--------------------
Portions contributed by Red Hat, including the pre-authentication
-plug-ins framework, contain the following copyright:
+plug-ins framework and the NSS crypto implementation, contain the
+following copyright:
Copyright (c) 2006 Red Hat, Inc.
Portions copyright (c) 2006 Massachusetts Institute of Technology
[CRYPTO_IMPL=$withval
AC_MSG_RESULT("k5crypto will use \'$withval\'")
], withval=builtin)
+CRYPTO_IMPL_LIBS=
+CRYPTO_IMPL_CFLAGS=
+case "$withval" in
+builtin)
+ ;;
+openssl)
+ AC_CHECK_LIB(crypto, PKCS7_get_signer_info)
+ ;;
+nss)
+ CRYPTO_IMPL_CFLAGS=`pkg-config --cflags nss`
+ CRYPTO_IMPL_LIBS="-lnss3 $(pkg-config --libs nss-util)"
+ AC_DEFINE(CRYPTO_IMPL_NSS,1,[Define if crypto implementation is NSS])
+ ;;
+*)
+ AC_MSG_ERROR([Unknown crypto implementation $withval])
+ ;;
+esac
AC_CONFIG_COMMANDS(CRYPTO_IMPL, , CRYPTO_IMPL=$CRYPTO_IMPL)
AC_SUBST(CRYPTO_IMPL)
+AC_SUBST(CRYPTO_IMPL_CFLAGS)
+AC_SUBST(CRYPTO_IMPL_LIBS)
# --with-kdc-kdb-update makes the KDC update the database with last request
# information and failure information.
* Internal - for cleanup.
*/
extern void krb5int_prng_cleanup(void);
+extern void krb5int_crypto_impl_cleanup(void);
#ifdef KRB5_OLD_CRYPTO
extern int krb5int_crypto_init (void);
extern int krb5int_prng_init(void);
+extern int krb5int_crypto_impl_init(void);
/*
* Referral definitions, debugging hooks, and subfunctions.
# link editor and loader support it.
DEPLIBS=
SHLIB_DIRS=-L$(TOPLIBD)
-SHLIB_EXPLIBS= $(SUPPORT_LIB) @CRYPTO_LIBS@ $(LIBS)
+SHLIB_EXPLIBS= $(SUPPORT_LIB) @CRYPTO_LIBS@ @CRYPTO_IMPL_LIBS@ $(LIBS)
SHLIB_EXPDEPLIBS= $(SUPPORT_DEPLIB)
SHLIB_LDFLAGS= $(LDFLAGS) @SHLIB_RPATH_DIRS@
SHLIB_LIBDIRS= @SHLIB_LIBDIRS@
STLIBOBJS=\
hmac.o \
- pbkdf2.o
+ init.o \
+ pbkdf2.o
OBJS=\
$(OUTPRE)hmac.$(OBJEXT) \
- $(OUTPRE)pbkdf2.$(OBJEXT)
+ $(OUTPRE)init.$(OBJEXT) \
+ $(OUTPRE)pbkdf2.$(OBJEXT)
SRCS=\
$(srcdir)/hmac.c \
+ $(srcdir)/init.c \
$(srcdir)/pbkdf2.c
STOBJLISTS= des/OBJS.ST md4/OBJS.ST \
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * lib/crypto/builtin/init.c
+ *
+ * Copyright (C) 2010 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * Built-in back-end library init functions
+ */
+
+int
+krb5int_crypto_impl_init(void)
+{
+ return 0;
+}
+
+void
+krb5int_crypto_impl_cleanup(void)
+{
+}
# NOTE: The t_cksum known checksum values are primarily for regression
# testing. They are not derived a priori, but are known to produce
# checksums that interoperate.
+#
+# We use the NSS PRNG when NSS is the crypto back end, so don't test
+# against the expected output for Yarrow.
check-unix:: t_nfold t_encrypt t_prf t_prng t_cmac t_hmac \
t_cksum4 t_cksum5 \
aes-test \
t_crc t_cts t_short t_str2key t_camellia_ccm
$(RUN_SETUP) $(VALGRIND) ./t_nfold
$(RUN_SETUP) $(VALGRIND) ./t_encrypt
- $(RUN_SETUP) $(VALGRIND) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \
- diff t_prng.output $(srcdir)/t_prng.expected
+ if [ @CRYPTO_IMPL@ != nss ]; then \
+ $(RUN_SETUP) $(VALGRIND) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \
+ diff t_prng.output $(srcdir)/t_prng.expected; fi
$(RUN_SETUP) $(VALGRIND) ./t_cmac
$(RUN_SETUP) $(VALGRIND) ./t_hmac
$(RUN_SETUP) $(VALGRIND) ./t_prf <$(srcdir)/t_prf.in >t_prf.output
-I$(srcdir)/../@CRYPTO_IMPL@/ -I$(srcdir)/../@CRYPTO_IMPL@/des \
-I$(srcdir)/../@CRYPTO_IMPL@/aes -I$(srcdir)/arcfour \
-I$(srcdir)/../@CRYPTO_IMPL@/camellia \
- -I$(srcdir)/../@CRYPTO_IMPL@/sha1 -I$(srcdir)/../@CRYPTO_IMPL@
+ -I$(srcdir)/../@CRYPTO_IMPL@/sha1 -I$(srcdir)/../@CRYPTO_IMPL@ \
+ @CRYPTO_IMPL_CFLAGS@
PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
DEFS=
int cryptoint_initialize_library (void)
{
- return krb5int_prng_init();
+ int err;
+ err = krb5int_prng_init();
+ if (err)
+ return err;
+ return krb5int_crypto_impl_init();
}
int krb5int_crypto_init(void)
{
if (!INITIALIZER_RAN(cryptoint_initialize_library))
return;
- krb5int_prng_cleanup ();
+ krb5int_prng_cleanup();
+ krb5int_crypto_impl_cleanup();
}
#include <assert.h>
#include "k5-thread.h"
-#include "yarrow.h"
-static Yarrow_CTX y_ctx;
#define yarrow_lock krb5int_yarrow_lock
k5_mutex_t yarrow_lock = K5_MUTEX_PARTIAL_INITIALIZER;
+#ifdef CRYPTO_IMPL_NSS
+
+/*
+ * Using Yarrow with NSS is a bit problematic because the MD5 contexts it holds
+ * open for the entropy pools would be invalidated by a fork(), causing us to
+ * lose the entropy contained therein.
+ *
+ * Therefore, use the NSS PRNG if NSS is the crypto implementation. Doing this
+ * via ifdefs here is temporary until we come up with better build logic for
+ * it.
+ */
+
+#include "../nss/nss_gen.h"
+#include <pk11pub.h>
+
+/*
+ * NSS gathers its own OS entropy, so it doesn't really matter how much we read
+ * in krb5_c_random_os_entropy. Use the same value as Yarrow (without using a
+ * Yarrow constant), so that we don't read too much from /dev/random.
+ */
+#define OS_ENTROPY_LEN 20
+
+int krb5int_prng_init(void)
+{
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_random_add_entropy(krb5_context context, unsigned int randsource,
+ const krb5_data *data)
+{
+ krb5_error_code ret;
+
+ ret = k5_nss_init();
+ if (ret)
+ return ret;
+ if (PK11_RandomUpdate(data->data, data->length) != SECSuccess)
+ return k5_nss_map_last_error();
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_random_make_octets(krb5_context context, krb5_data *data)
+{
+ krb5_error_code ret;
+
+ ret = k5_nss_init();
+ if (ret)
+ return ret;
+ if (PK11_GenerateRandom((unsigned char *)data->data,
+ data->length) != SECSuccess)
+ return k5_nss_map_last_error();
+ return 0;
+}
+
+void
+krb5int_prng_cleanup (void)
+{
+}
+
+#else /* CRYPTO_IMPL_NSS */
+
+#include "yarrow.h"
+static Yarrow_CTX y_ctx;
+
+/* Gather enough OS entropy per call to trigger a Yarrow reseed. */
+#define OS_ENTROPY_LEN (YARROW_SLOW_THRESH/8)
+
/* Helper function to estimate entropy based on sample length
* and where it comes from.
*/
return 0;
}
-krb5_error_code KRB5_CALLCONV
-krb5_c_random_seed(krb5_context context, krb5_data *data)
-{
- return krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OLDAPI, data);
-}
-
krb5_error_code KRB5_CALLCONV
krb5_c_random_make_octets(krb5_context context, krb5_data *data)
{
k5_mutex_destroy(&yarrow_lock);
}
+#endif /* not CRYPTO_IMPL_NSS */
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_random_seed(krb5_context context, krb5_data *data)
+{
+ return krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OLDAPI, data);
+}
/*
* Routines to get entropy from the OS. For UNIX we try /dev/urandom
krb5_data data;
struct stat sb;
int fd;
- unsigned char buf[YARROW_SLOW_THRESH/8], *bp;
+ unsigned char buf[OS_ENTROPY_LEN], *bp;
int left;
fd = open (device, O_RDONLY);
--- /dev/null
+mydir=lib/crypto/nss
+BUILDTOP=$(REL)..$(S)..$(S)..
+SUBDIRS=des aes camellia md4 md5 sha1 enc_provider hash_provider
+LOCALINCLUDES = -I$(srcdir)/../krb \
+ -I$(srcdir)/../krb/hash_provider \
+ -I$(srcdir)/des \
+ -I$(srcdir)/aes \
+ -I$(srcdir)/sha1 \
+ -I$(srcdir)/md4 \
+ -I$(srcdir)/md5 \
+ -I$(srcdir)/enc_provider \
+ -I$(srcdir)/hash_provider \
+ @CRYPTO_IMPL_CFLAGS@
+
+PROG_LIBPATH=-L$(TOPLIBD)
+PROG_RPATH=$(KRB5_LIBDIR)
+DEFS=
+
+##DOSBUILDTOP = ..\..\..
+##DOSLIBNAME=$(OUTPRE)crypto.lib
+##DOSOBJFILE=$(OUTPRE)crypto.lst
+##DOSOBJFILELIST=@$(OUTPRE)crypto.lst @$(OUTPRE)des.lst @$(OUTPRE)md4.lst @$(OUTPRE)md5.lst @$(OUTPRE)sha1.lst @$(OUTPRE)crc32.lst @$(OUTPRE)dk.lst @$(OUTPRE)old.lst @$(OUTPRE)raw.lst @$(OUTPRE)enc_prov.lst @$(OUTPRE)hash_pro.lst @$(OUTPRE)kh_pro.lst @$(OUTPRE)yarrow.lst @$(OUTPRE)aes.lst
+##DOSOBJFILEDEP =$(OUTPRE)crypto.lst $(OUTPRE)des.lst $(OUTPRE)md4.lst $(OUTPRE)md5.lst $(OUTPRE)sha1.lst $(OUTPRE)crc32.lst $(OUTPRE)dk.lst $(OUTPRE)old.lst $(OUTPRE)raw.lst $(OUTPRE)enc_prov.lst $(OUTPRE)hash_pro.lst $(OUTPRE)kh_pro.lst $(OUTPRE)aes.lst
+
+STLIBOBJS=\
+ hmac.o \
+ pbkdf2.o
+
+OBJS=\
+ $(OUTPRE)hmac.$(OBJEXT) \
+ $(OUTPRE)pbkdf2.$(OBJEXT)
+
+SRCS=\
+ $(srcdir)/hmac.c \
+ $(srcdir)/pbkdf2.c
+
+STOBJLISTS= des/OBJS.ST md4/OBJS.ST \
+ md5/OBJS.ST sha1/OBJS.ST \
+ enc_provider/OBJS.ST \
+ hash_provider/OBJS.ST \
+ aes/OBJS.ST \
+ camellia/OBJS.ST \
+ OBJS.ST
+
+SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \
+ md5/OBJS.ST sha1/OBJS.ST \
+ enc_provider/OBJS.ST \
+ hash_provider/OBJS.ST \
+ aes/OBJS.ST \
+ camellia/OBJS.ST
+
+##DOS##LIBOBJS = $(OBJS)
+
+all-unix:: all-libobjs
+includes:: depend
+
+depend:: $(SRCS)
+
+clean-unix:: clean-libobjs
+
+all-windows::
+ cd ..\des
+ @echo Making in crypto\des
+ $(MAKE) -$(MFLAGS)
+ cd ..\md4
+ @echo Making in crypto\md4
+ $(MAKE) -$(MFLAGS)
+ cd ..\md5
+ @echo Making in crypto\md5
+ $(MAKE) -$(MFLAGS)
+ cd ..\sha1
+ @echo Making in crypto\sha1
+ $(MAKE) -$(MFLAGS)
+ cd ..\hash_provider
+ @echo Making in crypto\hash_provider
+ $(MAKE) -$(MFLAGS)
+ cd ..\enc_provider
+ @echo Making in crypto\enc_provider
+ $(MAKE) -$(MFLAGS)
+ cd ..\aes
+ @echo Making in crypto\aes
+ $(MAKE) -$(MFLAGS)
+ cd ..\camellia
+ @echo Making in crypto\aes
+ $(MAKE) -$(MFLAGS)
+ cd ..
+
+clean-windows::
+ cd ..\des
+ @echo Making clean in crypto\des
+ $(MAKE) -$(MFLAGS) clean
+ cd ..\md4
+ @echo Making clean in crypto\md4
+ $(MAKE) -$(MFLAGS) clean
+ cd ..\md5
+ @echo Making clean in crypto\md5
+ $(MAKE) -$(MFLAGS) clean
+ cd ..\sha1
+ @echo Making clean in crypto\sha1
+ $(MAKE) -$(MFLAGS) clean
+ cd ..\hash_provider
+ @echo Making clean in crypto\hash_provider
+ $(MAKE) -$(MFLAGS) clean
+ cd ..\enc_provider
+ @echo Making clean in crypto\enc_provider
+ $(MAKE) -$(MFLAGS) clean
+ cd ..\aes
+ @echo Making clean in crypto\aes
+ $(MAKE) -$(MFLAGS) clean
+ cd ..\camellia
+ @echo Making clean in crypto\aes
+ $(MAKE) -$(MFLAGS) clean
+ cd ..
