summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorKen Raeburn <raeburn@mit.edu>2003-12-13 06:28:35 +0000
committerKen Raeburn <raeburn@mit.edu>2003-12-13 06:28:35 +0000
commita87606b8e2b12a6a5260539a5544f55fb81d53bc (patch)
tree6417250436c25f4dc42f0142d211872c57ca1ba2 /src
parent7943823ea88ccb7e5a2b9e1981f1f601ba261af5 (diff)
Add platform-dependent 64-bit and inline-function support via new header
k5-platform.h. Add 64-bit serializer support. [Not needed for ticket 1471, but needed for 2040 and annoying to check in separately.] Add to (internal for now) crypto API a function to get the mandatory checksum type associated with an enctype. New support for server-generated subkey, selected via an auth_context flag. ticket: 1471 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15908 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r--src/include/ChangeLog18
-rw-r--r--src/include/fake-addrinfo.h16
-rw-r--r--src/include/k5-int.h27
-rw-r--r--src/include/k5-platform.h136
-rw-r--r--src/include/krb5.hin3
-rw-r--r--src/lib/crypto/ChangeLog6
-rw-r--r--src/lib/crypto/Makefile.in3
-rw-r--r--src/lib/crypto/etypes.c48
-rw-r--r--src/lib/crypto/mandatory_sumtype.c41
-rw-r--r--src/lib/krb5/krb/ChangeLog12
-rw-r--r--src/lib/krb5/krb/mk_rep.c9
-rw-r--r--src/lib/krb5/krb/mk_req_ext.c57
-rw-r--r--src/lib/krb5/krb/serialize.c35
13 files changed, 350 insertions, 61 deletions
diff --git a/src/include/ChangeLog b/src/include/ChangeLog
index 84602683f..d6cffd004 100644
--- a/src/include/ChangeLog
+++ b/src/include/ChangeLog
@@ -1,3 +1,21 @@
+2003-12-13 Ken Raeburn <raeburn@mit.edu>
+
+ * krb5.hin (KRB5_AUTH_CONTEXT_USE_SUBKEY): New macro.
+
+ * k5-int.h (struct krb5_keytypes): Added field required_ctype.
+ (krb5int_c_mandatory_cksumtype): New declaration.
+ (krb5int_generate_and_set_subkey): Declare.
+ (memset) [__GNUC__ && __GLIBC__]: Undef, to reduce compilation
+ warnings in zap() macro with volatile pointer.
+
+ * k5-platform.h: New header file. Manages inline-function and
+ 64-bit support, in platform-specific ways.
+ * fake-addrinfo.h: Include k5-platform.h.
+ (inline): Don't define here.
+ * k5-int.h: Include k5-platform.h.
+ (krb5_ui_8, krb5_int64): New typedefs.
+ (krb5_ser_pack_int64, krb5_ser_unpack_int64): New function decls.
+
2003-10-08 Tom Yu <tlyu@mit.edu>
* k5-int.h: Add prototypes for decode_krb5_safe_with_body and
diff --git a/src/include/fake-addrinfo.h b/src/include/fake-addrinfo.h
index e620357da..9d122e392 100644
--- a/src/include/fake-addrinfo.h
+++ b/src/include/fake-addrinfo.h
@@ -101,21 +101,7 @@
#define FAI_DEFINED
#include "port-sockets.h"
#include "socket-utils.h"
-
-#if !defined(inline)
-# if __STDC_VERSION__ >= 199901L
-/* C99 supports inline, don't do anything. */
-# elif defined(__GNUC__)
-# define inline __inline__ /* this form silences -pedantic warnings */
-# elif defined(__mips) && defined(__sgi)
-# define inline __inline /* IRIX used at MIT does inline but not c99 yet */
-# elif defined(__sun) && __SUNPRO_C >= 0x540
-/* The Forte Developer 7 C compiler supports "inline". */
-# else
-# define inline /* nothing, just static */
-# endif
-# define ADDRINFO_UNDEF_INLINE
-#endif
+#include "k5-platform.h"
#ifdef S_SPLINT_S
/*@-incondefs@*/
