diff options
author | Greg Hudson <ghudson@mit.edu> | 2009-10-19 20:04:21 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2009-10-19 20:04:21 +0000 |
commit | e6b93b7dd43bb765900b2db71641479b597844da (patch) | |
tree | 2b6da09e37da6ca699a8cb43c87e8a4218132254 /src/lib/gssapi | |
parent | 04a5d19e61bedbb1da4db52334c00f7a54a9d5a8 (diff) | |
download | krb5-e6b93b7dd43bb765900b2db71641479b597844da.tar.gz krb5-e6b93b7dd43bb765900b2db71641479b597844da.tar.xz krb5-e6b93b7dd43bb765900b2db71641479b597844da.zip |
Implement new APIs to allow improved crypto performance
Merge branches/enc-perf to trunk. Adds the krb5_key opaque type, the
krb5_k_* APIs to use them, and caching of derived keys when krb5_k_*
functions are used. Updates the krb5 auth context and GSS id-rec to
use krb5_keys.
ticket: 6576
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22944 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/gssapi')
-rw-r--r-- | src/lib/gssapi/krb5/accept_sec_context.c | 27 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/delete_sec_context.c | 8 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/gssapiP_krb5.h | 41 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/init_sec_context.c | 21 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/inq_context.c | 8 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/k5seal.c | 10 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/k5sealiov.c | 11 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/k5sealv3.c | 20 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/k5sealv3iov.c | 20 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/k5unseal.c | 10 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/k5unsealiov.c | 6 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/lucid_context.c | 6 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/ser_sctx.c | 69 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/util_cksum.c | 20 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/util_crypt.c | 133 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/util_seed.c | 20 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/util_seqnum.c | 20 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/wrap_size_limit.c | 6 |
18 files changed, 260 insertions, 196 deletions
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index 934302cffd..6c141ae99e 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c @@ -437,6 +437,7 @@ kg_accept_krb5(minor_status, context_handle, int no_encap = 0; krb5_flags ap_req_options = 0; krb5_enctype negotiated_etype; + krb5_keyblock *keyblock = NULL; krb5_authdata_context ad_context = NULL; code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION); @@ -883,22 +884,21 @@ kg_accept_krb5(minor_status, context_handle, krb5_auth_con_set_authdata_context(context, auth_context, NULL); if ((code = krb5_auth_con_getrecvsubkey(context, auth_context, - &ctx->subkey))) { + &keyblock))) { major_status = GSS_S_FAILURE; goto fail; } /* use the session key if the subkey isn't present */ - if (ctx->subkey == NULL) { - if ((code = krb5_auth_con_getkey(context, auth_context, - &ctx->subkey))) { + if (keyblock == NULL) { + if ((code = krb5_auth_con_getkey(context, auth_context, &keyblock))) { major_status = GSS_S_FAILURE; goto fail; } } - if (ctx->subkey == NULL) { + if (keyblock == NULL) { /* this isn't a very good error, but it's not clear to me this can actually happen */ major_status = GSS_S_FAILURE; @@ -906,6 +906,12 @@ kg_accept_krb5(minor_status, context_handle, goto fail; } + code = krb5_k_create_key(context, keyblock, &ctx->subkey); + if (code) { + major_status = GSS_S_FAILURE; + goto fail; + } + ctx->enc = NULL; ctx->seq = NULL; ctx->have_acceptor_subkey = 0; @@ -1033,12 +1039,19 @@ kg_accept_krb5(minor_status, context_handle, /* Get the new acceptor subkey. With the code above, there should always be one if we make it to this point. */ code = krb5_auth_con_getsendsubkey(context, auth_context, - &ctx->acceptor_subkey); + &keyblock); + if (code != 0) { + major_status = GSS_S_FAILURE; + goto fail; + } + code = krb5_k_create_key(context, keyblock, &ctx->acceptor_subkey); if (code != 0) { major_status = GSS_S_FAILURE; goto fail; } ctx->have_acceptor_subkey = 1; + krb5_free_keyblock(context, keyblock); + keyblock = NULL; code = kg_setup_keys(context, ctx, ctx->acceptor_subkey, &ctx->acceptor_subkey_cksumtype); @@ -1150,6 +1163,8 @@ fail: xfree(reqcksum.contents); if (ap_rep.data) krb5_free_data_contents(context, &ap_rep); + if (keyblock) + krb5_free_keyblock(context, keyblock); if (major_status == GSS_S_COMPLETE || (major_status == GSS_S_CONTINUE_NEEDED && code != KRB5KRB_AP_ERR_MSG_TYPE)) { ctx->k5_context = context; diff --git a/src/lib/gssapi/krb5/delete_sec_context.c b/src/lib/gssapi/krb5/delete_sec_context.c index e2da3dc986..2032d5585e 100644 --- a/src/lib/gssapi/krb5/delete_sec_context.c +++ b/src/lib/gssapi/krb5/delete_sec_context.c @@ -82,19 +82,19 @@ krb5_gss_delete_sec_context(minor_status, context_handle, output_token) g_order_free(&(ctx->seqstate)); if (ctx->enc) - krb5_free_keyblock(context, ctx->enc); + krb5_k_free_key(context, ctx->enc); if (ctx->seq) - krb5_free_keyblock(context, ctx->seq); + krb5_k_free_key(context, ctx->seq); if (ctx->here) kg_release_name(context, 0, &ctx->here); if (ctx->there) kg_release_name(context, 0, &ctx->there); if (ctx->subkey) - krb5_free_keyblock(context, ctx->subkey); + krb5_k_free_key(context, ctx->subkey); if (ctx->acceptor_subkey) - krb5_free_keyblock(context, ctx->acceptor_subkey); + krb5_k_free_key(context, ctx->acceptor_subkey); if (ctx->auth_context) { if (ctx->cred_rcache) diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h index e05c5bc81f..541a745545 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -190,15 +190,14 @@ typedef struct _krb5_gss_ctx_id_rec { unsigned char seed[16]; krb5_gss_name_t here; krb5_gss_name_t there; - krb5_keyblock *subkey; /*One of two potential keys to use with RFC - * 4121 packets; this key must always be set.