static krb5_boolean
is_default_salt_p(const krb5_salt *default_salt, const Key *key)
{
if (key->salt == NULL)
return TRUE;
if (default_salt->salttype != key->salt->type)
return FALSE;
if (krb5_data_cmp(&default_salt->saltvalue, &key->salt->salt))
return FALSE;
return TRUE;
}
int
main(int argc, char **argv)
{
krb5_context context;
krb5_error_code ret;
krb5_keyblock key;
krb5_crypto crypto;
size_t length;
krb5_data input, output, output2;
krb5_enctype etype = ETYPE_AES256_CTS_HMAC_SHA1_96;
ret = krb5_init_context(&context);
if (ret)
errx(1, "krb5_init_context %d", ret);
ret = krb5_generate_random_keyblock(context, etype, &key);
if (ret)
krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
ret = krb5_crypto_prf_length(context, etype, &length);
if (ret)
krb5_err(context, 1, ret, "krb5_crypto_prf_length");
ret = krb5_crypto_init(context, &key, 0, &crypto);
if (ret)
krb5_err(context, 1, ret, "krb5_crypto_init");
input.data = rk_UNCONST("foo");
input.length = 3;
ret = krb5_crypto_prf(context, crypto, &input, &output);
if (ret)
krb5_err(context, 1, ret, "krb5_crypto_prf");
ret = krb5_crypto_prf(context, crypto, &input, &output2);
if (ret)
krb5_err(context, 1, ret, "krb5_crypto_prf");
if (krb5_data_cmp(&output, &output2) != 0)
krb5_errx(context, 1, "krb5_data_cmp");
krb5_data_free(&output);
krb5_data_free(&output2);
krb5_crypto_destroy(context, crypto);
krb5_free_keyblock_contents(context, &key);
krb5_free_context(context);
return 0;
}
static int
iov_test(krb5_context context)
{
krb5_enctype enctype = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96;
krb5_error_code ret;
krb5_crypto crypto;
krb5_keyblock key;
krb5_data signonly, in, in2;
krb5_crypto_iov iov[6];
size_t len, i;
unsigned char *base, *p;
ret = krb5_generate_random_keyblock(context, enctype, &key);
if (ret)
krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
ret = krb5_crypto_init(context, &key, 0, &crypto);
if (ret)
krb5_err(context, 1, ret, "krb5_crypto_init");
ret = krb5_crypto_length(context, crypto, KRB5_CRYPTO_TYPE_HEADER, &len);
if (ret)
krb5_err(context, 1, ret, "krb5_crypto_length");
signonly.data = "This should be signed";
signonly.length = strlen(signonly.data);
in.data = "inputdata";
in.length = strlen(in.data);
in2.data = "INPUTDATA";
in2.length = strlen(in2.data);
memset(iov, 0, sizeof(iov));
iov[0].flags = KRB5_CRYPTO_TYPE_HEADER;
iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
iov[1].data = in;
iov[2].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;
iov[2].data = signonly;
iov[3].flags = KRB5_CRYPTO_TYPE_EMPTY;
iov[4].flags = KRB5_CRYPTO_TYPE_PADDING;
iov[5].flags = KRB5_CRYPTO_TYPE_TRAILER;
ret = krb5_crypto_length_iov(context, crypto, iov,
sizeof(iov)/sizeof(iov[0]));
if (ret)
krb5_err(context, 1, ret, "krb5_crypto_length_iov");
for (len = 0, i = 0; i < sizeof(iov)/sizeof(iov[0]); i++) {
if (iov[i].flags == KRB5_CRYPTO_TYPE_SIGN_ONLY)
continue;
len += iov[i].data.length;
}
base = emalloc(len);
/*
* Allocate data for the fields
*/
for (p = base, i = 0; i < sizeof(iov)/sizeof(iov[0]); i++) {
if (iov[i].flags == KRB5_CRYPTO_TYPE_SIGN_ONLY)
continue;;
iov[i].data.data = p;
p += iov[i].data.length;
}
assert(iov[1].data.length == in.length);
memcpy(iov[1].data.data, in.data, iov[1].data.length);
/*
* Encrypt
*/
ret = krb5_encrypt_iov_ivec(context, crypto, 7, iov,
sizeof(iov)/sizeof(iov[0]), NULL);
if (ret)
krb5_err(context, 1, ret, "krb5_encrypt_iov_ivec");
/*
* Decrypt
*/
ret = krb5_decrypt_iov_ivec(context, crypto, 7,
iov, sizeof(iov)/sizeof(iov[0]), NULL);
if (ret)
krb5_err(context, 1, ret, "krb5_decrypt_iov_ivec");