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index ebcd2135f..82bc29117 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -136,6 +136,13 @@ typedef unsigned char u_char;
#endif /* HAVE_SYS_TYPES_H */
#endif /* KRB5_SYSTYPES__ */
+
+#include "k5-platform.h"
+/* not used in krb5.h (yet) */
+typedef UINT64_TYPE krb5_ui_8;
+typedef INT64_TYPE krb5_int64;
+
+
#define DEFAULT_PWD_STRING1 "Enter password"
#define DEFAULT_PWD_STRING2 "Re-enter password for verification"
@@ -631,6 +638,7 @@ struct krb5_keytypes {
krb5_crypt_func encrypt;
krb5_crypt_func decrypt;
krb5_str2key_func str2key;
+ krb5_cksumtype required_ctype;
};
struct krb5_cksumtypes {
@@ -680,6 +688,12 @@ krb5_error_code krb5int_pbkdf2_hmac_sha1 (const krb5_data *, unsigned long,
/* Make this a function eventually? */
#define krb5int_zap_data(ptr, len) memset((volatile void *)ptr, 0, len)
+#if defined(__GNUC__) && defined(__GLIBC__)
+/* GNU libc generates multiple bogus initialization warnings if we
+ pass memset a volatile pointer. The compiler should do well enough
+ with memset even without GNU libc's attempt at optimization. */
+#undef memset
+#endif
#define zap(p,l) krb5int_zap_data(p,l)
/* A definition of init_state for DES based encryption systems.
@@ -1585,6 +1599,11 @@ krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int32
(krb5_int32 *,
krb5_octet **,
size_t *);
+/* [De]serialize 8-byte integer */
+krb5_error_code KRB5_CALLCONV krb5_ser_pack_int64
+ (krb5_int64, krb5_octet **, size_t *);
+krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int64
+ (krb5_int64 *, krb5_octet **, size_t *);
/* [De]serialize byte string */
krb5_error_code KRB5_CALLCONV krb5_ser_pack_bytes
(krb5_octet *,
@@ -1607,6 +1626,10 @@ krb5_error_code KRB5_CALLCONV krb5_cc_retrieve_cred_default
void krb5int_set_prompt_types
(krb5_context, krb5_prompt_type *);
+krb5_error_code
+krb5int_generate_and_save_subkey (krb5_context, krb5_auth_context,
+ krb5_keyblock * /* Old keyblock, not new! */);
+
/* set and change password helpers */
krb5_error_code krb5int_mk_chpw_req
@@ -1910,4 +1933,8 @@ extern const krb5_kt_ops krb5_kt_dfl_ops;
extern krb5_error_code krb5int_translate_gai_error (int);
+/* Not sure it's ready for exposure just yet. */
+extern krb5_error_code
+krb5int_c_mandatory_cksumtype (krb5_context, krb5_enctype, krb5_cksumtype *);
+
#endif /* _KRB5_INT_H */
diff --git a/src/include/k5-platform.h b/src/include/k5-platform.h
new file mode 100644
index 000000000..e6d2ad0e4
--- /dev/null
+++ b/src/include/k5-platform.h
@@ -0,0 +1,136 @@
+/* Copyright 2003 Massachusetts Institute of Technology. All rights reserved. */
+/* Platform-dependent junk. */
+
+#ifndef K5_PLATFORM_H
+#define K5_PLATFORM_H
+
+#if !defined(inline)
+# if __STDC_VERSION__ >= 199901L
+/* C99 supports inline, don't do anything. */
+# elif defined(__GNUC__)
+# define inline __inline__ /* this form silences -pedantic warnings */
+# elif defined(__mips) && defined(__sgi)
+# define inline __inline /* IRIX used at MIT does inline but not c99 yet */
+# elif defined(__sun) && __SUNPRO_C >= 0x540
+/* The Forte Developer 7 C compiler supports "inline". */
+# elif defined(_WIN32)
+# define inline __inline
+# else
+# define inline /* nothing, just static */
+# endif
+#endif
+
+#include "autoconf.h"
+
+/* 64-bit support: krb5_ui_8 and krb5_int64.
