From: Greg Hudson Date: Tue, 12 Jan 2016 17:08:58 +0000 (-0500) Subject: Remove nss libk5crypto implementation X-Git-Tag: krb5-1.15-beta1~285 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=06ff3b5d3de2e162014eb71ab19d9e545808cacd;p=thirdparty%2Fkrb5.git Remove nss libk5crypto implementation Delete the nss libk5crypto implementation because: (1) the original contributor no longer requires it; (2) as far as we know it is rarely or never used; (3) NSS has significant impedance mismatch with MIT krb5's requirements, such as the inability to preserve crypto state across fork(); (4) NSS cannot do PBKDF2 with SHA-256 or SHA-384, as will be required for the aes-sha2 enctypes. ticket: 8345 (new) --- diff --git a/doc/build/options2configure.rst b/doc/build/options2configure.rst index 799480b290..418ec25379 100644 --- a/doc/build/options2configure.rst +++ b/doc/build/options2configure.rst @@ -337,15 +337,12 @@ Optional packages Use specified crypto implementation (e.g., **-**\ **-with-crypto-impl=**\ *openssl*). The default is the native MIT Kerberos implementation ``builtin``. The other currently - implemented crypto backends are ``openssl`` and ``nss``. (See + implemented crypto backend is ``openssl``. (See :ref:`mitK5features`) **-**\ **-with-prng-alg=**\ *ALG* Use specified PRNG algorithm. For example, to use the OS native - prng specify ``--with-prng-alg=os``. - - Default is the ``fortuna`` PRNG algorithm. For the ``nss`` crypto - backend use one must explicitly specify ``--with-prng-alg=nss``. + prng specify ``--with-prng-alg=os``. The default is ``fortuna``. (See :ref:`mitK5features`) **-**\ **-with-pkinit-crypto-impl=**\ *IMPL* diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst index ca4b298a9a..cdcb04f870 100644 --- a/doc/mitK5features.rst +++ b/doc/mitK5features.rst @@ -32,7 +32,6 @@ Supported platforms \/ OS distributions: Crypto backends: - builtin - MIT Kerberos native crypto library - OpenSSL (1.0\+) - http://www.openssl.org - - NSS (3.12.9\+) - http://www.mozilla.org/projects/security/pki/nss Database backends: LDAP, DB2 diff --git a/src/configure.in b/src/configure.in index 889bd7d2c3..a8d52df1dc 100644 --- a/src/configure.in +++ b/src/configure.in @@ -225,24 +225,6 @@ builtin) openssl) AC_CHECK_LIB(crypto, PKCS7_get_signer_info) ;; -nss) - if test "${CRYPTO_IMPL_CFLAGS+set}" != set; then - CRYPTO_IMPL_CFLAGS=`pkg-config --cflags nss` - fi - if test "${CRYPTO_IMPL_LIBS+set}" != set; then - CRYPTO_IMPL_LIBS="-lnss3 $(pkg-config --libs nss-util)" - fi - AC_DEFINE(CRYPTO_IMPL_NSS,1,[Define if crypto implementation is NSS]) - save_CFLAGS=$CFLAGS - CFLAGS="$CFLAGS $CRYPTO_IMPL_CFLAGS" - AC_COMPILE_IFELSE([AC_LANG_SOURCE([ -#include -#if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && NSS_VMINOR < 13) -#error -#endif - ])], [], [AC_MSG_ERROR([NSS version 3.13 or later required.])]) - CFLAGS=$save_CFLAGS - ;; *) AC_MSG_ERROR([Unknown crypto implementation $withval]) ;; @@ -252,15 +234,11 @@ AC_SUBST(CRYPTO_IMPL) AC_SUBST(CRYPTO_IMPL_CFLAGS) AC_SUBST(CRYPTO_IMPL_LIBS) -if test "$CRYPTO_IMPL" = nss; then - PRNG_ALG="nss" -else AC_ARG_WITH([prng-alg], -AC_HELP_STRING([--with-prng-alg=ALG], [use specified PRNG algorithm. Ignored for nss. @<:@fortuna@:>@]), +AC_HELP_STRING([--with-prng-alg=ALG], [use specified PRNG algorithm. @<:@fortuna@:>@]), [PRNG_ALG=$withval AC_MSG_NOTICE(k5crypto will use '$withval') ], PRNG_ALG=fortuna) -fi AC_CONFIG_COMMANDS(PRNG_ALG, , PRNG_ALG=$PRNG_ALG) AC_SUBST(PRNG_ALG) if test "$PRNG_ALG" = fortuna; then diff --git a/src/lib/crypto/crypto_tests/t_fork.c b/src/lib/crypto/crypto_tests/t_fork.c index 09fb314e20..1ccd2866d5 100644 --- a/src/lib/crypto/crypto_tests/t_fork.c +++ b/src/lib/crypto/crypto_tests/t_fork.c @@ -26,7 +26,7 @@ /* * Test basic libk5crypto behavior across forks. This is primarily interesting - * for back ends with PKCS11-based constraints, such as the NSS back end. + * for back ends with PKCS11-based constraints. */ #include "k5-int.h" @@ -92,13 +92,8 @@ main() t(krb5_c_decrypt(ctx, &kb_aes, 0, NULL, &out_aes, &decrypted)); assert(data_eq(plain, decrypted)); - /* - * Encrypt another RC4 message. This may fail because RC4 cipher state in - * the NSS back end includes a PKCS11 handle which won't work across forks, - * but make sure it fails in the expected manner. - */ - ret = krb5_k_encrypt(ctx, key_rc4, 0, &state_rc4, &plain, &out_rc4); - assert(ret == 0 || ret == EINVAL); + /* Encrypt another RC4 message. */ + t(krb5_k_encrypt(ctx, key_rc4, 0, &state_rc4, &plain, &out_rc4)); t(krb5_c_free_state(ctx, &kb_rc4, &state_rc4)); /* If we're the parent, make sure the child succeeded. */ diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h index c0541447a4..a12846ae36 100644 --- a/src/lib/crypto/krb/crypto_int.h +++ b/src/lib/crypto/krb/crypto_int.h @@ -492,12 +492,12 @@ void krb5int_crypto_impl_cleanup(void); * These functions must never fail on valid inputs, and contexts must remain * valid across forks. If the module cannot meet those constraints, then it * should provide its own PRNG module and the build system should ensure that - * it is used; for an example, see how nss uses prng_nss. + * it is used. * * The function symbols named above are also in the library export list (so * they can be used by the t_fortuna.c test code), so even if the module * defines them away or doesn't work with Fortuna, the module must provide - * stubs; see stubs.c in the openssl or nss modules for examples. + * stubs; see stubs.c in the openssl module for examples. */ #include diff --git a/src/lib/crypto/krb/prng_nss.c b/src/lib/crypto/krb/prng_nss.c deleted file mode 100644 index a304054bf6..0000000000 --- a/src/lib/crypto/krb/prng_nss.c +++ /dev/null @@ -1,59 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/krb/prng_nss.c */ -/* - * Copyright (C) 2010 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * - * Export of this software from the United States of America may require - * a specific license from the United States Government. It is the - * responsibility of any person or organization contemplating export to - * obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#include "crypto_int.h" -#include "nss_prng.h" - -/* - * This PRNG module should be used whenever the NSS crypto implementation is - * used. The Fortuna module does not work with NSS because it needs to hold - * AES-256 and SHA-256 contexts across forks. - */ - -int -k5_prng_init(void) -{ - return 0; -} - -void -k5_prng_cleanup(void) -{ -} - -krb5_error_code KRB5_CALLCONV -krb5_c_random_add_entropy(krb5_context context, unsigned int randsource, - const krb5_data *indata) -{ - return k5_nss_prng_add_entropy(context, indata); -} - -krb5_error_code KRB5_CALLCONV -krb5_c_random_make_octets(krb5_context context, krb5_data *outdata) -{ - return k5_nss_prng_make_octets(context, outdata); -} diff --git a/src/lib/crypto/nss/Makefile.in b/src/lib/crypto/nss/Makefile.in deleted file mode 100644 index 06d1d768b0..0000000000 --- a/src/lib/crypto/nss/Makefile.in +++ /dev/null @@ -1,49 +0,0 @@ -mydir=lib$(S)crypto$(S)nss -BUILDTOP=$(REL)..$(S)..$(S).. -SUBDIRS=des aes camellia md4 md5 sha1 sha2 enc_provider hash_provider -CRYPTO_IMPL_CFLAGS=@CRYPTO_IMPL_CFLAGS@ -LOCALINCLUDES = -I$(srcdir)/../krb -I$(srcdir) $(CRYPTO_IMPL_CFLAGS) - -STLIBOBJS=\ - hmac.o \ - pbkdf2.o \ - prng.o \ - stubs.o - -OBJS=\ - $(OUTPRE)hmac.$(OBJEXT) \ - $(OUTPRE)pbkdf2.$(OBJEXT) \ - $(OUTPRE)prng.$(OBJEXT) \ - $(OUTPRE)stubs.$(OBJEXT) - -SRCS=\ - $(srcdir)/hmac.c \ - $(srcdir)/pbkdf2.c \ - $(srcdir)/prng.c \ - $(srcdir)/stubs.c - -STOBJLISTS= des/OBJS.ST md4/OBJS.ST \ - md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \ - enc_provider/OBJS.ST \ - hash_provider/OBJS.ST \ - aes/OBJS.ST \ - camellia/OBJS.ST \ - OBJS.ST - -SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \ - md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \ - enc_provider/OBJS.ST \ - hash_provider/OBJS.ST \ - aes/OBJS.ST \ - camellia/OBJS.ST - -all-unix:: all-libobjs -includes:: depend - -depend:: $(SRCS) - -clean-unix:: clean-libobjs - -@lib_frag@ -@libobj_frag@ - diff --git a/src/lib/crypto/nss/aes/Makefile.in b/src/lib/crypto/nss/aes/Makefile.in deleted file mode 100644 index 89f074c10f..0000000000 --- a/src/lib/crypto/nss/aes/Makefile.in +++ /dev/null @@ -1,6 +0,0 @@ -# Placeholder since all crypto modules must have the same structure. -mydir=lib$(S)crypto$(S)nss$(S)aes -BUILDTOP=$(REL)..$(S)..$(S)..$(S).. -all-unix:: all-libobjs -clean-unix:: clean-libobjs -@libobj_frag@ diff --git a/src/lib/crypto/nss/aes/deps b/src/lib/crypto/nss/aes/deps deleted file mode 100644 index 2feac3c9d3..0000000000 --- a/src/lib/crypto/nss/aes/deps +++ /dev/null @@ -1 +0,0 @@ -# No dependencies here. diff --git a/src/lib/crypto/nss/camellia/Makefile.in b/src/lib/crypto/nss/camellia/Makefile.in deleted file mode 100644 index 590c902820..0000000000 --- a/src/lib/crypto/nss/camellia/Makefile.in +++ /dev/null @@ -1,6 +0,0 @@ -# Placeholder since all crypto modules must have the same structure. -mydir=lib$(S)crypto$(S)nss$(S)camellia -BUILDTOP=$(REL)..$(S)..$(S)..$(S).. -all-unix:: all-libobjs -clean-unix:: clean-libobjs -@libobj_frag@ diff --git a/src/lib/crypto/nss/camellia/deps b/src/lib/crypto/nss/camellia/deps deleted file mode 100644 index 2feac3c9d3..0000000000 --- a/src/lib/crypto/nss/camellia/deps +++ /dev/null @@ -1 +0,0 @@ -# No dependencies here. diff --git a/src/lib/crypto/nss/crypto_mod.h b/src/lib/crypto/nss/crypto_mod.h deleted file mode 100644 index 2f82a2b0d4..0000000000 --- a/src/lib/crypto/nss/crypto_mod.h +++ /dev/null @@ -1,39 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/nss/crypto_mod.h - NSS crypto module declarations */ -/* - * Copyright (C) 2011 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -/* - * This header is included from lib/crypto/krb/crypto_int.h to provide - * module-specific declarations. It is not included directly from source - * files. - */ - -#ifndef CRYPTO_MOD_H -#define CRYPTO_MOD_H - -/* Because the NSS crypto module doesn't work with the Fortuna PRNG, we don't - * need to declare anything here. */ - -#endif /* CRYPTO_MOD_H */ diff --git a/src/lib/crypto/nss/deps b/src/lib/crypto/nss/deps deleted file mode 100644 index 547a6bacb6..0000000000 --- a/src/lib/crypto/nss/deps +++ /dev/null @@ -1,46 +0,0 @@ -# -# Generated makefile dependencies follow. -# -hmac.so hmac.po $(OUTPRE)hmac.