1
/*
2
 * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
3
 * (Royal Institute of Technology, Stockholm, Sweden).
4
 * All rights reserved.
5
 *
6
 * Redistribution and use in source and binary forms, with or without
7
 * modification, are permitted provided that the following conditions
8
 * are met:
9
 *
10
 * 1. Redistributions of source code must retain the above copyright
11
 *    notice, this list of conditions and the following disclaimer.
12
 *
13
 * 2. Redistributions in binary form must reproduce the above copyright
14
 *    notice, this list of conditions and the following disclaimer in the
15
 *    documentation and/or other materials provided with the distribution.
16
 *
17
 * 3. Neither the name of the Institute nor the names of its contributors
18
 *    may be used to endorse or promote products derived from this software
19
 *    without specific prior written permission.
20
 *
21
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31
 * SUCH DAMAGE.
32
 */
33

34
#include "krb5_locl.h"
35

36
struct _krb5_key_usage {
37
    unsigned usage;
38
    struct _krb5_key_data key;
39
};
40

41

42
#ifndef HEIMDAL_SMALLER
43
#define DES3_OLD_ENCTYPE 1
44
#endif
45

46
static krb5_error_code _get_derived_key(krb5_context, krb5_crypto,
47
					unsigned, struct _krb5_key_data**);
48
static struct _krb5_key_data *_new_derived_key(krb5_crypto crypto, unsigned usage);
49

50
static void free_key_schedule(krb5_context,
51
			      struct _krb5_key_data *,
52
			      struct _krb5_encryption_type *);
53

54
/* 
55
 * Converts etype to a user readable string and sets as a side effect
56
 * the krb5_error_message containing this string. Returns
57
 * KRB5_PROG_ETYPE_NOSUPP in not the conversion of the etype failed in
58
 * which case the error code of the etype convesion is returned.
59
 */
60

61
static krb5_error_code
62
unsupported_enctype(krb5_context context, krb5_enctype etype)
63
{
64
    krb5_error_code ret;
65
    char *name;
66

67
    ret = krb5_enctype_to_string(context, etype, &name);
68
    if (ret)
69
	return ret;
70

71
    krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
72
			   N_("Encryption type %s not supported", ""),
73
			   name);
74
    free(name);
75
    return KRB5_PROG_ETYPE_NOSUPP;
76
}
77

78
/*
79
 *
80
 */
81

82
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
83
krb5_enctype_keysize(krb5_context context,
84
		     krb5_enctype type,
85
		     size_t *keysize)
86
{
87
    struct _krb5_encryption_type *et = _krb5_find_enctype(type);
88
    if(et == NULL) {
89
        return unsupported_enctype (context, type);
90
    }
91
    *keysize = et->keytype->size;
92
    return 0;
93
}
94

95
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
96
krb5_enctype_keybits(krb5_context context,
97
		     krb5_enctype type,
98
		     size_t *keybits)
99
{
100
    struct _krb5_encryption_type *et = _krb5_find_enctype(type);
101
    if(et == NULL) {
102
        return unsupported_enctype (context, type);
103
    }
104
    *keybits = et->keytype->bits;
105
    return 0;
106
}
107

108
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
109
krb5_generate_random_keyblock(krb5_context context,
110
			      krb5_enctype type,
111
			      krb5_keyblock *key)
112
{
113
    krb5_error_code ret;
114
    struct _krb5_encryption_type *et = _krb5_find_enctype(type);
115
    if(et == NULL) {
116
        return unsupported_enctype (context, type);
117
    }
118
    ret = krb5_data_alloc(&key->keyvalue, et->keytype->size);
119
    if(ret)
120
	return ret;
121
    key->keytype = type;
122
    if(et->keytype->random_key)
123
	(*et->keytype->random_key)(context, key);
124
    else
125
	krb5_generate_random_block(key->keyvalue.data,
126
				   key->keyvalue.length);
127
    return 0;
128
}
129

130
static krb5_error_code
131
_key_schedule(krb5_context context,
132
	      struct _krb5_key_data *key)
133
{
134
    krb5_error_code ret;
135
    struct _krb5_encryption_type *et = _krb5_find_enctype(key->key->keytype);
136
    struct _krb5_key_type *kt;
137

138
    if (et == NULL) {
139
        return unsupported_enctype (context,
140
                               key->key->keytype);
141
    }
142

143
    kt = et->keytype;
144

145
    if(kt->schedule == NULL)
146
	return 0;
147
    if (key->schedule != NULL)
148
	return 0;
149
    ALLOC(key->schedule, 1);
150
    if(key->schedule == NULL) {
151
	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
152
	return ENOMEM;
153
    }
154
    ret = krb5_data_alloc(key->schedule, kt->schedule_size);
155
    if(ret) {
156
	free(key->schedule);
157
	key->schedule = NULL;
158
	return ret;
159
    }
160
    (*kt->schedule)(context, kt, key);
161
    return 0;
162
}
163

164
/************************************************************
165
 *                                                          *
166
 ************************************************************/
167

168
static krb5_error_code
169
SHA1_checksum(krb5_context context,
170
	      struct _krb5_key_data *key,
171
	      const void *data,
172
	      size_t len,
173
	      unsigned usage,
174
	      Checksum *C)
175
{
176
    if (EVP_Digest(data, len, C->checksum.data, NULL, EVP_sha1(), NULL) != 1)
177
	krb5_abortx(context, "sha1 checksum failed");
178
    return 0;
179
}
180

181
/* HMAC according to RFC2104 */
182
krb5_error_code
183
_krb5_internal_hmac(krb5_context context,
184
		    struct _krb5_checksum_type *cm,
185
		    const void *data,
186
		    size_t len,
187
		    unsigned usage,
188
		    struct _krb5_key_data *keyblock,
189
		    Checksum *result)
190
{
191
    unsigned char *ipad, *opad;
192
    unsigned char *key;
193
    size_t key_len;
194
    size_t i;
195

196
    ipad = malloc(cm->blocksize + len);
197
    if (ipad == NULL)
198
	return ENOMEM;
199
    opad = malloc(cm->blocksize + cm->checksumsize);
200
    if (opad == NULL) {
201
	free(ipad);
202
	return ENOMEM;
203
    }
204
    memset(ipad, 0x36, cm->blocksize);
205
    memset(opad, 0x5c, cm->blocksize);
206

207
    if(keyblock->key->keyvalue.length > cm->blocksize){
208
	(*cm->checksum)(context,
209
			keyblock,
210
			keyblock->key->keyvalue.data,
211
			keyblock->key->keyvalue.length,
212
			usage,
213
			result);
214
	key = result->checksum.data;
215
	key_len = result->checksum.length;
216
    } else {
217
	key = keyblock->key->keyvalue.data;
218
	key_len = keyblock->key->keyvalue.length;
219
    }
220
    for(i = 0; i < key_len; i++){
221
	ipad[i] ^= key[i];
222
	opad[i] ^= key[i];
223
    }
224
    memcpy(ipad + cm->blocksize, data, len);
225
    (*cm->checksum)(context, keyblock, ipad, cm->blocksize + len,
226
		    usage, result);
227
    memcpy(opad + cm->blocksize, result->checksum.data,
228
	   result->checksum.length);
229
    (*cm->checksum)(context, keyblock, opad,
230
		    cm->blocksize + cm->checksumsize, usage, result);
231
    memset(ipad, 0, cm->blocksize + len);
232
    free(ipad);
233
    memset(opad, 0, cm->blocksize + cm->checksumsize);
234
    free(opad);
235

236
    return 0;
237
}
238

239
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
240
krb5_hmac(krb5_context context,
241
	  krb5_cksumtype cktype,
242
	  const void *data,
243
	  size_t len,
244
	  unsigned usage,
245
	  krb5_keyblock *key,
246
	  Checksum *result)
247
{
248
    struct _krb5_checksum_type *c = _krb5_find_checksum(cktype);
249
    struct _krb5_key_data kd;
250
    krb5_error_code ret;
251

252
    if (c == NULL) {
253
	krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
254
				N_("checksum type %d not supported", ""),
255
				cktype);
256
	return KRB5_PROG_SUMTYPE_NOSUPP;
257
    }
258

259
    kd.key = key;
260
    kd.schedule = NULL;
261

262
    ret = _krb5_internal_hmac(context, c, data, len, usage, &kd, result);
263

264
    if (kd.schedule)
265
	krb5_free_data(context, kd.schedule);
266

267
    return ret;
268
}
269

270
krb5_error_code
271
_krb5_SP_HMAC_SHA1_checksum(krb5_context context,
272
			    struct _krb5_key_data *key,
273
			    const void *data,
274
			    size_t len,
275
			    unsigned usage,
276
			    Checksum *result)
277
{
278
    struct _krb5_checksum_type *c = _krb5_find_checksum(CKSUMTYPE_SHA1);
279
    Checksum res;
280
    char sha1_data[20];
281
    krb5_error_code ret;
282

283
    res.checksum.data = sha1_data;
284
    res.checksum.length = sizeof(sha1_data);
285

286
    ret = _krb5_internal_hmac(context, c, data, len, usage, key, &res);
287
    if (ret)
288
	krb5_abortx(context, "hmac failed");
289
    memcpy(result->checksum.data, res.checksum.data, result->checksum.length);
290
    return 0;
291
}
292

293
struct _krb5_checksum_type _krb5_checksum_sha1 = {
294
    CKSUMTYPE_SHA1,
295
    "sha1",
296
    64,
297
    20,
298
    F_CPROOF,
299
    SHA1_checksum,
300
    NULL
301
};
302

303
struct _krb5_checksum_type *
304
_krb5_find_checksum(krb5_cksumtype type)
305
{
306
    int i;
307
    for(i = 0; i < _krb5_num_checksums; i++)
308
	if(_krb5_checksum_types[i]->type == type)
309
	    return _krb5_checksum_types[i];
310
    return NULL;
311
}
312

313
static krb5_error_code
314
get_checksum_key(krb5_context context,
315
		 krb5_crypto crypto,
316
		 unsigned usage,  /* not krb5_key_usage */
317
		 struct _krb5_checksum_type *ct,
318
		 struct _krb5_key_data **key)
319
{
320
    krb5_error_code ret = 0;
321

322
    if(ct->flags & F_DERIVED)
323
	ret = _get_derived_key(context, crypto, usage, key);
324
    else if(ct->flags & F_VARIANT) {
325
	size_t i;
326

327
	*key = _new_derived_key(crypto, 0xff/* KRB5_KU_RFC1510_VARIANT */);
328
	if(*key == NULL) {
329
	    krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
330
	    return ENOMEM;
331
	}
332
	ret = krb5_copy_keyblock(context, crypto->key.key, &(*key)->key);
333
	if(ret)
334
	    return ret;
335
	for(i = 0; i < (*key)->key->keyvalue.length; i++)
336
	    ((unsigned char*)(*key)->key->keyvalue.data)[i] ^= 0xF0;
337
    } else {
338
	*key = &crypto->key;
339
    }
340
    if(ret == 0)
341
	ret = _key_schedule(context, *key);
342
    return ret;
343
}
344

