From: Sam Hartman Date: Fri, 20 May 2005 02:05:24 +0000 (+0000) Subject: Implement RFC 3961 PRF X-Git-Tag: ms-bug-test-20060525~253 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=9f6b2ceb0638e95a76242cbe6f7d02729be471ec;p=krb5.git Implement RFC 3961 PRF Add krb5_c_prf, a function that implements the RFC 3961 PRF. As part of this change, the krb5_init_keyblock and krb5 free routines move to libk5crypto. Public stubs remain in libkrb5, but the actual implementation is an internal interface in libk5crypto ticket: new Tags: enhancement git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17219 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/include/ChangeLog b/src/include/ChangeLog index 60ee43c87..f8bf8f334 100644 --- a/src/include/ChangeLog +++ b/src/include/ChangeLog @@ -1,3 +1,7 @@ +2005-05-19 Sam Hartman + + * k5-int.h (krb5int_c_ free_keyblock init_keyblock free_keyblock_contents): new + 2005-05-13 Ken Raeburn * configure.in: Deleted, content merged into ../configure.in. @@ -6,6 +10,12 @@ ($(srcdir)/krb5/autoconf.stmp): Use $(thisconfigdir) when locating configure.in and autom4te.cache. +2005-05-06 Sam Hartman + + + * krb5.hin: Add krb5_c_prf_length + + 2005-04-28 Ken Raeburn * k5-int.h: Include fcntl.h only if HAVE_FCNTL_H is defined. @@ -106,6 +116,7 @@ (k5_debug_make_loc): Change "lineno" to type int. (k5_debug_make_loc): Likewise for argument "line". + 2005-01-04 Jeffrey Altman * krb5.hin: add prototype for krb5_is_thread_safe @@ -124,11 +135,18 @@ * krb5.hin: Flag krb5_principal2salt as KRB5_CALLCONV_WRONG. + 2004-12-08 Ken Raeburn * k5-int.h (KRB5INT_ACCESS_STRUCT_VERSION): Bump to 9. (struct _krb5int_access): Add function pointer field use_dns_kdc. +2004-12-07 Sam Hartman + + * k5-int.h: Add prf_length to the keytype function + + * krb5.hin: Add krb5_c_prf + 2004-12-06 Ken Raeburn * k5-thread.h [DEBUG_THREADS_STATS]: Include string.h and diff --git a/src/include/k5-int.h b/src/include/k5-int.h index 5c62c1476..03a416a21 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -609,16 +609,23 @@ typedef krb5_error_code (*krb5_crypt_func) (const struct krb5_enc_provider *enc, typedef krb5_error_code (*krb5_str2key_func) (const struct krb5_enc_provider *enc, const krb5_data *string, const krb5_data *salt, const krb5_data *parm, krb5_keyblock *key); +typedef krb5_error_code (*krb5_prf_func)( + const struct krb5_enc_provider *enc, const struct krb5_hash_provider *hash, + const krb5_keyblock *key, + krb5_data *in, krb5_data *out); + struct krb5_keytypes { krb5_enctype etype; char *in_string; char *out_string; const struct krb5_enc_provider *enc; const struct krb5_hash_provider *hash; + size_t prf_length; krb5_encrypt_length_func encrypt_len; krb5_crypt_func encrypt; krb5_crypt_func decrypt; krb5_str2key_func str2key; + krb5_prf_func prf; krb5_cksumtype required_ctype; }; @@ -707,6 +714,14 @@ krb5_error_code krb5int_c_combine_keys (krb5_context context, krb5_keyblock *key1, krb5_keyblock *key2, krb5_keyblock *outkey); +void krb5int_c_free_keyblock +(krb5_context, krb5_keyblock *key); +void krb5int_c_free_keyblock_contents + (krb5_context, krb5_keyblock *); +krb5_error_code krb5int_c_init_keyblock + (krb5_context, krb5_enctype enctype, + size_t length, krb5_keyblock **out); + /* * Internal - for cleanup. */ diff --git a/src/include/krb5.hin b/src/include/krb5.hin index 230295d01..ff1713961 100644 --- a/src/include/krb5.hin +++ b/src/include/krb5.hin @@ -436,6 +436,13 @@ krb5_error_code KRB5_CALLCONV krb5_c_free_state (krb5_context context, const krb5_keyblock *key, krb5_data *state); +krb5_error_code KRB5_CALLCONV + krb5_c_prf (krb5_context, const krb5_keyblock *, + krb5_data *in, krb5_data *out); + +krb5_error_code KRB5_CALLCONV + krb5_c_prf_length (krb5_context, krb5_enctype, size_t *outlen); + krb5_error_code KRB5_CALLCONV krb5_c_make_random_key (krb5_context context, krb5_enctype enctype, diff --git a/src/lib/crypto/ChangeLog b/src/lib/crypto/ChangeLog index fa03524a3..6f6d28dfb 100644 --- a/src/lib/crypto/ChangeLog +++ b/src/lib/crypto/ChangeLog @@ -1,3 +1,22 @@ +2005-05-19 Sam Hartman + + * keyblocks.c : File to contain memory management for keyblocks + moved from libkrb5 + + * Makefile.in (SRCS): keyblocks.c is new + + * etypes.c: Add PRF for AES + + * Makefile.in (t_prf$(EXEEXT)): New output for prf test framework + +2005-05-18 Sam Hartman + + * Makefile.in : Add prf.c + + * prf.c t_prf.c: New file + + * etypes.c: Adjust structures to support the PRF declarations. + 2005-03-15 Jeffrey Altman * keyed_cksum.c: (krb5_c_is_keyed_cksum): this is a boolean diff --git a/src/lib/crypto/Makefile.in b/src/lib/crypto/Makefile.in index 5c1d94c2e..62cbddfe2 100644 --- a/src/lib/crypto/Makefile.in +++ b/src/lib/crypto/Makefile.in @@ -16,6 +16,7 @@ PROG_RPATH=$(KRB5_LIBDIR) EXTRADEPSRCS=\ $(srcdir)/t_nfold.c \ $(srcdir)/t_encrypt.c \ + $(srcdir)/t_prf.c \ $(srcdir)/t_prng.c \ $(srcdir)/t_hmac.c \ $(srcdir)/t_pkcs5.c \ @@ -47,6 +48,7 @@ STLIBOBJS=\ enctype_to_string.o \ etypes.o \ hmac.o \ + keyblocks.o \ keyed_cksum.o \ keyed_checksum_types.o \ make_checksum.o \ @@ -55,6 +57,7 @@ STLIBOBJS=\ nfold.o \ old_api_glue.o \ pbkdf2.o \ + prf.o \ prng.o \ state.o \ string_to_cksumtype.o \ @@ -80,6 +83,7 @@ OBJS=\ $(OUTPRE)enctype_to_string.$(OBJEXT) \ $(OUTPRE)etypes.$(OBJEXT) \ $(OUTPRE)hmac.$(OBJEXT) \ + $(OUTPRE)keyblocks.$(OBJEXT) \ $(OUTPRE)keyed_cksum.$(OBJEXT) \ $(OUTPRE)keyed_checksum_types.$(OBJEXT) \ $(OUTPRE)make_checksum.$(OBJEXT) \ @@ -88,6 +92,7 @@ OBJS=\ $(OUTPRE)nfold.$(OBJEXT) \ $(OUTPRE)old_api_glue.$(OBJEXT) \ $(OUTPRE)pbkdf2.$(OBJEXT) \ + $(OUTPRE)prf.$(OBJEXT) \ $(OUTPRE)prng.$(OBJEXT) \ $(OUTPRE)state.$(OBJEXT) \ $(OUTPRE)string_to_cksumtype.$(OBJEXT) \ @@ -113,6 +118,7 @@ SRCS=\ $(srcdir)/enctype_to_string.c \ $(srcdir)/etypes.c \ $(srcdir)/hmac.c \ + $(srcdir)/keyblocks.c \ $(srcdir)/keyed_cksum.c \ $(srcdir)/keyed_checksum_types.c\ $(srcdir)/make_checksum.c \ @@ -121,6 +127,7 @@ SRCS=\ $(srcdir)/nfold.c \ $(srcdir)/old_api_glue.c \ $(srcdir)/pbkdf2.c \ + $(srcdir)/prf.c \ $(srcdir)/prng.c \ $(srcdir)/state.c \ $(srcdir)/string_to_cksumtype.c \ @@ -170,7 +177,7 @@ libcrypto.lib: clean-unix:: clean-liblinks clean-libs clean-libobjs -check-unix:: t_nfold t_encrypt t_prng t_hmac t_pkcs5 +check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 $(RUN_SETUP) ./t_nfold $(RUN_SETUP) ./t_encrypt $(RUN_SETUP) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \ @@ -185,6 +192,9 @@ t_nfold$(EXEEXT): t_nfold.$(OBJEXT) nfold.$(OBJEXT) t_encrypt$(EXEEXT): t_encrypt.$(OBJEXT) nfold.$(OBJEXT) $(CRYPTO_DEPLIB) $(CC_LINK) -o $@ t_encrypt.$(OBJEXT) -lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB) +t_prf$(EXEEXT): t_prf.$(OBJEXT) + $(CC_LINK) -o $@ t_prf.$(OBJEXT) -lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB) + t_prng$(EXEEXT): t_prng.