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../krb/crypto_int.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - crypto_mod.h hmac.c nss_gen.h -pbkdf2.so pbkdf2.po $(OUTPRE)pbkdf2.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../krb/crypto_int.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - crypto_mod.h nss_gen.h pbkdf2.c -prng.so prng.po $(OUTPRE)prng.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../krb/crypto_int.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - crypto_mod.h nss_gen.h nss_prng.h prng.c -stubs.so stubs.po $(OUTPRE)stubs.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h stubs.c diff --git a/src/lib/crypto/nss/des/Makefile.in b/src/lib/crypto/nss/des/Makefile.in deleted file mode 100644 index 6b240e63bf..0000000000 --- a/src/lib/crypto/nss/des/Makefile.in +++ /dev/null @@ -1,21 +0,0 @@ -mydir=lib$(S)crypto$(S)nss$(S)des -BUILDTOP=$(REL)..$(S)..$(S)..$(S).. -CRYPTO_IMPL_CFLAGS=@CRYPTO_IMPL_CFLAGS@ -LOCALINCLUDES = -I$(srcdir)/../../krb -I$(srcdir)/.. $(CRYPTO_IMPL_CFLAGS) - -STLIBOBJS= des_keys.o - -OBJS= $(OUTPRE)des_keys.$(OBJEXT) - -SRCS= $(srcdir)/des_keys.c - -all-unix:: all-libobjs - -includes:: depend - -depend:: $(SRCS) - -clean-unix:: clean-libobjs - -@libobj_frag@ - diff --git a/src/lib/crypto/nss/des/deps b/src/lib/crypto/nss/des/deps deleted file mode 100644 index 21b904f896..0000000000 --- a/src/lib/crypto/nss/des/deps +++ /dev/null @@ -1,15 +0,0 @@ -# -# Generated makefile dependencies follow. -# -des_keys.so des_keys.po $(OUTPRE)des_keys.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(srcdir)/../crypto_mod.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - des_keys.c diff --git a/src/lib/crypto/nss/des/des_keys.c b/src/lib/crypto/nss/des/des_keys.c deleted file mode 100644 index 4ff0e845d2..0000000000 --- a/src/lib/crypto/nss/des/des_keys.c +++ /dev/null @@ -1,87 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/nss/des/des_keys.c - Key functions used by Kerberos code */ -/* - * Copyright (C) 2011 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#include "crypto_int.h" - -/* - * des_fixup_key_parity: Forces odd parity per byte; parity is bits - * 8,16,...64 in des order, implies 0, 8, 16, ... - * vax order. - */ -#define smask(step) ((1<>step)&smask(step))) -#define parity_char(x) pstep(pstep(pstep((x),4),2),1) - -void -k5_des_fixup_key_parity(unsigned char *keybits) -{ - unsigned int i; - - for (i = 0; i < 8; i++) { - keybits[i] &= 0xfe; - keybits[i] |= 1^parity_char(keybits[i]); - } -} - -/* The following are the weak DES keys: */ -static const unsigned char weak[16][8] = { - /* Weak keys */ - {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01}, - {0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,0xfe}, - {0x1f,0x1f,0x1f,0x1f,0x0e,0x0e,0x0e,0x0e}, - {0xe0,0xe0,0xe0,0xe0,0xf1,0xf1,0xf1,0xf1}, - - /* Semi-weak */ - {0x01,0xfe,0x01,0xfe,0x01,0xfe,0x01,0xfe}, - {0xfe,0x01,0xfe,0x01,0xfe,0x01,0xfe,0x01}, - - {0x1f,0xe0,0x1f,0xe0,0x0e,0xf1,0x0e,0xf1}, - {0xe0,0x1f,0xe0,0x1f,0xf1,0x0e,0xf1,0x0e}, - - {0x01,0xe0,0x01,0xe0,0x01,0xf1,0x01,0xf1}, - {0xe0,0x01,0xe0,0x01,0xf1,0x01,0xf1,0x01}, - - {0x1f,0xfe,0x1f,0xfe,0x0e,0xfe,0x0e,0xfe}, - {0xfe,0x1f,0xfe,0x1f,0xfe,0x0e,0xfe,0x0e}, - - {0x01,0x1f,0x01,0x1f,0x01,0x0e,0x01,0x0e}, - {0x1f,0x01,0x1f,0x01,0x0e,0x01,0x0e,0x01}, - - {0xe0,0xfe,0xe0,0xfe,0xf1,0xfe,0xf1,0xfe}, - {0xfe,0xe0,0xfe,0xe0,0xfe,0xf1,0xfe,0xf1} -}; - -krb5_boolean -k5_des_is_weak_key(unsigned char *keybits) -{ - unsigned int i; - - for (i = 0; i < sizeof(weak) / 8; i++) { - if (memcmp(weak[i], keybits, 8) == 0) - return TRUE; - } - return FALSE; -} diff --git a/src/lib/crypto/nss/enc_provider/Makefile.in b/src/lib/crypto/nss/enc_provider/Makefile.in deleted file mode 100644 index e1d382e2ca..0000000000 --- a/src/lib/crypto/nss/enc_provider/Makefile.in +++ /dev/null @@ -1,39 +0,0 @@ -mydir=lib$(S)crypto$(S)nss$(S)enc_provider -BUILDTOP=$(REL)..$(S)..$(S)..$(S).. -CRYPTO_IMPL_CFLAGS=@CRYPTO_IMPL_CFLAGS@ -LOCALINCLUDES = -I$(srcdir)/../../krb -I$(srcdir)/.. $(CRYPTO_IMPL_CFLAGS) - -STLIBOBJS= \ - enc_gen.o \ - des.o \ - des3.o \ - rc4.o \ - aes.o \ - camellia.o - -OBJS= \ - $(OUTPRE)enc_gen.$(OBJEXT) \ - $(OUTPRE)des.$(OBJEXT) \ - $(OUTPRE)des3.$(OBJEXT) \ - $(OUTPRE)aes.$(OBJEXT) \ - $(OUTPRE)camellia.$(OBJEXT) \ - $(OUTPRE)rc4.$(OBJEXT) - -SRCS= \ - $(srcdir)/enc_gen.c \ - $(srcdir)/des.c \ - $(srcdir)/des3.c \ - $(srcdir)/aes.c \ - $(srcdir)/camellia.c \ - $(srcdir)/rc4.c - -all-unix:: all-libobjs - -includes:: depend - -depend:: $(SRCS) - -clean-unix:: clean-libobjs - -@libobj_frag@ - diff --git a/src/lib/crypto/nss/enc_provider/aes.c b/src/lib/crypto/nss/enc_provider/aes.c deleted file mode 100644 index 3fe79967d1..0000000000 --- a/src/lib/crypto/nss/enc_provider/aes.c +++ /dev/null @@ -1,99 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/nss/enc_provider/aes.c */ -/* - * Copyright (c) 2010 Red Hat, Inc. - * All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * * Neither the name of Red Hat, Inc., nor the names of its - * contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS - * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A - * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER - * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF - * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING - * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "crypto_int.h" -#include "nss_gen.h" - -krb5_error_code -krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec, - krb5_crypto_iov *data, size_t num_data) -{ - krb5_error_code ret; - - ret = k5_nss_gen_import(key, CKM_AES_CBC, CKA_ENCRYPT); - if (ret != 0) - return ret; - return k5_nss_gen_cts_iov(key, CKM_AES_CBC, CKA_ENCRYPT, - ivec, data, num_data); -} - -krb5_error_code -krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec, - krb5_crypto_iov *data, size_t num_data) -{ - krb5_error_code ret; - - ret = k5_nss_gen_import(key, CKM_AES_CBC, CKA_DECRYPT); - if (ret != 0) - return ret; - return k5_nss_gen_cts_iov(key, CKM_AES_CBC, CKA_DECRYPT, - ivec, data, num_data); -} - -/* - * perhaps we should store the NSS context in the krb5_data state here? - */ -static krb5_error_code -aes_init_state(const krb5_keyblock *key, krb5_keyusage usage, - krb5_data *state) -{ - state->length = 16; - state->data = (void *) malloc(16); - if (state->data == NULL) - return ENOMEM; - memset(state->data, 0, state->length); - return 0; -} - -const struct krb5_enc_provider krb5int_enc_aes128 = { - 16, - 16, 16, - krb5int_aes_encrypt, - krb5int_aes_decrypt, - NULL, - aes_init_state, - krb5int_default_free_state, -}; - -const struct krb5_enc_provider krb5int_enc_aes256 = { - 16, - 32, 32, - krb5int_aes_encrypt, - krb5int_aes_decrypt, - NULL, - aes_init_state, - krb5int_default_free_state, - k5_nss_gen_cleanup -}; diff --git a/src/lib/crypto/nss/enc_provider/camellia.c b/src/lib/crypto/nss/enc_provider/camellia.c deleted file mode 100644 index 9859efa1da..0000000000 --- a/src/lib/crypto/nss/enc_provider/camellia.c +++ /dev/null @@ -1,113 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/nss/enc_provider/camellia.c */ -/* - * Copyright (c) 2010 Red Hat, Inc. - * All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * * Neither the name of Red Hat, Inc., nor the names of its - * contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS - * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A - * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER - * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF - * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING - * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "crypto_int.h" -#include "nss_gen.h" - -static krb5_error_code -krb5int_camellia_encrypt(krb5_key key, const krb5_data *ivec, - krb5_crypto_iov *data, size_t num_data) -{ - krb5_error_code ret; - - ret = k5_nss_gen_import(key, CKM_CAMELLIA_CBC, CKA_ENCRYPT); - if (ret != 0) - return ret; - return k5_nss_gen_cts_iov(key, CKM_CAMELLIA_CBC, CKA_ENCRYPT, - ivec, data, num_data); -} - -static krb5_error_code -krb5int_camellia_decrypt(krb5_key key, const krb5_data *ivec, - krb5_crypto_iov *data, size_t num_data) -{ - krb5_error_code ret; - - ret = k5_nss_gen_import(key, CKM_CAMELLIA_CBC, CKA_DECRYPT); - if (ret != 0) - return ret; - return k5_nss_gen_cts_iov(key, CKM_CAMELLIA_CBC, CKA_DECRYPT, - ivec, data, num_data); -} - -krb5_error_code -krb5int_camellia_cbc_mac(krb5_key key, const krb5_crypto_iov *data, - size_t num_data, const krb5_data *ivec, - krb5_data *output) -{ - krb5_error_code ret; - - ret = k5_nss_gen_import(key, CKM_CAMELLIA_CBC, CKA_ENCRYPT); - if (ret != 0) - return ret; - return k5_nss_gen_cbcmac_iov(key, CKM_CAMELLIA_CBC, ivec, data, num_data, - output); -} - -/* - * perhaps we should store the NSS context in the krb5_data state here? - */ -static krb5_error_code -camellia_init_state(const krb5_keyblock *key, krb5_keyusage usage, - krb5_data *state) -{ - state->length = 16; - state->data = (void *) malloc(16); - if (state->data == NULL) - return ENOMEM; - memset(state->data, 0, state->length); - return 0; -} - -const struct krb5_enc_provider krb5int_enc_camellia128 = { - 16, - 16, 16, - krb5int_camellia_encrypt, - krb5int_camellia_decrypt, - krb5int_camellia_cbc_mac, - camellia_init_state, - krb5int_default_free_state, -}; - -const struct krb5_enc_provider krb5int_enc_camellia256 = { - 16, - 32, 32, - krb5int_camellia_encrypt, - krb5int_camellia_decrypt, - krb5int_camellia_cbc_mac, - camellia_init_state, - krb5int_default_free_state, - k5_nss_gen_cleanup -}; diff --git a/src/lib/crypto/nss/enc_provider/deps b/src/lib/crypto/nss/enc_provider/deps deleted file mode 100644 index b0c2ab8c18..0000000000 --- a/src/lib/crypto/nss/enc_provider/deps +++ /dev/null @@ -1,70 +0,0 @@ -# -# Generated makefile dependencies follow. -# -enc_gen.so enc_gen.po $(OUTPRE)enc_gen.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ - $(srcdir)/../crypto_mod.h $(srcdir)/../nss_gen.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h enc_gen.c -des.so des.po $(OUTPRE)des.