diff options
| author | Greg Hudson <ghudson@mit.edu> | 2010-08-21 12:43:48 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2010-08-21 12:43:48 +0000 |
| commit | 28880c01c813e0ea27dadf1baef845a031893e03 (patch) | |
| tree | 3ffe3d07ddf010ca046fde0f043ce468a94cf980 | |
| parent | 4014f2639e99069f86931f038b051cc1440f7fa8 (diff) | |
| download | krb5-28880c01c813e0ea27dadf1baef845a031893e03.zip krb5-28880c01c813e0ea27dadf1baef845a031893e03.tar.gz krb5-28880c01c813e0ea27dadf1baef845a031893e03.tar.bz2 | |
Style pass over the NSS back end
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/nss@24248 dc483132-0cff-0310-8789-dd5450dbe970
24 files changed, 627 insertions, 664 deletions
diff --git a/src/lib/crypto/nss/des/des_int.h b/src/lib/crypto/nss/des/des_int.h index 84d678c..eb17eb9 100644 --- a/src/lib/crypto/nss/des/des_int.h +++ b/src/lib/crypto/nss/des/des_int.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/crypto/des/des_int.h * @@ -53,7 +54,7 @@ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ -/* only do the whole thing once */ +/* only do the whole thing once */ #ifndef DES_INTERNAL_DEFS #define DES_INTERNAL_DEFS @@ -91,7 +92,7 @@ #define DES_UINT32 unsigned long #endif -typedef unsigned char des_cblock[8] /* crypto-block size */ +typedef unsigned char des_cblock[8] /* crypto-block size */ KRB5INT_DES_DEPRECATED; /* @@ -119,11 +120,11 @@ typedef des_cblock mit_des_cblock; typedef des_key_schedule mit_des_key_schedule; /* Triple-DES structures */ -typedef mit_des_cblock mit_des3_cblock[3]; -typedef mit_des_key_schedule mit_des3_key_schedule[3]; +typedef mit_des_cblock mit_des3_cblock[3]; +typedef mit_des_key_schedule mit_des3_key_schedule[3]; -#define MIT_DES_ENCRYPT 1 -#define MIT_DES_DECRYPT 0 +#define MIT_DES_ENCRYPT 1 +#define MIT_DES_DECRYPT 0 typedef struct mit_des_ran_key_seed { krb5_encrypt_block eblock; @@ -132,22 +133,22 @@ typedef struct mit_des_ran_key_seed { /* the first byte of the key is already in the keyblock */ -#define MIT_DES_BLOCK_LENGTH (8*sizeof(krb5_octet)) -#define MIT_DES_CBC_CRC_PAD_MINIMUM CRC32_CKSUM_LENGTH +#define MIT_DES_BLOCK_LENGTH (8*sizeof(krb5_octet)) +#define MIT_DES_CBC_CRC_PAD_MINIMUM CRC32_CKSUM_LENGTH /* This used to be 8*sizeof(krb5_octet) */ -#define MIT_DES_KEYSIZE 8 +#define MIT_DES_KEYSIZE 8 -#define MIT_DES_CBC_CKSUM_LENGTH (4*sizeof(krb5_octet)) +#define MIT_DES_CBC_CKSUM_LENGTH (4*sizeof(krb5_octet)) /* * Check if k5-int.h has been included before us. If so, then check to see * that our view of the DES key size is the same as k5-int.h's. */ -#ifdef KRB5_MIT_DES_KEYSIZE -#if MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE +#ifdef KRB5_MIT_DES_KEYSIZE +#if MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE) -#endif /* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */ -#endif /* KRB5_MIT_DES_KEYSIZE */ +#endif /* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */ +#endif /* KRB5_MIT_DES_KEYSIZE */ #endif /* KRB5_MIT_DES__ */ /* * End "mit-des.h" @@ -163,9 +164,9 @@ extern int mit_des_check_key_parity (mit_des_cblock ); /* string2key.c */ extern krb5_error_code mit_des_string_to_key ( const krb5_encrypt_block *, - krb5_keyblock *, const krb5_data *, const krb5_data *); + krb5_keyblock *, const krb5_data *, const krb5_data *); extern krb5_error_code mit_des_string_to_key_int - (krb5_keyblock *, const krb5_data *, const krb5_data *); + (krb5_keyblock *, const krb5_data *, const krb5_data *); /* weak_key.c */ extern int mit_des_is_weak_key (mit_des_cblock ); @@ -185,4 +186,4 @@ extern unsigned long swap_long_bytes_bit_number (unsigned long ); /* XXX depends on FILE being a #define! */ extern void test_set (FILE *, const char *, int, const char *, int); #endif -#endif /*DES_INTERNAL_DEFS*/ +#endif /*DES_INTERNAL_DEFS*/ diff --git a/src/lib/crypto/nss/des/des_oldapis.c b/src/lib/crypto/nss/des/des_oldapis.c index c931efc..eb1e586 100644 --- a/src/lib/crypto/nss/des/des_oldapis.c +++ b/src/lib/crypto/nss/des/des_oldapis.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/crypto/openssl/des/des_oldapis.c * @@ -33,8 +34,8 @@ const mit_des_cblock mit_des_zeroblock /* = all zero */; unsigned long mit_des_cbc_cksum(const krb5_octet *in, krb5_octet *out, - unsigned long length, const mit_des_key_schedule schedule, - const krb5_octet *ivec) + unsigned long length, const mit_des_key_schedule schedule, + const krb5_octet *ivec) { /* Unsupported operation */ return KRB5_CRYPTO_INTERNAL; diff --git a/src/lib/crypto/nss/des/string2key.c b/src/lib/crypto/nss/des/string2key.c index 6743c81..27c5c9e 100644 --- a/src/lib/crypto/nss/des/string2key.c +++ b/src/lib/crypto/nss/des/string2key.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/crypto/openssl/des/string2key.c * @@ -29,8 +30,8 @@ #include "nss_gen.h" krb5_error_code -mit_des_string_to_key_int (krb5_keyblock *key, - const krb5_data *pw, const krb5_data *salt) +mit_des_string_to_key_int(krb5_keyblock *key, const krb5_data *pw, + const krb5_data *salt) { PK11SlotInfo *slot = NULL; PK11SymKey *symKey = NULL; @@ -38,16 +39,17 @@ mit_des_string_to_key_int (krb5_keyblock *key, SECItem paramsItem; CK_PBE_PARAMS pbe_params; CK_MECHANISM_TYPE pbeMech = CKM_NETSCAPE_PBE_SHA1_DES_CBC; - krb5_error_code ret = -1; + krb5_error_code ret; SECItem *keyData; - ret=k5_nss_init(); - if (ret) return ret; + ret = k5_nss_init(); + if (ret) + return ret; slot = PK11_GetBestSlot(pbeMech, NULL); if (slot == NULL) { - ret = k5_nss_map_last_error(); - goto loser; + ret = k5_nss_map_last_error(); + goto loser; } pwItem.data = (unsigned char *)pw->data; @@ -58,28 +60,26 @@ mit_des_string_to_key_int (krb5_keyblock *key, paramsItem.data = (unsigned char *)&pbe_params; paramsItem.len = sizeof(pbe_params); - symKey = PK11_RawPBEKeyGen(slot, pbeMech, ¶msItem, &pwItem, - PR_FALSE, NULL); + symKey = PK11_RawPBEKeyGen(slot, pbeMech, ¶msItem, &pwItem, + PR_FALSE, NULL); if (symKey == NULL) { - ret = k5_nss_map_last_error(); - goto loser; + ret = k5_nss_map_last_error(); + goto loser; } PK11_ExtractKeyValue(symKey); keyData = PK11_GetKeyData(symKey); if (!keyData) { - ret = k5_nss_map_last_error(); - goto loser; + ret = k5_nss_map_last_error(); + goto loser; } key->length = keyData->len; memcpy(key->contents, keyData->data, key->length); ret = 0; loser: - if (symKey) { - PK11_FreeSymKey(symKey); - } - if (slot) { - PK11_FreeSlot(slot); - } + if (symKey) + PK11_FreeSymKey(symKey); + if (slot) + PK11_FreeSlot(slot); return ret; } diff --git a/src/lib/crypto/nss/des/weak_key.c b/src/lib/crypto/nss/des/weak_key.c index 9ea0e20..43fbe91 100644 --- a/src/lib/crypto/nss/des/weak_key.c +++ b/src/lib/crypto/nss/des/weak_key.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/crypto/openssl/des/weak_key.c * @@ -76,8 +77,8 @@ mit_des_is_weak_key(mit_des_cblock key) const mit_des_cblock *weak_p = weak; for (i = 0; i < (sizeof(weak)/sizeof(mit_des_cblock)); i++) { - if (!memcmp(weak_p++,key,sizeof(mit_des_cblock))) - return 1; + if (!memcmp(weak_p++,key,sizeof(mit_des_cblock))) + return 1; } return 0; } diff --git a/src/lib/crypto/nss/enc_provider/aes.c b/src/lib/crypto/nss/enc_provider/aes.c index 12f0fee..0e35a95 100644 --- a/src/lib/crypto/nss/enc_provider/aes.c +++ b/src/lib/crypto/nss/enc_provider/aes.