2 * Copyright (c) 1997 - 2016 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #ifndef HEIMDAL_SMALLER
35 #define DES3_OLD_ENCTYPE 1
38 struct _krb5_key_data {
43 struct _krb5_key_usage;
45 #define CRYPTO_ETYPE(C) ((C)->et->type)
47 /* bits for `flags' below */
48 #define F_KEYED 0x0001 /* checksum is keyed */
49 #define F_CPROOF 0x0002 /* checksum is collision proof */
50 #define F_DERIVED 0x0004 /* uses derived keys */
51 #define F_VARIANT 0x0008 /* uses `variant' keys (6.4.3) */
52 #define F_PSEUDO 0x0010 /* not a real protocol type */
53 #define F_DISABLED 0x0020 /* enctype/checksum disabled */
54 #define F_WEAK 0x0040 /* enctype is considered weak */
55 #define F_OLD 0x0080 /* enctype is old */
57 #define F_RFC3961_ENC 0x0100 /* RFC3961 simplified profile */
58 #define F_SPECIAL 0x0200 /* backwards */
59 #define F_ENC_THEN_CKSUM 0x0400 /* checksum is over encrypted data */
60 #define F_CRYPTO_MASK 0x0F00
62 #define F_RFC3961_KDF 0x1000 /* RFC3961 KDF */
63 #define F_SP800_108_HMAC_KDF 0x2000 /* SP800-108 HMAC KDF */
64 #define F_KDF_MASK 0xF000
69 krb5_error_code (*string_to_key)(krb5_context, krb5_enctype, krb5_data,
70 krb5_salt, krb5_data, krb5_keyblock*);
73 struct _krb5_key_type {
79 void (*random_key)(krb5_context, krb5_keyblock*);
80 void (*schedule)(krb5_context, struct _krb5_key_type *, struct _krb5_key_data *);
81 struct salt_type *string_to_key;
82 void (*random_to_key)(krb5_context, krb5_keyblock*, const void*, size_t);
83 void (*cleanup)(krb5_context, struct _krb5_key_data *);
84 const EVP_CIPHER *(*evp)(void);
87 struct _krb5_checksum_type {
93 krb5_error_code (*checksum)(krb5_context context,
95 struct _krb5_key_data *key,
97 const struct krb5_crypto_iov *iov, int niov,
99 krb5_error_code (*verify)(krb5_context context,
101 struct _krb5_key_data *key,
103 const struct krb5_crypto_iov *iov, int niov,
107 struct _krb5_encryption_type {
113 size_t confoundersize;
114 struct _krb5_key_type *keytype;
115 struct _krb5_checksum_type *checksum;
116 struct _krb5_checksum_type *keyed_checksum;
118 krb5_error_code (*encrypt)(krb5_context context,
119 struct _krb5_key_data *key,
120 void *data, size_t len,
121 krb5_boolean encryptp,
124 krb5_error_code (*encrypt_iov)(krb5_context context,
125 struct _krb5_key_data *key,
126 krb5_crypto_iov *iov, int niov,
127 krb5_boolean encryptp,
131 krb5_error_code (*prf)(krb5_context,
132 krb5_crypto, const krb5_data *, krb5_data *);
135 #define ENCRYPTION_USAGE(U) (((uint32_t)(U) << 8) | 0xAA)
136 #define INTEGRITY_USAGE(U) (((uint32_t)(U) << 8) | 0x55)
137 #define CHECKSUM_USAGE(U) (((uint32_t)(U) << 8) | 0x99)
141 extern struct _krb5_checksum_type _krb5_checksum_none;
142 extern struct _krb5_checksum_type _krb5_checksum_crc32;
143 extern struct _krb5_checksum_type _krb5_checksum_rsa_md4;
144 extern struct _krb5_checksum_type _krb5_checksum_rsa_md4_des;
145 extern struct _krb5_checksum_type _krb5_checksum_rsa_md5_des;
146 extern struct _krb5_checksum_type _krb5_checksum_rsa_md5_des3;
147 extern struct _krb5_checksum_type _krb5_checksum_rsa_md5;
148 extern struct _krb5_checksum_type _krb5_checksum_hmac_sha1_des3;
149 extern struct _krb5_checksum_type _krb5_checksum_hmac_sha1_aes128;
