From: Ken Raeburn Date: Sat, 13 Dec 2003 06:28:35 +0000 (+0000) Subject: Add platform-dependent 64-bit and inline-function support via new header X-Git-Tag: krb5-1.4-beta1~716 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=a87606b8e2b12a6a5260539a5544f55fb81d53bc;p=krb5.git Add platform-dependent 64-bit and inline-function support via new header k5-platform.h. Add 64-bit serializer support. [Not needed for ticket 1471, but needed for 2040 and annoying to check in separately.] Add to (internal for now) crypto API a function to get the mandatory checksum type associated with an enctype. New support for server-generated subkey, selected via an auth_context flag. ticket: 1471 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15908 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/include/ChangeLog b/src/include/ChangeLog index 84602683f..d6cffd004 100644 --- a/src/include/ChangeLog +++ b/src/include/ChangeLog @@ -1,3 +1,21 @@ +2003-12-13 Ken Raeburn + + * krb5.hin (KRB5_AUTH_CONTEXT_USE_SUBKEY): New macro. + + * k5-int.h (struct krb5_keytypes): Added field required_ctype. + (krb5int_c_mandatory_cksumtype): New declaration. + (krb5int_generate_and_set_subkey): Declare. + (memset) [__GNUC__ && __GLIBC__]: Undef, to reduce compilation + warnings in zap() macro with volatile pointer. + + * k5-platform.h: New header file. Manages inline-function and + 64-bit support, in platform-specific ways. + * fake-addrinfo.h: Include k5-platform.h. + (inline): Don't define here. + * k5-int.h: Include k5-platform.h. + (krb5_ui_8, krb5_int64): New typedefs. + (krb5_ser_pack_int64, krb5_ser_unpack_int64): New function decls. + 2003-10-08 Tom Yu * k5-int.h: Add prototypes for decode_krb5_safe_with_body and diff --git a/src/include/fake-addrinfo.h b/src/include/fake-addrinfo.h index e620357da..9d122e392 100644 --- a/src/include/fake-addrinfo.h +++ b/src/include/fake-addrinfo.h @@ -101,21 +101,7 @@ #define FAI_DEFINED #include "port-sockets.h" #include "socket-utils.h" - -#if !defined(inline) -# if __STDC_VERSION__ >= 199901L -/* C99 supports inline, don't do anything. */ -# elif defined(__GNUC__) -# define inline __inline__ /* this form silences -pedantic warnings */ -# elif defined(__mips) && defined(__sgi) -# define inline __inline /* IRIX used at MIT does inline but not c99 yet */ -# elif defined(__sun) && __SUNPRO_C >= 0x540 -/* The Forte Developer 7 C compiler supports "inline". */ -# else -# define inline /* nothing, just static */ -# endif -# define ADDRINFO_UNDEF_INLINE -#endif +#include "k5-platform.h" #ifdef S_SPLINT_S /*@-incondefs@*/ diff --git a/src/include/k5-int.h b/src/include/k5-int.h index ebcd2135f..82bc29117 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -136,6 +136,13 @@ typedef unsigned char u_char; #endif /* HAVE_SYS_TYPES_H */ #endif /* KRB5_SYSTYPES__ */ + +#include "k5-platform.h" +/* not used in krb5.h (yet) */ +typedef UINT64_TYPE krb5_ui_8; +typedef INT64_TYPE krb5_int64; + + #define DEFAULT_PWD_STRING1 "Enter password" #define DEFAULT_PWD_STRING2 "Re-enter password for verification" @@ -631,6 +638,7 @@ struct krb5_keytypes { krb5_crypt_func encrypt; krb5_crypt_func decrypt; krb5_str2key_func str2key; + krb5_cksumtype required_ctype; }; struct krb5_cksumtypes { @@ -680,6 +688,12 @@ krb5_error_code krb5int_pbkdf2_hmac_sha1 (const krb5_data *, unsigned long, /* Make this a function eventually? */ #define krb5int_zap_data(ptr, len) memset((volatile void *)ptr, 0, len) +#if defined(__GNUC__) && defined(__GLIBC__) +/* GNU libc generates multiple bogus initialization warnings if we + pass memset a volatile pointer. The compiler should do well enough + with memset even without GNU libc's attempt at optimization. */ +#undef memset +#endif #define zap(p,l) krb5int_zap_data(p,l) /* A definition of init_state for DES based encryption systems. @@ -1585,6 +1599,11 @@ krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int32 (krb5_int32 *, krb5_octet **, size_t *); +/* [De]serialize 8-byte integer */ +krb5_error_code KRB5_CALLCONV krb5_ser_pack_int64 + (krb5_int64, krb5_octet **, size_t *); +krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int64 + (krb5_int64 *, krb5_octet **, size_t *); /* [De]serialize byte string */ krb5_error_code KRB5_CALLCONV krb5_ser_pack_bytes (krb5_octet *, @@ -1607,6 +1626,10 @@ krb5_error_code KRB5_CALLCONV krb5_cc_retrieve_cred_default void krb5int_set_prompt_types (krb5_context, krb5_prompt_type *); +krb5_error_code +krb5int_generate_and_save_subkey (krb5_context, krb5_auth_context, + krb5_keyblock * /* Old keyblock, not new! */); + /* set and change password helpers */ krb5_error_code krb5int_mk_chpw_req @@ -1910,4 +1933,8 @@ extern const krb5_kt_ops krb5_kt_dfl_ops; extern krb5_error_code krb5int_translate_gai_error (int); +/* Not sure it's ready for exposure just yet. */ +extern krb5_error_code +krb5int_c_mandatory_cksumtype (krb5_context, krb5_enctype, krb5_cksumtype *); + #endif /* _KRB5_INT_H */ diff --git a/src/include/k5-platform.h b/src/include/k5-platform.h new file mode 100644 index 000000000..e6d2ad0e4 --- /dev/null +++ b/src/include/k5-platform.h @@ -0,0 +1,136 @@ +/* Copyright 2003 Massachusetts Institute of Technology. All rights reserved. */ +/* Platform-dependent junk. */ + +#ifndef K5_PLATFORM_H +#define K5_PLATFORM_H + +#if !defined(inline) +# if __STDC_VERSION__ >= 199901L +/* C99 supports inline, don't do anything. */ +# elif defined(__GNUC__) +# define inline __inline__ /* this form silences -pedantic warnings */ +# elif defined(__mips) && defined(__sgi) +# define inline __inline /* IRIX used at MIT does inline but not c99 yet */ +# elif defined(__sun) && __SUNPRO_C >= 0x540 +/* The Forte Developer 7 C compiler supports "inline". */ +# elif defined(_WIN32) +# define inline __inline +# else +# define inline /* nothing, just static */ +# endif +#endif + +#include "autoconf.h" + +/* 64-bit support: krb5_ui_8 and krb5_int64. + + This should move to krb5.h eventually, but without the namespace + pollution from the autoconf macros. */ +#if defined(HAVE_STDINT_H) || defined(HAVE_INTTYPES_H) +# ifdef HAVE_STDINT_H +# include +# endif +# ifdef HAVE_INTTYPES_H +# include +# endif +# define INT64_TYPE int64_t +# define UINT64_TYPE uint64_t +#elif defined(_WIN32) +# define INT64_TYPE signed __int64 +# define UINT64_TYPE unsigned __int64 +#else /* not Windows, and neither stdint.h nor inttypes.h */ +# define INT64_TYPE signed long long +# define UINT64_TYPE unsigned long long +#endif + +/* Read and write integer values as (unaligned) octet strings in + specific byte orders. + + Add per-platform optimizations later if needed. (E.g., maybe