From krb5-bugs-incoming-bounces@PCH.mit.edu Tue Apr 7 12:09:09 2009
Return-Path: <krb5-bugs-incoming-bounces@PCH.mit.edu>
X-Original-To: krb5-send-pr-nospam1@krbdev.mit.edu
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
by krbdev.mit.edu (Postfix) with ESMTP id 777BBCCF17;
Tue, 7 Apr 2009 12:09:07 +0000 (UTC)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n37C97MU014012;
Tue, 7 Apr 2009 08:09:07 -0400
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU
[18.7.21.83])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n3706jH1031632
for <krb5-bugs-incoming@PCH.mit.edu>; Mon, 6 Apr 2009 20:06:47 -0400
Received: from mit.edu (W92-130-BARRACUDA-3.MIT.EDU [18.7.21.224])
by pacific-carrier-annex.mit.edu (8.13.6/8.9.2) with ESMTP id
n3706Vlx017257
for <krb5-bugs@mit.edu>; Mon, 6 Apr 2009 20:06:32 -0400 (EDT)
Received: from bahamut.akisada.net (localhost [127.0.0.1])
by mit.edu (Spam Firewall) with ESMTP id 9D0A8186F8CD
for <krb5-bugs@mit.edu>; Mon, 6 Apr 2009 20:06:29 -0400 (EDT)
Received: from bahamut.akisada.net (120.145.221.202.bf.2iij.net
[202.221.145.120]) by mit.edu with ESMTP id u9hTNcseauoHPkgq
(version=TLSv1 cipher=AES256-SHA bits=256 verify=NO) for
<krb5-bugs@mit.edu>; Mon, 06 Apr 2009 20:06:28 -0400 (EDT)
Received: from bahamut.akisada.net (localhost [127.0.0.1])
by bahamut.akisada.net (8.14.2/8.14.2) with ESMTP id n3706Opn002159;
Tue, 7 Apr 2009 09:06:24 +0900 (JST) (envelope-from akisada@tahi.org)
Received: (from akisada@localhost)
by bahamut.akisada.net (8.14.2/8.14.2/Submit) id n3706OGw002158;
Tue, 7 Apr 2009 09:06:24 +0900 (JST) (envelope-from akisada@tahi.org)
Date: Tue, 7 Apr 2009 09:06:24 +0900 (JST)
Message-Id: <200904070006.n3706OGw002158@bahamut.akisada.net>
X-Authentication-Warning: bahamut.akisada.net: akisada set sender to
akisada@tahi.org using -f
To: krb5-bugs@mit.edu
Subject: PRF for des3-cbc-hmac-sha1-kd
From: Yukiyo <akisada@tahi.org>
X-send-pr-version: 3.99
X-Spam-Score: 0.22
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
X-Mailman-Approved-At: Tue, 07 Apr 2009 08:09:03 -0400
Cc: akisada@tahi.org
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: akisada@tahi.org
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu
>Submitter-Id: net
>Originator: Yukiyo Akisada
>Organization:
TAHI Project
>Confidential: no
>Synopsis: PRF doesn't work under des3-cbc-hmac-sha1-kd
>Severity: serious
>Priority: medium
>Category: krb5-libs
>Class: sw-bug
>Release: 1.6.3
>Environment:
Panasonic Let's Note CF-R7, FreeBSD 7.0-RELEASE-p6, Kerberos client, p5-Authen-Krb5-1.8/krb5-1.6.3_5 (installed from FreeBSD ports system)
System: FreeBSD bahamut.akisada.net 7.0-RELEASE-p6 FreeBSD 7.0-RELEASE-p6 #0: Tue Dec 9 16:22:14 JST 2008 akisada@bahamut.akisada.net:/usr/obj/usr/src/sys/TAHI i386
>Description:
Hi, all.
I may misunderstand RFC 3961,
but in my understanding, des3-cbc-hmac-sha1-kd (etype=16) uses
PRF on Simplified Profile as its pseudo-random function.
Now, I want to use the PRF function
from the Krb5-1.8 perl module, which is based on the MIT krb5-1.6.3 implementation.
Krb5: <http://search.cpan.org/dist/Krb5/>
But the PRF function for ENCTYPE_DES3_CBC_SHA1 has not been
defined in <krb5-1.6.3/src/lib/crypto/etypes.c>.
Indeed,
I need some modification to Krb5-1.8 to export the prf function from krb5-1.6.3,
but I also need the following modification to krb5-1.6.3.
At this moment,
the following modification (described in the Fix: section) matches my expected behavior,
but I'm not sure whether this modification against krb5-1.6.3 is correct or not.
Please investigate this.
Thanks,
>How-To-Repeat:
just by calling krb5_c_prf() function under des3-cbc-hmac-sha1-kd
>Fix:
--- krb5-1.6.3/src/lib/crypto/etypes.c.orig 2009-04-01 17:02:56.000000000 +0900
+++ krb5-1.6.3/src/lib/crypto/etypes.c 2009-04-01 14:42:01.000000000 +0900
@@ -94,26 +94,26 @@
{ ENCTYPE_DES3_CBC_SHA1,
"des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
- 8,
+ 16,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
krb5int_dk_string_to_key,
- NULL, /*PRF*/
+ krb5int_dk_prf, /*PRF*/
CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES3_CBC_SHA1, /* alias */
"des3-hmac-sha1", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
- 8,
+ 16,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
krb5int_dk_string_to_key,
- NULL, /*PRF*/
+ krb5int_dk_prf, /*PRF*/
CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES3_CBC_SHA1, /* alias */
"des3-cbc-sha1-kd", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
- 8,
+ 16,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
krb5int_dk_string_to_key,
- NULL, /*PRF*/
+ krb5int_dk_prf, /*PRF*/
CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES_HMAC_SHA1,
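Review bot: the `8` to `16` change on the line after `&krb5int_enc_des3, &krb5int_hash_sha1,` is unlabeled in all three ENCTYPE_DES3_CBC_SHA1 entries, while the pointer below it carries `/*PRF*/`. The two values have to change together, so add a matching comment (for example `16, /*PRF output length*/`, assuming that is what the field holds) so the coupling is visible in the table and the three alias entries are less likely to drift apart. The submitter states the change is unverified, so it should come with a regression test that calls krb5_c_prf() for etype 16 and compares the output, including its length, against a value computed independently from the RFC 3961 simplified-profile definition. It is also worth confirming that krb5int_dk_prf makes no block-size assumption that holds for its existing callers but not for krb5int_enc_des3; nothing in this hunk shows that either way.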