size_t block_size, keybytes, keylength;
/* cipher-state == 0 fresh state thrown away at end */
- krb5_error_code (*encrypt) (const krb5_keyblock *key,
+ krb5_error_code (*encrypt) (krb5_key key,
const krb5_data *cipher_state,
const krb5_data *input,
krb5_data *output);
- krb5_error_code (*decrypt) (const krb5_keyblock *key,
+ krb5_error_code (*decrypt) (krb5_key key,
const krb5_data *ivec,
const krb5_data *input,
krb5_data *output);
krb5_error_code (*free_state) (krb5_data *state);
/* In-place encryption/decryption of multiple buffers */
- krb5_error_code (*encrypt_iov) (const krb5_keyblock *key,
+ krb5_error_code (*encrypt_iov) (krb5_key key,
const krb5_data *cipher_state,
krb5_crypto_iov *data,
size_t num_data);
- krb5_error_code (*decrypt_iov) (const krb5_keyblock *key,
+ krb5_error_code (*decrypt_iov) (krb5_key key,
const krb5_data *cipher_state,
krb5_crypto_iov *data,
size_t num_data);
struct krb5_keyhash_provider {
size_t hashsize;
- krb5_error_code (*hash) (const krb5_keyblock *key,
+ krb5_error_code (*hash) (krb5_key key,
krb5_keyusage keyusage,
const krb5_data *ivec,
const krb5_data *input,
krb5_data *output);
- krb5_error_code (*verify) (const krb5_keyblock *key,
+ krb5_error_code (*verify) (krb5_key key,
krb5_keyusage keyusage,
const krb5_data *ivec,
const krb5_data *input,
const krb5_data *hash,
krb5_boolean *valid);
- krb5_error_code (*hash_iov) (const krb5_keyblock *key,
+ krb5_error_code (*hash_iov) (krb5_key key,
krb5_keyusage keyusage,
const krb5_data *ivec,
const krb5_crypto_iov *data,
size_t num_data,
krb5_data *output);
- krb5_error_code (*verify_iov) (const krb5_keyblock *key,
+ krb5_error_code (*verify_iov) (krb5_key key,
krb5_keyusage keyusage,
const krb5_data *ivec,
const krb5_crypto_iov *data,
krb5_error_code (*encrypt_iov) (const struct krb5_aead_provider *aead,
const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage keyusage,
const krb5_data *ivec,
krb5_crypto_iov *data,
krb5_error_code (*decrypt_iov) (const struct krb5_aead_provider *aead,
const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage keyusage,
const krb5_data *ivec,
krb5_crypto_iov *data,
krb5_error_code krb5_hmac
(const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, unsigned int icount,
+ krb5_key key, unsigned int icount,
const krb5_data *input, krb5_data *output);
krb5_error_code krb5int_hmac_iov
+(const struct krb5_hash_provider *hash,
+ krb5_key key,
+ const krb5_crypto_iov *data, size_t num_data,
+ krb5_data *output);
+
+krb5_error_code krb5int_hmac_keyblock
+(const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key, unsigned int icount,
+ const krb5_data *input, krb5_data *output);
+
+krb5_error_code krb5int_hmac_iov_keyblock
(const struct krb5_hash_provider *hash,
const krb5_keyblock *key,
const krb5_crypto_iov *data, size_t num_data,
krb5_data *enc_data);
krb5_error_code
-krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
+krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec,
const krb5_data *input, krb5_data *output);
krb5_error_code
-krb5int_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
+krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec,
const krb5_data *input, krb5_data *output);
struct _krb5_kt { /* should move into k5-int.h */
unsigned long iter_count;
krb5_data out;
static const krb5_data usage = { KV5M_DATA, 8, "kerberos" };
+ krb5_key tempkey = NULL;
krb5_error_code err;
if (params) {
if (iter_count >= MAX_ITERATION_COUNT)
return KRB5_ERR_BAD_S2K_PARAMS;
- /*
- * Dense key space, no parity bits or anything, so take a shortcut
- * and use the key contents buffer for the generated bytes.
- */
+ /* Use the output keyblock contents for temporary space. */
out.data = (char *) key->contents;
out.length = key->length;
if (out.length != 16 && out.length != 32)
return KRB5_CRYPTO_INTERNAL;
err = krb5int_pbkdf2_hmac_sha1 (&out, iter_count, string, salt);
- if (err) {
- memset(out.data, 0, out.length);
- return err;
- }
+ if (err)
+ goto cleanup;
- err = krb5_derive_key (enc, key, key, &usage);
- if (err) {
- memset(out.data, 0, out.length);
- return err;
- }
- return 0;
+ err = krb5_k_create_key (NULL, key, &tempkey);
+ if (err)
+ goto cleanup;
+
+ err = krb5_derive_keyblock (enc, tempkey, key, &usage);
+
+cleanup:
+ if (err)
+ memset (out.data, 0, out.length);
+ krb5_k_free_key (NULL, tempkey);
+ return err;
}
krb5_error_code
krb5_arcfour_encrypt(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_key key, krb5_keyusage usage,
const krb5_data *ivec, const krb5_data *input,
krb5_data *output)
{
krb5_keyblock k1, k2, k3;
+ krb5_key k3key = NULL;
krb5_data d1, d2, d3, salt, plaintext, checksum, ciphertext, confounder;
krb5_keyusage ms_usage;
size_t keylength, keybytes, blocksize, hashsize;
d1.data=malloc(d1.length);
if (d1.data == NULL)
return (ENOMEM);
- k1 = *key;
+ k1 = key->keyblock;
k1.length=d1.length;
k1.contents= (void *) d1.data;
free(d1.data);
return (ENOMEM);
}
- k2 = *key;
+ k2 = key->keyblock;
k2.length=d2.length;
k2.contents=(void *) d2.data;
free(d2.data);
return (ENOMEM);
}
- k3 = *key;
+ k3 = key->keyblock;
k3.length=d3.length;
k3.contents= (void *) d3.data;
/* begin the encryption, computer K1 */
ms_usage=krb5int_arcfour_translate_usage(usage);
- if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+ if (key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
strncpy(salt.data, krb5int_arcfour_l40, salt.length);
store_32_le(ms_usage, salt.data+10);
} else {
memcpy(k2.contents, k1.contents, k2.length);
- if (key->enctype==ENCTYPE_ARCFOUR_HMAC_EXP)
+ if (key->keyblock.enctype==ENCTYPE_ARCFOUR_HMAC_EXP)
memset(k1.contents+7, 0xab, 9);
ret=krb5_c_random_make_octets(/* XXX */ 0, &confounder);
if (ret)
goto cleanup;
- krb5_hmac(hash, &k2, 1, &plaintext, &checksum);
+ ret = krb5int_hmac_keyblock(hash, &k2, 1, &plaintext, &checksum);
+ if (ret)
+ goto cleanup;
+
+ ret = krb5int_hmac_keyblock(hash, &k1, 1, &checksum, &d3);
+ if (ret)
+ goto cleanup;
- krb5_hmac(hash, &k1, 1, &checksum, &d3);
+ ret = krb5_k_create_key(NULL, &k3, &k3key);
+ if (ret)
+ goto cleanup;
- ret=(*(enc->encrypt))(&k3, ivec, &plaintext, &ciphertext);
+ ret=(*(enc->encrypt))(k3key, ivec, &plaintext, &ciphertext);
cleanup:
memset(d1.data, 0, d1.length);
krb5_error_code
krb5_arcfour_decrypt(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_key key, krb5_keyusage usage,
const krb5_data *ivec, const krb5_data *input,
krb5_data *output)
{
krb5_keyblock k1,k2,k3;
+ krb5_key k3key;
krb5_data d1,d2,d3,salt,ciphertext,plaintext,checksum;
krb5_keyusage ms_usage;
size_t keybytes, keylength, hashsize, blocksize;
d1.data=malloc(d1.length);
if (d1.data == NULL)
return (ENOMEM);
- k1 = *key;
+ k1 = key->keyblock;
k1.length=d1.length;
k1.contents= (void *) d1.data;
free(d1.data);
return (ENOMEM);
}
- k2 = *key;
+ k2 = key->keyblock;
k2.length=d2.length;
k2.contents= (void *) d2.data;
free(d2.data);
return (ENOMEM);
}
- k3 = *key;
+ k3 = key->keyblock;
k3.length=d3.length;
k3.contents= (void *) d3.data;
/* We may have to try two ms_usage values; see below. */
do {
/* compute the salt */
- if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+ if (key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
strncpy(salt.data, krb5int_arcfour_l40, salt.length);
store_32_le(ms_usage, salt.data + 10);
} else {
memcpy(k2.contents, k1.contents, k2.length);
- if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
+ if (key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
memset(k1.contents + 7, 0xab, 9);
- ret = krb5_hmac(hash, &k1, 1, &checksum, &d3);
+ ret = krb5int_hmac_keyblock(hash, &k1, 1, &checksum, &d3);
if (ret)
goto cleanup;
- ret = (*(enc->decrypt))(&k3, ivec, &ciphertext, &plaintext);
+ ret = krb5_k_create_key(NULL, &k3, &k3key);
+ if (ret)
+ goto cleanup;
+ ret = (*(enc->decrypt))(k3key, ivec, &ciphertext, &plaintext);
+ krb5_k_free_key(NULL, k3key);
if (ret)
goto cleanup;
- ret = krb5_hmac(hash, &k2, 1, &plaintext, &d1);
+ ret = krb5int_hmac_keyblock(hash, &k2, 1, &plaintext, &d1);
if (ret)
goto cleanup;
extern
krb5_error_code krb5_arcfour_encrypt(const struct krb5_enc_provider *,
const struct krb5_hash_provider *,
- const krb5_keyblock *,
+ krb5_key,
krb5_keyusage,
const krb5_data *,
const krb5_data *,
extern
krb5_error_code krb5_arcfour_decrypt(const struct krb5_enc_provider *,
const struct krb5_hash_provider *,
- const krb5_keyblock *,
+ krb5_key,
krb5_keyusage,
const krb5_data *,
const krb5_data *,
krb5int_arcfour_encrypt_iov(const struct krb5_aead_provider *aead,
const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage usage,
const krb5_data *ivec,
krb5_crypto_iov *data,
krb5_error_code ret;
krb5_crypto_iov *header, *trailer;
krb5_keyblock k1, k2, k3;
+ krb5_key k3key = NULL;
krb5_data d1, d2, d3;
krb5_data checksum, confounder, header_data;
