5_CRYPTO_TYPE_TRAILER:
+ case KRB5_CRYPTO_TYPE_CHECKSUM:
+ ret = ktp->aead->crypto_length(ktp->aead, ktp->enc, ktp->hash, type, size);
+ break;
+ default:
+ ret = EINVAL;
+ break;
+ }
+
+ return ret;
+}
+
+static krb5_error_code
+k5_padding_length(const struct krb5_keytypes *ktp,
+ size_t data_length,
+ unsigned int *pad_length)
+{
+ unsigned int padding;
+ krb5_error_code ret;
+
+ ret = ktp->aead->crypto_length(ktp->aead, ktp->enc, ktp->hash,
+ KRB5_CRYPTO_TYPE_PADDING, &padding);
+ if (ret != 0)
+ return ret;
+
+ if (padding == 0 || (data_length % padding) == 0)
+ *pad_length = 0;
+ else
+ *pad_length = padding - (data_length % padding);
+
+ return 0;
+}
+
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_padding_length(krb5_context context,
+ krb5_enctype enctype,
+ size_t data_length,
+ unsigned int *pad_length)
+{
+ int i;
+ const struct krb5_keytypes *ktp = NULL;
+
+ for (i = 0; i < krb5_enctypes_length; i++) {
+ if (krb5_enctypes_list[i].etype == enctype) {
+ ktp = &krb5_enctypes_list[i];
+ break;
+ }
+ }
+
+ if (ktp == NULL || ktp->aead == NULL) {
+ return KRB5_BAD_ENCTYPE;
+ }
+
+ return k5_padding_length(ktp, data_length, pad_length);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_crypto_length_iov(krb5_context context,
+ krb5_enctype enctype,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ krb5_error_code ret = 0;
+ size_t i;
+ const struct krb5_keytypes *ktp = NULL;
+ size_t data_length = 0, pad_length;
+ krb5_crypto_iov *padding = NULL;
+
+ /*
+ * XXX need to rejig internal interface so we can accurately
+ * report variable header lengths
+ */
+
+ for (i = 0; i < krb5_enctypes_length; i++) {
+ if (krb5_enctypes_list[i].etype == enctype) {
+ ktp = &krb5_enctypes_list[i];
+ break;
+ }
+ }
+
+ if (ktp == NULL || ktp->aead == NULL) {
+ return KRB5_BAD_ENCTYPE;
+ }
+
+ for (i = 0; i < num_data; i++) {
+ krb5_crypto_iov *iov = &data[i];
+
+ switch (iov->flags) {
+ case KRB5_CRYPTO_TYPE_DATA:
+ data_length += iov->data.length;
+ break;
+ case KRB5_CRYPTO_TYPE_PADDING:
+ if (padding != NULL)
+ return EINVAL;
+
+ padding = iov;
+ break;
+ case KRB5_CRYPTO_TYPE_HEADER:
+ case KRB5_CRYPTO_TYPE_TRAILER:
+ case KRB5_CRYPTO_TYPE_CHECKSUM:
+ ret = ktp->aead->crypto_length(ktp->aead, ktp->enc, ktp->hash, iov->flags, &iov->data.length);
+ break;
+ case KRB5_CRYPTO_TYPE_EMPTY:
+ case KRB5_CRYPTO_TYPE_SIGN_ONLY:
+ default:
+ break;
+ }
+
+ if (ret != 0)
+ break;
+ }
+
+ if (ret != 0)
+ return ret;
+
+ ret = k5_padding_length(ktp, data_length, &pad_length);
+ if (ret != 0)
+ return ret;
+
+ if (pad_length != 0 && padding == NULL)
+ return EINVAL;
+
+ if (padding != NULL)
+ padding->data.length = pad_length;
+
+ return 0;
+}
+
--- /dev/null
+/*
+ * lib/crypto/encrypt_iov.c
+ *
+ * Copyright 2008 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include "k5-int.h"
+#include "etypes.h"
+#include "aead.h"
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_decrypt_iov(krb5_context context,
+ const krb5_keyblock *key,
+ krb5_keyusage usage,
+ const krb5_data *cipher_state,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ int i;
+ const struct krb5_keytypes *ktp = NULL;
+
+ for (i = 0; i < krb5_enctypes_length; i++) {
+ if (krb5_enctypes_list[i].etype == key->enctype) {
+ ktp = &krb5_enctypes_list[i];
+ break;
+ }
+ }
+
+ if (ktp == NULL || ktp->aead == NULL) {
+ return KRB5_BAD_ENCTYPE;
+ }
+
+ if (krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_STREAM) != NULL) {
+ return krb5int_c_iov_decrypt_stream(ktp->aead, ktp->enc, ktp->hash,
+ key, usage, cipher_state, data, num_data);
+ }
+
+ return ktp->aead->decrypt_iov(ktp->aead, ktp->enc, ktp->hash,
+ key, usage, cipher_state, data, num_data);
+}
+
STLIBOBJS=\
afsstring2key.o \
d3_cbc.o \
+ d3_aead.o \
d3_kysched.o \
f_cbc.o \
f_cksum.o \
OBJS= $(OUTPRE)afsstring2key.$(OBJEXT) \
$(OUTPRE)d3_cbc.$(OBJEXT) \
+ $(OUTPRE)d3_aead.$(OBJEXT) \
$(OUTPRE)d3_kysched.$(OBJEXT) \
$(OUTPRE)f_cbc.$(OBJEXT) \
$(OUTPRE)f_cksum.$(OBJEXT) \
SRCS= $(srcdir)/afsstring2key.c \
$(srcdir)/d3_cbc.c \
+ $(srcdir)/d3_aead.c \
$(srcdir)/d3_kysched.c \
$(srcdir)/f_cbc.c \
$(srcdir)/f_cksum.c \
--- /dev/null
+/*
+ * Copyright (C) 2008 by the Massachusetts Institute of Technology.
+ * Copyright 1995 by Richard P. Basch. All Rights Reserved.
+ * Copyright 1995 by Lehman Brothers, Inc. All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of Richard P. Basch, Lehman Brothers and M.I.T. not be used
+ * in advertising or publicity pertaining to distribution of the software
+ * without specific, written prior permission. Richard P. Basch,
+ * Lehman Brothers and M.I.T. make no representations about the suitability
+ * of this software for any purpose. It is provided "as is" without
+ * express or implied warranty.
+ */
+
+#include "des_int.h"
+#include "f_tables.h"
+#include "../aead.h"
+
+void
+krb5int_des3_cbc_encrypt_iov(krb5_crypto_iov *data,
+ unsigned long num_data,
+ const mit_des_key_schedule ks1,
+ const mit_des_key_schedule ks2,
+ const mit_des_key_schedule ks3,
+ mit_des_cblock ivec)
+{
+ unsigned DES_INT32 left, right;
+ const unsigned DES_INT32 *kp1, *kp2, *kp3;
+ const unsigned char *ip;
+ unsigned char *op;
+ struct iov_block_state input_pos, output_pos;
+ unsigned char iblock[MIT_DES_BLOCK_LENGTH];
+ unsigned char oblock[MIT_DES_BLOCK_LENGTH];
+
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
+
+ /*
+ * Get key pointer here. This won't need to be reinitialized
+ */
+ kp1 = (const unsigned DES_INT32 *)ks1;
+ kp2 = (const unsigned DES_INT32 *)ks2;
+ kp3 = (const unsigned DES_INT32 *)ks3;
+
+ /*
+ * Initialize left and right with the contents of the initial
+ * vector.
