From 5ffa313d9f6b7c509aa0d7579273150d71ea0f95 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Fri, 4 Dec 2009 05:12:35 +0000 Subject: Consolidate the IOV and non-IOV encryption/decryption code paths, and drop the _iov suffix from most encryption- and decryption-related functions. The enc_provider encrypt and decrypt functions take IOVs, as do the enctype entries in etypes.c, and there are no separate encrypt_iov or decrypt_iov functions. aead_provider is gone. Enctype functions now take pointers to the enctype entry instead of pointers to the enc/hash/aead providers; this allows dk_encrypt and dk_decrypt to be polymorphic in the length function they use now that AES and DES3 can't differentiate by aead provider. aes_string_to_key needed to be moved into the krb/ fold for this since it's an enctype function; it was duplicated between builtin/ and openssl/ before. This leaves openssl/aes empty; the build system currently demands that all modules have the same directory structure, so the directory and Makefile will stick around for now. Three separate copies of the derive_random logic are also now consolidated into one. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23444 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/crypto/krb/old/Makefile.in | 7 +- src/lib/crypto/krb/old/deps | 55 ++++-------- src/lib/crypto/krb/old/des_stringtokey.c | 9 +- src/lib/crypto/krb/old/old.h | 30 +++---- src/lib/crypto/krb/old/old_aead.c | 61 +++++-------- src/lib/crypto/krb/old/old_decrypt.c | 144 ------------------------------- src/lib/crypto/krb/old/old_encrypt.c | 111 ------------------------ 7 files changed, 59 insertions(+), 358 deletions(-) delete mode 100644 src/lib/crypto/krb/old/old_decrypt.c delete mode 100644 src/lib/crypto/krb/old/old_encrypt.c (limited to 'src/lib/crypto/krb/old') diff --git a/src/lib/crypto/krb/old/Makefile.in b/src/lib/crypto/krb/old/Makefile.in index aadeacc..cc3c7f6 100644 --- a/src/lib/crypto/krb/old/Makefile.in 
+++ b/src/lib/crypto/krb/old/Makefile.in @@ -12,12 +12,11 @@ PROG_RPATH=$(KRB5_LIBDIR) RUN_SETUP = @KRB5_RUN_ENV@ KRB5_CONFIG=$(top_srcdir)/config-files/krb5.conf -STLIBOBJS= old_aead.o old_decrypt.o old_encrypt.o des_stringtokey.o +STLIBOBJS= old_aead.o des_stringtokey.o -OBJS= $(OUTPRE)des_stringtokey.$(OBJEXT) $(OUTPRE)old_aead.$(OBJEXT) $(OUTPRE)old_decrypt.$(OBJEXT) $(OUTPRE)old_encrypt.$(OBJEXT) +OBJS= $(OUTPRE)des_stringtokey.$(OBJEXT) $(OUTPRE)old_aead.$(OBJEXT) -SRCS= $(srcdir)/des_stringtokey.c $(srcdir)/old_aead.c \ - $(srcdir)/old_decrypt.c $(srcdir)/old_encrypt.c +SRCS= $(srcdir)/des_stringtokey.c $(srcdir)/old_aead.c ##DOS##LIBOBJS = $(OBJS) diff --git a/src/lib/crypto/krb/old/deps b/src/lib/crypto/krb/old/deps index de435ee..448acd9 100644 --- a/src/lib/crypto/krb/old/deps +++ b/src/lib/crypto/krb/old/deps 
@@ -5,45 +5,24 @@ des_stringtokey.so des_stringtokey.po $(OUTPRE)des_stringtokey.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ $(COM_ERR_DEPS) $(srcdir)/../../builtin/des/des_int.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - des_stringtokey.c old.h + $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ + $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h des_stringtokey.c \ + old.h old_aead.so old_aead.po $(OUTPRE)old_aead.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ $(COM_ERR_DEPS) $(srcdir)/../aead.h $(srcdir)/../cksumtypes.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/krb5.h 
$(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - old.h old_aead.c -old_decrypt.so old_decrypt.po $(OUTPRE)old_decrypt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - old.h old_decrypt.c -old_encrypt.so old_encrypt.po $(OUTPRE)old_encrypt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - old.h old_encrypt.c + $(srcdir)/../etypes.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + 
$(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ + $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h old.h old_aead.c diff --git a/src/lib/crypto/krb/old/des_stringtokey.c b/src/lib/crypto/krb/old/des_stringtokey.c index 6f49166..71ee0de 100644 --- a/src/lib/crypto/krb/old/des_stringtokey.c +++ b/src/lib/crypto/krb/old/des_stringtokey.c @@ -36,13 +36,12 @@ extern krb5_error_code mit_des_string_to_key_int const krb5_data * salt); krb5_error_code -krb5int_des_string_to_key(const struct krb5_enc_provider *enc, - const krb5_data *string, - const krb5_data *salt, const krb5_data *parm, - krb5_keyblock *key) +krb5int_des_string_to_key(const struct krb5_keytypes *ktp, + const krb5_data *string, const krb5_data *salt, + const krb5_data *parm, krb5_keyblock *key) { int type; - if (parm ) { + if (parm) { if (parm->length != 1) return KRB5_ERR_BAD_S2K_PARAMS; type = parm->data[0]; diff --git a/src/lib/crypto/krb/old/old.h b/src/lib/crypto/krb/old/old.h index 58f4f5a..d092686 100644 --- a/src/lib/crypto/krb/old/old.h +++ b/src/lib/crypto/krb/old/old.h 
@@ -26,28 +26,24 @@ */ #include "k5-int.h" +#include "etypes.h" -void krb5int_old_encrypt_length(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - size_t input, size_t *length); +unsigned int +krb5int_old_crypto_length(const struct krb5_keytypes *ktp, + krb5_cryptotype type); -krb5_error_code krb5int_old_encrypt(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, - const krb5_data *input, krb5_data *output); +krb5_error_code +krb5int_old_encrypt(const struct krb5_keytypes *ktp, krb5_key key, + krb5_keyusage usage, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data); -krb5_error_code krb5int_old_decrypt(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, - const krb5_data *input, - krb5_data *arg_output); +krb5_error_code +krb5int_old_decrypt(const struct krb5_keytypes *ktp, krb5_key key, + krb5_keyusage usage, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data); -krb5_error_code krb5int_des_string_to_key(const struct krb5_enc_provider *enc, +krb5_error_code krb5int_des_string_to_key(const struct krb5_keytypes *ktp, const krb5_data *string, const krb5_data *salt, const krb5_data *params, krb5_keyblock *key); - -extern const struct krb5_aead_provider krb5int_aead_old; diff --git a/src/lib/crypto/krb/old/old_aead.c b/src/lib/crypto/krb/old/old_aead.c index 5249188..c72faeb 100644 --- a/src/lib/crypto/krb/old/old_aead.c +++ b/src/lib/crypto/krb/old/old_aead.c 
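Review bot: The rewritten prototypes for krb5int_old_encrypt and krb5int_old_decrypt in old.h have no comment describing the new calling convention, and the change from separate `input`/`output` buffers to `krb5_crypto_iov *data, size_t num_data` shifts the buffer-sizing responsibility onto the caller. Since there is no longer an output length for the function to check against, the header should say which IOV entries are required and where their lengths come from. A comment above the pair would do, for example `/* Operate on the IOV array in place; the caller sizes the header, padding and trailer entries with krb5int_old_crypto_length(). */`. Whether the implementations reject undersized entries cannot be seen from the header, so the comment should match what old_aead.c actually enforces.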
@@ -30,42 +30,32 @@ #include "old.h" #include "aead.h" -static krb5_error_code -krb5int_old_crypto_length(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_cryptotype type, - unsigned int *length) +unsigned int +krb5int_old_crypto_length(const struct krb5_keytypes *ktp, + krb5_cryptotype type) { switch (type) { case KRB5_CRYPTO_TYPE_HEADER: - *length = enc->block_size + hash->hashsize; - break; + return ktp->enc->block_size + ktp->hash->hashsize; case KRB5_CRYPTO_TYPE_PADDING: - *length = enc->block_size; - break; + return ktp->enc->block_size; case KRB5_CRYPTO_TYPE_TRAILER: - *length = 0; - break; + return 0; case KRB5_CRYPTO_TYPE_CHECKSUM: - *length = hash->hashsize; - break; + return ktp->hash->hashsize; default: assert(0 && "invalid cryptotype passed to krb5int_old_crypto_length"); - break; + return 0; } - - return 0; } -static krb5_error_code -krb5int_old_encrypt_iov(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, krb5_crypto_iov *data, - size_t num_data) +krb5_error_code +krb5int_old_encrypt(const struct krb5_keytypes *ktp, krb5_key key, + krb5_keyusage usage, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data) { + const struct krb5_enc_provider *enc = ktp->enc; + const struct krb5_hash_provider *hash = ktp->hash; krb5_error_code ret; krb5_crypto_iov *header, *trailer, *padding; krb5_data checksum, confounder, crcivec = empty_data(); @@ -122,7 +112,7 @@ krb5int_old_encrypt_iov(const struct krb5_aead_provider *aead, ivec = &crcivec; } - ret = enc->encrypt_iov(key, ivec, data, num_data); + ret = enc->encrypt(key, ivec, data, num_data); if (ret != 0) goto cleanup; 
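Review bot: In the `default:` branch of krb5int_old_crypto_length, an unrecognized cryptotype now produces `return 0` once `assert` is compiled out, and that value cannot be told apart from the legitimate `KRB5_CRYPTO_TYPE_TRAILER` result. The new `unsigned int` signature has no error channel, so a caller that sizes a buffer from this value gets no signal that the type was wrong. The function is also no longer `static`, so the contract should be written down where it is defined, for example `/* Returns 0 for an unrecognized type when assertions are disabled; callers must pass only HEADER, PADDING, TRAILER or CHECKSUM. */`. The body of krb5int_old_encrypt, which begins in this hunk, continues outside it.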
@@ -131,14 +121,13 @@ cleanup: return ret; } -static krb5_error_code -krb5int_old_decrypt_iov(const struct krb5_aead_provider *aead, - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, krb5_keyusage usage, - const krb5_data *ivec, krb5_crypto_iov *data, - size_t num_data) +krb5_error_code +krb5int_old_decrypt(const struct krb5_keytypes *ktp, krb5_key key, + krb5_keyusage usage, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data) { + const struct krb5_enc_provider *enc = ktp->enc; + const struct krb5_hash_provider *hash = ktp->hash; krb5_error_code ret; krb5_crypto_iov *header, *trailer; krb5_data checksum, crcivec = empty_data(); @@ -173,7 +162,7 @@ krb5int_old_decrypt_iov(const struct krb5_aead_provider *aead, } /* Decrypt the ciphertext. */ - ret = enc->decrypt_iov(key, ivec, data, num_data); + ret = enc->decrypt(key, ivec, data, num_data); if (ret != 0) goto cleanup; @@ -201,9 +190,3 @@ cleanup: zapfree(saved_checksum, hash->hashsize); return ret; } - -const struct krb5_aead_provider krb5int_aead_old = { - krb5int_old_crypto_length, - krb5int_old_encrypt_iov, - krb5int_old_decrypt_iov -}; diff --git a/src/lib/crypto/krb/old/old_decrypt.c b/src/lib/crypto/krb/old/old_decrypt.c deleted file mode 100644 index 47996be..0000000 --- a/src/lib/crypto/krb/old/old_decrypt.c +++ /dev/null 
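Review bot: The checksum comparison in krb5int_old_decrypt is worth confirming as part of this change, because with old_decrypt.c deleted this function is the only decrypt path left for these enctypes. The comparison itself is outside these hunks. The deleted non-IOV version compared the recomputed and saved checksums with `memcmp`, which stops at the first differing byte; if the retained body does the same, a comparison whose running time does not depend on the data would be the safer choice. Separately, `ktp->enc` and `ktp->hash` are now read in the declarations with no check, so a comment such as `/* ktp must be an enctype entry with non-NULL enc and hash. */` above the function would make that precondition explicit. The function body starts and ends outside the hunks shown here.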
@@ -1,144 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright (C) 1998 by the FundsXpress, INC. - * - * All rights reserved. - * - * Export of this software from the United States of America may require - * a specific license from the United States Government. It is the - * responsibility of any person or organization contemplating export to - * obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of FundsXpress. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. FundsXpress makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
- */ - -#include "k5-int.h" -#include "old.h" - -krb5_error_code -krb5int_old_decrypt(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, - krb5_keyusage usage, - const krb5_data *ivec, - const krb5_data *input, - krb5_data *arg_output) -{ - krb5_error_code ret; - size_t blocksize, hashsize, plainsize; - unsigned char *cksumdata, *cn; - krb5_data output, cksum, crcivec; - int alloced; - - blocksize = enc->block_size; - hashsize = hash->hashsize; - - plainsize = input->length - blocksize - hashsize; - - if (arg_output->length < plainsize) - return(KRB5_BAD_MSIZE); - - /* if there's enough space to work in the app buffer, use it, - otherwise allocate our own */ - - if ((cksumdata = (unsigned char *) malloc(hashsize)) == NULL) - return(ENOMEM); - - if (arg_output->length < input->length) { - output.length = input->length; - - if ((output.data = (char *) malloc(output.length)) == NULL) { - free(cksumdata); - return(ENOMEM); - } - - alloced = 1; - } else { - output.length = input->length; - - output.data = arg_output->data; - - alloced = 0; - } - - /* decrypt it */ - - /* save last ciphertext block in case we decrypt in place */ - if (ivec != NULL && ivec->length == blocksize) { - cn = malloc(blocksize); - if (cn == NULL) { - ret = ENOMEM; - goto cleanup; - } - memcpy(cn, input->data + input->length - blocksize, blocksize); - } else - cn = NULL; - - /* XXX this is gross, but I don't have much choice */ - if ((key->keyblock.enctype == ENCTYPE_DES_CBC_CRC) && (ivec == 0)) { - crcivec.length = key->keyblock.length; - crcivec.data = (char *) key->keyblock.contents; - ivec = &crcivec; - } - - if ((ret = ((*(enc->decrypt))(key, ivec, input, &output)))) - goto cleanup; - - /* verify the checksum */ - - memcpy(cksumdata, output.data+blocksize, hashsize); - memset(output.data+blocksize, 0, hashsize); - - cksum.length = hashsize; - cksum.data = output.data+blocksize; - - if ((ret = ((*(hash->hash))(1, &output, &cksum)))) - goto cleanup; - 
- if (memcmp(cksum.data, cksumdata, cksum.length) != 0) { - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; - goto cleanup; - } - - /* copy the plaintext around */ - - if (alloced) { - memcpy(arg_output->data, output.data+blocksize+hashsize, - plainsize); - } else { - memmove(arg_output->data, arg_output->data+blocksize+hashsize, - plainsize); - } - arg_output->length = plainsize; - - /* update ivec */ - if (cn != NULL) - memcpy(ivec->data, cn, blocksize); - - ret = 0; - -cleanup: - if (alloced) { - memset(output.data, 0, output.length); - free(output.data); - } - - if (cn != NULL) - free(cn); - memset(cksumdata, 0, hashsize); - free(cksumdata); - return(ret); -} diff --git a/src/lib/crypto/krb/old/old_encrypt.c b/src/lib/crypto/krb/old/old_encrypt.c deleted file mode 100644 index 1903a6c..0000000 --- a/src/lib/crypto/krb/old/old_encrypt.c +++ /dev/null 
@@ -1,111 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright (C) 1998 by the FundsXpress, INC. - * - * All rights reserved. - * - * Export of this software from the United States of America may require - * a specific license from the United States Government. It is the - * responsibility of any person or organization contemplating export to - * obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of FundsXpress. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. FundsXpress makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
- */ - -#include "k5-int.h" -#include "old.h" - -void -krb5int_old_encrypt_length(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - size_t inputlen, - size_t *length) -{ - size_t blocksize, hashsize; - - blocksize = enc->block_size; - hashsize = hash->hashsize; - - *length = krb5_roundup(blocksize+hashsize+inputlen, blocksize); -} - -krb5_error_code -krb5int_old_encrypt(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - krb5_key key, - krb5_keyusage usage, - const krb5_data *ivec, - const krb5_data *input, - krb5_data *output) -{ - krb5_error_code ret; - size_t blocksize, hashsize, enclen; - krb5_data datain, crcivec; - int real_ivec; - - blocksize = enc->block_size; - hashsize = hash->hashsize; - - krb5int_old_encrypt_length(enc, hash, input->length, &enclen); - - if (output->length < enclen) - return(KRB5_BAD_MSIZE); - - output->length = enclen; - - /* fill in confounded, padded, plaintext buffer with zero checksum */ - - memset(output->data, 0, output->length); - - datain.length = blocksize; - datain.data = output->data; - - if ((ret = krb5_c_random_make_octets(/* XXX */ 0, &datain))) - return(ret); - memcpy(output->data+blocksize+hashsize, input->data, input->length); - - /* compute the checksum */ - - datain.length = hashsize; - datain.data = output->data+blocksize; - - if ((ret = ((*(hash->hash))(1, output, &datain)))) - goto cleanup; - - /* encrypt it */ - - /* XXX this is gross, but I don't have much choice */ - if ((key->keyblock.enctype == ENCTYPE_DES_CBC_CRC) && (ivec == 0)) { - crcivec.length = key->keyblock.length; - crcivec.data = (char *) key->keyblock.contents; - ivec = &crcivec; - real_ivec = 0; - } else - real_ivec = 1; - - if ((ret = ((*(enc->encrypt))(key, ivec, output, output)))) - goto cleanup; - - /* update ivec */ - if (real_ivec && ivec != NULL && ivec->length == blocksize) - memcpy(ivec->data, output->data + output->length - blocksize, - blocksize); -cleanup: - if (ret) - 
memset(output->data, 0, output->length); - - return(ret); -} -- cgit v1.1