xref: /freebsd/crypto/heimdal/lib/krb5/crypto.c (revision 8aac90f18aef7c9eea906c3ff9a001ca7b94f375)
1 /*
2  * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "krb5_locl.h"
35 
36 struct _krb5_key_usage {
37     unsigned usage;
38     struct _krb5_key_data key;
39 };
40 
41 
42 #ifndef HEIMDAL_SMALLER
43 #define DES3_OLD_ENCTYPE 1
44 #endif
45 
46 static krb5_error_code _get_derived_key(krb5_context, krb5_crypto,
47 					unsigned, struct _krb5_key_data**);
48 static struct _krb5_key_data *_new_derived_key(krb5_crypto crypto, unsigned usage);
49 
50 static void free_key_schedule(krb5_context,
51 			      struct _krb5_key_data *,
52 			      struct _krb5_encryption_type *);
53 
54 /*
55  * Converts etype to a user readable string and sets as a side effect
56  * the krb5_error_message containing this string. Returns
57  * KRB5_PROG_ETYPE_NOSUPP in not the conversion of the etype failed in
58  * which case the error code of the etype convesion is returned.
59  */
60 
61 static krb5_error_code
62 unsupported_enctype(krb5_context context, krb5_enctype etype)
63 {
64     krb5_error_code ret;
65     char *name;
66 
67     ret = krb5_enctype_to_string(context, etype, &name);
68     if (ret)
69 	return ret;
70 
71     krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
72 			   N_("Encryption type %s not supported", ""),
73 			   name);
74     free(name);
75     return KRB5_PROG_ETYPE_NOSUPP;
76 }
77 
78 /*
79  *
80  */
81 
82 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
83 krb5_enctype_keysize(krb5_context context,
84 		     krb5_enctype type,
85 		     size_t *keysize)
86 {
87     struct _krb5_encryption_type *et = _krb5_find_enctype(type);
88     if(et == NULL) {
89         return unsupported_enctype (context, type);
90     }
91     *keysize = et->keytype->size;
92     return 0;
93 }
94 
95 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
96 krb5_enctype_keybits(krb5_context context,
97 		     krb5_enctype type,
98 		     size_t *keybits)
99 {
100     struct _krb5_encryption_type *et = _krb5_find_enctype(type);
101     if(et == NULL) {
102         return unsupported_enctype (context, type);
103     }
104     *keybits = et->keytype->bits;
105     return 0;
106 }
107 
108 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
109 krb5_generate_random_keyblock(krb5_context context,
110 			      krb5_enctype type,
111 			      krb5_keyblock *key)
112 {
113     krb5_error_code ret;
114     struct _krb5_encryption_type *et = _krb5_find_enctype(type);
115     if(et == NULL) {
116         return unsupported_enctype (context, type);
117     }
118     ret = krb5_data_alloc(&key->keyvalue, et->keytype->size);
119     if(ret)
120 	return ret;
121     key->keytype = type;
122     if(et->keytype->random_key)
123 	(*et->keytype->random_key)(context, key);
124     else
125 	krb5_generate_random_block(key->keyvalue.data,
126 				   key->keyvalue.length);
127     return 0;
128 }
129 
130 static krb5_error_code
131 _key_schedule(krb5_context context,
132 	      struct _krb5_key_data *key)
133 {
134     krb5_error_code ret;
135     struct _krb5_encryption_type *et = _krb5_find_enctype(key->key->keytype);
136     struct _krb5_key_type *kt;
137 
138     if (et == NULL) {
139         return unsupported_enctype (context,
140                                key->key->keytype);
141     }
142 
143     kt = et->keytype;
144 
145     if(kt->schedule == NULL)
146 	return 0;
147     if (key->schedule != NULL)
148 	return 0;
149     ALLOC(key->schedule, 1);
150     if(key->schedule == NULL) {
151 	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
152 	return ENOMEM;
153     }
154     ret = krb5_data_alloc(key->schedule, kt->schedule_size);
155     if(ret) {
156 	free(key->schedule);
157 	key->schedule = NULL;
158 	return ret;
159     }
160     (*kt->schedule)(context, kt, key);
161     return 0;
162 }
163 
164 /************************************************************
165  *                                                          *
166  ************************************************************/
167 
168 static krb5_error_code
169 SHA1_checksum(krb5_context context,
170 	      struct _krb5_key_data *key,
171 	      const void *data,
172 	      size_t len,
173 	      unsigned usage,
174 	      Checksum *C)
175 {
176     if (EVP_Digest(data, len, C->checksum.data, NULL, EVP_sha1(), NULL) != 1)
177 	krb5_abortx(context, "sha1 checksum failed");
178     return 0;
179 }
180 
181 /* HMAC according to RFC2104 */
182 krb5_error_code
183 _krb5_internal_hmac(krb5_context context,
184 		    struct _krb5_checksum_type *cm,
185 		    const void *data,
186 		    size_t len,
187 		    unsigned usage,
188 		    struct _krb5_key_data *keyblock,
189 		    Checksum *result)
190 {
191     unsigned char *ipad, *opad;
192     unsigned char *key;
193     size_t key_len;
194     size_t i;
195 
196     ipad = malloc(cm->blocksize + len);
197     if (ipad == NULL)
198 	return ENOMEM;
199     opad = malloc(cm->blocksize + cm->checksumsize);
200     if (opad == NULL) {
201 	free(ipad);
202 	return ENOMEM;
203     }
204     memset(ipad, 0x36, cm->blocksize);
205     memset(opad, 0x5c, cm->blocksize);
206 
207     if(keyblock->key->keyvalue.length > cm->blocksize){
208 	(*cm->checksum)(context,
209 			keyblock,
210 			keyblock->key->keyvalue.data,
211 			keyblock->key->keyvalue.length,
212 			usage,
213 			result);
214 	key = result->checksum.data;
215 	key_len = result->checksum.length;
216     } else {
217 	key = keyblock->key->keyvalue.data;
218 	key_len = keyblock->key->keyvalue.length;
219     }
220     for(i = 0; i < key_len; i++){
221 	ipad[i] ^= key[i];
222 	opad[i] ^= key[i];
223     }
224     memcpy(ipad + cm->blocksize, data, len);
225     (*cm->checksum)(context, keyblock, ipad, cm->blocksize + len,
226 		    usage, result);
227     memcpy(opad + cm->blocksize, result->checksum.data,
228 	   result->checksum.length);
229     (*cm->checksum)(context, keyblock, opad,
230 		    cm->blocksize + cm->checksumsize, usage, result);
231     memset(ipad, 0, cm->blocksize + len);
232     free(ipad);
233     memset(opad, 0, cm->blocksize + cm->checksumsize);
234     free(opad);
235 
236     return 0;
237 }
238 
239 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
240 krb5_hmac(krb5_context context,
241 	  krb5_cksumtype cktype,
242 	  const void *data,
243 	  size_t len,
244 	  unsigned usage,
245 	  krb5_keyblock *key,
246 	  Checksum *result)
247 {
248     struct _krb5_checksum_type *c = _krb5_find_checksum(cktype);
249     struct _krb5_key_data kd;
250     krb5_error_code ret;
251 
252     if (c == NULL) {
253 	krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
254 				N_("checksum type %d not supported", ""),
255 				cktype);
256 	return KRB5_PROG_SUMTYPE_NOSUPP;
257     }
258 
259     kd.key = key;
260     kd.schedule = NULL;
261 
262     ret = _krb5_internal_hmac(context, c, data, len, usage, &kd, result);
263 
264     if (kd.schedule)
265 	krb5_free_data(context, kd.schedule);
266 
267     return ret;
268 }
269 
270 krb5_error_code
271 _krb5_SP_HMAC_SHA1_checksum(krb5_context context,
272 			    struct _krb5_key_data *key,
273 			    const void *data,
274 			    size_t len,
275 			    unsigned usage,
276 			    Checksum *result)
277 {
278     struct _krb5_checksum_type *c = _krb5_find_checksum(CKSUMTYPE_SHA1);
279     Checksum res;
280     char sha1_data[20];
281     krb5_error_code ret;
282 
283     res.checksum.data = sha1_data;
284     res.checksum.length = sizeof(sha1_data);
285 
286     ret = _krb5_internal_hmac(context, c, data, len, usage, key, &res);
287     if (ret)
288 	krb5_abortx(context, "hmac failed");
289     memcpy(result->checksum.data, res.checksum.data, result->checksum.length);
290     return 0;
291 }
292 
293 struct _krb5_checksum_type _krb5_checksum_sha1 = {
294     CKSUMTYPE_SHA1,
295     "sha1",
296     64,
297     20,
298     F_CPROOF,
299     SHA1_checksum,
300     NULL
301 };
302 
303 struct _krb5_checksum_type *
304 _krb5_find_checksum(krb5_cksumtype type)
305 {
306     int i;
307     for(i = 0; i < _krb5_num_checksums; i++)
308 	if(_krb5_checksum_types[i]->type == type)
309 	    return _krb5_checksum_types[i];
310     return NULL;
311 }
312 
313 static krb5_error_code
314 get_checksum_key(krb5_context context,
315 		 krb5_crypto crypto,
316 		 unsigned usage,  /* not krb5_key_usage */
317 		 struct _krb5_checksum_type *ct,
318 		 struct _krb5_key_data **key)
319 {
320     krb5_error_code ret = 0;
321 
322     if(ct->flags & F_DERIVED)
323 	ret = _get_derived_key(context, crypto, usage, key);
324     else if(ct->flags & F_VARIANT) {
325 	size_t i;
326 
327 	*key = _new_derived_key(crypto, 0xff/* KRB5_KU_RFC1510_VARIANT */);
328 	if(*key == NULL) {
329 	    krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
330 	    return ENOMEM;
331 	}
332 	ret = krb5_copy_keyblock(context, crypto->key.key, &(*key)->key);
333 	if(ret)
334 	    return ret;
335 	for(i = 0; i < (*key)->key->keyvalue.length; i++)
336 	    ((unsigned char*)(*key)->key->keyvalue.data)[i] ^= 0xF0;
337     } else {
338 	*key = &crypto->key;
339     }
340     if(ret == 0)
341 	ret = _key_schedule(context, *key);
342     return ret;
343 }
344 
345 static krb5_error_code
346 create_checksum (krb5_context context,
347 		 struct _krb5_checksum_type *ct,
348 		 krb5_crypto crypto,
349 		 unsigned usage,
350 		 void *data,
351 		 size_t len,
352 		 Checksum *result)
353 {
354     krb5_error_code ret;
355     struct _krb5_key_data *dkey;
356     int keyed_checksum;
357 
358     if (ct->flags & F_DISABLED) {
359 	krb5_clear_error_message (context);
360 	return KRB5_PROG_SUMTYPE_NOSUPP;
361     }
362     keyed_checksum = (ct->flags & F_KEYED) != 0;
363     if(keyed_checksum && crypto == NULL) {
364 	krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
365 				N_("Checksum type %s is keyed but no "
366 				   "crypto context (key) was passed in", ""),
367 				ct->name);
368 	return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
369     }
370     if(keyed_checksum) {
371 	ret = get_checksum_key(context, crypto, usage, ct, &dkey);
372 	if (ret)
373 	    return ret;
374     } else
375 	dkey = NULL;
376     result->cksumtype = ct->type;
377     ret = krb5_data_alloc(&result->checksum, ct->checksumsize);
378     if (ret)
379 	return (ret);
