svn rev #24248: branches/nss/src/lib/crypto/nss/ des/ enc_provider/ hash_provider/ ...
ghudson@MIT.EDU
ghudson at MIT.EDU
Sat Aug 21 08:43:48 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=24248
Commit By: ghudson
Log Message:
Style pass over the NSS back end.
Changed Files:
U branches/nss/src/lib/crypto/nss/des/des_int.h
U branches/nss/src/lib/crypto/nss/des/des_oldapis.c
U branches/nss/src/lib/crypto/nss/des/string2key.c
U branches/nss/src/lib/crypto/nss/des/weak_key.c
U branches/nss/src/lib/crypto/nss/enc_provider/aes.c
U branches/nss/src/lib/crypto/nss/enc_provider/des.c
U branches/nss/src/lib/crypto/nss/enc_provider/des3.c
U branches/nss/src/lib/crypto/nss/enc_provider/enc_gen.c
U branches/nss/src/lib/crypto/nss/enc_provider/enc_provider.h
U branches/nss/src/lib/crypto/nss/enc_provider/rc4.c
U branches/nss/src/lib/crypto/nss/hash_provider/hash_crc32.c
U branches/nss/src/lib/crypto/nss/hash_provider/hash_gen.c
U branches/nss/src/lib/crypto/nss/hash_provider/hash_gen.h
U branches/nss/src/lib/crypto/nss/hash_provider/hash_md4.c
U branches/nss/src/lib/crypto/nss/hash_provider/hash_md5.c
U branches/nss/src/lib/crypto/nss/hash_provider/hash_provider.h
U branches/nss/src/lib/crypto/nss/hash_provider/hash_sha1.c
U branches/nss/src/lib/crypto/nss/hmac.c
U branches/nss/src/lib/crypto/nss/md5/md5.c
U branches/nss/src/lib/crypto/nss/md5/rsa-md5.h
U branches/nss/src/lib/crypto/nss/nss_gen.h
U branches/nss/src/lib/crypto/nss/pbkdf2.c
U branches/nss/src/lib/crypto/nss/sha1/shs.c
U branches/nss/src/lib/crypto/nss/sha1/shs.h
Modified: branches/nss/src/lib/crypto/nss/des/des_int.h
===================================================================
--- branches/nss/src/lib/crypto/nss/des/des_int.h 2010-08-19 20:23:56 UTC (rev 24247)
+++ branches/nss/src/lib/crypto/nss/des/des_int.h 2010-08-21 12:43:48 UTC (rev 24248)
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/crypto/des/des_int.h
*
@@ -53,7 +54,7 @@
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
-/* only do the whole thing once */
+/* only do the whole thing once */
#ifndef DES_INTERNAL_DEFS
#define DES_INTERNAL_DEFS
@@ -91,7 +92,7 @@
#define DES_UINT32 unsigned long
#endif
-typedef unsigned char des_cblock[8] /* crypto-block size */
+typedef unsigned char des_cblock[8] /* crypto-block size */
KRB5INT_DES_DEPRECATED;
/*
@@ -119,11 +120,11 @@
typedef des_key_schedule mit_des_key_schedule;
/* Triple-DES structures */
-typedef mit_des_cblock mit_des3_cblock[3];
-typedef mit_des_key_schedule mit_des3_key_schedule[3];
+typedef mit_des_cblock mit_des3_cblock[3];
+typedef mit_des_key_schedule mit_des3_key_schedule[3];
-#define MIT_DES_ENCRYPT 1
-#define MIT_DES_DECRYPT 0
+#define MIT_DES_ENCRYPT 1
+#define MIT_DES_DECRYPT 0
typedef struct mit_des_ran_key_seed {
krb5_encrypt_block eblock;
@@ -132,22 +133,22 @@
/* the first byte of the key is already in the keyblock */
-#define MIT_DES_BLOCK_LENGTH (8*sizeof(krb5_octet))
-#define MIT_DES_CBC_CRC_PAD_MINIMUM CRC32_CKSUM_LENGTH
+#define MIT_DES_BLOCK_LENGTH (8*sizeof(krb5_octet))
+#define MIT_DES_CBC_CRC_PAD_MINIMUM CRC32_CKSUM_LENGTH
/* This used to be 8*sizeof(krb5_octet) */
-#define MIT_DES_KEYSIZE 8
+#define MIT_DES_KEYSIZE 8
-#define MIT_DES_CBC_CKSUM_LENGTH (4*sizeof(krb5_octet))
+#define MIT_DES_CBC_CKSUM_LENGTH (4*sizeof(krb5_octet))
/*
* Check if k5-int.h has been included before us. If so, then check to see
* that our view of the DES key size is the same as k5-int.h's.
*/
-#ifdef KRB5_MIT_DES_KEYSIZE
-#if MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE
+#ifdef KRB5_MIT_DES_KEYSIZE
+#if MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE
error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE)
-#endif /* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */
-#endif /* KRB5_MIT_DES_KEYSIZE */
+#endif /* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */
+#endif /* KRB5_MIT_DES_KEYSIZE */
#endif /* KRB5_MIT_DES__ */
/*
* End "mit-des.h"
@@ -163,9 +164,9 @@
/* string2key.c */
extern krb5_error_code mit_des_string_to_key
( const krb5_encrypt_block *,
- krb5_keyblock *, const krb5_data *, const krb5_data *);
+ krb5_keyblock *, const krb5_data *, const krb5_data *);
extern krb5_error_code mit_des_string_to_key_int
- (krb5_keyblock *, const krb5_data *, const krb5_data *);
+ (krb5_keyblock *, const krb5_data *, const krb5_data *);
/* weak_key.c */
extern int mit_des_is_weak_key (mit_des_cblock );
@@ -185,4 +186,4 @@
/* XXX depends on FILE being a #define! */
extern void test_set (FILE *, const char *, int, const char *, int);
#endif
-#endif /*DES_INTERNAL_DEFS*/
+#endif /*DES_INTERNAL_DEFS*/
Modified: branches/nss/src/lib/crypto/nss/des/des_oldapis.c
===================================================================
--- branches/nss/src/lib/crypto/nss/des/des_oldapis.c 2010-08-19 20:23:56 UTC (rev 24247)
+++ branches/nss/src/lib/crypto/nss/des/des_oldapis.c 2010-08-21 12:43:48 UTC (rev 24248)
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/crypto/openssl/des/des_oldapis.c
*
@@ -33,8 +34,8 @@
unsigned long
mit_des_cbc_cksum(const krb5_octet *in, krb5_octet *out,
- unsigned long length, const mit_des_key_schedule schedule,
- const krb5_octet *ivec)
+ unsigned long length, const mit_des_key_schedule schedule,
+ const krb5_octet *ivec)
{
/* Unsupported operation */
return KRB5_CRYPTO_INTERNAL;
Modified: branches/nss/src/lib/crypto/nss/des/string2key.c
===================================================================
--- branches/nss/src/lib/crypto/nss/des/string2key.c 2010-08-19 20:23:56 UTC (rev 24247)
+++ branches/nss/src/lib/crypto/nss/des/string2key.c 2010-08-21 12:43:48 UTC (rev 24248)
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/crypto/openssl/des/string2key.c
*
@@ -29,8 +30,8 @@
#include "nss_gen.h"
krb5_error_code
-mit_des_string_to_key_int (krb5_keyblock *key,
- const krb5_data *pw, const krb5_data *salt)
+mit_des_string_to_key_int(krb5_keyblock *key, const krb5_data *pw,
+ const krb5_data *salt)
{
PK11SlotInfo *slot = NULL;
PK11SymKey *symKey = NULL;
@@ -38,16 +39,17 @@
SECItem paramsItem;
CK_PBE_PARAMS pbe_params;
CK_MECHANISM_TYPE pbeMech = CKM_NETSCAPE_PBE_SHA1_DES_CBC;
- krb5_error_code ret = -1;
+ krb5_error_code ret;
SECItem *keyData;
- ret=k5_nss_init();
- if (ret) return ret;
+ ret = k5_nss_init();
+ if (ret)
+ return ret;
slot = PK11_GetBestSlot(pbeMech, NULL);
if (slot == NULL) {
- ret = k5_nss_map_last_error();
- goto loser;
+ ret = k5_nss_map_last_error();
+ goto loser;
}
pwItem.data = (unsigned char *)pw->data;
@@ -58,28 +60,26 @@
paramsItem.data = (unsigned char *)&pbe_params;
paramsItem.len = sizeof(pbe_params);
- symKey = PK11_RawPBEKeyGen(slot, pbeMech, ¶msItem, &pwItem,
- PR_FALSE, NULL);
+ symKey = PK11_RawPBEKeyGen(slot, pbeMech, ¶msItem, &pwItem,
+ PR_FALSE, NULL);
if (symKey == NULL) {
- ret = k5_nss_map_last_error();
- goto loser;
+ ret = k5_nss_map_last_error();
+ goto loser;
}
PK11_ExtractKeyValue(symKey);
keyData = PK11_GetKeyData(symKey);
if (!keyData) {
- ret = k5_nss_map_last_error();
- goto loser;
+ ret = k5_nss_map_last_error();
+ goto loser;
}
key->length = keyData->len;
memcpy(key->contents, keyData->data, key->length);
ret = 0;
loser:
- if (symKey) {
- PK11_FreeSymKey(symKey);
- }
- if (slot) {
- PK11_FreeSlot(slot);
- }
+ if (symKey)
+ PK11_FreeSymKey(symKey);
+ if (slot)
+ PK11_FreeSlot(slot);
return ret;
}
Modified: branches/nss/src/lib/crypto/nss/des/weak_key.c
===================================================================
--- branches/nss/src/lib/crypto/nss/des/weak_key.c 2010-08-19 20:23:56 UTC (rev 24247)
+++ branches/nss/src/lib/crypto/nss/des/weak_key.c 2010-08-21 12:43:48 UTC (rev 24248)
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/crypto/openssl/des/weak_key.c
*
@@ -76,8 +77,8 @@
const mit_des_cblock *weak_p = weak;
for (i = 0; i < (sizeof(weak)/sizeof(mit_des_cblock)); i++) {
- if (!memcmp(weak_p++,key,sizeof(mit_des_cblock)))
- return 1;
+ if (!memcmp(weak_p++,key,sizeof(mit_des_cblock)))
+ return 1;
}
return 0;
}
Modified: branches/nss/src/lib/crypto/nss/enc_provider/aes.c
===================================================================
--- branches/nss/src/lib/crypto/nss/enc_provider/aes.c 2010-08-19 20:23:56 UTC (rev 24247)
+++ branches/nss/src/lib/crypto/nss/enc_provider/aes.c 2010-08-21 12:43:48 UTC (rev 24248)
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/crypto/nss/enc_provider/aes.c
*
@@ -33,46 +34,42 @@
krb5_error_code
-krb5int_aes_encrypt(krb5_key key,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
{
- int ret;
+ krb5_error_code ret;
+
ret = k5_nss_gen_import(key, CKM_AES_CBC, CKA_ENCRYPT);
- if (ret != 0) {
- return ret;
- }
- return k5_nss_gen_cts_iov(key, CKM_AES_CBC, CKA_ENCRYPT,
- ivec, data, num_data);
+ if (ret != 0)
+ return ret;
+ return k5_nss_gen_cts_iov(key, CKM_AES_CBC, CKA_ENCRYPT,
+ ivec, data, num_data);
}
krb5_error_code
-krb5int_aes_decrypt(krb5_key key,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
{
- int ret;
+ krb5_error_code ret;
+
ret = k5_nss_gen_import(key, CKM_AES_CBC, CKA_DECRYPT);
- if (ret != 0) {
- return ret;
- }
- return k5_nss_gen_cts_iov(key, CKM_AES_CBC, CKA_DECRYPT,
- ivec, data, num_data);
+ if (ret != 0)
+ return ret;
+ return k5_nss_gen_cts_iov(key, CKM_AES_CBC, CKA_DECRYPT,
+ ivec, data, num_data);
}
/*
* perhaps we should store the NSS context in the krb5_data state here?