x86 + unaligned word stores and gcc/asm instructions for byte swaps, + etc.) */ + +static inline void +store_16_be (unsigned int val, unsigned char *p) +{ + p[0] = (val >> 8) & 0xff; + p[1] = (val ) & 0xff; +} +static inline void +store_16_le (unsigned int val, unsigned char *p) +{ + p[1] = (val >> 8) & 0xff; + p[0] = (val ) & 0xff; +} +static inline void +store_32_be (unsigned int val, unsigned char *p) +{ + p[0] = (val >> 24) & 0xff; + p[1] = (val >> 16) & 0xff; + p[2] = (val >> 8) & 0xff; + p[3] = (val ) & 0xff; +} +static inline void +store_32_le (unsigned int val, unsigned char *p) +{ + p[3] = (val >> 24) & 0xff; + p[2] = (val >> 16) & 0xff; + p[1] = (val >> 8) & 0xff; + p[0] = (val ) & 0xff; +} +static inline void +store_64_be (UINT64_TYPE val, unsigned char *p) +{ + p[0] = (val >> 56) & 0xff; + p[1] = (val >> 48) & 0xff; + p[2] = (val >> 40) & 0xff; + p[3] = (val >> 32) & 0xff; + p[4] = (val >> 24) & 0xff; + p[5] = (val >> 16) & 0xff; + p[6] = (val >> 8) & 0xff; + p[7] = (val ) & 0xff; +} +static inline void +store_64_le (UINT64_TYPE val, unsigned char *p) +{ + p[7] = (val >> 56) & 0xff; + p[6] = (val >> 48) & 0xff; + p[5] = (val >> 40) & 0xff; + p[4] = (val >> 32) & 0xff; + p[3] = (val >> 24) & 0xff; + p[2] = (val >> 16) & 0xff; + p[1] = (val >> 8) & 0xff; + p[0] = (val ) & 0xff; +} +static inline unsigned short +load_16_be (unsigned char *p) +{ + return (p[1] | (p[0] << 8)); +} +static inline unsigned short +load_16_le (unsigned char *p) +{ + return (p[0] | (p[1] << 8)); +} +static inline unsigned int +load_32_be (unsigned char *p) +{ + return (p[3] | (p[2] << 8) | (p[1] << 16) | (p[0] << 24)); +} +static inline unsigned int +load_32_le (unsigned char *p) +{ + return (p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24)); +} +static inline UINT64_TYPE +load_64_be (unsigned char *p) +{ + return ((UINT64_TYPE)load_32_be(p) << 32) | load_32_be(p+4); +} +static inline UINT64_TYPE +load_64_le (unsigned char *p) +{ + return ((UINT64_TYPE)load_32_le(p+4) << 32) | load_32_le(p); +} + +#endif /* K5_PLATFORM_H */ diff --git a/src/include/krb5.hin b/src/include/krb5.hin index eae960191..a397cb74a 100644 --- a/src/include/krb5.hin +++ b/src/include/krb5.hin @@ -1155,6 +1155,7 @@ typedef struct _krb5_pwd_data { #define KRB5_AUTH_CONTEXT_DO_SEQUENCE 0x00000004 #define KRB5_AUTH_CONTEXT_RET_SEQUENCE 0x00000008 #define KRB5_AUTH_CONTEXT_PERMIT_ALL 0x00000010 +#define KRB5_AUTH_CONTEXT_USE_SUBKEY 0x00000020 typedef struct krb5_replay_data { krb5_timestamp timestamp; @@ -1169,7 +1170,7 @@ typedef struct krb5_replay_data { #define KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR 0x00000008 /* type of function used as a callback to generate checksum data for - * mk_req*/ + * mk_req */ typedef krb5_error_code (KRB5_CALLCONV * krb5_mk_req_checksum_func) (krb5_context, krb5_auth_context , void *, diff --git a/src/lib/crypto/ChangeLog b/src/lib/crypto/ChangeLog index e02d9790e..241723997 100644 --- a/src/lib/crypto/ChangeLog +++ b/src/lib/crypto/ChangeLog @@ -1,3 +1,9 @@ +2003-12-13 Ken Raeburn + + * etypes.c (krb5_enctypes_list): Fill in required_ctype field. + * mandatory_sumtype.c: New file. + * Makefile.in (SRCS, OBJS, STLIBOBJS): Build it. + 2003-07-22 Ken Raeburn * block_size.c (krb5_c_block_size): Read new numeric fields for diff --git a/src/lib/crypto/Makefile.in b/src/lib/crypto/Makefile.in index 87e6c51c3..d01c921ad 100644 --- a/src/lib/crypto/Makefile.in +++ b/src/lib/crypto/Makefile.in @@ -54,6 +54,7 @@ STLIBOBJS=\ keyed_checksum_types.o \ make_checksum.o \ make_random_key.o \ + mandatory_sumtype.o \ nfold.o \ old_api_glue.o \ pbkdf2.o \ @@ -86,6 +87,7 @@ OBJS=\ $(OUTPRE)keyed_checksum_types.