+
+check-windows::
+ cd ..\des
+ @echo Making check in crypto\des
+ $(MAKE) -$(MFLAGS) check
+ cd ..\md4
+ @echo Making check in crypto\md4
+ $(MAKE) -$(MFLAGS) check
+ cd ..\md5
+ @echo Making check in crypto\md5
+ $(MAKE) -$(MFLAGS) check
+ cd ..\sha1
+ @echo Making check in crypto\sha1
+ $(MAKE) -$(MFLAGS) check
+ cd ..\hash_provider
+ @echo Making check in crypto\hash_provider
+ $(MAKE) -$(MFLAGS) check
+ cd ..\enc_provider
+ @echo Making check in crypto\enc_provider
+ $(MAKE) -$(MFLAGS) check
+ cd ..\aes
+ @echo Making check in crypto\aes
+ $(MAKE) -$(MFLAGS) check
+ cd ..\camellia
+ @echo Making check in crypto\aes
+ $(MAKE) -$(MFLAGS) check
+ cd ..
+
+
+@lib_frag@
+@libobj_frag@
+
--- /dev/null
+# Nothing here! But we can't remove this directory as the build
+# system currently assumes that all modules have the same directory
+# structure.
+
+mydir=lib/crypto/nss/aes
+BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
+LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../../krb/dk -I$(srcdir)/../../../../include
+DEFS=
+
+##DOS##BUILDTOP = ..\..\..\..
+##DOS##PREFIXDIR=aes
+##DOS##OBJFILE=..\$(OUTPRE)aes.lst
+
+PROG_LIBPATH=-L$(TOPLIBD)
+PROG_RPATH=$(KRB5_LIBDIR)
+
+STLIBOBJS=
+
+OBJS=
+
+SRCS=
+
+
+##DOS##LIBOBJS = $(OBJS)
+
+all-unix:: all-libobjs
+
+includes:: depend
+
+depend:: $(SRCS)
+
+check::
+
+
+clean-unix:: clean-libobjs
+
+clean::
+
+@libobj_frag@
+
--- /dev/null
+# No dependencies here.
--- /dev/null
+# Nothing here! But we can't remove this directory as the build
+# system currently assumes that all modules have the same directory
+# structure.
+
+mydir=lib/crypto/nss/camellia
+BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
+LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../../krb/dk -I$(srcdir)/../../../../include
+DEFS=
+
+##DOS##BUILDTOP = ..\..\..\..
+##DOS##PREFIXDIR=camellia
+##DOS##OBJFILE=..\$(OUTPRE)camellia.lst
+
+PROG_LIBPATH=-L$(TOPLIBD)
+PROG_RPATH=$(KRB5_LIBDIR)
+
+STLIBOBJS=
+
+OBJS=
+
+SRCS=
+
+
+##DOS##LIBOBJS = $(OBJS)
+
+all-unix:: all-libobjs
+
+includes:: depend
+
+depend:: $(SRCS)
+
+check::
+
+
+clean-unix:: clean-libobjs
+
+clean::
+
+@libobj_frag@
+
--- /dev/null
+#
+# Generated makefile dependencies follow.
+#
+hmac.so hmac.po $(OUTPRE)hmac.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
+ $(top_srcdir)/include/socket-utils.h $(srcdir)/hmac.c \
+ $(srcdir)/../krb/aead.h $(srcdir)/../krb/cksumtypes.h
+pbkdf2.so pbkdf2.po $(OUTPRE)pbkdf2.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
+ $(top_srcdir)/include/socket-utils.h $(srcdir)/hash_provider/hash_provider.h \
+ $(srcdir)/pbkdf2.c
--- /dev/null
+mydir=lib/crypto/nss/des
+BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
+LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../.. -I$(srcdir)/../../krb @CRYPTO_IMPL_CFLAGS@
+
+DEFS=
+
+##DOS##BUILDTOP = ..\..\..\..
+##DOS##PREFIXDIR=des
+##DOS##OBJFILE=..\$(OUTPRE)des.lst
+
+RUN_SETUP = @KRB5_RUN_ENV@
+PROG_LIBPATH=-L$(TOPLIBD)
+PROG_RPATH=$(KRB5_LIBDIR)
+
+
+STLIBOBJS= des_oldapis.o \
+ f_parity.o \
+ string2key.o \
+ weak_key.o
+
+OBJS= $(OUTPRE)f_parity.$(OBJEXT) \
+ $(OUTPRE)des_oldapis.$(OBJEXT) \
+ $(OUTPRE)string2key.$(OBJEXT) \
+ $(OUTPRE)weak_key.$(OBJEXT)
+
+SRCS= $(srcdir)/f_parity.c \
+ $(srcdir)/des_oldapis.c \
+ $(srcdir)/weak_key.c \
+ $(srcdir)/string2key.c
+
+
+##DOS##LIBOBJS = $(OBJS)
+
+all-unix:: all-libobjs
+
+check-unix::
+
+includes:: depend
+
+depend:: $(SRCS)
+
+check-windows::
+
+clean::
+
+clean-unix:: clean-libobjs
+
+@libobj_frag@
+
--- /dev/null
+#
+# Generated makefile dependencies follow.
+#
+f_parity.so f_parity.po $(OUTPRE)f_parity.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ $(srcdir)/des_int.h $(srcdir)/f_parity.c
+des_oldapis.so des_oldapis.po $(OUTPRE)des_oldapis.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
+ $(top_srcdir)/include/socket-utils.h $(srcdir)/des_int.h \
+ $(srcdir)/des_oldapis.c
+weak_key.so weak_key.po $(OUTPRE)weak_key.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ $(srcdir)/des_int.h $(srcdir)/weak_key.c
+string2key.so string2key.po $(OUTPRE)string2key.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ $(srcdir)/des_int.h $(srcdir)/string2key.c
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * lib/crypto/des/des_int.h
+ *
+ * Copyright 1987, 1988, 1990, 2002, 2009 by the Massachusetts Institute of
+ * Technology. All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * Private include file for the Data Encryption Standard library.
+ */
+
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+/* only do the whole thing once */
+#ifndef DES_INTERNAL_DEFS
+#define DES_INTERNAL_DEFS
+
+#include "k5-int.h"
+/*
+ * Begin "mit-des.h"
+ */
+#ifndef KRB5_MIT_DES__
+#define KRB5_MIT_DES__
+
+#if defined(__MACH__) && defined(__APPLE__)
+#include <TargetConditionals.h>
+#include <AvailabilityMacros.h>
+#if TARGET_RT_MAC_CFM
+#error "Use KfM 4.0 SDK headers for CFM compilation."
+#endif
+#if defined(DEPRECATED_IN_MAC_OS_X_VERSION_10_5) && !defined(KRB5_SUPRESS_DEPRECATED_WARNINGS)
+#define KRB5INT_DES_DEPRECATED DEPRECATED_IN_MAC_OS_X_VERSION_10_5
+#endif
+#endif /* defined(__MACH__) && defined(__APPLE__) */
+
+/* Macro to add deprecated attribute to DES types and functions */
+/* Currently only defined on Mac OS X 10.5 and later. */
+#ifndef KRB5INT_DES_DEPRECATED
+#define KRB5INT_DES_DEPRECATED
+#endif
+
+#include <limits.h>
+
+#if UINT_MAX >= 0xFFFFFFFFUL
+#define DES_INT32 int
+#define DES_UINT32 unsigned int
+#else
+#define DES_INT32 long
+#define DES_UINT32 unsigned long
+#endif
+
+typedef unsigned char des_cblock[8] /* crypto-block size */
+KRB5INT_DES_DEPRECATED;
+
+/*
+ * Key schedule.
+ *
+ * This used to be
+ *
+ * typedef struct des_ks_struct {
+ * union { DES_INT32 pad; des_cblock _;} __;
+ * } des_key_schedule[16];
+ *
+ * but it would cause trouble if DES_INT32 were ever more than 4
+ * bytes. The reason is that all the encryption functions cast it to
+ * (DES_INT32 *), and treat it as if it were DES_INT32[32]. If
+ * 2*sizeof(DES_INT32) is ever more than sizeof(des_cblock), the
+ * caller-allocated des_key_schedule will be overflowed by the key
+ * scheduling functions. We can't assume that every platform will
+ * have an exact 32-bit int, and nothing should be looking inside a
+ * des_key_schedule anyway.
+ */
+typedef struct des_ks_struct { DES_INT32 _[2]; } des_key_schedule[16]
+KRB5INT_DES_DEPRECATED;
+
+typedef des_cblock mit_des_cblock;
+typedef des_key_schedule mit_des_key_schedule;
+
+/* Triple-DES structures */
+typedef mit_des_cblock mit_des3_cblock[3];
+typedef mit_des_key_schedule mit_des3_key_schedule[3];
+
+#define MIT_DES_ENCRYPT 1
+#define MIT_DES_DECRYPT 0
+
+typedef struct mit_des_ran_key_seed {
+ krb5_encrypt_block eblock;
+ krb5_data sequence;
+} mit_des_random_state;
+
+/* the first byte of the key is already in the keyblock */
+
+#define MIT_DES_BLOCK_LENGTH (8*sizeof(krb5_octet))
+#define MIT_DES_CBC_CRC_PAD_MINIMUM CRC32_CKSUM_LENGTH
+/* This used to be 8*sizeof(krb5_octet) */
+#define MIT_DES_KEYSIZE 8
+
+#define MIT_DES_CBC_CKSUM_LENGTH (4*sizeof(krb5_octet))
+
+/*
+ * Check if k5-int.h has been included before us. If so, then check to see
+ * that our view of the DES key size is the same as k5-int.h's.
+ */
+#ifdef KRB5_MIT_DES_KEYSIZE
+#if MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE
+error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE)
+#endif /* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */
+#endif /* KRB5_MIT_DES_KEYSIZE */
+#endif /* KRB5_MIT_DES__ */
+/*
+ * End "mit-des.h"
+ */
+
+#define mit_des_zeroblock krb5int_c_mit_des_zeroblock
+extern const mit_des_cblock mit_des_zeroblock;
+
+/* key_parity.c */
+extern void mit_des_fixup_key_parity (mit_des_cblock );
+extern int mit_des_check_key_parity (mit_des_cblock );
+
+/* string2key.c */
+extern krb5_error_code mit_des_string_to_key
+ ( const krb5_encrypt_block *,
+ krb5_keyblock *, const krb5_data *, const krb5_data *);
+extern krb5_error_code mit_des_string_to_key_int
+ (krb5_keyblock *, const krb5_data *, const krb5_data *);
+
+/* weak_key.c */
+extern int mit_des_is_weak_key (mit_des_cblock );
+
+/* misc.c */
+extern void swap_bits (char *);
+extern unsigned long long_swap_bits (unsigned long );
+extern unsigned long swap_six_bits_to_ansi (unsigned long );
+extern unsigned long swap_four_bits_to_ansi (unsigned long );
+extern unsigned long swap_bit_pos_1 (unsigned long );
+extern unsigned long swap_bit_pos_0 (unsigned long );
+extern unsigned long swap_bit_pos_0_to_ansi (unsigned long );
+extern unsigned long rev_swap_bit_pos_0 (unsigned long );
+extern unsigned long swap_byte_bits (unsigned long );
+extern unsigned long swap_long_bytes_bit_number (unsigned long );
+#ifdef FILE
+/* XXX depends on FILE being a #define! */
+extern void test_set (FILE *, const char *, int, const char *, int);
+#endif
+#endif /*DES_INTERNAL_DEFS*/
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * lib/crypto/openssl/des/des_oldapis.c
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ */
+
+#include "k5-int.h"
+#include "des_int.h"
+#include <ctype.h>
+
+const mit_des_cblock mit_des_zeroblock /* = all zero */;
+
+unsigned long
+mit_des_cbc_cksum(const krb5_octet *in, krb5_octet *out,
+ unsigned long length, const mit_des_key_schedule schedule,
+ const krb5_octet *ivec)
+{
+ /* Unsupported operation */
+ return KRB5_CRYPTO_INTERNAL;
+}
+
+krb5_error_code
+mit_afs_string_to_key (krb5_keyblock *keyblock, const krb5_data *data,
+ const krb5_data *salt)
+{
+ return KRB5_CRYPTO_INTERNAL;
+}
+
+int
+mit_des_key_sched(mit_des_cblock k, mit_des_key_schedule schedule)
+{
+ /* Unsupported operation */
+ return KRB5_CRYPTO_INTERNAL;
+}
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * These routines check and fix parity of encryption keys for the DES
+ * algorithm.
+ *
+ * They are a replacement for routines in key_parity.c, that don't require
+ * the table building that they do.
+ *
+ * Mark Eichin -- Cygnus Support
+ */
+
+
+#include "des_int.h"
+
+/*
+ * des_fixup_key_parity: Forces odd parity per byte; parity is bits
+ * 8,16,...64 in des order, implies 0, 8, 16, ...
+ * vax order.
+ */
+#define smask(step) ((1<<step)-1)
+#define pstep(x,step) (((x)&smask(step))^(((x)>>step)&smask(step)))
+#define parity_char(x) pstep(pstep(pstep((x),4),2),1)
+
+void
+mit_des_fixup_key_parity(mit_des_cblock key)
+{
+ unsigned int i;
+ for (i=0; i<sizeof(mit_des_cblock); i++)
+ {
+ key[i] &= 0xfe;
+ key[i] |= 1^parity_char(key[i]);
+ }
+
+ return;
+}
+
+/*
+ * des_check_key_parity: returns true iff key has the correct des parity.
+ * See des_fix_key_parity for the definition of
+ * correct des parity.