+ */
+ if (ivec != NULL)
+ ip = ivec;
+ else
+ ip = mit_des_zeroblock;
+ GET_HALF_BLOCK(left, ip);
+ GET_HALF_BLOCK(right, ip);
+
+ /*
+ * Suitably initialized, now work the length down 8 bytes
+ * at a time.
+ */
+ for (;;) {
+ unsigned DES_INT32 temp;
+
+ ip = iblock;
+ op = oblock;
+
+ if (!krb5int_c_iov_get_block(iblock, MIT_DES_BLOCK_LENGTH, data, num_data, &input_pos))
+ break;
+
+ GET_HALF_BLOCK(temp, ip);
+ left ^= temp;
+ GET_HALF_BLOCK(temp, ip);
+ right ^= temp;
+
+ /*
+ * Encrypt what we have
+ */
+ DES_DO_ENCRYPT(left, right, kp1);
+ DES_DO_DECRYPT(left, right, kp2);
+ DES_DO_ENCRYPT(left, right, kp3);
+
+ /*
+ * Copy the results out
+ */
+ PUT_HALF_BLOCK(left, op);
+ PUT_HALF_BLOCK(right, op);
+
+ krb5int_c_iov_put_block(data, num_data, oblock, MIT_DES_BLOCK_LENGTH, &output_pos);
+ }
+
+ if (ivec != NULL)
+ memcpy(ivec, oblock, MIT_DES_BLOCK_LENGTH);
+}
+
+void
+krb5int_des3_cbc_decrypt_iov(krb5_crypto_iov *data,
+ unsigned long num_data,
+ const mit_des_key_schedule ks1,
+ const mit_des_key_schedule ks2,
+ const mit_des_key_schedule ks3,
+ mit_des_cblock ivec)
+{
+ unsigned DES_INT32 left, right;
+ const unsigned DES_INT32 *kp1, *kp2, *kp3;
+ const unsigned char *ip;
+ unsigned DES_INT32 ocipherl, ocipherr;
+ unsigned DES_INT32 cipherl, cipherr;
+ unsigned char *op;
+ struct iov_block_state input_pos, output_pos;
+ unsigned char iblock[MIT_DES_BLOCK_LENGTH];
+ unsigned char oblock[MIT_DES_BLOCK_LENGTH];
+
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
+
+ /*
+ * Get key pointer here. This won't need to be reinitialized
+ */
+ kp1 = (const unsigned DES_INT32 *)ks1;
+ kp2 = (const unsigned DES_INT32 *)ks2;
+ kp3 = (const unsigned DES_INT32 *)ks3;
+
+ /*
+ * Decrypting is harder than encrypting because of
+ * the necessity of remembering a lot more things.
+ * Should think about this a little more...
+ */
+
+ if (num_data == 0)
+ return;
+
+ /*
+ * Prime the old cipher with ivec.
+ */
+ if (ivec != NULL)
+ ip = ivec;
+ else
+ ip = mit_des_zeroblock;
+ GET_HALF_BLOCK(ocipherl, ip);
+ GET_HALF_BLOCK(ocipherr, ip);
+
+ /*
+ * Now do this in earnest until we run out of length.
+ */
+ for (;;) {
+ /*
+ * Read a block from the input into left and
+ * right. Save this cipher block for later.
+ */
+
+ if (!krb5int_c_iov_get_block(iblock, MIT_DES_BLOCK_LENGTH, data, num_data, &input_pos))
+ break;
+
+ ip = iblock;
+ op = oblock;
+
+ GET_HALF_BLOCK(left, ip);
+ GET_HALF_BLOCK(right, ip);
+ cipherl = left;
+ cipherr = right;
+
+ /*
+ * Decrypt this.
+ */
+ DES_DO_DECRYPT(left, right, kp3);
+ DES_DO_ENCRYPT(left, right, kp2);
+ DES_DO_DECRYPT(left, right, kp1);
+
+ /*
+ * Xor with the old cipher to get plain
+ * text. Output 8 or less bytes of this.
+ */
+ left ^= ocipherl;
+ right ^= ocipherr;
+
+ PUT_HALF_BLOCK(left, op);
+ PUT_HALF_BLOCK(right, op);
+
+ /*
+ * Save current cipher block here
+ */
+ ocipherl = cipherl;
+ ocipherr = cipherr;
+
+ krb5int_c_iov_put_block(data, num_data, oblock, MIT_DES_BLOCK_LENGTH, &output_pos);
+ }
+
+ if (ivec != NULL)
+ memcpy(ivec, oblock, MIT_DES_BLOCK_LENGTH);
+}
const mit_des_key_schedule ks3,
const mit_des_cblock ivec);
+void
+krb5int_des3_cbc_encrypt_iov(krb5_crypto_iov *data,
+ unsigned long num_data,
+ const mit_des_key_schedule ks1,
+ const mit_des_key_schedule ks2,
+ const mit_des_key_schedule ks3,
+ mit_des_cblock ivec);
+
+void
+krb5int_des3_cbc_decrypt_iov(krb5_crypto_iov *data,
+ unsigned long num_data,
+ const mit_des_key_schedule ks1,
+ const mit_des_key_schedule ks2,
+ const mit_des_key_schedule ks3,
+ mit_des_cblock ivec);
#define mit_des3_cbc_encrypt(in,out,length,ks1,ks2,ks3,ivec,enc) \
((enc ? krb5int_des3_cbc_encrypt : krb5int_des3_cbc_decrypt) \
STLIBOBJS=\
checksum.o \
+ dk_aead.o \
dk_decrypt.o \
dk_encrypt.o \
derive.o \
OBJS=\
$(OUTPRE)checksum.$(OBJEXT) \
+ $(OUTPRE)dk_aead.$(OBJEXT) \
$(OUTPRE)dk_decrypt.$(OBJEXT) \
$(OUTPRE)dk_encrypt.$(OBJEXT) \
$(OUTPRE)derive.$(OBJEXT) \
SRCS=\
$(srcdir)/checksum.c \
+ $(srcdir)/dk_aead.c \
$(srcdir)/dk_decrypt.c \
$(srcdir)/dk_encrypt.c \
$(srcdir)/dk_prf.c \
#include "k5-int.h"
#include "etypes.h"
#include "dk.h"
+#include "aead.h"
#define K5CLENGTH 5 /* 32 bit net byte order integer + one byte seed */
return(ret);
}
+krb5_error_code
+krb5_dk_make_checksum_iov(const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key, krb5_keyusage usage,
+ const krb5_crypto_iov *data, size_t num_data,
+ krb5_data *output)
+{
+ int i;
+ const struct krb5_enc_provider *enc;
+ size_t blocksize, keybytes, keylength;
+ krb5_error_code ret;
+ unsigned char constantdata[K5CLENGTH];
+ krb5_data datain;
+ unsigned char *kcdata;
+ krb5_keyblock kc;
+
+ for (i=0; i<krb5_enctypes_length; i++) {
+ if (krb5_enctypes_list[i].etype == key->enctype)
+ break;
+ }
+
+ if (i == krb5_enctypes_length)
+ return(KRB5_BAD_ENCTYPE);
+
+ enc = krb5_enctypes_list[i].enc;
+
+ /* allocate and set to-be-derived keys */
+
+ blocksize = enc->block_size;
+ keybytes = enc->keybytes;
+ keylength = enc->keylength;
+
+ /* key->length will be tested in enc->encrypt
+ output->length will be tested in krb5_hmac */
+
+ if ((kcdata = (unsigned char *) malloc(keylength)) == NULL)
+ return(ENOMEM);
+
+ kc.contents = kcdata;
+ kc.length = keylength;
+
+ /* derive the key */
+
+ datain.data = (char *) constantdata;
+ datain.length = K5CLENGTH;
+
+ datain.data[0] = (usage>>24)&0xff;
+ datain.data[1] = (usage>>16)&0xff;
+ datain.data[2] = (usage>>8)&0xff;
+ datain.data[3] = usage&0xff;
+
+ datain.data[4] = (char) 0x99;
+
+ if ((ret = krb5_derive_key(enc, key, &kc, &datain)) != 0)
+ goto cleanup;
+
+ /* hash the data */
+
+ if ((ret = krb5_hmac_iov(hash, &kc, data, num_data, output)) != 0)
+ memset(output->data, 0, output->length);
+
+ /* ret is set correctly by the prior call */
+
+cleanup:
+ memset(kcdata, 0, keylength);
+
+ free(kcdata);