$(OBJEXT) $(CC_LINK) -o $@ t_prng.$(OBJEXT) -lk5crypto -lcom_err $(SUPPORT_LIB) diff --git a/src/lib/crypto/dk/ChangeLog b/src/lib/crypto/dk/ChangeLog index 3430370af..5e9886700 100644 --- a/src/lib/crypto/dk/ChangeLog +++ b/src/lib/crypto/dk/ChangeLog @@ -1,3 +1,15 @@ +2005-05-19 Sam Hartman + + * dk_prf.c (krb5int_dk_prf): Use k5crypto versions of keyblock memory management + +2004-12-09 Sam Hartman + + * dk.h: Add krb5_dk_prf + + * Makefile.in (SRCS): Add dk_prf.c + + * dk_prf.c (krb5int_dk_prf): New function + 2004-03-17 Ken Raeburn * derive.c (krb5_random2key): Don't compile. diff --git a/src/lib/crypto/dk/Makefile.in b/src/lib/crypto/dk/Makefile.in index 83a7c8d78..89046a4c9 100644 --- a/src/lib/crypto/dk/Makefile.in +++ b/src/lib/crypto/dk/Makefile.in @@ -18,6 +18,7 @@ STLIBOBJS=\ dk_decrypt.o \ dk_encrypt.o \ derive.o \ + dk_prf.o \ stringtokey.o OBJS=\ @@ -25,12 +26,14 @@ OBJS=\ $(OUTPRE)dk_decrypt.$(OBJEXT) \ $(OUTPRE)dk_encrypt.$(OBJEXT) \ $(OUTPRE)derive.$(OBJEXT) \ + $(OUTPRE)dk_prf.$(OBJEXT) \ $(OUTPRE)stringtokey.$(OBJEXT) SRCS=\ $(srcdir)/checksum.c \ $(srcdir)/dk_decrypt.c \ $(srcdir)/dk_encrypt.c \ + $(srcdir)/dk_prf.c \ $(srcdir)/derive.c \ $(srcdir)/stringtokey.c diff --git a/src/lib/crypto/dk/dk.h b/src/lib/crypto/dk/dk.h index 1d742ce16..47bda6ebf 100644 --- a/src/lib/crypto/dk/dk.h +++ b/src/lib/crypto/dk/dk.h @@ -69,6 +69,11 @@ krb5_error_code krb5int_dk_string_to_key const krb5_data *string, const krb5_data *salt, const krb5_data *params, krb5_keyblock *key); +krb5_error_code +krb5int_dk_prf(const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, const krb5_data *in, krb5_data *out); + krb5_error_code krb5_derive_key (const struct krb5_enc_provider *enc, const krb5_keyblock *inkey, diff --git a/src/lib/crypto/dk/dk_prf.c b/src/lib/crypto/dk/dk_prf.c new file mode 100644 index 000000000..ec64caf16 --- /dev/null +++ b/src/lib/crypto/dk/dk_prf.c @@ -0,0 +1,64 @@ +/* + * lib/crypto/dk/prf.c + * + * Copyright (C) 2004 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * + * This file contains an implementation of the RFC 3961 PRF for + *simplified profile enctypes. + */ + +#include "k5-int.h" +#include "dk.h" + +krb5_error_code +krb5int_dk_prf (const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, + const krb5_data *in, krb5_data *out) +{ + krb5_data tmp; + krb5_data prfconst; + krb5_keyblock *kp = NULL; + krb5_error_code ret = 0; + + prfconst.data = (char *) "prf"; + prfconst.length = 3; + tmp.length = hash->hashsize; + tmp.data = malloc(hash->hashsize); + if (tmp.data == NULL) + return ENOMEM; + hash->hash(1, in, &tmp); + tmp.length = (tmp.length/enc->block_size)*enc->block_size; /*truncate to block size*/ + ret = krb5int_c_init_keyblock(0, key->enctype, + key->length, &kp); + if (ret == 0) + ret = krb5_derive_key(enc, key, kp, &prfconst); + if (ret == 0) + ret = enc->encrypt(kp, NULL, &tmp, out); + if (kp) + krb5int_c_free_keyblock(0, kp); + free (tmp.data); + return ret; +} diff --git a/src/lib/crypto/etypes.c b/src/lib/crypto/etypes.c index 0a153743a..4273e2826 100644 --- a/src/lib/crypto/etypes.c +++ b/src/lib/crypto/etypes.c @@ -44,110 +44,170 @@ const struct krb5_keytypes krb5_enctypes_list[] = { { ENCTYPE_DES_CBC_CRC, "des-cbc-crc", "DES cbc mode with CRC-32", &krb5int_enc_des, &krb5int_hash_crc32, + 8, krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt, - krb5int_des_string_to_key, CKSUMTYPE_RSA_MD5 }, + krb5int_des_string_to_key, + NULL, /*PRF*/ + CKSUMTYPE_RSA_MD5 }, { ENCTYPE_DES_CBC_MD4, "des-cbc-md4", "DES cbc mode with RSA-MD4", &krb5int_enc_des, &krb5int_hash_md4, + 8, krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt, - krb5int_des_string_to_key, CKSUMTYPE_RSA_MD4 }, + krb5int_des_string_to_key, + NULL, /*PRF*/ + CKSUMTYPE_RSA_MD4 }, { ENCTYPE_DES_CBC_MD5, "des-cbc-md5", "DES cbc mode with RSA-MD5", &krb5int_enc_des, &krb5int_hash_md5, + 8, krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt, - krb5int_des_string_to_key, CKSUMTYPE_RSA_MD5 }, + krb5int_des_string_to_key, + NULL, /*PRF*/ +CKSUMTYPE_RSA_MD5 }, { ENCTYPE_DES_CBC_MD5, "des", "DES cbc mode with RSA-MD5", /* alias */ &krb5int_enc_des, &krb5int_hash_md5, + 8, krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt, - krb5int_des_string_to_key, CKSUMTYPE_RSA_MD5 }, + krb5int_des_string_to_key, + NULL, /*PRF*/ + CKSUMTYPE_RSA_MD5 }, { ENCTYPE_DES_CBC_RAW, "des-cbc-raw", "DES cbc mode raw", &krb5int_enc_des, NULL, + 8, krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt, - krb5int_des_string_to_key, 0 }, + krb5int_des_string_to_key, + NULL, /*PRF*/ + 0 }, { ENCTYPE_DES3_CBC_RAW, "des3-cbc-raw", "Triple DES cbc mode raw", &krb5int_enc_des3, NULL, + 8, krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt, - krb5int_dk_string_to_key, 0 }, + krb5int_dk_string_to_key, + NULL, /*PRF*/ + 0 }, { ENCTYPE_DES3_CBC_SHA1, "des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1", &krb5int_enc_des3, &krb5int_hash_sha1, + 8, krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt, - krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 }, + krb5int_dk_string_to_key, + NULL, /*PRF*/ + CKSUMTYPE_HMAC_SHA1_DES3 }, { ENCTYPE_DES3_CBC_SHA1, /* alias */ "des3-hmac-sha1", "Triple DES cbc mode with HMAC/sha1", &krb5int_enc_des3, &krb5int_hash_sha1, + 8, krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt, - krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 }, + krb5int_dk_string_to_key, + NULL, /*PRF*/ + CKSUMTYPE_HMAC_SHA1_DES3 }, { ENCTYPE_DES3_CBC_SHA1, /* alias */ "des3-cbc-sha1-kd", "Triple DES cbc mode with HMAC/sha1", &krb5int_enc_des3, &krb5int_hash_sha1, + 8, krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt, - krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 }, + krb5int_dk_string_to_key, + NULL, /*PRF*/ + CKSUMTYPE_HMAC_SHA1_DES3 }, { ENCTYPE_DES_HMAC_SHA1, "des-hmac-sha1", "DES with HMAC/sha1", &krb5int_enc_des, &krb5int_hash_sha1, + 8, krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt, - krb5int_dk_string_to_key, 0 }, + krb5int_dk_string_to_key, + NULL, /*PRF*/ + 0 }, { ENCTYPE_ARCFOUR_HMAC, "arcfour-hmac","ArcFour with HMAC/md5", &krb5int_enc_arcfour, - &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, + &krb5int_hash_md5, + 0, +krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, + NULL, /*PRF*/ CKSUMTYPE_HMAC_MD5_ARCFOUR }, { ENCTYPE_ARCFOUR_HMAC, /* alias */ "rc4-hmac", "ArcFour with HMAC/md5", &krb5int_enc_arcfour, - &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, + &krb5int_hash_md5, + 0, + krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, + NULL, /*PRF*/ CKSUMTYPE_HMAC_MD5_ARCFOUR }, { ENCTYPE_ARCFOUR_HMAC, /* alias */ "arcfour-hmac-md5", "ArcFour with HMAC/md5", &krb5int_enc_arcfour, - &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, + &krb5int_hash_md5, + 0, + krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, + NULL, /*PRF*/ CKSUMTYPE_HMAC_MD5_ARCFOUR }, { ENCTYPE_ARCFOUR_HMAC_EXP, "arcfour-hmac-exp", "Exportable ArcFour with HMAC/md5", &krb5int_enc_arcfour, - &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, + &krb5int_hash_md5, + 0, + krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, + NULL, /*PRF*/ CKSUMTYPE_HMAC_MD5_ARCFOUR }, { ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */ "rc4-hmac-exp", "Exportable ArcFour with HMAC/md5", &krb5int_enc_arcfour, - &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, + &krb5int_hash_md5, + 0, + krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, + NULL, /*PRF*/ CKSUMTYPE_HMAC_MD5_ARCFOUR }, { ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */ "arcfour-hmac-md5-exp", "Exportable ArcFour with HMAC/md5", &krb5int_enc_arcfour, - &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, + &krb5int_hash_md5, + 0, + krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, + NULL, /*PRF*/ CKSUMTYPE_HMAC_MD5_ARCFOUR }, { ENCTYPE_AES128_CTS_HMAC_SHA1_96, "aes128-cts-hmac-sha1-96", "AES-128 CTS mode with 96-bit SHA-1 HMAC", &krb5int_enc_aes128, &krb5int_hash_sha1, + 16, krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt, - krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES128 }, + krb5int_aes_string_to_key, + krb5int_dk_prf, + CKSUMTYPE_HMAC_SHA1_96_AES128 }, { ENCTYPE_AES128_CTS_HMAC_SHA1_96, /* alias */ "aes128-cts", "AES-128 CTS mode with 96-bit SHA-1 HMAC", &krb5int_enc_aes128, &krb5int_hash_sha1, + 16, krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt, - krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES128 }, + krb5int_aes_string_to_key, + krb5int_dk_prf, + CKSUMTYPE_HMAC_SHA1_96_AES128 }, { ENCTYPE_AES256_CTS_HMAC_SHA1_96, "aes256-cts-hmac-sha1-96", "AES-256 CTS mode with 96-bit SHA-1 HMAC", &krb5int_enc_aes256, &krb5int_hash_sha1, + 16, krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt, - krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES256 }, + krb5int_aes_string_to_key, + krb5int_dk_prf, + CKSUMTYPE_HMAC_SHA1_96_AES256 }, { ENCTYPE_AES256_CTS_HMAC_SHA1_96, /* alias */ "aes256-cts", "AES-256 CTS mode with 96-bit SHA-1 HMAC", &krb5int_enc_aes256, &krb5int_hash_sha1, + 16, krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt, - krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES256 }, + krb5int_aes_string_to_key, + krb5int_dk_prf, + CKSUMTYPE_HMAC_SHA1_96_AES256 }, }; const int krb5_enctypes_length = diff --git a/src/lib/crypto/keyblocks.c b/src/lib/crypto/keyblocks.c new file mode 100644 index 000000000..02ff677d1 --- /dev/null +++ b/src/lib/crypto/keyblocks.c @@ -0,0 +1,79 @@ +/* + * lib/crypto/keyblocks.c + * + * Copyright (C) 2002, 2005 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * + * krb5_init_keyblock- a function to set up + * an empty keyblock + */ + + +#include "k5-int.h" +#include + +krb5_error_code krb5int_c_init_keyblock + (krb5_context context, krb5_enctype enctype, + size_t length, krb5_keyblock **out) +{ + krb5_keyblock *kb; + kb = malloc (sizeof(krb5_keyblock)); + assert (out); + *out = NULL; + if (!kb) { + return ENOMEM; + } + kb->magic = KV5M_KEYBLOCK; + kb->enctype = enctype; + kb->length = length; + if(length) { + kb->contents = malloc (length); + if(!kb->contents) { + free (kb); + return