diff options
Diffstat (limited to 'crypto')
| -rw-r--r-- | crypto/apr_crypto.c | 523 | ||||
| -rw-r--r-- | crypto/apr_crypto_nss.c | 865 | ||||
| -rw-r--r-- | crypto/apr_crypto_nss.dsp | 203 | ||||
| -rw-r--r-- | crypto/apr_crypto_openssl.c | 797 | ||||
| -rw-r--r-- | crypto/apr_crypto_openssl.dsp | 203 | ||||
| -rw-r--r-- | crypto/apr_md4.c | 404 | ||||
| -rw-r--r-- | crypto/apr_md5.c | 756 | ||||
| -rw-r--r-- | crypto/apr_sha1.c | 368 | ||||
| -rw-r--r-- | crypto/getuuid.c | 208 | ||||
| -rw-r--r-- | crypto/uuid.c | 130 |
10 files changed, 4457 insertions, 0 deletions
diff --git a/crypto/apr_crypto.c b/crypto/apr_crypto.c new file mode 100644 index 0000000..4a1049c --- /dev/null +++ b/crypto/apr_crypto.c @@ -0,0 +1,523 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <ctype.h> +#include <stdio.h> + +#include "apu_config.h" +#include "apu.h" +#include "apr_pools.h" +#include "apr_dso.h" +#include "apr_strings.h" +#include "apr_hash.h" +#include "apr_thread_mutex.h" +#include "apr_lib.h" + +#if APU_HAVE_CRYPTO + +#include "apu_internal.h" +#include "apr_crypto_internal.h" +#include "apr_crypto.h" +#include "apu_version.h" + +static apr_hash_t *drivers = NULL; + +#define ERROR_SIZE 1024 + +#define CLEANUP_CAST (apr_status_t (*)(void*)) + +#define APR_TYPEDEF_STRUCT(type, incompletion) \ +struct type { \ + incompletion \ + void *unk[]; \ +}; + +APR_TYPEDEF_STRUCT(apr_crypto_t, + apr_pool_t *pool; + apr_crypto_driver_t *provider; +) + +APR_TYPEDEF_STRUCT(apr_crypto_key_t, + apr_pool_t *pool; + apr_crypto_driver_t *provider; + const apr_crypto_t *f; +) + +APR_TYPEDEF_STRUCT(apr_crypto_block_t, + apr_pool_t *pool; + apr_crypto_driver_t *provider; + const apr_crypto_t *f; +) + +typedef struct apr_crypto_clear_t { + void *buffer; + apr_size_t size; +} apr_crypto_clear_t; + +#if !APU_DSO_BUILD +#define DRIVER_LOAD(name,driver,pool,params) \ + { \ + extern const apr_crypto_driver_t driver; \ + apr_hash_set(drivers,name,APR_HASH_KEY_STRING,&driver); \ + if (driver.init) { \ + driver.init(pool, params); \ + } \ + } +#endif + +static apr_status_t apr_crypto_term(void *ptr) +{ + /* set drivers to NULL so init can work again */ + drivers = NULL; + + /* Everything else we need is handled by cleanups registered + * when we created mutexes and loaded DSOs + */ + return APR_SUCCESS; +} + +APU_DECLARE(apr_status_t) apr_crypto_init(apr_pool_t *pool) +{ + apr_status_t ret = APR_SUCCESS; + apr_pool_t *parent; + + if (drivers != NULL) { + return APR_SUCCESS; + } + + /* Top level pool scope, need process-scope lifetime */ + for (parent = pool; parent; parent = apr_pool_parent_get(pool)) + pool = parent; +#if APU_DSO_BUILD + /* deprecate in 2.0 - permit implicit initialization */ + apu_dso_init(pool); +#endif + drivers = apr_hash_make(pool); + +#if !APU_DSO_BUILD + /* Load statically-linked drivers: */ +#if APU_HAVE_OPENSSL + DRIVER_LOAD("openssl", apr_crypto_openssl_driver, pool, params); +#endif +#if APU_HAVE_NSS + DRIVER_LOAD("nss", apr_crypto_nss_driver, pool, params); +#endif +#if APU_HAVE_MSCAPI + DRIVER_LOAD("mscapi", apr_crypto_mscapi_driver, pool, params); +#endif +#if APU_HAVE_MSCNG + DRIVER_LOAD("mscng", apr_crypto_mscng_driver, pool, params); +#endif +#endif /* APU_DSO_BUILD */ + + apr_pool_cleanup_register(pool, NULL, apr_crypto_term, + apr_pool_cleanup_null); + + return ret; +} + +static apr_status_t crypto_clear(void *ptr) +{ + apr_crypto_clear_t *clear = (apr_crypto_clear_t *)ptr; + + memset(clear->buffer, 0, clear->size); + clear->buffer = NULL; + clear->size = 0; + + return APR_SUCCESS; +} + +APU_DECLARE(apr_status_t) apr_crypto_clear(apr_pool_t *pool, + void *buffer, apr_size_t size) +{ + apr_crypto_clear_t *clear = apr_palloc(pool, sizeof(apr_crypto_clear_t)); + + clear->buffer = buffer; + clear->size = size; + + apr_pool_cleanup_register(pool, clear, crypto_clear, + apr_pool_cleanup_null); + + return APR_SUCCESS; +} + +APU_DECLARE(apr_status_t) apr_crypto_get_driver( + const apr_crypto_driver_t **driver, const char *name, + const char *params, const apu_err_t **result, apr_pool_t *pool) +{ +#if APU_DSO_BUILD + char modname[32]; + char symname[34]; + apr_dso_handle_t *dso; + apr_dso_handle_sym_t symbol; +#endif + apr_status_t rv; + int rc = 0; + +#if APU_DSO_BUILD + rv = apu_dso_mutex_lock(); + if (rv) { + return rv; + } +#endif + *driver = apr_hash_get(drivers, name, APR_HASH_KEY_STRING); + if (*driver) { +#if APU_DSO_BUILD + apu_dso_mutex_unlock(); +#endif + return APR_SUCCESS; + } + +#if APU_DSO_BUILD + /* The driver DSO must have exactly the same lifetime as the + * drivers hash table; ignore the passed-in pool */ + pool = apr_hash_pool_get(drivers); + +#if defined(NETWARE) + apr_snprintf(modname, sizeof(modname), "crypto%s.nlm", name); +#elif defined(WIN32) + apr_snprintf(modname, sizeof(modname), + "apr_crypto_%s-" APU_STRINGIFY(APU_MAJOR_VERSION) ".dll", name); +#else + apr_snprintf(modname, sizeof(modname), + "apr_crypto_%s-" APU_STRINGIFY(APU_MAJOR_VERSION) ".so", name); +#endif + apr_snprintf(symname, sizeof(symname), "apr_crypto_%s_driver", name); + rv = apu_dso_load(&dso, &symbol, modname, symname, pool); + if (rv != APR_SUCCESS) { /* APR_EDSOOPEN or APR_ESYMNOTFOUND? */ + if (rv == APR_EINIT) { /* previously loaded?!? */ + name = apr_pstrdup(pool, name); + apr_hash_set(drivers, name, APR_HASH_KEY_STRING, *driver); + rv = APR_SUCCESS; + } + goto unlock; + } + *driver = symbol; + if ((*driver)->init) { + rv = (*driver)->init(pool, params, &rc); + } + name = apr_pstrdup(pool, name); + apr_hash_set(drivers, name, APR_HASH_KEY_STRING, *driver); + + unlock: apu_dso_mutex_unlock(); + + if (APR_SUCCESS != rv && result) { + char *buffer = apr_pcalloc(pool, ERROR_SIZE); + apu_err_t *err = apr_pcalloc(pool, sizeof(apu_err_t)); + if (err && buffer) { + apr_dso_error(dso, buffer, ERROR_SIZE - 1); + err->msg = buffer; + err->reason = modname; + err->rc = rc; + *result = err; + } + } + +#else /* not builtin and !APR_HAS_DSO => not implemented */ + rv = APR_ENOTIMPL; +#endif + + return rv; +} + +/** + * @brief Return the name of the driver. + * + * @param driver - The driver in use. + * @return The name of the driver. + */ +APU_DECLARE(const char *)apr_crypto_driver_name ( + const apr_crypto_driver_t *driver) +{ + return driver->name; +} + +/** + * @brief Get the result of the last operation on a context. If the result + * is NULL, the operation was successful. + * @param result - the result structure + * @param f - context pointer + * @return APR_SUCCESS for success + */ +APU_DECLARE(apr_status_t) apr_crypto_error(const apu_err_t **result, + const apr_crypto_t *f) +{ + return f->provider->error(result, f); +} + +/** + * @brief Create a context for supporting encryption. Keys, certificates, + * algorithms and other parameters will be set per context. More than + * one context can be created at one time. A cleanup will be automatically + * registered with the given pool to guarantee a graceful shutdown. + * @param f - context pointer will be written here + * @param driver - driver to use + * @param params - array of key parameters + * @param pool - process pool + * @return APR_ENOENGINE when the engine specified does not exist. APR_EINITENGINE + * if the engine cannot be initialised. + * @remarks NSS: currently no params are supported. + * @remarks OpenSSL: the params can have "engine" as a key, followed by an equal + * sign and a value. + */ +APU_DECLARE(apr_status_t) apr_crypto_make(apr_crypto_t **f, + const apr_crypto_driver_t *driver, const char *params, apr_pool_t *pool) +{ + return driver->make(f, driver, params, pool); +} + +/** + * @brief Get a hash table of key types, keyed by the name of the type against + * an integer pointer constant. + * + * @param types - hashtable of key types keyed to constants. + * @param f - encryption context + * @return APR_SUCCESS for success + */ +APU_DECLARE(apr_status_t) apr_crypto_get_block_key_types(apr_hash_t **types, + const apr_crypto_t *f) +{ + return f->provider->get_block_key_types(types, f); +} + +/** + * @brief Get a hash table of key modes, keyed by the name of the mode against + * an integer pointer constant. + * + * @param modes - hashtable of key modes keyed to constants. + * @param f - encryption context + * @return APR_SUCCESS for success + */ +APU_DECLARE(apr_status_t) apr_crypto_get_block_key_modes(apr_hash_t **modes, + const apr_crypto_t *f) +{ + return f->provider->get_block_key_modes(modes, f); +} + +/** + * @brief Create a key from the given passphrase. By default, the PBKDF2 + * algorithm is used to generate the key from the passphrase. It is expected + * that the same pass phrase will generate the same key, regardless of the + * backend crypto platform used. The key is cleaned up when the context + * is cleaned, and may be reused with multiple encryption or decryption + * operations. + * @note If *key is NULL, a apr_crypto_key_t will be created from a pool. If + * *key is not NULL, *key must point at a previously created structure. + * @param key The key returned, see note. + * @param ivSize The size of the initialisation vector will be returned, based + * on whether an IV is relevant for this type of crypto. + * @param pass The passphrase to use. + * @param passLen The passphrase length in bytes + * @param salt The salt to use. + * @param saltLen The salt length in bytes + * @param type 3DES_192, AES_128, AES_192, AES_256. + * @param mode Electronic Code Book / Cipher Block Chaining. + * @param doPad Pad if necessary. + * @param iterations Number of iterations to use in algorithm + * @param f The context to use. + * @param p The pool to use. + * @return Returns APR_ENOKEY if the pass phrase is missing or empty, or if a backend + * error occurred while generating the key. APR_ENOCIPHER if the type or mode + * is not supported by the particular backend. APR_EKEYTYPE if the key type is + * not known. APR_EPADDING if padding was requested but is not supported. + * APR_ENOTIMPL if not implemented. + */ +APU_DECLARE(apr_status_t) apr_crypto_passphrase(apr_crypto_key_t **key, + apr_size_t *ivSize, const char *pass, apr_size_t passLen, + const unsigned char * salt, apr_size_t saltLen, + const apr_crypto_block_key_type_e type, + const apr_crypto_block_key_mode_e mode, const int doPad, + const int iterations, const apr_crypto_t *f, apr_pool_t *p) +{ + return f->provider->passphrase(key, ivSize, pass, passLen, salt, saltLen, + type, mode, doPad, iterations, f, p); +} + +/** + * @brief Initialise a context for encrypting arbitrary data using the given key. + * @note If *ctx is NULL, a apr_crypto_block_t will be created from a pool. If + * *ctx is not NULL, *ctx must point at a previously created structure. + * @param ctx The block context returned, see note. + * @param iv Optional initialisation vector. If the buffer pointed to is NULL, + * an IV will be created at random, in space allocated from the pool. + * If the buffer pointed to is not NULL, the IV in the buffer will be + * used. + * @param key The key structure to use. + * @param blockSize The block size of the cipher. + * @param p The pool to use. + * @return Returns APR_ENOIV if an initialisation vector is required but not specified. + * Returns APR_EINIT if the backend failed to initialise the context. Returns + * APR_ENOTIMPL if not implemented. + */ +APU_DECLARE(apr_status_t) apr_crypto_block_encrypt_init( + apr_crypto_block_t **ctx, const unsigned char **iv, + const apr_crypto_key_t *key, apr_size_t *blockSize, apr_pool_t *p) +{ + return key->provider->block_encrypt_init(ctx, iv, key, blockSize, p); +} + +/** + * @brief Encrypt data provided by in, write it to out. + * @note The number of bytes written will be written to outlen. If + * out is NULL, outlen will contain the maximum size of the + * buffer needed to hold the data, including any data + * generated by apr_crypto_block_encrypt_finish below. If *out points + * to NULL, a buffer sufficiently large will be created from + * the pool provided. If *out points to a not-NULL value, this + * value will be used as a buffer instead. + * @param out Address of a buffer to which data will be written, + * see note. + * @param outlen Length of the output will be written here. + * @param in Address of the buffer to read. + * @param inlen Length of the buffer to read. + * @param ctx The block context to use. + * @return APR_ECRYPT if an error occurred. Returns APR_ENOTIMPL if + * not implemented. + */ +APU_DECLARE(apr_status_t) apr_crypto_block_encrypt(unsigned char **out, + apr_size_t *outlen, const unsigned char *in, apr_size_t inlen, + apr_crypto_block_t *ctx) +{ + return ctx->provider->block_encrypt(out, outlen, in, inlen, ctx); +} + +/** + * @brief Encrypt final data block, write it to out. + * @note If necessary the final block will be written out after being + * padded. Typically the final block will be written to the + * same buffer used by apr_crypto_block_encrypt, offset by the + * number of bytes returned as actually written by the + * apr_crypto_block_encrypt() call. After this call, the context + * is cleaned and can be reused by apr_crypto_block_encrypt_init(). + * @param out Address of a buffer to which data will be written. This + * buffer must already exist, and is usually the same + * buffer used by apr_evp_crypt(). See note. + * @param outlen Length of the output will be written here. + * @param ctx The block context to use. + * @return APR_ECRYPT if an error occurred. + * @return APR_EPADDING if padding was enabled and the block was incorrectly + * formatted. + * @return APR_ENOTIMPL if not implemented. + */ +APU_DECLARE(apr_status_t) apr_crypto_block_encrypt_finish(unsigned char *out, + apr_size_t *outlen, apr_crypto_block_t *ctx) +{ + return ctx->provider->block_encrypt_finish(out, outlen, ctx); +} + +/** + * @brief Initialise a context for decrypting arbitrary data using the given key. + * @note If *ctx is NULL, a apr_crypto_block_t will be created from a pool. If + * *ctx is not NULL, *ctx must point at a previously created structure. + * @param ctx The block context returned, see note. + * @param blockSize The block size of the cipher. + * @param iv Optional initialisation vector. + * @param key The key structure to use. + * @param p The pool to use. + * @return Returns APR_ENOIV if an initialisation vector is required but not specified. + * Returns APR_EINIT if the backend failed to initialise the context. Returns + * APR_ENOTIMPL if not implemented. + */ +APU_DECLARE(apr_status_t) apr_crypto_block_decrypt_init( + apr_crypto_block_t **ctx, apr_size_t *blockSize, + const unsigned char *iv, const apr_crypto_key_t *key, apr_pool_t *p) +{ + return key->provider->block_decrypt_init(ctx, blockSize, iv, key, p); +} + +/** + * @brief Decrypt data provided by in, write it to out. + * @note The number of bytes written will be written to outlen. If + * out is NULL, outlen will contain the maximum size of the + * buffer needed to hold the data, including any data + * generated by apr_crypto_block_decrypt_finish below. If *out points + * to NULL, a buffer sufficiently large will be created from + * the pool provided. If *out points to a not-NULL value, this + * value will be used as a buffer instead. + * @param out Address of a buffer to which data will be written, + * see note. + * @param outlen Length of the output will be written here. + * @param in Address of the buffer to read. + * @param inlen Length of the buffer to read. + * @param ctx The block context to use. + * @return APR_ECRYPT if an error occurred. Returns APR_ENOTIMPL if + * not implemented. + */ +APU_DECLARE(apr_status_t) apr_crypto_block_decrypt(unsigned char **out, + apr_size_t *outlen, const unsigned char *in, apr_size_t inlen, + apr_crypto_block_t *ctx) +{ + return ctx->provider->block_decrypt(out, outlen, in, inlen, ctx); +} + +/** + * @brief Decrypt final data block, write it to out. + * @note If necessary the final block will be written out after being + * padded. Typically the final block will be written to the + * same buffer used by apr_crypto_block_decrypt, offset by the + * number of bytes returned as actually written by the + * apr_crypto_block_decrypt() call. After this call, the context + * is cleaned and can be reused by apr_crypto_block_decrypt_init(). + * @param out Address of a buffer to which data will be written. This + * buffer must already exist, and is usually the same + * buffer used by apr_evp_crypt(). See note. + * @param outlen Length of the output will be written here. + * @param ctx The block context to use. + * @return APR_ECRYPT if an error occurred. + * @return APR_EPADDING if padding was enabled and the block was incorrectly + * formatted. + * @return APR_ENOTIMPL if not implemented. + */ +APU_DECLARE(apr_status_t) apr_crypto_block_decrypt_finish(unsigned char *out, + apr_size_t *outlen, apr_crypto_block_t *ctx) +{ + return ctx->provider->block_decrypt_finish(out, outlen, ctx); +} + +/** + * @brief Clean encryption / decryption context. + * @note After cleanup, a context is free to be reused if necessary. + * @param ctx The block context to use. + * @return Returns APR_ENOTIMPL if not supported. + */ +APU_DECLARE(apr_status_t) apr_crypto_block_cleanup(apr_crypto_block_t *ctx) +{ + return ctx->provider->block_cleanup(ctx); +} + +/** + * @brief Clean encryption / decryption context. + * @note After cleanup, a context is free to be reused if necessary. + * @param f The context to use. + * @return Returns APR_ENOTIMPL if not supported. + */ +APU_DECLARE(apr_status_t) apr_crypto_cleanup(apr_crypto_t *f) +{ + return f->provider->cleanup(f); +} + +/** + * @brief Shutdown the crypto library. + * @note After shutdown, it is expected that the init function can be called again. + * @param driver - driver to use + * @return Returns APR_ENOTIMPL if not supported. + */ +APU_DECLARE(apr_status_t) apr_crypto_shutdown(const apr_crypto_driver_t *driver) +{ + return driver->shutdown(); +} + +#endif /* APU_HAVE_CRYPTO */ diff --git a/crypto/apr_crypto_nss.c b/crypto/apr_crypto_nss.c new file mode 100644 index 0000000..0d1d2ca --- /dev/null +++ b/crypto/apr_crypto_nss.c @@ -0,0 +1,865 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "apr_lib.h" +#include "apu.h" +#include "apu_config.h" +#include "apu_errno.h" + +#include <ctype.h> +#include <stdlib.h> + +#include "apr_strings.h" +#include "apr_time.h" +#include "apr_buckets.h" + +#include "apr_crypto_internal.h" + +#if APU_HAVE_CRYPTO + +#include <prerror.h> + +#ifdef HAVE_NSS_NSS_H +#include <nss/nss.h> +#endif +#ifdef HAVE_NSS_H +#include <nss.h> +#endif + +#ifdef HAVE_NSS_PK11PUB_H +#include <nss/pk11pub.h> +#endif +#ifdef HAVE_PK11PUB_H +#include <pk11pub.h> +#endif + +struct apr_crypto_t { + apr_pool_t *pool; + const apr_crypto_driver_t *provider; + apu_err_t *result; + apr_array_header_t *keys; + apr_crypto_config_t *config; + apr_hash_t *types; + apr_hash_t *modes; +}; + +struct apr_crypto_config_t { + void *opaque; +}; + +struct apr_crypto_key_t { + apr_pool_t *pool; + const apr_crypto_driver_t *provider; + const apr_crypto_t *f; + CK_MECHANISM_TYPE cipherMech; + SECOidTag cipherOid; + PK11SymKey *symKey; + int ivSize; +}; + +struct apr_crypto_block_t { + apr_pool_t *pool; + const apr_crypto_driver_t *provider; + const apr_crypto_t *f; + PK11Context *ctx; + apr_crypto_key_t *key; + int blockSize; +}; + +static int key_3des_192 = APR_KEY_3DES_192; +static int key_aes_128 = APR_KEY_AES_128; +static int key_aes_192 = APR_KEY_AES_192; +static int key_aes_256 = APR_KEY_AES_256; + +static int mode_ecb = APR_MODE_ECB; +static int mode_cbc = APR_MODE_CBC; + +/** + * Fetch the most recent error from this driver. + */ +static apr_status_t crypto_error(const apu_err_t **result, + const apr_crypto_t *f) +{ + *result = f->result; + return APR_SUCCESS; +} + +/** + * Shutdown the crypto library and release resources. + * + * It is safe to shut down twice. + */ +static apr_status_t crypto_shutdown(void) +{ + if (NSS_IsInitialized()) { + SECStatus s = NSS_Shutdown(); + if (s != SECSuccess) { + return APR_EINIT; + } + } + return APR_SUCCESS; +} + +static apr_status_t crypto_shutdown_helper(void *data) +{ + return crypto_shutdown(); +} + +/** + * Initialise the crypto library and perform one time initialisation. + */ +static apr_status_t crypto_init(apr_pool_t *pool, const char *params, int *rc) +{ + SECStatus s; + const char *dir = NULL; + const char *keyPrefix = NULL; + const char *certPrefix = NULL; + const char *secmod = NULL; + int noinit = 0; + PRUint32 flags = 0; + + struct { + const char *field; + const char *value; + int set; + } fields[] = { + { "dir", NULL, 0 }, + { "key3", NULL, 0 }, + { "cert7", NULL, 0 }, + { "secmod", NULL, 0 }, + { "noinit", NULL, 0 }, + { NULL, NULL, 0 } + }; + const char *ptr; + size_t klen; + char **elts = NULL; + char *elt; + int i = 0, j; + apr_status_t status; + + if (params) { + if (APR_SUCCESS != (status = apr_tokenize_to_argv(params, &elts, pool))) { + return status; + } + while ((elt = elts[i])) { + ptr = strchr(elt, '='); + if (ptr) { + for (klen = ptr - elt; klen && apr_isspace(elt[klen - 1]); --klen) + ; + ptr++; + } + else { + for (klen = strlen(elt); klen && apr_isspace(elt[klen - 1]); --klen) + ; + } + elt[klen] = 0; + + for (j = 0; fields[j].field != NULL; ++j) { + if (klen && !strcasecmp(fields[j].field, elt)) { + fields[j].set = 1; + if (ptr) { + fields[j].value = ptr; + } + break; + } + } + + i++; + } + dir = fields[0].value; + keyPrefix = fields[1].value; + certPrefix = fields[2].value; + secmod = fields[3].value; + noinit = fields[4].set; + } + + /* if we've been asked to bypass, do so here */ + if (noinit) { + return APR_SUCCESS; + } + + /* sanity check - we can only initialise NSS once */ + if (NSS_IsInitialized()) { + return APR_EREINIT; + } + + apr_pool_cleanup_register(pool, pool, crypto_shutdown_helper, + apr_pool_cleanup_null); + + if (keyPrefix || certPrefix || secmod) { + s = NSS_Initialize(dir, certPrefix, keyPrefix, secmod, flags); + } + else if (dir) { + s = NSS_InitReadWrite(dir); + } + else { + s = NSS_NoDB_Init(NULL); + } + if (s != SECSuccess) { + if (rc) { + *rc = PR_GetError(); + } + return APR_ECRYPT; + } + + return APR_SUCCESS; + +} + +/** + * @brief Clean encryption / decryption context. + * @note After cleanup, a context is free to be reused if necessary. + * @param f The context to use. + * @return Returns APR_ENOTIMPL if not supported. + */ +static apr_status_t crypto_block_cleanup(apr_crypto_block_t *block) +{ + + if (block->ctx) { + PK11_DestroyContext(block->ctx, PR_TRUE); + block->ctx = NULL; + } + + return APR_SUCCESS; + +} + +static apr_status_t crypto_block_cleanup_helper(void *data) +{ + apr_crypto_block_t *block = (apr_crypto_block_t *) data; + return crypto_block_cleanup(block); +} + +/** + * @brief Clean encryption / decryption context. + * @note After cleanup, a context is free to be reused if necessary. + * @param f The context to use. + * @return Returns APR_ENOTIMPL if not supported. + */ +static apr_status_t crypto_cleanup(apr_crypto_t *f) +{ + apr_crypto_key_t *key; + if (f->keys) { + while ((key = apr_array_pop(f->keys))) { + if (key->symKey) { + PK11_FreeSymKey(key->symKey); + key->symKey = NULL; + } + } + } + return APR_SUCCESS; +} + +static apr_status_t crypto_cleanup_helper(void *data) +{ + apr_crypto_t *f = (apr_crypto_t *) data; + return crypto_cleanup(f); +} + +/** + * @brief Create a context for supporting encryption. Keys, certificates, + * algorithms and other parameters will be set per context. More than + * one context can be created at one time. A cleanup will be automatically + * registered with the given pool to guarantee a graceful shutdown. + * @param f - context pointer will be written here + * @param provider - provider to use + * @param params - parameter string + * @param pool - process pool + * @return APR_ENOENGINE when the engine specified does not exist. APR_EINITENGINE + * if the engine cannot be initialised. + */ +static apr_status_t crypto_make(apr_crypto_t **ff, + const apr_crypto_driver_t *provider, const char *params, + apr_pool_t *pool) +{ + apr_crypto_config_t *config = NULL; + apr_crypto_t *f; + + f = apr_pcalloc(pool, sizeof(apr_crypto_t)); + if (!f) { + return APR_ENOMEM; + } + *ff = f; + f->pool = pool; + f->provider = provider; + config = f->config = apr_pcalloc(pool, sizeof(apr_crypto_config_t)); + if (!config) { + return APR_ENOMEM; + } + f->result = apr_pcalloc(pool, sizeof(apu_err_t)); + if (!f->result) { + return APR_ENOMEM; + } + f->keys = apr_array_make(pool, 10, sizeof(apr_crypto_key_t)); + + f->types = apr_hash_make(pool); + if (!f->types) { + return APR_ENOMEM; + } + apr_hash_set(f->types, "3des192", APR_HASH_KEY_STRING, &(key_3des_192)); + apr_hash_set(f->types, "aes128", APR_HASH_KEY_STRING, &(key_aes_128)); + apr_hash_set(f->types, "aes192", APR_HASH_KEY_STRING, &(key_aes_192)); + apr_hash_set(f->types, "aes256", APR_HASH_KEY_STRING, &(key_aes_256)); + + f->modes = apr_hash_make(pool); + if (!f->modes) { + return APR_ENOMEM; + } + apr_hash_set(f->modes, "ecb", APR_HASH_KEY_STRING, &(mode_ecb)); + apr_hash_set(f->modes, "cbc", APR_HASH_KEY_STRING, &(mode_cbc)); + + apr_pool_cleanup_register(pool, f, crypto_cleanup_helper, + apr_pool_cleanup_null); + + return APR_SUCCESS; + +} + +/** + * @brief Get a hash table of key types, keyed by the name of the type against + * an integer pointer constant. + * + * @param types - hashtable of key types keyed to constants. + * @param f - encryption context + * @return APR_SUCCESS for success + */ +static apr_status_t crypto_get_block_key_types(apr_hash_t **types, + const apr_crypto_t *f) +{ + *types = f->types; + return APR_SUCCESS; +} + +/** + * @brief Get a hash table of key modes, keyed by the name of the mode against + * an integer pointer constant. + * + * @param modes - hashtable of key modes keyed to constants. + * @param f - encryption context + * @return APR_SUCCESS for success + */ +static apr_status_t crypto_get_block_key_modes(apr_hash_t **modes, + const apr_crypto_t *f) +{ + *modes = f->modes; + return APR_SUCCESS; +} + +/** + * @brief Create a key from the given passphrase. By default, the PBKDF2 + * algorithm is used to generate the key from the passphrase. It is expected + * that the same pass phrase will generate the same key, regardless of the + * backend crypto platform used. The key is cleaned up when the context + * is cleaned, and may be reused with multiple encryption or decryption + * operations. + * @note If *key is NULL, a apr_crypto_key_t will be created from a pool. If + * *key is not NULL, *key must point at a previously created structure. + * @param key The key returned, see note. + * @param ivSize The size of the initialisation vector will be returned, based + * on whether an IV is relevant for this type of crypto. + * @param pass The passphrase to use. + * @param passLen The passphrase length in bytes + * @param salt The salt to use. + * @param saltLen The salt length in bytes + * @param type 3DES_192, AES_128, AES_192, AES_256. + * @param mode Electronic Code Book / Cipher Block Chaining. + * @param doPad Pad if necessary. + * @param iterations Iteration count + * @param f The context to use. + * @param p The pool to use. + * @return Returns APR_ENOKEY if the pass phrase is missing or empty, or if a backend + * error occurred while generating the key. APR_ENOCIPHER if the type or mode + * is not supported by the particular backend. APR_EKEYTYPE if the key type is + * not known. APR_EPADDING if padding was requested but is not supported. + * APR_ENOTIMPL if not implemented. + */ +static apr_status_t crypto_passphrase(apr_crypto_key_t **k, apr_size_t *ivSize, + const char *pass, apr_size_t passLen, const unsigned char * salt, + apr_size_t saltLen, const apr_crypto_block_key_type_e type, + const apr_crypto_block_key_mode_e mode, const int doPad, + const int iterations, const apr_crypto_t *f, apr_pool_t *p) +{ + apr_status_t rv = APR_SUCCESS; + PK11SlotInfo * slot; + SECItem passItem; + SECItem saltItem; + SECAlgorithmID *algid; + void *wincx = NULL; /* what is wincx? */ + apr_crypto_key_t *key = *k; + + if (!key) { + *k = key = apr_array_push(f->keys); + } + if (!key) { + return APR_ENOMEM; + } + + key->f = f; + key->provider = f->provider; + + /* decide on what cipher mechanism we will be using */ + switch (type) { + + case (APR_KEY_3DES_192): + if (APR_MODE_CBC == mode) { + key->cipherOid = SEC_OID_DES_EDE3_CBC; + } + else if (APR_MODE_ECB == mode) { + return APR_ENOCIPHER; + /* No OID for CKM_DES3_ECB; */ + } + break; + case (APR_KEY_AES_128): + if (APR_MODE_CBC == mode) { + key->cipherOid = SEC_OID_AES_128_CBC; + } + else { + key->cipherOid = SEC_OID_AES_128_ECB; + } + break; + case (APR_KEY_AES_192): + if (APR_MODE_CBC == mode) { + key->cipherOid = SEC_OID_AES_192_CBC; + } + else { + key->cipherOid = SEC_OID_AES_192_ECB; + } + break; + case (APR_KEY_AES_256): + if (APR_MODE_CBC == mode) { + key->cipherOid = SEC_OID_AES_256_CBC; + } + else { + key->cipherOid = SEC_OID_AES_256_ECB; + } + break; + default: + /* unknown key type, give up */ + return APR_EKEYTYPE; + } + + /* AES_128_CBC --> CKM_AES_CBC --> CKM_AES_CBC_PAD */ + key->cipherMech = PK11_AlgtagToMechanism(key->cipherOid); + if (key->cipherMech == CKM_INVALID_MECHANISM) { + return APR_ENOCIPHER; + } + if (doPad) { + CK_MECHANISM_TYPE paddedMech; + paddedMech = PK11_GetPadMechanism(key->cipherMech); + if (CKM_INVALID_MECHANISM == paddedMech || key->cipherMech + == paddedMech) { + return APR_EPADDING; + } + key->cipherMech = paddedMech; + } + + /* Turn the raw passphrase and salt into SECItems */ + passItem.data = (unsigned char*) pass; + passItem.len = passLen; + saltItem.data = (unsigned char*) salt; + saltItem.len = saltLen; + + /* generate the key */ + /* pbeAlg and cipherAlg are the same. NSS decides the keylength. */ + algid = PK11_CreatePBEV2AlgorithmID(key->cipherOid, key->cipherOid, + SEC_OID_HMAC_SHA1, 0, iterations, &saltItem); + if (algid) { + slot = PK11_GetBestSlot(key->cipherMech, wincx); + if (slot) { + key->symKey = PK11_PBEKeyGen(slot, algid, &passItem, PR_FALSE, + wincx); + PK11_FreeSlot(slot); + } + SECOID_DestroyAlgorithmID(algid, PR_TRUE); + } + + /* sanity check? */ + if (!key->symKey) { + PRErrorCode perr = PORT_GetError(); + if (perr) { + f->result->rc = perr; + f->result->msg = PR_ErrorToName(perr); + rv = APR_ENOKEY; + } + } + + key->ivSize = PK11_GetIVLength(key->cipherMech); + if (ivSize) { + *ivSize = key->ivSize; + } + + return rv; +} + +/** + * @brief Initialise a context for encrypting arbitrary data using the given key. + * @note If *ctx is NULL, a apr_crypto_block_t will be created from a pool. If + * *ctx is not NULL, *ctx must point at a previously created structure. + * @param ctx The block context returned, see note. + * @param iv Optional initialisation vector. If the buffer pointed to is NULL, + * an IV will be created at random, in space allocated from the pool. + * If the buffer pointed to is not NULL, the IV in the buffer will be + * used. + * @param key The key structure. + * @param blockSize The block size of the cipher. + * @param p The pool to use. + * @return Returns APR_ENOIV if an initialisation vector is required but not specified. + * Returns APR_EINIT if the backend failed to initialise the context. Returns + * APR_ENOTIMPL if not implemented. + */ +static apr_status_t crypto_block_encrypt_init(apr_crypto_block_t **ctx, + const unsigned char **iv, const apr_crypto_key_t *key, + apr_size_t *blockSize, apr_pool_t *p) +{ + PRErrorCode perr; + SECItem * secParam; + SECItem ivItem; + unsigned char * usedIv; + apr_crypto_block_t *block = *ctx; + if (!block) { + *ctx = block = apr_pcalloc(p, sizeof(apr_crypto_block_t)); + } + if (!block) { + return APR_ENOMEM; + } + block->f = key->f; + block->pool = p; + block->provider = key->provider; + + apr_pool_cleanup_register(p, block, crypto_block_cleanup_helper, + apr_pool_cleanup_null); + + if (key->ivSize) { + if (iv == NULL) { + return APR_ENOIV; + } + if (*iv == NULL) { + SECStatus s; + usedIv = apr_pcalloc(p, key->ivSize); + if (!usedIv) { + return APR_ENOMEM; + } + apr_crypto_clear(p, usedIv, key->ivSize); + s = PK11_GenerateRandom(usedIv, key->ivSize); + if (s != SECSuccess) { + return APR_ENOIV; + } + *iv = usedIv; + } + else { + usedIv = (unsigned char *) *iv; + } + ivItem.data = usedIv; + ivItem.len = key->ivSize; + secParam = PK11_ParamFromIV(key->cipherMech, &ivItem); + } + else { + secParam = PK11_GenerateNewParam(key->cipherMech, key->symKey); + } + block->blockSize = PK11_GetBlockSize(key->cipherMech, secParam); + block->ctx = PK11_CreateContextBySymKey(key->cipherMech, CKA_ENCRYPT, + key->symKey, secParam); + + /* did an error occur? */ + perr = PORT_GetError(); + if (perr || !block->ctx) { + key->f->result->rc = perr; + key->f->result->msg = PR_ErrorToName(perr); + return APR_EINIT; + } + + if (blockSize) { + *blockSize = PK11_GetBlockSize(key->cipherMech, secParam); + } + + return APR_SUCCESS; + +} + +/** + * @brief Encrypt data provided by in, write it to out. + * @note The number of bytes written will be written to outlen. If + * out is NULL, outlen will contain the maximum size of the + * buffer needed to hold the data, including any data + * generated by apr_crypto_block_encrypt_finish below. If *out points + * to NULL, a buffer sufficiently large will be created from + * the pool provided. If *out points to a not-NULL value, this + * value will be used as a buffer instead. + * @param out Address of a buffer to which data will be written, + * see note. + * @param outlen Length of the output will be written here. + * @param in Address of the buffer to read. + * @param inlen Length of the buffer to read. + * @param ctx The block context to use. + * @return APR_ECRYPT if an error occurred. Returns APR_ENOTIMPL if + * not implemented. + */ +static apr_status_t crypto_block_encrypt(unsigned char **out, + apr_size_t *outlen, const unsigned char *in, apr_size_t inlen, + apr_crypto_block_t *block) +{ + + unsigned char *buffer; + int outl = (int) *outlen; + SECStatus s; + if (!out) { + *outlen = inlen + block->blockSize; + return APR_SUCCESS; + } + if (!