summaryrefslogtreecommitdiffstats
path: root/src/lib
diff options
context:
space:
mode:
authorKen Raeburn <raeburn@mit.edu>2003-12-13 06:28:35 +0000
committerKen Raeburn <raeburn@mit.edu>2003-12-13 06:28:35 +0000
commita87606b8e2b12a6a5260539a5544f55fb81d53bc (patch)
tree6417250436c25f4dc42f0142d211872c57ca1ba2 /src/lib
parent7943823ea88ccb7e5a2b9e1981f1f601ba261af5 (diff)
Add platform-dependent 64-bit and inline-function support via new header
k5-platform.h. Add 64-bit serializer support. [Not needed for ticket 1471, but needed for 2040 and annoying to check in separately.] Add to (internal for now) crypto API a function to get the mandatory checksum type associated with an enctype. New support for server-generated subkey, selected via an auth_context flag. ticket: 1471 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15908 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/crypto/ChangeLog6
-rw-r--r--src/lib/crypto/Makefile.in3
-rw-r--r--src/lib/crypto/etypes.c48
-rw-r--r--src/lib/crypto/mandatory_sumtype.c41
-rw-r--r--src/lib/krb5/krb/ChangeLog12
-rw-r--r--src/lib/krb5/krb/mk_rep.c9
-rw-r--r--src/lib/krb5/krb/mk_req_ext.c57
-rw-r--r--src/lib/krb5/krb/serialize.c35
8 files changed, 166 insertions, 45 deletions
diff --git a/src/lib/crypto/ChangeLog b/src/lib/crypto/ChangeLog
index e02d9790e..241723997 100644
--- a/src/lib/crypto/ChangeLog
+++ b/src/lib/crypto/ChangeLog
@@ -1,3 +1,9 @@
+2003-12-13 Ken Raeburn <raeburn@mit.edu>
+
+ * etypes.c (krb5_enctypes_list): Fill in required_ctype field.
+ * mandatory_sumtype.c: New file.
+ * Makefile.in (SRCS, OBJS, STLIBOBJS): Build it.
+
2003-07-22 Ken Raeburn <raeburn@mit.edu>
* block_size.c (krb5_c_block_size): Read new numeric fields for
diff --git a/src/lib/crypto/Makefile.in b/src/lib/crypto/Makefile.in
index 87e6c51c3..d01c921ad 100644
--- a/src/lib/crypto/Makefile.in
+++ b/src/lib/crypto/Makefile.in
@@ -54,6 +54,7 @@ STLIBOBJS=\
keyed_checksum_types.o \
make_checksum.o \
make_random_key.o \
+ mandatory_sumtype.o \
nfold.o \
old_api_glue.o \
pbkdf2.o \
@@ -86,6 +87,7 @@ OBJS=\
$(OUTPRE)keyed_checksum_types.$(OBJEXT) \
$(OUTPRE)make_checksum.$(OBJEXT) \
$(OUTPRE)make_random_key.$(OBJEXT) \
+ $(OUTPRE)mandatory_sumtype.$(OBJEXT) \
$(OUTPRE)nfold.$(OBJEXT) \
$(OUTPRE)old_api_glue.$(OBJEXT) \
$(OUTPRE)pbkdf2.$(OBJEXT) \
@@ -118,6 +120,7 @@ SRCS=\
$(srcdir)/keyed_checksum_types.c\
$(srcdir)/make_checksum.c \
$(srcdir)/make_random_key.c \
+ $(srcdir)/mandatory_sumtype.c \
$(srcdir)/nfold.c \
$(srcdir)/old_api_glue.c \
$(srcdir)/pbkdf2.c \
diff --git a/src/lib/crypto/etypes.c b/src/lib/crypto/etypes.c
index 6c195e4b2..6dcf02643 100644
--- a/src/lib/crypto/etypes.c
+++ b/src/lib/crypto/etypes.c
@@ -45,103 +45,109 @@ const struct krb5_keytypes krb5_enctypes_list[] = {
"des-cbc-crc", "DES cbc mode with CRC-32",
&krb5int_enc_des, &krb5int_hash_crc32,
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
- krb5int_des_string_to_key },
+ krb5int_des_string_to_key, CKSUMTYPE_RSA_MD5 },
{ ENCTYPE_DES_CBC_MD4,
"des-cbc-md4", "DES cbc mode with RSA-MD4",
&krb5int_enc_des, &krb5int_hash_md4,
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
- krb5int_des_string_to_key },
+ krb5int_des_string_to_key, CKSUMTYPE_RSA_MD4 },
{ ENCTYPE_DES_CBC_MD5,
"des-cbc-md5", "DES cbc mode with RSA-MD5",
&krb5int_enc_des, &krb5int_hash_md5,
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