*/ + krb5_key subkey; /* One of two potential keys to use with RFC 4121 + * packets; this key must always be set. */ int signalg; size_t cksum_size; int sealalg; - krb5_keyblock *enc; /*RFC 1964 encryption key;seq xored with a - * constant for DES, - * seq for other RFC 1964 enctypes */ - krb5_keyblock *seq; /*RFC 1964 sequencing key*/ + krb5_key enc; /* RFC 1964 encryption key; seq xored with a constant + * for DES, seq for other RFC 1964 enctypes */ + krb5_key seq; /* RFC 1964 sequencing key */ krb5_ticket_times krb_times; krb5_flags krb_flags; /* XXX these used to be signed. the old spec is inspecific, and @@ -218,7 +217,7 @@ typedef struct _krb5_gss_ctx_id_rec { 1964 tokens is permitted.*/ int proto; krb5_cksumtype cksumtype; /* for "main" subkey */ - krb5_keyblock *acceptor_subkey; /* CFX only */ + krb5_key acceptor_subkey; /* CFX only */ krb5_cksumtype acceptor_subkey_cksumtype; int cred_rcache; /* did we get rcache from creds? */ krb5_authdata **authdata; @@ -259,32 +258,32 @@ krb5_error_code kg_checksum_channel_bindings int bigend); krb5_error_code kg_make_seq_num (krb5_context context, - krb5_keyblock *key, + krb5_key key, int direction, krb5_ui_4 seqnum, unsigned char *cksum, unsigned char *buf); krb5_error_code kg_get_seq_num (krb5_context context, - krb5_keyblock *key, + krb5_key key, unsigned char *cksum, unsigned char *buf, int *direction, krb5_ui_4 *seqnum); krb5_error_code kg_make_seed (krb5_context context, - krb5_keyblock *key, + krb5_key key, unsigned char *seed); krb5_error_code kg_setup_keys(krb5_context context, krb5_gss_ctx_id_rec *ctx, - krb5_keyblock *subkey, + krb5_key subkey, krb5_cksumtype *cksumtype); -int kg_confounder_size (krb5_context context, krb5_keyblock *key); +int kg_confounder_size (krb5_context context, krb5_key key); krb5_error_code kg_make_confounder (krb5_context context, - krb5_keyblock *key, unsigned char *buf); + krb5_key key, unsigned char *buf); krb5_error_code kg_encrypt (krb5_context context, - krb5_keyblock *key, int usage, + krb5_key key, int usage, krb5_pointer iv, krb5_const_pointer in, krb5_pointer out, @@ -293,7 +292,7 @@ krb5_error_code kg_encrypt (krb5_context context, krb5_error_code kg_encrypt_iov (krb5_context context, int proto, int dce_style, size_t ec, size_t rrc, - krb5_keyblock *key, int usage, + krb5_key key, int usage, krb5_pointer iv, gss_iov_buffer_desc *iov, int iov_count); @@ -312,7 +311,7 @@ kg_arcfour_docrypt_iov (krb5_context context, int iov_count); krb5_error_code kg_decrypt (krb5_context context, - krb5_keyblock *key, int usage, + krb5_key key, int usage, krb5_pointer iv, krb5_const_pointer in, krb5_pointer out, @@ -321,7 +320,7 @@ krb5_error_code kg_decrypt (krb5_context context, krb5_error_code kg_decrypt_iov (krb5_context context, int proto, int dce_style, size_t ec, size_t rrc, - krb5_keyblock *key, int usage, + krb5_key key, int usage, krb5_pointer iv, gss_iov_buffer_desc *iov, int iov_count); @@ -409,8 +408,8 @@ void kg_release_iov(gss_iov_buffer_desc *iov, krb5_error_code kg_make_checksum_iov_v1(krb5_context context, krb5_cksumtype type, size_t token_cksum_len, - krb5_keyblock *seq, - krb5_keyblock *enc, /* for conf len */ + krb5_key seq, + krb5_key enc, /* for conf len */ krb5_keyusage sign_usage, gss_iov_buffer_desc *iov, int iov_count, @@ -420,7 +419,7 @@ krb5_error_code kg_make_checksum_iov_v1(krb5_context context, krb5_error_code kg_make_checksum_iov_v3(krb5_context context, krb5_cksumtype type, size_t rrc, - krb5_keyblock *key, + krb5_key key, krb5_keyusage sign_usage, gss_iov_buffer_desc *iov, int iov_count); @@ -428,7 +427,7 @@ krb5_error_code kg_make_checksum_iov_v3(krb5_context context, krb5_error_code kg_verify_checksum_iov_v3(krb5_context context, krb5_cksumtype type, size_t rrc, - krb5_keyblock *key, + krb5_key key, krb5_keyusage sign_usage, gss_iov_buffer_desc *iov, int iov_count, diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index 62e7d6ed73..e04818f760 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -482,6 +482,7 @@ kg_new_connection( krb5_gss_ctx_id_rec *ctx, *ctx_free; krb5_timestamp now; gss_buffer_desc token; + krb5_keyblock *keyblock; k5_mutex_assert_locked(&cred->lock); major_status = GSS_S_FAILURE; @@ -602,8 +603,14 @@ kg_new_connection( krb5_auth_con_getlocalseqnumber(context, ctx->auth_context, &seq_temp); ctx->seq_send = seq_temp; - krb5_auth_con_getsendsubkey(context, ctx->auth_context, - &ctx->subkey); + code = krb5_auth_con_getsendsubkey(context, ctx->auth_context, + &keyblock); + if (code != 0) + goto fail; + code = krb5_k_create_key(context, keyblock, &ctx->subkey); + krb5_free_keyblock(context, keyblock); + if (code != 0) + goto fail; } krb5_free_creds(context, k_cred); @@ -668,7 +675,7 @@ fail: if (ctx_free->there) kg_release_name(context, 0, &ctx_free->there); if (ctx_free->subkey) - krb5_free_keyblock(context, ctx_free->subkey); + krb5_k_free_key(context, ctx_free->subkey); xfree(ctx_free); } else (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL); @@ -797,7 +804,7 @@ mutual_auth( * To be removed in 1999 -- proven */ krb5_auth_con_setuseruserkey(context, ctx->auth_context, - ctx->subkey); + &ctx->subkey->keyblock); if ((krb5_rd_rep(context, ctx->auth_context, &ap_rep, &ap_rep_data))) goto fail; @@ -811,11 +818,11 @@ mutual_auth( if (ap_rep_data->subkey != NULL && (ctx->proto == 1 || (ctx->gss_flags & GSS_C_DCE_STYLE) || - ap_rep_data->subkey->enctype != ctx->subkey->enctype)) { + ap_rep_data->subkey->enctype != ctx->subkey->keyblock.enctype)) { /* Keep acceptor's subkey. */ ctx->have_acceptor_subkey = 1; - code = krb5_copy_keyblock(context, ap_rep_data->subkey, - &ctx->acceptor_subkey); + code = krb5_k_create_key(context, ap_rep_data->subkey, + &ctx->acceptor_subkey); if (code) { krb5_free_ap_rep_enc_part(context, ap_rep_data); goto