feat(picky-krb): implement Kerberos encryption without a checksum #342

Merged: 2 commits, Feb 4, 2025

TheBestTvarynka
Collaborator

Hi,
I added the possibility of Kerberos encryption but without a checksum. We need this functionality to support SECBUFFER_READONLY and SECBUFFER_READONLY_WITH_CHECKSUM flags for security buffers in sspi-rs. Related to: Devolutions/sspi-rs#120

Additionally, I reviewed the crypto module in picky-krb. It seems like Kerberos encryption algorithms were implemented a long time ago. We can refactor it by using cts and aes crates and get rid of the custom cts mode implementation. Let's create an issue for the future.

Docs & reference:

…out mandatory checksum verification

Made the hmac_sha1 function available outside the crate so it can be used to manually generate a checksum outside the crate

feat(picky-krb): made a few AES-related constants public to use them in the sspi-rs

refactor(picky-krb): fixed issues found during the code review

Replaced multiple vecs with a single struct. Fixed unit tests that were affected by this change

Removed version bump

refactor(picky-krb): minor changes

refactor(picky-krb): changed result struct's name

refactor(picky-krb): removed code duplication

refactor(picky-krb): changed back visibility of the common module

fix: reverted a version change

feature(picky-krb): added a possibility to get the checksum type from a Cipher
Member

@CBenoit CBenoit left a comment

Nice! LGTM.

Additionally, I reviewed the crypto module in picky-krb. It seems like Kerberos encryption algorithms were implemented a long time ago. We can refactor it by using cts and a

Good catch. Refactoring out this code is much welcomed! 👍

@CBenoit CBenoit merged commit 90eab01 into master Feb 4, 2025
11 checks passed
@CBenoit CBenoit deleted the feat/picky-krb-encrypt-no-checksum branch February 4, 2025 18:25