345
static krb5_error_code
346
create_checksum (krb5_context context,
347
		 struct _krb5_checksum_type *ct,
348
		 krb5_crypto crypto,
349
		 unsigned usage,
350
		 void *data,
351
		 size_t len,
352
		 Checksum *result)
353
{
354
    krb5_error_code ret;
355
    struct _krb5_key_data *dkey;
356
    int keyed_checksum;
357

358
    if (ct->flags & F_DISABLED) {
359
	krb5_clear_error_message (context);
360
	return KRB5_PROG_SUMTYPE_NOSUPP;
361
    }
362
    keyed_checksum = (ct->flags & F_KEYED) != 0;
363
    if(keyed_checksum && crypto == NULL) {
364
	krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
365
				N_("Checksum type %s is keyed but no "
366
				   "crypto context (key) was passed in", ""),
367
				ct->name);
368
	return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
369
    }
370
    if(keyed_checksum) {
371
	ret = get_checksum_key(context, crypto, usage, ct, &dkey);
372
	if (ret)
373
	    return ret;
374
    } else
375
	dkey = NULL;
376
    result->cksumtype = ct->type;
377
    ret = krb5_data_alloc(&result->checksum, ct->checksumsize);
378
    if (ret)
379
	return (ret);
380
    return (*ct->checksum)(context, dkey, data, len, usage, result);
381
}
382

383
static int
384
arcfour_checksum_p(struct _krb5_checksum_type *ct, krb5_crypto crypto)
385
{
386
    return (ct->type == CKSUMTYPE_HMAC_MD5) &&
387
	(crypto->key.key->keytype == KEYTYPE_ARCFOUR);
388
}
389

390
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
391
krb5_create_checksum(krb5_context context,
392
		     krb5_crypto crypto,
393
		     krb5_key_usage usage,
394
		     int type,
395
		     void *data,
396
		     size_t len,
397
		     Checksum *result)
398
{
399
    struct _krb5_checksum_type *ct = NULL;
400
    unsigned keyusage;
401

402
    /* type 0 -> pick from crypto */
403
    if (type) {
404
	ct = _krb5_find_checksum(type);
405
    } else if (crypto) {
406
	ct = crypto->et->keyed_checksum;
407
	if (ct == NULL)
408
	    ct = crypto->et->checksum;
409
    }
410

411
    if(ct == NULL) {
412
	krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
413
				N_("checksum type %d not supported", ""),
414
				type);
415
	return KRB5_PROG_SUMTYPE_NOSUPP;
416
    }
417

418
    if (arcfour_checksum_p(ct, crypto)) {
419
	keyusage = usage;
420
	_krb5_usage2arcfour(context, &keyusage);
421
    } else
422
	keyusage = CHECKSUM_USAGE(usage);
423

424
    return create_checksum(context, ct, crypto, keyusage,
425
			   data, len, result);
426
}
427

428
static krb5_error_code
429
verify_checksum(krb5_context context,
430
		krb5_crypto crypto,
431
		unsigned usage, /* not krb5_key_usage */
432
		void *data,
433
		size_t len,
434
		Checksum *cksum)
435
{
436
    krb5_error_code ret;
437
    struct _krb5_key_data *dkey;
438
    int keyed_checksum;
439
    Checksum c;
440
    struct _krb5_checksum_type *ct;
441

442
    ct = _krb5_find_checksum(cksum->cksumtype);
443
    if (ct == NULL || (ct->flags & F_DISABLED)) {
444
	krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
445
				N_("checksum type %d not supported", ""),
446
				cksum->cksumtype);
447
	return KRB5_PROG_SUMTYPE_NOSUPP;
448
    }
449
    if(ct->checksumsize != cksum->checksum.length) {
450
	krb5_clear_error_message (context);
451
	krb5_set_error_message(context, KRB5KRB_AP_ERR_BAD_INTEGRITY,
452
			       N_("Decrypt integrity check failed for checksum type %s, "
453
				  "length was %u, expected %u", ""),
454
			       ct->name, (unsigned)cksum->checksum.length,
455
			       (unsigned)ct->checksumsize);
456

457
	return KRB5KRB_AP_ERR_BAD_INTEGRITY; /* XXX */
458
    }
459
    keyed_checksum = (ct->flags & F_KEYED) != 0;
460
    if(keyed_checksum) {
461
	struct _krb5_checksum_type *kct;
462
	if (crypto == NULL) {
463
	    krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
464
				   N_("Checksum type %s is keyed but no "
465
				      "crypto context (key) was passed in", ""),
466
				   ct->name);
467
	    return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
468
	}
469
	kct = crypto->et->keyed_checksum;
470
	if (kct == NULL || kct->type != ct->type) {
471
	    krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
472
				   N_("Checksum type %s is keyed, but "
473
				      "the key type %s passed didnt have that checksum "
474
				      "type as the keyed type", ""),
475
				    ct->name, crypto->et->name);
476
	    return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
477
	}
478

479
	ret = get_checksum_key(context, crypto, usage, ct, &dkey);
480
	if (ret)
481
	    return ret;
482
    } else
483
	dkey = NULL;
484

485
    /*
486
     * If checksum have a verify function, lets use that instead of
487
     * calling ->checksum and then compare result.
488
     */
489

490
    if(ct->verify) {
491
	ret = (*ct->verify)(context, dkey, data, len, usage, cksum);
492
	if (ret)
493
	    krb5_set_error_message(context, ret,
494
				   N_("Decrypt integrity check failed for checksum "
495
				      "type %s, key type %s", ""),
496
				   ct->name, (crypto != NULL)? crypto->et->name : "(none)");
497
	return ret;
498
    }
499

500
    ret = krb5_data_alloc (&c.checksum, ct->checksumsize);
501
    if (ret)
502
	return ret;
503

504
    ret = (*ct->checksum)(context, dkey, data, len, usage, &c);
505
    if (ret) {
506
	krb5_data_free(&c.checksum);
507
	return ret;
508
    }
509

510
    if(krb5_data_ct_cmp(&c.checksum, &cksum->checksum) != 0) {
511
	ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
512
	krb5_set_error_message(context, ret,
513
			       N_("Decrypt integrity check failed for checksum "
514
				  "type %s, key type %s", ""),
515
			       ct->name, crypto ? crypto->et->name : "(unkeyed)");
516
    } else {
517
	ret = 0;
518
    }
519
    krb5_data_free (&c.checksum);
520
    return ret;
521
}
522

523
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
524
krb5_verify_checksum(krb5_context context,
525
		     krb5_crypto crypto,
526
		     krb5_key_usage usage,
527
		     void *data,
528
		     size_t len,
529
		     Checksum *cksum)
530
{
531
    struct _krb5_checksum_type *ct;
532
    unsigned keyusage;
533

534
    ct = _krb5_find_checksum(cksum->cksumtype);
535
    if(ct == NULL) {
536
	krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
537
				N_("checksum type %d not supported", ""),
538
				cksum->cksumtype);
539
	return KRB5_PROG_SUMTYPE_NOSUPP;
540
    }
541

542
    if (arcfour_checksum_p(ct, crypto)) {
543
	keyusage = usage;
544
	_krb5_usage2arcfour(context, &keyusage);
545
    } else
546
	keyusage = CHECKSUM_USAGE(usage);
547

548
    return verify_checksum(context, crypto, keyusage,
549
			   data, len, cksum);
550
}
551

552
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
553
krb5_crypto_get_checksum_type(krb5_context context,
554
                              krb5_crypto crypto,
555
			      krb5_cksumtype *type)
556
{
557
    struct _krb5_checksum_type *ct = NULL;
558

559
    if (crypto != NULL) {
560
        ct = crypto->et->keyed_checksum;
561
        if (ct == NULL)
562
            ct = crypto->et->checksum;
563
    }
564

565
    if (ct == NULL) {
566
	krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
567
				N_("checksum type not found", ""));
568
        return KRB5_PROG_SUMTYPE_NOSUPP;
569
    }
570

571
    *type = ct->type;
572

573
    return 0;
574
}
575

576

577
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
578
krb5_checksumsize(krb5_context context,
579
		  krb5_cksumtype type,
580
		  size_t *size)
581
{
582
    struct _krb5_checksum_type *ct = _krb5_find_checksum(type);
583
    if(ct == NULL) {
584
	krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
585
				N_("checksum type %d not supported", ""),
586
				type);
587
	return KRB5_PROG_SUMTYPE_NOSUPP;
588
    }
589
    *size = ct->checksumsize;
590
    return 0;
591
}
592

593
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
594
krb5_checksum_is_keyed(krb5_context context,
595
		       krb5_cksumtype type)
596
{
597
    struct _krb5_checksum_type *ct = _krb5_find_checksum(type);
598
    if(ct == NULL) {
599
	if (context)
600
	    krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
601
				    N_("checksum type %d not supported", ""),
602
				    type);
603
	return KRB5_PROG_SUMTYPE_NOSUPP;
604
    }
605
    return ct->flags & F_KEYED;
606
}
607

608
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
609
krb5_checksum_is_collision_proof(krb5_context context,
610
				 krb5_cksumtype type)
611
{
612
    struct _krb5_checksum_type *ct = _krb5_find_checksum(type);
613
    if(ct == NULL) {
614
	if (context)
615
	    krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
616
				    N_("checksum type %d not supported", ""),
617
				    type);
618
	return KRB5_PROG_SUMTYPE_NOSUPP;
619
    }
620
    return ct->flags & F_CPROOF;
621
}
622

623
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
624
krb5_checksum_disable(krb5_context context,
625
		      krb5_cksumtype type)
626
{
627
    struct _krb5_checksum_type *ct = _krb5_find_checksum(type);
628
    if(ct == NULL) {
629
	if (context)
630
	    krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
631
				    N_("checksum type %d not supported", ""),
632
				    type);
633
	return KRB5_PROG_SUMTYPE_NOSUPP;
634
    }
635
    ct->flags |= F_DISABLED;
636
    return 0;
637
}
638

639
/************************************************************
640
 *                                                          *
641
 ************************************************************/
642

643
struct _krb5_encryption_type *
644
_krb5_find_enctype(krb5_enctype type)
645
{
646
    int i;
647
    for(i = 0; i < _krb5_num_etypes; i++)
648
	if(_krb5_etypes[i]->type == type)
649
	    return _krb5_etypes[i];
650
    return NULL;
651
}
652

653

654
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
655
krb5_enctype_to_string(krb5_context context,
656
		       krb5_enctype etype,
657
		       char **string)
658
{
659
    struct _krb5_encryption_type *e;
660
    e = _krb5_find_enctype(etype);
661
    if(e == NULL) {
662
	krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
663
				N_("encryption type %d not supported", ""),
664
				etype);
665
	*string = NULL;
666
	return KRB5_PROG_ETYPE_NOSUPP;
667
    }
668
    *string = strdup(e->name);
669
    if(*string == NULL) {
670
	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
671
	return ENOMEM;
672
    }
673
    return 0;
674
}
675

676
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
677
krb5_string_to_enctype(krb5_context context,
678
		       const char *string,
679
		       krb5_enctype *etype)
680
{
681
    int i;
682
    for(i = 0; i < _krb5_num_etypes; i++)
683
	if(strcasecmp(_krb5_etypes[i]->name, string) == 0){
684
	    *etype = _krb5_etypes[i]->type;
685
	    return 0;
686
	}
687
    krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
688
			    N_("encryption type %s not supported", ""),
689
			    string);
690
    return KRB5_PROG_ETYPE_NOSUPP;
691
}
692

