LCOV - code coverage report
Current view: top level - third_party/heimdal/lib/krb5 - crypto.h (source / functions) Hit Total Coverage
Test: coverage report for support-claim-type-attributes 6b5c566e Lines: 5 5 100.0 %
Date: 2023-11-21 12:31:41 Functions: 1 1 100.0 %

          Line data    Source code
       1             : /*
       2             :  * Copyright (c) 1997 - 2016 Kungliga Tekniska Högskolan
       3             :  * (Royal Institute of Technology, Stockholm, Sweden).
       4             :  * All rights reserved.
       5             :  *
       6             :  * Redistribution and use in source and binary forms, with or without
       7             :  * modification, are permitted provided that the following conditions
       8             :  * are met:
       9             :  *
      10             :  * 1. Redistributions of source code must retain the above copyright
      11             :  *    notice, this list of conditions and the following disclaimer.
      12             :  *
      13             :  * 2. Redistributions in binary form must reproduce the above copyright
      14             :  *    notice, this list of conditions and the following disclaimer in the
      15             :  *    documentation and/or other materials provided with the distribution.
      16             :  *
      17             :  * 3. Neither the name of the Institute nor the names of its contributors
      18             :  *    may be used to endorse or promote products derived from this software
      19             :  *    without specific prior written permission.
      20             :  *
      21             :  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
      22             :  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
      23             :  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
      24             :  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
      25             :  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
      26             :  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
      27             :  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
      28             :  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
      29             :  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
      30             :  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
      31             :  * SUCH DAMAGE.
      32             :  */
      33             : 
      34             : #ifndef HEIMDAL_SMALLER
                       /*
                        * Defined for every build that does not set HEIMDAL_SMALLER.
                        * NOTE(review): presumably gates the old DES3 enctype (compare
                        * _krb5_enctype_old_des3_cbc_sha1 declared in this header); the code
                        * that tests this macro is not in this header -- confirm before
                        * relying on it to compile legacy 3DES support out.
                        */
      35             : #define DES3_OLD_ENCTYPE 1
      36             : #endif
      37             : 
      38             : struct _krb5_key_data {
                           /*
                            * A key block together with a schedule blob.  Both members are
                            * pointers, so copying this struct by value aliases the same key
                            * material.
                            * NOTE(review): presumably `schedule' is filled by the schedule()
                            * callback of struct _krb5_key_type and released by its cleanup()
                            * callback; who frees and wipes `key' and `schedule' is not visible
                            * in this header -- confirm in the implementation.
                            */
      39             :     krb5_keyblock *key;
      40             :     krb5_data *schedule;
      41             : };
      42             : 
      43             : struct _krb5_key_usage;
      44             : 
      45             : #define CRYPTO_ETYPE(C) ((C)->et->type) /* enctype number of a crypto handle; dereferences C and C->et without a NULL check */
      46             : 
      47             : /* bits for `flags' below */
                       /*
                        * These bits go in the `flags' member of struct _krb5_checksum_type and
                        * struct _krb5_encryption_type.
                        * F_KEYED and F_CPROOF are separate properties: a checksum can be
                        * collision proof without being keyed, and an unkeyed checksum can be
                        * recomputed by anyone able to alter the data it covers.
                        * NOTE(review): F_DISABLED, F_WEAK and F_OLD only label a type here;
                        * where (and whether) they are enforced is not visible in this header.
