From: Luke Howard Date: Fri, 2 Oct 2009 17:28:35 +0000 (+0000) Subject: merge trunk from r22737 to r22836 to authdata branch X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=000e7d01cfd7bb1192ce1cab375c1191ae87dba9;p=thirdparty%2Fkrb5.git merge trunk from r22737 to r22836 to authdata branch git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/authdata@22837 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/Makefile.in b/src/Makefile.in index d74e9e535c..e5be6e1647 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -196,9 +196,10 @@ WINMAKEFILES=Makefile \ lib\Makefile lib\crypto\Makefile \ lib\crypto\krb\crc32\Makefile lib\crypto\builtin\des\Makefile \ lib\crypto\krb\dk\Makefile lib\crypto\builtin\enc_provider\Makefile \ - lib\crypto\krb\hash_provider\Makefile \ + lib\crypto\builtin\hash_provider\Makefile \ lib\crypto\krb\keyhash_provider\Makefile \ - lib\crypto\krb\raw\Makefile lib\crypto\old\Makefile \ + lib\crypto\krb\prf\Makefile lib\crypto\krb\rand2key\Makefile \ + lib\crypto\krb\raw\Makefile lib\crypto\krb\old\Makefile \ lib\crypto\builtin\sha1\Makefile lib\crypto\builtin\arcfour\Makefile \ lib\crypto\builtin\md4\Makefile lib\crypto\builtin\md5\Makefile \ lib\crypto\krb\yarrow\Makefile lib\crypto\builtin\aes\Makefile \ @@ -270,7 +271,7 @@ WINMAKEFILES=Makefile \ ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##lib\crypto\builtin\enc_provider\Makefile: lib\crypto\builtin\enc_provider\Makefile.in $(MKFDEP) ##DOS## $(WCONFIG) config < $@.in > $@ -##DOS##lib\crypto\krb\hash_provider\Makefile: lib\crypto\krb\hash_provider\Makefile.in $(MKFDEP) +##DOS##lib\crypto\builtin\hash_provider\Makefile: lib\crypto\builtin\hash_provider\Makefile.in $(MKFDEP) ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##lib\crypto\krb\keyhash_provider\Makefile: lib\crypto\krb\keyhash_provider\Makefile.in $(MKFDEP) ##DOS## $(WCONFIG) config < $@.in > $@ @@ -395,8 +396,10 @@ FILES= ./* \ config/* include/* include/kerberosIV/* \ include/krb5/* include/krb5/stock/* include/sys/* lib/* \ lib/crypto/* lib/crypto/krb/crc32/* lib/crypto/builtin/des/* lib/crypto/krb/dk/* \ - lib/crypto/builtin/enc_provider/* lib/crypto/krb/hash_provider/* \ - lib/crypto/krb/keyhash_provider/* lib/crypto/krb/old/* lib/crypto/krb/raw/* \ + lib/crypto/builtin/enc_provider/* lib/crypto/builtin/hash_provider/* \ + lib/crypto/krb/keyhash_provider/* \ + lib/crypto/krb/prf/* lib/crypto/krb/rand2key/* \ + lib/crypto/krb/old/* lib/crypto/krb/raw/* \ lib/crypto/builtin/sha1/* lib/crypto/builtin/arcfour/* lib/crypto/builtin/md4/* \ lib/crypto/builtin/md5/* lib/crypto/krb/yarrow/* \ lib/crypto/builtin/* lib/crypto/krb/* lib/crypto/crypto_tests \ diff --git a/src/clients/kvno/deps b/src/clients/kvno/deps index 60f4595a89..fbab8bd9b1 100644 --- a/src/clients/kvno/deps +++ b/src/clients/kvno/deps @@ -2,5 +2,12 @@ # Generated makefile dependencies follow. # $(OUTPRE)kvno.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/krb5.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ + $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ + $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ kvno.c diff --git a/src/config/post.in b/src/config/post.in index 6ac10b05ff..023fd47974 100644 --- a/src/config/post.in +++ b/src/config/post.in @@ -28,6 +28,11 @@ $(BUILDTOP)/.depend-verify-srcdir: @if test "$(srcdir)" = "." ; then \ echo 1>&2 error: cannot build dependencies with srcdir=. ; \ echo 1>&2 "(can't distinguish generated files from source files)" ; \ + echo 1>&2 "Run 'make distclean' and create a separate build dir" ; \ + exit 1 ; \ + elif test -f "$(top_srcdir)/include/autoconf.h"; then \ + echo 1>&2 "error: generated headers found in source tree" ; \ + echo 1>&2 "Run 'make distclean' in source tree first" ; \ exit 1 ; \ else \ if test -r $(BUILDTOP)/.depend-verify-srcdir; then :; \ diff --git a/src/configure.in b/src/configure.in index 6462e5272f..af98dfbc91 100644 --- a/src/configure.in +++ b/src/configure.in @@ -1061,7 +1061,8 @@ V5_AC_OUTPUT_MAKEFILE(. lib/crypto lib/crypto/krb lib/crypto/krb/crc32 lib/crypto/builtin/des lib/crypto/krb/dk lib/crypto/builtin/enc_provider - lib/crypto/krb/hash_provider lib/crypto/krb/keyhash_provider + lib/crypto/builtin/hash_provider lib/crypto/krb/keyhash_provider + lib/crypto/krb/prf lib/crypto/krb/rand2key lib/crypto/builtin lib/crypto/builtin/md4 lib/crypto/builtin/md5 lib/crypto/krb/old lib/crypto/krb/raw lib/crypto/builtin/sha1 lib/crypto/builtin/arcfour lib/crypto/krb/yarrow lib/crypto/builtin/aes diff --git a/src/include/Makefile.in b/src/include/Makefile.in index 4c8ca59d49..ec6a3f25e0 100644 --- a/src/include/Makefile.in +++ b/src/include/Makefile.in @@ -130,6 +130,9 @@ clean-windows:: clean:: $(RM) osconf.new $(BUILT_HEADERS) +distclean:: + $(RM) autoconf.h + install-headers-unix install:: krb5/krb5.h profile.h $(INSTALL_DATA) $(srcdir)/krb5.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5.h $(INSTALL_DATA) $(srcdir)/kdb.h $(DESTDIR)$(KRB5_INCDIR)$(S)kdb.h diff --git a/src/include/k5-int.h b/src/include/k5-int.h index cf26d1df12..d1081db7ef 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -879,6 +879,9 @@ typedef struct _krb5_os_context { * Define our view of the size of a DES key. */ #define KRB5_MIT_DES_KEYSIZE 8 +#define KRB5_MIT_DES3_KEYSIZE 24 +#define KRB5_MIT_DES3_KEY_BYTES 21 + /* * Check if des_int.h has been included before us. If so, then check to see * that our view of the DES key size is the same as des_int.h's. diff --git a/src/include/k5-platform.h b/src/include/k5-platform.h index fd0bb21a0b..ef5dd419be 100644 --- a/src/include/k5-platform.h +++ b/src/include/k5-platform.h @@ -466,6 +466,10 @@ typedef struct { int error; unsigned char did_run; } k5_init_t; # define K5_BE #elif defined(_LITTLE_ENDIAN) # define K5_LE +#elif defined(__BIG_ENDIAN__) && !defined(__LITTLE_ENDIAN__) +# define K5_BE +#elif defined(__LITTLE_ENDIAN__) && !defined(__BIG_ENDIAN__) +# define K5_LE #endif #if !defined(K5_BE) && !defined(K5_LE) /* Look for some architectures we know about. @@ -480,10 +484,10 @@ typedef struct { int error; unsigned char did_run; } k5_init_t; As far as I know, only PDP11 and ARM (which we don't handle here) have strange byte orders where an 8-byte value isn't laid out as either 12345678 or 87654321. */ -# if defined(__i386__) || defined(_MIPSEL) || defined(__alpha__) || defined(__ia64__) +# if defined(__i386__) || defined(_MIPSEL) || defined(__alpha__) || (defined(__ia64__) && !defined(__hpux)) # define K5_LE # endif -# if defined(__hppa__) || defined(__rs6000__) || defined(__sparc__) || defined(_MIPSEB) || defined(__m68k__) || defined(__sparc64__) || defined(__ppc__) || defined(__ppc64__) +# if defined(__hppa__) || defined(__rs6000__) || defined(__sparc__) || defined(_MIPSEB) || defined(__m68k__) || defined(__sparc64__) || defined(__ppc__) || defined(__ppc64__) || (defined(__hpux) && defined(__ia64__)) # define K5_BE # endif #endif diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in index 68594c9bf7..25f1e73015 100644 --- a/src/kadmin/cli/Makefile.in +++ b/src/kadmin/cli/Makefile.in @@ -12,7 +12,7 @@ COMMON_OBJS = kadmin.o kadmin_ct.o ss_wrapper.o getdate.o KADMIN_OBJS = $(COMMON_OBJS) keytab.o LOCAL_OBJS = $(COMMON_OBJS) keytab_local.o -SRCS = kadmin.c kadmin_ct.c ss_wrapper.c getdate.c keytab.c +SRCS = kadmin.c kadmin_ct.c ss_wrapper.c getdate.c keytab.c keytab_local.c LOCALINCLUDES=-I$(srcdir) diff --git a/src/kadmin/cli/deps b/src/kadmin/cli/deps index 5c3ad6545e..040beda0d9 100644 --- a/src/kadmin/cli/deps +++ b/src/kadmin/cli/deps @@ -39,3 +39,22 @@ $(OUTPRE)keytab.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h kadmin.h keytab.c +$(OUTPRE)keytab_local.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ + $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h $(SRCTOP)/include/gssrpc/auth.h \ + $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \ + $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \ + $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \ + $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \ + $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/k5-buf.h \ + $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ + $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \ + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h kadmin.h keytab.c \ + keytab_local.c diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c index 513e716bbe..ad9f6bc9bd 100644 --- a/src/kadmin/cli/kadmin.c +++ b/src/kadmin/cli/kadmin.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1994, 2008 by the Massachusetts Institute of Technology. * All Rights Reserved. @@ -52,58 +53,57 @@ /* special struct to convert flag names for principals to actual krb5_flags for a principal */ struct pflag { - char *flagname; /* name of flag as typed to CLI */ - int flaglen; /* length of string (not counting -,+) */ - krb5_flags theflag; /* actual principal flag to set/clear */ - int set; /* 0 means clear, 1 means set (on '-') */ + char *flagname; /* name of flag as typed to CLI */ + size_t flaglen; /* length of string (not counting -,+) */ + krb5_flags theflag; /* actual principal flag to set/clear */ + int set; /* 0 means clear, 1 means set (on '-') */ }; static struct pflag flags[] = { -{"allow_postdated", 15, KRB5_KDB_DISALLOW_POSTDATED, 1}, -{"allow_forwardable", 17, KRB5_KDB_DISALLOW_FORWARDABLE, 1}, -{"allow_tgs_req", 13, KRB5_KDB_DISALLOW_TGT_BASED, 1}, -{"allow_renewable", 15, KRB5_KDB_DISALLOW_RENEWABLE, 1}, -{"allow_proxiable", 15, KRB5_KDB_DISALLOW_PROXIABLE, 1}, -{"allow_dup_skey", 14, KRB5_KDB_DISALLOW_DUP_SKEY, 1}, -{"allow_tix", 9, KRB5_KDB_DISALLOW_ALL_TIX, 1}, -{"requires_preauth", 16, KRB5_KDB_REQUIRES_PRE_AUTH, 0}, -{"requires_hwauth", 15, KRB5_KDB_REQUIRES_HW_AUTH, 0}, -{"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0}, -{"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1}, -{"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 }, -{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 }, -{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 }, -{"ok_to_auth_as_delegate", 22, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE, 0 }, -{"no_auth_data_required", 21, KRB5_KDB_NO_AUTH_DATA_REQUIRED, 0}, +{"allow_postdated", 15, KRB5_KDB_DISALLOW_POSTDATED, 1 }, +{"allow_forwardable", 17, KRB5_KDB_DISALLOW_FORWARDABLE, 1 }, +{"allow_tgs_req", 13, KRB5_KDB_DISALLOW_TGT_BASED, 1 }, +{"allow_renewable", 15, KRB5_KDB_DISALLOW_RENEWABLE, 1 }, +{"allow_proxiable", 15, KRB5_KDB_DISALLOW_PROXIABLE, 1 }, +{"allow_dup_skey", 14, KRB5_KDB_DISALLOW_DUP_SKEY, 1 }, +{"allow_tix", 9, KRB5_KDB_DISALLOW_ALL_TIX, 1 }, +{"requires_preauth", 16, KRB5_KDB_REQUIRES_PRE_AUTH, 0 }, +{"requires_hwauth", 15, KRB5_KDB_REQUIRES_HW_AUTH, 0 }, +{"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0 }, +{"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1 }, +{"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 }, +{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 }, +{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 }, +{"ok_to_auth_as_delegate", 22, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE, 0 }, +{"no_auth_data_required", 21, KRB5_KDB_NO_AUTH_DATA_REQUIRED, 0 }, }; static char *prflags[] = { - "DISALLOW_POSTDATED", /* 0x00000001 */ - "DISALLOW_FORWARDABLE", /* 0x00000002 */ - "DISALLOW_TGT_BASED", /* 0x00000004 */ - "DISALLOW_RENEWABLE", /* 0x00000008 */ - "DISALLOW_PROXIABLE", /* 0x00000010 */ - "DISALLOW_DUP_SKEY", /* 0x00000020 */ - "DISALLOW_ALL_TIX", /* 0x00000040 */ - "REQUIRES_PRE_AUTH", /* 0x00000080 */ - "REQUIRES_HW_AUTH", /* 0x00000100 */ - "REQUIRES_PWCHANGE", /* 0x00000200 */ - "UNKNOWN_0x00000400", /* 0x00000400 */ - "UNKNOWN_0x00000800", /* 0x00000800 */ - "DISALLOW_SVR", /* 0x00001000 */ - "PWCHANGE_SERVICE", /* 0x00002000 */ - "SUPPORT_DESMD5", /* 0x00004000 */ - "NEW_PRINC", /* 0x00008000 */ - "UNKNOWN_0x00010000", /* 0x00010000 */ - "UNKNOWN_0x00020000", /* 0x00020000 */ - "UNKNOWN_0x00040000", /* 0x00040000 */ - "UNKNOWN_0x00080000", /* 0x00080000 */ - "OK_AS_DELEGATE", /* 0x00100000 */ - "OK_TO_AUTH_AS_DELEGATE", /* 0x00200000 */ - "NO_AUTH_DATA_REQUIRED", /* 0x00400000 */ + "DISALLOW_POSTDATED", /* 0x00000001 */ + "DISALLOW_FORWARDABLE", /* 0x00000002 */ + "DISALLOW_TGT_BASED", /* 0x00000004 */ + "DISALLOW_RENEWABLE", /* 0x00000008 */ + "DISALLOW_PROXIABLE", /* 0x00000010 */ + "DISALLOW_DUP_SKEY", /* 0x00000020 */ + "DISALLOW_ALL_TIX", /* 0x00000040 */ + "REQUIRES_PRE_AUTH", /* 0x00000080 */ + "REQUIRES_HW_AUTH", /* 0x00000100 */ + "REQUIRES_PWCHANGE", /* 0x00000200 */ + "UNKNOWN_0x00000400", /* 0x00000400 */ + "UNKNOWN_0x00000800", /* 0x00000800 */ + "DISALLOW_SVR", /* 0x00001000 */ + "PWCHANGE_SERVICE", /* 0x00002000 */ + "SUPPORT_DESMD5", /* 0x00004000 */ + "NEW_PRINC", /* 0x00008000 */ + "UNKNOWN_0x00010000", /* 0x00010000 */ + "UNKNOWN_0x00020000", /* 0x00020000 */ + "UNKNOWN_0x00040000", /* 0x00040000 */ + "UNKNOWN_0x00080000", /* 0x00080000 */ + "OK_AS_DELEGATE", /* 0x00100000 */ + "OK_TO_AUTH_AS_DELEGATE", /* 0x00200000 */ + "NO_AUTH_DATA_REQUIRED", /* 0x00400000 */ }; -char *getenv(); int exit_status = 0; char *def_realm = NULL; char *whoami = NULL; @@ -114,29 +114,30 @@ char *ccache_name = NULL; int locked = 0; -static void usage() +static void +usage() { fprintf(stderr, - "Usage: %s [-r realm] [-p principal] [-q query] [clnt|local args]\n" - "\tclnt args: [-s admin_server[:port]] [[-c ccache]|[-k [-t keytab]]]\n" - "\tlocal args: [-x db_args]* [-d dbname] [-e \"enc:salt ...\"] [-m]\n" - "where,\n\t[-x db_args]* - any number of database specific arguments.\n" - "\t\t\tLook at each database documentation for supported arguments\n", - whoami); + "Usage: %s [-r realm] [-p principal] [-q query] [clnt|local args]\n" + "\tclnt args: [-s admin_server[:port]] [[-c ccache]|[-k [-t keytab]]]\n" + "\tlocal args: [-x db_args]* [-d dbname] [-e \"enc:salt ...\"] [-m]\n" + "where,\n\t[-x db_args]* - any number of database specific arguments.\n" + "\t\t\tLook at each database documentation for supported arguments\n", + whoami); exit(1); } -static char *strdur(duration) - time_t duration; +static char * +strdur(time_t duration) { static char out[50]; int neg, days, hours, minutes, seconds; if (duration < 0) { - duration *= -1; - neg = 1; + duration *= -1; + neg = 1; } else - neg = 0; + neg = 0; days = duration / (24 * 3600); duration %= 24 * 3600; hours = duration / 3600; @@ -145,13 +146,13 @@ static char *strdur(duration) duration %= 60; seconds = duration; snprintf(out, sizeof(out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "", - days, days == 1 ? "day" : "days", - hours, minutes, seconds); + days, days == 1 ? "day" : "days", + hours, minutes, seconds); return out; } -static char *strdate(when) - krb5_timestamp when; +static char * +strdate(krb5_timestamp when) { struct tm *tm; static char out[40]; @@ -165,9 +166,7 @@ static char *strdate(when) /* this is a wrapper to go around krb5_parse_principal so we can set the default realm up properly */ static krb5_error_code -kadmin_parse_name(name, principal) - char *name; - krb5_principal *principal; +kadmin_parse_name(char *name, krb5_principal *principal) { char *cp, *fullname; krb5_error_code retval; @@ -176,40 +175,64 @@ kadmin_parse_name(name, principal) /* assumes def_realm is initialized! */ cp = strchr(name, '@'); while (cp) { - if (cp - name && *(cp - 1) != '\\') - break; - else - cp = strchr(cp + 1, '@'); + if (cp - name && *(cp - 1) != '\\') + break; + else + cp = strchr(cp + 1, '@'); } if (cp == NULL) - result = asprintf(&fullname, "%s@%s", name, def_realm); + result = asprintf(&fullname, "%s@%s", name, def_realm); else - result = asprintf(&fullname, "%s", name); + result = asprintf(&fullname, "%s", name); if (result < 0) - return ENOMEM; + return ENOMEM; retval = krb5_parse_name(context, fullname, principal); free(fullname); return retval; } -static void extended_com_err_fn (const char *myprog, errcode_t code, - const char *fmt, va_list args) +static void +extended_com_err_fn(const char *myprog, errcode_t code, + const char *fmt, va_list args) { + const char *emsg; + if (code) { - const char *emsg; - emsg = krb5_get_error_message (context, code); - fprintf (stderr, "%s: %s ", myprog, emsg); - krb5_free_error_message (context, emsg); + emsg = krb5_get_error_message(context, code); + fprintf(stderr, "%s: %s ", myprog, emsg); + krb5_free_error_message(context, emsg); } else { - fprintf (stderr, "%s: ", myprog); + fprintf(stderr, "%s: ", myprog); } - vfprintf (stderr, fmt, args); - fprintf (stderr, "\n"); + vfprintf(stderr, fmt, args); + fprintf(stderr, "\n"); } -char *kadmin_startup(argc, argv) - int argc; - char *argv[]; +/* Create a principal using the oldest appropriate kadm5 API. */ +static krb5_error_code +create_princ(kadm5_principal_ent_rec *princ, long mask, int n_ks, + krb5_key_salt_tuple *ks, char *pass) +{ + if (ks) + return kadm5_create_principal_3(handle, princ, mask, n_ks, ks, pass); + else + return kadm5_create_principal(handle, princ, mask, pass); +} + +/* Randomize a principal's password using the oldest appropriate kadm5 API. */ +static krb5_error_code +randkey_princ(krb5_principal princ, krb5_boolean keepold, int n_ks, + krb5_key_salt_tuple *ks) +{ + if (keepold || ks) { + return kadm5_randkey_principal_3(handle, princ, keepold, n_ks, ks, + NULL, NULL); + } else + return kadm5_randkey_principal(handle, princ, NULL, NULL); +} + +char * +kadmin_startup(int argc, char *argv[]) { extern char *optarg; char *princstr = NULL, *keytab_name = NULL, *query = NULL; @@ -224,155 +247,141 @@ char *kadmin_startup(argc, argv) char **db_args = NULL; int db_args_size = 0; char *db_name = NULL; - char *svcname; + char *svcname, *realm; memset(¶ms, 0, sizeof(params)); #if defined(USE_KIM) /* Turn off all password prompting from the KLL */ - retval = kim_library_set_allow_automatic_prompting (0); + retval = kim_library_set_allow_automatic_prompting(0); if (retval) { - com_err(whoami, retval, + com_err(whoami, retval, "while calling kim_library_set_allow_automatic_prompting()"); - exit(1); + exit(1); } #endif - if (strcmp (whoami, "kadmin.local") == 0) - set_com_err_hook(extended_com_err_fn); + if (strcmp(whoami, "kadmin.local") == 0) + set_com_err_hook(extended_com_err_fn); retval = kadm5_init_krb5_context(&context); if (retval) { - com_err(whoami, retval, "while initializing krb5 library"); - exit(1); + com_err(whoami, retval, "while initializing krb5 library"); + exit(1); } while ((optchar = getopt(argc, argv, "x:r:p:kq:w:d:s:mc:t:e:ON")) != EOF) { - switch (optchar) { - case 'x': - db_args_size++; - { - char **temp = realloc(db_args, sizeof(char*) * (db_args_size+1)); - if (temp == NULL) { - fprintf(stderr,"%s: Cannot initialize. Not enough memory\n", - argv[0]); - exit(1); - } - - db_args = temp; - } - db_args[db_args_size-1] = optarg; - db_args[db_args_size] = NULL; - break; - - case 'r': - def_realm = optarg; - break; - case 'p': - princstr = optarg; - break; - case 'c': - ccache_name = optarg; - break; - case 'k': - use_keytab++; - break; - case 't': - keytab_name = optarg; - break; - case 'w': - password = optarg; - break; - case 'q': - query = optarg; - break; - case 'd': - /* now db_name is not a seperate argument. It has to be passed as part of the db_args */ - if (db_name) - free(db_name); - asprintf(&db_name, "dbname=%s", optarg); - - db_args_size++; - { - char **temp = realloc(db_args, sizeof(char*) * (db_args_size+1)); /* one for NULL */ - if (temp == NULL) { - fprintf(stderr, - "%s: Cannot initialize. Not enough memory\n", - argv[0]); - exit(1); - } - - db_args = temp; - } - db_args[db_args_size-1] = db_name; - db_args[db_args_size] = NULL; - break; - case 's': - params.admin_server = optarg; - params.mask |= KADM5_CONFIG_ADMIN_SERVER; - break; - case 'm': - params.mkey_from_kbd = 1; - params.mask |= KADM5_CONFIG_MKEY_FROM_KBD; - break; - case 'e': - retval = krb5_string_to_keysalts(optarg, - ", \t", - ":.-", - 0, - ¶ms.keysalts, - ¶ms.num_keysalts); - if (retval) { - com_err(whoami, retval, "while parsing keysalts %s", optarg); - exit(1); - } - params.mask |= KADM5_CONFIG_ENCTYPES; - break; - case 'O': - params.mask |= KADM5_CONFIG_OLD_AUTH_GSSAPI; - break; - case 'N': - params.mask |= KADM5_CONFIG_AUTH_NOFALLBACK; - break; - default: - usage(); - } + switch (optchar) { + case 'x': + db_args_size++; + db_args = realloc(db_args, sizeof(char*) * (db_args_size + 1)); + if (db_args == NULL) { + fprintf(stderr, "%s: Cannot initialize. Not enough memory\n", + argv[0]); + exit(1); + } + db_args[db_args_size - 1] = optarg; + db_args[db_args_size] = NULL; + break; + + case 'r': + def_realm = optarg; + break; + case 'p': + princstr = optarg; + break; + case 'c': + ccache_name = optarg; + break; + case 'k': + use_keytab++; + break; + case 't': + keytab_name = optarg; + break; + case 'w': + password = optarg; + break; + case 'q': + query = optarg; + break; + case 'd': + /* db_name has to be passed as part of the db_args. */ + free(db_name); + asprintf(&db_name, "dbname=%s", optarg); + + db_args_size++; + db_args = realloc(db_args, sizeof(char*) * (db_args_size + 1)); + if (db_args == NULL) { + fprintf(stderr, "%s: Cannot initialize. Not enough memory\n", + argv[0]); + exit(1); + } + db_args[db_args_size - 1] = db_name; + db_args[db_args_size] = NULL; + break; + case 's': + params.admin_server = optarg; + params.mask |= KADM5_CONFIG_ADMIN_SERVER; + break; + case 'm': + params.mkey_from_kbd = 1; + params.mask |= KADM5_CONFIG_MKEY_FROM_KBD; + break; + case 'e': + retval = krb5_string_to_keysalts(optarg, ", \t", ":.-", 0, + ¶ms.keysalts, + ¶ms.num_keysalts); + if (retval) { + com_err(whoami, retval, "while parsing keysalts %s", optarg); + exit(1); + } + params.mask |= KADM5_CONFIG_ENCTYPES; + break; + case 'O': + params.mask |= KADM5_CONFIG_OLD_AUTH_GSSAPI; + break; + case 'N': + params.mask |= KADM5_CONFIG_AUTH_NOFALLBACK; + break; + default: + usage(); + } } if ((ccache_name && use_keytab) || - (keytab_name && !use_keytab)) - usage(); + (keytab_name && !use_keytab)) + usage(); if (def_realm == NULL && krb5_get_default_realm(context, &def_realm)) { - if (freeprinc) - free(princstr); - fprintf(stderr, "%s: unable to get default realm\n", whoami); - exit(1); + fprintf(stderr, "%s: unable to get default realm\n", whoami); + exit(1); } params.mask |= KADM5_CONFIG_REALM; params.realm = def_realm; if (params.mask & KADM5_CONFIG_OLD_AUTH_GSSAPI) - svcname = KADM5_ADMIN_SERVICE; + svcname = KADM5_ADMIN_SERVICE; else - svcname = NULL; + svcname = NULL; /* * Set cc to an open credentials cache, either specified by the -c * argument or the default. */ if (ccache_name == NULL) { - if ((retval = krb5_cc_default(context, &cc))) { - com_err(whoami, retval, - "while opening default credentials cache"); - exit(1); - } + retval = krb5_cc_default(context, &cc); + if (retval) { + com_err(whoami, retval, "while opening default credentials cache"); + exit(1); + } } else { - if ((retval = krb5_cc_resolve(context, ccache_name, &cc))) { - com_err(whoami, retval, - "while opening credentials cache %s", ccache_name); - exit(1); - } + retval = krb5_cc_resolve(context, ccache_name, &cc); + if (retval) { + com_err(whoami, retval, "while opening credentials cache %s", + ccache_name); + exit(1); + } } /* @@ -387,93 +396,85 @@ char *kadmin_startup(argc, argv) */ if (princstr == NULL) { - if (ccache_name != NULL && - !krb5_cc_get_principal(context, cc, &princ)) { - if ((retval = krb5_unparse_name(context, princ, &princstr))) { - com_err(whoami, retval, - "while canonicalizing principal name"); - krb5_free_principal(context, princ); - exit(1); - } - krb5_free_principal(context, princ); - freeprinc++; - } else if (use_keytab != 0) { - if ((retval = krb5_sname_to_principal(context, NULL, - "host", - KRB5_NT_SRV_HST, - &princ))) { - com_err(whoami, retval, - "creating host service principal"); - exit(1); - } - if ((retval = krb5_unparse_name(context, princ, &princstr))) { - com_err(whoami, retval, - "while canonicalizing principal name"); - krb5_free_principal(context, princ); - exit(1); - } - krb5_free_principal(context, princ); - freeprinc++; - } else if (!krb5_cc_get_principal(context, cc, &princ)) { - char *realm = NULL; - if (krb5_unparse_name(context, princ, &canon)) { - fprintf(stderr, - "%s: unable to canonicalize principal\n", whoami); - krb5_free_principal(context, princ); - exit(1); - } - /* strip out realm of principal if it's there */ - realm = strchr(canon, '@'); - while (realm) { - if (realm - canon && *(realm - 1) != '\\') - break; - else - realm = strchr(realm+1, '@'); - } - if (realm) - *realm++ = '\0'; - cp = strchr(canon, '/'); - while (cp) { - if (cp - canon && *(cp - 1) != '\\') - break; - else - cp = strchr(cp+1, '/'); - } - if (cp != NULL) - *cp = '\0'; - if (asprintf(&princstr, "%s/admin%s%s", canon, - (realm) ? "@" : "", - (realm) ? realm : "") < 0) { - fprintf(stderr, "%s: out of memory\n", whoami); - exit(1); - } - free(canon); - krb5_free_principal(context, princ); - freeprinc++; - } else if ((luser = getenv("USER"))) { - if (asprintf(&princstr, "%s/admin@%s", luser, def_realm) < 0) { - fprintf(stderr, "%s: out of memory\n", whoami); - exit(1); - } - freeprinc++; - } else if ((pw = getpwuid(getuid()))) { - if (asprintf(&princstr, "%s/admin@%s", pw->pw_name, - def_realm) < 0) { - fprintf(stderr, "%s: out of memory\n", whoami); - exit(1); - } - freeprinc++; - } else { - fprintf(stderr, "%s: unable to figure out a principal name\n", - whoami); - exit(1); - } + if (ccache_name != NULL && + !krb5_cc_get_principal(context, cc, &princ)) { + retval = krb5_unparse_name(context, princ, &princstr); + if (retval) { + com_err(whoami, retval, "while canonicalizing principal name"); + exit(1); + } + krb5_free_principal(context, princ); + freeprinc++; + } else if (use_keytab != 0) { + retval = krb5_sname_to_principal(context, NULL, "host", + KRB5_NT_SRV_HST, &princ); + if (retval) { + com_err(whoami, retval, "creating host service principal"); + exit(1); + } + retval = krb5_unparse_name(context, princ, &princstr); + if (retval) { + com_err(whoami, retval, "while canonicalizing principal name"); + exit(1); + } + krb5_free_principal(context, princ); + freeprinc++; + } else if (!krb5_cc_get_principal(context, cc, &princ)) { + if (krb5_unparse_name(context, princ, &canon)) { + fprintf(stderr, "%s: unable to canonicalize principal\n", + whoami); + exit(1); + } + /* Strip out realm of principal if it's there. */ + realm = strchr(canon, '@'); + while (realm) { + if (realm > canon && *(realm - 1) != '\\') + break; + realm = strchr(realm + 1, '@'); + } + if (realm) + *realm++ = '\0'; + cp = strchr(canon, '/'); + while (cp) { + if (cp > canon && *(cp - 1) != '\\') + break; + cp = strchr(cp + 1, '/'); + } + if (cp != NULL) + *cp = '\0'; + if (asprintf(&princstr, "%s/admin%s%s", canon, + (realm) ? "@" : "", + (realm) ? realm : "") < 0) { + fprintf(stderr, "%s: out of memory\n", whoami); + exit(1); + } + free(canon); + krb5_free_principal(context, princ); + freeprinc++; + } else if ((luser = getenv("USER"))) { + if (asprintf(&princstr, "%s/admin@%s", luser, def_realm) < 0) { + fprintf(stderr, "%s: out of memory\n", whoami); + exit(1); + } + freeprinc++; + } else if ((pw = getpwuid(getuid()))) { + if (asprintf(&princstr, "%s/admin@%s", pw->pw_name, + def_realm) < 0) { + fprintf(stderr, "%s: out of memory\n", whoami); + exit(1); + } + freeprinc++; + } else { + fprintf(stderr, "%s: unable to figure out a principal name\n", + whoami); + exit(1); + } } retval = krb5_klog_init(context, "admin_server", whoami, 0); if (retval) { - com_err(whoami, retval, "while setting up logging"); - exit(1); + com_err(whoami, retval, "while setting up logging"); + exit(1); } /* @@ -481,97 +482,83 @@ char *kadmin_startup(argc, argv) * use it. Otherwise, use/prompt for the password. */ if (ccache_name) { - printf("Authenticating as principal %s with existing credentials.\n", - princstr); - retval = kadm5_init_with_creds(context, princstr, cc, - svcname, - ¶ms, - KADM5_STRUCT_VERSION, - KADM5_API_VERSION_2, - db_args, - &handle); + printf("Authenticating as principal %s with existing credentials.\n", + princstr); + retval = kadm5_init_with_creds(context, princstr, cc, svcname, ¶ms, + KADM5_STRUCT_VERSION, + KADM5_API_VERSION_2, db_args, &handle); } else if (use_keytab) { - if (keytab_name) - printf("Authenticating as principal %s with keytab %s.\n", - princstr, keytab_name); - else - printf("Authenticating as principal %s with default keytab.\n", - princstr); - retval = kadm5_init_with_skey(context, princstr, keytab_name, - svcname, - ¶ms, - KADM5_STRUCT_VERSION, - KADM5_API_VERSION_2, - db_args, - &handle); + if (keytab_name) + printf("Authenticating as principal %s with keytab %s.\n", + princstr, keytab_name); + else + printf("Authenticating as principal %s with default keytab.\n", + princstr); + retval = kadm5_init_with_skey(context, princstr, keytab_name, svcname, + ¶ms, KADM5_STRUCT_VERSION, + KADM5_API_VERSION_2, db_args, &handle); } else { - printf("Authenticating as principal %s with password.\n", - princstr); - retval = kadm5_init_with_password(context, princstr, password, - svcname, - ¶ms, - KADM5_STRUCT_VERSION, - KADM5_API_VERSION_2, - db_args, - &handle); + printf("Authenticating as principal %s with password.\n", + princstr); + retval = kadm5_init_with_password(context, princstr, password, svcname, + ¶ms, KADM5_STRUCT_VERSION, + KADM5_API_VERSION_2, db_args, + &handle); } if (retval) { - com_err(whoami, retval, "while initializing %s interface", whoami); - if (retval == KADM5_BAD_CLIENT_PARAMS || - retval == KADM5_BAD_SERVER_PARAMS) - usage(); - exit(1); + com_err(whoami, retval, "while initializing %s interface", whoami); + if (retval == KADM5_BAD_CLIENT_PARAMS || + retval == KADM5_BAD_SERVER_PARAMS) + usage(); + exit(1); } if (freeprinc) - free(princstr); - - if (db_name) - free(db_name), db_name=NULL; + free(princstr); - if (db_args) - free(db_args), db_args=NULL; + free(db_name); + free(db_args); - if ((retval = krb5_cc_close(context, cc))) { - com_err(whoami, retval, "while closing ccache %s", - ccache_name); - exit(1); + retval = krb5_cc_close(context, cc); + if (retval) { + com_err(whoami, retval, "while closing ccache %s", ccache_name); + exit(1); } /* register the WRFILE keytab type and set it as the default */ { #define DEFAULT_KEYTAB "WRFILE:/etc/krb5.keytab" - /* XXX krb5_defkeyname is an internal library global and - should go away */ - extern char *krb5_defkeyname; - krb5_defkeyname = DEFAULT_KEYTAB; + /* XXX krb5_defkeyname is an internal library global and + should go away */ + extern char *krb5_defkeyname; + krb5_defkeyname = DEFAULT_KEYTAB; } - if ((retval = kadm5_init_iprop(handle, 0)) != 0) { - com_err(whoami, retval, _("while mapping update log")); - exit(1); + retval = kadm5_init_iprop(handle, 0); + if (retval) { + com_err(whoami, retval, _("while mapping update log")); + exit(1); } return query; } -int quit() +int +quit() { kadm5_ret_t retval; if (locked) { - retval = kadm5_unlock(handle); - if (retval) { - com_err("quit", retval, "while unlocking locked database"); - return 1; - } - locked = 0; + retval = kadm5_unlock(handle); + if (retval) { + com_err("quit", retval, "while unlocking locked database"); + return 1; + } + locked = 0; } kadm5_destroy(handle); - if (ccache_name != NULL) { - fprintf(stderr, - "\n\a\a\aAdministration credentials NOT DESTROYED.\n"); - } + if (ccache_name != NULL) + fprintf(stderr, "\n\a\a\aAdministration credentials NOT DESTROYED.\n"); /* insert more random cleanup here */ krb5_klog_close(context); @@ -579,327 +566,259 @@ int quit() return 0; } -void kadmin_lock(argc, argv) - int argc; - char *argv[]; +void +kadmin_lock(int argc, char *argv[]) { kadm5_ret_t retval; if (locked) - return; + return; retval = kadm5_lock(handle); if (retval) { - com_err("lock", retval, ""); - return; + com_err("lock", retval, ""); + return; } locked = 1; } -void kadmin_unlock(argc, argv) - int argc; - char *argv[]; +void +kadmin_unlock(int argc, char *argv[]) { kadm5_ret_t retval; if (!locked) - return; + return; retval = kadm5_unlock(handle); if (retval) { - com_err("unlock", retval, ""); - return; + com_err("unlock", retval, ""); + return; } locked = 0; } -void kadmin_delprinc(argc, argv) - int argc; - char *argv[]; +void +kadmin_delprinc(int argc, char *argv[]) { kadm5_ret_t retval; - krb5_principal princ; - char *canon; + krb5_principal princ = NULL; + char *canon = NULL; char reply[5]; if (! (argc == 2 || - (argc == 3 && !strcmp("-force", argv[1])))) { - fprintf(stderr, "usage: delete_principal [-force] principal\n"); - return; + (argc == 3 && !strcmp("-force", argv[1])))) { + fprintf(stderr, "usage: delete_principal [-force] principal\n"); + return; } retval = kadmin_parse_name(argv[argc - 1], &princ); if (retval) { - com_err("delete_principal", retval, "while parsing principal name"); - return; + com_err("delete_principal", retval, "while parsing principal name"); + return; } retval = krb5_unparse_name(context, princ, &canon); if (retval) { - com_err("delete_principal", retval, - "while canonicalizing principal"); - krb5_free_principal(context, princ); - return; + com_err("delete_principal", retval, "while canonicalizing principal"); + goto cleanup; } if (argc == 2) { - printf("Are you sure you want to delete the principal \"%s\"? (yes/no): ", canon); - fgets(reply, sizeof (reply), stdin); - if (strcmp("yes\n", reply)) { - fprintf(stderr, "Principal \"%s\" not deleted\n", canon); - free(canon); - krb5_free_principal(context, princ); - return; - } + printf("Are you sure you want to delete the principal \"%s\"? " + "(yes/no): ", canon); + fgets(reply, sizeof (reply), stdin); + if (strcmp("yes\n", reply)) { + fprintf(stderr, "Principal \"%s\" not deleted\n", canon); + goto cleanup; + } } retval = kadm5_delete_principal(handle, princ); - krb5_free_principal(context, princ); if (retval) { - com_err("delete_principal", retval, - "while deleting principal \"%s\"", canon); - free(canon); - return; + com_err("delete_principal", retval, + "while deleting principal \"%s\"", canon); + goto cleanup; } - printf("Principal \"%s\" deleted.\nMake sure that you have removed this principal from all ACLs before reusing.\n", canon); + printf("Principal \"%s\" deleted.\nMake sure that you have removed this " + "principal from all ACLs before reusing.\n", canon); + +cleanup: + krb5_free_principal(context, princ); free(canon); - return; } -void kadmin_cpw(argc, argv) - int argc; - char *argv[]; +static void +cpw_usage(const char *str) +{ + if (str) + fprintf(stderr, "%s\n", str); + fprintf(stderr, "usage: change_password [-randkey] [-keepold] " + "[-e keysaltlist] [-pw password] principal\n"); +} + +void +kadmin_cpw(int argc, char *argv[]) { kadm5_ret_t retval; static char newpw[1024]; static char prompt1[1024], prompt2[1024]; - char *canon; - char *pwarg = NULL; + char *canon = NULL, *pwarg = NULL; int n_ks_tuple = 0, randkey = 0; krb5_boolean keepold = FALSE; krb5_key_salt_tuple *ks_tuple = NULL; - krb5_principal princ; + krb5_principal princ = NULL; char **db_args = NULL; int db_args_size = 0; - if (argc < 2) { - goto usage; + cpw_usage(NULL); + return; } for (argv++, argc--; argc > 1; argc--, argv++) { - if (!strcmp("-x", *argv)) { - argc--; - if (argc < 1) { - fprintf(stderr, "change_password: missing db argument\n"); - goto usage; - } - db_args_size++; - { - char **temp = realloc(db_args, sizeof(char*) * (db_args_size+1)); /* one for NULL */ - if (temp == NULL) { - fprintf(stderr,"change_password: Not enough memory\n"); - free(db_args), db_args = NULL; - exit(1); - } - - db_args = temp; - } - db_args[db_args_size-1] = *++argv; - db_args[db_args_size] = NULL; - continue; - } - if (!strcmp("-pw", *argv)) { - argc--; - if (argc < 1) { - fprintf(stderr, "change_password: missing password arg\n"); - goto usage; - } - pwarg = *++argv; - continue; - } - if (!strcmp("-randkey", *argv)) { - randkey++; - continue; - } - if (!strcmp("-keepold", *argv)) { - keepold = TRUE; - continue; - } - if (!strcmp("-e", *argv)) { - argc--; - if (argc < 1) { - fprintf(stderr, - "change_password: missing keysaltlist arg\n"); - goto usage; - } - retval = krb5_string_to_keysalts(*++argv, ", \t", ":.