*/
static krb5_error_code
-aes_init_state (const krb5_keyblock *key, krb5_keyusage usage,
- krb5_data *state)
+aes_init_state(const krb5_keyblock *key, krb5_keyusage usage,
+ krb5_data *state)
{
state->length = 16;
state->data = (void *) malloc(16);
if (state->data == NULL)
- return ENOMEM;
+ return ENOMEM;
memset(state->data, 0, state->length);
return 0;
}
Modified: branches/nss/src/lib/crypto/nss/enc_provider/des.c
===================================================================
--- branches/nss/src/lib/crypto/nss/enc_provider/des.c 2010-08-19 20:23:56 UTC (rev 24247)
+++ branches/nss/src/lib/crypto/nss/enc_provider/des.c 2010-08-21 12:43:48 UTC (rev 24248)
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* lib/crypto/nss/enc_provider/des.c
*
* Copyright (C) 2009 by the Massachusetts Institute of Technology.
@@ -58,18 +59,16 @@
static krb5_error_code
-k5_des_encrypt_iov(krb5_key key,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+k5_des_encrypt_iov(krb5_key key, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
{
- int ret;
- ret = k5_nss_gen_import(key, CKM_DES_CBC, CKA_ENCRYPT);
- if (ret != 0) {
- return ret;
- }
- return k5_nss_gen_block_iov(key, CKM_DES_CBC, CKA_ENCRYPT,
- ivec, data, num_data);
+ krb5_error_code ret;
+
+ ret = k5_nss_gen_import(key, CKM_DES_CBC, CKA_ENCRYPT);
+ if (ret != 0)
+ return ret;
+ return k5_nss_gen_block_iov(key, CKM_DES_CBC, CKA_ENCRYPT,
+ ivec, data, num_data);
}
static krb5_error_code
@@ -78,13 +77,13 @@
krb5_crypto_iov *data,
size_t num_data)
{
- int ret;
- ret = k5_nss_gen_import(key, CKM_DES_CBC, CKA_ENCRYPT);
- if (ret != 0) {
- return ret;
- }
- return k5_nss_gen_block_iov(key, CKM_DES_CBC, CKA_DECRYPT,
- ivec, data, num_data);
+ krb5_error_code ret;
+
+ ret = k5_nss_gen_import(key, CKM_DES_CBC, CKA_ENCRYPT);
+ if (ret != 0)
+ return ret;
+ return k5_nss_gen_block_iov(key, CKM_DES_CBC, CKA_DECRYPT,
+ ivec, data, num_data);
}
const struct krb5_enc_provider krb5int_enc_des = {
Modified: branches/nss/src/lib/crypto/nss/enc_provider/des3.c
===================================================================
--- branches/nss/src/lib/crypto/nss/enc_provider/des3.c 2010-08-19 20:23:56 UTC (rev 24247)
+++ branches/nss/src/lib/crypto/nss/enc_provider/des3.c 2010-08-21 12:43:48 UTC (rev 24248)
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* lib/crypto/nss/enc_provider/des3.c
*
* Copyright (C) 2009 by the Massachusetts Institute of Technology.
@@ -58,33 +59,29 @@
static krb5_error_code
-k5_des3_encrypt_iov(krb5_key key,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+k5_des3_encrypt_iov(krb5_key key, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
{
- int ret;
- ret = k5_nss_gen_import(key, CKM_DES3_CBC, CKA_ENCRYPT);
- if (ret != 0) {
- return ret;
- }
- return k5_nss_gen_block_iov(key, CKM_DES3_CBC, CKA_ENCRYPT,
- ivec, data, num_data);
+ krb5_error_code ret;
+
+ ret = k5_nss_gen_import(key, CKM_DES3_CBC, CKA_ENCRYPT);
+ if (ret != 0)
+ return ret;
+ return k5_nss_gen_block_iov(key, CKM_DES3_CBC, CKA_ENCRYPT,
+ ivec, data, num_data);
}
static krb5_error_code
-k5_des3_decrypt_iov(krb5_key key,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+k5_des3_decrypt_iov(krb5_key key, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
{
- int ret;
+ krb5_error_code ret;
+
ret = k5_nss_gen_import(key, CKM_DES3_CBC, CKA_ENCRYPT);
- if (ret != 0) {
- return ret;
- }
- return k5_nss_gen_block_iov(key, CKM_DES3_CBC, CKA_DECRYPT,
- ivec, data, num_data);
+ if (ret != 0)
+ return ret;
+ return k5_nss_gen_block_iov(key, CKM_DES3_CBC, CKA_DECRYPT,
+ ivec, data, num_data);
}
const struct krb5_enc_provider krb5int_enc_des3 = {
Modified: branches/nss/src/lib/crypto/nss/enc_provider/enc_gen.c
===================================================================
--- branches/nss/src/lib/crypto/nss/enc_provider/enc_gen.c 2010-08-19 20:23:56 UTC (rev 24247)
+++ branches/nss/src/lib/crypto/nss/enc_provider/enc_gen.c 2010-08-21 12:43:48 UTC (rev 24248)
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/crypto/nss/enc_provider/enc_gen.c
*
@@ -26,7 +27,7 @@
*/
/* compile options (should move to configure)... */
-#define USE_OPAQUE_KEYS 1
+#define USE_OPAQUE_KEYS 1
#define DO_FAST_XOR 1
/*#define FAKE_FIPS 1 */
@@ -49,65 +50,61 @@
#define MAX_BLOCK_SIZE 64
-krb5_error_code
-k5_nss_map_error(int nss_error)
-{
- /* currently KRB5 does not define a full set CRYPTO failures.
- * for now just use KRB5_CRYPTO_INTERNAL. We really should return
- * errors for Not logged in, and maybe a few others */
- return KRB5_CRYPTO_INTERNAL;
+krb5_error_code
+k5_nss_map_error(int nss_error)
+{
+ /* Currently KRB5 does not define a full set of CRYPTO failures.
+ * for now just use KRB5_CRYPTO_INTERNAL. We really should return
+ * errors for Not logged in, and maybe a few others. */
+ return KRB5_CRYPTO_INTERNAL;
}
-krb5_error_code
-k5_nss_map_last_error() {
- return k5_nss_map_error(PORT_GetError());
+krb5_error_code
+k5_nss_map_last_error(void)
+{
+ return k5_nss_map_error(PORT_GetError());
}
static NSSInitContext *krb5_nss_init = NULL;
/*
- * krb5 doesn't have a call into the crypto engine to initialize it, so
- * we do it here. This code will try to piggyback on any application
- * initialization done to NSS. Otherwise get get our one library init context.
+ * krb5 doesn't have a call into the crypto engine to initialize it, so we do
+ * it here. This code will try to piggyback on any application initialization
+ * done to NSS. Otherwise get our one library init context.