                        */
      48             : #define F_KEYED                 0x0001  /* checksum is keyed */
      49             : #define F_CPROOF                0x0002  /* checksum is collision proof */
      50             : #define F_DERIVED               0x0004  /* uses derived keys */
      51             : #define F_VARIANT               0x0008  /* uses `variant' keys (6.4.3) */
      52             : #define F_PSEUDO                0x0010  /* not a real protocol type */
      53             : #define F_DISABLED              0x0020  /* enctype/checksum disabled */
      54             : #define F_WEAK                  0x0040  /* enctype is considered weak */
      55             : #define F_OLD                   0x0080  /* enctype is old */
      56             : 
      57             : #define F_RFC3961_ENC           0x0100  /* RFC3961 simplified profile */
      58             : #define F_SPECIAL               0x0200  /* backwards */
      59             : #define F_ENC_THEN_CKSUM        0x0400  /* checksum is over encrypted data */
                       /* Mask covering the three bits above plus the unassigned 0x0800. */
      60             : #define F_CRYPTO_MASK           0x0F00
      61             : 
      62             : #define F_RFC3961_KDF           0x1000  /* RFC3961 KDF */
      63             : #define F_SP800_108_HMAC_KDF    0x2000  /* SP800-108 HMAC KDF */
                       /* Mask covering the two KDF bits above plus the unassigned 0x4000 and 0x8000. */
      64             : #define F_KDF_MASK              0xF000
      65             : 
      66             : struct salt_type {
                           /*
                            * Associates a salt type and its printable name with a
                            * string-to-key function.  Arrays of this struct are declared
                            * further down as _krb5_*_salt[]; how those arrays are terminated
                            * is not visible in this header.
                            * NOTE(review): the callback's parameters are unnamed; presumably
                            * they are (context, enctype, password, salt, opaque parameters,
                            * output key) -- confirm against an implementation.  The password
                            * and salt are passed by value as krb5_data / krb5_salt structs.
                            */
      67             :     krb5_salttype type;
      68             :     const char *name;
      69             :     krb5_error_code (*string_to_key)(krb5_context, krb5_enctype, krb5_data,
      70             :                                      krb5_salt, krb5_data, krb5_keyblock*);
      71             : };
      72             : 
      73             : struct _krb5_key_type {
                           /*
                            * Per-key-type description: identity, sizes and the callbacks that
                            * create, schedule and clean up keys of this type.
                            */
      74             :     krb5_enctype type;
      75             :     const char *name;
                           /* NOTE(review): presumably `bits' is the effective key strength in
                            * bits and `size' the encoded key length in bytes -- confirm. */
      76             :     size_t bits;
      77             :     size_t size;
                           /* Size of the schedule blob; the unit is not stated in this header. */
      78             :     size_t schedule_size;
                           /* Returns void, so a failure to obtain random bytes cannot be
                            * reported through this callback; how implementations handle that
                            * case is not visible here. */
      79             :     void (*random_key)(krb5_context, krb5_keyblock*);
      80             :     void (*schedule)(krb5_context, struct _krb5_key_type *, struct _krb5_key_data *);
                           /* Despite the member name this is a pointer to struct salt_type
                            * entries, not a function pointer. */
      81             :     struct salt_type *string_to_key;
      82             :     void (*random_to_key)(krb5_context, krb5_keyblock*, const void*, size_t);
                           /* NOTE(review): presumably releases what schedule() set up in the
                            * struct _krb5_key_data; whether it wipes key material is not
                            * visible here. */
      83             :     void (*cleanup)(krb5_context, struct _krb5_key_data *);
                           /* Accessor returning the EVP cipher used for this key type. */
      84             :     const EVP_CIPHER *(*evp)(void);
      85             : };
      86             : 
      87             : struct _krb5_checksum_type {
                           /*
                            * Per-checksum-type description.  `flags' holds the F_* bits
                            * defined earlier in this header (F_KEYED, F_CPROOF, F_DISABLED,
                            * ...).
                            */
      88             :     krb5_cksumtype type;
      89             :     const char *name;
      90             :     size_t blocksize;
      91             :     size_t checksumsize;
      92             :     unsigned flags;
                           /*
                            * Computes a checksum over the `niov' buffers in `iov' into `csum'.
                            * `niov' is a signed int; nothing in this header states that
                            * negative counts are rejected.
                            */
      93             :     krb5_error_code (*checksum)(krb5_context context,
      94             :                                 krb5_crypto crypto,
      95             :                                 struct _krb5_key_data *key,
      96             :                                 unsigned usage,
      97             :                                 const struct krb5_crypto_iov *iov, int niov,
      98             :                                 Checksum *csum);
                           /*
                            * Same parameter list as `checksum'; judging by the name it checks
                            * `csum' against the buffers.