+ */
+int
+mit_des_check_key_parity(mit_des_cblock key)
+{
+ unsigned int i;
+
+ for (i=0; i<sizeof(mit_des_cblock); i++)
+ {
+ if((key[i] & 1) == parity_char(0xfe&key[i]))
+ {
+ return 0;
+ }
+ }
+
+ return(1);
+}
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * lib/crypto/openssl/des/string2key.c
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include "des_int.h"
+#include "pk11pub.h"
+#include "nss_gen.h"
+
+krb5_error_code
+mit_des_string_to_key_int(krb5_keyblock *key, const krb5_data *pw,
+ const krb5_data *salt)
+{
+ PK11SlotInfo *slot = NULL;
+ PK11SymKey *symKey = NULL;
+ SECItem pwItem;
+ SECItem paramsItem;
+ CK_PBE_PARAMS pbe_params;
+ CK_MECHANISM_TYPE pbeMech = CKM_NETSCAPE_PBE_SHA1_DES_CBC;
+ krb5_error_code ret;
+ SECItem *keyData;
+
+ ret = k5_nss_init();
+ if (ret)
+ return ret;
+
+ slot = PK11_GetBestSlot(pbeMech, NULL);
+ if (slot == NULL) {
+ ret = k5_nss_map_last_error();
+ goto loser;
+ }
+
+ pwItem.data = (unsigned char *)pw->data;
+ pwItem.len = pw->length;
+ memset(&pbe_params, 0, sizeof(pbe_params));
+ pbe_params.pSalt = (unsigned char *)salt->data;
+ pbe_params.ulSaltLen = salt->length;
+ pbe_params.ulIteration = 1;
+ paramsItem.data = (unsigned char *)&pbe_params;
+ paramsItem.len = sizeof(pbe_params);
+
+ symKey = PK11_RawPBEKeyGen(slot, pbeMech, ¶msItem, &pwItem,
+ PR_FALSE, NULL);
+ if (symKey == NULL) {
+ ret = k5_nss_map_last_error();
+ goto loser;
+ }
+ PK11_ExtractKeyValue(symKey);
+ keyData = PK11_GetKeyData(symKey);
+ if (!keyData) {
+ ret = k5_nss_map_last_error();
+ goto loser;
+ }
+ key->length = keyData->len;
+ memcpy(key->contents, keyData->data, key->length);
+ ret = 0;
+
+loser:
+ if (symKey)
+ PK11_FreeSymKey(symKey);
+ if (slot)
+ PK11_FreeSlot(slot);
+ return ret;
+}
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * lib/crypto/openssl/des/weak_key.c
+ *
+ * Copyright 1989,1990,2009 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * Under U.S. law, this software may not be exported outside the US
+ * without license from the U.S. Commerce department.
+ *
+ * These routines form the library interface to the DES facilities.
+ *
+ * Originally written 8/85 by Steve Miller, MIT Project Athena.
+ */
+
+#include "des_int.h"
+
+/*
+ * The following are the weak DES keys:
+ */
+static const mit_des_cblock weak[16] = {
+ /* weak keys */
+ {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01},
+ {0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,0xfe},
+ {0x1f,0x1f,0x1f,0x1f,0x0e,0x0e,0x0e,0x0e},
+ {0xe0,0xe0,0xe0,0xe0,0xf1,0xf1,0xf1,0xf1},
+
+ /* semi-weak */
+ {0x01,0xfe,0x01,0xfe,0x01,0xfe,0x01,0xfe},
+ {0xfe,0x01,0xfe,0x01,0xfe,0x01,0xfe,0x01},
+
+ {0x1f,0xe0,0x1f,0xe0,0x0e,0xf1,0x0e,0xf1},
+ {0xe0,0x1f,0xe0,0x1f,0xf1,0x0e,0xf1,0x0e},
+
+ {0x01,0xe0,0x01,0xe0,0x01,0xf1,0x01,0xf1},
+ {0xe0,0x01,0xe0,0x01,0xf1,0x01,0xf1,0x01},
+
+ {0x1f,0xfe,0x1f,0xfe,0x0e,0xfe,0x0e,0xfe},
+ {0xfe,0x1f,0xfe,0x1f,0xfe,0x0e,0xfe,0x0e},
+
+ {0x01,0x1f,0x01,0x1f,0x01,0x0e,0x01,0x0e},
+ {0x1f,0x01,0x1f,0x01,0x0e,0x01,0x0e,0x01},
+
+ {0xe0,0xfe,0xe0,0xfe,0xf1,0xfe,0xf1,0xfe},
+ {0xfe,0xe0,0xfe,0xe0,0xfe,0xf1,0xfe,0xf1}
+};
+
+/*
+ * mit_des_is_weak_key: returns true iff key is a [semi-]weak des key.
+ *
+ * Requires: key has correct odd parity.
+ */
+int
+mit_des_is_weak_key(mit_des_cblock key)
+{
+ unsigned int i;
+ const mit_des_cblock *weak_p = weak;
+
+ for (i = 0; i < (sizeof(weak)/sizeof(mit_des_cblock)); i++) {
+ if (!memcmp(weak_p++,key,sizeof(mit_des_cblock)))
+ return 1;
+ }
+ return 0;
+}
--- /dev/null
+mydir=lib/crypto/nss/enc_provider
+BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
+LOCALINCLUDES = -I$(srcdir)/../des \
+ -I$(srcdir)/../arcfour \
+ -I$(srcdir)/../aes \
+ -I$(srcdir)/../../krb \
+ -I$(srcdir)/../../krb/rand2key \
+ -I$(srcdir)/.. -I$(srcdir)/. \
+ @CRYPTO_IMPL_CFLAGS@
+DEFS=
+
+##DOS##BUILDTOP = ..\..\..\..
+##DOS##PREFIXDIR=enc_provider
+##DOS##OBJFILE=..\$(OUTPRE)enc_prov.lst
+
+PROG_LIBPATH=-L$(TOPLIBD)
+PROG_RPATH=$(KRB5_LIBDIR)
+
+STLIBOBJS= \
+ enc_gen.o \
+ des.o \
+ des3.o \
+ rc4.o \
+ aes.o \
+ camellia.o
+
+OBJS= \
+ $(OUTPRE)enc_gen.$(OBJEXT) \
+ $(OUTPRE)des.$(OBJEXT) \
+ $(OUTPRE)des3.$(OBJEXT) \
+ $(OUTPRE)aes.$(OBJEXT) \
+ $(OUTPRE)camellia.$(OBJEXT) \
+ $(OUTPRE)rc4.$(OBJEXT)
+
+SRCS= \
+ $(srcdir)/enc_gen.c \
+ $(srcdir)/des.c \
+ $(srcdir)/des3.c \
+ $(srcdir)/aes.c \
+ $(srcdir)/camellia.c \
+ $(srcdir)/rc4.c
+
+##DOS##LIBOBJS = $(OBJS)
+
+all-unix:: all-libobjs
+
+includes:: depend
+
+depend:: $(SRCS)
+
+clean-unix:: clean-libobjs
+
+@libobj_frag@
+
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/crypto/nss/enc_provider/aes.c
+ *
+ * Copyright (c) 2010 Red Hat, Inc.
+ * All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * * Neither the name of Red Hat, Inc., nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "k5-int.h"
+#include "enc_provider.h"
+#include "rand2key.h"
+#include "aead.h"
+#include "nss_gen.h"
+
+
+krb5_error_code
+krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
+{
+ krb5_error_code ret;
+
+ ret = k5_nss_gen_import(key, CKM_AES_CBC, CKA_ENCRYPT);
+ if (ret != 0)
+ return ret;
+ return k5_nss_gen_cts_iov(key, CKM_AES_CBC, CKA_ENCRYPT,
+ ivec, data, num_data);
+}
+
+krb5_error_code
+krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
+{
+ krb5_error_code ret;
+
+ ret = k5_nss_gen_import(key, CKM_AES_CBC, CKA_DECRYPT);
+ if (ret != 0)
+ return ret;
+ return k5_nss_gen_cts_iov(key, CKM_AES_CBC, CKA_DECRYPT,
+ ivec, data, num_data);
+}
+
+/*
+ * perhaps we should store the NSS context in the krb5_data state here?
+ */
+static krb5_error_code
+aes_init_state(const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_data *state)
+{
+ state->length = 16;
+ state->data = (void *) malloc(16);
+ if (state->data == NULL)
+ return ENOMEM;
+ memset(state->data, 0, state->length);
+ return 0;
+}
+
+const struct krb5_enc_provider krb5int_enc_aes128 = {
+ 16,
+ 16, 16,
+ krb5int_aes_encrypt,
+ krb5int_aes_decrypt,
+ NULL,
+ krb5int_aes_make_key,
+ aes_init_state,
+ krb5int_default_free_state,
+};
+
+const struct krb5_enc_provider krb5int_enc_aes256 = {
+ 16,
+ 32, 32,
+ krb5int_aes_encrypt,
+ krb5int_aes_decrypt,
+ NULL,
+ krb5int_aes_make_key,
+ aes_init_state,
+ krb5int_default_free_state,
+ k5_nss_gen_cleanup
+};
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/crypto/nss/enc_provider/camellia.c
+ *
+ * Copyright (c) 2010 Red Hat, Inc.
+ * All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * * Neither the name of Red Hat, Inc., nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "k5-int.h"
+#include "enc_provider.h"
+#include "rand2key.h"
+#include "aead.h"
+#include "nss_gen.h"
+
+#ifdef CAMELLIA_CCM
+
+/* XXX These won't work yet (they're just the AES functions, which aren't right
+ * for CTR mode). Will fix later. */
+
+krb5_error_code
+krb5int_camellia_encrypt(krb5_key key, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
+{
+ krb5_error_code ret;
+
+ ret = k5_nss_gen_import(key, CKM_CAMELLIA_CBC, CKA_ENCRYPT);
+ if (ret != 0)
+ return ret;
+ return k5_nss_gen_cts_iov(key, CKM_CAMELLIA_CBC, CKA_ENCRYPT,
+ ivec, data, num_data);
+}
+
+krb5_error_code
+krb5int_camellia_decrypt(krb5_key key, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
+{
+ krb5_error_code ret;
+
+ ret = k5_nss_gen_import(key, CKM_CAMELLIA_CBC, CKA_DECRYPT);
+ if (ret != 0)
+ return ret;
+ return k5_nss_gen_cts_iov(key, CKM_CAMELLIA_CBC, CKA_DECRYPT,
+ ivec, data, num_data);
+}
+
+/*
+ * perhaps we should store the NSS context in the krb5_data state here?
+ */
+static krb5_error_code
+camellia_init_state(const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_data *state)
+{
+ state->length = 16;
+ state->data = (void *) malloc(16);
+ if (state->data == NULL)
+ return ENOMEM;
+ memset(state->data, 0, state->length);
+ return 0;
+}
+
+const struct krb5_enc_provider krb5int_enc_camellia128 = {
+ 16,
+ 16, 16,
+ krb5int_camellia_encrypt,
+ krb5int_camellia_decrypt,
+ krb5int_camellia_cbc_mac,
+ krb5int_camellia_make_key,
+ camellia_init_state,
+ krb5int_default_free_state,
+};
+
+const struct krb5_enc_provider krb5int_enc_camellia256 = {
+ 16,
+ 32, 32,
+ krb5int_camellia_encrypt,
+ krb5int_camellia_decrypt,
+ krb5int_camellia_cbc_mac,
+ krb5int_camellia_make_key,
+ camellia_init_state,
+ krb5int_default_free_state,
+ k5_nss_gen_cleanup
+};
+
+#else /* CAMELLIA_CCM */
+
+/* These won't be used, but are still in the export table. */
+
+krb5_error_code
+krb5int_camellia_cbc_mac(krb5_key key, const krb5_crypto_iov *data,
+ size_t num_data, const krb5_data *iv,
+ krb5_data *output)
+{
+ return EINVAL;
+}
+
+const struct krb5_enc_provider krb5int_enc_camellia128_ctr = {
+};
+
+#endif
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/crypto/nss/enc_provider/des.c
+ *
+ * Copyright (c) 2010 Red Hat, Inc.
+ * All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * * Neither the name of Red Hat, Inc., nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "k5-int.h"
+#include "nss_gen.h"
+#include <aead.h>
+#include <rand2key.h>
+#include "des_int.h"
+
+
+static krb5_error_code
+k5_des_encrypt_iov(krb5_key key, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
+{
+ krb5_error_code ret;
+
+ ret = k5_nss_gen_import(key, CKM_DES_CBC, CKA_ENCRYPT);
+ if (ret != 0)
+ return ret;
+ return k5_nss_gen_block_iov(key, CKM_DES_CBC, CKA_ENCRYPT,
+ ivec, data, num_data);
+}
+
+static krb5_error_code
+k5_des_decrypt_iov(krb5_key key,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data)
+{
+ krb5_error_code ret;
+
+ ret = k5_nss_gen_import(key, CKM_DES_CBC, CKA_ENCRYPT);
+ if (ret != 0)
+ return ret;
+ return k5_nss_gen_block_iov(key, CKM_DES_CBC, CKA_DECRYPT,
+ ivec, data, num_data);
+}
+
+const struct krb5_enc_provider krb5int_enc_des = {
+ 8,
+ 7, KRB5_MIT_DES_KEYSIZE,
+ k5_des_encrypt_iov,
+ k5_des_decrypt_iov,
+ NULL,
+ krb5int_des_make_key,
+ krb5int_des_init_state,
+ krb5int_default_free_state,
+ k5_nss_gen_cleanup
+};
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/crypto/nss/enc_provider/des3.c
+ *
+ * Copyright (c) 2010 Red Hat, Inc.