-", 0, - &ks_tuple, &n_ks_tuple); - if (retval) { - com_err("change_password", retval, - "while parsing keysalts %s", *argv); - return; - } - continue; - } - goto usage; + if (!strcmp("-x", *argv)) { + argc--; + if (argc < 1) { + cpw_usage("change_password: missing db argument"); + goto cleanup; + } + db_args_size++; + db_args = realloc(db_args, sizeof(char*) * (db_args_size + 1)); + if (db_args == NULL) { + fprintf(stderr, "change_password: Not enough memory\n"); + exit(1); + } + db_args[db_args_size - 1] = *++argv; + db_args[db_args_size] = NULL; + } else if (!strcmp("-pw", *argv)) { + argc--; + if (argc < 1) { + cpw_usage("change_password: missing password arg"); + goto cleanup; + } + pwarg = *++argv; + } else if (!strcmp("-randkey", *argv)) { + randkey++; + } else if (!strcmp("-keepold", *argv)) { + keepold = TRUE; + } else if (!strcmp("-e", *argv)) { + argc--; + if (argc < 1) { + cpw_usage("change_password: missing keysaltlist arg"); + goto cleanup; + } + retval = krb5_string_to_keysalts(*++argv, ", \t", ":.-", 0, + &ks_tuple, &n_ks_tuple); + if (retval) { + com_err("change_password", retval, + "while parsing keysalts %s", *argv); + goto cleanup; + } + } else { + cpw_usage(NULL); + goto cleanup; + } } if (*argv == NULL) { - com_err("change_password", 0, "missing principal name"); - goto usage; + com_err("change_password", 0, "missing principal name"); + cpw_usage(NULL); + goto cleanup; } retval = kadmin_parse_name(*argv, &princ); if (retval) { - com_err("change_password", retval, "while parsing principal name"); - if (ks_tuple != NULL) - free(ks_tuple); - if (db_args) free(db_args); - return; + com_err("change_password", retval, "while parsing principal name"); + goto cleanup; } retval = krb5_unparse_name(context, princ, &canon); if (retval) { - com_err("change_password", retval, "while canonicalizing principal"); - krb5_free_principal(context, princ); - if (ks_tuple != NULL) - free(ks_tuple); - if (db_args) free(db_args); - return; + com_err("change_password", retval, "while canonicalizing principal"); + goto cleanup; } if (pwarg != NULL) { - if (keepold || ks_tuple != NULL) { - retval = kadm5_chpass_principal_3(handle, princ, keepold, - n_ks_tuple, ks_tuple, pwarg); - if (ks_tuple != NULL) - free(ks_tuple); - } else { - retval = kadm5_chpass_principal(handle, princ, pwarg); - } - krb5_free_principal(context, princ); - if (retval) { - com_err("change_password", retval, - "while changing password for \"%s\".", canon); - free(canon); - if (db_args) free(db_args); - return; - } - printf("Password for \"%s\" changed.\n", canon); - free(canon); - if (db_args) free(db_args); - return; + if (keepold || ks_tuple != NULL) { + retval = kadm5_chpass_principal_3(handle, princ, keepold, + n_ks_tuple, ks_tuple, pwarg); + } else { + retval = kadm5_chpass_principal(handle, princ, pwarg); + } + if (retval) { + com_err("change_password", retval, + "while changing password for \"%s\".", canon); + goto cleanup; + } + printf("Password for \"%s\" changed.\n", canon); } else if (randkey) { - if (keepold || ks_tuple != NULL) { - retval = kadm5_randkey_principal_3(handle, princ, keepold, - n_ks_tuple, ks_tuple, - NULL, NULL); - if (ks_tuple != NULL) - free(ks_tuple); - } else { - retval = kadm5_randkey_principal(handle, princ, NULL, NULL); - } - krb5_free_principal(context, princ); - if (retval) { - com_err("change_password", retval, - "while randomizing key for \"%s\".", canon); - free(canon); - if (db_args) free(db_args); - return; - } - printf("Key for \"%s\" randomized.\n", canon); - free(canon); - if (db_args) free(db_args); - return; - } else if (argc == 1) { - unsigned int i = sizeof (newpw) - 1; - - snprintf(prompt1, sizeof(prompt1), - "Enter password for principal \"%.900s\"", - *argv); - snprintf(prompt2, sizeof(prompt2), - "Re-enter password for principal \"%.900s\"", - *argv); - retval = krb5_read_password(context, prompt1, prompt2, - newpw, &i); - if (retval) { - com_err("change_password", retval, - "while reading password for \"%s\".", canon); - free(canon); - if (ks_tuple != NULL) - free(ks_tuple); - krb5_free_principal(context, princ); - if (db_args) free(db_args); - return; - } - if (keepold || ks_tuple != NULL) { - retval = kadm5_chpass_principal_3(handle, princ, keepold, - n_ks_tuple, ks_tuple, - newpw); - if (ks_tuple != NULL) - free(ks_tuple); - } else { - retval = kadm5_chpass_principal(handle, princ, newpw); - } - krb5_free_principal(context, princ); - memset(newpw, 0, sizeof (newpw)); - if (retval) { - com_err("change_password", retval, - "while changing password for \"%s\".", canon); - free(canon); - if (db_args) free(db_args); - return; - } - printf("Password for \"%s\" changed.\n", canon); - free(canon); - if (db_args) free(db_args); - return; + retval = randkey_princ(princ, keepold, n_ks_tuple, ks_tuple); + if (retval) { + com_err("change_password", retval, + "while randomizing key for \"%s\".", canon); + goto cleanup; + } + printf("Key for \"%s\" randomized.\n", canon); } else { - free(canon); - krb5_free_principal(context, princ); - usage: - if (db_args) free(db_args); - if (ks_tuple != NULL) - free(ks_tuple); - fprintf(stderr, - "usage: change_password [-randkey] [-keepold] " - "[-e keysaltlist] [-pw password] " - "principal\n"); - return; + unsigned int i = sizeof (newpw) - 1; + + snprintf(prompt1, sizeof(prompt1), + "Enter password for principal \"%s\"", canon); + snprintf(prompt2, sizeof(prompt2), + "Re-enter password for principal \"%s\"", canon); + retval = krb5_read_password(context, prompt1, prompt2, + newpw, &i); + if (retval) { + com_err("change_password", retval, + "while reading password for \"%s\".", canon); + goto cleanup; + } + if (keepold || ks_tuple != NULL) { + retval = kadm5_chpass_principal_3(handle, princ, keepold, + n_ks_tuple, ks_tuple, + newpw); + } else { + retval = kadm5_chpass_principal(handle, princ, newpw); + } + memset(newpw, 0, sizeof (newpw)); + if (retval) { + com_err("change_password", retval, + "while changing password for \"%s\".", canon); + goto cleanup; + } + printf("Password for \"%s\" changed.\n", canon); } +cleanup: + free(canon); + free(db_args); + krb5_free_principal(context, princ); + free(ks_tuple); } static void kadmin_free_tl_data(kadm5_principal_ent_t princ) { - krb5_tl_data *tl_data = princ->tl_data; - int n_tl_data = princ->n_tl_data; + krb5_tl_data *tl_data = princ->tl_data, *next; + int n_tl_data = princ->n_tl_data; int i; princ->n_tl_data = 0; - princ->tl_data = NULL; + princ->tl_data = NULL; for (i = 0; tl_data && (i < n_tl_data); i++) { - krb5_tl_data *next = tl_data->tl_data_next; - if (tl_data->tl_data_contents) - free(tl_data->tl_data_contents); - free(tl_data); - tl_data = next; + next = tl_data->tl_data_next; + free(tl_data->tl_data_contents); + free(tl_data); + tl_data = next; } } +/* + * Parse addprinc or modprinc arguments. Some output fields may be + * filled in on error. + */ #define KRB5_TL_DB_ARGS 0x7fff static int -kadmin_parse_princ_args(argc, argv, oprinc, mask, pass, randkey, - ks_tuple, n_ks_tuple, +kadmin_parse_princ_args(int argc, char *argv[], kadm5_principal_ent_t oprinc, + long *mask, char **pass, krb5_boolean *randkey, + krb5_key_salt_tuple **ks_tuple, int *n_ks_tuple, #if APPLE_PKINIT - cert_hash, + char **cert_hash, #endif /* APPLE_PKINIT */ - caller) - int argc; - char *argv[]; - kadm5_principal_ent_t oprinc; - long *mask; - char **pass; - int *randkey; - krb5_key_salt_tuple **ks_tuple; - int *n_ks_tuple; -#if APPLE_PKINIT - char **cert_hash; -#endif /* APPLE_PKINIT */ - char *caller; + char *caller) { - int i, j, attrib_set; + int i, attrib_set; + size_t j; time_t date; time_t now; krb5_error_code retval; @@ -913,254 +832,256 @@ kadmin_parse_princ_args(argc, argv, oprinc, mask, pass, randkey, *cert_hash = NULL; #endif /* APPLE_PKINIT */ time(&now); - *randkey = 0; + *randkey = FALSE; for (i = 1; i < argc - 1; i++) { - attrib_set = 0; - if (strlen(argv[i]) == 2 && - !strcmp("-x",argv[i])) { - if (++i > argc - 2) - return -1; - - tl_data = malloc(sizeof(krb5_tl_data)); - if (tl_data == NULL) { - fprintf(stderr, "Not enough memory\n"); - return ENOMEM; - } - - memset(tl_data, 0, sizeof(krb5_tl_data)); - tl_data->tl_data_type = KRB5_TL_DB_ARGS; - tl_data->tl_data_length = strlen(argv[i])+1; - tl_data->tl_data_contents = strdup(argv[i]); - - if (tail) { - tail->tl_data_next = tl_data; - } else { - oprinc->tl_data = tl_data; - } - tail = tl_data; - oprinc->n_tl_data++; - - if (tl_data->tl_data_contents == NULL) { - fprintf(stderr, "Not enough memory\n"); - return ENOMEM; - } - *mask |= KADM5_TL_DATA; - continue; - } - if (strlen(argv[i]) == 7 && - !strcmp("-expire", argv[i])) { - if (++i > argc - 2) - return -1; - else { - date = get_date(argv[i]); - if (date == (time_t)-1) { - fprintf(stderr, "Invalid date specification \"%s\".\n", - argv[i]); - return -1; - } - oprinc->princ_expire_time = date; - *mask |= KADM5_PRINC_EXPIRE_TIME; - continue; - } - } - if (strlen(argv[i]) == 9 && - !strcmp("-pwexpire", argv[i])) { - if (++i > argc - 2) - return -1; - else { - date = get_date(argv[i]); - if (date == (time_t)-1) { - fprintf(stderr, "Invalid date specification \"%s\".\n", - argv[i]); - return -1; - } - oprinc->pw_expiration = date; - *mask |= KADM5_PW_EXPIRATION; - continue; - } - } - if (strlen(argv[i]) == 8 && - !strcmp("-maxlife", argv[i])) { - if (++i > argc - 2) - return -1; - else { - date = get_date(argv[i]); - if (date == (time_t)-1) { - fprintf(stderr, "Invalid date specification \"%s\".\n", - argv[i]); - return -1; - } - oprinc->max_life = date - now; - *mask |= KADM5_MAX_LIFE; - continue; - } - } - if (strlen(argv[i]) == 13 && - !strcmp("-maxrenewlife", argv[i])) { - if (++i > argc - 2) - return -1; - else { - date = get_date(argv[i]); - if (date == (time_t)-1) { - fprintf(stderr, "Invalid date specification \"%s\".\n", - argv[i]); - return -1; - } - oprinc->max_renewable_life = date - now; - *mask |= KADM5_MAX_RLIFE; - continue; - } - } - if (strlen(argv[i]) == 5 && - !strcmp("-kvno", argv[i])) { - if (++i > argc - 2) - return -1; - else { - oprinc->kvno = atoi(argv[i]); - *mask |= KADM5_KVNO; - continue; - } - } - if (strlen(argv[i]) == 7 && - !strcmp("-policy", argv[i])) { - if (++i > argc - 2) - return -1; - else { - oprinc->policy = argv[i]; - *mask |= KADM5_POLICY; - continue; - } - } - if (strlen(argv[i]) == 12 && - !strcmp("-clearpolicy", argv[i])) { - oprinc->policy = NULL; - *mask |= KADM5_POLICY_CLR; - continue; - } - if (strlen(argv[i]) == 3 && - !strcmp("-pw", argv[i])) { - if (++i > argc - 2) - return -1; - else { - *pass = argv[i]; - continue; - } - } - if (strlen(argv[i]) == 8 && - !strcmp("-randkey", argv[i])) { - ++*randkey; - continue; - } + attrib_set = 0; + if (strlen(argv[i]) == 2 && !strcmp("-x",argv[i])) { + if (++i > argc - 2) + return -1; + + tl_data = malloc(sizeof(krb5_tl_data)); + if (tl_data == NULL) { + fprintf(stderr, "Not enough memory\n"); + exit(1); + } + + memset(tl_data, 0, sizeof(krb5_tl_data)); + tl_data->tl_data_type = KRB5_TL_DB_ARGS; + tl_data->tl_data_length = strlen(argv[i])+1; + tl_data->tl_data_contents = (krb5_octet *) strdup(argv[i]); + + if (tail) { + tail->tl_data_next = tl_data; + } else { + oprinc->tl_data = tl_data; + } + tail = tl_data; + oprinc->n_tl_data++; + + if (tl_data->tl_data_contents == NULL) { + fprintf(stderr, "Not enough memory\n"); + exit(1); + } + *mask |= KADM5_TL_DATA; + continue; + } + if (strlen(argv[i]) == 7 && !strcmp("-expire", argv[i])) { + if (++i > argc - 2) + return -1; + else { + date = get_date(argv[i]); + if (date == (time_t)-1) { + fprintf(stderr, "Invalid date specification \"%s\".\n", + argv[i]); + return -1; + } + oprinc->princ_expire_time = date; + *mask |= KADM5_PRINC_EXPIRE_TIME; + continue; + } + } + if (strlen(argv[i]) == 9 && !strcmp("-pwexpire", argv[i])) { + if (++i > argc - 2) + return -1; + else { + date = get_date(argv[i]); + if (date == (time_t)-1) { + fprintf(stderr, "Invalid date specification \"%s\".\n", + argv[i]); + return -1; + } + oprinc->pw_expiration = date; + *mask |= KADM5_PW_EXPIRATION; + continue; + } + } + if (strlen(argv[i]) == 8 && !strcmp("-maxlife", argv[i])) { + if (++i > argc - 2) + return -1; + else { + date = get_date(argv[i]); + if (date == (time_t)-1) { + fprintf(stderr, "Invalid date specification \"%s\".\n", + argv[i]); + return -1; + } + oprinc->max_life = date - now; + *mask |= KADM5_MAX_LIFE; + continue; + } + } + if (strlen(argv[i]) == 13 && !strcmp("-maxrenewlife", argv[i])) { + if (++i > argc - 2) + return -1; + else { + date = get_date(argv[i]); + if (date == (time_t)-1) { + fprintf(stderr, "Invalid date specification \"%s\".\n", + argv[i]); + return -1; + } + oprinc->max_renewable_life = date - now; + *mask |= KADM5_MAX_RLIFE; + continue; + } + } + if (strlen(argv[i]) == 5 && !strcmp("-kvno", argv[i])) { + if (++i > argc - 2) + return -1; + else { + oprinc->kvno = atoi(argv[i]); + *mask |= KADM5_KVNO; + continue; + } + } + if (strlen(argv[i]) == 7 && !strcmp("-policy", argv[i])) { + if (++i > argc - 2) + return -1; + else { + oprinc->policy = argv[i]; + *mask |= KADM5_POLICY; + continue; + } + } + if (strlen(argv[i]) == 12 && !strcmp("-clearpolicy", argv[i])) { + oprinc->policy = NULL; + *mask |= KADM5_POLICY_CLR; + continue; + } + if (strlen(argv[i]) == 3 && !strcmp("-pw", argv[i])) { + if (++i > argc - 2) + return -1; + else { + *pass = argv[i]; + continue; + } + } + if (strlen(argv[i]) == 8 && !strcmp("-randkey", argv[i])) { + *randkey = TRUE; + continue; + } #if APPLE_PKINIT - if (strlen(argv[i]) == 9 && - !strcmp("-certhash", argv[i])) { - if (++i > argc - 2) - return -1; - else { - *cert_hash = argv[i]; - continue; - } - } + if (strlen(argv[i]) == 9 && !strcmp("-certhash", argv[i])) { + if (++i > argc - 2) + return -1; + else { + *cert_hash = argv[i]; + continue; + } + } #endif /* APPLE_PKINIT */ - if (!strcmp("-e", argv[i])) { - if (++i > argc - 2) - return -1; - else { - retval = krb5_string_to_keysalts(argv[i], ", \t", ":.-", 0, - ks_tuple, n_ks_tuple); - if (retval) { - com_err(caller, retval, - "while parsing keysalts %s", argv[i]); - return -1; - } - } - continue; - } - for (j = 0; j < sizeof (flags) / sizeof (struct pflag); j++) { - if (strlen(argv[i]) == flags[j].flaglen + 1 && - !strcmp(flags[j].flagname, - &argv[i][1] /* strip off leading + or - */)) { - if ((flags[j].set && argv[i][0] == '-') || - (!flags[j].set && argv[i][0] == '+')) { - oprinc->attributes |= flags[j].theflag; - *mask |= KADM5_ATTRIBUTES; - attrib_set++; - break; - } else if ((flags[j].set && argv[i][0] == '+') || - (!flags[j].set && argv[i][0] == '-')) { - oprinc->attributes &= ~flags[j].theflag; - *mask |= KADM5_ATTRIBUTES; - attrib_set++; - break; - } else { - return -1; - } - } - } - if (!attrib_set) - return -1; /* nothing was parsed */ - } - if (i != argc - 1) { - return -1; + if (!strcmp("-e", argv[i])) { + if (++i > argc - 2) + return -1; + else { + retval = krb5_string_to_keysalts(argv[i], ", \t", ":.-", 0, + ks_tuple, n_ks_tuple); + if (retval) { + com_err(caller, retval, + "while parsing keysalts %s", argv[i]); + return -1; + } + } + continue; + } + for (j = 0; j < sizeof(flags) / sizeof(struct pflag); j++) { + if (strlen(argv[i]) == flags[j].flaglen + 1 && + !strcmp(flags[j].flagname, + &argv[i][1] /* strip off leading + or - */)) { + if ((flags[j].set && argv[i][0] == '-') || + (!flags[j].set && argv[i][0] == '+')) { + oprinc->attributes |= flags[j].theflag; + *mask |= KADM5_ATTRIBUTES; + attrib_set++; + break; + } else if ((flags[j].set && argv[i][0] == '+') || + (!flags[j].set && argv[i][0] == '-')) { + oprinc->attributes &= ~flags[j].theflag; + *mask |= KADM5_ATTRIBUTES; + attrib_set++; + break; + } else { + return -1; + } + } + } + if (!attrib_set) + return -1; /* nothing was parsed */ } + if (i != argc - 1) + return -1; retval = kadmin_parse_name(argv[i], &oprinc->principal); if (retval) { - com_err(caller, retval, "while parsing principal"); - return -1; + com_err(caller, retval, "while parsing principal"); + return -1; } return 0; } static void -kadmin_addprinc_usage(func) - char *func; +kadmin_addprinc_usage() { - fprintf(stderr, "usage: %s [options] principal\n", func); + fprintf(stderr, "usage: add_principal [options] principal\n"); fprintf(stderr, "\toptions are:\n"); - fprintf(stderr, "\t\t[-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]\n\t\t[-kvno kvno] [-policy policy] [-clearpolicy] [-randkey]\n\t\t[-pw password] [-maxrenewlife maxrenewlife]\n\t\t[-e keysaltlist]\n\t\t[{+|-}attribute]\n" + fprintf(stderr, "\t\t[-x db_princ_args]* [-expire expdate] " + "[-pwexpire pwexpdate] [-maxlife maxtixlife]\n" + "\t\t[-kvno kvno] [-policy policy] [-clearpolicy] [-randkey]\n" + "\t\t[-pw password] [-maxrenewlife maxrenewlife]\n" + "\t\t[-e keysaltlist]\n\t\t[{+|-}attribute]\n" #if APPLE_PKINIT "\t\t[-certhash hash_string]\n" #endif /* APPLE_PKINIT */ ); fprintf(stderr, "\tattributes are:\n"); fprintf(stderr, "%s%s%s", - "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n", - "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n", - "\t\trequires_hwauth needchange allow_svr password_changing_service\n" - "\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n" - "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n" - "\t\t\tLook at each database documentation for supported arguments\n"); + "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n", + "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n", + "\t\trequires_hwauth needchange allow_svr password_changing_service\n" + "\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n" + "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n" + "\t\t\tLook at each database documentation for supported arguments\n"); } static void -kadmin_modprinc_usage(func) - char *func; +kadmin_modprinc_usage() { - fprintf(stderr, "usage: %s [options] principal\n", func); + fprintf(stderr, "usage: modify_principal [options] principal\n"); fprintf(stderr, "\toptions are:\n"); fprintf(stderr, "\t\t[-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]\n\t\t[-kvno kvno] [-policy policy] [-clearpolicy]\n\t\t[-maxrenewlife maxrenewlife] [{+|-}attribute]\n"); fprintf(stderr, "\tattributes are:\n"); fprintf(stderr, "%s%s%s", - "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n", - "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n", - "\t\trequires_hwauth needchange allow_svr password_changing_service\n" - "\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n" - "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n" - "\t\t\tLook at each database documentation for supported arguments\n" - ); + "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n", + "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n", + "\t\trequires_hwauth needchange allow_svr password_changing_service\n" + "\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n" + "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n" + "\t\t\tLook at each database documentation for supported arguments\n" + ); +} + +/* Create a dummy password for old-style (pre-1.8) randkey creation. */ +static void +prepare_dummy_password(char *buf, size_t sz) +{ + size_t i; + + /* Must try to pass any password policy in place, and be valid UTF-8. */ + strlcpy(buf, "6F a[", sz); + for (i = strlen(buf); i < sz - 1; i++) + buf[i] = 'a' + (i % 26); + buf[sz - 1] = '\0'; } -void kadmin_addprinc(argc, argv) - int argc; - char *argv[]; +void +kadmin_addprinc(int argc, char *argv[]) { kadm5_principal_ent_rec princ; kadm5_policy_ent_rec defpol; long mask; - int randkey = 0, i; + krb5_boolean randkey = FALSE, old_style_randkey = FALSE; int n_ks_tuple; - krb5_key_salt_tuple *ks_tuple; - char *pass, *canon; + krb5_key_salt_tuple *ks_tuple = NULL; + char *pass, *canon = NULL; krb5_error_code retval; char newpw[1024], dummybuf[256]; static char prompt1[1024], prompt2[1024]; @@ -1168,48 +1089,32 @@ void kadmin_addprinc(argc, argv) char *cert_hash = NULL; #endif /* APPLE_PKINIT */ - /* - dummybuf is used to give random key a password, - random key entires are created with DISALLOW_ALL_TIX - so lets give them a known password utf8 valid pasword - */ - for (i = 0; i < sizeof(dummybuf) - 1; i++) - dummybuf[i] = 'a' + (random() % 25); - dummybuf[sizeof(dummybuf) - 1] = '\0'; - /* Zero all fields in request structure */ memset(&princ, 0, sizeof(princ)); princ.attributes = 0; - if (kadmin_parse_princ_args(argc, argv, - &princ, &mask, &pass, &randkey, - &ks_tuple, &n_ks_tuple, + if (kadmin_parse_princ_args(argc, argv, &princ, &mask, &pass, &randkey, + &ks_tuple, &n_ks_tuple, #if APPLE_PKINIT &cert_hash, #endif /* APPLE_PKINIT */ - "add_principal")) { - kadmin_addprinc_usage("add_principal"); - kadmin_free_tl_data(&princ); /* need to free ks_tuple also??? */ - return; + "add_principal")) { + kadmin_addprinc_usage(); + goto cleanup; } #if APPLE_PKINIT if(cert_hash != NULL) { - fprintf(stderr, + fprintf(stderr, "add_principal: -certhash not allowed; use modify_principal\n"); - return; + goto cleanup; } #endif /* APPLE_PKINIT */ retval = krb5_unparse_name(context, princ.principal, &canon); if (retval) { - com_err("add_principal", - retval, "while canonicalizing principal"); - krb5_free_principal(context, princ.principal); - if (ks_tuple != NULL) - free(ks_tuple); - kadmin_free_tl_data(&princ); - return; + com_err("add_principal", retval, "while canonicalizing principal"); + goto cleanup; } /* @@ -1218,126 +1123,98 @@ void kadmin_addprinc(argc, argv) * -clearpolicy was specified, then KADM5_POLICY_CLR should be * unset, since it is never valid for kadm5_create_principal. */ - if ((! (mask & KADM5_POLICY)) && - (! (mask & KADM5_POLICY_CLR))) { - if (! kadm5_get_policy(handle, "default", &defpol)) { - fprintf(stderr, - "NOTICE: no policy specified for %s; assigning \"default\"\n", - canon); - princ.policy = "default"; - mask |= KADM5_POLICY; - (void) kadm5_free_policy_ent(handle, &defpol); - } else - fprintf(stderr, - "WARNING: no policy specified for %s; defaulting to no policy\n", - canon); + if (!(mask & KADM5_POLICY) && !(mask & KADM5_POLICY_CLR)) { + if (!kadm5_get_policy(handle, "default", &defpol)) { + fprintf(stderr, "NOTICE: no policy specified for %s; " + "assigning \"default\"\n", canon); + princ.policy = "default"; + mask |= KADM5_POLICY; + kadm5_free_policy_ent(handle, &defpol); + } else + fprintf(stderr, "WARNING: no policy specified for %s; " + "defaulting to no policy\n", canon); } mask &= ~KADM5_POLICY_CLR; - if (randkey) { /* do special stuff if -randkey specified */ - princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; /* set notix */ - mask |= KADM5_ATTRIBUTES; - pass = dummybuf; + if (randkey) { + pass = NULL; } else if (pass == NULL) { - unsigned int sz = sizeof (newpw) - 1; - - snprintf(prompt1, sizeof(prompt1), - "Enter password for principal \"%.900s\"", - canon); - snprintf(prompt2, sizeof(prompt2), - "Re-enter password for principal \"%.900s\"", - canon); - retval = krb5_read_password(context, prompt1, prompt2, - newpw, &sz); - if (retval) { - com_err("add_principal", retval, - "while reading password for \"%s\".", canon); - free(canon); - krb5_free_principal(context, princ.principal); - kadmin_free_tl_data(&princ); - return; - } - pass = newpw; + unsigned int sz = sizeof(newpw) - 1; + + snprintf(prompt1, sizeof(prompt1), + "Enter password for principal \"%s\"", canon); + snprintf(prompt2, sizeof(prompt2), + "Re-enter password for principal \"%s\"", canon); + retval = krb5_read_password(context, prompt1, prompt2, newpw, &sz); + if (retval) { + com_err("add_principal", retval, + "while reading password for \"%s\".", canon); + goto cleanup; + } + pass = newpw; } mask |= KADM5_PRINCIPAL; - if (ks_tuple != NULL) { - retval = kadm5_create_principal_3(handle, &princ, mask, - n_ks_tuple, ks_tuple, pass); - } else { - retval = kadm5_create_principal(handle, &princ, mask, pass); + retval = create_princ(&princ, mask, n_ks_tuple, ks_tuple, pass); + if (retval == EINVAL && randkey) { + /* + * The server doesn't support randkey creation. Create the principal + * with a dummy password and disallow tickets. + */ + prepare_dummy_password(dummybuf, sizeof(dummybuf)); + princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; + mask |= KADM5_ATTRIBUTES; + pass = dummybuf; + retval = create_princ(&princ, mask, n_ks_tuple, ks_tuple, pass); + old_style_randkey = 1; } if (retval) { - com_err("add_principal", retval, "while creating \"%s\".", - canon); - krb5_free_principal(context, princ.principal); - free(canon); - if (ks_tuple != NULL) - free(ks_tuple); - kadmin_free_tl_data(&princ); - return; - } - if (randkey) { /* more special stuff for -randkey */ - if (ks_tuple != NULL) { - retval = kadm5_randkey_principal_3(handle, princ.principal, - FALSE, - n_ks_tuple, ks_tuple, - NULL, NULL); - } else { - retval = kadm5_randkey_principal(handle, princ.principal, - NULL, NULL); - } - if (retval) { - com_err("add_principal", retval, - "while randomizing key for \"%s\".", canon); - krb5_free_principal(context, princ.principal); - free(canon); - if (ks_tuple != NULL) - free(ks_tuple); - kadmin_free_tl_data(&princ); - return; - } - princ.attributes &= ~KRB5_KDB_DISALLOW_ALL_TIX; /* clear notix */ - mask = KADM5_ATTRIBUTES; - retval = kadm5_modify_principal(handle, &princ, mask); - if (retval) { - com_err("add_principal", retval, - "while clearing DISALLOW_ALL_TIX for \"%s\".", canon); - krb5_free_principal(context, princ.principal); - free(canon); - if (ks_tuple != NULL) - free(ks_tuple); - kadmin_free_tl_data(&princ); - return; - } + com_err("add_principal", retval, "while creating \"%s\".", canon); + goto cleanup; + } + if (old_style_randkey) { + /* Randomize the password and re-enable tickets. */ + retval = randkey_princ(princ.principal, FALSE, n_ks_tuple, ks_tuple); + if (retval) { + com_err("add_principal", retval, + "while randomizing key for \"%s\".", canon); + goto cleanup; + } + princ.attributes &= ~KRB5_KDB_DISALLOW_ALL_TIX; /* clear notix */ + mask = KADM5_ATTRIBUTES; + retval = kadm5_modify_principal(handle, &princ, mask); + if (retval) { + com_err("add_principal", retval, + "while clearing DISALLOW_ALL_TIX for \"%s\".", canon); + goto cleanup; + } } - krb5_free_principal(context, princ.principal); printf("Principal \"%s\" created.\n", canon); - if (ks_tuple != NULL) - free(ks_tuple); + +cleanup: + krb5_free_principal(context, princ.principal); + free(ks_tuple); free(canon); kadmin_free_tl_data(&princ); - } -void kadmin_modprinc(argc, argv) - int argc; - char *argv[]; +void +kadmin_modprinc(int argc, char *argv[]) { kadm5_principal_ent_rec princ, oldprinc; - krb5_principal kprinc; + krb5_principal kprinc = NULL; long mask; krb5_error_code retval; - char *pass, *canon; - int randkey = 0; + char *pass, *canon = NULL; + krb5_boolean randkey = FALSE; int n_ks_tuple = 0; - krb5_key_salt_tuple *ks_tuple; + krb5_key_salt_tuple *ks_tuple = NULL; #if APPLE_PKINIT char *cert_hash = NULL; #endif /* APPLE_PKINIT */ if (argc < 2) { - kadmin_modprinc_usage("modify_principal"); - return; + kadmin_modprinc_usage(); + return; } memset(&oldprinc, 0, sizeof(oldprinc)); @@ -1345,77 +1222,44 @@ void kadmin_modprinc(argc, argv) retval = kadmin_parse_name(argv[argc - 1], &kprinc); if (retval) { - com_err("modify_principal", retval, "while parsing principal"); - return; + com_err("modify_principal", retval, "while parsing principal"); + return; } retval = krb5_unparse_name(context, kprinc, &canon); if (retval) { - com_err("modify_principal", retval, - "while canonicalizing principal"); - krb5_free_principal(context, kprinc); - return; + com_err("modify_principal", retval, "while canonicalizing principal"); + goto cleanup; } retval = kadm5_get_principal(handle, kprinc, &oldprinc, - KADM5_PRINCIPAL_NORMAL_MASK); + KADM5_PRINCIPAL_NORMAL_MASK); if (retval) { - com_err("modify_principal", retval, "while getting \"%s\".", - canon); - krb5_free_principal(context, kprinc); - free(canon); - return; + com_err("modify_principal", retval, "while getting \"%s\".", canon); + goto cleanup; } princ.attributes = oldprinc.attributes; kadm5_free_principal_ent(handle, &oldprinc); retval = kadmin_parse_princ_args(argc, argv, - &princ, &mask, - &pass, &randkey, - &ks_tuple, &n_ks_tuple, + &princ, &mask, + &pass, &randkey, + &ks_tuple, &n_ks_tuple, #if APPLE_PKINIT &cert_hash, #endif /* APPLE_PKINIT */ - "modify_principal"); - if (ks_tuple != NULL) { - free(ks_tuple); - kadmin_modprinc_usage("modify_principal"); - free(canon); - krb5_free_principal(context, kprinc); - kadmin_free_tl_data(&princ); /* Apple had this commented out. Why? */ - return; - } - if (retval) { - kadmin_modprinc_usage("modify_principal"); - free(canon); - krb5_free_principal(context, kprinc); - kadmin_free_tl_data(&princ); /* Apple had this commented out. Why? */ - return; - } - if (randkey) { - fprintf(stderr, "modify_principal: -randkey not allowed\n"); - krb5_free_principal(context, princ.principal); - free(canon); - krb5_free_principal(context, kprinc); - kadmin_free_tl_data(&princ); - return; - } - if (pass) { - fprintf(stderr, - "modify_principal: -pw not allowed; use change_password\n"); - krb5_free_principal(context, princ.principal); - free(canon); - krb5_free_principal(context, kprinc); - kadmin_free_tl_data(&princ); - return; + "modify_principal"); + if (retval || ks_tuple != NULL || randkey || pass) { + kadmin_modprinc_usage(); + goto cleanup; } #if APPLE_PKINIT if (cert_hash) { - /* + /* * Use something other than the 1st preferred enctype here for fallback * to pwd authentication */ krb5_key_salt_tuple key_salt = {ENCTYPE_ARCFOUR_HMAC, KRB5_KDB_SALTTYPE_CERTHASH}; krb5_keyblock keyblock; kadm5_ret_t kadmin_rtn; - + keyblock.magic = KV5M_KEYBLOCK; keyblock.enctype = ENCTYPE_ARCFOUR_HMAC; keyblock.length = strlen(cert_hash); @@ -1428,275 +1272,250 @@ void kadmin_modprinc(argc, argv) com_err("modify_principal", kadmin_rtn, "while adding certhash for \"%s\".", canon); printf("realm %s data %s\n", (char *)kprinc->realm.data, (char *)kprinc->data->data); - free(canon); - krb5_free_principal(context, princ.principal); - krb5_free_principal(context, kprinc); - return; + goto cleanup; } retval = 0; } #endif /* APPLE_PKINIT */ if (mask) { - /* skip this if all we're doing is setting certhash */ - retval = kadm5_modify_principal(handle, &princ, mask); + /* Skip this if all we're doing is setting certhash. */ + retval = kadm5_modify_principal(handle, &princ, mask); } - krb5_free_principal(context, kprinc); - krb5_free_principal(context, princ.principal); if (retval) { - com_err("modify_principal", retval, - "while modifying \"%s\".", canon); - free(canon); - kadmin_free_tl_data(&princ); - return; + com_err("modify_principal", retval, "while modifying \"%s\".", canon); + goto cleanup; } printf("Principal \"%s\" modified.\n", canon); +cleanup: + krb5_free_principal(context, kprinc); + krb5_free_principal(context, princ.principal); kadmin_free_tl_data(&princ); free(canon); + free(ks_tuple); } -void kadmin_getprinc(argc, argv) - int argc; - char *argv[]; +void +kadmin_getprinc(int argc, char *argv[]) { kadm5_principal_ent_rec dprinc; - krb5_principal princ; + krb5_principal princ = NULL; krb5_error_code retval; - char *canon, *modcanon; + char *canon = NULL, *modcanon = NULL; int i; + size_t j; - if (! (argc == 2 || - (argc == 3 && !strcmp("-terse", argv[1])))) { - fprintf(stderr, "usage: get_principal [-terse] principal\n"); - return; + if (!(argc == 2 || (argc == 3 && !strcmp("-terse", argv[1])))) { + fprintf(stderr, "usage: get_principal [-terse] principal\n"); + return; } - memset(&dprinc, 0, sizeof(dprinc)); - memset(&princ, 0, sizeof(princ)); retval = kadmin_parse_name(argv[argc - 1], &princ); if (retval) { - com_err("get_principal", retval, "while parsing principal"); - return; + com_err("get_principal", retval, "while parsing principal"); + return; } retval = krb5_unparse_name(context, princ, &canon); if (retval) { - com_err("get_principal", retval, "while canonicalizing principal"); - krb5_free_principal(context, princ); - return; + com_err("get_principal", retval, "while canonicalizing principal"); + goto cleanup; } retval = kadm5_get_principal(handle, princ, &dprinc, - KADM5_PRINCIPAL_NORMAL_MASK | KADM5_KEY_DATA); - krb5_free_principal(context, princ); + KADM5_PRINCIPAL_NORMAL_MASK | KADM5_KEY_DATA); if (retval) { - com_err("get_principal", retval, "while retrieving \"%s\".", canon); - free(canon); - return; + com_err("get_principal", retval, "while retrieving \"%s\".", canon); + goto cleanup; } - free(canon); - canon = NULL; retval = krb5_unparse_name(context, dprinc.principal, &canon); if (retval) { - com_err("get_principal", retval, "while canonicalizing principal"); - kadm5_free_principal_ent(handle, &dprinc); - return; + com_err("get_principal", retval, "while canonicalizing principal"); + goto cleanup; } retval = krb5_unparse_name(context, dprinc.mod_name, &modcanon); if (retval) { - com_err("get_principal", retval, "while unparsing modname"); - kadm5_free_principal_ent(handle, &dprinc); - free(canon); - return; + com_err("get_principal", retval, "while unparsing modname"); + goto cleanup; } if (argc == 2) { - printf("Principal: %s\n", canon); - printf("Expiration date: %s\n", dprinc.princ_expire_time ? - strdate(dprinc.princ_expire_time) : "[never]"); - printf("Last password change: %s\n", dprinc.last_pwd_change ? - strdate(dprinc.last_pwd_change) : "[never]"); - printf("Password expiration date: %s\n", - dprinc.pw_expiration ? - strdate(dprinc.pw_expiration) : "[none]"); - printf("Maximum ticket life: %s\n", strdur(dprinc.max_life)); - printf("Maximum renewable life: %s\n", strdur(dprinc.max_renewable_life)); - printf("Last modified: %s (%s)\n", strdate(dprinc.mod_date), modcanon); - printf("Last successful authentication: %s\n", - dprinc.last_success ? strdate(dprinc.last_success) : - "[never]"); - printf("Last failed authentication: %s\n", - dprinc.last_failed ? strdate(dprinc.last_failed) : - "[never]"); - printf("Failed password attempts: %d\n", - dprinc.fail_auth_count); - printf("Number of keys: %d\n", dprinc.n_key_data); - for (i = 0; i < dprinc.n_key_data; i++) { - krb5_key_data *key_data = &dprinc.key_data[i]; - char enctype[BUFSIZ], salttype[BUFSIZ]; - - if (krb5_enctype_to_string(key_data->key_data_type[0], - enctype, sizeof(enctype))) - snprintf(enctype, sizeof(enctype), "", - key_data->key_data_type[0]); - printf("Key: vno %d, %s, ", key_data->key_data_kvno, enctype); - if (key_data->key_data_ver > 1) { - if (krb5_salttype_to_string(key_data->key_data_type[1], - salttype, sizeof(salttype))) - snprintf(salttype, sizeof(salttype), "", - key_data->key_data_type[1]); - printf("%s\n", salttype); - } else - printf("no salt\n"); - } - printf("MKey: vno %d\n", - dprinc.mkvno); - - printf("Attributes:"); - for (i = 0; i < sizeof (prflags) / sizeof (char *); i++) { - if (dprinc.attributes & (krb5_flags) 1 << i) - printf(" %s", prflags[i]); - } - printf("\n"); - printf("Policy: %s\n", dprinc.policy ? dprinc.policy : "[none]"); + printf("Principal: %s\n", canon); + printf("Expiration date: %s\n", dprinc.princ_expire_time ? + strdate(dprinc.princ_expire_time) : "[never]"); + printf("Last password change: %s\n", dprinc.last_pwd_change ? + strdate(dprinc.last_pwd_change) : "[never]"); + printf("Password expiration date: %s\n", + dprinc.pw_expiration ? + strdate(dprinc.pw_expiration) : "[none]"); + printf("Maximum ticket life: %s\n", strdur(dprinc.max_life)); + printf("Maximum renewable life: %s\n", + strdur(dprinc.max_renewable_life)); + printf("Last modified: %s (%s)\n", strdate(dprinc.mod_date), modcanon); + printf("Last successful authentication: %s\n", + dprinc.last_success ? strdate(dprinc.last_success) : + "[never]"); + printf("Last failed authentication: %s\n", + dprinc.last_failed ? strdate(dprinc.last_failed) : + "[never]"); + printf("Failed password attempts: %d\n", + dprinc.fail_auth_count); + printf("Number of keys: %d\n", dprinc.n_key_data); + for (i = 0; i < dprinc.n_key_data; i++) { + krb5_key_data *key_data = &dprinc.key_data[i]; + char enctype[BUFSIZ], salttype[BUFSIZ]; + + if (krb5_enctype_to_string(key_data->key_data_type[0], + enctype, sizeof(enctype))) + snprintf(enctype, sizeof(enctype), "", + key_data->key_data_type[0]); + printf("Key: vno %d, %s, ", key_data->key_data_kvno, enctype); + if (key_data->key_data_ver > 1) { + if (krb5_salttype_to_string(key_data->key_data_type[1], + salttype, sizeof(salttype))) + snprintf(salttype, sizeof(salttype), "", + key_data->key_data_type[1]); + printf("%s\n", salttype); + } else + printf("no salt\n"); + } + printf("MKey: vno %d\n", + dprinc.mkvno); + + printf("Attributes:"); + for (j = 0; j < sizeof(prflags) / sizeof(char *); j++) { + if (dprinc.attributes & (krb5_flags) 1 << j) + printf(" %s", prflags[j]); + } + printf("\n"); + printf("Policy: %s\n", dprinc.policy ? dprinc.policy : "[none]"); } else { - printf("\"%s\"\t%d\t%d\t%d\t%d\t\"%s\"\t%d\t%d\t%d\t%d\t\"%s\"" - "\t%d\t%d\t%d\t%d\t%d", - canon, dprinc.princ_expire_time, dprinc.last_pwd_change, - dprinc.pw_expiration, dprinc.max_life, modcanon, - dprinc.mod_date, dprinc.attributes, dprinc.kvno, - dprinc.mkvno, dprinc.policy ? dprinc.policy : "[none]", - dprinc.max_renewable_life, dprinc.last_success, - dprinc.last_failed, dprinc.fail_auth_count, - dprinc.n_key_data); - for (i = 0; i < dprinc.n_key_data; i++) - printf("\t%d\t%d\t%d\t%d", - dprinc.key_data[i].key_data_ver, - dprinc.key_data[i].key_data_kvno, - dprinc.key_data[i].key_data_type[0], - dprinc.key_data[i].key_data_type[1]); - printf("\n"); - } - free(modcanon); + printf("\"%s\"\t%d\t%d\t%d\t%d\t\"%s\"\t%d\t%d\t%d\t%d\t\"%s\"" + "\t%d\t%d\t%d\t%d\t%d", + canon, dprinc.princ_expire_time, dprinc.last_pwd_change, + dprinc.pw_expiration, dprinc.max_life, modcanon, + dprinc.mod_date, dprinc.attributes, dprinc.kvno, + dprinc.mkvno, dprinc.policy ? dprinc.policy : "[none]", + dprinc.max_renewable_life, dprinc.last_success, + dprinc.last_failed, dprinc.fail_auth_count, + dprinc.n_key_data); + for (i = 0; i < dprinc.n_key_data; i++) + printf("\t%d\t%d\t%d\t%d", + dprinc.key_data[i].key_data_ver, + dprinc.key_data[i].key_data_kvno, + dprinc.key_data[i].key_data_type[0], + dprinc.key_data[i].key_data_type[1]); + printf("\n"); + } +cleanup: + krb5_free_principal(context, princ); kadm5_free_principal_ent(handle, &dprinc); + free(modcanon); free(canon); } -void kadmin_getprincs(argc, argv) - int argc; - char *argv[]; +void +kadmin_getprincs(int argc, char *argv[]) { krb5_error_code retval; char *expr, **names; int i, count; expr = NULL; - if (! (argc == 1 || (argc == 2 && (expr = argv[1])))) { - fprintf(stderr, "usage: get_principals [expression]\n"); - return; + if (!