                            * NOTE(review): whether the comparison is constant-time is up to
                            * each implementation and cannot be told from this header.
                            */
      99             :     krb5_error_code (*verify)(krb5_context context,
     100             :                               krb5_crypto crypto,
     101             :                               struct _krb5_key_data *key,
     102             :                               unsigned usage,
     103             :                               const struct krb5_crypto_iov *iov, int niov,
     104             :                               Checksum *csum);
     105             : };
     106             : 
     107             : struct _krb5_encryption_type {
                           /*
                            * Per-enctype description: identity, block geometry, the key type
                            * and checksum types it is paired with, F_* flags, and the
                            * encrypt / PRF callbacks.
                            */
     108             :     krb5_enctype type;
     109             :     const char *name;
     110             :     const char *alias;
     111             :     size_t blocksize;
     112             :     size_t padsize;
     113             :     size_t confoundersize;
     114             :     struct _krb5_key_type *keytype;
                           /* Two checksum types are attached; which one is used for a given
                            * operation is decided by code outside this header. */
     115             :     struct _krb5_checksum_type *checksum;
     116             :     struct _krb5_checksum_type *keyed_checksum;
     117             :     unsigned flags;
                           /*
                            * Single-buffer cipher callback.
                            * NOTE(review): `data' is a non-const pointer with one length, so
                            * the operation is presumably done in place, and `encryptp'
                            * presumably selects encrypt versus decrypt -- confirm.  `ivec' is
                            * an untyped pointer; its required size is not stated here.
                            */
     118             :     krb5_error_code (*encrypt)(krb5_context context,
     119             :                                struct _krb5_key_data *key,
     120             :                                void *data, size_t len,
     121             :                                krb5_boolean encryptp,
     122             :                                int usage,
     123             :                                void *ivec);
                           /* Same as `encrypt' but over an array of `niov' krb5_crypto_iov
                            * buffers; `niov' is a signed int. */
     124             :     krb5_error_code (*encrypt_iov)(krb5_context context,
     125             :                                struct _krb5_key_data *key,
     126             :                                krb5_crypto_iov *iov, int niov,
     127             :                                krb5_boolean encryptp,
     128             :                                int usage,
     129             :                                void *ivec);
                           /* PRF callback and `prf_length'; presumably the length of the PRF
                            * output -- confirm. */
     130             :     size_t prf_length;
     131             :     krb5_error_code (*prf)(krb5_context,
     132             :                            krb5_crypto, const krb5_data *, krb5_data *);
     133             : };
     134             : 
     135             : #define ENCRYPTION_USAGE(U) (((uint32_t)(U) << 8) | 0xAA) /* 0xAA: RFC 3961 constant for the encryption key (Ke) */
     136             : #define INTEGRITY_USAGE(U) (((uint32_t)(U) << 8) | 0x55) /* 0x55: RFC 3961 constant for the integrity key (Ki) */
     137             : #define CHECKSUM_USAGE(U) (((uint32_t)(U) << 8) | 0x99) /* 0x99: RFC 3961 constant for the checksum key (Kc) */
                       /*
                        * Each macro packs a key usage number and a one-byte purpose constant
                        * into a single 32-bit value.  The usage is cast to uint32_t before
                        * the shift, so its top 8 bits are discarded; two usage numbers that
                        * differ only in those bits produce the same packed value.
                        */
     138             : 
     139             : /* Checksums */
     140             : 
     141             : extern struct _krb5_checksum_type _krb5_checksum_none;
                       /*
                        * NOTE(review): this list mixes HMAC-based types with plain digests
                        * and CRC32.  Whether each entry carries F_KEYED, F_CPROOF, F_WEAK or
                        * F_DISABLED is set in the definitions, which are not in this header;
                        * check those flags before treating a type as tamper-evident.
