have AESCBC keyhash_provider do its own key derivation lhoward/aes-ccm
authorLuke Howard <lukeh@padl.com>
Tue, 8 Dec 2009 21:15:45 +0000 (21:15 +0000)
committerLuke Howard <lukeh@padl.com>
Tue, 8 Dec 2009 21:15:45 +0000 (21:15 +0000)
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/aes-ccm@23459 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/crypto/krb/dk/dk_ccm.c
src/lib/crypto/krb/keyhash_provider/aescbc.c

index c8ee323523f07ba722cbaf7111a2f4ce0740ebfd..b3b18ffce8a27ff8b3b593ae1aae0030a0db2323 100644 (file)
@@ -380,7 +380,7 @@ krb5int_ccm_encrypt_iov(const struct krb5_aead_provider *aead,
        goto cleanup;
     }
 
-    ret = krb5int_c_make_checksum_iov(keyhash, kc, usage, sign_data, num_sign_data, &cksum);
+    ret = krb5int_c_make_checksum_iov(keyhash, key, usage, sign_data, num_sign_data, &cksum);
     if (ret != 0)
        goto cleanup;
 
@@ -576,7 +576,7 @@ krb5int_ccm_decrypt_iov(const struct krb5_aead_provider *aead,
            sign_data[num_sign_data++] = data[i];
     }
 
-    ret = krb5int_c_make_checksum_iov(keyhash, kc, usage, sign_data, num_sign_data, &cksum);
+    ret = krb5int_c_make_checksum_iov(keyhash, key, usage, sign_data, num_sign_data, &cksum);
     if (ret != 0)
        goto cleanup;
 
index 2312c8b0ea855ccf810b508c0e657277420e2fd3..c947353a6903d2d49f801adf7db19a3f4733b595 100644 (file)
 #include "k5-int.h"
 #include "keyhash_provider.h"
 #include "hash_provider.h"
+#include "enc_provider/enc_provider.h"
+#include "../etypes.h"
 #include "../aes/aes.h"
 #include "../aead.h"
+#include "../dk/dk.h"
+
+#define K5CLENGTH 5 /* 32 bit net byte order integer + one byte seed */
 
 static void xorblock(unsigned char *out, unsigned const char *in)
 {
@@ -38,12 +43,17 @@ static void xorblock(unsigned char *out, unsigned const char *in)
        out[z] ^= in[z];
 }
 
-static  krb5_error_code
+static krb5_error_code
 k5_aescbc_hash_iov (krb5_key key, krb5_keyusage usage,
                    const krb5_data *iv,
                    const krb5_crypto_iov *data, size_t num_data,
                    krb5_data *output)
 {
+    unsigned char constantdata[K5CLENGTH];
+    krb5_error_code ret;
+    krb5_data d1;
+    krb5_key kc;
+    int i;
     aes_ctx ctx;
     unsigned char blockY[BLOCK_SIZE];
     struct iov_block_state iov_state;
@@ -51,6 +61,28 @@ k5_aescbc_hash_iov (krb5_key key, krb5_keyusage usage,
     if (output->length < BLOCK_SIZE)
        return KRB5_BAD_MSIZE;
 
+    d1.data = (char *)constantdata;
+    d1.length = K5CLENGTH;
+
+    d1.data[0] = (usage >> 24) & 0xFF;
+    d1.data[1] = (usage >> 16) & 0xFF;
+    d1.data[2] = (usage >> 8 ) & 0xFF;
+    d1.data[3] = (usage      ) & 0xFF;
+
+    d1.data[4] = 0xCC;
+
+    for (i = 0, kc = NULL; i < krb5_enctypes_length; i++) {
+        if (krb5_enctypes_list[i].etype == krb5_k_key_enctype(NULL, key)) {
+            ret = krb5_derive_key(krb5_enctypes_list[i].enc, key, &kc, &d1);
+            if (ret != 0)
+                return ret;
+            break;
+        }
+    }
+
+    if (kc == NULL)
+        abort();
+
     if (aes_enc_key(key->keyblock.contents,
                    key->keyblock.length, &ctx) != aes_good)
        abort();
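Review bot: The key derived into `kc` is never used for the MAC: the context lines right after the added block still build the AES schedule from `key->keyblock.contents`, and dk_ccm.c in this commit now passes the base `key`, so the checksum appears to be keyed with the underived base key rather than the usage-specific one. The call should read `aes_enc_key(kc->keyblock.contents, kc->keyblock.length, &ctx)`. Separately, `if (kc == NULL) abort();` terminates the host process when the key's enctype is not found in `krb5_enctypes_list`; `return KRB5_BAD_ENCTYPE;` reports the same condition without taking down a library caller. The remainder of the function body lies outside this hunk, so confirm that no later line already reads `kc`.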
@@ -85,10 +117,12 @@ k5_aescbc_hash_iov (krb5_key key, krb5_keyusage usage,
     output->length = BLOCK_SIZE;
     memcpy(output->data, blockY, BLOCK_SIZE);
 
+    krb5_k_free_key(NULL, kc);
+
     return 0;
 }
 
-static  krb5_error_code
+static krb5_error_code
 k5_aescbc_hash (krb5_key key, krb5_keyusage usage,
                const krb5_data *iv,
                const krb5_data *input, krb5_data *output)
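Review bot: `krb5_k_free_key(NULL, kc)` is reached only on the success path at the end of `k5_aescbc_hash_iov`, so any `return` between the derivation and this line would leak the derived key; that part of the body is outside the hunk and should be checked. A single `cleanup:` label that frees `kc` and is reached from every exit would match the `goto cleanup` style used in dk_ccm.c. Within the visible lines, `ctx` and `blockY` are also left on the stack uncleared after the `memcpy`; since they hold the AES key schedule and intermediate MAC state, wiping them before return (for example `zap(&ctx, sizeof(ctx));`) is worth adding.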