+ * All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * * Neither the name of Red Hat, Inc., nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "k5-int.h"
+#include "nss_gen.h"
+#include <aead.h>
+#include <rand2key.h>
+#include "des_int.h"
+
+
+static krb5_error_code
+k5_des3_encrypt_iov(krb5_key key, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
+{
+ krb5_error_code ret;
+
+ ret = k5_nss_gen_import(key, CKM_DES3_CBC, CKA_ENCRYPT);
+ if (ret != 0)
+ return ret;
+ return k5_nss_gen_block_iov(key, CKM_DES3_CBC, CKA_ENCRYPT,
+ ivec, data, num_data);
+}
+
+static krb5_error_code
+k5_des3_decrypt_iov(krb5_key key, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
+{
+ krb5_error_code ret;
+
+ ret = k5_nss_gen_import(key, CKM_DES3_CBC, CKA_ENCRYPT);
+ if (ret != 0)
+ return ret;
+ return k5_nss_gen_block_iov(key, CKM_DES3_CBC, CKA_DECRYPT,
+ ivec, data, num_data);
+}
+
+const struct krb5_enc_provider krb5int_enc_des3 = {
+ 8,
+ 21, KRB5_MIT_DES3_KEYSIZE,
+ k5_des3_encrypt_iov,
+ k5_des3_decrypt_iov,
+ NULL,
+ krb5int_des3_make_key,
+ krb5int_des_init_state,
+ krb5int_default_free_state,
+ k5_nss_gen_cleanup
+};
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/crypto/nss/enc_provider/enc_gen.c
+ *
+ * Copyright (c) 2010 Red Hat, Inc.
+ * All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * * Neither the name of Red Hat, Inc., nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "k5-int.h"
+#include "nss_gen.h"
+#include "enc_provider.h"
+#include "rand2key.h"
+#include "aead.h"
+#include "seccomon.h"
+#include "pk11pub.h"
+#include "nss.h"
+
+/* 512 bits is bigger than anything defined to date */
+#define MAX_KEY_LENGTH 64
+#define MAX_BLOCK_SIZE 64
+
+static NSSInitContext *k5_nss_ctx = NULL;
+static pid_t k5_nss_pid = 0;
+static k5_mutex_t k5_nss_lock = K5_MUTEX_PARTIAL_INITIALIZER;
+
+struct stream_state {
+ struct stream_state *loopback; /* To detect copying */
+ pid_t pid; /* To detect use across fork */
+ PK11Context *ctx;
+};
+
+struct cached_key {
+ pid_t pid; /* To detect use across fork */
+ PK11SymKey *symkey;
+};
+
+krb5_error_code
+k5_nss_map_error(int nss_error)
+{
+ /* Currently KRB5 does not define a full set of CRYPTO failures.
+ * for now just use KRB5_CRYPTO_INTERNAL. We really should return
+ * errors for Not logged in, and maybe a few others. */
+ return KRB5_CRYPTO_INTERNAL;
+}
+
+krb5_error_code
+k5_nss_map_last_error(void)
+{
+ return k5_nss_map_error(PORT_GetError());
+}
+
+int
+krb5int_crypto_impl_init(void)
+{
+ return k5_mutex_finish_init(&k5_nss_lock);
+}
+
+void
+krb5int_crypto_impl_cleanup(void)
+{
+ k5_mutex_destroy(&k5_nss_lock);
+}
+
+/*
+ * krb5 doesn't have a call into the crypto engine to initialize it, so we do
+ * it here. This code will try to piggyback on any application initialization
+ * done to NSS. Otherwise get our one library init context.
+ */
+#define NSS_KRB5_CONFIGDIR "sql:/etc/pki/nssdb"
+krb5_error_code
+k5_nss_init(void)
+{
+ PRUint32 flags = NSS_INIT_READONLY | NSS_INIT_NOROOTINIT;
+ krb5_error_code ret;
+ SECStatus rv;
+ pid_t pid;
+
+ ret = k5_mutex_lock(&k5_nss_lock);
+ if (ret)
+ return ret;
+
+ pid = getpid();
+ if (k5_nss_ctx != NULL) {
+ /* Do nothing if the existing context is still good. */
+ if (k5_nss_pid == pid)
+ goto cleanup;
+
+ /* We've forked since the last init, and need to reinitialize. */
+ rv = NSS_ShutdownContext(k5_nss_ctx);
+ k5_nss_ctx = NULL;
+ if (rv != SECSuccess) {
+ ret = k5_nss_map_last_error();
+ goto cleanup;
+ }
+ }
+ k5_nss_ctx = NSS_InitContext(NSS_KRB5_CONFIGDIR, "", "", "", NULL, flags);
+ if (k5_nss_ctx == NULL) {
+ /* There may be no system database; try again without it. */
+ flags |= NSS_INIT_NOMODDB | NSS_INIT_NOCERTDB;
+ k5_nss_ctx = NSS_InitContext(NULL, "", "", "", NULL, flags);
+ if (k5_nss_ctx == NULL) {
+ ret = k5_nss_map_last_error();
+ goto cleanup;
+ }
+ }
+ k5_nss_pid = pid;
+
+cleanup:
+ k5_mutex_unlock(&k5_nss_lock);
+ return ret;
+}
+
+PK11Context *
+k5_nss_create_context(krb5_key krb_key, CK_MECHANISM_TYPE mechanism,
+ CK_ATTRIBUTE_TYPE operation, SECItem *param)
+{
+ struct cached_key *ckey = krb_key->cache;
+
+ return PK11_CreateContextBySymKey(mechanism, operation, ckey->symkey,
+ param);
+}
+
+static void inline
+xor(unsigned char *x, unsigned char *y, int size)
+{
+ int i;
+
+#define ALIGNED(x,type) (!(((size_t)(x))&(sizeof(type)-1)))
+ if (ALIGNED(x,unsigned long) && ALIGNED(y, unsigned long)
+ && ALIGNED(size, unsigned long)) {
+ unsigned long *ux = (unsigned long *)x;
+ unsigned long *uy = (unsigned long *)y;
+ for (i=0; i < (int)(size/sizeof(unsigned long)); i++) {
+ *ux++ ^= *uy++;
+ }
+ return;
+ }
+ for (i=0; i < size; i++) {
+ *x++ ^= *y++;
+ }
+}
+
+krb5_error_code
+k5_nss_gen_block_iov(krb5_key krb_key, CK_MECHANISM_TYPE mech,
+ CK_ATTRIBUTE_TYPE operation, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
+{
+ krb5_error_code ret = 0;
+ PK11Context *ctx = NULL;
+ SECStatus rv;
+ SECItem *param = NULL;
+ struct iov_block_state input_pos, output_pos;
+ unsigned char storage[MAX_BLOCK_SIZE];
+ unsigned char iv0[MAX_BLOCK_SIZE];
+ unsigned char *ptr = NULL,*lastptr = NULL;
+ SECItem iv;
+ size_t blocksize;
+ int length = 0;
+ int lastblock = -1;
+ int currentblock;
+
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
+
+ blocksize = PK11_GetBlockSize(mech, NULL);
+ assert(blocksize <= sizeof(storage));
+
+ if (ivec && ivec->data) {
+ iv.data = (unsigned char *)ivec->data;
+ iv.len = ivec->length;
+ if (operation == CKA_DECRYPT) {
+ int i, inputlength;
+
+ /* Count the blocks so we know which block is last. */
+ for (i = 0, inputlength = 0; i < (int)num_data; i++) {
+ krb5_crypto_iov *iov = &data[i];
+
+ if (ENCRYPT_IOV(iov))
+ inputlength += iov->data.length;
+ }
+ lastblock = (inputlength/blocksize) -1;
+ }
+ } else {
+ memset(iv0, 0, sizeof(iv0));
+ iv.data = iv0;
+ iv.len = blocksize;
+ }
+ param = PK11_ParamFromIV(mech, &iv);
+
+ ctx = k5_nss_create_context(krb_key, mech, operation, param);
+ if (ctx == NULL) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+
+ for (currentblock = 0;;currentblock++) {
+ if (!krb5int_c_iov_get_block_nocopy(storage, blocksize, data, num_data,
+ &input_pos, &ptr))
+ break;
+
+ lastptr = NULL;
+
+ /* only set if we are decrypting */
+ if (lastblock == currentblock)
+ memcpy(ivec->data, ptr, blocksize);
+
+ rv = PK11_CipherOp(ctx, ptr, &length, blocksize, ptr, blocksize);
+ if (rv != SECSuccess) {
+ ret = k5_nss_map_last_error();
+ break;
+ }
+
+ lastptr = ptr;
+ krb5int_c_iov_put_block_nocopy(data, num_data, storage, blocksize,
+ &output_pos, ptr);
+ }
+
+ if (lastptr && ivec && ivec->data && operation == CKA_ENCRYPT) {
+ memcpy(ivec->data, lastptr, blocksize);
+ }
+done:
+ if (ctx) {
+ PK11_Finalize(ctx);
+ PK11_DestroyContext(ctx, PR_TRUE);
+ }
+ if (param)
+ SECITEM_FreeItem(param, PR_TRUE);
+ return ret;
+}
+
+krb5_error_code
+k5_nss_stream_init_state(krb5_data *new_state)
+{
+ struct stream_state *sstate;
+
+ /* Create a state structure with an uninitialized context. */
+ sstate = calloc(1, sizeof(*sstate));
+ if (sstate == NULL)
+ return ENOMEM;
+ sstate->loopback = NULL;
+ new_state->data = (char *) sstate;
+ new_state->length = sizeof(*sstate);
+ return 0;
+}
+
+krb5_error_code
+k5_nss_stream_free_state(krb5_data *state)
+{
+ struct stream_state *sstate = (struct stream_state *) state->data;
+
+ /* Clean up the OpenSSL context if it was initialized. */
+ if (sstate && sstate->loopback == sstate) {
+ PK11_Finalize(sstate->ctx);
+ PK11_DestroyContext(sstate->ctx, PR_TRUE);
+ }
+ free(sstate);
+ return 0;
+}
+
+krb5_error_code
+k5_nss_gen_stream_iov(krb5_key krb_key, krb5_data *state,
+ CK_MECHANISM_TYPE mech, CK_ATTRIBUTE_TYPE operation,
+ krb5_crypto_iov *data, size_t num_data)
+{
+ int ret = 0;
+ PK11Context *ctx = NULL;
+ SECStatus rv;
+ SECItem param;
+ krb5_crypto_iov *iov;
+ struct stream_state *sstate = NULL;
+ int i;
+
+ param.data = NULL;
+ param.len = 0;
+
+ sstate = (state == NULL) ? NULL : (struct stream_state *) state->data;
+ if (sstate == NULL || sstate->loopback == NULL) {
+ ctx = k5_nss_create_context(krb_key, mech, operation, ¶m);
+ if (ctx == NULL) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+ if (sstate) {
+ sstate->loopback = sstate;
+ sstate->pid = getpid();
+ sstate->ctx = ctx;
+ }
+ } else {
+ /* Cipher state can't be copied or used across a fork. */
+ if (sstate->loopback != sstate || sstate->pid != getpid())
+ return EINVAL;
+ ctx = sstate->ctx;
+ }
+
+ for (i=0; i < (int)num_data; i++) {
+ int return_length;
+ iov = &data[i];
+ if (iov->data.length <= 0)
+ break;
+
+ if (ENCRYPT_IOV(iov)) {
+ rv = PK11_CipherOp(ctx, (unsigned char *)iov->data.data,
+ &return_length, iov->data.length,
+ (unsigned char *)iov->data.data,
+ iov->data.length);
+ if (rv != SECSuccess) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+ iov->data.length = return_length;
+ }
+ }
+done:
+ if (!state && ctx) {
+ PK11_Finalize(ctx);
+ PK11_DestroyContext(ctx, PR_TRUE);
+ }
+ return ret;
+}
+
+krb5_error_code
+k5_nss_gen_cts_iov(krb5_key krb_key, CK_MECHANISM_TYPE mech,
+ CK_ATTRIBUTE_TYPE operation, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
+{
+ krb5_error_code ret = 0;
+ PK11Context *ctx = NULL;
+ SECStatus rv;
+ SECItem *param = NULL;
+ struct iov_block_state input_pos, output_pos;
+ unsigned char storage[MAX_BLOCK_SIZE];
+ unsigned char recover1[MAX_BLOCK_SIZE];
+ unsigned char recover2[MAX_BLOCK_SIZE];
+ unsigned char block1[MAX_BLOCK_SIZE];
+ unsigned char block2[MAX_BLOCK_SIZE];
+ unsigned char iv0[MAX_BLOCK_SIZE];
+ unsigned char *ptr = NULL;
+ SECItem iv;
+ size_t blocksize;
+ size_t bulk_length, remainder;
+ size_t input_length, lastblock;
+ size_t length;
+ int i, len;
+
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
+
+ blocksize = PK11_GetBlockSize(mech, NULL);
+ assert(blocksize <= sizeof(storage));
+
+ if (ivec) {
+ iv.data = (unsigned char *)ivec->data;
+ iv.len = ivec->length;
+ } else {
+ memset(iv0, 0, sizeof(iv0));
+ iv.data = iv0;
+ iv.len = blocksize;
+ }
+ param = PK11_ParamFromIV(mech, &iv);
+
+ for (i = 0, input_length = 0; i < (int)num_data; i++) {
+ krb5_crypto_iov *iov = &data[i];
+
+ if (ENCRYPT_IOV(iov))
+ input_length += iov->data.length;
+ }
+ /* Must be at least a block or we fail. */
+ if (input_length < blocksize) {
+ ret = EINVAL;
+ goto done;
+ }
+
+ bulk_length = (input_length / blocksize)*blocksize;
+ remainder = input_length - bulk_length;
+ /* Do the block swap even if the input data is aligned, only
+ * drop it if we are encrypting exactly one block. */
+ if (remainder == 0 && bulk_length != blocksize) {
+ remainder = blocksize;
+ bulk_length -= blocksize;
+ }
+
+ ctx = k5_nss_create_context(krb_key, mech, operation, param);
+ if (ctx == NULL) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+
+ /* Now we bulk encrypt each block in the loop. We need to know where to
+ * stop to do special processing. For single block operations we stop at
+ * the end. For all others we stop and the last second to last block
+ * (counting partial blocks). For decrypt operations we need to save cn-2
+ * so we stop at the third to last block if it exists, otherwise cn-2 = the
+ * iv. */
+ lastblock = bulk_length;
+ if (remainder) {
+ /* We need to process the last full block and last partitial block
+ * differently. */
+ lastblock = bulk_length - blocksize;
+ if (operation == CKA_DECRYPT) {
+ if (bulk_length > blocksize) {
+ /* Stop at cn-2 so we can save it before going on. */
+ lastblock = bulk_length - 2*blocksize;
+ } else {
+ /* iv is cn-2, save it now, cn - 2. */
+ memcpy(recover1, iv.data, blocksize);
+ memcpy(recover2, iv.data, blocksize);
+ }
+ }
+ }
+ for (length = 0; length < lastblock; length += blocksize) {
+ if (!krb5int_c_iov_get_block_nocopy(storage, blocksize, data, num_data,
+ &input_pos, &ptr))
+ break;
+
+ rv = PK11_CipherOp(ctx, ptr, &len, blocksize, ptr, blocksize);
+ if (rv != SECSuccess) {
+ ret = k5_nss_map_last_error();
+ break;
+ }
+
+ krb5int_c_iov_put_block_nocopy(data, num_data, storage, blocksize,
+ &output_pos, ptr);
+ }
+ if (remainder) {
+ if (operation == CKA_DECRYPT) {
+ if (bulk_length > blocksize) {
+ /* we need to save cn-2 */
+ if (!krb5int_c_iov_get_block_nocopy(storage, blocksize, data,
+ num_data, &input_pos,
+ &ptr))
+ goto done; /* shouldn't happen */
+
+ /* save cn-2 */
+ memcpy(recover1, ptr, blocksize);
+ memcpy(recover2, ptr, blocksize);
+
+ /* now process it as normal */
+ rv = PK11_CipherOp(ctx, ptr, &len, blocksize, ptr, blocksize);
+ if (rv != SECSuccess) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+
+ krb5int_c_iov_put_block_nocopy(data, num_data, storage,
+ blocksize, &output_pos, ptr);
+ }
+ }
+ /* fetch the last 2 blocks */
+ memset(block1, 0, blocksize); /* last block, could be partial */
+ krb5int_c_iov_get_block(block2, blocksize, data, num_data, &input_pos);
+ krb5int_c_iov_get_block(block1, remainder, data, num_data, &input_pos);
+ if (operation == CKA_DECRYPT) {
+ /* recover1 and recover2 are xor values to recover the true
+ * underlying data of the last 2 decrypts. This keeps us from
+ * having to try to reset our IV to do the final decryption. */
+ /* Currently: block1 is cn || 0, block2 is cn-1.