380     return (*ct->checksum)(context, dkey, data, len, usage, result);
381 }
382 
383 static int
384 arcfour_checksum_p(struct _krb5_checksum_type *ct, krb5_crypto crypto)
385 {
386     return (ct->type == CKSUMTYPE_HMAC_MD5) &&
387 	(crypto->key.key->keytype == KEYTYPE_ARCFOUR);
388 }
389 
390 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
391 krb5_create_checksum(krb5_context context,
392 		     krb5_crypto crypto,
393 		     krb5_key_usage usage,
394 		     int type,
395 		     void *data,
396 		     size_t len,
397 		     Checksum *result)
398 {
399     struct _krb5_checksum_type *ct = NULL;
400     unsigned keyusage;
401 
402     /* type 0 -> pick from crypto */
403     if (type) {
404 	ct = _krb5_find_checksum(type);
405     } else if (crypto) {
406 	ct = crypto->et->keyed_checksum;
407 	if (ct == NULL)
408 	    ct = crypto->et->checksum;
409     }
410 
411     if(ct == NULL) {
412 	krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
413 				N_("checksum type %d not supported", ""),
414 				type);
415 	return KRB5_PROG_SUMTYPE_NOSUPP;
416     }
417 
418     if (arcfour_checksum_p(ct, crypto)) {
419 	keyusage = usage;
420 	_krb5_usage2arcfour(context, &keyusage);
421     } else
422 	keyusage = CHECKSUM_USAGE(usage);
423 
424     return create_checksum(context, ct, crypto, keyusage,
425 			   data, len, result);
426 }
427 
428 static krb5_error_code
429 verify_checksum(krb5_context context,
430 		krb5_crypto crypto,
431 		unsigned usage, /* not krb5_key_usage */
432 		void *data,
433 		size_t len,
434 		Checksum *cksum)
435 {
436     krb5_error_code ret;
437     struct _krb5_key_data *dkey;
438     int keyed_checksum;
439     Checksum c;
440     struct _krb5_checksum_type *ct;
441 
442     ct = _krb5_find_checksum(cksum->cksumtype);
443     if (ct == NULL || (ct->flags & F_DISABLED)) {
444 	krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
445 				N_("checksum type %d not supported", ""),
446 				cksum->cksumtype);
447 	return KRB5_PROG_SUMTYPE_NOSUPP;
448     }
449     if(ct->checksumsize != cksum->checksum.length) {
450 	krb5_clear_error_message (context);
451 	krb5_set_error_message(context, KRB5KRB_AP_ERR_BAD_INTEGRITY,
452 			       N_("Decrypt integrity check failed for checksum type %s, "
453 				  "length was %u, expected %u", ""),
454 			       ct->name, (unsigned)cksum->checksum.length,
455 			       (unsigned)ct->checksumsize);
456 
457 	return KRB5KRB_AP_ERR_BAD_INTEGRITY; /* XXX */
458     }
459     keyed_checksum = (ct->flags & F_KEYED) != 0;
460     if(keyed_checksum) {
461 	struct _krb5_checksum_type *kct;
462 	if (crypto == NULL) {
463 	    krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
464 				   N_("Checksum type %s is keyed but no "
465 				      "crypto context (key) was passed in", ""),
466 				   ct->name);
467 	    return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
468 	}
469 	kct = crypto->et->keyed_checksum;
470 	if (kct == NULL || kct->type != ct->type) {
471 	    krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
472 				   N_("Checksum type %s is keyed, but "
473 				      "the key type %s passed didnt have that checksum "
474 				      "type as the keyed type", ""),
475 				    ct->name, crypto->et->name);
476 	    return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
477 	}
478 
479 	ret = get_checksum_key(context, crypto, usage, ct, &dkey);
480 	if (ret)
481 	    return ret;
482     } else
483 	dkey = NULL;
484 
485     /*
486      * If checksum have a verify function, lets use that instead of
487      * calling ->checksum and then compare result.
488      */
489 
490     if(ct->verify) {
491 	ret = (*ct->verify)(context, dkey, data, len, usage, cksum);
492 	if (ret)
493 	    krb5_set_error_message(context, ret,
494 				   N_("Decrypt integrity check failed for checksum "
495 				      "type %s, key type %s", ""),
496 				   ct->name, (crypto != NULL)? crypto->et->name : "(none)");
497 	return ret;
498     }
499 
500     ret = krb5_data_alloc (&c.checksum, ct->checksumsize);
501     if (ret)
502 	return ret;
503 
504     ret = (*ct->checksum)(context, dkey, data, len, usage, &c);
505     if (ret) {
506 	krb5_data_free(&c.checksum);
507 	return ret;
508     }
509 
510     if(krb5_data_ct_cmp(&c.checksum, &cksum->checksum) != 0) {
511 	ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
512 	krb5_set_error_message(context, ret,
513 			       N_("Decrypt integrity check failed for checksum "
514 				  "type %s, key type %s", ""),
515 			       ct->name, crypto ? crypto->et->name : "(unkeyed)");
516     } else {
517 	ret = 0;
518     }
519     krb5_data_free (&c.checksum);
520     return ret;
521 }
522 
523 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
524 krb5_verify_checksum(krb5_context context,
525 		     krb5_crypto crypto,
526 		     krb5_key_usage usage,
527 		     void *data,
528 		     size_t len,
529 		     Checksum *cksum)
530 {
531     struct _krb5_checksum_type *ct;
532     unsigned keyusage;
533 
534     ct = _krb5_find_checksum(cksum->cksumtype);
535     if(ct == NULL) {
536 	krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
537 				N_("checksum type %d not supported", ""),
538 				cksum->cksumtype);
539 	return KRB5_PROG_SUMTYPE_NOSUPP;
540     }
541 
542     if (arcfour_checksum_p(ct, crypto)) {
543 	keyusage = usage;
544 	_krb5_usage2arcfour(context, &keyusage);
545     } else
546 	keyusage = CHECKSUM_USAGE(usage);
547 
548     return verify_checksum(context, crypto, keyusage,
549 			   data, len, cksum);
550 }
551 
552 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
553 krb5_crypto_get_checksum_type(krb5_context context,
554                               krb5_crypto crypto,
555 			      krb5_cksumtype *type)
556 {
557     struct _krb5_checksum_type *ct = NULL;
558 
559     if (crypto != NULL) {
560         ct = crypto->et->keyed_checksum;
561         if (ct == NULL)
562             ct = crypto->et->checksum;
563     }
564 
565     if (ct == NULL) {
566 	krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
567 				N_("checksum type not found", ""));
568         return KRB5_PROG_SUMTYPE_NOSUPP;
569     }
570 
571     *type = ct->type;
572 
573     return 0;
574 }
575 
576 
577 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
578 krb5_checksumsize(krb5_context context,
579 		  krb5_cksumtype type,
580 		  size_t *size)
581 {
582     struct _krb5_checksum_type *ct = _krb5_find_checksum(type);
583     if(ct == NULL) {
584 	krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
585 				N_("checksum type %d not supported", ""),
586 				type);
587 	return KRB5_PROG_SUMTYPE_NOSUPP;
588     }
589     *size = ct->checksumsize;
590     return 0;
591 }
592 
593 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
594 krb5_checksum_is_keyed(krb5_context context,
595 		       krb5_cksumtype type)
596 {
597     struct _krb5_checksum_type *ct = _krb5_find_checksum(type);
598     if(ct == NULL) {
599 	if (context)
600 	    krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
601 				    N_("checksum type %d not supported", ""),
602 				    type);
603 	return KRB5_PROG_SUMTYPE_NOSUPP;
604     }
605     return ct->flags & F_KEYED;
606 }
607 
608 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
609 krb5_checksum_is_collision_proof(krb5_context context,
610 				 krb5_cksumtype type)
611 {
612     struct _krb5_checksum_type *ct = _krb5_find_checksum(type);
613     if(ct == NULL) {
614 	if (context)
615 	    krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
616 				    N_("checksum type %d not supported", ""),
617 				    type);
618 	return KRB5_PROG_SUMTYPE_NOSUPP;
619     }
620     return ct->flags & F_CPROOF;
621 }
622 
623 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
624 krb5_checksum_disable(krb5_context context,
625 		      krb5_cksumtype type)
626 {
627     struct _krb5_checksum_type *ct = _krb5_find_checksum(type);
628     if(ct == NULL) {
629 	if (context)
630 	    krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
631 				    N_("checksum type %d not supported", ""),
632 				    type);
633 	return KRB5_PROG_SUMTYPE_NOSUPP;
634     }
635     ct->flags |= F_DISABLED;
636     return 0;
637 }
638 
639 /************************************************************
640  *                                                          *
641  ************************************************************/
642 
643 struct _krb5_encryption_type *
644 _krb5_find_enctype(krb5_enctype type)
645 {
646     int i;
647     for(i = 0; i < _krb5_num_etypes; i++)
648 	if(_krb5_etypes[i]->type == type)
649 	    return _krb5_etypes[i];
650     return NULL;
651 }
652 
653 
654 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
655 krb5_enctype_to_string(krb5_context context,
656 		       krb5_enctype etype,
657 		       char **string)
658 {
659     struct _krb5_encryption_type *e;
660     e = _krb5_find_enctype(etype);
661     if(e == NULL) {
662 	krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
663 				N_("encryption type %d not supported", ""),
664 				etype);
665 	*string = NULL;
666 	return KRB5_PROG_ETYPE_NOSUPP;
667     }
668     *string = strdup(e->name);
669     if(*string == NULL) {
670 	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
671 	return ENOMEM;
672     }
673     return 0;
674 }
675 
676 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
677 krb5_string_to_enctype(krb5_context context,
678 		       const char *string,
679 		       krb5_enctype *etype)
680 {
681     int i;
682     for(i = 0; i < _krb5_num_etypes; i++)
683 	if(strcasecmp(_krb5_etypes[i]->name, string) == 0){
684 	    *etype = _krb5_etypes[i]->type;
685 	    return 0;
686 	}
687     krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
688 			    N_("encryption type %s not supported", ""),
689 			    string);
690     return KRB5_PROG_ETYPE_NOSUPP;
691 }
692 
693 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
694 krb5_enctype_to_keytype(krb5_context context,
695 			krb5_enctype etype,
696 			krb5_keytype *keytype)
697 {
698     struct _krb5_encryption_type *e = _krb5_find_enctype(etype);
699     if(e == NULL) {
700         return unsupported_enctype (context, etype);
701     }
702     *keytype = e->keytype->type; /* XXX */
703     return 0;
704 }
705 
706 /**
707  * Check if a enctype is valid, return 0 if it is.
