* SUCH DAMAGE.
*/
-#define KRB5_DEPRECATED
-
#include "krb5_locl.h"
struct _krb5_key_usage {
struct _krb5_key_data *,
struct _krb5_encryption_type *);
-/************************************************************
- * *
- ************************************************************/
+/*
+ * Converts etype to a user readable string and sets as a side effect
+ * the krb5_error_message containing this string. Returns
+ * KRB5_PROG_ETYPE_NOSUPP in not the conversion of the etype failed in
+ * which case the error code of the etype convesion is returned.
+ */
+
+static krb5_error_code
+unsupported_enctype(krb5_context context, krb5_enctype etype)
+{
+ krb5_error_code ret;
+ char *name;
+
+ ret = krb5_enctype_to_string(context, etype, &name);
+ if (ret)
+ return ret;
+
+ krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
+ N_("Encryption type %s not supported", ""),
+ name);
+ free(name);
+ return KRB5_PROG_ETYPE_NOSUPP;
+}
+
+/*
+ *
+ */
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_enctype_keysize(krb5_context context,
{
struct _krb5_encryption_type *et = _krb5_find_enctype(type);
if(et == NULL) {
- krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
- N_("encryption type %d not supported", ""),
- type);
- return KRB5_PROG_ETYPE_NOSUPP;
+ return unsupported_enctype (context, type);
}
*keysize = et->keytype->size;
return 0;
{
struct _krb5_encryption_type *et = _krb5_find_enctype(type);
if(et == NULL) {
- krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
- "encryption type %d not supported",
- type);
- return KRB5_PROG_ETYPE_NOSUPP;
+ return unsupported_enctype (context, type);
}
*keybits = et->keytype->bits;
return 0;
krb5_error_code ret;
struct _krb5_encryption_type *et = _krb5_find_enctype(type);
if(et == NULL) {
- krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
- N_("encryption type %d not supported", ""),
- type);
- return KRB5_PROG_ETYPE_NOSUPP;
+ return unsupported_enctype (context, type);
}
ret = krb5_data_alloc(&key->keyvalue, et->keytype->size);
if(ret)
struct _krb5_key_type *kt;
if (et == NULL) {
- krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
- N_("encryption type %d not supported", ""),
- key->key->keytype);
- return KRB5_PROG_ETYPE_NOSUPP;
+ return unsupported_enctype (context,
+ key->key->keytype);
}
kt = et->keytype;
if (key->schedule != NULL)
return 0;
ALLOC(key->schedule, 1);
- if(key->schedule == NULL) {
- krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
- return ENOMEM;
- }
+ if (key->schedule == NULL)
+ return krb5_enomem(context);
ret = krb5_data_alloc(key->schedule, kt->schedule_size);
if(ret) {
free(key->schedule);
}
/* HMAC according to RFC2104 */
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_internal_hmac(krb5_context context,
struct _krb5_checksum_type *cm,
const void *data,
unsigned char *ipad, *opad;
unsigned char *key;
size_t key_len;
- int i;
+ size_t i;
ipad = malloc(cm->blocksize + len);
if (ipad == NULL)
NULL
};
-struct _krb5_checksum_type *
+KRB5_LIB_FUNCTION struct _krb5_checksum_type * KRB5_LIB_CALL
_krb5_find_checksum(krb5_cksumtype type)
{
int i;
if(ct->flags & F_DERIVED)
ret = _get_derived_key(context, crypto, usage, key);
else if(ct->flags & F_VARIANT) {
- int i;
+ size_t i;
*key = _new_derived_key(crypto, 0xff/* KRB5_KU_RFC1510_VARIANT */);
- if(*key == NULL) {
- krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
- return ENOMEM;
- }
+ if (*key == NULL)
+ return krb5_enomem(context);
ret = krb5_copy_keyblock(context, crypto->key.key, &(*key)->key);
if(ret)
return ret;
return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
}
kct = crypto->et->keyed_checksum;
- if (kct != NULL && kct->type != ct->type) {
+ if (kct == NULL || kct->type != ct->type) {
krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
N_("Checksum type %s is keyed, but "
"the key type %s passed didnt have that checksum "
* *
************************************************************/
-struct _krb5_encryption_type *
+KRB5_LIB_FUNCTION struct _krb5_encryption_type * KRB5_LIB_CALL
_krb5_find_enctype(krb5_enctype type)
{
int i;
return KRB5_PROG_ETYPE_NOSUPP;
}
*string = strdup(e->name);
- if(*string == NULL) {
- krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
- return ENOMEM;
- }
+ if (*string == NULL)
+ return krb5_enomem(context);
return 0;
}
krb5_enctype *etype)
{
int i;
- for(i = 0; i < _krb5_num_etypes; i++)
+ for(i = 0; i < _krb5_num_etypes; i++) {
if(strcasecmp(_krb5_etypes[i]->name, string) == 0){
*etype = _krb5_etypes[i]->type;
return 0;
}
+ if(_krb5_etypes[i]->alias != NULL &&
+ strcasecmp(_krb5_etypes[i]->alias, string) == 0){
+ *etype = _krb5_etypes[i]->type;
+ return 0;
+ }
+ }
krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
N_("encryption type %s not supported", ""),
string);
{
struct _krb5_encryption_type *e = _krb5_find_enctype(etype);
if(e == NULL) {
- krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
- N_("encryption type %d not supported", ""),
- etype);
- return KRB5_PROG_ETYPE_NOSUPP;
+ return unsupported_enctype (context, etype);
}
*keytype = e->keytype->type; /* XXX */
return 0;
}
+/**
+ * Check if a enctype is valid, return 0 if it is.
+ *
+ * @param context Kerberos context
+ * @param etype enctype to check if its valid or not
+ *
+ * @return Return an error code for an failure or 0 on success (enctype valid).
+ * @ingroup krb5_crypto
+ */
+
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_enctype_valid(krb5_context context,
krb5_enctype etype)
{
struct _krb5_encryption_type *e = _krb5_find_enctype(etype);
- if(e == NULL) {
- krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
- N_("encryption type %d not supported", ""),
- etype);
- return KRB5_PROG_ETYPE_NOSUPP;
- }
- if (e->flags & F_DISABLED) {
- krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
- N_("encryption type %s is disabled", ""),
- e->name);
+ if(e && (e->flags & F_DISABLED) == 0)
+ return 0;
+ if (context == NULL)
return KRB5_PROG_ETYPE_NOSUPP;
+ if(e == NULL) {
+ return unsupported_enctype (context, etype);
}
- return 0;
+ /* Must be (e->flags & F_DISABLED) */
+ krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
+ N_("encryption type %s is disabled", ""),
+ e->name);
+ return KRB5_PROG_ETYPE_NOSUPP;
}
/**
block_sz = (sz + et->padsize - 1) &~ (et->padsize - 1); /* pad */
total_sz = block_sz + checksum_sz;
p = calloc(1, total_sz);
- if(p == NULL) {
- krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
- return ENOMEM;
- }
+ if (p == NULL)
+ return krb5_enomem(context);
q = p;
krb5_generate_random_block(q, et->confoundersize); /* XXX */
sz = et->confoundersize + checksum_sz + len;
block_sz = (sz + et->padsize - 1) &~ (et->padsize - 1); /* pad */
p = calloc(1, block_sz);
- if(p == NULL) {
- krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
- return ENOMEM;
- }
+ if (p == NULL)
+ return krb5_enomem(context);
q = p;
krb5_generate_random_block(q, et->confoundersize); /* XXX */
krb5_error_code ret;
tmp = malloc (sz);
- if (tmp == NULL) {
- krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
- return ENOMEM;
- }
+ if (tmp == NULL)
+ return krb5_enomem(context);
p = tmp;
memset (p, 0, cksum_sz);
p += cksum_sz;
}
p = malloc(len);
- if(len != 0 && p == NULL) {
- krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
- return ENOMEM;
- }
+ if (len != 0 && p == NULL)
+ return krb5_enomem(context);
memcpy(p, data, len);
len -= checksum_sz;
result->data = realloc(p, l);