693
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
694
krb5_enctype_to_keytype(krb5_context context,
695
			krb5_enctype etype,
696
			krb5_keytype *keytype)
697
{
698
    struct _krb5_encryption_type *e = _krb5_find_enctype(etype);
699
    if(e == NULL) {
700
        return unsupported_enctype (context, etype);
701
    }
702
    *keytype = e->keytype->type; /* XXX */
703
    return 0;
704
}
705

706
/**
707
 * Check if a enctype is valid, return 0 if it is.
708
 *
709
 * @param context Kerberos context
710
 * @param etype enctype to check if its valid or not
711
 *
712
 * @return Return an error code for an failure or 0 on success (enctype valid).
713
 * @ingroup krb5_crypto
714
 */
715

716
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
717
krb5_enctype_valid(krb5_context context,
718
		   krb5_enctype etype)
719
{
720
    struct _krb5_encryption_type *e = _krb5_find_enctype(etype);
721
    if(e && (e->flags & F_DISABLED) == 0)
722
	return 0;
723
    if (context == NULL)
724
	return KRB5_PROG_ETYPE_NOSUPP;
725
    if(e == NULL) {
726
        return unsupported_enctype (context, etype);
727
    }
728
    /* Must be (e->flags & F_DISABLED) */
729
    krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
730
			    N_("encryption type %s is disabled", ""),
731
			    e->name);
732
    return KRB5_PROG_ETYPE_NOSUPP;
733
}
734

735
/**
736
 * Return the coresponding encryption type for a checksum type.
737
 *
738
 * @param context Kerberos context
739
 * @param ctype The checksum type to get the result enctype for
740
 * @param etype The returned encryption, when the matching etype is
741
 * not found, etype is set to ETYPE_NULL.
742
 *
743
 * @return Return an error code for an failure or 0 on success.
744
 * @ingroup krb5_crypto
745
 */
746

747

748
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
749
krb5_cksumtype_to_enctype(krb5_context context,
750
			  krb5_cksumtype ctype,
751
			  krb5_enctype *etype)
752
{
753
    int i;
754

755
    *etype = ETYPE_NULL;
756

757
    for(i = 0; i < _krb5_num_etypes; i++) {
758
	if(_krb5_etypes[i]->keyed_checksum &&
759
	   _krb5_etypes[i]->keyed_checksum->type == ctype)
760
	    {
761
		*etype = _krb5_etypes[i]->type;
762
		return 0;
763
	    }
764
    }
765

766
    krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
767
			    N_("checksum type %d not supported", ""),
768
			    (int)ctype);
769
    return KRB5_PROG_SUMTYPE_NOSUPP;
770
}
771

772

773
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
774
krb5_cksumtype_valid(krb5_context context,
775
		     krb5_cksumtype ctype)
776
{
777
    struct _krb5_checksum_type *c = _krb5_find_checksum(ctype);
778
    if (c == NULL) {
779
	krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
780
				N_("checksum type %d not supported", ""),
781
				ctype);
782
	return KRB5_PROG_SUMTYPE_NOSUPP;
783
    }
784
    if (c->flags & F_DISABLED) {
785
	krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
786
				N_("checksum type %s is disabled", ""),
787
				c->name);
788
	return KRB5_PROG_SUMTYPE_NOSUPP;
789
    }
790
    return 0;
791
}
792

793

794
static krb5_boolean
795
derived_crypto(krb5_context context,
796
	       krb5_crypto crypto)
797
{
798
    return (crypto->et->flags & F_DERIVED) != 0;
799
}
800

801
static krb5_boolean
802
special_crypto(krb5_context context,
803
	       krb5_crypto crypto)
804
{
805
    return (crypto->et->flags & F_SPECIAL) != 0;
806
}
807

808
#define CHECKSUMSIZE(C) ((C)->checksumsize)
809
#define CHECKSUMTYPE(C) ((C)->type)
810

811
static krb5_error_code
812
encrypt_internal_derived(krb5_context context,
813
			 krb5_crypto crypto,
814
			 unsigned usage,
815
			 const void *data,
816
			 size_t len,
817
			 krb5_data *result,
818
			 void *ivec)
819
{
820
    size_t sz, block_sz, checksum_sz, total_sz;
821
    Checksum cksum;
822
    unsigned char *p, *q;
823
    krb5_error_code ret;
824
    struct _krb5_key_data *dkey;
825
    const struct _krb5_encryption_type *et = crypto->et;
826

827
    checksum_sz = CHECKSUMSIZE(et->keyed_checksum);
828

829
    sz = et->confoundersize + len;
830
    block_sz = (sz + et->padsize - 1) &~ (et->padsize - 1); /* pad */
831
    total_sz = block_sz + checksum_sz;
832
    p = calloc(1, total_sz);
833
    if(p == NULL) {
834
	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
835
	return ENOMEM;
836
    }
837

838
    q = p;
839
    krb5_generate_random_block(q, et->confoundersize); /* XXX */
840
    q += et->confoundersize;
841
    memcpy(q, data, len);
842

843
    ret = create_checksum(context,
844
			  et->keyed_checksum,
845
			  crypto,
846
			  INTEGRITY_USAGE(usage),
847
			  p,
848
			  block_sz,
849
			  &cksum);
850
    if(ret == 0 && cksum.checksum.length != checksum_sz) {
851
	free_Checksum (&cksum);
852
	krb5_clear_error_message (context);
853
	ret = KRB5_CRYPTO_INTERNAL;
854
    }
855
    if(ret)
856
	goto fail;
857
    memcpy(p + block_sz, cksum.checksum.data, cksum.checksum.length);
858
    free_Checksum (&cksum);
859
    ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
860
    if(ret)
861
	goto fail;
862
    ret = _key_schedule(context, dkey);
863
    if(ret)
864
	goto fail;
865
    ret = (*et->encrypt)(context, dkey, p, block_sz, 1, usage, ivec);
866
    if (ret)
867
	goto fail;
868
    result->data = p;
869
    result->length = total_sz;
870
    return 0;
871
 fail:
872
    memset(p, 0, total_sz);
873
    free(p);
874
    return ret;
875
}
876

877

878
static krb5_error_code
879
encrypt_internal(krb5_context context,
880
		 krb5_crypto crypto,
881
		 const void *data,
882
		 size_t len,
883
		 krb5_data *result,
884
		 void *ivec)
885
{
886
    size_t sz, block_sz, checksum_sz;
887
    Checksum cksum;
888
    unsigned char *p, *q;
889
    krb5_error_code ret;
890
    const struct _krb5_encryption_type *et = crypto->et;
891

892
    checksum_sz = CHECKSUMSIZE(et->checksum);
893

894
    sz = et->confoundersize + checksum_sz + len;
895
    block_sz = (sz + et->padsize - 1) &~ (et->padsize - 1); /* pad */
896
    p = calloc(1, block_sz);
897
    if(p == NULL) {
898
	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
899
	return ENOMEM;
900
    }
901

902
    q = p;
903
    krb5_generate_random_block(q, et->confoundersize); /* XXX */
904
    q += et->confoundersize;
905
    memset(q, 0, checksum_sz);
906
    q += checksum_sz;
907
    memcpy(q, data, len);
908

909
    ret = create_checksum(context,
910
			  et->checksum,
911
			  crypto,
912
			  0,
913
			  p,
914
			  block_sz,
915
			  &cksum);
916
    if(ret == 0 && cksum.checksum.length != checksum_sz) {
917
	krb5_clear_error_message (context);
918
	free_Checksum(&cksum);
919
	ret = KRB5_CRYPTO_INTERNAL;
920
    }
921
    if(ret)
922
	goto fail;
923
    memcpy(p + et->confoundersize, cksum.checksum.data, cksum.checksum.length);
924
    free_Checksum(&cksum);
925
    ret = _key_schedule(context, &crypto->key);
926
    if(ret)
927
	goto fail;
928
    ret = (*et->encrypt)(context, &crypto->key, p, block_sz, 1, 0, ivec);
929
    if (ret) {
930
	memset(p, 0, block_sz);
931
	free(p);
932
	return ret;
933
    }
934
    result->data = p;
935
    result->length = block_sz;
936
    return 0;
937
 fail:
938
    memset(p, 0, block_sz);
939
    free(p);
940
    return ret;
941
}
942

943
static krb5_error_code
944
encrypt_internal_special(krb5_context context,
945
			 krb5_crypto crypto,
946
			 int usage,
947
			 const void *data,
948
			 size_t len,
949
			 krb5_data *result,
950
			 void *ivec)
951
{
952
    struct _krb5_encryption_type *et = crypto->et;
953
    size_t cksum_sz = CHECKSUMSIZE(et->checksum);
954
    size_t sz = len + cksum_sz + et->confoundersize;
955
    char *tmp, *p;
956
    krb5_error_code ret;
957

958
    tmp = malloc (sz);
959
    if (tmp == NULL) {
960
	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
961
	return ENOMEM;
962
    }
963
    p = tmp;
964
    memset (p, 0, cksum_sz);
965
    p += cksum_sz;
966
    krb5_generate_random_block(p, et->confoundersize);
967
    p += et->confoundersize;
968
    memcpy (p, data, len);
969
    ret = (*et->encrypt)(context, &crypto->key, tmp, sz, TRUE, usage, ivec);
970
    if (ret) {
971
	memset(tmp, 0, sz);
972
	free(tmp);
973
	return ret;
974
    }
975
    result->data   = tmp;
976
    result->length = sz;
977
    return 0;
978
}
979

980
static krb5_error_code
981
decrypt_internal_derived(krb5_context context,
982
			 krb5_crypto crypto,
983
			 unsigned usage,
984
			 void *data,
985
			 size_t len,
986
			 krb5_data *result,
987
			 void *ivec)
988
{
989
    size_t checksum_sz;
990
    Checksum cksum;
991
    unsigned char *p;
992
    krb5_error_code ret;
993
    struct _krb5_key_data *dkey;
994
    struct _krb5_encryption_type *et = crypto->et;
995
    unsigned long l;
996

997
    checksum_sz = CHECKSUMSIZE(et->keyed_checksum);
998
    if (len < checksum_sz + et->confoundersize) {
999
	krb5_set_error_message(context, KRB5_BAD_MSIZE,
1000
			       N_("Encrypted data shorter then "
1001
				  "checksum + confunder", ""));
1002
	return KRB5_BAD_MSIZE;
1003
    }
1004

1005
    if (((len - checksum_sz) % et->padsize) != 0) {
1006
	krb5_clear_error_message(context);
1007
	return KRB5_BAD_MSIZE;
1008
    }
1009

1010
    p = malloc(len);
1011
    if(len != 0 && p == NULL) {
1012
	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1013
	return ENOMEM;
1014
    }
1015
    memcpy(p, data, len);
1016