ENOMEM; + } + } else { + kb->contents = NULL; + } + *out = kb; + return 0; +} + + +void KRB5_CALLCONV +krb5int_c_free_keyblock(krb5_context context, register krb5_keyblock *val) +{ + krb5_free_keyblock_contents(context, val); + krb5_xfree(val); +} + +void +krb5int_c_free_keyblock_contents(krb5_context context, register krb5_keyblock *key) +{ + if (key->contents) { + krb5int_zap_data (key->contents, key->length); + krb5_xfree(key->contents); + key->contents = 0; + } +} diff --git a/src/lib/crypto/libk5crypto.exports b/src/lib/crypto/libk5crypto.exports index 744b1de48..b06f2e427 100644 --- a/src/lib/crypto/libk5crypto.exports +++ b/src/lib/crypto/libk5crypto.exports @@ -25,6 +25,8 @@ krb5_c_is_keyed_cksum krb5_c_keyed_checksum_types krb5_c_make_checksum krb5_c_make_random_key +krb5_c_prf +krb5_c_prf_length krb5_c_random_add_entropy krb5_c_random_make_octets krb5_c_random_os_entropy @@ -88,6 +90,9 @@ krb5int_arcfour_string_to_key krb5int_arcfour_translate_usage krb5int_c_combine_keys krb5int_c_mandatory_cksumtype +krb5int_c_free_keyblock +krb5int_c_free_keyblock_contents +krb5int_c_init_keyblock krb5int_c_mit_des_zeroblock krb5int_default_free_state krb5int_des3_cbc_decrypt diff --git a/src/lib/crypto/prf.c b/src/lib/crypto/prf.c new file mode 100644 index 000000000..f52564db4 --- /dev/null +++ b/src/lib/crypto/prf.c @@ -0,0 +1,87 @@ +/* + * lib/crypto/prf.c + * + * Copyright (C) 2004 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * + * This contains the implementation of krb5_c_prf, which will find + *the enctype-specific PRF and then generate pseudo-random data. This + *function yields krb5_c_prf_length bytes of output. + */ + + +#include "k5-int.h" +#include "etypes.h" + +#include + +krb5_error_code KRB5_CALLCONV +krb5_c_prf_length(krb5_context context, krb5_enctype enctype, + size_t *len) +{ + int i; + assert (len); + + for (i=0; idata); + + + for (i=0; ienctype) + break; + } + + if (i == krb5_enctypes_length) + return(KRB5_BAD_ENCTYPE); + + output->magic = KV5M_DATA; + if (!krb5_enctypes_list[i].prf) + return (KRB5_CRYPTO_INTERNAL); + krb5_c_prf_length (context, key->enctype, &len); + if( len != output->length) + return (KRB5_CRYPTO_INTERNAL); + return((*(krb5_enctypes_list[i].prf)) + (krb5_enctypes_list[i].enc, krb5_enctypes_list[i].hash, + key, input, output)); +} + diff --git a/src/lib/crypto/t_prf.c b/src/lib/crypto/t_prf.c new file mode 100644 index 000000000..f11784b3d --- /dev/null +++ b/src/lib/crypto/t_prf.c @@ -0,0 +1,89 @@ +/* + * lib/crypto/t_prf.c + * + * Copyright (C) 2004 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * This file contains tests for the PRF code in Kerberos. IT reads + *an input file, and writes an output file. It is assumed that the + *output file will be diffed against expected output to see whether + *regression tests pass. The input file is a very primitive format. + *It includes an enctype and to be string2keyed followed by a number of bytes of input + *length, followed by that many bytes of input. The program outputs + *krb5_c_prf of that input and key as a hex string. + */ + +#include "k5-int.h" +#include + +int main () { + krb5_error_code ret; + krb5_data input, output; + krb5_keyblock *key = NULL; + unsigned int in_length; + unsigned int i; + while (1) { + krb5_enctype enctype; + char s[1025]; + + if (scanf( "%d", &enctype) == EOF) + break; + if (scanf("%1024s", &s[0]) == EOF) + break; + assert (krb5_init_keyblock(0, enctype, 0, &key) == 0); + input.data = &s[0]; + input.length = strlen(s); + assert(krb5_c_string_to_key (0, enctype, &input, &input, key) == 0); + + if (scanf("%u", &in_length) == EOF) + break; + + if (in_length ) { + unsigned int lc; + assert ((input.data = malloc(in_length)) != NULL); + for (lc = in_length; lc > 0; lc--) { + scanf ("%2x", &i); + input.data[in_length-lc] = (unsigned) (i&0xff); + } + input.length = in_length; + assert (krb5_c_prf_length(0, enctype, &i) == 0); + assert (output.data = malloc(i)); + output.length = i; + assert (krb5_c_prf(0, key, &input, &output) == 0); + + free (input.data); + input.data = NULL; + } + for (; i > 0; i--) { + printf ("%02x", + (unsigned int) ((unsigned char ) output.data[output.length-i])); + } + printf ("\n"); + + free (output.data); + output.data = NULL; + krb5_free_keyblock(0, key); + key = NULL; + } + + return (0); +} diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index 26ae8fe04..01f9e4956 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog @@ -1,3 +1,9 @@ +2005-05-19 Sam Hartman + + * kfree.c (krb5_free_keyblock_contents krb5_free_keyblock): Make + stubs into libk5crypto so that libk5crypto can call these. + * init_keyblock.c (krb5_init_keyblock): As above. + 2005-04024 Jeffrey Altman * get_creds.c: diff --git a/src/lib/krb5/krb/deltat.c b/src/lib/krb5/krb/deltat.c index 770234de5..2541591f8 100644 --- a/src/lib/krb5/krb/deltat.c +++ b/src/lib/krb5/krb/deltat.c @@ -1,7 +1,7 @@ -/* A Bison parser, made by GNU Bison 1.875c. */ +/* A Bison parser, made by GNU Bison 1.875d. */ /* Skeleton parser for Yacc-like parsing with Bison, - Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003 Free Software Foundation, Inc. + Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -187,6 +187,13 @@ typedef union YYSTYPE { int val; } YYSTYPE; #if ! defined (yyoverflow) || YYERROR_VERBOSE +# ifndef YYFREE +# define YYFREE free +# endif +# ifndef YYMALLOC +# define YYMALLOC malloc +# endif + /* The parser invokes alloca or malloc; define the necessary symbols. */ # ifdef YYSTACK_USE_ALLOCA @@ -211,8 +218,8 @@ typedef union YYSTYPE { int val; } YYSTYPE; # include /* INFRINGES ON USER NAME SPACE */ # define YYSIZE_T size_t # endif -# define YYSTACK_ALLOC malloc -# define YYSTACK_FREE free +# define YYSTACK_ALLOC YYMALLOC +# define YYSTACK_FREE YYFREE # endif #endif /* ! defined (yyoverflow) || YYERROR_VERBOSE */ @@ -224,7 +231,7 @@ typedef union YYSTYPE { int val; } YYSTYPE; /* A type that is properly aligned for any stack member. */ union yyalloc { - short yyss; + short int yyss; YYSTYPE yyvs; }; @@ -234,7 +241,7 @@ union yyalloc /* The size of an array large to enough to hold all stacks, each with N elements. */ # define YYSTACK_BYTES(N) \ - ((N) * (sizeof (short) + sizeof (YYSTYPE)) \ + ((N) * (sizeof (short int) + sizeof (YYSTYPE)) \ + YYSTACK_GAP_MAXIMUM) /* Copy COUNT objects from FROM to TO. The source and destination do @@ -276,7 +283,7 @@ union yyalloc #if defined (__STDC__) || defined (__cplusplus) typedef signed char yysigned_char; #else - typedef short yysigned_char; + typedef short int yysigned_char; #endif /* YYFINAL -- State number of the termination state. */ @@ -378,7 +385,7 @@ static const char *const yytname[] = # ifdef YYPRINT /* YYTOKNUM[YYLEX-NUM] -- Internal token number corresponding to token YYLEX-NUM. */ -static