oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Implement gss_wrap_iov, gss_unwrap_iov for CFX type encryption types.

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25286 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2009-06-22 17:56:41 +00:00
parent 4c302b52f8
commit c99b2003e2
62 changed files with 1447 additions and 551 deletions
Download Patch File Download Diff File Expand all files Collapse all files

298
lib/krb5/aes-test.c
View File

@@ -33,6 +33,7 @@
#include "krb5_locl.h"
#include <hex.h>
#include <err.h>
#include <assert.h>
#ifdef HAVE_OPENSSL
#include <openssl/evp.h>
@@ -324,30 +325,31 @@ krb_enc_iov2(krb5_context context,
krb5_data *clear)
{
krb5_crypto_iov iov[4];
krb5_data decrypt;
int ret;
char *p;
char *p, *q;
size_t len, i;
p = clear->data;
len = clear->length;
iov[0].flags = KRB5_CRYPTO_TYPE_HEADER;
iov[0].data.length = krb5_crypto_length(context, crypto, iov[0].flags);
krb5_crypto_length(context, crypto, iov[0].flags, &iov[0].data.length);
iov[0].data.data = emalloc(iov[0].data.length);
iov[1].flags = KRB5_CRYPTO_TYPE_TRAILER;
iov[1].data.length = krb5_crypto_length(context, crypto, iov[1].flags);
iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
iov[1].data.length = len;
iov[1].data.data = emalloc(iov[1].data.length);
iov[2].flags = KRB5_CRYPTO_TYPE_DATA;
iov[2].data.length = len;
iov[2].data.data = emalloc(iov[2].data.length);
memcpy(iov[2].data.data, p, iov[2].data.length);
memcpy(iov[1].data.data, p, iov[1].data.length);
/* padding buffer */
iov[3].flags = KRB5_CRYPTO_TYPE_PADDING;
iov[3].data.length = krb5_crypto_length(context, crypto, KRB5_CRYPTO_TYPE_PADDING);
iov[3].data.data = emalloc(iov[4].data.length);
iov[2].flags = KRB5_CRYPTO_TYPE_PADDING;
krb5_crypto_length(context, crypto, KRB5_CRYPTO_TYPE_PADDING, &iov[2].data.length);
iov[2].data.data = emalloc(iov[2].data.length);
iov[3].flags = KRB5_CRYPTO_TYPE_TRAILER;
krb5_crypto_length(context, crypto, iov[3].flags, &iov[3].data.length);
iov[3].data.data = emalloc(iov[3].data.length);
ret = krb5_encrypt_iov_ivec(context, crypto, usage,
iov, sizeof(iov)/sizeof(iov[0]), NULL);
@@ -360,33 +362,54 @@ krb_enc_iov2(krb5_context context,
if (len != cipher_len)
errx(1, "cipher len wrong");
/* now decrypt */
/*
* Plain decrypt
*/
p = q = emalloc(len);
for (i = 0; i < sizeof(iov)/sizeof(iov[0]); i++) {
memcpy(q, iov[i].data.data, iov[i].data.length);
q += iov[i].data.length;
}
ret = krb5_decrypt(context, crypto, usage, p, len, &decrypt);
if (ret)
krb5_err(context, 1, ret, "krb5_decrypt");
else
krb5_data_free(&decrypt);
free(p);
/*
* Now decrypt use iov
*/
/* padding turn into data */
p = emalloc(iov[2].data.length + iov[3].data.length);
p = emalloc(iov[1].data.length + iov[2].data.length);
memcpy(p, iov[2].data.data, iov[2].data.length);
memcpy(p + iov[2].data.length, iov[3].data.data, iov[3].data.length);
memcpy(p, iov[1].data.data, iov[1].data.length);
memcpy(p + iov[1].data.length, iov[2].data.data, iov[2].data.length);
free(iov[1].data.data);
free(iov[2].data.data);
free(iov[3].data.data);
iov[2].data.data = p;
iov[2].data.length += iov[3].data.length;
iov[1].data.data = p;
iov[1].data.length += iov[2].data.length;
iov[3].flags = KRB5_CRYPTO_TYPE_EMPTY;
iov[2].flags = KRB5_CRYPTO_TYPE_EMPTY;
iov[2].data.length = 0;
ret = krb5_decrypt_iov_ivec(context, crypto, usage,
iov, sizeof(iov)/sizeof(iov[0]), NULL);
if (ret)
errx(1, "decrypt iov failed: %d", ret);
krb5_err(context, 1, ret, "decrypt iov failed: %d", ret);
if (clear->length != iov[2].data.length)