1017
    len -= checksum_sz;
1018

1019
    ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
1020
    if(ret) {
1021
	free(p);
1022
	return ret;
1023
    }
1024
    ret = _key_schedule(context, dkey);
1025
    if(ret) {
1026
	free(p);
1027
	return ret;
1028
    }
1029
    ret = (*et->encrypt)(context, dkey, p, len, 0, usage, ivec);
1030
    if (ret) {
1031
	free(p);
1032
	return ret;
1033
    }
1034

1035
    cksum.checksum.data   = p + len;
1036
    cksum.checksum.length = checksum_sz;
1037
    cksum.cksumtype       = CHECKSUMTYPE(et->keyed_checksum);
1038

1039
    ret = verify_checksum(context,
1040
			  crypto,
1041
			  INTEGRITY_USAGE(usage),
1042
			  p,
1043
			  len,
1044
			  &cksum);
1045
    if(ret) {
1046
	free(p);
1047
	return ret;
1048
    }
1049
    l = len - et->confoundersize;
1050
    memmove(p, p + et->confoundersize, l);
1051
    result->data = realloc(p, l);
1052
    if(result->data == NULL && l != 0) {
1053
	free(p);
1054
	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1055
	return ENOMEM;
1056
    }
1057
    result->length = l;
1058
    return 0;
1059
}
1060

1061
static krb5_error_code
1062
decrypt_internal(krb5_context context,
1063
		 krb5_crypto crypto,
1064
		 void *data,
1065
		 size_t len,
1066
		 krb5_data *result,
1067
		 void *ivec)
1068
{
1069
    krb5_error_code ret;
1070
    unsigned char *p;
1071
    Checksum cksum;
1072
    size_t checksum_sz, l;
1073
    struct _krb5_encryption_type *et = crypto->et;
1074

1075
    if ((len % et->padsize) != 0) {
1076
	krb5_clear_error_message(context);
1077
	return KRB5_BAD_MSIZE;
1078
    }
1079
    checksum_sz = CHECKSUMSIZE(et->checksum);
1080
    if (len < checksum_sz + et->confoundersize) {
1081
	krb5_set_error_message(context, KRB5_BAD_MSIZE,
1082
			       N_("Encrypted data shorter then "
1083
				  "checksum + confunder", ""));
1084
	return KRB5_BAD_MSIZE;
1085
    }
1086

1087
    p = malloc(len);
1088
    if(len != 0 && p == NULL) {
1089
	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1090
	return ENOMEM;
1091
    }
1092
    memcpy(p, data, len);
1093

1094
    ret = _key_schedule(context, &crypto->key);
1095
    if(ret) {
1096
	free(p);
1097
	return ret;
1098
    }
1099
    ret = (*et->encrypt)(context, &crypto->key, p, len, 0, 0, ivec);
1100
    if (ret) {
1101
	free(p);
1102
	return ret;
1103
    }
1104
    ret = krb5_data_copy(&cksum.checksum, p + et->confoundersize, checksum_sz);
1105
    if(ret) {
1106
 	free(p);
1107
 	return ret;
1108
    }
1109
    memset(p + et->confoundersize, 0, checksum_sz);
1110
    cksum.cksumtype = CHECKSUMTYPE(et->checksum);
1111
    ret = verify_checksum(context, NULL, 0, p, len, &cksum);
1112
    free_Checksum(&cksum);
1113
    if(ret) {
1114
	free(p);
1115
	return ret;
1116
    }
1117
    l = len - et->confoundersize - checksum_sz;
1118
    memmove(p, p + et->confoundersize + checksum_sz, l);
1119
    result->data = realloc(p, l);
1120
    if(result->data == NULL && l != 0) {
1121
	free(p);
1122
	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1123
	return ENOMEM;
1124
    }
1125
    result->length = l;
1126
    return 0;
1127
}
1128

1129
static krb5_error_code
1130
decrypt_internal_special(krb5_context context,
1131
			 krb5_crypto crypto,
1132
			 int usage,
1133
			 void *data,
1134
			 size_t len,
1135
			 krb5_data *result,
1136
			 void *ivec)
1137
{
1138
    struct _krb5_encryption_type *et = crypto->et;
1139
    size_t cksum_sz = CHECKSUMSIZE(et->checksum);
1140
    size_t sz = len - cksum_sz - et->confoundersize;
1141
    unsigned char *p;
1142
    krb5_error_code ret;
1143

1144
    if ((len % et->padsize) != 0) {
1145
	krb5_clear_error_message(context);
1146
	return KRB5_BAD_MSIZE;
1147
    }
1148
    if (len < cksum_sz + et->confoundersize) {
1149
	krb5_set_error_message(context, KRB5_BAD_MSIZE,
1150
			       N_("Encrypted data shorter then "
1151
				  "checksum + confunder", ""));
1152
	return KRB5_BAD_MSIZE;
1153
    }
1154

1155
    p = malloc (len);
1156
    if (p == NULL) {
1157
	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1158
	return ENOMEM;
1159
    }
1160
    memcpy(p, data, len);
1161

1162
    ret = (*et->encrypt)(context, &crypto->key, p, len, FALSE, usage, ivec);
1163
    if (ret) {
1164
	free(p);
1165
	return ret;
1166
    }
1167

1168
    memmove (p, p + cksum_sz + et->confoundersize, sz);
1169
    result->data = realloc(p, sz);
1170
    if(result->data == NULL && sz != 0) {
1171
	free(p);
1172
	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1173
	return ENOMEM;
1174
    }
1175
    result->length = sz;
1176
    return 0;
1177
}
1178

1179
static krb5_crypto_iov *
1180
find_iv(krb5_crypto_iov *data, size_t num_data, unsigned type)
1181
{
1182
    size_t i;
1183
    for (i = 0; i < num_data; i++)
1184
	if (data[i].flags == type)
1185
	    return &data[i];
1186
    return NULL;
1187
}
1188

1189
/**
1190
 * Inline encrypt a kerberos message
1191
 *
1192
 * @param context Kerberos context
1193
 * @param crypto Kerberos crypto context
1194
 * @param usage Key usage for this buffer
1195
 * @param data array of buffers to process
1196
 * @param num_data length of array
1197
 * @param ivec initial cbc/cts vector
1198
 *
1199
 * @return Return an error code or 0.
1200
 * @ingroup krb5_crypto
1201
 *
1202
 * Kerberos encrypted data look like this:
1203
 *
1204
 * 1. KRB5_CRYPTO_TYPE_HEADER
1205
 * 2. array [1,...] KRB5_CRYPTO_TYPE_DATA and array [0,...]
1206
 *    KRB5_CRYPTO_TYPE_SIGN_ONLY in any order, however the receiver
1207
 *    have to aware of the order. KRB5_CRYPTO_TYPE_SIGN_ONLY is
1208
 *    commonly used headers and trailers.
1209
 * 3. KRB5_CRYPTO_TYPE_PADDING, at least on padsize long if padsize > 1
1210
 * 4. KRB5_CRYPTO_TYPE_TRAILER
1211
 */
1212

1213
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1214
krb5_encrypt_iov_ivec(krb5_context context,
1215
		      krb5_crypto crypto,
1216
		      unsigned usage,
1217
		      krb5_crypto_iov *data,
1218
		      int num_data,
1219
		      void *ivec)
1220
{
1221
    size_t headersz, trailersz, len;
1222
    int i;
1223
    size_t sz, block_sz, pad_sz;
1224
    Checksum cksum;
1225
    unsigned char *p, *q;
1226
    krb5_error_code ret;
1227
    struct _krb5_key_data *dkey;
1228
    const struct _krb5_encryption_type *et = crypto->et;
1229
    krb5_crypto_iov *tiv, *piv, *hiv;
1230

1231
    if (num_data < 0) {
1232
        krb5_clear_error_message(context);
1233
	return KRB5_CRYPTO_INTERNAL;
1234
    }
1235

1236
    if(!derived_crypto(context, crypto)) {
1237
	krb5_clear_error_message(context);
1238
	return KRB5_CRYPTO_INTERNAL;
1239
    }
1240

1241
    headersz = et->confoundersize;
1242
    trailersz = CHECKSUMSIZE(et->keyed_checksum);
1243

1244
    for (len = 0, i = 0; i < num_data; i++) {
1245
	if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
1246
	    continue;
1247
	len += data[i].data.length;
1248
    }
1249

1250
    sz = headersz + len;
1251
    block_sz = (sz + et->padsize - 1) &~ (et->padsize - 1); /* pad */
1252

1253
    pad_sz = block_sz - sz;
1254

1255
    /* header */
1256

1257
    hiv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
1258
    if (hiv == NULL || hiv->data.length != headersz)
1259
	return KRB5_BAD_MSIZE;
1260

1261
    krb5_generate_random_block(hiv->data.data, hiv->data.length);
1262

1263
    /* padding */
1264
    piv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_PADDING);
1265
    /* its ok to have no TYPE_PADDING if there is no padding */
1266
    if (piv == NULL && pad_sz != 0)
1267
	return KRB5_BAD_MSIZE;
1268
    if (piv) {
1269
	if (piv->data.length < pad_sz)
1270
	    return KRB5_BAD_MSIZE;
1271
	piv->data.length = pad_sz;
1272
	if (pad_sz)
1273
	    memset(piv->data.data, pad_sz, pad_sz);
1274
	else
1275
	    piv = NULL;
1276
    }
1277

1278
    /* trailer */
1279
    tiv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
1280
    if (tiv == NULL || tiv->data.length != trailersz)
1281
	return KRB5_BAD_MSIZE;
1282

1283
    /*
1284
     * XXX replace with EVP_Sign? at least make create_checksum an iov
1285
     * function.
1286
     * XXX CTS EVP is broken, can't handle multi buffers :(
1287
     */
1288

1289
    len = block_sz;
1290
    for (i = 0; i < num_data; i++) {
1291
	if (data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
1292
	    continue;
1293
	len += data[i].data.length;
1294
    }
1295

1296
    p = q = malloc(len);
1297

1298
    memcpy(q, hiv->data.data, hiv->data.length);
1299
    q += hiv->data.length;
1300
    for (i = 0; i < num_data; i++) {
1301
	if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
1302
	    data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
1303
	    continue;
1304
	memcpy(q, data[i].data.data, data[i].data.length);
1305
	q += data[i].data.length;
1306
    }
1307
    if (piv)
1308
	memset(q, 0, piv->data.length);
1309

1310
    ret = create_checksum(context,
1311
			  et->keyed_checksum,
1312
			  crypto,
1313
			  INTEGRITY_USAGE(usage),
1314
			  p,
1315
			  len,
1316
			  &cksum);
1317
    free(p);
1318
    if(ret == 0 && cksum.checksum.length != trailersz) {
1319
	free_Checksum (&cksum);
1320
	krb5_clear_error_message (context);
1321
	ret = KRB5_CRYPTO_INTERNAL;
1322
    }
1323
    if(ret)
1324
	return ret;
1325

1326
    /* save cksum at end */
1327
    memcpy(tiv->data.data, cksum.checksum.data, cksum.checksum.length);
1328
    free_Checksum (&cksum);
1329

1330
    /* XXX replace with EVP_Cipher */
1331
    p = q = malloc(block_sz);
1332
    if(p == NULL)
1333
	return ENOMEM;
1334

1335
    memcpy(q, hiv->data.data, hiv->data.length);
1336
    q += hiv->data.length;
1337