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/crypto/nss/enc_provider/aes.c * @@ -33,46 +34,42 @@ krb5_error_code -krb5int_aes_encrypt(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data) { - int ret; + krb5_error_code ret; + ret = k5_nss_gen_import(key, CKM_AES_CBC, CKA_ENCRYPT); - if (ret != 0) { - return ret; - } - return k5_nss_gen_cts_iov(key, CKM_AES_CBC, CKA_ENCRYPT, - ivec, data, num_data); + if (ret != 0) + return ret; + return k5_nss_gen_cts_iov(key, CKM_AES_CBC, CKA_ENCRYPT, + ivec, data, num_data); } krb5_error_code -krb5int_aes_decrypt(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data) { - int ret; + krb5_error_code ret; + ret = k5_nss_gen_import(key, CKM_AES_CBC, CKA_DECRYPT); - if (ret != 0) { - return ret; - } - return k5_nss_gen_cts_iov(key, CKM_AES_CBC, CKA_DECRYPT, - ivec, data, num_data); + if (ret != 0) + return ret; + return k5_nss_gen_cts_iov(key, CKM_AES_CBC, CKA_DECRYPT, + ivec, data, num_data); } /* * perhaps we should store the NSS context in the krb5_data state here? */ static krb5_error_code -aes_init_state (const krb5_keyblock *key, krb5_keyusage usage, - krb5_data *state) +aes_init_state(const krb5_keyblock *key, krb5_keyusage usage, + krb5_data *state) { state->length = 16; state->data = (void *) malloc(16); if (state->data == NULL) - return ENOMEM; + return ENOMEM; memset(state->data, 0, state->length); return 0; } diff --git a/src/lib/crypto/nss/enc_provider/des.c b/src/lib/crypto/nss/enc_provider/des.c index a0dc4ae..ce16d6d 100644 --- a/src/lib/crypto/nss/enc_provider/des.c +++ b/src/lib/crypto/nss/enc_provider/des.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* lib/crypto/nss/enc_provider/des.c * * Copyright (C) 2009 by the Massachusetts Institute of Technology. @@ -58,18 +59,16 @@ static krb5_error_code -k5_des_encrypt_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +k5_des_encrypt_iov(krb5_key key, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data) { - int ret; - ret = k5_nss_gen_import(key, CKM_DES_CBC, CKA_ENCRYPT); - if (ret != 0) { - return ret; - } - return k5_nss_gen_block_iov(key, CKM_DES_CBC, CKA_ENCRYPT, - ivec, data, num_data); + krb5_error_code ret; + + ret = k5_nss_gen_import(key, CKM_DES_CBC, CKA_ENCRYPT); + if (ret != 0) + return ret; + return k5_nss_gen_block_iov(key, CKM_DES_CBC, CKA_ENCRYPT, + ivec, data, num_data); } static krb5_error_code @@ -78,13 +77,13 @@ k5_des_decrypt_iov(krb5_key key, krb5_crypto_iov *data, size_t num_data) { - int ret; - ret = k5_nss_gen_import(key, CKM_DES_CBC, CKA_ENCRYPT); - if (ret != 0) { - return ret; - } - return k5_nss_gen_block_iov(key, CKM_DES_CBC, CKA_DECRYPT, - ivec, data, num_data); + krb5_error_code ret; + + ret = k5_nss_gen_import(key, CKM_DES_CBC, CKA_ENCRYPT); + if (ret != 0) + return ret; + return k5_nss_gen_block_iov(key, CKM_DES_CBC, CKA_DECRYPT, + ivec, data, num_data); } const struct krb5_enc_provider krb5int_enc_des = { diff --git a/src/lib/crypto/nss/enc_provider/des3.c b/src/lib/crypto/nss/enc_provider/des3.c index df79d0e..5ad2d08 100644 --- a/src/lib/crypto/nss/enc_provider/des3.c +++ b/src/lib/crypto/nss/enc_provider/des3.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* lib/crypto/nss/enc_provider/des3.c * * Copyright (C) 2009 by the Massachusetts Institute of Technology. @@ -58,33 +59,29 @@ static krb5_error_code -k5_des3_encrypt_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +k5_des3_encrypt_iov(krb5_key key, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data) { - int ret; - ret = k5_nss_gen_import(key, CKM_DES3_CBC, CKA_ENCRYPT); - if (ret != 0) { - return ret; - } - return k5_nss_gen_block_iov(key, CKM_DES3_CBC, CKA_ENCRYPT, - ivec, data, num_data); + krb5_error_code ret; + + ret = k5_nss_gen_import(key, CKM_DES3_CBC, CKA_ENCRYPT); + if (ret != 0) + return ret; + return k5_nss_gen_block_iov(key, CKM_DES3_CBC, CKA_ENCRYPT, + ivec, data, num_data); } static krb5_error_code -k5_des3_decrypt_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +k5_des3_decrypt_iov(krb5_key key, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data) { - int ret; + krb5_error_code ret; + ret = k5_nss_gen_import(key, CKM_DES3_CBC, CKA_ENCRYPT); - if (ret != 0) { - return ret; - } - return k5_nss_gen_block_iov(key, CKM_DES3_CBC, CKA_DECRYPT, - ivec, data, num_data); + if (ret != 0) + return ret; + return k5_nss_gen_block_iov(key, CKM_DES3_CBC, CKA_DECRYPT, + ivec, data, num_data); } const struct krb5_enc_provider krb5int_enc_des3 = { diff --git a/src/lib/crypto/nss/enc_provider/enc_gen.c b/src/lib/crypto/nss/enc_provider/enc_gen.c index 88f26f8..6ad50b8 100644 --- a/src/lib/crypto/nss/enc_provider/enc_gen.c +++ b/src/lib/crypto/nss/enc_provider/enc_gen.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/crypto/nss/enc_provider/enc_gen.c * @@ -26,7 +27,7 @@ */ /* compile options (should move to configure)... */ -#define USE_OPAQUE_KEYS 1 +#define USE_OPAQUE_KEYS 1 #define DO_FAST_XOR 1 /*#define FAKE_FIPS 1 */ @@ -49,65 +50,61 @@ #define MAX_BLOCK_SIZE 64 -krb5_error_code -k5_nss_map_error(int nss_error) -{ - /* currently KRB5 does not define a full set CRYPTO failures. - * for now just use KRB5_CRYPTO_INTERNAL. We really should return - * errors for Not logged in, and maybe a few others */ - return KRB5_CRYPTO_INTERNAL; +krb5_error_code +k5_nss_map_error(int nss_error) +{ + /* Currently KRB5 does not define a full set of CRYPTO failures. + * for now just use KRB5_CRYPTO_INTERNAL. We really should return + * errors for Not logged in, and maybe a few others. */ + return KRB5_CRYPTO_INTERNAL; } -krb5_error_code -k5_nss_map_last_error() { - return k5_nss_map_error(PORT_GetError()); +krb5_error_code +k5_nss_map_last_error(void) +{ + return k5_nss_map_error(PORT_GetError()); } static NSSInitContext *krb5_nss_init = NULL; /* - * krb5 doesn't have a call into the crypto engine to initialize it, so - * we do it here. This code will try to piggyback on any application - * initialization done to NSS. Otherwise get get our one library init context. + * krb5 doesn't have a call into the crypto engine to initialize it, so we do + * it here. This code will try to piggyback on any application initialization + * done to NSS. Otherwise get our one library init context. */ krb5_error_code -k5_nss_init() +k5_nss_init(void) { #ifdef LINUX - /* default to the system NSS */ + /* Default to the system NSS. */ #define NSS_KRB5_CONFIGDIR "sql:/etc/pki/nssdb" #define NSS_KRB5_FLAGS 0 #else - /* other platforms don't have a system NSS defined yet, do a nodb init */ + /* Other platforms don't have a system NSS defined yet, do a nodb init. */ #define NSS_KRB5_CONFIGDIR NULL #define NSS_KRB5_FLAGS NSS_INIT_NOMODDB|NSS_INIT_NOCERTDB #endif - if (krb5_nss_init) { - /* we've already initialized NSS */ - return 0; - } - if (NSS_IsInitialized()) { - /* someone else has initialized NSS */ - return 0; - } - krb5_nss_init = NSS_InitContext(NSS_KRB5_CONFIGDIR, "", "", "", NULL, - NSS_INIT_READONLY|NSS_INIT_NOROOTINIT|NSS_KRB5_FLAGS); - if (!krb5_nss_init) { - return k5_nss_map_last_error(); - } - return 0; + if (krb5_nss_init) /* We've already initialized NSS. */ + return 0; + if (NSS_IsInitialized()) /* Someone else has initialized NSS. */ + return 0; + krb5_nss_init = NSS_InitContext(NSS_KRB5_CONFIGDIR, "", "", "", NULL, + NSS_INIT_READONLY | NSS_INIT_NOROOTINIT | + NSS_KRB5_FLAGS); + if (!krb5_nss_init) + return k5_nss_map_last_error(); + return 0; } - PK11Context * k5_nss_create_context(krb5_key krb_key, CK_MECHANISM_TYPE mechanism, - CK_ATTRIBUTE_TYPE operation, SECItem * param) + CK_ATTRIBUTE_TYPE operation, SECItem * param) { #ifdef USE_OPAQUE_KEYS PK11SymKey *key = (PK11SymKey *)krb_key->cache; - return PK11_CreateContextBySymKey(mechanism, operation, key, param); -#else + return PK11_CreateContextBySymKey(mechanism, operation, key, param); +#else PK11Context *ctx = NULL; PK11SlotInfo *slot; SECItem key; @@ -115,45 +112,43 @@ k5_nss_create_context(krb5_key krb_key, CK_MECHANISM_TYPE mechanism, key.data = krb_key->keyblock.contents; key.len = krb_key->keyblock.length; slot = PK11_GetBestSlot(mechanism, NULL); - if (slot == NULL) { - return NULL; - } - ctx = PK11_CreateContextByRawKey(slot,mechanism, PK11_OriginGenerated, - operation, &key, param, NULL); + if (slot == NULL) + return NULL; + ctx = PK11_CreateContextByRawKey(slot,mechanism, PK11_OriginGenerated, + operation, &key, param, NULL); PK11_FreeSlot(slot); return ctx; #endif } static void inline -xor(unsigned char *x, unsigned char *y, int size) +xor(unsigned char *x, unsigned char *y, int size) { int i; + #ifdef DO_FAST_XOR #define ALIGNED(x,type) (!