horok/firefox
1
0
Fork 0
Code Activity
firefox/security/nss/lib/pk11wrap/pk11cxt.c
Daniel Baumann 5e9a113729
Adding upstream version 140.0. 
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
2025-06-25 09:37:52 +02:00

1795 lines
60 KiB
C
Raw Permalink Blame History

/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* This file PK11Contexts which are used in multipart hashing,
* encryption/decryption, and signing/verication operations.
*/
#include "seccomon.h"
#include "secmod.h"
#include "nssilock.h"
#include "secmodi.h"
#include "secmodti.h"
#include "pkcs11.h"
#include "pk11func.h"
#include "secitem.h"
#include "secoid.h"
#include "sechash.h"
#include "secerr.h"
#include "blapit.h"
#include "secport.h"
static const SECItem pk11_null_params = { 0 };
/**********************************************************************
*
* Now Deal with Crypto Contexts
*
**********************************************************************/
/*
* the monitors...
*/
void
PK11_EnterContextMonitor(PK11Context *cx)
{
/* if we own the session and our slot is ThreadSafe, only monitor
* the Context */
if ((cx->ownSession) && (cx->slot->isThreadSafe)) {
/* Should this use monitors instead? */
PZ_Lock(cx->sessionLock);
} else {
PK11_EnterSlotMonitor(cx->slot);
}
}
void
PK11_ExitContextMonitor(PK11Context *cx)
{
/* if we own the session and our slot is ThreadSafe, only monitor
* the Context */
if ((cx->ownSession) && (cx->slot->isThreadSafe)) {
/* Should this use monitors instead? */
PZ_Unlock(cx->sessionLock);
} else {
PK11_ExitSlotMonitor(cx->slot);
}
}
/*
* Free up a Cipher Context
*/
void
PK11_DestroyContext(PK11Context *context, PRBool freeit)
{
pk11_CloseSession(context->slot, context->session, context->ownSession);
/* initialize the critical fields of the context */
if (context->savedData != NULL)
PORT_Free(context->savedData);
if (context->key)
PK11_FreeSymKey(context->key);
if (context->param && context->param != &pk11_null_params)
SECITEM_FreeItem(context->param, PR_TRUE);
if (context->sessionLock)
PZ_DestroyLock(context->sessionLock);
PK11_FreeSlot(context->slot);
if (freeit)
PORT_Free(context);
}
/*
* save the current context. Allocate Space if necessary.
*/
static unsigned char *
pk11_saveContextHelper(PK11Context *context, unsigned char *buffer,
unsigned long *savedLength)
{
CK_RV crv;
/* If buffer is NULL, this will get the length */
crv = PK11_GETTAB(context->slot)->C_GetOperationState(context->session, (CK_BYTE_PTR)buffer, savedLength);
if (!buffer || (crv == CKR_BUFFER_TOO_SMALL)) {
/* the given buffer wasn't big enough (or was NULL), but we
* have the length, so try again with a new buffer and the
* correct length
*/
unsigned long bufLen = *savedLength;
buffer = PORT_Alloc(bufLen);
if (buffer == NULL) {
return (unsigned char *)NULL;
}
crv = PK11_GETTAB(context->slot)->C_GetOperationState(context->session, (CK_BYTE_PTR)buffer, savedLength);
if (crv != CKR_OK) {
PORT_ZFree(buffer, bufLen);
}
}
if (crv != CKR_OK) {
PORT_SetError(PK11_MapError(crv));
return (unsigned char *)NULL;
}
return buffer;
}
void *
pk11_saveContext(PK11Context *context, void *space, unsigned long *savedLength)
{
return pk11_saveContextHelper(context,
(unsigned char *)space, savedLength);
}
/*
* restore the current context
*/
SECStatus
pk11_restoreContext(PK11Context *context, void *space, unsigned long savedLength)
{
CK_RV crv;
CK_OBJECT_HANDLE objectID = context->objectID;
PORT_Assert(space != NULL);
if (space == NULL) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
crv = PK11_GETTAB(context->slot)->C_SetOperationState(context->session, (CK_BYTE_PTR)space, savedLength, objectID, 0);
if (crv != CKR_OK) {
PORT_SetError(PK11_MapError(crv));
return SECFailure;
}
return SECSuccess;
}
SECStatus pk11_Finalize(PK11Context *context);
/*
* Initialize a Message function. Particular function is passed in as a
* function pointer. Since all C_Message*Init funcitons have the same
* prototype, we just pick one of the the prototypes to declare our init
* function.
*/
static CK_RV
pk11_contextInitMessage(PK11Context *context, CK_MECHANISM_PTR mech,
CK_C_MessageEncryptInit initFunc,
CK_FLAGS flags, CK_RV scrv)
{
PK11SlotInfo *slot = context->slot;
CK_VERSION version = slot->module->cryptokiVersion;
CK_RV crv = CKR_OK;
context->ivCounter = 0;
context->ivMaxCount = 0;
context->ivFixedBits = 0;
context->ivLen = 0;
context->ivGen = CKG_NO_GENERATE;
context->simulate_mechanism = (mech)->mechanism;
context->simulate_message = PR_FALSE;
/* check that we can do the Message interface. We need to check
* for either 1) are we using a PKCS #11 v3 interface and 2) is the
* Message flag set on the mechanism. If either is false we simulate
* the message interface for the Encrypt and Decrypt cases using the
* PKCS #11 V2 interface.