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ - $(srcdir)/../crypto_mod.h $(srcdir)/../nss_gen.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h des.c -des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ - $(srcdir)/../crypto_mod.h $(srcdir)/../nss_gen.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h des3.c -aes.so aes.po $(OUTPRE)aes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ - $(srcdir)/../crypto_mod.h $(srcdir)/../nss_gen.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h aes.c -camellia.so camellia.po $(OUTPRE)camellia.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(srcdir)/../crypto_mod.h \ - $(srcdir)/../nss_gen.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h camellia.c -rc4.so rc4.po $(OUTPRE)rc4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \ - $(srcdir)/../crypto_mod.h $(srcdir)/../nss_gen.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h rc4.c diff --git a/src/lib/crypto/nss/enc_provider/des.c b/src/lib/crypto/nss/enc_provider/des.c deleted file mode 100644 index bb1f1c0470..0000000000 --- a/src/lib/crypto/nss/enc_provider/des.c +++ /dev/null @@ -1,89 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/nss/enc_provider/des.c */ -/* - * Copyright (c) 2010 Red Hat, Inc. - * All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * * Neither the name of Red Hat, Inc., nor the names of its - * contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS - * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A - * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER - * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF - * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING - * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "crypto_int.h" -#include "nss_gen.h" - -static krb5_error_code -k5_des_encrypt_iov(krb5_key key, const krb5_data *ivec, - krb5_crypto_iov *data, size_t num_data) -{ - krb5_error_code ret; - - ret = k5_nss_gen_import(key, CKM_DES_CBC, CKA_ENCRYPT); - if (ret != 0) - return ret; - return k5_nss_gen_block_iov(key, CKM_DES_CBC, CKA_ENCRYPT, - ivec, data, num_data); -} - -static krb5_error_code -k5_des_decrypt_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) -{ - krb5_error_code ret; - - ret = k5_nss_gen_import(key, CKM_DES_CBC, CKA_DECRYPT); - if (ret != 0) - return ret; - return k5_nss_gen_block_iov(key, CKM_DES_CBC, CKA_DECRYPT, - ivec, data, num_data); -} - -static krb5_error_code -k5_des_cbc_mac(krb5_key key, const krb5_crypto_iov *data, size_t num_data, - const krb5_data *ivec, krb5_data *output) -{ - krb5_error_code ret; - - ret = k5_nss_gen_import(key, CKM_DES_CBC, CKA_ENCRYPT); - if (ret != 0) - return ret; - return k5_nss_gen_cbcmac_iov(key, CKM_DES_CBC, ivec, data, num_data, - output); -} - -const struct krb5_enc_provider krb5int_enc_des = { - 8, - 7, 8, - k5_des_encrypt_iov, - k5_des_decrypt_iov, - k5_des_cbc_mac, - krb5int_des_init_state, - krb5int_default_free_state, - k5_nss_gen_cleanup -}; diff --git a/src/lib/crypto/nss/enc_provider/des3.c b/src/lib/crypto/nss/enc_provider/des3.c deleted file mode 100644 index 6217709c8e..0000000000 --- a/src/lib/crypto/nss/enc_provider/des3.c +++ /dev/null @@ -1,74 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/nss/enc_provider/des3.c */ -/* - * Copyright (c) 2010 Red Hat, Inc. - * All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * * Neither the name of Red Hat, Inc., nor the names of its - * contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS - * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A - * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER - * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF - * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING - * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "crypto_int.h" -#include "nss_gen.h" - -static krb5_error_code -k5_des3_encrypt_iov(krb5_key key, const krb5_data *ivec, - krb5_crypto_iov *data, size_t num_data) -{ - krb5_error_code ret; - - ret = k5_nss_gen_import(key, CKM_DES3_CBC, CKA_ENCRYPT); - if (ret != 0) - return ret; - return k5_nss_gen_block_iov(key, CKM_DES3_CBC, CKA_ENCRYPT, - ivec, data, num_data); -} - -static krb5_error_code -k5_des3_decrypt_iov(krb5_key key, const krb5_data *ivec, - krb5_crypto_iov *data, size_t num_data) -{ - krb5_error_code ret; - - ret = k5_nss_gen_import(key, CKM_DES3_CBC, CKA_DECRYPT); - if (ret != 0) - return ret; - return k5_nss_gen_block_iov(key, CKM_DES3_CBC, CKA_DECRYPT, - ivec, data, num_data); -} - -const struct krb5_enc_provider krb5int_enc_des3 = { - 8, - 21, 24, - k5_des3_encrypt_iov, - k5_des3_decrypt_iov, - NULL, - krb5int_des_init_state, - krb5int_default_free_state, - k5_nss_gen_cleanup -}; diff --git a/src/lib/crypto/nss/enc_provider/enc_gen.c b/src/lib/crypto/nss/enc_provider/enc_gen.c deleted file mode 100644 index cfe0d65e8e..0000000000 --- a/src/lib/crypto/nss/enc_provider/enc_gen.c +++ /dev/null @@ -1,730 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/nss/enc_provider/enc_gen.c */ -/* - * Copyright (c) 2010 Red Hat, Inc. - * All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * * Neither the name of Red Hat, Inc., nor the names of its - * contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS - * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A - * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER - * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF - * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING - * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "crypto_int.h" -#include "nss_gen.h" -#include "seccomon.h" -#include "secmod.h" -#include "pk11pub.h" -#include "nss.h" - -/* 512 bits is bigger than anything defined to date */ -#define MAX_KEY_LENGTH 64 -#define MAX_BLOCK_SIZE 64 - -static NSSInitContext *k5_nss_ctx = NULL; -static pid_t k5_nss_pid = 0; -static k5_mutex_t k5_nss_lock = K5_MUTEX_PARTIAL_INITIALIZER; - -struct stream_state { - struct stream_state *loopback; /* To detect copying */ - pid_t pid; /* To detect use across fork */ - PK11Context *ctx; -}; - -struct cached_key { - pid_t pid; /* To detect use across fork */ - PK11SymKey *symkey; -}; - -krb5_error_code -k5_nss_map_error(int nss_error) -{ - /* Currently KRB5 does not define a full set of CRYPTO failures. - * for now just use KRB5_CRYPTO_INTERNAL. We really should return - * errors for Not logged in, and maybe a few others. */ - return KRB5_CRYPTO_INTERNAL; -} - -krb5_error_code -k5_nss_map_last_error(void) -{ - return k5_nss_map_error(PORT_GetError()); -} - -int -krb5int_crypto_impl_init(void) -{ - return k5_mutex_finish_init(&k5_nss_lock); -} - -void -krb5int_crypto_impl_cleanup(void) -{ - k5_mutex_destroy(&k5_nss_lock); -} - -/* - * krb5 doesn't have a call into the crypto engine to initialize it, so we do - * it here. This code will try to piggyback on any application initialization - * done to NSS. Otherwise get our one library init context. - */ -#define NSS_KRB5_CONFIGDIR "sql:/etc/pki/nssdb" -krb5_error_code -k5_nss_init(void) -{ - PRUint32 flags = NSS_INIT_READONLY | NSS_INIT_NOROOTINIT; - krb5_error_code ret = 0; - SECStatus rv; - pid_t pid; - - k5_mutex_lock(&k5_nss_lock); - pid = getpid(); - if (k5_nss_ctx != NULL) { - /* Do nothing if the existing context is still good. */ - if (k5_nss_pid == pid) - goto cleanup; - /* The caller has forked. Restart the NSS modules. This will - * invalidate all of our PKCS11 handles, which we're prepared for. */ - rv = SECMOD_RestartModules(TRUE); - if (rv != SECSuccess) { - ret = k5_nss_map_last_error(); - goto cleanup; - } - k5_nss_pid = pid; - goto cleanup; - } - k5_nss_ctx = NSS_InitContext(NSS_KRB5_CONFIGDIR, "", "", "", NULL, flags); - if (k5_nss_ctx == NULL) { - /* There may be no system database; try again without it. */ - flags |= NSS_INIT_NOMODDB | NSS_INIT_NOCERTDB; - k5_nss_ctx = NSS_InitContext(NULL, "", "", "", NULL, flags); - if (k5_nss_ctx == NULL) { - ret = k5_nss_map_last_error(); - goto cleanup; - } - } - k5_nss_pid = pid; - -cleanup: - k5_mutex_unlock(&k5_nss_lock); - return ret; -} - -PK11Context * -k5_nss_create_context(krb5_key krb_key, CK_MECHANISM_TYPE mechanism, - CK_ATTRIBUTE_TYPE operation, SECItem *param) -{ - struct cached_key *ckey = krb_key->cache; - - return PK11_CreateContextBySymKey(mechanism, operation, ckey->symkey, - param); -} - -static void inline -xor(unsigned char *x, unsigned char *y, int size) -{ - int i; - -#define ALIGNED(x,type) (!(((size_t)(x))&(sizeof(type)-1))) - if (ALIGNED(x,unsigned long) && ALIGNED(y, unsigned long) - && ALIGNED(size, unsigned long)) { - unsigned long *ux = (unsigned long *)x; - unsigned long *uy = (unsigned long *)y; - for (i=0; i < (int)(size/sizeof(unsigned long)); i++) { - *ux++ ^= *uy++; - } - return; - } - for (i=0; i < size; i++) { - *x++ ^= *y++; - } -} - -krb5_error_code -k5_nss_gen_block_iov(krb5_key krb_key, CK_MECHANISM_TYPE mech, - CK_ATTRIBUTE_TYPE operation, const krb5_data *ivec, - krb5_crypto_iov *data, size_t num_data) -{ - krb5_error_code ret = 0; - PK11Context *ctx = NULL; - SECStatus rv; - SECItem *param = NULL; - struct iov_cursor cursor; - unsigned char block[MAX_BLOCK_SIZE]; - unsigned char iv0[MAX_BLOCK_SIZE]; - unsigned char *lastptr = NULL; - SECItem iv; - size_t blocksize; - int length = 0; - int lastblock = -1; - int currentblock; - - blocksize = PK11_GetBlockSize(mech, NULL); - assert(blocksize <= sizeof(block)); - - if (ivec && ivec->data) { - iv.data = (unsigned char *)ivec->data; - iv.len = ivec->length; - if (operation == CKA_DECRYPT) { - /* Count the blocks so we know which block is last. */ - int inputlength = iov_total_length(data, num_data, FALSE); - lastblock = (inputlength/blocksize) -1; - } - } else { - memset(iv0, 0, sizeof(iv0)); - iv.data = iv0; - iv.len = blocksize; - } - param = PK11_ParamFromIV(mech, &iv); - - ctx = k5_nss_create_context(krb_key, mech, operation, param); - if (ctx == NULL) { - ret = k5_nss_map_last_error(); - goto done; - } - - k5_iov_cursor_init(&cursor, data, num_data, blocksize, FALSE); - for (currentblock = 0;;currentblock++) { - if (!k5_iov_cursor_get(&cursor, block)) - break; - - lastptr = NULL; - - /* only set if we are decrypting */ - if (lastblock == currentblock) - memcpy(ivec->data, block, blocksize); - - rv = PK11_CipherOp(ctx, block, &length, blocksize, block, blocksize); - if (rv != SECSuccess) { - ret = k5_nss_map_last_error(); - break; - } - - lastptr = block; - k5_iov_cursor_put(&cursor, block); - } - - if (lastptr && ivec && ivec->data && operation == CKA_ENCRYPT) { - memcpy(ivec->data, lastptr, blocksize); - } -done: - if (ctx) { - PK11_Finalize(ctx); - PK11_DestroyContext(ctx, PR_TRUE); - } - if (param) - SECITEM_FreeItem(param, PR_TRUE); - return ret; -} - -krb5_error_code -k5_nss_stream_init_state(krb5_data *new_state) -{ - struct stream_state *sstate; - - /* Create a state structure with an uninitialized context. */ - sstate = calloc(1, sizeof(*sstate)); - if (sstate == NULL) - return ENOMEM; - sstate->loopback = NULL; - new_state->data = (char *) sstate; - new_state->length = sizeof(*sstate); - return 0; -} - -void -k5_nss_stream_free_state(krb5_data *state) -{ - struct stream_state *sstate = (struct stream_state *) state->data; - - /* Clean up the OpenSSL context if it was initialized. */ - if (sstate && sstate->loopback == sstate) { - PK11_Finalize(sstate->ctx); - PK11_DestroyContext(sstate->ctx, PR_TRUE); - } - free(sstate); -} - -krb5_error_code -k5_nss_gen_stream_iov(krb5_key krb_key, krb5_data *state, - CK_MECHANISM_TYPE mech, CK_ATTRIBUTE_TYPE operation, - krb5_crypto_iov *data, size_t num_data) -{ - int ret = 0; - PK11Context *ctx = NULL; - SECStatus rv; - SECItem param; - krb5_crypto_iov *iov; - struct stream_state *sstate = NULL; - int i; - - param.data = NULL; - param.len = 0; - - sstate = (state == NULL) ? NULL : (struct stream_state *) state->data; - if (sstate == NULL || sstate->loopback == NULL) { - ctx = k5_nss_create_context(krb_key, mech, operation, ¶m); - if (ctx == NULL) { - ret = k5_nss_map_last_error(); - goto done; - } - if (sstate) { - sstate->loopback = sstate; - sstate->pid = getpid(); - sstate->ctx = ctx; - } - } else { - /* Cipher state can't be copied or used across a fork. */ - if (sstate->loopback != sstate || sstate->pid != getpid()) - return EINVAL; - ctx = sstate->ctx; - } - - for (i=0; i < (int)num_data; i++) { - int return_length; - iov = &data[i]; - if (iov->data.length <= 0) - continue; - - if (ENCRYPT_IOV(iov)) { - rv = PK11_CipherOp(ctx, (unsigned char *)iov->data.data, - &return_length, iov->data.length, - (unsigned char *)iov->data.data, - iov->data.length); - if (rv != SECSuccess) { - ret = k5_nss_map_last_error(); - goto done; - } - iov->data.length = return_length; - } - } -done: - if (!state && ctx) { - PK11_Finalize(ctx); - PK11_DestroyContext(ctx, PR_TRUE); - } - return ret; -} - -krb5_error_code -k5_nss_gen_cts_iov(krb5_key krb_key, CK_MECHANISM_TYPE mech, - CK_ATTRIBUTE_TYPE operation, const krb5_data *ivec, - krb5_crypto_iov *data, size_t num_data) -{ - krb5_error_code ret = 0; - PK11Context *ctx = NULL; - SECStatus rv; - SECItem *param = NULL; - struct iov_cursor cursor; - unsigned char block[MAX_BLOCK_SIZE]; - unsigned char recover1[MAX_BLOCK_SIZE]; - unsigned char recover2[MAX_BLOCK_SIZE]; - unsigned char block1[MAX_BLOCK_SIZE]; - unsigned char block2[MAX_BLOCK_SIZE]; - unsigned char iv0[MAX_BLOCK_SIZE]; - SECItem iv; - size_t blocksize; - size_t bulk_length, remainder; - size_t input_length, lastblock; - size_t length; - int len; - - blocksize = PK11_GetBlockSize(mech, NULL); - assert(blocksize <= sizeof(block)); - - if (ivec) { - iv.data = (unsigned char *)ivec->data; - iv.len = ivec->length; - } else { - memset(iv0, 0, sizeof(iv0)); - iv.data = iv0; - iv.len = blocksize; - } - param = PK11_ParamFromIV(mech, &iv); - - input_length = iov_total_length(data, num_data, FALSE); - /* Must be at least a block or we fail. */ - if (input_length < blocksize) { - ret = EINVAL; - goto done; - } - - bulk_length = (input_length / blocksize)*blocksize; - remainder = input_length - bulk_length; - /* Do the block swap even if the input data is aligned, only - * drop it if we are encrypting exactly one block. */ - if (remainder == 0 && bulk_length != blocksize) { - remainder = blocksize; - bulk_length -= blocksize; - } - - ctx = k5_nss_create_context(krb_key, mech, operation, param); - if (ctx == NULL) { - ret = k5_nss_map_last_error(); - goto done; - } - - /* Now we bulk encrypt each block in the loop. We need to know where to - * stop to do special processing. For single block operations we stop at - * the end. For all others we stop and the last second to last block - * (counting partial blocks). For decrypt operations we need to save cn-2 - * so we stop at the third to last block if it exists, otherwise cn-2 = the - * iv. */ - lastblock = bulk_length; - if (remainder) { - /* We need to process the last full block and last partitial block - * differently. */ - lastblock = bulk_length - blocksize; - if (operation == CKA_DECRYPT) { - if (bulk_length > blocksize) { - /* Stop at cn-2 so we can save it before going on. */ - lastblock = bulk_length - 2*blocksize; - } else { - /* iv is cn-2, save it now, cn - 2. */ - memcpy(recover1, iv.data, blocksize); - memcpy(recover2, iv.data, blocksize); - } - } - } - k5_iov_cursor_init(&cursor, data, num_data, blocksize, FALSE); - for (length = 0; length < lastblock; length += blocksize) { - if (!k5_iov_cursor_get(&cursor, block)) - break; - - rv = PK11_CipherOp(ctx, block, &len, blocksize, block, blocksize); - if (rv != SECSuccess) { - ret = k5_nss_map_last_error(); - break; - } - - k5_iov_cursor_put(&cursor, block); - } - if (remainder) { - if (operation == CKA_DECRYPT) { - if (bulk_length > blocksize) { - /* we need to save cn-2 */ - if (!k5_iov_cursor_get(&cursor, block)) - goto done; /* shouldn't happen */ - - /* save cn-2 */ - memcpy(recover1, block, blocksize); - memcpy(recover2, block, blocksize); - - /* now process it as normal */ - rv = PK11_CipherOp(ctx, block, &len, blocksize, block, - blocksize); - if (rv != SECSuccess) { - ret = k5_nss_map_last_error(); - goto done; - } - - k5_iov_cursor_put(&cursor, block); - } - } - /* fetch the last 2 blocks */ - k5_iov_cursor_get(&cursor, block2); - k5_iov_cursor_get(&cursor, block1); - if (operation == CKA_DECRYPT) { - /* recover1 and recover2 are xor values to recover the true - * underlying data of the last 2 decrypts. This keeps us from - * having to try to reset our IV to do the final decryption. */ - /* Currently: block1 is cn || 0, block2 is cn-1. - * recover1 & recover2 is set to cn-2. */ - /* recover2 recovers pn || c' from p'n-1. The raw decrypted block - * will be p'n-1 xor with cn-2 while pn || c' = p'n-1 xor cn || 0. - * recover2 is cn-2 xor cn || 0, so we can simple xor recover1 - * with the raw decrypted block. */ - /* recover1 recovers pn-1 from the raw decryption of cn || c'. - * the raw decrypt of cn || c' = p'n xor cn-1 while - * pn-1 = p'n xor cn-2 - * recover1 is cn-2 xor cn-1, so we can simple xor recover 2 with - * the raw decrypt of cn||c' to get pn-1. */ - xor(recover1, block2, blocksize); - xor(recover2, block1, blocksize); - if (ivec && ivec->data) - memcpy(ivec->data, block2, blocksize); - } - rv = PK11_CipherOp(ctx, block2, &len, blocksize, block2, blocksize); - if (rv != SECSuccess) { - ret = k5_nss_map_last_error(); - goto done; - } - if (operation == CKA_DECRYPT) { - /* block2 now has p'n-1 xor cn-2. */ - xor(block2, recover2, blocksize); - /* block 2 now has pn || c'. */ - /* copy c' into cn || c'. */ - memcpy(block1 + remainder, block2 + remainder, - blocksize - remainder); - } - rv = PK11_CipherOp(ctx, block1, &len, blocksize, block1, blocksize); - if (rv != SECSuccess) { - ret = k5_nss_map_last_error(); - goto done; - } - if (operation == CKA_DECRYPT) { - /* block1 now has p'n xor cn-1 */ - xor(block1, recover1, blocksize); - /* block 1 now has pn-1 */ - } else { - if (ivec && ivec->data) { - memcpy(ivec->data, block1, blocksize); - } - } - k5_iov_cursor_put(&cursor, block1); - k5_iov_cursor_put(&cursor, block2); - } - -done: - if (ctx) { - PK11_Finalize(ctx); - PK11_DestroyContext(ctx, PR_TRUE); - } - if (param) - SECITEM_FreeItem(param, PR_TRUE); - return ret; -} - -krb5_error_code -k5_nss_gen_cbcmac_iov(krb5_key krb_key, CK_MECHANISM_TYPE mech, - const krb5_data *ivec, const krb5_crypto_iov *data, - size_t num_data, krb5_data *output) -{ - krb5_error_code ret = 0; - PK11Context *ctx = NULL; - SECStatus rv; - SECItem *param = NULL; - struct iov_cursor cursor; - unsigned char block[MAX_BLOCK_SIZE], *lastblock; - unsigned char iv0[MAX_BLOCK_SIZE]; - SECItem iv; - size_t blocksize; - int length = 0; - int currentblock; - - blocksize = PK11_GetBlockSize(mech, NULL); - assert(blocksize <= sizeof(block)); - if (output->length < blocksize) - return KRB5_BAD_MSIZE; - - if (ivec && ivec->data) { - iv.data = (unsigned char *)ivec->data; - iv.len = ivec->length; - } else { - memset(iv0, 0, sizeof(iv0)); - iv.data = iv0; - iv.len = blocksize; - } - param = PK11_ParamFromIV(mech, &iv); - - ctx = k5_nss_create_context(krb_key, mech, CKA_ENCRYPT, param); - if (ctx == NULL) { - ret = k5_nss_map_last_error(); - goto done; - } - - lastblock = iv.data; - k5_iov_cursor_init(&cursor, data, num_data, blocksize, FALSE); - for (currentblock = 0;;currentblock++) { - if (!k5_iov_cursor_get(&cursor, block)) - break; - rv = PK11_CipherOp(ctx, block, &length, blocksize, block, blocksize); - if (rv != SECSuccess) { - ret = k5_nss_map_last_error(); - goto done; - } - lastblock = block; - } - memcpy(output->data, lastblock, blocksize); - -done: - if (ctx) { - PK11_Finalize(ctx); - PK11_DestroyContext(ctx, PR_TRUE); - } - if (param) - SECITEM_FreeItem(param, PR_TRUE); - return ret; -} - -void -k5_nss_gen_cleanup(krb5_key krb_key) -{ - struct cached_key *ckey = krb_key->cache; - - if (ckey) { - PK11_FreeSymKey(ckey->symkey); - free(ckey); - krb_key->cache = NULL; - } -} - -krb5_error_code -k5_nss_gen_import(krb5_key krb_key, CK_MECHANISM_TYPE mech, - CK_ATTRIBUTE_TYPE operation) -{ - krb5_error_code ret = 0; - pid_t pid = getpid(); - struct cached_key *ckey = krb_key->cache; - PK11SymKey *symkey; - PK11SlotInfo *slot = NULL; - SECItem raw_key; -#ifdef FAKE_FIPS - PK11SymKey *wrapping_key = NULL; - PK11Context *ctx = NULL; - SECItem wrapped_key; - SECItem params; - unsigned char wrapped_key_data[MAX_KEY_LENGTH]; - unsigned char