krb5_keyusage ms_usage;
data[i].data.length = 0;
}
- ret = alloc_derived_key(enc, &k1, &d1, key);
+ ret = alloc_derived_key(enc, &k1, &d1, &key->keyblock);
if (ret != 0)
goto cleanup;
- ret = alloc_derived_key(enc, &k2, &d2, key);
+ ret = alloc_derived_key(enc, &k2, &d2, &key->keyblock);
if (ret != 0)
goto cleanup;
- ret = alloc_derived_key(enc, &k3, &d3, key);
+ ret = alloc_derived_key(enc, &k3, &d3, &key->keyblock);
if (ret != 0)
goto cleanup;
ms_usage = krb5int_arcfour_translate_usage(usage);
- if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+ if (key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
strncpy(salt.data, krb5int_arcfour_l40, salt.length);
store_32_le(ms_usage, salt.data + 10);
} else {
memcpy(k2.contents, k1.contents, k2.length);
- if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
+ if (key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
memset(k1.contents + 7, 0xAB, 9);
header->data.length = hash->hashsize + CONFOUNDERLENGTH;
header->data.length -= hash->hashsize;
header->data.data += hash->hashsize;
- ret = krb5int_hmac_iov(hash, &k2, data, num_data, &checksum);
+ ret = krb5int_hmac_iov_keyblock(hash, &k2, data, num_data, &checksum);
if (ret != 0)
goto cleanup;
- ret = krb5_hmac(hash, &k1, 1, &checksum, &d3);
+ ret = krb5int_hmac_keyblock(hash, &k1, 1, &checksum, &d3);
if (ret != 0)
goto cleanup;
- ret = enc->encrypt_iov(&k3, ivec, data, num_data);
+ ret = krb5_k_create_key(NULL, &k3, &k3key);
+ if (ret != 0)
+ goto cleanup;
+
+ ret = enc->encrypt_iov(k3key, ivec, data, num_data);
if (ret != 0)
goto cleanup;
free(d3.data);
}
+ krb5_k_free_key(NULL, k3key);
return ret;
}
krb5int_arcfour_decrypt_iov(const struct krb5_aead_provider *aead,
const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage usage,
const krb5_data *ivec,
krb5_crypto_iov *data,
krb5_error_code ret;
krb5_crypto_iov *header, *trailer;
krb5_keyblock k1, k2, k3;
+ krb5_key k3key = NULL;
krb5_data d1, d2, d3;
krb5_data checksum, header_data;
krb5_keyusage ms_usage;
if (trailer != NULL && trailer->data.length != 0)
return KRB5_BAD_MSIZE;
- ret = alloc_derived_key(enc, &k1, &d1, key);
+ ret = alloc_derived_key(enc, &k1, &d1, &key->keyblock);
if (ret != 0)
goto cleanup;
- ret = alloc_derived_key(enc, &k2, &d2, key);
+ ret = alloc_derived_key(enc, &k2, &d2, &key->keyblock);
if (ret != 0)
goto cleanup;
- ret = alloc_derived_key(enc, &k3, &d3, key);
+ ret = alloc_derived_key(enc, &k3, &d3, &key->keyblock);
if (ret != 0)
goto cleanup;
ms_usage = krb5int_arcfour_translate_usage(usage);
- if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+ if (key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
strncpy(salt.data, krb5int_arcfour_l40, salt.length);
store_32_le(ms_usage, (unsigned char *)salt.data + 10);
} else {
memcpy(k2.contents, k1.contents, k2.length);
- if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
+ if (key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
memset(k1.contents + 7, 0xAB, 9);
checksum.data = header->data.data;
header->data.length -= hash->hashsize;
header->data.data += hash->hashsize;
- ret = krb5_hmac(hash, &k1, 1, &checksum, &d3);
+ ret = krb5int_hmac_keyblock(hash, &k1, 1, &checksum, &d3);
+ if (ret != 0)
+ goto cleanup;
+
+ ret = krb5_k_create_key(NULL, &k3, &k3key);
if (ret != 0)
goto cleanup;
- ret = enc->decrypt_iov(&k3, ivec, data, num_data);
+ ret = enc->decrypt_iov(k3key, ivec, data, num_data);
if (ret != 0)
goto cleanup;
- ret = krb5int_hmac_iov(hash, &k2, data, num_data, &d1);
+ ret = krb5int_hmac_iov_keyblock(hash, &k2, data, num_data, &d1);
if (ret != 0)
goto cleanup;
free(d3.data);
}
+ krb5_k_free_key(NULL, k3key);
return ret;
}
}
krb5_error_code
-krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
+krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec,
const krb5_data *input, krb5_data *output)
{
aes_ctx ctx;
/* CHECK_SIZES; */
- if (aes_enc_key(key->contents, key->length, &ctx) != aes_good)
+ if (aes_enc_key(key->keyblock.contents, key->keyblock.length,
+ &ctx) != aes_good)
abort();
if (ivec)
}
krb5_error_code
-krb5int_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
+krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec,
const krb5_data *input, krb5_data *output)
{
aes_ctx ctx;
CHECK_SIZES;
- if (aes_dec_key(key->contents, key->length, &ctx) != aes_good)
+ if (aes_dec_key(key->keyblock.contents, key->keyblock.length,
+ &ctx) != aes_good)
abort();
if (ivec)
}
static krb5_error_code
-krb5int_aes_encrypt_iov(const krb5_keyblock *key,
+krb5int_aes_encrypt_iov(krb5_key key,
const krb5_data *ivec,
krb5_crypto_iov *data,
size_t num_data)
int nblocks = 0, blockno;
size_t input_length, i;
- if (aes_enc_key(key->contents, key->length, &ctx) != aes_good)
+ if (aes_enc_key(key->keyblock.contents, key->keyblock.length, &ctx)
+ != aes_good)
abort();
if (ivec != NULL)
}
static krb5_error_code
-krb5int_aes_decrypt_iov(const krb5_keyblock *key,
+krb5int_aes_decrypt_iov(krb5_key key,
const krb5_data *ivec,
krb5_crypto_iov *data,
size_t num_data)
CHECK_SIZES;
- if (aes_dec_key(key->contents, key->length, &ctx) != aes_good)
+ if (aes_dec_key(key->keyblock.contents, key->keyblock.length,
+ &ctx) != aes_good)
abort();
if (ivec != NULL)
static krb5_error_code
-k5_des_docrypt(const krb5_keyblock *key, const krb5_data *ivec,
+k5_des_docrypt(krb5_key key, const krb5_data *ivec,
const krb5_data *input, krb5_data *output, int enc)
{
mit_des_key_schedule schedule;
- /* key->enctype was checked by the caller */
+ /* key->keyblock.enctype was checked by the caller */
- if (key->length != 8)
+ if (key->keyblock.length != 8)
return(KRB5_BAD_KEYSIZE);
if ((input->length%8) != 0)
return(KRB5_BAD_MSIZE);
if (input->length != output->length)
return(KRB5_BAD_MSIZE);
- switch (mit_des_key_sched(key->contents, schedule)) {
+ switch (mit_des_key_sched(key->keyblock.contents, schedule)) {
case -1:
return(KRB5DES_BAD_KEYPAR);
case -2:
}
static krb5_error_code
-k5_des_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
+k5_des_encrypt(krb5_key key, const krb5_data *ivec,
const krb5_data *input, krb5_data *output)
{
return(k5_des_docrypt(key, ivec, input, output, 1));
}
static krb5_error_code
-k5_des_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
+k5_des_decrypt(krb5_key key, const krb5_data *ivec,
const krb5_data *input, krb5_data *output)
{
return(k5_des_docrypt(key, ivec, input, output, 0));
}
static krb5_error_code
-k5_des_docrypt_iov(const krb5_keyblock *key, const krb5_data *ivec,
+k5_des_docrypt_iov(krb5_key key, const krb5_data *ivec,
krb5_crypto_iov *data, size_t num_data, int enc)
{
mit_des_key_schedule schedule;
size_t input_length = 0;
unsigned int i;
- /* key->enctype was checked by the caller */
+ /* key->keyblock.enctype was checked by the caller */
- if (key->length != 8)
+ if (key->keyblock.length != 8)
return(KRB5_BAD_KEYSIZE);
for (i = 0; i < num_data; i++) {
if (ivec && (ivec->length != 8))
return(KRB5_BAD_MSIZE);
- switch (mit_des_key_sched(key->contents, schedule)) {
+ switch (mit_des_key_sched(key->keyblock.contents, schedule)) {
case -1:
return(KRB5DES_BAD_KEYPAR);
case -2:
}
static krb5_error_code
-k5_des_encrypt_iov(const krb5_keyblock *key,
+k5_des_encrypt_iov(krb5_key key,
const krb5_data *ivec,
krb5_crypto_iov *data,
size_t num_data)
}
static krb5_error_code
-k5_des_decrypt_iov(const krb5_keyblock *key,
+k5_des_decrypt_iov(krb5_key key,
const krb5_data *ivec,
krb5_crypto_iov *data,
size_t num_data)
#include <rand2key.h>
static krb5_error_code
-validate_and_schedule(const krb5_keyblock *key, const krb5_data *ivec,
+validate_and_schedule(krb5_key key, const krb5_data *ivec,
const krb5_data *input, const krb5_data *output,
mit_des3_key_schedule *schedule)
{
- /* key->enctype was checked by the caller */
+ /* key->keyblock.enctype was checked by the caller */
- if (key->length != 24)
+ if (key->keyblock.length != 24)
return(KRB5_BAD_KEYSIZE);
if ((input->length%8) != 0)
return(KRB5_BAD_MSIZE);
if (input->length != output->length)
return(KRB5_BAD_MSIZE);
- switch (mit_des3_key_sched(*(mit_des3_cblock *)key->contents,
+ switch (mit_des3_key_sched(*(mit_des3_cblock *)key->keyblock.contents,
*schedule)) {
case -1:
return(KRB5DES_BAD_KEYPAR);
}
static krb5_error_code
-validate_and_schedule_iov(const krb5_keyblock *key, const krb5_data *ivec,
+validate_and_schedule_iov(krb5_key key, const krb5_data *ivec,
const krb5_crypto_iov *data, size_t num_data,
mit_des3_key_schedule *schedule)
{
input_length += iov->data.length;
}
- if (key->length != 24)
+ if (key->keyblock.length != 24)
return(KRB5_BAD_KEYSIZE);
if ((input_length%8) != 0)
return(KRB5_BAD_MSIZE);
if (ivec && (ivec->length != 8))
return(KRB5_BAD_MSIZE);
- switch (mit_des3_key_sched(*(mit_des3_cblock *)key->contents,