(argc == 1 || (argc == 2 && (expr = argv[1])))) { + fprintf(stderr, "usage: get_principals [expression]\n"); + return; } retval = kadm5_get_principals(handle, expr, &names, &count); if (retval) { - com_err("get_principals", retval, "while retrieving list."); - return; + com_err("get_principals", retval, "while retrieving list."); + return; } for (i = 0; i < count; i++) - printf("%s\n", names[i]); + printf("%s\n", names[i]); kadm5_free_name_list(handle, names, count); } static int -kadmin_parse_policy_args(argc, argv, policy, mask, caller) - int argc; - char *argv[]; - kadm5_policy_ent_t policy; - long *mask; - char *caller; +kadmin_parse_policy_args(int argc, char *argv[], kadm5_policy_ent_t policy, + long *mask, char *caller) { int i; - time_t now; - time_t date; + time_t now, date; time(&now); *mask = 0; for (i = 1; i < argc - 1; i++) { - if (strlen(argv[i]) == 8 && - !strcmp(argv[i], "-maxlife")) { - if (++i > argc -2) - return -1; - else { - date = get_date(argv[i]); - if (date == (time_t)-1) { - fprintf(stderr, "Invalid date specification \"%s\".\n", - argv[i]); - return -1; - } - policy->pw_max_life = date - now; - *mask |= KADM5_PW_MAX_LIFE; - continue; - } - } else if (strlen(argv[i]) == 8 && - !strcmp(argv[i], "-minlife")) { - if (++i > argc - 2) - return -1; - else { - date = get_date(argv[i]); - if (date == (time_t)-1) { - fprintf(stderr, "Invalid date specification \"%s\".\n", - argv[i]); - return -1; - } - policy->pw_min_life = date - now; - *mask |= KADM5_PW_MIN_LIFE; - continue; - } - } else if (strlen(argv[i]) == 10 && - !strcmp(argv[i], "-minlength")) { - if (++i > argc - 2) - return -1; - else { - policy->pw_min_length = atoi(argv[i]); - *mask |= KADM5_PW_MIN_LENGTH; - continue; - } - } else if (strlen(argv[i]) == 11 && - !strcmp(argv[i], "-minclasses")) { - if (++i > argc - 2) - return -1; - else { - policy->pw_min_classes = atoi(argv[i]); - *mask |= KADM5_PW_MIN_CLASSES; - continue; - } - } else if (strlen(argv[i]) == 8 && - !strcmp(argv[i], "-history")) { - if (++i > argc - 2) - return -1; - else { - policy->pw_history_num = atoi(argv[i]); - *mask |= KADM5_PW_HISTORY_NUM; - continue; - } - } else - return -1; + if (strlen(argv[i]) == 8 && !strcmp(argv[i], "-maxlife")) { + if (++i > argc -2) + return -1; + else { + date = get_date(argv[i]); + if (date == (time_t)-1) { + fprintf(stderr, "Invalid date specification \"%s\".\n", + argv[i]); + return -1; + } + policy->pw_max_life = date - now; + *mask |= KADM5_PW_MAX_LIFE; + continue; + } + } else if (strlen(argv[i]) == 8 && !strcmp(argv[i], "-minlife")) { + if (++i > argc - 2) + return -1; + else { + date = get_date(argv[i]); + if (date == (time_t)-1) { + fprintf(stderr, "Invalid date specification \"%s\".\n", + argv[i]); + return -1; + } + policy->pw_min_life = date - now; + *mask |= KADM5_PW_MIN_LIFE; + continue; + } + } else if (strlen(argv[i]) == 10 && !strcmp(argv[i], "-minlength")) { + if (++i > argc - 2) + return -1; + else { + policy->pw_min_length = atoi(argv[i]); + *mask |= KADM5_PW_MIN_LENGTH; + continue; + } + } else if (strlen(argv[i]) == 11 && !strcmp(argv[i], "-minclasses")) { + if (++i > argc - 2) + return -1; + else { + policy->pw_min_classes = atoi(argv[i]); + *mask |= KADM5_PW_MIN_CLASSES; + continue; + } + } else if (strlen(argv[i]) == 8 && !strcmp(argv[i], "-history")) { + if (++i > argc - 2) + return -1; + else { + policy->pw_history_num = atoi(argv[i]); + *mask |= KADM5_PW_HISTORY_NUM; + continue; + } + } else + return -1; } if (i != argc -1) { - fprintf(stderr, "%s: parser lost count!\n", caller); - return -1; + fprintf(stderr, "%s: parser lost count!\n", caller); + return -1; } else - return 0; + return 0; } static void -kadmin_addmodpol_usage(func) - char *func; +kadmin_addmodpol_usage(char *func) { fprintf(stderr, "usage; %s [options] policy\n", func); fprintf(stderr, "\toptions are:\n"); fprintf(stderr, "\t\t[-maxlife time] [-minlife time] [-minlength length]\n\t\t[-minclasses number] [-history number]\n"); } -void kadmin_addpol(argc, argv) - int argc; - char *argv[]; +void +kadmin_addpol(int argc, char *argv[]) { krb5_error_code retval; long mask; @@ -1704,24 +1523,20 @@ void kadmin_addpol(argc, argv) memset(&policy, 0, sizeof(policy)); if (kadmin_parse_policy_args(argc, argv, &policy, &mask, "add_policy")) { - kadmin_addmodpol_usage("add_policy"); - return; - } else { - policy.policy = argv[argc - 1]; - mask |= KADM5_POLICY; - retval = kadm5_create_policy(handle, &policy, mask); - if (retval) { - com_err("add_policy", retval, "while creating policy \"%s\".", - policy.policy); - return; - } - } - return; + kadmin_addmodpol_usage("add_policy"); + return; + } + policy.policy = argv[argc - 1]; + mask |= KADM5_POLICY; + retval = kadm5_create_policy(handle, &policy, mask); + if (retval) { + com_err("add_policy", retval, "while creating policy \"%s\".", + policy.policy); + } } -void kadmin_modpol(argc, argv) - int argc; - char *argv[]; +void +kadmin_modpol(int argc, char *argv[]) { krb5_error_code retval; long mask; @@ -1729,133 +1544,121 @@ void kadmin_modpol(argc, argv) memset(&policy, 0, sizeof(policy)); if (kadmin_parse_policy_args(argc, argv, &policy, &mask, - "modify_policy")) { - kadmin_addmodpol_usage("modify_policy"); - return; - } else { - policy.policy = argv[argc - 1]; - retval = kadm5_modify_policy(handle, &policy, mask); - if (retval) { - com_err("modify_policy", retval, "while modifying policy \"%s\".", - policy.policy); - return; - } - } - return; + "modify_policy")) { + kadmin_addmodpol_usage("modify_policy"); + return; + } + policy.policy = argv[argc - 1]; + retval = kadm5_modify_policy(handle, &policy, mask); + if (retval) { + com_err("modify_policy", retval, "while modifying policy \"%s\".", + policy.policy); + } } -void kadmin_delpol(argc, argv) - int argc; - char *argv[]; +void +kadmin_delpol(int argc, char *argv[]) { krb5_error_code retval; char reply[5]; - if (! (argc == 2 || - (argc == 3 && !strcmp("-force", argv[1])))) { - fprintf(stderr, "usage: delete_policy [-force] policy\n"); - return; + if (!(argc == 2 || (argc == 3 && !strcmp("-force", argv[1])))) { + fprintf(stderr, "usage: delete_policy [-force] policy\n"); + return; } if (argc == 2) { - printf("Are you sure you want to delete the policy \"%s\"? (yes/no): ", argv[1]); - fgets(reply, sizeof (reply), stdin); - if (strcmp("yes\n", reply)) { - fprintf(stderr, "Policy \"%s\" not deleted.\n", argv[1]); - return; - } + printf("Are you sure you want to delete the policy \"%s\"? (yes/no): ", + argv[1]); + fgets(reply, sizeof(reply), stdin); + if (strcmp("yes\n", reply)) { + fprintf(stderr, "Policy \"%s\" not deleted.\n", argv[1]); + return; + } } retval = kadm5_delete_policy(handle, argv[argc - 1]); if (retval) { - com_err("delete_policy:", retval, "while deleting policy \"%s\"", - argv[argc - 1]); - return; + com_err("delete_policy:", retval, "while deleting policy \"%s\"", + argv[argc - 1]); } - return; } -void kadmin_getpol(argc, argv) - int argc; - char *argv[]; +void +kadmin_getpol(int argc, char *argv[]) { krb5_error_code retval; kadm5_policy_ent_rec policy; - if (! (argc == 2 || - (argc == 3 && !strcmp("-terse", argv[1])))) { - fprintf(stderr, "usage: get_policy [-terse] policy\n"); - return; + if (!(argc == 2 || (argc == 3 && !strcmp("-terse", argv[1])))) { + fprintf(stderr, "usage: get_policy [-terse] policy\n"); + return; } retval = kadm5_get_policy(handle, argv[argc - 1], &policy); if (retval) { - com_err("get_policy", retval, "while retrieving policy \"%s\".", - argv[argc - 1]); - return; + com_err("get_policy", retval, "while retrieving policy \"%s\".", + argv[argc - 1]); + return; } if (argc == 2) { - printf("Policy: %s\n", policy.policy); - printf("Maximum password life: %ld\n", policy.pw_max_life); - printf("Minimum password life: %ld\n", policy.pw_min_life); - printf("Minimum password length: %ld\n", policy.pw_min_length); - printf("Minimum number of password character classes: %ld\n", - policy.pw_min_classes); - printf("Number of old keys kept: %ld\n", policy.pw_history_num); - printf("Reference count: %ld\n", policy.policy_refcnt); + printf("Policy: %s\n", policy.policy); + printf("Maximum password life: %ld\n", policy.pw_max_life); + printf("Minimum password life: %ld\n", policy.pw_min_life); + printf("Minimum password length: %ld\n", policy.pw_min_length); + printf("Minimum number of password character classes: %ld\n", + policy.pw_min_classes); + printf("Number of old keys kept: %ld\n", policy.pw_history_num); + printf("Reference count: %ld\n", policy.policy_refcnt); } else { - printf("\"%s\"\t%ld\t%ld\t%ld\t%ld\t%ld\t%ld\n", - policy.policy, policy.pw_max_life, policy.pw_min_life, - policy.pw_min_length, policy.pw_min_classes, - policy.pw_history_num, policy.policy_refcnt); + printf("\"%s\"\t%ld\t%ld\t%ld\t%ld\t%ld\t%ld\n", + policy.policy, policy.pw_max_life, policy.pw_min_life, + policy.pw_min_length, policy.pw_min_classes, + policy.pw_history_num, policy.policy_refcnt); } kadm5_free_policy_ent(handle, &policy); - return; } -void kadmin_getpols(argc, argv) - int argc; - char *argv[]; +void +kadmin_getpols(int argc, char *argv[]) { krb5_error_code retval; char *expr, **names; int i, count; expr = NULL; - if (! (argc == 1 || (argc == 2 && (expr = argv[1])))) { - fprintf(stderr, "usage: get_policies [expression]\n"); - return; + if (!(argc == 1 || (argc == 2 && (expr = argv[1])))) { + fprintf(stderr, "usage: get_policies [expression]\n"); + return; } retval = kadm5_get_policies(handle, expr, &names, &count); if (retval) { - com_err("get_policies", retval, "while retrieving list."); - return; + com_err("get_policies", retval, "while retrieving list."); + return; } for (i = 0; i < count; i++) - printf("%s\n", names[i]); + printf("%s\n", names[i]); kadm5_free_name_list(handle, names, count); } -void kadmin_getprivs(argc, argv) - int argc; - char *argv[]; +void +kadmin_getprivs(int argc, char *argv[]) { static char *privs[] = {"GET", "ADD", "MODIFY", "DELETE"}; krb5_error_code retval; - int i; + size_t i; long plist; if (argc != 1) { - fprintf(stderr, "usage: get_privs\n"); - return; + fprintf(stderr, "usage: get_privs\n"); + return; } retval = kadm5_get_privs(handle, &plist); if (retval) { - com_err("get_privs", retval, "while retrieving privileges"); - return; + com_err("get_privs", retval, "while retrieving privileges"); + return; } printf("current privileges:"); for (i = 0; i < sizeof (privs) / sizeof (char *); i++) { - if (plist & 1 << i) - printf(" %s", privs[i]); + if (plist & 1 << i) + printf(" %s", privs[i]); } printf("\n"); - return; } diff --git a/src/kadmin/cli/keytab.c b/src/kadmin/cli/keytab.c index 5fb5613f2f..fa2de42a80 100644 --- a/src/kadmin/cli/keytab.c +++ b/src/kadmin/cli/keytab.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved. * @@ -7,14 +8,14 @@ /* * Copyright (C) 1998 by the FundsXpress, INC. - * + * * All rights reserved. - * + * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -25,7 +26,7 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @@ -45,12 +46,12 @@ static char *rcsid = "$Header$"; #include #include "kadmin.h" -static int add_principal(void *lhandle, char *keytab_str, krb5_keytab keytab, - krb5_boolean keepold, - int n_ks_tuple, krb5_key_salt_tuple *ks_tuple, - char *princ_str); -static int remove_principal(char *keytab_str, krb5_keytab keytab, char - *princ_str, char *kvno_str); +static void add_principal(void *lhandle, char *keytab_str, krb5_keytab keytab, + krb5_boolean keepold, + int n_ks_tuple, krb5_key_salt_tuple *ks_tuple, + char *princ_str); +static void remove_principal(char *keytab_str, krb5_keytab keytab, + char *princ_str, char *kvno_str); static char *etype_string(krb5_enctype enctype); static int quiet; @@ -59,417 +60,408 @@ static int quiet; static int norandkey; #endif -static void add_usage() +static void +add_usage() { #ifdef KADMIN_LOCAL - fprintf(stderr, "Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [-norandkey] [principal | -glob princ-exp] [...]\n"); + fprintf(stderr, "Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [-norandkey] [principal | -glob princ-exp] [...]\n"); #else - fprintf(stderr, "Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [principal | -glob princ-exp] [...]\n"); + fprintf(stderr, "Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [principal | -glob princ-exp] [...]\n"); #endif } - -static void rem_usage() + +static void +rem_usage() { - fprintf(stderr, "Usage: ktremove [-k[eytab] keytab] [-q] principal [kvno|\"all\"|\"old\"]\n"); + fprintf(stderr, "Usage: ktremove [-k[eytab] keytab] [-q] principal [kvno|\"all\"|\"old\"]\n"); } -static int process_keytab(krb5_context my_context, char **keytab_str, - krb5_keytab *keytab) +static int +process_keytab(krb5_context my_context, char **keytab_str, + krb5_keytab *keytab) { - int code; - - if (*keytab_str == NULL) { - /* XXX krb5_defkeyname is an internal library global and - should go away */ - if (! (*keytab_str = strdup(krb5_defkeyname))) { - com_err(whoami, ENOMEM, "while creating keytab name"); - return 1; - } - code = krb5_kt_default(my_context, keytab); - if (code != 0) { - com_err(whoami, code, "while opening default keytab"); - free(*keytab_str); - return 1; - } - } else { - if (strchr(*keytab_str, ':') != NULL) { - *keytab_str = strdup(*keytab_str); - if (*keytab_str == NULL) { - com_err(whoami, ENOMEM, "while creating keytab name"); - return 1; - } - } else { - if (asprintf(keytab_str, "WRFILE:%s", *keytab_str) < 0) { - *keytab_str = NULL; - com_err(whoami, ENOMEM, "while creating keytab name"); - return 1; - } - } - - code = krb5_kt_resolve(my_context, *keytab_str, keytab); - if (code != 0) { - com_err(whoami, code, "while resolving keytab %s", *keytab_str); - free(keytab_str); - return 1; - } - } - - return 0; + int code; + char *name = *keytab_str; + + if (name == NULL) { + /* XXX krb5_defkeyname is an internal library global and + should go away */ + name = strdup(krb5_defkeyname); + if (!name) { + com_err(whoami, ENOMEM, "while creating keytab name"); + return 1; + } + code = krb5_kt_default(my_context, keytab); + if (code != 0) { + com_err(whoami, code, "while opening default keytab"); + free(name); + return 1; + } + } else { + if (strchr(name, ':') != NULL) + name = strdup(name); + else if (asprintf(&name, "WRFILE:%s", name) < 0) + name = NULL; + if (name == NULL) { + com_err(whoami, ENOMEM, "while creating keytab name"); + return 1; + } + + code = krb5_kt_resolve(my_context, name, keytab); + if (code != 0) { + com_err(whoami, code, "while resolving keytab %s", name); + free(name); + return 1; + } + } + + *keytab_str = name; + return 0; } - -void kadmin_keytab_add(int argc, char **argv) +void +kadmin_keytab_add(int argc, char **argv) { - krb5_keytab keytab = 0; - char *keytab_str = NULL, **princs; - int code, num, i; - krb5_error_code retval; - int n_ks_tuple = 0; - krb5_boolean keepold = FALSE; - krb5_key_salt_tuple *ks_tuple = NULL; - - argc--; argv++; - quiet = 0; + krb5_keytab keytab = 0; + char *keytab_str = NULL, **princs; + int code, num, i; + krb5_error_code retval; + int n_ks_tuple = 0; + krb5_boolean keepold = FALSE; + krb5_key_salt_tuple *ks_tuple = NULL; + + argc--; argv++; + quiet = 0; #ifdef KADMIN_LOCAL - norandkey = 0; + norandkey = 0; #endif - while (argc) { - if (strncmp(*argv, "-k", 2) == 0) { - argc--; argv++; - if (!argc || keytab_str) { - add_usage(); - return; - } - keytab_str = *argv; - } else if (strcmp(*argv, "-q") == 0) { - quiet++; + while (argc) { + if (strncmp(*argv, "-k", 2) == 0) { + argc--; argv++; + if (!argc || keytab_str) { + add_usage(); + return; + } + keytab_str = *argv; + } else if (strcmp(*argv, "-q") == 0) { + quiet++; #ifdef KADMIN_LOCAL } else if (strcmp(*argv, "-norandkey") == 0) { - norandkey++; + norandkey++; #endif - } else if (strcmp(*argv, "-e") == 0) { - argc--; - if (argc < 1) { - add_usage(); - return; - } - retval = krb5_string_to_keysalts(*++argv, ", \t", ":.-", 0, - &ks_tuple, &n_ks_tuple); - if (retval) { - com_err("ktadd", retval, "while parsing keysalts %s", - *argv); - - return; - } - } else - break; - argc--; argv++; - } - - if (argc == 0) { - add_usage(); - return; - } + } else if (strcmp(*argv, "-e") == 0) { + argc--; + if (argc < 1) { + add_usage(); + return; + } + retval = krb5_string_to_keysalts(*++argv, ", \t", ":.-", 0, + &ks_tuple, &n_ks_tuple); + if (retval) { + com_err("ktadd", retval, "while parsing keysalts %s", + *argv); + + return; + } + } else + break; + argc--; argv++; + } + + if (argc == 0) { + add_usage(); + return; + } #ifdef KADMIN_LOCAL - if (norandkey && ks_tuple) { - fprintf(stderr, "cannot specify keysaltlist when not changing key\n"); - return; - } + if (norandkey && ks_tuple) { + fprintf(stderr, "cannot specify keysaltlist when not changing key\n"); + return; + } #endif - if (process_keytab(context, &keytab_str, &keytab)) - return; - - while (*argv) { - if (strcmp(*argv, "-glob") == 0) { - if (*++argv == NULL) { - add_usage(); - break; - } - - code = kadm5_get_principals(handle, *argv, &princs, &num); - if (code) { - com_err(whoami, code, "while expanding expression \"%s\".", - *argv); - argv++; - continue; - } - - for (i = 0; i < num; i++) - (void) add_principal(handle, keytab_str, keytab, - keepold, n_ks_tuple, ks_tuple, - princs[i]); - kadm5_free_name_list(handle, princs, num); - } else - (void) add_principal(handle, keytab_str, keytab, - keepold, n_ks_tuple, ks_tuple, - *argv); - argv++; - } - - code = krb5_kt_close(context, keytab); - if (code != 0) - com_err(whoami, code, "while closing keytab"); - - free(keytab_str); + if (process_keytab(context, &keytab_str, &keytab)) + return; + + while (*argv) { + if (strcmp(*argv, "-glob") == 0) { + if (*++argv == NULL) { + add_usage(); + break; + } + + code = kadm5_get_principals(handle, *argv, &princs, &num); + if (code) { + com_err(whoami, code, "while expanding expression \"%s\".", + *argv); + argv++; + continue; + } + + for (i = 0; i < num; i++) + add_principal(handle, keytab_str, keytab, keepold, + n_ks_tuple, ks_tuple, princs[i]); + kadm5_free_name_list(handle, princs, num); + } else { + add_principal(handle, keytab_str, keytab, keepold, + n_ks_tuple, ks_tuple, *argv); + argv++; + } + } + + code = krb5_kt_close(context, keytab); + if (code != 0) + com_err(whoami, code, "while closing keytab"); + + free(keytab_str); } -void kadmin_keytab_remove(int argc, char **argv) +void +kadmin_keytab_remove(int argc, char **argv) { - krb5_keytab keytab = 0; - char *keytab_str = NULL; - int code; - - argc--; argv++; - quiet = 0; - while (argc) { - if (strncmp(*argv, "-k", 2) == 0) { - argc--; argv++; - if (!argc || keytab_str) { - rem_usage(); - return; - } - keytab_str = *argv; - } else if (strcmp(*argv, "-q") == 0) { - quiet++; - } else - break; - argc--; argv++; - } - - if (argc != 1 && argc != 2) { - rem_usage(); - return; - } - if (process_keytab(context, &keytab_str, &keytab)) - return; - - (void) remove_principal(keytab_str, keytab, argv[0], argv[1]); - - code = krb5_kt_close(context, keytab); - if (code != 0) - com_err(whoami, code, "while closing keytab"); - - free(keytab_str); + krb5_keytab keytab = 0; + char *keytab_str = NULL; + int code; + + argc--; argv++; + quiet = 0; + while (argc) { + if (strncmp(*argv, "-k", 2) == 0) { + argc--; argv++; + if (!argc || keytab_str) { + rem_usage(); + return; + } + keytab_str = *argv; + } else if (strcmp(*argv, "-q") == 0) { + quiet++; + } else + break; + argc--; argv++; + } + + if (argc != 1 && argc != 2) { + rem_usage(); + return; + } + if (process_keytab(context, &keytab_str, &keytab)) + return; + + remove_principal(keytab_str, keytab, argv[0], argv[1]); + + code = krb5_kt_close(context, keytab); + if (code != 0) + com_err(whoami, code, "while closing keytab"); + + free(keytab_str); } -static -int add_principal(void *lhandle, char *keytab_str, krb5_keytab keytab, - krb5_boolean keepold, int n_ks_tuple, - krb5_key_salt_tuple *ks_tuple, - char *princ_str) +static void +add_principal(void *lhandle, char *keytab_str, krb5_keytab keytab, + krb5_boolean keepold, int n_ks_tuple, + krb5_key_salt_tuple *ks_tuple, char *princ_str) { - kadm5_principal_ent_rec princ_rec; - krb5_principal princ; - krb5_keytab_entry new_entry; - krb5_keyblock *keys; - int code, nkeys, i; + kadm5_principal_ent_rec princ_rec; + krb5_principal princ = NULL; + krb5_keytab_entry new_entry; + krb5_keyblock *keys; + int code, nkeys, i; - (void) memset(&princ_rec, 0, sizeof(princ_rec)); + memset(&princ_rec, 0, sizeof(princ_rec)); - princ = NULL; - keys = NULL; - nkeys = 0; + princ = NULL; + keys = NULL; + nkeys = 0; - code = krb5_parse_name(context, princ_str, &princ); - if (code != 0) { - com_err(whoami, code, "while parsing -add principal name %s", - princ_str); - goto cleanup; - } + code = krb5_parse_name(context, princ_str, &princ); + if (code != 0) { + com_err(whoami, code, "while parsing -add principal name %s", + princ_str); + goto cleanup; + } #ifdef KADMIN_LOCAL - if (norandkey) - code = kadm5_get_principal_keys(handle, princ, &keys, &nkeys); - else + if (norandkey) + code = kadm5_get_principal_keys(handle, princ, &keys, &nkeys); + else #endif - if (keepold || ks_tuple != NULL) { - code = kadm5_randkey_principal_3(lhandle, princ, - keepold, n_ks_tuple, ks_tuple, - &keys, &nkeys); - } else { - code = kadm5_randkey_principal(lhandle, princ, &keys, &nkeys); - } - if (code != 0) { - if (code == KADM5_UNK_PRINC) { - fprintf(stderr, "%s: Principal %s does not exist.\n", - whoami, princ_str); - } else - com_err(whoami, code, "while changing %s's key", - princ_str); - goto cleanup; - } - - code = kadm5_get_principal(lhandle, princ, &princ_rec, - KADM5_PRINCIPAL_NORMAL_MASK); - if (code != 0) { - com_err(whoami, code, "while retrieving principal"); - goto cleanup; - } - - for (i = 0; i < nkeys; i++) { - memset(&new_entry, 0, sizeof(new_entry)); - new_entry.principal = princ; - new_entry.key = keys[i]; - new_entry.vno = princ_rec.kvno; - - code = krb5_kt_add_entry(context, keytab, &new_entry); - if (code != 0) { - com_err(whoami, code, "while adding key to keytab"); - (void) kadm5_free_principal_ent(lhandle, &princ_rec); - goto cleanup; - } - - if (!quiet) - printf("Entry for principal %s with kvno %d, " - "encryption type %s added to keytab %s.\n", - princ_str, princ_rec.kvno, - etype_string(keys[i].enctype), keytab_str); - } - - code = kadm5_free_principal_ent(lhandle, &princ_rec); - if (code != 0) { - com_err(whoami, code, "while freeing principal entry"); - goto cleanup; - } + if (keepold || ks_tuple != NULL) { + code = kadm5_randkey_principal_3(lhandle, princ, keepold, + n_ks_tuple, ks_tuple, &keys, &nkeys); + } else + code = kadm5_randkey_principal(lhandle, princ, &keys, &nkeys); + if (code != 0) { + if (code == KADM5_UNK_PRINC) { + fprintf(stderr, "%s: Principal %s does not exist.\n", + whoami, princ_str); + } else + com_err(whoami, code, "while changing %s's key", princ_str); + goto cleanup; + } + + code = kadm5_get_principal(lhandle, princ, &princ_rec, + KADM5_PRINCIPAL_NORMAL_MASK); + if (code != 0) { + com_err(whoami, code, "while retrieving principal"); + goto cleanup; + } + + for (i = 0; i < nkeys; i++) { + memset(&new_entry, 0, sizeof(new_entry)); + new_entry.principal = princ; + new_entry.key = keys[i]; + new_entry.vno = princ_rec.kvno; + + code = krb5_kt_add_entry(context, keytab, &new_entry); + if (code != 0) { + com_err(whoami, code, "while adding key to keytab"); + kadm5_free_principal_ent(lhandle, &princ_rec); + goto cleanup; + } + + if (!quiet) { + printf("Entry for principal %s with kvno %d, " + "encryption type %s added to keytab %s.\n", + princ_str, princ_rec.kvno, + etype_string(keys[i].enctype), keytab_str); + } + } + + code = kadm5_free_principal_ent(lhandle, &princ_rec); + if (code != 0) { + com_err(whoami, code, "while freeing principal entry"); + goto cleanup; + } cleanup: - if (nkeys) { - for (i = 0; i < nkeys; i++) - krb5_free_keyblock_contents(context, &keys[i]); - free(keys); - } - if (princ) - krb5_free_principal(context, princ); - - return code; + if (nkeys) { + for (i = 0; i < nkeys; i++) + krb5_free_keyblock_contents(context, &keys[i]); + free(keys); + } + krb5_free_principal(context, princ); } -int remove_principal(char *keytab_str, krb5_keytab keytab, char - *princ_str, char *kvno_str) +static void +remove_principal(char *keytab_str, krb5_keytab keytab, + char *princ_str, char *kvno_str) { - krb5_principal princ; - krb5_keytab_entry entry; - krb5_kt_cursor cursor; - enum { UNDEF, SPEC, HIGH, ALL, OLD } mode; - int code, did_something; - krb5_kvno kvno; - - code = krb5_parse_name(context, princ_str, &princ); - if (code != 0) { - com_err(whoami, code, "while parsing principal name %s", - princ_str); - return code; - } - - mode = UNDEF; - if (kvno_str == NULL) { - mode = HIGH; - kvno = 0; - } else if (strcmp(kvno_str, "all") == 0) { - mode = ALL; - kvno = 0; - } else if (strcmp(kvno_str, "old") == 0) { - mode = OLD; - kvno = 0; - } else { - mode = SPEC; - kvno = atoi(kvno_str); - } - - /* kvno is set to specified value for SPEC, 0 otherwise */ - code = krb5_kt_get_entry(context, keytab, princ, kvno, 0, &entry); - if (code != 0) { - if (code == ENOENT) { - fprintf(stderr, "%s: Keytab %s does not exist.\n", - whoami, keytab_str); - } else if (code == KRB5_KT_NOTFOUND) { - if (mode != SPEC) - fprintf(stderr, "%s: No entry for principal " - "%s exists in keytab %s\n", - whoami, princ_str, keytab_str); - else - fprintf(stderr, "%s: No entry for principal " - "%s with kvno %d exists in keytab " - "%s.\n", whoami, princ_str, kvno, - keytab_str); - } else { - com_err(whoami, code, "while retrieving highest kvno " - "from keytab"); - } - return code; - } - - /* set kvno to spec'ed value for SPEC, highest kvno otherwise */ - kvno = entry.vno; - krb5_kt_free_entry(context, &entry); - - code = krb5_kt_start_seq_get(context, keytab, &cursor); - if (code != 0) { - com_err(whoami, code, "while starting keytab scan"); - return code; - } - - did_something = 0; - while ((code = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) { - if (krb5_principal_compare(context, princ, entry.principal) && - ((mode == ALL) || - (mode == SPEC && entry.vno == kvno) || - (mode == OLD && entry.vno != kvno) || - (mode == HIGH && entry.vno == kvno))) { - - /* - * Ack! What a kludge... the scanning functions lock - * the keytab so entries cannot be removed while they - * are operating. - */ - code = krb5_kt_end_seq_get(context, keytab, &cursor); - if (code != 0) { - com_err(whoami, code, "while temporarily ending " - "keytab scan"); - return code; - } - code = krb5_kt_remove_entry(context, keytab, &entry); - if (code != 0) { - com_err(whoami, code, "while deleting entry from keytab"); - return code; - } - code = krb5_kt_start_seq_get(context, keytab, &cursor); - if (code != 0) { - com_err(whoami, code, "while restarting keytab scan"); - return code; - } - - did_something++; - if (!quiet) - printf("Entry for principal %s with kvno %d " - "removed from keytab %s.\n", - princ_str, entry.vno, keytab_str); - } - krb5_kt_free_entry(context, &entry); - } - if (code && code != KRB5_KT_END) { - com_err(whoami, code, "while scanning keytab"); - return code; - } - if ((code = krb5_kt_end_seq_get(context, keytab, &cursor))) { - com_err(whoami, code, "while ending keytab scan"); - return code; - } - - /* - * If !did_someting then mode must be OLD or we would have - * already returned with an error. But check it anyway just to - * prevent unexpected error messages... - */ - if (!did_something && mode == OLD) { - fprintf(stderr, "%s: There is only one entry for principal " - "%s in keytab %s\n", whoami, princ_str, keytab_str); - return 1; - } - - return 0; + krb5_principal princ; + krb5_keytab_entry entry; + krb5_kt_cursor cursor; + enum { UNDEF, SPEC, HIGH, ALL, OLD } mode; + int code, did_something; + krb5_kvno kvno; + + code = krb5_parse_name(context, princ_str, &princ); + if (code != 0) { + com_err(whoami, code, "while parsing principal name %s", princ_str); + return; + } + + mode = UNDEF; + if (kvno_str == NULL) { + mode = HIGH; + kvno = 0; + } else if (strcmp(kvno_str, "all") == 0) { + mode = ALL; + kvno = 0; + } else if (strcmp(kvno_str, "old") == 0) { + mode = OLD; + kvno = 0; + } else { + mode = SPEC; + kvno = atoi(kvno_str); + } + + /* kvno is set to specified value for SPEC, 0 otherwise */ + code = krb5_kt_get_entry(context, keytab, princ, kvno, 0, &entry); + if (code != 0) { + if (code == ENOENT) { + fprintf(stderr, "%s: Keytab %s does not exist.\n", + whoami, keytab_str); + } else if (code == KRB5_KT_NOTFOUND) { + if (mode != SPEC) { + fprintf(stderr, "%s: No entry for principal " + "%s exists in keytab %s\n", + whoami, princ_str, keytab_str); + } else { + fprintf(stderr, "%s: No entry for principal " + "%s with kvno %d exists in keytab " + "%s.\n", whoami, princ_str, kvno, keytab_str); + } + } else + com_err(whoami, code, "while retrieving highest kvno from keytab"); + return; + } + + /* set kvno to spec'ed value for SPEC, highest kvno otherwise */ + kvno = entry.vno; + krb5_kt_free_entry(context, &entry); + + code = krb5_kt_start_seq_get(context, keytab, &cursor); + if (code != 0) { + com_err(whoami, code, "while starting keytab scan"); + return; + } + + did_something = 0; + while ((code = krb5_kt_next_entry(context, keytab, &entry, + &cursor)) == 0) { + if (krb5_principal_compare(context, princ, entry.principal) && + ((mode == ALL) || + (mode == SPEC && entry.vno == kvno) || + (mode == OLD && entry.vno != kvno) || + (mode == HIGH && entry.vno == kvno))) { + + /* + * Ack! What a kludge... the scanning functions lock + * the keytab so entries cannot be removed while they + * are operating. + */ + code = krb5_kt_end_seq_get(context, keytab, &cursor); + if (code != 0) { + com_err(whoami, code, "while temporarily ending keytab scan"); + return; + } + code = krb5_kt_remove_entry(context, keytab, &entry); + if (code != 0) { + com_err(whoami, code, "while deleting entry from keytab"); + return; + } + code = krb5_kt_start_seq_get(context, keytab, &cursor); + if (code != 0) { + com_err(whoami, code, "while restarting keytab scan"); + return; + } + + did_something++; + if (!quiet) + printf("Entry for principal %s with kvno %d " + "removed from keytab %s.\n", + princ_str, entry.vno, keytab_str); + } + krb5_kt_free_entry(context, &entry); + } + if (code && code != KRB5_KT_END) { + com_err(whoami, code, "while scanning keytab"); + return; + } + code = krb5_kt_end_seq_get(context, keytab, &cursor); + if (code) { + com_err(whoami, code, "while ending keytab scan"); + return; + } + + /* + * If !did_someting then mode must be OLD or we would have + * already returned with an error. But check it anyway just to + * prevent unexpected error messages... + */ + if (!did_something && mode == OLD) { + fprintf(stderr, "%s: There is only one entry for principal " + "%s in keytab %s\n", whoami, princ_str, keytab_str); + } } /* @@ -477,14 +469,15 @@ int remove_principal(char *keytab_str, krb5_keytab keytab, char * encryption type. XXX copied from klist.c; this should be a * library function, or perhaps just #defines */ -static char *etype_string(enctype) - krb5_enctype enctype; +static char * +etype_string(krb5_enctype enctype) { static char buf[100]; krb5_error_code ret; - if ((ret = krb5_enctype_to_string(enctype, buf, sizeof(buf)))) - snprintf(buf, sizeof(buf), "etype %d", enctype); + ret = krb5_enctype_to_string(enctype, buf, sizeof(buf)); + if (ret) + snprintf(buf, sizeof(buf), "etype %d", enctype); return buf; } diff --git a/src/kadmin/cli/ss_wrapper.c b/src/kadmin/cli/ss_wrapper.c index f73ba82387..93cf1dc7d0 100644 --- a/src/kadmin/cli/ss_wrapper.c +++ b/src/kadmin/cli/ss_wrapper.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * Copyright 1994 by the Massachusetts Institute of Technology. * All Rights Reserved. @@ -35,9 +36,8 @@ extern ss_request_table kadmin_cmds; extern int exit_status; extern char *whoami; -int main(argc, argv) - int argc; - char *argv[]; +int +main(int argc, char *argv[]) { char *request; krb5_error_code retval; @@ -46,18 +46,17 @@ int main(argc, argv) whoami = ((whoami = strrchr(argv[0], '/')) ? whoami+1 : argv[0]); request = kadmin_startup(argc, argv); - sci_idx = ss_create_invocation(whoami, "5.0", (char *) NULL, - &kadmin_cmds, &retval); + sci_idx = ss_create_invocation(whoami, "5.0", NULL, &kadmin_cmds, &retval); if (retval) { - ss_perror(sci_idx, retval, "creating invocation"); - exit(1); + ss_perror(sci_idx, retval, "creating invocation"); + exit(1); } if (request) { - code = ss_execute_line(sci_idx, request); - if (code != 0) { - ss_perror(sci_idx, code, request); - exit_status++; - } + code = ss_execute_line(sci_idx, request); + if (code != 0) { + ss_perror(sci_idx, code, request); + exit_status++; + } } else retval = ss_listen(sci_idx); return quit() ? 1 : exit_status; diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 48d8f3886e..7ea3975dc5 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -130,6 +130,9 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from, krb5_pa_data *pa_tgs_req; /*points into request*/ krb5_data scratch; + reply.padata = 0; /* For cleanup handler */ + reply_encpart.enc_padata = 0; + session_key.contents = NULL; retval = decode_krb5_tgs_req(pkt, &request); @@ -866,7 +869,6 @@ tgt_again: ticket_reply.enc_part.kvno = ticket_kvno; /* Start assembling the response */ reply.msg_type = KRB5_TGS_REP; - reply.padata = 0;/* always */ if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) && find_pa_data(request->padata, KRB5_PADATA_S4U_X509_USER) != NULL) { errcode = kdc_make_s4u2self_rep(kdc_context, diff --git a/src/lib/crypto/Makefile.in b/src/lib/crypto/Makefile.in index a6203b2fb1..b89619f4f1 100644 --- a/src/lib/crypto/Makefile.in +++ b/src/lib/crypto/Makefile.in @@ -2,7 +2,7 @@ thisconfigdir=../.. myfulldir=lib/crypto mydir=lib/crypto BUILDTOP=$(REL)..