1338
    for (i = 0; i < num_data; i++) {
1339
	if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
1340
	    continue;
1341
	memcpy(q, data[i].data.data, data[i].data.length);
1342
	q += data[i].data.length;
1343
    }
1344
    if (piv)
1345
	memset(q, 0, piv->data.length);
1346

1347

1348
    ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
1349
    if(ret) {
1350
	free(p);
1351
	return ret;
1352
    }
1353
    ret = _key_schedule(context, dkey);
1354
    if(ret) {
1355
	free(p);
1356
	return ret;
1357
    }
1358

1359
    ret = (*et->encrypt)(context, dkey, p, block_sz, 1, usage, ivec);
1360
    if (ret) {
1361
	free(p);
1362
	return ret;
1363
    }
1364

1365
    /* now copy data back to buffers */
1366
    q = p;
1367

1368
    memcpy(hiv->data.data, q, hiv->data.length);
1369
    q += hiv->data.length;
1370

1371
    for (i = 0; i < num_data; i++) {
1372
	if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
1373
	    continue;
1374
	memcpy(data[i].data.data, q, data[i].data.length);
1375
	q += data[i].data.length;
1376
    }
1377
    if (piv)
1378
	memcpy(piv->data.data, q, pad_sz);
1379

1380
    free(p);
1381

1382
    return ret;
1383
}
1384

1385
/**
1386
 * Inline decrypt a Kerberos message.
1387
 *
1388
 * @param context Kerberos context
1389
 * @param crypto Kerberos crypto context
1390
 * @param usage Key usage for this buffer
1391
 * @param data array of buffers to process
1392
 * @param num_data length of array
1393
 * @param ivec initial cbc/cts vector
1394
 *
1395
 * @return Return an error code or 0.
1396
 * @ingroup krb5_crypto
1397
 *
1398
 * 1. KRB5_CRYPTO_TYPE_HEADER
1399
 * 2. one KRB5_CRYPTO_TYPE_DATA and array [0,...] of KRB5_CRYPTO_TYPE_SIGN_ONLY in
1400
 *  any order, however the receiver have to aware of the
1401
 *  order. KRB5_CRYPTO_TYPE_SIGN_ONLY is commonly used unencrypoted
1402
 *  protocol headers and trailers. The output data will be of same
1403
 *  size as the input data or shorter.
1404
 */
1405

1406
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1407
krb5_decrypt_iov_ivec(krb5_context context,
1408
		      krb5_crypto crypto,
1409
		      unsigned usage,
1410
		      krb5_crypto_iov *data,
1411
		      unsigned int num_data,
1412
		      void *ivec)
1413
{
1414
    unsigned int i;
1415
    size_t headersz, trailersz, len;
1416
    Checksum cksum;
1417
    unsigned char *p, *q;
1418
    krb5_error_code ret;
1419
    struct _krb5_key_data *dkey;
1420
    struct _krb5_encryption_type *et = crypto->et;
1421
    krb5_crypto_iov *tiv, *hiv;
1422

1423
    if(!derived_crypto(context, crypto)) {
1424
	krb5_clear_error_message(context);
1425
	return KRB5_CRYPTO_INTERNAL;
1426
    }
1427

1428
    headersz = et->confoundersize;
1429

1430
    hiv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
1431
    if (hiv == NULL || hiv->data.length != headersz)
1432
	return KRB5_BAD_MSIZE;
1433

1434
    /* trailer */
1435
    trailersz = CHECKSUMSIZE(et->keyed_checksum);
1436

1437
    tiv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
1438
    if (tiv->data.length != trailersz)
1439
	return KRB5_BAD_MSIZE;
1440

1441
    /* Find length of data we will decrypt */
1442

1443
    len = headersz;
1444
    for (i = 0; i < num_data; i++) {
1445
	if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
1446
	    continue;
1447
	len += data[i].data.length;
1448
    }
1449

1450
    if ((len % et->padsize) != 0) {
1451
	krb5_clear_error_message(context);
1452
	return KRB5_BAD_MSIZE;
1453
    }
1454

1455
    /* XXX replace with EVP_Cipher */
1456

1457
    p = q = malloc(len);
1458
    if (p == NULL)
1459
	return ENOMEM;
1460

1461
    memcpy(q, hiv->data.data, hiv->data.length);
1462
    q += hiv->data.length;
1463

1464
    for (i = 0; i < num_data; i++) {
1465
	if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
1466
	    continue;
1467
	memcpy(q, data[i].data.data, data[i].data.length);
1468
	q += data[i].data.length;
1469
    }
1470

1471
    ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
1472
    if(ret) {
1473
	free(p);
1474
	return ret;
1475
    }
1476
    ret = _key_schedule(context, dkey);
1477
    if(ret) {
1478
	free(p);
1479
	return ret;
1480
    }
1481

1482
    ret = (*et->encrypt)(context, dkey, p, len, 0, usage, ivec);
1483
    if (ret) {
1484
	free(p);
1485
	return ret;
1486
    }
1487

1488
    /* copy data back to buffers */
1489
    memcpy(hiv->data.data, p, hiv->data.length);
1490
    q = p + hiv->data.length;
1491
    for (i = 0; i < num_data; i++) {
1492
	if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
1493
	    continue;
1494
	memcpy(data[i].data.data, q, data[i].data.length);
1495
	q += data[i].data.length;
1496
    }
1497

1498
    free(p);
1499

1500
    /* check signature */
1501
    for (i = 0; i < num_data; i++) {
1502
	if (data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
1503
	    continue;
1504
	len += data[i].data.length;
1505
    }
1506

1507
    p = q = malloc(len);
1508
    if (p == NULL)
1509
	return ENOMEM;
1510

1511
    memcpy(q, hiv->data.data, hiv->data.length);
1512
    q += hiv->data.length;
1513
    for (i = 0; i < num_data; i++) {
1514
	if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
1515
	    data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
1516
	    continue;
1517
	memcpy(q, data[i].data.data, data[i].data.length);
1518
	q += data[i].data.length;
1519
    }
1520

1521
    cksum.checksum.data   = tiv->data.data;
1522
    cksum.checksum.length = tiv->data.length;
1523
    cksum.cksumtype       = CHECKSUMTYPE(et->keyed_checksum);
1524

1525
    ret = verify_checksum(context,
1526
			  crypto,
1527
			  INTEGRITY_USAGE(usage),
1528
			  p,
1529
			  len,
1530
			  &cksum);
1531
    free(p);
1532
    return ret;
1533
}
1534

1535
/**
1536
 * Create a Kerberos message checksum.
1537
 *
1538
 * @param context Kerberos context
1539
 * @param crypto Kerberos crypto context
1540
 * @param usage Key usage for this buffer
1541
 * @param data array of buffers to process
1542
 * @param num_data length of array
1543
 * @param type output data
1544
 *
1545
 * @return Return an error code or 0.
1546
 * @ingroup krb5_crypto
1547
 */
1548

1549
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1550
krb5_create_checksum_iov(krb5_context context,
1551
			 krb5_crypto crypto,
1552
			 unsigned usage,
1553
			 krb5_crypto_iov *data,
1554
			 unsigned int num_data,
1555
			 krb5_cksumtype *type)
1556
{
1557
    Checksum cksum;
1558
    krb5_crypto_iov *civ;
1559
    krb5_error_code ret;
1560
    size_t i;
1561
    size_t len;
1562
    char *p, *q;
1563

1564
    if(!derived_crypto(context, crypto)) {
1565
	krb5_clear_error_message(context);
1566
	return KRB5_CRYPTO_INTERNAL;
1567
    }
1568

1569
    civ = find_iv(data, num_data, KRB5_CRYPTO_TYPE_CHECKSUM);
1570
    if (civ == NULL)
1571
	return KRB5_BAD_MSIZE;
1572

1573
    len = 0;
1574
    for (i = 0; i < num_data; i++) {
1575
	if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
1576
	    data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
1577
	    continue;
1578
	len += data[i].data.length;
1579
    }
1580

1581
    p = q = malloc(len);
1582

1583
    for (i = 0; i < num_data; i++) {
1584
	if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
1585
	    data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
1586
	    continue;
1587
	memcpy(q, data[i].data.data, data[i].data.length);
1588
	q += data[i].data.length;
1589
    }
1590

1591
    ret = krb5_create_checksum(context, crypto, usage, 0, p, len, &cksum);
1592
    free(p);
1593
    if (ret)
1594
	return ret;
1595

1596
    if (type)
1597
	*type = cksum.cksumtype;
1598

1599
    if (cksum.checksum.length > civ->data.length) {
1600
	krb5_set_error_message(context, KRB5_BAD_MSIZE,
1601
			       N_("Checksum larger then input buffer", ""));
1602
	free_Checksum(&cksum);
1603
	return KRB5_BAD_MSIZE;
1604
    }
1605

1606
    civ->data.length = cksum.checksum.length;
1607
    memcpy(civ->data.data, cksum.checksum.data, civ->data.length);
1608
    free_Checksum(&cksum);
1609

1610
    return 0;
1611
}
1612

1613
/**
1614
 * Verify a Kerberos message checksum.
1615
 *
1616
 * @param context Kerberos context
1617
 * @param crypto Kerberos crypto context
1618
 * @param usage Key usage for this buffer
1619
 * @param data array of buffers to process
1620
 * @param num_data length of array
1621
 * @param type return checksum type if not NULL
1622
 *
1623
 * @return Return an error code or 0.
1624
 * @ingroup krb5_crypto
1625
 */
1626

1627
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1628
krb5_verify_checksum_iov(krb5_context context,
1629
			 krb5_crypto crypto,
1630
			 unsigned usage,
1631
			 krb5_crypto_iov *data,
1632
			 unsigned int num_data,
1633
			 krb5_cksumtype *type)
1634
{
1635
    struct _krb5_encryption_type *et = crypto->et;
1636
    Checksum cksum;
1637
    krb5_crypto_iov *civ;
1638
    krb5_error_code ret;
1639
    size_t i;
1640
    size_t len;
1641
    char *p, *q;
1642

1643
    if(!derived_crypto(context, crypto)) {
1644
	krb5_clear_error_message(context);
1645
	return KRB5_CRYPTO_INTERNAL;
1646
    }
1647

1648
    civ = find_iv(data, num_data, KRB5_CRYPTO_TYPE_CHECKSUM);
1649
    if (civ == NULL)
1650
	return KRB5_BAD_MSIZE;
1651

1652
    len = 0;
1653
    for (i = 0; i < num_data; i++) {
1654
	if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
1655
	    data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
1656
	    continue;
1657
	len += data[i].data.length;
1658
    }
1659

1660
    p = q = malloc(len);
1661

1662
    for (i = 0; i < num_data; i++) {
1663
	if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
1664
	    data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
1665
	    continue;
1666
	memcpy(q, data[i].data.data, data[i].data.length);
1667
	q += data[i].data.length;
1668
    }
1669

1670
    cksum.cksumtype = CHECKSUMTYPE(et->keyed_checksum);
1671
    cksum.checksum.length = civ->data.length;
1672
    cksum.checksum.data = civ->data.data;
1673

1674
    ret = krb5_verify_checksum(context, crypto, usage, p, len, &cksum);
1675
    free(p);
1676