+ switch (mit_des3_key_sched(*(mit_des3_cblock *)key->keyblock.contents,
*schedule)) {
case -1:
return(KRB5DES_BAD_KEYPAR);
}
static krb5_error_code
-k5_des3_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
+k5_des3_encrypt(krb5_key key, const krb5_data *ivec,
const krb5_data *input, krb5_data *output)
{
mit_des3_key_schedule schedule;
}
static krb5_error_code
-k5_des3_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
+k5_des3_decrypt(krb5_key key, const krb5_data *ivec,
const krb5_data *input, krb5_data *output)
{
mit_des3_key_schedule schedule;
}
static krb5_error_code
-k5_des3_encrypt_iov(const krb5_keyblock *key,
+k5_des3_encrypt_iov(krb5_key key,
const krb5_data *ivec,
krb5_crypto_iov *data,
size_t num_data)
}
static krb5_error_code
-k5_des3_decrypt_iov(const krb5_keyblock *key,
+k5_des3_decrypt_iov(krb5_key key,
const krb5_data *ivec,
krb5_crypto_iov *data,
size_t num_data)
/* Interface layer to kerb5 crypto layer */
static krb5_error_code
-k5_arcfour_docrypt(const krb5_keyblock *, const krb5_data *,
+k5_arcfour_docrypt(krb5_key, const krb5_data *,
const krb5_data *, krb5_data *);
static const unsigned char arcfour_weakkey1[] = {0x00, 0x00, 0xfd};
/* The workhorse of the arcfour system, this impliments the cipher */
static krb5_error_code
-k5_arcfour_docrypt(const krb5_keyblock *key, const krb5_data *state,
+k5_arcfour_docrypt(krb5_key key, const krb5_data *state,
const krb5_data *input, krb5_data *output)
{
ArcfourContext *arcfour_ctx;
ArcFourCipherState *cipher_state;
int ret;
- if (key->length != 16)
+ if (key->keyblock.length != 16)
return(KRB5_BAD_KEYSIZE);
if (state && (state->length != sizeof (ArcFourCipherState)))
return(KRB5_BAD_MSIZE);
cipher_state = (ArcFourCipherState *) state->data;
arcfour_ctx=&cipher_state->ctx;
if (cipher_state->initialized == 0) {
- if ((ret=k5_arcfour_init(arcfour_ctx, key->contents, key->length))) {
+ if ((ret=k5_arcfour_init(arcfour_ctx, key->keyblock.contents,
+ key->keyblock.length))) {
return ret;
}
cipher_state->initialized = 1;
arcfour_ctx=malloc(sizeof (ArcfourContext));
if (arcfour_ctx == NULL)
return ENOMEM;
- if ((ret=k5_arcfour_init(arcfour_ctx, key->contents, key->length))) {
+ if ((ret=k5_arcfour_init(arcfour_ctx, key->keyblock.contents,
+ key->keyblock.length))) {
free(arcfour_ctx);
return (ret);
}
/* In-place encryption */
static krb5_error_code
-k5_arcfour_docrypt_iov(const krb5_keyblock *key,
+k5_arcfour_docrypt_iov(krb5_key key,
const krb5_data *state,
krb5_crypto_iov *data,
size_t num_data)
krb5_error_code ret;
size_t i;
- if (key->length != 16)
+ if (key->keyblock.length != 16)
return KRB5_BAD_KEYSIZE;
if (state != NULL && (state->length != sizeof(ArcFourCipherState)))
return KRB5_BAD_MSIZE;
cipher_state = (ArcFourCipherState *)state->data;
arcfour_ctx = &cipher_state->ctx;
if (cipher_state->initialized == 0) {
- ret = k5_arcfour_init(arcfour_ctx, key->contents, key->length);
+ ret = k5_arcfour_init(arcfour_ctx, key->keyblock.contents,
+ key->keyblock.length);
if (ret != 0)
return ret;
if (arcfour_ctx == NULL)
return ENOMEM;
- ret = k5_arcfour_init(arcfour_ctx, key->contents, key->length);
+ ret = k5_arcfour_init(arcfour_ctx, key->keyblock.contents,
+ key->keyblock.length);
if (ret != 0) {
free(arcfour_ctx);
return ret;
#include "k5-int.h"
#include "aead.h"
+/*
+ * Because our built-in HMAC implementation doesn't need to invoke any
+ * encryption or keyed hash functions, it is simplest to define it in
+ * terms of keyblocks, and then supply a simple wrapper for the
+ * "normal" krb5_key-using interfaces. The keyblock interfaces are
+ * useful for the biult-in arcfour code which constructs a lot of
+ * intermediate HMAC keys. For other back ends, it should not be
+ * necessary to supply the _keyblock versions of the hmac functions if
+ * the back end code doesn't make use of them.
+ */
+
/*
* the HMAC transform looks like:
*
*/
krb5_error_code
-krb5_hmac(const struct krb5_hash_provider *hash, const krb5_keyblock *key,
- unsigned int icount, const krb5_data *input, krb5_data *output)
+krb5int_hmac_keyblock(const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key, unsigned int icount,
+ const krb5_data *input, krb5_data *output)
{
size_t hashsize, blocksize;
unsigned char *xorkey, *ihash;
}
krb5_error_code
-krb5int_hmac_iov(const struct krb5_hash_provider *hash, const krb5_keyblock *key,
- const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
+krb5int_hmac_iov_keyblock(const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ const krb5_crypto_iov *data, size_t num_data,
+ krb5_data *output)
{
krb5_data *sign_data;
size_t num_sign_data;
}
/* caller must store checksum in iov as it may be TYPE_TRAILER or TYPE_CHECKSUM */
- ret = krb5_hmac(hash, key, num_sign_data, sign_data, output);
+ ret = krb5int_hmac_keyblock(hash, key, num_sign_data, sign_data, output);
free(sign_data);
return ret;
}
+krb5_error_code
+krb5_hmac(const struct krb5_hash_provider *hash, krb5_key key,
+ unsigned int icount, const krb5_data *input, krb5_data *output)
+{
+ return krb5int_hmac_keyblock(hash, &key->keyblock, icount, input, output);
+}
+
+krb5_error_code
+krb5int_hmac_iov(const struct krb5_hash_provider *hash, krb5_key key,
+ const krb5_crypto_iov *data, size_t num_data,
+ krb5_data *output)
+{
+ return krb5int_hmac_iov_keyblock(hash, &key->keyblock, data, num_data,
+ output);
+}
*
*
* Implementation of PBKDF2 from RFC 2898.
- * Not currently used; likely to be used when we get around to AES support.
*/
#include <ctype.h>
#include "k5-int.h"
#include "hash_provider.h"
+/*
+ * RFC 2898 specifies PBKDF2 in terms of an underlying pseudo-random
+ * function with two arguments (password and salt||blockindex). Right
+ * now we only use PBKDF2 with the hmac-sha1 PRF, also specified in
+ * RFC 2898, which invokes HMAC with the password as the key and the
+ * second argument as the text. (HMAC accepts any key size up to the
+ * block size; the password is pre-hashed with unkeyed SHA1 if it is
+ * longer than the block size.)
+ *
+ * For efficiency, it is better to generate the key from the password
+ * once at the beginning, so we specify prf_func in terms of a
+ * krb5_key first argument. That might not be convenient for a PRF
+ * which uses the password in some other way, so this might need to be
+ * adjusted in the future.
+ */
+
+typedef krb5_error_code (*prf_func)(krb5_key pass, krb5_data *salt,
+ krb5_data *out);
+
/* Not exported, for now. */
static krb5_error_code
-krb5int_pbkdf2 (krb5_error_code (*prf)(krb5_keyblock *, krb5_data *,
- krb5_data *),
- size_t hlen, const krb5_data *pass, const krb5_data *salt,
- unsigned long count, const krb5_data *output);
+krb5int_pbkdf2 (prf_func prf, size_t hlen, krb5_key pass,
+ const krb5_data *salt, unsigned long count,
+ const krb5_data *output);
static int debug_hmac = 0;
}
printf("\n");
}
-static void printk(const char *descr, krb5_keyblock *k) {
- krb5_data d;
- d.data = (char *) k->contents;
- d.length = k->length;
- printd(descr, &d);
-}
static krb5_error_code
-F(char *output, char *u_tmp1, char *u_tmp2,
- krb5_error_code (*prf)(krb5_keyblock *, krb5_data *, krb5_data *),
- size_t hlen,
- const krb5_data *pass, const krb5_data *salt,
- unsigned long count, int i)
+F(char *output, char *u_tmp1, char *u_tmp2, prf_func prf, size_t hlen,
+ krb5_key pass, const krb5_data *salt, unsigned long count, int i)
{
unsigned char ibytes[4];
size_t tlen;
unsigned int j, k;
- krb5_keyblock pdata;
krb5_data sdata;
krb5_data out;
krb5_error_code err;
- pdata.contents = pass->data;
- pdata.length = pass->length;
-
#if 0
printf("F(i=%d, count=%lu, pass=%d:%s)\n", i, count,
pass->length, pass->data);
- printk("F password", &pdata);
#endif
/* Compute U_1. */
#if 0
printf("F: computing hmac #1 (U_1) with %s\n", pdata.contents);
#endif
- err = (*prf)(&pdata, &sdata, &out);
+ err = (*prf)(pass, &sdata, &out);
if (err)
return err;
#if 0
printf("F: computing hmac #%d (U_%d)\n", j, j);
#endif
memcpy(u_tmp2, u_tmp1, hlen);
- err = (*prf)(&pdata, &sdata, &out);
+ err = (*prf)(pass, &sdata, &out);
if (err)
return err;
#if 0
}
static krb5_error_code
-krb5int_pbkdf2 (krb5_error_code (*prf)(krb5_keyblock *, krb5_data *,
- krb5_data *),
- size_t hlen,
- const krb5_data *pass, const krb5_data *salt,
- unsigned long count, const krb5_data *output)
+krb5int_pbkdf2 (prf_func prf, size_t hlen, krb5_key pass,
+ const krb5_data *salt, unsigned long count,
+ const krb5_data *output)
{
int l, r, i;
char *utmp1, *utmp2;
return 0;
}
-static krb5_error_code hmac1(const struct krb5_hash_provider *h,
- krb5_keyblock *key, krb5_data *in, krb5_data *out)
+/*
+ * Implements the hmac-sha1 PRF. pass has been pre-hashed (if
+ * necessary) and converted to a key already; salt has had the block
+ * index appended to the original salt.