if (clear->length != iov[1].data.length)
errx(1, "length incorrect");
p = clear->data;
if (memcmp(iov[2].data.data, p, iov[2].data.length) != 0)
errx(1, "iov[2] incorrect");
if (memcmp(iov[1].data.data, p, iov[1].data.length) != 0)
errx(1, "iov[1] incorrect");
return 0;
}
@@ -408,14 +431,14 @@ krb_enc_iov(krb5_context context,
len = cipher->length;
iov[0].flags = KRB5_CRYPTO_TYPE_HEADER;
iov[0].data.length = krb5_crypto_length(context, crypto, iov[0].flags);
krb5_crypto_length(context, crypto, iov[0].flags, &iov[0].data.length);
iov[0].data.data = emalloc(iov[0].data.length);
memcpy(iov[0].data.data, p, iov[0].data.length);
p += iov[0].data.length;
len -= iov[0].data.length;
iov[1].flags = KRB5_CRYPTO_TYPE_TRAILER;
iov[1].data.length = krb5_crypto_length(context, crypto, iov[1].flags);
krb5_crypto_length(context, crypto, iov[1].flags, &iov[1].data.length);
iov[1].data.data = emalloc(iov[1].data.length);
memcpy(iov[1].data.data, p + len - iov[1].data.length, iov[1].data.length);
len -= iov[1].data.length;
@@ -428,7 +451,7 @@ krb_enc_iov(krb5_context context,
ret = krb5_decrypt_iov_ivec(context, crypto, usage,
iov, sizeof(iov)/sizeof(iov[0]), NULL);
if (ret)
errx(1, "krb_enc_iov decrypt iov failed: %d", ret);
krb5_err(context, 1, ret, "krb_enc_iov decrypt iov failed: %d", ret);
if (clear->length != iov[2].data.length)
errx(1, "length incorrect");
@@ -440,6 +463,43 @@ krb_enc_iov(krb5_context context,
return 0;
}
static int
krb_checksum_iov(krb5_context context,
krb5_crypto crypto,
unsigned usage,
krb5_data *plain)
{
krb5_crypto_iov iov[4];
int ret;
char *p;
size_t len;
p = plain->data;
len = plain->length;
iov[0].flags = KRB5_CRYPTO_TYPE_CHECKSUM;
krb5_crypto_length(context, crypto, iov[0].flags, &iov[0].data.length);
iov[0].data.data = emalloc(iov[0].data.length);
iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
iov[1].data.length = len;
iov[1].data.data = p;
iov[2].flags = KRB5_CRYPTO_TYPE_TRAILER;
krb5_crypto_length(context, crypto, iov[0].flags, &iov[2].data.length);
iov[2].data.data = malloc(iov[2].data.length);
ret = krb5_create_checksum_iov(context, crypto, usage,
iov, sizeof(iov)/sizeof(iov[0]), NULL);
if (ret)
krb5_err(context, 1, ret, "krb5_create_checksum_iov failed");
ret = krb5_verify_checksum_iov(context, crypto, usage, iov, sizeof(iov)/sizeof(iov[0]), NULL);
if (ret)
krb5_err(context, 1, ret, "krb5_verify_checksum_iov");
return 0;
}
static int
@@ -548,6 +608,10 @@ krb_enc_test(krb5_context context)
if (ret)
errx(1, "krb_enc_iov2 failed with %d for test %d", ret, i);
ret = krb_checksum_iov(context, crypto, krbencs[i].usage, &plain);
if (ret)
errx(1, "krb_checksum_iov failed with %d for test %d", ret, i);
krb5_crypto_destroy(context, crypto);
ret = krb_enc_mit(context, krbencs[i].enctype, &kb,
@@ -559,6 +623,184 @@ krb_enc_test(krb5_context context)
return 0;
}
static int
iov_test(krb5_context context)
{
krb5_enctype enctype = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
krb5_error_code ret;
krb5_crypto crypto;
krb5_keyblock key;
krb5_data signonly, in, in2;
krb5_crypto_iov iov[6];
size_t len, i;
unsigned char *base, *p;
ret = krb5_generate_random_keyblock(context, enctype, &key);
if (ret)
krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
ret = krb5_crypto_init(context, &key, 0, &crypto);
if (ret)
krb5_err(context, 1, ret, "krb5_crypto_init");
ret = krb5_crypto_length(context, crypto, KRB5_CRYPTO_TYPE_HEADER, &len);
if (ret)
krb5_err(context, 1, ret, "krb5_crypto_length");
signonly.data = "This should be signed";
