diff options
| -rw-r--r-- | src/include/k5-int.h | 63 | ||||
| -rw-r--r-- | src/lib/crypto/cksumtypes.c | 37 | ||||
| -rw-r--r-- | src/lib/crypto/cksumtypes.h | 29 | ||||
| -rw-r--r-- | src/lib/crypto/etypes.c | 112 | ||||
| -rw-r--r-- | src/lib/crypto/etypes.h | 36 | ||||
| -rw-r--r-- | src/lib/crypto/string_to_cksumtype.c | 14 | ||||
| -rw-r--r-- | src/lib/crypto/string_to_enctype.c | 16 |
7 files changed, 120 insertions, 187 deletions
diff --git a/src/include/k5-int.h b/src/include/k5-int.h index 78b271065b..f3da373bc2 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -657,69 +657,6 @@ struct krb5_aead_provider { size_t num_data); }; -typedef void (*krb5_encrypt_length_func) (const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - size_t inputlen, size_t *length); - -typedef krb5_error_code (*krb5_crypt_func) (const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - const krb5_keyblock *key, krb5_keyusage keyusage, - const krb5_data *ivec, - const krb5_data *input, krb5_data *output); - -typedef krb5_error_code (*krb5_str2key_func) (const struct krb5_enc_provider *enc, const krb5_data *string, - const krb5_data *salt, const krb5_data *parm, krb5_keyblock *key); - -typedef krb5_error_code (*krb5_prf_func)( - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - const krb5_keyblock *key, - const krb5_data *in, krb5_data *out); - -struct krb5_keytypes { - krb5_enctype etype; - char *in_string; - char *out_string; - const struct krb5_enc_provider *enc; - const struct krb5_hash_provider *hash; - size_t prf_length; - krb5_encrypt_length_func encrypt_len; - krb5_crypt_func encrypt; - krb5_crypt_func decrypt; - krb5_str2key_func str2key; - krb5_prf_func prf; - krb5_cksumtype required_ctype; - const struct krb5_aead_provider *aead; -}; - -struct krb5_cksumtypes { - krb5_cksumtype ctype; - unsigned int flags; - char *in_string; - char *out_string; - /* if the hash is keyed, this is the etype it is keyed with. - Actually, it can be keyed by any etype which has the same - enc_provider as the specified etype. DERIVE checksums can - be keyed with any valid etype. */ - krb5_enctype keyed_etype; - /* I can't statically initialize a union, so I'm just going to use - two pointers here. The keyhash is used if non-NULL. If NULL, - then HMAC/hash with derived keys is used if the relevant flag - is set. Otherwise, a non-keyed hash is computed. This is all - kind of messy, but so is the krb5 api. */ - const struct krb5_keyhash_provider *keyhash; - const struct krb5_hash_provider *hash; - /* This just gets uglier and uglier. In the key derivation case, - we produce an hmac. To make the hmac code work, we can't hack - the output size indicated by the hash provider, but we may want - a truncated hmac. If we want truncation, this is the number of - bytes we truncate to; it should be 0 otherwise. */ - unsigned int trunc_size; -}; - -#define KRB5_CKSUMFLAG_DERIVE 0x0001 -#define KRB5_CKSUMFLAG_NOT_COLL_PROOF 0x0002 - /* * in here to deal with stuff from lib/crypto */ diff --git a/src/lib/crypto/cksumtypes.c b/src/lib/crypto/cksumtypes.c index fca48e29a5..037e53f495 100644 --- a/src/lib/crypto/cksumtypes.c +++ b/src/lib/crypto/cksumtypes.c @@ -31,69 +31,58 @@ const struct krb5_cksumtypes krb5_cksumtypes_list[] = { { CKSUMTYPE_CRC32, KRB5_CKSUMFLAG_NOT_COLL_PROOF, - "crc32", "CRC-32", + "crc32", { 0 }, "CRC-32", 0, NULL, &krb5int_hash_crc32 }, { CKSUMTYPE_RSA_MD4, 0, - "md4", "RSA-MD4", + "md4", { 