svn rev #24416: trunk/ src/ src/include/ src/lib/crypto/ src/lib/crypto/builtin/ ...
ghudson@MIT.EDU
ghudson at MIT.EDU
Sat Oct 2 13:21:54 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=24416
Commit By: ghudson
Log Message:
Merge branches/nss to trunk.
Changed Files:
U trunk/NOTICE
U trunk/src/configure.in
U trunk/src/include/k5-int.h
U trunk/src/lib/crypto/Makefile.in
U trunk/src/lib/crypto/builtin/Makefile.in
A trunk/src/lib/crypto/builtin/init.c
U trunk/src/lib/crypto/crypto_tests/Makefile.in
U trunk/src/lib/crypto/krb/Makefile.in
U trunk/src/lib/crypto/krb/crypto_libinit.c
U trunk/src/lib/crypto/krb/prng.c
A trunk/src/lib/crypto/nss/
U trunk/src/lib/crypto/openssl/Makefile.in
A trunk/src/lib/crypto/openssl/init.c
Modified: trunk/NOTICE
===================================================================
--- trunk/NOTICE 2010-10-02 17:17:35 UTC (rev 24415)
+++ trunk/NOTICE 2010-10-02 17:21:54 UTC (rev 24416)
@@ -173,7 +173,8 @@
--------------------
Portions contributed by Red Hat, including the pre-authentication
-plug-ins framework, contain the following copyright:
+plug-ins framework and the NSS crypto implementation, contain the
+following copyright:
Copyright (c) 2006 Red Hat, Inc.
Portions copyright (c) 2006 Massachusetts Institute of Technology
Modified: trunk/src/configure.in
===================================================================
--- trunk/src/configure.in 2010-10-02 17:17:35 UTC (rev 24415)
+++ trunk/src/configure.in 2010-10-02 17:21:54 UTC (rev 24416)
@@ -123,8 +123,27 @@
[CRYPTO_IMPL=$withval
AC_MSG_RESULT("k5crypto will use \'$withval\'")
], withval=builtin)
+CRYPTO_IMPL_LIBS=
+CRYPTO_IMPL_CFLAGS=
+case "$withval" in
+builtin)
+ ;;
+openssl)
+ AC_CHECK_LIB(crypto, PKCS7_get_signer_info)
+ ;;
+nss)
+ CRYPTO_IMPL_CFLAGS=`pkg-config --cflags nss`
+ CRYPTO_IMPL_LIBS="-lnss3 $(pkg-config --libs nss-util)"
+ AC_DEFINE(CRYPTO_IMPL_NSS,1,[Define if crypto implementation is NSS])
+ ;;
+*)
+ AC_MSG_ERROR([Unknown crypto implementation $withval])
+ ;;
+esac
AC_CONFIG_COMMANDS(CRYPTO_IMPL, , CRYPTO_IMPL=$CRYPTO_IMPL)
AC_SUBST(CRYPTO_IMPL)
+AC_SUBST(CRYPTO_IMPL_CFLAGS)
+AC_SUBST(CRYPTO_IMPL_LIBS)
# --with-kdc-kdb-update makes the KDC update the database with last request
# information and failure information.
Modified: trunk/src/include/k5-int.h
===================================================================
--- trunk/src/include/k5-int.h 2010-10-02 17:17:35 UTC (rev 24415)
+++ trunk/src/include/k5-int.h 2010-10-02 17:21:54 UTC (rev 24416)
@@ -823,6 +823,7 @@
* Internal - for cleanup.
*/
extern void krb5int_prng_cleanup(void);
+extern void krb5int_crypto_impl_cleanup(void);
#ifdef KRB5_OLD_CRYPTO
@@ -2654,6 +2655,7 @@
extern int krb5int_crypto_init (void);
extern int krb5int_prng_init(void);
+extern int krb5int_crypto_impl_init(void);
/*
* Referral definitions, debugging hooks, and subfunctions.
