lib\Makefile lib\crypto\Makefile \
lib\crypto\krb\crc32\Makefile lib\crypto\builtin\des\Makefile \
lib\crypto\krb\dk\Makefile lib\crypto\builtin\enc_provider\Makefile \
- lib\crypto\krb\hash_provider\Makefile \
+ lib\crypto\builtin\hash_provider\Makefile \
lib\crypto\krb\keyhash_provider\Makefile \
- lib\crypto\krb\raw\Makefile lib\crypto\old\Makefile \
+ lib\crypto\krb\prf\Makefile lib\crypto\krb\rand2key\Makefile \
+ lib\crypto\krb\raw\Makefile lib\crypto\krb\old\Makefile \
lib\crypto\builtin\sha1\Makefile lib\crypto\builtin\arcfour\Makefile \
lib\crypto\builtin\md4\Makefile lib\crypto\builtin\md5\Makefile \
lib\crypto\krb\yarrow\Makefile lib\crypto\builtin\aes\Makefile \
##DOS## $(WCONFIG) config < $@.in > $@
##DOS##lib\crypto\builtin\enc_provider\Makefile: lib\crypto\builtin\enc_provider\Makefile.in $(MKFDEP)
##DOS## $(WCONFIG) config < $@.in > $@
-##DOS##lib\crypto\krb\hash_provider\Makefile: lib\crypto\krb\hash_provider\Makefile.in $(MKFDEP)
+##DOS##lib\crypto\builtin\hash_provider\Makefile: lib\crypto\builtin\hash_provider\Makefile.in $(MKFDEP)
##DOS## $(WCONFIG) config < $@.in > $@
##DOS##lib\crypto\krb\keyhash_provider\Makefile: lib\crypto\krb\keyhash_provider\Makefile.in $(MKFDEP)
##DOS## $(WCONFIG) config < $@.in > $@
config/* include/* include/kerberosIV/* \
include/krb5/* include/krb5/stock/* include/sys/* lib/* \
lib/crypto/* lib/crypto/krb/crc32/* lib/crypto/builtin/des/* lib/crypto/krb/dk/* \
- lib/crypto/builtin/enc_provider/* lib/crypto/krb/hash_provider/* \
- lib/crypto/krb/keyhash_provider/* lib/crypto/krb/old/* lib/crypto/krb/raw/* \
+ lib/crypto/builtin/enc_provider/* lib/crypto/builtin/hash_provider/* \
+ lib/crypto/krb/keyhash_provider/* \
+ lib/crypto/krb/prf/* lib/crypto/krb/rand2key/* \
+ lib/crypto/krb/old/* lib/crypto/krb/raw/* \
lib/crypto/builtin/sha1/* lib/crypto/builtin/arcfour/* lib/crypto/builtin/md4/* \
lib/crypto/builtin/md5/* lib/crypto/krb/yarrow/* \
lib/crypto/builtin/* lib/crypto/krb/* lib/crypto/crypto_tests \
# Generated makefile dependencies follow.
#
$(OUTPRE)kvno.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/krb5.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
+ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
+ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
+ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
+ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
+ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
kvno.c
@if test "$(srcdir)" = "." ; then \
echo 1>&2 error: cannot build dependencies with srcdir=. ; \
echo 1>&2 "(can't distinguish generated files from source files)" ; \
+ echo 1>&2 "Run 'make distclean' and create a separate build dir" ; \
+ exit 1 ; \
+ elif test -f "$(top_srcdir)/include/autoconf.h"; then \
+ echo 1>&2 "error: generated headers found in source tree" ; \
+ echo 1>&2 "Run 'make distclean' in source tree first" ; \
exit 1 ; \
else \
if test -r $(BUILDTOP)/.depend-verify-srcdir; then :; \
lib/crypto lib/crypto/krb lib/crypto/krb/crc32 lib/crypto/builtin/des
lib/crypto/krb/dk lib/crypto/builtin/enc_provider
- lib/crypto/krb/hash_provider lib/crypto/krb/keyhash_provider
+ lib/crypto/builtin/hash_provider lib/crypto/krb/keyhash_provider
+ lib/crypto/krb/prf lib/crypto/krb/rand2key
lib/crypto/builtin lib/crypto/builtin/md4 lib/crypto/builtin/md5
lib/crypto/krb/old lib/crypto/krb/raw lib/crypto/builtin/sha1
lib/crypto/builtin/arcfour lib/crypto/krb/yarrow lib/crypto/builtin/aes
clean::
$(RM) osconf.new $(BUILT_HEADERS)
+distclean::
+ $(RM) autoconf.h
+
install-headers-unix install:: krb5/krb5.h profile.h
$(INSTALL_DATA) $(srcdir)/krb5.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5.h
$(INSTALL_DATA) $(srcdir)/kdb.h $(DESTDIR)$(KRB5_INCDIR)$(S)kdb.h
* Define our view of the size of a DES key.
*/
#define KRB5_MIT_DES_KEYSIZE 8
+#define KRB5_MIT_DES3_KEYSIZE 24
+#define KRB5_MIT_DES3_KEY_BYTES 21
+
/*
* Check if des_int.h has been included before us. If so, then check to see
* that our view of the DES key size is the same as des_int.h's.
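Review bot: The two new constants `KRB5_MIT_DES3_KEYSIZE 24` and `KRB5_MIT_DES3_KEY_BYTES 21` sit under a header comment that only says "Define our view of the size of a DES key", and nothing explains how 24 and 21 relate, so a reader can easily take 21 for a typo. Suggest a comment directly above them, e.g. `/* Three-key triple-DES: 24 key bytes including parity bits; 21 bytes (168 bits) of keying material before parity is added. */`. The triple-DES random-to-key step consumes 21 random bytes and expands them to 24 by inserting parity, which is exactly the pair of numbers being defined here.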
# define K5_BE
#elif defined(_LITTLE_ENDIAN)
# define K5_LE
+#elif defined(__BIG_ENDIAN__) && !defined(__LITTLE_ENDIAN__)
+# define K5_BE
+#elif defined(__LITTLE_ENDIAN__) && !defined(__BIG_ENDIAN__)
+# define K5_LE
#endif
#if !defined(K5_BE) && !defined(K5_LE)
/* Look for some architectures we know about.
As far as I know, only PDP11 and ARM (which we don't handle here)
have strange byte orders where an 8-byte value isn't laid out as
either 12345678 or 87654321. */
-# if defined(__i386__) || defined(_MIPSEL) || defined(__alpha__) || defined(__ia64__)
+# if defined(__i386__) || defined(_MIPSEL) || defined(__alpha__) || (defined(__ia64__) && !defined(__hpux))
# define K5_LE
# endif
-# if defined(__hppa__) || defined(__rs6000__) || defined(__sparc__) || defined(_MIPSEB) || defined(__m68k__) || defined(__sparc64__) || defined(__ppc__) || defined(__ppc64__)
+# if defined(__hppa__) || defined(__rs6000__) || defined(__sparc__) || defined(_MIPSEB) || defined(__m68k__) || defined(__sparc64__) || defined(__ppc__) || defined(__ppc64__) || (defined(__hpux) && defined(__ia64__))
# define K5_BE
# endif
#endif
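Review bot: The new `!defined(__hpux)` term in the little-endian list and the matching `(defined(__hpux) && defined(__ia64__))` term in the big-endian list encode a platform fact — HP-UX runs Itanium big-endian while other ia64 ABIs are little-endian — but the surrounding comment only discusses PDP11 and ARM, so the next reader has to rediscover why ia64 now appears in both lists. Suggest a one-line comment above the first `# if`: `/* ia64 is little-endian except under HP-UX, which runs it big-endian. */`. As written, an ia64 HP-UX build now defines K5_BE instead of being silently classed little-endian, which appears to be the intended fix.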
KADMIN_OBJS = $(COMMON_OBJS) keytab.o
LOCAL_OBJS = $(COMMON_OBJS) keytab_local.o
-SRCS = kadmin.c kadmin_ct.c ss_wrapper.c getdate.c keytab.c
+SRCS = kadmin.c kadmin_ct.c ss_wrapper.c getdate.c keytab.c keytab_local.c
LOCALINCLUDES=-I$(srcdir)
$(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
$(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h kadmin.h keytab.c
+$(OUTPRE)keytab_local.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
+ $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
+ $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h $(SRCTOP)/include/gssrpc/auth.h \
+ $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
+ $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
+ $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
+ $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
+ $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-buf.h \
+ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
+ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
+ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
+ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
+ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
+ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h kadmin.h keytab.c \
+ keytab_local.c
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1994, 2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
/* special struct to convert flag names for principals
to actual krb5_flags for a principal */
struct pflag {
- char *flagname; /* name of flag as typed to CLI */
- int flaglen; /* length of string (not counting -,+) */
- krb5_flags theflag; /* actual principal flag to set/clear */
- int set; /* 0 means clear, 1 means set (on '-') */
+ char *flagname; /* name of flag as typed to CLI */
+ size_t flaglen; /* length of string (not counting -,+) */
+ krb5_flags theflag; /* actual principal flag to set/clear */
+ int set; /* 0 means clear, 1 means set (on '-') */
};
static struct pflag flags[] = {
-{"allow_postdated", 15, KRB5_KDB_DISALLOW_POSTDATED, 1},
-{"allow_forwardable", 17, KRB5_KDB_DISALLOW_FORWARDABLE, 1},
-{"allow_tgs_req", 13, KRB5_KDB_DISALLOW_TGT_BASED, 1},
-{"allow_renewable", 15, KRB5_KDB_DISALLOW_RENEWABLE, 1},
-{"allow_proxiable", 15, KRB5_KDB_DISALLOW_PROXIABLE, 1},
-{"allow_dup_skey", 14, KRB5_KDB_DISALLOW_DUP_SKEY, 1},
-{"allow_tix", 9, KRB5_KDB_DISALLOW_ALL_TIX, 1},
-{"requires_preauth", 16, KRB5_KDB_REQUIRES_PRE_AUTH, 0},
-{"requires_hwauth", 15, KRB5_KDB_REQUIRES_HW_AUTH, 0},
-{"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0},
-{"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1},
-{"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 },
-{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 },
-{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 },
-{"ok_to_auth_as_delegate", 22, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE, 0 },
-{"no_auth_data_required", 21, KRB5_KDB_NO_AUTH_DATA_REQUIRED, 0},
+{"allow_postdated", 15, KRB5_KDB_DISALLOW_POSTDATED, 1 },
+{"allow_forwardable", 17, KRB5_KDB_DISALLOW_FORWARDABLE, 1 },
+{"allow_tgs_req", 13, KRB5_KDB_DISALLOW_TGT_BASED, 1 },
+{"allow_renewable", 15, KRB5_KDB_DISALLOW_RENEWABLE, 1 },
+{"allow_proxiable", 15, KRB5_KDB_DISALLOW_PROXIABLE, 1 },
+{"allow_dup_skey", 14, KRB5_KDB_DISALLOW_DUP_SKEY, 1 },
+{"allow_tix", 9, KRB5_KDB_DISALLOW_ALL_TIX, 1 },
+{"requires_preauth", 16, KRB5_KDB_REQUIRES_PRE_AUTH, 0 },
+{"requires_hwauth", 15, KRB5_KDB_REQUIRES_HW_AUTH, 0 },
+{"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0 },
+{"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1 },
+{"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 },
+{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 },
+{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 },
+{"ok_to_auth_as_delegate", 22, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE, 0 },
+{"no_auth_data_required", 21, KRB5_KDB_NO_AUTH_DATA_REQUIRED, 0 },
};
static char *prflags[] = {
- "DISALLOW_POSTDATED", /* 0x00000001 */
- "DISALLOW_FORWARDABLE", /* 0x00000002 */
- "DISALLOW_TGT_BASED", /* 0x00000004 */
- "DISALLOW_RENEWABLE", /* 0x00000008 */
- "DISALLOW_PROXIABLE", /* 0x00000010 */
- "DISALLOW_DUP_SKEY", /* 0x00000020 */
- "DISALLOW_ALL_TIX", /* 0x00000040 */
- "REQUIRES_PRE_AUTH", /* 0x00000080 */
- "REQUIRES_HW_AUTH", /* 0x00000100 */
- "REQUIRES_PWCHANGE", /* 0x00000200 */
- "UNKNOWN_0x00000400", /* 0x00000400 */
- "UNKNOWN_0x00000800", /* 0x00000800 */
- "DISALLOW_SVR", /* 0x00001000 */
- "PWCHANGE_SERVICE", /* 0x00002000 */
- "SUPPORT_DESMD5", /* 0x00004000 */
- "NEW_PRINC", /* 0x00008000 */
- "UNKNOWN_0x00010000", /* 0x00010000 */
- "UNKNOWN_0x00020000", /* 0x00020000 */
- "UNKNOWN_0x00040000", /* 0x00040000 */
- "UNKNOWN_0x00080000", /* 0x00080000 */
- "OK_AS_DELEGATE", /* 0x00100000 */
- "OK_TO_AUTH_AS_DELEGATE", /* 0x00200000 */
- "NO_AUTH_DATA_REQUIRED", /* 0x00400000 */
+ "DISALLOW_POSTDATED", /* 0x00000001 */
+ "DISALLOW_FORWARDABLE", /* 0x00000002 */
+ "DISALLOW_TGT_BASED", /* 0x00000004 */
+ "DISALLOW_RENEWABLE", /* 0x00000008 */
+ "DISALLOW_PROXIABLE", /* 0x00000010 */
+ "DISALLOW_DUP_SKEY", /* 0x00000020 */
+ "DISALLOW_ALL_TIX", /* 0x00000040 */
+ "REQUIRES_PRE_AUTH", /* 0x00000080 */
+ "REQUIRES_HW_AUTH", /* 0x00000100 */
+ "REQUIRES_PWCHANGE", /* 0x00000200 */
+ "UNKNOWN_0x00000400", /* 0x00000400 */
+ "UNKNOWN_0x00000800", /* 0x00000800 */
+ "DISALLOW_SVR", /* 0x00001000 */
+ "PWCHANGE_SERVICE", /* 0x00002000 */
+ "SUPPORT_DESMD5", /* 0x00004000 */
+ "NEW_PRINC", /* 0x00008000 */
+ "UNKNOWN_0x00010000", /* 0x00010000 */
+ "UNKNOWN_0x00020000", /* 0x00020000 */
+ "UNKNOWN_0x00040000", /* 0x00040000 */
+ "UNKNOWN_0x00080000", /* 0x00080000 */
+ "OK_AS_DELEGATE", /* 0x00100000 */
+ "OK_TO_AUTH_AS_DELEGATE", /* 0x00200000 */
+ "NO_AUTH_DATA_REQUIRED", /* 0x00400000 */
};
-char *getenv();
int exit_status = 0;
char *def_realm = NULL;
char *whoami = NULL;
int locked = 0;
-static void usage()
+static void
+usage()
{
fprintf(stderr,
- "Usage: %s [-r realm] [-p principal] [-q query] [clnt|local args]\n"
- "\tclnt args: [-s admin_server[:port]] [[-c ccache]|[-k [-t keytab]]]\n"
- "\tlocal args: [-x db_args]* [-d dbname] [-e \"enc:salt ...\"] [-m]\n"
- "where,\n\t[-x db_args]* - any number of database specific arguments.\n"
- "\t\t\tLook at each database documentation for supported arguments\n",
- whoami);
+ "Usage: %s [-r realm] [-p principal] [-q query] [clnt|local args]\n"
+ "\tclnt args: [-s admin_server[:port]] [[-c ccache]|[-k [-t keytab]]]\n"
+ "\tlocal args: [-x db_args]* [-d dbname] [-e \"enc:salt ...\"] [-m]\n"
+ "where,\n\t[-x db_args]* - any number of database specific arguments.\n"
+ "\t\t\tLook at each database documentation for supported arguments\n",
+ whoami);
exit(1);
}
-static char *strdur(duration)
- time_t duration;
+static char *
+strdur(time_t duration)
{
static char out[50];
int neg, days, hours, minutes, seconds;
if (duration < 0) {
- duration *= -1;
- neg = 1;
+ duration *= -1;
+ neg = 1;
} else
- neg = 0;
+ neg = 0;
days = duration / (24 * 3600);
duration %= 24 * 3600;
hours = duration / 3600;
duration %= 60;
seconds = duration;
snprintf(out, sizeof(out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "",
- days, days == 1 ? "day" : "days",
- hours, minutes, seconds);
+ days, days == 1 ? "day" : "days",
+ hours, minutes, seconds);
return out;
}
-static char *strdate(when)
- krb5_timestamp when;
+static char *
+strdate(krb5_timestamp when)
{
struct tm *tm;
static char out[40];
/* this is a wrapper to go around krb5_parse_principal so we can set
the default realm up properly */
static krb5_error_code
-kadmin_parse_name(name, principal)
- char *name;
- krb5_principal *principal;
+kadmin_parse_name(char *name, krb5_principal *principal)
{
char *cp, *fullname;
krb5_error_code retval;
/* assumes def_realm is initialized! */
cp = strchr(name, '@');
while (cp) {
- if (cp - name && *(cp - 1) != '\\')
- break;
- else
- cp = strchr(cp + 1, '@');
+ if (cp - name && *(cp - 1) != '\\')
+ break;
+ else
+ cp = strchr(cp + 1, '@');
}
if (cp == NULL)
- result = asprintf(&fullname, "%s@%s", name, def_realm);
+ result = asprintf(&fullname, "%s@%s", name, def_realm);
else
- result = asprintf(&fullname, "%s", name);
+ result = asprintf(&fullname, "%s", name);
if (result < 0)
- return ENOMEM;
+ return ENOMEM;
retval = krb5_parse_name(context, fullname, principal);
free(fullname);
return retval;
}
-static void extended_com_err_fn (const char *myprog, errcode_t code,
- const char *fmt, va_list args)
+static void
+extended_com_err_fn(const char *myprog, errcode_t code,
+ const char *fmt, va_list args)
{
+ const char *emsg;
+
if (code) {
- const char *emsg;
- emsg = krb5_get_error_message (context, code);
- fprintf (stderr, "%s: %s ", myprog, emsg);
- krb5_free_error_message (context, emsg);
+ emsg = krb5_get_error_message(context, code);
+ fprintf(stderr, "%s: %s ", myprog, emsg);
+ krb5_free_error_message(context, emsg);
} else {
- fprintf (stderr, "%s: ", myprog);
+ fprintf(stderr, "%s: ", myprog);
}
- vfprintf (stderr, fmt, args);
- fprintf (stderr, "\n");
+ vfprintf(stderr, fmt, args);
+ fprintf(stderr, "\n");
}
-char *kadmin_startup(argc, argv)
- int argc;
- char *argv[];
+/* Create a principal using the oldest appropriate kadm5 API. */
+static krb5_error_code
+create_princ(kadm5_principal_ent_rec *princ, long mask, int n_ks,
+ krb5_key_salt_tuple *ks, char *pass)
+{
+ if (ks)
+ return kadm5_create_principal_3(handle, princ, mask, n_ks, ks, pass);
+ else
+ return kadm5_create_principal(handle, princ, mask, pass);
+}
+
+/* Randomize a principal's password using the oldest appropriate kadm5 API. */
+static krb5_error_code
+randkey_princ(krb5_principal princ, krb5_boolean keepold, int n_ks,
+ krb5_key_salt_tuple *ks)
+{
+ if (keepold || ks) {
+ return kadm5_randkey_principal_3(handle, princ, keepold, n_ks, ks,
+ NULL, NULL);
+ } else
+ return kadm5_randkey_principal(handle, princ, NULL, NULL);
+}
+
+char *
+kadmin_startup(int argc, char *argv[])
{
extern char *optarg;
char *princstr = NULL, *keytab_name = NULL, *query = NULL;
char **db_args = NULL;
int db_args_size = 0;
char *db_name = NULL;
- char *svcname;
+ char *svcname, *realm;
memset(¶ms, 0, sizeof(params));
#if defined(USE_KIM)
/* Turn off all password prompting from the KLL */
- retval = kim_library_set_allow_automatic_prompting (0);
+ retval = kim_library_set_allow_automatic_prompting(0);
if (retval) {
- com_err(whoami, retval,
+ com_err(whoami, retval,
"while calling kim_library_set_allow_automatic_prompting()");
- exit(1);
+ exit(1);
}
#endif
- if (strcmp (whoami, "kadmin.local") == 0)
- set_com_err_hook(extended_com_err_fn);
+ if (strcmp(whoami, "kadmin.local") == 0)
+ set_com_err_hook(extended_com_err_fn);
retval = kadm5_init_krb5_context(&context);
if (retval) {
- com_err(whoami, retval, "while initializing krb5 library");
- exit(1);
+ com_err(whoami, retval, "while initializing krb5 library");
+ exit(1);
}
while ((optchar = getopt(argc, argv, "x:r:p:kq:w:d:s:mc:t:e:ON")) != EOF) {
- switch (optchar) {
- case 'x':
- db_args_size++;
- {
- char **temp = realloc(db_args, sizeof(char*) * (db_args_size+1));
- if (temp == NULL) {
- fprintf(stderr,"%s: Cannot initialize. Not enough memory\n",
- argv[0]);
- exit(1);
- }
-
- db_args = temp;
- }
- db_args[db_args_size-1] = optarg;
- db_args[db_args_size] = NULL;
- break;
-
- case 'r':
- def_realm = optarg;
- break;
- case 'p':
- princstr = optarg;
- break;
- case 'c':
- ccache_name = optarg;
- break;
- case 'k':
- use_keytab++;
- break;
- case 't':
- keytab_name = optarg;
- break;
- case 'w':
- password = optarg;
- break;
- case 'q':
- query = optarg;
- break;
- case 'd':
- /* now db_name is not a seperate argument. It has to be passed as part of the db_args */
- if (db_name)
- free(db_name);
- asprintf(&db_name, "dbname=%s", optarg);
-
- db_args_size++;
- {
- char **temp = realloc(db_args, sizeof(char*) * (db_args_size+1)); /* one for NULL */
- if (temp == NULL) {
- fprintf(stderr,
- "%s: Cannot initialize. Not enough memory\n",
- argv[0]);
- exit(1);
- }
-
- db_args = temp;
- }
- db_args[db_args_size-1] = db_name;
- db_args[db_args_size] = NULL;
- break;
- case 's':
- params.admin_server = optarg;
- params.mask |= KADM5_CONFIG_ADMIN_SERVER;
- break;
- case 'm':
- params.mkey_from_kbd = 1;
- params.mask |= KADM5_CONFIG_MKEY_FROM_KBD;
- break;
- case 'e':
- retval = krb5_string_to_keysalts(optarg,
- ", \t",
- ":.-",
- 0,
- ¶ms.keysalts,
- ¶ms.num_keysalts);
- if (retval) {
- com_err(whoami, retval, "while parsing keysalts %s", optarg);
- exit(1);
- }
- params.mask |= KADM5_CONFIG_ENCTYPES;
- break;
- case 'O':
- params.mask |= KADM5_CONFIG_OLD_AUTH_GSSAPI;
- break;
- case 'N':
- params.mask |= KADM5_CONFIG_AUTH_NOFALLBACK;
- break;
- default:
- usage();
- }
+ switch (optchar) {
+ case 'x':
+ db_args_size++;
+ db_args = realloc(db_args, sizeof(char*) * (db_args_size + 1));
+ if (db_args == NULL) {
+ fprintf(stderr, "%s: Cannot initialize. Not enough memory\n",
+ argv[0]);
+ exit(1);
+ }
+ db_args[db_args_size - 1] = optarg;
+ db_args[db_args_size] = NULL;
+ break;
+
+ case 'r':
+ def_realm = optarg;
+ break;
+ case 'p':
+ princstr = optarg;
+ break;
+ case 'c':
+ ccache_name = optarg;
+ break;
+ case 'k':
+ use_keytab++;
+ break;
+ case 't':
+ keytab_name = optarg;
+ break;
+ case 'w':
+ password = optarg;
+ break;
+ case 'q':
+ query = optarg;
+ break;
+ case 'd':
+ /* db_name has to be passed as part of the db_args. */
+ free(db_name);
+ asprintf(&db_name, "dbname=%s", optarg);
+
+ db_args_size++;
+ db_args = realloc(db_args, sizeof(char*) * (db_args_size + 1));
+ if (db_args == NULL) {
+ fprintf(stderr, "%s: Cannot initialize. Not enough memory\n",
+ argv[0]);
+ exit(1);
+ }
+ db_args[db_args_size - 1] = db_name;
+ db_args[db_args_size] = NULL;
+ break;
+ case 's':
+ params.admin_server = optarg;
+ params.mask |= KADM5_CONFIG_ADMIN_SERVER;
+ break;
+ case 'm':
+ params.mkey_from_kbd = 1;
+ params.mask |= KADM5_CONFIG_MKEY_FROM_KBD;
+ break;
+ case 'e':
+ retval = krb5_string_to_keysalts(optarg, ", \t", ":.-", 0,
+ ¶ms.keysalts,
+ ¶ms.num_keysalts);
+ if (retval) {
+ com_err(whoami, retval, "while parsing keysalts %s", optarg);
+ exit(1);
+ }
+ params.mask |= KADM5_CONFIG_ENCTYPES;
+ break;
+ case 'O':
+ params.mask |= KADM5_CONFIG_OLD_AUTH_GSSAPI;
+ break;
+ case 'N':
+ params.mask |= KADM5_CONFIG_AUTH_NOFALLBACK;
+ break;
+ default:
+ usage();
+ }
}
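Review bot: The return value of `asprintf(&db_name, "dbname=%s", optarg)` in the rewritten `case 'd'` is still unchecked; if the allocation fails, `db_name` holds an unspecified value that is then stored into `db_args` and later handed to `free(db_name)`. The adjacent realloc failure already exits, so the same treatment fits: `if (asprintf(&db_name, "dbname=%s", optarg) < 0) {` followed by the existing `"%s: Cannot initialize. Not enough memory\n"` message and `exit(1);`. The enclosing `kadmin_startup` begins and ends outside this hunk.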
if ((ccache_name && use_keytab) ||
- (keytab_name && !use_keytab))
- usage();
+ (keytab_name && !use_keytab))
+ usage();
if (def_realm == NULL && krb5_get_default_realm(context, &def_realm)) {
- if (freeprinc)
- free(princstr);
- fprintf(stderr, "%s: unable to get default realm\n", whoami);
- exit(1);
+ fprintf(stderr, "%s: unable to get default realm\n", whoami);
+ exit(1);
}
params.mask |= KADM5_CONFIG_REALM;
params.realm = def_realm;
if (params.mask & KADM5_CONFIG_OLD_AUTH_GSSAPI)
- svcname = KADM5_ADMIN_SERVICE;
+ svcname = KADM5_ADMIN_SERVICE;
else
- svcname = NULL;
+ svcname = NULL;
/*
* Set cc to an open credentials cache, either specified by the -c
* argument or the default.
*/
if (ccache_name == NULL) {
- if ((retval = krb5_cc_default(context, &cc))) {
- com_err(whoami, retval,
- "while opening default credentials cache");
- exit(1);
- }
+ retval = krb5_cc_default(context, &cc);
+ if (retval) {
+ com_err(whoami, retval, "while opening default credentials cache");
+ exit(1);
+ }
} else {
- if ((retval = krb5_cc_resolve(context, ccache_name, &cc))) {
- com_err(whoami, retval,
- "while opening credentials cache %s", ccache_name);
- exit(1);
- }
+ retval = krb5_cc_resolve(context, ccache_name, &cc);
+ if (retval) {
+ com_err(whoami, retval, "while opening credentials cache %s",
+ ccache_name);
+ exit(1);
+ }
}
/*
*/
if (princstr == NULL) {
- if (ccache_name != NULL &&
- !krb5_cc_get_principal(context, cc, &princ)) {
- if ((retval = krb5_unparse_name(context, princ, &princstr))) {
- com_err(whoami, retval,
- "while canonicalizing principal name");
- krb5_free_principal(context, princ);
- exit(1);
- }
- krb5_free_principal(context, princ);
- freeprinc++;
- } else if (use_keytab != 0) {
- if ((retval = krb5_sname_to_principal(context, NULL,
- "host",
- KRB5_NT_SRV_HST,
- &princ))) {
- com_err(whoami, retval,
- "creating host service principal");
- exit(1);
- }
- if ((retval = krb5_unparse_name(context, princ, &princstr))) {
- com_err(whoami, retval,
- "while canonicalizing principal name");
- krb5_free_principal(context, princ);
- exit(1);
- }
- krb5_free_principal(context, princ);
- freeprinc++;
- } else if (!krb5_cc_get_principal(context, cc, &princ)) {
- char *realm = NULL;
- if (krb5_unparse_name(context, princ, &canon)) {
- fprintf(stderr,
- "%s: unable to canonicalize principal\n", whoami);
- krb5_free_principal(context, princ);
- exit(1);
- }
- /* strip out realm of principal if it's there */
- realm = strchr(canon, '@');
- while (realm) {
- if (realm - canon && *(realm - 1) != '\\')
- break;
- else
- realm = strchr(realm+1, '@');
- }
- if (realm)
- *realm++ = '\0';
- cp = strchr(canon, '/');
- while (cp) {
- if (cp - canon && *(cp - 1) != '\\')
- break;
- else
- cp = strchr(cp+1, '/');
- }
- if (cp != NULL)
- *cp = '\0';
- if (asprintf(&princstr, "%s/admin%s%s", canon,
- (realm) ? "@" : "",
- (realm) ? realm : "") < 0) {
- fprintf(stderr, "%s: out of memory\n", whoami);
- exit(1);
- }
- free(canon);
- krb5_free_principal(context, princ);
- freeprinc++;
- } else if ((luser = getenv("USER"))) {
- if (asprintf(&princstr, "%s/admin@%s", luser, def_realm) < 0) {
- fprintf(stderr, "%s: out of memory\n", whoami);
- exit(1);
- }
- freeprinc++;
- } else if ((pw = getpwuid(getuid()))) {
- if (asprintf(&princstr, "%s/admin@%s", pw->pw_name,
- def_realm) < 0) {
- fprintf(stderr, "%s: out of memory\n", whoami);
- exit(1);
- }
- freeprinc++;
- } else {
- fprintf(stderr, "%s: unable to figure out a principal name\n",
- whoami);
- exit(1);
- }
+ if (ccache_name != NULL &&
+ !krb5_cc_get_principal(context, cc, &princ)) {
+ retval = krb5_unparse_name(context, princ, &princstr);
+ if (retval) {
+ com_err(whoami, retval, "while canonicalizing principal name");
+ exit(1);
+ }
+ krb5_free_principal(context, princ);
+ freeprinc++;
+ } else if (use_keytab != 0) {
+ retval = krb5_sname_to_principal(context, NULL, "host",
+ KRB5_NT_SRV_HST, &princ);
+ if (retval) {
+ com_err(whoami, retval, "creating host service principal");
+ exit(1);
+ }
+ retval = krb5_unparse_name(context, princ, &princstr);
+ if (retval) {
+ com_err(whoami, retval, "while canonicalizing principal name");
+ exit(1);
+ }
+ krb5_free_principal(context, princ);
+ freeprinc++;
+ } else if (!krb5_cc_get_principal(context, cc, &princ)) {
+ if (krb5_unparse_name(context, princ, &canon)) {
+ fprintf(stderr, "%s: unable to canonicalize principal\n",
+ whoami);
+ exit(1);
+ }
+ /* Strip out realm of principal if it's there. */
+ realm = strchr(canon, '@');
+ while (realm) {
+ if (realm > canon && *(realm - 1) != '\\')
+ break;
+ realm = strchr(realm + 1, '@');
+ }
+ if (realm)
+ *realm++ = '\0';
+ cp = strchr(canon, '/');
+ while (cp) {
+ if (cp > canon && *(cp - 1) != '\\')
+ break;
+ cp = strchr(cp + 1, '/');
+ }
+ if (cp != NULL)
+ *cp = '\0';
+ if (asprintf(&princstr, "%s/admin%s%s", canon,
+ (realm) ? "@" : "",
+ (realm) ? realm : "") < 0) {
+ fprintf(stderr, "%s: out of memory\n", whoami);
+ exit(1);
+ }
+ free(canon);
+ krb5_free_principal(context, princ);
+ freeprinc++;
+ } else if ((luser = getenv("USER"))) {
+ if (asprintf(&princstr, "%s/admin@%s", luser, def_realm) < 0) {
+ fprintf(stderr, "%s: out of memory\n", whoami);
+ exit(1);
+ }
+ freeprinc++;
+ } else if ((pw = getpwuid(getuid()))) {
+ if (asprintf(&princstr, "%s/admin@%s", pw->pw_name,
+ def_realm) < 0) {
+ fprintf(stderr, "%s: out of memory\n", whoami);
+ exit(1);
+ }
+ freeprinc++;
+ } else {
+ fprintf(stderr, "%s: unable to figure out a principal name\n",
+ whoami);
+ exit(1);
+ }
}
retval = krb5_klog_init(context, "admin_server", whoami, 0);
if (retval) {
- com_err(whoami, retval, "while setting up logging");
- exit(1);
+ com_err(whoami, retval, "while setting up logging");
+ exit(1);
}
/*
* use it. Otherwise, use/prompt for the password.
*/
if (ccache_name) {
- printf("Authenticating as principal %s with existing credentials.\n",
- princstr);
- retval = kadm5_init_with_creds(context, princstr, cc,
- svcname,
- ¶ms,
- KADM5_STRUCT_VERSION,
- KADM5_API_VERSION_2,
- db_args,
- &handle);
+ printf("Authenticating as principal %s with existing credentials.\n",
+ princstr);
+ retval = kadm5_init_with_creds(context, princstr, cc, svcname, ¶ms,
+ KADM5_STRUCT_VERSION,
+ KADM5_API_VERSION_2, db_args, &handle);
} else if (use_keytab) {
- if (keytab_name)
- printf("Authenticating as principal %s with keytab %s.\n",
- princstr, keytab_name);
- else
- printf("Authenticating as principal %s with default keytab.\n",
- princstr);
- retval = kadm5_init_with_skey(context, princstr, keytab_name,
- svcname,
- ¶ms,
- KADM5_STRUCT_VERSION,
- KADM5_API_VERSION_2,
- db_args,
- &handle);
+ if (keytab_name)
+ printf("Authenticating as principal %s with keytab %s.\n",
+ princstr, keytab_name);
+ else
+ printf("Authenticating as principal %s with default keytab.\n",
+ princstr);
+ retval = kadm5_init_with_skey(context, princstr, keytab_name, svcname,
+ ¶ms, KADM5_STRUCT_VERSION,
+ KADM5_API_VERSION_2, db_args, &handle);
} else {
- printf("Authenticating as principal %s with password.\n",
- princstr);
- retval = kadm5_init_with_password(context, princstr, password,
- svcname,
- ¶ms,
- KADM5_STRUCT_VERSION,
- KADM5_API_VERSION_2,
- db_args,
- &handle);
+ printf("Authenticating as principal %s with password.\n",
+ princstr);
+ retval = kadm5_init_with_password(context, princstr, password, svcname,
+ ¶ms, KADM5_STRUCT_VERSION,
+ KADM5_API_VERSION_2, db_args,
+ &handle);
}
if (retval) {
- com_err(whoami, retval, "while initializing %s interface", whoami);
- if (retval == KADM5_BAD_CLIENT_PARAMS ||
- retval == KADM5_BAD_SERVER_PARAMS)
- usage();
- exit(1);
+ com_err(whoami, retval, "while initializing %s interface", whoami);
+ if (retval == KADM5_BAD_CLIENT_PARAMS ||
+ retval == KADM5_BAD_SERVER_PARAMS)
+ usage();
+ exit(1);
}
if (freeprinc)
- free(princstr);
-
- if (db_name)
- free(db_name), db_name=NULL;
+ free(princstr);
- if (db_args)
- free(db_args), db_args=NULL;
+ free(db_name);
+ free(db_args);
- if ((retval = krb5_cc_close(context, cc))) {
- com_err(whoami, retval, "while closing ccache %s",
- ccache_name);
- exit(1);
+ retval = krb5_cc_close(context, cc);
+ if (retval) {
+ com_err(whoami, retval, "while closing ccache %s", ccache_name);
+ exit(1);
}
/* register the WRFILE keytab type and set it as the default */
{
#define DEFAULT_KEYTAB "WRFILE:/etc/krb5.keytab"
- /* XXX krb5_defkeyname is an internal library global and
- should go away */
- extern char *krb5_defkeyname;
- krb5_defkeyname = DEFAULT_KEYTAB;
+ /* XXX krb5_defkeyname is an internal library global and
+ should go away */
+ extern char *krb5_defkeyname;
+ krb5_defkeyname = DEFAULT_KEYTAB;
}
- if ((retval = kadm5_init_iprop(handle, 0)) != 0) {
- com_err(whoami, retval, _("while mapping update log"));
- exit(1);
+ retval = kadm5_init_iprop(handle, 0);
+ if (retval) {
+ com_err(whoami, retval, _("while mapping update log"));
+ exit(1);
}
return query;
}
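Review bot: The rewritten `com_err(whoami, retval, "while closing ccache %s", ccache_name)` formats `ccache_name` with `%s`, but in the `krb5_cc_default` branch earlier in this function `ccache_name` is NULL (the later `if (ccache_name)` authentication test depends on that), so a close failure on the default cache passes NULL to `%s`, which is undefined behaviour in C. Use a placeholder for that case: `ccache_name ? ccache_name : "(default)"`, or report the resolved cache name instead. The defect predates this commit, but the line is being rewritten anyway; this assumes `ccache_name` is not assigned in a part of `kadmin_startup` that is not shown.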
-int quit()
+int
+quit()
{
kadm5_ret_t retval;
if (locked) {
- retval = kadm5_unlock(handle);
- if (retval) {
- com_err("quit", retval, "while unlocking locked database");
- return 1;
- }
- locked = 0;
+ retval = kadm5_unlock(handle);
+ if (retval) {
+ com_err("quit", retval, "while unlocking locked database");
+ return 1;
+ }
+ locked = 0;
}
kadm5_destroy(handle);
- if (ccache_name != NULL) {
- fprintf(stderr,
- "\n\a\a\aAdministration credentials NOT DESTROYED.\n");
- }
+ if (ccache_name != NULL)
+ fprintf(stderr, "\n\a\a\aAdministration credentials NOT DESTROYED.\n");
/* insert more random cleanup here */
krb5_klog_close(context);
return 0;
}
-void kadmin_lock(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_lock(int argc, char *argv[])
{
kadm5_ret_t retval;
if (locked)
- return;
+ return;
retval = kadm5_lock(handle);
if (retval) {
- com_err("lock", retval, "");
- return;
+ com_err("lock", retval, "");
+ return;
}
locked = 1;
}
-void kadmin_unlock(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_unlock(int argc, char *argv[])
{
kadm5_ret_t retval;
if (!locked)
- return;
+ return;
retval = kadm5_unlock(handle);
if (retval) {
- com_err("unlock", retval, "");
- return;
+ com_err("unlock", retval, "");
+ return;
}
locked = 0;
}
-void kadmin_delprinc(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_delprinc(int argc, char *argv[])
{
kadm5_ret_t retval;
- krb5_principal princ;
- char *canon;
+ krb5_principal princ = NULL;
+ char *canon = NULL;
char reply[5];
if (! (argc == 2 ||
- (argc == 3 && !strcmp("-force", argv[1])))) {
- fprintf(stderr, "usage: delete_principal [-force] principal\n");
- return;
+ (argc == 3 && !strcmp("-force", argv[1])))) {
+ fprintf(stderr, "usage: delete_principal [-force] principal\n");
+ return;
}
retval = kadmin_parse_name(argv[argc - 1], &princ);
if (retval) {
- com_err("delete_principal", retval, "while parsing principal name");
- return;
+ com_err("delete_principal", retval, "while parsing principal name");
+ return;
}
retval = krb5_unparse_name(context, princ, &canon);
if (retval) {
- com_err("delete_principal", retval,
- "while canonicalizing principal");
- krb5_free_principal(context, princ);
- return;
+ com_err("delete_principal", retval, "while canonicalizing principal");
+ goto cleanup;
}
if (argc == 2) {
- printf("Are you sure you want to delete the principal \"%s\"? (yes/no): ", canon);
- fgets(reply, sizeof (reply), stdin);
- if (strcmp("yes\n", reply)) {
- fprintf(stderr, "Principal \"%s\" not deleted\n", canon);
- free(canon);
- krb5_free_principal(context, princ);
- return;
- }
+ printf("Are you sure you want to delete the principal \"%s\"? "
+ "(yes/no): ", canon);
+ fgets(reply, sizeof (reply), stdin);
+ if (strcmp("yes\n", reply)) {
+ fprintf(stderr, "Principal \"%s\" not deleted\n", canon);
+ goto cleanup;
+ }
}
retval = kadm5_delete_principal(handle, princ);
- krb5_free_principal(context, princ);
if (retval) {
- com_err("delete_principal", retval,
- "while deleting principal \"%s\"", canon);
- free(canon);
- return;
+ com_err("delete_principal", retval,
+ "while deleting principal \"%s\"", canon);
+ goto cleanup;
}
- printf("Principal \"%s\" deleted.\nMake sure that you have removed this principal from all ACLs before reusing.\n", canon);
+ printf("Principal \"%s\" deleted.\nMake sure that you have removed this "
+ "principal from all ACLs before reusing.\n", canon);
+
+cleanup:
+ krb5_free_principal(context, princ);
free(canon);
- return;
}
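Review bot: In `kadmin_delprinc` the confirmation read `fgets(reply, sizeof (reply), stdin)` still ignores its result; on EOF or a read error `reply`, declared uninitialized as `char reply[5]`, is compared by `strcmp("yes\n", reply)` while holding indeterminate bytes, so whether the deletion proceeds can be decided by garbage. Make the prompt fail closed: `if (fgets(reply, sizeof(reply), stdin) == NULL || strcmp("yes\n", reply)) {`. With the new `goto cleanup` structure this needs no other change.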
-void kadmin_cpw(argc, argv)
- int argc;
- char *argv[];
+static void
+cpw_usage(const char *str)
+{
+ if (str)
+ fprintf(stderr, "%s\n", str);
+ fprintf(stderr, "usage: change_password [-randkey] [-keepold] "
+ "[-e keysaltlist] [-pw password] principal\n");
+}
+
+void
+kadmin_cpw(int argc, char *argv[])
{
kadm5_ret_t retval;
static char newpw[1024];
static char prompt1[1024], prompt2[1024];
- char *canon;
- char *pwarg = NULL;
+ char *canon = NULL, *pwarg = NULL;
int n_ks_tuple = 0, randkey = 0;
krb5_boolean keepold = FALSE;
krb5_key_salt_tuple *ks_tuple = NULL;
- krb5_principal princ;
+ krb5_principal princ = NULL;
char **db_args = NULL;
int db_args_size = 0;
-
if (argc < 2) {
- goto usage;
+ cpw_usage(NULL);
+ return;
}
for (argv++, argc--; argc > 1; argc--, argv++) {
- if (!strcmp("-x", *argv)) {
- argc--;
- if (argc < 1) {
- fprintf(stderr, "change_password: missing db argument\n");
- goto usage;
- }
- db_args_size++;
- {
- char **temp = realloc(db_args, sizeof(char*) * (db_args_size+1)); /* one for NULL */
- if (temp == NULL) {
- fprintf(stderr,"change_password: Not enough memory\n");
- free(db_args), db_args = NULL;
- exit(1);
- }
-
- db_args = temp;
- }
- db_args[db_args_size-1] = *++argv;
- db_args[db_args_size] = NULL;
- continue;
- }
- if (!strcmp("-pw", *argv)) {
- argc--;
- if (argc < 1) {
- fprintf(stderr, "change_password: missing password arg\n");
- goto usage;
- }
- pwarg = *++argv;
- continue;
- }
- if (!strcmp("-randkey", *argv)) {
- randkey++;
- continue;
- }
- if (!strcmp("-keepold", *argv)) {
- keepold = TRUE;
- continue;
- }
- if (!strcmp("-e", *argv)) {
- argc--;
- if (argc < 1) {
- fprintf(stderr,
- "change_password: missing keysaltlist arg\n");
- goto usage;
- }
- retval = krb5_string_to_keysalts(*++argv, ", \t", ":.-", 0,
- &ks_tuple, &n_ks_tuple);
- if (retval) {
- com_err("change_password", retval,
- "while parsing keysalts %s", *argv);
- return;
- }
- continue;
- }
- goto usage;
+ if (!strcmp("-x", *argv)) {
+ argc--;
+ if (argc < 1) {
+ cpw_usage("change_password: missing db argument");
+ goto cleanup;
+ }
+ db_args_size++;
+ db_args = realloc(db_args, sizeof(char*) * (db_args_size + 1));
+ if (db_args == NULL) {
+ fprintf(stderr, "change_password: Not enough memory\n");
+ exit(1);
+ }
+ db_args[db_args_size - 1] = *++argv;
+ db_args[db_args_size] = NULL;
+ } else if (!strcmp("-pw", *argv)) {
+ argc--;
+ if (argc < 1) {
+ cpw_usage("change_password: missing password arg");
+ goto cleanup;
+ }
+ pwarg = *++argv;
+ } else if (!strcmp("-randkey", *argv)) {
+ randkey++;
+ } else if (!strcmp("-keepold", *argv)) {
+ keepold = TRUE;
+ } else if (!strcmp("-e", *argv)) {
+ argc--;
+ if (argc < 1) {
+ cpw_usage("change_password: missing keysaltlist arg");
+ goto cleanup;
+ }
+ retval = krb5_string_to_keysalts(*++argv, ", \t", ":.-", 0,
+ &ks_tuple, &n_ks_tuple);
+ if (retval) {
+ com_err("change_password", retval,
+ "while parsing keysalts %s", *argv);
+ goto cleanup;
+ }
+ } else {
+ cpw_usage(NULL);
+ goto cleanup;
+ }
}
if (*argv == NULL) {
- com_err("change_password", 0, "missing principal name");
- goto usage;
+ com_err("change_password", 0, "missing principal name");
+ cpw_usage(NULL);
+ goto cleanup;
}
retval = kadmin_parse_name(*argv, &princ);
if (retval) {
- com_err("change_password", retval, "while parsing principal name");
- if (ks_tuple != NULL)
- free(ks_tuple);
- if (db_args) free(db_args);
- return;
+ com_err("change_password", retval, "while parsing principal name");
+ goto cleanup;
}
retval = krb5_unparse_name(context, princ, &canon);
if (retval) {
- com_err("change_password", retval, "while canonicalizing principal");
- krb5_free_principal(context, princ);
- if (ks_tuple != NULL)
- free(ks_tuple);
- if (db_args) free(db_args);
- return;
+ com_err("change_password", retval, "while canonicalizing principal");
+ goto cleanup;
}
if (pwarg != NULL) {
- if (keepold || ks_tuple != NULL) {
- retval = kadm5_chpass_principal_3(handle, princ, keepold,
- n_ks_tuple, ks_tuple, pwarg);
- if (ks_tuple != NULL)
- free(ks_tuple);
- } else {
- retval = kadm5_chpass_principal(handle, princ, pwarg);
- }
- krb5_free_principal(context, princ);
- if (retval) {
- com_err("change_password", retval,
- "while changing password for \"%s\".", canon);
- free(canon);
- if (db_args) free(db_args);
- return;
- }
- printf("Password for \"%s\" changed.\n", canon);
- free(canon);
- if (db_args) free(db_args);
- return;
+ if (keepold || ks_tuple != NULL) {
+ retval = kadm5_chpass_principal_3(handle, princ, keepold,
+ n_ks_tuple, ks_tuple, pwarg);
+ } else {
+ retval = kadm5_chpass_principal(handle, princ, pwarg);
+ }
+ if (retval) {
+ com_err("change_password", retval,
+ "while changing password for \"%s\".", canon);
+ goto cleanup;
+ }
+ printf("Password for \"%s\" changed.\n", canon);
} else if (randkey) {
- if (keepold || ks_tuple != NULL) {
- retval = kadm5_randkey_principal_3(handle, princ, keepold,
- n_ks_tuple, ks_tuple,
- NULL, NULL);
- if (ks_tuple != NULL)
- free(ks_tuple);
- } else {
- retval = kadm5_randkey_principal(handle, princ, NULL, NULL);
- }
- krb5_free_principal(context, princ);
- if (retval) {
- com_err("change_password", retval,
- "while randomizing key for \"%s\".", canon);
- free(canon);
- if (db_args) free(db_args);
- return;
- }
- printf("Key for \"%s\" randomized.\n", canon);
- free(canon);
- if (db_args) free(db_args);
- return;
- } else if (argc == 1) {
- unsigned int i = sizeof (newpw) - 1;
-
- snprintf(prompt1, sizeof(prompt1),
- "Enter password for principal \"%.900s\"",
- *argv);
- snprintf(prompt2, sizeof(prompt2),
- "Re-enter password for principal \"%.900s\"",
- *argv);
- retval = krb5_read_password(context, prompt1, prompt2,
- newpw, &i);
- if (retval) {
- com_err("change_password", retval,
- "while reading password for \"%s\".", canon);
- free(canon);
- if (ks_tuple != NULL)
- free(ks_tuple);
- krb5_free_principal(context, princ);
- if (db_args) free(db_args);
- return;
- }
- if (keepold || ks_tuple != NULL) {
- retval = kadm5_chpass_principal_3(handle, princ, keepold,
- n_ks_tuple, ks_tuple,
- newpw);
- if (ks_tuple != NULL)
- free(ks_tuple);
- } else {
- retval = kadm5_chpass_principal(handle, princ, newpw);
- }
- krb5_free_principal(context, princ);
- memset(newpw, 0, sizeof (newpw));
- if (retval) {
- com_err("change_password", retval,
- "while changing password for \"%s\".", canon);
- free(canon);
- if (db_args) free(db_args);
- return;
- }
- printf("Password for \"%s\" changed.\n", canon);
- free(canon);
- if (db_args) free(db_args);
- return;
+ retval = randkey_princ(princ, keepold, n_ks_tuple, ks_tuple);
+ if (retval) {
+ com_err("change_password", retval,
+ "while randomizing key for \"%s\".", canon);
+ goto cleanup;
+ }
+ printf("Key for \"%s\" randomized.\n", canon);
} else {
- free(canon);
- krb5_free_principal(context, princ);
- usage:
- if (db_args) free(db_args);
- if (ks_tuple != NULL)
- free(ks_tuple);
- fprintf(stderr,
- "usage: change_password [-randkey] [-keepold] "
- "[-e keysaltlist] [-pw password] "
- "principal\n");
- return;
+ unsigned int i = sizeof (newpw) - 1;
+
+ snprintf(prompt1, sizeof(prompt1),
+ "Enter password for principal \"%s\"", canon);
+ snprintf(prompt2, sizeof(prompt2),
+ "Re-enter password for principal \"%s\"", canon);
+ retval = krb5_read_password(context, prompt1, prompt2,
+ newpw, &i);
+ if (retval) {
+ com_err("change_password", retval,
+ "while reading password for \"%s\".", canon);
+ goto cleanup;
+ }
+ if (keepold || ks_tuple != NULL) {
+ retval = kadm5_chpass_principal_3(handle, princ, keepold,
+ n_ks_tuple, ks_tuple,
+ newpw);
+ } else {
+ retval = kadm5_chpass_principal(handle, princ, newpw);
+ }
+ memset(newpw, 0, sizeof (newpw));
+ if (retval) {
+ com_err("change_password", retval,
+ "while changing password for \"%s\".", canon);
+ goto cleanup;
+ }
+ printf("Password for \"%s\" changed.\n", canon);
}
+cleanup:
+ free(canon);
+ free(db_args);
+ krb5_free_principal(context, princ);
+ free(ks_tuple);
}
static void
kadmin_free_tl_data(kadm5_principal_ent_t princ)
{
- krb5_tl_data *tl_data = princ->tl_data;
- int n_tl_data = princ->n_tl_data;
+ krb5_tl_data *tl_data = princ->tl_data, *next;
+ int n_tl_data = princ->n_tl_data;
int i;
princ->n_tl_data = 0;
- princ->tl_data = NULL;
+ princ->tl_data = NULL;
for (i = 0; tl_data && (i < n_tl_data); i++) {
- krb5_tl_data *next = tl_data->tl_data_next;
- if (tl_data->tl_data_contents)
- free(tl_data->tl_data_contents);
- free(tl_data);
- tl_data = next;
+ next = tl_data->tl_data_next;
+ free(tl_data->tl_data_contents);
+ free(tl_data);
+ tl_data = next;
}
}
+/*
+ * Parse addprinc or modprinc arguments. Some output fields may be
+ * filled in on error.
+ */
#define KRB5_TL_DB_ARGS 0x7fff
static int
-kadmin_parse_princ_args(argc, argv, oprinc, mask, pass, randkey,
- ks_tuple, n_ks_tuple,
+kadmin_parse_princ_args(int argc, char *argv[], kadm5_principal_ent_t oprinc,
+ long *mask, char **pass, krb5_boolean *randkey,
+ krb5_key_salt_tuple **ks_tuple, int *n_ks_tuple,
#if APPLE_PKINIT
- cert_hash,
+ char **cert_hash,
#endif /* APPLE_PKINIT */
- caller)
- int argc;
- char *argv[];
- kadm5_principal_ent_t oprinc;
- long *mask;
- char **pass;
- int *randkey;
- krb5_key_salt_tuple **ks_tuple;
- int *n_ks_tuple;
-#if APPLE_PKINIT
- char **cert_hash;
-#endif /* APPLE_PKINIT */
- char *caller;
+ char *caller)
{
- int i, j, attrib_set;
+ int i, attrib_set;
+ size_t j;
time_t date;
time_t now;
krb5_error_code retval;
*cert_hash = NULL;
#endif /* APPLE_PKINIT */
time(&now);
- *randkey = 0;
+ *randkey = FALSE;
for (i = 1; i < argc - 1; i++) {
- attrib_set = 0;
- if (strlen(argv[i]) == 2 &&
- !strcmp("-x",argv[i])) {
- if (++i > argc - 2)
- return -1;
-
- tl_data = malloc(sizeof(krb5_tl_data));
- if (tl_data == NULL) {
- fprintf(stderr, "Not enough memory\n");
- return ENOMEM;
- }
-
- memset(tl_data, 0, sizeof(krb5_tl_data));
- tl_data->tl_data_type = KRB5_TL_DB_ARGS;
- tl_data->tl_data_length = strlen(argv[i])+1;
- tl_data->tl_data_contents = strdup(argv[i]);
-
- if (tail) {
- tail->tl_data_next = tl_data;
- } else {
- oprinc->tl_data = tl_data;
- }
- tail = tl_data;
- oprinc->n_tl_data++;
-
- if (tl_data->tl_data_contents == NULL) {
- fprintf(stderr, "Not enough memory\n");
- return ENOMEM;
- }
- *mask |= KADM5_TL_DATA;
- continue;
- }
- if (strlen(argv[i]) == 7 &&
- !strcmp("-expire", argv[i])) {
- if (++i > argc - 2)
- return -1;
- else {
- date = get_date(argv[i]);
- if (date == (time_t)-1) {
- fprintf(stderr, "Invalid date specification \"%s\".\n",
- argv[i]);
- return -1;
- }
- oprinc->princ_expire_time = date;
- *mask |= KADM5_PRINC_EXPIRE_TIME;
- continue;
- }
- }
- if (strlen(argv[i]) == 9 &&
- !strcmp("-pwexpire", argv[i])) {
- if (++i > argc - 2)
- return -1;
- else {
- date = get_date(argv[i]);
- if (date == (time_t)-1) {
- fprintf(stderr, "Invalid date specification \"%s\".\n",
- argv[i]);
- return -1;
- }
- oprinc->pw_expiration = date;
- *mask |= KADM5_PW_EXPIRATION;
- continue;
- }
- }
- if (strlen(argv[i]) == 8 &&
- !strcmp("-maxlife", argv[i])) {
- if (++i > argc - 2)
- return -1;
- else {
- date = get_date(argv[i]);
- if (date == (time_t)-1) {
- fprintf(stderr, "Invalid date specification \"%s\".\n",
- argv[i]);
- return -1;
- }
- oprinc->max_life = date - now;
- *mask |= KADM5_MAX_LIFE;
- continue;
- }
- }
- if (strlen(argv[i]) == 13 &&
- !strcmp("-maxrenewlife", argv[i])) {
- if (++i > argc - 2)
- return -1;
- else {
- date = get_date(argv[i]);
- if (date == (time_t)-1) {
- fprintf(stderr, "Invalid date specification \"%s\".\n",
- argv[i]);
- return -1;
- }
- oprinc->max_renewable_life = date - now;
- *mask |= KADM5_MAX_RLIFE;
- continue;
- }
- }
- if (strlen(argv[i]) == 5 &&
- !strcmp("-kvno", argv[i])) {
- if (++i > argc - 2)
- return -1;
- else {
- oprinc->kvno = atoi(argv[i]);
- *mask |= KADM5_KVNO;
- continue;
- }
- }
- if (strlen(argv[i]) == 7 &&
- !strcmp("-policy", argv[i])) {
- if (++i > argc - 2)
- return -1;
- else {
- oprinc->policy = argv[i];
- *mask |= KADM5_POLICY;
- continue;
- }
- }
- if (strlen(argv[i]) == 12 &&
- !strcmp("-clearpolicy", argv[i])) {
- oprinc->policy = NULL;
- *mask |= KADM5_POLICY_CLR;
- continue;
- }
- if (strlen(argv[i]) == 3 &&
- !strcmp("-pw", argv[i])) {
- if (++i > argc - 2)
- return -1;
- else {
- *pass = argv[i];
- continue;
- }
- }
- if (strlen(argv[i]) == 8 &&
- !strcmp("-randkey", argv[i])) {
- ++*randkey;
- continue;
- }
+ attrib_set = 0;
+ if (strlen(argv[i]) == 2 && !strcmp("-x",argv[i])) {
+ if (++i > argc - 2)
+ return -1;
+
+ tl_data = malloc(sizeof(krb5_tl_data));
+ if (tl_data == NULL) {
+ fprintf(stderr, "Not enough memory\n");
+ exit(1);
+ }
+
+ memset(tl_data, 0, sizeof(krb5_tl_data));
+ tl_data->tl_data_type = KRB5_TL_DB_ARGS;
+ tl_data->tl_data_length = strlen(argv[i])+1;
+ tl_data->tl_data_contents = (krb5_octet *) strdup(argv[i]);
+
+ if (tail) {
+ tail->tl_data_next = tl_data;
+ } else {
+ oprinc->tl_data = tl_data;
+ }
+ tail = tl_data;
+ oprinc->n_tl_data++;
+
+ if (tl_data->tl_data_contents == NULL) {
+ fprintf(stderr, "Not enough memory\n");
+ exit(1);
+ }
+ *mask |= KADM5_TL_DATA;
+ continue;
+ }
+ if (strlen(argv[i]) == 7 && !strcmp("-expire", argv[i])) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ date = get_date(argv[i]);
+ if (date == (time_t)-1) {
+ fprintf(stderr, "Invalid date specification \"%s\".\n",
+ argv[i]);
+ return -1;
+ }
+ oprinc->princ_expire_time = date;
+ *mask |= KADM5_PRINC_EXPIRE_TIME;
+ continue;
+ }
+ }
+ if (strlen(argv[i]) == 9 && !strcmp("-pwexpire", argv[i])) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ date = get_date(argv[i]);
+ if (date == (time_t)-1) {
+ fprintf(stderr, "Invalid date specification \"%s\".\n",
+ argv[i]);
+ return -1;
+ }
+ oprinc->pw_expiration = date;
+ *mask |= KADM5_PW_EXPIRATION;
+ continue;
+ }
+ }
+ if (strlen(argv[i]) == 8 && !strcmp("-maxlife", argv[i])) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ date = get_date(argv[i]);
+ if (date == (time_t)-1) {
+ fprintf(stderr, "Invalid date specification \"%s\".\n",
+ argv[i]);
+ return -1;
+ }
+ oprinc->max_life = date - now;
+ *mask |= KADM5_MAX_LIFE;
+ continue;
+ }
+ }
+ if (strlen(argv[i]) == 13 && !strcmp("-maxrenewlife", argv[i])) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ date = get_date(argv[i]);
+ if (date == (time_t)-1) {
+ fprintf(stderr, "Invalid date specification \"%s\".\n",
+ argv[i]);
+ return -1;
+ }
+ oprinc->max_renewable_life = date - now;
+ *mask |= KADM5_MAX_RLIFE;
+ continue;
+ }
+ }
+ if (strlen(argv[i]) == 5 && !strcmp("-kvno", argv[i])) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ oprinc->kvno = atoi(argv[i]);
+ *mask |= KADM5_KVNO;
+ continue;
+ }
+ }
+ if (strlen(argv[i]) == 7 && !strcmp("-policy", argv[i])) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ oprinc->policy = argv[i];
+ *mask |= KADM5_POLICY;
+ continue;
+ }
+ }
+ if (strlen(argv[i]) == 12 && !strcmp("-clearpolicy", argv[i])) {
+ oprinc->policy = NULL;
+ *mask |= KADM5_POLICY_CLR;
+ continue;
+ }
+ if (strlen(argv[i]) == 3 && !strcmp("-pw", argv[i])) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ *pass = argv[i];
+ continue;
+ }
+ }
+ if (strlen(argv[i]) == 8 && !strcmp("-randkey", argv[i])) {
+ *randkey = TRUE;
+ continue;
+ }
#if APPLE_PKINIT
- if (strlen(argv[i]) == 9 &&
- !strcmp("-certhash", argv[i])) {
- if (++i > argc - 2)
- return -1;
- else {
- *cert_hash = argv[i];
- continue;
- }
- }
+ if (strlen(argv[i]) == 9 && !strcmp("-certhash", argv[i])) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ *cert_hash = argv[i];
+ continue;
+ }
+ }
#endif /* APPLE_PKINIT */
- if (!strcmp("-e", argv[i])) {
- if (++i > argc - 2)
- return -1;
- else {
- retval = krb5_string_to_keysalts(argv[i], ", \t", ":.-", 0,
- ks_tuple, n_ks_tuple);
- if (retval) {
- com_err(caller, retval,
- "while parsing keysalts %s", argv[i]);
- return -1;
- }
- }
- continue;
- }
- for (j = 0; j < sizeof (flags) / sizeof (struct pflag); j++) {
- if (strlen(argv[i]) == flags[j].flaglen + 1 &&
- !strcmp(flags[j].flagname,
- &argv[i][1] /* strip off leading + or - */)) {
- if ((flags[j].set && argv[i][0] == '-') ||
- (!flags[j].set && argv[i][0] == '+')) {
- oprinc->attributes |= flags[j].theflag;
- *mask |= KADM5_ATTRIBUTES;
- attrib_set++;
- break;
- } else if ((flags[j].set && argv[i][0] == '+') ||
- (!flags[j].set && argv[i][0] == '-')) {
- oprinc->attributes &= ~flags[j].theflag;
- *mask |= KADM5_ATTRIBUTES;
- attrib_set++;
- break;
- } else {
- return -1;
- }
- }
- }
- if (!attrib_set)
- return -1; /* nothing was parsed */
- }
- if (i != argc - 1) {
- return -1;
+ if (!strcmp("-e", argv[i])) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ retval = krb5_string_to_keysalts(argv[i], ", \t", ":.-", 0,
+ ks_tuple, n_ks_tuple);
+ if (retval) {
+ com_err(caller, retval,
+ "while parsing keysalts %s", argv[i]);
+ return -1;
+ }
+ }
+ continue;
+ }
+ for (j = 0; j < sizeof(flags) / sizeof(struct pflag); j++) {
+ if (strlen(argv[i]) == flags[j].flaglen + 1 &&
+ !strcmp(flags[j].flagname,
+ &argv[i][1] /* strip off leading + or - */)) {
+ if ((flags[j].set && argv[i][0] == '-') ||
+ (!flags[j].set && argv[i][0] == '+')) {
+ oprinc->attributes |= flags[j].theflag;
+ *mask |= KADM5_ATTRIBUTES;
+ attrib_set++;
+ break;
+ } else if ((flags[j].set && argv[i][0] == '+') ||
+ (!flags[j].set && argv[i][0] == '-')) {
+ oprinc->attributes &= ~flags[j].theflag;
+ *mask |= KADM5_ATTRIBUTES;
+ attrib_set++;
+ break;
+ } else {
+ return -1;
+ }
+ }
+ }
+ if (!attrib_set)
+ return -1; /* nothing was parsed */
}
+ if (i != argc - 1)
+ return -1;
retval = kadmin_parse_name(argv[i], &oprinc->principal);
if (retval) {
- com_err(caller, retval, "while parsing principal");
- return -1;
+ com_err(caller, retval, "while parsing principal");
+ return -1;
}
return 0;
}
static void
-kadmin_addprinc_usage(func)
- char *func;
+kadmin_addprinc_usage()
{
- fprintf(stderr, "usage: %s [options] principal\n", func);
+ fprintf(stderr, "usage: add_principal [options] principal\n");
fprintf(stderr, "\toptions are:\n");
- fprintf(stderr, "\t\t[-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]\n\t\t[-kvno kvno] [-policy policy] [-clearpolicy] [-randkey]\n\t\t[-pw password] [-maxrenewlife maxrenewlife]\n\t\t[-e keysaltlist]\n\t\t[{+|-}attribute]\n"
+ fprintf(stderr, "\t\t[-x db_princ_args]* [-expire expdate] "
+ "[-pwexpire pwexpdate] [-maxlife maxtixlife]\n"
+ "\t\t[-kvno kvno] [-policy policy] [-clearpolicy] [-randkey]\n"
+ "\t\t[-pw password] [-maxrenewlife maxrenewlife]\n"
+ "\t\t[-e keysaltlist]\n\t\t[{+|-}attribute]\n"
#if APPLE_PKINIT
"\t\t[-certhash hash_string]\n"
#endif /* APPLE_PKINIT */
);
fprintf(stderr, "\tattributes are:\n");
fprintf(stderr, "%s%s%s",
- "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
- "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
- "\t\trequires_hwauth needchange allow_svr password_changing_service\n"
- "\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n"
- "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
- "\t\t\tLook at each database documentation for supported arguments\n");
+ "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
+ "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
+ "\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n"
+ "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
+ "\t\t\tLook at each database documentation for supported arguments\n");
}
static void
-kadmin_modprinc_usage(func)
- char *func;
+kadmin_modprinc_usage()
{
- fprintf(stderr, "usage: %s [options] principal\n", func);
+ fprintf(stderr, "usage: modify_principal [options] principal\n");
fprintf(stderr, "\toptions are:\n");
fprintf(stderr, "\t\t[-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]\n\t\t[-kvno kvno] [-policy policy] [-clearpolicy]\n\t\t[-maxrenewlife maxrenewlife] [{+|-}attribute]\n");
fprintf(stderr, "\tattributes are:\n");
fprintf(stderr, "%s%s%s",
- "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
- "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
- "\t\trequires_hwauth needchange allow_svr password_changing_service\n"
- "\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n"
- "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
- "\t\t\tLook at each database documentation for supported arguments\n"
- );
+ "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
+ "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
+ "\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n"
+ "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
+ "\t\t\tLook at each database documentation for supported arguments\n"
+ );
+}
+
+/* Create a dummy password for old-style (pre-1.8) randkey creation. */
+static void
+prepare_dummy_password(char *buf, size_t sz)
+{
+ size_t i;
+
+ /* Must try to pass any password policy in place, and be valid UTF-8. */
+ strlcpy(buf, "6F a[", sz);
+ for (i = strlen(buf); i < sz - 1; i++)
+ buf[i] = 'a' + (i % 26);
+ buf[sz - 1] = '\0';
}
-void kadmin_addprinc(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_addprinc(int argc, char *argv[])
{
kadm5_principal_ent_rec princ;
kadm5_policy_ent_rec defpol;
long mask;
- int randkey = 0, i;
+ krb5_boolean randkey = FALSE, old_style_randkey = FALSE;
int n_ks_tuple;
- krb5_key_salt_tuple *ks_tuple;
- char *pass, *canon;
+ krb5_key_salt_tuple *ks_tuple = NULL;
+ char *pass, *canon = NULL;
krb5_error_code retval;
char newpw[1024], dummybuf[256];
static char prompt1[1024], prompt2[1024];
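Review bot: prepare_dummy_password now produces a fixed, fully predictable string in place of the random()-filled buffer it replaces, and its header comment does not say so; the contract should be explicit, e.g. `/* The result is constant and publicly known; it is only acceptable for a principal that is created with KRB5_KDB_DISALLOW_ALL_TIX and re-keyed immediately afterwards. */`. The helper also misbehaves for sz == 0: `sz - 1` wraps as size_t, so the loop bound and the final `buf[sz - 1]` store go out of bounds; a guard `if (sz == 0) return;` before the strlcpy keeps it safe for callers other than the sizeof(dummybuf) one. Separately, the rewritten -x branch of kadmin_parse_princ_args stores `strlen(argv[i])+1` into tl_data_length, which I believe is a 16-bit field in krb5_tl_data, so an over-long db argument keeps its full contents but a silently truncated length; rejecting such an argument with a usage error would close that gap.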
char *cert_hash = NULL;
#endif /* APPLE_PKINIT */
- /*
- dummybuf is used to give random key a password,
- random key entires are created with DISALLOW_ALL_TIX
- so lets give them a known password utf8 valid pasword
- */
- for (i = 0; i < sizeof(dummybuf) - 1; i++)
- dummybuf[i] = 'a' + (random() % 25);
- dummybuf[sizeof(dummybuf) - 1] = '\0';
-
/* Zero all fields in request structure */
memset(&princ, 0, sizeof(princ));
princ.attributes = 0;
- if (kadmin_parse_princ_args(argc, argv,
- &princ, &mask, &pass, &randkey,
- &ks_tuple, &n_ks_tuple,
+ if (kadmin_parse_princ_args(argc, argv, &princ, &mask, &pass, &randkey,
+ &ks_tuple, &n_ks_tuple,
#if APPLE_PKINIT
&cert_hash,
#endif /* APPLE_PKINIT */
- "add_principal")) {
- kadmin_addprinc_usage("add_principal");
- kadmin_free_tl_data(&princ); /* need to free ks_tuple also??? */
- return;
+ "add_principal")) {
+ kadmin_addprinc_usage();
+ goto cleanup;
}
#if APPLE_PKINIT
if(cert_hash != NULL) {
- fprintf(stderr,
+ fprintf(stderr,
"add_principal: -certhash not allowed; use modify_principal\n");
- return;
+ goto cleanup;
}
#endif /* APPLE_PKINIT */
retval = krb5_unparse_name(context, princ.principal, &canon);
if (retval) {
- com_err("add_principal",
- retval, "while canonicalizing principal");
- krb5_free_principal(context, princ.principal);
- if (ks_tuple != NULL)
- free(ks_tuple);
- kadmin_free_tl_data(&princ);
- return;
+ com_err("add_principal", retval, "while canonicalizing principal");
+ goto cleanup;
}
/*
* -clearpolicy was specified, then KADM5_POLICY_CLR should be
* unset, since it is never valid for kadm5_create_principal.
*/
- if ((! (mask & KADM5_POLICY)) &&
- (! (mask & KADM5_POLICY_CLR))) {
- if (! kadm5_get_policy(handle, "default", &defpol)) {
- fprintf(stderr,
- "NOTICE: no policy specified for %s; assigning \"default\"\n",
- canon);
- princ.policy = "default";
- mask |= KADM5_POLICY;
- (void) kadm5_free_policy_ent(handle, &defpol);
- } else
- fprintf(stderr,
- "WARNING: no policy specified for %s; defaulting to no policy\n",
- canon);
+ if (!(mask & KADM5_POLICY) && !(mask & KADM5_POLICY_CLR)) {
+ if (!kadm5_get_policy(handle, "default", &defpol)) {
+ fprintf(stderr, "NOTICE: no policy specified for %s; "
+ "assigning \"default\"\n", canon);
+ princ.policy = "default";
+ mask |= KADM5_POLICY;
+ kadm5_free_policy_ent(handle, &defpol);
+ } else
+ fprintf(stderr, "WARNING: no policy specified for %s; "
+ "defaulting to no policy\n", canon);
}
mask &= ~KADM5_POLICY_CLR;
- if (randkey) { /* do special stuff if -randkey specified */
- princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; /* set notix */
- mask |= KADM5_ATTRIBUTES;
- pass = dummybuf;
+ if (randkey) {
+ pass = NULL;
} else if (pass == NULL) {
- unsigned int sz = sizeof (newpw) - 1;
-
- snprintf(prompt1, sizeof(prompt1),
- "Enter password for principal \"%.900s\"",
- canon);
- snprintf(prompt2, sizeof(prompt2),
- "Re-enter password for principal \"%.900s\"",
- canon);
- retval = krb5_read_password(context, prompt1, prompt2,
- newpw, &sz);
- if (retval) {
- com_err("add_principal", retval,
- "while reading password for \"%s\".", canon);
- free(canon);
- krb5_free_principal(context, princ.principal);
- kadmin_free_tl_data(&princ);
- return;
- }
- pass = newpw;
+ unsigned int sz = sizeof(newpw) - 1;
+
+ snprintf(prompt1, sizeof(prompt1),
+ "Enter password for principal \"%s\"", canon);
+ snprintf(prompt2, sizeof(prompt2),
+ "Re-enter password for principal \"%s\"", canon);
+ retval = krb5_read_password(context, prompt1, prompt2, newpw, &sz);
+ if (retval) {
+ com_err("add_principal", retval,
+ "while reading password for \"%s\".", canon);
+ goto cleanup;
+ }
+ pass = newpw;
}
mask |= KADM5_PRINCIPAL;
- if (ks_tuple != NULL) {
- retval = kadm5_create_principal_3(handle, &princ, mask,
- n_ks_tuple, ks_tuple, pass);
- } else {
- retval = kadm5_create_principal(handle, &princ, mask, pass);
+ retval = create_princ(&princ, mask, n_ks_tuple, ks_tuple, pass);
+ if (retval == EINVAL && randkey) {
+ /*
+ * The server doesn't support randkey creation. Create the principal
+ * with a dummy password and disallow tickets.
+ */
+ prepare_dummy_password(dummybuf, sizeof(dummybuf));
+ princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+ mask |= KADM5_ATTRIBUTES;
+ pass = dummybuf;
+ retval = create_princ(&princ, mask, n_ks_tuple, ks_tuple, pass);
+ old_style_randkey = 1;
}
if (retval) {
- com_err("add_principal", retval, "while creating \"%s\".",
- canon);
- krb5_free_principal(context, princ.principal);
- free(canon);
- if (ks_tuple != NULL)
- free(ks_tuple);
- kadmin_free_tl_data(&princ);
- return;
- }
- if (randkey) { /* more special stuff for -randkey */
- if (ks_tuple != NULL) {
- retval = kadm5_randkey_principal_3(handle, princ.principal,
- FALSE,
- n_ks_tuple, ks_tuple,
- NULL, NULL);
- } else {
- retval = kadm5_randkey_principal(handle, princ.principal,
- NULL, NULL);
- }
- if (retval) {
- com_err("add_principal", retval,
- "while randomizing key for \"%s\".", canon);
- krb5_free_principal(context, princ.principal);
- free(canon);
- if (ks_tuple != NULL)
- free(ks_tuple);
- kadmin_free_tl_data(&princ);
- return;
- }
- princ.attributes &= ~KRB5_KDB_DISALLOW_ALL_TIX; /* clear notix */
- mask = KADM5_ATTRIBUTES;
- retval = kadm5_modify_principal(handle, &princ, mask);
- if (retval) {
- com_err("add_principal", retval,
- "while clearing DISALLOW_ALL_TIX for \"%s\".", canon);
- krb5_free_principal(context, princ.principal);
- free(canon);
- if (ks_tuple != NULL)
- free(ks_tuple);
- kadmin_free_tl_data(&princ);
- return;
- }
+ com_err("add_principal", retval, "while creating \"%s\".", canon);
+ goto cleanup;
+ }
+ if (old_style_randkey) {
+ /* Randomize the password and re-enable tickets. */
+ retval = randkey_princ(princ.principal, FALSE, n_ks_tuple, ks_tuple);
+ if (retval) {
+ com_err("add_principal", retval,
+ "while randomizing key for \"%s\".", canon);
+ goto cleanup;
+ }
+ princ.attributes &= ~KRB5_KDB_DISALLOW_ALL_TIX; /* clear notix */
+ mask = KADM5_ATTRIBUTES;
+ retval = kadm5_modify_principal(handle, &princ, mask);
+ if (retval) {
+ com_err("add_principal", retval,
+ "while clearing DISALLOW_ALL_TIX for \"%s\".", canon);
+ goto cleanup;
+ }
}
- krb5_free_principal(context, princ.principal);
printf("Principal \"%s\" created.\n", canon);
- if (ks_tuple != NULL)
- free(ks_tuple);
+
+cleanup:
+ krb5_free_principal(context, princ.principal);
+ free(ks_tuple);
free(canon);
kadmin_free_tl_data(&princ);
-
}
-void kadmin_modprinc(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_modprinc(int argc, char *argv[])
{
kadm5_principal_ent_rec princ, oldprinc;
- krb5_principal kprinc;
+ krb5_principal kprinc = NULL;
long mask;
krb5_error_code retval;
- char *pass, *canon;
- int randkey = 0;
+ char *pass, *canon = NULL;
+ krb5_boolean randkey = FALSE;
int n_ks_tuple = 0;
- krb5_key_salt_tuple *ks_tuple;
+ krb5_key_salt_tuple *ks_tuple = NULL;
#if APPLE_PKINIT
char *cert_hash = NULL;
#endif /* APPLE_PKINIT */
if (argc < 2) {
- kadmin_modprinc_usage("modify_principal");
- return;
+ kadmin_modprinc_usage();
+ return;
}
memset(&oldprinc, 0, sizeof(oldprinc));
retval = kadmin_parse_name(argv[argc - 1], &kprinc);
if (retval) {
- com_err("modify_principal", retval, "while parsing principal");
- return;
+ com_err("modify_principal", retval, "while parsing principal");
+ return;
}
retval = krb5_unparse_name(context, kprinc, &canon);
if (retval) {
- com_err("modify_principal", retval,
- "while canonicalizing principal");
- krb5_free_principal(context, kprinc);
- return;
+ com_err("modify_principal", retval, "while canonicalizing principal");
+ goto cleanup;
}
retval = kadm5_get_principal(handle, kprinc, &oldprinc,
- KADM5_PRINCIPAL_NORMAL_MASK);
+ KADM5_PRINCIPAL_NORMAL_MASK);
if (retval) {
- com_err("modify_principal", retval, "while getting \"%s\".",
- canon);
- krb5_free_principal(context, kprinc);
- free(canon);
- return;
+ com_err("modify_principal", retval, "while getting \"%s\".", canon);
+ goto cleanup;
}
princ.attributes = oldprinc.attributes;
kadm5_free_principal_ent(handle, &oldprinc);
retval = kadmin_parse_princ_args(argc, argv,
- &princ, &mask,
- &pass, &randkey,
- &ks_tuple, &n_ks_tuple,
+ &princ, &mask,
+ &pass, &randkey,
+ &ks_tuple, &n_ks_tuple,
#if APPLE_PKINIT
&cert_hash,
#endif /* APPLE_PKINIT */
- "modify_principal");
- if (ks_tuple != NULL) {
- free(ks_tuple);
- kadmin_modprinc_usage("modify_principal");
- free(canon);
- krb5_free_principal(context, kprinc);
- kadmin_free_tl_data(&princ); /* Apple had this commented out. Why? */
- return;
- }
- if (retval) {
- kadmin_modprinc_usage("modify_principal");
- free(canon);
- krb5_free_principal(context, kprinc);
- kadmin_free_tl_data(&princ); /* Apple had this commented out. Why? */
- return;
- }
- if (randkey) {
- fprintf(stderr, "modify_principal: -randkey not allowed\n");
- krb5_free_principal(context, princ.principal);
- free(canon);
- krb5_free_principal(context, kprinc);
- kadmin_free_tl_data(&princ);
- return;
- }
- if (pass) {
- fprintf(stderr,
- "modify_principal: -pw not allowed; use change_password\n");
- krb5_free_principal(context, princ.principal);
- free(canon);
- krb5_free_principal(context, kprinc);
- kadmin_free_tl_data(&princ);
- return;
+ "modify_principal");
+ if (retval || ks_tuple != NULL || randkey || pass) {
+ kadmin_modprinc_usage();
+ goto cleanup;
}
#if APPLE_PKINIT
if (cert_hash) {
- /*
+ /*
* Use something other than the 1st preferred enctype here for fallback
* to pwd authentication
*/
krb5_key_salt_tuple key_salt = {ENCTYPE_ARCFOUR_HMAC, KRB5_KDB_SALTTYPE_CERTHASH};
krb5_keyblock keyblock;
kadm5_ret_t kadmin_rtn;
-
+
keyblock.magic = KV5M_KEYBLOCK;
keyblock.enctype = ENCTYPE_ARCFOUR_HMAC;
keyblock.length = strlen(cert_hash);
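Review bot: In the old-style randkey fallback of kadmin_addprinc, once the second create_princ has succeeded with the dummy password, a failure of randkey_princ jumps to cleanup and leaves the principal in the database with that constant, publicly known password; DISALLOW_ALL_TIX blocks ticket issuance, but the com_err text does not tell the administrator that the entry now exists in that state. Either delete the principal on that path or extend the message, e.g. `"while randomizing key for \"%s\" (principal exists with DISALLOW_ALL_TIX; re-key or delete it)"`. The prompted password in newpw is never cleared here, whereas kadmin_cpw does `memset(newpw, 0, sizeof(newpw));` right after the chpass call; adding that line at the cleanup label makes the two commands consistent. `old_style_randkey = 1;` assigns an int literal to a krb5_boolean that was initialised from FALSE; use TRUE. The `retval == EINVAL && randkey` test is the only signal that the server lacks randkey creation, so any other EINVAL from create_princ also triggers a second create with the dummy password — presumably intended, but worth a comment saying so.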
com_err("modify_principal", kadmin_rtn,
"while adding certhash for \"%s\".", canon);
printf("realm %s data %s\n", (char *)kprinc->realm.data, (char *)kprinc->data->data);
- free(canon);
- krb5_free_principal(context, princ.principal);
- krb5_free_principal(context, kprinc);
- return;
+ goto cleanup;
}
retval = 0;
}
#endif /* APPLE_PKINIT */
if (mask) {
- /* skip this if all we're doing is setting certhash */
- retval = kadm5_modify_principal(handle, &princ, mask);
+ /* Skip this if all we're doing is setting certhash. */
+ retval = kadm5_modify_principal(handle, &princ, mask);
}
- krb5_free_principal(context, kprinc);
- krb5_free_principal(context, princ.principal);
if (retval) {
- com_err("modify_principal", retval,
- "while modifying \"%s\".", canon);
- free(canon);
- kadmin_free_tl_data(&princ);
- return;
+ com_err("modify_principal", retval, "while modifying \"%s\".", canon);
+ goto cleanup;
}
printf("Principal \"%s\" modified.\n", canon);
+cleanup:
+ krb5_free_principal(context, kprinc);
+ krb5_free_principal(context, princ.principal);
kadmin_free_tl_data(&princ);
free(canon);
+ free(ks_tuple);
}
-void kadmin_getprinc(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_getprinc(int argc, char *argv[])
{
kadm5_principal_ent_rec dprinc;
- krb5_principal princ;
+ krb5_principal princ = NULL;
krb5_error_code retval;
- char *canon, *modcanon;
+ char *canon = NULL, *modcanon = NULL;
int i;
+ size_t j;
- if (! (argc == 2 ||
- (argc == 3 && !strcmp("-terse", argv[1])))) {
- fprintf(stderr, "usage: get_principal [-terse] principal\n");
- return;
+ if (!(argc == 2 || (argc == 3 && !strcmp("-terse", argv[1])))) {
+ fprintf(stderr, "usage: get_principal [-terse] principal\n");
+ return;
}
-
memset(&dprinc, 0, sizeof(dprinc));
- memset(&princ, 0, sizeof(princ));
retval = kadmin_parse_name(argv[argc - 1], &princ);
if (retval) {
- com_err("get_principal", retval, "while parsing principal");
- return;
+ com_err("get_principal", retval, "while parsing principal");
+ return;
}
retval = krb5_unparse_name(context, princ, &canon);
if (retval) {
- com_err("get_principal", retval, "while canonicalizing principal");
- krb5_free_principal(context, princ);
- return;
+ com_err("get_principal", retval, "while canonicalizing principal");
+ goto cleanup;
}
retval = kadm5_get_principal(handle, princ, &dprinc,
- KADM5_PRINCIPAL_NORMAL_MASK | KADM5_KEY_DATA);
- krb5_free_principal(context, princ);
+ KADM5_PRINCIPAL_NORMAL_MASK | KADM5_KEY_DATA);
if (retval) {
- com_err("get_principal", retval, "while retrieving \"%s\".", canon);
- free(canon);
- return;
+ com_err("get_principal", retval, "while retrieving \"%s\".", canon);
+ goto cleanup;
}
- free(canon);
- canon = NULL;
retval = krb5_unparse_name(context, dprinc.principal, &canon);
if (retval) {
- com_err("get_principal", retval, "while canonicalizing principal");
- kadm5_free_principal_ent(handle, &dprinc);
- return;
+ com_err("get_principal", retval, "while canonicalizing principal");
+ goto cleanup;
}
retval = krb5_unparse_name(context, dprinc.mod_name, &modcanon);
if (retval) {
- com_err("get_principal", retval, "while unparsing modname");
- kadm5_free_principal_ent(handle, &dprinc);
- free(canon);
- return;
+ com_err("get_principal", retval, "while unparsing modname");
+ goto cleanup;
}
if (argc == 2) {
- printf("Principal: %s\n", canon);
- printf("Expiration date: %s\n", dprinc.princ_expire_time ?
- strdate(dprinc.princ_expire_time) : "[never]");
- printf("Last password change: %s\n", dprinc.last_pwd_change ?
- strdate(dprinc.last_pwd_change) : "[never]");
- printf("Password expiration date: %s\n",
- dprinc.pw_expiration ?
- strdate(dprinc.pw_expiration) : "[none]");
- printf("Maximum ticket life: %s\n", strdur(dprinc.max_life));
- printf("Maximum renewable life: %s\n", strdur(dprinc.max_renewable_life));
- printf("Last modified: %s (%s)\n", strdate(dprinc.mod_date), modcanon);
- printf("Last successful authentication: %s\n",
- dprinc.last_success ? strdate(dprinc.last_success) :
- "[never]");
- printf("Last failed authentication: %s\n",
- dprinc.last_failed ? strdate(dprinc.last_failed) :
- "[never]");
- printf("Failed password attempts: %d\n",
- dprinc.fail_auth_count);
- printf("Number of keys: %d\n", dprinc.n_key_data);
- for (i = 0; i < dprinc.n_key_data; i++) {
- krb5_key_data *key_data = &dprinc.key_data[i];
- char enctype[BUFSIZ], salttype[BUFSIZ];
-
- if (krb5_enctype_to_string(key_data->key_data_type[0],
- enctype, sizeof(enctype)))
- snprintf(enctype, sizeof(enctype), "<Encryption type 0x%x>",
- key_data->key_data_type[0]);
- printf("Key: vno %d, %s, ", key_data->key_data_kvno, enctype);
- if (key_data->key_data_ver > 1) {
- if (krb5_salttype_to_string(key_data->key_data_type[1],
- salttype, sizeof(salttype)))
- snprintf(salttype, sizeof(salttype), "<Salt type 0x%x>",
- key_data->key_data_type[1]);
- printf("%s\n", salttype);
- } else
- printf("no salt\n");
- }
- printf("MKey: vno %d\n",
- dprinc.mkvno);
-
- printf("Attributes:");
- for (i = 0; i < sizeof (prflags) / sizeof (char *); i++) {
- if (dprinc.attributes & (krb5_flags) 1 << i)
- printf(" %s", prflags[i]);
- }
- printf("\n");
- printf("Policy: %s\n", dprinc.policy ? dprinc.policy : "[none]");
+ printf("Principal: %s\n", canon);
+ printf("Expiration date: %s\n", dprinc.princ_expire_time ?
+ strdate(dprinc.princ_expire_time) : "[never]");
+ printf("Last password change: %s\n", dprinc.last_pwd_change ?
+ strdate(dprinc.last_pwd_change) : "[never]");
+ printf("Password expiration date: %s\n",
+ dprinc.pw_expiration ?
+ strdate(dprinc.pw_expiration) : "[none]");
+ printf("Maximum ticket life: %s\n", strdur(dprinc.max_life));
+ printf("Maximum renewable life: %s\n",
+ strdur(dprinc.max_renewable_life));
+ printf("Last modified: %s (%s)\n", strdate(dprinc.mod_date), modcanon);
+ printf("Last successful authentication: %s\n",
+ dprinc.last_success ? strdate(dprinc.last_success) :
+ "[never]");
+ printf("Last failed authentication: %s\n",
+ dprinc.last_failed ? strdate(dprinc.last_failed) :
+ "[never]");
+ printf("Failed password attempts: %d\n",
+ dprinc.fail_auth_count);
+ printf("Number of keys: %d\n", dprinc.n_key_data);
+ for (i = 0; i < dprinc.n_key_data; i++) {
+ krb5_key_data *key_data = &dprinc.key_data[i];
+ char enctype[BUFSIZ], salttype[BUFSIZ];
+
+ if (krb5_enctype_to_string(key_data->key_data_type[0],
+ enctype, sizeof(enctype)))
+ snprintf(enctype, sizeof(enctype), "<Encryption type 0x%x>",
+ key_data->key_data_type[0]);
+ printf("Key: vno %d, %s, ", key_data->key_data_kvno, enctype);
+ if (key_data->key_data_ver > 1) {
+ if (krb5_salttype_to_string(key_data->key_data_type[1],
+ salttype, sizeof(salttype)))
+ snprintf(salttype, sizeof(salttype), "<Salt type 0x%x>",
+ key_data->key_data_type[1]);
+ printf("%s\n", salttype);
+ } else
+ printf("no salt\n");
+ }
+ printf("MKey: vno %d\n",
+ dprinc.mkvno);
+
+ printf("Attributes:");
+ for (j = 0; j < sizeof(prflags) / sizeof(char *); j++) {
+ if (dprinc.attributes & (krb5_flags) 1 << j)
+ printf(" %s", prflags[j]);
+ }
+ printf("\n");
+ printf("Policy: %s\n", dprinc.policy ? dprinc.policy : "[none]");
} else {
- printf("\"%s\"\t%d\t%d\t%d\t%d\t\"%s\"\t%d\t%d\t%d\t%d\t\"%s\""
- "\t%d\t%d\t%d\t%d\t%d",
- canon, dprinc.princ_expire_time, dprinc.last_pwd_change,
- dprinc.pw_expiration, dprinc.max_life, modcanon,
- dprinc.mod_date, dprinc.attributes, dprinc.kvno,
- dprinc.mkvno, dprinc.policy ? dprinc.policy : "[none]",
- dprinc.max_renewable_life, dprinc.last_success,
- dprinc.last_failed, dprinc.fail_auth_count,
- dprinc.n_key_data);
- for (i = 0; i < dprinc.n_key_data; i++)
- printf("\t%d\t%d\t%d\t%d",
- dprinc.key_data[i].key_data_ver,
- dprinc.key_data[i].key_data_kvno,
- dprinc.key_data[i].key_data_type[0],
- dprinc.key_data[i].key_data_type[1]);
- printf("\n");
- }
- free(modcanon);
+ printf("\"%s\"\t%d\t%d\t%d\t%d\t\"%s\"\t%d\t%d\t%d\t%d\t\"%s\""
+ "\t%d\t%d\t%d\t%d\t%d",
+ canon, dprinc.princ_expire_time, dprinc.last_pwd_change,
+ dprinc.pw_expiration, dprinc.max_life, modcanon,
+ dprinc.mod_date, dprinc.attributes, dprinc.kvno,
+ dprinc.mkvno, dprinc.policy ? dprinc.policy : "[none]",
+ dprinc.max_renewable_life, dprinc.last_success,
+ dprinc.last_failed, dprinc.fail_auth_count,
+ dprinc.n_key_data);
+ for (i = 0; i < dprinc.n_key_data; i++)
+ printf("\t%d\t%d\t%d\t%d",
+ dprinc.key_data[i].key_data_ver,
+ dprinc.key_data[i].key_data_kvno,
+ dprinc.key_data[i].key_data_type[0],
+ dprinc.key_data[i].key_data_type[1]);
+ printf("\n");
+ }
+cleanup:
+ krb5_free_principal(context, princ);
kadm5_free_principal_ent(handle, &dprinc);
+ free(modcanon);
free(canon);
}
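Review bot: The first `canon` returned by `krb5_unparse_name(context, princ, &canon)` is leaked, because the second `krb5_unparse_name(context, dprinc.principal, &canon)` overwrites the pointer and the removed `free(canon); canon = NULL;` pair was the only release of it. Reinstate those two lines immediately before the second unparse call so that the single `free(canon)` under `cleanup:` covers whichever buffer is live. The new `cleanup:` label otherwise looks correct: `princ`, `canon` and `modcanon` are NULL-initialised so the frees are safe on every early exit, and `dprinc` is zeroed before `kadm5_free_principal_ent` can see it (assuming that function tolerates an all-zero record, which the hunk does not show).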
-void kadmin_getprincs(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_getprincs(int argc, char *argv[])
{
krb5_error_code retval;
char *expr, **names;
int i, count;
expr = NULL;
- if (! (argc == 1 || (argc == 2 && (expr = argv[1])))) {
- fprintf(stderr, "usage: get_principals [expression]\n");
- return;
+ if (!(argc == 1 || (argc == 2 && (expr = argv[1])))) {
+ fprintf(stderr, "usage: get_principals [expression]\n");
+ return;
}
retval = kadm5_get_principals(handle, expr, &names, &count);
if (retval) {
- com_err("get_principals", retval, "while retrieving list.");
- return;
+ com_err("get_principals", retval, "while retrieving list.");
+ return;
}
for (i = 0; i < count; i++)
- printf("%s\n", names[i]);
+ printf("%s\n", names[i]);
kadm5_free_name_list(handle, names, count);
}
static int
-kadmin_parse_policy_args(argc, argv, policy, mask, caller)
- int argc;
- char *argv[];
- kadm5_policy_ent_t policy;
- long *mask;
- char *caller;
+kadmin_parse_policy_args(int argc, char *argv[], kadm5_policy_ent_t policy,
+ long *mask, char *caller)
{
int i;
- time_t now;
- time_t date;
+ time_t now, date;
time(&now);
*mask = 0;
for (i = 1; i < argc - 1; i++) {
- if (strlen(argv[i]) == 8 &&
- !strcmp(argv[i], "-maxlife")) {
- if (++i > argc -2)
- return -1;
- else {
- date = get_date(argv[i]);
- if (date == (time_t)-1) {
- fprintf(stderr, "Invalid date specification \"%s\".\n",
- argv[i]);
- return -1;
- }
- policy->pw_max_life = date - now;
- *mask |= KADM5_PW_MAX_LIFE;
- continue;
- }
- } else if (strlen(argv[i]) == 8 &&
- !strcmp(argv[i], "-minlife")) {
- if (++i > argc - 2)
- return -1;
- else {
- date = get_date(argv[i]);
- if (date == (time_t)-1) {
- fprintf(stderr, "Invalid date specification \"%s\".\n",
- argv[i]);
- return -1;
- }
- policy->pw_min_life = date - now;
- *mask |= KADM5_PW_MIN_LIFE;
- continue;
- }
- } else if (strlen(argv[i]) == 10 &&
- !strcmp(argv[i], "-minlength")) {
- if (++i > argc - 2)
- return -1;
- else {
- policy->pw_min_length = atoi(argv[i]);
- *mask |= KADM5_PW_MIN_LENGTH;
- continue;
- }
- } else if (strlen(argv[i]) == 11 &&
- !strcmp(argv[i], "-minclasses")) {
- if (++i > argc - 2)
- return -1;
- else {
- policy->pw_min_classes = atoi(argv[i]);
- *mask |= KADM5_PW_MIN_CLASSES;
- continue;
- }
- } else if (strlen(argv[i]) == 8 &&
- !strcmp(argv[i], "-history")) {
- if (++i > argc - 2)
- return -1;
- else {
- policy->pw_history_num = atoi(argv[i]);
- *mask |= KADM5_PW_HISTORY_NUM;
- continue;
- }
- } else
- return -1;
+ if (strlen(argv[i]) == 8 && !strcmp(argv[i], "-maxlife")) {
+ if (++i > argc -2)
+ return -1;
+ else {
+ date = get_date(argv[i]);
+ if (date == (time_t)-1) {
+ fprintf(stderr, "Invalid date specification \"%s\".\n",
+ argv[i]);
+ return -1;
+ }
+ policy->pw_max_life = date - now;
+ *mask |= KADM5_PW_MAX_LIFE;
+ continue;
+ }
+ } else if (strlen(argv[i]) == 8 && !strcmp(argv[i], "-minlife")) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ date = get_date(argv[i]);
+ if (date == (time_t)-1) {
+ fprintf(stderr, "Invalid date specification \"%s\".\n",
+ argv[i]);
+ return -1;
+ }
+ policy->pw_min_life = date - now;
+ *mask |= KADM5_PW_MIN_LIFE;
+ continue;
+ }
+ } else if (strlen(argv[i]) == 10 && !strcmp(argv[i], "-minlength")) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ policy->pw_min_length = atoi(argv[i]);
+ *mask |= KADM5_PW_MIN_LENGTH;
+ continue;
+ }
+ } else if (strlen(argv[i]) == 11 && !strcmp(argv[i], "-minclasses")) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ policy->pw_min_classes = atoi(argv[i]);
+ *mask |= KADM5_PW_MIN_CLASSES;
+ continue;
+ }
+ } else if (strlen(argv[i]) == 8 && !strcmp(argv[i], "-history")) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ policy->pw_history_num = atoi(argv[i]);
+ *mask |= KADM5_PW_HISTORY_NUM;
+ continue;
+ }
+ } else
+ return -1;
}
if (i != argc -1) {
- fprintf(stderr, "%s: parser lost count!\n", caller);
- return -1;
+ fprintf(stderr, "%s: parser lost count!\n", caller);
+ return -1;
} else
- return 0;
+ return 0;
}
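Review bot: The `-minlength`, `-minclasses` and `-history` branches still feed the argument straight to `atoi()`, which turns any non-numeric or partially numeric value into 0 (or an unchecked overflow) and silently installs a weaker password policy than the administrator typed, e.g. `-minlength 1O` (letter O) becomes a minimum length of 0. Since the hunk already rewrites these lines, it is a good moment to validate with `strtol()` and an end-pointer check and reject the option on garbage, mirroring the `Invalid date specification` error the date branches already print. `errno` needs `<errno.h>`, which I cannot see from this hunk; drop the `errno` test if the file does not include it.
```c
/* Parse a non-negative decimal policy value; returns -1 on garbage or overflow. */
static long
parse_policy_num(const char *s)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v < 0)
        return -1;
    return v;
}
/* … unchanged: -maxlife / -minlife handling … */
        } else if (strlen(argv[i]) == 10 && !strcmp(argv[i], "-minlength")) {
            if (++i > argc - 2)
                return -1;
            policy->pw_min_length = parse_policy_num(argv[i]);
            if (policy->pw_min_length < 0) {
                fprintf(stderr, "Invalid number \"%s\".\n", argv[i]);
                return -1;
            }
            *mask |= KADM5_PW_MIN_LENGTH;
            continue;
/* … unchanged: -minclasses and -history follow the same pattern … */
```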
static void
-kadmin_addmodpol_usage(func)
- char *func;
+kadmin_addmodpol_usage(char *func)
{
fprintf(stderr, "usage; %s [options] policy\n", func);
fprintf(stderr, "\toptions are:\n");
fprintf(stderr, "\t\t[-maxlife time] [-minlife time] [-minlength length]\n\t\t[-minclasses number] [-history number]\n");
}
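Review bot: The user-facing usage string still reads `usage; %s [options] policy` with a semicolon, while every other usage message in this file uses `usage:`; since the hunk touches this function anyway, change it to `fprintf(stderr, "usage: %s [options] policy\n", func);`. Consider also making `func` a `const char *`, as the function only passes it to `fprintf`.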
-void kadmin_addpol(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_addpol(int argc, char *argv[])
{
krb5_error_code retval;
long mask;
memset(&policy, 0, sizeof(policy));
if (kadmin_parse_policy_args(argc, argv, &policy, &mask, "add_policy")) {
- kadmin_addmodpol_usage("add_policy");
- return;
- } else {
- policy.policy = argv[argc - 1];
- mask |= KADM5_POLICY;
- retval = kadm5_create_policy(handle, &policy, mask);
- if (retval) {
- com_err("add_policy", retval, "while creating policy \"%s\".",
- policy.policy);
- return;
- }
- }
- return;
+ kadmin_addmodpol_usage("add_policy");
+ return;
+ }
+ policy.policy = argv[argc - 1];
+ mask |= KADM5_POLICY;
+ retval = kadm5_create_policy(handle, &policy, mask);
+ if (retval) {
+ com_err("add_policy", retval, "while creating policy \"%s\".",
+ policy.policy);
+ }
}
-void kadmin_modpol(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_modpol(int argc, char *argv[])
{
krb5_error_code retval;
long mask;
memset(&policy, 0, sizeof(policy));
if (kadmin_parse_policy_args(argc, argv, &policy, &mask,
- "modify_policy")) {
- kadmin_addmodpol_usage("modify_policy");
- return;
- } else {
- policy.policy = argv[argc - 1];
- retval = kadm5_modify_policy(handle, &policy, mask);
- if (retval) {
- com_err("modify_policy", retval, "while modifying policy \"%s\".",
- policy.policy);
- return;
- }
- }
- return;
+ "modify_policy")) {
+ kadmin_addmodpol_usage("modify_policy");
+ return;
+ }
+ policy.policy = argv[argc - 1];
+ retval = kadm5_modify_policy(handle, &policy, mask);
+ if (retval) {
+ com_err("modify_policy", retval, "while modifying policy \"%s\".",
+ policy.policy);
+ }
}
-void kadmin_delpol(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_delpol(int argc, char *argv[])
{
krb5_error_code retval;
char reply[5];
- if (! (argc == 2 ||
- (argc == 3 && !strcmp("-force", argv[1])))) {
- fprintf(stderr, "usage: delete_policy [-force] policy\n");
- return;
+ if (!(argc == 2 || (argc == 3 && !strcmp("-force", argv[1])))) {
+ fprintf(stderr, "usage: delete_policy [-force] policy\n");
+ return;
}
if (argc == 2) {
- printf("Are you sure you want to delete the policy \"%s\"? (yes/no): ", argv[1]);
- fgets(reply, sizeof (reply), stdin);
- if (strcmp("yes\n", reply)) {
- fprintf(stderr, "Policy \"%s\" not deleted.\n", argv[1]);
- return;
- }
+ printf("Are you sure you want to delete the policy \"%s\"? (yes/no): ",
+ argv[1]);
+ fgets(reply, sizeof(reply), stdin);
+ if (strcmp("yes\n", reply)) {
+ fprintf(stderr, "Policy \"%s\" not deleted.\n", argv[1]);
+ return;
+ }
}
retval = kadm5_delete_policy(handle, argv[argc - 1]);
if (retval) {
- com_err("delete_policy:", retval, "while deleting policy \"%s\"",
- argv[argc - 1]);
- return;
+ com_err("delete_policy:", retval, "while deleting policy \"%s\"",
+ argv[argc - 1]);
}
- return;
}
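Review bot: The return value of `fgets(reply, sizeof(reply), stdin)` is ignored, so on EOF or a read error `reply` is left uninitialised and `strcmp("yes\n", reply)` compares against indeterminate bytes before a destructive `kadm5_delete_policy`. A confirmation prompt should fail closed: `if (fgets(reply, sizeof(reply), stdin) == NULL || strcmp("yes\n", reply)) {` keeps the "not deleted" path on any non-answer. Note also that a 5-byte `reply` only matches an exact `yes\n`; longer input such as `yes please` is truncated to `yes ` and correctly refused, which is worth a one-line comment so nobody "fixes" the buffer size.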
-void kadmin_getpol(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_getpol(int argc, char *argv[])
{
krb5_error_code retval;
kadm5_policy_ent_rec policy;
- if (! (argc == 2 ||
- (argc == 3 && !strcmp("-terse", argv[1])))) {
- fprintf(stderr, "usage: get_policy [-terse] policy\n");
- return;
+ if (!(argc == 2 || (argc == 3 && !strcmp("-terse", argv[1])))) {
+ fprintf(stderr, "usage: get_policy [-terse] policy\n");
+ return;
}
retval = kadm5_get_policy(handle, argv[argc - 1], &policy);
if (retval) {
- com_err("get_policy", retval, "while retrieving policy \"%s\".",
- argv[argc - 1]);
- return;
+ com_err("get_policy", retval, "while retrieving policy \"%s\".",
+ argv[argc - 1]);
+ return;
}
if (argc == 2) {
- printf("Policy: %s\n", policy.policy);
- printf("Maximum password life: %ld\n", policy.pw_max_life);
- printf("Minimum password life: %ld\n", policy.pw_min_life);
- printf("Minimum password length: %ld\n", policy.pw_min_length);
- printf("Minimum number of password character classes: %ld\n",
- policy.pw_min_classes);
- printf("Number of old keys kept: %ld\n", policy.pw_history_num);
- printf("Reference count: %ld\n", policy.policy_refcnt);
+ printf("Policy: %s\n", policy.policy);
+ printf("Maximum password life: %ld\n", policy.pw_max_life);
+ printf("Minimum password life: %ld\n", policy.pw_min_life);
+ printf("Minimum password length: %ld\n", policy.pw_min_length);
+ printf("Minimum number of password character classes: %ld\n",
+ policy.pw_min_classes);
+ printf("Number of old keys kept: %ld\n", policy.pw_history_num);
+ printf("Reference count: %ld\n", policy.policy_refcnt);
} else {
- printf("\"%s\"\t%ld\t%ld\t%ld\t%ld\t%ld\t%ld\n",
- policy.policy, policy.pw_max_life, policy.pw_min_life,
- policy.pw_min_length, policy.pw_min_classes,
- policy.pw_history_num, policy.policy_refcnt);
+ printf("\"%s\"\t%ld\t%ld\t%ld\t%ld\t%ld\t%ld\n",
+ policy.policy, policy.pw_max_life, policy.pw_min_life,
+ policy.pw_min_length, policy.pw_min_classes,
+ policy.pw_history_num, policy.policy_refcnt);
}
kadm5_free_policy_ent(handle, &policy);
- return;
}
-void kadmin_getpols(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_getpols(int argc, char *argv[])
{
krb5_error_code retval;
char *expr, **names;
int i, count;
expr = NULL;
- if (! (argc == 1 || (argc == 2 && (expr = argv[1])))) {
- fprintf(stderr, "usage: get_policies [expression]\n");
- return;
+ if (!(argc == 1 || (argc == 2 && (expr = argv[1])))) {
+ fprintf(stderr, "usage: get_policies [expression]\n");
+ return;
}
retval = kadm5_get_policies(handle, expr, &names, &count);
if (retval) {
- com_err("get_policies", retval, "while retrieving list.");
- return;
+ com_err("get_policies", retval, "while retrieving list.");
+ return;
}
for (i = 0; i < count; i++)
- printf("%s\n", names[i]);
+ printf("%s\n", names[i]);
kadm5_free_name_list(handle, names, count);
}
-void kadmin_getprivs(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_getprivs(int argc, char *argv[])
{
static char *privs[] = {"GET", "ADD", "MODIFY", "DELETE"};
krb5_error_code retval;
- int i;
+ size_t i;
long plist;
if (argc != 1) {
- fprintf(stderr, "usage: get_privs\n");
- return;
+ fprintf(stderr, "usage: get_privs\n");
+ return;
}
retval = kadm5_get_privs(handle, &plist);
if (retval) {
- com_err("get_privs", retval, "while retrieving privileges");
- return;
+ com_err("get_privs", retval, "while retrieving privileges");
+ return;
}
printf("current privileges:");
for (i = 0; i < sizeof (privs) / sizeof (char *); i++) {
- if (plist & 1 << i)
- printf(" %s", privs[i]);
+ if (plist & 1 << i)
+ printf(" %s", privs[i]);
}
printf("\n");
- return;
}
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
*
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
#include <adm_proto.h>
#include "kadmin.h"
-static int add_principal(void *lhandle, char *keytab_str, krb5_keytab keytab,
- krb5_boolean keepold,
- int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
- char *princ_str);
-static int remove_principal(char *keytab_str, krb5_keytab keytab, char
- *princ_str, char *kvno_str);
+static void add_principal(void *lhandle, char *keytab_str, krb5_keytab keytab,
+ krb5_boolean keepold,
+ int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
+ char *princ_str);
+static void remove_principal(char *keytab_str, krb5_keytab keytab,
+ char *princ_str, char *kvno_str);
static char *etype_string(krb5_enctype enctype);
static int quiet;
static int norandkey;
#endif
-static void add_usage()
+static void
+add_usage()
{
#ifdef KADMIN_LOCAL
- fprintf(stderr, "Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [-norandkey] [principal | -glob princ-exp] [...]\n");
+ fprintf(stderr, "Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [-norandkey] [principal | -glob princ-exp] [...]\n");
#else
- fprintf(stderr, "Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [principal | -glob princ-exp] [...]\n");
+ fprintf(stderr, "Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [principal | -glob princ-exp] [...]\n");
#endif
}
-
-static void rem_usage()
+
+static void
+rem_usage()
{
- fprintf(stderr, "Usage: ktremove [-k[eytab] keytab] [-q] principal [kvno|\"all\"|\"old\"]\n");
+ fprintf(stderr, "Usage: ktremove [-k[eytab] keytab] [-q] principal [kvno|\"all\"|\"old\"]\n");
}
-static int process_keytab(krb5_context my_context, char **keytab_str,
- krb5_keytab *keytab)
+static int
+process_keytab(krb5_context my_context, char **keytab_str,
+ krb5_keytab *keytab)
{
- int code;
-
- if (*keytab_str == NULL) {
- /* XXX krb5_defkeyname is an internal library global and
- should go away */
- if (! (*keytab_str = strdup(krb5_defkeyname))) {
- com_err(whoami, ENOMEM, "while creating keytab name");
- return 1;
- }
- code = krb5_kt_default(my_context, keytab);
- if (code != 0) {
- com_err(whoami, code, "while opening default keytab");
- free(*keytab_str);
- return 1;
- }
- } else {
- if (strchr(*keytab_str, ':') != NULL) {
- *keytab_str = strdup(*keytab_str);
- if (*keytab_str == NULL) {
- com_err(whoami, ENOMEM, "while creating keytab name");
- return 1;
- }
- } else {
- if (asprintf(keytab_str, "WRFILE:%s", *keytab_str) < 0) {
- *keytab_str = NULL;
- com_err(whoami, ENOMEM, "while creating keytab name");
- return 1;
- }
- }
-
- code = krb5_kt_resolve(my_context, *keytab_str, keytab);
- if (code != 0) {
- com_err(whoami, code, "while resolving keytab %s", *keytab_str);
- free(keytab_str);
- return 1;
- }
- }
-
- return 0;
+ int code;
+ char *name = *keytab_str;
+
+ if (name == NULL) {
+ /* XXX krb5_defkeyname is an internal library global and
+ should go away */
+ name = strdup(krb5_defkeyname);
+ if (!name) {
+ com_err(whoami, ENOMEM, "while creating keytab name");
+ return 1;
+ }
+ code = krb5_kt_default(my_context, keytab);
+ if (code != 0) {
+ com_err(whoami, code, "while opening default keytab");
+ free(name);
+ return 1;
+ }
+ } else {
+ if (strchr(name, ':') != NULL)
+ name = strdup(name);
+ else if (asprintf(&name, "WRFILE:%s", name) < 0)
+ name = NULL;
+ if (name == NULL) {
+ com_err(whoami, ENOMEM, "while creating keytab name");
+ return 1;
+ }
+
+ code = krb5_kt_resolve(my_context, name, keytab);
+ if (code != 0) {
+ com_err(whoami, code, "while resolving keytab %s", name);
+ free(name);
+ return 1;
+ }
+ }
+
+ *keytab_str = name;
+ return 0;
}
-
-void kadmin_keytab_add(int argc, char **argv)
+void
+kadmin_keytab_add(int argc, char **argv)
{
- krb5_keytab keytab = 0;
- char *keytab_str = NULL, **princs;
- int code, num, i;
- krb5_error_code retval;
- int n_ks_tuple = 0;
- krb5_boolean keepold = FALSE;
- krb5_key_salt_tuple *ks_tuple = NULL;
-
- argc--; argv++;
- quiet = 0;
+ krb5_keytab keytab = 0;
+ char *keytab_str = NULL, **princs;
+ int code, num, i;
+ krb5_error_code retval;
+ int n_ks_tuple = 0;
+ krb5_boolean keepold = FALSE;
+ krb5_key_salt_tuple *ks_tuple = NULL;
+
+ argc--; argv++;
+ quiet = 0;
#ifdef KADMIN_LOCAL
- norandkey = 0;
+ norandkey = 0;
#endif
- while (argc) {
- if (strncmp(*argv, "-k", 2) == 0) {
- argc--; argv++;
- if (!argc || keytab_str) {
- add_usage();
- return;
- }
- keytab_str = *argv;
- } else if (strcmp(*argv, "-q") == 0) {
- quiet++;
+ while (argc) {
+ if (strncmp(*argv, "-k", 2) == 0) {
+ argc--; argv++;
+ if (!argc || keytab_str) {
+ add_usage();
+ return;
+ }
+ keytab_str = *argv;
+ } else if (strcmp(*argv, "-q") == 0) {
+ quiet++;
#ifdef KADMIN_LOCAL
} else if (strcmp(*argv, "-norandkey") == 0) {
- norandkey++;
+ norandkey++;
#endif
- } else if (strcmp(*argv, "-e") == 0) {
- argc--;
- if (argc < 1) {
- add_usage();
- return;
- }
- retval = krb5_string_to_keysalts(*++argv, ", \t", ":.-", 0,
- &ks_tuple, &n_ks_tuple);
- if (retval) {
- com_err("ktadd", retval, "while parsing keysalts %s",
- *argv);
-
- return;
- }
- } else
- break;
- argc--; argv++;
- }
-
- if (argc == 0) {
- add_usage();
- return;
- }
+ } else if (strcmp(*argv, "-e") == 0) {
+ argc--;
+ if (argc < 1) {
+ add_usage();
+ return;
+ }
+ retval = krb5_string_to_keysalts(*++argv, ", \t", ":.-", 0,
+ &ks_tuple, &n_ks_tuple);
+ if (retval) {
+ com_err("ktadd", retval, "while parsing keysalts %s",
+ *argv);
+
+ return;
+ }
+ } else
+ break;
+ argc--; argv++;
+ }
+
+ if (argc == 0) {
+ add_usage();
+ return;
+ }
#ifdef KADMIN_LOCAL
- if (norandkey && ks_tuple) {
- fprintf(stderr, "cannot specify keysaltlist when not changing key\n");
- return;
- }
+ if (norandkey && ks_tuple) {
+ fprintf(stderr, "cannot specify keysaltlist when not changing key\n");
+ return;
+ }
#endif
- if (process_keytab(context, &keytab_str, &keytab))
- return;
-
- while (*argv) {
- if (strcmp(*argv, "-glob") == 0) {
- if (*++argv == NULL) {
- add_usage();
- break;
- }
-
- code = kadm5_get_principals(handle, *argv, &princs, &num);
- if (code) {
- com_err(whoami, code, "while expanding expression \"%s\".",
- *argv);
- argv++;
- continue;
- }
-
- for (i = 0; i < num; i++)
- (void) add_principal(handle, keytab_str, keytab,
- keepold, n_ks_tuple, ks_tuple,
- princs[i]);
- kadm5_free_name_list(handle, princs, num);
- } else
- (void) add_principal(handle, keytab_str, keytab,
- keepold, n_ks_tuple, ks_tuple,
- *argv);
- argv++;
- }
-
- code = krb5_kt_close(context, keytab);
- if (code != 0)
- com_err(whoami, code, "while closing keytab");
-
- free(keytab_str);
+ if (process_keytab(context, &keytab_str, &keytab))
+ return;
+
+ while (*argv) {
+ if (strcmp(*argv, "-glob") == 0) {
+ if (*++argv == NULL) {
+ add_usage();
+ break;
+ }
+
+ code = kadm5_get_principals(handle, *argv, &princs, &num);
+ if (code) {
+ com_err(whoami, code, "while expanding expression \"%s\".",
+ *argv);
+ argv++;
+ continue;
+ }
+
+ for (i = 0; i < num; i++)
+ add_principal(handle, keytab_str, keytab, keepold,
+ n_ks_tuple, ks_tuple, princs[i]);
+ kadm5_free_name_list(handle, princs, num);
+ } else {
+ add_principal(handle, keytab_str, keytab, keepold,
+ n_ks_tuple, ks_tuple, *argv);
+ argv++;
+ }
+ }
+
+ code = krb5_kt_close(context, keytab);
+ if (code != 0)
+ com_err(whoami, code, "while closing keytab");
+
+ free(keytab_str);
}
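Review bot: `ks_tuple`, allocated by `krb5_string_to_keysalts` in the `-e` branch, is never freed: not at the end next to `free(keytab_str)`, not on the `add_usage()` / `norandkey && ks_tuple` / `process_keytab` early returns, and a second `-e` silently overwrites and leaks the first array. Add `free(ks_tuple);` after `free(keytab_str);` and either free it on each early return or, like the `kadmin_modprinc` hunk above, route them through a single `cleanup:` label. Separately, `keepold` is initialised to FALSE and never assigned in this function, so `add_principal` can only reach `kadm5_randkey_principal_3` via `ks_tuple`; a short comment (or dropping the parameter) would make that intent clear.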
-void kadmin_keytab_remove(int argc, char **argv)
+void
+kadmin_keytab_remove(int argc, char **argv)
{
- krb5_keytab keytab = 0;
- char *keytab_str = NULL;
- int code;
-
- argc--; argv++;
- quiet = 0;
- while (argc) {
- if (strncmp(*argv, "-k", 2) == 0) {
- argc--; argv++;
- if (!argc || keytab_str) {
- rem_usage();
- return;
- }
- keytab_str = *argv;
- } else if (strcmp(*argv, "-q") == 0) {
- quiet++;
- } else
- break;
- argc--; argv++;
- }
-
- if (argc != 1 && argc != 2) {
- rem_usage();
- return;
- }
- if (process_keytab(context, &keytab_str, &keytab))
- return;
-
- (void) remove_principal(keytab_str, keytab, argv[0], argv[1]);
-
- code = krb5_kt_close(context, keytab);
- if (code != 0)
- com_err(whoami, code, "while closing keytab");
-
- free(keytab_str);
+ krb5_keytab keytab = 0;
+ char *keytab_str = NULL;
+ int code;
+
+ argc--; argv++;
+ quiet = 0;
+ while (argc) {
+ if (strncmp(*argv, "-k", 2) == 0) {
+ argc--; argv++;
+ if (!argc || keytab_str) {
+ rem_usage();
+ return;
+ }
+ keytab_str = *argv;
+ } else if (strcmp(*argv, "-q") == 0) {
+ quiet++;
+ } else
+ break;
+ argc--; argv++;
+ }
+
+ if (argc != 1 && argc != 2) {
+ rem_usage();
+ return;
+ }
+ if (process_keytab(context, &keytab_str, &keytab))
+ return;
+
+ remove_principal(keytab_str, keytab, argv[0], argv[1]);
+
+ code = krb5_kt_close(context, keytab);
+ if (code != 0)
+ com_err(whoami, code, "while closing keytab");
+
+ free(keytab_str);
}
-static
-int add_principal(void *lhandle, char *keytab_str, krb5_keytab keytab,
- krb5_boolean keepold, int n_ks_tuple,
- krb5_key_salt_tuple *ks_tuple,
- char *princ_str)
+static void
+add_principal(void *lhandle, char *keytab_str, krb5_keytab keytab,
+ krb5_boolean keepold, int n_ks_tuple,
+ krb5_key_salt_tuple *ks_tuple, char *princ_str)
{
- kadm5_principal_ent_rec princ_rec;
- krb5_principal princ;
- krb5_keytab_entry new_entry;
- krb5_keyblock *keys;
- int code, nkeys, i;
+ kadm5_principal_ent_rec princ_rec;
+ krb5_principal princ = NULL;
+ krb5_keytab_entry new_entry;
+ krb5_keyblock *keys;
+ int code, nkeys, i;
- (void) memset(&princ_rec, 0, sizeof(princ_rec));
+ memset(&princ_rec, 0, sizeof(princ_rec));
- princ = NULL;
- keys = NULL;
- nkeys = 0;
+ princ = NULL;
+ keys = NULL;
+ nkeys = 0;
- code = krb5_parse_name(context, princ_str, &princ);
- if (code != 0) {
- com_err(whoami, code, "while parsing -add principal name %s",
- princ_str);
- goto cleanup;
- }
+ code = krb5_parse_name(context, princ_str, &princ);
+ if (code != 0) {
+ com_err(whoami, code, "while parsing -add principal name %s",
+ princ_str);
+ goto cleanup;
+ }
#ifdef KADMIN_LOCAL
- if (norandkey)
- code = kadm5_get_principal_keys(handle, princ, &keys, &nkeys);
- else
+ if (norandkey)
+ code = kadm5_get_principal_keys(handle, princ, &keys, &nkeys);
+ else
#endif
- if (keepold || ks_tuple != NULL) {
- code = kadm5_randkey_principal_3(lhandle, princ,
- keepold, n_ks_tuple, ks_tuple,
- &keys, &nkeys);
- } else {
- code = kadm5_randkey_principal(lhandle, princ, &keys, &nkeys);
- }
- if (code != 0) {
- if (code == KADM5_UNK_PRINC) {
- fprintf(stderr, "%s: Principal %s does not exist.\n",
- whoami, princ_str);
- } else
- com_err(whoami, code, "while changing %s's key",
- princ_str);
- goto cleanup;
- }
-
- code = kadm5_get_principal(lhandle, princ, &princ_rec,
- KADM5_PRINCIPAL_NORMAL_MASK);
- if (code != 0) {
- com_err(whoami, code, "while retrieving principal");
- goto cleanup;
- }
-
- for (i = 0; i < nkeys; i++) {
- memset(&new_entry, 0, sizeof(new_entry));
- new_entry.principal = princ;
- new_entry.key = keys[i];
- new_entry.vno = princ_rec.kvno;
-
- code = krb5_kt_add_entry(context, keytab, &new_entry);
- if (code != 0) {
- com_err(whoami, code, "while adding key to keytab");
- (void) kadm5_free_principal_ent(lhandle, &princ_rec);
- goto cleanup;
- }
-
- if (!quiet)
- printf("Entry for principal %s with kvno %d, "
- "encryption type %s added to keytab %s.\n",
- princ_str, princ_rec.kvno,
- etype_string(keys[i].enctype), keytab_str);
- }
-
- code = kadm5_free_principal_ent(lhandle, &princ_rec);
- if (code != 0) {
- com_err(whoami, code, "while freeing principal entry");
- goto cleanup;
- }
+ if (keepold || ks_tuple != NULL) {
+ code = kadm5_randkey_principal_3(lhandle, princ, keepold,
+ n_ks_tuple, ks_tuple, &keys, &nkeys);
+ } else
+ code = kadm5_randkey_principal(lhandle, princ, &keys, &nkeys);
+ if (code != 0) {
+ if (code == KADM5_UNK_PRINC) {
+ fprintf(stderr, "%s: Principal %s does not exist.\n",
+ whoami, princ_str);
+ } else
+ com_err(whoami, code, "while changing %s's key", princ_str);
+ goto cleanup;
+ }
+
+ code = kadm5_get_principal(lhandle, princ, &princ_rec,
+ KADM5_PRINCIPAL_NORMAL_MASK);
+ if (code != 0) {
+ com_err(whoami, code, "while retrieving principal");
+ goto cleanup;
+ }
+
+ for (i = 0; i < nkeys; i++) {
+ memset(&new_entry, 0, sizeof(new_entry));
+ new_entry.principal = princ;
+ new_entry.key = keys[i];
+ new_entry.vno = princ_rec.kvno;
+
+ code = krb5_kt_add_entry(context, keytab, &new_entry);
+ if (code != 0) {
+ com_err(whoami, code, "while adding key to keytab");
+ kadm5_free_principal_ent(lhandle, &princ_rec);
+ goto cleanup;
+ }
+
+ if (!quiet) {
+ printf("Entry for principal %s with kvno %d, "
+ "encryption type %s added to keytab %s.\n",
+ princ_str, princ_rec.kvno,
+ etype_string(keys[i].enctype), keytab_str);
+ }
+ }
+
+ code = kadm5_free_principal_ent(lhandle, &princ_rec);
+ if (code != 0) {
+ com_err(whoami, code, "while freeing principal entry");
+ goto cleanup;
+ }
cleanup:
- if (nkeys) {
- for (i = 0; i < nkeys; i++)
- krb5_free_keyblock_contents(context, &keys[i]);
- free(keys);
- }
- if (princ)
- krb5_free_principal(context, princ);
-
- return code;
+ if (nkeys) {
+ for (i = 0; i < nkeys; i++)
+ krb5_free_keyblock_contents(context, &keys[i]);
+ free(keys);
+ }
+ krb5_free_principal(context, princ);
}
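Review bot: `princ` now gets `= NULL` at its declaration, so the later `princ = NULL;` assignment is a dead store carried over from the old layout; `keys = NULL;` and `nkeys = 0;` could likewise be folded into their declarations, which keeps the unconditional `krb5_free_principal(context, princ)` in cleanup obviously safe. One consequence of the randkey path that the rewrite does not call out: once `kadm5_randkey_principal` (or `_3`) has returned, the principal's keys are already replaced in the database, so a later `krb5_kt_add_entry` failure leaves the service with a stale keytab even though the command prints only "while adding key to keytab". A comment at that branch, e.g. `/* Keys were already rotated in the KDB above (except on the norandkey path); the keytab is now stale. */`, would make the operational impact clear to whoever reads the error.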
-int remove_principal(char *keytab_str, krb5_keytab keytab, char
- *princ_str, char *kvno_str)
+static void
+remove_principal(char *keytab_str, krb5_keytab keytab,
+ char *princ_str, char *kvno_str)
{
- krb5_principal princ;
- krb5_keytab_entry entry;
- krb5_kt_cursor cursor;
- enum { UNDEF, SPEC, HIGH, ALL, OLD } mode;
- int code, did_something;
- krb5_kvno kvno;
-
- code = krb5_parse_name(context, princ_str, &princ);
- if (code != 0) {
- com_err(whoami, code, "while parsing principal name %s",
- princ_str);
- return code;
- }
-
- mode = UNDEF;
- if (kvno_str == NULL) {
- mode = HIGH;
- kvno = 0;
- } else if (strcmp(kvno_str, "all") == 0) {
- mode = ALL;
- kvno = 0;
- } else if (strcmp(kvno_str, "old") == 0) {
- mode = OLD;
- kvno = 0;
- } else {
- mode = SPEC;
- kvno = atoi(kvno_str);
- }
-
- /* kvno is set to specified value for SPEC, 0 otherwise */
- code = krb5_kt_get_entry(context, keytab, princ, kvno, 0, &entry);
- if (code != 0) {
- if (code == ENOENT) {
- fprintf(stderr, "%s: Keytab %s does not exist.\n",
- whoami, keytab_str);
- } else if (code == KRB5_KT_NOTFOUND) {
- if (mode != SPEC)
- fprintf(stderr, "%s: No entry for principal "
- "%s exists in keytab %s\n",
- whoami, princ_str, keytab_str);
- else
- fprintf(stderr, "%s: No entry for principal "
- "%s with kvno %d exists in keytab "
- "%s.\n", whoami, princ_str, kvno,
- keytab_str);
- } else {
- com_err(whoami, code, "while retrieving highest kvno "
- "from keytab");
- }
- return code;
- }
-
- /* set kvno to spec'ed value for SPEC, highest kvno otherwise */
- kvno = entry.vno;
- krb5_kt_free_entry(context, &entry);
-
- code = krb5_kt_start_seq_get(context, keytab, &cursor);
- if (code != 0) {
- com_err(whoami, code, "while starting keytab scan");
- return code;
- }
-
- did_something = 0;
- while ((code = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
- if (krb5_principal_compare(context, princ, entry.principal) &&
- ((mode == ALL) ||
- (mode == SPEC && entry.vno == kvno) ||
- (mode == OLD && entry.vno != kvno) ||
- (mode == HIGH && entry.vno == kvno))) {
-
- /*
- * Ack! What a kludge... the scanning functions lock
- * the keytab so entries cannot be removed while they
- * are operating.
- */
- code = krb5_kt_end_seq_get(context, keytab, &cursor);
- if (code != 0) {
- com_err(whoami, code, "while temporarily ending "
- "keytab scan");
- return code;
- }
- code = krb5_kt_remove_entry(context, keytab, &entry);
- if (code != 0) {
- com_err(whoami, code, "while deleting entry from keytab");
- return code;
- }
- code = krb5_kt_start_seq_get(context, keytab, &cursor);
- if (code != 0) {
- com_err(whoami, code, "while restarting keytab scan");
- return code;
- }
-
- did_something++;
- if (!quiet)
- printf("Entry for principal %s with kvno %d "
- "removed from keytab %s.\n",
- princ_str, entry.vno, keytab_str);
- }
- krb5_kt_free_entry(context, &entry);
- }
- if (code && code != KRB5_KT_END) {
- com_err(whoami, code, "while scanning keytab");
- return code;
- }
- if ((code = krb5_kt_end_seq_get(context, keytab, &cursor))) {
- com_err(whoami, code, "while ending keytab scan");
- return code;
- }
-
- /*
- * If !did_someting then mode must be OLD or we would have
- * already returned with an error. But check it anyway just to
- * prevent unexpected error messages...
- */
- if (!did_something && mode == OLD) {
- fprintf(stderr, "%s: There is only one entry for principal "
- "%s in keytab %s\n", whoami, princ_str, keytab_str);
- return 1;
- }
-
- return 0;
+ krb5_principal princ;
+ krb5_keytab_entry entry;
+ krb5_kt_cursor cursor;
+ enum { UNDEF, SPEC, HIGH, ALL, OLD } mode;
+ int code, did_something;
+ krb5_kvno kvno;
+
+ code = krb5_parse_name(context, princ_str, &princ);
+ if (code != 0) {
+ com_err(whoami, code, "while parsing principal name %s", princ_str);
+ return;
+ }
+
+ mode = UNDEF;
+ if (kvno_str == NULL) {
+ mode = HIGH;
+ kvno = 0;
+ } else if (strcmp(kvno_str, "all") == 0) {
+ mode = ALL;
+ kvno = 0;
+ } else if (strcmp(kvno_str, "old") == 0) {
+ mode = OLD;
+ kvno = 0;
+ } else {
+ mode = SPEC;
+ kvno = atoi(kvno_str);
+ }
+
+ /* kvno is set to specified value for SPEC, 0 otherwise */
+ code = krb5_kt_get_entry(context, keytab, princ, kvno, 0, &entry);
+ if (code != 0) {
+ if (code == ENOENT) {
+ fprintf(stderr, "%s: Keytab %s does not exist.\n",
+ whoami, keytab_str);
+ } else if (code == KRB5_KT_NOTFOUND) {
+ if (mode != SPEC) {
+ fprintf(stderr, "%s: No entry for principal "
+ "%s exists in keytab %s\n",
+ whoami, princ_str, keytab_str);
+ } else {
+ fprintf(stderr, "%s: No entry for principal "
+ "%s with kvno %d exists in keytab "
+ "%s.\n", whoami, princ_str, kvno, keytab_str);
+ }
+ } else
+ com_err(whoami, code, "while retrieving highest kvno from keytab");
+ return;
+ }
+
+ /* set kvno to spec'ed value for SPEC, highest kvno otherwise */
+ kvno = entry.vno;
+ krb5_kt_free_entry(context, &entry);
+
+ code = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if (code != 0) {
+ com_err(whoami, code, "while starting keytab scan");
+ return;
+ }
+
+ did_something = 0;
+ while ((code = krb5_kt_next_entry(context, keytab, &entry,
+ &cursor)) == 0) {
+ if (krb5_principal_compare(context, princ, entry.principal) &&
+ ((mode == ALL) ||
+ (mode == SPEC && entry.vno == kvno) ||
+ (mode == OLD && entry.vno != kvno) ||
+ (mode == HIGH && entry.vno == kvno))) {
+
+ /*
+ * Ack! What a kludge... the scanning functions lock
+ * the keytab so entries cannot be removed while they
+ * are operating.
+ */
+ code = krb5_kt_end_seq_get(context, keytab, &cursor);
+ if (code != 0) {
+ com_err(whoami, code, "while temporarily ending keytab scan");
+ return;
+ }
+ code = krb5_kt_remove_entry(context, keytab, &entry);
+ if (code != 0) {
+ com_err(whoami, code, "while deleting entry from keytab");
+ return;
+ }
+ code = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if (code != 0) {
+ com_err(whoami, code, "while restarting keytab scan");
+ return;
+ }
+
+ did_something++;
+ if (!quiet)
+ printf("Entry for principal %s with kvno %d "
+ "removed from keytab %s.\n",
+ princ_str, entry.vno, keytab_str);
+ }
+ krb5_kt_free_entry(context, &entry);
+ }
+ if (code && code != KRB5_KT_END) {
+ com_err(whoami, code, "while scanning keytab");
+ return;
+ }
+ code = krb5_kt_end_seq_get(context, keytab, &cursor);
+ if (code) {
+ com_err(whoami, code, "while ending keytab scan");
+ return;
+ }
+
+ /*
+ * If !did_someting then mode must be OLD or we would have
+ * already returned with an error. But check it anyway just to
+ * prevent unexpected error messages...
+ */
+ if (!did_something && mode == OLD) {
+ fprintf(stderr, "%s: There is only one entry for principal "
+ "%s in keytab %s\n", whoami, princ_str, keytab_str);
+ }
}
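Review bot: `kvno = atoi(kvno_str);` in the SPEC branch accepts any string: a non-numeric argument silently becomes 0, and per the comments in this function a lookup with kvno 0 returns the highest-kvno entry, after which `mode == SPEC && entry.vno == kvno` matches it — so a mistyped kvno argument removes the current key instead of failing. Parse with `strtol` and reject empty input, trailing characters or negative values before touching the keytab. Separately, `princ` from `krb5_parse_name` is never released on any path (the old code leaked it too) and `entry` is not freed when `krb5_kt_remove_entry` fails; now that every exit is a bare `return;`, a single `cleanup:` label that calls `krb5_free_principal(context, princ)` would cover all of them.
```c
    } else {
        char *end;
        long v;

        mode = SPEC;
        errno = 0;
        v = strtol(kvno_str, &end, 10);
        if (*kvno_str == '\0' || *end != '\0' || errno != 0 || v < 0) {
            fprintf(stderr, "%s: Invalid kvno %s\n", whoami, kvno_str);
            return;
        }
        kvno = (krb5_kvno)v;
    }
    /* … unchanged: keytab lookup and removal loop … */
```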
/*
* encryption type. XXX copied from klist.c; this should be a
* library function, or perhaps just #defines
*/
-static char *etype_string(enctype)
- krb5_enctype enctype;
+static char *
+etype_string(krb5_enctype enctype)
{
static char buf[100];
krb5_error_code ret;
- if ((ret = krb5_enctype_to_string(enctype, buf, sizeof(buf))))
- snprintf(buf, sizeof(buf), "etype %d", enctype);
+ ret = krb5_enctype_to_string(enctype, buf, sizeof(buf));
+ if (ret)
+ snprintf(buf, sizeof(buf), "etype %d", enctype);
return buf;
}
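Review bot: etype_string returns a pointer to the function-static `buf`, so the result is overwritten by the next call and cannot be held across calls or used from more than one thread; neither the prototype-style change here nor the comment block above (whose start lies outside this hunk) says so. A one-line note above the definition would do: `/* Returns a pointer to a static buffer that is overwritten on each call. */`.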
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1994 by the Massachusetts Institute of Technology.
* All Rights Reserved.
extern int exit_status;
extern char *whoami;
-int main(argc, argv)
- int argc;
- char *argv[];
+int
+main(int argc, char *argv[])
{
char *request;
krb5_error_code retval;
whoami = ((whoami = strrchr(argv[0], '/')) ? whoami+1 : argv[0]);
request = kadmin_startup(argc, argv);
- sci_idx = ss_create_invocation(whoami, "5.0", (char *) NULL,
- &kadmin_cmds, &retval);
+ sci_idx = ss_create_invocation(whoami, "5.0", NULL, &kadmin_cmds, &retval);
if (retval) {
- ss_perror(sci_idx, retval, "creating invocation");
- exit(1);
+ ss_perror(sci_idx, retval, "creating invocation");
+ exit(1);
}
if (request) {
- code = ss_execute_line(sci_idx, request);
- if (code != 0) {
- ss_perror(sci_idx, code, request);
- exit_status++;
- }
+ code = ss_execute_line(sci_idx, request);
+ if (code != 0) {
+ ss_perror(sci_idx, code, request);
+ exit_status++;
+ }
} else
retval = ss_listen(sci_idx);
return quit() ? 1 : exit_status;
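Review bot: `retval = ss_listen(sci_idx);` stores the listener's status but nothing reads it afterwards — the function returns `quit() ? 1 : exit_status` either way — so a failure to enter the command loop goes unreported. Either mirror the request branch, `if (retval) { ss_perror(sci_idx, retval, "listening for commands"); exit_status++; }`, or drop the assignment so the intent is explicit. The `code` variable used in the request branch is not declared in this hunk; presumably it is file-scope, worth confirming. `strrchr(argv[0], '/')` also assumes argv[0] is non-NULL, which an exec with an empty argument vector does not guarantee; a `argc > 0 && argv[0] != NULL` guard is cheap.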
krb5_pa_data *pa_tgs_req; /*points into request*/
krb5_data scratch;
+ reply.padata = 0; /* For cleanup handler */
+ reply_encpart.enc_padata = 0;
+
session_key.contents = NULL;
retval = decode_krb5_tgs_req(pkt, &request);
ticket_reply.enc_part.kvno = ticket_kvno;
/* Start assembling the response */
reply.msg_type = KRB5_TGS_REP;
- reply.padata = 0;/* always */
if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
find_pa_data(request->padata, KRB5_PADATA_S4U_X509_USER) != NULL) {
errcode = kdc_make_s4u2self_rep(kdc_context,
myfulldir=lib/crypto
mydir=lib/crypto
BUILDTOP=$(REL)..$(S)..
-SUBDIRS= builtin krb crypto_tests
+SUBDIRS= krb builtin crypto_tests
RUN_SETUP = @KRB5_RUN_ENV@
PROG_LIBPATH=-L$(TOPLIBD)
RELDIR=crypto
STOBJLISTS=krb/crc32/OBJS.ST krb/dk/OBJS.ST builtin/enc_provider/OBJS.ST \
- krb/hash_provider/OBJS.ST krb/keyhash_provider/OBJS.ST \
+ builtin/hash_provider/OBJS.ST krb/keyhash_provider/OBJS.ST \
+ krb/prf/OBJS.ST krb/rand2key/OBJS.ST \
krb/old/OBJS.ST krb/raw/OBJS.ST krb/yarrow/OBJS.ST \
builtin/md4/OBJS.ST builtin/md5/OBJS.ST builtin/sha1/OBJS.ST \
builtin/arcfour/OBJS.ST builtin/aes/OBJS.ST builtin/des/OBJS.ST \
krb/OBJS.ST builtin/OBJS.ST
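Review bot: STOBJLISTS and SUBDIROBJLISTS carry the same subdirectory list, so the new `krb/prf/OBJS.ST krb/rand2key/OBJS.ST` entries had to be added twice (here and again in the SUBDIROBJLISTS hunk that follows), and the two lists can drift apart on the next change. Since STOBJLISTS appears to differ only by the trailing `krb/OBJS.ST builtin/OBJS.ST`, defining it as `STOBJLISTS=$(SUBDIROBJLISTS) krb/OBJS.ST builtin/OBJS.ST` would leave a single source of truth; that assumes the order of the entries is not significant, which I cannot confirm from this hunk alone.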
SUBDIROBJLISTS=krb/crc32/OBJS.ST krb/dk/OBJS.ST builtin/enc_provider/OBJS.ST \
- krb/hash_provider/OBJS.ST krb/keyhash_provider/OBJS.ST \
+ builtin/hash_provider/OBJS.ST krb/keyhash_provider/OBJS.ST \
+ krb/prf/OBJS.ST krb/rand2key/OBJS.ST \
krb/old/OBJS.ST krb/raw/OBJS.ST krb/yarrow/OBJS.ST \
builtin/md4/OBJS.ST builtin/md5/OBJS.ST builtin/sha1/OBJS.ST \
builtin/arcfour/OBJS.ST builtin/aes/OBJS.ST builtin/des/OBJS.ST \
myfulldir=lib/crypto/builtin
mydir=lib/crypto/builtin
BUILDTOP=$(REL)..$(S)..$(S)..
-SUBDIRS=des arcfour aes md4 md5 sha1 enc_provider
+SUBDIRS=des arcfour aes md4 md5 sha1 enc_provider hash_provider
LOCALINCLUDES = -I$(srcdir)/../krb \
-I$(srcdir)/../krb/hash_provider \
-I$(srcdir)/../@CRYPTO_IMPL@/des \
-I$(srcdir)/../@CRYPTO_IMPL@/sha1 \
-I$(srcdir)/../@CRYPTO_IMPL@/md4 \
-I$(srcdir)/../@CRYPTO_IMPL@/md5 \
- -I$(srcdir)/../@CRYPTO_IMPL@/enc_provider
+ -I$(srcdir)/../@CRYPTO_IMPL@/enc_provider \
+ -I$(srcdir)/../@CRYPTO_IMPL@/hash_provider
PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
DEFS=
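Review bot: LOCALINCLUDES still lists `-I$(srcdir)/../krb/hash_provider` on the line above the new `-I$(srcdir)/../@CRYPTO_IMPL@/hash_provider`, while the rest of this change replaces `krb/hash_provider` with `builtin/hash_provider` everywhere else (the OBJS.ST lists, the `crypto_tests` dependency on `hash_provider.h`). If the `krb/hash_provider` directory goes away with this change, that include path becomes dead and should be removed; the same stale path survives on the new side of the arcfour dependency hunk as `$(srcdir)/../../krb/hash_provider/hash_provider.h`, where a missing prerequisite would stop the build rather than merely add noise.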
STOBJLISTS= des/OBJS.ST md4/OBJS.ST \
md5/OBJS.ST sha1/OBJS.ST \
enc_provider/OBJS.ST \
+ hash_provider/OBJS.ST \
arcfour/OBJS.ST \
aes/OBJS.ST \
OBJS.ST
SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \
md5/OBJS.ST sha1/OBJS.ST \
enc_provider/OBJS.ST \
+ hash_provider/OBJS.ST \
arcfour/OBJS.ST \
- aes/OBJS.ST OBJS.ST
+ aes/OBJS.ST
##DOS##LIBOBJS = $(OBJS)
cd ..\sha1
@echo Making in crypto\sha1
$(MAKE) -$(MFLAGS)
+ cd ..\hash_provider
+ @echo Making in crypto\hash_provider
+ $(MAKE) -$(MFLAGS)
cd ..\enc_provider
@echo Making in crypto\enc_provider
$(MAKE) -$(MFLAGS)
cd ..\sha1
@echo Making clean in crypto\sha1
$(MAKE) -$(MFLAGS) clean
+ cd ..\hash_provider
+ @echo Making clean in crypto\hash_provider
+ $(MAKE) -$(MFLAGS) clean
cd ..\enc_provider
@echo Making clean in crypto\enc_provider
$(MAKE) -$(MFLAGS) clean
cd ..\sha1
@echo Making check in crypto\sha1
$(MAKE) -$(MFLAGS) check
+ cd ..\hash_provider
+ @echo Making check in crypto\hash_provider
+ $(MAKE) -$(MFLAGS) check
cd ..\enc_provider
@echo Making check in crypto\enc_provider
$(MAKE) -$(MFLAGS) check
$(OUTPRE)../../$(CIMPL)/aes_s2k.$(OBJEXT)
SRCS=\
- $(srcdir)..//../$(CIMPL)/aescrypt.c \
- $(srcdir)..//../$(CIMPL)/aestab.c \
+ $(srcdir)/../../$(CIMPL)/aescrypt.c \
+ $(srcdir)/../../$(CIMPL)/aestab.c \
$(srcdir)/../../$(CIMPL)/aeskey.c \
$(srcdir)/../../$(CIMPL)/aes_s2k.c
# Generated makefile dependencies follow.
#
aescrypt.so aescrypt.po $(OUTPRE)aescrypt.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h aes.h aescrypt.c aesopt.h \
- uitypes.h
+ $(BUILDTOP)/include/autoconf.h $(srcdir)/../../builtin/aes/aes.h \
+ $(srcdir)/../../builtin/aes/aescrypt.c $(srcdir)/../../builtin/aes/aesopt.h \
+ $(srcdir)/../../builtin/aes/uitypes.h
aestab.so aestab.po $(OUTPRE)aestab.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- aes.h aesopt.h aestab.c uitypes.h
+ $(srcdir)/../../builtin/aes/aes.h $(srcdir)/../../builtin/aes/aesopt.h \
+ $(srcdir)/../../builtin/aes/aestab.c $(srcdir)/../../builtin/aes/uitypes.h
aeskey.so aeskey.po $(OUTPRE)aeskey.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- aes.h aeskey.c aesopt.h uitypes.h
+ $(srcdir)/../../builtin/aes/aes.h $(srcdir)/../../builtin/aes/aeskey.c \
+ $(srcdir)/../../builtin/aes/aesopt.h $(srcdir)/../../builtin/aes/uitypes.h
aes_s2k.so aes_s2k.po $(OUTPRE)aes_s2k.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../../krb/dk/dk.h aes_s2k.c aes_s2k.h
+ $(srcdir)/../../builtin/aes/aes_s2k.c $(srcdir)/../../builtin/aes/aes_s2k.h \
+ $(srcdir)/../../krb/dk/dk.h
myfulldir=lib/crypto/builtin/arcfour
mydir=lib/crypto/builtin/arcfour
BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
-LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../md4 -I$(srcdir)/../../krb
+LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../../@CRYPTO_IMPL@/md4 -I$(srcdir)/../../krb
DEFS=
##DOS##BUILDTOP = ..\..\..\..
return (ret);
}
- krb5_error_code krb5int_arcfour_prf(
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
- const krb5_data *in, krb5_data *out)
- {
- assert(out->length == 20);
- return krb5_hmac(&krb5int_hash_sha1, key, 1, in, out);
- }
-
extern const struct krb5_enc_provider krb5int_enc_arcfour;
extern const struct krb5_aead_provider krb5int_aead_arcfour;
- krb5_error_code krb5int_arcfour_prf(
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
- const krb5_data *in, krb5_data *out);
#endif /* ARCFOUR_H */
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../../krb/hash_provider/hash_provider.h arcfour-int.h \
- arcfour.c arcfour.h
+ $(srcdir)/../../builtin/arcfour/arcfour-int.h $(srcdir)/../../builtin/arcfour/arcfour.c \
+ $(srcdir)/../../builtin/arcfour/arcfour.h $(srcdir)/../../krb/hash_provider/hash_provider.h
arcfour_aead.so arcfour_aead.po $(OUTPRE)arcfour_aead.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
$(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
$(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
$(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/../../krb/aead.h \
- $(srcdir)/../../krb/cksumtypes.h arcfour-int.h arcfour.h \
- arcfour_aead.c
+ $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/arcfour/arcfour-int.h \
+ $(srcdir)/../../builtin/arcfour/arcfour.h $(srcdir)/../../builtin/arcfour/arcfour_aead.c \
+ $(srcdir)/../../krb/aead.h $(srcdir)/../../krb/cksumtypes.h
arcfour_s2k.so arcfour_s2k.po $(OUTPRE)arcfour_s2k.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
$(SRCTOP)/include/k5-utf8.h $(SRCTOP)/include/krb5.h \
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../md4/rsa-md4.h arcfour-int.h arcfour.h \
- arcfour_s2k.c
+ $(srcdir)/../../builtin/arcfour/arcfour-int.h $(srcdir)/../../builtin/arcfour/arcfour.h \
+ $(srcdir)/../../builtin/arcfour/arcfour_s2k.c $(srcdir)/../md4/rsa-md4.h
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../builtin/pbkdf2.c $(srcdir)/../krb/hash_provider/hash_provider.h
+ $(srcdir)/../builtin/pbkdf2.c $(srcdir)/../builtin/hash_provider/hash_provider.h
../../$(CIMPL)/d3_cbc.o \
../../$(CIMPL)/d3_aead.o \
../../$(CIMPL)/d3_kysched.o \
- ../../$(CIMPL)/des_prf.o \
../../$(CIMPL)/f_aead.o \
../../$(CIMPL)/f_cbc.o \
../../$(CIMPL)/f_cksum.o \
$(OUTPRE)../../$(CIMPL)/d3_cbc.$(OBJEXT) \
$(OUTPRE)../../$(CIMPL)/d3_aead.$(OBJEXT) \
$(OUTPRE)../../$(CIMPL)/d3_kysched.$(OBJEXT) \
- $(OUTPRE)../../$(CIMPL)/des_prf.$(OBJEXT) \
$(OUTPRE)../../$(CIMPL)/f_aead.$(OBJEXT) \
$(OUTPRE)../../$(CIMPL)/f_cbc.$(OBJEXT) \
$(OUTPRE)../../$(CIMPL)/f_cksum.$(OBJEXT) \
$(srcdir)/../../$(CIMPL)/d3_cbc.c \
$(srcdir)/../../$(CIMPL)/d3_aead.c \
$(srcdir)/../../$(CIMPL)/d3_kysched.c \
- $(srcdir)/../../$(CIMPL)/des_prf.c \
$(srcdir)/../../$(CIMPL)/f_aead.c \
$(srcdir)/../../$(CIMPL)/f_cbc.c \
$(srcdir)/../../$(CIMPL)/f_cksum.c \
$(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
$(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
$(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h afsstring2key.c des_int.h
+ $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/afsstring2key.c \
+ $(srcdir)/../../builtin/des/des_int.h
d3_cbc.so d3_cbc.po $(OUTPRE)d3_cbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- d3_cbc.c des_int.h f_tables.h
+ $(srcdir)/../../builtin/des/d3_cbc.c $(srcdir)/../../builtin/des/des_int.h \
+ $(srcdir)/../../builtin/des/f_tables.h
d3_aead.so d3_aead.po $(OUTPRE)d3_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../../krb/aead.h $(srcdir)/../../krb/cksumtypes.h \
- d3_aead.c des_int.h f_tables.h
+ $(srcdir)/../../builtin/des/d3_aead.c $(srcdir)/../../builtin/des/des_int.h \
+ $(srcdir)/../../builtin/des/f_tables.h $(srcdir)/../../krb/aead.h \
+ $(srcdir)/../../krb/cksumtypes.h
d3_kysched.so d3_kysched.po $(OUTPRE)d3_kysched.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
$(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
$(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
$(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h d3_kysched.c des_int.h
-des_prf.so des_prf.po $(OUTPRE)des_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../../krb/hash_provider/hash_provider.h des_prf.c
+ $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/d3_kysched.c \
+ $(srcdir)/../../builtin/des/des_int.h
f_aead.so f_aead.po $(OUTPRE)f_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../../krb/aead.h $(srcdir)/../../krb/cksumtypes.h \
- des_int.h f_aead.c f_tables.h
+ $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/des/f_aead.c \
+ $(srcdir)/../../builtin/des/f_tables.h $(srcdir)/../../krb/aead.h \
+ $(srcdir)/../../krb/cksumtypes.h
f_cbc.so f_cbc.po $(OUTPRE)f_cbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- des_int.h f_cbc.c f_tables.h
+ $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/des/f_cbc.c \
+ $(srcdir)/../../builtin/des/f_tables.h
f_cksum.so f_cksum.po $(OUTPRE)f_cksum.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- des_int.h f_cksum.c f_tables.h
+ $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/des/f_cksum.c \
+ $(srcdir)/../../builtin/des/f_tables.h
f_parity.so f_parity.po $(OUTPRE)f_parity.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
$(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
$(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
$(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h des_int.h f_parity.c
+ $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \
+ $(srcdir)/../../builtin/des/f_parity.c
f_sched.so f_sched.po $(OUTPRE)f_sched.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- des_int.h f_sched.c
+ $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/des/f_sched.c
f_tables.so f_tables.po $(OUTPRE)f_tables.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
$(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
$(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
$(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h des_int.h f_tables.c \
- f_tables.h
+ $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \
+ $(srcdir)/../../builtin/des/f_tables.c $(srcdir)/../../builtin/des/f_tables.h
key_sched.so key_sched.po $(OUTPRE)key_sched.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
$(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
$(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
$(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h des_int.h key_sched.c
+ $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \
+ $(srcdir)/../../builtin/des/key_sched.c
weak_key.so weak_key.po $(OUTPRE)weak_key.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
$(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
$(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
$(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h des_int.h weak_key.c
+ $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \
+ $(srcdir)/../../builtin/des/weak_key.c
string2key.so string2key.po $(OUTPRE)string2key.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
$(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
$(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
$(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h des_int.h string2key.c
+ $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \
+ $(srcdir)/../../builtin/des/string2key.c
extern krb5_error_code mit_des_set_random_sequence_number
(const krb5_data * sequence,
krb5_pointer random_state);
-krb5_error_code
-krb5int_des_prf (const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
- const krb5_data *in, krb5_data *out);
#endif /*DES_INTERNAL_DEFS*/
LOCALINCLUDES = -I$(srcdir)/../../@CRYPTO_IMPL@/des \
-I$(srcdir)/../../@CRYPTO_IMPL@/arcfour \
-I$(srcdir)/../../@CRYPTO_IMPL@/aes \
- -I$(srcdir)/../../krb \
+ -I$(srcdir)/../../krb \
+ -I$(srcdir)/../../krb/rand2key \
-I$(srcdir)/.. -I$(srcdir)/../../@CRYPTO_IMPL@
DEFS=
#include "enc_provider.h"
#include "aes.h"
#include <aead.h>
+#include <rand2key.h>
#if 0
aes_rval aes_blk_len(unsigned int blen, aes_ctx cx[1]);
return 0;
}
-static krb5_error_code
-k5_aes_make_key(const krb5_data *randombits, krb5_keyblock *key)
-{
- if (key->length != 16 && key->length != 32)
- return(KRB5_BAD_KEYSIZE);
- if (randombits->length != key->length)
- return(KRB5_CRYPTO_INTERNAL);
-
- key->magic = KV5M_KEYBLOCK;
-
- memcpy(key->contents, randombits->data, randombits->length);
- return(0);
-}
-
static krb5_error_code
krb5int_aes_init_state (const krb5_keyblock *key, krb5_keyusage usage,
krb5_data *state)
16, 16,
krb5int_aes_encrypt,
krb5int_aes_decrypt,
- k5_aes_make_key,
+ krb5int_aes_make_key,
krb5int_aes_init_state,
krb5int_default_free_state,
krb5int_aes_encrypt_iov,
32, 32,
krb5int_aes_encrypt,
krb5int_aes_decrypt,
- k5_aes_make_key,
+ krb5int_aes_make_key,
krb5int_aes_init_state,
krb5int_default_free_state,
krb5int_aes_encrypt_iov,
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../des/des_int.h $(srcdir)/../../krb/aead.h \
- $(srcdir)/../../krb/cksumtypes.h des.c enc_provider.h
+ $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/enc_provider/des.c \
+ $(srcdir)/../../builtin/enc_provider/enc_provider.h \
+ $(srcdir)/../../krb/aead.h $(srcdir)/../../krb/cksumtypes.h \
+ $(srcdir)/../../krb/rand2key/rand2key.h
des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../des/des_int.h $(srcdir)/../../krb/aead.h \
- $(srcdir)/../../krb/cksumtypes.h des3.c
+ $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/enc_provider/des3.c \
+ $(srcdir)/../../krb/aead.h $(srcdir)/../../krb/cksumtypes.h \
+ $(srcdir)/../../krb/rand2key/rand2key.h
aes.so aes.po $(OUTPRE)aes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../aes/aes.h $(srcdir)/../aes/uitypes.h \
- $(srcdir)/../../krb/aead.h $(srcdir)/../../krb/cksumtypes.h aes.c \
- enc_provider.h
+ $(srcdir)/../../builtin/aes/aes.h $(srcdir)/../../builtin/aes/uitypes.h \
+ $(srcdir)/../../builtin/enc_provider/aes.c $(srcdir)/../../builtin/enc_provider/enc_provider.h \
+ $(srcdir)/../../krb/aead.h $(srcdir)/../../krb/cksumtypes.h \
+ $(srcdir)/../../krb/rand2key/rand2key.h
rc4.so rc4.po $(OUTPRE)rc4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../arcfour/arcfour-int.h $(srcdir)/../arcfour/arcfour.h \
- $(srcdir)/../../krb/aead.h $(srcdir)/../../krb/cksumtypes.h enc_provider.h \
- rc4.c
+ $(srcdir)/../../builtin/arcfour/arcfour-int.h $(srcdir)/../../builtin/arcfour/arcfour.h \
+ $(srcdir)/../../builtin/enc_provider/enc_provider.h \
+ $(srcdir)/../../builtin/enc_provider/rc4.c $(srcdir)/../../krb/aead.h \
+ $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/rand2key/rand2key.h
#include "k5-int.h"
#include "des_int.h"
#include "enc_provider.h"
-#include "aead.h"
+#include <aead.h>
+#include <rand2key.h>
+
static krb5_error_code
k5_des_docrypt(const krb5_keyblock *key, const krb5_data *ivec,
return(k5_des_docrypt(key, ivec, input, output, 0));
}
-static krb5_error_code
-k5_des_make_key(const krb5_data *randombits, krb5_keyblock *key)
-{
- if (key->length != 8)
- return(KRB5_BAD_KEYSIZE);
- if (randombits->length != 7)
- return(KRB5_CRYPTO_INTERNAL);
-
- key->magic = KV5M_KEYBLOCK;
- key->length = 8;
-
- /* take the seven bytes, move them around into the top 7 bits of the
- 8 key bytes, then compute the parity bits */
-
- memcpy(key->contents, randombits->data, randombits->length);
- key->contents[7] = (((key->contents[0]&1)<<1) | ((key->contents[1]&1)<<2) |
- ((key->contents[2]&1)<<3) | ((key->contents[3]&1)<<4) |
- ((key->contents[4]&1)<<5) | ((key->contents[5]&1)<<6) |
- ((key->contents[6]&1)<<7));
-
- mit_des_fixup_key_parity(key->contents);
-
- return(0);
-}
-
static krb5_error_code
k5_des_docrypt_iov(const krb5_keyblock *key, const krb5_data *ivec,
krb5_crypto_iov *data, size_t num_data, int enc)
7, 8,
k5_des_encrypt,
k5_des_decrypt,
- k5_des_make_key,
+ krb5int_des_make_key,
krb5int_des_init_state,
krb5int_default_free_state,
k5_des_encrypt_iov,
#include "k5-int.h"
#include "des_int.h"
#include <aead.h>
+#include <rand2key.h>
static krb5_error_code
validate_and_schedule(const krb5_keyblock *key, const krb5_data *ivec,
return(0);
}
-static krb5_error_code
-k5_des3_make_key(const krb5_data *randombits, krb5_keyblock *key)
-{
- int i;
-
- if (key->length != 24)
- return(KRB5_BAD_KEYSIZE);
- if (randombits->length != 21)
- return(KRB5_CRYPTO_INTERNAL);
-
- key->magic = KV5M_KEYBLOCK;
- key->length = 24;
-
- /* take the seven bytes, move them around into the top 7 bits of the
- 8 key bytes, then compute the parity bits. Do this three times. */
-
- for (i=0; i<3; i++) {
- memcpy(key->contents+i*8, randombits->data+i*7, 7);
- key->contents[i*8+7] = (((key->contents[i*8]&1)<<1) |
- ((key->contents[i*8+1]&1)<<2) |
- ((key->contents[i*8+2]&1)<<3) |
- ((key->contents[i*8+3]&1)<<4) |
- ((key->contents[i*8+4]&1)<<5) |
- ((key->contents[i*8+5]&1)<<6) |
- ((key->contents[i*8+6]&1)<<7));
-
- mit_des_fixup_key_parity(key->contents+i*8);
- }
-
- return(0);
-}
-
static krb5_error_code
k5_des3_encrypt_iov(const krb5_keyblock *key,
const krb5_data *ivec,
21, 24,
k5_des3_encrypt,
k5_des3_decrypt,
- k5_des3_make_key,
+ krb5int_des3_make_key,
krb5int_des_init_state,
krb5int_default_free_state,
k5_des3_encrypt_iov,
#include "arcfour-int.h"
#include "enc_provider.h"
#include <aead.h>
+#include <rand2key.h>
+
/* gets the next byte from the PRNG */
#if ((__GNUC__ >= 2) )
static __inline__ unsigned int k5_arcfour_byte(ArcfourContext *);
k5_arcfour_docrypt(const krb5_keyblock *, const krb5_data *,
const krb5_data *, krb5_data *);
-/* from a random bitstrem, construct a key */
-static krb5_error_code
-k5_arcfour_make_key(const krb5_data *, krb5_keyblock *);
-
static const unsigned char arcfour_weakkey1[] = {0x00, 0x00, 0xfd};
static const unsigned char arcfour_weakkey2[] = {0x03, 0xfd, 0xfc};
static const struct {
return 0;
}
-static krb5_error_code
-k5_arcfour_make_key(const krb5_data *randombits, krb5_keyblock *key)
-{
- if (key->length != 16)
- return(KRB5_BAD_KEYSIZE);
- if (randombits->length != 16)
- return(KRB5_CRYPTO_INTERNAL);
-
- key->magic = KV5M_KEYBLOCK;
- key->length = 16;
-
- memcpy(key->contents, randombits->data, randombits->length);
-
- return(0);
-}
-
static krb5_error_code
k5_arcfour_init_state (const krb5_keyblock *key,
krb5_keyusage keyusage, krb5_data *new_state)
16, 16,
k5_arcfour_docrypt,
k5_arcfour_docrypt,
- k5_arcfour_make_key,
+ krb5int_arcfour_make_key,
k5_arcfour_init_state, /*xxx not implemented yet*/
krb5int_default_free_state,
k5_arcfour_docrypt_iov,
--- /dev/null
+thisconfigdir=../../../..
+myfulldir=lib/crypto/builtin/hash_provider
+mydir=lib/crypto/builtin/hash_provider
+BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
+LOCALINCLUDES = -I$(srcdir)/../../krb/crc32 -I$(srcdir)/../../@CRYPTO_IMPL@/md4 \
+ -I$(srcdir)/../../@CRYPTO_IMPL@/md5 -I$(srcdir)/../../@CRYPTO_IMPL@/sha1
+DEFS=
+
+##DOS##BUILDTOP = ..\..\..\..
+##DOS##PREFIXDIR=hash_provider
+##DOS##OBJFILE=..\$(OUTPRE)hash_pro.lst
+
+PROG_LIBPATH=-L$(TOPLIBD)
+PROG_RPATH=$(KRB5_LIBDIR)
+
+CIMPL = @CRYPTO_IMPL@/hash_provider
+
+STLIBOBJS= \
+ ../../$(CIMPL)/hash_crc32.o \
+ ../../$(CIMPL)/hash_md4.o \
+ ../../$(CIMPL)/hash_md5.o \
+ ../../$(CIMPL)/hash_sha1.o
+
+OBJS= $(OUTPRE)../../$(CIMPL)/hash_crc32.$(OBJEXT) \
+ $(OUTPRE)../../$(CIMPL)/hash_md4.$(OBJEXT) \
+ $(OUTPRE)../../$(CIMPL)/hash_md5.$(OBJEXT) \
+ $(OUTPRE)../../$(CIMPL)/hash_sha1.$(OBJEXT)
+
+SRCS= $(srcdir)/../../$(CIMPL)/hash_crc32.c \
+ $(srcdir)/../../$(CIMPL)/hash_md4.c \
+ $(srcdir)/../../$(CIMPL)/hash_md5.c \
+ $(srcdir)/../../$(CIMPL)/hash_sha1.c
+
+##DOS##LIBOBJS = $(OBJS)
+
+all-unix:: all-libobjs
+
+includes:: depend
+
+depend:: $(SRCS)
+
+clean-unix:: clean-libobjs
+
+@libobj_frag@
+
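Review bot: The object and source lists name this directory's own files through `../../$(CIMPL)/` with `CIMPL = @CRYPTO_IMPL@/hash_provider`, so from lib/crypto/builtin/hash_provider the path only round-trips back to the current directory when CRYPTO_IMPL is `builtin`, and with any other value this Makefile would silently compile a different implementation's sources. The `OBJS` line also places `$(OUTPRE)` in front of the `../../` path instead of the basename, so whenever OUTPRE is non-empty (the `##DOS##` lines show a Windows build is intended) the object path becomes `<prefix>../../...`, which looks unintended. Plain local references — `STLIBOBJS= hash_crc32.o hash_md4.o hash_md5.o hash_sha1.o`, `OBJS= $(OUTPRE)hash_crc32.$(OBJEXT) ...`, `SRCS= $(srcdir)/hash_crc32.c ...` — would match the generated dependency block for this directory (which lists `hash_crc32.c hash_provider.h` unprefixed) and leave implementation selection to the parent's `-I$(srcdir)/../@CRYPTO_IMPL@/hash_provider`. If the indirection is deliberate, a one-line comment saying why would save the next reader the same question.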
--- /dev/null
+#
+# Generated makefile dependencies follow.
+#
+hash_crc32.so hash_crc32.po $(OUTPRE)hash_crc32.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \
+ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
+ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
+ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
+ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(srcdir)/../../krb/crc32/crc-32.h \
+ hash_crc32.c hash_provider.h
+hash_md4.so hash_md4.po $(OUTPRE)hash_md4.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \
+ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
+ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
+ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
+ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/md4/rsa-md4.h \
+ hash_md4.c hash_provider.h
+hash_md5.so hash_md5.po $(OUTPRE)hash_md5.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \
+ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
+ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
+ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
+ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/md5/rsa-md5.h \
+ hash_md5.c hash_provider.h
+hash_sha1.so hash_sha1.po $(OUTPRE)hash_sha1.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \
+ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
+ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
+ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
+ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/sha1/shs.h \
+ hash_provider.h hash_sha1.c
--- /dev/null
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+#include "crc-32.h"
+#include "hash_provider.h"
+
+static krb5_error_code
+k5_crc32_hash(unsigned int icount, const krb5_data *input,
+ krb5_data *output)
+{
+ unsigned long c, cn;
+ unsigned int i;
+
+ if (output->length != CRC32_CKSUM_LENGTH)
+ return(KRB5_CRYPTO_INTERNAL);
+
+ c = 0;
+ for (i=0; i<icount; i++) {
+ mit_crc32(input[i].data, input[i].length, &cn);
+ c ^= cn;
+ }
+
+ store_32_le(c, output->data);
+ return(0);
+}
+
+const struct krb5_hash_provider krb5int_hash_crc32 = {
+ "CRC32",
+ CRC32_CKSUM_LENGTH,
+ 1,
+ k5_crc32_hash
+};
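Review bot: `k5_crc32_hash` combines multiple input segments with `c ^= cn` (the loop at L4454-L4456), but XORing per-segment CRCs does not give the CRC of the concatenation (CRC32 depends on each byte's position in the stream), so the result equals `mit_crc32` over the whole message only when `icount` is 1. Either document that restriction where callers can see it, e.g. above the loop `/* Segments are folded by XOR of their CRCs, not chained; this equals CRC32 of the concatenation only for icount == 1. */`, or chain the computation across segments if mit_crc32 can continue from a previous value (its interface is not in this diff). A caveat that CRC32 is unkeyed and linear — it catches accidental corruption but offers no protection against an active attacker, and is presumably kept only for the legacy des-cbc-crc enctype — would also help anyone picking a provider from this file. The `output->length != CRC32_CKSUM_LENGTH` check must stay as is, since `store_32_le` writes exactly four bytes regardless.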
--- /dev/null
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+#include "rsa-md4.h"
+#include "hash_provider.h"
+
+static krb5_error_code
+k5_md4_hash(unsigned int icount, const krb5_data *input,
+ krb5_data *output)
+{
+ krb5_MD4_CTX ctx;
+ unsigned int i;
+
+ if (output->length != RSA_MD4_CKSUM_LENGTH)
+ return(KRB5_CRYPTO_INTERNAL);
+
+ krb5_MD4Init(&ctx);
+ for (i=0; i<icount; i++)
+ krb5_MD4Update(&ctx, (unsigned char *) input[i].data, input[i].length);
+ krb5_MD4Final(&ctx);
+
+ memcpy(output->data, ctx.digest, RSA_MD4_CKSUM_LENGTH);
+
+ return(0);
+}
+
+const struct krb5_hash_provider krb5int_hash_md4 = {
+ "MD4",
+ RSA_MD4_CKSUM_LENGTH,
+ 64,
+ k5_md4_hash
+};
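Review bot: The provider table at L4520-L4525 carries the bare literal `64` with no explanation; it is presumably the MD4 block size in bytes that the keyed-hash (HMAC) code pads keys to, so annotate it, `64,   /* block size in bytes; presumably used for HMAC key padding -- confirm against krb5_hash_provider in k5-int.h */`, since the struct definition is not in this diff. A short header comment that MD4 has long been broken for collision resistance and exists here only for legacy checksum types (rsa-md4-des and, presumably, the RC4 string-to-key path) would steer new code away from it. Minor hygiene: after `krb5_MD4Final` the context still holds the last input block in `ctx`; if this provider is ever fed key-derived material, a `memset(&ctx, 0, sizeof(ctx));` before returning is cheap.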
--- /dev/null
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+#include "rsa-md5.h"
+#include "hash_provider.h"
+
+static krb5_error_code
+k5_md5_hash(unsigned int icount, const krb5_data *input,
+ krb5_data *output)
+{
+ krb5_MD5_CTX ctx;
+ unsigned int i;
+
+ if (output->length != RSA_MD5_CKSUM_LENGTH)
+ return(KRB5_CRYPTO_INTERNAL);
+
+ krb5_MD5Init(&ctx);
+ for (i=0; i<icount; i++)
+ krb5_MD5Update(&ctx, (unsigned char *) input[i].data, input[i].length);
+ krb5_MD5Final(&ctx);
+
+ memcpy(output->data, ctx.digest, RSA_MD5_CKSUM_LENGTH);
+
+ return(0);
+}
+
+const struct krb5_hash_provider krb5int_hash_md5 = {
+ "MD5",
+ RSA_MD5_CKSUM_LENGTH,
+ 64,
+ k5_md5_hash
+};
--- /dev/null
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+
+extern const struct krb5_hash_provider krb5int_hash_crc32;
+extern const struct krb5_hash_provider krb5int_hash_md4;
+extern const struct krb5_hash_provider krb5int_hash_md5;
+extern const struct krb5_hash_provider krb5int_hash_sha1;
--- /dev/null
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+#include "shs.h"
+#include "hash_provider.h"
+
+static krb5_error_code
+k5_sha1_hash(unsigned int icount, const krb5_data *input,
+ krb5_data *output)
+{
+ SHS_INFO ctx;
+ unsigned int i;
+
+ if (output->length != SHS_DIGESTSIZE)
+ return(KRB5_CRYPTO_INTERNAL);
+
+ shsInit(&ctx);
+ for (i=0; i<icount; i++)
+ shsUpdate(&ctx, (unsigned char *) input[i].data, input[i].length);
+ shsFinal(&ctx);
+
+ for (i=0; i<(sizeof(ctx.digest)/sizeof(ctx.digest[0])); i++) {
+ store_32_be(ctx.digest[i], &output->data[i*4]);
+ }
+
+ return(0);
+}
+
+const struct krb5_hash_provider krb5int_hash_sha1 = {
+ "SHA1",
+ SHS_DIGESTSIZE,
+ SHS_DATASIZE,
+ k5_sha1_hash
+};
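Review bot: The output loop at L4662 bounds itself with `sizeof(ctx.digest)/sizeof(ctx.digest[0])` while the length check at L4654 uses `SHS_DIGESTSIZE`; the code is only safe if the two agree (presumably 5 words = 20 bytes), and nothing in this file ties them together, so a larger `digest` array would overrun `output->data` and a smaller one would leave output bytes unset. Make the dependency explicit, e.g. `for (i = 0; i < SHS_DIGESTSIZE / 4; i++)` with the comment `/* digest is SHS_DIGESTSIZE bytes, emitted as big-endian 32-bit words */`, or assert `sizeof(ctx.digest) == SHS_DIGESTSIZE` if the tree has a static-assertion macro. The `SHS_DATASIZE` entry in the table is the right block-size choice but, like the other providers, deserves a `/* block size */` comment.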
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- md4.c rsa-md4.h
+ $(srcdir)/../../builtin/md4/md4.c $(srcdir)/../../builtin/md4/rsa-md4.h
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- md5.c rsa-md5.h
+ $(srcdir)/../../builtin/md5/md5.c $(srcdir)/../../builtin/md5/rsa-md5.h
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- shs.c shs.h
+ $(srcdir)/../../builtin/sha1/shs.c $(srcdir)/../../builtin/sha1/shs.h
mydir=lib/crypto/crypto_tests
BUILDTOP=$(REL)..$(S)..$(S)..
LOCALINCLUDES = -I$(srcdir)/../krb -I$(srcdir)/../@CRYPTO_IMPL@/enc_provider \
- -I$(srcdir)/../krb/hash_provider -I$(srcdir)/../krb/keyhash_provider \
+ -I$(srcdir)/../@CRYPTO_IMPL@/hash_provider -I$(srcdir)/../krb/keyhash_provider \
-I$(srcdir)/../krb/dk -I$(srcdir)/../@CRYPTO_IMPL@/ \
-I$(srcdir)/../krb/yarrow \
-I$(srcdir)/../krb/crc32 -I$(srcdir)/../krb/old -I$(srcdir)/../krb/raw \
myfulldir=lib/crypto/krb
mydir=lib/crypto/krb
BUILDTOP=$(REL)..$(S)..$(S)..
-SUBDIRS= crc32 dk hash_provider keyhash_provider \
- old raw yarrow
+SUBDIRS= crc32 dk keyhash_provider \
+ prf rand2key old raw yarrow
LOCALINCLUDES = -I$(srcdir) -I$(srcdir)/../@CRYPTO_IMPL@/enc_provider -I$(srcdir)/dk \
- -I$(srcdir)/hash_provider -I$(srcdir)/keyhash_provider \
+ -I$(srcdir)/../@CRYPTO_IMPL@/hash_provider -I$(srcdir)/keyhash_provider \
+ -I$(srcdir)/prf -I$(srcdir)/rand2key \
-I$(srcdir)/old -I$(srcdir)/raw -I$(srcdir)/yarrow \
-I$(srcdir)/../@CRYPTO_IMPL@/ -I$(srcdir)/../@CRYPTO_IMPL@/des \
-I$(srcdir)/../@CRYPTO_IMPL@/aes -I$(srcdir)/../@CRYPTO_IMPL@/arcfour \
- -I$(srcdir)/../@CRYPTO_IMPL@/sha1
+ -I$(srcdir)/../@CRYPTO_IMPL@/sha1 -I$(srcdir)/../@CRYPTO_IMPL@
PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
DEFS=
$(srcdir)/verify_checksum_iov.c
STOBJLISTS=crc32/OBJS.ST dk/OBJS.ST \
- hash_provider/OBJS.ST keyhash_provider/OBJS.ST \
+ keyhash_provider/OBJS.ST \
+ prf/OBJS.ST rand2key/OBJS.ST \
old/OBJS.ST raw/OBJS.ST yarrow/OBJS.ST OBJS.ST
SUBDIROBJLISTS=crc32/OBJS.ST dk/OBJS.ST \
- hash_provider/OBJS.ST keyhash_provider/OBJS.ST \
- old/OBJS.ST raw/OBJS.ST yarrow/OBJS.ST OBJS.ST
+ keyhash_provider/OBJS.ST \
+ prf/OBJS.ST rand2key/OBJS.ST \
+ old/OBJS.ST raw/OBJS.ST yarrow/OBJS.ST
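Review bot: `SUBDIROBJLISTS` now ends at `yarrow/OBJS.ST` (L4728) whereas the old line (L4725) also listed this directory's own `OBJS.ST`, and the parallel `STOBJLISTS` edit at L4722 keeps it. If that asymmetry is deliberate (the parent picking up `krb/OBJS.ST` some other way), a comment such as `# own OBJS.ST is supplied via STOBJLISTS; SUBDIROBJLISTS lists subdirectories only` would make it clear; otherwise the krb-level objects would drop out of whatever the parent aggregates from `SUBDIROBJLISTS`. Removing `hash_provider/OBJS.ST` from both lists is consistent with the move to `builtin/hash_provider`, and the new `prf`/`rand2key` entries match `SUBDIRS` at L4703-L4704.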
##DOS##LIBOBJS = $(OBJS)
cd ..\dk
@echo Making in crypto\dk
$(MAKE) -$(MFLAGS)
- cd ..\hash_provider
- @echo Making in crypto\hash_provider
- $(MAKE) -$(MFLAGS)
cd ..\keyhash_provider
@echo Making in crypto\keyhash_provider
$(MAKE) -$(MFLAGS)
+ cd ..\prf
+ @echo Making in crypto\prf
+ $(MAKE) -$(MFLAGS)
+ cd ..\rand2key
+ @echo Making in crypto\rand2key
+ $(MAKE) -$(MFLAGS)
cd ..\old
@echo Making in crypto\old
$(MAKE) -$(MFLAGS)
cd ..\dk
@echo Making clean in crypto\dk
$(MAKE) -$(MFLAGS) clean
- cd ..\hash_provider
- @echo Making clean in crypto\hash_provider
- $(MAKE) -$(MFLAGS) clean
cd ..\keyhash_provider
@echo Making clean in crypto\keyhash_provider
$(MAKE) -$(MFLAGS) clean
+ cd ..\prf
+ @echo Making clean in crypto\prf
+ $(MAKE) -$(MFLAGS) clean
+ cd ..\rand2key
+ @echo Making clean in crypto\rand2key
+ $(MAKE) -$(MFLAGS) clean
cd ..\old
@echo Making clean in crypto\old
$(MAKE) -$(MFLAGS) clean
cd ..\dk
@echo Making check in crypto\dk
$(MAKE) -$(MFLAGS) check
- cd ..\hash_provider
- @echo Making check in crypto\hash_provider
- $(MAKE) -$(MFLAGS) check
cd ..\keyhash_provider
@echo Making check in crypto\keyhash_provider
$(MAKE) -$(MFLAGS) check
- cd ..\md4
+ cd ..\prf
+ @echo Making check in crypto\prf
+ $(MAKE) -$(MFLAGS) check
+ cd ..\rand2key
+ @echo Making check in crypto\rand2key
+ $(MAKE) -$(MFLAGS) check
+ cd ..\old
@echo Making check in crypto\old
$(MAKE) -$(MFLAGS) check
cd ..\raw
$(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
$(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
$(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(srcdir)/hash_provider/hash_provider.h \
+ $(SRCTOP)/include/socket-utils.h $(srcdir)/../builtin/hash_provider/hash_provider.h \
$(srcdir)/keyhash_provider/keyhash_provider.h cksumtypes.c \
cksumtypes.h
coll_proof_cksum.so coll_proof_cksum.po $(OUTPRE)coll_proof_cksum.$(OBJEXT): \
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
$(srcdir)/../builtin/aes/aes_s2k.h $(srcdir)/../builtin/arcfour/arcfour.h \
- $(srcdir)/../builtin/des/des_int.h $(srcdir)/dk/dk.h \
- $(srcdir)/../builtin/enc_provider/enc_provider.h $(srcdir)/hash_provider/hash_provider.h \
- $(srcdir)/old/old.h $(srcdir)/raw/raw.h etypes.c etypes.h
+ $(srcdir)/../builtin/des/des_int.h $(srcdir)/../builtin/enc_provider/enc_provider.h \
+ $(srcdir)/dk/dk.h $(srcdir)/../builtin/hash_provider/hash_provider.h \
+ $(srcdir)/old/old.h $(srcdir)/prf/prf_int.h $(srcdir)/raw/raw.h \
+ etypes.c etypes.h
keyblocks.so keyblocks.po $(OUTPRE)keyblocks.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../builtin/sha1/shs.h $(srcdir)/../builtin/enc_provider/enc_provider.h \
+ $(srcdir)/../builtin/enc_provider/enc_provider.h $(srcdir)/../builtin/sha1/shs.h \
$(srcdir)/yarrow/yarrow.h $(srcdir)/yarrow/ycipher.h \
- $(srcdir)/yarrow/yhash.h $(srcdir)/yarrow/ytypes.h \
+ $(srcdir)/../builtin/yhash.h $(srcdir)/yarrow/ytypes.h \
prng.c
random_to_key.so random_to_key.po $(OUTPRE)random_to_key.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
dk_decrypt.o \
dk_encrypt.o \
derive.o \
- dk_prf.o \
stringtokey.o
OBJS=\
$(OUTPRE)dk_decrypt.$(OBJEXT) \
$(OUTPRE)dk_encrypt.$(OBJEXT) \
$(OUTPRE)derive.$(OBJEXT) \
- $(OUTPRE)dk_prf.$(OBJEXT) \
$(OUTPRE)stringtokey.$(OBJEXT)
SRCS=\
$(srcdir)/dk_aead.c \
$(srcdir)/dk_decrypt.c \
$(srcdir)/dk_encrypt.c \
- $(srcdir)/dk_prf.c \
$(srcdir)/derive.c \
$(srcdir)/stringtokey.c
$(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
$(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h dk.h dk_encrypt.c
-dk_prf.so dk_prf.po $(OUTPRE)dk_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- dk.h dk_prf.c
derive.so derive.po $(OUTPRE)derive.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
const krb5_data *string, const krb5_data *salt,
const krb5_data *params, krb5_keyblock *key);
-krb5_error_code
-krb5int_dk_prf(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, const krb5_data *in, krb5_data *out);
-
krb5_error_code krb5_derive_key
(const struct krb5_enc_provider *enc,
const krb5_keyblock *inkey,
#include "old.h"
#include "raw.h"
#include "dk.h"
+#include "prf_int.h"
#include "arcfour.h"
#include "aes_s2k.h"
#include "des/des_int.h"
BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
LOCALINCLUDES = -I$(srcdir)/../../@CRYPTO_IMPL@/des -I$(srcdir)/../../@CRYPTO_IMPL@/md4 \
-I$(srcdir)/../../@CRYPTO_IMPL@/md5 -I$(srcdir)/../../@CRYPTO_IMPL@/arcfour \
- -I$(srcdir)/../hash_provider
+ -I$(srcdir)/../../@CRYPTO_IMPL@/hash_provider -I$(srcdir)/../../@CRYPTO_IMPL@
DEFS=
##DOS##BUILDTOP = ..\..\..\..
$(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/arcfour/arcfour-int.h \
$(srcdir)/../../builtin/arcfour/arcfour.h $(srcdir)/../../builtin/md5/rsa-md5.h \
- $(srcdir)/../aead.h $(srcdir)/../cksumtypes.h $(srcdir)/../hash_provider/hash_provider.h \
+ $(srcdir)/../aead.h $(srcdir)/../cksumtypes.h $(srcdir)/../../builtin/hash_provider/hash_provider.h \
hmac_md5.c keyhash_provider.h
md5_hmac.so md5_hmac.po $(OUTPRE)md5_hmac.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/arcfour/arcfour-int.h \
$(srcdir)/../../builtin/arcfour/arcfour.h $(srcdir)/../../builtin/md5/rsa-md5.h \
- $(srcdir)/../hash_provider/hash_provider.h keyhash_provider.h \
+ $(srcdir)/../../builtin/hash_provider/hash_provider.h keyhash_provider.h \
md5_hmac.c
/* des-cbc(xorkey, conf | rsa-md4(conf | data)) */
-/* this could be done in terms of the md4 and des providers, but
- that's less efficient, and there's no need for this to be generic */
+extern struct krb5_enc_provider krb5int_enc_des;
static krb5_error_code
k5_md4des_hash(const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *ivec,
krb5_data data;
krb5_MD4_CTX ctx;
unsigned char conf[CONFLENGTH];
- unsigned char xorkey[8];
- unsigned int i;
- mit_des_key_schedule schedule;
+ struct krb5_enc_provider *enc = &krb5int_enc_des;
- if (key->length != 8)
- return(KRB5_BAD_KEYSIZE);
- if (ivec)
- return(KRB5_CRYPTO_INTERNAL);
if (output->length != (CONFLENGTH+RSA_MD4_CKSUM_LENGTH))
return(KRB5_CRYPTO_INTERNAL);
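Review bot: Dropping the `key->length != 8` and `ivec` checks (L4903-L4906) while the verify function at L4952 keeps `if (key->length != 8) return(KRB5_BAD_KEYSIZE);` leaves the two halves of this provider with different contracts: a wrong-size key is now rejected (if at all) by `krb5int_enc_des` with whatever error it chooses rather than `KRB5_BAD_KEYSIZE`, and a non-NULL `ivec` is no longer refused but silently ignored, since the encrypt call later in the function passes NULL. Keep the two lines, `if (key->length != 8) return(KRB5_BAD_KEYSIZE);` and `if (ivec) return(KRB5_CRYPTO_INTERNAL);`, or pass `ivec` through to the provider. The body of `k5_md4des_hash` continues in the following hunks.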
if ((ret = krb5_c_random_make_octets(/* XXX */ 0, &data)))
return(ret);
- /* create and schedule the encryption key */
-
- memcpy(xorkey, key->contents, sizeof(xorkey));
- for (i=0; i<sizeof(xorkey); i++)
- xorkey[i] ^= 0xf0;
-
- switch (ret = mit_des_key_sched(xorkey, schedule)) {
- case -1:
- return(KRB5DES_BAD_KEYPAR);
- case -2:
- return(KRB5DES_WEAK_KEY);
- }
-
/* hash the confounder, then the input data */
krb5_MD4Init(&ctx);
memcpy(output->data, conf, CONFLENGTH);
memcpy(output->data+CONFLENGTH, ctx.digest, RSA_MD4_CKSUM_LENGTH);
- /* encrypt it, in place. this has a return value, but it's
- always zero. */
+ ret = enc->encrypt(key, NULL, output, output);
- mit_des_cbc_encrypt((krb5_pointer) output->data,
- (krb5_pointer) output->data, output->length,
- schedule, (const unsigned char *) mit_des_zeroblock,
- 1);
-
- return(0);
+ return (ret);
}
static krb5_error_code
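Review bot: The new encryption step at L4930 hands the caller's `key` straight to `enc->encrypt`, whereas the removed code (L4913-L4915) first XORed every key byte with 0xf0 and scheduled that derived key, which is what the `des-cbc(xorkey, ...)` comment at L4890 and the rsa-md4-des checksum definition call for. Unless `krb5int_enc_des` applies that mask itself (its definition is not in this diff), checksums produced here will no longer verify against older builds or other implementations, and because the verify path at L4990 was changed the same way, a round-trip self-test would not notice. Restoring the `xorkey`/`i` locals removed at L4899-L4900 plus a `krb5_keyblock xorkb;` and encrypting under the masked key keeps the wire format; the same fix is needed in the non-compat branch of the verify function.
```c
    /* rsa-md4-des encrypts under the checksum key with every byte XORed
     * with 0xf0 (see the des-cbc(xorkey, ...) comment above); the enc
     * provider receives the key as given, so derive the masked key here. */
    for (i = 0; i < sizeof(xorkey); i++)
        xorkey[i] = key->contents[i] ^ 0xf0;
    xorkb.magic = KV5M_KEYBLOCK;
    xorkb.length = sizeof(xorkey);
    xorkb.contents = xorkey;
    ret = enc->encrypt(&xorkb, NULL, output, output);
    return (ret);
```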
const krb5_data *input, const krb5_data *hash,
krb5_boolean *valid)
{
+ krb5_error_code ret;
krb5_MD4_CTX ctx;
unsigned char plaintext[CONFLENGTH+RSA_MD4_CKSUM_LENGTH];
- unsigned char xorkey[8];
- unsigned int i;
- mit_des_key_schedule schedule;
int compathash = 0;
+ struct krb5_enc_provider *enc = &krb5int_enc_des;
+ krb5_data output, iv;
if (key->length != 8)
return(KRB5_BAD_KEYSIZE);
- if (ivec)
- return(KRB5_CRYPTO_INTERNAL);
if (hash->length != (CONFLENGTH+RSA_MD4_CKSUM_LENGTH)) {
#ifdef KRB5_MD4DES_BETA5_COMPAT
if (hash->length != RSA_MD4_CKSUM_LENGTH)
return(KRB5_CRYPTO_INTERNAL);
}
- /* create and schedule the encryption key */
-
- memcpy(xorkey, key->contents, sizeof(xorkey));
- if (!compathash) {
- for (i=0; i<sizeof(xorkey); i++)
- xorkey[i] ^= 0xf0;
- }
-
- switch (mit_des_key_sched(xorkey, schedule)) {
- case -1:
- return(KRB5DES_BAD_KEYPAR);
- case -2:
- return(KRB5DES_WEAK_KEY);
+ if (compathash) {
+ iv.data = malloc(key->length);
+ if (!iv.data) return ENOMEM;
+ iv.length = key->length;
+ if (key->contents)
+ memcpy(iv.data, key->contents, key->length);
}
- /* decrypt it. this has a return value, but it's always zero. */
+ /* decrypt it */
+ output.data = plaintext;
+ output.length = hash->length;
if (!compathash) {
- mit_des_cbc_encrypt((krb5_pointer) hash->data,
- (krb5_pointer) plaintext, hash->length,
- schedule,
- (const unsigned char *) mit_des_zeroblock, 0);
+ ret = enc->decrypt(key, NULL, hash, &output);
} else {
- mit_des_cbc_encrypt((krb5_pointer) hash->data,
- (krb5_pointer) plaintext, hash->length,
- schedule, xorkey, 0);
+ ret = enc->decrypt(key, &iv, hash, &output);
+ }
+
+ if (compathash && iv.data) {
+ free (iv.data);
}
+ if (ret) return(ret);
+
+ if (output.length > CONFLENGTH+RSA_MD4_CKSUM_LENGTH)
+ return KRB5_CRYPTO_INTERNAL;
+
/* hash the confounder, then the input data */
krb5_MD4Init(&ctx);
if (!compathash) {
krb5_MD4Update(&ctx, plaintext, CONFLENGTH);
}
- krb5_MD4Update(&ctx, (unsigned char *) input->data,
+ krb5_MD4Update(&ctx, (unsigned char *) input->data,
(unsigned int) input->length);
krb5_MD4Final(&ctx);
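Review bot: The bounds check `if (output.length > CONFLENGTH+RSA_MD4_CKSUM_LENGTH)` at L5003 runs after `enc->decrypt` has already written `output.length` (= `hash->length`) bytes into the fixed `plaintext[CONFLENGTH+RSA_MD4_CKSUM_LENGTH]` array, so as a guard for that buffer it is too late; as written it also cannot fire, because `hash->length` was pinned to exactly that size or (compat) `RSA_MD4_CKSUM_LENGTH` at L4956-L4959. Move it above the decrypt — `if (hash->length > sizeof(plaintext)) return KRB5_CRYPTO_INTERNAL;` right after `output.length = hash->length;` — or drop it and leave a comment that the earlier length test is what protects `plaintext`. It would also be worth a comment at the compat branch that the un-masked key doubles as the IV, since that is the only place the old beta5 behaviour is now encoded. The function's final comparison lies beyond this hunk.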
/* des-cbc(xorkey, conf | rsa-md5(conf | data)) */
-/* this could be done in terms of the md5 and des providers, but
- that's less efficient, and there's no need for this to be generic */
+extern struct krb5_enc_provider krb5int_enc_des;
static krb5_error_code
k5_md5des_hash(const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *ivec,
krb5_data data;
krb5_MD5_CTX ctx;
unsigned char conf[CONFLENGTH];
- unsigned char xorkey[8];
- unsigned int i;
- mit_des_key_schedule schedule;
+ struct krb5_enc_provider *enc = &krb5int_enc_des;
- if (key->length != 8)
- return(KRB5_BAD_KEYSIZE);
- if (ivec)
- return(KRB5_CRYPTO_INTERNAL);
if (output->length != (CONFLENGTH+RSA_MD5_CKSUM_LENGTH))
return(KRB5_CRYPTO_INTERNAL);
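Review bot: The `key->length` and `ivec` checks removed at L5028-L5031 are still present in this file's verify routine (L5076-L5077 keeps `if (key->length != 8) return(KRB5_BAD_KEYSIZE);`), so the hash and verify halves of the rsa-md5-des provider now disagree on what they reject, and a caller-supplied `ivec` is silently discarded rather than refused. Either keep `if (key->length != 8) return(KRB5_BAD_KEYSIZE); if (ivec) return(KRB5_CRYPTO_INTERNAL);` here or remove the counterpart in verify with a comment that the enc provider owns key validation. `k5_md5des_hash` continues in the next hunks.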
if ((ret = krb5_c_random_make_octets(/* XXX */ 0, &data)))
return(ret);
- /* create and schedule the encryption key */
-
- memcpy(xorkey, key->contents, sizeof(xorkey));
- for (i=0; i<sizeof(xorkey); i++)
- xorkey[i] ^= 0xf0;
-
- switch (ret = mit_des_key_sched(xorkey, schedule)) {
- case -1:
- return(KRB5DES_BAD_KEYPAR);
- case -2:
- return(KRB5DES_WEAK_KEY);
- }
-
/* hash the confounder, then the input data */
krb5_MD5Init(&ctx);
memcpy(output->data, conf, CONFLENGTH);
memcpy(output->data+CONFLENGTH, ctx.digest, RSA_MD5_CKSUM_LENGTH);
- /* encrypt it, in place. this has a return value, but it's
- always zero. */
+ ret = enc->encrypt(key, NULL, output, output);
- mit_des_cbc_encrypt((krb5_pointer) output->data,
- (krb5_pointer) output->data, output->length,
- schedule, (const unsigned char *) mit_des_zeroblock,
- 1);
+ return ret;
- return(0);
}
static krb5_error_code
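Review bot: `enc->encrypt(key, NULL, output, output)` at L5055 encrypts under the raw checksum key, but the code it replaces (L5038-L5040) XORed each key byte with 0xf0 first, as the `des-cbc(xorkey, ...)` comment at L5015 still states; unless `krb5int_enc_des` performs that masking internally (not visible in this diff), rsa-md5-des checksums from this build will not interoperate with other implementations or with pre-change builds, and the verify path at L5115 changed identically so a self round-trip would still pass. The fix mirrors what is needed in the md4 variant: bring back the `xorkey`/`i` locals dropped at L5024-L5025, add a `krb5_keyblock xorkb;`, and encrypt under the masked key; apply the same in the non-compat branch of verify.
```c
    /* rsa-md5-des: DES-CBC under the checksum key XORed with 0xf0 per byte. */
    for (i = 0; i < sizeof(xorkey); i++)
        xorkey[i] = key->contents[i] ^ 0xf0;
    xorkb.magic = KV5M_KEYBLOCK;
    xorkb.length = sizeof(xorkey);
    xorkb.contents = xorkey;
    ret = enc->encrypt(&xorkb, NULL, output, output);
    return ret;
```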
const krb5_data *input, const krb5_data *hash,
krb5_boolean *valid)
{
+ krb5_error_code ret;
krb5_MD5_CTX ctx;
unsigned char plaintext[CONFLENGTH+RSA_MD5_CKSUM_LENGTH];
- unsigned char xorkey[8];
- unsigned int i;
- mit_des_key_schedule schedule;
int compathash = 0;
+ struct krb5_enc_provider *enc = &krb5int_enc_des;
+ krb5_data output, iv;
if (key->length != 8)
return(KRB5_BAD_KEYSIZE);
- if (ivec)
- return(KRB5_CRYPTO_INTERNAL);
+
if (hash->length != (CONFLENGTH+RSA_MD5_CKSUM_LENGTH)) {
#ifdef KRB5_MD5DES_BETA5_COMPAT
if (hash->length != RSA_MD5_CKSUM_LENGTH)
#endif
}
- /* create and schedule the encryption key */
-
- memcpy(xorkey, key->contents, sizeof(xorkey));
- if (!compathash) {
- for (i=0; i<sizeof(xorkey); i++)
- xorkey[i] ^= 0xf0;
- }
-
- switch (mit_des_key_sched(xorkey, schedule)) {
- case -1:
- return(KRB5DES_BAD_KEYPAR);
- case -2:
- return(KRB5DES_WEAK_KEY);
+ if (compathash) {
+ iv.data = malloc(key->length);
+ if (!iv.data) return ENOMEM;
+ iv.length = key->length;
+ if (key->contents)
+ memcpy(iv.data, key->contents, key->length);
}
- /* decrypt it. this has a return value, but it's always zero. */
+ /* decrypt it */
+ output.data = plaintext;
+ output.length = hash->length;
if (!compathash) {
- mit_des_cbc_encrypt((krb5_pointer) hash->data,
- (krb5_pointer) plaintext, hash->length,
- schedule,
- (const unsigned char *) mit_des_zeroblock, 0);
+ ret = enc->decrypt(key, NULL, hash, &output);
} else {
- mit_des_cbc_encrypt((krb5_pointer) hash->data,
- (krb5_pointer) plaintext, hash->length,
- schedule, xorkey, 0);
+ ret = enc->decrypt(key, &iv, hash, &output);
+ }
+
+ if (compathash && iv.data) {
+ free (iv.data);
}
+ if (ret) return(ret);
+
+ if (output.length > CONFLENGTH+RSA_MD5_CKSUM_LENGTH)
+ return KRB5_CRYPTO_INTERNAL;
+
/* hash the confounder, then the input data */
krb5_MD5Init(&ctx);
if (!compathash) {
krb5_MD5Update(&ctx, plaintext, CONFLENGTH);
}
- krb5_MD5Update(&ctx, (unsigned char *) input->data,
+ krb5_MD5Update(&ctx, (unsigned char *) input->data,
(unsigned) input->length);
krb5_MD5Final(&ctx);
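Review bot: k5_md5des_hash no longer XORs the DES key with 0xf0 before encrypting: the removed lines built `xorkey` from `key->contents` with `xorkey[i] ^= 0xf0` and scheduled that, while the new `ret = enc->encrypt(key, NULL, output, output);` passes the caller's key unchanged, so the checksum value changes unless krb5int_enc_des applies the XOR internally, which nothing here shows. The verify function has the same drop in its non-compat branch (`ret = enc->decrypt(key, NULL, hash, &output);`), so hash and verify still agree with each other but not with the previous implementation; the compat branch is unaffected because the removed code skipped the XOR there and used the raw key as IV, which the new `iv` keyblock copy reproduces. Fix both by building a local krb5_keyblock whose contents are the 0xf0-XORed copy of key->contents and passing that to enc->encrypt/decrypt. The hash function also dropped `if (key->length != 8) return(KRB5_BAD_KEYSIZE);` while the verify function keeps it; keep the two consistent unless the provider is known to reject other lengths. Both function signatures are partly outside the hunk.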
--- /dev/null
+thisconfigdir=../../../..
+myfulldir=lib/crypto/krb/prf
+mydir=lib/crypto/krb/prf
+BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
+LOCALINCLUDES = -I$(srcdir) -I$(srcdir)/.. \
+ -I$(srcdir)/../dk \
+ -I$(srcdir)/../../@CRYPTO_IMPL@ \
+ -I$(srcdir)/../../@CRYPTO_IMPL@/md5 \
+ -I$(srcdir)/../../@CRYPTO_IMPL@/sha1
+DEFS=
+
+##DOS##BUILDTOP = ..\..\..\..
+##DOS##PREFIXDIR=prf
+##DOS##OBJFILE=..\$(OUTPRE)prf.lst
+
+PROG_LIBPATH=-L$(TOPLIBD)
+PROG_RPATH=$(KRB5_LIBDIR)
+
+STLIBOBJS= des_prf.o dk_prf.o rc4_prf.o
+
+OBJS= $(OUTPRE)des_prf.$(OBJEXT) $(OUTPRE)dk_prf.$(OBJEXT) \
+ $(OUTPRE)rc4_prf.$(OBJEXT)
+
+SRCS= $(srcdir)/des_prf.c $(srcdir)/dk_prf.c \
+ $(srcdir)/rc4_prf.c
+
+##DOS##LIBOBJS = $(OBJS)
+
+all-unix:: all-libobjs
+
+includes:: depend
+
+depend:: $(SRCS)
+
+clean-unix:: clean-libobjs
+
+@libobj_frag@
+
--- /dev/null
+#
+# Generated makefile dependencies follow.
+#
+des_prf.so des_prf.po $(OUTPRE)des_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
+ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
+ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
+ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
+ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
+ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ des_prf.c prf_int.h
+dk_prf.so dk_prf.po $(OUTPRE)dk_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
+ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
+ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
+ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
+ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
+ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(srcdir)/../dk/dk.h dk_prf.c prf_int.h
+rc4_prf.so rc4_prf.po $(OUTPRE)rc4_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
+ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
+ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
+ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
+ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
+ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ $(srcdir)/../../builtin/hash_provider/hash_provider.h prf_int.h \
+ rc4_prf.c
/*
- * lib/crypto/des/des_prf.c
+ * lib/crypto/krb/prf//des_prf.c
*
* Copyright (C) 2004, 2009 by the Massachusetts Institute of Technology.
* All rights reserved.
* des-cbc-crc, des-cbc-md4, and des-cbc-md5 enctypes.
*/
-#include "k5-int.h"
-#include "hash_provider/hash_provider.h" /* XXX is this ok? */
+#include "prf_int.h"
+//#include <hash_provider/hash_provider.h> /* XXX is this ok? */
krb5_error_code
krb5int_des_prf (const struct krb5_enc_provider *enc,
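Review bot: The new include block leaves a commented-out line, `//#include <hash_provider/hash_provider.h> /* XXX is this ok? */`, which is dead code with an open question attached and the only `//` comment in a file that otherwise uses `/* */`; either the include is needed and should be restored, or it is not and the line should be deleted. The path comment on the new second line reads `lib/crypto/krb/prf//des_prf.c` with a doubled slash and should be `lib/crypto/krb/prf/des_prf.c`. The body of krb5int_des_prf continues outside the hunk.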
/*
- * lib/crypto/dk/prf.c
+ * lib/crypto/krb/prf/dk_prf.c
*
* Copyright (C) 2004 by the Massachusetts Institute of Technology.
* All rights reserved.
*simplified profile enctypes.
*/
-#include "k5-int.h"
-#include "dk.h"
+#include "prf_int.h"
+#include <dk.h>
krb5_error_code
krb5int_dk_prf (const struct krb5_enc_provider *enc,
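Review bot: `#include <dk.h>` replaces the quoted form `"dk.h"` for a project-local header; the angle-bracket form skips the including file's directory and depends entirely on the `-I$(srcdir)/../dk` entry in the new Makefile.in, and it breaks the convention used by the neighbouring `#include "prf_int.h"` and the other .c files in this patch. The same switch appears in ycipher.c (`#include <yhash.h>`) and rc4_prf.c (`#include <hash_provider/hash_provider.h>`); quoting all three keeps the include style uniform and robust to include-path changes. The body of krb5int_dk_prf continues outside the hunk.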
--- /dev/null
+/*
+ * lib/crypto/krb/prf/prf_int.h
+ *
+ * Copyright 1987, 1988, 1990, 2002 by the Massachusetts Institute of
+ * Technology. All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#ifndef PRF_INTERNAL_DEFS
+#define PRF_INTERNAL_DEFS
+
+#include "k5-int.h"
+
+krb5_error_code
+krb5int_arcfour_prf(const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ const krb5_data *in, krb5_data *out);
+
+krb5_error_code
+krb5int_des_prf (const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ const krb5_data *in, krb5_data *out);
+
+krb5_error_code
+krb5int_dk_prf(const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key, const krb5_data *in, krb5_data *out);
+
+#endif /*PRF_INTERNAL_DEFS*/
+
+
--- /dev/null
+/*
+ * lib/crypto/krb/prf/rc4_prf.c
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ */
+
+#include "prf_int.h"
+#include "k5-int.h"
+#include <hash_provider/hash_provider.h>
+
+krb5_error_code
+krb5int_arcfour_prf(const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ const krb5_data *in, krb5_data *out)
+{
+ assert(out->length == 20);
+ return krb5_hmac(&krb5int_hash_sha1, key, 1, in, out);
+}
+
+
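Review bot: `assert(out->length == 20);` is the only check on the caller-supplied output buffer in krb5int_arcfour_prf, and it compiles away under NDEBUG, so a release build hands a mis-sized `out` straight to krb5_hmac; return an error instead, `if (out->length != krb5int_hash_sha1.hashsize) return KRB5_CRYPTO_INTERNAL;`, which also removes the magic 20 and matches the error convention of the rand2key functions in this patch. The `enc` and `hash` parameters are ignored in favour of the hard-coded krb5int_hash_sha1; if that is intentional for this enctype, a one-line comment above the call saying so, e.g. `/* the PRF is always HMAC-SHA1 over the input, independent of the enctype's hash provider */`, would stop a reader from treating it as a bug. `#include "k5-int.h"` is redundant here because prf_int.h already includes it.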
--- /dev/null
+thisconfigdir=../../../..
+myfulldir=lib/crypto/krb/rand2key
+mydir=lib/crypto/krb/rand2key
+BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
+LOCALINCLUDES = -I$(srcdir)/.
+DEFS=
+
+##DOS##BUILDTOP = ..\..\..\..
+##DOS##PREFIXDIR=rand2key
+##DOS##OBJFILE=..\$(OUTPRE)rand2key.lst
+
+PROG_LIBPATH=-L$(TOPLIBD)
+PROG_RPATH=$(KRB5_LIBDIR)
+
+STLIBOBJS= aes_rand2key.o des_rand2key.o des3_rand2key.o rc4_rand2key.o
+
+OBJS= $(OUTPRE)aes_rand2key.$(OBJEXT) $(OUTPRE)des_rand2key.$(OBJEXT) \
+ $(OUTPRE)des3_rand2key.$(OBJEXT) $(OUTPRE)rc4_rand2key.$(OBJEXT)
+
+SRCS= $(srcdir)/aes_rand2key.c $(srcdir)/des_rand2key.c \
+ $(srcdir)/des3_rand2key.c $(srcdir)/rc4_rand2key.c
+
+##DOS##LIBOBJS = $(OBJS)
+
+all-unix:: all-libobjs
+
+includes:: depend
+
+depend:: $(SRCS)
+
+clean-unix:: clean-libobjs
+
+@libobj_frag@
+
--- /dev/null
+/*
+ * lib/crypto/krb/rand2key/aes_rand2key.c
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+
+#include "rand2key.h"
+
+krb5_error_code
+krb5int_aes_make_key(const krb5_data *randombits, krb5_keyblock *key)
+{
+ if (key->length != 16 && key->length != 32)
+ return(KRB5_BAD_KEYSIZE);
+ if (randombits->length != key->length)
+ return(KRB5_CRYPTO_INTERNAL);
+
+ key->magic = KV5M_KEYBLOCK;
+
+ memcpy(key->contents, randombits->data, randombits->length);
+
+ return(0);
+}
+
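Review bot: krb5int_aes_make_key has no comment stating that random-to-key for AES is a plain copy of the random bits, whereas the DES variants in this patch explain their construction; add above the function `/* random-to-key for AES is the identity: the 16 or 32 random bytes become the key unchanged */`. The function also assumes key->contents already points at a buffer of key->length bytes owned by the caller; a short note to that effect in the same comment documents the contract the length checks rely on.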
--- /dev/null
+#
+# Generated makefile dependencies follow.
+#
+aes_rand2key.so aes_rand2key.po $(OUTPRE)aes_rand2key.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \
+ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
+ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
+ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
+ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h aes_rand2key.c rand2key.h
+des_rand2key.so des_rand2key.po $(OUTPRE)des_rand2key.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \
+ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
+ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
+ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
+ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h des_rand2key.c rand2key.h
+des3_rand2key.so des3_rand2key.po $(OUTPRE)des3_rand2key.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \
+ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
+ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
+ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
+ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h des3_rand2key.c rand2key.h
+rc4_rand2key.so rc4_rand2key.po $(OUTPRE)rc4_rand2key.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \
+ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
+ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
+ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
+ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h rand2key.h rc4_rand2key.c
--- /dev/null
+/*
+ * lib/crypto/krb/rand2key/des3_rand2key.c
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+
+#include "rand2key.h"
+
+/* RFC 3961 */
+krb5_error_code
+krb5int_des3_make_key(const krb5_data *randombits, krb5_keyblock *key)
+{
+ int i;
+ if (key->length != KRB5_MIT_DES3_KEYSIZE)
+ return(KRB5_BAD_KEYSIZE);
+ if (randombits->length != KRB5_MIT_DES3_KEY_BYTES)
+ return(KRB5_CRYPTO_INTERNAL);
+
+ key->magic = KV5M_KEYBLOCK;
+
+ /* take the seven bytes, move them around into the top 7 bits of the
+ 8 key bytes, then compute the parity bits. Do this three times. */
+
+ for (i=0; i<3; i++) {
+ memcpy(key->contents+i*8, randombits->data+i*7, 7);
+ key->contents[i*8+7] = (((key->contents[i*8]&1)<<1) |
+ ((key->contents[i*8+1]&1)<<2) |
+ ((key->contents[i*8+2]&1)<<3) |
+ ((key->contents[i*8+3]&1)<<4) |
+ ((key->contents[i*8+4]&1)<<5) |
+ ((key->contents[i*8+5]&1)<<6) |
+ ((key->contents[i*8+6]&1)<<7));
+
+ mit_des_fixup_key_parity(key->contents+i*8);
+ }
+ return(0);
+}
+
--- /dev/null
+/*
+ * lib/crypto/krb/rand2key/des_rand2key.c
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+
+#include "rand2key.h"
+
+krb5_error_code
+krb5int_des_make_key(const krb5_data *randombits, krb5_keyblock *key)
+{
+ if (key->length != KRB5_MIT_DES_KEYSIZE)
+ return(KRB5_BAD_KEYSIZE);
+ if (randombits->length != 7)
+ return(KRB5_CRYPTO_INTERNAL);
+
+ key->magic = KV5M_KEYBLOCK;
+
+ /* take the seven bytes, move them around into the top 7 bits of the
+ 8 key bytes, then compute the parity bits */
+
+ memcpy(key->contents, randombits->data, randombits->length);
+ key->contents[7] = (((key->contents[0]&1)<<1) | ((key->contents[1]&1)<<2) |
+ ((key->contents[2]&1)<<3) | ((key->contents[3]&1)<<4) |
+ ((key->contents[4]&1)<<5) | ((key->contents[5]&1)<<6) |
+ ((key->contents[6]&1)<<7));
+
+ mit_des_fixup_key_parity(key->contents);
+
+ return(0);
+}
+
+
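Review bot: `if (randombits->length != 7)` uses a bare literal where des3_rand2key.c in the same patch uses the named constant `KRB5_MIT_DES3_KEY_BYTES` for its input length; giving the 7 a name alongside KRB5_MIT_DES_KEYSIZE, or at least a comment such as `/* 56 random bits in */`, keeps the two files readable side by side. The des3 variant also carries a `/* RFC 3961 */` marker that this function, which performs the same per-block construction, lacks.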
--- /dev/null
+#include "k5-int.h"
+
+
+krb5_error_code
+krb5int_arcfour_make_key(const krb5_data *randombits, krb5_keyblock *key);
+
+krb5_error_code
+krb5int_des_make_key(const krb5_data *randombits, krb5_keyblock *key);
+
+/* RFC 3961 */
+krb5_error_code
+krb5int_des3_make_key(const krb5_data *randombits, krb5_keyblock *key);
+
+krb5_error_code
+krb5int_aes_make_key(const krb5_data *randombits, krb5_keyblock *key);
+
+
+
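Review bot: rand2key.h has no include guard, unlike prf_int.h and arcfour-int.h added in the same patch, so including it twice redeclares the four prototypes; wrap it in e.g. `#ifndef RAND2KEY_H` / `#define RAND2KEY_H` … `#endif`. It also lacks the path/copyright header the .c files carry, and `/* RFC 3961 */` annotates only the des3 prototype although des_rand2key.c uses the same construction. A one-line comment per prototype giving the randombits length each implementation requires (7, 21, 16 or 32, and 16, from the checks in the .c files) would document the contract callers must meet.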
--- /dev/null
+/*
+ * lib/crypto/krb/rand2key/rc4_rand2key.c
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include "rand2key.h"
+
+
+krb5_error_code
+krb5int_arcfour_make_key(const krb5_data *randombits, krb5_keyblock *key)
+{
+ if (key->length != 16)
+ return(KRB5_BAD_KEYSIZE);
+ if (randombits->length != 16)
+ return(KRB5_CRYPTO_INTERNAL);
+
+ key->magic = KV5M_KEYBLOCK;
+ key->length = 16;
+
+ memcpy(key->contents, randombits->data, randombits->length);
+
+ return(0);
+}
+
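Review bot: `key->length = 16;` after `if (key->length != 16) return(KRB5_BAD_KEYSIZE);` is a dead store, and this is the only rand2key variant in the patch that assigns key->length; drop the assignment, or, if the intent is to let callers pass an unset length, drop the check instead and say which in a comment. A header comment like the `/* RFC 3961 */` marker on des3_rand2key.c, e.g. `/* random-to-key for arcfour-hmac: the 16 random bytes are the key */`, would also help.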
myfulldir=lib/crypto/krb/yarrow
mydir=lib/crypto/krb/yarrow
BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
-LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../../@CRYPTO_IMPL@ -I$(srcdir)/../../@CRYPTO_IMPL@/sha1 -I$(srcdir)/../../@CRYPTO_IMPL@/enc_provider
+LOCALINCLUDES = -I$(srcdir)/.. \
+ -I$(srcdir)/../../@CRYPTO_IMPL@ \
+ -I$(srcdir)/../../@CRYPTO_IMPL@/sha1 \
+ -I$(srcdir)/../../@CRYPTO_IMPL@/enc_provider
DEFS=
##DOS##BUILDTOP = ..\..\..\..
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
$(srcdir)/../../builtin/sha1/shs.h yarrow.c yarrow.h \
- ycipher.h yexcep.h yhash.h ylock.h ystate.h ytypes.h
+ ycipher.h yexcep.h $(srcdir)/../../builtin/yhash.h ylock.h ystate.h ytypes.h
ycipher.so ycipher.po $(OUTPRE)ycipher.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(srcdir)/../../builtin/sha1/shs.h $(srcdir)/../../builtin/enc_provider/enc_provider.h \
- yarrow.h ycipher.c ycipher.h yhash.h ytypes.h
+ $(srcdir)/../../builtin/enc_provider/enc_provider.h \
+ $(srcdir)/../../builtin/sha1/shs.h yarrow.h ycipher.c \
+ ycipher.h $(srcdir)/../../builtin/yhash.h ytypes.h
#define YARROW_IMPL
#include "yarrow.h"
-#include "yhash.h"
#include "ycipher.h"
#include "ylock.h"
#include "ystate.h"
#define YARROW_NO_MATHLIB
#include "ytypes.h"
-#include "yhash.h"
+#include <yhash.h>
#include "ycipher.h"
/* These error codes are returned by the functions below. */
--- /dev/null
+/*
+
+ARCFOUR cipher (based on a cipher posted on the Usenet in Spring-95).
+This cipher is widely believed and has been tested to be equivalent
+with the RC4 cipher from RSA Data Security, Inc. (RC4 is a trademark
+of RSA Data Security)
+
+*/
+#ifndef ARCFOUR_INT_H
+#define ARCFOUR_INT_H
+
+#include "arcfour.h"
+#include <openssl/evp.h>
+
+#define CONFOUNDERLENGTH 8
+
+typedef struct
+{
+ EVP_CIPHER_CTX evp_ctx;
+ unsigned int x;
+ unsigned int y;
+ unsigned char state[256];
+
+} ArcfourContext;
+
+typedef struct {
+ int initialized;
+ ArcfourContext ctx;
+} ArcFourCipherState;
+
+krb5_keyusage krb5int_arcfour_translate_usage(krb5_keyusage usage);
+
+extern const char *const krb5int_arcfour_l40;
+
+#endif /* ARCFOUR_INT_H */
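Review bot: ArcfourContext for the OpenSSL backend carries an `EVP_CIPHER_CTX evp_ctx` together with the software-RC4 fields `x`, `y` and `state[256]`; if the EVP context is what this backend drives, the other three look like leftovers from the builtin implementation and should be removed, or a comment should name the code that still uses them (their users are outside this chunk, so I cannot confirm either way). The header also uses `krb5_keyusage` without including k5-int.h, so it compiles only when the including .c file has pulled that in first; a comment stating that ordering requirement, or the include itself, would make the dependency explicit.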
--- /dev/null
+/*
+
+ARCFOUR cipher (based on a cipher posted on the Usenet in Spring-95).
+This cipher is widely believed and has been tested to be equivalent
+with the RC4 cipher from RSA Data Security, Inc. (RC4 is a trademark
+of RSA Data Security)
+
+*/
+#include "k5-int.h"
+#include "arcfour-int.h"
+#include "hash_provider/hash_provider.h"
+
+const char *const krb5int_arcfour_l40 = "fortybits";
+
+void
+krb5_arcfour_encrypt_length(const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ size_t inputlen, size_t *length)
+{
+ size_t blocksize, hashsize;
+
+ blocksize = enc->block_size;
+ hashsize = hash->hashsize;
+
+ /* checksum + (confounder + inputlen, in even blocksize) */
+ *length = hashsize + krb5_roundup(8 + inputlen, blocksize);
+}
+
+ krb5_keyusage
+ krb5int_arcfour_translate_usage(krb5_keyusage usage)
+{
+ switch (usage) {
+ case 1: /* AS-REQ PA-ENC-TIMESTAMP padata timestamp, */
+ return 1;
+ case 2: /* ticket from kdc */
+ return 2;
+ case 3: /* as-rep encrypted part */
+ return 8;
+ case 4: /* tgs-req authz data */
+ return 4;
+ case 5: /* tgs-req authz data in subkey */
+ return 5;
+ case 6: /* tgs-req authenticator cksum */
+ return 6;
+case 7: /* tgs-req authenticator */
+ return 7;
+ case 8:
+ return 8;
+ case 9: /* tgs-rep encrypted with subkey */
+ return 9;
+ case 10: /* ap-rep authentication cksum */
+ return 10; /* xxx Microsoft never uses this*/
+ case 11: /* app-req authenticator */
+ return 11;
+ case 12: /* app-rep encrypted part */
+ return 12;
+ case 23: /* sign wrap token*/
+ return 13;
+ default:
+ return usage;
+}
+}
+
+/* RFC 4757 */
+krb5_error_code
+krb5_arcfour_encrypt(const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key, krb5_keyusage usage,
+ const krb5_data *ivec, const krb5_data *input,
+ krb5_data *output)
+{
+ krb5_keyblock k1, k2, k3;
+ krb5_data d1, d2, d3, salt, plaintext, checksum, ciphertext, confounder;
+ krb5_keyusage ms_usage;
+ size_t keylength, keybytes, blocksize, hashsize;
+ krb5_error_code ret;
+
+ blocksize = enc->block_size;
+ keybytes = enc->keybytes;
+ keylength = enc->keylength;
+ hashsize = hash->hashsize;
+
+ d1.length=keybytes;
+ d1.data=malloc(d1.length);
+ if (d1.data == NULL)
+ return (ENOMEM);
+ k1 = *key;
+ k1.length=d1.length;
+ k1.contents= (void *) d1.data;
+
+ d2.length=keybytes;
+ d2.data=malloc(d2.length);
+ if (d2.data == NULL) {
+ free(d1.data);
+ return (ENOMEM);
+ }
+ k2 = *key;
+ k2.length=d2.length;
+ k2.contents=(void *) d2.data;
+
+ d3.length=keybytes;
+ d3.data=malloc(d3.length);
+ if (d3.data == NULL) {
+ free(d1.data);
+ free(d2.data);
+ return (ENOMEM);
+ }
+ k3 = *key;
+ k3.length=d3.length;
+ k3.contents= (void *) d3.data;
+
+ salt.length=14;
+ salt.data=malloc(salt.length);
+ if (salt.data == NULL) {
+ free(d1.data);
+ free(d2.data);
+ free(d3.data);
+ return (ENOMEM);
+ }
+
+ /* is "input" already blocksize aligned? if it is, then we need this
+ step, otherwise we do not */
+ plaintext.length=krb5_roundup(input->length+CONFOUNDERLENGTH,blocksize);
+ plaintext.data=malloc(plaintext.length);
+ if (plaintext.data == NULL) {
+ free(d1.data);
+ free(d2.data);
+ free(d3.data);
+ free(salt.data);
+ return(ENOMEM);
+ }
+
+ /* setup convienient pointers into the allocated data */
+ checksum.length=hashsize;
+ checksum.data=output->data;
+ ciphertext.length=krb5_roundup(input->length+CONFOUNDERLENGTH,blocksize);
+ ciphertext.data=output->data+hashsize;
+ confounder.length=CONFOUNDERLENGTH;
+ confounder.data=plaintext.data;
+ output->length = plaintext.length+hashsize;
+
+ /* begin the encryption, computer K1 */
+ ms_usage=krb5int_arcfour_translate_usage(usage);
+ if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+ strncpy(salt.data, krb5int_arcfour_l40, salt.length);
+ store_32_le(ms_usage, salt.data+10);
+ } else {
+ salt.length=4;
+ store_32_le(ms_usage, salt.data);
+ }
+ krb5_hmac(hash, key, 1, &salt, &d1);
+
+ memcpy(k2.contents, k1.contents, k2.length);
+
+ if (key->enctype==ENCTYPE_ARCFOUR_HMAC_EXP)
+ memset(k1.contents+7, 0xab, 9);
+
+ ret=krb5_c_random_make_octets(/* XXX */ 0, &confounder);
+ memcpy(plaintext.data+confounder.length, input->data, input->length);
+ if (ret)
+ goto cleanup;
+
+ krb5_hmac(hash, &k2, 1, &plaintext, &checksum);
+
+ krb5_hmac(hash, &k1, 1, &checksum, &d3);
+
+ ret=(*(enc->encrypt))(&k3, ivec, &plaintext, &ciphertext);
+
+ cleanup:
+ memset(d1.data, 0, d1.length);
+ memset(d2.data, 0, d2.length);
+ memset(d3.data, 0, d3.length);
+ memset(salt.data, 0, salt.length);
+ memset(plaintext.data, 0, plaintext.length);
+
+ free(d1.data);
+ free(d2.data);
+ free(d3.data);
+ free(salt.data);
+ free(plaintext.data);
+ return (ret);
+}
+
+/* This is the arcfour-hmac decryption routine */
+krb5_error_code
+krb5_arcfour_decrypt(const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key, krb5_keyusage usage,
+ const krb5_data *ivec, const krb5_data *input,
+ krb5_data *output)
+{
+ krb5_keyblock k1,k2,k3;
+ krb5_data d1,d2,d3,salt,ciphertext,plaintext,checksum;
+ krb5_keyusage ms_usage;
+ size_t keybytes, keylength, hashsize, blocksize;
+ krb5_error_code ret;
+
+ blocksize = enc->block_size;
+ keybytes = enc->keybytes;
+ keylength = enc->keylength;
+ hashsize = hash->hashsize;
+
+ d1.length=keybytes;
+ d1.data=malloc(d1.length);
+ if (d1.data == NULL)
+ return (ENOMEM);
+ k1 = *key;
+ k1.length=d1.length;
+ k1.contents= (void *) d1.data;
+
+ d2.length=keybytes;
+ d2.data=malloc(d2.length);
+ if (d2.data == NULL) {
+ free(d1.data);
+ return (ENOMEM);
+ }
+ k2 = *key;
+ k2.length=d2.length;
+ k2.contents= (void *) d2.data;
+
+ d3.length=keybytes;
+ d3.data=malloc(d3.length);
+ if (d3.data == NULL) {
+ free(d1.data);
+ free(d2.data);
+ return (ENOMEM);
+ }
+ k3 = *key;
+ k3.length=d3.length;
+ k3.contents= (void *) d3.data;
+
+ salt.length=14;
+ salt.data=malloc(salt.length);
+ if(salt.data==NULL) {
+ free(d1.data);
+ free(d2.data);
+ free(d3.data);
+ return (ENOMEM);
+ }
+
+ ciphertext.length=input->length-hashsize;
+ ciphertext.data=input->data+hashsize;
+ plaintext.length=ciphertext.length;
+ plaintext.data=malloc(plaintext.length);
+ if (plaintext.data == NULL) {
+ free(d1.data);
+ free(d2.data);
+ free(d3.data);
+ free(salt.data);
+ return (ENOMEM);
+ }
+
+ checksum.length=hashsize;
+ checksum.data=input->data;
+
+ ms_usage=krb5int_arcfour_translate_usage(usage);
+
+ /* We may have to try two ms_usage values; see below. */
+ do {
+ /* compute the salt */
+ if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+ strncpy(salt.data, krb5int_arcfour_l40, salt.length);
+ store_32_le(ms_usage, salt.data + 10);
+ } else {
+ salt.length = 4;
+ store_32_le(ms_usage, salt.data);
+ }
+ ret = krb5_hmac(hash, key, 1, &salt, &d1);
+ if (ret)
+ goto cleanup;
+
+ memcpy(k2.contents, k1.contents, k2.length);
+
+ if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
+ memset(k1.contents + 7, 0xab, 9);
+
+ ret = krb5_hmac(hash, &k1, 1, &checksum, &d3);
+ if (ret)
+ goto cleanup;
+
+ ret = (*(enc->decrypt))(&k3, ivec, &ciphertext, &plaintext);
+ if (ret)
+ goto cleanup;
+
+ ret = krb5_hmac(hash, &k2, 1, &plaintext, &d1);
+ if (ret)
+ goto cleanup;
+
+ if (memcmp(checksum.data, d1.data, hashsize) != 0) {
+ if (ms_usage == 9) {
+ /*
+ * RFC 4757 specifies usage 8 for TGS-REP encrypted
+ * parts encrypted in a subkey, but the value used by MS
+ * is actually 9. We now use 9 to start with, but fall
+ * back to 8 on failure in case we are communicating
+ * with a KDC using the value from the RFC.
+ */
+ ms_usage = 8;
+ continue;
+ }
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ goto cleanup;
+ }
+
+ break;
+ } while (1);
+
+ memcpy(output->data, plaintext.data+CONFOUNDERLENGTH,
+ (plaintext.length-CONFOUNDERLENGTH));
+ output->length=plaintext.length-CONFOUNDERLENGTH;
+
+ cleanup:
+ memset(d1.data, 0, d1.length);
+ memset(d2.data, 0, d2.length);
+ memset(d3.data, 0, d2.length);
+ memset(salt.data, 0, salt.length);
+ memset(plaintext.data, 0, plaintext.length);
+
+ free(d1.data);
+ free(d2.data);
+ free(d3.data);
+ free(salt.data);
+ free(plaintext.data);
+ return (ret);
+}
+
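Review bot: krb5_arcfour_decrypt computes `ciphertext.length=input->length-hashsize;` and later `plaintext.length-CONFOUNDERLENGTH` with no check that the input is at least `hashsize + CONFOUNDERLENGTH` bytes, so a short message wraps these size_t lengths before the HMAC comparison can reject it; add `if (input->length < hashsize + CONFOUNDERLENGTH) return KRB5_BAD_MSIZE;` before the allocations, and check that `output->length` can hold `plaintext.length - CONFOUNDERLENGTH` before the final memcpy. The cleanup block wipes d3 with the wrong length, `memset(d3.data, 0, d2.length);`, which should read `memset(d3.data, 0, d3.length);` (harmless today only because both are keybytes). The checksum check `memcmp(checksum.data, d1.data, hashsize)` is not constant-time; a fixed-time comparison over hashsize bytes removes a timing signal on the MAC. In krb5_arcfour_encrypt the three krb5_hmac return values are discarded, unlike the decrypt path which checks each, and the confounder memcpy runs before `ret` from krb5_c_random_make_octets is examined. The indentation of krb5int_arcfour_translate_usage (its signature lines and `case 7:`) is also off relative to the rest of the file.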
--- /dev/null
+#ifndef ARCFOUR_H
+#define ARCFOUR_H
+
+extern void
+krb5_arcfour_encrypt_length(const struct krb5_enc_provider *,
+ const struct krb5_hash_provider *,
+ size_t,
+ size_t *);
+
+extern
+krb5_error_code krb5_arcfour_encrypt(const struct krb5_enc_provider *,
+ const struct krb5_hash_provider *,
+ const krb5_keyblock *,
+ krb5_keyusage,
+ const krb5_data *,
+ const krb5_data *,
+ krb5_data *);
+
+extern
+krb5_error_code krb5_arcfour_decrypt(const struct krb5_enc_provider *,
+ const struct krb5_hash_provider *,
+ const krb5_keyblock *,
+ krb5_keyusage,
+ const krb5_data *,
+ const krb5_data *,
+ krb5_data *);
+
+extern krb5_error_code krb5int_arcfour_string_to_key(
+ const struct krb5_enc_provider *,
+ const krb5_data *,
+ const krb5_data *,
+ const krb5_data *,
+ krb5_keyblock *);
+
+extern const struct krb5_enc_provider krb5int_enc_arcfour;
+extern const struct krb5_aead_provider krb5int_aead_arcfour;
+ krb5_error_code krb5int_arcfour_prf(
+ const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ const krb5_data *in, krb5_data *out);
+
+#endif /* ARCFOUR_H */
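Review bot: The declaration of krb5int_arcfour_prf at the bottom of the header is indented one level, lacks the `extern` every other prototype carries, and is not separated from the `krb5int_aead_arcfour` object declaration by a blank line; write it as `extern krb5_error_code krb5int_arcfour_prf(` with the same layout as krb5int_arcfour_string_to_key. The header also uses `struct krb5_enc_provider`, `krb5_keyblock`, `krb5_data` and `size_t` without including anything, so it only compiles after k5-int.h has been included; a one-line comment stating that requirement (or the include itself) would make the dependency explicit.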
--- /dev/null
+/*
+ * lib/crypto/arcfour/arcfour_aead.c
+ *
+ * Copyright 2008 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+
+#include "k5-int.h"
+#include "arcfour.h"
+#include "arcfour-int.h"
+#include "aead.h"
+
+/* AEAD */
+
+static krb5_error_code
+krb5int_arcfour_crypto_length(const struct krb5_aead_provider *aead,
+ const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ krb5_cryptotype type,
+ unsigned int *length)
+{
+ switch (type) {
+ case KRB5_CRYPTO_TYPE_HEADER:
+ *length = hash->hashsize + CONFOUNDERLENGTH;
+ break;
+ case KRB5_CRYPTO_TYPE_PADDING:
+ *length = 0;
+ break;
+ case KRB5_CRYPTO_TYPE_TRAILER:
+ *length = 0;
+ break;
+ case KRB5_CRYPTO_TYPE_CHECKSUM:
+ *length = hash->hashsize;
+ break;
+ default:
+ assert(0 && "invalid cryptotype passed to krb5int_arcfour_crypto_length");
+ break;
+ }
+
+ return 0;
+}
+
+static krb5_error_code
+alloc_derived_key(const struct krb5_enc_provider *enc,
+ krb5_keyblock *dst,
+ krb5_data *data,
+ const krb5_keyblock *src)
+{
+ data->length = enc->keybytes;
+ data->data = malloc(data->length);
+ if (data->data == NULL)
+ return ENOMEM;
+
+ *dst = *src;
+ dst->length = data->length;
+ dst->contents = (void *)data->data;
+
+ return 0;
+}
+
+static krb5_error_code
+krb5int_arcfour_encrypt_iov(const struct krb5_aead_provider *aead,
+ const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ krb5_keyusage usage,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ krb5_error_code ret;
+ krb5_crypto_iov *header, *trailer;
+ krb5_keyblock k1, k2, k3;
+ krb5_data d1, d2, d3;
+ krb5_data checksum, confounder, header_data;
+ krb5_keyusage ms_usage;
+ char salt_data[14];
+ krb5_data salt;
+ size_t i;
+
+ d1.length = d2.length = d3.length = 0;
+ d1.data = d2.data = d3.data = NULL;
+
+ /*
+ * Caller must have provided space for the header, padding
+ * and trailer; per RFC 4757 we will arrange it as:
+ *
+ * Checksum | E(Confounder | Plaintext)
+ */
+
+ header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
+ if (header == NULL ||
+ header->data.length < hash->hashsize + CONFOUNDERLENGTH)
+ return KRB5_BAD_MSIZE;
+
+ header_data = header->data;
+
+ /* Trailer may be absent */
+ trailer = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
+ if (trailer != NULL)
+ trailer->data.length = 0;
+
+ /* Ensure that there is no padding */
+ for (i = 0; i < num_data; i++) {
+ if (data[i].flags == KRB5_CRYPTO_TYPE_PADDING)
+ data[i].data.length = 0;
+ }
+
+ ret = alloc_derived_key(enc, &k1, &d1, key);
+ if (ret != 0)
+ goto cleanup;
+
+ ret = alloc_derived_key(enc, &k2, &d2, key);
+ if (ret != 0)
+ goto cleanup;
+
+ ret = alloc_derived_key(enc, &k3, &d3, key);
+ if (ret != 0)
+ goto cleanup;
+
+ /* Begin the encryption, compute K1 */
+ salt.data = salt_data;
+ salt.length = sizeof(salt_data);
+
+ ms_usage = krb5int_arcfour_translate_usage(usage);
+
+ if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+ strncpy(salt.data, krb5int_arcfour_l40, salt.length);
+ store_32_le(ms_usage, salt.data + 10);
+ } else {
+ salt.length = 4;
+ store_32_le(ms_usage, salt.data);
+ }
+ ret = krb5_hmac(hash, key, 1, &salt, &d1);
+ if (ret != 0)
+ goto cleanup;
+
+ memcpy(k2.contents, k1.contents, k2.length);
+
+ if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
+ memset(k1.contents + 7, 0xAB, 9);
+
+ header->data.length = hash->hashsize + CONFOUNDERLENGTH;
+
+ confounder.data = header->data.data + hash->hashsize;
+ confounder.length = CONFOUNDERLENGTH;
+
+ ret = krb5_c_random_make_octets(0, &confounder);
+ if (ret != 0)
+ goto cleanup;
+
+ checksum.data = header->data.data;
+ checksum.length = hash->hashsize;
+
+ /* Adjust pointers so confounder is at start of header */
+ header->data.length -= hash->hashsize;
+ header->data.data += hash->hashsize;
+
+ ret = krb5int_hmac_iov(hash, &k2, data, num_data, &checksum);
+ if (ret != 0)
+ goto cleanup;
+
+ ret = krb5_hmac(hash, &k1, 1, &checksum, &d3);
+ if (ret != 0)
+ goto cleanup;
+
+ ret = enc->encrypt_iov(&k3, ivec, data, num_data);
+ if (ret != 0)
+ goto cleanup;
+
+cleanup:
+ header->data = header_data; /* restore header pointers */
+
+ if (d1.data != NULL) {
+ memset(d1.data, 0, d1.length);
+ free(d1.data);
+ }
+ if (d2.data != NULL) {
+ memset(d2.data, 0, d2.length);
+ free(d2.data);
+ }
+ if (d3.data != NULL) {
+ memset(d3.data, 0, d3.length);
+ free(d3.data);
+ }
+
+ return ret;
+}
+
+static krb5_error_code
+krb5int_arcfour_decrypt_iov(const struct krb5_aead_provider *aead,
+ const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ krb5_keyusage usage,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ krb5_error_code ret;
+ krb5_crypto_iov *header, *trailer;
+ krb5_keyblock k1, k2, k3;
+ krb5_data d1, d2, d3;
+ krb5_data checksum, header_data;
+ krb5_keyusage ms_usage;
+ char salt_data[14];
+ krb5_data salt;
+
+ d1.length = d2.length = d3.length = 0;
+ d1.data = d2.data = d3.data = NULL;
+
+ header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
+ if (header == NULL ||
+ header->data.length != hash->hashsize + CONFOUNDERLENGTH)
+ return KRB5_BAD_MSIZE;
+
+ header_data = header->data;
+
+ trailer = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
+ if (trailer != NULL && trailer->data.length != 0)
+ return KRB5_BAD_MSIZE;
+
+ ret = alloc_derived_key(enc, &k1, &d1, key);
+ if (ret != 0)
+ goto cleanup;
+
+ ret = alloc_derived_key(enc, &k2, &d2, key);
+ if (ret != 0)
+ goto cleanup;
+
+ ret = alloc_derived_key(enc, &k3, &d3, key);
+ if (ret != 0)
+ goto cleanup;
+
+ /* Begin the decryption, compute K1 */
+ salt.data = salt_data;
+ salt.length = sizeof(salt_data);
+
+ ms_usage = krb5int_arcfour_translate_usage(usage);
+
+ if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+ strncpy(salt.data, krb5int_arcfour_l40, salt.length);
+ store_32_le(ms_usage, (unsigned char *)salt.data + 10);
+ } else {
+ salt.length = 4;
+ store_32_le(ms_usage, (unsigned char *)salt.data);
+ }
+ ret = krb5_hmac(hash, key, 1, &salt, &d1);
+ if (ret != 0)
+ goto cleanup;
+
+ memcpy(k2.contents, k1.contents, k2.length);
+
+ if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
+ memset(k1.contents + 7, 0xAB, 9);
+
+ checksum.data = header->data.data;
+ checksum.length = hash->hashsize;
+
+ /* Adjust pointers so confounder is at start of header */
+ header->data.length -= hash->hashsize;
+ header->data.data += hash->hashsize;
+
+ ret = krb5_hmac(hash, &k1, 1, &checksum, &d3);
+ if (ret != 0)
+ goto cleanup;
+
+ ret = enc->decrypt_iov(&k3, ivec, data, num_data);
+ if (ret != 0)
+ goto cleanup;
+
+ ret = krb5int_hmac_iov(hash, &k2, data, num_data, &d1);
+ if (ret != 0)
+ goto cleanup;
+
+ if (memcmp(checksum.data, d1.data, hash->hashsize) != 0) {
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ goto cleanup;
+ }
+
+cleanup:
+ header->data = header_data; /* restore header pointers */
+
+ if (d1.data != NULL) {
+ memset(d1.data, 0, d1.length);
+ free(d1.data);
+ }
+ if (d2.data != NULL) {
+ memset(d2.data, 0, d2.length);
+ free(d2.data);
+ }
+ if (d3.data != NULL) {
+ memset(d3.data, 0, d3.length);
+ free(d3.data);
+ }
+
+ return ret;
+}
+
+const struct krb5_aead_provider krb5int_aead_arcfour = {
+ krb5int_arcfour_crypto_length,
+ krb5int_arcfour_encrypt_iov,
+ krb5int_arcfour_decrypt_iov
+};
+
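Review bot: In krb5int_arcfour_crypto_length the default case only asserts, so in a build with NDEBUG an unknown cryptotype returns 0 with `*length` never written and the caller sizes a buffer from an uninitialized value; replace the `break` there with `*length = 0;` and `return KRB5_CRYPTO_INTERNAL;` (or whichever error the provider contract expects). Separately, krb5int_arcfour_decrypt_iov has no equivalent of the usage 9 → 8 retry that krb5_arcfour_decrypt performs after an integrity failure, so an IOV decrypt of a TGS-REP part from a KDC using the RFC 4757 value appears to fail with KRB5KRB_AP_ERR_BAD_INTEGRITY where the non-IOV path would succeed. Because decrypt_iov transforms the buffers in place, a retry would require the ciphertext to be saved before enc->decrypt_iov; if the fallback is deliberately omitted, say so in a comment on the function. The final checksum comparison uses memcmp, which stops at the first differing byte; a fixed-time comparison is preferable for a MAC check.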
--- /dev/null
+#include "k5-int.h"
+#include "k5-utf8.h"
+#include "rsa-md4.h"
+#include "arcfour-int.h"
+
+#if TARGET_OS_MAC && !defined(DEPEND)
+#include <CoreFoundation/CFString.h>
+#endif
+
+krb5_error_code
+krb5int_arcfour_string_to_key(const struct krb5_enc_provider *enc,
+ const krb5_data *string, const krb5_data *salt,
+ const krb5_data *params, krb5_keyblock *key)
+{
+ krb5_error_code err = 0;
+ krb5_MD4_CTX md4_context;
+ unsigned char *copystr;
+ size_t copystrlen;
+
+ if (params != NULL)
+ return KRB5_ERR_BAD_S2K_PARAMS;
+
+ if (key->length != 16)
+ return (KRB5_BAD_MSIZE);
+
+ /* We ignore salt per the Microsoft spec*/
+
+ /* compute the space needed for the new string.
+ Since the password must be stored in unicode, we need to increase
+ that number by 2x.
+ */
+
+ err = krb5int_utf8cs_to_ucs2les(string->data, string->length, ©str, ©strlen);
+ if (err)
+ return err;
+
+ /* the actual MD4 hash of the data */
+ krb5_MD4Init(&md4_context);
+ krb5_MD4Update(&md4_context, copystr, copystrlen);
+ krb5_MD4Final(&md4_context);
+ memcpy(key->contents, md4_context.digest, 16);
+
+#if 0
+ /* test the string_to_key function */
+ printf("Hash=");
+ {
+ int counter;
+ for(counter=0;counter<16;counter++)
+ printf("%02x", md4_context.digest[counter]);
+ printf("\n");
+ }
+#endif /* 0 */
+
+ /* Zero out the data behind us */
+ memset(copystr, 0, copystrlen);
+ memset(&md4_context, 0, sizeof(md4_context));
+ free(copystr);
+ return err;
+}
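Review bot: The `#if 0` block in krb5int_arcfour_string_to_key would print the derived key bytes to stdout if ever re-enabled; dead debug code that emits key material should be removed rather than parked behind `#if 0`. The `memset` calls on copystr and md4_context are immediately followed by `free` and return, a pattern compilers may treat as dead stores and elide; if the tree has a zeroing helper that is guaranteed not to be optimized away, use it here. The conversion call shows `©str` in this view, which looks like a rendering of `&copystr` rather than what the file contains.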
--- /dev/null
+/* lib/crypto/openss/des/afsstring2key.c
+ *
+ * Copyright 2009 by the Massachusetts Institute
+ * of Technology.
+ * All Rights Reserved.
+ *
+ */
+
+#include "k5-int.h"
+#include "des_int.h"
+#include <ctype.h>
+
+krb5_error_code
+mit_afs_string_to_key (krb5_keyblock *keyblock, const krb5_data *data,
+ const krb5_data *salt)
+{
+ return KRB5_CRYPTO_INTERNAL;
+}
+char *
+mit_afs_crypt(const char *pw, const char *salt,
+ char *iobuf)
+{
+ /* Unsupported operation */
+ return NULL;
+}
+
+
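Review bot: mit_afs_crypt returns NULL to signal an unsupported operation, which callers written against the builtin implementation presumably never receive; any call site that uses the result without a NULL check becomes a crash, so either confirm every caller checks or keep the function out of this backend. `#include <ctype.h>` is unused in this stub, and the path in the header comment reads `openss/des` where the sibling files say `openssl/des`.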
--- /dev/null
+/* lib/crypto/openssl/des/d3_aead.c
+ *
+ * Copyright 2009 by the Massachusetts Institute
+ * of Technology.
+ * All Rights Reserved.
+ *
+ */
+#include "des_int.h"
+#include "aead.h"
+
+void
+krb5int_des3_cbc_encrypt_iov(krb5_crypto_iov *data,
+ unsigned long num_data,
+ const mit_des_key_schedule ks1,
+ const mit_des_key_schedule ks2,
+ const mit_des_key_schedule ks3,
+ mit_des_cblock ivec)
+{
+ /* Unsupported operation */
+ abort();
+}
+
+void
+krb5int_des3_cbc_decrypt_iov(krb5_crypto_iov *data,
+ unsigned long num_data,
+ const mit_des_key_schedule ks1,
+ const mit_des_key_schedule ks2,
+ const mit_des_key_schedule ks3,
+ mit_des_cblock ivec)
+{
+ /* Unsupported operation */
+ abort();
+}
+
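Review bot: krb5int_des3_cbc_encrypt_iov and krb5int_des3_cbc_decrypt_iov call abort() when reached, so a message that negotiates a DES3 enctype against a library built with this backend terminates the whole process instead of returning an error; the same pattern appears in d3_cbc.c, f_aead.c and f_cbc.c. The void signatures leave no way to report failure, so until the OpenSSL-backed implementation exists it is safer to keep these enctypes unreachable from the provider tables than to leave an abort reachable from network input. At minimum the comment should read `/* Not implemented for the OpenSSL backend; reaching this aborts the process. */` so nobody mistakes it for a graceful unsupported-operation path.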
--- /dev/null
+/* lib/crypto/openssl/des/d3_cbc.c
+ *
+ * Copyright 2009 by the Massachusetts Institute
+ * of Technology.
+ * All Rights Reserved.
+ *
+ */
+#include "des_int.h"
+
+/*
+ * Triple-DES CBC encryption mode.
+ */
+
+#undef mit_des3_cbc_encrypt
+int
+mit_des3_cbc_encrypt(const mit_des_cblock *in, mit_des_cblock *out,
+ unsigned long length, const mit_des_key_schedule ks1,
+ const mit_des_key_schedule ks2,
+ const mit_des_key_schedule ks3,
+ const mit_des_cblock ivec, int enc)
+{
+ /* Unsupported operation */
+ return KRB5_CRYPTO_INTERNAL;
+}
+
+void
+krb5int_des3_cbc_encrypt(const mit_des_cblock *input,
+ mit_des_cblock *output,
+ unsigned long length,
+ const mit_des_key_schedule key,
+ const mit_des_key_schedule ks2,
+ const mit_des_key_schedule ks3,
+ const mit_des_cblock ivec)
+{
+ /* Unsupported operation */
+ abort();
+}
+
+void
+krb5int_des3_cbc_decrypt(const mit_des_cblock *in,
+ mit_des_cblock *out,
+ unsigned long length,
+ const mit_des_key_schedule ks1,
+ const mit_des_key_schedule ks2,
+ const mit_des_key_schedule ks3,
+ const mit_des_cblock ivec)
+{
+ /* Unsupported operation */
+ abort();
+}
+
--- /dev/null
+/* lib/crypto/openssl/des/d3_kysched.c
+ *
+ * Copyright 2009 by the Massachusetts Institute
+ * of Technology.
+ * All Rights Reserved.
+ *
+ */
+
+#include "des_int.h"
+
+int
+mit_des3_key_sched(mit_des3_cblock k, mit_des3_key_schedule schedule)
+{
+ /* Unsupported operation */
+ return KRB5_CRYPTO_INTERNAL;
+}
+
+
--- /dev/null
+/*
+ * lib/crypto/des/des_int.h
+ *
+ * Copyright 1987, 1988, 1990, 2002 by the Massachusetts Institute of
+ * Technology. All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * Private include file for the Data Encryption Standard library.
+ */
+
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+/* only do the whole thing once */
+#ifndef DES_INTERNAL_DEFS
+#define DES_INTERNAL_DEFS
+
+#include "k5-int.h"
+/*
+ * Begin "mit-des.h"
+ */
+#ifndef KRB5_MIT_DES__
+#define KRB5_MIT_DES__
+
+#if defined(__MACH__) && defined(__APPLE__)
+#include <TargetConditionals.h>
+#include <AvailabilityMacros.h>
+#if TARGET_RT_MAC_CFM
+#error "Use KfM 4.0 SDK headers for CFM compilation."
+#endif
+#if defined(DEPRECATED_IN_MAC_OS_X_VERSION_10_5) && !defined(KRB5_SUPRESS_DEPRECATED_WARNINGS)
+#define KRB5INT_DES_DEPRECATED DEPRECATED_IN_MAC_OS_X_VERSION_10_5
+#endif
+#endif /* defined(__MACH__) && defined(__APPLE__) */
+
+/* Macro to add deprecated attribute to DES types and functions */
+/* Currently only defined on Mac OS X 10.5 and later. */
+#ifndef KRB5INT_DES_DEPRECATED
+#define KRB5INT_DES_DEPRECATED
+#endif
+
+#include <limits.h>
+
+#if UINT_MAX >= 0xFFFFFFFFUL
+#define DES_INT32 int
+#define DES_UINT32 unsigned int
+#else
+#define DES_INT32 long
+#define DES_UINT32 unsigned long
+#endif
+
+typedef unsigned char des_cblock[8] /* crypto-block size */
+KRB5INT_DES_DEPRECATED;
+
+/*
+ * Key schedule.
+ *
+ * This used to be
+ *
+ * typedef struct des_ks_struct {
+ * union { DES_INT32 pad; des_cblock _;} __;
+ * } des_key_schedule[16];
+ *
+ * but it would cause trouble if DES_INT32 were ever more than 4
+ * bytes. The reason is that all the encryption functions cast it to
+ * (DES_INT32 *), and treat it as if it were DES_INT32[32]. If
+ * 2*sizeof(DES_INT32) is ever more than sizeof(des_cblock), the
+ * caller-allocated des_key_schedule will be overflowed by the key
+ * scheduling functions. We can't assume that every platform will
+ * have an exact 32-bit int, and nothing should be looking inside a
+ * des_key_schedule anyway.
+ */
+typedef struct des_ks_struct { DES_INT32 _[2]; } des_key_schedule[16]
+KRB5INT_DES_DEPRECATED;
+
+typedef des_cblock mit_des_cblock;
+typedef des_key_schedule mit_des_key_schedule;
+
+/* Triple-DES structures */
+typedef mit_des_cblock mit_des3_cblock[3];
+typedef mit_des_key_schedule mit_des3_key_schedule[3];
+
+#define MIT_DES_ENCRYPT 1
+#define MIT_DES_DECRYPT 0
+
+typedef struct mit_des_ran_key_seed {
+ krb5_encrypt_block eblock;
+ krb5_data sequence;
+} mit_des_random_state;
+
+/* the first byte of the key is already in the keyblock */
+
+#define MIT_DES_BLOCK_LENGTH (8*sizeof(krb5_octet))
+#define MIT_DES_CBC_CRC_PAD_MINIMUM CRC32_CKSUM_LENGTH
+/* This used to be 8*sizeof(krb5_octet) */
+#define MIT_DES_KEYSIZE 8
+
+#define MIT_DES_CBC_CKSUM_LENGTH (4*sizeof(krb5_octet))
+
+/*
+ * Check if k5-int.h has been included before us. If so, then check to see
+ * that our view of the DES key size is the same as k5-int.h's.
+ */
+#ifdef KRB5_MIT_DES_KEYSIZE
+#if MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE
+error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE)
+#endif /* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */
+#endif /* KRB5_MIT_DES_KEYSIZE */
+#endif /* KRB5_MIT_DES__ */
+/*
+ * End "mit-des.h"
+ */
+
+/* afsstring2key.c */
+extern krb5_error_code mit_afs_string_to_key
+ (krb5_keyblock *keyblock,
+ const krb5_data *data,
+ const krb5_data *salt);
+extern char *mit_afs_crypt
+ (const char *pw, const char *salt, char *iobuf);
+
+/* f_cksum.c */
+extern unsigned long mit_des_cbc_cksum
+ (const krb5_octet *, krb5_octet *, unsigned long ,
+ const mit_des_key_schedule, const krb5_octet *);
+
+/* f_ecb.c */
+extern int mit_des_ecb_encrypt
+ (const mit_des_cblock *, mit_des_cblock *, mit_des_key_schedule , int );
+
+/* f_cbc.c */
+extern int mit_des_cbc_encrypt (const mit_des_cblock *in,
+ mit_des_cblock *out,
+ unsigned long length,
+ const mit_des_key_schedule schedule,
+ const mit_des_cblock ivec, int enc);
+
+#define mit_des_zeroblock krb5int_c_mit_des_zeroblock
+extern const mit_des_cblock mit_des_zeroblock;
+
+/* fin_rndkey.c */
+extern krb5_error_code mit_des_finish_random_key
+ ( const krb5_encrypt_block *,
+ krb5_pointer *);
+
+/* finish_key.c */
+extern krb5_error_code mit_des_finish_key
+ ( krb5_encrypt_block *);
+
+/* init_rkey.c */
+extern krb5_error_code mit_des_init_random_key
+ ( const krb5_encrypt_block *,
+ const krb5_keyblock *,
+ krb5_pointer *);
+
+/* key_parity.c */
+extern void mit_des_fixup_key_parity (mit_des_cblock );
+extern int mit_des_check_key_parity (mit_des_cblock );
+
+/* key_sched.c */
+extern int mit_des_key_sched
+ (mit_des_cblock , mit_des_key_schedule );
+
+/* process_ky.c */
+extern krb5_error_code mit_des_process_key
+ ( krb5_encrypt_block *, const krb5_keyblock *);
+
+/* random_key.c */
+extern krb5_error_code mit_des_random_key
+ ( const krb5_encrypt_block *, krb5_pointer ,
+ krb5_keyblock **);
+
+/* string2key.c */
+extern krb5_error_code mit_des_string_to_key
+ ( const krb5_encrypt_block *,
+ krb5_keyblock *, const krb5_data *, const krb5_data *);
+extern krb5_error_code mit_des_string_to_key_int
+ (krb5_keyblock *, const krb5_data *, const krb5_data *);
+
+/* weak_key.c */
+extern int mit_des_is_weak_key (mit_des_cblock );
+
+/* cmb_keys.c */
+krb5_error_code mit_des_combine_subkeys
+ (const krb5_keyblock *, const krb5_keyblock *,
+ krb5_keyblock **);
+
+/* f_pcbc.c */
+int mit_des_pcbc_encrypt ();
+
+/* f_sched.c */
+int mit_des_make_key_sched(mit_des_cblock, mit_des_key_schedule);
+
+
+/* misc.c */
+extern void swap_bits (char *);
+extern unsigned long long_swap_bits (unsigned long );
+extern unsigned long swap_six_bits_to_ansi (unsigned long );
+extern unsigned long swap_four_bits_to_ansi (unsigned long );
+extern unsigned long swap_bit_pos_1 (unsigned long );
+extern unsigned long swap_bit_pos_0 (unsigned long );
+extern unsigned long swap_bit_pos_0_to_ansi (unsigned long );
+extern unsigned long rev_swap_bit_pos_0 (unsigned long );
+extern unsigned long swap_byte_bits (unsigned long );
+extern unsigned long swap_long_bytes_bit_number (unsigned long );
+#ifdef FILE
+/* XXX depends on FILE being a #define! */
+extern void test_set (FILE *, const char *, int, const char *, int);
+#endif
+
+/* d3_ecb.c */
+extern int mit_des3_ecb_encrypt
+ (const mit_des_cblock *in,
+ mit_des_cblock *out,
+ mit_des_key_schedule sched1,
+ mit_des_key_schedule sched2,
+ mit_des_key_schedule sched3,
+ int enc);
+
+/* d3_cbc.c */
+extern int mit_des3_cbc_encrypt
+ (const mit_des_cblock *in,
+ mit_des_cblock *out,
+ unsigned long length,
+ const mit_des_key_schedule ks1,
+ const mit_des_key_schedule ks2,
+ const mit_des_key_schedule ks3,
+ const mit_des_cblock ivec,
+ int enc);
+
+void
+krb5int_des3_cbc_encrypt(const mit_des_cblock *in,
+ mit_des_cblock *out,
+ unsigned long length,
+ const mit_des_key_schedule ks1,
+ const mit_des_key_schedule ks2,
+ const mit_des_key_schedule ks3,
+ const mit_des_cblock ivec);
+void
+krb5int_des3_cbc_decrypt(const mit_des_cblock *in,
+ mit_des_cblock *out,
+ unsigned long length,
+ const mit_des_key_schedule ks1,
+ const mit_des_key_schedule ks2,
+ const mit_des_key_schedule ks3,
+ const mit_des_cblock ivec);
+
+void
+krb5int_des3_cbc_encrypt_iov(krb5_crypto_iov *data,
+ unsigned long num_data,
+ const mit_des_key_schedule ks1,
+ const mit_des_key_schedule ks2,
+ const mit_des_key_schedule ks3,
+ mit_des_cblock ivec);
+
+void
+krb5int_des3_cbc_decrypt_iov(krb5_crypto_iov *data,
+ unsigned long num_data,
+ const mit_des_key_schedule ks1,
+ const mit_des_key_schedule ks2,
+ const mit_des_key_schedule ks3,
+ mit_des_cblock ivec);
+
+#define mit_des3_cbc_encrypt(in,out,length,ks1,ks2,ks3,ivec,enc) \
+ ((enc ? krb5int_des3_cbc_encrypt : krb5int_des3_cbc_decrypt) \
+ (in, out, length, ks1, ks2, ks3, ivec), 0)
+
+void
+krb5int_des_cbc_encrypt(const mit_des_cblock *in,
+ mit_des_cblock *out,
+ unsigned long length,
+ const mit_des_key_schedule schedule,
+ const mit_des_cblock ivec);
+void
+krb5int_des_cbc_decrypt(const mit_des_cblock *in,
+ mit_des_cblock *out,
+ unsigned long length,
+ const mit_des_key_schedule schedule,
+ const mit_des_cblock ivec);
+
+#define mit_des_cbc_encrypt(in,out,length,schedule,ivec,enc) \
+ ((enc ? krb5int_des_cbc_encrypt : krb5int_des_cbc_decrypt) \
+ (in, out, length, schedule, ivec), 0)
+
+void
+krb5int_des_cbc_encrypt_iov(krb5_crypto_iov *data,
+ unsigned long num_data,
+ const mit_des_key_schedule schedule,
+ mit_des_cblock ivec);
+
+void
+krb5int_des_cbc_decrypt_iov(krb5_crypto_iov *data,
+ unsigned long num_data,
+ const mit_des_key_schedule schedule,
+ mit_des_cblock ivec);
+
+/* d3_procky.c */
+extern krb5_error_code mit_des3_process_key
+ (krb5_encrypt_block * eblock,
+ const krb5_keyblock * keyblock);
+
+/* d3_kysched.c */
+extern int mit_des3_key_sched
+ (mit_des3_cblock key,
+ mit_des3_key_schedule schedule);
+
+/* d3_str2ky.c */
+extern krb5_error_code mit_des3_string_to_key
+ (const krb5_encrypt_block * eblock,
+ krb5_keyblock * keyblock,
+ const krb5_data * data,
+ const krb5_data * salt);
+
+/* u_nfold.c */
+extern krb5_error_code mit_des_n_fold
+ (const krb5_octet * input,
+ const size_t in_len,
+ krb5_octet * output,
+ const size_t out_len);
+
+/* u_rn_key.c */
+extern int mit_des_is_weak_keyblock
+ (krb5_keyblock *keyblock);
+
+extern void mit_des_fixup_keyblock_parity
+ (krb5_keyblock *keyblock);
+
+extern krb5_error_code mit_des_set_random_generator_seed
+ (const krb5_data * seed,
+ krb5_pointer random_state);
+
+extern krb5_error_code mit_des_set_random_sequence_number
+ (const krb5_data * sequence,
+ krb5_pointer random_state);
+#endif /*DES_INTERNAL_DEFS*/
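Review bot: The `mit_des3_cbc_encrypt` and `mit_des_cbc_encrypt` macros expand to `(..., 0)`, so every caller sees success regardless of what krb5int_des3_cbc_encrypt or krb5int_des_cbc_encrypt does; with this backend those functions abort, and the unconditional 0 hides that no status can ever come back. d3_cbc.c and f_cbc.c `#undef` the macro to define a same-named function that returns KRB5_CRYPTO_INTERNAL, but a caller that sees the macro never reaches that function, which deserves a comment on the macro. `int mit_des_pcbc_encrypt ();` is an unprototyped declaration; give it a parameter list or drop it. The header comment names `lib/crypto/des/des_int.h` while the other files in this commit place the copy under the openssl directory.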
--- /dev/null
+/* lib/crypto/openssl/des/f_aead.c
+ *
+ * Copyright 2009 by the Massachusetts Institute
+ * of Technology.
+ * All Rights Reserved.
+ *
+ */
+
+#include "des_int.h"
+#include "aead.h"
+
+
+void
+krb5int_des_cbc_encrypt_iov(krb5_crypto_iov *data,
+ unsigned long num_data,
+ const mit_des_key_schedule schedule,
+ mit_des_cblock ivec)
+{
+ /* Unsupported operation */
+ abort();
+}
+
+void
+krb5int_des_cbc_decrypt_iov(krb5_crypto_iov *data,
+ unsigned long num_data,
+ const mit_des_key_schedule schedule,
+ mit_des_cblock iv)
+{
+ /* Unsupported operation */
+ abort();
+}
+
+
--- /dev/null
+/*
+ * lib/crypto/openssldes/f_cbc.c
+ *
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * DES implementation donated by Dennis Ferguson
+ */
+
+/*
+ * des_cbc_encrypt.c - an implementation of the DES cipher function in cbc mode
+ */
+#include "des_int.h"
+
+/*
+ * des_cbc_encrypt - {en,de}crypt a stream in CBC mode
+ */
+
+/*
+ * This routine performs DES cipher-block-chaining operation, either
+ * encrypting from cleartext to ciphertext, if encrypt != 0 or
+ * decrypting from ciphertext to cleartext, if encrypt == 0.
+ *
+ * The key schedule is passed as an arg, as well as the cleartext or
+ * ciphertext. The cleartext and ciphertext should be in host order.
+ *
+ * NOTE-- the output is ALWAYS an multiple of 8 bytes long. If not
+ * enough space was provided, your program will get trashed.
+ *
+ * For encryption, the cleartext string is null padded, at the end, to
+ * an integral multiple of eight bytes.
+ *
+ * For decryption, the ciphertext will be used in integral multiples
+ * of 8 bytes, but only the first "length" bytes returned into the
+ * cleartext.
+ */
+
+const mit_des_cblock mit_des_zeroblock /* = all zero */;
+
+#undef mit_des_cbc_encrypt
+int
+mit_des_cbc_encrypt(const mit_des_cblock *in, mit_des_cblock *out,
+ unsigned long length, const mit_des_key_schedule schedule,
+ const mit_des_cblock ivec, int enc)
+{
+ /* Unsupported operation */
+ return KRB5_CRYPTO_INTERNAL;
+}
+void
+krb5int_des_cbc_encrypt(const mit_des_cblock *in,
+ mit_des_cblock *out,
+ unsigned long length,
+ const mit_des_key_schedule schedule,
+ const mit_des_cblock ivec)
+{
+ /* Unsupported operation */
+ abort();
+}
+
+void
+krb5int_des_cbc_decrypt(const mit_des_cblock *in,
+ mit_des_cblock *out,
+ unsigned long length,
+ const mit_des_key_schedule schedule,
+ const mit_des_cblock ivec)
+{
+ /* Unsupported operation */
+ abort();
+}
+
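Review bot: The comment block above mit_des_cbc_encrypt describes null padding, output in multiples of 8 bytes and length handling that this stub does not perform; it was carried over from the real implementation and now documents behavior that is absent. Replace it with a short note such as `/* Stub: DES-CBC is not implemented for the OpenSSL backend; returns KRB5_CRYPTO_INTERNAL. */` so a reader does not rely on the contract it describes. The `#undef mit_des_cbc_encrypt` line would also benefit from a comment saying that the macro in des_int.h shadows this function for callers.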
--- /dev/null
+/*
+ * lib/crypto/openssl/des/f_cksum.c
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ */
+
+#include "des_int.h"
+
+unsigned long
+mit_des_cbc_cksum(const krb5_octet *in, krb5_octet *out,
+ unsigned long length, const mit_des_key_schedule schedule,
+ const krb5_octet *ivec)
+{
+ /* Unsupported operation */
+ return KRB5_CRYPTO_INTERNAL;
+}
+
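Review bot: mit_des_cbc_cksum returns `unsigned long` and that value is the checksum itself, so returning KRB5_CRYPTO_INTERNAL hands callers a fixed "checksum" (the error code converted to unsigned) with no way to distinguish it from a real result; a caller comparing it against a received value just sees a mismatch with no indication that the operation is unsupported. A stub with this signature cannot fail through its return value, so the call sites need a status path before this backend can be enabled, and `out` should at least be left in a defined state here.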
--- /dev/null
+/*
+ * lib/crypto/openssl/des/f_parity.c
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ */
+
+#include "des_int.h"
+#include <openssl/des.h>
+
+void
+mit_des_fixup_key_parity(mit_des_cblock key)
+{
+ DES_set_odd_parity(key);
+}
+
+/*
+ * des_check_key_parity: returns true iff key has the correct des parity.
+ * See des_fix_key_parity for the definition of
+ * correct des parity.
+ */
+int
+mit_des_check_key_parity(mit_des_cblock key)
+{
+ if (!DES_check_key_parity(key))
+ return(0);
+ return (1);
+}
+
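Review bot: `DES_set_odd_parity` takes a `DES_cblock *` and `DES_check_key_parity` a `const_DES_cblock *`, while `key` here is a `mit_des_cblock` parameter that decays to `unsigned char *`; passing it directly is an incompatible-pointer-type conversion that most compilers only warn about. Cast explicitly, `DES_set_odd_parity((DES_cblock *)key);` and `DES_check_key_parity((const_DES_cblock *)key)`, so the intent is visible and the warning does not bury real ones. The comment on mit_des_check_key_parity refers to `des_fix_key_parity`, which does not exist in this file; point it at mit_des_fixup_key_parity.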
--- /dev/null
+/*
+ * lib/crypto/openssl/des/f_sched.c
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ */
+
+#include "des_int.h"
+
+int
+mit_des_make_key_sched(mit_des_cblock key, mit_des_key_schedule schedule)
+{
+ return KRB5_CRYPTO_INTERNAL; // CRYPTO_UNSOPPERTED_OP
+}
+
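Review bot: `// CRYPTO_UNSOPPERTED_OP` is a C99/C++ line comment in a tree whose other stubs use `/* Unsupported operation */`, and it is misspelled; use the same block comment as the sibling stubs. mit_des_make_key_sched returns `int` like key_sched.c and d3_kysched.c, so callers must treat any nonzero value as failure; it is worth confirming they do, because a key schedule that was never built would otherwise be used uninitialized.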
--- /dev/null
+/*
+ * lib/crypto/openssl/des/f_tables.c
+ *
+ * Copyright 2009 by the Massachusetts Institute
+ * of Technology.
+ * All Rights Reserved.
+ *
+ */
+
+#include "des_int.h"
+#include "f_tables.h"
+
+const unsigned DES_INT32 des_IP_table[] = {};
+const unsigned DES_INT32 des_FP_table[] = {};
+const unsigned DES_INT32 des_SP_table[] = {};
+
+
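Review bot: `const unsigned DES_INT32 des_IP_table[] = {};` and the two definitions after it use an empty initializer list, which is a GNU extension rather than standard C, and they produce zero-length arrays; any code that indexes des_IP_table, des_FP_table or des_SP_table reads past the object. If these tables only serve the builtin DES code, leave them and f_tables.h out of the OpenSSL backend rather than define empty placeholders; otherwise give them their real contents.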
--- /dev/null
+/*
+ * lib/crypto/des/f_tables.h
+ *
+ * Copyright 2009 by the Massachusetts Institute
+ * of Technology.
+ * All Rights Reserved.
+ *
+ */
+
--- /dev/null
+/*
+ * lib/crypto/openssl/des/key_sched.c
+ *
+ * Copyright 2009 by the Massachusetts Institute
+ * of Technology.
+ * All Rights Reserved.
+ *
+ */
+
+#include "des_int.h"
+
+int
+mit_des_key_sched(mit_des_cblock k, mit_des_key_schedule schedule)
+{
+ /* Unsupported operation */
+ return KRB5_CRYPTO_INTERNAL;
+}
+
--- /dev/null
+/*
+ * lib/crypto/openssl/des/string2key.c
+ *
+ * Copyright 2009 by the Massachusetts Institute
+ * of Technology.
+ * All Rights Reserved.
+ *
+ */
+
+#include "des_int.h"
+#include <openssl/des.h>
+
+
+krb5_error_code
+mit_des_string_to_key_int (krb5_keyblock *key,
+ const krb5_data *pw, const krb5_data *salt)
+{
+ DES_cblock outkey;
+ DES_string_to_key(pw->data, &outkey);
+ if ( key->length < sizeof(outkey))
+ return KRB5_CRYPTO_INTERNAL;
+ key->length = sizeof(outkey);
+ memcpy(key->contents, outkey, key->length);
+ return 0;
+}
+
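Review bot: `DES_string_to_key(pw->data, &outkey)` treats `pw->data` as a NUL-terminated C string (OpenSSL measures it with strlen), but krb5_data carries an explicit length and is not guaranteed to be NUL-terminated, so a password buffer without a terminator is over-read and one containing a NUL byte is truncated. The `salt` parameter is ignored entirely; if the builtin mit_des_string_to_key_int folds the salt into the input as the Kerberos derivation requires, keys produced by this backend will not match and principals keyed by one provider will not authenticate against the other, so the function should build a length-checked, NUL-terminated password-plus-salt temporary before calling into OpenSSL. `outkey` is left on the stack holding the derived key after the memcpy, and also on the KRB5_CRYPTO_INTERNAL path, which is taken after the key has already been computed; zero it before both returns.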
--- /dev/null
+/*
+ * lib/crypto/openssl/des/weak_key.c
+ *
+ * Copyright 1989,1990,2009 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * Under U.S. law, this software may not be exported outside the US
+ * without license from the U.S. Commerce department.
+ *
+ * These routines form the library interface to the DES facilities.
+ *
+ * Originally written 8/85 by Steve Miller, MIT Project Athena.
+ */
+
+#include "des_int.h"
+
+/*
+ * The following are the weak DES keys:
+ */
+static const mit_des_cblock weak[16] = {
+ /* weak keys */
+ {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01},
+ {0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,0xfe},
+ {0x1f,0x1f,0x1f,0x1f,0x0e,0x0e,0x0e,0x0e},
+ {0xe0,0xe0,0xe0,0xe0,0xf1,0xf1,0xf1,0xf1},
+
+ /* semi-weak */
+ {0x01,0xfe,0x01,0xfe,0x01,0xfe,0x01,0xfe},
+ {0xfe,0x01,0xfe,0x01,0xfe,0x01,0xfe,0x01},
+
+ {0x1f,0xe0,0x1f,0xe0,0x0e,0xf1,0x0e,0xf1},
+ {0xe0,0x1f,0xe0,0x1f,0xf1,0x0e,0xf1,0x0e},
+
+ {0x01,0xe0,0x01,0xe0,0x01,0xf1,0x01,0xf1},
+ {0xe0,0x01,0xe0,0x01,0xf1,0x01,0xf1,0x01},
+
+ {0x1f,0xfe,0x1f,0xfe,0x0e,0xfe,0x0e,0xfe},
+ {0xfe,0x1f,0xfe,0x1f,0xfe,0x0e,0xfe,0x0e},
+
+ {0x01,0x1f,0x01,0x1f,0x01,0x0e,0x01,0x0e},
+ {0x1f,0x01,0x1f,0x01,0x0e,0x01,0x0e,0x01},
+
+ {0xe0,0xfe,0xe0,0xfe,0xf1,0xfe,0xf1,0xfe},
+ {0xfe,0xe0,0xfe,0xe0,0xfe,0xf1,0xfe,0xf1}
+};
+
+/*
+ * mit_des_is_weak_key: returns true iff key is a [semi-]weak des key.
+ *
+ * Requires: key has correct odd parity.
+ */
+int
+mit_des_is_weak_key(mit_des_cblock key)
+{
+ unsigned int i;
+ const mit_des_cblock *weak_p = weak;
+
+ for (i = 0; i < (sizeof(weak)/sizeof(mit_des_cblock)); i++) {
+ if (!memcmp(weak_p++,key,sizeof(mit_des_cblock)))
+ return 1;
+ }
+ if ( DES_is_weak_key(key) == 1) /* Also OpenSSL's check */
+ return 1;
+
+ return 0;
+}
+
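Review bot: mit_des_is_weak_key walks the local 16-entry table and then calls DES_is_weak_key, which tests the same four weak and twelve semi-weak keys, so one of the two checks is redundant; either drop the table and defer to OpenSSL or keep the table and drop the call, and record in the function comment which list is authoritative. DES_is_weak_key is declared in <openssl/des.h>, which this file does not include directly — fine if des_int.h pulls it in, otherwise add the include as string2key.c does.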
--- /dev/null
+/*
+ * lib/crypto/openssl/enc_provider/aes.c
+ *
+ * Copyright (C) 2003, 2007, 2008, 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include "k5-int.h"
+#include "enc_provider.h"
+#include "aes.h"
+#include <aead.h>
+#include <hash_provider/hash_provider.h>
+#include <openssl/evp.h>
+#include <openssl/aes.h>
+#include <openssl/modes.h>
+#include <rand2key.h>
+
+/* proto's */
+static krb5_error_code
+cts_enc(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output);
+static krb5_error_code
+cbc_enc(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output);
+static krb5_error_code
+cts_decr(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output);
+static krb5_error_code
+cbc_decr(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output);
+
+static const EVP_CIPHER *
+map_mode( unsigned int len)
+{
+ if (len==16)
+ return EVP_aes_128_cbc();
+ if (len==32)
+ return EVP_aes_256_cbc();
+ else
+ return NULL;
+}
+
+static inline void enc(char *out, const char *in, aes_ctx *ctx)
+{
+ if (aes_enc_blk((const unsigned char *)in, (unsigned char *)out, ctx)
+ != aes_good)
+ abort();
+}
+static inline void dec(char *out, const char *in, aes_ctx *ctx)
+{
+ if (aes_dec_blk((const unsigned char *)in, (unsigned char *)out, ctx)
+ != aes_good)
+ abort();
+}
+static void xorblock(char *out, const char *in)
+{
+ int z;
+ for (z = 0; z < BLOCK_SIZE; z++)
+ out[z] ^= in[z];
+}
+
+
+static krb5_error_code
+cbc_enc(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output)
+{
+ EVP_CIPHER_CTX ciph_ctx;
+ unsigned char *key_buf = NULL;
+ unsigned char *tmp_buf = NULL;
+ int ret = 0, tmp_len = 0;
+
+ key_buf = OPENSSL_malloc(key->length);
+ if (!key_buf)
+ return ENOMEM;
+ tmp_len = input->length;
+ tmp_buf = OPENSSL_malloc(input->length);
+ if (!tmp_buf){
+ OPENSSL_free(key_buf);
+ return ENOMEM;
+ }
+ memcpy(key_buf, key->contents, key->length);
+
+ EVP_CIPHER_CTX_init(&ciph_ctx);
+
+ if (ivec && ivec->data && (ivec->length <= EVP_MAX_IV_LENGTH)){
+ ret = EVP_EncryptInit_ex(&ciph_ctx, map_mode(key->length),
+ NULL, key_buf, (unsigned char*)ivec->data);
+ } else {
+ ret = EVP_EncryptInit_ex(&ciph_ctx, map_mode(key->length),
+ NULL, key_buf, NULL);
+ }
+
+ if (ret == 1){
+ EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
+ ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
+ (unsigned char *)input->data, input->length);
+
+ output->length = tmp_len;
+ if(ret)
+ ret = EVP_EncryptFinal_ex(&ciph_ctx,tmp_buf+tmp_len,&tmp_len);
+ }
+
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+
+ if (ret == 1){
+ memcpy(output->data, tmp_buf, output->length);
+ ret = 0;
+ } else {
+ ret = KRB5_CRYPTO_INTERNAL;
+ }
+
+ OPENSSL_free(key_buf);
+ OPENSSL_free(tmp_buf);
+
+ return ret;
+}
+
+static krb5_error_code
+cbc_decr(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output)
+{
+ int ret = 0;
+ int tmp_len = 0;
+ unsigned char *key_buf = NULL;
+ unsigned char *tmp_buf = NULL;
+ EVP_CIPHER_CTX ciph_ctx;
+
+
+ key_buf = OPENSSL_malloc(key->length);
+ if (!key_buf)
+ return ENOMEM;
+ tmp_len = input->length;
+ tmp_buf = OPENSSL_malloc(input->length);
+ if (!tmp_buf){
+ OPENSSL_free(key_buf);
+ return ENOMEM;
+ }
+ memcpy(key_buf, key->contents, key->length);
+
+ EVP_CIPHER_CTX_init(&ciph_ctx);
+
+ if (ivec && ivec->data && (ivec->length <= EVP_MAX_IV_LENGTH)) {
+ ret = EVP_DecryptInit_ex(&ciph_ctx, map_mode(key->length),
+ NULL, key_buf, (unsigned char*)ivec->data);
+ } else
+ ret = EVP_DecryptInit_ex(&ciph_ctx, map_mode(key->length),
+ NULL, key_buf, NULL);
+
+ if (ret == 1) {
+ EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
+ ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
+ (unsigned char *)input->data, input->length);
+ output->length = tmp_len;
+ if (ret == 1)
+ ret = EVP_DecryptFinal_ex(&ciph_ctx,tmp_buf+tmp_len,&tmp_len);
+ }
+
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+
+ if (ret == 1) {
+ output->length += tmp_len;
+ memcpy(output->data, tmp_buf, output->length);
+ ret = 0;
+ } else {
+ ret = KRB5_CRYPTO_INTERNAL;
+ }
+
+ OPENSSL_free(key_buf);
+ OPENSSL_free(tmp_buf);
+
+ return ret;
+}
+
+static krb5_error_code
+cts_enc(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output)
+{
+ size_t size = 0;
+ int ret = 0, tmp_len = 0;
+ unsigned char iv_cts[EVP_MAX_IV_LENGTH*4];
+ unsigned char *tmp_buf = NULL;
+ AES_KEY enck;
+
+ memset(iv_cts,0,sizeof(iv_cts));
+ if (ivec && ivec->data && (ivec->length <= sizeof(iv_cts)))
+ memcpy(iv_cts, ivec->data,ivec->length);
+
+ tmp_buf = OPENSSL_malloc(input->length);
+ if (!tmp_buf)
+ return ENOMEM;
+ tmp_len = input->length;
+
+ AES_set_encrypt_key(key->contents, 8*key->length, &enck);
+
+ size = CRYPTO_cts128_encrypt((unsigned char *)input->data, tmp_buf,
+ input->length, &enck,
+ iv_cts, (cbc128_f)AES_cbc_encrypt);
+
+ if (size <= 0 || output->length < size) {
+ ret = KRB5_CRYPTO_INTERNAL;
+ } else {
+ output->length = size;
+ memcpy(output->data, tmp_buf, output->length);
+ ret = 0;
+ }
+
+ OPENSSL_free(tmp_buf);
+
+ return ret;
+}
+
+static krb5_error_code
+cts_decr(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output)
+{
+ size_t size = 0;
+ int ret = 0, tmp_len = 0;
+ unsigned char iv_cts[EVP_MAX_IV_LENGTH*4];
+ unsigned char *tmp_buf = NULL;
+ AES_KEY deck;
+
+ memset(iv_cts,0,EVP_MAX_IV_LENGTH*4);
+ if (ivec && ivec->data && (ivec->length <= EVP_MAX_IV_LENGTH))
+ memcpy(iv_cts, ivec->data,ivec->length);
+
+ tmp_buf = OPENSSL_malloc(input->length);
+ if (!tmp_buf)
+ return ENOMEM;
+ tmp_len = input->length;
+
+ AES_set_decrypt_key(key->contents, 8*key->length, &deck);
+
+ size = CRYPTO_cts128_decrypt((unsigned char *)input->data, tmp_buf,
+ input->length, &deck,
+ iv_cts, (cbc128_f)AES_cbc_encrypt);
+
+
+ if (size <= 0 || output->length < size) {
+ ret = KRB5_CRYPTO_INTERNAL;
+ } else {
+ output->length = size + 16;
+ memcpy(output->data, tmp_buf, output->length);
+ ret = 0;
+ }
+
+ OPENSSL_free(tmp_buf);
+
+ return ret;
+}
+
+krb5_error_code
+krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output)
+{
+ int ret = 0;
+
+ if ( input->length < BLOCK_SIZE * 2) {
+
+ ret = cbc_enc(key, ivec, input, output);
+
+ } else {
+
+ ret = cts_enc(key, ivec, input, output);
+ }
+
+ return ret;
+}
+
+krb5_error_code
+krb5int_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output)
+{
+ int ret = 0;
+
+ if ( input->length < BLOCK_SIZE*2) {
+
+ ret = cbc_decr(key, ivec, input, output);
+
+ } else {
+
+ ret = cts_decr(key, ivec, input, output);
+
+ }
+
+ return ret;
+}
+
+static krb5_error_code
+krb5int_aes_encrypt_iov(const krb5_keyblock *key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ aes_ctx ctx;
+ char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE];
+ int nblocks = 0, blockno;
+ size_t input_length, i;
+
+ if (aes_enc_key(key->contents, key->length, &ctx) != aes_good)
+ abort();
+
+ if (ivec != NULL)
+ memcpy(tmp, ivec->data, BLOCK_SIZE);
+ else
+ memset(tmp, 0, BLOCK_SIZE);
+
+ for (i = 0, input_length = 0; i < num_data; i++) {
+ krb5_crypto_iov *iov = &data[i];
+
+ if (ENCRYPT_IOV(iov))
+ input_length += iov->data.length;
+ }
+
+ nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
+
+ assert(nblocks > 1);
+
+ {
+ char blockN2[BLOCK_SIZE]; /* second last */
+ char blockN1[BLOCK_SIZE]; /* last block */
+ struct iov_block_state input_pos, output_pos;
+
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
+
+ for (blockno = 0; blockno < nblocks - 2; blockno++) {
+ char blockN[BLOCK_SIZE];
+
+ krb5int_c_iov_get_block((unsigned char *)blockN, BLOCK_SIZE, data, num_data, &input_pos);
+ xorblock(tmp, blockN);
+ enc(tmp2, tmp, &ctx);
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, BLOCK_SIZE, &output_pos);
+
+ /* Set up for next block. */
+ memcpy(tmp, tmp2, BLOCK_SIZE);
+ }
+
+ /* Do final CTS step for last two blocks (the second of which
+ may or may not be incomplete). */
+
+ /* First, get the last two blocks */
+ memset(blockN1, 0, sizeof(blockN1)); /* pad last block with zeros */
+ krb5int_c_iov_get_block((unsigned char *)blockN2, BLOCK_SIZE, data, num_data, &input_pos);
+ krb5int_c_iov_get_block((unsigned char *)blockN1, BLOCK_SIZE, data, num_data, &input_pos);
+
+ /* Encrypt second last block */
+ xorblock(tmp, blockN2);
+ enc(tmp2, tmp, &ctx);
+ memcpy(blockN2, tmp2, BLOCK_SIZE); /* blockN2 now contains first block */
+ memcpy(tmp, tmp2, BLOCK_SIZE);
+
+ /* Encrypt last block */
+ xorblock(tmp, blockN1);
+ enc(tmp2, tmp, &ctx);
+ memcpy(blockN1, tmp2, BLOCK_SIZE);
+
+ /* Put the last two blocks back into the iovec (reverse order) */
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN1, BLOCK_SIZE, &output_pos);
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN2, BLOCK_SIZE, &output_pos);
+
+ if (ivec != NULL)
+ memcpy(ivec->data, blockN1, BLOCK_SIZE);
+ }
+
+ return 0;
+}
+
+static krb5_error_code
+krb5int_aes_decrypt_iov(const krb5_keyblock *key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ aes_ctx ctx;
+ char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE];
+ int nblocks = 0, blockno;
+ unsigned int i;
+ size_t input_length;
+
+ if (aes_dec_key(key->contents, key->length, &ctx) != aes_good)
+ abort();
+
+ if (ivec != NULL)
+ memcpy(tmp, ivec->data, BLOCK_SIZE);
+ else
+ memset(tmp, 0, BLOCK_SIZE);
+
+ for (i = 0, input_length = 0; i < num_data; i++) {
+ krb5_crypto_iov *iov = &data[i];
+
+ if (ENCRYPT_IOV(iov))
+ input_length += iov->data.length;
+ }
+
+ nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
+
+ assert(nblocks > 1);
+
+ {
+ char blockN2[BLOCK_SIZE]; /* second last */
+ char blockN1[BLOCK_SIZE]; /* last block */
+ struct iov_block_state input_pos, output_pos;
+
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
+
+ for (blockno = 0; blockno < nblocks - 2; blockno++) {
+ char blockN[BLOCK_SIZE];
+
+ krb5int_c_iov_get_block((unsigned char *)blockN, BLOCK_SIZE, data, num_data, &input_pos);
+ dec(tmp2, blockN, &ctx);
+ xorblock(tmp2, tmp);
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, BLOCK_SIZE, &output_pos);
+ memcpy(tmp, blockN, BLOCK_SIZE);
+ }
+
+ /* Do last two blocks, the second of which (next-to-last block
+ of plaintext) may be incomplete. */
+
+ /* First, get the last two encrypted blocks */
+ memset(blockN1, 0, sizeof(blockN1)); /* pad last block with zeros */
+ krb5int_c_iov_get_block((unsigned char *)blockN2, BLOCK_SIZE, data, num_data, &input_pos);
+ krb5int_c_iov_get_block((unsigned char *)blockN1, BLOCK_SIZE, data, num_data, &input_pos);
+
+ /* Decrypt second last block */
+ dec(tmp2, blockN2, &ctx);
+ /* Set tmp2 to last (possibly partial) plaintext block, and
+ save it. */
+ xorblock(tmp2, blockN1);
+ memcpy(blockN2, tmp2, BLOCK_SIZE);
+
+ /* Maybe keep the trailing part, and copy in the last
+ ciphertext block. */
+ input_length %= BLOCK_SIZE;
+ memcpy(tmp2, blockN1, input_length ? input_length : BLOCK_SIZE);
+ dec(tmp3, tmp2, &ctx);
+ xorblock(tmp3, tmp);
+ /* Copy out ivec first before we clobber blockN1 with plaintext */
+ if (ivec != NULL)
+ memcpy(ivec->data, blockN1, BLOCK_SIZE);
+ memcpy(blockN1, tmp3, BLOCK_SIZE);
+
+ /* Put the last two blocks back into the iovec */
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN1, BLOCK_SIZE, &output_pos);
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN2, BLOCK_SIZE, &output_pos);
+ }
+
+ return 0;
+}
+
+static krb5_error_code
+krb5int_aes_init_state (const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_data *state)
+{
+ state->length = 16;
+ state->data = (void *) malloc(16);
+ if (state->data == NULL)
+ return ENOMEM;
+ memset(state->data, 0, state->length);
+ return 0;
+}
+
+const struct krb5_enc_provider krb5int_enc_aes128 = {
+ 16,
+ 16, 16,
+ krb5int_aes_encrypt,
+ krb5int_aes_decrypt,
+ krb5int_aes_make_key,
+ krb5int_aes_init_state,
+ krb5int_default_free_state,
+ krb5int_aes_encrypt_iov,
+ krb5int_aes_decrypt_iov
+};
+
+const struct krb5_enc_provider krb5int_enc_aes256 = {
+ 16,
+ 32, 32,
+ krb5int_aes_encrypt,
+ krb5int_aes_decrypt,
+ krb5int_aes_make_key,
+ krb5int_aes_init_state,
+ krb5int_default_free_state,
+ krb5int_aes_encrypt_iov,
+ krb5int_aes_decrypt_iov
+};
+
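Review bot: cts_decr sets `output->length = size + 16;` before the memcpy, but CRYPTO_cts128_decrypt returns the number of bytes it processed (the full input length on success) and tmp_buf is only input->length bytes, so the copy reads 16 bytes beyond tmp_buf and, when the caller's buffer is exactly size bytes, writes 16 bytes beyond output->data; it should be `output->length = size;` as in cts_enc. cbc_enc and cbc_decr likewise copy tmp_len bytes into output->data without first checking it against the caller's output->length, which the des.c hunk below does with `output->length < (unsigned int)tmp_len`, and cbc_decr calls EVP_EncryptUpdate on a context initialised with EVP_DecryptInit_ex where EVP_DecryptUpdate is meant. In cts_enc and cts_decr the return values of AES_set_encrypt_key/AES_set_decrypt_key are ignored, and `size <= 0` can only ever test for zero since size is a size_t. key_buf and tmp_buf carry the key and plaintext but are handed to OPENSSL_free without being wiped first. The *_iov routines are built on aes_enc_key/aes_ctx rather than the EVP API, which is presumably a deliberate interim choice and deserves a sentence in the file header.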
-/*
+/* lib/crypto/openssl/enc_provider/des.c
*/
#include "k5-int.h"
-#include "des_int.h"
-#include "enc_provider.h"
#include <aead.h>
+#include <rand2key.h>
#include <openssl/evp.h>
+#include "des_int.h"
#define DES_BLOCK_SIZE 8
#define DES_KEY_BYTES 7
-#define DES_KEY_LEN 8
+
+static krb5_error_code
+validate(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_data *input, const krb5_data *output)
+{
+ /* key->enctype was checked by the caller */
+ if (key->length != KRB5_MIT_DES_KEYSIZE)
+ return(KRB5_BAD_KEYSIZE);
+ if ((input->length%8) != 0)
+ return(KRB5_BAD_MSIZE);
+ if (ivec && (ivec->length != 8))
+ return(KRB5_BAD_MSIZE);
+ if (input->length != output->length)
+ return(KRB5_BAD_MSIZE);
+
+ return 0;
+}
+
+static krb5_error_code
+validate_iov(const krb5_keyblock *key, const krb5_data *ivec,
+ const krb5_crypto_iov *data, size_t num_data)
+{
+ size_t i, input_length;
+
+ for (i = 0, input_length = 0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+ if (ENCRYPT_IOV(iov))
+ input_length += iov->data.length;
+ }
+
+ if (key->length != KRB5_MIT_DES3_KEYSIZE)
+ return(KRB5_BAD_KEYSIZE);
+ if ((input_length%DES_BLOCK_SIZE) != 0)
+ return(KRB5_BAD_MSIZE);
+ if (ivec && (ivec->length != 8))
+ return(KRB5_BAD_MSIZE);
+
+ return 0;
+}
static krb5_error_code
k5_des_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
const krb5_data *input, krb5_data *output)
{
- int ret = 0, tmp_len = 0;
- EVP_CIPHER_CTX ciph_ctx;
+ int ret = 0, tmp_len = 0;
+ unsigned int tmp_buf_len = 0;
unsigned char *keybuf = NULL;
unsigned char *tmp_buf = NULL;
- unsigned char iv[EVP_MAX_IV_LENGTH];
+ EVP_CIPHER_CTX ciph_ctx;
- if (key->length != DES_KEY_LEN)
- return(KRB5_BAD_KEYSIZE);
- if ((input->length%8) != 0)
- return(KRB5_BAD_MSIZE);
- if (ivec && (ivec->length != 8))
- return(KRB5_BAD_MSIZE);
- if (input->length != output->length)
- return(KRB5_BAD_MSIZE);
+ ret = validate(key, ivec, input, output);
+ if (ret)
+ return ret;
keybuf=key->contents;
keybuf[key->length] = '\0';
- if ( ivec && ivec->data ) {
- memset(iv,0,sizeof(iv));
- memcpy(iv,ivec->data,ivec->length);
- }
-
- tmp_buf=OPENSSL_malloc(output->length);
+ tmp_buf_len = output->length*2;
+ tmp_buf=OPENSSL_malloc(tmp_buf_len);
if (!tmp_buf)
return ENOMEM;
memset(tmp_buf,0,output->length);
EVP_CIPHER_CTX_init(&ciph_ctx);
ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL, keybuf,
- (ivec && ivec->data) ? iv : NULL);
+ (ivec) ? (unsigned char*)ivec->data : NULL);
if (ret) {
EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
(unsigned char *)input->data, input->length);
- if (ret) {
+ if (!ret || output->length < (unsigned int)tmp_len) {
+ ret = KRB5_CRYPTO_INTERNAL;
+ } else {
output->length = tmp_len;
ret = EVP_EncryptFinal_ex(&ciph_ctx, tmp_buf + tmp_len, &tmp_len);
}
EVP_CIPHER_CTX_cleanup(&ciph_ctx);
- if (ret)
+ if (ret == 1)
memcpy(output->data,tmp_buf, output->length);
- memset(tmp_buf,0,output->length);
+ memset(tmp_buf, 0, tmp_buf_len);
OPENSSL_free(tmp_buf);
- if (!ret)
+ if (ret != 1)
return KRB5_CRYPTO_INTERNAL;
return 0;
}
+
static krb5_error_code
k5_des_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
const krb5_data *input, krb5_data *output)
{
/* key->enctype was checked by the caller */
- int ret = 0, tmp_len = 0;
- EVP_CIPHER_CTX ciph_ctx;
+ int ret = 0, tmp_len = 0;
unsigned char *keybuf = NULL;
unsigned char *tmp_buf;
- unsigned char iv[EVP_MAX_IV_LENGTH];
+ EVP_CIPHER_CTX ciph_ctx;
- if (key->length != DES_KEY_LEN)
- return(KRB5_BAD_KEYSIZE);
- if ((input->length%8) != 0)
- return(KRB5_BAD_MSIZE);
- if (ivec && (ivec->length != 8))
- return(KRB5_BAD_MSIZE);
- if (input->length != output->length)
- return(KRB5_BAD_MSIZE);
+ ret = validate(key, ivec, input, output);
+ if (ret)
+ return ret;
keybuf=key->contents;
keybuf[key->length] = '\0';
- if ( ivec != NULL && ivec->data ){
- memset(iv,0,sizeof(iv));
- memcpy(iv,ivec->data,ivec->length);
- }
-
tmp_buf=OPENSSL_malloc(output->length);
if (!tmp_buf)
return ENOMEM;
EVP_CIPHER_CTX_init(&ciph_ctx);
ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL, keybuf,
- (ivec && ivec->data) ? iv : NULL);
+ (ivec) ? (unsigned char*)ivec->data : NULL);
if (ret) {
EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
ret = EVP_DecryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
EVP_CIPHER_CTX_cleanup(&ciph_ctx);
- if (ret)
+ if (ret == 1)
memcpy(output->data,tmp_buf, output->length);
- memset(tmp_buf,0,output->length );
+ memset(tmp_buf,0,output->length);
OPENSSL_free(tmp_buf);
- if (!ret)
+ if ( ret != 1)
return KRB5_CRYPTO_INTERNAL;
return 0;
}
-static krb5_error_code
-k5_des_make_key(const krb5_data *randombits, krb5_keyblock *key)
-{
- if (key->length != DES_KEY_LEN)
- return(KRB5_BAD_KEYSIZE);
- if (randombits->length != 7)
- return(KRB5_CRYPTO_INTERNAL);
-
- key->magic = KV5M_KEYBLOCK;
-
- /* take the seven bytes, move them around into the top 7 bits of the
- 8 key bytes, then compute the parity bits */
-
- memcpy(key->contents, randombits->data, randombits->length);
- key->contents[7] = (((key->contents[0]&1)<<1) | ((key->contents[1]&1)<<2) |
- ((key->contents[2]&1)<<3) | ((key->contents[3]&1)<<4) |
- ((key->contents[4]&1)<<5) | ((key->contents[5]&1)<<6) |
- ((key->contents[6]&1)<<7));
-
- mit_des_fixup_key_parity(key->contents);
-
- return(0);
-}
-
static krb5_error_code
k5_des_encrypt_iov(const krb5_keyblock *key,
const krb5_data *ivec,
krb5_crypto_iov *data,
size_t num_data)
{
- int ret = 0, tmp_len = 0;
- unsigned int i = 0;
+ int ret = 0, tmp_len = MIT_DES_BLOCK_LENGTH;
+ int oblock_len = MIT_DES_BLOCK_LENGTH * num_data;
+ unsigned char *iblock = NULL, *oblock = NULL;
+ unsigned char *keybuf = NULL ;
+ struct iov_block_state input_pos, output_pos;
EVP_CIPHER_CTX ciph_ctx;
- unsigned char *keybuf = NULL ;
- krb5_crypto_iov *iov = NULL;
- unsigned char *tmp_buf = NULL;
- unsigned char iv[EVP_MAX_IV_LENGTH];
- if (ivec && ivec->data){
- memset(iv,0,sizeof(iv));
- memcpy(iv,ivec->data,ivec->length);
- }
+ iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH);
+ if (!iblock)
+ return ENOMEM;
+ oblock = OPENSSL_malloc(oblock_len);
+ if (!oblock){
+ OPENSSL_free(iblock);
+ return ENOMEM;
+ }
+
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
+
+ keybuf=key->contents;
+ keybuf[key->length] = '\0';
+
+ ret = validate_iov(key, ivec, data, num_data);
+ if (ret)
+ return ret;
+
+ memset(oblock, 0, oblock_len);
EVP_CIPHER_CTX_init(&ciph_ctx);
ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL,
- keybuf, (ivec && ivec->data) ? iv : NULL);
- if (!ret)
+ keybuf, (ivec && ivec->data) ? (unsigned char*)ivec->data : NULL);
+ if (!ret){
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+ OPENSSL_free(iblock);
+ OPENSSL_free(oblock);
return KRB5_CRYPTO_INTERNAL;
+ }
- for (i = 0; i < num_data; i++) {
- iov = &data[i];
- if (iov->data.length <= 0) break;
- tmp_len = iov->data.length;
-
- if (ENCRYPT_DATA_IOV(iov)) {
- tmp_buf=(unsigned char *)iov->data.data;
- ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
- (unsigned char *)iov->data.data, iov->data.length);
- if (!ret) break;
- iov->data.length = tmp_len;
- }
+ EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
+
+ for (;;) {
+
+ if (!krb5int_c_iov_get_block(iblock, MIT_DES_BLOCK_LENGTH, data, num_data, &input_pos))
+ break;
+
+ if (input_pos.iov_pos == num_data)
+ break;
+
+ ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &tmp_len,
+ (unsigned char *)iblock, input_pos.data_pos);
+ if (!ret) break;
+
+ krb5int_c_iov_put_block(data, num_data, oblock, MIT_DES_BLOCK_LENGTH, &output_pos);
}
- if(ret)
- ret = EVP_EncryptFinal_ex(&ciph_ctx, (unsigned char *)tmp_buf, &tmp_len);
- if (ret)
- iov->data.length += tmp_len;
+ if(ret)
+ ret = EVP_EncryptFinal_ex(&ciph_ctx, oblock+16, &tmp_len);
EVP_CIPHER_CTX_cleanup(&ciph_ctx);
- if (!ret)
+ memset(iblock,0,sizeof(iblock));
+ memset(oblock,0,sizeof(oblock));
+ OPENSSL_free(iblock);
+ OPENSSL_free(oblock);
+
+ if ( ret != 1)
return KRB5_CRYPTO_INTERNAL;
return 0;
-
}
static krb5_error_code
krb5_crypto_iov *data,
size_t num_data)
{
- int ret = 0, tmp_len = 0;
- unsigned int i = 0;
- EVP_CIPHER_CTX ciph_ctx;
- unsigned char *keybuf = NULL ;
- krb5_crypto_iov *iov = NULL;
- unsigned char *tmp_buf = NULL;
- unsigned char iv[EVP_MAX_IV_LENGTH];
+ int ret = 0;
+ int tmp_len = MIT_DES_BLOCK_LENGTH;
+ int oblock_len = MIT_DES_BLOCK_LENGTH*num_data;
+ unsigned char *iblock = NULL, *oblock = NULL;
+ unsigned char *keybuf = NULL;
+ struct iov_block_state input_pos, output_pos;
+ EVP_CIPHER_CTX ciph_ctx;
+
+ iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH);
+ if (!iblock)
+ return ENOMEM;
+ oblock = OPENSSL_malloc(oblock_len);
+ if (!oblock){
+ OPENSSL_free(iblock);
+ return ENOMEM;
+ }
+
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
+
+ keybuf=key->contents;
+ keybuf[key->length] = '\0';
+
+ ret = validate_iov(key, ivec, data, num_data);
+ if (ret)
+ return ret;
+
+ memset(oblock, 0, oblock_len);
- if (ivec && ivec->data){
- memset(iv,0,sizeof(iv));
- memcpy(iv,ivec->data,ivec->length);
- }
+ EVP_CIPHER_CTX_init(&ciph_ctx);
ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL,
- keybuf, (ivec && ivec->data) ? iv : NULL);
- if (!ret)
+ keybuf, (ivec) ? (unsigned char*)ivec->data : NULL);
+ if (!ret){
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+ OPENSSL_free(iblock);
+ OPENSSL_free(oblock);
return KRB5_CRYPTO_INTERNAL;
+ }
- for (i = 0; i < num_data; i++) {
- iov = &data[i];
- if (iov->data.length <= 0) break;
- tmp_len = iov->data.length;
-
- if (ENCRYPT_DATA_IOV(iov)) {
- tmp_buf=(unsigned char *)iov->data.data;
- ret = EVP_DecryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
- (unsigned char *)iov->data.data, iov->data.length);
- if (!ret) break;
- iov->data.length = tmp_len;
- }
+ EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
+
+ for (;;) {
+
+ if (!krb5int_c_iov_get_block(iblock, MIT_DES_BLOCK_LENGTH,
+ data, num_data, &input_pos))
+ break;
+
+ if (input_pos.iov_pos == num_data)
+ break;
+
+ ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &tmp_len,
+ (unsigned char *)iblock,
+ input_pos.data_pos);
+ if (!ret) break;
+
+ krb5int_c_iov_put_block(data, num_data, oblock,
+ MIT_DES_BLOCK_LENGTH, &output_pos);
}
- if(ret)
- ret = EVP_DecryptFinal_ex(&ciph_ctx, (unsigned char *)tmp_buf, &tmp_len);
- if (ret)
- iov->data.length += tmp_len;
+ if(ret)
+ ret = EVP_DecryptFinal_ex(&ciph_ctx, oblock+16, &tmp_len);
EVP_CIPHER_CTX_cleanup(&ciph_ctx);
- if (!ret)
+ memset(iblock,0,sizeof(iblock));
+ memset(oblock,0,sizeof(oblock));
+ OPENSSL_free(iblock);
+ OPENSSL_free(oblock);
+
+ if (ret != 1)
return KRB5_CRYPTO_INTERNAL;
return 0;
}
const struct krb5_enc_provider krb5int_enc_des = {
DES_BLOCK_SIZE,
- DES_KEY_BYTES, DES_KEY_LEN,
+ DES_KEY_BYTES, KRB5_MIT_DES_KEYSIZE,
k5_des_encrypt,
k5_des_decrypt,
- k5_des_make_key,
+ krb5int_des_make_key,
krb5int_des_init_state,
krb5int_default_free_state,
k5_des_encrypt_iov,
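Review bot: validate_iov in des.c compares key->length against KRB5_MIT_DES3_KEYSIZE, so the single-DES IOV paths reject every 8-byte key (or, if a 24-byte key is passed, EVP_des_cbc() silently uses only the first eight bytes); it should read `if (key->length != KRB5_MIT_DES_KEYSIZE)` to match validate() above it. In k5_des_encrypt_iov and k5_des_decrypt_iov the validate_iov call comes after iblock and oblock are allocated and returns without freeing them — des3.c's k5_des3_encrypt_iov below already validates before allocating and des.c should do the same — and `memset(iblock,0,sizeof(iblock));` / `memset(oblock,0,sizeof(oblock));` zero only a pointer's worth of bytes, so the buffers are not actually scrubbed before OPENSSL_free (use MIT_DES_BLOCK_LENGTH and oblock_len). `keybuf[key->length] = '\0';` writes one byte past the end of key->contents through a const keyblock in every routine here and again in the des3.c hunks; the EVP key argument is length-delimited, so the line can be dropped. Passing input_pos.data_pos as the EVP_EncryptUpdate/EVP_DecryptUpdate input length looks like it should be MIT_DES_BLOCK_LENGTH, the size krb5int_c_iov_get_block just filled, if data_pos is an offset into the current iov — worth confirming against iov_block_state. The k5_des_decrypt_iov hunk also loses the `ivec->data` check that k5_des_encrypt_iov keeps on its EVP_EncryptInit_ex line, so the two should agree.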
-/*
+/* lib/crypto/openssl/enc_provider/des3.c
*/
#include "k5-int.h"
#include "des_int.h"
#include <aead.h>
+#include <rand2key.h>
#include <openssl/evp.h>
#define DES_BLOCK_SIZE 8
-#define DES3_KEY_BYTES 21
-#define DES3_KEY_LEN 24
static krb5_error_code
validate(const krb5_keyblock *key, const krb5_data *ivec,
const krb5_data *input, const krb5_data *output)
{
- mit_des3_key_schedule schedule;
-
/* key->enctype was checked by the caller */
- if (key->length != DES3_KEY_LEN)
+ if (key->length != KRB5_MIT_DES3_KEYSIZE)
return(KRB5_BAD_KEYSIZE);
if ((input->length%DES_BLOCK_SIZE) != 0)
return(KRB5_BAD_MSIZE);
if (input->length != output->length)
return(KRB5_BAD_MSIZE);
- switch (mit_des3_key_sched(*(mit_des3_cblock *)key->contents,
- schedule)) {
- case -1:
- return(KRB5DES_BAD_KEYPAR);
- case -2:
- return(KRB5DES_WEAK_KEY);
- }
return 0;
}
const krb5_crypto_iov *data, size_t num_data)
{
size_t i, input_length;
- mit_des3_key_schedule schedule;
for (i = 0, input_length = 0; i < num_data; i++) {
const krb5_crypto_iov *iov = &data[i];
-
if (ENCRYPT_IOV(iov))
input_length += iov->data.length;
}
- if (key->length != DES3_KEY_LEN)
+ if (key->length != KRB5_MIT_DES3_KEYSIZE)
return(KRB5_BAD_KEYSIZE);
if ((input_length%DES_BLOCK_SIZE) != 0)
return(KRB5_BAD_MSIZE);
if (ivec && (ivec->length != 8))
return(KRB5_BAD_MSIZE);
- switch (mit_des3_key_sched(*(mit_des3_cblock *)key->contents,
- schedule)) {
- case -1:
- return(KRB5DES_BAD_KEYPAR);
- case -2:
- return(KRB5DES_WEAK_KEY);
- }
return 0;
}
k5_des3_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
const krb5_data *input, krb5_data *output)
{
-
- int ret = 0, tmp_len = 0;
- EVP_CIPHER_CTX ciph_ctx;
+ int ret = 0, tmp_len = 0;
+ unsigned int tmp_buf_len = 0;
unsigned char *keybuf = NULL;
unsigned char *tmp_buf = NULL;
- unsigned char iv[EVP_MAX_IV_LENGTH];
+ EVP_CIPHER_CTX ciph_ctx;
ret = validate(key, ivec, input, output);
if (ret)
keybuf=key->contents;
keybuf[key->length] = '\0';
- if (ivec && ivec->data) {
- memset(iv,0,sizeof(iv));
- memcpy(iv,ivec->data,ivec->length);
- }
-
- tmp_buf = OPENSSL_malloc(output->length);
+ tmp_buf_len = output->length * 2;
+ tmp_buf = OPENSSL_malloc(tmp_buf_len);
if (!tmp_buf)
return ENOMEM;
EVP_CIPHER_CTX_init(&ciph_ctx);
ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL, keybuf,
- (ivec && ivec->data) ? iv : NULL);
+ (ivec) ? (unsigned char*)ivec->data : NULL);
if (ret) {
EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
- ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
+ ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
(unsigned char *)input->data, input->length);
- if (ret) {
+ if (!ret || output->length < (unsigned int)tmp_len) {
+ ret = KRB5_CRYPTO_INTERNAL;
+ } else {
output->length = tmp_len;
ret = EVP_EncryptFinal_ex(&ciph_ctx, tmp_buf+tmp_len, &tmp_len);
}
EVP_CIPHER_CTX_cleanup(&ciph_ctx);
- if (ret)
+ if (ret == 1)
memcpy(output->data,tmp_buf, output->length);
- memset(tmp_buf,0,output->length);
+
+ memset(tmp_buf, 0, tmp_buf_len);
OPENSSL_free(tmp_buf);
- if (!ret)
+ if (ret != 1)
return KRB5_CRYPTO_INTERNAL;
+
return 0;
}
k5_des3_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
const krb5_data *input, krb5_data *output)
{
- int ret = 0, tmp_len = 0;
- EVP_CIPHER_CTX ciph_ctx;
+ int ret = 0, tmp_len = 0;
+ unsigned int tmp_buf_len = 0;
unsigned char *keybuf = NULL;
unsigned char *tmp_buf = NULL;
- unsigned char iv[EVP_MAX_IV_LENGTH];
+ EVP_CIPHER_CTX ciph_ctx;
ret = validate(key, ivec, input, output);
if (ret)
keybuf=key->contents;
keybuf[key->length] = '\0';
- if (ivec && ivec->data) {
- memset(iv,0,sizeof(iv));
- memcpy(iv,ivec->data,ivec->length);
- }
-
- tmp_buf=OPENSSL_malloc(output->length);
+ tmp_buf_len = output->length;
+ tmp_buf=OPENSSL_malloc(tmp_buf_len);
if (!tmp_buf)
return ENOMEM;
EVP_CIPHER_CTX_init(&ciph_ctx);
ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL, keybuf,
- (ivec && ivec->data) ? iv: NULL);
+ (ivec) ? (unsigned char*)ivec->data: NULL);
if (ret) {
EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
ret = EVP_DecryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
(unsigned char *)input->data, input->length);
- if (ret) {
+ if (!ret || output->length < (unsigned int)tmp_len) {
+ ret = KRB5_CRYPTO_INTERNAL;
+ } else {
output->length = tmp_len;
ret = EVP_DecryptFinal_ex(&ciph_ctx, tmp_buf+tmp_len, &tmp_len);
}
EVP_CIPHER_CTX_cleanup(&ciph_ctx);
- if (ret)
+ if (ret == 1)
memcpy(output->data,tmp_buf, output->length);
- memset(tmp_buf,0,output->length);
+ memset(tmp_buf,0,tmp_buf_len);
OPENSSL_free(tmp_buf);
- if (!ret)
+ if (ret != 1)
return KRB5_CRYPTO_INTERNAL;
return 0;
}
static krb5_error_code
-k5_des3_make_key(const krb5_data *randombits, krb5_keyblock *key)
+k5_des3_encrypt_iov(const krb5_keyblock *key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
{
- int i;
+ int ret = 0;
+ int tmp_len = MIT_DES_BLOCK_LENGTH;
+ int oblock_len = MIT_DES_BLOCK_LENGTH*num_data;
+ unsigned char *iblock = NULL, *oblock = NULL;
+ unsigned char *keybuf = NULL;
+ struct iov_block_state input_pos, output_pos;
+ EVP_CIPHER_CTX ciph_ctx;
- if (key->length != DES3_KEY_LEN)
- return(KRB5_BAD_KEYSIZE);
- if (randombits->length != DES3_KEY_BYTES)
- return(KRB5_CRYPTO_INTERNAL);
+ ret = validate_iov(key, ivec, data, num_data);
+ if (ret)
+ return ret;
- key->magic = KV5M_KEYBLOCK;
+ iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH);
+ if (!iblock)
+ return ENOMEM;
+ oblock = OPENSSL_malloc(oblock_len);
+ if (!oblock){
+ OPENSSL_free(iblock);
+ return ENOMEM;
+ }
+
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
+
+ keybuf=key->contents;
+ keybuf[key->length] = '\0';
- /* take the seven bytes, move them around into the top 7 bits of the
- 8 key bytes, then compute the parity bits. Do this three times. */
+ memset(oblock, 0, oblock_len);
- for (i=0; i<3; i++) {
- memcpy(key->contents+i*8, randombits->data+i*7, 7);
- key->contents[i*8+7] = (((key->contents[i*8]&1)<<1) |
- ((key->contents[i*8+1]&1)<<2) |
- ((key->contents[i*8+2]&1)<<3) |
- ((key->contents[i*8+3]&1)<<4) |
- ((key->contents[i*8+4]&1)<<5) |
- ((key->contents[i*8+5]&1)<<6) |
- ((key->contents[i*8+6]&1)<<7));
+ EVP_CIPHER_CTX_init(&ciph_ctx);
- mit_des_fixup_key_parity(key->contents+i*8);
+ ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL,
+ keybuf, (ivec) ? (unsigned char*)ivec->data : NULL);
+ if (!ret){
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+ OPENSSL_free(iblock);
+ OPENSSL_free(oblock);
+ return KRB5_CRYPTO_INTERNAL;
}
- return(0);
-}
+ EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
-static krb5_error_code
-validate_and_schedule_iov(const krb5_keyblock *key, const krb5_data *ivec,
- const krb5_crypto_iov *data, size_t num_data,
- mit_des3_key_schedule *schedule)
-{
- size_t i, input_length;
+ for (;;) {
- for (i = 0, input_length = 0; i < num_data; i++) {
- const krb5_crypto_iov *iov = &data[i];
+ if (!krb5int_c_iov_get_block(iblock, MIT_DES_BLOCK_LENGTH,
+ data, num_data, &input_pos))
+ break;
- if (ENCRYPT_IOV(iov))
- input_length += iov->data.length;
- }
+ if (input_pos.iov_pos == num_data)
+ break;
- if (key->length != 24)
- return(KRB5_BAD_KEYSIZE);
- if ((input_length%8) != 0)
- return(KRB5_BAD_MSIZE);
- if (ivec && (ivec->length != 8))
- return(KRB5_BAD_MSIZE);
-
- switch (mit_des3_key_sched(*(mit_des3_cblock *)key->contents,
- *schedule)) {
- case -1:
- return(KRB5DES_BAD_KEYPAR);
- case -2:
- return(KRB5DES_WEAK_KEY);
+ ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &tmp_len,
+ (unsigned char *)iblock, input_pos.data_pos);
+ if (!ret) break;
+
+ krb5int_c_iov_put_block(data, num_data,
+ oblock, MIT_DES_BLOCK_LENGTH, &output_pos);
}
+
+ if(ret)
+ ret = EVP_EncryptFinal_ex(&ciph_ctx, oblock+input_pos.data_pos, &tmp_len);
+
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+
+ memset(iblock,0,sizeof(iblock));
+ memset(oblock,0,sizeof(oblock));
+ OPENSSL_free(iblock);
+ OPENSSL_free(oblock);
+
+ if (ret != 1)
+ return KRB5_CRYPTO_INTERNAL;
return 0;
}
static krb5_error_code
-k5_des3_encrypt_iov(const krb5_keyblock *key,
+k5_des3_decrypt_iov(const krb5_keyblock *key,
const krb5_data *ivec,
krb5_crypto_iov *data,
size_t num_data)
{
-#if 0
- int ret = 0, tmp_len = 0;
- unsigned int i = 0;
- EVP_CIPHER_CTX ciph_ctx;
- unsigned char *keybuf = NULL ;
- krb5_crypto_iov *iov = NULL;
- unsigned char *tmp_buf = NULL;
- unsigned char iv[EVP_MAX_IV_LENGTH];
+ int ret = 0;
+ int tmp_len = MIT_DES_BLOCK_LENGTH;
+ int oblock_len = MIT_DES_BLOCK_LENGTH * num_data;
+ unsigned char *iblock = NULL, *oblock = NULL;
+ unsigned char *keybuf = NULL ;
+ struct iov_block_state input_pos, output_pos;
+ EVP_CIPHER_CTX ciph_ctx;
ret = validate_iov(key, ivec, data, num_data);
if (ret)
- return ret;
+ return ret;
- if (ivec && ivec->data){
- memset(iv,0,sizeof(iv));
- memcpy(iv,ivec->data,ivec->length);
+ iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH);
+ if (!iblock)
+ return ENOMEM;
+ oblock = OPENSSL_malloc(oblock_len);
+ if (!oblock){
+ OPENSSL_free(iblock);
+ return ENOMEM;
}
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
+
+ keybuf=key->contents;
+ keybuf[key->length] = '\0';
+
+ memset(oblock, 0, oblock_len);
EVP_CIPHER_CTX_init(&ciph_ctx);
- ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL,
- keybuf, (ivec && ivec->data) ? iv : NULL);
- if (!ret)
+ ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL,
+ keybuf, (ivec) ? (unsigned char*)ivec->data : NULL);
+ if (!ret){
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+ OPENSSL_free(iblock);
+ OPENSSL_free(oblock);
return KRB5_CRYPTO_INTERNAL;
-
- for (i = 0; i < num_data; i++) {
- iov = &data[i];
- if (iov->data.length <= 0) break;
- tmp_len = iov->data.length;
-
- if (ENCRYPT_IOV(iov)) {
- tmp_buf=(unsigned char *)iov->data.data;
- ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
- (unsigned char *)iov->data.data, iov->data.length);
- if (!ret) break;
- iov->data.length = tmp_len;
- }
}
- if(ret)
- ret = EVP_EncryptFinal_ex(&ciph_ctx, (unsigned char *)tmp_buf, &tmp_len);
-
- if (ret)
- iov->data.length += tmp_len;
-
- EVP_CIPHER_CTX_cleanup(&ciph_ctx);
- if (!ret)
- return KRB5_CRYPTO_INTERNAL;
- return 0;
-#endif
+ EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
-//#if 0
- mit_des3_key_schedule schedule;
- krb5_error_code err;
+ for (;;) {
- err = validate_and_schedule_iov(key, ivec, data, num_data, &schedule);
- if (err)
- return err;
+ if (!krb5int_c_iov_get_block(iblock, MIT_DES_BLOCK_LENGTH,
+ data, num_data, &input_pos))
+ break;
- /* this has a return value, but the code always returns zero */
- krb5int_des3_cbc_encrypt_iov(data, num_data,
- schedule[0], schedule[1], schedule[2],
- ivec != NULL ? (unsigned char *) ivec->data : NULL);
+ if (input_pos.iov_pos == num_data)
+ break;
- zap(schedule, sizeof(schedule));
- return(0);
-//#endif
-}
+ ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &tmp_len,
+ (unsigned char *)iblock, input_pos.data_pos);
+ if (!ret) break;
-static krb5_error_code
-k5_des3_decrypt_iov(const krb5_keyblock *key,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
-{
- mit_des3_key_schedule schedule;
- krb5_error_code err;
+ krb5int_c_iov_put_block(data, num_data,
+ oblock, MIT_DES_BLOCK_LENGTH, &output_pos);
+ }
- err = validate_and_schedule_iov(key, ivec, data, num_data, &schedule);
- if (err)
- return err;
+ if(ret)
+ ret = EVP_DecryptFinal_ex(&ciph_ctx,
+ oblock + input_pos.data_pos, &tmp_len);
- /* this has a return value, but the code always returns zero */
- krb5int_des3_cbc_decrypt_iov(data, num_data,
- schedule[0], schedule[1], schedule[2],
- ivec != NULL ? (unsigned char *) ivec->data : NULL);
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
- zap(schedule, sizeof(schedule));
+ memset(iblock,0,sizeof(iblock));
+ memset(oblock,0,sizeof(oblock));
+ OPENSSL_free(iblock);
+ OPENSSL_free(oblock);
- return(0);
+ if (ret != 1)
+ return KRB5_CRYPTO_INTERNAL;
+ return 0;
}
const struct krb5_enc_provider krb5int_enc_des3 = {
DES_BLOCK_SIZE,
- DES3_KEY_BYTES, DES3_KEY_LEN,
+ KRB5_MIT_DES3_KEY_BYTES, KRB5_MIT_DES3_KEYSIZE,
k5_des3_encrypt,
k5_des3_decrypt,
- k5_des3_make_key,
+ krb5int_des3_make_key,
krb5int_des_init_state,
krb5int_default_free_state,
k5_des3_encrypt_iov,
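Review bot: The scrub at the end of both k5_des3_encrypt_iov and k5_des3_decrypt_iov, `memset(iblock,0,sizeof(iblock)); memset(oblock,0,sizeof(oblock));`, zeroes sizeof(pointer) bytes because iblock and oblock are `unsigned char *`, so all but the first few bytes of the `oblock_len`-byte staging buffer holding plaintext/ciphertext go back to the heap un-scrubbed; it should read `memset(iblock, 0, MIT_DES_BLOCK_LENGTH); memset(oblock, 0, oblock_len);`. The `keybuf[key->length] = '\0';` added to both iov functions (and kept in k5_des3_decrypt) writes one byte past the length recorded in a `const` keyblock and is not needed by EVP_*Init_ex, which takes the key length from the cipher; drop it. Passing `ivec->data` straight to EVP_*Init_ex after removing the zero-padded `iv` copy lets OpenSSL read a full DES block from it, which is only safe if validate()/validate_iov(), not in this hunk, reject an ivec shorter than DES_BLOCK_SIZE — worth confirming. The length handed to EVP_*Update, `input_pos.data_pos`, looks like an offset within the current iov rather than the number of bytes gathered into `iblock`; if krb5int_c_iov_get_block always delivers a whole block here, `MIT_DES_BLOCK_LENGTH` states the intent directly and does not depend on that invariant.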
-/* arcfour.c
+/* lib/crypto/openssl/enc_provider/rc4.c
*
* #include STD_DISCLAIMER
*/
#include "k5-int.h"
-#include "arcfour-int.h"
-#include "enc_provider.h"
#include <aead.h>
+#include <rand2key.h>
#include <openssl/evp.h>
#define RC4_KEY_SIZE 16
#define RC4_BLOCK_SIZE 1
/* Interface layer to kerb5 crypto layer */
+
+/* prototypes */
static krb5_error_code
k5_arcfour_docrypt(const krb5_keyblock *, const krb5_data *,
const krb5_data *, krb5_data *);
-
-/* from a random bitstrem, construct a key */
-static krb5_error_code
-k5_arcfour_make_key(const krb5_data *, krb5_keyblock *);
-
static krb5_error_code
k5_arcfour_free_state ( krb5_data *state);
static krb5_error_code
k5_arcfour_init_state (const krb5_keyblock *key,
krb5_keyusage keyusage, krb5_data *new_state);
-/* The workhorse of the arcfour system, this impliments the cipher */
+/* The workhorse of the arcfour system,
+ * this impliments the cipher
+ */
+
+/* In-place rc4 crypto */
static krb5_error_code
k5_arcfour_docrypt(const krb5_keyblock *key, const krb5_data *state,
const krb5_data *input, krb5_data *output)
keybuf[key->length] = '\0';
EVP_CIPHER_CTX_init(&ciph_ctx);
+
ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_rc4(), NULL, keybuf, NULL);
if (ret) {
tmp_buf=(unsigned char *)output->data;
- ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, (unsigned char *)input->data, input->length);
+ ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
+ (unsigned char *)input->data, input->length);
output->length = tmp_len;
}
if (ret) {
tmp_buf += tmp_len;
ret = EVP_EncryptFinal_ex(&ciph_ctx, tmp_buf, &tmp_len);
}
+
EVP_CIPHER_CTX_cleanup(&ciph_ctx);
- output->length += tmp_len;
- if (!ret)
+ if (ret != 1)
return KRB5_CRYPTO_INTERNAL;
+
+ output->length += tmp_len;
+
return 0;
}
-
-/* In-place decryption */
+/* In-place IOV crypto */
static krb5_error_code
k5_arcfour_docrypt_iov(const krb5_keyblock *key,
const krb5_data *state,
{
size_t i;
int ret = 0, tmp_len = 0;
- EVP_CIPHER_CTX ciph_ctx;
- unsigned char *keybuf = NULL ;
- krb5_crypto_iov *iov = NULL;
+ unsigned char *keybuf = NULL ;
unsigned char *tmp_buf = NULL;
+ krb5_crypto_iov *iov = NULL;
+ EVP_CIPHER_CTX ciph_ctx;
keybuf=key->contents;
keybuf[key->length] = '\0';
EVP_CIPHER_CTX_init(&ciph_ctx);
ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_rc4(), NULL, keybuf, NULL);
- if (!ret)
- return -1;
+ if (!ret){
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+ return KRB5_CRYPTO_INTERNAL;
+ }
for (i = 0; i < num_data; i++) {
iov = &data[i];
if (ENCRYPT_IOV(iov)) {
tmp_buf=(unsigned char *)iov->data.data;
- ret = EVP_EncryptUpdate(&ciph_ctx,
+ ret = EVP_EncryptUpdate(&ciph_ctx,
tmp_buf, &tmp_len,
(unsigned char *)iov->data.data, iov->data.length);
if (!ret) break;
}
if(ret)
ret = EVP_EncryptFinal_ex(&ciph_ctx, (unsigned char *)tmp_buf, &tmp_len);
- if (ret)
- iov->data.length += tmp_len;
- EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-
- if (!ret)
- return -1;
- return 0;
-}
-
-static krb5_error_code
-k5_arcfour_make_key(const krb5_data *randombits, krb5_keyblock *key)
-{
- if (key->length != RC4_KEY_SIZE)
- return(KRB5_BAD_KEYSIZE);
- if (randombits->length != RC4_KEY_SIZE)
- return(KRB5_CRYPTO_INTERNAL);
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
- key->magic = KV5M_KEYBLOCK;
+ if (ret != 1)
+ return KRB5_CRYPTO_INTERNAL;
- memcpy(key->contents, randombits->data, randombits->length);
+ iov->data.length += tmp_len;
- return(0);
+ return 0;
}
static krb5_error_code
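Review bot: `iov->data.length += tmp_len;` after the loop in k5_arcfour_docrypt_iov dereferences `iov`, which is still NULL when num_data is 0 and otherwise points at the last element of `data` whether or not ENCRYPT_IOV selected it, and `tmp_buf` is likewise NULL in the preceding EVP_EncryptFinal_ex call when no iov was encrypted. RC4 is a stream cipher, so on success Final emits nothing and the increment is a no-op, but the code still writes through a possibly-NULL pointer and would extend the wrong buffer if tmp_len were ever non-zero; guard it with `if (iov != NULL && tmp_len > 0) iov->data.length += tmp_len;` or drop the increment entirely. The function's parameter list (`data`, `num_data`) is outside this hunk.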
RC4_KEY_SIZE, RC4_KEY_SIZE,
k5_arcfour_docrypt,
k5_arcfour_docrypt,
- k5_arcfour_make_key,
+ krb5int_arcfour_make_key,
k5_arcfour_init_state, /*xxx not implemented */
k5_arcfour_free_state, /*xxx not implemented */
k5_arcfour_docrypt_iov,
--- /dev/null
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+#include "crc-32.h"
+#include "hash_provider.h"
+
+static krb5_error_code
+k5_crc32_hash(unsigned int icount, const krb5_data *input,
+ krb5_data *output)
+{
+ unsigned long c, cn;
+ unsigned int i;
+
+ if (output->length != CRC32_CKSUM_LENGTH)
+ return(KRB5_CRYPTO_INTERNAL);
+
+ c = 0;
+ for (i=0; i<icount; i++) {
+ mit_crc32(input[i].data, input[i].length, &cn);
+ c ^= cn;
+ }
+
+ store_32_le(c, output->data);
+ return(0);
+}
+
+const struct krb5_hash_provider krb5int_hash_crc32 = {
+ "CRC32",
+ CRC32_CKSUM_LENGTH,
+ 1,
+ k5_crc32_hash
+};
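Review bot: `c ^= cn` in k5_crc32_hash XORs the CRC of each buffer, which is not the CRC of the concatenated input (crc(a‖b) != crc(a) ^ crc(b)), so for icount > 1 the result is order-independent and matches no standard CRC-32 of the message. If every caller passes icount == 1 this is harmless, but it should be stated, e.g. `/* XOR of per-buffer CRCs is not the CRC of the concatenation; callers must pass icount == 1. */`, or the CRC state folded across buffers instead. It is also worth a comment that CRC-32 offers no collision resistance and this provider exists only to support the legacy des-cbc-crc checksum.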
--- /dev/null
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+#include "rsa-md4.h"
+#include "hash_provider.h"
+
+static krb5_error_code
+k5_md4_hash(unsigned int icount, const krb5_data *input,
+ krb5_data *output)
+{
+ krb5_MD4_CTX ctx;
+ unsigned int i;
+
+ if (output->length != RSA_MD4_CKSUM_LENGTH)
+ return(KRB5_CRYPTO_INTERNAL);
+
+ krb5_MD4Init(&ctx);
+ for (i=0; i<icount; i++)
+ krb5_MD4Update(&ctx, (unsigned char *) input[i].data, input[i].length);
+ krb5_MD4Final(&ctx);
+
+ memcpy(output->data, ctx.digest, RSA_MD4_CKSUM_LENGTH);
+
+ return(0);
+}
+
+const struct krb5_hash_provider krb5int_hash_md4 = {
+ "MD4",
+ RSA_MD4_CKSUM_LENGTH,
+ 64,
+ k5_md4_hash
+};
--- /dev/null
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+#include "rsa-md5.h"
+#include "hash_provider.h"
+
+static krb5_error_code
+k5_md5_hash(unsigned int icount, const krb5_data *input,
+ krb5_data *output)
+{
+ krb5_MD5_CTX ctx;
+ unsigned int i;
+
+ if (output->length != RSA_MD5_CKSUM_LENGTH)
+ return(KRB5_CRYPTO_INTERNAL);
+
+ krb5_MD5Init(&ctx);
+ for (i=0; i<icount; i++)
+ krb5_MD5Update(&ctx, (unsigned char *) input[i].data, input[i].length);
+ krb5_MD5Final(&ctx);
+
+ memcpy(output->data, ctx.digest, RSA_MD5_CKSUM_LENGTH);
+
+ return(0);
+}
+
+const struct krb5_hash_provider krb5int_hash_md5 = {
+ "MD5",
+ RSA_MD5_CKSUM_LENGTH,
+ 64,
+ k5_md5_hash
+};
--- /dev/null
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+
+extern const struct krb5_hash_provider krb5int_hash_crc32;
+extern const struct krb5_hash_provider krb5int_hash_md4;
+extern const struct krb5_hash_provider krb5int_hash_md5;
+extern const struct krb5_hash_provider krb5int_hash_sha1;
--- /dev/null
+/* lib/crypto/openssl/hash/yhash.h
+ *
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+#include "shs.h"
+#include "hash_provider.h"
+
+static krb5_error_code
+k5_sha1_hash(unsigned int icount, const krb5_data *input,
+ krb5_data *output)
+{
+ SHS_INFO ctx;
+ unsigned int i;
+
+ if (output->length != SHS_DIGESTSIZE)
+ return(KRB5_CRYPTO_INTERNAL);
+
+ shsInit(&ctx);
+ for (i=0; i<icount; i++)
+ shsUpdate(&ctx, (unsigned char *) input[i].data, input[i].length);
+ shsFinal(&ctx);
+
+ if (ctx.digestLen > 0 && ctx.digestLen <= output->length){
+ output->length = ctx.digestLen;
+ memcpy(output->data, ctx.digestBuf,ctx.digestLen);
+ }
+
+ return(0);
+}
+
+const struct krb5_hash_provider krb5int_hash_sha1 = {
+ "SHA1",
+ SHS_DIGESTSIZE,
+ SHS_DATASIZE,
+ k5_sha1_hash
+};
+
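Review bot: k5_sha1_hash returns 0 even when the `ctx.digestLen > 0 && ctx.digestLen <= output->length` test fails, so a failed or zero-length finalisation (shsFinal does not check EVP_DigestFinal_ex) leaves output->data untouched and reports success; replace the block with `if (ctx.digestLen != SHS_DIGESTSIZE) return KRB5_CRYPTO_INTERNAL;` followed by `memcpy(output->data, ctx.digestBuf, SHS_DIGESTSIZE);`, which also removes the surprising shrink of output->length. The file header comment names `lib/crypto/openssl/hash/yhash.h`, which is not this file.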
-/*
+/* lib/crypto/openssl/hmac.c
*/
#include "k5-int.h"
#include <sys/types.h>
#endif
#include <string.h>
+#define h0init 0x67452301L
+#define h1init 0xEFCDAB89L
+#define h2init 0x98BADCFEL
+#define h3init 0x10325476L
+#define h4init 0xC3D2E1F0L
/* Initialize the SHS values */
void shsInit(SHS_INFO *shsInfo)
{
EVP_MD_CTX_init(&shsInfo->ossl_sha1_ctx );
EVP_DigestInit_ex(&shsInfo->ossl_sha1_ctx , EVP_sha1(), NULL);
+ shsInfo->digestLen = 0;
+ memset(shsInfo->digestBuf, 0 , sizeof(shsInfo->digestBuf));
}
/* Update SHS for a block of data */
void shsFinal(SHS_INFO *shsInfo)
{
- unsigned char *digest_buf = NULL;
-
- digest_buf = (unsigned char *)OPENSSL_malloc( sizeof(shsInfo->digest));
-
- EVP_DigestFinal_ex(&shsInfo->ossl_sha1_ctx , digest_buf , &shsInfo->digest_len);
-
- memcpy(shsInfo->digest, digest_buf, shsInfo->digest_len);
- OPENSSL_free(digest_buf);
+ EVP_DigestFinal_ex(&shsInfo->ossl_sha1_ctx ,(unsigned char *)shsInfo->digestBuf , &shsInfo->digestLen);
EVP_MD_CTX_cleanup(&shsInfo->ossl_sha1_ctx );
}
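Review bot: shsFinal ignores the return value of EVP_DigestFinal_ex, and since it is a void function the caller has no other way to learn that the digest was not produced; making the failure visible through the length field, `if (EVP_DigestFinal_ex(&shsInfo->ossl_sha1_ctx, shsInfo->digestBuf, &shsInfo->digestLen) != 1)` then `shsInfo->digestLen = 0;`, lets k5_sha1_hash and the yarrow HASH_Final macro detect it. The previous version's heap allocation for the digest is gone, which is an improvement, but a comment that digestBuf/digestLen are the function's outputs would help readers of shs.h.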
+
+
typedef struct {
EVP_MD_CTX ossl_sha1_ctx;
- unsigned int digest_len;
- SHS_LONG digest[ 5 ]; /* Message digest */
- SHS_LONG countLo, countHi; /* 64-bit bit count */
- SHS_LONG data[ 16 ]; /* SHS data buffer */
+ unsigned char digestBuf[SHS_DIGESTSIZE]; /* output */
+ unsigned int digestLen; /* output */
} SHS_INFO;
/* Message digest functions (shs.c) */
--- /dev/null
+/* -*- Mode: C; c-file-style: "bsd" -*- */
+/* lib/crypto/openssl/hash/yhash.h
+ */
+
+#ifndef YHASH_H
+#define YHASH_H
+
+/* hash function interface */
+
+/* default to SHA1 for yarrow 160 */
+
+#include "shs.h"
+
+
+#define HASH_CTX SHS_INFO
+#define HASH_Init(x) shsInit(x)
+#define HASH_Update(x, buf, sz) shsUpdate(x, (const void*)buf, sz)
+
+#define HASH_Final(x, tdigest) do { \
+ int loopvar; \
+ unsigned char *out2 = (void *)(tdigest); \
+ HASH_CTX *ctx = (x); \
+ shsFinal(ctx); \
+ memcpy(out2, ctx->digestBuf, ctx->digestLen); \
+ } while(0)
+
+#define HASH_DIGEST_SIZE SHS_DIGESTSIZE
+
+#endif /* YHASH_H */
+
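Review bot: HASH_Final copies `ctx->digestLen` bytes into the caller's digest, so if finalisation failed and digestLen is still the 0 set by shsInit, nothing is written and the caller (presumably yarrow's pool/output path) proceeds with whatever the target buffer held. Either copy `HASH_DIGEST_SIZE` bytes unconditionally or zero-fill the target when `ctx->digestLen != HASH_DIGEST_SIZE` so a failed hash cannot silently pass stale bytes through. `int loopvar;` in the macro is unused and should go.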
$(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
gssapi_krb5.h rel_name.c
+s4u_gss_glue.so s4u_gss_glue.po $(OUTPRE)s4u_gss_glue.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
+ $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \
+ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
+ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
+ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
+ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
+ $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
+ ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
+ gssapi_krb5.h s4u_gss_glue.c
seal.so seal.po $(OUTPRE)seal.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
{
OM_uint32 major_status = GSS_S_FAILURE;
krb5_gss_cred_id_t cred;
+#if 0
size_t i;
+#endif
if (minor_status == NULL)
return GSS_S_CALL_INACCESSIBLE_WRITE;
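Review bot: Wrapping `size_t i;` in `#if 0` keeps a dead declaration in the source; if the loop that used it is gone, delete the line rather than leaving a conditional around it. The enclosing function begins outside this hunk.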
$(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
../generic/gssapi_err_generic.h g_acquire_cred.c mechglue.h \
mglueP.h
+g_acquire_cred_imp_name.so g_acquire_cred_imp_name.po \
+ $(OUTPRE)g_acquire_cred_imp_name.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \
+ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-thread.h $(srcdir)/../generic/gssapiP_generic.h \
+ $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
+ ../generic/gssapi_err_generic.h g_acquire_cred_imp_name.c \
+ mechglue.h mglueP.h
g_buffer_set.so g_buffer_set.po $(OUTPRE)g_buffer_set.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
$(BUILDTOP)/include/gssapi/gssapi_ext.h $(COM_ERR_DEPS) \
return KADM5_BAD_MASK;
if((mask & ~ALL_PRINC_MASK))
return KADM5_BAD_MASK;
- if (entry == (kadm5_principal_ent_t) NULL || password == NULL)
+ if (entry == NULL)
return EINVAL;
/*
return ret;
}
}
- if ((ret = passwd_check(handle, password, (mask & KADM5_POLICY),
- &polent, entry->principal))) {
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return ret;
+ if (password) {
+ ret = passwd_check(handle, password, (mask & KADM5_POLICY),
+ &polent, entry->principal);
+ if (ret) {
+ if (mask & KADM5_POLICY)
+ (void) kadm5_free_policy_ent(handle->lhandle, &polent);
+ return ret;
+ }
}
/*
* Start populating the various DB fields, using the
return (ret);
}
- if ((ret = krb5_dbe_cpw(handle->context, act_mkey,
- n_ks_tuple?ks_tuple:handle->params.keysalts,
- n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
- password,
- (mask & KADM5_KVNO)?entry->kvno:1,
- FALSE, &kdb))) {
+ if (password) {
+ ret = krb5_dbe_cpw(handle->context, act_mkey,
+ n_ks_tuple?ks_tuple:handle->params.keysalts,
+ n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
+ password, (mask & KADM5_KVNO)?entry->kvno:1,
+ FALSE, &kdb);
+ } else {
+ /* Null password means create with random key (new in 1.8). */
+ ret = krb5_dbe_crk(handle->context, &master_keyblock,
+ n_ks_tuple?ks_tuple:handle->params.keysalts,
+ n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
+ FALSE, &kdb);
+ }
+ if (ret) {
krb5_db_free_principal(handle->context, &kdb, 1);
if (mask & KADM5_POLICY)
(void) kadm5_free_policy_ent(handle->lhandle, &polent);
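Review bot: The new random-key branch calls `krb5_dbe_crk(handle->context, &master_keyblock, ...)` while the password branch just above uses `act_mkey`; if act_mkey is the master key resolved for this principal and can differ from master_keyblock (several master keys after a rollover), principals created without a password get keys wrapped under the wrong master key, so pass `act_mkey` to krb5_dbe_crk as well. The caller's kvno, honoured via `(mask & KADM5_KVNO)?entry->kvno:1` on the cpw path, is silently dropped on the crk path, which takes no kvno here; either reject KADM5_KVNO when password is NULL or set the key kvno on kdb afterwards. The function starts and ends outside this hunk.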
perror "$test: unexpected failure in init"
return
}
- one_line_fail_test [format {
+ one_line_succeed_test [format {
kadm5_create_principal $server_handle [simple_principal "%s/a"] \
{KADM5_PRINCIPAL} null
- } $test] "EINVAL"
+ } $test]
if { ! [cmd {kadm5_destroy $server_handle}]} {
perror "$test: unexpected failure in destroy"
return
$(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
$(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h auth_con.h recvauth.c
+s4u_creds.so s4u_creds.po $(OUTPRE)s4u_creds.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \
+ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
+ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
+ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
+ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
+ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h int-proto.h s4u_creds.c
sendauth.so sendauth.po $(OUTPRE)sendauth.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
krb5_error_code
krb5int_fast_make_state( krb5_context context, struct krb5int_fast_request_state **state)
{
- krb5_error_code retval = 0;
struct krb5int_fast_request_state *local_state ;
local_state = malloc(sizeof *local_state);
if (local_state == NULL)
#include "k5-int.h"
#include "int-proto.h"
+/*
+ * Set *mcreds and *fields to a matching credential and field set for
+ * use with krb5_cc_retrieve_cred, based on a set of input credentials
+ * and options. The fields of *mcreds will be aliased to the fields
+ * of in_creds, so the contents of *mcreds should not be freed.
+ */
krb5_error_code
-krb5_get_credentials_core(krb5_context context, krb5_flags options,
- krb5_creds *in_creds, krb5_creds *mcreds,
- krb5_flags *fields)
+krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
+ krb5_creds *in_creds, krb5_creds *mcreds,
+ krb5_flags *fields)
{
if (!in_creds || !in_creds->server || !in_creds->client)
return EINVAL;
int i;
*fields |= KRB5_TC_MATCH_KTYPE;
- ret = krb5_get_tgs_ktypes (context, mcreds->server, &ktypes);
+ ret = krb5_get_tgs_ktypes(context, mcreds->server, &ktypes);
for (i = 0; ktypes[i]; i++)
if (ktypes[i] == mcreds->keyblock.enctype)
break;
krb5_creds **out_creds)
{
krb5_error_code retval;
- krb5_creds mcreds;
- krb5_creds *ncreds;
- krb5_creds **tgts;
+ krb5_creds mcreds, *ncreds, **tgts, **tgts_iter;
krb5_flags fields;
- int not_ktype;
+ krb5_boolean not_ktype = FALSE;
int kdcopt = 0;
+ *out_creds = NULL;
+
+ /*
+ * See if we already have the ticket cached. To do this usefully
+ * for constrained delegation, we would need to look inside
+ * second_ticket, which we can't do.
+ */
if ((options & KRB5_GC_CONSTRAINED_DELEGATION) == 0) {
- retval = krb5_get_credentials_core(context, options,
- in_creds,
- &mcreds, &fields);
+ retval = krb5int_construct_matching_creds(context, options, in_creds,
+ &mcreds, &fields);
if (retval)
return retval;
- if ((ncreds = (krb5_creds *)malloc(sizeof(krb5_creds))) == NULL)
+ ncreds = malloc(sizeof(krb5_creds));
+ if (!ncreds)
return ENOMEM;
memset(ncreds, 0, sizeof(krb5_creds));
ncreds->magic = KV5M_CREDS;
- /* The caller is now responsible for cleaning up in_creds */
- if ((retval = krb5_cc_retrieve_cred(context, ccache, fields, &mcreds,
- ncreds))) {
- free(ncreds);
- ncreds = in_creds;
- } else {
+ retval = krb5_cc_retrieve_cred(context, ccache, fields, &mcreds,
+ ncreds);
+ if (retval == 0) {
*out_creds = ncreds;
+ return 0;
}
- } else {
- /*
- * To do this usefully for constrained delegation, we would
- * need to look inside second_ticket, which we can't do.
- */
- ncreds = in_creds;
- retval = KRB5_CC_NOTFOUND;
- }
-
- if ((retval != KRB5_CC_NOTFOUND && retval != KRB5_CC_NOT_KTYPE)
- || options & KRB5_GC_CACHED)
- return retval;
-
- if (retval == KRB5_CC_NOT_KTYPE)
- not_ktype = 1;
- else
- not_ktype = 0;
+ free(ncreds);
+ ncreds = NULL;
+ if ((retval != KRB5_CC_NOTFOUND && retval != KRB5_CC_NOT_KTYPE)
+ || options & KRB5_GC_CACHED)
+ return retval;
+ not_ktype = (retval == KRB5_CC_NOT_KTYPE);
+ } else if (options & KRB5_GC_CACHED)
+ return KRB5_CC_NOTFOUND;
if (options & KRB5_GC_CANONICALIZE)
kdcopt |= KDC_OPT_CANONICALIZE;
kdcopt |= KDC_OPT_FORWARDABLE | KDC_OPT_CNAME_IN_ADDL_TKT;
}
- retval = krb5_get_cred_from_kdc_opt(context, ccache, ncreds,
- out_creds, &tgts, kdcopt);
+ retval = krb5_get_cred_from_kdc_opt(context, ccache, in_creds,
+ &ncreds, &tgts, kdcopt);
if (tgts) {
- register int i = 0;
- krb5_error_code rv2;
- while (tgts[i]) {
- if ((rv2 = krb5_cc_store_cred(context, ccache, tgts[i]))) {
- retval = rv2;
- break;
- }
- i++;
- }
+ /* Attempt to cache intermediate ticket-granting tickets. */
+ for (tgts_iter = tgts; *tgts_iter; tgts_iter++)
+ (void) krb5_cc_store_cred(context, ccache, *tgts_iter);
krb5_free_tgt_creds(context, tgts);
}
- if (!retval && (options & KRB5_GC_CONSTRAINED_DELEGATION)) {
- if (((*out_creds)->ticket_flags & TKT_FLG_FORWARDABLE) == 0) {
- retval = KRB5_TKT_NOT_FORWARDABLE;
- krb5_free_creds(context, *out_creds);
- *out_creds = NULL;
- }
- }
+
/*
* Translate KRB5_CC_NOTFOUND if we previously got
* KRB5_CC_NOT_KTYPE from krb5_cc_retrieve_cred(), in order to
*/
if ((retval == KRB5_CC_NOTFOUND || retval == KRB5_CC_NOT_KTYPE)
&& not_ktype)
- retval = KRB5_CC_NOT_KTYPE;
-
- if (!retval && (options & KRB5_GC_NO_STORE) == 0) {
- /* the purpose of the krb5_get_credentials call is to
- * obtain a set of credentials for the caller. the
- * krb5_cc_store_cred() call is to optimize performance
- * for future calls. Ignore any errors, since the credentials
- * are still valid even if we fail to store them in the cache.
- */
- krb5_cc_store_cred(context, ccache, *out_creds);
+ return KRB5_CC_NOT_KTYPE;
+ else if (retval)
+ return retval;
+
+ if ((options & KRB5_GC_CONSTRAINED_DELEGATION)
+ && (ncreds->ticket_flags & TKT_FLG_FORWARDABLE) == 0) {
+ /* This ticket won't work for constrained delegation. */
+ krb5_free_creds(context, ncreds);
+ return KRB5_TKT_NOT_FORWARDABLE;
}
- return retval;
+ /* Attempt to cache the returned ticket. */
+ if (!(options & KRB5_GC_NO_STORE))
+ (void) krb5_cc_store_cred(context, ccache, ncreds);
+
+ *out_creds = ncreds;
+ return 0;
}
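Review bot: `tgts` is declared without an initialiser and tested with `if (tgts)` straight after krb5_get_cred_from_kdc_opt; unless that call is guaranteed to set `*tgts` on every error return, a failed KDC exchange passes an indeterminate pointer to krb5_free_tgt_creds, so declare `krb5_creds mcreds, *ncreds = NULL, **tgts = NULL, **tgts_iter;`. Dropping the return values of krb5_cc_store_cred for the intermediate TGTs and the final ticket is a deliberate best-effort change, but the old comment explaining why that is safe (the credentials remain valid even if caching fails) was removed and deserves to come back in one line above the `(void)` calls. The function's signature begins outside this hunk.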
#define INT_GC_VALIDATE 1
krb5_creds ***tgts, int kdcopt);
krb5_error_code
-krb5_get_credentials_core(krb5_context context, krb5_flags options,
- krb5_creds *in_creds, krb5_creds *mcreds,
- krb5_flags *fields);
+krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
+ krb5_creds *in_creds, krb5_creds *mcreds,
+ krb5_flags *fields);
#define in_clock_skew(date, now) (labs((date)-(now)) < context->clockskew)
krb5_free_passwd_phrase_element(krb5_context context,
passwd_phrase_element *val)
{
- register passwd_phrase_element **temp;
-
if (val == NULL)
return;
krb5_free_data(context, val->passwd);
krb5_data *for_user_data = NULL;
char package[] = "Kerberos";
- memset(&for_user, 0, sizeof(for_user));
-
- if (userid->user == NULL) {
- code = EINVAL;
- goto cleanup;
- }
+ if (userid->user == NULL)
+ return EINVAL;
+ memset(&for_user, 0, sizeof(for_user));
for_user.user = userid->user;
for_user.auth_package.data = package;
for_user.auth_package.length = sizeof(package) - 1;
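Review bot: The `return EINVAL` that replaces `goto cleanup` skips whatever the function's cleanup label releases, so it is only safe if nothing has been allocated before this point; from the visible lines only `for_user_data = NULL` precedes it, which looks fine, but the function begins and its cleanup label sits outside the hunk, so that should be confirmed. A one-line comment would make the intent explicit for the next maintainer, e.g. `/* Nothing allocated yet, so an early return is safe here. */`.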
goto cleanup;
}
- code = krb5_get_credentials_core(context, options, in_creds,
- &mcreds, &fields);
+ code = krb5int_construct_matching_creds(context, options, in_creds,
+ &mcreds, &fields);
if (code != 0)
goto cleanup;
SHLIB_RDIRS=$(KRB5_LIBDIR)
all-unix:: includes all-libs
-all-prerecurse: $(HDRS)
+all-prerecurse depend-prerecurse: $(HDRS)
clean-unix:: clean-libs clean-includes
includes:: $(HDRS)
$(SRCTOP)/include/socket-utils.h pkinit_accessor.c \
pkinit_accessor.h
pkinit_srv.so pkinit_srv.po $(OUTPRE)pkinit_srv.$(OBJEXT): \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
+ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-plugin.h \
+ $(SRCTOP)/include/krb5/preauth_plugin.h $(srcdir)/../fast_factor.h \
pkcs11.h pkinit.h pkinit_accessor.h pkinit_crypto.h \
pkinit_srv.c
pkinit_lib.so pkinit_lib.po $(OUTPRE)pkinit_lib.$(OBJEXT): \
$(SRCTOP)/include/krb5/preauth_plugin.h pkcs11.h pkinit.h \
pkinit_accessor.h pkinit_crypto.h pkinit_lib.c
pkinit_clnt.so pkinit_clnt.po $(OUTPRE)pkinit_clnt.$(OBJEXT): \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
+ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-plugin.h \
+ $(SRCTOP)/include/krb5/preauth_plugin.h $(srcdir)/../fast_factor.h \
pkcs11.h pkinit.h pkinit_accessor.h pkinit_clnt.c pkinit_crypto.h
pkinit_profile.so pkinit_profile.po $(OUTPRE)pkinit_profile.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
install::
clean::
- rm -f *~ *.o krb5_encode_test krb5_decode_test test.out trval t_trval expected_encode.out expected_trval.out trval.out
+ rm -f *~ *.o krb5_encode_test krb5_decode_test krb5_decode_leak test.out trval t_trval expected_encode.out expected_trval.out trval.out
################ Dependencies ################
send "adminpass$KEY\r"
}
- expect "Enter password for principal \"$pname\":" { send "$password\r" }
- expect "Re-enter password for principal \"$pname\":" { send "$password\r" }
+ expect "Enter password for principal \"$pname@$REALMNAME\":" { send "$password\r" }
+ expect "Re-enter password for principal \"$pname@$REALMNAME\":" { send "$password\r" }
# When in doubt, jam one of these in there.
expect "\r"
expect "Password for \"$pname@$REALMNAME\" changed."
#
$(OUTPRE)t_imp_name.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
$(BUILDTOP)/include/gssapi/gssapi_generic.h t_imp_name.c
+$(OUTPRE)t_s4u.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
+ $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/krb5.h \
+ t_s4u.c
utils.c
options.so options.po $(OUTPRE)options.$(OBJEXT): $(BUILDTOP)/include/ss/ss_err.h \
$(COM_ERR_DEPS) copyright.h options.c ss.h
-cmd_tbl.lex.o: cmd_tbl.lex.c ct.tab.h
+cmd_tbl.lex.o: cmd_tbl.lex.c
ct.tab.o: $(BUILDTOP)/include/ss/ss_err.h $(COM_ERR_DEPS) \
ct.tab.c ss.h
ss_err.so ss_err.po $(OUTPRE)ss_err.$(OBJEXT): $(COM_ERR_DEPS) \
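Review bot: Dropping `ct.tab.h` from the prerequisites of `cmd_tbl.lex.o` means a regenerated `ct.tab.h` no longer triggers a rebuild of that object; this is correct only if `cmd_tbl.lex.c` (or the lex source it is generated from) no longer includes that header, which the hunk does not show. If the include is still present the old line `cmd_tbl.lex.o: cmd_tbl.lex.c ct.tab.h` should stay, otherwise a stale object can silently survive a grammar change.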
$(srcdir)/strlcpy.c \
$(srcdir)/printf.c \
$(srcdir)/mkstemp.c \
- $(srcdir)/t_k5buf.c
+ $(srcdir)/t_k5buf.c \
+ $(srcdir)/t_unal.c
SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt.
t_k5buf: $(T_K5BUF_OBJS)
$(CC_LINK) -o t_k5buf $(T_K5BUF_OBJS)
-TEST_PROGS= t_k5buf
+t_unal: t_unal.o
+ $(CC_LINK) -o t_unal t_unal.o
+
+TEST_PROGS= t_k5buf t_unal
check-unix:: $(TEST_PROGS)
./t_k5buf
+ ./t_unal
clean::
- $(RM) t_k5buf.o t_k5buf
+ $(RM) t_k5buf.o t_k5buf t_unal.o t_unal
@lib_frag@
@libobj_frag@
t_k5buf.so t_k5buf.po $(OUTPRE)t_k5buf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-platform.h \
$(SRCTOP)/include/k5-thread.h k5buf-int.h t_k5buf.c
+t_unal.so t_unal.po $(OUTPRE)t_unal.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
+ t_unal.c
--- /dev/null
+#undef NDEBUG
+#include <assert.h>
+#include "k5-platform.h"
+
+int main ()
+{
+ /* Test some low-level assumptions the Kerberos code depends
+ on. */
+
+ union {
+ UINT64_TYPE n64;
+ uint32_t n32;
+ uint16_t n16;
+ unsigned char b[9];
+ } u;
+ static unsigned char buf[9] = { 0, 1, 2, 3, 4, 5, 6, 7, 8 };
+
+ assert(load_64_be(buf+1) == 0x0102030405060708LL);
+ assert(load_64_le(buf+1) == 0x0807060504030201LL);
+ assert(load_32_le(buf+2) == 0x05040302);
+ assert(load_32_be(buf+2) == 0x02030405);
+ assert(load_16_be(buf+3) == 0x0304);
+ assert(load_16_le(buf+3) == 0x0403);
+ u.b[0] = 0;
+ assert((store_64_be(0x0102030405060708LL, u.b+1), !memcmp(buf, u.b, 9)));
+ u.b[1] = 9;
+ assert((store_64_le(0x0807060504030201LL, u.b+1), !memcmp(buf, u.b, 9)));
+ u.b[2] = 10;
+ assert((store_32_be(0x02030405, u.b+2), !memcmp(buf, u.b, 9)));
+ u.b[3] = 11;
+ assert((store_32_le(0x05040302, u.b+2), !memcmp(buf, u.b, 9)));
+ u.b[4] = 12;
+ assert((store_16_be(0x0304, u.b+3), !memcmp(buf, u.b, 9)));
+ u.b[4] = 13;
+ assert((store_16_le(0x0403, u.b+3), !memcmp(buf, u.b, 9)));
+ /* Verify that load_*_n properly does native format. Assume
+ the unaligned thing is okay. */
+ u.n64 = 0x090a0b0c0d0e0f00LL;
+ assert(load_64_n((unsigned char *) &u.n64) == 0x090a0b0c0d0e0f00LL);
+ u.n32 = 0x06070809;
+ assert(load_32_n((unsigned char *) &u.n32) == 0x06070809);
+ u.n16 = 0x0a0b;
+ assert(load_16_n((unsigned char *) &u.n16) == 0x0a0b);
+
+ return 0;
+}
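Review bot: `memcmp` is used throughout the new test but only `<assert.h>` and `"k5-platform.h"` are included; if `k5-platform.h` does not pull in `<string.h>` transitively, add `#include <string.h>` explicitly so the test does not depend on an implicit declaration. The 64-bit expected values use a signed `LL` suffix while the `load_64_*` results are presumably unsigned; writing them as `0x0102030405060708ULL` avoids sign-comparison warnings under strict flags without changing the outcome. As a point of style, `int main ()` should be `int main(void)`. The test relies on the leading `#undef NDEBUG` to keep the asserts live, which is worth a one-line comment such as `/* Keep asserts enabled even in optimized builds. */`.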