* Sign and verify do not have V2 interfaces, so we go ahead and fail
* if those cases */
if ((version.major >= 3) &&
PK11_DoesMechanismFlag(slot, (mech)->mechanism, flags)) {
PK11_EnterContextMonitor(context);
crv = (*initFunc)((context)->session, (mech), (context)->objectID);
PK11_ExitContextMonitor(context);
if ((crv == CKR_FUNCTION_NOT_SUPPORTED) ||
(crv == CKR_MECHANISM_INVALID)) {
/* we have a 3.0 interface, and the flag was set (or ignored)
* but the implementation was not there, use the V2 interface */
crv = (scrv);
context->simulate_message = PR_TRUE;
}
} else {
crv = (scrv);
context->simulate_message = PR_TRUE;
}
return crv;
}
/*
* Context initialization. Used by all flavors of CreateContext
*/
static SECStatus
pk11_context_init(PK11Context *context, CK_MECHANISM *mech_info)
{
CK_RV crv;
SECStatus rv = SECSuccess;
context->simulate_message = PR_FALSE;
switch (context->operation) {
case CKA_ENCRYPT:
PK11_EnterContextMonitor(context);
crv = PK11_GETTAB(context->slot)->C_EncryptInit(context->session, mech_info, context->objectID);
PK11_ExitContextMonitor(context);
break;
case CKA_DECRYPT:
PK11_EnterContextMonitor(context);
if (context->fortezzaHack) {
CK_ULONG count = 0;
/* generate the IV for fortezza */
crv = PK11_GETTAB(context->slot)->C_EncryptInit(context->session, mech_info, context->objectID);
if (crv != CKR_OK) {
PK11_ExitContextMonitor(context);
break;
}
PK11_GETTAB(context->slot)
->C_EncryptFinal(context->session,
NULL, &count);
}
crv = PK11_GETTAB(context->slot)->C_DecryptInit(context->session, mech_info, context->objectID);
PK11_ExitContextMonitor(context);
break;
case CKA_SIGN:
PK11_EnterContextMonitor(context);
crv = PK11_GETTAB(context->slot)->C_SignInit(context->session, mech_info, context->objectID);
PK11_ExitContextMonitor(context);
break;
case CKA_VERIFY:
/* NOTE: we previously has this set to C_SignInit for Macing.
* It turns out now one could possibly use it that way, though,
* because PK11_HashOp() always called C_VerifyUpdate on CKA_VERIFY,
* which would have failed. So everyone just calls us with CKA_SIGN
* when Macing even when they are verifying, no need to 'do it
* for them'. It needs to be VerifyInit now so that we can do
* PKCS #11 hash/Verify combo operations. */
PK11_EnterContextMonitor(context);
crv = PK11_GETTAB(context->slot)->C_VerifyInit(context->session, mech_info, context->objectID);
PK11_ExitContextMonitor(context);
break;
case CKA_DIGEST:
PK11_EnterContextMonitor(context);
crv = PK11_GETTAB(context->slot)->C_DigestInit(context->session, mech_info);
PK11_ExitContextMonitor(context);
break;
case CKA_NSS_MESSAGE | CKA_ENCRYPT:
crv = pk11_contextInitMessage(context, mech_info,
PK11_GETTAB(context->slot)->C_MessageEncryptInit,
CKF_MESSAGE_ENCRYPT, CKR_OK);
break;
case CKA_NSS_MESSAGE | CKA_DECRYPT:
crv = pk11_contextInitMessage(context, mech_info,
PK11_GETTAB(context->slot)->C_MessageDecryptInit,
CKF_MESSAGE_DECRYPT, CKR_OK);
break;
case CKA_NSS_MESSAGE | CKA_SIGN:
crv = pk11_contextInitMessage(context, mech_info,
PK11_GETTAB(context->slot)->C_MessageSignInit,
CKF_MESSAGE_SIGN, CKR_FUNCTION_NOT_SUPPORTED);
break;
case CKA_NSS_MESSAGE | CKA_VERIFY:
crv = pk11_contextInitMessage(context, mech_info,
PK11_GETTAB(context->slot)->C_MessageVerifyInit,
CKF_MESSAGE_VERIFY, CKR_FUNCTION_NOT_SUPPORTED);
break;
default:
crv = CKR_OPERATION_NOT_INITIALIZED;
break;
}
if (crv != CKR_OK) {
PORT_SetError(PK11_MapError(crv));
return SECFailure;
}
/* handle the case where the token is using the old NSS mechanism */
if (context->simulate_message &&
!PK11_DoesMechanism(context->slot, context->simulate_mechanism)) {
if ((context->simulate_mechanism == CKM_CHACHA20_POLY1305) &&
PK11_DoesMechanism(context->slot, CKM_NSS_CHACHA20_POLY1305)) {
context->simulate_mechanism = CKM_NSS_CHACHA20_POLY1305;
} else {
PORT_SetError(PK11_MapError(CKR_MECHANISM_INVALID));
return SECFailure;
}
}
/*
* handle session starvation case.. use our last session to multiplex
*/
if (!context->ownSession) {
PK11_EnterContextMonitor(context);
context->savedData = pk11_saveContext(context, context->savedData,
&context->savedLength);
if (context->savedData == NULL)
rv = SECFailure;
/* clear out out session for others to use */
pk11_Finalize(context);
PK11_ExitContextMonitor(context);
}
return rv;
}
/*
* Testing interfaces, not for general use. This function forces
* an AEAD context into simulation mode even though the target token
* can already do PKCS #11 v3.0 Message (i.e. softoken).