- krb5int_des_string_to_key },
+ krb5int_des_string_to_key, CKSUMTYPE_RSA_MD5 },
{ ENCTYPE_DES_CBC_MD5,
"des", "DES cbc mode with RSA-MD5", /* alias */
&krb5int_enc_des, &krb5int_hash_md5,
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
- krb5int_des_string_to_key },
+ krb5int_des_string_to_key, CKSUMTYPE_RSA_MD5 },
{ ENCTYPE_DES_CBC_RAW,
"des-cbc-raw", "DES cbc mode raw",
&krb5int_enc_des, NULL,
krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt,
- krb5int_des_string_to_key },
+ krb5int_des_string_to_key, 0 },
{ ENCTYPE_DES3_CBC_RAW,
"des3-cbc-raw", "Triple DES cbc mode raw",
&krb5int_enc_des3, NULL,
krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt,
- krb5int_dk_string_to_key },
+ krb5int_dk_string_to_key, 0 },
{ ENCTYPE_DES3_CBC_SHA1,
"des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
- krb5int_dk_string_to_key },
+ krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES3_CBC_SHA1, /* alias */
"des3-hmac-sha1", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
- krb5int_dk_string_to_key },
+ krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES3_CBC_SHA1, /* alias */
"des3-cbc-sha1-kd", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
- krb5int_dk_string_to_key },
+ krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES_HMAC_SHA1,
"des-hmac-sha1", "DES with HMAC/sha1",
&krb5int_enc_des, &krb5int_hash_sha1,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
- krb5int_dk_string_to_key },
+ krb5int_dk_string_to_key, 0 },
{ ENCTYPE_ARCFOUR_HMAC,
"arcfour-hmac","ArcFour with HMAC/md5", &krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+ CKSUMTYPE_HMAC_MD5_ARCFOUR },
{ ENCTYPE_ARCFOUR_HMAC, /* alias */
"rc4-hmac", "ArcFour with HMAC/md5", &krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+ CKSUMTYPE_HMAC_MD5_ARCFOUR },
{ ENCTYPE_ARCFOUR_HMAC, /* alias */
"arcfour-hmac-md5", "ArcFour with HMAC/md5", &krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+ CKSUMTYPE_HMAC_MD5_ARCFOUR },
{ ENCTYPE_ARCFOUR_HMAC_EXP,
"arcfour-hmac-exp", "Exportable ArcFour with HMAC/md5",
&krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+ CKSUMTYPE_HMAC_MD5_ARCFOUR },
{ ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */
"rc4-hmac-exp", "Exportable ArcFour with HMAC/md5",
&krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+ CKSUMTYPE_HMAC_MD5_ARCFOUR },
{ ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */
"arcfour-hmac-md5-exp", "Exportable ArcFour with HMAC/md5",
&krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+ CKSUMTYPE_HMAC_MD5_ARCFOUR },
{ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
"aes128-cts-hmac-sha1-96", "AES-128 CTS mode with 96-bit SHA-1 HMAC",
&krb5int_enc_aes128, &krb5int_hash_sha1,
krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
- krb5int_aes_string_to_key },
+ krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES128 },
{ ENCTYPE_AES128_CTS_HMAC_SHA1_96, /* alias */
"aes128-cts", "AES-128 CTS mode with 96-bit SHA-1 HMAC",
&krb5int_enc_aes128, &krb5int_hash_sha1,
krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
- krb5int_aes_string_to_key },
+ krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES128 },
{ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
"aes256-cts-hmac-sha1-96", "AES-256 CTS mode with 96-bit SHA-1 HMAC",
&krb5int_enc_aes256, &krb5int_hash_sha1,
krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