(((size_t)(x))&(sizeof(type)-1))) - if (ALIGNED(x,unsigned long) && ALIGNED(y, unsigned long) - && ALIGNED(size, unsigned long)) { - unsigned long *ux = (unsigned long *)x; - unsigned long *uy = (unsigned long *)y; - for (i=0; i < (int)(size/sizeof(unsigned long)); i++) { - *ux++ ^= *uy++; - } - return; + if (ALIGNED(x,unsigned long) && ALIGNED(y, unsigned long) + && ALIGNED(size, unsigned long)) { + unsigned long *ux = (unsigned long *)x; + unsigned long *uy = (unsigned long *)y; + for (i=0; i < (int)(size/sizeof(unsigned long)); i++) { + *ux++ ^= *uy++; + } + return; } #endif for (i=0; i < size; i++) { - *x++ ^= *y++; + *x++ ^= *y++; } } krb5_error_code -k5_nss_gen_block_iov(krb5_key krb_key, CK_MECHANISM_TYPE mech, - CK_ATTRIBUTE_TYPE operation, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +k5_nss_gen_block_iov(krb5_key krb_key, CK_MECHANISM_TYPE mech, + CK_ATTRIBUTE_TYPE operation, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data) { - int ret = 0; + krb5_error_code ret = 0; PK11Context *ctx = NULL; SECStatus rv; SECItem *param = NULL; @@ -167,7 +162,6 @@ k5_nss_gen_block_iov(krb5_key krb_key, CK_MECHANISM_TYPE mech, int lastblock = -1; int currentblock; - IOV_BLOCK_STATE_INIT(&input_pos); IOV_BLOCK_STATE_INIT(&output_pos); @@ -175,97 +169,88 @@ k5_nss_gen_block_iov(krb5_key krb_key, CK_MECHANISM_TYPE mech, assert(blocksize <= sizeof(storage)); if (ivec && ivec->data) { - iv.data = (unsigned char *)ivec->data; - iv.len = ivec->length; - if (operation == CKA_DECRYPT) { - int i, inputlength; - - /* count the blocks so we know which block is last */ - for (i=0, inputlength=0; i < (int)num_data; i++) { - krb5_crypto_iov *iov=&data[i]; - - if (ENCRYPT_IOV(iov)) { - inputlength += iov->data.length; - } - } - lastblock = (inputlength/blocksize) -1; - } + iv.data = (unsigned char *)ivec->data; + iv.len = ivec->length; + if (operation == CKA_DECRYPT) { + int i, inputlength; + + /* Count the blocks so we know which block is last. */ + for (i = 0, inputlength = 0; i < (int)num_data; i++) { + krb5_crypto_iov *iov = &data[i]; + + if (ENCRYPT_IOV(iov)) + inputlength += iov->data.length; + } + lastblock = (inputlength/blocksize) -1; + } } else { - memset(iv0, 0, sizeof(iv0)); - iv.data = iv0; - iv.len = blocksize; + memset(iv0, 0, sizeof(iv0)); + iv.data = iv0; + iv.len = blocksize; } param = PK11_ParamFromIV(mech, &iv); ctx = k5_nss_create_context(krb_key, mech, operation, param); if (ctx == NULL) { - ret = k5_nss_map_last_error(); - goto done; + ret = k5_nss_map_last_error(); + goto done; } for (currentblock = 0;;currentblock++) { - ptr = iov_next_block(storage, blocksize, data, num_data, - &input_pos); + ptr = iov_next_block(storage, blocksize, data, num_data, &input_pos); if (ptr == NULL) break; - lastptr = NULL; + lastptr = NULL; - /* only set if we are decrypting */ - if (lastblock == currentblock) { - memcpy(ivec->data, ptr, blocksize); - } + /* only set if we are decrypting */ + if (lastblock == currentblock) + memcpy(ivec->data, ptr, blocksize); - rv = PK11_CipherOp(ctx, ptr, &length, blocksize, ptr, blocksize); - if (rv != SECSuccess) { - ret = k5_nss_map_last_error(); - break; - } + rv = PK11_CipherOp(ctx, ptr, &length, blocksize, ptr, blocksize); + if (rv != SECSuccess) { + ret = k5_nss_map_last_error(); + break; + } - lastptr = ptr; + lastptr = ptr; iov_store_block(data, num_data, ptr, storage, blocksize, &output_pos); } - + if (lastptr && ivec && ivec->data && operation == CKA_ENCRYPT) { - memcpy(ivec->data, lastptr, blocksize); + memcpy(ivec->data, lastptr, blocksize); } done: - if (ctx) { + if (ctx) PK11_Finalize(ctx); - } - - if (param) { - SECITEM_FreeItem(param, PR_TRUE); - } + if (param) + SECITEM_FreeItem(param, PR_TRUE); return ret; } krb5_error_code k5_nss_stream_init_state(krb5_data *new_state) { - new_state->data = NULL; - new_state->length = 0; - return 0; + new_state->data = NULL; + new_state->length = 0; + return 0; } krb5_error_code k5_nss_stream_free_state(krb5_data *state) { - if (state->length == (unsigned)-1 && state->data) { - PK11_Finalize((PK11Context *)state->data); - } - return 0; + if (state->length == (unsigned)-1 && state->data) + PK11_Finalize((PK11Context *)state->data); + return 0; } krb5_error_code k5_nss_gen_stream_iov(krb5_key krb_key, krb5_data *state, - CK_MECHANISM_TYPE mech, - CK_ATTRIBUTE_TYPE operation, - krb5_crypto_iov *data, - size_t num_data) + CK_MECHANISM_TYPE mech, CK_ATTRIBUTE_TYPE operation, + krb5_crypto_iov *data, size_t num_data) { - int ret = 0; + int ret = 0; PK11Context *ctx = NULL; SECStatus rv; SECItem param; @@ -276,51 +261,50 @@ k5_nss_gen_stream_iov(krb5_key krb_key, krb5_data *state, param.len = 0; if (state && state->data) { - ctx = (PK11Context *)state->data; + ctx = (PK11Context *)state->data; } else { ctx = k5_nss_create_context(krb_key, mech, operation, ¶m); - if (state && ctx) { - state->data = (char *)ctx; - state->length = -1; /* you don't get to copy this, */ - /* blow up if you try */ - } + if (state && ctx) { + state->data = (char *)ctx; + state->length = -1; /* you don't get to copy this, */ + /* blow up if you try */ + } } if (ctx == NULL) { - ret = k5_nss_map_last_error(); - goto done; + ret = k5_nss_map_last_error(); + goto done; } for (i=0; i < (int)num_data; i++) { - int return_length; - iov = &data[i]; - if (iov->data.length <= 0) break; - - if (ENCRYPT_IOV(iov)) { - rv = PK11_CipherOp(ctx, (unsigned char *)iov->data.data, - &return_length, iov->data.length, - (unsigned char *)iov->data.data, iov->data.length); - if (rv != SECSuccess) { - ret = k5_nss_map_last_error(); - goto done; - } - iov->data.length = return_length; - } + int return_length; + iov = &data[i]; + if (iov->data.length <= 0) + break; + + if (ENCRYPT_IOV(iov)) { + rv = PK11_CipherOp(ctx, (unsigned char *)iov->data.data, + &return_length, iov->data.length, + (unsigned char *)iov->data.data, + iov->data.length); + if (rv != SECSuccess) { + ret = k5_nss_map_last_error(); + goto done; + } + iov->data.length = return_length; + } } done: - if (!state && ctx) { + if (!state && ctx) PK11_Finalize(ctx); - } return ret; } krb5_error_code -k5_nss_gen_cts_iov(krb5_key krb_key, CK_MECHANISM_TYPE mech, - CK_ATTRIBUTE_TYPE operation, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +k5_nss_gen_cts_iov(krb5_key krb_key, CK_MECHANISM_TYPE mech, + CK_ATTRIBUTE_TYPE operation, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data) { - int ret = 0; + krb5_error_code ret = 0; PK11Context *ctx = NULL; SECStatus rv; SECItem *param = NULL; @@ -346,167 +330,163 @@ k5_nss_gen_cts_iov(krb5_key krb_key, CK_MECHANISM_TYPE mech, assert(blocksize <= sizeof(storage)); if (ivec) { - iv.data = (unsigned char *)ivec->data; - iv.len = ivec->length; + iv.data = (unsigned char *)ivec->data; + iv.len = ivec->length; } else { - memset(iv0, 0, sizeof(iv0)); - iv.data = iv0; - iv.len = blocksize; + memset(iv0, 0, sizeof(iv0)); + iv.data = iv0; + iv.len = blocksize; } param = PK11_ParamFromIV(mech, &iv); - for (i=0, input_length=0; i < (int)num_data; i++) { - krb5_crypto_iov *iov=&data[i]; + for (i = 0, input_length = 0; i < (int)num_data; i++) { + krb5_crypto_iov *iov = &data[i]; - if (ENCRYPT_IOV(iov)) { - input_length += iov->data.length; - } + if (ENCRYPT_IOV(iov)) + input_length += iov->data.length; } - /* must be at least a block or we fail */ + /* Must be at least a block or we fail. */ if (input_length < blocksize) { - ret = -1; - goto done; + ret = EINVAL; + goto done; } bulk_length = (input_length / blocksize)*blocksize; remainder = input_length - bulk_length; - /* do the block swap even if the input data is aligned, only - * drop it if we are encrypting