*/
SECStatus
_PK11_ContextSetAEADSimulation(PK11Context *context)
{
CK_RV crv;
/* only message encrypt and message decrypt contexts can be simulated */
if ((context->operation != (CKA_NSS_MESSAGE | CKA_ENCRYPT)) &&
(context->operation != (CKA_NSS_MESSAGE | CKA_DECRYPT))) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
/* if we are already simulating, return */
if (context->simulate_message) {
return SECSuccess;
}
/* we need to shutdown the existing AEAD operation */
switch (context->operation) {
case CKA_NSS_MESSAGE | CKA_ENCRYPT:
crv = PK11_GETTAB(context->slot)->C_MessageEncryptFinal(context->session);
break;
case CKA_NSS_MESSAGE | CKA_DECRYPT:
crv = PK11_GETTAB(context->slot)->C_MessageDecryptFinal(context->session);
break;
default:
PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
return SECFailure;
}
if (crv != CKR_OK) {
PORT_SetError(PK11_MapError(crv));
return SECFailure;
}
context->simulate_message = PR_TRUE;
return SECSuccess;
}
PRBool
_PK11_ContextGetAEADSimulation(PK11Context *context)
{
return context->simulate_message;
}
/*
* Common Helper Function do come up with a new context.
*/
static PK11Context *
pk11_CreateNewContextInSlot(CK_MECHANISM_TYPE type,
PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation,
PK11SymKey *symKey, CK_OBJECT_HANDLE objectID,
const SECItem *param, void *pwArg)
{
CK_MECHANISM mech_info;
PK11Context *context;
SECStatus rv;
PORT_Assert(slot != NULL);
if (!slot || ((objectID == CK_INVALID_HANDLE) && ((operation != CKA_DIGEST) ||
(type == CKM_SKIPJACK_CBC64)))) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
context = (PK11Context *)PORT_Alloc(sizeof(PK11Context));
if (context == NULL) {
return NULL;
}
/* now deal with the fortezza hack... the fortezza hack is an attempt
* to get around the issue of the card not allowing you to do a FORTEZZA
* LoadIV/Encrypt, which was added because such a combination could be
* use to circumvent the key escrow system. Unfortunately SSL needs to
* do this kind of operation, so in SSL we do a loadIV (to verify it),
* Then GenerateIV, and through away the first 8 bytes on either side
* of the connection.*/
context->fortezzaHack = PR_FALSE;
if (type == CKM_SKIPJACK_CBC64) {
if (symKey && (symKey->origin == PK11_OriginFortezzaHack)) {
context->fortezzaHack = PR_TRUE;
}
}
/* initialize the critical fields of the context */
context->operation = operation;
/* If we were given a symKey, keep our own reference to it so
* that the key doesn't disappear in the middle of the operation
* if the caller frees it. Public and Private keys are not reference
* counted, so the caller just has to keep his copies around until
* the operation completes */
context->key = symKey ? PK11_ReferenceSymKey(symKey) : NULL;
context->objectID = objectID;
context->slot = PK11_ReferenceSlot(slot);
context->session = pk11_GetNewSession(slot, &context->ownSession);
context->pwArg = pwArg;
/* get our session */
context->savedData = NULL;
/* save the parameters so that some digesting stuff can do multiple
* begins on a single context */
context->type = type;
if (param) {
if (param->len > 0) {
context->param = SECITEM_DupItem(param);
} else {
context->param = (SECItem *)&pk11_null_params;
}
} else {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
context->param = NULL;
}
context->init = PR_FALSE;
context->sessionLock = PZ_NewLock(nssILockPK11cxt);
if ((context->param == NULL) || (context->sessionLock == NULL)) {
PK11_DestroyContext(context, PR_TRUE);
return NULL;
}
mech_info.mechanism = type;
mech_info.pParameter = param->data;
mech_info.ulParameterLen = param->len;
rv = pk11_context_init(context, &mech_info);
if (rv != SECSuccess) {
PK11_DestroyContext(context, PR_TRUE);
return NULL;
}
context->init = PR_TRUE;
return context;
}
/*
* put together the various PK11_Create_Context calls used by different
* parts of libsec.
*/
PK11Context *
__PK11_CreateContextByRawKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key,
SECItem *param, void *wincx)
{
PK11SymKey *symKey = NULL;
PK11Context *context = NULL;
/* first get a slot */
if (slot == NULL) {
slot = PK11_GetBestSlot(type, wincx);
if (slot == NULL) {
PORT_SetError(SEC_ERROR_NO_MODULE);
goto loser;
}
} else {
PK11_ReferenceSlot(slot);
}
/* now import the key */
symKey = PK11_ImportSymKey(slot, type, origin, operation, key, wincx);
if (symKey == NULL)
goto loser;
context = PK11_CreateContextBySymKey(type, operation, symKey, param);
loser:
if (symKey) {
PK11_FreeSymKey(symKey);
}
if (slot) {
PK11_FreeSlot(slot);
}
return context;
}
PK11Context *
PK11_CreateContextByRawKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key,
SECItem *param, void *wincx)
{
return __PK11_CreateContextByRawKey(slot, type, origin, operation,
key, param, wincx);
}
/*
* Create a context from a key. We really should make sure we aren't using
* the same key in multiple sessions!