+
+ return(ret);
+}
+
const krb5_keyblock *key, krb5_keyusage usage,
const krb5_data *input, krb5_data *output);
+krb5_error_code
+krb5_dk_make_checksum_iov(const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key, krb5_keyusage usage,
+ const krb5_crypto_iov *data, size_t num_data,
+ krb5_data *output);
+
krb5_error_code
krb5_derive_random(const struct krb5_enc_provider *enc,
const krb5_keyblock *inkey, krb5_data *outrnd,
const krb5_data *in_constant);
+
+/* AEAD */
+
+extern const struct krb5_aead_provider krb5int_aead_dk;
+extern const struct krb5_aead_provider krb5int_aead_aes;
+
--- /dev/null
+/*
+ * lib/crypto/dk/dk_aead.c
+ *
+ * Copyright 2008 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+
+#include "k5-int.h"
+#include "dk.h"
+#include "aead.h"
+
+#define K5CLENGTH 5 /* 32 bit net byte order integer + one byte seed */
+
+/* AEAD */
+
+static krb5_error_code
+krb5int_dk_crypto_length(const struct krb5_aead_provider *aead,
+ const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ krb5_cryptotype type,
+ size_t *length)
+{
+ switch (type) {
+ case KRB5_CRYPTO_TYPE_HEADER:
+ case KRB5_CRYPTO_TYPE_PADDING:
+ *length = enc->block_size;
+ break;
+ case KRB5_CRYPTO_TYPE_TRAILER:
+ case KRB5_CRYPTO_TYPE_CHECKSUM:
+ *length = hash->hashsize;
+ break;
+ default:
+ assert(0 && "invalid cryptotype passed to krb5int_dk_crypto_length");
+ break;
+ }
+
+ return 0;
+}
+
+static krb5_error_code
+krb5int_dk_encrypt_iov(const struct krb5_aead_provider *aead,
+ const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ krb5_keyusage usage,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ krb5_error_code ret;
+ unsigned char constantdata[K5CLENGTH];
+ krb5_data d1, d2;
+ krb5_crypto_iov *header, *trailer, *padding;
+ krb5_keyblock ke, ki;
+ size_t i;
+ size_t blocksize = 0;
+ size_t plainlen = 0;
+ size_t hmacsize = 0;
+ size_t padsize = 0;
+ unsigned char *cksum = NULL;
+
+ ke.contents = ki.contents = NULL;
+ ke.length = ki.length = 0;
+
+ /* E(Confounder | Plaintext | Pad) | Checksum */
+
+ ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING, &blocksize);
+ if (ret != 0)
+ return ret;
+
+ ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER, &hmacsize);
+ if (ret != 0)
+ return ret;
+
+ for (i = 0; i < num_data; i++) {
+ krb5_crypto_iov *iov = &data[i];
+
+ if (iov->flags == KRB5_CRYPTO_TYPE_DATA)
+ plainlen += iov->data.length;
+ }
+
+ /* Validate header and trailer lengths. */
+
+ header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
+ if (header == NULL || header->data.length < enc->block_size)
+ return KRB5_BAD_MSIZE;
+
+ trailer = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
+ if (trailer == NULL || trailer->data.length < hmacsize)
+ return KRB5_BAD_MSIZE;
+
+ if (blocksize != 0) {
+ /* Check that the input data is correctly padded */
+ if (plainlen % blocksize)
+ padsize = blocksize - (plainlen % blocksize);
+ }
+
+ padding = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_PADDING);
+ if (padsize && (padding == NULL || padding->data.length < padsize))
+ return KRB5_BAD_MSIZE;
+
+ if (padding != NULL) {
+ memset(padding->data.data, 0, padsize);
+ padding->data.length = padsize;
+ }
+
+ ke.length = enc->keylength;
+ ke.contents = malloc(ke.length);
+ if (ke.contents == NULL) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
+ ki.length = enc->keylength;
+ ki.contents = malloc(ki.length);
+ if (ki.contents == NULL) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
+ cksum = (unsigned char *)malloc(hash->hashsize);
+ if (cksum == NULL) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
+
+ /* derive the keys */
+
+ d1.data = (char *)constantdata;
+ d1.length = K5CLENGTH;
+
+ d1.data[0] = (usage >> 24) & 0xFF;
+ d1.data[1] = (usage >> 16) & 0xFF;
+ d1.data[2] = (usage >> 8 ) & 0xFF;
+ d1.data[3] = (usage ) & 0xFF;
+
+ d1.data[4] = 0xAA;
+
+ ret = krb5_derive_key(enc, key, &ke, &d1);
+ if (ret != 0)
+ goto cleanup;
+
+ d1.data[4] = 0x55;
+
+ ret = krb5_derive_key(enc, key, &ki, &d1);
+ if (ret != 0)
+ goto cleanup;
+
+ /* generate confounder */
+
+ header->data.length = enc->block_size;
+
+ ret = krb5_c_random_make_octets(/* XXX */ NULL, &header->data);
+ if (ret != 0)
+ goto cleanup;
+
+ /* hash the plaintext */
+ d2.length = hash->hashsize;
+ d2.data = (char *)cksum;
+
+ ret = krb5_hmac_iov(hash, &ki, data, num_data, &d2);
+ if (ret != 0)
+ goto cleanup;
+
+ /* encrypt the plaintext (header | data | padding) */
+ assert(enc->encrypt_iov != NULL);
+
+ ret = enc->encrypt_iov(&ke, ivec, data, num_data); /* will update ivec */
+ if (ret != 0)
+ goto cleanup;
+
+ /* possibly truncate the hash */
+ assert(hmacsize <= d2.length);
+
+ memcpy(trailer->data.data, cksum, hmacsize);
+ trailer->data.length = hmacsize;
+
+cleanup:
+ if (ke.contents != NULL) {
+ memset(ke.contents, 0, ke.length);
+ free(ke.contents);
+ }
+ if (ki.contents != NULL) {
+ memset(ki.contents, 0, ki.length);
+ free(ki.contents);
+ }
+ if (cksum != NULL) {
+ free(cksum);
+ }
+
+ return ret;
+}
+
+static krb5_error_code
+krb5int_dk_decrypt_iov(const struct krb5_aead_provider *aead,
+ const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ krb5_keyusage usage,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ krb5_error_code ret;
+ unsigned char constantdata[K5CLENGTH];
+ krb5_data d1;
+ krb5_crypto_iov *header, *trailer;
+ krb5_keyblock ke, ki;
+ size_t i;
+ size_t blocksize = 0; /* careful, this is enc block size not confounder len */
+ size_t cipherlen = 0;
+ size_t hmacsize = 0;
+ unsigned char *cksum = NULL;
+
+ ke.contents = ki.contents = NULL;
+ ke.length = ki.length = 0;
+
+ /* E(Confounder | Plaintext | Pad) | Checksum */
+
+ ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING, &blocksize);
+ if (ret != 0)
+ return ret;
+
+ ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER, &hmacsize);