Modified: trunk/src/lib/crypto/Makefile.in
===================================================================
--- trunk/src/lib/crypto/Makefile.in 2010-10-02 17:17:35 UTC (rev 24415)
+++ trunk/src/lib/crypto/Makefile.in 2010-10-02 17:21:54 UTC (rev 24416)
@@ -46,7 +46,7 @@
# link editor and loader support it.
DEPLIBS=
SHLIB_DIRS=-L$(TOPLIBD)
-SHLIB_EXPLIBS= $(SUPPORT_LIB) @CRYPTO_LIBS@ $(LIBS)
+SHLIB_EXPLIBS= $(SUPPORT_LIB) @CRYPTO_LIBS@ @CRYPTO_IMPL_LIBS@ $(LIBS)
SHLIB_EXPDEPLIBS= $(SUPPORT_DEPLIB)
SHLIB_LDFLAGS= $(LDFLAGS) @SHLIB_RPATH_DIRS@
SHLIB_LIBDIRS= @SHLIB_LIBDIRS@
Modified: trunk/src/lib/crypto/builtin/Makefile.in
===================================================================
--- trunk/src/lib/crypto/builtin/Makefile.in 2010-10-02 17:17:35 UTC (rev 24415)
+++ trunk/src/lib/crypto/builtin/Makefile.in 2010-10-02 17:21:54 UTC (rev 24416)
@@ -27,14 +27,17 @@
STLIBOBJS=\
hmac.o \
- pbkdf2.o
+ init.o \
+ pbkdf2.o
OBJS=\
$(OUTPRE)hmac.$(OBJEXT) \
- $(OUTPRE)pbkdf2.$(OBJEXT)
+ $(OUTPRE)init.$(OBJEXT) \
+ $(OUTPRE)pbkdf2.$(OBJEXT)
SRCS=\
$(srcdir)/hmac.c \
+ $(srcdir)/init.c \
$(srcdir)/pbkdf2.c
STOBJLISTS= des/OBJS.ST md4/OBJS.ST \
Copied: trunk/src/lib/crypto/builtin/init.c (from rev 24415, branches/nss/src/lib/crypto/builtin/init.c)
===================================================================
--- trunk/src/lib/crypto/builtin/init.c (rev 0)
+++ trunk/src/lib/crypto/builtin/init.c 2010-10-02 17:21:54 UTC (rev 24416)
@@ -0,0 +1,40 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * lib/crypto/builtin/init.c
+ *
+ * Copyright (C) 2010 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * Built-in back-end library init functions
+ */
+
+int
+krb5int_crypto_impl_init(void)
+{
+ return 0;
+}
+
+void
+krb5int_crypto_impl_cleanup(void)
+{
+}
Modified: trunk/src/lib/crypto/crypto_tests/Makefile.in
===================================================================
--- trunk/src/lib/crypto/crypto_tests/Makefile.in 2010-10-02 17:17:35 UTC (rev 24415)
+++ trunk/src/lib/crypto/crypto_tests/Makefile.in 2010-10-02 17:21:54 UTC (rev 24416)
@@ -45,6 +45,9 @@
# NOTE: The t_cksum known checksum values are primarily for regression
# testing. They are not derived a priori, but are known to produce
# checksums that interoperate.
+#
+# We use the NSS PRNG when NSS is the crypto back end, so don't test
+# against the expected output for Yarrow.
