Diffstat (limited to 'src/lib/crypto/krb/arcfour')
-rw-r--r--src/lib/crypto/krb/arcfour/arcfour.c179
-rw-r--r--src/lib/crypto/krb/arcfour/arcfour.h37
-rw-r--r--src/lib/crypto/krb/arcfour/arcfour_aead.c65
-rw-r--r--src/lib/crypto/krb/arcfour/arcfour_s2k.c2
-rw-r--r--src/lib/crypto/krb/arcfour/deps43
5 files changed, 59 insertions, 267 deletions
diff --git a/src/lib/crypto/krb/arcfour/arcfour.c b/src/lib/crypto/krb/arcfour/arcfour.c
index eb80124..c8b478f 100644
--- a/src/lib/crypto/krb/arcfour/arcfour.c
+++ b/src/lib/crypto/krb/arcfour/arcfour.c
@@ -13,15 +13,6 @@
const char l40[] = "fortybits";
-void
-krb5int_arcfour_encrypt_length(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- size_t inputlen, size_t *length)
-{
- /* checksum + (confounder + inputlen, in even blocksize) */
- *length = hash->hashsize + krb5_roundup(8 + inputlen, enc->block_size);
-}
-
krb5_keyusage
krb5int_arcfour_translate_usage(krb5_keyusage usage)
{
@@ -93,173 +84,3 @@ krb5int_arcfour_enc_key(const struct krb5_enc_provider *enc,
krb5int_c_free_keyblock(NULL, trunc_keyblock);
return ret;
}
-
-krb5_error_code
-krb5int_arcfour_encrypt(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage usage,
- const krb5_data *ivec, const krb5_data *input,
- krb5_data *output)
-{
- krb5_keyblock *usage_keyblock = NULL, *enc_keyblock = NULL;
- krb5_key enc_key;
- krb5_data plaintext = empty_data();
- krb5_data checksum, ciphertext, confounder;
- krb5_error_code ret;
- unsigned int plainlen;
-
- /* Allocate buffers. */
- plainlen = krb5_roundup(input->length + CONFOUNDERLENGTH, enc->block_size);
- ret = alloc_data(&plaintext, plainlen);
- if (ret != 0)
- goto cleanup;
- ret = krb5int_c_init_keyblock(NULL, key->keyblock.enctype, enc->keybytes,
- &usage_keyblock);
- if (ret != 0)
- goto cleanup;
- ret = krb5int_c_init_keyblock(NULL, key->keyblock.enctype, enc->keybytes,
- &enc_keyblock);
- if (ret != 0)
- goto cleanup;
-
- /* Set up subsets of output and plaintext. */
- checksum = make_data(output->data, hash->hashsize);
- ciphertext = make_data(output->data + hash->hashsize, plainlen);
- confounder = make_data(plaintext.data, CONFOUNDERLENGTH);
-
- /* Derive a usage key from the session key and usage. */
- ret = krb5int_arcfour_usage_key(enc, hash, &key->keyblock, usage,
- usage_keyblock);
- if (ret != 0)
- goto cleanup;
-
- /* Compose a confounder with the input data to form the plaintext. */
- ret = krb5_c_random_make_octets(NULL, &confounder);
- memcpy(plaintext.data + confounder.length, input->data, input->length);
- if (ret)
- goto cleanup;
-
- /* Compute HMAC(usage key, plaintext) to get the checksum. */
- ret = krb5int_hmac_keyblock(hash, usage_keyblock, 1, &plaintext,
- &checksum);
- if (ret)
- goto cleanup;
-
- /* Derive the encryption key from the usage key and checksum. */
- ret = krb5int_arcfour_enc_key(enc, hash, usage_keyblock, &checksum,
- enc_keyblock);
- if (ret)
- goto cleanup;
-
- /* Encrypt the plaintext. */
- ret = krb5_k_create_key(NULL, enc_keyblock, &enc_key);
- if (ret)
- goto cleanup;
- ret = (*enc->encrypt)(enc_key, ivec, &plaintext, &ciphertext);
- krb5_k_free_key(NULL, enc_key);
- if (ret)
- goto cleanup;
-
- output->length = plainlen + hash->hashsize;
-
-cleanup:
- krb5int_c_free_keyblock(NULL, usage_keyblock);
- krb5int_c_free_keyblock(NULL, enc_keyblock);
- zapfree(plaintext.data, plaintext.length);
- return ret;
-}
-
-krb5_error_code
-krb5int_arcfour_decrypt(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key, krb5_keyusage usage,
- const krb5_data *ivec, const krb5_data *input,
- krb5_data *output)
-{
- krb5_keyblock *usage_keyblock = NULL, *enc_keyblock = NULL;
- krb5_data plaintext = empty_data(), comp_checksum = empty_data();
- krb5_data checksum, ciphertext;
- krb5_key enc_key;
- krb5_error_code ret;
-
- /* Set up subsets of input. */
- checksum = make_data(input->data, hash->hashsize);
- ciphertext = make_data(input->data + hash->hashsize,
- input->length - hash->hashsize);
-
- /* Allocate buffers. */
- ret = alloc_data(&plaintext, ciphertext.length);
- if (ret != 0)
- goto cleanup;
- ret = alloc_data(&comp_checksum, hash->hashsize);
- if (ret != 0)
- goto cleanup;
- ret = krb5int_c_init_keyblock(NULL, key->keyblock.enctype, enc->keybytes,
- &usage_keyblock);
- if (ret != 0)
- goto cleanup;
- ret = krb5int_c_init_keyblock(NULL, key->keyblock.enctype, enc->keybytes,
- &enc_keyblock);
- if (ret != 0)
- goto cleanup;
-
- /* We may have to try two usage values; see below. */
- do {
- /* Derive a usage key from the session key and usage. */
- ret = krb5int_arcfour_usage_key(enc, hash, &key->keyblock, usage,
- usage_keyblock);
- if (ret != 0)
- goto cleanup;
-
- /* Derive the encryption key from the usage key and checksum. */
- ret = krb5int_arcfour_enc_key(enc, hash, usage_keyblock, &checksum,
- enc_keyblock);
- if (ret)
- goto cleanup;
-
- /* Decrypt the ciphertext. */
- ret = krb5_k_create_key(NULL, enc_keyblock, &enc_key);
- if (ret)
- goto cleanup;
- ret = (*enc->decrypt)(enc_key, ivec, &ciphertext, &plaintext);
- krb5_k_free_key(NULL, enc_key);
- if (ret)
- goto cleanup;
-
- /* Compute HMAC(usage key, plaintext) to get the checksum. */
- ret = krb5int_hmac_keyblock(hash, usage_keyblock, 1, &plaintext,
- &comp_checksum);
- if (ret)
- goto cleanup;
-
- if (memcmp(checksum.data, comp_checksum.data, hash->hashsize) != 0) {
- if (usage == 9) {
- /*
- * RFC 4757 specifies usage 8 for TGS-REP encrypted
- * parts encrypted in a subkey, but the value used by MS
- * is actually 9. We now use 9 to start with, but fall
- * back to 8 on failure in case we are communicating
- * with a KDC using the value from the RFC.
- */
- usage = 8;
- continue;
- }
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
- goto cleanup;
- }
-
- break;
- } while (1);
-
- /* Remove the confounder from the plaintext to get the output. */
- memcpy(output->data, plaintext.data + CONFOUNDERLENGTH,
- plaintext.length - CONFOUNDERLENGTH);
- output->length = plaintext.length - CONFOUNDERLENGTH;
-
-cleanup:
- krb5int_c_free_keyblock(NULL, usage_keyblock);
- krb5int_c_free_keyblock(NULL, enc_keyblock);
- zapfree(plaintext.data, plaintext.length);
- zapfree(comp_checksum.data, comp_checksum.length);
- return ret;
-}
diff --git a/src/lib/crypto/krb/arcfour/arcfour.h b/src/lib/crypto/krb/arcfour/arcfour.h
index 6419338..7ec0d77 100644
--- a/src/lib/crypto/krb/arcfour/arcfour.h
+++ b/src/lib/crypto/krb/arcfour/arcfour.h
@@ -2,39 +2,30 @@
#ifndef ARCFOUR_H
#define ARCFOUR_H
-extern void
-krb5int_arcfour_encrypt_length(const struct krb5_enc_provider *,
- const struct krb5_hash_provider *,
- size_t,
- size_t *);
+#include "etypes.h"
-extern krb5_error_code
-krb5int_arcfour_encrypt(const struct krb5_enc_provider *,
- const struct krb5_hash_provider *,
- krb5_key,
- krb5_keyusage,
- const krb5_data *,
- const krb5_data *,
- krb5_data *);
+unsigned int
+krb5int_arcfour_crypto_length(const struct krb5_keytypes *ktp,
+ krb5_cryptotype type);
-extern krb5_error_code
-krb5int_arcfour_decrypt(const struct krb5_enc_provider *,
- const struct krb5_hash_provider *,
- krb5_key,
- krb5_keyusage,
- const krb5_data *,
- const krb5_data *,
- krb5_data *);
+krb5_error_code
+krb5int_arcfour_encrypt(const struct krb5_keytypes *ktp, krb5_key key,
+ krb5_keyusage usage, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data);
+
+krb5_error_code
+krb5int_arcfour_decrypt(const struct krb5_keytypes *ktp, krb5_key key,
+ krb5_keyusage usage, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data);
extern krb5_error_code
krb5int_arcfour_string_to_key(
- const struct krb5_enc_provider *,
+ const struct krb5_keytypes *,
const krb5_data *,
const krb5_data *,
const krb5_data *,
krb5_keyblock *);
extern const struct krb5_enc_provider krb5int_enc_arcfour;
-extern const struct krb5_aead_provider krb5int_aead_arcfour;
#endif /* ARCFOUR_H */
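Review bot: The `krb5int_arcfour_string_to_key` prototype keeps `extern` and unnamed parameters, while the three prototypes added above it drop `extern` and name every parameter. Its first parameter changes type in this hunk, so this is a good moment to align it with the definition in arcfour_s2k.c, which names them `ktp`, `string`, `salt`, `params` and `key`. Naming the first one alone, `const struct krb5_keytypes *ktp,`, would already show readers which argument changed meaning. The same applies to `extern` on `krb5int_enc_arcfour`: use one convention throughout the header.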
diff --git a/src/lib/crypto/krb/arcfour/arcfour_aead.c b/src/lib/crypto/krb/arcfour/arcfour_aead.c
index 0ad7c27..d886235 100644
--- a/src/lib/crypto/krb/arcfour/arcfour_aead.c
+++ b/src/lib/crypto/krb/arcfour/arcfour_aead.c
@@ -34,32 +34,23 @@
/* AEAD */
-static krb5_error_code
-krb5int_arcfour_crypto_length(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_cryptotype type,
- unsigned int *length)
+unsigned int
+krb5int_arcfour_crypto_length(const struct krb5_keytypes *ktp,
+ krb5_cryptotype type)
{
switch (type) {
case KRB5_CRYPTO_TYPE_HEADER:
- *length = hash->hashsize + CONFOUNDERLENGTH;
- break;
+ return ktp->hash->hashsize + CONFOUNDERLENGTH;
case KRB5_CRYPTO_TYPE_PADDING:
- *length = 0;
- break;
case KRB5_CRYPTO_TYPE_TRAILER:
- *length = 0;
- break;
+ return 0;
case KRB5_CRYPTO_TYPE_CHECKSUM:
- *length = hash->hashsize;
- break;
+ return ktp->hash->hashsize;
default:
- assert(0 && "invalid cryptotype passed to krb5int_arcfour_crypto_length");
- break;
+ assert(0 &&
+ "invalid cryptotype passed to krb5int_arcfour_crypto_length");
+ return 0;
}
-
- return 0;
}
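Review bot: In the `default` branch the `assert` is compiled out when NDEBUG is defined, and the `return 0;` that follows is then indistinguishable from the legitimate zero returned for `KRB5_CRYPTO_TYPE_PADDING` and `KRB5_CRYPTO_TYPE_TRAILER`. With the new `unsigned int` return type there is no error channel left, so a caller that sizes a buffer from this value gets no signal for an unsupported type. I would state the contract on the function, for example `/* Returns 0 for unsupported types; the caller must reject unknown cryptotypes first. */`, and confirm that the dispatching code does validate `type` before calling.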
/* Encrypt or decrypt using a keyblock. */
@@ -74,21 +65,18 @@ keyblock_crypt(const struct krb5_enc_provider *enc, krb5_keyblock *keyblock,
if (ret != 0)
return ret;
/* Works for encryption or decryption since arcfour is a stream cipher. */
- ret = enc->encrypt_iov(key, ivec, data, num_data);
+ ret = enc->encrypt(key, ivec, data, num_data);
krb5_k_free_key(NULL, key);
return ret;
}
-static krb5_error_code
-krb5int_arcfour_encrypt_iov(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key,
- krb5_keyusage usage,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+krb5_error_code
+krb5int_arcfour_encrypt(const struct krb5_keytypes *ktp, krb5_key key,
+ krb5_keyusage usage, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
{
+ const struct krb5_enc_provider *enc = ktp->enc;
+ const struct krb5_hash_provider *hash = ktp->hash;
krb5_error_code ret;
krb5_crypto_iov *header, *trailer;
krb5_keyblock *usage_keyblock = NULL, *enc_keyblock = NULL;
@@ -169,16 +157,13 @@ cleanup:
return ret;
}
-static krb5_error_code
-krb5int_arcfour_decrypt_iov(const struct krb5_aead_provider *aead,
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- krb5_key key,
- krb5_keyusage usage,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+krb5_error_code
+krb5int_arcfour_decrypt(const struct krb5_keytypes *ktp, krb5_key key,
+ krb5_keyusage usage, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
{
+ const struct krb5_enc_provider *enc = ktp->enc;
+ const struct krb5_hash_provider *hash = ktp->hash;
krb5_error_code ret;
krb5_crypto_iov *header, *trailer;
krb5_keyblock *usage_keyblock = NULL, *enc_keyblock = NULL;
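Review bot: The usage 9 to 8 retry and the `KRB5KRB_AP_ERR_BAD_INTEGRITY` failure path of the legacy decrypt removed from arcfour.c are not visible here, because the body of `krb5int_arcfour_decrypt` after these declarations lies outside the hunk. Since this function becomes the only arcfour decrypt path, please confirm that the iov body keeps both behaviours; interoperability with KDCs that use the RFC 4757 value depends on the retry. A short comment at the checksum comparison would keep the reason discoverable, for example `/* RFC 4757 says usage 8 for TGS-REP subkey parts, MS uses 9; try 9, then 8. */`. If that comparison still uses `memcmp` as the removed code did, a constant-time comparison is the safer choice for a MAC check.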
@@ -270,12 +255,6 @@ cleanup:
return ret;
}
-const struct krb5_aead_provider krb5int_aead_arcfour = {
- krb5int_arcfour_crypto_length,
- krb5int_arcfour_encrypt_iov,
- krb5int_arcfour_decrypt_iov
-};
-
krb5_error_code
krb5int_arcfour_gsscrypt(const krb5_keyblock *keyblock, krb5_keyusage usage,
const krb5_data *kd_data, krb5_crypto_iov *data,
diff --git a/src/lib/crypto/krb/arcfour/arcfour_s2k.c b/src/lib/crypto/krb/arcfour/arcfour_s2k.c
index dbb7f45..b77738e 100644
--- a/src/lib/crypto/krb/arcfour/arcfour_s2k.c
+++ b/src/lib/crypto/krb/arcfour/arcfour_s2k.c
@@ -9,7 +9,7 @@
#endif
krb5_error_code
-krb5int_arcfour_string_to_key(const struct krb5_enc_provider *enc,
+krb5int_arcfour_string_to_key(const struct krb5_keytypes *ktp,
const krb5_data *string, const krb5_data *salt,
const krb5_data *params, krb5_keyblock *key)
{
diff --git a/src/lib/crypto/krb/arcfour/deps b/src/lib/crypto/krb/arcfour/deps
index d9f47fc..e626ff8 100644
--- a/src/lib/crypto/krb/arcfour/deps
+++ b/src/lib/crypto/krb/arcfour/deps
@@ -4,19 +4,7 @@
arcfour.so arcfour.po $(OUTPRE)arcfour.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../builtin/hash_provider/hash_provider.h \
- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- arcfour-int.h arcfour.c arcfour.h
-arcfour_aead.so arcfour_aead.po $(OUTPRE)arcfour_aead.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(srcdir)/../../builtin/hash_provider/hash_provider.h \
- $(srcdir)/../aead.h $(srcdir)/../cksumtypes.h $(top_srcdir)/include/k5-buf.h \
+ $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \
$(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
$(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
$(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
@@ -24,17 +12,30 @@ arcfour_aead.so arcfour_aead.po $(OUTPRE)arcfour_aead.$(OBJEXT): \
$(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
$(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
$(top_srcdir)/include/socket-utils.h arcfour-int.h \
- arcfour.h arcfour_aead.c
-arcfour_s2k.so arcfour_s2k.po $(OUTPRE)arcfour_s2k.$(OBJEXT): \
+ arcfour.c arcfour.h
+arcfour_aead.so arcfour_aead.po $(OUTPRE)arcfour_aead.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(srcdir)/../../builtin/md4/rsa-md4.h \
+ $(COM_ERR_DEPS) $(srcdir)/../../builtin/hash_provider/hash_provider.h \
+ $(srcdir)/../aead.h $(srcdir)/../cksumtypes.h $(srcdir)/../etypes.h \
$(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
$(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
$(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
$(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/k5-utf8.h $(top_srcdir)/include/krb5.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
- $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h arcfour-int.h \
- arcfour.h arcfour_s2k.c
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ arcfour-int.h arcfour.h arcfour_aead.c
+arcfour_s2k.so arcfour_s2k.po $(OUTPRE)arcfour_s2k.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(srcdir)/../../builtin/md4/rsa-md4.h \
+ $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-utf8.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ arcfour-int.h arcfour.h arcfour_s2k.c