Re: Heimdal 0.3e
>>>>> "GOMBAS" == GOMBAS Gabor <gombasg@inf.elte.hu> writes:
GOMBAS> On Tue, Feb 06, 2001 at 11:34:41AM +0100, Richard Levitte
GOMBAS> - VMS Whacker wrote:
>> #include <openssl/blowfish.h>
GOMBAS> You do not need it. It was left there by mistake. At least
GOMBAS> I do not know about anybody else who is playing with
GOMBAS> Blowfish encryption...
Sorry, I got your name wrong before. Ooops :-(.
Anyway, I have updated your patch, by hand for Heimdal 0.3e.
Hopefully it is correct... (I wasn't sure of some of the changes). I
have taken care to ensure no bugs exist, but you might end up with a
secure authentication protocol, instead of a wide-area bulk disk
eraser.
Oh, this version doesn't include -lcom_err in the output of krb5-config,
so I fixed that too (not tested yet).
diff -ruN heimdal-0.3e-old/admin/ktutil_locl.h heimdal-0.3e/admin/ktutil_locl.h
--- heimdal-0.3e-old/admin/ktutil_locl.h Wed Jul 19 23:58:19 2000
+++ heimdal-0.3e/admin/ktutil_locl.h Wed Feb 7 12:18:43 2001
@@ -54,7 +54,11 @@
#include <parse_time.h>
#include <roken.h>
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/des.h>
+#else
#include <des.h>
+#endif
#include <krb5.h>
#include <kadm5/admin.h>
diff -ruN heimdal-0.3e-old/appl/ftp/ftp/ftp_locl.h heimdal-0.3e/appl/ftp/ftp/ftp_locl.h
--- heimdal-0.3e-old/appl/ftp/ftp/ftp_locl.h Fri Dec 3 03:58:29 1999
+++ heimdal-0.3e/appl/ftp/ftp/ftp_locl.h Wed Feb 7 12:19:39 2001
@@ -129,7 +129,11 @@
#include "roken.h"
#include "security.h"
-#include <des.h> /* for des_read_pw_string */
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/des.h>
+#else
+#include <des.h>
+#endif
#if defined(__sun__) && !defined(__svr4)
int fclose(FILE*);
diff -ruN heimdal-0.3e-old/appl/kx/common.c heimdal-0.3e/appl/kx/common.c
--- heimdal-0.3e-old/appl/kx/common.c Wed Jan 17 21:09:16 2001
+++ heimdal-0.3e/appl/kx/common.c Wed Feb 7 12:20:16 2001
@@ -405,7 +405,7 @@
auth.name_length = strlen(auth.name);
auth.data_length = cookie_sz;
auth.data = (char*)cookie;
- des_rand_data (cookie, cookie_sz);
+ krb5_generate_random_block (cookie, cookie_sz);
strlcpy(xauthfile, "/tmp/AXXXXXX", xauthfile_size);
fd = mkstemp(xauthfile);
diff -ruN heimdal-0.3e-old/appl/otp/otp_locl.h heimdal-0.3e/appl/otp/otp_locl.h
--- heimdal-0.3e-old/appl/otp/otp_locl.h Fri Dec 3 03:58:32 1999
+++ heimdal-0.3e/appl/otp/otp_locl.h Wed Feb 7 12:20:53 2001
@@ -52,5 +52,9 @@
#endif
#include <roken.h>
#include <err.h>
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/des.h>
+#else
#include <des.h>
+#endif
#include <otp.h>
diff -ruN heimdal-0.3e-old/appl/su/su.c heimdal-0.3e/appl/su/su.c
--- heimdal-0.3e-old/appl/su/su.c Sat Jan 27 03:02:49 2001
+++ heimdal-0.3e/appl/su/su.c Wed Feb 7 12:21:30 2001
@@ -50,7 +50,11 @@
#include <pwd.h>
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/des.h>
+#else
#include <des.h>
+#endif
#include <krb5.h>
#include <kafs.h>
#include <err.h>
diff -ruN heimdal-0.3e-old/appl/telnet/libtelnet/enc_des.c heimdal-0.3e/appl/telnet/libtelnet/enc_des.c
--- heimdal-0.3e-old/appl/telnet/libtelnet/enc_des.c Fri Jul 10 09:16:23 1998
+++ heimdal-0.3e/appl/telnet/libtelnet/enc_des.c Wed Feb 7 12:23:14 2001
@@ -50,8 +50,6 @@
#include "encrypt.h"
#include "misc-proto.h"
-#include <des.h>
-
extern int encrypt_debug_mode;
#define CFB 0
@@ -208,19 +206,7 @@
/*
* Create a random feed and send it over.
*/
-#ifndef OLD_DES_RANDOM_KEY
des_new_random_key(&fbp->temp_feed);
-#else
- /*
- * From des_cryp.man "If the des_check_key flag is non-zero,
- * des_set_key will check that the key passed is
- * of odd parity and is not a week or semi-weak key."
- */
- do {
- des_random_key(fbp->temp_feed);
- des_set_odd_parity(fbp->temp_feed);
- } while (des_is_weak_key(fbp->temp_feed));
-#endif
des_ecb_encrypt(&fbp->temp_feed,
&fbp->temp_feed,
fbp->krbdes_sched, 1);
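Review bot: The result of `des_new_random_key(&fbp->temp_feed);`, the line kept once the OLD_DES_RANDOM_KEY fallback is removed, is discarded, and on the HAVE_OPENSSL_DES_H build that name is now a macro for OpenSSL's des_random_key (encrypt.h hunk in this same patch). As far as I recall that function fills the key from RAND_bytes and returns 0 without touching it when the generator is unseeded; the only seeding this patch adds is seed_something() inside krb5_generate_random_block in lib/krb5/crypto.c, which libtelnet never calls, and the next hunk's `#ifndef HAVE_OPENSSL_DES_H` now skips des_init_random_number_generator on that path as well, so the feed can be sent unset. Either seed through krb5_generate_random_block before this call or check the result under the OpenSSL build, e.g. `if (des_new_random_key(&fbp->temp_feed) != 1) { /* generator unseeded: do not send a feed */ return; }` (the libdes return convention may differ, so keep the check inside the OpenSSL conditional). The enclosing function starts and ends outside this hunk, so the exact return statement has to match its signature.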
@@ -404,7 +390,7 @@
fb64_stream_key(fbp->krbdes_key, &fbp->streams[DIR_DECRYPT-1]);
if (fbp->once == 0) {
-#ifndef OLD_DES_RANDOM_KEY
+#ifndef HAVE_OPENSSL_DES_H
des_init_random_number_generator(&fbp->krbdes_key);
#endif
fbp->once = 1;
diff -ruN heimdal-0.3e-old/appl/telnet/libtelnet/encrypt.h heimdal-0.3e/appl/telnet/libtelnet/encrypt.h
--- heimdal-0.3e-old/appl/telnet/libtelnet/encrypt.h Sat Jan 25 10:10:56 1997
+++ heimdal-0.3e/appl/telnet/libtelnet/encrypt.h Wed Feb 7 12:24:00 2001
@@ -90,6 +90,13 @@
#define SK_DES 1 /* Matched Kerberos v5 KEYTYPE_DES */
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/des.h>
+#define des_new_random_key des_random_key
+#else
+#include <des.h>
+#endif
+
#include "enc-proto.h"
extern int encrypt_debug_mode;
diff -ruN heimdal-0.3e-old/appl/telnet/libtelnet/kerberos.c heimdal-0.3e/appl/telnet/libtelnet/kerberos.c
--- heimdal-0.3e-old/appl/telnet/libtelnet/kerberos.c Thu Nov 23 13:28:06 2000
+++ heimdal-0.3e/appl/telnet/libtelnet/kerberos.c Wed Feb 7 12:24:27 2001
@@ -65,7 +65,6 @@
#include <arpa/telnet.h>
#endif
#include <stdio.h>
-#include <des.h> /* BSD wont include this in krb.h, so we do it here */
#include <krb.h>
#include <pwd.h>
#include <stdlib.h>
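Review bot: `#include <des.h>` is removed here and again in krb4encpwd.c with no replacement in either hunk, and the deleted comment itself says krb.h does not pull it in on BSD, so those builds lose the des_* declarations unless something else now includes the header. Every other file in this patch swaps the include for the guarded pair `#ifdef HAVE_OPENSSL_DES_H` / `#include <openssl/des.h>` / `#else` / `#include <des.h>` / `#endif`; the same block should replace the removed line in both files rather than dropping it outright.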
diff -ruN heimdal-0.3e-old/appl/telnet/libtelnet/krb4encpwd.c heimdal-0.3e/appl/telnet/libtelnet/krb4encpwd.c
--- heimdal-0.3e-old/appl/telnet/libtelnet/krb4encpwd.c Fri Sep 17 06:41:34 1999
+++ heimdal-0.3e/appl/telnet/libtelnet/krb4encpwd.c Wed Feb 7 12:24:43 2001
@@ -74,7 +74,6 @@
#include <pwd.h>
#include <stdio.h>
-#include <des.h>
#include <krb.h>
#include <stdlib.h>
#include <string.h>
diff -ruN heimdal-0.3e-old/configure.in heimdal-0.3e/configure.in
--- heimdal-0.3e-old/configure.in Mon Feb 5 18:58:05 2001
+++ heimdal-0.3e/configure.in Wed Feb 7 12:25:28 2001
@@ -292,6 +292,7 @@
netinet/in_systm.h \
netinet6/in6.h \
netinfo/ni.h \
+ openssl/crypto.h \
paths.h \
pthread.h \
pty.h \
@@ -566,7 +567,10 @@
"$ac_cv_func_SHA1_Init" = "yes" -a \
"$ac_cv_func_RC4" = "yes"; then
DIR_des=''
- LIB_des="-R $krb4_libdir -L$krb4_libdir $ac_cv_funclib_MD4_Init"
+ if test "$krb4_libdir" != ""; then
+ LIB_des="-rpath $krb4_libdir -L$krb4_libdir"
+ fi
+ LIB_des="$LIB_des $ac_cv_funclib_MD4_Init"
LIB_des_appl="$LIB_des"
else
DIR_des='des'
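Review bot: `LIB_des="-rpath $krb4_libdir -L$krb4_libdir"` hands a bare `-rpath` to whatever drives the link; ld accepts that spelling but the gcc driver, to my knowledge, does not, and needs `-Wl,-rpath,$krb4_libdir` (the replaced `-R` had the same portability problem in the other direction). Since LIB_des flows into LIB_des_appl and from there into the krb5-config output changed in the last hunk, every program built against the library inherits the flag. Consider `LIB_des="-Wl,-rpath,$krb4_libdir -L$krb4_libdir"` or reuse whatever run-path flag configure already detects elsewhere. The added empty-string guard on krb4_libdir is a good fix on its own.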
diff -ruN heimdal-0.3e-old/kadmin/kadmin_locl.h heimdal-0.3e/kadmin/kadmin_locl.h
--- heimdal-0.3e-old/kadmin/kadmin_locl.h Tue Sep 19 23:46:18 2000
+++ heimdal-0.3e/kadmin/kadmin_locl.h Wed Feb 7 12:27:09 2001
@@ -83,7 +83,11 @@
#endif
#include <err.h>
#include <roken.h>
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/des.h>
+#else
#include <des.h>
+#endif
#include <krb5.h>
#include <krb5_locl.h>
#include <hdb.h>
diff -ruN heimdal-0.3e-old/kadmin/random_password.c heimdal-0.3e/kadmin/random_password.c
--- heimdal-0.3e-old/kadmin/random_password.c Fri Dec 3 04:04:58 1999
+++ heimdal-0.3e/kadmin/random_password.c Wed Feb 7 12:30:13 2001
@@ -57,8 +57,9 @@
{
#ifdef OTP_STYLE
{
- des_cblock newkey;
+ OtpKey newkey;
+ krb5_generate_random_block(&newkey, sizeof(newkey));
des_new_random_key(&newkey);
otp_print_stddict (newkey, pw, len);
strlwr(pw);
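Review bot: `des_new_random_key(&newkey);` on the line after the new krb5_generate_random_block call is left in place, so the random block just generated is immediately overwritten and, now that newkey is an `OtpKey` rather than a `des_cblock`, the call passes a pointer of a different type (and on the OpenSSL build depends again on a generator this path never seeds). That line should be deleted in this hunk, leaving only `krb5_generate_random_block(&newkey, sizeof(newkey));`. OtpKey's definition is not visible here, so whether `sizeof(newkey)` covers exactly the bytes otp_print_stddict expects should be confirmed against otp.h.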
@@ -80,11 +81,11 @@
#ifndef OTP_STYLE
/* return a random value in range 0-127 */
static int
-RND(des_cblock *key, int *left)
+RND(unsigned char *key, int keylen, int *left)
{
if(*left == 0){
- des_new_random_key(key);
- *left = 8;
+ krb5_generate_random_block(key, keylen);
+ *left = keylen;
}
(*left)--;
return ((unsigned char*)key)[*left];
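Review bot: With the parameter now declared `unsigned char *key`, the cast in `return ((unsigned char*)key)[*left];` is redundant and the line should read `return key[*left];`. `keylen` is an `int` that receives a `sizeof` at every call site; `size_t` would match both the callers and krb5_generate_random_block's signature, though that is cosmetic. A keylen of 0 would leave *left at 0, decrement it to -1 and index before the buffer, so the helper silently assumes keylen > 0; the callers in this patch pass sizeof an 8-byte array, so this is only worth a comment on the function.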
@@ -120,7 +121,7 @@
} *classes;
va_list ap;
int len, i;
- des_cblock rbuf; /* random buffer */
+ unsigned char rbuf[8]; /* random buffer */
int rleft = 0;
classes = malloc(num_classes * sizeof(*classes));
@@ -138,11 +139,12 @@
return;
for(i = 0; i < len; i++) {
int j;
- int x = RND(&rbuf, &rleft) % (len - i);
+ int x = RND(rbuf, sizeof(rbuf), &rleft) % (len - i);
int t = 0;
for(j = 0; j < num_classes; j++) {
if(x < t + classes[j].freq) {
- (*pw)[i] = classes[j].str[RND(&rbuf, &rleft) % classes[j].len];
+ (*pw)[i] = classes[j].str[RND(rbuf, sizeof(rbuf), &rleft) %
+ classes[j].len];
classes[j].freq--;
break;
}
diff -ruN heimdal-0.3e-old/kdc/headers.h heimdal-0.3e/kdc/headers.h
--- heimdal-0.3e-old/kdc/headers.h Fri Aug 4 21:21:38 2000
+++ heimdal-0.3e/kdc/headers.h Wed Feb 7 12:30:47 2001
@@ -82,7 +82,11 @@
#include <getarg.h>
#include <base64.h>
#include <parse_units.h>
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/des.h>
+#else
#include <des.h>
+#endif
#include <krb5.h>
#include <krb5_locl.h>
#include <hdb.h>
diff -ruN heimdal-0.3e-old/kpasswd/kpasswd_locl.h heimdal-0.3e/kpasswd/kpasswd_locl.h
--- heimdal-0.3e-old/kpasswd/kpasswd_locl.h Fri Aug 4 21:22:51 2000
+++ heimdal-0.3e/kpasswd/kpasswd_locl.h Wed Feb 7 12:31:32 2001
@@ -95,7 +95,11 @@
#include <err.h>
#include <roken.h>
#include <getarg.h>
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/des.h>
+#else
#include <des.h>
+#endif
#include <krb5.h>
#endif /* __KPASSWD_LOCL_H__ */
diff -ruN heimdal-0.3e-old/lib/hdb/hdb_locl.h heimdal-0.3e/lib/hdb/hdb_locl.h
--- heimdal-0.3e-old/lib/hdb/hdb_locl.h Tue Nov 14 17:57:17 2000
+++ heimdal-0.3e/lib/hdb/hdb_locl.h Wed Feb 7 12:32:11 2001
@@ -56,7 +56,11 @@
#endif
#include <roken.h>
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/des.h>
+#else
#include <des.h>
+#endif
#include <krb5.h>
#include <hdb.h>
#include <hdb-private.h>
diff -ruN heimdal-0.3e-old/lib/hdb/mkey.c heimdal-0.3e/lib/hdb/mkey.c
--- heimdal-0.3e-old/lib/hdb/mkey.c Tue Jan 30 12:20:57 2001
+++ heimdal-0.3e/lib/hdb/mkey.c Wed Feb 7 12:32:36 2001
@@ -437,9 +437,6 @@
if (ret)
return ret;
db->master_key = mkey;
-#if 0 /* XXX - why? */
- des_set_random_generator_seed(key.keyvalue.data);
-#endif
db->master_key_set = 1;
return 0;
}
diff -ruN heimdal-0.3e-old/lib/krb5/crypto.c heimdal-0.3e/lib/krb5/crypto.c
--- heimdal-0.3e-old/lib/krb5/crypto.c Wed Jan 31 04:10:55 2001
+++ heimdal-0.3e/lib/krb5/crypto.c Wed Feb 7 12:38:11 2001
@@ -2532,6 +2532,71 @@
* *
************************************************************/
+#ifdef HAVE_OPENSSL_DES_H
+/* From openssl/crypto/rand/rand_lcl.h */
+#define ENTROPY_NEEDED 20
+static int seed_something(void)
+{
+ int fd = -1;
+ size_t len;
+ char buf[1024], seedfile[256];
+
+ /* If there is a seed file, load it. But such a file cannot be trusted,
+ so use 0 for the entropy estimate */
+ if (RAND_file_name(seedfile, sizeof(seedfile))) {
+ fd = open(seedfile, O_RDONLY);
+ if (fd >= 0) {
+ read(fd, buf, sizeof(buf));
+ /* Use the full buffer anyway */
+ RAND_add(buf, sizeof(buf), 0.0);
+ }
+ else
+ seedfile[0] = '\0';
+ }
+ else
+ seedfile[0] = '\0';
+
+ /* Calling RAND_status() will try to use /dev/urandom if it exists so
+ we do not have to deal with it. */
+ if (RAND_status() != 1) {
+ krb5_context context;
+ char *p;
+
+ /* Try using egd */
+ if (!krb5_init_context(&context)) {
+ p = krb5_config_get_string(context, NULL, "libdefaults",
+ "egd_socket", NULL);
+ if (p != NULL)
+ RAND_egd_bytes(p, ENTROPY_NEEDED);
+ krb5_free_context(context);
+ }
+ }
+
+ if (RAND_status() == 1) {
+ /* Update the seed file */
+ if (seedfile[0])
+ RAND_write_file(seedfile);
+
+ return 0;
+ }
+ else
+ return -1;
+}
+
+void
+krb5_generate_random_block(void *buf, size_t len)
+{
+ static int rng_initialized = 0;
+
+ if (!rng_initialized) {
+ if (seed_something())
+ krb5_abortx(NULL, "Fatal: could not seed the random number generator");
+
+ rng_initialized = 1;
+ }
+ RAND_bytes(buf, len);
+}
+#else
void
krb5_generate_random_block(void *buf, size_t len)
{
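Review bot: The descriptor from `open(seedfile, O_RDONLY)` is never closed and the `read()` result is discarded, so `RAND_add(buf, sizeof(buf), 0.0)` mixes in whatever stack bytes the read did not fill (harmless at an entropy estimate of 0, but reading uninitialized storage is still undefined behaviour) and one fd leaks per process. More important for a library that su and kx link against: RAND_file_name() derives the path from the environment (RANDFILE, else $HOME/.rnd, as far as I recall), and this code both reads that file and rewrites it through `RAND_write_file(seedfile)` with the process's effective privileges, so a set-uid caller would read and write a caller-chosen path as root; skipping the seed file whenever real and effective ids differ avoids that (getuid/geteuid presumably come in via krb5_locl.h's unistd.h). Separately, `RAND_bytes(buf, len)` in krb5_generate_random_block can return 0 and leave buf untouched even after a successful seed, and the void interface gives callers no way to notice, so abort there the way the seeding failure already does. `size_t len` in seed_something is unused and should go.
```c
static int seed_something(void)
{
    int fd = -1;
    char buf[1024], seedfile[256];

    /* The seed file path comes from the environment, so neither read nor
       rewrite it when running set-id; its contents are untrusted either
       way, hence the 0 entropy estimate. */
    seedfile[0] = '\0';
    if (getuid() == geteuid() && getgid() == getegid()
        && RAND_file_name(seedfile, sizeof(seedfile))) {
        fd = open(seedfile, O_RDONLY);
        if (fd >= 0) {
            ssize_t n = read(fd, buf, sizeof(buf));
            close(fd);
            if (n > 0)
                RAND_add(buf, (int)n, 0.0);
        } else
            seedfile[0] = '\0';
    }

    /* … unchanged: RAND_status() check, egd_socket fallback, seed file update … */
}

void
krb5_generate_random_block(void *buf, size_t len)
{
    /* … unchanged: one-time seed_something() / krb5_abortx … */
    if (RAND_bytes(buf, len) != 1)
        krb5_abortx(NULL, "Fatal: random number generator failed");
}
```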
@@ -2557,6 +2622,7 @@
buf = (char*)buf + sizeof(out);
}
}
+#endif
static void
DES3_postproc(krb5_context context,
diff -ruN heimdal-0.3e-old/lib/krb5/krb5_locl.h heimdal-0.3e/lib/krb5/krb5_locl.h
--- heimdal-0.3e-old/lib/krb5/krb5_locl.h Mon Jan 29 13:09:00 2001
+++ heimdal-0.3e/lib/krb5/krb5_locl.h Wed Feb 7 12:33:59 2001
@@ -111,6 +111,7 @@
#ifdef HAVE_OPENSSL_DES_H
#include <openssl/des.h>
+#define des_new_random_key des_random_key
#else
#include <des.h>
#endif
diff -ruN heimdal-0.3e-old/tools/krb5-config.in heimdal-0.3e/tools/krb5-config.in
--- heimdal-0.3e-old/tools/krb5-config.in Mon Jan 29 17:56:51 2001
+++ heimdal-0.3e/tools/krb5-config.in Wed Feb 7 13:12:11 2001
@@ -99,7 +99,7 @@
lib_flags="$lib_flags -lkadm5srv"
;;
esac
- lib_flags="$lib_flags -lkrb5 -lasn1 @LIB_des_appl@ -lroken"
+ lib_flags="$lib_flags -lkrb5 -lasn1 -lcom_err @LIB_des_appl@ -lroken"
lib_flags="$lib_flags @LIB_crypt@ @LIB_dbopen@ @LIBS@"
echo $lib_flags
fi
--
Brian May <bam@snoopy.apana.org.au>