Diffstat (limited to 'crypto/heimdal/lib/krb5')
-rw-r--r-- | crypto/heimdal/lib/krb5/crypto.c | 741 | ||||
-rw-r--r-- | crypto/heimdal/lib/krb5/krb5_locl.h | 8 |
2 files changed, 255 insertions, 494 deletions
diff --git a/crypto/heimdal/lib/krb5/crypto.c b/crypto/heimdal/lib/krb5/crypto.c index 186b384..d49138a 100644 --- a/crypto/heimdal/lib/krb5/crypto.c +++ b/crypto/heimdal/lib/krb5/crypto.c @@ -32,7 +32,8 @@ */ #include "krb5_locl.h" -RCSID("$Id: crypto.c,v 1.50 2001/05/14 06:14:45 assar Exp $"); +RCSID("$Id: crypto.c,v 1.29 2000/01/25 23:06:55 assar Exp $"); +/* RCSID("$FreeBSD$"); */ #undef CRYPTO_DEBUG #ifdef CRYPTO_DEBUG @@ -112,11 +113,10 @@ struct encryption_type { size_t blocksize; size_t confoundersize; struct key_type *keytype; - struct checksum_type *checksum; + struct checksum_type *cksumtype; struct checksum_type *keyed_checksum; unsigned flags; - krb5_error_code (*encrypt)(krb5_context context, - struct key_data *key, + krb5_error_code (*encrypt)(struct key_data *key, void *data, size_t len, krb5_boolean encrypt, int usage, @@ -169,10 +169,8 @@ DES_string_to_key(krb5_context context, len = password.length + salt.saltvalue.length + 1; s = malloc(len); - if(s == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); + if(s == NULL) return ENOMEM; - } memcpy(s, password.data, password.length); memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length); s[len - 1] = '\0'; @@ -338,10 +336,8 @@ DES3_string_to_key(krb5_context context, len = password.length + salt.saltvalue.length; str = malloc(len); - if(len != 0 && str == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); + if(len != 0 && str == NULL) return ENOMEM; - } memcpy(str, password.data, password.length); memcpy(str + password.length, salt.saltvalue.data, salt.saltvalue.length); { 
@@ -392,10 +388,8 @@ DES3_string_to_key_derived(krb5_context context, char *s; s = malloc(len); - if(len != 0 && s == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); + if(len != 0 && s == NULL) return ENOMEM; - } memcpy(s, password.data, password.length); memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length); ret = krb5_string_to_key_derived(context, @@ -440,10 +434,8 @@ ARCFOUR_string_to_key(krb5_context context, len = 2 * password.length; s = malloc (len); - if (len != 0 && s == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); + if (len != 0 && s == NULL) return ENOMEM; - } for (p = s, i = 0; i < password.length; ++i) { *p++ = ((char *)password.data)[i]; *p++ = 0; @@ -588,22 +580,16 @@ krb5_salttype_to_string (krb5_context context, struct salt_type *st; e = _find_enctype (etype); - if (e == NULL) { - krb5_set_error_string(context, "encryption type %d not supported", - etype); + if (e == NULL) return KRB5_PROG_ETYPE_NOSUPP; - } for (st = e->keytype->string_to_key; st && st->type; st++) { if (st->type == stype) { *string = strdup (st->name); - if (*string == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); + if (*string == NULL) return ENOMEM; - } return 0; } } - krb5_set_error_string(context, "salttype %d not supported", stype); return HEIM_ERR_SALTTYPE_NOSUPP; } @@ -617,18 +603,14 @@ krb5_string_to_salttype (krb5_context context, struct salt_type *st; e = _find_enctype (etype); - if (e == NULL) { - krb5_set_error_string(context, "encryption type %d not supported", - etype); + if (e == NULL) return KRB5_PROG_ETYPE_NOSUPP; - } for (st = e->keytype->string_to_key; st && st->type; st++) { if (strcasecmp (st->name, string) == 0) { *salttype = st->type; return 0; } } - krb5_set_error_string(context, "salttype %s not supported", string); return HEIM_ERR_SALTTYPE_NOSUPP; } 
@@ -714,16 +696,11 @@ krb5_string_to_key_data_salt (krb5_context context, { struct encryption_type *et =_find_enctype(enctype); struct salt_type *st; - if(et == NULL) { - krb5_set_error_string(context, "encryption type %d not supported", - enctype); + if(et == NULL) return KRB5_PROG_ETYPE_NOSUPP; - } for(st = et->keytype->string_to_key; st && st->type; st++) if(st->type == salt.salttype) return (*st->string_to_key)(context, enctype, password, salt, key); - krb5_set_error_string(context, "salt type %d not supported", - salt.salttype); return HEIM_ERR_SALTTYPE_NOSUPP; } @@ -752,15 +729,11 @@ krb5_keytype_to_string(krb5_context context, char **string) { struct key_type *kt = _find_keytype(keytype); - if(kt == NULL) { - krb5_set_error_string(context, "key type %d not supported", keytype); + if(kt == NULL) return KRB5_PROG_KEYTYPE_NOSUPP; - } *string = strdup(kt->name); - if(*string == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); + if(*string == NULL) return ENOMEM; - } return 0; } @@ -775,7 +748,6 @@ krb5_string_to_keytype(krb5_context context, *keytype = keytypes[i]->type; return 0; } - krb5_set_error_string(context, "key type %s not supported", string); return KRB5_PROG_KEYTYPE_NOSUPP; } @@ -786,11 +758,8 @@ krb5_generate_random_keyblock(krb5_context context, { krb5_error_code ret; struct encryption_type *et = _find_enctype(type); - if(et == NULL) { - krb5_set_error_string(context, "encryption type %d not supported", - type); + if(et == NULL) return KRB5_PROG_ETYPE_NOSUPP; - } ret = krb5_data_alloc(&key->keyvalue, et->keytype->size); if(ret) return ret; @@ -816,10 +785,8 @@ _key_schedule(krb5_context context, if (key->schedule != NULL) return 0; ALLOC(key->schedule, 1); - if(key->schedule == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); + if(key->schedule == NULL) return ENOMEM; - } ret = krb5_data_alloc(key->schedule, kt->schedule_size); if(ret) { free(key->schedule); 
@@ -928,10 +895,8 @@ RSA_MD4_DES_verify(krb5_context context, MD4_Update (&md4, tmp, 8); /* confounder */ MD4_Update (&md4, data, len); MD4_Final (res, &md4); - if(memcmp(res, tmp + 8, sizeof(res)) != 0) { - krb5_clear_error_string (context); + if(memcmp(res, tmp + 8, sizeof(res)) != 0) ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; - } memset(tmp, 0, sizeof(tmp)); memset(res, 0, sizeof(res)); return ret; @@ -1004,10 +969,8 @@ RSA_MD5_DES_verify(krb5_context context, MD5_Update (&md5, tmp, 8); /* confounder */ MD5_Update (&md5, data, len); MD5_Final (res, &md5); - if(memcmp(res, tmp + 8, sizeof(res)) != 0) { - krb5_clear_error_string (context); + if(memcmp(res, tmp + 8, sizeof(res)) != 0) ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; - } memset(tmp, 0, sizeof(tmp)); memset(res, 0, sizeof(res)); return ret; @@ -1066,10 +1029,8 @@ RSA_MD5_DES3_verify(krb5_context context, MD5_Update (&md5, tmp, 8); /* confounder */ MD5_Update (&md5, data, len); MD5_Final (res, &md5); - if(memcmp(res, tmp + 8, sizeof(res)) != 0) { - krb5_clear_error_string (context); + if(memcmp(res, tmp + 8, sizeof(res)) != 0) ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; - } memset(tmp, 0, sizeof(tmp)); memset(res, 0, sizeof(res)); return ret; @@ -1397,10 +1358,8 @@ get_checksum_key(krb5_context context, int i; *key = _new_derived_key(crypto, 0xff/* KRB5_KU_RFC1510_VARIANT */); - if(*key == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); + if(*key == NULL) return ENOMEM; - } ret = krb5_copy_keyblock(context, crypto->key.key, &(*key)->key); if(ret) return ret; @@ -1428,10 +1387,8 @@ do_checksum (krb5_context context, int keyed_checksum; keyed_checksum = (ct->flags & F_KEYED) != 0; - if(keyed_checksum && crypto == NULL) { - krb5_clear_error_string (context); + if(keyed_checksum && crypto == NULL) return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */ - } if(keyed_checksum) { ret = get_checksum_key(context, crypto, usage, ct, &dkey); if (ret) 
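Review bot: The checksum comparison in RSA_MD4_DES_verify, `memcmp(res, tmp + 8, sizeof(res)) != 0`, stops at the first differing byte, so its running time depends on how much of the received checksum matches. For an integrity check over data that arrives from the network, a fixed-time comparison is the safer form: XOR each byte pair into an accumulator over all `sizeof(res)` bytes and test the accumulator once at the end. The same pattern appears in RSA_MD5_DES_verify and RSA_MD5_DES3_verify in the next two hunks, in verify_checksum (`memcmp(c.checksum.data, cksum->checksum.data, c.checksum.length)`), and in ARCFOUR_subdecrypt (`memcmp (cksum.checksum.data, data, 16)`). All of these function bodies start outside their hunks.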
@@ -1447,42 +1404,36 @@ do_checksum (krb5_context context, static krb5_error_code create_checksum(krb5_context context, krb5_crypto crypto, - krb5_key_usage usage, /* not krb5_key_usage */ - krb5_cksumtype type, /* 0 -> pick from crypto */ + unsigned usage, /* not krb5_key_usage */ + krb5_cksumtype type, /* if crypto == NULL */ void *data, size_t len, Checksum *result) { - struct checksum_type *ct = NULL; + struct checksum_type *ct; - if (type) { - ct = _find_checksum(type); - } else if (crypto) { + if(crypto) { ct = crypto->et->keyed_checksum; - if (ct == NULL) - ct = crypto->et->checksum; - } - - if(ct == NULL) { - krb5_set_error_string (context, "checksum type %d not supported", - type); + if(ct == NULL) + ct = crypto->et->cksumtype; + } else + ct = _find_checksum(type); + if(ct == NULL) return KRB5_PROG_SUMTYPE_NOSUPP; - } return do_checksum (context, ct, crypto, usage, data, len, result); } krb5_error_code krb5_create_checksum(krb5_context context, krb5_crypto crypto, - krb5_key_usage usage, - int type, + unsigned usage_or_type, void *data, size_t len, Checksum *result) { return create_checksum(context, crypto, - CHECKSUM_USAGE(usage), - type, data, len, result); + CHECKSUM_USAGE(usage_or_type), + usage_or_type, data, len, result); } static krb5_error_code 
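Review bot: `krb5_create_checksum` now takes a single `unsigned usage_or_type` and passes it both as `CHECKSUM_USAGE(usage_or_type)` and as the checksum type, but nothing at the definition says which meaning applies when. From `create_checksum` in the same hunk, the type argument is consulted only when `crypto` is NULL and is ignored otherwise, so a caller holding a crypto handle can no longer select a checksum type. A header comment on the public function would make this explicit, for example `/* usage_or_type: key usage when crypto != NULL, checksum type when crypto == NULL */`.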
@@ -1500,20 +1451,13 @@ verify_checksum(krb5_context context, struct checksum_type *ct; ct = _find_checksum(cksum->cksumtype); - if(ct == NULL) { - krb5_set_error_string (context, "checksum type %d not supported", - cksum->cksumtype); + if(ct == NULL) return KRB5_PROG_SUMTYPE_NOSUPP; - } - if(ct->checksumsize != cksum->checksum.length) { - krb5_clear_error_string (context); + if(ct->checksumsize != cksum->checksum.length) return KRB5KRB_AP_ERR_BAD_INTEGRITY; /* XXX */ - } keyed_checksum = (ct->flags & F_KEYED) != 0; - if(keyed_checksum && crypto == NULL) { - krb5_clear_error_string (context); + if(keyed_checksum && crypto == NULL) return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */ - } if(keyed_checksum) ret = get_checksum_key(context, crypto, usage, ct, &dkey); else @@ -1528,12 +1472,10 @@ verify_checksum(krb5_context context, (*ct->checksum)(context, dkey, data, len, usage, &c); if(c.checksum.length != cksum->checksum.length || - memcmp(c.checksum.data, cksum->checksum.data, c.checksum.length)) { - krb5_clear_error_string (context); + memcmp(c.checksum.data, cksum->checksum.data, c.checksum.length)) ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; - } else { + else ret = 0; - } krb5_data_free (&c.checksum); return ret; } @@ -1556,11 +1498,8 @@ krb5_checksumsize(krb5_context context, size_t *size) { struct checksum_type *ct = _find_checksum(type); - if(ct == NULL) { - krb5_set_error_string (context, "checksum type %d not supported", - type); + if(ct == NULL) return KRB5_PROG_SUMTYPE_NOSUPP; - } *size = ct->checksumsize; return 0; } @@ -1570,11 +1509,8 @@ krb5_checksum_is_keyed(krb5_context context, krb5_cksumtype type) { struct checksum_type *ct = _find_checksum(type); - if(ct == NULL) { - krb5_set_error_string (context, "checksum type %d not supported", - type); + if(ct == NULL) return KRB5_PROG_SUMTYPE_NOSUPP; - } return ct->flags & F_KEYED; } 
@@ -1583,11 +1519,8 @@ krb5_checksum_is_collision_proof(krb5_context context, krb5_cksumtype type) { struct checksum_type *ct = _find_checksum(type); - if(ct == NULL) { - krb5_set_error_string (context, "checksum type %d not supported", - type); + if(ct == NULL) return KRB5_PROG_SUMTYPE_NOSUPP; - } return ct->flags & F_CPROOF; } @@ -1596,8 +1529,7 @@ krb5_checksum_is_collision_proof(krb5_context context, ************************************************************/ static krb5_error_code -NULL_encrypt(krb5_context context, - struct key_data *key, +NULL_encrypt(struct key_data *key, void *data, size_t len, krb5_boolean encrypt, @@ -1608,8 +1540,7 @@ NULL_encrypt(krb5_context context, } static krb5_error_code -DES_CBC_encrypt_null_ivec(krb5_context context, - struct key_data *key, +DES_CBC_encrypt_null_ivec(struct key_data *key, void *data, size_t len, krb5_boolean encrypt, @@ -1624,8 +1555,7 @@ DES_CBC_encrypt_null_ivec(krb5_context context, } static krb5_error_code -DES_CBC_encrypt_key_ivec(krb5_context context, - struct key_data *key, +DES_CBC_encrypt_key_ivec(struct key_data *key, void *data, size_t len, krb5_boolean encrypt, @@ -1640,8 +1570,7 @@ DES_CBC_encrypt_key_ivec(krb5_context context, } static krb5_error_code -DES3_CBC_encrypt(krb5_context context, - struct key_data *key, +DES3_CBC_encrypt(struct key_data *key, void *data, size_t len, krb5_boolean encrypt, @@ -1656,8 +1585,7 @@ DES3_CBC_encrypt(krb5_context context, } static krb5_error_code -DES3_CBC_encrypt_ivec(krb5_context context, - struct key_data *key, +DES3_CBC_encrypt_ivec(struct key_data *key, void *data, size_t len, krb5_boolean encrypt, @@ -1671,8 +1599,7 @@ DES3_CBC_encrypt_ivec(krb5_context context, } static krb5_error_code -DES_CFB64_encrypt_null_ivec(krb5_context context, - struct key_data *key, +DES_CFB64_encrypt_null_ivec(struct key_data *key, void *data, size_t len, krb5_boolean encrypt, 
@@ -1689,8 +1616,7 @@ DES_CFB64_encrypt_null_ivec(krb5_context context, } static krb5_error_code -DES_PCBC_encrypt_key_ivec(krb5_context context, - struct key_data *key, +DES_PCBC_encrypt_key_ivec(struct key_data *key, void *data, size_t len, krb5_boolean encrypt, @@ -1712,8 +1638,7 @@ DES_PCBC_encrypt_key_ivec(krb5_context context, */ static krb5_error_code -ARCFOUR_subencrypt(krb5_context context, - struct key_data *key, +ARCFOUR_subencrypt(struct key_data *key, void *data, size_t len, int usage, @@ -1768,8 +1693,7 @@ ARCFOUR_subencrypt(krb5_context context, } static krb5_error_code -ARCFOUR_subdecrypt(krb5_context context, - struct key_data *key, +ARCFOUR_subdecrypt(struct key_data *key, void *data, size_t len, int usage, @@ -1823,12 +1747,10 @@ ARCFOUR_subdecrypt(krb5_context context, memset (k2_c_data, 0, sizeof(k2_c_data)); memset (k3_c_data, 0, sizeof(k3_c_data)); - if (memcmp (cksum.checksum.data, data, 16) != 0) { - krb5_clear_error_string (context); + if (memcmp (cksum.checksum.data, data, 16) != 0) return KRB5KRB_AP_ERR_BAD_INTEGRITY; - } else { + else return 0; - } } /* @@ -1878,8 +1800,7 @@ usage2arcfour (int usage) } static krb5_error_code -ARCFOUR_encrypt(krb5_context context, - struct key_data *key, +ARCFOUR_encrypt(struct key_data *key, void *data, size_t len, krb5_boolean encrypt, @@ -1889,9 +1810,9 @@ ARCFOUR_encrypt(krb5_context context, usage = usage2arcfour (usage); if (encrypt) - return ARCFOUR_subencrypt (context, key, data, len, usage, ivec); + return ARCFOUR_subencrypt (key, data, len, usage, ivec); else - return ARCFOUR_subdecrypt (context, key, data, len, usage, ivec); + return ARCFOUR_subdecrypt (key, data, len, usage, ivec); } 
@@ -1899,164 +1820,150 @@ ARCFOUR_encrypt(krb5_context context, * these should currently be in reverse preference order. * (only relevant for !F_PSEUDO) */ -static struct encryption_type enctype_null = { - ETYPE_NULL, - "null", - 1, - 0, - &keytype_null, - &checksum_none, - NULL, - 0, - NULL_encrypt, -}; -static struct encryption_type enctype_des_cbc_crc = { - ETYPE_DES_CBC_CRC, - "des-cbc-crc", - 8, - 8, - &keytype_des, - &checksum_crc32, - NULL, - 0, - DES_CBC_encrypt_key_ivec, -}; -static struct encryption_type enctype_des_cbc_md4 = { - ETYPE_DES_CBC_MD4, - "des-cbc-md4", - 8, - 8, - &keytype_des, - &checksum_rsa_md4, - &checksum_rsa_md4_des, - 0, - DES_CBC_encrypt_null_ivec, -}; -static struct encryption_type enctype_des_cbc_md5 = { - ETYPE_DES_CBC_MD5, - "des-cbc-md5", - 8, - 8, - &keytype_des, - &checksum_rsa_md5, - &checksum_rsa_md5_des, - 0, - DES_CBC_encrypt_null_ivec, -}; -static struct encryption_type enctype_arcfour_hmac_md5 = { - ETYPE_ARCFOUR_HMAC_MD5, - "arcfour-hmac-md5", - 1, - 8, - &keytype_arcfour, - &checksum_hmac_md5_enc, - &checksum_hmac_md5_enc, - F_SPECIAL, - ARCFOUR_encrypt -}; -static struct encryption_type enctype_des3_cbc_md5 = { - ETYPE_DES3_CBC_MD5, - "des3-cbc-md5", - 8, - 8, - &keytype_des3, - &checksum_rsa_md5, - &checksum_rsa_md5_des3, - 0, - DES3_CBC_encrypt, -}; -static struct encryption_type enctype_des3_cbc_sha1 = { - ETYPE_DES3_CBC_SHA1, - "des3-cbc-sha1", - 8, - 8, - &keytype_des3_derived, - &checksum_sha1, - &checksum_hmac_sha1_des3, - F_DERIVED, - DES3_CBC_encrypt, -}; -static struct encryption_type enctype_old_des3_cbc_sha1 = { - ETYPE_OLD_DES3_CBC_SHA1, - "old-des3-cbc-sha1", - 8, - 8, - &keytype_des3, - &checksum_sha1, - &checksum_hmac_sha1_des3, - 0, - DES3_CBC_encrypt, -}; -static struct encryption_type enctype_des_cbc_none = { - ETYPE_DES_CBC_NONE, - "des-cbc-none", - 8, - 0, - &keytype_des, - &checksum_none, - NULL, - F_PSEUDO, - DES_CBC_encrypt_null_ivec, -}; -static struct encryption_type enctype_des_cfb64_none = { 
- ETYPE_DES_CFB64_NONE, - "des-cfb64-none", - 1, - 0, - &keytype_des, - &checksum_none, - NULL, - F_PSEUDO, - DES_CFB64_encrypt_null_ivec, -}; -static struct encryption_type enctype_des_pcbc_none = { - ETYPE_DES_PCBC_NONE, - "des-pcbc-none", - 8, - 0, - &keytype_des, - &checksum_none, - NULL, - F_PSEUDO, - DES_PCBC_encrypt_key_ivec, -}; -static struct encryption_type enctype_des3_cbc_none = { - ETYPE_DES3_CBC_NONE, - "des3-cbc-none", - 8, - 0, - &keytype_des3_derived, - &checksum_none, - NULL, - F_PSEUDO, - DES3_CBC_encrypt, -}; -static struct encryption_type enctype_des3_cbc_none_ivec = { - ETYPE_DES3_CBC_NONE_IVEC, - "des3-cbc-none-ivec", - 8, - 0, - &keytype_des3_derived, - &checksum_none, - NULL, - F_PSEUDO, - DES3_CBC_encrypt_ivec, -}; - -static struct encryption_type *etypes[] = { - &enctype_null, - &enctype_des_cbc_crc, - &enctype_des_cbc_md4, - &enctype_des_cbc_md5, - &enctype_arcfour_hmac_md5, - &enctype_des3_cbc_md5, - &enctype_des3_cbc_sha1, - &enctype_old_des3_cbc_sha1, - &enctype_des_cbc_none, - &enctype_des_cfb64_none, - &enctype_des_pcbc_none, - &enctype_des3_cbc_none, - &enctype_des3_cbc_none_ivec +static struct encryption_type etypes[] = { + { + ETYPE_NULL, + "null", + 1, + 0, + &keytype_null, + &checksum_none, + NULL, + 0, + NULL_encrypt, + }, + { + ETYPE_DES_CBC_CRC, + "des-cbc-crc", + 8, + 8, + &keytype_des, + &checksum_crc32, + NULL, + 0, + DES_CBC_encrypt_key_ivec, + }, + { + ETYPE_DES_CBC_MD4, + "des-cbc-md4", + 8, + 8, + &keytype_des, + &checksum_rsa_md4, + &checksum_rsa_md4_des, + 0, + DES_CBC_encrypt_null_ivec, + }, + { + ETYPE_DES_CBC_MD5, + "des-cbc-md5", + 8, + 8, + &keytype_des, + &checksum_rsa_md5, + &checksum_rsa_md5_des, + 0, + DES_CBC_encrypt_null_ivec, + }, + { + ETYPE_ARCFOUR_HMAC_MD5, + "arcfour-hmac-md5", + 1, + 8, + &keytype_arcfour, + &checksum_hmac_md5_enc, + &checksum_hmac_md5_enc, + F_SPECIAL, + ARCFOUR_encrypt + }, + { + ETYPE_DES3_CBC_MD5, + "des3-cbc-md5", + 8, + 8, + &keytype_des3, + &checksum_rsa_md5, + 
&checksum_rsa_md5_des3, + 0, + DES3_CBC_encrypt, + }, + { + ETYPE_DES3_CBC_SHA1, + "des3-cbc-sha1", + 8, + 8, + &keytype_des3_derived, + &checksum_sha1, + &checksum_hmac_sha1_des3, + F_DERIVED, + DES3_CBC_encrypt, + }, + { + ETYPE_OLD_DES3_CBC_SHA1, + "old-des3-cbc-sha1", + 8, + 8, + &keytype_des3, + &checksum_sha1, + &checksum_hmac_sha1_des3, + 0, + DES3_CBC_encrypt, + }, + { + ETYPE_DES_CBC_NONE, + "des-cbc-none", + 8, + 0, + &keytype_des, + &checksum_none, + NULL, + F_PSEUDO, + DES_CBC_encrypt_null_ivec, + }, + { + ETYPE_DES_CFB64_NONE, + "des-cfb64-none", + 1, + 0, + &keytype_des, + &checksum_none, + NULL, + F_PSEUDO, + DES_CFB64_encrypt_null_ivec, + }, + { + ETYPE_DES_PCBC_NONE, + "des-pcbc-none", + 8, + 0, + &keytype_des, + &checksum_none, + NULL, + F_PSEUDO, + DES_PCBC_encrypt_key_ivec, + }, + { + ETYPE_DES3_CBC_NONE, + "des3-cbc-none", + 8, + 0, + &keytype_des3_derived, + &checksum_none, + NULL, + F_PSEUDO, + DES3_CBC_encrypt, + }, + { + ETYPE_DES3_CBC_NONE_IVEC, + "des3-cbc-none-ivec", + 8, + 0, + &keytype_des3_derived, + &checksum_none, + NULL, + F_PSEUDO, + DES3_CBC_encrypt_ivec, + } }; static unsigned num_etypes = sizeof(etypes) / sizeof(etypes[0]); @@ -2067,8 +1974,8 @@ _find_enctype(krb5_enctype type) { int i; for(i = 0; i < num_etypes; i++) - if(etypes[i]->type == type) - return etypes[i]; + if(etypes[i].type == type) + return &etypes[i]; return NULL; } @@ -2080,16 +1987,11 @@ krb5_enctype_to_string(krb5_context context, { struct encryption_type *e; e = _find_enctype(etype); - if(e == NULL) { - krb5_set_error_string (context, "encryption type %d not supported", - etype); + if(e == NULL) return KRB5_PROG_ETYPE_NOSUPP; - } *string = strdup(e->name); - if(*string == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); + if(*string == NULL) return ENOMEM; - } return 0; } 
@@ -2100,12 +2002,10 @@ krb5_string_to_enctype(krb5_context context, { int i; for(i = 0; i < num_etypes; i++) - if(strcasecmp(etypes[i]->name, string) == 0){ - *etype = etypes[i]->type; + if(strcasecmp(etypes[i].name, string) == 0){ + *etype = etypes[i].type; return 0; } - krb5_set_error_string (context, "encryption type %s not supported", - string); return KRB5_PROG_ETYPE_NOSUPP; } @@ -2115,11 +2015,8 @@ krb5_enctype_to_keytype(krb5_context context, krb5_keytype *keytype) { struct encryption_type *e = _find_enctype(etype); - if(e == NULL) { - krb5_set_error_string (context, "encryption type %d not supported", - etype); + if(e == NULL) return KRB5_PROG_ETYPE_NOSUPP; - } *keytype = e->keytype->type; /* XXX */ return 0; } @@ -2150,20 +2047,18 @@ krb5_keytype_to_enctypes (krb5_context context, int *ret; for (i = num_etypes - 1; i >= 0; --i) { - if (etypes[i]->keytype->type == keytype - && !(etypes[i]->flags & F_PSEUDO)) + if (etypes[i].keytype->type == keytype + && !(etypes[i].flags & F_PSEUDO)) ++n; } ret = malloc(n * sizeof(int)); - if (ret == NULL && n != 0) { - krb5_set_error_string(context, "malloc: out of memory"); + if (ret == NULL && n != 0) return ENOMEM; - } n = 0; for (i = num_etypes - 1; i >= 0; --i) { - if (etypes[i]->keytype->type == keytype - && !(etypes[i]->flags & F_PSEUDO)) - ret[n++] = etypes[i]->type; + if (etypes[i].keytype->type == keytype + && !(etypes[i].flags & F_PSEUDO)) + ret[n++] = etypes[i].type; } *len = n; *val = ret; @@ -2190,10 +2085,8 @@ krb5_keytype_to_enctypes_default (krb5_context context, for (n = 0; context->etypes_des[n]; ++n) ; ret = malloc (n * sizeof(*ret)); - if (ret == NULL && n != 0) { - krb5_set_error_string(context, "malloc: out of memory"); + if (ret == NULL && n != 0) return ENOMEM; - } for (i = 0; i < n; ++i) ret[i] = context->etypes_des[i]; *len = n; 
@@ -2268,13 +2161,12 @@ encrypt_internal_derived(krb5_context context, ret = create_checksum(context, crypto, INTEGRITY_USAGE(usage), - et->keyed_checksum->type, + 0, p, block_sz, &cksum); if(ret == 0 && cksum.checksum.length != checksum_sz) { free_Checksum (&cksum); - krb5_clear_error_string (context); ret = KRB5_CRYPTO_INTERNAL; } if(ret) { @@ -2299,7 +2191,7 @@ encrypt_internal_derived(krb5_context context, #ifdef CRYPTO_DEBUG krb5_crypto_debug(context, 1, block_sz, dkey->key); #endif - (*et->encrypt)(context, dkey, p, block_sz, 1, usage, ivec); + (*et->encrypt)(dkey, p, block_sz, 1, usage, ivec); result->data = p; result->length = block_sz + checksum_sz; return 0; @@ -2319,15 +2211,13 @@ encrypt_internal(krb5_context context, krb5_error_code ret; struct encryption_type *et = crypto->et; - checksum_sz = CHECKSUMSIZE(et->checksum); + checksum_sz = CHECKSUMSIZE(et->cksumtype); sz = et->confoundersize + checksum_sz + len; block_sz = (sz + et->blocksize - 1) &~ (et->blocksize - 1); /* pad */ p = calloc(1, block_sz); - if(p == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); + if(p == NULL) return ENOMEM; - } q = p; krb5_generate_random_block(q, et->confoundersize); /* XXX */ @@ -2337,14 +2227,14 @@ encrypt_internal(krb5_context context, memcpy(q, data, len); ret = create_checksum(context, - crypto, + NULL, 0, - et->checksum->type, + CHECKSUMTYPE(et->cksumtype), p, block_sz, &cksum); if(ret == 0 && cksum.checksum.length != checksum_sz) { - krb5_clear_error_string (context); + free_Checksum (&cksum); ret = KRB5_CRYPTO_INTERNAL; } if(ret) { @@ -2364,7 +2254,7 @@ encrypt_internal(krb5_context context, #ifdef CRYPTO_DEBUG krb5_crypto_debug(context, 1, block_sz, crypto->key.key); #endif - (*et->encrypt)(context, &crypto->key, p, block_sz, 1, 0, ivec); + (*et->encrypt)(&crypto->key, p, block_sz, 1, 0, ivec); result->data = p; result->length = block_sz; return 0; 
@@ -2380,22 +2270,20 @@ encrypt_internal_special(krb5_context context, void *ivec) { struct encryption_type *et = crypto->et; - size_t cksum_sz = CHECKSUMSIZE(et->checksum); + size_t cksum_sz = CHECKSUMSIZE(et->cksumtype); size_t sz = len + cksum_sz + et->confoundersize; char *tmp, *p; tmp = malloc (sz); - if (tmp == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); + if (tmp == NULL) return ENOMEM; - } p = tmp; memset (p, 0, cksum_sz); p += cksum_sz; krb5_generate_random_block(p, et->confoundersize); p += et->confoundersize; memcpy (p, data, len); - (*et->encrypt)(context, &crypto->key, tmp, sz, TRUE, usage, ivec); + (*et->encrypt)(&crypto->key, tmp, sz, TRUE, usage, ivec); result->data = tmp; result->length = sz; return 0; @@ -2419,16 +2307,12 @@ decrypt_internal_derived(krb5_context context, unsigned long l; checksum_sz = CHECKSUMSIZE(et->keyed_checksum); - if (len < checksum_sz) { - krb5_clear_error_string (context); - return EINVAL; /* XXX - better error code? */ - } + if (len < checksum_sz) + return EINVAL; /* better error code? */ p = malloc(len); - if(len != 0 && p == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); + if(len != 0 && p == NULL) return ENOMEM; - } memcpy(p, data, len); len -= checksum_sz; @@ -2446,7 +2330,7 @@ decrypt_internal_derived(krb5_context context, #ifdef CRYPTO_DEBUG krb5_crypto_debug(context, 0, len, dkey->key); #endif - (*et->encrypt)(context, dkey, p, len, 0, usage, ivec); + (*et->encrypt)(dkey, p, len, 0, usage, ivec); cksum.checksum.data = p + len; cksum.checksum.length = checksum_sz; @@ -2465,9 +2349,8 @@ decrypt_internal_derived(krb5_context context, l = len - et->confoundersize; memmove(p, p + et->confoundersize, l); result->data = realloc(p, l); - if(result->data == NULL) { + if(p == NULL) { free(p); - krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } result->length = l; 
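Review bot: The allocation check after `result->data = realloc(p, l);` in decrypt_internal_derived now tests the wrong pointer: `if(p == NULL)`. `p` is the old pointer and realloc does not modify it, so a failed realloc goes unnoticed and the function goes on to set `result->length = l` with `result->data == NULL`. The test belongs on the return value, as decrypt_internal in this file does: `if(result->data == NULL) { free(p); return ENOMEM; }`. Separately, `l = len - et->confoundersize` is computed after only `len < checksum_sz` was rejected in the earlier hunk; unless a check outside the visible lines covers it, input shorter than the confounder makes `l` wrap before the memmove.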
@@ -2488,12 +2371,10 @@ decrypt_internal(krb5_context context, size_t checksum_sz, l; struct encryption_type *et = crypto->et; - checksum_sz = CHECKSUMSIZE(et->checksum); + checksum_sz = CHECKSUMSIZE(et->cksumtype); p = malloc(len); - if(len != 0 && p == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); + if(len != 0 && p == NULL) return ENOMEM; - } memcpy(p, data, len); ret = _key_schedule(context, &crypto->key); @@ -2504,14 +2385,14 @@ decrypt_internal(krb5_context context, #ifdef CRYPTO_DEBUG krb5_crypto_debug(context, 0, len, crypto->key.key); #endif - (*et->encrypt)(context, &crypto->key, p, len, 0, 0, ivec); + (*et->encrypt)(&crypto->key, p, len, 0, 0, ivec); ret = krb5_data_copy(&cksum.checksum, p + et->confoundersize, checksum_sz); if(ret) { free(p); return ret; } memset(p + et->confoundersize, 0, checksum_sz); - cksum.cksumtype = CHECKSUMTYPE(et->checksum); + cksum.cksumtype = CHECKSUMTYPE(et->cksumtype); ret = verify_checksum(context, NULL, 0, p, len, &cksum); free_Checksum(&cksum); if(ret) { @@ -2523,7 +2404,6 @@ decrypt_internal(krb5_context context, result->data = realloc(p, l); if(result->data == NULL) { free(p); - krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } result->length = l; @@ -2540,18 +2420,16 @@ decrypt_internal_special(krb5_context context, void *ivec) { struct encryption_type *et = crypto->et; - size_t cksum_sz = CHECKSUMSIZE(et->checksum); + size_t cksum_sz = CHECKSUMSIZE(et->cksumtype); size_t sz = len - cksum_sz - et->confoundersize; char *cdata = (char *)data; char *tmp; tmp = malloc (sz); - if (tmp == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); + if (tmp == NULL) return ENOMEM; - } - (*et->encrypt)(context, &crypto->key, data, len, FALSE, usage, ivec); + (*et->encrypt)(&crypto->key, data, len, FALSE, usage, ivec); memcpy (tmp, cdata + cksum_sz + et->confoundersize, sz); 
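Review bot: decrypt_internal_special discards the return value of `(*et->encrypt)(&crypto->key, data, len, FALSE, usage, ivec);` and goes straight to the memcpy. For arcfour-hmac-md5, the only F_SPECIAL entry in the enctype table, that call reaches ARCFOUR_subdecrypt, which reports a checksum mismatch as KRB5KRB_AP_ERR_BAD_INTEGRITY through exactly this return value, so a failed integrity check appears to be ignored here (assuming this function is the F_SPECIAL decrypt path, which the hunk does not show). In addition, `sz = len - cksum_sz - et->confoundersize` is computed in the declaration with no lower bound on `len`, so short input wraps `sz`. The sketch below rejects short input first and propagates the decrypt result; the function body continues past the hunk.

```c
    struct encryption_type *et = crypto->et;
    size_t cksum_sz = CHECKSUMSIZE(et->cksumtype);
    size_t sz;
    krb5_error_code ret;
    /* … unchanged: cdata and tmp declarations … */

    if (len < cksum_sz + et->confoundersize)
        return EINVAL; /* same code decrypt_internal_derived uses for short input */
    sz = len - cksum_sz - et->confoundersize;

    /* … unchanged: tmp = malloc (sz) and its NULL check … */

    ret = (*et->encrypt)(&crypto->key, data, len, FALSE, usage, ivec);
    if (ret) {
        free(tmp);
        return ret;
    }
    /* … unchanged: memcpy of the payload into tmp … */
```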
@@ -2655,73 +2533,6 @@ krb5_decrypt_EncryptedData(krb5_context context, * * ************************************************************/ -#ifdef HAVE_OPENSSL_DES_H -#include <openssl/rand.h> - -/* From openssl/crypto/rand/rand_lcl.h */ -#define ENTROPY_NEEDED 20 -static int -seed_something(void) -{ - int fd = -1; - size_t len; - char buf[1024], seedfile[256]; - - /* If there is a seed file, load it. But such a file cannot be trusted, - so use 0 for the entropy estimate */ - if (RAND_file_name(seedfile, sizeof(seedfile))) { - fd = open(seedfile, O_RDONLY); - if (fd >= 0) { - read(fd, buf, sizeof(buf)); - /* Use the full buffer anyway */ - RAND_add(buf, sizeof(buf), 0.0); - } else - seedfile[0] = '\0'; - } else - seedfile[0] = '\0'; - - /* Calling RAND_status() will try to use /dev/urandom if it exists so - we do not have to deal with it. */ - if (RAND_status() != 1) { - krb5_context context; - char *p; - - /* Try using egd */ - if (!krb5_init_context(&context)) { - p = krb5_config_get_string(context, NULL, "libdefaults", - "egd_socket", NULL); - if (p != NULL) - RAND_egd_bytes(p, ENTROPY_NEEDED); - krb5_free_context(context); - } - } - - if (RAND_status() == 1) { - /* Update the seed file */ - if (seedfile[0]) - RAND_write_file(seedfile); - - return 0; - } else - return -1; -} - -void -krb5_generate_random_block(void *buf, size_t len) -{ - static int rng_initialized = 0; - - if (!rng_initialized) { - if (seed_something()) - krb5_abortx(NULL, "Fatal: could not seed the random number generator"); - - rng_initialized = 1; - } - RAND_bytes(buf, len); -} - -#else - void krb5_generate_random_block(void *buf, size_t len) { @@ -2747,7 +2558,6 @@ krb5_generate_random_block(void *buf, size_t len) buf = (char*)buf + sizeof(out); } } -#endif static void DES3_postproc(krb5_context context, 
@@ -2788,7 +2598,7 @@ static krb5_error_code derive_key(krb5_context context, struct encryption_type *et, struct key_data *key, - const void *constant, + void *constant, size_t len) { unsigned char *k; @@ -2803,36 +2613,29 @@ derive_key(krb5_context context, len != et->blocksize) { nblocks = (kt->bits + et->blocksize * 8 - 1) / (et->blocksize * 8); k = malloc(nblocks * et->blocksize); - if(k == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); + if(k == NULL) return ENOMEM; - } _krb5_n_fold(constant, len, k, et->blocksize); for(i = 0; i < nblocks; i++) { if(i > 0) memcpy(k + i * et->blocksize, k + (i - 1) * et->blocksize, et->blocksize); - (*et->encrypt)(context, key, k + i * et->blocksize, et->blocksize, - 1, 0, NULL); + (*et->encrypt)(key, k + i * et->blocksize, et->blocksize, 1, 0, + NULL); } } else { /* this case is probably broken, but won't be run anyway */ void *c = malloc(len); size_t res_len = (kt->bits + 7) / 8; - if(len != 0 && c == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); + if(len != 0 && c == NULL) return ENOMEM; - } memcpy(c, constant, len); - (*et->encrypt)(context, key, c, len, 1, 0, NULL); + (*et->encrypt)(key, c, len, 1, 0, NULL); k = malloc(res_len); - if(res_len != 0 && k == NULL) { - free(c); - krb5_set_error_string(context, "malloc: out of memory"); + if(res_len != 0 && k == NULL) return ENOMEM; - } _krb5_n_fold(c, len, k, res_len); free(c); } @@ -2843,9 +2646,8 @@ derive_key(krb5_context context, DES3_postproc(context, k, nblocks * et->blocksize, key); break; default: - krb5_set_error_string(context, - "derive_key() called with unknown keytype (%u)", - kt->type); + krb5_warnx(context, "derive_key() called with unknown keytype (%u)", + kt->type); ret = KRB5_CRYPTO_INTERNAL; break; } 
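Review bot: The second allocation-failure path in derive_key's else branch now leaks `c`: the commit drops `free(c);` from the `if(res_len != 0 && k == NULL)` case, and at that point `c` still holds the buffer that `(*et->encrypt)(key, c, len, 1, 0, NULL)` just wrote key-derived output into. Restore the cleanup as `if(res_len != 0 && k == NULL) { free(c); return ENOMEM; }`. The results of the `(*et->encrypt)` calls in both branches are also discarded, so a failing cipher callback would go unnoticed. derive_key begins before and ends after this hunk.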
@@ -2868,38 +2670,6 @@ _new_derived_key(krb5_crypto crypto, unsigned usage) return &d->key; } -krb5_error_code -krb5_derive_key(krb5_context context, - const krb5_keyblock *key, - krb5_enctype etype, - const void *constant, - size_t constant_len, - krb5_keyblock **derived_key) -{ - krb5_error_code ret; - struct encryption_type *et; - struct key_data d; - - et = _find_enctype (etype); - if (et == NULL) { - krb5_set_error_string(context, "encryption type %d not supported", - etype); - return KRB5_PROG_ETYPE_NOSUPP; - } - - ret = krb5_copy_keyblock(context, key, derived_key); - if (ret) - return ret; - - d.key = *derived_key; - d.schedule = NULL; - ret = derive_key(context, et, &d, constant, constant_len); - if (ret) - return ret; - ret = krb5_copy_keyblock(context, d.key, derived_key); - return ret; -} - static krb5_error_code _get_derived_key(krb5_context context, krb5_crypto crypto, @@ -2916,10 +2686,8 @@ _get_derived_key(krb5_context context, return 0; } d = _new_derived_key(crypto, usage); - if(d == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); + if(d == NULL) return ENOMEM; - } krb5_copy_keyblock(context, crypto->key.key, &d->key); _krb5_put_int(constant, usage, 5); derive_key(context, crypto->et, d, constant, sizeof(constant)); @@ -2930,23 +2698,19 @@ _get_derived_key(krb5_context context, krb5_error_code krb5_crypto_init(krb5_context context, - const krb5_keyblock *key, + krb5_keyblock *key, krb5_enctype etype, krb5_crypto *crypto) { krb5_error_code ret; ALLOC(*crypto, 1); - if(*crypto == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); + if(*crypto == NULL) return ENOMEM; - } if(etype == ETYPE_NULL) etype = key->keytype; (*crypto)->et = _find_enctype(etype); if((*crypto)->et == NULL) { free(*crypto); - krb5_set_error_string (context, "encryption type %d not supported", - etype); return KRB5_PROG_ETYPE_NOSUPP; } ret = krb5_copy_keyblock(context, key, &(*crypto)->key.key); 
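Review bot: _get_derived_key ignores the results of both `krb5_copy_keyblock(context, crypto->key.key, &d->key);` and `derive_key(context, crypto->et, d, constant, sizeof(constant));`. derive_key can return ENOMEM or KRB5_CRYPTO_INTERNAL (visible in its own hunk), and in that case the entry created by `_new_derived_key` appears to stay in place as if it held a valid derived key. Each call should be checked, e.g. `ret = derive_key(context, crypto->et, d, constant, sizeof(constant)); if(ret) return ret;`, together with whatever cleanup of `d` the key list needs. The start and end of the function are outside the hunk, so the declaration of a `ret` variable and the final return path could not be confirmed.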
@@ -3002,11 +2766,8 @@ krb5_string_to_key_derived(krb5_context context, struct key_data kd; u_char *tmp; - if(et == NULL) { - krb5_set_error_string (context, "encryption type %d not supported", - etype); + if(et == NULL) return KRB5_PROG_ETYPE_NOSUPP; - } ALLOC(kd.key, 1); kd.key->keytype = etype; tmp = malloc (et->keytype->bits / 8); @@ -3033,7 +2794,7 @@ wrapped_length (krb5_context context, size_t blocksize = et->blocksize; size_t res; - res = et->confoundersize + et->checksum->checksumsize + data_len; + res = et->confoundersize + et->cksumtype->checksumsize + data_len; res = (res + blocksize - 1) / blocksize * blocksize; return res; } @@ -3049,7 +2810,7 @@ wrapped_length_dervied (krb5_context context, res = et->confoundersize + data_len; res = (res + blocksize - 1) / blocksize * blocksize; - res += et->checksum->checksumsize; + res += et->cksumtype->checksumsize; return res; } diff --git a/crypto/heimdal/lib/krb5/krb5_locl.h b/crypto/heimdal/lib/krb5/krb5_locl.h index 02bcfe4..0d15772 100644 --- a/crypto/heimdal/lib/krb5/krb5_locl.h +++ b/crypto/heimdal/lib/krb5/krb5_locl.h @@ -31,7 +31,8 @@ * SUCH DAMAGE. */ -/* $Id: krb5_locl.h,v 1.66 2001/05/10 15:31:34 assar Exp $ */ +/* $Id: krb5_locl.h,v 1.63 1999/12/02 17:05:11 joda Exp $ */ +/* $FreeBSD$ */ #ifndef __KRB5_LOCL_H__ #define __KRB5_LOCL_H__ @@ -135,7 +136,7 @@ struct sockaddr_dl; #include <rc4.h> #endif -#include <krb5_asn1.h> +#include <asn1.h> #include <der.h> #include <krb5.h> @@ -147,8 +148,7 @@ struct sockaddr_dl; #define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0) /* should this be public? */ -#define KEYTAB_DEFAULT "ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab" -#define KEYTAB_DEFAULT_MODIFY "FILE:/etc/krb5.keytab" +#define KEYTAB_DEFAULT "FILE:/etc/krb5.keytab" #ifndef O_BINARY #define O_BINARY 0 |
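Review bot: In krb5_string_to_key_derived, `ALLOC(kd.key, 1);` is followed directly by `kd.key->keytype = etype;` with no NULL test, so an allocation failure becomes a NULL dereference. Other ALLOC sites in this file test the result (`_key_schedule`, `krb5_crypto_init`), and the same one-liner fits here: `if(kd.key == NULL) return ENOMEM;`. Whether `tmp = malloc (et->keytype->bits / 8)` is checked cannot be seen, because the hunk ends on that line.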