svn rev #21592: branches/mskrb-integ/src/lib/gssapi/krb5/
lhoward@MIT.EDU
lhoward at MIT.EDU
Fri Dec 26 00:20:57 EST 2008
http://src.mit.edu/fisheye/changelog/krb5/?cs=21592
Commit By: lhoward
Log Message:
Add RFC 4537 support to GSS-API.
Changed Files:
U branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c
U branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h
U branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c
U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c
U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3.c
U branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c
U branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c
Modified: branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c
===================================================================
--- branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c 2008-12-26 05:19:33 UTC (rev 21591)
+++ branches/mskrb-integ/src/lib/gssapi/krb5/accept_sec_context.c 2008-12-26 05:20:55 UTC (rev 21592)
@@ -343,52 +343,6 @@
return major_status;
}
-static krb5_error_code
-kg_derive_keys(krb5_context context,
- krb5_keyblock *subkey,
- krb5_keyblock **enc,
- krb5_keyblock **seq)
-{
- krb5_error_code code;
- unsigned int i;
-
- switch(subkey->enctype) {
- case ENCTYPE_DES_CBC_MD5:
- case ENCTYPE_DES_CBC_CRC:
- subkey->enctype = ENCTYPE_DES_CBC_RAW;
-
- /* fill in the encryption descriptors */
-
- code = krb5_copy_keyblock(context, subkey, enc);
- if (code)
- return code;
-
- for (i=0; i<(*enc)->length; i++)
- /*SUPPRESS 113*/
- (*enc)->contents[i] ^= 0xf0;
-
- goto copy_subkey_to_seq;
-
- case ENCTYPE_DES3_CBC_SHA1:
- subkey->enctype = ENCTYPE_DES3_CBC_RAW;
-
- /* fill in the encryption descriptors */
- default:
- code = krb5_copy_keyblock(context, subkey, enc);
- if (code)
- return code;
-
- copy_subkey_to_seq:
- code = krb5_copy_keyblock(context, subkey, seq);
- if (code)
- return code;
-
- break;
- }
-
- return 0;
-}
-
static OM_uint32
kg_accept_krb5(minor_status, context_handle,
verifier_cred_handle, input_token,
@@ -440,6 +394,7 @@
krb5int_access kaccess;
int cred_rcache = 0;
int no_encap = 0;
+ krb5_flags ap_req_options = 0;
code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
if (code) {
@@ -586,7 +541,7 @@
}
if ((code = krb5_rd_req(context, &auth_context, &ap_req, cred->princ,
- cred->keytab, NULL, &ticket))) {
+ cred->keytab, &ap_req_options, &ticket))) {
major_status = GSS_S_FAILURE;
goto fail;
}
@@ -897,53 +852,17 @@
goto fail;
}
- ctx->proto = 0;
- switch(ctx->subkey->enctype) {
- case ENCTYPE_DES_CBC_MD5:
- case ENCTYPE_DES_CBC_CRC:
- ctx->signalg = SGN_ALG_DES_MAC_MD5;
- ctx->cksum_size = 8;
- ctx->sealalg = SEAL_ALG_DES;
- break;
- case ENCTYPE_DES3_CBC_SHA1:
- ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD;
- ctx->cksum_size = 20;
- ctx->sealalg = SEAL_ALG_DES3KD;
- break;
- case ENCTYPE_ARCFOUR_HMAC:
- ctx->signalg = SGN_ALG_HMAC_MD5 ;
- ctx->cksum_size = 8;
- ctx->sealalg = SEAL_ALG_MICROSOFT_RC4;
- break;
- default:
- ctx->signalg = -1;
- ctx->sealalg = -1;
- ctx->proto = 1;
- code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, ctx->subkey->enctype,
- &ctx->cksumtype);
- if (code) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- code = krb5_c_checksum_length(context, ctx->cksumtype,
- &ctx->cksum_size);
- if (code) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- ctx->have_acceptor_subkey = 0;
- break;
- }
-
+ ctx->enc = NULL;
+ ctx->seq = NULL;
+ ctx->have_acceptor_subkey = 0;
/* DCE_STYLE implies acceptor_subkey */
if ((ctx->gss_flags & GSS_C_DCE_STYLE) == 0) {
- code = kg_derive_keys(context, ctx->subkey, &ctx->enc, &ctx->seq);
+ code = kg_setup_keys(context, ctx, ctx->subkey, &ctx->cksumtype);
if (code) {
major_status = GSS_S_FAILURE;
goto fail;
}
}
-
ctx->krb_times = ticket->enc_part2->times; /* struct copy */
ctx->krb_flags = ticket->enc_part2->flags;
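Review bot: In the GSS_C_DCE_STYLE branch the new code never calls kg_setup_keys for the session subkey, so ctx->proto, ctx->signalg, ctx->sealalg and ctx->cksum_size are no longer assigned at this point, whereas the removed switch set `ctx->proto = 0` and the algorithm fields unconditionally. Until the acceptor-subkey kg_setup_keys call later in kg_accept_krb5 runs, any read of those fields — the `ctx->proto == 1` test in the cfx_generate_subkey hunk below is one — depends on the ctx allocation having been zero-filled, which this hunk does not show. Add `ctx->proto = 0;` next to `ctx->have_acceptor_subkey = 0;` so the DCE path starts from a defined state regardless of how ctx was allocated. kg_accept_krb5 continues outside the hunk.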
@@ -984,7 +903,8 @@
krb5_int32 seq_temp;
int cfx_generate_subkey;
- if (ctx->proto == 1 || (ctx->gss_flags & GSS_C_DCE_STYLE))
+ if (ctx->proto == 1 || (ctx->gss_flags & GSS_C_DCE_STYLE) ||
+ (ap_req_options & AP_OPTS_ETYPE_NEGOTIATION))
cfx_generate_subkey = CFX_ACCEPTOR_SUBKEY;
else
cfx_generate_subkey = 0;
@@ -1019,27 +939,20 @@
major_status = GSS_S_FAILURE;
goto fail;
}
- code = (*kaccess.krb5int_c_mandatory_cksumtype)(context,
- ctx->acceptor_subkey->enctype,
- &ctx->acceptor_subkey_cksumtype);
- if (code) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
ctx->have_acceptor_subkey = 1;
- }
- /* the reply token hasn't been sent yet, but that's ok. */
- if (ctx->gss_flags & GSS_C_DCE_STYLE) {
- assert(ctx->have_acceptor_subkey);
- assert(ctx->enc == NULL && ctx->seq == NULL);
-
- code = kg_derive_keys(context, ctx->acceptor_subkey, &ctx->enc, &ctx->seq);
+ code = kg_setup_keys(context, ctx, ctx->acceptor_subkey,
+ &ctx->acceptor_subkey_cksumtype);
if (code) {
major_status = GSS_S_FAILURE;
goto fail;
}
+ }
+ /* the reply token hasn't been sent yet, but that's ok. */
+ if (ctx->gss_flags & GSS_C_DCE_STYLE) {
+ assert(ctx->have_acceptor_subkey);
+
/* in order to force acceptor subkey to be used, don't set PROT_READY */
/* Raw AP-REP is returned */
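Review bot: After this kg_setup_keys call ctx->enc and ctx->seq hold copies of ctx->acceptor_subkey rather than of the session subkey set up earlier, because kg_setup_keys (defined in util_crypt.c in this commit) frees and re-copies both slots on every call. That appears to be intended, but the wrap/unwrap code in k5sealv3.c still selects between ctx->enc and ctx->acceptor_subkey as if they could differ, so the relationship is worth recording here: `/* kg_setup_keys replaces ctx->enc/ctx->seq with copies of the acceptor subkey; from here on both key slots derive from it */`. kg_accept_krb5 continues outside the hunk.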
Modified: branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h
===================================================================
--- branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2008-12-26 05:19:33 UTC (rev 21591)
+++ branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h 2008-12-26 05:20:55 UTC (rev 21592)
@@ -262,6 +262,12 @@
krb5_keyblock *key,
unsigned char *seed);
+krb5_error_code
+kg_setup_keys(krb5_context context,
+ krb5_gss_ctx_id_rec *ctx,
+ krb5_keyblock *subkey,
+ krb5_cksumtype *cksumtype);
+
int kg_confounder_size (krb5_context context, krb5_keyblock *key);
krb5_error_code kg_make_confounder (krb5_context context,
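Review bot: The new kg_setup_keys prototype carries no comment, and the function has side effects a caller must know about: it frees and replaces ctx->enc and ctx->seq, rewrites ctx->proto, ctx->signalg, ctx->sealalg and ctx->cksum_size, and writes the mandatory checksum type through cksumtype only for CFX enctypes (0 otherwise). Suggest a comment above the declaration such as `/* Set ctx->enc/ctx->seq and the per-enctype wrap parameters from subkey, replacing any keys already in ctx. *cksumtype receives the mandatory checksum type for CFX enctypes, 0 otherwise. */`.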
Modified: branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c
===================================================================
--- branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c 2008-12-26 05:19:33 UTC (rev 21591)
+++ branches/mskrb-integ/src/lib/gssapi/krb5/init_sec_context.c 2008-12-26 05:20:55 UTC (rev 21592)
@@ -328,7 +328,7 @@
mk_req_flags = AP_OPTS_USE_SUBKEY;
if (ctx->gss_flags & GSS_C_MUTUAL_FLAG)
- mk_req_flags |= AP_OPTS_MUTUAL_REQUIRED;
+ mk_req_flags |= AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_ETYPE_NEGOTIATION;
code = krb5_mk_req_extended(context, &ctx->auth_context, mk_req_flags,
checksum_data, k_cred, &ap_req);
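Review bot: The reason AP_OPTS_ETYPE_NEGOTIATION is only requested together with GSS_C_MUTUAL_FLAG is not stated, and a later reader could plausibly move it onto the unconditional `mk_req_flags = AP_OPTS_USE_SUBKEY;` line. Since the acceptor's chosen enctype comes back in the AP-REP subkey, negotiation is only useful when an AP-REP is expected; add `/* RFC 4537 enctype negotiation needs the AP-REP to carry the result, so only offer it with mutual authentication */` above the if. The enclosing function continues outside the hunk.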
@@ -385,168 +385,6 @@
}
/*
- * setup_enc
- *
- * Fill in the encryption descriptors. Called after AP-REQ is made.
- */
-static OM_uint32
-setup_enc(
- OM_uint32 *minor_status,
- krb5_gss_ctx_id_rec *ctx,
- krb5_context context)
-{
- krb5_error_code code;
- unsigned int i;
- krb5int_access kaccess;
-
- code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
- if (code)
- goto fail;
-
- ctx->have_acceptor_subkey = 0;
- ctx->proto = 0;
- ctx->cksumtype = 0;
- switch(ctx->subkey->enctype) {
- case ENCTYPE_DES_CBC_MD5:
- case ENCTYPE_DES_CBC_MD4:
- case ENCTYPE_DES_CBC_CRC:
- ctx->subkey->enctype = ENCTYPE_DES_CBC_RAW;
- ctx->signalg = SGN_ALG_DES_MAC_MD5;
- ctx->cksum_size = 8;
- ctx->sealalg = SEAL_ALG_DES;
-
- /* The encryption key is the session key XOR
- 0xf0f0f0f0f0f0f0f0. */
- if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc)))
- goto fail;
-
- for (i=0; i<ctx->enc->length; i++)
- ctx->enc->contents[i] ^= 0xf0;
-
- goto copy_subkey_to_seq;
-
- case ENCTYPE_DES3_CBC_SHA1:
- /* MIT extension */
- ctx->subkey->enctype = ENCTYPE_DES3_CBC_RAW;
- ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD;
- ctx->cksum_size = 20;
- ctx->sealalg = SEAL_ALG_DES3KD;
-
- copy_subkey:
- code = krb5_copy_keyblock (context, ctx->subkey, &ctx->enc);
- if (code)
- goto fail;
- copy_subkey_to_seq:
- code = krb5_copy_keyblock (context, ctx->subkey, &ctx->seq);
- if (code) {
- krb5_free_keyblock (context, ctx->enc);
- goto fail;
- }
- break;
-
- case ENCTYPE_ARCFOUR_HMAC:
- /* Microsoft extension */
- ctx->signalg = SGN_ALG_HMAC_MD5 ;
- ctx->cksum_size = 8;
- ctx->sealalg = SEAL_ALG_MICROSOFT_RC4 ;
-
- goto copy_subkey;
-
- default:
- /* Fill some fields we shouldn't be using on this path
- with garbage. */
- ctx->signalg = -10;
- ctx->sealalg = -10;
-
- ctx->proto = 1;
- code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, ctx->subkey->enctype,
- &ctx->cksumtype);
- if (code)
- goto fail;
- code = krb5_c_checksum_length(context, ctx->cksumtype,
- &ctx->cksum_size);
- if (code)
- goto fail;
- goto copy_subkey;
- }
- *minor_status = 0;
- return GSS_S_COMPLETE;
-fail:
- *minor_status = code;
- return GSS_S_FAILURE;
-}
-
-static OM_uint32
-setup_enc_dce(
- krb5_error_code *minor_status,
- krb5_gss_ctx_id_rec *ctx,
- krb5_context context)
-{
- krb5_error_code code;
- size_t i;
-
- if (ctx->proto > 0) {
- return GSS_S_COMPLETE; /* CFX handles acceptor_subkey directly */
- }
-
- assert(ctx->have_acceptor_subkey && ctx->acceptor_subkey);
-
- if (ctx->enc != NULL) {
- krb5_free_keyblock(context, ctx->enc);
- ctx->enc = NULL;
- }
- if (ctx->seq != NULL) {
- krb5_free_keyblock(context, ctx->seq);
- ctx->seq = NULL;
- }
-
- switch(ctx->acceptor_subkey->enctype) {
- case ENCTYPE_DES_CBC_MD5:
- case ENCTYPE_DES_CBC_MD4:
- case ENCTYPE_DES_CBC_CRC:
- ctx->acceptor_subkey->enctype = ENCTYPE_DES_CBC_RAW;
-
- /* The encryption key is the session key XOR
- 0xf0f0f0f0f0f0f0f0. */
- if ((code = krb5_copy_keyblock(context, ctx->acceptor_subkey, &ctx->enc)))
- goto fail;
-
- for (i=0; i<ctx->enc->length; i++)
- ctx->enc->contents[i] ^= 0xf0;
-
- goto copy_acceptor_subkey_to_seq;
-
- case ENCTYPE_DES3_CBC_SHA1:
- /* MIT extension */
- ctx->acceptor_subkey->enctype = ENCTYPE_DES3_CBC_RAW;
-
- copy_acceptor_subkey:
- code = krb5_copy_keyblock (context, ctx->acceptor_subkey, &ctx->enc);
- if (code)
- goto fail;
- copy_acceptor_subkey_to_seq:
- code = krb5_copy_keyblock (context, ctx->acceptor_subkey, &ctx->seq);
- if (code) {
- krb5_free_keyblock (context, ctx->enc);
- goto fail;
- }
- break;
-
- case ENCTYPE_ARCFOUR_HMAC:
- /* Microsoft extension */
- goto copy_acceptor_subkey;
- default:
- assert(0);
- break;
- }
- *minor_status = 0;
- return GSS_S_COMPLETE;
-fail:
- *minor_status = code;
- return GSS_S_FAILURE;
-}
-
-/*
* new_connection
*
* Do the grunt work of setting up a new context.
@@ -691,12 +529,16 @@
&ctx->subkey);
}
- major_status = setup_enc(minor_status, ctx, context);
-
if (k_cred) {
krb5_free_creds(context, k_cred);
- k_cred = 0;
+ k_cred = NULL;
}
+ ctx->enc = NULL;
+ ctx->seq = NULL;
+ ctx->have_acceptor_subkey = 0;
+ code = kg_setup_keys(context, ctx, ctx->subkey, &ctx->cksumtype);
+ if (code != 0)
+ goto fail;
/* at this point, the context is constructed and valid,
hence, releaseable */
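Review bot: `if (code != 0) goto fail;` after kg_setup_keys relies on the `fail:` label, which is outside this hunk, to turn `code` into *minor_status and a GSS_S_FAILURE major status; the removed setup_enc wrote *minor_status itself, so confirm the label does this or the caller will see a failure with a stale minor code. The three assignments before the call are needed because kg_setup_keys frees non-NULL ctx->enc/ctx->seq; if ctx is calloc'd they are redundant but harmless, and a one-line comment `/* kg_setup_keys frees any existing enc/seq; they must start out NULL */` would record why they are here.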
@@ -893,21 +735,24 @@
(ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0,
(ctx->gss_flags & GSS_C_SEQUENCE_FLAG) !=0, ctx->proto);
- if ((ctx->proto == 1 || (ctx->gss_flags & GSS_C_DCE_STYLE)) &&
- ap_rep_data->subkey) {
+ if (ap_rep_data->subkey != NULL &&
+ (ctx->proto == 1 || (ctx->gss_flags & GSS_C_DCE_STYLE) ||
+ ap_rep_data->subkey->enctype != ctx->subkey->enctype)) {
/* Keep acceptor's subkey. */
ctx->have_acceptor_subkey = 1;
code = krb5_copy_keyblock(context, ap_rep_data->subkey,
&ctx->acceptor_subkey);
- if (code)
+ if (code) {
+ krb5_free_ap_rep_enc_part(context, ap_rep_data);
goto fail;
- code = (*kaccess.krb5int_c_mandatory_cksumtype)(context,
- ctx->acceptor_subkey->enctype,
- &ctx->acceptor_subkey_cksumtype);
- if (code)
- goto fail;
+ }
+ code = kg_setup_keys(context, ctx, ctx->acceptor_subkey,
+ &ctx->acceptor_subkey_cksumtype);
+ if (code) {
+ krb5_free_ap_rep_enc_part(context, ap_rep_data);
+ goto fail;
+ }
}
-
/* free the ap_rep_data */
krb5_free_ap_rep_enc_part(context, ap_rep_data);
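Review bot: `ctx->have_acceptor_subkey = 1;` is set before the krb5_copy_keyblock that fills ctx->acceptor_subkey can fail, so on both `goto fail` paths the flag is true while the pointer may still be NULL; setting the flag only after kg_setup_keys succeeds keeps the context consistent for whatever teardown runs at `fail:` (outside the hunk). The new third condition makes the initiator adopt an acceptor subkey of any enctype that differs from the session subkey; unless krb5_rd_rep already enforces it, the returned enctype should be checked against the set the initiator offered in its RFC 4537 negotiation before the key is used, so an acceptor cannot select an enctype the initiator did not permit. The two `krb5_free_ap_rep_enc_part(context, ap_rep_data); goto fail;` sequences could also share a local cleanup label rather than being duplicated.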
@@ -920,10 +765,6 @@
output_token->value = outbuf.data;
output_token->length = outbuf.length;
-
- major_status = setup_enc_dce(&code, ctx, context);
- if (major_status != GSS_S_COMPLETE)
- goto fail;
}
/* set established */
Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c
===================================================================
--- branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c 2008-12-26 05:19:33 UTC (rev 21591)
+++ branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c 2008-12-26 05:20:55 UTC (rev 21592)
@@ -421,9 +421,14 @@
gss_headerlen = gss_padlen = gss_trailerlen = 0;
if (ctx->proto == 1) {
- krb5_enctype enctype = ctx->enc->enctype;
+ krb5_enctype enctype;
size_t ec;
+ if (ctx->have_acceptor_subkey)
+ enctype = ctx->acceptor_subkey->enctype;
+ else
+ enctype = ctx->enc->enctype;
+
code = krb5_c_crypto_length(context, enctype,
conf_req_flag ?
KRB5_CRYPTO_TYPE_TRAILER : KRB5_CRYPTO_TYPE_CHECKSUM,
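Review bot: The have_acceptor_subkey ? acceptor_subkey : enc selection introduced here is now written out in four places across k5sealiov.c, k5sealv3.c and k5sealv3iov.c in this commit, each also picking the matching cksumtype in the other three. A small static inline helper returning the active key and cksumtype would keep the four copies from drifting. The enclosing function continues outside the hunk.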
Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3.c
===================================================================
--- branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3.c 2008-12-26 05:19:33 UTC (rev 21591)
+++ branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3.c 2008-12-26 05:20:55 UTC (rev 21592)
@@ -82,6 +82,7 @@
unsigned short tok_id;
krb5_checksum sum;
krb5_keyblock *key;
+ krb5_cksumtype cksumtype;
assert(toktype != KG_TOK_SEAL_MSG || ctx->enc != 0);
assert(ctx->big_endian == 0);
@@ -96,8 +97,10 @@
: KG_USAGE_ACCEPTOR_SIGN));
if (ctx->have_acceptor_subkey) {
key = ctx->acceptor_subkey;
+ cksumtype = ctx->acceptor_subkey_cksumtype;
} else {
key = ctx->enc;
+ cksumtype = ctx->cksumtype;
}
#ifdef CFX_EXERCISE
@@ -133,7 +136,7 @@
return ENOMEM;
/* Get size of ciphertext. */
- bufsize = 16 + krb5_encrypt_size (plain.length, ctx->enc->enctype);
+ bufsize = 16 + krb5_encrypt_size (plain.length, key->enctype);
/* Allocate space for header plus encrypted data. */
outbuf = malloc(bufsize);
if (outbuf == NULL) {
@@ -238,7 +241,7 @@
sum.contents = outbuf + 16 + message2->length;
sum.length = ctx->cksum_size;
- err = krb5_c_make_checksum(context, ctx->cksumtype, key,
+ err = krb5_c_make_checksum(context, cksumtype, key,
key_usage, &plain, &sum);
zap(plain.data, plain.length);
free(plain.data);
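Review bot: The checksum type is now chosen per key (`cksumtype`), but `sum.length = ctx->cksum_size;` two lines above still uses a single per-context field, which kg_setup_keys overwrites for whichever key it was last called with. With RFC 4537 the acceptor subkey's enctype may differ from the session subkey's, so the two keys can have different checksum lengths; today the wrap path happens to agree because the acceptor subkey is both the key selected when have_acceptor_subkey is set and the last one passed to kg_setup_keys, but that coupling is implicit. Deriving the length from the selected type, e.g. via `krb5_c_checksum_length(context, cksumtype, ...)`, or tracking an acceptor_subkey_cksum_size alongside acceptor_subkey_cksumtype, would make it explicit; the iov variants appear to pass cksumtype into the checksum helpers and may not have this issue. The enclosing function continues outside the hunk.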
@@ -311,6 +314,7 @@
krb5_error_code err;
krb5_boolean valid;
krb5_keyblock *key;
+ krb5_cksumtype cksumtype;
assert(toktype != KG_TOK_SEAL_MSG || ctx->enc != 0);
assert(ctx->big_endian == 0);
@@ -360,8 +364,10 @@
value in that case, though, so we can just ignore the flag. */
if (ctx->have_acceptor_subkey && (ptr[2] & FLAG_ACCEPTOR_SUBKEY)) {
key = ctx->acceptor_subkey;
+ cksumtype = ctx->acceptor_subkey_cksumtype;
} else {
key = ctx->enc;
+ cksumtype = ctx->cksumtype;
}
if (toktype == KG_TOK_WRAP_MSG) {
@@ -442,7 +448,7 @@
return GSS_S_BAD_SIG;
}
sum.contents = ptr+bodysize-ec;
- sum.checksum_type = ctx->cksumtype;
+ sum.checksum_type = cksumtype;
err = krb5_c_verify_checksum(context, key, key_usage,
&plain, &sum, &valid);
if (err)
@@ -479,7 +485,7 @@
memcpy(plain.data + message_buffer->length, ptr, 16);
sum.length = bodysize - 16;
sum.contents = ptr + 16;
- sum.checksum_type = ctx->cksumtype;
+ sum.checksum_type = cksumtype;
err = krb5_c_verify_checksum(context, key, key_usage,
&plain, &sum, &valid);
free(plain.data);
Modified: branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c
===================================================================
--- branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c 2008-12-26 05:19:33 UTC (rev 21591)
+++ branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c 2008-12-26 05:20:55 UTC (rev 21592)
@@ -54,6 +54,7 @@
size_t rrc = 0;
size_t gss_headerlen, gss_trailerlen;
krb5_keyblock *key;
+ krb5_cksumtype cksumtype;
size_t data_length, assoc_data_length;
assert(toktype != KG_TOK_WRAP_MSG || ctx->enc != NULL);
@@ -69,8 +70,10 @@
: KG_USAGE_ACCEPTOR_SIGN));
if (ctx->have_acceptor_subkey) {
key = ctx->acceptor_subkey;
+ cksumtype = ctx->acceptor_subkey_cksumtype;
} else {
key = ctx->enc;
+ cksumtype = ctx->cksumtype;
}
kg_iov_msglen(iov, iov_count, &data_length, &assoc_data_length);
@@ -230,7 +233,7 @@
}
store_64_be(ctx->seq_send, outbuf + 8);
- code = kg_make_checksum_iov_v3(context, ctx->cksumtype,
+ code = kg_make_checksum_iov_v3(context, cksumtype,
rrc, key, key_usage,
iov, iov_count);
if (code != 0)
@@ -286,6 +289,7 @@
krb5_keyblock *key;
gssint_uint64 seqnum;
krb5_boolean valid;
+ krb5_cksumtype cksumtype;
assert(toktype != KG_TOK_WRAP_MSG || ctx->enc != 0);
assert(ctx->big_endian == 0);
@@ -328,8 +332,10 @@
if (ctx->have_acceptor_subkey && (ptr[2] & FLAG_ACCEPTOR_SUBKEY)) {
key = ctx->acceptor_subkey;
+ cksumtype = ctx->acceptor_subkey_cksumtype;
} else {
key = ctx->enc;
+ cksumtype = ctx->cksumtype;
}
if (toktype == KG_TOK_WRAP_MSG) {
@@ -392,7 +398,7 @@
store_16_be(0, ptr + 4);
store_16_be(0, ptr + 6);
- code = kg_verify_checksum_iov_v3(context, ctx->cksumtype, rrc,
+ code = kg_verify_checksum_iov_v3(context, cksumtype, rrc,
key, key_usage,
iov, iov_count, &valid);
if (code != 0 || valid == FALSE) {
@@ -411,7 +417,7 @@
goto defective;
seqnum = load_64_be(ptr + 8);
- code = kg_verify_checksum_iov_v3(context, ctx->cksumtype, 0,
+ code = kg_verify_checksum_iov_v3(context, cksumtype, 0,
key, key_usage,
iov, iov_count, &valid);
if (code != 0 || valid == FALSE) {
Modified: branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c
===================================================================
--- branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-26 05:19:33 UTC (rev 21591)
+++ branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c 2008-12-26 05:20:55 UTC (rev 21592)
@@ -54,6 +54,87 @@
#include <memory.h>
#endif
+krb5_error_code
+kg_setup_keys(krb5_context context,
+ krb5_gss_ctx_id_rec *ctx,
+ krb5_keyblock *subkey,
+ krb5_cksumtype *cksumtype)
+{
+ krb5_error_code code;
+ unsigned int i;
+ krb5int_access kaccess;
+
+ assert(ctx != NULL);
+ assert(subkey != NULL);
+
+ *cksumtype = 0;
+ ctx->proto = 0;
+
+ code = krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION);
+ if (code != 0)
+ return code;
+
+ if (ctx->enc != NULL) {
+ krb5_free_keyblock(context, ctx->enc);
+ ctx->enc = NULL;
+ }
+ code = krb5_copy_keyblock(context, subkey, &ctx->enc);
+ if (code != 0)
+ return code;
+
+ if (ctx->seq != NULL) {
+ krb5_free_keyblock(context, ctx->seq);
+ ctx->seq = NULL;
+ }
+ code = krb5_copy_keyblock(context, subkey, &ctx->seq);
+ if (code != 0)
+ return code;
+
+ switch (subkey->enctype) {
+ case ENCTYPE_DES_CBC_MD5:
+ case ENCTYPE_DES_CBC_MD4:
+ case ENCTYPE_DES_CBC_CRC:
+ ctx->enc->enctype = ENCTYPE_DES_CBC_RAW;
+ ctx->seq->enctype = ENCTYPE_DES_CBC_RAW;
+ ctx->signalg = SGN_ALG_DES_MAC_MD5;
+ ctx->cksum_size = 8;
+ ctx->sealalg = SEAL_ALG_DES;
+
+ for (i = 0; i < ctx->enc->length; i++)
+ /*SUPPRESS 113*/
+ ctx->enc->contents[i] ^= 0xF0;
+ break;
+ case ENCTYPE_DES3_CBC_SHA1:
+ ctx->enc->enctype = ENCTYPE_DES3_CBC_RAW;
+ ctx->seq->enctype = ENCTYPE_DES3_CBC_RAW;
+ ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD;
+ ctx->cksum_size = 20;
+ ctx->sealalg = SEAL_ALG_DES3KD;
+ break;
+ case ENCTYPE_ARCFOUR_HMAC:
+ ctx->signalg = SGN_ALG_HMAC_MD5;
+ ctx->cksum_size = 8;
+ ctx->sealalg = SEAL_ALG_MICROSOFT_RC4;
+ break;
+ default:
+ ctx->signalg = -1;
+ ctx->sealalg = -1;
+ ctx->proto = 1;
+
+ code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, subkey->enctype,
+ cksumtype);
+ if (code != 0)
+ return code;
+
+ code = krb5_c_checksum_length(context, *cksumtype, &ctx->cksum_size);
+ if (code != 0)
+ return code;
+ break;
+ }
+
+ return 0;
+}
+
int
kg_confounder_size(context, key)
krb5_context context;
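Review bot: If the second krb5_copy_keyblock fails, kg_setup_keys returns with a freshly copied ctx->enc, ctx->seq NULL and ctx->proto already reset to 0, i.e. a partially updated context; the callers in this commit all `goto fail` and presumably release ctx, so this is not a leak, but the partial-update behaviour is part of the contract and should be stated in a header comment (the one proposed on the gssapiP_krb5.h declaration covers it). The krb5int_accessor lookup is only consumed in the default (CFX) branch yet runs for every enctype; moving `code = krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION);` into that branch narrows the failure surface for the legacy enctypes. The `/*SUPPRESS 113*/` lint marker copied from the old kg_derive_keys has no meaning to current tooling and can be dropped.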