From: Sam Hartman Date: Tue, 6 Nov 2001 15:25:49 +0000 (+0000) Subject: * Add krb5_c_init_state and krb5_c_free_state functions X-Git-Tag: krb5-1.3-alpha1~970 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=207af9b0e6f257d475f64f74fcba3ff911aeeee0;p=krb5.git * Add krb5_c_init_state and krb5_c_free_state functions * Add init_state and free_state to enc_providers as operations that need to be filled in * Implement generic free_state and des-specific init_state * Implement arcfour-specific init_state * Add functions to find enctype state functions and call them * Add tests for above git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13948 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/include/ChangeLog b/src/include/ChangeLog index b7be66241..e1818dde5 100644 --- a/src/include/ChangeLog +++ b/src/include/ChangeLog @@ -1,3 +1,15 @@ +2001-11-06 Sam Hartman + + * k5-int.h: Add krb5int_des_init_state and krb5int_default_free_state + +2001-11-06 Sam Hartman + + * k5-int.h: Add init_state and free_state to enc_provider struct + +2001-11-05 Sam Hartman + + * krb5.hin: Add krb5_c_init_state and krb5_c_free_state + 2001-10-30 Ezra Peisach * fake-addrinfo.c (freeaddrinfo): Do not free NULL pointers. diff --git a/src/include/k5-int.h b/src/include/k5-int.h index fa8c9c28a..4d04738ca 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -521,9 +521,9 @@ struct krb5_enc_provider { keylength is the output size */ void (*keysize) (size_t *keybytes, size_t *keylength); - /* ivec == 0 is an all-zeros ivec */ + /* cipher-state == 0 fresh state thrown away at end */ krb5_error_code (*encrypt) (krb5_const krb5_keyblock *key, - krb5_const krb5_data *ivec, + krb5_const krb5_data *cipher_state, krb5_const krb5_data *input, krb5_data *output); @@ -534,6 +534,11 @@ struct krb5_enc_provider { krb5_error_code (*make_key) (krb5_const krb5_data *randombits, krb5_keyblock *key); + + krb5_error_code (*init_state) (krb5_const krb5_keyblock *key, + krb5_keyusage keyusage, krb5_data *out_state); + krb5_error_code (*free_state) (krb5_data *state); + }; struct krb5_hash_provider { @@ -623,6 +628,21 @@ krb5_error_code krb5_hmac krb5_const krb5_keyblock *key, unsigned int icount, krb5_const krb5_data *input, krb5_data *output); +/* A definition of init_state for DES based encryption systems. + * sets up an 8-byte IV of all zeros + */ + +krb5_error_code krb5int_des_init_state +(krb5_const krb5_keyblock *key, krb5_keyusage usage, krb5_data *new_state); + +/* + * normally to free a cipher_state you can just memset the length to zero and + * free it. + */ +krb5_error_code krb5int_default_free_state +(krb5_data *state); + + /* * These declarations are here, so both krb5 and k5crypto * can get to them. diff --git a/src/include/krb5.hin b/src/include/krb5.hin index 4119085a3..88185c2e9 100644 --- a/src/include/krb5.hin +++ b/src/include/krb5.hin @@ -371,13 +371,13 @@ typedef struct _krb5_enc_data { krb5_error_code KRB5_CALLCONV krb5_c_encrypt (krb5_context context, krb5_const krb5_keyblock *key, - krb5_keyusage usage, krb5_const krb5_data *ivec, + krb5_keyusage usage, krb5_const krb5_data *cipher_state, krb5_const krb5_data *input, krb5_enc_data *output); krb5_error_code KRB5_CALLCONV krb5_c_decrypt (krb5_context context, krb5_const krb5_keyblock *key, - krb5_keyusage usage, krb5_const krb5_data *ivec, + krb5_keyusage usage, krb5_const krb5_data *cipher_state, krb5_const krb5_enc_data *input, krb5_data *output); krb5_error_code KRB5_CALLCONV @@ -390,6 +390,16 @@ krb5_error_code KRB5_CALLCONV (krb5_context context, krb5_enctype enctype, size_t *blocksize); +krb5_error_code KRB5_CALLCONV + krb5_c_init_state +(krb5_context context, +krb5_const krb5_keyblock *key, krb5_keyusage usage, +krb5_data *new_state); + +krb5_error_code KRB5_CALLCONV + krb5_c_free_state +(krb5_context context, krb5_const krb5_keyblock *key, krb5_data *state); + krb5_error_code KRB5_CALLCONV krb5_c_make_random_key (krb5_context context, krb5_enctype enctype, diff --git a/src/lib/crypto/ChangeLog b/src/lib/crypto/ChangeLog index c5b737148..f91e7bee1 100644 --- a/src/lib/crypto/ChangeLog +++ b/src/lib/crypto/ChangeLog @@ -1,3 +1,9 @@ +2001-11-06 Sam Hartman + + * state.c: New file + + * default_state.c: New file. + 2001-10-29 Jeff Altman * Makefile.in - Windows configuration for src/lib/crypto/arcfour diff --git a/src/lib/crypto/Makefile.in b/src/lib/crypto/Makefile.in index 672af7a26..39f70d8fd 100644 --- a/src/lib/crypto/Makefile.in +++ b/src/lib/crypto/Makefile.in @@ -30,6 +30,7 @@ STLIBOBJS=\ cksumtypes.o \ coll_proof_cksum.o \ crypto_libinit.o \ + default_state.o \ decrypt.o \ encrypt.o \ encrypt_length.o \ @@ -44,6 +45,7 @@ STLIBOBJS=\ nfold.o \ old_api_glue.o \ prng.o \ + state.o \ string_to_cksumtype.o \ string_to_enctype.o \ string_to_key.o \ @@ -58,6 +60,7 @@ OBJS=\ $(OUTPRE)cksumtypes.$(OBJEXT) \ $(OUTPRE)coll_proof_cksum.$(OBJEXT) \ $(OUTPRE)crypto_libinit.$(OBJEXT) \ + $(OUTPRE)default_state.$(OBJEXT) \ $(OUTPRE)decrypt.$(OBJEXT) \ $(OUTPRE)encrypt.$(OBJEXT) \ $(OUTPRE)encrypt_length.$(OBJEXT) \ @@ -72,6 +75,7 @@ OBJS=\ $(OUTPRE)nfold.$(OBJEXT) \ $(OUTPRE)old_api_glue.$(OBJEXT) \ $(OUTPRE)prng.$(OBJEXT) \ + $(OUTPRE)state.$(OBJEXT) \ $(OUTPRE)string_to_cksumtype.$(OBJEXT) \ $(OUTPRE)string_to_enctype.$(OBJEXT) \ $(OUTPRE)string_to_key.$(OBJEXT) \ @@ -86,6 +90,7 @@ SRCS=\ $(srcdir)/cksumtypes.c \ $(srcdir)/coll_proof_cksum.c \ $(srcdir)/crypto_libinit.c \ + $(srcdir)/default_state.c \ $(srcdir)/decrypt.c \ $(srcdir)/encrypt.c \ $(srcdir)/encrypt_length.c \ @@ -100,6 +105,7 @@ SRCS=\ $(srcdir)/nfold.c \ $(srcdir)/old_api_glue.c \ $(srcdir)/prng.c \ + $(srcdir)/state.c \ $(srcdir)/string_to_cksumtype.c \ $(srcdir)/string_to_enctype.c \ $(srcdir)/string_to_key.c \ diff --git a/src/lib/crypto/arcfour/ChangeLog b/src/lib/crypto/arcfour/ChangeLog index f3b4a5040..d511f8f00 100644 --- a/src/lib/crypto/arcfour/ChangeLog +++ b/src/lib/crypto/arcfour/ChangeLog @@ -1,3 +1,7 @@ +2001-11-06 Sam Hartman + + * arcfour-int.h: Structure for arcfour cipher state + 2001-10-26 Ezra Peisach * string_to_key.c (krb5_arcfour_string_to_key): Cleanup variables diff --git a/src/lib/crypto/arcfour/arcfour-int.h b/src/lib/crypto/arcfour/arcfour-int.h index b54fce1e2..398fe57a1 100644 --- a/src/lib/crypto/arcfour/arcfour-int.h +++ b/src/lib/crypto/arcfour/arcfour-int.h @@ -20,6 +20,11 @@ typedef struct unsigned char state[256]; } ArcfourContext; +typedef struct { + int initialized; + ArcfourContext ctx; +} ArcFourCipherState; + krb5_keyusage krb5int_arcfour_translate_usage(krb5_keyusage usage); diff --git a/src/lib/crypto/default_state.c b/src/lib/crypto/default_state.c new file mode 100644 index 000000000..33a189f26 --- /dev/null +++ b/src/lib/crypto/default_state.c @@ -0,0 +1,63 @@ +/* + * Copyright (C) 2001 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * Section 6 (Encryption) of the Kerberos revisions document defines + * cipher states to be used to chain encryptions and decryptions + * together. Examples of cipher states include initialization vectors + * for CBC encription. Most Kerberos encryption systems can share + * code for initializing and freeing cipher states. This file + * contains that default code. + */ + +#include "k5-int.h" + +krb5_error_code krb5int_des_init_state +(const krb5_keyblock *key, krb5_keyusage usage, krb5_data *new_state ) +{ + new_state->length = 8; + new_state->data = (void *) malloc(8); + if (new_state->data) { + memset (new_state->data, 0, new_state->length); + /* We need to copy in the key for des-cbc-cr--ick, but that's how it works*/ + if (key->enctype == ENCTYPE_DES_CBC_CRC) { + memcpy (new_state->data, key->contents, new_state->length); + } + } else { + return ENOMEM; + } + return 0; +} + +krb5_error_code krb5int_default_free_state +(krb5_data *state) +{ + if (state->data) { + free (state->data); + state-> data = NULL; + state->length = 0; + } + return 0; +} + + + diff --git a/src/lib/crypto/enc_provider/ChangeLog b/src/lib/crypto/enc_provider/ChangeLog index 4fe632c86..4b06974c2 100644 --- a/src/lib/crypto/enc_provider/ChangeLog +++ b/src/lib/crypto/enc_provider/ChangeLog @@ -1,3 +1,11 @@ +2001-11-06 Sam Hartman + + * arcfour.c (k5_arcfour_docrypt): Treat state as an + ArcFourCipherState structure; manipulate and initialize as appropriate. + (k5_arcfour_init_state): new function + + * arcfour.c des.c des3.c: Add state functions + 2001-10-23 Sam Hartman * arcfour.c (endif /* gcc inlines*/): handle inlines in an ansi-compatible manner diff --git a/src/lib/crypto/enc_provider/arcfour.c b/src/lib/crypto/enc_provider/arcfour.c index 43c71f179..28627b784 100644 --- a/src/lib/crypto/enc_provider/arcfour.c +++ b/src/lib/crypto/enc_provider/arcfour.c @@ -146,17 +146,25 @@ k5_arcfour_docrypt(krb5_const krb5_keyblock *key, krb5_const krb5_data *state, krb5_const krb5_data *input, krb5_data *output) { ArcfourContext *arcfour_ctx; + ArcFourCipherState *cipher_state; int ret; if (key->length != 16) return(KRB5_BAD_KEYSIZE); - if (state && (state->length != sizeof (ArcfourContext))) + if (state && (state->length != sizeof (ArcFourCipherState))) return(KRB5_BAD_MSIZE); if (input->length != output->length) return(KRB5_BAD_MSIZE); if (state) { - arcfour_ctx=(ArcfourContext *)state->data; + cipher_state = (ArcFourCipherState *) state->data; + arcfour_ctx=&cipher_state->ctx; + if (cipher_state->initialized == 0) { + if ((ret=k5_arcfour_init(arcfour_ctx, key->contents, key->length))) { + return ret; + } + cipher_state->initialized = 1; + } k5_arcfour_crypt(arcfour_ctx, (unsigned char *) output->data, (const unsigned char *) input->data, input->length); } else { @@ -192,6 +200,26 @@ k5_arcfour_make_key(krb5_const krb5_data *randombits, krb5_keyblock *key) return(0); } +static krb5_error_code +k5_arcfour_init_state (const krb5_keyblock *key, + krb5_keyusage keyusage, krb5_data *new_state) +{ + /* Note that we can't actually set up the state here because the key + * will change between now and when encrypt is called + * because it is data dependent. Yeah, this has strange + * properties. --SDH + */ + new_state->length = sizeof (ArcFourCipherState); + new_state->data = malloc (new_state->length); + if (new_state->data) { + memset (new_state->data, 0 , new_state->length); + /* That will set initialized to zero*/ + }else { + return (ENOMEM); + } + return 0; +} + /* Since the arcfour cipher is identical going forwards and backwards, we just call "docrypt" directly */ @@ -200,5 +228,7 @@ const struct krb5_enc_provider krb5int_enc_arcfour = { k5_arcfour_keysize, k5_arcfour_docrypt, k5_arcfour_docrypt, - k5_arcfour_make_key + k5_arcfour_make_key, + k5_arcfour_init_state, /*xxx not implemented yet*/ + krb5int_default_free_state }; diff --git a/src/lib/crypto/enc_provider/des.c b/src/lib/crypto/enc_provider/des.c index e12ddcdc9..e9ecb72e1 100644 --- a/src/lib/crypto/enc_provider/des.c +++ b/src/lib/crypto/enc_provider/des.c @@ -126,5 +126,7 @@ const struct krb5_enc_provider krb5int_enc_des = { k5_des_keysize, k5_des_encrypt, k5_des_decrypt, - k5_des_make_key + k5_des_make_key, + krb5int_des_init_state, + krb5int_default_free_state }; diff --git a/src/lib/crypto/enc_provider/des3.c b/src/lib/crypto/enc_provider/des3.c index 5f638fdba..91579c6ab 100644 --- a/src/lib/crypto/enc_provider/des3.c +++ b/src/lib/crypto/enc_provider/des3.c @@ -131,5 +131,7 @@ const struct krb5_enc_provider krb5int_enc_des3 = { k5_des3_keysize, k5_des3_encrypt, k5_des3_decrypt, - k5_des3_make_key + k5_des3_make_key, + krb5int_des_init_state, + krb5int_default_free_state }; diff --git a/src/lib/crypto/state.c b/src/lib/crypto/state.c new file mode 100644 index 000000000..30e52ef68 --- /dev/null +++ b/src/lib/crypto/state.c @@ -0,0 +1,71 @@ +/* + * lib/crypto/state.c + * + * Copyright (C) 2001 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + + * + * + * + * * Section 6 (Encryption) of the Kerberos revisions document defines + * cipher states to be used to chain encryptions and decryptions + * together. Examples of cipher states include initialization vectors + * for CBC encription. This file contains implementations of + * krb5_c_init_state and krb5_c_free_state used by clients of the + * Kerberos crypto library. + */ +#include "k5-int.h" +#include "etypes.h" + +krb5_error_code krb5_c_init_state +(krb5_context context, const krb5_keyblock *key, + krb5_keyusage keyusage, krb5_data *new_state) +{ + int i; + + for (i=0; ienctype) + break; + } + + if (i == krb5_enctypes_length) + return(KRB5_BAD_ENCTYPE); + + return (*(krb5_enctypes_list[i].enc->init_state)) + (key, keyusage, new_state); +} + +krb5_error_code krb5_c_free_state +(krb5_context context, const krb5_keyblock *key, krb5_data *state) +{ + int i; + + for (i=0; ienctype) + break; + } + + if (i == krb5_enctypes_length) + return(KRB5_BAD_ENCTYPE); + + return (*(krb5_enctypes_list[i].enc->free_state)) + (state); +} diff --git a/src/lib/crypto/t_encrypt.c b/src/lib/crypto/t_encrypt.c index 6cdfc21c6..db20210c3 100644 --- a/src/lib/crypto/t_encrypt.c +++ b/src/lib/crypto/t_encrypt.c @@ -1,5 +1,5 @@ /* - * lib/crypto/t_encrypt.c +main * lib/crypto/t_encrypt.c * * Copyright2001 by the Massachusetts Institute of Technology. * All Rights Reserved. @@ -53,9 +53,11 @@ if( retval) { \ abort(); \ } else printf ("OK\n"); -int main () { +int +main () +{ krb5_context context ; - krb5_data in, out, check; + krb5_data in, out, check, state; int i; size_t len; krb5_enc_data enc_out; @@ -85,6 +87,14 @@ int main () { krb5_c_encrypt (context, &key, 7, 0, &in, &enc_out)); test ("Decrypting", krb5_c_decrypt (context, &key, 7, 0, &enc_out, &check)); + test ("init_state", + krb5_c_init_state (context, &key, 7, &state)); + test ("Encrypting with state", + krb5_c_encrypt (context, &key, 7, &state, &in, &enc_out)); + test ("Decrypting", + krb5_c_decrypt (context, &key, 7, 0, &enc_out, &check)); + test ("free_state", + krb5_c_free_state (context, &key, &state)); } return 0; }