krb5 commit: Remove nss libk5crypto implementation
Greg Hudson
ghudson at mit.edu
Wed Jan 20 15:58:27 EST 2016
https://github.com/krb5/krb5/commit/06ff3b5d3de2e162014eb71ab19d9e545808cacd
commit 06ff3b5d3de2e162014eb71ab19d9e545808cacd
Author: Greg Hudson <ghudson at mit.edu>
Date: Tue Jan 12 12:08:58 2016 -0500
Remove nss libk5crypto implementation
Delete the nss libk5crypto implementation because: (1) the original
contributor no longer requires it; (2) as far as we know it is rarely
or never used; (3) NSS has significant impedance mismatch with MIT
krb5's requirements, such as the inability to preserve crypto state
across fork(); (4) NSS cannot do PBKDF2 with SHA-256 or SHA-384, as
will be required for the aes-sha2 enctypes.
ticket: 8345 (new)
doc/build/options2configure.rst | 7 +-
doc/mitK5features.rst | 1 -
src/configure.in | 24 +-
src/lib/crypto/crypto_tests/t_fork.c | 11 +-
src/lib/crypto/krb/crypto_int.h | 4 +-
src/lib/crypto/krb/prng_nss.c | 59 --
src/lib/crypto/nss/Makefile.in | 49 --
src/lib/crypto/nss/aes/Makefile.in | 6 -
src/lib/crypto/nss/aes/deps | 1 -
src/lib/crypto/nss/camellia/Makefile.in | 6 -
src/lib/crypto/nss/camellia/deps | 1 -
src/lib/crypto/nss/crypto_mod.h | 39 --
src/lib/crypto/nss/deps | 46 --
src/lib/crypto/nss/des/Makefile.in | 21 -
src/lib/crypto/nss/des/deps | 15 -
src/lib/crypto/nss/des/des_keys.c | 87 ---
src/lib/crypto/nss/enc_provider/Makefile.in | 39 --
src/lib/crypto/nss/enc_provider/aes.c | 99 ----
src/lib/crypto/nss/enc_provider/camellia.c | 113 ----
src/lib/crypto/nss/enc_provider/deps | 70 ---
src/lib/crypto/nss/enc_provider/des.c | 89 ---
src/lib/crypto/nss/enc_provider/des3.c | 74 ---
src/lib/crypto/nss/enc_provider/enc_gen.c | 730 -------------------------
src/lib/crypto/nss/enc_provider/rc4.c | 99 ----
src/lib/crypto/nss/hash_provider/Makefile.in | 35 --
src/lib/crypto/nss/hash_provider/deps | 63 ---
src/lib/crypto/nss/hash_provider/hash_crc32.c | 56 --
src/lib/crypto/nss/hash_provider/hash_gen.c | 74 ---
src/lib/crypto/nss/hash_provider/hash_gen.h | 40 --
src/lib/crypto/nss/hash_provider/hash_md4.c | 61 --
src/lib/crypto/nss/hash_provider/hash_md5.c | 50 --
src/lib/crypto/nss/hash_provider/hash_sha1.c | 50 --
src/lib/crypto/nss/hmac.c | 140 -----
src/lib/crypto/nss/md4/Makefile.in | 18 -
src/lib/crypto/nss/md4/deps | 13 -
src/lib/crypto/nss/md4/md4.c | 242 --------
src/lib/crypto/nss/md4/rsa-md4.h | 90 ---
src/lib/crypto/nss/md5/Makefile.in | 6 -
src/lib/crypto/nss/md5/deps | 1 -
src/lib/crypto/nss/nss_gen.h | 110 ----
src/lib/crypto/nss/nss_prng.h | 36 --
src/lib/crypto/nss/pbkdf2.c | 120 ----
src/lib/crypto/nss/prng.c | 57 --
src/lib/crypto/nss/sha1/Makefile.in | 6 -
src/lib/crypto/nss/sha1/deps | 1 -
src/lib/crypto/nss/sha2/Makefile.in | 6 -
src/lib/crypto/nss/sha2/deps | 1 -
src/lib/crypto/nss/stubs.c | 68 ---
48 files changed, 8 insertions(+), 3026 deletions(-)
diff --git a/doc/build/options2configure.rst b/doc/build/options2configure.rst
index 799480b..418ec25 100644
--- a/doc/build/options2configure.rst
+++ b/doc/build/options2configure.rst
@@ -337,15 +337,12 @@ Optional packages
Use specified crypto implementation (e.g., **-**\
**-with-crypto-impl=**\ *openssl*). The default is the native MIT
Kerberos implementation ``builtin``. The other currently
- implemented crypto backends are ``openssl`` and ``nss``. (See
+ implemented crypto backend is ``openssl``. (See
:ref:`mitK5features`)
**-**\ **-with-prng-alg=**\ *ALG*
Use specified PRNG algorithm. For example, to use the OS native
- prng specify ``--with-prng-alg=os``.
-
- Default is the ``fortuna`` PRNG algorithm. For the ``nss`` crypto
- backend use one must explicitly specify ``--with-prng-alg=nss``.
+ prng specify ``--with-prng-alg=os``. The default is ``fortuna``.
(See :ref:`mitK5features`)
**-**\ **-with-pkinit-crypto-impl=**\ *IMPL*
diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst
index ca4b298..cdcb04f 100644
--- a/doc/mitK5features.rst
+++ b/doc/mitK5features.rst
@@ -32,7 +32,6 @@ Supported platforms \/ OS distributions:
Crypto backends:
- builtin - MIT Kerberos native crypto library
- OpenSSL (1.0\+) - http://www.openssl.org
- - NSS (3.12.9\+) - http://www.mozilla.org/projects/security/pki/nss
Database backends: LDAP, DB2
diff --git a/src/configure.in b/src/configure.in
index 889bd7d..a8d52df 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -225,24 +225,6 @@ builtin)
openssl)
AC_CHECK_LIB(crypto, PKCS7_get_signer_info)
;;
-nss)
- if test "${CRYPTO_IMPL_CFLAGS+set}" != set; then
- CRYPTO_IMPL_CFLAGS=`pkg-config --cflags nss`
- fi
- if test "${CRYPTO_IMPL_LIBS+set}" != set; then
- CRYPTO_IMPL_LIBS="-lnss3 $(pkg-config --libs nss-util)"
- fi
- AC_DEFINE(CRYPTO_IMPL_NSS,1,[Define if crypto implementation is NSS])
- save_CFLAGS=$CFLAGS
- CFLAGS="$CFLAGS $CRYPTO_IMPL_CFLAGS"
- AC_COMPILE_IFELSE([AC_LANG_SOURCE([
-#include <nss.h>
-#if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && NSS_VMINOR < 13)
-#error
-#endif
- ])], [], [AC_MSG_ERROR([NSS version 3.13 or later required.])])
- CFLAGS=$save_CFLAGS
- ;;
*)
AC_MSG_ERROR([Unknown crypto implementation $withval])
;;
@@ -252,15 +234,11 @@ AC_SUBST(CRYPTO_IMPL)
AC_SUBST(CRYPTO_IMPL_CFLAGS)
AC_SUBST(CRYPTO_IMPL_LIBS)
-if test "$CRYPTO_IMPL" = nss; then
- PRNG_ALG="nss"
-else
AC_ARG_WITH([prng-alg],
-AC_HELP_STRING([--with-prng-alg=ALG], [use specified PRNG algorithm. Ignored for nss. @<:@fortuna@:>@]),
+AC_HELP_STRING([--with-prng-alg=ALG], [use specified PRNG algorithm. @<:@fortuna@:>@]),
[PRNG_ALG=$withval
AC_MSG_NOTICE(k5crypto will use '$withval')
], PRNG_ALG=fortuna)
-fi
AC_CONFIG_COMMANDS(PRNG_ALG, , PRNG_ALG=$PRNG_ALG)
AC_SUBST(PRNG_ALG)
if test "$PRNG_ALG" = fortuna; then
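Review bot: `PRNG_ALG=$withval` is still taken as-is, so nothing visible in this hunk rejects a build script that keeps passing `--with-prng-alg=nss` after the backend is removed. The crypto-impl `case` in the previous hunk ends in `*) AC_MSG_ERROR([Unknown crypto implementation $withval])`, and the PRNG option would benefit from the same fail-closed treatment, so that a mistyped or stale PRNG choice stops at configure time with a clear message. Something like `case "$PRNG_ALG" in fortuna|os) ;; *) AC_MSG_ERROR([Unknown PRNG algorithm $PRNG_ALG]) ;; esac` after the `AC_ARG_WITH` would do it. The values `fortuna` and `os` are taken from the documentation hunk and should be confirmed against the PRNG modules that remain. The code following `if test "$PRNG_ALG" = fortuna; then` is outside the hunk, so a later check may already exist.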
diff --git a/src/lib/crypto/crypto_tests/t_fork.c b/src/lib/crypto/crypto_tests/t_fork.c
index 09fb314..1ccd286 100644
--- a/src/lib/crypto/crypto_tests/t_fork.c
+++ b/src/lib/crypto/crypto_tests/t_fork.c
@@ -26,7 +26,7 @@
/*
* Test basic libk5crypto behavior across forks. This is primarily interesting
- * for back ends with PKCS11-based constraints, such as the NSS back end.
+ * for back ends with PKCS11-based constraints.
*/
#include "k5-int.h"
@@ -92,13 +92,8 @@ main()
t(krb5_c_decrypt(ctx, &kb_aes, 0, NULL, &out_aes, &decrypted));
assert(data_eq(plain, decrypted));
- /*
- * Encrypt another RC4 message. This may fail because RC4 cipher state in
- * the NSS back end includes a PKCS11 handle which won't work across forks,
- * but make sure it fails in the expected manner.
- */
- ret = krb5_k_encrypt(ctx, key_rc4, 0, &state_rc4, &plain, &out_rc4);
- assert(ret == 0 || ret == EINVAL);
+ /* Encrypt another RC4 message. */
+ t(krb5_k_encrypt(ctx, key_rc4, 0, &state_rc4, &plain, &out_rc4));
t(krb5_c_free_state(ctx, &kb_rc4, &state_rc4));
/* If we're the parent, make sure the child succeeded. */
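Review bot: The replacement comment `/* Encrypt another RC4 message. */` drops the reason this call is in the test. It reuses `state_rc4`, and the removed comment indicates that this cipher state predates the fork. Now that an `EINVAL` result is no longer tolerated, the intent is worth keeping visible, e.g. `/* Encrypt another RC4 message, reusing the cipher state created before the fork; this must succeed in both processes. */`. main() starts and ends outside this hunk, so the fork and the creation of `state_rc4` are inferred from the removed comment and the "If we're the parent" line rather than seen directly.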
diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h
index c054144..a12846a 100644
--- a/src/lib/crypto/krb/crypto_int.h
+++ b/src/lib/crypto/krb/crypto_int.h
@@ -492,12 +492,12 @@ void krb5int_crypto_impl_cleanup(void);
* These functions must never fail on valid inputs, and contexts must remain
* valid across forks. If the module cannot meet those constraints, then it
* should provide its own PRNG module and the build system should ensure that
- * it is used; for an example, see how nss uses prng_nss.
+ * it is used.
*
* The function symbols named above are also in the library export list (so
* they can be used by the t_fortuna.c test code), so even if the module
* defines them away or doesn't work with Fortuna, the module must provide
- * stubs; see stubs.c in the openssl or nss modules for examples.
+ * stubs; see stubs.c in the openssl module for examples.
*/
#include <crypto_mod.h>
diff --git a/src/lib/crypto/krb/prng_nss.c b/src/lib/crypto/krb/prng_nss.c
deleted file mode 100644
index a304054..0000000
--- a/src/lib/crypto/krb/prng_nss.c
+++ /dev/null
@@ -1,59 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/krb/prng_nss.c */
-/*
- * Copyright (C) 2010 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "crypto_int.h"
-#include "nss_prng.h"
-
-/*
- * This PRNG module should be used whenever the NSS crypto implementation is
- * used. The Fortuna module does not work with NSS because it needs to hold
- * AES-256 and SHA-256 contexts across forks.
- */
-
-int
-k5_prng_init(void)
-{
- return 0;
-}
-
-void
-k5_prng_cleanup(void)
-{
-}
-
-krb5_error_code KRB5_CALLCONV
-krb5_c_random_add_entropy(krb5_context context, unsigned int randsource,
- const krb5_data *indata)
-{
- return k5_nss_prng_add_entropy(context, indata);
-}
-
-krb5_error_code KRB5_CALLCONV
-krb5_c_random_make_octets(krb5_context context, krb5_data *outdata)
-{
- return k5_nss_prng_make_octets(context, outdata);
-}
diff --git a/src/lib/crypto/nss/Makefile.in b/src/lib/crypto/nss/Makefile.in
deleted file mode 100644
index 06d1d76..0000000
--- a/src/lib/crypto/nss/Makefile.in
+++ /dev/null
@@ -1,49 +0,0 @@
-mydir=lib$(S)crypto$(S)nss
-BUILDTOP=$(REL)..$(S)..$(S)..
-SUBDIRS=des aes camellia md4 md5 sha1 sha2 enc_provider hash_provider
-CRYPTO_IMPL_CFLAGS=@CRYPTO_IMPL_CFLAGS@
-LOCALINCLUDES = -I$(srcdir)/../krb -I$(srcdir) $(CRYPTO_IMPL_CFLAGS)
-
-STLIBOBJS=\
- hmac.o \
- pbkdf2.o \
- prng.o \
- stubs.o
-
-OBJS=\
- $(OUTPRE)hmac.$(OBJEXT) \
- $(OUTPRE)pbkdf2.$(OBJEXT) \
- $(OUTPRE)prng.$(OBJEXT) \
- $(OUTPRE)stubs.$(OBJEXT)
-
-SRCS=\
- $(srcdir)/hmac.c \
- $(srcdir)/pbkdf2.c \
- $(srcdir)/prng.c \
- $(srcdir)/stubs.c
-
-STOBJLISTS= des/OBJS.ST md4/OBJS.ST \
- md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \
- enc_provider/OBJS.ST \
- hash_provider/OBJS.ST \
- aes/OBJS.ST \
- camellia/OBJS.ST \
- OBJS.ST
-
-SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST \
- md5/OBJS.ST sha1/OBJS.ST sha2/OBJS.ST \
- enc_provider/OBJS.ST \
- hash_provider/OBJS.ST \
- aes/OBJS.ST \
- camellia/OBJS.ST
-
-all-unix:: all-libobjs
-includes:: depend
-
-depend:: $(SRCS)
-
-clean-unix:: clean-libobjs
-
- at lib_frag@
- at libobj_frag@
-
diff --git a/src/lib/crypto/nss/aes/Makefile.in b/src/lib/crypto/nss/aes/Makefile.in
deleted file mode 100644
index 89f074c..0000000
--- a/src/lib/crypto/nss/aes/Makefile.in
+++ /dev/null
@@ -1,6 +0,0 @@
-# Placeholder since all crypto modules must have the same structure.
-mydir=lib$(S)crypto$(S)nss$(S)aes
-BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
-all-unix:: all-libobjs
-clean-unix:: clean-libobjs
- at libobj_frag@
diff --git a/src/lib/crypto/nss/aes/deps b/src/lib/crypto/nss/aes/deps
deleted file mode 100644
index 2feac3c..0000000
--- a/src/lib/crypto/nss/aes/deps
+++ /dev/null
@@ -1 +0,0 @@
-# No dependencies here.
diff --git a/src/lib/crypto/nss/camellia/Makefile.in b/src/lib/crypto/nss/camellia/Makefile.in
deleted file mode 100644
index 590c902..0000000
--- a/src/lib/crypto/nss/camellia/Makefile.in
+++ /dev/null
@@ -1,6 +0,0 @@
-# Placeholder since all crypto modules must have the same structure.
-mydir=lib$(S)crypto$(S)nss$(S)camellia
-BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
-all-unix:: all-libobjs
-clean-unix:: clean-libobjs
- at libobj_frag@
diff --git a/src/lib/crypto/nss/camellia/deps b/src/lib/crypto/nss/camellia/deps
deleted file mode 100644
index 2feac3c..0000000
--- a/src/lib/crypto/nss/camellia/deps
+++ /dev/null
@@ -1 +0,0 @@
-# No dependencies here.
diff --git a/src/lib/crypto/nss/crypto_mod.h b/src/lib/crypto/nss/crypto_mod.h
deleted file mode 100644
index 2f82a2b..0000000
--- a/src/lib/crypto/nss/crypto_mod.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/nss/crypto_mod.h - NSS crypto module declarations */
-/*
- * Copyright (C) 2011 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * This header is included from lib/crypto/krb/crypto_int.h to provide
- * module-specific declarations. It is not included directly from source
- * files.
- */
-
-#ifndef CRYPTO_MOD_H
-#define CRYPTO_MOD_H
-
-/* Because the NSS crypto module doesn't work with the Fortuna PRNG, we don't
- * need to declare anything here. */
-
-#endif /* CRYPTO_MOD_H */
diff --git a/src/lib/crypto/nss/deps b/src/lib/crypto/nss/deps
deleted file mode 100644
index 547a6ba..0000000
--- a/src/lib/crypto/nss/deps
+++ /dev/null
@@ -1,46 +0,0 @@
-#
-# Generated makefile dependencies follow.
-#
-hmac.so hmac.po $(OUTPRE)hmac.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../krb/crypto_int.h \
- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- crypto_mod.h hmac.c nss_gen.h
-pbkdf2.so pbkdf2.po $(OUTPRE)pbkdf2.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../krb/crypto_int.h \
- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- crypto_mod.h nss_gen.h pbkdf2.c
-prng.so prng.po $(OUTPRE)prng.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../krb/crypto_int.h \
- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- crypto_mod.h nss_gen.h nss_prng.h prng.c
-stubs.so stubs.po $(OUTPRE)stubs.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h stubs.c
diff --git a/src/lib/crypto/nss/des/Makefile.in b/src/lib/crypto/nss/des/Makefile.in
deleted file mode 100644
index 6b240e6..0000000
--- a/src/lib/crypto/nss/des/Makefile.in
+++ /dev/null
@@ -1,21 +0,0 @@
-mydir=lib$(S)crypto$(S)nss$(S)des
-BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
-CRYPTO_IMPL_CFLAGS=@CRYPTO_IMPL_CFLAGS@
-LOCALINCLUDES = -I$(srcdir)/../../krb -I$(srcdir)/.. $(CRYPTO_IMPL_CFLAGS)
-
-STLIBOBJS= des_keys.o
-
-OBJS= $(OUTPRE)des_keys.$(OBJEXT)
-
-SRCS= $(srcdir)/des_keys.c
-
-all-unix:: all-libobjs
-
-includes:: depend
-
-depend:: $(SRCS)
-
-clean-unix:: clean-libobjs
-
- at libobj_frag@
-
diff --git a/src/lib/crypto/nss/des/deps b/src/lib/crypto/nss/des/deps
deleted file mode 100644
index 21b904f..0000000
--- a/src/lib/crypto/nss/des/deps
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Generated makefile dependencies follow.
-#
-des_keys.so des_keys.po $(OUTPRE)des_keys.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(srcdir)/../crypto_mod.h \
- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- des_keys.c
diff --git a/src/lib/crypto/nss/des/des_keys.c b/src/lib/crypto/nss/des/des_keys.c
deleted file mode 100644
index 4ff0e84..0000000
--- a/src/lib/crypto/nss/des/des_keys.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/nss/des/des_keys.c - Key functions used by Kerberos code */
-/*
- * Copyright (C) 2011 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "crypto_int.h"
-
-/*
- * des_fixup_key_parity: Forces odd parity per byte; parity is bits
- * 8,16,...64 in des order, implies 0, 8, 16, ...
- * vax order.
- */
-#define smask(step) ((1<<step)-1)
-#define pstep(x,step) (((x)&smask(step))^(((x)>>step)&smask(step)))
-#define parity_char(x) pstep(pstep(pstep((x),4),2),1)
-
-void
-k5_des_fixup_key_parity(unsigned char *keybits)
-{
- unsigned int i;
-
- for (i = 0; i < 8; i++) {
- keybits[i] &= 0xfe;
- keybits[i] |= 1^parity_char(keybits[i]);
- }
-}
-
-/* The following are the weak DES keys: */
-static const unsigned char weak[16][8] = {
- /* Weak keys */
- {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01},
- {0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,0xfe},
- {0x1f,0x1f,0x1f,0x1f,0x0e,0x0e,0x0e,0x0e},
- {0xe0,0xe0,0xe0,0xe0,0xf1,0xf1,0xf1,0xf1},
-
- /* Semi-weak */
- {0x01,0xfe,0x01,0xfe,0x01,0xfe,0x01,0xfe},
- {0xfe,0x01,0xfe,0x01,0xfe,0x01,0xfe,0x01},
-
- {0x1f,0xe0,0x1f,0xe0,0x0e,0xf1,0x0e,0xf1},
- {0xe0,0x1f,0xe0,0x1f,0xf1,0x0e,0xf1,0x0e},
-
- {0x01,0xe0,0x01,0xe0,0x01,0xf1,0x01,0xf1},
- {0xe0,0x01,0xe0,0x01,0xf1,0x01,0xf1,0x01},
-
- {0x1f,0xfe,0x1f,0xfe,0x0e,0xfe,0x0e,0xfe},
- {0xfe,0x1f,0xfe,0x1f,0xfe,0x0e,0xfe,0x0e},
-
- {0x01,0x1f,0x01,0x1f,0x01,0x0e,0x01,0x0e},
- {0x1f,0x01,0x1f,0x01,0x0e,0x01,0x0e,0x01},
-
- {0xe0,0xfe,0xe0,0xfe,0xf1,0xfe,0xf1,0xfe},
- {0xfe,0xe0,0xfe,0xe0,0xfe,0xf1,0xfe,0xf1}
-};
-
-krb5_boolean
-k5_des_is_weak_key(unsigned char *keybits)
-{
- unsigned int i;
-
- for (i = 0; i < sizeof(weak) / 8; i++) {
- if (memcmp(weak[i], keybits, 8) == 0)
- return TRUE;
- }
- return FALSE;
-}
diff --git a/src/lib/crypto/nss/enc_provider/Makefile.in b/src/lib/crypto/nss/enc_provider/Makefile.in
deleted file mode 100644
index e1d382e..0000000
--- a/src/lib/crypto/nss/enc_provider/Makefile.in
+++ /dev/null
@@ -1,39 +0,0 @@
-mydir=lib$(S)crypto$(S)nss$(S)enc_provider
-BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
-CRYPTO_IMPL_CFLAGS=@CRYPTO_IMPL_CFLAGS@
-LOCALINCLUDES = -I$(srcdir)/../../krb -I$(srcdir)/.. $(CRYPTO_IMPL_CFLAGS)
-
-STLIBOBJS= \
- enc_gen.o \
- des.o \
- des3.o \
- rc4.o \
- aes.o \
- camellia.o
-
-OBJS= \
- $(OUTPRE)enc_gen.$(OBJEXT) \
- $(OUTPRE)des.$(OBJEXT) \
- $(OUTPRE)des3.$(OBJEXT) \
- $(OUTPRE)aes.$(OBJEXT) \
- $(OUTPRE)camellia.$(OBJEXT) \
- $(OUTPRE)rc4.$(OBJEXT)
-
-SRCS= \
- $(srcdir)/enc_gen.c \
- $(srcdir)/des.c \
- $(srcdir)/des3.c \
- $(srcdir)/aes.c \
- $(srcdir)/camellia.c \
- $(srcdir)/rc4.c
-
-all-unix:: all-libobjs
-
-includes:: depend
-
-depend:: $(SRCS)
-
-clean-unix:: clean-libobjs
-
- at libobj_frag@
-
diff --git a/src/lib/crypto/nss/enc_provider/aes.c b/src/lib/crypto/nss/enc_provider/aes.c
deleted file mode 100644
index 3fe7996..0000000
--- a/src/lib/crypto/nss/enc_provider/aes.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/nss/enc_provider/aes.c */
-/*
- * Copyright (c) 2010 Red Hat, Inc.
- * All Rights Reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above
- * copyright notice, this list of conditions and the following
- * disclaimer in the documentation and/or other materials provided
- * with the distribution.
- *
- * * Neither the name of Red Hat, Inc., nor the names of its
- * contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
- * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
- * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "crypto_int.h"
-#include "nss_gen.h"
-
-krb5_error_code
-krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec,
- krb5_crypto_iov *data, size_t num_data)
-{
- krb5_error_code ret;
-
- ret = k5_nss_gen_import(key, CKM_AES_CBC, CKA_ENCRYPT);
- if (ret != 0)
- return ret;
- return k5_nss_gen_cts_iov(key, CKM_AES_CBC, CKA_ENCRYPT,
- ivec, data, num_data);
-}
-
-krb5_error_code
-krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec,
- krb5_crypto_iov *data, size_t num_data)
-{
- krb5_error_code ret;
-
- ret = k5_nss_gen_import(key, CKM_AES_CBC, CKA_DECRYPT);
- if (ret != 0)
- return ret;
- return k5_nss_gen_cts_iov(key, CKM_AES_CBC, CKA_DECRYPT,
- ivec, data, num_data);
-}
-
-/*
- * perhaps we should store the NSS context in the krb5_data state here?
- */
-static krb5_error_code
-aes_init_state(const krb5_keyblock *key, krb5_keyusage usage,
- krb5_data *state)
-{
- state->length = 16;
- state->data = (void *) malloc(16);
- if (state->data == NULL)
- return ENOMEM;
- memset(state->data, 0, state->length);
- return 0;
-}
-
-const struct krb5_enc_provider krb5int_enc_aes128 = {
- 16,
- 16, 16,
- krb5int_aes_encrypt,
- krb5int_aes_decrypt,
- NULL,
- aes_init_state,
- krb5int_default_free_state,
-};
-
-const struct krb5_enc_provider krb5int_enc_aes256 = {
- 16,
- 32, 32,
- krb5int_aes_encrypt,
- krb5int_aes_decrypt,
- NULL,
- aes_init_state,
- krb5int_default_free_state,
- k5_nss_gen_cleanup
-};
diff --git a/src/lib/crypto/nss/enc_provider/camellia.c b/src/lib/crypto/nss/enc_provider/camellia.c
deleted file mode 100644
index 9859efa..0000000
--- a/src/lib/crypto/nss/enc_provider/camellia.c
+++ /dev/null
@@ -1,113 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/nss/enc_provider/camellia.c */
-/*
- * Copyright (c) 2010 Red Hat, Inc.
- * All Rights Reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above
- * copyright notice, this list of conditions and the following
- * disclaimer in the documentation and/or other materials provided
- * with the distribution.
- *
- * * Neither the name of Red Hat, Inc., nor the names of its
- * contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
- * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
- * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "crypto_int.h"
-#include "nss_gen.h"
-
-static krb5_error_code
-krb5int_camellia_encrypt(krb5_key key, const krb5_data *ivec,
- krb5_crypto_iov *data, size_t num_data)
-{
- krb5_error_code ret;
-
- ret = k5_nss_gen_import(key, CKM_CAMELLIA_CBC, CKA_ENCRYPT);
- if (ret != 0)
- return ret;
- return k5_nss_gen_cts_iov(key, CKM_CAMELLIA_CBC, CKA_ENCRYPT,
- ivec, data, num_data);
-}
-
-static krb5_error_code
-krb5int_camellia_decrypt(krb5_key key, const krb5_data *ivec,
- krb5_crypto_iov *data, size_t num_data)
-{
- krb5_error_code ret;
-
- ret = k5_nss_gen_import(key, CKM_CAMELLIA_CBC, CKA_DECRYPT);
- if (ret != 0)
- return ret;
- return k5_nss_gen_cts_iov(key, CKM_CAMELLIA_CBC, CKA_DECRYPT,
- ivec, data, num_data);
-}
-
-krb5_error_code
-krb5int_camellia_cbc_mac(krb5_key key, const krb5_crypto_iov *data,
- size_t num_data, const krb5_data *ivec,
- krb5_data *output)
-{
- krb5_error_code ret;
-
- ret = k5_nss_gen_import(key, CKM_CAMELLIA_CBC, CKA_ENCRYPT);
- if (ret != 0)
- return ret;
- return k5_nss_gen_cbcmac_iov(key, CKM_CAMELLIA_CBC, ivec, data, num_data,
- output);
-}
-
-/*
- * perhaps we should store the NSS context in the krb5_data state here?
- */
-static krb5_error_code
-camellia_init_state(const krb5_keyblock *key, krb5_keyusage usage,
- krb5_data *state)
-{
- state->length = 16;
- state->data = (void *) malloc(16);
- if (state->data == NULL)
- return ENOMEM;
- memset(state->data, 0, state->length);
- return 0;
-}
-
-const struct krb5_enc_provider krb5int_enc_camellia128 = {
- 16,
- 16, 16,
- krb5int_camellia_encrypt,
- krb5int_camellia_decrypt,
- krb5int_camellia_cbc_mac,
- camellia_init_state,
- krb5int_default_free_state,
-};
-
-const struct krb5_enc_provider krb5int_enc_camellia256 = {
- 16,
- 32, 32,
- krb5int_camellia_encrypt,
- krb5int_camellia_decrypt,
- krb5int_camellia_cbc_mac,
- camellia_init_state,
- krb5int_default_free_state,
- k5_nss_gen_cleanup
-};
diff --git a/src/lib/crypto/nss/enc_provider/deps b/src/lib/crypto/nss/enc_provider/deps
deleted file mode 100644
index b0c2ab8..0000000
--- a/src/lib/crypto/nss/enc_provider/deps
+++ /dev/null
@@ -1,70 +0,0 @@
-#
-# Generated makefile dependencies follow.
-#
-enc_gen.so enc_gen.po $(OUTPRE)enc_gen.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \
- $(srcdir)/../crypto_mod.h $(srcdir)/../nss_gen.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h enc_gen.c
-des.so des.po $(OUTPRE)des.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \
- $(srcdir)/../crypto_mod.h $(srcdir)/../nss_gen.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h des.c
-des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \
- $(srcdir)/../crypto_mod.h $(srcdir)/../nss_gen.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h des3.c
-aes.so aes.po $(OUTPRE)aes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \
- $(srcdir)/../crypto_mod.h $(srcdir)/../nss_gen.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h aes.c
-camellia.so camellia.po $(OUTPRE)camellia.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(srcdir)/../crypto_mod.h \
- $(srcdir)/../nss_gen.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h camellia.c
-rc4.so rc4.po $(OUTPRE)rc4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h \
- $(srcdir)/../crypto_mod.h $(srcdir)/../nss_gen.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h rc4.c
diff --git a/src/lib/crypto/nss/enc_provider/des.c b/src/lib/crypto/nss/enc_provider/des.c
deleted file mode 100644
index bb1f1c0..0000000
--- a/src/lib/crypto/nss/enc_provider/des.c
+++ /dev/null
@@ -1,89 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/nss/enc_provider/des.c */
-/*
- * Copyright (c) 2010 Red Hat, Inc.
- * All Rights Reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above
- * copyright notice, this list of conditions and the following
- * disclaimer in the documentation and/or other materials provided
- * with the distribution.
- *
- * * Neither the name of Red Hat, Inc., nor the names of its
- * contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
- * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
- * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "crypto_int.h"
-#include "nss_gen.h"
-
-static krb5_error_code
-k5_des_encrypt_iov(krb5_key key, const krb5_data *ivec,
- krb5_crypto_iov *data, size_t num_data)
-{
- krb5_error_code ret;
-
- ret = k5_nss_gen_import(key, CKM_DES_CBC, CKA_ENCRYPT);
- if (ret != 0)
- return ret;
- return k5_nss_gen_block_iov(key, CKM_DES_CBC, CKA_ENCRYPT,
- ivec, data, num_data);
-}
-
-static krb5_error_code
-k5_des_decrypt_iov(krb5_key key,
- const krb5_data *ivec,
- krb5_crypto_iov *data,
- size_t num_data)
-{
- krb5_error_code ret;
-
- ret = k5_nss_gen_import(key, CKM_DES_CBC, CKA_DECRYPT);
- if (ret != 0)
- return ret;
- return k5_nss_gen_block_iov(key, CKM_DES_CBC, CKA_DECRYPT,
- ivec, data, num_data);
-}
-
-static krb5_error_code
-k5_des_cbc_mac(krb5_key key, const krb5_crypto_iov *data, size_t num_data,
- const krb5_data *ivec, krb5_data *output)
-{
- krb5_error_code ret;
-
- ret = k5_nss_gen_import(key, CKM_DES_CBC, CKA_ENCRYPT);
- if (ret != 0)
- return ret;
- return k5_nss_gen_cbcmac_iov(key, CKM_DES_CBC, ivec, data, num_data,
- output);
-}
-
-const struct krb5_enc_provider krb5int_enc_des = {
- 8,
- 7, 8,
- k5_des_encrypt_iov,
- k5_des_decrypt_iov,
- k5_des_cbc_mac,
- krb5int_des_init_state,
- krb5int_default_free_state,
- k5_nss_gen_cleanup
-};
diff --git a/src/lib/crypto/nss/enc_provider/des3.c b/src/lib/crypto/nss/enc_provider/des3.c
deleted file mode 100644
index 6217709..0000000
--- a/src/lib/crypto/nss/enc_provider/des3.c
+++ /dev/null
@@ -1,74 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/nss/enc_provider/des3.c */
-/*
- * Copyright (c) 2010 Red Hat, Inc.
- * All Rights Reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above
- * copyright notice, this list of conditions and the following
- * disclaimer in the documentation and/or other materials provided
- * with the distribution.
- *
- * * Neither the name of Red Hat, Inc., nor the names of its
- * contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
- * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
- * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "crypto_int.h"
-#include "nss_gen.h"
-
-static krb5_error_code
-k5_des3_encrypt_iov(krb5_key key, const krb5_data *ivec,
- krb5_crypto_iov *data, size_t num_data)
-{
- krb5_error_code ret;
-
- ret = k5_nss_gen_import(key, CKM_DES3_CBC, CKA_ENCRYPT);
- if (ret != 0)
- return ret;
- return k5_nss_gen_block_iov(key, CKM_DES3_CBC, CKA_ENCRYPT,
- ivec, data, num_data);
-}
-
-static krb5_error_code
-k5_des3_decrypt_iov(krb5_key key, const krb5_data *ivec,
- krb5_crypto_iov *data, size_t num_data)
-{
- krb5_error_code ret;
-
- ret = k5_nss_gen_import(key, CKM_DES3_CBC, CKA_DECRYPT);
- if (ret != 0)
- return ret;
- return k5_nss_gen_block_iov(key, CKM_DES3_CBC, CKA_DECRYPT,
- ivec, data, num_data);
-}
-
-const struct krb5_enc_provider krb5int_enc_des3 = {
- 8,
- 21, 24,
- k5_des3_encrypt_iov,
- k5_des3_decrypt_iov,
- NULL,
- krb5int_des_init_state,
- krb5int_default_free_state,
- k5_nss_gen_cleanup
-};
diff --git a/src/lib/crypto/nss/enc_provider/enc_gen.c b/src/lib/crypto/nss/enc_provider/enc_gen.c
deleted file mode 100644
index cfe0d65..0000000
--- a/src/lib/crypto/nss/enc_provider/enc_gen.c
+++ /dev/null
@@ -1,730 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/nss/enc_provider/enc_gen.c */
-/*
- * Copyright (c) 2010 Red Hat, Inc.
- * All Rights Reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above
- * copyright notice, this list of conditions and the following
- * disclaimer in the documentation and/or other materials provided
- * with the distribution.
- *
- * * Neither the name of Red Hat, Inc., nor the names of its
- * contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
- * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
- * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "crypto_int.h"
-#include "nss_gen.h"
-#include "seccomon.h"
-#include "secmod.h"
-#include "pk11pub.h"
-#include "nss.h"
-
-/* 512 bits is bigger than anything defined to date */
-#define MAX_KEY_LENGTH 64
-#define MAX_BLOCK_SIZE 64
-
-static NSSInitContext *k5_nss_ctx = NULL;
-static pid_t k5_nss_pid = 0;
-static k5_mutex_t k5_nss_lock = K5_MUTEX_PARTIAL_INITIALIZER;
-
-struct stream_state {
- struct stream_state *loopback; /* To detect copying */
- pid_t pid; /* To detect use across fork */
- PK11Context *ctx;
-};
-
-struct cached_key {
- pid_t pid; /* To detect use across fork */
- PK11SymKey *symkey;
-};
-
-krb5_error_code
-k5_nss_map_error(int nss_error)
-{
- /* Currently KRB5 does not define a full set of CRYPTO failures.
- * for now just use KRB5_CRYPTO_INTERNAL. We really should return
- * errors for Not logged in, and maybe a few others. */
- return KRB5_CRYPTO_INTERNAL;
-}
-
-krb5_error_code
-k5_nss_map_last_error(void)
-{
- return k5_nss_map_error(PORT_GetError());
-}
-
-int
-krb5int_crypto_impl_init(void)
-{
- return k5_mutex_finish_init(&k5_nss_lock);
-}
-
-void
-krb5int_crypto_impl_cleanup(void)
-{
- k5_mutex_destroy(&k5_nss_lock);
-}
-
-/*
- * krb5 doesn't have a call into the crypto engine to initialize it, so we do
- * it here. This code will try to piggyback on any application initialization
- * done to NSS. Otherwise get our one library init context.
- */
-#define NSS_KRB5_CONFIGDIR "sql:/etc/pki/nssdb"
-krb5_error_code
-k5_nss_init(void)
-{
- PRUint32 flags = NSS_INIT_READONLY | NSS_INIT_NOROOTINIT;
- krb5_error_code ret = 0;
- SECStatus rv;
- pid_t pid;
-
- k5_mutex_lock(&k5_nss_lock);
- pid = getpid();
- if (k5_nss_ctx != NULL) {
- /* Do nothing if the existing context is still good. */
- if (k5_nss_pid == pid)
- goto cleanup;
- /* The caller has forked. Restart the NSS modules. This will
- * invalidate all of our PKCS11 handles, which we're prepared for. */
- rv = SECMOD_RestartModules(TRUE);
- if (rv != SECSuccess) {
- ret = k5_nss_map_last_error();
- goto cleanup;
- }
- k5_nss_pid = pid;
- goto cleanup;
- }
- k5_nss_ctx = NSS_InitContext(NSS_KRB5_CONFIGDIR, "", "", "", NULL, flags);
- if (k5_nss_ctx == NULL) {
- /* There may be no system database; try again without it. */
- flags |= NSS_INIT_NOMODDB | NSS_INIT_NOCERTDB;
- k5_nss_ctx = NSS_InitContext(NULL, "", "", "", NULL, flags);
- if (k5_nss_ctx == NULL) {
- ret = k5_nss_map_last_error();
- goto cleanup;
- }
- }
- k5_nss_pid = pid;
-
-cleanup:
- k5_mutex_unlock(&k5_nss_lock);
- return ret;
-}
-
-PK11Context *
-k5_nss_create_context(krb5_key krb_key, CK_MECHANISM_TYPE mechanism,
- CK_ATTRIBUTE_TYPE operation, SECItem *param)
-{
- struct cached_key *ckey = krb_key->cache;
-
- return PK11_CreateContextBySymKey(mechanism, operation, ckey->symkey,
- param);
-}
-
-static void inline
-xor(unsigned char *x, unsigned char *y, int size)
-{
- int i;
-
-#define ALIGNED(x,type) (!(((size_t)(x))&(sizeof(type)-1)))
- if (ALIGNED(x,unsigned long) && ALIGNED(y, unsigned long)
- && ALIGNED(size, unsigned long)) {
- unsigned long *ux = (unsigned long *)x;
- unsigned long *uy = (unsigned long *)y;
- for (i=0; i < (int)(size/sizeof(unsigned long)); i++) {
- *ux++ ^= *uy++;
- }
- return;
- }
- for (i=0; i < size; i++) {
- *x++ ^= *y++;
- }
-}
-
-krb5_error_code
-k5_nss_gen_block_iov(krb5_key krb_key, CK_MECHANISM_TYPE mech,
- CK_ATTRIBUTE_TYPE operation, const krb5_data *ivec,
- krb5_crypto_iov *data, size_t num_data)
-{
- krb5_error_code ret = 0;
- PK11Context *ctx = NULL;
- SECStatus rv;
- SECItem *param = NULL;
- struct iov_cursor cursor;
- unsigned char block[MAX_BLOCK_SIZE];
- unsigned char iv0[MAX_BLOCK_SIZE];
- unsigned char *lastptr = NULL;
- SECItem iv;
- size_t blocksize;
- int length = 0;
- int lastblock = -1;
- int currentblock;
-
- blocksize = PK11_GetBlockSize(mech, NULL);
- assert(blocksize <= sizeof(block));
-
- if (ivec && ivec->data) {
- iv.data = (unsigned char *)ivec->data;
- iv.len = ivec->length;
- if (operation == CKA_DECRYPT) {
- /* Count the blocks so we know which block is last. */
- int inputlength = iov_total_length(data, num_data, FALSE);
- lastblock = (inputlength/blocksize) -1;
- }
- } else {
- memset(iv0, 0, sizeof(iv0));
- iv.data = iv0;
- iv.len = blocksize;
- }
- param = PK11_ParamFromIV(mech, &iv);
-
- ctx = k5_nss_create_context(krb_key, mech, operation, param);
- if (ctx == NULL) {
- ret = k5_nss_map_last_error();
- goto done;
- }
-
- k5_iov_cursor_init(&cursor, data, num_data, blocksize, FALSE);
- for (currentblock = 0;;currentblock++) {
- if (!k5_iov_cursor_get(&cursor, block))
- break;
-
- lastptr = NULL;
-
- /* only set if we are decrypting */
- if (lastblock == currentblock)
- memcpy(ivec->data, block, blocksize);
-
- rv = PK11_CipherOp(ctx, block, &length, blocksize, block, blocksize);
- if (rv != SECSuccess) {
- ret = k5_nss_map_last_error();
- break;
- }
-
- lastptr = block;
- k5_iov_cursor_put(&cursor, block);
- }
-
- if (lastptr && ivec && ivec->data && operation == CKA_ENCRYPT) {
- memcpy(ivec->data, lastptr, blocksize);
- }
-done:
- if (ctx) {
- PK11_Finalize(ctx);
- PK11_DestroyContext(ctx, PR_TRUE);
- }
- if (param)
- SECITEM_FreeItem(param, PR_TRUE);
- return ret;
-}
-
-krb5_error_code
-k5_nss_stream_init_state(krb5_data *new_state)
-{
- struct stream_state *sstate;
-
- /* Create a state structure with an uninitialized context. */
- sstate = calloc(1, sizeof(*sstate));
- if (sstate == NULL)
- return ENOMEM;
- sstate->loopback = NULL;
- new_state->data = (char *) sstate;
- new_state->length = sizeof(*sstate);
- return 0;
-}
-
-void
-k5_nss_stream_free_state(krb5_data *state)
-{
- struct stream_state *sstate = (struct stream_state *) state->data;
-
- /* Clean up the OpenSSL context if it was initialized. */
- if (sstate && sstate->loopback == sstate) {
- PK11_Finalize(sstate->ctx);
- PK11_DestroyContext(sstate->ctx, PR_TRUE);
- }
- free(sstate);
-}
-
-krb5_error_code
-k5_nss_gen_stream_iov(krb5_key krb_key, krb5_data *state,
- CK_MECHANISM_TYPE mech, CK_ATTRIBUTE_TYPE operation,
- krb5_crypto_iov *data, size_t num_data)
-{
- int ret = 0;
- PK11Context *ctx = NULL;
- SECStatus rv;
- SECItem param;
- krb5_crypto_iov *iov;
- struct stream_state *sstate = NULL;
- int i;
-
- param.data = NULL;
- param.len = 0;
-
- sstate = (state == NULL) ? NULL : (struct stream_state *) state->data;
- if (sstate == NULL || sstate->loopback == NULL) {
- ctx = k5_nss_create_context(krb_key, mech, operation, ¶m);
- if (ctx == NULL) {
- ret = k5_nss_map_last_error();
- goto done;
- }
- if (sstate) {
- sstate->loopback = sstate;
- sstate->pid = getpid();
- sstate->ctx = ctx;
- }
- } else {
- /* Cipher state can't be copied or used across a fork. */
- if (sstate->loopback != sstate || sstate->pid != getpid())
- return EINVAL;
- ctx = sstate->ctx;
- }
-
- for (i=0; i < (int)num_data; i++) {
- int return_length;
- iov = &data[i];
- if (iov->data.length <= 0)
- continue;
-
- if (ENCRYPT_IOV(iov)) {
- rv = PK11_CipherOp(ctx, (unsigned char *)iov->data.data,
- &return_length, iov->data.length,
- (unsigned char *)iov->data.data,
- iov->data.length);
- if (rv != SECSuccess) {
- ret = k5_nss_map_last_error();
- goto done;
- }
- iov->data.length = return_length;
- }
- }
-done:
- if (!state && ctx) {
- PK11_Finalize(ctx);
- PK11_DestroyContext(ctx, PR_TRUE);
- }
- return ret;
-}
-
-krb5_error_code
-k5_nss_gen_cts_iov(krb5_key krb_key, CK_MECHANISM_TYPE mech,
- CK_ATTRIBUTE_TYPE operation, const krb5_data *ivec,
- krb5_crypto_iov *data, size_t num_data)
-{
- krb5_error_code ret = 0;
- PK11Context *ctx = NULL;
- SECStatus rv;
- SECItem *param = NULL;
- struct iov_cursor cursor;
- unsigned char block[MAX_BLOCK_SIZE];
- unsigned char recover1[MAX_BLOCK_SIZE];
- unsigned char recover2[MAX_BLOCK_SIZE];
- unsigned char block1[MAX_BLOCK_SIZE];
- unsigned char block2[MAX_BLOCK_SIZE];
- unsigned char iv0[MAX_BLOCK_SIZE];
- SECItem iv;
- size_t blocksize;
- size_t bulk_length, remainder;
- size_t input_length, lastblock;
- size_t length;
- int len;
-
- blocksize = PK11_GetBlockSize(mech, NULL);
- assert(blocksize <= sizeof(block));
-
- if (ivec) {
- iv.data = (unsigned char *)ivec->data;
- iv.len = ivec->length;
- } else {
- memset(iv0, 0, sizeof(iv0));
- iv.data = iv0;
- iv.len = blocksize;
- }
- param = PK11_ParamFromIV(mech, &iv);
-
- input_length = iov_total_length(data, num_data, FALSE);
- /* Must be at least a block or we fail. */
- if (input_length < blocksize) {
- ret = EINVAL;
- goto done;
- }
-
- bulk_length = (input_length / blocksize)*blocksize;
- remainder = input_length - bulk_length;
- /* Do the block swap even if the input data is aligned, only
- * drop it if we are encrypting exactly one block. */
- if (remainder == 0 && bulk_length != blocksize) {
- remainder = blocksize;
- bulk_length -= blocksize;
- }
-
- ctx = k5_nss_create_context(krb_key, mech, operation, param);
- if (ctx == NULL) {
- ret = k5_nss_map_last_error();
- goto done;
- }
-
- /* Now we bulk encrypt each block in the loop. We need to know where to
- * stop to do special processing. For single block operations we stop at
- * the end. For all others we stop and the last second to last block
- * (counting partial blocks). For decrypt operations we need to save cn-2
- * so we stop at the third to last block if it exists, otherwise cn-2 = the
- * iv. */
- lastblock = bulk_length;
- if (remainder) {
- /* We need to process the last full block and last partitial block
- * differently. */
- lastblock = bulk_length - blocksize;
- if (operation == CKA_DECRYPT) {
- if (bulk_length > blocksize) {
- /* Stop at cn-2 so we can save it before going on. */
- lastblock = bulk_length - 2*blocksize;
- } else {
- /* iv is cn-2, save it now, cn - 2. */
- memcpy(recover1, iv.data, blocksize);
- memcpy(recover2, iv.data, blocksize);
- }
- }
- }
- k5_iov_cursor_init(&cursor, data, num_data, blocksize, FALSE);
- for (length = 0; length < lastblock; length += blocksize) {
- if (!k5_iov_cursor_get(&cursor, block))
- break;
-
- rv = PK11_CipherOp(ctx, block, &len, blocksize, block, blocksize);
- if (rv != SECSuccess) {
- ret = k5_nss_map_last_error();
- break;
- }
-
- k5_iov_cursor_put(&cursor, block);
- }
- if (remainder) {
- if (operation == CKA_DECRYPT) {
- if (bulk_length > blocksize) {
- /* we need to save cn-2 */
- if (!k5_iov_cursor_get(&cursor, block))
- goto done; /* shouldn't happen */
-
- /* save cn-2 */
- memcpy(recover1, block, blocksize);
- memcpy(recover2, block, blocksize);
-
- /* now process it as normal */
- rv = PK11_CipherOp(ctx, block, &len, blocksize, block,
- blocksize);
- if (rv != SECSuccess) {
- ret = k5_nss_map_last_error();
- goto done;
- }
-
- k5_iov_cursor_put(&cursor, block);
- }
- }
- /* fetch the last 2 blocks */
- k5_iov_cursor_get(&cursor, block2);
- k5_iov_cursor_get(&cursor, block1);
- if (operation == CKA_DECRYPT) {
- /* recover1 and recover2 are xor values to recover the true
- * underlying data of the last 2 decrypts. This keeps us from
- * having to try to reset our IV to do the final decryption. */
- /* Currently: block1 is cn || 0, block2 is cn-1.
- * recover1 & recover2 is set to cn-2. */
- /* recover2 recovers pn || c' from p'n-1. The raw decrypted block
- * will be p'n-1 xor with cn-2 while pn || c' = p'n-1 xor cn || 0.
- * recover2 is cn-2 xor cn || 0, so we can simple xor recover1
- * with the raw decrypted block. */
- /* recover1 recovers pn-1 from the raw decryption of cn || c'.
- * the raw decrypt of cn || c' = p'n xor cn-1 while
- * pn-1 = p'n xor cn-2
- * recover1 is cn-2 xor cn-1, so we can simple xor recover 2 with
- * the raw decrypt of cn||c' to get pn-1. */
- xor(recover1, block2, blocksize);
- xor(recover2, block1, blocksize);
- if (ivec && ivec->data)
- memcpy(ivec->data, block2, blocksize);
- }
- rv = PK11_CipherOp(ctx, block2, &len, blocksize, block2, blocksize);
- if (rv != SECSuccess) {
- ret = k5_nss_map_last_error();
- goto done;
- }
- if (operation == CKA_DECRYPT) {
- /* block2 now has p'n-1 xor cn-2. */
- xor(block2, recover2, blocksize);
- /* block 2 now has pn || c'. */
- /* copy c' into cn || c'. */
- memcpy(block1 + remainder, block2 + remainder,
- blocksize - remainder);
- }
- rv = PK11_CipherOp(ctx, block1, &len, blocksize, block1, blocksize);
- if (rv != SECSuccess) {
- ret = k5_nss_map_last_error();
- goto done;
- }
- if (operation == CKA_DECRYPT) {
- /* block1 now has p'n xor cn-1 */
- xor(block1, recover1, blocksize);
- /* block 1 now has pn-1 */
- } else {
- if (ivec && ivec->data) {
- memcpy(ivec->data, block1, blocksize);
- }
- }
- k5_iov_cursor_put(&cursor, block1);
- k5_iov_cursor_put(&cursor, block2);
- }
-
-done:
- if (ctx) {
- PK11_Finalize(ctx);
- PK11_DestroyContext(ctx, PR_TRUE);
- }
- if (param)
- SECITEM_FreeItem(param, PR_TRUE);
- return ret;
-}
-
-krb5_error_code
-k5_nss_gen_cbcmac_iov(krb5_key krb_key, CK_MECHANISM_TYPE mech,
- const krb5_data *ivec, const krb5_crypto_iov *data,
- size_t num_data, krb5_data *output)
-{
- krb5_error_code ret = 0;
- PK11Context *ctx = NULL;
- SECStatus rv;
- SECItem *param = NULL;
- struct iov_cursor cursor;
- unsigned char block[MAX_BLOCK_SIZE], *lastblock;
- unsigned char iv0[MAX_BLOCK_SIZE];
- SECItem iv;
- size_t blocksize;
- int length = 0;
- int currentblock;
-
- blocksize = PK11_GetBlockSize(mech, NULL);
- assert(blocksize <= sizeof(block));
- if (output->length < blocksize)
- return KRB5_BAD_MSIZE;
-
- if (ivec && ivec->data) {
- iv.data = (unsigned char *)ivec->data;
- iv.len = ivec->length;
- } else {
- memset(iv0, 0, sizeof(iv0));
- iv.data = iv0;
- iv.len = blocksize;
- }
- param = PK11_ParamFromIV(mech, &iv);
-
- ctx = k5_nss_create_context(krb_key, mech, CKA_ENCRYPT, param);
- if (ctx == NULL) {
- ret = k5_nss_map_last_error();
- goto done;
- }
-
- lastblock = iv.data;
- k5_iov_cursor_init(&cursor, data, num_data, blocksize, FALSE);
- for (currentblock = 0;;currentblock++) {
- if (!k5_iov_cursor_get(&cursor, block))
- break;
- rv = PK11_CipherOp(ctx, block, &length, blocksize, block, blocksize);
- if (rv != SECSuccess) {
- ret = k5_nss_map_last_error();
- goto done;
- }
- lastblock = block;
- }
- memcpy(output->data, lastblock, blocksize);
-
-done:
- if (ctx) {
- PK11_Finalize(ctx);
- PK11_DestroyContext(ctx, PR_TRUE);
- }
- if (param)
- SECITEM_FreeItem(param, PR_TRUE);
- return ret;
-}
-
-void
-k5_nss_gen_cleanup(krb5_key krb_key)
-{
- struct cached_key *ckey = krb_key->cache;
-
- if (ckey) {
- PK11_FreeSymKey(ckey->symkey);
- free(ckey);
- krb_key->cache = NULL;
- }
-}
-
-krb5_error_code
-k5_nss_gen_import(krb5_key krb_key, CK_MECHANISM_TYPE mech,
- CK_ATTRIBUTE_TYPE operation)
-{
- krb5_error_code ret = 0;
- pid_t pid = getpid();
- struct cached_key *ckey = krb_key->cache;
- PK11SymKey *symkey;
- PK11SlotInfo *slot = NULL;
- SECItem raw_key;
-#ifdef FAKE_FIPS
- PK11SymKey *wrapping_key = NULL;
- PK11Context *ctx = NULL;
- SECItem wrapped_key;
- SECItem params;
- unsigned char wrapped_key_data[MAX_KEY_LENGTH];
- unsigned char padded_key_data[MAX_KEY_LENGTH];
- int wrapping_index, series, blocksize;
- int keyLength;
- CK_MECHANISM_TYPE mechanism;
- SECStatus rv;
-#endif
-
- if (ckey && ckey->pid == pid)
- return 0;
-
- ret = k5_nss_init();
- if (ret)
- return ret;
-
- if (ckey) {
- /* Discard the no-longer-valid symkey and steal its container. */
- PK11_FreeSymKey(ckey->symkey);
- ckey->symkey = NULL;
- krb_key->cache = NULL;
- } else {
- /* Allocate a new container. */
- ckey = k5alloc(sizeof(*ckey), &ret);
- if (ckey == NULL)
- return ret;
- }
-
- slot = PK11_GetBestSlot(mech, NULL);
- if (slot == NULL) {
- ret = k5_nss_map_last_error();
- goto done;
- }
- raw_key.data = krb_key->keyblock.contents;
- raw_key.len = krb_key->keyblock.length;
-
-#ifdef FAKE_FIPS
- /* First, fetch a wrapping key. */
- wrapping_index = PK11_GetCurrentWrapIndex(slot);
- series = PK11_GetSlotSeries(slot);
- wrapping_key = PK11_GetWrapKey(slot, wrapping_index,
- CKM_INVALID_MECHANISM, series, NULL);
- if (wrapping_key == NULL) {
- /* One doesn't exist, create one. */
- mechanism = PK11_GetBestWrapMechanism(slot);
- keyLength = PK11_GetBestKeyLength(slot, mechanism);
- wrapping_key = PK11_TokenKeyGenWithFlags(slot, mechanism, NULL,
- keyLength, NULL,
- CKF_UNWRAP | CKF_ENCRYPT, 0,
- NULL);
- if (!wrapping_key) {
- ret = k5_nss_map_last_error();
- goto done;
- }
- PK11_SetWrapKey(slot, wrapping_index, wrapping_key);
- }
-
- /* Now encrypt the data with the wrapping key. */
- mechanism = PK11_GetMechanism(wrapping_key);
- params.data = NULL;
- params.len = 0;
- ctx = PK11_CreateContextBySymKey(mechanism, CKA_ENCRYPT,
- wrapping_key, ¶ms);
- if (ctx == NULL) {
- ret = k5_nss_map_last_error();
- goto done;
- }
-
- wrapped_key.data = wrapped_key_data;
- wrapped_key.len = sizeof(wrapped_key_data);
- blocksize = PK11_GetBlockSize(mechanism, NULL);
- keyLength = raw_key.len;
-
- /*
- * ECB modes need keys in integral multiples of the block size.
- * if the key isn't and integral multiple, pad it with zero. Unwrap
- * will use the length parameter to appropriately set the key.
- */
- if ((raw_key.len % blocksize) != 0) {
- int keyblocks = (raw_key.len + (blocksize - 1)) / blocksize;
- keyLength = keyblocks * blocksize;
- assert(keyLength <= sizeof(padded_key_data));
- memset(padded_key_data, 0, keyLength);
- memcpy(padded_key_data, raw_key.data, raw_key.len);
- raw_key.data = padded_key_data;
- }
- rv = PK11_CipherOp(ctx, wrapped_key.data, (int *)&wrapped_key.len,
- sizeof(wrapped_key_data), raw_key.data, keyLength);
- if (keyLength != raw_key.len) {
- /* Clear our copy of the key bits. */
- memset(padded_key_data, 0, keyLength);
- }
- if (rv != SECSuccess) {
- ret = k5_nss_map_last_error();
- goto done;
- }
- PK11_Finalize(ctx);
- PK11_DestroyContext(ctx, PR_TRUE);
- ctx = NULL;
-
- /* Now now we have a 'wrapped' version of the, we can import it into
- * the token without running afoul with FIPS. */
- symkey = PK11_UnwrapSymKey(wrapping_key, mechanism, ¶ms, &wrapped_key,
- mech, operation, raw_key.len);
-#else
- symkey = PK11_ImportSymKey(slot, mech, PK11_OriginGenerated, operation,
- &raw_key, NULL);
-#endif
- if (symkey == NULL) {
- ret = k5_nss_map_last_error();
- goto done;
- }
- ckey->pid = pid;
- ckey->symkey = symkey;
- krb_key->cache = ckey;
- ckey = NULL;
-
-done:
- free(ckey);
- if (slot)
- PK11_FreeSlot(slot);
-#ifdef FAKE_FIPS
- if (ctx) {
- PK11_Finalize(ctx);
- PK11_DestroyContext(ctx, PR_TRUE);
- }
- if (wrapping_key)
- PK11_FreeSymKey(wrapping_key);
-#endif
-
- return ret;
-}
diff --git a/src/lib/crypto/nss/enc_provider/rc4.c b/src/lib/crypto/nss/enc_provider/rc4.c
deleted file mode 100644
index 17d90d9..0000000
--- a/src/lib/crypto/nss/enc_provider/rc4.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/nss/enc_provider/rc4.c */
-/*
- * Copyright (c) 2010 Red Hat, Inc.
- * All Rights Reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above
- * copyright notice, this list of conditions and the following
- * disclaimer in the documentation and/or other materials provided
- * with the distribution.
- *
- * * Neither the name of Red Hat, Inc., nor the names of its
- * contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
- * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
- * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "crypto_int.h"
-#include "nss_gen.h"
-
-#define RC4_KEY_SIZE 16
-#define RC4_BLOCK_SIZE 1
-
-/* In-place IOV crypto */
-static krb5_error_code
-k5_arcfour_encrypt_iov(krb5_key key, const krb5_data *state,
- krb5_crypto_iov *data, size_t num_data)
-{
- krb5_error_code ret;
-
- ret = k5_nss_gen_import(key, CKM_RC4, CKA_ENCRYPT);
- if (ret != 0)
- return ret;
- return k5_nss_gen_stream_iov(key, state, CKM_RC4, CKA_ENCRYPT,
- data, num_data);
-}
-
-/* In-place IOV crypto */
-static krb5_error_code
-k5_arcfour_decrypt_iov(krb5_key key, const krb5_data *state,
- krb5_crypto_iov *data, size_t num_data)
-{
- krb5_error_code ret;
-
- ret = k5_nss_gen_import(key, CKM_RC4, CKA_DECRYPT);
- if (ret != 0)
- return ret;
- return k5_nss_gen_stream_iov(key, state, CKM_RC4, CKA_DECRYPT,
- data, num_data);
-}
-
-static void
-k5_arcfour_free_state(krb5_data *state)
-{
- (void)k5_nss_stream_free_state(state);
-}
-
-static krb5_error_code
-k5_arcfour_init_state(const krb5_keyblock *key,
- krb5_keyusage keyusage, krb5_data *new_state)
-{
- /* key can't quite be used here. See comment in k5_arcfour_init_state. */
- return k5_nss_stream_init_state(new_state);
-}
-
-const struct krb5_enc_provider krb5int_enc_arcfour = {
- /* This seems to work... although I am not sure what the
- implications are in other places in the kerberos library. */
- RC4_BLOCK_SIZE,
- /* Keysize is arbitrary in arcfour, but the constraints of the
- system, and to attempt to work with the MSFT system forces us
- to 16byte/128bit. Since there is no parity in the key, the
- byte and length are the same. */
- RC4_KEY_SIZE, RC4_KEY_SIZE,
- k5_arcfour_encrypt_iov,
- k5_arcfour_decrypt_iov,
- NULL,
- k5_arcfour_init_state,
- k5_arcfour_free_state,
- k5_nss_gen_cleanup
-};
diff --git a/src/lib/crypto/nss/hash_provider/Makefile.in b/src/lib/crypto/nss/hash_provider/Makefile.in
deleted file mode 100644
index 495309b..0000000
--- a/src/lib/crypto/nss/hash_provider/Makefile.in
+++ /dev/null
@@ -1,35 +0,0 @@
-mydir=lib$(S)crypto$(S)nss$(S)hash_provider
-BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
-CRYPTO_IMPL_CFLAGS=@CRYPTO_IMPL_CFLAGS@
-LOCALINCLUDES = -I$(srcdir)/../../krb -I$(srcdir)/.. -I$(srcdir)/../md4 \
- $(CRYPTO_IMPL_CFLAGS)
-
-STLIBOBJS= \
- hash_gen.o \
- hash_crc32.o \
- hash_md4.o \
- hash_md5.o \
- hash_sha1.o
-
-OBJS= $(OUTPRE)hash_gen.$(OBJEXT) \
- $(OUTPRE)hash_crc32.$(OBJEXT) \
- $(OUTPRE)hash_md4.$(OBJEXT) \
- $(OUTPRE)hash_md5.$(OBJEXT) \
- $(OUTPRE)hash_sha1.$(OBJEXT)
-
-SRCS= $(srcdir)/hash_gen.c \
- $(srcdir)/hash_crc32.c \
- $(srcdir)/hash_md4.c \
- $(srcdir)/hash_md5.c \
- $(srcdir)/hash_sha1.c
-
-all-unix:: all-libobjs
-
-includes:: depend
-
-depend:: $(SRCS)
-
-clean-unix:: clean-libobjs
-
- at libobj_frag@
-
diff --git a/src/lib/crypto/nss/hash_provider/deps b/src/lib/crypto/nss/hash_provider/deps
deleted file mode 100644
index f16b148..0000000
--- a/src/lib/crypto/nss/hash_provider/deps
+++ /dev/null
@@ -1,63 +0,0 @@
-#
-# Generated makefile dependencies follow.
-#
-hash_gen.so hash_gen.po $(OUTPRE)hash_gen.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(srcdir)/../crypto_mod.h \
- $(srcdir)/../nss_gen.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h hash_gen.c
-hash_crc32.so hash_crc32.po $(OUTPRE)hash_crc32.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(srcdir)/../crypto_mod.h \
- $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
- $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
- $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- hash_crc32.c
-hash_md4.so hash_md4.po $(OUTPRE)hash_md4.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(srcdir)/../crypto_mod.h \
- $(srcdir)/../md4/rsa-md4.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h hash_md4.c
-hash_md5.so hash_md5.po $(OUTPRE)hash_md5.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(srcdir)/../crypto_mod.h \
- $(srcdir)/../nss_gen.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h hash_md5.c
-hash_sha1.so hash_sha1.po $(OUTPRE)hash_sha1.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(srcdir)/../../krb/crypto_int.h $(srcdir)/../crypto_mod.h \
- $(srcdir)/../nss_gen.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h hash_sha1.c
diff --git a/src/lib/crypto/nss/hash_provider/hash_crc32.c b/src/lib/crypto/nss/hash_provider/hash_crc32.c
deleted file mode 100644
index c8d0e08..0000000
--- a/src/lib/crypto/nss/hash_provider/hash_crc32.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright (C) 1998 by the FundsXpress, INC.
- *
- * All rights reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of FundsXpress. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. FundsXpress makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#include "crypto_int.h"
-
-static krb5_error_code
-k5_crc32_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
-{
- unsigned long c;
- unsigned int i;
-
- if (output->length != CRC32_CKSUM_LENGTH)
- return KRB5_CRYPTO_INTERNAL;
-
- c = 0;
- for (i=0; i < num_data; i++) {
- const krb5_crypto_iov *iov = &data[i];
-
- if (SIGN_IOV(iov))
- mit_crc32(iov->data.data, iov->data.length, &c);
- }
-
- store_32_le(c, output->data);
- return 0;
-}
-
-const struct krb5_hash_provider krb5int_hash_crc32 = {
- "CRC32",
- CRC32_CKSUM_LENGTH,
- 1,
- k5_crc32_hash
-};
diff --git a/src/lib/crypto/nss/hash_provider/hash_gen.c b/src/lib/crypto/nss/hash_provider/hash_gen.c
deleted file mode 100644
index 9364a6c..0000000
--- a/src/lib/crypto/nss/hash_provider/hash_gen.c
+++ /dev/null
@@ -1,74 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/nss/hash_provider/hash_gen.c */
-/*
- * Copyright (c) 2010 Red Hat, Inc.
- * All Rights Reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above
- * copyright notice, this list of conditions and the following
- * disclaimer in the documentation and/or other materials provided
- * with the distribution.
- *
- * * Neither the name of Red Hat, Inc., nor the names of its
- * contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
- * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
- * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "crypto_int.h"
-#include "sechash.h"
-#include "nss_gen.h"
-
-krb5_error_code
-k5_nss_gen_hash(HASH_HashType hashType, const krb5_crypto_iov *data,
- size_t num_data, krb5_data *output)
-{
- unsigned int i;
- HASHContext *ctx;
- krb5_error_code ret;
-
- ret = k5_nss_init();
- if (ret)
- return ret;
-
- if (output->length != HASH_ResultLen(hashType))
- return KRB5_CRYPTO_INTERNAL;
-
- ctx = HASH_Create(hashType);
- if (!ctx)
- return ENOMEM;
-
- HASH_Begin(ctx);
- for (i=0; i < num_data; i++) {
- const krb5_crypto_iov *iov = &data[i];
-
- if (iov->data.length && SIGN_IOV(iov)) {
- HASH_Update(ctx, (unsigned char *) iov->data.data,
- iov->data.length);
- }
- }
-
- HASH_End(ctx, (unsigned char *)output->data,
- &output->length, output->length);
- HASH_Destroy(ctx);
-
- return 0;
-}
diff --git a/src/lib/crypto/nss/hash_provider/hash_gen.h b/src/lib/crypto/nss/hash_provider/hash_gen.h
deleted file mode 100644
index 2b84da5..0000000
--- a/src/lib/crypto/nss/hash_provider/hash_gen.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/nss/hash_provider/hash_gen.h */
-/*
- * Copyright (c) 2010 Red Hat, Inc.
- * All Rights Reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above
- * copyright notice, this list of conditions and the following
- * disclaimer in the documentation and/or other materials provided
- * with the distribution.
- *
- * * Neither the name of Red Hat, Inc., nor the names of its
- * contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
- * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
- * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "k5-int.h"
-#include "sechash.h"
-
-krb5_error_code k5_nss_gen_hash(HASH_HashType hashType, unsigned int icount,
- const krb5_data *input, krb5_data *output);
diff --git a/src/lib/crypto/nss/hash_provider/hash_md4.c b/src/lib/crypto/nss/hash_provider/hash_md4.c
deleted file mode 100644
index 7bf6890..0000000
--- a/src/lib/crypto/nss/hash_provider/hash_md4.c
+++ /dev/null
@@ -1,61 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * Copyright (C) 2010 Red Hat, Inc.
- *
- * All rights reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of FundsXpress. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. FundsXpress makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#include "crypto_int.h"
-#include "rsa-md4.h"
-
-static krb5_error_code
-k5_md4_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
-{
- krb5_MD4_CTX ctx;
- unsigned long i;
-
- if (output->length != RSA_MD4_CKSUM_LENGTH)
- return KRB5_CRYPTO_INTERNAL;
-
- krb5int_MD4Init(&ctx);
- for (i=0; i < num_data; i++) {
- const krb5_crypto_iov *iov = &data[i];
-
- if (SIGN_IOV(iov)) {
- krb5int_MD4Update(&ctx, (unsigned char *)iov->data.data,
- iov->data.length);
- }
- }
- krb5int_MD4Final(&ctx);
-
- memcpy(output->data, ctx.digest, RSA_MD4_CKSUM_LENGTH);
-
- return 0;
-}
-
-const struct krb5_hash_provider krb5int_hash_md4 = {
- "MD4",
- RSA_MD4_CKSUM_LENGTH,
- 64,
- k5_md4_hash
-};
diff --git a/src/lib/crypto/nss/hash_provider/hash_md5.c b/src/lib/crypto/nss/hash_provider/hash_md5.c
deleted file mode 100644
index 167114f..0000000
--- a/src/lib/crypto/nss/hash_provider/hash_md5.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/nss/hash_provider/hash_md5.c */
-/*
- * Copyright (c) 2010 Red Hat, Inc.
- * All Rights Reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above
- * copyright notice, this list of conditions and the following
- * disclaimer in the documentation and/or other materials provided
- * with the distribution.
- *
- * * Neither the name of Red Hat, Inc., nor the names of its
- * contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
- * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
- * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "crypto_int.h"
-#include "nss_gen.h"
-
-static krb5_error_code
-k5_md5_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
-{
- return k5_nss_gen_hash(HASH_AlgMD5, data, num_data, output);
-}
-
-const struct krb5_hash_provider krb5int_hash_md5 = {
- "MD5",
- MD5_LENGTH,
- 64,
- k5_md5_hash
-};
diff --git a/src/lib/crypto/nss/hash_provider/hash_sha1.c b/src/lib/crypto/nss/hash_provider/hash_sha1.c
deleted file mode 100644
index bd84d74..0000000
--- a/src/lib/crypto/nss/hash_provider/hash_sha1.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/nss/hash_provider/hash_sha1.c */
-/*
- * Copyright (c) 2010 Red Hat, Inc.
- * All Rights Reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above
- * copyright notice, this list of conditions and the following
- * disclaimer in the documentation and/or other materials provided
- * with the distribution.
- *
- * * Neither the name of Red Hat, Inc., nor the names of its
- * contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
- * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
- * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "crypto_int.h"
-#include "nss_gen.h"
-
-static krb5_error_code
-k5_sha1_hash(const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
-{
- return k5_nss_gen_hash(HASH_AlgSHA1, data, num_data, output);
-}
-
-const struct krb5_hash_provider krb5int_hash_sha1 = {
- "SHA1",
- SHA1_LENGTH,
- 64,
- k5_sha1_hash
-};
diff --git a/src/lib/crypto/nss/hmac.c b/src/lib/crypto/nss/hmac.c
deleted file mode 100644
index 8de0d7a..0000000
--- a/src/lib/crypto/nss/hmac.c
+++ /dev/null
@@ -1,140 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/nss/hmac.c */
-/*
- * Copyright (c) 2010 Red Hat, Inc.
- * All Rights Reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above
- * copyright notice, this list of conditions and the following
- * disclaimer in the documentation and/or other materials provided
- * with the distribution.
- *
- * * Neither the name of Red Hat, Inc., nor the names of its
- * contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
- * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
- * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "crypto_int.h"
-#include "nss_gen.h"
-#include "pk11pub.h"
-
-/*
- * the HMAC transform looks like:
- *
- * H(K XOR opad, H(K XOR ipad, text))
- *
- * where H is a cryptographic hash
- * K is an n byte key
- * ipad is the byte 0x36 repeated blocksize times
- * opad is the byte 0x5c repeated blocksize times
- * and text is the data being protected
- */
-
-static CK_MECHANISM_TYPE
-digest_to_hmac(const struct krb5_hash_provider *hash)
-{
- /* use strcmp so we don't confuse SHA1 with SHA128 */
- /* handle the obvious cases first */
- if (!strcmp(hash->hash_name, "SHA1"))
- return CKM_SHA_1_HMAC;
- if (!strcmp(hash->hash_name, "MD5"))
- return CKM_MD5_HMAC;
- return CKM_INVALID_MECHANISM;
-}
-
-krb5_error_code
-krb5int_hmac(const struct krb5_hash_provider *hash, krb5_key key,
- const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
-{
- unsigned int i = 0;
- CK_MECHANISM_TYPE mech;
- PK11Context *ctx = NULL;
- krb5_error_code ret = 0;
- SECStatus rv;
- SECItem param;
-
- if (output->length < hash->hashsize)
- return KRB5_BAD_MSIZE;
-
- mech = digest_to_hmac(hash);
- if (mech == CKM_INVALID_MECHANISM)
- return KRB5_CRYPTO_INTERNAL; /* unsupported alg */
-
- ret = k5_nss_gen_import(key, mech, CKA_SIGN);
- if (ret != 0)
- return ret;
-
- param.data = NULL;
- param.len = 0;
- ctx = k5_nss_create_context(key, mech, CKA_SIGN, ¶m);
- if (ctx == NULL)
- goto fail;
-
- rv = PK11_DigestBegin(ctx);
- if (rv != SECSuccess)
- goto fail;
-
- for (i=0; i < num_data; i++) {
- const krb5_crypto_iov *iov = &data[i];
-
- if (iov->data.length && SIGN_IOV(iov)) {
- rv = PK11_DigestOp(ctx,(const unsigned char*)iov->data.data,
- iov->data.length);
- if (rv != SECSuccess)
- goto fail;
- }
-
- }
- rv = PK11_DigestFinal(ctx, (unsigned char *) output->data, &output->length,
- output->length);
- if (rv != SECSuccess)
- goto fail;
- PK11_DestroyContext(ctx, PR_TRUE);
- return 0;
-fail:
- ret = k5_nss_map_last_error();
- if (ctx)
- PK11_DestroyContext(ctx, PR_TRUE);
- return ret;
-}
-
-krb5_error_code
-krb5int_hmac_keyblock(const struct krb5_hash_provider *hash,
- const krb5_keyblock *keyblock,
- const krb5_crypto_iov *data, size_t num_data,
- krb5_data *output)
-{
- krb5_key key;
- krb5_error_code code;
-
- if (keyblock->length > hash->blocksize)
- return KRB5_CRYPTO_INTERNAL;
-
- memset(&key, 0, sizeof(key));
-
- code = krb5_k_create_key(NULL, keyblock, &key);
- if (code)
- return code;
- code = krb5int_hmac(hash, key, data, num_data, output);
- krb5_k_free_key(NULL, key);
- return code;
-}
diff --git a/src/lib/crypto/nss/md4/Makefile.in b/src/lib/crypto/nss/md4/Makefile.in
deleted file mode 100644
index b71c192..0000000
--- a/src/lib/crypto/nss/md4/Makefile.in
+++ /dev/null
@@ -1,18 +0,0 @@
-mydir=lib$(S)crypto$(S)nss$(S)md4
-BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
-
-STLIBOBJS= md4.o
-
-OBJS= $(OUTPRE)md4.$(OBJEXT)
-
-SRCS= $(srcdir)/md4.c
-
-all-unix:: all-libobjs
-
-includes:: depend
-
-depend:: $(SRCS)
-
-clean-unix:: clean-libobjs
-
- at libobj_frag@
diff --git a/src/lib/crypto/nss/md4/deps b/src/lib/crypto/nss/md4/deps
deleted file mode 100644
index 55d209b..0000000
--- a/src/lib/crypto/nss/md4/deps
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Generated makefile dependencies follow.
-#
-md4.so md4.po $(OUTPRE)md4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h md4.c rsa-md4.h
diff --git a/src/lib/crypto/nss/md4/md4.c b/src/lib/crypto/nss/md4/md4.c
deleted file mode 100644
index 1853207..0000000
--- a/src/lib/crypto/nss/md4/md4.c
+++ /dev/null
@@ -1,242 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/nss/md4/md4.c */
-/*
- * Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.
- *
- * License to copy and use this software is granted provided that
- * it is identified as the "RSA Data Security, Inc. MD4 Message
- * Digest Algorithm" in all material mentioning or referencing this
- * software or this function.
- *
- * License is also granted to make and use derivative works
- * provided that such works are identified as "derived from the RSA
- * Data Security, Inc. MD4 Message Digest Algorithm" in all
- * material mentioning or referencing the derived work.
- *
- * RSA Data Security, Inc. makes no representations concerning
- * either the merchantability of this software or the suitability
- * of this software for any particular purpose. It is provided "as
- * is" without express or implied warranty of any kind.
- *
- * These notices must be retained in any copies of any part of this
- * documentation and/or software.
- */
-
-/*
-**********************************************************************
-** md4.c **
-** RSA Data Security, Inc. MD4 Message Digest Algorithm **
-** Created: 2/17/90 RLR **
-** Revised: 1/91 SRD,AJ,BSK,JT Reference C Version **
-**********************************************************************
-*/
-
-#include "k5-int.h"
-#include "rsa-md4.h"
-
-/* forward declaration */
-static void Transform (krb5_ui_4 *, krb5_ui_4 *);
-
-static const unsigned char PADDING[64] = {
- 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-};
-
-/* F, G and H are basic MD4 functions: selection, majority, parity */
-#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
-#define G(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
-#define H(x, y, z) ((x) ^ (y) ^ (z))
-
-/* ROTATE_LEFT rotates x left n bits */
-#define ROTATE_LEFT(x, n) ((((x) << (n)) & 0xffffffff) | ((x) >> (32-(n))))
-
-/* FF, GG and HH are MD4 transformations for rounds 1, 2 and 3 */
-/* Rotation is separate from addition to prevent recomputation */
-#define FF(a, b, c, d, x, s) \
- {(a) += F ((b), (c), (d)) + (x); \
- (a) &= 0xffffffff; \
- (a) = ROTATE_LEFT ((a), (s));}
-#define GG(a, b, c, d, x, s) \
- {(a) += G ((b), (c), (d)) + (x) + 013240474631UL; \
- (a) &= 0xffffffff; \
- (a) = ROTATE_LEFT ((a), (s));}
-#define HH(a, b, c, d, x, s) \
- {(a) += H ((b), (c), (d)) + (x) + 015666365641UL; \
- (a) &= 0xffffffff; \
- (a) = ROTATE_LEFT ((a), (s));}
-
-void
-krb5int_MD4Init (krb5_MD4_CTX *mdContext)
-{
- mdContext->i[0] = mdContext->i[1] = (krb5_ui_4)0;
-
- /* Load magic initialization constants.
- */
- mdContext->buf[0] = 0x67452301UL;
- mdContext->buf[1] = 0xefcdab89UL;
- mdContext->buf[2] = 0x98badcfeUL;
- mdContext->buf[3] = 0x10325476UL;
-}
-
-void
-krb5int_MD4Update (krb5_MD4_CTX *mdContext, const unsigned char *inBuf, unsigned int inLen)
-{
- krb5_ui_4 in[16];
- int mdi;
- unsigned int i, ii;
-
- /* compute number of bytes mod 64 */
- mdi = (int)((mdContext->i[0] >> 3) & 0x3F);
-
- /* update number of bits */
- if ((mdContext->i[0] + ((krb5_ui_4)inLen << 3)) < mdContext->i[0])
- mdContext->i[1]++;
- mdContext->i[0] += ((krb5_ui_4)inLen << 3);
- mdContext->i[1] += ((krb5_ui_4)inLen >> 29);
-
- while (inLen--) {
- /* add new character to buffer, increment mdi */
- mdContext->in[mdi++] = *inBuf++;
-
- /* transform if necessary */
- if (mdi == 0x40) {
- for (i = 0, ii = 0; i < 16; i++, ii += 4) {
- in[i] = load_32_le(mdContext->in+ii);
- }
- Transform (mdContext->buf, in);
- mdi = 0;
- }
- }
-}
-
-void
-krb5int_MD4Final (krb5_MD4_CTX *mdContext)
-{
- krb5_ui_4 in[16];
- int mdi;
- unsigned int i, ii;
- unsigned int padLen;
-
- /* save number of bits */
- in[14] = mdContext->i[0];
- in[15] = mdContext->i[1];
-
- /* compute number of bytes mod 64 */
- mdi = (int)((mdContext->i[0] >> 3) & 0x3F);
-
- /* pad out to 56 mod 64 */
- padLen = (mdi < 56) ? (56 - mdi) : (120 - mdi);
- krb5int_MD4Update (mdContext, PADDING, padLen);
-
- /* append length in bits and transform */
- for (i = 0, ii = 0; i < 14; i++, ii += 4)
- in[i] = load_32_le(mdContext->in+ii);
- Transform (mdContext->buf, in);
-
-
- /* store buffer in digest */
- for (i = 0, ii = 0; i < 4; i++, ii += 4) {
- store_32_le(mdContext->buf[i], mdContext->digest+ii);
- }
-}
-
-/* Basic MD4 step. Transform buf based on in.
- */
-static void Transform (krb5_ui_4 *buf, krb5_ui_4 *in)
-{
- register krb5_ui_4 a = buf[0], b = buf[1], c = buf[2], d = buf[3];
-
-#if defined(CONFIG_SMALL) && !defined(CONFIG_SMALL_NO_CRYPTO)
- int i;
-#define ROTATE { krb5_ui_4 temp; temp = d, d = c, c = b, b = a, a = temp; }
- for (i = 0; i < 16; i++) {
- static const unsigned char round1consts[] = { 3, 7, 11, 19, };
- FF (a, b, c, d, in[i], round1consts[i%4]); ROTATE;
- }
- for (i = 0; i < 16; i++) {
- static const unsigned char round2indices[] = {
- 0,4,8,12,1,5,9,13,2,6,10,14,3,7,11,15
- };
- static const unsigned char round2consts[] = { 3, 5, 9, 13 };
- GG (a, b, c, d, in[round2indices[i]], round2consts[i%4]); ROTATE;
- }
- for (i = 0; i < 16; i++) {
- static const unsigned char round3indices[] = {
- 0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15
- };
- static const unsigned char round3consts[] = { 3, 9, 11, 15 };
- HH (a, b, c, d, in[round3indices[i]], round3consts[i%4]); ROTATE;
- }
-#else
- /* Round 1 */
- FF (a, b, c, d, in[ 0], 3);
- FF (d, a, b, c, in[ 1], 7);
- FF (c, d, a, b, in[ 2], 11);
- FF (b, c, d, a, in[ 3], 19);
- FF (a, b, c, d, in[ 4], 3);
- FF (d, a, b, c, in[ 5], 7);
- FF (c, d, a, b, in[ 6], 11);
- FF (b, c, d, a, in[ 7], 19);
- FF (a, b, c, d, in[ 8], 3);
- FF (d, a, b, c, in[ 9], 7);
- FF (c, d, a, b, in[10], 11);
- FF (b, c, d, a, in[11], 19);
- FF (a, b, c, d, in[12], 3);
- FF (d, a, b, c, in[13], 7);
- FF (c, d, a, b, in[14], 11);
- FF (b, c, d, a, in[15], 19);
-
- /* Round 2 */
- GG (a, b, c, d, in[ 0], 3);
- GG (d, a, b, c, in[ 4], 5);
- GG (c, d, a, b, in[ 8], 9);
- GG (b, c, d, a, in[12], 13);
- GG (a, b, c, d, in[ 1], 3);
- GG (d, a, b, c, in[ 5], 5);
- GG (c, d, a, b, in[ 9], 9);
- GG (b, c, d, a, in[13], 13);
- GG (a, b, c, d, in[ 2], 3);
- GG (d, a, b, c, in[ 6], 5);
- GG (c, d, a, b, in[10], 9);
- GG (b, c, d, a, in[14], 13);
- GG (a, b, c, d, in[ 3], 3);
- GG (d, a, b, c, in[ 7], 5);
- GG (c, d, a, b, in[11], 9);
- GG (b, c, d, a, in[15], 13);
-
- /* Round 3 */
- HH (a, b, c, d, in[ 0], 3);
- HH (d, a, b, c, in[ 8], 9);
- HH (c, d, a, b, in[ 4], 11);
- HH (b, c, d, a, in[12], 15);
- HH (a, b, c, d, in[ 2], 3);
- HH (d, a, b, c, in[10], 9);
- HH (c, d, a, b, in[ 6], 11);
- HH (b, c, d, a, in[14], 15);
- HH (a, b, c, d, in[ 1], 3);
- HH (d, a, b, c, in[ 9], 9);
- HH (c, d, a, b, in[ 5], 11);
- HH (b, c, d, a, in[13], 15);
- HH (a, b, c, d, in[ 3], 3);
- HH (d, a, b, c, in[11], 9);
- HH (c, d, a, b, in[ 7], 11);
- HH (b, c, d, a, in[15], 15);
-#endif
-
- buf[0] += a;
- buf[1] += b;
- buf[2] += c;
- buf[3] += d;
-}
-
-/*
-**********************************************************************
-** End of md4.c **
-******************************* (cut) ********************************
-*/
diff --git a/src/lib/crypto/nss/md4/rsa-md4.h b/src/lib/crypto/nss/md4/rsa-md4.h
deleted file mode 100644
index d44869a..0000000
--- a/src/lib/crypto/nss/md4/rsa-md4.h
+++ /dev/null
@@ -1,90 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/nss/md4/rsa-md4.h */
-/*
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-/*
- * Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.
- *
- * License to copy and use this software is granted provided that
- * it is identified as the "RSA Data Security, Inc. MD4 Message
- * Digest Algorithm" in all material mentioning or referencing this
- * software or this function.
- *
- * License is also granted to make and use derivative works
- * provided that such works are identified as "derived from the RSA
- * Data Security, Inc. MD4 Message Digest Algorithm" in all
- * material mentioning or referencing the derived work.
- *
- * RSA Data Security, Inc. makes no representations concerning
- * either the merchantability of this software or the suitability
- * of this software for any particular purpose. It is provided "as
- * is" without express or implied warranty of any kind.
- *
- * These notices must be retained in any copies of any part of this
- * documentation and/or software.
- */
-
-/* RSA MD4 header file, with Kerberos/STDC additions */
-
-#ifndef __KRB5_RSA_MD4_H__
-#define __KRB5_RSA_MD4_H__
-
-#ifdef unicos61
-#include <sys/types.h>
-#endif /* unicos61 */
-
-/* 16 u_char's in the digest */
-#define RSA_MD4_CKSUM_LENGTH 16
-/* des blocksize is 8, so this works nicely... */
-#define OLD_RSA_MD4_DES_CKSUM_LENGTH 16
-#define NEW_RSA_MD4_DES_CKSUM_LENGTH 24
-#define RSA_MD4_DES_CONFOUND_LENGTH 8
-
-/*
-**********************************************************************
-** md4.h -- Header file for implementation of MD4 **
-** RSA Data Security, Inc. MD4 Message Digest Algorithm **
-** Created: 2/17/90 RLR **
-** Revised: 12/27/90 SRD,AJ,BSK,JT Reference C version **
-**********************************************************************
-*/
-
-/* Data structure for MD4 (Message Digest) computation */
-typedef struct {
- krb5_ui_4 i[2]; /* number of _bits_ handled mod 2^64 */
- krb5_ui_4 buf[4]; /* scratch buffer */
- unsigned char in[64]; /* input buffer */
- unsigned char digest[16]; /* actual digest after MD4Final call */
-} krb5_MD4_CTX;
-
-extern void krb5int_MD4Init(krb5_MD4_CTX *);
-extern void krb5int_MD4Update(krb5_MD4_CTX *, const unsigned char *, unsigned int);
-extern void krb5int_MD4Final(krb5_MD4_CTX *);
-
-/*
-**********************************************************************
-** End of md4.h **
-******************************* (cut) ********************************
-*/
-#endif /* __KRB5_RSA_MD4_H__ */
diff --git a/src/lib/crypto/nss/md5/Makefile.in b/src/lib/crypto/nss/md5/Makefile.in
deleted file mode 100644
index 5a292e1..0000000
--- a/src/lib/crypto/nss/md5/Makefile.in
+++ /dev/null
@@ -1,6 +0,0 @@
-# Placeholder since all crypto modules must have the same structure.
-mydir=lib$(S)crypto$(S)nss$(S)md5
-BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
-all-unix:: all-libobjs
-clean-unix:: clean-libobjs
- at libobj_frag@
diff --git a/src/lib/crypto/nss/md5/deps b/src/lib/crypto/nss/md5/deps
deleted file mode 100644
index 2feac3c..0000000
--- a/src/lib/crypto/nss/md5/deps
+++ /dev/null
@@ -1 +0,0 @@
-# No dependencies here.
diff --git a/src/lib/crypto/nss/nss_gen.h b/src/lib/crypto/nss/nss_gen.h
deleted file mode 100644
index ccf9219..0000000
--- a/src/lib/crypto/nss/nss_gen.h
+++ /dev/null
@@ -1,110 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/nss/nss_gen.h */
-/*
- * Copyright (c) 2010 Red Hat, Inc.
- * All Rights Reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above
- * copyright notice, this list of conditions and the following
- * disclaimer in the documentation and/or other materials provided
- * with the distribution.
- *
- * * Neither the name of Red Hat, Inc., nor the names of its
- * contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
- * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
- * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "k5-int.h"
-#include "pkcs11t.h"
-#include "sechash.h"
-#include "secmodt.h"
-
-/* 512 bits is bigger than anything defined to date */
-#define MAX_KEY_LENGTH 64
-#define MAX_BLOCK_SIZE 64
-
-/*
- * Common nss utils
- */
-
-/* Make sure NSS is properly initialized. */
-krb5_error_code k5_nss_init(void);
-
-/* Import a key into NSS and store the handle in krb5_key. */
-krb5_error_code
-k5_nss_gen_import(krb5_key key, CK_MECHANISM_TYPE mech,
- CK_ATTRIBUTE_TYPE operation);
-
-/* Clean up an imported key. */
-void
-k5_nss_gen_cleanup(krb5_key key);
-
-/* Create a new crypto/hash/sign context from a krb5_key. */
-PK11Context *
-k5_nss_create_context(krb5_key krb_key, CK_MECHANISM_TYPE mechanism,
- CK_ATTRIBUTE_TYPE operation, SECItem * param);
-
-/* Map an NSS error into a krb5_error_code. */
-krb5_error_code k5_nss_map_error(int nss_error);
-krb5_error_code k5_nss_map_last_error(void);
-
-
-/*
- * Common encryption functions
- */
-
-/* Encrypt/decrypt block modes except cts using iov. */
-krb5_error_code
-k5_nss_gen_block_iov(krb5_key key, CK_MECHANISM_TYPE mech,
- CK_ATTRIBUTE_TYPE operation, const krb5_data *ivec,
- krb5_crypto_iov *data, size_t num_data);
-
-/* Encrypt/decrypt stream modes using iov. */
-krb5_error_code
-k5_nss_gen_stream_iov(krb5_key key, krb5_data *state, CK_MECHANISM_TYPE mech,
- CK_ATTRIBUTE_TYPE operation, krb5_crypto_iov *data,
- size_t num_data);
-
-/* Encrypt/decrypt block modes using cts. */
-krb5_error_code
-k5_nss_gen_cts_iov(krb5_key key, CK_MECHANISM_TYPE mech,
- CK_ATTRIBUTE_TYPE operation, const krb5_data *ivec,
- krb5_crypto_iov *data, size_t num_data);
-
-/* Compute a CBC-MAC. */
-krb5_error_code
-k5_nss_gen_cbcmac_iov(krb5_key key, CK_MECHANISM_TYPE mech,
- const krb5_data *ivec, const krb5_crypto_iov *data,
- size_t num_data, krb5_data *output);
-
-/* Stream state management calls. */
-krb5_error_code k5_nss_stream_init_state(krb5_data *new_state);
-void k5_nss_stream_free_state(krb5_data *state);
-
-/*
- * Common hash functions
- */
-
-/* All hash modes. */
-krb5_error_code
-k5_nss_gen_hash(HASH_HashType hashType, const krb5_crypto_iov *data,
- size_t num_data, krb5_data *output);
diff --git a/src/lib/crypto/nss/nss_prng.h b/src/lib/crypto/nss/nss_prng.h
deleted file mode 100644
index 11bf9ed..0000000
--- a/src/lib/crypto/nss/nss_prng.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/nss/nss_prng.h - Declarations for NSS PRNG wrappers */
-/*
- * Copyright (C) 2011 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#ifndef NSS_PRNG_H
-#define NSS_PRNG_H
-
-krb5_error_code
-k5_nss_prng_add_entropy(krb5_context context, const krb5_data *indata);
-
-krb5_error_code
-k5_nss_prng_make_octets(krb5_context context, krb5_data *outdata);
-
-#endif /* NSS_PRNG_H */
diff --git a/src/lib/crypto/nss/pbkdf2.c b/src/lib/crypto/nss/pbkdf2.c
deleted file mode 100644
index 10272c8..0000000
--- a/src/lib/crypto/nss/pbkdf2.c
+++ /dev/null
@@ -1,120 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/nss/pbkdf2.c */
-/*
- * Copyright (c) 2010 Red Hat, Inc.
- * All Rights Reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above
- * copyright notice, this list of conditions and the following
- * disclaimer in the documentation and/or other materials provided
- * with the distribution.
- *
- * * Neither the name of Red Hat, Inc., nor the names of its
- * contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
- * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
- * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include <ctype.h>
-#include "crypto_int.h"
-#include "pk11pub.h"
-#include "nss_gen.h"
-
-
-krb5_error_code
-krb5int_pbkdf2_hmac_sha1(const krb5_data *out, unsigned long count,
- const krb5_data *pass, const krb5_data *salt)
-{
-
- PK11SlotInfo *slot = NULL;
- SECAlgorithmID *algid = NULL;
- PK11SymKey *symKey = NULL;
- SECItem saltItem, pwItem;
- const SECItem *keydata = NULL;
- SECOidTag pbeAlg = SEC_OID_PKCS5_PBKDF2;
- SECOidTag cipherAlg = SEC_OID_AES_256_CBC;
- SECOidTag prfAlg = SEC_OID_HMAC_SHA1;
- krb5_error_code ret;
-
- ret = k5_nss_init();
- if (ret)
- return ret;
-
- slot = PK11_GetBestSlot(PK11_AlgtagToMechanism(pbeAlg), NULL);
- if (slot == NULL)
- return k5_nss_map_last_error();
-
- /* NSS treats a null saltItem.data as a request for a random salt. */
- saltItem.type = siBuffer;
- saltItem.data = (salt->data == NULL) ? "" : (unsigned char *)salt->data;
- saltItem.len = salt->length;
-
- /* PKCS 5 was designed to be DER encoded. Algid's carry all the
- * information needed to describe the encoding the the recipient.
- * This usually allows for crypto agility in the protocol automatically.
- * Kerberos already had to solve it's crypto agility issues, so the
- * algid is just and extra step we need that we will throw away */
- algid = PK11_CreatePBEV2AlgorithmID(pbeAlg, cipherAlg, prfAlg,
- out->length, count, &saltItem);
- if (algid == NULL) {
- ret = k5_nss_map_last_error();
- goto loser;
- }
-
- pwItem.type = siBuffer;
- pwItem.data = (unsigned char *)pass->data;
- pwItem.len = pass->length;
-
- symKey = PK11_PBEKeyGen(slot, algid, &pwItem, PR_FALSE, NULL);
- if (symKey == NULL) {
- ret = k5_nss_map_last_error();
- goto loser;
- }
-
- /* At this point we should return symKey as a key, but kerberos is
- * still passing bits around instead of key handles. */
- PK11_ExtractKeyValue(symKey);
-
- /* keydata here is a const * and is valid as long as the key has not been
- * destroyed. */
- keydata = PK11_GetKeyData(symKey);
- if (keydata == NULL) {
- ret = k5_nss_map_last_error();
- goto loser;
- }
-
- if (out->length != keydata->len) {
- ret = -1; /* XXXXX */
- goto loser;
- }
- memcpy(out->data, keydata->data, keydata->len);
- ret = 0;
-
-loser:
- if (symKey)
- PK11_FreeSymKey(symKey);
- if (algid)
- SECOID_DestroyAlgorithmID(algid, PR_TRUE);
- if (slot)
- PK11_FreeSlot(slot);
-
- return ret;
-}
diff --git a/src/lib/crypto/nss/prng.c b/src/lib/crypto/nss/prng.c
deleted file mode 100644
index ebd1d3a..0000000
--- a/src/lib/crypto/nss/prng.c
+++ /dev/null
@@ -1,57 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/nss/prng.c - NSS prng functions */
-/*
- * Copyright (C) 2011 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "crypto_int.h"
-#include "nss_gen.h"
-#include "nss_prng.h"
-#include <pk11pub.h>
-
-krb5_error_code
-k5_nss_prng_add_entropy(krb5_context context, const krb5_data *indata)
-{
- krb5_error_code ret;
-
- ret = k5_nss_init();
- if (ret)
- return ret;
- if (PK11_RandomUpdate(indata->data, indata->length) != SECSuccess)
- return k5_nss_map_last_error();
- return 0;
-}
-
-krb5_error_code
-k5_nss_prng_make_octets(krb5_context context, krb5_data *outdata)
-{
- krb5_error_code ret;
-
- ret = k5_nss_init();
- if (ret)
- return ret;
- if (PK11_GenerateRandom((unsigned char *)outdata->data,
- outdata->length) != SECSuccess)
- return k5_nss_map_last_error();
- return 0;
-}
diff --git a/src/lib/crypto/nss/sha1/Makefile.in b/src/lib/crypto/nss/sha1/Makefile.in
deleted file mode 100644
index 26d9859..0000000
--- a/src/lib/crypto/nss/sha1/Makefile.in
+++ /dev/null
@@ -1,6 +0,0 @@
-# Placeholder since all crypto modules must have the same structure.
-mydir=lib$(S)crypto$(S)nss$(S)sha1
-BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
-all-unix:: all-libobjs
-clean-unix:: clean-libobjs
- at libobj_frag@
diff --git a/src/lib/crypto/nss/sha1/deps b/src/lib/crypto/nss/sha1/deps
deleted file mode 100644
index 2feac3c..0000000
--- a/src/lib/crypto/nss/sha1/deps
+++ /dev/null
@@ -1 +0,0 @@
-# No dependencies here.
diff --git a/src/lib/crypto/nss/sha2/Makefile.in b/src/lib/crypto/nss/sha2/Makefile.in
deleted file mode 100644
index 89f074c..0000000
--- a/src/lib/crypto/nss/sha2/Makefile.in
+++ /dev/null
@@ -1,6 +0,0 @@
-# Placeholder since all crypto modules must have the same structure.
-mydir=lib$(S)crypto$(S)nss$(S)aes
-BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
-all-unix:: all-libobjs
-clean-unix:: clean-libobjs
- at libobj_frag@
diff --git a/src/lib/crypto/nss/sha2/deps b/src/lib/crypto/nss/sha2/deps
deleted file mode 100644
index 2feac3c..0000000
--- a/src/lib/crypto/nss/sha2/deps
+++ /dev/null
@@ -1 +0,0 @@
-# No dependencies here.
diff --git a/src/lib/crypto/nss/stubs.c b/src/lib/crypto/nss/stubs.c
deleted file mode 100644
index 034e7e6..0000000
--- a/src/lib/crypto/nss/stubs.c
+++ /dev/null
@@ -1,68 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/nss/stubs.c - NSS stub functions */
-/*
- * Copyright (C) 2011 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * This file defines symbols which must be exported by libk5crypto because they
- * are in the export list (for the sake of test programs), but which are not
- * used when NSS is the back end.
- */
-
-#include "k5-int.h"
-
-/*
- * These functions are used by the Fortuna PRNG and test program. The Fortuna
- * PRNG is not used when NSS is the back end (the NSS PRNG is always used).
- */
-void krb5int_aes_enc_blk(void);
-void krb5int_aes_enc_key(void);
-void k5_sha256_final(void);
-void k5_sha256_init(void);
-void k5_sha256_update(void);
-
-void krb5int_aes_enc_blk(void)
-{
- abort();
-}
-
-void krb5int_aes_enc_key(void)
-{
- abort();
-}
-
-void k5_sha256_final(void)
-{
- abort();
-}
-
-void k5_sha256_init(void)
-{
- abort();
-}
-
-void k5_sha256_update(void)
-{
- abort();
-}