exactly one block */ + /* Do the block swap even if the input data is aligned, only + * drop it if we are encrypting exactly one block. */ if (remainder == 0 && bulk_length != blocksize) { - remainder = blocksize; - bulk_length -= blocksize; + remainder = blocksize; + bulk_length -= blocksize; } ctx = k5_nss_create_context(krb_key, mech, operation, param); if (ctx == NULL) { - ret = k5_nss_map_last_error(); - goto done; + ret = k5_nss_map_last_error(); + goto done; } - /* now we bulk encrypt each block in the loop. We need to know where - * to stop to do special processing. For single block operations - * we stop at the end. For all others we stop and the last second to last - * block (counting partial blocks). For decrypt operations we need to save - * cn-2 so we stop at the third to last block if it exists, Otherwise - * cn-2 = the iv */ + /* Now we bulk encrypt each block in the loop. We need to know where to + * stop to do special processing. For single block operations we stop at + * the end. For all others we stop and the last second to last block + * (counting partial blocks). For decrypt operations we need to save cn-2 + * so we stop at the third to last block if it exists, otherwise cn-2 = the + * iv. */ lastblock = bulk_length; if (remainder) { - /* we need to process the last full block and last partitial block - * differently */ - lastblock = bulk_length - blocksize; - if (operation == CKA_DECRYPT) { - if (bulk_length > blocksize) { - /* stop at cn-2 so we can save it before going on */ - lastblock = bulk_length - 2*blocksize; - } else { - /* iv is cn-2, save it now, cn - 2 */ - memcpy(recover1, iv.data, blocksize); - memcpy(recover2, iv.data, blocksize); - } - } - } + /* We need to process the last full block and last partitial block + * differently. */ + lastblock = bulk_length - blocksize; + if (operation == CKA_DECRYPT) { + if (bulk_length > blocksize) { + /* Stop at cn-2 so we can save it before going on. */ + lastblock = bulk_length - 2*blocksize; + } else { + /* iv is cn-2, save it now, cn - 2. */ + memcpy(recover1, iv.data, blocksize); + memcpy(recover2, iv.data, blocksize); + } + } + } for (length = 0; length < lastblock; length += blocksize) { ptr = iov_next_block(storage, blocksize, data, num_data, &input_pos); if (ptr == NULL) break; - rv = PK11_CipherOp(ctx, ptr, &len, blocksize, ptr, blocksize); - if (rv != SECSuccess) { - ret = k5_nss_map_last_error(); - break; - } + rv = PK11_CipherOp(ctx, ptr, &len, blocksize, ptr, blocksize); + if (rv != SECSuccess) { + ret = k5_nss_map_last_error(); + break; + } iov_store_block(data, num_data, ptr, storage, blocksize, &output_pos); } if (remainder) { - if (operation == CKA_DECRYPT) { - if (bulk_length > blocksize) { - /* we need to save cn-2 */ - ptr = iov_next_block(storage, blocksize, data, num_data, - &input_pos); - if (ptr == NULL) - goto done; /* shouldn't happen */ - - /* save cn-2 */ - memcpy(recover1, ptr, blocksize); - memcpy(recover2, ptr, blocksize); - - /* now process it as normal */ - rv = PK11_CipherOp(ctx, ptr, &len, blocksize, ptr, blocksize); - if (rv != SECSuccess) { - ret = k5_nss_map_last_error(); - goto done; - } - - iov_store_block(data, num_data, ptr, storage, blocksize, - &output_pos); - } - } - /* fetch the last 2 blocks */ - memset(block1, 0, blocksize); /* last block, could be partial */ - krb5int_c_iov_get_block(block2, blocksize, data, num_data, &input_pos); - krb5int_c_iov_get_block(block1, remainder, data, num_data, &input_pos); - if (operation == CKA_DECRYPT) { - /* recover1 and recover2 are xor values to recover the true - * underlying data of the last 2 decrypts. This keeps us from having - * to try to reset our IV to do the final decryption. */ - /* currently: block1 is cn || 0, block2 is cn-1. - * recover1 & recover2 is set to cn-2 */ - /* recover2 recovers pn || c' from p'n-1. The raw decrypted block - * will be p'n-1 xor with cn-2 while pn || c' = p'n-1 xor cn || 0. - * recover2 is cn-2 xor cn || 0, so we can simple xor recover1 - * with the raw decrypted block */ - /* recover1 recovers pn-1 from the raw decryption of cn || c'. - * the raw decrypt of cn || c' = p'n xor cn-1 while - * pn-1 = p'n xor cn-2 - * recover1 is cn-2 xor cn-1, so we can simple xor recover 2 with - * the raw decrypt of cn||c' to get pn-1 */ - xor(recover1, block2, blocksize); - xor(recover2, block1, blocksize); - if (ivec && ivec->data) { - memcpy(ivec->data, block2, blocksize); - } - } - rv = PK11_CipherOp(ctx, block2, &len, blocksize, block2, blocksize); - if (rv != SECSuccess) { - ret = k5_nss_map_last_error(); - goto done; - } - if (operation == CKA_DECRYPT) { - /* block2 now has p'n-1 xor cn-2 */ - xor(block2, recover2, blocksize); - /* block 2 now has pn || c' */ - /* copy c' into cn || c' */ - memcpy(block1+remainder, block2+remainder, blocksize-remainder); - } - rv = PK11_CipherOp(ctx, block1, &len, blocksize, block1, blocksize); - if (rv != SECSuccess) { - ret = k5_nss_map_last_error(); - goto done; - } - if (operation == CKA_DECRYPT) { - /* block1 now has p'n xor cn-1 */ - xor(block1, recover1, blocksize); - /* block 1 now has pn-1 */ - } else { - if (ivec && ivec->data) { - memcpy(ivec->data, block1, blocksize); - } - } - krb5int_c_iov_put_block(data,num_data, block1, blocksize, &output_pos); - krb5int_c_iov_put_block(data,num_data, block2, remainder, &output_pos); + if (operation == CKA_DECRYPT) { + if (bulk_length > blocksize) { + /* we need to save cn-2 */ + ptr = iov_next_block(storage, blocksize, data, num_data, + &input_pos); + if (ptr == NULL) + goto done; /* shouldn't happen */ + + /* save cn-2 */ + memcpy(recover1, ptr, blocksize); + memcpy(recover2, ptr, blocksize); + + /* now process it as normal */ + rv = PK11_CipherOp(ctx, ptr, &len, blocksize, ptr, blocksize); + if (rv != SECSuccess) { + ret = k5_nss_map_last_error(); + goto done; + } + + iov_store_block(data, num_data, ptr, storage, blocksize, + &output_pos); + } + } + /* fetch the last 2 blocks */ + memset(block1, 0, blocksize); /* last block, could be partial */ + krb5int_c_iov_get_block(block2, blocksize, data, num_data, &input_pos); + krb5int_c_iov_get_block(block1, remainder, data, num_data, &input_pos); + if (operation == CKA_DECRYPT) { + /* recover1 and recover2 are xor values to recover the true + * underlying data of the last 2 decrypts. This keeps us from + * having to try to reset our IV to do the final decryption. */ + /* Currently: block1 is cn || 0, block2 is cn-1. + * recover1 & recover2 is set to cn-2. */ + /* recover2 recovers pn || c' from p'n-1. The raw decrypted block + * will be p'n-1 xor with cn-2 while pn || c' = p'n-1 xor cn || 0. + * recover2 is cn-2 xor cn || 0, so we can simple xor recover1 + * with the raw decrypted block. */ + /* recover1 recovers pn-1 from the raw decryption of cn || c'. + * the raw decrypt of cn || c' = p'n xor cn-1 while + * pn-1 = p'n xor cn-2 + * recover1 is cn-2 xor cn-1, so we can simple xor recover 2 with + * the raw decrypt of cn||c' to get pn-1. */ + xor(recover1, block2, blocksize); + xor(recover2, block1, blocksize); + if (ivec && ivec->data) + memcpy(ivec->data, block2, blocksize); + } + rv = PK11_CipherOp(ctx, block2, &len, blocksize, block2, blocksize); + if (rv != SECSuccess) { + ret = k5_nss_map_last_error(); + goto done; + } + if (operation == CKA_DECRYPT) { + /* block2 now has p'n-1 xor cn-2. */ + xor(block2, recover2, blocksize); + /* block 2 now has pn || c'. */ + /* copy c' into cn || c'. */ + memcpy(block1 + remainder, block2 + remainder, + blocksize - remainder); + } + rv = PK11_CipherOp(ctx, block1, &len, blocksize, block1, blocksize); + if (rv != SECSuccess) { + ret = k5_nss_map_last_error(); + goto done; + } + if (operation == CKA_DECRYPT) { + /* block1 now has p'n xor cn-1 */ + xor(block1, recover1, blocksize); + /* block 1 now has pn-1 */ + } else { + if (ivec && ivec->data) { + memcpy(ivec->data, block1, blocksize); + } + } + krb5int_c_iov_put_block(data,num_data, block1, blocksize, &output_pos); + krb5int_c_iov_put_block(data,num_data, block2, remainder, &output_pos); } done: - if (ctx) { + if (ctx) PK11_Finalize(ctx); - } - - if (param) { - SECITEM_FreeItem(param, PR_TRUE); - } + if (param) + SECITEM_FreeItem(param, PR_TRUE); return ret; } @@ -517,17 +497,17 @@ k5_nss_gen_cleanup(krb5_key krb_key) PK11SymKey *key = (PK11SymKey *)krb_key->cache; if (key) { - PK11_FreeSymKey(key); + PK11_FreeSymKey(key); krb_key->cache = NULL; - } + } #endif } krb5_error_code -k5_nss_gen_import(krb5_key krb_key, CK_MECHANISM_TYPE mech, - CK_ATTRIBUTE_TYPE operation) +k5_nss_gen_import(krb5_key krb_key, CK_MECHANISM_TYPE mech, + CK_ATTRIBUTE_TYPE operation) { - int ret = 0; + krb5_error_code ret = 0; #ifdef USE_OPAQUE_KEYS PK11SymKey *key = (PK11SymKey *)krb_key->cache; PK11SlotInfo *slot = NULL; @@ -545,48 +525,51 @@ k5_nss_gen_import(krb5_key krb_key, CK_MECHANISM_TYPE mech, SECStatus rv; #endif - if (key) { return 0; } + if (key) + return 0; ret = k5_nss_init(); - if (ret) return ret; + if (ret) + return ret; slot = PK11_GetBestSlot(mech, NULL); if (slot == NULL) { - ret = k5_nss_map_last_error(); - goto done; + ret = k5_nss_map_last_error(); + goto done; } raw_key.data = krb_key->keyblock.contents; raw_key.len = krb_key->keyblock.length; #ifdef FAKE_FIPS - /* first, fetch a wrapping key */ + /* First, fetch a wrapping key. */ wrapping_index = PK11_GetCurrentWrapIndex(slot); series = PK11_GetSlotSeries(slot); - wrapping_key =PK11_GetWrapKey(slot, wrapping_index, - CKM_INVALID_MECHANISM, series, NULL); + wrapping_key = PK11_GetWrapKey(slot, wrapping_index, + CKM_INVALID_MECHANISM, series, NULL); if (wrapping_key == NULL) { - /* one doesn't exist, create one */ - mechanism = PK11_GetBestWrapMechanism(slot); - keyLength = PK11_GetBestKeyLength(slot, mechanism); - wrapping_key = PK11_TokenKeyGenWithFlags(slot, mechanism, NULL, - keyLength, NULL, CKF_UNWRAP|CKF_ENCRYPT, 0, - NULL); - if (!wrapping_key) { - ret = k5_nss_map_last_error(); - goto done; - } - PK11_SetWrapKey(slot, wrapping_index, wrapping_key); - } - - /* now encrypt the data with the wrapping key */ + /* One doesn't exist, create one. */ + mechanism = PK11_GetBestWrapMechanism(slot); + keyLength = PK11_GetBestKeyLength(slot, mechanism); + wrapping_key = PK11_TokenKeyGenWithFlags(slot, mechanism, NULL, + keyLength, NULL, + CKF_UNWRAP | CKF_ENCRYPT, 0, + NULL); + if (!wrapping_key) { + ret = k5_nss_map_last_error(); + goto done; + } + PK11_SetWrapKey(slot, wrapping_index, wrapping_key); + } + + /* Now encrypt the data with the wrapping key. */ mechanism = PK11_GetMechanism(wrapping_key); params.data = NULL; params.len = 0; - ctx = PK11_CreateContextBySymKey(mechanism, CKA_ENCRYPT, - wrapping_key, ¶ms); + ctx = PK11_CreateContextBySymKey(mechanism, CKA_ENCRYPT, + wrapping_key, ¶ms); if (ctx == NULL) { - ret = k5_nss_map_last_error(); - goto done; + ret = k5_nss_map_last_error(); + goto done; } wrapped_key.data = wrapped_key_data; @@ -600,55 +583,52 @@ k5_nss_gen_import(krb5_key krb_key, CK_MECHANISM_TYPE mech, * will use the length parameter to appropriately set the key. */ if ((raw_key.len % blocksize) != 0) { - int keyblocks = (raw_key.len +(blocksize-1))/blocksize; - keyLength = keyblocks * blocksize; - assert(keyLength <= sizeof(padded_key_data)); - memset(padded_key_data, 0, keyLength); - memcpy(padded_key_data,raw_key.data, raw_key.len); - raw_key.data = padded_key_data; - } - rv = PK11_CipherOp(ctx, wrapped_key.data, (int *)&wrapped_key.len, - sizeof(wrapped_key_data), raw_key.data, keyLength); + int keyblocks = (raw_key.len + (blocksize - 1)) / blocksize; + keyLength = keyblocks * blocksize; + assert(keyLength <= sizeof(padded_key_data)); + memset(padded_key_data, 0, keyLength); + memcpy(padded_key_data, raw_key.data, raw_key.len); + raw_key.data = padded_key_data; + } + rv = PK11_CipherOp(ctx, wrapped_key.data, (int *)&wrapped_key.len, + sizeof(wrapped_key_data), raw_key.data, keyLength); if (keyLength != raw_key.len) { - /* clear our copy of the key bits */ - memset(padded_key_data, 0, keyLength); + /* Clear our copy of the key bits. */ + memset(padded_key_data, 0, keyLength); } if (rv != SECSuccess) { - ret = k5_nss_map_last_error(); - goto done; + ret = k5_nss_map_last_error(); + goto done; } PK11_Finalize(ctx); ctx = NULL; - /* now now we have a 'wrapped' version of the, we can import it into + /* Now now we have a 'wrapped' version of the, we can import it into * the token without running afoul with FIPS. */ - key = PK11_UnwrapSymKey(wrapping_key, mechanism, ¶ms, &wrapped_key, - mech, operation, raw_key.len); + key = PK11_UnwrapSymKey(wrapping_key, mechanism, ¶ms, &wrapped_key, + mech, operation, raw_key.len); #else - key = PK11_ImportSymKey(slot, mech, PK11_OriginGenerated, operation, - &raw_key, NULL); + key = PK11_ImportSymKey(slot, mech, PK11_OriginGenerated, operation, + &raw_key, NULL); #endif if (key == NULL) { - ret = k5_nss_map_last_error(); - goto done; + ret = k5_nss_map_last_error(); + goto done; } krb_key->cache = (void *) key; done: - if (slot) { - PK11_FreeSlot(slot); - } + if (slot) + PK11_FreeSlot(slot); #ifdef FAKE_FIPS - if (ctx) { - PK11_Finalize(ctx); - } - if (wrapping_key) { - PK11_FreeSymKey(wrapping_key); - } + if (ctx) + PK11_Finalize(ctx); + if (wrapping_key) + PK11_FreeSymKey(wrapping_key); #endif #else ret = k5_nss_init(); -#endif +#endif return ret; } diff --git a/src/lib/crypto/nss/enc_provider/enc_provider.h b/src/lib/crypto/nss/enc_provider/enc_provider.h index 49ffaaf..8144b65 100644 --- a/src/lib/crypto/nss/enc_provider/enc_provider.h +++ b/src/lib/crypto/nss/enc_provider/enc_provider.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (C) 1998 by the FundsXpress, INC. * diff --git a/src/lib/crypto/nss/enc_provider/rc4.c b/src/lib/crypto/nss/enc_provider/rc4.c index 155dbe8..926bd9c 100644 --- a/src/lib/crypto/nss/enc_provider/rc4.c +++ b/src/lib/crypto/nss/enc_provider/rc4.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* lib/crypto/nss/enc_provider/rc4.c * * #include STD_DISCLAIMER @@ -45,54 +46,49 @@ /* In-place IOV crypto */ static krb5_error_code -k5_arcfour_encrypt_iov(krb5_key key, - const krb5_data *state, - krb5_crypto_iov *data, - size_t num_data) +k5_arcfour_encrypt_iov(krb5_key key, const krb5_data *state, + krb5_crypto_iov *data, size_t num_data) { - int ret; + krb5_error_code ret; + ret = k5_nss_gen_import(key, CKM_RC4, CKA_ENCRYPT); - if (ret != 0) { - return ret; - } - return k5_nss_gen_stream_iov(key, state, CKM_RC4, CKA_ENCRYPT, - data, num_data); + if (ret != 0) + return ret; + return k5_nss_gen_stream_iov(key, state, CKM_RC4, CKA_ENCRYPT, + data, num_data); } /* In-place IOV crypto */ static krb5_error_code -k5_arcfour_decrypt_iov(krb5_key key, - const krb5_data *state, - krb5_crypto_iov *data, - size_t num_data) +k5_arcfour_decrypt_iov(krb5_key key, const krb5_data *state, + krb5_crypto_iov *data, size_t num_data) { - int ret; + krb5_error_code ret; + ret = k5_nss_gen_import(key, CKM_RC4, CKA_DECRYPT); - if (ret != 0) { - return ret; - } - return k5_nss_gen_stream_iov(key, state, CKM_RC4, CKA_DECRYPT, - data, num_data); + if (ret != 0) + return ret; + return k5_nss_gen_stream_iov(key, state, CKM_RC4, CKA_DECRYPT, + data, num_data); } static krb5_error_code -k5_arcfour_free_state ( krb5_data *state) +k5_arcfour_free_state(krb5_data *state) { - return k5_nss_stream_free_state(state); + return k5_nss_stream_free_state(state); } static krb5_error_code -k5_arcfour_init_state (const krb5_keyblock *key, - krb5_keyusage keyusage, krb5_data *new_state) +k5_arcfour_init_state(const krb5_keyblock *key, + krb5_keyusage keyusage, krb5_data *new_state) { - /* key can't quite be used here. see comment in k5_arcfour_init_state */ - return k5_nss_stream_init_state(new_state); - + /* key can't quite be used here. See comment in k5_arcfour_init_state. */ + return k5_nss_stream_init_state(new_state); } const struct krb5_enc_provider krb5int_enc_arcfour = { /* This seems to work... although I am not sure what the - implications are in other places in the kerberos library */ + implications are in other places in the kerberos library. */ RC4_BLOCK_SIZE, /* Keysize is arbitrary in arcfour, but the constraints of the system, and to attempt to work with the MSFT system forces us @@ -103,7 +99,7 @@ const struct krb5_enc_provider krb5int_enc_arcfour = { k5_arcfour_decrypt_iov, NULL, krb5int_arcfour_make_key, - k5_arcfour_init_state, + k5_arcfour_init_state, k5_arcfour_free_state, k5_nss_gen_cleanup }; diff --git a/src/lib/crypto/nss/hash_provider/hash_crc32.c b/src/lib/crypto/nss/hash_provider/hash_crc32.c index ad30f85..3a2f94a 100644 --- a/src/lib/crypto/nss/hash_provider/hash_crc32.c +++ b/src/lib/crypto/nss/hash_provider/hash_crc32.