+ if (ret != 0)
+ return ret;
+
+ for (i = 0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+
+ if (ENCRYPT_DATA_IOV(iov))
+ cipherlen += iov->data.length;
+ }
+
+ if (blocksize == 0) {
+ /* Check for correct input length in CTS mode */
+ if (enc->block_size != 0 && cipherlen < enc->block_size)
+ return KRB5_BAD_MSIZE;
+ } else {
+ /* Check that the input data is correctly padded */
+ if ((cipherlen % blocksize) != 0)
+ return KRB5_BAD_MSIZE;
+ }
+
+ /* Validate header and trailer lengths */
+
+ header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
+ if (header == NULL || header->data.length != enc->block_size)
+ return KRB5_BAD_MSIZE;
+
+ trailer = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
+ if (trailer == NULL || trailer->data.length != hmacsize)
+ return KRB5_BAD_MSIZE;
+
+ ke.length = enc->keylength;
+ ke.contents = malloc(ke.length);
+ if (ke.contents == NULL) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
+ ki.length = enc->keylength;
+ ki.contents = malloc(ki.length);
+ if (ki.contents == NULL) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
+ cksum = (unsigned char *)malloc(hash->hashsize);
+ if (cksum == NULL) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
+
+ /* derive the keys */
+
+ d1.data = (char *)constantdata;
+ d1.length = K5CLENGTH;
+
+ d1.data[0] = (usage >> 24) & 0xFF;
+ d1.data[1] = (usage >> 16) & 0xFF;
+ d1.data[2] = (usage >> 8 ) & 0xFF;
+ d1.data[3] = (usage ) & 0xFF;
+
+ d1.data[4] = 0xAA;
+
+ ret = krb5_derive_key(enc, key, &ke, &d1);
+ if (ret != 0)
+ goto cleanup;
+
+ d1.data[4] = 0x55;
+
+ ret = krb5_derive_key(enc, key, &ki, &d1);
+ if (ret != 0)
+ goto cleanup;
+
+ /* decrypt the plaintext (header | data | padding) */
+ assert(enc->decrypt_iov != NULL);
+
+ ret = enc->decrypt_iov(&ke, ivec, data, num_data); /* will update ivec */
+ if (ret != 0)
+ goto cleanup;
+
+ /* verify the hash */
+ d1.length = hash->hashsize; /* non-truncated length */
+ d1.data = (char *)cksum;
+
+ ret = krb5_hmac_iov(hash, &ki, data, num_data, &d1);
+ if (ret != 0)
+ goto cleanup;
+
+ /* compare only the possibly truncated length */
+ if (memcmp(cksum, trailer->data.data, hmacsize) != 0) {
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ goto cleanup;
+ }
+
+cleanup:
+ if (ke.contents != NULL) {
+ memset(ke.contents, 0, ke.length);
+ free(ke.contents);
+ }
+ if (ki.contents != NULL) {
+ memset(ki.contents, 0, ki.length);
+ free(ki.contents);
+ }
+ if (cksum != NULL) {
+ free(cksum);
+ }
+
+ return ret;
+}
+
+const struct krb5_aead_provider krb5int_aead_dk = {
+ krb5int_dk_crypto_length,
+ krb5int_dk_encrypt_iov,
+ krb5int_dk_decrypt_iov
+};
+
+static krb5_error_code
+krb5int_aes_crypto_length(const struct krb5_aead_provider *aead,
+ const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ krb5_cryptotype type,
+ size_t *length)
+{
+ switch (type) {
+ case KRB5_CRYPTO_TYPE_HEADER:
+ *length = enc->block_size;
+ break;
+ case KRB5_CRYPTO_TYPE_PADDING:
+ *length = 0;
+ break;
+ case KRB5_CRYPTO_TYPE_TRAILER:
+ case KRB5_CRYPTO_TYPE_CHECKSUM:
+ *length = 96 / 8;
+ break;
+ default:
+ assert(0 && "invalid cryptotype passed to krb5int_aes_crypto_length");
+ break;
+ }
+
+ return 0;
+}
+
+const struct krb5_aead_provider krb5int_aead_aes = {
+ krb5int_aes_crypto_length,
+ krb5int_dk_encrypt_iov,
+ krb5int_dk_decrypt_iov
+};
+
/*
- * lib/crypto/enc_provider/aes.h
+ * lib/crypto/enc_provider/aes.c
*
- * Copyright (C) 2003, 2007 by the Massachusetts Institute of Technology.
+ * Copyright (C) 2003, 2007, 2008 by the Massachusetts Institute of Technology.
* All rights reserved.
*
* Export of this software from the United States of America may
#include "k5-int.h"
#include "enc_provider.h"
#include "aes.h"
+#include "../aead.h"
#if 0
aes_rval aes_blk_len(unsigned int blen, aes_ctx cx[1]);
return 0;
}
+static krb5_error_code
+krb5int_aes_encrypt_iov(const krb5_keyblock *key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ aes_ctx ctx;
+ char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE];
+ int nblocks = 0, blockno;
+ size_t input_length, i;
+
+ if (aes_enc_key(key->contents, key->length, &ctx) != aes_good)
+ abort();
+
+ if (ivec != NULL)
+ memcpy(tmp, ivec->data, BLOCK_SIZE);
+ else
+ memset(tmp, 0, BLOCK_SIZE);
+
+ for (i = 0, input_length = 0; i < num_data; i++) {
+ krb5_crypto_iov *iov = &data[i];
+
+ if (ENCRYPT_IOV(iov))
+ input_length += iov->data.length;
+ }
+
+ nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
+
+ assert(nblocks > 1);
+
+ {
+ char blockN2[BLOCK_SIZE]; /* second last */
+ char blockN1[BLOCK_SIZE]; /* last block */
+ struct iov_block_state input_pos, output_pos;
+
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
+
+ for (blockno = 0; blockno < nblocks - 2; blockno++) {
+ char blockN[BLOCK_SIZE];
+
+ krb5int_c_iov_get_block((unsigned char *)blockN, BLOCK_SIZE, data, num_data, &input_pos);
+ xorblock(tmp, blockN);
+ enc(tmp2, tmp, &ctx);
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, BLOCK_SIZE, &output_pos);
+
+ /* Set up for next block. */
+ memcpy(tmp, tmp2, BLOCK_SIZE);
+ }
+
+ /* Do final CTS step for last two blocks (the second of which
+ may or may not be incomplete). */
+
+ /* First, get the last two blocks */
+ memset(blockN1, 0, sizeof(blockN1)); /* pad last block with zeros */
+ krb5int_c_iov_get_block((unsigned char *)blockN2, BLOCK_SIZE, data, num_data, &input_pos);
+ krb5int_c_iov_get_block((unsigned char *)blockN1, BLOCK_SIZE, data, num_data, &input_pos);
+
+ /* Encrypt second last block */
+ xorblock(tmp, blockN2);
+ enc(tmp2, tmp, &ctx);
+ memcpy(blockN2, tmp2, BLOCK_SIZE); /* blockN2 now contains first block */
+ memcpy(tmp, tmp2, BLOCK_SIZE);
+
+ /* Encrypt last block */
+ xorblock(tmp, blockN1);
+ enc(tmp2, tmp, &ctx);
+ memcpy(blockN1, tmp2, BLOCK_SIZE);