*out) { + buffer = apr_palloc(block->pool, inlen + block->blockSize); + if (!buffer) { + return APR_ENOMEM; + } + apr_crypto_clear(block->pool, buffer, inlen + block->blockSize); + *out = buffer; + } + + s = PK11_CipherOp(block->ctx, *out, &outl, inlen, (unsigned char*) in, + inlen); + if (s != SECSuccess) { + PRErrorCode perr = PORT_GetError(); + if (perr) { + block->f->result->rc = perr; + block->f->result->msg = PR_ErrorToName(perr); + } + return APR_ECRYPT; + } + *outlen = outl; + + return APR_SUCCESS; + +} + +/** + * @brief Encrypt final data block, write it to out. + * @note If necessary the final block will be written out after being + * padded. Typically the final block will be written to the + * same buffer used by apr_crypto_block_encrypt, offset by the + * number of bytes returned as actually written by the + * apr_crypto_block_encrypt() call. After this call, the context + * is cleaned and can be reused by apr_crypto_block_encrypt_init(). + * @param out Address of a buffer to which data will be written. This + * buffer must already exist, and is usually the same + * buffer used by apr_evp_crypt(). See note. + * @param outlen Length of the output will be written here. + * @param ctx The block context to use. + * @return APR_ECRYPT if an error occurred. + * @return APR_EPADDING if padding was enabled and the block was incorrectly + * formatted. + * @return APR_ENOTIMPL if not implemented. + */ +static apr_status_t crypto_block_encrypt_finish(unsigned char *out, + apr_size_t *outlen, apr_crypto_block_t *block) +{ + + apr_status_t rv = APR_SUCCESS; + unsigned int outl = *outlen; + + SECStatus s = PK11_DigestFinal(block->ctx, out, &outl, block->blockSize); + *outlen = outl; + + if (s != SECSuccess) { + PRErrorCode perr = PORT_GetError(); + if (perr) { + block->f->result->rc = perr; + block->f->result->msg = PR_ErrorToName(perr); + } + rv = APR_ECRYPT; + } + crypto_block_cleanup(block); + + return rv; + +} + +/** + * @brief Initialise a context for decrypting arbitrary data using the given key. + * @note If *ctx is NULL, a apr_crypto_block_t will be created from a pool. If + * *ctx is not NULL, *ctx must point at a previously created structure. + * @param ctx The block context returned, see note. + * @param blockSize The block size of the cipher. + * @param iv Optional initialisation vector. If the buffer pointed to is NULL, + * an IV will be created at random, in space allocated from the pool. + * If the buffer is not NULL, the IV in the buffer will be used. + * @param key The key structure. + * @param p The pool to use. + * @return Returns APR_ENOIV if an initialisation vector is required but not specified. + * Returns APR_EINIT if the backend failed to initialise the context. Returns + * APR_ENOTIMPL if not implemented. + */ +static apr_status_t crypto_block_decrypt_init(apr_crypto_block_t **ctx, + apr_size_t *blockSize, const unsigned char *iv, + const apr_crypto_key_t *key, apr_pool_t *p) +{ + PRErrorCode perr; + SECItem * secParam; + apr_crypto_block_t *block = *ctx; + if (!block) { + *ctx = block = apr_pcalloc(p, sizeof(apr_crypto_block_t)); + } + if (!block) { + return APR_ENOMEM; + } + block->f = key->f; + block->pool = p; + block->provider = key->provider; + + apr_pool_cleanup_register(p, block, crypto_block_cleanup_helper, + apr_pool_cleanup_null); + + if (key->ivSize) { + SECItem ivItem; + if (iv == NULL) { + return APR_ENOIV; /* Cannot initialise without an IV */ + } + ivItem.data = (unsigned char*) iv; + ivItem.len = key->ivSize; + secParam = PK11_ParamFromIV(key->cipherMech, &ivItem); + } + else { + secParam = PK11_GenerateNewParam(key->cipherMech, key->symKey); + } + block->blockSize = PK11_GetBlockSize(key->cipherMech, secParam); + block->ctx = PK11_CreateContextBySymKey(key->cipherMech, CKA_DECRYPT, + key->symKey, secParam); + + /* did an error occur? */ + perr = PORT_GetError(); + if (perr || !block->ctx) { + key->f->result->rc = perr; + key->f->result->msg = PR_ErrorToName(perr); + return APR_EINIT; + } + + if (blockSize) { + *blockSize = PK11_GetBlockSize(key->cipherMech, secParam); + } + + return APR_SUCCESS; + +} + +/** + * @brief Decrypt data provided by in, write it to out. + * @note The number of bytes written will be written to outlen. If + * out is NULL, outlen will contain the maximum size of the + * buffer needed to hold the data, including any data + * generated by apr_crypto_block_decrypt_finish below. If *out points + * to NULL, a buffer sufficiently large will be created from + * the pool provided. If *out points to a not-NULL value, this + * value will be used as a buffer instead. + * @param out Address of a buffer to which data will be written, + * see note. + * @param outlen Length of the output will be written here. + * @param in Address of the buffer to read. + * @param inlen Length of the buffer to read. + * @param ctx The block context to use. + * @return APR_ECRYPT if an error occurred. Returns APR_ENOTIMPL if + * not implemented. + */ +static apr_status_t crypto_block_decrypt(unsigned char **out, + apr_size_t *outlen, const unsigned char *in, apr_size_t inlen, + apr_crypto_block_t *block) +{ + + unsigned char *buffer; + int outl = (int) *outlen; + SECStatus s; + if (!out) { + *outlen = inlen + block->blockSize; + return APR_SUCCESS; + } + if (!*out) { + buffer = apr_palloc(block->pool, inlen + block->blockSize); + if (!buffer) { + return APR_ENOMEM; + } + apr_crypto_clear(block->pool, buffer, inlen + block->blockSize); + *out = buffer; + } + + s = PK11_CipherOp(block->ctx, *out, &outl, inlen, (unsigned char*) in, + inlen); + if (s != SECSuccess) { + PRErrorCode perr = PORT_GetError(); + if (perr) { + block->f->result->rc = perr; + block->f->result->msg = PR_ErrorToName(perr); + } + return APR_ECRYPT; + } + *outlen = outl; + + return APR_SUCCESS; + +} + +/** + * @brief Decrypt final data block, write it to out. + * @note If necessary the final block will be written out after being + * padded. Typically the final block will be written to the + * same buffer used by apr_crypto_block_decrypt, offset by the + * number of bytes returned as actually written by the + * apr_crypto_block_decrypt() call. After this call, the context + * is cleaned and can be reused by apr_crypto_block_decrypt_init(). + * @param out Address of a buffer to which data will be written. This + * buffer must already exist, and is usually the same + * buffer used by apr_evp_crypt(). See note. + * @param outlen Length of the output will be written here. + * @param ctx The block context to use. + * @return APR_ECRYPT if an error occurred. + * @return APR_EPADDING if padding was enabled and the block was incorrectly + * formatted. + * @return APR_ENOTIMPL if not implemented. + */ +static apr_status_t crypto_block_decrypt_finish(unsigned char *out, + apr_size_t *outlen, apr_crypto_block_t *block) +{ + + apr_status_t rv = APR_SUCCESS; + unsigned int outl = *outlen; + + SECStatus s = PK11_DigestFinal(block->ctx, out, &outl, block->blockSize); + *outlen = outl; + + if (s != SECSuccess) { + PRErrorCode perr = PORT_GetError(); + if (perr) { + block->f->result->rc = perr; + block->f->result->msg = PR_ErrorToName(perr); + } + rv = APR_ECRYPT; + } + crypto_block_cleanup(block); + + return rv; + +} + +/** + * NSS module. + */ +APU_MODULE_DECLARE_DATA const apr_crypto_driver_t apr_crypto_nss_driver = { + "nss", crypto_init, crypto_make, crypto_get_block_key_types, + crypto_get_block_key_modes, crypto_passphrase, + crypto_block_encrypt_init, crypto_block_encrypt, + crypto_block_encrypt_finish, crypto_block_decrypt_init, + crypto_block_decrypt, crypto_block_decrypt_finish, + crypto_block_cleanup, crypto_cleanup, crypto_shutdown, crypto_error +}; + +#endif diff --git a/crypto/apr_crypto_nss.dsp b/crypto/apr_crypto_nss.dsp new file mode 100644 index 0000000..663b240 --- /dev/null +++ b/crypto/apr_crypto_nss.dsp @@ -0,0 +1,203 @@ +# Microsoft Developer Studio Project File - Name="apr_crypto_nss" - Package Owner=<4> +# Microsoft Developer Studio Generated Build File, Format Version 6.00 +# ** DO NOT EDIT ** + +# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102 + +CFG=apr_crypto_nss - Win32 Release +!MESSAGE This is not a valid makefile. To build this project using NMAKE, +!MESSAGE use the Export Makefile command and run +!MESSAGE +!MESSAGE NMAKE /f "apr_crypto_nss.mak". +!MESSAGE +!MESSAGE You can specify a configuration when running NMAKE +!MESSAGE by defining the macro CFG on the command line. For example: +!MESSAGE +!MESSAGE NMAKE /f "apr_crypto_nss.mak" CFG="apr_crypto_nss - Win32 Release" +!MESSAGE +!MESSAGE Possible choices for configuration are: +!MESSAGE +!MESSAGE "apr_crypto_nss - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "apr_crypto_nss - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "apr_crypto_nss - x64 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "apr_crypto_nss - x64 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE + +# Begin Project +# PROP AllowPerConfigDependencies 0 +# PROP Scc_ProjName "" +# PROP Scc_LocalPath "" +CPP=cl.exe +MTL=midl.exe +RSC=rc.exe + +!IF "$(CFG)" == "apr_crypto_nss - Win32 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "Release" +# PROP BASE Intermediate_Dir "Release" +# PROP BASE Target_Dir "" +# PROP Use_MFC 0 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "Release" +# PROP Intermediate_Dir "Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MD /W3 /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /FD /c +# ADD CPP /nologo /MD /W3 /Zi /O2 /Oy- /I "../include" /I "../../apr/include" /I "../include/private" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "APU_DSO_MODULE_BUILD" /D APU_HAVE_NSS=1 /D HAVE_NSS_H=1 /D HAVE_PK11PUB_H=1 /Fo"$(INTDIR)\" /Fd"$(INTDIR)\apr_crypto_nss_src" /FD /c +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /o /win32 "NUL" +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /o /win32 "NUL" +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /fo"Release/apr_crypto_nss-1.res" /d DLL_NAME="apr_crypto_nss" /d "NDEBUG" /d "APU_VERSION_ONLY" /I "../include" /I "../../apr/include" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib advapi32.lib ws2_32.lib mswsock.lib ole32.lib nss3.lib nspr4.lib /nologo /base:"0x6F110000" /subsystem:windows /dll /incremental:no /debug /opt:ref +# ADD LINK32 kernel32.lib advapi32.lib ws2_32.lib mswsock.lib ole32.lib nss3.lib nspr4.lib nspr4.lib /nologo /base:"0x6F110000" /subsystem:windows /dll /incremental:no /debug /out:"Release\apr_crypto_nss-1.dll" /pdb:"Release\apr_crypto_nss-1.pdb" /implib:"Release\apr_crypto_nss-1.lib" /MACHINE:X86 /opt:ref +# Begin Special Build Tool +TargetPath=Release\apr_crypto_nss-1.dll +SOURCE="$(InputPath)" +PostBuild_Desc=Embed .manifest +PostBuild_Cmds=if exist $(TargetPath).manifest mt.exe -manifest $(TargetPath).manifest -outputresource:$(TargetPath);2 +# End Special Build Tool + +!ELSEIF "$(CFG)" == "apr_crypto_nss - Win32 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "Debug" +# PROP BASE Intermediate_Dir "Debug" +# PROP BASE Target_Dir "" +# PROP Use_MFC 0 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "Debug" +# PROP Intermediate_Dir "Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MDd /W3 /Zi /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /FD /EHsc /c +# ADD CPP /nologo /MDd /W3 /Zi /Od /I "../include" /I "../../apr/include" /I "../include/private" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "APU_DSO_MODULE_BUILD" /D APU_HAVE_NSS=1 /D HAVE_NSS_H=1 /D HAVE_PK11PUB_H=1 /D /Fo"$(INTDIR)\" /Fd"$(INTDIR)\apr_crypto_nss_src" /FD /EHsc /c +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /o /win32 "NUL" +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /o /win32 "NUL" +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /fo"Debug/apr_crypto_nss-1.res" /d DLL_NAME="apr_crypto_nss" /d "_DEBUG" /d "APU_VERSION_ONLY" /I "../include" /I "../../apr/include" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib advapi32.lib ws2_32.lib mswsock.lib ole32.lib nss3.lib nspr4.lib /nologo /base:"0x6F110000" /subsystem:windows /dll /incremental:no /debug +# ADD LINK32 kernel32.lib advapi32.lib ws2_32.lib mswsock.lib ole32.lib nss3.lib nspr4.lib /nologo /base:"0x6F110000" /subsystem:windows /dll /incremental:no /debug /out:"Debug\apr_crypto_nss-1.dll" /pdb:"Debug\apr_crypto_nss-1.pdb" /implib:"Debug\apr_crypto_nss-1.lib" /MACHINE:X86 +# Begin Special Build Tool +TargetPath=Debug\apr_crypto_nss-1.dll +SOURCE="$(InputPath)" +PostBuild_Desc=Embed .manifest +PostBuild_Cmds=if exist $(TargetPath).manifest mt.exe -manifest $(TargetPath).manifest -outputresource:$(TargetPath);2 +# End Special Build Tool + +!ELSEIF "$(CFG)" == "apr_crypto_nss - x64 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "x64\Release" +# PROP BASE Intermediate_Dir "x64\Release" +# PROP BASE Target_Dir "" +# PROP Use_MFC 0 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "x64\Release" +# PROP Intermediate_Dir "x64\Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MD /W3 /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /FD /c +# ADD CPP /nologo /MD /W3 /Zi /O2 /Oy- /I "../include" /I "../../apr/include" /I "../include/private" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "APU_DSO_MODULE_BUILD" /D APU_HAVE_NSS=1 /D HAVE_NSS_H=1 /D HAVE_PK11PUB_H=1 /D /Fo"$(INTDIR)\" /Fd"$(INTDIR)\apr_crypto_nss_src" /FD /c +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /o /win32 "NUL" +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /o /win32 "NUL" +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /fo"x64/Release/apr_crypto_nss-1.res" /d DLL_NAME="apr_crypto_nss" /d "NDEBUG" /d "APU_VERSION_ONLY" /I "../include" /I "../../apr/include" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib advapi32.lib ws2_32.lib mswsock.lib ole32.lib nss3.lib nspr4.lib /nologo /base:"0x6F110000" /subsystem:windows /dll /incremental:no /debug /opt:ref +# ADD LINK32 kernel32.lib advapi32.lib ws2_32.lib mswsock.lib ole32.lib nss3.lib nspr4.lib /nologo /base:"0x6F110000" /subsystem:windows /dll /incremental:no /debug /out:"x64\Release\apr_crypto_nss-1.dll" /pdb:"x64\Release\apr_crypto_nss-1.pdb" /implib:"x64\Release\apr_crypto_nss-1.lib" /MACHINE:X64 /opt:ref +# Begin Special Build Tool +TargetPath=x64\Release\apr_crypto_nss-1.dll +SOURCE="$(InputPath)" +PostBuild_Desc=Embed .manifest +PostBuild_Cmds=if exist $(TargetPath).manifest mt.exe -manifest $(TargetPath).manifest -outputresource:$(TargetPath);2 +# End Special Build Tool + +!ELSEIF "$(CFG)" == "apr_crypto_nss - x64 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "x64\Debug" +# PROP BASE Intermediate_Dir "x64\Debug" +# PROP BASE Target_Dir "" +# PROP Use_MFC 0 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "x64\Debug" +# PROP Intermediate_Dir "x64\Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MDd /W3 /Zi /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /FD /EHsc /c +# ADD CPP /nologo /MDd /W3 /Zi /Od /I "../include" /I "../../apr/include" /I "../include/private" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "APU_DSO_MODULE_BUILD" /D APU_HAVE_NSS=1 /D HAVE_NSS_H=1 /D HAVE_PK11PUB_H=1 /D /Fo"$(INTDIR)\" /Fd"$(INTDIR)\apr_crypto_nss_src" /FD /EHsc /c +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /o /win32 "NUL" +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /o /win32 "NUL" +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /fo"x64/Debug/apr_crypto_nss-1.res" /d DLL_NAME="apr_crypto_nss" /d "_DEBUG" /d "APU_VERSION_ONLY" /I "../include" /I "../../apr/include" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib advapi32.lib ws2_32.lib mswsock.lib ole32.lib nss3.lib nspr4.lib /nologo /base:"0x6F110000" /subsystem:windows /dll /incremental:no /debug +# ADD LINK32 kernel32.lib advapi32.lib ws2_32.lib mswsock.lib ole32.lib nss3.lib nspr4.lib /nologo /base:"0x6F110000" /subsystem:windows /dll /incremental:no /debug /out:"x64\Debug\apr_crypto_nss-1.dll" /pdb:"x64\Debug\apr_crypto_nss-1.pdb" /implib:"x64\Debug\apr_crypto_nss-1.lib" /MACHINE:X64 +# Begin Special Build Tool +TargetPath=x64\Debug\apr_crypto_nss-1.dll +SOURCE="$(InputPath)" +PostBuild_Desc=Embed .manifest +PostBuild_Cmds=if exist $(TargetPath).manifest mt.exe -manifest $(TargetPath).manifest -outputresource:$(TargetPath);2 +# End Special Build Tool + +!ENDIF + +# Begin Target + +# Name "apr_crypto_nss - Win32 Release" +# Name "apr_crypto_nss - Win32 Debug" +# Name "apr_crypto_nss - x64 Release" +# Name "apr_crypto_nss - x64 Debug" +# Begin Group "Source Files" + +# PROP Default_Filter "" +# Begin Source File + +SOURCE=.