| author | Greg Hudson <ghudson@mit.edu> | 2011-03-11 04:20:17 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2011-03-11 04:20:17 +0000 |
| commit | e8720a1caf469a233feabfea7883c0b5146d08d6 (patch) | |
| tree | 00780be006af72d3ebc9406b472115185e491390 /src/lib/crypto/openssl | |
| parent | 01f37143f5623686b07b2ffa80e1564eb52f9ccc (diff) | |
Move the des and AFS string-to-key implementations into lib/crypto/krb,
since they aren't standard crypto primitives. Revise the module SPI
accordingly. Add tests for AFS string-to-key to t_str2key.c to replace
the ones in the (now defunct) t_afss2k.c.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24699 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/crypto/openssl')
| -rw-r--r-- | src/lib/crypto/openssl/des/Makefile.in | 13 | ||||
| -rw-r--r-- | src/lib/crypto/openssl/des/des_keys.c (renamed from src/lib/crypto/openssl/des/f_parity.c) | 14 | ||||
| -rw-r--r-- | src/lib/crypto/openssl/des/des_oldapis.c | 34 | ||||
| -rw-r--r-- | src/lib/crypto/openssl/des/string2key.c | 52 | ||||
| -rw-r--r-- | src/lib/crypto/openssl/enc_provider/des.c | 41 |
5 files changed, 53 insertions, 101 deletions
diff --git a/src/lib/crypto/openssl/des/Makefile.in b/src/lib/crypto/openssl/des/Makefile.in
index 4907bc89d..ac113f7c8 100644
--- a/src/lib/crypto/openssl/des/Makefile.in
+++ b/src/lib/crypto/openssl/des/Makefile.in
@@ -7,18 +7,11 @@ RUN_SETUP = @KRB5_RUN_ENV@
 PROG_LIBPATH=-L$(TOPLIBD)
 PROG_RPATH=$(KRB5_LIBDIR)
+STLIBOBJS= des_keys.o
-STLIBOBJS= des_oldapis.o \
- f_parity.o \
- string2key.o
+OBJS= $(OUTPRE)des_keys.$(OBJEXT)
-OBJS= $(OUTPRE)f_parity.$(OBJEXT) \
- $(OUTPRE)des_oldapis.$(OBJEXT) \
- $(OUTPRE)string2key.$(OBJEXT)
-
-SRCS= $(srcdir)/f_parity.c \
- $(srcdir)/des_oldapis.c \
- $(srcdir)/string2key.c
+SRCS= $(srcdir)/des_keys.c
 all-unix:: all-libobjs
diff --git a/src/lib/crypto/openssl/des/f_parity.c b/src/lib/crypto/openssl/des/des_keys.c
index f5744726a..51d9db216 100644
--- a/src/lib/crypto/openssl/des/f_parity.c
+++ b/src/lib/crypto/openssl/des/des_keys.c
@@ -1,7 +1,7 @@
 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/openssl/des/f_parity.c */
+/* lib/crypto/openssl/des/des_keys.c - Key functions used by Kerberos code */
 /*
- * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * Copyright (C) 2011 by the Massachusetts Institute of Technology.
 * All rights reserved.
 *
 * Export of this software from the United States of America may
@@ -28,7 +28,13 @@
 #include <openssl/des.h>
 void
-mit_des_fixup_key_parity(unsigned char *key)
+k5_des_fixup_key_parity(unsigned char *keybits)
 {
- DES_set_odd_parity((DES_cblock *)key);
+ DES_set_odd_parity((DES_cblock *)keybits);
+}
+
+krb5_boolean
+k5_des_is_weak_key(unsigned char *keybits)
+{
+ return DES_is_weak_key((DES_cblock *)keybits);
 }
diff --git a/src/lib/crypto/openssl/des/des_oldapis.c b/src/lib/crypto/openssl/des/des_oldapis.c
deleted file mode 100644
index 584140f2c..000000000
--- a/src/lib/crypto/openssl/des/des_oldapis.c
+++ /dev/null
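Review bot: k5_des_is_weak_key in des_keys.c carries no comment stating its input contract, and the cast to `DES_cblock *` makes the callee read eight bytes whatever the caller passed. OpenSSL's DES_is_weak_key matches the key bytes exactly against a table of odd-parity weak keys, so a weak key whose parity bits have not been corrected would be reported as not weak. I would add `/* keybits must point to 8 bytes with parity already fixed (see k5_des_fixup_key_parity); the check is an exact match against odd-parity weak keys. */` above the function. The callers are outside this diff, so whether they already fix parity before testing should be confirmed.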
@@ -1,34 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/openssl/des/des_oldapis.c */
-/*
- * Copyright (C) 2009 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "crypto_int.h"
-
-krb5_error_code
-mit_afs_string_to_key(krb5_keyblock *keyblock, const krb5_data *data,
- const krb5_data *salt)
-{
- return KRB5_CRYPTO_INTERNAL;
-}
diff --git a/src/lib/crypto/openssl/des/string2key.c b/src/lib/crypto/openssl/des/string2key.c
deleted file mode 100644
index cd3e75935..000000000
--- a/src/lib/crypto/openssl/des/string2key.c
+++ /dev/null
@@ -1,52 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/openssl/des/string2key.c */
-/*
- * Copyright (C) 2009 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "crypto_int.h"
-#include <openssl/des.h>
-
-krb5_error_code
-mit_des_string_to_key_int(krb5_keyblock *key, const krb5_data *pw,
- const krb5_data *salt)
-{
- DES_cblock outkey;
- char *str;
- krb5_data s = (salt == NULL) ? empty_data() : *salt;
-
- /* AFS string-to-key isn't implemented. */
- if (s.length == SALT_TYPE_AFS_LENGTH)
- return KRB5_CRYPTO_INTERNAL;
-
- /* Concatenate password and salt.
*/
- if (asprintf(&str, "%.*s%.*s", pw->length, pw->data, s.length, s.data) < 0)
- return ENOMEM;
- DES_string_to_key(str, &outkey);
- free(str);
- if (key->length < sizeof(outkey))
- return KRB5_CRYPTO_INTERNAL;
- key->length = sizeof(outkey);
- memcpy(key->contents, outkey, key->length);
- return 0;
-}
diff --git a/src/lib/crypto/openssl/enc_provider/des.c b/src/lib/crypto/openssl/enc_provider/des.c
index 591e13b80..644e26633 100644
--- a/src/lib/crypto/openssl/enc_provider/des.c
+++ b/src/lib/crypto/openssl/enc_provider/des.c
@@ -52,6 +52,7 @@
 #include "crypto_int.h"
 #include <openssl/evp.h>
+#include <openssl/des.h>
 #define DES_BLOCK_SIZE 8
 #define DES_KEY_SIZE 8
@@ -188,12 +189,50 @@ k5_des_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
 return 0;
 }
+static krb5_error_code
+k5_des_cbc_mac(krb5_key key, const krb5_crypto_iov *data, size_t num_data,
+ const krb5_data *ivec, krb5_data *output)
+{
+ int ret;
+ struct iov_block_state iov_state;
+ DES_cblock blockY, blockB;
+ DES_key_schedule sched;
+ krb5_boolean empty;
+
+ ret = validate(key, ivec, data, num_data, &empty);
+ if (ret != 0)
+ return ret;
+
+ if (output->length != DES_BLOCK_SIZE)
+ return KRB5_BAD_MSIZE;
+
+ if (DES_set_key((DES_cblock *)key->keyblock.contents, &sched) != 0)
+ return KRB5_CRYPTO_INTERNAL;
+
+ if (ivec != NULL)
+ memcpy(blockY, ivec->data, DES_BLOCK_SIZE);
+ else
+ memset(blockY, 0, DES_BLOCK_SIZE);
+
+ IOV_BLOCK_STATE_INIT(&iov_state);
+ for (;;) {
+ if (!krb5int_c_iov_get_block(blockB, DES_BLOCK_SIZE, data, num_data,
+ &iov_state))
+ break;
+ store_64_n(load_64_n(blockB) ^ load_64_n(blockY), blockB);
+ DES_ecb_encrypt(&blockB, &blockY, &sched, 1);
+ }
+
+ memcpy(output->data, blockY, DES_BLOCK_SIZE);
+ return 0;
+}
+
 const struct krb5_enc_provider krb5int_enc_des = {
 DES_BLOCK_SIZE, DES_KEY_BYTES, DES_KEY_SIZE,
 k5_des_encrypt,
 k5_des_decrypt,
- NULL,
+ k5_des_cbc_mac,
 krb5int_des_init_state,
 krb5int_default_free_state
 }; |
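Review bot: k5_des_cbc_mac in enc_provider/des.c returns with the expanded key schedule `sched` and the chaining blocks `blockY`/`blockB` still on the stack, since no exit path after DES_set_key clears them. I would wipe them before the final `return 0;` with `zap(&sched, sizeof(sched)); zap(blockY, sizeof(blockY)); zap(blockB, sizeof(blockB));`, and clear `sched` on the DES_set_key failure path as well. Separately, `empty` is filled in by validate() but never read in this function, so an input with no data blocks falls straight through the loop and the output is the ivec (or the zero block). validate() is outside the hunk, so confirm that result is intended and record it with a comment such as `/* Empty input: the MAC is the ivec, or a zero block if ivec is NULL. */`.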
