diff --git a/lib/krb5/crypto.c b/lib/krb5/crypto.c index 68917fc76..ebddaf3dc 100644 --- a/lib/krb5/crypto.c +++ b/lib/krb5/crypto.c @@ -40,6 +40,12 @@ RCSID("$Id$"); static void krb5_crypto_debug(krb5_context, int, size_t, krb5_keyblock*); #endif +#ifndef HEIMDAL_SMALLER +#define WEAK_ENCTYPES 1 +#define DES3_OLD_ENCTYPE 1 +#endif + + #ifdef HAVE_OPENSSL /* XXX forward decl for hcrypto glue */ const EVP_CIPHER * _krb5_EVP_hcrypto_aes_128_cts(void); const EVP_CIPHER * _krb5_EVP_hcrypto_aes_256_cts(void); @@ -186,6 +192,7 @@ krb5_DES_random_key(krb5_context context, } while(DES_is_weak_key(k)); } +#ifdef WEAK_ENCTYPES static void krb5_DES_schedule_old(krb5_context context, struct key_type *kt, @@ -193,6 +200,8 @@ krb5_DES_schedule_old(krb5_context context, { DES_set_key_unchecked(key->key->keyvalue.data, key->schedule->data); } +#endif /* WEAK_ENCTYPES */ + #ifdef ENABLE_AFS_STRING_TO_KEY @@ -427,6 +436,7 @@ xor (DES_cblock *key, const unsigned char *b) a[7] ^= b[7]; } +#ifdef DES3_OLD_ENCTYPE static krb5_error_code DES3_string_to_key(krb5_context context, krb5_enctype enctype, @@ -490,6 +500,7 @@ DES3_string_to_key(krb5_context context, free(str); return 0; } +#endif static krb5_error_code DES3_string_to_key_derived(krb5_context context, @@ -738,6 +749,7 @@ static struct salt_type des_salt[] = { { 0 } }; +#ifdef DES3_OLD_ENCTYPE static struct salt_type des3_salt[] = { { KRB5_PW_SALT, @@ -746,6 +758,7 @@ static struct salt_type des3_salt[] = { }, { 0 } }; +#endif static struct salt_type des3_salt_derived[] = { { @@ -789,6 +802,7 @@ static struct key_type keytype_null = { NULL }; +#ifdef WEAK_ENCTYPES static struct key_type keytype_des_old = { KEYTYPE_DES, "des-old", @@ -800,6 +814,7 @@ static struct key_type keytype_des_old = { des_salt, krb5_DES_random_to_key }; +#endif /* WEAK_ENCTYPES */ static struct key_type keytype_des = { KEYTYPE_DES, @@ -815,6 +830,7 @@ static struct key_type keytype_des = { EVP_des_cbc }; +#ifdef DES3_OLD_ENCTYPE static struct key_type keytype_des3 = { KEYTYPE_DES3, "des3", @@ -826,6 +842,7 @@ static struct key_type keytype_des3 = { des3_salt, DES3_random_to_key }; +#endif static struct key_type keytype_des3_derived = { KEYTYPE_DES3, @@ -882,7 +899,9 @@ static struct key_type *keytypes[] = { &keytype_null, &keytype_des, &keytype_des3_derived, +#ifdef DES3_OLD_ENCTYPE &keytype_des3, +#endif &keytype_aes128, &keytype_aes256, &keytype_arcfour @@ -2140,25 +2159,6 @@ NULL_encrypt(krb5_context context, return 0; } -static krb5_error_code -evp_des_encrypt_null_ivec(krb5_context context, - struct key_data *key, - void *data, - size_t len, - krb5_boolean encryptp, - int usage, - void *ignore_ivec) -{ - struct evp_schedule *ctx = key->schedule->data; - EVP_CIPHER_CTX *c; - DES_cblock ivec; - memset(&ivec, 0, sizeof(ivec)); - c = encryptp ? &ctx->ectx : &ctx->dctx; - EVP_CipherInit_ex(c, NULL, NULL, NULL, (void *)&ivec, -1); - EVP_Cipher(c, data, data, len); - return 0; -} - static krb5_error_code evp_encrypt(krb5_context context, struct key_data *key, @@ -2188,6 +2188,26 @@ evp_encrypt(krb5_context context, return 0; } +#ifdef WEAK_ENCTYPES +static krb5_error_code +evp_des_encrypt_null_ivec(krb5_context