0 }, "RSA-MD4", 0, NULL, &krb5int_hash_md4 }, { CKSUMTYPE_RSA_MD4_DES, 0, - "md4-des", "RSA-MD4 with DES cbc mode", + "md4-des", { 0 }, "RSA-MD4 with DES cbc mode", ENCTYPE_DES_CBC_CRC, &krb5int_keyhash_md4des, NULL }, { CKSUMTYPE_DESCBC, 0, - "des-cbc", "DES cbc mode", + "des-cbc", { 0 }, "DES cbc mode", ENCTYPE_DES_CBC_CRC, &krb5int_keyhash_descbc, NULL }, { CKSUMTYPE_RSA_MD5, 0, - "md5", "RSA-MD5", + "md5", { 0 }, "RSA-MD5", 0, NULL, &krb5int_hash_md5 }, { CKSUMTYPE_RSA_MD5_DES, 0, - "md5-des", "RSA-MD5 with DES cbc mode", + "md5-des", { 0 }, "RSA-MD5 with DES cbc mode", ENCTYPE_DES_CBC_CRC, &krb5int_keyhash_md5des, NULL }, { CKSUMTYPE_NIST_SHA, 0, - "sha", "NIST-SHA", + "sha", { 0 }, "NIST-SHA", 0, NULL, &krb5int_hash_sha1 }, { CKSUMTYPE_HMAC_SHA1_DES3, KRB5_CKSUMFLAG_DERIVE, - "hmac-sha1-des3", "HMAC-SHA1 DES3 key", + "hmac-sha1-des3", { "hmac-sha1-des3-kd" }, "HMAC-SHA1 DES3 key", 0, NULL, &krb5int_hash_sha1 }, - { CKSUMTYPE_HMAC_SHA1_DES3, KRB5_CKSUMFLAG_DERIVE, - "hmac-sha1-des3-kd", "HMAC-SHA1 DES3 key", /* alias */ - 0, NULL, - &krb5int_hash_sha1 }, - { CKSUMTYPE_HMAC_MD5_ARCFOUR, 0, - "hmac-md5-rc4", "Microsoft HMAC MD5 (RC4 key)", - ENCTYPE_ARCFOUR_HMAC, &krb5int_keyhash_hmac_md5, - NULL }, - { CKSUMTYPE_HMAC_MD5_ARCFOUR, 0, - "hmac-md5-enc", "Microsoft HMAC MD5 (RC4 key)", /*Heimdal alias*/ - ENCTYPE_ARCFOUR_HMAC, &krb5int_keyhash_hmac_md5, - NULL }, { CKSUMTYPE_HMAC_MD5_ARCFOUR, 0, - "hmac-md5-earcfour", "Microsoft HMAC MD5 (RC4 key)", /* alias*/ + "hmac-md5-rc4", { "hmac-md5-enc", "hmac-md5-earcfour" }, + "Microsoft HMAC MD5 (RC4 key)", ENCTYPE_ARCFOUR_HMAC, &krb5int_keyhash_hmac_md5, NULL }, { CKSUMTYPE_HMAC_SHA1_96_AES128, KRB5_CKSUMFLAG_DERIVE, - "hmac-sha1-96-aes128", "HMAC-SHA1 AES128 key", + "hmac-sha1-96-aes128", { 0 }, "HMAC-SHA1 AES128 key", 0, NULL, &krb5int_hash_sha1, 12 }, { CKSUMTYPE_HMAC_SHA1_96_AES256, KRB5_CKSUMFLAG_DERIVE, - "hmac-sha1-96-aes256", "HMAC-SHA1 AES256 key", + "hmac-sha1-96-aes256", { 0 }, "HMAC-SHA1 AES256 key", 0, NULL, &krb5int_hash_sha1, 12 }, { CKSUMTYPE_MD5_HMAC_ARCFOUR, 0, - "md5-hmac-rc4", "Microsoft MD5 HMAC (RC4 key)", + "md5-hmac-rc4", { 0 }, "Microsoft MD5 HMAC (RC4 key)", ENCTYPE_ARCFOUR_HMAC, &krb5int_keyhash_md5_hmac, NULL } }; diff --git a/src/lib/crypto/cksumtypes.h b/src/lib/crypto/cksumtypes.h index ef23169fab..71409d4272 100644 --- a/src/lib/crypto/cksumtypes.h +++ b/src/lib/crypto/cksumtypes.h @@ -26,5 +26,34 @@ #include "k5-int.h" +struct krb5_cksumtypes { + krb5_cksumtype ctype; + unsigned int flags; + char *name; + char *aliases[2]; + char *out_string; + /* if the hash is keyed, this is the etype it is keyed with. + Actually, it can be keyed by any etype which has the same + enc_provider as the specified etype. DERIVE checksums can + be keyed with any valid etype. */ + krb5_enctype keyed_etype; + /* I can't statically initialize a union, so I'm just going to use + two pointers here. The keyhash is used if non-NULL. If NULL, + then HMAC/hash with derived keys is used if the relevant flag + is set. Otherwise, a non-keyed hash is computed. This is all + kind of messy, but so is the krb5 api. */ + const struct krb5_keyhash_provider *keyhash; + const struct krb5_hash_provider *hash; + /* This just gets uglier and uglier. In the key derivation case, + we produce an hmac. To make the hmac code work, we can't hack + the output size indicated by the hash provider, but we may want + a truncated hmac. If we want truncation, this