\apr_crypto_nss.c +# End Source File +# End Group +# Begin Group "Public Header Files" + +# PROP Default_Filter "" +# Begin Source File + +SOURCE=..\include\apr_crypto.h +# End Source File +# End Group +# Begin Group "Internal Header Files" + +# PROP Default_Filter "" +# Begin Source File + +SOURCE=..\include\private\apu_config.h +# End Source File +# Begin Source File + +SOURCE=..\include\private\apu_internal.h +# End Source File +# End Group +# Begin Source File + +SOURCE=..\libaprutil.rc +# End Source File +# End Target +# End Project diff --git a/crypto/apr_crypto_openssl.c b/crypto/apr_crypto_openssl.c new file mode 100644 index 0000000..97e6008 --- /dev/null +++ b/crypto/apr_crypto_openssl.c @@ -0,0 +1,797 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "apr_lib.h" +#include "apu.h" +#include "apu_errno.h" + +#include <ctype.h> +#include <assert.h> +#include <stdlib.h> + +#include "apr_strings.h" +#include "apr_time.h" +#include "apr_buckets.h" + +#include "apr_crypto_internal.h" + +#if APU_HAVE_CRYPTO + +#include <openssl/evp.h> +#include <openssl/engine.h> + +#define LOG_PREFIX "apr_crypto_openssl: " + +struct apr_crypto_t { + apr_pool_t *pool; + const apr_crypto_driver_t *provider; + apu_err_t *result; + apr_array_header_t *keys; + apr_crypto_config_t *config; + apr_hash_t *types; + apr_hash_t *modes; +}; + +struct apr_crypto_config_t { + ENGINE *engine; +}; + +struct apr_crypto_key_t { + apr_pool_t *pool; + const apr_crypto_driver_t *provider; + const apr_crypto_t *f; + const EVP_CIPHER * cipher; + unsigned char *key; + int keyLen; + int doPad; + int ivSize; +}; + +struct apr_crypto_block_t { + apr_pool_t *pool; + const apr_crypto_driver_t *provider; + const apr_crypto_t *f; + EVP_CIPHER_CTX cipherCtx; + int initialised; + int ivSize; + int blockSize; + int doPad; +}; + +static int key_3des_192 = APR_KEY_3DES_192; +static int key_aes_128 = APR_KEY_AES_128; +static int key_aes_192 = APR_KEY_AES_192; +static int key_aes_256 = APR_KEY_AES_256; + +static int mode_ecb = APR_MODE_ECB; +static int mode_cbc = APR_MODE_CBC; + +/** + * Fetch the most recent error from this driver. + */ +static apr_status_t crypto_error(const apu_err_t **result, + const apr_crypto_t *f) +{ + *result = f->result; + return APR_SUCCESS; +} + +/** + * Shutdown the crypto library and release resources. + */ +static apr_status_t crypto_shutdown(void) +{ + ERR_free_strings(); + EVP_cleanup(); + ENGINE_cleanup(); + return APR_SUCCESS; +} + +static apr_status_t crypto_shutdown_helper(void *data) +{ + return crypto_shutdown(); +} + +/** + * Initialise the crypto library and perform one time initialisation. + */ +static apr_status_t crypto_init(apr_pool_t *pool, const char *params, int *rc) +{ + CRYPTO_malloc_init(); + ERR_load_crypto_strings(); + /* SSL_load_error_strings(); */ + OpenSSL_add_all_algorithms(); + ENGINE_load_builtin_engines(); + ENGINE_register_all_complete(); + + apr_pool_cleanup_register(pool, pool, crypto_shutdown_helper, + apr_pool_cleanup_null); + + return APR_SUCCESS; +} + +/** + * @brief Clean encryption / decryption context. + * @note After cleanup, a context is free to be reused if necessary. + * @param ctx The block context to use. + * @return Returns APR_ENOTIMPL if not supported. + */ +static apr_status_t crypto_block_cleanup(apr_crypto_block_t *ctx) +{ + + if (ctx->initialised) { + EVP_CIPHER_CTX_cleanup(&ctx->cipherCtx); + ctx->initialised = 0; + } + + return APR_SUCCESS; + +} + +static apr_status_t crypto_block_cleanup_helper(void *data) +{ + apr_crypto_block_t *block = (apr_crypto_block_t *) data; + return crypto_block_cleanup(block); +} + +/** + * @brief Clean encryption / decryption context. + * @note After cleanup, a context is free to be reused if necessary. + * @param f The context to use. + * @return Returns APR_ENOTIMPL if not supported. + */ +static apr_status_t crypto_cleanup(apr_crypto_t *f) +{ + + if (f->config->engine) { + ENGINE_finish(f->config->engine); + ENGINE_free(f->config->engine); + f->config->engine = NULL; + } + return APR_SUCCESS; + +} + +static apr_status_t crypto_cleanup_helper(void *data) +{ + apr_crypto_t *f = (apr_crypto_t *) data; + return crypto_cleanup(f); +} + +/** + * @brief Create a context for supporting encryption. Keys, certificates, + * algorithms and other parameters will be set per context. More than + * one context can be created at one time. A cleanup will be automatically + * registered with the given pool to guarantee a graceful shutdown. + * @param f - context pointer will be written here + * @param provider - provider to use + * @param params - array of key parameters + * @param pool - process pool + * @return APR_ENOENGINE when the engine specified does not exist. APR_EINITENGINE + * if the engine cannot be initialised. + */ +static apr_status_t crypto_make(apr_crypto_t **ff, + const apr_crypto_driver_t *provider, const char *params, + apr_pool_t *pool) +{ + apr_crypto_config_t *config = NULL; + apr_crypto_t *f = apr_pcalloc(pool, sizeof(apr_crypto_t)); + + const char *engine = NULL; + + struct { + const char *field; + const char *value; + int set; + } fields[] = { + { "engine", NULL, 0 }, + { NULL, NULL, 0 } + }; + const char *ptr; + size_t klen; + char **elts = NULL; + char *elt; + int i = 0, j; + apr_status_t status; + + if (params) { + if (APR_SUCCESS != (status = apr_tokenize_to_argv(params, &elts, pool))) { + return status; + } + while ((elt = elts[i])) { + ptr = strchr(elt, '='); + if (ptr) { + for (klen = ptr - elt; klen && apr_isspace(elt[klen - 1]); --klen) + ; + ptr++; + } + else { + for (klen = strlen(elt); klen && apr_isspace(elt[klen - 1]); --klen) + ; + } + elt[klen] = 0; + + for (j = 0; fields[j].field != NULL; ++j) { + if (!strcasecmp(fields[j].field, elt)) { + fields[j].set = 1; + if (ptr) { + fields[j].value = ptr; + } + break; + } + } + + i++; + } + engine = fields[0].value; + } + + if (!f) { + return APR_ENOMEM; + } + *ff = f; + f->pool = pool; + f->provider = provider; + config = f->config = apr_pcalloc(pool, sizeof(apr_crypto_config_t)); + if (!config) { + return APR_ENOMEM; + } + + f->result = apr_pcalloc(pool, sizeof(apu_err_t)); + if (!f->result) { + return APR_ENOMEM; + } + + f->keys = apr_array_make(pool, 10, sizeof(apr_crypto_key_t)); + if (!f->keys) { + return APR_ENOMEM; + } + + f->types = apr_hash_make(pool); + if (!f->types) { + return APR_ENOMEM; + } + apr_hash_set(f->types, "3des192", APR_HASH_KEY_STRING, &(key_3des_192)); + apr_hash_set(f->types, "aes128", APR_HASH_KEY_STRING, &(key_aes_128)); + apr_hash_set(f->types, "aes192", APR_HASH_KEY_STRING, &(key_aes_192)); + apr_hash_set(f->types, "aes256", APR_HASH_KEY_STRING, &(key_aes_256)); + + f->modes = apr_hash_make(pool); + if (!f->modes) { + return APR_ENOMEM; + } + apr_hash_set(f->modes, "ecb", APR_HASH_KEY_STRING, &(mode_ecb)); + apr_hash_set(f->modes, "cbc", APR_HASH_KEY_STRING, &(mode_cbc)); + + apr_pool_cleanup_register(pool, f, crypto_cleanup_helper, + apr_pool_cleanup_null); + + if (engine) { + config->engine = ENGINE_by_id(engine); + if (!config->engine) { + return APR_ENOENGINE; + } + if (!ENGINE_init(config->engine)) { + ENGINE_free(config->engine); + config->engine = NULL; + return APR_EINITENGINE; + } + } + + return APR_SUCCESS; + +} + +/** + * @brief Get a hash table of key types, keyed by the name of the type against + * an integer pointer constant. + * + * @param types - hashtable of key types keyed to constants. + * @param f - encryption context + * @return APR_SUCCESS for success + */ +static apr_status_t crypto_get_block_key_types(apr_hash_t **types, + const apr_crypto_t *f) +{ + *types = f->types; + return APR_SUCCESS; +} + +/** + * @brief Get a hash table of key modes, keyed by the name of the mode against + * an integer pointer constant. + * + * @param modes - hashtable of key modes keyed to constants. + * @param f - encryption context + * @return APR_SUCCESS for success + */ +static apr_status_t crypto_get_block_key_modes(apr_hash_t **modes, + const apr_crypto_t *f) +{ + *modes = f->modes; + return APR_SUCCESS; +} + +/** + * @brief Create a key from the given passphrase. By default, the PBKDF2 + * algorithm is used to generate the key from the passphrase. It is expected + * that the same pass phrase will generate the same key, regardless of the + * backend crypto platform used. The key is cleaned up when the context + * is cleaned, and may be reused with multiple encryption or decryption + * operations. + * @note If *key is NULL, a apr_crypto_key_t will be created from a pool. If + * *key is not NULL, *key must point at a previously created structure. + * @param key The key returned, see note. + * @param ivSize The size of the initialisation vector will be returned, based + * on whether an IV is relevant for this type of crypto. + * @param pass The passphrase to use. + * @param passLen The passphrase length in bytes + * @param salt The salt to use. + * @param saltLen The salt length in bytes + * @param type 3DES_192, AES_128, AES_192, AES_256. + * @param mode Electronic Code Book / Cipher Block Chaining. + * @param doPad Pad if necessary. + * @param iterations Iteration count + * @param f The context to use. + * @param p The pool to use. + * @return Returns APR_ENOKEY if the pass phrase is missing or empty, or if a backend + * error occurred while generating the key. APR_ENOCIPHER if the type or mode + * is not supported by the particular backend. APR_EKEYTYPE if the key type is + * not known. APR_EPADDING if padding was requested but is not supported. + * APR_ENOTIMPL if not implemented. + */ +static apr_status_t crypto_passphrase(apr_crypto_key_t **k, apr_size_t *ivSize, + const char *pass, apr_size_t passLen, const unsigned char * salt, + apr_size_t saltLen, const apr_crypto_block_key_type_e type, + const apr_crypto_block_key_mode_e mode, const int doPad, + const int iterations, const apr_crypto_t *f, apr_pool_t *p) +{ + apr_crypto_key_t *key = *k; + + if (!key) { + *k = key = apr_array_push(f->keys); + } + if (!key) { + return APR_ENOMEM; + } + + key->f = f; + key->provider = f->provider; + + /* determine the cipher to be used */ + switch (type) { + + case (APR_KEY_3DES_192): + + /* A 3DES key */ + if (mode == APR_MODE_CBC) { + key->cipher = EVP_des_ede3_cbc(); + } + else { + key->cipher = EVP_des_ede3_ecb(); + } + break; + + case (APR_KEY_AES_128): + + if (mode == APR_MODE_CBC) { + key->cipher = EVP_aes_128_cbc(); + } + else { + key->cipher = EVP_aes_128_ecb(); + } + break; + + case (APR_KEY_AES_192): + + if (mode == APR_MODE_CBC) { + key->cipher = EVP_aes_192_cbc(); + } + else { + key->cipher = EVP_aes_192_ecb(); + } + break; + + case (APR_KEY_AES_256): + + if (mode == APR_MODE_CBC) { + key->cipher = EVP_aes_256_cbc(); + } + else { + key->cipher = EVP_aes_256_ecb(); + } + break; + + default: + + /* unknown key type, give up */ + return APR_EKEYTYPE; + + } + + /* find the length of the key we need */ + key->keyLen = EVP_CIPHER_key_length(key->cipher); + + /* make space for the key */ + key->key = apr_pcalloc(p, key->keyLen); + if (!key->key) { + return APR_ENOMEM; + } + apr_crypto_clear(p, key->key, key->keyLen); + + /* generate the key */ + if (PKCS5_PBKDF2_HMAC_SHA1(pass, passLen, (unsigned char *) salt, saltLen, + iterations, key->keyLen, key->key) == 0) { + return APR_ENOKEY; + } + + key->doPad = doPad; + + /* note: openssl incorrectly returns non zero IV size values for ECB + * algorithms, so work around this by ignoring the IV size. + */ + if (APR_MODE_ECB != mode) { + key->ivSize = EVP_CIPHER_iv_length(key->cipher); + } + if (ivSize) { + *ivSize = key->ivSize; + } + + return APR_SUCCESS; +} + +/** + * @brief Initialise a context for encrypting arbitrary data using the given key. + * @note If *ctx is NULL, a apr_crypto_block_t will be created from a pool. If + * *ctx is not NULL, *ctx must point at a previously created structure. + * @param ctx The block context returned, see note. + * @param iv Optional initialisation vector. If the buffer pointed to is NULL, + * an IV will be created at random, in space allocated from the pool. + * If the buffer pointed to is not NULL, the IV in the buffer will be + * used. + * @param key The key structure. + * @param blockSize The block size of the cipher. + * @param p The pool to use. + * @return Returns APR_ENOIV if an initialisation vector is required but not specified. + * Returns APR_EINIT if the backend failed to initialise the context. Returns + * APR_ENOTIMPL if not implemented. + */ +static apr_status_t crypto_block_encrypt_init(apr_crypto_block_t **ctx, + const unsigned char **iv, const apr_crypto_key_t *key, + apr_size_t *blockSize, apr_pool_t *p) +{ + unsigned char *usedIv; + apr_crypto_config_t *config = key->f->config; + apr_crypto_block_t *block = *ctx; + if (!block) { + *ctx = block = apr_pcalloc(p, sizeof(apr_crypto_block_t)); + } + if (!block) { + return APR_ENOMEM; + } + block->f = key->f; + block->pool = p; + block->provider = key->provider; + + apr_pool_cleanup_register(p, block, crypto_block_cleanup_helper, + apr_pool_cleanup_null); + + /* create a new context for encryption */ + EVP_CIPHER_CTX_init(&block->cipherCtx); + block->initialised = 1; + + /* generate an IV, if necessary */ + usedIv = NULL; + if (key->ivSize) { + if (iv == NULL) { + return APR_ENOIV; + } + if (*iv == NULL) { + usedIv = apr_pcalloc(p, key->ivSize); + if (!usedIv) { + return APR_ENOMEM; + } + apr_crypto_clear(p, usedIv, key->ivSize); + if (!((RAND_status() == 1) + && (RAND_bytes(usedIv, key->ivSize) == 1))) { + return APR_ENOIV; + } + *iv = usedIv; + } + else { + usedIv = (unsigned char *) *iv; + } + } + + /* set up our encryption context */ +#if CRYPTO_OPENSSL_CONST_BUFFERS + if (!EVP_EncryptInit_ex(&block->cipherCtx, key->cipher, config->engine, + key->key, usedIv)) { +#else + if (!EVP_EncryptInit_ex(&block->cipherCtx, key->cipher, config->engine, (unsigned char *) key->key, (unsigned char *) usedIv)) { +#endif + return APR_EINIT; + } + + /* Clear up any read padding */ + if (!EVP_CIPHER_CTX_set_padding(&block->cipherCtx, key->doPad)) { + return APR_EPADDING; + } + + if (blockSize) { + *blockSize = EVP_CIPHER_block_size(key->cipher); + } + + return APR_SUCCESS; + +} + +/** + * @brief Encrypt data provided by in, write it to out. + * @note The number of bytes written will be written to outlen. If + * out is NULL, outlen will contain the maximum size of the + * buffer needed to hold the data, including any data + * generated by apr_crypto_block_encrypt_finish below. If *out points + * to NULL, a buffer sufficiently large will be created from + * the pool provided. If *out points to a not-NULL value, this + * value will be used as a buffer instead. + * @param out Address of a buffer to which data will be written, + * see note. + * @param outlen Length of the output will be written here. + * @param in Address of the buffer to read. + * @param inlen Length of the buffer to read. + * @param ctx The block context to use. + * @return APR_ECRYPT if an error occurred. Returns APR_ENOTIMPL if + * not implemented. + */ +static apr_status_t crypto_block_encrypt(unsigned char **out, + apr_size_t *outlen, const unsigned char *in, apr_size_t inlen, + apr_crypto_block_t *ctx) +{ + int outl = *outlen; + unsigned char *buffer; + + /* are we after the maximum size of the out buffer? */ + if (!out) { + *outlen = inlen + EVP_MAX_BLOCK_LENGTH; + return APR_SUCCESS; + } + + /* must we allocate the output buffer from a pool? */ + if (!