+ */
+static krb5_error_code
+hmac_sha1(krb5_key pass, krb5_data *salt, krb5_data *out)
{
- char tmp[40];
- size_t blocksize, hashsize;
+ const struct krb5_hash_provider *h = &krb5int_hash_sha1;
krb5_error_code err;
- krb5_keyblock k;
- k = *key;
- key = &k;
if (debug_hmac)
- printk(" test key", key);
- blocksize = h->blocksize;
- hashsize = h->hashsize;
- if (hashsize > sizeof(tmp))
- abort();
- if (key->length > blocksize) {
- krb5_data d, d2;
- d.data = (char *) key->contents;
- d.length = key->length;
- d2.data = tmp;
- d2.length = hashsize;
- err = h->hash (1, &d, &d2);
- if (err)
- return err;
- key->length = d2.length;
- key->contents = (krb5_octet *) d2.data;
- if (debug_hmac)
- printk(" pre-hashed key", key);
- }
- if (debug_hmac)
- printd(" hmac input", in);
- err = krb5_hmac(h, key, 1, in, out);
+ printd(" hmac input", salt);
+ err = krb5_hmac(h, pass, 1, salt, out);
if (err == 0 && debug_hmac)
printd(" hmac output", out);
return err;
}
-static krb5_error_code
-foo(krb5_keyblock *pass, krb5_data *salt, krb5_data *out)
-{
- krb5_error_code err;
-
- memset(out->data, 0, out->length);
- err = hmac1 (&krb5int_hash_sha1, pass, salt, out);
- return err;
-}
-
krb5_error_code
krb5int_pbkdf2_hmac_sha1 (const krb5_data *out, unsigned long count,
const krb5_data *pass, const krb5_data *salt)
{
- return krb5int_pbkdf2 (foo, 20, pass, salt, count, out);
+ const struct krb5_hash_provider *h = &krb5int_hash_sha1;
+ krb5_keyblock keyblock;
+ krb5_key key;
+ char tmp[40];
+ krb5_data d;
+ krb5_error_code err;
+
+ assert(h->hashsize <= sizeof(tmp));
+ if (pass->length > h->blocksize) {
+ d.data = tmp;
+ d.length = h->hashsize;
+ err = h->hash (1, pass, &d);
+ if (err)
+ return err;
+ keyblock.length = d.length;
+ keyblock.contents = (krb5_octet *) d.data;
+ } else {
+ keyblock.length = pass->length;
+ keyblock.contents = (krb5_octet *) pass->data;
+ }
+
+ err = krb5_k_create_key(NULL, &keyblock, &key);
+ if (err)
+ return err;
+
+ err = krb5int_pbkdf2(hmac_sha1, 20, key, salt, count, out);
+ krb5_k_free_key(NULL, key);
+ return err;
}
krb5_error_code
krb5int_c_make_checksum_iov(const struct krb5_cksumtypes *cksum_type,
- const krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage usage,
const krb5_crypto_iov *data,
size_t num_data,
if (cksum_type->keyed_etype) {
e1 = find_enctype(cksum_type->keyed_etype);
- e2 = find_enctype(key->enctype);
+ e2 = find_enctype(key->keyblock.enctype);
if (e1 == NULL || e2 == NULL || e1->enc != e2->enc) {
ret = KRB5_BAD_ENCTYPE;
goto cleanup;
krb5int_c_iov_decrypt_stream(const struct krb5_aead_provider *aead,
const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage keyusage,
const krb5_data *ivec,
krb5_crypto_iov *data,
krb5int_c_encrypt_aead_compat(const struct krb5_aead_provider *aead,
const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_key key, krb5_keyusage usage,
const krb5_data *ivec, const krb5_data *input,
krb5_data *output)
{
krb5int_c_decrypt_aead_compat(const struct krb5_aead_provider *aead,
const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_key key, krb5_keyusage usage,
const krb5_data *ivec, const krb5_data *input,
krb5_data *output)
{
krb5_error_code
krb5int_c_make_checksum_iov(const struct krb5_cksumtypes *cksum,
- const krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage usage,
const krb5_crypto_iov *data,
size_t num_data,
krb5int_c_iov_decrypt_stream(const struct krb5_aead_provider *aead,
const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage keyusage,
const krb5_data *ivec,
krb5_crypto_iov *data,
krb5int_c_decrypt_aead_compat(const struct krb5_aead_provider *aead,
const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_key key, krb5_keyusage usage,
const krb5_data *ivec, const krb5_data *input,
krb5_data *output);
krb5int_c_encrypt_aead_compat(const struct krb5_aead_provider *aead,
const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_key key, krb5_keyusage usage,
const krb5_data *ivec, const krb5_data *input,
krb5_data *output);
size_t keybytes, keylength;
const struct krb5_enc_provider *enc;
krb5_data input, randbits;
- krb5_keyblock tkey;
+ krb5_keyblock tkeyblock;
+ krb5_key tkey = NULL;
krb5_error_code ret;
const struct krb5_keytypes *ktp;
krb5_boolean myalloc = FALSE;
randbits.length = keybytes;
randbits.data = (char *) rnd;
- tkey.length = keylength;
- tkey.contents = output;
+ tkeyblock.length = keylength;
+ tkeyblock.contents = output;
- ret = (*enc->make_key)(&randbits, &tkey);
+ ret = (*enc->make_key)(&randbits, &tkeyblock);
+ if (ret)
+ goto cleanup;
+
+ ret = krb5_k_create_key(NULL, &tkeyblock, &tkey);
if (ret)
goto cleanup;
myalloc = TRUE;
}
- ret = krb5_derive_key(enc, &tkey, outkey, &input);
+ ret = krb5_derive_keyblock(enc, tkey, outkey, &input);
if (ret) {
if (myalloc) {
free(outkey->contents);
zapfree(rnd, keybytes);
zapfree(combined, keybytes * 2);
zapfree(output, keylength);
+ krb5_k_free_key(NULL, tkey);
return ret;
}
unsigned char *inblockdata = NULL, *outblockdata = NULL;
krb5_data inblock, outblock;
krb5_error_code ret;
+ krb5_key key = NULL;
blocksize = enc->block_size;
keybytes = enc->keybytes;
if (ret)
goto cleanup;
outblockdata = k5alloc(blocksize, &ret);
+ if (ret)
+ goto cleanup;
+ ret = krb5_k_create_key(NULL, inkey, &key);
if (ret)
goto cleanup;
n = 0;
while (n < keybytes) {
- ret = (*enc->encrypt)(inkey, 0, &inblock, &outblock);
+ ret = (*enc->encrypt)(key, 0, &inblock, &outblock);
if (ret)
goto cleanup;
cleanup:
zapfree(inblockdata, blocksize);
zapfree(outblockdata, blocksize);
+ krb5_k_free_key(NULL, key);
return ret;
}
#include "aead.h"
krb5_error_code KRB5_CALLCONV
-krb5_c_decrypt(krb5_context context, const krb5_keyblock *key,
+krb5_k_decrypt(krb5_context context, krb5_key key,
krb5_keyusage usage, const krb5_data *ivec,
const krb5_enc_data *input, krb5_data *output)
{
const struct krb5_keytypes *ktp;
- ktp = find_enctype(key->enctype);
+ ktp = find_enctype(key->keyblock.enctype);
if (ktp == NULL)
return KRB5_BAD_ENCTYPE;
return (*ktp->decrypt)(ktp->enc, ktp->hash, key, usage, ivec,
&input->ciphertext, output);
}
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_decrypt(krb5_context context, const krb5_keyblock *keyblock,
+ krb5_keyusage usage, const krb5_data *ivec,
+ const krb5_enc_data *input, krb5_data *output)
+{
+ krb5_key key;
+ krb5_error_code ret;
+
+ ret = krb5_k_create_key(context, keyblock, &key);
+ if (ret != 0)
+ return ret;
+ ret = krb5_k_decrypt(context, key, usage, ivec, input, output);
+ krb5_k_free_key(context, key);
+ return ret;
+}
#include "aead.h"
krb5_error_code KRB5_CALLCONV
-krb5_c_decrypt_iov(krb5_context context,
- const krb5_keyblock *key,
+krb5_k_decrypt_iov(krb5_context context,
+ krb5_key key,
krb5_keyusage usage,
const krb5_data *cipher_state,
krb5_crypto_iov *data,
{
const struct krb5_keytypes *ktp;
- ktp = find_enctype(key->enctype);
+ ktp = find_enctype(key->keyblock.enctype);
if (ktp == NULL || ktp->aead == NULL)
return KRB5_BAD_ENCTYPE;
usage, cipher_state, data, num_data);
}
+krb5_error_code KRB5_CALLCONV
+krb5_c_decrypt_iov(krb5_context context,
+ const krb5_keyblock *keyblock,
+ krb5_keyusage usage,
+ const krb5_data *cipher_state,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ krb5_key key;
+ krb5_error_code ret;
+
+ ret = krb5_k_create_key(context, keyblock, &key);
+ if (ret != 0)
+ return ret;
+ ret = krb5_k_decrypt_iov(context, key, usage, cipher_state, data,
+ num_data);
+ krb5_k_free_key(context, key);
+ return ret;
+}
krb5_error_code
krb5_dk_make_checksum(const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_key key, krb5_keyusage usage,
const krb5_data *input, krb5_data *output)
{
const struct krb5_keytypes *ktp;
const struct krb5_enc_provider *enc;
- size_t keylength;
krb5_error_code ret;
unsigned char constantdata[K5CLENGTH];
krb5_data datain;
- unsigned char *kcdata;
- krb5_keyblock kc;
+ krb5_key kc;
- ktp = find_enctype(key->enctype);
+ ktp = find_enctype(key->keyblock.enctype);
if (ktp == NULL)
return KRB5_BAD_ENCTYPE;
enc = ktp->enc;
* output->length will be tested in krb5_hmac.
*/
- /* Allocate and set to-be-derived keys. */
- keylength = enc->keylength;
- kcdata = malloc(keylength);
- if (kcdata == NULL)
- return ENOMEM;
-
- kc.contents = kcdata;
- kc.length = keylength;
-
/* Derive the key. */
datain.data = (char *) constantdata;
ret = krb5_derive_key(enc, key, &kc, &datain);
if (ret)
- goto cleanup;
+ return ret;
/* hash the data */
datain = *input;
- ret = krb5_hmac(hash, &kc, 1, &datain, output);
+ ret = krb5_hmac(hash, kc, 1, &datain, output);
if (ret)
memset(output->data, 0, output->length);
-cleanup:
- zapfree(kcdata, keylength);
+ krb5_k_free_key(NULL, kc);
return ret;
}
krb5_error_code
krb5int_dk_make_checksum_iov(const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_key key, krb5_keyusage usage,
const krb5_crypto_iov *data, size_t num_data,
krb5_data *output)
{
const struct krb5_keytypes *ktp;
const struct krb5_enc_provider *enc;
- size_t keylength;
krb5_error_code ret;
unsigned char constantdata[K5CLENGTH];
krb5_data datain;
- unsigned char *kcdata;
- krb5_keyblock kc;
+ krb5_key kc;
- ktp = find_enctype(key->enctype);
+ ktp = find_enctype(key->keyblock.enctype);
if (ktp == NULL)
return KRB5_BAD_ENCTYPE;
enc = ktp->enc;
* output->length will be tested in krb5_hmac.