1677
    if (ret == 0 && type)
1678
	*type = cksum.cksumtype;
1679

1680
    return ret;
1681
}
1682

1683

1684
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1685
krb5_crypto_length(krb5_context context,
1686
		   krb5_crypto crypto,
1687
		   int type,
1688
		   size_t *len)
1689
{
1690
    if (!derived_crypto(context, crypto)) {
1691
	krb5_set_error_message(context, EINVAL, "not a derived crypto");
1692
	return EINVAL;
1693
    }
1694

1695
    switch(type) {
1696
    case KRB5_CRYPTO_TYPE_EMPTY:
1697
	*len = 0;
1698
	return 0;
1699
    case KRB5_CRYPTO_TYPE_HEADER:
1700
	*len = crypto->et->blocksize;
1701
	return 0;
1702
    case KRB5_CRYPTO_TYPE_DATA:
1703
    case KRB5_CRYPTO_TYPE_SIGN_ONLY:
1704
	/* len must already been filled in */
1705
	return 0;
1706
    case KRB5_CRYPTO_TYPE_PADDING:
1707
	if (crypto->et->padsize > 1)
1708
	    *len = crypto->et->padsize;
1709
	else
1710
	    *len = 0;
1711
	return 0;
1712
    case KRB5_CRYPTO_TYPE_TRAILER:
1713
	*len = CHECKSUMSIZE(crypto->et->keyed_checksum);
1714
	return 0;
1715
    case KRB5_CRYPTO_TYPE_CHECKSUM:
1716
	if (crypto->et->keyed_checksum)
1717
	    *len = CHECKSUMSIZE(crypto->et->keyed_checksum);
1718
	else
1719
	    *len = CHECKSUMSIZE(crypto->et->checksum);
1720
	return 0;
1721
    }
1722
    krb5_set_error_message(context, EINVAL,
1723
			   "%d not a supported type", type);
1724
    return EINVAL;
1725
}
1726

1727

1728
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1729
krb5_crypto_length_iov(krb5_context context,
1730
		       krb5_crypto crypto,
1731
		       krb5_crypto_iov *data,
1732
		       unsigned int num_data)
1733
{
1734
    krb5_error_code ret;
1735
    size_t i;
1736

1737
    for (i = 0; i < num_data; i++) {
1738
	ret = krb5_crypto_length(context, crypto,
1739
				 data[i].flags,
1740
				 &data[i].data.length);
1741
	if (ret)
1742
	    return ret;
1743
    }
1744
    return 0;
1745
}
1746

1747

1748
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1749
krb5_encrypt_ivec(krb5_context context,
1750
		  krb5_crypto crypto,
1751
		  unsigned usage,
1752
		  const void *data,
1753
		  size_t len,
1754
		  krb5_data *result,
1755
		  void *ivec)
1756
{
1757
    if(derived_crypto(context, crypto))
1758
	return encrypt_internal_derived(context, crypto, usage,
1759
					data, len, result, ivec);
1760
    else if (special_crypto(context, crypto))
1761
	return encrypt_internal_special (context, crypto, usage,
1762
					 data, len, result, ivec);
1763
    else
1764
	return encrypt_internal(context, crypto, data, len, result, ivec);
1765
}
1766

1767
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1768
krb5_encrypt(krb5_context context,
1769
	     krb5_crypto crypto,
1770
	     unsigned usage,
1771
	     const void *data,
1772
	     size_t len,
1773
	     krb5_data *result)
1774
{
1775
    return krb5_encrypt_ivec(context, crypto, usage, data, len, result, NULL);
1776
}
1777

1778
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1779
krb5_encrypt_EncryptedData(krb5_context context,
1780
			   krb5_crypto crypto,
1781
			   unsigned usage,
1782
			   void *data,
1783
			   size_t len,
1784
			   int kvno,
1785
			   EncryptedData *result)
1786
{
1787
    result->etype = CRYPTO_ETYPE(crypto);
1788
    if(kvno){
1789
	ALLOC(result->kvno, 1);
1790
	*result->kvno = kvno;
1791
    }else
1792
	result->kvno = NULL;
1793
    return krb5_encrypt(context, crypto, usage, data, len, &result->cipher);
1794
}
1795

1796
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1797
krb5_decrypt_ivec(krb5_context context,
1798
		  krb5_crypto crypto,
1799
		  unsigned usage,
1800
		  void *data,
1801
		  size_t len,
1802
		  krb5_data *result,
1803
		  void *ivec)
1804
{
1805
    if(derived_crypto(context, crypto))
1806
	return decrypt_internal_derived(context, crypto, usage,
1807
					data, len, result, ivec);
1808
    else if (special_crypto (context, crypto))
1809
	return decrypt_internal_special(context, crypto, usage,
1810
					data, len, result, ivec);
1811
    else
1812
	return decrypt_internal(context, crypto, data, len, result, ivec);
1813
}
1814

1815
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1816
krb5_decrypt(krb5_context context,
1817
	     krb5_crypto crypto,
1818
	     unsigned usage,
1819
	     void *data,
1820
	     size_t len,
1821
	     krb5_data *result)
1822
{
1823
    return krb5_decrypt_ivec (context, crypto, usage, data, len, result,
1824
			      NULL);
1825
}
1826

1827
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1828
krb5_decrypt_EncryptedData(krb5_context context,
1829
			   krb5_crypto crypto,
1830
			   unsigned usage,
1831
			   const EncryptedData *e,
1832
			   krb5_data *result)
1833
{
1834
    return krb5_decrypt(context, crypto, usage,
1835
			e->cipher.data, e->cipher.length, result);
1836
}
1837

1838
/************************************************************
1839
 *                                                          *
1840
 ************************************************************/
1841

1842
krb5_error_code
1843
_krb5_derive_key(krb5_context context,
1844
		 struct _krb5_encryption_type *et,
1845
		 struct _krb5_key_data *key,
1846
		 const void *constant,
1847
		 size_t len)
1848
{
1849
    unsigned char *k = NULL;
1850
    unsigned int nblocks = 0, i;
1851
    krb5_error_code ret = 0;
1852
    struct _krb5_key_type *kt = et->keytype;
1853

1854
    ret = _key_schedule(context, key);
1855
    if(ret)
1856
	return ret;
1857
    if(et->blocksize * 8 < kt->bits || len != et->blocksize) {
1858
	nblocks = (kt->bits + et->blocksize * 8 - 1) / (et->blocksize * 8);
1859
	k = malloc(nblocks * et->blocksize);
1860
	if(k == NULL) {
1861
	    ret = ENOMEM;
1862
	    krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1863
	    goto out;
1864
	}
1865
	ret = _krb5_n_fold(constant, len, k, et->blocksize);
1866
	if (ret) {
1867
	    krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1868
	    goto out;
1869
	}
1870

1871
	for(i = 0; i < nblocks; i++) {
1872
	    if(i > 0)
1873
		memcpy(k + i * et->blocksize,
1874
		       k + (i - 1) * et->blocksize,
1875
		       et->blocksize);
1876
	    (*et->encrypt)(context, key, k + i * et->blocksize, et->blocksize,
1877
			   1, 0, NULL);
1878
	}
1879
    } else {
1880
	/* this case is probably broken, but won't be run anyway */
1881
	void *c = malloc(len);
1882
	size_t res_len = (kt->bits + 7) / 8;
1883

1884
	if(len != 0 && c == NULL) {
1885
	    ret = ENOMEM;
1886
	    krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1887
	    goto out;
1888
	}
1889
	memcpy(c, constant, len);
1890
	(*et->encrypt)(context, key, c, len, 1, 0, NULL);
1891
	k = malloc(res_len);
1892
	if(res_len != 0 && k == NULL) {
1893
	    free(c);
1894
	    ret = ENOMEM;
1895
	    krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1896
	    goto out;
1897
	}
1898
	ret = _krb5_n_fold(c, len, k, res_len);
1899
	free(c);
1900
	if (ret) {
1901
	    krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1902
	    goto out;
1903
	}
1904
    }
1905

1906
    /* XXX keytype dependent post-processing */
1907
    switch(kt->type) {
1908
    case ETYPE_OLD_DES3_CBC_SHA1:
1909
	_krb5_DES3_random_to_key(context, key->key, k, nblocks * et->blocksize);
1910
	break;
1911
    case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
1912
    case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
1913
	memcpy(key->key->keyvalue.data, k, key->key->keyvalue.length);
1914
	break;
1915
    default:
1916
	ret = KRB5_CRYPTO_INTERNAL;
1917
	krb5_set_error_message(context, ret,
1918
			       N_("derive_key() called with unknown keytype (%u)", ""),
1919
			       kt->type);
1920
	break;
1921
    }
1922
 out:
1923
    if (key->schedule) {
1924
	free_key_schedule(context, key, et);
1925
	key->schedule = NULL;
1926
    }
1927
    if (k) {
1928
	memset(k, 0, nblocks * et->blocksize);
1929
	free(k);
1930
    }
1931
    return ret;
1932
}
1933

1934
static struct _krb5_key_data *
1935
_new_derived_key(krb5_crypto crypto, unsigned usage)
1936
{
1937
    struct _krb5_key_usage *d = crypto->key_usage;
1938
    d = realloc(d, (crypto->num_key_usage + 1) * sizeof(*d));
1939
    if(d == NULL)
1940
	return NULL;
1941
    crypto->key_usage = d;
1942
    d += crypto->num_key_usage++;
1943
    memset(d, 0, sizeof(*d));
1944
    d->usage = usage;
1945
    return &d->key;
1946
}
1947

1948
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1949
krb5_derive_key(krb5_context context,
1950
		const krb5_keyblock *key,
1951
		krb5_enctype etype,
1952
		const void *constant,
1953
		size_t constant_len,
1954
		krb5_keyblock **derived_key)
1955
{
1956
    krb5_error_code ret;
1957
    struct _krb5_encryption_type *et;
1958
    struct _krb5_key_data d;
1959

1960
    *derived_key = NULL;
1961

1962
    et = _krb5_find_enctype (etype);
1963
    if (et == NULL) {
1964
        return unsupported_enctype (context, etype);
1965
    }
1966

1967
    ret = krb5_copy_keyblock(context, key, &d.key);
1968
    if (ret)
1969
	return ret;
1970

1971
    d.schedule = NULL;
1972
    ret = _krb5_derive_key(context, et, &d, constant, constant_len);
1973
    if (ret == 0)
1974
	ret = krb5_copy_keyblock(context, d.key, derived_key);
1975
    _krb5_free_key_data(context, &d, et);
1976
    return ret;
1977
}
1978

1979
static krb5_error_code
1980
_get_derived_key(krb5_context context,
1981
		 krb5_crypto crypto,
1982
		 unsigned usage,
1983
		 struct _krb5_key_data **key)
1984
{
1985
    int i;
1986
    struct _krb5_key_data *d;
1987
    unsigned char constant[5];
1988

1989
    for(i = 0; i < crypto->num_key_usage; i++)
1990
	if(crypto->key_usage[i].usage == usage) {
1991
	    *key = &crypto->key_usage[i].key;
1992
	    return 0;
1993
	}
1994
    d = _new_derived_key(crypto, usage);
1995
    if(d == NULL) {
1996
	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1997
	return ENOMEM;
1998
    }
1999
    krb5_copy_keyblock(context, crypto->key.key, &d->key);
2000
    _krb5_put_int(constant, usage, 5);
2001
    _krb5_derive_key(context, crypto->et, d, constant, sizeof(constant));
2002
    *key = d;
2003
    return 0;
2004
}
2005