*out) { + buffer = apr_palloc(ctx->pool, inlen + EVP_MAX_BLOCK_LENGTH); + if (!buffer) { + return APR_ENOMEM; + } + apr_crypto_clear(ctx->pool, buffer, inlen + EVP_MAX_BLOCK_LENGTH); + *out = buffer; + } + +#if CRYPT_OPENSSL_CONST_BUFFERS + if (!EVP_EncryptUpdate(&ctx->cipherCtx, (*out), &outl, in, inlen)) { +#else + if (!EVP_EncryptUpdate(&ctx->cipherCtx, (*out), &outl, + (unsigned char *) in, inlen)) { +#endif + return APR_ECRYPT; + } + *outlen = outl; + + return APR_SUCCESS; + +} + +/** + * @brief Encrypt final data block, write it to out. + * @note If necessary the final block will be written out after being + * padded. Typically the final block will be written to the + * same buffer used by apr_crypto_block_encrypt, offset by the + * number of bytes returned as actually written by the + * apr_crypto_block_encrypt() call. After this call, the context + * is cleaned and can be reused by apr_crypto_block_encrypt_init(). + * @param out Address of a buffer to which data will be written. This + * buffer must already exist, and is usually the same + * buffer used by apr_evp_crypt(). See note. + * @param outlen Length of the output will be written here. + * @param ctx The block context to use. + * @return APR_ECRYPT if an error occurred. + * @return APR_EPADDING if padding was enabled and the block was incorrectly + * formatted. + * @return APR_ENOTIMPL if not implemented. + */ +static apr_status_t crypto_block_encrypt_finish(unsigned char *out, + apr_size_t *outlen, apr_crypto_block_t *ctx) +{ + int len = *outlen; + + if (EVP_EncryptFinal_ex(&ctx->cipherCtx, out, &len) == 0) { + return APR_EPADDING; + } + *outlen = len; + + return APR_SUCCESS; + +} + +/** + * @brief Initialise a context for decrypting arbitrary data using the given key. + * @note If *ctx is NULL, a apr_crypto_block_t will be created from a pool. If + * *ctx is not NULL, *ctx must point at a previously created structure. + * @param ctx The block context returned, see note. + * @param blockSize The block size of the cipher. + * @param iv Optional initialisation vector. If the buffer pointed to is NULL, + * an IV will be created at random, in space allocated from the pool. + * If the buffer is not NULL, the IV in the buffer will be used. + * @param key The key structure. + * @param p The pool to use. + * @return Returns APR_ENOIV if an initialisation vector is required but not specified. + * Returns APR_EINIT if the backend failed to initialise the context. Returns + * APR_ENOTIMPL if not implemented. + */ +static apr_status_t crypto_block_decrypt_init(apr_crypto_block_t **ctx, + apr_size_t *blockSize, const unsigned char *iv, + const apr_crypto_key_t *key, apr_pool_t *p) +{ + apr_crypto_config_t *config = key->f->config; + apr_crypto_block_t *block = *ctx; + if (!block) { + *ctx = block = apr_pcalloc(p, sizeof(apr_crypto_block_t)); + } + if (!block) { + return APR_ENOMEM; + } + block->f = key->f; + block->pool = p; + block->provider = key->provider; + + apr_pool_cleanup_register(p, block, crypto_block_cleanup_helper, + apr_pool_cleanup_null); + + /* create a new context for encryption */ + EVP_CIPHER_CTX_init(&block->cipherCtx); + block->initialised = 1; + + /* generate an IV, if necessary */ + if (key->ivSize) { + if (iv == NULL) { + return APR_ENOIV; + } + } + + /* set up our encryption context */ +#if CRYPTO_OPENSSL_CONST_BUFFERS + if (!EVP_DecryptInit_ex(&block->cipherCtx, key->cipher, config->engine, + key->key, iv)) { +#else + if (!EVP_DecryptInit_ex(&block->cipherCtx, key->cipher, config->engine, (unsigned char *) key->key, (unsigned char *) iv)) { +#endif + return APR_EINIT; + } + + /* Clear up any read padding */ + if (!EVP_CIPHER_CTX_set_padding(&block->cipherCtx, key->doPad)) { + return APR_EPADDING; + } + + if (blockSize) { + *blockSize = EVP_CIPHER_block_size(key->cipher); + } + + return APR_SUCCESS; + +} + +/** + * @brief Decrypt data provided by in, write it to out. + * @note The number of bytes written will be written to outlen. If + * out is NULL, outlen will contain the maximum size of the + * buffer needed to hold the data, including any data + * generated by apr_crypto_block_decrypt_finish below. If *out points + * to NULL, a buffer sufficiently large will be created from + * the pool provided. If *out points to a not-NULL value, this + * value will be used as a buffer instead. + * @param out Address of a buffer to which data will be written, + * see note. + * @param outlen Length of the output will be written here. + * @param in Address of the buffer to read. + * @param inlen Length of the buffer to read. + * @param ctx The block context to use. + * @return APR_ECRYPT if an error occurred. Returns APR_ENOTIMPL if + * not implemented. + */ +static apr_status_t crypto_block_decrypt(unsigned char **out, + apr_size_t *outlen, const unsigned char *in, apr_size_t inlen, + apr_crypto_block_t *ctx) +{ + int outl = *outlen; + unsigned char *buffer; + + /* are we after the maximum size of the out buffer? */ + if (!out) { + *outlen = inlen + EVP_MAX_BLOCK_LENGTH; + return APR_SUCCESS; + } + + /* must we allocate the output buffer from a pool? */ + if (!(*out)) { + buffer = apr_palloc(ctx->pool, inlen + EVP_MAX_BLOCK_LENGTH); + if (!buffer) { + return APR_ENOMEM; + } + apr_crypto_clear(ctx->pool, buffer, inlen + EVP_MAX_BLOCK_LENGTH); + *out = buffer; + } + +#if CRYPT_OPENSSL_CONST_BUFFERS + if (!EVP_DecryptUpdate(&ctx->cipherCtx, *out, &outl, in, inlen)) { +#else + if (!EVP_DecryptUpdate(&ctx->cipherCtx, *out, &outl, (unsigned char *) in, + inlen)) { +#endif + return APR_ECRYPT; + } + *outlen = outl; + + return APR_SUCCESS; + +} + +/** + * @brief Decrypt final data block, write it to out. + * @note If necessary the final block will be written out after being + * padded. Typically the final block will be written to the + * same buffer used by apr_crypto_block_decrypt, offset by the + * number of bytes returned as actually written by the + * apr_crypto_block_decrypt() call. After this call, the context + * is cleaned and can be reused by apr_crypto_block_decrypt_init(). + * @param out Address of a buffer to which data will be written. This + * buffer must already exist, and is usually the same + * buffer used by apr_evp_crypt(). See note. + * @param outlen Length of the output will be written here. + * @param ctx The block context to use. + * @return APR_ECRYPT if an error occurred. + * @return APR_EPADDING if padding was enabled and the block was incorrectly + * formatted. + * @return APR_ENOTIMPL if not implemented. + */ +static apr_status_t crypto_block_decrypt_finish(unsigned char *out, + apr_size_t *outlen, apr_crypto_block_t *ctx) +{ + + int len = *outlen; + + if (EVP_DecryptFinal_ex(&ctx->cipherCtx, out, &len) == 0) { + return APR_EPADDING; + } + *outlen = len; + + return APR_SUCCESS; + +} + +/** + * OpenSSL module. + */ +APU_MODULE_DECLARE_DATA const apr_crypto_driver_t apr_crypto_openssl_driver = { + "openssl", crypto_init, crypto_make, crypto_get_block_key_types, + crypto_get_block_key_modes, crypto_passphrase, + crypto_block_encrypt_init, crypto_block_encrypt, + crypto_block_encrypt_finish, crypto_block_decrypt_init, + crypto_block_decrypt, crypto_block_decrypt_finish, + crypto_block_cleanup, crypto_cleanup, crypto_shutdown, crypto_error +}; + +#endif diff --git a/crypto/apr_crypto_openssl.dsp b/crypto/apr_crypto_openssl.dsp new file mode 100644 index 0000000..90114ce --- /dev/null +++ b/crypto/apr_crypto_openssl.dsp @@ -0,0 +1,203 @@ +# Microsoft Developer Studio Project File - Name="apr_crypto_openssl" - Package Owner=<4> +# Microsoft Developer Studio Generated Build File, Format Version 6.00 +# ** DO NOT EDIT ** + +# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102 + +CFG=apr_crypto_openssl - Win32 Release +!MESSAGE This is not a valid makefile. To build this project using NMAKE, +!MESSAGE use the Export Makefile command and run +!MESSAGE +!MESSAGE NMAKE /f "apr_crypto_openssl.mak". +!MESSAGE +!MESSAGE You can specify a configuration when running NMAKE +!MESSAGE by defining the macro CFG on the command line. For example: +!MESSAGE +!MESSAGE NMAKE /f "apr_crypto_openssl.mak" CFG="apr_crypto_openssl - Win32 Release" +!MESSAGE +!MESSAGE Possible choices for configuration are: +!MESSAGE +!MESSAGE "apr_crypto_openssl - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "apr_crypto_openssl - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "apr_crypto_openssl - x64 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "apr_crypto_openssl - x64 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE + +# Begin Project +# PROP AllowPerConfigDependencies 0 +# PROP Scc_ProjName "" +# PROP Scc_LocalPath "" +CPP=cl.exe +MTL=midl.exe +RSC=rc.exe + +!IF "$(CFG)" == "apr_crypto_openssl - Win32 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "Release" +# PROP BASE Intermediate_Dir "Release" +# PROP BASE Target_Dir "" +# PROP Use_MFC 0 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "Release" +# PROP Intermediate_Dir "Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MD /W3 /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /FD /c +# ADD CPP /nologo /MD /W3 /Zi /O2 /Oy- /I "../include" /I "../../apr/include" /I "../include/private" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "APU_DSO_MODULE_BUILD" /D APU_HAVE_OPENSSL=1 /Fo"$(INTDIR)\" /Fd"$(INTDIR)\apr_crypto_openssl_src" /FD /c +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /o /win32 "NUL" +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /o /win32 "NUL" +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /fo"Release/apr_crypto_openssl-1.res" /d DLL_NAME="apr_crypto_openssl" /d "NDEBUG" /d "APU_VERSION_ONLY" /I "../include" /I "../../apr/include" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib advapi32.lib ws2_32.lib mswsock.lib ole32.lib libeay32.lib ssleay32.lib /nologo /base:"0x6F100000" /subsystem:windows /dll /incremental:no /debug /opt:ref +# ADD LINK32 kernel32.lib advapi32.lib ws2_32.lib mswsock.lib ole32.lib libeay32.lib ssleay32.lib /nologo /base:"0x6F100000" /subsystem:windows /dll /incremental:no /debug /out:"Release\apr_crypto_openssl-1.dll" /pdb:"Release\apr_crypto_openssl-1.pdb" /implib:"Release\apr_crypto_openssl-1.lib" /MACHINE:X86 /opt:ref +# Begin Special Build Tool +TargetPath=Release\apr_crypto_openssl-1.dll +SOURCE="$(InputPath)" +PostBuild_Desc=Embed .manifest +PostBuild_Cmds=if exist $(TargetPath).manifest mt.exe -manifest $(TargetPath).manifest -outputresource:$(TargetPath);2 +# End Special Build Tool + +!ELSEIF "$(CFG)" == "apr_crypto_openssl - Win32 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "Debug" +# PROP BASE Intermediate_Dir "Debug" +# PROP BASE Target_Dir "" +# PROP Use_MFC 0 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "Debug" +# PROP Intermediate_Dir "Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MDd /W3 /Zi /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /FD /EHsc /c +# ADD CPP /nologo /MDd /W3 /Zi /Od /I "../include" /I "../../apr/include" /I "../include/private" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "APU_DSO_MODULE_BUILD" /D APU_HAVE_OPENSSL=1 /D /Fo"$(INTDIR)\" /Fd"$(INTDIR)\apr_crypto_openssl_src" /FD /EHsc /c +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /o /win32 "NUL" +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /o /win32 "NUL" +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /fo"Debug/apr_crypto_openssl-1.res" /d DLL_NAME="apr_crypto_openssl" /d "_DEBUG" /d "APU_VERSION_ONLY" /I "../include" /I "../../apr/include" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib advapi32.lib ws2_32.lib mswsock.lib ole32.lib libeay32.lib ssleay32.lib /nologo /base:"0x6F100000" /subsystem:windows /dll /incremental:no /debug +# ADD LINK32 kernel32.lib advapi32.lib ws2_32.lib mswsock.lib ole32.lib libeay32.lib ssleay32.lib /nologo /base:"0x6F100000" /subsystem:windows /dll /incremental:no /debug /out:"Debug\apr_crypto_openssl-1.dll" /pdb:"Debug\apr_crypto_openssl-1.pdb" /implib:"Debug\apr_crypto_openssl-1.lib" /MACHINE:X86 +# Begin Special Build Tool +TargetPath=Debug\apr_crypto_openssl-1.dll +SOURCE="$(InputPath)" +PostBuild_Desc=Embed .manifest +PostBuild_Cmds=if exist $(TargetPath).manifest mt.exe -manifest $(TargetPath).manifest -outputresource:$(TargetPath);2 +# End Special Build Tool + +!ELSEIF "$(CFG)" == "apr_crypto_openssl - x64 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "x64\Release" +# PROP BASE Intermediate_Dir "x64\Release" +# PROP BASE Target_Dir "" +# PROP Use_MFC 0 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "x64\Release" +# PROP Intermediate_Dir "x64\Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MD /W3 /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /FD /c +# ADD CPP /nologo /MD /W3 /Zi /O2 /Oy- /I "../include" /I "../../apr/include" /I "../include/private" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "APU_DSO_MODULE_BUILD" /D APU_HAVE_OPENSSL=1 /D /Fo"$(INTDIR)\" /Fd"$(INTDIR)\apr_crypto_openssl_src" /FD /c +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /o /win32 "NUL" +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /o /win32 "NUL" +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /fo"x64/Release/apr_crypto_openssl-1.res" /d DLL_NAME="apr_crypto_openssl" /d "NDEBUG" /d "APU_VERSION_ONLY" /I "../include" /I "../../apr/include" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib advapi32.lib ws2_32.lib mswsock.lib ole32.lib libeay32.lib ssleay32.lib /nologo /base:"0x6F100000" /subsystem:windows /dll /incremental:no /debug /opt:ref +# ADD LINK32 kernel32.lib advapi32.lib ws2_32.lib mswsock.lib ole32.lib libeay32.lib ssleay32.lib /nologo /base:"0x6F100000" /subsystem:windows /dll /incremental:no /debug /out:"x64\Release\apr_crypto_openssl-1.dll" /pdb:"x64\Release\apr_crypto_openssl-1.pdb" /implib:"x64\Release\apr_crypto_openssl-1.lib" /MACHINE:X64 /opt:ref +# Begin Special Build Tool +TargetPath=x64\Release\apr_crypto_openssl-1.dll +SOURCE="$(InputPath)" +PostBuild_Desc=Embed .manifest +PostBuild_Cmds=if exist $(TargetPath).manifest mt.exe -manifest $(TargetPath).manifest -outputresource:$(TargetPath);2 +# End Special Build Tool + +!ELSEIF "$(CFG)" == "apr_crypto_openssl - x64 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "x64\Debug" +# PROP BASE Intermediate_Dir "x64\Debug" +# PROP BASE Target_Dir "" +# PROP Use_MFC 0 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "x64\Debug" +# PROP Intermediate_Dir "x64\Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MDd /W3 /Zi /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /FD /EHsc /c +# ADD CPP /nologo /MDd /W3 /Zi /Od /I "../include" /I "../../apr/include" /I "../include/private" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "APU_DSO_MODULE_BUILD" /D APU_HAVE_OPENSSL=1 /D /Fo"$(INTDIR)\" /Fd"$(INTDIR)\apr_crypto_openssl_src" /FD /EHsc /c +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /o /win32 "NUL" +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /o /win32 "NUL" +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /fo"x64/Debug/apr_crypto_openssl-1.res" /d DLL_NAME="apr_crypto_openssl" /d "_DEBUG" /d "APU_VERSION_ONLY" /I "../include" /I "../../apr/include" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib advapi32.lib ws2_32.lib mswsock.lib ole32.lib libeay32.lib ssleay32.lib /nologo /base:"0x6F100000" /subsystem:windows /dll /incremental:no /debug +# ADD LINK32 kernel32.lib advapi32.lib ws2_32.lib mswsock.lib ole32.lib libeay32.lib ssleay32.lib /nologo /base:"0x6F100000" /subsystem:windows /dll /incremental:no /debug /out:"x64\Debug\apr_crypto_openssl-1.dll" /pdb:"x64\Debug\apr_crypto_openssl-1.pdb" /implib:"x64\Debug\apr_crypto_openssl-1.lib" /MACHINE:X64 +# Begin Special Build Tool +TargetPath=x64\Debug\apr_crypto_openssl-1.dll +SOURCE="$(InputPath)" +PostBuild_Desc=Embed .manifest +PostBuild_Cmds=if exist $(TargetPath).manifest mt.exe -manifest $(TargetPath).manifest -outputresource:$(TargetPath);2 +# End Special Build Tool + +!ENDIF + +# Begin Target + +# Name "apr_crypto_openssl - Win32 Release" +# Name "apr_crypto_openssl - Win32 Debug" +# Name "apr_crypto_openssl - x64 Release" +# Name "apr_crypto_openssl - x64 Debug" +# Begin Group "Source Files" + +# PROP Default_Filter "" +# Begin Source File + +SOURCE=.\apr_crypto_openssl.c +# End Source File +# End Group +# Begin Group "Public Header Files" + +# PROP Default_Filter "" +# Begin Source File + +SOURCE=..\include\apr_crypto.h +# End Source File +# End Group +# Begin Group "Internal Header Files" + +# PROP Default_Filter "" +# Begin Source File + +SOURCE=..\include\private\apu_config.h +# End Source File +# Begin Source File + +SOURCE=..\include\private\apu_internal.h +# End Source File +# End Group +# Begin Source File + +SOURCE=..