+
+ This should move to krb5.h eventually, but without the namespace
+ pollution from the autoconf macros. */
+#if defined(HAVE_STDINT_H) || defined(HAVE_INTTYPES_H)
+# ifdef HAVE_STDINT_H
+# include <stdint.h>
+# endif
+# ifdef HAVE_INTTYPES_H
+# include <inttypes.h>
+# endif
+# define INT64_TYPE int64_t
+# define UINT64_TYPE uint64_t
+#elif defined(_WIN32)
+# define INT64_TYPE signed __int64
+# define UINT64_TYPE unsigned __int64
+#else /* not Windows, and neither stdint.h nor inttypes.h */
+# define INT64_TYPE signed long long
+# define UINT64_TYPE unsigned long long
+#endif
+
+/* Read and write integer values as (unaligned) octet strings in
+ specific byte orders.
+
+ Add per-platform optimizations later if needed. (E.g., maybe x86
+ unaligned word stores and gcc/asm instructions for byte swaps,
+ etc.) */
+
+static inline void
+store_16_be (unsigned int val, unsigned char *p)
+{
+ p[0] = (val >> 8) & 0xff;
+ p[1] = (val ) & 0xff;
+}
+static inline void
+store_16_le (unsigned int val, unsigned char *p)
+{
+ p[1] = (val >> 8) & 0xff;
+ p[0] = (val ) & 0xff;
+}
+static inline void
+store_32_be (unsigned int val, unsigned char *p)
+{
+ p[0] = (val >> 24) & 0xff;
+ p[1] = (val >> 16) & 0xff;
+ p[2] = (val >> 8) & 0xff;
+ p[3] = (val ) & 0xff;
+}
+static inline void
+store_32_le (unsigned int val, unsigned char *p)
+{
+ p[3] = (val >> 24) & 0xff;
+ p[2] = (val >> 16) & 0xff;
+ p[1] = (val >> 8) & 0xff;
+ p[0] = (val ) & 0xff;
+}
+static inline void
+store_64_be (UINT64_TYPE val, unsigned char *p)
+{
+ p[0] = (val >> 56) & 0xff;
+ p[1] = (val >> 48) & 0xff;
+ p[2] = (val >> 40) & 0xff;
+ p[3] = (val >> 32) & 0xff;
+ p[4] = (val >> 24) & 0xff;
+ p[5] = (val >> 16) & 0xff;
+ p[6] = (val >> 8) & 0xff;
+ p[7] = (val ) & 0xff;
+}
+static inline void
+store_64_le (UINT64_TYPE val, unsigned char *p)
+{
+ p[7] = (val >> 56) & 0xff;
+ p[6] = (val >> 48) & 0xff;
+ p[5] = (val >> 40) & 0xff;
+ p[4] = (val >> 32) & 0xff;
+ p[3] = (val >> 24) & 0xff;
+ p[2] = (val >> 16) & 0xff;
+ p[1] = (val >> 8) & 0xff;
+ p[0] = (val ) & 0xff;
+}
+static inline unsigned short
+load_16_be (unsigned char *p)
+{
+ return (p[1] | (p[0] << 8));
+}
+static inline unsigned short
+load_16_le (unsigned char *p)
+{
+ return (p[0] | (p[1] << 8));
+}
+static inline unsigned int
+load_32_be (unsigned char *p)
+{
+ return (p[3] | (p[2] << 8) | (p[1] << 16) | (p[0] << 24));
+}
+static inline unsigned int
+load_32_le (unsigned char *p)
+{
+ return (p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24));
+}
+static inline UINT64_TYPE
+load_64_be (unsigned char *p)
+{
+ return ((UINT64_TYPE)load_32_be(p) << 32) | load_32_be(p+4);
+}
+static inline UINT64_TYPE
+load_64_le (unsigned char *p)
+{
+ return ((UINT64_TYPE)load_32_le(p+4) << 32) | load_32_le(p);
+}
+
+#endif /* K5_PLATFORM_H */
diff --git a/src/include/krb5.hin b/src/include/krb5.hin
index eae960191..a397cb74a 100644
--- a/src/include/krb5.hin
+++ b/src/include/krb5.hin
@@ -1155,6 +1155,7 @@ typedef struct _krb5_pwd_data {
#define KRB5_AUTH_CONTEXT_DO_SEQUENCE 0x00000004
#define KRB5_AUTH_CONTEXT_RET_SEQUENCE 0x00000008
#define KRB5_AUTH_CONTEXT_PERMIT_ALL 0x00000010
+#define KRB5_AUTH_CONTEXT_USE_SUBKEY 0x00000020
typedef struct krb5_replay_data {
krb5_timestamp timestamp;
@@ -1169,7 +1170,7 @@ typedef struct krb5_replay_data {
#define KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR 0x00000008
/* type of function used as a callback to generate checksum data for
- * mk_req*/
+ * mk_req */
typedef krb5_error_code
(KRB5_CALLCONV * krb5_mk_req_checksum_func) (krb5_context, krb5_auth_context , void *,
diff --git a/src/lib/crypto/ChangeLog b/src/lib/crypto/ChangeLog
index e02d9790e..241723997 100644
--- a/src/lib/crypto/ChangeLog
+++ b/src/lib/crypto/ChangeLog
@@ -1,3 +1,9 @@
+2003-12-13 Ken Raeburn <raeburn@mit.edu>
+
+ * etypes.c (krb5_enctypes_list): Fill in required_ctype field.