if(result->data == NULL && l != 0) {
free(p);
- krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
- return ENOMEM;
+ return krb5_enomem(context);
}
result->length = l;
return 0;
}
p = malloc(len);
- if(len != 0 && p == NULL) {
- krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
- return ENOMEM;
- }
+ if (len != 0 && p == NULL)
+ return krb5_enomem(context);
memcpy(p, data, len);
ret = _key_schedule(context, &crypto->key);
result->data = realloc(p, l);
if(result->data == NULL && l != 0) {
free(p);
- krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
- return ENOMEM;
+ return krb5_enomem(context);
}
result->length = l;
return 0;
}
p = malloc (len);
- if (p == NULL) {
- krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
- return ENOMEM;
- }
+ if (p == NULL)
+ return krb5_enomem(context);
memcpy(p, data, len);
ret = (*et->encrypt)(context, &crypto->key, p, len, FALSE, usage, ivec);
result->data = realloc(p, sz);
if(result->data == NULL && sz != 0) {
free(p);
- krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
- return ENOMEM;
+ return krb5_enomem(context);
}
result->length = sz;
return 0;
}
static krb5_crypto_iov *
-find_iv(krb5_crypto_iov *data, int num_data, int type)
+find_iv(krb5_crypto_iov *data, size_t num_data, unsigned type)
{
- int i;
+ size_t i;
for (i = 0; i < num_data; i++)
if (data[i].flags == type)
return &data[i];
struct _krb5_encryption_type *et = crypto->et;
krb5_crypto_iov *tiv, *hiv;
- if (num_data < 0) {
- krb5_clear_error_message(context);
- return KRB5_CRYPTO_INTERNAL;
- }
-
if(!derived_crypto(context, crypto)) {
krb5_clear_error_message(context);
return KRB5_CRYPTO_INTERNAL;
Checksum cksum;
krb5_crypto_iov *civ;
krb5_error_code ret;
- int i;
+ size_t i;
size_t len;
char *p, *q;
- if (num_data < 0) {
- krb5_clear_error_message(context);
- return KRB5_CRYPTO_INTERNAL;
- }
-
if(!derived_crypto(context, crypto)) {
krb5_clear_error_message(context);
return KRB5_CRYPTO_INTERNAL;
Checksum cksum;
krb5_crypto_iov *civ;
krb5_error_code ret;
- int i;
+ size_t i;
size_t len;
char *p, *q;
- if (num_data < 0) {
- krb5_clear_error_message(context);
- return KRB5_CRYPTO_INTERNAL;
- }
-
if(!derived_crypto(context, crypto)) {
krb5_clear_error_message(context);
return KRB5_CRYPTO_INTERNAL;
unsigned int num_data)
{
krb5_error_code ret;
- int i;
+ size_t i;
for (i = 0; i < num_data; i++) {
ret = krb5_crypto_length(context, crypto,
* *
************************************************************/
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_derive_key(krb5_context context,
struct _krb5_encryption_type *et,
struct _krb5_key_data *key,
nblocks = (kt->bits + et->blocksize * 8 - 1) / (et->blocksize * 8);
k = malloc(nblocks * et->blocksize);
if(k == NULL) {
- ret = ENOMEM;
- krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+ ret = krb5_enomem(context);
goto out;
}
ret = _krb5_n_fold(constant, len, k, et->blocksize);
if (ret) {
- krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+ krb5_enomem(context);
goto out;
}
size_t res_len = (kt->bits + 7) / 8;
if(len != 0 && c == NULL) {
- ret = ENOMEM;
- krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+ ret = krb5_enomem(context);
goto out;
}
memcpy(c, constant, len);
k = malloc(res_len);
if(res_len != 0 && k == NULL) {
free(c);
- ret = ENOMEM;
- krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+ ret = krb5_enomem(context);
goto out;
}
ret = _krb5_n_fold(c, len, k, res_len);
free(c);
if (ret) {
- krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+ krb5_enomem(context);
goto out;
}
}
/* XXX keytype dependent post-processing */
switch(kt->type) {
- case KEYTYPE_DES3:
+ case KRB5_ENCTYPE_OLD_DES3_CBC_SHA1:
