authorMarc Horowitz <marc@mit.edu>1998-10-30 02:56:35 +0000
committerMarc Horowitz <marc@mit.edu>1998-10-30 02:56:35 +0000
commit1440ab035ba04550ddbbfbff1ee9b5571e3d95db (patch)
tree9d5e8d2e151a930e044c7d0f7c64053d244577a0 /src/lib/kdb
parent61ddbf948ba6ee70c1bc049268c3dfa73bc9983e (diff)
pull up 3des implementation from the marc-3des branch
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11001 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/kdb')
-rw-r--r--src/lib/kdb/ChangeLog30
-rw-r--r--src/lib/kdb/Makefile.in4
-rw-r--r--src/lib/kdb/decrypt_key.c88
-rw-r--r--src/lib/kdb/encrypt_key.c80
-rw-r--r--src/lib/kdb/fetch_mkey.c40
-rw-r--r--src/lib/kdb/kdb_cpw.c209
-rw-r--r--src/lib/kdb/kdb_db2.c38
-rw-r--r--src/lib/kdb/kdb_db2.h2
-rw-r--r--src/lib/kdb/kdb_dbm.c12
-rw-r--r--src/lib/kdb/kdb_xdr.c39
-rw-r--r--src/lib/kdb/keytab.c2
-rw-r--r--src/lib/kdb/verify_mky.c21
12 files changed, 330 insertions, 235 deletions
diff --git a/src/lib/kdb/ChangeLog b/src/lib/kdb/ChangeLog
index ec0b38457c..e12270d5c8 100644
--- a/src/lib/kdb/ChangeLog
+++ b/src/lib/kdb/ChangeLog
@@ -1,3 +1,33 @@
+1998-10-27 Marc Horowitz <marc@mit.edu>
+
+ * kdb_xdr.c, kdb_cpw.c: remove the special knowledge of ENCTYPE
+ string-to-key equivalances. the crypto api has a function for
+ this now.
+
+ * decrypt_key.c, encrypt_key.c, fetch_mkey.c, kdb_cpw.c,
+ kdb_db2.c, kdb_db2.h, kdb_dbm.c, keytab.c, verify_mky.c: change or
+ remove all the places krb5_encrypt_block was used
+ (this is mostly relevant to kdb manipulations). It was usually
+ used to specify an enctype (which is now implied by the keyblock),
+ or to store or pass in a processed key (now the api just takes a
+ key directly, so these structures and functions do, too). The kdb
+ key manuipulation functions also need to be made to use the new
+ api.
+
+Fri Sep 25 19:42:10 1998 Tom Yu <tlyu@mit.edu>
+
+ * kdb_xdr.c (krb5_dbe_search_enctype): Re-order booleans so that
+ similar doesn't get checked unless (ktype >= 0) to avoid it being
+ stack garbage.
+
+Sun Aug 16 16:52:10 1998 Sam Hartman <hartmans@utwig.mesas.com>
+
+ * Makefile.in (SHLIB_EXPLIBS): Include $(LIBS) so building on AIX works
+
+Sun Jul 26 18:12:22 1998 Sam Hartman <hartmans@utwig.mesas.com>
+
+ * Makefile.in (LIBMAJOR): bump libmajor
+
1998-05-06 Theodore Ts'o <tytso@rsts-11.mit.edu>
* t_kdb.c (main): POSIX states that getopt returns -1
diff --git a/src/lib/kdb/Makefile.in b/src/lib/kdb/Makefile.in
index 9ec4b23d48..c44b58631d 100644
--- a/src/lib/kdb/Makefile.in
+++ b/src/lib/kdb/Makefile.in
@@ -7,14 +7,14 @@ PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
LIB=kdb5
-LIBMAJOR=2
+LIBMAJOR=3
LIBMINOR=0
RELDIR=kdb
# Depends on libk5crypto and libkrb5
SHLIB_EXPDEPS = \
$(TOPLIBD)/libk5crypto$(SHLIBEXT) \
$(TOPLIBD)/libkrb5$(SHLIBEXT)
-SHLIB_EXPLIBS=-lkrb5 -lcom_err -lk5crypto
+SHLIB_EXPLIBS=-lkrb5 -lcom_err -lk5crypto $(LIBS)
SHLIB_DIRS=-L$(TOPLIBD)
SHLIB_RDIRS=$(KRB5_LIBDIR)
diff --git a/src/lib/kdb/decrypt_key.c b/src/lib/kdb/decrypt_key.c
index 2aa199ac7e..0cfdbda8e0 100644
--- a/src/lib/kdb/decrypt_key.c
+++ b/src/lib/kdb/decrypt_key.c
@@ -24,6 +24,32 @@
* krb5_kdb_encrypt_key(), krb5_kdb_decrypt_key functions
*/
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
#include "k5-int.h"
/*
@@ -33,40 +59,53 @@
*/
krb5_error_code
-krb5_dbekd_decrypt_key_data(context, eblock, key_data, keyblock, keysalt)
+krb5_dbekd_decrypt_key_data(context, mkey, key_data, dbkey, keysalt)
krb5_context context;
- krb5_encrypt_block * eblock;
+ const krb5_keyblock * mkey;
const krb5_key_data * key_data;
- krb5_keyblock * keyblock;
+ krb5_keyblock * dbkey;
krb5_keysalt * keysalt;
{
krb5_error_code retval = 0;
krb5_int16 tmplen;
krb5_octet * ptr;
+ krb5_enc_data cipher;
+ krb5_data plain;
- keyblock->magic = KV5M_KEYBLOCK;
- keyblock->enctype = key_data->key_data_type[0];
-
- /* Decrypt key_data_contents */
- if ((keyblock->contents = (krb5_octet *)malloc(krb5_encrypt_size(
- key_data->key_data_length[0] - 2, eblock->crypto_entry))) == NULL)
- return ENOMEM;
-
- keyblock->length = 0;
ptr = key_data->key_data_contents[0];
+
if (ptr) {
krb5_kdb_decode_int16(ptr, tmplen);
ptr += 2;
- keyblock->length = (int) tmplen;
- if ((retval = krb5_decrypt(context, (krb5_pointer) ptr,
- (krb5_pointer)keyblock->contents,
- key_data->key_data_length[0] - 2,
- eblock, 0))) {
- krb5_xfree(keyblock->contents);
- keyblock->contents = 0;
- keyblock->length = 0;
+
+ cipher.enctype = ENCTYPE_UNKNOWN;
+ cipher.ciphertext.length = key_data->key_data_length[0]-2;
+ cipher.ciphertext.data = ptr;
+ plain.length = key_data->key_data_length[0]-2;
+ if ((plain.data = (krb5_octet *) malloc(plain.length)) == NULL)
+ return(ENOMEM);
+
+ if ((retval = krb5_c_decrypt(context, mkey, 0 /* XXX */, 0,
+ &cipher, &plain))) {
+ krb5_xfree(plain.data);
return retval;
}
+
+ /* tmplen is the true length of the key. plain.data is the
+ plaintext data length, but it may be padded, since the
+ old-style etypes didn't store the real length. I can check
+ to make sure that there are enough bytes, but I can't do
+ any better than that. */
+
+ if (tmplen > plain.length) {
+ krb5_xfree(plain.data);
+ return(KRB5_CRYPTO_INTERNAL);
+ }
+
+ dbkey->magic = KV5M_KEYBLOCK;
+ dbkey->enctype = key_data->key_data_type[0];
+ dbkey->length = tmplen;
+ dbkey->contents = plain.data;
}
/* Decode salt data */
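Review bot: When `key_data->key_data_contents[0]` is NULL the rewritten body never touches `dbkey`, whereas the removed lines always set magic, enctype, length and contents; a caller that reads the output keyblock unconditionally (verify_mky.c in this same commit compares `tempkey.length` and frees `tempkey.contents` right after calling this) would then be working on an uninitialized struct. Initialize the output before the `if (ptr)` branch: `dbkey->magic = KV5M_KEYBLOCK; dbkey->enctype = key_data->key_data_type[0]; dbkey->length = 0; dbkey->contents = NULL;`. Separately, `krb5_kdb_decode_int16` reads two bytes and the ciphertext length is computed as `key_data_length[0]-2` before anything checks that the stored record holds at least two bytes, so on a truncated entry the subtraction goes negative and lands in an unsigned `length`; a guard such as `if (key_data->key_data_length[0] < 2) return(KRB5_CRYPTO_INTERNAL);` ahead of the decode is worth adding. The `0 /* XXX */` key usage handed to `krb5_c_decrypt` should at least be described in a comment as the intended master-key usage so the placeholder is not forgotten. krb5_dbekd_decrypt_key_data continues past this hunk.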
@@ -75,9 +114,11 @@ krb5_dbekd_decrypt_key_data(context, eblock, key_data, keyblock, keysalt)
keysalt->type = key_data->key_data_type[1];
if ((keysalt->data.length = key_data->key_data_length[1])) {
if (!(keysalt->data.data=(char *)malloc(keysalt->data.length))){
- krb5_xfree(keyblock->contents);
- keyblock->contents = 0;
- keyblock->length = 0;
+ if (key_data->key_data_contents[0]) {
+ krb5_xfree(dbkey->contents);
+ dbkey->contents = 0;
+ dbkey->length = 0;
+ }
return ENOMEM;
}
memcpy(keysalt->data.data, key_data->key_data_contents[1],
@@ -90,5 +131,6 @@ krb5_dbekd_decrypt_key_data(context, eblock, key_data, keyblock, keysalt)
keysalt->data.length = 0;
}
}
+
return retval;
}
diff --git a/src/lib/kdb/encrypt_key.c b/src/lib/kdb/encrypt_key.c
index ea7d17ca78..7bcfe11eb1 100644
--- a/src/lib/kdb/encrypt_key.c
+++ b/src/lib/kdb/encrypt_key.c
@@ -24,6 +24,32 @@
* krb5_kdb_encrypt_key(), krb5_kdb_decrypt_key functions
*/
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
#include "k5-int.h"
/*
@@ -33,10 +59,10 @@
*/
krb5_error_code
-krb5_dbekd_encrypt_key_data(context, eblock, keyblock, keysalt, keyver,key_data)
+krb5_dbekd_encrypt_key_data(context, mkey, dbkey, keysalt, keyver, key_data)
krb5_context context;
- krb5_encrypt_block * eblock;
- const krb5_keyblock * keyblock;
+ const krb5_keyblock * mkey;
+ const krb5_keyblock * dbkey;
const krb5_keysalt * keysalt;
int keyver;
krb5_key_data * key_data;
@@ -44,8 +70,10 @@ krb5_dbekd_encrypt_key_data(context, eblock, keyblock, keysalt, keyver,key_data)
krb5_error_code retval;
krb5_keyblock tmp;
krb5_octet * ptr;
- krb5_int16 len;
+ size_t len;
int i;
+ krb5_data plain;
+ krb5_enc_data cipher;
for (i = 0; i < key_data->key_data_ver; i++)
if (key_data->key_data_contents[i])
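Review bot: `krb5_keyblock tmp;` on the context line above is now dead — every use of `tmp` (the malloc, memcpy and the two `krb5_xfree(tmp.contents)` calls) is removed further down — so the declaration should go with it rather than survive as an unused local. krb5_dbekd_encrypt_key_data continues past this hunk.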
@@ -58,39 +86,32 @@ krb5_dbekd_encrypt_key_data(context, eblock, keyblock, keysalt, keyver,key_data)
* The First element of the type/length/contents
* fields is the key type/length/contents
*/
- key_data->key_data_type[0] = keyblock->enctype;
- key_data->key_data_length[0] = krb5_encrypt_size(keyblock->length,
- eblock->crypto_entry) + 2;
+ if ((retval = krb5_c_encrypt_length(context, mkey->enctype, dbkey->length,
+ &len)))
+ return(retval);
- /*
- * because of checksum space requirements imposed by the encryption
- * interface, we need to copy the input key into a larger area.
- */
- tmp.contents = (krb5_octet *)malloc(key_data->key_data_length[0] - 2);
- len = tmp.length = keyblock->length;
- if (tmp.contents == NULL)
- return ENOMEM;
+ if ((ptr = (krb5_octet *) malloc(2 + len)) == NULL)
+ return(ENOMEM);
- memcpy((char *)tmp.contents, (const char *)keyblock->contents, tmp.length);
- key_data->key_data_contents[0] = ptr = (krb5_octet *)malloc(
- key_data->key_data_length[0]);
- if (key_data->key_data_contents[0] == NULL) {
- krb5_xfree(tmp.contents);
- return ENOMEM;
- }
+ key_data->key_data_type[0] = dbkey->enctype;
+ key_data->key_data_length[0] = 2 + len;
+ key_data->key_data_contents[0] = ptr;
- krb5_kdb_encode_int16(len, ptr);
+ krb5_kdb_encode_int16(dbkey->length, ptr);
ptr += 2;
- if ((retval = krb5_encrypt(context, (krb5_pointer) tmp.contents,
- (krb5_pointer)(ptr), tmp.length,
- eblock, 0))) {
+
+ plain.length = dbkey->length;
+ plain.data = dbkey->contents;
+
+ cipher.ciphertext.length = len;
+ cipher.ciphertext.data = ptr;
+
+ if ((retval = krb5_c_encrypt(context, mkey, /* XXX */ 0, 0,
+ &plain, &cipher))) {
krb5_xfree(key_data->key_data_contents[0]);
- krb5_xfree(tmp.contents);
return retval;
}
- krb5_xfree(tmp.contents);
-
/* After key comes the salt in necessary */
if (keysalt) {
if (keysalt->type > 0) {
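Review bot: The failure path after `krb5_c_encrypt` frees `key_data->key_data_contents[0]` but leaves that pointer and `key_data_length[0]` set in the caller's entry, so the entry is returned holding a dangling pointer; the callers in kdb_cpw.c run `cleanup_key_data` over `db_entry->key_data` on exactly this failure, which looks like a double free if that helper frees the contents (its body is not in this diff, so confirm). Null the fields after freeing: `key_data->key_data_contents[0] = NULL; key_data->key_data_length[0] = 0;`. `key_data->key_data_length[0] = 2 + len;` now narrows a `size_t` into the entry's length field, and `krb5_kdb_encode_int16(dbkey->length, ptr)` narrows the key length into the 16-bit on-disk prefix, in both cases without a range check; either guard with `if (2 + len > 0xffff) return(KRB5_CRYPTO_INTERNAL);` or add a comment stating why the encrypted length is known to fit. krb5_dbekd_encrypt_key_data continues past this hunk.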
@@ -108,5 +129,6 @@ krb5_dbekd_encrypt_key_data(context, eblock, keyblock, keysalt, keyver,key_data)
}
}
}
+
return retval;
}
diff --git a/src/lib/kdb/fetch_mkey.c b/src/lib/kdb/fetch_mkey.c
index 5eda4eae6b..829e0283cd 100644
--- a/src/lib/kdb/fetch_mkey.c
+++ b/src/lib/kdb/fetch_mkey.c
@@ -25,6 +25,32 @@
* Fetch a database master key from somewhere.
*/
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
#include "k5-int.h"
/* these are available to other funcs, and the pointers may be reassigned */
@@ -52,10 +78,11 @@ char *krb5_mkey_pwd_prompt2 = KRB5_KDC_MKEY_2;
#endif
krb5_error_code
-krb5_db_fetch_mkey(context, mname, eblock, fromkeyboard, twice, keyfile, salt, key)
+krb5_db_fetch_mkey(context, mname, etype, fromkeyboard, twice, keyfile,
+ salt, key)
krb5_context context;
krb5_principal mname;
- krb5_encrypt_block * eblock;
+ krb5_enctype etype;
krb5_boolean fromkeyboard;
krb5_boolean twice;
char *keyfile;
@@ -67,7 +94,6 @@ krb5_db_fetch_mkey(context, mname, eblock, fromkeyboard, twice, keyfile, salt, k
krb5_data pwd;
int size = sizeof(password);
-
if (fromkeyboard) {
krb5_data scratch;
@@ -83,8 +109,9 @@ krb5_db_fetch_mkey(context, mname, eblock, fromkeyboard, twice, keyfile, salt, k
if (retval)
return retval;
}
- retval = krb5_string_to_key(context, eblock, key, &pwd,
- salt ? salt : &scratch);
+ retval = krb5_c_string_to_key(context, etype, &pwd, salt?salt:&scratch,
+ key);
+
if (!salt)
krb5_xfree(scratch.data);
memset(password, 0, sizeof(password)); /* erase it */
@@ -142,7 +169,8 @@ krb5_db_fetch_mkey(context, mname, eblock, fromkeyboard, twice, keyfile, salt, k
key->contents = 0;
} else
retval = 0;
- krb5_use_enctype(context, eblock, key->enctype);
+
+ key->enctype = etype;
errout:
(void) fclose(kf);
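Review bot: `key->enctype = etype;` unconditionally overwrites whatever enctype the keyfile path produced; the removed `krb5_use_enctype(context, eblock, key->enctype)` configured the eblock from `key->enctype`, which suggests the stash record carries its own enctype (confirm against the read code above this hunk). If so, a stashed key of one type is silently relabeled as `etype`, and a mismatch should be reported instead, e.g. `if (retval == 0 && key->enctype != etype) retval = KRB5_KDB_BADMASTERKEY;` in place of the assignment. The assignment also runs on the error branch where `key->contents` was just cleared, which is harmless but reads oddly next to the `errout:` label. krb5_db_fetch_mkey begins and ends outside this hunk.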
diff --git a/src/lib/kdb/kdb_cpw.c b/src/lib/kdb/kdb_cpw.c
index ec7419e1c6..d68d784c19 100644
--- a/src/lib/kdb/kdb_cpw.c
+++ b/src/lib/kdb/kdb_cpw.c
@@ -22,6 +22,32 @@
*
*/
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
#include "k5-int.h"
#include "krb5/adm.h"
#include <stdio.h>
@@ -61,32 +87,23 @@ cleanup_key_data(context, count, data)
free(data);
}
-/*
- * Currently we can only generate random keys for preinitialized
- * krb5_encrypt_block with a seed. This is bogus but currently
- * necessary to insure that we don't generate two keys with the
- * same data.
- */
static krb5_error_code
-add_key_rnd(context, master_eblock, ks_tuple, ks_tuple_count, db_entry, kvno)
+add_key_rnd(context, master_key, ks_tuple, ks_tuple_count, db_entry, kvno)
krb5_context context;
- krb5_encrypt_block * master_eblock;
+ krb5_keyblock * master_key;
krb5_key_salt_tuple * ks_tuple;
int ks_tuple_count;
krb5_db_entry * db_entry;
int kvno;
{
krb5_principal krbtgt_princ;
- krb5_keyblock krbtgt_key, * key;
- krb5_pointer krbtgt_seed;
- krb5_encrypt_block krbtgt_eblock;
+ krb5_keyblock key;
krb5_db_entry krbtgt_entry;
krb5_key_data * krbtgt_kdata;
- krb5_boolean more, found;
+ krb5_boolean more;
int max_kvno, one, i, j;
krb5_error_code retval;
- memset(&krbtgt_key, 0, sizeof(krbtgt_key));
retval = krb5_build_principal_ext(context, &krbtgt_princ,
db_entry->princ->realm.length,
db_entry->princ->realm.data,
@@ -119,17 +136,9 @@ add_key_rnd(context, master_eblock, ks_tuple, ks_tuple_count, db_entry, kvno)
}
for (i = 0; i < ks_tuple_count; i++) {
- krb5_enctype new_enctype, old_enctype;
+ krb5_boolean similar;
- switch (new_enctype = ks_tuple[i].ks_enctype) {
- case ENCTYPE_DES_CBC_MD4:
- case ENCTYPE_DES_CBC_MD5:
- case ENCTYPE_DES_CBC_RAW:
- new_enctype = ENCTYPE_DES_CBC_CRC;
- default:
- break;
- }
- found = 0;
+ similar = 0;
/*
* We could use krb5_keysalt_iterate to replace this loop, or use
@@ -137,74 +146,44 @@ add_key_rnd(context, master_eblock, ks_tuple, ks_tuple_count, db_entry, kvno)
* circular library dependencies.
*/
for (j = 0; j < i; j++) {
- switch (old_enctype = ks_tuple[j].ks_enctype) {
- case ENCTYPE_DES_CBC_MD4:
- case ENCTYPE_DES_CBC_MD5:
- case ENCTYPE_DES_CBC_RAW:
- old_enctype = ENCTYPE_DES_CBC_CRC;
- default:
- break;
- }
- if (old_enctype == new_enctype) {
- found = 1;
+ if ((retval = krb5_c_enctype_compare(context,
+ ks_tuple[i].ks_enctype,
+ ks_tuple[j].ks_enctype,
+ &similar)))
+ return(retval);
+
+ if (similar)
break;
- }
}
- if (found)
- continue;
- if (retval = krb5_dbe_create_key_data(context, db_entry))
- goto add_key_rnd_err;
- if (retval = krb5_dbe_find_enctype(context, &krbtgt_entry,
- ks_tuple[i].ks_enctype,
- -1, 0, &krbtgt_kdata))
- goto add_key_rnd_err;
+ if (similar)
+ continue;
- /* Decrypt key */
- if (retval = krb5_dbekd_decrypt_key_data(context, master_eblock,
- krbtgt_kdata,&krbtgt_key,NULL))
+ if (retval = krb5_dbe_create_key_data(context, db_entry))
goto add_key_rnd_err;
- /* Init key */
- krbtgt_key.enctype = ks_tuple[i].ks_enctype;
- krb5_use_enctype(context, &krbtgt_eblock, ks_tuple[i].ks_enctype);
- if (retval = krb5_process_key(context, &krbtgt_eblock, &krbtgt_key)) {
- goto add_key_rnd_err;
- }
+ /* there used to be code here to extract the old key, and derive
+ a new key from it. Now that there's a unified prng, that isn't
+ necessary. */
- /* Init random generator */
- if (retval = krb5_init_random_key(context, &krbtgt_eblock,
- &krbtgt_key, &krbtgt_seed)) {
- krb5_finish_key(context, &krbtgt_eblock);
+ /* make new key */
+ if ((retval = krb5_c_make_random_key(context, ks_tuple[i].ks_enctype,
+ &key)))
goto add_key_rnd_err;
- }
- if (retval = krb5_random_key(context,&krbtgt_eblock,krbtgt_seed,&key)) {
- krb5_finish_random_key(context, &krbtgt_eblock, &krbtgt_seed);
- krb5_finish_key(context, &krbtgt_eblock);
- goto add_key_rnd_err;
- }
+ retval = krb5_dbekd_encrypt_key_data(context, master_key,
+ &key, NULL, kvno,
+ &db_entry->key_data[db_entry->n_key_data-1]);
- krb5_finish_random_key(context, &krbtgt_eblock, &krbtgt_seed);
- krb5_finish_key(context, &krbtgt_eblock);
+ krb5_free_keyblock_contents(context, &key);
- if (retval = krb5_dbekd_encrypt_key_data(context, master_eblock,
- key, NULL, kvno,
- &db_entry->key_data[db_entry->n_key_data-1])) {
- krb5_free_keyblock(context, key);
+ if (retval)
goto add_key_rnd_err;
- }
-
- /* Finish random key */
- krb5_free_keyblock(context, key);
}
-add_key_rnd_err:;
+add_key_rnd_err:
krb5_db_free_principal(context, &krbtgt_entry, one);
- if (krbtgt_key.contents && krbtgt_key.length) {
- memset(krbtgt_key.contents, 0, krbtgt_key.length);
- krb5_xfree(krbtgt_key.contents);
- }
+
return(retval);
}
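Review bot: The new `return(retval)` on `krb5_c_enctype_compare` failure inside the `for (j ...)` loop leaves the function without passing through `add_key_rnd_err`, so the `krbtgt_entry` released there is leaked on that path; use `goto add_key_rnd_err;` like every other failure in this function. With the old-key derivation gone, the krbtgt principal lookup kept at the top of the function (outside this hunk) and the now-unused `krbtgt_kdata` declaration are dead weight, and the lookup still adds a failure mode for a key the code no longer reads — either remove them or comment why the lookup is retained. `if (retval = krb5_dbe_create_key_data(context, db_entry))` is re-added as an assignment-in-condition without the extra parentheses the other new calls in this hunk use (`if ((retval = ...))`); make it consistent. add_key_rnd's opening lines are outside this hunk.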
@@ -215,9 +194,9 @@ add_key_rnd_err:;
* As a side effect all old keys are nuked.
*/
krb5_error_code
-krb5_dbe_crk(context, master_eblock, ks_tuple, ks_tuple_count, db_entry)
+krb5_dbe_crk(context, master_key, ks_tuple, ks_tuple_count, db_entry)
krb5_context context;
- krb5_encrypt_block * master_eblock;
+ krb5_keyblock * master_key;
krb5_key_salt_tuple * ks_tuple;
int ks_tuple_count;
krb5_db_entry * db_entry;
@@ -237,7 +216,7 @@ krb5_dbe_crk(context, master_eblock, ks_tuple, ks_tuple_count, db_entry)
/* increment the kvno */
kvno++;
- if (retval = add_key_rnd(context, master_eblock, ks_tuple,
+ if (retval = add_key_rnd(context, master_key, ks_tuple,
ks_tuple_count, db_entry, kvno)) {
cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data);
db_entry->n_key_data = key_data_count;
@@ -255,9 +234,9 @@ krb5_dbe_crk(context, master_eblock, ks_tuple, ks_tuple_count, db_entry)
* As a side effect all old keys older than the max kvno are nuked.
*/
krb5_error_code
-krb5_dbe_ark(context, master_eblock, ks_tuple, ks_tuple_count, db_entry)
+krb5_dbe_ark(context, master_key, ks_tuple, ks_tuple_count, db_entry)
krb5_context context;
- krb5_encrypt_block * master_eblock;
+ krb5_keyblock * master_key;
krb5_key_salt_tuple * ks_tuple;
int ks_tuple_count;
krb5_db_entry * db_entry;
@@ -278,7 +257,7 @@ krb5_dbe_ark(context, master_eblock, ks_tuple, ks_tuple_count, db_entry)
/* increment the kvno */
kvno++;
- if (retval = add_key_rnd(context, master_eblock, ks_tuple,
+ if (retval = add_key_rnd(context, master_key, ks_tuple,
ks_tuple_count, db_entry, kvno)) {
cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data);
db_entry->n_key_data = key_data_count;
@@ -307,10 +286,10 @@ krb5_dbe_ark(context, master_eblock, ks_tuple, ks_tuple_count, db_entry)
* If passwd is NULL the assumes that the caller wants a random password.
*/
static krb5_error_code
-add_key_pwd(context, master_eblock, ks_tuple, ks_tuple_count, passwd,
+add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd,
db_entry, kvno)
krb5_context context;
- krb5_encrypt_block * master_eblock;
+ krb5_keyblock * master_key;
krb5_key_salt_tuple * ks_tuple;
int ks_tuple_count;
char * passwd;
@@ -318,7 +297,6 @@ add_key_pwd(context, master_eblock, ks_tuple, ks_tuple_count, passwd,
int kvno;
{
krb5_error_code retval;
- krb5_encrypt_block key_eblock;
krb5_keysalt key_salt;
krb5_keyblock key;
krb5_data pwd;
@@ -328,40 +306,30 @@ add_key_pwd(context, master_eblock, ks_tuple, ks_tuple_count, passwd,
retval = 0;
for (i = 0; i < ks_tuple_count; i++) {
- krb5_enctype new_enctype, old_enctype;
+ krb5_boolean similar;
+
+ similar = 0;
- switch (new_enctype = ks_tuple[i].ks_enctype) {
- case ENCTYPE_DES_CBC_MD4:
- case ENCTYPE_DES_CBC_MD5:
- case ENCTYPE_DES_CBC_RAW:
- new_enctype = ENCTYPE_DES_CBC_CRC;
- default:
- break;
- }
/*
* We could use krb5_keysalt_iterate to replace this loop, or use
* krb5_keysalt_is_present for the loop below, but we want to avoid
* circular library dependencies.
*/
- for (found = j = 0; j < i; j++) {
- if (ks_tuple[j].ks_salttype == ks_tuple[i].ks_salttype) {
- switch (old_enctype = ks_tuple[j].ks_enctype) {
- case ENCTYPE_DES_CBC_MD4:
- case ENCTYPE_DES_CBC_MD5:
- case ENCTYPE_DES_CBC_RAW:
- old_enctype = ENCTYPE_DES_CBC_CRC;
- default:
- break;
- }
- if (old_enctype == new_enctype) {
- found = 1;
- break;
- }
- }
+ for (j = 0; j < i; j++) {
+ if ((retval = krb5_c_enctype_compare(context,
+ ks_tuple[i].ks_enctype,
+ ks_tuple[j].ks_enctype,
+ &similar)))
+ return(retval);
+
+ if (similar &&
+ (ks_tuple[j].ks_salttype == ks_tuple[i].ks_salttype))
+ break;
}
- if (found)
+
+ if (j < i)
continue;
- krb5_use_enctype(context, &key_eblock, ks_tuple[i].ks_enctype);
+
if (retval = krb5_dbe_create_key_data(context, db_entry))
return(retval);
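Review bot: This duplicate-enctype scan and the one added to add_key_rnd are the same loop written two ways — here the exit test is `if (j < i) continue;`, there it is a second `if (similar)` that relies on `similar` still holding the value from the iteration that broke; the `j < i` form is the robust one, and both sites would be clearer as a single static helper returning whether `ks_tuple[i]` duplicates an earlier tuple, with the salt-type comparison as a flag. Note also that `similar = 0;` before the loop only matters when the loop body runs zero times, since `krb5_c_enctype_compare` overwrites it on every iteration. add_key_pwd continues outside this hunk.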
@@ -422,8 +390,9 @@ add_key_pwd(context, master_eblock, ks_tuple, ks_tuple_count, passwd,
pwd.data = passwd;
pwd.length = strlen(passwd);
- if (retval = krb5_string_to_key(context, &key_eblock, &key, &pwd,
- &key_salt.data)) {
+
+ if ((retval = krb5_c_string_to_key(context, ks_tuple[i].ks_enctype,
+ &pwd, &key_salt.data, &key))) {
if (key_salt.data.data)
free(key_salt.data.data);
return(retval);
@@ -433,7 +402,7 @@ add_key_pwd(context, master_eblock, ks_tuple, ks_tuple_count, passwd,
key_salt.data.length =
krb5_princ_realm(context, db_entry->princ)->length;
- if (retval = krb5_dbekd_encrypt_key_data(context, master_eblock, &key,
+ if (retval = krb5_dbekd_encrypt_key_data(context, master_key, &key,
(const krb5_keysalt *)&key_salt,
kvno, &db_entry->key_data[db_entry->n_key_data-1])) {
if (key_salt.data.data)
@@ -455,10 +424,10 @@ add_key_pwd(context, master_eblock, ks_tuple, ks_tuple_count, passwd,
* As a side effect all old keys are nuked.
*/
krb5_error_code
-krb5_dbe_cpw(context, master_eblock, ks_tuple, ks_tuple_count, passwd,
+krb5_dbe_cpw(context, master_key, ks_tuple, ks_tuple_count, passwd,
new_kvno, db_entry)
krb5_context context;
- krb5_encrypt_block * master_eblock;
+ krb5_keyblock * master_key;
krb5_key_salt_tuple * ks_tuple;
int ks_tuple_count;
char * passwd;
@@ -483,7 +452,7 @@ krb5_dbe_cpw(context, master_eblock, ks_tuple, ks_tuple_count, passwd,
if (new_kvno < old_kvno+1)
new_kvno = old_kvno+1;
- if (retval = add_key_pwd(context, master_eblock, ks_tuple, ks_tuple_count,
+ if (retval = add_key_pwd(context, master_key, ks_tuple, ks_tuple_count,
passwd, db_entry, new_kvno)) {
cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data);
db_entry->n_key_data = key_data_count;
@@ -501,9 +470,9 @@ krb5_dbe_cpw(context, master_eblock, ks_tuple, ks_tuple_count, passwd,
* As a side effect all old keys older than the max kvno are nuked.
*/
krb5_error_code
-krb5_dbe_apw(context, master_eblock, ks_tuple, ks_tuple_count, passwd, db_entry)
+krb5_dbe_apw(context, master_key, ks_tuple, ks_tuple_count, passwd, db_entry)
krb5_context context;
- krb5_encrypt_block * master_eblock;
+ krb5_keyblock * master_key;
krb5_key_salt_tuple * ks_tuple;
int ks_tuple_count;
char * passwd;
@@ -526,7 +495,7 @@ krb5_dbe_apw(context, master_eblock, ks_tuple, ks_tuple_count, passwd, db_entry)
/* increment the kvno */
new_kvno = old_kvno+1;
- if (retval = add_key_pwd(context, master_eblock, ks_tuple, ks_tuple_count,
+ if (retval = add_key_pwd(context, master_key, ks_tuple, ks_tuple_count,
passwd, db_entry, new_kvno)) {
cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data);
db_entry->n_key_data = key_data_count;
diff --git a/src/lib/kdb/kdb_db2.c b/src/lib/kdb/kdb_db2.c
index 80c9213dd3..ab4d07e231 100644
--- a/src/lib/kdb/kdb_db2.c
+++ b/src/lib/kdb/kdb_db2.c
@@ -22,6 +22,32 @@
*
*/
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
#if HAVE_UNISTD_H
#include <unistd.h>
#endif
@@ -325,9 +351,9 @@ krb5_db2_db_close_database(context)
* Set/Get the master key associated with the database
*/
krb5_error_code
-krb5_db2_db_set_mkey(context, eblock)
+krb5_db2_db_set_mkey(context, key)
krb5_context context;
- krb5_encrypt_block *eblock;
+ krb5_keyblock *key;
{
krb5_db2_context *db_ctx;
@@ -335,14 +361,14 @@ krb5_db2_db_set_mkey(context, eblock)
return(KRB5_KDB_DBNOTINITED);
db_ctx = context->db_context;
- db_ctx->db_master_key = eblock;
+ db_ctx->db_master_key = key;
return 0;
}
krb5_error_code
-krb5_db2_db_get_mkey(context, eblock)
+krb5_db2_db_get_mkey(context, key)
krb5_context context;
- krb5_encrypt_block **eblock;
+ krb5_keyblock **key;
{
krb5_db2_context *db_ctx;
@@ -350,7 +376,7 @@ krb5_db2_db_get_mkey(context, eblock)
return(KRB5_KDB_DBNOTINITED);
db_ctx = context->db_context;
- *eblock = db_ctx->db_master_key;
+ *key = db_ctx->db_master_key;
return 0;
}
diff --git a/src/lib/kdb/kdb_db2.h b/src/lib/kdb/kdb_db2.h
index d17fde4769..f2f01311e7 100644
--- a/src/lib/kdb/kdb_db2.h
+++ b/src/lib/kdb/kdb_db2.h
@@ -58,7 +58,7 @@ typedef struct _krb5_db2_context {
int db_locks_held; /* Number of times locked */
int db_lock_mode; /* Last lock mode, e.g. greatest*/
krb5_boolean db_nb_locks; /* [Non]Blocking lock modes */
- krb5_encrypt_block *db_master_key; /* Master key of database */
+ krb5_keyblock *db_master_key; /* Master key of database */
} krb5_db2_context;
#define KRB5_DB2_MAX_RETRY 5
diff --git a/src/lib/kdb/kdb_dbm.c b/src/lib/kdb/kdb_dbm.c
index 1ae241dfa0..7af32d720b 100644
--- a/src/lib/kdb/kdb_dbm.c
+++ b/src/lib/kdb/kdb_dbm.c
@@ -330,10 +330,10 @@ krb5_dbm_db_close_database(context)
* The should really reference the db_context
*/
krb5_error_code
-krb5_dbm_db_set_mkey(context, db_context, eblock)
+krb5_dbm_db_set_mkey(context, db_context, key)
krb5_context context;
krb5_db_context * db_context;
- krb5_encrypt_block * eblock;
+ krb5_keyblock * key;
{
krb5_db_context *db_ctx;
@@ -341,15 +341,15 @@ krb5_dbm_db_set_mkey(context, db_context, eblock)
return(KRB5_KDB_DBNOTINITED);
db_ctx = context->db_context;
- db_ctx->db_master_key = eblock;
+ db_ctx->db_master_key = key;
return 0;
}
krb5_error_code
-krb5_dbm_db_get_mkey(context, db_context, eblock)
+krb5_dbm_db_get_mkey(context, db_context, key)
krb5_context context;
krb5_db_context * db_context;
- krb5_encrypt_block **eblock;
+ krb5_keyblock **key;
{
krb5_db_context *db_ctx;
@@ -357,7 +357,7 @@ krb5_dbm_db_get_mkey(context, db_context, eblock)
return(KRB5_KDB_DBNOTINITED);
db_ctx = context->db_context;
- *eblock = db_ctx->db_master_key;
+ *key = db_ctx->db_master_key;
return 0;
}
diff --git a/src/lib/kdb/kdb_xdr.c b/src/lib/kdb/kdb_xdr.c
index 209e4f3ca9..a26b7f79da 100644
--- a/src/lib/kdb/kdb_xdr.c
+++ b/src/lib/kdb/kdb_xdr.c
@@ -735,40 +735,27 @@ krb5_dbe_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
}
}
- /*
- * ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD4, ENCTYPE_DES_CBC_MD5,
- * ENCTYPE_DES_CBC_RAW all use the same key.
- */
- switch (ktype) {
- case ENCTYPE_DES_CBC_MD4:
- case ENCTYPE_DES_CBC_MD5:
- case ENCTYPE_DES_CBC_RAW:
- ktype = ENCTYPE_DES_CBC_CRC;
- break;
- default:
- break;
- }
-
maxkvno = -1;
datap = (krb5_key_data *) NULL;
for (i = *start; i < dbentp->n_key_data; i++) {
- krb5_enctype db_ktype;
- krb5_int32 db_stype;
-
- switch (db_ktype = dbentp->key_data[i].key_data_type[0]) {
- case ENCTYPE_DES_CBC_MD4:
- case ENCTYPE_DES_CBC_MD5:
- case ENCTYPE_DES_CBC_RAW:
- db_ktype = ENCTYPE_DES_CBC_CRC;
- default:
- break;
- }
+ krb5_boolean similar;
+ krb5_error_code ret;
+ krb5_int32 db_stype;
+
if (dbentp->key_data[i].key_data_ver > 1) {
db_stype = dbentp->key_data[i].key_data_type[1];
} else {
db_stype = KRB5_KDB_SALTTYPE_NORMAL;
}
- if (((db_ktype == (krb5_enctype) ktype) || (ktype < 0)) &&
+
+ if (ktype >= 0) {
+ if ((ret = krb5_c_enctype_compare(kcontext, (krb5_enctype) ktype,
+ dbentp->key_data[i].key_data_type[0],
+ &similar)))
+ return(ret);
+ }
+
+ if (((ktype < 0) || similar) &&
((db_stype == stype) || (stype < 0))) {
if (kvno >= 0) {
if (kvno == dbentp->key_data[i].key_data_kvno) {
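Review bot: `similar` is declared without an initializer and assigned only under `if (ktype >= 0)`, so the `((ktype < 0) || similar)` test is correct only because `||` short-circuits — the re-ordering the ChangeLog entry describes; initializing it at its declaration, `krb5_boolean similar = 0;`, removes the dependence on evaluation order and keeps an indeterminate value from being read if the condition is ever rearranged again. The early `return(ret)` inside the search loop is fine only as long as this function holds no resources at that point, which the visible lines suggest but do not prove. krb5_dbe_search_enctype begins and ends outside this hunk.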
diff --git a/src/lib/kdb/keytab.c b/src/lib/kdb/keytab.c
index 9c184b5148..63a7bf7c88 100644
--- a/src/lib/kdb/keytab.c
+++ b/src/lib/kdb/keytab.c
@@ -89,7 +89,7 @@ krb5_ktkdb_get_entry(context, id, principal, kvno, enctype, entry)
krb5_enctype enctype;
krb5_keytab_entry * entry;
{
- krb5_encrypt_block * master_key;
+ krb5_keyblock * master_key;
krb5_error_code kerror = 0;
krb5_key_data * key_data;
krb5_db_entry db_entry;
diff --git a/src/lib/kdb/verify_mky.c b/src/lib/kdb/verify_mky.c
index 121c721488..4bab17024e 100644
--- a/src/lib/kdb/verify_mky.c
+++ b/src/lib/kdb/verify_mky.c
@@ -29,16 +29,13 @@
/*
* Verify that the master key in *mkey matches the database entry
* for mprinc.
- *
- * eblock points to an encrypt_block used for the realm in question.
*/
krb5_error_code
-krb5_db_verify_master_key(context, mprinc, mkey, eblock)
+krb5_db_verify_master_key(context, mprinc, mkey)
krb5_context context;
krb5_principal mprinc;
krb5_keyblock *mkey;
- krb5_encrypt_block *eblock;
{
krb5_error_code retval;
krb5_db_entry master_entry;
@@ -60,24 +57,18 @@ krb5_db_verify_master_key(context, mprinc, mkey, eblock)
return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
}
- /* do any necessary key pre-processing */
- if ((retval = krb5_process_key(context, eblock, mkey))) {
- krb5_db_free_principal(context, &master_entry, nprinc);
- return(retval);
- }
- if ((retval = krb5_dbekd_decrypt_key_data(context, eblock,
+ if ((retval = krb5_dbekd_decrypt_key_data(context, mkey,
&master_entry.key_data[0],
&tempkey, NULL))) {
- (void) krb5_finish_key(context, eblock);
krb5_db_free_principal(context, &master_entry, nprinc);
return retval;
}
+
if (mkey->length != tempkey.length ||
- memcmp((char *)mkey->contents, (char *)tempkey.contents,mkey->length)) {
+ memcmp((char *)mkey->contents,
+ (char *)tempkey.contents,mkey->length)) {
retval = KRB5_KDB_BADMASTERKEY;
- (void) krb5_finish_key(context, eblock);
- } else
- retval = krb5_finish_key(context, eblock);
+ }
memset((char *)tempkey.contents, 0, tempkey.length);
krb5_xfree(tempkey.contents);