*/
- /* Allocate and set to-be-derived keys. */
-
- keylength = enc->keylength;
- kcdata = malloc(keylength);
- if (kcdata == NULL)
- return ENOMEM;
-
- kc.contents = kcdata;
- kc.length = keylength;
-
/* Derive the key. */
datain.data = (char *) constantdata;
ret = krb5_derive_key(enc, key, &kc, &datain);
if (ret)
- goto cleanup;
+ return ret;
/* Hash the data. */
- ret = krb5int_hmac_iov(hash, &kc, data, num_data, output);
+ ret = krb5int_hmac_iov(hash, kc, data, num_data, output);
if (ret)
memset(output->data, 0, output->length);
-cleanup:
- zapfree(kcdata, keylength);
-
- return(ret);
+ krb5_k_free_key(NULL, kc);
+ return ret;
}
-
#include "dk.h"
krb5_error_code
-krb5_derive_key(const struct krb5_enc_provider *enc,
- const krb5_keyblock *inkey, krb5_keyblock *outkey,
- const krb5_data *in_constant)
+krb5_derive_keyblock(const struct krb5_enc_provider *enc,
+ krb5_key inkey, krb5_keyblock *outkey,
+ const krb5_data *in_constant)
{
size_t blocksize, keybytes, n;
unsigned char *inblockdata = NULL, *outblockdata = NULL, *rawkey = NULL;
blocksize = enc->block_size;
keybytes = enc->keybytes;
- if (inkey->length != enc->keylength || outkey->length != enc->keylength)
+ if (inkey->keyblock.length != enc->keylength ||
+ outkey->length != enc->keylength)
return KRB5_CRYPTO_INTERNAL;
/* Allocate and set up buffers. */
return ret;
}
+krb5_error_code
+krb5_derive_key(const struct krb5_enc_provider *enc,
+ krb5_key inkey, krb5_key *outkey,
+ const krb5_data *in_constant)
+{
+ krb5_keyblock keyblock;
+ krb5_error_code ret;
+
+ *outkey = NULL;
+
+ /* Set up a temporary keyblock. */
+ keyblock.length = enc->keylength;
+ keyblock.contents = malloc(keyblock.length);
+ if (keyblock.contents == NULL)
+ return ENOMEM;
+
+ ret = krb5_derive_keyblock(enc, inkey, &keyblock, in_constant);
+ if (ret)
+ goto cleanup;
+
+ /* Convert the keyblock to a key. */
+ ret = krb5_k_create_key(NULL, &keyblock, outkey);
+
+cleanup:
+ zapfree(keyblock.contents, keyblock.length);
+ return ret;
+}
krb5_error_code
krb5_derive_random(const struct krb5_enc_provider *enc,
- const krb5_keyblock *inkey, krb5_data *outrnd,
+ krb5_key inkey, krb5_data *outrnd,
const krb5_data *in_constant)
{
size_t blocksize, keybytes, n;
blocksize = enc->block_size;
keybytes = enc->keybytes;
- if (inkey->length != enc->keylength || outrnd->length != keybytes)
+ if (inkey->keyblock.length != enc->keylength || outrnd->length != keybytes)
return KRB5_CRYPTO_INTERNAL;
/* Allocate and set up buffers. */
krb5_error_code krb5_dk_encrypt(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_key key, krb5_keyusage usage,
const krb5_data *ivec,
const krb5_data *input, krb5_data *output);
krb5_error_code krb5int_aes_dk_encrypt(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage usage,
const krb5_data *ivec,
const krb5_data *input,
krb5_error_code krb5_dk_decrypt(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_key key, krb5_keyusage usage,
const krb5_data *ivec, const krb5_data *input,
krb5_data *arg_output);
krb5_error_code krb5int_aes_dk_decrypt(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage usage,
const krb5_data *ivec,
const krb5_data *input,
const krb5_data *params,
krb5_keyblock *key);
+krb5_error_code krb5_derive_keyblock(const struct krb5_enc_provider *enc,
+ krb5_key inkey,
+ krb5_keyblock *outkey,
+ const krb5_data *in_constant);
+
krb5_error_code krb5_derive_key(const struct krb5_enc_provider *enc,
- const krb5_keyblock *inkey,
- krb5_keyblock *outkey,
+ krb5_key inkey,
+ krb5_key *outkey,
const krb5_data *in_constant);
krb5_error_code krb5_dk_make_checksum(const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage usage,
const krb5_data *input,
krb5_data *output);
krb5_error_code
krb5int_dk_make_checksum_iov(const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_key key, krb5_keyusage usage,
const krb5_crypto_iov *data, size_t num_data,
krb5_data *output);
krb5_error_code
krb5_derive_random(const struct krb5_enc_provider *enc,
- const krb5_keyblock *inkey, krb5_data *outrnd,
+ krb5_key inkey, krb5_data *outrnd,
const krb5_data *in_constant);
/* AEAD */
krb5int_dk_encrypt_iov(const struct krb5_aead_provider *aead,
const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage usage,
const krb5_data *ivec,
krb5_crypto_iov *data,
unsigned char constantdata[K5CLENGTH];
krb5_data d1, d2;
krb5_crypto_iov *header, *trailer, *padding;
- krb5_keyblock ke, ki;
+ krb5_key ke = NULL, ki = NULL;
size_t i;
unsigned int blocksize = 0;
unsigned int plainlen = 0;
unsigned int padsize = 0;
unsigned char *cksum = NULL;
- ke.contents = ki.contents = NULL;
- ke.length = ki.length = 0;
-
/* E(Confounder | Plaintext | Pad) | Checksum */
ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING,
padding->data.length = padsize;
}
- ke.length = enc->keylength;
- ke.contents = k5alloc(ke.length, &ret);
- if (ret != 0)
- goto cleanup;
- ki.length = enc->keylength;
- ki.contents = k5alloc(ki.length, &ret);
- if (ret != 0)
- goto cleanup;
cksum = k5alloc(hash->hashsize, &ret);
if (ret != 0)
goto cleanup;
d2.length = hash->hashsize;
d2.data = (char *)cksum;
- ret = krb5int_hmac_iov(hash, &ki, data, num_data, &d2);
+ ret = krb5int_hmac_iov(hash, ki, data, num_data, &d2);
if (ret != 0)
goto cleanup;
/* Encrypt the plaintext (header | data | padding) */
assert(enc->encrypt_iov != NULL);
- ret = (*enc->encrypt_iov)(&ke, ivec, data, num_data); /* updates ivec */
+ ret = (*enc->encrypt_iov)(ke, ivec, data, num_data); /* updates ivec */
if (ret != 0)
goto cleanup;
trailer->data.length = hmacsize;
cleanup:
- zapfree(ke.contents, ke.length);
- zapfree(ki.contents, ki.length);
+ krb5_k_free_key(NULL, ke);
+ krb5_k_free_key(NULL, ki);
free(cksum);
return ret;
}
krb5int_dk_decrypt_iov(const struct krb5_aead_provider *aead,
const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage usage,
const krb5_data *ivec,
krb5_crypto_iov *data,
unsigned char constantdata[K5CLENGTH];
krb5_data d1;
krb5_crypto_iov *header, *trailer;
- krb5_keyblock ke, ki;
+ krb5_key ke = NULL, ki = NULL;
size_t i;
unsigned int blocksize = 0; /* enc block size, not confounder len */
unsigned int cipherlen = 0;
usage, ivec, data, num_data);
}
- ke.contents = ki.contents = NULL;
- ke.length = ki.length = 0;
-
/* E(Confounder | Plaintext | Pad) | Checksum */
ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING,
if (trailer == NULL || trailer->data.length != hmacsize)
return KRB5_BAD_MSIZE;
- ke.length = enc->keylength;
- ke.contents = k5alloc(ke.length, &ret);
- if (ret != 0)
- goto cleanup;
- ki.length = enc->keylength;
- ki.contents = k5alloc(ki.length, &ret);
- if (ret != 0)
- goto cleanup;
cksum = k5alloc(hash->hashsize, &ret);
if (ret != 0)
goto cleanup;
/* Decrypt the plaintext (header | data | padding). */
assert(enc->decrypt_iov != NULL);
- ret = (*enc->decrypt_iov)(&ke, ivec, data, num_data); /* updates ivec */
+ ret = (*enc->decrypt_iov)(ke, ivec, data, num_data); /* updates ivec */
if (ret != 0)
goto cleanup;
d1.length = hash->hashsize; /* non-truncated length */
d1.data = (char *)cksum;
- ret = krb5int_hmac_iov(hash, &ki, data, num_data, &d1);
+ ret = krb5int_hmac_iov(hash, ki, data, num_data, &d1);
if (ret != 0)
goto cleanup;
}
cleanup:
- zapfree(ke.contents, ke.length);
- zapfree(ki.contents, ki.length);
+ krb5_k_free_key(NULL, ke);
+ krb5_k_free_key(NULL, ki);
free(cksum);
-
return ret;
}
static krb5_error_code
krb5_dk_decrypt_maybe_trunc_hmac(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage usage,
const krb5_data *ivec,
const krb5_data *input,
krb5_error_code
krb5_dk_decrypt(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_key key, krb5_keyusage usage,
const krb5_data *ivec, const krb5_data *input,
krb5_data *output)
{
krb5_error_code
krb5int_aes_dk_decrypt(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_key key, krb5_keyusage usage,
const krb5_data *ivec, const krb5_data *input,
krb5_data *output)
{
static krb5_error_code
krb5_dk_decrypt_maybe_trunc_hmac(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_key key, krb5_keyusage usage,
const krb5_data *ivec, const krb5_data *input,
krb5_data *output, size_t hmacsize,
int ivec_mode)
{
krb5_error_code ret;
- size_t hashsize, blocksize, keylength, enclen, plainlen;
- unsigned char *plaindata = NULL, *kedata = NULL, *kidata = NULL;
- unsigned char *cksum = NULL, *cn;
- krb5_keyblock ke, ki;
+ size_t hashsize, blocksize, enclen, plainlen;
+ unsigned char *plaindata = NULL, *cksum = NULL, *cn;
+ krb5_key ke = NULL, ki = NULL;
krb5_data d1, d2;
unsigned char constantdata[K5CLENGTH];
hashsize = hash->hashsize;
blocksize = enc->block_size;
- keylength = enc->keylength;