+ * recover1 & recover2 is set to cn-2. */
+ /* recover2 recovers pn || c' from p'n-1. The raw decrypted block
+ * will be p'n-1 xor with cn-2 while pn || c' = p'n-1 xor cn || 0.
+ * recover2 is cn-2 xor cn || 0, so we can simple xor recover1
+ * with the raw decrypted block. */
+ /* recover1 recovers pn-1 from the raw decryption of cn || c'.
+ * the raw decrypt of cn || c' = p'n xor cn-1 while
+ * pn-1 = p'n xor cn-2
+ * recover1 is cn-2 xor cn-1, so we can simple xor recover 2 with
+ * the raw decrypt of cn||c' to get pn-1. */
+ xor(recover1, block2, blocksize);
+ xor(recover2, block1, blocksize);
+ if (ivec && ivec->data)
+ memcpy(ivec->data, block2, blocksize);
+ }
+ rv = PK11_CipherOp(ctx, block2, &len, blocksize, block2, blocksize);
+ if (rv != SECSuccess) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+ if (operation == CKA_DECRYPT) {
+ /* block2 now has p'n-1 xor cn-2. */
+ xor(block2, recover2, blocksize);
+ /* block 2 now has pn || c'. */
+ /* copy c' into cn || c'. */
+ memcpy(block1 + remainder, block2 + remainder,
+ blocksize - remainder);
+ }
+ rv = PK11_CipherOp(ctx, block1, &len, blocksize, block1, blocksize);
+ if (rv != SECSuccess) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+ if (operation == CKA_DECRYPT) {
+ /* block1 now has p'n xor cn-1 */
+ xor(block1, recover1, blocksize);
+ /* block 1 now has pn-1 */
+ } else {
+ if (ivec && ivec->data) {
+ memcpy(ivec->data, block1, blocksize);
+ }
+ }
+ krb5int_c_iov_put_block(data,num_data, block1, blocksize, &output_pos);
+ krb5int_c_iov_put_block(data,num_data, block2, remainder, &output_pos);
+ }
+
+done:
+ if (ctx) {
+ PK11_Finalize(ctx);
+ PK11_DestroyContext(ctx, PR_TRUE);
+ }
+ if (param)
+ SECITEM_FreeItem(param, PR_TRUE);
+ return ret;
+}
+
+void
+k5_nss_gen_cleanup(krb5_key krb_key)
+{
+ struct cached_key *ckey = krb_key->cache;
+
+ if (ckey) {
+ PK11_FreeSymKey(ckey->symkey);
+ free(ckey);
+ krb_key->cache = NULL;
+ }
+}
+
+krb5_error_code
+k5_nss_gen_import(krb5_key krb_key, CK_MECHANISM_TYPE mech,
+ CK_ATTRIBUTE_TYPE operation)
+{
+ krb5_error_code ret = 0;
+ pid_t pid = getpid();
+ struct cached_key *ckey = krb_key->cache;
+ PK11SymKey *symkey;
+ PK11SlotInfo *slot = NULL;
+ SECItem raw_key;
+#ifdef FAKE_FIPS
+ PK11SymKey *wrapping_key = NULL;
+ PK11Context *ctx = NULL;
+ SECItem wrapped_key;
+ SECItem params;
+ unsigned char wrapped_key_data[MAX_KEY_LENGTH];
+ unsigned char padded_key_data[MAX_KEY_LENGTH];
+ int wrapping_index, series, blocksize;
+ int keyLength;
+ CK_MECHANISM_TYPE mechanism;
+ SECStatus rv;
+#endif
+
+ if (ckey && ckey->pid == pid)
+ return 0;
+
+ ret = k5_nss_init();
+ if (ret)
+ return ret;
+
+ if (ckey) {
+ /* Discard the no-longer-valid symkey and steal its container. */
+ PK11_FreeSymKey(ckey->symkey);
+ ckey->symkey = NULL;
+ krb_key->cache = NULL;
+ } else {
+ /* Allocate a new container. */
+ ckey = k5alloc(sizeof(*ckey), &ret);
+ if (ckey == NULL)
+ return ret;
+ }
+
+ slot = PK11_GetBestSlot(mech, NULL);
+ if (slot == NULL) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+ raw_key.data = krb_key->keyblock.contents;
+ raw_key.len = krb_key->keyblock.length;
+
+#ifdef FAKE_FIPS
+ /* First, fetch a wrapping key. */
+ wrapping_index = PK11_GetCurrentWrapIndex(slot);
+ series = PK11_GetSlotSeries(slot);
+ wrapping_key = PK11_GetWrapKey(slot, wrapping_index,
+ CKM_INVALID_MECHANISM, series, NULL);
+ if (wrapping_key == NULL) {
+ /* One doesn't exist, create one. */
+ mechanism = PK11_GetBestWrapMechanism(slot);
+ keyLength = PK11_GetBestKeyLength(slot, mechanism);
+ wrapping_key = PK11_TokenKeyGenWithFlags(slot, mechanism, NULL,
+ keyLength, NULL,
+ CKF_UNWRAP | CKF_ENCRYPT, 0,
+ NULL);
+ if (!wrapping_key) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+ PK11_SetWrapKey(slot, wrapping_index, wrapping_key);
+ }
+
+ /* Now encrypt the data with the wrapping key. */
+ mechanism = PK11_GetMechanism(wrapping_key);
+ params.data = NULL;
+ params.len = 0;
+ ctx = PK11_CreateContextBySymKey(mechanism, CKA_ENCRYPT,
+ wrapping_key, ¶ms);
+ if (ctx == NULL) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+
+ wrapped_key.data = wrapped_key_data;
+ wrapped_key.len = sizeof(wrapped_key_data);
+ blocksize = PK11_GetBlockSize(mechanism, NULL);
+ keyLength = raw_key.len;
+
+ /*
+ * ECB modes need keys in integral multiples of the block size.
+ * if the key isn't and integral multiple, pad it with zero. Unwrap
+ * will use the length parameter to appropriately set the key.
+ */
+ if ((raw_key.len % blocksize) != 0) {
+ int keyblocks = (raw_key.len + (blocksize - 1)) / blocksize;
+ keyLength = keyblocks * blocksize;
+ assert(keyLength <= sizeof(padded_key_data));
+ memset(padded_key_data, 0, keyLength);
+ memcpy(padded_key_data, raw_key.data, raw_key.len);
+ raw_key.data = padded_key_data;
+ }
+ rv = PK11_CipherOp(ctx, wrapped_key.data, (int *)&wrapped_key.len,
+ sizeof(wrapped_key_data), raw_key.data, keyLength);
+ if (keyLength != raw_key.len) {
+ /* Clear our copy of the key bits. */
+ memset(padded_key_data, 0, keyLength);
+ }
+ if (rv != SECSuccess) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+ PK11_Finalize(ctx);
+ PK11_DestroyContext(ctx, PR_TRUE);
+ ctx = NULL;
+
+ /* Now now we have a 'wrapped' version of the, we can import it into
+ * the token without running afoul with FIPS. */
+ symkey = PK11_UnwrapSymKey(wrapping_key, mechanism, ¶ms, &wrapped_key,
+ mech, operation, raw_key.len);
+#else
+ symkey = PK11_ImportSymKey(slot, mech, PK11_OriginGenerated, operation,
+ &raw_key, NULL);
+#endif
+ if (symkey == NULL) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+ ckey->pid = pid;
+ ckey->symkey = symkey;
+ krb_key->cache = ckey;
+ ckey = NULL;
+
+done:
+ free(ckey);
+ if (slot)
+ PK11_FreeSlot(slot);
+#ifdef FAKE_FIPS
+ if (ctx) {
+ PK11_Finalize(ctx);
+ PK11_DestroyContext(ctx, PR_TRUE);
+ }
+ if (wrapping_key)
+ PK11_FreeSymKey(wrapping_key);
+#endif
+
+ return ret;
+}
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+
+extern const struct krb5_enc_provider krb5int_enc_des;
+extern const struct krb5_enc_provider krb5int_enc_des3;
+extern const struct krb5_enc_provider krb5int_enc_arcfour;
+extern const struct krb5_enc_provider krb5int_enc_aes128;
+extern const struct krb5_enc_provider krb5int_enc_aes256;
+extern const struct krb5_enc_provider krb5int_enc_aes128_ctr;
+extern const struct krb5_enc_provider krb5int_enc_aes256_ctr;
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/crypto/nss/enc_provider/rc4.c
+ *
+ * Copyright (c) 2010 Red Hat, Inc.
+ * All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * * Neither the name of Red Hat, Inc., nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "k5-int.h"
+#include <aead.h>
+#include <rand2key.h>
+#include "nss_gen.h"
+
+#define RC4_KEY_SIZE 16
+#define RC4_BLOCK_SIZE 1
+
+/* In-place IOV crypto */
+static krb5_error_code
+k5_arcfour_encrypt_iov(krb5_key key, const krb5_data *state,
+ krb5_crypto_iov *data, size_t num_data)
+{
+ krb5_error_code ret;
+
+ ret = k5_nss_gen_import(key, CKM_RC4, CKA_ENCRYPT);
+ if (ret != 0)
+ return ret;
+ return k5_nss_gen_stream_iov(key, state, CKM_RC4, CKA_ENCRYPT,
+ data, num_data);
+}
+
+/* In-place IOV crypto */
+static krb5_error_code
+k5_arcfour_decrypt_iov(krb5_key key, const krb5_data *state,
+ krb5_crypto_iov *data, size_t num_data)
+{
+ krb5_error_code ret;
+
+ ret = k5_nss_gen_import(key, CKM_RC4, CKA_DECRYPT);
+ if (ret != 0)
+ return ret;
+ return k5_nss_gen_stream_iov(key, state, CKM_RC4, CKA_DECRYPT,
+ data, num_data);
+}
+
+static krb5_error_code
+k5_arcfour_free_state(krb5_data *state)
+{
+ return k5_nss_stream_free_state(state);
+}
+
+static krb5_error_code
+k5_arcfour_init_state(const krb5_keyblock *key,
+ krb5_keyusage keyusage, krb5_data *new_state)
+{
+ /* key can't quite be used here. See comment in k5_arcfour_init_state. */
+ return k5_nss_stream_init_state(new_state);
+}
+
+const struct krb5_enc_provider krb5int_enc_arcfour = {
+ /* This seems to work... although I am not sure what the
+ implications are in other places in the kerberos library. */
+ RC4_BLOCK_SIZE,
+ /* Keysize is arbitrary in arcfour, but the constraints of the
+ system, and to attempt to work with the MSFT system forces us
+ to 16byte/128bit. Since there is no parity in the key, the
+ byte and length are the same. */
+ RC4_KEY_SIZE, RC4_KEY_SIZE,
+ k5_arcfour_encrypt_iov,
+ k5_arcfour_decrypt_iov,
+ NULL,
+ krb5int_arcfour_make_key,
+ k5_arcfour_init_state,
+ k5_arcfour_free_state,
+ k5_nss_gen_cleanup
+};
--- /dev/null
+mydir=lib/crypto/nss/hash_provider
+BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
+LOCALINCLUDES = -I$(srcdir)/../../krb/crc32 -I$(srcdir)/../md4 \
+ -I$(srcdir)/.. -I$(srcdir)/../../krb \
+ @CRYPTO_IMPL_CFLAGS@
+
+DEFS=
+
+##DOS##BUILDTOP = ..\..\..\..