padded_key_data[MAX_KEY_LENGTH]; - int wrapping_index, series, blocksize; - int keyLength; - CK_MECHANISM_TYPE mechanism; - SECStatus rv; -#endif - - if (ckey && ckey->pid == pid) - return 0; - - ret = k5_nss_init(); - if (ret) - return ret; - - if (ckey) { - /* Discard the no-longer-valid symkey and steal its container. */ - PK11_FreeSymKey(ckey->symkey); - ckey->symkey = NULL; - krb_key->cache = NULL; - } else { - /* Allocate a new container. */ - ckey = k5alloc(sizeof(*ckey), &ret); - if (ckey == NULL) - return ret; - } - - slot = PK11_GetBestSlot(mech, NULL); - if (slot == NULL) { - ret = k5_nss_map_last_error(); - goto done; - } - raw_key.data = krb_key->keyblock.contents; - raw_key.len = krb_key->keyblock.length; - -#ifdef FAKE_FIPS - /* First, fetch a wrapping key. */ - wrapping_index = PK11_GetCurrentWrapIndex(slot); - series = PK11_GetSlotSeries(slot); - wrapping_key = PK11_GetWrapKey(slot, wrapping_index, - CKM_INVALID_MECHANISM, series, NULL); - if (wrapping_key == NULL) { - /* One doesn't exist, create one. */ - mechanism = PK11_GetBestWrapMechanism(slot); - keyLength = PK11_GetBestKeyLength(slot, mechanism); - wrapping_key = PK11_TokenKeyGenWithFlags(slot, mechanism, NULL, - keyLength, NULL, - CKF_UNWRAP | CKF_ENCRYPT, 0, - NULL); - if (!wrapping_key) { - ret = k5_nss_map_last_error(); - goto done; - } - PK11_SetWrapKey(slot, wrapping_index, wrapping_key); - } - - /* Now encrypt the data with the wrapping key. */ - mechanism = PK11_GetMechanism(wrapping_key); - params.data = NULL; - params.len = 0; - ctx = PK11_CreateContextBySymKey(mechanism, CKA_ENCRYPT, - wrapping_key, ¶ms); - if (ctx == NULL) { - ret = k5_nss_map_last_error(); - goto done; - } - - wrapped_key.data = wrapped_key_data; - wrapped_key.len = sizeof(wrapped_key_data); - blocksize = PK11_GetBlockSize(mechanism, NULL); - keyLength = raw_key.len; - - /* - * ECB modes need keys in integral multiples of the block size. - * if the key isn't and integral multiple, pad it with zero. Unwrap - * will use the length parameter to appropriately set the key. - */ - if ((raw_key.len % blocksize) != 0) { - int keyblocks = (raw_key.len + (blocksize - 1)) / blocksize; - keyLength = keyblocks * blocksize; - assert(keyLength <= sizeof(padded_key_data)); - memset(padded_key_data, 0, keyLength); - memcpy(padded_key_data, raw_key.data, raw_key.len); - raw_key.data = padded_key_data; - } - rv = PK11_CipherOp(ctx, wrapped_key.data, (int *)&wrapped_key.len, - sizeof(wrapped_key_data), raw_key.data, keyLength); - if (keyLength != raw_key.len) { - /* Clear our copy of the key bits. */ - memset(padded_key_data, 0, keyLength); - } - if (rv != SECSuccess) { - ret = k5_nss_map_last_error(); - goto done; - } - PK11_Finalize(ctx); - PK11_DestroyContext(ctx, PR_TRUE); - ctx = NULL; - - /* Now now we have a 'wrapped' version of the, we can import it into - * the token without running afoul with FIPS. */ - symkey = PK11_UnwrapSymKey(wrapping_key, mechanism, ¶ms, &wrapped_key, - mech, operation, raw_key.len); -#else - symkey = PK11_ImportSymKey(slot, mech, PK11_OriginGenerated, operation, - &raw_key, NULL); -#endif - if (symkey == NULL) { - ret = k5_nss_map_last_error(); - goto done; - } - ckey->pid = pid; - ckey->symkey = symkey; - krb_key->cache = ckey; - ckey = NULL; - -done: - free(ckey); - if (slot) - PK11_FreeSlot(slot); -#ifdef FAKE_FIPS - if (ctx) { - PK11_Finalize(ctx); - PK11_DestroyContext(ctx, PR_TRUE); - } - if (wrapping_key) - PK11_FreeSymKey(wrapping_key); -#endif - - return ret; -} diff --git a/src/lib/crypto/nss/enc_provider/rc4.c b/src/lib/crypto/nss/enc_provider/rc4.c deleted file mode 100644 index 17d90d94f9..0000000000 --- a/src/lib/crypto/nss/enc_provider/rc4.c +++ /dev/null @@ -1,99 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/nss/enc_provider/rc4.c */ -/* - * Copyright (c) 2010 Red Hat, Inc. - * All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * * Neither the name of Red Hat, Inc., nor the names of its - * contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS - * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A - * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER - * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF - * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING - * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "crypto_int.h" -#include "nss_gen.h" - -#define RC4_KEY_SIZE 16 -#define RC4_BLOCK_SIZE 1 - -/* In-place IOV crypto */ -static krb5_error_code -k5_arcfour_encrypt_iov(krb5_key key, const krb5_data *state, - krb5_crypto_iov *data, size_t num_data) -{ - krb5_error_code ret; - - ret = k5_nss_gen_import(key, CKM_RC4, CKA_ENCRYPT); - if (ret != 0) - return ret; - return k5_nss_gen_stream_iov(key, state, CKM_RC4, CKA_ENCRYPT, - data, num_data); -} - -/* In-place IOV crypto */ -static krb5_error_code -k5_arcfour_decrypt_iov(krb5_key key, const krb5_data *state, - krb5_crypto_iov *data, size_t num_data) -{ - krb5_error_code ret; - - ret = k5_nss_gen_import(key, CKM_RC4, CKA_DECRYPT); - if (ret != 0) - return ret; - return k5_nss_gen_stream_iov(key, state, CKM_RC4, CKA_DECRYPT, - data, num_data); -} - -static void -k5_arcfour_free_state(krb5_data *state) -{ - (void)k5_nss_stream_free_state(state); -} - -static krb5_error_code -k5_arcfour_init_state(const krb5_keyblock *key, - krb5_keyusage keyusage, krb5_data *new_state) -{ - /* key can't quite be used here. See comment in k5_arcfour_init_state. */ - return k5_nss_stream_init_state(new_state); -} - -const struct krb5_enc_provider krb5int_enc_arcfour = { - /* This seems to work... although I am not sure what the - implications are in other places in the kerberos library. */ - RC4_BLOCK_SIZE, - /* Keysize is arbitrary in arcfour, but the constraints of the - system, and to attempt to work with the MSFT system forces us - to 16byte/128bit. Since there is no parity in the key, the - byte and length are the same. */ - RC4_KEY_SIZE, RC4_KEY_SIZE, - k5_arcfour_encrypt_iov, - k5_arcfour_decrypt_iov, - NULL, - k5_arcfour_init_state, - k5_arcfour_free_state, - k5_nss_gen_cleanup -}; diff --git a/src/lib/crypto/nss/hash_provider/Makefile.in b/src/lib/crypto/nss/hash_provider/Makefile.in deleted file mode 100644 index 495309b320..0000000000 --- a/src/lib/crypto/nss/hash_provider/Makefile.in +++ /dev/null @@ -1,35 +0,0 @@ -mydir=lib$(S)crypto$(S)nss$(S)hash_provider -BUILDTOP=$(REL)..$(S)..$(S)..$(S).. -CRYPTO_IMPL_CFLAGS=@CRYPTO_IMPL_CFLAGS@ -LOCALINCLUDES = -I$(srcdir)/../../krb -I$(srcdir)/.. -I$(srcdir)/../md4 \ - $(CRYPTO_IMPL_CFLAGS) - -STLIBOBJS= \ - hash_gen.o \ - hash_crc32.o \ - hash_md4.o \ - hash_md5.o \ - hash_sha1.o - -OBJS= $(OUTPRE)hash_gen.$(OBJEXT) \ - $(OUTPRE)hash_crc32.$(OBJEXT) \ - $(OUTPRE)hash_md4.$(OBJEXT) \ - $(OUTPRE)hash_md5.$(OBJEXT) \ - $(OUTPRE)hash_sha1.$(OBJEXT) - -SRCS= $(srcdir)/hash_gen.c \ - $(srcdir)/hash_crc32.c \ - $(srcdir)/hash_md4.c \ - $(srcdir)/hash_md5.c \ - $(srcdir)/hash_sha1.c - -all-unix:: all-libobjs - -includes:: depend - -depend:: $(SRCS) - -clean-unix:: clean-libobjs - -@libobj_frag@ - diff --git a/src/lib/crypto/nss/hash_provider/deps b/src/lib/crypto/nss/hash_provider/deps deleted file mode 100644 index f16b148b3f..0000000000 --- a/src/lib/crypto/nss/hash_provider/deps +++ /dev/null @@ -1,63 +0,0 @@ -# -# Generated makefile dependencies follow. -# -hash_gen.so hash_gen.po $(OUTPRE)hash_gen.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(srcdir)/../crypto_mod.h \ - $(srcdir)/../nss_gen.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h hash_gen.c -hash_crc32.so hash_crc32.po $(OUTPRE)hash_crc32.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(srcdir)/../crypto_mod.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - hash_crc32.c -hash_md4.so hash_md4.po $(OUTPRE)hash_md4.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(srcdir)/../crypto_mod.h \ - $(srcdir)/../md4/rsa-md4.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h hash_md4.c -hash_md5.so hash_md5.po $(OUTPRE)hash_md5.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(srcdir)/../crypto_mod.h \ - $(srcdir)/../nss_gen.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h hash_md5.c -hash_sha1.so hash_sha1.po $(OUTPRE)hash_sha1.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(srcdir)/../crypto_mod.h \ - $(srcdir)/../nss_gen.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h hash_sha1.c diff --git a/src/lib/crypto/nss/hash_provider/hash_crc32.c b/src/lib/crypto/nss/hash_provider/hash_crc32.c deleted file mode 100644 index c8d0e08345..0000000000 --- a/src/lib/crypto/nss/hash_provider/hash_crc32.c +++ /dev/null @@ -1,56 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright (C) 1998 by the FundsXpress, INC. - * - * All rights reserved. - * - * Export of this software from the United States of America may require - * a specific license from the United States Government. It is the - * responsibility of any person or organization contemplating export to - * obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of FundsXpress. