diff --git a/admin/ktutil_locl.h b/admin/ktutil_locl.h index b0bb9e701..02b761f45 100644 --- a/admin/ktutil_locl.h +++ b/admin/ktutil_locl.h @@ -54,7 +54,11 @@ #include #include +#ifdef HAVE_OPENSSL_DES_H +#include +#else #include +#endif #include #include diff --git a/appl/ftp/ftp/ftp_locl.h b/appl/ftp/ftp/ftp_locl.h index 37749cd19..33f27457f 100644 --- a/appl/ftp/ftp/ftp_locl.h +++ b/appl/ftp/ftp/ftp_locl.h @@ -129,7 +129,13 @@ struct hostent *gethostbyname(const char *); #include "roken.h" #include "security.h" -#include /* for des_read_pw_string */ + +/* des_read_pw_string */ +#ifdef HAVE_OPENSSL_DES_H +#include +#else +#include +#endif #if defined(__sun__) && !defined(__svr4) int fclose(FILE*); diff --git a/appl/kx/common.c b/appl/kx/common.c index c493b1bb3..99884c8d9 100644 --- a/appl/kx/common.c +++ b/appl/kx/common.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan + * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -405,7 +405,11 @@ create_and_write_cookie (char *xauthfile, auth.name_length = strlen(auth.name); auth.data_length = cookie_sz; auth.data = (char*)cookie; +#ifdef HAVE_OPENSSL_DES_H + krb5_generate_random_block (cookie, cookie_sz); +#else des_rand_data (cookie, cookie_sz); +#endif strlcpy(xauthfile, "/tmp/AXXXXXX", xauthfile_size); fd = mkstemp(xauthfile); diff --git a/appl/otp/otp_locl.h b/appl/otp/otp_locl.h index 4a4c15f10..71176bb22 100644 --- a/appl/otp/otp_locl.h +++ b/appl/otp/otp_locl.h @@ -52,5 +52,9 @@ #endif #include #include +#ifdef HAVE_OPENSSL_DES_H +#include +#else #include +#endif #include diff --git a/appl/su/su.c b/appl/su/su.c index 3904c9c6f..05c4f1308 100644 --- a/appl/su/su.c +++ b/appl/su/su.c @@ -50,7 +50,11 @@ RCSID("$Id$"); #include +#ifdef HAVE_OPENSSL_DES_H +#include +#else #include +#endif #include #include #include diff --git a/appl/telnet/libtelnet/enc_des.c b/appl/telnet/libtelnet/enc_des.c index a5c32465d..c1466927e 100644 --- a/appl/telnet/libtelnet/enc_des.c +++ b/appl/telnet/libtelnet/enc_des.c @@ -50,7 +50,11 @@ RCSID("$Id$"); #include "encrypt.h" #include "misc-proto.h" +#ifdef HAVE_OPENSSL_DES_H +#include +#else #include +#endif extern int encrypt_debug_mode; diff --git a/appl/telnet/libtelnet/encrypt.h b/appl/telnet/libtelnet/encrypt.h index 1a4a7ba59..5b7da5170 100644 --- a/appl/telnet/libtelnet/encrypt.h +++ b/appl/telnet/libtelnet/encrypt.h @@ -90,6 +90,13 @@ typedef struct { #define SK_DES 1 /* Matched Kerberos v5 KEYTYPE_DES */ +#ifdef HAVE_OPENSSL_CRYPTO_H +#include +#define des_new_random_key des_random_key +#else +#include +#endif + #include "enc-proto.h" extern int encrypt_debug_mode; diff --git a/appl/telnet/libtelnet/kerberos.c b/appl/telnet/libtelnet/kerberos.c index 16ef86e03..413ed0023 100644 --- a/appl/telnet/libtelnet/kerberos.c +++ b/appl/telnet/libtelnet/kerberos.c @@ -65,7 +65,6 @@ RCSID("$Id$"); #include #endif #include -#include /* BSD wont include this in krb.h, so we do it here */ #include #include #include diff --git a/appl/telnet/libtelnet/krb4encpwd.c b/appl/telnet/libtelnet/krb4encpwd.c index 211d60ca1..969c47bb2 100644 --- a/appl/telnet/libtelnet/krb4encpwd.c +++ b/appl/telnet/libtelnet/krb4encpwd.c @@ -74,7 +74,6 @@ RCSID("$Id$"); #include #include -#include #include #include #include diff --git a/appl/telnet/telnetd/telnetd.h b/appl/telnet/telnetd/telnetd.h index fdda3d785..65046073e 100644 --- a/appl/telnet/telnetd/telnetd.h +++ b/appl/telnet/telnetd/telnetd.h @@ -166,7 +166,6 @@ struct hostent *gethostbyname(const char *); #endif #ifdef KRB4 -#include #include #endif diff --git a/kadmin/kadmin_locl.h b/kadmin/kadmin_locl.h index 8c740c003..d04fab100 100644 --- a/kadmin/kadmin_locl.h +++ b/kadmin/kadmin_locl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -83,7 +83,11 @@ #endif #include #include +#ifdef HAVE_OPENSSL_DES_H +#include +#else #include +#endif #include #include #include @@ -176,7 +180,7 @@ random_password(char *pw, size_t len); /* kadm_conn.c */ -sig_atomic_t term_flag, doing_useful_work; +extern sig_atomic_t term_flag, doing_useful_work; void parse_ports(krb5_context, const char*); int start_server(krb5_context); diff --git a/kadmin/random_password.c b/kadmin/random_password.c index de9ef01d3..c90b1f140 100644 --- a/kadmin/random_password.c +++ b/kadmin/random_password.c @@ -57,9 +57,9 @@ random_password(char *pw, size_t len) { #ifdef OTP_STYLE { - des_cblock newkey; + OtpKey newkey; - des_new_random_key(&newkey); + krb5_generate_random_block(&newkey, sizeof(newkey)); otp_print_stddict (newkey, pw, len); strlwr(pw); } @@ -80,11 +80,11 @@ random_password(char *pw, size_t len) #ifndef OTP_STYLE /* return a random value in range 0-127 */ static int -RND(des_cblock *key, int *left) +RND(unsigned char *key, int keylen, int *left) { if(*left == 0){ - des_new_random_key(key); - *left = 8; + krb5_generate_random_block(key, keylen); + *left = keylen; } (*left)--; return ((unsigned char*)key)[*left]; @@ -120,7 +120,7 @@ generate_password(char **pw, int num_classes, ...) } *classes; va_list ap; int len, i; - des_cblock rbuf; /* random buffer */ + unsigned char rbuf[8]; /* random buffer */ int rleft = 0; classes = malloc(num_classes * sizeof(*classes)); @@ -138,11 +138,12 @@ generate_password(char **pw, int num_classes, ...) return; for(i = 0; i < len; i++) { int j; - int x = RND(&rbuf, &rleft) % (len - i); + int x = RND(rbuf, sizeof(rbuf), &rleft) % (len - i); int t = 0; for(j = 0; j < num_classes; j++) { if(x < t + classes[j].freq) { - (*pw)[i] = classes[j].str[RND(&rbuf, &rleft) % classes[j].len]; + (*pw)[i] = classes[j].str[RND(rbuf, sizeof(rbuf), &rleft) + % classes[j].len]; classes[j].freq--; break; } diff --git a/kdc/headers.h b/kdc/headers.h index 9d079c80c..efcf350f6 100644 --- a/kdc/headers.h +++ b/kdc/headers.h @@ -82,7 +82,11 @@ #include #include #include +#ifdef HAVE_OPENSSL_DES_H +#include +#else #include +#endif #include #include #include diff --git a/kpasswd/kpasswd_locl.h b/kpasswd/kpasswd_locl.h index df75fb799..b47d1d2c6 100644 --- a/kpasswd/kpasswd_locl.h +++ b/kpasswd/kpasswd_locl.h @@ -95,7 +95,11 @@ #include #include #include +#ifdef HAVE_OPENSSL_DES_H +#include +#else #include +#endif #include #endif /* __KPASSWD_LOCL_H__ */ diff --git a/lib/hdb/hdb_locl.h b/lib/hdb/hdb_locl.h index 5565f6294..e7aaee439 100644 --- a/lib/hdb/hdb_locl.h +++ b/lib/hdb/hdb_locl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -56,7 +56,11 @@ #endif #include +#ifdef HAVE_OPENSSL_DES_H +#include +#else #include +#endif #include #include #include @@ -73,14 +77,4 @@ #include #endif -int hdb_principal2key(krb5_context, krb5_principal, krb5_data*); -int hdb_key2principal(krb5_context, krb5_data*, krb5_principal); - -krb5_error_code hdb_lock(int, int); -krb5_error_code hdb_unlock(int); - -krb5_error_code _hdb_fetch(krb5_context, HDB*, unsigned, hdb_entry*); -krb5_error_code _hdb_store(krb5_context, HDB*, unsigned, hdb_entry*); -krb5_error_code _hdb_remove(krb5_context, HDB*, hdb_entry*); - #endif /* __HDB_LOCL_H__ */ diff --git a/lib/krb5/crypto.c b/lib/krb5/crypto.c index 8716a9532..197382cb8 100644 --- a/lib/krb5/crypto.c +++ b/lib/krb5/crypto.c @@ -2532,6 +2532,71 @@ krb5_decrypt_EncryptedData(krb5_context context, * * ************************************************************/ +#ifdef HAVE_OPENSSL_DES_H +#include + +/* From openssl/crypto/rand/rand_lcl.h */ +#define ENTROPY_NEEDED 20 +static int +seed_something(void) +{ + int fd = -1; + size_t len; + char buf[1024], seedfile[256]; + + /* If there is a seed file, load it. But such a file cannot be trusted, + so use 0 for the entropy estimate */ + if (RAND_file_name(seedfile, sizeof(seedfile))) { + fd = open(seedfile, O_RDONLY); + if (fd >= 0) { + read(fd, buf, sizeof(buf)); + /* Use the full buffer anyway */ + RAND_add(buf, sizeof(buf), 0.0); + } else + seedfile[0] = '\0'; + } else + seedfile[0] = '\0'; + + /* Calling RAND_status() will try to use /dev/urandom if it exists so + we do not have to deal with it. */ + if (RAND_status() != 1) { + krb5_context context; + char *p; + + /* Try using egd */ + if (!krb5_init_context(&context)) { + p = krb5_config_get_string(context, NULL, "libdefaults", + "egd_socket", NULL); + if (p != NULL) + RAND_egd_bytes(p, ENTROPY_NEEDED); + krb5_free_context(context); + } + } + + if (RAND_status() == 1) { + /* Update the seed file */ + if (seedfile[0]) + RAND_write_file(seedfile); + + return 0; + } else + return -1; +} + +void +krb5_generate_random_block(void *buf, size_t len) +{ + static int rng_initialized = 0; + + if (!rng_initialized) { + if (seed_something()) + krb5_abortx(NULL, "Fatal: could not seed the random number generator"); + + rng_initialized = 1; + } + RAND_bytes(buf, len); +} +#else void krb5_generate_random_block(void *buf, size_t len) { @@ -2557,6 +2622,7 @@ krb5_generate_random_block(void *buf, size_t len) buf = (char*)buf + sizeof(out); } } +#endif static void DES3_postproc(krb5_context context,