diff options
| author | Greg Hudson <ghudson@mit.edu> | 2009-10-08 14:39:24 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2009-10-08 14:39:24 +0000 |
| commit | 9b506bd2ead01ea6cce93a2f5bc07e037c8ceb91 (patch) | |
| tree | ee11ee1e6d525e9ef0b059870c889ecbc2cac8c4 | |
| parent | 2e333c5f80f512e16477735746bb11bc8a81e663 (diff) | |
| download | krb5-9b506bd2ead01ea6cce93a2f5bc07e037c8ceb91.zip krb5-9b506bd2ead01ea6cce93a2f5bc07e037c8ceb91.tar.gz krb5-9b506bd2ead01ea6cce93a2f5bc07e037c8ceb91.tar.bz2 | |
Change the krb5_keyblocks in the libkrb5 auth context to krb5_keys,
and use krb5_k functions to encrypt and decrypt with them.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/enc-perf@22870 dc483132-0cff-0310-8789-dd5450dbe970
| -rw-r--r-- | src/include/k5-int.h | 5 | ||||
| -rw-r--r-- | src/lib/krb5/krb/auth_con.c | 37 | ||||
| -rw-r--r-- | src/lib/krb5/krb/auth_con.h | 6 | ||||
| -rw-r--r-- | src/lib/krb5/krb/enc_helper.c | 25 | ||||
| -rw-r--r-- | src/lib/krb5/krb/mk_cred.c | 23 | ||||
| -rw-r--r-- | src/lib/krb5/krb/mk_priv.c | 20 | ||||
| -rw-r--r-- | src/lib/krb5/krb/mk_rep.c | 13 | ||||
| -rw-r--r-- | src/lib/krb5/krb/mk_req_ext.c | 50 | ||||
| -rw-r--r-- | src/lib/krb5/krb/mk_safe.c | 17 | ||||
| -rw-r--r-- | src/lib/krb5/krb/rd_cred.c | 24 | ||||
| -rw-r--r-- | src/lib/krb5/krb/rd_priv.c | 20 | ||||
| -rw-r--r-- | src/lib/krb5/krb/rd_rep.c | 23 | ||||
| -rw-r--r-- | src/lib/krb5/krb/rd_req_dec.c | 28 | ||||
| -rw-r--r-- | src/lib/krb5/krb/rd_safe.c | 16 | ||||
| -rw-r--r-- | src/lib/krb5/krb/ser_actx.c | 89 |
15 files changed, 217 insertions, 179 deletions
diff --git a/src/include/k5-int.h b/src/include/k5-int.h index f30ac9b..22824c1 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -871,6 +871,11 @@ krb5_error_code krb5_encrypt_helper krb5_keyusage keyusage, const krb5_data *plain, krb5_enc_data *cipher); +krb5_error_code krb5_encrypt_keyhelper +(krb5_context context, krb5_key key, + krb5_keyusage keyusage, const krb5_data *plain, + krb5_enc_data *cipher); + /* * End "los-proto.h" */ diff --git a/src/lib/krb5/krb/auth_con.c b/src/lib/krb5/krb/auth_con.c index 41a2578..a3e1935 100644 --- a/src/lib/krb5/krb/auth_con.c +++ b/src/lib/krb5/krb/auth_con.c @@ -56,12 +56,12 @@ krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context) krb5_free_address(context, auth_context->remote_port); if (auth_context->authentp) krb5_free_authenticator(context, auth_context->authentp); - if (auth_context->keyblock) - krb5_free_keyblock(context, auth_context->keyblock); + if (auth_context->key) + krb5_k_free_key(context, auth_context->key); if (auth_context->send_subkey) - krb5_free_keyblock(context, auth_context->send_subkey); + krb5_k_free_key(context, auth_context->send_subkey); if (auth_context->recv_subkey) - krb5_free_keyblock(context, auth_context->recv_subkey); + krb5_k_free_key(context, auth_context->recv_subkey); if (auth_context->rcache) krb5_rc_close(context, auth_context->rcache); if (auth_context->permitted_etypes) @@ -158,16 +158,16 @@ krb5_auth_con_setports(krb5_context context, krb5_auth_context auth_context, krb krb5_error_code KRB5_CALLCONV krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock) { - if (auth_context->keyblock) - krb5_free_keyblock(context, auth_context->keyblock); - return(krb5_copy_keyblock(context, keyblock, &(auth_context->keyblock))); + if (auth_context->key) + krb5_k_free_key(context, auth_context->key); + return(krb5_k_create_key(context, keyblock, &(auth_context->key))); } krb5_error_code KRB5_CALLCONV krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock) { - if (auth_context->keyblock) - return krb5_copy_keyblock(context, auth_context->keyblock, keyblock); + if (auth_context->key) + return krb5_k_key_keyblock(context, auth_context->key, keyblock); *keyblock = NULL; return 0; } @@ -188,10 +188,10 @@ krb5_error_code KRB5_CALLCONV krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock) { if (ac->send_subkey != NULL) - krb5_free_keyblock(ctx, ac->send_subkey); + krb5_k_free_key(ctx, ac->send_subkey); ac->send_subkey = NULL; if (keyblock !