/*
* Verify data
*/
if (krb5_data_cmp(&iov[1].data, &in) != 0)
krb5_errx(context, 1, "decrypted data not same");
/*
* Free memory
*/
free(base);
/* Set up for second try */
iov[3].flags = KRB5_CRYPTO_TYPE_DATA;
iov[3].data = in;
ret = krb5_crypto_length_iov(context, crypto,
iov, sizeof(iov)/sizeof(iov[0]));
if (ret)
krb5_err(context, 1, ret, "krb5_crypto_length_iov");
for (len = 0, i = 0; i < sizeof(iov)/sizeof(iov[0]); i++) {
if (iov[i].flags == KRB5_CRYPTO_TYPE_SIGN_ONLY)
continue;
len += iov[i].data.length;
}
base = emalloc(len);
/*
* Allocate data for the fields
*/
for (p = base, i = 0; i < sizeof(iov)/sizeof(iov[0]); i++) {
if (iov[i].flags == KRB5_CRYPTO_TYPE_SIGN_ONLY)
continue;;
iov[i].data.data = p;
p += iov[i].data.length;
}
assert(iov[1].data.length == in.length);
memcpy(iov[1].data.data, in.data, iov[1].data.length);
assert(iov[3].data.length == in2.length);
memcpy(iov[3].data.data, in2.data, iov[3].data.length);
/*
* Encrypt
*/
ret = krb5_encrypt_iov_ivec(context, crypto, 7,
iov, sizeof(iov)/sizeof(iov[0]), NULL);
if (ret)
krb5_err(context, 1, ret, "krb5_encrypt_iov_ivec");
/*
* Decrypt
*/
ret = krb5_decrypt_iov_ivec(context, crypto, 7,
iov, sizeof(iov)/sizeof(iov[0]), NULL);
if (ret)
krb5_err(context, 1, ret, "krb5_decrypt_iov_ivec");
/*
* Verify data
*/
if (krb5_data_cmp(&iov[1].data, &in) != 0)
krb5_errx(context, 1, "decrypted data 2.1 not same");
if (krb5_data_cmp(&iov[3].data, &in2) != 0)
krb5_errx(context, 1, "decrypted data 2.2 not same");
/*
* Free memory
*/
free(base);
krb5_crypto_destroy(context, crypto);
krb5_free_keyblock_contents(context, &key);
return 0;
}
krb5_boolean KRB5_LIB_FUNCTION
krb5_compare_creds(krb5_context context, krb5_flags whichfields,
const krb5_creds * mcreds, const krb5_creds * creds)
{
krb5_boolean match = TRUE;
if (match && mcreds->server) {
if (whichfields & (KRB5_TC_DONT_MATCH_REALM | KRB5_TC_MATCH_SRV_NAMEONLY))
match = krb5_principal_compare_any_realm (context, mcreds->server,
creds->server);
else
match = krb5_principal_compare (context, mcreds->server,
creds->server);
}
if (match && mcreds->client) {
if(whichfields & KRB5_TC_DONT_MATCH_REALM)
match = krb5_principal_compare_any_realm (context, mcreds->client,
creds->client);
else
match = krb5_principal_compare (context, mcreds->client,
creds->client);
}
if (match && (whichfields & KRB5_TC_MATCH_KEYTYPE))
match = mcreds->session.keytype == creds->session.keytype;
if (match && (whichfields & KRB5_TC_MATCH_FLAGS_EXACT))
match = mcreds->flags.i == creds->flags.i;
if (match && (whichfields & KRB5_TC_MATCH_FLAGS))
match = (creds->flags.i & mcreds->flags.i) == mcreds->flags.i;
if (match && (whichfields & KRB5_TC_MATCH_TIMES_EXACT))
match = krb5_times_equal(&mcreds->times, &creds->times);
if (match && (whichfields & KRB5_TC_MATCH_TIMES))
/* compare only expiration times */
match = (mcreds->times.renew_till <= creds->times.renew_till) &&
(mcreds->times.endtime <= creds->times.endtime);
if (match && (whichfields & KRB5_TC_MATCH_AUTHDATA)) {
unsigned int i;
if(mcreds->authdata.len != creds->authdata.len)
match = FALSE;
else
for(i = 0; match && i < mcreds->authdata.len; i++)
match = (mcreds->authdata.val[i].ad_type ==
creds->authdata.val[i].ad_type) &&
(krb5_data_cmp(&mcreds->authdata.val[i].ad_data,
&creds->authdata.val[i].ad_data) == 0);
}
if (match && (whichfields & KRB5_TC_MATCH_2ND_TKT))
match = (krb5_data_cmp(&mcreds->second_ticket, &creds->second_ticket) == 0);
if (match && (whichfields & KRB5_TC_MATCH_IS_SKEY))
match = ((mcreds->second_ticket.length == 0) ==
(creds->second_ticket.length == 0));
return match;
}
