rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Remove now-unused checksum functions

Browse Source
This commit is contained in:
Robbie Harwood 2019-07-02 11:42:28 -04:00
parent 490a817464
commit a0277fd396
2 changed files with 340 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

335
Remove-now-unused-checksum-functions.patch Normal file
View File

@ -0,0 +1,335 @@
From 3c132f6e129f3e4805ae44a8db749930f1e398b1 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 28 Jun 2019 13:09:47 -0400
Subject: [PATCH] Remove now-unused checksum functions
fb2dada5eb89c4cd4e39dedd6dbb7dbd5e94f8b8 removed all call sites of
krb5int_cbc_checksum(), krb5int_confounder_verify(), and
krb5int_confounder_checksum(), but neglected the functions themselves.
ticket: 8808
(cherry picked from commit 2063ff09b384d466c15aca8970c01d074230c815)
---
src/lib/crypto/krb/Makefile.in | 6 -
src/lib/crypto/krb/checksum_cbc.c | 41 ------
src/lib/crypto/krb/checksum_confounder.c | 159 -----------------------
src/lib/crypto/krb/crypto_int.h | 16 ---
src/lib/crypto/krb/deps | 26 ----
5 files changed, 248 deletions(-)
delete mode 100644 src/lib/crypto/krb/checksum_cbc.c
delete mode 100644 src/lib/crypto/krb/checksum_confounder.c
diff --git a/src/lib/crypto/krb/Makefile.in b/src/lib/crypto/krb/Makefile.in
index b587f7e19..2b0c4163d 100644
--- a/src/lib/crypto/krb/Makefile.in
+++ b/src/lib/crypto/krb/Makefile.in
@@ -10,8 +10,6 @@ STLIBOBJS=\
aead.o \
block_size.o \
cf2.o \
- checksum_cbc.o \
- checksum_confounder.o \
checksum_dk_cmac.o \
checksum_dk_hmac.o \
checksum_etm.o \
@@ -70,8 +68,6 @@ OBJS=\
$(OUTPRE)aead.$(OBJEXT) \
$(OUTPRE)block_size.$(OBJEXT) \
$(OUTPRE)cf2.$(OBJEXT) \
- $(OUTPRE)checksum_cbc.$(OBJEXT) \
- $(OUTPRE)checksum_confounder.$(OBJEXT) \
$(OUTPRE)checksum_dk_cmac.$(OBJEXT) \
$(OUTPRE)checksum_dk_hmac.$(OBJEXT) \
$(OUTPRE)checksum_etm.$(OBJEXT) \
@@ -130,8 +126,6 @@ SRCS=\
$(srcdir)/aead.c \
$(srcdir)/block_size.c \
$(srcdir)/cf2.c \
- $(srcdir)/checksum_cbc.c \
- $(srcdir)/checksum_confounder.c \
$(srcdir)/checksum_dk_cmac.c \
$(srcdir)/checksum_dk_hmac.c \
$(srcdir)/checksum_etm.c \
diff --git a/src/lib/crypto/krb/checksum_cbc.c b/src/lib/crypto/krb/checksum_cbc.c
deleted file mode 100644
index 48afeb0e5..000000000
--- a/src/lib/crypto/krb/checksum_cbc.c
+++ /dev/null
@@ -1,41 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/krb/checksum_cbc.c */
-/*
- * Copyright (C) 2009 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/* CBC checksum, which computes the ivec resulting from CBC encryption of the
- * input. */
-
-#include "crypto_int.h"
-
-krb5_error_code
-krb5int_cbc_checksum(const struct krb5_cksumtypes *ctp,
- krb5_key key, krb5_keyusage usage,
- const krb5_crypto_iov *data, size_t num_data,
- krb5_data *output)
-{
- if (ctp->enc->cbc_mac == NULL)
- return KRB5_CRYPTO_INTERNAL;
- return ctp->enc->cbc_mac(key, data, num_data, NULL, output);
-}
diff --git a/src/lib/crypto/krb/checksum_confounder.c b/src/lib/crypto/krb/checksum_confounder.c
deleted file mode 100644
index 34941562c..000000000
--- a/src/lib/crypto/krb/checksum_confounder.c
+++ /dev/null
@@ -1,159 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/krb/checksum_confounder.c */
-/*
- * Copyright (C) 2009 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * Confounder checksum implementation, using tokens of the form:
- * enc(xorkey, confounder | hash(confounder | data))
- * where xorkey is the key XOR'd with 0xf0 bytes.
- */
-
-#include "crypto_int.h"
