/* * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ /* * Copyright (C) 1998 by the FundsXpress, INC. * * All rights reserved. * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright * notice appear in all copies and that both that copyright notice and * this permission notice appear in supporting documentation, and that * the name of FundsXpress. not be used in advertising or publicity pertaining * to distribution of the software without specific, written prior * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ #include "k5-int.h" #include "etypes.h" #ifdef _KERNEL krb5_error_code update_key_template(krb5_keyblock *key) { crypto_mechanism_t kef_mech; int rv = 0; krb5_error_code ret = 0; KRB5_LOG0(KRB5_INFO, "update_key_template()"); if (key == NULL) return (ret); /* * Preallocate the crypto_key_t records * needed by the kernel crypto calls later. */ kef_mech.cm_type = key->kef_mt; kef_mech.cm_param = NULL; kef_mech.cm_param_len = 0; /* * Create an template to improve HMAC performance later. */ rv = crypto_create_ctx_template(&kef_mech, &key->kef_key, &key->key_tmpl, KM_SLEEP); if (rv != CRYPTO_SUCCESS) { /* * Some mechs don't support context templates */ if (rv == CRYPTO_NOT_SUPPORTED) { ret = 0; key->key_tmpl = NULL; } else { KRB5_LOG(KRB5_ERR,"crypto_create_ctx_template " "error: %0x", rv); ret = KRB5_KEF_ERROR; } } return (ret); } /* * initialize the KEF components of the krb5_keyblock record. */ krb5_error_code init_key_kef(crypto_mech_type_t mech_type, krb5_keyblock *key) { krb5_error_code rv = 0; KRB5_LOG0(KRB5_INFO, "init_key_kef()"); if (key == NULL) return (rv); if (key->kef_key.ck_data == NULL) { key->kef_key.ck_data = key->contents; } /* kef keys are measured in bits */ key->kef_key.ck_length = key->length * 8; key->kef_key.ck_format = CRYPTO_KEY_RAW; key->kef_mt = mech_type; if (key->key_tmpl == NULL && mech_type != CRYPTO_MECH_INVALID) { rv = update_key_template(key); } return(rv); } #else /* * init_key_uef * Initialize the Userland Encryption Framework fields of the * key block. */ krb5_error_code init_key_uef(CK_SESSION_HANDLE hSession, krb5_keyblock *key) { CK_RV rv = CKR_OK; CK_MECHANISM mechanism; CK_OBJECT_CLASS class = CKO_SECRET_KEY; CK_KEY_TYPE keyType; CK_BBOOL true = TRUE, false = FALSE; CK_ATTRIBUTE template[6]; /* If its already initialized, return OK */ /* * fork safety: if the key->pid != __krb5_current_pid then a fork has * taken place and the pkcs11 key handle must be re-acquired. */ if ((key->hKey != CK_INVALID_HANDLE) && (key->pid == __krb5_current_pid)) return (rv); /* fork safety */ key->pid = __krb5_current_pid; if ((rv = get_key_type(key->enctype, &keyType)) != CKR_OK) { KRB5_LOG0(KRB5_ERR, "failure to get key type in function " "init_key_uef."); return (PKCS_ERR); } template[0].type = CKA_CLASS; template[0].pValue = &class; template[0].ulValueLen = sizeof (class); template[1].type = CKA_KEY_TYPE; template[1].pValue = &keyType; template[1].ulValueLen = sizeof (keyType); template[2].type = CKA_TOKEN; template[2].pValue = &false; template[2].ulValueLen = sizeof (false); template[3].type = CKA_ENCRYPT; template[3].pValue = &true; template[3].ulValueLen = sizeof (true); template[4].type = CKA_DECRYPT; template[4].pValue = &true; template[4].ulValueLen = sizeof (true); template[5].type = CKA_VALUE; template[5].pValue = key->contents; template[5].ulValueLen = key->length; /* Create an object handle for the key */ if ((rv = C_CreateObject(hSession, template, sizeof(template)/sizeof(CK_ATTRIBUTE), &key->hKey)) != CKR_OK) { KRB5_LOG(KRB5_ERR, "C_CreateObject failed in " "init_key_uef: rv = 0x%x.", rv); rv = PKCS_ERR; } return (rv); } #endif /* _KERNEL */ /*ARGSUSED*/ krb5_error_code KRB5_CALLCONV krb5_c_encrypt(krb5_context context, const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *ivec, const krb5_data *input, krb5_enc_data *output) { krb5_error_code ret; int i; KRB5_LOG(KRB5_INFO, "krb5_c_encrypt start etype = %d", key->enctype); for (i=0; ienctype) break; } if (i == krb5_enctypes_length) return(KRB5_BAD_ENCTYPE); output->magic = KV5M_ENC_DATA; output->kvno = 0; output->enctype = key->enctype; #ifdef _KERNEL context->kef_cipher_mt = krb5_enctypes_list[i].kef_cipher_mt; context->kef_hash_mt = krb5_enctypes_list[i].kef_hash_mt; if (key->kef_key.ck_data == NULL) { if ((ret = init_key_kef(context->kef_cipher_mt, (krb5_keyblock *)key))) return(ret); } #else if ((ret = init_key_uef(krb_ctx_hSession(context), (krb5_keyblock *)key))) return (ret); #endif /* _KERNEL */ KRB5_LOG0(KRB5_INFO, "krb5_c_encrypt calling encrypt."); return((*(krb5_enctypes_list[i].encrypt)) (context, krb5_enctypes_list[i].enc, krb5_enctypes_list[i].hash, key, usage, ivec, input, &output->ciphertext)); }