*/
krb5_error_code
-k5_nss_init()
+k5_nss_init(void)
{
#ifdef LINUX
- /* default to the system NSS */
+ /* Default to the system NSS. */
#define NSS_KRB5_CONFIGDIR "sql:/etc/pki/nssdb"
#define NSS_KRB5_FLAGS 0
#else
- /* other platforms don't have a system NSS defined yet, do a nodb init */
+ /* Other platforms don't have a system NSS defined yet, do a nodb init. */
#define NSS_KRB5_CONFIGDIR NULL
#define NSS_KRB5_FLAGS NSS_INIT_NOMODDB|NSS_INIT_NOCERTDB
#endif
- if (krb5_nss_init) {
- /* we've already initialized NSS */
- return 0;
- }
- if (NSS_IsInitialized()) {
- /* someone else has initialized NSS */
- return 0;
- }
- krb5_nss_init = NSS_InitContext(NSS_KRB5_CONFIGDIR, "", "", "", NULL,
- NSS_INIT_READONLY|NSS_INIT_NOROOTINIT|NSS_KRB5_FLAGS);
- if (!krb5_nss_init) {
- return k5_nss_map_last_error();
- }
- return 0;
+ if (krb5_nss_init) /* We've already initialized NSS. */
+ return 0;
+ if (NSS_IsInitialized()) /* Someone else has initialized NSS. */
+ return 0;
+ krb5_nss_init = NSS_InitContext(NSS_KRB5_CONFIGDIR, "", "", "", NULL,
+ NSS_INIT_READONLY | NSS_INIT_NOROOTINIT |
+ NSS_KRB5_FLAGS);
+ if (!krb5_nss_init)
+ return k5_nss_map_last_error();
+ return 0;
}
-
PK11Context *
k5_nss_create_context(krb5_key krb_key, CK_MECHANISM_TYPE mechanism,
- CK_ATTRIBUTE_TYPE operation, SECItem * param)
+ CK_ATTRIBUTE_TYPE operation, SECItem * param)
{
#ifdef USE_OPAQUE_KEYS
PK11SymKey *key = (PK11SymKey *)krb_key->cache;
- return PK11_CreateContextBySymKey(mechanism, operation, key, param);
-#else
+ return PK11_CreateContextBySymKey(mechanism, operation, key, param);
+#else
PK11Context *ctx = NULL;
PK11SlotInfo *slot;
SECItem key;
@@ -115,45 +112,43 @@
key.data = krb_key->keyblock.contents;
key.len = krb_key->keyblock.length;
slot = PK11_GetBestSlot(mechanism, NULL);
- if (slot == NULL) {
- return NULL;
- }
- ctx = PK11_CreateContextByRawKey(slot,mechanism, PK11_OriginGenerated,
- operation, &key, param, NULL);
+ if (slot == NULL)
+ return NULL;
+ ctx = PK11_CreateContextByRawKey(slot,mechanism, PK11_OriginGenerated,
+ operation, &key, param, NULL);
PK11_FreeSlot(slot);
return ctx;
#endif
}
static void inline
-xor(unsigned char *x, unsigned char *y, int size)
+xor(unsigned char *x, unsigned char *y, int size)
{
int i;
+
#ifdef DO_FAST_XOR
#define ALIGNED(x,type) (!(((size_t)(x))&(sizeof(type)-1)))
- if (ALIGNED(x,unsigned long) && ALIGNED(y, unsigned long)
- && ALIGNED(size, unsigned long)) {
- unsigned long *ux = (unsigned long *)x;
- unsigned long *uy = (unsigned long *)y;
- for (i=0; i < (int)(size/sizeof(unsigned long)); i++) {
- *ux++ ^= *uy++;
- }
- return;
+ if (ALIGNED(x,unsigned long) && ALIGNED(y, unsigned long)
+ && ALIGNED(size, unsigned long)) {
+ unsigned long *ux = (unsigned long *)x;
+ unsigned long *uy = (unsigned long *)y;
+ for (i=0; i < (int)(size/sizeof(unsigned long)); i++) {
+ *ux++ ^= *uy++;
+ }
+ return;
}
#endif
for (i=0; i < size; i++) {
- *x++ ^= *y++;
+ *x++ ^= *y++;
}
}
krb5_error_code
-k5_nss_gen_block_iov(krb5_key krb_key, CK_MECHANISM_TYPE mech,
- CK_ATTRIBUTE_TYPE operation,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+k5_nss_gen_block_iov(krb5_key krb_key, CK_MECHANISM_TYPE mech,
+ CK_ATTRIBUTE_TYPE operation, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
{
- int ret = 0;
+ krb5_error_code ret = 0;
PK11Context *ctx = NULL;
SECStatus rv;
SECItem *param = NULL;
@@ -167,7 +162,6 @@
int lastblock = -1;
int currentblock;
-
IOV_BLOCK_STATE_INIT(&input_pos);
IOV_BLOCK_STATE_INIT(&output_pos);
@@ -175,97 +169,88 @@
assert(blocksize <= sizeof(storage));
if (ivec && ivec->data) {
- iv.data = (unsigned char *)ivec->data;
- iv.len = ivec->length;
- if (operation == CKA_DECRYPT) {
- int i, inputlength;
+ iv.data = (unsigned char *)ivec->data;
+ iv.len = ivec->length;
+ if (operation == CKA_DECRYPT) {
+ int i, inputlength;
- /* count the blocks so we know which block is last */
- for (i=0, inputlength=0; i < (int)num_data; i++) {
- krb5_crypto_iov *iov=&data[i];
+ /* Count the blocks so we know which block is last. */
+ for (i = 0, inputlength = 0; i < (int)num_data; i++) {
+ krb5_crypto_iov *iov = &data[i];
- if (ENCRYPT_IOV(iov)) {
- inputlength += iov->data.length;
- }
- }
- lastblock = (inputlength/blocksize) -1;
- }
+ if (ENCRYPT_IOV(iov))
+ inputlength += iov->data.length;
+ }
+ lastblock = (inputlength/blocksize) -1;
+ }
} else {
- memset(iv0, 0, sizeof(iv0));
- iv.data = iv0;
- iv.len = blocksize;
+ memset(iv0, 0, sizeof(iv0));
+ iv.data = iv0;
+ iv.len = blocksize;
}
param = PK11_ParamFromIV(mech, &iv);
ctx = k5_nss_create_context(krb_key, mech, operation, param);
if (ctx == NULL) {
- ret = k5_nss_map_last_error();
- goto done;
+ ret = k5_nss_map_last_error();
+ goto done;
}
for (currentblock = 0;;currentblock++) {
- ptr = iov_next_block(storage, blocksize, data, num_data,
- &input_pos);
+ ptr = iov_next_block(storage, blocksize, data, num_data, &input_pos);
if (ptr == NULL)
break;
- lastptr = NULL;
+ lastptr = NULL;
- /* only set if we are decrypting */
- if (lastblock == currentblock) {
- memcpy(ivec->data, ptr, blocksize);
- }
+ /* only set if we are decrypting */
+ if (lastblock == currentblock)
+ memcpy(ivec->data, ptr, blocksize);
- rv = PK11_CipherOp(ctx, ptr, &length, blocksize, ptr, blocksize);
- if (rv != SECSuccess) {
- ret = k5_nss_map_last_error();
- break;
- }
+ rv = PK11_CipherOp(ctx, ptr, &length, blocksize, ptr, blocksize);
+ if (rv != SECSuccess) {
+ ret = k5_nss_map_last_error();
+ break;
+ }
- lastptr = ptr;
+ lastptr = ptr;
iov_store_block(data, num_data, ptr, storage, blocksize,
&output_pos);
}
-
+
if (lastptr && ivec && ivec->data && operation == CKA_ENCRYPT) {
- memcpy(ivec->data, lastptr, blocksize);
+ memcpy(ivec->data, lastptr, blocksize);
}
done:
- if (ctx) {
+ if (ctx)
PK11_Finalize(ctx);
- }
-
- if (param) {
- SECITEM_FreeItem(param, PR_TRUE);
- }
+ if (param)
+ SECITEM_FreeItem(param, PR_TRUE);
return ret;
}
krb5_error_code
k5_nss_stream_init_state(krb5_data *new_state)
{
- new_state->data = NULL;
- new_state->length = 0;
- return 0;
+ new_state->data = NULL;
+ new_state->length = 0;
+ return 0;
}
krb5_error_code
k5_nss_stream_free_state(krb5_data *state)
{
- if (state->length == (unsigned)-1 && state->data) {
- PK11_Finalize((PK11Context *)state->data);
- }
- return 0;
+ if (state->length == (unsigned)-1 && state->data)
+ PK11_Finalize((PK11Context *)state->data);
+ return 0;
}
krb5_error_code
k5_nss_gen_stream_iov(krb5_key krb_key, krb5_data *state,
- CK_MECHANISM_TYPE mech,
- CK_ATTRIBUTE_TYPE operation,
- krb5_crypto_iov *data,
- size_t num_data)
+ CK_MECHANISM_TYPE mech, CK_ATTRIBUTE_TYPE operation,
+ krb5_crypto_iov *data, size_t num_data)
{
- int ret = 0;
+ int ret = 0;
PK11Context *ctx = NULL;
SECStatus rv;
SECItem param;
@@ -276,51 +261,50 @@
param.len = 0;
if (state && state->data) {
- ctx = (PK11Context *)state->data;
+ ctx = (PK11Context *)state->data;
} else {
ctx = k5_nss_create_context(krb_key, mech, operation, ¶m);
- if (state && ctx) {
- state->data = (char *)ctx;
- state->length = -1; /* you don't get to copy this, */
- /* blow up if you try */
- }
+ if (state && ctx) {
+ state->data = (char *)ctx;
+ state->length = -1; /* you don't get to copy this, */
+ /* blow up if you try */
+ }
}
if (ctx == NULL) {
- ret = k5_nss_map_last_error();
- goto done;
+ ret = k5_nss_map_last_error();
+ goto done;
}
for (i=0; i < (int)num_data; i++) {
- int return_length;
- iov = &data[i];
- if (iov->data.length <= 0) break;
+ int return_length;
+ iov = &data[i];
+ if (iov->data.length <= 0)
+ break;
- if (ENCRYPT_IOV(iov)) {
- rv = PK11_CipherOp(ctx, (unsigned char *)iov->data.data,
- &return_length, iov->data.length,
- (unsigned char *)iov->data.data, iov->data.length);
- if (rv != SECSuccess) {
- ret = k5_nss_map_last_error();
- goto done;
- }
- iov->data.length = return_length;
- }
+ if (ENCRYPT_IOV(iov)) {
+ rv = PK11_CipherOp(ctx, (unsigned char *)iov->data.data,
+ &return_length, iov->data.length,
+ (unsigned char *)iov->data.data,
+ iov->data.length);
+ if (rv != SECSuccess) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+ iov->data.length = return_length;
+ }
}
done:
- if (!state && ctx) {
+ if (!state && ctx)
PK11_Finalize(ctx);
- }
return ret;
}
krb5_error_code