+##DOS##PREFIXDIR=hash_provider
+##DOS##OBJFILE=..\$(OUTPRE)hash_pro.lst
+
+PROG_LIBPATH=-L$(TOPLIBD)
+PROG_RPATH=$(KRB5_LIBDIR)
+
+STLIBOBJS= \
+ hash_gen.o \
+ hash_crc32.o \
+ hash_md4.o \
+ hash_md5.o \
+ hash_sha1.o
+
+OBJS= $(OUTPRE)hash_gen.$(OBJEXT) \
+ $(OUTPRE)hash_crc32.$(OBJEXT) \
+ $(OUTPRE)hash_md4.$(OBJEXT) \
+ $(OUTPRE)hash_md5.$(OBJEXT) \
+ $(OUTPRE)hash_sha1.$(OBJEXT)
+
+SRCS= $(srcdir)/hash_gen.c \
+ $(srcdir)/hash_crc32.c \
+ $(srcdir)/hash_md4.c \
+ $(srcdir)/hash_md5.c \
+ $(srcdir)/hash_sha1.c
+
+##DOS##LIBOBJS = $(OBJS)
+
+all-unix:: all-libobjs
+
+includes:: depend
+
+depend:: $(SRCS)
+
+clean-unix:: clean-libobjs
+
+@libobj_frag@
+
--- /dev/null
+#
+# Generated makefile dependencies follow.
+#
+hash_crc32.so hash_crc32.po $(OUTPRE)hash_crc32.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ $(srcdir)/hash_crc32.c \
+ $(srcdir)/hash_provider.h \
+ $(srcdir)/../../krb/crc32/crc-32.h
+hash_md4.so hash_md4.po $(OUTPRE)hash_md4.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ $(srcdir)/hash_md4.c $(srcdir)/hash_provider.h \
+ $(srcdir)/../md4/rsa-md4.h
+hash_md5.so hash_md5.po $(OUTPRE)hash_md5.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ $(srcdir)/hash_md5.c $(srcdir)/hash_provider.h \
+ $(srcdir)/../md5/rsa-md5.h
+hash_sha1.so hash_sha1.po $(OUTPRE)hash_sha1.$(OBJEXT): \
+ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
+ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+ $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ $(srcdir)/hash_provider.h \
+ $(srcdir)/hash_sha1.c $(srcdir)/../sha1/shs.h
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+#include "crc-32.h"
+#include "hash_provider.h"
+#include "aead.h"
+
+static krb5_error_code
+k5_crc32_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
+{
+ unsigned long c;
+ unsigned int i;
+
+ if (output->length != CRC32_CKSUM_LENGTH)
+ return KRB5_CRYPTO_INTERNAL;
+
+ c = 0;
+ for (i=0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+
+ if (SIGN_IOV(iov))
+ mit_crc32(iov->data.data, iov->data.length, &c);
+ }
+
+ store_32_le(c, output->data);
+ return 0;
+}
+
+const struct krb5_hash_provider krb5int_hash_crc32 = {
+ "CRC32",
+ CRC32_CKSUM_LENGTH,
+ 1,
+ k5_crc32_hash
+};
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/crypto/nss/hash_provider/hash_gen.c
+ *
+ * Copyright (c) 2010 Red Hat, Inc.
+ * All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * * Neither the name of Red Hat, Inc., nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "k5-int.h"
+#include "sechash.h"
+#include "nss_gen.h"
+#include "aead.h"
+
+krb5_error_code
+k5_nss_gen_hash(HASH_HashType hashType, const krb5_crypto_iov *data,
+ size_t num_data, krb5_data *output)
+{
+ unsigned int i;
+ HASHContext *ctx;
+ krb5_error_code ret;
+
+ ret = k5_nss_init();
+ if (ret)
+ return ret;
+
+ if (output->length != HASH_ResultLen(hashType))
+ return KRB5_CRYPTO_INTERNAL;
+
+ ctx = HASH_Create(hashType);
+ if (!ctx)
+ return ENOMEM;
+
+ HASH_Begin(ctx);
+ for (i=0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+
+ if (iov->data.length && SIGN_IOV(iov)) {
+ HASH_Update(ctx, (unsigned char *) iov->data.data,
+ iov->data.length);
+ }
+ }
+
+ HASH_End(ctx, (unsigned char *)output->data,
+ &output->length, output->length);
+ HASH_Destroy(ctx);
+
+ return 0;
+}
+
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/crypto/nss/hash_provider/hash_gen.h
+ *
+ * Copyright (c) 2010 Red Hat, Inc.
+ * All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * * Neither the name of Red Hat, Inc., nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "sechash.h"
+#include "k5-int.h"
+
+krb5_error_code k5_nss_gen_hash(HASH_HashType hashType, unsigned int icount,
+ const krb5_data *input, krb5_data *output);
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * Copyright (C) 2010 Red Hat, Inc.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+#include "hash_provider.h"
+#include "rsa-md4.h"
+#include "aead.h"
+
+static krb5_error_code
+k5_md4_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
+{
+ krb5_MD4_CTX ctx;
+ unsigned long i;
+
+ if (output->length != RSA_MD4_CKSUM_LENGTH)
+ return KRB5_CRYPTO_INTERNAL;
+
+ krb5int_MD4Init(&ctx);
+ for (i=0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+
+ if (SIGN_IOV(iov)) {
+ krb5int_MD4Update(&ctx, (unsigned char *)iov->data.data,
+ iov->data.length);
+ }
+ }
+ krb5int_MD4Final(&ctx);
+
+ memcpy(output->data, ctx.digest, RSA_MD4_CKSUM_LENGTH);
+
+ return 0;
+}
+
+const struct krb5_hash_provider krb5int_hash_md4 = {
+ "MD4",
+ RSA_MD4_CKSUM_LENGTH,
+ 64,
+ k5_md4_hash
+};
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/crypto/nss/hash_provider/hash_md5.c
+ *
+ * Copyright (c) 2010 Red Hat, Inc.
+ * All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * * Neither the name of Red Hat, Inc., nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "k5-int.h"
+#include "nss_gen.h"
+#include "hash_provider.h"
+
+static krb5_error_code
+k5_md5_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
+{
+ return k5_nss_gen_hash(HASH_AlgMD5, data, num_data, output);
+}
+
+const struct krb5_hash_provider krb5int_hash_md5 = {
+ "MD5",
+ MD5_LENGTH,
+ 64,
+ k5_md5_hash
+};
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+
+extern const struct krb5_hash_provider krb5int_hash_crc32;
+extern const struct krb5_hash_provider krb5int_hash_md4;
+extern const struct krb5_hash_provider krb5int_hash_md5;
+extern const struct krb5_hash_provider krb5int_hash_sha1;
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/crypto/nss/hash_provider/hash_sha1.c
+ *
+ * Copyright (c) 2010 Red Hat, Inc.
+ * All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * * Neither the name of Red Hat, Inc., nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "k5-int.h"
+#include "nss_gen.h"
+#include "hash_provider.h"
+
+static krb5_error_code
+k5_sha1_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
+{
+ return k5_nss_gen_hash(HASH_AlgSHA1, data, num_data, output);
+}
+
+const struct krb5_hash_provider krb5int_hash_sha1 = {
+ "SHA1",
+ SHA1_LENGTH,
+ 64,
+ k5_sha1_hash
+};
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/crypto/nss/hmac.c
+ *
+ * Copyright (c) 2010 Red Hat, Inc.
+ * All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * * Neither the name of Red Hat, Inc., nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "k5-int.h"
+#include "aead.h"
+#include "nss_gen.h"
+#include "pk11pub.h"
+
+/*
+ * the HMAC transform looks like:
+ *
+ * H(K XOR opad, H(K XOR ipad, text))
+ *
+ * where H is a cryptographic hash
+ * K is an n byte key
+ * ipad is the byte 0x36 repeated blocksize times
+ * opad is the byte 0x5c repeated blocksize times
+ * and text is the data being protected
+ */
+
+static CK_MECHANISM_TYPE
+digest_to_hmac(const struct krb5_hash_provider *hash)
+{
+ /* use strcmp so we don't confuse SHA1 with SHA128 */
+ /* handle the obvious cases first */
+ if (!strcmp(hash->hash_name, "SHA1"))
+ return CKM_SHA_1_HMAC;
+ if (!strcmp(hash->hash_name, "MD5"))
+ return CKM_MD5_HMAC;
+ return CKM_INVALID_MECHANISM;
+}
+
+krb5_error_code
+krb5int_hmac(const struct krb5_hash_provider *hash, krb5_key key,
+ const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
+{
+ unsigned int i = 0;
+ CK_MECHANISM_TYPE mech;
+ PK11Context *ctx = NULL;
+ krb5_error_code ret = 0;
+ SECStatus rv;
+ SECItem param;
+
+ if (output->length < hash->hashsize)
+ return KRB5_BAD_MSIZE;
+
+ mech = digest_to_hmac(hash);
+ if (mech == CKM_INVALID_MECHANISM)
+ return KRB5_CRYPTO_INTERNAL; /* unsupported alg */
+
+ ret = k5_nss_gen_import(key, mech, CKA_SIGN);
+ if (ret != 0)
+ return ret;
+
+ param.data = NULL;
+ param.len = 0;
+ ctx = k5_nss_create_context(key, mech, CKA_SIGN, ¶m);
+ if (ctx == NULL)
+ goto fail;
+
+ rv = PK11_DigestBegin(ctx);
+ if (rv != SECSuccess)
+ goto fail;
+
+ for (i=0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
+
+ if (iov->data.length && SIGN_IOV(iov)) {
+ rv = PK11_DigestOp(ctx,(const unsigned char*)iov->data.data,
+ iov->data.length);
+ if (rv != SECSuccess)
+ goto fail;
+ }
+
+ }
+ rv = PK11_DigestFinal(ctx, (unsigned char *) output->data, &output->length,
+ output->length);
+ if (rv != SECSuccess)
+ goto fail;
+ PK11_DestroyContext(ctx, PR_TRUE);
+ return 0;
+fail:
+ ret = k5_nss_map_last_error();
+ if (ctx)
+ PK11_DestroyContext(ctx, PR_TRUE);
+ return ret;
+}
+
+krb5_error_code
+krb5int_hmac_keyblock(const struct krb5_hash_provider *hash,
+ const krb5_keyblock *keyblock,
+ const krb5_crypto_iov *data, size_t num_data,
+ krb5_data *output)
+{
+ krb5_key key;
+ krb5_error_code code;
+
+ if (keyblock->length > hash->blocksize)
+ return KRB5_CRYPTO_INTERNAL;
+
+ memset(&key, 0, sizeof(key));
+
+ code = krb5_k_create_key(NULL, keyblock, &key);
+ if (code)
+ return code;
+ code = krb5int_hmac(hash, key, data, num_data, output);
+ krb5_k_free_key(NULL, key);
+ return code;
+}
--- /dev/null
+mydir=lib/crypto/nss/md4
+BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
+LOCALINCLUDES = -I$(srcdir)
+DEFS=
+
+##DOS##BUILDTOP = ..\..\..\..
+##DOS##PREFIXDIR=md4
+##DOS##OBJFILE=..\$(OUTPRE)md4.lst
+
+PROG_LIBPATH=-L$(TOPLIBD)
+PROG_RPATH=$(KRB5_LIBDIR)
+
+STLIBOBJS= md4.o
+
+OBJS= $(OUTPRE)md4.$(OBJEXT)
+
+SRCS= $(srcdir)/md4.c
+
+##DOS##LIBOBJS = $(OBJS)
+
+all-unix:: all-libobjs
+
+includes:: depend
+
+depend:: $(SRCS)
+
+
+check-unix::
+
+check-windows::
+
+clean::
+
+clean-unix:: clean-libobjs
+
+@libobj_frag@
+
--- /dev/null
+#
+# Generated makefile dependencies follow.
+#
+md4.so md4.po $(OUTPRE)md4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
+ $(top_srcdir)/include/socket-utils.h md4.c rsa-md4.h
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * lib/crypto/md4/md4.c
+ */
+
+/*
+**********************************************************************
+** md4.c **
+** RSA Data Security, Inc. MD4 Message Digest Algorithm **
+** Created: 2/17/90 RLR **
+** Revised: 1/91 SRD,AJ,BSK,JT Reference C Version **
+**********************************************************************
+*/
+
+/*
+**********************************************************************
+** Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. **
+** **
+** License to copy and use this software is granted provided that **
+** it is identified as the "RSA Data Security, Inc. MD4 Message **
+** Digest Algorithm" in all material mentioning or referencing this **
+** software or this function. **
+** **
+** License is also granted to make and use derivative works **
+** provided that such works are identified as "derived from the RSA **
+** Data Security, Inc. MD4 Message Digest Algorithm" in all **
+** material mentioning or referencing the derived work. **
+** **
+** RSA Data Security, Inc. makes no representations concerning **
+** either the merchantability of this software or the suitability **
+** of this software for any particular purpose. It is provided "as **
+** is" without express or implied warranty of any kind. **
+** **
+** These notices must be retained in any copies of any part of this **
+** documentation and/or software. **
+**********************************************************************
+*/
+
+#include "k5-int.h"
+#include "rsa-md4.h"
+
+/* forward declaration */
+static void Transform (krb5_ui_4 *, krb5_ui_4 *);
+
+static const unsigned char PADDING[64] = {
+ 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+/* F, G and H are basic MD4 functions: selection, majority, parity */
+#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
+#define G(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
+#define H(x, y, z) ((x) ^ (y) ^ (z))
+
+/* ROTATE_LEFT rotates x left n bits */
+#define ROTATE_LEFT(x, n) ((((x) << (n)) & 0xffffffff) | ((x) >> (32-(n))))
+
+/* FF, GG and HH are MD4 transformations for rounds 1, 2 and 3 */
+/* Rotation is separate from addition to prevent recomputation */
+#define FF(a, b, c, d, x, s) \
+ {(a) += F ((b), (c), (d)) + (x); \
+ (a) &= 0xffffffff; \
+ (a) = ROTATE_LEFT ((a), (s));}
+#define GG(a, b, c, d, x, s) \
+ {(a) += G ((b), (c), (d)) + (x) + 013240474631UL; \
+ (a) &= 0xffffffff; \
+ (a) = ROTATE_LEFT ((a), (s));}
+#define HH(a, b, c, d, x, s) \
+ {(a) += H ((b), (c), (d)) + (x) + 015666365641UL; \
+ (a) &= 0xffffffff; \
+ (a) = ROTATE_LEFT ((a), (s));}
+
+void
+krb5int_MD4Init (krb5_MD4_CTX *mdContext)
+{
+ mdContext->i[0] = mdContext->i[1] = (krb5_ui_4)0;
+
+ /* Load magic initialization constants.