context, + struct key_data *key, + void *data, + size_t len, + krb5_boolean encryptp, + int usage, + void *ignore_ivec) +{ + struct evp_schedule *ctx = key->schedule->data; + EVP_CIPHER_CTX *c; + DES_cblock ivec; + memset(&ivec, 0, sizeof(ivec)); + c = encryptp ? &ctx->ectx : &ctx->dctx; + EVP_CipherInit_ex(c, NULL, NULL, NULL, (void *)&ivec, -1); + EVP_Cipher(c, data, data, len); + return 0; +} + static krb5_error_code evp_des_encrypt_key_ivec(krb5_context context, struct key_data *key, @@ -2207,25 +2227,6 @@ evp_des_encrypt_key_ivec(krb5_context context, return 0; } -static krb5_error_code -DES3_CBC_encrypt(krb5_context context, - struct key_data *key, - void *data, - size_t len, - krb5_boolean encryptp, - int usage, - void *ivec) -{ - DES_cblock local_ivec; - DES_key_schedule *s = key->schedule->data; - if(ivec == NULL) { - ivec = &local_ivec; - memset(local_ivec, 0, sizeof(local_ivec)); - } - DES_ede3_cbc_encrypt(data, data, len, &s[0], &s[1], &s[2], ivec, encryptp); - return 0; -} - static krb5_error_code DES_CFB64_encrypt_null_ivec(krb5_context context, struct key_data *key, @@ -2260,6 +2261,26 @@ DES_PCBC_encrypt_key_ivec(krb5_context context, DES_pcbc_encrypt(data, data, len, s, &ivec, encryptp); return 0; } +#endif + +static krb5_error_code +DES3_CBC_encrypt(krb5_context context, + struct key_data *key, + void *data, + size_t len, + krb5_boolean encryptp, + int usage, + void *ivec) +{ + DES_cblock local_ivec; + DES_key_schedule *s = key->schedule->data; + if(ivec == NULL) { + ivec = &local_ivec; + memset(local_ivec, 0, sizeof(local_ivec)); + } + DES_ede3_cbc_encrypt(data, data, len, &s[0], &s[1], &s[2], ivec, encryptp); + return 0; +} /* * section 6 of draft-brezak-win2k-krb-rc4-hmac-03 @@ -2526,6 +2547,109 @@ static struct encryption_type enctype_null = { 0, NULL }; +static struct encryption_type enctype_arcfour_hmac_md5 = { + ETYPE_ARCFOUR_HMAC_MD5, + "arcfour-hmac-md5", + 1, + 1, + 8, + &keytype_arcfour, + &checksum_hmac_md5, + NULL, + F_SPECIAL, + ARCFOUR_encrypt, + 0, + NULL +}; +#ifdef DES3_OLD_ENCTYPE +static struct encryption_type enctype_des3_cbc_md5 = { + ETYPE_DES3_CBC_MD5, + "des3-cbc-md5", + 8, + 8, + 8, + &keytype_des3, + &checksum_rsa_md5, + &checksum_rsa_md5_des3, + 0, + DES3_CBC_encrypt, + 0, + NULL +}; +#endif +static struct encryption_type enctype_des3_cbc_sha1 = { + ETYPE_DES3_CBC_SHA1, + "des3-cbc-sha1", + 8, + 8, + 8, + &keytype_des3_derived, + &checksum_sha1, + &checksum_hmac_sha1_des3, + F_DERIVED, + DES3_CBC_encrypt, + 0, + NULL +}; +#ifdef DES3_OLD_ENCTYPE +static struct encryption_type enctype_old_des3_cbc_sha1 = { + ETYPE_OLD_DES3_CBC_SHA1, + "old-des3-cbc-sha1", + 8, + 8, + 8, + &keytype_des3, + &checksum_sha1, + &checksum_hmac_sha1_des3, + 0, + DES3_CBC_encrypt, + 0, + NULL +}; +#endif +static struct encryption_type enctype_aes128_cts_hmac_sha1 = { + ETYPE_AES128_CTS_HMAC_SHA1_96, + "aes128-cts-hmac-sha1-96", + 16, + 1, + 16, + &keytype_aes128, + &checksum_sha1, + &checksum_hmac_sha1_aes128, + F_DERIVED, + evp_encrypt, + 16, + AES_PRF +}; +static struct encryption_type enctype_aes256_cts_hmac_sha1 = { + ETYPE_AES256_CTS_HMAC_SHA1_96, + "aes256-cts-hmac-sha1-96", + 