signonly.length = strlen(signonly.data);
in.data = "inputdata";
in.length = strlen(in.data);
in2.data = "INPUTDATA";
in2.length = strlen(in2.data);
memset(iov, 0, sizeof(iov));
iov[0].flags = KRB5_CRYPTO_TYPE_HEADER;
iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
iov[1].data = in;
iov[2].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;
iov[2].data = signonly;
iov[3].flags = KRB5_CRYPTO_TYPE_EMPTY;
iov[4].flags = KRB5_CRYPTO_TYPE_PADDING;
iov[5].flags = KRB5_CRYPTO_TYPE_TRAILER;
ret = krb5_crypto_length_iov(context, crypto, iov,
sizeof(iov)/sizeof(iov[0]));
if (ret)
krb5_err(context, 1, ret, "krb5_crypto_length_iov");
for (len = 0, i = 0; i < sizeof(iov)/sizeof(iov[0]); i++) {
if (iov[i].flags == KRB5_CRYPTO_TYPE_SIGN_ONLY)
continue;
len += iov[i].data.length;
}
base = emalloc(len);
/*
* Allocate data for the fields
*/
for (p = base, i = 0; i < sizeof(iov)/sizeof(iov[0]); i++) {
if (iov[i].flags == KRB5_CRYPTO_TYPE_SIGN_ONLY)
continue;;
iov[i].data.data = p;
p += iov[i].data.length;
}
assert(iov[1].data.length == in.length);
memcpy(iov[1].data.data, in.data, iov[1].data.length);
/*
* Encrypt
*/
ret = krb5_encrypt_iov_ivec(context, crypto, 7, iov,
sizeof(iov)/sizeof(iov[0]), NULL);
if (ret)
krb5_err(context, 1, ret, "krb5_encrypt_iov_ivec");
/*
* Decrypt
*/
ret = krb5_decrypt_iov_ivec(context, crypto, 7,
iov, sizeof(iov)/sizeof(iov[0]), NULL);
if (ret)
krb5_err(context, 1, ret, "krb5_decrypt_iov_ivec");
/*
* Verify data
*/
if (krb5_data_cmp(&iov[1].data, &in) != 0)
krb5_errx(context, 1, "decrypted data not same");
/*
* Free memory
*/
free(base);
/* Set up for second try */
iov[3].flags = KRB5_CRYPTO_TYPE_DATA;
iov[3].data = in;
ret = krb5_crypto_length_iov(context, crypto,
iov, sizeof(iov)/sizeof(iov[0]));
if (ret)
krb5_err(context, 1, ret, "krb5_crypto_length_iov");
for (len = 0, i = 0; i < sizeof(iov)/sizeof(iov[0]); i++) {
if (iov[i].flags == KRB5_CRYPTO_TYPE_SIGN_ONLY)
continue;
len += iov[i].data.length;
}
base = emalloc(len);
/*
* Allocate data for the fields
*/
for (p = base, i = 0; i < sizeof(iov)/sizeof(iov[0]); i++) {
if (iov[i].flags == KRB5_CRYPTO_TYPE_SIGN_ONLY)
continue;;
iov[i].data.data = p;
p += iov[i].data.length;
}
assert(iov[1].data.length == in.length);
memcpy(iov[1].data.data, in.data, iov[1].data.length);
assert(iov[3].data.length == in2.length);
memcpy(iov[3].data.data, in2.data, iov[3].data.length);
/*
* Encrypt
*/
ret = krb5_encrypt_iov_ivec(context, crypto, 7,
iov, sizeof(iov)/sizeof(iov[0]), NULL);
if (ret)
krb5_err(context, 1, ret, "krb5_encrypt_iov_ivec");
/*
* Decrypt
*/
ret = krb5_decrypt_iov_ivec(context, crypto, 7,
iov, sizeof(iov)/sizeof(iov[0]), NULL);
if (ret)
krb5_err(context, 1, ret, "krb5_decrypt_iov_ivec");
/*
* Verify data
*/
if (krb5_data_cmp(&iov[1].data, &in) != 0)
krb5_errx(context, 1, "decrypted data 2.1 not same");
if (krb5_data_cmp(&iov[3].data, &in2) != 0)
krb5_errx(context, 1, "decrypted data 2.2 not same");
/*
* Free memory
*/
free(base);
krb5_crypto_destroy(context, crypto);
return 0;
}
static int
random_to_key(krb5_context context)
@@ -592,7 +834,6 @@ random_to_key(krb5_context context)
return 0;
}
int
main(int argc, char **argv)
{
@@ -608,6 +849,7 @@ main(int argc, char **argv)
val |= krb_enc_test(context);
val |= random_to_key(context);
val |= iov_test(context);
if (verbose && val == 0)
printf("all ok\n");

277
lib/krb5/crypto.c
View File

@@ -3182,7 +3182,7 @@ krb5_encrypt_iov_ivec(krb5_context context,
krb5_error_code ret;
struct key_data *dkey;
const struct encryption_type *et = crypto->et;