=NULL) - return krb5_copy_keyblock(ctx, keyblock, &ac->send_subkey); + return krb5_k_create_key(ctx, keyblock, &ac->send_subkey); else return 0; } @@ -200,10 +200,10 @@ krb5_error_code KRB5_CALLCONV krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock) { if (ac->recv_subkey != NULL) - krb5_free_keyblock(ctx, ac->recv_subkey); + krb5_k_free_key(ctx, ac->recv_subkey); ac->recv_subkey = NULL; if (keyblock != NULL) - return krb5_copy_keyblock(ctx, keyblock, &ac->recv_subkey); + return krb5_k_create_key(ctx, keyblock, &ac->recv_subkey); else return 0; } @@ -212,7 +212,7 @@ krb5_error_code KRB5_CALLCONV krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock) { if (ac->send_subkey != NULL) - return krb5_copy_keyblock(ctx, ac->send_subkey, keyblock); + return krb5_k_key_keyblock(ctx, ac->send_subkey, keyblock); *keyblock = NULL; return 0; } @@ -221,7 +221,7 @@ krb5_error_code KRB5_CALLCONV krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock) { if (ac->recv_subkey != NULL) - return krb5_copy_keyblock(ctx, ac->recv_subkey, keyblock); + return krb5_k_key_keyblock(ctx, ac->recv_subkey, keyblock); *keyblock = NULL; return 0; } @@ -266,12 +266,13 @@ krb5_error_code KRB5_CALLCONV krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context) { krb5_error_code ret; + krb5_enctype enctype; - if (auth_context->keyblock) { + if (auth_context->key) { size_t blocksize; - if ((ret = krb5_c_block_size(context, auth_context->keyblock->enctype, - &blocksize))) + enctype = krb5_k_key_enctype(context, auth_context->key); + if ((ret = krb5_c_block_size(context, enctype, &blocksize))) return(ret); if ((auth_context->i_vector = (krb5_pointer)calloc(1,blocksize))) { return 0; diff --git a/src/lib/krb5/krb/auth_con.h b/src/lib/krb5/krb/auth_con.h index be63bed..8c3e4a2 100644 --- a/src/lib/krb5/krb/auth_con.h +++ b/src/lib/krb5/krb/auth_con.h @@ -8,9 +8,9 @@ struct _krb5_auth_context { krb5_address * remote_port; krb5_address * local_addr; krb5_address * local_port; - krb5_keyblock * keyblock; - krb5_keyblock * send_subkey; - krb5_keyblock * recv_subkey; + krb5_key key; + krb5_key send_subkey; + krb5_key recv_subkey; krb5_int32 auth_context_flags; krb5_ui_4 remote_seq_number; diff --git a/src/lib/krb5/krb/enc_helper.c b/src/lib/krb5/krb/enc_helper.c index 63e3495..0e14d8c 100644 --- a/src/lib/krb5/krb/enc_helper.c +++ b/src/lib/krb5/krb/enc_helper.c @@ -48,3 +48,28 @@ krb5_encrypt_helper(krb5_context context, const krb5_keyblock *key, krb5_keyusag return(ret); } +krb5_error_code +krb5_encrypt_keyhelper(krb5_context context, krb5_key key, krb5_keyusage usage, + const krb5_data *plain, krb5_enc_data *cipher) +{ + krb5_enctype enctype; + krb5_error_code ret; + size_t enclen; + + enctype = krb5_k_key_enctype(context, key); + ret = krb5_c_encrypt_length(context, enctype, plain->length, &enclen); + if (ret != 0) + return ret; + + cipher->ciphertext.length = enclen; + cipher->ciphertext.data = malloc(enclen); + if (cipher->ciphertext.data == NULL) + return ENOMEM; + ret = krb5_k_encrypt(context, key, usage, 0, plain, cipher); + if (ret) { + free(cipher->ciphertext.data); + cipher->ciphertext.data = NULL; + } + + return ret; +} diff --git a/src/lib/krb5/krb/mk_cred.c b/src/lib/krb5/krb/mk_cred.c index f17a148..6ce0e35 100644 --- a/src/lib/krb5/krb/mk_cred.c +++ b/src/lib/krb5/krb/mk_cred.c @@ -22,7 +22,7 @@ */ static krb5_error_code encrypt_credencpart(krb5_context context, krb5_cred_enc_part *pcredpart, - krb5_keyblock *pkeyblock, krb5_enc_data *pencdata) + krb5_key pkey, krb5_enc_data *pencdata) { krb5_error_code retval; krb5_data * scratch; @@ -35,7 +35,7 @@ encrypt_credencpart(krb5_context context, krb5_cred_enc_part *pcredpart, * If the keyblock is NULL, just copy the data from the encoded * data to the ciphertext area. */ - if (pkeyblock == NULL) { + if (pkey == NULL) { pencdata->ciphertext.data = scratch->data; pencdata->ciphertext.length = scratch->length; free(scratch); @@ -43,9 +43,9 @@ encrypt_credencpart(krb5_context context, krb5_cred_enc_part *pcredpart, } /* call the encryption routine */ - retval = krb5_encrypt_helper(context, pkeyblock, - KRB5_KEYUSAGE_KRB_CRED_ENCPART, - scratch, pencdata); + retval = krb5_encrypt_keyhelper(context, pkey, + KRB5_KEYUSAGE_KRB_CRED_ENCPART, + scratch, pencdata); if (retval) { memset(pencdata->ciphertext.data, 0, pencdata->ciphertext.length); @@ -65,7 +65,7 @@ encrypt_credencpart(krb5_context context, krb5_cred_enc_part *pcredpart, static krb5_error_code krb5_mk_ncred_basic(krb5_context context, krb5_creds **ppcreds, krb5_int32 nppcreds, - krb5_keyblock *keyblock, krb5_replay_data *replaydata, + krb5_key key, krb5_replay_data *replaydata, krb5_address *local_addr, krb5_address *remote_addr, krb5_cred *pcred) { @@ -134,8 +134,7 @@ krb5_mk_ncred_basic(krb5_context context, pcred->tickets[i] = NULL; /* encrypt the credential encrypted part */ - retval = encrypt_credencpart(context, &credenc, keyblock, - &pcred->enc_part); + retval = encrypt_credencpart(context, &credenc, key, &pcred->enc_part); cleanup: krb5_free_cred_enc_part(context, &credenc); @@ -158,7 +157,7 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context, krb5_address