16, + 1, + 16, + &keytype_aes256, + &checksum_sha1, + &checksum_hmac_sha1_aes256, + F_DERIVED, + evp_encrypt, + 16, + AES_PRF +}; +static struct encryption_type enctype_des3_cbc_none = { + ETYPE_DES3_CBC_NONE, + "des3-cbc-none", + 8, + 8, + 0, + &keytype_des3_derived, + &checksum_none, + NULL, + F_PSEUDO, + DES3_CBC_encrypt, + 0, + NULL +}; +#ifdef WEAK_ENCTYPES static struct encryption_type enctype_des_cbc_crc = { ETYPE_DES_CBC_CRC, "des-cbc-crc", @@ -2568,90 +2692,6 @@ static struct encryption_type enctype_des_cbc_md5 = { 0, NULL }; -static struct encryption_type enctype_arcfour_hmac_md5 = { - ETYPE_ARCFOUR_HMAC_MD5, - "arcfour-hmac-md5", - 1, - 1, - 8, - &keytype_arcfour, - &checksum_hmac_md5, - NULL, - F_SPECIAL, - ARCFOUR_encrypt, - 0, - NULL -}; -static struct encryption_type enctype_des3_cbc_md5 = { - ETYPE_DES3_CBC_MD5, - "des3-cbc-md5", - 8, - 8, - 8, - &keytype_des3, - &checksum_rsa_md5, - &checksum_rsa_md5_des3, - 0, - DES3_CBC_encrypt, - 0, - NULL -}; -static struct encryption_type enctype_des3_cbc_sha1 = { - ETYPE_DES3_CBC_SHA1, - "des3-cbc-sha1", - 8, - 8, - 8, - &keytype_des3_derived, - &checksum_sha1, - &checksum_hmac_sha1_des3, - F_DERIVED, - DES3_CBC_encrypt, - 0, - NULL -}; -static struct encryption_type enctype_old_des3_cbc_sha1 = { - ETYPE_OLD_DES3_CBC_SHA1, - "old-des3-cbc-sha1", - 8, - 8, - 8, - &keytype_des3, - &checksum_sha1, - &checksum_hmac_sha1_des3, - 0, - DES3_CBC_encrypt, - 0, - NULL -}; -static struct encryption_type enctype_aes128_cts_hmac_sha1 = { - ETYPE_AES128_CTS_HMAC_SHA1_96, - "aes128-cts-hmac-sha1-96", - 16, - 1, - 16, - &keytype_aes128, - &checksum_sha1, - &checksum_hmac_sha1_aes128, - F_DERIVED, - evp_encrypt, - 16, - AES_PRF -}; -static struct encryption_type enctype_aes256_cts_hmac_sha1 = { - ETYPE_AES256_CTS_HMAC_SHA1_96, - "aes256-cts-hmac-sha1-96", - 16, - 1, - 16, - &keytype_aes256, - &checksum_sha1, - &checksum_hmac_sha1_aes256, - F_DERIVED, - evp_encrypt, - 16, - AES_PRF -}; static struct encryption_type enctype_des_cbc_none = { ETYPE_DES_CBC_NONE, "des-cbc-none", @@ -2694,36 +2734,27 @@ static struct encryption_type enctype_des_pcbc_none = { 0, NULL }; -static struct encryption_type enctype_des3_cbc_none = { - ETYPE_DES3_CBC_NONE, - "des3-cbc-none", - 8, - 8, - 0, - &keytype_des3_derived, - &checksum_none, - NULL, - F_PSEUDO, - DES3_CBC_encrypt, - 0, - NULL -}; +#endif /* WEAK_ENCTYPES */ static struct encryption_type *etypes[] = { - &enctype_null, + &enctype_aes256_cts_hmac_sha1, + &enctype_aes128_cts_hmac_sha1, + &enctype_des3_cbc_sha1, + &enctype_des3_cbc_none, /* used by the gss-api mech */ + &enctype_arcfour_hmac_md5, +#ifdef DES3_OLD_ENCTYPE + &enctype_des3_cbc_md5, + &enctype_old_des3_cbc_sha1, +#endif +#ifdef WEAK_ENCTYPES &enctype_des_cbc_crc, &enctype_des_cbc_md4, &enctype_des_cbc_md5, - &enctype_arcfour_hmac_md5, - &enctype_des3_cbc_md5, - &enctype_des3_cbc_sha1, - &enctype_old_des3_cbc_sha1, - &enctype_aes128_cts_hmac_sha1, - &enctype_aes256_cts_hmac_sha1, &enctype_des_cbc_none, &enctype_des_cfb64_none, &enctype_des_pcbc_none, - &enctype_des3_cbc_none +#endif + &enctype_null }; static unsigned num_etypes = sizeof(etypes) / sizeof(etypes[0]);