oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

mrore DH bits

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24697 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2009-02-14 20:12:55 +00:00
parent f293652434
commit 985e9f898d
1 changed files with 65 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

102
kdc/pkinit.c
View File

@@ -56,6 +56,7 @@ struct pk_client_params {
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
struct { struct {
EC_KEY *public_key; EC_KEY *public_key;
EC_KEY *key;
} ecdh; } ecdh;
#endif #endif
} u; } u;
@@ -178,6 +179,12 @@ _kdc_pk_free_client_param(krb5_context context,
if (client_params->u.dh.public_key) if (client_params->u.dh.public_key)
BN_free(client_params->u.dh.public_key); BN_free(client_params->u.dh.public_key);
} }
if (client_params->keyex == USE_ECDH) {
if (client_params->u.ecdh.key)
EC_KEY_free(client_params->u.ecdh.key);
if (client_params->u.ecdh.public_key)
EC_KEY_free(client_params->u.ecdh.public_key);
}
krb5_free_keyblock_contents(context, &client_params->reply_key); krb5_free_keyblock_contents(context, &client_params->reply_key);
if (client_params->dh_group_name) if (client_params->dh_group_name)
free(client_params->dh_group_name); free(client_params->dh_group_name);
@@ -190,8 +197,9 @@ _kdc_pk_free_client_param(krb5_context context,
} }
static krb5_error_code static krb5_error_code
generate_dh_keyblock(krb5_context context, pk_client_params *client_params, generate_dh_keyblock(krb5_context context,
krb5_enctype enctype, krb5_keyblock *reply_key) pk_client_params *client_params,
krb5_enctype enctype)
{ {
unsigned char *dh_gen_key = NULL; unsigned char *dh_gen_key = NULL;
krb5_keyblock key; krb5_keyblock key;
@@ -239,7 +247,6 @@ generate_dh_keyblock(krb5_context context, pk_client_params *client_params,
} }
ret = 0; ret = 0;
} else if (client_params->keyex == USE_ECDH) { } else if (client_params->keyex == USE_ECDH) {
EC_KEY *key;
if (client_params->u.ecdh.public_key == NULL) { if (client_params->u.ecdh.public_key == NULL) {
ret = KRB5KRB_ERR_GENERIC; ret = KRB5KRB_ERR_GENERIC;
@@ -247,23 +254,22 @@ generate_dh_keyblock(krb5_context context, pk_client_params *client_params,
goto out; goto out;
} }
key = EC_KEY_new(); client_params->u.ecdh.key = EC_KEY_new();
if (key == NULL) { if (client_params->u.ecdh.key == NULL) {
ret = ENOMEM; ret = ENOMEM;
goto out; goto out;
} }
EC_KEY_set_group(key, EC_KEY_get0_group(client_params->u.ecdh.public_key)); EC_KEY_set_group(client_params->u.ecdh.key,
EC_KEY_get0_group(client_params->u.ecdh.public_key));
if (EC_KEY_generate_key(key) != 1) { if (EC_KEY_generate_key(client_params->u.ecdh.key) != 1) {
ret = ENOMEM; ret = ENOMEM;
EC_KEY_free(key);
goto out; goto out;
} }
size = (EC_GROUP_get_degree(EC_KEY_get0_group(key)) + 7) / 8; size = (EC_GROUP_get_degree(EC_KEY_get0_group(client_params->u.ecdh.key)) + 7) / 8;
dh_gen_key = malloc(size); dh_gen_key = malloc(size);
if (dh_gen_key == NULL) { if (dh_gen_key == NULL) {
EC_KEY_free(key);
ret = ENOMEM; ret = ENOMEM;
krb5_set_error_message(context, ret, krb5_set_error_message(context, ret,
N_("malloc: out of memory", "")); N_("malloc: out of memory", ""));
@@ -272,11 +278,8 @@ generate_dh_keyblock(krb5_context context, pk_client_params *client_params,
dh_gen_keylen = ECDH_compute_key(dh_gen_key, size, dh_gen_keylen = ECDH_compute_key(dh_gen_key, size,
EC_KEY_get0_public_key(client_params->u.ecdh.public_key), EC_KEY_get0_public_key(client_params->u.ecdh.public_key),
key, NULL); client_params->u.ecdh.key, NULL);
EC_KEY_free(key);
ret = 0; ret = 0;