if (hmacsize == 0)
hmacsize = hashsize;
enclen = input->length - hmacsize;
/* Allocate and set up ciphertext and to-be-derived keys. */
- kedata = k5alloc(keylength, &ret);
- if (ret != 0)
- goto cleanup;
- kidata = k5alloc(keylength, &ret);
- if (ret != 0)
- goto cleanup;
plaindata = k5alloc(enclen, &ret);
if (ret != 0)
goto cleanup;
if (ret != 0)
goto cleanup;
- ke.contents = kedata;
- ke.length = keylength;
- ki.contents = kidata;
- ki.length = keylength;
-
/* Derive the keys. */
d1.data = (char *) constantdata;
d2.length = enclen;
d2.data = (char *) plaindata;
- ret = (*enc->decrypt)(&ke, ivec, &d1, &d2);
+ ret = (*enc->decrypt)(ke, ivec, &d1, &d2);
if (ret != 0)
goto cleanup;
d1.length = hashsize;
d1.data = (char *) cksum;
- ret = krb5_hmac(hash, &ki, 1, &d2, &d1);
+ ret = krb5_hmac(hash, ki, 1, &d2, &d1);
if (ret != 0)
goto cleanup;
memcpy(ivec->data, cn, blocksize);
cleanup:
- zapfree(kedata, keylength);
- zapfree(kidata, keylength);
+ krb5_k_free_key(NULL, ke);
+ krb5_k_free_key(NULL, ki);
zapfree(plaindata, enclen);
zapfree(cksum, hashsize);
return ret;
krb5_error_code
krb5_dk_encrypt(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_key key, krb5_keyusage usage,
const krb5_data *ivec, const krb5_data *input,
krb5_data *output)
{
- size_t blocksize, keylength, plainlen, enclen;
+ size_t blocksize, plainlen, enclen;
krb5_error_code ret;
unsigned char constantdata[K5CLENGTH];
krb5_data d1, d2;
- unsigned char *plaintext = NULL, *kedata = NULL, *kidata = NULL;
+ unsigned char *plaintext = NULL;
char *cn;
- krb5_keyblock ke, ki;
+ krb5_key ke = NULL, ki = NULL;
blocksize = enc->block_size;
- keylength = enc->keylength;
plainlen = krb5_roundup(blocksize + input->length, blocksize);
krb5_dk_encrypt_length(enc, hash, input->length, &enclen);
/* Allocate and set up plaintext and to-be-derived keys. */
- kedata = k5alloc(keylength, &ret);
- if (ret != 0)
- goto cleanup;
- kidata = k5alloc(keylength, &ret);
- if (ret != 0)
- goto cleanup;
- plaintext = k5alloc(plainlen, &ret);
- if (ret != 0)
- goto cleanup;
-
- ke.contents = kedata;
- ke.length = keylength;
- ki.contents = kidata;
- ki.length = keylength;
+ plaintext = malloc(plainlen);
+ if (plaintext == NULL)
+ return ENOMEM;
/* Derive the keys. */
d2.length = plainlen;
d2.data = output->data;
- ret = (*enc->encrypt)(&ke, ivec, &d1, &d2);
+ ret = (*enc->encrypt)(ke, ivec, &d1, &d2);
if (ret != 0)
goto cleanup;
output->length = enclen;
- ret = krb5_hmac(hash, &ki, 1, &d1, &d2);
+ ret = krb5_hmac(hash, ki, 1, &d1, &d2);
if (ret != 0) {
memset(d2.data, 0, d2.length);
goto cleanup;
memcpy(ivec->data, cn, blocksize);
cleanup:
- zapfree(kedata, keylength);
- zapfree(kidata, keylength);
+ krb5_k_free_key(NULL, ke);
+ krb5_k_free_key(NULL, ki);
zapfree(plaintext, plainlen);
return ret;
}
static krb5_error_code
trunc_hmac (const struct krb5_hash_provider *hash,
- const krb5_keyblock *ki, unsigned int num,
+ krb5_key ki, unsigned int num,
const krb5_data *input, const krb5_data *output)
{
size_t hashsize;
krb5_error_code
krb5int_aes_dk_encrypt(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_key key, krb5_keyusage usage,
const krb5_data *ivec, const krb5_data *input,
krb5_data *output)
{
- size_t blocksize, keybytes, keylength, plainlen, enclen;
+ size_t blocksize, keybytes, plainlen, enclen;
krb5_error_code ret;
unsigned char constantdata[K5CLENGTH];
krb5_data d1, d2;
- unsigned char *plaintext = NULL, *kedata = NULL, *kidata = NULL;
+ unsigned char *plaintext = NULL;
char *cn;
- krb5_keyblock ke, ki;
+ krb5_key ke = NULL, ki = NULL;
/* allocate and set up plaintext and to-be-derived keys */
blocksize = enc->block_size;
keybytes = enc->keybytes;
- keylength = enc->keylength;
plainlen = blocksize+input->length;
krb5int_aes_encrypt_length(enc, hash, input->length, &enclen);
if (output->length < enclen)
return KRB5_BAD_MSIZE;
- kedata = k5alloc(keylength, &ret);
- if (ret != 0)
- goto cleanup;
- kidata = k5alloc(keylength, &ret);
- if (ret != 0)
- goto cleanup;
- plaintext = k5alloc(plainlen, &ret);
- if (ret != 0)
- goto cleanup;
-
- ke.contents = kedata;
- ke.length = keylength;
- ki.contents = kidata;
- ki.length = keylength;
+ plaintext = malloc(plainlen);
+ if (plaintext == NULL)
+ return ENOMEM;
/* Derive the keys. */
d2.length = plainlen;
d2.data = output->data;
- ret = (*enc->encrypt)(&ke, ivec, &d1, &d2);
+ ret = (*enc->encrypt)(ke, ivec, &d1, &d2);
if (ret != 0)
goto cleanup;
if (d2.length != 96 / 8)
abort();
- ret = trunc_hmac(hash, &ki, 1, &d1, &d2);
+ ret = trunc_hmac(hash, ki, 1, &d1, &d2);
if (ret != 0) {
memset(d2.data, 0, d2.length);
goto cleanup;
memcpy(ivec->data, cn, blocksize);
cleanup:
- zapfree(kedata, keylength);
- zapfree(kidata, keylength);
+ krb5_k_free_key(NULL, ke);
+ krb5_k_free_key(NULL, ki);
zapfree(plaintext, plainlen);
return ret;
}
krb5_error_code
krb5int_dk_string_to_key(const struct krb5_enc_provider *enc,
const krb5_data *string, const krb5_data *salt,
- const krb5_data *parms, krb5_keyblock *key)
+ const krb5_data *parms, krb5_keyblock *keyblock)
{
krb5_error_code ret;
size_t keybytes, keylength, concatlen;
unsigned char *concat = NULL, *foldstring = NULL, *foldkeydata = NULL;
krb5_data indata;
- krb5_keyblock foldkey;
+ krb5_keyblock foldkeyblock;
+ krb5_key foldkey = NULL;
- /* key->length is checked by krb5_derive_key. */
+ /* keyblock->length is checked by krb5_derive_key. */
keybytes = enc->keybytes;
keylength = enc->keylength;
indata.length = keybytes;
indata.data = (char *) foldstring;
- foldkey.length = keylength;
- foldkey.contents = foldkeydata;
+ foldkeyblock.length = keylength;
+ foldkeyblock.contents = foldkeydata;
- ret = (*enc->make_key)(&indata, &foldkey);
+ ret = (*enc->make_key)(&indata, &foldkeyblock);
+ if (ret != 0)
+ goto cleanup;
+
+ ret = krb5_k_create_key(NULL, &foldkeyblock, &foldkey);
if (ret != 0)
goto cleanup;
indata.length = kerberos_len;
indata.data = (char *) kerberos;
- ret = krb5_derive_key(enc, &foldkey, key, &indata);
+ ret = krb5_derive_keyblock(enc, foldkey, keyblock, &indata);
if (ret != 0)
- memset(key->contents, 0, key->length);
+ memset(keyblock->contents, 0, keyblock->length);
cleanup:
zapfree(concat, concatlen);
zapfree(foldstring, keybytes);
zapfree(foldkeydata, keylength);
+ krb5_k_free_key(NULL, foldkey);
return ret;
}
#include "aead.h"
krb5_error_code KRB5_CALLCONV
-krb5_c_encrypt(krb5_context context, const krb5_keyblock *key,
+krb5_k_encrypt(krb5_context context, krb5_key key,
krb5_keyusage usage, const krb5_data *ivec,
const krb5_data *input, krb5_enc_data *output)
{
const struct krb5_keytypes *ktp;
- ktp = find_enctype(key->enctype);
+ ktp = find_enctype(key->keyblock.enctype);
if (ktp == NULL)
return KRB5_BAD_ENCTYPE;
output->magic = KV5M_ENC_DATA;
output->kvno = 0;
- output->enctype = key->enctype;
+ output->enctype = key->keyblock.enctype;
if (ktp->encrypt == NULL) {
assert(ktp->aead != NULL);
return (*ktp->encrypt)(ktp->enc, ktp->hash, key, usage, ivec, input,
&output->ciphertext);
}
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_encrypt(krb5_context context, const krb5_keyblock *keyblock,
+ krb5_keyusage usage, const krb5_data *ivec,
+ const krb5_data *input, krb5_enc_data *output)
+{
+ krb5_key key;
+ krb5_error_code ret;
+
+ ret = krb5_k_create_key(context, keyblock, &key);
+ if (ret != 0)
+ return ret;
+ ret = krb5_k_encrypt(context, key, usage, ivec, input, output);
+ krb5_k_free_key(context, key);
+ return ret;
+}
#include "etypes.h"
krb5_error_code KRB5_CALLCONV
-krb5_c_encrypt_iov(krb5_context context,
- const krb5_keyblock *key,
+krb5_k_encrypt_iov(krb5_context context,
+ krb5_key key,
krb5_keyusage usage,
const krb5_data *cipher_state,
krb5_crypto_iov *data,
{
const struct krb5_keytypes *ktp;
- ktp = find_enctype(key->enctype);
+ ktp = find_enctype(key->keyblock.enctype);
if (ktp == NULL || ktp->aead == NULL)
return KRB5_BAD_ENCTYPE;
key, usage, cipher_state, data, num_data);
}
+krb5_error_code KRB5_CALLCONV
+krb5_c_encrypt_iov(krb5_context context,
+ const krb5_keyblock *keyblock,
+ krb5_keyusage usage,
+ const krb5_data *cipher_state,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ krb5_key key;
+ krb5_error_code ret;
+
+ ret = krb5_k_create_key(context, keyblock, &key);
+ if (ret != 0)
+ return ret;
+ ret = krb5_k_encrypt_iov(context, key, usage, cipher_state, data,
+ num_data);
+ krb5_k_free_key(context, key);
+ return ret;
+}
typedef krb5_error_code (*krb5_crypt_func)(const struct krb5_enc_provider *enc,
const struct
krb5_hash_provider *hash,
- const krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage keyusage,
const krb5_data *ivec,