2006
/**
2007
 * Create a crypto context used for all encryption and signature
2008
 * operation. The encryption type to use is taken from the key, but
2009
 * can be overridden with the enctype parameter.  This can be useful
2010
 * for encryptions types which is compatiable (DES for example).
2011
 *
2012
 * To free the crypto context, use krb5_crypto_destroy().
2013
 *
2014
 * @param context Kerberos context
2015
 * @param key the key block information with all key data
2016
 * @param etype the encryption type
2017
 * @param crypto the resulting crypto context
2018
 *
2019
 * @return Return an error code or 0.
2020
 *
2021
 * @ingroup krb5_crypto
2022
 */
2023

2024
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2025
krb5_crypto_init(krb5_context context,
2026
		 const krb5_keyblock *key,
2027
		 krb5_enctype etype,
2028
		 krb5_crypto *crypto)
2029
{
2030
    krb5_error_code ret;
2031
    ALLOC(*crypto, 1);
2032
    if(*crypto == NULL) {
2033
	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
2034
	return ENOMEM;
2035
    }
2036
    if(etype == ETYPE_NULL)
2037
	etype = key->keytype;
2038
    (*crypto)->et = _krb5_find_enctype(etype);
2039
    if((*crypto)->et == NULL || ((*crypto)->et->flags & F_DISABLED)) {
2040
	free(*crypto);
2041
	*crypto = NULL;
2042
	return unsupported_enctype(context, etype);
2043
    }
2044
    if((*crypto)->et->keytype->size != key->keyvalue.length) {
2045
	free(*crypto);
2046
	*crypto = NULL;
2047
	krb5_set_error_message (context, KRB5_BAD_KEYSIZE,
2048
				"encryption key has bad length");
2049
	return KRB5_BAD_KEYSIZE;
2050
    }
2051
    ret = krb5_copy_keyblock(context, key, &(*crypto)->key.key);
2052
    if(ret) {
2053
	free(*crypto);
2054
	*crypto = NULL;
2055
	return ret;
2056
    }
2057
    ret = fbsd_ossl_provider_load();
2058
    if (ret)
2059
	return ret;
2060
    (*crypto)->key.schedule = NULL;
2061
    (*crypto)->num_key_usage = 0;
2062
    (*crypto)->key_usage = NULL;
2063
    return 0;
2064
}
2065

2066
static void
2067
free_key_schedule(krb5_context context,
2068
		  struct _krb5_key_data *key,
2069
		  struct _krb5_encryption_type *et)
2070
{
2071
    if (et->keytype->cleanup)
2072
	(*et->keytype->cleanup)(context, key);
2073
    memset(key->schedule->data, 0, key->schedule->length);
2074
    krb5_free_data(context, key->schedule);
2075
}
2076

2077
void
2078
_krb5_free_key_data(krb5_context context, struct _krb5_key_data *key,
2079
	      struct _krb5_encryption_type *et)
2080
{
2081
    krb5_free_keyblock(context, key->key);
2082
    if(key->schedule) {
2083
	free_key_schedule(context, key, et);
2084
	key->schedule = NULL;
2085
    }
2086
}
2087

2088
static void
2089
free_key_usage(krb5_context context, struct _krb5_key_usage *ku,
2090
	       struct _krb5_encryption_type *et)
2091
{
2092
    _krb5_free_key_data(context, &ku->key, et);
2093
}
2094

2095
/**
2096
 * Free a crypto context created by krb5_crypto_init().
2097
 *
2098
 * @param context Kerberos context
2099
 * @param crypto crypto context to free
2100
 *
2101
 * @return Return an error code or 0.
2102
 *
2103
 * @ingroup krb5_crypto
2104
 */
2105

2106
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2107
krb5_crypto_destroy(krb5_context context,
2108
		    krb5_crypto crypto)
2109
{
2110
    int i;
2111

2112
    for(i = 0; i < crypto->num_key_usage; i++)
2113
	free_key_usage(context, &crypto->key_usage[i], crypto->et);
2114
    free(crypto->key_usage);
2115
    _krb5_free_key_data(context, &crypto->key, crypto->et);
2116
    free (crypto);
2117
    return 0;
2118
}
2119

2120
/**
2121
 * Return the blocksize used algorithm referenced by the crypto context
2122
 *
2123
 * @param context Kerberos context
2124
 * @param crypto crypto context to query
2125
 * @param blocksize the resulting blocksize
2126
 *
2127
 * @return Return an error code or 0.
2128
 *
2129
 * @ingroup krb5_crypto
2130
 */
2131

2132
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2133
krb5_crypto_getblocksize(krb5_context context,
2134
			 krb5_crypto crypto,
2135
			 size_t *blocksize)
2136
{
2137
    *blocksize = crypto->et->blocksize;
2138
    return 0;
2139
}
2140

2141
/**
2142
 * Return the encryption type used by the crypto context
2143
 *
2144
 * @param context Kerberos context
2145
 * @param crypto crypto context to query
2146
 * @param enctype the resulting encryption type
2147
 *
2148
 * @return Return an error code or 0.
2149
 *
2150
 * @ingroup krb5_crypto
2151
 */
2152

2153
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2154
krb5_crypto_getenctype(krb5_context context,
2155
		       krb5_crypto crypto,
2156
		       krb5_enctype *enctype)
2157
{
2158
    *enctype = crypto->et->type;
2159
    return 0;
2160
}
2161

2162
/**
2163
 * Return the padding size used by the crypto context
2164
 *
2165
 * @param context Kerberos context
2166
 * @param crypto crypto context to query
2167
 * @param padsize the return padding size
2168
 *
2169
 * @return Return an error code or 0.
2170
 *
2171
 * @ingroup krb5_crypto
2172
 */
2173

2174
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2175
krb5_crypto_getpadsize(krb5_context context,
2176
                       krb5_crypto crypto,
2177
                       size_t *padsize)
2178
{
2179
    *padsize = crypto->et->padsize;
2180
    return 0;
2181
}
2182

2183
/**
2184
 * Return the confounder size used by the crypto context
2185
 *
2186
 * @param context Kerberos context
2187
 * @param crypto crypto context to query
2188
 * @param confoundersize the returned confounder size
2189
 *
2190
 * @return Return an error code or 0.
2191
 *
2192
 * @ingroup krb5_crypto
2193
 */
2194

2195
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2196
krb5_crypto_getconfoundersize(krb5_context context,
2197
                              krb5_crypto crypto,
2198
                              size_t *confoundersize)
2199
{
2200
    *confoundersize = crypto->et->confoundersize;
2201
    return 0;
2202
}
2203

2204

2205
/**
2206
 * Disable encryption type
2207
 *
2208
 * @param context Kerberos 5 context
2209
 * @param enctype encryption type to disable
2210
 *
2211
 * @return Return an error code or 0.
2212
 *
2213
 * @ingroup krb5_crypto
2214
 */
2215

2216
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2217
krb5_enctype_disable(krb5_context context,
2218
		     krb5_enctype enctype)
2219
{
2220
    struct _krb5_encryption_type *et = _krb5_find_enctype(enctype);
2221
    if(et == NULL) {
2222
	if (context)
2223
	    krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
2224
				    N_("encryption type %d not supported", ""),
2225
				    enctype);
2226
	return KRB5_PROG_ETYPE_NOSUPP;
2227
    }
2228
    et->flags |= F_DISABLED;
2229
    return 0;
2230
}
2231

2232
/**
2233
 * Enable encryption type
2234
 *
2235
 * @param context Kerberos 5 context
2236
 * @param enctype encryption type to enable
2237
 *
2238
 * @return Return an error code or 0.
2239
 *
2240
 * @ingroup krb5_crypto
2241
 */
2242

2243
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2244
krb5_enctype_enable(krb5_context context,
2245
		    krb5_enctype enctype)
2246
{
2247
    struct _krb5_encryption_type *et = _krb5_find_enctype(enctype);
2248
    if(et == NULL) {
2249
	if (context)
2250
	    krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
2251
				    N_("encryption type %d not supported", ""),
2252
				    enctype);
2253
	return KRB5_PROG_ETYPE_NOSUPP;
2254
    }
2255
    et->flags &= ~F_DISABLED;
2256
    return 0;
2257
}
2258

2259
/**
2260
 * Enable or disable all weak encryption types
2261
 *
2262
 * @param context Kerberos 5 context
2263
 * @param enable true to enable, false to disable
2264
 *
2265
 * @return Return an error code or 0.
2266
 *
2267
 * @ingroup krb5_crypto
2268
 */
2269

2270
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2271
krb5_allow_weak_crypto(krb5_context context,
2272
		       krb5_boolean enable)
2273
{
2274
    int i;
2275

2276
    for(i = 0; i < _krb5_num_etypes; i++)
2277
	if(_krb5_etypes[i]->flags & F_WEAK) {
2278
	    if(enable)
2279
		_krb5_etypes[i]->flags &= ~F_DISABLED;
2280
	    else
2281
		_krb5_etypes[i]->flags |= F_DISABLED;
2282
	}
2283
    return 0;
2284
}
2285

2286
static size_t
2287
wrapped_length (krb5_context context,
2288
		krb5_crypto  crypto,
2289
		size_t       data_len)
2290
{
2291
    struct _krb5_encryption_type *et = crypto->et;
2292
    size_t padsize = et->padsize;
2293
    size_t checksumsize = CHECKSUMSIZE(et->checksum);
2294
    size_t res;
2295

2296
    res =  et->confoundersize + checksumsize + data_len;
2297
    res =  (res + padsize - 1) / padsize * padsize;
2298
    return res;
2299
}
2300

2301
static size_t
2302
wrapped_length_dervied (krb5_context context,
2303
			krb5_crypto  crypto,
2304
			size_t       data_len)
2305
{
2306
    struct _krb5_encryption_type *et = crypto->et;
2307
    size_t padsize = et->padsize;
2308
    size_t res;
2309

2310
    res =  et->confoundersize + data_len;
2311
    res =  (res + padsize - 1) / padsize * padsize;
2312
    if (et->keyed_checksum)
2313
	res += et->keyed_checksum->checksumsize;
2314
    else
2315
	res += et->checksum->checksumsize;
2316
    return res;
2317
}
2318

2319
/*
2320
 * Return the size of an encrypted packet of length `data_len'
2321
 */
2322

2323
KRB5_LIB_FUNCTION size_t KRB5_LIB_CALL
2324
krb5_get_wrapped_length (krb5_context context,
2325
			 krb5_crypto  crypto,
2326
			 size_t       data_len)
2327
{
2328
    if (derived_crypto (context, crypto))
2329
	return wrapped_length_dervied (context, crypto, data_len);
2330
    else
2331
	return wrapped_length (context, crypto, data_len);
2332
}
2333

2334
/*
2335
 * Return the size of an encrypted packet of length `data_len'
2336
 */
2337

