
Add NSS as a crypto provider.

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8-nss@24212 dc483132-0cff-0310-8789-dd5450dbe970
commit 2d798bc1868471fca196e8ab193f2ee5d61bbe8f 1 parent 4a8302a
relyea authored
Showing with 3,664 additions and 1 deletion.
  1. +22 −0 src/configure.in
  2. +1 −1  src/lib/crypto/Makefile.in
  3. +81 −0 src/lib/crypto/crypto_tests/t_encrypt.c
  4. +134 −0 src/lib/crypto/nss/Makefile.in
  5. +40 −0 src/lib/crypto/nss/aes/Makefile.in
  6. +1 −0  src/lib/crypto/nss/aes/deps
  7. +25 −0 src/lib/crypto/nss/deps
  8. +49 −0 src/lib/crypto/nss/des/Makefile.in
  9. +47 −0 src/lib/crypto/nss/des/deps
  10. +188 −0 src/lib/crypto/nss/des/des_int.h
  11. +55 −0 src/lib/crypto/nss/des/des_oldapis.c
  12. +56 −0 src/lib/crypto/nss/des/f_parity.c
  13. +85 −0 src/lib/crypto/nss/des/string2key.c
  14. +83 −0 src/lib/crypto/nss/des/weak_key.c
  15. +51 −0 src/lib/crypto/nss/enc_provider/Makefile.in
  16. +101 −0 src/lib/crypto/nss/enc_provider/aes.c
  17. 0  src/lib/crypto/nss/enc_provider/deps
  18. +100 −0 src/lib/crypto/nss/enc_provider/des.c
  19. +100 −0 src/lib/crypto/nss/enc_provider/des3.c
  20. +654 −0 src/lib/crypto/nss/enc_provider/enc_gen.c
  21. +35 −0 src/lib/crypto/nss/enc_provider/enc_provider.h
  22. +109 −0 src/lib/crypto/nss/enc_provider/rc4.c
  23. +46 −0 src/lib/crypto/nss/hash_provider/Makefile.in
  24. +52 −0 src/lib/crypto/nss/hash_provider/deps
  25. +58 −0 src/lib/crypto/nss/hash_provider/hash_crc32.c
  26. +64 −0 src/lib/crypto/nss/hash_provider/hash_gen.c
  27. +33 −0 src/lib/crypto/nss/hash_provider/hash_gen.h
  28. +63 −0 src/lib/crypto/nss/hash_provider/hash_md4.c
  29. +43 −0 src/lib/crypto/nss/hash_provider/hash_md5.c
  30. +32 −0 src/lib/crypto/nss/hash_provider/hash_provider.h
  31. +43 −0 src/lib/crypto/nss/hash_provider/hash_sha1.c
  32. +193 −0 src/lib/crypto/nss/hmac.c
  33. +3 −0  src/lib/crypto/nss/md4/ISSUES
  34. +37 −0 src/lib/crypto/nss/md4/Makefile.in
  35. +13 −0 src/lib/crypto/nss/md4/deps
  36. +247 −0 src/lib/crypto/nss/md4/md4.c
  37. +95 −0 src/lib/crypto/nss/md4/rsa-md4.h
  38. +37 −0 src/lib/crypto/nss/md5/Makefile.in
  39. +14 −0 src/lib/crypto/nss/md5/deps
  40. +81 −0 src/lib/crypto/nss/md5/md5.c
  41. +88 −0 src/lib/crypto/nss/md5/rsa-md5.h
  42. +97 −0 src/lib/crypto/nss/nss_gen.h
  43. +117 −0 src/lib/crypto/nss/pbkdf2.c
  44. +32 −0 src/lib/crypto/nss/sha1/Makefile.in
  45. +14 −0 src/lib/crypto/nss/sha1/deps
  46. +71 −0 src/lib/crypto/nss/sha1/shs.c
  47. +45 −0 src/lib/crypto/nss/sha1/shs.h
  48. +29 −0 src/lib/crypto/nss/yhash.h
22 src/configure.in
@@ -125,6 +125,28 @@ AC_MSG_RESULT("k5crypto will use \'$withval\'")
], withval=builtin)
AC_CONFIG_COMMANDS(CRYPTO_IMPL, , CRYPTO_IMPL=$CRYPTO_IMPL)
AC_SUBST(CRYPTO_IMPL)
+#PKG_CHECK_MODULES(CRYPTO_IMPL, $CRYPTO_IMPL, [ withval != builtin ], )
+case "$withval" in
+openssl)
+ AC_CHECK_LIB(crypto, PKCS7_get_signer_info)
+ CRYPTO_IMPL_LIBS=
+ CRYPTO_IMPL_CFLAGS=
+ ;;
+builtin)
+ CRYPTO_IMPL_LIBS=
+ CRYPTO_IMPL_CFLAGS=
+ ;;
+nss)
+ CRYPTO_IMPL_CFLAGS=`pkg-config --cflags $CRYPTO_IMPL`
+ CRYPTO_IMPL_LIBS="-lnss3 $(pkg-config --libs nss-util)"
+ ;;
+*)
+ CRYPTO_IMPL_CFLAGS=`pkg-config --cflags $CRYPTO_IMPL`
+ CRYPTO_IMPL_LIBS=`pkg-config --libs $CRYPTO_IMPL`
+ ;;
+esac
+AC_SUBST(CRYPTO_IMPL_CFLAGS)
+AC_SUBST(CRYPTO_IMPL_LIBS)
# --with-kdc-kdb-update makes the KDC update the database with last request
# information and failure information.
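Review bot: The `nss)` and `*)` branches use whatever `pkg-config` prints without checking that it succeeded, so a missing pkg-config or an uninstalled module leaves `CRYPTO_IMPL_CFLAGS` and `CRYPTO_IMPL_LIBS` empty and the problem only shows up later as compile or link errors. A guard ahead of the assignments, such as `pkg-config --exists "$CRYPTO_IMPL" || AC_MSG_ERROR([pkg-config cannot find $CRYPTO_IMPL])`, would stop configure at the right place. The `nss)` branch also mixes sources: cflags come from `$CRYPTO_IMPL` while libs come from `nss-util` plus a hard-coded `-lnss3`, so the link line can drift from the installed NSS. Taking both from the same module would avoid that. The commented-out `PKG_CHECK_MODULES` line should either be made to work or be dropped.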
2  src/lib/crypto/Makefile.in
@@ -38,7 +38,7 @@ SUBDIROBJLISTS=krb/crc32/OBJS.ST krb/dk/OBJS.ST @CRYPTO_IMPL@/enc_provider/OBJS.
# link editor and loader support it.
DEPLIBS=
SHLIB_DIRS=-L$(TOPLIBD)
-SHLIB_EXPLIBS= $(SUPPORT_LIB) @CRYPTO_LIBS@ $(LIBS)
+SHLIB_EXPLIBS= $(SUPPORT_LIB) @CRYPTO_LIBS@ @CRYPTO_IMPL_LIBS@ $(LIBS)
SHLIB_EXPDEPLIBS= $(SUPPORT_DEPLIB)
SHLIB_LDFLAGS= $(LDFLAGS) @SHLIB_RPATH_DIRS@
SHLIB_LIBDIRS= @SHLIB_LIBDIRS@
81 src/lib/crypto/crypto_tests/t_encrypt.c
@@ -75,6 +75,79 @@ static int compare_results(krb5_data *d1, krb5_data *d2)
return 0;
}
+
+static void dump_data(const char *label, const krb5_data *d)
+{
+ int need_terminate = 0;
+ unsigned int i;
+
+ /* magic */
+ if (label) printf("------------- %s ------------\n",label);
+ for (i=0; i < d->length; i++) {
+ need_terminate = 1;
+ printf(" %02x",(unsigned char )d->data[i]);
+ if ((i & 0xf) == 0xf) {
+ printf("\n");
+ need_terminate = 0;
+ }
+ }
+ if (need_terminate) printf("\n");
+ printf("-------------------------------\n");
+}
+
+
+static void dump_encdata(const char *label, const krb5_enc_data *encData)
+{
+ /* magic, enctype, kvno */
+ dump_data(label, &encData->ciphertext);
+}
+
+static void dump_keyblock(const char *label, const krb5_keyblock *keyblock)
+{
+ krb5_data d;
+ /* magic, enctype */
+ d.data = (char *)keyblock->contents;
+ d.length = keyblock->length;
+ dump_data(label, &d);
+}
+
+
+static char *iov_flag_string(krb5_cryptotype flag)
+{
+ switch (flag) {
+ case KRB5_CRYPTO_TYPE_EMPTY:
+ return "KRB5_CRYPTO_TYPE_EMPTY";
+ case KRB5_CRYPTO_TYPE_HEADER:
+ return "KRB5_CRYPTO_TYPE_HEADER";
+ case KRB5_CRYPTO_TYPE_DATA:
+ return "KRB5_CRYPTO_TYPE_DATA";
+ case KRB5_CRYPTO_TYPE_SIGN_ONLY:
+ return "KRB5_CRYPTO_TYPE_SIGN_ONLY";
+ case KRB5_CRYPTO_TYPE_PADDING:
+ return "KRB5_CRYPTO_TYPE_PADDING";
+ case KRB5_CRYPTO_TYPE_TRAILER:
+ return "KRB5_CRYPTO_TYPE_TRAILER";
+ case KRB5_CRYPTO_TYPE_CHECKSUM:
+ return "KRB5_CRYPTO_TYPE_CHECKSUM";
+ case KRB5_CRYPTO_TYPE_STREAM:
+ return "KRB5_CRYPTO_TYPE_STREAM";
+ default:
+ break;
+ }
+ return "Unknown!!";
+}
+
+static void dump_iov(const char *label, const krb5_crypto_iov *iov, int count)
+{
+ int i;
+ if(label) printf("************* %s ************\n",label);
+ printf(" %d elements\n", count);
+ for (i=0; i < count; i++) {
+ dump_data(iov_flag_string(iov[i].flags), &iov[i].data);
+ }
+}
+
+
int
main ()
{
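Review bot: `dump_keyblock`, `dump_encdata` and `dump_iov` are called unconditionally from `main` in the later hunks of this file, so every test run prints the raw key bytes and all ciphertext to stdout. Gating the calls on a verbose flag or an environment variable would keep normal test output readable and avoid a key-dumping pattern that tends to get copied into non-test code. `iov_flag_string` hands out string literals through a non-const pointer; `static const char *iov_flag_string(krb5_cryptotype flag)` is the safer signature. The `/* magic */` and `/* magic, enctype, kvno */` comments name fields that are never printed, so either print them or replace the comments with `/* only the payload bytes are dumped */`. `main` continues outside this hunk.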
@@ -121,6 +194,7 @@ main ()
krb5_init_keyblock (context, enctype, 0, &keyblock));
test ("Generating random keyblock",
krb5_c_make_random_key (context, enctype, keyblock));
+ dump_keyblock("Keyblock", keyblock);
test ("Creating opaque key from keyblock",
krb5_k_create_key (context, keyblock, &key));
@@ -134,6 +208,7 @@ main ()
/* Encrypt, decrypt, and see if we got the plaintext back again. */
test ("Encrypting (c)",
krb5_c_encrypt (context, keyblock, 7, 0, &in, &enc_out));
+ dump_encdata("Encrypt_c out", &enc_out);
test ("Decrypting",
krb5_c_decrypt (context, keyblock, 7, 0, &enc_out, &check));
test ("Comparing", compare_results (&in, &check));
@@ -142,6 +217,7 @@ main ()
memset(out.data, 0, out.length);
test ("Encrypting (k)",
krb5_k_encrypt (context, key, 7, 0, &in, &enc_out));
+ dump_encdata("Encrypt_k out", &enc_out);
test ("Decrypting",
krb5_k_decrypt (context, key, 7, 0, &enc_out, &check));
test ("Comparing", compare_results (&in, &check));
@@ -196,6 +272,7 @@ main ()
/* Encrypt and decrypt in place, and check the result. */
test("iov encrypting (c)",
krb5_c_encrypt_iov(context, keyblock, 7, 0, iov, 5));
+ dump_iov("Encrypt_c iov", iov, 5);
assert(iov[1].data.length == in.length);
test("iov decrypting",
krb5_c_decrypt_iov(context, keyblock, 7, 0, iov, 5));
@@ -206,6 +283,7 @@ main ()
test("iov encrypting (k)",
krb5_k_encrypt_iov(context, key, 7, 0, iov, 5));
assert(iov[1].data.length == in.length);
+ dump_iov("Encrypt_k iov", iov, 5);
test("iov decrypting",
krb5_k_decrypt_iov(context, key, 7, 0, iov, 5));
test("Comparing results",
@@ -219,8 +297,10 @@ main ()
krb5_c_init_state (context, keyblock, 7, &state));
test ("Encrypting with state",
krb5_c_encrypt (context, keyblock, 7, &state, &in, &enc_out));
+ dump_encdata("Encrypt_c state", &enc_out);
test ("Encrypting again with state",
krb5_c_encrypt (context, keyblock, 7, &state, &in2, &enc_out2));
+ dump_encdata("Encrypt_c state2", &enc_out2);
test ("free_state",
krb5_c_free_state (context, keyblock, &state));
test ("init_state",
@@ -251,6 +331,7 @@ main ()
check.length = 2048;
test ("Encrypting with RC4 key usage 8",
krb5_c_encrypt (context, keyblock, 8, 0, &in, &enc_out));
+ dump_encdata("Encrypt rc4 fallback", &enc_out);
test ("Decrypting with RC4 key usage 9",
krb5_c_decrypt (context, keyblock, 9, 0, &enc_out, &check));
test ("Comparing", compare_results (&in, &check));
134 src/lib/crypto/nss/Makefile.in
@@ -0,0 +1,134 @@
+mydir=lib/crypto/nss
+BUILDTOP=$(REL)..$(S)..$(S)..
+SUBDIRS=des aes md4 md5 sha1 enc_provider hash_provider
+LOCALINCLUDES = -I$(srcdir)/../krb \
+ -I$(srcdir)/../krb/hash_provider \
+ -I$(srcdir)/des \
+ -I$(srcdir)/aes \
+ -I$(srcdir)/sha1 \
+ -I$(srcdir)/md4 \
+ -I$(srcdir)/md5 \
+ -I$(srcdir)/enc_provider \
+ -I$(srcdir)/hash_provider \
+ @CRYPTO_IMPL_CFLAGS@
+
+PROG_LIBPATH=-L$(TOPLIBD)
+PROG_RPATH=$(KRB5_LIBDIR)
+DEFS=
+
+##DOSBUILDTOP = ..\..\..
+##DOSLIBNAME=$(OUTPRE)crypto.lib
+##DOSOBJFILE=$(OUTPRE)crypto.lst
+##DOSOBJFILELIST=@$(OUTPRE)crypto.lst @$(OUTPRE)des.lst @$(OUTPRE)md4.lst @$(OUTPRE)md5.lst @$(OUTPRE)sha1.lst @$(OUTPRE)crc32.lst @$(OUTPRE)dk.lst @$(OUTPRE)old.lst @$(OUTPRE)raw.lst @$(OUTPRE)enc_prov.lst @$(OUTPRE)hash_pro.lst @$(OUTPRE)kh_pro.lst @$(OUTPRE)yarrow.lst @$(OUTPRE)aes.lst
+##DOSOBJFILEDEP =$(OUTPRE)crypto.lst $(OUTPRE)des.lst $(OUTPRE)md4.lst $(OUTPRE)md5.lst $(OUTPRE)sha1.lst $(OUTPRE)crc32.lst $(OUTPRE)dk.lst $(OUTPRE)old.lst $(OUTPRE)raw.lst $(OUTPRE)enc_prov.lst $(OUTPRE)hash_pro.lst $(OUTPRE)kh_pro.lst $(OUTPRE)aes.lst
+
+STLIBOBJS=\
+ hmac.o \
+ pbkdf2.o
+
+OBJS=\
+ $(OUTPRE)hmac.$(OBJEXT) \
+ $(OUTPRE)pbkdf2.$(OBJEXT)
+
+SRCS=\
+ $(srcdir)/hmac.c \
+ $(srcdir)/pbkdf2.c
+
+STOBJLISTS= des/OBJS.ST md4/OBJS.ST \
+ md5/OBJS.ST sha1/OBJS.ST \
+ enc_provider/OBJS.ST \
+ hash_provider/OBJS.ST \
+ aes/OBJS.ST \
+ OBJS.ST
+
+SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \
+ md5/OBJS.ST sha1/OBJS.ST \
+ enc_provider/OBJS.ST \
+ hash_provider/OBJS.ST \
+ aes/OBJS.ST
+
+##DOS##LIBOBJS = $(OBJS)
+
+all-unix:: all-libobjs
+includes:: depend
+
+depend:: $(SRCS)
+
+clean-unix:: clean-libobjs
+
+all-windows::
+ cd ..\des
+ @echo Making in crypto\des
+ $(MAKE) -$(MFLAGS)
+ cd ..\md4
+ @echo Making in crypto\md4
+ $(MAKE) -$(MFLAGS)
+ cd ..\md5
+ @echo Making in crypto\md5
+ $(MAKE) -$(MFLAGS)
+ cd ..\sha1
+ @echo Making in crypto\sha1
+ $(MAKE) -$(MFLAGS)
+ cd ..\hash_provider
+ @echo Making in crypto\hash_provider
+ $(MAKE) -$(MFLAGS)
+ cd ..\enc_provider
+ @echo Making in crypto\enc_provider
+ $(MAKE) -$(MFLAGS)
+ cd ..\aes
+ @echo Making in crypto\aes
+ $(MAKE) -$(MFLAGS)
+ cd ..
+
+clean-windows::
+ cd ..\des
+ @echo Making clean in crypto\des
+ $(MAKE) -$(MFLAGS) clean
+ cd ..\md4
+ @echo Making clean in crypto\md4
+ $(MAKE) -$(MFLAGS) clean
+ cd ..\md5
+ @echo Making clean in crypto\md5
+ $(MAKE) -$(MFLAGS) clean
+ cd ..\sha1
+ @echo Making clean in crypto\sha1
+ $(MAKE) -$(MFLAGS) clean
+ cd ..\hash_provider
+ @echo Making clean in crypto\hash_provider
+ $(MAKE) -$(MFLAGS) clean
+ cd ..\enc_provider
+ @echo Making clean in crypto\enc_provider
+ $(MAKE) -$(MFLAGS) clean
+ cd ..\aes
+ @echo Making clean in crypto\aes
+ $(MAKE) -$(MFLAGS) clean
+ cd ..
+
+check-windows::
+ cd ..\des
+ @echo Making check in crypto\des
+ $(MAKE) -$(MFLAGS) check
+ cd ..\md4
+ @echo Making check in crypto\md4
+ $(MAKE) -$(MFLAGS) check
+ cd ..\md5
+ @echo Making check in crypto\md5
+ $(MAKE) -$(MFLAGS) check
+ cd ..\sha1
+ @echo Making check in crypto\sha1
+ $(MAKE) -$(MFLAGS) check
+ cd ..\hash_provider
+ @echo Making check in crypto\hash_provider
+ $(MAKE) -$(MFLAGS) check
+ cd ..\enc_provider
+ @echo Making check in crypto\enc_provider
+ $(MAKE) -$(MFLAGS) check
+ cd ..\aes
+ @echo Making check in crypto\aes
+ $(MAKE) -$(MFLAGS) check
+ cd ..
+
+
+@lib_frag@
+@libobj_frag@
+
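Review bot: The `all-windows`, `clean-windows` and `check-windows` recipes each begin with `cd ..\des`, which from `lib/crypto/nss` appears to step out to a sibling of `nss` rather than into `nss\des`. Their echo lines also still say `crypto\des`. The first step probably wants `cd des`, with the messages changed to `crypto\nss\des` and so on. The `##DOS` object lists likewise still name `crc32`, `dk`, `old`, `raw` and `yarrow`, none of which is in this directory's `SUBDIRS`.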
40 src/lib/crypto/nss/aes/Makefile.in
@@ -0,0 +1,40 @@
+# Nothing here! But we can't remove this directory as the build
+# system currently assumes that all modules have the same directory
+# structure.
+
+mydir=lib/crypto/nss/aes
+BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
+LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../../krb/dk -I$(srcdir)/../../../../include
+DEFS=
+
+##DOS##BUILDTOP = ..\..\..\..
+##DOS##PREFIXDIR=aes
+##DOS##OBJFILE=..\$(OUTPRE)aes.lst
+
+PROG_LIBPATH=-L$(TOPLIBD)
+PROG_RPATH=$(KRB5_LIBDIR)
+
+STLIBOBJS=
+
+OBJS=
+
+SRCS=
+
+
+##DOS##LIBOBJS = $(OBJS)
+
+all-unix:: all-libobjs
+
+includes:: depend
+
+depend:: $(SRCS)
+
+check::
+
+
+clean-unix:: clean-libobjs
+
+clean::
+
+@libobj_frag@
+
1  src/lib/crypto/nss/aes/deps
@@ -0,0 +1 @@
+# No dependencies here.
25 src/lib/crypto/nss/deps
@@ -0,0 +1,25 @@
+#
+# Generated makefile dependencies follow.
+#
+hmac.so hmac.po $(OUTPRE)hmac.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
+ $(top_srcdir)/include/socket-utils.h $(srcdir)/hmac.c \
+ $(srcdir)/../krb/aead.h $(srcdir)/../krb/cksumtypes.h
+pbkdf2.so pbkdf2.po $(OUTPRE)pbkdf2.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
+ $(top_srcdir)/include/socket-utils.h $(srcdir)/hash_provider/hash_provider.h \
+ $(srcdir)/pbkdf2.c
49 src/lib/crypto/nss/des/Makefile.in
@@ -0,0 +1,49 @@
+mydir=lib/crypto/nss/des
+BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
+LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../.. -I$(srcdir)/../../krb @CRYPTO_IMPL_CFLAGS@
+
+DEFS=
+
+##DOS##BUILDTOP = ..\..\..\..
+##DOS##PREFIXDIR=des
+##DOS##OBJFILE=..\$(OUTPRE)des.lst
+
+RUN_SETUP = @KRB5_RUN_ENV@
+PROG_LIBPATH=-L$(TOPLIBD)
+PROG_RPATH=$(KRB5_LIBDIR)
+
+
+STLIBOBJS= des_oldapis.o \
+ f_parity.o \
+ string2key.o \
+ weak_key.o
+
+OBJS= $(OUTPRE)f_parity.$(OBJEXT) \
+ $(OUTPRE)des_oldapis.$(OBJEXT) \
+ $(OUTPRE)string2key.$(OBJEXT) \
+ $(OUTPRE)weak_key.$(OBJEXT)
+
+SRCS= $(srcdir)/f_parity.c \
+ $(srcdir)/des_oldapis.c \
+ $(srcdir)/weak_key.c \
+ $(srcdir)/string2key.c
+
+
+##DOS##LIBOBJS = $(OBJS)
+
+all-unix:: all-libobjs
+
+check-unix::
+
+includes:: depend
+
+depend:: $(SRCS)
+
+check-windows::
+
+clean::
+
+clean-unix:: clean-libobjs
+
+@libobj_frag@
+
47 src/lib/crypto/nss/des/deps
@@ -0,0 +1,47 @@
+#
+# Generated makefile dependencies follow.
+#
+f_parity.so f_parity.po $(OUTPRE)f_parity.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ $(srcdir)/des_int.h $(srcdir)/f_parity.c
+des_oldapis.so des_oldapis.po $(OUTPRE)des_oldapis.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
+ $(top_srcdir)/include/socket-utils.h $(srcdir)/des_int.h \
+ $(srcdir)/des_oldapis.c
+weak_key.so weak_key.po $(OUTPRE)weak_key.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ $(srcdir)/des_int.h $(srcdir)/weak_key.c
+string2key.so string2key.po $(OUTPRE)string2key.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ $(srcdir)/des_int.h $(srcdir)/string2key.c
188 src/lib/crypto/nss/des/des_int.h
@@ -0,0 +1,188 @@
+/*
+ * lib/crypto/des/des_int.h
+ *
+ * Copyright 1987, 1988, 1990, 2002, 2009 by the Massachusetts Institute of
+ * Technology. All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * Private include file for the Data Encryption Standard library.
+ */
+
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+/* only do the whole thing once */
+#ifndef DES_INTERNAL_DEFS
+#define DES_INTERNAL_DEFS
+
+#include "k5-int.h"
+/*
+ * Begin "mit-des.h"
+ */
+#ifndef KRB5_MIT_DES__
+#define KRB5_MIT_DES__
+
+#if defined(__MACH__) && defined(__APPLE__)
+#include <TargetConditionals.h>
+#include <AvailabilityMacros.h>
+#if TARGET_RT_MAC_CFM
+#error "Use KfM 4.0 SDK headers for CFM compilation."
+#endif
+#if defined(DEPRECATED_IN_MAC_OS_X_VERSION_10_5) && !defined(KRB5_SUPRESS_DEPRECATED_WARNINGS)
+#define KRB5INT_DES_DEPRECATED DEPRECATED_IN_MAC_OS_X_VERSION_10_5
+#endif
+#endif /* defined(__MACH__) && defined(__APPLE__) */
+
+/* Macro to add deprecated attribute to DES types and functions */
+/* Currently only defined on Mac OS X 10.5 and later. */
+#ifndef KRB5INT_DES_DEPRECATED
+#define KRB5INT_DES_DEPRECATED
+#endif
+
+#include <limits.h>
+
+#if UINT_MAX >= 0xFFFFFFFFUL
+#define DES_INT32 int
+#define DES_UINT32 unsigned int
+#else
+#define DES_INT32 long
+#define DES_UINT32 unsigned long
+#endif
+
+typedef unsigned char des_cblock[8] /* crypto-block size */
+KRB5INT_DES_DEPRECATED;
+
+/*
+ * Key schedule.
+ *
+ * This used to be
+ *
+ * typedef struct des_ks_struct {
+ * union { DES_INT32 pad; des_cblock _;} __;
+ * } des_key_schedule[16];
+ *
+ * but it would cause trouble if DES_INT32 were ever more than 4
+ * bytes. The reason is that all the encryption functions cast it to
+ * (DES_INT32 *), and treat it as if it were DES_INT32[32]. If
+ * 2*sizeof(DES_INT32) is ever more than sizeof(des_cblock), the
+ * caller-allocated des_key_schedule will be overflowed by the key
+ * scheduling functions. We can't assume that every platform will
+ * have an exact 32-bit int, and nothing should be looking inside a
+ * des_key_schedule anyway.
+ */
+typedef struct des_ks_struct { DES_INT32 _[2]; } des_key_schedule[16]
+KRB5INT_DES_DEPRECATED;
+
+typedef des_cblock mit_des_cblock;
+typedef des_key_schedule mit_des_key_schedule;
+
+/* Triple-DES structures */
+typedef mit_des_cblock mit_des3_cblock[3];
+typedef mit_des_key_schedule mit_des3_key_schedule[3];
+
+#define MIT_DES_ENCRYPT 1
+#define MIT_DES_DECRYPT 0
+
+typedef struct mit_des_ran_key_seed {
+ krb5_encrypt_block eblock;
+ krb5_data sequence;
+} mit_des_random_state;
+
+/* the first byte of the key is already in the keyblock */
+
+#define MIT_DES_BLOCK_LENGTH (8*sizeof(krb5_octet))
+#define MIT_DES_CBC_CRC_PAD_MINIMUM CRC32_CKSUM_LENGTH
+/* This used to be 8*sizeof(krb5_octet) */
+#define MIT_DES_KEYSIZE 8
+
+#define MIT_DES_CBC_CKSUM_LENGTH (4*sizeof(krb5_octet))
+
+/*
+ * Check if k5-int.h has been included before us. If so, then check to see
+ * that our view of the DES key size is the same as k5-int.h's.
+ */
+#ifdef KRB5_MIT_DES_KEYSIZE
+#if MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE
+error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE)
+#endif /* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */
+#endif /* KRB5_MIT_DES_KEYSIZE */
+#endif /* KRB5_MIT_DES__ */
+/*
+ * End "mit-des.h"
+ */
+
+#define mit_des_zeroblock krb5int_c_mit_des_zeroblock
+extern const mit_des_cblock mit_des_zeroblock;
+
+/* key_parity.c */
+extern void mit_des_fixup_key_parity (mit_des_cblock );
+extern int mit_des_check_key_parity (mit_des_cblock );
+
+/* string2key.c */
+extern krb5_error_code mit_des_string_to_key
+ ( const krb5_encrypt_block *,
+ krb5_keyblock *, const krb5_data *, const krb5_data *);
+extern krb5_error_code mit_des_string_to_key_int
+ (krb5_keyblock *, const krb5_data *, const krb5_data *);
+
+/* weak_key.c */
+extern int mit_des_is_weak_key (mit_des_cblock );
+
+/* misc.c */
+extern void swap_bits (char *);
+extern unsigned long long_swap_bits (unsigned long );
+extern unsigned long swap_six_bits_to_ansi (unsigned long );
+extern unsigned long swap_four_bits_to_ansi (unsigned long );
+extern unsigned long swap_bit_pos_1 (unsigned long );
+extern unsigned long swap_bit_pos_0 (unsigned long );
+extern unsigned long swap_bit_pos_0_to_ansi (unsigned long );
+extern unsigned long rev_swap_bit_pos_0 (unsigned long );
+extern unsigned long swap_byte_bits (unsigned long );
+extern unsigned long swap_long_bytes_bit_number (unsigned long );
+#ifdef FILE
+/* XXX depends on FILE being a #define! */
+extern void test_set (FILE *, const char *, int, const char *, int);
+#endif
+#endif /*DES_INTERNAL_DEFS*/
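Review bot: The key-size consistency check ends in a bare `error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE)`, which is not a preprocessor directive, so a mismatch would surface as an obscure syntax error. `#error "MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE"` states the intent. The header still names `lib/crypto/des/des_int.h` and `key_parity.c`, and it declares the `misc.c` helpers (`swap_bits` and the rest), while this commit's file list for `nss/des` shows only `des_oldapis.c`, `f_parity.c`, `string2key.c` and `weak_key.c`. Trimming the stale declarations would keep the header from advertising functions this provider apparently does not define. `mit_des_cbc_cksum` and `mit_des_key_sched`, which `des_oldapis.c` defines, are not declared here, so unless `k5-int.h` supplies the prototypes they are defined with none in scope.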
55 src/lib/crypto/nss/des/des_oldapis.c
@@ -0,0 +1,55 @@
+/*
+ * lib/crypto/openssl/des/des_oldapis.c
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ */
+
+#include "k5-int.h"
+#include "des_int.h"
+#include <ctype.h>
+
+const mit_des_cblock mit_des_zeroblock /* = all zero */;
+
+unsigned long
+mit_des_cbc_cksum(const krb5_octet *in, krb5_octet *out,
+ unsigned long length, const mit_des_key_schedule schedule,
+ const krb5_octet *ivec)
+{
+ /* Unsupported operation */
+ return KRB5_CRYPTO_INTERNAL;
+}
+
+krb5_error_code
+mit_afs_string_to_key (krb5_keyblock *keyblock, const krb5_data *data,
+ const krb5_data *salt)
+{
+ return KRB5_CRYPTO_INTERNAL;
+}
+
+int
+mit_des_key_sched(mit_des_cblock k, mit_des_key_schedule schedule)
+{
+ /* Unsupported operation */
+ return KRB5_CRYPTO_INTERNAL;
+}
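Review bot: `mit_des_cbc_cksum` signals "unsupported" by returning `KRB5_CRYPTO_INTERNAL` through an `unsigned long` and leaves `out` unwritten, so a caller that reads the output buffer without testing the return would treat indeterminate bytes as a checksum. `mit_des_key_sched` likewise leaves `schedule` untouched. Each stub should carry a comment stating that contract, for example `/* Unsupported with NSS: returns KRB5_CRYPTO_INTERNAL and does not write to out. */`. `mit_afs_string_to_key` lacks even the "Unsupported operation" remark the other two have. The file header still reads `lib/crypto/openssl/des/des_oldapis.c` and should name the `nss` path.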
56 src/lib/crypto/nss/des/f_parity.c
@@ -0,0 +1,56 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * These routines check and fix parity of encryption keys for the DES
+ * algorithm.
+ *
+ * They are a replacement for routines in key_parity.c, that don't require
+ * the table building that they do.
+ *
+ * Mark Eichin -- Cygnus Support
+ */
+
+
+#include "des_int.h"
+
+/*
+ * des_fixup_key_parity: Forces odd parity per byte; parity is bits
+ * 8,16,...64 in des order, implies 0, 8, 16, ...
+ * vax order.
+ */
+#define smask(step) ((1<<step)-1)
+#define pstep(x,step) (((x)&smask(step))^(((x)>>step)&smask(step)))
+#define parity_char(x) pstep(pstep(pstep((x),4),2),1)
+
+void
+mit_des_fixup_key_parity(mit_des_cblock key)
+{
+ unsigned int i;
+ for (i=0; i<sizeof(mit_des_cblock); i++)
+ {
+ key[i] &= 0xfe;
+ key[i] |= 1^parity_char(key[i]);
+ }
+
+ return;
+}
+
+/*
+ * des_check_key_parity: returns true iff key has the correct des parity.
+ * See des_fix_key_parity for the definition of
+ * correct des parity.
+ */
+int
+mit_des_check_key_parity(mit_des_cblock key)
+{
+ unsigned int i;
+
+ for (i=0; i<sizeof(mit_des_cblock); i++)
+ {
+ if((key[i] & 1) == parity_char(0xfe&key[i]))
+ {
+ return 0;
+ }
+ }
+
+ return(1);
+}
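Review bot: The `smask` and `pstep` macros expand `step` without parentheses (`(1<<step)-1`, `>>step`), which is fine for the literal arguments `parity_char` passes but breaks silently if an expression is ever supplied. `#define smask(step) ((1<<(step))-1)` and `(((x)>>(step))&smask(step))` close that. The block comments refer to `des_fixup_key_parity`, `des_check_key_parity` and `des_fix_key_parity`, none of which matches the `mit_des_`-prefixed functions they document.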
85 src/lib/crypto/nss/des/string2key.c
@@ -0,0 +1,85 @@
+/*
+ * lib/crypto/openssl/des/string2key.c
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include "des_int.h"
+#include "pk11pub.h"
+#include "nss_gen.h"
+
+krb5_error_code
+mit_des_string_to_key_int (krb5_keyblock *key,
+ const krb5_data *pw, const krb5_data *salt)
+{
+ PK11SlotInfo *slot = NULL;
+ PK11SymKey *symKey = NULL;
+ SECItem pwItem;
+ SECItem paramsItem;
+ CK_PBE_PARAMS pbe_params;
+ CK_MECHANISM_TYPE pbeMech = CKM_NETSCAPE_PBE_SHA1_DES_CBC;
+ krb5_error_code ret = -1;
+ SECItem *keyData;
+
+ ret=k5_nss_init();
+ if (ret) return ret;
+
+ slot = PK11_GetBestSlot(pbeMech, NULL);
+ if (slot == NULL) {
+ ret = k5_nss_map_last_error();
+ goto loser;
+ }
+
+ pwItem.data = (unsigned char *)pw->data;
+ pwItem.len = pw->length;
+ pbe_params.pSalt = (unsigned char *)salt->data;
+ pbe_params.ulSaltLen = salt->length;
+ pbe_params.ulIteration = 1;
+ paramsItem.data = (unsigned char *)&pbe_params;
+ paramsItem.len = sizeof(pbe_params);
+
+ symKey = PK11_RawPBEKeyGen(slot, pbeMech, &paramsItem, &pwItem,
+ PR_FALSE, NULL);
+ if (symKey == NULL) {
+ ret = k5_nss_map_last_error();
+ goto loser;
+ }
+ PK11_ExtractKeyValue(symKey);
+ keyData = PK11_GetKeyData(symKey);
+ if (!keyData) {
+ ret = k5_nss_map_last_error();
+ goto loser;
+ }
+ key->length = keyData->len;
+ memcpy(key->contents, keyData->data, key->length);
+ ret = 0;
+
+loser:
+ if (symKey) {
+ PK11_FreeSymKey(symKey);
+ }
+ if (slot) {
+ PK11_FreeSlot(slot);
+ }
+ return ret;
+}
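Review bot: `memcpy(key->contents, keyData->data, key->length)` copies however many bytes NSS returns, because `key->length` has just been overwritten with `keyData->len`, and nothing compares that length with the caller's buffer. A DES key should be exactly `MIT_DES_KEYSIZE` bytes and any other length should fail. `pbe_params` is handed to `PK11_RawPBEKeyGen` with only three fields assigned, leaving the rest of the stack structure indeterminate, and the status of `PK11_ExtractKeyValue` is ignored. `salt` is dereferenced unconditionally, so the function needs either a NULL check or a documented requirement that callers always pass a salt. Separately, a single-iteration `CKM_NETSCAPE_PBE_SHA1_DES_CBC` derivation does not look like the Kerberos DES string-to-key, so keys derived here may not match other implementations and should be checked against known test vectors.

```c
    CK_PBE_PARAMS pbe_params;
    /* … unchanged: remaining declarations, k5_nss_init, slot lookup … */

    /* Clear every field so NSS never sees indeterminate pointers or lengths. */
    memset(&pbe_params, 0, sizeof(pbe_params));
    pbe_params.pSalt = (unsigned char *)salt->data;
    /* … unchanged: salt length, iteration count, paramsItem, PK11_RawPBEKeyGen … */

    if (PK11_ExtractKeyValue(symKey) != SECSuccess) {
        ret = k5_nss_map_last_error();
        goto loser;
    }
    keyData = PK11_GetKeyData(symKey);
    if (!keyData) {
        ret = k5_nss_map_last_error();
        goto loser;
    }
    /* Refuse anything that is not a single DES key before touching key->contents. */
    if (keyData->len != MIT_DES_KEYSIZE) {
        ret = KRB5_CRYPTO_INTERNAL;
        goto loser;
    }
    key->length = keyData->len;
    memcpy(key->contents, keyData->data, key->length);
```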
83 src/lib/crypto/nss/des/weak_key.c
@@ -0,0 +1,83 @@
+/*
+ * lib/crypto/openssl/des/weak_key.c
+ *
+ * Copyright 1989,1990,2009 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * Under U.S. law, this software may not be exported outside the US
+ * without license from the U.S. Commerce department.
+ *
+ * These routines form the library interface to the DES facilities.
+ *
+ * Originally written 8/85 by Steve Miller, MIT Project Athena.
+ */
+
+#include "des_int.h"
+
+/*
+ * The following are the weak DES keys:
+ */
+static const mit_des_cblock weak[16] = {
+ /* weak keys */
+ {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01},
+ {0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,0xfe},
+ {0x1f,0x1f,0x1f,0x1f,0x0e,0x0e,0x0e,0x0e},
+ {0xe0,0xe0,0xe0,0xe0,0xf1,0xf1,0xf1,0xf1},
+
+ /* semi-weak */
+ {0x01,0xfe,0x01,0xfe,0x01,0xfe,0x01,0xfe},
+ {0xfe,0x01,0xfe,0x01,0xfe,0x01,0xfe,0x01},
+
+ {0x1f,0xe0,0x1f,0xe0,0x0e,0xf1,0x0e,0xf1},
+ {0xe0,0x1f,0xe0,0x1f,0xf1,0x0e,0xf1,0x0e},
+
+ {0x01,0xe0,0x01,0xe0,0x01,0xf1,0x01,0xf1},
+ {0xe0,0x01,0xe0,0x01,0xf1,0x01,0xf1,0x01},
+
+ {0x1f,0xfe,0x1f,0xfe,0x0e,0xfe,0x0e,0xfe},
+ {0xfe,0x1f,0xfe,0x1f,0xfe,0x0e,0xfe,0x0e},
+
+ {0x01,0x1f,0x01,0x1f,0x01,0x0e,0x01,0x0e},
+ {0x1f,0x01,0x1f,0x01,0x0e,0x01,0x0e,0x01},
+
+ {0xe0,0xfe,0xe0,0xfe,0xf1,0xfe,0xf1,0xfe},
+ {0xfe,0xe0,0xfe,0xe0,0xfe,0xf1,0xfe,0xf1}
+};
+
+/*
+ * mit_des_is_weak_key: returns true iff key is a [semi-]weak des key.
+ *
+ * Requires: key has correct odd parity.
+ */
+int
+mit_des_is_weak_key(mit_des_cblock key)
+{
+ unsigned int i;
+ const mit_des_cblock *weak_p = weak;
+
+ for (i = 0; i < (sizeof(weak)/sizeof(mit_des_cblock)); i++) {
+ if (!memcmp(weak_p++,key,sizeof(mit_des_cblock)))
+ return 1;
+ }
+ return 0;
+}
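Review bot: The header comment on the second line of the file still names `lib/crypto/openssl/des/weak_key.c` although the file is added under `lib/crypto/nss/des/`; it should read ` * lib/crypto/nss/des/weak_key.c`. The comment above `mit_des_is_weak_key` requires odd parity, and because the table lookup is an exact `memcmp`, a key whose parity bits were not fixed is reported as not weak. It would help to say so, e.g. `/* Callers must fix parity first; a key with wrong parity never matches. */`. `memcmp` is used with no visible `<string.h>` include and presumably arrives through des_int.h.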
51 src/lib/crypto/nss/enc_provider/Makefile.in
@@ -0,0 +1,51 @@
+mydir=lib/crypto/nss/enc_provider
+BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
+LOCALINCLUDES = -I$(srcdir)/../des \
+ -I$(srcdir)/../arcfour \
+ -I$(srcdir)/../aes \
+ -I$(srcdir)/../../krb \
+ -I$(srcdir)/../../krb/rand2key \
+ -I$(srcdir)/.. -I$(srcdir)/. \
+ @CRYPTO_IMPL_CFLAGS@
+DEFS=
+
+##DOS##BUILDTOP = ..\..\..\..
+##DOS##PREFIXDIR=enc_provider
+##DOS##OBJFILE=..\$(OUTPRE)enc_prov.lst
+
+PROG_LIBPATH=-L$(TOPLIBD)
+PROG_RPATH=$(KRB5_LIBDIR)
+
+STLIBOBJS= \
+ enc_gen.o \
+ des.o \
+ des3.o \
+ rc4.o \
+ aes.o
+
+OBJS= \
+ $(OUTPRE)enc_gen.$(OBJEXT) \
+ $(OUTPRE)des.$(OBJEXT) \
+ $(OUTPRE)des3.$(OBJEXT) \
+ $(OUTPRE)aes.$(OBJEXT) \
+ $(OUTPRE)rc4.$(OBJEXT)
+
+SRCS= \
+ $(srcdir)/enc_gen.c \
+ $(srcdir)/des.c \
+ $(srcdir)/des3.c \
+ $(srcdir)/aes.c \
+ $(srcdir)/rc4.c
+
+##DOS##LIBOBJS = $(OBJS)
+
+all-unix:: all-libobjs
+
+includes:: depend
+
+depend:: $(SRCS)
+
+clean-unix:: clean-libobjs
+
+@libobj_frag@
+
101 src/lib/crypto/nss/enc_provider/aes.c
@@ -0,0 +1,101 @@
+/*
+ * lib/crypto/nss/enc_provider/aes.c
+ *
+ * Copyright (C) 2003, 2007, 2008, 2009 by the Massachusetts Institute of Technology.
+ * Copyright (C) 2010 Red Hat, Inc.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include "k5-int.h"
+#include "enc_provider.h"
+#include "rand2key.h"
+#include "aead.h"
+#include "nss_gen.h"
+
+
+krb5_error_code
+krb5int_aes_encrypt(krb5_key key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ int ret;
+ ret = k5_nss_gen_import(key, CKM_AES_CBC, CKA_ENCRYPT);
+ if (ret != 0) {
+ return ret;
+ }
+ return k5_nss_gen_cts_iov(key, CKM_AES_CBC, CKA_ENCRYPT,
+ ivec, data, num_data);
+}
+
+krb5_error_code
+krb5int_aes_decrypt(krb5_key key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ int ret;
+ ret = k5_nss_gen_import(key, CKM_AES_CBC, CKA_DECRYPT);
+ if (ret != 0) {
+ return ret;
+ }
+ return k5_nss_gen_cts_iov(key, CKM_AES_CBC, CKA_DECRYPT,
+ ivec, data, num_data);
+}
+
+/*
+ * perhaps we should store the NSS context in the krb5_data state here?
+ */
+static krb5_error_code
+aes_init_state (const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_data *state)
+{
+ state->length = 16;
+ state->data = (void *) malloc(16);
+ if (state->data == NULL)
+ return ENOMEM;
+ memset(state->data, 0, state->length);
+ return 0;
+}
+
+const struct krb5_enc_provider krb5int_enc_aes128 = {
+ 16,
+ 16, 16,
+ krb5int_aes_encrypt,
+ krb5int_aes_decrypt,
+ NULL,
+ krb5int_aes_make_key,
+ aes_init_state,
+ krb5int_default_free_state,
+};
+
+const struct krb5_enc_provider krb5int_enc_aes256 = {
+ 16,
+ 32, 32,
+ krb5int_aes_encrypt,
+ krb5int_aes_decrypt,
+ NULL,
+ krb5int_aes_make_key,
+ aes_init_state,
+ krb5int_default_free_state,
+ k5_nss_gen_cleanup
+};
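Review bot: The `krb5int_enc_aes128` initializer stops at `krb5int_default_free_state,` and omits the trailing `k5_nss_gen_cleanup` entry that `krb5int_enc_aes256` and the DES and 3DES provider tables in this commit supply, so that member is left zero-initialized. If it is the per-key cleanup hook, as the sibling tables suggest, the `PK11SymKey` that `k5_nss_gen_import` caches in `krb_key->cache` for an AES-128 key is never released and the key material outlives the krb5 key. Add `k5_nss_gen_cleanup` as the last initializer of `krb5int_enc_aes128`. The struct definition is not part of this hunk, so the member's meaning is inferred from the other tables.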
0  src/lib/crypto/nss/enc_provider/deps
No changes.
100 src/lib/crypto/nss/enc_provider/des.c
@@ -0,0 +1,100 @@
+/* lib/crypto/nss/enc_provider/des.c
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * Copyright (C) 2010 Red Hat, Inc.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+#include "nss_gen.h"
+#include <aead.h>
+#include <rand2key.h>
+#include "des_int.h"
+
+
+static krb5_error_code
+k5_des_encrypt_iov(krb5_key key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ int ret;
+ ret = k5_nss_gen_import(key, CKM_DES_CBC, CKA_ENCRYPT);
+ if (ret != 0) {
+ return ret;
+ }
+ return k5_nss_gen_block_iov(key, CKM_DES_CBC, CKA_ENCRYPT,
+ ivec, data, num_data);
+}
+
+static krb5_error_code
+k5_des_decrypt_iov(krb5_key key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ int ret;
+ ret = k5_nss_gen_import(key, CKM_DES_CBC, CKA_ENCRYPT);
+ if (ret != 0) {
+ return ret;
+ }
+ return k5_nss_gen_block_iov(key, CKM_DES_CBC, CKA_DECRYPT,
+ ivec, data, num_data);
+}
+
+const struct krb5_enc_provider krb5int_enc_des = {
+ 8,
+ 7, KRB5_MIT_DES_KEYSIZE,
+ k5_des_encrypt_iov,
+ k5_des_decrypt_iov,
+ NULL,
+ krb5int_des_make_key,
+ krb5int_des_init_state,
+ krb5int_default_free_state,
+ k5_nss_gen_cleanup
+};
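Review bot: `k5_des_decrypt_iov` imports the key with `CKA_ENCRYPT` and then runs the cipher with `CKA_DECRYPT`; the import line should read `ret = k5_nss_gen_import(key, CKM_DES_CBC, CKA_DECRYPT);`, matching `krb5int_aes_decrypt` in aes.c. `k5_des3_decrypt_iov` in des3.c has the same mismatch with `CKM_DES3_CBC`. Because `k5_nss_gen_import` returns early once `krb_key->cache` is set, the operation given on first use stays with the key, so a token that enforces usage attributes may refuse the other direction; whether it does depends on the token and should be confirmed. Declaring `krb5_error_code ret` instead of `int ret` would also match the function's return type.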
100 src/lib/crypto/nss/enc_provider/des3.c
@@ -0,0 +1,100 @@
+/* lib/crypto/nss/enc_provider/des3.c
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * Copyright (C) 2010 Red Hat, Inc.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+#include "nss_gen.h"
+#include <aead.h>
+#include <rand2key.h>
+#include "des_int.h"
+
+
+static krb5_error_code
+k5_des3_encrypt_iov(krb5_key key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ int ret;
+ ret = k5_nss_gen_import(key, CKM_DES3_CBC, CKA_ENCRYPT);
+ if (ret != 0) {
+ return ret;
+ }
+ return k5_nss_gen_block_iov(key, CKM_DES3_CBC, CKA_ENCRYPT,
+ ivec, data, num_data);
+}
+
+static krb5_error_code
+k5_des3_decrypt_iov(krb5_key key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ int ret;
+ ret = k5_nss_gen_import(key, CKM_DES3_CBC, CKA_ENCRYPT);
+ if (ret != 0) {
+ return ret;
+ }
+ return k5_nss_gen_block_iov(key, CKM_DES3_CBC, CKA_DECRYPT,
+ ivec, data, num_data);
+}
+
+const struct krb5_enc_provider krb5int_enc_des3 = {
+ 8,
+ 21, KRB5_MIT_DES3_KEYSIZE,
+ k5_des3_encrypt_iov,
+ k5_des3_decrypt_iov,
+ NULL,
+ krb5int_des3_make_key,
+ krb5int_des_init_state,
+ krb5int_default_free_state,
+ k5_nss_gen_cleanup
+};
654 src/lib/crypto/nss/enc_provider/enc_gen.c
@@ -0,0 +1,654 @@
+/*
+ * lib/crypto/nss/enc_provider/enc_gen.c
+ *
+ * Copyright (C) 2003, 2007, 2008, 2009 by the Massachusetts Institute of Technology.
+ * Copyright (C) 2010 Red Hat, Inc.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/* compile options (should move to configure)... */
+#define USE_OPAQUE_KEYS 1
+#define DO_FAST_XOR 1
+/*#define FAKE_FIPS 1 */
+
+#include "k5-int.h"
+#include "nss_gen.h"
+#include "enc_provider.h"
+#include "rand2key.h"
+#include "aead.h"
+#include "seccomon.h"
+#include "pk11pub.h"
+#ifndef USE_OPAQUE_KEYS
+/* use of this function is discouraged */
+#define PK11_CreateContextByRawKey __PK11_CreateContextByRawKey
+#include "pk11priv.h"
+#endif
+#include "nss.h"
+
+/* 512 bits is bigger than anything defined to date */
+#define MAX_KEY_LENGTH 64
+#define MAX_BLOCK_SIZE 64
+
+
+krb5_error_code
+k5_nss_map_error(int nss_error)
+{
+ /* currently KRB5 does not define a full set CRYPTO failures.
+ * for now just use KRB5_CRYPTO_INTERNAL. We really should return
+ * errors for Not logged in, and maybe a few others */
+ return KRB5_CRYPTO_INTERNAL;
+}
+
+krb5_error_code
+k5_nss_map_last_error() {
+ return k5_nss_map_error(PORT_GetError());
+}
+
+static NSSInitContext *krb5_nss_init = NULL;
+
+/*
+ * krb5 doesn't have a call into the crypto engine to initialize it, so
+ * we do it here. This code will try to piggyback on any application
+ * initialization done to NSS. Otherwise get get our one library init context.
+ */
+krb5_error_code
+k5_nss_init()
+{
+#ifdef LINUX
+ /* default to the system NSS */
+#define NSS_KRB5_CONFIGDIR "sql:/etc/pki/nssdb"
+#define NSS_KRB5_FLAGS 0
+#else
+ /* other platforms don't have a system NSS defined yet, do a nodb init */
+#define NSS_KRB5_CONFIGDIR NULL
+#define NSS_KRB5_FLAGS NSS_INIT_NOMODDB|NSS_INIT_NOCERTDB
+#endif
+ if (krb5_nss_init) {
+ /* we've already initialized NSS */
+ return 0;
+ }
+ if (NSS_IsInitialized()) {
+ /* someone else has initialized NSS */
+ return 0;
+ }
+ krb5_nss_init = NSS_InitContext(NSS_KRB5_CONFIGDIR, "", "", "", NULL,
+ NSS_INIT_READONLY|NSS_INIT_NOROOTINIT|NSS_KRB5_FLAGS);
+ if (!krb5_nss_init) {
+ return k5_nss_map_last_error();
+ }
+ return 0;
+}
+
+
+PK11Context *
+k5_nss_create_context(krb5_key krb_key, CK_MECHANISM_TYPE mechanism,
+ CK_ATTRIBUTE_TYPE operation, SECItem * param)
+{
+#ifdef USE_OPAQUE_KEYS
+ PK11SymKey *key = (PK11SymKey *)krb_key->cache;
+
+ return PK11_CreateContextBySymKey(mechanism, operation, key, param);
+#else
+ PK11Context *ctx = NULL;
+ PK11SlotInfo *slot;
+ SECItem key;
+
+ key.data = krb_key->keyblock.contents;
+ key.len = krb_key->keyblock.length;
+ slot = PK11_GetBestSlot(mechanism, NULL);
+ if (slot == NULL) {
+ return NULL;
+ }
+ ctx = PK11_CreateContextByRawKey(slot,mechanism, PK11_OriginGenerated,
+ operation, &key, param, NULL);
+ PK11_FreeSlot(slot);
+ return ctx;
+#endif
+}
+
+static void inline
+xor(unsigned char *x, unsigned char *y, int size)
+{
+ int i;
+#ifdef DO_FAST_XOR
+#define ALIGNED(x,type) (!(((size_t)(x))&(sizeof(type)-1)))
+ if (ALIGNED(x,unsigned long) && ALIGNED(y, unsigned long)
+ && ALIGNED(size, unsigned long)) {
+ unsigned long *ux = (unsigned long *)x;
+ unsigned long *uy = (unsigned long *)y;
+ for (i=0; i < (int)(size/sizeof(unsigned long)); i++) {
+ *ux++ ^= *uy++;
+ }
+ return;
+ }
+#endif
+ for (i=0; i < size; i++) {
+ *x++ ^= *y++;
+ }
+}
+
+krb5_error_code
+k5_nss_gen_block_iov(krb5_key krb_key, CK_MECHANISM_TYPE mech,
+ CK_ATTRIBUTE_TYPE operation,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ int ret = 0;
+ PK11Context *ctx = NULL;
+ SECStatus rv;
+ SECItem *param = NULL;
+ struct iov_block_state input_pos, output_pos;
+ unsigned char storage[MAX_BLOCK_SIZE];
+ unsigned char iv0[MAX_BLOCK_SIZE];
+ unsigned char *ptr = NULL,*lastptr = NULL;
+ SECItem iv;
+ size_t blocksize;
+ int length = 0;
+ int lastblock = -1;
+ int currentblock;
+
+
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
+
+ blocksize = PK11_GetBlockSize(mech, NULL);
+ assert(blocksize <= sizeof(storage));
+
+ if (ivec && ivec->data) {
+ iv.data = (unsigned char *)ivec->data;
+ iv.len = ivec->length;
+ if (operation == CKA_DECRYPT) {
+ int i, inputlength;
+
+ /* count the blocks so we know which block is last */
+ for (i=0, inputlength=0; i < (int)num_data; i++) {
+ krb5_crypto_iov *iov=&data[i];
+
+ if (ENCRYPT_IOV(iov)) {
+ inputlength += iov->data.length;
+ }
+ }
+ lastblock = (inputlength/blocksize) -1;
+ }
+ } else {
+ memset(iv0, 0, sizeof(iv0));
+ iv.data = iv0;
+ iv.len = blocksize;
+ }
+ param = PK11_ParamFromIV(mech, &iv);
+
+ ctx = k5_nss_create_context(krb_key, mech, operation, param);
+ if (ctx == NULL) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+
+ for (currentblock = 0;;currentblock++) {
+ ptr = iov_next_block(storage, blocksize, data, num_data,
+ &input_pos);
+ if (ptr == NULL)
+ break;
+
+ lastptr = NULL;
+
+ /* only set if we are decrypting */
+ if (lastblock == currentblock) {
+ memcpy(ivec->data, ptr, blocksize);
+ }
+
+ rv = PK11_CipherOp(ctx, ptr, &length, blocksize, ptr, blocksize);
+ if (rv != SECSuccess) {
+ ret = k5_nss_map_last_error();
+ break;
+ }
+
+ lastptr = ptr;
+ iov_store_block(data, num_data, ptr, storage, blocksize,
+ &output_pos);
+ }
+
+ if (lastptr && ivec && ivec->data && operation == CKA_ENCRYPT) {
+ memcpy(ivec->data, lastptr, blocksize);
+ }
+done:
+ if (ctx) {
+ PK11_Finalize(ctx);
+ }
+
+ if (param) {
+ SECITEM_FreeItem(param, PR_TRUE);
+ }
+ return ret;
+}
+
+krb5_error_code
+k5_nss_stream_init_state(krb5_data *new_state)
+{
+ new_state->data = NULL;
+ new_state->length = 0;
+ return 0;
+}
+
+krb5_error_code
+k5_nss_stream_free_state(krb5_data *state)
+{
+ if (state->length == (unsigned)-1 && state->data) {
+ PK11_Finalize((PK11Context *)state->data);
+ }
+ return 0;
+}
+
+krb5_error_code
+k5_nss_gen_stream_iov(krb5_key krb_key, krb5_data *state,
+ CK_MECHANISM_TYPE mech,
+ CK_ATTRIBUTE_TYPE operation,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ int ret = 0;
+ PK11Context *ctx = NULL;
+ SECStatus rv;
+ SECItem param;
+ krb5_crypto_iov *iov;
+ int i;
+
+ param.data = NULL;
+ param.len = 0;
+
+ if (state && state->data) {
+ ctx = (PK11Context *)state->data;
+ } else {
+ ctx = k5_nss_create_context(krb_key, mech, operation, &param);
+ if (state && ctx) {
+ state->data = (char *)ctx;
+ state->length = -1; /* you don't get to copy this, */
+ /* blow up if you try */
+ }
+ }
+ if (ctx == NULL) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+
+ for (i=0; i < (int)num_data; i++) {
+ int return_length;
+ iov = &data[i];
+ if (iov->data.length <= 0) break;
+
+ if (ENCRYPT_IOV(iov)) {
+ rv = PK11_CipherOp(ctx, (unsigned char *)iov->data.data,
+ &return_length, iov->data.length,
+ (unsigned char *)iov->data.data, iov->data.length);
+ if (rv != SECSuccess) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+ iov->data.length = return_length;
+ }
+ }
+done:
+ if (!state && ctx) {
+ PK11_Finalize(ctx);
+ }
+ return ret;
+}
+
+krb5_error_code
+k5_nss_gen_cts_iov(krb5_key krb_key, CK_MECHANISM_TYPE mech,
+ CK_ATTRIBUTE_TYPE operation,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ int ret = 0;
+ PK11Context *ctx = NULL;
+ SECStatus rv;
+ SECItem *param = NULL;
+ struct iov_block_state input_pos, output_pos;
+ unsigned char storage[MAX_BLOCK_SIZE];
+ unsigned char recover1[MAX_BLOCK_SIZE];
+ unsigned char recover2[MAX_BLOCK_SIZE];
+ unsigned char block1[MAX_BLOCK_SIZE];
+ unsigned char block2[MAX_BLOCK_SIZE];
+ unsigned char iv0[MAX_BLOCK_SIZE];
+ unsigned char *ptr = NULL;
+ SECItem iv;
+ size_t blocksize;
+ size_t bulk_length, remainder;
+ size_t input_length, lastblock;
+ size_t length;
+ int i, len;
+
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
+
+ blocksize = PK11_GetBlockSize(mech, NULL);
+ assert(blocksize <= sizeof(storage));
+
+ if (ivec) {
+ iv.data = (unsigned char *)ivec->data;
+ iv.len = ivec->length;
+ } else {
+ memset(iv0, 0, sizeof(iv0));
+ iv.data = iv0;
+ iv.len = blocksize;
+ }
+ param = PK11_ParamFromIV(mech, &iv);
+
+ for (i=0, input_length=0; i < (int)num_data; i++) {
+ krb5_crypto_iov *iov=&data[i];
+
+ if (ENCRYPT_IOV(iov)) {
+ input_length += iov->data.length;
+ }
+ }
+ /* must be at least a block or we fail */
+ if (input_length < blocksize) {
+ ret = -1;
+ goto done;
+ }
+
+ bulk_length = (input_length / blocksize)*blocksize;
+ remainder = input_length - bulk_length;
+ /* do the block swap even if the input data is aligned, only
+ * drop it if we are encrypting exactly one block */
+ if (remainder == 0 && bulk_length != blocksize) {
+ remainder = blocksize;
+ bulk_length -= blocksize;
+ }
+
+ ctx = k5_nss_create_context(krb_key, mech, operation, param);
+ if (ctx == NULL) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+
+ /* now we bulk encrypt each block in the loop. We need to know where
+ * to stop to do special processing. For single block operations
+ * we stop at the end. For all others we stop and the last second to last
+ * block (counting partial blocks). For decrypt operations we need to save
+ * cn-2 so we stop at the third to last block if it exists, Otherwise
+ * cn-2 = the iv */
+ lastblock = bulk_length;
+ if (remainder) {
+ /* we need to process the last full block and last partitial block
+ * differently */
+ lastblock = bulk_length - blocksize;
+ if (operation == CKA_DECRYPT) {
+ if (bulk_length > blocksize) {
+ /* stop at cn-2 so we can save it before going on */
+ lastblock = bulk_length - 2*blocksize;
+ } else {
+ /* iv is cn-2, save it now, cn - 2 */
+ memcpy(recover1, iv.data, blocksize);
+ memcpy(recover2, iv.data, blocksize);
+ }
+ }
+ }
+ for (length = 0; length < lastblock; length += blocksize) {
+ ptr = iov_next_block(storage, blocksize, data, num_data,
+ &input_pos);
+ if (ptr == NULL)
+ break;
+
+ rv = PK11_CipherOp(ctx, ptr, &len, blocksize, ptr, blocksize);
+ if (rv != SECSuccess) {
+ ret = k5_nss_map_last_error();
+ break;
+ }
+
+ iov_store_block(data, num_data, ptr, storage, blocksize,
+ &output_pos);
+ }
+ if (remainder) {
+ if (operation == CKA_DECRYPT) {
+ if (bulk_length > blocksize) {
+ /* we need to save cn-2 */
+ ptr = iov_next_block(storage, blocksize, data, num_data,
+ &input_pos);
+ if (ptr == NULL)
+ goto done; /* shouldn't happen */
+
+ /* save cn-2 */
+ memcpy(recover1, ptr, blocksize);
+ memcpy(recover2, ptr, blocksize);
+
+ /* now process it as normal */
+ rv = PK11_CipherOp(ctx, ptr, &len, blocksize, ptr, blocksize);
+ if (rv != SECSuccess) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+
+ iov_store_block(data, num_data, ptr, storage, blocksize,
+ &output_pos);
+ }
+ }
+ /* fetch the last 2 blocks */
+ memset(block1, 0, blocksize); /* last block, could be partial */
+ krb5int_c_iov_get_block(block2, blocksize, data, num_data, &input_pos);
+ krb5int_c_iov_get_block(block1, remainder, data, num_data, &input_pos);
+ if (operation == CKA_DECRYPT) {
+ /* recover1 and recover2 are xor values to recover the true
+ * underlying data of the last 2 decrypts. This keeps us from having
+ * to try to reset our IV to do the final decryption. */
+ /* currently: block1 is cn || 0, block2 is cn-1.
+ * recover1 & recover2 is set to cn-2 */
+ /* recover2 recovers pn || c' from p'n-1. The raw decrypted block
+ * will be p'n-1 xor with cn-2 while pn || c' = p'n-1 xor cn || 0.
+ * recover2 is cn-2 xor cn || 0, so we can simple xor recover1
+ * with the raw decrypted block */
+ /* recover1 recovers pn-1 from the raw decryption of cn || c'.
+ * the raw decrypt of cn || c' = p'n xor cn-1 while
+ * pn-1 = p'n xor cn-2
+ * recover1 is cn-2 xor cn-1, so we can simple xor recover 2 with
+ * the raw decrypt of cn||c' to get pn-1 */
+ xor(recover1, block2, blocksize);
+ xor(recover2, block1, blocksize);
+ if (ivec && ivec->data) {
+ memcpy(ivec->data, block2, blocksize);
+ }
+ }
+ rv = PK11_CipherOp(ctx, block2, &len, blocksize, block2, blocksize);
+ if (rv != SECSuccess) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+ if (operation == CKA_DECRYPT) {
+ /* block2 now has p'n-1 xor cn-2 */
+ xor(block2, recover2, blocksize);
+ /* block 2 now has pn || c' */
+ /* copy c' into cn || c' */
+ memcpy(block1+remainder, block2+remainder, blocksize-remainder);
+ }
+ rv = PK11_CipherOp(ctx, block1, &len, blocksize, block1, blocksize);
+ if (rv != SECSuccess) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+ if (operation == CKA_DECRYPT) {
+ /* block1 now has p'n xor cn-1 */
+ xor(block1, recover1, blocksize);
+ /* block 1 now has pn-1 */
+ } else {
+ if (ivec && ivec->data) {
+ memcpy(ivec->data, block1, blocksize);
+ }
+ }
+ krb5int_c_iov_put_block(data,num_data, block1, blocksize, &output_pos);
+ krb5int_c_iov_put_block(data,num_data, block2, remainder, &output_pos);
+ }
+
+done:
+ if (ctx) {
+ PK11_Finalize(ctx);
+ }
+
+ if (param) {
+ SECITEM_FreeItem(param, PR_TRUE);
+ }
+ return ret;
+}
+
+void
+k5_nss_gen_cleanup(krb5_key krb_key)
+{
+#ifdef USE_OPAQUE_KEYS
+ PK11SymKey *key = (PK11SymKey *)krb_key->cache;
+
+ if (key) {
+ PK11_FreeSymKey(key);
+ krb_key->cache = NULL;
+ }
+#endif
+}
+
+krb5_error_code
+k5_nss_gen_import(krb5_key krb_key, CK_MECHANISM_TYPE mech,
+ CK_ATTRIBUTE_TYPE operation)
+{
+ int ret = 0;
+#ifdef USE_OPAQUE_KEYS
+ PK11SymKey *key = (PK11SymKey *)krb_key->cache;
+ PK11SlotInfo *slot = NULL;
+ SECItem raw_key;
+#ifdef FAKE_FIPS
+ PK11SymKey *wrapping_key = NULL;
+ PK11Context *ctx = NULL;
+ SECItem wrapped_key;
+ SECItem params;
+ unsigned char wrapped_key_data[MAX_KEY_LENGTH];
+ unsigned char padded_key_data[MAX_KEY_LENGTH];
+ int wrapping_index, series, blocksize;
+ int keyLength;
+ CK_MECHANISM_TYPE mechanism;
+ SECStatus rv;
+#endif
+
+ if (key) { return 0; }
+
+ ret = k5_nss_init();
+ if (ret) return ret;
+
+ slot = PK11_GetBestSlot(mech, NULL);
+ if (slot == NULL) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+ raw_key.data = krb_key->keyblock.contents;
+ raw_key.len = krb_key->keyblock.length;
+
+#ifdef FAKE_FIPS
+ /* first, fetch a wrapping key */
+ wrapping_index = PK11_GetCurrentWrapIndex(slot);
+ series = PK11_GetSlotSeries(slot);
+ wrapping_key =PK11_GetWrapKey(slot, wrapping_index,
+ CKM_INVALID_MECHANISM, series, NULL);
+ if (wrapping_key == NULL) {
+ /* one doesn't exist, create one */
+ mechanism = PK11_GetBestWrapMechanism(slot);
+ keyLength = PK11_GetBestKeyLength(slot, mechanism);
+ wrapping_key = PK11_TokenKeyGenWithFlags(slot, mechanism, NULL,
+ keyLength, NULL, CKF_UNWRAP|CKF_ENCRYPT, 0,
+ NULL);
+ if (!wrapping_key) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+ PK11_SetWrapKey(slot, wrapping_index, wrapping_key);
+ }
+
+ /* now encrypt the data with the wrapping key */
+ mechanism = PK11_GetMechanism(wrapping_key);
+ params.data = NULL;
+ params.len = 0;
+ ctx = PK11_CreateContextBySymKey(mechanism, CKA_ENCRYPT,
+ wrapping_key, &params);
+ if (ctx == NULL) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+
+ wrapped_key.data = wrapped_key_data;
+ wrapped_key.len = sizeof(wrapped_key_data);
+ blocksize = PK11_GetBlockSize(mechanism, NULL);
+ keyLength = raw_key.len;
+
+ /*
+ * ECB modes need keys in integral multiples of the block size.
+ * if the key isn't and integral multiple, pad it with zero. Unwrap
+ * will use the length parameter to appropriately set the key.
+ */
+ if ((raw_key.len % blocksize) != 0) {
+ int keyblocks = (raw_key.len +(blocksize-1))/blocksize;
+ keyLength = keyblocks * blocksize;
+ assert(keyLength <= sizeof(padded_key_data));
+ memset(padded_key_data, 0, keyLength);
+ memcpy(padded_key_data,raw_key.data, raw_key.len);
+ raw_key.data = padded_key_data;
+ }
+ rv = PK11_CipherOp(ctx, wrapped_key.data, (int *)&wrapped_key.len,
+ sizeof(wrapped_key_data), raw_key.data, keyLength);
+ if (keyLength != raw_key.len) {
+ /* clear our copy of the key bits */
+ memset(padded_key_data, 0, keyLength);
+ }
+ if (rv != SECSuccess) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+ PK11_Finalize(ctx);
+ ctx = NULL;
+
+ /* now now we have a 'wrapped' version of the, we can import it into
+ * the token without running afoul with FIPS. */
+ key = PK11_UnwrapSymKey(wrapping_key, mechanism, &params, &wrapped_key,
+ mech, operation, raw_key.len);
+#else
+ key = PK11_ImportSymKey(slot, mech, PK11_OriginGenerated, operation,
+ &raw_key, NULL);
+#endif
+ if (key == NULL) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+ krb_key->cache = (void *) key;
+
+done:
+ if (slot) {
+ PK11_FreeSlot(slot);
+ }
+#ifdef FAKE_FIPS
+ if (ctx) {
+ PK11_Finalize(ctx);
+ }
+ if (wrapping_key) {
+ PK11_FreeSymKey(wrapping_key);
+ }
+#endif
+
+#else
+ ret = k5_nss_init();
+#endif
+ return ret;
+}
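Review bot: The `done:` paths of `k5_nss_gen_block_iov`, `k5_nss_gen_cts_iov` and `k5_nss_gen_stream_iov`, and `k5_nss_stream_free_state`, release the cipher context with `PK11_Finalize(ctx)`, which ends the operation but does not free the `PK11Context`. Each call therefore appears to leak a context together with its keyed cipher state. Replace those calls with `PK11_DestroyContext(ctx, PR_TRUE);`. Separately, `k5_nss_gen_cts_iov` takes `iv.data` from `ivec->data` whenever `ivec` is non-NULL, while `k5_nss_gen_block_iov` tests `ivec && ivec->data`; the CTS path should use the same test so an ivec without data falls back to the zero IV instead of reaching `memcpy(recover1, iv.data, blocksize)`. The result of `PK11_ParamFromIV` is also passed on unchecked in both functions.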
35 src/lib/crypto/nss/enc_provider/enc_provider.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+
+extern const struct krb5_enc_provider krb5int_enc_des;
+extern const struct krb5_enc_provider krb5int_enc_des3;
+extern const struct krb5_enc_provider krb5int_enc_arcfour;
+extern const struct krb5_enc_provider krb5int_enc_aes128;
+extern const struct krb5_enc_provider krb5int_enc_aes256;
+extern const struct krb5_enc_provider krb5int_enc_aes128_ctr;
+extern const struct krb5_enc_provider krb5int_enc_aes256_ctr;
109 src/lib/crypto/nss/enc_provider/rc4.c
@@ -0,0 +1,109 @@
+/* lib/crypto/nss/enc_provider/rc4.c
+ *
+ * #include STD_DISCLAIMER
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * Copyright (C) 2010 Red Hat, Inc.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/* arcfour.c
+ *
+ * Copyright (c) 2000 by Computer Science Laboratory,
+ * Rensselaer Polytechnic Institute
+ *
+ * #include STD_DISCLAIMER
+ */
+
+
+#include "k5-int.h"
+#include <aead.h>
+#include <rand2key.h>
+#include "nss_gen.h"
+
+#define RC4_KEY_SIZE 16
+#define RC4_BLOCK_SIZE 1
+
+/* In-place IOV crypto */
+static krb5_error_code
+k5_arcfour_encrypt_iov(krb5_key key,
+ const krb5_data *state,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ int ret;
+ ret = k5_nss_gen_import(key, CKM_RC4, CKA_ENCRYPT);
+ if (ret != 0) {
+ return ret;
+ }
+ return k5_nss_gen_stream_iov(key, state, CKM_RC4, CKA_ENCRYPT,
+ data, num_data);
+}
+
+/* In-place IOV crypto */
+static krb5_error_code
+k5_arcfour_decrypt_iov(krb5_key key,
+ const krb5_data *state,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ int ret;
+ ret = k5_nss_gen_import(key, CKM_RC4, CKA_DECRYPT);
+ if (ret != 0) {
+ return ret;
+ }
+ return k5_nss_gen_stream_iov(key, state, CKM_RC4, CKA_DECRYPT,
+ data, num_data);
+}
+
+static krb5_error_code
+k5_arcfour_free_state ( krb5_data *state)
+{
+ return k5_nss_stream_free_state(state);
+}
+
+static krb5_error_code
+k5_arcfour_init_state (const krb5_keyblock *key,
+ krb5_keyusage keyusage, krb5_data *new_state)
+{
+ /* key can't quite be used here. see comment in k5_arcfour_init_state */
+ return k5_nss_stream_init_state(new_state);
+
+}
+
+const struct krb5_enc_provider krb5int_enc_arcfour = {
+ /* This seems to work... although I am not sure what the
+ implications are in other places in the kerberos library */
+ RC4_BLOCK_SIZE,
+ /* Keysize is arbitrary in arcfour, but the constraints of the
+ system, and to attempt to work with the MSFT system forces us
+ to 16byte/128bit. Since there is no parity in the key, the
+ byte and length are the same. */
+ RC4_KEY_SIZE, RC4_KEY_SIZE,
+ k5_arcfour_encrypt_iov,
+ k5_arcfour_decrypt_iov,
+ NULL,
+ krb5int_arcfour_make_key,
+ k5_arcfour_init_state,
+ k5_arcfour_free_state,
+ k5_nss_gen_cleanup
+};
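Review bot: The comment inside `k5_arcfour_init_state` sends the reader to `k5_arcfour_init_state` itself, so the reason `key` and `keyusage` are ignored is not recorded anywhere in this file. Replace it with a comment that names the real location, for example `/* key and keyusage are unused: the stream state starts empty and the key is bound on first use in k5_nss_gen_stream_iov (TODO confirm) */`. In `k5_arcfour_encrypt_iov` and `k5_arcfour_decrypt_iov` the local `int ret;` holds a `krb5_error_code`, so it should be declared `krb5_error_code ret;` to match the return type.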
46 src/lib/crypto/nss/hash_provider/Makefile.in
@@ -0,0 +1,46 @@
+mydir=lib/crypto/nss/hash_provider
+BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
+LOCALINCLUDES = -I$(srcdir)/../../krb/crc32 -I$(srcdir)/../md4 \
+ -I$(srcdir)/.. -I$(srcdir)/../../krb \
+ @CRYPTO_IMPL_CFLAGS@
+
+DEFS=
+
+##DOS##BUILDTOP = ..\..\..\..
+##DOS##PREFIXDIR=hash_provider
+##DOS##OBJFILE=..\$(OUTPRE)hash_pro.lst
+
+PROG_LIBPATH=-L$(TOPLIBD)
+PROG_RPATH=$(KRB5_LIBDIR)
+
+STLIBOBJS= \
+ hash_gen.o \
+ hash_crc32.o \
+ hash_md4.o \
+ hash_md5.o \
+ hash_sha1.o
+
+OBJS= $(OUTPRE)hash_gen.$(OBJEXT) \
+ $(OUTPRE)hash_crc32.$(OBJEXT) \
+ $(OUTPRE)hash_md4.$(OBJEXT) \
+ $(OUTPRE)hash_md5.$(OBJEXT) \
+ $(OUTPRE)hash_sha1.$(OBJEXT)
+
+SRCS= $(srcdir)/hash_gen.c \
+ $(srcdir)/hash_crc32.c \
+ $(srcdir)/hash_md4.c \
+ $(srcdir)/hash_md5.c \
+ $(srcdir)/hash_sha1.c
+
+##DOS##LIBOBJS = $(OBJS)
+
+all-unix:: all-libobjs
+
+includes:: depend
+
+depend:: $(SRCS)
+
+clean-unix:: clean-libobjs
+
+@libobj_frag@
+
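Review bot: hash_gen.c is listed in `STLIBOBJS`, `OBJS` and `SRCS`, but the deps file added for this directory in the same commit has no `hash_gen` entry, so a change to nss_gen.h or sechash.h would not rebuild hash_gen.o until the dependencies are regenerated. That deps file also names `../md5/rsa-md5.h` and `../sha1/shs.h`, while `LOCALINCLUDES` only adds `-I$(srcdir)/../md4`. This suggests the deps were carried over from another provider rather than generated from these sources. Regenerating deps for this directory would bring the two into agreement.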
52 src/lib/crypto/nss/hash_provider/deps
@@ -0,0 +1,52 @@
+#
+# Generated makefile dependencies follow.
+#
+hash_crc32.so hash_crc32.po $(OUTPRE)hash_crc32.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ $(srcdir)/hash_crc32.c \
+ $(srcdir)/hash_provider.h \
+ $(srcdir)/../../krb/crc32/crc-32.h
+hash_md4.so hash_md4.po $(OUTPRE)hash_md4.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ $(srcdir)/hash_md4.c $(srcdir)/hash_provider.h \
+ $(srcdir)/../md4/rsa-md4.h
+hash_md5.so hash_md5.po $(OUTPRE)hash_md5.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ $(srcdir)/hash_md5.c $(srcdir)/hash_provider.h \
+ $(srcdir)/../md5/rsa-md5.h
+hash_sha1.so hash_sha1.po $(OUTPRE)hash_sha1.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ $(srcdir)/hash_provider.h \
+ $(srcdir)/hash_sha1.c $(srcdir)/../sha1/shs.h
58 src/lib/crypto/nss/hash_provider/hash_crc32.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+#include "crc-32.h"
+#include "hash_provider.h"
+#include "aead.h"
+
+static krb5_error_code
+k5_crc32_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
+{
+ unsigned long c;
+ unsigned int i;
+
+ if (output->length != CRC32_CKSUM_LENGTH)
+ return(KRB5_CRYPTO_INTERNAL);
+
+ c = 0;
+ for (i=0; i < num_data; i++) {
+ const krb5_crypto_iov *iov=&data[i];
+
+ if (SIGN_IOV(iov))
+ mit_crc32(iov->data.data, iov->data.length, &c);
+ }
+
+ store_32_le(c, output->data);
+ return(0);
+}
+
+const struct krb5_hash_provider krb5int_hash_crc32 = {
+ "CRC32",
+ CRC32_CKSUM_LENGTH,
+ 1,
+ k5_crc32_hash
+};
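Review bot: The loop index in `k5_crc32_hash` is declared `unsigned int i` while its bound `num_data` is a `size_t`, so on an LP64 build a count above `UINT_MAX` would wrap `i` and the loop would not terminate. Declaring it as `size_t i;` removes the mismatch. `k5_nss_gen_hash` in hash_gen.c declares its index the same way, and `k5_md4_hash` in hash_md4.c uses `unsigned long`; all three should use `size_t`.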
64 src/lib/crypto/nss/hash_provider/hash_gen.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2010 Red Hat, Inc.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+#include "sechash.h"
+#include "nss_gen.h"
+#include "aead.h"
+
+krb5_error_code
+k5_nss_gen_hash(HASH_HashType hashType, const krb5_crypto_iov *data,
+ size_t num_data, krb5_data *output)
+{
+ unsigned int i;
+ HASHContext *ctx;
+ krb5_error_code ret;
+
+ ret = k5_nss_init();
+ if (ret) return ret;
+
+ if (output->length != HASH_ResultLen(hashType))
+ return(KRB5_CRYPTO_INTERNAL);
+
+ ctx = HASH_Create(hashType);
+ if (!ctx)
+ return(ENOMEM);
+
+ HASH_Begin(ctx);
+ for (i=0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+
+ if (iov->data.length && SIGN_IOV(iov))
+ HASH_Update(ctx, (unsigned char *) iov->data.data,
+ iov->data.length);
+ }
+
+ HASH_End(ctx, (unsigned char *)output->data,
+ &output->length, output->length);
+
+ return(0);
+}
+
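Review bot: The `HASHContext` returned by `HASH_Create` in `k5_nss_gen_hash` is never released, so every call leaks the context and leaves its intermediate digest state on the heap; add `HASH_Destroy(ctx);` after the `HASH_End` call. In a long-running server this grows with every checksum computed. The `HASH_Create` failure path returns a bare `ENOMEM`, whereas the key-import code in this commit reports NSS failures through `k5_nss_map_last_error()`; using the same mapping here would keep error reporting consistent.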
33 src/lib/crypto/nss/hash_provider/hash_gen.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2010 Red Hat, Inc.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "sechash.h"
+#include "k5-int.h"
+
+krb5_error_code k5_nss_gen_hash(HASH_HashType hashType, unsigned int icount,
+ const krb5_data *input,
+ krb5_data *output);
+
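Review bot: The prototype declared here does not match the definition this commit adds in hash_gen.c: the header gives `(HASH_HashType, unsigned int icount, const krb5_data *input, krb5_data *output)`, while the function is defined with `(HASH_HashType, const krb5_crypto_iov *data, size_t num_data, krb5_data *output)`. hash_gen.c includes nss_gen.h rather than this header, so the compiler never compares the two, and a caller built against this header would pass arguments of the wrong types. The declaration should read `krb5_error_code k5_nss_gen_hash(HASH_HashType hashType, const krb5_crypto_iov *data, size_t num_data, krb5_data *output);`, or the header should be dropped if nss_gen.h already declares the function. The file also has no include guard.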
63 src/lib/crypto/nss/hash_provider/hash_md4.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2010 Red Hat, Inc.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+#include "hash_provider.h"
+#include "rsa-md4.h"
+#include "aead.h"
+
+static krb5_error_code
+k5_md4_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
+{
+ krb5_MD4_CTX ctx;
+ unsigned long i;
+
+ if (output->length != RSA_MD4_CKSUM_LENGTH) {
+ return KRB5_CRYPTO_INTERNAL;
+ }
+
+ krb5int_MD4Init(&ctx);
+ for (i=0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+
+ if (SIGN_IOV(iov)) {
+ krb5int_MD4Update(&ctx, (unsigned char *)iov->data.data,
+ iov->data.length);
+ }
+ }
+ krb5int_MD4Final(&ctx);
+
+ memcpy(output->data, ctx.digest, RSA_MD4_CKSUM_LENGTH);
+
+ return 0;