*/
PK11Context *
PK11_CreateContextBySymKey(CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE operation,
PK11SymKey *symKey, const SECItem *param)
{
PK11SymKey *newKey;
PK11Context *context;
/* if this slot doesn't support the mechanism, go to a slot that does */
newKey = pk11_ForceSlot(symKey, type, operation);
if (newKey == NULL) {
PK11_ReferenceSymKey(symKey);
} else {
symKey = newKey;
}
/* Context keeps its reference to the symKey, so it's safe to
* free our reference we we are through, even though we may have
* created the key using pk11_ForceSlot. */
context = pk11_CreateNewContextInSlot(type, symKey->slot, operation, symKey,
symKey->objectID, param, symKey->cx);
PK11_FreeSymKey(symKey);
return context;
}
/* To support multipart public key operations (like hash/verify operations),
* we need to create contexts with public keys. */
PK11Context *
PK11_CreateContextByPubKey(CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE operation,
SECKEYPublicKey *pubKey, const SECItem *param,
void *pwArg)
{
PK11SlotInfo *slot = pubKey->pkcs11Slot;
SECItem nullparam = { 0, 0, 0 };
/* if this slot doesn't support the mechanism, go to a slot that does */
/* public keys have all their data in the public key data structure,
* so there's no need to export the old key, just import this one. The
* import manages consistancy of the public key data structure */
if (slot == NULL || !PK11_DoesMechanism(slot, type)) {
CK_OBJECT_HANDLE objectID;
slot = PK11_GetBestSlot(type, NULL);
if (slot == NULL) {
return NULL;
}
objectID = PK11_ImportPublicKey(slot, pubKey, PR_FALSE);
PK11_FreeSlot(slot);
if (objectID == CK_INVALID_HANDLE) {
return NULL;
}
}
/* unlike symkeys, we accept a NULL parameter. map a null parameter
* to the empty parameter. This matches the semantics of
* PK11_VerifyWithMechanism */
return pk11_CreateNewContextInSlot(type, pubKey->pkcs11Slot, operation,
NULL, pubKey->pkcs11ID,
param ? param : &nullparam, pwArg);
}
/* To support multipart private key operations (like hash/sign operations),
* we need to create contexts with private keys. */
PK11Context *
PK11_CreateContextByPrivKey(CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE operation,
SECKEYPrivateKey *privKey, const SECItem *param)
{
SECItem nullparam = { 0, 0, 0 };
/* Private keys are generally not movable. If the token the
* private key lives on can't do the operation, generally we are
* stuck anyway. So no need to try to manipulate the key into
* another token */
/* if this slot doesn't support the mechanism, go to a slot that does */
/* unlike symkeys, we accept a NULL parameter. map a null parameter
* to the empty parameter. This matches the semantics of
* PK11_SignWithMechanism */
return pk11_CreateNewContextInSlot(type, privKey->pkcs11Slot, operation,
NULL, privKey->pkcs11ID,
param ? param : &nullparam,
privKey->wincx);
}
/*
* Digest contexts don't need keys, but the do need to find a slot.
* Macing should use PK11_CreateContextBySymKey.
*/
PK11Context *
PK11_CreateDigestContext(SECOidTag hashAlg)
{
/* digesting has to work without authentication to the slot */
CK_MECHANISM_TYPE type;
PK11SlotInfo *slot;
PK11Context *context;
SECItem param;
type = PK11_AlgtagToMechanism(hashAlg);
slot = PK11_GetBestSlot(type, NULL);
if (slot == NULL) {
PORT_SetError(SEC_ERROR_NO_MODULE);
return NULL;
}
/* maybe should really be PK11_GenerateNewParam?? */
param.data = NULL;
param.len = 0;
param.type = 0;
context = pk11_CreateNewContextInSlot(type, slot, CKA_DIGEST, NULL,
CK_INVALID_HANDLE, &param, NULL);
PK11_FreeSlot(slot);
return context;
}
/*
* create a new context which is the clone of the state of old context.
*/
PK11Context *
PK11_CloneContext(PK11Context *old)
{
PK11Context *newcx;
PRBool needFree = PR_FALSE;
SECStatus rv = SECSuccess;
void *data;
unsigned long len;
newcx = pk11_CreateNewContextInSlot(old->type, old->slot, old->operation,
old->key, old->objectID, old->param,
old->pwArg);
if (newcx == NULL)
return NULL;
/* now clone the save state. First we need to find the save state
* of the old session. If the old context owns it's session,
* the state needs to be saved, otherwise the state is in saveData. */
if (old->ownSession) {
PK11_EnterContextMonitor(old);
data = pk11_saveContext(old, NULL, &len);
PK11_ExitContextMonitor(old);
needFree = PR_TRUE;
} else {
data = old->savedData;
len = old->savedLength;
}
if (data == NULL) {
PK11_DestroyContext(newcx, PR_TRUE);
return NULL;
}
/* now copy that state into our new context. Again we have different
* work if the new context owns it's own session. If it does, we
* restore the state gathered above. If it doesn't, we copy the
* saveData pointer... */
if (newcx->ownSession) {
PK11_EnterContextMonitor(newcx);
rv = pk11_restoreContext(newcx, data, len);
PK11_ExitContextMonitor(newcx);
} else {
PORT_Assert(newcx->savedData != NULL);
if ((newcx->savedData == NULL) || (newcx->savedLength < len)) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
rv = SECFailure;
} else {
PORT_Memcpy(newcx->savedData, data, len);
newcx->savedLength = len;
}
}
if (needFree)
PORT_Free(data);
if (rv != SECSuccess) {
PK11_DestroyContext(newcx, PR_TRUE);
return NULL;
}
return newcx;
}
/*
* save the current context state into a variable. Required to make FORTEZZA
* work.
