/*
 * Report whether `key' is salted with `default_salt'.
 *
 * A key with no salt of its own is treated as a match.  Otherwise the
 * salt type must equal default_salt->salttype and the salt bytes must
 * compare equal under krb5_data_cmp().
 */
static krb5_boolean
is_default_salt_p(const krb5_salt *default_salt, const Key *key)
{
    if (key->salt == NULL)
        return TRUE;

    if (key->salt->type != default_salt->salttype)
        return FALSE;

    return krb5_data_cmp(&default_salt->saltvalue, &key->salt->salt) == 0
        ? TRUE : FALSE;
}
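/*
 * Exercise krb5_crypto_prf() on a fresh random AES256-CTS-HMAC-SHA1-96
 * key.  Two properties are checked:
 *
 *   - the PRF output is exactly as long as krb5_crypto_prf_length()
 *     reports for the enctype (the original test fetched that length
 *     but never compared it against anything);
 *   - the PRF is deterministic: two calls with the same key and the
 *     same input return identical bytes.
 *
 * Any failure terminates the program with exit status 1 via
 * krb5_err()/krb5_errx(); on success the resources are released and
 * 0 is returned.  argc/argv are unused.
 */
int
main(int argc, char **argv)
{
    krb5_context context;
    krb5_error_code ret;
    krb5_keyblock key;
    krb5_crypto crypto;
    size_t length;
    krb5_data input, output, output2;
    krb5_enctype etype = ETYPE_AES256_CTS_HMAC_SHA1_96;

    ret = krb5_init_context(&context);
    if (ret)
        errx(1, "krb5_init_context %d", ret);

    ret = krb5_generate_random_keyblock(context, etype, &key);
    if (ret)
        krb5_err(context, 1, ret, "krb5_generate_random_keyblock");

    /* Expected PRF output size for this enctype, checked below. */
    ret = krb5_crypto_prf_length(context, etype, &length);
    if (ret)
        krb5_err(context, 1, ret, "krb5_crypto_prf_length");

    ret = krb5_crypto_init(context, &key, 0, &crypto);
    if (ret)
        krb5_err(context, 1, ret, "krb5_crypto_init");

    input.data = rk_UNCONST("foo");
    input.length = 3;

    ret = krb5_crypto_prf(context, crypto, &input, &output);
    if (ret)
        krb5_err(context, 1, ret, "krb5_crypto_prf");

    /* The advertised PRF length must match what the PRF actually produced. */
    if (output.length != length)
        krb5_errx(context, 1,
                  "krb5_crypto_prf returned %lu bytes, expected %lu",
                  (unsigned long)output.length, (unsigned long)length);

    ret = krb5_crypto_prf(context, crypto, &input, &output2);
    if (ret)
        krb5_err(context, 1, ret, "krb5_crypto_prf");

    /* Same key, same input: the PRF must be deterministic. */
    if (krb5_data_cmp(&output, &output2) != 0)
        krb5_errx(context, 1, "krb5_data_cmp");

    krb5_data_free(&output);
    krb5_data_free(&output2);

    krb5_crypto_destroy(context, crypto);
    krb5_free_keyblock_contents(context, &key);
    krb5_free_context(context);

    return 0;
}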
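/*
 * Number of bytes of backing store the iov array needs.  SIGN_ONLY
 * elements point at caller-owned data and are not counted.
 */
static size_t
iov_buffer_length(const krb5_crypto_iov *iov, size_t niov)
{
    size_t total = 0;
    size_t i;

    for (i = 0; i < niov; i++) {
        if (iov[i].flags == KRB5_CRYPTO_TYPE_SIGN_ONLY)
            continue;
        total += iov[i].data.length;
    }
    return total;
}

/*
 * Back every non-SIGN_ONLY element of `iov' with a slice of one freshly
 * allocated buffer, laid out in element order.  The element lengths
 * must already have been filled in (krb5_crypto_length_iov() for the
 * header/padding/trailer, the caller for DATA).  Returns the buffer,
 * which the caller releases with free().
 */
static unsigned char *
iov_alloc_buffers(krb5_crypto_iov *iov, size_t niov)
{
    unsigned char *base = emalloc(iov_buffer_length(iov, niov));
    unsigned char *p = base;
    size_t i;

    for (i = 0; i < niov; i++) {
        if (iov[i].flags == KRB5_CRYPTO_TYPE_SIGN_ONLY)
            continue;
        iov[i].data.data = p;
        p += iov[i].data.length;
    }
    return base;
}

/*
 * Encrypt `iov' in place and decrypt it again, terminating the program
 * if either call fails.  Key usage 7 is arbitrary; it only has to be
 * the same for both directions.
 */
static void
iov_roundtrip(krb5_context context, krb5_crypto crypto,
              krb5_crypto_iov *iov, size_t niov)
{
    krb5_error_code ret;

    ret = krb5_encrypt_iov_ivec(context, crypto, 7, iov, niov, NULL);
    if (ret)
        krb5_err(context, 1, ret, "krb5_encrypt_iov_ivec");

    ret = krb5_decrypt_iov_ivec(context, crypto, 7, iov, niov, NULL);
    if (ret)
        krb5_err(context, 1, ret, "krb5_decrypt_iov_ivec");
}

/*
 * Negative check: re-encrypt `iov', flip one bit of the ciphertext in
 * element `idx' (which must be a buffer-backed DATA element) and
 * require krb5_decrypt_iov_ivec() to reject the result.  The integrity
 * check is the whole point of the HMAC enctype, so a decrypt that
 * accepts modified ciphertext is a test failure.  The buffers hold
 * garbage afterwards; call this last before freeing them.
 */
static void
iov_tamper_check(krb5_context context, krb5_crypto crypto,
                 krb5_crypto_iov *iov, size_t niov, size_t idx,
                 const char *label)
{
    krb5_error_code ret;
    unsigned char *c;

    ret = krb5_encrypt_iov_ivec(context, crypto, 7, iov, niov, NULL);
    if (ret)
        krb5_err(context, 1, ret, "krb5_encrypt_iov_ivec");

    assert(iov[idx].flags == KRB5_CRYPTO_TYPE_DATA);
    assert(iov[idx].data.length > 0);
    c = iov[idx].data.data;
    c[0] ^= 0x01;

    ret = krb5_decrypt_iov_ivec(context, crypto, 7, iov, niov, NULL);
    if (ret == 0)
        krb5_errx(context, 1, "modified ciphertext (%s) was accepted", label);
}

/*
 * Round-trip test for the IOV encrypt/decrypt API with
 * AES256-CTS-HMAC-SHA1-96.
 *
 * Two layouts are tried with a fresh random key: first a single DATA
 * element plus a SIGN_ONLY element and an EMPTY slot, then the same
 * layout with the EMPTY slot turned into a second DATA element.  For
 * each layout the data must survive encrypt+decrypt unchanged, and a
 * ciphertext with one flipped bit must be rejected on decrypt.
 *
 * Any failure terminates the program with exit status 1; on success
 * the key and crypto context are released and 0 is returned.
 */
static int
iov_test(krb5_context context)
{
    krb5_enctype enctype = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96;
    krb5_error_code ret;
    krb5_crypto crypto;
    krb5_keyblock key;
    krb5_data signonly, in, in2;
    krb5_crypto_iov iov[6];
    const size_t niov = sizeof(iov) / sizeof(iov[0]);
    size_t hdrlen;
    unsigned char *base;

    ret = krb5_generate_random_keyblock(context, enctype, &key);
    if (ret)
        krb5_err(context, 1, ret, "krb5_generate_random_keyblock");

    ret = krb5_crypto_init(context, &key, 0, &crypto);
    if (ret)
        krb5_err(context, 1, ret, "krb5_crypto_init");

    /* Header length as reported by the scalar API, cross-checked below. */
    ret = krb5_crypto_length(context, crypto, KRB5_CRYPTO_TYPE_HEADER, &hdrlen);
    if (ret)
        krb5_err(context, 1, ret, "krb5_crypto_length");

    signonly.data = "This should be signed";
    signonly.length = strlen(signonly.data);
    in.data = "inputdata";
    in.length = strlen(in.data);
    in2.data = "INPUTDATA";
    in2.length = strlen(in2.data);

    /*
     * First layout: HEADER, DATA, SIGN_ONLY, EMPTY, PADDING, TRAILER.
     * The DATA element initially aliases `in' so that its length is
     * known to krb5_crypto_length_iov(); the pointer is replaced by
     * iov_alloc_buffers() before anything writes through it.
     */
    memset(iov, 0, sizeof(iov));
    iov[0].flags = KRB5_CRYPTO_TYPE_HEADER;
    iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
    iov[1].data = in;
    iov[2].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;
    iov[2].data = signonly;
    iov[3].flags = KRB5_CRYPTO_TYPE_EMPTY;
    iov[4].flags = KRB5_CRYPTO_TYPE_PADDING;
    iov[5].flags = KRB5_CRYPTO_TYPE_TRAILER;

    ret = krb5_crypto_length_iov(context, crypto, iov, niov);
    if (ret)
        krb5_err(context, 1, ret, "krb5_crypto_length_iov");

    /* Both length APIs must agree on the header size. */
    if (iov[0].data.length != hdrlen)
        krb5_errx(context, 1, "header length %lu != krb5_crypto_length %lu",
                  (unsigned long)iov[0].data.length, (unsigned long)hdrlen);

    base = iov_alloc_buffers(iov, niov);

    assert(iov[1].data.length == in.length);
    memcpy(iov[1].data.data, in.data, in.length);

    iov_roundtrip(context, crypto, iov, niov);

    if (krb5_data_cmp(&iov[1].data, &in) != 0)
        krb5_errx(context, 1, "decrypted data not same");

    iov_tamper_check(context, crypto, iov, niov, 1, "1");

    free(base);

    /* Second layout: the EMPTY slot becomes a second DATA element. */
    iov[3].flags = KRB5_CRYPTO_TYPE_DATA;
    iov[3].data = in2;

    ret = krb5_crypto_length_iov(context, crypto, iov, niov);
    if (ret)
        krb5_err(context, 1, ret, "krb5_crypto_length_iov");

    base = iov_alloc_buffers(iov, niov);

    assert(iov[1].data.length == in.length);
    memcpy(iov[1].data.data, in.data, in.length);
    assert(iov[3].data.length == in2.length);
    memcpy(iov[3].data.data, in2.data, in2.length);

    iov_roundtrip(context, crypto, iov, niov);

    if (krb5_data_cmp(&iov[1].data, &in) != 0)
        krb5_errx(context, 1, "decrypted data 2.1 not same");
    if (krb5_data_cmp(&iov[3].data, &in2) != 0)
        krb5_errx(context, 1, "decrypted data 2.2 not same");

    iov_tamper_check(context, crypto, iov, niov, 3, "2");

    free(base);

    krb5_crypto_destroy(context, crypto);
    krb5_free_keyblock_contents(context, &key);

    return 0;
}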
/*
 * Match `creds' against the template `mcreds'.
 *
 * The server and client principals are compared whenever the template
 * sets them; KRB5_TC_DONT_MATCH_REALM (and, for the server,
 * KRB5_TC_MATCH_SRV_NAMEONLY) relaxes that comparison to ignore the
 * realm.  Every other field is compared only when its KRB5_TC_MATCH_*
 * bit is present in `whichfields':
 *
 *   KEYTYPE      session key enctype equal
 *   FLAGS_EXACT  ticket flags bit-identical
 *   FLAGS        every flag set in the template is set in `creds'
 *   TIMES_EXACT  all times equal (krb5_times_equal)
 *   TIMES        `creds' lives at least as long as the template
 *                (renew_till and endtime not earlier)
 *   AUTHDATA     same number of elements, each with equal type and data
 *   2ND_TKT      second tickets byte-equal
 *   IS_SKEY      both have a second ticket, or neither does
 *
 * Returns TRUE when every requested comparison succeeds.
 */
krb5_boolean KRB5_LIB_FUNCTION
krb5_compare_creds(krb5_context context, krb5_flags whichfields,
                   const krb5_creds *mcreds, const krb5_creds *creds)
{
    const krb5_flags server_any_realm =
        KRB5_TC_DONT_MATCH_REALM | KRB5_TC_MATCH_SRV_NAMEONLY;

    if (mcreds->server != NULL) {
        krb5_boolean same = (whichfields & server_any_realm)
            ? krb5_principal_compare_any_realm(context, mcreds->server,
                                               creds->server)
            : krb5_principal_compare(context, mcreds->server, creds->server);
        if (!same)
            return FALSE;
    }

    if (mcreds->client != NULL) {
        krb5_boolean same = (whichfields & KRB5_TC_DONT_MATCH_REALM)
            ? krb5_principal_compare_any_realm(context, mcreds->client,
                                               creds->client)
            : krb5_principal_compare(context, mcreds->client, creds->client);
        if (!same)
            return FALSE;
    }

    if ((whichfields & KRB5_TC_MATCH_KEYTYPE) &&
        mcreds->session.keytype != creds->session.keytype)
        return FALSE;

    if ((whichfields & KRB5_TC_MATCH_FLAGS_EXACT) &&
        mcreds->flags.i != creds->flags.i)
        return FALSE;

    /* Subset match: everything the template asks for must be present. */
    if ((whichfields & KRB5_TC_MATCH_FLAGS) &&
        (creds->flags.i & mcreds->flags.i) != mcreds->flags.i)
        return FALSE;

    if ((whichfields & KRB5_TC_MATCH_TIMES_EXACT) &&
        !krb5_times_equal(&mcreds->times, &creds->times))
        return FALSE;

    /* Only the expiration times are compared here. */
    if ((whichfields & KRB5_TC_MATCH_TIMES) &&
        (mcreds->times.renew_till > creds->times.renew_till ||
         mcreds->times.endtime > creds->times.endtime))
        return FALSE;

    if (whichfields & KRB5_TC_MATCH_AUTHDATA) {
        unsigned int i;

        if (mcreds->authdata.len != creds->authdata.len)
            return FALSE;
        for (i = 0; i < mcreds->authdata.len; i++) {
            if (mcreds->authdata.val[i].ad_type !=
                creds->authdata.val[i].ad_type)
                return FALSE;
            if (krb5_data_cmp(&mcreds->authdata.val[i].ad_data,
                              &creds->authdata.val[i].ad_data) != 0)
                return FALSE;
        }
    }

    if ((whichfields & KRB5_TC_MATCH_2ND_TKT) &&
        krb5_data_cmp(&mcreds->second_ticket, &creds->second_ticket) != 0)
        return FALSE;

    if (whichfields & KRB5_TC_MATCH_IS_SKEY) {
        int template_has_2nd = mcreds->second_ticket.length != 0;
        int cred_has_2nd = creds->second_ticket.length != 0;

        if (template_has_2nd != cred_has_2nd)
            return FALSE;
    }

    return TRUE;
}