krb5_crypto_iov *tiv, *piv, *hiv, *div;
krb5_crypto_iov *tiv, *piv, *hiv;
if (num_data < 0) {
krb5_clear_error_message(context);
@@ -3197,11 +3197,11 @@ krb5_encrypt_iov_ivec(krb5_context context,
headersz = et->confoundersize;
trailersz = CHECKSUMSIZE(et->keyed_checksum);
div = find_iv(data, num_data, KRB5_CRYPTO_TYPE_DATA);
if (div == NULL)
return KRB5_CRYPTO_INTERNAL;
len = div->data.length;
for (len = 0, i = 0; i < num_data; i++) {
if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
continue;
len += data[i].data.length;
}
sz = headersz + len;
block_sz = (sz + et->padsize - 1) &~ (et->padsize - 1); /* pad */
@@ -3217,7 +3217,6 @@ krb5_encrypt_iov_ivec(krb5_context context,
krb5_generate_random_block(hiv->data.data, hiv->data.length);
/* padding */
piv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_PADDING);
/* its ok to have no TYPE_PADDING if there is no padding */
if (piv == NULL && pad_sz != 0)
@@ -3226,26 +3225,26 @@ krb5_encrypt_iov_ivec(krb5_context context,
if (piv->data.length < pad_sz)
return KRB5_BAD_MSIZE;
piv->data.length = pad_sz;
if (pad_sz)
memset(piv->data.data, pad_sz, pad_sz);
else
piv = NULL;
}
/* trailer */
tiv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
if (tiv == NULL || tiv->data.length != trailersz)
return KRB5_BAD_MSIZE;
/*
* XXX replace with EVP_Sign? at least make create_checksum an iov
* function.
* XXX CTS EVP is broken, can't handle multi buffers :(
*/
len = hiv->data.length;
len = block_sz;
for (i = 0; i < num_data; i++) {
if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
if (data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
continue;
len += data[i].data.length;
}
@@ -3261,6 +3260,10 @@ krb5_encrypt_iov_ivec(krb5_context context,
memcpy(q, data[i].data.data, data[i].data.length);
q += data[i].data.length;
}
if (piv) {
memset(q, 0, piv->data.length);
q += piv->data.length;
}
ret = create_checksum(context,
et->keyed_checksum,
@@ -3282,30 +3285,24 @@ krb5_encrypt_iov_ivec(krb5_context context,
memcpy(tiv->data.data, cksum.checksum.data, cksum.checksum.length);
free_Checksum (&cksum);
/* now encrypt data */
ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
if(ret)
return ret;
ret = _key_schedule(context, dkey);
if(ret)
return ret;
/* XXX replace with EVP_Cipher */
len = hiv->data.length + div->data.length;
if (piv)
len += piv->data.length;
p = q = malloc(len);
p = q = malloc(block_sz);
if(p == NULL)
return ENOMEM;
memcpy(q, hiv->data.data, hiv->data.length);
q += hiv->data.length;
memcpy(q, div->data.data, div->data.length);
q += div->data.length;
memset(q, 0, pad_sz);
for (i = 0; i < num_data; i++) {
if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
continue;
memcpy(q, data[i].data.data, data[i].data.length);
q += data[i].data.length;
}
if (piv) {
memset(q, 0, piv->data.length);
q += piv->data.length;
}
ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
if(ret) {
@@ -3318,7 +3315,7 @@ krb5_encrypt_iov_ivec(krb5_context context,
return ret;
}
ret = (*et->encrypt)(context, dkey, p, len, 1, usage, ivec);
ret = (*et->encrypt)(context, dkey, p, block_sz, 1, usage, ivec);
if (ret) {
free(p);
return ret;
@@ -3330,11 +3327,17 @@ krb5_encrypt_iov_ivec(krb5_context context,
memcpy(hiv->data.data, q, hiv->data.length);
q += hiv->data.length;
memcpy(div->data.data, q, div->data.length);
q += div->data.length;
if (piv)
for (i = 0; i < num_data; i++) {
if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
continue;
memcpy(data[i].data.data, q, data[i].data.length);
q += data[i].data.length;