+ */
+ mdContext->buf[0] = 0x67452301UL;
+ mdContext->buf[1] = 0xefcdab89UL;
+ mdContext->buf[2] = 0x98badcfeUL;
+ mdContext->buf[3] = 0x10325476UL;
+}
+
+void
+krb5int_MD4Update (krb5_MD4_CTX *mdContext, const unsigned char *inBuf, unsigned int inLen)
+{
+ krb5_ui_4 in[16];
+ int mdi;
+ unsigned int i, ii;
+
+ /* compute number of bytes mod 64 */
+ mdi = (int)((mdContext->i[0] >> 3) & 0x3F);
+
+ /* update number of bits */
+ if ((mdContext->i[0] + ((krb5_ui_4)inLen << 3)) < mdContext->i[0])
+ mdContext->i[1]++;
+ mdContext->i[0] += ((krb5_ui_4)inLen << 3);
+ mdContext->i[1] += ((krb5_ui_4)inLen >> 29);
+
+ while (inLen--) {
+ /* add new character to buffer, increment mdi */
+ mdContext->in[mdi++] = *inBuf++;
+
+ /* transform if necessary */
+ if (mdi == 0x40) {
+ for (i = 0, ii = 0; i < 16; i++, ii += 4) {
+ in[i] = load_32_le(mdContext->in+ii);
+ }
+ Transform (mdContext->buf, in);
+ mdi = 0;
+ }
+ }
+}
+
+void
+krb5int_MD4Final (krb5_MD4_CTX *mdContext)
+{
+ krb5_ui_4 in[16];
+ int mdi;
+ unsigned int i, ii;
+ unsigned int padLen;
+
+ /* save number of bits */
+ in[14] = mdContext->i[0];
+ in[15] = mdContext->i[1];
+
+ /* compute number of bytes mod 64 */
+ mdi = (int)((mdContext->i[0] >> 3) & 0x3F);
+
+ /* pad out to 56 mod 64 */
+ padLen = (mdi < 56) ? (56 - mdi) : (120 - mdi);
+ krb5int_MD4Update (mdContext, PADDING, padLen);
+
+ /* append length in bits and transform */
+ for (i = 0, ii = 0; i < 14; i++, ii += 4)
+ in[i] = load_32_le(mdContext->in+ii);
+ Transform (mdContext->buf, in);
+
+
+ /* store buffer in digest */
+ for (i = 0, ii = 0; i < 4; i++, ii += 4) {
+ store_32_le(mdContext->buf[i], mdContext->digest+ii);
+ }
+}
+
+/* Basic MD4 step. Transform buf based on in.
+ */
+static void Transform (krb5_ui_4 *buf, krb5_ui_4 *in)
+{
+ register krb5_ui_4 a = buf[0], b = buf[1], c = buf[2], d = buf[3];
+
+#if defined(CONFIG_SMALL) && !defined(CONFIG_SMALL_NO_CRYPTO)
+ int i;
+#define ROTATE { krb5_ui_4 temp; temp = d, d = c, c = b, b = a, a = temp; }
+ for (i = 0; i < 16; i++) {
+ static const unsigned char round1consts[] = { 3, 7, 11, 19, };
+ FF (a, b, c, d, in[i], round1consts[i%4]); ROTATE;
+ }
+ for (i = 0; i < 16; i++) {
+ static const unsigned char round2indices[] = {
+ 0,4,8,12,1,5,9,13,2,6,10,14,3,7,11,15
+ };
+ static const unsigned char round2consts[] = { 3, 5, 9, 13 };
+ GG (a, b, c, d, in[round2indices[i]], round2consts[i%4]); ROTATE;
+ }
+ for (i = 0; i < 16; i++) {
+ static const unsigned char round3indices[] = {
+ 0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15
+ };
+ static const unsigned char round3consts[] = { 3, 9, 11, 15 };
+ HH (a, b, c, d, in[round3indices[i]], round3consts[i%4]); ROTATE;
+ }
+#else
+ /* Round 1 */
+ FF (a, b, c, d, in[ 0], 3);
+ FF (d, a, b, c, in[ 1], 7);
+ FF (c, d, a, b, in[ 2], 11);
+ FF (b, c, d, a, in[ 3], 19);
+ FF (a, b, c, d, in[ 4], 3);
+ FF (d, a, b, c, in[ 5], 7);
+ FF (c, d, a, b, in[ 6], 11);
+ FF (b, c, d, a, in[ 7], 19);
+ FF (a, b, c, d, in[ 8], 3);
+ FF (d, a, b, c, in[ 9], 7);
+ FF (c, d, a, b, in[10], 11);
+ FF (b, c, d, a, in[11], 19);
+ FF (a, b, c, d, in[12], 3);
+ FF (d, a, b, c, in[13], 7);
+ FF (c, d, a, b, in[14], 11);
+ FF (b, c, d, a, in[15], 19);
+
+ /* Round 2 */
+ GG (a, b, c, d, in[ 0], 3);
+ GG (d, a, b, c, in[ 4], 5);
+ GG (c, d, a, b, in[ 8], 9);
+ GG (b, c, d, a, in[12], 13);
+ GG (a, b, c, d, in[ 1], 3);
+ GG (d, a, b, c, in[ 5], 5);
+ GG (c, d, a, b, in[ 9], 9);
+ GG (b, c, d, a, in[13], 13);
+ GG (a, b, c, d, in[ 2], 3);
+ GG (d, a, b, c, in[ 6], 5);
+ GG (c, d, a, b, in[10], 9);
+ GG (b, c, d, a, in[14], 13);
+ GG (a, b, c, d, in[ 3], 3);
+ GG (d, a, b, c, in[ 7], 5);
+ GG (c, d, a, b, in[11], 9);
+ GG (b, c, d, a, in[15], 13);
+
+ /* Round 3 */
+ HH (a, b, c, d, in[ 0], 3);
+ HH (d, a, b, c, in[ 8], 9);
+ HH (c, d, a, b, in[ 4], 11);
+ HH (b, c, d, a, in[12], 15);
+ HH (a, b, c, d, in[ 2], 3);
+ HH (d, a, b, c, in[10], 9);
+ HH (c, d, a, b, in[ 6], 11);
+ HH (b, c, d, a, in[14], 15);
+ HH (a, b, c, d, in[ 1], 3);
+ HH (d, a, b, c, in[ 9], 9);
+ HH (c, d, a, b, in[ 5], 11);
+ HH (b, c, d, a, in[13], 15);
+ HH (a, b, c, d, in[ 3], 3);
+ HH (d, a, b, c, in[11], 9);
+ HH (c, d, a, b, in[ 7], 11);
+ HH (b, c, d, a, in[15], 15);
+#endif
+
+ buf[0] += a;
+ buf[1] += b;
+ buf[2] += c;
+ buf[3] += d;
+}
+
+/*
+**********************************************************************
+** End of md4.c **
+******************************* (cut) ********************************
+*/
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * lib/crypto/md4/rsa-md4.h
+ *
+ * Copyright 1991 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * RSA MD4 header file, with Kerberos/STDC additions.
+ */
+
+#ifndef __KRB5_RSA_MD4_H__
+#define __KRB5_RSA_MD4_H__
+
+#ifdef unicos61
+#include <sys/types.h>
+#endif /* unicos61 */
+
+/* 16 u_char's in the digest */
+#define RSA_MD4_CKSUM_LENGTH 16
+/* des blocksize is 8, so this works nicely... */
+#define OLD_RSA_MD4_DES_CKSUM_LENGTH 16
+#define NEW_RSA_MD4_DES_CKSUM_LENGTH 24
+#define RSA_MD4_DES_CONFOUND_LENGTH 8
+
+/*
+**********************************************************************
+** md4.h -- Header file for implementation of MD4 **
+** RSA Data Security, Inc. MD4 Message Digest Algorithm **
+** Created: 2/17/90 RLR **
+** Revised: 12/27/90 SRD,AJ,BSK,JT Reference C version **
+**********************************************************************
+*/
+
+/*
+**********************************************************************
+** Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. **
+** **
+** License to copy and use this software is granted provided that **
+** it is identified as the "RSA Data Security, Inc. MD4 Message **
+** Digest Algorithm" in all material mentioning or referencing this **
+** software or this function. **
+** **
+** License is also granted to make and use derivative works **
+** provided that such works are identified as "derived from the RSA **
+** Data Security, Inc. MD4 Message Digest Algorithm" in all **
+** material mentioning or referencing the derived work. **
+** **
+** RSA Data Security, Inc. makes no representations concerning **
+** either the merchantability of this software or the suitability **
+** of this software for any particular purpose. It is provided "as **
+** is" without express or implied warranty of any kind. **
+** **
+** These notices must be retained in any copies of any part of this **
+** documentation and/or software. **
+**********************************************************************
+*/
+
+/* Data structure for MD4 (Message Digest) computation */
+typedef struct {
+ krb5_ui_4 i[2]; /* number of _bits_ handled mod 2^64 */
+ krb5_ui_4 buf[4]; /* scratch buffer */
+ unsigned char in[64]; /* input buffer */
+ unsigned char digest[16]; /* actual digest after MD4Final call */
+} krb5_MD4_CTX;
+
+extern void krb5int_MD4Init(krb5_MD4_CTX *);
+extern void krb5int_MD4Update(krb5_MD4_CTX *, const unsigned char *, unsigned int);
+extern void krb5int_MD4Final(krb5_MD4_CTX *);
+
+/*
+**********************************************************************
+** End of md4.h **
+******************************* (cut) ********************************
+*/
+#endif /* __KRB5_RSA_MD4_H__ */
--- /dev/null
+mydir=lib/crypto/nss/md5
+BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
+DEFS=
+
+##DOS##BUILDTOP = ..\..\..\..
+##DOS##PREFIXDIR=md5
+##DOS##OBJFILE=..\$(OUTPRE)md5.lst
+
+PROG_LIBPATH=-L$(TOPLIBD)
+PROG_RPATH=$(KRB5_LIBDIR)
+LOCALINCLUDES = -I$(srcdir)/.. @CRYPTO_IMPL_CFLAGS@
+
+
+STLIBOBJS= md5.o
+
+OBJS= $(OUTPRE)md5.$(OBJEXT)
+
+SRCS= $(srcdir)/md5.c
+
+##DOS##LIBOBJS = $(OBJS)
+
+all-unix:: all-libobjs
+
+includes:: depend
+
+depend:: $(SRCS)
+
+check-unix::
+
+check-windows::
+
+clean::
+
+clean-unix:: clean-libobjs
+
+@libobj_frag@
+
--- /dev/null
+#
+# Generated makefile dependencies follow.
+#
+md5.so md5.po $(OUTPRE)md5.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
+ $(top_srcdir)/include/socket-utils.h $(srcdir)/md5.c \
+ $(srcdir)/rsa-md5.h
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/crypto/nss/md5/md5.c
+ *
+ * Copyright (c) 2010 Red Hat, Inc.
+ * All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * * Neither the name of Red Hat, Inc., nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "k5-int.h"
+#include "rsa-md5.h"
+#include "pk11pub.h"
+#include "nss_gen.h"
+
+
+/* Initialize the message-digest context mdContext. */
+void
+krb5int_MD5Init(krb5_MD5_CTX *mdContext)
+{
+ if (k5_nss_init()) {
+ mdContext->nss_ctxt = NULL;
+ return;
+ }
+ mdContext->nss_ctxt = PK11_CreateDigestContext(SEC_OID_MD5);
+ if (mdContext->nss_ctxt == NULL)
+ return;
+ PK11_DigestBegin((PK11Context *)mdContext->nss_ctxt);
+}
+
+/*
+ * Update the message-digest context to account for the presence of each of the
+ * characters inBuf[0..inLen-1] in the message whose digest is being computed.
+ */
+void
+krb5int_MD5Update(krb5_MD5_CTX *mdContext, const unsigned char *inBuf,
+ unsigned int inLen)
+{
+ if (mdContext->nss_ctxt == NULL)
+ return;
+ PK11_DigestOp((PK11Context *)mdContext->nss_ctxt, inBuf, inLen);
+}
+
+/* Terminate the message-digest computation and end with the desired message
+ * digest in mdContext->digest[0...15]. */
+void
+krb5int_MD5Final(krb5_MD5_CTX *mdContext)
+{
+ unsigned int digestLength;
+
+ if (mdContext->nss_ctxt == NULL)
+ return;
+ PK11_DigestFinal((PK11Context *)mdContext->nss_ctxt, mdContext->digest,
+ &digestLength, sizeof (mdContext->digest));
+ /* since there is not separate cleanup step, free the context now.
+ * (otherwise we could have reused the context for another MD5 operation
+ * in the future).