+ if (ivec != NULL)
+ memcpy(ivec->data, tmp2, BLOCK_SIZE);
+
+ /* Put the last two blocks back into the ivec (reverse order) */
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN1, BLOCK_SIZE, &output_pos);
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN2, BLOCK_SIZE, &output_pos);
+ }
+
+ return 0;
+}
+
+static krb5_error_code
+krb5int_aes_decrypt_iov(const krb5_keyblock *key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ aes_ctx ctx;
+ char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE];
+ int nblocks = 0, blockno;
+ size_t input_length, i;
+
+ CHECK_SIZES;
+
+ if (aes_dec_key(key->contents, key->length, &ctx) != aes_good)
+ abort();
+
+ if (ivec != NULL)
+ memcpy(tmp, ivec->data, BLOCK_SIZE);
+ else
+ memset(tmp, 0, BLOCK_SIZE);
+
+ for (i = 0, input_length = 0; i < num_data; i++) {
+ krb5_crypto_iov *iov = &data[i];
+
+ if (ENCRYPT_IOV(iov))
+ input_length += iov->data.length;
+ }
+
+ nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
+
+ assert(nblocks > 1);
+
+ {
+ char blockN2[BLOCK_SIZE]; /* second last */
+ char blockN1[BLOCK_SIZE]; /* last block */
+ struct iov_block_state input_pos, output_pos;
+
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
+
+ for (blockno = 0; blockno < nblocks - 2; blockno++) {
+ char blockN[BLOCK_SIZE];
+
+ krb5int_c_iov_get_block((unsigned char *)blockN, BLOCK_SIZE, data, num_data, &input_pos);
+ dec(tmp2, blockN, &ctx);
+ xorblock(tmp2, tmp);
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, BLOCK_SIZE, &output_pos);
+ memcpy(tmp, blockN, BLOCK_SIZE);
+ }
+
+ /* Do last two blocks, the second of which (next-to-last block
+ of plaintext) may be incomplete. */
+
+ /* First, get the last two encrypted blocks */
+ memset(blockN1, 0, sizeof(blockN1)); /* pad last block with zeros */
+ krb5int_c_iov_get_block((unsigned char *)blockN2, BLOCK_SIZE, data, num_data, &input_pos);
+ krb5int_c_iov_get_block((unsigned char *)blockN1, BLOCK_SIZE, data, num_data, &input_pos);
+
+ /* Decrypt second last block */
+ dec(tmp2, blockN2, &ctx);
+ /* Set tmp3 to last ciphertext block (already padded) */
+ memcpy(tmp3, blockN1, BLOCK_SIZE);
+ /* Set tmp2 to last (possibly partial) plaintext block, and
+ save it. */
+ xorblock(tmp2, tmp3);
+ memcpy(blockN1, tmp2, BLOCK_SIZE);
+ /* Maybe keep the trailing part, and copy in the last
+ ciphertext block. */
+ memcpy(tmp2, tmp3, BLOCK_SIZE);
+ dec(tmp3, tmp2, &ctx);
+ xorblock(tmp3, tmp);
+ /* Copy out ivec first before we clobber blockN2 with plaintext */
+ if (ivec != NULL)
+ memcpy(ivec->data, blockN2, BLOCK_SIZE);
+ memcpy(blockN2, tmp3, BLOCK_SIZE);
+
+ /* Put the last two blocks back into the ivec */
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN2, BLOCK_SIZE, &output_pos);
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN1, BLOCK_SIZE, &output_pos);
+ }
+
+ return 0;
+}
+
static krb5_error_code
k5_aes_make_key(const krb5_data *randombits, krb5_keyblock *key)
{
krb5int_aes_decrypt,
k5_aes_make_key,
krb5int_aes_init_state,
- krb5int_default_free_state
+ krb5int_default_free_state,
+ krb5int_aes_encrypt_iov,
+ krb5int_aes_decrypt_iov
};
const struct krb5_enc_provider krb5int_enc_aes256 = {
krb5int_aes_decrypt,
k5_aes_make_key,
krb5int_aes_init_state,
- krb5int_default_free_state
+ krb5int_default_free_state,
+ krb5int_aes_encrypt_iov,
+ krb5int_aes_decrypt_iov
};
+
#include "k5-int.h"
#include "des_int.h"
+#include "../aead.h"
static krb5_error_code
validate_and_schedule(const krb5_keyblock *key, const krb5_data *ivec,
return 0;
}
+static krb5_error_code
+validate_and_schedule_iov(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_crypto_iov *data, size_t num_data,
+ mit_des3_key_schedule *schedule)
+{
+ size_t i, input_length;
+
+ for (i = 0, input_length = 0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+
+ if (ENCRYPT_IOV(iov))
+ input_length += iov->data.length;
+ }
+
+ if (key->length != 24)
+ return(KRB5_BAD_KEYSIZE);
+ if ((input_length%8) != 0)
+ return(KRB5_BAD_MSIZE);
+ if (ivec && (ivec->length != 8))
+ return(KRB5_BAD_MSIZE);
+
+ switch (mit_des3_key_sched(*(mit_des3_cblock *)key->contents,
+ *schedule)) {
+ case -1:
+ return(KRB5DES_BAD_KEYPAR);
+ case -2:
+ return(KRB5DES_WEAK_KEY);
+ }
+ return 0;
+}
+
static krb5_error_code
k5_des3_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
const krb5_data *input, krb5_data *output)
return(0);
}
+static krb5_error_code
+k5_des3_encrypt_iov(const krb5_keyblock *key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ mit_des3_key_schedule schedule;
+ krb5_error_code err;
+
+ err = validate_and_schedule_iov(key, ivec, data, num_data, &schedule);
+ if (err)
+ return err;
+
+ /* this has a return value, but the code always returns zero */
+ krb5int_des3_cbc_encrypt_iov(data, num_data,
+ schedule[0], schedule[1], schedule[2],
+ ivec != NULL ? (const unsigned char *) ivec->data : NULL);
+
+ zap(schedule, sizeof(schedule));
+
+ return(0);
+}
+
+static krb5_error_code
+k5_des3_decrypt_iov(const krb5_keyblock *key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ mit_des3_key_schedule schedule;
+ krb5_error_code err;
+
+ err = validate_and_schedule_iov(key, ivec, data, num_data, &schedule);
+ if (err)
+ return err;
+
+ /* this has a return value, but the code always returns zero */
+ krb5int_des3_cbc_decrypt_iov(data, num_data,
+ schedule[0], schedule[1], schedule[2],
+ ivec != NULL ? (const unsigned char *) ivec->data : NULL);
+
+ zap(schedule, sizeof(schedule));
+
+ return(0);
+}
+
const struct krb5_enc_provider krb5int_enc_des3 = {
8,
21, 24,
k5_des3_decrypt,
k5_des3_make_key,
krb5int_des_init_state,
- krb5int_default_free_state
+ krb5int_default_free_state,
+ k5_des3_encrypt_iov,
+ k5_des3_decrypt_iov
};
+
extern const struct krb5_enc_provider krb5int_enc_arcfour;
extern const struct krb5_enc_provider krb5int_enc_aes128;