708  *
709  * @param context Kerberos context
710  * @param etype enctype to check if its valid or not
711  *
712  * @return Return an error code for an failure or 0 on success (enctype valid).
713  * @ingroup krb5_crypto
714  */
715 
716 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
717 krb5_enctype_valid(krb5_context context,
718 		   krb5_enctype etype)
719 {
720     struct _krb5_encryption_type *e = _krb5_find_enctype(etype);
721     if(e && (e->flags & F_DISABLED) == 0)
722 	return 0;
723     if (context == NULL)
724 	return KRB5_PROG_ETYPE_NOSUPP;
725     if(e == NULL) {
726         return unsupported_enctype (context, etype);
727     }
728     /* Must be (e->flags & F_DISABLED) */
729     krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
730 			    N_("encryption type %s is disabled", ""),
731 			    e->name);
732     return KRB5_PROG_ETYPE_NOSUPP;
733 }
734 
735 /**
736  * Return the coresponding encryption type for a checksum type.
737  *
738  * @param context Kerberos context
739  * @param ctype The checksum type to get the result enctype for
740  * @param etype The returned encryption, when the matching etype is
741  * not found, etype is set to ETYPE_NULL.
742  *
743  * @return Return an error code for an failure or 0 on success.
744  * @ingroup krb5_crypto
745  */
746 
747 
748 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
749 krb5_cksumtype_to_enctype(krb5_context context,
750 			  krb5_cksumtype ctype,
751 			  krb5_enctype *etype)
752 {
753     int i;
754 
755     *etype = ETYPE_NULL;
756 
757     for(i = 0; i < _krb5_num_etypes; i++) {
758 	if(_krb5_etypes[i]->keyed_checksum &&
759 	   _krb5_etypes[i]->keyed_checksum->type == ctype)
760 	    {
761 		*etype = _krb5_etypes[i]->type;
762 		return 0;
763 	    }
764     }
765 
766     krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
767 			    N_("checksum type %d not supported", ""),
768 			    (int)ctype);
769     return KRB5_PROG_SUMTYPE_NOSUPP;
770 }
771 
772 
773 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
774 krb5_cksumtype_valid(krb5_context context,
775 		     krb5_cksumtype ctype)
776 {
777     struct _krb5_checksum_type *c = _krb5_find_checksum(ctype);
778     if (c == NULL) {
779 	krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
780 				N_("checksum type %d not supported", ""),
781 				ctype);
782 	return KRB5_PROG_SUMTYPE_NOSUPP;
783     }
784     if (c->flags & F_DISABLED) {
785 	krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
786 				N_("checksum type %s is disabled", ""),
787 				c->name);
788 	return KRB5_PROG_SUMTYPE_NOSUPP;
789     }
790     return 0;
791 }
792 
793 
794 static krb5_boolean
795 derived_crypto(krb5_context context,
796 	       krb5_crypto crypto)
797 {
798     return (crypto->et->flags & F_DERIVED) != 0;
799 }
800 
801 static krb5_boolean
802 special_crypto(krb5_context context,
803 	       krb5_crypto crypto)
804 {
805     return (crypto->et->flags & F_SPECIAL) != 0;
806 }
807 
808 #define CHECKSUMSIZE(C) ((C)->checksumsize)
809 #define CHECKSUMTYPE(C) ((C)->type)
810 
811 static krb5_error_code
812 encrypt_internal_derived(krb5_context context,
813 			 krb5_crypto crypto,
814 			 unsigned usage,
815 			 const void *data,
816 			 size_t len,
817 			 krb5_data *result,
818 			 void *ivec)
819 {
820     size_t sz, block_sz, checksum_sz, total_sz;
821     Checksum cksum;
822     unsigned char *p, *q;
823     krb5_error_code ret;
824     struct _krb5_key_data *dkey;
825     const struct _krb5_encryption_type *et = crypto->et;
826 
827     checksum_sz = CHECKSUMSIZE(et->keyed_checksum);
828 
829     sz = et->confoundersize + len;
830     block_sz = (sz + et->padsize - 1) &~ (et->padsize - 1); /* pad */
831     total_sz = block_sz + checksum_sz;
832     p = calloc(1, total_sz);
833     if(p == NULL) {
834 	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
835 	return ENOMEM;
836     }
837 
838     q = p;
839     krb5_generate_random_block(q, et->confoundersize); /* XXX */
840     q += et->confoundersize;
841     memcpy(q, data, len);
842 
843     ret = create_checksum(context,
844 			  et->keyed_checksum,
845 			  crypto,
846 			  INTEGRITY_USAGE(usage),
847 			  p,
848 			  block_sz,
849 			  &cksum);
850     if(ret == 0 && cksum.checksum.length != checksum_sz) {
851 	free_Checksum (&cksum);
852 	krb5_clear_error_message (context);
853 	ret = KRB5_CRYPTO_INTERNAL;
854     }
855     if(ret)
856 	goto fail;
857     memcpy(p + block_sz, cksum.checksum.data, cksum.checksum.length);
858     free_Checksum (&cksum);
859     ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
860     if(ret)
861 	goto fail;
862     ret = _key_schedule(context, dkey);
863     if(ret)
864 	goto fail;
865     ret = (*et->encrypt)(context, dkey, p, block_sz, 1, usage, ivec);
866     if (ret)
867 	goto fail;
868     result->data = p;
869     result->length = total_sz;
870     return 0;
871  fail:
872     memset(p, 0, total_sz);
873     free(p);
874     return ret;
875 }
876 
877 
878 static krb5_error_code
879 encrypt_internal(krb5_context context,
880 		 krb5_crypto crypto,
881 		 const void *data,
882 		 size_t len,
883 		 krb5_data *result,
884 		 void *ivec)
885 {
886     size_t sz, block_sz, checksum_sz;
887     Checksum cksum;
888     unsigned char *p, *q;
889     krb5_error_code ret;
890     const struct _krb5_encryption_type *et = crypto->et;
891 
892     checksum_sz = CHECKSUMSIZE(et->checksum);
893 
894     sz = et->confoundersize + checksum_sz + len;
895     block_sz = (sz + et->padsize - 1) &~ (et->padsize - 1); /* pad */
896     p = calloc(1, block_sz);
897     if(p == NULL) {
898 	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
899 	return ENOMEM;
900     }
901 
902     q = p;
903     krb5_generate_random_block(q, et->confoundersize); /* XXX */
904     q += et->confoundersize;
905     memset(q, 0, checksum_sz);
906     q += checksum_sz;
907     memcpy(q, data, len);
908 
909     ret = create_checksum(context,
910 			  et->checksum,
911 			  crypto,
912 			  0,
913 			  p,
914 			  block_sz,
915 			  &cksum);
916     if(ret == 0 && cksum.checksum.length != checksum_sz) {
917 	krb5_clear_error_message (context);
918 	free_Checksum(&cksum);
919 	ret = KRB5_CRYPTO_INTERNAL;
920     }
921     if(ret)
922 	goto fail;
923     memcpy(p + et->confoundersize, cksum.checksum.data, cksum.checksum.length);
924     free_Checksum(&cksum);
925     ret = _key_schedule(context, &crypto->key);
926     if(ret)
927 	goto fail;
928     ret = (*et->encrypt)(context, &crypto->key, p, block_sz, 1, 0, ivec);
929     if (ret) {
930 	memset(p, 0, block_sz);
931 	free(p);
932 	return ret;
933     }
934     result->data = p;
935     result->length = block_sz;
936     return 0;
937  fail:
938     memset(p, 0, block_sz);
939     free(p);
940     return ret;
941 }
942 
943 static krb5_error_code
944 encrypt_internal_special(krb5_context context,
945 			 krb5_crypto crypto,
946 			 int usage,
947 			 const void *data,
948 			 size_t len,
949 			 krb5_data *result,
950 			 void *ivec)
951 {
952     struct _krb5_encryption_type *et = crypto->et;
953     size_t cksum_sz = CHECKSUMSIZE(et->checksum);
954     size_t sz = len + cksum_sz + et->confoundersize;
955     char *tmp, *p;
956     krb5_error_code ret;
957 
958     tmp = malloc (sz);
959     if (tmp == NULL) {
960 	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
961 	return ENOMEM;
962     }
963     p = tmp;
964     memset (p, 0, cksum_sz);
965     p += cksum_sz;
966     krb5_generate_random_block(p, et->confoundersize);
967     p += et->confoundersize;
968     memcpy (p, data, len);
969     ret = (*et->encrypt)(context, &crypto->key, tmp, sz, TRUE, usage, ivec);
970     if (ret) {
971 	memset(tmp, 0, sz);
972 	free(tmp);
973 	return ret;
974     }
975     result->data   = tmp;
976     result->length = sz;
977     return 0;
978 }
979 
980 static krb5_error_code
981 decrypt_internal_derived(krb5_context context,
982 			 krb5_crypto crypto,
983 			 unsigned usage,
984 			 void *data,
985 			 size_t len,
986 			 krb5_data *result,
987 			 void *ivec)
988 {
989     size_t checksum_sz;
990     Checksum cksum;
991     unsigned char *p;
992     krb5_error_code ret;
993     struct _krb5_key_data *dkey;
994     struct _krb5_encryption_type *et = crypto->et;
995     unsigned long l;
996 
997     checksum_sz = CHECKSUMSIZE(et->keyed_checksum);
998     if (len < checksum_sz + et->confoundersize) {
999 	krb5_set_error_message(context, KRB5_BAD_MSIZE,
1000 			       N_("Encrypted data shorter then "
1001 				  "checksum + confunder", ""));
1002 	return KRB5_BAD_MSIZE;
1003     }
1004 
1005     if (((len - checksum_sz) % et->padsize) != 0) {
1006 	krb5_clear_error_message(context);
1007 	return KRB5_BAD_MSIZE;
1008     }
1009 
1010     p = malloc(len);
1011     if(len != 0 && p == NULL) {
1012 	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1013 	return ENOMEM;
1014     }
1015     memcpy(p, data, len);
1016 
1017     len -= checksum_sz;
1018 
1019     ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
1020     if(ret) {
1021 	free(p);
1022 	return ret;
1023     }
1024     ret = _key_schedule(context, dkey);
1025     if(ret) {
1026 	free(p);
1027 	return ret;
1028     }
1029     ret = (*et->encrypt)(context, dkey, p, len, 0, usage, ivec);
1030     if (ret) {
1031 	free(p);
1032 	return ret;
1033     }
1034 
1035     cksum.checksum.data   = p + len;
1036     cksum.checksum.length = checksum_sz;
1037     cksum.cksumtype       = CHECKSUMTYPE(et->keyed_checksum);
1038 
1039     ret = verify_checksum(context,
1040 			  crypto,
1041 			  INTEGRITY_USAGE(usage),
1042 			  p,
1043 			  len,
1044 			  &cksum);
1045     if(ret) {
1046 	free(p);
1047 	return ret;
1048     }
1049     l = len - et->confoundersize;
1050     memmove(p, p + et->confoundersize, l);
1051     result->data = realloc(p, l);
1052     if(result->data == NULL && l != 0) {
1053 	free(p);