is the number of + bytes we truncate to; it should be 0 otherwise. */ + unsigned int trunc_size; +}; + +#define KRB5_CKSUMFLAG_DERIVE 0x0001 +#define KRB5_CKSUMFLAG_NOT_COLL_PROOF 0x0002 + extern const struct krb5_cksumtypes krb5_cksumtypes_list[]; extern const unsigned int krb5_cksumtypes_length; diff --git a/src/lib/crypto/etypes.c b/src/lib/crypto/etypes.c index de11787d14..c300f3b2c1 100644 --- a/src/lib/crypto/etypes.c +++ b/src/lib/crypto/etypes.c @@ -42,7 +42,7 @@ const struct krb5_keytypes krb5_enctypes_list[] = { { ENCTYPE_DES_CBC_CRC, - "des-cbc-crc", "DES cbc mode with CRC-32", + "des-cbc-crc", { 0 }, "DES cbc mode with CRC-32", &krb5int_enc_des, &krb5int_hash_crc32, 8, krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt, @@ -51,7 +51,7 @@ const struct krb5_keytypes krb5_enctypes_list[] = { CKSUMTYPE_RSA_MD5, NULL /*AEAD*/ }, { ENCTYPE_DES_CBC_MD4, - "des-cbc-md4", "DES cbc mode with RSA-MD4", + "des-cbc-md4", { 0 }, "DES cbc mode with RSA-MD4", &krb5int_enc_des, &krb5int_hash_md4, 8, krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt, @@ -60,7 +60,7 @@ const struct krb5_keytypes krb5_enctypes_list[] = { CKSUMTYPE_RSA_MD4, NULL /*AEAD*/ }, { ENCTYPE_DES_CBC_MD5, - "des-cbc-md5", "DES cbc mode with RSA-MD5", + "des-cbc-md5", { "des" }, "DES cbc mode with RSA-MD5", &krb5int_enc_des, &krb5int_hash_md5, 8, krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt, @@ -68,18 +68,8 @@ const struct krb5_keytypes krb5_enctypes_list[] = { NULL, /*PRF*/ CKSUMTYPE_RSA_MD5, NULL /*AEAD*/ }, - { ENCTYPE_DES_CBC_MD5, - "des", "DES cbc mode with RSA-MD5", /* alias */ - &krb5int_enc_des, &krb5int_hash_md5, - 8, - krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt, - krb5int_des_string_to_key, - NULL, /*PRF*/ - CKSUMTYPE_RSA_MD5, - NULL /*AEAD*/ }, - { ENCTYPE_DES_CBC_RAW, - "des-cbc-raw", "DES cbc mode raw", + "des-cbc-raw", { 0 }, "DES cbc mode raw", &krb5int_enc_des, NULL, 8, krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt, @@ -88,7 +78,7 @@ const struct krb5_keytypes krb5_enctypes_list[] = { 0, &krb5int_aead_raw }, { ENCTYPE_DES3_CBC_RAW, - "des3-cbc-raw", "Triple DES cbc mode raw", + "des3-cbc-raw", { 0 }, "Triple DES cbc mode raw", &krb5int_enc_des3, NULL, 8, krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt, @@ -98,25 +88,8 @@ const struct krb5_keytypes krb5_enctypes_list[] = { &krb5int_aead_raw }, { ENCTYPE_DES3_CBC_SHA1, - "des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1", - &krb5int_enc_des3, &krb5int_hash_sha1, - 8, - krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt, - krb5int_dk_string_to_key, - NULL, /*PRF*/ - CKSUMTYPE_HMAC_SHA1_DES3, - &krb5int_aead_dk }, - { ENCTYPE_DES3_CBC_SHA1, /* alias */ - "des3-hmac-sha1", "Triple DES cbc mode with HMAC/sha1", - &krb5int_enc_des3, &krb5int_hash_sha1, - 8, - krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt, - krb5int_dk_string_to_key, - NULL, /*PRF*/ - CKSUMTYPE_HMAC_SHA1_DES3, - &krb5int_aead_dk }, - { ENCTYPE_DES3_CBC_SHA1, /* alias */ - "des3-cbc-sha1-kd", "Triple DES cbc mode with HMAC/sha1", + "des3-cbc-sha1", { "des3-hmac-sha1", "des3-cbc-sha1-kd" }, + "Triple DES cbc mode with HMAC/sha1", &krb5int_enc_des3, &krb5int_hash_sha1, 8, krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt, @@ -126,7 +99,7 @@ const struct krb5_keytypes krb5_enctypes_list[] = { &krb5int_aead_dk }, { ENCTYPE_DES_HMAC_SHA1, - "des-hmac-sha1", "DES with HMAC/sha1", + "des-hmac-sha1", { 