authorMarc Horowitz <marc@mit.edu>1998-10-30 02:56:35 +0000
committerMarc Horowitz <marc@mit.edu>1998-10-30 02:56:35 +0000
commit1440ab035ba04550ddbbfbff1ee9b5571e3d95db (patch)
tree9d5e8d2e151a930e044c7d0f7c64053d244577a0 /src/lib/krb4
parent61ddbf948ba6ee70c1bc049268c3dfa73bc9983e (diff)
pull up 3des implementation from the marc-3des branch
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11001 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb4')
-rw-r--r--src/lib/krb4/ChangeLog31
-rw-r--r--src/lib/krb4/Makefile.in2
-rw-r--r--src/lib/krb4/cr_tkt.c92
-rw-r--r--src/lib/krb4/decomp_tkt.c85
-rw-r--r--src/lib/krb4/rd_req.c47
-rw-r--r--src/lib/krb4/tf_util.c2
6 files changed, 243 insertions, 16 deletions
diff --git a/src/lib/krb4/ChangeLog b/src/lib/krb4/ChangeLog
index 54e185d2e..0162fc450 100644
--- a/src/lib/krb4/ChangeLog
+++ b/src/lib/krb4/ChangeLog
@@ -1,3 +1,26 @@
+Wed Aug 12 18:32:44 1998 Tom Yu <tlyu@mit.edu>
+
+ * rd_req.c (krb_set_key): Nuke the krb5_keyblock if it's set.
+ (krb_set_key_krb5): New function to set a static krb5_keyblock for
+ decryption purposes.
+ (krb_clear_key_krb5): New function to clear the static
+ krb5_keyblock if it's set.
+ (krb_rd_req): Call decomp_ticket or decomp_tkt_krb5 as appropriate
+ to the key type.
+
+ * decomp_tkt.c (decomp_tkt_krb5): New wrapper to call
+ dcmp_tkt_int.
+ (decomp_ticket): Transform into wrapper to call dcmp_tkt_int.
+ (dcmp_tkt_int): New internal function; use a krb5_keyblock to
+ decrypt the ticket if present; else just use plain old C_Block.
+
+ * cr_tkt.c (krb_create_ticket): Transform into a wrapper that
+ calls krb_cr_tkt_int.
+ (krb_cr_tkt_krb5): New wrapper to call krb_cr_tkt_int.
+ (krb_cr_tkt_int): New internal function that potentially uses a
+ krb5_keyblock to encrypt the ticket, or just a C_Block if the
+ krb5_keyblock is not set.
+
Mon Aug 10 17:51:59 1998 Matthew D Hancher <mdh@mit.edu>
* rd_svc_key.c (read_service_key): Don't call krb5_kt_close() if
@@ -12,6 +35,14 @@ Fri Aug 7 11:04:03 1998 Tom Yu <tlyu@mit.edu>
* tf_util.c (tf_init): Add call to getuid() to initialize me.
+Thu Jul 30 13:13:30 1998 Sam Hartman <hartmans@utwig.mesas.com>
+
+ * tf_util.c (tf_init): s/,/= so getuid() actually gets called
+
+Sun Jul 26 17:51:24 1998 Sam Hartman <hartmans@utwig.mesas.com>
+
+ * Makefile.in (LIBMAJOR): Bump libmajor
+
Thu Jul 9 19:35:01 1998 Matthew D Hancher <mdh@mit.edu>
* tf_util.c (tf_init): Fixed a potential race condition in the opening
diff --git a/src/lib/krb4/Makefile.in b/src/lib/krb4/Makefile.in
index f75a6327b..af2dca43c 100644
--- a/src/lib/krb4/Makefile.in
+++ b/src/lib/krb4/Makefile.in
@@ -8,7 +8,7 @@ DEFINES=-I$(srcdir)/../../include/kerberosIV
##DOS##OBJFILE=krb4.lst
LIB=krb4
-LIBMAJOR=1
+LIBMAJOR=2
LIBMINOR=0
RELDIR=krb4
diff --git a/src/lib/krb4/cr_tkt.c b/src/lib/krb4/cr_tkt.c
index 39ed53859..a8224f879 100644
--- a/src/lib/krb4/cr_tkt.c
+++ b/src/lib/krb4/cr_tkt.c
@@ -13,7 +13,7 @@
#include "krb.h"
#include "prot.h"
#include <string.h>
-
+#include <krb5.h>
/*
* Create ticket takes as arguments information that should be in a
* ticket, and the KTEXT object in which the ticket should be
@@ -69,9 +69,53 @@
* <=7 bytes null null pad to 8 byte multiple
*
*/
+int
+krb_create_ticket(tkt, flags, pname, pinstance, prealm, paddress,
+ session, life, time_sec, sname, sinstance, key, k5key)
+ KTEXT tkt; /* Gets filled in by the ticket */
+ unsigned char flags; /* Various Kerberos flags */
+ char *pname; /* Principal's name */
+ char *pinstance; /* Principal's instance */
+ char *prealm; /* Principal's authentication domain */
+ long paddress; /* Net address of requesting entity */
+ char *session; /* Session key inserted in ticket */
+ short life; /* Lifetime of the ticket */
+ long time_sec; /* Issue time and date */
+ char *sname; /* Service Name */
+ char *sinstance; /* Instance Name */
+ C_Block key; /* Service's secret key */
+{
+ return krb_cr_tkt_int(tkt, flags, pname, pinstance, prealm, paddress,
+ session, life, time_sec, sname, sinstance,
+ key, NULL);
+}
-int krb_create_ticket(tkt, flags, pname, pinstance, prealm, paddress,
- session, life, time_sec, sname, sinstance, key)
+int
+krb_cr_tkt_krb5(tkt, flags, pname, pinstance, prealm, paddress,
+ session, life, time_sec, sname, sinstance, k5key)
+ KTEXT tkt; /* Gets filled in by the ticket */
+ unsigned char flags; /* Various Kerberos flags */
+ char *pname; /* Principal's name */
+ char *pinstance; /* Principal's instance */
+ char *prealm; /* Principal's authentication domain */
+ long paddress; /* Net address of requesting entity */
+ char *session; /* Session key inserted in ticket */
+ short life; /* Lifetime of the ticket */
+ long time_sec; /* Issue time and date */
+ char *sname; /* Service Name */
+ char *sinstance; /* Instance Name */
+ krb5_keyblock *k5key; /* NULL if not present */
+{
+ C_Block key;
+
+ return krb_cr_tkt_int(tkt, flags, pname, pinstance, prealm, paddress,
+ session, life, time_sec, sname, sinstance,
+ key, k5key);
+}
+
+static int
+krb_cr_tkt_int(tkt, flags, pname, pinstance, prealm, paddress,
+ session, life, time_sec, sname, sinstance, key, k5key)
KTEXT tkt; /* Gets filled in by the ticket */
unsigned char flags; /* Various Kerberos flags */
char *pname; /* Principal's name */
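Review bot: The identifier list of `krb_create_ticket` (second line of the new definition) names `k5key`, but no declaration for it follows `C_Block key;`, so under K&R rules it becomes an undeclared implicit-`int` thirteenth parameter that the existing twelve-argument callers never supply; drop it so the line reads `session, life, time_sec, sname, sinstance, key)`. Both wrappers also call `krb_cr_tkt_int` before its `static` definition; unless a prototype exists earlier in the file, outside this hunk, the implicit extern declaration conflicts with the later `static int`, so add `static int krb_cr_tkt_int();` ahead of `krb_create_ticket`. The same ordering problem applies to `dcmp_tkt_int` in decomp_tkt.c, which is likewise used by its two wrappers before its `static` definition. `krb_cr_tkt_int`'s body continues in the following hunks.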
@@ -84,6 +128,7 @@ int krb_create_ticket(tkt, flags, pname, pinstance, prealm, paddress,
char *sname; /* Service Name */
char *sinstance; /* Instance Name */
C_Block key; /* Service's secret key */
+ krb5_keyblock *k5key; /* NULL if not present */
{
Key_schedule key_s;
register char *data; /* running index into ticket */
@@ -124,10 +169,43 @@ int krb_create_ticket(tkt, flags, pname, pinstance, prealm, paddress,
}
#ifndef NOENCRYPTION
- /* Encrypt the ticket in the services key */
- key_sched(key,key_s);
- pcbc_encrypt((C_Block *)tkt->dat,(C_Block *)tkt->dat,
- (long) tkt->length,key_s,(C_Block *)key,1);
+ /* Encrypt the ticket in the services key */
+ if (k5key != NULL) {
+ /* block locals */
+ krb5_data in;
+ krb5_enc_data out;
+ krb5_error_code ret;
+ size_t enclen;
+
+ in.length = tkt->length;
+ in.data = tkt->dat;
+ /* XXX assumes context arg is ignored */
+ ret = krb5_c_encrypt_length(NULL, k5key->enctype,
+ (size_t)in.length, &enclen);
+ if (ret)
+ return KFAILURE;
+ out.ciphertext.length = enclen;
+ out.ciphertext.data = malloc(enclen);
+ if (out.ciphertext.data == NULL)
+ return KFAILURE; /* XXX maybe ENOMEM? */
+
+ /* XXX assumes context arg is ignored */
+ ret = krb5_c_encrypt(NULL, k5key, KRB5_KEYUSAGE_KDC_REP_TICKET,
+ NULL, &in, &out);
+ if (ret) {
+ free(out.ciphertext.data);
+ return KFAILURE;
+ } else {
+ tkt->length = out.ciphertext.length;
+ memcpy(tkt->dat, out.ciphertext.data, out.ciphertext.length);
+ memset(out.ciphertext.data, 0, out.ciphertext.length);
+ free(out.ciphertext.data);
+ }
+ } else {
+ key_sched(key,key_s);
+ pcbc_encrypt((C_Block *)tkt->dat,(C_Block *)tkt->dat,
+ (long) tkt->length,key_s,(C_Block *)key,1);
+ }
#endif /* !NOENCRYPTION */
return 0;
}
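Review bot: The `memcpy(tkt->dat, out.ciphertext.data, out.ciphertext.length)` in the krb5 branch copies `enclen` bytes into the fixed-size `tkt->dat` with no check against its capacity, and `krb5_c_encrypt_length` returns a length larger than `in.length` (the enctype adds its own confounder, checksum and padding), so a ticket built near the buffer limit would overrun it. Reject it right after the length query: `if (enclen > sizeof(tkt->dat)) return KFAILURE;` before the `malloc`. The branch also uses `malloc`/`free`, and the include hunk above adds only `<krb5.h>`; if that header does not pull in `<stdlib.h>`, include it explicitly. The enclosing function starts in the earlier hunks.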
diff --git a/src/lib/krb4/decomp_tkt.c b/src/lib/krb4/decomp_tkt.c
index 3c5952368..d4dfd4edc 100644
--- a/src/lib/krb4/decomp_tkt.c
+++ b/src/lib/krb4/decomp_tkt.c
@@ -13,6 +13,7 @@
#include "krb.h"
#include "prot.h"
#include <string.h>
+#include <krb5.h>
#ifdef KRB_CRYPT_DEBUG
extern int krb_debug;
@@ -65,6 +66,57 @@ decomp_ticket(tkt, flags, pname, pinstance, prealm, paddress, session,
* (to decrypt the ticket) */
Key_schedule key_s; /* The precomputed key schedule */
{
+ return
+ dcmp_tkt_int(tkt, flags, pname, pinstance, prealm,
+ paddress, session, life, time_sec, sname, sinstance,
+ key, key_s, NULL);
+}
+
+int
+decomp_tkt_krb5(tkt, flags, pname, pinstance, prealm, paddress, session,
+ life, time_sec, sname, sinstance, k5key)
+ KTEXT tkt; /* The ticket to be decoded */
+ unsigned char *flags; /* Kerberos ticket flags */
+ char *pname; /* Authentication name */
+ char *pinstance; /* Principal's instance */
+ char *prealm; /* Principal's authentication domain */
+ unsigned KRB4_32 *paddress; /* Net address of entity
+ * requesting ticket */
+ C_Block session; /* Session key inserted in ticket */
+ int *life; /* Lifetime of the ticket */
+ unsigned KRB4_32 *time_sec; /* Issue time and date */
+ char *sname; /* Service name */
+ char *sinstance; /* Service instance */
+ krb5_keyblock *k5key; /* krb5 keyblock of service */
+{
+ C_Block key; /* placeholder; doesn't get used */
+ Key_schedule key_s; /* placeholder; doesn't get used */
+
+ return
+ dcmp_tkt_int(tkt, flags, pname, pinstance, prealm, paddress, session,
+ life, time_sec, sname, sinstance, key, key_s, k5key);
+}
+
+static int
+dcmp_tkt_int(tkt, flags, pname, pinstance, prealm, paddress, session,
+ life, time_sec, sname, sinstance, key, key_s, k5key)
+ KTEXT tkt; /* The ticket to be decoded */
+ unsigned char *flags; /* Kerberos ticket flags */
+ char *pname; /* Authentication name */
+ char *pinstance; /* Principal's instance */
+ char *prealm; /* Principal's authentication domain */
+ unsigned KRB4_32 *paddress; /* Net address of entity
+ * requesting ticket */
+ C_Block session; /* Session key inserted in ticket */
+ int *life; /* Lifetime of the ticket */
+ unsigned KRB4_32 *time_sec; /* Issue time and date */
+ char *sname; /* Service name */
+ char *sinstance; /* Service instance */
+ C_Block key; /* Service's secret key
+ * (to decrypt the ticket) */
+ Key_schedule key_s; /* The precomputed key schedule */
+ krb5_keyblock *k5key; /* krb5 keyblock of service */
+{
static int tkt_swap_bytes;
unsigned char *uptr;
char *ptr = (char *)tkt->dat;
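Review bot: `decomp_tkt_krb5` passes the uninitialized placeholders `key` and `key_s` into `dcmp_tkt_int`, and the `KRB_CRYPT_DEBUG` block at the start of the next hunk (the one that clears `keybuf`) appears to format the service key; if it reads `key`, the krb5 path prints indeterminate stack bytes. Zero them in the wrapper, `memset(key, 0, sizeof(key)); memset(key_s, 0, sizeof(key_s));`, or gate that debug block on `k5key == NULL`. `decomp_ticket`'s definition starts before this hunk, and `dcmp_tkt_int`'s body continues after it.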
@@ -83,8 +135,37 @@ decomp_ticket(tkt, flags, pname, pinstance, prealm, paddress, session,
memset(keybuf, 0, sizeof(keybuf)); /* Clear the buffer */
}
#endif
- pcbc_encrypt((C_Block *)tkt->dat,(C_Block *)tkt->dat,
- (long) tkt->length,key_s,(C_Block *) key,0);
+ if (k5key != NULL) {
+ /* block locals */
+ krb5_enc_data in;
+ krb5_data out;
+ krb5_error_code ret;
+
+ in.enctype = k5key->enctype;
+ in.kvno = 0;
+ in.ciphertext.length = tkt->length;
+ in.ciphertext.data = tkt->dat;
+ out.length = tkt->length;
+ out.data = malloc(tkt->length);
+ if (out.data == NULL)
+ return KFAILURE; /* XXX maybe ENOMEM? */
+
+ /* XXX note the following assumes that context arg isn't used */
+ ret =
+ krb5_c_decrypt(NULL, k5key,
+ KRB5_KEYUSAGE_KDC_REP_TICKET, NULL, &in, &out);
+ if (ret) {
+ free(out.data);
+ return KFAILURE;
+ } else {
+ memcpy(tkt->dat, out.data, out.length);
+ memset(out.data, 0, out.length);
+ free(out.data);
+ }
+ } else {
+ pcbc_encrypt((C_Block *)tkt->dat,(C_Block *)tkt->dat,
+ (long) tkt->length,key_s,(C_Block *) key,0);
+ }
#endif /* ! NOENCRYPTION */
#ifdef KRB_CRYPT_DEBUG
if (krb_debug) {
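Review bot: After `krb5_c_decrypt` succeeds the plaintext is copied back into `tkt->dat` but `tkt->length` is left at the ciphertext length, whereas the encrypt side in cr_tkt.c does update `tkt->length` to the ciphertext length. `krb5_c_decrypt` sets `out.length` to the plaintext length, which is shorter than the input (confounder and checksum stripped), so the tail of `tkt->dat` beyond the plaintext still holds ciphertext bytes and any later bounds check against `tkt->length` sees the wrong size; add `tkt->length = out.length;` after the `memcpy`. Whether the field parser below relies on `tkt->length` is not visible in this hunk, so confirm against the rest of `dcmp_tkt_int`, whose body continues past it.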
diff --git a/src/lib/krb4/rd_req.c b/src/lib/krb4/rd_req.c
index 79564e4f3..a78aadc88 100644
--- a/src/lib/krb4/rd_req.c
+++ b/src/lib/krb4/rd_req.c
@@ -32,6 +32,7 @@ static int st_kvno; /* version number for this key */
static char st_rlm[REALM_SZ]; /* server's realm */
static char st_nam[ANAME_SZ]; /* service name */
static char st_inst[INST_SZ]; /* server's instance */
+static int krb5_key; /* whether krb5 key is used for decrypt */
/*
* This file contains two functions. krb_set_key() takes a DES
@@ -62,11 +63,18 @@ static char st_inst[INST_SZ]; /* server's instance */
* krb_rd_req().
*/
+#include <krb5.h>
+static krb5_keyblock srv_k5key;
+
int
krb_set_key(key,cvt)
char *key;
int cvt;
{
+ if (krb5_key)
+ /* XXX assumes that context arg is ignored */
+ krb5_free_keyblock_contents(NULL, &srv_k5key);
+ krb5_key = 0;
#ifdef NOENCRYPTION
memset(ky, 0, sizeof(ky));
return KSUCCESS;
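Review bot: `#include <krb5.h>` is placed mid-file, between the explanatory comment block and `krb_set_key`, rather than with the file's other includes at the top, and `static krb5_keyblock srv_k5key;` sits apart from the `st_*` statics (and the `krb5_key` flag added in the previous hunk) that hold the rest of the server-key state. Move the include to the top of the file and declare `srv_k5key` next to `krb5_key` so the key state is in one place. The `krb5_free_keyblock_contents(NULL, &srv_k5key)` call with a null context is already flagged by the `XXX` comment; it is worth mentioning in the `krb_set_key` header comment that this function also discards any key installed by `krb_set_key_krb5`, since that is a new side effect of the old entry point.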
@@ -79,6 +87,25 @@ krb_set_key(key,cvt)
#endif /* NOENCRYPTION */
}
+int
+krb_set_key_krb5(ctx, key)
+ krb5_context ctx;
+ krb5_keyblock *key;
+{
+ if (krb5_key)
+ krb5_free_keyblock_contents(ctx, &srv_k5key);
+ krb5_key = 1;
+ return krb5_copy_keyblock_contents(ctx, key, &srv_k5key);
+}
+
+void
+krb_clear_key_krb5(ctx)
+ krb5_context ctx;
+{
+ if (krb5_key)
+ krb5_free_keyblock_contents(ctx, &srv_k5key);
+ krb5_key = 0;
+}
/*
* krb_rd_req() takes an AUTH_MSG_APPL_REQUEST or
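Review bot: `krb_set_key_krb5` sets `krb5_key = 1` before `krb5_copy_keyblock_contents` runs, so if the copy fails the flag still says a krb5 key is installed while `srv_k5key`'s contents are not valid; `krb_rd_req` would then decrypt with it and the next `krb_set_key`/`krb_clear_key_krb5` would free whatever it holds. Tie the flag to the result: `krb5_error_code ret = krb5_copy_keyblock_contents(ctx, key, &srv_k5key);` then `krb5_key = (ret == 0);` and `return ret;`. The two new functions also have no header comment; the file's comment block above describes `krb_set_key` and `krb_rd_req`, and a sentence there stating that `krb_set_key_krb5` installs a copy of `key` that overrides the DES key until `krb_clear_key_krb5` or `krb_set_key` is called would keep that description accurate.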
@@ -234,15 +261,25 @@ krb_rd_req(authent,service,instance,from_addr,ad,fn)
/* Decrypt and take apart ticket */
#endif
- if (decomp_ticket(tkt,&ad->k_flags,ad->pname,ad->pinst,ad->prealm,
- &(ad->address),ad->session, &(ad->life),
- &(ad->time_sec),sname,iname,ky,serv_key)) {
+ if (!krb5_key) {
+ if (decomp_ticket(tkt,&ad->k_flags,ad->pname,ad->pinst,ad->prealm,
+ &(ad->address),ad->session, &(ad->life),
+ &(ad->time_sec),sname,iname,ky,serv_key)) {
#ifdef KRB_CRYPT_DEBUG
- log("Can't decode ticket");
+ log("Can't decode ticket");
#endif
- return(RD_AP_UNDEC);
+ return(RD_AP_UNDEC);
+ }
+ } else {
+ if (decomp_tkt_krb5(tkt, &ad->k_flags, ad->pname, ad->pinst,
+ ad->prealm, &ad->address, ad->session,
+ &ad->life, &ad->time_sec, sname, iname,
+ srv_k5key)) {
+ return RD_AP_UNDEC;
+ }
}
+
#ifdef KRB_CRYPT_DEBUG
if (krb_ap_req_debug) {
log("Ticket Contents.");
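Review bot: The new `decomp_tkt_krb5` call passes `srv_k5key` by value, but `decomp_tkt_krb5` in decomp_tkt.c declares its last parameter as `krb5_keyblock *k5key`; the argument should be `&srv_k5key`. Because the callee is defined K&R-style, a compiler only catches this if a prototype is in scope, which makes the mismatch easy to miss, so consider adding a prototype for `decomp_tkt_krb5` to the header. The krb5 branch also drops the `KRB_CRYPT_DEBUG` "Can't decode ticket" log the DES branch keeps; both branches should report the failure the same way. `krb_rd_req`'s body starts and ends outside this hunk.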
diff --git a/src/lib/krb4/tf_util.c b/src/lib/krb4/tf_util.c
index b3eb0b43a..1c7aadd9f 100644
--- a/src/lib/krb4/tf_util.c
+++ b/src/lib/krb4/tf_util.c
@@ -182,7 +182,7 @@ int tf_init(tf_name, rw)
int rw;
{
int wflag;
- uid_t me, getuid();
+ uid_t me= getuid();
struct stat stat_buf, stat_buffd;
#ifdef TKT_SHMEM
char shmidname[MAXPATHLEN];
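Review bot: The removed line was also the only local declaration of `getuid()` as returning `uid_t`; with it gone, `uid_t me= getuid();` relies on a prototype from `<unistd.h>`, which is not visible in this hunk, and without one the call is implicitly declared as returning `int`, which can truncate on platforms where `uid_t` is wider. Confirm `<unistd.h>` is included in tf_util.c, and fix the spacing to `uid_t me = getuid();` to match the file's style. `tf_init`'s body continues past the hunk.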