From: Greg Hudson Date: Fri, 4 Dec 2009 05:12:35 +0000 (+0000) Subject: Consolidate the IOV and non-IOV encryption/decryption code paths, and X-Git-Tag: krb5-1.8-alpha1~91 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=5ffa313d9f6b7c509aa0d7579273150d71ea0f95;p=krb5.git Consolidate the IOV and non-IOV encryption/decryption code paths, and drop the _iov suffix from most encryption- and decryption-related functions. The enc_provider encrypt and decrypt functions take IOVs, as do the enctype entries in etypes.c, and there are no separate encrypt_iov or decrypt_iov functions. aead_provider is gone. Enctype functions now take pointers to the enctype entry instead of pointers to the enc/hash/aead providers; this allows dk_encrypt and dk_decrypt to be polymorphic in the length function they use now that AES and DES3 can't differentiate by aead provider. aes_string_to_key needed to be moved into the krb/ fold for this since it's an enctype function; it was duplicated between builtin/ and openssl/ before. This leaves openssl/aes empty; the build system currently demands that all modules have the same directory structure, so the directory and Makefile will stick around for now. Three separate copies of the derive_random logic are also now consolidated into one. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23444 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/include/k5-int.h b/src/include/k5-int.h index 19389145a..cbe0fd9cd 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h 
@@ -647,12 +647,11 @@ struct krb5_enc_provider { keylength is the output size */ size_t block_size, keybytes, keylength; - /* cipher-state == 0 fresh state thrown away at end */ krb5_error_code (*encrypt)(krb5_key key, const krb5_data *cipher_state, - const krb5_data *input, krb5_data *output); + krb5_crypto_iov *data, size_t num_data); - krb5_error_code (*decrypt)(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output); + krb5_error_code (*decrypt)(krb5_key key, const krb5_data *cipher_state, + krb5_crypto_iov *data, size_t num_data); krb5_error_code (*make_key)(const krb5_data *randombits, krb5_keyblock *key); @@ -662,13 +661,6 @@ struct krb5_enc_provider { krb5_data *out_state); krb5_error_code (*free_state)(krb5_data *state); - /* In-place encryption/decryption of multiple buffers */ - krb5_error_code (*encrypt_iov)(krb5_key key, const krb5_data *cipher_state, - krb5_crypto_iov *data, size_t num_data); - - krb5_error_code (*decrypt_iov)(krb5_key key, const krb5_data *cipher_state, - krb5_crypto_iov *data, size_t num_data); - }; struct krb5_hash_provider { @@ -703,26 +695,6 @@ struct krb5_keyhash_provider { krb5_boolean *valid); }; -struct krb5_aead_provider { - krb5_error_code (*crypto_length)(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_cryptotype type, - unsigned int *length); - krb5_error_code (*encrypt_iov)(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage keyusage, - const krb5_data *ivec, - krb5_crypto_iov *data, size_t num_data); - krb5_error_code (*decrypt_iov)(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage keyusage, - const krb5_data *ivec, - krb5_crypto_iov *data, size_t num_data); -}; - /* * in here to deal with stuff from lib/crypto */ 
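Review bot: The `encrypt` and `decrypt` members of `struct krb5_enc_provider` end up with no comment at all: the old `/* cipher-state == 0 fresh state thrown away at end */` line is deleted, and the `/* In-place encryption/decryption of multiple buffers */` comment goes away with the `_iov` members in the next hunk. Every provider now has to implement the in-place IOV contract, so I would keep both facts on the surviving members, e.g. `/* Encrypt/decrypt data in place over num_data IOVs; a null cipher_state means a fresh state that is thrown away at the end. */`. It would also help to say which IOV types a provider must process and which it must leave untouched, since the signature does not show that. The struct begins above this hunk.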
@@ -2575,11 +2547,12 @@ krb5_error_code KRB5_CALLCONV krb5int_clean_hostname(krb5_context, const char *, char *, size_t); krb5_error_code -krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output); +krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data); + krb5_error_code -krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output); +krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data); struct _krb5_kt { /* should move into k5-int.h */ krb5_magic magic; diff --git a/src/lib/crypto/builtin/aes/Makefile.in b/src/lib/crypto/builtin/aes/Makefile.in index a8cf67051..260cc97cc 100644 --- a/src/lib/crypto/builtin/aes/Makefile.in +++ b/src/lib/crypto/builtin/aes/Makefile.in @@ -13,20 +13,17 @@ PROG_RPATH=$(KRB5_LIBDIR) STLIBOBJS=\ aescrypt.o \ aestab.o \ - aeskey.o \ - aes_s2k.o + aeskey.o OBJS=\ $(OUTPRE)aescrypt.$(OBJEXT) \ $(OUTPRE)aestab.$(OBJEXT) \ - $(OUTPRE)aeskey.$(OBJEXT) \ - $(OUTPRE)aes_s2k.$(OBJEXT) + $(OUTPRE)aeskey.$(OBJEXT) SRCS=\ $(srcdir)/aescrypt.c \ $(srcdir)/aestab.c \ $(srcdir)/aeskey.c \ - $(srcdir)/aes_s2k.c GEN_OBJS=\ $(OUTPRE)aescrypt.$(OBJEXT) \ diff --git a/src/lib/crypto/builtin/aes/aes_s2k.c b/src/lib/crypto/builtin/aes/aes_s2k.c deleted file mode 100644 index 5ad6f9b90..000000000 --- a/src/lib/crypto/builtin/aes/aes_s2k.c +++ /dev/null 
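Review bot: In the `SRCS=` list of builtin/aes/Makefile.in, removing `$(srcdir)/aes_s2k.c` leaves `$(srcdir)/aeskey.c \` as the last entry with its trailing backslash still in place. The `STLIBOBJS` and `OBJS` lists in the same hunk did drop the backslash from their new last entry. The continuation currently runs into what appears to be a blank line, so make accepts it, but if that blank line is ever removed `GEN_OBJS=\` gets folded into `SRCS`. The last entry should read `$(srcdir)/aeskey.c`.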
@@ -1,92 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * lib/crypto/aes/aes_s2k.c - * - * Copyright 2003 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. 
- * - * - * krb5int_aes_string_to_key - */ - -#include "k5-int.h" -#include "dk.h" -#include "aes_s2k.h" - -#define DEFAULT_ITERATION_COUNT 4096 /* was 0xb000L in earlier drafts */ -#define MAX_ITERATION_COUNT 0x1000000L - -krb5_error_code -krb5int_aes_string_to_key(const struct krb5_enc_provider *enc, - const krb5_data *string, - const krb5_data *salt, - const krb5_data *params, - krb5_keyblock *key) -{ - unsigned long iter_count; - krb5_data out; - static const krb5_data usage = { KV5M_DATA, 8, "kerberos" }; - krb5_key tempkey = NULL; - krb5_error_code err; - - if (params) { - unsigned char *p = (unsigned char *) params->data; - if (params->length != 4) - return KRB5_ERR_BAD_S2K_PARAMS; - /* The first two need casts in case 'int' is 16 bits. */ - iter_count = load_32_be(p); - if (iter_count == 0) { - iter_count = (1UL << 16) << 16; - if (((iter_count >> 16) >> 16) != 1) - return KRB5_ERR_BAD_S2K_PARAMS; - } - } else - iter_count = DEFAULT_ITERATION_COUNT; - - /* This is not a protocol specification constraint; this is an - implementation limit, which should eventually be controlled by - a config file. */ - if (iter_count >= MAX_ITERATION_COUNT) - return KRB5_ERR_BAD_S2K_PARAMS; - - /* Use the output keyblock contents for temporary space. */ - out.data = (char *) key->contents; - out.length = key->length; - if (out.length != 16 && out.length != 32) - return KRB5_CRYPTO_INTERNAL; - - err = krb5int_pbkdf2_hmac_sha1 (&out, iter_count, string, salt); - if (err) - goto cleanup; - - err = krb5_k_create_key (NULL, key, &tempkey); - if (err) - goto cleanup; - - err = krb5int_derive_keyblock (enc, tempkey, key, &usage); - -cleanup: - if (err) - memset (out.data, 0, out.length); - krb5_k_free_key (NULL, tempkey); - return err; -} diff --git a/src/lib/crypto/builtin/aes/aes_s2k.h b/src/lib/crypto/builtin/aes/aes_s2k.h deleted file mode 100644 index f9bb1fec1..000000000 --- a/src/lib/crypto/builtin/aes/aes_s2k.h +++ /dev/null 
@@ -1,10 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * lib/crypto/openssl/aes/aes_s2k.h - */ - - -extern krb5_error_code -krb5int_aes_string_to_key (const struct krb5_enc_provider *, - const krb5_data *, const krb5_data *, - const krb5_data *, krb5_keyblock *key); diff --git a/src/lib/crypto/builtin/aes/deps b/src/lib/crypto/builtin/aes/deps index 2db138343..7ce4e8416 100644 --- a/src/lib/crypto/builtin/aes/deps +++ b/src/lib/crypto/builtin/aes/deps @@ -8,14 +8,3 @@ aestab.so aestab.po $(OUTPRE)aestab.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ aes.h aesopt.h aestab.c uitypes.h aeskey.so aeskey.po $(OUTPRE)aeskey.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ aes.h aeskey.c aesopt.h uitypes.h -aes_s2k.so aes_s2k.po $(OUTPRE)aes_s2k.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/dk/dk.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - aes_s2k.c aes_s2k.h diff --git a/src/lib/crypto/builtin/deps b/src/lib/crypto/builtin/deps index ffa962a33..a5d53a9d5 100644 --- a/src/lib/crypto/builtin/deps +++ b/src/lib/crypto/builtin/deps 
@@ -4,14 +4,15 @@ hmac.so hmac.po $(OUTPRE)hmac.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../krb/aead.h \ - $(srcdir)/../krb/cksumtypes.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ - $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h hmac.c + $(srcdir)/../krb/cksumtypes.h $(srcdir)/../krb/etypes.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + hmac.c pbkdf2.so pbkdf2.po $(OUTPRE)pbkdf2.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/hash_provider/hash_provider.h \ diff --git a/src/lib/crypto/builtin/des/Makefile.in b/src/lib/crypto/builtin/des/Makefile.in index 9a2f68252..ff5e3fad0 100644 --- a/src/lib/crypto/builtin/des/Makefile.in +++ b/src/lib/crypto/builtin/des/Makefile.in 
@@ -14,11 +14,9 @@ PROG_RPATH=$(KRB5_LIBDIR) STLIBOBJS=\ afsstring2key.o \ - d3_cbc.o \ d3_aead.o \ d3_kysched.o \ f_aead.o \ - f_cbc.o \ f_cksum.o \ f_parity.o \ f_sched.o \ @@ -28,11 +26,9 @@ STLIBOBJS=\ weak_key.o OBJS= $(OUTPRE)afsstring2key.$(OBJEXT) \ - $(OUTPRE)d3_cbc.$(OBJEXT) \ $(OUTPRE)d3_aead.$(OBJEXT) \ $(OUTPRE)d3_kysched.$(OBJEXT) \ $(OUTPRE)f_aead.$(OBJEXT) \ - $(OUTPRE)f_cbc.$(OBJEXT) \ $(OUTPRE)f_cksum.$(OBJEXT) \ $(OUTPRE)f_parity.$(OBJEXT) \ $(OUTPRE)f_sched.$(OBJEXT) \ @@ -42,11 +38,9 @@ OBJS= $(OUTPRE)afsstring2key.$(OBJEXT) \ $(OUTPRE)weak_key.$(OBJEXT) SRCS= $(srcdir)/afsstring2key.c \ - $(srcdir)/d3_cbc.c \ $(srcdir)/d3_aead.c \ $(srcdir)/d3_kysched.c \ $(srcdir)/f_aead.c \ - $(srcdir)/f_cbc.c \ $(srcdir)/f_cksum.c \ $(srcdir)/f_parity.c \ $(srcdir)/f_sched.c \ @@ -55,7 +49,7 @@ SRCS= $(srcdir)/afsstring2key.c \ $(srcdir)/weak_key.c \ $(srcdir)/string2key.c -EXTRADEPSRCS = $(SRCDIR)destest.c +EXTRADEPSRCS = $(srcdir)/destest.c $(srcdir)/f_cbc.c $(srcdir)/t_verify.c ##DOS##LIBOBJS = $(OBJS) diff --git a/src/lib/crypto/builtin/des/d3_aead.c b/src/lib/crypto/builtin/des/d3_aead.c index 549a27fd9..4052a4058 100644 --- a/src/lib/crypto/builtin/des/d3_aead.c +++ b/src/lib/crypto/builtin/des/d3_aead.c @@ -27,12 +27,11 @@ #include "aead.h" void -krb5int_des3_cbc_encrypt_iov(krb5_crypto_iov *data, - unsigned long num_data, - const mit_des_key_schedule ks1, - const mit_des_key_schedule ks2, - const mit_des_key_schedule ks3, - mit_des_cblock ivec) +krb5int_des3_cbc_encrypt(krb5_crypto_iov *data, unsigned long num_data, + const mit_des_key_schedule ks1, + const mit_des_key_schedule ks2, + const mit_des_key_schedule ks3, + mit_des_cblock ivec) { unsigned DES_INT32 left, right; const unsigned DES_INT32 *kp1, *kp2, *kp3; 
@@ -89,12 +88,11 @@ krb5int_des3_cbc_encrypt_iov(krb5_crypto_iov *data, } void -krb5int_des3_cbc_decrypt_iov(krb5_crypto_iov *data, - unsigned long num_data, - const mit_des_key_schedule ks1, - const mit_des_key_schedule ks2, - const mit_des_key_schedule ks3, - mit_des_cblock ivec) +krb5int_des3_cbc_decrypt(krb5_crypto_iov *data, unsigned long num_data, + const mit_des_key_schedule ks1, + const mit_des_key_schedule ks2, + const mit_des_key_schedule ks3, + mit_des_cblock ivec) { unsigned DES_INT32 left, right; const unsigned DES_INT32 *kp1, *kp2, *kp3; diff --git a/src/lib/crypto/builtin/des/d3_cbc.c b/src/lib/crypto/builtin/des/d3_cbc.c deleted file mode 100644 index ea3cb436b..000000000 --- a/src/lib/crypto/builtin/des/d3_cbc.c +++ /dev/null 
@@ -1,224 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright 1995 by Richard P. Basch. All Rights Reserved. - * Copyright 1995 by Lehman Brothers, Inc. All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of Richard P. Basch, Lehman Brothers and M.I.T. not be used - * in advertising or publicity pertaining to distribution of the software - * without specific, written prior permission. Richard P. Basch, - * Lehman Brothers and M.I.T. make no representations about the suitability - * of this software for any purpose. It is provided "as is" without - * express or implied warranty. - */ - -#include "des_int.h" -#include "f_tables.h" - -/* - * Triple-DES CBC encryption mode. 
- */ - -#undef mit_des3_cbc_encrypt -int -mit_des3_cbc_encrypt(const mit_des_cblock *in, mit_des_cblock *out, - unsigned long length, const mit_des_key_schedule ks1, - const mit_des_key_schedule ks2, - const mit_des_key_schedule ks3, - const mit_des_cblock ivec, int enc) -{ - if (enc) - krb5int_des3_cbc_encrypt(in, out, length, ks1, ks2, ks3, ivec); - else - krb5int_des3_cbc_decrypt(in, out, length, ks1, ks2, ks3, ivec); - return 0; -} - -void -krb5int_des3_cbc_encrypt(const mit_des_cblock *in, - mit_des_cblock *out, - unsigned long length, - const mit_des_key_schedule ks1, - const mit_des_key_schedule ks2, - const mit_des_key_schedule ks3, - const mit_des_cblock ivec) -{ - unsigned DES_INT32 left, right; - const unsigned DES_INT32 *kp1, *kp2, *kp3; - const unsigned char *ip; - unsigned char *op; - - /* - * Get key pointer here. This won't need to be reinitialized - */ - kp1 = (const unsigned DES_INT32 *)ks1; - kp2 = (const unsigned DES_INT32 *)ks2; - kp3 = (const unsigned DES_INT32 *)ks3; - - /* - * Initialize left and right with the contents of the initial - * vector. - */ - ip = ivec; - GET_HALF_BLOCK(left, ip); - GET_HALF_BLOCK(right, ip); - - /* - * Suitably initialized, now work the length down 8 bytes - * at a time. - */ - ip = *in; - op = *out; - while (length > 0) { - /* - * Get more input, xor it in. If the length is - * greater than or equal to 8 this is straight - * forward. Otherwise we have to fart around. - */ - if (length >= 8) { - unsigned DES_INT32 temp; - GET_HALF_BLOCK(temp, ip); - left ^= temp; - GET_HALF_BLOCK(temp, ip); - right ^= temp; - length -= 8; - } else { - /* - * Oh, shoot. We need to pad the - * end with zeroes. Work backwards - * to do this. 
- */ - ip += (int) length; - switch(length) { - case 7: right ^= (*(--ip) & FF_UINT32) << 8; - case 6: right ^= (*(--ip) & FF_UINT32) << 16; - case 5: right ^= (*(--ip) & FF_UINT32) << 24; - case 4: left ^= *(--ip) & FF_UINT32; - case 3: left ^= (*(--ip) & FF_UINT32) << 8; - case 2: left ^= (*(--ip) & FF_UINT32) << 16; - case 1: left ^= (*(--ip) & FF_UINT32) << 24; - - } - length = 0; - } - - /* - * Encrypt what we have - */ - DES_DO_ENCRYPT(left, right, kp1); - DES_DO_DECRYPT(left, right, kp2); - DES_DO_ENCRYPT(left, right, kp3); - - /* - * Copy the results out - */ - PUT_HALF_BLOCK(left, op); - PUT_HALF_BLOCK(right, op); - } -} - -void -krb5int_des3_cbc_decrypt(const mit_des_cblock *in, - mit_des_cblock *out, - unsigned long length, - const mit_des_key_schedule ks1, - const mit_des_key_schedule ks2, - const mit_des_key_schedule ks3, - const mit_des_cblock ivec) -{ - unsigned DES_INT32 left, right; - const unsigned DES_INT32 *kp1, *kp2, *kp3; - const unsigned char *ip; - unsigned char *op; - unsigned DES_INT32 ocipherl, ocipherr; - unsigned DES_INT32 cipherl, cipherr; - - /* - * Get key pointer here. This won't need to be reinitialized - */ - kp1 = (const unsigned DES_INT32 *)ks1; - kp2 = (const unsigned DES_INT32 *)ks2; - kp3 = (const unsigned DES_INT32 *)ks3; - - /* - * Decrypting is harder than encrypting because of - * the necessity of remembering a lot more things. - * Should think about this a little more... - */ - - if (length <= 0) - return; - - /* - * Prime the old cipher with ivec. - */ - ip = ivec; - GET_HALF_BLOCK(ocipherl, ip); - GET_HALF_BLOCK(ocipherr, ip); - - /* - * Now do this in earnest until we run out of length. - */ - ip = *in; - op = *out; - for (;;) { /* check done inside loop */ - /* - * Read a block from the input into left and - * right. Save this cipher block for later. - */ - GET_HALF_BLOCK(left, ip); - GET_HALF_BLOCK(right, ip); - cipherl = left; - cipherr = right; - - /* - * Decrypt this. 
- */ - DES_DO_DECRYPT(left, right, kp3); - DES_DO_ENCRYPT(left, right, kp2); - DES_DO_DECRYPT(left, right, kp1); - - /* - * Xor with the old cipher to get plain - * text. Output 8 or less bytes of this. - */ - left ^= ocipherl; - right ^= ocipherr; - if (length > 8) { - length -= 8; - PUT_HALF_BLOCK(left, op); - PUT_HALF_BLOCK(right, op); - /* - * Save current cipher block here - */ - ocipherl = cipherl; - ocipherr = cipherr; - } else { - /* - * Trouble here. Start at end of output, - * work backwards. - */ - op += (int) length; - switch(length) { - case 8: *(--op) = (unsigned char) (right & 0xff); - case 7: *(--op) = (unsigned char) ((right >> 8) & 0xff); - case 6: *(--op) = (unsigned char) ((right >> 16) & 0xff); - case 5: *(--op) = (unsigned char) ((right >> 24) & 0xff); - case 4: *(--op) = (unsigned char) (left & 0xff); - case 3: *(--op) = (unsigned char) ((left >> 8) & 0xff); - case 2: *(--op) = (unsigned char) ((left >> 16) & 0xff); - case 1: *(--op) = (unsigned char) ((left >> 24) & 0xff); - } - break; /* we're done */ - } - } -} diff --git a/src/lib/crypto/builtin/des/deps b/src/lib/crypto/builtin/des/deps index 7e85bc1f7..7041f2918 100644 --- a/src/lib/crypto/builtin/des/deps +++ b/src/lib/crypto/builtin/des/deps 
@@ -12,29 +12,18 @@ afsstring2key.so afsstring2key.po $(OUTPRE)afsstring2key.$(OBJEXT): \ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ afsstring2key.c des_int.h -d3_cbc.so d3_cbc.po $(OUTPRE)d3_cbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ - $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h d3_cbc.c des_int.h \ - f_tables.h d3_aead.so d3_aead.po $(OUTPRE)d3_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \ - $(srcdir)/../../krb/cksumtypes.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ - $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h d3_aead.c des_int.h \ - f_tables.h + $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/etypes.h \ + $(top_srcdir)/include/k5-buf.h 
$(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + d3_aead.c des_int.h f_tables.h d3_kysched.so d3_kysched.po $(OUTPRE)d3_kysched.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
@@ -49,26 +38,15 @@ d3_kysched.so d3_kysched.po $(OUTPRE)d3_kysched.$(OBJEXT): \ f_aead.so f_aead.po $(OUTPRE)f_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \ - $(srcdir)/../../krb/cksumtypes.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ - $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h des_int.h f_aead.c \ - f_tables.h -f_cbc.so f_cbc.po $(OUTPRE)f_cbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ - $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h des_int.h f_cbc.c \ - f_tables.h + $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/etypes.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h 
$(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + des_int.h f_aead.c f_tables.h f_cksum.so f_cksum.po $(OUTPRE)f_cksum.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ 
@@ -155,3 +133,25 @@ destest.so destest.po $(OUTPRE)destest.$(OBJEXT): $(BUILDTOP)/include/autoconf.h $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ $(top_srcdir)/include/socket-utils.h des_int.h destest.c +f_cbc.so f_cbc.po $(OUTPRE)f_cbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ + $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h des_int.h f_cbc.c \ + f_tables.h +t_verify.so t_verify.po $(OUTPRE)t_verify.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + des_int.h t_verify.c diff --git a/src/lib/crypto/builtin/des/des_int.h b/src/lib/crypto/builtin/des/des_int.h index ffa71238b..9dd599453 100644 
--- a/src/lib/crypto/builtin/des/des_int.h +++ b/src/lib/crypto/builtin/des/des_int.h @@ -165,15 +165,11 @@ unsigned long mit_des_cbc_cksum(const krb5_octet *, krb5_octet *, unsigned long, const mit_des_key_schedule, const krb5_octet *); -/* f_ecb.c */ -int mit_des_ecb_encrypt(const mit_des_cblock *, mit_des_cblock *, - mit_des_key_schedule, int ); - -/* f_cbc.c */ -int mit_des_cbc_encrypt(const mit_des_cblock *in, mit_des_cblock *out, - unsigned long length, - const mit_des_key_schedule schedule, - const mit_des_cblock ivec, int enc); +/* f_cbc.c (used by test programs) */ +int +mit_des_cbc_encrypt(const mit_des_cblock *in, mit_des_cblock *out, + unsigned long length, const mit_des_key_schedule schedule, + const mit_des_cblock ivec, int enc); #define mit_des_zeroblock krb5int_c_mit_des_zeroblock extern const mit_des_cblock mit_des_zeroblock; 
@@ -243,85 +239,29 @@ extern unsigned long swap_long_bytes_bit_number(unsigned long); extern void test_set(FILE *, const char *, int, const char *, int); #endif -/* d3_ecb.c */ -extern int mit_des3_ecb_encrypt(const mit_des_cblock *in, mit_des_cblock *out, - mit_des_key_schedule sched1, - mit_des_key_schedule sched2, - mit_des_key_schedule sched3, int enc); - -/* d3_cbc.c */ -extern int mit_des3_cbc_encrypt(const mit_des_cblock *in, mit_des_cblock *out, - unsigned long length, - const mit_des_key_schedule ks1, - const mit_des_key_schedule ks2, - const mit_des_key_schedule ks3, - const mit_des_cblock ivec, int enc); - void -krb5int_des3_cbc_encrypt(const mit_des_cblock *in, - mit_des_cblock *out, - unsigned long length, +krb5int_des3_cbc_encrypt(krb5_crypto_iov *data, unsigned long num_data, const mit_des_key_schedule ks1, const mit_des_key_schedule ks2, const mit_des_key_schedule ks3, - const mit_des_cblock ivec); + mit_des_cblock ivec); + void -krb5int_des3_cbc_decrypt(const mit_des_cblock *in, - mit_des_cblock *out, - unsigned long length, +krb5int_des3_cbc_decrypt(krb5_crypto_iov *data, unsigned long num_data, const mit_des_key_schedule ks1, const mit_des_key_schedule ks2, const mit_des_key_schedule ks3, - const mit_des_cblock ivec); - -void -krb5int_des3_cbc_encrypt_iov(krb5_crypto_iov *data, - unsigned long num_data, - const mit_des_key_schedule ks1, - const mit_des_key_schedule ks2, - const mit_des_key_schedule ks3, - mit_des_cblock ivec); - -void -krb5int_des3_cbc_decrypt_iov(krb5_crypto_iov *data, - unsigned long num_data, - const mit_des_key_schedule ks1, - const mit_des_key_schedule ks2, - const mit_des_key_schedule ks3, - mit_des_cblock ivec); - -#define mit_des3_cbc_encrypt(in,out,length,ks1,ks2,ks3,ivec,enc) \ - ((enc ? 
krb5int_des3_cbc_encrypt : krb5int_des3_cbc_decrypt) \ - (in, out, length, ks1, ks2, ks3, ivec), 0) + mit_des_cblock ivec); void -krb5int_des_cbc_encrypt(const mit_des_cblock *in, - mit_des_cblock *out, - unsigned long length, - const mit_des_key_schedule schedule, - const mit_des_cblock ivec); -void -krb5int_des_cbc_decrypt(const mit_des_cblock *in, - mit_des_cblock *out, - unsigned long length, +krb5int_des_cbc_encrypt(krb5_crypto_iov *data, unsigned long num_data, const mit_des_key_schedule schedule, - const mit_des_cblock ivec); - -#define mit_des_cbc_encrypt(in,out,length,schedule,ivec,enc) \ - ((enc ? krb5int_des_cbc_encrypt : krb5int_des_cbc_decrypt) \ - (in, out, length, schedule, ivec), 0) - -void -krb5int_des_cbc_encrypt_iov(krb5_crypto_iov *data, - unsigned long num_data, - const mit_des_key_schedule schedule, - mit_des_cblock ivec); + mit_des_cblock ivec); void -krb5int_des_cbc_decrypt_iov(krb5_crypto_iov *data, - unsigned long num_data, - const mit_des_key_schedule schedule, - mit_des_cblock ivec); +krb5int_des_cbc_decrypt(krb5_crypto_iov *data, unsigned long num_data, + const mit_des_key_schedule schedule, + mit_des_cblock ivec); /* d3_procky.c */ krb5_error_code mit_des3_process_key(krb5_encrypt_block *eblock, diff --git a/src/lib/crypto/builtin/des/f_aead.c b/src/lib/crypto/builtin/des/f_aead.c index 1b92e0538..3f4fbae82 100644 --- a/src/lib/crypto/builtin/des/f_aead.c +++ b/src/lib/crypto/builtin/des/f_aead.c @@ -26,11 +26,12 @@ #include "f_tables.h" #include "aead.h" +const mit_des_cblock mit_des_zeroblock /* = all zero */; + void -krb5int_des_cbc_encrypt_iov(krb5_crypto_iov *data, - unsigned long num_data, - const mit_des_key_schedule schedule, - mit_des_cblock ivec) +krb5int_des_cbc_encrypt(krb5_crypto_iov *data, unsigned long num_data, + const mit_des_key_schedule schedule, + mit_des_cblock ivec) { unsigned DES_INT32 left, right; const unsigned DES_INT32 *kp; 
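Review bot: The four CBC prototypes in des_int.h reuse the names of the old buffer-based functions but now take `mit_des_cblock ivec` without `const`, and nothing in the header says whether the IV is written back. If the IOV implementations store the final chaining block into `ivec` (the dropped qualifier suggests so; the bodies are outside this hunk), a caller that passes a shared constant such as `mit_des_zeroblock` would be discarding `const` on an object that is then modified. I would add a comment above the declarations, e.g. `/* Process the IOV array in place; ivec is updated with the last cipher block for chaining. */`, once that is confirmed against d3_aead.c and f_aead.c. Separately, `unsigned long num_data` here differs from the `size_t num_data` used by the enc_provider callbacks in k5-int.h; `size_t` would keep the two layers consistent.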
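Review bot: `mit_des_zeroblock` is now defined in f_aead.c, but f_cbc.c still carries the same `const mit_des_cblock mit_des_zeroblock /* = all zero */;` line, which shows as unchanged context in the f_cbc.c hunk. Both are tentative definitions with no initializer, so a test program that links f_cbc.o together with the library would see two definitions of one symbol, and that only links where the toolchain merges common symbols. Dropping the line from f_cbc.c and giving the remaining definition an explicit initializer, `const mit_des_cblock mit_des_zeroblock = { 0 };`, removes that dependency. The `krb5int_des_do_encrypt_2` and `krb5int_des_do_decrypt_2` wrappers added at the end of f_aead.c raise the same question if f_cbc.c keeps its own copies; that part of f_cbc.c is not visible here.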
@@ -83,10 +84,9 @@ krb5int_des_cbc_encrypt_iov(krb5_crypto_iov *data, } void -krb5int_des_cbc_decrypt_iov(krb5_crypto_iov *data, - unsigned long num_data, - const mit_des_key_schedule schedule, - mit_des_cblock ivec) +krb5int_des_cbc_decrypt(krb5_crypto_iov *data, unsigned long num_data, + const mit_des_key_schedule schedule, + mit_des_cblock ivec) { unsigned DES_INT32 left, right; const unsigned DES_INT32 *kp; @@ -151,3 +151,19 @@ krb5int_des_cbc_decrypt_iov(krb5_crypto_iov *data, PUT_HALF_BLOCK(ocipherr, ptr); } } + +#if defined(CONFIG_SMALL) && !defined(CONFIG_SMALL_NO_CRYPTO) +void krb5int_des_do_encrypt_2 (unsigned DES_INT32 *left, + unsigned DES_INT32 *right, + const unsigned DES_INT32 *kp) +{ + DES_DO_ENCRYPT_1 (*left, *right, kp); +} + +void krb5int_des_do_decrypt_2 (unsigned DES_INT32 *left, + unsigned DES_INT32 *right, + const unsigned DES_INT32 *kp) +{ + DES_DO_DECRYPT_1 (*left, *right, kp); +} +#endif diff --git a/src/lib/crypto/builtin/des/f_cbc.c b/src/lib/crypto/builtin/des/f_cbc.c index c7e1f22d5..887740bc1 100644 --- a/src/lib/crypto/builtin/des/f_cbc.c +++ b/src/lib/crypto/builtin/des/f_cbc.c @@ -24,7 +24,8 @@ * this software for any purpose. It is provided "as is" without express * or implied warranty. * - * DES implementation donated by Dennis Ferguson + * CBC functions; used only by the test programs at this time. (krb5 uses the + * functions in f_aead.c instead.) */ /* 
@@ -58,28 +59,10 @@ const mit_des_cblock mit_des_zeroblock /* = all zero */; -#undef mit_des_cbc_encrypt -int -mit_des_cbc_encrypt(const mit_des_cblock *in, mit_des_cblock *out, - unsigned long length, const mit_des_key_schedule schedule, - const mit_des_cblock ivec, int enc) -{ - /* - * Deal with encryption and decryption separately. - */ - if (enc) - krb5int_des_cbc_encrypt(in, out, length, schedule, ivec); - else - krb5int_des_cbc_decrypt(in, out, length, schedule, ivec); - return 0; -} - -void -krb5int_des_cbc_encrypt(const mit_des_cblock *in, - mit_des_cblock *out, - unsigned long length, - const mit_des_key_schedule schedule, - const mit_des_cblock ivec) +static void +des_cbc_encrypt(const mit_des_cblock *in, mit_des_cblock *out, + unsigned long length, const mit_des_key_schedule schedule, + const mit_des_cblock ivec) { unsigned DES_INT32 left, right; const unsigned DES_INT32 *kp; @@ -158,12 +141,10 @@ krb5int_des_cbc_encrypt(const mit_des_cblock *in, } } -void -krb5int_des_cbc_decrypt(const mit_des_cblock *in, - mit_des_cblock *out, - unsigned long length, - const mit_des_key_schedule schedule, - const mit_des_cblock ivec) +static void +des_cbc_decrypt(const mit_des_cblock *in, mit_des_cblock *out, + unsigned long length, const mit_des_key_schedule schedule, + const mit_des_cblock ivec) { unsigned DES_INT32 left, right; const unsigned DES_INT32 *kp; 
@@ -258,18 +239,17 @@ krb5int_des_cbc_decrypt(const mit_des_cblock *in, } } -#if defined(CONFIG_SMALL) && !defined(CONFIG_SMALL_NO_CRYPTO) -void krb5int_des_do_encrypt_2 (unsigned DES_INT32 *left, - unsigned DES_INT32 *right, - const unsigned DES_INT32 *kp) -{ - DES_DO_ENCRYPT_1 (*left, *right, kp); -} - -void krb5int_des_do_decrypt_2 (unsigned DES_INT32 *left, - unsigned DES_INT32 *right, - const unsigned DES_INT32 *kp) +int +mit_des_cbc_encrypt(const mit_des_cblock *in, mit_des_cblock *out, + unsigned long length, const mit_des_key_schedule schedule, + const mit_des_cblock ivec, int enc) { - DES_DO_DECRYPT_1 (*left, *right, kp); + /* + * Deal with encryption and decryption separately. + */ + if (enc) + des_cbc_encrypt(in, out, length, schedule, ivec); + else + des_cbc_decrypt(in, out, length, schedule, ivec); + return 0; } -#endif diff --git a/src/lib/crypto/builtin/enc_provider/aes.c b/src/lib/crypto/builtin/enc_provider/aes.c index 2a23f7ba0..d482724ca 100644 --- a/src/lib/crypto/builtin/enc_provider/aes.c +++ b/src/lib/crypto/builtin/enc_provider/aes.c 
@@ -73,134 +73,14 @@ xorblock(unsigned char *out, const unsigned char *in) } krb5_error_code -krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) -{ - aes_ctx ctx; - unsigned char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE]; - int nblocks = 0, blockno; - const unsigned char *idata = (const unsigned char *) input->data; - unsigned char *odata = (unsigned char *) output->data; - -/* CHECK_SIZES; */ - - if (aes_enc_key(key->keyblock.contents, key->keyblock.length, - &ctx) != aes_good) - abort(); - - if (ivec) - memcpy(tmp, ivec->data, BLOCK_SIZE); - else - memset(tmp, 0, BLOCK_SIZE); - - nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE; - - if (nblocks == 1) { - /* XXX Used for DK function. */ - enc(odata, idata, &ctx); - } else { - unsigned int nleft; - - for (blockno = 0; blockno < nblocks - 2; blockno++) { - xorblock(tmp, idata + blockno * BLOCK_SIZE); - enc(tmp2, tmp, &ctx); - memcpy(odata + blockno * BLOCK_SIZE, tmp2, BLOCK_SIZE); - - /* Set up for next block. */ - memcpy(tmp, tmp2, BLOCK_SIZE); - } - /* Do final CTS step for last two blocks (the second of which - may or may not be incomplete). 
*/ - xorblock(tmp, idata + (nblocks - 2) * BLOCK_SIZE); - enc(tmp2, tmp, &ctx); - nleft = input->length - (nblocks - 1) * BLOCK_SIZE; - memcpy(odata + (nblocks - 1) * BLOCK_SIZE, tmp2, nleft); - memcpy(tmp, tmp2, BLOCK_SIZE); - - memset(tmp3, 0, sizeof(tmp3)); - memcpy(tmp3, idata + (nblocks - 1) * BLOCK_SIZE, nleft); - xorblock(tmp, tmp3); - enc(tmp2, tmp, &ctx); - memcpy(odata + (nblocks - 2) * BLOCK_SIZE, tmp2, BLOCK_SIZE); - if (ivec) - memcpy(ivec->data, tmp2, BLOCK_SIZE); - } - - return 0; -} - -krb5_error_code -krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) -{ - aes_ctx ctx; - unsigned char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE]; - int nblocks = 0, blockno; - const unsigned char *idata = (const unsigned char *) input->data; - unsigned char *odata = (unsigned char *) output->data; - - CHECK_SIZES; - - if (aes_dec_key(key->keyblock.contents, key->keyblock.length, - &ctx) != aes_good) - abort(); - - if (ivec) - memcpy(tmp, ivec->data, BLOCK_SIZE); - else - memset(tmp, 0, BLOCK_SIZE); - - nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE; - - if (nblocks == 1) { - if (input->length < BLOCK_SIZE) - abort(); - dec(odata, idata, &ctx); - } else { - - for (blockno = 0; blockno < nblocks - 2; blockno++) { - dec(tmp2, idata + blockno * BLOCK_SIZE, &ctx); - xorblock(tmp2, tmp); - memcpy(odata + blockno * BLOCK_SIZE, tmp2, BLOCK_SIZE); - memcpy(tmp, idata + blockno * BLOCK_SIZE, BLOCK_SIZE); - } - /* Do last two blocks, the second of which (next-to-last block - of plaintext) may be incomplete. */ - dec(tmp2, idata + (nblocks - 2) * BLOCK_SIZE, &ctx); - /* Set tmp3 to last ciphertext block, padded. */ - memset(tmp3, 0, sizeof(tmp3)); - memcpy(tmp3, idata + (nblocks - 1) * BLOCK_SIZE, - input->length - (nblocks - 1) * BLOCK_SIZE); - /* Set tmp2 to last (possibly partial) plaintext block, and - save it. 
*/ - xorblock(tmp2, tmp3); - memcpy(odata + (nblocks - 1) * BLOCK_SIZE, tmp2, - input->length - (nblocks - 1) * BLOCK_SIZE); - /* Maybe keep the trailing part, and copy in the last - ciphertext block. */ - memcpy(tmp2, tmp3, input->length - (nblocks - 1) * BLOCK_SIZE); - /* Decrypt, to get next to last plaintext block xor previous - ciphertext. */ - dec(tmp3, tmp2, &ctx); - xorblock(tmp3, tmp); - memcpy(odata + (nblocks - 2) * BLOCK_SIZE, tmp3, BLOCK_SIZE); - if (ivec) - memcpy(ivec->data, idata + (nblocks - 2) * BLOCK_SIZE, BLOCK_SIZE); - } - - return 0; -} - -static krb5_error_code -krb5int_aes_encrypt_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data) { aes_ctx ctx; unsigned char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE]; int nblocks = 0, blockno; size_t input_length, i; + struct iov_block_state input_pos, output_pos; if (aes_enc_key(key->keyblock.contents, key->keyblock.length, &ctx) != aes_good) @@ -218,17 +98,17 @@ krb5int_aes_encrypt_iov(krb5_key key, input_length += iov->data.length; } - nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; - - assert(nblocks > 1); + IOV_BLOCK_STATE_INIT(&input_pos); + IOV_BLOCK_STATE_INIT(&output_pos); - { + nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; + if (nblocks == 1) { + krb5int_c_iov_get_block(tmp, BLOCK_SIZE, data, num_data, &input_pos); + enc(tmp2, tmp, &ctx); + krb5int_c_iov_put_block(data, num_data, tmp2, BLOCK_SIZE, &output_pos); + } else if (nblocks > 1) { unsigned char blockN2[BLOCK_SIZE]; /* second last */ unsigned char blockN1[BLOCK_SIZE]; /* last block */ - struct iov_block_state input_pos, output_pos; - - IOV_BLOCK_STATE_INIT(&input_pos); - IOV_BLOCK_STATE_INIT(&output_pos); for (blockno = 0; blockno < nblocks - 2; blockno++) { unsigned char blockN[BLOCK_SIZE], *block; 
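Review bot: The new `nblocks == 1` branch in krb5int_aes_encrypt (hunk `@@ -218,17 +98,17 @@`) is taken for any total input length from 1 to BLOCK_SIZE, yet it always fetches and stores a full BLOCK_SIZE block. The non-IOV decrypt removed by this commit had `if (input->length < BLOCK_SIZE) abort();` for the short case, and nothing visible replaces it; how krb5int_c_iov_get_block treats a short input is not shown on this page. A guard such as `if (input_length < BLOCK_SIZE) return KRB5_BAD_MSIZE;` ahead of the branch would make the contract explicit, provided no caller relies on short single blocks. The same gap is in the matching branch of krb5int_aes_decrypt in the following hunks, and a zero-length input now falls through both arms silently where the old IOV code asserted. The function body starts and ends outside this hunk.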
@@ -278,17 +158,16 @@ krb5int_aes_encrypt_iov(krb5_key key, return 0; } -static krb5_error_code -krb5int_aes_decrypt_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +krb5_error_code +krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data) { aes_ctx ctx; unsigned char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE]; int nblocks = 0, blockno; unsigned int i; size_t input_length; + struct iov_block_state input_pos, output_pos; CHECK_SIZES; @@ -308,17 +187,17 @@ krb5int_aes_decrypt_iov(krb5_key key, input_length += iov->data.length; } - nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; - - assert(nblocks > 1); + IOV_BLOCK_STATE_INIT(&input_pos); + IOV_BLOCK_STATE_INIT(&output_pos); - { + nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; + if (nblocks == 1) { + krb5int_c_iov_get_block(tmp, BLOCK_SIZE, data, num_data, &input_pos); + enc(tmp2, tmp, &ctx); + krb5int_c_iov_put_block(data, num_data, tmp2, BLOCK_SIZE, &output_pos); + } else if (nblocks > 1) { unsigned char blockN2[BLOCK_SIZE]; /* second last */ unsigned char blockN1[BLOCK_SIZE]; /* last block */ - struct iov_block_state input_pos, output_pos; - - IOV_BLOCK_STATE_INIT(&input_pos); - IOV_BLOCK_STATE_INIT(&output_pos); for (blockno = 0; blockno < nblocks - 2; blockno++) { unsigned char blockN[BLOCK_SIZE], *block; @@ -372,8 +251,8 @@ krb5int_aes_decrypt_iov(krb5_key key, } static krb5_error_code -krb5int_aes_init_state (const krb5_keyblock *key, krb5_keyusage usage, - krb5_data *state) +aes_init_state(const krb5_keyblock *key, krb5_keyusage usage, + krb5_data *state) { state->length = 16; state->data = malloc(16); 
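Review bot: In krb5int_aes_decrypt the new single-block branch (`if (nblocks == 1)` in hunk `@@ -308,17 +187,17 @@`) calls `enc(tmp2, tmp, &ctx);`, which looks copied from the encrypt function; the non-IOV decrypt removed by this commit used `dec(odata, idata, &ctx);` at this point. As written, a one-block ciphertext is passed through the encryption primitive, so it would not decrypt back to the plaintext, and any integrity check layered above would then reject valid single-block input. The line should read `dec(tmp2, tmp, &ctx);`. The key setup for `ctx` is outside the hunk, so confirm that it still uses the decryption schedule as the removed code did with aes_dec_key.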
@@ -389,10 +268,8 @@ const struct krb5_enc_provider krb5int_enc_aes128 = { krb5int_aes_encrypt, krb5int_aes_decrypt, krb5int_aes_make_key, - krb5int_aes_init_state, + aes_init_state, krb5int_default_free_state, - krb5int_aes_encrypt_iov, - krb5int_aes_decrypt_iov }; const struct krb5_enc_provider krb5int_enc_aes256 = { @@ -401,8 +278,6 @@ const struct krb5_enc_provider krb5int_enc_aes256 = { krb5int_aes_encrypt, krb5int_aes_decrypt, krb5int_aes_make_key, - krb5int_aes_init_state, - krb5int_default_free_state, - krb5int_aes_encrypt_iov, - krb5int_aes_decrypt_iov + aes_init_state, + krb5int_default_free_state }; diff --git a/src/lib/crypto/builtin/enc_provider/deps b/src/lib/crypto/builtin/enc_provider/deps index ec82b80db..deeb86454 100644 --- a/src/lib/crypto/builtin/enc_provider/deps +++ b/src/lib/crypto/builtin/enc_provider/deps 
@@ -4,48 +4,52 @@ des.so des.po $(OUTPRE)des.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \ - $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/rand2key/rand2key.h \ - $(srcdir)/../des/des_int.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ - $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h des.c enc_provider.h + $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/etypes.h \ + $(srcdir)/../../krb/rand2key/rand2key.h $(srcdir)/../des/des_int.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + des.c enc_provider.h des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \ - $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/rand2key/rand2key.h \ - $(srcdir)/../des/des_int.h $(top_srcdir)/include/k5-buf.h \ + $(srcdir)/../../krb/cksumtypes.h 
$(srcdir)/../../krb/etypes.h \ + $(srcdir)/../../krb/rand2key/rand2key.h $(srcdir)/../des/des_int.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + des3.c +aes.so aes.po $(OUTPRE)aes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \ + $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/etypes.h \ + $(srcdir)/../../krb/rand2key/rand2key.h $(srcdir)/../aes/aes.h \ + $(srcdir)/../aes/uitypes.h $(top_srcdir)/include/k5-buf.h \ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h des3.c -aes.so aes.po $(OUTPRE)aes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(top_srcdir)/include/socket-utils.h aes.c enc_provider.h +rc4.so rc4.po $(OUTPRE)rc4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \ - $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/rand2key/rand2key.h \ - $(srcdir)/../aes/aes.h 
$(srcdir)/../aes/uitypes.h $(top_srcdir)/include/k5-buf.h \ + $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/etypes.h \ + $(srcdir)/../../krb/rand2key/rand2key.h $(top_srcdir)/include/k5-buf.h \ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h aes.c enc_provider.h -rc4.so rc4.po $(OUTPRE)rc4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \ - $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/rand2key/rand2key.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - enc_provider.h rc4.c + $(top_srcdir)/include/socket-utils.h enc_provider.h \ + rc4.c diff --git a/src/lib/crypto/builtin/enc_provider/des.c b/src/lib/crypto/builtin/enc_provider/des.c index e268a20f8..d63172778 100644 --- a/src/lib/crypto/builtin/enc_provider/des.c +++ b/src/lib/crypto/builtin/enc_provider/des.c 
@@ -33,65 +33,13 @@ static krb5_error_code -k5_des_docrypt(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output, int enc) -{ - mit_des_key_schedule schedule; - - /* key->keyblock.enctype was checked by the caller */ - - if (key->keyblock.length != 8) - return(KRB5_BAD_KEYSIZE); - if ((input->length%8) != 0) - return(KRB5_BAD_MSIZE); - if (ivec && (ivec->length != 8)) - return(KRB5_BAD_MSIZE); - if (input->length != output->length) - return(KRB5_BAD_MSIZE); - - switch (mit_des_key_sched(key->keyblock.contents, schedule)) { - case -1: - return(KRB5DES_BAD_KEYPAR); - case -2: - return(KRB5DES_WEAK_KEY); - } - - /* this has a return value, but the code always returns zero */ - - mit_des_cbc_encrypt((krb5_pointer) input->data, - (krb5_pointer) output->data, input->length, - schedule, - (ivec - ? (const unsigned char *) ivec->data - : (const unsigned char *) mit_des_zeroblock), - enc); - - memset(schedule, 0, sizeof(schedule)); - - return(0); -} - -static krb5_error_code -k5_des_encrypt(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) -{ - return(k5_des_docrypt(key, ivec, input, output, 1)); -} - -static krb5_error_code -k5_des_decrypt(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) -{ - return(k5_des_docrypt(key, ivec, input, output, 0)); -} - -static krb5_error_code -k5_des_docrypt_iov(krb5_key key, const krb5_data *ivec, - krb5_crypto_iov *data, size_t num_data, int enc) +k5_des_docrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data, int enc) { mit_des_key_schedule schedule; size_t input_length = 0; unsigned int i; + unsigned char *ivecbytes; /* key->keyblock.enctype was checked by the caller */ 
@@ -118,10 +66,11 @@ k5_des_docrypt_iov(krb5_key key, const krb5_data *ivec, } /* this has a return value, but the code always returns zero */ + ivecbytes = ivec ? (unsigned char *) ivec->data : NULL; if (enc) - krb5int_des_cbc_encrypt_iov(data, num_data, schedule, ivec ? ivec->data : NULL); + krb5int_des_cbc_encrypt(data, num_data, schedule, ivecbytes); else - krb5int_des_cbc_decrypt_iov(data, num_data, schedule, ivec ? ivec->data : NULL); + krb5int_des_cbc_decrypt(data, num_data, schedule, ivecbytes); memset(schedule, 0, sizeof(schedule)); @@ -129,21 +78,17 @@ k5_des_docrypt_iov(krb5_key key, const krb5_data *ivec, } static krb5_error_code -k5_des_encrypt_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +k5_des_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data) { - return k5_des_docrypt_iov(key, ivec, data, num_data, 1); + return k5_des_docrypt(key, ivec, data, num_data, 1); } static krb5_error_code -k5_des_decrypt_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +k5_des_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data) { - return k5_des_docrypt_iov(key, ivec, data, num_data, 0); + return k5_des_docrypt(key, ivec, data, num_data, 0); } const struct krb5_enc_provider krb5int_enc_des = { @@ -153,7 +98,5 @@ const struct krb5_enc_provider krb5int_enc_des = { k5_des_decrypt, krb5int_des_make_key, krb5int_des_init_state, - krb5int_default_free_state, - k5_des_encrypt_iov, - k5_des_decrypt_iov + krb5int_default_free_state }; diff --git a/src/lib/crypto/builtin/enc_provider/des3.c b/src/lib/crypto/builtin/enc_provider/des3.c index c4ea3b20f..e41773b82 100644 --- a/src/lib/crypto/builtin/enc_provider/des3.c +++ b/src/lib/crypto/builtin/enc_provider/des3.c 
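Review bot: The DES key schedule in k5_des_docrypt is still wiped with `memset(schedule, 0, sizeof(schedule));` right before the return (context line in hunk `@@ -118,10 +66,11 @@`), a store the compiler may drop because `schedule` is never read afterwards. des3.c in this same commit clears its schedule with `zap(schedule, sizeof(schedule));`. Since this function is being consolidated anyway, switching the line to `zap(schedule, sizeof(schedule));` keeps both providers on the project's one zeroization helper. Whether zap itself resists dead-store elimination is not visible on this page and is worth confirming. The function starts outside this hunk.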
@@ -88,54 +88,8 @@ validate_and_schedule_iov(krb5_key key, const krb5_data *ivec, } static krb5_error_code -k5_des3_encrypt(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) -{ - mit_des3_key_schedule schedule; - krb5_error_code err; - - err = validate_and_schedule(key, ivec, input, output, &schedule); - if (err) - return err; - - /* this has a return value, but the code always returns zero */ - krb5int_des3_cbc_encrypt((krb5_pointer) input->data, - (krb5_pointer) output->data, input->length, - schedule[0], schedule[1], schedule[2], - ivec?(const unsigned char *) ivec->data:(const unsigned char *)mit_des_zeroblock); - - zap(schedule, sizeof(schedule)); - - return(0); -} - -static krb5_error_code -k5_des3_decrypt(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) -{ - mit_des3_key_schedule schedule; - krb5_error_code err; - - err = validate_and_schedule(key, ivec, input, output, &schedule); - if (err) - return err; - - /* this has a return value, but the code always returns zero */ - krb5int_des3_cbc_decrypt((krb5_pointer) input->data, - (krb5_pointer) output->data, input->length, - schedule[0], schedule[1], schedule[2], - ivec?(const unsigned char *) ivec->data:(const unsigned char *)mit_des_zeroblock); - - zap(schedule, sizeof(schedule)); - - return(0); -} - -static krb5_error_code -k5_des3_encrypt_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +k5_des3_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data) { mit_des3_key_schedule schedule; krb5_error_code err; 
@@ -145,9 +99,10 @@ k5_des3_encrypt_iov(krb5_key key, return err; /* this has a return value, but the code always returns zero */ - krb5int_des3_cbc_encrypt_iov(data, num_data, - schedule[0], schedule[1], schedule[2], - ivec != NULL ? (unsigned char *) ivec->data : NULL); + krb5int_des3_cbc_encrypt(data, num_data, + schedule[0], schedule[1], schedule[2], + ivec != NULL ? (unsigned char *) ivec->data : + NULL); zap(schedule, sizeof(schedule)); @@ -155,10 +110,8 @@ k5_des3_encrypt_iov(krb5_key key, } static krb5_error_code -k5_des3_decrypt_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +k5_des3_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data) { mit_des3_key_schedule schedule; krb5_error_code err; @@ -168,13 +121,14 @@ k5_des3_decrypt_iov(krb5_key key, return err; /* this has a return value, but the code always returns zero */ - krb5int_des3_cbc_decrypt_iov(data, num_data, - schedule[0], schedule[1], schedule[2], - ivec != NULL ? (unsigned char *) ivec->data : NULL); + krb5int_des3_cbc_decrypt(data, num_data, + schedule[0], schedule[1], schedule[2], + ivec != NULL ? (unsigned char *) ivec->data : + NULL); zap(schedule, sizeof(schedule)); - return(0); + return 0; } const struct krb5_enc_provider krb5int_enc_des3 = { @@ -184,7 +138,5 @@ const struct krb5_enc_provider krb5int_enc_des3 = { k5_des3_decrypt, krb5int_des3_make_key, krb5int_des_init_state, - krb5int_default_free_state, - k5_des3_encrypt_iov, - k5_des3_decrypt_iov + krb5int_default_free_state }; diff --git a/src/lib/crypto/builtin/enc_provider/rc4.c b/src/lib/crypto/builtin/enc_provider/rc4.c index ae4a004a1..d024e4a96 100644 --- a/src/lib/crypto/builtin/enc_provider/rc4.c +++ b/src/lib/crypto/builtin/enc_provider/rc4.c 
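Review bot: The comment `/* this has a return value, but the code always returns zero */` kept above the calls in k5_des3_encrypt and k5_des3_decrypt no longer matches the code. krb5int_des3_cbc_encrypt and krb5int_des3_cbc_decrypt are declared `void` in the prototype hunk at the top of this page. I would replace it with `/* CBC-process the IOVs in place; a NULL ivec is passed through to the callee. */`. The same stale comment sits above the krb5int_des_cbc_encrypt and krb5int_des_cbc_decrypt calls in des.c. Both function bodies begin outside their hunks.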
@@ -39,11 +39,6 @@ static krb5_error_code k5_arcfour_init(ArcfourContext *ctx, const unsigned char static void k5_arcfour_crypt(ArcfourContext *ctx, unsigned char *dest, const unsigned char *src, unsigned int len); -/* Interface layer to kerb5 crypto layer */ -static krb5_error_code -k5_arcfour_docrypt(krb5_key, const krb5_data *, - const krb5_data *, krb5_data *); - static const unsigned char arcfour_weakkey1[] = {0x00, 0x00, 0xfd}; static const unsigned char arcfour_weakkey2[] = {0x03, 0xfd, 0xfc}; static const struct { 
@@ -123,58 +118,9 @@ k5_arcfour_init(ArcfourContext *ctx, const unsigned char *key, } -/* The workhorse of the arcfour system, this impliments the cipher */ -static krb5_error_code -k5_arcfour_docrypt(krb5_key key, const krb5_data *state, - const krb5_data *input, krb5_data *output) -{ - ArcfourContext *arcfour_ctx; - ArcFourCipherState *cipher_state; - int ret; - - if (key->keyblock.length != 16) - return(KRB5_BAD_KEYSIZE); - if (state && (state->length != sizeof (ArcFourCipherState))) - return(KRB5_BAD_MSIZE); - if (input->length != output->length) - return(KRB5_BAD_MSIZE); - - if (state) { - cipher_state = (ArcFourCipherState *) state->data; - arcfour_ctx=&cipher_state->ctx; - if (cipher_state->initialized == 0) { - if ((ret=k5_arcfour_init(arcfour_ctx, key->keyblock.contents, - key->keyblock.length))) { - return ret; - } - cipher_state->initialized = 1; - } - k5_arcfour_crypt(arcfour_ctx, (unsigned char *) output->data, (const unsigned char *) input->data, input->length); - } - else { - arcfour_ctx=malloc(sizeof (ArcfourContext)); - if (arcfour_ctx == NULL) - return ENOMEM; - if ((ret=k5_arcfour_init(arcfour_ctx, key->keyblock.contents, - key->keyblock.length))) { - free(arcfour_ctx); - return (ret); - } - k5_arcfour_crypt(arcfour_ctx, (unsigned char * ) output->data, - (const unsigned char * ) input->data, input->length); - memset(arcfour_ctx, 0, sizeof (ArcfourContext)); - free(arcfour_ctx); - } - - return 0; -} - -/* In-place encryption */ static krb5_error_code -k5_arcfour_docrypt_iov(krb5_key key, - const krb5_data *state, - krb5_crypto_iov *data, - size_t num_data) +k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data, + size_t num_data) { ArcfourContext *arcfour_ctx = NULL; ArcFourCipherState *cipher_state = NULL; 
@@ -262,7 +208,5 @@ const struct krb5_enc_provider krb5int_enc_arcfour = { k5_arcfour_docrypt, krb5int_arcfour_make_key, k5_arcfour_init_state, /*xxx not implemented yet*/ - krb5int_default_free_state, - k5_arcfour_docrypt_iov, - k5_arcfour_docrypt_iov + krb5int_default_free_state }; diff --git a/src/lib/crypto/crypto_tests/aes-test.c b/src/lib/crypto/crypto_tests/aes-test.c index e8f7cfb9c..714d08e2e 100644 --- a/src/lib/crypto/crypto_tests/aes-test.c +++ b/src/lib/crypto/crypto_tests/aes-test.c @@ -37,25 +37,24 @@ static char plain[16], cipher[16], zero[16]; static krb5_keyblock enc_key; static krb5_data ivec; -static krb5_data in, out; static void init() { enc_key.contents = key; enc_key.length = 16; ivec.data = zero; ivec.length = 16; - in.data = plain; - in.length = 16; - out.data = cipher; - out.length = 16; } static void enc() { - krb5_key key; + krb5_key k; + krb5_crypto_iov iov; - krb5_k_create_key(NULL, &enc_key, &key); - krb5int_aes_encrypt(key, &ivec, &in, &out); - krb5_k_free_key(NULL, key); + memcpy(cipher, plain, 16); + iov.flags = KRB5_CRYPTO_TYPE_DATA; + iov.data = make_data(cipher, 16); + krb5_k_create_key(NULL, &enc_key, &k); + krb5int_aes_encrypt(k, &ivec, &iov, 1); + krb5_k_free_key(NULL, k); } static void hexdump(const char *label, const char *cp, int len) diff --git a/src/lib/crypto/crypto_tests/t_cts.c b/src/lib/crypto/crypto_tests/t_cts.c index 4a908cce8..9b1c27150 100644 --- a/src/lib/crypto/crypto_tests/t_cts.c +++ b/src/lib/crypto/crypto_tests/t_cts.c 
@@ -117,15 +117,16 @@ static void test_cts() static const int lengths[] = { 17, 31, 32, 47, 48, 64 }; int i; - char outbuf[64], encivbuf[16], decivbuf[16], outbuf2[64]; - krb5_data in, out, enciv, deciv, out2; + char outbuf[64], encivbuf[16], decivbuf[16]; + krb5_crypto_iov iov; + krb5_data in, enciv, deciv; krb5_keyblock keyblock; krb5_key key; krb5_error_code err; + iov.flags = KRB5_CRYPTO_TYPE_DATA; + iov.data.data = outbuf; in.data = input; - out.data = outbuf; - out2.data = outbuf2; enciv.length = deciv.length = 16; enciv.data = encivbuf; deciv.data = decivbuf; @@ -145,24 +146,24 @@ static void test_cts() memset(deciv.data, 0, 16); printf("\n"); - in.length = out.length = lengths[i]; + iov.data.length = in.length = lengths[i]; + memcpy(outbuf, input, lengths[i]); printd("IV", &enciv); - err = krb5int_aes_encrypt(key, &enciv, &in, &out); + err = krb5int_aes_encrypt(key, &enciv, &iov, 1); if (err) { printf("error %ld from krb5int_aes_encrypt\n", (long)err); exit(1); } printd("Input", &in); - printd("Output", &out); + printd("Output", &iov.data); printd("Next IV", &enciv); - out2.length = out.length; - err = krb5int_aes_decrypt(key, &deciv, &out, &out2); + err = krb5int_aes_decrypt(key, &deciv, &iov, 1); if (err) { printf("error %ld from krb5int_aes_decrypt\n", (long)err); exit(1); } - if (!data_eq(out2, in)) { - printd("Decryption result DOESN'T MATCH", &out2); + if (memcmp(outbuf, input, lengths[i]) != 0) { + printd("Decryption result DOESN'T MATCH", &iov.data); exit(1); } if (memcmp(enciv.data, deciv.data, 16)) { diff --git a/src/lib/crypto/krb/aead.c b/src/lib/crypto/krb/aead.c index 646c73cb6..539dd3f4e 100644 --- a/src/lib/crypto/krb/aead.c +++ b/src/lib/crypto/krb/aead.c @@ -32,8 +32,7 @@ #include "aead.h" krb5_crypto_iov * -krb5int_c_locate_iov(krb5_crypto_iov *data, - size_t num_data, +krb5int_c_locate_iov(krb5_crypto_iov *data, size_t num_data, krb5_cryptotype type) { size_t i; 
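Review bot: `lengths[]` in test_cts still starts at 17, so the round trip never reaches the `nblocks == 1` branch that this commit adds to krb5int_aes_encrypt and krb5int_aes_decrypt. Adding a one-block case, `static const int lengths[] = { 16, 17, 31, 32, 47, 48, 64 };`, would exercise it through the existing `memcmp(outbuf, input, lengths[i])` check. If the program's output is compared against a stored reference, that file needs the extra case as well. The IV comparison after the round trip may also need a look for the single-block path, whose IV handling is not visible here. test_cts continues outside this hunk.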
@@ -337,17 +336,12 @@ krb5int_c_iov_put_block(const krb5_crypto_iov *data, } krb5_error_code -krb5int_c_iov_decrypt_stream(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, - krb5_keyusage keyusage, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +krb5int_c_iov_decrypt_stream(const struct krb5_keytypes *ktp, krb5_key key, + krb5_keyusage keyusage, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data) { krb5_error_code ret; - unsigned int header_len, trailer_len, padding_len; + unsigned int header_len, trailer_len; krb5_crypto_iov *iov; krb5_crypto_iov *stream; size_t i, j; @@ -356,20 +350,8 @@ krb5int_c_iov_decrypt_stream(const struct krb5_aead_provider *aead, stream = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_STREAM); assert(stream != NULL); - ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_HEADER, - &header_len); - if (ret != 0) - return ret; - - ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER, - &trailer_len); - if (ret != 0) - return ret; - - ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING, - &padding_len); - if (ret != 0) - return ret; + header_len = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_HEADER); + trailer_len = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_TRAILER); if (stream->data.length < header_len + trailer_len) return KRB5_BAD_MSIZE; @@ -381,8 +363,7 @@ krb5int_c_iov_decrypt_stream(const struct krb5_aead_provider *aead, i = 0; iov[i].flags = KRB5_CRYPTO_TYPE_HEADER; /* takes place of STREAM */ - iov[i].data.data = stream->data.data; - iov[i].data.length = header_len; + iov[i].data = make_data(stream->data.data, header_len); i++; for (j = 0; j < num_data; j++) { 
@@ -403,38 +384,27 @@ krb5int_c_iov_decrypt_stream(const struct krb5_aead_provider *aead, iov[i++] = data[j]; } - /* - * XXX not self-describing with respect to length, this is the best - * we can do. - */ + /* Use empty padding since tokens don't indicate the padding length. */ iov[i].flags = KRB5_CRYPTO_TYPE_PADDING; - iov[i].data.data = NULL; - iov[i].data.length = 0; + iov[i].data = empty_data(); i++; iov[i].flags = KRB5_CRYPTO_TYPE_TRAILER; - iov[i].data.data = stream->data.data + stream->data.length - trailer_len; - iov[i].data.length = trailer_len; + iov[i].data = make_data(stream->data.data + stream->data.length - + trailer_len, trailer_len); i++; assert(i <= num_data + 2); - ret = (*aead->decrypt_iov)(aead, enc, hash, key, keyusage, ivec, iov, i); - + ret = ktp->decrypt(ktp, key, keyusage, ivec, iov, i); free(iov); - return ret; } -krb5_error_code -krb5int_c_padding_length(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - size_t data_length, - unsigned int *pad_length) +unsigned int +krb5int_c_padding_length(const struct krb5_keytypes *ktp, size_t data_length) { unsigned int header, padding; - krb5_error_code ret; /* * Add in the header length since the header is encrypted along with the 
@@ -443,163 +413,12 @@ krb5int_c_padding_length(const struct krb5_aead_provider *aead, * enctype using a similar token format and a block cipher, we will have to * move this logic into an enctype-dependent function.) */ - ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_HEADER, - &header); - if (ret != 0) - return ret; + header = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_HEADER); data_length += header; - ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING, - &padding); - if (ret != 0) - return ret; - + padding = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_PADDING); if (padding == 0 || (data_length % padding) == 0) - *pad_length = 0; - else - *pad_length = padding - (data_length % padding); - - return 0; -} - -krb5_error_code -krb5int_c_encrypt_aead_compat(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, const krb5_data *input, - krb5_data *output) -{ - krb5_crypto_iov iov[4]; - krb5_error_code ret; - unsigned int header_len = 0; - unsigned int padding_len = 0; - unsigned int trailer_len = 0; - - ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_HEADER, - &header_len); - if (ret != 0) - return ret; - - ret = krb5int_c_padding_length(aead, enc, hash, input->length, - &padding_len); - if (ret != 0) - return ret; - - ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER, - &trailer_len); - if (ret != 0) - return ret; - - if (output->length < - header_len + input->length + padding_len + trailer_len) - return KRB5_BAD_MSIZE; - - iov[0].flags = KRB5_CRYPTO_TYPE_HEADER; - iov[0].data.data = output->data; - iov[0].data.length = header_len; - - iov[1].flags = KRB5_CRYPTO_TYPE_DATA; - iov[1].data.data = iov[0].data.data + iov[0].data.length; - iov[1].data.length = input->length; - memcpy(iov[1].data.data, input->data, input->length); - - iov[2].flags = KRB5_CRYPTO_TYPE_PADDING; - 
iov[2].data.data = iov[1].data.data + iov[1].data.length; - iov[2].data.length = padding_len; - - iov[3].flags = KRB5_CRYPTO_TYPE_TRAILER; - iov[3].data.data = iov[2].data.data + iov[2].data.length; - iov[3].data.length = trailer_len; - - ret = (*aead->encrypt_iov)(aead, enc, hash, key, usage, ivec, - iov, sizeof(iov) / sizeof(iov[0])); - - if (ret != 0) - zap(iov[1].data.data, iov[1].data.length); - - output->length = iov[0].data.length + iov[1].data.length + - iov[2].data.length + iov[3].data.length; - - return ret; -} - -krb5_error_code -krb5int_c_decrypt_aead_compat(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, const krb5_data *input, - krb5_data *output) -{ - krb5_crypto_iov iov[4]; - krb5_error_code ret; - unsigned int header_len = 0, trailer_len = 0, plain_len; - char *scratch = NULL; - - ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_HEADER, - &header_len); - if (ret != 0) - return ret; - - ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER, - &trailer_len); - if (ret != 0) - return ret; - - if (input->length < header_len + trailer_len) - return KRB5_BAD_MSIZE; - plain_len = input->length - header_len - trailer_len; - if (output->length < input->length - header_len - trailer_len) - return KRB5_BAD_MSIZE; - - scratch = k5alloc(header_len + trailer_len, &ret); - if (scratch == NULL) - return ret; - - iov[0].flags = KRB5_CRYPTO_TYPE_HEADER; - iov[0].data = make_data(scratch, header_len); - memcpy(iov[0].data.data, input->data, header_len); - - iov[1].flags = KRB5_CRYPTO_TYPE_DATA; - iov[1].data = make_data(output->data, plain_len); - memcpy(iov[1].data.data, input->data + header_len, plain_len); - - /* Use empty padding since tokens don't indicate the padding length. 
*/ - iov[2].flags = KRB5_CRYPTO_TYPE_PADDING; - iov[2].data = empty_data(); - - iov[3].flags = KRB5_CRYPTO_TYPE_TRAILER; - iov[3].data = make_data(scratch + header_len, trailer_len); - memcpy(iov[3].data.data, input->data + header_len + plain_len, - trailer_len); - - ret = (*aead->decrypt_iov)(aead, enc, hash, key, usage, ivec, - iov, sizeof(iov) / sizeof(iov[0])); - if (ret != 0) - zap(output->data, plain_len); + return 0; else - output->length = plain_len; - - zapfree(scratch, header_len + trailer_len); - return ret; -} - -void -krb5int_c_encrypt_length_aead_compat(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - size_t inputlen, size_t *length) -{ - unsigned int header_len = 0; - unsigned int padding_len = 0; - unsigned int trailer_len = 0; - - (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_HEADER, - &header_len); - krb5int_c_padding_length(aead, enc, hash, inputlen, &padding_len); - (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER, - &trailer_len); - - *length = header_len + inputlen + padding_len + trailer_len; + return padding - (data_length % padding); } diff --git a/src/lib/crypto/krb/aead.h b/src/lib/crypto/krb/aead.h index cc1e66a55..33ed2fd91 100644 --- a/src/lib/crypto/krb/aead.h +++ b/src/lib/crypto/krb/aead.h @@ -27,6 +27,7 @@ #include "k5-int.h" #include "cksumtypes.h" +#include "etypes.h" /* AEAD helpers */ 
@@ -90,43 +91,12 @@ krb5int_c_iov_put_block(const krb5_crypto_iov *data, struct iov_block_state *iov_state); krb5_error_code -krb5int_c_iov_decrypt_stream(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, - krb5_keyusage keyusage, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data); +krb5int_c_iov_decrypt_stream(const struct krb5_keytypes *ktp, krb5_key key, + krb5_keyusage keyusage, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data); -krb5_error_code -krb5int_c_decrypt_aead_compat(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, const krb5_data *input, - krb5_data *output); - -krb5_error_code -krb5int_c_encrypt_aead_compat(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, const krb5_data *input, - krb5_data *output); - -void -krb5int_c_encrypt_length_aead_compat(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - size_t inputlen, size_t *length); - -krb5_error_code -krb5int_c_padding_length(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - size_t data_length, - unsigned int *pad_length); +unsigned int +krb5int_c_padding_length(const struct krb5_keytypes *ktp, size_t data_length); /* * Returns an alias into the current buffer if the next block is fully diff --git a/src/lib/crypto/krb/arcfour/arcfour.c b/src/lib/crypto/krb/arcfour/arcfour.c index eb80124e4..c8b478fe5 100644 --- a/src/lib/crypto/krb/arcfour/arcfour.c +++ b/src/lib/crypto/krb/arcfour/arcfour.c 
@@ -13,15 +13,6 @@ const char l40[] = "fortybits"; -void -krb5int_arcfour_encrypt_length(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - size_t inputlen, size_t *length) -{ - /* checksum + (confounder + inputlen, in even blocksize) */ - *length = hash->hashsize + krb5_roundup(8 + inputlen, enc->block_size); -} - krb5_keyusage krb5int_arcfour_translate_usage(krb5_keyusage usage) { 
@@ -93,173 +84,3 @@ krb5int_arcfour_enc_key(const struct krb5_enc_provider *enc, krb5int_c_free_keyblock(NULL, trunc_keyblock); return ret; } - -krb5_error_code -krb5int_arcfour_encrypt(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, const krb5_data *input, - krb5_data *output) -{ - krb5_keyblock *usage_keyblock = NULL, *enc_keyblock = NULL; - krb5_key enc_key; - krb5_data plaintext = empty_data(); - krb5_data checksum, ciphertext, confounder; - krb5_error_code ret; - unsigned int plainlen; - - /* Allocate buffers. */ - plainlen = krb5_roundup(input->length + CONFOUNDERLENGTH, enc->block_size); - ret = alloc_data(&plaintext, plainlen); - if (ret != 0) - goto cleanup; - ret = krb5int_c_init_keyblock(NULL, key->keyblock.enctype, enc->keybytes, - &usage_keyblock); - if (ret != 0) - goto cleanup; - ret = krb5int_c_init_keyblock(NULL, key->keyblock.enctype, enc->keybytes, - &enc_keyblock); - if (ret != 0) - goto cleanup; - - /* Set up subsets of output and plaintext. */ - checksum = make_data(output->data, hash->hashsize); - ciphertext = make_data(output->data + hash->hashsize, plainlen); - confounder = make_data(plaintext.data, CONFOUNDERLENGTH); - - /* Derive a usage key from the session key and usage. */ - ret = krb5int_arcfour_usage_key(enc, hash, &key->keyblock, usage, - usage_keyblock); - if (ret != 0) - goto cleanup; - - /* Compose a confounder with the input data to form the plaintext. */ - ret = krb5_c_random_make_octets(NULL, &confounder); - memcpy(plaintext.data + confounder.length, input->data, input->length); - if (ret) - goto cleanup; - - /* Compute HMAC(usage key, plaintext) to get the checksum. */ - ret = krb5int_hmac_keyblock(hash, usage_keyblock, 1, &plaintext, - &checksum); - if (ret) - goto cleanup; - - /* Derive the encryption key from the usage key and checksum. 
*/ - ret = krb5int_arcfour_enc_key(enc, hash, usage_keyblock, &checksum, - enc_keyblock); - if (ret) - goto cleanup; - - /* Encrypt the plaintext. */ - ret = krb5_k_create_key(NULL, enc_keyblock, &enc_key); - if (ret) - goto cleanup; - ret = (*enc->encrypt)(enc_key, ivec, &plaintext, &ciphertext); - krb5_k_free_key(NULL, enc_key); - if (ret) - goto cleanup; - - output->length = plainlen + hash->hashsize; - -cleanup: - krb5int_c_free_keyblock(NULL, usage_keyblock); - krb5int_c_free_keyblock(NULL, enc_keyblock); - zapfree(plaintext.data, plaintext.length); - return ret; -} - -krb5_error_code -krb5int_arcfour_decrypt(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, const krb5_data *input, - krb5_data *output) -{ - krb5_keyblock *usage_keyblock = NULL, *enc_keyblock = NULL; - krb5_data plaintext = empty_data(), comp_checksum = empty_data(); - krb5_data checksum, ciphertext; - krb5_key enc_key; - krb5_error_code ret; - - /* Set up subsets of input. */ - checksum = make_data(input->data, hash->hashsize); - ciphertext = make_data(input->data + hash->hashsize, - input->length - hash->hashsize); - - /* Allocate buffers. */ - ret = alloc_data(&plaintext, ciphertext.length); - if (ret != 0) - goto cleanup; - ret = alloc_data(&comp_checksum, hash->hashsize); - if (ret != 0) - goto cleanup; - ret = krb5int_c_init_keyblock(NULL, key->keyblock.enctype, enc->keybytes, - &usage_keyblock); - if (ret != 0) - goto cleanup; - ret = krb5int_c_init_keyblock(NULL, key->keyblock.enctype, enc->keybytes, - &enc_keyblock); - if (ret != 0) - goto cleanup; - - /* We may have to try two usage values; see below. */ - do { - /* Derive a usage key from the session key and usage. */ - ret = krb5int_arcfour_usage_key(enc, hash, &key->keyblock, usage, - usage_keyblock); - if (ret != 0) - goto cleanup; - - /* Derive the encryption key from the usage key and checksum. 
*/ - ret = krb5int_arcfour_enc_key(enc, hash, usage_keyblock, &checksum, - enc_keyblock); - if (ret) - goto cleanup; - - /* Decrypt the ciphertext. */ - ret = krb5_k_create_key(NULL, enc_keyblock, &enc_key); - if (ret) - goto cleanup; - ret = (*enc->decrypt)(enc_key, ivec, &ciphertext, &plaintext); - krb5_k_free_key(NULL, enc_key); - if (ret) - goto cleanup; - - /* Compute HMAC(usage key, plaintext) to get the checksum. */ - ret = krb5int_hmac_keyblock(hash, usage_keyblock, 1, &plaintext, - &comp_checksum); - if (ret) - goto cleanup; - - if (memcmp(checksum.data, comp_checksum.data, hash->hashsize) != 0) { - if (usage == 9) { - /* - * RFC 4757 specifies usage 8 for TGS-REP encrypted - * parts encrypted in a subkey, but the value used by MS - * is actually 9. We now use 9 to start with, but fall - * back to 8 on failure in case we are communicating - * with a KDC using the value from the RFC. - */ - usage = 8; - continue; - } - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; - goto cleanup; - } - - break; - } while (1); - - /* Remove the confounder from the plaintext to get the output. */ - memcpy(output->data, plaintext.data + CONFOUNDERLENGTH, - plaintext.length - CONFOUNDERLENGTH); - output->length = plaintext.length - CONFOUNDERLENGTH; - -cleanup: - krb5int_c_free_keyblock(NULL, usage_keyblock); - krb5int_c_free_keyblock(NULL, enc_keyblock); - zapfree(plaintext.data, plaintext.length); - zapfree(comp_checksum.data, comp_checksum.length); - return ret; -} diff --git a/src/lib/crypto/krb/arcfour/arcfour.h b/src/lib/crypto/krb/arcfour/arcfour.h index 64193381c..7ec0d77b9 100644 --- a/src/lib/crypto/krb/arcfour/arcfour.h +++ b/src/lib/crypto/krb/arcfour/arcfour.h 
@@ -2,39 +2,30 @@ #ifndef ARCFOUR_H #define ARCFOUR_H -extern void -krb5int_arcfour_encrypt_length(const struct krb5_enc_provider *, - const struct krb5_hash_provider *, - size_t, - size_t *); +#include "etypes.h" -extern krb5_error_code -krb5int_arcfour_encrypt(const struct krb5_enc_provider *, - const struct krb5_hash_provider *, - krb5_key, - krb5_keyusage, - const krb5_data *, - const krb5_data *, - krb5_data *); +unsigned int +krb5int_arcfour_crypto_length(const struct krb5_keytypes *ktp, + krb5_cryptotype type); -extern krb5_error_code -krb5int_arcfour_decrypt(const struct krb5_enc_provider *, - const struct krb5_hash_provider *, - krb5_key, - krb5_keyusage, - const krb5_data *, - const krb5_data *, - krb5_data *); +krb5_error_code +krb5int_arcfour_encrypt(const struct krb5_keytypes *ktp, krb5_key key, + krb5_keyusage usage, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data); + +krb5_error_code +krb5int_arcfour_decrypt(const struct krb5_keytypes *ktp, krb5_key key, + krb5_keyusage usage, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data); extern krb5_error_code krb5int_arcfour_string_to_key( - const struct krb5_enc_provider *, + const struct krb5_keytypes *, const krb5_data *, const krb5_data *, const krb5_data *, krb5_keyblock *); extern const struct krb5_enc_provider krb5int_enc_arcfour; -extern const struct krb5_aead_provider krb5int_aead_arcfour; #endif /* ARCFOUR_H */ diff --git a/src/lib/crypto/krb/arcfour/arcfour_aead.c b/src/lib/crypto/krb/arcfour/arcfour_aead.c index 0ad7c2776..d88623560 100644 --- a/src/lib/crypto/krb/arcfour/arcfour_aead.c +++ b/src/lib/crypto/krb/arcfour/arcfour_aead.c 
@@ -34,32 +34,23 @@ /* AEAD */ -static krb5_error_code -krb5int_arcfour_crypto_length(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_cryptotype type, - unsigned int *length) +unsigned int +krb5int_arcfour_crypto_length(const struct krb5_keytypes *ktp, + krb5_cryptotype type) { switch (type) { case KRB5_CRYPTO_TYPE_HEADER: - *length = hash->hashsize + CONFOUNDERLENGTH; - break; + return ktp->hash->hashsize + CONFOUNDERLENGTH; case KRB5_CRYPTO_TYPE_PADDING: - *length = 0; - break; case KRB5_CRYPTO_TYPE_TRAILER: - *length = 0; - break; + return 0; case KRB5_CRYPTO_TYPE_CHECKSUM: - *length = hash->hashsize; - break; + return ktp->hash->hashsize; default: - assert(0 && "invalid cryptotype passed to krb5int_arcfour_crypto_length"); - break; + assert(0 && + "invalid cryptotype passed to krb5int_arcfour_crypto_length"); + return 0; } - - return 0; } /* Encrypt or decrypt using a keyblock. */ @@ -74,21 +65,18 @@ keyblock_crypt(const struct krb5_enc_provider *enc, krb5_keyblock *keyblock, if (ret != 0) return ret; /* Works for encryption or decryption since arcfour is a stream cipher. */ - ret = enc->encrypt_iov(key, ivec, data, num_data); + ret = enc->encrypt(key, ivec, data, num_data); krb5_k_free_key(NULL, key); return ret; } -static krb5_error_code -krb5int_arcfour_encrypt_iov(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, - krb5_keyusage usage, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +krb5_error_code +krb5int_arcfour_encrypt(const struct krb5_keytypes *ktp, krb5_key key, + krb5_keyusage usage, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data) { + const struct krb5_enc_provider *enc = ktp->enc; + const struct krb5_hash_provider *hash = ktp->hash; krb5_error_code ret; krb5_crypto_iov *header, *trailer; krb5_keyblock *usage_keyblock = NULL, *enc_keyblock = NULL; 
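Review bot: The `default:` branch of `krb5int_arcfour_crypto_length` now falls through the `assert(0 && ...)` to `return 0;`, so in a build with NDEBUG an unexpected cryptotype yields length 0, the same value returned for PADDING and TRAILER. With the `krb5_error_code` return gone, a caller cannot tell a bad type from a genuine zero length, and the function is no longer `static`, so more callers can reach it. I would put the contract above the function, e.g. `/* Return the length for HEADER, PADDING, TRAILER or CHECKSUM; any other type is a caller bug and yields 0. */`. The one caller visible on this page, `krb5_c_crypto_length`, does filter the type in its own switch before calling.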
@@ -169,16 +157,13 @@ cleanup: return ret; } -static krb5_error_code -krb5int_arcfour_decrypt_iov(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, - krb5_keyusage usage, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +krb5_error_code +krb5int_arcfour_decrypt(const struct krb5_keytypes *ktp, krb5_key key, + krb5_keyusage usage, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data) { + const struct krb5_enc_provider *enc = ktp->enc; + const struct krb5_hash_provider *hash = ktp->hash; krb5_error_code ret; krb5_crypto_iov *header, *trailer; krb5_keyblock *usage_keyblock = NULL, *enc_keyblock = NULL; @@ -270,12 +255,6 @@ cleanup: return ret; } -const struct krb5_aead_provider krb5int_aead_arcfour = { - krb5int_arcfour_crypto_length, - krb5int_arcfour_encrypt_iov, - krb5int_arcfour_decrypt_iov -}; - krb5_error_code krb5int_arcfour_gsscrypt(const krb5_keyblock *keyblock, krb5_keyusage usage, const krb5_data *kd_data, krb5_crypto_iov *data, diff --git a/src/lib/crypto/krb/arcfour/arcfour_s2k.c b/src/lib/crypto/krb/arcfour/arcfour_s2k.c index dbb7f459d..b77738ebb 100644 --- a/src/lib/crypto/krb/arcfour/arcfour_s2k.c +++ b/src/lib/crypto/krb/arcfour/arcfour_s2k.c @@ -9,7 +9,7 @@ #endif krb5_error_code -krb5int_arcfour_string_to_key(const struct krb5_enc_provider *enc, +krb5int_arcfour_string_to_key(const struct krb5_keytypes *ktp, const krb5_data *string, const krb5_data *salt, const krb5_data *params, krb5_keyblock *key) { diff --git a/src/lib/crypto/krb/arcfour/deps b/src/lib/crypto/krb/arcfour/deps index d9f47fcad..e626ff825 100644 --- a/src/lib/crypto/krb/arcfour/deps +++ b/src/lib/crypto/krb/arcfour/deps 
@@ -4,19 +4,7 @@ arcfour.so arcfour.po $(OUTPRE)arcfour.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../builtin/hash_provider/hash_provider.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - arcfour-int.h arcfour.c arcfour.h -arcfour_aead.so arcfour_aead.po $(OUTPRE)arcfour_aead.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(srcdir)/../../builtin/hash_provider/hash_provider.h \ - $(srcdir)/../aead.h $(srcdir)/../cksumtypes.h $(top_srcdir)/include/k5-buf.h \ + $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ 
@@ -24,17 +12,30 @@ arcfour_aead.so arcfour_aead.po $(OUTPRE)arcfour_aead.$(OBJEXT): \ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ $(top_srcdir)/include/socket-utils.h arcfour-int.h \ - arcfour.h arcfour_aead.c -arcfour_s2k.so arcfour_s2k.po $(OUTPRE)arcfour_s2k.$(OBJEXT): \ + arcfour.c arcfour.h +arcfour_aead.so arcfour_aead.po $(OUTPRE)arcfour_aead.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(srcdir)/../../builtin/md4/rsa-md4.h \ + $(COM_ERR_DEPS) $(srcdir)/../../builtin/hash_provider/hash_provider.h \ + $(srcdir)/../aead.h $(srcdir)/../cksumtypes.h $(srcdir)/../etypes.h \ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-utf8.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ - $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h arcfour-int.h \ - arcfour.h arcfour_s2k.c + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + arcfour-int.h arcfour.h arcfour_aead.c +arcfour_s2k.so arcfour_s2k.po $(OUTPRE)arcfour_s2k.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(srcdir)/../../builtin/md4/rsa-md4.h \ + $(srcdir)/../etypes.h 
$(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-utf8.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + arcfour-int.h arcfour.h arcfour_s2k.c diff --git a/src/lib/crypto/krb/combine_keys.c b/src/lib/crypto/krb/combine_keys.c index 73247d486..b7435383b 100644 --- a/src/lib/crypto/krb/combine_keys.c +++ b/src/lib/crypto/krb/combine_keys.c 
@@ -210,70 +210,19 @@ cleanup: return ret; } -/* - * Our DR function; mostly taken from derive.c - */ - +/* Our DR function, a simple wrapper around krb5int_derive_random(). */ static krb5_error_code dr(const struct krb5_enc_provider *enc, const krb5_keyblock *inkey, unsigned char *out, const krb5_data *in_constant) { - size_t blocksize, keybytes, n; - unsigned char *inblockdata = NULL, *outblockdata = NULL; - krb5_data inblock, outblock; - krb5_error_code ret; + krb5_data outdata = make_data(out, enc->keybytes); krb5_key key = NULL; + krb5_error_code ret; - blocksize = enc->block_size; - keybytes = enc->keybytes; - - /* Allocate and set up buffers. */ - inblockdata = k5alloc(blocksize, &ret); - if (ret) - goto cleanup; - outblockdata = k5alloc(blocksize, &ret); - if (ret) - goto cleanup; ret = krb5_k_create_key(NULL, inkey, &key); - if (ret) - goto cleanup; - - inblock.data = (char *) inblockdata; - inblock.length = blocksize; - - outblock.data = (char *) outblockdata; - outblock.length = blocksize; - - /* initialize the input block */ - - if (in_constant->length == inblock.length) { - memcpy(inblock.data, in_constant->data, inblock.length); - } else { - krb5int_nfold(in_constant->length*8, (unsigned char *) in_constant->data, - inblock.length*8, (unsigned char *) inblock.data); - } - - /* loop encrypting the blocks until enough key bytes are generated */ - - n = 0; - while (n < keybytes) { - ret = (*enc->encrypt)(key, 0, &inblock, &outblock); - if (ret) - goto cleanup; - - if ((keybytes - n) <= outblock.length) { - memcpy(out + n, outblock.data, (keybytes - n)); - break; - } - - memcpy(out + n, outblock.data, outblock.length); - memcpy(inblock.data, outblock.data, outblock.length); - n += outblock.length; - } - -cleanup: - zapfree(inblockdata, blocksize); - zapfree(outblockdata, blocksize); + if (ret != 0) + return ret; + ret = krb5int_derive_random(enc, key, &outdata, in_constant); krb5_k_free_key(NULL, key); return ret; } 
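Review bot: The replacement comment on `dr()` does not say how much is written to `out`, although the new body builds `outdata = make_data(out, enc->keybytes)` and so requires the caller to supply at least `enc->keybytes` bytes. I would extend it to `/* Our DR function, a simple wrapper around krb5int_derive_random(). out must have room for enc->keybytes bytes. */`. The removed body wiped its intermediate blocks with `zapfree`; that duty presumably now sits in `krb5int_derive_random`, whose body is not in this hunk, so it is worth confirming that the consolidated copy still zeroizes them.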
diff --git a/src/lib/crypto/krb/crypto_length.c b/src/lib/crypto/krb/crypto_length.c index 3f5ef381e..91593ce74 100644 --- a/src/lib/crypto/krb/crypto_length.c +++ b/src/lib/crypto/krb/crypto_length.c @@ -34,28 +34,25 @@ krb5_c_crypto_length(krb5_context context, krb5_enctype enctype, krb5_cryptotype type, unsigned int *size) { const struct krb5_keytypes *ktp; - krb5_error_code ret; + krb5_error_code ret = 0; ktp = find_enctype(enctype); - if (ktp == NULL || ktp->aead == NULL) + if (ktp == NULL) return KRB5_BAD_ENCTYPE; switch (type) { case KRB5_CRYPTO_TYPE_EMPTY: case KRB5_CRYPTO_TYPE_SIGN_ONLY: *size = 0; - ret = 0; break; case KRB5_CRYPTO_TYPE_DATA: *size = (size_t)~0; /* match Heimdal */ - ret = 0; break; case KRB5_CRYPTO_TYPE_HEADER: case KRB5_CRYPTO_TYPE_PADDING: case KRB5_CRYPTO_TYPE_TRAILER: case KRB5_CRYPTO_TYPE_CHECKSUM: - ret = (*ktp->aead->crypto_length)(ktp->aead, ktp->enc, ktp->hash, - type, size); + *size = ktp->crypto_length(ktp, type); break; default: ret = EINVAL; @@ -72,11 +69,11 @@ krb5_c_padding_length(krb5_context context, krb5_enctype enctype, const struct krb5_keytypes *ktp; ktp = find_enctype(enctype); - if (ktp == NULL || ktp->aead == NULL) + if (ktp == NULL) return KRB5_BAD_ENCTYPE; - return krb5int_c_padding_length(ktp->aead, ktp->enc, ktp->hash, - data_length, pad_length); + *pad_length = krb5int_c_padding_length(ktp, data_length); + return 0; } krb5_error_code KRB5_CALLCONV @@ -95,7 +92,7 @@ krb5_c_crypto_length_iov(krb5_context context, krb5_enctype enctype, */ ktp = find_enctype(enctype); - if (ktp == NULL || ktp->aead == NULL) + if (ktp == NULL) return KRB5_BAD_ENCTYPE; for (i = 0; i < num_data; i++) { 
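Review bot: With the `ktp->aead == NULL` test dropped from `krb5_c_crypto_length`, `krb5_c_padding_length` and `krb5_c_crypto_length_iov`, every enctype that `find_enctype()` returns is now called through `ktp->crypto_length` unconditionally; `krb5_k_decrypt_iov` in decrypt_iov.c does the same with `ktp->decrypt`. That is safe only if every entry in the enctype table fills in these pointers, and the etypes.c part of this commit is not visible here to confirm it. I would state the invariant where `struct krb5_keytypes` is declared, e.g. `/* crypto_length and decrypt must be non-NULL for every entry. */`, so a later table addition does not turn a `KRB5_BAD_ENCTYPE` return into a null call.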
@@ -114,8 +111,7 @@ krb5_c_crypto_length_iov(krb5_context context, krb5_enctype enctype, case KRB5_CRYPTO_TYPE_HEADER: case KRB5_CRYPTO_TYPE_TRAILER: case KRB5_CRYPTO_TYPE_CHECKSUM: - ret = (*ktp->aead->crypto_length)(ktp->aead, ktp->enc, ktp->hash, - iov->flags, &iov->data.length); + iov->data.length = ktp->crypto_length(ktp, iov->flags); break; case KRB5_CRYPTO_TYPE_EMPTY: case KRB5_CRYPTO_TYPE_SIGN_ONLY: @@ -130,11 +126,7 @@ krb5_c_crypto_length_iov(krb5_context context, krb5_enctype enctype, if (ret != 0) return ret; - ret = krb5int_c_padding_length(ktp->aead, ktp->enc, ktp->hash, - data_length, &pad_length); - if (ret != 0) - return ret; - + pad_length = krb5int_c_padding_length(ktp, data_length); if (pad_length != 0 && padding == NULL) return EINVAL; diff --git a/src/lib/crypto/krb/decrypt.c b/src/lib/crypto/krb/decrypt.c index 782151846..c12c90d33 100644 --- a/src/lib/crypto/krb/decrypt.c +++ b/src/lib/crypto/krb/decrypt.c @@ -35,6 +35,10 @@ krb5_k_decrypt(krb5_context context, krb5_key key, const krb5_enc_data *input, krb5_data *output) { const struct krb5_keytypes *ktp; + krb5_crypto_iov iov[4]; + krb5_error_code ret; + unsigned int header_len, trailer_len, plain_len; + char *scratch = NULL; ktp = find_enctype(key->keyblock.enctype); if (ktp == NULL) 
@@ -43,16 +47,43 @@ krb5_k_decrypt(krb5_context context, krb5_key key, if (input->enctype != ENCTYPE_UNKNOWN && ktp->etype != input->enctype) return KRB5_BAD_ENCTYPE; - if (ktp->decrypt == NULL) { - assert(ktp->aead != NULL); + /* Verify the input and output lengths. */ + header_len = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_HEADER); + trailer_len = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_TRAILER); + if (input->ciphertext.length < header_len + trailer_len) + return KRB5_BAD_MSIZE; + plain_len = input->ciphertext.length - header_len - trailer_len; + if (output->length < plain_len) + return KRB5_BAD_MSIZE; + + scratch = k5alloc(header_len + trailer_len, &ret); + if (scratch == NULL) + return ret; + + iov[0].flags = KRB5_CRYPTO_TYPE_HEADER; + iov[0].data = make_data(scratch, header_len); + memcpy(iov[0].data.data, input->ciphertext.data, header_len); - return krb5int_c_decrypt_aead_compat(ktp->aead, ktp->enc, ktp->hash, - key, usage, ivec, - &input->ciphertext, output); - } + iov[1].flags = KRB5_CRYPTO_TYPE_DATA; + iov[1].data = make_data(output->data, plain_len); + memcpy(iov[1].data.data, input->ciphertext.data + header_len, plain_len); - return (*ktp->decrypt)(ktp->enc, ktp->hash, key, usage, ivec, - &input->ciphertext, output); + /* Use empty padding since tokens don't indicate the padding length. */ + iov[2].flags = KRB5_CRYPTO_TYPE_PADDING; + iov[2].data = empty_data(); + + iov[3].flags = KRB5_CRYPTO_TYPE_TRAILER; + iov[3].data = make_data(scratch + header_len, trailer_len); + memcpy(iov[3].data.data, input->ciphertext.data + header_len + plain_len, + trailer_len); + + ret = ktp->decrypt(ktp, key, usage, ivec, iov, 4); + if (ret != 0) + zap(output->data, plain_len); + else + output->length = plain_len; + zapfree(scratch, header_len + trailer_len); + return ret; } krb5_error_code KRB5_CALLCONV diff --git a/src/lib/crypto/krb/decrypt_iov.c b/src/lib/crypto/krb/decrypt_iov.c index 7a37d3e26..f52a727b3 100644 --- a/src/lib/crypto/krb/decrypt_iov.c 
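Review bot: `memcpy(iov[1].data.data, input->ciphertext.data + header_len, plain_len)` copies the ciphertext body into `output->data` before decrypting, which is undefined behaviour if a caller passes an output buffer that overlaps the ciphertext. This copy-then-decrypt path is now taken for every enctype, not only those that lacked a `decrypt` entry, so callers that used to go through `(*ktp->decrypt)(ktp->enc, ...)` are newly exposed; whether any of them decrypts in place is not visible here. Either document on `krb5_k_decrypt` that input and output must not overlap, or copy the header and trailer into `scratch` first and move the body with `memmove(iov[1].data.data, input->ciphertext.data + header_len, plain_len);`. Separately, the literal `4` passed to `ktp->decrypt` would be safer as `sizeof(iov) / sizeof(iov[0])`, as the removed compat function had it. The function's opening lines are in the previous hunk.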
+++ b/src/lib/crypto/krb/decrypt_iov.c @@ -30,37 +30,29 @@ #include "aead.h" krb5_error_code KRB5_CALLCONV -krb5_k_decrypt_iov(krb5_context context, - krb5_key key, - krb5_keyusage usage, - const krb5_data *cipher_state, - krb5_crypto_iov *data, +krb5_k_decrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage, + const krb5_data *cipher_state, krb5_crypto_iov *data, size_t num_data) { const struct krb5_keytypes *ktp; ktp = find_enctype(key->keyblock.enctype); - if (ktp == NULL || ktp->aead == NULL) + if (ktp == NULL) return KRB5_BAD_ENCTYPE; if (krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_STREAM) != NULL) { - return krb5int_c_iov_decrypt_stream(ktp->aead, ktp->enc, ktp->hash, - key, usage, cipher_state, data, - num_data); + return krb5int_c_iov_decrypt_stream(ktp, key, usage, cipher_state, + data, num_data); } - return (*ktp->aead->decrypt_iov)(ktp->aead, ktp->enc, ktp->hash, key, - usage, cipher_state, data, num_data); + return ktp->decrypt(ktp, key, usage, cipher_state, data, num_data); } krb5_error_code KRB5_CALLCONV -krb5_c_decrypt_iov(krb5_context context, - const krb5_keyblock *keyblock, - krb5_keyusage usage, - const krb5_data *cipher_state, - krb5_crypto_iov *data, - size_t num_data) +krb5_c_decrypt_iov(krb5_context context, const krb5_keyblock *keyblock, + krb5_keyusage usage, const krb5_data *cipher_state, + krb5_crypto_iov *data, size_t num_data) { krb5_key key; krb5_error_code ret; diff --git a/src/lib/crypto/krb/deps b/src/lib/crypto/krb/deps index 1bd41ecfe..c7d3bae2a 100644 --- a/src/lib/crypto/krb/deps +++ b/src/lib/crypto/krb/deps 
@@ -192,9 +192,8 @@ enctype_to_string.so enctype_to_string.po $(OUTPRE)enctype_to_string.$(OBJEXT): enctype_to_string.c etypes.h etypes.so etypes.po $(OUTPRE)etypes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes_s2k.h \ - $(srcdir)/../builtin/des/des_int.h $(srcdir)/../builtin/enc_provider/enc_provider.h \ - $(srcdir)/../builtin/hash_provider/hash_provider.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../builtin/des/des_int.h \ + $(srcdir)/../builtin/enc_provider/enc_provider.h $(srcdir)/../builtin/hash_provider/hash_provider.h \ $(srcdir)/arcfour/arcfour.h $(srcdir)/dk/dk.h $(srcdir)/old/old.h \ $(srcdir)/prf/prf_int.h $(srcdir)/raw/raw.h $(top_srcdir)/include/k5-buf.h \ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ @@ -280,7 +279,7 @@ make_checksum_iov.so make_checksum_iov.po $(OUTPRE)make_checksum_iov.$(OBJEXT): $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - aead.h cksumtypes.h make_checksum_iov.c + aead.h cksumtypes.h etypes.h make_checksum_iov.c make_random_key.so make_random_key.po $(OUTPRE)make_random_key.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -454,4 +453,4 @@ verify_checksum_iov.so verify_checksum_iov.po $(OUTPRE)verify_checksum_iov.$(OBJ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - aead.h cksumtypes.h verify_checksum_iov.c + aead.h cksumtypes.h etypes.h verify_checksum_iov.c 
diff --git a/src/lib/crypto/krb/dk/Makefile.in b/src/lib/crypto/krb/dk/Makefile.in index c87af05f9..8d658573d 100644 --- a/src/lib/crypto/krb/dk/Makefile.in +++ b/src/lib/crypto/krb/dk/Makefile.in @@ -13,24 +13,18 @@ PROG_RPATH=$(KRB5_LIBDIR) STLIBOBJS=\ checksum.o \ dk_aead.o \ - dk_decrypt.o \ - dk_encrypt.o \ derive.o \ stringtokey.o OBJS=\ $(OUTPRE)checksum.$(OBJEXT) \ $(OUTPRE)dk_aead.$(OBJEXT) \ - $(OUTPRE)dk_decrypt.$(OBJEXT) \ - $(OUTPRE)dk_encrypt.$(OBJEXT) \ $(OUTPRE)derive.$(OBJEXT) \ $(OUTPRE)stringtokey.$(OBJEXT) SRCS=\ $(srcdir)/checksum.c \ $(srcdir)/dk_aead.c \ - $(srcdir)/dk_decrypt.c \ - $(srcdir)/dk_encrypt.c \ $(srcdir)/derive.c \ $(srcdir)/stringtokey.c diff --git a/src/lib/crypto/krb/dk/deps b/src/lib/crypto/krb/dk/deps index 0de06af9a..1fa446a4b 100644 --- a/src/lib/crypto/krb/dk/deps +++ b/src/lib/crypto/krb/dk/deps @@ -16,7 +16,7 @@ checksum.so checksum.po $(OUTPRE)checksum.$(OBJEXT): \ dk_aead.so dk_aead.po $(OUTPRE)dk_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../aead.h \ - $(srcdir)/../cksumtypes.h $(top_srcdir)/include/k5-buf.h \ + $(srcdir)/../cksumtypes.h $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ 
@@ -24,46 +24,25 @@ dk_aead.so dk_aead.po $(OUTPRE)dk_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ $(top_srcdir)/include/socket-utils.h dk.h dk_aead.c -dk_decrypt.so dk_decrypt.po $(OUTPRE)dk_decrypt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ +derive.so derive.po $(OUTPRE)derive.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../etypes.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - dk.h dk_decrypt.c -dk_encrypt.so dk_encrypt.po $(OUTPRE)dk_encrypt.$(OBJEXT): \ + derive.c dk.h +stringtokey.so stringtokey.po $(OUTPRE)stringtokey.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/krb5.h 
$(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - dk.h dk_encrypt.c -derive.so derive.po $(OUTPRE)derive.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ + $(COM_ERR_DEPS) $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h derive.c dk.h -stringtokey.so stringtokey.po $(OUTPRE)stringtokey.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - dk.h stringtokey.c + $(top_srcdir)/include/socket-utils.h dk.h stringtokey.c diff --git a/src/lib/crypto/krb/dk/derive.c b/src/lib/crypto/krb/dk/derive.c index c963c3959..384a5e400 100644 
--- a/src/lib/crypto/krb/dk/derive.c +++ b/src/lib/crypto/krb/dk/derive.c 
@@ -79,86 +79,86 @@ cleanup: return ENOMEM; } -/* - * Compute a derived key into the keyblock outkey. This variation on - * krb5int_derive_key does not cache the result, as it is only used - * directly in situations which are not expected to be repeated with - * the same inkey and constant. - */ krb5_error_code -krb5int_derive_keyblock(const struct krb5_enc_provider *enc, - krb5_key inkey, krb5_keyblock *outkey, - const krb5_data *in_constant) +krb5int_derive_random(const struct krb5_enc_provider *enc, + krb5_key inkey, krb5_data *outrnd, + const krb5_data *in_constant) { size_t blocksize, keybytes, n; - unsigned char *inblockdata = NULL, *outblockdata = NULL, *rawkey = NULL; - krb5_data inblock, outblock; + krb5_crypto_iov iov; krb5_error_code ret; blocksize = enc->block_size; keybytes = enc->keybytes; - if (inkey->keyblock.length != enc->keylength || - outkey->length != enc->keylength) + if (inkey->keyblock.length != enc->keylength || outrnd->length != keybytes) return KRB5_CRYPTO_INTERNAL; - /* Allocate and set up buffers. */ - inblockdata = k5alloc(blocksize, &ret); - if (ret) - goto cleanup; - outblockdata = k5alloc(blocksize, &ret); - if (ret) - goto cleanup; - rawkey = k5alloc(keybytes, &ret); + /* Allocate encryption data buffer. */ + iov.flags = KRB5_CRYPTO_TYPE_DATA; + ret = alloc_data(&iov.data, blocksize); if (ret) - goto cleanup; - - inblock.data = (char *) inblockdata; - inblock.length = blocksize; - - outblock.data = (char *) outblockdata; - outblock.length = blocksize; + return ret; /* Initialize the input block. 
*/ - - if (in_constant->length == inblock.length) { - memcpy(inblock.data, in_constant->data, inblock.length); + if (in_constant->length == blocksize) { + memcpy(iov.data.data, in_constant->data, blocksize); } else { - krb5int_nfold(in_constant->length*8, (unsigned char *) in_constant->data, - inblock.length*8, (unsigned char *) inblock.data); + krb5int_nfold(in_constant->length * 8, + (unsigned char *) in_constant->data, + blocksize * 8, (unsigned char *) iov.data.data); } - /* Loop encrypting the blocks until enough key bytes are generated */ - + /* Loop encrypting the blocks until enough key bytes are generated. */ n = 0; while (n < keybytes) { - ret = (*enc->encrypt)(inkey, 0, &inblock, &outblock); + ret = enc->encrypt(inkey, 0, &iov, 1); if (ret) goto cleanup; - if ((keybytes - n) <= outblock.length) { - memcpy(rawkey + n, outblock.data, (keybytes - n)); + if ((keybytes - n) <= blocksize) { + memcpy(outrnd->data + n, iov.data.data, (keybytes - n)); break; } - memcpy(rawkey+n, outblock.data, outblock.length); - memcpy(inblock.data, outblock.data, outblock.length); - n += outblock.length; + memcpy(outrnd->data + n, iov.data.data, blocksize); + n += blocksize; } - /* postprocess the key */ +cleanup: + zapfree(iov.data.data, blocksize); + return ret; +} + +/* + * Compute a derived key into the keyblock outkey. This variation on + * krb5int_derive_key does not cache the result, as it is only used + * directly in situations which are not expected to be repeated with + * the same inkey and constant. + */ +krb5_error_code +krb5int_derive_keyblock(const struct krb5_enc_provider *enc, + krb5_key inkey, krb5_keyblock *outkey, + const krb5_data *in_constant) +{ + krb5_error_code ret; + krb5_data rawkey = empty_data(); - inblock.data = (char *) rawkey; - inblock.length = keybytes; + /* Allocate a buffer for the raw key bytes. 
*/ + ret = alloc_data(&rawkey, enc->keybytes); + if (ret) + goto cleanup; - ret = (*enc->make_key)(&inblock, outkey); + /* Derive pseudo-random data for the key bytes. */ + ret = krb5int_derive_random(enc, inkey, &rawkey, in_constant); if (ret) goto cleanup; + /* Postprocess the key. */ + ret = enc->make_key(&rawkey, outkey); + cleanup: - zapfree(inblockdata, blocksize); - zapfree(outblockdata, blocksize); - zapfree(rawkey, keybytes); + zapfree(rawkey.data, enc->keybytes); return ret; } 
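Review bot: The rewritten krb5int_derive_keyblock no longer checks `outkey->length != enc->keylength`; the old body rejected that with KRB5_CRYPTO_INTERNAL, and the check now living in krb5int_derive_random covers only `inkey` and `outrnd`. Unless every `enc->make_key` validates the destination length itself (not visible in this hunk), a wrongly sized caller keyblock reaches make_key unchecked. Restoring `if (outkey->length != enc->keylength) return KRB5_CRYPTO_INTERNAL;` before the `alloc_data` call keeps the previous contract. krb5int_derive_random also lacks a header comment; one line noting that each round encrypts the IOV buffer in place, so the previous output block feeds the next round, would explain why the old copy from outblock to inblock is gone.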
@@ -200,72 +200,3 @@ cleanup: zapfree(keyblock.contents, keyblock.length); return ret; } - -krb5_error_code -krb5int_derive_random(const struct krb5_enc_provider *enc, - krb5_key inkey, krb5_data *outrnd, - const krb5_data *in_constant) -{ - size_t blocksize, keybytes, n; - unsigned char *inblockdata = NULL, *outblockdata = NULL, *rawkey = NULL; - krb5_data inblock, outblock; - krb5_error_code ret; - - blocksize = enc->block_size; - keybytes = enc->keybytes; - - if (inkey->keyblock.length != enc->keylength || outrnd->length != keybytes) - return KRB5_CRYPTO_INTERNAL; - - /* Allocate and set up buffers. */ - - inblockdata = k5alloc(blocksize, &ret); - if (ret) - goto cleanup; - outblockdata = k5alloc(blocksize, &ret); - if (ret) - goto cleanup; - rawkey = k5alloc(keybytes, &ret); - if (ret) - goto cleanup; - - inblock.data = (char *) inblockdata; - inblock.length = blocksize; - - outblock.data = (char *) outblockdata; - outblock.length = blocksize; - - /* Initialize the input block. */ - if (in_constant->length == inblock.length) { - memcpy(inblock.data, in_constant->data, inblock.length); - } else { - krb5int_nfold(in_constant->length*8, (unsigned char *) in_constant->data, - inblock.length*8, (unsigned char *) inblock.data); - } - - /* Loop encrypting the blocks until enough key bytes are generated. */ - n = 0; - while (n < keybytes) { - ret = (*enc->encrypt)(inkey, 0, &inblock, &outblock); - if (ret) - goto cleanup; - - if ((keybytes - n) <= outblock.length) { - memcpy(rawkey + n, outblock.data, (keybytes - n)); - break; - } - - memcpy(rawkey+n, outblock.data, outblock.length); - memcpy(inblock.data, outblock.data, outblock.length); - n += outblock.length; - } - - /* Postprocess the key. */ - memcpy(outrnd->data, rawkey, keybytes); - -cleanup: - zapfree(inblockdata, blocksize); - zapfree(outblockdata, blocksize); - zapfree(rawkey, keybytes); - return ret; -} diff --git a/src/lib/crypto/krb/dk/dk.h b/src/lib/crypto/krb/dk/dk.h index 1ac3fbe1b..892f6b45c 100644 
--- a/src/lib/crypto/krb/dk/dk.h +++ b/src/lib/crypto/krb/dk/dk.h 
@@ -26,55 +26,35 @@ */ #include "k5-int.h" +#include "etypes.h" -void -krb5int_dk_encrypt_length(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - size_t input, size_t *length); +unsigned int +krb5int_dk_crypto_length(const struct krb5_keytypes *ktp, + krb5_cryptotype type); -krb5_error_code -krb5int_dk_encrypt(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, - const krb5_data *input, krb5_data *output); - -void -krb5int_aes_encrypt_length(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - size_t input, size_t *length); +unsigned int +krb5int_aes_crypto_length(const struct krb5_keytypes *ktp, + krb5_cryptotype type); krb5_error_code -krb5int_aes_dk_encrypt(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, - krb5_keyusage usage, - const krb5_data *ivec, - const krb5_data *input, - krb5_data *output); +krb5int_dk_encrypt(const struct krb5_keytypes *ktp, krb5_key key, + krb5_keyusage usage, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data); krb5_error_code -krb5int_dk_decrypt(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, const krb5_data *input, - krb5_data *arg_output); +krb5int_dk_decrypt(const struct krb5_keytypes *ktp, krb5_key key, + krb5_keyusage usage, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data); krb5_error_code -krb5int_aes_dk_decrypt(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, - krb5_keyusage usage, - const krb5_data *ivec, - const krb5_data *input, - krb5_data *arg_output); +krb5int_dk_string_to_key(const struct krb5_keytypes *enc, + const krb5_data *string, const krb5_data *salt, + const krb5_data *params, krb5_keyblock *key); krb5_error_code -krb5int_dk_string_to_key(const struct 
krb5_enc_provider *enc, - const krb5_data *string, - const krb5_data *salt, - const krb5_data *params, - krb5_keyblock *key); +krb5int_aes_string_to_key(const struct krb5_keytypes *enc, + const krb5_data *string, const krb5_data *salt, + const krb5_data *params, krb5_keyblock *key); krb5_error_code krb5int_derive_keyblock(const struct krb5_enc_provider *enc, @@ -105,8 +85,3 @@ krb5_error_code krb5int_derive_random(const struct krb5_enc_provider *enc, krb5_key inkey, krb5_data *outrnd, const krb5_data *in_constant); - -/* AEAD */ - -extern const struct krb5_aead_provider krb5int_aead_dk; -extern const struct krb5_aead_provider krb5int_aead_aes; diff --git a/src/lib/crypto/krb/dk/dk_aead.c b/src/lib/crypto/krb/dk/dk_aead.c index 1801a7300..59c84dbce 100644 --- a/src/lib/crypto/krb/dk/dk_aead.c +++ b/src/lib/crypto/krb/dk/dk_aead.c 
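Review bot: The new prototypes for krb5int_dk_string_to_key and krb5int_aes_string_to_key name their first parameter `enc` although its type is now `const struct krb5_keytypes *`. The definitions in stringtokey.c call it `ktp`, and the neighbouring krb5int_derive_keyblock prototype uses `enc` for an actual `krb5_enc_provider`. Renaming it in the header to `const struct krb5_keytypes *ktp,` for both functions removes the invitation to pass an enc provider. The two crypto_length prototypes would also benefit from a one-line comment saying that they return a byte count for the given cryptotype.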
@@ -34,63 +34,60 @@ /* AEAD */ -static krb5_error_code -krb5int_dk_crypto_length(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_cryptotype type, - unsigned int *length) +unsigned int +krb5int_dk_crypto_length(const struct krb5_keytypes *ktp, krb5_cryptotype type) { switch (type) { case KRB5_CRYPTO_TYPE_HEADER: case KRB5_CRYPTO_TYPE_PADDING: - *length = enc->block_size; - break; + return ktp->enc->block_size; case KRB5_CRYPTO_TYPE_TRAILER: case KRB5_CRYPTO_TYPE_CHECKSUM: - *length = hash->hashsize; - break; + return ktp->hash->hashsize; default: assert(0 && "invalid cryptotype passed to krb5int_dk_crypto_length"); - break; + return 0; } +} - return 0; +unsigned int +krb5int_aes_crypto_length(const struct krb5_keytypes *ktp, + krb5_cryptotype type) +{ + switch (type) { + case KRB5_CRYPTO_TYPE_HEADER: + return ktp->enc->block_size; + case KRB5_CRYPTO_TYPE_PADDING: + return 0; + case KRB5_CRYPTO_TYPE_TRAILER: + case KRB5_CRYPTO_TYPE_CHECKSUM: + return 96 / 8; + default: + assert(0 && "invalid cryptotype passed to krb5int_aes_crypto_length"); + return 0; + } } -static krb5_error_code -krb5int_dk_encrypt_iov(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, - krb5_keyusage usage, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +krb5_error_code +krb5int_dk_encrypt(const struct krb5_keytypes *ktp, krb5_key key, + krb5_keyusage usage, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data) { + const struct krb5_enc_provider *enc = ktp->enc; + const struct krb5_hash_provider *hash = ktp->hash; krb5_error_code ret; unsigned char constantdata[K5CLENGTH]; krb5_data d1, d2; krb5_crypto_iov *header, *trailer, *padding; krb5_key ke = NULL, ki = NULL; size_t i; - unsigned int blocksize = 0; - unsigned int plainlen = 0; - unsigned int hmacsize = 0; - unsigned int padsize = 0; + unsigned int 
blocksize, hmacsize, plainlen = 0, padsize = 0; unsigned char *cksum = NULL; /* E(Confounder | Plaintext | Pad) | Checksum */ - ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING, - &blocksize); - if (ret != 0) - return ret; - - ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER, - &hmacsize); - if (ret != 0) - return ret; + blocksize = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_PADDING); + hmacsize = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_TRAILER); for (i = 0; i < num_data; i++) { krb5_crypto_iov *iov = &data[i]; @@ -164,9 +161,7 @@ krb5int_dk_encrypt_iov(const struct krb5_aead_provider *aead, goto cleanup; /* Encrypt the plaintext (header | data | padding) */ - assert(enc->encrypt_iov != NULL); - - ret = (*enc->encrypt_iov)(ke, ivec, data, num_data); /* updates ivec */ + ret = enc->encrypt(ke, ivec, data, num_data); if (ret != 0) goto cleanup; 
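Review bot: In both krb5int_dk_crypto_length and krb5int_aes_crypto_length the `default:` arm relies on `assert(0 && ...)` and then returns 0, so a build with NDEBUG reports length 0 for an unexpected cryptotype, which is also the legitimate answer for AES padding. With the krb5_error_code return gone, callers cannot tell the two apart. A comment above each function, e.g. `/* Returns 0 for cryptotypes this enctype does not define; callers pass HEADER, PADDING, TRAILER or CHECKSUM only. */`, would record that contract. The literal `96 / 8` would read better as a named constant so the truncated-HMAC size is stated once.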
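Review bot: The trailing `/* updates ivec */` remark was dropped from the `enc->encrypt(ke, ivec, data, num_data)` call here and from the matching `enc->decrypt` call in the `@@ -262,9 +246,7 @@` hunk, while `ivec` is still declared `const krb5_data *`. If the provider still writes chaining state back through that pointer (not visible in these hunks), keep the remark, e.g. `/* enc->encrypt updates ivec for chaining */`, so the const qualifier does not mislead a reader. Both enclosing functions start and end outside these hunks.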
@@ -183,38 +178,27 @@ cleanup: return ret; } -static krb5_error_code -krb5int_dk_decrypt_iov(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, - krb5_keyusage usage, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +krb5_error_code +krb5int_dk_decrypt(const struct krb5_keytypes *ktp, krb5_key key, + krb5_keyusage usage, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data) { + const struct krb5_enc_provider *enc = ktp->enc; + const struct krb5_hash_provider *hash = ktp->hash; krb5_error_code ret; unsigned char constantdata[K5CLENGTH]; krb5_data d1; krb5_crypto_iov *header, *trailer; krb5_key ke = NULL, ki = NULL; size_t i; - unsigned int blocksize = 0; /* enc block size, not confounder len */ - unsigned int cipherlen = 0; - unsigned int hmacsize = 0; + unsigned int blocksize; /* enc block size, not confounder len */ + unsigned int hmacsize, cipherlen = 0; unsigned char *cksum = NULL; /* E(Confounder | Plaintext | Pad) | Checksum */ - ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING, - &blocksize); - if (ret != 0) - return ret; - - ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER, - &hmacsize); - if (ret != 0) - return ret; + blocksize = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_PADDING); + hmacsize = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_TRAILER); if (blocksize != 0) { /* Check that the input data is correctly padded. */ @@ -262,9 +246,7 @@ krb5int_dk_decrypt_iov(const struct krb5_aead_provider *aead, goto cleanup; /* Decrypt the plaintext (header | data | padding). */ - assert(enc->decrypt_iov != NULL); - - ret = (*enc->decrypt_iov)(ke, ivec, data, num_data); /* updates ivec */ + ret = enc->decrypt(ke, ivec, data, num_data); if (ret != 0) goto cleanup; 
@@ -288,41 +270,3 @@ cleanup: free(cksum); return ret; } - -const struct krb5_aead_provider krb5int_aead_dk = { - krb5int_dk_crypto_length, - krb5int_dk_encrypt_iov, - krb5int_dk_decrypt_iov -}; - -static krb5_error_code -krb5int_aes_crypto_length(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_cryptotype type, - unsigned int *length) -{ - switch (type) { - case KRB5_CRYPTO_TYPE_HEADER: - *length = enc->block_size; - break; - case KRB5_CRYPTO_TYPE_PADDING: - *length = 0; - break; - case KRB5_CRYPTO_TYPE_TRAILER: - case KRB5_CRYPTO_TYPE_CHECKSUM: - *length = 96 / 8; - break; - default: - assert(0 && "invalid cryptotype passed to krb5int_aes_crypto_length"); - break; - } - - return 0; -} - -const struct krb5_aead_provider krb5int_aead_aes = { - krb5int_aes_crypto_length, - krb5int_dk_encrypt_iov, - krb5int_dk_decrypt_iov -}; diff --git a/src/lib/crypto/krb/dk/dk_decrypt.c b/src/lib/crypto/krb/dk/dk_decrypt.c deleted file mode 100644 index 4ef7e47f0..000000000 --- a/src/lib/crypto/krb/dk/dk_decrypt.c +++ /dev/null 
@@ -1,179 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright (C) 1998 by the FundsXpress, INC. - * - * All rights reserved. - * - * Export of this software from the United States of America may require - * a specific license from the United States Government. It is the - * responsibility of any person or organization contemplating export to - * obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of FundsXpress. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. FundsXpress makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
- */ - -#include "k5-int.h" -#include "dk.h" - -#define K5CLENGTH 5 /* 32 bit net byte order integer + one byte seed */ - -static krb5_error_code -krb5_dk_decrypt_maybe_trunc_hmac(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, - krb5_keyusage usage, - const krb5_data *ivec, - const krb5_data *input, - krb5_data *output, - size_t hmacsize, - int ivec_mode); - -krb5_error_code -krb5int_dk_decrypt(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, const krb5_data *input, - krb5_data *output) -{ - return krb5_dk_decrypt_maybe_trunc_hmac(enc, hash, key, usage, - ivec, input, output, 0, 0); -} - -krb5_error_code -krb5int_aes_dk_decrypt(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, const krb5_data *input, - krb5_data *output) -{ - return krb5_dk_decrypt_maybe_trunc_hmac(enc, hash, key, usage, - ivec, input, output, 96 / 8, 1); -} - -static krb5_error_code -krb5_dk_decrypt_maybe_trunc_hmac(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, const krb5_data *input, - krb5_data *output, size_t hmacsize, - int ivec_mode) -{ - krb5_error_code ret; - size_t hashsize, blocksize, enclen, plainlen; - unsigned char *plaindata = NULL, *cksum = NULL, *cn; - krb5_key ke = NULL, ki = NULL; - krb5_data d1, d2; - unsigned char constantdata[K5CLENGTH]; - - hashsize = hash->hashsize; - blocksize = enc->block_size; - - if (hmacsize == 0) - hmacsize = hashsize; - else if (hmacsize > hashsize) - return KRB5KRB_AP_ERR_BAD_INTEGRITY; - - enclen = input->length - hmacsize; - - /* Allocate and set up ciphertext and to-be-derived keys. 
*/ - plaindata = k5alloc(enclen, &ret); - if (ret != 0) - goto cleanup; - cksum = k5alloc(hashsize, &ret); - if (ret != 0) - goto cleanup; - - /* Derive the keys. */ - - d1.data = (char *) constantdata; - d1.length = K5CLENGTH; - - store_32_be(usage, constantdata); - - d1.data[4] = (char) 0xAA; - - ret = krb5int_derive_key(enc, key, &ke, &d1); - if (ret != 0) - goto cleanup; - - d1.data[4] = 0x55; - - ret = krb5int_derive_key(enc, key, &ki, &d1); - if (ret != 0) - goto cleanup; - - /* decrypt the ciphertext */ - - d1.length = enclen; - d1.data = input->data; - - d2.length = enclen; - d2.data = (char *) plaindata; - - ret = (*enc->decrypt)(ke, ivec, &d1, &d2); - if (ret != 0) - goto cleanup; - - if (ivec != NULL && ivec->length == blocksize) { - if (ivec_mode == 0) - cn = (unsigned char *) d1.data + d1.length - blocksize; - else if (ivec_mode == 1) { - int nblocks = (d1.length + blocksize - 1) / blocksize; - cn = (unsigned char *) d1.data + blocksize * (nblocks - 2); - } else - abort(); - } else - cn = NULL; - - /* Verify the hash. */ - - d1.length = hashsize; - d1.data = (char *) cksum; - - ret = krb5int_hmac(hash, ki, 1, &d2, &d1); - if (ret != 0) - goto cleanup; - - if (memcmp(cksum, input->data+enclen, hmacsize) != 0) { - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; - goto cleanup; - } - - /* - * Because this encoding isn't self-describing wrt length, the - * best we can do here is to compute the length minus the - * confounder. - */ - - plainlen = enclen - blocksize; - - if (output->length < plainlen) - return KRB5_BAD_MSIZE; - - output->length = plainlen; - - memcpy(output->data, d2.data+blocksize, output->length); - - if (cn != NULL) - memcpy(ivec->data, cn, blocksize); - -cleanup: - krb5_k_free_key(NULL, ke); - krb5_k_free_key(NULL, ki); - zapfree(plaindata, enclen); - zapfree(cksum, hashsize); - return ret; -} diff --git a/src/lib/crypto/krb/dk/dk_encrypt.c b/src/lib/crypto/krb/dk/dk_encrypt.c deleted file mode 100644 index 29699d7a4..000000000 
--- a/src/lib/crypto/krb/dk/dk_encrypt.c +++ /dev/null 
@@ -1,308 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright (C) 1998 by the FundsXpress, INC. - * - * All rights reserved. - * - * Export of this software from the United States of America may require - * a specific license from the United States Government. It is the - * responsibility of any person or organization contemplating export to - * obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of FundsXpress. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. FundsXpress makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. - */ - -#include "k5-int.h" -#include "dk.h" - -#define K5CLENGTH 5 /* 32 bit net byte order integer + one byte seed */ - -/* - * The spec says that the confounder size and padding are specific to - * the encryption algorithm. This code (dk_encrypt_length and - * dk_encrypt) assume the confounder is always the blocksize, and the - * padding is always zero bytes up to the blocksize. If these - * assumptions ever fails, the keytype table should be extended to - * include these bits of info. 
- */ - -void -krb5int_dk_encrypt_length(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - size_t inputlen, size_t *length) -{ - size_t blocksize, hashsize; - - blocksize = enc->block_size; - hashsize = hash->hashsize; - *length = krb5_roundup(blocksize + inputlen, blocksize) + hashsize; -} - -krb5_error_code -krb5int_dk_encrypt(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, const krb5_data *input, - krb5_data *output) -{ - size_t blocksize, plainlen, enclen; - krb5_error_code ret; - unsigned char constantdata[K5CLENGTH]; - krb5_data d1, d2; - unsigned char *plaintext = NULL; - char *cn; - krb5_key ke = NULL, ki = NULL; - - blocksize = enc->block_size; - plainlen = krb5_roundup(blocksize + input->length, blocksize); - - krb5int_dk_encrypt_length(enc, hash, input->length, &enclen); - - /* key->length, ivec will be tested in enc->encrypt. */ - - if (output->length < enclen) - return(KRB5_BAD_MSIZE); - - /* Allocate and set up plaintext and to-be-derived keys. */ - - plaintext = malloc(plainlen); - if (plaintext == NULL) - return ENOMEM; - - /* Derive the keys. */ - - d1.data = (char *) constantdata; - d1.length = K5CLENGTH; - - store_32_be(usage, constantdata); - - d1.data[4] = (char) 0xAA; - - ret = krb5int_derive_key(enc, key, &ke, &d1); - if (ret != 0) - goto cleanup; - - d1.data[4] = 0x55; - - ret = krb5int_derive_key(enc, key, &ki, &d1); - if (ret != 0) - goto cleanup; - - /* Put together the plaintext. */ - - d1.length = blocksize; - d1.data = (char *) plaintext; - - ret = krb5_c_random_make_octets(/* XXX */ 0, &d1); - if (ret != 0) - goto cleanup; - - memcpy(plaintext + blocksize, input->data, input->length); - - memset(plaintext + blocksize + input->length, 0, - plainlen - (blocksize + input->length)); - - /* Encrypt the plaintext. 
*/ - - d1.length = plainlen; - d1.data = (char *) plaintext; - - d2.length = plainlen; - d2.data = output->data; - - ret = (*enc->encrypt)(ke, ivec, &d1, &d2); - if (ret != 0) - goto cleanup; - - if (ivec != NULL && ivec->length == blocksize) - cn = d2.data + d2.length - blocksize; - else - cn = NULL; - - /* Hash the plaintext. */ - - d2.length = enclen - plainlen; - d2.data = output->data+plainlen; - - output->length = enclen; - - ret = krb5int_hmac(hash, ki, 1, &d1, &d2); - if (ret != 0) { - memset(d2.data, 0, d2.length); - goto cleanup; - } - - /* Update ivec. */ - if (cn != NULL) - memcpy(ivec->data, cn, blocksize); - -cleanup: - krb5_k_free_key(NULL, ke); - krb5_k_free_key(NULL, ki); - zapfree(plaintext, plainlen); - return ret; -} - -/* Not necessarily "AES", per se, but "a CBC+CTS mode block cipher - with a 96-bit truncated HMAC". */ -void -krb5int_aes_encrypt_length(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - size_t inputlen, size_t *length) -{ - size_t blocksize, hashsize; - - blocksize = enc->block_size; - hashsize = 96 / 8; - - /* No roundup, since CTS requires no padding once we've hit the - block size. 
*/ - *length = blocksize+inputlen + hashsize; -} - -static krb5_error_code -trunc_hmac (const struct krb5_hash_provider *hash, - krb5_key ki, unsigned int num, - const krb5_data *input, const krb5_data *output) -{ - size_t hashsize; - krb5_data tmp; - krb5_error_code ret; - - hashsize = hash->hashsize; - if (hashsize < output->length) - return KRB5_CRYPTO_INTERNAL; - tmp.length = hashsize; - tmp.data = malloc(hashsize); - if (tmp.data == NULL) - return ENOMEM; - ret = krb5int_hmac(hash, ki, num, input, &tmp); - if (ret == 0) - memcpy(output->data, tmp.data, output->length); - memset(tmp.data, 0, hashsize); - free(tmp.data); - return ret; -} - -krb5_error_code -krb5int_aes_dk_encrypt(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, const krb5_data *input, - krb5_data *output) -{ - size_t blocksize, keybytes, plainlen, enclen; - krb5_error_code ret; - unsigned char constantdata[K5CLENGTH]; - krb5_data d1, d2; - unsigned char *plaintext = NULL; - char *cn; - krb5_key ke = NULL, ki = NULL; - - /* allocate and set up plaintext and to-be-derived keys */ - - blocksize = enc->block_size; - keybytes = enc->keybytes; - plainlen = blocksize+input->length; - - krb5int_aes_encrypt_length(enc, hash, input->length, &enclen); - - /* key->length, ivec will be tested in enc->encrypt */ - - if (output->length < enclen) - return KRB5_BAD_MSIZE; - - plaintext = malloc(plainlen); - if (plaintext == NULL) - return ENOMEM; - - /* Derive the keys. 
*/ - - d1.data = (char *) constantdata; - d1.length = K5CLENGTH; - - store_32_be(usage, constantdata); - - d1.data[4] = (char) 0xAA; - - ret = krb5int_derive_key(enc, key, &ke, &d1); - if (ret != 0) - goto cleanup; - - d1.data[4] = 0x55; - - ret = krb5int_derive_key(enc, key, &ki, &d1); - if (ret != 0) - goto cleanup; - - /* put together the plaintext */ - - d1.length = blocksize; - d1.data = (char *) plaintext; - - ret = krb5_c_random_make_octets(NULL, &d1); - if (ret != 0) - goto cleanup; - - memcpy(plaintext + blocksize, input->data, input->length); - - /* Ciphertext stealing; there should be no more. */ - if (plainlen != blocksize + input->length) - abort(); - - /* Encrypt the plaintext. */ - - d1.length = plainlen; - d1.data = (char *) plaintext; - - d2.length = plainlen; - d2.data = output->data; - - ret = (*enc->encrypt)(ke, ivec, &d1, &d2); - if (ret != 0) - goto cleanup; - - if (ivec != NULL && ivec->length == blocksize) { - int nblocks = (d2.length + blocksize - 1) / blocksize; - cn = d2.data + blocksize * (nblocks - 2); - } else - cn = NULL; - - /* Hash the plaintext. */ - - d2.length = enclen - plainlen; - d2.data = output->data+plainlen; - if (d2.length != 96 / 8) - abort(); - - ret = trunc_hmac(hash, ki, 1, &d1, &d2); - if (ret != 0) { - memset(d2.data, 0, d2.length); - goto cleanup; - } - - output->length = enclen; - - /* Update ivec. */ - if (cn != NULL) - memcpy(ivec->data, cn, blocksize); - -cleanup: - krb5_k_free_key(NULL, ke); - krb5_k_free_key(NULL, ki); - zapfree(plaintext, plainlen); - return ret; -} diff --git a/src/lib/crypto/krb/dk/stringtokey.c b/src/lib/crypto/krb/dk/stringtokey.c index ff436e6ee..9a491879d 100644 --- a/src/lib/crypto/krb/dk/stringtokey.c +++ b/src/lib/crypto/krb/dk/stringtokey.c 
@@ -31,10 +31,11 @@ static const unsigned char kerberos[] = "kerberos"; #define kerberos_len (sizeof(kerberos)-1) krb5_error_code -krb5int_dk_string_to_key(const struct krb5_enc_provider *enc, +krb5int_dk_string_to_key(const struct krb5_keytypes *ktp, const krb5_data *string, const krb5_data *salt, const krb5_data *parms, krb5_keyblock *keyblock) { + const struct krb5_enc_provider *enc = ktp->enc; krb5_error_code ret; size_t keybytes, keylength, concatlen; unsigned char *concat = NULL, *foldstring = NULL, *foldkeydata = NULL; @@ -72,7 +73,7 @@ krb5int_dk_string_to_key(const struct krb5_enc_provider *enc, foldkeyblock.length = keylength; foldkeyblock.contents = foldkeydata; - ret = (*enc->make_key)(&indata, &foldkeyblock); + ret = enc->make_key(&indata, &foldkeyblock); if (ret != 0) goto cleanup; 
@@ -96,3 +97,63 @@ cleanup:
 krb5_k_free_key(NULL, foldkey);
 return ret;
 }
+
+
+#define DEFAULT_ITERATION_COUNT 4096 /* was 0xb000L in earlier drafts */
+#define MAX_ITERATION_COUNT 0x1000000L
+
+krb5_error_code
+krb5int_aes_string_to_key(const struct krb5_keytypes *ktp,
+ const krb5_data *string,
+ const krb5_data *salt,
+ const krb5_data *params,
+ krb5_keyblock *key)
+{
+ unsigned long iter_count;
+ krb5_data out;
+ static const krb5_data usage = { KV5M_DATA, 8, "kerberos" };
+ krb5_key tempkey = NULL;
+ krb5_error_code err;
+
+ if (params) {
+ unsigned char *p = (unsigned char *) params->data;
+ if (params->length != 4)
+ return KRB5_ERR_BAD_S2K_PARAMS;
+ /* The first two need casts in case 'int' is 16 bits. */
+ iter_count = load_32_be(p);
+ if (iter_count == 0) {
+ iter_count = (1UL << 16) << 16;
+ if (((iter_count >> 16) >> 16) != 1)
+ return KRB5_ERR_BAD_S2K_PARAMS;
+ }
+ } else
+ iter_count = DEFAULT_ITERATION_COUNT;
+
+ /* This is not a protocol specification constraint; this is an
+ implementation limit, which should eventually be controlled by
+ a config file. */
+ if (iter_count >= MAX_ITERATION_COUNT)
+ return KRB5_ERR_BAD_S2K_PARAMS;
+
+ /* Use the output keyblock contents for temporary space. */
+ out.data = (char *) key->contents;
+ out.length = key->length;
+ if (out.length != 16 && out.length != 32)
+ return KRB5_CRYPTO_INTERNAL;
+
+ err = krb5int_pbkdf2_hmac_sha1 (&out, iter_count, string, salt);
+ if (err)
+ goto cleanup;
+
+ err = krb5_k_create_key (NULL, key, &tempkey);
+ if (err)
+ goto cleanup;
+
+ err = krb5int_derive_keyblock(ktp->enc, tempkey, key, &usage);
+
+cleanup:
+ if (err)
+ memset (out.data, 0, out.length);
+ krb5_k_free_key (NULL, tempkey);
+ return err;
+}
diff --git a/src/lib/crypto/krb/encrypt.c b/src/lib/crypto/krb/encrypt.c
index 07d8871d4..8f5c481b5 100644
--- a/src/lib/crypto/krb/encrypt.c
+++ b/src/lib/crypto/krb/encrypt.c
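Review bot: The error path under `cleanup:` in krb5int_aes_string_to_key wipes the partially derived key with plain `memset (out.data, 0, out.length);`, while krb5_k_encrypt in this same commit uses `zap()` for the equivalent wipe; I would write `zap(out.data, out.length);` so the clearing follows the library's convention and is not left to the optimizer's discretion. The comment `/* The first two need casts in case 'int' is 16 bits. */` no longer describes the code under it, which is a single `load_32_be(p)` call, and should be removed or reworded. The iteration count taken from `params` is bounded only from above by MAX_ITERATION_COUNT; if those parameters can originate from the peer, a short comment saying that small counts are accepted deliberately would help the next reader.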
@@ -35,6 +35,9 @@ krb5_k_encrypt(krb5_context context, krb5_key key, const krb5_data *input, krb5_enc_data *output) { const struct krb5_keytypes *ktp; + krb5_crypto_iov iov[4]; + krb5_error_code ret; + unsigned int header_len, padding_len, trailer_len, total_len; ktp = find_enctype(key->keyblock.enctype); if (ktp == NULL) @@ -44,16 +47,35 @@ krb5_k_encrypt(krb5_context context, krb5_key key, output->kvno = 0; output->enctype = key->keyblock.enctype; - if (ktp->encrypt == NULL) { - assert(ktp->aead != NULL); + /* Get the lengths of the token parts and compute the total. */ + header_len = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_HEADER); + padding_len = krb5int_c_padding_length(ktp, input->length); + trailer_len = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_TRAILER); + total_len = header_len + input->length + padding_len + trailer_len; + if (output->ciphertext.length < total_len) + return KRB5_BAD_MSIZE; + + /* Set up the iov structures for the token parts. */ + iov[0].flags = KRB5_CRYPTO_TYPE_HEADER; + iov[0].data = make_data(output->ciphertext.data, header_len); + + iov[1].flags = KRB5_CRYPTO_TYPE_DATA; + iov[1].data = make_data(output->ciphertext.data + header_len, + input->length); + memcpy(iov[1].data.data, input->data, input->length); - return krb5int_c_encrypt_aead_compat(ktp->aead, ktp->enc, ktp->hash, - key, usage, ivec, input, - &output->ciphertext); - } + iov[2].flags = KRB5_CRYPTO_TYPE_PADDING; + iov[2].data = make_data(iov[1].data.data + input->length, padding_len); - return (*ktp->encrypt)(ktp->enc, ktp->hash, key, usage, ivec, input, - &output->ciphertext); + iov[3].flags = KRB5_CRYPTO_TYPE_TRAILER; + iov[3].data = make_data(iov[2].data.data + padding_len, trailer_len); + + ret = ktp->encrypt(ktp, key, usage, ivec, iov, 4); + if (ret != 0) + zap(iov[1].data.data, iov[1].data.length); + else + output->ciphertext.length = total_len; + return ret; } krb5_error_code KRB5_CALLCONV 
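Review bot: `total_len = header_len + input->length + padding_len + trailer_len;` in krb5_k_encrypt is computed in `unsigned int` and can wrap for a very large `input->length`, in which case the `output->ciphertext.length < total_len` test passes and the following `memcpy` copies `input->length` bytes into a buffer that was only compared with the wrapped value. Rejecting the wrap before the copy closes this: `if (total_len < input->length || output->ciphertext.length < total_len) return KRB5_BAD_MSIZE;`. The same unchecked sum is added to krb5_c_encrypt_length in encrypt_length.c, whose result callers presumably use to size their buffers. The `memcpy` into `iov[1]` also assumes `input->data` does not overlap the output buffer, and a one-line comment stating that requirement would make it explicit.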
diff --git a/src/lib/crypto/krb/encrypt_iov.c b/src/lib/crypto/krb/encrypt_iov.c index c0651e156..26bb82b8a 100644 --- a/src/lib/crypto/krb/encrypt_iov.c +++ b/src/lib/crypto/krb/encrypt_iov.c @@ -29,30 +29,23 @@ #include "etypes.h" krb5_error_code KRB5_CALLCONV -krb5_k_encrypt_iov(krb5_context context, - krb5_key key, - krb5_keyusage usage, - const krb5_data *cipher_state, - krb5_crypto_iov *data, +krb5_k_encrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage, + const krb5_data *cipher_state, krb5_crypto_iov *data, size_t num_data) { const struct krb5_keytypes *ktp; ktp = find_enctype(key->keyblock.enctype); - if (ktp == NULL || ktp->aead == NULL) + if (ktp == NULL) return KRB5_BAD_ENCTYPE; - return (*ktp->aead->encrypt_iov)(ktp->aead, ktp->enc, ktp->hash, - key, usage, cipher_state, data, num_data); + return ktp->encrypt(ktp, key, usage, cipher_state, data, num_data); } krb5_error_code KRB5_CALLCONV -krb5_c_encrypt_iov(krb5_context context, - const krb5_keyblock *keyblock, - krb5_keyusage usage, - const krb5_data *cipher_state, - krb5_crypto_iov *data, - size_t num_data) +krb5_c_encrypt_iov(krb5_context context, const krb5_keyblock *keyblock, + krb5_keyusage usage, const krb5_data *cipher_state, + krb5_crypto_iov *data, size_t num_data) { krb5_key key; krb5_error_code ret; diff --git a/src/lib/crypto/krb/encrypt_length.c b/src/lib/crypto/krb/encrypt_length.c index f270f8a22..be99f17fa 100644 --- a/src/lib/crypto/krb/encrypt_length.c +++ b/src/lib/crypto/krb/encrypt_length.c 
@@ -34,19 +34,16 @@ krb5_c_encrypt_length(krb5_context context, krb5_enctype enctype, size_t inputlen, size_t *length) { const struct krb5_keytypes *ktp; + unsigned int header_len = 0, padding_len = 0, trailer_len = 0; ktp = find_enctype(enctype); if (ktp == NULL) return KRB5_BAD_ENCTYPE; - if (ktp->encrypt_len == NULL) { - assert(ktp->aead != NULL); - - krb5int_c_encrypt_length_aead_compat(ktp->aead, ktp->enc, ktp->hash, - inputlen, length); - } else { - (*ktp->encrypt_len)(ktp->enc, ktp->hash, inputlen, length); - } + header_len = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_HEADER); + padding_len = krb5int_c_padding_length(ktp, inputlen); + trailer_len = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_TRAILER); + *length = header_len + inputlen + padding_len + trailer_len; return 0; } diff --git a/src/lib/crypto/krb/etypes.c b/src/lib/crypto/krb/etypes.c index 368e7913c..bd0e8964d 100644 --- a/src/lib/crypto/krb/etypes.c +++ b/src/lib/crypto/krb/etypes.c @@ -34,7 +34,6 @@ #include "dk.h" #include "prf_int.h" #include "arcfour.h" -#include "aes_s2k.h" #include "des/des_int.h" /* these will be linear searched. if they ever get big, a binary 
@@ -48,51 +47,46 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { "des-cbc-crc", { 0 }, "DES cbc mode with CRC-32", &krb5int_enc_des, &krb5int_hash_crc32, 16, - krb5int_old_encrypt_length, krb5int_old_encrypt, krb5int_old_decrypt, + krb5int_old_crypto_length, krb5int_old_encrypt, krb5int_old_decrypt, krb5int_des_string_to_key, krb5int_des_prf, CKSUMTYPE_RSA_MD5, - &krb5int_aead_old, ETYPE_WEAK }, { ENCTYPE_DES_CBC_MD4, "des-cbc-md4", { 0 }, "DES cbc mode with RSA-MD4", &krb5int_enc_des, &krb5int_hash_md4, 16, - krb5int_old_encrypt_length, krb5int_old_encrypt, krb5int_old_decrypt, + krb5int_old_crypto_length, krb5int_old_encrypt, krb5int_old_decrypt, krb5int_des_string_to_key, krb5int_des_prf, CKSUMTYPE_RSA_MD4, - &krb5int_aead_old, ETYPE_WEAK }, { ENCTYPE_DES_CBC_MD5, "des-cbc-md5", { "des" }, "DES cbc mode with RSA-MD5", &krb5int_enc_des, &krb5int_hash_md5, 16, - krb5int_old_encrypt_length, krb5int_old_encrypt, krb5int_old_decrypt, + krb5int_old_crypto_length, krb5int_old_encrypt, krb5int_old_decrypt, krb5int_des_string_to_key, krb5int_des_prf, CKSUMTYPE_RSA_MD5, - &krb5int_aead_old, ETYPE_WEAK }, { ENCTYPE_DES_CBC_RAW, "des-cbc-raw", { 0 }, "DES cbc mode raw", &krb5int_enc_des, NULL, 16, - krb5_raw_encrypt_length, krb5int_raw_encrypt, krb5int_raw_decrypt, + krb5int_raw_crypto_length, krb5int_raw_encrypt, krb5int_raw_decrypt, krb5int_des_string_to_key, krb5int_des_prf, 0, - &krb5int_aead_raw, ETYPE_WEAK }, { ENCTYPE_DES3_CBC_RAW, "des3-cbc-raw", { 0 }, "Triple DES cbc mode raw", &krb5int_enc_des3, NULL, 16, - krb5_raw_encrypt_length, krb5int_raw_encrypt, krb5int_raw_decrypt, + krb5int_raw_crypto_length, krb5int_raw_encrypt, krb5int_raw_decrypt, krb5int_dk_string_to_key, NULL, /*PRF*/ 0, - &krb5int_aead_raw, ETYPE_WEAK }, { ENCTYPE_DES3_CBC_SHA1, 
@@ -100,22 +94,20 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { "Triple DES cbc mode with HMAC/sha1", &krb5int_enc_des3, &krb5int_hash_sha1, 16, - krb5int_dk_encrypt_length, krb5int_dk_encrypt, krb5int_dk_decrypt, + krb5int_dk_crypto_length, krb5int_dk_encrypt, krb5int_dk_decrypt, krb5int_dk_string_to_key, krb5int_dk_prf, CKSUMTYPE_HMAC_SHA1_DES3, - &krb5int_aead_dk, 0 /*flags*/ }, { ENCTYPE_DES_HMAC_SHA1, "des-hmac-sha1", { 0 }, "DES with HMAC/sha1", &krb5int_enc_des, &krb5int_hash_sha1, 8, - krb5int_dk_encrypt_length, krb5int_dk_encrypt, krb5int_dk_decrypt, + krb5int_dk_crypto_length, krb5int_dk_encrypt, krb5int_dk_decrypt, krb5int_dk_string_to_key, NULL, /*PRF*/ 0, - &krb5int_aead_dk, ETYPE_WEAK }, { ENCTYPE_ARCFOUR_HMAC, "arcfour-hmac", { "rc4-hmac", "arcfour-hmac-md5" }, @@ -123,11 +115,10 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { &krb5int_enc_arcfour, &krb5int_hash_md5, 20, - krb5int_arcfour_encrypt_length, krb5int_arcfour_encrypt, + krb5int_arcfour_crypto_length, krb5int_arcfour_encrypt, krb5int_arcfour_decrypt, krb5int_arcfour_string_to_key, krb5int_arcfour_prf, /*PRF*/ CKSUMTYPE_HMAC_MD5_ARCFOUR, - &krb5int_aead_arcfour, 0 /*flags*/ }, { ENCTYPE_ARCFOUR_HMAC_EXP, "arcfour-hmac-exp", { "rc4-hmac-exp", "arcfour-hmac-md5-exp" }, @@ -135,11 +126,10 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { &krb5int_enc_arcfour, &krb5int_hash_md5, 20, - krb5int_arcfour_encrypt_length, krb5int_arcfour_encrypt, + krb5int_arcfour_crypto_length, krb5int_arcfour_encrypt, krb5int_arcfour_decrypt, krb5int_arcfour_string_to_key, krb5int_arcfour_prf, /*PRF*/ CKSUMTYPE_HMAC_MD5_ARCFOUR, - &krb5int_aead_arcfour, ETYPE_WEAK }, 
@@ -148,22 +138,20 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { "AES-128 CTS mode with 96-bit SHA-1 HMAC", &krb5int_enc_aes128, &krb5int_hash_sha1, 16, - krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt, + krb5int_aes_crypto_length, krb5int_dk_encrypt, krb5int_dk_decrypt, krb5int_aes_string_to_key, krb5int_dk_prf, CKSUMTYPE_HMAC_SHA1_96_AES128, - &krb5int_aead_aes, 0 /*flags*/ }, { ENCTYPE_AES256_CTS_HMAC_SHA1_96, "aes256-cts-hmac-sha1-96", { "aes256-cts" }, "AES-256 CTS mode with 96-bit SHA-1 HMAC", &krb5int_enc_aes256, &krb5int_hash_sha1, 16, - krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt, + krb5int_aes_crypto_length, krb5int_dk_encrypt, krb5int_dk_decrypt, krb5int_aes_string_to_key, krb5int_dk_prf, CKSUMTYPE_HMAC_SHA1_96_AES256, - &krb5int_aead_aes, 0 /*flags*/ }, }; diff --git a/src/lib/crypto/krb/etypes.h b/src/lib/crypto/krb/etypes.h index 57cca7427..be737cb50 100644 --- a/src/lib/crypto/krb/etypes.h +++ b/src/lib/crypto/krb/etypes.h 
@@ -25,32 +25,30 @@ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ +#ifndef ETYPES_H +#define ETYPES_H + #include "k5-int.h" -typedef void (*krb5_encrypt_length_func)(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - size_t inputlen, size_t *length); +struct krb5_keytypes; + +typedef unsigned int (*crypto_length_func)(const struct krb5_keytypes *ktp, + krb5_cryptotype type); -typedef krb5_error_code (*krb5_crypt_func)(const struct krb5_enc_provider *enc, - const struct - krb5_hash_provider *hash, - krb5_key key, - krb5_keyusage keyusage, - const krb5_data *ivec, - const krb5_data *input, - krb5_data *output); +typedef krb5_error_code (*crypt_func)(const struct krb5_keytypes *ktp, + krb5_key key, krb5_keyusage keyusage, + const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data); -typedef krb5_error_code (*krb5_str2key_func)(const struct - krb5_enc_provider *enc, - const krb5_data *string, - const krb5_data *salt, - const krb5_data *parm, - krb5_keyblock *key); +typedef krb5_error_code (*str2key_func)(const struct krb5_keytypes *ktp, + const krb5_data *string, + const krb5_data *salt, + const krb5_data *parm, + krb5_keyblock *key); -typedef krb5_error_code (*krb5_prf_func)(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, - const krb5_data *in, krb5_data *out); +typedef krb5_error_code (*prf_func)(const struct krb5_keytypes *ktp, + krb5_key key, + const krb5_data *in, krb5_data *out); struct krb5_keytypes { krb5_enctype etype; 
@@ -60,13 +58,12 @@ struct krb5_keytypes { const struct krb5_enc_provider *enc; const struct krb5_hash_provider *hash; size_t prf_length; - krb5_encrypt_length_func encrypt_len; - krb5_crypt_func encrypt; - krb5_crypt_func decrypt; - krb5_str2key_func str2key; - krb5_prf_func prf; + crypto_length_func crypto_length; + crypt_func encrypt; + crypt_func decrypt; + str2key_func str2key; + prf_func prf; krb5_cksumtype required_ctype; - const struct krb5_aead_provider *aead; krb5_flags flags; }; @@ -89,3 +86,5 @@ find_enctype(krb5_enctype enctype) return NULL; return &krb5int_enctypes_list[i]; } + +#endif diff --git a/src/lib/crypto/krb/keyhash_provider/Makefile.in b/src/lib/crypto/krb/keyhash_provider/Makefile.in index c6bec1d5b..b36f91aee 100644 --- a/src/lib/crypto/krb/keyhash_provider/Makefile.in +++ b/src/lib/crypto/krb/keyhash_provider/Makefile.in @@ -2,7 +2,8 @@ mydir=lib/crypto/krb/keyhash_provider BUILDTOP=$(REL)..$(S)..$(S)..$(S).. LOCALINCLUDES = -I$(srcdir)/../../@CRYPTO_IMPL@/des -I$(srcdir)/../../@CRYPTO_IMPL@/md4 \ -I$(srcdir)/../../@CRYPTO_IMPL@/md5 -I$(srcdir)/../arcfour \ - -I$(srcdir)/../../@CRYPTO_IMPL@/hash_provider -I$(srcdir)/../../@CRYPTO_IMPL@ + -I$(srcdir)/../../@CRYPTO_IMPL@/hash_provider -I$(srcdir)/../../@CRYPTO_IMPL@ \ + -I$(srcdir)/.. DEFS= ##DOS##BUILDTOP = ..\..\..\.. diff --git a/src/lib/crypto/krb/keyhash_provider/deps b/src/lib/crypto/krb/keyhash_provider/deps index b375e8896..2cca4cdd0 100644 --- a/src/lib/crypto/krb/keyhash_provider/deps +++ b/src/lib/crypto/krb/keyhash_provider/deps 
@@ -42,7 +42,7 @@ hmac_md5.so hmac_md5.po $(OUTPRE)hmac_md5.$(OBJEXT): \ $(COM_ERR_DEPS) $(srcdir)/../../builtin/hash_provider/hash_provider.h \ $(srcdir)/../../builtin/md5/rsa-md5.h $(srcdir)/../aead.h \ $(srcdir)/../arcfour/arcfour-int.h $(srcdir)/../arcfour/arcfour.h \ - $(srcdir)/../cksumtypes.h $(top_srcdir)/include/k5-buf.h \ + $(srcdir)/../cksumtypes.h $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ 
@@ -55,12 +55,12 @@ md5_hmac.so md5_hmac.po $(OUTPRE)md5_hmac.$(OBJEXT): \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ $(COM_ERR_DEPS) $(srcdir)/../../builtin/hash_provider/hash_provider.h \ $(srcdir)/../../builtin/md5/rsa-md5.h $(srcdir)/../arcfour/arcfour-int.h \ - $(srcdir)/../arcfour/arcfour.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ - $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h keyhash_provider.h \ - md5_hmac.c + $(srcdir)/../arcfour/arcfour.h $(srcdir)/../etypes.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + keyhash_provider.h md5_hmac.c diff --git a/src/lib/crypto/krb/keyhash_provider/k5_md4des.c b/src/lib/crypto/krb/keyhash_provider/k5_md4des.c index 032cf3980..89e04bb34 100644 --- a/src/lib/crypto/krb/keyhash_provider/k5_md4des.c +++ b/src/lib/crypto/krb/keyhash_provider/k5_md4des.c 
@@ -72,6 +72,7 @@ k5_md4des_hash(krb5_key key, krb5_keyusage usage, const krb5_data *ivec, krb5_MD4_CTX ctx; unsigned char conf[CONFLENGTH]; krb5_key xorkey = NULL; + krb5_crypto_iov iov; struct krb5_enc_provider *enc = &krb5int_enc_des; if (output->length != (CONFLENGTH+RSA_MD4_CKSUM_LENGTH)) @@ -101,7 +102,9 @@ k5_md4des_hash(krb5_key key, krb5_keyusage usage, const krb5_data *ivec, memcpy(output->data, conf, CONFLENGTH); memcpy(output->data+CONFLENGTH, ctx.digest, RSA_MD4_CKSUM_LENGTH); - ret = enc->encrypt(xorkey, NULL, output, output); + iov.flags = KRB5_CRYPTO_TYPE_DATA; + iov.data = *output; + ret = enc->encrypt(xorkey, NULL, &iov, 1); krb5_k_free_key(NULL, xorkey); @@ -120,7 +123,8 @@ k5_md4des_verify(krb5_key key, krb5_keyusage usage, krb5_key xorkey = NULL; int compathash = 0; struct krb5_enc_provider *enc = &krb5int_enc_des; - krb5_data output, iv; + krb5_data iv; + krb5_crypto_iov iov; iv.data = NULL; iv.length = 0; @@ -152,22 +156,20 @@ k5_md4des_verify(krb5_key key, krb5_keyusage usage, } /* decrypt it */ - output.data = (char *)plaintext; - output.length = hash->length; + iov.flags = KRB5_CRYPTO_TYPE_DATA; + iov.data = make_data(plaintext, hash->length); + memcpy(plaintext, hash->data, hash->length); - if (!compathash) { - ret = enc->decrypt(xorkey, NULL, hash, &output); - krb5_k_free_key(NULL, xorkey); + if (compathash) { + ret = enc->decrypt(key, &iv, &iov, 1); + zapfree(iv.data, iv.length); } else { - ret = enc->decrypt(key, &iv, hash, &output); - zap(iv.data, iv.length); - free(iv.data); + ret = enc->decrypt(xorkey, NULL, &iov, 1); + krb5_k_free_key(NULL, xorkey); } - if (ret) return(ret); - - if (output.length > CONFLENGTH+RSA_MD4_CKSUM_LENGTH) - return KRB5_CRYPTO_INTERNAL; + if (ret) + return ret; /* hash the confounder, then the input data */ diff --git a/src/lib/crypto/krb/keyhash_provider/k5_md5des.c b/src/lib/crypto/krb/keyhash_provider/k5_md5des.c index b2bea2569..2540e0b54 100644 --- a/src/lib/crypto/krb/keyhash_provider/k5_md5des.c 
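Review bot: In k5_md4des_verify the new `memcpy(plaintext, hash->data, hash->length);` copies a caller-supplied length into the local `plaintext` buffer, and the only length test visible in this hunk (`output.length > CONFLENGTH+RSA_MD4_CKSUM_LENGTH`) is removed by the same change. The function starts outside the hunk, so the bound is presumably enforced by an earlier check on `hash->length`; if it is, a comment at the copy such as `/* hash->length was validated above, so it fits in plaintext */` keeps that dependency visible, and if it is not, a guard is needed before the memcpy. The same copy is added to k5_md5des_verify in k5_md5des.c.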
+++ b/src/lib/crypto/krb/keyhash_provider/k5_md5des.c @@ -72,6 +72,7 @@ k5_md5des_hash(krb5_key key, krb5_keyusage usage, const krb5_data *ivec, krb5_MD5_CTX ctx; unsigned char conf[CONFLENGTH]; krb5_key xorkey = NULL; + krb5_crypto_iov iov; struct krb5_enc_provider *enc = &krb5int_enc_des; if (output->length != (CONFLENGTH+RSA_MD5_CKSUM_LENGTH)) @@ -101,7 +102,9 @@ k5_md5des_hash(krb5_key key, krb5_keyusage usage, const krb5_data *ivec, memcpy(output->data, conf, CONFLENGTH); memcpy(output->data+CONFLENGTH, ctx.digest, RSA_MD5_CKSUM_LENGTH); - ret = enc->encrypt(xorkey, NULL, output, output); + iov.flags = KRB5_CRYPTO_TYPE_DATA; + iov.data = *output; + ret = enc->encrypt(xorkey, NULL, &iov, 1); krb5_k_free_key(NULL, xorkey); @@ -120,7 +123,8 @@ k5_md5des_verify(krb5_key key, krb5_keyusage usage, const krb5_data *ivec, krb5_key xorkey = NULL; int compathash = 0; struct krb5_enc_provider *enc = &krb5int_enc_des; - krb5_data output, iv; + krb5_data iv; + krb5_crypto_iov iov; iv.data = NULL; iv.length = 0; @@ -152,23 +156,21 @@ k5_md5des_verify(krb5_key key, krb5_keyusage usage, const krb5_data *ivec, } /* decrypt it */ - output.data = (char *)plaintext; - output.length = hash->length; + iov.flags = KRB5_CRYPTO_TYPE_DATA; + iov.data = make_data(plaintext, hash->length); + memcpy(plaintext, hash->data, hash->length); if (!compathash) { - ret = enc->decrypt(xorkey, NULL, hash, &output); + ret = enc->decrypt(xorkey, NULL, &iov, 1); krb5_k_free_key(NULL, xorkey); } else { - ret = enc->decrypt(key, &iv, hash, &output); + ret = enc->decrypt(key, &iv, &iov, 1); zap(iv.data, iv.length); free(iv.data); } if (ret) return(ret); - if (output.length > CONFLENGTH+RSA_MD5_CKSUM_LENGTH) - return KRB5_CRYPTO_INTERNAL; - /* hash the confounder, then the input data */ krb5int_MD5Init(&ctx); diff --git a/src/lib/crypto/krb/old/Makefile.in b/src/lib/crypto/krb/old/Makefile.in index aadeacc03..cc3c7f602 100644 --- a/src/lib/crypto/krb/old/Makefile.in 
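Review bot: k5_md5des_verify keeps `zap(iv.data, iv.length); free(iv.data);` and `if (ret) return(ret);`, while the otherwise parallel k5_md4des_verify hunk in this commit was tidied to `zapfree(iv.data, iv.length);` and `if (ret) return ret;` with the `compathash` branch tested first. Applying the same cleanup here would keep the two near-duplicate files easy to compare line by line, which is the main defence against one of them drifting. The function body starts and ends outside the hunk.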
+++ b/src/lib/crypto/krb/old/Makefile.in @@ -12,12 +12,11 @@ PROG_RPATH=$(KRB5_LIBDIR) RUN_SETUP = @KRB5_RUN_ENV@ KRB5_CONFIG=$(top_srcdir)/config-files/krb5.conf -STLIBOBJS= old_aead.o old_decrypt.o old_encrypt.o des_stringtokey.o +STLIBOBJS= old_aead.o des_stringtokey.o -OBJS= $(OUTPRE)des_stringtokey.$(OBJEXT) $(OUTPRE)old_aead.$(OBJEXT) $(OUTPRE)old_decrypt.$(OBJEXT) $(OUTPRE)old_encrypt.$(OBJEXT) +OBJS= $(OUTPRE)des_stringtokey.$(OBJEXT) $(OUTPRE)old_aead.$(OBJEXT) -SRCS= $(srcdir)/des_stringtokey.c $(srcdir)/old_aead.c \ - $(srcdir)/old_decrypt.c $(srcdir)/old_encrypt.c +SRCS= $(srcdir)/des_stringtokey.c $(srcdir)/old_aead.c ##DOS##LIBOBJS = $(OBJS) diff --git a/src/lib/crypto/krb/old/deps b/src/lib/crypto/krb/old/deps index de435eefa..448acd990 100644 --- a/src/lib/crypto/krb/old/deps +++ b/src/lib/crypto/krb/old/deps 
@@ -5,45 +5,24 @@ des_stringtokey.so des_stringtokey.po $(OUTPRE)des_stringtokey.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ $(COM_ERR_DEPS) $(srcdir)/../../builtin/des/des_int.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - des_stringtokey.c old.h + $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ + $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h des_stringtokey.c \ + old.h old_aead.so old_aead.po $(OUTPRE)old_aead.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ $(COM_ERR_DEPS) $(srcdir)/../aead.h $(srcdir)/../cksumtypes.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/krb5.h 
$(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - old.h old_aead.c -old_decrypt.so old_decrypt.po $(OUTPRE)old_decrypt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - old.h old_decrypt.c -old_encrypt.so old_encrypt.po $(OUTPRE)old_encrypt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - old.h old_encrypt.c + $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + 
$(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ + $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h old.h old_aead.c diff --git a/src/lib/crypto/krb/old/des_stringtokey.c b/src/lib/crypto/krb/old/des_stringtokey.c index 6f49166d1..71ee0de1d 100644 --- a/src/lib/crypto/krb/old/des_stringtokey.c +++ b/src/lib/crypto/krb/old/des_stringtokey.c @@ -36,13 +36,12 @@ extern krb5_error_code mit_des_string_to_key_int const krb5_data * salt); krb5_error_code -krb5int_des_string_to_key(const struct krb5_enc_provider *enc, - const krb5_data *string, - const krb5_data *salt, const krb5_data *parm, - krb5_keyblock *key) +krb5int_des_string_to_key(const struct krb5_keytypes *ktp, + const krb5_data *string, const krb5_data *salt, + const krb5_data *parm, krb5_keyblock *key) { int type; - if (parm ) { + if (parm) { if (parm->length != 1) return KRB5_ERR_BAD_S2K_PARAMS; type = parm->data[0]; diff --git a/src/lib/crypto/krb/old/old.h b/src/lib/crypto/krb/old/old.h index 58f4f5a79..d092686d3 100644 --- a/src/lib/crypto/krb/old/old.h +++ b/src/lib/crypto/krb/old/old.h 
@@ -26,28 +26,24 @@ */ #include "k5-int.h" +#include "etypes.h" -void krb5int_old_encrypt_length(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - size_t input, size_t *length); +unsigned int +krb5int_old_crypto_length(const struct krb5_keytypes *ktp, + krb5_cryptotype type); -krb5_error_code krb5int_old_encrypt(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, - const krb5_data *input, krb5_data *output); +krb5_error_code +krb5int_old_encrypt(const struct krb5_keytypes *ktp, krb5_key key, + krb5_keyusage usage, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data); -krb5_error_code krb5int_old_decrypt(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, - const krb5_data *input, - krb5_data *arg_output); +krb5_error_code +krb5int_old_decrypt(const struct krb5_keytypes *ktp, krb5_key key, + krb5_keyusage usage, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data); -krb5_error_code krb5int_des_string_to_key(const struct krb5_enc_provider *enc, +krb5_error_code krb5int_des_string_to_key(const struct krb5_keytypes *ktp, const krb5_data *string, const krb5_data *salt, const krb5_data *params, krb5_keyblock *key); - -extern const struct krb5_aead_provider krb5int_aead_old; diff --git a/src/lib/crypto/krb/old/old_aead.c b/src/lib/crypto/krb/old/old_aead.c index 5249188f6..c72faebd3 100644 --- a/src/lib/crypto/krb/old/old_aead.c +++ b/src/lib/crypto/krb/old/old_aead.c 
@@ -30,42 +30,32 @@ #include "old.h" #include "aead.h" -static krb5_error_code -krb5int_old_crypto_length(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_cryptotype type, - unsigned int *length) +unsigned int +krb5int_old_crypto_length(const struct krb5_keytypes *ktp, + krb5_cryptotype type) { switch (type) { case KRB5_CRYPTO_TYPE_HEADER: - *length = enc->block_size + hash->hashsize; - break; + return ktp->enc->block_size + ktp->hash->hashsize; case KRB5_CRYPTO_TYPE_PADDING: - *length = enc->block_size; - break; + return ktp->enc->block_size; case KRB5_CRYPTO_TYPE_TRAILER: - *length = 0; - break; + return 0; case KRB5_CRYPTO_TYPE_CHECKSUM: - *length = hash->hashsize; - break; + return ktp->hash->hashsize; default: assert(0 && "invalid cryptotype passed to krb5int_old_crypto_length"); - break; + return 0; } - - return 0; } -static krb5_error_code -krb5int_old_encrypt_iov(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, krb5_crypto_iov *data, - size_t num_data) +krb5_error_code +krb5int_old_encrypt(const struct krb5_keytypes *ktp, krb5_key key, + krb5_keyusage usage, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data) { + const struct krb5_enc_provider *enc = ktp->enc; + const struct krb5_hash_provider *hash = ktp->hash; krb5_error_code ret; krb5_crypto_iov *header, *trailer, *padding; krb5_data checksum, confounder, crcivec = empty_data(); @@ -122,7 +112,7 @@ krb5int_old_encrypt_iov(const struct krb5_aead_provider *aead, ivec = &crcivec; } - ret = enc->encrypt_iov(key, ivec, data, num_data); + ret = enc->encrypt(key, ivec, data, num_data); if (ret != 0) goto cleanup; 
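Review bot: With the new `unsigned int` return type, the `default:` branch of krb5int_old_crypto_length can no longer report an unknown `type`: when assertions are compiled out it returns 0, and a caller that sums the lengths (as krb5_k_encrypt does in this commit) would treat that as a valid size. Since the signature has no error channel, I would document the contract above the function, for example `/* type must be HEADER, PADDING, TRAILER or CHECKSUM; any other value asserts and yields 0. */`. The body of krb5int_old_encrypt continues outside these hunks.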
@@ -131,14 +121,13 @@ cleanup: return ret; } -static krb5_error_code -krb5int_old_decrypt_iov(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, krb5_crypto_iov *data, - size_t num_data) +krb5_error_code +krb5int_old_decrypt(const struct krb5_keytypes *ktp, krb5_key key, + krb5_keyusage usage, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data) { + const struct krb5_enc_provider *enc = ktp->enc; + const struct krb5_hash_provider *hash = ktp->hash; krb5_error_code ret; krb5_crypto_iov *header, *trailer; krb5_data checksum, crcivec = empty_data(); @@ -173,7 +162,7 @@ krb5int_old_decrypt_iov(const struct krb5_aead_provider *aead, } /* Decrypt the ciphertext. */ - ret = enc->decrypt_iov(key, ivec, data, num_data); + ret = enc->decrypt(key, ivec, data, num_data); if (ret != 0) goto cleanup; @@ -201,9 +190,3 @@ cleanup: zapfree(saved_checksum, hash->hashsize); return ret; } - -const struct krb5_aead_provider krb5int_aead_old = { - krb5int_old_crypto_length, - krb5int_old_encrypt_iov, - krb5int_old_decrypt_iov -}; diff --git a/src/lib/crypto/krb/old/old_decrypt.c b/src/lib/crypto/krb/old/old_decrypt.c deleted file mode 100644 index 47996be1d..000000000 --- a/src/lib/crypto/krb/old/old_decrypt.c +++ /dev/null 
@@ -1,144 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright (C) 1998 by the FundsXpress, INC. - * - * All rights reserved. - * - * Export of this software from the United States of America may require - * a specific license from the United States Government. It is the - * responsibility of any person or organization contemplating export to - * obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of FundsXpress. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. FundsXpress makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
- */ - -#include "k5-int.h" -#include "old.h" - -krb5_error_code -krb5int_old_decrypt(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, - krb5_keyusage usage, - const krb5_data *ivec, - const krb5_data *input, - krb5_data *arg_output) -{ - krb5_error_code ret; - size_t blocksize, hashsize, plainsize; - unsigned char *cksumdata, *cn; - krb5_data output, cksum, crcivec; - int alloced; - - blocksize = enc->block_size; - hashsize = hash->hashsize; - - plainsize = input->length - blocksize - hashsize; - - if (arg_output->length < plainsize) - return(KRB5_BAD_MSIZE); - - /* if there's enough space to work in the app buffer, use it, - otherwise allocate our own */ - - if ((cksumdata = (unsigned char *) malloc(hashsize)) == NULL) - return(ENOMEM); - - if (arg_output->length < input->length) { - output.length = input->length; - - if ((output.data = (char *) malloc(output.length)) == NULL) { - free(cksumdata); - return(ENOMEM); - } - - alloced = 1; - } else { - output.length = input->length; - - output.data = arg_output->data; - - alloced = 0; - } - - /* decrypt it */ - - /* save last ciphertext block in case we decrypt in place */ - if (ivec != NULL && ivec->length == blocksize) { - cn = malloc(blocksize); - if (cn == NULL) { - ret = ENOMEM; - goto cleanup; - } - memcpy(cn, input->data + input->length - blocksize, blocksize); - } else - cn = NULL; - - /* XXX this is gross, but I don't have much choice */ - if ((key->keyblock.enctype == ENCTYPE_DES_CBC_CRC) && (ivec == 0)) { - crcivec.length = key->keyblock.length; - crcivec.data = (char *) key->keyblock.contents; - ivec = &crcivec; - } - - if ((ret = ((*(enc->decrypt))(key, ivec, input, &output)))) - goto cleanup; - - /* verify the checksum */ - - memcpy(cksumdata, output.data+blocksize, hashsize); - memset(output.data+blocksize, 0, hashsize); - - cksum.length = hashsize; - cksum.data = output.data+blocksize; - - if ((ret = ((*(hash->hash))(1, &output, &cksum)))) - goto cleanup; - 
- if (memcmp(cksum.data, cksumdata, cksum.length) != 0) { - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; - goto cleanup; - } - - /* copy the plaintext around */ - - if (alloced) { - memcpy(arg_output->data, output.data+blocksize+hashsize, - plainsize); - } else { - memmove(arg_output->data, arg_output->data+blocksize+hashsize, - plainsize); - } - arg_output->length = plainsize; - - /* update ivec */ - if (cn != NULL) - memcpy(ivec->data, cn, blocksize); - - ret = 0; - -cleanup: - if (alloced) { - memset(output.data, 0, output.length); - free(output.data); - } - - if (cn != NULL) - free(cn); - memset(cksumdata, 0, hashsize); - free(cksumdata); - return(ret); -} diff --git a/src/lib/crypto/krb/old/old_encrypt.c b/src/lib/crypto/krb/old/old_encrypt.c deleted file mode 100644 index 1903a6ca5..000000000 --- a/src/lib/crypto/krb/old/old_encrypt.c +++ /dev/null 
@@ -1,111 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright (C) 1998 by the FundsXpress, INC. - * - * All rights reserved. - * - * Export of this software from the United States of America may require - * a specific license from the United States Government. It is the - * responsibility of any person or organization contemplating export to - * obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of FundsXpress. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. FundsXpress makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
- */ - -#include "k5-int.h" -#include "old.h" - -void -krb5int_old_encrypt_length(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - size_t inputlen, - size_t *length) -{ - size_t blocksize, hashsize; - - blocksize = enc->block_size; - hashsize = hash->hashsize; - - *length = krb5_roundup(blocksize+hashsize+inputlen, blocksize); -} - -krb5_error_code -krb5int_old_encrypt(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, - krb5_keyusage usage, - const krb5_data *ivec, - const krb5_data *input, - krb5_data *output) -{ - krb5_error_code ret; - size_t blocksize, hashsize, enclen; - krb5_data datain, crcivec; - int real_ivec; - - blocksize = enc->block_size; - hashsize = hash->hashsize; - - krb5int_old_encrypt_length(enc, hash, input->length, &enclen); - - if (output->length < enclen) - return(KRB5_BAD_MSIZE); - - output->length = enclen; - - /* fill in confounded, padded, plaintext buffer with zero checksum */ - - memset(output->data, 0, output->length); - - datain.length = blocksize; - datain.data = output->data; - - if ((ret = krb5_c_random_make_octets(/* XXX */ 0, &datain))) - return(ret); - memcpy(output->data+blocksize+hashsize, input->data, input->length); - - /* compute the checksum */ - - datain.length = hashsize; - datain.data = output->data+blocksize; - - if ((ret = ((*(hash->hash))(1, output, &datain)))) - goto cleanup; - - /* encrypt it */ - - /* XXX this is gross, but I don't have much choice */ - if ((key->keyblock.enctype == ENCTYPE_DES_CBC_CRC) && (ivec == 0)) { - crcivec.length = key->keyblock.length; - crcivec.data = (char *) key->keyblock.contents; - ivec = &crcivec; - real_ivec = 0; - } else - real_ivec = 1; - - if ((ret = ((*(enc->encrypt))(key, ivec, output, output)))) - goto cleanup; - - /* update ivec */ - if (real_ivec && ivec != NULL && ivec->length == blocksize) - memcpy(ivec->data, output->data + output->length - blocksize, - blocksize); -cleanup: - if (ret) - 
memset(output->data, 0, output->length); - - return(ret); -} diff --git a/src/lib/crypto/krb/prf.c b/src/lib/crypto/krb/prf.c index 03615411b..e42d36361 100644 --- a/src/lib/crypto/krb/prf.c +++ b/src/lib/crypto/krb/prf.c @@ -69,7 +69,7 @@ krb5_k_prf(krb5_context context, krb5_key key, output->magic = KV5M_DATA; if (ktp->prf_length != output->length) return KRB5_CRYPTO_INTERNAL; - ret = (*ktp->prf)(ktp->enc, ktp->hash, key, input, output); + ret = ktp->prf(ktp, key, input, output); return ret; } diff --git a/src/lib/crypto/krb/prf/deps b/src/lib/crypto/krb/prf/deps index ca4293ee0..8fbbe6098 100644 --- a/src/lib/crypto/krb/prf/deps +++ b/src/lib/crypto/krb/prf/deps 
@@ -4,33 +4,33 @@ des_prf.so des_prf.po $(OUTPRE)des_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../builtin/hash_provider/hash_provider.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - des_prf.c prf_int.h + $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ + $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h des_prf.c prf_int.h dk_prf.so dk_prf.po $(OUTPRE)dk_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../dk/dk.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - 
$(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - dk_prf.c prf_int.h + $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ + $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h dk_prf.c prf_int.h rc4_prf.so rc4_prf.po $(OUTPRE)rc4_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../builtin/hash_provider/hash_provider.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - prf_int.h rc4_prf.c + $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h 
$(top_srcdir)/include/krb5/locate_plugin.h \ + $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h prf_int.h rc4_prf.c diff --git a/src/lib/crypto/krb/prf/des_prf.c b/src/lib/crypto/krb/prf/des_prf.c index 9b4e1355a..96f5e2b40 100644 --- a/src/lib/crypto/krb/prf/des_prf.c +++ b/src/lib/crypto/krb/prf/des_prf.c @@ -34,21 +34,19 @@ #include "hash_provider/hash_provider.h" krb5_error_code -krb5int_des_prf (const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, const krb5_data *in, krb5_data *out) +krb5int_des_prf(const struct krb5_keytypes *ktp, krb5_key key, + const krb5_data *in, krb5_data *out) { - krb5_data tmp; - krb5_error_code ret = 0; + const struct krb5_hash_provider *hash = &krb5int_hash_md5; + krb5_crypto_iov iov; + krb5_error_code ret; - hash = &krb5int_hash_md5; /* MD5 is always used. */ - tmp.length = hash->hashsize; - tmp.data = malloc(hash->hashsize); - if (tmp.data == NULL) - return ENOMEM; - ret = hash->hash(1, in, &tmp); - if (ret == 0) - ret = enc->encrypt(key, NULL, &tmp, out); - free(tmp.data); - return ret; + iov.flags = KRB5_CRYPTO_TYPE_DATA; + iov.data = *out; + + /* Hash the input into the output buffer, then encrypt it in place. */ + ret = hash->hash(1, in, out); + if (ret != 0) + return ret; + return ktp->enc->encrypt(key, NULL, &iov, 1); } diff --git a/src/lib/crypto/krb/prf/dk_prf.c b/src/lib/crypto/krb/prf/dk_prf.c index a453fc5c2..3c9a39481 100644 --- a/src/lib/crypto/krb/prf/dk_prf.c +++ b/src/lib/crypto/krb/prf/dk_prf.c 
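Review bot: `krb5int_des_prf` now hashes straight into `out` and encrypts it in place, but nothing in the function checks that `out->length` matches the MD5 `hash->hashsize`; it depends entirely on the `ktp->prf_length != output->length` test in `krb5_k_prf`. In addition, `iov.data = *out;` is copied before `hash->hash()` runs, so if the hash provider adjusts `out->length` the encrypt call would not see it. A local guard such as `if (out->length != hash->hashsize) return KRB5_CRYPTO_INTERNAL;`, with the `iov.data = *out;` assignment moved after the hash call, would keep the size invariant inside the function, in the same spirit as the `assert(out->length == 20)` in `krb5int_arcfour_prf`.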
@@ -34,27 +34,41 @@ #include krb5_error_code -krb5int_dk_prf (const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, const krb5_data *in, krb5_data *out) +krb5int_dk_prf(const struct krb5_keytypes *ktp, krb5_key key, + const krb5_data *in, krb5_data *out) { - krb5_data tmp; - krb5_data prfconst; + const struct krb5_enc_provider *enc = ktp->enc; + const struct krb5_hash_provider *hash = ktp->hash; + krb5_crypto_iov iov; + krb5_data prfconst = make_data("prf", 3); krb5_key kp = NULL; - krb5_error_code ret = 0; + krb5_error_code ret; - prfconst.data = (char *) "prf"; - prfconst.length = 3; - tmp.length = hash->hashsize; - tmp.data = malloc(hash->hashsize); - if (tmp.data == NULL) - return ENOMEM; - hash->hash(1, in, &tmp); - tmp.length = (tmp.length/enc->block_size)*enc->block_size; /*truncate to block size*/ - ret = krb5int_derive_key(enc, key, &kp, &prfconst); - if (ret == 0) - ret = enc->encrypt(kp, NULL, &tmp, out); + /* Hash the input data into an allocated buffer. */ + iov.flags = KRB5_CRYPTO_TYPE_DATA; + ret = alloc_data(&iov.data, hash->hashsize); + if (ret != 0) + return ret; + ret = hash->hash(1, in, &iov.data); + if (ret != 0) + goto cleanup; + + /* Truncate the hash to the closest multiple of the block size. */ + iov.data.length = (iov.data.length / enc->block_size) * enc->block_size; + + /* Derive a key using the PRF constant. */ + ret = krb5int_derive_key(ktp->enc, key, &kp, &prfconst); + if (ret != 0) + goto cleanup; + + /* Encrypt the truncated hash in the derived key to get the output. */ + ret = ktp->enc->encrypt(kp, NULL, &iov, 1); + if (ret != 0) + goto cleanup; + memcpy(out->data, iov.data.data, out->length); + +cleanup: + zapfree(iov.data.data, hash->hashsize); krb5_k_free_key(NULL, kp); - free (tmp.data); return ret; } diff --git a/src/lib/crypto/krb/prf/prf_int.h b/src/lib/crypto/krb/prf/prf_int.h index 341a99a0b..865f62ba2 100644 --- a/src/lib/crypto/krb/prf/prf_int.h 
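Review bot: The final `memcpy(out->data, iov.data.data, out->length)` in `krb5int_dk_prf` copies `out->length` bytes, while only `iov.data.length` bytes (the hash truncated to a multiple of the block size) were encrypted. If `out->length` were ever larger than that, the tail of the PRF output would be raw hash bytes, and beyond `hash->hashsize` the copy would read past the allocation; the function currently relies on the `ktp->prf_length` check in `krb5_k_prf` and on the enctype table values for this. A guard placed after the truncation, `if (out->length > iov.data.length) { ret = KRB5_CRYPTO_INTERNAL; goto cleanup; }`, would enforce the invariant locally. As a smaller style point, the body mixes the local `enc` with `ktp->enc` for the same provider.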
+++ b/src/lib/crypto/krb/prf/prf_int.h @@ -29,20 +29,18 @@ #define PRF_INTERNAL_DEFS #include "k5-int.h" +#include "etypes.h" krb5_error_code -krb5int_arcfour_prf(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, const krb5_data *in, krb5_data *out); +krb5int_arcfour_prf(const struct krb5_keytypes *ktp, krb5_key key, + const krb5_data *in, krb5_data *out); krb5_error_code -krb5int_des_prf (const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, const krb5_data *in, krb5_data *out); +krb5int_des_prf(const struct krb5_keytypes *ktp, krb5_key key, + const krb5_data *in, krb5_data *out); krb5_error_code -krb5int_dk_prf(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, const krb5_data *in, krb5_data *out); +krb5int_dk_prf(const struct krb5_keytypes *ktp, krb5_key key, + const krb5_data *in, krb5_data *out); #endif /*PRF_INTERNAL_DEFS*/ diff --git a/src/lib/crypto/krb/prf/rc4_prf.c b/src/lib/crypto/krb/prf/rc4_prf.c index a851035ff..5f662d7e2 100644 --- a/src/lib/crypto/krb/prf/rc4_prf.c +++ b/src/lib/crypto/krb/prf/rc4_prf.c @@ -31,9 +31,8 @@ #include krb5_error_code -krb5int_arcfour_prf(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, const krb5_data *in, krb5_data *out) +krb5int_arcfour_prf(const struct krb5_keytypes *ktp, krb5_key key, + const krb5_data *in, krb5_data *out) { assert(out->length == 20); return krb5int_hmac(&krb5int_hash_sha1, key, 1, in, out); diff --git a/src/lib/crypto/krb/raw/Makefile.in b/src/lib/crypto/krb/raw/Makefile.in index 78dc0e3e5..147b1d52e 100644 --- a/src/lib/crypto/krb/raw/Makefile.in +++ b/src/lib/crypto/krb/raw/Makefile.in 
@@ -12,11 +12,11 @@ PROG_RPATH=$(KRB5_LIBDIR) RUN_SETUP = @KRB5_RUN_ENV@ KRB5_CONFIG=$(top_srcdir)/config-files/krb5.conf -STLIBOBJS= raw_decrypt.o raw_encrypt.o raw_aead.o +STLIBOBJS= raw_aead.o -OBJS= $(OUTPRE)raw_decrypt.$(OBJEXT) $(OUTPRE)raw_encrypt.$(OBJEXT) $(OUTPRE)raw_aead.$(OBJEXT) +OBJS= $(OUTPRE)raw_aead.$(OBJEXT) -SRCS= $(srcdir)/raw_decrypt.c $(srcdir)/raw_encrypt.c $(srcdir)/raw_aead.c +SRCS= $(srcdir)/raw_aead.c ##DOS##LIBOBJS = $(OBJS) diff --git a/src/lib/crypto/krb/raw/deps b/src/lib/crypto/krb/raw/deps index 3e76b617b..654c4c31c 100644 --- a/src/lib/crypto/krb/raw/deps +++ b/src/lib/crypto/krb/raw/deps 
@@ -1,37 +1,15 @@ # # Generated makefile dependencies follow. # -raw_decrypt.so raw_decrypt.po $(OUTPRE)raw_decrypt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - raw.h raw_decrypt.c -raw_encrypt.so raw_encrypt.po $(OUTPRE)raw_encrypt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - raw.h raw_encrypt.c raw_aead.so raw_aead.po $(OUTPRE)raw_aead.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ $(COM_ERR_DEPS) $(srcdir)/../aead.h $(srcdir)/../cksumtypes.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - 
$(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - raw.h raw_aead.c + $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ + $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h raw.h raw_aead.c diff --git a/src/lib/crypto/krb/raw/raw.h b/src/lib/crypto/krb/raw/raw.h index 8f82feaf5..ee54d5874 100644 --- a/src/lib/crypto/krb/raw/raw.h +++ b/src/lib/crypto/krb/raw/raw.h 
@@ -26,23 +26,18 @@ */ #include "k5-int.h" +#include "etypes.h" -void krb5_raw_encrypt_length(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - size_t input, size_t *length); +unsigned int +krb5int_raw_crypto_length(const struct krb5_keytypes *ktp, + krb5_cryptotype type); -krb5_error_code krb5int_raw_encrypt(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, - const krb5_data *input, - krb5_data *output); +krb5_error_code +krb5int_raw_encrypt(const struct krb5_keytypes *ktp, krb5_key key, + krb5_keyusage usage, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data); -krb5_error_code krb5int_raw_decrypt(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, - const krb5_data *input, - krb5_data *arg_output); - -extern const struct krb5_aead_provider krb5int_aead_raw; +krb5_error_code +krb5int_raw_decrypt(const struct krb5_keytypes *ktp, krb5_key key, + krb5_keyusage usage, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data); diff --git a/src/lib/crypto/krb/raw/raw_aead.c b/src/lib/crypto/krb/raw/raw_aead.c index ea91de83a..75f23241c 100644 --- a/src/lib/crypto/krb/raw/raw_aead.c +++ b/src/lib/crypto/krb/raw/raw_aead.c 
@@ -30,47 +30,28 @@ #include "raw.h" #include "aead.h" -/* AEAD */ - -static krb5_error_code -krb5int_raw_crypto_length(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_cryptotype type, - unsigned int *length) +unsigned int +krb5int_raw_crypto_length(const struct krb5_keytypes *ktp, + krb5_cryptotype type) { switch (type) { case KRB5_CRYPTO_TYPE_PADDING: - *length = enc->block_size; - break; + return ktp->enc->block_size; default: - *length = 0; - break; + return 0; } - - return 0; } -static krb5_error_code -krb5int_raw_encrypt_iov(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, - krb5_keyusage usage, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +krb5_error_code +krb5int_raw_encrypt(const struct krb5_keytypes *ktp, krb5_key key, + krb5_keyusage usage, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data) { - krb5_error_code ret; krb5_crypto_iov *padding; size_t i; - unsigned int blocksize = 0; - unsigned int plainlen = 0; - unsigned int padsize = 0; + unsigned int blocksize, plainlen = 0, padsize = 0; - ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING, &blocksize); - if (ret != 0) - return ret; + blocksize = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_PADDING); for (i = 0; i < num_data; i++) { krb5_crypto_iov *iov = &data[i]; 
@@ -94,33 +75,21 @@ krb5int_raw_encrypt_iov(const struct krb5_aead_provider *aead, padding->data.length = padsize; } - assert(enc->encrypt_iov != NULL); - - ret = enc->encrypt_iov(key, ivec, data, num_data); /* will update ivec */ - - return ret; + return ktp->enc->encrypt(key, ivec, data, num_data); } -static krb5_error_code -krb5int_raw_decrypt_iov(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, - krb5_keyusage usage, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +krb5_error_code +krb5int_raw_decrypt(const struct krb5_keytypes *ktp, krb5_key key, + krb5_keyusage usage, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data) { - krb5_error_code ret; size_t i; - unsigned int blocksize = 0; /* careful, this is enc block size not confounder len */ + unsigned int blocksize = 0; /* enc block size, not confounder len */ unsigned int cipherlen = 0; /* E(Confounder | Plaintext | Pad) | Checksum */ - ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING, &blocksize); - if (ret != 0) - return ret; + blocksize = ktp->crypto_length(ktp, KRB5_CRYPTO_TYPE_PADDING); for (i = 0; i < num_data; i++) { const krb5_crypto_iov *iov = &data[i]; 
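Review bot: `krb5int_raw_encrypt` now ends in `return ktp->enc->encrypt(key, ivec, data, num_data);` with the earlier `assert(enc->encrypt_iov != NULL)` dropped, so a provider that leaves the member unset would be called through a NULL pointer; the same applies to `ktp->enc->decrypt` in the `@@ -131,28 +100,13 @@` hunk. If every `krb5_enc_provider` is now required to implement both, a comment here should say so, for example `/* enc->encrypt is mandatory for all enc providers. */`, or the check can be kept as `assert(ktp->enc->encrypt != NULL);`. The removed `/* will update ivec */` remark was also the only hint at this call site that `ivec` is modified, and is worth keeping. The body of `krb5int_raw_encrypt` starts in the previous hunk and `krb5int_raw_decrypt` continues into the next one.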
@@ -131,28 +100,13 @@ krb5int_raw_decrypt_iov(const struct krb5_aead_provider *aead, if (blocksize == 0) { /* Check for correct input length in CTS mode */ - if (enc->block_size != 0 && cipherlen < enc->block_size) + if (ktp->enc->block_size != 0 && cipherlen < ktp->enc->block_size) return KRB5_BAD_MSIZE; } else { /* Check that the input data is correctly padded */ - if ((cipherlen % blocksize) != 0) + if (cipherlen % blocksize != 0) return KRB5_BAD_MSIZE; } - /* Validate header and trailer lengths */ - - /* derive the keys */ - - /* decrypt the plaintext (header | data | padding) */ - assert(enc->decrypt_iov != NULL); - - ret = enc->decrypt_iov(key, ivec, data, num_data); /* will update ivec */ - - return ret; + return ktp->enc->decrypt(key, ivec, data, num_data); } - -const struct krb5_aead_provider krb5int_aead_raw = { - krb5int_raw_crypto_length, - krb5int_raw_encrypt_iov, - krb5int_raw_decrypt_iov -}; diff --git a/src/lib/crypto/krb/raw/raw_decrypt.c b/src/lib/crypto/krb/raw/raw_decrypt.c deleted file mode 100644 index d2e12d6d9..000000000 --- a/src/lib/crypto/krb/raw/raw_decrypt.c +++ /dev/null 
@@ -1,39 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright (C) 1998 by the FundsXpress, INC. - * - * All rights reserved. - * - * Export of this software from the United States of America may require - * a specific license from the United States Government. It is the - * responsibility of any person or organization contemplating export to - * obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of FundsXpress. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. FundsXpress makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. - */ - -#include "k5-int.h" -#include "raw.h" - -krb5_error_code -krb5int_raw_decrypt(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, const krb5_data *input, - krb5_data *output) -{ - return((*(enc->decrypt))(key, ivec, input, output)); -} diff --git a/src/lib/crypto/krb/raw/raw_encrypt.c b/src/lib/crypto/krb/raw/raw_encrypt.c deleted file mode 100644 index ba8eb3b90..000000000 --- a/src/lib/crypto/krb/raw/raw_encrypt.c +++ /dev/null 
@@ -1,51 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright (C) 1998 by the FundsXpress, INC. - * - * All rights reserved. - * - * Export of this software from the United States of America may require - * a specific license from the United States Government. It is the - * responsibility of any person or organization contemplating export to - * obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of FundsXpress. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. FundsXpress makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. - */ - -#include "k5-int.h" -#include "raw.h" - -void -krb5_raw_encrypt_length(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - size_t inputlen, size_t *length) -{ - size_t blocksize; - - blocksize = enc->block_size; - - *length = krb5_roundup(inputlen, blocksize); -} - -krb5_error_code -krb5int_raw_encrypt(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, const krb5_data *input, - krb5_data *output) -{ - return((*(enc->encrypt))(key, ivec, input, output)); -} 
diff --git a/src/lib/crypto/krb/string_to_key.c b/src/lib/crypto/krb/string_to_key.c index 0a593d472..356940455 100644 --- a/src/lib/crypto/krb/string_to_key.c +++ b/src/lib/crypto/krb/string_to_key.c @@ -85,7 +85,7 @@ krb5_c_string_to_key_with_params(krb5_context context, krb5_enctype enctype, key->enctype = enctype; key->length = keylength; - ret = (*ktp->str2key)(ktp->enc, string, salt, params, key); + ret = (*ktp->str2key)(ktp, string, salt, params, key); if (ret) { zapfree(key->contents, keylength); key->length = 0; diff --git a/src/lib/crypto/krb/yarrow/ycipher.c b/src/lib/crypto/krb/yarrow/ycipher.c index 2eacc95be..71b89b0fa 100644 --- a/src/lib/crypto/krb/yarrow/ycipher.c +++ b/src/lib/crypto/krb/yarrow/ycipher.c @@ -35,9 +35,7 @@ #include "assert.h" int -krb5int_yarrow_cipher_init -(CIPHER_CTX *ctx, - unsigned const char * key) +krb5int_yarrow_cipher_init(CIPHER_CTX *ctx, unsigned const char * key) { size_t keybytes, keylength; const struct krb5_enc_provider *enc = &yarrow_enc_provider; @@ -67,27 +65,23 @@ cleanup: return YARROW_OK; } -int krb5int_yarrow_cipher_encrypt_block -(CIPHER_CTX *ctx, const unsigned char *in, - unsigned char *out) +int krb5int_yarrow_cipher_encrypt_block(CIPHER_CTX *ctx, + const unsigned char *in, + unsigned char *out) { krb5_error_code ret; - krb5_data ind, outd; + krb5_crypto_iov iov; const struct krb5_enc_provider *enc = &yarrow_enc_provider; - ind.data = (char *) in; - ind.length = CIPHER_BLOCK_SIZE; - outd.data = (char *) out; - outd.length = CIPHER_BLOCK_SIZE; - ret = enc->encrypt(ctx->key, 0, &ind, &outd); - if (ret) - return YARROW_FAIL; - return YARROW_OK; + + memcpy(out, in, CIPHER_BLOCK_SIZE); + iov.flags = KRB5_CRYPTO_TYPE_DATA; + iov.data = make_data(out, CIPHER_BLOCK_SIZE); + ret = enc->encrypt(ctx->key, 0, &iov, 1); + return (ret == 0) ? YARROW_OK : YARROW_FAIL; } void -krb5int_yarrow_cipher_final -(CIPHER_CTX *ctx) - +krb5int_yarrow_cipher_final(CIPHER_CTX *ctx) { krb5_k_free_key(NULL, ctx->key); ctx->key = NULL; 
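Review bot: `krb5int_yarrow_cipher_encrypt_block` now copies `in` into `out` with `memcpy` before encrypting in place, so when `enc->encrypt` fails the caller's `out` buffer is left holding the unencrypted input block. Clearing it on the failure path, `if (ret != 0) { zap(out, CIPHER_BLOCK_SIZE); return YARROW_FAIL; }`, avoids handing generator state back to a caller that does not check the result. `memcpy` is also undefined when `in` and `out` overlap; if any caller passes the same buffer for both, `memmove` would be the safe choice.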
diff --git a/src/lib/crypto/openssl/Makefile.in b/src/lib/crypto/openssl/Makefile.in index e95227340..a008d5727 100644 --- a/src/lib/crypto/openssl/Makefile.in +++ b/src/lib/crypto/openssl/Makefile.in @@ -53,18 +53,6 @@ includes:: depend depend:: $(SRCS) clean-unix:: clean-libobjs -check-unix:: t_cf2 - $(RUN_SETUP) $(VALGRIND) ./t_cf2 <$(srcdir)/t_cf2.in >t_cf2.output - diff t_cf2.output $(srcdir)/t_cf2.expected - -t_cf2$(EXEEXT): t_cf2.$(OBJEXT) $(SUPPORT_DEPLIB) - $(CC_LINK) -o $@ t_cf2.$(OBJEXT) -lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB) - -clean:: - $(RM) t_cf2 t_cf2.o t_cf2.output - - - all-windows:: cd ..\des diff --git a/src/lib/crypto/openssl/aes/Makefile.in b/src/lib/crypto/openssl/aes/Makefile.in index b1848d6f7..6352c3dc2 100644 --- a/src/lib/crypto/openssl/aes/Makefile.in +++ b/src/lib/crypto/openssl/aes/Makefile.in @@ -1,3 +1,7 @@ +# Nothing here! But we can't remove this directory as the build +# system currently assumes that all modules have the same directory +# structure. + mydir=lib/crypto/openssl/aes BUILDTOP=$(REL)..$(S)..$(S)..$(S).. LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../../krb/dk -I$(srcdir)/../../../../include @@ -10,14 +14,11 @@ DEFS= PROG_LIBPATH=-L$(TOPLIBD) PROG_RPATH=$(KRB5_LIBDIR) -STLIBOBJS=\ - aes_s2k.o +STLIBOBJS= -OBJS=\ - $(OUTPRE)aes_s2k.$(OBJEXT) +OBJS= -SRCS=\ - $(srcdir)/aes_s2k.c +SRCS= ##DOS##LIBOBJS = $(OBJS) diff --git a/src/lib/crypto/openssl/aes/aes_s2k.c b/src/lib/crypto/openssl/aes/aes_s2k.c deleted file mode 100644 index b2fa1f1d9..000000000 --- a/src/lib/crypto/openssl/aes/aes_s2k.c +++ /dev/null 
@@ -1,92 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * lib/crypto/openssl/aes/aes_s2k.c - * - * Copyright 2003, 2009 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. 
- * - * - * krb5int_aes_string_to_key - */ - -#include "k5-int.h" -#include "dk.h" -#include "aes_s2k.h" - -#define DEFAULT_ITERATION_COUNT 4096 /* was 0xb000L in earlier drafts */ -#define MAX_ITERATION_COUNT 0x1000000L - -krb5_error_code -krb5int_aes_string_to_key(const struct krb5_enc_provider *enc, - const krb5_data *string, - const krb5_data *salt, - const krb5_data *params, - krb5_keyblock *key) -{ - unsigned long iter_count; - krb5_data out; - static const krb5_data usage = { KV5M_DATA, 8, "kerberos" }; - krb5_key tempkey = NULL; - krb5_error_code err; - - if (params) { - unsigned char *p = (unsigned char *) params->data; - if (params->length != 4) - return KRB5_ERR_BAD_S2K_PARAMS; - /* The first two need casts in case 'int' is 16 bits. */ - iter_count = load_32_be(p); - if (iter_count == 0) { - iter_count = (1UL << 16) << 16; - if (((iter_count >> 16) >> 16) != 1) - return KRB5_ERR_BAD_S2K_PARAMS; - } - } else - iter_count = DEFAULT_ITERATION_COUNT; - - /* This is not a protocol specification constraint; this is an - implementation limit, which should eventually be controlled by - a config file. */ - if (iter_count >= MAX_ITERATION_COUNT) - return KRB5_ERR_BAD_S2K_PARAMS; - - /* Use the output keyblock contents for temporary space. */ - out.data = (char *) key->contents; - out.length = key->length; - if (out.length != 16 && out.length != 32) - return KRB5_CRYPTO_INTERNAL; - - err = krb5int_pbkdf2_hmac_sha1 (&out, iter_count, string, salt); - if (err) - goto cleanup; - - err = krb5_k_create_key (NULL, key, &tempkey); - if (err) - goto cleanup; - - err = krb5int_derive_keyblock (enc, tempkey, key, &usage); - -cleanup: - if (err) - memset (out.data, 0, out.length); - krb5_k_free_key (NULL, tempkey); - return err; -} diff --git a/src/lib/crypto/openssl/aes/aes_s2k.h b/src/lib/crypto/openssl/aes/aes_s2k.h deleted file mode 100644 index f9bb1fec1..000000000 --- a/src/lib/crypto/openssl/aes/aes_s2k.h +++ /dev/null 
@@ -1,10 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * lib/crypto/openssl/aes/aes_s2k.h - */ - - -extern krb5_error_code -krb5int_aes_string_to_key (const struct krb5_enc_provider *, - const krb5_data *, const krb5_data *, - const krb5_data *, krb5_keyblock *key); diff --git a/src/lib/crypto/openssl/aes/deps b/src/lib/crypto/openssl/aes/deps index 93ce8c90f..2feac3c9d 100644 --- a/src/lib/crypto/openssl/aes/deps +++ b/src/lib/crypto/openssl/aes/deps @@ -1,14 +1 @@ -# -# Generated makefile dependencies follow. -# -aes_s2k.so aes_s2k.po $(OUTPRE)aes_s2k.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/dk/dk.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - aes_s2k.c aes_s2k.h +# No dependencies here. diff --git a/src/lib/crypto/openssl/deps b/src/lib/crypto/openssl/deps index 6cf7e30c9..dba4cf8b2 100644 --- a/src/lib/crypto/openssl/deps +++ b/src/lib/crypto/openssl/deps 
@@ -4,14 +4,15 @@ hmac.so hmac.po $(OUTPRE)hmac.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../krb/aead.h \ - $(srcdir)/../krb/cksumtypes.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ - $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h hmac.c + $(srcdir)/../krb/cksumtypes.h $(srcdir)/../krb/etypes.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + hmac.c pbkdf2.so pbkdf2.po $(OUTPRE)pbkdf2.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/hash_provider/hash_provider.h \ diff --git a/src/lib/crypto/openssl/enc_provider/aes.c b/src/lib/crypto/openssl/enc_provider/aes.c index 519a1b54a..51bf5ce42 100644 --- a/src/lib/crypto/openssl/enc_provider/aes.c +++ b/src/lib/crypto/openssl/enc_provider/aes.c 
@@ -36,23 +36,17 @@ /* proto's */ static krb5_error_code -cts_enc(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output); +cbc_enc(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data); static krb5_error_code -cbc_enc(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output); +cbc_decr(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data); static krb5_error_code -cts_decr(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output); +cts_encr(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data, size_t dlen); static krb5_error_code -cbc_decr(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output); -static krb5_error_code -cts_encr_iov(krb5_key key, const krb5_data *ivec, - krb5_crypto_iov *data, size_t num_data, size_t dlen); -static krb5_error_code -cts_decr_iov(krb5_key key, const krb5_data *ivec, - krb5_crypto_iov *data, size_t num_data, size_t dlen); +cts_decr(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data, size_t dlen); #define BLOCK_SIZE 16 #define NUM_BITS 8 
@@ -69,194 +63,78 @@ map_mode(unsigned int len) return NULL; } +/* Encrypt one block using CBC. */ static krb5_error_code -cbc_enc(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) +cbc_enc(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data) { - int ret = 0, tmp_len = 0; - unsigned char *tmp_buf = NULL; + int ret, olen = BLOCK_SIZE; + unsigned char iblock[BLOCK_SIZE], oblock[BLOCK_SIZE]; EVP_CIPHER_CTX ciph_ctx; - - tmp_len = input->length; - tmp_buf = OPENSSL_malloc(input->length); - if (!tmp_buf){ - return ENOMEM; - } + struct iov_block_state input_pos, output_pos; EVP_CIPHER_CTX_init(&ciph_ctx); - ret = EVP_EncryptInit_ex(&ciph_ctx, map_mode(key->keyblock.length), NULL, key->keyblock.contents, (ivec) ? (unsigned char*)ivec->data : NULL); + if (ret == 0) + return KRB5_CRYPTO_INTERNAL; - if (ret == 1){ - EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); - ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, - (unsigned char *)input->data, input->length); - output->length = tmp_len; - if(ret) - ret = EVP_EncryptFinal_ex(&ciph_ctx,tmp_buf+tmp_len,&tmp_len); + IOV_BLOCK_STATE_INIT(&input_pos); + IOV_BLOCK_STATE_INIT(&output_pos); + krb5int_c_iov_get_block(iblock, BLOCK_SIZE, data, num_data, &input_pos); + EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); + ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &olen, iblock, BLOCK_SIZE); + if (ret == 1) { + krb5int_c_iov_put_block(data, num_data, oblock, BLOCK_SIZE, + &output_pos); } - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - if (ret == 1){ - memcpy(output->data, tmp_buf, output->length); - ret = 0; - } else { - ret = KRB5_CRYPTO_INTERNAL; - } - - memset(tmp_buf, 0, input->length); - OPENSSL_free(tmp_buf); - - return ret; + zap(iblock, BLOCK_SIZE); + zap(oblock, BLOCK_SIZE); + return (ret == 1) ? 0 : KRB5_CRYPTO_INTERNAL; } +/* Decrypt one block using CBC. 
*/ static krb5_error_code -cbc_decr(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) +cbc_decr(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data) { - int ret = 0, tmp_len = 0; - unsigned char *tmp_buf = NULL; + int ret = 0, olen = BLOCK_SIZE; + unsigned char iblock[BLOCK_SIZE], oblock[BLOCK_SIZE]; EVP_CIPHER_CTX ciph_ctx; - - tmp_len = input->length; - tmp_buf = OPENSSL_malloc(input->length); - if (!tmp_buf){ - return ENOMEM; - } + struct iov_block_state input_pos, output_pos; EVP_CIPHER_CTX_init(&ciph_ctx); - ret = EVP_DecryptInit_ex(&ciph_ctx, map_mode(key->keyblock.length), NULL, key->keyblock.contents, (ivec) ? (unsigned char*)ivec->data : NULL); - if (ret == 1) { - EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); - ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, - (unsigned char *)input->data, input->length); - output->length = tmp_len; - if (ret == 1) - ret = EVP_DecryptFinal_ex(&ciph_ctx,tmp_buf+tmp_len,&tmp_len); - } - - EVP_CIPHER_CTX_cleanup(&ciph_ctx); + if (ret == 0) + return KRB5_CRYPTO_INTERNAL; + IOV_BLOCK_STATE_INIT(&input_pos); + IOV_BLOCK_STATE_INIT(&output_pos); + krb5int_c_iov_get_block(iblock, BLOCK_SIZE, data, num_data, &input_pos); + EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); + ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &olen, iblock, BLOCK_SIZE); if (ret == 1) { - output->length += tmp_len; - memcpy(output->data, tmp_buf, output->length); - ret = 0; - } else { - ret = KRB5_CRYPTO_INTERNAL; - } - - memset(tmp_buf, 0, input->length); - OPENSSL_free(tmp_buf); - - return ret; -} - -static krb5_error_code -cts_enc(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) -{ - int ret = 0, tmp_len = 0; - size_t size = 0; - unsigned char iv_cts[IV_CTS_BUF_SIZE]; - unsigned char *tmp_buf = NULL; - AES_KEY enck; - - memset(iv_cts,0,sizeof(iv_cts)); - if (ivec && ivec->data){ - if (ivec->length != sizeof(iv_cts)) - return KRB5_CRYPTO_INTERNAL; - memcpy(iv_cts, 
ivec->data,ivec->length); - } - - tmp_buf = OPENSSL_malloc(input->length); - if (!tmp_buf) - return ENOMEM; - tmp_len = input->length; - - AES_set_encrypt_key(key->keyblock.contents, - NUM_BITS * key->keyblock.length, &enck); - - size = CRYPTO_cts128_encrypt((unsigned char *)input->data, tmp_buf, - input->length, &enck, - iv_cts, (cbc128_f)AES_cbc_encrypt); - if (size <= 0 || output->length < size) { - ret = KRB5_CRYPTO_INTERNAL; - } else { - output->length = size; - memcpy(output->data, tmp_buf, output->length); - ret = 0; - } - - if (!ret && ivec && ivec->data) - memcpy(ivec->data, iv_cts, sizeof(iv_cts)); - - memset(tmp_buf, 0, input->length); - OPENSSL_free(tmp_buf); - - return ret; -} - -static krb5_error_code -cts_decr(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) -{ - int ret = 0, tmp_len = 0; - size_t size = 0; - unsigned char iv_cts[IV_CTS_BUF_SIZE]; - unsigned char *tmp_buf = NULL; - AES_KEY deck; - - memset(iv_cts,0,sizeof(iv_cts)); - if (ivec && ivec->data){ - if (ivec->length != sizeof(iv_cts)) - return KRB5_CRYPTO_INTERNAL; - memcpy(iv_cts, ivec->data,ivec->length); + krb5int_c_iov_put_block(data, num_data, oblock, BLOCK_SIZE, + &output_pos); } + EVP_CIPHER_CTX_cleanup(&ciph_ctx); - tmp_buf = OPENSSL_malloc(input->length); - if (!tmp_buf) - return ENOMEM; - tmp_len = input->length; - - AES_set_decrypt_key(key->keyblock.contents, - NUM_BITS * key->keyblock.length, &deck); - - size = CRYPTO_cts128_decrypt((unsigned char *)input->data, tmp_buf, - input->length, &deck, - iv_cts, (cbc128_f)AES_cbc_encrypt); - if (size <= 0 || output->length < size) { - ret = KRB5_CRYPTO_INTERNAL; - } else { - output->length = size + 16; - memcpy(output->data, tmp_buf, output->length); - ret = 0; - } - - if (!ret && ivec && ivec->data) - memcpy(ivec->data, iv_cts, sizeof(iv_cts)); - - memset(tmp_buf, 0, input->length); - OPENSSL_free(tmp_buf); - - return ret; + zap(iblock, BLOCK_SIZE); + zap(oblock, BLOCK_SIZE); + return (ret == 1) ? 
0 : KRB5_CRYPTO_INTERNAL; } static krb5_error_code -cts_encr_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data, size_t dlen) +cts_encr(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data, size_t dlen) { int ret = 0; - int oblock_len = BLOCK_SIZE * num_data; - size_t size = 0, tlen = 0; + size_t size = 0; unsigned char *oblock = NULL, *dbuf = NULL; unsigned char iv_cts[IV_CTS_BUF_SIZE]; - unsigned char iblock[BLOCK_SIZE]; struct iov_block_state input_pos, output_pos; AES_KEY enck; @@ -267,7 +145,7 @@ cts_encr_iov(krb5_key key, memcpy(iv_cts, ivec->data,ivec->length); } - oblock = OPENSSL_malloc(oblock_len); + oblock = OPENSSL_malloc(dlen); if (!oblock){ return ENOMEM; } @@ -277,26 +155,10 @@ cts_encr_iov(krb5_key key, return ENOMEM; } - memset(oblock, 0, oblock_len); - memset(dbuf, 0, dlen); - IOV_BLOCK_STATE_INIT(&input_pos); IOV_BLOCK_STATE_INIT(&output_pos); - tlen = 0; - for (;;) { - if (krb5int_c_iov_get_block(iblock, BLOCK_SIZE, - data, num_data, &input_pos)){ - memcpy(dbuf+tlen,iblock, BLOCK_SIZE); - - tlen += BLOCK_SIZE; - } else { - memcpy(dbuf+tlen,iblock, dlen - tlen); - break; - } - - if (tlen > dlen) break; - } + krb5int_c_iov_get_block(dbuf, dlen, data, num_data, &input_pos); AES_set_encrypt_key(key->keyblock.contents, NUM_BITS * key->keyblock.length, &enck); @@ -313,8 +175,8 @@ cts_encr_iov(krb5_key key, if (!ret && ivec && ivec->data) memcpy(ivec->data, iv_cts, sizeof(iv_cts)); - memset(oblock,0,oblock_len); - memset(dbuf,0,dlen); + zap(oblock, dlen); + zap(dbuf, dlen); OPENSSL_free(oblock); OPENSSL_free(dbuf); 
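Review bot: cbc_enc and cbc_decr return straight after a failed `EVP_EncryptInit_ex`/`EVP_DecryptInit_ex` without calling `EVP_CIPHER_CTX_cleanup(&ciph_ctx)`. Anything the init call allocated or copied into the stack context, possibly including key material, would then be neither freed nor wiped on that path. The early return could become `if (ret == 0) { EVP_CIPHER_CTX_cleanup(&ciph_ctx); return KRB5_CRYPTO_INTERNAL; }`. The same early return appears in k5_des_encrypt and k5_des_decrypt in the des.c hunk further down, where the removed lines did run the cleanup before returning. The result of `krb5int_c_iov_get_block` is also ignored in both functions; a one-line comment saying the caller has already checked that the input is exactly BLOCK_SIZE would make that safe to read.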
@@ -322,24 +184,20 @@ cts_encr_iov(krb5_key key, } static krb5_error_code -cts_decr_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data, size_t dlen) +cts_decr(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data, size_t dlen) { int ret = 0; - int oblock_len = BLOCK_SIZE*num_data; - size_t size = 0, tlen = 0; + size_t size = 0; unsigned char *oblock = NULL; unsigned char *dbuf = NULL; - unsigned char iblock[BLOCK_SIZE]; unsigned char iv_cts[IV_CTS_BUF_SIZE]; struct iov_block_state input_pos, output_pos; AES_KEY deck; memset(iv_cts,0,sizeof(iv_cts)); if (ivec && ivec->data){ - if (ivec->length <= sizeof(iv_cts)) + if (ivec->length != sizeof(iv_cts)) return KRB5_CRYPTO_INTERNAL; memcpy(iv_cts, ivec->data,ivec->length); } @@ -347,7 +205,7 @@ cts_decr_iov(krb5_key key, IOV_BLOCK_STATE_INIT(&input_pos); IOV_BLOCK_STATE_INIT(&output_pos); - oblock = OPENSSL_malloc(oblock_len); + oblock = OPENSSL_malloc(dlen); if (!oblock) return ENOMEM; dbuf = OPENSSL_malloc(dlen); @@ -356,26 +214,10 @@ cts_decr_iov(krb5_key key, return ENOMEM; } - memset(oblock, 0, oblock_len); - memset(dbuf, 0, dlen); - AES_set_decrypt_key(key->keyblock.contents, NUM_BITS * key->keyblock.length, &deck); - tlen = 0; - for (;;) { - if (krb5int_c_iov_get_block(iblock, BLOCK_SIZE, - data, num_data, &input_pos)){ - memcpy(dbuf+tlen,iblock, BLOCK_SIZE); - - tlen += BLOCK_SIZE; - } else { - memcpy(dbuf+tlen,iblock, dlen - tlen); - break; - } - - if (tlen > dlen) break; - } + krb5int_c_iov_get_block(dbuf, dlen, data, num_data, &input_pos); size = CRYPTO_cts128_decrypt((unsigned char *)dbuf, oblock, dlen, &deck, @@ -389,8 +231,8 @@ cts_decr_iov(krb5_key key, if (!ret && ivec && ivec->data) memcpy(ivec->data, iv_cts, sizeof(iv_cts)); - memset(oblock,0,oblock_len); - memset(dbuf,0,dlen); + zap(oblock, dlen); + zap(dbuf, dlen); OPENSSL_free(oblock); OPENSSL_free(dbuf); 
@@ -399,43 +241,7 @@ cts_decr_iov(krb5_key key, krb5_error_code krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) -{ - int ret = 0; - - if (input->length <= BLOCK_SIZE){ - ret = cbc_enc(key, ivec, input, output); - } else { - ret = cts_enc(key, ivec, input, output); - } - - return ret; -} - -krb5_error_code -krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) -{ - int ret = 0; - int nblocks = 0; - - if (input->length < BLOCK_SIZE) - abort(); - - if (input->length == BLOCK_SIZE){ - ret = cbc_decr(key, ivec, input, output); - } else { - ret = cts_decr(key, ivec, input, output); - } - - return ret; -} - -static krb5_error_code -krb5int_aes_encrypt_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) + krb5_crypto_iov *data, size_t num_data) { int ret = 0; int nblocks = 0; @@ -449,18 +255,20 @@ krb5int_aes_encrypt_iov(krb5_key key, } nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; - assert(nblocks > 1); - - ret = cts_encr_iov(key, ivec, data, num_data, input_length); + if (nblocks == 1) { + if (input_length != BLOCK_SIZE) + return KRB5_BAD_MSIZE; + ret = cbc_enc(key, ivec, data, num_data); + } else if (nblocks > 1) { + ret = cts_encr(key, ivec, data, num_data, input_length); + } return ret; } -static krb5_error_code -krb5int_aes_decrypt_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +krb5_error_code +krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data) { int ret = 0; int nblocks = 0; 
@@ -474,10 +282,13 @@ krb5int_aes_decrypt_iov(krb5_key key, } nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; - - assert(nblocks > 1); - - ret = cts_decr_iov(key, ivec, data, num_data, input_length); + if (nblocks == 1) { + if (input_length != BLOCK_SIZE) + return KRB5_BAD_MSIZE; + ret = cbc_enc(key, ivec, data, num_data); + } else if (nblocks > 1) { + ret = cts_decr(key, ivec, data, num_data, input_length); + } return ret; } @@ -500,9 +311,7 @@ const struct krb5_enc_provider krb5int_enc_aes128 = { krb5int_aes_decrypt, krb5int_aes_make_key, krb5int_aes_init_state, - krb5int_default_free_state, - krb5int_aes_encrypt_iov, - krb5int_aes_decrypt_iov + krb5int_default_free_state }; const struct krb5_enc_provider krb5int_enc_aes256 = { @@ -512,7 +321,5 @@ const struct krb5_enc_provider krb5int_enc_aes256 = { krb5int_aes_decrypt, krb5int_aes_make_key, krb5int_aes_init_state, - krb5int_default_free_state, - krb5int_aes_encrypt_iov, - krb5int_aes_decrypt_iov + krb5int_default_free_state }; diff --git a/src/lib/crypto/openssl/enc_provider/deps b/src/lib/crypto/openssl/enc_provider/deps index 2254ccd51..739c8dd6b 100644 --- a/src/lib/crypto/openssl/enc_provider/deps +++ b/src/lib/crypto/openssl/enc_provider/deps 
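Review bot: The single-block branch of krb5int_aes_decrypt calls `cbc_enc`, so a ciphertext of exactly BLOCK_SIZE bytes is encrypted a second time instead of being decrypted, and the function still returns success. The line should read `ret = cbc_decr(key, ivec, data, num_data);`; cbc_decr is defined earlier in this file and is not called from any visible hunk. A round-trip test that encrypts and then decrypts a 16-byte message would catch this, since the multi-block CTS path does not exercise the branch. The start of the function is outside this hunk.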
@@ -4,43 +4,34 @@ des.so des.po $(OUTPRE)des.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \ - $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/rand2key/rand2key.h \ - $(srcdir)/../des/des_int.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ - $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h des.c + $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/etypes.h \ + $(srcdir)/../../krb/rand2key/rand2key.h $(srcdir)/../des/des_int.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + des.c des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \ - $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/rand2key/rand2key.h \ - $(srcdir)/../des/des_int.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - 
$(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ - $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h des3.c + $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/etypes.h \ + $(srcdir)/../../krb/rand2key/rand2key.h $(srcdir)/../des/des_int.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + des3.c aes.so aes.po $(OUTPRE)aes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \ - $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/rand2key/rand2key.h \ - $(srcdir)/../hash_provider/hash_provider.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ - $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h aes.c 
enc_provider.h -rc4.so rc4.po $(OUTPRE)rc4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \ - $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/rand2key/rand2key.h \ + $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/etypes.h \ + $(srcdir)/../../krb/rand2key/rand2key.h $(srcdir)/../hash_provider/hash_provider.h \ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ @@ -48,4 +39,16 @@ rc4.so rc4.po $(OUTPRE)rc4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - rc4.c + aes.c enc_provider.h +rc4.so rc4.po $(OUTPRE)rc4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \ + $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/etypes.h \ + $(srcdir)/../../krb/rand2key/rand2key.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ + $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h rc4.c 
diff --git a/src/lib/crypto/openssl/enc_provider/des.c b/src/lib/crypto/openssl/enc_provider/des.c index 5881291c9..59030f8a4 100644 --- a/src/lib/crypto/openssl/enc_provider/des.c +++ b/src/lib/crypto/openssl/enc_provider/des.c @@ -61,24 +61,7 @@ static krb5_error_code validate(krb5_key key, const krb5_data *ivec, - const krb5_data *input, const krb5_data *output) -{ - /* key->keyblock.enctype was checked by the caller */ - if (key->keyblock.length != KRB5_MIT_DES_KEYSIZE) - return(KRB5_BAD_KEYSIZE); - if ((input->length%8) != 0) - return(KRB5_BAD_MSIZE); - if (ivec && (ivec->length != 8)) - return(KRB5_BAD_MSIZE); - if (input->length != output->length) - return(KRB5_BAD_MSIZE); - - return 0; -} - -static krb5_error_code -validate_iov(krb5_key key, const krb5_data *ivec, - const krb5_crypto_iov *data, size_t num_data) + const krb5_crypto_iov *data, size_t num_data) { size_t i, input_length; @@ -88,7 +71,7 @@ validate_iov(krb5_key key, const krb5_data *ivec, input_length += iov->data.length; } - if (key->keyblock.length != KRB5_MIT_DES3_KEYSIZE) + if (key->keyblock.length != KRB5_MIT_DES_KEYSIZE) return(KRB5_BAD_KEYSIZE); if ((input_length%DES_BLOCK_SIZE) != 0) return(KRB5_BAD_MSIZE); 
@@ -99,215 +82,79 @@ validate_iov(krb5_key key, const krb5_data *ivec, } static krb5_error_code -k5_des_encrypt(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) +k5_des_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data) { - int ret = 0, tmp_len = 0; - unsigned int tmp_buf_len = 0; - unsigned char *tmp_buf = NULL; - EVP_CIPHER_CTX ciph_ctx; - - ret = validate(key, ivec, input, output); - if (ret) - return ret; - - tmp_buf_len = output->length*2; - tmp_buf=OPENSSL_malloc(tmp_buf_len); - if (!tmp_buf) - return ENOMEM; - memset(tmp_buf,0,output->length); - - EVP_CIPHER_CTX_init(&ciph_ctx); - - ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL, key->keyblock.contents, - (ivec) ? (unsigned char*)ivec->data : NULL); - if (ret) { - EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); - ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, - (unsigned char *)input->data, input->length); - if (!ret || output->length < (unsigned int)tmp_len) { - ret = KRB5_CRYPTO_INTERNAL; - } else { - output->length = tmp_len; - ret = EVP_EncryptFinal_ex(&ciph_ctx, tmp_buf + tmp_len, &tmp_len); - } - } - - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - - if (ret == 1) - memcpy(output->data,tmp_buf, output->length); - - memset(tmp_buf, 0, tmp_buf_len); - OPENSSL_free(tmp_buf); - - if (ret != 1) - return KRB5_CRYPTO_INTERNAL; - return 0; -} - - -static krb5_error_code -k5_des_decrypt(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) -{ - /* key->keyblock.enctype was checked by the caller */ - int ret = 0, tmp_len = 0; - unsigned char *tmp_buf; - EVP_CIPHER_CTX ciph_ctx; - - ret = validate(key, ivec, input, output); - if (ret) - return ret; - - - tmp_buf=OPENSSL_malloc(output->length); - if (!tmp_buf) - return ENOMEM; - memset(tmp_buf,0,output->length); - - EVP_CIPHER_CTX_init(&ciph_ctx); - - ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL, key->keyblock.contents, - (ivec) ? 
(unsigned char*)ivec->data : NULL); - if (ret) { - EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); - ret = EVP_DecryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, - (unsigned char *)input->data, input->length); - if (ret) { - output->length = tmp_len; - ret = EVP_DecryptFinal_ex(&ciph_ctx, tmp_buf+tmp_len, &tmp_len); - } - } - - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - - if (ret == 1) - memcpy(output->data,tmp_buf, output->length); - - memset(tmp_buf,0,output->length); - OPENSSL_free(tmp_buf); - - if ( ret != 1) - return KRB5_CRYPTO_INTERNAL; - return 0; -} - -static krb5_error_code -k5_des_encrypt_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) -{ - int ret = 0, tmp_len = MIT_DES_BLOCK_LENGTH; - int oblock_len = MIT_DES_BLOCK_LENGTH * num_data; - unsigned char *iblock = NULL, *oblock = NULL; + int ret, olen = MIT_DES_BLOCK_LENGTH; + unsigned char iblock[MIT_DES_BLOCK_LENGTH], oblock[MIT_DES_BLOCK_LENGTH]; struct iov_block_state input_pos, output_pos; - EVP_CIPHER_CTX ciph_ctx; - - iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH); - if (!iblock) - return ENOMEM; - oblock = OPENSSL_malloc(oblock_len); - if (!oblock){ - OPENSSL_free(iblock); - return ENOMEM; - } + EVP_CIPHER_CTX ciph_ctx; IOV_BLOCK_STATE_INIT(&input_pos); IOV_BLOCK_STATE_INIT(&output_pos); - ret = validate_iov(key, ivec, data, num_data); + ret = validate(key, ivec, data, num_data); if (ret) return ret; - memset(oblock, 0, oblock_len); - EVP_CIPHER_CTX_init(&ciph_ctx); ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL, key->keyblock.contents, (ivec && ivec->data) ? 
(unsigned char*)ivec->data : NULL); - if (!ret){ - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - OPENSSL_free(iblock); - OPENSSL_free(oblock); + if (!ret) return KRB5_CRYPTO_INTERNAL; - } EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); for (;;) { - if (!krb5int_c_iov_get_block(iblock, MIT_DES_BLOCK_LENGTH, data, num_data, &input_pos)) + if (!krb5int_c_iov_get_block(iblock, MIT_DES_BLOCK_LENGTH, data, + num_data, &input_pos)) break; - if (input_pos.iov_pos == num_data) + ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &olen, + (unsigned char *)iblock, MIT_DES_BLOCK_LENGTH); + if (!ret) break; - ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &tmp_len, - (unsigned char *)iblock, input_pos.data_pos); - if (!ret) break; - - krb5int_c_iov_put_block(data, num_data, oblock, MIT_DES_BLOCK_LENGTH, &output_pos); + krb5int_c_iov_put_block(data, num_data, oblock, MIT_DES_BLOCK_LENGTH, + &output_pos); } - if(ret) - ret = EVP_EncryptFinal_ex(&ciph_ctx, oblock+16, &tmp_len); - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - memset(iblock,0,sizeof(iblock)); - memset(oblock,0,sizeof(oblock)); - OPENSSL_free(iblock); - OPENSSL_free(oblock); + zap(iblock, sizeof(iblock)); + zap(oblock, sizeof(oblock)); - if ( ret != 1) + if (ret != 1) return KRB5_CRYPTO_INTERNAL; return 0; } static krb5_error_code -k5_des_decrypt_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +k5_des_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data) { - int ret = 0; - int tmp_len = MIT_DES_BLOCK_LENGTH; - int oblock_len = MIT_DES_BLOCK_LENGTH*num_data; - unsigned char *iblock = NULL, *oblock = NULL; + int ret, olen = MIT_DES_BLOCK_LENGTH; + unsigned char iblock[MIT_DES_BLOCK_LENGTH], oblock[MIT_DES_BLOCK_LENGTH]; struct iov_block_state input_pos, output_pos; - EVP_CIPHER_CTX ciph_ctx; - - iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH); - if (!iblock) - return ENOMEM; - oblock = OPENSSL_malloc(oblock_len); - if (!oblock){ - OPENSSL_free(iblock); - return ENOMEM; - } + 
EVP_CIPHER_CTX ciph_ctx; IOV_BLOCK_STATE_INIT(&input_pos); IOV_BLOCK_STATE_INIT(&output_pos); - ret = validate_iov(key, ivec, data, num_data); + ret = validate(key, ivec, data, num_data); if (ret) return ret; - memset(oblock, 0, oblock_len); - EVP_CIPHER_CTX_init(&ciph_ctx); ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL, - key->keyblock.contents, (ivec) ? (unsigned char*)ivec->data : NULL); - if (!ret){ - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - OPENSSL_free(iblock); - OPENSSL_free(oblock); + key->keyblock.contents, + (ivec) ? (unsigned char*)ivec->data : NULL); + if (!ret) return KRB5_CRYPTO_INTERNAL; - } EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); @@ -317,27 +164,18 @@ k5_des_decrypt_iov(krb5_key key, data, num_data, &input_pos)) break; - if (input_pos.iov_pos == num_data) - break; - - ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &tmp_len, - (unsigned char *)iblock, - input_pos.data_pos); + ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &olen, + iblock, MIT_DES_BLOCK_LENGTH); if (!ret) break; krb5int_c_iov_put_block(data, num_data, oblock, MIT_DES_BLOCK_LENGTH, &output_pos); } - if(ret) - ret = EVP_DecryptFinal_ex(&ciph_ctx, oblock+16, &tmp_len); - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - memset(iblock,0,sizeof(iblock)); - memset(oblock,0,sizeof(oblock)); - OPENSSL_free(iblock); - OPENSSL_free(oblock); + zap(iblock, sizeof(iblock)); + zap(oblock, sizeof(oblock)); if (ret != 1) return KRB5_CRYPTO_INTERNAL; @@ -351,7 +189,5 @@ const struct krb5_enc_provider krb5int_enc_des = { k5_des_decrypt, krb5int_des_make_key, krb5int_des_init_state, - krb5int_default_free_state, - k5_des_encrypt_iov, - k5_des_decrypt_iov + krb5int_default_free_state }; diff --git a/src/lib/crypto/openssl/enc_provider/des3.c b/src/lib/crypto/openssl/enc_provider/des3.c index b299d3c29..832eff915 100644 --- a/src/lib/crypto/openssl/enc_provider/des3.c +++ b/src/lib/crypto/openssl/enc_provider/des3.c 
@@ -60,25 +60,7 @@ static krb5_error_code validate(krb5_key key, const krb5_data *ivec, - const krb5_data *input, const krb5_data *output) -{ - /* key->keyblock.enctype was checked by the caller */ - - if (key->keyblock.length != KRB5_MIT_DES3_KEYSIZE) - return(KRB5_BAD_KEYSIZE); - if ((input->length%DES_BLOCK_SIZE) != 0) - return(KRB5_BAD_MSIZE); - if (ivec && (ivec->length != 8)) - return(KRB5_BAD_MSIZE); - if (input->length != output->length) - return(KRB5_BAD_MSIZE); - - return 0; -} - -static krb5_error_code -validate_iov(krb5_key key, const krb5_data *ivec, - const krb5_crypto_iov *data, size_t num_data) + const krb5_crypto_iov *data, size_t num_data) { size_t i, input_length; 
@@ -99,144 +81,28 @@ validate_iov(krb5_key key, const krb5_data *ivec, } static krb5_error_code -k5_des3_encrypt(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) -{ - int ret = 0, tmp_len = 0; - unsigned int tmp_buf_len = 0; - unsigned char *tmp_buf = NULL; - EVP_CIPHER_CTX ciph_ctx; - - ret = validate(key, ivec, input, output); - if (ret) - return ret; - - tmp_buf_len = output->length * 2; - tmp_buf = OPENSSL_malloc(tmp_buf_len); - if (!tmp_buf) - return ENOMEM; - - EVP_CIPHER_CTX_init(&ciph_ctx); - - ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL, key->keyblock.contents, - (ivec) ? (unsigned char*)ivec->data : NULL); - if (ret) { - EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); - ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, - (unsigned char *)input->data, input->length); - if (!ret || output->length < (unsigned int)tmp_len) { - ret = KRB5_CRYPTO_INTERNAL; - } else { - output->length = tmp_len; - ret = EVP_EncryptFinal_ex(&ciph_ctx, tmp_buf+tmp_len, &tmp_len); - } - } - - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - - if (ret == 1) - memcpy(output->data,tmp_buf, output->length); - - memset(tmp_buf, 0, tmp_buf_len); - OPENSSL_free(tmp_buf); - - if (ret != 1) - return KRB5_CRYPTO_INTERNAL; - - return 0; - -} - -static krb5_error_code -k5_des3_decrypt(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) -{ - int ret = 0, tmp_len = 0; - unsigned int tmp_buf_len = 0; - unsigned char *tmp_buf = NULL; - EVP_CIPHER_CTX ciph_ctx; - - ret = validate(key, ivec, input, output); - if (ret) - return ret; - - - tmp_buf_len = output->length; - tmp_buf=OPENSSL_malloc(tmp_buf_len); - if (!tmp_buf) - return ENOMEM; - - EVP_CIPHER_CTX_init(&ciph_ctx); - - ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL, key->keyblock.contents, - (ivec) ? 
(unsigned char*)ivec->data: NULL); - if (ret) { - EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); - ret = EVP_DecryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, - (unsigned char *)input->data, input->length); - if (!ret || output->length < (unsigned int)tmp_len) { - ret = KRB5_CRYPTO_INTERNAL; - } else { - output->length = tmp_len; - ret = EVP_DecryptFinal_ex(&ciph_ctx, tmp_buf+tmp_len, &tmp_len); - } - } - - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - - if (ret == 1) - memcpy(output->data,tmp_buf, output->length); - - memset(tmp_buf,0,tmp_buf_len); - OPENSSL_free(tmp_buf); - - if (ret != 1) - return KRB5_CRYPTO_INTERNAL; - return 0; - -} - -static krb5_error_code -k5_des3_encrypt_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +k5_des3_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data) { - int ret = 0; - int tmp_len = MIT_DES_BLOCK_LENGTH; - int oblock_len = MIT_DES_BLOCK_LENGTH*num_data; - unsigned char *iblock = NULL, *oblock = NULL; + int ret, olen = MIT_DES_BLOCK_LENGTH; + unsigned char iblock[MIT_DES_BLOCK_LENGTH], oblock[MIT_DES_BLOCK_LENGTH]; struct iov_block_state input_pos, output_pos; - EVP_CIPHER_CTX ciph_ctx; + EVP_CIPHER_CTX ciph_ctx; - ret = validate_iov(key, ivec, data, num_data); + ret = validate(key, ivec, data, num_data); if (ret) return ret; - iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH); - if (!iblock) - return ENOMEM; - oblock = OPENSSL_malloc(oblock_len); - if (!oblock){ - OPENSSL_free(iblock); - return ENOMEM; - } - IOV_BLOCK_STATE_INIT(&input_pos); IOV_BLOCK_STATE_INIT(&output_pos); - memset(oblock, 0, oblock_len); - EVP_CIPHER_CTX_init(&ciph_ctx); ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL, - key->keyblock.contents, (ivec) ? (unsigned char*)ivec->data : NULL); - if (!ret){ - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - OPENSSL_free(iblock); - OPENSSL_free(oblock); + key->keyblock.contents, + (ivec) ? 
(unsigned char*)ivec->data : NULL); + if (!ret) return KRB5_CRYPTO_INTERNAL; - } EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); @@ -246,29 +112,22 @@ k5_des3_encrypt_iov(krb5_key key, data, num_data, &input_pos)) break; - if (input_pos.iov_pos == num_data) + ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &olen, + (unsigned char *)iblock, MIT_DES_BLOCK_LENGTH); + if (!ret) break; - ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &tmp_len, - (unsigned char *)iblock, input_pos.data_pos); - if (!ret) break; - krb5int_c_iov_put_block(data, num_data, oblock, MIT_DES_BLOCK_LENGTH, &output_pos); } - if(ret) { - /*if (ivec != NULL && ivec->data) - memcpy(ivec->data, oblock, MIT_DES_BLOCK_LENGTH); */ - ret = EVP_EncryptFinal_ex(&ciph_ctx, oblock+input_pos.data_pos, &tmp_len); - } + /*if (ivec != NULL && ivec->data) + memcpy(ivec->data, oblock, MIT_DES_BLOCK_LENGTH); */ EVP_CIPHER_CTX_cleanup(&ciph_ctx); - memset(iblock,0,sizeof(iblock)); - memset(oblock,0,sizeof(oblock)); - OPENSSL_free(iblock); - OPENSSL_free(oblock); + zap(iblock, sizeof(iblock)); + zap(oblock, sizeof(oblock)); if (ret != 1) return KRB5_CRYPTO_INTERNAL; 
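Review bot: The new early return after a failed `EVP_EncryptInit_ex` in `k5_des3_encrypt` no longer calls `EVP_CIPHER_CTX_cleanup(&ciph_ctx)`, which the removed failure branch did. The context was already set up with `EVP_CIPHER_CTX_init` and was handed the key, so depending on how far initialisation got it may own allocated cipher data that is now neither freed nor wiped. Keep the cleanup on that path: `if (!ret) { EVP_CIPHER_CTX_cleanup(&ciph_ctx); return KRB5_CRYPTO_INTERNAL; }`. The same early return is introduced in `k5_des3_decrypt` (hunk `-276,46`) and in `k5_des_decrypt` in des.c. The body of `k5_des3_encrypt` continues past the end of this hunk.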
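Review bot: The commented-out `memcpy(ivec->data, oblock, MIT_DES_BLOCK_LENGTH)` that this hunk lifts out of the deleted `if(ret)` block is dead code, and it leaves open whether the provider is expected to hand the CBC chaining value back through `ivec`. Either delete it or replace it with a comment that states the contract, for example `/* TODO: decide whether the last cipher block must be written back to ivec. */`. In the matching `k5_des3_decrypt` hunk (`-325,30`) `oblock` holds the last plaintext block at that point, so uncommenting the copy as written would store the wrong value, since CBC chaining needs the last ciphertext block. The loop this code follows starts outside the hunk.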
@@ -276,46 +135,28 @@ k5_des3_encrypt_iov(krb5_key key, } static krb5_error_code -k5_des3_decrypt_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +k5_des3_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data) { - int ret = 0; - int tmp_len = MIT_DES_BLOCK_LENGTH; - int oblock_len = MIT_DES_BLOCK_LENGTH * num_data; - unsigned char *iblock = NULL, *oblock = NULL; + int ret, olen = MIT_DES_BLOCK_LENGTH; + unsigned char iblock[MIT_DES_BLOCK_LENGTH], oblock[MIT_DES_BLOCK_LENGTH]; struct iov_block_state input_pos, output_pos; - EVP_CIPHER_CTX ciph_ctx; + EVP_CIPHER_CTX ciph_ctx; - ret = validate_iov(key, ivec, data, num_data); + ret = validate(key, ivec, data, num_data); if (ret) return ret; - iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH); - if (!iblock) - return ENOMEM; - oblock = OPENSSL_malloc(oblock_len); - if (!oblock){ - OPENSSL_free(iblock); - return ENOMEM; - } - IOV_BLOCK_STATE_INIT(&input_pos); IOV_BLOCK_STATE_INIT(&output_pos); - memset(oblock, 0, oblock_len); - EVP_CIPHER_CTX_init(&ciph_ctx); ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL, - key->keyblock.contents, (ivec) ? (unsigned char*)ivec->data : NULL); - if (!ret){ - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - OPENSSL_free(iblock); - OPENSSL_free(oblock); + key->keyblock.contents, + (ivec) ? (unsigned char*)ivec->data : NULL); + if (!ret) return KRB5_CRYPTO_INTERNAL; - } EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); 
@@ -325,30 +166,22 @@ k5_des3_decrypt_iov(krb5_key key, data, num_data, &input_pos)) break; - if (input_pos.iov_pos == num_data) + ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &olen, + (unsigned char *)iblock, MIT_DES_BLOCK_LENGTH); + if (!ret) break; - ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &tmp_len, - (unsigned char *)iblock, input_pos.data_pos); - if (!ret) break; - - krb5int_c_iov_put_block(data, num_data, - oblock, MIT_DES_BLOCK_LENGTH, &output_pos); + krb5int_c_iov_put_block(data, num_data, oblock, MIT_DES_BLOCK_LENGTH, + &output_pos); } - if(ret) { - /*if (ivec != NULL && ivec->data) - memcpy(ivec->data, oblock, MIT_DES_BLOCK_LENGTH); */ - ret = EVP_DecryptFinal_ex(&ciph_ctx, - oblock + input_pos.data_pos, &tmp_len); - } + /*if (ivec != NULL && ivec->data) + memcpy(ivec->data, oblock, MIT_DES_BLOCK_LENGTH); */ EVP_CIPHER_CTX_cleanup(&ciph_ctx); - memset(iblock,0,sizeof(iblock)); - memset(oblock,0,sizeof(oblock)); - OPENSSL_free(iblock); - OPENSSL_free(oblock); + zap(iblock, sizeof(iblock)); + zap(oblock, sizeof(oblock)); if (ret != 1) return KRB5_CRYPTO_INTERNAL; @@ -362,7 +195,5 @@ const struct krb5_enc_provider krb5int_enc_des3 = { k5_des3_decrypt, krb5int_des3_make_key, krb5int_des_init_state, - krb5int_default_free_state, - k5_des3_encrypt_iov, - k5_des3_decrypt_iov + krb5int_default_free_state }; diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c index edfbb3218..51cd350f8 100644 --- a/src/lib/crypto/openssl/enc_provider/rc4.c +++ b/src/lib/crypto/openssl/enc_provider/rc4.c @@ -61,9 +61,6 @@ typedef struct { /* prototypes */ static krb5_error_code -k5_arcfour_docrypt(krb5_key, const krb5_data *, - const krb5_data *, krb5_data *); -static krb5_error_code k5_arcfour_free_state ( krb5_data *state); static krb5_error_code k5_arcfour_init_state (const krb5_keyblock *key, 
@@ -73,51 +70,10 @@ k5_arcfour_init_state (const krb5_keyblock *key, * this impliments the cipher */ -/* In-place rc4 crypto */ -static krb5_error_code -k5_arcfour_docrypt(krb5_key key, const krb5_data *state, - const krb5_data *input, krb5_data *output) -{ - int ret = 0, tmp_len = 0; - unsigned char *tmp_buf = NULL; - EVP_CIPHER_CTX ciph_ctx; - - if (key->keyblock.length != RC4_KEY_SIZE) - return(KRB5_BAD_KEYSIZE); - - if (input->length != output->length) - return(KRB5_BAD_MSIZE); - - EVP_CIPHER_CTX_init(&ciph_ctx); - - ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_rc4(), NULL, key->keyblock.contents, NULL); - if (ret) { - tmp_buf=(unsigned char *)output->data; - ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, - (unsigned char *)input->data, input->length); - output->length = tmp_len; - } - if (ret) { - tmp_buf += tmp_len; - ret = EVP_EncryptFinal_ex(&ciph_ctx, tmp_buf, &tmp_len); - } - - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - - if (ret != 1) - return KRB5_CRYPTO_INTERNAL; - - output->length += tmp_len; - - return 0; -} - /* In-place IOV crypto */ static krb5_error_code -k5_arcfour_docrypt_iov(krb5_key key, - const krb5_data *state, - krb5_crypto_iov *data, - size_t num_data) +k5_arcfour_docrypt(krb5_key key,const krb5_data *state, krb5_crypto_iov *data, + size_t num_data) { size_t i; int ret = 0, tmp_len = 0; @@ -191,7 +147,5 @@ const struct krb5_enc_provider krb5int_enc_arcfour = { k5_arcfour_docrypt, krb5int_arcfour_make_key, k5_arcfour_init_state, /*xxx not implemented */ - k5_arcfour_free_state, /*xxx not implemented */ - k5_arcfour_docrypt_iov, - k5_arcfour_docrypt_iov + k5_arcfour_free_state /*xxx not implemented */ }; diff --git a/src/lib/crypto/openssl/sha1/Makefile.in b/src/lib/crypto/openssl/sha1/Makefile.in index 4cef43a15..0ec25872e 100644 --- a/src/lib/crypto/openssl/sha1/Makefile.in +++ b/src/lib/crypto/openssl/sha1/Makefile.in 
@@ -22,25 +22,8 @@ all-unix:: all-libobjs includes:: depend depend:: $(SRCS) -t_shs: t_shs.o shs.o $(SUPPORT_DEPLIB) - $(CC_LINK) -o t_shs t_shs.o shs.o $(SUPPORT_LIB) - -$(OUTPRE)t_shs.exe: $(OUTPRE)t_shs.obj $(OUTPRE)shs.obj - link -out:$@ $** - -t_shs3: t_shs3.o shs.o $(SUPPORT_DEPLIB) - $(CC_LINK) -o t_shs3 t_shs3.o shs.o $(SUPPORT_LIB) - -check-unix:: t_shs t_shs3 - $(RUN_SETUP) $(VALGRIND) $(C)t_shs -x - $(RUN_SETUP) $(VALGRIND) $(C)t_shs3 - -check-windows:: $(OUTPRE)t_shs.exe $(OUTPRE)t_shs3.exe - $(OUTPRE)$(C)t_shs.exe -x - $(OUTPRE)$(C)t_shs3.exe clean:: - $(RM) t_shs$(EXEEXT) t_shs.$(OBJEXT) t_shs3$(EXEEXT) t_shs3.$(OBJEXT) clean-unix:: clean-libobjs