+ */
+ PK11_DestroyContext((PK11Context *)mdContext->nss_ctxt, PR_TRUE);
+ mdContext->nss_ctxt = NULL;
+}
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/crypto/openssl/md5/rsa-md5.h
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/*
+ ***********************************************************************
+ ** md5.h -- header file for implementation of MD5 **
+ ** RSA Data Security, Inc. MD5 Message-Digest Algorithm **
+ ** Created: 2/17/90 RLR **
+ ** Revised: 12/27/90 SRD,AJ,BSK,JT Reference C version **
+ ** Revised (for MD5): RLR 4/27/91 **
+ ** -- G modified to have y&~z instead of y&z **
+ ** -- FF, GG, HH modified to add in last register done **
+ ** -- Access pattern: round 2 works mod 5, round 3 works mod 3 **
+ ** -- distinct additive constant for each step **
+ ** -- round 4 added, working mod 7 **
+ ***********************************************************************
+ */
+
+/*
+ ***********************************************************************
+ ** Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. **
+ ** **
+ ** License to copy and use this software is granted provided that **
+ ** it is identified as the "RSA Data Security, Inc. MD5 Message- **
+ ** Digest Algorithm" in all material mentioning or referencing this **
+ ** software or this function. **
+ ** **
+ ** License is also granted to make and use derivative works **
+ ** provided that such works are identified as "derived from the RSA **
+ ** Data Security, Inc. MD5 Message-Digest Algorithm" in all **
+ ** material mentioning or referencing the derived work. **
+ ** **
+ ** RSA Data Security, Inc. makes no representations concerning **
+ ** either the merchantability of this software or the suitability **
+ ** of this software for any particular purpose. It is provided "as **
+ ** is" without express or implied warranty of any kind. **
+ ** **
+ ** These notices must be retained in any copies of any part of this **
+ ** documentation and/or software. **
+ ***********************************************************************
+ */
+
+
+#ifndef KRB5_RSA_MD5__
+#define KRB5_RSA_MD5__
+
+/* Data structure for MD5 (Message-Digest) computation */
+typedef struct {
+ void *nss_ctxt;
+ krb5_int32 * digest_len;
+ krb5_ui_4 i[2]; /* number of _bits_ handled mod 2^64 */
+ krb5_ui_4 buf[4]; /* scratch buffer */
+ unsigned char in[64]; /* input buffer */
+ unsigned char digest[16]; /* actual digest after MD5Final call */
+} krb5_MD5_CTX;
+
+extern void krb5int_MD5Init(krb5_MD5_CTX *);
+extern void krb5int_MD5Update(krb5_MD5_CTX *, const unsigned char *,
+ unsigned int);
+extern void krb5int_MD5Final(krb5_MD5_CTX *);
+
+#define RSA_MD5_CKSUM_LENGTH 16
+#define OLD_RSA_MD5_DES_CKSUM_LENGTH 16
+#define NEW_RSA_MD5_DES_CKSUM_LENGTH 24
+#define RSA_MD5_DES_CONFOUND_LENGTH 8
+
+#endif /* KRB5_RSA_MD5__ */
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/crypto/nss/nss_gen.h
+ *
+ * Copyright (c) 2010 Red Hat, Inc.
+ * All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * * Neither the name of Red Hat, Inc., nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "k5-int.h"
+#include "pkcs11t.h"
+#include "sechash.h"
+#include "secmodt.h"
+
+/* 512 bits is bigger than anything defined to date */
+#define MAX_KEY_LENGTH 64
+#define MAX_BLOCK_SIZE 64
+
+/*
+ * Common nss utils
+ */
+
+/* Make sure NSS is properly initialized. */
+krb5_error_code k5_nss_init(void);
+
+/* Import a key into NSS and store the handle in krb5_key. */
+krb5_error_code
+k5_nss_gen_import(krb5_key key, CK_MECHANISM_TYPE mech,
+ CK_ATTRIBUTE_TYPE operation);
+
+/* Clean up an imported key. */
+void
+k5_nss_gen_cleanup(krb5_key key);
+
+/* Create a new crypto/hash/sign context from a krb5_key. */
+PK11Context *
+k5_nss_create_context(krb5_key krb_key, CK_MECHANISM_TYPE mechanism,
+ CK_ATTRIBUTE_TYPE operation, SECItem * param);
+
+/* Map an NSS error into a krb5_error_code. */
+krb5_error_code k5_nss_map_error(int nss_error);
+krb5_error_code k5_nss_map_last_error(void);
+
+
+/*
+ * Common encryption functions
+ */
+
+/* Encrypt/decrypt block modes except cts using iov. */
+krb5_error_code
+k5_nss_gen_block_iov(krb5_key key, CK_MECHANISM_TYPE mech,
+ CK_ATTRIBUTE_TYPE operation, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data);
+
+/* Encrypt/decrypt stream modes using iov. */
+krb5_error_code
+k5_nss_gen_stream_iov(krb5_key key, krb5_data *state, CK_MECHANISM_TYPE mech,
+ CK_ATTRIBUTE_TYPE operation, krb5_crypto_iov *data,
+ size_t num_data);
+
+/* Encrypt/decrypt block modes using cts. */
+krb5_error_code
+k5_nss_gen_cts_iov(krb5_key key, CK_MECHANISM_TYPE mech,
+ CK_ATTRIBUTE_TYPE operation, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data);
+
+/* Stream state management calls. */
+krb5_error_code k5_nss_stream_init_state(krb5_data *new_state);
+krb5_error_code k5_nss_stream_free_state(krb5_data *state);
+
+/*
+ * Common hash functions
+ */
+
+/* All hash modes. */
+krb5_error_code
+k5_nss_gen_hash(HASH_HashType hashType, const krb5_crypto_iov *data,
+ size_t num_data, krb5_data *output);
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/crypto/nss/pbkdf2.c
+ *
+ * Copyright (c) 2010 Red Hat, Inc.
+ * All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * * Neither the name of Red Hat, Inc., nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <ctype.h>
+#include "k5-int.h"
+#include "hash_provider.h"
+#include "pk11pub.h"
+#include "nss_gen.h"
+
+
+krb5_error_code
+krb5int_pbkdf2_hmac_sha1(const krb5_data *out, unsigned long count,
+ const krb5_data *pass, const krb5_data *salt)
+{
+
+ PK11SlotInfo *slot = NULL;
+ SECAlgorithmID *algid = NULL;
+ PK11SymKey *symKey = NULL;
+ SECItem saltItem, pwItem;
+ const SECItem *keydata = NULL;
+ SECOidTag pbeAlg = SEC_OID_PKCS5_PBKDF2;
+ SECOidTag cipherAlg = SEC_OID_AES_256_CBC;
+ SECOidTag prfAlg = SEC_OID_HMAC_SHA1;
+ krb5_error_code ret;
+
+ ret = k5_nss_init();
+ if (ret)
+ return ret;
+
+ slot = PK11_GetBestSlot(PK11_AlgtagToMechanism(pbeAlg), NULL);
+ if (slot == NULL)
+ return k5_nss_map_last_error();
+
+ saltItem.type = siBuffer;
+ saltItem.data = (unsigned char *)salt->data;
+ saltItem.len = salt->length;
+
+ /* PKCS 5 was designed to be DER encoded. Algid's carry all the
+ * information needed to describe the encoding the the recipient.
+ * This usually allows for crypto agility in the protocol automatically.
+ * Kerberos already had to solve it's crypto agility issues, so the
+ * algid is just and extra step we need that we will throw away */
+ algid = PK11_CreatePBEV2AlgorithmID(pbeAlg, cipherAlg, prfAlg,
+ out->length, count, &saltItem);
+ if (algid == NULL) {
+ ret = k5_nss_map_last_error();
+ goto loser;
+ }
+
+ pwItem.type = siBuffer;
+ pwItem.data = (unsigned char *)pass->data;
+ pwItem.len = pass->length;
+
+ symKey = PK11_PBEKeyGen(slot, algid, &pwItem, PR_FALSE, NULL);
+ if (symKey == NULL) {
+ ret = k5_nss_map_last_error();
+ goto loser;
+ }
+
+ /* At this point we should return symKey as a key, but kerberos is
+ * still passing bits around instead of key handles. */
+ PK11_ExtractKeyValue(symKey);
+
+ /* keydata here is a const * and is valid as long as the key has not been
+ * destroyed. */
+ keydata = PK11_GetKeyData(symKey);
+ if (keydata == NULL) {
+ ret = k5_nss_map_last_error();
+ goto loser;
+ }
+
+ if (out->length != keydata->len) {
+ ret = -1; /* XXXXX */
+ goto loser;
+ }
+ memcpy(out->data, keydata->data, keydata->len);
+ ret = 0;
+
+loser:
+ if (symKey)
+ PK11_FreeSymKey(symKey);
+ if (algid)
+ SECOID_DestroyAlgorithmID(algid, PR_TRUE);
+ if (slot)
+ PK11_FreeSlot(slot);
+
+ return ret;
+}
--- /dev/null
+mydir=lib/crypto/nss/sha1
+BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
+DEFS=
+LOCALINCLUDES = -I$(srcdir)/.. @CRYPTO_IMPL_CFLAGS@
+
+##DOS##BUILDTOP = ..\..\..\..
+##DOS##PREFIXDIR=sha1
+##DOS##OBJFILE=..\$(OUTPRE)sha1.lst
+
+PROG_LIBPATH=-L$(TOPLIBD)
+PROG_RPATH=$(KRB5_LIBDIR)
+
+STLIBOBJS= shs.o
+
+OBJS= $(OUTPRE)shs.$(OBJEXT)
+
+SRCS= $(srcdir)/shs.c
+
+##DOS##LIBOBJS = $(OBJS)
+
+all-unix:: all-libobjs
+
+includes:: depend
+
+depend:: $(SRCS)
+
+clean::
+
+clean-unix:: clean-libobjs
+
+@libobj_frag@
+
--- /dev/null
+#
+# Generated makefile dependencies follow.
+#
+shs.so shs.po $(OUTPRE)shs.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
+ $(top_srcdir)/include/socket-utils.h $(srcdir)/shs.c \
+ $(srcdir)/shs.h
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/crypto/nss/sha1/shs.c
+ *
+ * Copyright (c) 2010 Red Hat, Inc.
+ * All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * * Neither the name of Red Hat, Inc., nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "k5-int.h"
+#include "shs.h"
+#include "pk11pub.h"
+#include "nss_gen.h"
+
+/* Initialize the SHS values */
+void shsInit(SHS_INFO *shsInfo)
+{
+ if (k5_nss_init()) {
+ shsInfo->nss_ctxt = NULL;
+ return;
+ }
+ shsInfo->nss_ctxt = PK11_CreateDigestContext(SEC_OID_SHA1);
+ if (shsInfo->nss_ctxt == NULL)
+ return;
+ PK11_DigestBegin((PK11Context *)shsInfo->nss_ctxt);
+}
+
+/* Update SHS for a block of data */
+void shsUpdate(SHS_INFO *shsInfo, const SHS_BYTE *buffer, unsigned int count)
+{
+ if (shsInfo->nss_ctxt == NULL)
+ return;
+ PK11_DigestOp((PK11Context *)shsInfo->nss_ctxt, buffer, count);
+}
+
+
+/* Final wrapup - pad to SHS_DATASIZE-byte boundary with the bit pattern
+ * 1 0* (64-bit count of bits processed, MSB-first) */
+void shsFinal(SHS_INFO *shsInfo)
+{
+ if (shsInfo->nss_ctxt == NULL)
+ return;
+ PK11_DigestFinal((PK11Context *)shsInfo->nss_ctxt, shsInfo->digestBuf,
+ &shsInfo->digestLen, sizeof (shsInfo->digestBuf));
+ /* Since there is not separate cleanup step, free the context now.
+ * (otherwise we could have reused the context for another MD5 operation
+ * in the future).
+ */
+ PK11_DestroyContext((PK11Context *)shsInfo->nss_ctxt, PR_TRUE);
+ shsInfo->nss_ctxt = NULL;
+}
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+#ifndef _SHS_DEFINED
+
+#include "k5-int.h"
+
+#define _SHS_DEFINED
+
+/* Some useful types */
+
+typedef krb5_octet SHS_BYTE;
+typedef krb5_ui_4 SHS_LONG;
+
+/* Define the following to use the updated SHS implementation */
+#define NEW_SHS /**/
+
+/* The SHS block size and message digest sizes, in bytes */
+
+#define SHS_DATASIZE 64
+#define SHS_DIGESTSIZE 20
+
+/* The structure for storing SHS info */
+
+typedef struct {
+ void *nss_ctxt;
+ unsigned char digestBuf[SHS_DIGESTSIZE]; /* output */
+ unsigned int digestLen; /* output */
+} SHS_INFO;
+
+/* Message digest functions (shs.c) */
+void shsInit(SHS_INFO *shsInfo);
+void shsUpdate(SHS_INFO *shsInfo, const SHS_BYTE *buffer, unsigned int count);
+void shsFinal(SHS_INFO *shsInfo);
+
+
+/* Keyed Message digest functions (hmac_sha.c) */
+krb5_error_code hmac_sha(krb5_octet *text,
+ int text_len,
+ krb5_octet *key,
+ int key_len,
+ krb5_octet *digest);
+
+
+#define NIST_SHA_CKSUM_LENGTH SHS_DIGESTSIZE
+#define HMAC_SHA_CKSUM_LENGTH SHS_DIGESTSIZE
+
+#endif /* _SHS_DEFINED */
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/crypto/openssl/hash/yhash.h
+ */
+
+#ifndef YHASH_H
+#define YHASH_H
+
+/* hash function interface */
+
+/* default to SHA1 for yarrow 160 */
+
+#include "shs.h"
+
+
+#define HASH_CTX SHS_INFO
+#define HASH_Init(x) shsInit(x)
+#define HASH_Update(x, buf, sz) shsUpdate(x, (const void*)buf, sz)
+
+#define HASH_Final(x, tdigest) do { \
+ int loopvar; \
+ unsigned char *out2 = (void *)(tdigest); \
+ HASH_CTX *ctx = (x); \
+ shsFinal(ctx); \
+ memcpy(out2, ctx->digestBuf, ctx->digestLen); \
+ } while(0)
+
+#define HASH_DIGEST_SIZE SHS_DIGESTSIZE
+
+#endif /* YHASH_H */
STLIBOBJS=\
hmac.o \
- pbkdf2.o
+ init.o \
+ pbkdf2.o
OBJS=\
$(OUTPRE)hmac.$(OBJEXT) \
- $(OUTPRE)pbkdf2.$(OBJEXT)
+ $(OUTPRE)init.$(OBJEXT) \
+ $(OUTPRE)pbkdf2.$(OBJEXT)
SRCS=\
$(srcdir)/hmac.c \
+ $(srcdir)/init.c \
$(srcdir)/pbkdf2.c
STOBJLISTS= des/OBJS.ST md4/OBJS.ST \
--- /dev/null
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * lib/crypto/openssl/init.c
+ *
+ * Copyright (C) 2010 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * OpenSSL back-end library init functions
+ */
+
+int
+krb5int_crypto_impl_init(void)
+{
+ return 0;
+}
+
+void
+krb5int_crypto_impl_cleanup(void)
+{
+}