1054 	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1055 	return ENOMEM;
1056     }
1057     result->length = l;
1058     return 0;
1059 }
1060 
1061 static krb5_error_code
1062 decrypt_internal(krb5_context context,
1063 		 krb5_crypto crypto,
1064 		 void *data,
1065 		 size_t len,
1066 		 krb5_data *result,
1067 		 void *ivec)
1068 {
1069     krb5_error_code ret;
1070     unsigned char *p;
1071     Checksum cksum;
1072     size_t checksum_sz, l;
1073     struct _krb5_encryption_type *et = crypto->et;
1074 
1075     if ((len % et->padsize) != 0) {
1076 	krb5_clear_error_message(context);
1077 	return KRB5_BAD_MSIZE;
1078     }
1079     checksum_sz = CHECKSUMSIZE(et->checksum);
1080     if (len < checksum_sz + et->confoundersize) {
1081 	krb5_set_error_message(context, KRB5_BAD_MSIZE,
1082 			       N_("Encrypted data shorter then "
1083 				  "checksum + confunder", ""));
1084 	return KRB5_BAD_MSIZE;
1085     }
1086 
1087     p = malloc(len);
1088     if(len != 0 && p == NULL) {
1089 	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1090 	return ENOMEM;
1091     }
1092     memcpy(p, data, len);
1093 
1094     ret = _key_schedule(context, &crypto->key);
1095     if(ret) {
1096 	free(p);
1097 	return ret;
1098     }
1099     ret = (*et->encrypt)(context, &crypto->key, p, len, 0, 0, ivec);
1100     if (ret) {
1101 	free(p);
1102 	return ret;
1103     }
1104     ret = krb5_data_copy(&cksum.checksum, p + et->confoundersize, checksum_sz);
1105     if(ret) {
1106  	free(p);
1107  	return ret;
1108     }
1109     memset(p + et->confoundersize, 0, checksum_sz);
1110     cksum.cksumtype = CHECKSUMTYPE(et->checksum);
1111     ret = verify_checksum(context, NULL, 0, p, len, &cksum);
1112     free_Checksum(&cksum);
1113     if(ret) {
1114 	free(p);
1115 	return ret;
1116     }
1117     l = len - et->confoundersize - checksum_sz;
1118     memmove(p, p + et->confoundersize + checksum_sz, l);
1119     result->data = realloc(p, l);
1120     if(result->data == NULL && l != 0) {
1121 	free(p);
1122 	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1123 	return ENOMEM;
1124     }
1125     result->length = l;
1126     return 0;
1127 }
1128 
1129 static krb5_error_code
1130 decrypt_internal_special(krb5_context context,
1131 			 krb5_crypto crypto,
1132 			 int usage,
1133 			 void *data,
1134 			 size_t len,
1135 			 krb5_data *result,
1136 			 void *ivec)
1137 {
1138     struct _krb5_encryption_type *et = crypto->et;
1139     size_t cksum_sz = CHECKSUMSIZE(et->checksum);
1140     size_t sz = len - cksum_sz - et->confoundersize;
1141     unsigned char *p;
1142     krb5_error_code ret;
1143 
1144     if ((len % et->padsize) != 0) {
1145 	krb5_clear_error_message(context);
1146 	return KRB5_BAD_MSIZE;
1147     }
1148     if (len < cksum_sz + et->confoundersize) {
1149 	krb5_set_error_message(context, KRB5_BAD_MSIZE,
1150 			       N_("Encrypted data shorter then "
1151 				  "checksum + confunder", ""));
1152 	return KRB5_BAD_MSIZE;
1153     }
1154 
1155     p = malloc (len);
1156     if (p == NULL) {
1157 	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1158 	return ENOMEM;
1159     }
1160     memcpy(p, data, len);
1161 
1162     ret = (*et->encrypt)(context, &crypto->key, p, len, FALSE, usage, ivec);
1163     if (ret) {
1164 	free(p);
1165 	return ret;
1166     }
1167 
1168     memmove (p, p + cksum_sz + et->confoundersize, sz);
1169     result->data = realloc(p, sz);
1170     if(result->data == NULL && sz != 0) {
1171 	free(p);
1172 	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1173 	return ENOMEM;
1174     }
1175     result->length = sz;
1176     return 0;
1177 }
1178 
1179 static krb5_crypto_iov *
1180 find_iv(krb5_crypto_iov *data, size_t num_data, unsigned type)
1181 {
1182     size_t i;
1183     for (i = 0; i < num_data; i++)
1184 	if (data[i].flags == type)
1185 	    return &data[i];
1186     return NULL;
1187 }
1188 
1189 /**
1190  * Inline encrypt a kerberos message
1191  *
1192  * @param context Kerberos context
1193  * @param crypto Kerberos crypto context
1194  * @param usage Key usage for this buffer
1195  * @param data array of buffers to process
1196  * @param num_data length of array
1197  * @param ivec initial cbc/cts vector
1198  *
1199  * @return Return an error code or 0.
1200  * @ingroup krb5_crypto
1201  *
1202  * Kerberos encrypted data look like this:
1203  *
1204  * 1. KRB5_CRYPTO_TYPE_HEADER
1205  * 2. array [1,...] KRB5_CRYPTO_TYPE_DATA and array [0,...]
1206  *    KRB5_CRYPTO_TYPE_SIGN_ONLY in any order, however the receiver
1207  *    have to aware of the order. KRB5_CRYPTO_TYPE_SIGN_ONLY is
1208  *    commonly used headers and trailers.
1209  * 3. KRB5_CRYPTO_TYPE_PADDING, at least on padsize long if padsize > 1
1210  * 4. KRB5_CRYPTO_TYPE_TRAILER
1211  */
1212 
1213 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1214 krb5_encrypt_iov_ivec(krb5_context context,
1215 		      krb5_crypto crypto,
1216 		      unsigned usage,
1217 		      krb5_crypto_iov *data,
1218 		      int num_data,
1219 		      void *ivec)
1220 {
1221     size_t headersz, trailersz, len;
1222     int i;
1223     size_t sz, block_sz, pad_sz;
1224     Checksum cksum;
1225     unsigned char *p, *q;
1226     krb5_error_code ret;
1227     struct _krb5_key_data *dkey;
1228     const struct _krb5_encryption_type *et = crypto->et;
1229     krb5_crypto_iov *tiv, *piv, *hiv;
1230 
1231     if (num_data < 0) {
1232         krb5_clear_error_message(context);
1233 	return KRB5_CRYPTO_INTERNAL;
1234     }
1235 
1236     if(!derived_crypto(context, crypto)) {
1237 	krb5_clear_error_message(context);
1238 	return KRB5_CRYPTO_INTERNAL;
1239     }
1240 
1241     headersz = et->confoundersize;
1242     trailersz = CHECKSUMSIZE(et->keyed_checksum);
1243 
1244     for (len = 0, i = 0; i < num_data; i++) {
1245 	if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
1246 	    continue;
1247 	len += data[i].data.length;
1248     }
1249 
1250     sz = headersz + len;
1251     block_sz = (sz + et->padsize - 1) &~ (et->padsize - 1); /* pad */
1252 
1253     pad_sz = block_sz - sz;
1254 
1255     /* header */
1256 
1257     hiv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
1258     if (hiv == NULL || hiv->data.length != headersz)
1259 	return KRB5_BAD_MSIZE;
1260 
1261     krb5_generate_random_block(hiv->data.data, hiv->data.length);
1262 
1263     /* padding */
1264     piv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_PADDING);
1265     /* its ok to have no TYPE_PADDING if there is no padding */
1266     if (piv == NULL && pad_sz != 0)
1267 	return KRB5_BAD_MSIZE;
1268     if (piv) {
1269 	if (piv->data.length < pad_sz)
1270 	    return KRB5_BAD_MSIZE;
1271 	piv->data.length = pad_sz;
1272 	if (pad_sz)
1273 	    memset(piv->data.data, pad_sz, pad_sz);
1274 	else
1275 	    piv = NULL;
1276     }
1277 
1278     /* trailer */
1279     tiv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
1280     if (tiv == NULL || tiv->data.length != trailersz)
1281 	return KRB5_BAD_MSIZE;
1282 
1283     /*
1284      * XXX replace with EVP_Sign? at least make create_checksum an iov
1285      * function.
1286      * XXX CTS EVP is broken, can't handle multi buffers :(
1287      */
1288 
1289     len = block_sz;
1290     for (i = 0; i < num_data; i++) {
1291 	if (data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
1292 	    continue;
1293 	len += data[i].data.length;
1294     }
1295 
1296     p = q = malloc(len);
1297 
1298     memcpy(q, hiv->data.data, hiv->data.length);
1299     q += hiv->data.length;
1300     for (i = 0; i < num_data; i++) {
1301 	if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
1302 	    data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
1303 	    continue;
1304 	memcpy(q, data[i].data.data, data[i].data.length);
1305 	q += data[i].data.length;
1306     }
1307     if (piv)
1308 	memset(q, 0, piv->data.length);
1309 
1310     ret = create_checksum(context,
1311 			  et->keyed_checksum,
1312 			  crypto,
1313 			  INTEGRITY_USAGE(usage),
1314 			  p,
1315 			  len,
1316 			  &cksum);
1317     free(p);
1318     if(ret == 0 && cksum.checksum.length != trailersz) {
1319 	free_Checksum (&cksum);
1320 	krb5_clear_error_message (context);
1321 	ret = KRB5_CRYPTO_INTERNAL;
1322     }
1323     if(ret)
1324 	return ret;
1325 
1326     /* save cksum at end */
1327     memcpy(tiv->data.data, cksum.checksum.data, cksum.checksum.length);
1328     free_Checksum (&cksum);
1329 
1330     /* XXX replace with EVP_Cipher */
1331     p = q = malloc(block_sz);
1332     if(p == NULL)
1333 	return ENOMEM;
1334 
1335     memcpy(q, hiv->data.data, hiv->data.length);
1336     q += hiv->data.length;
1337 
1338     for (i = 0; i < num_data; i++) {
1339 	if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
1340 	    continue;
1341 	memcpy(q, data[i].data.data, data[i].data.length);
1342 	q += data[i].data.length;
1343     }
1344     if (piv)
1345 	memset(q, 0, piv->data.length);
1346 
1347 
1348     ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
1349     if(ret) {
1350 	free(p);
1351 	return ret;
1352     }
1353     ret = _key_schedule(context, dkey);
1354     if(ret) {
1355 	free(p);
1356 	return ret;
1357     }
1358 
1359     ret = (*et->encrypt)(context, dkey, p, block_sz, 1, usage, ivec);
1360     if (ret) {
1361 	free(p);
1362 	return ret;
1363     }
1364 
1365     /* now copy data back to buffers */
1366     q = p;
1367 
1368     memcpy(hiv->data.data, q, hiv->data.length);
1369     q += hiv->data.length;
1370 
1371     for (i = 0; i < num_data; i++) {
1372 	if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
1373 	    continue;
1374 	memcpy(data[i].data.data, q, data[i].data.length);
1375 	q += data[i].data.length;
1376     }
1377     if (piv)
1378 	memcpy(piv->data.data, q, pad_sz);
1379 
1380     free(p);
1381 
1382     return ret;
1383 }
1384 
1385 /**
1386  * Inline decrypt a Kerberos message.