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. FundsXpress makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. - */ - -#include "crypto_int.h" - -static krb5_error_code -k5_crc32_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output) -{ - unsigned long c; - unsigned int i; - - if (output->length != CRC32_CKSUM_LENGTH) - return KRB5_CRYPTO_INTERNAL; - - c = 0; - for (i=0; i < num_data; i++) { - const krb5_crypto_iov *iov = &data[i]; - - if (SIGN_IOV(iov)) - mit_crc32(iov->data.data, iov->data.length, &c); - } - - store_32_le(c, output->data); - return 0; -} - -const struct krb5_hash_provider krb5int_hash_crc32 = { - "CRC32", - CRC32_CKSUM_LENGTH, - 1, - k5_crc32_hash -}; diff --git a/src/lib/crypto/nss/hash_provider/hash_gen.c b/src/lib/crypto/nss/hash_provider/hash_gen.c deleted file mode 100644 index 9364a6cec2..0000000000 --- a/src/lib/crypto/nss/hash_provider/hash_gen.c +++ /dev/null @@ -1,74 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/nss/hash_provider/hash_gen.c */ -/* - * Copyright (c) 2010 Red Hat, Inc. - * All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * * Neither the name of Red Hat, Inc., nor the names of its - * contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS - * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A - * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER - * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF - * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING - * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "crypto_int.h" -#include "sechash.h" -#include "nss_gen.h" - -krb5_error_code -k5_nss_gen_hash(HASH_HashType hashType, const krb5_crypto_iov *data, - size_t num_data, krb5_data *output) -{ - unsigned int i; - HASHContext *ctx; - krb5_error_code ret; - - ret = k5_nss_init(); - if (ret) - return ret; - - if (output->length != HASH_ResultLen(hashType)) - return KRB5_CRYPTO_INTERNAL; - - ctx = HASH_Create(hashType); - if (!ctx) - return ENOMEM; - - HASH_Begin(ctx); - for (i=0; i < num_data; i++) { - const krb5_crypto_iov *iov = &data[i]; - - if (iov->data.length && SIGN_IOV(iov)) { - HASH_Update(ctx, (unsigned char *) iov->data.data, - iov->data.length); - } - } - - HASH_End(ctx, (unsigned char *)output->data, - &output->length, output->length); - HASH_Destroy(ctx); - - return 0; -} diff --git a/src/lib/crypto/nss/hash_provider/hash_gen.h b/src/lib/crypto/nss/hash_provider/hash_gen.h deleted file mode 100644 index 2b84da58cb..0000000000 --- a/src/lib/crypto/nss/hash_provider/hash_gen.h +++ /dev/null @@ -1,40 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/nss/hash_provider/hash_gen.h */ -/* - * Copyright (c) 2010 Red Hat, Inc. - * All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * * Neither the name of Red Hat, Inc., nor the names of its - * contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS - * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A - * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER - * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF - * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING - * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "k5-int.h" -#include "sechash.h" - -krb5_error_code k5_nss_gen_hash(HASH_HashType hashType, unsigned int icount, - const krb5_data *input, krb5_data *output); diff --git a/src/lib/crypto/nss/hash_provider/hash_md4.c b/src/lib/crypto/nss/hash_provider/hash_md4.c deleted file mode 100644 index 7bf68909e5..0000000000 --- a/src/lib/crypto/nss/hash_provider/hash_md4.c +++ /dev/null @@ -1,61 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright (C) 2010 Red Hat, Inc. - * - * All rights reserved. - * - * Export of this software from the United States of America may require - * a specific license from the United States Government. It is the - * responsibility of any person or organization contemplating export to - * obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of FundsXpress. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. FundsXpress makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. - */ - -#include "crypto_int.h" -#include "rsa-md4.h" - -static krb5_error_code -k5_md4_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output) -{ - krb5_MD4_CTX ctx; - unsigned long i; - - if (output->length != RSA_MD4_CKSUM_LENGTH) - return KRB5_CRYPTO_INTERNAL; - - krb5int_MD4Init(&ctx); - for (i=0; i < num_data; i++) { - const krb5_crypto_iov *iov = &data[i]; - - if (SIGN_IOV(iov)) { - krb5int_MD4Update(&ctx, (unsigned char *)iov->data.data, - iov->data.length); - } - } - krb5int_MD4Final(&ctx); - - memcpy(output->data, ctx.digest, RSA_MD4_CKSUM_LENGTH); - - return 0; -} - -const struct krb5_hash_provider krb5int_hash_md4 = { - "MD4", - RSA_MD4_CKSUM_LENGTH, - 64, - k5_md4_hash -}; diff --git a/src/lib/crypto/nss/hash_provider/hash_md5.c b/src/lib/crypto/nss/hash_provider/hash_md5.c deleted file mode 100644 index 167114f68c..0000000000 --- a/src/lib/crypto/nss/hash_provider/hash_md5.c +++ /dev/null @@ -1,50 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/nss/hash_provider/hash_md5.c */ -/* - * Copyright (c) 2010 Red Hat, Inc. - * All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * * Neither the name of Red Hat, Inc., nor the names of its - * contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS - * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A - * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER - * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF - * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING - * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "crypto_int.h" -#include "nss_gen.h" - -static krb5_error_code -k5_md5_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output) -{ - return k5_nss_gen_hash(HASH_AlgMD5, data, num_data, output); -} - -const struct krb5_hash_provider krb5int_hash_md5 = { - "MD5", - MD5_LENGTH, - 64, - k5_md5_hash -}; diff --git a/src/lib/crypto/nss/hash_provider/hash_sha1.c b/src/lib/crypto/nss/hash_provider/hash_sha1.c deleted file mode 100644 index bd84d742fc..0000000000 --- a/src/lib/crypto/nss/hash_provider/hash_sha1.c +++ /dev/null @@ -1,50 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/nss/hash_provider/hash_sha1.c */ -/* - * Copyright (c) 2010 Red Hat, Inc. - * All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * * Neither the name of Red Hat, Inc., nor the names of its - * contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS - * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A - * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER - * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF - * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING - * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "crypto_int.h" -#include "nss_gen.h" - -static krb5_error_code -k5_sha1_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output) -{ - return k5_nss_gen_hash(HASH_AlgSHA1, data, num_data, output); -} - -const struct krb5_hash_provider krb5int_hash_sha1 = { - "SHA1", - SHA1_LENGTH, - 64, - k5_sha1_hash -}; diff --git a/src/lib/crypto/nss/hmac.c b/src/lib/crypto/nss/hmac.c deleted file mode 100644 index 8de0d7add4..0000000000 --- a/src/lib/crypto/nss/hmac.c +++ /dev/null @@ -1,140 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/nss/hmac.c */ -/* - * Copyright (c) 2010 Red Hat, Inc. - * All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * * Neither the name of Red Hat, Inc., nor the names of its - * contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS - * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A - * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER - * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF - * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING - * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "crypto_int.h" -#include "nss_gen.h" -#include "pk11pub.h" - -/* - * the HMAC transform looks like: - * - * H(K XOR opad, H(K XOR ipad, text)) - * - * where H is a cryptographic hash - * K is an n byte key - * ipad is the byte 0x36 repeated blocksize times - * opad is the byte 0x5c repeated blocksize times - * and text is the data being protected - */ - -static CK_MECHANISM_TYPE -digest_to_hmac(const struct krb5_hash_provider *hash) -{ - /* use strcmp so we don't confuse SHA1 with SHA128 */ - /* handle the obvious cases first */ - if (!strcmp(hash->hash_name, "SHA1")) - return CKM_SHA_1_HMAC; - if (!strcmp(hash->hash_name, "MD5")) - return CKM_MD5_HMAC; - return CKM_INVALID_MECHANISM; -} - -krb5_error_code -krb5int_hmac(const struct krb5_hash_provider *hash, krb5_key key, - const krb5_crypto_iov *data, size_t num_data, krb5_data *output) -{ - unsigned int i = 0; - CK_MECHANISM_TYPE mech; - PK11Context *ctx = NULL; - krb5_error_code ret = 0; - SECStatus rv; - SECItem param; - - if (output->length < hash->hashsize) - return KRB5_BAD_MSIZE; - - mech = digest_to_hmac(hash); - if (mech == CKM_INVALID_MECHANISM) - return KRB5_CRYPTO_INTERNAL; /* unsupported alg */ - - ret = k5_nss_gen_import(key, mech, CKA_SIGN); - if (ret != 0) - return ret; - - param.data = NULL; - param.len = 0; - ctx = k5_nss_create_context(key, mech, CKA_SIGN, ¶m); - if (ctx == NULL) - goto fail; - - rv = PK11_DigestBegin(ctx); - if (rv != SECSuccess) - goto fail; - - for (i=0; i < num_data; i++) { - const krb5_crypto_iov *iov = &data[i]; - - if (iov->data.length && SIGN_IOV(iov)) { - rv = PK11_DigestOp(ctx,(const unsigned char*)iov->data.data, - iov->data.length); - if (rv != SECSuccess) - goto fail; - } - - } - rv = PK11_DigestFinal(ctx, (unsigned char *) output->data, &output->length, - output->length); - if (rv != SECSuccess) - goto fail; - PK11_DestroyContext(ctx, PR_TRUE); - return 0; -fail: - ret = k5_nss_map_last_error(); - if (ctx) - PK11_DestroyContext(ctx, PR_TRUE); - return ret; -} - -krb5_error_code -krb5int_hmac_keyblock(const struct krb5_hash_provider *hash, - const krb5_keyblock *keyblock, - const krb5_crypto_iov *data, size_t num_data, - krb5_data *output) -{ - krb5_key key; - krb5_error_code code; - - if (keyblock->length > hash->blocksize) - return KRB5_CRYPTO_INTERNAL; - - memset(&key, 0, sizeof(key)); - - code = krb5_k_create_key(NULL, keyblock, &key); - if (code) - return code; - code = krb5int_hmac(hash, key, data, num_data, output); - krb5_k_free_key(NULL, key); - return code; -} diff --git a/src/lib/crypto/nss/md4/Makefile.in b/src/lib/crypto/nss/md4/Makefile.in deleted file mode 100644 index b71c192bc1..0000000000 --- a/src/lib/crypto/nss/md4/Makefile.in +++ /dev/null @@ -1,18 +0,0 @@ -mydir=lib$(S)crypto$(S)nss$(S)md4 -BUILDTOP=$(REL)..$(S)..$(S)..$(S).. - -STLIBOBJS= md4.o - -OBJS= $(OUTPRE)md4.