1 files changed, 63 insertions, 2 deletions

diff --git a/src/lib/crypto/krb/dk/stringtokey.c b/src/lib/crypto/krb/dk/stringtokey.c
index ff436e6..9a49187 100644
--- a/src/lib/crypto/krb/dk/stringtokey.c
+++ b/src/lib/crypto/krb/dk/stringtokey.c
@@ -31,10 +31,11 @@ static const unsigned char kerberos[] = "kerberos";
 #define kerberos_len (sizeof(kerberos)-1)
 
 krb5_error_code
-krb5int_dk_string_to_key(const struct krb5_enc_provider *enc,
+krb5int_dk_string_to_key(const struct krb5_keytypes *ktp,
                          const krb5_data *string, const krb5_data *salt,
                          const krb5_data *parms, krb5_keyblock *keyblock)
 {
+    const struct krb5_enc_provider *enc = ktp->enc;
     krb5_error_code ret;
     size_t keybytes, keylength, concatlen;
     unsigned char *concat = NULL, *foldstring = NULL, *foldkeydata = NULL;
@@ -72,7 +73,7 @@ krb5int_dk_string_to_key(const struct krb5_enc_provider *enc,
     foldkeyblock.length = keylength;
     foldkeyblock.contents = foldkeydata;
 
-    ret = (*enc->make_key)(&indata, &foldkeyblock);
+    ret = enc->make_key(&indata, &foldkeyblock);
     if (ret != 0)
         goto cleanup;
 
@@ -96,3 +97,63 @@ cleanup:
     krb5_k_free_key(NULL, foldkey);
     return ret;
 }
+
+
+#define DEFAULT_ITERATION_COUNT         4096 /* was 0xb000L in earlier drafts */
+#define MAX_ITERATION_COUNT             0x1000000L
+
+krb5_error_code
+krb5int_aes_string_to_key(const struct krb5_keytypes *ktp,
+                          const krb5_data *string,
+                          const krb5_data *salt,
+                          const krb5_data *params,
+                          krb5_keyblock *key)
+{
+    unsigned long iter_count;
+    krb5_data out;
+    static const krb5_data usage = { KV5M_DATA, 8, "kerberos" };
+    krb5_key tempkey = NULL;
+    krb5_error_code err;
+
+    if (params) {
+        unsigned char *p = (unsigned char *) params->data;
+        if (params->length != 4)
+            return KRB5_ERR_BAD_S2K_PARAMS;
+        /* The first two need casts in case 'int' is 16 bits.  */
+        iter_count = load_32_be(p);
+        if (iter_count == 0) {
+            iter_count = (1UL << 16) << 16;
+            if (((iter_count >> 16) >> 16) != 1)
+                return KRB5_ERR_BAD_S2K_PARAMS;
+        }
+    } else
+        iter_count = DEFAULT_ITERATION_COUNT;
+
+    /* This is not a protocol specification constraint; this is an
+       implementation limit, which should eventually be controlled by
+       a config file.  */
+    if (iter_count >= MAX_ITERATION_COUNT)
+        return KRB5_ERR_BAD_S2K_PARAMS;
+
+    /* Use the output keyblock contents for temporary space. */
+    out.data = (char *) key->contents;
+    out.length = key->length;
+    if (out.length != 16 && out.length != 32)
+        return KRB5_CRYPTO_INTERNAL;
+
+    err = krb5int_pbkdf2_hmac_sha1 (&out, iter_count, string, salt);
+    if (err)
+        goto cleanup;
+
+    err = krb5_k_create_key (NULL, key, &tempkey);
+    if (err)
+        goto cleanup;
+
+    err = krb5int_derive_keyblock(ktp->enc, tempkey, key, &usage);
+
+cleanup:
+    if (err)
+        memset (out.data, 0, out.length);
+    krb5_k_free_key (NULL, tempkey);
+    return err;
+}