extern const struct krb5_enc_provider krb5int_enc_aes256;
+
#include "k5-int.h"
#include "arcfour-int.h"
#include "enc_provider.h"
+#include "../aead.h"
/* gets the next byte from the PRNG */
#if ((__GNUC__ >= 2) )
static __inline__ unsigned int k5_arcfour_byte(ArcfourContext *);
return 0;
}
+/* In-place encryption */
+static krb5_error_code
+k5_arcfour_docrypt_iov(const krb5_keyblock *key,
+ const krb5_data *state,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ ArcfourContext *arcfour_ctx = NULL;
+ ArcFourCipherState *cipher_state = NULL;
+ krb5_error_code ret;
+ size_t i;
+
+ if (key->length != 16)
+ return KRB5_BAD_KEYSIZE;
+ if (state != NULL && (state->length != sizeof(ArcFourCipherState)))
+ return KRB5_BAD_MSIZE;
+
+ if (state != NULL) {
+ cipher_state = (ArcFourCipherState *)state->data;
+ arcfour_ctx = &cipher_state->ctx;
+ if (cipher_state->initialized == 0) {
+ ret = k5_arcfour_init(arcfour_ctx, key->contents, key->length);
+ if (ret != 0)
+ return ret;
+
+ cipher_state->initialized = 1;
+ }
+ } else {
+ arcfour_ctx = (ArcfourContext *)malloc(sizeof(ArcfourContext));
+ if (arcfour_ctx == NULL)
+ return ENOMEM;
+
+ ret = k5_arcfour_init(arcfour_ctx, key->contents, key->length);
+ if (ret != 0) {
+ free(arcfour_ctx);
+ return ret;
+ }
+ }
+
+ for (i = 0; i < num_data; i++) {
+ krb5_crypto_iov *iov = &data[i];
+
+ if (ENCRYPT_IOV(iov))
+ k5_arcfour_crypt(arcfour_ctx, (unsigned char *)iov->data.data,
+ (const unsigned char *)iov->data.data, iov->data.length);
+ }
+
+ if (state == NULL) {
+ memset(arcfour_ctx, 0, sizeof(ArcfourContext));
+ free(arcfour_ctx);
+ }
+
+ return 0;
+}
+
static krb5_error_code
k5_arcfour_make_key(const krb5_data *randombits, krb5_keyblock *key)
{
k5_arcfour_docrypt,
k5_arcfour_make_key,
k5_arcfour_init_state, /*xxx not implemented yet*/
- krb5int_default_free_state
+ krb5int_default_free_state,
+ k5_arcfour_docrypt_iov,
+ k5_arcfour_docrypt_iov
};
+
--- /dev/null
+/*
+ * lib/crypto/encrypt_iov.c
+ *
+ * Copyright 2008 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include "k5-int.h"
+#include "etypes.h"
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_encrypt_iov(krb5_context context,
+ const krb5_keyblock *key,
+ krb5_keyusage usage,
+ const krb5_data *cipher_state,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ int i;
+ const struct krb5_keytypes *ktp = NULL;
+
+ for (i = 0; i < krb5_enctypes_length; i++) {
+ if (krb5_enctypes_list[i].etype == key->enctype) {
+ ktp = &krb5_enctypes_list[i];
+ break;
+ }
+ }
+
+ if (ktp == NULL || ktp->aead == NULL) {
+ return KRB5_BAD_ENCTYPE;
+ }
+
+ return ktp->aead->encrypt_iov(ktp->aead, ktp->enc, ktp->hash,
+ key, usage, cipher_state, data, num_data);
+}
+
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
krb5int_des_string_to_key,
NULL, /*PRF*/
- CKSUMTYPE_RSA_MD5 },
+ CKSUMTYPE_RSA_MD5,
+ NULL /*AEAD*/ },
{ ENCTYPE_DES_CBC_MD4,
"des-cbc-md4", "DES cbc mode with RSA-MD4",
&krb5int_enc_des, &krb5int_hash_md4,
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
krb5int_des_string_to_key,
NULL, /*PRF*/
- CKSUMTYPE_RSA_MD4 },
+ CKSUMTYPE_RSA_MD4,
+ NULL /*AEAD*/ },
{ ENCTYPE_DES_CBC_MD5,
"des-cbc-md5", "DES cbc mode with RSA-MD5",
&krb5int_enc_des, &krb5int_hash_md5,
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
krb5int_des_string_to_key,
NULL, /*PRF*/
-CKSUMTYPE_RSA_MD5 },
+ CKSUMTYPE_RSA_MD5,
+ NULL /*AEAD*/ },
{ ENCTYPE_DES_CBC_MD5,
"des", "DES cbc mode with RSA-MD5", /* alias */
&krb5int_enc_des, &krb5int_hash_md5,
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
krb5int_des_string_to_key,
NULL, /*PRF*/
- CKSUMTYPE_RSA_MD5 },
+ CKSUMTYPE_RSA_MD5,
+ NULL /*AEAD*/ },
{ ENCTYPE_DES_CBC_RAW,
"des-cbc-raw", "DES cbc mode raw",
krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt,
krb5int_des_string_to_key,
NULL, /*PRF*/
- 0 },
+ 0,
+ NULL /*AEAD*/ },
{ ENCTYPE_DES3_CBC_RAW,
"des3-cbc-raw", "Triple DES cbc mode raw",
&krb5int_enc_des3, NULL,
krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt,
krb5int_dk_string_to_key,
NULL, /*PRF*/
- 0 },
+ 0,
+ NULL /*AEAD*/ },
{ ENCTYPE_DES3_CBC_SHA1,
"des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1",
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
krb5int_dk_string_to_key,
NULL, /*PRF*/
- CKSUMTYPE_HMAC_SHA1_DES3 },
+ CKSUMTYPE_HMAC_SHA1_DES3,
+ &krb5int_aead_dk },
{ ENCTYPE_DES3_CBC_SHA1, /* alias */
"des3-hmac-sha1", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
krb5int_dk_string_to_key,
NULL, /*PRF*/
- CKSUMTYPE_HMAC_SHA1_DES3 },
+ CKSUMTYPE_HMAC_SHA1_DES3,
+ &krb5int_aead_dk },
{ ENCTYPE_DES3_CBC_SHA1, /* alias */
"des3-cbc-sha1-kd", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
krb5int_dk_string_to_key,
NULL, /*PRF*/
- CKSUMTYPE_HMAC_SHA1_DES3 },
+ CKSUMTYPE_HMAC_SHA1_DES3,
+ &krb5int_aead_dk },
{ ENCTYPE_DES_HMAC_SHA1,
"des-hmac-sha1", "DES with HMAC/sha1",
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
krb5int_dk_string_to_key,
NULL, /*PRF*/
- 0 },
+ 0,
+ NULL },
{ ENCTYPE_ARCFOUR_HMAC,
"arcfour-hmac","ArcFour with HMAC/md5", &krb5int_enc_arcfour,
&krb5int_hash_md5,
krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
NULL, /*PRF*/
- CKSUMTYPE_HMAC_MD5_ARCFOUR },
+ CKSUMTYPE_HMAC_MD5_ARCFOUR,
+ &krb5int_aead_arcfour },
{ ENCTYPE_ARCFOUR_HMAC, /* alias */
"rc4-hmac", "ArcFour with HMAC/md5", &krb5int_enc_arcfour,
&krb5int_hash_md5,
krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
NULL, /*PRF*/
- CKSUMTYPE_HMAC_MD5_ARCFOUR },
+ CKSUMTYPE_HMAC_MD5_ARCFOUR,
+ &krb5int_aead_arcfour },
{ ENCTYPE_ARCFOUR_HMAC, /* alias */
"arcfour-hmac-md5", "ArcFour with HMAC/md5", &krb5int_enc_arcfour,
&krb5int_hash_md5,
krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
NULL, /*PRF*/
- CKSUMTYPE_HMAC_MD5_ARCFOUR },
+ CKSUMTYPE_HMAC_MD5_ARCFOUR,
+ &krb5int_aead_arcfour },
