From 0f240326537d6d303c288506840189d3b35c4da3 Mon Sep 17 00:00:00 2001
From: Ken Raeburn <raeburn@mit.edu>
Date: Fri, 13 Feb 2004 23:38:57 +0000
Subject: [PATCH] * dk_decrypt.c (krb5_dk_decrypt_maybe_trunc_hmac): New
 argument IVEC_MODE.  If clear, same old behavior.  If set, copy out next to
 last block for CTS. (krb5_dk_decrypt, krb5int_aes_dk_decrypt): Pass extra
 argument. * dk_encrypt.c (krb5int_aes_dk_encrypt): For IV, copy out next to
 last block for CTS.

ticket: 2229
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16077 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/crypto/dk/ChangeLog    |  9 +++++++++
 src/lib/crypto/dk/dk_decrypt.c | 22 +++++++++++++++-------
 src/lib/crypto/dk/dk_encrypt.c | 28 ++++++++++++++++++++++++----
 3 files changed, 48 insertions(+), 11 deletions(-)

diff --git a/src/lib/crypto/dk/ChangeLog b/src/lib/crypto/dk/ChangeLog
index 30107a218..98adf7537 100644
--- a/src/lib/crypto/dk/ChangeLog
+++ b/src/lib/crypto/dk/ChangeLog
@@ -1,3 +1,12 @@
+2004-02-13  Ken Raeburn  <raeburn@mit.edu>
+
+	* dk_decrypt.c (krb5_dk_decrypt_maybe_trunc_hmac): New argument
+	IVEC_MODE.  If clear, same old behavior.  If set, copy out next
+	to last block for CTS.
+	(krb5_dk_decrypt, krb5int_aes_dk_decrypt): Pass extra argument.
+	* dk_encrypt.c (krb5int_aes_dk_encrypt): For IV, copy out next to
+	last block for CTS.
+
 2003-07-22  Ken Raeburn  <raeburn@mit.edu>
 
 	* checksum.c (krb5_dk_make_checksum, krb5_marc_dk_make_checksum):
diff --git a/src/lib/crypto/dk/dk_decrypt.c b/src/lib/crypto/dk/dk_decrypt.c
index 0c95d4079..823eefa27 100644
--- a/src/lib/crypto/dk/dk_decrypt.c
+++ b/src/lib/crypto/dk/dk_decrypt.c
@@ -37,7 +37,8 @@ krb5_dk_decrypt_maybe_trunc_hmac(const struct krb5_enc_provider *enc,
 				 const krb5_data *ivec,
 				 const krb5_data *input,
 				 krb5_data *output,
-				 size_t hmacsize);
+				 size_t hmacsize,
+				 int ivec_mode);
 
 krb5_error_code
 krb5_dk_decrypt(enc, hash, key, usage, ivec, input, output)
@@ -50,7 +51,7 @@ krb5_dk_decrypt(enc, hash, key, usage, ivec, input, output)
      krb5_data *output;
 {
     return krb5_dk_decrypt_maybe_trunc_hmac(enc, hash, key, usage,
-					    ivec, input, output, 0);
+					    ivec, input, output, 0, 0);
 }
 
 krb5_error_code
@@ -64,12 +65,12 @@ krb5int_aes_dk_decrypt(enc, hash, key, usage, ivec, input, output)
      krb5_data *output;
 {
     return krb5_dk_decrypt_maybe_trunc_hmac(enc, hash, key, usage,
-					    ivec, input, output, 96 / 8);
+					    ivec, input, output, 96 / 8, 1);
 }
 
 static krb5_error_code
 krb5_dk_decrypt_maybe_trunc_hmac(enc, hash, key, usage, ivec, input, output,
-				 hmacsize)
+				 hmacsize, ivec_mode)
      const struct krb5_enc_provider *enc;
      const struct krb5_hash_provider *hash;
      const krb5_keyblock *key;
@@ -78,6 +79,7 @@ krb5_dk_decrypt_maybe_trunc_hmac(enc, hash, key, usage, ivec, input, output,
      const krb5_data *input;
      krb5_data *output;
      size_t hmacsize;
+     int ivec_mode;
 {
     krb5_error_code ret;
     size_t hashsize, blocksize, keybytes, keylength, enclen, plainlen;
@@ -154,9 +156,15 @@ krb5_dk_decrypt_maybe_trunc_hmac(enc, hash, key, usage, ivec, input, output,
     if ((ret = ((*(enc->decrypt))(&ke, ivec, &d1, &d2))) != 0)
 	goto cleanup;
 
-    if (ivec != NULL && ivec->length == blocksize)
-	cn = (unsigned char *) d1.data + d1.length - blocksize;
-    else
+    if (ivec != NULL && ivec->length == blocksize) {
+	if (ivec_mode == 0)
+	    cn = (unsigned char *) d1.data + d1.length - blocksize;
+	else if (ivec_mode == 1) {
+	    int nblocks = (d1.length + blocksize - 1) / blocksize;
+	    cn = d1.data + blocksize * (nblocks - 2);
+	} else
+	    abort();
+    } else
 	cn = NULL;
 
     /* verify the hash */
diff --git a/src/lib/crypto/dk/dk_encrypt.c b/src/lib/crypto/dk/dk_encrypt.c
index 32cc509af..cf6b826a4 100644
--- a/src/lib/crypto/dk/dk_encrypt.c
+++ b/src/lib/crypto/dk/dk_encrypt.c
@@ -313,9 +313,10 @@ krb5int_aes_dk_encrypt(enc, hash, key, usage, ivec, input, output)
     if ((ret = ((*(enc->encrypt))(&ke, ivec, &d1, &d2))))
 	goto cleanup;
 
-    if (ivec != NULL && ivec->length == blocksize)
-	cn = d2.data + d2.length - blocksize;
-    else
+    if (ivec != NULL && ivec->length == blocksize) {
+	int nblocks = (d2.length + blocksize - 1) / blocksize;
+	cn = d2.data + blocksize * (nblocks - 2);
+    } else
 	cn = NULL;
 
     /* hash the plaintext */
@@ -333,8 +334,27 @@ krb5int_aes_dk_encrypt(enc, hash, key, usage, ivec, input, output)
     output->length = enclen;
 
     /* update ivec */
-    if (cn != NULL)
+    if (cn != NULL) {
 	memcpy(ivec->data, cn, blocksize);
+#if 0
+	{
+	    int i;
+	    printf("\n%s: output:", __func__);
+	    for (i = 0; i < output->length; i++) {
+		if (i % 16 == 0)
+		    printf("\n%s: ", __func__);
+		printf(" %02x", i[(unsigned char *)output->data]);
+	    }
+	    printf("\n%s: outputIV:", __func__);
+	    for (i = 0; i < ivec->length; i++) {
+		if (i % 16 == 0)
+		    printf("\n%s: ", __func__);
+		printf(" %02x", i[(unsigned char *)ivec->data]);
+	    }
+	    printf("\n");  fflush(stdout);
+	}
+#endif
+    }
 
     /* ret is set correctly by the prior call */
 
-- 
2.26.2