}
if (piv) {
memcpy(piv->data.data, q, pad_sz);
q += pad_sz;
}
free(p);
return ret;
@@ -3371,13 +3374,12 @@ krb5_decrypt_iov_ivec(krb5_context context,
{
unsigned int i;
size_t headersz, trailersz, len;
size_t sz, block_sz, pad_sz;
Checksum cksum;
unsigned char *p, *q;
krb5_error_code ret;
struct key_data *dkey;
struct encryption_type *et = crypto->et;
krb5_crypto_iov *tiv, *hiv, *div;
krb5_crypto_iov *tiv, *hiv;
if (num_data < 0) {
krb5_clear_error_message(context);
@@ -3390,56 +3392,47 @@ krb5_decrypt_iov_ivec(krb5_context context,
}
headersz = et->confoundersize;
trailersz = CHECKSUMSIZE(et->keyed_checksum);
for (len = 0, i = 0; i < num_data; i++) {
if (data[i].flags == KRB5_CRYPTO_TYPE_DATA) {
if (len != 0)
return KRB5_CRYPTO_INTERNAL;
len += data[i].data.length;
}
}
sz = headersz + len;
block_sz = (sz + et->padsize - 1) &~ (et->padsize - 1); /* pad */
pad_sz = block_sz - sz;
trailersz += pad_sz;
/* header */
hiv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
if (hiv == NULL || hiv->data.length < headersz)
if (hiv == NULL || hiv->data.length != headersz)
return KRB5_BAD_MSIZE;
hiv->data.length = headersz;
/* trailer */
trailersz = CHECKSUMSIZE(et->keyed_checksum);
tiv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
if (tiv == NULL || tiv->data.length < trailersz)
if (tiv->data.length != trailersz)
return KRB5_BAD_MSIZE;
tiv->data.length = trailersz;
div = find_iv(data, num_data, KRB5_CRYPTO_TYPE_DATA);
if (div == NULL)
return KRB5_CRYPTO_INTERNAL;
/* Find length of data we will decrypt */
/* XXX replace with EVP_Cipher */
for (len = 0, i = 0; i < num_data; i++) {
if (data[i].flags != KRB5_CRYPTO_TYPE_HEADER &&
data[i].flags != KRB5_CRYPTO_TYPE_DATA)
len = headersz;
for (i = 0; i < num_data; i++) {
if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
continue;
len += data[i].data.length;
}
if ((len % et->padsize) != 0) {
krb5_clear_error_message(context);
return KRB5_BAD_MSIZE;
}
/* XXX replace with EVP_Cipher */
p = q = malloc(len);
if (p == NULL)
return ENOMEM;
memcpy(q, hiv->data.data, hiv->data.length);
q += hiv->data.length;
memcpy(q, div->data.data, div->data.length);
for (i = 0; i < num_data; i++) {
if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
continue;
memcpy(q, data[i].data.data, data[i].data.length);
q += data[i].data.length;
}
ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
if(ret) {
@@ -3460,20 +3453,26 @@ krb5_decrypt_iov_ivec(krb5_context context,
/* copy data back to buffers */
memcpy(hiv->data.data, p, hiv->data.length);
memcpy(div->data.data, p + hiv->data.length, len - hiv->data.length);
q = p + hiv->data.length;
for (i = 0; i < num_data; i++) {
if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
continue;
memcpy(data[i].data.data, q, data[i].data.length);
q += data[i].data.length;
}
free(p);
/* check signature */
len = hiv->data.length;
for (i = 0; i < num_data; i++) {
if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
if (data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
continue;
len += data[i].data.length;
}
p = q = malloc(len);
if (p == NULL)
return ENOMEM;
memcpy(q, hiv->data.data, hiv->data.length);
q += hiv->data.length;
@@ -3582,33 +3581,145 @@ krb5_create_checksum_iov(krb5_context context,
return 0;
}
/**
* Verify a Kerberos message checksum.
*
* @param context Kerberos context
* @param crypto Kerberos crypto context
* @param usage Key usage for this buffer
* @param data array of buffers to process
* @param num_data length of array
*
* @return Return an error code or 0.