const krb5_data *input,
typedef krb5_error_code (*krb5_prf_func)(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
+ krb5_key key,
const krb5_data *in, krb5_data *out);
struct krb5_keytypes {
#include "keyhash_provider.h"
static krb5_error_code
-k5_descbc_hash(const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *ivec,
+k5_descbc_hash(krb5_key key, krb5_keyusage usage, const krb5_data *ivec,
const krb5_data *input, krb5_data *output)
{
mit_des_key_schedule schedule;
- if (key->length != 8)
+ if (key->keyblock.length != 8)
return(KRB5_BAD_KEYSIZE);
if ((input->length%8) != 0)
return(KRB5_BAD_MSIZE);
if (output->length != 8)
return(KRB5_CRYPTO_INTERNAL);
- switch (mit_des_key_sched(key->contents, schedule)) {
+ switch (mit_des_key_sched(key->keyblock.contents, schedule)) {
case -1:
return(KRB5DES_BAD_KEYPAR);
case -2:
#include "../aead.h"
static krb5_error_code
-k5_hmac_md5_hash (const krb5_keyblock *key, krb5_keyusage usage,
+k5_hmac_md5_hash (krb5_key key, krb5_keyusage usage,
const krb5_data *iv,
const krb5_data *input, krb5_data *output)
{
krb5_keyusage ms_usage;
krb5_error_code ret;
- krb5_keyblock ks;
+ krb5_keyblock keyblock;
+ krb5_key ks = NULL;
krb5_data ds, ks_constant, md5tmp;
krb5_MD5_CTX ctx;
char t[4];
- ds.length = key->length;
- ks.length = key->length;
+ ds.length = key->keyblock.length;
ds.data = malloc(ds.length);
if (ds.data == NULL)
return ENOMEM;
- ks.contents = (void *) ds.data;
ks_constant.data = "signaturekey";
ks_constant.length = strlen(ks_constant.data)+1; /* Including null*/
if (ret)
goto cleanup;
+ keyblock.length = key->keyblock.length;
+ keyblock.contents = (void *) ds.data;
+ ret = krb5_k_create_key(NULL, &keyblock, &ks);
+ if (ret)
+ goto cleanup;
+
krb5_MD5Init (&ctx);
ms_usage = krb5int_arcfour_translate_usage (usage);
store_32_le(ms_usage, t);
krb5_MD5Final(&ctx);
md5tmp.data = (void *) ctx.digest;
md5tmp.length = 16;
- ret = krb5_hmac ( &krb5int_hash_md5, &ks, 1, &md5tmp,
+
+ ret = krb5_hmac ( &krb5int_hash_md5, ks, 1, &md5tmp,
output);
cleanup:
memset(&ctx, 0, sizeof(ctx));
- memset (ks.contents, 0, ks.length);
- free (ks.contents);
+ zapfree(ds.data, ds.length);
+ krb5_k_free_key(NULL, ks);
return ret;
}
static krb5_error_code
-k5_hmac_md5_hash_iov (const krb5_keyblock *key, krb5_keyusage usage,
+k5_hmac_md5_hash_iov (krb5_key key, krb5_keyusage usage,
const krb5_data *iv,
const krb5_crypto_iov *data, size_t num_data,
krb5_data *output)
{
krb5_keyusage ms_usage;
krb5_error_code ret;
- krb5_keyblock ks;
+ krb5_keyblock keyblock;
+ krb5_key ks = NULL;
krb5_data ds, ks_constant, md5tmp;
krb5_MD5_CTX ctx;
char t[4];
size_t i;
- ds.length = key->length;
- ks.length = key->length;
+ ds.length = key->keyblock.length;
ds.data = malloc(ds.length);
if (ds.data == NULL)
return ENOMEM;
- ks.contents = (void *) ds.data;
ks_constant.data = "signaturekey";
ks_constant.length = strlen(ks_constant.data)+1; /* Including null*/
if (ret)
goto cleanup;
+ keyblock.length = key->keyblock.length;
+ keyblock.contents = (void *) ds.data;
+ ret = krb5_k_create_key(NULL, &keyblock, &ks);
+ if (ret)
+ goto cleanup;
+
krb5_MD5Init (&ctx);
ms_usage = krb5int_arcfour_translate_usage (usage);
store_32_le(ms_usage, t);
krb5_MD5Final(&ctx);
md5tmp.data = (void *) ctx.digest;
md5tmp.length = 16;
- ret = krb5_hmac ( &krb5int_hash_md5, &ks, 1, &md5tmp,
+ ret = krb5_hmac ( &krb5int_hash_md5, ks, 1, &md5tmp,
output);
cleanup:
memset(&ctx, 0, sizeof(ctx));
- memset (ks.contents, 0, ks.length);
- free (ks.contents);
+ zapfree(keyblock.contents, keyblock.length);
+ krb5_k_free_key(NULL, ks);
return ret;
}
extern struct krb5_enc_provider krb5int_enc_des;
static krb5_error_code
-k5_md4des_hash(const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *ivec,
+k5_md4des_hash(krb5_key key, krb5_keyusage usage, const krb5_data *ivec,
const krb5_data *input, krb5_data *output)
{
krb5_error_code ret;
}
static krb5_error_code
-k5_md4des_verify(const krb5_keyblock *key, krb5_keyusage usage,
+k5_md4des_verify(krb5_key key, krb5_keyusage usage,
const krb5_data *ivec,
const krb5_data *input, const krb5_data *hash,
krb5_boolean *valid)
struct krb5_enc_provider *enc = &krb5int_enc_des;
krb5_data output, iv;
- if (key->length != 8)
+ if (key->keyblock.length != 8)
return(KRB5_BAD_KEYSIZE);
if (hash->length != (CONFLENGTH+RSA_MD4_CKSUM_LENGTH)) {
#ifdef KRB5_MD4DES_BETA5_COMPAT
}
if (compathash) {
- iv.data = malloc(key->length);
+ iv.data = malloc(key->keyblock.length);
if (!iv.data) return ENOMEM;
- iv.length = key->length;
- if (key->contents)
- memcpy(iv.data, key->contents, key->length);
+ iv.length = key->keyblock.length;
+ if (key->keyblock.contents)
+ memcpy(iv.data, key->keyblock.contents, key->keyblock.length);
}
/* decrypt it */
extern struct krb5_enc_provider krb5int_enc_des;
static krb5_error_code
-k5_md5des_hash(const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *ivec,
+k5_md5des_hash(krb5_key key, krb5_keyusage usage, const krb5_data *ivec,
const krb5_data *input, krb5_data *output)
{
krb5_error_code ret;
}
static krb5_error_code
-k5_md5des_verify(const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *ivec,
+k5_md5des_verify(krb5_key key, krb5_keyusage usage, const krb5_data *ivec,
const krb5_data *input, const krb5_data *hash,
krb5_boolean *valid)
{
struct krb5_enc_provider *enc = &krb5int_enc_des;
krb5_data output, iv;
- if (key->length != 8)
+ if (key->keyblock.length != 8)
return(KRB5_BAD_KEYSIZE);
if (hash->length != (CONFLENGTH+RSA_MD5_CKSUM_LENGTH)) {
}
if (compathash) {
- iv.data = malloc(key->length);
+ iv.data = malloc(key->keyblock.length);
if (!iv.data) return ENOMEM;
- iv.length = key->length;
- if (key->contents)
- memcpy(iv.data, key->contents, key->length);
+ iv.length = key->keyblock.length;
+ if (key->keyblock.contents)
+ memcpy(iv.data, key->keyblock.contents, key->keyblock.length);
}
/* decrypt it */
#include "hash_provider.h"
static krb5_error_code
-k5_md5_hmac_hash (const krb5_keyblock *key, krb5_keyusage usage,
+k5_md5_hmac_hash (krb5_key key, krb5_keyusage usage,
const krb5_data *iv,
const krb5_data *input, krb5_data *output)
{
#include "dk.h"
krb5_error_code KRB5_CALLCONV
-krb5_c_make_checksum(krb5_context context, krb5_cksumtype cksumtype,
- const krb5_keyblock *key, krb5_keyusage usage,
+krb5_k_make_checksum(krb5_context context, krb5_cksumtype cksumtype,
+ krb5_key key, krb5_keyusage usage,
const krb5_data *input, krb5_checksum *cksum)
{
unsigned int i;
/* check if key is compatible */
if (ctp->keyed_etype) {
ktp1 = find_enctype(ctp->keyed_etype);
- ktp2 = find_enctype(key->enctype);
+ ktp2 = find_enctype(key->keyblock.enctype);
if (ktp1 == NULL || ktp2 == NULL || ktp1->enc != ktp2->enc) {
ret = KRB5_BAD_ENCTYPE;
goto cleanup;
return ret;
}
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_make_checksum(krb5_context context, krb5_cksumtype cksumtype,
+ const krb5_keyblock *keyblock, krb5_keyusage usage,
+ const krb5_data *input, krb5_checksum *cksum)
+{
+ krb5_key key = NULL;
+ krb5_error_code ret;
+
+ if (keyblock != NULL) {
+ ret = krb5_k_create_key(context, keyblock, &key);
+ if (ret != 0)
+ return ret;
+ }
+ ret = krb5_k_make_checksum(context, cksumtype, key, usage, input, cksum);
+ krb5_k_free_key(context, key);
+ return ret;
+}
#include "aead.h"
krb5_error_code KRB5_CALLCONV
-krb5_c_make_checksum_iov(krb5_context context,
+krb5_k_make_checksum_iov(krb5_context context,
krb5_cksumtype cksumtype,
- const krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage usage,
krb5_crypto_iov *data,
size_t num_data)
return(ret);
}
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_make_checksum_iov(krb5_context context,
+ krb5_cksumtype cksumtype,
+ const krb5_keyblock *keyblock,
+ krb5_keyusage usage,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ krb5_key key;
+ krb5_error_code ret;
+
+ ret = krb5_k_create_key(context, keyblock, &key);
+ if (ret != 0)
+ return ret;
+ ret = krb5_k_make_checksum_iov(context, cksumtype, key, usage,
+ data, num_data);
+ krb5_k_free_key(context, key);
+ return ret;
+}
krb5_error_code krb5_old_encrypt
(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_key key, krb5_keyusage usage,
const krb5_data *ivec, const krb5_data *input,
krb5_data *output);
krb5_error_code krb5_old_decrypt
(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_key key, krb5_keyusage usage,
const krb5_data *ivec, const krb5_data *input,
krb5_data *arg_output);
krb5_error_code
krb5_old_decrypt(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage usage,
const krb5_data *ivec,
const krb5_data *input,
cn = NULL;
/* XXX this is gross, but I don't have much choice */