{ ENCTYPE_ARCFOUR_HMAC_EXP,
"arcfour-hmac-exp", "Exportable ArcFour with HMAC/md5",
&krb5int_enc_arcfour,
krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
NULL, /*PRF*/
- CKSUMTYPE_HMAC_MD5_ARCFOUR },
+ CKSUMTYPE_HMAC_MD5_ARCFOUR,
+ &krb5int_aead_arcfour },
{ ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */
"rc4-hmac-exp", "Exportable ArcFour with HMAC/md5",
&krb5int_enc_arcfour,
krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
NULL, /*PRF*/
- CKSUMTYPE_HMAC_MD5_ARCFOUR },
+ CKSUMTYPE_HMAC_MD5_ARCFOUR,
+ &krb5int_aead_arcfour },
{ ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */
"arcfour-hmac-md5-exp", "Exportable ArcFour with HMAC/md5",
&krb5int_enc_arcfour,
krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
NULL, /*PRF*/
- CKSUMTYPE_HMAC_MD5_ARCFOUR },
+ CKSUMTYPE_HMAC_MD5_ARCFOUR,
+ &krb5int_aead_arcfour },
{ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
"aes128-cts-hmac-sha1-96", "AES-128 CTS mode with 96-bit SHA-1 HMAC",
krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
krb5int_aes_string_to_key,
krb5int_dk_prf,
- CKSUMTYPE_HMAC_SHA1_96_AES128 },
+ CKSUMTYPE_HMAC_SHA1_96_AES128,
+ &krb5int_aead_aes },
{ ENCTYPE_AES128_CTS_HMAC_SHA1_96, /* alias */
"aes128-cts", "AES-128 CTS mode with 96-bit SHA-1 HMAC",
&krb5int_enc_aes128, &krb5int_hash_sha1,
krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
krb5int_aes_string_to_key,
krb5int_dk_prf,
- CKSUMTYPE_HMAC_SHA1_96_AES128 },
+ CKSUMTYPE_HMAC_SHA1_96_AES128,
+ &krb5int_aead_aes },
{ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
"aes256-cts-hmac-sha1-96", "AES-256 CTS mode with 96-bit SHA-1 HMAC",
&krb5int_enc_aes256, &krb5int_hash_sha1,
krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
krb5int_aes_string_to_key,
krb5int_dk_prf,
- CKSUMTYPE_HMAC_SHA1_96_AES256 },
+ CKSUMTYPE_HMAC_SHA1_96_AES256,
+ &krb5int_aead_aes },
{ ENCTYPE_AES256_CTS_HMAC_SHA1_96, /* alias */
"aes256-cts", "AES-256 CTS mode with 96-bit SHA-1 HMAC",
&krb5int_enc_aes256, &krb5int_hash_sha1,
krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
krb5int_aes_string_to_key,
krb5int_dk_prf,
- CKSUMTYPE_HMAC_SHA1_96_AES256 },
+ CKSUMTYPE_HMAC_SHA1_96_AES256,
+ &krb5int_aead_aes },
};
const int krb5_enctypes_length =
*/
#include "k5-int.h"
+#include "aead.h"
/*
* the HMAC transform looks like:
return(ret);
}
+
+krb5_error_code
+krb5_hmac_iov(const struct krb5_hash_provider *hash, const krb5_keyblock *key,
+ const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
+{
+ krb5_data *sign_data;
+ size_t num_sign_data;
+ krb5_error_code ret;
+ size_t i, j;
+
+ /* Create a checksum over all the data to be signed */
+ for (i = 0, num_sign_data = 0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+
+ if (SIGN_IOV(iov))
+ num_sign_data++;
+ }
+ /* XXX cleanup to avoid alloc */
+ sign_data = (krb5_data *)calloc(num_sign_data, sizeof(krb5_data));
+ if (sign_data == NULL)
+ return ENOMEM;
+
+ for (i = 0, j = 0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+
+ if (SIGN_IOV(iov))
+ sign_data[j++] = iov->data;
+ }
+
+ /* caller must store checksum in iov as it may be TYPE_TRAILER or TYPE_CHECKSUM */
+ ret = krb5_hmac(hash, key, num_sign_data, sign_data, output);
+
+ free(sign_data);
+
+ return ret;
+}
+
const struct krb5_keyhash_provider krb5int_keyhash_descbc = {
8,
k5_descbc_hash,
+ NULL,
+ NULL,
NULL
};
#include "arcfour-int.h"
#include "rsa-md5.h"
#include "hash_provider.h"
+#include "../aead.h"
static krb5_error_code
k5_hmac_md5_hash (const krb5_keyblock *key, krb5_keyusage usage,
return ret;
}
-
+static krb5_error_code
+k5_hmac_md5_hash_iov (const krb5_keyblock *key, krb5_keyusage usage,
+ const krb5_data *iv,
+ const krb5_crypto_iov *data, size_t num_data,
+ krb5_data *output)
+{
+ krb5_keyusage ms_usage;
+ krb5_error_code ret;
+ krb5_keyblock ks;
+ krb5_data ds, ks_constant, md5tmp;
+ krb5_MD5_CTX ctx;
+ char t[4];
+ size_t i;
+
+ ds.length = key->length;
+ ks.length = key->length;
+ ds.data = malloc(ds.length);
+ if (ds.data == NULL)
+ return ENOMEM;
+ ks.contents = (void *) ds.data;
+
+ ks_constant.data = "signaturekey";
+ ks_constant.length = strlen(ks_constant.data)+1; /* Including null*/
+
+ ret = krb5_hmac( &krb5int_hash_md5, key, 1,
+ &ks_constant, &ds);
+ if (ret)
+ goto cleanup;
+
+ krb5_MD5Init (&ctx);
+ ms_usage = krb5int_arcfour_translate_usage (usage);
+ t[0] = (ms_usage) & 0xff;
+ t[1] = (ms_usage>>8) & 0xff;
+ t[2] = (ms_usage >>16) & 0xff;
+ t[3] = (ms_usage>>24) & 0XFF;
+ krb5_MD5Update (&ctx, (unsigned char * ) &t, 4);
+ for (i = 0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+
+ if (SIGN_IOV(iov))
+ krb5_MD5Update (&ctx, (unsigned char *)iov->data.data,
+ (unsigned int)iov->data.length);
+ }
+ krb5_MD5Final(&ctx);
+ md5tmp.data = (void *) ctx.digest;
+ md5tmp.length = 16;
+ ret = krb5_hmac ( &krb5int_hash_md5, &ks, 1, &md5tmp,
+ output);
+
+ cleanup:
+ memset(&ctx, 0, sizeof(ctx));
+ memset (ks.contents, 0, ks.length);
+ free (ks.contents);
+ return ret;
+}
const struct krb5_keyhash_provider krb5int_keyhash_hmac_md5 = {
16,
k5_hmac_md5_hash,
- NULL /*checksum again*/
+ NULL, /*checksum again*/
+ k5_hmac_md5_hash_iov,
+ NULL /*checksum again */
};
const struct krb5_keyhash_provider krb5int_keyhash_md4des = {
CONFLENGTH+RSA_MD4_CKSUM_LENGTH,
k5_md4des_hash,
- k5_md4des_verify
+ k5_md4des_verify,
+ NULL,
+ NULL
};
const struct krb5_keyhash_provider krb5int_keyhash_md5des = {
CONFLENGTH+RSA_MD5_CKSUM_LENGTH,
k5_md5des_hash,
- k5_md5des_verify
+ k5_md5des_verify,
+ NULL,
+ NULL
};
krb5_arcfour_encrypt_length
krb5_c_block_size
krb5_c_checksum_length
+krb5_c_crypto_length
+krb5_c_crypto_length_iov
krb5_c_decrypt
+krb5_c_decrypt_iov
krb5_c_encrypt
+krb5_c_encrypt_iov
krb5_c_encrypt_length
krb5_c_enctype_compare
krb5_c_free_state
krb5_c_keyed_checksum_types
krb5_c_keylengths
krb5_c_make_checksum