fail; diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c index fbc389245c..eaf1c4d02b 100644 --- a/src/lib/gssapi/krb5/inq_context.c +++ b/src/lib/gssapi/krb5/inq_context.c @@ -187,7 +187,7 @@ gss_krb5int_inq_session_key( gss_buffer_set_t *data_set) { krb5_gss_ctx_id_rec *ctx; - krb5_keyblock *key; + krb5_key key; gss_buffer_desc keyvalue, keyinfo; OM_uint32 major_status, minor; unsigned char oid_buf[GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH + 6]; @@ -196,8 +196,8 @@ gss_krb5int_inq_session_key( ctx = (krb5_gss_ctx_id_rec *) context_handle; key = ctx->have_acceptor_subkey ? ctx->acceptor_subkey : ctx->subkey; - keyvalue.value = key->contents; - keyvalue.length = key->length; + keyvalue.value = key->keyblock.contents; + keyvalue.length = key->keyblock.length; major_status = generic_gss_add_buffer_set_member(minor_status, &keyvalue, data_set); if (GSS_ERROR(major_status)) @@ -209,7 +209,7 @@ gss_krb5int_inq_session_key( major_status = generic_gss_oid_compose(minor_status, GSS_KRB5_SESSION_KEY_ENCTYPE_OID, GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH, - key->enctype, + key->keyblock.enctype, &oid); if (GSS_ERROR(major_status)) goto cleanup; diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c index 1949020ab1..7a6e5aae8f 100644 --- a/src/lib/gssapi/krb5/k5seal.c +++ b/src/lib/gssapi/krb5/k5seal.c @@ -53,8 +53,8 @@ static krb5_error_code make_seal_token_v1 (krb5_context context, - krb5_keyblock *enc, - krb5_keyblock *seq, + krb5_key enc, + krb5_key seq, gssint_uint64 *seqnum, int direction, gss_buffer_t text, @@ -197,7 +197,7 @@ make_seal_token_v1 (krb5_context context, (void) memcpy(data_ptr+8, plain, msglen); plaind.length = 8 + (bigend ? text->length : msglen); plaind.data = data_ptr; - code = krb5_c_make_checksum(context, md5cksum.checksum_type, seq, + code = krb5_k_make_checksum(context, md5cksum.checksum_type, seq, sign_usage, &plaind, &md5cksum); xfree(data_ptr); @@ -212,7 +212,7 @@ make_seal_token_v1 (krb5_context context, if ((code = kg_encrypt(context, seq, KG_USAGE_SEAL, (g_OID_equal(oid, gss_mech_krb5_old) ? - seq->contents : NULL), + seq->keyblock.contents : NULL), md5cksum.contents, md5cksum.contents, 16))) { krb5_free_checksum_contents(context, &md5cksum); xfree (plain); @@ -259,7 +259,7 @@ make_seal_token_v1 (krb5_context context, krb5_keyblock *enc_key; int i; store_32_be(*seqnum, bigend_seqnum); - code = krb5_copy_keyblock (context, enc, &enc_key); + code = krb5_k_key_keyblock(context, enc, &enc_key); if (code) { xfree(plain); diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c index f4354a9f3d..1a9eac994a 100644 --- a/src/lib/gssapi/krb5/k5sealiov.c +++ b/src/lib/gssapi/krb5/k5sealiov.c @@ -193,7 +193,7 @@ make_seal_token_v1_iov(krb5_context context, case SGN_ALG_3: code = kg_encrypt(context, ctx->seq, KG_USAGE_SEAL, (g_OID_equal(ctx->mech_used, gss_mech_krb5_old) ? - ctx->seq->contents : NULL), + ctx->seq->keyblock.contents : NULL), md5cksum.contents, md5cksum.contents, 16); if (code != 0) goto cleanup; @@ -226,7 +226,7 @@ make_seal_token_v1_iov(krb5_context context, store_32_be(ctx->seq_send, bigend_seqnum); - code = krb5_copy_keyblock(context, ctx->enc, &enc_key); + code = krb5_k_key_keyblock(context, ctx->enc, &enc_key); if (code != 0) goto cleanup; @@ -408,13 +408,12 @@ kg_seal_iov_length(OM_uint32 *minor_status, gss_headerlen = gss_padlen = gss_trailerlen = 0; if (ctx->proto == 1) { + krb5_key key; krb5_enctype enctype; size_t ec; - if (ctx->have_acceptor_subkey) - enctype = ctx->acceptor_subkey->enctype; - else - enctype = ctx->subkey->enctype; + key = (ctx->have_acceptor_subkey) ? ctx->acceptor_subkey : ctx->subkey; + enctype = key->keyblock.enctype; code = krb5_c_crypto_length(context, enctype, conf_req_flag ? diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c index 26e20d73b4..ad5c03a398 100644 --- a/src/lib/gssapi/krb5/k5sealv3.c +++ b/src/lib/gssapi/krb5/k5sealv3.c @@ -81,7 +81,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, size_t ec; unsigned short tok_id; krb5_checksum sum; - krb5_keyblock *key; + krb5_key key; krb5_cksumtype cksumtype; assert(ctx->big_endian == 0); @@ -136,7 +136,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, return ENOMEM; /* Get size of ciphertext. */ - bufsize = 16 + krb5_encrypt_size (plain.length, key->enctype); + bufsize = 16 + krb5_encrypt_size (plain.length, key->keyblock.enctype); /* Allocate space for header plus encrypted data. */ outbuf = malloc(bufsize); if (outbuf == NULL) { @@ -164,8 +164,8 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, cipher.ciphertext.data = (char *)outbuf + 16; cipher.ciphertext.length = bufsize - 16; - cipher.enctype = key->enctype; - err = krb5_c_encrypt(context, key, key_usage, 0, &plain, &cipher); + cipher.enctype = key->keyblock.enctype; + err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher); zap(plain.data, plain.length); free(plain.data); plain.data = 0; @@ -245,7 +245,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, sum.contents = outbuf + 16 + message2->length; sum.length = cksumsize; - err = krb5_c_make_checksum(context, cksumtype, key, + err = krb5_k_make_checksum(context, cksumtype, key, key_usage, &plain, &sum); zap(plain.data, plain.length); free(plain.data); @@ -317,7 +317,7 @@ gss_krb5int_unseal_token_v3(krb5_context *contextptr, krb5_checksum sum; krb5_error_code err; krb5_boolean valid; - krb5_keyblock *key; + krb5_key key; krb5_cksumtype cksumtype; if (ctx->big_endian != 0) @@ -398,14 +398,14 @@ gss_krb5int_unseal_token_v3(krb5_context *contextptr, For all current cryptosystems, the ciphertext size will be larger than the plaintext size. */ - cipher.enctype = key->enctype; + cipher.enctype = key->keyblock.enctype; cipher.ciphertext.length = bodysize - 16; cipher.ciphertext.data = (char *)ptr + 16; plain.length = bodysize - 16; plain.data = malloc(plain.length); if (plain.data == NULL) goto no_mem; - err = krb5_c_decrypt(context, key, key_usage, 0, + err = krb5_k_decrypt(context, key, key_usage, 0, &cipher, &plain); if (err) { free(plain.data); @@ -459,7 +459,7 @@ gss_krb5int_unseal_token_v3(krb5_context *contextptr, } sum.contents = ptr+bodysize-ec; sum.checksum_type = cksumtype; - err = krb5_c_verify_checksum(context, key, key_usage, + err = krb5_k_verify_checksum(context, key, key_usage, &plain, &sum, &valid); if (err) goto error; @@ -496,7 +496,7 @@ gss_krb5int_unseal_token_v3(krb5_context *contextptr, sum.length = bodysize - 16; sum.contents = ptr + 16; sum.checksum_type = cksumtype; - err = krb5_c_verify_checksum(context, key, key_usage, + err = krb5_k_verify_checksum(context, key, key_usage, &plain, &sum, &valid); free(plain.data); plain.data = NULL; diff --git a/src/lib/gssapi/krb5/k5sealv3iov.c b/src/lib/gssapi/krb5/k5sealv3iov.c index c30352b0a5..b5b979310f 100644 --- a/src/lib/gssapi/krb5/k5sealv3iov.c +++ b/src/lib/gssapi/krb5/k5sealv3iov.c @@ -53,7 +53,7 @@ gss_krb5int_make_seal_token_v3_iov(krb5_context context, int key_usage; size_t rrc = 0; unsigned int gss_headerlen, gss_trailerlen; - krb5_keyblock *key; + krb5_key key; krb5_cksumtype cksumtype; size_t data_length, assoc_data_length; @@ -95,24 +95,26 @@ gss_krb5int_make_seal_token_v3_iov(krb5_context context, size_t ec = 0; size_t conf_data_length = data_length - assoc_data_length; - code = krb5_c_crypto_length(context, key->enctype, KRB5_CRYPTO_TYPE_HEADER, &k5_headerlen); + code = krb5_c_crypto_length(context, key->keyblock.enctype, + KRB5_CRYPTO_TYPE_HEADER, &k5_headerlen); if (code != 0) goto cleanup; - code = krb5_c_padding_length(context, key->enctype, + code = krb5_c_padding_length(context, key->keyblock.enctype, conf_data_length + 16 /* E(Header) */, &k5_padlen); if (code != 0) goto cleanup; if (k5_padlen == 0 && (ctx->gss_flags & GSS_C_DCE_STYLE)) { /* Windows rejects AEAD tokens with non-zero EC */ - code = krb5_c_block_size(context, key->enctype, &ec); + code = krb5_c_block_size(context, key->keyblock.enctype, &ec); if (code != 0) goto cleanup; } else ec = k5_padlen; - code = krb5_c_crypto_length(context, key->enctype, KRB5_CRYPTO_TYPE_TRAILER, &k5_trailerlen); + code = krb5_c_crypto_length(context, key->keyblock.enctype, + KRB5_CRYPTO_TYPE_TRAILER, &k5_trailerlen); if (code != 0) goto cleanup; @@ -186,7 +188,9 @@ gss_krb5int_make_seal_token_v3_iov(krb5_context context, gss_headerlen = 16; - code = krb5_c_crypto_length(context, key->enctype, KRB5_CRYPTO_TYPE_CHECKSUM, &gss_trailerlen); + code = krb5_c_crypto_length(context, key->keyblock.enctype, + KRB5_CRYPTO_TYPE_CHECKSUM, + &gss_trailerlen); if (code != 0) goto cleanup; @@ -291,7 +295,7 @@ gss_krb5int_unseal_v3_iov(krb5_context context, int key_usage; size_t rrc, ec; size_t data_length, assoc_data_length; - krb5_keyblock *key; + krb5_key key; gssint_uint64 seqnum; krb5_boolean valid; krb5_cksumtype cksumtype; @@ -357,7 +361,7 @@ gss_krb5int_unseal_v3_iov(krb5_context context, rrc = load_16_be(ptr + 6); seqnum = load_64_be(ptr + 8); - code = krb5_c_crypto_length(context, key->enctype, + code = krb5_c_crypto_length(context, key->keyblock.enctype, conf_flag ? KRB5_CRYPTO_TYPE_TRAILER : KRB5_CRYPTO_TYPE_CHECKSUM, &k5_trailerlen); diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c index f55180af86..2ef59a7224 100644 --- a/src/lib/gssapi/krb5/k5unseal.c +++ b/src/lib/gssapi/krb5/k5unseal.c @@ -176,7 +176,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, krb5_keyblock *enc_key; int i; store_32_be(seqnum, bigend_seqnum); - code = krb5_copy_keyblock (context, ctx->enc, &enc_key); + code = krb5_k_key_keyblock(context, ctx->enc, &enc_key); if (code) { xfree(plain); @@ -287,7 +287,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, plaind.length = 8 + (ctx->big_endian ? token.length : plainlen); plaind.data = data_ptr; - code = krb5_c_make_checksum(context, md5cksum.checksum_type, + code = krb5_k_make_checksum(context, md5cksum.checksum_type, ctx->seq, sign_usage, &plaind, &md5cksum); xfree(data_ptr); @@ -301,7 +301,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, if ((code = kg_encrypt(context, ctx->seq, KG_USAGE_SEAL, (g_OID_equal(ctx->mech_used, gss_mech_krb5_old) ? - ctx->seq->contents : NULL), + ctx->seq->keyblock.contents : NULL), md5cksum.contents, md5cksum.contents, 16))) { krb5_free_checksum_contents(context, &md5cksum); if (toktype == KG_TOK_SEAL_MSG) @@ -354,7 +354,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, (ctx->big_endian ? token.length : plainlen); plaind.data = data_ptr; krb5_free_checksum_contents(context, &md5cksum); - code = krb5_c_make_checksum(context, md5cksum.checksum_type, + code = krb5_k_make_checksum(context, md5cksum.checksum_type, ctx->seq, sign_usage, &plaind, &md5cksum); xfree(data_ptr); @@ -400,7 +400,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, plaind.length = 8 + (ctx->big_endian ? token.length : plainlen); plaind.data = data_ptr; - code = krb5_c_make_checksum(context, md5cksum.checksum_type, + code = krb5_k_make_checksum(context, md5cksum.checksum_type, ctx->seq, sign_usage, &plaind, &md5cksum); xfree(data_ptr); diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c index 5d2bd1afa5..d09bf89a45 100644 --- a/src/lib/gssapi/krb5/k5unsealiov.c +++ b/src/lib/gssapi/krb5/k5unsealiov.c @@ -153,7 +153,7 @@ kg_unseal_v1_iov(krb5_context context, store_32_be(seqnum, bigend_seqnum); - code = krb5_copy_keyblock(context, ctx->enc, &enc_key); + code = krb5_k_key_keyblock(context, ctx->enc, &enc_key); if (code != 0) { retval = GSS_S_FAILURE; goto cleanup; @@ -231,7 +231,7 @@ kg_unseal_v1_iov(krb5_context context, case SGN_ALG_3: code = kg_encrypt(context, ctx->seq, KG_USAGE_SEAL, (g_OID_equal(ctx->mech_used, gss_mech_krb5_old) ? - ctx->seq->contents : NULL), + ctx->seq->keyblock.contents : NULL), md5cksum.contents, md5cksum.contents, 