(generate_dh_keyblock): use the new function krb5_random_to_key
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13743 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
51
kdc/pkinit.c
51
kdc/pkinit.c
@@ -220,14 +220,12 @@ check_dh_params(DH *dh)
|
|||||||
|
|
||||||
static krb5_error_code
|
static krb5_error_code
|
||||||
generate_dh_keyblock(krb5_context context, pk_client_params *client_params,
|
generate_dh_keyblock(krb5_context context, pk_client_params *client_params,
|
||||||
krb5_keyblock *reply_key)
|
krb5_enctype enctype, krb5_keyblock *reply_key)
|
||||||
{
|
{
|
||||||
unsigned char *dh_gen_key = NULL;
|
unsigned char *dh_gen_key = NULL;
|
||||||
krb5_keyblock key;
|
krb5_keyblock key;
|
||||||
int dh_gen_keylen;
|
int dh_gen_keylen;
|
||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
/* XXX don't hardcode the keytype */
|
|
||||||
krb5_enctype enctype = ETYPE_DES3_CBC_SHA1;
|
|
||||||
|
|
||||||
memset(&key, 0, sizeof(key));
|
memset(&key, 0, sizeof(key));
|
||||||
|
|
||||||
@@ -261,46 +259,15 @@ generate_dh_keyblock(krb5_context context, pk_client_params *client_params,
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
switch (enctype) {
|
ret = krb5_random_to_key(context, enctype,
|
||||||
case ETYPE_DES_CBC_CRC:
|
dh_gen_key, dh_gen_keylen, &key);
|
||||||
case ETYPE_DES_CBC_MD4:
|
|
||||||
case ETYPE_DES_CBC_MD5:
|
|
||||||
case ETYPE_DES3_CBC_SHA1:
|
|
||||||
case ETYPE_OLD_DES3_CBC_SHA1: {
|
|
||||||
DES_cblock *k;
|
|
||||||
|
|
||||||
ret = krb5_generate_random_keyblock(context, enctype, &key);
|
if (ret) {
|
||||||
if (ret)
|
krb5_set_error_string(context,
|
||||||
goto out;
|
"pkinit - can't create key from DH key");
|
||||||
memset(key.keyvalue.data, 0, key.keyvalue.length);
|
ret = KRB5KRB_ERR_GENERIC;
|
||||||
|
goto out;
|
||||||
if (dh_gen_keylen < key.keyvalue.length) {
|
|
||||||
krb5_set_error_string(context, "Too small key generated by "
|
|
||||||
"Diffie-Hellman mechanism");
|
|
||||||
ret = KRB5KRB_ERR_GENERIC;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
memcpy(key.keyvalue.data, dh_gen_key, key.keyvalue.length);
|
|
||||||
k = key.keyvalue.data;
|
|
||||||
DES_set_odd_parity(&k[0]);
|
|
||||||
switch (enctype) {
|
|
||||||
case ETYPE_DES3_CBC_SHA1:
|
|
||||||
case ETYPE_OLD_DES3_CBC_SHA1:
|
|
||||||
DES_set_odd_parity(&k[1]);
|
|
||||||
DES_set_odd_parity(&k[2]);
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
}
|
}
|
||||||
default:
|
|
||||||
krb5_set_error_string(context, "PKINIT DH, unsupported enctype: %d",
|
|
||||||
(int)enctype);
|
|
||||||
ret = KRB5_KDC_ERR_KEY_TOO_WEAK;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = krb5_copy_keyblock_contents(context, &key, reply_key);
|
ret = krb5_copy_keyblock_contents(context, &key, reply_key);
|
||||||
|
|
||||||
out:
|
out:
|
||||||
@@ -946,7 +913,7 @@ pk_mk_pa_reply(krb5_context context,
|
|||||||
if (ret)
|
if (ret)
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
ret = generate_dh_keyblock(context, client_params,
|
ret = generate_dh_keyblock(context, client_params, enctype,
|
||||||
&client_params->reply_key);
|
&client_params->reply_key);
|
||||||
if (ret)
|
if (ret)
|
||||||
return ret;
|
return ret;
|
||||||
|
|||||||
Reference in New Issue
Block a user