0 }, "DES with HMAC/sha1", &krb5int_enc_des, &krb5int_hash_sha1, 8, krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt, @@ -135,34 +108,8 @@ const struct krb5_keytypes krb5_enctypes_list[] = { 0, NULL }, { ENCTYPE_ARCFOUR_HMAC, - "arcfour-hmac","ArcFour with HMAC/md5", &krb5int_enc_arcfour, - &krb5int_hash_md5, - 0, -krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, - krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, - NULL, /*PRF*/ - CKSUMTYPE_HMAC_MD5_ARCFOUR, - &krb5int_aead_arcfour }, - { ENCTYPE_ARCFOUR_HMAC, /* alias */ - "rc4-hmac", "ArcFour with HMAC/md5", &krb5int_enc_arcfour, - &krb5int_hash_md5, - 0, - krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, - krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, - NULL, /*PRF*/ - CKSUMTYPE_HMAC_MD5_ARCFOUR, - &krb5int_aead_arcfour }, - { ENCTYPE_ARCFOUR_HMAC, /* alias */ - "arcfour-hmac-md5", "ArcFour with HMAC/md5", &krb5int_enc_arcfour, - &krb5int_hash_md5, - 0, - krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, - krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, - NULL, /*PRF*/ - CKSUMTYPE_HMAC_MD5_ARCFOUR, - &krb5int_aead_arcfour }, - { ENCTYPE_ARCFOUR_HMAC_EXP, - "arcfour-hmac-exp", "Exportable ArcFour with HMAC/md5", + "arcfour-hmac", { "rc4-hmac", "arcfour-hmac-md5" }, + "ArcFour with HMAC/md5", &krb5int_enc_arcfour, &krb5int_hash_md5, 0, @@ -171,18 +118,9 @@ krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, NULL, /*PRF*/ CKSUMTYPE_HMAC_MD5_ARCFOUR, &krb5int_aead_arcfour }, - { ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */ - "rc4-hmac-exp", "Exportable ArcFour with HMAC/md5", - &krb5int_enc_arcfour, - &krb5int_hash_md5, - 0, - krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, - krb5_arcfour_decrypt, krb5int_arcfour_string_to_key, - NULL, /*PRF*/ - CKSUMTYPE_HMAC_MD5_ARCFOUR, - &krb5int_aead_arcfour }, - { ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */ - "arcfour-hmac-md5-exp", "Exportable ArcFour with HMAC/md5", + { ENCTYPE_ARCFOUR_HMAC_EXP, + "arcfour-hmac-exp", { "rc4-hmac-exp", "arcfour-hmac-md5-exp" }, + "Exportable ArcFour with HMAC/md5", &krb5int_enc_arcfour, &krb5int_hash_md5, 0, @@ -193,16 +131,8 @@ krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, &krb5int_aead_arcfour }, { ENCTYPE_AES128_CTS_HMAC_SHA1_96, - "aes128-cts-hmac-sha1-96", "AES-128 CTS mode with 96-bit SHA-1 HMAC", - &krb5int_enc_aes128, &krb5int_hash_sha1, - 16, - krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt, - krb5int_aes_string_to_key, - krb5int_dk_prf, - CKSUMTYPE_HMAC_SHA1_96_AES128, - &krb5int_aead_aes }, - { ENCTYPE_AES128_CTS_HMAC_SHA1_96, /* alias */ - "aes128-cts", "AES-128 CTS mode with 96-bit SHA-1 HMAC", + "aes128-cts-hmac-sha1-96", { "aes128-cts" }, + "AES-128 CTS mode with 96-bit SHA-1 HMAC", &krb5int_enc_aes128, &krb5int_hash_sha1, 16, krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt, @@ -211,16 +141,8 @@ krb5_arcfour_encrypt_length, krb5_arcfour_encrypt, CKSUMTYPE_HMAC_SHA1_96_AES128, &krb5int_aead_aes }, { ENCTYPE_AES256_CTS_HMAC_SHA1_96, - "aes256-cts-hmac-sha1-96", "AES-256 CTS mode with 96-bit SHA-1 HMAC", - &krb5int_enc_aes256, &krb5int_hash_sha1, - 16, - krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt, - krb5int_aes_string_to_key, - krb5int_dk_prf, - CKSUMTYPE_HMAC_SHA1_96_AES256, - &krb5int_aead_aes }, - { ENCTYPE_AES256_CTS_HMAC_SHA1_96, /* alias */ - "aes256-cts", "AES-256 CTS mode with 96-bit SHA-1 