+ * mandatory_sumtype.c: New file.
+ * Makefile.in (SRCS, OBJS, STLIBOBJS): Build it.
+
2003-07-22 Ken Raeburn <raeburn@mit.edu>
* block_size.c (krb5_c_block_size): Read new numeric fields for
diff --git a/src/lib/crypto/Makefile.in b/src/lib/crypto/Makefile.in
index 87e6c51c3..d01c921ad 100644
--- a/src/lib/crypto/Makefile.in
+++ b/src/lib/crypto/Makefile.in
@@ -54,6 +54,7 @@ STLIBOBJS=\
keyed_checksum_types.o \
make_checksum.o \
make_random_key.o \
+ mandatory_sumtype.o \
nfold.o \
old_api_glue.o \
pbkdf2.o \
@@ -86,6 +87,7 @@ OBJS=\
$(OUTPRE)keyed_checksum_types.$(OBJEXT) \
$(OUTPRE)make_checksum.$(OBJEXT) \
$(OUTPRE)make_random_key.$(OBJEXT) \
+ $(OUTPRE)mandatory_sumtype.$(OBJEXT) \
$(OUTPRE)nfold.$(OBJEXT) \
$(OUTPRE)old_api_glue.$(OBJEXT) \
$(OUTPRE)pbkdf2.$(OBJEXT) \
@@ -118,6 +120,7 @@ SRCS=\
$(srcdir)/keyed_checksum_types.c\
$(srcdir)/make_checksum.c \
$(srcdir)/make_random_key.c \
+ $(srcdir)/mandatory_sumtype.c \
$(srcdir)/nfold.c \
$(srcdir)/old_api_glue.c \
$(srcdir)/pbkdf2.c \
diff --git a/src/lib/crypto/etypes.c b/src/lib/crypto/etypes.c
index 6c195e4b2..6dcf02643 100644
--- a/src/lib/crypto/etypes.c
+++ b/src/lib/crypto/etypes.c
@@ -45,103 +45,109 @@ const struct krb5_keytypes krb5_enctypes_list[] = {
"des-cbc-crc", "DES cbc mode with CRC-32",
&krb5int_enc_des, &krb5int_hash_crc32,
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
- krb5int_des_string_to_key },
+ krb5int_des_string_to_key, CKSUMTYPE_RSA_MD5 },
{ ENCTYPE_DES_CBC_MD4,
"des-cbc-md4", "DES cbc mode with RSA-MD4",
&krb5int_enc_des, &krb5int_hash_md4,
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
- krb5int_des_string_to_key },
+ krb5int_des_string_to_key, CKSUMTYPE_RSA_MD4 },
{ ENCTYPE_DES_CBC_MD5,
"des-cbc-md5", "DES cbc mode with RSA-MD5",
&krb5int_enc_des, &krb5int_hash_md5,
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
- krb5int_des_string_to_key },
+ krb5int_des_string_to_key, CKSUMTYPE_RSA_MD5 },
{ ENCTYPE_DES_CBC_MD5,
"des", "DES cbc mode with RSA-MD5", /* alias */
&krb5int_enc_des, &krb5int_hash_md5,
krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt,
- krb5int_des_string_to_key },
+ krb5int_des_string_to_key, CKSUMTYPE_RSA_MD5 },
{ ENCTYPE_DES_CBC_RAW,
"des-cbc-raw", "DES cbc mode raw",
&krb5int_enc_des, NULL,
krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt,
- krb5int_des_string_to_key },
+ krb5int_des_string_to_key, 0 },
{ ENCTYPE_DES3_CBC_RAW,
"des3-cbc-raw", "Triple DES cbc mode raw",
&krb5int_enc_des3, NULL,
krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt,
- krb5int_dk_string_to_key },
+ krb5int_dk_string_to_key, 0 },
{ ENCTYPE_DES3_CBC_SHA1,
"des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
- krb5int_dk_string_to_key },
+ krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES3_CBC_SHA1, /* alias */
"des3-hmac-sha1", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
- krb5int_dk_string_to_key },
+ krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES3_CBC_SHA1, /* alias */
"des3-cbc-sha1-kd", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
- krb5int_dk_string_to_key },
+ krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES_HMAC_SHA1,
"des-hmac-sha1", "DES with HMAC/sha1",
&krb5int_enc_des, &krb5int_hash_sha1,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
- krb5int_dk_string_to_key },
+ krb5int_dk_string_to_key, 0 },
{ ENCTYPE_ARCFOUR_HMAC,
"arcfour-hmac","ArcFour with HMAC/md5", &krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+ CKSUMTYPE_HMAC_MD5_ARCFOUR },
{ ENCTYPE_ARCFOUR_HMAC, /* alias */
"rc4-hmac", "ArcFour with HMAC/md5", &krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+ CKSUMTYPE_HMAC_MD5_ARCFOUR },
{ ENCTYPE_ARCFOUR_HMAC, /* alias */
"arcfour-hmac-md5", "ArcFour with HMAC/md5", &krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+ CKSUMTYPE_HMAC_MD5_ARCFOUR },
{ ENCTYPE_ARCFOUR_HMAC_EXP,
"arcfour-hmac-exp", "Exportable ArcFour with HMAC/md5",
&krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+ CKSUMTYPE_HMAC_MD5_ARCFOUR },
{ ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */
"rc4-hmac-exp", "Exportable ArcFour with HMAC/md5",
&krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+ CKSUMTYPE_HMAC_MD5_ARCFOUR },
{ ENCTYPE_ARCFOUR_HMAC_EXP, /* alias */
"arcfour-hmac-md5-exp", "Exportable ArcFour with HMAC/md5",
&krb5int_enc_arcfour,
&krb5int_hash_md5, krb5_arcfour_encrypt_length, krb5_arcfour_encrypt,
- krb5_arcfour_decrypt, krb5int_arcfour_string_to_key },
+ krb5_arcfour_decrypt, krb5int_arcfour_string_to_key,
+ CKSUMTYPE_HMAC_MD5_ARCFOUR },
{ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
"aes128-cts-hmac-sha1-96", "AES-128 CTS mode with 96-bit SHA-1 HMAC",
&krb5int_enc_aes128, &krb5int_hash_sha1,
krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
- krb5int_aes_string_to_key },
+ krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES128 },
{ ENCTYPE_AES128_CTS_HMAC_SHA1_96, /* alias */
"aes128-cts", "AES-128 CTS mode with 96-bit SHA-1 HMAC",
&krb5int_enc_aes128, &krb5int_hash_sha1,
krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
- krb5int_aes_string_to_key },
+ krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES128 },
{ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
"aes256-cts-hmac-sha1-96", "AES-256 CTS mode with 96-bit SHA-1 HMAC",
&krb5int_enc_aes256, &krb5int_hash_sha1,
krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
- krb5int_aes_string_to_key },
+ krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES256 },
{ ENCTYPE_AES256_CTS_HMAC_SHA1_96, /* alias */
"aes256-cts", "AES-256 CTS mode with 96-bit SHA-1 HMAC",
&krb5int_enc_aes256, &krb5int_hash_sha1,
krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
- krb5int_aes_string_to_key },
+ krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES256 },
#ifdef ATHENA_DES3_KLUDGE
/*