16); if (code != 0) { retval = GSS_S_FAILURE; @@ -518,7 +518,7 @@ kg_unseal_stream_iov(OM_uint32 *minor_status, case KG2_TOK_WRAP_MSG: case KG2_TOK_DEL_CTX: { size_t ec, rrc; - krb5_enctype enctype = ctx->enc->enctype; + krb5_enctype enctype = ctx->enc->keyblock.enctype; unsigned int k5_headerlen = 0; unsigned int k5_trailerlen = 0; diff --git a/src/lib/gssapi/krb5/lucid_context.c b/src/lib/gssapi/krb5/lucid_context.c index cefac261ed..fb5a8e7877 100644 --- a/src/lib/gssapi/krb5/lucid_context.c +++ b/src/lib/gssapi/krb5/lucid_context.c @@ -213,7 +213,7 @@ make_external_lucid_ctx_v1( lctx->rfc1964_kd.sign_alg = gctx->signalg; lctx->rfc1964_kd.seal_alg = gctx->sealalg; /* Copy key */ - if ((retval = copy_keyblock_to_lucid_key(gctx->seq, + if ((retval = copy_keyblock_to_lucid_key(&gctx->seq->keyblock, &lctx->rfc1964_kd.ctx_key))) goto error_out; } @@ -221,11 +221,11 @@ make_external_lucid_ctx_v1( /* Copy keys */ /* (subkey is always present, either a copy of the kerberos session key or a subkey) */ - if ((retval = copy_keyblock_to_lucid_key(gctx->subkey, + if ((retval = copy_keyblock_to_lucid_key(&gctx->subkey->keyblock, &lctx->cfx_kd.ctx_key))) goto error_out; if (gctx->have_acceptor_subkey) { - if ((retval = copy_keyblock_to_lucid_key(gctx->acceptor_subkey, + if ((retval = copy_keyblock_to_lucid_key(&gctx->acceptor_subkey->keyblock, &lctx->cfx_kd.acceptor_subkey))) goto error_out; lctx->cfx_kd.have_acceptor_subkey = 1; diff --git a/src/lib/gssapi/krb5/ser_sctx.c b/src/lib/gssapi/krb5/ser_sctx.c index 9b55a65077..bdcd7685ef 100644 --- a/src/lib/gssapi/krb5/ser_sctx.c +++ b/src/lib/gssapi/krb5/ser_sctx.c @@ -304,19 +304,19 @@ kg_ctx_size(kcontext, arg, sizep) if (!kret && ctx->subkey) kret = krb5_size_opaque(kcontext, KV5M_KEYBLOCK, - (krb5_pointer) ctx->subkey, + (krb5_pointer) &ctx->subkey->keyblock, &required); if (!kret && ctx->enc) kret = krb5_size_opaque(kcontext, KV5M_KEYBLOCK, - (krb5_pointer) ctx->enc, + (krb5_pointer) &ctx->enc->keyblock, &required); if (!kret && ctx->seq) kret = krb5_size_opaque(kcontext, KV5M_KEYBLOCK, - (krb5_pointer) ctx->seq, + (krb5_pointer) &ctx->seq->keyblock, &required); if (!kret) @@ -339,8 +339,8 @@ kg_ctx_size(kcontext, arg, sizep) &required); if (!kret && ctx->acceptor_subkey) kret = krb5_size_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer) ctx->acceptor_subkey, + KV5M_KEYBLOCK, (krb5_pointer) + &ctx->acceptor_subkey->keyblock, &required); if (!kret && ctx->authdata) { krb5_int32 i; @@ -459,20 +459,20 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain) if (!kret && ctx->subkey) kret = krb5_externalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer) ctx->subkey, + KV5M_KEYBLOCK, (krb5_pointer) + &ctx->subkey->keyblock, &bp, &remain); if (!kret && ctx->enc) kret = krb5_externalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer) ctx->enc, + KV5M_KEYBLOCK, (krb5_pointer) + &ctx->enc->keyblock, &bp, &remain); if (!kret && ctx->seq) kret = krb5_externalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer) ctx->seq, + KV5M_KEYBLOCK, (krb5_pointer) + &ctx->seq->keyblock, &bp, &remain); if (!kret && ctx->seqstate) @@ -499,8 +499,8 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain) &bp, &remain); if (!kret && ctx->acceptor_subkey) kret = krb5_externalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer) ctx->acceptor_subkey, + KV5M_KEYBLOCK, (krb5_pointer) + &ctx->acceptor_subkey->keyblock, &bp, &remain); if (!kret) kret = krb5_ser_pack_int32((krb5_int32) ctx->acceptor_subkey_cksumtype, @@ -554,6 +554,22 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain) return(kret); } +/* Internalize a keyblock and convert it to a key. */ +static krb5_error_code +intern_key(krb5_context ctx, krb5_key *key, krb5_octet **bp, size_t *sp) +{ + krb5_keyblock *keyblock; + krb5_error_code ret; + + ret = krb5_internalize_opaque(ctx, KV5M_KEYBLOCK, + (krb5_pointer *) &keyblock, bp, sp); + if (ret != 0) + return ret; + ret = krb5_k_create_key(ctx, keyblock, key); + krb5_free_keyblock(ctx, keyblock); + return ret; +} + /* * Internalize this krb5_gss_ctx_id_t. */ @@ -670,26 +686,17 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain) kret = 0; } if (!kret && - (kret = krb5_internalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer *) &ctx->subkey, - &bp, &remain))) { + (kret = intern_key(kcontext, &ctx->subkey, &bp, &remain))) { if (kret == EINVAL) kret = 0; } if (!kret && - (kret = krb5_internalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer *) &ctx->enc, - &bp, &remain))) { + (kret = intern_key(kcontext, &ctx->enc, &bp, &remain))) { if (kret == EINVAL) kret = 0; } if (!kret && - (kret = krb5_internalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer *) &ctx->seq, - &bp, &remain))) { + (kret = intern_key(kcontext, &ctx->seq, &bp, &remain))) { if (kret == EINVAL) kret = 0; } @@ -720,10 +727,8 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain) kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); ctx->cksumtype = ibuf; if (!kret && - (kret = krb5_internalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer *) &ctx->acceptor_subkey, - &bp, &remain))) { + (kret = intern_key(kcontext, &ctx->acceptor_subkey, + &bp, &remain))) { if (kret == EINVAL) kret = 0; } @@ -781,11 +786,11 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain) *argp = (krb5_pointer) ctx; } else { if (ctx->seq) - krb5_free_keyblock(kcontext, ctx->seq); + krb5_k_free_key(kcontext, ctx->seq); if (ctx->enc) - krb5_free_keyblock(kcontext, ctx->enc); + krb5_k_free_key(kcontext, ctx->enc); if (ctx->subkey) - krb5_free_keyblock(kcontext, ctx->subkey); + krb5_k_free_key(kcontext, ctx->subkey); if (ctx->there) kg_release_name(kcontext, 0, &ctx->there); if (ctx->here) diff --git a/src/lib/gssapi/krb5/util_cksum.c b/src/lib/gssapi/krb5/util_cksum.c index fc6c849c95..9d4e08ff81 100644 --- a/src/lib/gssapi/krb5/util_cksum.c +++ b/src/lib/gssapi/krb5/util_cksum.c @@ -112,8 +112,8 @@ krb5_error_code kg_make_checksum_iov_v1(krb5_context context, krb5_cksumtype type, size_t cksum_len, - krb5_keyblock *seq, - krb5_keyblock *enc, + krb5_key seq, + krb5_key enc, krb5_keyusage sign_usage, gss_iov_buffer_desc *iov, int iov_count, @@ -137,7 +137,7 @@ kg_make_checksum_iov_v1(krb5_context context, /* Checksum over ( Header | Confounder | Data | Pad ) */ if (toktype == KG_TOK_WRAP_MSG) - conf_len = kg_confounder_size(context, (krb5_keyblock *)enc); + conf_len = kg_confounder_size(context, enc); /* Checksum output */ kiov[i].flags = KRB5_CRYPTO_TYPE_CHECKSUM; @@ -173,7 +173,7 @@ kg_make_checksum_iov_v1(krb5_context context, i++; } - code = krb5_c_make_checksum_iov(context, type, seq, sign_usage, kiov, kiov_count); + code = krb5_k_make_checksum_iov(context, type, seq, sign_usage, kiov, kiov_count); if (code == 0) { checksum->length = kiov[0].data.length; checksum->contents = (unsigned char *)kiov[0].data.data; @@ -189,7 +189,7 @@ static krb5_error_code checksum_iov_v3(krb5_context context, krb5_cksumtype type, size_t rrc, - krb5_keyblock *key, + krb5_key key, krb5_keyusage sign_usage, gss_iov_buffer_desc *iov, int iov_count, @@ -207,7 +207,7 @@ checksum_iov_v3(krb5_context context, if (verify) *valid = FALSE; - code = krb5_c_crypto_length(context, key->enctype, KRB5_CRYPTO_TYPE_CHECKSUM, &k5_checksumlen); + code = krb5_c_crypto_length(context, key->keyblock.enctype, KRB5_CRYPTO_TYPE_CHECKSUM, &k5_checksumlen); if (code != 0) return code; @@ -258,9 +258,9 @@ checksum_iov_v3(krb5_context context, i++; if (verify) - code = krb5_c_verify_checksum_iov(context, type, key, sign_usage, kiov, kiov_count, valid); + code = krb5_k_verify_checksum_iov(context, type, key, sign_usage, kiov, kiov_count, valid); else - code = krb5_c_make_checksum_iov(context, type, key, sign_usage, kiov, kiov_count); + code = krb5_k_make_checksum_iov(context, type, key, sign_usage, kiov, kiov_count); xfree(kiov); @@ -271,7 +271,7 @@ krb5_error_code kg_make_checksum_iov_v3(krb5_context context, krb5_cksumtype type, size_t rrc, - krb5_keyblock *key, + krb5_key key, krb5_keyusage sign_usage, gss_iov_buffer_desc *iov, int iov_count) @@ -284,7 +284,7 @@ krb5_error_code kg_verify_checksum_iov_v3(krb5_context context, krb5_cksumtype type, size_t rrc, - krb5_keyblock *key, + krb5_key key, krb5_keyusage sign_usage, gss_iov_buffer_desc *iov, int iov_count, diff --git a/src/lib/gssapi/krb5/util_crypt.c b/src/lib/gssapi/krb5/util_crypt.c index 87e04065fa..53e420d9fa 100644 --- a/src/lib/gssapi/krb5/util_crypt.c +++ b/src/lib/gssapi/krb5/util_crypt.c @@ -59,39 +59,53 @@ static const char kg_arcfour_l40[] = "fortybits"; static krb5_error_code kg_copy_keys(krb5_context context, krb5_gss_ctx_id_rec *ctx, - krb5_keyblock *subkey) + krb5_key subkey) { krb5_error_code code; - if (ctx->enc != NULL) { - krb5_free_keyblock(context, ctx->enc); - ctx->enc = NULL; - } + krb5_k_free_key(context, ctx->enc); + ctx->enc = NULL; + code = krb5_k_create_key(context, &subkey->keyblock, &ctx->enc); + if (code != 0) + return code; - code = krb5_copy_keyblock(context, subkey, &ctx->enc); + krb5_k_free_key(context, ctx->seq); + ctx->seq = NULL; + code = krb5_k_create_key(context, &subkey->keyblock, &ctx->seq); if (code != 0) return code; - if (ctx->seq != NULL) { - krb5_free_keyblock(context, ctx->seq); - ctx->seq = NULL; - } + return 0; +} + +static krb5_error_code +kg_derive_des_enc_key(krb5_context context, krb5_key subkey, krb5_key *out) +{ + krb5_error_code code; + krb5_keyblock *keyblock; + unsigned int i; + + *out = NULL; - code = krb5_copy_keyblock(context, subkey, &ctx->seq); + code = krb5_k_key_keyblock(context, subkey, &keyblock); if (code != 0) return code; - return 0; + for (i = 0; i < keyblock->length; i++) + keyblock->contents[i] ^= 0xF0; + + code = krb5_k_create_key(context, keyblock, out); + krb5_free_keyblock(context, keyblock); + return code; } krb5_error_code kg_setup_keys(krb5_context context, krb5_gss_ctx_id_rec *ctx, - krb5_keyblock *subkey, + krb5_key subkey, krb5_cksumtype *cksumtype) { krb5_error_code code; - unsigned int i; krb5int_access kaccess; assert(ctx != NULL); @@ -109,36 +123,40 @@ kg_setup_keys(krb5_context context, if (code != 0) return code; - code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, subkey->enctype, + code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, + subkey->keyblock.enctype, cksumtype); if (code != 0) return code; - switch (subkey->enctype) { + switch (subkey->keyblock.enctype) { case ENCTYPE_DES_CBC_MD5: case ENCTYPE_DES_CBC_MD4: case ENCTYPE_DES_CBC_CRC: - code = kg_copy_keys(context, ctx, subkey); + krb5_k_free_key(context, ctx->seq); + code = krb5_k_create_key(context, &subkey->keyblock, &ctx->seq); + if (code != 0) + return code; + + krb5_k_free_key(context, ctx->enc); + code = kg_derive_des_enc_key(context, subkey, &ctx->enc); if (code != 0) return code; - ctx->enc->enctype = ENCTYPE_DES_CBC_RAW; - ctx->seq->enctype = ENCTYPE_DES_CBC_RAW; + ctx->enc->keyblock.enctype = ENCTYPE_DES_CBC_RAW; + ctx->seq->keyblock.enctype = ENCTYPE_DES_CBC_RAW; ctx->signalg = SGN_ALG_DES_MAC_MD5; ctx->cksum_size = 8; ctx->sealalg = SEAL_ALG_DES; - for (i = 0; i < ctx->enc->length; i++) - /*SUPPRESS 113*/ - ctx->enc->contents[i] ^= 0xF0; break; case ENCTYPE_DES3_CBC_SHA1: code = kg_copy_keys(context, ctx, subkey); if (code != 0) return code; - ctx->enc->enctype = ENCTYPE_DES3_CBC_RAW; - ctx->seq->enctype = ENCTYPE_DES3_CBC_RAW; + ctx->enc->keyblock.enctype = ENCTYPE_DES3_CBC_RAW; + ctx->seq->keyblock.enctype = ENCTYPE_DES3_CBC_RAW; ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD; ctx->cksum_size = 20; ctx->sealalg = SEAL_ALG_DES3KD; @@ -164,15 +182,15 @@ kg_setup_keys(krb5_context context, int kg_confounder_size(context, key) krb5_context context; - krb5_keyblock *key; + krb5_key key; { krb5_error_code