-k5_nss_gen_cts_iov(krb5_key krb_key, CK_MECHANISM_TYPE mech,
- CK_ATTRIBUTE_TYPE operation,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
+k5_nss_gen_cts_iov(krb5_key krb_key, CK_MECHANISM_TYPE mech,
+ CK_ATTRIBUTE_TYPE operation, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data)
{
- int ret = 0;
+ krb5_error_code ret = 0;
PK11Context *ctx = NULL;
SECStatus rv;
SECItem *param = NULL;
@@ -346,167 +330,163 @@
assert(blocksize <= sizeof(storage));
if (ivec) {
- iv.data = (unsigned char *)ivec->data;
- iv.len = ivec->length;
+ iv.data = (unsigned char *)ivec->data;
+ iv.len = ivec->length;
} else {
- memset(iv0, 0, sizeof(iv0));
- iv.data = iv0;
- iv.len = blocksize;
+ memset(iv0, 0, sizeof(iv0));
+ iv.data = iv0;
+ iv.len = blocksize;
}
param = PK11_ParamFromIV(mech, &iv);
- for (i=0, input_length=0; i < (int)num_data; i++) {
- krb5_crypto_iov *iov=&data[i];
+ for (i = 0, input_length = 0; i < (int)num_data; i++) {
+ krb5_crypto_iov *iov = &data[i];
- if (ENCRYPT_IOV(iov)) {
- input_length += iov->data.length;
- }
+ if (ENCRYPT_IOV(iov))
+ input_length += iov->data.length;
}
- /* must be at least a block or we fail */
+ /* Must be at least a block or we fail. */
if (input_length < blocksize) {
- ret = -1;
- goto done;
+ ret = EINVAL;
+ goto done;
}
bulk_length = (input_length / blocksize)*blocksize;
remainder = input_length - bulk_length;
- /* do the block swap even if the input data is aligned, only
- * drop it if we are encrypting exactly one block */
+ /* Do the block swap even if the input data is aligned, only
+ * drop it if we are encrypting exactly one block. */
if (remainder == 0 && bulk_length != blocksize) {
- remainder = blocksize;
- bulk_length -= blocksize;
+ remainder = blocksize;
+ bulk_length -= blocksize;
}
ctx = k5_nss_create_context(krb_key, mech, operation, param);
if (ctx == NULL) {
- ret = k5_nss_map_last_error();
- goto done;
+ ret = k5_nss_map_last_error();
+ goto done;
}
- /* now we bulk encrypt each block in the loop. We need to know where
- * to stop to do special processing. For single block operations
- * we stop at the end. For all others we stop and the last second to last
- * block (counting partial blocks). For decrypt operations we need to save
- * cn-2 so we stop at the third to last block if it exists, Otherwise
- * cn-2 = the iv */
+ /* Now we bulk encrypt each block in the loop. We need to know where to
+ * stop to do special processing. For single block operations we stop at
+ * the end. For all others we stop and the last second to last block
+ * (counting partial blocks). For decrypt operations we need to save cn-2
+ * so we stop at the third to last block if it exists, otherwise cn-2 = the
+ * iv. */
lastblock = bulk_length;
if (remainder) {
- /* we need to process the last full block and last partitial block
- * differently */
- lastblock = bulk_length - blocksize;
- if (operation == CKA_DECRYPT) {
- if (bulk_length > blocksize) {
- /* stop at cn-2 so we can save it before going on */
- lastblock = bulk_length - 2*blocksize;
- } else {
- /* iv is cn-2, save it now, cn - 2 */
- memcpy(recover1, iv.data, blocksize);
- memcpy(recover2, iv.data, blocksize);
- }
- }
- }
+ /* We need to process the last full block and last partitial block
+ * differently. */
+ lastblock = bulk_length - blocksize;
+ if (operation == CKA_DECRYPT) {
+ if (bulk_length > blocksize) {
+ /* Stop at cn-2 so we can save it before going on. */
+ lastblock = bulk_length - 2*blocksize;
+ } else {
+ /* iv is cn-2, save it now, cn - 2. */
+ memcpy(recover1, iv.data, blocksize);
+ memcpy(recover2, iv.data, blocksize);
+ }
+ }
+ }
for (length = 0; length < lastblock; length += blocksize) {
ptr = iov_next_block(storage, blocksize, data, num_data,
&input_pos);
if (ptr == NULL)
break;
- rv = PK11_CipherOp(ctx, ptr, &len, blocksize, ptr, blocksize);
- if (rv != SECSuccess) {
- ret = k5_nss_map_last_error();
- break;
- }
+ rv = PK11_CipherOp(ctx, ptr, &len, blocksize, ptr, blocksize);
+ if (rv != SECSuccess) {
+ ret = k5_nss_map_last_error();
+ break;
+ }
iov_store_block(data, num_data, ptr, storage, blocksize,
&output_pos);
}
if (remainder) {
- if (operation == CKA_DECRYPT) {
- if (bulk_length > blocksize) {
- /* we need to save cn-2 */
- ptr = iov_next_block(storage, blocksize, data, num_data,
- &input_pos);
- if (ptr == NULL)
- goto done; /* shouldn't happen */
+ if (operation == CKA_DECRYPT) {
+ if (bulk_length > blocksize) {
+ /* we need to save cn-2 */
+ ptr = iov_next_block(storage, blocksize, data, num_data,
+ &input_pos);
+ if (ptr == NULL)
+ goto done; /* shouldn't happen */
- /* save cn-2 */
- memcpy(recover1, ptr, blocksize);
- memcpy(recover2, ptr, blocksize);
+ /* save cn-2 */
+ memcpy(recover1, ptr, blocksize);
+ memcpy(recover2, ptr, blocksize);
- /* now process it as normal */
- rv = PK11_CipherOp(ctx, ptr, &len, blocksize, ptr, blocksize);
- if (rv != SECSuccess) {
- ret = k5_nss_map_last_error();
- goto done;
- }
+ /* now process it as normal */
+ rv = PK11_CipherOp(ctx, ptr, &len, blocksize, ptr, blocksize);
+ if (rv != SECSuccess) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
- iov_store_block(data, num_data, ptr, storage, blocksize,
- &output_pos);
- }
- }
- /* fetch the last 2 blocks */
- memset(block1, 0, blocksize); /* last block, could be partial */
- krb5int_c_iov_get_block(block2, blocksize, data, num_data, &input_pos);
- krb5int_c_iov_get_block(block1, remainder, data, num_data, &input_pos);
- if (operation == CKA_DECRYPT) {
- /* recover1 and recover2 are xor values to recover the true
- * underlying data of the last 2 decrypts. This keeps us from having
- * to try to reset our IV to do the final decryption. */
- /* currently: block1 is cn || 0, block2 is cn-1.
- * recover1 & recover2 is set to cn-2 */
- /* recover2 recovers pn || c' from p'n-1. The raw decrypted block
- * will be p'n-1 xor with cn-2 while pn || c' = p'n-1 xor cn || 0.
- * recover2 is cn-2 xor cn || 0, so we can simple xor recover1
- * with the raw decrypted block */
- /* recover1 recovers pn-1 from the raw decryption of cn || c'.
- * the raw decrypt of cn || c' = p'n xor cn-1 while
- * pn-1 = p'n xor cn-2
- * recover1 is cn-2 xor cn-1, so we can simple xor recover 2 with
- * the raw decrypt of cn||c' to get pn-1 */
- xor(recover1, block2, blocksize);
- xor(recover2, block1, blocksize);
- if (ivec && ivec->data) {
- memcpy(ivec->data, block2, blocksize);
- }
- }
- rv = PK11_CipherOp(ctx, block2, &len, blocksize, block2, blocksize);
- if (rv != SECSuccess) {
- ret = k5_nss_map_last_error();
- goto done;
- }
- if (operation == CKA_DECRYPT) {
- /* block2 now has p'n-1 xor cn-2 */
- xor(block2, recover2, blocksize);
- /* block 2 now has pn || c' */
- /* copy c' into cn || c' */
- memcpy(block1+remainder, block2+remainder, blocksize-remainder);
- }
- rv = PK11_CipherOp(ctx, block1, &len, blocksize, block1, blocksize);
- if (rv != SECSuccess) {
- ret = k5_nss_map_last_error();
- goto done;
- }
- if (operation == CKA_DECRYPT) {
- /* block1 now has p'n xor cn-1 */
- xor(block1, recover1, blocksize);
- /* block 1 now has pn-1 */
- } else {
- if (ivec && ivec->data) {
- memcpy(ivec->data, block1, blocksize);
- }
- }
- krb5int_c_iov_put_block(data,num_data, block1, blocksize, &output_pos);
- krb5int_c_iov_put_block(data,num_data, block2, remainder, &output_pos);
+ iov_store_block(data, num_data, ptr, storage, blocksize,
+ &output_pos);
+ }
+ }
+ /* fetch the last 2 blocks */
+ memset(block1, 0, blocksize); /* last block, could be partial */
+ krb5int_c_iov_get_block(block2, blocksize, data, num_data, &input_pos);
+ krb5int_c_iov_get_block(block1, remainder, data, num_data, &input_pos);
+ if (operation == CKA_DECRYPT) {
+ /* recover1 and recover2 are xor values to recover the true
+ * underlying data of the last 2 decrypts. This keeps us from
+ * having to try to reset our IV to do the final decryption. */
+ /* Currently: block1 is cn || 0, block2 is cn-1.
+ * recover1 & recover2 is set to cn-2. */
+ /* recover2 recovers pn || c' from p'n-1. The raw decrypted block
+ * will be p'n-1 xor with cn-2 while pn || c' = p'n-1 xor cn || 0.
+ * recover2 is cn-2 xor cn || 0, so we can simple xor recover1
+ * with the raw decrypted block. */
+ /* recover1 recovers pn-1 from the raw decryption of cn || c'.
