Hi, Sam.

Actually, I'm developping RFC 4430 (KINK) protocol conformance tester
which uses krb5-1.6.3 as the Kerberos engine.
And I'm using kinkd in Racoon2 as the counterpart implementation now.

    * Racoon2 is IKEv1/IKEv2/KINK IPsec daemon developped by The Racoon2
      Project which is one of WGs in WIDE Project in Japan.

        <http://www.racoon2.wide.ad.jp/>

Racoon2 has its own PRF function, and the function expects 16 bytes PRF.

Now, I changed prf_length from 16 bytes to 8 bytes
in krb5_enctypes_list for ENCTYPE_DES3_CBC_SHA1 on my side (MIT Kerberos
implementation).
But I think that MIT Kerberos implementation itself still expects 16
bytes PRF.

I performed following 2 tests under this environment.

    test 1)

        When I use 8 bytes output buffer for generated PRF,
        following validation is not passed.

        <krb5-1.6.3/src/lib/crypto/enc_provider/des3.c: validate_and_schedule()>
        43     if (input->length != output->length)
        44         return(KRB5_BAD_MSIZE);

    test 2)

        When I expect 16 bytes output buffer for generated PRF
        (prf_length is still set 8 bytes),
        following validation is not passed.

        <krb5-1.6.3/src/lib/crypto/prf.c: krb5_c_prf()>
        80     krb5_c_prf_length (context, key->enctype, &len);
        81     if( len != output->length)
        82         return (KRB5_CRYPTO_INTERNAL);

For the reason of above failure,
I found the following code in krb5int_dk_prf() function.

    <krb5-1.6.3/src/lib/crypto/dk/dk_prf.c: krb5int_dk_prf()>
     48   tmp.length = hash->hashsize;
     49   tmp.data = malloc(hash->hashsize);
     50   if (tmp.data == NULL)
     51     return ENOMEM;
     52   hash->hash(1, in, &tmp);
     53   tmp.length = (tmp.length/enc->block_size)*enc->block_size; /*truncate to block size*/

The initial tmp.length (line 48) is 20 bytes under des3-cbc-hmac-sha1-kd.
At the same time, enc->block_size is 8 bytes.
Finally, tmp.length (line 53) will be 16 bytes.

This buffer (tmp) will be passed into enc->encrypt(), that is
k5_des3_encrypt().

That is why I guess that MIT implementation expects 16 bytes PRF.

How do you think?

Regards,


On Tue,  7 Apr 2009 14:47:53 +0000 (UTC)
"Sam Hartman via RT" <rt-comment@krbdev.mit.edu> wrote:

> Based on the discussions on the ietf-krb-wg list, I'd expect the DES3
> PRF output to be 8 bytes not 16.
> What environment do you have where  you would expect 16 bytes.
> 
> _______________________________________________
> krb5-bugs mailing list
> krb5-bugs@mit.edu
> https://mailman.mit.edu/mailman/listinfo/krb5-bugs
> 


-- 
Yukiyo Akisada <akisada@tahi.org>