+krb5_c_make_checksum_iov
krb5_c_make_random_key
+krb5_c_padding_length
krb5_c_prf
krb5_c_prf_length
krb5_c_random_add_entropy
krb5_c_valid_cksumtype
krb5_c_valid_enctype
krb5_c_verify_checksum
+krb5_c_verify_checksum_iov
krb5_calculate_checksum
krb5_checksum_size
krb5_cksumtype_to_string
krb5_finish_random_key
krb5_free_cksumtypes
krb5_hmac
+krb5_hmac_iov
krb5_init_random_key
krb5_nfold
krb5_old_decrypt
--- /dev/null
+/*
+ * lib/crypto/make_checksum_iov.c
+ *
+ * Copyright 2008 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include "k5-int.h"
+#include "cksumtypes.h"
+#include "aead.h"
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_make_checksum_iov(krb5_context context,
+ krb5_cksumtype cksumtype,
+ const krb5_keyblock *key,
+ krb5_keyusage usage,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ krb5_error_code ret;
+ size_t cksumlen;
+ krb5_crypto_iov *checksum;
+ size_t i;
+
+ for (i = 0; i < krb5_cksumtypes_length; i++) {
+ if (krb5_cksumtypes_list[i].ctype == cksumtype)
+ break;
+ }
+
+ if (i == krb5_cksumtypes_length)
+ return(KRB5_BAD_ENCTYPE);
+
+ if (krb5_cksumtypes_list[i].keyhash)
+ cksumlen = krb5_cksumtypes_list[i].keyhash->hashsize;
+ else
+ cksumlen = krb5_cksumtypes_list[i].hash->hashsize;
+
+ checksum = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_CHECKSUM);
+ if (checksum == NULL || checksum->data.length < cksumlen)
+ return(KRB5_BAD_MSIZE);
+
+ checksum->data.length = cksumlen;
+
+ ret = krb5int_c_make_checksum_iov(&krb5_cksumtypes_list[i],
+ key, usage, data, num_data,
+ &checksum->data);
+
+ return(ret);
+}
/*
main * lib/crypto/t_encrypt.c
*
- * Copyright2001 by the Massachusetts Institute of Technology.
+ * Copyright 2001, 2008by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
{
krb5_context context = 0;
krb5_data in, in2, out, out2, check, check2, state;
+ krb5_crypto_iov iov[5];
int i;
size_t len;
krb5_enc_data enc_out, enc_out2;
krb5_error_code retval;
krb5_keyblock *key;
+ memset(iov, 0, sizeof(iov));
+
in.data = "This is a test.\n";
in.length = strlen (in.data);
in2.data = "This is another test.\n";
test ("Decrypting",
krb5_c_decrypt (context, key, 7, 0, &enc_out, &check));
test ("Comparing", compare_results (&in, &check));
+ if ( krb5_c_crypto_length(context, key->enctype, KRB5_CRYPTO_TYPE_HEADER, &len) == 0 ){
+ /* We support iov/aead*/
+ int j, pos;
+ krb5_data signdata;
+ signdata.data = (char *) "This should be signed";
+ signdata.length = strlen(signdata.data);
+ iov[0].flags= KRB5_CRYPTO_TYPE_STREAM;
+ iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
+ iov[0].data = enc_out.ciphertext;
+ iov[1].data = out;
+ test("IOV stream decrypting",
+ krb5_c_decrypt_iov( context, key, 7, 0, iov, 2));
+ test("Comparing results",
+ compare_results(&in, &iov[1].data));
+ iov[0].flags = KRB5_CRYPTO_TYPE_HEADER;
+ iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
+ iov[1].data = in; /*We'll need to copy memory before encrypt*/
+ iov[2].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;
+ iov[2].data = signdata;
+ iov[3].flags = KRB5_CRYPTO_TYPE_PADDING;
+ iov[4].flags = KRB5_CRYPTO_TYPE_TRAILER;
+ test("Setting up iov lengths",
+ krb5_c_crypto_length_iov(context, key->enctype, iov, 5));
+ for (j=0,pos=0; j <= 4; j++ ){
+ if (iov[j].flags == KRB5_CRYPTO_TYPE_SIGN_ONLY)
+ continue;
+ iov[j].data.data = &out.data[pos];
+ pos += iov[j].data.length;
+ }
+ assert (iov[1].data.length == in.length);
+ memcpy(iov[1].data.data, in.data, in.length);
+ test("iov encrypting",
+ krb5_c_encrypt_iov(context, key, 7, 0, iov, 5));
+ assert(iov[1].data.length == in.length);
+ test("iov decrypting",
+ krb5_c_decrypt_iov(context, key, 7, 0, iov, 5));
+ test("Comparing results",
+ compare_results(&in, &iov[1].data));
+
+ }
enc_out.ciphertext.length = out.length;
check.length = 2048;
test ("init_state",
--- /dev/null
+/*
+ * lib/crypto/verify_checksum_iov.c
+ *
+ * Copyright 2008 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include "k5-int.h"
+#include "cksumtypes.h"
+#include "aead.h"
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_verify_checksum_iov(krb5_context context,
+ krb5_cksumtype checksum_type,
+ const krb5_keyblock *key,
+ krb5_keyusage usage,
+ const krb5_crypto_iov *data,
+ size_t num_data,
+ krb5_boolean *valid)
+{
+ unsigned int i;
+ size_t hashsize;
+ krb5_error_code ret;
+ krb5_data computed;
+ krb5_crypto_iov *checksum;
+
+ for (i=0; i<krb5_cksumtypes_length; i++) {
+ if (krb5_cksumtypes_list[i].ctype == checksum_type)
+ break;
+ }
+
+ if (i == krb5_cksumtypes_length)
+ return(KRB5_BAD_ENCTYPE);
+
+ checksum = krb5int_c_locate_iov((krb5_crypto_iov *)data, num_data, KRB5_CRYPTO_TYPE_CHECKSUM);
+ if (checksum == NULL)
+ return(KRB5_BAD_MSIZE);
+
+ /* if there's actually a verify function, call it */
+
+ if (krb5_cksumtypes_list[i].keyhash &&
+ krb5_cksumtypes_list[i].keyhash->verify_iov)
+ return((*(krb5_cksumtypes_list[i].keyhash->verify_iov))(key, usage, 0,
+ &checksum->data,
+ data, num_data,
+ valid));
+
+ /* otherwise, make the checksum again, and compare */
+
+ if ((ret = krb5_c_checksum_length(context, checksum_type, &hashsize)))
+ return(ret);
+
+ if (checksum->data.length != hashsize)
+ return(KRB5_BAD_MSIZE);
+
+ computed.data = malloc(hashsize);
+ if (computed.data == NULL) {
+ return(ENOMEM);
+ }
+ computed.length = hashsize;
+
+ if ((ret = krb5int_c_make_checksum_iov(&krb5_cksumtypes_list[i], key, usage,
+ data, num_data, &computed))) {
+ free(computed.data);
+ return(ret);
+ }
+
+ *valid = (memcmp(computed.data, &checksum->data, hashsize) == 0);
+
+ free(computed.data);
+
+ return(0);
+}
#endif
S (free_addrlist, krb5int_free_addrlist),
S (krb5_hmac, krb5_hmac),
+ S (krb5_hmac_iov, krb5_hmac_iov),
S (md5_hash_provider, &krb5int_hash_md5),
S (arcfour_enc_provider, &krb5int_enc_arcfour),
S (sendto_udp, &krb5int_sendto),