+ * the raw decrypt of cn || c' = p'n xor cn-1 while
+ * pn-1 = p'n xor cn-2
+ * recover1 is cn-2 xor cn-1, so we can simple xor recover 2 with
+ * the raw decrypt of cn||c' to get pn-1. */
+ xor(recover1, block2, blocksize);
+ xor(recover2, block1, blocksize);
+ if (ivec && ivec->data)
+ memcpy(ivec->data, block2, blocksize);
+ }
+ rv = PK11_CipherOp(ctx, block2, &len, blocksize, block2, blocksize);
+ if (rv != SECSuccess) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+ if (operation == CKA_DECRYPT) {
+ /* block2 now has p'n-1 xor cn-2. */
+ xor(block2, recover2, blocksize);
+ /* block 2 now has pn || c'. */
+ /* copy c' into cn || c'. */
+ memcpy(block1 + remainder, block2 + remainder,
+ blocksize - remainder);
+ }
+ rv = PK11_CipherOp(ctx, block1, &len, blocksize, block1, blocksize);
+ if (rv != SECSuccess) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+ if (operation == CKA_DECRYPT) {
+ /* block1 now has p'n xor cn-1 */
+ xor(block1, recover1, blocksize);
+ /* block 1 now has pn-1 */
+ } else {
+ if (ivec && ivec->data) {
+ memcpy(ivec->data, block1, blocksize);
+ }
+ }
+ krb5int_c_iov_put_block(data,num_data, block1, blocksize, &output_pos);
+ krb5int_c_iov_put_block(data,num_data, block2, remainder, &output_pos);
}
done:
- if (ctx) {
+ if (ctx)
PK11_Finalize(ctx);
- }
-
- if (param) {
- SECITEM_FreeItem(param, PR_TRUE);
- }
+ if (param)
+ SECITEM_FreeItem(param, PR_TRUE);
return ret;
}
@@ -517,17 +497,17 @@
PK11SymKey *key = (PK11SymKey *)krb_key->cache;
if (key) {
- PK11_FreeSymKey(key);
+ PK11_FreeSymKey(key);
krb_key->cache = NULL;
- }
+ }
#endif
}
krb5_error_code
-k5_nss_gen_import(krb5_key krb_key, CK_MECHANISM_TYPE mech,
- CK_ATTRIBUTE_TYPE operation)
+k5_nss_gen_import(krb5_key krb_key, CK_MECHANISM_TYPE mech,
+ CK_ATTRIBUTE_TYPE operation)
{
- int ret = 0;
+ krb5_error_code ret = 0;
#ifdef USE_OPAQUE_KEYS
PK11SymKey *key = (PK11SymKey *)krb_key->cache;
PK11SlotInfo *slot = NULL;
@@ -545,48 +525,51 @@
SECStatus rv;
#endif
- if (key) { return 0; }
+ if (key)
+ return 0;
ret = k5_nss_init();
- if (ret) return ret;
+ if (ret)
+ return ret;
slot = PK11_GetBestSlot(mech, NULL);
if (slot == NULL) {
- ret = k5_nss_map_last_error();
- goto done;
+ ret = k5_nss_map_last_error();
+ goto done;
}
raw_key.data = krb_key->keyblock.contents;
raw_key.len = krb_key->keyblock.length;
#ifdef FAKE_FIPS
- /* first, fetch a wrapping key */
+ /* First, fetch a wrapping key. */
wrapping_index = PK11_GetCurrentWrapIndex(slot);
series = PK11_GetSlotSeries(slot);
- wrapping_key =PK11_GetWrapKey(slot, wrapping_index,
- CKM_INVALID_MECHANISM, series, NULL);
+ wrapping_key = PK11_GetWrapKey(slot, wrapping_index,
+ CKM_INVALID_MECHANISM, series, NULL);
if (wrapping_key == NULL) {
- /* one doesn't exist, create one */
- mechanism = PK11_GetBestWrapMechanism(slot);
- keyLength = PK11_GetBestKeyLength(slot, mechanism);
- wrapping_key = PK11_TokenKeyGenWithFlags(slot, mechanism, NULL,
- keyLength, NULL, CKF_UNWRAP|CKF_ENCRYPT, 0,
- NULL);
- if (!wrapping_key) {
- ret = k5_nss_map_last_error();
- goto done;
- }
- PK11_SetWrapKey(slot, wrapping_index, wrapping_key);
+ /* One doesn't exist, create one. */
+ mechanism = PK11_GetBestWrapMechanism(slot);
+ keyLength = PK11_GetBestKeyLength(slot, mechanism);
+ wrapping_key = PK11_TokenKeyGenWithFlags(slot, mechanism, NULL,
+ keyLength, NULL,
+ CKF_UNWRAP | CKF_ENCRYPT, 0,
+ NULL);
+ if (!wrapping_key) {
+ ret = k5_nss_map_last_error();
+ goto done;
+ }
+ PK11_SetWrapKey(slot, wrapping_index, wrapping_key);
}
- /* now encrypt the data with the wrapping key */
+ /* Now encrypt the data with the wrapping key. */
mechanism = PK11_GetMechanism(wrapping_key);
params.data = NULL;
params.len = 0;
- ctx = PK11_CreateContextBySymKey(mechanism, CKA_ENCRYPT,
- wrapping_key, ¶ms);
+ ctx = PK11_CreateContextBySymKey(mechanism, CKA_ENCRYPT,
+ wrapping_key, ¶ms);
if (ctx == NULL) {
- ret = k5_nss_map_last_error();
- goto done;
+ ret = k5_nss_map_last_error();
+ goto done;
}
wrapped_key.data = wrapped_key_data;
@@ -600,55 +583,52 @@
* will use the length parameter to appropriately set the key.
*/
if ((raw_key.len % blocksize) != 0) {
- int keyblocks = (raw_key.len +(blocksize-1))/blocksize;
- keyLength = keyblocks * blocksize;
- assert(keyLength <= sizeof(padded_key_data));
- memset(padded_key_data, 0, keyLength);
- memcpy(padded_key_data,raw_key.data, raw_key.len);
- raw_key.data = padded_key_data;
+ int keyblocks = (raw_key.len + (blocksize - 1)) / blocksize;
+ keyLength = keyblocks * blocksize;
+ assert(keyLength <= sizeof(padded_key_data));
+ memset(padded_key_data, 0, keyLength);
+ memcpy(padded_key_data, raw_key.data, raw_key.len);
+ raw_key.data = padded_key_data;
}
- rv = PK11_CipherOp(ctx, wrapped_key.data, (int *)&wrapped_key.len,
- sizeof(wrapped_key_data), raw_key.data, keyLength);
+ rv = PK11_CipherOp(ctx, wrapped_key.data, (int *)&wrapped_key.len,
+ sizeof(wrapped_key_data), raw_key.data, keyLength);
if (keyLength != raw_key.len) {
- /* clear our copy of the key bits */
- memset(padded_key_data, 0, keyLength);
+ /* Clear our copy of the key bits. */
+ memset(padded_key_data, 0, keyLength);
}
if (rv != SECSuccess) {
- ret = k5_nss_map_last_error();
- goto done;
+ ret = k5_nss_map_last_error();
+ goto done;
}
PK11_Finalize(ctx);
ctx = NULL;
- /* now now we have a 'wrapped' version of the, we can import it into
+ /* Now now we have a 'wrapped' version of the, we can import it into
* the token without running afoul with FIPS. */
- key = PK11_UnwrapSymKey(wrapping_key, mechanism, ¶ms, &wrapped_key,
- mech, operation, raw_key.len);
+ key = PK11_UnwrapSymKey(wrapping_key, mechanism, ¶ms, &wrapped_key,
+ mech, operation, raw_key.len);
#else
- key = PK11_ImportSymKey(slot, mech, PK11_OriginGenerated, operation,
- &raw_key, NULL);
+ key = PK11_ImportSymKey(slot, mech, PK11_OriginGenerated, operation,
+ &raw_key, NULL);
#endif
if (key == NULL) {
- ret = k5_nss_map_last_error();
- goto done;
+ ret = k5_nss_map_last_error();
+ goto done;
}
krb_key->cache = (void *) key;
done:
- if (slot) {
- PK11_FreeSlot(slot);
- }
+ if (slot)
+ PK11_FreeSlot(slot);
#ifdef FAKE_FIPS
- if (ctx) {
- PK11_Finalize(ctx);
- }
- if (wrapping_key) {
- PK11_FreeSymKey(wrapping_key);
- }
+ if (ctx)
+ PK11_Finalize(ctx);
+ if (wrapping_key)
+ PK11_FreeSymKey(wrapping_key);
#endif
#else
ret = k5_nss_init();
-#endif
+#endif
return ret;
}
Modified: branches/nss/src/lib/crypto/nss/enc_provider/enc_provider.h
===================================================================
--- branches/nss/src/lib/crypto/nss/enc_provider/enc_provider.h 2010-08-19 20:23:56 UTC (rev 24247)
+++ branches/nss/src/lib/crypto/nss/enc_provider/enc_provider.h 2010-08-21 12:43:48 UTC (rev 24248)
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (C) 1998 by the FundsXpress, INC.
*
Modified: branches/nss/src/lib/crypto/nss/enc_provider/rc4.c
===================================================================
--- branches/nss/src/lib/crypto/nss/enc_provider/rc4.c 2010-08-19 20:23:56 UTC (rev 24247)
+++ branches/nss/src/lib/crypto/nss/enc_provider/rc4.c 2010-08-21 12:43:48 UTC (rev 24248)
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* lib/crypto/nss/enc_provider/rc4.c
*
* #include STD_DISCLAIMER
@@ -45,54 +46,49 @@
/* In-place IOV crypto */
static krb5_error_code
-k5_arcfour_encrypt_iov(krb5_key key,
- const krb5_data *state,
- krb5_crypto_iov *data,
- size_t num_data)
+k5_arcfour_encrypt_iov(krb5_key key, const krb5_data *state,
+ krb5_crypto_iov *data, size_t num_data)
{
- int ret;
+ krb5_error_code ret;
+
ret = k5_nss_gen_import(key, CKM_RC4, CKA_ENCRYPT);
- if (ret != 0) {
- return ret;
- }
- return k5_nss_gen_stream_iov(key, state, CKM_RC4, CKA_ENCRYPT,
- data, num_data);
+ if (ret != 0)
+ return ret;
+ return k5_nss_gen_stream_iov(key, state, CKM_RC4, CKA_ENCRYPT,
+ data, num_data);
}
/* In-place IOV crypto */
static krb5_error_code
-k5_arcfour_decrypt_iov(krb5_key key,
- const krb5_data *state,
- krb5_crypto_iov *data,
- size_t num_data)
+k5_arcfour_decrypt_iov(krb5_key key, const krb5_data *state,
+ krb5_crypto_iov *data, size_t num_data)
{
- int ret;
+ krb5_error_code ret;
+
ret = k5_nss_gen_import(key, CKM_RC4, CKA_DECRYPT);
- if (ret != 0) {
- return ret;
- }
- return k5_nss_gen_stream_iov(key, state, CKM_RC4, CKA_DECRYPT,
- data, num_data);
+ if (ret != 0)
+ return ret;
+ return k5_nss_gen_stream_iov(key, state, CKM_RC4, CKA_DECRYPT,
+ data, num_data);
}
static krb5_error_code
-k5_arcfour_free_state ( krb5_data *state)
+k5_arcfour_free_state(krb5_data *state)
{
- return k5_nss_stream_free_state(state);
+ return k5_nss_stream_free_state(state);
}
static krb5_error_code
-k5_arcfour_init_state (const krb5_keyblock *key,
- krb5_keyusage keyusage, krb5_data *new_state)
+k5_arcfour_init_state(const krb5_keyblock *key,
+ krb5_keyusage keyusage, krb5_data *new_state)
{
- /* key can't quite be used here. see comment in k5_arcfour_init_state */
- return k5_nss_stream_init_state(new_state);
-
+ /* key can't quite be used here. See comment in k5_arcfour_init_state. */
+ return k5_nss_stream_init_state(new_state);
}
const struct krb5_enc_provider krb5int_enc_arcfour = {
/* This seems to work... although I am not sure what the
- implications are in other places in the kerberos library */
+ implications are in other places in the kerberos library. */
RC4_BLOCK_SIZE,
/* Keysize is arbitrary in arcfour, but the constraints of the
system, and to attempt to work with the MSFT system forces us
@@ -103,7 +99,7 @@
k5_arcfour_decrypt_iov,
NULL,
krb5int_arcfour_make_key,
- k5_arcfour_init_state,
+ k5_arcfour_init_state,
k5_arcfour_free_state,
k5_nss_gen_cleanup
};
Modified: branches/nss/src/lib/crypto/nss/hash_provider/hash_crc32.c
===================================================================
--- branches/nss/src/lib/crypto/nss/hash_provider/hash_crc32.c 2010-08-19 20:23:56 UTC (rev 24247)
+++ branches/nss/src/lib/crypto/nss/hash_provider/hash_crc32.c 2010-08-21 12:43:48 UTC (rev 24248)
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (C) 1998 by the FundsXpress, INC.