1387  *
1388  * @param context Kerberos context
1389  * @param crypto Kerberos crypto context
1390  * @param usage Key usage for this buffer
1391  * @param data array of buffers to process
1392  * @param num_data length of array
1393  * @param ivec initial cbc/cts vector
1394  *
1395  * @return Return an error code or 0.
1396  * @ingroup krb5_crypto
1397  *
1398  * 1. KRB5_CRYPTO_TYPE_HEADER
1399  * 2. one KRB5_CRYPTO_TYPE_DATA and array [0,...] of KRB5_CRYPTO_TYPE_SIGN_ONLY in
1400  *  any order, however the receiver have to aware of the
1401  *  order. KRB5_CRYPTO_TYPE_SIGN_ONLY is commonly used unencrypoted
1402  *  protocol headers and trailers. The output data will be of same
1403  *  size as the input data or shorter.
1404  */
1405 
1406 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1407 krb5_decrypt_iov_ivec(krb5_context context,
1408 		      krb5_crypto crypto,
1409 		      unsigned usage,
1410 		      krb5_crypto_iov *data,
1411 		      unsigned int num_data,
1412 		      void *ivec)
1413 {
1414     unsigned int i;
1415     size_t headersz, trailersz, len;
1416     Checksum cksum;
1417     unsigned char *p, *q;
1418     krb5_error_code ret;
1419     struct _krb5_key_data *dkey;
1420     struct _krb5_encryption_type *et = crypto->et;
1421     krb5_crypto_iov *tiv, *hiv;
1422 
1423     if(!derived_crypto(context, crypto)) {
1424 	krb5_clear_error_message(context);
1425 	return KRB5_CRYPTO_INTERNAL;
1426     }
1427 
1428     headersz = et->confoundersize;
1429 
1430     hiv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
1431     if (hiv == NULL || hiv->data.length != headersz)
1432 	return KRB5_BAD_MSIZE;
1433 
1434     /* trailer */
1435     trailersz = CHECKSUMSIZE(et->keyed_checksum);
1436 
1437     tiv = find_iv(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
1438     if (tiv->data.length != trailersz)
1439 	return KRB5_BAD_MSIZE;
1440 
1441     /* Find length of data we will decrypt */
1442 
1443     len = headersz;
1444     for (i = 0; i < num_data; i++) {
1445 	if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
1446 	    continue;
1447 	len += data[i].data.length;
1448     }
1449 
1450     if ((len % et->padsize) != 0) {
1451 	krb5_clear_error_message(context);
1452 	return KRB5_BAD_MSIZE;
1453     }
1454 
1455     /* XXX replace with EVP_Cipher */
1456 
1457     p = q = malloc(len);
1458     if (p == NULL)
1459 	return ENOMEM;
1460 
1461     memcpy(q, hiv->data.data, hiv->data.length);
1462     q += hiv->data.length;
1463 
1464     for (i = 0; i < num_data; i++) {
1465 	if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
1466 	    continue;
1467 	memcpy(q, data[i].data.data, data[i].data.length);
1468 	q += data[i].data.length;
1469     }
1470 
1471     ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
1472     if(ret) {
1473 	free(p);
1474 	return ret;
1475     }
1476     ret = _key_schedule(context, dkey);
1477     if(ret) {
1478 	free(p);
1479 	return ret;
1480     }
1481 
1482     ret = (*et->encrypt)(context, dkey, p, len, 0, usage, ivec);
1483     if (ret) {
1484 	free(p);
1485 	return ret;
1486     }
1487 
1488     /* copy data back to buffers */
1489     memcpy(hiv->data.data, p, hiv->data.length);
1490     q = p + hiv->data.length;
1491     for (i = 0; i < num_data; i++) {
1492 	if (data[i].flags != KRB5_CRYPTO_TYPE_DATA)
1493 	    continue;
1494 	memcpy(data[i].data.data, q, data[i].data.length);
1495 	q += data[i].data.length;
1496     }
1497 
1498     free(p);
1499 
1500     /* check signature */
1501     for (i = 0; i < num_data; i++) {
1502 	if (data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
1503 	    continue;
1504 	len += data[i].data.length;
1505     }
1506 
1507     p = q = malloc(len);
1508     if (p == NULL)
1509 	return ENOMEM;
1510 
1511     memcpy(q, hiv->data.data, hiv->data.length);
1512     q += hiv->data.length;
1513     for (i = 0; i < num_data; i++) {
1514 	if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
1515 	    data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
1516 	    continue;
1517 	memcpy(q, data[i].data.data, data[i].data.length);
1518 	q += data[i].data.length;
1519     }
1520 
1521     cksum.checksum.data   = tiv->data.data;
1522     cksum.checksum.length = tiv->data.length;
1523     cksum.cksumtype       = CHECKSUMTYPE(et->keyed_checksum);
1524 
1525     ret = verify_checksum(context,
1526 			  crypto,
1527 			  INTEGRITY_USAGE(usage),
1528 			  p,
1529 			  len,
1530 			  &cksum);
1531     free(p);
1532     return ret;
1533 }
1534 
1535 /**
1536  * Create a Kerberos message checksum.
1537  *
1538  * @param context Kerberos context
1539  * @param crypto Kerberos crypto context
1540  * @param usage Key usage for this buffer
1541  * @param data array of buffers to process
1542  * @param num_data length of array
1543  * @param type output data
1544  *
1545  * @return Return an error code or 0.
1546  * @ingroup krb5_crypto
1547  */
1548 
1549 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1550 krb5_create_checksum_iov(krb5_context context,
1551 			 krb5_crypto crypto,
1552 			 unsigned usage,
1553 			 krb5_crypto_iov *data,
1554 			 unsigned int num_data,
1555 			 krb5_cksumtype *type)
1556 {
1557     Checksum cksum;
1558     krb5_crypto_iov *civ;
1559     krb5_error_code ret;
1560     size_t i;
1561     size_t len;
1562     char *p, *q;
1563 
1564     if(!derived_crypto(context, crypto)) {
1565 	krb5_clear_error_message(context);
1566 	return KRB5_CRYPTO_INTERNAL;
1567     }
1568 
1569     civ = find_iv(data, num_data, KRB5_CRYPTO_TYPE_CHECKSUM);
1570     if (civ == NULL)
1571 	return KRB5_BAD_MSIZE;
1572 
1573     len = 0;
1574     for (i = 0; i < num_data; i++) {
1575 	if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
1576 	    data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
1577 	    continue;
1578 	len += data[i].data.length;
1579     }
1580 
1581     p = q = malloc(len);
1582 
1583     for (i = 0; i < num_data; i++) {
1584 	if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
1585 	    data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
1586 	    continue;
1587 	memcpy(q, data[i].data.data, data[i].data.length);
1588 	q += data[i].data.length;
1589     }
1590 
1591     ret = krb5_create_checksum(context, crypto, usage, 0, p, len, &cksum);
1592     free(p);
1593     if (ret)
1594 	return ret;
1595 
1596     if (type)
1597 	*type = cksum.cksumtype;
1598 
1599     if (cksum.checksum.length > civ->data.length) {
1600 	krb5_set_error_message(context, KRB5_BAD_MSIZE,
1601 			       N_("Checksum larger then input buffer", ""));
1602 	free_Checksum(&cksum);
1603 	return KRB5_BAD_MSIZE;
1604     }
1605 
1606     civ->data.length = cksum.checksum.length;
1607     memcpy(civ->data.data, cksum.checksum.data, civ->data.length);
1608     free_Checksum(&cksum);
1609 
1610     return 0;
1611 }
1612 
1613 /**
1614  * Verify a Kerberos message checksum.
1615  *
1616  * @param context Kerberos context
1617  * @param crypto Kerberos crypto context
1618  * @param usage Key usage for this buffer
1619  * @param data array of buffers to process
1620  * @param num_data length of array
1621  * @param type return checksum type if not NULL
1622  *
1623  * @return Return an error code or 0.