$(S).. -SUBDIRS= builtin krb crypto_tests +SUBDIRS= krb builtin crypto_tests RUN_SETUP = @KRB5_RUN_ENV@ PROG_LIBPATH=-L$(TOPLIBD) @@ -21,14 +21,16 @@ LIBFINIFUNC=cryptoint_cleanup_library RELDIR=crypto STOBJLISTS=krb/crc32/OBJS.ST krb/dk/OBJS.ST builtin/enc_provider/OBJS.ST \ - krb/hash_provider/OBJS.ST krb/keyhash_provider/OBJS.ST \ + builtin/hash_provider/OBJS.ST krb/keyhash_provider/OBJS.ST \ + krb/prf/OBJS.ST krb/rand2key/OBJS.ST \ krb/old/OBJS.ST krb/raw/OBJS.ST krb/yarrow/OBJS.ST \ builtin/md4/OBJS.ST builtin/md5/OBJS.ST builtin/sha1/OBJS.ST \ builtin/arcfour/OBJS.ST builtin/aes/OBJS.ST builtin/des/OBJS.ST \ krb/OBJS.ST builtin/OBJS.ST SUBDIROBJLISTS=krb/crc32/OBJS.ST krb/dk/OBJS.ST builtin/enc_provider/OBJS.ST \ - krb/hash_provider/OBJS.ST krb/keyhash_provider/OBJS.ST \ + builtin/hash_provider/OBJS.ST krb/keyhash_provider/OBJS.ST \ + krb/prf/OBJS.ST krb/rand2key/OBJS.ST \ krb/old/OBJS.ST krb/raw/OBJS.ST krb/yarrow/OBJS.ST \ builtin/md4/OBJS.ST builtin/md5/OBJS.ST builtin/sha1/OBJS.ST \ builtin/arcfour/OBJS.ST builtin/aes/OBJS.ST builtin/des/OBJS.ST \ diff --git a/src/lib/crypto/builtin/Makefile.in b/src/lib/crypto/builtin/Makefile.in index c1d8a554be..deccbd647c 100644 --- a/src/lib/crypto/builtin/Makefile.in +++ b/src/lib/crypto/builtin/Makefile.in @@ -2,7 +2,7 @@ thisconfigdir=../../.. myfulldir=lib/crypto/builtin mydir=lib/crypto/builtin BUILDTOP=$(REL)..$(S)..$(S).. -SUBDIRS=des arcfour aes md4 md5 sha1 enc_provider +SUBDIRS=des arcfour aes md4 md5 sha1 enc_provider hash_provider LOCALINCLUDES = -I$(srcdir)/../krb \ -I$(srcdir)/../krb/hash_provider \ -I$(srcdir)/../@CRYPTO_IMPL@/des \ @@ -11,7 +11,8 @@ LOCALINCLUDES = -I$(srcdir)/../krb \ -I$(srcdir)/../@CRYPTO_IMPL@/sha1 \ -I$(srcdir)/../@CRYPTO_IMPL@/md4 \ -I$(srcdir)/../@CRYPTO_IMPL@/md5 \ - -I$(srcdir)/../@CRYPTO_IMPL@/enc_provider + -I$(srcdir)/../@CRYPTO_IMPL@/enc_provider \ + -I$(srcdir)/../@CRYPTO_IMPL@/hash_provider PROG_LIBPATH=-L$(TOPLIBD) PROG_RPATH=$(KRB5_LIBDIR) DEFS= @@ -38,6 +39,7 @@ SRCS=\ STOBJLISTS= des/OBJS.ST md4/OBJS.ST \ md5/OBJS.ST sha1/OBJS.ST \ enc_provider/OBJS.ST \ + hash_provider/OBJS.ST \ arcfour/OBJS.ST \ aes/OBJS.ST \ OBJS.ST @@ -45,8 +47,9 @@ STOBJLISTS= des/OBJS.ST md4/OBJS.ST \ SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \ md5/OBJS.ST sha1/OBJS.ST \ enc_provider/OBJS.ST \ + hash_provider/OBJS.ST \ arcfour/OBJS.ST \ - aes/OBJS.ST OBJS.ST + aes/OBJS.ST ##DOS##LIBOBJS = $(OBJS) @@ -70,6 +73,9 @@ all-windows:: cd ..\sha1 @echo Making in crypto\sha1 $(MAKE) -$(MFLAGS) + cd ..\hash_provider + @echo Making in crypto\hash_provider + $(MAKE) -$(MFLAGS) cd ..\enc_provider @echo Making in crypto\enc_provider $(MAKE) -$(MFLAGS) @@ -94,6 +100,9 @@ clean-windows:: cd ..\sha1 @echo Making clean in crypto\sha1 $(MAKE) -$(MFLAGS) clean + cd ..\hash_provider + @echo Making clean in crypto\hash_provider + $(MAKE) -$(MFLAGS) clean cd ..\enc_provider @echo Making clean in crypto\enc_provider $(MAKE) -$(MFLAGS) clean @@ -118,6 +127,9 @@ check-windows:: cd ..\sha1 @echo Making check in crypto\sha1 $(MAKE) -$(MFLAGS) check + cd ..\hash_provider + @echo Making check in crypto\hash_provider + $(MAKE) -$(MFLAGS) check cd ..\enc_provider @echo Making check in crypto\enc_provider $(MAKE) -$(MFLAGS) check diff --git a/src/lib/crypto/builtin/aes/Makefile.in b/src/lib/crypto/builtin/aes/Makefile.in index 49bc6a9c23..f888d7d3c3 100644 --- a/src/lib/crypto/builtin/aes/Makefile.in +++ b/src/lib/crypto/builtin/aes/Makefile.in @@ -27,8 +27,8 @@ OBJS=\ $(OUTPRE)../../$(CIMPL)/aes_s2k.$(OBJEXT) SRCS=\ - $(srcdir)..//../$(CIMPL)/aescrypt.c \ - $(srcdir)..//../$(CIMPL)/aestab.c \ + $(srcdir)/../../$(CIMPL)/aescrypt.c \ + $(srcdir)/../../$(CIMPL)/aestab.c \ $(srcdir)/../../$(CIMPL)/aeskey.c \ $(srcdir)/../../$(CIMPL)/aes_s2k.c diff --git a/src/lib/crypto/builtin/aes/deps b/src/lib/crypto/builtin/aes/deps index 6f75c718cf..02cdba09ac 100644 --- a/src/lib/crypto/builtin/aes/deps +++ b/src/lib/crypto/builtin/aes/deps @@ -2,12 +2,15 @@ # Generated makefile dependencies follow. # aescrypt.so aescrypt.po $(OUTPRE)aescrypt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h aes.h aescrypt.c aesopt.h \ - uitypes.h + $(BUILDTOP)/include/autoconf.h $(srcdir)/../../builtin/aes/aes.h \ + $(srcdir)/../../builtin/aes/aescrypt.c $(srcdir)/../../builtin/aes/aesopt.h \ + $(srcdir)/../../builtin/aes/uitypes.h aestab.so aestab.po $(OUTPRE)aestab.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - aes.h aesopt.h aestab.c uitypes.h + $(srcdir)/../../builtin/aes/aes.h $(srcdir)/../../builtin/aes/aesopt.h \ + $(srcdir)/../../builtin/aes/aestab.c $(srcdir)/../../builtin/aes/uitypes.h aeskey.so aeskey.po $(OUTPRE)aeskey.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - aes.h aeskey.c aesopt.h uitypes.h + $(srcdir)/../../builtin/aes/aes.h $(srcdir)/../../builtin/aes/aeskey.c \ + $(srcdir)/../../builtin/aes/aesopt.h $(srcdir)/../../builtin/aes/uitypes.h aes_s2k.so aes_s2k.po $(OUTPRE)aes_s2k.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ @@ -17,4 +20,5 @@ aes_s2k.so aes_s2k.po $(OUTPRE)aes_s2k.$(OBJEXT): $(BUILDTOP)/include/autoconf.h $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../../krb/dk/dk.h aes_s2k.c aes_s2k.h + $(srcdir)/../../builtin/aes/aes_s2k.c $(srcdir)/../../builtin/aes/aes_s2k.h \ + $(srcdir)/../../krb/dk/dk.h diff --git a/src/lib/crypto/builtin/arcfour/Makefile.in b/src/lib/crypto/builtin/arcfour/Makefile.in index 499c0a0765..6b54f494b9 100644 --- a/src/lib/crypto/builtin/arcfour/Makefile.in +++ b/src/lib/crypto/builtin/arcfour/Makefile.in @@ -2,7 +2,7 @@ thisconfigdir=../../../.. myfulldir=lib/crypto/builtin/arcfour mydir=lib/crypto/builtin/arcfour BUILDTOP=$(REL)..$(S)..$(S)..$(S).. -LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../md4 -I$(srcdir)/../../krb +LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../../@CRYPTO_IMPL@/md4 -I$(srcdir)/../../krb DEFS= ##DOS##BUILDTOP = ..\..\..\.. diff --git a/src/lib/crypto/builtin/arcfour/arcfour.c b/src/lib/crypto/builtin/arcfour/arcfour.c index 87220a7563..e5cdfdc8c2 100644 --- a/src/lib/crypto/builtin/arcfour/arcfour.c +++ b/src/lib/crypto/builtin/arcfour/arcfour.c @@ -323,13 +323,3 @@ krb5_arcfour_decrypt(const struct krb5_enc_provider *enc, return (ret); } - krb5_error_code krb5int_arcfour_prf( - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - const krb5_keyblock *key, - const krb5_data *in, krb5_data *out) - { - assert(out->length == 20); - return krb5_hmac(&krb5int_hash_sha1, key, 1, in, out); - } - diff --git a/src/lib/crypto/builtin/arcfour/arcfour.h b/src/lib/crypto/builtin/arcfour/arcfour.h index be408febc6..e8ff203ca1 100644 --- a/src/lib/crypto/builtin/arcfour/arcfour.h +++ b/src/lib/crypto/builtin/arcfour/arcfour.h @@ -34,10 +34,5 @@ extern krb5_error_code krb5int_arcfour_string_to_key( extern const struct krb5_enc_provider krb5int_enc_arcfour; extern const struct krb5_aead_provider krb5int_aead_arcfour; - krb5_error_code krb5int_arcfour_prf( - const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - const krb5_keyblock *key, - const krb5_data *in, krb5_data *out); #endif /* ARCFOUR_H */ diff --git a/src/lib/crypto/builtin/arcfour/deps b/src/lib/crypto/builtin/arcfour/deps index d96dc703b5..2f470e6c75 100644 --- a/src/lib/crypto/builtin/arcfour/deps +++ b/src/lib/crypto/builtin/arcfour/deps @@ -10,8 +10,8 @@ arcfour.so arcfour.po $(OUTPRE)arcfour.$(OBJEXT): $(BUILDTOP)/include/autoconf.h $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../../krb/hash_provider/hash_provider.h arcfour-int.h \ - arcfour.c arcfour.h + $(srcdir)/../../builtin/arcfour/arcfour-int.h $(srcdir)/../../builtin/arcfour/arcfour.c \ + $(srcdir)/../../builtin/arcfour/arcfour.h $(srcdir)/../../krb/hash_provider/hash_provider.h arcfour_aead.so arcfour_aead.po $(OUTPRE)arcfour_aead.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -21,9 +21,9 @@ arcfour_aead.so arcfour_aead.po $(OUTPRE)arcfour_aead.$(OBJEXT): \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(srcdir)/../../krb/aead.h \ - $(srcdir)/../../krb/cksumtypes.h arcfour-int.h arcfour.h \ - arcfour_aead.c + $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/arcfour/arcfour-int.h \ + $(srcdir)/../../builtin/arcfour/arcfour.h $(srcdir)/../../builtin/arcfour/arcfour_aead.c \ + $(srcdir)/../../krb/aead.h $(srcdir)/../../krb/cksumtypes.h arcfour_s2k.so arcfour_s2k.po $(OUTPRE)arcfour_s2k.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -34,5 +34,5 @@ arcfour_s2k.so arcfour_s2k.po $(OUTPRE)arcfour_s2k.$(OBJEXT): \ $(SRCTOP)/include/k5-utf8.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../md4/rsa-md4.h arcfour-int.h arcfour.h \ - arcfour_s2k.c + $(srcdir)/../../builtin/arcfour/arcfour-int.h $(srcdir)/../../builtin/arcfour/arcfour.h \ + $(srcdir)/../../builtin/arcfour/arcfour_s2k.c $(srcdir)/../md4/rsa-md4.h diff --git a/src/lib/crypto/builtin/deps b/src/lib/crypto/builtin/deps index fb4163ea6c..55016e958e 100644 --- a/src/lib/crypto/builtin/deps +++ b/src/lib/crypto/builtin/deps @@ -21,4 +21,4 @@ pbkdf2.so pbkdf2.po $(OUTPRE)pbkdf2.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../builtin/pbkdf2.c $(srcdir)/../krb/hash_provider/hash_provider.h + $(srcdir)/../builtin/pbkdf2.c $(srcdir)/../builtin/hash_provider/hash_provider.h diff --git a/src/lib/crypto/builtin/des/Makefile.in b/src/lib/crypto/builtin/des/Makefile.in index 47e9b1a614..23b2c032c5 100644 --- a/src/lib/crypto/builtin/des/Makefile.in +++ b/src/lib/crypto/builtin/des/Makefile.in @@ -19,7 +19,6 @@ STLIBOBJS=\ ../../$(CIMPL)/d3_cbc.o \ ../../$(CIMPL)/d3_aead.o \ ../../$(CIMPL)/d3_kysched.o \ - ../../$(CIMPL)/des_prf.o \ ../../$(CIMPL)/f_aead.o \ ../../$(CIMPL)/f_cbc.o \ ../../$(CIMPL)/f_cksum.o \ @@ -34,7 +33,6 @@ OBJS= $(OUTPRE)../../$(CIMPL)/afsstring2key.$(OBJEXT) \ $(OUTPRE)../../$(CIMPL)/d3_cbc.$(OBJEXT) \ $(OUTPRE)../../$(CIMPL)/d3_aead.$(OBJEXT) \ $(OUTPRE)../../$(CIMPL)/d3_kysched.$(OBJEXT) \ - $(OUTPRE)../../$(CIMPL)/des_prf.$(OBJEXT) \ $(OUTPRE)../../$(CIMPL)/f_aead.$(OBJEXT) \ $(OUTPRE)../../$(CIMPL)/f_cbc.$(OBJEXT) \ $(OUTPRE)../../$(CIMPL)/f_cksum.$(OBJEXT) \ @@ -49,7 +47,6 @@ SRCS= $(srcdir)/../../$(CIMPL)/afsstring2key.c \ $(srcdir)/../../$(CIMPL)/d3_cbc.c \ $(srcdir)/../../$(CIMPL)/d3_aead.c \ $(srcdir)/../../$(CIMPL)/d3_kysched.c \ - $(srcdir)/../../$(CIMPL)/des_prf.c \ $(srcdir)/../../$(CIMPL)/f_aead.c \ $(srcdir)/../../$(CIMPL)/f_cbc.c \ $(srcdir)/../../$(CIMPL)/f_cksum.c \ diff --git a/src/lib/crypto/builtin/des/deps b/src/lib/crypto/builtin/des/deps index 391d3a1c53..bbfc7e0a29 100644 --- a/src/lib/crypto/builtin/des/deps +++ b/src/lib/crypto/builtin/des/deps @@ -10,7 +10,8 @@ afsstring2key.so afsstring2key.po $(OUTPRE)afsstring2key.$(OBJEXT): \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h afsstring2key.c des_int.h + $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/afsstring2key.c \ + $(srcdir)/../../builtin/des/des_int.h d3_cbc.so d3_cbc.po $(OUTPRE)d3_cbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ @@ -20,7 +21,8 @@ d3_cbc.so d3_cbc.po $(OUTPRE)d3_cbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - d3_cbc.c des_int.h f_tables.h + $(srcdir)/../../builtin/des/d3_cbc.c $(srcdir)/../../builtin/des/des_int.h \ + $(srcdir)/../../builtin/des/f_tables.h d3_aead.so d3_aead.po $(OUTPRE)d3_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ @@ -30,8 +32,9 @@ d3_aead.so d3_aead.po $(OUTPRE)d3_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../../krb/aead.h $(srcdir)/../../krb/cksumtypes.h \ - d3_aead.c des_int.h f_tables.h + $(srcdir)/../../builtin/des/d3_aead.c $(srcdir)/../../builtin/des/des_int.h \ + $(srcdir)/../../builtin/des/f_tables.h $(srcdir)/../../krb/aead.h \ + $(srcdir)/../../krb/cksumtypes.h d3_kysched.so d3_kysched.po $(OUTPRE)d3_kysched.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -41,17 +44,8 @@ d3_kysched.so d3_kysched.po $(OUTPRE)d3_kysched.$(OBJEXT): \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h d3_kysched.c des_int.h -des_prf.so des_prf.po $(OUTPRE)des_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ - $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ - $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../../krb/hash_provider/hash_provider.h des_prf.c + $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/d3_kysched.c \ + $(srcdir)/../../builtin/des/des_int.h f_aead.so f_aead.po $(OUTPRE)f_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ @@ -61,8 +55,9 @@ f_aead.so f_aead.po $(OUTPRE)f_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../../krb/aead.h $(srcdir)/../../krb/cksumtypes.h \ - des_int.h f_aead.c f_tables.h + $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/des/f_aead.c \ + $(srcdir)/../../builtin/des/f_tables.h $(srcdir)/../../krb/aead.h \ + $(srcdir)/../../krb/cksumtypes.h f_cbc.so f_cbc.po $(OUTPRE)f_cbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ @@ -72,7 +67,8 @@ f_cbc.so f_cbc.po $(OUTPRE)f_cbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - des_int.h f_cbc.c f_tables.h + $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/des/f_cbc.c \ + $(srcdir)/../../builtin/des/f_tables.h f_cksum.so f_cksum.po $(OUTPRE)f_cksum.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ @@ -82,7 +78,8 @@ f_cksum.so f_cksum.po $(OUTPRE)f_cksum.$(OBJEXT): $(BUILDTOP)/include/autoconf.h $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - des_int.h f_cksum.c f_tables.h + $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/des/f_cksum.c \ + $(srcdir)/../../builtin/des/f_tables.h f_parity.so f_parity.po $(OUTPRE)f_parity.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -92,7 +89,8 @@ f_parity.so f_parity.po $(OUTPRE)f_parity.$(OBJEXT): \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h des_int.h f_parity.c + $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \ + $(srcdir)/../../builtin/des/f_parity.c f_sched.so f_sched.po $(OUTPRE)f_sched.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ @@ -102,7 +100,7 @@ f_sched.so f_sched.po $(OUTPRE)f_sched.$(OBJEXT): $(BUILDTOP)/include/autoconf.h $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - des_int.h f_sched.c + $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/des/f_sched.c f_tables.so f_tables.po $(OUTPRE)f_tables.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -112,8 +110,8 @@ f_tables.so f_tables.po $(OUTPRE)f_tables.$(OBJEXT): \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h des_int.h f_tables.c \ - f_tables.h + $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \ + $(srcdir)/../../builtin/des/f_tables.c $(srcdir)/../../builtin/des/f_tables.h key_sched.so key_sched.po $(OUTPRE)key_sched.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -123,7 +121,8 @@ key_sched.so key_sched.po $(OUTPRE)key_sched.$(OBJEXT): \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h des_int.h key_sched.c + $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \ + $(srcdir)/../../builtin/des/key_sched.c weak_key.so weak_key.po $(OUTPRE)weak_key.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -133,7 +132,8 @@ weak_key.so weak_key.po $(OUTPRE)weak_key.$(OBJEXT): \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h des_int.h weak_key.c + $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \ + $(srcdir)/../../builtin/des/weak_key.c string2key.so string2key.po $(OUTPRE)string2key.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -143,4 +143,5 @@ string2key.so string2key.po $(OUTPRE)string2key.$(OBJEXT): \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h des_int.h string2key.c + $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \ + $(srcdir)/../../builtin/des/string2key.c diff --git a/src/lib/crypto/builtin/des/des_int.h b/src/lib/crypto/builtin/des/des_int.h index 4a1d52ae35..fd2024a454 100644 --- a/src/lib/crypto/builtin/des/des_int.h +++ b/src/lib/crypto/builtin/des/des_int.h @@ -374,9 +374,4 @@ extern krb5_error_code mit_des_set_random_generator_seed extern krb5_error_code mit_des_set_random_sequence_number (const krb5_data * sequence, krb5_pointer random_state); -krb5_error_code -krb5int_des_prf (const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - const krb5_keyblock *key, - const krb5_data *in, krb5_data *out); #endif /*DES_INTERNAL_DEFS*/ diff --git a/src/lib/crypto/builtin/enc_provider/Makefile.in b/src/lib/crypto/builtin/enc_provider/Makefile.in index 1895b519dc..712a22524f 100644 --- a/src/lib/crypto/builtin/enc_provider/Makefile.in +++ b/src/lib/crypto/builtin/enc_provider/Makefile.in @@ -5,7 +5,8 @@ BUILDTOP=$(REL)..$(S)..$(S)..$(S).. LOCALINCLUDES = -I$(srcdir)/../../@CRYPTO_IMPL@/des \ -I$(srcdir)/../../@CRYPTO_IMPL@/arcfour \ -I$(srcdir)/../../@CRYPTO_IMPL@/aes \ - -I$(srcdir)/../../krb \ + -I$(srcdir)/../../krb \ + -I$(srcdir)/../../krb/rand2key \ -I$(srcdir)/.. -I$(srcdir)/../../@CRYPTO_IMPL@ DEFS= diff --git a/src/lib/crypto/builtin/enc_provider/aes.c b/src/lib/crypto/builtin/enc_provider/aes.c index 88f2d9e350..c0e1606a00 100644 --- a/src/lib/crypto/builtin/enc_provider/aes.c +++ b/src/lib/crypto/builtin/enc_provider/aes.c @@ -28,6 +28,7 @@ #include "enc_provider.h" #include "aes.h" #include +#include #if 0 aes_rval aes_blk_len(unsigned int blen, aes_ctx cx[1]); @@ -363,20 +364,6 @@ krb5int_aes_decrypt_iov(const krb5_keyblock *key, return 0; } -static krb5_error_code -k5_aes_make_key(const krb5_data *randombits, krb5_keyblock *key) -{ - if (key->length != 16 && key->length != 32) - return(KRB5_BAD_KEYSIZE); - if (randombits->length != key->length) - return(KRB5_CRYPTO_INTERNAL); - - key->magic = KV5M_KEYBLOCK; - - memcpy(key->contents, randombits->data, randombits->length); - return(0); -} - static krb5_error_code krb5int_aes_init_state (const krb5_keyblock *key, krb5_keyusage usage, krb5_data *state) @@ -394,7 +381,7 @@ const struct krb5_enc_provider krb5int_enc_aes128 = { 16, 16, krb5int_aes_encrypt, krb5int_aes_decrypt, - k5_aes_make_key, + krb5int_aes_make_key, krb5int_aes_init_state, krb5int_default_free_state, krb5int_aes_encrypt_iov, @@ -406,7 +393,7 @@ const struct krb5_enc_provider krb5int_enc_aes256 = { 32, 32, krb5int_aes_encrypt, krb5int_aes_decrypt, - k5_aes_make_key, + krb5int_aes_make_key, krb5int_aes_init_state, krb5int_default_free_state, krb5int_aes_encrypt_iov, diff --git a/src/lib/crypto/builtin/enc_provider/deps b/src/lib/crypto/builtin/enc_provider/deps index ed1b61cfc9..20b3a7dcc8 100644 --- a/src/lib/crypto/builtin/enc_provider/deps +++ b/src/lib/crypto/builtin/enc_provider/deps @@ -10,8 +10,10 @@ des.so des.po $(OUTPRE)des.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../des/des_int.h $(srcdir)/../../krb/aead.h \ - $(srcdir)/../../krb/cksumtypes.h des.c enc_provider.h + $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/enc_provider/des.c \ + $(srcdir)/../../builtin/enc_provider/enc_provider.h \ + $(srcdir)/../../krb/aead.h $(srcdir)/../../krb/cksumtypes.h \ + $(srcdir)/../../krb/rand2key/rand2key.h des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ @@ -21,8 +23,9 @@ des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../des/des_int.h $(srcdir)/../../krb/aead.h \ - $(srcdir)/../../krb/cksumtypes.h des3.c + $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/enc_provider/des3.c \ + $(srcdir)/../../krb/aead.h $(srcdir)/../../krb/cksumtypes.h \ + $(srcdir)/../../krb/rand2key/rand2key.h aes.so aes.po $(OUTPRE)aes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ @@ -32,9 +35,10 @@ aes.so aes.po $(OUTPRE)aes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../aes/aes.h $(srcdir)/../aes/uitypes.h \ - $(srcdir)/../../krb/aead.h $(srcdir)/../../krb/cksumtypes.h aes.c \ - enc_provider.h + $(srcdir)/../../builtin/aes/aes.h $(srcdir)/../../builtin/aes/uitypes.h \ + $(srcdir)/../../builtin/enc_provider/aes.c $(srcdir)/../../builtin/enc_provider/enc_provider.h \ + $(srcdir)/../../krb/aead.h $(srcdir)/../../krb/cksumtypes.h \ + $(srcdir)/../../krb/rand2key/rand2key.h rc4.so rc4.po $(OUTPRE)rc4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ @@ -44,6 +48,7 @@ rc4.so rc4.po $(OUTPRE)rc4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../arcfour/arcfour-int.h $(srcdir)/../arcfour/arcfour.h \ - $(srcdir)/../../krb/aead.h $(srcdir)/../../krb/cksumtypes.h enc_provider.h \ - rc4.c + $(srcdir)/../../builtin/arcfour/arcfour-int.h $(srcdir)/../../builtin/arcfour/arcfour.h \ + $(srcdir)/../../builtin/enc_provider/enc_provider.h \ + $(srcdir)/../../builtin/enc_provider/rc4.c $(srcdir)/../../krb/aead.h \ + $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/rand2key/rand2key.h diff --git a/src/lib/crypto/builtin/enc_provider/des.c b/src/lib/crypto/builtin/enc_provider/des.c index 547f6b976e..433032dd31 100644 --- a/src/lib/crypto/builtin/enc_provider/des.c +++ b/src/lib/crypto/builtin/enc_provider/des.c @@ -27,7 +27,9 @@ #include "k5-int.h" #include "des_int.h" #include "enc_provider.h" -#include "aead.h" +#include +#include + static krb5_error_code k5_des_docrypt(const krb5_keyblock *key, const krb5_data *ivec, @@ -82,31 +84,6 @@ k5_des_decrypt(const krb5_keyblock *key, const krb5_data *ivec, return(k5_des_docrypt(key, ivec, input, output, 0)); } -static krb5_error_code -k5_des_make_key(const krb5_data *randombits, krb5_keyblock *key) -{ - if (key->length != 8) - return(KRB5_BAD_KEYSIZE); - if (randombits->length != 7) - return(KRB5_CRYPTO_INTERNAL); - - key->magic = KV5M_KEYBLOCK; - key->length = 8; - - /* take the seven bytes, move them around into the top 7 bits of the - 8 key bytes, then compute the parity bits */ - - memcpy(key->contents, randombits->data, randombits->length); - key->contents[7] = (((key->contents[0]&1)<<1) | ((key->contents[1]&1)<<2) | - ((key->contents[2]&1)<<3) | ((key->contents[3]&1)<<4) | - ((key->contents[4]&1)<<5) | ((key->contents[5]&1)<<6) | - ((key->contents[6]&1)<<7)); - - mit_des_fixup_key_parity(key->contents); - - return(0); -} - static krb5_error_code k5_des_docrypt_iov(const krb5_keyblock *key, const krb5_data *ivec, krb5_crypto_iov *data, size_t num_data, int enc) @@ -173,7 +150,7 @@ const struct krb5_enc_provider krb5int_enc_des = { 7, 8, k5_des_encrypt, k5_des_decrypt, - k5_des_make_key, + krb5int_des_make_key, krb5int_des_init_state, krb5int_default_free_state, k5_des_encrypt_iov, diff --git a/src/lib/crypto/builtin/enc_provider/des3.c b/src/lib/crypto/builtin/enc_provider/des3.c index dc7c63338c..7dba292ae0 100644 --- a/src/lib/crypto/builtin/enc_provider/des3.c +++ b/src/lib/crypto/builtin/enc_provider/des3.c @@ -27,6 +27,7 @@ #include "k5-int.h" #include "des_int.h" #include +#include static krb5_error_code validate_and_schedule(const krb5_keyblock *key, const krb5_data *ivec, @@ -129,38 +130,6 @@ k5_des3_decrypt(const krb5_keyblock *key, const krb5_data *ivec, return(0); } -static krb5_error_code -k5_des3_make_key(const krb5_data *randombits, krb5_keyblock *key) -{ - int i; - - if (key->length != 24) - return(KRB5_BAD_KEYSIZE); - if (randombits->length != 21) - return(KRB5_CRYPTO_INTERNAL); - - key->magic = KV5M_KEYBLOCK; - key->length = 24; - - /* take the seven bytes, move them around into the top 7 bits of the - 8 key bytes, then compute the parity bits. Do this three times. */ - - for (i=0; i<3; i++) { - memcpy(key->contents+i*8, randombits->data+i*7, 7); - key->contents[i*8+7] = (((key->contents[i*8]&1)<<1) | - ((key->contents[i*8+1]&1)<<2) | - ((key->contents[i*8+2]&1)<<3) | - ((key->contents[i*8+3]&1)<<4) | - ((key->contents[i*8+4]&1)<<5) | - ((key->contents[i*8+5]&1)<<6) | - ((key->contents[i*8+6]&1)<<7)); - - mit_des_fixup_key_parity(key->contents+i*8); - } - - return(0); -} - static krb5_error_code k5_des3_encrypt_iov(const krb5_keyblock *key, const krb5_data *ivec, @@ -212,7 +181,7 @@ const struct krb5_enc_provider krb5int_enc_des3 = { 21, 24, k5_des3_encrypt, k5_des3_decrypt, - k5_des3_make_key, + krb5int_des3_make_key, krb5int_des_init_state, krb5int_default_free_state, k5_des3_encrypt_iov, diff --git a/src/lib/crypto/builtin/enc_provider/rc4.c b/src/lib/crypto/builtin/enc_provider/rc4.c index d1dbb6cc3f..df2c914f88 100644 --- a/src/lib/crypto/builtin/enc_provider/rc4.c +++ b/src/lib/crypto/builtin/enc_provider/rc4.c @@ -10,6 +10,8 @@ #include "arcfour-int.h" #include "enc_provider.h" #include +#include + /* gets the next byte from the PRNG */ #if ((__GNUC__ >= 2) ) static __inline__ unsigned int k5_arcfour_byte(ArcfourContext *); @@ -30,10 +32,6 @@ static krb5_error_code k5_arcfour_docrypt(const krb5_keyblock *, const krb5_data *, const krb5_data *, krb5_data *); -/* from a random bitstrem, construct a key */ -static krb5_error_code -k5_arcfour_make_key(const krb5_data *, krb5_keyblock *); - static const unsigned char arcfour_weakkey1[] = {0x00, 0x00, 0xfd}; static const unsigned char arcfour_weakkey2[] = {0x03, 0xfd, 0xfc}; static const struct { @@ -212,22 +210,6 @@ k5_arcfour_docrypt_iov(const krb5_keyblock *key, return 0; } -static krb5_error_code -k5_arcfour_make_key(const krb5_data *randombits, krb5_keyblock *key) -{ - if (key->length != 16) - return(KRB5_BAD_KEYSIZE); - if (randombits->length != 16) - return(KRB5_CRYPTO_INTERNAL); - - key->magic = KV5M_KEYBLOCK; - key->length = 16; - - memcpy(key->contents, randombits->data, randombits->length); - - return(0); -} - static krb5_error_code k5_arcfour_init_state (const krb5_keyblock *key, krb5_keyusage keyusage, krb5_data *new_state) @@ -262,7 +244,7 @@ const struct krb5_enc_provider krb5int_enc_arcfour = { 16, 16, k5_arcfour_docrypt, k5_arcfour_docrypt, - k5_arcfour_make_key, + krb5int_arcfour_make_key, k5_arcfour_init_state, /*xxx not implemented yet*/ krb5int_default_free_state, k5_arcfour_docrypt_iov, diff --git a/src/lib/crypto/builtin/hash_provider/Makefile.in b/src/lib/crypto/builtin/hash_provider/Makefile.in new file mode 100644 index 0000000000..a901d1175e --- /dev/null +++ b/src/lib/crypto/builtin/hash_provider/Makefile.in @@ -0,0 +1,45 @@ +thisconfigdir=../../../.. +myfulldir=lib/crypto/builtin/hash_provider +mydir=lib/crypto/builtin/hash_provider +BUILDTOP=$(REL)..$(S)..$(S)..$(S).. +LOCALINCLUDES = -I$(srcdir)/../../krb/crc32 -I$(srcdir)/../../@CRYPTO_IMPL@/md4 \ + -I$(srcdir)/../../@CRYPTO_IMPL@/md5 -I$(srcdir)/../../@CRYPTO_IMPL@/sha1 +DEFS= + +##DOS##BUILDTOP = ..\..\..\.. +##DOS##PREFIXDIR=hash_provider +##DOS##OBJFILE=..\$(OUTPRE)hash_pro.lst + +PROG_LIBPATH=-L$(TOPLIBD) +PROG_RPATH=$(KRB5_LIBDIR) + +CIMPL = @CRYPTO_IMPL@/hash_provider + +STLIBOBJS= \ + ../../$(CIMPL)/hash_crc32.o \ + ../../$(CIMPL)/hash_md4.o \ + ../../$(CIMPL)/hash_md5.o \ + ../../$(CIMPL)/hash_sha1.o + +OBJS= $(OUTPRE)../../$(CIMPL)/hash_crc32.$(OBJEXT) \ + $(OUTPRE)../../$(CIMPL)/hash_md4.$(OBJEXT) \ + $(OUTPRE)../../$(CIMPL)/hash_md5.$(OBJEXT) \ + $(OUTPRE)../../$(CIMPL)/hash_sha1.$(OBJEXT) + +SRCS= $(srcdir)/../../$(CIMPL)/hash_crc32.c \ + $(srcdir)/../../$(CIMPL)/hash_md4.c \ + $(srcdir)/../../$(CIMPL)/hash_md5.c \ + $(srcdir)/../../$(CIMPL)/hash_sha1.c + +##DOS##LIBOBJS = $(OBJS) + +all-unix:: all-libobjs + +includes:: depend + +depend:: $(SRCS) + +clean-unix:: clean-libobjs + +@libobj_frag@ + diff --git a/src/lib/crypto/builtin/hash_provider/deps b/src/lib/crypto/builtin/hash_provider/deps new file mode 100644 index 0000000000..deca38437c --- /dev/null +++ b/src/lib/crypto/builtin/hash_provider/deps @@ -0,0 +1,47 @@ +# +# Generated makefile dependencies follow. +# +hash_crc32.so hash_crc32.po $(OUTPRE)hash_crc32.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ + $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ + $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ + $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(srcdir)/../../krb/crc32/crc-32.h \ + hash_crc32.c hash_provider.h +hash_md4.so hash_md4.po $(OUTPRE)hash_md4.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ + $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ + $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ + $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/md4/rsa-md4.h \ + hash_md4.c hash_provider.h +hash_md5.so hash_md5.po $(OUTPRE)hash_md5.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ + $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ + $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ + $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/md5/rsa-md5.h \ + hash_md5.c hash_provider.h +hash_sha1.so hash_sha1.po $(OUTPRE)hash_sha1.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ + $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ + $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ + $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/sha1/shs.h \ + hash_provider.h hash_sha1.c diff --git a/src/lib/crypto/builtin/hash_provider/hash_crc32.c b/src/lib/crypto/builtin/hash_provider/hash_crc32.c new file mode 100644 index 0000000000..780e1589dd --- /dev/null +++ b/src/lib/crypto/builtin/hash_provider/hash_crc32.c @@ -0,0 +1,56 @@ +/* + * Copyright (C) 1998 by the FundsXpress, INC. + * + * All rights reserved. + * + * Export of this software from the United States of America may require + * a specific license from the United States Government. It is the + * responsibility of any person or organization contemplating export to + * obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of FundsXpress. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. FundsXpress makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + */ + +#include "k5-int.h" +#include "crc-32.h" +#include "hash_provider.h" + +static krb5_error_code +k5_crc32_hash(unsigned int icount, const krb5_data *input, + krb5_data *output) +{ + unsigned long c, cn; + unsigned int i; + + if (output->length != CRC32_CKSUM_LENGTH) + return(KRB5_CRYPTO_INTERNAL); + + c = 0; + for (i=0; idata); + return(0); +} + +const struct krb5_hash_provider krb5int_hash_crc32 = { + "CRC32", + CRC32_CKSUM_LENGTH, + 1, + k5_crc32_hash +}; diff --git a/src/lib/crypto/builtin/hash_provider/hash_md4.c b/src/lib/crypto/builtin/hash_provider/hash_md4.c new file mode 100644 index 0000000000..f507aaaf7d --- /dev/null +++ b/src/lib/crypto/builtin/hash_provider/hash_md4.c @@ -0,0 +1,56 @@ +/* + * Copyright (C) 1998 by the FundsXpress, INC. + * + * All rights reserved. + * + * Export of this software from the United States of America may require + * a specific license from the United States Government. It is the + * responsibility of any person or organization contemplating export to + * obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of FundsXpress. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. FundsXpress makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + */ + +#include "k5-int.h" +#include "rsa-md4.h" +#include "hash_provider.h" + +static krb5_error_code +k5_md4_hash(unsigned int icount, const krb5_data *input, + krb5_data *output) +{ + krb5_MD4_CTX ctx; + unsigned int i; + + if (output->length != RSA_MD4_CKSUM_LENGTH) + return(KRB5_CRYPTO_INTERNAL); + + krb5_MD4Init(&ctx); + for (i=0; idata, ctx.digest, RSA_MD4_CKSUM_LENGTH); + + return(0); +} + +const struct krb5_hash_provider krb5int_hash_md4 = { + "MD4", + RSA_MD4_CKSUM_LENGTH, + 64, + k5_md4_hash +}; diff --git a/src/lib/crypto/builtin/hash_provider/hash_md5.c b/src/lib/crypto/builtin/hash_provider/hash_md5.c new file mode 100644 index 0000000000..a6e380ae2d --- /dev/null +++ b/src/lib/crypto/builtin/hash_provider/hash_md5.c @@ -0,0 +1,56 @@ +/* + * Copyright (C) 1998 by the FundsXpress, INC. + * + * All rights reserved. + * + * Export of this software from the United States of America may require + * a specific license from the United States Government. It is the + * responsibility of any person or organization contemplating export to + * obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of FundsXpress. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. FundsXpress makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + */ + +#include "k5-int.h" +#include "rsa-md5.h" +#include "hash_provider.h" + +static krb5_error_code +k5_md5_hash(unsigned int icount, const krb5_data *input, + krb5_data *output) +{ + krb5_MD5_CTX ctx; + unsigned int i; + + if (output->length != RSA_MD5_CKSUM_LENGTH) + return(KRB5_CRYPTO_INTERNAL); + + krb5_MD5Init(&ctx); + for (i=0; idata, ctx.digest, RSA_MD5_CKSUM_LENGTH); + + return(0); +} + +const struct krb5_hash_provider krb5int_hash_md5 = { + "MD5", + RSA_MD5_CKSUM_LENGTH, + 64, + k5_md5_hash +}; diff --git a/src/lib/crypto/builtin/hash_provider/hash_provider.h b/src/lib/crypto/builtin/hash_provider/hash_provider.h new file mode 100644 index 0000000000..4fa46097db --- /dev/null +++ b/src/lib/crypto/builtin/hash_provider/hash_provider.h @@ -0,0 +1,32 @@ +/* + * Copyright (C) 1998 by the FundsXpress, INC. + * + * All rights reserved. + * + * Export of this software from the United States of America may require + * a specific license from the United States Government. It is the + * responsibility of any person or organization contemplating export to + * obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of FundsXpress. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. FundsXpress makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + */ + +#include "k5-int.h" + +extern const struct krb5_hash_provider krb5int_hash_crc32; +extern const struct krb5_hash_provider krb5int_hash_md4; +extern const struct krb5_hash_provider krb5int_hash_md5; +extern const struct krb5_hash_provider krb5int_hash_sha1; diff --git a/src/lib/crypto/builtin/hash_provider/hash_sha1.c b/src/lib/crypto/builtin/hash_provider/hash_sha1.c new file mode 100644 index 0000000000..00ab72bda6 --- /dev/null +++ b/src/lib/crypto/builtin/hash_provider/hash_sha1.c @@ -0,0 +1,58 @@ +/* + * Copyright (C) 1998 by the FundsXpress, INC. + * + * All rights reserved. + * + * Export of this software from the United States of America may require + * a specific license from the United States Government. It is the + * responsibility of any person or organization contemplating export to + * obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of FundsXpress. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. FundsXpress makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + */ + +#include "k5-int.h" +#include "shs.h" +#include "hash_provider.h" + +static krb5_error_code +k5_sha1_hash(unsigned int icount, const krb5_data *input, + krb5_data *output) +{ + SHS_INFO ctx; + unsigned int i; + + if (output->length != SHS_DIGESTSIZE) + return(KRB5_CRYPTO_INTERNAL); + + shsInit(&ctx); + for (i=0; idata[i*4]); + } + + return(0); +} + +const struct krb5_hash_provider krb5int_hash_sha1 = { + "SHA1", + SHS_DIGESTSIZE, + SHS_DATASIZE, + k5_sha1_hash +}; diff --git a/src/lib/crypto/builtin/md4/deps b/src/lib/crypto/builtin/md4/deps index 775a8b446c..79148325ea 100644 --- a/src/lib/crypto/builtin/md4/deps +++ b/src/lib/crypto/builtin/md4/deps @@ -10,4 +10,4 @@ md4.so md4.po $(OUTPRE)md4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - md4.c rsa-md4.h + $(srcdir)/../../builtin/md4/md4.c $(srcdir)/../../builtin/md4/rsa-md4.h diff --git a/src/lib/crypto/builtin/md5/deps b/src/lib/crypto/builtin/md5/deps index 131185443e..fc6a3824b5 100644 --- a/src/lib/crypto/builtin/md5/deps +++ b/src/lib/crypto/builtin/md5/deps @@ -10,4 +10,4 @@ md5.so md5.po $(OUTPRE)md5.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - md5.c rsa-md5.h + $(srcdir)/../../builtin/md5/md5.c $(srcdir)/../../builtin/md5/rsa-md5.h diff --git a/src/lib/crypto/builtin/sha1/deps b/src/lib/crypto/builtin/sha1/deps index e8f519a9e6..a57d8877b8 100644 --- a/src/lib/crypto/builtin/sha1/deps +++ b/src/lib/crypto/builtin/sha1/deps @@ -10,4 +10,4 @@ shs.so shs.po $(OUTPRE)shs.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - shs.c shs.h + $(srcdir)/../../builtin/sha1/shs.c $(srcdir)/../../builtin/sha1/shs.h diff --git a/src/lib/crypto/krb/yarrow/yhash.h b/src/lib/crypto/builtin/yhash.h similarity index 100% rename from src/lib/crypto/krb/yarrow/yhash.h rename to src/lib/crypto/builtin/yhash.h diff --git a/src/lib/crypto/crypto_tests/Makefile.in b/src/lib/crypto/crypto_tests/Makefile.in index 41704c85c2..3d7eca18b6 100644 --- a/src/lib/crypto/crypto_tests/Makefile.in +++ b/src/lib/crypto/crypto_tests/Makefile.in @@ -3,7 +3,7 @@ myfulldir=lib/crypto/crypto_tests mydir=lib/crypto/crypto_tests BUILDTOP=$(REL)..$(S)..