150 extern struct _krb5_checksum_type _krb5_checksum_hmac_sha1_aes256;
151 extern struct _krb5_checksum_type _krb5_checksum_hmac_sha256_128_aes128;
152 extern struct _krb5_checksum_type _krb5_checksum_hmac_sha384_192_aes256;
153 extern struct _krb5_checksum_type _krb5_checksum_hmac_md5;
154 extern struct _krb5_checksum_type _krb5_checksum_sha1;
155 extern struct _krb5_checksum_type _krb5_checksum_sha256;
156 extern struct _krb5_checksum_type _krb5_checksum_sha384;
157 extern struct _krb5_checksum_type _krb5_checksum_sha512;
159 extern struct _krb5_checksum_type *_krb5_checksum_types[];
160 extern int _krb5_num_checksums;
164 extern struct salt_type _krb5_AES_SHA1_salt[];
165 extern struct salt_type _krb5_AES_SHA2_salt[];
166 extern struct salt_type _krb5_arcfour_salt[];
167 extern struct salt_type _krb5_des_salt[];
168 extern struct salt_type _krb5_des3_salt[];
169 extern struct salt_type _krb5_des3_salt_derived[];
171 /* Encryption types */
173 extern struct _krb5_encryption_type _krb5_enctype_aes256_cts_hmac_sha1;
174 extern struct _krb5_encryption_type _krb5_enctype_aes128_cts_hmac_sha1;
175 extern struct _krb5_encryption_type _krb5_enctype_aes128_cts_hmac_sha256_128;
176 extern struct _krb5_encryption_type _krb5_enctype_aes256_cts_hmac_sha384_192;
177 extern struct _krb5_encryption_type _krb5_enctype_des3_cbc_sha1;
178 extern struct _krb5_encryption_type _krb5_enctype_des3_cbc_md5;
179 extern struct _krb5_encryption_type _krb5_enctype_des3_cbc_none;
180 extern struct _krb5_encryption_type _krb5_enctype_arcfour_hmac_md5;
181 extern struct _krb5_encryption_type _krb5_enctype_des_cbc_md5;
182 extern struct _krb5_encryption_type _krb5_enctype_old_des3_cbc_sha1;
183 extern struct _krb5_encryption_type _krb5_enctype_des_cbc_crc;
184 extern struct _krb5_encryption_type _krb5_enctype_des_cbc_md4;
185 extern struct _krb5_encryption_type _krb5_enctype_des_cbc_md5;
186 extern struct _krb5_encryption_type _krb5_enctype_des_cbc_none;
187 extern struct _krb5_encryption_type _krb5_enctype_des_cfb64_none;
188 extern struct _krb5_encryption_type _krb5_enctype_des_pcbc_none;
189 extern struct _krb5_encryption_type _krb5_enctype_null;
191 extern struct _krb5_encryption_type *_krb5_etypes[];
192 extern int _krb5_num_etypes;
195 _krb5_crypto_iov_should_sign(const struct krb5_crypto_iov *iov)
197 return (iov->flags == KRB5_CRYPTO_TYPE_DATA
198 || iov->flags == KRB5_CRYPTO_TYPE_SIGN_ONLY
199 || iov->flags == KRB5_CRYPTO_TYPE_HEADER
200 || iov->flags == KRB5_CRYPTO_TYPE_PADDING);
203 /* NO_HCRYPTO_POLLUTION is defined in pkinit-ec.c. See commentary there. */
204 #ifndef NO_HCRYPTO_POLLUTION
205 /* Interface to the EVP crypto layer provided by hcrypto */
206 struct _krb5_evp_schedule {
208 * Normally we'd say EVP_CIPHER_CTX here, but! this header gets
209 * included in lib/krb5/pkinit-ec.c
215 struct krb5_crypto_data {
216 struct _krb5_encryption_type *et;
217 struct _krb5_key_data key;
221 struct _krb5_key_usage *key_usage;
226 * Allow generation and verification of unkeyed checksums even when
227 * key material is available.
229 #define KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM 0x01
git.samba.org / samba.git / blob