_krb5_DES3_random_to_key(context, key->key, k, nblocks * et->blocksize);
break;
- case KEYTYPE_AES128:
- case KEYTYPE_AES256:
+ case KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96:
+ case KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96:
memcpy(key->key->keyvalue.data, k, key->key->keyvalue.length);
break;
default:
et = _krb5_find_enctype (etype);
if (et == NULL) {
- krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
- N_("encryption type %d not supported", ""),
- etype);
- return KRB5_PROG_ETYPE_NOSUPP;
+ return unsupported_enctype (context, etype);
}
ret = krb5_copy_keyblock(context, key, &d.key);
return 0;
}
d = _new_derived_key(crypto, usage);
- if(d == NULL) {
- krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
- return ENOMEM;
- }
+ if (d == NULL)
+ return krb5_enomem(context);
krb5_copy_keyblock(context, crypto->key.key, &d->key);
_krb5_put_int(constant, usage, 5);
_krb5_derive_key(context, crypto->et, d, constant, sizeof(constant));
{
krb5_error_code ret;
ALLOC(*crypto, 1);
- if(*crypto == NULL) {
- krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
- return ENOMEM;
- }
- if(etype == ETYPE_NULL)
+ if (*crypto == NULL)
+ return krb5_enomem(context);
+ if(etype == (krb5_enctype)ETYPE_NULL)
etype = key->keytype;
(*crypto)->et = _krb5_find_enctype(etype);
if((*crypto)->et == NULL || ((*crypto)->et->flags & F_DISABLED)) {
free(*crypto);
*crypto = NULL;
- krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
- N_("encryption type %d not supported", ""),
- etype);
- return KRB5_PROG_ETYPE_NOSUPP;
+ return unsupported_enctype(context, etype);
}
if((*crypto)->et->keytype->size != key->keyvalue.length) {
free(*crypto);
krb5_free_data(context, key->schedule);
}
-void
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
_krb5_free_key_data(krb5_context context, struct _krb5_key_data *key,
struct _krb5_encryption_type *et)
{
return 0;
}
+/**
+ * Returns is the encryption is strong or weak
+ *
+ * @param context Kerberos 5 context
+ * @param enctype encryption type to probe
+ *
+ * @return Returns true if encryption type is weak or is not supported.
+ *
+ * @ingroup krb5_crypto
+ */
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_is_enctype_weak(krb5_context context, krb5_enctype enctype)
+{
+ struct _krb5_encryption_type *et = _krb5_find_enctype(enctype);
+ if(et == NULL || (et->flags & F_WEAK))
+ return TRUE;
+ return FALSE;
+}
+
static size_t
wrapped_length (krb5_context context,
krb5_crypto crypto,
krb5_data_free(&input2);
if (ret)
krb5_data_free(output);
- return 0;
+ return ret;
}
/**
size_t i, keysize;
memset(res, 0, sizeof(*res));
+ krb5_data_zero(&os1);
+ krb5_data_zero(&os2);
ret = krb5_enctype_keysize(context, enctype, &keysize);
if (ret)
* @ingroup krb5_deprecated
*/
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_keytype_to_enctypes (krb5_context context,
krb5_keytype keytype,
unsigned *len,
krb5_enctype **val)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
int i;
unsigned n = 0;
}
ret = malloc(n * sizeof(*ret));
- if (ret == NULL && n != 0) {
- krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
- return ENOMEM;
- }
+ if (ret == NULL && n != 0)
+ return krb5_enomem(context);
n = 0;
for (i = _krb5_num_etypes - 1; i >= 0; --i) {
if (_krb5_etypes[i]->keytype->type == keytype
*/
/* if two enctypes have compatible keys */
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_enctypes_compatible_keys(krb5_context context,
krb5_enctype etype1,
krb5_enctype etype2)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
struct _krb5_encryption_type *e1 = _krb5_find_enctype(etype1);
struct _krb5_encryption_type *e2 = _krb5_find_enctype(etype2);
git://git.openafs.org / openafs.git / blobdiff