HMAC", + "aes256-cts-hmac-sha1-96", { "aes256-cts" }, + "AES-256 CTS mode with 96-bit SHA-1 HMAC", &krb5int_enc_aes256, &krb5int_hash_sha1, 16, krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt, diff --git a/src/lib/crypto/etypes.h b/src/lib/crypto/etypes.h index ca94e56ffa..af2718d826 100644 --- a/src/lib/crypto/etypes.h +++ b/src/lib/crypto/etypes.h @@ -26,5 +26,41 @@ #include "k5-int.h" +typedef void (*krb5_encrypt_length_func) (const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + size_t inputlen, size_t *length); + +typedef krb5_error_code (*krb5_crypt_func) (const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, krb5_keyusage keyusage, + const krb5_data *ivec, + const krb5_data *input, krb5_data *output); + +typedef krb5_error_code (*krb5_str2key_func) (const struct krb5_enc_provider *enc, const krb5_data *string, + const krb5_data *salt, const krb5_data *parm, krb5_keyblock *key); + +typedef krb5_error_code (*krb5_prf_func)( + const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, + const krb5_data *in, krb5_data *out); + +struct krb5_keytypes { + krb5_enctype etype; + char *name; + char *aliases[2]; + char *out_string; + const struct krb5_enc_provider *enc; + const struct krb5_hash_provider *hash; + size_t prf_length; + krb5_encrypt_length_func encrypt_len; + krb5_crypt_func encrypt; + krb5_crypt_func decrypt; + krb5_str2key_func str2key; + krb5_prf_func prf; + krb5_cksumtype required_ctype; + const struct krb5_aead_provider *aead; +}; + extern const struct krb5_keytypes krb5_enctypes_list[]; extern const int krb5_enctypes_length; diff --git a/src/lib/crypto/string_to_cksumtype.c b/src/lib/crypto/string_to_cksumtype.c index a796851457..5a3c70d731 100644 --- a/src/lib/crypto/string_to_cksumtype.c +++ b/src/lib/crypto/string_to_cksumtype.c @@ -30,13 +30,23 @@ krb5_error_code KRB5_CALLCONV krb5_string_to_cksumtype(char *string, krb5_cksumtype *cksumtypep) { - unsigned int i; + unsigned int i, j; for (i=0; i<krb5_cksumtypes_length; i++) { - if (strcasecmp(krb5_cksumtypes_list[i].in_string, string) == 0) { + if (strcasecmp(krb5_cksumtypes_list[i].name, string) == 0) { *cksumtypep = krb5_cksumtypes_list[i].ctype; return(0); } +#define MAX_ALIASES (sizeof(krb5_cksumtypes_list[i].aliases) / sizeof(krb5_cksumtypes_list[i].aliases[0])) + for (j = 0; j < MAX_ALIASES; j++) { + const char *alias = krb5_cksumtypes_list[i].aliases[j]; + if (alias == NULL) + break; + if (strcasecmp(alias, string) == 0) { + *cksumtypep = krb5_cksumtypes_list[i].ctype; + return 0; + } + } } return(EINVAL); diff --git a/src/lib/crypto/string_to_enctype.c b/src/lib/crypto/string_to_enctype.c index 9d3245bf01..cda6634206 100644 --- a/src/lib/crypto/string_to_enctype.c +++ b/src/lib/crypto/string_to_enctype.c @@ -30,12 +30,22 @@ krb5_error_code KRB5_CALLCONV krb5_string_to_enctype(char *string, krb5_enctype *enctypep) { - int i; + int i, j; for (i=0; i<krb5_enctypes_length; i++) { - if (strcasecmp(krb5_enctypes_list[i].in_string, string) == 0) { + if (strcasecmp(krb5_enctypes_list[i].name, string) == 0) { *enctypep = krb5_enctypes_list[i].etype; - return(0); + return 0; + } +#define MAX_ALIASES (sizeof(krb5_enctypes_list[i].aliases) / sizeof(krb5_enctypes_list[i].aliases[0])) + for (j = 0; j < MAX_ALIASES; j++) { + const char *alias = krb5_enctypes_list[i].aliases[j]; + if (alias == NULL) + break; + if (strcasecmp(alias, string) == 0) { + *enctypep = krb5_enctypes_list[i].etype; + return 0; + } } } |