2338
static size_t
2339
crypto_overhead (krb5_context context,
2340
		 krb5_crypto  crypto)
2341
{
2342
    struct _krb5_encryption_type *et = crypto->et;
2343
    size_t res;
2344

2345
    res = CHECKSUMSIZE(et->checksum);
2346
    res += et->confoundersize;
2347
    if (et->padsize > 1)
2348
	res += et->padsize;
2349
    return res;
2350
}
2351

2352
static size_t
2353
crypto_overhead_dervied (krb5_context context,
2354
			 krb5_crypto  crypto)
2355
{
2356
    struct _krb5_encryption_type *et = crypto->et;
2357
    size_t res;
2358

2359
    if (et->keyed_checksum)
2360
	res = CHECKSUMSIZE(et->keyed_checksum);
2361
    else
2362
	res = CHECKSUMSIZE(et->checksum);
2363
    res += et->confoundersize;
2364
    if (et->padsize > 1)
2365
	res += et->padsize;
2366
    return res;
2367
}
2368

2369
KRB5_LIB_FUNCTION size_t KRB5_LIB_CALL
2370
krb5_crypto_overhead (krb5_context context, krb5_crypto crypto)
2371
{
2372
    if (derived_crypto (context, crypto))
2373
	return crypto_overhead_dervied (context, crypto);
2374
    else
2375
	return crypto_overhead (context, crypto);
2376
}
2377

2378
/**
2379
 * Converts the random bytestring to a protocol key according to
2380
 * Kerberos crypto frame work. It may be assumed that all the bits of
2381
 * the input string are equally random, even though the entropy
2382
 * present in the random source may be limited.
2383
 *
2384
 * @param context Kerberos 5 context
2385
 * @param type the enctype resulting key will be of
2386
 * @param data input random data to convert to a key
2387
 * @param size size of input random data, at least krb5_enctype_keysize() long
2388
 * @param key key, output key, free with krb5_free_keyblock_contents()
2389
 *
2390
 * @return Return an error code or 0.
2391
 *
2392
 * @ingroup krb5_crypto
2393
 */
2394

2395
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2396
krb5_random_to_key(krb5_context context,
2397
		   krb5_enctype type,
2398
		   const void *data,
2399
		   size_t size,
2400
		   krb5_keyblock *key)
2401
{
2402
    krb5_error_code ret;
2403
    struct _krb5_encryption_type *et = _krb5_find_enctype(type);
2404
    if(et == NULL) {
2405
	krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
2406
			       N_("encryption type %d not supported", ""),
2407
			       type);
2408
	return KRB5_PROG_ETYPE_NOSUPP;
2409
    }
2410
    if ((et->keytype->bits + 7) / 8 > size) {
2411
	krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
2412
			       N_("encryption key %s needs %d bytes "
2413
				  "of random to make an encryption key "
2414
				  "out of it", ""),
2415
			       et->name, (int)et->keytype->size);
2416
	return KRB5_PROG_ETYPE_NOSUPP;
2417
    }
2418
    ret = krb5_data_alloc(&key->keyvalue, et->keytype->size);
2419
    if(ret)
2420
	return ret;
2421
    key->keytype = type;
2422
    if (et->keytype->random_to_key)
2423
 	(*et->keytype->random_to_key)(context, key, data, size);
2424
    else
2425
	memcpy(key->keyvalue.data, data, et->keytype->size);
2426

2427
    return 0;
2428
}
2429

2430

2431

2432
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2433
krb5_crypto_prf_length(krb5_context context,
2434
		       krb5_enctype type,
2435
		       size_t *length)
2436
{
2437
    struct _krb5_encryption_type *et = _krb5_find_enctype(type);
2438

2439
    if(et == NULL || et->prf_length == 0) {
2440
	krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
2441
			       N_("encryption type %d not supported", ""),
2442
			       type);
2443
	return KRB5_PROG_ETYPE_NOSUPP;
2444
    }
2445

2446
    *length = et->prf_length;
2447
    return 0;
2448
}
2449

2450
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2451
krb5_crypto_prf(krb5_context context,
2452
		const krb5_crypto crypto,
2453
		const krb5_data *input,
2454
		krb5_data *output)
2455
{
2456
    struct _krb5_encryption_type *et = crypto->et;
2457

2458
    krb5_data_zero(output);
2459

2460
    if(et->prf == NULL) {
2461
	krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
2462
			       "kerberos prf for %s not supported",
2463
			       et->name);
2464
	return KRB5_PROG_ETYPE_NOSUPP;
2465
    }
2466

2467
    return (*et->prf)(context, crypto, input, output);
2468
}
2469

2470
static krb5_error_code
2471
krb5_crypto_prfplus(krb5_context context,
2472
		    const krb5_crypto crypto,
2473
		    const krb5_data *input,
2474
		    size_t length,
2475
		    krb5_data *output)
2476
{
2477
    krb5_error_code ret;
2478
    krb5_data input2;
2479
    unsigned char i = 1;
2480
    unsigned char *p;
2481

2482
    krb5_data_zero(&input2);
2483
    krb5_data_zero(output);
2484

2485
    krb5_clear_error_message(context);
2486

2487
    ret = krb5_data_alloc(output, length);
2488
    if (ret) goto out;
2489
    ret = krb5_data_alloc(&input2, input->length + 1);
2490
    if (ret) goto out;
2491

2492
    krb5_clear_error_message(context);
2493

2494
    memcpy(((unsigned char *)input2.data) + 1, input->data, input->length);
2495

2496
    p = output->data;
2497

2498
    while (length) {
2499
	krb5_data block;
2500

2501
	((unsigned char *)input2.data)[0] = i++;
2502

2503
	ret = krb5_crypto_prf(context, crypto, &input2, &block);
2504
	if (ret)
2505
	    goto out;
2506

2507
	if (block.length < length) {
2508
	    memcpy(p, block.data, block.length);
2509
	    length -= block.length;
2510
	} else {
2511
	    memcpy(p, block.data, length);
2512
	    length = 0;
2513
	}
2514
	p += block.length;
2515
	krb5_data_free(&block);
2516
    }
2517

2518
 out:
2519
    krb5_data_free(&input2);
2520
    if (ret)
2521
	krb5_data_free(output);
2522
    return 0;
2523
}
2524

2525
/**
2526
 * The FX-CF2 key derivation function, used in FAST and preauth framework.
2527
 *
2528
 * @param context Kerberos 5 context
2529
 * @param crypto1 first key to combine
2530
 * @param crypto2 second key to combine
2531
 * @param pepper1 factor to combine with first key to garante uniqueness
2532
 * @param pepper2 factor to combine with second key to garante uniqueness
2533
 * @param enctype the encryption type of the resulting key
2534
 * @param res allocated key, free with krb5_free_keyblock_contents()
2535
 *
2536
 * @return Return an error code or 0.
2537
 *
2538
 * @ingroup krb5_crypto
2539
 */
2540

2541
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2542
krb5_crypto_fx_cf2(krb5_context context,
2543
		   const krb5_crypto crypto1,
2544
		   const krb5_crypto crypto2,
2545
		   krb5_data *pepper1,
2546
		   krb5_data *pepper2,
2547
		   krb5_enctype enctype,
2548
		   krb5_keyblock *res)
2549
{
2550
    krb5_error_code ret;
2551
    krb5_data os1, os2;
2552
    size_t i, keysize;
2553

2554
    memset(res, 0, sizeof(*res));
2555

2556
    ret = krb5_enctype_keysize(context, enctype, &keysize);
2557
    if (ret)
2558
	return ret;
2559

2560
    ret = krb5_data_alloc(&res->keyvalue, keysize);
2561
    if (ret)
2562
	goto out;
2563
    ret = krb5_crypto_prfplus(context, crypto1, pepper1, keysize, &os1);
2564
    if (ret)
2565
	goto out;
2566
    ret = krb5_crypto_prfplus(context, crypto2, pepper2, keysize, &os2);
2567
    if (ret)
2568
	goto out;
2569

2570
    res->keytype = enctype;
2571
    {
2572
	unsigned char *p1 = os1.data, *p2 = os2.data, *p3 = res->keyvalue.data;
2573
	for (i = 0; i < keysize; i++)
2574
	    p3[i] = p1[i] ^ p2[i];
2575
    }
2576
 out:
2577
    if (ret)
2578
	krb5_data_free(&res->keyvalue);
2579
    krb5_data_free(&os1);
2580
    krb5_data_free(&os2);
2581

2582
    return ret;
2583
}
2584

2585

2586

2587
#ifndef HEIMDAL_SMALLER
2588

2589
/**
2590
 * Deprecated: keytypes doesn't exists, they are really enctypes.
2591
 *
2592
 * @ingroup krb5_deprecated
2593
 */
2594

2595
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2596
krb5_keytype_to_enctypes (krb5_context context,
2597
			  krb5_keytype keytype,
2598
			  unsigned *len,
2599
			  krb5_enctype **val)
2600
    KRB5_DEPRECATED_FUNCTION("Use X instead")
2601
{
2602
    int i;
2603
    unsigned n = 0;
2604
    krb5_enctype *ret;
2605

2606
    for (i = _krb5_num_etypes - 1; i >= 0; --i) {
2607
	if (_krb5_etypes[i]->keytype->type == keytype
2608
	    && !(_krb5_etypes[i]->flags & F_PSEUDO)
2609
	    && krb5_enctype_valid(context, _krb5_etypes[i]->type) == 0)
2610
	    ++n;
2611
    }
2612
    if (n == 0) {
2613
	krb5_set_error_message(context, KRB5_PROG_KEYTYPE_NOSUPP,
2614
			       "Keytype have no mapping");
2615
	return KRB5_PROG_KEYTYPE_NOSUPP;
2616
    }
2617

2618
    ret = malloc(n * sizeof(*ret));
2619
    if (ret == NULL && n != 0) {
2620
	krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
2621
	return ENOMEM;
2622
    }
2623
    n = 0;
2624
    for (i = _krb5_num_etypes - 1; i >= 0; --i) {
2625
	if (_krb5_etypes[i]->keytype->type == keytype
2626
	    && !(_krb5_etypes[i]->flags & F_PSEUDO)
2627
	    && krb5_enctype_valid(context, _krb5_etypes[i]->type) == 0)
2628
	    ret[n++] = _krb5_etypes[i]->type;
2629
    }
2630
    *len = n;
2631
    *val = ret;
2632
    return 0;
2633
}
2634

2635
/**
2636
 * Deprecated: keytypes doesn't exists, they are really enctypes.
2637
 *
2638
 * @ingroup krb5_deprecated
2639
 */
2640

2641
/* if two enctypes have compatible keys */
2642
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
2643
krb5_enctypes_compatible_keys(krb5_context context,
2644
			      krb5_enctype etype1,
2645
			      krb5_enctype etype2)
2646
    KRB5_DEPRECATED_FUNCTION("Use X instead")
2647
{
2648
    struct _krb5_encryption_type *e1 = _krb5_find_enctype(etype1);
2649
    struct _krb5_encryption_type *e2 = _krb5_find_enctype(etype2);
2650
    return e1 != NULL && e2 != NULL && e1->keytype == e2->keytype;
2651
}
2652

2653
#endif /* HEIMDAL_SMALLER */
2654

2655