*
@@ -36,18 +37,18 @@
unsigned int i;
if (output->length != CRC32_CKSUM_LENGTH)
- return(KRB5_CRYPTO_INTERNAL);
+ return KRB5_CRYPTO_INTERNAL;
c = 0;
for (i=0; i < num_data; i++) {
- const krb5_crypto_iov *iov=&data[i];
+ const krb5_crypto_iov *iov = &data[i];
- if (SIGN_IOV(iov))
- mit_crc32(iov->data.data, iov->data.length, &c);
+ if (SIGN_IOV(iov))
+ mit_crc32(iov->data.data, iov->data.length, &c);
}
store_32_le(c, output->data);
- return(0);
+ return 0;
}
const struct krb5_hash_provider krb5int_hash_crc32 = {
Modified: branches/nss/src/lib/crypto/nss/hash_provider/hash_gen.c
===================================================================
--- branches/nss/src/lib/crypto/nss/hash_provider/hash_gen.c 2010-08-19 20:23:56 UTC (rev 24247)
+++ branches/nss/src/lib/crypto/nss/hash_provider/hash_gen.c 2010-08-21 12:43:48 UTC (rev 24248)
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (C) 2010 Red Hat, Inc.
*
@@ -31,34 +32,36 @@
krb5_error_code
k5_nss_gen_hash(HASH_HashType hashType, const krb5_crypto_iov *data,
- size_t num_data, krb5_data *output)
+ size_t num_data, krb5_data *output)
{
unsigned int i;
HASHContext *ctx;
krb5_error_code ret;
ret = k5_nss_init();
- if (ret) return ret;
+ if (ret)
+ return ret;
if (output->length != HASH_ResultLen(hashType))
- return(KRB5_CRYPTO_INTERNAL);
+ return KRB5_CRYPTO_INTERNAL;
ctx = HASH_Create(hashType);
- if (!ctx)
- return(ENOMEM);
+ if (!ctx)
+ return ENOMEM;
HASH_Begin(ctx);
for (i=0; i < num_data; i++) {
- const krb5_crypto_iov *iov = &data[i];
+ const krb5_crypto_iov *iov = &data[i];
- if (iov->data.length && SIGN_IOV(iov))
- HASH_Update(ctx, (unsigned char *) iov->data.data,
- iov->data.length);
+ if (iov->data.length && SIGN_IOV(iov)) {
+ HASH_Update(ctx, (unsigned char *) iov->data.data,
+ iov->data.length);
+ }
}
- HASH_End(ctx, (unsigned char *)output->data,
- &output->length, output->length);
+ HASH_End(ctx, (unsigned char *)output->data,
+ &output->length, output->length);
- return(0);
+ return 0;
}
Modified: branches/nss/src/lib/crypto/nss/hash_provider/hash_gen.h
===================================================================
--- branches/nss/src/lib/crypto/nss/hash_provider/hash_gen.h 2010-08-19 20:23:56 UTC (rev 24247)
+++ branches/nss/src/lib/crypto/nss/hash_provider/hash_gen.h 2010-08-21 12:43:48 UTC (rev 24248)
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (C) 2010 Red Hat, Inc.
*
@@ -27,7 +28,5 @@
#include "sechash.h"
#include "k5-int.h"
-krb5_error_code k5_nss_gen_hash(HASH_HashType hashType, unsigned int icount,
- const krb5_data *input,
- krb5_data *output);
-
+krb5_error_code k5_nss_gen_hash(HASH_HashType hashType, unsigned int icount,
+ const krb5_data *input, krb5_data *output);
Modified: branches/nss/src/lib/crypto/nss/hash_provider/hash_md4.c
===================================================================
--- branches/nss/src/lib/crypto/nss/hash_provider/hash_md4.c 2010-08-19 20:23:56 UTC (rev 24247)
+++ branches/nss/src/lib/crypto/nss/hash_provider/hash_md4.c 2010-08-21 12:43:48 UTC (rev 24248)
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (C) 2010 Red Hat, Inc.
*
@@ -32,21 +33,20 @@
static krb5_error_code
k5_md4_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
{
- krb5_MD4_CTX ctx;
- unsigned long i;
+ krb5_MD4_CTX ctx;
+ unsigned long i;
- if (output->length != RSA_MD4_CKSUM_LENGTH) {
- return KRB5_CRYPTO_INTERNAL;
- }
+ if (output->length != RSA_MD4_CKSUM_LENGTH)
+ return KRB5_CRYPTO_INTERNAL;
- krb5int_MD4Init(&ctx);
- for (i=0; i < num_data; i++) {
- const krb5_crypto_iov *iov = &data[i];
+ krb5int_MD4Init(&ctx);
+ for (i=0; i < num_data; i++) {
+ const krb5_crypto_iov *iov = &data[i];
- if (SIGN_IOV(iov)) {
- krb5int_MD4Update(&ctx, (unsigned char *)iov->data.data,
- iov->data.length);
- }
+ if (SIGN_IOV(iov)) {
+ krb5int_MD4Update(&ctx, (unsigned char *)iov->data.data,
+ iov->data.length);
+ }
}
krb5int_MD4Final(&ctx);
Modified: branches/nss/src/lib/crypto/nss/hash_provider/hash_md5.c
===================================================================
--- branches/nss/src/lib/crypto/nss/hash_provider/hash_md5.c 2010-08-19 20:23:56 UTC (rev 24247)
+++ branches/nss/src/lib/crypto/nss/hash_provider/hash_md5.c 2010-08-21 12:43:48 UTC (rev 24248)
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (C) 2010 Red Hat, Inc.
*
@@ -31,7 +32,6 @@
static krb5_error_code
k5_md5_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
{
-
return k5_nss_gen_hash(HASH_AlgMD5, data, num_data, output);
}
Modified: branches/nss/src/lib/crypto/nss/hash_provider/hash_provider.h
===================================================================
--- branches/nss/src/lib/crypto/nss/hash_provider/hash_provider.h 2010-08-19 20:23:56 UTC (rev 24247)
+++ branches/nss/src/lib/crypto/nss/hash_provider/hash_provider.h 2010-08-21 12:43:48 UTC (rev 24248)
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (C) 1998 by the FundsXpress, INC.
*
Modified: branches/nss/src/lib/crypto/nss/hash_provider/hash_sha1.c
===================================================================
--- branches/nss/src/lib/crypto/nss/hash_provider/hash_sha1.c 2010-08-19 20:23:56 UTC (rev 24247)
+++ branches/nss/src/lib/crypto/nss/hash_provider/hash_sha1.c 2010-08-21 12:43:48 UTC (rev 24248)
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (C) 2010 Red Hat, Inc.
*
@@ -31,7 +32,6 @@
static krb5_error_code
k5_sha1_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
{
-
return k5_nss_gen_hash(HASH_AlgSHA1, data, num_data, output);
}
Modified: branches/nss/src/lib/crypto/nss/hmac.c
===================================================================
--- branches/nss/src/lib/crypto/nss/hmac.c 2010-08-19 20:23:56 UTC (rev 24247)
+++ branches/nss/src/lib/crypto/nss/hmac.c 2010-08-21 12:43:48 UTC (rev 24248)
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* lib/crypto/openssl/hmac.c
*
* Copyright (C) 2009 by the Massachusetts Institute of Technology.