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (C) 1998 by the FundsXpress, INC. * @@ -36,18 +37,18 @@ k5_crc32_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output) unsigned int i; if (output->length != CRC32_CKSUM_LENGTH) - return(KRB5_CRYPTO_INTERNAL); + return KRB5_CRYPTO_INTERNAL; c = 0; for (i=0; i < num_data; i++) { - const krb5_crypto_iov *iov=&data[i]; + const krb5_crypto_iov *iov = &data[i]; - if (SIGN_IOV(iov)) - mit_crc32(iov->data.data, iov->data.length, &c); + if (SIGN_IOV(iov)) + mit_crc32(iov->data.data, iov->data.length, &c); } store_32_le(c, output->data); - return(0); + return 0; } const struct krb5_hash_provider krb5int_hash_crc32 = { diff --git a/src/lib/crypto/nss/hash_provider/hash_gen.c b/src/lib/crypto/nss/hash_provider/hash_gen.c index 0448674..98a8cc6 100644 --- a/src/lib/crypto/nss/hash_provider/hash_gen.c +++ b/src/lib/crypto/nss/hash_provider/hash_gen.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (C) 2010 Red Hat, Inc. * @@ -31,34 +32,36 @@ krb5_error_code k5_nss_gen_hash(HASH_HashType hashType, const krb5_crypto_iov *data, - size_t num_data, krb5_data *output) + size_t num_data, krb5_data *output) { unsigned int i; HASHContext *ctx; krb5_error_code ret; ret = k5_nss_init(); - if (ret) return ret; + if (ret) + return ret; if (output->length != HASH_ResultLen(hashType)) - return(KRB5_CRYPTO_INTERNAL); + return KRB5_CRYPTO_INTERNAL; ctx = HASH_Create(hashType); - if (!ctx) - return(ENOMEM); + if (!ctx) + return ENOMEM; HASH_Begin(ctx); for (i=0; i < num_data; i++) { - const krb5_crypto_iov *iov = &data[i]; + const krb5_crypto_iov *iov = &data[i]; - if (iov->data.length && SIGN_IOV(iov)) - HASH_Update(ctx, (unsigned char *) iov->data.data, - iov->data.length); + if (iov->data.length && SIGN_IOV(iov)) { + HASH_Update(ctx, (unsigned char *) iov->data.data, + iov->data.length); + } } - HASH_End(ctx, (unsigned char *)output->data, - &output->length, output->length); + HASH_End(ctx, (unsigned char *)output->data, + &output->length, output->length); - return(0); + return 0; } diff --git a/src/lib/crypto/nss/hash_provider/hash_gen.h b/src/lib/crypto/nss/hash_provider/hash_gen.h index fbf4f62..11faab0 100644 --- a/src/lib/crypto/nss/hash_provider/hash_gen.h +++ b/src/lib/crypto/nss/hash_provider/hash_gen.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (C) 2010 Red Hat, Inc. * @@ -27,7 +28,5 @@ #include "sechash.h" #include "k5-int.h" -krb5_error_code k5_nss_gen_hash(HASH_HashType hashType, unsigned int icount, - const krb5_data *input, - krb5_data *output); - +krb5_error_code k5_nss_gen_hash(HASH_HashType hashType, unsigned int icount, + const krb5_data *input, krb5_data *output); diff --git a/src/lib/crypto/nss/hash_provider/hash_md4.c b/src/lib/crypto/nss/hash_provider/hash_md4.c index b6a1022..91482f7 100644 --- a/src/lib/crypto/nss/hash_provider/hash_md4.c +++ b/src/lib/crypto/nss/hash_provider/hash_md4.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (C) 2010 Red Hat, Inc. * @@ -32,21 +33,20 @@ static krb5_error_code k5_md4_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output) { - krb5_MD4_CTX ctx; - unsigned long i; + krb5_MD4_CTX ctx; + unsigned long i; - if (output->length != RSA_MD4_CKSUM_LENGTH) { - return KRB5_CRYPTO_INTERNAL; - } + if (output->length != RSA_MD4_CKSUM_LENGTH) + return KRB5_CRYPTO_INTERNAL; - krb5int_MD4Init(&ctx); - for (i=0; i < num_data; i++) { - const krb5_crypto_iov *iov = &data[i]; + krb5int_MD4Init(&ctx); + for (i=0; i < num_data; i++) { + const krb5_crypto_iov *iov = &data[i]; - if (SIGN_IOV(iov)) { - krb5int_MD4Update(&ctx, (unsigned char *)iov->data.data, - iov->data.length); - } + if (SIGN_IOV(iov)) { + krb5int_MD4Update(&ctx, (unsigned char *)iov->data.data, + iov->data.length); + } } krb5int_MD4Final(&ctx); diff --git a/src/lib/crypto/nss/hash_provider/hash_md5.c b/src/lib/crypto/nss/hash_provider/hash_md5.c index d9eb648..7e1b82b 100644 --- a/src/lib/crypto/nss/hash_provider/hash_md5.c +++ b/src/lib/crypto/nss/hash_provider/hash_md5.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (C) 2010 Red Hat, Inc. * @@ -31,7 +32,6 @@ static krb5_error_code k5_md5_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output) { - return k5_nss_gen_hash(HASH_AlgMD5, data, num_data, output); } diff --git a/src/lib/crypto/nss/hash_provider/hash_provider.h b/src/lib/crypto/nss/hash_provider/hash_provider.h index 1023d1a..eebe845 100644 --- a/src/lib/crypto/nss/hash_provider/hash_provider.h +++ b/src/lib/crypto/nss/hash_provider/hash_provider.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (C) 1998 by the FundsXpress, INC. * diff --git a/src/lib/crypto/nss/hash_provider/hash_sha1.c b/src/lib/crypto/nss/hash_provider/hash_sha1.c index 99a60c0..49e6864 100644 --- a/src/lib/crypto/nss/hash_provider/hash_sha1.c +++ b/src/lib/crypto/nss/hash_provider/hash_sha1.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (C) 2010 Red Hat, Inc. * @@ -31,7 +32,6 @@ static krb5_error_code k5_sha1_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output) { - return k5_nss_gen_hash(HASH_AlgSHA1, data, num_data, output); } diff --git a/src/lib/crypto/nss/hmac.c b/src/lib/crypto/nss/hmac.c index 5910333..ceed1d1 100644 --- a/src/lib/crypto/nss/hmac.c +++ b/src/lib/crypto/nss/hmac.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* lib/crypto/openssl/hmac.c * * Copyright (C) 2009 by the Massachusetts Institute of Technology. @@ -77,34 +78,29 @@ digest_to_hmac(const struct krb5_hash_provider *hash) /* use strcmp so we don't confuse SHA1 with SHA128 */ /* handle the obvious cases first */ - if (!strcmp(hash->hash_name, "SHA1")) { - return CKM_SHA_1_HMAC; - } - if (!strcmp(hash->hash_name, "MD5")) { - return CKM_MD5_HMAC; - } + if (!strcmp(hash->hash_name, "SHA1")) + return CKM_SHA_1_HMAC; + if (!strcmp(hash->hash_name, "MD5")) + return CKM_MD5_HMAC; /* the following coudes needs HASH_GetHMACOidTagByHashOidTag() to be * exported before it will work */ #ifdef NSS_LOOKUP_STRING /* See if the currently loaded version of NSS recognizes this hash */ hmacTag = SEC_OID_UNKNOWN; for (hashTag=1; (oid=SECOID_FindOIDByTag(hashTag)) != NULL; hashTag++) { - if (oid->mechanism == CKM_INVALID_MECHANISM) { - continue; - } - if (!strcasecmp(oid->desc, hash->hash_name)) { - continue; - } - /* now map the hash oid to an hmac oid */ - hmacTag = HASH_GetHMACOidTagByHashOidTag(hashTag); + if (oid->mechanism == CKM_INVALID_MECHANISM) + continue; + if (!strcasecmp(oid->desc, hash->hash_name)) + continue; + /* now map the hash oid to an hmac oid */ + hmacTag = HASH_GetHMACOidTagByHashOidTag(hashTag); HASH_GetHMACOidTagByHashOidTag - if (hmacTag != SEC_OID_UNKNOWN) { - break; - } + if (hmacTag != SEC_OID_UNKNOWN) + break; } oid = SECOID_FindOIDByTag(hmacTag); if (oid) { - return oid->mechanism; + return