\libaprutil.rc +# End Source File +# End Target +# End Project diff --git a/crypto/apr_md4.c b/crypto/apr_md4.c new file mode 100644 index 0000000..ada5140 --- /dev/null +++ b/crypto/apr_md4.c @@ -0,0 +1,404 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This is derived from material copyright RSA Data Security, Inc. + * Their notice is reproduced below in its entirety. + * + * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All + * rights reserved. + * + * License to copy and use this software is granted provided that it + * is identified as the "RSA Data Security, Inc. MD4 Message-Digest + * Algorithm" in all material mentioning or referencing this software + * or this function. + * + * License is also granted to make and use derivative works provided + * that such works are identified as "derived from the RSA Data + * Security, Inc. MD4 Message-Digest Algorithm" in all material + * mentioning or referencing the derived work. + * + * RSA Data Security, Inc. makes no representations concerning either + * the merchantability of this software or the suitability of this + * software for any particular purpose. It is provided "as is" + * without express or implied warranty of any kind. + * + * These notices must be retained in any copies of any part of this + * documentation and/or software. + */ + +#include "apr_strings.h" +#include "apr_md4.h" +#include "apr_lib.h" + +#if APR_HAVE_STRING_H +#include <string.h> +#endif +#if APR_HAVE_UNISTD_H +#include <unistd.h> +#endif + +/* Constants for MD4Transform routine. + */ + +#define S11 3 +#define S12 7 +#define S13 11 +#define S14 19 +#define S21 3 +#define S22 5 +#define S23 9 +#define S24 13 +#define S31 3 +#define S32 9 +#define S33 11 +#define S34 15 + +static void MD4Transform(apr_uint32_t state[4], const unsigned char block[64]); +static void Encode(unsigned char *output, const apr_uint32_t *input, + unsigned int len); +static void Decode(apr_uint32_t *output, const unsigned char *input, + unsigned int len); + +static unsigned char PADDING[64] = +{ + 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 +}; + +#if APR_CHARSET_EBCDIC +static apr_xlate_t *xlate_ebcdic_to_ascii; /* used in apr_md4_encode() */ +#endif + +/* F, G and I are basic MD4 functions. + */ +#define F(x, y, z) (((x) & (y)) | ((~x) & (z))) +#define G(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z))) +#define H(x, y, z) ((x) ^ (y) ^ (z)) + +/* ROTATE_LEFT rotates x left n bits. + */ +#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n)))) + +/* FF, GG and HH are transformations for rounds 1, 2 and 3 */ +/* Rotation is separate from addition to prevent recomputation */ + +#define FF(a, b, c, d, x, s) { \ + (a) += F ((b), (c), (d)) + (x); \ + (a) = ROTATE_LEFT ((a), (s)); \ + } +#define GG(a, b, c, d, x, s) { \ + (a) += G ((b), (c), (d)) + (x) + (apr_uint32_t)0x5a827999; \ + (a) = ROTATE_LEFT ((a), (s)); \ + } +#define HH(a, b, c, d, x, s) { \ + (a) += H ((b), (c), (d)) + (x) + (apr_uint32_t)0x6ed9eba1; \ + (a) = ROTATE_LEFT ((a), (s)); \ + } + +/* MD4 initialization. Begins an MD4 operation, writing a new context. + */ +APU_DECLARE(apr_status_t) apr_md4_init(apr_md4_ctx_t *context) +{ + context->count[0] = context->count[1] = 0; + + /* Load magic initialization constants. */ + context->state[0] = 0x67452301; + context->state[1] = 0xefcdab89; + context->state[2] = 0x98badcfe; + context->state[3] = 0x10325476; + +#if APR_HAS_XLATE + context->xlate = NULL; +#endif + + return APR_SUCCESS; +} + +#if APR_HAS_XLATE +/* MD4 translation setup. Provides the APR translation handle + * to be used for translating the content before calculating the + * digest. + */ +APU_DECLARE(apr_status_t) apr_md4_set_xlate(apr_md4_ctx_t *context, + apr_xlate_t *xlate) +{ + apr_status_t rv; + int is_sb; + + /* TODO: remove the single-byte-only restriction from this code + */ + rv = apr_xlate_sb_get(xlate, &is_sb); + if (rv != APR_SUCCESS) { + return rv; + } + if (!is_sb) { + return APR_EINVAL; + } + context->xlate = xlate; + return APR_SUCCESS; +} +#endif /* APR_HAS_XLATE */ + +/* MD4 block update operation. Continues an MD4 message-digest + * operation, processing another message block, and updating the + * context. + */ +APU_DECLARE(apr_status_t) apr_md4_update(apr_md4_ctx_t *context, + const unsigned char *input, + apr_size_t inputLen) +{ + unsigned int i, idx, partLen; +#if APR_HAS_XLATE + apr_size_t inbytes_left, outbytes_left; +#endif + + /* Compute number of bytes mod 64 */ + idx = (unsigned int)((context->count[0] >> 3) & 0x3F); + + /* Update number of bits */ + if ((context->count[0] += ((apr_uint32_t)inputLen << 3)) + < ((apr_uint32_t)inputLen << 3)) + context->count[1]++; + context->count[1] += (apr_uint32_t)inputLen >> 29; + + partLen = 64 - idx; + + /* Transform as many times as possible. */ +#if !APR_HAS_XLATE + if (inputLen >= partLen) { + memcpy(&context->buffer[idx], input, partLen); + MD4Transform(context->state, context->buffer); + + for (i = partLen; i + 63 < inputLen; i += 64) + MD4Transform(context->state, &input[i]); + + idx = 0; + } + else + i = 0; + + /* Buffer remaining input */ + memcpy(&context->buffer[idx], &input[i], inputLen - i); +#else /*APR_HAS_XLATE*/ + if (inputLen >= partLen) { + if (context->xlate) { + inbytes_left = outbytes_left = partLen; + apr_xlate_conv_buffer(context->xlate, (const char *)input, + &inbytes_left, + (char *)&context->buffer[idx], + &outbytes_left); + } + else { + memcpy(&context->buffer[idx], input, partLen); + } + MD4Transform(context->state, context->buffer); + + for (i = partLen; i + 63 < inputLen; i += 64) { + if (context->xlate) { + unsigned char inp_tmp[64]; + inbytes_left = outbytes_left = 64; + apr_xlate_conv_buffer(context->xlate, (const char *)&input[i], + &inbytes_left, + (char *)inp_tmp, &outbytes_left); + MD4Transform(context->state, inp_tmp); + } + else { + MD4Transform(context->state, &input[i]); + } + } + + idx = 0; + } + else + i = 0; + + /* Buffer remaining input */ + if (context->xlate) { + inbytes_left = outbytes_left = inputLen - i; + apr_xlate_conv_buffer(context->xlate, (const char *)&input[i], + &inbytes_left, (char *)&context->buffer[idx], + &outbytes_left); + } + else { + memcpy(&context->buffer[idx], &input[i], inputLen - i); + } +#endif /*APR_HAS_XLATE*/ + return APR_SUCCESS; +} + +/* MD4 finalization. Ends an MD4 message-digest operation, writing the + * the message digest and zeroizing the context. + */ +APU_DECLARE(apr_status_t) apr_md4_final( + unsigned char digest[APR_MD4_DIGESTSIZE], + apr_md4_ctx_t *context) +{ + unsigned char bits[8]; + unsigned int idx, padLen; + + /* Save number of bits */ + Encode(bits, context->count, 8); + +#if APR_HAS_XLATE + /* apr_md4_update() should not translate for this final round. */ + context->xlate = NULL; +#endif /*APR_HAS_XLATE*/ + + /* Pad out to 56 mod 64. */ + idx = (unsigned int) ((context->count[0] >> 3) & 0x3f); + padLen = (idx < 56) ? (56 - idx) : (120 - idx); + apr_md4_update(context, PADDING, padLen); + + /* Append length (before padding) */ + apr_md4_update(context, bits, 8); + + /* Store state in digest */ + Encode(digest, context->state, APR_MD4_DIGESTSIZE); + + /* Zeroize sensitive information. */ + memset(context, 0, sizeof(*context)); + + return APR_SUCCESS; +} + +/* MD4 computation in one step (init, update, final) + */ +APU_DECLARE(apr_status_t) apr_md4(unsigned char digest[APR_MD4_DIGESTSIZE], + const unsigned char *input, + apr_size_t inputLen) +{ + apr_md4_ctx_t ctx; + apr_status_t rv; + + apr_md4_init(&ctx); + + if ((rv = apr_md4_update(&ctx, input, inputLen)) != APR_SUCCESS) + return rv; + + return apr_md4_final(digest, &ctx); +} + +/* MD4 basic transformation. Transforms state based on block. */ +static void MD4Transform(apr_uint32_t state[4], const unsigned char block[64]) +{ + apr_uint32_t a = state[0], b = state[1], c = state[2], d = state[3], + x[APR_MD4_DIGESTSIZE]; + + Decode(x, block, 64); + + /* Round 1 */ + FF (a, b, c, d, x[ 0], S11); /* 1 */ + FF (d, a, b, c, x[ 1], S12); /* 2 */ + FF (c, d, a, b, x[ 2], S13); /* 3 */ + FF (b, c, d, a, x[ 3], S14); /* 4 */ + FF (a, b, c, d, x[ 4], S11); /* 5 */ + FF (d, a, b, c, x[ 5], S12); /* 6 */ + FF (c, d, a, b, x[ 6], S13); /* 7 */ + FF (b, c, d, a, x[ 7], S14); /* 8 */ + FF (a, b, c, d, x[ 8], S11); /* 9 */ + FF (d, a, b, c, x[ 9], S12); /* 10 */ + FF (c, d, a, b, x[10], S13); /* 11 */ + FF (b, c, d, a, x[11], S14); /* 12 */ + FF (a, b, c, d, x[12], S11); /* 13 */ + FF (d, a, b, c, x[13], S12); /* 14 */ + FF (c, d, a, b, x[14], S13); /* 15 */ + FF (b, c, d, a, x[15], S14); /* 16 */ + + /* Round 2 */ + GG (a, b, c, d, x[ 0], S21); /* 17 */ + GG (d, a, b, c, x[ 4], S22); /* 18 */ + GG (c, d, a, b, x[ 8], S23); /* 19 */ + GG (b, c, d, a, x[12], S24); /* 20 */ + GG (a, b, c, d, x[ 1], S21); /* 21 */ + GG (d, a, b, c, x[ 5], S22); /* 22 */ + GG (c, d, a, b, x[ 9], S23); /* 23 */ + GG (b, c, d, a, x[13], S24); /* 24 */ + GG (a, b, c, d, x[ 2], S21); /* 25 */ + GG (d, a, b, c, x[ 6], S22); /* 26 */ + GG (c, d, a, b, x[10], S23); /* 27 */ + GG (b, c, d, a, x[14], S24); /* 28 */ + GG (a, b, c, d, x[ 3], S21); /* 29 */ + GG (d, a, b, c, x[ 7], S22); /* 30 */ + GG (c, d, a, b, x[11], S23); /* 31 */ + GG (b, c, d, a, x[15], S24); /* 32 */ + + /* Round 3 */ + HH (a, b, c, d, x[ 0], S31); /* 33 */ + HH (d, a, b, c, x[ 8], S32); /* 34 */ + HH (c, d, a, b, x[ 4], S33); /* 35 */ + HH (b, c, d, a, x[12], S34); /* 36 */ + HH (a, b, c, d, x[ 2], S31); /* 37 */ + HH (d, a, b, c, x[10], S32); /* 38 */ + HH (c, d, a, b, x[ 6], S33); /* 39 */ + HH (b, c, d, a, x[14], S34); /* 40 */ + HH (a, b, c, d, x[ 1], S31); /* 41 */ + HH (d, a, b, c, x[ 9], S32); /* 42 */ + HH (c, d, a, b, x[ 5], S33); /* 43 */ + HH (b, c, d, a, x[13], S34); /* 44 */ + HH (a, b, c, d, x[ 3], S31); /* 45 */ + HH (d, a, b, c, x[11], S32); /* 46 */ + HH (c, d, a, b, x[ 7], S33); /* 47 */ + HH (b, c, d, a, x[15], S34); /* 48 */ + + state[0] += a; + state[1] += b; + state[2] += c; + state[3] += d; + + /* Zeroize sensitive information. */ + memset(x, 0, sizeof(x)); +} + +/* Encodes input (apr_uint32_t) into output (unsigned char). Assumes len is + * a multiple of 4. + */ +static void Encode(unsigned char *output, const apr_uint32_t *input, + unsigned int len) +{ + unsigned int i, j; + apr_uint32_t k; + + for (i = 0, j = 0; j < len; i++, j += 4) { + k = input[i]; + output[j] = (unsigned char)(k & 0xff); + output[j + 1] = (unsigned char)((k >> 8) & 0xff); + output[j + 2] = (unsigned char)((k >> 16) & 0xff); + output[j + 3] = (unsigned char)((k >> 24) & 0xff); + } +} + +/* Decodes input (unsigned char) into output (apr_uint32_t). Assumes len is + * a multiple of 4. + */ +static void Decode(apr_uint32_t *output, const unsigned char *input, + unsigned int len) +{ + unsigned int i, j; + + for (i = 0, j = 0; j < len; i++, j += 4) + output[i] = ((apr_uint32_t)input[j]) | + (((apr_uint32_t)input[j + 1]) << 8) | + (((apr_uint32_t)input[j + 2]) << 16) | + (((apr_uint32_t)input[j + 3]) << 24); +} + +#if APR_CHARSET_EBCDIC +APU_DECLARE(apr_status_t) apr_MD4InitEBCDIC(apr_xlate_t *xlate) +{ + xlate_ebcdic_to_ascii = xlate; + return APR_SUCCESS; +} +#endif diff --git a/crypto/apr_md5.c b/crypto/apr_md5.c new file mode 100644 index 0000000..691cc87 --- /dev/null +++ b/crypto/apr_md5.c @@ -0,0 +1,756 @@ +/* + * This is work is derived from material Copyright RSA Data Security, Inc. + * + * The RSA copyright statement and Licence for that original material is + * included below. This is followed by the Apache copyright statement and + * licence for the modifications made to that material. + */ + +/* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm + */ + +/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All + rights reserved. + + License to copy and use this software is granted provided that it + is identified as the "RSA Data Security, Inc. MD5 Message-Digest + Algorithm" in all material mentioning or referencing this software + or this function. + + License is also granted to make and use derivative works provided + that such works are identified as "derived from the RSA Data + Security, Inc. MD5 Message-Digest Algorithm" in all material + mentioning or referencing the derived work. + + RSA Data Security, Inc. makes no representations concerning either + the merchantability of this software or the suitability of this + software for any particular purpose. It is provided "as is" + without express or implied warranty of any kind. + + These notices must be retained in any copies of any part of this + documentation and/or software. + */ + +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* + * The apr_md5_encode() routine uses much code obtained from the FreeBSD 3.0 + * MD5 crypt() function, which is licenced as follows: + * ---------------------------------------------------------------------------- + * "THE BEER-WARE LICENSE" (Revision 42): + * <phk@login.dknet.dk> wrote this file. As long as you retain this notice you + * can do whatever you want with this stuff. If we meet some day, and you think + * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp + * ---------------------------------------------------------------------------- + */ +#include "apr_strings.h" +#include "apr_md5.h" +#include "apr_lib.h" +#include "apu_config.h" +#include "apr_sha1.h" + +#if APR_HAVE_STRING_H +#include <string.h> +#endif +#if APR_HAVE_CRYPT_H +#include <crypt.h> +#endif +#if APR_HAVE_UNISTD_H +#include <unistd.h> +#endif +#if APR_HAVE_PTHREAD_H +#include <pthread.h> +#endif + +/* Constants for MD5Transform routine. + */ + +#define S11 7 +#define S12 12 +#define S13 17 +#define S14 22 +#define S21 5 +#define S22 9 +#define S23 14 +#define S24 20 +#define S31 4 +#define S32 11 +#define S33 16 +#define S34 23 +#define S41 6 +#define S42 10 +#define S43 15 +#define S44 21 + +static void MD5Transform(apr_uint32_t state[4], const unsigned char block[64]); +static void Encode(unsigned char *output, const apr_uint32_t *input, + unsigned int len); +static void Decode(apr_uint32_t *output, const unsigned char *input, + unsigned int len); + +static const unsigned char PADDING[64] = +{ + 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 +}; + +#if APR_CHARSET_EBCDIC +static apr_xlate_t *xlate_ebcdic_to_ascii; /* used in apr_md5_encode() */ +#endif +#define DO_XLATE 0 +#define SKIP_XLATE 1 + +/* F, G, H and I are basic MD5 functions. + */ +#define F(x, y, z) (((x) & (y)) | ((~x) & (z))) +#define G(x, y, z) (((x) & (z)) | ((y) & (~z))) +#define H(x, y, z) ((x) ^ (y) ^ (z)) +#define I(x, y, z) ((y) ^ ((x) | (~z))) + +/* ROTATE_LEFT rotates x left n bits. + */ +#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n)))) + +/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4. + * Rotation is separate from addition to prevent recomputation. + */ +#define FF(a, b, c, d, x, s, ac) { \ + (a) += F ((b), (c), (d)) + (x) + (apr_uint32_t)(ac); \ + (a) = ROTATE_LEFT ((a), (s)); \ + (a) += (b); \ + } +#define GG(a, b, c, d, x, s, ac) { \ + (a) += G ((b), (c), (d)) + (x) + (apr_uint32_t)(ac); \ + (a) = ROTATE_LEFT ((a), (s)); \ + (a) += (b); \ + } +#define HH(a, b, c, d, x, s, ac) { \ + (a) += H ((b), (c), (d)) + (x) + (apr_uint32_t)(ac); \ + (a) = ROTATE_LEFT ((a), (s)); \ + (a) += (b); \ + } +#define II(a, b, c, d, x, s, ac) { \ + (a) += I ((b), (c), (d)) + (x) + (apr_uint32_t)(ac); \ + (a) = ROTATE_LEFT ((a), (s)); \ + (a) += (b); \ + } + +/* MD5 initialization. Begins an MD5 operation, writing a new context. + */ +APU_DECLARE(apr_status_t) apr_md5_init(apr_md5_ctx_t *context) +{ + context->count[0] = context->count[1] = 0; + + /* Load magic initialization constants. */ + context->state[0] = 0x67452301; + context->state[1] = 0xefcdab89; + context->state[2] = 0x98badcfe; + context->state[3] = 0x10325476; + context->xlate = NULL; + + return APR_SUCCESS; +} + +/* MD5 translation setup. Provides the APR translation handle + * to be used for translating the content before calculating the + * digest. + */ +APU_DECLARE(apr_status_t) apr_md5_set_xlate(apr_md5_ctx_t *context, + apr_xlate_t *xlate) +{ +#if APR_HAS_XLATE + apr_status_t rv; + int is_sb; + + /* TODO: remove the single-byte-only restriction from this code + */ + rv = apr_xlate_sb_get(xlate, &is_sb); + if (rv != APR_SUCCESS) { + return rv; + } + if (!is_sb) { + return APR_EINVAL; + } + context->xlate = xlate; + return APR_SUCCESS; +#else + return APR_ENOTIMPL; +#endif /* APR_HAS_XLATE */ +} + +/* MD5 block update operation. Continues an MD5 message-digest + * operation, processing another message block, and updating the + * context. + */ +static apr_status_t md5_update_buffer(apr_md5_ctx_t *context, + const void *vinput, + apr_size_t inputLen, + int xlate_buffer) +{ + const unsigned char *input = vinput; + unsigned int i, idx, partLen; +#if APR_HAS_XLATE + apr_size_t inbytes_left, outbytes_left; +#endif + + /* Compute number of bytes mod 64 */ + idx = (unsigned int)((context->count[0] >> 3) & 0x3F); + + /* Update number of bits */ + if ((context->count[0] += ((apr_uint32_t)inputLen << 3)) + < ((apr_uint32_t)inputLen << 3)) + context->count[1]++; + context->count[1] += (apr_uint32_t)inputLen >> 29; + + partLen = 64 - idx; + + /* Transform as many times as possible. */ +#if !APR_HAS_XLATE + if (inputLen >= partLen) { + memcpy(&context->buffer[idx], input, partLen); + MD5Transform(context->state, context->buffer); + + for (i = partLen; i + 63 < inputLen; i += 64) + MD5Transform(context->state, &input[i]); + + idx = 0; + } + else + i = 0; + + /* Buffer remaining input */ + memcpy(&context->buffer[idx], &input[i], inputLen - i); +#else /*APR_HAS_XLATE*/ + if (inputLen >= partLen) { + if (context->xlate && (xlate_buffer == DO_XLATE)) { + inbytes_left = outbytes_left = partLen; + apr_xlate_conv_buffer(context->xlate, (const char *)input, + &inbytes_left, + (char *)&context->buffer[idx], + &outbytes_left); + } + else { + memcpy(&context->buffer[idx], input, partLen); + } + MD5Transform(context->state, context->buffer); + + for (i = partLen; i + 63 < inputLen; i += 64) { + if (context->xlate && (xlate_buffer == DO_XLATE)) { + unsigned char inp_tmp[64]; + inbytes_left = outbytes_left = 64; + apr_xlate_conv_buffer(context->xlate, (const char *)&input[i], + &inbytes_left, (char *)inp_tmp, + &outbytes_left); + MD5Transform(context->state, inp_tmp); + } + else { + MD5Transform(context->state, &input[i]); + } + } + + idx = 0; + } + else + i = 0; + + /* Buffer remaining input */ + if (context->xlate && (xlate_buffer == DO_XLATE)) { + inbytes_left = outbytes_left = inputLen - i; + apr_xlate_conv_buffer(context->xlate, (const char *)&input[i], + &inbytes_left, (char *)&context->buffer[idx], + &outbytes_left); + } + else { + memcpy(&context->buffer[idx], &input[i], inputLen - i); + } +#endif /*APR_HAS_XLATE*/ + return APR_SUCCESS; +} + +/* MD5 block update operation. API with the default setting + * for EBCDIC translations + */ +APU_DECLARE(apr_status_t) apr_md5_update(apr_md5_ctx_t *context, + const void *input, + apr_size_t inputLen) +{ + return md5_update_buffer(context, input, inputLen, DO_XLATE); +} + +/* MD5 finalization. Ends an MD5 message-digest operation, writing the + * the message digest and zeroizing the context. + */ +APU_DECLARE(apr_status_t) apr_md5_final(unsigned char digest[APR_MD5_DIGESTSIZE], + apr_md5_ctx_t *context) +{ + unsigned char bits[8]; + unsigned int idx, padLen; + + /* Save number of bits */ + Encode(bits, context->count, 8); + +#if APR_HAS_XLATE + /* apr_md5_update() should not translate for this final round. */ + context->xlate = NULL; +#endif /*APR_HAS_XLATE*/ + + /* Pad out to 56 mod 64. */ + idx = (unsigned int)((context->count[0] >> 3) & 0x3f); + padLen = (idx < 56) ? (56 - idx) : (120 - idx); + apr_md5_update(context, PADDING, padLen); + + /* Append length (before padding) */ + apr_md5_update(context, bits, 8); + + /* Store state in digest */ + Encode(digest, context->state, APR_MD5_DIGESTSIZE); + + /* Zeroize sensitive information. */ + memset(context, 0, sizeof(*context)); + + return APR_SUCCESS; +} + +/* MD5 in one step (init, update, final) + */ +APU_DECLARE(apr_status_t) apr_md5(unsigned char digest[APR_MD5_DIGESTSIZE], + const void *_input, + apr_size_t inputLen) +{ + const unsigned char *input = _input; + apr_md5_ctx_t ctx; + apr_status_t rv; + + apr_md5_init(&ctx); + + if ((rv = apr_md5_update(&ctx, input, inputLen)) != APR_SUCCESS) + return rv; + + return apr_md5_final(digest, &ctx); +} + +/* MD5 basic transformation. Transforms state based on block. */ +static void MD5Transform(apr_uint32_t state[4], const unsigned char block[64]) +{ + apr_uint32_t a = state[0], b = state[1], c = state[2], d = state[3], + x[APR_MD5_DIGESTSIZE]; + + Decode(x, block, 64); + + /* Round 1 */ + FF(a, b, c, d, x[0], S11, 0xd76aa478); /* 1 */ + FF(d, a, b, c, x[1], S12, 0xe8c7b756); /* 2 */ + FF(c, d, a, b, x[2], S13, 0x242070db); /* 3 */ + FF(b, c, d, a, x[3], S14, 0xc1bdceee); /* 4 */ + FF(a, b, c, d, x[4], S11, 0xf57c0faf); /* 5 */ + FF(d, a, b, c, x[5], S12, 0x4787c62a); /* 6 */ + FF(c, d, a, b, x[6], S13, 0xa8304613); /* 7 */ + FF(b, c, d, a, x[7], S14, 0xfd469501); /* 8 */ + FF(a, b, c, d, x[8], S11, 0x698098d8); /* 9 */ + FF(d, a, b, c, x[9], S12, 0x8b44f7af); /* 10 */ + FF(c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */ + FF(b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */ + FF(a, b, c, d, x[12], S11, 0x6b901122); /* 13 */ + FF(d, a, b, c, x[13], S12, 0xfd987193); /* 14 */ + FF(c, d, a, b, x[14], S13, 0xa679438e); /* 15 */ + FF(b, c, d, a, x[15], S14, 0x49b40821); /* 16 */ + + /* Round 2 */ + GG(a, b, c, d, x[1], S21, 0xf61e2562); /* 17 */ + GG(d, a, b, c, x[6], S22, 0xc040b340); /* 18 */ + GG(c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */ + GG(b, c, d, a, x[0], S24, 0xe9b6c7aa); /* 20 */ + GG(a, b, c, d, x[5], S21, 0xd62f105d); /* 21 */ + GG(d, a, b, c, x[10], S22, 0x2441453); /* 22 */ + GG(c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */ + GG(b, c, d, a, x[4], S24, 0xe7d3fbc8); /* 24 */ + GG(a, b, c, d, x[9], S21, 0x21e1cde6); /* 25 */ + GG(d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */ + GG(c, d, a, b, x[3], S23, 0xf4d50d87); /* 27 */ + GG(b, c, d, a, x[8], S24, 0x455a14ed); /* 28 */ + GG(a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */ + GG(d, a, b, c, x[2], S22, 0xfcefa3f8); /* 30 */ + GG(c, d, a, b, x[7], S23, 0x676f02d9); /* 31 */ + GG(b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */ + + /* Round 3 */ + HH(a, b, c, d, x[5], S31, 0xfffa3942); /* 33 */ + HH(d, a, b, c, x[8], S32, 0x8771f681); /* 34 */ + HH(c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */ + HH(b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */ + HH(a, b, c, d, x[1], S31, 0xa4beea44); /* 37 */ + HH(d, a, b, c, x[4], S32, 0x4bdecfa9); /* 38 */ + HH(c, d, a, b, x[7], S33, 0xf6bb4b60); /* 39 */ + HH(b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */ + HH(a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */ + HH(d, a, b, c, x[0], S32, 0xeaa127fa); /* 42 */ + HH(c, d, a, b, x[3], S33, 0xd4ef3085); /* 43 */ + HH(b, c, d, a, x[6], S34, 0x4881d05); /* 44 */ + HH(a, b, c, d, x[9], S31, 0xd9d4d039); /* 45 */ + HH(d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */ + HH(c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */ + HH(b, c, d, a, x[2], S34, 0xc4ac5665); /* 48 */ + + /* Round 4 */ + II(a, b, c, d, x[0], S41, 0xf4292244); /* 49 */ + II(d, a, b, c, x[7], S42, 0x432aff97); /* 50 */ + II(c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */ + II(b, c, d, a, x[5], S44, 0xfc93a039); /* 52 */ + II(a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */ + II(d, a, b, c, x[3], S42, 0x8f0ccc92); /* 54 */ + II(c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */ + II(b, c, d, a, x[1], S44, 0x85845dd1); /* 56 */ + II(a, b, c, d, x[8], S41, 0x6fa87e4f); /* 57 */ + II(d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */ + II(c, d, a, b, x[6], S43, 0xa3014314); /* 59 */ + II(b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */ + II(a, b, c, d, x[4], S41, 0xf7537e82); /* 61 */ + II(d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */ + II(c, d, a, b, x[2], S43, 0x2ad7d2bb); /* 63 */ + II(b, c, d, a, x[9], S44, 0xeb86d391); /* 64 */ + + state[0] += a; + state[1] += b; + state[2] += c; + state[3] += d; + + /* Zeroize sensitive information. */ + memset(x, 0, sizeof(x)); +} + +/* Encodes input (apr_uint32_t) into output (unsigned char). Assumes len is + * a multiple of 4. + */ +static void Encode(unsigned char *output, const apr_uint32_t *input, + unsigned int len) +{ + unsigned int i, j; + apr_uint32_t k; + + for (i = 0, j = 0; j < len; i++, j += 4) { + k = input[i]; + output[j] = (unsigned char)(k & 0xff); + output[j + 1] = (unsigned char)((k >> 8) & 0xff); + output[j + 2] = (unsigned char)((k >> 16) & 0xff); + output[j + 3] = (unsigned char)((k >> 24) & 0xff); + } +} + +/* Decodes input (unsigned char) into output (apr_uint32_t). Assumes len is + * a multiple of 4. + */ +static void Decode(apr_uint32_t *output, const unsigned char *input, + unsigned int len) +{ + unsigned int i, j; + + for (i = 0, j = 0; j < len; i++, j += 4) + output[i] = ((apr_uint32_t)input[j]) | + (((apr_uint32_t)input[j + 1]) << 8) | + (((apr_uint32_t)input[j + 2]) << 16) | + (((apr_uint32_t)input[j + 3]) << 24); +} + +#if APR_CHARSET_EBCDIC +APU_DECLARE(apr_status_t) apr_MD5InitEBCDIC(apr_xlate_t *xlate) +{ + xlate_ebcdic_to_ascii = xlate; + return APR_SUCCESS; +} +#endif + +/* + * Define the Magic String prefix that identifies a password as being + * hashed using our algorithm. + */ +static const char *apr1_id = "$apr1$"; + +/* + * The following MD5 password encryption code was largely borrowed from + * the FreeBSD 3.0 /usr/src/lib/libcrypt/crypt.c file, which is + * licenced as stated at the top of this file. + */ + +static void to64(char *s, unsigned long v, int n) +{ + static unsigned char itoa64[] = /* 0 ... 63 => ASCII - 64 */ + "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; + + while (--n >= 0) { + *s++ = itoa64[v&0x3f]; + v >>= 6; + } +} + +APU_DECLARE(apr_status_t) apr_md5_encode(const char *pw, const char *salt, + char *result, apr_size_t nbytes) +{ + /* + * Minimum size is 8 bytes for salt, plus 1 for the trailing NUL, + * plus 4 for the '$' separators, plus the password hash itself. + * Let's leave a goodly amount of leeway. + */ + + char passwd[120], *p; + const char *sp, *ep; + unsigned char final[APR_MD5_DIGESTSIZE]; + apr_ssize_t sl, pl, i; + apr_md5_ctx_t ctx, ctx1; + unsigned long l; + + /* + * Refine the salt first. It's possible we were given an already-hashed + * string as the salt argument, so extract the actual salt value from it + * if so. Otherwise just use the string up to the first '$' as the salt. + */ + sp = salt; + + /* + * If it starts with the magic string, then skip that. + */ + if (!strncmp(sp, apr1_id, strlen(apr1_id))) { + sp += strlen(apr1_id); + } + + /* + * It stops at the first '$' or 8 chars, whichever comes first + */ + for (ep = sp; (*ep != '\0') && (*ep != '$') && (ep < (sp + 8)); ep++) { + continue; + } + + /* + * Get the length of the true salt + */ + sl = ep - sp; + + /* + * 'Time to make the doughnuts..' + */ + apr_md5_init(&ctx); +#if APR_CHARSET_EBCDIC + apr_md5_set_xlate(&ctx, xlate_ebcdic_to_ascii); +#endif + + /* + * The password first, since that is what is most unknown + */ + apr_md5_update(&ctx, pw, strlen(pw)); + + /* + * Then our magic string + */ + apr_md5_update(&ctx, apr1_id, strlen(apr1_id)); + + /* + * Then the raw salt + */ + apr_md5_update(&ctx, sp, sl); + + /* + * Then just as many characters of the MD5(pw, salt, pw) + */ + apr_md5_init(&ctx1); +#if APR_CHARSET_EBCDIC + apr_md5_set_xlate(&ctx1, xlate_ebcdic_to_ascii); +#endif + apr_md5_update(&ctx1, pw, strlen(pw)); + apr_md5_update(&ctx1, sp, sl); + apr_md5_update(&ctx1, pw, strlen(pw)); + apr_md5_final(final, &ctx1); + for (pl = strlen(pw); pl > 0; pl -= APR_MD5_DIGESTSIZE) { + md5_update_buffer(&ctx, final, + (pl > APR_MD5_DIGESTSIZE) ? APR_MD5_DIGESTSIZE : pl, SKIP_XLATE); + } + + /* + * Don't leave anything around in vm they could use. + */ + memset(final, 0, sizeof(final)); + + /* + * Then something really weird... + */ + for (i = strlen(pw); i != 0; i >>= 1) { + if (i & 1) { + md5_update_buffer(&ctx, final, 1, SKIP_XLATE); + } + else { + apr_md5_update(&ctx, pw, 1); + } + } + + /* + * Now make the output string. We know our limitations, so we + * can use the string routines without bounds checking. + */ + strcpy(passwd, apr1_id); + strncat(passwd, sp, sl); + strcat(passwd, "$"); + + apr_md5_final(final, &ctx); + + /* + * And now, just to make sure things don't run too fast.. + * On a 60 Mhz Pentium this takes 34 msec, so you would + * need 30 seconds to build a 1000 entry dictionary... + */ + for (i = 0; i < 1000; i++) { + apr_md5_init(&ctx1); + /* + * apr_md5_final clears out ctx1.xlate at the end of each loop, + * so need to to set it each time through + */ +#if APR_CHARSET_EBCDIC + apr_md5_set_xlate(&ctx1, xlate_ebcdic_to_ascii); +#endif + if (i & 1) { + apr_md5_update(&ctx1, pw, strlen(pw)); + } + else { + md5_update_buffer(&ctx1, final, APR_MD5_DIGESTSIZE, SKIP_XLATE); + } + if (i % 3) { + apr_md5_update(&ctx1, sp, sl); + } + + if (i % 7) { + apr_md5_update(&ctx1, pw, strlen(pw)); + } + + if (i & 1) { + md5_update_buffer(&ctx1, final, APR_MD5_DIGESTSIZE, SKIP_XLATE); + } + else { + apr_md5_update(&ctx1, pw, strlen(pw)); + } + apr_md5_final(final,&ctx1); + } + + p = passwd + strlen(passwd); + + l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; to64(p, l, 4); p += 4; + l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; to64(p, l, 4); p += 4; + l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; to64(p, l, 4); p += 4; + l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; to64(p, l, 4); p += 4; + l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; to64(p, l, 4); p += 4; + l = final[11] ; to64(p, l, 2); p += 2; + *p = '\0'; + + /* + * Don't leave anything around in vm they could use. + */ + memset(final, 0, sizeof(final)); + + apr_cpystrn(result, passwd, nbytes - 1); + return APR_SUCCESS; +} + +#if !defined(WIN32) && !defined(BEOS) && !defined(NETWARE) +#if defined(APU_CRYPT_THREADSAFE) || !APR_HAS_THREADS || \ + defined(CRYPT_R_CRYPTD) || defined(CRYPT_R_STRUCT_CRYPT_DATA) + +#define crypt_mutex_lock() +#define crypt_mutex_unlock() + +#elif APR_HAVE_PTHREAD_H && defined(PTHREAD_MUTEX_INITIALIZER) + +static pthread_mutex_t crypt_mutex = PTHREAD_MUTEX_INITIALIZER; +static void crypt_mutex_lock(void) +{ + pthread_mutex_lock(&crypt_mutex); +} + +static void crypt_mutex_unlock(void) +{ + pthread_mutex_unlock(&crypt_mutex); +} + +#else + +#error apr_password_validate() is not threadsafe. rebuild APR without thread support. + +#endif +#endif + +/* + * Validate a plaintext password against a smashed one. Uses either + * crypt() (if available) or apr_md5_encode() or apr_sha1_base64(), depending + * upon the format of the smashed input password. Returns APR_SUCCESS if + * they match, or APR_EMISMATCH if they don't. If the platform doesn't + * support crypt, then the default check is against a clear text string. + */ +APU_DECLARE(apr_status_t) apr_password_validate(const char *passwd, + const char *hash) +{ + char sample[120]; +#if !defined(WIN32) && !defined(BEOS) && !defined(NETWARE) + char *crypt_pw; +#endif + if (!strncmp(hash, apr1_id, strlen(apr1_id))) { + /* + * The hash was created using our custom algorithm. + */ + apr_md5_encode(passwd, hash, sample, sizeof(sample)); + } + else if (!strncmp(hash, APR_SHA1PW_ID, APR_SHA1PW_IDLEN)) { + apr_sha1_base64(passwd, (int)strlen(passwd), sample); + } + else { + /* + * It's not our algorithm, so feed it to crypt() if possible. + */ +#if defined(WIN32) || defined(BEOS) || defined(NETWARE) + apr_cpystrn(sample, passwd, sizeof(sample) - 1); +#elif defined(CRYPT_R_CRYPTD) + CRYPTD buffer; + + crypt_pw = crypt_r(passwd, hash, &buffer); + apr_cpystrn(sample, crypt_pw, sizeof(sample) - 1); +#elif defined(CRYPT_R_STRUCT_CRYPT_DATA) + struct crypt_data buffer; + + /* having to clear this seems bogus... GNU doc is + * confusing... user report found from google says + * the crypt_data struct had to be cleared to get + * the same result as plain crypt() + */ + memset(&buffer, 0, sizeof(buffer)); + crypt_pw = crypt_r(passwd, hash, &buffer); + apr_cpystrn(sample, crypt_pw, sizeof(sample) - 1); +#else + /* Do a bit of sanity checking since we know that crypt_r() + * should always be used for threaded builds on AIX, and + * problems in configure logic can result in the wrong + * choice being made. + */ +#if defined(_AIX) && APR_HAS_THREADS +#error Configuration error! crypt_r() should have been selected! +#endif + + /* Handle thread safety issues by holding a mutex around the + * call to crypt(). + */ + crypt_mutex_lock(); + crypt_pw = crypt(passwd, hash); + apr_cpystrn(sample, crypt_pw, sizeof(sample) - 1); + crypt_mutex_unlock(); +#endif + } + return (strcmp(sample, hash) == 0) ? APR_SUCCESS : APR_EMISMATCH; +} diff --git a/crypto/apr_sha1.c b/crypto/apr_sha1.c new file mode 100644 index 0000000..8959ffc --- /dev/null +++ b/crypto/apr_sha1.c @@ -0,0 +1,368 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* + * The exported function: + * + * apr_sha1_base64(const char *clear, int len, char *out); + * + * provides a means to SHA1 crypt/encode a plaintext password in + * a way which makes password files compatible with those commonly + * used in netscape web and ldap installations. It was put together + * by Clinton Wong <clintdw@netcom.com>, who also notes that: + * + * Note: SHA1 support is useful for migration purposes, but is less + * secure than Apache's password format, since Apache's (MD5) + * password format uses a random eight character salt to generate + * one of many possible hashes for the same password. Netscape + * uses plain SHA1 without a salt, so the same password + * will always generate the same hash, making it easier + * to break since the search space is smaller. + * + * See also the documentation in support/SHA1 as to hints on how to + * migrate