*/
SECStatus
PK11_SaveContext(PK11Context *cx, unsigned char *save, int *len, int saveLength)
{
unsigned char *data = NULL;
CK_ULONG length = saveLength;
if (cx->ownSession) {
PK11_EnterContextMonitor(cx);
data = pk11_saveContextHelper(cx, save, &length);
PK11_ExitContextMonitor(cx);
if (data)
*len = length;
} else if ((unsigned)saveLength >= cx->savedLength) {
data = (unsigned char *)cx->savedData;
if (cx->savedData) {
PORT_Memcpy(save, cx->savedData, cx->savedLength);
}
*len = cx->savedLength;
}
if (data != NULL) {
if (cx->ownSession) {
PORT_ZFree(data, length);
}
return SECSuccess;
} else {
return SECFailure;
}
}
/* same as above, but may allocate the return buffer. */
unsigned char *
PK11_SaveContextAlloc(PK11Context *cx,
unsigned char *preAllocBuf, unsigned int pabLen,
unsigned int *stateLen)
{
unsigned char *stateBuf = NULL;
unsigned long length = (unsigned long)pabLen;
if (cx->ownSession) {
PK11_EnterContextMonitor(cx);
stateBuf = pk11_saveContextHelper(cx, preAllocBuf, &length);
PK11_ExitContextMonitor(cx);
*stateLen = (stateBuf != NULL) ? length : 0;
} else {
if (pabLen < cx->savedLength) {
stateBuf = (unsigned char *)PORT_Alloc(cx->savedLength);
if (!stateBuf) {
return (unsigned char *)NULL;
}
} else {
stateBuf = preAllocBuf;
}
if (cx->savedData) {
PORT_Memcpy(stateBuf, cx->savedData, cx->savedLength);
}
*stateLen = cx->savedLength;
}
return stateBuf;
}
/*
* restore the context state into a new running context. Also required for
* FORTEZZA .
*/
SECStatus
PK11_RestoreContext(PK11Context *cx, unsigned char *save, int len)
{
SECStatus rv = SECSuccess;
if (cx->ownSession) {
PK11_EnterContextMonitor(cx);
pk11_Finalize(cx);
rv = pk11_restoreContext(cx, save, len);
PK11_ExitContextMonitor(cx);
} else {
PORT_Assert(cx->savedData != NULL);
if ((cx->savedData == NULL) || (cx->savedLength < (unsigned)len)) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
rv = SECFailure;
} else {
PORT_Memcpy(cx->savedData, save, len);
cx->savedLength = len;
}
}
return rv;
}
/*
* This is to get FIPS compliance until we can convert
* libjar to use PK11_ hashing functions. It returns PR_FALSE
* if we can't get a PK11 Context.
*/
PRBool
PK11_HashOK(SECOidTag algID)
{
PK11Context *cx;
cx = PK11_CreateDigestContext(algID);
if (cx == NULL)
return PR_FALSE;
PK11_DestroyContext(cx, PR_TRUE);
return PR_TRUE;
}
/*
* start a new digesting or Mac'ing operation on this context
*/
SECStatus
PK11_DigestBegin(PK11Context *cx)
{
CK_MECHANISM mech_info;
SECStatus rv;
if (cx->init == PR_TRUE) {
return SECSuccess;
}
/*
* make sure the old context is clear first
*/
PK11_EnterContextMonitor(cx);
pk11_Finalize(cx);
PK11_ExitContextMonitor(cx);
mech_info.mechanism = cx->type;
mech_info.pParameter = cx->param->data;
mech_info.ulParameterLen = cx->param->len;
rv = pk11_context_init(cx, &mech_info);
if (rv != SECSuccess) {
return SECFailure;
}
cx->init = PR_TRUE;
return SECSuccess;
}
SECStatus
PK11_HashBuf(SECOidTag hashAlg, unsigned char *out, const unsigned char *in,
PRInt32 len)
{
PK11Context *context;
unsigned int max_length;
unsigned int out_length;
SECStatus rv;
/* len will be passed to PK11_DigestOp as unsigned. */
if (len < 0) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
context = PK11_CreateDigestContext(hashAlg);
if (context == NULL)
return SECFailure;
rv = PK11_DigestBegin(context);
if (rv != SECSuccess) {
PK11_DestroyContext(context, PR_TRUE);
return rv;
}
rv = PK11_DigestOp(context, in, len);
if (rv != SECSuccess) {
PK11_DestroyContext(context, PR_TRUE);
return rv;
}
/* XXX This really should have been an argument to this function! */
max_length = HASH_ResultLenByOidTag(hashAlg);
PORT_Assert(max_length);
if (!max_length)
max_length = HASH_LENGTH_MAX;
rv = PK11_DigestFinal(context, out, &out_length, max_length);
PK11_DestroyContext(context, PR_TRUE);
return rv;
}
/*
* execute a bulk encryption operation
*/
SECStatus
PK11_CipherOp(PK11Context *context, unsigned char *out, int *outlen,
int maxout, const unsigned char *in, int inlen)
{
CK_RV crv = CKR_OK;
CK_ULONG length = maxout;
CK_ULONG offset = 0;
SECStatus rv = SECSuccess;
unsigned char *saveOut = out;
unsigned char *allocOut = NULL;
/* if we ran out of session, we need to restore our previously stored
* state.
*/
PK11_EnterContextMonitor(context);
if (!context->ownSession) {
rv = pk11_restoreContext(context, context->savedData,
context->savedLength);
if (rv != SECSuccess) {
PK11_ExitContextMonitor(context);
return rv;
}
}
/*
* The fortezza hack is to send 8 extra bytes on the first encrypted and
* lose them on the first decrypt.