$(S).. LOCALINCLUDES = -I$(srcdir)/../krb -I$(srcdir)/../@CRYPTO_IMPL@/enc_provider \ - -I$(srcdir)/../krb/hash_provider -I$(srcdir)/../krb/keyhash_provider \ + -I$(srcdir)/../@CRYPTO_IMPL@/hash_provider -I$(srcdir)/../krb/keyhash_provider \ -I$(srcdir)/../krb/dk -I$(srcdir)/../@CRYPTO_IMPL@/ \ -I$(srcdir)/../krb/yarrow \ -I$(srcdir)/../krb/crc32 -I$(srcdir)/../krb/old -I$(srcdir)/../krb/raw \ diff --git a/src/lib/crypto/krb/Makefile.in b/src/lib/crypto/krb/Makefile.in index 636d2c6cdd..e64ef8f310 100644 --- a/src/lib/crypto/krb/Makefile.in +++ b/src/lib/crypto/krb/Makefile.in @@ -2,14 +2,15 @@ thisconfigdir=../../.. myfulldir=lib/crypto/krb mydir=lib/crypto/krb BUILDTOP=$(REL)..$(S)..$(S).. -SUBDIRS= crc32 dk hash_provider keyhash_provider \ - old raw yarrow +SUBDIRS= crc32 dk keyhash_provider \ + prf rand2key old raw yarrow LOCALINCLUDES = -I$(srcdir) -I$(srcdir)/../@CRYPTO_IMPL@/enc_provider -I$(srcdir)/dk \ - -I$(srcdir)/hash_provider -I$(srcdir)/keyhash_provider \ + -I$(srcdir)/../@CRYPTO_IMPL@/hash_provider -I$(srcdir)/keyhash_provider \ + -I$(srcdir)/prf -I$(srcdir)/rand2key \ -I$(srcdir)/old -I$(srcdir)/raw -I$(srcdir)/yarrow \ -I$(srcdir)/../@CRYPTO_IMPL@/ -I$(srcdir)/../@CRYPTO_IMPL@/des \ -I$(srcdir)/../@CRYPTO_IMPL@/aes -I$(srcdir)/../@CRYPTO_IMPL@/arcfour \ - -I$(srcdir)/../@CRYPTO_IMPL@/sha1 + -I$(srcdir)/../@CRYPTO_IMPL@/sha1 -I$(srcdir)/../@CRYPTO_IMPL@ PROG_LIBPATH=-L$(TOPLIBD) PROG_RPATH=$(KRB5_LIBDIR) DEFS= @@ -150,12 +151,14 @@ SRCS=\ $(srcdir)/verify_checksum_iov.c STOBJLISTS=crc32/OBJS.ST dk/OBJS.ST \ - hash_provider/OBJS.ST keyhash_provider/OBJS.ST \ + keyhash_provider/OBJS.ST \ + prf/OBJS.ST rand2key/OBJS.ST \ old/OBJS.ST raw/OBJS.ST yarrow/OBJS.ST OBJS.ST SUBDIROBJLISTS=crc32/OBJS.ST dk/OBJS.ST \ - hash_provider/OBJS.ST keyhash_provider/OBJS.ST \ - old/OBJS.ST raw/OBJS.ST yarrow/OBJS.ST OBJS.ST + keyhash_provider/OBJS.ST \ + prf/OBJS.ST rand2key/OBJS.ST \ + old/OBJS.ST raw/OBJS.ST yarrow/OBJS.ST ##DOS##LIBOBJS = $(OBJS) @@ -173,12 +176,15 @@ all-windows:: cd ..\dk @echo Making in crypto\dk $(MAKE) -$(MFLAGS) - cd ..\hash_provider - @echo Making in crypto\hash_provider - $(MAKE) -$(MFLAGS) cd ..\keyhash_provider @echo Making in crypto\keyhash_provider $(MAKE) -$(MFLAGS) + cd ..\prf + @echo Making in crypto\prf + $(MAKE) -$(MFLAGS) + cd ..\rand2key + @echo Making in crypto\rand2key + $(MAKE) -$(MFLAGS) cd ..\old @echo Making in crypto\old $(MAKE) -$(MFLAGS) @@ -197,12 +203,15 @@ clean-windows:: cd ..\dk @echo Making clean in crypto\dk $(MAKE) -$(MFLAGS) clean - cd ..\hash_provider - @echo Making clean in crypto\hash_provider - $(MAKE) -$(MFLAGS) clean cd ..\keyhash_provider @echo Making clean in crypto\keyhash_provider $(MAKE) -$(MFLAGS) clean + cd ..\prf + @echo Making clean in crypto\prf + $(MAKE) -$(MFLAGS) clean + cd ..\rand2key + @echo Making clean in crypto\rand2key + $(MAKE) -$(MFLAGS) clean cd ..\old @echo Making clean in crypto\old $(MAKE) -$(MFLAGS) clean @@ -221,13 +230,16 @@ check-windows:: cd ..\dk @echo Making check in crypto\dk $(MAKE) -$(MFLAGS) check - cd ..\hash_provider - @echo Making check in crypto\hash_provider - $(MAKE) -$(MFLAGS) check cd ..\keyhash_provider @echo Making check in crypto\keyhash_provider $(MAKE) -$(MFLAGS) check - cd ..\md4 + cd ..\prf + @echo Making check in crypto\prf + $(MAKE) -$(MFLAGS) check + cd ..\rand2key + @echo Making check in crypto\rand2key + $(MAKE) -$(MFLAGS) check + cd ..\old @echo Making check in crypto\old $(MAKE) -$(MFLAGS) check cd ..\raw diff --git a/src/lib/crypto/krb/deps b/src/lib/crypto/krb/deps index 58a614bdf4..aafb06b005 100644 --- a/src/lib/crypto/krb/deps +++ b/src/lib/crypto/krb/deps @@ -52,7 +52,7 @@ cksumtypes.so cksumtypes.po $(OUTPRE)cksumtypes.$(OBJEXT): \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(srcdir)/hash_provider/hash_provider.h \ + $(SRCTOP)/include/socket-utils.h $(srcdir)/../builtin/hash_provider/hash_provider.h \ $(srcdir)/keyhash_provider/keyhash_provider.h cksumtypes.c \ cksumtypes.h coll_proof_cksum.so coll_proof_cksum.po $(OUTPRE)coll_proof_cksum.$(OBJEXT): \ @@ -191,9 +191,10 @@ etypes.so etypes.po $(OUTPRE)etypes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ $(srcdir)/../builtin/aes/aes_s2k.h $(srcdir)/../builtin/arcfour/arcfour.h \ - $(srcdir)/../builtin/des/des_int.h $(srcdir)/dk/dk.h \ - $(srcdir)/../builtin/enc_provider/enc_provider.h $(srcdir)/hash_provider/hash_provider.h \ - $(srcdir)/old/old.h $(srcdir)/raw/raw.h etypes.c etypes.h + $(srcdir)/../builtin/des/des_int.h $(srcdir)/../builtin/enc_provider/enc_provider.h \ + $(srcdir)/dk/dk.h $(srcdir)/../builtin/hash_provider/hash_provider.h \ + $(srcdir)/old/old.h $(srcdir)/prf/prf_int.h $(srcdir)/raw/raw.h \ + etypes.c etypes.h keyblocks.so keyblocks.po $(OUTPRE)keyblocks.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -326,9 +327,9 @@ prng.so prng.po $(OUTPRE)prng.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../builtin/sha1/shs.h $(srcdir)/../builtin/enc_provider/enc_provider.h \ + $(srcdir)/../builtin/enc_provider/enc_provider.h $(srcdir)/../builtin/sha1/shs.h \ $(srcdir)/yarrow/yarrow.h $(srcdir)/yarrow/ycipher.h \ - $(srcdir)/yarrow/yhash.h $(srcdir)/yarrow/ytypes.h \ + $(srcdir)/../builtin/yhash.h $(srcdir)/yarrow/ytypes.h \ prng.c random_to_key.so random_to_key.po $(OUTPRE)random_to_key.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ diff --git a/src/lib/crypto/krb/dk/Makefile.in b/src/lib/crypto/krb/dk/Makefile.in index 6741ba66a1..a731cbc095 100644 --- a/src/lib/crypto/krb/dk/Makefile.in +++ b/src/lib/crypto/krb/dk/Makefile.in @@ -18,7 +18,6 @@ STLIBOBJS=\ dk_decrypt.o \ dk_encrypt.o \ derive.o \ - dk_prf.o \ stringtokey.o OBJS=\ @@ -27,7 +26,6 @@ OBJS=\ $(OUTPRE)dk_decrypt.$(OBJEXT) \ $(OUTPRE)dk_encrypt.$(OBJEXT) \ $(OUTPRE)derive.$(OBJEXT) \ - $(OUTPRE)dk_prf.$(OBJEXT) \ $(OUTPRE)stringtokey.$(OBJEXT) SRCS=\ @@ -35,7 +33,6 @@ SRCS=\ $(srcdir)/dk_aead.c \ $(srcdir)/dk_decrypt.c \ $(srcdir)/dk_encrypt.c \ - $(srcdir)/dk_prf.c \ $(srcdir)/derive.c \ $(srcdir)/stringtokey.c diff --git a/src/lib/crypto/krb/dk/deps b/src/lib/crypto/krb/dk/deps index e901a54835..83a8c27418 100644 --- a/src/lib/crypto/krb/dk/deps +++ b/src/lib/crypto/krb/dk/deps @@ -44,16 +44,6 @@ dk_encrypt.so dk_encrypt.po $(OUTPRE)dk_encrypt.$(OBJEXT): \ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h dk.h dk_encrypt.c -dk_prf.so dk_prf.po $(OUTPRE)dk_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ - $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ - $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - dk.h dk_prf.c derive.so derive.po $(OUTPRE)derive.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ diff --git a/src/lib/crypto/krb/dk/dk.h b/src/lib/crypto/krb/dk/dk.h index bc40134eff..54d1076c8b 100644 --- a/src/lib/crypto/krb/dk/dk.h +++ b/src/lib/crypto/krb/dk/dk.h @@ -69,11 +69,6 @@ krb5_error_code krb5int_dk_string_to_key const krb5_data *string, const krb5_data *salt, const krb5_data *params, krb5_keyblock *key); -krb5_error_code -krb5int_dk_prf(const struct krb5_enc_provider *enc, - const struct krb5_hash_provider *hash, - const krb5_keyblock *key, const krb5_data *in, krb5_data *out); - krb5_error_code krb5_derive_key (const struct krb5_enc_provider *enc, const krb5_keyblock *inkey, diff --git a/src/lib/crypto/krb/etypes.c b/src/lib/crypto/krb/etypes.c index c44ee413ea..bd5c6d8a87 100644 --- a/src/lib/crypto/krb/etypes.c +++ b/src/lib/crypto/krb/etypes.c @@ -31,6 +31,7 @@ #include "old.h" #include "raw.h" #include "dk.h" +#include "prf_int.h" #include "arcfour.h" #include "aes_s2k.h" #include "des/des_int.h" diff --git a/src/lib/crypto/krb/keyhash_provider/Makefile.in b/src/lib/crypto/krb/keyhash_provider/Makefile.in index d84ce7967e..d30f6c4f09 100644 --- a/src/lib/crypto/krb/keyhash_provider/Makefile.in +++ b/src/lib/crypto/krb/keyhash_provider/Makefile.in @@ -4,7 +4,7 @@ mydir=lib/crypto/krb/keyhash_provider BUILDTOP=$(REL)..$(S)..$(S)..$(S).. LOCALINCLUDES = -I$(srcdir)/../../@CRYPTO_IMPL@/des -I$(srcdir)/../../@CRYPTO_IMPL@/md4 \ -I$(srcdir)/../../@CRYPTO_IMPL@/md5 -I$(srcdir)/../../@CRYPTO_IMPL@/arcfour \ - -I$(srcdir)/../hash_provider + -I$(srcdir)/../../@CRYPTO_IMPL@/hash_provider -I$(srcdir)/../../@CRYPTO_IMPL@ DEFS= ##DOS##BUILDTOP = ..\..\..\.. diff --git a/src/lib/crypto/krb/keyhash_provider/deps b/src/lib/crypto/krb/keyhash_provider/deps index bfd980b0ea..09af19d598 100644 --- a/src/lib/crypto/krb/keyhash_provider/deps +++ b/src/lib/crypto/krb/keyhash_provider/deps @@ -44,7 +44,7 @@ hmac_md5.so hmac_md5.po $(OUTPRE)hmac_md5.$(OBJEXT): \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/arcfour/arcfour-int.h \ $(srcdir)/../../builtin/arcfour/arcfour.h $(srcdir)/../../builtin/md5/rsa-md5.h \ - $(srcdir)/../aead.h $(srcdir)/../cksumtypes.h $(srcdir)/../hash_provider/hash_provider.h \ + $(srcdir)/../aead.h $(srcdir)/../cksumtypes.h $(srcdir)/../../builtin/hash_provider/hash_provider.h \ hmac_md5.c keyhash_provider.h md5_hmac.so md5_hmac.po $(OUTPRE)md5_hmac.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ @@ -57,5 +57,5 @@ md5_hmac.so md5_hmac.po $(OUTPRE)md5_hmac.$(OBJEXT): \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/arcfour/arcfour-int.h \ $(srcdir)/../../builtin/arcfour/arcfour.h $(srcdir)/../../builtin/md5/rsa-md5.h \ - $(srcdir)/../hash_provider/hash_provider.h keyhash_provider.h \ + $(srcdir)/../../builtin/hash_provider/hash_provider.h keyhash_provider.h \ md5_hmac.c diff --git a/src/lib/crypto/krb/keyhash_provider/k5_md4des.c b/src/lib/crypto/krb/keyhash_provider/k5_md4des.c index fceb58ebd4..49700a89d4 100644 --- a/src/lib/crypto/krb/keyhash_provider/k5_md4des.c +++ b/src/lib/crypto/krb/keyhash_provider/k5_md4des.c @@ -36,8 +36,7 @@ /* des-cbc(xorkey, conf | rsa-md4(conf | data)) */ -/* this could be done in terms of the md4 and des providers, but - that's less efficient, and there's no need for this to be generic */ +extern struct krb5_enc_provider krb5int_enc_des; static krb5_error_code k5_md4des_hash(const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *ivec, @@ -47,14 +46,8 @@ k5_md4des_hash(const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *i krb5_data data; krb5_MD4_CTX ctx; unsigned char conf[CONFLENGTH]; - unsigned char xorkey[8]; - unsigned int i; - mit_des_key_schedule schedule; + struct krb5_enc_provider *enc = &krb5int_enc_des; - if (key->length != 8) - return(KRB5_BAD_KEYSIZE); - if (ivec) - return(KRB5_CRYPTO_INTERNAL); if (output->length != (CONFLENGTH+RSA_MD4_CKSUM_LENGTH)) return(KRB5_CRYPTO_INTERNAL); @@ -65,19 +58,6 @@ k5_md4des_hash(const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *i if ((ret = krb5_c_random_make_octets(/* XXX */ 0, &data))) return(ret); - /* create and schedule the encryption key */ - - memcpy(xorkey, key->contents, sizeof(xorkey)); - for (i=0; idata, conf, CONFLENGTH); memcpy(output->data+CONFLENGTH, ctx.digest, RSA_MD4_CKSUM_LENGTH); - /* encrypt it, in place. this has a return value, but it's - always zero. */ + ret = enc->encrypt(key, NULL, output, output); - mit_des_cbc_encrypt((krb5_pointer) output->data, - (krb5_pointer) output->data, output->length, - schedule, (const unsigned char *) mit_des_zeroblock, - 1); - - return(0); + return (ret); } static krb5_error_code @@ -108,17 +82,15 @@ k5_md4des_verify(const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *input, const krb5_data *hash, krb5_boolean *valid) { + krb5_error_code ret; krb5_MD4_CTX ctx; unsigned char plaintext[CONFLENGTH+RSA_MD4_CKSUM_LENGTH]; - unsigned char xorkey[8]; - unsigned int i; - mit_des_key_schedule schedule; int compathash = 0; + struct krb5_enc_provider *enc = &krb5int_enc_des; + krb5_data output, iv; if (key->length != 8) return(KRB5_BAD_KEYSIZE); - if (ivec) - return(KRB5_CRYPTO_INTERNAL); if (hash->length != (CONFLENGTH+RSA_MD4_CKSUM_LENGTH)) { #ifdef KRB5_MD4DES_BETA5_COMPAT if (hash->length != RSA_MD4_CKSUM_LENGTH) @@ -131,41 +103,40 @@ k5_md4des_verify(const krb5_keyblock *key, krb5_keyusage usage, return(KRB5_CRYPTO_INTERNAL); } - /* create and schedule the encryption key */ - - memcpy(xorkey, key->contents, sizeof(xorkey)); - if (!compathash) { - for (i=0; ilength); + if (!iv.data) return ENOMEM; + iv.length = key->length; + if (key->contents) + memcpy(iv.data, key->contents, key->length); } - /* decrypt it. this has a return value, but it's always zero. */ + /* decrypt it */ + output.data = plaintext; + output.length = hash->length; if (!compathash) { - mit_des_cbc_encrypt((krb5_pointer) hash->data, - (krb5_pointer) plaintext, hash->length, - schedule, - (const unsigned char *) mit_des_zeroblock, 0); + ret = enc->decrypt(key, NULL, hash, &output); } else { - mit_des_cbc_encrypt((krb5_pointer) hash->data, - (krb5_pointer) plaintext, hash->length, - schedule, xorkey, 0); + ret = enc->decrypt(key, &iv, hash, &output); + } + + if (compathash && iv.data) { + free (iv.data); } + if (ret) return(ret); + + if (output.length > CONFLENGTH+RSA_MD4_CKSUM_LENGTH) + return KRB5_CRYPTO_INTERNAL; + /* hash the confounder, then the input data */ krb5_MD4Init(&ctx); if (!compathash) { krb5_MD4Update(&ctx, plaintext, CONFLENGTH); } - krb5_MD4Update(&ctx, (unsigned char *) input->data, + krb5_MD4Update(&ctx, (unsigned char *) input->data, (unsigned int) input->length); krb5_MD4Final(&ctx); diff --git a/src/lib/crypto/krb/keyhash_provider/k5_md5des.c b/src/lib/crypto/krb/keyhash_provider/k5_md5des.c index 0175c68ab7..24d6317060 100644 --- a/src/lib/crypto/krb/keyhash_provider/k5_md5des.c +++ b/src/lib/crypto/krb/keyhash_provider/k5_md5des.c @@ -36,8 +36,7 @@ /* des-cbc(xorkey, conf | rsa-md5(conf | data)) */ -/* this could be done in terms of the md5 and des providers, but - that's less efficient, and there's no need for this to be generic */ +extern struct krb5_enc_provider krb5int_enc_des; static krb5_error_code k5_md5des_hash(const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *ivec, @@ -47,14 +46,8 @@ k5_md5des_hash(const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *i krb5_data data; krb5_MD5_CTX ctx; unsigned char conf[CONFLENGTH]; - unsigned char xorkey[8]; - unsigned int i; - mit_des_key_schedule schedule; + struct krb5_enc_provider *enc = &krb5int_enc_des; - if (key->length != 8) - return(KRB5_BAD_KEYSIZE); - if (ivec) - return(KRB5_CRYPTO_INTERNAL); if (output->length != (CONFLENGTH+RSA_MD5_CKSUM_LENGTH)) return(KRB5_CRYPTO_INTERNAL); @@ -65,19 +58,6 @@ k5_md5des_hash(const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *i if ((ret = krb5_c_random_make_octets(/* XXX */ 0, &data))) return(ret); - /* create and schedule the encryption key */ - - memcpy(xorkey, key->contents, sizeof(xorkey)); - for (i=0; idata, conf, CONFLENGTH); memcpy(output->data+CONFLENGTH, ctx.digest, RSA_MD5_CKSUM_LENGTH); - /* encrypt it, in place. this has a return value, but it's - always zero. */ + ret = enc->encrypt(key, NULL, output, output); - mit_des_cbc_encrypt((krb5_pointer) output->data, - (krb5_pointer) output->data, output->length, - schedule, (const unsigned char *) mit_des_zeroblock, - 1); + return ret; - return(0); } static krb5_error_code @@ -107,17 +82,16 @@ k5_md5des_verify(const krb5_keyblock *key, krb5_keyusage usage, const krb5_data const krb5_data *input, const krb5_data *hash, krb5_boolean *valid) { + krb5_error_code ret; krb5_MD5_CTX ctx; unsigned char plaintext[CONFLENGTH+RSA_MD5_CKSUM_LENGTH]; - unsigned char xorkey[8]; - unsigned int i; - mit_des_key_schedule schedule; int compathash = 0; + struct krb5_enc_provider *enc = &krb5int_enc_des; + krb5_data output, iv; if (key->length != 8) return(KRB5_BAD_KEYSIZE); - if (ivec) - return(KRB5_CRYPTO_INTERNAL); + if (hash->length != (CONFLENGTH+RSA_MD5_CKSUM_LENGTH)) { #ifdef KRB5_MD5DES_BETA5_COMPAT if (hash->length != RSA_MD5_CKSUM_LENGTH) @@ -129,41 +103,40 @@ k5_md5des_verify(const krb5_keyblock *key, krb5_keyusage usage, const krb5_data #endif } - /* create and schedule the encryption key */ - - memcpy(xorkey, key->contents, sizeof(xorkey)); - if (!compathash) { - for (i=0; ilength); + if (!iv.data) return ENOMEM; + iv.length = key->length; + if (key->contents) + memcpy(iv.data, key->contents, key->length); } - /* decrypt it. this has a return value, but it's always zero. */ + /* decrypt it */ + output.data = plaintext; + output.length = hash->length; if (!compathash) { - mit_des_cbc_encrypt((krb5_pointer) hash->data, - (krb5_pointer) plaintext, hash->length, - schedule, - (const unsigned char *) mit_des_zeroblock, 0); + ret = enc->decrypt(key, NULL, hash, &output); } else { - mit_des_cbc_encrypt((krb5_pointer) hash->data, - (krb5_pointer) plaintext, hash->length, - schedule, xorkey, 0); + ret = enc->decrypt(key, &iv, hash, &output); + } + + if (compathash && iv.data) { + free (iv.data); } + if (ret) return(ret); + + if (output.length > CONFLENGTH+RSA_MD5_CKSUM_LENGTH) + return KRB5_CRYPTO_INTERNAL; + /* hash the confounder, then the input data */ krb5_MD5Init(&ctx); if (!compathash) { krb5_MD5Update(&ctx, plaintext, CONFLENGTH); } - krb5_MD5Update(&ctx, (unsigned char *) input->data, + krb5_MD5Update(&ctx, (unsigned char *) input->data, (unsigned) input->length); krb5_MD5Final(&ctx); diff --git a/src/lib/crypto/krb/prf/Makefile.in b/src/lib/crypto/krb/prf/Makefile.in new file mode 100644 index 0000000000..42b14b95a8 --- /dev/null +++ b/src/lib/crypto/krb/prf/Makefile.in @@ -0,0 +1,38 @@ +thisconfigdir=../../../.. +myfulldir=lib/crypto/krb/prf +mydir=lib/crypto/krb/prf +BUILDTOP=$(REL)..$(S)..$(S)..$(S).. +LOCALINCLUDES = -I$(srcdir) -I$(srcdir)/.. \ + -I$(srcdir)/../dk \ + -I$(srcdir)/../../@CRYPTO_IMPL@ \ + -I$(srcdir)/../../@CRYPTO_IMPL@/md5 \ + -I$(srcdir)/../../@CRYPTO_IMPL@/sha1 +DEFS= + +##DOS##BUILDTOP = ..\..\..\.. +##DOS##PREFIXDIR=prf +##DOS##OBJFILE=..\$(OUTPRE)prf.lst + +PROG_LIBPATH=-L$(TOPLIBD) +PROG_RPATH=$(KRB5_LIBDIR) + +STLIBOBJS= des_prf.o dk_prf.o rc4_prf.o + +OBJS= $(OUTPRE)des_prf.$(OBJEXT) $(OUTPRE)dk_prf.$(OBJEXT) \ + $(OUTPRE)rc4_prf.$(OBJEXT) + +SRCS= $(srcdir)/des_prf.c $(srcdir)/dk_prf.c \ + $(srcdir)/rc4_prf.c + +##DOS##LIBOBJS = $(OBJS) + +all-unix:: all-libobjs + +includes:: depend + +depend:: $(SRCS) + +clean-unix:: clean-libobjs + +@libobj_frag@ + diff --git a/src/lib/crypto/krb/prf/deps b/src/lib/crypto/krb/prf/deps new file mode 100644 index 0000000000..c0b02f1c40 --- /dev/null +++ b/src/lib/crypto/krb/prf/deps @@ -0,0 +1,34 @@ +# +# Generated makefile dependencies follow. +# +des_prf.so des_prf.po $(OUTPRE)des_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ + $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ + $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + des_prf.c prf_int.h +dk_prf.so dk_prf.po $(OUTPRE)dk_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ + $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ + $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(srcdir)/../dk/dk.h dk_prf.c prf_int.h +rc4_prf.so rc4_prf.po $(OUTPRE)rc4_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ + $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ + $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(srcdir)/../../builtin/hash_provider/hash_provider.h prf_int.h \ + rc4_prf.c diff --git a/src/lib/crypto/builtin/des/des_prf.c b/src/lib/crypto/krb/prf/des_prf.c similarity index 94% rename from src/lib/crypto/builtin/des/des_prf.c rename to src/lib/crypto/krb/prf/des_prf.c index a86ba907cb..869f2e0bf6 100644 --- a/src/lib/crypto/builtin/des/des_prf.c +++ b/src/lib/crypto/krb/prf/des_prf.c @@ -1,5 +1,5 @@ /* - * lib/crypto/des/des_prf.c + * lib/crypto/krb/prf//des_prf.c * * Copyright (C) 2004, 2009 by the Massachusetts Institute of Technology. * All rights reserved. @@ -29,8 +29,8 @@ * des-cbc-crc, des-cbc-md4, and des-cbc-md5 enctypes. */ -#include "k5-int.h" -#include "hash_provider/hash_provider.h" /* XXX is this ok? */ +#include "prf_int.h" +//#include /* XXX is this ok? */ krb5_error_code krb5int_des_prf (const struct krb5_enc_provider *enc, diff --git a/src/lib/crypto/krb/dk/dk_prf.c b/src/lib/crypto/krb/prf/dk_prf.c similarity index 96% rename from src/lib/crypto/krb/dk/dk_prf.c rename to src/lib/crypto/krb/prf/dk_prf.c index ec64caf16b..cc3e2d9341 100644 --- a/src/lib/crypto/krb/dk/dk_prf.c +++ b/src/lib/crypto/krb/prf/dk_prf.c @@ -1,5 +1,5 @@ /* - * lib/crypto/dk/prf.c + * lib/crypto/krb/prf/dk_prf.c * * Copyright (C) 2004 by the Massachusetts Institute of Technology. * All rights reserved. @@ -29,8 +29,8 @@ *simplified profile enctypes. */ -#include "k5-int.h" -#include "dk.h" +#include "prf_int.h" +#include krb5_error_code krb5int_dk_prf (const struct krb5_enc_provider *enc, diff --git a/src/lib/crypto/krb/prf/prf_int.h b/src/lib/crypto/krb/prf/prf_int.h new file mode 100644 index 0000000000..180ce027d9 --- /dev/null +++ b/src/lib/crypto/krb/prf/prf_int.h @@ -0,0 +1,51 @@ +/* + * lib/crypto/krb/prf/prf_int.h + * + * Copyright 1987, 1988, 1990, 2002 by the Massachusetts Institute of + * Technology. All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + +#ifndef PRF_INTERNAL_DEFS +#define PRF_INTERNAL_DEFS + +#include "k5-int.h" + +krb5_error_code +krb5int_arcfour_prf(const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, + const krb5_data *in, krb5_data *out); + +krb5_error_code +krb5int_des_prf (const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, + const krb5_data *in, krb5_data *out); + +krb5_error_code +krb5int_dk_prf(const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, const krb5_data *in, krb5_data *out); + +#endif /*PRF_INTERNAL_DEFS*/ + + diff --git a/src/lib/crypto/krb/prf/rc4_prf.c b/src/lib/crypto/krb/prf/rc4_prf.c new file mode 100644 index 0000000000..2b1b73f914 --- /dev/null +++ b/src/lib/crypto/krb/prf/rc4_prf.c @@ -0,0 +1,42 @@ +/* + * lib/crypto/krb/prf/rc4_prf.c + * + * Copyright (C) 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + */ + +#include "prf_int.h" +#include "k5-int.h" +#include + +krb5_error_code +krb5int_arcfour_prf(const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, + const krb5_data *in, krb5_data *out) +{ + assert(out->length == 20); + return krb5_hmac(&krb5int_hash_sha1, key, 1, in, out); +} + + diff --git a/src/lib/crypto/krb/rand2key/Makefile.in b/src/lib/crypto/krb/rand2key/Makefile.in new file mode 100644 index 0000000000..d868fc9224 --- /dev/null +++ b/src/lib/crypto/krb/rand2key/Makefile.in @@ -0,0 +1,34 @@ +thisconfigdir=../../../.. +myfulldir=lib/crypto/krb/rand2key +mydir=lib/crypto/krb/rand2key +BUILDTOP=$(REL)..$(S)..$(S)..$(S).. +LOCALINCLUDES = -I$(srcdir)/. +DEFS= + +##DOS##BUILDTOP = ..\..\..\.. +##DOS##PREFIXDIR=rand2key +##DOS##OBJFILE=..\$(OUTPRE)rand2key.lst + +PROG_LIBPATH=-L$(TOPLIBD) +PROG_RPATH=$(KRB5_LIBDIR) + +STLIBOBJS= aes_rand2key.o des_rand2key.o des3_rand2key.o rc4_rand2key.o + +OBJS= $(OUTPRE)aes_rand2key.$(OBJEXT) $(OUTPRE)des_rand2key.$(OBJEXT) \ + $(OUTPRE)des3_rand2key.$(OBJEXT) $(OUTPRE)rc4_rand2key.$(OBJEXT) + +SRCS= $(srcdir)/aes_rand2key.c $(srcdir)/des_rand2key.c \ + $(srcdir)/des3_rand2key.c $(srcdir)/rc4_rand2key.c + +##DOS##LIBOBJS = $(OBJS) + +all-unix:: all-libobjs + +includes:: depend + +depend:: $(SRCS) + +clean-unix:: clean-libobjs + +@libobj_frag@ + diff --git a/src/lib/crypto/krb/rand2key/aes_rand2key.c b/src/lib/crypto/krb/rand2key/aes_rand2key.c new file mode 100644 index 0000000000..25c72cff3c --- /dev/null +++ b/src/lib/crypto/krb/rand2key/aes_rand2key.c @@ -0,0 +1,44 @@ +/* + * lib/crypto/krb/rand2key/aes_rand2key.c + * + * Copyright (C) 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + + +#include "rand2key.h" + +krb5_error_code +krb5int_aes_make_key(const krb5_data *randombits, krb5_keyblock *key) +{ + if (key->length != 16 && key->length != 32) + return(KRB5_BAD_KEYSIZE); + if (randombits->length != key->length) + return(KRB5_CRYPTO_INTERNAL); + + key->magic = KV5M_KEYBLOCK; + + memcpy(key->contents, randombits->data, randombits->length); + + return(0); +} + diff --git a/src/lib/crypto/krb/rand2key/deps b/src/lib/crypto/krb/rand2key/deps new file mode 100644 index 0000000000..634ec6176a --- /dev/null +++ b/src/lib/crypto/krb/rand2key/deps @@ -0,0 +1,43 @@ +# +# Generated makefile dependencies follow. +# +aes_rand2key.so aes_rand2key.po $(OUTPRE)aes_rand2key.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ + $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ + $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ + $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h aes_rand2key.c rand2key.h +des_rand2key.so des_rand2key.po $(OUTPRE)des_rand2key.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ + $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ + $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ + $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h des_rand2key.c rand2key.h +des3_rand2key.so des3_rand2key.po $(OUTPRE)des3_rand2key.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ + $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ + $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ + $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h des3_rand2key.c rand2key.h +rc4_rand2key.so rc4_rand2key.po $(OUTPRE)rc4_rand2key.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ + $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ + $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ + $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h rand2key.h rc4_rand2key.c diff --git a/src/lib/crypto/krb/rand2key/des3_rand2key.c b/src/lib/crypto/krb/rand2key/des3_rand2key.c new file mode 100644 index 0000000000..9f2b2c592b --- /dev/null +++ b/src/lib/crypto/krb/rand2key/des3_rand2key.c @@ -0,0 +1,59 @@ +/* + * lib/crypto/krb/rand2key/des3_rand2key.c + * + * Copyright (C) 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + + +#include "rand2key.h" + +/* RFC 3961 */ +krb5_error_code +krb5int_des3_make_key(const krb5_data *randombits, krb5_keyblock *key) +{ + int i; + if (key->length != KRB5_MIT_DES3_KEYSIZE) + return(KRB5_BAD_KEYSIZE); + if (randombits->length != KRB5_MIT_DES3_KEY_BYTES) + return(KRB5_CRYPTO_INTERNAL); + + key->magic = KV5M_KEYBLOCK; + + /* take the seven bytes, move them around into the top 7 bits of the + 8 key bytes, then compute the parity bits. Do this three times. */ + + for (i=0; i<3; i++) { + memcpy(key->contents+i*8, randombits->data+i*7, 7); + key->contents[i*8+7] = (((key->contents[i*8]&1)<<1) | + ((key->contents[i*8+1]&1)<<2) | + ((key->contents[i*8+2]&1)<<3) | + ((key->contents[i*8+3]&1)<<4) | + ((key->contents[i*8+4]&1)<<5) | + ((key->contents[i*8+5]&1)<<6) | + ((key->contents[i*8+6]&1)<<7)); + + mit_des_fixup_key_parity(key->contents+i*8); + } + return(0); +} + diff --git a/src/lib/crypto/krb/rand2key/des_rand2key.c b/src/lib/crypto/krb/rand2key/des_rand2key.c new file mode 100644 index 0000000000..47db2c39f5 --- /dev/null +++ b/src/lib/crypto/krb/rand2key/des_rand2key.c @@ -0,0 +1,54 @@ +/* + * lib/crypto/krb/rand2key/des_rand2key.c + * + * Copyright (C) 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + + +#include "rand2key.h" + +krb5_error_code +krb5int_des_make_key(const krb5_data *randombits, krb5_keyblock *key) +{ + if (key->length != KRB5_MIT_DES_KEYSIZE) + return(KRB5_BAD_KEYSIZE); + if (randombits->length != 7) + return(KRB5_CRYPTO_INTERNAL); + + key->magic = KV5M_KEYBLOCK; + + /* take the seven bytes, move them around into the top 7 bits of the + 8 key bytes, then compute the parity bits */ + + memcpy(key->contents, randombits->data, randombits->length); + key->contents[7] = (((key->contents[0]&1)<<1) | ((key->contents[1]&1)<<2) | + ((key->contents[2]&1)<<3) | ((key->contents[3]&1)<<4) | + ((key->contents[4]&1)<<5) | ((key->contents[5]&1)<<6) | + ((key->contents[6]&1)<<7)); + + mit_des_fixup_key_parity(key->contents); + + return(0); +} + + diff --git a/src/lib/crypto/krb/rand2key/rand2key.h b/src/lib/crypto/krb/rand2key/rand2key.h new file mode 100644 index 0000000000..d452940b38 --- /dev/null +++ b/src/lib/crypto/krb/rand2key/rand2key.h @@ -0,0 +1,18 @@ +#include "k5-int.h" + + +krb5_error_code +krb5int_arcfour_make_key(const krb5_data *randombits, krb5_keyblock *key); + +krb5_error_code +krb5int_des_make_key(const krb5_data *randombits, krb5_keyblock *key); + +/* RFC 3961 */ +krb5_error_code +krb5int_des3_make_key(const krb5_data *randombits, krb5_keyblock *key); + +krb5_error_code +krb5int_aes_make_key(const krb5_data *randombits, krb5_keyblock *key); + + + diff --git a/src/lib/crypto/krb/rand2key/rc4_rand2key.c b/src/lib/crypto/krb/rand2key/rc4_rand2key.c new file mode 100644 index 0000000000..0e66d887df --- /dev/null +++ b/src/lib/crypto/krb/rand2key/rc4_rand2key.c @@ -0,0 +1,45 @@ +/* + * lib/crypto/krb/rand2key/rc4_rand2key.c + * + * Copyright (C) 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + +#include "rand2key.h" + + +krb5_error_code +krb5int_arcfour_make_key(const krb5_data *randombits, krb5_keyblock *key) +{ + if (key->length != 16) + return(KRB5_BAD_KEYSIZE); + if (randombits->length != 16) + return(KRB5_CRYPTO_INTERNAL); + + key->magic = KV5M_KEYBLOCK; + key->length = 16; + + memcpy(key->contents, randombits->data, randombits->length); + + return(0); +} + diff --git a/src/lib/crypto/krb/yarrow/Makefile.in b/src/lib/crypto/krb/yarrow/Makefile.in index b246c6cc05..0a3c1e708d 100644 --- a/src/lib/crypto/krb/yarrow/Makefile.in +++ b/src/lib/crypto/krb/yarrow/Makefile.in @@ -2,7 +2,10 @@ thisconfigdir=../../../.. myfulldir=lib/crypto/krb/yarrow mydir=lib/crypto/krb/yarrow BUILDTOP=$(REL)..$(S)..$(S)..$(S).. -LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../../@CRYPTO_IMPL@ -I$(srcdir)/../../@CRYPTO_IMPL@/sha1 -I$(srcdir)/../../@CRYPTO_IMPL@/enc_provider +LOCALINCLUDES = -I$(srcdir)/.. \ + -I$(srcdir)/../../@CRYPTO_IMPL@ \ + -I$(srcdir)/../../@CRYPTO_IMPL@/sha1 \ + -I$(srcdir)/../../@CRYPTO_IMPL@/enc_provider DEFS= ##DOS##BUILDTOP = ..\..\..\.. diff --git a/src/lib/crypto/krb/yarrow/deps b/src/lib/crypto/krb/yarrow/deps index ed10e31373..ebc455065b 100644 --- a/src/lib/crypto/krb/yarrow/deps +++ b/src/lib/crypto/krb/yarrow/deps @@ -11,7 +11,7 @@ yarrow.so yarrow.po $(OUTPRE)yarrow.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ $(srcdir)/../../builtin/sha1/shs.h yarrow.c yarrow.h \ - ycipher.h yexcep.h yhash.h ylock.h ystate.h ytypes.h + ycipher.h yexcep.h $(srcdir)/../../builtin/yhash.h ylock.h ystate.h ytypes.h ycipher.so ycipher.po $(OUTPRE)ycipher.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ @@ -21,5 +21,6 @@ ycipher.so ycipher.po $(OUTPRE)ycipher.$(OBJEXT): $(BUILDTOP)/include/autoconf.h $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../../builtin/sha1/shs.h $(srcdir)/../../builtin/enc_provider/enc_provider.h \ - yarrow.h ycipher.c ycipher.h yhash.h ytypes.h + $(srcdir)/../../builtin/enc_provider/enc_provider.h \ + $(srcdir)/../../builtin/sha1/shs.h yarrow.h ycipher.c \ + ycipher.h $(srcdir)/../../builtin/yhash.h ytypes.h diff --git a/src/lib/crypto/krb/yarrow/yarrow.c b/src/lib/crypto/krb/yarrow/yarrow.c index ff25fa9c5d..b1533daf48 100644 --- a/src/lib/crypto/krb/yarrow/yarrow.c +++ b/src/lib/crypto/krb/yarrow/yarrow.c @@ -34,7 +34,6 @@ #define YARROW_IMPL #include "yarrow.h" -#include "yhash.h" #include "ycipher.h" #include "ylock.h" #include "ystate.h" diff --git a/src/lib/crypto/krb/yarrow/yarrow.h b/src/lib/crypto/krb/yarrow/yarrow.h index 7e1fe1442d..bb8c63ac05 100644 --- a/src/lib/crypto/krb/yarrow/yarrow.h +++ b/src/lib/crypto/krb/yarrow/yarrow.h @@ -10,7 +10,7 @@ #define YARROW_NO_MATHLIB #include "ytypes.h" -#include "yhash.h" +#include #include "ycipher.h" /* These error codes are returned by the functions below. */ diff --git a/src/lib/crypto/openssl/arcfour/arcfour-int.h b/src/lib/crypto/openssl/arcfour/arcfour-int.h new file mode 100644 index 0000000000..d9db0be8a7 --- /dev/null +++ b/src/lib/crypto/openssl/arcfour/arcfour-int.h @@ -0,0 +1,35 @@ +/* + +ARCFOUR cipher (based on a cipher posted on the Usenet in Spring-95). +This cipher is widely believed and has been tested to be equivalent +with the RC4 cipher from RSA Data Security, Inc. (RC4 is a trademark +of RSA Data Security) + +*/ +#ifndef ARCFOUR_INT_H +#define ARCFOUR_INT_H + +#include "arcfour.h" +#include + +#define CONFOUNDERLENGTH 8 + +typedef struct +{ + EVP_CIPHER_CTX evp_ctx; + unsigned int x; + unsigned int y; + unsigned char state[256]; + +} ArcfourContext; + +typedef struct { + int initialized; + ArcfourContext ctx; +} ArcFourCipherState; + +krb5_keyusage krb5int_arcfour_translate_usage(krb5_keyusage usage); + +extern const char *const krb5int_arcfour_l40; + +#endif /* ARCFOUR_INT_H */ diff --git a/src/lib/crypto/openssl/arcfour/arcfour.c b/src/lib/crypto/openssl/arcfour/arcfour.c new file mode 100644 index 0000000000..687f276b01 --- /dev/null +++ b/src/lib/crypto/openssl/arcfour/arcfour.c @@ -0,0 +1,326 @@ +/* + +ARCFOUR cipher (based on a cipher posted on the Usenet in Spring-95). +This cipher is widely believed and has been tested to be equivalent +with the RC4 cipher from RSA Data Security, Inc. (RC4 is a trademark +of RSA Data Security) + +*/ +#include "k5-int.h" +#include "arcfour-int.h" +#include "hash_provider/hash_provider.h" + +const char *const krb5int_arcfour_l40 = "fortybits"; + +void +krb5_arcfour_encrypt_length(const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + size_t inputlen, size_t *length) +{ + size_t blocksize, hashsize; + + blocksize = enc->block_size; + hashsize = hash->hashsize; + + /* checksum + (confounder + inputlen, in even blocksize) */ + *length = hashsize + krb5_roundup(8 + inputlen, blocksize); +} + + krb5_keyusage + krb5int_arcfour_translate_usage(krb5_keyusage usage) +{ + switch (usage) { + case 1: /* AS-REQ PA-ENC-TIMESTAMP padata timestamp, */ + return 1; + case 2: /* ticket from kdc */ + return 2; + case 3: /* as-rep encrypted part */ + return 8; + case 4: /* tgs-req authz data */ + return 4; + case 5: /* tgs-req authz data in subkey */ + return 5; + case 6: /* tgs-req authenticator cksum */ + return 6; +case 7: /* tgs-req authenticator */ + return 7; + case 8: + return 8; + case 9: /* tgs-rep encrypted with subkey */ + return 9; + case 10: /* ap-rep authentication cksum */ + return 10; /* xxx Microsoft never uses this*/ + case 11: /* app-req authenticator */ + return 11; + case 12: /* app-rep encrypted part */ + return 12; + case 23: /* sign wrap token*/ + return 13; + default: + return usage; +} +} + +/* RFC 4757 */ +krb5_error_code +krb5_arcfour_encrypt(const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, krb5_keyusage usage, + const krb5_data *ivec, const krb5_data *input, + krb5_data *output) +{ + krb5_keyblock k1, k2, k3; + krb5_data d1, d2, d3, salt, plaintext, checksum, ciphertext, confounder; + krb5_keyusage ms_usage; + size_t keylength, keybytes, blocksize, hashsize; + krb5_error_code ret; + + blocksize = enc->block_size; + keybytes = enc->keybytes; + keylength = enc->keylength; + hashsize = hash->hashsize; + + d1.length=keybytes; + d1.data=malloc(d1.length); + if (d1.data == NULL) + return (ENOMEM); + k1 = *key; + k1.length=d1.length; + k1.contents= (void *) d1.data; + + d2.length=keybytes; + d2.data=malloc(d2.length); + if (d2.data == NULL) { + free(d1.data); + return (ENOMEM); + } + k2 = *key; + k2.length=d2.length; + k2.contents=(void *) d2.data; + + d3.length=keybytes; + d3.data=malloc(d3.length); + if (d3.data == NULL) { + free(d1.data); + free(d2.data); + return (ENOMEM); + } + k3 = *key; + k3.length=d3.length; + k3.contents= (void *) d3.data; + + salt.length=14; + salt.data=malloc(salt.length); + if (salt.data == NULL) { + free(d1.data); + free(d2.data); + free(d3.data); + return (ENOMEM); + } + + /* is "input" already blocksize aligned? if it is, then we need this + step, otherwise we do not */ + plaintext.length=krb5_roundup(input->length+CONFOUNDERLENGTH,blocksize); + plaintext.data=malloc(plaintext.length); + if (plaintext.data == NULL) { + free(d1.data); + free(d2.data); + free(d3.data); + free(salt.data); + return(ENOMEM); + } + + /* setup convienient pointers into the allocated data */ + checksum.length=hashsize; + checksum.data=output->data; + ciphertext.length=krb5_roundup(input->length+CONFOUNDERLENGTH,blocksize); + ciphertext.data=output->data+hashsize; + confounder.length=CONFOUNDERLENGTH; + confounder.data=plaintext.data; + output->length = plaintext.length+hashsize; + + /* begin the encryption, computer K1 */ + ms_usage=krb5int_arcfour_translate_usage(usage); + if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { + strncpy(salt.data, krb5int_arcfour_l40, salt.length); + store_32_le(ms_usage, salt.data+10); + } else { + salt.length=4; + store_32_le(ms_usage, salt.data); + } + krb5_hmac(hash, key, 1, &salt, &d1); + + memcpy(k2.contents, k1.contents, k2.length); + + if (key->enctype==ENCTYPE_ARCFOUR_HMAC_EXP) + memset(k1.contents+7, 0xab, 9); + + ret=krb5_c_random_make_octets(/* XXX */ 0, &confounder); + memcpy(plaintext.data+confounder.length, input->data, input->length); + if (ret) + goto cleanup; + + krb5_hmac(hash, &k2, 1, &plaintext, &checksum); + + krb5_hmac(hash, &k1, 1, &checksum, &d3); + + ret=(*(enc->encrypt))(&k3, ivec, &plaintext, &ciphertext); + + cleanup: + memset(d1.data, 0, d1.length); + memset(d2.data, 0, d2.length); + memset(d3.data, 0, d3.length); + memset(salt.data, 0, salt.length); + memset(plaintext.data, 0, plaintext.length); + + free(d1.data); + free(d2.data); + free(d3.data); + free(salt.data); + free(plaintext.data); + return (ret); +} + +/* This is the arcfour-hmac decryption routine */ +krb5_error_code +krb5_arcfour_decrypt(const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, krb5_keyusage usage, + const krb5_data *ivec, const krb5_data *input, + krb5_data *output) +{ + krb5_keyblock k1,k2,k3; + krb5_data d1,d2,d3,salt,ciphertext,plaintext,checksum; + krb5_keyusage ms_usage; + size_t keybytes, keylength, hashsize, blocksize; + krb5_error_code ret; + + blocksize = enc->block_size; + keybytes = enc->keybytes; + keylength = enc->keylength; + hashsize = hash->hashsize; + + d1.length=keybytes; + d1.data=malloc(d1.length); + if (d1.data == NULL) + return (ENOMEM); + k1 = *key; + k1.length=d1.length; + k1.contents= (void *) d1.data; + + d2.length=keybytes; + d2.data=malloc(d2.length); + if (d2.data == NULL) { + free(d1.data); + return (ENOMEM); + } + k2 = *key; + k2.length=d2.length; + k2.contents= (void *) d2.data; + + d3.length=keybytes; + d3.data=malloc(d3.length); + if (d3.data == NULL) { + free(d1.data); + free(d2.data); + return (ENOMEM); + } + k3 = *key; + k3.length=d3.length; + k3.contents= (void *) d3.data; + + salt.length=14; + salt.data=malloc(salt.length); + if(salt.data==NULL) { + free(d1.data); + free(d2.data); + free(d3.data); + return (ENOMEM); + } + + ciphertext.length=input->length-hashsize; + ciphertext.data=input->data+hashsize; + plaintext.length=ciphertext.length; + plaintext.data=malloc(plaintext.length); + if (plaintext.data == NULL) { + free(d1.data); + free(d2.data); + free(d3.data); + free(salt.data); + return (ENOMEM); + } + + checksum.length=hashsize; + checksum.data=input->data; + + ms_usage=krb5int_arcfour_translate_usage(usage); + + /* We may have to try two ms_usage values; see below. */ + do { + /* compute the salt */ + if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { + strncpy(salt.data, krb5int_arcfour_l40, salt.length); + store_32_le(ms_usage, salt.data + 10); + } else { + salt.length = 4; + store_32_le(ms_usage, salt.data); + } + ret = krb5_hmac(hash, key, 1, &salt, &d1); + if (ret) + goto cleanup; + + memcpy(k2.contents, k1.contents, k2.length); + + if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) + memset(k1.contents + 7, 0xab, 9); + + ret = krb5_hmac(hash, &k1, 1, &checksum, &d3); + if (ret) + goto cleanup; + + ret = (*(enc->decrypt))(&k3, ivec, &ciphertext, &plaintext); + if (ret) + goto cleanup; + + ret = krb5_hmac(hash, &k2, 1, &plaintext, &d1); + if (ret) + goto cleanup; + + if (memcmp(checksum.data, d1.data, hashsize) != 0) { + if (ms_usage == 9) { + /* + * RFC 4757 specifies usage 8 for TGS-REP encrypted + * parts encrypted in a subkey, but the value used by MS + * is actually 9. We now use 9 to start with, but fall + * back to 8 on failure in case we are communicating + * with a KDC using the value from the RFC. + */ + ms_usage = 8; + continue; + } + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; + goto cleanup; + } + + break; + } while (1); + + memcpy(output->data, plaintext.data+CONFOUNDERLENGTH, + (plaintext.length-CONFOUNDERLENGTH)); + output->length=plaintext.length-CONFOUNDERLENGTH; + + cleanup: + memset(d1.data, 0, d1.length); + memset(d2.data, 0, d2.length); + memset(d3.data, 0, d2.length); + memset(salt.data, 0, salt.length); + memset(plaintext.data, 0, plaintext.length); + + free(d1.data); + free(d2.data); + free(d3.data); + free(salt.data); + free(plaintext.data); + return (ret); +} + diff --git a/src/lib/crypto/openssl/arcfour/arcfour.h b/src/lib/crypto/openssl/arcfour/arcfour.h new file mode 100644 index 0000000000..be408febc6 --- /dev/null +++ b/src/lib/crypto/openssl/arcfour/arcfour.h @@ -0,0 +1,43 @@ +#ifndef ARCFOUR_H +#define ARCFOUR_H + +extern void +krb5_arcfour_encrypt_length(const struct krb5_enc_provider *, + const struct krb5_hash_provider *, + size_t, + size_t *); + +extern +krb5_error_code krb5_arcfour_encrypt(const struct krb5_enc_provider *, + const struct krb5_hash_provider *, + const krb5_keyblock *, + krb5_keyusage, + const krb5_data *, + const krb5_data *, + krb5_data *); + +extern +krb5_error_code krb5_arcfour_decrypt(const struct krb5_enc_provider *, + const struct krb5_hash_provider *, + const krb5_keyblock *, + krb5_keyusage, + const krb5_data *, + const krb5_data *, + krb5_data *); + +extern krb5_error_code krb5int_arcfour_string_to_key( + const struct krb5_enc_provider *, + const krb5_data *, + const krb5_data *, + const krb5_data *, + krb5_keyblock *); + +extern const struct krb5_enc_provider krb5int_enc_arcfour; +extern const struct krb5_aead_provider krb5int_aead_arcfour; + krb5_error_code krb5int_arcfour_prf( + const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, + const krb5_data *in, krb5_data *out); + +#endif /* ARCFOUR_H */ diff --git a/src/lib/crypto/openssl/arcfour/arcfour_aead.c b/src/lib/crypto/openssl/arcfour/arcfour_aead.c new file mode 100644 index 0000000000..cff7d66d65 --- /dev/null +++ b/src/lib/crypto/openssl/arcfour/arcfour_aead.c @@ -0,0 +1,325 @@ +/* + * lib/crypto/arcfour/arcfour_aead.c + * + * Copyright 2008 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + + +#include "k5-int.h" +#include "arcfour.h" +#include "arcfour-int.h" +#include "aead.h" + +/* AEAD */ + +static krb5_error_code +krb5int_arcfour_crypto_length(const struct krb5_aead_provider *aead, + const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + krb5_cryptotype type, + unsigned int *length) +{ + switch (type) { + case KRB5_CRYPTO_TYPE_HEADER: + *length = hash->hashsize + CONFOUNDERLENGTH; + break; + case KRB5_CRYPTO_TYPE_PADDING: + *length = 0; + break; + case KRB5_CRYPTO_TYPE_TRAILER: + *length = 0; + break; + case KRB5_CRYPTO_TYPE_CHECKSUM: + *length = hash->hashsize; + break; + default: + assert(0 && "invalid cryptotype passed to krb5int_arcfour_crypto_length"); + break; + } + + return 0; +} + +static krb5_error_code +alloc_derived_key(const struct krb5_enc_provider *enc, + krb5_keyblock *dst, + krb5_data *data, + const krb5_keyblock *src) +{ + data->length = enc->keybytes; + data->data = malloc(data->length); + if (data->data == NULL) + return ENOMEM; + + *dst = *src; + dst->length = data->length; + dst->contents = (void *)data->data; + + return 0; +} + +static krb5_error_code +krb5int_arcfour_encrypt_iov(const struct krb5_aead_provider *aead, + const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, + krb5_keyusage usage, + const krb5_data *ivec, + krb5_crypto_iov *data, + size_t num_data) +{ + krb5_error_code ret; + krb5_crypto_iov *header, *trailer; + krb5_keyblock k1, k2, k3; + krb5_data d1, d2, d3; + krb5_data checksum, confounder, header_data; + krb5_keyusage ms_usage; + char salt_data[14]; + krb5_data salt; + size_t i; + + d1.length = d2.length = d3.length = 0; + d1.data = d2.data = d3.data = NULL; + + /* + * Caller must have provided space for the header, padding + * and trailer; per RFC 4757 we will arrange it as: + * + * Checksum | E(Confounder | Plaintext) + */ + + header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER); + if (header == NULL || + header->data.length < hash->hashsize + CONFOUNDERLENGTH) + return KRB5_BAD_MSIZE; + + header_data = header->data; + + /* Trailer may be absent */ + trailer = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_TRAILER); + if (trailer != NULL) + trailer->data.length = 0; + + /* Ensure that there is no padding */ + for (i = 0; i < num_data; i++) { + if (data[i].flags == KRB5_CRYPTO_TYPE_PADDING) + data[i].data.length = 0; + } + + ret = alloc_derived_key(enc, &k1, &d1, key); + if (ret != 0) + goto cleanup; + + ret = alloc_derived_key(enc, &k2, &d2, key); + if (ret != 0) + goto cleanup; + + ret = alloc_derived_key(enc, &k3, &d3, key); + if (ret != 0) + goto cleanup; + + /* Begin the encryption, compute K1 */ + salt.data = salt_data; + salt.length = sizeof(salt_data); + + ms_usage = krb5int_arcfour_translate_usage(usage); + + if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { + strncpy(salt.data, krb5int_arcfour_l40, salt.length); + store_32_le(ms_usage, salt.data + 10); + } else { + salt.length = 4; + store_32_le(ms_usage, salt.data); + } + ret = krb5_hmac(hash, key, 1, &salt, &d1); + if (ret != 0) + goto cleanup; + + memcpy(k2.contents, k1.contents, k2.length); + + if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) + memset(k1.contents + 7, 0xAB, 9); + + header->data.length = hash->hashsize + CONFOUNDERLENGTH; + + confounder.data = header->data.data + hash->hashsize; + confounder.length = CONFOUNDERLENGTH; + + ret = krb5_c_random_make_octets(0, &confounder); + if (ret != 0) + goto cleanup; + + checksum.data = header->data.data; + checksum.length = hash->hashsize; + + /* Adjust pointers so confounder is at start of header */ + header->data.length -= hash->hashsize; + header->data.data += hash->hashsize; + + ret = krb5int_hmac_iov(hash, &k2, data, num_data, &checksum); + if (ret != 0) + goto cleanup; + + ret = krb5_hmac(hash, &k1, 1, &checksum, &d3); + if (ret != 0) + goto cleanup; + + ret = enc->encrypt_iov(&k3, ivec, data, num_data); + if (ret != 0) + goto cleanup; + +cleanup: + header->data = header_data; /* restore header pointers */ + + if (d1.data != NULL) { + memset(d1.data, 0, d1.length); + free(d1.data); + } + if (d2.data != NULL) { + memset(d2.data, 0, d2.length); + free(d2.data); + } + if (d3.data != NULL) { + memset(d3.data, 0, d3.length); + free(d3.data); + } + + return ret; +} + +static krb5_error_code +krb5int_arcfour_decrypt_iov(const struct krb5_aead_provider *aead, + const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, + krb5_keyusage usage, + const krb5_data *ivec, + krb5_crypto_iov *data, + size_t num_data) +{ + krb5_error_code ret; + krb5_crypto_iov *header, *trailer; + krb5_keyblock k1, k2, k3; + krb5_data d1, d2, d3; + krb5_data checksum, header_data; + krb5_keyusage ms_usage; + char salt_data[14]; + krb5_data salt; + + d1.length = d2.length = d3.length = 0; + d1.data = d2.data = d3.data = NULL; + + header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER); + if (header == NULL || + header->data.length != hash->hashsize + CONFOUNDERLENGTH) + return KRB5_BAD_MSIZE; + + header_data = header->data; + + trailer = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_TRAILER); + if (trailer != NULL && trailer->data.length != 0) + return KRB5_BAD_MSIZE; + + ret = alloc_derived_key(enc, &k1, &d1, key); + if (ret != 0) + goto cleanup; + + ret = alloc_derived_key(enc, &k2, &d2, key); + if (ret != 0) + goto cleanup; + + ret = alloc_derived_key(enc, &k3, &d3, key); + if (ret != 0) + goto cleanup; + + /* Begin the decryption, compute K1 */ + salt.data = salt_data; + salt.length = sizeof(salt_data); + + ms_usage = krb5int_arcfour_translate_usage(usage); + + if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { + strncpy(salt.data, krb5int_arcfour_l40, salt.length); + store_32_le(ms_usage, (unsigned char *)salt.data + 10); + } else { + salt.length = 4; + store_32_le(ms_usage, (unsigned char *)salt.data); + } + ret = krb5_hmac(hash, key, 1, &salt, &d1); + if (ret != 0) + goto cleanup; + + memcpy(k2.contents, k1.contents, k2.length); + + if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) + memset(k1.contents + 7, 0xAB, 9); + + checksum.data = header->data.data; + checksum.length = hash->hashsize; + + /* Adjust pointers so confounder is at start of header */ + header->data.length -= hash->hashsize; + header->data.data += hash->hashsize; + + ret = krb5_hmac(hash, &k1, 1, &checksum, &d3); + if (ret != 0) + goto cleanup; + + ret = enc->decrypt_iov(&k3, ivec, data, num_data); + if (ret != 0) + goto cleanup; + + ret = krb5int_hmac_iov(hash, &k2, data, num_data, &d1); + if (ret != 0) + goto cleanup; + + if (memcmp(checksum.data, d1.data, hash->hashsize) != 0) { + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; + goto cleanup; + } + +cleanup: + header->data = header_data; /* restore header pointers */ + + if (d1.data != NULL) { + memset(d1.data, 0, d1.length); + free(d1.data); + } + if (d2.data != NULL) { + memset(d2.data, 0, d2.length); + free(d2.data); + } + if (d3.data != NULL) { + memset(d3.data, 0, d3.length); + free(d3.data); + } + + return ret; +} + +const struct krb5_aead_provider krb5int_aead_arcfour = { + krb5int_arcfour_crypto_length, + krb5int_arcfour_encrypt_iov, + krb5int_arcfour_decrypt_iov +}; + diff --git a/src/lib/crypto/openssl/arcfour/arcfour_s2k.c b/src/lib/crypto/openssl/arcfour/arcfour_s2k.c new file mode 100644 index 0000000000..41053ed17d --- /dev/null +++ b/src/lib/crypto/openssl/arcfour/arcfour_s2k.c @@ -0,0 +1,59 @@ +#include "k5-int.h" +#include "k5-utf8.h" +#include "rsa-md4.h" +#include "arcfour-int.h" + +#if TARGET_OS_MAC && !defined(DEPEND) +#include +#endif + +krb5_error_code +krb5int_arcfour_string_to_key(const struct krb5_enc_provider *enc, + const krb5_data *string, const krb5_data *salt, + const krb5_data *params, krb5_keyblock *key) +{ + krb5_error_code err = 0; + krb5_MD4_CTX md4_context; + unsigned char *copystr; + size_t copystrlen; + + if (params != NULL) + return KRB5_ERR_BAD_S2K_PARAMS; + + if (key->length != 16) + return (KRB5_BAD_MSIZE); + + /* We ignore salt per the Microsoft spec*/ + + /* compute the space needed for the new string. + Since the password must be stored in unicode, we need to increase + that number by 2x. + */ + + err = krb5int_utf8cs_to_ucs2les(string->data, string->length, ©str, ©strlen); + if (err) + return err; + + /* the actual MD4 hash of the data */ + krb5_MD4Init(&md4_context); + krb5_MD4Update(&md4_context, copystr, copystrlen); + krb5_MD4Final(&md4_context); + memcpy(key->contents, md4_context.digest, 16); + +#if 0 + /* test the string_to_key function */ + printf("Hash="); + { + int counter; + for(counter=0;counter<16;counter++) + printf("%02x", md4_context.digest[counter]); + printf("\n"); + } +#endif /* 0 */ + + /* Zero out the data behind us */ + memset(copystr, 0, copystrlen); + memset(&md4_context, 0, sizeof(md4_context)); + free(copystr); + return err; +} diff --git a/src/lib/crypto/openssl/des/afsstring2key.c b/src/lib/crypto/openssl/des/afsstring2key.c new file mode 100644 index 0000000000..031db5845f --- /dev/null +++ b/src/lib/crypto/openssl/des/afsstring2key.c @@ -0,0 +1,27 @@ +/* lib/crypto/openss/des/afsstring2key.c + * + * Copyright 2009 by the Massachusetts Institute + * of Technology. + * All Rights Reserved. + * + */ + +#include "k5-int.h" +#include "des_int.h" +#include + +krb5_error_code +mit_afs_string_to_key (krb5_keyblock *keyblock, const krb5_data *data, + const krb5_data *salt) +{ + return KRB5_CRYPTO_INTERNAL; +} +char * +mit_afs_crypt(const char *pw, const char *salt, + char *iobuf) +{ + /* Unsupported operation */ + return NULL; +} + + diff --git a/src/lib/crypto/openssl/des/d3_aead.c b/src/lib/crypto/openssl/des/d3_aead.c new file mode 100644 index 0000000000..cd99886116 --- /dev/null +++ b/src/lib/crypto/openssl/des/d3_aead.c @@ -0,0 +1,34 @@ +/* lib/crypto/openssl/des/d3_aead.c + * + * Copyright 2009 by the Massachusetts Institute + * of Technology. + * All Rights Reserved. + * + */ +#include "des_int.h" +#include "aead.h" + +void +krb5int_des3_cbc_encrypt_iov(krb5_crypto_iov *data, + unsigned long num_data, + const mit_des_key_schedule ks1, + const mit_des_key_schedule ks2, + const mit_des_key_schedule ks3, + mit_des_cblock ivec) +{ + /* Unsupported operation */ + abort(); +} + +void +krb5int_des3_cbc_decrypt_iov(krb5_crypto_iov *data, + unsigned long num_data, + const mit_des_key_schedule ks1, + const mit_des_key_schedule ks2, + const mit_des_key_schedule ks3, + mit_des_cblock ivec) +{ + /* Unsupported operation */ + abort(); +} + diff --git a/src/lib/crypto/openssl/des/d3_cbc.c b/src/lib/crypto/openssl/des/d3_cbc.c new file mode 100644 index 0000000000..98caab5039 --- /dev/null +++ b/src/lib/crypto/openssl/des/d3_cbc.c @@ -0,0 +1,51 @@ +/* lib/crypto/openssl/des/d3_cbc.c + * + * Copyright 2009 by the Massachusetts Institute + * of Technology. + * All Rights Reserved. + * + */ +#include "des_int.h" + +/* + * Triple-DES CBC encryption mode. + */ + +#undef mit_des3_cbc_encrypt +int +mit_des3_cbc_encrypt(const mit_des_cblock *in, mit_des_cblock *out, + unsigned long length, const mit_des_key_schedule ks1, + const mit_des_key_schedule ks2, + const mit_des_key_schedule ks3, + const mit_des_cblock ivec, int enc) +{ + /* Unsupported operation */ + return KRB5_CRYPTO_INTERNAL; +} + +void +krb5int_des3_cbc_encrypt(const mit_des_cblock *input, + mit_des_cblock *output, + unsigned long length, + const mit_des_key_schedule key, + const mit_des_key_schedule ks2, + const mit_des_key_schedule ks3, + const mit_des_cblock ivec) +{ + /* Unsupported operation */ + abort(); +} + +void +krb5int_des3_cbc_decrypt(const mit_des_cblock *in, + mit_des_cblock *out, + unsigned long length, + const mit_des_key_schedule ks1, + const mit_des_key_schedule ks2, + const mit_des_key_schedule ks3, + const mit_des_cblock ivec) +{ + /* Unsupported operation */ + abort(); +} + diff --git a/src/lib/crypto/openssl/des/d3_kysched.c b/src/lib/crypto/openssl/des/d3_kysched.c new file mode 100644 index 0000000000..fb42e792f9 --- /dev/null +++ b/src/lib/crypto/openssl/des/d3_kysched.c @@ -0,0 +1,18 @@ +/* lib/crypto/openssl/des/d3_kysched.c + * + * Copyright 2009 by the Massachusetts Institute + * of Technology. + * All Rights Reserved. + * + */ + +#include "des_int.h" + +int +mit_des3_key_sched(mit_des3_cblock k, mit_des3_key_schedule schedule) +{ + /* Unsupported operation */ + return KRB5_CRYPTO_INTERNAL; +} + + diff --git a/src/lib/crypto/openssl/des/des_int.h b/src/lib/crypto/openssl/des/des_int.h new file mode 100644 index 0000000000..fd2024a454 --- /dev/null +++ b/src/lib/crypto/openssl/des/des_int.h @@ -0,0 +1,377 @@ +/* + * lib/crypto/des/des_int.h + * + * Copyright 1987, 1988, 1990, 2002 by the Massachusetts Institute of + * Technology. All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * Private include file for the Data Encryption Standard library. + */ + +/* + * Copyright (C) 1998 by the FundsXpress, INC. + * + * All rights reserved. + * + * Export of this software from the United States of America may require + * a specific license from the United States Government. It is the + * responsibility of any person or organization contemplating export to + * obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of FundsXpress. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. FundsXpress makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + */ + +/* only do the whole thing once */ +#ifndef DES_INTERNAL_DEFS +#define DES_INTERNAL_DEFS + +#include "k5-int.h" +/* + * Begin "mit-des.h" + */ +#ifndef KRB5_MIT_DES__ +#define KRB5_MIT_DES__ + +#if defined(__MACH__) && defined(__APPLE__) +#include +#include +#if TARGET_RT_MAC_CFM +#error "Use KfM 4.0 SDK headers for CFM compilation." +#endif +#if defined(DEPRECATED_IN_MAC_OS_X_VERSION_10_5) && !defined(KRB5_SUPRESS_DEPRECATED_WARNINGS) +#define KRB5INT_DES_DEPRECATED DEPRECATED_IN_MAC_OS_X_VERSION_10_5 +#endif +#endif /* defined(__MACH__) && defined(__APPLE__) */ + +/* Macro to add deprecated attribute to DES types and functions */ +/* Currently only defined on Mac OS X 10.5 and later. */ +#ifndef KRB5INT_DES_DEPRECATED +#define KRB5INT_DES_DEPRECATED +#endif + +#include + +#if UINT_MAX >= 0xFFFFFFFFUL +#define DES_INT32 int +#define DES_UINT32 unsigned int +#else +#define DES_INT32 long +#define DES_UINT32 unsigned long +#endif + +typedef unsigned char des_cblock[8] /* crypto-block size */ +KRB5INT_DES_DEPRECATED; + +/* + * Key schedule. + * + * This used to be + * + * typedef struct des_ks_struct { + * union { DES_INT32 pad; des_cblock _;} __; + * } des_key_schedule[16]; + * + * but it would cause trouble if DES_INT32 were ever more than 4 + * bytes. The reason is that all the encryption functions cast it to + * (DES_INT32 *), and treat it as if it were DES_INT32[32]. If + * 2*sizeof(DES_INT32) is ever more than sizeof(des_cblock), the + * caller-allocated des_key_schedule will be overflowed by the key + * scheduling functions. We can't assume that every platform will + * have an exact 32-bit int, and nothing should be looking inside a + * des_key_schedule anyway. + */ +typedef struct des_ks_struct { DES_INT32 _[2]; } des_key_schedule[16] +KRB5INT_DES_DEPRECATED; + +typedef des_cblock mit_des_cblock; +typedef des_key_schedule mit_des_key_schedule; + +/* Triple-DES structures */ +typedef mit_des_cblock mit_des3_cblock[3]; +typedef mit_des_key_schedule mit_des3_key_schedule[3]; + +#define MIT_DES_ENCRYPT 1 +#define MIT_DES_DECRYPT 0 + +typedef struct mit_des_ran_key_seed { + krb5_encrypt_block eblock; + krb5_data sequence; +} mit_des_random_state; + +/* the first byte of the key is already in the keyblock */ + +#define MIT_DES_BLOCK_LENGTH (8*sizeof(krb5_octet)) +#define MIT_DES_CBC_CRC_PAD_MINIMUM CRC32_CKSUM_LENGTH +/* This used to be 8*sizeof(krb5_octet) */ +#define MIT_DES_KEYSIZE 8 + +#define MIT_DES_CBC_CKSUM_LENGTH (4*sizeof(krb5_octet)) + +/* + * Check if k5-int.h has been included before us. If so, then check to see + * that our view of the DES key size is the same as k5-int.h's. + */ +#ifdef KRB5_MIT_DES_KEYSIZE +#if MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE +error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE) +#endif /* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */ +#endif /* KRB5_MIT_DES_KEYSIZE */ +#endif /* KRB5_MIT_DES__ */ +/* + * End "mit-des.h" + */ + +/* afsstring2key.c */ +extern krb5_error_code mit_afs_string_to_key + (krb5_keyblock *keyblock, + const krb5_data *data, + const krb5_data *salt); +extern char *mit_afs_crypt + (const char *pw, const char *salt, char *iobuf); + +/* f_cksum.c */ +extern unsigned long mit_des_cbc_cksum + (const krb5_octet *, krb5_octet *, unsigned long , + const mit_des_key_schedule, const krb5_octet *); + +/* f_ecb.c */ +extern int mit_des_ecb_encrypt + (const mit_des_cblock *, mit_des_cblock *, mit_des_key_schedule , int ); + +/* f_cbc.c */ +extern int mit_des_cbc_encrypt (const mit_des_cblock *in, + mit_des_cblock *out, + unsigned long length, + const mit_des_key_schedule schedule, + const mit_des_cblock ivec, int enc); + +#define mit_des_zeroblock krb5int_c_mit_des_zeroblock +extern const mit_des_cblock mit_des_zeroblock; + +/* fin_rndkey.c */ +extern krb5_error_code mit_des_finish_random_key + ( const krb5_encrypt_block *, + krb5_pointer *); + +/* finish_key.c */ +extern krb5_error_code mit_des_finish_key + ( krb5_encrypt_block *); + +/* init_rkey.c */ +extern krb5_error_code mit_des_init_random_key + ( const krb5_encrypt_block *, + const krb5_keyblock *, + krb5_pointer *); + +/* key_parity.c */ +extern void mit_des_fixup_key_parity (mit_des_cblock ); +extern int mit_des_check_key_parity (mit_des_cblock ); + +/* key_sched.c */ +extern int mit_des_key_sched + (mit_des_cblock , mit_des_key_schedule ); + +/* process_ky.c */ +extern krb5_error_code mit_des_process_key + ( krb5_encrypt_block *, const krb5_keyblock *); + +/* random_key.c */ +extern krb5_error_code mit_des_random_key + ( const krb5_encrypt_block *, krb5_pointer , + krb5_keyblock **); + +/* string2key.c */ +extern krb5_error_code mit_des_string_to_key + ( const krb5_encrypt_block *, + krb5_keyblock *, const krb5_data *, const krb5_data *); +extern krb5_error_code mit_des_string_to_key_int + (krb5_keyblock *, const krb5_data *, const krb5_data *); + +/* weak_key.c */ +extern int mit_des_is_weak_key (mit_des_cblock ); + +/* cmb_keys.c */ +krb5_error_code mit_des_combine_subkeys + (const krb5_keyblock *, const krb5_keyblock *, + krb5_keyblock **); + +/* f_pcbc.c */ +int mit_des_pcbc_encrypt (); + +/* f_sched.c */ +int mit_des_make_key_sched(mit_des_cblock, mit_des_key_schedule); + + +/* misc.c */ +extern void swap_bits (char *); +extern unsigned long long_swap_bits (unsigned long ); +extern unsigned long swap_six_bits_to_ansi (unsigned long ); +extern unsigned long swap_four_bits_to_ansi (unsigned long ); +extern unsigned long swap_bit_pos_1 (unsigned long ); +extern unsigned long swap_bit_pos_0 (unsigned long ); +extern unsigned long swap_bit_pos_0_to_ansi (unsigned long ); +extern unsigned long rev_swap_bit_pos_0 (unsigned long ); +extern unsigned long swap_byte_bits (unsigned long ); +extern unsigned long swap_long_bytes_bit_number (unsigned long ); +#ifdef FILE +/* XXX depends on FILE being a #define! */ +extern void test_set (FILE *, const char *, int, const char *, int); +#endif + +/* d3_ecb.c */ +extern int mit_des3_ecb_encrypt + (const mit_des_cblock *in, + mit_des_cblock *out, + mit_des_key_schedule sched1, + mit_des_key_schedule sched2, + mit_des_key_schedule sched3, + int enc); + +/* d3_cbc.c */ +extern int mit_des3_cbc_encrypt + (const mit_des_cblock *in, + mit_des_cblock *out, + unsigned long length, + const mit_des_key_schedule ks1, + const mit_des_key_schedule ks2, + const mit_des_key_schedule ks3, + const mit_des_cblock ivec, + int enc); + +void +krb5int_des3_cbc_encrypt(const mit_des_cblock *in, + mit_des_cblock *out, + unsigned long length, + const mit_des_key_schedule ks1, + const mit_des_key_schedule ks2, + const mit_des_key_schedule ks3, + const mit_des_cblock ivec); +void +krb5int_des3_cbc_decrypt(const mit_des_cblock *in, + mit_des_cblock *out, + unsigned long length, + const mit_des_key_schedule ks1, + const mit_des_key_schedule ks2, + const mit_des_key_schedule ks3, + const mit_des_cblock ivec); + +void +krb5int_des3_cbc_encrypt_iov(krb5_crypto_iov *data, + unsigned long num_data, + const mit_des_key_schedule ks1, + const mit_des_key_schedule ks2, + const mit_des_key_schedule ks3, + mit_des_cblock ivec); + +void +krb5int_des3_cbc_decrypt_iov(krb5_crypto_iov *data, + unsigned long num_data, + const mit_des_key_schedule ks1, + const mit_des_key_schedule ks2, + const mit_des_key_schedule ks3, + mit_des_cblock ivec); + +#define mit_des3_cbc_encrypt(in,out,length,ks1,ks2,ks3,ivec,enc) \ + ((enc ? krb5int_des3_cbc_encrypt : krb5int_des3_cbc_decrypt) \ + (in, out, length, ks1, ks2, ks3, ivec), 0) + +void +krb5int_des_cbc_encrypt(const mit_des_cblock *in, + mit_des_cblock *out, + unsigned long length, + const mit_des_key_schedule schedule, + const mit_des_cblock ivec); +void +krb5int_des_cbc_decrypt(const mit_des_cblock *in, + mit_des_cblock *out, + unsigned long length, + const mit_des_key_schedule schedule, + const mit_des_cblock ivec); + +#define mit_des_cbc_encrypt(in,out,length,schedule,ivec,enc) \ + ((enc ? krb5int_des_cbc_encrypt : krb5int_des_cbc_decrypt) \ + (in, out, length, schedule, ivec), 0) + +void +krb5int_des_cbc_encrypt_iov(krb5_crypto_iov *data, + unsigned long num_data, + const mit_des_key_schedule schedule, + mit_des_cblock ivec); + +void +krb5int_des_cbc_decrypt_iov(krb5_crypto_iov *data, + unsigned long num_data, + const mit_des_key_schedule schedule, + mit_des_cblock ivec); + +/* d3_procky.c */ +extern krb5_error_code mit_des3_process_key + (krb5_encrypt_block * eblock, + const krb5_keyblock * keyblock); + +/* d3_kysched.c */ +extern int mit_des3_key_sched + (mit_des3_cblock key, + mit_des3_key_schedule schedule); + +/* d3_str2ky.c */ +extern krb5_error_code mit_des3_string_to_key + (const krb5_encrypt_block * eblock, + krb5_keyblock * keyblock, + const krb5_data * data, + const krb5_data * salt); + +/* u_nfold.c */ +extern krb5_error_code mit_des_n_fold + (const krb5_octet * input, + const size_t in_len, + krb5_octet * output, + const size_t out_len); + +/* u_rn_key.c */ +extern int mit_des_is_weak_keyblock + (krb5_keyblock *keyblock); + +extern void mit_des_fixup_keyblock_parity + (krb5_keyblock *keyblock); + +extern krb5_error_code mit_des_set_random_generator_seed + (const krb5_data * seed, + krb5_pointer random_state); + +extern krb5_error_code mit_des_set_random_sequence_number + (const krb5_data * sequence, + krb5_pointer random_state); +#endif /*DES_INTERNAL_DEFS*/ diff --git a/src/lib/crypto/openssl/des/f_aead.c b/src/lib/crypto/openssl/des/f_aead.c new file mode 100644 index 0000000000..2046475901 --- /dev/null +++ b/src/lib/crypto/openssl/des/f_aead.c @@ -0,0 +1,33 @@ +/* lib/crypto/openssl/des/f_aead.c + * + * Copyright 2009 by the Massachusetts Institute + * of Technology. + * All Rights Reserved. + * + */ + +#include "des_int.h" +#include "aead.h" + + +void +krb5int_des_cbc_encrypt_iov(krb5_crypto_iov *data, + unsigned long num_data, + const mit_des_key_schedule schedule, + mit_des_cblock ivec) +{ + /* Unsupported operation */ + abort(); +} + +void +krb5int_des_cbc_decrypt_iov(krb5_crypto_iov *data, + unsigned long num_data, + const mit_des_key_schedule schedule, + mit_des_cblock iv) +{ + /* Unsupported operation */ + abort(); +} + + diff --git a/src/lib/crypto/openssl/des/f_cbc.c b/src/lib/crypto/openssl/des/f_cbc.c new file mode 100644 index 0000000000..55b648fc13 --- /dev/null +++ b/src/lib/crypto/openssl/des/f_cbc.c @@ -0,0 +1,89 @@ +/* + * lib/crypto/openssldes/f_cbc.c + * + * Copyright (C) 1990 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * DES implementation donated by Dennis Ferguson + */ + +/* + * des_cbc_encrypt.c - an implementation of the DES cipher function in cbc mode + */ +#include "des_int.h" + +/* + * des_cbc_encrypt - {en,de}crypt a stream in CBC mode + */ + +/* + * This routine performs DES cipher-block-chaining operation, either + * encrypting from cleartext to ciphertext, if encrypt != 0 or + * decrypting from ciphertext to cleartext, if encrypt == 0. + * + * The key schedule is passed as an arg, as well as the cleartext or + * ciphertext. The cleartext and ciphertext should be in host order. + * + * NOTE-- the output is ALWAYS an multiple of 8 bytes long. If not + * enough space was provided, your program will get trashed. + * + * For encryption, the cleartext string is null padded, at the end, to + * an integral multiple of eight bytes. + * + * For decryption, the ciphertext will be used in integral multiples + * of 8 bytes, but only the first "length" bytes returned into the + * cleartext. + */ + +const mit_des_cblock mit_des_zeroblock /* = all zero */; + +#undef mit_des_cbc_encrypt +int +mit_des_cbc_encrypt(const mit_des_cblock *in, mit_des_cblock *out, + unsigned long length, const mit_des_key_schedule schedule, + const mit_des_cblock ivec, int enc) +{ + /* Unsupported operation */ + return KRB5_CRYPTO_INTERNAL; +} +void +krb5int_des_cbc_encrypt(const mit_des_cblock *in, + mit_des_cblock *out, + unsigned long length, + const mit_des_key_schedule schedule, + const mit_des_cblock ivec) +{ + /* Unsupported operation */ + abort(); +} + +void +krb5int_des_cbc_decrypt(const mit_des_cblock *in, + mit_des_cblock *out, + unsigned long length, + const mit_des_key_schedule schedule, + const mit_des_cblock ivec) +{ + /* Unsupported operation */ + abort(); +} + diff --git a/src/lib/crypto/openssl/des/f_cksum.c b/src/lib/crypto/openssl/des/f_cksum.c new file mode 100644 index 0000000000..c49c8fdb3f --- /dev/null +++ b/src/lib/crypto/openssl/des/f_cksum.c @@ -0,0 +1,18 @@ +/* + * lib/crypto/openssl/des/f_cksum.c + * + * Copyright (C) 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + */ + +#include "des_int.h" + +unsigned long +mit_des_cbc_cksum(const krb5_octet *in, krb5_octet *out, + unsigned long length, const mit_des_key_schedule schedule, + const krb5_octet *ivec) +{ + /* Unsupported operation */ + return KRB5_CRYPTO_INTERNAL; +} + diff --git a/src/lib/crypto/openssl/des/f_parity.c b/src/lib/crypto/openssl/des/f_parity.c new file mode 100644 index 0000000000..1a83db6ef5 --- /dev/null +++ b/src/lib/crypto/openssl/des/f_parity.c @@ -0,0 +1,29 @@ +/* + * lib/crypto/openssl/des/f_parity.c + * + * Copyright (C) 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + */ + +#include "des_int.h" +#include + +void +mit_des_fixup_key_parity(mit_des_cblock key) +{ + DES_set_odd_parity(key); +} + +/* + * des_check_key_parity: returns true iff key has the correct des parity. + * See des_fix_key_parity for the definition of + * correct des parity. + */ +int +mit_des_check_key_parity(mit_des_cblock key) +{ + if (!DES_check_key_parity(key)) + return(0); + return (1); +} + diff --git a/src/lib/crypto/openssl/des/f_sched.c b/src/lib/crypto/openssl/des/f_sched.c new file mode 100644 index 0000000000..e833132bfe --- /dev/null +++ b/src/lib/crypto/openssl/des/f_sched.c @@ -0,0 +1,15 @@ +/* + * lib/crypto/openssl/des/f_sched.c + * + * Copyright (C) 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + */ + +#include "des_int.h" + +int +mit_des_make_key_sched(mit_des_cblock key, mit_des_key_schedule schedule) +{ + return KRB5_CRYPTO_INTERNAL; // CRYPTO_UNSOPPERTED_OP +} + diff --git a/src/lib/crypto/openssl/des/f_tables.c b/src/lib/crypto/openssl/des/f_tables.c new file mode 100644 index 0000000000..a8d161d5c6 --- /dev/null +++ b/src/lib/crypto/openssl/des/f_tables.c @@ -0,0 +1,17 @@ +/* + * lib/crypto/openssl/des/f_tables.c + * + * Copyright 2009 by the Massachusetts Institute + * of Technology. + * All Rights Reserved. + * + */ + +#include "des_int.h" +#include "f_tables.h" + +const unsigned DES_INT32 des_IP_table[] = {}; +const unsigned DES_INT32 des_FP_table[] = {}; +const unsigned DES_INT32 des_SP_table[] = {}; + + diff --git a/src/lib/crypto/openssl/des/f_tables.h b/src/lib/crypto/openssl/des/f_tables.h new file mode 100644 index 0000000000..af20cd59ea --- /dev/null +++ b/src/lib/crypto/openssl/des/f_tables.h @@ -0,0 +1,9 @@ +/* + * lib/crypto/des/f_tables.h + * + * Copyright 2009 by the Massachusetts Institute + * of Technology. + * All Rights Reserved. + * + */ + diff --git a/src/lib/crypto/openssl/des/key_sched.c b/src/lib/crypto/openssl/des/key_sched.c new file mode 100644 index 0000000000..1007ec9615 --- /dev/null +++ b/src/lib/crypto/openssl/des/key_sched.c @@ -0,0 +1,18 @@ +/* + * lib/crypto/openssl/des/key_sched.c + * + * Copyright 2009 by the Massachusetts Institute + * of Technology. + * All Rights Reserved. + * + */ + +#include "des_int.h" + +int +mit_des_key_sched(mit_des_cblock k, mit_des_key_schedule schedule) +{ + /* Unsupported operation */ + return KRB5_CRYPTO_INTERNAL; +} + diff --git a/src/lib/crypto/openssl/des/string2key.c b/src/lib/crypto/openssl/des/string2key.c new file mode 100644 index 0000000000..775a15364e --- /dev/null +++ b/src/lib/crypto/openssl/des/string2key.c @@ -0,0 +1,26 @@ +/* + * lib/crypto/openssl/des/string2key.c + * + * Copyright 2009 by the Massachusetts Institute + * of Technology. + * All Rights Reserved. + * + */ + +#include "des_int.h" +#include + + +krb5_error_code +mit_des_string_to_key_int (krb5_keyblock *key, + const krb5_data *pw, const krb5_data *salt) +{ + DES_cblock outkey; + DES_string_to_key(pw->data, &outkey); + if ( key->length < sizeof(outkey)) + return KRB5_CRYPTO_INTERNAL; + key->length = sizeof(outkey); + memcpy(key->contents, outkey, key->length); + return 0; +} + diff --git a/src/lib/crypto/openssl/des/weak_key.c b/src/lib/crypto/openssl/des/weak_key.c new file mode 100644 index 0000000000..7f97083922 --- /dev/null +++ b/src/lib/crypto/openssl/des/weak_key.c @@ -0,0 +1,87 @@ +/* + * lib/crypto/openssl/des/weak_key.c + * + * Copyright 1989,1990,2009 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * Under U.S. law, this software may not be exported outside the US + * without license from the U.S. Commerce department. + * + * These routines form