                        */
     142             : extern struct _krb5_checksum_type _krb5_checksum_crc32;
     143             : extern struct _krb5_checksum_type _krb5_checksum_rsa_md4;
     144             : extern struct _krb5_checksum_type _krb5_checksum_rsa_md4_des;
     145             : extern struct _krb5_checksum_type _krb5_checksum_rsa_md5_des;
     146             : extern struct _krb5_checksum_type _krb5_checksum_rsa_md5_des3;
     147             : extern struct _krb5_checksum_type _krb5_checksum_rsa_md5;
     148             : extern struct _krb5_checksum_type _krb5_checksum_hmac_sha1_des3;
     149             : extern struct _krb5_checksum_type _krb5_checksum_hmac_sha1_aes128;
     150             : extern struct _krb5_checksum_type _krb5_checksum_hmac_sha1_aes256;
     151             : extern struct _krb5_checksum_type _krb5_checksum_hmac_sha256_128_aes128;
     152             : extern struct _krb5_checksum_type _krb5_checksum_hmac_sha384_192_aes256;
     153             : extern struct _krb5_checksum_type _krb5_checksum_hmac_md5;
     154             : extern struct _krb5_checksum_type _krb5_checksum_sha1;
     155             : extern struct _krb5_checksum_type _krb5_checksum_sha256;
     156             : extern struct _krb5_checksum_type _krb5_checksum_sha384;
     157             : extern struct _krb5_checksum_type _krb5_checksum_sha512;
     158             : 
     159             : extern struct _krb5_checksum_type *_krb5_checksum_types[];
     160             : extern int _krb5_num_checksums;
     161             : 
     162             : /* Salts */
     163             : 
     164             : extern struct salt_type _krb5_AES_SHA1_salt[]; /* salt tables, one per key family; sizes and terminators are in the definitions */
     165             : extern struct salt_type _krb5_AES_SHA2_salt[];
     166             : extern struct salt_type _krb5_arcfour_salt[];
     167             : extern struct salt_type _krb5_des_salt[];
     168             : extern struct salt_type _krb5_des3_salt[];
     169             : extern struct salt_type _krb5_des3_salt_derived[];
     170             : 
     171             : /* Encryption types */
     172             : 
     173             : extern struct _krb5_encryption_type _krb5_enctype_aes256_cts_hmac_sha1;
     174             : extern struct _krb5_encryption_type _krb5_enctype_aes128_cts_hmac_sha1;
     175             : extern struct _krb5_encryption_type _krb5_enctype_aes128_cts_hmac_sha256_128;
     176             : extern struct _krb5_encryption_type _krb5_enctype_aes256_cts_hmac_sha384_192;
                       /*
                        * NOTE(review): the entries from here on are legacy types.  Single
                        * DES was deprecated for Kerberos by RFC 6649, and 3DES and RC4 by
                        * RFC 8429.  Declaring them here does not show whether they are
                        * usable at run time; that depends on the F_DISABLED / F_WEAK bits in
                        * their definitions and on configuration, neither visible here.
                        */
     177             : extern struct _krb5_encryption_type _krb5_enctype_des3_cbc_sha1;
     178             : extern struct _krb5_encryption_type _krb5_enctype_des3_cbc_md5;
     179             : extern struct _krb5_encryption_type _krb5_enctype_des3_cbc_none;
     180             : extern struct _krb5_encryption_type _krb5_enctype_arcfour_hmac_md5;
     181             : extern struct _krb5_encryption_type _krb5_enctype_des_cbc_md5;
     182             : extern struct _krb5_encryption_type _krb5_enctype_old_des3_cbc_sha1;
     183             : extern struct _krb5_encryption_type _krb5_enctype_des_cbc_crc;
     184             : extern struct _krb5_encryption_type _krb5_enctype_des_cbc_md4;
     185             : extern struct _krb5_encryption_type _krb5_enctype_des_cbc_md5; /* repeats the declaration four lines up; a harmless redeclaration */
     186             : extern struct _krb5_encryption_type _krb5_enctype_des_cbc_none;
     187             : extern struct _krb5_encryption_type _krb5_enctype_des_cfb64_none;
     188             : extern struct _krb5_encryption_type _krb5_enctype_des_pcbc_none;
     189             : extern struct _krb5_encryption_type _krb5_enctype_null; /* NOTE(review): by its name a no-encryption type; confirm it cannot be negotiated */
     190             : 
     191             : extern struct _krb5_encryption_type *_krb5_etypes[];
     192             : extern int _krb5_num_etypes;
     193             : 
     194             : static inline int
     195    18536671 : _krb5_crypto_iov_should_sign(const struct krb5_crypto_iov *iov)
     196             : {
                           /*
                            * Returns non-zero when iov->flags is exactly one of
                            * KRB5_CRYPTO_TYPE_DATA, KRB5_CRYPTO_TYPE_SIGN_ONLY,
                            * KRB5_CRYPTO_TYPE_HEADER or KRB5_CRYPTO_TYPE_PADDING, and 0 for
                            * every other value.  `flags' is compared with ==, so it is
                            * treated as a single buffer-type value, not as a bit set.