-
-/* Derive a key by XOR with 0xF0 bytes. */
-static krb5_error_code
-mk_xorkey(krb5_key origkey, krb5_key *xorkey)
-{
- krb5_error_code retval = 0;
- unsigned char *xorbytes;
- krb5_keyblock xorkeyblock;
- size_t i = 0;
-
- xorbytes = k5memdup(origkey->keyblock.contents, origkey->keyblock.length,
- &retval);
- if (xorbytes == NULL)
- return retval;
- for (i = 0; i < origkey->keyblock.length; i++)
- xorbytes[i] ^= 0xf0;
-
- /* Do a shallow copy here. */
- xorkeyblock = origkey->keyblock;
- xorkeyblock.contents = xorbytes;
-
- retval = krb5_k_create_key(0, &xorkeyblock, xorkey);
- zapfree(xorbytes, origkey->keyblock.length);
- return retval;
-}
-
-krb5_error_code
-krb5int_confounder_checksum(const struct krb5_cksumtypes *ctp,
- krb5_key key, krb5_keyusage usage,
- const krb5_crypto_iov *data, size_t num_data,
- krb5_data *output)
-{
- krb5_error_code ret;
- krb5_data conf, hashval;
- krb5_key xorkey = NULL;
- krb5_crypto_iov *hash_iov, iov;
- size_t blocksize = ctp->enc->block_size, hashsize = ctp->hash->hashsize;
-
- /* Partition the output buffer into confounder and hash. */
- conf = make_data(output->data, blocksize);
- hashval = make_data(output->data + blocksize, hashsize);
-
- /* Create the confounder. */
- ret = krb5_c_random_make_octets(NULL, &conf);
- if (ret != 0)
- return ret;
-
- ret = mk_xorkey(key, &xorkey);
- if (ret)
- return ret;
-
- /* Hash the confounder, then the input data. */
- hash_iov = k5calloc(num_data + 1, sizeof(krb5_crypto_iov), &ret);
- if (hash_iov == NULL)
- goto cleanup;
- hash_iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
- hash_iov[0].data = conf;
- memcpy(hash_iov + 1, data, num_data * sizeof(krb5_crypto_iov));
- ret = ctp->hash->hash(hash_iov, num_data + 1, &hashval);
- if (ret != 0)
- goto cleanup;
-
- /* Confounder and hash are in output buffer; encrypt them in place. */
- iov.flags = KRB5_CRYPTO_TYPE_DATA;
- iov.data = *output;
- ret = ctp->enc->encrypt(xorkey, NULL, &iov, 1);
-
-cleanup:
- free(hash_iov);
- krb5_k_free_key(NULL, xorkey);
- return ret;
-}
-
-krb5_error_code krb5int_confounder_verify(const struct krb5_cksumtypes *ctp,
- krb5_key key, krb5_keyusage usage,
- const krb5_crypto_iov *data,
- size_t num_data,
- const krb5_data *input,
- krb5_boolean *valid)
-{
- krb5_error_code ret;
- unsigned char *plaintext = NULL;
- krb5_key xorkey = NULL;
- krb5_data computed = empty_data();
- krb5_crypto_iov *hash_iov = NULL, iov;
- size_t blocksize = ctp->enc->block_size, hashsize = ctp->hash->hashsize;
-
- plaintext = k5memdup(input->data, input->length, &ret);
- if (plaintext == NULL)
- return ret;
-
- ret = mk_xorkey(key, &xorkey);
- if (ret != 0)
- goto cleanup;
-
- /* Decrypt the input checksum. */
- iov.flags = KRB5_CRYPTO_TYPE_DATA;
- iov.data = make_data(plaintext, input->length);
- ret = ctp->enc->decrypt(xorkey, NULL, &iov, 1);
- if (ret != 0)
- goto cleanup;
-
- /* Hash the confounder, then the input data. */
- hash_iov = k5calloc(num_data + 1, sizeof(krb5_crypto_iov), &ret);
- if (hash_iov == NULL)
- goto cleanup;
- hash_iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
- hash_iov[0].data = make_data(plaintext, blocksize);
- memcpy(hash_iov + 1, data, num_data * sizeof(krb5_crypto_iov));
- ret = alloc_data(&computed, hashsize);
- if (ret != 0)
- goto cleanup;
- ret = ctp->hash->hash(hash_iov, num_data + 1, &computed);
- if (ret != 0)
- goto cleanup;
-
- /* Compare the decrypted hash to the computed one. */