the library interface to the DES facilities. + * + * Originally written 8/85 by Steve Miller, MIT Project Athena. + */ + +#include "des_int.h" + +/* + * The following are the weak DES keys: + */ +static const mit_des_cblock weak[16] = { + /* weak keys */ + {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01}, + {0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,0xfe}, + {0x1f,0x1f,0x1f,0x1f,0x0e,0x0e,0x0e,0x0e}, + {0xe0,0xe0,0xe0,0xe0,0xf1,0xf1,0xf1,0xf1}, + + /* semi-weak */ + {0x01,0xfe,0x01,0xfe,0x01,0xfe,0x01,0xfe}, + {0xfe,0x01,0xfe,0x01,0xfe,0x01,0xfe,0x01}, + + {0x1f,0xe0,0x1f,0xe0,0x0e,0xf1,0x0e,0xf1}, + {0xe0,0x1f,0xe0,0x1f,0xf1,0x0e,0xf1,0x0e}, + + {0x01,0xe0,0x01,0xe0,0x01,0xf1,0x01,0xf1}, + {0xe0,0x01,0xe0,0x01,0xf1,0x01,0xf1,0x01}, + + {0x1f,0xfe,0x1f,0xfe,0x0e,0xfe,0x0e,0xfe}, + {0xfe,0x1f,0xfe,0x1f,0xfe,0x0e,0xfe,0x0e}, + + {0x01,0x1f,0x01,0x1f,0x01,0x0e,0x01,0x0e}, + {0x1f,0x01,0x1f,0x01,0x0e,0x01,0x0e,0x01}, + + {0xe0,0xfe,0xe0,0xfe,0xf1,0xfe,0xf1,0xfe}, + {0xfe,0xe0,0xfe,0xe0,0xfe,0xf1,0xfe,0xf1} +}; + +/* + * mit_des_is_weak_key: returns true iff key is a [semi-]weak des key. + * + * Requires: key has correct odd parity. + */ +int +mit_des_is_weak_key(mit_des_cblock key) +{ + unsigned int i; + const mit_des_cblock *weak_p = weak; + + for (i = 0; i < (sizeof(weak)/sizeof(mit_des_cblock)); i++) { + if (!memcmp(weak_p++,key,sizeof(mit_des_cblock))) + return 1; + } + if ( DES_is_weak_key(key) == 1) /* Also OpenSSL's check */ + return 1; + + return 0; +} + diff --git a/src/lib/crypto/openssl/enc_provider/aes.c b/src/lib/crypto/openssl/enc_provider/aes.c new file mode 100644 index 0000000000..c1678184ba --- /dev/null +++ b/src/lib/crypto/openssl/enc_provider/aes.c @@ -0,0 +1,505 @@ +/* + * lib/crypto/openssl/enc_provider/aes.c + * + * Copyright (C) 2003, 2007, 2008, 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + +#include "k5-int.h" +#include "enc_provider.h" +#include "aes.h" +#include +#include +#include +#include +#include +#include + +/* proto's */ +static krb5_error_code +cts_enc(const krb5_keyblock *key, const krb5_data *ivec, + const krb5_data *input, krb5_data *output); +static krb5_error_code +cbc_enc(const krb5_keyblock *key, const krb5_data *ivec, + const krb5_data *input, krb5_data *output); +static krb5_error_code +cts_decr(const krb5_keyblock *key, const krb5_data *ivec, + const krb5_data *input, krb5_data *output); +static krb5_error_code +cbc_decr(const krb5_keyblock *key, const krb5_data *ivec, + const krb5_data *input, krb5_data *output); + +static const EVP_CIPHER * +map_mode( unsigned int len) +{ + if (len==16) + return EVP_aes_128_cbc(); + if (len==32) + return EVP_aes_256_cbc(); + else + return NULL; +} + +static inline void enc(char *out, const char *in, aes_ctx *ctx) +{ + if (aes_enc_blk((const unsigned char *)in, (unsigned char *)out, ctx) + != aes_good) + abort(); +} +static inline void dec(char *out, const char *in, aes_ctx *ctx) +{ + if (aes_dec_blk((const unsigned char *)in, (unsigned char *)out, ctx) + != aes_good) + abort(); +} +static void xorblock(char *out, const char *in) +{ + int z; + for (z = 0; z < BLOCK_SIZE; z++) + out[z] ^= in[z]; +} + + +static krb5_error_code +cbc_enc(const krb5_keyblock *key, const krb5_data *ivec, + const krb5_data *input, krb5_data *output) +{ + EVP_CIPHER_CTX ciph_ctx; + unsigned char *key_buf = NULL; + unsigned char *tmp_buf = NULL; + int ret = 0, tmp_len = 0; + + key_buf = OPENSSL_malloc(key->length); + if (!key_buf) + return ENOMEM; + tmp_len = input->length; + tmp_buf = OPENSSL_malloc(input->length); + if (!tmp_buf){ + OPENSSL_free(key_buf); + return ENOMEM; + } + memcpy(key_buf, key->contents, key->length); + + EVP_CIPHER_CTX_init(&ciph_ctx); + + if (ivec && ivec->data && (ivec->length <= EVP_MAX_IV_LENGTH)){ + ret = EVP_EncryptInit_ex(&ciph_ctx, map_mode(key->length), + NULL, key_buf, (unsigned char*)ivec->data); + } else { + ret = EVP_EncryptInit_ex(&ciph_ctx, map_mode(key->length), + NULL, key_buf, NULL); + } + + if (ret == 1){ + EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); + ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, + (unsigned char *)input->data, input->length); + + output->length = tmp_len; + if(ret) + ret = EVP_EncryptFinal_ex(&ciph_ctx,tmp_buf+tmp_len,&tmp_len); + } + + EVP_CIPHER_CTX_cleanup(&ciph_ctx); + + if (ret == 1){ + memcpy(output->data, tmp_buf, output->length); + ret = 0; + } else { + ret = KRB5_CRYPTO_INTERNAL; + } + + OPENSSL_free(key_buf); + OPENSSL_free(tmp_buf); + + return ret; +} + +static krb5_error_code +cbc_decr(const krb5_keyblock *key, const krb5_data *ivec, + const krb5_data *input, krb5_data *output) +{ + int ret = 0; + int tmp_len = 0; + unsigned char *key_buf = NULL; + unsigned char *tmp_buf = NULL; + EVP_CIPHER_CTX ciph_ctx; + + + key_buf = OPENSSL_malloc(key->length); + if (!key_buf) + return ENOMEM; + tmp_len = input->length; + tmp_buf = OPENSSL_malloc(input->length); + if (!tmp_buf){ + OPENSSL_free(key_buf); + return ENOMEM; + } + memcpy(key_buf, key->contents, key->length); + + EVP_CIPHER_CTX_init(&ciph_ctx); + + if (ivec && ivec->data && (ivec->length <= EVP_MAX_IV_LENGTH)) { + ret = EVP_DecryptInit_ex(&ciph_ctx, map_mode(key->length), + NULL, key_buf, (unsigned char*)ivec->data); + } else + ret = EVP_DecryptInit_ex(&ciph_ctx, map_mode(key->length), + NULL, key_buf, NULL); + + if (ret == 1) { + EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); + ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, + (unsigned char *)input->data, input->length); + output->length = tmp_len; + if (ret == 1) + ret = EVP_DecryptFinal_ex(&ciph_ctx,tmp_buf+tmp_len,&tmp_len); + } + + EVP_CIPHER_CTX_cleanup(&ciph_ctx); + + if (ret == 1) { + output->length += tmp_len; + memcpy(output->data, tmp_buf, output->length); + ret = 0; + } else { + ret = KRB5_CRYPTO_INTERNAL; + } + + OPENSSL_free(key_buf); + OPENSSL_free(tmp_buf); + + return ret; +} + +static krb5_error_code +cts_enc(const krb5_keyblock *key, const krb5_data *ivec, + const krb5_data *input, krb5_data *output) +{ + size_t size = 0; + int ret = 0, tmp_len = 0; + unsigned char iv_cts[EVP_MAX_IV_LENGTH*4]; + unsigned char *tmp_buf = NULL; + AES_KEY enck; + + memset(iv_cts,0,sizeof(iv_cts)); + if (ivec && ivec->data && (ivec->length <= sizeof(iv_cts))) + memcpy(iv_cts, ivec->data,ivec->length); + + tmp_buf = OPENSSL_malloc(input->length); + if (!tmp_buf) + return ENOMEM; + tmp_len = input->length; + + AES_set_encrypt_key(key->contents, 8*key->length, &enck); + + size = CRYPTO_cts128_encrypt((unsigned char *)input->data, tmp_buf, + input->length, &enck, + iv_cts, (cbc128_f)AES_cbc_encrypt); + + if (size <= 0 || output->length < size) { + ret = KRB5_CRYPTO_INTERNAL; + } else { + output->length = size; + memcpy(output->data, tmp_buf, output->length); + ret = 0; + } + + OPENSSL_free(tmp_buf); + + return ret; +} + +static krb5_error_code +cts_decr(const krb5_keyblock *key, const krb5_data *ivec, + const krb5_data *input, krb5_data *output) +{ + size_t size = 0; + int ret = 0, tmp_len = 0; + unsigned char iv_cts[EVP_MAX_IV_LENGTH*4]; + unsigned char *tmp_buf = NULL; + AES_KEY deck; + + memset(iv_cts,0,EVP_MAX_IV_LENGTH*4); + if (ivec && ivec->data && (ivec->length <= EVP_MAX_IV_LENGTH)) + memcpy(iv_cts, ivec->data,ivec->length); + + tmp_buf = OPENSSL_malloc(input->length); + if (!tmp_buf) + return ENOMEM; + tmp_len = input->length; + + AES_set_decrypt_key(key->contents, 8*key->length, &deck); + + size = CRYPTO_cts128_decrypt((unsigned char *)input->data, tmp_buf, + input->length, &deck, + iv_cts, (cbc128_f)AES_cbc_encrypt); + + + if (size <= 0 || output->length < size) { + ret = KRB5_CRYPTO_INTERNAL; + } else { + output->length = size + 16; + memcpy(output->data, tmp_buf, output->length); + ret = 0; + } + + OPENSSL_free(tmp_buf); + + return ret; +} + +krb5_error_code +krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec, + const krb5_data *input, krb5_data *output) +{ + int ret = 0; + + if ( input->length < BLOCK_SIZE * 2) { + + ret = cbc_enc(key, ivec, input, output); + + } else { + + ret = cts_enc(key, ivec, input, output); + } + + return ret; +} + +krb5_error_code +krb5int_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec, + const krb5_data *input, krb5_data *output) +{ + int ret = 0; + + if ( input->length < BLOCK_SIZE*2) { + + ret = cbc_decr(key, ivec, input, output); + + } else { + + ret = cts_decr(key, ivec, input, output); + + } + + return ret; +} + +static krb5_error_code +krb5int_aes_encrypt_iov(const krb5_keyblock *key, + const krb5_data *ivec, + krb5_crypto_iov *data, + size_t num_data) +{ + aes_ctx ctx; + char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE]; + int nblocks = 0, blockno; + size_t input_length, i; + + if (aes_enc_key(key->contents, key->length, &ctx) != aes_good) + abort(); + + if (ivec != NULL) + memcpy(tmp, ivec->data, BLOCK_SIZE); + else + memset(tmp, 0, BLOCK_SIZE); + + for (i = 0, input_length = 0; i < num_data; i++) { + krb5_crypto_iov *iov = &data[i]; + + if (ENCRYPT_IOV(iov)) + input_length += iov->data.length; + } + + nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; + + assert(nblocks > 1); + + { + char blockN2[BLOCK_SIZE]; /* second last */ + char blockN1[BLOCK_SIZE]; /* last block */ + struct iov_block_state input_pos, output_pos; + + IOV_BLOCK_STATE_INIT(&input_pos); + IOV_BLOCK_STATE_INIT(&output_pos); + + for (blockno = 0; blockno < nblocks - 2; blockno++) { + char blockN[BLOCK_SIZE]; + + krb5int_c_iov_get_block((unsigned char *)blockN, BLOCK_SIZE, data, num_data, &input_pos); + xorblock(tmp, blockN); + enc(tmp2, tmp, &ctx); + krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, BLOCK_SIZE, &output_pos); + + /* Set up for next block. */ + memcpy(tmp, tmp2, BLOCK_SIZE); + } + + /* Do final CTS step for last two blocks (the second of which + may or may not be incomplete). */ + + /* First, get the last two blocks */ + memset(blockN1, 0, sizeof(blockN1)); /* pad last block with zeros */ + krb5int_c_iov_get_block((unsigned char *)blockN2, BLOCK_SIZE, data, num_data, &input_pos); + krb5int_c_iov_get_block((unsigned char *)blockN1, BLOCK_SIZE, data, num_data, &input_pos); + + /* Encrypt second last block */ + xorblock(tmp, blockN2); + enc(tmp2, tmp, &ctx); + memcpy(blockN2, tmp2, BLOCK_SIZE); /* blockN2 now contains first block */ + memcpy(tmp, tmp2, BLOCK_SIZE); + + /* Encrypt last block */ + xorblock(tmp, blockN1); + enc(tmp2, tmp, &ctx); + memcpy(blockN1, tmp2, BLOCK_SIZE); + + /* Put the last two blocks back into the iovec (reverse order) */ + krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN1, BLOCK_SIZE, &output_pos); + krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN2, BLOCK_SIZE, &output_pos); + + if (ivec != NULL) + memcpy(ivec->data, blockN1, BLOCK_SIZE); + } + + return 0; +} + +static krb5_error_code +krb5int_aes_decrypt_iov(const krb5_keyblock *key, + const krb5_data *ivec, + krb5_crypto_iov *data, + size_t num_data) +{ + aes_ctx ctx; + char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE]; + int nblocks = 0, blockno; + unsigned int i; + size_t input_length; + + if (aes_dec_key(key->contents, key->length, &ctx) != aes_good) + abort(); + + if (ivec != NULL) + memcpy(tmp, ivec->data, BLOCK_SIZE); + else + memset(tmp, 0, BLOCK_SIZE); + + for (i = 0, input_length = 0; i < num_data; i++) { + krb5_crypto_iov *iov = &data[i]; + + if (ENCRYPT_IOV(iov)) + input_length += iov->data.length; + } + + nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; + + assert(nblocks > 1); + + { + char blockN2[BLOCK_SIZE]; /* second last */ + char blockN1[BLOCK_SIZE]; /* last block */ + struct iov_block_state input_pos, output_pos; + + IOV_BLOCK_STATE_INIT(&input_pos); + IOV_BLOCK_STATE_INIT(&output_pos); + + for (blockno = 0; blockno < nblocks - 2; blockno++) { + char blockN[BLOCK_SIZE]; + + krb5int_c_iov_get_block((unsigned char *)blockN, BLOCK_SIZE, data, num_data, &input_pos); + dec(tmp2, blockN, &ctx); + xorblock(tmp2, tmp); + krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, BLOCK_SIZE, &output_pos); + memcpy(tmp, blockN, BLOCK_SIZE); + } + + /* Do last two blocks, the second of which (next-to-last block + of plaintext) may be incomplete. */ + + /* First, get the last two encrypted blocks */ + memset(blockN1, 0, sizeof(blockN1)); /* pad last block with zeros */ + krb5int_c_iov_get_block((unsigned char *)blockN2, BLOCK_SIZE, data, num_data, &input_pos); + krb5int_c_iov_get_block((unsigned char *)blockN1, BLOCK_SIZE, data, num_data, &input_pos); + + /* Decrypt second last block */ + dec(tmp2, blockN2, &ctx); + /* Set tmp2 to last (possibly partial) plaintext block, and + save it. */ + xorblock(tmp2, blockN1); + memcpy(blockN2, tmp2, BLOCK_SIZE); + + /* Maybe keep the trailing part, and copy in the last + ciphertext block. */ + input_length %= BLOCK_SIZE; + memcpy(tmp2, blockN1, input_length ? input_length : BLOCK_SIZE); + dec(tmp3, tmp2, &ctx); + xorblock(tmp3, tmp); + /* Copy out ivec first before we clobber blockN1 with plaintext */ + if (ivec != NULL) + memcpy(ivec->data, blockN1, BLOCK_SIZE); + memcpy(blockN1, tmp3, BLOCK_SIZE); + + /* Put the last two blocks back into the iovec */ + krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN1, BLOCK_SIZE, &output_pos); + krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN2, BLOCK_SIZE, &output_pos); + } + + return 0; +} + +static krb5_error_code +krb5int_aes_init_state (const krb5_keyblock *key, krb5_keyusage usage, + krb5_data *state) +{ + state->length = 16; + state->data = (void *) malloc(16); + if (state->data == NULL) + return ENOMEM; + memset(state->data, 0, state->length); + return 0; +} + +const struct krb5_enc_provider krb5int_enc_aes128 = { + 16, + 16, 16, + krb5int_aes_encrypt, + krb5int_aes_decrypt, + krb5int_aes_make_key, + krb5int_aes_init_state, + krb5int_default_free_state, + krb5int_aes_encrypt_iov, + krb5int_aes_decrypt_iov +}; + +const struct krb5_enc_provider krb5int_enc_aes256 = { + 16, + 32, 32, + krb5int_aes_encrypt, + krb5int_aes_decrypt, + krb5int_aes_make_key, + krb5int_aes_init_state, + krb5int_default_free_state, + krb5int_aes_encrypt_iov, + krb5int_aes_decrypt_iov +}; + diff --git a/src/lib/crypto/openssl/enc_provider/des.c b/src/lib/crypto/openssl/enc_provider/des.c index bc4313659b..4965c6e6fa 100644 --- a/src/lib/crypto/openssl/enc_provider/des.c +++ b/src/lib/crypto/openssl/enc_provider/des.c @@ -1,44 +1,73 @@ -/* +/* lib/crypto/openssl/enc_provider/des.c */ #include "k5-int.h" -#include "des_int.h" -#include "enc_provider.h" #include +#include #include +#include "des_int.h" #define DES_BLOCK_SIZE 8 #define DES_KEY_BYTES 7 -#define DES_KEY_LEN 8 + +static krb5_error_code +validate(const krb5_keyblock *key, const krb5_data *ivec, + const krb5_data *input, const krb5_data *output) +{ + /* key->enctype was checked by the caller */ + if (key->length != KRB5_MIT_DES_KEYSIZE) + return(KRB5_BAD_KEYSIZE); + if ((input->length%8) != 0) + return(KRB5_BAD_MSIZE); + if (ivec && (ivec->length != 8)) + return(KRB5_BAD_MSIZE); + if (input->length != output->length) + return(KRB5_BAD_MSIZE); + + return 0; +} + +static krb5_error_code +validate_iov(const krb5_keyblock *key, const krb5_data *ivec, + const krb5_crypto_iov *data, size_t num_data) +{ + size_t i, input_length; + + for (i = 0, input_length = 0; i < num_data; i++) { + const krb5_crypto_iov *iov = &data[i]; + if (ENCRYPT_IOV(iov)) + input_length += iov->data.length; + } + + if (key->length != KRB5_MIT_DES3_KEYSIZE) + return(KRB5_BAD_KEYSIZE); + if ((input_length%DES_BLOCK_SIZE) != 0) + return(KRB5_BAD_MSIZE); + if (ivec && (ivec->length != 8)) + return(KRB5_BAD_MSIZE); + + return 0; +} static krb5_error_code k5_des_encrypt(const krb5_keyblock *key, const krb5_data *ivec, const krb5_data *input, krb5_data *output) { - int ret = 0, tmp_len = 0; - EVP_CIPHER_CTX ciph_ctx; + int ret = 0, tmp_len = 0; + unsigned int tmp_buf_len = 0; unsigned char *keybuf = NULL; unsigned char *tmp_buf = NULL; - unsigned char iv[EVP_MAX_IV_LENGTH]; + EVP_CIPHER_CTX ciph_ctx; - if (key->length != DES_KEY_LEN) - return(KRB5_BAD_KEYSIZE); - if ((input->length%8) != 0) - return(KRB5_BAD_MSIZE); - if (ivec && (ivec->length != 8)) - return(KRB5_BAD_MSIZE); - if (input->length != output->length) - return(KRB5_BAD_MSIZE); + ret = validate(key, ivec, input, output); + if (ret) + return ret; keybuf=key->contents; keybuf[key->length] = '\0'; - if ( ivec && ivec->data ) { - memset(iv,0,sizeof(iv)); - memcpy(iv,ivec->data,ivec->length); - } - - tmp_buf=OPENSSL_malloc(output->length); + tmp_buf_len = output->length*2; + tmp_buf=OPENSSL_malloc(tmp_buf_len); if (!tmp_buf) return ENOMEM; memset(tmp_buf,0,output->length); @@ -46,12 +75,14 @@ k5_des_encrypt(const krb5_keyblock *key, const krb5_data *ivec, EVP_CIPHER_CTX_init(&ciph_ctx); ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL, keybuf, - (ivec && ivec->data) ? iv : NULL); + (ivec) ? (unsigned char*)ivec->data : NULL); if (ret) { EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, (unsigned char *)input->data, input->length); - if (ret) { + if (!ret || output->length < (unsigned int)tmp_len) { + ret = KRB5_CRYPTO_INTERNAL; + } else { output->length = tmp_len; ret = EVP_EncryptFinal_ex(&ciph_ctx, tmp_buf + tmp_len, &tmp_len); } @@ -59,45 +90,35 @@ k5_des_encrypt(const krb5_keyblock *key, const krb5_data *ivec, EVP_CIPHER_CTX_cleanup(&ciph_ctx); - if (ret) + if (ret == 1) memcpy(output->data,tmp_buf, output->length); - memset(tmp_buf,0,output->length); + memset(tmp_buf, 0, tmp_buf_len); OPENSSL_free(tmp_buf); - if (!ret) + if (ret != 1) return KRB5_CRYPTO_INTERNAL; return 0; } + static krb5_error_code k5_des_decrypt(const krb5_keyblock *key, const krb5_data *ivec, const krb5_data *input, krb5_data *output) { /* key->enctype was checked by the caller */ - int ret = 0, tmp_len = 0; - EVP_CIPHER_CTX ciph_ctx; + int ret = 0, tmp_len = 0; unsigned char *keybuf = NULL; unsigned char *tmp_buf; - unsigned char iv[EVP_MAX_IV_LENGTH]; + EVP_CIPHER_CTX ciph_ctx; - if (key->length != DES_KEY_LEN) - return(KRB5_BAD_KEYSIZE); - if ((input->length%8) != 0) - return(KRB5_BAD_MSIZE); - if (ivec && (ivec->length != 8)) - return(KRB5_BAD_MSIZE); - if (input->length != output->length) - return(KRB5_BAD_MSIZE); + ret = validate(key, ivec, input, output); + if (ret) + return ret; keybuf=key->contents; keybuf[key->length] = '\0'; - if ( ivec != NULL && ivec->data ){ - memset(iv,0,sizeof(iv)); - memcpy(iv,ivec->data,ivec->length); - } - tmp_buf=OPENSSL_malloc(output->length); if (!tmp_buf) return ENOMEM; @@ -106,7 +127,7 @@ k5_des_decrypt(const krb5_keyblock *key, const krb5_data *ivec, EVP_CIPHER_CTX_init(&ciph_ctx); ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL, keybuf, - (ivec && ivec->data) ? iv : NULL); + (ivec) ? (unsigned char*)ivec->data : NULL); if (ret) { EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); ret = EVP_DecryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, @@ -119,92 +140,92 @@ k5_des_decrypt(const krb5_keyblock *key, const krb5_data *ivec, EVP_CIPHER_CTX_cleanup(&ciph_ctx); - if (ret) + if (ret == 1) memcpy(output->data,tmp_buf, output->length); - memset(tmp_buf,0,output->length ); + memset(tmp_buf,0,output->length); OPENSSL_free(tmp_buf); - if (!ret) + if ( ret != 1) return KRB5_CRYPTO_INTERNAL; return 0; } -static krb5_error_code -k5_des_make_key(const krb5_data *randombits, krb5_keyblock *key) -{ - if (key->length != DES_KEY_LEN) - return(KRB5_BAD_KEYSIZE); - if (randombits->length != 7) - return(KRB5_CRYPTO_INTERNAL); - - key->magic = KV5M_KEYBLOCK; - - /* take the seven bytes, move them around into the top 7 bits of the - 8 key bytes, then compute the parity bits */ - - memcpy(key->contents, randombits->data, randombits->length); - key->contents[7] = (((key->contents[0]&1)<<1) | ((key->contents[1]&1)<<2) | - ((key->contents[2]&1)<<3) | ((key->contents[3]&1)<<4) | - ((key->contents[4]&1)<<5) | ((key->contents[5]&1)<<6) | - ((key->contents[6]&1)<<7)); - - mit_des_fixup_key_parity(key->contents); - - return(0); -} - static krb5_error_code k5_des_encrypt_iov(const krb5_keyblock *key, const krb5_data *ivec, krb5_crypto_iov *data, size_t num_data) { - int ret = 0, tmp_len = 0; - unsigned int i = 0; + int ret = 0, tmp_len = MIT_DES_BLOCK_LENGTH; + int oblock_len = MIT_DES_BLOCK_LENGTH * num_data; + unsigned char *iblock = NULL, *oblock = NULL; + unsigned char *keybuf = NULL ; + struct iov_block_state input_pos, output_pos; EVP_CIPHER_CTX ciph_ctx; - unsigned char *keybuf = NULL ; - krb5_crypto_iov *iov = NULL; - unsigned char *tmp_buf = NULL; - unsigned char iv[EVP_MAX_IV_LENGTH]; - if (ivec && ivec->data){ - memset(iv,0,sizeof(iv)); - memcpy(iv,ivec->data,ivec->length); - } + iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH); + if (!iblock) + return ENOMEM; + oblock = OPENSSL_malloc(oblock_len); + if (!oblock){ + OPENSSL_free(iblock); + return ENOMEM; + } + + IOV_BLOCK_STATE_INIT(&input_pos); + IOV_BLOCK_STATE_INIT(&output_pos); + + keybuf=key->contents; + keybuf[key->length] = '\0'; + + ret = validate_iov(key, ivec, data, num_data); + if (ret) + return ret; + + memset(oblock, 0, oblock_len); EVP_CIPHER_CTX_init(&ciph_ctx); ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL, - keybuf, (ivec && ivec->data) ? iv : NULL); - if (!ret) + keybuf, (ivec && ivec->data) ? (unsigned char*)ivec->data : NULL); + if (!ret){ + EVP_CIPHER_CTX_cleanup(&ciph_ctx); + OPENSSL_free(iblock); + OPENSSL_free(oblock); return KRB5_CRYPTO_INTERNAL; + } - for (i = 0; i < num_data; i++) { - iov = &data[i]; - if (iov->data.length <= 0) break; - tmp_len = iov->data.length; - - if (ENCRYPT_DATA_IOV(iov)) { - tmp_buf=(unsigned char *)iov->data.data; - ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, - (unsigned char *)iov->data.data, iov->data.length); - if (!ret) break; - iov->data.length = tmp_len; - } + EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); + + for (;;) { + + if (!krb5int_c_iov_get_block(iblock, MIT_DES_BLOCK_LENGTH, data, num_data, &input_pos)) + break; + + if (input_pos.iov_pos == num_data) + break; + + ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &tmp_len, + (unsigned char *)iblock, input_pos.data_pos); + if (!ret) break; + + krb5int_c_iov_put_block(data, num_data, oblock, MIT_DES_BLOCK_LENGTH, &output_pos); } - if(ret) - ret = EVP_EncryptFinal_ex(&ciph_ctx, (unsigned char *)tmp_buf, &tmp_len); - if (ret) - iov->data.length += tmp_len; + if(ret) + ret = EVP_EncryptFinal_ex(&ciph_ctx, oblock+16, &tmp_len); EVP_CIPHER_CTX_cleanup(&ciph_ctx); - if (!ret) + memset(iblock,0,sizeof(iblock)); + memset(oblock,0,sizeof(oblock)); + OPENSSL_free(iblock); + OPENSSL_free(oblock); + + if ( ret != 1) return KRB5_CRYPTO_INTERNAL; return 0; - } static krb5_error_code @@ -213,56 +234,87 @@ k5_des_decrypt_iov(const krb5_keyblock *key, krb5_crypto_iov *data, size_t num_data) { - int ret = 0, tmp_len = 0; - unsigned int i = 0; - EVP_CIPHER_CTX ciph_ctx; - unsigned char *keybuf = NULL ; - krb5_crypto_iov *iov = NULL; - unsigned char *tmp_buf = NULL; - unsigned char iv[EVP_MAX_IV_LENGTH]; + int ret = 0; + int tmp_len = MIT_DES_BLOCK_LENGTH; + int oblock_len = MIT_DES_BLOCK_LENGTH*num_data; + unsigned char *iblock = NULL, *oblock = NULL; + unsigned char *keybuf = NULL; + struct iov_block_state input_pos, output_pos; + EVP_CIPHER_CTX ciph_ctx; + + iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH); + if (!iblock) + return ENOMEM; + oblock = OPENSSL_malloc(oblock_len); + if (!oblock){ + OPENSSL_free(iblock); + return ENOMEM; + } + + IOV_BLOCK_STATE_INIT(&input_pos); + IOV_BLOCK_STATE_INIT(&output_pos); + + keybuf=key->contents; + keybuf[key->length] = '\0'; + + ret = validate_iov(key, ivec, data, num_data); + if (ret) + return ret; + + memset(oblock, 0, oblock_len); - if (ivec && ivec->data){ - memset(iv,0,sizeof(iv)); - memcpy(iv,ivec->data,ivec->length); - } + EVP_CIPHER_CTX_init(&ciph_ctx); ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL, - keybuf, (ivec && ivec->data) ? iv : NULL); - if (!ret) + keybuf, (ivec) ? (unsigned char*)ivec->data : NULL); + if (!ret){ + EVP_CIPHER_CTX_cleanup(&ciph_ctx); + OPENSSL_free(iblock); + OPENSSL_free(oblock); return KRB5_CRYPTO_INTERNAL; + } - for (i = 0; i < num_data; i++) { - iov = &data[i]; - if (iov->data.length <= 0) break; - tmp_len = iov->data.length; - - if (ENCRYPT_DATA_IOV(iov)) { - tmp_buf=(unsigned char *)iov->data.data; - ret = EVP_DecryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, - (unsigned char *)iov->data.data, iov->data.length); - if (!ret) break; - iov->data.length = tmp_len; - } + EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); + + for (;;) { + + if (!krb5int_c_iov_get_block(iblock, MIT_DES_BLOCK_LENGTH, + data, num_data, &input_pos)) + break; + + if (input_pos.iov_pos == num_data) + break; + + ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &tmp_len, + (unsigned char *)iblock, + input_pos.data_pos); + if (!ret) break; + + krb5int_c_iov_put_block(data, num_data, oblock, + MIT_DES_BLOCK_LENGTH, &output_pos); } - if(ret) - ret = EVP_DecryptFinal_ex(&ciph_ctx, (unsigned char *)tmp_buf, &tmp_len); - if (ret) - iov->data.length += tmp_len; + if(ret) + ret = EVP_DecryptFinal_ex(&ciph_ctx, oblock+16, &tmp_len); EVP_CIPHER_CTX_cleanup(&ciph_ctx); - if (!ret) + memset(iblock,0,sizeof(iblock)); + memset(oblock,0,sizeof(oblock)); + OPENSSL_free(iblock); + OPENSSL_free(oblock); + + if (ret != 1) return KRB5_CRYPTO_INTERNAL; return 0; } const struct krb5_enc_provider krb5int_enc_des = { DES_BLOCK_SIZE, - DES_KEY_BYTES, DES_KEY_LEN, + DES_KEY_BYTES, KRB5_MIT_DES_KEYSIZE, k5_des_encrypt, k5_des_decrypt, - k5_des_make_key, + krb5int_des_make_key, krb5int_des_init_state, krb5int_default_free_state, k5_des_encrypt_iov, diff --git a/src/lib/crypto/openssl/enc_provider/des3.c b/src/lib/crypto/openssl/enc_provider/des3.c index 1cc67483df..1dec8e27e2 100644 --- a/src/lib/crypto/openssl/enc_provider/des3.c +++ b/src/lib/crypto/openssl/enc_provider/des3.c @@ -1,25 +1,22 @@ -/* +/* lib/crypto/openssl/enc_provider/des3.c */ #include "k5-int.h" #include "des_int.h" #include +#include #include #define DES_BLOCK_SIZE 8 -#define DES3_KEY_BYTES 21 -#define DES3_KEY_LEN 24 static krb5_error_code validate(const krb5_keyblock *key, const krb5_data *ivec, const krb5_data *input, const krb5_data *output) { - mit_des3_key_schedule schedule; - /* key->enctype was checked by the caller */ - if (key->length != DES3_KEY_LEN) + if (key->length != KRB5_MIT_DES3_KEYSIZE) return(KRB5_BAD_KEYSIZE); if ((input->length%DES_BLOCK_SIZE) != 0) return(KRB5_BAD_MSIZE); @@ -28,13 +25,6 @@ validate(const krb5_keyblock *key, const krb5_data *ivec, if (input->length != output->length) return(KRB5_BAD_MSIZE); - switch (mit_des3_key_sched(*(mit_des3_cblock *)key->contents, - schedule)) { - case -1: - return(KRB5DES_BAD_KEYPAR); - case -2: - return(KRB5DES_WEAK_KEY); - } return 0; } @@ -43,29 +33,20 @@ validate_iov(const krb5_keyblock *key, const krb5_data *ivec, const krb5_crypto_iov *data, size_t num_data) { size_t i, input_length; - mit_des3_key_schedule schedule; for (i = 0, input_length = 0; i < num_data; i++) { const krb5_crypto_iov *iov = &data[i]; - if (ENCRYPT_IOV(iov)) input_length += iov->data.length; } - if (key->length != DES3_KEY_LEN) + if (key->length != KRB5_MIT_DES3_KEYSIZE) return(KRB5_BAD_KEYSIZE); if ((input_length%DES_BLOCK_SIZE) != 0) return(KRB5_BAD_MSIZE); if (ivec && (ivec->length != 8)) return(KRB5_BAD_MSIZE); - switch (mit_des3_key_sched(*(mit_des3_cblock *)key->contents, - schedule)) { - case -1: - return(KRB5DES_BAD_KEYPAR); - case -2: - return(KRB5DES_WEAK_KEY); - } return 0; } @@ -73,12 +54,11 @@ static krb5_error_code k5_des3_encrypt(const krb5_keyblock *key, const krb5_data *ivec, const krb5_data *input, krb5_data *output) { - - int ret = 0, tmp_len = 0; - EVP_CIPHER_CTX ciph_ctx; + int ret = 0, tmp_len = 0; + unsigned int tmp_buf_len = 0; unsigned char *keybuf = NULL; unsigned char *tmp_buf = NULL; - unsigned char iv[EVP_MAX_IV_LENGTH]; + EVP_CIPHER_CTX ciph_ctx; ret = validate(key, ivec, input, output); if (ret) @@ -87,24 +67,22 @@ k5_des3_encrypt(const krb5_keyblock *key, const krb5_data *ivec, keybuf=key->contents; keybuf[key->length] = '\0'; - if (ivec && ivec->data) { - memset(iv,0,sizeof(iv)); - memcpy(iv,ivec->data,ivec->length); - } - - tmp_buf = OPENSSL_malloc(output->length); + tmp_buf_len = output->length * 2; + tmp_buf = OPENSSL_malloc(tmp_buf_len); if (!tmp_buf) return ENOMEM; EVP_CIPHER_CTX_init(&ciph_ctx); ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL, keybuf, - (ivec && ivec->data) ? iv : NULL); + (ivec) ? (unsigned char*)ivec->data : NULL); if (ret) { EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); - ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, + ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, (unsigned char *)input->data, input->length); - if (ret) { + if (!ret || output->length < (unsigned int)tmp_len) { + ret = KRB5_CRYPTO_INTERNAL; + } else { output->length = tmp_len; ret = EVP_EncryptFinal_ex(&ciph_ctx, tmp_buf+tmp_len, &tmp_len); } @@ -112,13 +90,15 @@ k5_des3_encrypt(const krb5_keyblock *key, const krb5_data *ivec, EVP_CIPHER_CTX_cleanup(&ciph_ctx); - if (ret) + if (ret == 1) memcpy(output->data,tmp_buf, output->length); - memset(tmp_buf,0,output->length); + + memset(tmp_buf, 0, tmp_buf_len); OPENSSL_free(tmp_buf); - if (!ret) + if (ret != 1) return KRB5_CRYPTO_INTERNAL; + return 0; } @@ -127,11 +107,11 @@ static krb5_error_code k5_des3_decrypt(const krb5_keyblock *key, const krb5_data *ivec, const krb5_data *input, krb5_data *output) { - int ret = 0, tmp_len = 0; - EVP_CIPHER_CTX ciph_ctx; + int ret = 0, tmp_len = 0; + unsigned int tmp_buf_len = 0; unsigned char *keybuf = NULL; unsigned char *tmp_buf = NULL; - unsigned char iv[EVP_MAX_IV_LENGTH]; + EVP_CIPHER_CTX ciph_ctx; ret = validate(key, ivec, input, output); if (ret) @@ -140,24 +120,22 @@ k5_des3_decrypt(const krb5_keyblock *key, const krb5_data *ivec, keybuf=key->contents; keybuf[key->length] = '\0'; - if (ivec && ivec->data) { - memset(iv,0,sizeof(iv)); - memcpy(iv,ivec->data,ivec->length); - } - - tmp_buf=OPENSSL_malloc(output->length); + tmp_buf_len = output->length; + tmp_buf=OPENSSL_malloc(tmp_buf_len); if (!tmp_buf) return ENOMEM; EVP_CIPHER_CTX_init(&ciph_ctx); ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL, keybuf, - (ivec && ivec->data) ? iv: NULL); + (ivec) ? (unsigned char*)ivec->data: NULL); if (ret) { EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); ret = EVP_DecryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, (unsigned char *)input->data, input->length); - if (ret) { + if (!ret || output->length < (unsigned int)tmp_len) { + ret = KRB5_CRYPTO_INTERNAL; + } else { output->length = tmp_len; ret = EVP_DecryptFinal_ex(&ciph_ctx, tmp_buf+tmp_len, &tmp_len); } @@ -165,185 +143,185 @@ k5_des3_decrypt(const krb5_keyblock *key, const krb5_data *ivec, EVP_CIPHER_CTX_cleanup(&ciph_ctx); - if (ret) + if (ret == 1) memcpy(output->data,tmp_buf, output->length); - memset(tmp_buf,0,output->length); + memset(tmp_buf,0,tmp_buf_len); OPENSSL_free(tmp_buf); - if (!ret) + if (ret != 1) return KRB5_CRYPTO_INTERNAL; return 0; } static krb5_error_code -k5_des3_make_key(const krb5_data *randombits, krb5_keyblock *key) +k5_des3_encrypt_iov(const krb5_keyblock *key, + const krb5_data *ivec, + krb5_crypto_iov *data, + size_t num_data) { - int i; + int ret = 0; + int tmp_len = MIT_DES_BLOCK_LENGTH; + int oblock_len = MIT_DES_BLOCK_LENGTH*num_data; + unsigned char *iblock = NULL, *oblock = NULL; + unsigned char *keybuf = NULL; + struct iov_block_state input_pos, output_pos; + EVP_CIPHER_CTX ciph_ctx; - if (key->length != DES3_KEY_LEN) - return(KRB5_BAD_KEYSIZE); - if (randombits->length != DES3_KEY_BYTES) - return(KRB5_CRYPTO_INTERNAL); + ret = validate_iov(key, ivec, data, num_data); + if (ret) + return ret; - key->magic = KV5M_KEYBLOCK; + iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH); + if (!iblock) + return ENOMEM; + oblock = OPENSSL_malloc(oblock_len); + if (!oblock){ + OPENSSL_free(iblock); + return ENOMEM; + } + + IOV_BLOCK_STATE_INIT(&input_pos); + IOV_BLOCK_STATE_INIT(&output_pos); + + keybuf=key->contents; + keybuf[key->length] = '\0'; - /* take the seven bytes, move them around into the top 7 bits of the - 8 key bytes, then compute the parity bits. Do this three times. */ + memset(oblock, 0, oblock_len); - for (i=0; i<3; i++) { - memcpy(key->contents+i*8, randombits->data+i*7, 7); - key->contents[i*8+7] = (((key->contents[i*8]&1)<<1) | - ((key->contents[i*8+1]&1)<<2) | - ((key->contents[i*8+2]&1)<<3) | - ((key->contents[i*8+3]&1)<<4) | - ((key->contents[i*8+4]&1)<<5) | - ((key->contents[i*8+5]&1)<<6) | - ((key->contents[i*8+6]&1)<<7)); + EVP_CIPHER_CTX_init(&ciph_ctx); - mit_des_fixup_key_parity(key->contents+i*8); + ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL, + keybuf, (ivec) ? (unsigned char*)ivec->data : NULL); + if (!ret){ + EVP_CIPHER_CTX_cleanup(&ciph_ctx); + OPENSSL_free(iblock); + OPENSSL_free(oblock); + return KRB5_CRYPTO_INTERNAL; } - return(0); -} + EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); -static krb5_error_code -validate_and_schedule_iov(const krb5_keyblock *key, const krb5_data *ivec, - const krb5_crypto_iov *data, size_t num_data, - mit_des3_key_schedule *schedule) -{ - size_t i, input_length; + for (;;) { - for (i = 0, input_length = 0; i < num_data; i++) { - const krb5_crypto_iov *iov = &data[i]; + if (!krb5int_c_iov_get_block(iblock, MIT_DES_BLOCK_LENGTH, + data, num_data, &input_pos)) + break; - if (ENCRYPT_IOV(iov)) - input_length += iov->data.length; - } + if (input_pos.iov_pos == num_data) + break; - if (key->length != 24) - return(KRB5_BAD_KEYSIZE); - if ((input_length%8) != 0) - return(KRB5_BAD_MSIZE); - if (ivec && (ivec->length != 8)) - return(KRB5_BAD_MSIZE); - - switch (mit_des3_key_sched(*(mit_des3_cblock *)key->contents, - *schedule)) { - case -1: - return(KRB5DES_BAD_KEYPAR); - case -2: - return(KRB5DES_WEAK_KEY); + ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &tmp_len, + (unsigned char *)iblock, input_pos.data_pos); + if (!ret) break; + + krb5int_c_iov_put_block(data, num_data, + oblock, MIT_DES_BLOCK_LENGTH, &output_pos); } + + if(ret) + ret = EVP_EncryptFinal_ex(&ciph_ctx, oblock+input_pos.data_pos, &tmp_len); + + EVP_CIPHER_CTX_cleanup(&ciph_ctx); + + memset(iblock,0,sizeof(iblock)); + memset(oblock,0,sizeof(oblock)); + OPENSSL_free(iblock); + OPENSSL_free(oblock); + + if (ret != 1) + return KRB5_CRYPTO_INTERNAL; return 0; } static krb5_error_code -k5_des3_encrypt_iov(const krb5_keyblock *key, +k5_des3_decrypt_iov(const krb5_keyblock *key, const krb5_data *ivec, krb5_crypto_iov *data, size_t num_data) { -#if 0 - int ret = 0, tmp_len = 0; - unsigned int i = 0; - EVP_CIPHER_CTX ciph_ctx; - unsigned char *keybuf = NULL ; - krb5_crypto_iov *iov = NULL; - unsigned char *tmp_buf = NULL; - unsigned char iv[EVP_MAX_IV_LENGTH]; + int ret = 0; + int tmp_len = MIT_DES_BLOCK_LENGTH; + int oblock_len = MIT_DES_BLOCK_LENGTH * num_data; + unsigned char *iblock = NULL, *oblock = NULL; + unsigned char *keybuf = NULL ; + struct iov_block_state input_pos, output_pos; + EVP_CIPHER_CTX ciph_ctx; ret = validate_iov(key, ivec, data, num_data); if (ret) - return ret; + return ret; - if (ivec && ivec->data){ - memset(iv,0,sizeof(iv)); - memcpy(iv,ivec->data,ivec->length); + iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH); + if (!iblock) + return ENOMEM; + oblock = OPENSSL_malloc(oblock_len); + if (!oblock){ + OPENSSL_free(iblock); + return ENOMEM; } + IOV_BLOCK_STATE_INIT(&input_pos); + IOV_BLOCK_STATE_INIT(&output_pos); + + keybuf=key->contents; + keybuf[key->length] = '\0'; + + memset(oblock, 0, oblock_len); EVP_CIPHER_CTX_init(&ciph_ctx); - ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL, - keybuf, (ivec && ivec->data) ? iv : NULL); - if (!ret) + ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL, + keybuf, (ivec) ? (unsigned char*)ivec->data : NULL); + if (!ret){ + EVP_CIPHER_CTX_cleanup(&ciph_ctx); + OPENSSL_free(iblock); + OPENSSL_free(oblock); return KRB5_CRYPTO_INTERNAL; - - for (i = 0; i < num_data; i++) { - iov = &data[i]; - if (iov->data.length <= 0) break; - tmp_len = iov->data.length; - - if (ENCRYPT_IOV(iov)) { - tmp_buf=(unsigned char *)iov->data.data; - ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, - (unsigned char *)iov->data.data, iov->data.length); - if (!ret) break; - iov->data.length = tmp_len; - } } - if(ret) - ret = EVP_EncryptFinal_ex(&ciph_ctx, (unsigned char *)tmp_buf, &tmp_len); - - if (ret) - iov->data.length += tmp_len; - - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - if (!ret) - return KRB5_CRYPTO_INTERNAL; - return 0; -#endif + EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); -//#if 0 - mit_des3_key_schedule schedule; - krb5_error_code err; + for (;;) { - err = validate_and_schedule_iov(key, ivec, data, num_data, &schedule); - if (err) - return err; + if (!krb5int_c_iov_get_block(iblock, MIT_DES_BLOCK_LENGTH, + data, num_data, &input_pos)) + break; - /* this has a return value, but the code always returns zero */ - krb5int_des3_cbc_encrypt_iov(data, num_data, - schedule[0], schedule[1], schedule[2], - ivec != NULL ? (unsigned char *) ivec->data : NULL); + if (input_pos.iov_pos == num_data) + break; - zap(schedule, sizeof(schedule)); - return(0); -//#endif -} + ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &tmp_len, + (unsigned char *)iblock, input_pos.data_pos); + if (!ret) break; -static krb5_error_code -k5_des3_decrypt_iov(const krb5_keyblock *key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) -{ - mit_des3_key_schedule schedule; - krb5_error_code err; + krb5int_c_iov_put_block(data, num_data, + oblock, MIT_DES_BLOCK_LENGTH, &output_pos); + } - err = validate_and_schedule_iov(key, ivec, data, num_data, &schedule); - if (err) - return err; + if(ret) + ret = EVP_DecryptFinal_ex(&ciph_ctx, + oblock + input_pos.data_pos, &tmp_len); - /* this has a return value, but the code always returns zero */ - krb5int_des3_cbc_decrypt_iov(data, num_data, - schedule[0], schedule[1], schedule[2], - ivec != NULL ? (unsigned char *) ivec->data : NULL); + EVP_CIPHER_CTX_cleanup(&ciph_ctx); - zap(schedule, sizeof(schedule)); + memset(iblock,0,sizeof(iblock)); + memset(oblock,0,sizeof(oblock)); + OPENSSL_free(iblock); + OPENSSL_free(oblock); - return(0); + if (ret != 1) + return KRB5_CRYPTO_INTERNAL; + return 0; } const struct krb5_enc_provider krb5int_enc_des3 = { DES_BLOCK_SIZE, - DES3_KEY_BYTES, DES3_KEY_LEN, + KRB5_MIT_DES3_KEY_BYTES, KRB5_MIT_DES3_KEYSIZE, k5_des3_encrypt, k5_des3_decrypt, - k5_des3_make_key, + krb5int_des3_make_key, krb5int_des_init_state, krb5int_default_free_state, k5_des3_encrypt_iov, diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c index b82af5247a..ae2f58f406 100644 --- a/src/lib/crypto/openssl/enc_provider/rc4.c +++ b/src/lib/crypto/openssl/enc_provider/rc4.c @@ -1,33 +1,33 @@ -/* arcfour.c +/* lib/crypto/openssl/enc_provider/rc4.c * * #include STD_DISCLAIMER */ #include "k5-int.h" -#include "arcfour-int.h" -#include "enc_provider.h" #include +#include #include #define RC4_KEY_SIZE 16 #define RC4_BLOCK_SIZE 1 /* Interface layer to kerb5 crypto layer */ + +/* prototypes */ static krb5_error_code k5_arcfour_docrypt(const krb5_keyblock *, const krb5_data *, const krb5_data *, krb5_data *); - -/* from a random bitstrem, construct a key */ -static krb5_error_code -k5_arcfour_make_key(const krb5_data *, krb5_keyblock *); - static krb5_error_code k5_arcfour_free_state ( krb5_data *state); static krb5_error_code k5_arcfour_init_state (const krb5_keyblock *key, krb5_keyusage keyusage, krb5_data *new_state); -/* The workhorse of the arcfour system, this impliments the cipher */ +/* The workhorse of the arcfour system, + * this impliments the cipher + */ + +/* In-place rc4 crypto */ static krb5_error_code k5_arcfour_docrypt(const krb5_keyblock *key, const krb5_data *state, const krb5_data *input, krb5_data *output) @@ -47,26 +47,30 @@ k5_arcfour_docrypt(const krb5_keyblock *key, const krb5_data *state, keybuf[key->length] = '\0'; EVP_CIPHER_CTX_init(&ciph_ctx); + ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_rc4(), NULL, keybuf, NULL); if (ret) { tmp_buf=(unsigned char *)output->data; - ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, (unsigned char *)input->data, input->length); + ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, + (unsigned char *)input->data, input->length); output->length = tmp_len; } if (ret) { tmp_buf += tmp_len; ret = EVP_EncryptFinal_ex(&ciph_ctx, tmp_buf, &tmp_len); } + EVP_CIPHER_CTX_cleanup(&ciph_ctx); - output->length += tmp_len; - if (!ret) + if (ret != 1) return KRB5_CRYPTO_INTERNAL; + + output->length += tmp_len; + return 0; } - -/* In-place decryption */ +/* In-place IOV crypto */ static krb5_error_code k5_arcfour_docrypt_iov(const krb5_keyblock *key, const krb5_data *state, @@ -75,10 +79,10 @@ k5_arcfour_docrypt_iov(const krb5_keyblock *key, { size_t i; int ret = 0, tmp_len = 0; - EVP_CIPHER_CTX ciph_ctx; - unsigned char *keybuf = NULL ; - krb5_crypto_iov *iov = NULL; + unsigned char *keybuf = NULL ; unsigned char *tmp_buf = NULL; + krb5_crypto_iov *iov = NULL; + EVP_CIPHER_CTX ciph_ctx; keybuf=key->contents; keybuf[key->length] = '\0'; @@ -86,8 +90,10 @@ k5_arcfour_docrypt_iov(const krb5_keyblock *key, EVP_CIPHER_CTX_init(&ciph_ctx); ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_rc4(), NULL, keybuf, NULL); - if (!ret) - return -1; + if (!ret){ + EVP_CIPHER_CTX_cleanup(&ciph_ctx); + return KRB5_CRYPTO_INTERNAL; + } for (i = 0; i < num_data; i++) { iov = &data[i]; @@ -96,7 +102,7 @@ k5_arcfour_docrypt_iov(const krb5_keyblock *key, if (ENCRYPT_IOV(iov)) { tmp_buf=(unsigned char *)iov->data.data; - ret = EVP_EncryptUpdate(&ciph_ctx, + ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, (unsigned char *)iov->data.data, iov->data.length); if (!ret) break; @@ -105,29 +111,15 @@ k5_arcfour_docrypt_iov(const krb5_keyblock *key, } if(ret) ret = EVP_EncryptFinal_ex(&ciph_ctx, (unsigned char *)tmp_buf, &tmp_len); - if (ret) - iov->data.length += tmp_len; - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - - if (!ret) - return -1; - return 0; -} - -static krb5_error_code -k5_arcfour_make_key(const krb5_data *randombits, krb5_keyblock *key) -{ - if (key->length != RC4_KEY_SIZE) - return(KRB5_BAD_KEYSIZE); - if (randombits->length != RC4_KEY_SIZE) - return(KRB5_CRYPTO_INTERNAL); + EVP_CIPHER_CTX_cleanup(&ciph_ctx); - key->magic = KV5M_KEYBLOCK; + if (ret != 1) + return KRB5_CRYPTO_INTERNAL; - memcpy(key->contents, randombits->data, randombits->length); + iov->data.length += tmp_len; - return(0); + return 0; } static krb5_error_code @@ -158,7 +150,7 @@ const struct krb5_enc_provider krb5int_enc_arcfour = { RC4_KEY_SIZE, RC4_KEY_SIZE, k5_arcfour_docrypt, k5_arcfour_docrypt, - k5_arcfour_make_key, + krb5int_arcfour_make_key, k5_arcfour_init_state, /*xxx not implemented */ k5_arcfour_free_state, /*xxx not implemented */ k5_arcfour_docrypt_iov, diff --git a/src/lib/crypto/openssl/hash_provider/hash_crc32.c b/src/lib/crypto/openssl/hash_provider/hash_crc32.c new file mode 100644 index 0000000000..a3d3028e8f --- /dev/null +++ b/src/lib/crypto/openssl/hash_provider/hash_crc32.c @@ -0,0 +1,56 @@ +/* + * Copyright (C) 1998 by the FundsXpress, INC. + * + * All rights reserved. + * + * Export of this software from the United States of America may require + * a specific license from the United States Government. It is the + * responsibility of any person or organization contemplating export to + * obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of FundsXpress. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. FundsXpress makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + */ + +#include "k5-int.h" +#include "crc-32.h" +#include "hash_provider.h" + +static krb5_error_code +k5_crc32_hash(unsigned int icount, const krb5_data *input, + krb5_data *output) +{ + unsigned long c, cn; + unsigned int i; + + if (output->length != CRC32_CKSUM_LENGTH) + return(KRB5_CRYPTO_INTERNAL); + + c = 0; + for (i=0; idata); + return(0); +} + +const struct krb5_hash_provider krb5int_hash_crc32 = { + "CRC32", + CRC32_CKSUM_LENGTH, + 1, + k5_crc32_hash +}; diff --git a/src/lib/crypto/openssl/hash_provider/hash_md4.c b/src/lib/crypto/openssl/hash_provider/hash_md4.c new file mode 100644 index 0000000000..f507aaaf7d --- /dev/null +++ b/src/lib/crypto/openssl/hash_provider/hash_md4.c @@ -0,0 +1,56 @@ +/* + * Copyright (C) 1998 by the FundsXpress, INC. + * + * All rights reserved. + * + * Export of this software from the United States of America may require + * a specific license from the United States Government. It is the + * responsibility of any person or organization contemplating export to + * obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of FundsXpress. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. FundsXpress makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + */ + +#include "k5-int.h" +#include "rsa-md4.h" +#include "hash_provider.h" + +static krb5_error_code +k5_md4_hash(unsigned int icount, const krb5_data *input, + krb5_data *output) +{ + krb5_MD4_CTX ctx; + unsigned int i; + + if (output->length != RSA_MD4_CKSUM_LENGTH) + return(KRB5_CRYPTO_INTERNAL); + + krb5_MD4Init(&ctx); + for (i=0; idata, ctx.digest, RSA_MD4_CKSUM_LENGTH); + + return(0); +} + +const struct krb5_hash_provider krb5int_hash_md4 = { + "MD4", + RSA_MD4_CKSUM_LENGTH, + 64, + k5_md4_hash +}; diff --git a/src/lib/crypto/openssl/hash_provider/hash_md5.c b/src/lib/crypto/openssl/hash_provider/hash_md5.c new file mode 100644 index 0000000000..a6e380ae2d --- /dev/null +++ b/src/lib/crypto/openssl/hash_provider/hash_md5.c @@ -0,0 +1,56 @@ +/* + * Copyright (C) 1998 by the FundsXpress, INC. + * + * All rights reserved. + * + * Export of this software from the United States of America may require + * a specific license from the United States Government. It is the + * responsibility of any person or organization contemplating export to + * obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of FundsXpress. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. FundsXpress makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + */ + +#include "k5-int.h" +#include "rsa-md5.h" +#include "hash_provider.h" + +static krb5_error_code +k5_md5_hash(unsigned int icount, const krb5_data *input, + krb5_data *output) +{ + krb5_MD5_CTX ctx; + unsigned int i; + + if (output->length != RSA_MD5_CKSUM_LENGTH) + return(KRB5_CRYPTO_INTERNAL); + + krb5_MD5Init(&ctx); + for (i=0; idata, ctx.digest, RSA_MD5_CKSUM_LENGTH); + + return(0); +} + +const struct krb5_hash_provider krb5int_hash_md5 = { + "MD5", + RSA_MD5_CKSUM_LENGTH, + 64, + k5_md5_hash +}; diff --git a/src/lib/crypto/openssl/hash_provider/hash_provider.h b/src/lib/crypto/openssl/hash_provider/hash_provider.h new file mode 100644 index 0000000000..4fa46097db --- /dev/null +++ b/src/lib/crypto/openssl/hash_provider/hash_provider.h @@ -0,0 +1,32 @@ +/* + * Copyright (C) 1998 by the FundsXpress, INC. + * + * All rights reserved. + * + * Export of this software from the United States of America may require + * a specific license from the United States Government. It is the + * responsibility of any person or organization contemplating export to + * obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of FundsXpress. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. FundsXpress makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + */ + +#include "k5-int.h" + +extern const struct krb5_hash_provider krb5int_hash_crc32; +extern const struct krb5_hash_provider krb5int_hash_md4; +extern const struct krb5_hash_provider krb5int_hash_md5; +extern const struct krb5_hash_provider krb5int_hash_sha1; diff --git a/src/lib/crypto/openssl/hash_provider/hash_sha1.c b/src/lib/crypto/openssl/hash_provider/hash_sha1.c new file mode 100644 index 0000000000..d217086e68 --- /dev/null +++ b/src/lib/crypto/openssl/hash_provider/hash_sha1.c @@ -0,0 +1,61 @@ +/* lib/crypto/openssl/hash/yhash.h + * + * Copyright (C) 1998 by the FundsXpress, INC. + * + * All rights reserved. + * + * Export of this software from the United States of America may require + * a specific license from the United States Government. It is the + * responsibility of any person or organization contemplating export to + * obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of FundsXpress. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. FundsXpress makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + */ + +#include "k5-int.h" +#include "shs.h" +#include "hash_provider.h" + +static krb5_error_code +k5_sha1_hash(unsigned int icount, const krb5_data *input, + krb5_data *output) +{ + SHS_INFO ctx; + unsigned int i; + + if (output->length != SHS_DIGESTSIZE) + return(KRB5_CRYPTO_INTERNAL); + + shsInit(&ctx); + for (i=0; i 0 && ctx.digestLen <= output->length){ + output->length = ctx.digestLen; + memcpy(output->data, ctx.digestBuf,ctx.digestLen); + } + + return(0); +} + +const struct krb5_hash_provider krb5int_hash_sha1 = { + "SHA1", + SHS_DIGESTSIZE, + SHS_DATASIZE, + k5_sha1_hash +}; + diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c index a5543c9773..e0c8dec796 100644 --- a/src/lib/crypto/openssl/hmac.c +++ b/src/lib/crypto/openssl/hmac.c @@ -1,4 +1,4 @@ -/* +/* lib/crypto/openssl/hmac.c */ #include "k5-int.h" diff --git a/src/lib/crypto/openssl/sha1/shs.c b/src/lib/crypto/openssl/sha1/shs.c index 9fb60f87c9..fadb228b41 100644 --- a/src/lib/crypto/openssl/sha1/shs.c +++ b/src/lib/crypto/openssl/sha1/shs.c @@ -3,12 +3,19 @@ #include #endif #include +#define h0init 0x67452301L +#define h1init 0xEFCDAB89L +#define h2init 0x98BADCFEL +#define h3init 0x10325476L +#define h4init 0xC3D2E1F0L /* Initialize the SHS values */ void shsInit(SHS_INFO *shsInfo) { EVP_MD_CTX_init(&shsInfo->ossl_sha1_ctx ); EVP_DigestInit_ex(&shsInfo->ossl_sha1_ctx , EVP_sha1(), NULL); + shsInfo->digestLen = 0; + memset(shsInfo->digestBuf, 0 , sizeof(shsInfo->digestBuf)); } /* Update SHS for a block of data */ @@ -22,13 +29,8 @@ void shsUpdate(SHS_INFO *shsInfo, const SHS_BYTE *buffer, unsigned int count) void shsFinal(SHS_INFO *shsInfo) { - unsigned char *digest_buf = NULL; - - digest_buf = (unsigned char *)OPENSSL_malloc( sizeof(shsInfo->digest)); - - EVP_DigestFinal_ex(&shsInfo->ossl_sha1_ctx , digest_buf , &shsInfo->digest_len); - - memcpy(shsInfo->digest, digest_buf, shsInfo->digest_len); - OPENSSL_free(digest_buf); + EVP_DigestFinal_ex(&shsInfo->ossl_sha1_ctx ,(unsigned char *)shsInfo->digestBuf , &shsInfo->digestLen); EVP_MD_CTX_cleanup(&shsInfo->ossl_sha1_ctx ); } + + diff --git a/src/lib/crypto/openssl/sha1/shs.h b/src/lib/crypto/openssl/sha1/shs.h index 66e91b69bb..88ab172875 100644 --- a/src/lib/crypto/openssl/sha1/shs.h +++ b/src/lib/crypto/openssl/sha1/shs.h @@ -23,10 +23,8 @@ typedef krb5_ui_4 SHS_LONG; typedef struct { EVP_MD_CTX ossl_sha1_ctx; - unsigned int digest_len; - SHS_LONG digest[ 5 ]; /* Message digest */ - SHS_LONG countLo, countHi; /* 64-bit bit count */ - SHS_LONG data[ 16 ]; /* SHS data buffer */ + unsigned char digestBuf[SHS_DIGESTSIZE]; /* output */ + unsigned int digestLen; /* output */ } SHS_INFO; /* Message digest functions (shs.c) */ diff --git a/src/lib/crypto/openssl/yhash.h b/src/lib/crypto/openssl/yhash.h new file mode 100644 index 0000000000..94c557c64b --- /dev/null +++ b/src/lib/crypto/openssl/yhash.h @@ -0,0 +1,30 @@ +/* -*- Mode: C; c-file-style: "bsd" -*- */ +/* lib/crypto/openssl/hash/yhash.h + */ + +#ifndef YHASH_H +#define YHASH_H + +/* hash function interface */ + +/* default to SHA1 for yarrow 160 */ + +#include "shs.h" + + +#define HASH_CTX SHS_INFO +#define HASH_Init(x) shsInit(x) +#define HASH_Update(x, buf, sz) shsUpdate(x, (const void*)buf, sz) + +#define HASH_Final(x, tdigest) do { \ + int loopvar; \ + unsigned char *out2 = (void *)(tdigest); \ + HASH_CTX *ctx = (x); \ + shsFinal(ctx); \ + memcpy(out2, ctx->digestBuf, ctx->digestLen); \ + } while(0) + +#define HASH_DIGEST_SIZE SHS_DIGESTSIZE + +#endif /* YHASH_H */ + diff --git a/src/lib/gssapi/krb5/deps b/src/lib/gssapi/krb5/deps index b2a19f9560..616821ed34 100644 --- a/src/lib/gssapi/krb5/deps +++ b/src/lib/gssapi/krb5/deps @@ -477,6 +477,20 @@ rel_name.so rel_name.po $(OUTPRE)rel_name.$(OBJEXT): \ $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \ ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \ gssapi_krb5.h rel_name.c +s4u_gss_glue.so s4u_gss_glue.po $(OUTPRE)s4u_gss_glue.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ + $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ + $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ + $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ + $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \ + $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \ + ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \ + gssapi_krb5.h s4u_gss_glue.c seal.so seal.po $(OUTPRE)seal.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c index d7acd52b78..351bead8a2 100644 --- a/src/lib/gssapi/krb5/gssapi_krb5.c +++ b/src/lib/gssapi/krb5/gssapi_krb5.c @@ -403,7 +403,9 @@ krb5_gss_inquire_cred_by_oid(OM_uint32 *minor_status, { OM_uint32 major_status = GSS_S_FAILURE; krb5_gss_cred_id_t cred; +#if 0 size_t i; +#endif if (minor_status == NULL) return GSS_S_CALL_INACCESSIBLE_WRITE; diff --git a/src/lib/gssapi/mechglue/deps b/src/lib/gssapi/mechglue/deps index c54fae9f27..034ef18a2c 100644 --- a/src/lib/gssapi/mechglue/deps +++ b/src/lib/gssapi/mechglue/deps @@ -17,6 +17,14 @@ g_acquire_cred.so g_acquire_cred.po $(OUTPRE)g_acquire_cred.$(OBJEXT): \ $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \ ../generic/gssapi_err_generic.h g_acquire_cred.c mechglue.h \ mglueP.h +g_acquire_cred_imp_name.so g_acquire_cred_imp_name.po \ + $(OUTPRE)g_acquire_cred_imp_name.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \ + $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-platform.h \ + $(SRCTOP)/include/k5-thread.h $(srcdir)/../generic/gssapiP_generic.h \ + $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \ + ../generic/gssapi_err_generic.h g_acquire_cred_imp_name.c \ + mechglue.h mglueP.h g_buffer_set.so g_buffer_set.po $(OUTPRE)g_buffer_set.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ $(BUILDTOP)/include/gssapi/gssapi_ext.h $(COM_ERR_DEPS) \ diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c index 5c5cdc8cc9..1a60f52f4a 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c @@ -226,7 +226,7 @@ kadm5_create_principal_3(void *server_handle, return KADM5_BAD_MASK; if((mask & ~ALL_PRINC_MASK)) return KADM5_BAD_MASK; - if (entry == (kadm5_principal_ent_t) NULL || password == NULL) + if (entry == NULL) return EINVAL; /* @@ -260,11 +260,14 @@ kadm5_create_principal_3(void *server_handle, return ret; } } - if ((ret = passwd_check(handle, password, (mask & KADM5_POLICY), - &polent, entry->principal))) { - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return ret; + if (password) { + ret = passwd_check(handle, password, (mask & KADM5_POLICY), + &polent, entry->principal); + if (ret) { + if (mask & KADM5_POLICY) + (void) kadm5_free_policy_ent(handle->lhandle, &polent); + return ret; + } } /* * Start populating the various DB fields, using the @@ -360,12 +363,20 @@ kadm5_create_principal_3(void *server_handle, return (ret); } - if ((ret = krb5_dbe_cpw(handle->context, act_mkey, - n_ks_tuple?ks_tuple:handle->params.keysalts, - n_ks_tuple?n_ks_tuple:handle->params.num_keysalts, - password, - (mask & KADM5_KVNO)?entry->kvno:1, - FALSE, &kdb))) { + if (password) { + ret = krb5_dbe_cpw(handle->context, act_mkey, + n_ks_tuple?ks_tuple:handle->params.keysalts, + n_ks_tuple?n_ks_tuple:handle->params.num_keysalts, + password, (mask & KADM5_KVNO)?entry->kvno:1, + FALSE, &kdb); + } else { + /* Null password means create with random key (new in 1.8). */ + ret = krb5_dbe_crk(handle->context, &master_keyblock, + n_ks_tuple?ks_tuple:handle->params.keysalts, + n_ks_tuple?n_ks_tuple:handle->params.num_keysalts, + FALSE, &kdb); + } + if (ret) { krb5_db_free_principal(handle->context, &kdb, 1); if (mask & KADM5_POLICY) (void) kadm5_free_policy_ent(handle->lhandle, &polent); diff --git a/src/lib/kadm5/unit-test/api.2/crte-principal.exp b/src/lib/kadm5/unit-test/api.2/crte-principal.exp index 8a84af2710..8a604d0a6e 100644 --- a/src/lib/kadm5/unit-test/api.2/crte-principal.exp +++ b/src/lib/kadm5/unit-test/api.2/crte-principal.exp @@ -54,10 +54,10 @@ proc test3 {} { perror "$test: unexpected failure in init" return } - one_line_fail_test [format { + one_line_succeed_test [format { kadm5_create_principal $server_handle [simple_principal "%s/a"] \ {KADM5_PRINCIPAL} null - } $test] "EINVAL" + } $test] if { ! [cmd {kadm5_destroy $server_handle}]} { perror "$test: unexpected failure in destroy" return diff --git a/src/lib/krb5/krb/deps b/src/lib/krb5/krb/deps index ddbbb6e5ab..786c71a775 100644 --- a/src/lib/krb5/krb/deps +++ b/src/lib/krb5/krb/deps @@ -667,6 +667,16 @@ recvauth.so recvauth.po $(OUTPRE)recvauth.$(OBJEXT): \ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h auth_con.h recvauth.c +s4u_creds.so s4u_creds.po $(OUTPRE)s4u_creds.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ + $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ + $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ + $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h int-proto.h s4u_creds.c sendauth.so sendauth.po $(OUTPRE)sendauth.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ diff --git a/src/lib/krb5/krb/fast.c b/src/lib/krb5/krb/fast.c index ef57e6d832..381173d5c8 100644 --- a/src/lib/krb5/krb/fast.c +++ b/src/lib/krb5/krb/fast.c @@ -484,7 +484,6 @@ krb5_error_code krb5int_fast_reply_key(krb5_context context, krb5_error_code krb5int_fast_make_state( krb5_context context, struct krb5int_fast_request_state **state) { - krb5_error_code retval = 0; struct krb5int_fast_request_state *local_state ; local_state = malloc(sizeof *local_state); if (local_state == NULL) diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c index dad3e1a917..88148d772f 100644 --- a/src/lib/krb5/krb/get_creds.c +++ b/src/lib/krb5/krb/get_creds.c @@ -46,10 +46,16 @@ #include "k5-int.h" #include "int-proto.h" +/* + * Set *mcreds and *fields to a matching credential and field set for + * use with krb5_cc_retrieve_cred, based on a set of input credentials + * and options. The fields of *mcreds will be aliased to the fields + * of in_creds, so the contents of *mcreds should not be freed. + */ krb5_error_code -krb5_get_credentials_core(krb5_context context, krb5_flags options, - krb5_creds *in_creds, krb5_creds *mcreds, - krb5_flags *fields) +krb5int_construct_matching_creds(krb5_context context, krb5_flags options, + krb5_creds *in_creds, krb5_creds *mcreds, + krb5_flags *fields) { if (!in_creds || !in_creds->server || !in_creds->client) return EINVAL; @@ -77,7 +83,7 @@ krb5_get_credentials_core(krb5_context context, krb5_flags options, int i; *fields |= KRB5_TC_MATCH_KTYPE; - ret = krb5_get_tgs_ktypes (context, mcreds->server, &ktypes); + ret = krb5_get_tgs_ktypes(context, mcreds->server, &ktypes); for (i = 0; ktypes[i]; i++) if (ktypes[i] == mcreds->keyblock.enctype) break; @@ -109,52 +115,46 @@ krb5_get_credentials(krb5_context context, krb5_flags options, krb5_creds **out_creds) { krb5_error_code retval; - krb5_creds mcreds; - krb5_creds *ncreds; - krb5_creds **tgts; + krb5_creds mcreds, *ncreds, **tgts, **tgts_iter; krb5_flags fields; - int not_ktype; + krb5_boolean not_ktype = FALSE; int kdcopt = 0; + *out_creds = NULL; + + /* + * See if we already have the ticket cached. To do this usefully + * for constrained delegation, we would need to look inside + * second_ticket, which we can't do. + */ if ((options & KRB5_GC_CONSTRAINED_DELEGATION) == 0) { - retval = krb5_get_credentials_core(context, options, - in_creds, - &mcreds, &fields); + retval = krb5int_construct_matching_creds(context, options, in_creds, + &mcreds, &fields); if (retval) return retval; - if ((ncreds = (krb5_creds *)malloc(sizeof(krb5_creds))) == NULL) + ncreds = malloc(sizeof(krb5_creds)); + if (!ncreds) return ENOMEM; memset(ncreds, 0, sizeof(krb5_creds)); ncreds->magic = KV5M_CREDS; - /* The caller is now responsible for cleaning up in_creds */ - if ((retval = krb5_cc_retrieve_cred(context, ccache, fields, &mcreds, - ncreds))) { - free(ncreds); - ncreds = in_creds; - } else { + retval = krb5_cc_retrieve_cred(context, ccache, fields, &mcreds, + ncreds); + if (retval == 0) { *out_creds = ncreds; + return 0; } - } else { - /* - * To do this usefully for constrained delegation, we would - * need to look inside second_ticket, which we can't do. - */ - ncreds = in_creds; - retval = KRB5_CC_NOTFOUND; - } - - if ((retval != KRB5_CC_NOTFOUND && retval != KRB5_CC_NOT_KTYPE) - || options & KRB5_GC_CACHED) - return retval; - - if (retval == KRB5_CC_NOT_KTYPE) - not_ktype = 1; - else - not_ktype = 0; + free(ncreds); + ncreds = NULL; + if ((retval != KRB5_CC_NOTFOUND && retval != KRB5_CC_NOT_KTYPE) + || options & KRB5_GC_CACHED) + return retval; + not_ktype = (retval == KRB5_CC_NOT_KTYPE); + } else if (options & KRB5_GC_CACHED) + return KRB5_CC_NOTFOUND; if (options & KRB5_GC_CANONICALIZE) kdcopt |= KDC_OPT_CANONICALIZE; @@ -168,27 +168,15 @@ krb5_get_credentials(krb5_context context, krb5_flags options, kdcopt |= KDC_OPT_FORWARDABLE | KDC_OPT_CNAME_IN_ADDL_TKT; } - retval = krb5_get_cred_from_kdc_opt(context, ccache, ncreds, - out_creds, &tgts, kdcopt); + retval = krb5_get_cred_from_kdc_opt(context, ccache, in_creds, + &ncreds, &tgts, kdcopt); if (tgts) { - register int i = 0; - krb5_error_code rv2; - while (tgts[i]) { - if ((rv2 = krb5_cc_store_cred(context, ccache, tgts[i]))) { - retval = rv2; - break; - } - i++; - } + /* Attempt to cache intermediate ticket-granting tickets. */ + for (tgts_iter = tgts; *tgts_iter; tgts_iter++) + (void) krb5_cc_store_cred(context, ccache, *tgts_iter); krb5_free_tgt_creds(context, tgts); } - if (!retval && (options & KRB5_GC_CONSTRAINED_DELEGATION)) { - if (((*out_creds)->ticket_flags & TKT_FLG_FORWARDABLE) == 0) { - retval = KRB5_TKT_NOT_FORWARDABLE; - krb5_free_creds(context, *out_creds); - *out_creds = NULL; - } - } + /* * Translate KRB5_CC_NOTFOUND if we previously got * KRB5_CC_NOT_KTYPE from krb5_cc_retrieve_cred(), in order to @@ -202,19 +190,23 @@ krb5_get_credentials(krb5_context context, krb5_flags options, */ if ((retval == KRB5_CC_NOTFOUND || retval == KRB5_CC_NOT_KTYPE) && not_ktype) - retval = KRB5_CC_NOT_KTYPE; - - if (!retval && (options & KRB5_GC_NO_STORE) == 0) { - /* the purpose of the krb5_get_credentials call is to - * obtain a set of credentials for the caller. the - * krb5_cc_store_cred() call is to optimize performance - * for future calls. Ignore any errors, since the credentials - * are still valid even if we fail to store them in the cache. - */ - krb5_cc_store_cred(context, ccache, *out_creds); + return KRB5_CC_NOT_KTYPE; + else if (retval) + return retval; + + if ((options & KRB5_GC_CONSTRAINED_DELEGATION) + && (ncreds->ticket_flags & TKT_FLG_FORWARDABLE) == 0) { + /* This ticket won't work for constrained delegation. */ + krb5_free_creds(context, ncreds); + return KRB5_TKT_NOT_FORWARDABLE; } - return retval; + /* Attempt to cache the returned ticket. */ + if (!(options & KRB5_GC_NO_STORE)) + (void) krb5_cc_store_cred(context, ccache, ncreds); + + *out_creds = ncreds; + return 0; } #define INT_GC_VALIDATE 1 diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h index 03b541fb5b..724e18bf8b 100644 --- a/src/lib/krb5/krb/int-proto.h +++ b/src/lib/krb5/krb/int-proto.h @@ -61,9 +61,9 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds ***tgts, int kdcopt); krb5_error_code -krb5_get_credentials_core(krb5_context context, krb5_flags options, - krb5_creds *in_creds, krb5_creds *mcreds, - krb5_flags *fields); +krb5int_construct_matching_creds(krb5_context context, krb5_flags options, + krb5_creds *in_creds, krb5_creds *mcreds, + krb5_flags *fields); #define in_clock_skew(date, now) (labs((date)-(now)) < context->clockskew) diff --git a/src/lib/krb5/krb/kfree.c b/src/lib/krb5/krb/kfree.c index 0995b30221..801eed0da7 100644 --- a/src/lib/krb5/krb/kfree.c +++ b/src/lib/krb5/krb/kfree.c @@ -450,8 +450,6 @@ void KRB5_CALLCONV krb5_free_passwd_phrase_element(krb5_context context, passwd_phrase_element *val) { - register passwd_phrase_element **temp; - if (val == NULL) return; krb5_free_data(context, val->passwd); diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c index eec35a6672..883d33cc77 100644 --- a/src/lib/krb5/krb/s4u_creds.c +++ b/src/lib/krb5/krb/s4u_creds.c @@ -207,13 +207,10 @@ build_pa_for_user(krb5_context context, krb5_data *for_user_data = NULL; char package[] = "Kerberos"; - memset(&for_user, 0, sizeof(for_user)); - - if (userid->user == NULL) { - code = EINVAL; - goto cleanup; - } + if (userid->user == NULL) + return EINVAL; + memset(&for_user, 0, sizeof(for_user)); for_user.user = userid->user; for_user.auth_package.data = package; for_user.auth_package.length = sizeof(package) - 1; @@ -769,8 +766,8 @@ krb5_get_credentials_for_proxy(krb5_context context, goto cleanup; } - code = krb5_get_credentials_core(context, options, in_creds, - &mcreds, &fields); + code = krb5int_construct_matching_creds(context, options, in_creds, + &mcreds, &fields); if (code != 0) goto cleanup; diff --git a/src/plugins/kdb/db2/libdb2/Makefile.in b/src/plugins/kdb/db2/libdb2/Makefile.in index f3a5f4963d..536d31ca9e 100644 --- a/src/plugins/kdb/db2/libdb2/Makefile.in +++ b/src/plugins/kdb/db2/libdb2/Makefile.in @@ -21,7 +21,7 @@ SHLIB_DIRS=-L$(TOPLIBD) SHLIB_RDIRS=$(KRB5_LIBDIR) all-unix:: includes all-libs -all-prerecurse: $(HDRS) +all-prerecurse depend-prerecurse: $(HDRS) clean-unix:: clean-libs clean-includes includes:: $(HDRS) diff --git a/src/plugins/preauth/pkinit/deps b/src/plugins/preauth/pkinit/deps index 68af306ff6..8600c2b243 100644 --- a/src/plugins/preauth/pkinit/deps +++ b/src/plugins/preauth/pkinit/deps @@ -13,8 +13,10 @@ pkinit_accessor.so pkinit_accessor.po $(OUTPRE)pkinit_accessor.$(OBJEXT): \ $(SRCTOP)/include/socket-utils.h pkinit_accessor.c \ pkinit_accessor.h pkinit_srv.so pkinit_srv.po $(OUTPRE)pkinit_srv.$(OBJEXT): \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \ + $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(srcdir)/../fast_factor.h \ pkcs11.h pkinit.h pkinit_accessor.h pkinit_crypto.h \ pkinit_srv.c pkinit_lib.so pkinit_lib.po $(OUTPRE)pkinit_lib.$(OBJEXT): \ @@ -24,8 +26,10 @@ pkinit_lib.so pkinit_lib.po $(OUTPRE)pkinit_lib.$(OBJEXT): \ $(SRCTOP)/include/krb5/preauth_plugin.h pkcs11.h pkinit.h \ pkinit_accessor.h pkinit_crypto.h pkinit_lib.c pkinit_clnt.so pkinit_clnt.po $(OUTPRE)pkinit_clnt.$(OBJEXT): \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \ + $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(srcdir)/../fast_factor.h \ pkcs11.h pkinit.h pkinit_accessor.h pkinit_clnt.c pkinit_crypto.h pkinit_profile.so pkinit_profile.po $(OUTPRE)pkinit_profile.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ diff --git a/src/tests/asn.1/Makefile.in b/src/tests/asn.1/Makefile.in index 605e90293c..766cbb5957 100644 --- a/src/tests/asn.1/Makefile.in +++ b/src/tests/asn.1/Makefile.in @@ -78,7 +78,7 @@ check-encode-trval: krb5_encode_test expected_trval.out install:: clean:: - rm -f *~ *.o krb5_encode_test krb5_decode_test test.out trval t_trval expected_encode.out expected_trval.out trval.out + rm -f *~ *.o krb5_encode_test krb5_decode_test krb5_decode_leak test.out trval t_trval expected_encode.out expected_trval.out trval.out ################ Dependencies ################ diff --git a/src/tests/dejagnu/krb-standalone/kadmin.exp b/src/tests/dejagnu/krb-standalone/kadmin.exp index 3ec5103dbb..1eac9e339c 100644 --- a/src/tests/dejagnu/krb-standalone/kadmin.exp +++ b/src/tests/dejagnu/krb-standalone/kadmin.exp @@ -269,8 +269,8 @@ proc kadmin_cpw { pname password } { send "adminpass$KEY\r" } - expect "Enter password for principal \"$pname\":" { send "$password\r" } - expect "Re-enter password for principal \"$pname\":" { send "$password\r" } + expect "Enter password for principal \"$pname@$REALMNAME\":" { send "$password\r" } + expect "Re-enter password for principal \"$pname@$REALMNAME\":" { send "$password\r" } # When in doubt, jam one of these in there. expect "\r" expect "Password for \"$pname@$REALMNAME\" changed." diff --git a/src/tests/gssapi/deps b/src/tests/gssapi/deps index bdce1a3c5f..e1a3eb0d93 100644 --- a/src/tests/gssapi/deps +++ b/src/tests/gssapi/deps @@ -3,3 +3,7 @@ # $(OUTPRE)t_imp_name.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ $(BUILDTOP)/include/gssapi/gssapi_generic.h t_imp_name.c +$(OUTPRE)t_s4u.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ + $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ + $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/krb5.h \ + t_s4u.c diff --git a/src/util/ss/deps b/src/util/ss/deps index 8bbd6aabc3..265edb484e 100644 --- a/src/util/ss/deps +++ b/src/util/ss/deps @@ -59,7 +59,7 @@ utils.so utils.po $(OUTPRE)utils.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ utils.c options.so options.po $(OUTPRE)options.$(OBJEXT): $(BUILDTOP)/include/ss/ss_err.h \ $(COM_ERR_DEPS) copyright.h options.c ss.h -cmd_tbl.lex.o: cmd_tbl.lex.c ct.tab.h +cmd_tbl.lex.o: cmd_tbl.lex.c ct.tab.o: $(BUILDTOP)/include/ss/ss_err.h $(COM_ERR_DEPS) \ ct.tab.c ss.h ss_err.so ss_err.po $(OUTPRE)ss_err.$(OBJEXT): $(COM_ERR_DEPS) \ diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in index c890a8c69d..88ac6811f3 100644 --- a/src/util/support/Makefile.in +++ b/src/util/support/Makefile.in @@ -102,7 +102,8 @@ SRCS=\ $(srcdir)/strlcpy.c \ $(srcdir)/printf.c \ $(srcdir)/mkstemp.c \ - $(srcdir)/t_k5buf.c + $(srcdir)/t_k5buf.c \ + $(srcdir)/t_unal.c SHLIB_EXPDEPS = # Add -lm if dumping thread stats, for sqrt. @@ -153,13 +154,17 @@ T_K5BUF_OBJS= t_k5buf.o k5buf.o $(PRINTF_ST_OBJ) t_k5buf: $(T_K5BUF_OBJS) $(CC_LINK) -o t_k5buf $(T_K5BUF_OBJS) -TEST_PROGS= t_k5buf +t_unal: t_unal.o + $(CC_LINK) -o t_unal t_unal.o + +TEST_PROGS= t_k5buf t_unal check-unix:: $(TEST_PROGS) ./t_k5buf + ./t_unal clean:: - $(RM) t_k5buf.o t_k5buf + $(RM) t_k5buf.o t_k5buf t_unal.o t_unal @lib_frag@ @libobj_frag@ diff --git a/src/util/support/deps b/src/util/support/deps index c75af76417..39af00ca9b 100644 --- a/src/util/support/deps +++ b/src/util/support/deps @@ -44,3 +44,6 @@ mkstemp.so mkstemp.po $(OUTPRE)mkstemp.$(OBJEXT): $(BUILDTOP)/include/autoconf.h t_k5buf.so t_k5buf.po $(OUTPRE)t_k5buf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-thread.h k5buf-int.h t_k5buf.c +t_unal.so t_unal.po $(OUTPRE)t_unal.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ + t_unal.c diff --git a/src/util/support/t_unal.c b/src/util/support/t_unal.c new file mode 100644 index 0000000000..d9a3cc4b0f --- /dev/null +++ b/src/util/support/t_unal.c @@ -0,0 +1,46 @@ +#undef NDEBUG +#include +#include "k5-platform.h" + +int main () +{ + /* Test some low-level assumptions the Kerberos code depends + on. */ + + union { + UINT64_TYPE n64; + uint32_t n32; + uint16_t n16; + unsigned char b[9]; + } u; + static unsigned char buf[9] = { 0, 1, 2, 3, 4, 5, 6, 7, 8 }; + + assert(load_64_be(buf+1) == 0x0102030405060708LL); + assert(load_64_le(buf+1) == 0x0807060504030201LL); + assert(load_32_le(buf+2) == 0x05040302); + assert(load_32_be(buf+2) == 0x02030405); + assert(load_16_be(buf+3) == 0x0304); + assert(load_16_le(buf+3) == 0x0403); + u.b[0] = 0; + assert((store_64_be(0x0102030405060708LL, u.b+1), !memcmp(buf, u.b, 9))); + u.b[1] = 9; + assert((store_64_le(0x0807060504030201LL, u.b+1), !memcmp(buf, u.b, 9))); + u.b[2] = 10; + assert((store_32_be(0x02030405, u.b+2), !memcmp(buf, u.b, 9))); + u.b[3] = 11; + assert((store_32_le(0x05040302, u.b+2), !memcmp(buf, u.b, 9))); + u.b[4] = 12; + assert((store_16_be(0x0304, u.b+3), !memcmp(buf, u.b, 9))); + u.b[4] = 13; + assert((store_16_le(0x0403, u.b+3), !memcmp(buf, u.b, 9))); + /* Verify that load_*_n properly does native format. Assume + the unaligned thing is okay. */ + u.n64 = 0x090a0b0c0d0e0f00LL; + assert(load_64_n((unsigned char *) &u.n64) == 0x090a0b0c0d0e0f00LL); + u.n32 = 0x06070809; + assert(load_32_n((unsigned char *) &u.n32) == 0x06070809); + u.n16 = 0x0a0b; + assert(load_16_n((unsigned char *) &u.n16) == 0x0a0b); + + return 0; +}