- krb5int_aes_string_to_key },
+ krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES256 },
{ ENCTYPE_AES256_CTS_HMAC_SHA1_96, /* alias */
"aes256-cts", "AES-256 CTS mode with 96-bit SHA-1 HMAC",
&krb5int_enc_aes256, &krb5int_hash_sha1,
krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
- krb5int_aes_string_to_key },
+ krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES256 },
#ifdef ATHENA_DES3_KLUDGE
/*
@@ -153,7 +159,7 @@ const struct krb5_keytypes krb5_enctypes_list[] = {
"Triple DES with HMAC/sha1 and 32-bit length code",
&krb5int_enc_des3, &krb5int_hash_sha1,
krb5_marc_dk_encrypt_length, krb5_marc_dk_encrypt, krb5_marc_dk_decrypt,
- krb5int_dk_string_to_key },
+ krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 },
#endif
};
diff --git a/src/lib/crypto/mandatory_sumtype.c b/src/lib/crypto/mandatory_sumtype.c
new file mode 100644
index 000000000..f9322ff3f
--- /dev/null
+++ b/src/lib/crypto/mandatory_sumtype.c
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2003 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include "k5-int.h"
+#include "etypes.h"
+
+krb5_error_code
+krb5int_c_mandatory_cksumtype (krb5_context ctx, krb5_enctype etype,
+ krb5_cksumtype *cksumtype)
+{
+ int i;
+
+ for (i = 0; i < krb5_enctypes_length; i++)
+ if (krb5_enctypes_list[i].etype == etype) {
+ *cksumtype = krb5_enctypes_list[i].required_ctype;
+ return 0;
+ }
+
+ return KRB5_BAD_ENCTYPE;
+}
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index 7ce92efa3..11e840b6b 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,3 +1,15 @@
+2003-12-13 Ken Raeburn <raeburn@mit.edu>
+
+ * mk_req_ext.c (krb5int_generate_and_save_subkey): New function,
+ split out from krb5_mk_req_extended.
+ (krb5_mk_req_extended): Call it.
+ * mk_rep.c (krb5_mk_rep): If KRB5_AUTH_CONTEXT_USE_SUBKEY flag is
+ set, call krb5int_generate_and_save_subkey to set up a new subkey
+ to send to the client.
+
+ * serialize.c (krb5_ser_pack_int64, krb5_ser_unpack_int64): New
+ functions.
+
2003-10-30 Tom Yu <tlyu@mit.edu>
* gen_seqnum.c (krb5_generate_seq_number): Fix mask; was short by
diff --git a/src/lib/krb5/krb/mk_rep.c b/src/lib/krb5/krb/mk_rep.c
index 31f3fe500..393f634bb 100644
--- a/src/lib/krb5/krb/mk_rep.c
+++ b/src/lib/krb5/krb/mk_rep.c
@@ -59,7 +59,14 @@ krb5_mk_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *out
repl.ctime = auth_context->authentp->ctime;
repl.cusec = auth_context->authentp->cusec;
- repl.subkey = auth_context->authentp->subkey;
+ if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_USE_SUBKEY) {
+ retval = krb5int_generate_and_save_subkey (context, auth_context,
+ auth_context->keyblock);
+ if (retval)
+ return retval;
+ repl.subkey = auth_context->send_subkey;
+ } else
+ repl.subkey = auth_context->authentp->subkey;
repl.seq_number = auth_context->local_seq_number;
/* encode it before encrypting */
diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c
index bac7ac0ee..cdb8f6950 100644
--- a/src/lib/krb5/krb/mk_req_ext.c
+++ b/src/lib/krb5/krb/mk_req_ext.c
@@ -70,6 +70,38 @@ krb5_generate_authenticator (krb5_context,
krb5_checksum *, krb5_keyblock *,
krb5_ui_4, krb5_authdata ** );
+krb5_error_code
+krb5int_generate_and_save_subkey (krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_keyblock *keyblock)
+{
+ /* Provide some more fodder for random number code.