*/
if (context->fortezzaHack) {
unsigned char random[8];
if (context->operation == CKA_ENCRYPT) {
PK11_ExitContextMonitor(context);
rv = PK11_GenerateRandom(random, sizeof(random));
PK11_EnterContextMonitor(context);
/* since we are offseting the output, we can't encrypt back into
* the same buffer... allocate a temporary buffer just for this
* call. */
allocOut = out = (unsigned char *)PORT_Alloc(maxout);
if (out == NULL) {
PK11_ExitContextMonitor(context);
return SECFailure;
}
crv = PK11_GETTAB(context->slot)->C_EncryptUpdate(context->session, random, sizeof(random), out, &length);
out += length;
maxout -= length;
offset = length;
} else if (context->operation == CKA_DECRYPT) {
length = sizeof(random);
crv = PK11_GETTAB(context->slot)->C_DecryptUpdate(context->session, (CK_BYTE_PTR)in, sizeof(random), random, &length);
inlen -= length;
in += length;
context->fortezzaHack = PR_FALSE;
}
}
switch (context->operation) {
case CKA_ENCRYPT:
length = maxout;
crv = PK11_GETTAB(context->slot)->C_EncryptUpdate(context->session, (CK_BYTE_PTR)in, inlen, out, &length);
length += offset;
break;
case CKA_DECRYPT:
length = maxout;
crv = PK11_GETTAB(context->slot)->C_DecryptUpdate(context->session, (CK_BYTE_PTR)in, inlen, out, &length);
break;
default:
crv = CKR_OPERATION_NOT_INITIALIZED;
break;
}
if (crv != CKR_OK) {
PORT_SetError(PK11_MapError(crv));
*outlen = 0;
rv = SECFailure;
} else {
*outlen = length;
}
if (context->fortezzaHack) {
if (context->operation == CKA_ENCRYPT) {
PORT_Assert(allocOut);
PORT_Memcpy(saveOut, allocOut, length);
PORT_Free(allocOut);
}
context->fortezzaHack = PR_FALSE;
}
/*
* handle session starvation case.. use our last session to multiplex
*/
if (!context->ownSession) {
context->savedData = pk11_saveContext(context, context->savedData,
&context->savedLength);
if (context->savedData == NULL)
rv = SECFailure;
/* clear out out session for others to use */
pk11_Finalize(context);
}
PK11_ExitContextMonitor(context);
return rv;
}
/*
* Simulate the IV generation that normally would happen in the token.
*
* This is a modifed copy of what is in freebl/gcm.c. We can't use the
* version in freebl because of layering, since freebl is inside the token
* boundary. These issues are traditionally handled by moving them to util,
* but we also have two different Random functions we have two switch between.
* Since this is primarily here for tokens that don't support the PKCS #11
* Message Interface, it's OK if they diverge a bit. Slight semantic
* differences from the freebl/gcm.c version shouldn't be much more than the
* sematic differences between freebl and other tokens which do implement the
* Message Interface. */
static SECStatus
pk11_GenerateIV(PK11Context *context, CK_GENERATOR_FUNCTION ivgen,
int fixedBits, unsigned char *iv, int ivLen)
{
unsigned int i;
unsigned int flexBits;
unsigned int ivOffset;
unsigned int ivNewCount;
unsigned char ivMask;
unsigned char ivSave;
SECStatus rv;
if (context->ivCounter != 0) {
/* If we've already generated a message, make sure all subsequent
* messages are using the same generator */
if ((context->ivGen != ivgen) ||
(context->ivFixedBits != fixedBits) ||
(context->ivLen != ivLen)) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
} else {
/* remember these values */
context->ivGen = ivgen;
context->ivFixedBits = fixedBits;
context->ivLen = ivLen;
/* now calculate how may bits of IV we have to supply */
flexBits = ivLen * PR_BITS_PER_BYTE;
/* first make sure we aren't going to overflow */
if (flexBits < fixedBits) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
flexBits -= fixedBits;
/* if we are generating a random number reduce the acceptable bits to
* avoid birthday attacks */
if (ivgen == CKG_GENERATE_RANDOM) {
if (flexBits <= GCMIV_RANDOM_BIRTHDAY_BITS) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
/* see freebl/blapit.h for how GCMIV_RANDOM_BIRTHDAY_BITS is
* calculated. */
flexBits -= GCMIV_RANDOM_BIRTHDAY_BITS;
flexBits = flexBits >> 1;
}
if (flexBits == 0) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
/* Turn those bits into the number of IV's we can safely return */
if (flexBits >= sizeof(context->ivMaxCount) * PR_BITS_PER_BYTE) {
context->ivMaxCount = PR_UINT64(0xffffffffffffffff);
} else {
context->ivMaxCount = (PR_UINT64(1) << flexBits);
}
}
/* no generate, accept the IV from the source */
if (ivgen == CKG_NO_GENERATE) {
context->ivCounter = 1;
return SECSuccess;
}
/* make sure we haven't exceeded the number of IVs we can return
* for this key, generator, and IV size */
if (context->ivCounter >= context->ivMaxCount) {
/* use a unique error from just bad user input */
PORT_SetError(SEC_ERROR_EXTRA_INPUT);
return SECFailure;
}
/* build to mask to handle the first byte of the IV */
ivOffset = fixedBits / PR_BITS_PER_BYTE;
ivMask = 0xff >> ((PR_BITS_PER_BYTE - (fixedBits & 7)) & 7);
ivNewCount = ivLen - ivOffset;
/* finally generate the IV */
switch (ivgen) {
case CKG_GENERATE: /* default to counter */