1624  * @ingroup krb5_crypto
1625  */
1626 
1627 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1628 krb5_verify_checksum_iov(krb5_context context,
1629 			 krb5_crypto crypto,
1630 			 unsigned usage,
1631 			 krb5_crypto_iov *data,
1632 			 unsigned int num_data,
1633 			 krb5_cksumtype *type)
1634 {
1635     struct _krb5_encryption_type *et = crypto->et;
1636     Checksum cksum;
1637     krb5_crypto_iov *civ;
1638     krb5_error_code ret;
1639     size_t i;
1640     size_t len;
1641     char *p, *q;
1642 
1643     if(!derived_crypto(context, crypto)) {
1644 	krb5_clear_error_message(context);
1645 	return KRB5_CRYPTO_INTERNAL;
1646     }
1647 
1648     civ = find_iv(data, num_data, KRB5_CRYPTO_TYPE_CHECKSUM);
1649     if (civ == NULL)
1650 	return KRB5_BAD_MSIZE;
1651 
1652     len = 0;
1653     for (i = 0; i < num_data; i++) {
1654 	if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
1655 	    data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
1656 	    continue;
1657 	len += data[i].data.length;
1658     }
1659 
1660     p = q = malloc(len);
1661 
1662     for (i = 0; i < num_data; i++) {
1663 	if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
1664 	    data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
1665 	    continue;
1666 	memcpy(q, data[i].data.data, data[i].data.length);
1667 	q += data[i].data.length;
1668     }
1669 
1670     cksum.cksumtype = CHECKSUMTYPE(et->keyed_checksum);
1671     cksum.checksum.length = civ->data.length;
1672     cksum.checksum.data = civ->data.data;
1673 
1674     ret = krb5_verify_checksum(context, crypto, usage, p, len, &cksum);
1675     free(p);
1676 
1677     if (ret == 0 && type)
1678 	*type = cksum.cksumtype;
1679 
1680     return ret;
1681 }
1682 
1683 
1684 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1685 krb5_crypto_length(krb5_context context,
1686 		   krb5_crypto crypto,
1687 		   int type,
1688 		   size_t *len)
1689 {
1690     if (!derived_crypto(context, crypto)) {
1691 	krb5_set_error_message(context, EINVAL, "not a derived crypto");
1692 	return EINVAL;
1693     }
1694 
1695     switch(type) {
1696     case KRB5_CRYPTO_TYPE_EMPTY:
1697 	*len = 0;
1698 	return 0;
1699     case KRB5_CRYPTO_TYPE_HEADER:
1700 	*len = crypto->et->blocksize;
1701 	return 0;
1702     case KRB5_CRYPTO_TYPE_DATA:
1703     case KRB5_CRYPTO_TYPE_SIGN_ONLY:
1704 	/* len must already been filled in */
1705 	return 0;
1706     case KRB5_CRYPTO_TYPE_PADDING:
1707 	if (crypto->et->padsize > 1)
1708 	    *len = crypto->et->padsize;
1709 	else
1710 	    *len = 0;
1711 	return 0;
1712     case KRB5_CRYPTO_TYPE_TRAILER:
1713 	*len = CHECKSUMSIZE(crypto->et->keyed_checksum);
1714 	return 0;
1715     case KRB5_CRYPTO_TYPE_CHECKSUM:
1716 	if (crypto->et->keyed_checksum)
1717 	    *len = CHECKSUMSIZE(crypto->et->keyed_checksum);
1718 	else
1719 	    *len = CHECKSUMSIZE(crypto->et->checksum);
1720 	return 0;
1721     }
1722     krb5_set_error_message(context, EINVAL,
1723 			   "%d not a supported type", type);
1724     return EINVAL;
1725 }
1726 
1727 
1728 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1729 krb5_crypto_length_iov(krb5_context context,
1730 		       krb5_crypto crypto,
1731 		       krb5_crypto_iov *data,
1732 		       unsigned int num_data)
1733 {
1734     krb5_error_code ret;
1735     size_t i;
1736 
1737     for (i = 0; i < num_data; i++) {
1738 	ret = krb5_crypto_length(context, crypto,
1739 				 data[i].flags,
1740 				 &data[i].data.length);
1741 	if (ret)
1742 	    return ret;
1743     }
1744     return 0;
1745 }
1746 
1747 
1748 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1749 krb5_encrypt_ivec(krb5_context context,
1750 		  krb5_crypto crypto,
1751 		  unsigned usage,
1752 		  const void *data,
1753 		  size_t len,
1754 		  krb5_data *result,
1755 		  void *ivec)
1756 {
1757     if(derived_crypto(context, crypto))
1758 	return encrypt_internal_derived(context, crypto, usage,
1759 					data, len, result, ivec);
1760     else if (special_crypto(context, crypto))
1761 	return encrypt_internal_special (context, crypto, usage,
1762 					 data, len, result, ivec);
1763     else
1764 	return encrypt_internal(context, crypto, data, len, result, ivec);
1765 }
1766 
1767 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1768 krb5_encrypt(krb5_context context,
1769 	     krb5_crypto crypto,
1770 	     unsigned usage,
1771 	     const void *data,
1772 	     size_t len,
1773 	     krb5_data *result)
1774 {
1775     return krb5_encrypt_ivec(context, crypto, usage, data, len, result, NULL);
1776 }
1777 
1778 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1779 krb5_encrypt_EncryptedData(krb5_context context,
1780 			   krb5_crypto crypto,
1781 			   unsigned usage,
1782 			   void *data,
1783 			   size_t len,
1784 			   int kvno,
1785 			   EncryptedData *result)
1786 {
1787     result->etype = CRYPTO_ETYPE(crypto);
1788     if(kvno){
1789 	ALLOC(result->kvno, 1);
1790 	*result->kvno = kvno;
1791     }else
1792 	result->kvno = NULL;
1793     return krb5_encrypt(context, crypto, usage, data, len, &result->cipher);
1794 }
1795 
1796 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1797 krb5_decrypt_ivec(krb5_context context,
1798 		  krb5_crypto crypto,
1799 		  unsigned usage,
1800 		  void *data,
1801 		  size_t len,
1802 		  krb5_data *result,
1803 		  void *ivec)
1804 {
1805     if(derived_crypto(context, crypto))
1806 	return decrypt_internal_derived(context, crypto, usage,
1807 					data, len, result, ivec);
1808     else if (special_crypto (context, crypto))
1809 	return decrypt_internal_special(context, crypto, usage,
1810 					data, len, result, ivec);
1811     else
1812 	return decrypt_internal(context, crypto, data, len, result, ivec);
1813 }
1814 
1815 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1816 krb5_decrypt(krb5_context context,
1817 	     krb5_crypto crypto,
1818 	     unsigned usage,
1819 	     void *data,
1820 	     size_t len,
1821 	     krb5_data *result)
1822 {
1823     return krb5_decrypt_ivec (context, crypto, usage, data, len, result,
1824 			      NULL);
1825 }
1826 
1827 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1828 krb5_decrypt_EncryptedData(krb5_context context,
1829 			   krb5_crypto crypto,
1830 			   unsigned usage,
1831 			   const EncryptedData *e,
1832 			   krb5_data *result)
1833 {
1834     return krb5_decrypt(context, crypto, usage,
1835 			e->cipher.data, e->cipher.length, result);
1836 }
1837 
1838 /************************************************************
1839  *                                                          *
1840  ************************************************************/
1841 
1842 krb5_error_code
1843 _krb5_derive_key(krb5_context context,
1844 		 struct _krb5_encryption_type *et,
1845 		 struct _krb5_key_data *key,
1846 		 const void *constant,
1847 		 size_t len)
1848 {
1849     unsigned char *k = NULL;
1850     unsigned int nblocks = 0, i;
1851     krb5_error_code ret = 0;
1852     struct _krb5_key_type *kt = et->keytype;
1853 
1854     ret = _key_schedule(context, key);
1855     if(ret)
1856 	return ret;
1857     if(et->blocksize * 8 < kt->bits || len != et->blocksize) {
1858 	nblocks = (kt->bits + et->blocksize * 8 - 1) / (et->blocksize * 8);
1859 	k = malloc(nblocks * et->blocksize);
1860 	if(k == NULL) {
1861 	    ret = ENOMEM;
1862 	    krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1863 	    goto out;
1864 	}
1865 	ret = _krb5_n_fold(constant, len, k, et->blocksize);
1866 	if (ret) {
1867 	    krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1868 	    goto out;
1869 	}
1870 
1871 	for(i = 0; i < nblocks; i++) {
1872 	    if(i > 0)
1873 		memcpy(k + i * et->blocksize,
1874 		       k + (i - 1) * et->blocksize,
1875 		       et->blocksize);
1876 	    (*et->encrypt)(context, key, k + i * et->blocksize, et->blocksize,
1877 			   1, 0, NULL);
1878 	}
1879     } else {
1880 	/* this case is probably broken, but won't be run anyway */
1881 	void *c = malloc(len);
1882 	size_t res_len = (kt->bits + 7) / 8;
1883 
1884 	if(len != 0 && c == NULL) {
1885 	    ret = ENOMEM;
1886 	    krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1887 	    goto out;
1888 	}
1889 	memcpy(c, constant, len);
1890 	(*et->encrypt)(context, key, c, len, 1, 0, NULL);
1891 	k = malloc(res_len);
1892 	if(res_len != 0 && k == NULL) {
1893 	    free(c);
1894 	    ret = ENOMEM;
1895 	    krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1896 	    goto out;
1897 	}
1898 	ret = _krb5_n_fold(c, len, k, res_len);
1899 	free(c);
1900 	if (ret) {
1901 	    krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1902 	    goto out;
1903 	}
1904     }
1905 
1906     /* XXX keytype dependent post-processing */
1907     switch(kt->type) {
1908     case ETYPE_OLD_DES3_CBC_SHA1:
1909 	_krb5_DES3_random_to_key(context, key->key, k, nblocks * et->blocksize);
1910 	break;
1911     case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
1912     case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
1913 	memcpy(key->key->keyvalue.data, k, key->key->keyvalue.length);
1914 	break;
1915     default:
1916 	ret = KRB5_CRYPTO_INTERNAL;
1917 	krb5_set_error_message(context, ret,
1918 			       N_("derive_key() called with unknown keytype (%u)", ""),
1919 			       kt->type);
1920 	break;
1921     }
1922  out:
1923     if (key->schedule) {
1924 	free_key_schedule(context, key, et);
1925 	key->schedule = NULL;
1926     }
1927     if (k) {
1928 	memset(k, 0, nblocks * et->blocksize);
1929 	free(k);
1930     }
1931     return ret;
1932 }
1933 
1934 static struct _krb5_key_data *
1935 _new_derived_key(krb5_crypto crypto, unsigned usage)
1936 {
1937     struct _krb5_key_usage *d = crypto->key_usage;
1938     d = realloc(d, (crypto->num_key_usage + 1) * sizeof(*d));
1939     if(d == NULL)
1940 	return NULL;
1941     crypto->key_usage = d;
1942     d += crypto->num_key_usage++;
1943     memset(d, 0, sizeof(*d));
1944     d->usage = usage;
1945     return &d->key;
1946 }
1947 
1948 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1949 krb5_derive_key(krb5_context context,
1950 		const krb5_keyblock *key,
1951 		krb5_enctype etype,
1952 		const void *constant,
1953 		size_t constant_len,
1954 		krb5_keyblock **derived_key)
1955 {
1956     krb5_error_code ret;
1957     struct _krb5_encryption_type *et;
1958     struct _krb5_key_data d;
1959 
1960     *derived_key = NULL;
1961 
1962     et = _krb5_find_enctype (etype);
1963     if (et == NULL) {
1964         return unsupported_enctype (context, etype);
1965     }
1966 
1967     ret = krb5_copy_keyblock(context, key, &d.key);
1968     if (ret)
1969 	return ret;
1970 
1971     d.schedule = NULL;
1972     ret = _krb5_derive_key(context, et, &d, constant, constant_len);
1973     if (ret == 0)
1974 	ret = krb5_copy_keyblock(context, d.key, derived_key);
1975     _krb5_free_key_data(context, &d, et);
1976     return ret;
1977 }
1978 
1979 static krb5_error_code
1980 _get_derived_key(krb5_context context,
1981 		 krb5_crypto crypto,
1982 		 unsigned usage,
1983 		 struct _krb5_key_data **key)
1984 {
1985     int i;
1986     struct _krb5_key_data *d;
1987     unsigned char constant[5];
1988 
1989     for(i = 0; i < crypto->num_key_usage; i++)
1990 	if(crypto->key_usage[i].usage == usage) {
1991 	    *key = &crypto->key_usage[i].key;
1992 	    return 0;
1993 	}
1994     d = _new_derived_key(crypto, usage);
1995     if(d == NULL) {
1996 	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1997 	return ENOMEM;
1998     }
1999     krb5_copy_keyblock(context, crypto->key.key, &d->key);
2000     _krb5_put_int(constant, usage, 5);
2001     _krb5_derive_key(context, crypto->et, d, constant, sizeof(constant));
2002     *key = d;
2003     return 0;
2004 }
2005 
2006 /**
2007  * Create a crypto context used for all encryption and signature
2008  * operation. The encryption type to use is taken from the key, but
2009  * can be overridden with the enctype parameter.  This can be useful
2010  * for encryptions types which is compatiable (DES for example).