oid->mechanism; } #endif return CKM_INVALID_MECHANISM; @@ -112,8 +108,7 @@ digest_to_hmac(const struct krb5_hash_provider *hash) krb5_error_code krb5int_hmac(const struct krb5_hash_provider *hash, krb5_key key, - const krb5_crypto_iov *data, size_t num_data, - krb5_data *output) + const krb5_crypto_iov *data, size_t num_data, krb5_data *output) { unsigned int i = 0; CK_MECHANISM_TYPE mech; @@ -123,71 +118,69 @@ krb5int_hmac(const struct krb5_hash_provider *hash, krb5_key key, SECItem param; if (output->length < hash->hashsize) - return(KRB5_BAD_MSIZE); + return KRB5_BAD_MSIZE; mech = digest_to_hmac(hash); if (mech == CKM_INVALID_MECHANISM) - return(KRB5_CRYPTO_INTERNAL); // unsupported alg + return KRB5_CRYPTO_INTERNAL; /* unsupported alg */ - ret = k5_nss_gen_import(key, mech, CKA_SIGN); - if (ret != 0) { - return ret; - } + ret = k5_nss_gen_import(key, mech, CKA_SIGN); + if (ret != 0) + return ret; param.data = NULL; param.len = 0; ctx = k5_nss_create_context(key, mech, CKA_SIGN, ¶m); - if (ctx == NULL) { - goto fail; - } + if (ctx == NULL) + goto fail; rv = PK11_DigestBegin(ctx); - if (rv != SECSuccess) goto fail; + if (rv != SECSuccess) + goto fail; for (i=0; i < num_data; i++) { - const krb5_crypto_iov *iov = &data[i]; + const krb5_crypto_iov *iov = &data[i]; - if (iov->data.length && SIGN_IOV(iov)) { - rv = PK11_DigestOp(ctx,(const unsigned char*)iov->data.data, - iov->data.length); - if (rv != SECSuccess) goto fail; - } + if (iov->data.length && SIGN_IOV(iov)) { + rv = PK11_DigestOp(ctx,(const unsigned char*)iov->data.data, + iov->data.length); + if (rv != SECSuccess) + goto fail; + } } rv = PK11_DigestFinal(ctx, (unsigned char *) output->data, &output->length, - output->length); + output->length); ctx = NULL; - if (rv != SECSuccess) goto fail; + if (rv != SECSuccess) + goto fail; return 0; fail: ret = k5_nss_map_last_error(); - if (ctx) { - PK11_Finalize(ctx); - } + if (ctx) + PK11_Finalize(ctx); return ret; } krb5_error_code krb5int_hmac_keyblock(const struct krb5_hash_provider *hash, - const krb5_keyblock *keyblock, - const krb5_crypto_iov *data, size_t num_data, - krb5_data *output) + const krb5_keyblock *keyblock, + const krb5_crypto_iov *data, size_t num_data, + krb5_data *output) { krb5_key key; krb5_error_code code; if (keyblock->length > hash->blocksize) - return(KRB5_CRYPTO_INTERNAL); + return KRB5_CRYPTO_INTERNAL; memset(&key, 0, sizeof(key)); code = krb5_k_create_key(NULL, keyblock, &key); - if (code) { - return code; - } + if (code) + return code; code = krb5int_hmac(hash, key, data, num_data, output); krb5_k_free_key(NULL, key); return code; } - diff --git a/src/lib/crypto/nss/md5/md5.c b/src/lib/crypto/nss/md5/md5.c index a361a84..8fa32fa 100644 --- a/src/lib/crypto/nss/md5/md5.c +++ b/src/lib/crypto/nss/md5/md5.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* lib/crypto/openssl/md5/md5.c * * Copyright (C) 2009 by the Massachusetts Institute of Technology. @@ -29,50 +30,45 @@ #include "nss_gen.h" -/* The routine krb5int_MD5Init initializes the message-digest context - mdContext. - */ +/* Initialize the message-digest context mdContext. */ void -krb5int_MD5Init (krb5_MD5_CTX *mdContext) +krb5int_MD5Init(krb5_MD5_CTX *mdContext) { if (k5_nss_init()) { - mdContext->nss_ctxt = NULL; - return; + mdContext->nss_ctxt = NULL; + return; } mdContext->nss_ctxt = PK11_CreateDigestContext(SEC_OID_MD5); - if (mdContext->nss_ctxt == NULL) { - return; - } + if (mdContext->nss_ctxt == NULL) + return; PK11_DigestBegin((PK11Context *)mdContext->nss_ctxt); } -/* The routine krb5int_MD5Update updates the message-digest context to - account for the presence of each of the characters inBuf[0..inLen-1] - in the message whose digest is being computed. +/* + * Update the message-digest context to account for the presence of each of the + * characters inBuf[0..inLen-1] in the message whose digest is being computed. */ void -krb5int_MD5Update (krb5_MD5_CTX *mdContext, const unsigned char *inBuf, unsigned int inLen) +krb5int_MD5Update(krb5_MD5_CTX *mdContext, const unsigned char *inBuf, + unsigned int inLen) { - if (mdContext->nss_ctxt == NULL) { - return; - } + if (mdContext->nss_ctxt == NULL) + return; PK11_DigestOp((PK11Context *)mdContext->nss_ctxt, inBuf, inLen); } -/* The routine krb5int_MD5Final terminates the message-digest computation and - ends with the desired message digest in mdContext->digest[0...15]. - */ +/* Terminate the message-digest computation and end with the desired message + * digest in mdContext->digest[0...15]. */ void -krb5int_MD5Final (krb5_MD5_CTX *mdContext) +krb5int_MD5Final(krb5_MD5_CTX *mdContext) { unsigned int digestLength; - if (mdContext->nss_ctxt == NULL) { - return; - } - PK11_DigestFinal((PK11Context *)mdContext->nss_ctxt, mdContext->digest, - &digestLength, sizeof (mdContext->digest)); - /* since there is not separate cleanup step, free the context now. + if (mdContext->nss_ctxt == NULL) + return; + PK11_DigestFinal((PK11Context *)mdContext->nss_ctxt, mdContext->digest, + &digestLength, sizeof (mdContext->digest)); + /* since there is not separate cleanup step, free the context now. * (otherwise we could have reused the context for another MD5 operation * in the future). */ diff --git a/src/lib/crypto/nss/md5/rsa-md5.h b/src/lib/crypto/nss/md5/rsa-md5.h index 6fecb04..228eb09 100644 --- a/src/lib/crypto/nss/md5/rsa-md5.h +++ b/src/lib/crypto/nss/md5/rsa-md5.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* lib/crypto/openssl/md5/rsa-md5.h * * Copyright (C) 2009 by the Massachusetts Institute of Technology. @@ -77,7 +78,8 @@ typedef struct { } krb5_MD5_CTX; extern void krb5int_MD5Init(krb5_MD5_CTX *); -extern void krb5int_MD5Update(krb5_MD5_CTX *,const unsigned char *,unsigned int); +extern void krb5int_MD5Update(krb5_MD5_CTX *, const unsigned char *, + unsigned int); extern void krb5int_MD5Final(krb5_MD5_CTX *); #define RSA_MD5_CKSUM_LENGTH 16 diff --git a/src/lib/crypto/nss/nss_gen.h b/src/lib/crypto/nss/nss_gen.h index d93e723..1d41946 100644 --- a/src/lib/crypto/nss/nss_gen.h +++ b/src/lib/crypto/nss/nss_gen.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * * Copyright (C) 2003, 2007, 2008, 2009 by the Massachusetts Institute of Technology. @@ -34,64 +35,62 @@ #define MAX_BLOCK_SIZE 64 /* - * common nss utils + * Common nss utils */ -/* Make sure NSS is properly initialized */ + +/* Make sure NSS is properly initialized. */ krb5_error_code k5_nss_init(void); -/* import a key into NSS and store the handle in krb5_key */ +/* Import a key into NSS and store the handle in krb5_key. */ krb5_error_code -k5_nss_gen_import(krb5_key key, CK_MECHANISM_TYPE mech, - CK_ATTRIBUTE_TYPE operation); -/* clean up an imported key */ +k5_nss_gen_import(krb5_key key, CK_MECHANISM_TYPE mech, + CK_ATTRIBUTE_TYPE operation); + +/* Clean up an imported key. */ void k5_nss_gen_cleanup(krb5_key key); -/* create a new crypto/hash/sign context from a krb5_key */ +/* Create a new crypto/hash/sign context from a krb5_key. */ PK11Context * k5_nss_create_context(krb5_key krb_key, CK_MECHANISM_TYPE mechanism, - CK_ATTRIBUTE_TYPE operation, SECItem * param); + CK_ATTRIBUTE_TYPE operation, SECItem * param); -/* mapp and NSS error into a krb5_error_code */ -krb5_error_code k5_nss_map_error (int nss_error); -krb5_error_code k5_nss_map_last_error (void); +/* Map an NSS error into a krb5_error_code. */ +krb5_error_code k5_nss_map_error(int nss_error); +krb5_error_code k5_nss_map_last_error(void); /* - * common encryption functions + * Common encryption functions */ -/* encrypt/decrypt block modes except cts using iov */ -krb5_error_code -k5_nss_gen_block_iov(krb5_key key, CK_MECHANISM_TYPE mech, - CK_ATTRIBUTE_TYPE operation, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data); -/* encrypt/decrypt stream modes using iov */ -krb5_error_code -k5_nss_gen_stream_iov(krb5_key