- if ((key->enctype == ENCTYPE_DES_CBC_CRC) && (ivec == 0)) {
- crcivec.length = key->length;
- crcivec.data = (char *) key->contents;
+ if ((key->keyblock.enctype == ENCTYPE_DES_CBC_CRC) && (ivec == 0)) {
+ crcivec.length = key->keyblock.length;
+ crcivec.data = (char *) key->keyblock.contents;
ivec = &crcivec;
}
krb5_error_code
krb5_old_encrypt(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage usage,
const krb5_data *ivec,
const krb5_data *input,
/* encrypt it */
/* XXX this is gross, but I don't have much choice */
- if ((key->enctype == ENCTYPE_DES_CBC_CRC) && (ivec == 0)) {
- crcivec.length = key->length;
- crcivec.data = (char *) key->contents;
+ if ((key->keyblock.enctype == ENCTYPE_DES_CBC_CRC) && (ivec == 0)) {
+ crcivec.length = key->keyblock.length;
+ crcivec.data = (char *) key->keyblock.contents;
ivec = &crcivec;
real_ivec = 0;
} else
}
krb5_error_code KRB5_CALLCONV
-krb5_c_prf(krb5_context context, const krb5_keyblock *key,
+krb5_c_prf(krb5_context context, const krb5_keyblock *keyblock,
krb5_data *input, krb5_data *output)
{
const struct krb5_keytypes *ktp;
+ krb5_key key;
+ krb5_error_code ret;
assert(input && output);
assert(output->data);
- ktp = find_enctype(key->enctype);
+ ktp = find_enctype(keyblock->enctype);
if (ktp == NULL)
return KRB5_BAD_ENCTYPE;
if (ktp->prf == NULL)
output->magic = KV5M_DATA;
if (ktp->prf_length != output->length)
return KRB5_CRYPTO_INTERNAL;
- return (*ktp->prf)(ktp->enc, ktp->hash, key, input, output);
+ ret = krb5_k_create_key(context, keyblock, &key);
+ if (ret != 0)
+ return ret;
+ ret = (*ktp->prf)(ktp->enc, ktp->hash, key, input, output);
+ krb5_k_free_key(context, key);
+ return ret;
}
krb5_error_code
krb5int_des_prf (const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
- const krb5_data *in, krb5_data *out)
+ krb5_key key, const krb5_data *in, krb5_data *out)
{
krb5_data tmp;
krb5_error_code ret = 0;
krb5_error_code
krb5int_dk_prf (const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
- const krb5_data *in, krb5_data *out)
+ krb5_key key, const krb5_data *in, krb5_data *out)
{
krb5_data tmp;
krb5_data prfconst;
- krb5_keyblock *kp = NULL;
+ krb5_key kp = NULL;
krb5_error_code ret = 0;
prfconst.data = (char *) "prf";
return ENOMEM;
hash->hash(1, in, &tmp);
tmp.length = (tmp.length/enc->block_size)*enc->block_size; /*truncate to block size*/
- ret = krb5int_c_init_keyblock(0, key->enctype,
- key->length, &kp);
- if (ret == 0)
- ret = krb5_derive_key(enc, key, kp, &prfconst);
+ ret = krb5_derive_key(enc, key, &kp, &prfconst);
if (ret == 0)
- ret = enc->encrypt(kp, NULL, &tmp, out);
- if (kp)
- krb5int_c_free_keyblock(0, kp);
+ ret = enc->encrypt(kp, NULL, &tmp, out);
+ krb5_k_free_key(NULL, kp);
free (tmp.data);
return ret;
}
krb5_error_code
krb5int_arcfour_prf(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
- const krb5_data *in, krb5_data *out);
+ krb5_key key, const krb5_data *in, krb5_data *out);
krb5_error_code
krb5int_des_prf (const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
- const krb5_data *in, krb5_data *out);
+ krb5_key key, const krb5_data *in, krb5_data *out);
krb5_error_code
krb5int_dk_prf(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, const krb5_data *in, krb5_data *out);
+ krb5_key key, const krb5_data *in, krb5_data *out);
#endif /*PRF_INTERNAL_DEFS*/
krb5_error_code
krb5int_arcfour_prf(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
- const krb5_data *in, krb5_data *out)
+ krb5_key key, const krb5_data *in, krb5_data *out)
{
assert(out->length == 20);
return krb5_hmac(&krb5int_hash_sha1, key, 1, in, out);
krb5_error_code krb5_raw_encrypt
(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_key key, krb5_keyusage usage,
const krb5_data *ivec, const krb5_data *input,
krb5_data *output);
krb5_error_code krb5_raw_decrypt
(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_key key, krb5_keyusage usage,
const krb5_data *ivec, const krb5_data *input,
krb5_data *arg_output);
krb5int_raw_encrypt_iov(const struct krb5_aead_provider *aead,
const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage usage,
const krb5_data *ivec,
krb5_crypto_iov *data,
krb5int_raw_decrypt_iov(const struct krb5_aead_provider *aead,
const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage usage,
const krb5_data *ivec,
krb5_crypto_iov *data,
krb5_error_code
krb5_raw_decrypt(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_key key, krb5_keyusage usage,
const krb5_data *ivec, const krb5_data *input,
krb5_data *output)
{
krb5_error_code
krb5_raw_encrypt(const struct krb5_enc_provider *enc,
const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_key key, krb5_keyusage usage,
const krb5_data *ivec, const krb5_data *input,
krb5_data *output)
{
#include "cksumtypes.h"
krb5_error_code KRB5_CALLCONV
-krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *key,
+krb5_k_verify_checksum(krb5_context context, krb5_key key,
krb5_keyusage usage, const krb5_data *data,
const krb5_checksum *cksum, krb5_boolean *valid)
{
computed.length = hashsize;
- ret = krb5_c_make_checksum(context, cksum->checksum_type, key, usage,
+ ret = krb5_k_make_checksum(context, cksum->checksum_type, key, usage,
data, &computed);
if (ret)
return ret;
free(computed.contents);
return 0;
}
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *keyblock,
+ krb5_keyusage usage, const krb5_data *data,
+ const krb5_checksum *cksum, krb5_boolean *valid)
+{
+ krb5_key key = NULL;
+ krb5_error_code ret;
+
+ if (keyblock != NULL) {
+ ret = krb5_k_create_key(context, keyblock, &key);
+ if (ret != 0)
+ return ret;
+ }
+ ret = krb5_k_verify_checksum(context, key, usage, data, cksum, valid);
+ krb5_k_free_key(context, key);
+ return ret;
+}
#include "aead.h"
krb5_error_code KRB5_CALLCONV
-krb5_c_verify_checksum_iov(krb5_context context,
+krb5_k_verify_checksum_iov(krb5_context context,
krb5_cksumtype checksum_type,
- const krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage usage,
const krb5_crypto_iov *data,
size_t num_data,
free(computed.data);
return 0;
}
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_verify_checksum_iov(krb5_context context,
+ krb5_cksumtype checksum_type,
+ const krb5_keyblock *keyblock,
+ krb5_keyusage usage,
+ const krb5_crypto_iov *data,
+ size_t num_data,
+ krb5_boolean *valid)
+{
+ krb5_key key;
+ krb5_error_code ret;
+
+ ret = krb5_k_create_key(context, keyblock, &key);
+ if (ret != 0)
+ return ret;
+ ret = krb5_k_verify_checksum_iov(context, checksum_type, key, usage, data,
+ num_data, valid);
+ krb5_k_free_key(context, key);
+ return ret;
+}
const struct krb5_enc_provider *enc = &yarrow_enc_provider;
krb5_error_code ret;
krb5_data randombits;
+ krb5_keyblock keyblock;
+
keybytes = enc->keybytes;
keylength = enc->keylength;
assert (keybytes == CIPHER_KEY_SIZE);
- if (ctx->key.contents) {
- memset (ctx->key.contents, 0, ctx->key.length);
- free (ctx->key.contents);
- }
- ctx->key.contents = (void *) malloc (keylength);
- ctx->key.length = keylength;
- if (ctx->key.contents == NULL)
+ krb5_k_free_key(NULL, ctx->key);
+ ctx->key = NULL;
+ keyblock.contents = malloc(keylength);
+ keyblock.length = keylength;
+ if (keyblock.contents == NULL)
return (YARROW_NOMEM);
randombits.data = (char *) key;
randombits.length = keybytes;
- ret = enc->make_key (&randombits, &ctx->key);
- if (ret) {
- memset (ctx->key.contents, 0, ctx->key.length);
- free(ctx->key.contents);
- ctx->key.contents = NULL;
- return (YARROW_FAIL);
- }
- return (YARROW_OK);
+ ret = enc->make_key(&randombits, &keyblock);
+ if (ret != 0)
+ goto cleanup;
+ ret = krb5_k_create_key(NULL, &keyblock, &ctx->key);
+cleanup:
+ free(keyblock.contents);
+ if (ret)
+ return YARROW_FAIL;
+ return YARROW_OK;
}
int krb5int_yarrow_cipher_encrypt_block
ind.length = CIPHER_BLOCK_SIZE;
outd.data = (char *) out;
outd.length = CIPHER_BLOCK_SIZE;
- ret = enc->encrypt (&ctx->key, 0, &ind, &outd);
+ ret = enc->encrypt(ctx->key, 0, &ind, &outd);
if (ret)
return YARROW_FAIL;
return YARROW_OK;
(CIPHER_CTX *ctx)
{
- if (ctx->key.contents) {
- memset (ctx->key.contents, 0, ctx->key.length);
- free (ctx->key.contents);
- }
- ctx->key.contents = 0;
- ctx->key.length = 0;
+ krb5_k_free_key(NULL, ctx->key);
+ ctx->key = NULL;
}
typedef struct
{
- krb5_keyblock key;
+ krb5_key key;
} CIPHER_CTX;
/* We need to choose a cipher. To do this, choose an enc_provider.
}
expect_tcl_prompt
+ while {![file exists /tmp/go]} {}
send_tcl_cmd_await_echo {kadm5_init admin admin $KADM5_ADMIN_SERVICE null $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 server_handle}
expect_kadm_ok
expect "^% "
projects / thirdparty / krb5.git / commitdiff