2011  *
2012  * To free the crypto context, use krb5_crypto_destroy().
2013  *
2014  * @param context Kerberos context
2015  * @param key the key block information with all key data
2016  * @param etype the encryption type
2017  * @param crypto the resulting crypto context
2018  *
2019  * @return Return an error code or 0.
2020  *
2021  * @ingroup krb5_crypto
2022  */
2023 
2024 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2025 krb5_crypto_init(krb5_context context,
2026 		 const krb5_keyblock *key,
2027 		 krb5_enctype etype,
2028 		 krb5_crypto *crypto)
2029 {
2030     krb5_error_code ret;
2031     ALLOC(*crypto, 1);
2032     if(*crypto == NULL) {
2033 	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
2034 	return ENOMEM;
2035     }
2036     if(etype == ETYPE_NULL)
2037 	etype = key->keytype;
2038     (*crypto)->et = _krb5_find_enctype(etype);
2039     if((*crypto)->et == NULL || ((*crypto)->et->flags & F_DISABLED)) {
2040 	free(*crypto);
2041 	*crypto = NULL;
2042 	return unsupported_enctype(context, etype);
2043     }
2044     if((*crypto)->et->keytype->size != key->keyvalue.length) {
2045 	free(*crypto);
2046 	*crypto = NULL;
2047 	krb5_set_error_message (context, KRB5_BAD_KEYSIZE,
2048 				"encryption key has bad length");
2049 	return KRB5_BAD_KEYSIZE;
2050     }
2051     ret = krb5_copy_keyblock(context, key, &(*crypto)->key.key);
2052     if(ret) {
2053 	free(*crypto);
2054 	*crypto = NULL;
2055 	return ret;
2056     }
2057     ret = fbsd_ossl_provider_load();
2058     if (ret)
2059 	return ret;
2060     (*crypto)->key.schedule = NULL;
2061     (*crypto)->num_key_usage = 0;
2062     (*crypto)->key_usage = NULL;
2063     return 0;
2064 }
2065 
2066 static void
2067 free_key_schedule(krb5_context context,
2068 		  struct _krb5_key_data *key,
2069 		  struct _krb5_encryption_type *et)
2070 {
2071     if (et->keytype->cleanup)
2072 	(*et->keytype->cleanup)(context, key);
2073     memset(key->schedule->data, 0, key->schedule->length);
2074     krb5_free_data(context, key->schedule);
2075 }
2076 
2077 void
2078 _krb5_free_key_data(krb5_context context, struct _krb5_key_data *key,
2079 	      struct _krb5_encryption_type *et)
2080 {
2081     krb5_free_keyblock(context, key->key);
2082     if(key->schedule) {
2083 	free_key_schedule(context, key, et);
2084 	key->schedule = NULL;
2085     }
2086 }
2087 
2088 static void
2089 free_key_usage(krb5_context context, struct _krb5_key_usage *ku,
2090 	       struct _krb5_encryption_type *et)
2091 {
2092     _krb5_free_key_data(context, &ku->key, et);
2093 }
2094 
2095 /**
2096  * Free a crypto context created by krb5_crypto_init().
2097  *
2098  * @param context Kerberos context
2099  * @param crypto crypto context to free
2100  *
2101  * @return Return an error code or 0.
2102  *
2103  * @ingroup krb5_crypto
2104  */
2105 
2106 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2107 krb5_crypto_destroy(krb5_context context,
2108 		    krb5_crypto crypto)
2109 {
2110     int i;
2111 
2112     for(i = 0; i < crypto->num_key_usage; i++)
2113 	free_key_usage(context, &crypto->key_usage[i], crypto->et);
2114     free(crypto->key_usage);
2115     _krb5_free_key_data(context, &crypto->key, crypto->et);
2116     free (crypto);
2117     return 0;
2118 }
2119 
2120 /**
2121  * Return the blocksize used algorithm referenced by the crypto context
2122  *
2123  * @param context Kerberos context
2124  * @param crypto crypto context to query
2125  * @param blocksize the resulting blocksize
2126  *
2127  * @return Return an error code or 0.
2128  *
2129  * @ingroup krb5_crypto
2130  */
2131 
2132 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2133 krb5_crypto_getblocksize(krb5_context context,
2134 			 krb5_crypto crypto,
2135 			 size_t *blocksize)
2136 {
2137     *blocksize = crypto->et->blocksize;
2138     return 0;
2139 }
2140 
2141 /**
2142  * Return the encryption type used by the crypto context
2143  *
2144  * @param context Kerberos context
2145  * @param crypto crypto context to query
2146  * @param enctype the resulting encryption type
2147  *
2148  * @return Return an error code or 0.
2149  *
2150  * @ingroup krb5_crypto
2151  */
2152 
2153 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2154 krb5_crypto_getenctype(krb5_context context,
2155 		       krb5_crypto crypto,
2156 		       krb5_enctype *enctype)
2157 {
2158     *enctype = crypto->et->type;
2159     return 0;
2160 }
2161 
2162 /**
2163  * Return the padding size used by the crypto context
2164  *
2165  * @param context Kerberos context
2166  * @param crypto crypto context to query
2167  * @param padsize the return padding size
2168  *
2169  * @return Return an error code or 0.
2170  *
2171  * @ingroup krb5_crypto
2172  */
2173 
2174 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2175 krb5_crypto_getpadsize(krb5_context context,
2176                        krb5_crypto crypto,
2177                        size_t *padsize)
2178 {
2179     *padsize = crypto->et->padsize;
2180     return 0;
2181 }
2182 
2183 /**
2184  * Return the confounder size used by the crypto context
2185  *
2186  * @param context Kerberos context
2187  * @param crypto crypto context to query
2188  * @param confoundersize the returned confounder size
2189  *
2190  * @return Return an error code or 0.
2191  *
2192  * @ingroup krb5_crypto
2193  */
2194 
2195 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2196 krb5_crypto_getconfoundersize(krb5_context context,
2197                               krb5_crypto crypto,
2198                               size_t *confoundersize)
2199 {
2200     *confoundersize = crypto->et->confoundersize;
2201     return 0;
2202 }
2203 
2204 
2205 /**
2206  * Disable encryption type
2207  *
2208  * @param context Kerberos 5 context
2209  * @param enctype encryption type to disable
2210  *
2211  * @return Return an error code or 0.
2212  *
2213  * @ingroup krb5_crypto
2214  */
2215 
2216 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2217 krb5_enctype_disable(krb5_context context,
2218 		     krb5_enctype enctype)
2219 {
2220     struct _krb5_encryption_type *et = _krb5_find_enctype(enctype);
2221     if(et == NULL) {
2222 	if (context)
2223 	    krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
2224 				    N_("encryption type %d not supported", ""),
2225 				    enctype);
2226 	return KRB5_PROG_ETYPE_NOSUPP;
2227     }
2228     et->flags |= F_DISABLED;
2229     return 0;
2230 }
2231 
2232 /**
2233  * Enable encryption type
2234  *
2235  * @param context Kerberos 5 context
2236  * @param enctype encryption type to enable
2237  *
2238  * @return Return an error code or 0.
2239  *
2240  * @ingroup krb5_crypto
2241  */
2242 
2243 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2244 krb5_enctype_enable(krb5_context context,
2245 		    krb5_enctype enctype)
2246 {
2247     struct _krb5_encryption_type *et = _krb5_find_enctype(enctype);
2248     if(et == NULL) {
2249 	if (context)
2250 	    krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
2251 				    N_("encryption type %d not supported", ""),
2252 				    enctype);
2253 	return KRB5_PROG_ETYPE_NOSUPP;
2254     }
2255     et->flags &= ~F_DISABLED;
2256     return 0;
2257 }
2258 
2259 /**
2260  * Enable or disable all weak encryption types
2261  *
2262  * @param context Kerberos 5 context
2263  * @param enable true to enable, false to disable
2264  *
2265  * @return Return an error code or 0.
2266  *
2267  * @ingroup krb5_crypto
2268  */
2269 
2270 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2271 krb5_allow_weak_crypto(krb5_context context,
2272 		       krb5_boolean enable)
2273 {
2274     int i;
2275 
2276     for(i = 0; i < _krb5_num_etypes; i++)
2277 	if(_krb5_etypes[i]->flags & F_WEAK) {
2278 	    if(enable)
2279 		_krb5_etypes[i]->flags &= ~F_DISABLED;
2280 	    else
2281 		_krb5_etypes[i]->flags |= F_DISABLED;
2282 	}
2283     return 0;
2284 }
2285 
2286 static size_t
2287 wrapped_length (krb5_context context,
2288 		krb5_crypto  crypto,
2289 		size_t       data_len)
2290 {
2291     struct _krb5_encryption_type *et = crypto->et;
2292     size_t padsize = et->padsize;
2293     size_t checksumsize = CHECKSUMSIZE(et->checksum);
2294     size_t res;
2295 
2296     res =  et->confoundersize + checksumsize + data_len;
2297     res =  (res + padsize - 1) / padsize * padsize;
2298     return res;
2299 }
2300 
2301 static size_t
2302 wrapped_length_dervied (krb5_context context,
2303 			krb5_crypto  crypto,
2304 			size_t       data_len)
2305 {
2306     struct _krb5_encryption_type *et = crypto->et;
2307     size_t padsize = et->padsize;
2308     size_t res;
2309 
2310     res =  et->confoundersize + data_len;
2311     res =  (res + padsize - 1) / padsize * padsize;
2312     if (et->keyed_checksum)
2313 	res += et->keyed_checksum->checksumsize;
2314     else
2315 	res += et->checksum->checksumsize;
2316     return res;
2317 }
2318 
2319 /*
2320  * Return the size of an encrypted packet of length `data_len'
2321  */
2322 
2323 KRB5_LIB_FUNCTION size_t KRB5_LIB_CALL
2324 krb5_get_wrapped_length (krb5_context context,
2325 			 krb5_crypto  crypto,
2326 			 size_t       data_len)
2327 {
2328     if (derived_crypto (context, crypto))
2329 	return wrapped_length_dervied (context, crypto, data_len);
2330     else
2331 	return wrapped_length (context, crypto, data_len);
2332 }
2333 
2334 /*
2335  * Return the size of an encrypted packet of length `data_len'
2336  */
2337 
2338 static size_t
2339 crypto_overhead (krb5_context context,
2340 		 krb5_crypto  crypto)
2341 {
2342     struct _krb5_encryption_type *et = crypto->et;
2343     size_t res;
2344 
2345     res = CHECKSUMSIZE(et->checksum);
2346     res += et->confoundersize;
2347     if (et->padsize > 1)
2348 	res += et->padsize;
2349     return res;
2350 }
2351 
2352 static size_t
2353 crypto_overhead_dervied (krb5_context context,
2354 			 krb5_crypto  crypto)
2355 {
2356     struct _krb5_encryption_type *et = crypto->et;
2357     size_t res;
2358 
2359     if (et->keyed_checksum)
2360 	res = CHECKSUMSIZE(et->keyed_checksum);
2361     else
2362 	res = CHECKSUMSIZE(et->checksum);
2363     res += et->confoundersize;
2364     if (et->padsize > 1)
2365 	res += et->padsize;
2366     return res;
2367 }
2368 
2369 KRB5_LIB_FUNCTION size_t KRB5_LIB_CALL
2370 krb5_crypto_overhead (krb5_context context, krb5_crypto crypto)
2371 {
2372     if (derived_crypto (context, crypto))
2373 	return crypto_overhead_dervied (context, crypto);
2374     else
2375 	return crypto_overhead (context, crypto);
2376 }
2377 
2378 /**
2379  * Converts the random bytestring to a protocol key according to
2380  * Kerberos crypto frame work. It may be assumed that all the bits of
2381  * the input string are equally random, even though the entropy
2382  * present in the random source may be limited.
