[krbdev.mit.edu #6440] PRF doesn't work under des3-cbc-hmac-sha1-kd environment

The RT System itself via RT rt-comment at krbdev.mit.edu
Tue Apr 7 08:09:10 EDT 2009 

>From krb5-bugs-incoming-bounces at PCH.mit.edu  Tue Apr  7 12:09:10 2009
Return-Path: <krb5-bugs-incoming-bounces at PCH.mit.edu>
X-Original-To: krb5-send-pr-nospam1 at krbdev.mit.edu
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
	by krbdev.mit.edu (Postfix) with ESMTP id 6F74ECCF14;
	Tue,  7 Apr 2009 12:09:07 +0000 (UTC)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
	by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n37C97Gd014009;
	Tue, 7 Apr 2009 08:09:07 -0400
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU
	[18.7.7.76])
	by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n368GZ8F030757
	for <krb5-bugs-incoming at PCH.mit.edu>; Mon, 6 Apr 2009 04:16:35 -0400
Received: from mit.edu (W92-130-BARRACUDA-2.MIT.EDU [18.7.21.223])
	by fort-point-station.mit.edu (8.13.6/8.9.2) with ESMTP id
	n368GQex023172
	for <krb5-bugs at mit.edu>; Mon, 6 Apr 2009 04:16:26 -0400 (EDT)
Received: from localhost.tahi.org (localhost [127.0.0.1])
	by mit.edu (Spam Firewall) with ESMTP id E097315A7B36
	for <krb5-bugs at mit.edu>; Mon,  6 Apr 2009 04:16:25 -0400 (EDT)
Received: from localhost.tahi.org (120.145.221.202.bf.2iij.net
	[202.221.145.120]) by mit.edu with ESMTP id 7DhTUi4C6gHq7Gil
	(version=TLSv1 cipher=AES256-SHA bits=256 verify=NO) for
	<krb5-bugs at mit.edu>; Mon, 06 Apr 2009 04:16:24 -0400 (EDT)
Received: from localhost.tahi.org (localhost [127.0.0.1])
	by localhost.tahi.org (8.14.2/8.14.2) with ESMTP id n368G7WA017631;
	Mon, 6 Apr 2009 17:16:07 +0900 (JST)
	(envelope-from akisada at localhost.tahi.org)
Received: (from akisada at localhost)
	by localhost.tahi.org (8.14.2/8.14.2/Submit) id n368G7Gn017630;
	Mon, 6 Apr 2009 17:16:07 +0900 (JST) (envelope-from akisada)
Date: Mon, 6 Apr 2009 17:16:07 +0900 (JST)
Message-Id: <200904060816.n368G7Gn017630 at localhost.tahi.org>
To: krb5-bugs at mit.edu
Subject: PRF for des3-cbc-hmac-sha1-kd
From: Yukiyo Akisada <akisada at tahi.org>
X-send-pr-version: 3.99
X-Spam-Score: 0.737
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
X-Mailman-Approved-At: Tue, 07 Apr 2009 08:09:03 -0400
Cc: akisada at tahi.org
X-BeenThere: krb5-bugs-incoming at mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: akisada at tahi.org
Sender: krb5-bugs-incoming-bounces at PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces at PCH.mit.edu


>Submitter-Id:	net
>Originator:	Yukiyo Akisada
>Organization:
	TAHI Project
>Confidential:	no
>Synopsis:	PRF doesn't work under des3-cbc-hmac-sha1-kd environment
>Severity:	serious
>Priority:	medium
>Category:	krb5-libs
>Class:		sw-bug
>Release:	1.6.3
>Environment:
	Panasonic CF-R7, FreeBSD 7.0-RELEASE-p6, krb5-1.6.3_5 (installed from FreeBSD ports system)
System: FreeBSD localhost.tahi.org 7.0-RELEASE-p6 FreeBSD 7.0-RELEASE-p6 #0: Tue Dec 9 16:22:14 JST 2008 akisada at bahamut.akisada.net:/usr/obj/usr/src/sys/TAHI i386


>Description:
	Hi, all.
	
	I may misunderstand RFC 3961,
	but in my understanding, des3-cbc-hmac-sha1-kd (etype=16) uses
	PRF on Simplified Profile as its pseudo-random function.
	
	Now, I want to use PRF function
	from Krb5-1.8 perl module which is based on MIT krb5-1.6.3 implementation.
	
	    Krb5: <http://search.cpan.org/dist/Krb5/>
	
	But, PRF function for ENCTYPE_DES3_CBC_SHA1 has not be
	defined in <krb5-1.6.3/src/lib/crypto/etypes.c>.
	
	Indeed,
	I need some modification into Krb5-1.8 to export prf function from krb5-1.6.3,
	but I also need the following modification into krb5-1.6.3.
	
	In this moment,
	the following modification (at Fix section) matches with my expected behavior,
	but I'm not sure whether this modification against krb5-1.6.3 is correct or not.
	
	Please investigate this.

	Thanks,

>How-To-Repeat:
	just by calling krb5_c_prf() function under des3-cbc-hmac-sha1-kd
>Fix:
	--- krb5-1.6.3/src/lib/crypto/etypes.c.orig 2009-04-01 17:02:56.000000000 +0900
	+++ krb5-1.6.3/src/lib/crypto/etypes.c  2009-04-01 14:42:01.000000000 +0900
	@@ -94,26 +94,26 @@
	     { ENCTYPE_DES3_CBC_SHA1,
	       "des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1",
	       &krb5int_enc_des3, &krb5int_hash_sha1,
	-      8,
	+      16,
	       krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
	       krb5int_dk_string_to_key,
	-      NULL, /*PRF*/
	+      krb5int_dk_prf, /*PRF*/
	       CKSUMTYPE_HMAC_SHA1_DES3 },
	     { ENCTYPE_DES3_CBC_SHA1,   /* alias */
	       "des3-hmac-sha1", "Triple DES cbc mode with HMAC/sha1",
	       &krb5int_enc_des3, &krb5int_hash_sha1,
	-      8,
	+      16,
	       krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
	       krb5int_dk_string_to_key,
	-      NULL, /*PRF*/
	+      krb5int_dk_prf, /*PRF*/
	       CKSUMTYPE_HMAC_SHA1_DES3 },
	     { ENCTYPE_DES3_CBC_SHA1,   /* alias */
	       "des3-cbc-sha1-kd", "Triple DES cbc mode with HMAC/sha1",
	       &krb5int_enc_des3, &krb5int_hash_sha1,
	-      8,
	+      16,
	       krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
	       krb5int_dk_string_to_key,
	-      NULL, /*PRF*/
	+      krb5int_dk_prf, /*PRF*/
	       CKSUMTYPE_HMAC_SHA1_DES3 },
	
	     { ENCTYPE_DES_HMAC_SHA1,

More information about the krb5-bugs mailing list