- *valid = (k5_bcmp(plaintext + blocksize, computed.data, hashsize) == 0);
-
-cleanup:
- zapfree(plaintext, input->length);
- zapfree(computed.data, hashsize);
- free(hash_iov);
- krb5_k_free_key(NULL, xorkey);
- return ret;
-}
diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h
index 1b4324d71..5cc1f8e43 100644
--- a/src/lib/crypto/krb/crypto_int.h
+++ b/src/lib/crypto/krb/crypto_int.h
@@ -299,11 +299,6 @@ krb5_error_code krb5int_unkeyed_checksum(const struct krb5_cksumtypes *ctp,
const krb5_crypto_iov *data,
size_t num_data,
krb5_data *output);
-krb5_error_code krb5int_cbc_checksum(const struct krb5_cksumtypes *ctp,
- krb5_key key, krb5_keyusage usage,
- const krb5_crypto_iov *data,
- size_t num_data,
- krb5_data *output);
krb5_error_code krb5int_hmacmd5_checksum(const struct krb5_cksumtypes *ctp,
krb5_key key, krb5_keyusage usage,
const krb5_crypto_iov *data,
@@ -317,17 +312,6 @@ krb5_error_code krb5int_dk_cmac_checksum(const struct krb5_cksumtypes *ctp,
krb5_key key, krb5_keyusage usage,
const krb5_crypto_iov *data,
size_t num_data, krb5_data *output);
-krb5_error_code krb5int_confounder_checksum(const struct krb5_cksumtypes *ctp,
- krb5_key key, krb5_keyusage usage,
- const krb5_crypto_iov *data,
- size_t num_data,
- krb5_data *output);
-krb5_error_code krb5int_confounder_verify(const struct krb5_cksumtypes *ctp,
- krb5_key key, krb5_keyusage usage,
- const krb5_crypto_iov *data,
- size_t num_data,
- const krb5_data *input,
- krb5_boolean *valid);
krb5_error_code krb5int_etm_checksum(const struct krb5_cksumtypes *ctp,
krb5_key key, krb5_keyusage usage,
const krb5_crypto_iov *data,
diff --git a/src/lib/crypto/krb/deps b/src/lib/crypto/krb/deps
index 2f4af1906..883d12c56 100644
--- a/src/lib/crypto/krb/deps
+++ b/src/lib/crypto/krb/deps
@@ -37,32 +37,6 @@ cf2.so cf2.po $(OUTPRE)cf2.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
$(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
cf2.c crypto_int.h
-checksum_cbc.so checksum_cbc.po $(OUTPRE)checksum_cbc.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h $(srcdir)/../builtin/crypto_mod.h \
- $(srcdir)/../builtin/sha2/sha2.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h checksum_cbc.c \
- crypto_int.h
-checksum_confounder.so checksum_confounder.po $(OUTPRE)checksum_confounder.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h $(srcdir)/../builtin/crypto_mod.h \
- $(srcdir)/../builtin/sha2/sha2.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h checksum_confounder.c \
- crypto_int.h
checksum_dk_cmac.so checksum_dk_cmac.po $(OUTPRE)checksum_dk_cmac.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \

6
krb5.spec
View File

@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.17
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 33%{?dist}
Release: 34%{?dist}
# lookaside-cached sources; two downloads and a build artifact
Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
@ -110,6 +110,7 @@ Patch147: Remove-strerror-calls-from-k5_get_error.patch
Patch148: Remove-PKINIT-draft-9-support.patch
Patch149: Remove-PKINIT-draft-9-ASN.1-code-and-types.patch
Patch150: Remove-3des-support.patch
Patch151: Remove-now-unused-checksum-functions.patch
License: MIT
URL: https://web.mit.edu/kerberos/www/
@ -719,6 +720,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Tue Jul 02 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-34
- Remove now-unused checksum functions
* Wed Jun 26 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-33
- Fix typo in 3des commit