$(OBJEXT) \ $(OUTPRE)make_checksum.$(OBJEXT) \ $(OUTPRE)make_random_key.$(OBJEXT) \ + $(OUTPRE)mandatory_sumtype.$(OBJEXT) \ $(OUTPRE)nfold.$(OBJEXT) \ $(OUTPRE)old_api_glue.$(OBJEXT) \ $(OUTPRE)pbkdf2.$(OBJEXT) \ @@ -118,6 +120,7 @@ SRCS=\ $(srcdir)/keyed_checksum_types.c\ $(srcdir)/make_checksum.c \ $(srcdir)/make_random_key.c \ + $(srcdir)/mandatory_sumtype.c \ $(srcdir)/nfold.c \ $(srcdir)/old_api_glue.c \ $(srcdir)/pbkdf2.c \ diff --git a/src/lib/crypto/etypes.c b/src/lib/crypto/etypes.c index 6c195e4b2..6dcf02643 100644 --- a/src/lib/crypto/etypes.c +++ b/src/lib/crypto/etypes.c @@ -45,103 +45,109 @@ const struct krb5_keytypes krb5_enctypes_list[] = { "des-cbc-crc", "DES cbc mode with CRC-32", &krb5int_enc_des, &krb5int_hash_crc32, krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt, - krb5int_des_string_to_key }, + krb5int_des_string_to_key, CKSUMTYPE_RSA_MD5 }, { ENCTYPE_DES_CBC_MD4, "des-cbc-md4", "DES cbc mode with RSA-MD4", &krb5int_enc_des, &krb5int_hash_md4, krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt, - krb5int_des_string_to_key }, + krb5int_des_string_to_key, CKSUMTYPE_RSA_MD4 }, { ENCTYPE_DES_CBC_MD5, "des-cbc-md5", "DES cbc mode with RSA-MD5", &krb5int_enc_des, &krb5int_hash_md5, krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt, - krb5int_des_string_to_key }, + krb5int_des_string_to_key, CKSUMTYPE_RSA_MD5 }, { ENCTYPE_DES_CBC_MD5, "des", "DES cbc mode with RSA-MD5", /* alias */ &krb5int_enc_des, &krb5int_hash_md5, krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt, - krb5int_des_string_to_key }, + krb5int_des_string_to_key, CKSUMTYPE_RSA_MD5 }, { ENCTYPE_DES_CBC_RAW, "des-cbc-raw", "DES cbc mode raw", &krb5int_enc_des, NULL, krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt, - krb5int_des_string_to_key }, + krb5int_des_string_to_key, 0 }, { ENCTYPE_DES3_CBC_RAW, "des3-cbc-raw", "Triple DES cbc mode raw", &krb5int_enc_des3, NULL, krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt, - krb5int_dk_string_to_key }, + krb5int_dk_string_to_key, 0 }, { ENCTYPE_DES3_CBC_SHA1, "des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1", &krb5int_enc_des3, &krb5int_hash_sha1, krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt, - krb5int_dk_string_to_key }, + krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 }, { ENCTYPE_DES3_CBC_SHA1, /* alias */ "des3-hmac-sha1", "Triple DES cbc mode with HMAC/sha1", &krb5int_enc_des3, &krb5int_hash_sha1, krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt, - krb5int_dk_string_to_key }, + krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 }, { ENCTYPE_DES3_CBC_SHA1, /* alias */ "des3-cbc-sha1-kd", "Triple DES cbc mode with HMAC/sha1", &krb5int_enc_des3, &krb5int_hash_sha1, krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt, - krb5int_dk_string_to_key }, + krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 }, { ENCTYPE_DES_HMAC_SHA1, "des-hmac-sha1", "DES with