goto out;
} else { } else {
ret = KRB5KRB_ERR_GENERIC; ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret, krb5_set_error_message(context, ret,
@@ -288,7 +291,7 @@ generate_dh_keyblock(krb5_context context, pk_client_params *client_params,
enctype, enctype,
dh_gen_key, dh_gen_keylen, dh_gen_key, dh_gen_keylen,
NULL, NULL, NULL, NULL,
reply_key); &client_params->reply_key);
out: out:
if (dh_gen_key) if (dh_gen_key)
@@ -1011,9 +1014,7 @@ out:
static krb5_error_code static krb5_error_code
pk_mk_pa_reply_dh(krb5_context context, pk_mk_pa_reply_dh(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
DH *kdc_dh,
pk_client_params *client_params, pk_client_params *client_params,
krb5_keyblock *reply_key,
ContentInfo *content_info, ContentInfo *content_info,
hx509_cert *kdc_cert) hx509_cert *kdc_cert)
{ {
@@ -1022,32 +1023,61 @@ pk_mk_pa_reply_dh(krb5_context context,
ContentInfo contentinfo; ContentInfo contentinfo;
krb5_error_code ret; krb5_error_code ret;
size_t size; size_t size;
heim_integer i;
memset(&contentinfo, 0, sizeof(contentinfo)); memset(&contentinfo, 0, sizeof(contentinfo));
memset(&dh_info, 0, sizeof(dh_info)); memset(&dh_info, 0, sizeof(dh_info));
krb5_data_zero(&buf);
krb5_data_zero(&signed_data); krb5_data_zero(&signed_data);
krb5_data_zero(&buf);
*kdc_cert = NULL; *kdc_cert = NULL;
ret = BN_to_integer(context, kdc_dh->pub_key, &i); if (client_params->keyex == USE_DH) {
if (ret) DH *kdc_dh = client_params->u.dh.key;
return ret; heim_integer i;
ASN1_MALLOC_ENCODE(DHPublicKey, buf.data, buf.length, &i, &size, ret); ret = BN_to_integer(context, kdc_dh->pub_key, &i);
der_free_heim_integer(&i); if (ret)
if (ret) { return ret;
krb5_set_error_message(context, ret, "ASN.1 encoding of "
"DHPublicKey failed (%d)", ret); ASN1_MALLOC_ENCODE(DHPublicKey, buf.data, buf.length, &i, &size, ret);
return ret; der_free_heim_integer(&i);
} if (ret) {
if (buf.length != size) krb5_set_error_message(context, ret, "ASN.1 encoding of "
krb5_abortx(context, "Internal ASN.1 encoder error"); "DHPublicKey failed (%d)", ret);
return ret;
}
if (buf.length != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
dh_info.subjectPublicKey.length = buf.length * 8;
dh_info.subjectPublicKey.data = buf.data;
krb5_data_zero(&buf);
} else if (client_params->keyex == USE_ECDH) {
#ifdef HAVE_OPENSSL
unsigned char *p;
int len;
dh_info.subjectPublicKey.length = buf.length * 8; len = i2o_ECPublicKey(client_params->u.ecdh.key, NULL);
dh_info.subjectPublicKey.data = buf.data; if (len <= 0)
abort();
p = malloc(len);
if (p == NULL)
abort();
dh_info.subjectPublicKey.length = len * 8;
dh_info.subjectPublicKey.data = p;
len = i2o_ECPublicKey(client_params->u.ecdh.key, &p);
if (len <= 0)
abort();
#else
return ENOMEM;
#endif
} else
krb5_abortx(context, "no keyex selected ?");
dh_info.nonce = client_params->nonce; dh_info.nonce = client_params->nonce;
ASN1_MALLOC_ENCODE(KDCDHKeyInfo, buf.data, buf.length, &dh_info, &size, ASN1_MALLOC_ENCODE(KDCDHKeyInfo, buf.data, buf.length, &dh_info, &size,
@@ -1217,14 +1247,12 @@ _kdc_pk_mk_pa_reply(krb5_context context,
rep.element = choice_PA_PK_AS_REP_dhInfo; rep.element = choice_PA_PK_AS_REP_dhInfo;
ret = generate_dh_keyblock(context, client_params, enctype, ret = generate_dh_keyblock(context, client_params, enctype);
&client_params->reply_key);
if (ret) if (ret)
return ret; return ret;
ret = pk_mk_pa_reply_dh(context, config, client_params->u.dh.key, ret = pk_mk_pa_reply_dh(context, config,
client_params, client_params,
&client_params->reply_key,
&info, &info,
&kdc_cert); &kdc_cert);