* @ingroup krb5_crypto
*/
size_t KRB5_LIB_FUNCTION
krb5_error_code KRB5_LIB_FUNCTION
krb5_verify_checksum_iov(krb5_context context,
krb5_crypto crypto,
unsigned usage,
krb5_crypto_iov *data,
unsigned int num_data,
krb5_cksumtype *type)
{
struct encryption_type *et = crypto->et;
Checksum cksum;
krb5_crypto_iov *civ;
krb5_error_code ret;
int i;
size_t len;
char *p, *q;
if (num_data < 0) {
krb5_clear_error_message(context);
return KRB5_CRYPTO_INTERNAL;
}
if(!derived_crypto(context, crypto)) {
krb5_clear_error_message(context);
return KRB5_CRYPTO_INTERNAL;
}
civ = find_iv(data, num_data, KRB5_CRYPTO_TYPE_CHECKSUM);
if (civ == NULL)
return KRB5_BAD_MSIZE;
len = 0;
for (i = 0; i < num_data; i++) {
if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
continue;
len += data[i].data.length;
}
p = q = malloc(len);
for (i = 0; i < num_data; i++) {
if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
continue;
memcpy(q, data[i].data.data, data[i].data.length);
q += data[i].data.length;
}
cksum.cksumtype = CHECKSUMTYPE(et->keyed_checksum);
cksum.checksum.length = civ->data.length;
cksum.checksum.data = civ->data.data;
ret = krb5_verify_checksum(context, crypto, usage, p, len, &cksum);
free(p);
if (ret == 0 && type)
*type = cksum.cksumtype;
return ret;
}
krb5_error_code KRB5_LIB_FUNCTION
krb5_crypto_length(krb5_context context,
krb5_crypto crypto,
int type)
int type,
size_t *len)
{
if (!derived_crypto(context, crypto))
return (size_t)-1;
if (!derived_crypto(context, crypto)) {
krb5_set_error_message(context, EINVAL, "not a derived crypto");
return EINVAL;
}
switch(type) {
case KRB5_CRYPTO_TYPE_EMPTY:
*len = 0;
return 0;
case KRB5_CRYPTO_TYPE_HEADER:
return crypto->et->blocksize;
*len = crypto->et->blocksize;
return 0;
case KRB5_CRYPTO_TYPE_DATA:
case KRB5_CRYPTO_TYPE_SIGN_ONLY:
/* len must already been filled in */
return 0;
case KRB5_CRYPTO_TYPE_PADDING:
if (crypto->et->padsize > 1)
return crypto->et->padsize;
*len = crypto->et->padsize;
else
*len = 0;
return 0;
case KRB5_CRYPTO_TYPE_TRAILER:
return CHECKSUMSIZE(crypto->et->keyed_checksum);
*len = CHECKSUMSIZE(crypto->et->keyed_checksum);
return 0;
case KRB5_CRYPTO_TYPE_CHECKSUM:
if (crypto->et->keyed_checksum)
return CHECKSUMSIZE(crypto->et->keyed_checksum);
return CHECKSUMSIZE(crypto->et->checksum);
*len = CHECKSUMSIZE(crypto->et->keyed_checksum);
else
*len = CHECKSUMSIZE(crypto->et->checksum);
return 0;
}
return (size_t)-1;
krb5_set_error_message(context, EINVAL,
"%d not a supported type", type);
return EINVAL;
}
krb5_error_code KRB5_LIB_FUNCTION
krb5_crypto_length_iov(krb5_context context,
krb5_crypto crypto,
krb5_crypto_iov *data,
unsigned int num_data)
{
krb5_error_code ret;
int i;
for (i = 0; i < num_data; i++) {
ret = krb5_crypto_length(context, crypto,
data[i].flags,
&data[i].data.length);
if (ret)
return ret;
}
return 0;
}
krb5_error_code KRB5_LIB_FUNCTION
krb5_encrypt_ivec(krb5_context context,
krb5_crypto crypto,

2
lib/krb5/version-script.map
View File

@@ -185,6 +185,7 @@ HEIMDAL_KRB5_2.0 {
krb5_crypto_prf;
krb5_crypto_prf_length;
krb5_crypto_length;
krb5_crypto_length_iov;
krb5_decrypt_iov_ivec;
krb5_encrypt_iov_ivec;
krb5_data_alloc;
@@ -641,6 +642,7 @@ HEIMDAL_KRB5_2.0 {
krb5_verify_ap_req;
krb5_verify_authenticator_checksum;
krb5_verify_checksum;
krb5_verify_checksum_iov;
krb5_verify_init_creds;
krb5_verify_init_creds_opt_init;
krb5_verify_init_creds_opt_set_ap_req_nofail;