/*
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/*
* Copyright (C) 1998 by the FundsXpress, INC.
*
* All rights reserved.
*
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of FundsXpress. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
#include "k5-int.h"
#include "etypes.h"
#ifdef _KERNEL
krb5_error_code
update_key_template(krb5_keyblock *key)
{
crypto_mechanism_t kef_mech;
int rv = 0;
krb5_error_code ret = 0;
KRB5_LOG0(KRB5_INFO, "update_key_template()");
if (key == NULL)
return (ret);
/*
* Preallocate the crypto_key_t records
* needed by the kernel crypto calls later.
*/
kef_mech.cm_type = key->kef_mt;
kef_mech.cm_param = NULL;
kef_mech.cm_param_len = 0;
/*
* Create an template to improve HMAC performance later.
*/
rv = crypto_create_ctx_template(&kef_mech,
&key->kef_key,
&key->key_tmpl,
KM_SLEEP);
if (rv != CRYPTO_SUCCESS) {
/*
* Some mechs don't support context templates
*/
if (rv == CRYPTO_NOT_SUPPORTED) {
ret = 0;
key->key_tmpl = NULL;
} else {
KRB5_LOG(KRB5_ERR,"crypto_create_ctx_template "
"error: %0x", rv);
ret = KRB5_KEF_ERROR;
}
}
return (ret);
}
/*
* initialize the KEF components of the krb5_keyblock record.
*/
krb5_error_code
init_key_kef(crypto_mech_type_t mech_type, krb5_keyblock *key)
{
krb5_error_code rv = 0;
KRB5_LOG0(KRB5_INFO, "init_key_kef()");
if (key == NULL)
return (rv);
if (key->kef_key.ck_data == NULL) {
key->kef_key.ck_data = key->contents;
}
/* kef keys are measured in bits */
key->kef_key.ck_length = key->length * 8;
key->kef_key.ck_format = CRYPTO_KEY_RAW;
key->kef_mt = mech_type;
if (key->key_tmpl == NULL && mech_type != CRYPTO_MECH_INVALID) {
rv = update_key_template(key);
}
return(rv);
}
#else
/*
* init_key_uef
* Initialize the Userland Encryption Framework fields of the
* key block.
*/
krb5_error_code
init_key_uef(CK_SESSION_HANDLE hSession, krb5_keyblock *key)
{
CK_RV rv = CKR_OK;
CK_MECHANISM mechanism;
CK_OBJECT_CLASS class = CKO_SECRET_KEY;
CK_KEY_TYPE keyType;
CK_BBOOL true = TRUE, false = FALSE;
CK_ATTRIBUTE template[6];
/* If its already initialized, return OK */
/*
* fork safety: if the key->pid != __krb5_current_pid then a fork has
* taken place and the pkcs11 key handle must be re-acquired.
*/
if ((key->hKey != CK_INVALID_HANDLE) &&
(key->pid == __krb5_current_pid))
return (rv);
/* fork safety */
key->pid = __krb5_current_pid;
if ((rv = get_key_type(key->enctype, &keyType)) != CKR_OK) {
KRB5_LOG0(KRB5_ERR, "failure to get key type in function "
"init_key_uef.");
return (PKCS_ERR);
}
template[0].type = CKA_CLASS;
template[0].pValue = &class;
template[0].ulValueLen = sizeof (class);
template[1].type = CKA_KEY_TYPE;
template[1].pValue = &keyType;
template[1].ulValueLen = sizeof (keyType);
template[2].type = CKA_TOKEN;
template[2].pValue = &false;
template[2].ulValueLen = sizeof (false);
template[3].type = CKA_ENCRYPT;
template[3].pValue = &true;
template[3].ulValueLen = sizeof (true);
template[4].type = CKA_DECRYPT;
template[4].pValue = &true;
template[4].ulValueLen = sizeof (true);
template[5].type = CKA_VALUE;
template[5].pValue = key->contents;
template[5].ulValueLen = key->length;
/* Create an object handle for the key */
if ((rv = C_CreateObject(hSession, template,
sizeof(template)/sizeof(CK_ATTRIBUTE),
&key->hKey)) != CKR_OK) {
KRB5_LOG(KRB5_ERR, "C_CreateObject failed in "
"init_key_uef: rv = 0x%x.", rv);
rv = PKCS_ERR;
}
return (rv);
}
#endif /* _KERNEL */
/*ARGSUSED*/
krb5_error_code KRB5_CALLCONV
krb5_c_encrypt(krb5_context context, const krb5_keyblock *key,
krb5_keyusage usage, const krb5_data *ivec,
const krb5_data *input, krb5_enc_data *output)
{
krb5_error_code ret;
int i;
KRB5_LOG(KRB5_INFO, "krb5_c_encrypt start etype = %d", key->enctype);
for (i=0; i<krb5_enctypes_length; i++) {
if (krb5_enctypes_list[i].etype == key->enctype)
break;
}
if (i == krb5_enctypes_length)
return(KRB5_BAD_ENCTYPE);
output->magic = KV5M_ENC_DATA;
output->kvno = 0;
output->enctype = key->enctype;
#ifdef _KERNEL
context->kef_cipher_mt = krb5_enctypes_list[i].kef_cipher_mt;
context->kef_hash_mt = krb5_enctypes_list[i].kef_hash_mt;
if (key->kef_key.ck_data == NULL) {
if ((ret = init_key_kef(context->kef_cipher_mt,
(krb5_keyblock *)key)))
return(ret);
}
#else
if ((ret = init_key_uef(krb_ctx_hSession(context), (krb5_keyblock *)key)))
return (ret);
#endif /* _KERNEL */
KRB5_LOG0(KRB5_INFO, "krb5_c_encrypt calling encrypt.");
return((*(krb5_enctypes_list[i].encrypt))
(context, krb5_enctypes_list[i].enc, krb5_enctypes_list[i].hash,
key, usage, ivec, input, &output->ciphertext));
}