check-unix:: t_nfold t_encrypt t_prf t_prng t_cmac t_hmac \
t_cksum4 t_cksum5 \
aes-test \
@@ -53,8 +56,9 @@
t_crc t_cts t_short t_str2key t_camellia_ccm
$(RUN_SETUP) $(VALGRIND) ./t_nfold
$(RUN_SETUP) $(VALGRIND) ./t_encrypt
- $(RUN_SETUP) $(VALGRIND) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \
- diff t_prng.output $(srcdir)/t_prng.expected
+ if [ @CRYPTO_IMPL@ != nss ]; then \
+ $(RUN_SETUP) $(VALGRIND) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \
+ diff t_prng.output $(srcdir)/t_prng.expected; fi
$(RUN_SETUP) $(VALGRIND) ./t_cmac
$(RUN_SETUP) $(VALGRIND) ./t_hmac
$(RUN_SETUP) $(VALGRIND) ./t_prf <$(srcdir)/t_prf.in >t_prf.output
Modified: trunk/src/lib/crypto/krb/Makefile.in
===================================================================
--- trunk/src/lib/crypto/krb/Makefile.in 2010-10-02 17:17:35 UTC (rev 24415)
+++ trunk/src/lib/crypto/krb/Makefile.in 2010-10-02 17:21:54 UTC (rev 24416)
@@ -9,7 +9,8 @@
-I$(srcdir)/../@CRYPTO_IMPL@/ -I$(srcdir)/../@CRYPTO_IMPL@/des \
-I$(srcdir)/../@CRYPTO_IMPL@/aes -I$(srcdir)/arcfour \
-I$(srcdir)/../@CRYPTO_IMPL@/camellia \
- -I$(srcdir)/../@CRYPTO_IMPL@/sha1 -I$(srcdir)/../@CRYPTO_IMPL@
+ -I$(srcdir)/../@CRYPTO_IMPL@/sha1 -I$(srcdir)/../@CRYPTO_IMPL@ \
+ @CRYPTO_IMPL_CFLAGS@
PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
DEFS=
Modified: trunk/src/lib/crypto/krb/crypto_libinit.c
===================================================================
--- trunk/src/lib/crypto/krb/crypto_libinit.c 2010-10-02 17:17:35 UTC (rev 24415)
+++ trunk/src/lib/crypto/krb/crypto_libinit.c 2010-10-02 17:21:54 UTC (rev 24416)
@@ -14,7 +14,11 @@
int cryptoint_initialize_library (void)
{
- return krb5int_prng_init();
+ int err;
+ err = krb5int_prng_init();
+ if (err)
+ return err;
+ return krb5int_crypto_impl_init();
}
int krb5int_crypto_init(void)
@@ -30,5 +34,6 @@
{
if (!INITIALIZER_RAN(cryptoint_initialize_library))
return;
- krb5int_prng_cleanup ();
+ krb5int_prng_cleanup();
+ krb5int_crypto_impl_cleanup();
}
Modified: trunk/src/lib/crypto/krb/prng.c
===================================================================
--- trunk/src/lib/crypto/krb/prng.c 2010-10-02 17:17:35 UTC (rev 24415)
+++ trunk/src/lib/crypto/krb/prng.c 2010-10-02 17:21:54 UTC (rev 24416)
@@ -29,11 +29,77 @@
#include <assert.h>
#include "k5-thread.h"
-#include "yarrow.h"
-static Yarrow_CTX y_ctx;
#define yarrow_lock krb5int_yarrow_lock
k5_mutex_t yarrow_lock = K5_MUTEX_PARTIAL_INITIALIZER;
+#ifdef CRYPTO_IMPL_NSS
+
+/*
+ * Using Yarrow with NSS is a bit problematic because the MD5 contexts it holds
+ * open for the entropy pools would be invalidated by a fork(), causing us to
+ * lose the entropy contained therein.
+ *
+ * Therefore, use the NSS PRNG if NSS is the crypto implementation. Doing this
+ * via ifdefs here is temporary until we come up with better build logic for
+ * it.
+ */
+
+#include "../nss/nss_gen.h"
+#include <pk11pub.h>
+
+/*
+ * NSS gathers its own OS entropy, so it doesn't really matter how much we read
+ * in krb5_c_random_os_entropy. Use the same value as Yarrow (without using a
+ * Yarrow constant), so that we don't read too much from /dev/random.