$(OBJEXT) - -SRCS= $(srcdir)/md4.c - -all-unix:: all-libobjs - -includes:: depend - -depend:: $(SRCS) - -clean-unix:: clean-libobjs - -@libobj_frag@ diff --git a/src/lib/crypto/nss/md4/deps b/src/lib/crypto/nss/md4/deps deleted file mode 100644 index 55d209b453..0000000000 --- a/src/lib/crypto/nss/md4/deps +++ /dev/null @@ -1,13 +0,0 @@ -# -# Generated makefile dependencies follow. -# -md4.so md4.po $(OUTPRE)md4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h md4.c rsa-md4.h diff --git a/src/lib/crypto/nss/md4/md4.c b/src/lib/crypto/nss/md4/md4.c deleted file mode 100644 index 1853207b98..0000000000 --- a/src/lib/crypto/nss/md4/md4.c +++ /dev/null @@ -1,242 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/nss/md4/md4.c */ -/* - * Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. - * - * License to copy and use this software is granted provided that - * it is identified as the "RSA Data Security, Inc. MD4 Message - * Digest Algorithm" in all material mentioning or referencing this - * software or this function. - * - * License is also granted to make and use derivative works - * provided that such works are identified as "derived from the RSA - * Data Security, Inc. MD4 Message Digest Algorithm" in all - * material mentioning or referencing the derived work. - * - * RSA Data Security, Inc. makes no representations concerning - * either the merchantability of this software or the suitability - * of this software for any particular purpose. It is provided "as - * is" without express or implied warranty of any kind. - * - * These notices must be retained in any copies of any part of this - * documentation and/or software. - */ - -/* -********************************************************************** -** md4.c ** -** RSA Data Security, Inc. MD4 Message Digest Algorithm ** -** Created: 2/17/90 RLR ** -** Revised: 1/91 SRD,AJ,BSK,JT Reference C Version ** -********************************************************************** -*/ - -#include "k5-int.h" -#include "rsa-md4.h" - -/* forward declaration */ -static void Transform (krb5_ui_4 *, krb5_ui_4 *); - -static const unsigned char PADDING[64] = { - 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 -}; - -/* F, G and H are basic MD4 functions: selection, majority, parity */ -#define F(x, y, z) (((x) & (y)) | ((~x) & (z))) -#define G(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z))) -#define H(x, y, z) ((x) ^ (y) ^ (z)) - -/* ROTATE_LEFT rotates x left n bits */ -#define ROTATE_LEFT(x, n) ((((x) << (n)) & 0xffffffff) | ((x) >> (32-(n)))) - -/* FF, GG and HH are MD4 transformations for rounds 1, 2 and 3 */ -/* Rotation is separate from addition to prevent recomputation */ -#define FF(a, b, c, d, x, s) \ - {(a) += F ((b), (c), (d)) + (x); \ - (a) &= 0xffffffff; \ - (a) = ROTATE_LEFT ((a), (s));} -#define GG(a, b, c, d, x, s) \ - {(a) += G ((b), (c), (d)) + (x) + 013240474631UL; \ - (a) &= 0xffffffff; \ - (a) = ROTATE_LEFT ((a), (s));} -#define HH(a, b, c, d, x, s) \ - {(a) += H ((b), (c), (d)) + (x) + 015666365641UL; \ - (a) &= 0xffffffff; \ - (a) = ROTATE_LEFT ((a), (s));} - -void -krb5int_MD4Init (krb5_MD4_CTX *mdContext) -{ - mdContext->i[0] = mdContext->i[1] = (krb5_ui_4)0; - - /* Load magic initialization constants. - */ - mdContext->buf[0] = 0x67452301UL; - mdContext->buf[1] = 0xefcdab89UL; - mdContext->buf[2] = 0x98badcfeUL; - mdContext->buf[3] = 0x10325476UL; -} - -void -krb5int_MD4Update (krb5_MD4_CTX *mdContext, const unsigned char *inBuf, unsigned int inLen) -{ - krb5_ui_4 in[16]; - int mdi; - unsigned int i, ii; - - /* compute number of bytes mod 64 */ - mdi = (int)((mdContext->i[0] >> 3) & 0x3F); - - /* update number of bits */ - if ((mdContext->i[0] + ((krb5_ui_4)inLen << 3)) < mdContext->i[0]) - mdContext->i[1]++; - mdContext->i[0] += ((krb5_ui_4)inLen << 3); - mdContext->i[1] += ((krb5_ui_4)inLen >> 29); - - while (inLen--) { - /* add new character to buffer, increment mdi */ - mdContext->in[mdi++] = *inBuf++; - - /* transform if necessary */ - if (mdi == 0x40) { - for (i = 0, ii = 0; i < 16; i++, ii += 4) { - in[i] = load_32_le(mdContext->in+ii); - } - Transform (mdContext->buf, in); - mdi = 0; - } - } -} - -void -krb5int_MD4Final (krb5_MD4_CTX *mdContext) -{ - krb5_ui_4 in[16]; - int mdi; - unsigned int i, ii; - unsigned int padLen; - - /* save number of bits */ - in[14] = mdContext->i[0]; - in[15] = mdContext->i[1]; - - /* compute number of bytes mod 64 */ - mdi = (int)((mdContext->i[0] >> 3) & 0x3F); - - /* pad out to 56 mod 64 */ - padLen = (mdi < 56) ? (56 - mdi) : (120 - mdi); - krb5int_MD4Update (mdContext, PADDING, padLen); - - /* append length in bits and transform */ - for (i = 0, ii = 0; i < 14; i++, ii += 4) - in[i] = load_32_le(mdContext->in+ii); - Transform (mdContext->buf, in); - - - /* store buffer in digest */ - for (i = 0, ii = 0; i < 4; i++, ii += 4) { - store_32_le(mdContext->buf[i], mdContext->digest+ii); - } -} - -/* Basic MD4 step. Transform buf based on in. - */ -static void Transform (krb5_ui_4 *buf, krb5_ui_4 *in) -{ - register krb5_ui_4 a = buf[0], b = buf[1], c = buf[2], d = buf[3]; - -#if defined(CONFIG_SMALL) && !defined(CONFIG_SMALL_NO_CRYPTO) - int i; -#define ROTATE { krb5_ui_4 temp; temp = d, d = c, c = b, b = a, a = temp; } - for (i = 0; i < 16; i++) { - static const unsigned char round1consts[] = { 3, 7, 11, 19, }; - FF (a, b, c, d, in[i], round1consts[i%4]); ROTATE; - } - for (i = 0; i < 16; i++) { - static const unsigned char round2indices[] = { - 0,4,8,12,1,5,9,13,2,6,10,14,3,7,11,15 - }; - static const unsigned char round2consts[] = { 3, 5, 9, 13 }; - GG (a, b, c, d, in[round2indices[i]], round2consts[i%4]); ROTATE; - } - for (i = 0; i < 16; i++) { - static const unsigned char round3indices[] = { - 0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15 - }; - static const unsigned char round3consts[] = { 3, 9, 11, 15 }; - HH (a, b, c, d, in[round3indices[i]], round3consts[i%4]); ROTATE; - } -#else - /* Round 1 */ - FF (a, b, c, d, in[ 0], 3); - FF (d, a, b, c, in[ 1], 7); - FF (c, d, a, b, in[ 2], 11); - FF (b, c, d, a, in[ 3], 19); - FF (a, b, c, d, in[ 4], 3); - FF (d, a, b, c, in[ 5], 7); - FF (c, d, a, b, in[ 6], 11); - FF (b, c, d, a, in[ 7], 19); - FF (a, b, c, d, in[ 8], 3); - FF (d, a, b, c, in[ 9], 7); - FF (c, d, a, b, in[10], 11); - FF (b, c, d, a, in[11], 19); - FF (a, b, c, d, in[12], 3); - FF (d, a, b, c, in[13], 7); - FF (c, d, a, b, in[14], 11); - FF (b, c, d, a, in[15], 19); - - /* Round 2 */ - GG (a, b, c, d, in[ 0], 3); - GG (d, a, b, c, in[ 4], 5); - GG (c, d, a, b, in[ 8], 9); - GG (b, c, d, a, in[12], 13); - GG (a, b, c, d, in[ 1], 3); - GG (d, a, b, c, in[ 5], 5); - GG (c, d, a, b, in[ 9], 9); - GG (b, c, d, a, in[13], 13); - GG (a, b, c, d, in[ 2], 3); - GG (d, a, b, c, in[ 6], 5); - GG (c, d, a, b, in[10], 9); - GG (b, c, d, a, in[14], 13); - GG (a, b, c, d, in[ 3], 3); - GG (d, a, b, c, in[ 7], 5); - GG (c, d, a, b, in[11], 9); - GG (b, c, d, a, in[15], 13); - - /* Round 3 */ - HH (a, b, c, d, in[ 0], 3); - HH (d, a, b, c, in[ 8], 9); - HH (c, d, a, b, in[ 4], 11); - HH (b, c, d, a, in[12], 15); - HH (a, b, c, d, in[ 2], 3); - HH (d, a, b, c, in[10], 9); - HH (c, d, a, b, in[ 6], 11); - HH (b, c, d, a, in[14], 15); - HH (a, b, c, d, in[ 1], 3); - HH (d, a, b, c, in[ 9], 9); - HH (c, d, a, b, in[ 5], 11); - HH (b, c, d, a, in[13], 15); - HH (a, b, c, d, in[ 3], 3); - HH (d, a, b, c, in[11], 9); - HH (c, d, a, b, in[ 7], 11); - HH (b, c, d, a, in[15], 15); -#endif - - buf[0] += a; - buf[1] += b; - buf[2] += c; - buf[3] += d; -} - -/* -********************************************************************** -** End of md4.c ** -******************************* (cut) ******************************** -*/ diff --git a/src/lib/crypto/nss/md4/rsa-md4.h b/src/lib/crypto/nss/md4/rsa-md4.h deleted file mode 100644 index d44869a4b1..0000000000 --- a/src/lib/crypto/nss/md4/rsa-md4.h +++ /dev/null @@ -1,90 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/nss/md4/rsa-md4.h */ -/* - * Copyright 1991 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ -/* - * Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. - * - * License to copy and use this software is granted provided that - * it is identified as the "RSA Data Security, Inc. MD4 Message - * Digest Algorithm" in all material mentioning or referencing this - * software or this function. - * - * License is also granted to make and use derivative works - * provided that such works are identified as "derived from the RSA - * Data Security, Inc. MD4 Message Digest Algorithm" in all - * material mentioning or referencing the derived work. - * - * RSA Data Security, Inc. makes no representations concerning - * either the merchantability of this software or the suitability - * of this software for any particular purpose. It is provided "as - * is" without express or implied warranty of any kind. - * - * These notices must be retained in any copies of any part of this - * documentation and/or software. - */ - -/* RSA MD4 header file, with Kerberos/STDC additions */ - -#ifndef __KRB5_RSA_MD4_H__ -#define __KRB5_RSA_MD4_H__ - -#ifdef unicos61 -#include -#endif /* unicos61 */ - -/* 16 u_char's in the digest */ -#define RSA_MD4_CKSUM_LENGTH 16 -/* des blocksize is 8, so this works nicely... */ -#define OLD_RSA_MD4_DES_CKSUM_LENGTH 16 -#define NEW_RSA_MD4_DES_CKSUM_LENGTH 24 -#define RSA_MD4_DES_CONFOUND_LENGTH 8 - -/* -********************************************************************** -** md4.h -- Header file for implementation of MD4 ** -** RSA Data Security, Inc. MD4 Message Digest Algorithm ** -** Created: 2/17/90 RLR ** -** Revised: 12/27/90 SRD,AJ,BSK,JT Reference C version ** -********************************************************************** -*/ - -/* Data structure for MD4 (Message Digest) computation */ -typedef struct { - krb5_ui_4 i[2]; /* number of _bits_ handled mod 2^64 */ - krb5_ui_4 buf[4]; /* scratch buffer */ - unsigned char in[64]; /* input buffer */ - unsigned char digest[16]; /* actual digest after MD4Final call */ -} krb5_MD4_CTX; - -extern void krb5int_MD4Init(krb5_MD4_CTX *); -extern void krb5int_MD4Update(krb5_MD4_CTX *, const unsigned char *, unsigned int); -extern void krb5int_MD4Final(krb5_MD4_CTX *); - -/* -********************************************************************** -** End of md4.h ** -******************************* (cut) ******************************** -*/ -#endif /* __KRB5_RSA_MD4_H__ */ diff --git a/src/lib/crypto/nss/md5/Makefile.in b/src/lib/crypto/nss/md5/Makefile.in deleted file mode 100644 index 5a292e1883..0000000000 --- a/src/lib/crypto/nss/md5/Makefile.in +++ /dev/null @@ -1,6 +0,0 @@ -# Placeholder since all crypto modules must have the same structure. -mydir=lib$(S)crypto$(S)nss$(S)md5 -BUILDTOP=$(REL)..$(S)..$(S)..