key, krb5_data *state, - CK_MECHANISM_TYPE mech, - CK_ATTRIBUTE_TYPE operation, - krb5_crypto_iov *data, - size_t num_data); -/* encrypt/decrypt block modes using cts */ + +/* Encrypt/decrypt block modes except cts using iov. */ krb5_error_code -k5_nss_gen_cts_iov(krb5_key key, CK_MECHANISM_TYPE mech, - CK_ATTRIBUTE_TYPE operation, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data); +k5_nss_gen_block_iov(krb5_key key, CK_MECHANISM_TYPE mech, + CK_ATTRIBUTE_TYPE operation, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data); -/* stream state management calls */ +/* Encrypt/decrypt stream modes using iov. */ krb5_error_code -k5_nss_stream_init_state(krb5_data *new_state); +k5_nss_gen_stream_iov(krb5_key key, krb5_data *state, CK_MECHANISM_TYPE mech, + CK_ATTRIBUTE_TYPE operation, krb5_crypto_iov *data, + size_t num_data); + +/* Encrypt/decrypt block modes using cts. */ krb5_error_code -k5_nss_stream_free_state(krb5_data *state); +k5_nss_gen_cts_iov(krb5_key key, CK_MECHANISM_TYPE mech, + CK_ATTRIBUTE_TYPE operation, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data); + +/* Stream state management calls. */ +krb5_error_code k5_nss_stream_init_state(krb5_data *new_state); +krb5_error_code k5_nss_stream_free_state(krb5_data *state); /* - * common hash functions + * Common hash functions */ -/* all hash modes */ -krb5_error_code + +/* All hash modes. */ +krb5_error_code k5_nss_gen_hash(HASH_HashType hashType, const krb5_crypto_iov *data, - size_t num_data, krb5_data *output); + size_t num_data, krb5_data *output); diff --git a/src/lib/crypto/nss/pbkdf2.c b/src/lib/crypto/nss/pbkdf2.c index b1b1e35..de92456 100644 --- a/src/lib/crypto/nss/pbkdf2.c +++ b/src/lib/crypto/nss/pbkdf2.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/crypto/nss/pbkdf2.c * @@ -24,8 +25,7 @@ * or implied warranty. * * - * Implementation of PBKDF2 from RFC 2898. - * Not currently used; likely to be used when we get around to AES support. + * Implementation of PBKDF2 using NSS. */ #include <ctype.h> @@ -36,8 +36,8 @@ krb5_error_code -krb5int_pbkdf2_hmac_sha1 (const krb5_data *out, unsigned long count, - const krb5_data *pass, const krb5_data *salt) +krb5int_pbkdf2_hmac_sha1(const krb5_data *out, unsigned long count, + const krb5_data *pass, const krb5_data *salt) { PK11SlotInfo *slot = NULL; @@ -45,18 +45,18 @@ krb5int_pbkdf2_hmac_sha1 (const krb5_data *out, unsigned long count, PK11SymKey *symKey = NULL; SECItem saltItem, pwItem; const SECItem *keydata = NULL; - SECOidTag pbeAlg = SEC_OID_PKCS5_PBKDF2; - SECOidTag cipherAlg = SEC_OID_AES_256_CBC; - SECOidTag prfAlg = SEC_OID_HMAC_SHA1; + SECOidTag pbeAlg = SEC_OID_PKCS5_PBKDF2; + SECOidTag cipherAlg = SEC_OID_AES_256_CBC; + SECOidTag prfAlg = SEC_OID_HMAC_SHA1; krb5_error_code ret; ret = k5_nss_init(); - if (ret) return ret; + if (ret) + return ret; slot = PK11_GetBestSlot(PK11_AlgtagToMechanism(pbeAlg), NULL); - if (slot == NULL) { - return k5_nss_map_last_error(); - } + if (slot == NULL) + return k5_nss_map_last_error(); saltItem.type = siBuffer; saltItem.data = (unsigned char *)salt->data; @@ -68,10 +68,10 @@ krb5int_pbkdf2_hmac_sha1 (const krb5_data *out, unsigned long count, * Kerberos already had to solve it's crypto agility issues, so the * algid is just and extra step we need that we will throw away */ algid = PK11_CreatePBEV2AlgorithmID(pbeAlg, cipherAlg, prfAlg, - out->length, count, &saltItem); + out->length, count, &saltItem); if (algid == NULL) { - ret = k5_nss_map_last_error(); - goto loser; + ret = k5_nss_map_last_error(); + goto loser; } pwItem.type = siBuffer; @@ -80,38 +80,36 @@ krb5int_pbkdf2_hmac_sha1 (const krb5_data *out, unsigned long count, symKey = PK11_PBEKeyGen(slot, algid, &pwItem, PR_FALSE, NULL); if (symKey == NULL) { - ret = k5_nss_map_last_error(); - goto loser; + ret = k5_nss_map_last_error(); + goto loser; } - /* at this point we should return symKey as a key, but kerberos is - * still passing bits around instead of key handles */ + + /* At this point we should return symKey as a key, but kerberos is + * still passing bits around instead of key handles. */ PK11_ExtractKeyValue(symKey); /* keydata here is a const * and is valid as long as the key has not been * destroyed. */ keydata = PK11_GetKeyData(symKey); if (keydata == NULL) { - ret = k5_nss_map_last_error(); - goto loser; + ret = k5_nss_map_last_error(); + goto loser; } if (out->length != keydata->len) { - ret = -1; /* XXXXX */ - goto loser; + ret = -1; /* XXXXX */ + goto loser; } memcpy(out->data, keydata->data, keydata->len); ret = 0; loser: - if (symKey) { - PK11_FreeSymKey(symKey); - } - if (algid) { - SECOID_DestroyAlgorithmID(algid, PR_TRUE); - } - if (slot) { - PK11_FreeSlot(slot); - } - + if (symKey) + PK11_FreeSymKey(symKey); + if (algid) + SECOID_DestroyAlgorithmID(algid, PR_TRUE); + if (slot) + PK11_FreeSlot(slot); + return ret; } diff --git a/src/lib/crypto/nss/sha1/shs.c b/src/lib/crypto/nss/sha1/shs.c index 3de9bb5..de515e0 100644 --- a/src/lib/crypto/nss/sha1/shs.c +++ b/src/lib/crypto/nss/sha1/shs.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* lib/crypto/openssl/sha1/shs.c * * Copyright (C) 2009 by the Massachusetts Institute of Technology. @@ -32,40 +33,36 @@ void shsInit(SHS_INFO *shsInfo) { if (k5_nss_init()) { - shsInfo->nss_ctxt = NULL; - return; + shsInfo->nss_ctxt = NULL; + return; } shsInfo->nss_ctxt = PK11_CreateDigestContext(SEC_OID_SHA1); - if (shsInfo->nss_ctxt == NULL) { - return; - } + if (shsInfo->nss_ctxt == NULL) + return; PK11_DigestBegin((PK11Context *)shsInfo->nss_ctxt); } /* Update SHS for a block of data */ void shsUpdate(SHS_INFO *shsInfo, const SHS_BYTE *buffer, unsigned int count) { - if (shsInfo->nss_ctxt == NULL) { - return; - } - PK11_DigestOp((PK11Context *)shsInfo->nss_ctxt, buffer, count); + if (shsInfo->nss_ctxt == NULL) + return; + PK11_DigestOp((PK11Context *)shsInfo->nss_ctxt, buffer, count); } /* Final wrapup - pad to SHS_DATASIZE-byte boundary with the bit pattern - 1 0* (64-bit count of bits processed, MSB-first) */ + * 1 0* (64-bit count of bits processed, MSB-first) */ void shsFinal(SHS_INFO *shsInfo) { - if (shsInfo->nss_ctxt == NULL) { - return; - } - PK11_DigestFinal((PK11Context *)shsInfo->nss_ctxt, shsInfo->digestBuf, - &shsInfo->digestLen, sizeof (shsInfo->digestBuf)); - /* since there is not separate cleanup step, free the context now. + if (shsInfo->nss_ctxt == NULL) + return; + PK11_DigestFinal((PK11Context *)shsInfo->nss_ctxt, shsInfo->digestBuf, + &shsInfo->digestLen, sizeof (shsInfo->digestBuf)); + /* Since there is not separate cleanup step, free the context now. * (otherwise we could have reused the context for another MD5 operation * in the future). */ PK11_DestroyContext((PK11Context *)shsInfo->nss_ctxt, PR_TRUE); shsInfo->nss_ctxt = NULL; } - diff --git a/src/lib/crypto/nss/sha1/shs.h b/src/lib/crypto/nss/sha1/shs.h index 9e03018..7019504 100644 --- a/src/lib/crypto/nss/sha1/shs.h +++ b/src/lib/crypto/nss/sha1/shs.h @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #ifndef _SHS_DEFINED #include "k5-int.h" @@ -6,8 +7,8 @@ /* Some useful types */ -typedef krb5_octet SHS_BYTE; -typedef krb5_ui_4 SHS_LONG; +typedef krb5_octet SHS_BYTE; +typedef krb5_ui_4 SHS_LONG; /* Define the following to use the updated SHS implementation */ #define NEW_SHS /**/ @@ -33,13 +34,13 @@ void shsFinal(SHS_INFO *shsInfo); /* Keyed Message digest functions (hmac_sha.c) */ krb5_error_code hmac_sha(krb5_octet *text, - int text_len, - krb5_octet *key, - int key_len, - krb5_octet *digest); + int text_len, + krb5_octet *key, + int key_len, + krb5_octet *digest); -#define NIST_SHA_CKSUM_LENGTH SHS_DIGESTSIZE -#define HMAC_SHA_CKSUM_LENGTH SHS_DIGESTSIZE +#define NIST_SHA_CKSUM_LENGTH SHS_DIGESTSIZE +#define HMAC_SHA_CKSUM_LENGTH SHS_DIGESTSIZE #endif /* _SHS_DEFINED */ |