@@ -77,34 +78,29 @@
/* use strcmp so we don't confuse SHA1 with SHA128 */
/* handle the obvious cases first */
- if (!strcmp(hash->hash_name, "SHA1")) {
- return CKM_SHA_1_HMAC;
- }
- if (!strcmp(hash->hash_name, "MD5")) {
- return CKM_MD5_HMAC;
- }
+ if (!strcmp(hash->hash_name, "SHA1"))
+ return CKM_SHA_1_HMAC;
+ if (!strcmp(hash->hash_name, "MD5"))
+ return CKM_MD5_HMAC;
/* the following coudes needs HASH_GetHMACOidTagByHashOidTag() to be
* exported before it will work */
#ifdef NSS_LOOKUP_STRING
/* See if the currently loaded version of NSS recognizes this hash */
hmacTag = SEC_OID_UNKNOWN;
for (hashTag=1; (oid=SECOID_FindOIDByTag(hashTag)) != NULL; hashTag++) {
- if (oid->mechanism == CKM_INVALID_MECHANISM) {
- continue;
- }
- if (!strcasecmp(oid->desc, hash->hash_name)) {
- continue;
- }
- /* now map the hash oid to an hmac oid */
- hmacTag = HASH_GetHMACOidTagByHashOidTag(hashTag);
+ if (oid->mechanism == CKM_INVALID_MECHANISM)
+ continue;
+ if (!strcasecmp(oid->desc, hash->hash_name))
+ continue;
+ /* now map the hash oid to an hmac oid */
+ hmacTag = HASH_GetHMACOidTagByHashOidTag(hashTag);
HASH_GetHMACOidTagByHashOidTag
- if (hmacTag != SEC_OID_UNKNOWN) {
- break;
- }
+ if (hmacTag != SEC_OID_UNKNOWN)
+ break;
}
oid = SECOID_FindOIDByTag(hmacTag);
if (oid) {
- return oid->mechanism;
+ return oid->mechanism;
}
#endif
return CKM_INVALID_MECHANISM;
@@ -112,8 +108,7 @@
krb5_error_code
krb5int_hmac(const struct krb5_hash_provider *hash, krb5_key key,
- const krb5_crypto_iov *data, size_t num_data,
- krb5_data *output)
+ const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
{
unsigned int i = 0;
CK_MECHANISM_TYPE mech;
@@ -123,71 +118,69 @@
SECItem param;
if (output->length < hash->hashsize)
- return(KRB5_BAD_MSIZE);
+ return KRB5_BAD_MSIZE;
mech = digest_to_hmac(hash);
if (mech == CKM_INVALID_MECHANISM)
- return(KRB5_CRYPTO_INTERNAL); // unsupported alg
+ return KRB5_CRYPTO_INTERNAL; /* unsupported alg */
- ret = k5_nss_gen_import(key, mech, CKA_SIGN);
- if (ret != 0) {
- return ret;
- }
+ ret = k5_nss_gen_import(key, mech, CKA_SIGN);
+ if (ret != 0)
+ return ret;
param.data = NULL;
param.len = 0;
ctx = k5_nss_create_context(key, mech, CKA_SIGN, ¶m);
- if (ctx == NULL) {
- goto fail;
- }
+ if (ctx == NULL)
+ goto fail;
rv = PK11_DigestBegin(ctx);
- if (rv != SECSuccess) goto fail;
+ if (rv != SECSuccess)
+ goto fail;
for (i=0; i < num_data; i++) {
- const krb5_crypto_iov *iov = &data[i];
+ const krb5_crypto_iov *iov = &data[i];
- if (iov->data.length && SIGN_IOV(iov)) {
- rv = PK11_DigestOp(ctx,(const unsigned char*)iov->data.data,
- iov->data.length);
- if (rv != SECSuccess) goto fail;
- }
+ if (iov->data.length && SIGN_IOV(iov)) {
+ rv = PK11_DigestOp(ctx,(const unsigned char*)iov->data.data,
+ iov->data.length);
+ if (rv != SECSuccess)
+ goto fail;
+ }
}
rv = PK11_DigestFinal(ctx, (unsigned char *) output->data, &output->length,
- output->length);
+ output->length);
ctx = NULL;
- if (rv != SECSuccess) goto fail;
+ if (rv != SECSuccess)
+ goto fail;
return 0;
fail:
ret = k5_nss_map_last_error();
- if (ctx) {
- PK11_Finalize(ctx);
- }
+ if (ctx)
+ PK11_Finalize(ctx);
return ret;
}
krb5_error_code
krb5int_hmac_keyblock(const struct krb5_hash_provider *hash,
- const krb5_keyblock *keyblock,
- const krb5_crypto_iov *data, size_t num_data,
- krb5_data *output)
+ const krb5_keyblock *keyblock,
+ const krb5_crypto_iov *data, size_t num_data,
+ krb5_data *output)
{
krb5_key key;
krb5_error_code code;
if (keyblock->length > hash->blocksize)
- return(KRB5_CRYPTO_INTERNAL);
+ return KRB5_CRYPTO_INTERNAL;
memset(&key, 0, sizeof(key));
code = krb5_k_create_key(NULL, keyblock, &key);
- if (code) {
- return code;
- }
+ if (code)
+ return code;
code = krb5int_hmac(hash, key, data, num_data, output);
krb5_k_free_key(NULL, key);
return code;
}
-
Modified: branches/nss/src/lib/crypto/nss/md5/md5.c
===================================================================
--- branches/nss/src/lib/crypto/nss/md5/md5.c 2010-08-19 20:23:56 UTC (rev 24247)
+++ branches/nss/src/lib/crypto/nss/md5/md5.c 2010-08-21 12:43:48 UTC (rev 24248)
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* lib/crypto/openssl/md5/md5.c
*
* Copyright (C) 2009 by the Massachusetts Institute of Technology.
@@ -29,50 +30,45 @@
#include "nss_gen.h"
-/* The routine krb5int_MD5Init initializes the message-digest context
- mdContext.
- */
+/* Initialize the message-digest context mdContext. */
void
-krb5int_MD5Init (krb5_MD5_CTX *mdContext)
+krb5int_MD5Init(krb5_MD5_CTX *mdContext)
{
if (k5_nss_init()) {
- mdContext->nss_ctxt = NULL;
- return;
+ mdContext->nss_ctxt = NULL;
+ return;
}
mdContext->nss_ctxt = PK11_CreateDigestContext(SEC_OID_MD5);
- if (mdContext->nss_ctxt == NULL) {
- return;
- }
+ if (mdContext->nss_ctxt == NULL)
+ return;
PK11_DigestBegin((PK11Context *)mdContext->nss_ctxt);
}
-/* The routine krb5int_MD5Update updates the message-digest context to
- account for the presence of each of the characters inBuf[0..inLen-1]
- in the message whose digest is being computed.
+/*
+ * Update the message-digest context to account for the presence of each of the
+ * characters inBuf[0..inLen-1] in the message whose digest is being computed.
*/
void
-krb5int_MD5Update (krb5_MD5_CTX *mdContext, const unsigned char *inBuf, unsigned int inLen)
+krb5int_MD5Update(krb5_MD5_CTX *mdContext, const unsigned char *inBuf,
+ unsigned int inLen)
{
- if (mdContext->nss_ctxt == NULL) {
- return;
- }
+ if (mdContext->nss_ctxt == NULL)
+ return;
PK11_DigestOp((PK11Context *)mdContext->nss_ctxt, inBuf, inLen);
}
-/* The routine krb5int_MD5Final terminates the message-digest computation and
- ends with the desired message digest in mdContext->digest[0...15].
- */
+/* Terminate the message-digest computation and end with the desired message
+ * digest in mdContext->digest[0...15]. */
void
-krb5int_MD5Final (krb5_MD5_CTX *mdContext)
+krb5int_MD5Final(krb5_MD5_CTX *mdContext)
{
unsigned int digestLength;
- if (mdContext->nss_ctxt == NULL) {
- return;
- }
- PK11_DigestFinal((PK11Context *)mdContext->nss_ctxt, mdContext->digest,
- &digestLength, sizeof (mdContext->digest));
- /* since there is not separate cleanup step, free the context now.
+ if (mdContext->nss_ctxt == NULL)
+ return;
+ PK11_DigestFinal((PK11Context *)mdContext->nss_ctxt, mdContext->digest,
+ &digestLength, sizeof (mdContext->digest));
+ /* since there is not separate cleanup step, free the context now.
* (otherwise we could have reused the context for another MD5 operation
* in the future).
*/
Modified: branches/nss/src/lib/crypto/nss/md5/rsa-md5.h
===================================================================
--- branches/nss/src/lib/crypto/nss/md5/rsa-md5.h 2010-08-19 20:23:56 UTC (rev 24247)
+++ branches/nss/src/lib/crypto/nss/md5/rsa-md5.h 2010-08-21 12:43:48 UTC (rev 24248)
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* lib/crypto/openssl/md5/rsa-md5.h
*
* Copyright (C) 2009 by the Massachusetts Institute of Technology.
@@ -77,7 +78,8 @@
} krb5_MD5_CTX;
extern void krb5int_MD5Init(krb5_MD5_CTX *);
-extern void krb5int_MD5Update(krb5_MD5_CTX *,const unsigned char *,unsigned int);
+extern void krb5int_MD5Update(krb5_MD5_CTX *, const unsigned char *,
+ unsigned int);
extern void krb5int_MD5Final(krb5_MD5_CTX *);
#define RSA_MD5_CKSUM_LENGTH 16
Modified: branches/nss/src/lib/crypto/nss/nss_gen.h
===================================================================
--- branches/nss/src/lib/crypto/nss/nss_gen.h 2010-08-19 20:23:56 UTC (rev 24247)
+++ branches/nss/src/lib/crypto/nss/nss_gen.h 2010-08-21 12:43:48 UTC (rev 24248)
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
*
* Copyright (C) 2003, 2007, 2008, 2009 by the Massachusetts Institute of Technology.