2383  *
2384  * @param context Kerberos 5 context
2385  * @param type the enctype resulting key will be of
2386  * @param data input random data to convert to a key
2387  * @param size size of input random data, at least krb5_enctype_keysize() long
2388  * @param key key, output key, free with krb5_free_keyblock_contents()
2389  *
2390  * @return Return an error code or 0.
2391  *
2392  * @ingroup krb5_crypto
2393  */
2394 
2395 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2396 krb5_random_to_key(krb5_context context,
2397 		   krb5_enctype type,
2398 		   const void *data,
2399 		   size_t size,
2400 		   krb5_keyblock *key)
2401 {
2402     krb5_error_code ret;
2403     struct _krb5_encryption_type *et = _krb5_find_enctype(type);
2404     if(et == NULL) {
2405 	krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
2406 			       N_("encryption type %d not supported", ""),
2407 			       type);
2408 	return KRB5_PROG_ETYPE_NOSUPP;
2409     }
2410     if ((et->keytype->bits + 7) / 8 > size) {
2411 	krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
2412 			       N_("encryption key %s needs %d bytes "
2413 				  "of random to make an encryption key "
2414 				  "out of it", ""),
2415 			       et->name, (int)et->keytype->size);
2416 	return KRB5_PROG_ETYPE_NOSUPP;
2417     }
2418     ret = krb5_data_alloc(&key->keyvalue, et->keytype->size);
2419     if(ret)
2420 	return ret;
2421     key->keytype = type;
2422     if (et->keytype->random_to_key)
2423  	(*et->keytype->random_to_key)(context, key, data, size);
2424     else
2425 	memcpy(key->keyvalue.data, data, et->keytype->size);
2426 
2427     return 0;
2428 }
2429 
2430 
2431 
2432 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2433 krb5_crypto_prf_length(krb5_context context,
2434 		       krb5_enctype type,
2435 		       size_t *length)
2436 {
2437     struct _krb5_encryption_type *et = _krb5_find_enctype(type);
2438 
2439     if(et == NULL || et->prf_length == 0) {
2440 	krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
2441 			       N_("encryption type %d not supported", ""),
2442 			       type);
2443 	return KRB5_PROG_ETYPE_NOSUPP;
2444     }
2445 
2446     *length = et->prf_length;
2447     return 0;
2448 }
2449 
2450 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2451 krb5_crypto_prf(krb5_context context,
2452 		const krb5_crypto crypto,
2453 		const krb5_data *input,
2454 		krb5_data *output)
2455 {
2456     struct _krb5_encryption_type *et = crypto->et;
2457 
2458     krb5_data_zero(output);
2459 
2460     if(et->prf == NULL) {
2461 	krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
2462 			       "kerberos prf for %s not supported",
2463 			       et->name);
2464 	return KRB5_PROG_ETYPE_NOSUPP;
2465     }
2466 
2467     return (*et->prf)(context, crypto, input, output);
2468 }
2469 
2470 static krb5_error_code
2471 krb5_crypto_prfplus(krb5_context context,
2472 		    const krb5_crypto crypto,
2473 		    const krb5_data *input,
2474 		    size_t length,
2475 		    krb5_data *output)
2476 {
2477     krb5_error_code ret;
2478     krb5_data input2;
2479     unsigned char i = 1;
2480     unsigned char *p;
2481 
2482     krb5_data_zero(&input2);
2483     krb5_data_zero(output);
2484 
2485     krb5_clear_error_message(context);
2486 
2487     ret = krb5_data_alloc(output, length);
2488     if (ret) goto out;
2489     ret = krb5_data_alloc(&input2, input->length + 1);
2490     if (ret) goto out;
2491 
2492     krb5_clear_error_message(context);
2493 
2494     memcpy(((unsigned char *)input2.data) + 1, input->data, input->length);
2495 
2496     p = output->data;
2497 
2498     while (length) {
2499 	krb5_data block;
2500 
2501 	((unsigned char *)input2.data)[0] = i++;
2502 
2503 	ret = krb5_crypto_prf(context, crypto, &input2, &block);
2504 	if (ret)
2505 	    goto out;
2506 
2507 	if (block.length < length) {
2508 	    memcpy(p, block.data, block.length);
2509 	    length -= block.length;
2510 	} else {
2511 	    memcpy(p, block.data, length);
2512 	    length = 0;
2513 	}
2514 	p += block.length;
2515 	krb5_data_free(&block);
2516     }
2517 
2518  out:
2519     krb5_data_free(&input2);
2520     if (ret)
2521 	krb5_data_free(output);
2522     return 0;
2523 }
2524 
2525 /**
2526  * The FX-CF2 key derivation function, used in FAST and preauth framework.
2527  *
2528  * @param context Kerberos 5 context
2529  * @param crypto1 first key to combine
2530  * @param crypto2 second key to combine
2531  * @param pepper1 factor to combine with first key to garante uniqueness
2532  * @param pepper2 factor to combine with second key to garante uniqueness
2533  * @param enctype the encryption type of the resulting key
2534  * @param res allocated key, free with krb5_free_keyblock_contents()
2535  *
2536  * @return Return an error code or 0.
2537  *
2538  * @ingroup krb5_crypto
2539  */
2540 
2541 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2542 krb5_crypto_fx_cf2(krb5_context context,
2543 		   const krb5_crypto crypto1,
2544 		   const krb5_crypto crypto2,
2545 		   krb5_data *pepper1,
2546 		   krb5_data *pepper2,
2547 		   krb5_enctype enctype,
2548 		   krb5_keyblock *res)
2549 {
2550     krb5_error_code ret;
2551     krb5_data os1, os2;
2552     size_t i, keysize;
2553 
2554     memset(res, 0, sizeof(*res));
2555 
2556     ret = krb5_enctype_keysize(context, enctype, &keysize);
2557     if (ret)
2558 	return ret;
2559 
2560     ret = krb5_data_alloc(&res->keyvalue, keysize);
2561     if (ret)
2562 	goto out;
2563     ret = krb5_crypto_prfplus(context, crypto1, pepper1, keysize, &os1);
2564     if (ret)
2565 	goto out;
2566     ret = krb5_crypto_prfplus(context, crypto2, pepper2, keysize, &os2);
2567     if (ret)
2568 	goto out;
2569 
2570     res->keytype = enctype;
2571     {
2572 	unsigned char *p1 = os1.data, *p2 = os2.data, *p3 = res->keyvalue.data;
2573 	for (i = 0; i < keysize; i++)
2574 	    p3[i] = p1[i] ^ p2[i];
2575     }
2576  out:
2577     if (ret)
2578 	krb5_data_free(&res->keyvalue);
2579     krb5_data_free(&os1);
2580     krb5_data_free(&os2);
2581 
2582     return ret;
2583 }
2584 
2585 
2586 
2587 #ifndef HEIMDAL_SMALLER
2588 
2589 /**
2590  * Deprecated: keytypes doesn't exists, they are really enctypes.
2591  *
2592  * @ingroup krb5_deprecated
2593  */
2594 
2595 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2596 krb5_keytype_to_enctypes (krb5_context context,
2597 			  krb5_keytype keytype,
2598 			  unsigned *len,
2599 			  krb5_enctype **val)
2600     KRB5_DEPRECATED_FUNCTION("Use X instead")
2601 {
2602     int i;
2603     unsigned n = 0;
2604     krb5_enctype *ret;
2605 
2606     for (i = _krb5_num_etypes - 1; i >= 0; --i) {
2607 	if (_krb5_etypes[i]->keytype->type == keytype
2608 	    && !(_krb5_etypes[i]->flags & F_PSEUDO)
2609 	    && krb5_enctype_valid(context, _krb5_etypes[i]->type) == 0)
2610 	    ++n;
2611     }
2612     if (n == 0) {
2613 	krb5_set_error_message(context, KRB5_PROG_KEYTYPE_NOSUPP,
2614 			       "Keytype have no mapping");
2615 	return KRB5_PROG_KEYTYPE_NOSUPP;
2616     }
2617 
2618     ret = malloc(n * sizeof(*ret));
2619     if (ret == NULL && n != 0) {
2620 	krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
2621 	return ENOMEM;
2622     }
2623     n = 0;
2624     for (i = _krb5_num_etypes - 1; i >= 0; --i) {
2625 	if (_krb5_etypes[i]->keytype->type == keytype
2626 	    && !(_krb5_etypes[i]->flags & F_PSEUDO)
2627 	    && krb5_enctype_valid(context, _krb5_etypes[i]->type) == 0)
2628 	    ret[n++] = _krb5_etypes[i]->type;
2629     }
2630     *len = n;
2631     *val = ret;
2632     return 0;
2633 }
2634 
2635 /**
2636  * Deprecated: keytypes doesn't exists, they are really enctypes.
2637  *
2638  * @ingroup krb5_deprecated
2639  */
2640 
2641 /* if two enctypes have compatible keys */
2642 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
2643 krb5_enctypes_compatible_keys(krb5_context context,
2644 			      krb5_enctype etype1,
2645 			      krb5_enctype etype2)
2646     KRB5_DEPRECATED_FUNCTION("Use X instead")
2647 {
2648     struct _krb5_encryption_type *e1 = _krb5_find_enctype(etype1);
2649     struct _krb5_encryption_type *e2 = _krb5_find_enctype(etype2);
2650     return e1 != NULL && e2 != NULL && e1->keytype == e2->keytype;
2651 }
2652 
2653 #endif /* HEIMDAL_SMALLER */
2654