remote_fulladdr; krb5_address local_fulladdr; krb5_error_code retval; - krb5_keyblock * keyblock; + krb5_key key; krb5_replay_data replaydata; krb5_cred * pcred; krb5_int32 ncred; @@ -188,8 +187,8 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context, } /* Get keyblock */ - if ((keyblock = auth_context->send_subkey) == NULL) - keyblock = auth_context->keyblock; + if ((key = auth_context->send_subkey) == NULL) + key = auth_context->key; /* Get replay info */ if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && @@ -246,7 +245,7 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context, } /* Setup creds structure */ - if ((retval = krb5_mk_ncred_basic(context, ppcreds, ncred, keyblock, + if ((retval = krb5_mk_ncred_basic(context, ppcreds, ncred, key, &replaydata, plocal_fulladdr, premote_fulladdr, pcred))) { goto error; diff --git a/src/lib/krb5/krb/mk_priv.c b/src/lib/krb5/krb/mk_priv.c index 30ffec3..824bfd5 100644 --- a/src/lib/krb5/krb/mk_priv.c +++ b/src/lib/krb5/krb/mk_priv.c @@ -33,10 +33,11 @@ static krb5_error_code krb5_mk_priv_basic(krb5_context context, const krb5_data *userdata, - const krb5_keyblock *keyblock, krb5_replay_data *replaydata, + krb5_key key, krb5_replay_data *replaydata, krb5_address *local_addr, krb5_address *remote_addr, krb5_pointer i_vector, krb5_data *outbuf) { + krb5_enctype enctype = krb5_k_key_enctype(context, key); krb5_error_code retval; krb5_priv privmsg; krb5_priv_enc_part privmsg_enc_part; @@ -44,7 +45,7 @@ krb5_mk_priv_basic(krb5_context context, const krb5_data *userdata, size_t blocksize, enclen; privmsg.enc_part.kvno = 0; /* XXX allow user-set? */ - privmsg.enc_part.enctype = keyblock->enctype; + privmsg.enc_part.enctype = enctype; privmsg_enc_part.user_data = *userdata; privmsg_enc_part.s_address = local_addr; @@ -60,7 +61,7 @@ krb5_mk_priv_basic(krb5_context context, const krb5_data *userdata, return retval; /* put together an eblock for this encryption */ - if ((retval = krb5_c_encrypt_length(context, keyblock->enctype, + if ((retval = krb5_c_encrypt_length(context, enctype, scratch1->length, &enclen))) goto clean_scratch; @@ -73,15 +74,14 @@ krb5_mk_priv_basic(krb5_context context, const krb5_data *userdata, /* call the encryption routine */ if (i_vector) { - if ((retval = krb5_c_block_size(context, keyblock->enctype, - &blocksize))) + if ((retval = krb5_c_block_size(context, enctype, &blocksize))) goto clean_encpart; ivdata.length = blocksize; ivdata.data = i_vector; } - if ((retval = krb5_c_encrypt(context, keyblock, + if ((retval = krb5_k_encrypt(context, key, KRB5_KEYUSAGE_KRB_PRIV_ENCPART, i_vector?&ivdata:0, scratch1, &privmsg.enc_part))) @@ -115,15 +115,15 @@ krb5_mk_priv(krb5_context context, krb5_auth_context auth_context, krb5_replay_data *outdata) { krb5_error_code retval; - krb5_keyblock * keyblock; + krb5_key key; krb5_replay_data replaydata; /* Clear replaydata block */ memset(&replaydata, 0, sizeof(krb5_replay_data)); /* Get keyblock */ - if ((keyblock = auth_context->send_subkey) == NULL) - keyblock = auth_context->keyblock; + if ((key = auth_context->send_subkey) == NULL) + key = auth_context->key; /* Get replay info */ if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && @@ -192,7 +192,7 @@ krb5_mk_priv(krb5_context context, krb5_auth_context auth_context, } } - if ((retval = krb5_mk_priv_basic(context, userdata, keyblock, &replaydata, + if ((retval = krb5_mk_priv_basic(context, userdata, key, &replaydata, plocal_fulladdr, premote_fulladdr, auth_context->i_vector, outbuf))) { CLEANUP_DONE(); diff --git a/src/lib/krb5/krb/mk_rep.c b/src/lib/krb5/krb/mk_rep.c index 29155b6..a4dbc46 100644 --- a/src/lib/krb5/krb/mk_rep.c +++ b/src/lib/krb5/krb/mk_rep.c @@ -80,7 +80,8 @@ k5_mk_rep(krb5_context context, krb5_auth_context auth_context, if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && (auth_context->local_seq_number == 0)) { - if ((retval = krb5_generate_seq_number(context, auth_context->keyblock, + if ((retval = krb5_generate_seq_number(context, + &auth_context->key->keyblock, &auth_context->local_seq_number))) return(retval); } @@ -98,11 +99,11 @@ k5_mk_rep(krb5_context context, krb5_auth_context auth_context, assert(auth_context->negotiated_etype != ENCTYPE_NULL); retval = krb5int_generate_and_save_subkey (context, auth_context, - auth_context->keyblock, + &auth_context->key->keyblock, auth_context->negotiated_etype); if (retval) return retval; - repl.subkey = auth_context->send_subkey; + repl.subkey = &auth_context->send_subkey->keyblock; } else repl.subkey = auth_context->authentp->subkey; @@ -115,9 +116,9 @@ k5_mk_rep(krb5_context context, krb5_auth_context auth_context, if ((retval = encode_krb5_ap_rep_enc_part(&repl, &scratch))) return retval; - if ((retval = krb5_encrypt_helper(context, auth_context->keyblock, - KRB5_KEYUSAGE_AP_REP_ENCPART, - scratch, &reply.enc_part))) + if ((retval = krb5_encrypt_keyhelper(context, auth_context->key, + KRB5_KEYUSAGE_AP_REP_ENCPART, + scratch, &reply.enc_part))) goto cleanup_scratch; if (!