@@ -153,7 +159,7 @@ const struct krb5_keytypes krb5_enctypes_list[] = {
"Triple DES with HMAC/sha1 and 32-bit length code",
&krb5int_enc_des3, &krb5int_hash_sha1,
krb5_marc_dk_encrypt_length, krb5_marc_dk_encrypt, krb5_marc_dk_decrypt,
- krb5int_dk_string_to_key },
+ krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 },
#endif
};
diff --git a/src/lib/crypto/mandatory_sumtype.c b/src/lib/crypto/mandatory_sumtype.c
new file mode 100644
index 000000000..f9322ff3f
--- /dev/null
+++ b/src/lib/crypto/mandatory_sumtype.c
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2003 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include "k5-int.h"
+#include "etypes.h"
+
+krb5_error_code
+krb5int_c_mandatory_cksumtype (krb5_context ctx, krb5_enctype etype,
+ krb5_cksumtype *cksumtype)
+{
+ int i;
+
+ for (i = 0; i < krb5_enctypes_length; i++)
+ if (krb5_enctypes_list[i].etype == etype) {
+ *cksumtype = krb5_enctypes_list[i].required_ctype;
+ return 0;
+ }
+
+ return KRB5_BAD_ENCTYPE;
+}
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index 7ce92efa3..11e840b6b 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,3 +1,15 @@
+2003-12-13 Ken Raeburn <raeburn@mit.edu>
+
+ * mk_req_ext.c (krb5int_generate_and_save_subkey): New function,
+ split out from krb5_mk_req_extended.
+ (krb5_mk_req_extended): Call it.
+ * mk_rep.c (krb5_mk_rep): If KRB5_AUTH_CONTEXT_USE_SUBKEY flag is
+ set, call krb5int_generate_and_save_subkey to set up a new subkey
+ to send to the client.
+
+ * serialize.c (krb5_ser_pack_int64, krb5_ser_unpack_int64): New
+ functions.
+
2003-10-30 Tom Yu <tlyu@mit.edu>
* gen_seqnum.c (krb5_generate_seq_number): Fix mask; was short by
diff --git a/src/lib/krb5/krb/mk_rep.c b/src/lib/krb5/krb/mk_rep.c
index 31f3fe500..393f634bb 100644
--- a/src/lib/krb5/krb/mk_rep.c
+++ b/src/lib/krb5/krb/mk_rep.c
@@ -59,7 +59,14 @@ krb5_mk_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *out
repl.ctime = auth_context->authentp->ctime;
repl.cusec = auth_context->authentp->cusec;
- repl.subkey = auth_context->authentp->subkey;
+ if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_USE_SUBKEY) {
+ retval = krb5int_generate_and_save_subkey (context, auth_context,
+ auth_context->keyblock);
+ if (retval)
+ return retval;
+ repl.subkey = auth_context->send_subkey;
+ } else
+ repl.subkey = auth_context->authentp->subkey;
repl.seq_number = auth_context->local_seq_number;
/* encode it before encrypting */
diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c
index bac7ac0ee..cdb8f6950 100644
--- a/src/lib/krb5/krb/mk_req_ext.c
+++ b/src/lib/krb5/krb/mk_req_ext.c
@@ -70,6 +70,38 @@ krb5_generate_authenticator (krb5_context,
krb5_checksum *, krb5_keyblock *,
krb5_ui_4, krb5_authdata ** );
+krb5_error_code
+krb5int_generate_and_save_subkey (krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_keyblock *keyblock)
+{
+ /* Provide some more fodder for random number code.