code; size_t blocksize; /* We special case rc4*/ - if (key->enctype == ENCTYPE_ARCFOUR_HMAC || - key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) + if (key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC || + key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC_EXP) return 8; - code = krb5_c_block_size(context, key->enctype, &blocksize); + code = krb5_c_block_size(context, key->keyblock.enctype, &blocksize); if (code) return(-1); /* XXX */ @@ -182,7 +200,7 @@ kg_confounder_size(context, key) krb5_error_code kg_make_confounder(context, key, buf) krb5_context context; - krb5_keyblock *key; + krb5_key key; unsigned char *buf; { int confsize; @@ -201,7 +219,7 @@ kg_make_confounder(context, key, buf) krb5_error_code kg_encrypt(context, key, usage, iv, in, out, length) krb5_context context; - krb5_keyblock *key; + krb5_key key; int usage; krb5_pointer iv; krb5_const_pointer in; @@ -214,7 +232,7 @@ kg_encrypt(context, key, usage, iv, in, out, length) krb5_enc_data outputd; if (iv) { - code = krb5_c_block_size(context, key->enctype, &blocksize); + code = krb5_c_block_size(context, key->keyblock.enctype, &blocksize); if (code) return(code); @@ -234,7 +252,7 @@ kg_encrypt(context, key, usage, iv, in, out, length) outputd.ciphertext.length = length; outputd.ciphertext.data = out; - code = krb5_c_encrypt(context, key, usage, pivd, &inputd, &outputd); + code = krb5_k_encrypt(context, key, usage, pivd, &inputd, &outputd); if (pivd != NULL) free(pivd->data); return code; @@ -245,7 +263,7 @@ kg_encrypt(context, key, usage, iv, in, out, length) krb5_error_code kg_decrypt(context, key, usage, iv, in, out, length) krb5_context context; - krb5_keyblock *key; + krb5_key key; int usage; krb5_pointer iv; krb5_const_pointer in; @@ -258,7 +276,7 @@ kg_decrypt(context, key, usage, iv, in, out, length) krb5_enc_data inputd; if (iv) { - code = krb5_c_block_size(context, key->enctype, &blocksize); + code = krb5_c_block_size(context, key->keyblock.enctype, &blocksize); if (code) return(code); @@ -279,7 +297,7 @@ kg_decrypt(context, key, usage, iv, in, out, length) outputd.length = length; outputd.data = out; - code = krb5_c_decrypt(context, key, usage, pivd, &inputd, &outputd); + code = krb5_k_decrypt(context, key, usage, pivd, &inputd, &outputd); if (pivd != NULL) free(pivd->data); return code; @@ -294,6 +312,7 @@ kg_arcfour_docrypt (const krb5_keyblock *longterm_key , int ms_usage, krb5_error_code code; krb5_data input, output; krb5int_access kaccess; + krb5_key key; krb5_keyblock seq_enc_key, usage_key; unsigned char t[14]; size_t i = 0; @@ -341,9 +360,11 @@ kg_arcfour_docrypt (const krb5_keyblock *longterm_key , int ms_usage, input.length = input_len; output.data = (void * ) output_buf; output.length = input_len; - code = ((*kaccess.arcfour_enc_provider->encrypt)( - &seq_enc_key, 0, - &input, &output)); + code = krb5_k_create_key(NULL, &seq_enc_key, &key); + if (code) + goto cleanup_arcfour; + code = (*kaccess.arcfour_enc_provider->encrypt)(key, 0, &input, &output); + krb5_k_free_key(NULL, key); cleanup_arcfour: memset (seq_enc_key.contents, 0, seq_enc_key.length); memset (usage_key.contents, 0, usage_key.length); @@ -356,7 +377,7 @@ cleanup_arcfour: static krb5_error_code kg_translate_iov_v1(context, key, iov, iov_count, pkiov, pkiov_count) krb5_context context; - const krb5_keyblock *key; + krb5_key key; gss_iov_buffer_desc *iov; int iov_count; krb5_crypto_iov **pkiov; @@ -372,7 +393,7 @@ kg_translate_iov_v1(context, key, iov, iov_count, pkiov, pkiov_count) *pkiov = NULL; *pkiov_count = 0; - conf_len = kg_confounder_size(context, (krb5_keyblock *)key); + conf_len = kg_confounder_size(context, key); header = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER); assert(header != NULL); @@ -427,7 +448,7 @@ kg_translate_iov_v3(context, dce_style, ec, rrc, key, iov, iov_count, pkiov, pki int dce_style; /* DCE_STYLE indicates actual RRC is EC + RRC */ size_t ec; /* Extra rotate count for DCE_STYLE, pad length otherwise */ size_t rrc; /* Rotate count */ - const krb5_keyblock *key; + krb5_key key; gss_iov_buffer_desc *iov; int iov_count; krb5_crypto_iov **pkiov; @@ -451,11 +472,13 @@ kg_translate_iov_v3(context, dce_style, ec, rrc, key, iov, iov_count, pkiov, pki trailer = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER); assert(trailer == NULL || rrc == 0); - code = krb5_c_crypto_length(context, key->enctype, KRB5_CRYPTO_TYPE_HEADER, &k5_headerlen); + code = krb5_c_crypto_length(context, key->keyblock.enctype, + KRB5_CRYPTO_TYPE_HEADER, &k5_headerlen); if (code != 0) return code; - code = krb5_c_crypto_length(context, key->enctype, KRB5_CRYPTO_TYPE_TRAILER, &k5_trailerlen); + code = krb5_c_crypto_length(context, key->keyblock.enctype, + KRB5_CRYPTO_TYPE_TRAILER, &k5_trailerlen); if (code != 0) return code; @@ -541,7 +564,7 @@ kg_translate_iov(context, proto, dce_style, ec, rrc, key, iov, iov_count, pkiov, int dce_style; size_t ec; size_t rrc; - const krb5_keyblock *key; + krb5_key key; gss_iov_buffer_desc *iov; int iov_count; krb5_crypto_iov **pkiov; @@ -559,7 +582,7 @@ kg_encrypt_iov(context, proto, dce_style, ec, rrc, key, usage, iv, iov, iov_coun int dce_style; size_t ec; size_t rrc; - krb5_keyblock *key; + krb5_key key; int usage; krb5_pointer iv; gss_iov_buffer_desc *iov; @@ -572,7 +595,7 @@ kg_encrypt_iov(context, proto, dce_style, ec, rrc, key, usage, iv, iov, iov_coun krb5_crypto_iov *kiov; if (iv) { - code = krb5_c_block_size(context, key->enctype, &blocksize); + code = krb5_c_block_size(context, key->keyblock.enctype, &blocksize); if (code) return(code); @@ -589,7 +612,7 @@ kg_encrypt_iov(context, proto, dce_style, ec, rrc, key, usage, iv, iov, iov_coun code = kg_translate_iov(context, proto, dce_style, ec, rrc, key, iov, iov_count, &kiov, &kiov_count); if (code == 0) { - code = krb5_c_encrypt_iov(context, key, usage, pivd, kiov, kiov_count); + code = krb5_k_encrypt_iov(context, key, usage, pivd, kiov, kiov_count); free(kiov); } @@ -608,7 +631,7 @@ kg_decrypt_iov(context, proto, dce_style, ec, rrc, key, usage, iv, iov, iov_coun int dce_style; size_t ec; size_t rrc; - krb5_keyblock *key; + krb5_key key; int usage; krb5_pointer iv; gss_iov_buffer_desc *iov; @@ -621,7 +644,7 @@ kg_decrypt_iov(context, proto, dce_style, ec, rrc, key, usage, iv, iov, iov_coun krb5_crypto_iov *kiov; if (iv) { - code = krb5_c_block_size(context, key->enctype, &blocksize); + code = krb5_c_block_size(context, key->keyblock.enctype, &blocksize); if (code) return(code); @@ -638,7 +661,7 @@ kg_decrypt_iov(context, proto, dce_style, ec, rrc, key, usage, iv, iov, iov_coun code = kg_translate_iov(context, proto, dce_style, ec, rrc, key, iov, iov_count, &kiov, &kiov_count); if (code == 0) { - code = krb5_c_decrypt_iov(context, key, usage, pivd, kiov, kiov_count); + code = krb5_k_decrypt_iov(context, key, usage, pivd, kiov, kiov_count); free(kiov); } @@ -657,6 +680,7 @@ kg_arcfour_docrypt_iov (krb5_context context, krb5_error_code code; krb5_data input, output; krb5int_access kaccess; + krb5_key key; krb5_keyblock seq_enc_key, usage_key; unsigned char t[14]; size_t i = 0; @@ -709,9 +733,12 @@ kg_arcfour_docrypt_iov (krb5_context context, if (code) goto cleanup_arcfour; - code = ((*kaccess.arcfour_enc_provider->encrypt_iov)( - &seq_enc_key, 0, - kiov, kiov_count)); + code = krb5_k_create_key(context, &seq_enc_key, &key); + if (code) + goto cleanup_arcfour; + code = (*kaccess.arcfour_enc_provider->encrypt_iov)(key, 0, kiov, + kiov_count); + krb5_k_free_key(context, key); cleanup_arcfour: memset (seq_enc_key.contents, 0, seq_enc_key.length); memset (usage_key.contents, 0, usage_key.length); diff --git a/src/lib/gssapi/krb5/util_seed.c b/src/lib/gssapi/krb5/util_seed.c index b559f5e088..5c696ea3b5 100644 --- a/src/lib/gssapi/krb5/util_seed.c +++ b/src/lib/gssapi/krb5/util_seed.c @@ -31,25 +31,31 @@ static const unsigned char zeros[16] = {0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0}; krb5_error_code kg_make_seed(context, key, seed) krb5_context context; - krb5_keyblock *key; + krb5_key key; unsigned char *seed; { krb5_error_code code; - krb5_keyblock *tmpkey; + krb5_key rkey = NULL; + krb5_keyblock *tmpkey, *kb; unsigned int i; - code = krb5_copy_keyblock(context, key, &tmpkey); + code = krb5_k_key_keyblock(context, key, &tmpkey); if (code) return(code); /* reverse the key bytes, as per spec */ - + kb = &key->keyblock; for (i=0; i<tmpkey->length; i++) - tmpkey->contents[i] = key->contents[key->length - 1 - i]; + tmpkey->contents[i] = kb->contents[kb->length - 1 - i]; + + code = krb5_k_create_key(context, tmpkey, &rkey); + if (code) + goto cleanup; - code = kg_encrypt(context, tmpkey, KG_USAGE_SEAL, NULL, zeros, seed, 16); + code = kg_encrypt(context, rkey, KG_USAGE_SEAL, NULL, zeros, seed, 16); +cleanup: krb5_free_keyblock(context, tmpkey); - + krb5_k_free_key(context, rkey); return(code); } diff --git a/src/lib/gssapi/krb5/util_seqnum.c b/src/lib/gssapi/krb5/util_seqnum.c index b91dd658c0..388990a30c 100644 --- a/src/lib/gssapi/krb5/util_seqnum.c +++ b/src/lib/gssapi/krb5/util_seqnum.c @@ -32,7 +32,7 @@ krb5_error_code kg_make_seq_num(context, key, direction, seqnum, cksum, buf) krb5_context context; - krb5_keyblock *key; + krb5_key key; int direction; krb5_ui_4 seqnum; unsigned char *cksum; @@ -44,11 +44,11 @@ kg_make_seq_num(context, key, direction, seqnum, cksum, buf) plain[5] = direction; plain[6] = direction; plain[7] = direction; - if (key->enctype == ENCTYPE_ARCFOUR_HMAC || - key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { + if (key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC || + key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { /* Yes, Microsoft used big-endian sequence number.*/ store_32_be(seqnum, plain); - return kg_arcfour_docrypt (key, 0, + return kg_arcfour_docrypt (&key->keyblock, 0, cksum, 8, &plain[0], 8, buf); @@ -61,7 +61,7 @@ kg_make_seq_num(context, key, direction, seqnum, cksum, buf) krb5_error_code kg_get_seq_num(context, key, cksum, buf, direction, seqnum) krb5_context context; - krb5_keyblock *key; + krb5_key key; unsigned char *cksum; unsigned char *buf; int *direction; @@ -70,9 +70,9 @@ krb5_error_code kg_get_seq_num(context, key, cksum, buf, direction, seqnum) krb5_error_code code; unsigned char plain[8]; - if (key->enctype == ENCTYPE_ARCFOUR_HMAC || - key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { - code = kg_arcfour_docrypt (key, 0, + if (key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC || + key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { + code = kg_arcfour_docrypt (&key->keyblock, 0, cksum, 8, buf, 8, plain); @@ -88,8 +88,8 @@ krb5_error_code kg_get_seq_num(context, key, cksum, buf, direction, seqnum) return((krb5_error_code) KG_BAD_SEQ); *direction = plain[4]; - if (key->enctype == ENCTYPE_ARCFOUR_HMAC || - key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { + if (key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC || + key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { *seqnum = (plain[3]|(plain[2]<<8) | (plain[1]<<16)| (plain[0]<<24)); } else { *seqnum = ((plain[0]) | diff --git a/src/lib/gssapi/krb5/wrap_size_limit.c b/src/lib/gssapi/krb5/wrap_size_limit.c index 7fa9c44d66..0b90bba00b 100644 --- a/src/lib/gssapi/krb5/wrap_size_limit.c +++ b/src/lib/gssapi/krb5/wrap_size_limit.c @@ -114,10 +114,12 @@ krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag, /* Token header: 16 octets. */ if (conf_req_flag) { + krb5_key key; krb5_enctype enctype; - enctype = ctx->have_acceptor_subkey ? ctx->acceptor_subkey->enctype - : ctx->subkey->enctype; + key = ctx->have_acceptor_subkey ? ctx->acceptor_subkey + : ctx->subkey; + enctype = key->keyblock.enctype; while (sz > 0 && krb5_encrypt_size(sz, enctype) + 16 > req_output_size) sz--; |