(retval = encode_krb5_ap_rep(&reply, &toutbuf))) { diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c index 64eafe3..3b1c93f 100644 --- a/src/lib/krb5/krb/mk_req_ext.c +++ b/src/lib/krb5/krb/mk_req_ext.c @@ -73,7 +73,7 @@ make_etype_list(krb5_context context, static krb5_error_code krb5_generate_authenticator (krb5_context, krb5_authenticator *, krb5_principal, - krb5_checksum *, krb5_keyblock *, + krb5_checksum *, krb5_key, krb5_ui_4, krb5_authdata **, krb5_enctype *desired_etypes, krb5_enctype tkt_enctype); @@ -93,6 +93,7 @@ krb5int_generate_and_save_subkey (krb5_context context, } rnd_data; krb5_data d; krb5_error_code retval; + krb5_keyblock *kb = NULL; if (krb5_crypto_us_timeofday(&rnd_data.sec, &rnd_data.usec) == 0) { d.length = sizeof(rnd_data); @@ -100,22 +101,23 @@ krb5int_generate_and_save_subkey (krb5_context context, krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_TIMING, &d); } - if (auth_context->send_subkey) - krb5_free_keyblock(context, auth_context->send_subkey); - if ((retval = krb5_generate_subkey_extended(context, keyblock, enctype, - &auth_context->send_subkey))) + retval = krb5_generate_subkey_extended(context, keyblock, enctype, &kb); + if (retval) return retval; + retval = krb5_auth_con_setsendsubkey(context, auth_context, kb); + if (retval) + goto cleanup; + retval = krb5_auth_con_setrecvsubkey(context, auth_context, kb); + if (retval) + goto cleanup; - if (auth_context->recv_subkey) - krb5_free_keyblock(context, auth_context->recv_subkey); - retval = krb5_copy_keyblock(context, auth_context->send_subkey, - &auth_context->recv_subkey); +cleanup: if (retval) { - krb5_free_keyblock(context, auth_context->send_subkey); - auth_context->send_subkey = NULL; - return retval; + (void) krb5_auth_con_setsendsubkey(context, auth_context, NULL); + (void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL); } - return 0; + krb5_free_keyblock(context, kb); + return retval; } krb5_error_code KRB5_CALLCONV @@ -159,14 +161,14 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, *auth_context = new_auth_context; } - if ((*auth_context)->keyblock != NULL) { - krb5_free_keyblock(context, (*auth_context)->keyblock); - (*auth_context)->keyblock = NULL; + if ((*auth_context)->key != NULL) { + krb5_k_free_key(context, (*auth_context)->key); + (*auth_context)->key = NULL; } /* set auth context keyblock */ - if ((retval = krb5_copy_keyblock(context, &in_creds->keyblock, - &((*auth_context)->keyblock)))) + if ((retval = krb5_k_create_key(context, &in_creds->keyblock, + &((*auth_context)->key)))) goto cleanup; /* generate seq number if needed */ @@ -205,16 +207,18 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, checksum.length = in_data->length; checksum.contents = (krb5_octet *) in_data->data; } else { + krb5_enctype enctype = krb5_k_key_enctype(context, + (*auth_context)->key); krb5_cksumtype cksumtype; - retval = krb5int_c_mandatory_cksumtype(context, (*auth_context)->keyblock->enctype, + retval = krb5int_c_mandatory_cksumtype(context, enctype, &cksumtype); if (retval) goto cleanup_cksum; if ((*auth_context)->req_cksumtype) cksumtype = (*auth_context)->req_cksumtype; - if ((retval = krb5_c_make_checksum(context, + if ((retval = krb5_k_make_checksum(context, cksumtype, - (*auth_context)->keyblock, + (*auth_context)->key, KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM, in_data, &checksum))) goto cleanup_cksum; @@ -297,7 +301,7 @@ cleanup: static krb5_error_code krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent, krb5_principal client, krb5_checksum *cksum, - krb5_keyblock *key, krb5_ui_4 seq_number, + krb5_key key, krb5_ui_4 seq_number, krb5_authdata **authorization, krb5_enctype *desired_etypes, krb5_enctype tkt_enctype) @@ -307,7 +311,7 @@ krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent, authent->client = client; authent->checksum = cksum; if (key) { - retval = krb5_copy_keyblock(context, key, &authent->subkey); + retval = krb5_k_key_keyblock(context, key, &authent->subkey); if (retval) return retval; } else diff --git a/src/lib/krb5/krb/mk_safe.c b/src/lib/krb5/krb/mk_safe.c index 23358b9..f3bfde3 100644 --- a/src/lib/krb5/krb/mk_safe.c +++ b/src/lib/krb5/krb/mk_safe.c @@ -48,7 +48,7 @@ */ static krb5_error_code krb5_mk_safe_basic(krb5_context context, const krb5_data *userdata, - const krb5_keyblock *keyblock, krb5_replay_data *replaydata, + krb5_key key, krb5_replay_data *replaydata, krb5_address *local_addr, krb5_address *remote_addr, krb5_cksumtype sumtype, krb5_data *outbuf) { @@ -88,7 +88,7 @@ krb5_mk_safe_basic(krb5_context context, const krb5_data *userdata, if ((retval = encode_krb5_safe(&safemsg, &scratch1))) return retval; - if ((retval = krb5_c_make_checksum(context, sumtype, keyblock, + if ((retval = krb5_k_make_checksum(context, sumtype, key, KRB5_KEYUSAGE_KRB_SAFE_CKSUM, scratch1, &safe_checksum))) goto cleanup_checksum; @@ -115,15 +115,15 @@ krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, krb5_replay_data *outdata) { krb5_error_code retval; - krb5_keyblock * keyblock; + krb5_key key; krb5_replay_data replaydata; /* Clear replaydata block */ memset(&replaydata, 0, sizeof(krb5_replay_data)); - /* Get keyblock */ - if ((keyblock = auth_context->send_subkey) == NULL) - keyblock = auth_context->keyblock; + /* Get key */ + if ((key = auth_context->send_subkey) == NULL) + key = auth_context->key; /* Get replay info */ if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && @@ -195,10 +195,11 @@ krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, } { + krb5_enctype enctype = krb5_k_key_enctype(context, key); unsigned int nsumtypes; unsigned int i; krb5_cksumtype *sumtypes; - retval = krb5_c_keyed_checksum_types (context, keyblock->enctype, + retval = krb5_c_keyed_checksum_types (context, enctype, &nsumtypes, &sumtypes); if (retval) { CLEANUP_DONE (); @@ -218,7 +219,7 @@ krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, sumtype = sumtypes[i]; krb5_free_cksumtypes (context, sumtypes); } - if ((retval = krb5_mk_safe_basic(context, userdata, keyblock, &replaydata, + if ((retval = krb5_mk_safe_basic(context, userdata, key, &replaydata, plocal_fulladdr, premote_fulladdr, sumtype, outbuf))) { CLEANUP_DONE(); diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c index 4863745..a5d00dc 100644 --- a/src/lib/krb5/krb/rd_cred.c +++ b/src/lib/krb5/krb/rd_cred.c @@ -13,7 +13,7 @@ */ static krb5_error_code decrypt_credencdata(krb5_context context, krb5_cred *pcred, - krb5_keyblock *pkeyblock, krb5_cred_enc_part *pcredenc) + krb5_key pkey, krb5_cred_enc_part *pcredenc) { krb5_cred_enc_part * ppart = NULL; krb5_error_code retval; @@ -23,8 +23,8 @@ decrypt_credencdata(krb5_context context, krb5_cred *pcred, if (!(scratch.data = (char *)malloc(scratch.length))) return ENOMEM; - if (pkeyblock != NULL) { - if ((retval = krb5_c_decrypt(context, pkeyblock, + if (pkey != NULL) { + if ((retval = krb5_k_decrypt(context, pkey, KRB5_KEYUSAGE_KRB_CRED_ENCPART, 0, &pcred->enc_part, &scratch))) goto cleanup; @@ -53,7 +53,7 @@ cleanup: static krb5_error_code krb5_rd_cred_basic(krb5_context context, krb5_data *pcreddata, - krb5_keyblock *pkeyblock, krb5_replay_data *replaydata, + krb5_key pkey, krb5_replay_data *replaydata, krb5_creds ***pppcreds) { krb5_error_code retval; @@ -68,7 +68,7 @@ krb5_rd_cred_basic(krb5_context context, krb5_data *pcreddata, memset(&encpart, 0, sizeof(encpart)); - if ((retval = decrypt_credencdata(context, pcred, pkeyblock, &encpart))) + if ((retval = decrypt_credencdata(context, pcred, pkey, &encpart))) goto cleanup_cred; @@ -167,12 +167,12 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, krb5_replay_data *outdata) { krb5_error_code retval; - krb5_keyblock * keyblock; + krb5_key key; krb5_replay_data replaydata; - /* Get keyblock */ - if ((keyblock = auth_context->recv_subkey) == NULL) - keyblock = auth_context->keyblock; + /* Get key */ + if ((key = auth_context->recv_subkey) == NULL) + key = auth_context->key; if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && @@ -186,14 +186,14 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, /* - * If decrypting with the first keyblock we try fails, perhaps the + * If decrypting with the first key we try fails, perhaps the * credentials are stored in the session key so try decrypting with * that. */ - if ((retval = krb5_rd_cred_basic(context, pcreddata, keyblock, + if ((retval = krb5_rd_cred_basic(context, pcreddata, key, &replaydata, pppcreds))) { if ((retval = krb5_rd_cred_basic(context, pcreddata, - auth_context->keyblock, + auth_context->key, &replaydata, pppcreds))) { return retval; } diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c index eaeaed8..9b84ad8 100644 --- a/src/lib/krb5/krb/rd_priv.c +++ b/src/lib/krb5/krb/rd_priv.c @@ -54,8 +54,7 @@ Returns system errors, integrity