svn rev #22903: branches/enc-perf/src/lib/gssapi/krb5/
ghudson@MIT.EDU
ghudson at MIT.EDU
Thu Oct 15 16:56:44 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=22903
Commit By: ghudson
Log Message:
Change the krb5_keyblocks in the gss-krb5 id-rec to krb5_keys, and use
krb5_k functions to encrypt and decrypt with them.
Changed Files:
U branches/enc-perf/src/lib/gssapi/krb5/accept_sec_context.c
U branches/enc-perf/src/lib/gssapi/krb5/delete_sec_context.c
U branches/enc-perf/src/lib/gssapi/krb5/gssapiP_krb5.h
U branches/enc-perf/src/lib/gssapi/krb5/init_sec_context.c
U branches/enc-perf/src/lib/gssapi/krb5/inq_context.c
U branches/enc-perf/src/lib/gssapi/krb5/k5seal.c
U branches/enc-perf/src/lib/gssapi/krb5/k5sealiov.c
U branches/enc-perf/src/lib/gssapi/krb5/k5sealv3.c
U branches/enc-perf/src/lib/gssapi/krb5/k5sealv3iov.c
U branches/enc-perf/src/lib/gssapi/krb5/k5unseal.c
U branches/enc-perf/src/lib/gssapi/krb5/k5unsealiov.c
U branches/enc-perf/src/lib/gssapi/krb5/lucid_context.c
U branches/enc-perf/src/lib/gssapi/krb5/ser_sctx.c
U branches/enc-perf/src/lib/gssapi/krb5/util_cksum.c
U branches/enc-perf/src/lib/gssapi/krb5/util_crypt.c
U branches/enc-perf/src/lib/gssapi/krb5/util_seed.c
U branches/enc-perf/src/lib/gssapi/krb5/util_seqnum.c
U branches/enc-perf/src/lib/gssapi/krb5/wrap_size_limit.c
Modified: branches/enc-perf/src/lib/gssapi/krb5/accept_sec_context.c
===================================================================
--- branches/enc-perf/src/lib/gssapi/krb5/accept_sec_context.c 2009-10-15 19:57:29 UTC (rev 22902)
+++ branches/enc-perf/src/lib/gssapi/krb5/accept_sec_context.c 2009-10-15 20:56:44 UTC (rev 22903)
@@ -442,6 +442,7 @@
int no_encap = 0;
krb5_flags ap_req_options = 0;
krb5_enctype negotiated_etype;
+ krb5_keyblock *keyblock = NULL;
code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
if (code) {
@@ -876,22 +877,21 @@
}
if ((code = krb5_auth_con_getrecvsubkey(context, auth_context,
- &ctx->subkey))) {
+ &keyblock))) {
major_status = GSS_S_FAILURE;
goto fail;
}
/* use the session key if the subkey isn't present */
- if (ctx->subkey == NULL) {
- if ((code = krb5_auth_con_getkey(context, auth_context,
- &ctx->subkey))) {
+ if (keyblock == NULL) {
+ if ((code = krb5_auth_con_getkey(context, auth_context, &keyblock))) {
major_status = GSS_S_FAILURE;
goto fail;
}
}
- if (ctx->subkey == NULL) {
+ if (keyblock == NULL) {
/* this isn't a very good error, but it's not clear to me this
can actually happen */
major_status = GSS_S_FAILURE;
@@ -899,6 +899,12 @@
goto fail;
}
+ code = krb5_k_create_key(context, keyblock, &ctx->subkey);
+ if (code) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+
ctx->enc = NULL;
ctx->seq = NULL;
ctx->have_acceptor_subkey = 0;
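Review bot: The keyblock obtained from krb5_auth_con_getrecvsubkey/krb5_auth_con_getkey is still live after `krb5_k_create_key(context, keyblock, &ctx->subkey)` succeeds, and the later hunk in this file reuses `keyblock` as the output of krb5_auth_con_getsendsubkey, overwriting the pointer. Since `keyblock` is introduced by this commit and the only frees in the diff are after that acceptor-subkey lookup and in the fail path, the first keyblock (and its key material) leaks whenever the acceptor-subkey branch is taken. The copy inside ctx->subkey is what the context uses, so release the original as soon as the key exists: add `krb5_free_keyblock(context, keyblock); keyblock = NULL;` right after the error check, as init_sec_context.c does in this same commit. The enclosing function starts and ends outside the hunk.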
@@ -1026,12 +1032,19 @@
/* Get the new acceptor subkey. With the code above, there
should always be one if we make it to this point. */
code = krb5_auth_con_getsendsubkey(context, auth_context,
- &ctx->acceptor_subkey);
+ &keyblock);
if (code != 0) {
major_status = GSS_S_FAILURE;
goto fail;
}
+ code = krb5_k_create_key(context, keyblock, &ctx->acceptor_subkey);
+ if (code != 0) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
ctx->have_acceptor_subkey = 1;
+ krb5_free_keyblock(context, keyblock);
+ keyblock = NULL;
code = kg_setup_keys(context, ctx, ctx->acceptor_subkey,
&ctx->acceptor_subkey_cksumtype);
@@ -1148,6 +1161,8 @@
xfree(reqcksum.contents);
if (ap_rep.data)
krb5_free_data_contents(context, &ap_rep);
+ if (keyblock)
+ krb5_free_keyblock(context, keyblock);
if (major_status == GSS_S_COMPLETE ||
(major_status == GSS_S_CONTINUE_NEEDED && code != KRB5KRB_AP_ERR_MSG_TYPE)) {
ctx->k5_context = context;
Modified: branches/enc-perf/src/lib/gssapi/krb5/delete_sec_context.c
===================================================================
--- branches/enc-perf/src/lib/gssapi/krb5/delete_sec_context.c 2009-10-15 19:57:29 UTC (rev 22902)
+++ branches/enc-perf/src/lib/gssapi/krb5/delete_sec_context.c 2009-10-15 20:56:44 UTC (rev 22903)
@@ -82,19 +82,19 @@
g_order_free(&(ctx->seqstate));
if (ctx->enc)
- krb5_free_keyblock(context, ctx->enc);
+ krb5_k_free_key(context, ctx->enc);
if (ctx->seq)
- krb5_free_keyblock(context, ctx->seq);
+ krb5_k_free_key(context, ctx->seq);
if (ctx->here)
krb5_free_principal(context, ctx->here);
if (ctx->there)
krb5_free_principal(context, ctx->there);
if (ctx->subkey)
- krb5_free_keyblock(context, ctx->subkey);
+ krb5_k_free_key(context, ctx->subkey);
if (ctx->acceptor_subkey)
- krb5_free_keyblock(context, ctx->acceptor_subkey);
+ krb5_k_free_key(context, ctx->acceptor_subkey);
if (ctx->auth_context) {
if (ctx->cred_rcache)
Modified: branches/enc-perf/src/lib/gssapi/krb5/gssapiP_krb5.h
===================================================================
--- branches/enc-perf/src/lib/gssapi/krb5/gssapiP_krb5.h 2009-10-15 19:57:29 UTC (rev 22902)
+++ branches/enc-perf/src/lib/gssapi/krb5/gssapiP_krb5.h 2009-10-15 20:56:44 UTC (rev 22903)
@@ -186,15 +186,14 @@
unsigned char seed[16];
krb5_principal here;
krb5_principal there;
- krb5_keyblock *subkey; /*One of two potential keys to use with RFC
- * 4121 packets; this key must always be set.*/
+ krb5_key subkey; /* One of two potential keys to use with RFC 4121
+ * packets; this key must always be set. */
int signalg;
size_t cksum_size;
int sealalg;
- krb5_keyblock *enc; /*RFC 1964 encryption key;seq xored with a
- * constant for DES,
- * seq for other RFC 1964 enctypes */
- krb5_keyblock *seq; /*RFC 1964 sequencing key*/
+ krb5_key enc; /* RFC 1964 encryption key; seq xored with a constant
+ * for DES, seq for other RFC 1964 enctypes */
+ krb5_key seq; /* RFC 1964 sequencing key */
krb5_ticket_times krb_times;
krb5_flags krb_flags;
/* XXX these used to be signed. the old spec is inspecific, and
@@ -214,7 +213,7 @@
1964 tokens is permitted.*/
int proto;
krb5_cksumtype cksumtype; /* for "main" subkey */
- krb5_keyblock *acceptor_subkey; /* CFX only */
+ krb5_key acceptor_subkey; /* CFX only */
krb5_cksumtype acceptor_subkey_cksumtype;
int cred_rcache; /* did we get rcache from creds? */
krb5_authdata **authdata;
@@ -255,32 +254,32 @@
int bigend);
krb5_error_code kg_make_seq_num (krb5_context context,
- krb5_keyblock *key,
+ krb5_key key,
int direction, krb5_ui_4 seqnum, unsigned char *cksum,
unsigned char *buf);
krb5_error_code kg_get_seq_num (krb5_context context,
- krb5_keyblock *key,
+ krb5_key key,
unsigned char *cksum, unsigned char *buf, int *direction,
krb5_ui_4 *seqnum);
krb5_error_code kg_make_seed (krb5_context context,
- krb5_keyblock *key,
+ krb5_key key,
unsigned char *seed);
krb5_error_code
kg_setup_keys(krb5_context context,
krb5_gss_ctx_id_rec *ctx,
- krb5_keyblock *subkey,
+ krb5_key subkey,
krb5_cksumtype *cksumtype);
-int kg_confounder_size (krb5_context context, krb5_keyblock *key);
+int kg_confounder_size (krb5_context context, krb5_key key);
krb5_error_code kg_make_confounder (krb5_context context,
- krb5_keyblock *key, unsigned char *buf);
+ krb5_key key, unsigned char *buf);
krb5_error_code kg_encrypt (krb5_context context,
- krb5_keyblock *key, int usage,
+ krb5_key key, int usage,
krb5_pointer iv,
krb5_const_pointer in,
krb5_pointer out,
@@ -289,7 +288,7 @@
krb5_error_code kg_encrypt_iov (krb5_context context,
int proto, int dce_style,
size_t ec, size_t rrc,
- krb5_keyblock *key, int usage,
+ krb5_key key, int usage,
krb5_pointer iv,
gss_iov_buffer_desc *iov,
int iov_count);
@@ -308,7 +307,7 @@
int iov_count);
krb5_error_code kg_decrypt (krb5_context context,
- krb5_keyblock *key, int usage,
+ krb5_key key, int usage,
krb5_pointer iv,
krb5_const_pointer in,
krb5_pointer out,
@@ -317,7 +316,7 @@
krb5_error_code kg_decrypt_iov (krb5_context context,
int proto, int dce_style,
size_t ec, size_t rrc,
- krb5_keyblock *key, int usage,
+ krb5_key key, int usage,
krb5_pointer iv,
gss_iov_buffer_desc *iov,
int iov_count);
@@ -405,8 +404,8 @@
krb5_error_code kg_make_checksum_iov_v1(krb5_context context,
krb5_cksumtype type,
size_t token_cksum_len,
- krb5_keyblock *seq,
- krb5_keyblock *enc, /* for conf len */
+ krb5_key seq,
+ krb5_key enc, /* for conf len */
krb5_keyusage sign_usage,
gss_iov_buffer_desc *iov,
int iov_count,
@@ -416,7 +415,7 @@
krb5_error_code kg_make_checksum_iov_v3(krb5_context context,
krb5_cksumtype type,
size_t rrc,
- krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage sign_usage,
gss_iov_buffer_desc *iov,
int iov_count);
@@ -424,7 +423,7 @@
krb5_error_code kg_verify_checksum_iov_v3(krb5_context context,
krb5_cksumtype type,
size_t rrc,
- krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage sign_usage,
gss_iov_buffer_desc *iov,
int iov_count,
Modified: branches/enc-perf/src/lib/gssapi/krb5/init_sec_context.c
===================================================================
--- branches/enc-perf/src/lib/gssapi/krb5/init_sec_context.c 2009-10-15 19:57:29 UTC (rev 22902)
+++ branches/enc-perf/src/lib/gssapi/krb5/init_sec_context.c 2009-10-15 20:56:44 UTC (rev 22903)
@@ -458,6 +458,7 @@
krb5_gss_ctx_id_rec *ctx, *ctx_free;
krb5_timestamp now;
gss_buffer_desc token;
+ krb5_keyblock *keyblock;
k5_mutex_assert_locked(&cred->lock);
major_status = GSS_S_FAILURE;
@@ -578,8 +579,14 @@
krb5_auth_con_getlocalseqnumber(context, ctx->auth_context, &seq_temp);
ctx->seq_send = seq_temp;
- krb5_auth_con_getsendsubkey(context, ctx->auth_context,
- &ctx->subkey);
+ code = krb5_auth_con_getsendsubkey(context, ctx->auth_context,
+ &keyblock);
+ if (code != 0)
+ goto fail;
+ code = krb5_k_create_key(context, keyblock, &ctx->subkey);
+ krb5_free_keyblock(context, keyblock);
+ if (code != 0)
+ goto fail;
}
krb5_free_creds(context, k_cred);
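Review bot: krb5_auth_con_getsendsubkey can return 0 and leave `keyblock` NULL when the auth context has no send subkey (the acceptor side of this commit checks exactly that after getrecvsubkey/getkey), and the new code then hands that NULL straight to `krb5_k_create_key`. The replaced code tolerated a missing subkey by leaving ctx->subkey NULL; the new code would dereference it. Either guard it, `if (keyblock == NULL) { code = <appropriate error>; goto fail; }`, or add a comment stating the invariant being relied on (that krb5_mk_req_extended always generated a subkey here). The `krb5_keyblock *keyblock;` declared in the earlier hunk is also left uninitialized, unlike the `= NULL` in accept_sec_context.c; initializing it keeps any future cleanup path safe. The enclosing function starts and ends outside the hunk.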
@@ -644,7 +651,7 @@
if (ctx_free->there)
krb5_free_principal(context, ctx_free->there);
if (ctx_free->subkey)
- krb5_free_keyblock(context, ctx_free->subkey);
+ krb5_k_free_key(context, ctx_free->subkey);
xfree(ctx_free);
} else
(void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
@@ -774,7 +781,7 @@
* To be removed in 1999 -- proven
*/
krb5_auth_con_setuseruserkey(context, ctx->auth_context,
- ctx->subkey);
+ &ctx->subkey->keyblock);
if ((krb5_rd_rep(context, ctx->auth_context, &ap_rep,
&ap_rep_data)))
goto fail;
@@ -788,11 +795,11 @@
if (ap_rep_data->subkey != NULL &&
(ctx->proto == 1 || (ctx->gss_flags & GSS_C_DCE_STYLE) ||
- ap_rep_data->subkey->enctype != ctx->subkey->enctype)) {
+ ap_rep_data->subkey->enctype != ctx->subkey->keyblock.enctype)) {
/* Keep acceptor's subkey. */
ctx->have_acceptor_subkey = 1;
- code = krb5_copy_keyblock(context, ap_rep_data->subkey,
- &ctx->acceptor_subkey);
+ code = krb5_k_create_key(context, ap_rep_data->subkey,
+ &ctx->acceptor_subkey);
if (code) {
krb5_free_ap_rep_enc_part(context, ap_rep_data);
goto fail;
Modified: branches/enc-perf/src/lib/gssapi/krb5/inq_context.c
===================================================================
--- branches/enc-perf/src/lib/gssapi/krb5/inq_context.c 2009-10-15 19:57:29 UTC (rev 22902)
+++ branches/enc-perf/src/lib/gssapi/krb5/inq_context.c 2009-10-15 20:56:44 UTC (rev 22903)
@@ -197,7 +197,7 @@
gss_buffer_set_t *data_set)
{
krb5_gss_ctx_id_rec *ctx;
- krb5_keyblock *key;
+ krb5_key key;
gss_buffer_desc keyvalue, keyinfo;
OM_uint32 major_status, minor;
unsigned char oid_buf[GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH + 6];
@@ -206,8 +206,8 @@
ctx = (krb5_gss_ctx_id_rec *) context_handle;
key = ctx->have_acceptor_subkey ? ctx->acceptor_subkey : ctx->subkey;
- keyvalue.value = key->contents;
- keyvalue.length = key->length;
+ keyvalue.value = key->keyblock.contents;
+ keyvalue.length = key->keyblock.length;
major_status = generic_gss_add_buffer_set_member(minor_status, &keyvalue, data_set);
if (GSS_ERROR(major_status))
@@ -219,7 +219,7 @@
major_status = generic_gss_oid_compose(minor_status,
GSS_KRB5_SESSION_KEY_ENCTYPE_OID,
GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH,
- key->enctype,
+ key->keyblock.enctype,
&oid);
if (GSS_ERROR(major_status))
goto cleanup;
Modified: branches/enc-perf/src/lib/gssapi/krb5/k5seal.c
===================================================================
--- branches/enc-perf/src/lib/gssapi/krb5/k5seal.c 2009-10-15 19:57:29 UTC (rev 22902)
+++ branches/enc-perf/src/lib/gssapi/krb5/k5seal.c 2009-10-15 20:56:44 UTC (rev 22903)
@@ -53,8 +53,8 @@
static krb5_error_code
make_seal_token_v1 (krb5_context context,
- krb5_keyblock *enc,
- krb5_keyblock *seq,
+ krb5_key enc,
+ krb5_key seq,
gssint_uint64 *seqnum,
int direction,
gss_buffer_t text,
@@ -197,7 +197,7 @@
(void) memcpy(data_ptr+8, plain, msglen);
plaind.length = 8 + (bigend ? text->length : msglen);
plaind.data = data_ptr;
- code = krb5_c_make_checksum(context, md5cksum.checksum_type, seq,
+ code = krb5_k_make_checksum(context, md5cksum.checksum_type, seq,
sign_usage, &plaind, &md5cksum);
xfree(data_ptr);
@@ -212,7 +212,7 @@
if ((code = kg_encrypt(context, seq, KG_USAGE_SEAL,
(g_OID_equal(oid, gss_mech_krb5_old) ?
- seq->contents : NULL),
+ seq->keyblock.contents : NULL),
md5cksum.contents, md5cksum.contents, 16))) {
krb5_free_checksum_contents(context, &md5cksum);
xfree (plain);
@@ -259,7 +259,7 @@
krb5_keyblock *enc_key;
int i;
store_32_be(*seqnum, bigend_seqnum);
- code = krb5_copy_keyblock (context, enc, &enc_key);
+ code = krb5_k_key_keyblock(context, enc, &enc_key);
if (code)
{
xfree(plain);
Modified: branches/enc-perf/src/lib/gssapi/krb5/k5sealiov.c
===================================================================
--- branches/enc-perf/src/lib/gssapi/krb5/k5sealiov.c 2009-10-15 19:57:29 UTC (rev 22902)
+++ branches/enc-perf/src/lib/gssapi/krb5/k5sealiov.c 2009-10-15 20:56:44 UTC (rev 22903)
@@ -193,7 +193,7 @@
case SGN_ALG_3:
code = kg_encrypt(context, ctx->seq, KG_USAGE_SEAL,
(g_OID_equal(ctx->mech_used, gss_mech_krb5_old) ?
- ctx->seq->contents : NULL),
+ ctx->seq->keyblock.contents : NULL),
md5cksum.contents, md5cksum.contents, 16);
if (code != 0)
goto cleanup;
@@ -226,7 +226,7 @@
store_32_be(ctx->seq_send, bigend_seqnum);
- code = krb5_copy_keyblock(context, ctx->enc, &enc_key);
+ code = krb5_k_key_keyblock(context, ctx->enc, &enc_key);
if (code != 0)
goto cleanup;
@@ -408,13 +408,12 @@
gss_headerlen = gss_padlen = gss_trailerlen = 0;
if (ctx->proto == 1) {
+ krb5_key key;
krb5_enctype enctype;
size_t ec;
- if (ctx->have_acceptor_subkey)
- enctype = ctx->acceptor_subkey->enctype;
- else
- enctype = ctx->subkey->enctype;
+ key = (ctx->have_acceptor_subkey) ? ctx->acceptor_subkey : ctx->subkey;
+ enctype = key->keyblock.enctype;
code = krb5_c_crypto_length(context, enctype,
conf_req_flag ?
Modified: branches/enc-perf/src/lib/gssapi/krb5/k5sealv3.c
===================================================================
--- branches/enc-perf/src/lib/gssapi/krb5/k5sealv3.c 2009-10-15 19:57:29 UTC (rev 22902)
+++ branches/enc-perf/src/lib/gssapi/krb5/k5sealv3.c 2009-10-15 20:56:44 UTC (rev 22903)
@@ -81,7 +81,7 @@
size_t ec;
unsigned short tok_id;
krb5_checksum sum;
- krb5_keyblock *key;
+ krb5_key key;
krb5_cksumtype cksumtype;
assert(ctx->big_endian == 0);
@@ -136,7 +136,7 @@
return ENOMEM;
/* Get size of ciphertext. */
- bufsize = 16 + krb5_encrypt_size (plain.length, key->enctype);
+ bufsize = 16 + krb5_encrypt_size (plain.length, key->keyblock.enctype);
/* Allocate space for header plus encrypted data. */
outbuf = malloc(bufsize);
if (outbuf == NULL) {
@@ -164,8 +164,8 @@
cipher.ciphertext.data = (char *)outbuf + 16;
cipher.ciphertext.length = bufsize - 16;
- cipher.enctype = key->enctype;
- err = krb5_c_encrypt(context, key, key_usage, 0, &plain, &cipher);
+ cipher.enctype = key->keyblock.enctype;
+ err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher);
zap(plain.data, plain.length);
free(plain.data);
plain.data = 0;
@@ -245,7 +245,7 @@
sum.contents = outbuf + 16 + message2->length;
sum.length = cksumsize;
- err = krb5_c_make_checksum(context, cksumtype, key,
+ err = krb5_k_make_checksum(context, cksumtype, key,
key_usage, &plain, &sum);
zap(plain.data, plain.length);
free(plain.data);
@@ -317,7 +317,7 @@
krb5_checksum sum;
krb5_error_code err;
krb5_boolean valid;
- krb5_keyblock *key;
+ krb5_key key;
krb5_cksumtype cksumtype;
if (ctx->big_endian != 0)
@@ -398,14 +398,14 @@
For all current cryptosystems, the ciphertext size will
be larger than the plaintext size. */
- cipher.enctype = key->enctype;
+ cipher.enctype = key->keyblock.enctype;
cipher.ciphertext.length = bodysize - 16;
cipher.ciphertext.data = (char *)ptr + 16;
plain.length = bodysize - 16;
plain.data = malloc(plain.length);
if (plain.data == NULL)
goto no_mem;
- err = krb5_c_decrypt(context, key, key_usage, 0,
+ err = krb5_k_decrypt(context, key, key_usage, 0,
&cipher, &plain);
if (err) {
free(plain.data);
@@ -459,7 +459,7 @@
}
sum.contents = ptr+bodysize-ec;
sum.checksum_type = cksumtype;
- err = krb5_c_verify_checksum(context, key, key_usage,
+ err = krb5_k_verify_checksum(context, key, key_usage,
&plain, &sum, &valid);
if (err)
goto error;
@@ -496,7 +496,7 @@
sum.length = bodysize - 16;
sum.contents = ptr + 16;
sum.checksum_type = cksumtype;
- err = krb5_c_verify_checksum(context, key, key_usage,
+ err = krb5_k_verify_checksum(context, key, key_usage,
&plain, &sum, &valid);
free(plain.data);
plain.data = NULL;
Modified: branches/enc-perf/src/lib/gssapi/krb5/k5sealv3iov.c
===================================================================
--- branches/enc-perf/src/lib/gssapi/krb5/k5sealv3iov.c 2009-10-15 19:57:29 UTC (rev 22902)
+++ branches/enc-perf/src/lib/gssapi/krb5/k5sealv3iov.c 2009-10-15 20:56:44 UTC (rev 22903)
@@ -53,7 +53,7 @@
int key_usage;
size_t rrc = 0;
unsigned int gss_headerlen, gss_trailerlen;
- krb5_keyblock *key;
+ krb5_key key;
krb5_cksumtype cksumtype;
size_t data_length, assoc_data_length;
@@ -95,24 +95,26 @@
size_t ec = 0;
size_t conf_data_length = data_length - assoc_data_length;
- code = krb5_c_crypto_length(context, key->enctype, KRB5_CRYPTO_TYPE_HEADER, &k5_headerlen);
+ code = krb5_c_crypto_length(context, key->keyblock.enctype,
+ KRB5_CRYPTO_TYPE_HEADER, &k5_headerlen);
if (code != 0)
goto cleanup;
- code = krb5_c_padding_length(context, key->enctype,
+ code = krb5_c_padding_length(context, key->keyblock.enctype,
conf_data_length + 16 /* E(Header) */, &k5_padlen);
if (code != 0)
goto cleanup;
if (k5_padlen == 0 && (ctx->gss_flags & GSS_C_DCE_STYLE)) {
/* Windows rejects AEAD tokens with non-zero EC */
- code = krb5_c_block_size(context, key->enctype, &ec);
+ code = krb5_c_block_size(context, key->keyblock.enctype, &ec);
if (code != 0)
goto cleanup;
} else
ec = k5_padlen;
- code = krb5_c_crypto_length(context, key->enctype, KRB5_CRYPTO_TYPE_TRAILER, &k5_trailerlen);
+ code = krb5_c_crypto_length(context, key->keyblock.enctype,
+ KRB5_CRYPTO_TYPE_TRAILER, &k5_trailerlen);
if (code != 0)
goto cleanup;
@@ -186,7 +188,9 @@
gss_headerlen = 16;
- code = krb5_c_crypto_length(context, key->enctype, KRB5_CRYPTO_TYPE_CHECKSUM, &gss_trailerlen);
+ code = krb5_c_crypto_length(context, key->keyblock.enctype,
+ KRB5_CRYPTO_TYPE_CHECKSUM,
+ &gss_trailerlen);
if (code != 0)
goto cleanup;
@@ -291,7 +295,7 @@
int key_usage;
size_t rrc, ec;
size_t data_length, assoc_data_length;
- krb5_keyblock *key;
+ krb5_key key;
gssint_uint64 seqnum;
krb5_boolean valid;
krb5_cksumtype cksumtype;
@@ -357,7 +361,7 @@
rrc = load_16_be(ptr + 6);
seqnum = load_64_be(ptr + 8);
- code = krb5_c_crypto_length(context, key->enctype,
+ code = krb5_c_crypto_length(context, key->keyblock.enctype,
conf_flag ? KRB5_CRYPTO_TYPE_TRAILER :
KRB5_CRYPTO_TYPE_CHECKSUM,
&k5_trailerlen);
Modified: branches/enc-perf/src/lib/gssapi/krb5/k5unseal.c
===================================================================
--- branches/enc-perf/src/lib/gssapi/krb5/k5unseal.c 2009-10-15 19:57:29 UTC (rev 22902)
+++ branches/enc-perf/src/lib/gssapi/krb5/k5unseal.c 2009-10-15 20:56:44 UTC (rev 22903)
@@ -176,7 +176,7 @@
krb5_keyblock *enc_key;
int i;
store_32_be(seqnum, bigend_seqnum);
- code = krb5_copy_keyblock (context, ctx->enc, &enc_key);
+ code = krb5_k_key_keyblock(context, ctx->enc, &enc_key);
if (code)
{
xfree(plain);
@@ -287,7 +287,7 @@
plaind.length = 8 + (ctx->big_endian ? token.length : plainlen);
plaind.data = data_ptr;
- code = krb5_c_make_checksum(context, md5cksum.checksum_type,
+ code = krb5_k_make_checksum(context, md5cksum.checksum_type,
ctx->seq, sign_usage,
&plaind, &md5cksum);
xfree(data_ptr);
@@ -301,7 +301,7 @@
if ((code = kg_encrypt(context, ctx->seq, KG_USAGE_SEAL,
(g_OID_equal(ctx->mech_used, gss_mech_krb5_old) ?
- ctx->seq->contents : NULL),
+ ctx->seq->keyblock.contents : NULL),
md5cksum.contents, md5cksum.contents, 16))) {
krb5_free_checksum_contents(context, &md5cksum);
if (toktype == KG_TOK_SEAL_MSG)
@@ -354,7 +354,7 @@
(ctx->big_endian ? token.length : plainlen);
plaind.data = data_ptr;
krb5_free_checksum_contents(context, &md5cksum);
- code = krb5_c_make_checksum(context, md5cksum.checksum_type,
+ code = krb5_k_make_checksum(context, md5cksum.checksum_type,
ctx->seq, sign_usage,
&plaind, &md5cksum);
xfree(data_ptr);
@@ -400,7 +400,7 @@
plaind.length = 8 + (ctx->big_endian ? token.length : plainlen);
plaind.data = data_ptr;
- code = krb5_c_make_checksum(context, md5cksum.checksum_type,
+ code = krb5_k_make_checksum(context, md5cksum.checksum_type,
ctx->seq, sign_usage,
&plaind, &md5cksum);
xfree(data_ptr);
Modified: branches/enc-perf/src/lib/gssapi/krb5/k5unsealiov.c
===================================================================
--- branches/enc-perf/src/lib/gssapi/krb5/k5unsealiov.c 2009-10-15 19:57:29 UTC (rev 22902)
+++ branches/enc-perf/src/lib/gssapi/krb5/k5unsealiov.c 2009-10-15 20:56:44 UTC (rev 22903)
@@ -153,7 +153,7 @@
store_32_be(seqnum, bigend_seqnum);
- code = krb5_copy_keyblock(context, ctx->enc, &enc_key);
+ code = krb5_k_key_keyblock(context, ctx->enc, &enc_key);
if (code != 0) {
retval = GSS_S_FAILURE;
goto cleanup;
@@ -231,7 +231,7 @@
case SGN_ALG_3:
code = kg_encrypt(context, ctx->seq, KG_USAGE_SEAL,
(g_OID_equal(ctx->mech_used, gss_mech_krb5_old) ?
- ctx->seq->contents : NULL),
+ ctx->seq->keyblock.contents : NULL),
md5cksum.contents, md5cksum.contents, 16);
if (code != 0) {
retval = GSS_S_FAILURE;
@@ -518,7 +518,7 @@
case KG2_TOK_WRAP_MSG:
case KG2_TOK_DEL_CTX: {
size_t ec, rrc;
- krb5_enctype enctype = ctx->enc->enctype;
+ krb5_enctype enctype = ctx->enc->keyblock.enctype;
unsigned int k5_headerlen = 0;
unsigned int k5_trailerlen = 0;
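Review bot: This CFX (KG2_TOK_*) length computation takes the enctype from `ctx->enc`, whereas the wrap-side code in k5sealiov.c changed by this same commit selects `ctx->have_acceptor_subkey ? ctx->acceptor_subkey : ctx->subkey` for proto == 1. If ctx->enc is not guaranteed to carry the negotiated acceptor subkey's enctype, the header/trailer sizes computed here can differ from what the peer used to wrap; `krb5_enctype enctype = (ctx->have_acceptor_subkey ? ctx->acceptor_subkey : ctx->subkey)->keyblock.enctype;` would restore symmetry. This is pre-existing behaviour the commit only re-spells, and the enclosing switch starts and ends outside the hunk.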
Modified: branches/enc-perf/src/lib/gssapi/krb5/lucid_context.c
===================================================================
--- branches/enc-perf/src/lib/gssapi/krb5/lucid_context.c 2009-10-15 19:57:29 UTC (rev 22902)
+++ branches/enc-perf/src/lib/gssapi/krb5/lucid_context.c 2009-10-15 20:56:44 UTC (rev 22903)
@@ -213,7 +213,7 @@
lctx->rfc1964_kd.sign_alg = gctx->signalg;
lctx->rfc1964_kd.seal_alg = gctx->sealalg;
/* Copy key */
- if ((retval = copy_keyblock_to_lucid_key(gctx->seq,
+ if ((retval = copy_keyblock_to_lucid_key(&gctx->seq->keyblock,
&lctx->rfc1964_kd.ctx_key)))
goto error_out;
}
@@ -221,11 +221,11 @@
/* Copy keys */
/* (subkey is always present, either a copy of the kerberos
session key or a subkey) */
- if ((retval = copy_keyblock_to_lucid_key(gctx->subkey,
+ if ((retval = copy_keyblock_to_lucid_key(&gctx->subkey->keyblock,
&lctx->cfx_kd.ctx_key)))
goto error_out;
if (gctx->have_acceptor_subkey) {
- if ((retval = copy_keyblock_to_lucid_key(gctx->acceptor_subkey,
+ if ((retval = copy_keyblock_to_lucid_key(&gctx->acceptor_subkey->keyblock,
&lctx->cfx_kd.acceptor_subkey)))
goto error_out;
lctx->cfx_kd.have_acceptor_subkey = 1;
Modified: branches/enc-perf/src/lib/gssapi/krb5/ser_sctx.c
===================================================================
--- branches/enc-perf/src/lib/gssapi/krb5/ser_sctx.c 2009-10-15 19:57:29 UTC (rev 22902)
+++ branches/enc-perf/src/lib/gssapi/krb5/ser_sctx.c 2009-10-15 20:56:44 UTC (rev 22903)
@@ -304,19 +304,19 @@
if (!kret && ctx->subkey)
kret = krb5_size_opaque(kcontext,
KV5M_KEYBLOCK,
- (krb5_pointer) ctx->subkey,
+ (krb5_pointer) &ctx->subkey->keyblock,
&required);
if (!kret && ctx->enc)
kret = krb5_size_opaque(kcontext,
KV5M_KEYBLOCK,
- (krb5_pointer) ctx->enc,
+ (krb5_pointer) &ctx->enc->keyblock,
&required);
if (!kret && ctx->seq)
kret = krb5_size_opaque(kcontext,
KV5M_KEYBLOCK,
- (krb5_pointer) ctx->seq,
+ (krb5_pointer) &ctx->seq->keyblock,
&required);
if (!kret)
@@ -339,8 +339,8 @@
&required);
if (!kret && ctx->acceptor_subkey)
kret = krb5_size_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) ctx->acceptor_subkey,
+ KV5M_KEYBLOCK, (krb5_pointer)
+ &ctx->acceptor_subkey->keyblock,
&required);
if (!kret && ctx->authdata) {
krb5_int32 i;
@@ -448,20 +448,20 @@
if (!kret && ctx->subkey)
kret = krb5_externalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) ctx->subkey,
+ KV5M_KEYBLOCK, (krb5_pointer)
+ &ctx->subkey->keyblock,
&bp, &remain);
if (!kret && ctx->enc)
kret = krb5_externalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) ctx->enc,
+ KV5M_KEYBLOCK, (krb5_pointer)
+ &ctx->enc->keyblock,
&bp, &remain);
if (!kret && ctx->seq)
kret = krb5_externalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) ctx->seq,
+ KV5M_KEYBLOCK, (krb5_pointer)
+ &ctx->seq->keyblock,
&bp, &remain);
if (!kret && ctx->seqstate)
@@ -488,8 +488,8 @@
&bp, &remain);
if (!kret && ctx->acceptor_subkey)
kret = krb5_externalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) ctx->acceptor_subkey,
+ KV5M_KEYBLOCK, (krb5_pointer)
+ &ctx->acceptor_subkey->keyblock,
&bp, &remain);
if (!kret)
kret = krb5_ser_pack_int32((krb5_int32) ctx->acceptor_subkey_cksumtype,
@@ -529,6 +529,22 @@
return(kret);
}
+/* Internalize a keyblock and convert it to a key. */
+static krb5_error_code
+intern_key(krb5_context ctx, krb5_key *key, krb5_octet **bp, size_t *sp)
+{
+ krb5_keyblock *keyblock;
+ krb5_error_code ret;
+
+ ret = krb5_internalize_opaque(ctx, KV5M_KEYBLOCK,
+ (krb5_pointer *) &keyblock, bp, sp);
+ if (ret != 0)
+ return ret;
+ ret = krb5_k_create_key(ctx, keyblock, key);
+ krb5_free_keyblock(ctx, keyblock);
+ return ret;
+}
+
/*
* Internalize this krb5_gss_ctx_id_t.
*/
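Review bot: The callers of intern_key later in this file treat EINVAL as "this optional keyblock is absent" and reset kret to 0, but intern_key returns the krb5_k_create_key result through the same channel, so a key-creation failure that happens to be EINVAL would be silently swallowed and leave the field NULL. The header comment should state the contract the callers depend on, e.g. `/* Internalize a keyblock and convert it to a key. EINVAL means no keyblock was present; any failure from krb5_k_create_key is a real error. */`, and the callers should only map the internalize step's EINVAL, not a create-key failure. Setting `*key = NULL;` on entry would also give the failure path a well-defined field to free.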
@@ -634,26 +650,17 @@
kret = 0;
}
if (!kret &&
- (kret = krb5_internalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer *) &ctx->subkey,
- &bp, &remain))) {
+ (kret = intern_key(kcontext, &ctx->subkey, &bp, &remain))) {
if (kret == EINVAL)
kret = 0;
}
if (!kret &&
- (kret = krb5_internalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer *) &ctx->enc,
- &bp, &remain))) {
+ (kret = intern_key(kcontext, &ctx->enc, &bp, &remain))) {
if (kret == EINVAL)
kret = 0;
}
if (!kret &&
- (kret = krb5_internalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer *) &ctx->seq,
- &bp, &remain))) {
+ (kret = intern_key(kcontext, &ctx->seq, &bp, &remain))) {
if (kret == EINVAL)
kret = 0;
}
@@ -684,10 +691,8 @@
kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
ctx->cksumtype = ibuf;
if (!kret &&
- (kret = krb5_internalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer *) &ctx->acceptor_subkey,
- &bp, &remain))) {
+ (kret = intern_key(kcontext, &ctx->acceptor_subkey,
+ &bp, &remain))) {
if (kret == EINVAL)
kret = 0;
}
@@ -730,11 +735,11 @@
*argp = (krb5_pointer) ctx;
} else {
if (ctx->seq)
- krb5_free_keyblock(kcontext, ctx->seq);
+ krb5_k_free_key(kcontext, ctx->seq);
if (ctx->enc)
- krb5_free_keyblock(kcontext, ctx->enc);
+ krb5_k_free_key(kcontext, ctx->enc);
if (ctx->subkey)
- krb5_free_keyblock(kcontext, ctx->subkey);
+ krb5_k_free_key(kcontext, ctx->subkey);
if (ctx->there)
krb5_free_principal(kcontext, ctx->there);
if (ctx->here)
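Review bot: The visible part of this failure path frees seq, enc and subkey but not ctx->acceptor_subkey, which this commit also turns into a krb5_key and internalizes a few hunks earlier; unless it is released in lines outside the hunk, a failed import leaks it. Add `krb5_k_free_key(kcontext, ctx->acceptor_subkey);` alongside the other three (elsewhere in this commit krb5_k_free_key appears to be called on possibly-NULL fields, so the `if` guard is optional). The enclosing function starts before the hunk.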
Modified: branches/enc-perf/src/lib/gssapi/krb5/util_cksum.c
===================================================================
--- branches/enc-perf/src/lib/gssapi/krb5/util_cksum.c 2009-10-15 19:57:29 UTC (rev 22902)
+++ branches/enc-perf/src/lib/gssapi/krb5/util_cksum.c 2009-10-15 20:56:44 UTC (rev 22903)
@@ -112,8 +112,8 @@
kg_make_checksum_iov_v1(krb5_context context,
krb5_cksumtype type,
size_t cksum_len,
- krb5_keyblock *seq,
- krb5_keyblock *enc,
+ krb5_key seq,
+ krb5_key enc,
krb5_keyusage sign_usage,
gss_iov_buffer_desc *iov,
int iov_count,
@@ -137,7 +137,7 @@
/* Checksum over ( Header | Confounder | Data | Pad ) */
if (toktype == KG_TOK_WRAP_MSG)
- conf_len = kg_confounder_size(context, (krb5_keyblock *)enc);
+ conf_len = kg_confounder_size(context, enc);
/* Checksum output */
kiov[i].flags = KRB5_CRYPTO_TYPE_CHECKSUM;
@@ -173,7 +173,7 @@
i++;
}
- code = krb5_c_make_checksum_iov(context, type, seq, sign_usage, kiov, kiov_count);
+ code = krb5_k_make_checksum_iov(context, type, seq, sign_usage, kiov, kiov_count);
if (code == 0) {
checksum->length = kiov[0].data.length;
checksum->contents = (unsigned char *)kiov[0].data.data;
@@ -189,7 +189,7 @@
checksum_iov_v3(krb5_context context,
krb5_cksumtype type,
size_t rrc,
- krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage sign_usage,
gss_iov_buffer_desc *iov,
int iov_count,
@@ -207,7 +207,7 @@
if (verify)
*valid = FALSE;
- code = krb5_c_crypto_length(context, key->enctype, KRB5_CRYPTO_TYPE_CHECKSUM, &k5_checksumlen);
+ code = krb5_c_crypto_length(context, key->keyblock.enctype, KRB5_CRYPTO_TYPE_CHECKSUM, &k5_checksumlen);
if (code != 0)
return code;
@@ -258,9 +258,9 @@
i++;
if (verify)
- code = krb5_c_verify_checksum_iov(context, type, key, sign_usage, kiov, kiov_count, valid);
+ code = krb5_k_verify_checksum_iov(context, type, key, sign_usage, kiov, kiov_count, valid);
else
- code = krb5_c_make_checksum_iov(context, type, key, sign_usage, kiov, kiov_count);
+ code = krb5_k_make_checksum_iov(context, type, key, sign_usage, kiov, kiov_count);
xfree(kiov);
@@ -271,7 +271,7 @@
kg_make_checksum_iov_v3(krb5_context context,
krb5_cksumtype type,
size_t rrc,
- krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage sign_usage,
gss_iov_buffer_desc *iov,
int iov_count)
@@ -284,7 +284,7 @@
kg_verify_checksum_iov_v3(krb5_context context,
krb5_cksumtype type,
size_t rrc,
- krb5_keyblock *key,
+ krb5_key key,
krb5_keyusage sign_usage,
gss_iov_buffer_desc *iov,
int iov_count,
Modified: branches/enc-perf/src/lib/gssapi/krb5/util_crypt.c
===================================================================
--- branches/enc-perf/src/lib/gssapi/krb5/util_crypt.c 2009-10-15 19:57:29 UTC (rev 22902)
+++ branches/enc-perf/src/lib/gssapi/krb5/util_crypt.c 2009-10-15 20:56:44 UTC (rev 22903)
@@ -59,39 +59,53 @@
static krb5_error_code
kg_copy_keys(krb5_context context,
krb5_gss_ctx_id_rec *ctx,
- krb5_keyblock *subkey)
+ krb5_key subkey)
{
krb5_error_code code;
- if (ctx->enc != NULL) {
- krb5_free_keyblock(context, ctx->enc);
- ctx->enc = NULL;
- }
+ krb5_k_free_key(context, ctx->enc);
+ ctx->enc = NULL;
+ code = krb5_k_create_key(context, &subkey->keyblock, &ctx->enc);
+ if (code != 0)
+ return code;
- code = krb5_copy_keyblock(context, subkey, &ctx->enc);
+ krb5_k_free_key(context, ctx->seq);
+ ctx->seq = NULL;
+ code = krb5_k_create_key(context, &subkey->keyblock, &ctx->seq);
if (code != 0)
return code;
- if (ctx->seq != NULL) {
- krb5_free_keyblock(context, ctx->seq);
- ctx->seq = NULL;
- }
+ return 0;
+}
- code = krb5_copy_keyblock(context, subkey, &ctx->seq);
+static krb5_error_code
+kg_derive_des_enc_key(krb5_context context, krb5_key subkey, krb5_key *out)
+{
+ krb5_error_code code;
+ krb5_keyblock *keyblock;
+ unsigned int i;
+
+ *out = NULL;
+
+ code = krb5_k_key_keyblock(context, subkey, &keyblock);
if (code != 0)
return code;
- return 0;
+ for (i = 0; i < keyblock->length; i++)
+ keyblock->contents[i] ^= 0xF0;
+
+ code = krb5_k_create_key(context, keyblock, out);
+ krb5_free_keyblock(context, keyblock);
+ return code;
}
krb5_error_code
kg_setup_keys(krb5_context context,
krb5_gss_ctx_id_rec *ctx,
- krb5_keyblock *subkey,
+ krb5_key subkey,
krb5_cksumtype *cksumtype)
{
krb5_error_code code;
- unsigned int i;
krb5int_access kaccess;
assert(ctx != NULL);
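Review bot: kg_derive_des_enc_key carries no comment explaining the `^= 0xF0` pass, which is the RFC 1964 DES sealing-key derivation (context key XORed with the constant F0F0F0F0F0F0F0F0) that previously sat inline in kg_setup_keys behind only a `SUPPRESS 113` marker. A header comment such as `/* Derive the RFC 1964 DES seal key: a copy of subkey with every byte XORed with 0xF0. The caller still has to set the enctype. */` would preserve that knowledge. Note also that kg_copy_keys now calls krb5_k_free_key on ctx->enc and ctx->seq without the NULL guards the old code had, while delete_sec_context.c in this commit keeps them; if krb5_k_free_key accepts NULL the guards there are redundant, otherwise these calls need them back. kg_setup_keys continues past the end of the hunk.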
@@ -109,36 +123,40 @@
if (code != 0)
return code;
- code = (*kaccess.krb5int_c_mandatory_cksumtype)(context, subkey->enctype,
+ code = (*kaccess.krb5int_c_mandatory_cksumtype)(context,
+ subkey->keyblock.enctype,
cksumtype);
if (code != 0)
return code;
- switch (subkey->enctype) {
+ switch (subkey->keyblock.enctype) {
case ENCTYPE_DES_CBC_MD5:
case ENCTYPE_DES_CBC_MD4:
case ENCTYPE_DES_CBC_CRC:
- code = kg_copy_keys(context, ctx, subkey);
+ krb5_k_free_key(context, ctx->seq);
+ code = krb5_k_create_key(context, &subkey->keyblock, &ctx->seq);
if (code != 0)
return code;
- ctx->enc->enctype = ENCTYPE_DES_CBC_RAW;
- ctx->seq->enctype = ENCTYPE_DES_CBC_RAW;
+ krb5_k_free_key(context, ctx->enc);
+ code = kg_derive_des_enc_key(context, subkey, &ctx->enc);
+ if (code != 0)
+ return code;
+
+ ctx->enc->keyblock.enctype = ENCTYPE_DES_CBC_RAW;
+ ctx->seq->keyblock.enctype = ENCTYPE_DES_CBC_RAW;
ctx->signalg = SGN_ALG_DES_MAC_MD5;
ctx->cksum_size = 8;
ctx->sealalg = SEAL_ALG_DES;
- for (i = 0; i < ctx->enc->length; i++)
- /*SUPPRESS 113*/
- ctx->enc->contents[i] ^= 0xF0;
break;
case ENCTYPE_DES3_CBC_SHA1:
code = kg_copy_keys(context, ctx, subkey);
if (code != 0)
return code;
- ctx->enc->enctype = ENCTYPE_DES3_CBC_RAW;
- ctx->seq->enctype = ENCTYPE_DES3_CBC_RAW;
+ ctx->enc->keyblock.enctype = ENCTYPE_DES3_CBC_RAW;
+ ctx->seq->keyblock.enctype = ENCTYPE_DES3_CBC_RAW;
ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD;
ctx->cksum_size = 20;
ctx->sealalg = SEAL_ALG_DES3KD;
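Review bot: In the DES case `ctx->seq` is freed with `krb5_k_free_key` and immediately reused as the output of `krb5_k_create_key` without being cleared in between; if the create fails and does not write `*out` on error (not visible here), `ctx->seq` keeps the freed pointer and the context teardown will free it a second time. `kg_copy_keys` in this same commit sets the field to NULL between the free and the create, and the DES path should match it: `krb5_k_free_key(context, ctx->seq); ctx->seq = NULL;`. The `ctx->enc` path is only safe because `kg_derive_des_enc_key` happens to set `*out = NULL` first. Separately, both the DES and DES3 cases assign `->keyblock.enctype` inside freshly created krb5_key objects; whether the krb5_k layer tolerates the enctype changing after creation (any per-enctype cached state) is not shown in this diff, and creating the keys from a keyblock copy that already carries the RAW enctype would avoid the question. `kg_setup_keys` continues beyond this hunk.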
@@ -164,15 +182,15 @@
int
kg_confounder_size(context, key)
krb5_context context;
- krb5_keyblock *key;
+ krb5_key key;
{
krb5_error_code code;
size_t blocksize;
/* We special case rc4*/
- if (key->enctype == ENCTYPE_ARCFOUR_HMAC ||
- key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
+ if (key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC ||
+ key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
return 8;
- code = krb5_c_block_size(context, key->enctype, &blocksize);
+ code = krb5_c_block_size(context, key->keyblock.enctype, &blocksize);
if (code)
return(-1); /* XXX */
@@ -182,7 +200,7 @@
krb5_error_code
kg_make_confounder(context, key, buf)
krb5_context context;
- krb5_keyblock *key;
+ krb5_key key;
unsigned char *buf;
{
int confsize;
@@ -201,7 +219,7 @@
krb5_error_code
kg_encrypt(context, key, usage, iv, in, out, length)
krb5_context context;
- krb5_keyblock *key;
+ krb5_key key;
int usage;
krb5_pointer iv;
krb5_const_pointer in;
@@ -214,7 +232,7 @@
krb5_enc_data outputd;
if (iv) {
- code = krb5_c_block_size(context, key->enctype, &blocksize);
+ code = krb5_c_block_size(context, key->keyblock.enctype, &blocksize);
if (code)
return(code);
@@ -234,7 +252,7 @@
outputd.ciphertext.length = length;
outputd.ciphertext.data = out;
- code = krb5_c_encrypt(context, key, usage, pivd, &inputd, &outputd);
+ code = krb5_k_encrypt(context, key, usage, pivd, &inputd, &outputd);
if (pivd != NULL)
free(pivd->data);
return code;
@@ -245,7 +263,7 @@
krb5_error_code
kg_decrypt(context, key, usage, iv, in, out, length)
krb5_context context;
- krb5_keyblock *key;
+ krb5_key key;
int usage;
krb5_pointer iv;
krb5_const_pointer in;
@@ -258,7 +276,7 @@
krb5_enc_data inputd;
if (iv) {
- code = krb5_c_block_size(context, key->enctype, &blocksize);
+ code = krb5_c_block_size(context, key->keyblock.enctype, &blocksize);
if (code)
return(code);
@@ -279,7 +297,7 @@
outputd.length = length;
outputd.data = out;
- code = krb5_c_decrypt(context, key, usage, pivd, &inputd, &outputd);
+ code = krb5_k_decrypt(context, key, usage, pivd, &inputd, &outputd);
if (pivd != NULL)
free(pivd->data);
return code;
@@ -294,6 +312,7 @@
krb5_error_code code;
krb5_data input, output;
krb5int_access kaccess;
+ krb5_key key;
krb5_keyblock seq_enc_key, usage_key;
unsigned char t[14];
size_t i = 0;
@@ -341,9 +360,11 @@
input.length = input_len;
output.data = (void * ) output_buf;
output.length = input_len;
- code = ((*kaccess.arcfour_enc_provider->encrypt)(
- &seq_enc_key, 0,
- &input, &output));
+ code = krb5_k_create_key(NULL, &seq_enc_key, &key);
+ if (code)
+ goto cleanup_arcfour;
+ code = (*kaccess.arcfour_enc_provider->encrypt)(key, 0, &input, &output);
+ krb5_k_free_key(NULL, key);
cleanup_arcfour:
memset (seq_enc_key.contents, 0, seq_enc_key.length);
memset (usage_key.contents, 0, usage_key.length);
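Review bot: `krb5_k_create_key` and `krb5_k_free_key` are called with a NULL context here, while the iov variant of this routine later in the same file passes `context`; whether the krb5_k functions accept NULL is not visible in this diff, and if they do not, every RC4 sequence-number operation now fails at `krb5_k_create_key`. The callers in util_seqnum.c pass no context to `kg_arcfour_docrypt`, so if threading one through is not an option, a comment `/* No krb5_context is available here; krb5_k_create_key must accept NULL. */` should at least record the dependency. Building and freeing a krb5_key around a single encrypt call also means this path gets none of the key caching the branch is introducing, which is acceptable only because `seq_enc_key` is derived per token. The enclosing function starts before this hunk.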
@@ -356,7 +377,7 @@
static krb5_error_code
kg_translate_iov_v1(context, key, iov, iov_count, pkiov, pkiov_count)
krb5_context context;
- const krb5_keyblock *key;
+ krb5_key key;
gss_iov_buffer_desc *iov;
int iov_count;
krb5_crypto_iov **pkiov;
@@ -372,7 +393,7 @@
*pkiov = NULL;
*pkiov_count = 0;
- conf_len = kg_confounder_size(context, (krb5_keyblock *)key);
+ conf_len = kg_confounder_size(context, key);
header = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
assert(header != NULL);
@@ -427,7 +448,7 @@
int dce_style; /* DCE_STYLE indicates actual RRC is EC + RRC */
size_t ec; /* Extra rotate count for DCE_STYLE, pad length otherwise */
size_t rrc; /* Rotate count */
- const krb5_keyblock *key;
+ krb5_key key;
gss_iov_buffer_desc *iov;
int iov_count;
krb5_crypto_iov **pkiov;
@@ -451,11 +472,13 @@
trailer = kg_locate_iov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
assert(trailer == NULL || rrc == 0);
- code = krb5_c_crypto_length(context, key->enctype, KRB5_CRYPTO_TYPE_HEADER, &k5_headerlen);
+ code = krb5_c_crypto_length(context, key->keyblock.enctype,
+ KRB5_CRYPTO_TYPE_HEADER, &k5_headerlen);
if (code != 0)
return code;
- code = krb5_c_crypto_length(context, key->enctype, KRB5_CRYPTO_TYPE_TRAILER, &k5_trailerlen);
+ code = krb5_c_crypto_length(context, key->keyblock.enctype,
+ KRB5_CRYPTO_TYPE_TRAILER, &k5_trailerlen);
if (code != 0)
return code;
@@ -541,7 +564,7 @@
int dce_style;
size_t ec;
size_t rrc;
- const krb5_keyblock *key;
+ krb5_key key;
gss_iov_buffer_desc *iov;
int iov_count;
krb5_crypto_iov **pkiov;
@@ -559,7 +582,7 @@
int dce_style;
size_t ec;
size_t rrc;
- krb5_keyblock *key;
+ krb5_key key;
int usage;
krb5_pointer iv;
gss_iov_buffer_desc *iov;
@@ -572,7 +595,7 @@
krb5_crypto_iov *kiov;
if (iv) {
- code = krb5_c_block_size(context, key->enctype, &blocksize);
+ code = krb5_c_block_size(context, key->keyblock.enctype, &blocksize);
if (code)
return(code);
@@ -589,7 +612,7 @@
code = kg_translate_iov(context, proto, dce_style, ec, rrc, key,
iov, iov_count, &kiov, &kiov_count);
if (code == 0) {
- code = krb5_c_encrypt_iov(context, key, usage, pivd, kiov, kiov_count);
+ code = krb5_k_encrypt_iov(context, key, usage, pivd, kiov, kiov_count);
free(kiov);
}
@@ -608,7 +631,7 @@
int dce_style;
size_t ec;
size_t rrc;
- krb5_keyblock *key;
+ krb5_key key;
int usage;
krb5_pointer iv;
gss_iov_buffer_desc *iov;
@@ -621,7 +644,7 @@
krb5_crypto_iov *kiov;
if (iv) {
- code = krb5_c_block_size(context, key->enctype, &blocksize);
+ code = krb5_c_block_size(context, key->keyblock.enctype, &blocksize);
if (code)
return(code);
@@ -638,7 +661,7 @@
code = kg_translate_iov(context, proto, dce_style, ec, rrc, key,
iov, iov_count, &kiov, &kiov_count);
if (code == 0) {
- code = krb5_c_decrypt_iov(context, key, usage, pivd, kiov, kiov_count);
+ code = krb5_k_decrypt_iov(context, key, usage, pivd, kiov, kiov_count);
free(kiov);
}
@@ -657,6 +680,7 @@
krb5_error_code code;
krb5_data input, output;
krb5int_access kaccess;
+ krb5_key key;
krb5_keyblock seq_enc_key, usage_key;
unsigned char t[14];
size_t i = 0;
@@ -709,9 +733,12 @@
if (code)
goto cleanup_arcfour;
- code = ((*kaccess.arcfour_enc_provider->encrypt_iov)(
- &seq_enc_key, 0,
- kiov, kiov_count));
+ code = krb5_k_create_key(context, &seq_enc_key, &key);
+ if (code)
+ goto cleanup_arcfour;
+ code = (*kaccess.arcfour_enc_provider->encrypt_iov)(key, 0, kiov,
+ kiov_count);
+ krb5_k_free_key(context, key);
cleanup_arcfour:
memset (seq_enc_key.contents, 0, seq_enc_key.length);
memset (usage_key.contents, 0, usage_key.length);
Modified: branches/enc-perf/src/lib/gssapi/krb5/util_seed.c
===================================================================
--- branches/enc-perf/src/lib/gssapi/krb5/util_seed.c 2009-10-15 19:57:29 UTC (rev 22902)
+++ branches/enc-perf/src/lib/gssapi/krb5/util_seed.c 2009-10-15 20:56:44 UTC (rev 22903)
@@ -31,25 +31,31 @@
krb5_error_code
kg_make_seed(context, key, seed)
krb5_context context;
- krb5_keyblock *key;
+ krb5_key key;
unsigned char *seed;
{
krb5_error_code code;
- krb5_keyblock *tmpkey;
+ krb5_key rkey = NULL;
+ krb5_keyblock *tmpkey, *kb;
unsigned int i;
- code = krb5_copy_keyblock(context, key, &tmpkey);
+ code = krb5_k_key_keyblock(context, key, &tmpkey);
if (code)
return(code);
/* reverse the key bytes, as per spec */
-
+ kb = &key->keyblock;
for (i=0; i<tmpkey->length; i++)
- tmpkey->contents[i] = key->contents[key->length - 1 - i];
+ tmpkey->contents[i] = kb->contents[kb->length - 1 - i];
- code = kg_encrypt(context, tmpkey, KG_USAGE_SEAL, NULL, zeros, seed, 16);
+ code = krb5_k_create_key(context, tmpkey, &rkey);
+ if (code)
+ goto cleanup;
+ code = kg_encrypt(context, rkey, KG_USAGE_SEAL, NULL, zeros, seed, 16);
+
+cleanup:
krb5_free_keyblock(context, tmpkey);
-
+ krb5_k_free_key(context, rkey);
return(code);
}
Modified: branches/enc-perf/src/lib/gssapi/krb5/util_seqnum.c
===================================================================
--- branches/enc-perf/src/lib/gssapi/krb5/util_seqnum.c 2009-10-15 19:57:29 UTC (rev 22902)
+++ branches/enc-perf/src/lib/gssapi/krb5/util_seqnum.c 2009-10-15 20:56:44 UTC (rev 22903)
@@ -32,7 +32,7 @@
krb5_error_code
kg_make_seq_num(context, key, direction, seqnum, cksum, buf)
krb5_context context;
- krb5_keyblock *key;
+ krb5_key key;
int direction;
krb5_ui_4 seqnum;
unsigned char *cksum;
@@ -44,11 +44,11 @@
plain[5] = direction;
plain[6] = direction;
plain[7] = direction;
- if (key->enctype == ENCTYPE_ARCFOUR_HMAC ||
- key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+ if (key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC ||
+ key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
/* Yes, Microsoft used big-endian sequence number.*/
store_32_be(seqnum, plain);
- return kg_arcfour_docrypt (key, 0,
+ return kg_arcfour_docrypt (&key->keyblock, 0,
cksum, 8,
&plain[0], 8,
buf);
@@ -61,7 +61,7 @@
krb5_error_code kg_get_seq_num(context, key, cksum, buf, direction, seqnum)
krb5_context context;
- krb5_keyblock *key;
+ krb5_key key;
unsigned char *cksum;
unsigned char *buf;
int *direction;
@@ -70,9 +70,9 @@
krb5_error_code code;
unsigned char plain[8];
- if (key->enctype == ENCTYPE_ARCFOUR_HMAC ||
- key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
- code = kg_arcfour_docrypt (key, 0,
+ if (key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC ||
+ key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+ code = kg_arcfour_docrypt (&key->keyblock, 0,
cksum, 8,
buf, 8,
plain);
@@ -88,8 +88,8 @@
return((krb5_error_code) KG_BAD_SEQ);
*direction = plain[4];
- if (key->enctype == ENCTYPE_ARCFOUR_HMAC ||
- key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+ if (key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC ||
+ key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
*seqnum = (plain[3]|(plain[2]<<8) | (plain[1]<<16)| (plain[0]<<24));
} else {
*seqnum = ((plain[0]) |
Modified: branches/enc-perf/src/lib/gssapi/krb5/wrap_size_limit.c
===================================================================
--- branches/enc-perf/src/lib/gssapi/krb5/wrap_size_limit.c 2009-10-15 19:57:29 UTC (rev 22902)
+++ branches/enc-perf/src/lib/gssapi/krb5/wrap_size_limit.c 2009-10-15 20:56:44 UTC (rev 22903)
@@ -114,10 +114,12 @@
/* Token header: 16 octets. */
if (conf_req_flag) {
+ krb5_key key;
krb5_enctype enctype;
- enctype = ctx->have_acceptor_subkey ? ctx->acceptor_subkey->enctype
- : ctx->subkey->enctype;
+ key = ctx->have_acceptor_subkey ? ctx->acceptor_subkey
+ : ctx->subkey;
+ enctype = key->keyblock.enctype;
while (sz > 0 && krb5_encrypt_size(sz, enctype) + 16 > req_output_size)
sz--;