diff options
author | Greg Hudson <ghudson@mit.edu> | 2009-12-10 17:10:10 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2009-12-10 17:10:10 +0000 |
commit | bad149c2a94f20df57f9d51810aff23aeb0921a4 (patch) | |
tree | 9a023564d65fe8c46bcc330f950b37b919599c03 /src/lib/crypto/krb/dk | |
parent | 009463e22f989a287835228459487c64dcb0b8b3 (diff) | |
download | krb5-bad149c2a94f20df57f9d51810aff23aeb0921a4.zip krb5-bad149c2a94f20df57f9d51810aff23aeb0921a4.tar.gz krb5-bad149c2a94f20df57f9d51810aff23aeb0921a4.tar.bz2 |
Restructure the crypto checksum implementation to minimize
dependencies on the internals of modules.
* Keyhash providers are gone.
* The cksumtypes table contains checksum and verify functions,
similar to the etypes encrypt and decrypt functions. New checksum
functions parallel the old keyhash providers, and there are also
functions for unkeyed and derived-key HMAC checksums.
* The flags field is now used to indicate whether a checksum is
unkeyed, but not whether it is a derived-key HMAC checksum.
* The descbc checksum is handled through a new enc_provider function
which calculates a CBC MAC.
The OpenSSL module does not implement the CBC MAC function (it didn't
implement descbc before). builtin/des could probably get rid of
f_cksum.c (the old DES CBC routine) with some alterations to
string2key.c.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23462 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/crypto/krb/dk')
-rw-r--r-- | src/lib/crypto/krb/dk/checksum.c | 30 | ||||
-rw-r--r-- | src/lib/crypto/krb/dk/deps | 18 | ||||
-rw-r--r-- | src/lib/crypto/krb/dk/dk.h | 9 |
3 files changed, 25 insertions, 32 deletions
diff --git a/src/lib/crypto/krb/dk/checksum.c b/src/lib/crypto/krb/dk/checksum.c index dee4f47..3dbde10 100644 --- a/src/lib/crypto/krb/dk/checksum.c +++ b/src/lib/crypto/krb/dk/checksum.c @@ -28,15 +28,15 @@ #include "k5-int.h" #include "etypes.h" #include "dk.h" -#include "aead.h" +#include "cksumtypes.h" #define K5CLENGTH 5 /* 32 bit net byte order integer + one byte seed */ krb5_error_code -krb5int_dk_make_checksum(const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_crypto_iov *data, size_t num_data, - krb5_data *output) +krb5int_dk_checksum(const struct krb5_cksumtypes *ctp, + krb5_key key, krb5_keyusage usage, + const krb5_crypto_iov *data, size_t num_data, + krb5_data *output) { const struct krb5_keytypes *ktp; const struct krb5_enc_provider *enc; @@ -45,32 +45,24 @@ krb5int_dk_make_checksum(const struct krb5_hash_provider *hash, krb5_data datain; krb5_key kc; + /* Use the key's enctype (more flexible than setting an enctype in ctp). */ ktp = find_enctype(key->keyblock.enctype); if (ktp == NULL) return KRB5_BAD_ENCTYPE; enc = ktp->enc; - - /* - * key->length will be tested in enc->encrypt. - * output->length will be tested in krb5int_hmac. - */ + if (key->keyblock.length != enc->keylength) + return KRB5_BAD_KEYSIZE; /* Derive the key. */ - - datain.data = (char *) constantdata; - datain.length = K5CLENGTH; - + datain = make_data(constantdata, K5CLENGTH); store_32_be(usage, constantdata); - - datain.data[4] = (char) 0x99; - + constantdata[4] = (char) 0x99; ret = krb5int_derive_key(enc, key, &kc, &datain); if (ret) return ret; /* Hash the data. */ - - ret = krb5int_hmac(hash, kc, data, num_data, output); + ret = krb5int_hmac(ctp->hash, kc, data, num_data, output); if (ret) memset(output->data, 0, output->length); diff --git a/src/lib/crypto/krb/dk/deps b/src/lib/crypto/krb/dk/deps index 1fa446a..029fe6a 100644 --- a/src/lib/crypto/krb/dk/deps +++ b/src/lib/crypto/krb/dk/deps @@ -4,15 +4,15 @@ checksum.so checksum.po $(OUTPRE)checksum.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(srcdir)/../aead.h $(srcdir)/../cksumtypes.h \ - $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ - $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h checksum.c dk.h + $(COM_ERR_DEPS) $(srcdir)/../cksumtypes.h $(srcdir)/../etypes.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + checksum.c dk.h dk_aead.so dk_aead.po $(OUTPRE)dk_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../aead.h \ diff --git a/src/lib/crypto/krb/dk/dk.h b/src/lib/crypto/krb/dk/dk.h index 5e00268..0fdd984 100644 --- a/src/lib/crypto/krb/dk/dk.h +++ b/src/lib/crypto/krb/dk/dk.h @@ -27,6 +27,7 @@ #include "k5-int.h" #include "etypes.h" +#include "cksumtypes.h" unsigned int krb5int_dk_crypto_length(const struct krb5_keytypes *ktp, @@ -69,10 +70,10 @@ krb5int_derive_key(const struct krb5_enc_provider *enc, const krb5_data *in_constant); krb5_error_code -krb5int_dk_make_checksum(const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_crypto_iov *data, size_t num_data, - krb5_data *output); +krb5int_dk_checksum(const struct krb5_cksumtypes *ctp, + krb5_key key, krb5_keyusage usage, + const krb5_crypto_iov *data, size_t num_data, + krb5_data *output); krb5_error_code krb5int_derive_random(const struct krb5_enc_provider *enc, |