3b08dec5ee634f83ee18e1753d5ffe0ac5e3c458Jakub Hrozek NSS crypto wrappers
3b08dec5ee634f83ee18e1753d5ffe0ac5e3c458Jakub Hrozek Sumit Bose <sbose@redhat.com>
3b08dec5ee634f83ee18e1753d5ffe0ac5e3c458Jakub Hrozek Jakub Hrozek <jhrozek@redhat.com>
3b08dec5ee634f83ee18e1753d5ffe0ac5e3c458Jakub Hrozek Copyright (C) Red Hat, Inc 2010
3b08dec5ee634f83ee18e1753d5ffe0ac5e3c458Jakub Hrozek This program is free software; you can redistribute it and/or modify
3b08dec5ee634f83ee18e1753d5ffe0ac5e3c458Jakub Hrozek it under the terms of the GNU General Public License as published by
3b08dec5ee634f83ee18e1753d5ffe0ac5e3c458Jakub Hrozek the Free Software Foundation; either version 3 of the License, or
3b08dec5ee634f83ee18e1753d5ffe0ac5e3c458Jakub Hrozek (at your option) any later version.
3b08dec5ee634f83ee18e1753d5ffe0ac5e3c458Jakub Hrozek This program is distributed in the hope that it will be useful,
3b08dec5ee634f83ee18e1753d5ffe0ac5e3c458Jakub Hrozek but WITHOUT ANY WARRANTY; without even the implied warranty of
3b08dec5ee634f83ee18e1753d5ffe0ac5e3c458Jakub Hrozek MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
3b08dec5ee634f83ee18e1753d5ffe0ac5e3c458Jakub Hrozek GNU General Public License for more details.
3b08dec5ee634f83ee18e1753d5ffe0ac5e3c458Jakub Hrozek You should have received a copy of the GNU General Public License
3b08dec5ee634f83ee18e1753d5ffe0ac5e3c458Jakub Hrozek along with this program. If not, see <http://www.gnu.org/licenses/>.
3b08dec5ee634f83ee18e1753d5ffe0ac5e3c458Jakub Hrozek /* nothing to do */
3b08dec5ee634f83ee18e1753d5ffe0ac5e3c458Jakub Hrozek if (nspr_nss_init_done == 1) return SECSuccess;
3b08dec5ee634f83ee18e1753d5ffe0ac5e3c458Jakub Hrozek PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov "Error initializing connection to NSS [%d]\n",
3b08dec5ee634f83ee18e1753d5ffe0ac5e3c458Jakub Hrozek /* nothing to do */
3b08dec5ee634f83ee18e1753d5ffe0ac5e3c458Jakub Hrozek if (nspr_nss_init_done == 0) return SECSuccess;
83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov "Error shutting down connection to NSS [%d]\n",
/* talloc destructor for the crypto context; it is registered with
 * talloc_set_destructor() on the context elsewhere in this listing.
 * The statements visible here release the NSS cipher context and the
 * parameter SECItem. PR_TRUE asks NSS to free the object itself as well
 * as its contents.
 * NOTE(review): this listing omits lines, so the release of cctx->slot and
 * cctx->keyobj and the return value are not visible here -- confirm against
 * the full file.
 * NOTE(review): SECITEM_FreeItem() does not zero the buffer before freeing
 * it. That is presumably acceptable because sparam is built from the IV,
 * not from key material -- confirm. */
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorcestatic int sss_nss_crypto_ctx_destructor(struct sss_nss_crypto_ctx *cctx)
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce if (cctx->ectx) PK11_DestroyContext(cctx->ectx, PR_TRUE);
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce if (cctx->sparam) SECITEM_FreeItem(cctx->sparam, PR_TRUE);
/* Generate a random key through NSS and hand its raw bytes back in memory
 * allocated with talloc as a child of `key`.
 * NOTE(review): this listing omits lines; the remaining parameters and the
 * NSS calls behind the three failure messages below are not visible here. */
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorcestatic int generate_random_key(TALLOC_CTX *mem_ctx,
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce DEBUG(SSSDBG_CRIT_FAILURE, "Failure to generate key (err %d)\n",
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce DEBUG(SSSDBG_CRIT_FAILURE, "Failure to extract key value (err %d)\n",
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce DEBUG(SSSDBG_CRIT_FAILURE, "Failure to get key data (err %d)\n",
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce /* randkeydata is valid until randkey is. Copy with talloc to
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce * get a nice memory hierarchy symmetrical in encrypt
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce * and decrypt case */
/* NOTE(review): this copy is raw key material on the talloc heap. Neither a
 * NULL check on the talloc_memdup() result nor zeroing of the buffer before
 * it is freed is visible in this listing -- confirm both in the full file. */
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce key->data = talloc_memdup(key, randkeydata->data, randkeydata->len);
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce cctx = talloc_zero(mem_ctx, struct sss_nss_crypto_ctx);
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce talloc_set_destructor(cctx, sss_nss_crypto_ctx_destructor);
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce cctx->slot = PK11_GetBestSlot(mech_props->cipher, NULL);
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce DEBUG(SSSDBG_CRIT_FAILURE, "Unable to find security device (err %d)\n",
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce "Failed to allocate Key buffer\n");
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce "Could not generate encryption key\n");
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce DEBUG(SSSDBG_CRIT_FAILURE, "Failed to allocate IV buffer\n");
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce "Could not generate initialization vector\n");
/* Turn the raw key and IV into NSS objects on the crypto context: import the
 * key as a symmetric key object on cctx->slot, build the IV parameter for
 * encrypt/decrypt operations, and create the cipher context.
 * NOTE(review): this listing omits lines; the remaining parameters, the
 * error paths, the return value and the handling of crypto_op values other
 * than op_encrypt/op_decrypt are not visible here. */
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorceint nss_crypto_init(struct crypto_mech_data *mech_props,
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce /* turn the raw key into a key object */
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce cctx->keyobj = PK11_ImportSymKey(cctx->slot, mech_props->cipher,
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce DEBUG(SSSDBG_CRIT_FAILURE, "Failure to import key into NSS (err %d)\n",
/* The IV parameter is only built for encryption and decryption. */
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce if (crypto_op == op_encrypt || crypto_op == op_decrypt) {
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce /* turn the raw IV into an initialization vector object */
/* NOTE(review): cctx->iv is used as-is here. For encryption, its uniqueness
 * under a given key depends on how the IV was populated before this call --
 * verify against the code that fills it in. */
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce cctx->sparam = PK11_ParamFromIV(mech_props->cipher, cctx->iv);
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce "Failure to set up PKCS11 param (err %d)\n",
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce DEBUG(SSSDBG_CRIT_FAILURE, "Failure to allocate SECItem\n");
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce /* Create cipher context */
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce cctx->ectx = PK11_CreateContextBySymKey(mech_props->cipher, op,
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create cipher context (err %d)\n",