+ This isn't strong cryptographically; the point here is not
+ to guarantee randomness, but to make it less likely that multiple
+ sessions could pick the same subkey. */
+ struct {
+ krb5_int32 sec, usec;
+ } rnd_data;
+ krb5_data d;
+ krb5_error_code retval;
+
+ krb5_crypto_us_timeofday (&rnd_data.sec, &rnd_data.usec);
+ d.length = sizeof (rnd_data);
+ d.data = (char *) &rnd_data;
+ (void) krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_TIMING, &d);
+
+ if ((retval = krb5_generate_subkey(context, keyblock, &auth_context->send_subkey)))
+ return retval;
+ retval = krb5_copy_keyblock(context, auth_context->send_subkey,
+ &auth_context->recv_subkey);
+ if (retval) {
+ krb5_free_keyblock(context, auth_context->send_subkey);
+ auth_context->send_subkey = NULL;
+ return retval;
+ }
+ return 0;
+}
+
krb5_error_code KRB5_CALLCONV
krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
krb5_flags ap_req_options, krb5_data *in_data,
@@ -131,29 +163,10 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
}
if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->send_subkey)) {
- /* Provide some more fodder for random number code.
- This isn't strong cryptographically; the point here is not
- to guarantee randomness, but to make it less likely that multiple
- sessions could pick the same subkey. */
- struct {
- krb5_int32 sec, usec;
- } rnd_data;
- krb5_data d;
- krb5_crypto_us_timeofday (&rnd_data.sec, &rnd_data.usec);
- d.length = sizeof (rnd_data);
- d.data = (char *) &rnd_data;
- (void) krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_TIMING, &d);
-
- if ((retval = krb5_generate_subkey(context, &(in_creds)->keyblock,
- &(*auth_context)->send_subkey)))
- goto cleanup;
- retval = krb5_copy_keyblock(context, (*auth_context)->send_subkey,
- &((*auth_context)->recv_subkey));
- if (retval) {
- krb5_free_keyblock(context, (*auth_context)->send_subkey);
- (*auth_context)->send_subkey = NULL;
+ retval = krb5int_generate_and_save_subkey (context, *auth_context,
+ &in_creds->keyblock);
+ if (retval)
goto cleanup;
- }
}
diff --git a/src/lib/krb5/krb/serialize.c b/src/lib/krb5/krb/serialize.c
index 7c5f17a4c..9cbcef78d 100644
--- a/src/lib/krb5/krb/serialize.c
+++ b/src/lib/krb5/krb/serialize.c
@@ -174,7 +174,7 @@ krb5_internalize_opaque(krb5_context kcontext, krb5_magic odtype, krb5_pointer *
}
/*
- * krb5_ser_pack_int32() - Pack a 4-byte integer if space is availble.
+ * krb5_ser_pack_int32() - Pack a 4-byte integer if space is available.
* Update buffer pointer and remaining space.
*/
krb5_error_code KRB5_CALLCONV
@@ -194,6 +194,23 @@ krb5_ser_pack_int32(krb5_int32 iarg, krb5_octet **bufp, size_t *remainp)
}
/*
+ * krb5_ser_pack_int64() - Pack an 8-byte integer if space is available.
+ * Update buffer pointer and remaining space.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_ser_pack_int64(krb5_int64 iarg, krb5_octet **bufp, size_t *remainp)
+{
+ if (*remainp >= sizeof(krb5_int64)) {
+ store_64_be(iarg, (unsigned char *)*bufp);
+ *bufp += sizeof(krb5_int64);
+ *remainp -= sizeof(krb5_int64);
+ return(0);
+ }
+ else
+ return(ENOMEM);
+}
+
+/*
* krb5_ser_pack_bytes() - Pack a string of bytes.
*/
krb5_error_code KRB5_CALLCONV
@@ -229,6 +246,22 @@ krb5_ser_unpack_int32(krb5_int32 *intp, krb5_octet **bufp, size_t *remainp)
}
/*
+ * krb5_ser_unpack_int64() - Unpack an 8-byte integer if it's there.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_ser_unpack_int64(krb5_int64 *intp, krb5_octet **bufp, size_t *remainp)
+{
+ if (*remainp >= sizeof(krb5_int64)) {
+ *intp = load_64_be((unsigned char *)*bufp);
+ *bufp += sizeof(krb5_int64);
+ *remainp -= sizeof(krb5_int64);
+ return(0);
+ }
+ else
+ return(ENOMEM);
+}
+
+/*
* krb5_ser_unpack_bytes() - Unpack a byte string if it's there.
*/
krb5_error_code KRB5_CALLCONV
generated by cgit (git 2.34.1) at 2026-04-04 23:32:27 +0000