+ */
+#define OS_ENTROPY_LEN 20
+
+int krb5int_prng_init(void)
+{
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_random_add_entropy(krb5_context context, unsigned int randsource,
+ const krb5_data *data)
+{
+ krb5_error_code ret;
+
+ ret = k5_nss_init();
+ if (ret)
+ return ret;
+ if (PK11_RandomUpdate(data->data, data->length) != SECSuccess)
+ return k5_nss_map_last_error();
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_random_make_octets(krb5_context context, krb5_data *data)
+{
+ krb5_error_code ret;
+
+ ret = k5_nss_init();
+ if (ret)
+ return ret;
+ if (PK11_GenerateRandom((unsigned char *)data->data,
+ data->length) != SECSuccess)
+ return k5_nss_map_last_error();
+ return 0;
+}
+
+void
+krb5int_prng_cleanup (void)
+{
+}
+
+#else /* CRYPTO_IMPL_NSS */
+
+#include "yarrow.h"
+static Yarrow_CTX y_ctx;
+
+/* Gather enough OS entropy per call to trigger a Yarrow reseed. */
+#define OS_ENTROPY_LEN (YARROW_SLOW_THRESH/8)
+
/* Helper function to estimate entropy based on sample length
* and where it comes from.
*/
@@ -100,12 +166,6 @@
}
krb5_error_code KRB5_CALLCONV
-krb5_c_random_seed(krb5_context context, krb5_data *data)
-{
- return krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OLDAPI, data);
-}
-
-krb5_error_code KRB5_CALLCONV
krb5_c_random_make_octets(krb5_context context, krb5_data *data)
{
int yerr;
@@ -127,7 +187,14 @@
k5_mutex_destroy(&yarrow_lock);
}
+#endif /* not CRYPTO_IMPL_NSS */
+krb5_error_code KRB5_CALLCONV
+krb5_c_random_seed(krb5_context context, krb5_data *data)
+{
+ return krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OLDAPI, data);
+}
+
/*
* Routines to get entropy from the OS. For UNIX we try /dev/urandom
* and /dev/random. Currently we don't do anything for Windows.
@@ -163,7 +230,7 @@
krb5_data data;
struct stat sb;
int fd;
- unsigned char buf[YARROW_SLOW_THRESH/8], *bp;
+ unsigned char buf[OS_ENTROPY_LEN], *bp;
int left;
fd = open (device, O_RDONLY);
Modified: trunk/src/lib/crypto/openssl/Makefile.in
===================================================================
--- trunk/src/lib/crypto/openssl/Makefile.in 2010-10-02 17:17:35 UTC (rev 24415)
+++ trunk/src/lib/crypto/openssl/Makefile.in 2010-10-02 17:21:54 UTC (rev 24416)
@@ -22,14 +22,17 @@
STLIBOBJS=\
hmac.o \
- pbkdf2.o
+ init.o \
+ pbkdf2.o
OBJS=\
$(OUTPRE)hmac.$(OBJEXT) \
- $(OUTPRE)pbkdf2.$(OBJEXT)
+ $(OUTPRE)init.$(OBJEXT) \
+ $(OUTPRE)pbkdf2.$(OBJEXT)
SRCS=\
$(srcdir)/hmac.c \
+ $(srcdir)/init.c \
$(srcdir)/pbkdf2.c
STOBJLISTS= des/OBJS.ST md4/OBJS.ST \
Copied: trunk/src/lib/crypto/openssl/init.c (from rev 24415, branches/nss/src/lib/crypto/openssl/init.c)
===================================================================
--- trunk/src/lib/crypto/openssl/init.c (rev 0)
+++ trunk/src/lib/crypto/openssl/init.c 2010-10-02 17:21:54 UTC (rev 24416)
@@ -0,0 +1,40 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * lib/crypto/openssl/init.c
+ *
+ * Copyright (C) 2010 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * OpenSSL back-end library init functions
+ */
+
+int
+krb5int_crypto_impl_init(void)
+{
+ return 0;
+}
+
+void
+krb5int_crypto_impl_cleanup(void)
+{
+}
More information about the cvs-krb5
mailing list