HMAC/sha1", &krb5int_enc_des, &krb5int_hash_sha1, krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt, - krb5int_dk_string_to_key }, + krb5int_dk_string_to_key, 0 }, { ENCTYPE_ARCFOUR_HMAC, "arcfour-hmac","ArcFour with HMAC/md5", &krb5int_enc_arcfour, &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, - krb5_arcfour_decrypt, krb5int_arcfour_string_to_key }, + krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, + CKSUMTYPE_HMAC_MD5_ARCFOUR }, { ENCTYPE_ARCFOUR_HMAC, /* alias */ "rc4-hmac", "ArcFour with HMAC/md5", &krb5int_enc_arcfour, &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, - krb5_arcfour_decrypt, krb5int_arcfour_string_to_key }, + krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, + CKSUMTYPE_HMAC_MD5_ARCFOUR }, { ENCTYPE_ARCFOUR_HMAC, /* alias */ "arcfour-hmac-md5", "ArcFour with HMAC/md5", &krb5int_enc_arcfour, &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, - krb5_arcfour_decrypt, krb5int_arcfour_string_to_key }, + krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, + CKSUMTYPE_HMAC_MD5_ARCFOUR }, { ENCTYPE_ARCFOUR_HMAC_EXP, "arcfour-hmac-exp", "Exportable ArcFour with HMAC/md5", &krb5int_enc_arcfour, &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, - krb5_arcfour_decrypt, krb5int_arcfour_string_to_key }, + krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, + CKSUMTYPE_HMAC_MD5_ARCFOUR }, { ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */ "rc4-hmac-exp", "Exportable ArcFour with HMAC/md5", &krb5int_enc_arcfour, &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, - krb5_arcfour_decrypt, krb5int_arcfour_string_to_key }, + krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, + CKSUMTYPE_HMAC_MD5_ARCFOUR }, { ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */ "arcfour-hmac-md5-exp", "Exportable ArcFour with HMAC/md5", &krb5int_enc_arcfour, &krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, - krb5_arcfour_decrypt, krb5int_arcfour_string_to_key }, + krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, + CKSUMTYPE_HMAC_MD5_ARCFOUR }, { ENCTYPE_AES128_CTS_HMAC_SHA1_96, "aes128-cts-hmac-sha1-96", "AES-128 CTS mode with 96-bit SHA-1 HMAC", &krb5int_enc_aes128, &krb5int_hash_sha1, krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt, - krb5int_aes_string_to_key }, + krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES128 }, { ENCTYPE_AES128_CTS_HMAC_SHA1_96, /* alias */ "aes128-cts", "AES-128 CTS mode with 96-bit SHA-1 HMAC", &krb5int_enc_aes128, &krb5int_hash_sha1, krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt, - krb5int_aes_string_to_key }, + krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES128 }, { ENCTYPE_AES256_CTS_HMAC_SHA1_96, "aes256-cts-hmac-sha1-96", "AES-256 CTS mode with 96-bit SHA-1 HMAC", &krb5int_enc_aes256, &krb5int_hash_sha1, krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt, - krb5int_aes_string_to_key }, + krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES256 }, { ENCTYPE_AES256_CTS_HMAC_SHA1_96, /* alias */ "aes256-cts", "AES-256 CTS mode with 96-bit SHA-1 HMAC", &krb5int_enc_aes256, &krb5int_hash_sha1, krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt, - krb5int_aes_string_to_key }, + krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES256 }, #ifdef ATHENA_DES3_KLUDGE /* @@ -153,7 +159,7 @@ const struct krb5_keytypes krb5_enctypes_list[] = { "Triple DES with HMAC/sha1 and 32-bit length code", &krb5int_enc_des3, &krb5int_hash_sha1, krb5_marc_dk_encrypt_length, krb5_marc_dk_encrypt, krb5_marc_dk_decrypt, - krb5int_dk_string_to_key }, + krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 }, #endif }; diff --git a/src/lib/crypto/mandatory_sumtype.c b/src/lib/crypto/mandatory_sumtype.c new file mode 100644 index 000000000..f9322ff3f --- /dev/null +++ b/src/lib/crypto/mandatory_sumtype.c @@ -0,0 +1,41 @@ +/* + * Copyright (C) 2003 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + +#include "k5-int.h" +#include "etypes.h" + +krb5_error_code +krb5int_c_mandatory_cksumtype (krb5_context ctx, krb5_enctype etype, + krb5_cksumtype *cksumtype) +{ + int i; + + for (i = 0; i < krb5_enctypes_length; i++) + if (krb5_enctypes_list[i].etype == etype) { + *cksumtype = krb5_enctypes_list[i].required_ctype; + return 0; + } + + return KRB5_BAD_ENCTYPE; +} diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index 7ce92efa3..11e840b6b 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog @@ -1,3 +1,15 @@ +2003-12-13 Ken Raeburn + + * mk_req_ext.c (krb5int_generate_and_save_subkey): New function, + split out from krb5_mk_req_extended. + (krb5_mk_req_extended): Call it. + * mk_rep.c (krb5_mk_rep): If KRB5_AUTH_CONTEXT_USE_SUBKEY flag is + set, call krb5int_generate_and_save_subkey to set up a new subkey + to send to the client. + + * serialize.c (krb5_ser_pack_int64, krb5_ser_unpack_int64): New + functions. + 2003-10-30 Tom Yu * gen_seqnum.c (krb5_generate_seq_number): Fix mask; was short by diff --git a/src/lib/krb5/krb/mk_rep.c b/src/lib/krb5/krb/mk_rep.c index 31f3fe500..393f634bb 100644 --- a/src/lib/krb5/krb/mk_rep.c +++ b/src/lib/krb5/krb/mk_rep.c @@ -59,7 +59,14 @@ krb5_mk_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *out repl.ctime = auth_context->authentp->ctime; repl.cusec = auth_context->authentp->cusec; - repl.subkey = auth_context->authentp->subkey; + if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_USE_SUBKEY) { + retval = krb5int_generate_and_save_subkey (context, auth_context, + auth_context->keyblock); + if (retval) + return retval; + repl.subkey = auth_context->send_subkey; + } else + repl.subkey = auth_context->authentp->subkey; repl.seq_number = auth_context->local_seq_number; /* encode it before encrypting */ diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c index bac7ac0ee..cdb8f6950 100644 --- a/src/lib/krb5/krb/mk_req_ext.c +++ b/src/lib/krb5/krb/mk_req_ext.c @@ -70,6 +70,38 @@ krb5_generate_authenticator (krb5_context, krb5_checksum *, krb5_keyblock *, krb5_ui_4, krb5_authdata ** ); +krb5_error_code +krb5int_generate_and_save_subkey (krb5_context context, + krb5_auth_context auth_context, + krb5_keyblock *keyblock) +{ + /* Provide some more fodder for random number code. + This isn't strong cryptographically; the point here is not + to guarantee randomness, but to make it less likely that multiple + sessions could pick the same subkey. */ + struct { + krb5_int32 sec, usec; + } rnd_data; + krb5_data d; + krb5_error_code retval; + + krb5_crypto_us_timeofday (&rnd_data.sec, &rnd_data.usec); + d.length = sizeof (rnd_data); + d.data = (char *) &rnd_data; + (void) krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_TIMING, &d); + + if ((retval = krb5_generate_subkey(context, keyblock, &auth_context->send_subkey))) + return retval; + retval = krb5_copy_keyblock(context, auth_context->send_subkey, + &auth_context->recv_subkey); + if (retval) { + krb5_free_keyblock(context, auth_context->send_subkey); + auth_context->send_subkey = NULL; + return retval; + } + return 0; +} + krb5_error_code KRB5_CALLCONV krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, krb5_flags ap_req_options, krb5_data *in_data, @@ -131,29 +163,10 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, } if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->send_subkey)) { - /* Provide some more fodder for random number code. - This isn't strong cryptographically; the point here is not - to guarantee randomness, but to make it less likely that multiple - sessions could pick the same subkey. */ - struct { - krb5_int32 sec, usec; - } rnd_data; - krb5_data d; - krb5_crypto_us_timeofday (&rnd_data.sec, &rnd_data.usec); - d.length = sizeof (rnd_data); - d.data = (char *) &rnd_data; - (void) krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_TIMING, &d); - - if ((retval = krb5_generate_subkey(context, &(in_creds)->keyblock, - &(*auth_context)->send_subkey))) - goto cleanup; - retval = krb5_copy_keyblock(context, (*auth_context)->send_subkey, - &((*auth_context)->recv_subkey)); - if (retval) { - krb5_free_keyblock(context, (*auth_context)->send_subkey); - (*auth_context)->send_subkey = NULL; + retval = krb5int_generate_and_save_subkey (context, *auth_context, + &in_creds->keyblock); + if (retval) goto cleanup; - } } diff --git a/src/lib/krb5/krb/serialize.c b/src/lib/krb5/krb/serialize.c index 7c5f17a4c..9cbcef78d 100644 --- a/src/lib/krb5/krb/serialize.c +++ b/src/lib/krb5/krb/serialize.c @@ -174,7 +174,7 @@ krb5_internalize_opaque(krb5_context kcontext, krb5_magic odtype, krb5_pointer * } /* - * krb5_ser_pack_int32() - Pack a 4-byte integer if space is availble. + * krb5_ser_pack_int32() - Pack a 4-byte integer if space is available. * Update buffer pointer and remaining space. */ krb5_error_code KRB5_CALLCONV @@ -193,6 +193,23 @@ krb5_ser_pack_int32(krb5_int32 iarg, krb5_octet **bufp, size_t *remainp) return(ENOMEM); } +/* + * krb5_ser_pack_int64() - Pack an 8-byte integer if space is available. + * Update buffer pointer and remaining space. + */ +krb5_error_code KRB5_CALLCONV +krb5_ser_pack_int64(krb5_int64 iarg, krb5_octet **bufp, size_t *remainp) +{ + if (*remainp >= sizeof(krb5_int64)) { + store_64_be(iarg, (unsigned char *)*bufp); + *bufp += sizeof(krb5_int64); + *remainp -= sizeof(krb5_int64); + return(0); + } + else + return(ENOMEM); +} + /* * krb5_ser_pack_bytes() - Pack a string of bytes. */ @@ -228,6 +245,22 @@ krb5_ser_unpack_int32(krb5_int32 *intp, krb5_octet **bufp, size_t *remainp) return(ENOMEM); } +/* + * krb5_ser_unpack_int64() - Unpack an 8-byte integer if it's there. + */ +krb5_error_code KRB5_CALLCONV +krb5_ser_unpack_int64(krb5_int64 *intp, krb5_octet **bufp, size_t *remainp) +{ + if (*remainp >= sizeof(krb5_int64)) { + *intp = load_64_be((unsigned char *)*bufp); + *bufp += sizeof(krb5_int64); + *remainp -= sizeof(krb5_int64); + return(0); + } + else + return(ENOMEM); +} + /* * krb5_ser_unpack_bytes() - Unpack a byte string if it's there. */