diff options
author | Luke Howard <lukeh@padl.com> | 2010-05-14 15:22:43 +0000 |
---|---|---|
committer | Luke Howard <lukeh@padl.com> | 2010-05-14 15:22:43 +0000 |
commit | f7d55dcd75cd99e6ed903a20bf9dea5fe73c0238 (patch) | |
tree | d8dc8efd73f5ac88acc5b9e170ac98516c627848 | |
parent | 1af7de5c7c528cdad9c14b2e05e48e4e62a35aed (diff) | |
download | krb5-f7d55dcd75cd99e6ed903a20bf9dea5fe73c0238.zip krb5-f7d55dcd75cd99e6ed903a20bf9dea5fe73c0238.tar.gz krb5-f7d55dcd75cd99e6ed903a20bf9dea5fe73c0238.tar.bz2 |
further salt new enctypes with enctype name
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/camellia-ccm@24031 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/lib/crypto/krb/dk/dk.h | 9 | ||||
-rw-r--r-- | src/lib/crypto/krb/dk/stringtokey.c | 51 | ||||
-rw-r--r-- | src/lib/crypto/krb/etypes.c | 8 |
3 files changed, 57 insertions, 11 deletions
diff --git a/src/lib/crypto/krb/dk/dk.h b/src/lib/crypto/krb/dk/dk.h index 04223e6..1f17332 100644 --- a/src/lib/crypto/krb/dk/dk.h +++ b/src/lib/crypto/krb/dk/dk.h @@ -61,7 +61,14 @@ krb5int_aes_string_to_key(const struct krb5_keytypes *enc, const krb5_data *string, const krb5_data *salt, const krb5_data *params, krb5_keyblock *key); -#define krb5int_camellia_string_to_key krb5int_aes_string_to_key +krb5_error_code +krb5int_peppered_string_to_key(const struct krb5_keytypes *enc, + const krb5_data *string, const krb5_data *salt, + const krb5_data *params, krb5_keyblock *key); + +#define krb5int_aes_ccm_string_to_key krb5int_peppered_string_to_key +#define krb5int_camellia_string_to_key krb5int_peppered_string_to_key +#define krb5int_camellia_ccm_string_to_key krb5int_peppered_string_to_key krb5_error_code krb5int_derive_keyblock(const struct krb5_enc_provider *enc, diff --git a/src/lib/crypto/krb/dk/stringtokey.c b/src/lib/crypto/krb/dk/stringtokey.c index 4c7206c..0eacb2f 100644 --- a/src/lib/crypto/krb/dk/stringtokey.c +++ b/src/lib/crypto/krb/dk/stringtokey.c @@ -103,18 +103,20 @@ cleanup: #define DEFAULT_ITERATION_COUNT 4096 /* was 0xb000L in earlier drafts */ #define MAX_ITERATION_COUNT 0x1000000L -krb5_error_code -krb5int_aes_string_to_key(const struct krb5_keytypes *ktp, - const krb5_data *string, - const krb5_data *salt, - const krb5_data *params, - krb5_keyblock *key) +static krb5_error_code +pbkdf2_string_to_key(const struct krb5_keytypes *ktp, + const krb5_data *string, + const krb5_data *salt, + const krb5_data *pepper, + const krb5_data *params, + krb5_keyblock *key) { unsigned long iter_count; krb5_data out; static const krb5_data usage = { KV5M_DATA, 8, "kerberos" }; krb5_key tempkey = NULL; krb5_error_code err; + krb5_data spepper = empty_data(); if (params) { unsigned char *p = (unsigned char *) params->data; @@ -142,6 +144,18 @@ krb5int_aes_string_to_key(const struct krb5_keytypes *ktp, if (out.length != 16 && out.length != 32) return KRB5_CRYPTO_INTERNAL; + if (pepper != NULL) { + err = alloc_data(&spepper, pepper->length + 1 + salt->length); + if (err) + return err; + + memcpy(spepper.data, pepper->data, pepper->length); + spepper.data[pepper->length] = '\0'; + memcpy(&spepper.data[pepper->length + 1], salt->data, salt->length); + + salt = &spepper; + } + err = krb5int_pbkdf2_hmac_sha1 (&out, iter_count, string, salt); if (err) goto cleanup; @@ -153,8 +167,33 @@ krb5int_aes_string_to_key(const struct krb5_keytypes *ktp, err = krb5int_derive_keyblock(ktp->enc, tempkey, key, &usage); cleanup: + if (spepper.data) + free(spepper.data); if (err) memset (out.data, 0, out.length); krb5_k_free_key (NULL, tempkey); return err; } + +krb5_error_code +krb5int_aes_string_to_key(const struct krb5_keytypes *ktp, + const krb5_data *string, + const krb5_data *salt, + const krb5_data *params, + krb5_keyblock *key) +{ + return pbkdf2_string_to_key(ktp, string, salt, NULL, params, key); +} + +krb5_error_code +krb5int_peppered_string_to_key(const struct krb5_keytypes *ktp, + const krb5_data *string, + const krb5_data *salt, + const krb5_data *params, + krb5_keyblock *key) +{ + krb5_data pepper = string2data(ktp->name); + + return pbkdf2_string_to_key(ktp, string, salt, &pepper, params, key); +} + diff --git a/src/lib/crypto/krb/etypes.c b/src/lib/crypto/krb/etypes.c index ad2db1c..595dc1c 100644 --- a/src/lib/crypto/krb/etypes.c +++ b/src/lib/crypto/krb/etypes.c @@ -160,7 +160,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { &krb5int_enc_aes128_ctr, NULL, 16, krb5int_ccm_crypto_length, krb5int_ccm_encrypt, krb5int_ccm_decrypt, - krb5int_aes_string_to_key, + krb5int_aes_ccm_string_to_key, krb5int_ccm_prf, CKSUMTYPE_CMAC_128_AES128, 0 /*flags*/ }, @@ -170,7 +170,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { &krb5int_enc_aes256_ctr, NULL, 16, krb5int_ccm_crypto_length, krb5int_ccm_encrypt, krb5int_ccm_decrypt, - krb5int_aes_string_to_key, + krb5int_aes_ccm_string_to_key, krb5int_ccm_prf, CKSUMTYPE_CMAC_128_AES256, 0 /*flags */ }, @@ -201,7 +201,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { &krb5int_enc_camellia128_ctr, NULL, 16, krb5int_ccm_crypto_length, krb5int_ccm_encrypt, krb5int_ccm_decrypt, - krb5int_camellia_string_to_key, + krb5int_camellia_ccm_string_to_key, krb5int_ccm_prf, CKSUMTYPE_CMAC_128_CAMELLIA128, 0 /*flags*/ }, @@ -211,7 +211,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { &krb5int_enc_camellia256_ctr, NULL, 16, krb5int_ccm_crypto_length, krb5int_ccm_encrypt, krb5int_ccm_decrypt, - krb5int_camellia_string_to_key, + krb5int_camellia_ccm_string_to_key, krb5int_ccm_prf, CKSUMTYPE_CMAC_128_CAMELLIA256, 0 /*flags */ }, |