case CKG_GENERATE_COUNTER:
iv[ivOffset] = (iv[ivOffset] & ~ivMask) |
(PORT_GET_BYTE_BE(context->ivCounter, 0, ivNewCount) & ivMask);
for (i = 1; i < ivNewCount; i++) {
iv[ivOffset + i] =
PORT_GET_BYTE_BE(context->ivCounter, i, ivNewCount);
}
break;
case CKG_GENERATE_COUNTER_XOR:
iv[ivOffset] ^=
(PORT_GET_BYTE_BE(context->ivCounter, 0, ivNewCount) & ivMask);
for (i = 1; i < ivNewCount; i++) {
iv[ivOffset + i] ^=
PORT_GET_BYTE_BE(context->ivCounter, i, ivNewCount);
}
break;
case CKG_GENERATE_RANDOM:
ivSave = iv[ivOffset] & ~ivMask;
rv = PK11_GenerateRandom(iv + ivOffset, ivNewCount);
iv[ivOffset] = ivSave | (iv[ivOffset] & ivMask);
if (rv != SECSuccess) {
return rv;
}
break;
}
context->ivCounter++;
return SECSuccess;
}
/*
* PKCS #11 v2.40 did not have a message interface. If our module can't
* do the message interface use the old method of doing AEAD */
static SECStatus
pk11_AEADSimulateOp(PK11Context *context, void *params, int paramslen,
const unsigned char *aad, int aadlen,
unsigned char *out, int *outlen,
int maxout, const unsigned char *in, int inlen)
{
unsigned int length = maxout;
SECStatus rv = SECSuccess;
unsigned char *saveOut = out;
unsigned char *allocOut = NULL;
/*
* first we need to convert the single shot (v2.40) parameters into
* the message version of the parameters. This usually involves
* copying the Nonce or IV, setting the AAD from our parameter list
* and handling the tag differences */
CK_GCM_PARAMS_V3 gcm;
CK_GCM_MESSAGE_PARAMS *gcm_message;
CK_CCM_PARAMS ccm;
CK_CCM_MESSAGE_PARAMS *ccm_message;
CK_SALSA20_CHACHA20_POLY1305_PARAMS chacha_poly;
CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS *chacha_poly_message;
CK_NSS_AEAD_PARAMS nss_chacha_poly;
CK_MECHANISM_TYPE mechanism = context->simulate_mechanism;
SECItem sim_params = { 0, NULL, 0 };
unsigned char *tag = NULL;
unsigned int taglen;
PRBool encrypt;
*outlen = 0;
/* figure out if we are encrypting or decrypting, as tags are
* handled differently in both */
switch (context->operation) {
case CKA_NSS_MESSAGE | CKA_ENCRYPT:
encrypt = PR_TRUE;
break;
case CKA_NSS_MESSAGE | CKA_DECRYPT:
encrypt = PR_FALSE;
break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
switch (mechanism) {
case CKM_CHACHA20_POLY1305:
case CKM_SALSA20_POLY1305:
if (paramslen != sizeof(CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS)) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
chacha_poly_message =
(CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS *)params;
chacha_poly.pNonce = chacha_poly_message->pNonce;
chacha_poly.ulNonceLen = chacha_poly_message->ulNonceLen;
chacha_poly.pAAD = (CK_BYTE_PTR)aad;
chacha_poly.ulAADLen = aadlen;
tag = chacha_poly_message->pTag;
taglen = 16;
sim_params.data = (unsigned char *)&chacha_poly;
sim_params.len = sizeof(chacha_poly);
/* SALSA20_POLY1305 and CHACHA20_POLY1305 do not generate the iv
* internally, don't simulate it either */
break;
case CKM_NSS_CHACHA20_POLY1305:
if (paramslen != sizeof(CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS)) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
chacha_poly_message =
(CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS *)params;
tag = chacha_poly_message->pTag;
taglen = 16;
nss_chacha_poly.pNonce = chacha_poly_message->pNonce;
nss_chacha_poly.ulNonceLen = chacha_poly_message->ulNonceLen;
nss_chacha_poly.pAAD = (CK_BYTE_PTR)aad;
nss_chacha_poly.ulAADLen = aadlen;
nss_chacha_poly.ulTagLen = taglen;
sim_params.data = (unsigned char *)&nss_chacha_poly;
sim_params.len = sizeof(nss_chacha_poly);
/* CKM_NSS_CHACHA20_POLY1305 does not generate the iv
* internally, don't simulate it either */
break;
case CKM_AES_CCM:
if (paramslen != sizeof(CK_CCM_MESSAGE_PARAMS)) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
ccm_message = (CK_CCM_MESSAGE_PARAMS *)params;
ccm.ulDataLen = ccm_message->ulDataLen;
ccm.pNonce = ccm_message->pNonce;
ccm.ulNonceLen = ccm_message->ulNonceLen;
ccm.pAAD = (CK_BYTE_PTR)aad;
ccm.ulAADLen = aadlen;
ccm.ulMACLen = ccm_message->ulMACLen;
tag = ccm_message->pMAC;
taglen = ccm_message->ulMACLen;
sim_params.data = (unsigned char *)&ccm;
sim_params.len = sizeof(ccm);
if (encrypt) {
/* simulate generating the IV */
rv = pk11_GenerateIV(context, ccm_message->nonceGenerator,
ccm_message->ulNonceFixedBits,
ccm_message->pNonce,
ccm_message->ulNonceLen);
if (rv != SECSuccess) {
return rv;
}
}
break;
case CKM_AES_GCM:
if (paramslen != sizeof(CK_GCM_MESSAGE_PARAMS)) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
gcm_message = (CK_GCM_MESSAGE_PARAMS *)params;
gcm.pIv = gcm_message->pIv;
gcm.ulIvLen = gcm_message->ulIvLen;
gcm.ulIvBits = gcm.ulIvLen * PR_BITS_PER_BYTE;
gcm.pAAD = (CK_BYTE_PTR)aad;
gcm.ulAADLen = aadlen;
gcm.ulTagBits = gcm_message->ulTagBits;
tag = gcm_message->pTag;
taglen = (gcm_message->ulTagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE;
sim_params.data = (unsigned char *)&gcm;
sim_params.len = sizeof(gcm);
if (encrypt) {