+ This isn't strong cryptographically; the point here is not
+ to guarantee randomness, but to make it less likely that multiple
+ sessions could pick the same subkey. */
+ struct {
+ krb5_int32 sec, usec;
+ } rnd_data;
+ krb5_data d;
+ krb5_error_code retval;
+
+ krb5_crypto_us_timeofday (&rnd_data.sec, &rnd_data.usec);
+ d.length = sizeof (rnd_data);
+ d.data = (char *) &rnd_data;
+ (void) krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_TIMING, &d);
+
+ if ((retval = krb5_generate_subkey(context, keyblock, &auth_context->send_subkey)))
+ return retval;
+ retval = krb5_copy_keyblock(context, auth_context->send_subkey,
+ &auth_context->recv_subkey);
+ if (retval) {
+ krb5_free_keyblock(context, auth_context->send_subkey);
+ auth_context->send_subkey = NULL;
+ return retval;
+ }
+ return 0;
+}
+
krb5_error_code KRB5_CALLCONV
krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
krb5_flags ap_req_options, krb5_data *in_data,
@@ -131,29 +163,10 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
}
if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->send_subkey)) {
- /* Provide some more fodder for random number code.
- This isn't strong cryptographically; the point here is not
- to guarantee randomness, but to make it less likely that multiple
- sessions could pick the same subkey. */
- struct {
- krb5_int32 sec, usec;
- } rnd_data;
- krb5_data d;
- krb5_crypto_us_timeofday (&rnd_data.sec, &rnd_data.usec);
- d.length = sizeof (rnd_data);
- d.data = (char *) &rnd_data;
- (void) krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_TIMING, &d);
-
- if ((retval = krb5_generate_subkey(context, &(in_creds)->keyblock,
- &(*auth_context)->send_subkey)))
- goto cleanup;
- retval = krb5_copy_keyblock(context, (*auth_context)->send_subkey,
- &((*auth_context)->recv_subkey));
- if (retval) {
- krb5_free_keyblock(context, (*auth_context)->send_subkey);
- (*auth_context)->send_subkey = NULL;
+ retval = krb5int_generate_and_save_subkey (context, *auth_context,
+ &in_creds->keyblock);
+ if (retval)
goto cleanup;
- }
}
diff --git a/src/lib/krb5/krb/serialize.c b/src/lib/krb5/krb/serialize.c
index 7c5f17a4c..9cbcef78d 100644
--- a/src/lib/krb5/krb/serialize.c
+++ b/src/lib/krb5/krb/serialize.c
@@ -174,7 +174,7 @@ krb5_internalize_opaque(krb5_context kcontext, krb5_magic odtype, krb5_pointer *
}
/*
- * krb5_ser_pack_int32() - Pack a 4-byte integer if space is availble.
+ * krb5_ser_pack_int32() - Pack a 4-byte integer if space is available.
* Update buffer pointer and remaining space.
*/
krb5_error_code KRB5_CALLCONV
@@ -194,6 +194,23 @@ krb5_ser_pack_int32(krb5_int32 iarg, krb5_octet **bufp, size_t *remainp)
}
/*
+ * krb5_ser_pack_int64() - Pack an 8-byte integer if space is available.
+ * Update buffer pointer and remaining space.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_ser_pack_int64(krb5_int64 iarg, krb5_octet **bufp, size_t *remainp)
+{
+ if (*remainp >= sizeof(krb5_int64)) {
+ store_64_be(iarg, (unsigned char *)*bufp);
+ *bufp += sizeof(krb5_int64);
+ *remainp -= sizeof(krb5_int64);
+ return(0);
+ }
+ else
+ return(ENOMEM);
+}
+
+/*
* krb5_ser_pack_bytes() - Pack a string of bytes.
*/
krb5_error_code KRB5_CALLCONV
@@ -229,6 +246,22 @@ krb5_ser_unpack_int32(krb5_int32 *intp, krb5_octet **bufp, size_t *remainp)
}
/*
+ * krb5_ser_unpack_int64() - Unpack an 8-byte integer if it's there.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_ser_unpack_int64(krb5_int64 *intp, krb5_octet **bufp, size_t *remainp)
+{
+ if (*remainp >= sizeof(krb5_int64)) {
+ *intp = load_64_be((unsigned char *)*bufp);
+ *bufp += sizeof(krb5_int64);
+ *remainp -= sizeof(krb5_int64);
+ return(0);
+ }
+ else
+ return(ENOMEM);
+}
+
+/*
* krb5_ser_unpack_bytes() - Unpack a byte string if it's there.
*/
krb5_error_code KRB5_CALLCONV
generated by cgit (git 2.34.1) at 2026-03-28 04:40:28 +0000