@@ -34,64 +35,62 @@
#define MAX_BLOCK_SIZE 64
/*
- * common nss utils
+ * Common nss utils
*/
-/* Make sure NSS is properly initialized */
+
+/* Make sure NSS is properly initialized. */
krb5_error_code k5_nss_init(void);
-/* import a key into NSS and store the handle in krb5_key */
+/* Import a key into NSS and store the handle in krb5_key. */
krb5_error_code
-k5_nss_gen_import(krb5_key key, CK_MECHANISM_TYPE mech,
- CK_ATTRIBUTE_TYPE operation);
-/* clean up an imported key */
+k5_nss_gen_import(krb5_key key, CK_MECHANISM_TYPE mech,
+ CK_ATTRIBUTE_TYPE operation);
+
+/* Clean up an imported key. */
void
k5_nss_gen_cleanup(krb5_key key);
-/* create a new crypto/hash/sign context from a krb5_key */
+/* Create a new crypto/hash/sign context from a krb5_key. */
PK11Context *
k5_nss_create_context(krb5_key krb_key, CK_MECHANISM_TYPE mechanism,
- CK_ATTRIBUTE_TYPE operation, SECItem * param);
+ CK_ATTRIBUTE_TYPE operation, SECItem * param);
-/* mapp and NSS error into a krb5_error_code */
-krb5_error_code k5_nss_map_error (int nss_error);
-krb5_error_code k5_nss_map_last_error (void);
+/* Map an NSS error into a krb5_error_code. */
+krb5_error_code k5_nss_map_error(int nss_error);
+krb5_error_code k5_nss_map_last_error(void);
/*
- * common encryption functions
+ * Common encryption functions
*/
-/* encrypt/decrypt block modes except cts using iov */
+
+/* Encrypt/decrypt block modes except cts using iov. */
krb5_error_code
-k5_nss_gen_block_iov(krb5_key key, CK_MECHANISM_TYPE mech,
- CK_ATTRIBUTE_TYPE operation,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data);
-/* encrypt/decrypt stream modes using iov */
+k5_nss_gen_block_iov(krb5_key key, CK_MECHANISM_TYPE mech,
+ CK_ATTRIBUTE_TYPE operation, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data);
+
+/* Encrypt/decrypt stream modes using iov. */
krb5_error_code
-k5_nss_gen_stream_iov(krb5_key key, krb5_data *state,
- CK_MECHANISM_TYPE mech,
- CK_ATTRIBUTE_TYPE operation,
- krb5_crypto_iov *data,
- size_t num_data);
-/* encrypt/decrypt block modes using cts */
-krb5_error_code
-k5_nss_gen_cts_iov(krb5_key key, CK_MECHANISM_TYPE mech,
- CK_ATTRIBUTE_TYPE operation,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data);
+k5_nss_gen_stream_iov(krb5_key key, krb5_data *state, CK_MECHANISM_TYPE mech,
+ CK_ATTRIBUTE_TYPE operation, krb5_crypto_iov *data,
+ size_t num_data);
-/* stream state management calls */
+/* Encrypt/decrypt block modes using cts. */
krb5_error_code
-k5_nss_stream_init_state(krb5_data *new_state);
-krb5_error_code
-k5_nss_stream_free_state(krb5_data *state);
+k5_nss_gen_cts_iov(krb5_key key, CK_MECHANISM_TYPE mech,
+ CK_ATTRIBUTE_TYPE operation, const krb5_data *ivec,
+ krb5_crypto_iov *data, size_t num_data);
+/* Stream state management calls. */
+krb5_error_code k5_nss_stream_init_state(krb5_data *new_state);
+krb5_error_code k5_nss_stream_free_state(krb5_data *state);
+
/*
- * common hash functions
+ * Common hash functions
*/
-/* all hash modes */
-krb5_error_code
+
+/* All hash modes. */
+krb5_error_code
k5_nss_gen_hash(HASH_HashType hashType, const krb5_crypto_iov *data,
- size_t num_data, krb5_data *output);
+ size_t num_data, krb5_data *output);
Modified: branches/nss/src/lib/crypto/nss/pbkdf2.c
===================================================================
--- branches/nss/src/lib/crypto/nss/pbkdf2.c 2010-08-19 20:23:56 UTC (rev 24247)
+++ branches/nss/src/lib/crypto/nss/pbkdf2.c 2010-08-21 12:43:48 UTC (rev 24248)
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/crypto/nss/pbkdf2.c
*
@@ -24,8 +25,7 @@
* or implied warranty.
*
*
- * Implementation of PBKDF2 from RFC 2898.
- * Not currently used; likely to be used when we get around to AES support.
+ * Implementation of PBKDF2 using NSS.
*/
#include <ctype.h>
@@ -36,8 +36,8 @@
krb5_error_code
-krb5int_pbkdf2_hmac_sha1 (const krb5_data *out, unsigned long count,
- const krb5_data *pass, const krb5_data *salt)
+krb5int_pbkdf2_hmac_sha1(const krb5_data *out, unsigned long count,
+ const krb5_data *pass, const krb5_data *salt)
{
PK11SlotInfo *slot = NULL;
@@ -45,18 +45,18 @@
PK11SymKey *symKey = NULL;
SECItem saltItem, pwItem;
const SECItem *keydata = NULL;
- SECOidTag pbeAlg = SEC_OID_PKCS5_PBKDF2;
- SECOidTag cipherAlg = SEC_OID_AES_256_CBC;
- SECOidTag prfAlg = SEC_OID_HMAC_SHA1;
+ SECOidTag pbeAlg = SEC_OID_PKCS5_PBKDF2;
+ SECOidTag cipherAlg = SEC_OID_AES_256_CBC;
+ SECOidTag prfAlg = SEC_OID_HMAC_SHA1;
krb5_error_code ret;
ret = k5_nss_init();
- if (ret) return ret;
+ if (ret)
+ return ret;
slot = PK11_GetBestSlot(PK11_AlgtagToMechanism(pbeAlg), NULL);
- if (slot == NULL) {
- return k5_nss_map_last_error();
- }
+ if (slot == NULL)
+ return k5_nss_map_last_error();
saltItem.type = siBuffer;
saltItem.data = (unsigned char *)salt->data;
@@ -68,10 +68,10 @@
* Kerberos already had to solve it's crypto agility issues, so the
* algid is just and extra step we need that we will throw away */
algid = PK11_CreatePBEV2AlgorithmID(pbeAlg, cipherAlg, prfAlg,
- out->length, count, &saltItem);
+ out->length, count, &saltItem);
if (algid == NULL) {
- ret = k5_nss_map_last_error();
- goto loser;
+ ret = k5_nss_map_last_error();
+ goto loser;
}
pwItem.type = siBuffer;
@@ -80,38 +80,36 @@
symKey = PK11_PBEKeyGen(slot, algid, &pwItem, PR_FALSE, NULL);
if (symKey == NULL) {
- ret = k5_nss_map_last_error();
- goto loser;
+ ret = k5_nss_map_last_error();
+ goto loser;
}
- /* at this point we should return symKey as a key, but kerberos is
- * still passing bits around instead of key handles */
+
+ /* At this point we should return symKey as a key, but kerberos is
+ * still passing bits around instead of key handles. */
PK11_ExtractKeyValue(symKey);
/* keydata here is a const * and is valid as long as the key has not been
* destroyed. */
keydata = PK11_GetKeyData(symKey);
if (keydata == NULL) {
- ret = k5_nss_map_last_error();
- goto loser;
+ ret = k5_nss_map_last_error();
+ goto loser;
}
if (out->length != keydata->len) {
- ret = -1; /* XXXXX */
- goto loser;
+ ret = -1; /* XXXXX */
+ goto loser;
}
memcpy(out->data, keydata->data, keydata->len);
ret = 0;
loser:
- if (symKey) {
- PK11_FreeSymKey(symKey);
- }
- if (algid) {
- SECOID_DestroyAlgorithmID(algid, PR_TRUE);
- }
- if (slot) {
- PK11_FreeSlot(slot);
- }
-
+ if (symKey)
+ PK11_FreeSymKey(symKey);
+ if (algid)
+ SECOID_DestroyAlgorithmID(algid, PR_TRUE);
+ if (slot)
+ PK11_FreeSlot(slot);
+
return ret;
}
Modified: branches/nss/src/lib/crypto/nss/sha1/shs.c
===================================================================
--- branches/nss/src/lib/crypto/nss/sha1/shs.c 2010-08-19 20:23:56 UTC (rev 24247)
+++ branches/nss/src/lib/crypto/nss/sha1/shs.c 2010-08-21 12:43:48 UTC (rev 24248)
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* lib/crypto/openssl/sha1/shs.c
*
* Copyright (C) 2009 by the Massachusetts Institute of Technology.
@@ -32,40 +33,36 @@
void shsInit(SHS_INFO *shsInfo)
{
if (k5_nss_init()) {
- shsInfo->nss_ctxt = NULL;
- return;
+ shsInfo->nss_ctxt = NULL;
+ return;
}
shsInfo->nss_ctxt = PK11_CreateDigestContext(SEC_OID_SHA1);
- if (shsInfo->nss_ctxt == NULL) {
- return;
- }
+ if (shsInfo->nss_ctxt == NULL)
+ return;
PK11_DigestBegin((PK11Context *)shsInfo->nss_ctxt);
}
/* Update SHS for a block of data */
void shsUpdate(SHS_INFO *shsInfo, const SHS_BYTE *buffer, unsigned int count)
{
- if (shsInfo->nss_ctxt == NULL) {
- return;
- }
- PK11_DigestOp((PK11Context *)shsInfo->nss_ctxt, buffer, count);
+ if (shsInfo->nss_ctxt == NULL)
+ return;
+ PK11_DigestOp((PK11Context *)shsInfo->nss_ctxt, buffer, count);
}
/* Final wrapup - pad to SHS_DATASIZE-byte boundary with the bit pattern
- 1 0* (64-bit count of bits processed, MSB-first) */
+ * 1 0* (64-bit count of bits processed, MSB-first) */
void shsFinal(SHS_INFO *shsInfo)
{
- if (shsInfo->nss_ctxt == NULL) {
- return;
- }
- PK11_DigestFinal((PK11Context *)shsInfo->nss_ctxt, shsInfo->digestBuf,
- &shsInfo->digestLen, sizeof (shsInfo->digestBuf));
- /* since there is not separate cleanup step, free the context now.
+ if (shsInfo->nss_ctxt == NULL)
+ return;
+ PK11_DigestFinal((PK11Context *)shsInfo->nss_ctxt, shsInfo->digestBuf,
+ &shsInfo->digestLen, sizeof (shsInfo->digestBuf));
+ /* Since there is not separate cleanup step, free the context now.
* (otherwise we could have reused the context for another MD5 operation
* in the future).
*/
PK11_DestroyContext((PK11Context *)shsInfo->nss_ctxt, PR_TRUE);
shsInfo->nss_ctxt = NULL;
}
-
Modified: branches/nss/src/lib/crypto/nss/sha1/shs.h
===================================================================
--- branches/nss/src/lib/crypto/nss/sha1/shs.h 2010-08-19 20:23:56 UTC (rev 24247)
+++ branches/nss/src/lib/crypto/nss/sha1/shs.h 2010-08-21 12:43:48 UTC (rev 24248)
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#ifndef _SHS_DEFINED
#include "k5-int.h"
@@ -6,8 +7,8 @@
/* Some useful types */
-typedef krb5_octet SHS_BYTE;
-typedef krb5_ui_4 SHS_LONG;
+typedef krb5_octet SHS_BYTE;
+typedef krb5_ui_4 SHS_LONG;
/* Define the following to use the updated SHS implementation */
#define NEW_SHS /**/
@@ -33,13 +34,13 @@
/* Keyed Message digest functions (hmac_sha.c) */
krb5_error_code hmac_sha(krb5_octet *text,
- int text_len,
- krb5_octet *key,
- int key_len,
- krb5_octet *digest);
+ int text_len,
+ krb5_octet *key,
+ int key_len,
+ krb5_octet *digest);
-#define NIST_SHA_CKSUM_LENGTH SHS_DIGESTSIZE
-#define HMAC_SHA_CKSUM_LENGTH SHS_DIGESTSIZE
+#define NIST_SHA_CKSUM_LENGTH SHS_DIGESTSIZE
+#define HMAC_SHA_CKSUM_LENGTH SHS_DIGESTSIZE
#endif /* _SHS_DEFINED */
More information about the cvs-krb5
mailing list