s4:heimdal: import lorikeet-heimdal-202201172009 (commit 5a0b45cd723628b3690ea848548b...
[samba.git] / source4 / heimdal / lib / krb5 / crypto.h
index 9b95b8f0cbcc5db2c793c2c7a762038712098350..d02f841305bdc87789e96bc1e58381335637b15a 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2016 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  *
@@ -42,24 +42,26 @@ struct _krb5_key_data {
 
 struct _krb5_key_usage;
 
-struct krb5_crypto_data {
-    struct _krb5_encryption_type *et;
-    struct _krb5_key_data key;
-    int num_key_usage;
-    struct _krb5_key_usage *key_usage;
-};
-
 #define CRYPTO_ETYPE(C) ((C)->et->type)
 
 /* bits for `flags' below */
-#define F_KEYED                 1      /* checksum is keyed */
-#define F_CPROOF        2      /* checksum is collision proof */
-#define F_DERIVED       4      /* uses derived keys */
-#define F_VARIANT       8      /* uses `variant' keys (6.4.3) */
-#define F_PSEUDO       16      /* not a real protocol type */
-#define F_SPECIAL      32      /* backwards */
-#define F_DISABLED     64      /* enctype/checksum disabled */
-#define F_WEAK        128      /* enctype is considered weak */
+#define F_KEYED                        0x0001  /* checksum is keyed */
+#define F_CPROOF               0x0002  /* checksum is collision proof */
+#define F_DERIVED              0x0004  /* uses derived keys */
+#define F_VARIANT              0x0008  /* uses `variant' keys (6.4.3) */
+#define F_PSEUDO               0x0010  /* not a real protocol type */
+#define F_DISABLED             0x0020  /* enctype/checksum disabled */
+#define F_WEAK                 0x0040  /* enctype is considered weak */
+#define F_OLD                  0x0080  /* enctype is old */
+
+#define F_RFC3961_ENC          0x0100  /* RFC3961 simplified profile */
+#define F_SPECIAL              0x0200  /* backwards */
+#define F_ENC_THEN_CKSUM       0x0400  /* checksum is over encrypted data */
+#define F_CRYPTO_MASK          0x0F00
+
+#define F_RFC3961_KDF          0x1000  /* RFC3961 KDF */
+#define F_SP800_108_HMAC_KDF   0x2000  /* SP800-108 HMAC KDF */
+#define F_KDF_MASK             0xF000
 
 struct salt_type {
     krb5_salttype type;
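Review bot: The renumbering in this hunk gives existing bit values new meanings: 32 was `F_SPECIAL` and is now `F_DISABLED`, 64 was `F_DISABLED` and is now `F_WEAK`, and 128 was `F_WEAK` and is now `F_OLD`. Any enctype or checksum table entry that writes its flags as a number instead of using the macros, or any object built against the old header, would silently change which types count as disabled or weak. No such user is visible in this diff, so a search of the tree for literal flag values is worth doing before merging. `F_CRYPTO_MASK` and `F_KDF_MASK` also have no comment; each should say which bits it covers and whether the flags under it are mutually exclusive selectors or independent bits.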
@@ -89,20 +91,23 @@ struct _krb5_checksum_type {
     size_t checksumsize;
     unsigned flags;
     krb5_error_code (*checksum)(krb5_context context,
+                               krb5_crypto crypto,
                                struct _krb5_key_data *key,
-                               const void *buf, size_t len,
                                unsigned usage,
+                               const struct krb5_crypto_iov *iov, int niov,
                                Checksum *csum);
     krb5_error_code (*verify)(krb5_context context,
+                             krb5_crypto crypto,
                              struct _krb5_key_data *key,
-                             const void *buf, size_t len,
                              unsigned usage,
+                             const struct krb5_crypto_iov *iov, int niov,
                              Checksum *csum);
 };
 
 struct _krb5_encryption_type {
     krb5_enctype type;
     const char *name;
+    const char *alias;
     size_t blocksize;
     size_t padsize;
     size_t confoundersize;
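Review bot: The buffer count is a signed `int niov` in `checksum` and `verify` here, and again in `encrypt_iov` in the next hunk, so a negative count is representable and every implementation has to reject it before walking the array. Either declare it unsigned (`unsigned int niov`) or state on the members that implementations must fail when `niov < 0`. The checksum callbacks spell the type `const struct krb5_crypto_iov *` while `encrypt_iov` uses the `krb5_crypto_iov` typedef; using one spelling throughout would read better. Nothing in these hunks says whether the added `crypto` argument may be NULL, or whether `encrypt_iov` may be left NULL by enctypes that do not implement it, and a one-line comment on each would settle that for callers. `struct _krb5_checksum_type` starts before this hunk and `struct _krb5_encryption_type` continues past it.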
@@ -116,14 +121,20 @@ struct _krb5_encryption_type {
                               krb5_boolean encryptp,
                               int usage,
                               void *ivec);
+    krb5_error_code (*encrypt_iov)(krb5_context context,
+                              struct _krb5_key_data *key,
+                              krb5_crypto_iov *iov, int niov,
+                              krb5_boolean encryptp,
+                              int usage,
+                              void *ivec);
     size_t prf_length;
     krb5_error_code (*prf)(krb5_context,
                           krb5_crypto, const krb5_data *, krb5_data *);
 };
 
-#define ENCRYPTION_USAGE(U) (((U) << 8) | 0xAA)
-#define INTEGRITY_USAGE(U) (((U) << 8) | 0x55)
-#define CHECKSUM_USAGE(U) (((U) << 8) | 0x99)
+#define ENCRYPTION_USAGE(U) (((uint32_t)(U) << 8) | 0xAA)
+#define INTEGRITY_USAGE(U) (((uint32_t)(U) << 8) | 0x55)
+#define CHECKSUM_USAGE(U) (((uint32_t)(U) << 8) | 0x99)
 
 /* Checksums */
 
@@ -137,15 +148,21 @@ extern struct _krb5_checksum_type _krb5_checksum_rsa_md5;
 extern struct _krb5_checksum_type _krb5_checksum_hmac_sha1_des3;
 extern struct _krb5_checksum_type _krb5_checksum_hmac_sha1_aes128;
 extern struct _krb5_checksum_type _krb5_checksum_hmac_sha1_aes256;
+extern struct _krb5_checksum_type _krb5_checksum_hmac_sha256_128_aes128;
+extern struct _krb5_checksum_type _krb5_checksum_hmac_sha384_192_aes256;
 extern struct _krb5_checksum_type _krb5_checksum_hmac_md5;
 extern struct _krb5_checksum_type _krb5_checksum_sha1;
+extern struct _krb5_checksum_type _krb5_checksum_sha256;
+extern struct _krb5_checksum_type _krb5_checksum_sha384;
+extern struct _krb5_checksum_type _krb5_checksum_sha512;
 
 extern struct _krb5_checksum_type *_krb5_checksum_types[];
 extern int _krb5_num_checksums;
 
 /* Salts */
 
-extern struct salt_type _krb5_AES_salt[];
+extern struct salt_type _krb5_AES_SHA1_salt[];
+extern struct salt_type _krb5_AES_SHA2_salt[];
 extern struct salt_type _krb5_arcfour_salt[];
 extern struct salt_type _krb5_des_salt[];
 extern struct salt_type _krb5_des3_salt[];
@@ -155,6 +172,8 @@ extern struct salt_type _krb5_des3_salt_derived[];
 
 extern struct _krb5_encryption_type _krb5_enctype_aes256_cts_hmac_sha1;
 extern struct _krb5_encryption_type _krb5_enctype_aes128_cts_hmac_sha1;
+extern struct _krb5_encryption_type _krb5_enctype_aes128_cts_hmac_sha256_128;
+extern struct _krb5_encryption_type _krb5_enctype_aes256_cts_hmac_sha384_192;
 extern struct _krb5_encryption_type _krb5_enctype_des3_cbc_sha1;
 extern struct _krb5_encryption_type _krb5_enctype_des3_cbc_md5;
 extern struct _krb5_encryption_type _krb5_enctype_des3_cbc_none;
@@ -172,8 +191,41 @@ extern struct _krb5_encryption_type _krb5_enctype_null;
 extern struct _krb5_encryption_type *_krb5_etypes[];
 extern int _krb5_num_etypes;
 
+static inline int
+_krb5_crypto_iov_should_sign(const struct krb5_crypto_iov *iov)
+{
+    return (iov->flags == KRB5_CRYPTO_TYPE_DATA
+            || iov->flags == KRB5_CRYPTO_TYPE_SIGN_ONLY
+            || iov->flags == KRB5_CRYPTO_TYPE_HEADER
+            || iov->flags == KRB5_CRYPTO_TYPE_PADDING);
+}
+
+/* NO_HCRYPTO_POLLUTION is defined in pkinit-ec.c.  See commentary there. */
+#ifndef NO_HCRYPTO_POLLUTION
 /* Interface to the EVP crypto layer provided by hcrypto */
 struct _krb5_evp_schedule {
+    /*
+     * Normally we'd say EVP_CIPHER_CTX here, but!  this header gets
+     * included in lib/krb5/pkinit-ec.c
+     */
     EVP_CIPHER_CTX ectx;
     EVP_CIPHER_CTX dctx;
 };
+
+struct krb5_crypto_data {
+    struct _krb5_encryption_type *et;
+    struct _krb5_key_data key;
+    EVP_MD_CTX *mdctx;
+    HMAC_CTX *hmacctx;
+    int num_key_usage;
+    struct _krb5_key_usage *key_usage;
+    krb5_flags flags;
+};
+
+/*
+ * Allow generation and verification of unkeyed checksums even when
+ * key material is available.
+ */
+#define KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM                    0x01
+
+#endif
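Review bot: `KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM` relaxes an integrity check, and its comment says what the flag allows but not when that is acceptable. An unkeyed checksum can be recomputed by anyone able to modify the data, so the comment should add something like `/* Unkeyed checksums give no authentication; set only where the checksum is itself protected by the caller. */`. Separately, the comment added inside `struct _krb5_evp_schedule` says "Normally we'd say EVP_CIPHER_CTX here, but!" while the members below it are declared as `EVP_CIPHER_CTX`, so it reads as stale and should be reworded or dropped. `CRYPTO_ETYPE` stays outside the `NO_HCRYPTO_POLLUTION` guard although `struct krb5_crypto_data` is now complete only inside it, which would fail to compile if the macro were used in a file that defines the guard.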