errors. static krb5_error_code krb5_rd_priv_basic(krb5_context context, const krb5_data *inbuf, - const krb5_keyblock *keyblock, - const krb5_address *local_addr, + const krb5_key key, const krb5_address *local_addr, const krb5_address *remote_addr, krb5_pointer i_vector, krb5_replay_data *replaydata, krb5_data *outbuf) { @@ -65,6 +64,7 @@ krb5_rd_priv_basic(krb5_context context, const krb5_data *inbuf, krb5_priv_enc_part * privmsg_enc_part; size_t blocksize; krb5_data ivdata; + krb5_enctype enctype; if (!krb5_is_krb_priv(inbuf)) return KRB5KRB_AP_ERR_MSG_TYPE; @@ -74,8 +74,8 @@ krb5_rd_priv_basic(krb5_context context, const krb5_data *inbuf, return retval; if (i_vector) { - if ((retval = krb5_c_block_size(context, keyblock->enctype, - &blocksize))) + enctype = krb5_k_key_enctype(context, key); + if ((retval = krb5_c_block_size(context, enctype, &blocksize))) goto cleanup_privmsg; ivdata.length = blocksize; @@ -88,7 +88,7 @@ krb5_rd_priv_basic(krb5_context context, const krb5_data *inbuf, goto cleanup_privmsg; } - if ((retval = krb5_c_decrypt(context, keyblock, + if ((retval = krb5_k_decrypt(context, key, KRB5_KEYUSAGE_KRB_PRIV_ENCPART, i_vector?&ivdata:0, &privmsg->enc_part, &scratch))) @@ -156,12 +156,12 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, krb5_replay_data *outdata) { krb5_error_code retval; - krb5_keyblock * keyblock; + krb5_key key; krb5_replay_data replaydata; - /* Get keyblock */ - if ((keyblock = auth_context->recv_subkey) == NULL) - keyblock = auth_context->keyblock; + /* Get key */ + if ((key = auth_context->recv_subkey) == NULL) + key = auth_context->key; if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && @@ -213,7 +213,7 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, } memset(&replaydata, 0, sizeof(replaydata)); - if ((retval = krb5_rd_priv_basic(context, inbuf, keyblock, + if ((retval = krb5_rd_priv_basic(context, inbuf, key, plocal_fulladdr, premote_fulladdr, auth_context->i_vector, diff --git a/src/lib/krb5/krb/rd_rep.c b/src/lib/krb5/krb/rd_rep.c index 1e3c145..6e9cb08 100644 --- a/src/lib/krb5/krb/rd_rep.c +++ b/src/lib/krb5/krb/rd_rep.c @@ -95,7 +95,7 @@ krb5_rd_rep(krb5_context context, krb5_auth_context auth_context, goto clean_scratch; } - retval = krb5_c_decrypt(context, auth_context->keyblock, + retval = krb5_k_decrypt(context, auth_context->key, KRB5_KEYUSAGE_AP_REP_ENCPART, 0, &reply->enc_part, &scratch); if (retval) @@ -115,23 +115,14 @@ krb5_rd_rep(krb5_context context, krb5_auth_context auth_context, /* Set auth subkey. */ if (enc->subkey) { - if (auth_context->recv_subkey) { - krb5_free_keyblock(context, auth_context->recv_subkey); - auth_context->recv_subkey = NULL; - } - retval = krb5_copy_keyblock(context, enc->subkey, - &auth_context->recv_subkey); + retval = krb5_auth_con_setrecvsubkey(context, auth_context, + enc->subkey); if (retval) goto clean_scratch; - if (auth_context->send_subkey) { - krb5_free_keyblock(context, auth_context->send_subkey); - auth_context->send_subkey = NULL; - } - retval = krb5_copy_keyblock(context, enc->subkey, - &auth_context->send_subkey); + retval = krb5_auth_con_setsendsubkey(context, auth_context, + enc->subkey); if (retval) { - krb5_free_keyblock(context, auth_context->send_subkey); - auth_context->send_subkey = NULL; + (void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL); goto clean_scratch; } /* Not used for anything yet. */ @@ -178,7 +169,7 @@ krb5_rd_rep_dce(krb5_context context, krb5_auth_context auth_context, return(ENOMEM); } - if ((retval = krb5_c_decrypt(context, auth_context->keyblock, + if ((retval = krb5_k_decrypt(context, auth_context->key, KRB5_KEYUSAGE_AP_REP_ENCPART, 0, &reply->enc_part, &scratch))) goto clean_scratch; diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c index c618be1..cb4b8cc 100644 --- a/src/lib/krb5/krb/rd_req_dec.c +++ b/src/lib/krb5/krb/rd_req_dec.c @@ -227,12 +227,13 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, do we need special processing here ? */ /* decrypt the ticket */ - if ((*auth_context)->keyblock) { /* User to User authentication */ - if ((retval = krb5_decrypt_tkt_part(context, (*auth_context)->keyblock, + if ((*auth_context)->key) { /* User to User authentication */ + if ((retval = krb5_decrypt_tkt_part(context, + &(*auth_context)->key->keyblock, req->ticket))) goto cleanup; - krb5_free_keyblock(context, (*auth_context)->keyblock); - (*auth_context)->keyblock = NULL; + krb5_k_free_key(context, (*auth_context)->key); + (*auth_context)->key = NULL; } else { if ((retval = krb5_rd_req_decrypt_tkt_part(context, req, server, keytab))) goto cleanup; @@ -459,14 +460,14 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, (*auth_context)->remote_seq_number = (*auth_context)->authentp->seq_number; if ((*auth_context)->authentp->subkey) { - if ((retval = krb5_copy_keyblock(context, - (*auth_context)->authentp->subkey, - &((*auth_context)->recv_subkey)))) + if ((retval = krb5_k_create_key(context, + (*auth_context)->authentp->subkey, + &((*auth_context)->recv_subkey)))) goto cleanup; - retval = krb5_copy_keyblock(context, (*auth_context)->authentp->subkey, - &((*auth_context)->send_subkey)); + retval = krb5_k_create_key(context, (*auth_context)->authentp->subkey, + &((*auth_context)->send_subkey)); if (retval) { - krb5_free_keyblock(context, (*auth_context)->recv_subkey); + krb5_k_free_key(context, (*auth_context)->recv_subkey); (*auth_context)->recv_subkey = NULL; goto cleanup; } @@ -475,8 +476,8 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, (*auth_context)->send_subkey = 0; } - if ((retval = krb5_copy_keyblock(context, req->ticket->enc_part2->session, - &((*auth_context)->keyblock)))) + if ((retval = krb5_k_create_key(context, req->ticket->enc_part2->session, + &((*auth_context)->key)))) goto cleanup; debug_log_authz_data("ticket", req->ticket->enc_part2->authorization_data); @@ -499,7 +500,8 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, *ap_req_options = req->ap_options & AP_OPTS_WIRE_MASK; if (rfc4537_etypes_len != 0) *ap_req_options |= AP_OPTS_ETYPE_NEGOTIATION; - if ((*auth_context)->negotiated_etype != (*auth_context)->keyblock->enctype) + if ((*auth_context)->negotiated_etype != + krb5_k_key_enctype(context, (*auth_context)->key)) *ap_req_options |= AP_OPTS_USE_SUBKEY; } diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c index 989c222..68c1331 100644 --- a/src/lib/krb5/krb/rd_safe.c +++ b/src/lib/krb5/krb/rd_safe.c @@ -46,7 +46,7 @@ */ static krb5_error_code krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf, - const krb5_keyblock *keyblock, + krb5_key key, const krb5_address *recv_addr, const krb5_address *sender_addr, krb5_replay_data *replaydata, krb5_data *outbuf) @@ -124,7 +124,7 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf, if (retval) goto cleanup; - retval = krb5_c_verify_checksum(context, keyblock, + retval = krb5_k_verify_checksum(context, key, KRB5_KEYUSAGE_KRB_SAFE_CKSUM, scratch, his_cksum, &valid); @@ -136,7 +136,7 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf, * Checksum over only the KRB-SAFE-BODY, like RFC 1510 says, in * case someone actually implements it correctly. */ - retval = krb5_c_verify_checksum(context, keyblock, + retval = krb5_k_verify_checksum(context, key, KRB5_KEYUSAGE_KRB_SAFE_CKSUM, &safe_body, his_cksum, &valid); if (!valid) { @@ -164,7 +164,7 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, krb5_replay_data *outdata) { krb5_error_code retval; - krb5_keyblock * keyblock; + krb5_key key; krb5_replay_data replaydata; if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) || @@ -180,9 +180,9 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, if (!auth_context->remote_addr) return KRB5_REMOTE_ADDR_REQUIRED; - /* Get keyblock */ - if ((keyblock = auth_context->recv_subkey) == NULL) - keyblock = auth_context->keyblock; + /* Get key */ + if ((key = auth_context->recv_subkey) == NULL) + key = auth_context->key; { krb5_address * premote_fulladdr; @@ -220,7 +220,7 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, } memset(&replaydata, 0, sizeof(replaydata)); - if ((retval = krb5_rd_safe_basic(context, inbuf, keyblock, + if ((retval = krb5_rd_safe_basic(context, inbuf, key, plocal_fulladdr, premote_fulladdr, &replaydata, outbuf))) { CLEANUP_DONE(); diff --git a/src/lib/krb5/krb/ser_actx.c b/src/lib/krb5/krb/ser_actx.c index 347b300..30ad09d 100644 --- a/src/lib/krb5/krb/ser_actx.c +++ b/src/lib/krb5/krb/ser_actx.c @@ -75,6 +75,7 @@ krb5_auth_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) krb5_error_code kret; krb5_auth_context auth_context; size_t required; + krb5_enctype enctype; /* * krb5_auth_context requires at minimum: @@ -92,9 +93,9 @@ krb5_auth_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) kret = 0; /* Calculate size required by i_vector - ptooey */ - if (auth_context->i_vector && auth_context->keyblock) { - kret = krb5_c_block_size(kcontext, auth_context->keyblock->enctype, - &required); + if (auth_context->i_vector && auth_context->key) { + enctype = krb5_k_key_enctype(kcontext, auth_context->key); + kret = krb5_c_block_size(kcontext, enctype, &required); } else { required = 0; } @@ -141,11 +142,11 @@ krb5_auth_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) required += sizeof(krb5_int32); } - /* Calculate size required by keyblock, if appropriate */ - if (!kret && auth_context->keyblock) { + /* Calculate size required by key, if appropriate */ + if (!kret && auth_context->key) { kret = krb5_size_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer) auth_context->keyblock, + KV5M_KEYBLOCK, (krb5_pointer) + &auth_context->key->keyblock, &required); if (!kret) required += sizeof(krb5_int32); @@ -154,8 +155,8 @@ krb5_auth_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) /* Calculate size required by send_subkey, if appropriate */ if (!kret && auth_context->send_subkey) { kret = krb5_size_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer) auth_context->send_subkey, + KV5M_KEYBLOCK, (krb5_pointer) + &auth_context->send_subkey->keyblock, &required); if (!kret) required += sizeof(krb5_int32); @@ -164,8 +165,8 @@ krb5_auth_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) /* Calculate size required by recv_subkey, if appropriate */ if (!kret && auth_context->recv_subkey) { kret = krb5_size_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer) auth_context->recv_subkey, + KV5M_KEYBLOCK, (krb5_pointer) + &auth_context->recv_subkey->keyblock, &required); if (!kret) required += sizeof(krb5_int32); @@ -197,6 +198,7 @@ krb5_auth_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octe size_t remain; size_t obuf; krb5_int32 obuf32; + krb5_enctype enctype; required = 0; bp = *buffer; @@ -224,9 +226,8 @@ krb5_auth_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octe /* Now figure out the number of bytes for i_vector and write it */ if (auth_context->i_vector) { - kret = krb5_c_block_size(kcontext, - auth_context->keyblock->enctype, - &obuf); + enctype = krb5_k_key_enctype(kcontext, auth_context->key); + kret = krb5_c_block_size(kcontext, enctype, &obuf); } else { obuf = 0; } @@ -289,12 +290,12 @@ krb5_auth_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octe } /* Now handle keyblock, if appropriate */ - if (!kret && auth_context->keyblock) { + if (!kret && auth_context->key) { (void) krb5_ser_pack_int32(TOKEN_KEYBLOCK, &bp, &remain); kret = krb5_externalize_opaque(kcontext, KV5M_KEYBLOCK, (krb5_pointer) - auth_context->keyblock, + &auth_context->key->keyblock, &bp, &remain); } @@ -304,8 +305,8 @@ krb5_auth_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octe (void) krb5_ser_pack_int32(TOKEN_LSKBLOCK, &bp, &remain); kret = krb5_externalize_opaque(kcontext, KV5M_KEYBLOCK, - (krb5_pointer) - auth_context->send_subkey, + (krb5_pointer) &auth_context-> + send_subkey->keyblock, &bp, &remain); } @@ -315,8 +316,8 @@ krb5_auth_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octe (void) krb5_ser_pack_int32(TOKEN_RSKBLOCK, &bp, &remain); kret = krb5_externalize_opaque(kcontext, KV5M_KEYBLOCK, - (krb5_pointer) - auth_context->recv_subkey, + (krb5_pointer) &auth_context-> + recv_subkey->keyblock, &bp, &remain); } @@ -345,6 +346,22 @@ krb5_auth_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octe return(kret); } +/* Internalize a keyblock and convert it to a key. */ +static krb5_error_code +intern_key(krb5_context ctx, krb5_key *key, krb5_octet **bp, size_t *sp) +{ + krb5_keyblock *keyblock; + krb5_error_code ret; + + ret = krb5_internalize_opaque(ctx, KV5M_KEYBLOCK, + (krb5_pointer *) &keyblock, bp, sp); + if (ret != 0) + return ret; + ret = krb5_k_create_key(ctx, keyblock, key); + krb5_free_keyblock(ctx, keyblock); + return ret; +} + /* * krb5_auth_context_internalize() - Internalize the krb5_auth_context. */ @@ -464,37 +481,29 @@ krb5_auth_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_oc /* This is the keyblock */ if (!kret && (tag == TOKEN_KEYBLOCK)) { - if (!(kret = krb5_internalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer *) - &auth_context->keyblock, - &bp, - &remain))) + if (!(kret = intern_key(kcontext, + &auth_context->key, + &bp, + &remain))) kret = krb5_ser_unpack_int32(&tag, &bp, &remain); } /* This is the send_subkey */ if (!kret && (tag == TOKEN_LSKBLOCK)) { - if (!(kret = krb5_internalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer *) - &auth_context-> - send_subkey, - &bp, - &remain))) + if (!(kret = intern_key(kcontext, + &auth_context->send_subkey, + &bp, + &remain))) kret = krb5_ser_unpack_int32(&tag, &bp, &remain); } /* This is the recv_subkey */ if (!kret) { if (tag == TOKEN_RSKBLOCK) { - kret = krb5_internalize_opaque(kcontext, - KV5M_KEYBLOCK, - (krb5_pointer *) - &auth_context-> - recv_subkey, - &bp, - &remain); + kret = intern_key(kcontext, + &auth_context->recv_subkey, + &bp, + &remain); } else { /* |