# NOTE: The t_cksum known checksum values are primarily for regression
# testing. They are not derived a priori, but are known to produce
# checksums that interoperate.
+#
+# We use the NSS PRNG when NSS is the crypto back end, so don't test
+# against the expected output for Yarrow.
check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac \
t_cksum4 t_cksum5 \
aes-test \
t_crc t_cts t_short
$(RUN_SETUP) $(VALGRIND) ./t_nfold
$(RUN_SETUP) $(VALGRIND) ./t_encrypt
- $(RUN_SETUP) $(VALGRIND) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \
- diff t_prng.output $(srcdir)/t_prng.expected
+ if [ @CRYPTO_IMPL@ != nss ]; then \
+ $(RUN_SETUP) $(VALGRIND) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \
+ diff t_prng.output $(srcdir)/t_prng.expected; fi
$(RUN_SETUP) $(VALGRIND) ./t_hmac
$(RUN_SETUP) $(VALGRIND) ./t_prf <$(srcdir)/t_prf.in >t_prf.output
diff t_prf.output $(srcdir)/t_prf.expected
#include <assert.h>
#include "k5-thread.h"
-#include "yarrow.h"
-static Yarrow_CTX y_ctx;
#define yarrow_lock krb5int_yarrow_lock
k5_mutex_t yarrow_lock = K5_MUTEX_PARTIAL_INITIALIZER;
+#ifdef CRYPTO_IMPL_NSS
+
+/*
+ * Using Yarrow with NSS is a bit problematic because the MD5 contexts it holds
+ * open for the entropy pools would be invalidated by a fork(), causing us to
+ * lose the entropy contained therein.
+ *
+ * Therefore, use the NSS PRNG if NSS is the crypto implementation. Doing this
+ * via ifdefs here is temporary until we come up with better build logic for
+ * it.
+ */
+
+#include "../nss/nss_gen.h"
+#include <pk11pub.h>
+
+/* Gather 8K of OS entropy per call, enough to fill the additional data buffer
+ * for the built-in PRNG and trigger a reseed. */
+#define OS_ENTROPY_LEN 8192
+
+int krb5int_prng_init(void)
+{
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_random_add_entropy(krb5_context context, unsigned int randsource,
+ const krb5_data *data)
+{
+ krb5_error_code ret;
+
+ ret = k5_nss_init();
+ if (ret)
+ return ret;
+ if (PK11_RandomUpdate(data->data, data->length) != SECSuccess)
+ return k5_nss_map_last_error();
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_random_make_octets(krb5_context context, krb5_data *data)
+{
+ krb5_error_code ret;
+
+ ret = k5_nss_init();
+ if (ret)
+ return ret;
+ if (PK11_GenerateRandom((unsigned char *)data->data,
+ data->length) != SECSuccess)
+ return k5_nss_map_last_error();
+ return 0;
+}
+
+void
+krb5int_prng_cleanup (void)
+{
+}
+
+#else /* CRYPTO_IMPL_NSS */
+
+#include "yarrow.h"
+static Yarrow_CTX y_ctx;
+
+/* Gather enough OS entropy per call to trigger a Yarrow reseed. */
+#define OS_ENTROPY_LEN (YARROW_SLOW_THRESH/8)
+
/* Helper function to estimate entropy based on sample length
* and where it comes from.
*/
return 0;
}
-krb5_error_code KRB5_CALLCONV
-krb5_c_random_seed(krb5_context context, krb5_data *data)
-{
- return krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OLDAPI, data);
-}
-
krb5_error_code KRB5_CALLCONV
krb5_c_random_make_octets(krb5_context context, krb5_data *data)
{
k5_mutex_destroy(&yarrow_lock);
}
+#endif /* not CRYPTO_IMPL_NSS */
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_random_seed(krb5_context context, krb5_data *data)
+{
+ return krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OLDAPI, data);
+}
/*
* Routines to get entropy from the OS. For UNIX we try /dev/urandom
krb5_data data;
struct stat sb;
int fd;
- unsigned char buf[YARROW_SLOW_THRESH/8], *bp;
+ unsigned char buf[OS_ENTROPY_LEN], *bp;
int left;
fd = open (device, O_RDONLY);
projects / thirdparty / krb5.git / commitdiff