const unsigned short yytoknum[] = +static const unsigned short int yytoknum[] = { 0, 256, 257, 258, 259, 260, 45, 58, 100, 104, 109, 115, 261 @@ -580,12 +587,12 @@ do { \ #if defined (__STDC__) || defined (__cplusplus) static void -yy_stack_print (short *bottom, short *top) +yy_stack_print (short int *bottom, short int *top) #else static void yy_stack_print (bottom, top) - short *bottom; - short *top; + short int *bottom; + short int *top; #endif { YYFPRINTF (stderr, "Stack now"); @@ -852,9 +859,9 @@ int yynerrs; to reallocate them elsewhere. */ /* The state stack. */ - short yyssa[YYINITDEPTH]; - short *yyss = yyssa; - register short *yyssp; + short int yyssa[YYINITDEPTH]; + short int *yyss = yyssa; + register short int *yyssp; /* The semantic value stack. */ YYSTYPE yyvsa[YYINITDEPTH]; @@ -891,6 +898,7 @@ int yynerrs; yyssp = yyss; yyvsp = yyvs; + goto yysetstate; /*------------------------------------------------------------. @@ -916,7 +924,7 @@ int yynerrs; these so that the &'s don't force the real ones into memory. */ YYSTYPE *yyvs1 = yyvs; - short *yyss1 = yyss; + short int *yyss1 = yyss; /* Each stack pointer address is followed by the size of the @@ -944,7 +952,7 @@ int yynerrs; yystacksize = YYMAXDEPTH; { - short *yyss1 = yyss; + short int *yyss1 = yyss; union yyalloc *yyptr = (union yyalloc *) YYSTACK_ALLOC (YYSTACK_BYTES (yystacksize)); if (! yyptr) @@ -1151,8 +1159,8 @@ yyreduce: } -/* Line 993 of yacc.c. */ -#line 1156 "deltat.c" +/* Line 1010 of yacc.c. */ +#line 1164 "deltat.c" yyvsp -= yylen; yyssp -= yylen; diff --git a/src/lib/krb5/krb/init_keyblock.c b/src/lib/krb5/krb/init_keyblock.c index a6feeeaf1..3be842ac8 100644 --- a/src/lib/krb5/krb/init_keyblock.c +++ b/src/lib/krb5/krb/init_keyblock.c @@ -37,25 +37,5 @@ krb5_error_code KRB5_CALLCONV krb5_init_keyblock (krb5_context context, krb5_enctype enctype, size_t length, krb5_keyblock **out) { - krb5_keyblock *kb; - kb = malloc (sizeof(krb5_keyblock)); - assert (out); - *out = NULL; - if (!kb) { - return ENOMEM; - } - kb->magic = KV5M_KEYBLOCK; - kb->enctype = enctype; - kb->length = length; - if(length) { - kb->contents = malloc (length); - if(!kb->contents) { - free (kb); - return ENOMEM; - } - } else { - kb->contents = NULL; - } - *out = kb; - return 0; + return krb5int_c_init_keyblock (context, enctype, length, out); } diff --git a/src/lib/krb5/krb/kfree.c b/src/lib/krb5/krb/kfree.c index 470043971..39bb1f212 100644 --- a/src/lib/krb5/krb/kfree.c +++ b/src/lib/krb5/krb/kfree.c @@ -340,18 +340,13 @@ krb5_free_kdc_req(krb5_context context, krb5_kdc_req *val) void KRB5_CALLCONV krb5_free_keyblock_contents(krb5_context context, register krb5_keyblock *key) { - if (key->contents) { - memset(key->contents, 0, key->length); - krb5_xfree(key->contents); - key->contents = 0; - } + krb5int_c_free_keyblock_contents (context, key); } void KRB5_CALLCONV krb5_free_keyblock(krb5_context context, register krb5_keyblock *val) { - krb5_free_keyblock_contents(context, val); - krb5_xfree(val); + krb5int_c_free_keyblock (context, val); } diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def index 0125d2630..012d6f7bf 100644 --- a/src/lib/krb5_32.def +++ b/src/lib/krb5_32.def @@ -64,6 +64,8 @@ EXPORTS krb5_c_keyed_checksum_types krb5_c_make_checksum krb5_c_make_random_key +krb5_c_prf +krb5_c_prf_length krb5_c_random_make_octets krb5_c_random_seed krb5_c_string_to_key