an existing netscape installation and other supplied utitlites. + * + * This software also makes use of the following component: + * + * NIST Secure Hash Algorithm + * heavily modified by Uwe Hollerbach uh@alumni.caltech edu + * from Peter C. Gutmann's implementation as found in + * Applied Cryptography by Bruce Schneier + * This code is hereby placed in the public domain + */ + +#include "apr_sha1.h" +#include "apr_base64.h" +#include "apr_strings.h" +#include "apr_lib.h" +#if APR_CHARSET_EBCDIC +#include "apr_xlate.h" +#endif /*APR_CHARSET_EBCDIC*/ +#include <string.h> + +/* a bit faster & bigger, if defined */ +#define UNROLL_LOOPS + +/* NIST's proposed modification to SHA, 7/11/94 */ +#define USE_MODIFIED_SHA + +/* SHA f()-functions */ +#define f1(x,y,z) ((x & y) | (~x & z)) +#define f2(x,y,z) (x ^ y ^ z) +#define f3(x,y,z) ((x & y) | (x & z) | (y & z)) +#define f4(x,y,z) (x ^ y ^ z) + +/* SHA constants */ +#define CONST1 0x5a827999L +#define CONST2 0x6ed9eba1L +#define CONST3 0x8f1bbcdcL +#define CONST4 0xca62c1d6L + +/* 32-bit rotate */ + +#define ROT32(x,n) ((x << n) | (x >> (32 - n))) + +#define FUNC(n,i) \ + temp = ROT32(A,5) + f##n(B,C,D) + E + W[i] + CONST##n; \ + E = D; D = C; C = ROT32(B,30); B = A; A = temp + +#define SHA_BLOCKSIZE 64 + +#if APR_CHARSET_EBCDIC +static apr_xlate_t *ebcdic2ascii_xlate; + +APU_DECLARE(apr_status_t) apr_SHA1InitEBCDIC(apr_xlate_t *x) +{ + apr_status_t rv; + int onoff; + + /* Only single-byte conversion is supported. + */ + rv = apr_xlate_sb_get(x, &onoff); + if (rv) { + return rv; + } + if (!onoff) { /* If conversion is not single-byte-only */ + return APR_EINVAL; + } + ebcdic2ascii_xlate = x; + return APR_SUCCESS; +} +#endif + +/* do SHA transformation */ +static void sha_transform(apr_sha1_ctx_t *sha_info) +{ + int i; + apr_uint32_t temp, A, B, C, D, E, W[80]; + + for (i = 0; i < 16; ++i) { + W[i] = sha_info->data[i]; + } + for (i = 16; i < 80; ++i) { + W[i] = W[i-3] ^ W[i-8] ^ W[i-14] ^ W[i-16]; +#ifdef USE_MODIFIED_SHA + W[i] = ROT32(W[i], 1); +#endif /* USE_MODIFIED_SHA */ + } + A = sha_info->digest[0]; + B = sha_info->digest[1]; + C = sha_info->digest[2]; + D = sha_info->digest[3]; + E = sha_info->digest[4]; +#ifdef UNROLL_LOOPS + FUNC(1, 0); FUNC(1, 1); FUNC(1, 2); FUNC(1, 3); FUNC(1, 4); + FUNC(1, 5); FUNC(1, 6); FUNC(1, 7); FUNC(1, 8); FUNC(1, 9); + FUNC(1,10); FUNC(1,11); FUNC(1,12); FUNC(1,13); FUNC(1,14); + FUNC(1,15); FUNC(1,16); FUNC(1,17); FUNC(1,18); FUNC(1,19); + + FUNC(2,20); FUNC(2,21); FUNC(2,22); FUNC(2,23); FUNC(2,24); + FUNC(2,25); FUNC(2,26); FUNC(2,27); FUNC(2,28); FUNC(2,29); + FUNC(2,30); FUNC(2,31); FUNC(2,32); FUNC(2,33); FUNC(2,34); + FUNC(2,35); FUNC(2,36); FUNC(2,37); FUNC(2,38); FUNC(2,39); + + FUNC(3,40); FUNC(3,41); FUNC(3,42); FUNC(3,43); FUNC(3,44); + FUNC(3,45); FUNC(3,46); FUNC(3,47); FUNC(3,48); FUNC(3,49); + FUNC(3,50); FUNC(3,51); FUNC(3,52); FUNC(3,53); FUNC(3,54); + FUNC(3,55); FUNC(3,56); FUNC(3,57); FUNC(3,58); FUNC(3,59); + + FUNC(4,60); FUNC(4,61); FUNC(4,62); FUNC(4,63); FUNC(4,64); + FUNC(4,65); FUNC(4,66); FUNC(4,67); FUNC(4,68); FUNC(4,69); + FUNC(4,70); FUNC(4,71); FUNC(4,72); FUNC(4,73); FUNC(4,74); + FUNC(4,75); FUNC(4,76); FUNC(4,77); FUNC(4,78); FUNC(4,79); +#else /* !UNROLL_LOOPS */ + for (i = 0; i < 20; ++i) { + FUNC(1,i); + } + for (i = 20; i < 40; ++i) { + FUNC(2,i); + } + for (i = 40; i < 60; ++i) { + FUNC(3,i); + } + for (i = 60; i < 80; ++i) { + FUNC(4,i); + } +#endif /* !UNROLL_LOOPS */ + sha_info->digest[0] += A; + sha_info->digest[1] += B; + sha_info->digest[2] += C; + sha_info->digest[3] += D; + sha_info->digest[4] += E; +} + +union endianTest { + long Long; + char Char[sizeof(long)]; +}; + +static char isLittleEndian(void) +{ + static union endianTest u; + u.Long = 1; + return (u.Char[0] == 1); +} + +/* change endianness of data */ + +/* count is the number of bytes to do an endian flip */ +static void maybe_byte_reverse(apr_uint32_t *buffer, int count) +{ + int i; + apr_byte_t ct[4], *cp; + + if (isLittleEndian()) { /* do the swap only if it is little endian */ + count /= sizeof(apr_uint32_t); + cp = (apr_byte_t *) buffer; + for (i = 0; i < count; ++i) { + ct[0] = cp[0]; + ct[1] = cp[1]; + ct[2] = cp[2]; + ct[3] = cp[3]; + cp[0] = ct[3]; + cp[1] = ct[2]; + cp[2] = ct[1]; + cp[3] = ct[0]; + cp += sizeof(apr_uint32_t); + } + } +} + +/* initialize the SHA digest */ + +APU_DECLARE(void) apr_sha1_init(apr_sha1_ctx_t *sha_info) +{ + sha_info->digest[0] = 0x67452301L; + sha_info->digest[1] = 0xefcdab89L; + sha_info->digest[2] = 0x98badcfeL; + sha_info->digest[3] = 0x10325476L; + sha_info->digest[4] = 0xc3d2e1f0L; + sha_info->count_lo = 0L; + sha_info->count_hi = 0L; + sha_info->local = 0; +} + +/* update the SHA digest */ + +APU_DECLARE(void) apr_sha1_update_binary(apr_sha1_ctx_t *sha_info, + const unsigned char *buffer, + unsigned int count) +{ + unsigned int i; + + if ((sha_info->count_lo + ((apr_uint32_t) count << 3)) < sha_info->count_lo) { + ++sha_info->count_hi; + } + sha_info->count_lo += (apr_uint32_t) count << 3; + sha_info->count_hi += (apr_uint32_t) count >> 29; + if (sha_info->local) { + i = SHA_BLOCKSIZE - sha_info->local; + if (i > count) { + i = count; + } + memcpy(((apr_byte_t *) sha_info->data) + sha_info->local, buffer, i); + count -= i; + buffer += i; + sha_info->local += i; + if (sha_info->local == SHA_BLOCKSIZE) { + maybe_byte_reverse(sha_info->data, SHA_BLOCKSIZE); + sha_transform(sha_info); + } + else { + return; + } + } + while (count >= SHA_BLOCKSIZE) { + memcpy(sha_info->data, buffer, SHA_BLOCKSIZE); + buffer += SHA_BLOCKSIZE; + count -= SHA_BLOCKSIZE; + maybe_byte_reverse(sha_info->data, SHA_BLOCKSIZE); + sha_transform(sha_info); + } + memcpy(sha_info->data, buffer, count); + sha_info->local = count; +} + +APU_DECLARE(void) apr_sha1_update(apr_sha1_ctx_t *sha_info, const char *buf, + unsigned int count) +{ +#if APR_CHARSET_EBCDIC + int i; + const apr_byte_t *buffer = (const apr_byte_t *) buf; + apr_size_t inbytes_left, outbytes_left; + + if ((sha_info->count_lo + ((apr_uint32_t) count << 3)) < sha_info->count_lo) { + ++sha_info->count_hi; + } + sha_info->count_lo += (apr_uint32_t) count << 3; + sha_info->count_hi += (apr_uint32_t) count >> 29; + /* Is there a remainder of the previous Update operation? */ + if (sha_info->local) { + i = SHA_BLOCKSIZE - sha_info->local; + if (i > count) { + i = count; + } + inbytes_left = outbytes_left = i; + apr_xlate_conv_buffer(ebcdic2ascii_xlate, buffer, &inbytes_left, + ((apr_byte_t *) sha_info->data) + sha_info->local, + &outbytes_left); + count -= i; + buffer += i; + sha_info->local += i; + if (sha_info->local == SHA_BLOCKSIZE) { + maybe_byte_reverse(sha_info->data, SHA_BLOCKSIZE); + sha_transform(sha_info); + } + else { + return; + } + } + while (count >= SHA_BLOCKSIZE) { + inbytes_left = outbytes_left = SHA_BLOCKSIZE; + apr_xlate_conv_buffer(ebcdic2ascii_xlate, buffer, &inbytes_left, + (apr_byte_t *) sha_info->data, &outbytes_left); + buffer += SHA_BLOCKSIZE; + count -= SHA_BLOCKSIZE; + maybe_byte_reverse(sha_info->data, SHA_BLOCKSIZE); + sha_transform(sha_info); + } + inbytes_left = outbytes_left = count; + apr_xlate_conv_buffer(ebcdic2ascii_xlate, buffer, &inbytes_left, + (apr_byte_t *) sha_info->data, &outbytes_left); + sha_info->local = count; +#else + apr_sha1_update_binary(sha_info, (const unsigned char *) buf, count); +#endif +} + +/* finish computing the SHA digest */ + +APU_DECLARE(void) apr_sha1_final(unsigned char digest[APR_SHA1_DIGESTSIZE], + apr_sha1_ctx_t *sha_info) +{ + int count, i, j; + apr_uint32_t lo_bit_count, hi_bit_count, k; + + lo_bit_count = sha_info->count_lo; + hi_bit_count = sha_info->count_hi; + count = (int) ((lo_bit_count >> 3) & 0x3f); + ((apr_byte_t *) sha_info->data)[count++] = 0x80; + if (count > SHA_BLOCKSIZE - 8) { + memset(((apr_byte_t *) sha_info->data) + count, 0, SHA_BLOCKSIZE - count); + maybe_byte_reverse(sha_info->data, SHA_BLOCKSIZE); + sha_transform(sha_info); + memset((apr_byte_t *) sha_info->data, 0, SHA_BLOCKSIZE - 8); + } + else { + memset(((apr_byte_t *) sha_info->data) + count, 0, + SHA_BLOCKSIZE - 8 - count); + } + maybe_byte_reverse(sha_info->data, SHA_BLOCKSIZE); + sha_info->data[14] = hi_bit_count; + sha_info->data[15] = lo_bit_count; + sha_transform(sha_info); + + for (i = 0, j = 0; j < APR_SHA1_DIGESTSIZE; i++) { + k = sha_info->digest[i]; + digest[j++] = (unsigned char) ((k >> 24) & 0xff); + digest[j++] = (unsigned char) ((k >> 16) & 0xff); + digest[j++] = (unsigned char) ((k >> 8) & 0xff); + digest[j++] = (unsigned char) (k & 0xff); + } +} + + +APU_DECLARE(void) apr_sha1_base64(const char *clear, int len, char *out) +{ + int l; + apr_sha1_ctx_t context; + apr_byte_t digest[APR_SHA1_DIGESTSIZE]; + + apr_sha1_init(&context); + apr_sha1_update(&context, clear, len); + apr_sha1_final(digest, &context); + + /* private marker. */ + apr_cpystrn(out, APR_SHA1PW_ID, APR_SHA1PW_IDLEN + 1); + + /* SHA1 hash is always 20 chars */ + l = apr_base64_encode_binary(out + APR_SHA1PW_IDLEN, digest, sizeof(digest)); + out[l + APR_SHA1PW_IDLEN] = '\0'; + + /* + * output of base64 encoded SHA1 is always 28 chars + APR_SHA1PW_IDLEN + */ +} diff --git a/crypto/getuuid.c b/crypto/getuuid.c new file mode 100644 index 0000000..d973c0f --- /dev/null +++ b/crypto/getuuid.c @@ -0,0 +1,208 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* + * This attempts to generate V1 UUIDs according to the Internet Draft + * located at http://www.webdav.org/specs/draft-leach-uuids-guids-01.txt + */ +#include "apr.h" +#include "apr_uuid.h" +#include "apr_md5.h" +#include "apr_general.h" +#include "apr_portable.h" + + +#if APR_HAVE_UNISTD_H +#include <unistd.h> /* for getpid, gethostname */ +#endif +#if APR_HAVE_STDLIB_H +#include <stdlib.h> /* for rand, srand */ +#endif + + +#if APR_HAVE_STRING_H +#include <string.h> +#endif +#if APR_HAVE_STRINGS_H +#include <strings.h> +#endif +#if APR_HAVE_NETDB_H +#include <netdb.h> +#endif +#if APR_HAVE_SYS_TIME_H +#include <sys/time.h> /* for gettimeofday */ +#endif + +#define NODE_LENGTH 6 + +static int uuid_state_seqnum; +static unsigned char uuid_state_node[NODE_LENGTH] = { 0 }; + + +static void get_random_info(unsigned char node[NODE_LENGTH]) +{ +#if APR_HAS_RANDOM + + (void) apr_generate_random_bytes(node, NODE_LENGTH); + +#else + + unsigned char seed[APR_MD5_DIGESTSIZE]; + apr_md5_ctx_t c; + + /* ### probably should revise some of this to be a bit more portable */ + + /* Leach & Salz use Linux-specific struct sysinfo; + * replace with pid/tid for portability (in the spirit of mod_unique_id) */ + struct { + /* Add thread id here, if applicable, when we get to pthread or apr */ + pid_t pid; +#ifdef NETWARE + apr_uint64_t t; +#else + struct timeval t; +#endif + char hostname[257]; + + } r; + + apr_md5_init(&c); +#ifdef NETWARE + r.pid = NXThreadGetId(); + NXGetTime(NX_SINCE_BOOT, NX_USECONDS, &(r.t)); +#else + r.pid = getpid(); + gettimeofday(&r.t, (struct timezone *)0); +#endif + gethostname(r.hostname, 256); + apr_md5_update(&c, (const unsigned char *)&r, sizeof(r)); + apr_md5_final(seed, &c); + + memcpy(node, seed, NODE_LENGTH); /* use a subset of the seed bytes */ +#endif +} + +/* This implementation generates a random node ID instead of a + system-dependent call to get IEEE node ID. This is also more secure: + we aren't passing out our MAC address. +*/ +static void get_pseudo_node_identifier(unsigned char *node) +{ + get_random_info(node); + node[0] |= 0x01; /* this designates a random multicast node ID */ +} + +static void get_system_time(apr_uint64_t *uuid_time) +{ + /* ### fix this call to be more portable? */ + *uuid_time = apr_time_now(); + + /* Offset between UUID formatted times and Unix formatted times. + UUID UTC base time is October 15, 1582. + Unix base time is January 1, 1970. */ + *uuid_time = (*uuid_time * 10) + APR_TIME_C(0x01B21DD213814000); +} + +/* true_random -- generate a crypto-quality random number. */ +static int true_random(void) +{ + apr_uint64_t time_now; + +#if APR_HAS_RANDOM + unsigned char buf[2]; + + if (apr_generate_random_bytes(buf, 2) == APR_SUCCESS) { + return (buf[0] << 8) | buf[1]; + } +#endif + + /* crap. this isn't crypto quality, but it will be Good Enough */ + + time_now = apr_time_now(); + srand((unsigned int)(((time_now >> 32) ^ time_now) & 0xffffffff)); + + return rand() & 0x0FFFF; +} + +static void init_state(void) +{ + uuid_state_seqnum = true_random(); + get_pseudo_node_identifier(uuid_state_node); +} + +static void get_current_time(apr_uint64_t *timestamp) +{ + /* ### this needs to be made thread-safe! */ + + apr_uint64_t time_now; + static apr_uint64_t time_last = 0; + static apr_uint64_t fudge = 0; + + get_system_time(&time_now); + + /* if clock reading changed since last UUID generated... */ + if (time_last != time_now) { + /* The clock reading has changed since the last UUID was generated. + Reset the fudge factor. if we are generating them too fast, then + the fudge may need to be reset to something greater than zero. */ + if (time_last + fudge > time_now) + fudge = time_last + fudge - time_now + 1; + else + fudge = 0; + time_last = time_now; + } + else { + /* We generated two really fast. Bump the fudge factor. */ + ++fudge; + } + + *timestamp = time_now + fudge; +} + +APU_DECLARE(void) apr_uuid_get(apr_uuid_t *uuid) +{ + apr_uint64_t timestamp; + unsigned char *d = uuid->data; + +#if APR_HAS_OS_UUID + if (apr_os_uuid_get(d) == APR_SUCCESS) { + return; + } +#endif /* !APR_HAS_OS_UUID */ + + if (!uuid_state_node[0]) + init_state(); + + get_current_time(×tamp); + + /* time_low, uint32 */ + d[3] = (unsigned char)timestamp; + d[2] = (unsigned char)(timestamp >> 8); + d[1] = (unsigned char)(timestamp >> 16); + d[0] = (unsigned char)(timestamp >> 24); + /* time_mid, uint16 */ + d[5] = (unsigned char)(timestamp >> 32); + d[4] = (unsigned char)(timestamp >> 40); + /* time_hi_and_version, uint16 */ + d[7] = (unsigned char)(timestamp >> 48); + d[6] = (unsigned char)(((timestamp >> 56) & 0x0F) | 0x10); + /* clock_seq_hi_and_reserved, uint8 */ + d[8] = (unsigned char)(((uuid_state_seqnum >> 8) & 0x3F) | 0x80); + /* clock_seq_low, uint8 */ + d[9] = (unsigned char)uuid_state_seqnum; + /* node, byte[6] */ + memcpy(&d[10], uuid_state_node, NODE_LENGTH); +} diff --git a/crypto/uuid.c b/crypto/uuid.c new file mode 100644 index 0000000..6e45d71 --- /dev/null +++ b/crypto/uuid.c @@ -0,0 +1,130 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <stdio.h> /* for sprintf */ + +#include "apr.h" +#include "apr_uuid.h" +#include "apr_errno.h" +#include "apr_lib.h" + + +APU_DECLARE(void) apr_uuid_format(char *buffer, const apr_uuid_t *uuid) +{ + const unsigned char *d = uuid->data; + + sprintf(buffer, + "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x", + d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], + d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); +} + +/* convert a pair of hex digits to an integer value [0,255] */ +#if 'A' == 65 +static unsigned char parse_hexpair(const char *s) +{ + int result; + int temp; + + result = s[0] - '0'; + if (result > 48) + result = (result - 39) << 4; + else if (result > 16) + result = (result - 7) << 4; + else + result = result << 4; + + temp = s[1] - '0'; + if (temp > 48) + result |= temp - 39; + else if (temp > 16) + result |= temp - 7; + else + result |= temp; + + return (unsigned char)result; +} +#else +static unsigned char parse_hexpair(const char *s) +{ + int result; + + if (isdigit(*s)) { + result = (*s - '0') << 4; + } + else { + if (isupper(*s)) { + result = (*s - 'A' + 10) << 4; + } + else { + result = (*s - 'a' + 10) << 4; + } + } + + ++s; + if (isdigit(*s)) { + result |= (*s - '0'); + } + else { + if (isupper(*s)) { + result |= (*s - 'A' + 10); + } + else { + result |= (*s - 'a' + 10); + } + } + + return (unsigned char)result; +} +#endif + +APU_DECLARE(apr_status_t) apr_uuid_parse(apr_uuid_t *uuid, + const char *uuid_str) +{ + int i; + unsigned char *d = uuid->data; + + for (i = 0; i < 36; ++i) { + char c = uuid_str[i]; + if (!apr_isxdigit(c) && + !(c == '-' && (i == 8 || i == 13 || i == 18 || i == 23))) + /* ### need a better value */ + return APR_BADARG; + } + if (uuid_str[36] != '\0') { + /* ### need a better value */ + return APR_BADARG; + } + + d[0] = parse_hexpair(&uuid_str[0]); + d[1] = parse_hexpair(&uuid_str[2]); + d[2] = parse_hexpair(&uuid_str[4]); + d[3] = parse_hexpair(&uuid_str[6]); + + d[4] = parse_hexpair(&uuid_str[9]); + d[5] = parse_hexpair(&uuid_str[11]); + + d[6] = parse_hexpair(&uuid_str[14]); + d[7] = parse_hexpair(&uuid_str[16]); + + d[8] = parse_hexpair(&uuid_str[19]); + d[9] = parse_hexpair(&uuid_str[21]); + + for (i = 6; i--;) + d[10 + i] = parse_hexpair(&uuid_str[i*2+24]); + + return APR_SUCCESS; +} |