Consolidate the IOV and non-IOV encryption/decryption code paths, and

drop the _iov suffix from most encryption- and decryption-related functions. The enc_provider encrypt and decrypt functions take IOVs, as do the enctype entries in etypes.c, and there are no separate encrypt_iov or decrypt_iov functions. aead_provider is gone. Enctype functions now take pointers to the enctype entry instead of pointers to the enc/hash/aead providers; this allows dk_encrypt and dk_decrypt to be polymorphic in the length function they use now that AES and DES3 can't differentiate by aead provider. aes_string_to_key needed to be moved into the krb/ fold for this since it's an enctype function; it was duplicated between builtin/ and openssl/ before. This leaves openssl/aes empty; the build system currently demands that all modules have the same directory structure, so the directory and Makefile will stick around for now. Three separate copies of the derive_random logic are also now consolidated into one. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23444 dc483132-0cff-0310-8789-dd5450dbe970
author: Greg Hudson <ghudson@mit.edu> 2009-12-04 05:12:35 +0000
committer: Greg Hudson <ghudson@mit.edu> 2009-12-04 05:12:35 +0000
commit: 5ffa313d9f6b7c509aa0d7579273150d71ea0f95 (patch)
tree: 48f8d5606c919dd09d950c5cbf1609f312f2937d /src/lib/crypto/krb/dk/stringtokey.c
parent: ea6f77d42700352fcb2a06444d1dc00acf7c20fc (diff)
download: krb5-5ffa313d9f6b7c509aa0d7579273150d71ea0f95.tar.gz
krb5-5ffa313d9f6b7c509aa0d7579273150d71ea0f95.tar.xz
krb5-5ffa313d9f6b7c509aa0d7579273150d71ea0f95.zip
1 files changed, 63 insertions, 2 deletions
diff --git a/src/lib/crypto/krb/dk/stringtokey.c b/src/lib/crypto/krb/dk/stringtokey.c
index ff436e6ee..9a491879d 100644
--- a/src/lib/crypto/krb/dk/stringtokey.c
+++ b/src/lib/crypto/krb/dk/stringtokey.c
@@ -31,10 +31,11 @@ static const unsigned char kerberos[] = "kerberos";
 #define kerberos_len (sizeof(kerberos)-1)
 
 krb5_error_code
-krb5int_dk_string_to_key(const struct krb5_enc_provider *enc,
+krb5int_dk_string_to_key(const struct krb5_keytypes *ktp,
                          const krb5_data *string, const krb5_data *salt,
                          const krb5_data *parms, krb5_keyblock *keyblock)
 {
+    const struct krb5_enc_provider *enc = ktp->enc;
     krb5_error_code ret;
     size_t keybytes, keylength, concatlen;
     unsigned char *concat = NULL, *foldstring = NULL, *foldkeydata = NULL;
@@ -72,7 +73,7 @@ krb5int_dk_string_to_key(const struct krb5_enc_provider *enc,
     foldkeyblock.length = keylength;
     foldkeyblock.contents = foldkeydata;
 
-    ret = (*enc->make_key)(&indata, &foldkeyblock);
+    ret = enc->make_key(&indata, &foldkeyblock);
     if (ret != 0)
         goto cleanup;
 
@@ -96,3 +97,63 @@ cleanup:
     krb5_k_free_key(NULL, foldkey);
     return ret;
 }
+
+
+#define DEFAULT_ITERATION_COUNT         4096 /* was 0xb000L in earlier drafts */
+#define MAX_ITERATION_COUNT             0x1000000L
+
+krb5_error_code
+krb5int_aes_string_to_key(const struct krb5_keytypes *ktp,
+                          const krb5_data *string,
+                          const krb5_data *salt,
+                          const krb5_data *params,
+                          krb5_keyblock *key)
+{
+    unsigned long iter_count;
+    krb5_data out;
+    static const krb5_data usage = { KV5M_DATA, 8, "kerberos" };
+    krb5_key tempkey = NULL;
+    krb5_error_code err;
+
+    if (params) {
+        unsigned char *p = (unsigned char *) params->data;
+        if (params->length != 4)
+            return KRB5_ERR_BAD_S2K_PARAMS;
+        /* The first two need casts in case 'int' is 16 bits.  */
+        iter_count = load_32_be(p);
+        if (iter_count == 0) {
+            iter_count = (1UL << 16) << 16;
+            if (((iter_count >> 16) >> 16) != 1)
+                return KRB5_ERR_BAD_S2K_PARAMS;
+        }
+    } else
+        iter_count = DEFAULT_ITERATION_COUNT;
+
+    /* This is not a protocol specification constraint; this is an
+       implementation limit, which should eventually be controlled by
+       a config file.  */
+    if (iter_count >= MAX_ITERATION_COUNT)
+        return KRB5_ERR_BAD_S2K_PARAMS;
+
+    /* Use the output keyblock contents for temporary space. */
+    out.data = (char *) key->contents;
+    out.length = key->length;
+    if (out.length != 16 && out.length != 32)
+        return KRB5_CRYPTO_INTERNAL;
+
+    err = krb5int_pbkdf2_hmac_sha1 (&out, iter_count, string, salt);
+    if (err)
+        goto cleanup;
+
+    err = krb5_k_create_key (NULL, key, &tempkey);
+    if (err)
+        goto cleanup;
+
+    err = krb5int_derive_keyblock(ktp->enc, tempkey, key, &usage);
+
+cleanup:
+    if (err)
+        memset (out.data, 0, out.length);
+    krb5_k_free_key (NULL, tempkey);
+    return err;
+}
author	Greg Hudson <ghudson@mit.edu>	2009-12-04 05:12:35 +0000
committer	Greg Hudson <ghudson@mit.edu>	2009-12-04 05:12:35 +0000
commit	5ffa313d9f6b7c509aa0d7579273150d71ea0f95 (patch)
tree	48f8d5606c919dd09d950c5cbf1609f312f2937d /src/lib/crypto/krb/dk/stringtokey.c
parent	ea6f77d42700352fcb2a06444d1dc00acf7c20fc (diff)
download	krb5-5ffa313d9f6b7c509aa0d7579273150d71ea0f95.tar.gz krb5-5ffa313d9f6b7c509aa0d7579273150d71ea0f95.tar.xz krb5-5ffa313d9f6b7c509aa0d7579273150d71ea0f95.zip