                            * `iov' is dereferenced without a NULL check.
                            * Judging by the name, this picks the buffers that a checksum
                            * covers; a buffer of any other type would then be left outside
                            * the integrity protection -- confirm against the callers.
                            */
     197    18536671 :     return (iov->flags == KRB5_CRYPTO_TYPE_DATA
     198     7949905 :             || iov->flags == KRB5_CRYPTO_TYPE_SIGN_ONLY
     199     4820397 :             || iov->flags == KRB5_CRYPTO_TYPE_HEADER
     200    26486576 :             || iov->flags == KRB5_CRYPTO_TYPE_PADDING);
     201             : }
     202             : 
     203             : /* NO_HCRYPTO_POLLUTION is defined in pkinit-ec.c.  See commentary there. */
     204             : #ifndef NO_HCRYPTO_POLLUTION
     205             : /* Interface to the EVP crypto layer provided by hcrypto */
     206             : struct _krb5_evp_schedule {
     207             :     /*
     208             :      * Normally we'd say EVP_CIPHER_CTX here, but!  this header gets
     209             :      * included in lib/krb5/pkinit-ec.c
     210             :      */
                           /*
                            * NOTE(review): the comment above reads as if another type were
                            * used, yet both members are declared as EVP_CIPHER_CTX; it may be
                            * stale.  The contexts are embedded by value, so this struct needs
                            * the complete EVP_CIPHER_CTX definition and its size follows that
                            * type's layout.  Presumably `ectx' is the encrypt context and
                            * `dctx' the decrypt context -- confirm.
                            */
     211             :     EVP_CIPHER_CTX ectx;
     212             :     EVP_CIPHER_CTX dctx;
     213             : };
     214             : 
     215             : struct krb5_crypto_data {
                           /*
                            * State behind a crypto handle: the encryption type (read by
                            * CRYPTO_ETYPE), the base key with its schedule, digest and HMAC
                            * contexts, and an array of `num_key_usage' per-usage entries.
                            * `key' is embedded by value, but its members are pointers, so the
                            * key material itself lives elsewhere.
                            * NOTE(review): `flags' presumably holds KRB5_CRYPTO_FLAG_* bits
                            * such as KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM -- confirm.
                            */
     216             :     struct _krb5_encryption_type *et;
     217             :     struct _krb5_key_data key;
     218             :     EVP_MD_CTX *mdctx;
     219             :     HMAC_CTX *hmacctx;
     220             :     int num_key_usage;
     221             :     struct _krb5_key_usage *key_usage;
     222             :     krb5_flags flags;
     223             : };
     224             : 
     225             : /*
     226             :  * Allow generation and verification of unkeyed checksums even when
     227             :  * key material is available.
     228             :  */
                       /*
                        * An unkeyed checksum can be recomputed by anyone who can alter the
                        * data, so a successful verification under this flag shows only that
                        * data and checksum match, not who produced them.  Set it only where
                        * the checksum is protected by some other means.
                        */
     229             : #define KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM             0x01
     230             : 
     231             : #endif