$(S).. -all-unix:: all-libobjs -clean-unix:: clean-libobjs -@libobj_frag@ diff --git a/src/lib/crypto/nss/md5/deps b/src/lib/crypto/nss/md5/deps deleted file mode 100644 index 2feac3c9d3..0000000000 --- a/src/lib/crypto/nss/md5/deps +++ /dev/null @@ -1 +0,0 @@ -# No dependencies here. diff --git a/src/lib/crypto/nss/nss_gen.h b/src/lib/crypto/nss/nss_gen.h deleted file mode 100644 index ccf9219032..0000000000 --- a/src/lib/crypto/nss/nss_gen.h +++ /dev/null @@ -1,110 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/nss/nss_gen.h */ -/* - * Copyright (c) 2010 Red Hat, Inc. - * All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * * Neither the name of Red Hat, Inc., nor the names of its - * contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS - * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A - * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER - * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF - * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING - * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "k5-int.h" -#include "pkcs11t.h" -#include "sechash.h" -#include "secmodt.h" - -/* 512 bits is bigger than anything defined to date */ -#define MAX_KEY_LENGTH 64 -#define MAX_BLOCK_SIZE 64 - -/* - * Common nss utils - */ - -/* Make sure NSS is properly initialized. */ -krb5_error_code k5_nss_init(void); - -/* Import a key into NSS and store the handle in krb5_key. */ -krb5_error_code -k5_nss_gen_import(krb5_key key, CK_MECHANISM_TYPE mech, - CK_ATTRIBUTE_TYPE operation); - -/* Clean up an imported key. */ -void -k5_nss_gen_cleanup(krb5_key key); - -/* Create a new crypto/hash/sign context from a krb5_key. */ -PK11Context * -k5_nss_create_context(krb5_key krb_key, CK_MECHANISM_TYPE mechanism, - CK_ATTRIBUTE_TYPE operation, SECItem * param); - -/* Map an NSS error into a krb5_error_code. */ -krb5_error_code k5_nss_map_error(int nss_error); -krb5_error_code k5_nss_map_last_error(void); - - -/* - * Common encryption functions - */ - -/* Encrypt/decrypt block modes except cts using iov. */ -krb5_error_code -k5_nss_gen_block_iov(krb5_key key, CK_MECHANISM_TYPE mech, - CK_ATTRIBUTE_TYPE operation, const krb5_data *ivec, - krb5_crypto_iov *data, size_t num_data); - -/* Encrypt/decrypt stream modes using iov. */ -krb5_error_code -k5_nss_gen_stream_iov(krb5_key key, krb5_data *state, CK_MECHANISM_TYPE mech, - CK_ATTRIBUTE_TYPE operation, krb5_crypto_iov *data, - size_t num_data); - -/* Encrypt/decrypt block modes using cts. */ -krb5_error_code -k5_nss_gen_cts_iov(krb5_key key, CK_MECHANISM_TYPE mech, - CK_ATTRIBUTE_TYPE operation, const krb5_data *ivec, - krb5_crypto_iov *data, size_t num_data); - -/* Compute a CBC-MAC. */ -krb5_error_code -k5_nss_gen_cbcmac_iov(krb5_key key, CK_MECHANISM_TYPE mech, - const krb5_data *ivec, const krb5_crypto_iov *data, - size_t num_data, krb5_data *output); - -/* Stream state management calls. */ -krb5_error_code k5_nss_stream_init_state(krb5_data *new_state); -void k5_nss_stream_free_state(krb5_data *state); - -/* - * Common hash functions - */ - -/* All hash modes. */ -krb5_error_code -k5_nss_gen_hash(HASH_HashType hashType, const krb5_crypto_iov *data, - size_t num_data, krb5_data *output); diff --git a/src/lib/crypto/nss/nss_prng.h b/src/lib/crypto/nss/nss_prng.h deleted file mode 100644 index 11bf9edc1b..0000000000 --- a/src/lib/crypto/nss/nss_prng.h +++ /dev/null @@ -1,36 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/nss/nss_prng.h - Declarations for NSS PRNG wrappers */ -/* - * Copyright (C) 2011 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#ifndef NSS_PRNG_H -#define NSS_PRNG_H - -krb5_error_code -k5_nss_prng_add_entropy(krb5_context context, const krb5_data *indata); - -krb5_error_code -k5_nss_prng_make_octets(krb5_context context, krb5_data *outdata); - -#endif /* NSS_PRNG_H */ diff --git a/src/lib/crypto/nss/pbkdf2.c b/src/lib/crypto/nss/pbkdf2.c deleted file mode 100644 index 10272c8d2a..0000000000 --- a/src/lib/crypto/nss/pbkdf2.c +++ /dev/null @@ -1,120 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/nss/pbkdf2.c */ -/* - * Copyright (c) 2010 Red Hat, Inc. - * All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * * Neither the name of Red Hat, Inc., nor the names of its - * contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS - * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A - * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER - * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF - * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING - * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include -#include "crypto_int.h" -#include "pk11pub.h" -#include "nss_gen.h" - - -krb5_error_code -krb5int_pbkdf2_hmac_sha1(const krb5_data *out, unsigned long count, - const krb5_data *pass, const krb5_data *salt) -{ - - PK11SlotInfo *slot = NULL; - SECAlgorithmID *algid = NULL; - PK11SymKey *symKey = NULL; - SECItem saltItem, pwItem; - const SECItem *keydata = NULL; - SECOidTag pbeAlg = SEC_OID_PKCS5_PBKDF2; - SECOidTag cipherAlg = SEC_OID_AES_256_CBC; - SECOidTag prfAlg = SEC_OID_HMAC_SHA1; - krb5_error_code ret; - - ret = k5_nss_init(); - if (ret) - return ret; - - slot = PK11_GetBestSlot(PK11_AlgtagToMechanism(pbeAlg), NULL); - if (slot == NULL) - return k5_nss_map_last_error(); - - /* NSS treats a null saltItem.data as a request for a random salt. */ - saltItem.type = siBuffer; - saltItem.data = (salt->data == NULL) ? "" : (unsigned char *)salt->data; - saltItem.len = salt->length; - - /* PKCS 5 was designed to be DER encoded. Algid's carry all the - * information needed to describe the encoding the the recipient. - * This usually allows for crypto agility in the protocol automatically. - * Kerberos already had to solve it's crypto agility issues, so the - * algid is just and extra step we need that we will throw away */ - algid = PK11_CreatePBEV2AlgorithmID(pbeAlg, cipherAlg, prfAlg, - out->length, count, &saltItem); - if (algid == NULL) { - ret = k5_nss_map_last_error(); - goto loser; - } - - pwItem.type = siBuffer; - pwItem.data = (unsigned char *)pass->data; - pwItem.len = pass->length; - - symKey = PK11_PBEKeyGen(slot, algid, &pwItem, PR_FALSE, NULL); - if (symKey == NULL) { - ret = k5_nss_map_last_error(); - goto loser; - } - - /* At this point we should return symKey as a key, but kerberos is - * still passing bits around instead of key handles. */ - PK11_ExtractKeyValue(symKey); - - /* keydata here is a const * and is valid as long as the key has not been - * destroyed. */ - keydata = PK11_GetKeyData(symKey); - if (keydata == NULL) { - ret = k5_nss_map_last_error(); - goto loser; - } - - if (out->length != keydata->len) { - ret = -1; /* XXXXX */ - goto loser; - } - memcpy(out->data, keydata->data, keydata->len); - ret = 0; - -loser: - if (symKey) - PK11_FreeSymKey(symKey); - if (algid) - SECOID_DestroyAlgorithmID(algid, PR_TRUE); - if (slot) - PK11_FreeSlot(slot); - - return ret; -} diff --git a/src/lib/crypto/nss/prng.c b/src/lib/crypto/nss/prng.c deleted file mode 100644 index ebd1d3ac23..0000000000 --- a/src/lib/crypto/nss/prng.c +++ /dev/null @@ -1,57 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/nss/prng.c - NSS prng functions */ -/* - * Copyright (C) 2011 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#include "crypto_int.h" -#include "nss_gen.h" -#include "nss_prng.h" -#include - -krb5_error_code -k5_nss_prng_add_entropy(krb5_context context, const krb5_data *indata) -{ - krb5_error_code ret; - - ret = k5_nss_init(); - if (ret) - return ret; - if (PK11_RandomUpdate(indata->data, indata->length) != SECSuccess) - return k5_nss_map_last_error(); - return 0; -} - -krb5_error_code -k5_nss_prng_make_octets(krb5_context context, krb5_data *outdata) -{ - krb5_error_code ret; - - ret = k5_nss_init(); - if (ret) - return ret; - if (PK11_GenerateRandom((unsigned char *)outdata->data, - outdata->length) != SECSuccess) - return k5_nss_map_last_error(); - return 0; -} diff --git a/src/lib/crypto/nss/sha1/Makefile.in b/src/lib/crypto/nss/sha1/Makefile.in deleted file mode 100644 index 26d9859a95..0000000000 --- a/src/lib/crypto/nss/sha1/Makefile.in +++ /dev/null @@ -1,6 +0,0 @@ -# Placeholder since all crypto modules must have the same structure. -mydir=lib$(S)crypto$(S)nss$(S)sha1 -BUILDTOP=$(REL)..$(S)..$(S)..$(S).. -all-unix:: all-libobjs -clean-unix:: clean-libobjs -@libobj_frag@ diff --git a/src/lib/crypto/nss/sha1/deps b/src/lib/crypto/nss/sha1/deps deleted file mode 100644 index 2feac3c9d3..0000000000 --- a/src/lib/crypto/nss/sha1/deps +++ /dev/null @@ -1 +0,0 @@ -# No dependencies here. diff --git a/src/lib/crypto/nss/sha2/Makefile.in b/src/lib/crypto/nss/sha2/Makefile.in deleted file mode 100644 index 89f074c10f..0000000000 --- a/src/lib/crypto/nss/sha2/Makefile.in +++ /dev/null @@ -1,6 +0,0 @@ -# Placeholder since all crypto modules must have the same structure. -mydir=lib$(S)crypto$(S)nss$(S)aes -BUILDTOP=$(REL)..$(S)..$(S)..$(S).. -all-unix:: all-libobjs -clean-unix:: clean-libobjs -@libobj_frag@ diff --git a/src/lib/crypto/nss/sha2/deps b/src/lib/crypto/nss/sha2/deps deleted file mode 100644 index 2feac3c9d3..0000000000 --- a/src/lib/crypto/nss/sha2/deps +++ /dev/null @@ -1 +0,0 @@ -# No dependencies here. diff --git a/src/lib/crypto/nss/stubs.c b/src/lib/crypto/nss/stubs.c deleted file mode 100644 index 034e7e6f03..0000000000 --- a/src/lib/crypto/nss/stubs.c +++ /dev/null @@ -1,68 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/crypto/nss/stubs.c - NSS stub functions */ -/* - * Copyright (C) 2011 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -/* - * This file defines symbols which must be exported by libk5crypto because they - * are in the export list (for the sake of test programs), but which are not - * used when NSS is the back end. - */ - -#include "k5-int.h" - -/* - * These functions are used by the Fortuna PRNG and test program. The Fortuna - * PRNG is not used when NSS is the back end (the NSS PRNG is always used). - */ -void krb5int_aes_enc_blk(void); -void krb5int_aes_enc_key(void); -void k5_sha256_final(void); -void k5_sha256_init(void); -void k5_sha256_update(void); - -void krb5int_aes_enc_blk(void) -{ - abort(); -} - -void krb5int_aes_enc_key(void) -{ - abort(); -} - -void k5_sha256_final(void) -{ - abort(); -} - -void k5_sha256_init(void) -{ - abort(); -} - -void k5_sha256_update(void) -{ - abort(); -}