/* simulate generating the IV */
rv = pk11_GenerateIV(context, gcm_message->ivGenerator,
gcm_message->ulIvFixedBits,
gcm_message->pIv, gcm_message->ulIvLen);
if (rv != SECSuccess) {
return rv;
}
}
break;
default:
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return SECFailure;
}
/* now handle the tag. The message interface separates the tag from
* the data, while the single shot gets and puts the tag at the end of
* the encrypted data. */
if (!encrypt) {
/* In the decrypt case, if the tag is already at the end of the
* input buffer we are golden, otherwise we'll need a new input
* buffer and copy the tag at the end of it */
if (tag != in + inlen) {
allocOut = PORT_Alloc(inlen + taglen);
if (allocOut == NULL) {
return SECFailure;
}
PORT_Memcpy(allocOut, in, inlen);
PORT_Memcpy(allocOut + inlen, tag, taglen);
in = allocOut;
}
inlen = inlen + taglen;
} else {
/* if we end up allocating, we don't want to overrun this buffer,
* so we fail early here */
if (maxout < inlen) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
/* in the encrypt case, we are fine if maxout is big enough to hold
* the tag. We'll copy the tag after the operation */
if (maxout < inlen + taglen) {
allocOut = PORT_Alloc(inlen + taglen);
if (allocOut == NULL) {
return SECFailure;
}
out = allocOut;
length = maxout = inlen + taglen;
}
}
/* now do the operation */
if (encrypt) {
rv = PK11_Encrypt(context->key, mechanism, &sim_params, out, &length,
maxout, in, inlen);
} else {
rv = PK11_Decrypt(context->key, mechanism, &sim_params, out, &length,
maxout, in, inlen);
}
if (rv != SECSuccess) {
/* If the mechanism was CKM_AES_GCM, the module may have been
* following the same error as old versions of NSS. Retry with
* the CK_NSS_GCM_PARAMS */
if ((mechanism == CKM_AES_GCM) &&
(PORT_GetError() == SEC_ERROR_BAD_DATA)) {
CK_NSS_GCM_PARAMS gcm_nss;
gcm_message = (CK_GCM_MESSAGE_PARAMS *)params;
gcm_nss.pIv = gcm_message->pIv;
gcm_nss.ulIvLen = gcm_message->ulIvLen;
gcm_nss.pAAD = (CK_BYTE_PTR)aad;
gcm_nss.ulAADLen = aadlen;
gcm_nss.ulTagBits = gcm_message->ulTagBits;
sim_params.data = (unsigned char *)&gcm_nss;
sim_params.len = sizeof(gcm_nss);
if (encrypt) {
rv = PK11_Encrypt(context->key, mechanism, &sim_params, out,
&length, maxout, in, inlen);
} else {
rv = PK11_Decrypt(context->key, mechanism, &sim_params, out,
&length, maxout, in, inlen);
}
if (rv != SECSuccess) {
goto fail;
}
} else {
goto fail;
}
}
/* on encrypt, separate the output buffer from the tag */
if (encrypt) {
if ((length < taglen) || (length > inlen + taglen)) {
/* PKCS #11 module should not return a length smaller than
* taglen, or bigger than inlen+taglen */
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
rv = SECFailure;
goto fail;
}
length = length - taglen;
if (allocOut) {
/*
* If we used a temporary buffer, copy it out to the original
* buffer.
*/
PORT_Memcpy(saveOut, allocOut, length);
}
/* if the tag isn't in the right place, copy it out */
if (tag != out + length) {
PORT_Memcpy(tag, out + length, taglen);
}
}
*outlen = length;
rv = SECSuccess;
fail:
if (allocOut) {
PORT_Free(allocOut);
}
return rv;
}
/*
* Do an AEAD operation. This function optionally returns
* and IV on Encrypt for all mechanism. NSS knows which mechanisms
* generate IV's in the token and which don't. This allows the
* applications to make a single call without special handling for
* each AEAD mechanism (the special handling is all contained here.
*/
SECStatus
PK11_AEADOp(PK11Context *context, CK_GENERATOR_FUNCTION ivgen,
int fixedbits, unsigned char *iv, int ivlen,
const unsigned char *aad, int aadlen,
unsigned char *out, int *outlen,
int maxout, unsigned char *tag, int taglen,
const unsigned char *in, int inlen)
{
CK_GCM_MESSAGE_PARAMS gcm_message;
CK_CCM_MESSAGE_PARAMS ccm_message;
CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS chacha_poly_message;
void *params;
int paramslen;
SECStatus rv;
switch (context->simulate_mechanism) {
case CKM_CHACHA20_POLY1305:
case CKM_SALSA20_POLY1305:
case CKM_NSS_CHACHA20_POLY1305:
chacha_poly_message.pNonce = iv;
chacha_poly_message.ulNonceLen = ivlen;
chacha_poly_message.pTag = tag;
params = &chacha_poly_message;
paramslen = sizeof(CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS);
/* SALSA20_POLY1305 and CHACHA20_POLY1305 do not generate the iv
* internally, Do it here. */
if (context->operation == (CKA_NSS_MESSAGE | CKA_ENCRYPT)) {
/* simulate generating the IV */
rv = pk11_GenerateIV(context, ivgen, fixedbits, iv, ivlen);
if (rv != SECSuccess) {
return rv;
}
}
break;
case CKM_AES_GCM:
gcm_message.pIv = iv;
gcm_message.ulIvLen = ivlen;
gcm_message.ivGenerator = ivgen;
gcm_message.ulIvFixedBits = fixedbits;
gcm_message.pTag = tag;
gcm_message.ulTagBits = taglen * 8;
params = &gcm_message;
paramslen = sizeof(CK_GCM_MESSAGE_PARAMS);
/* GCM generates IV internally */
break;
case CKM_AES_CCM:
ccm_message.ulDataLen = inlen;
ccm_message.pNonce = iv;
ccm_message.ulNonceLen = ivlen;
ccm_message.nonceGenerator = ivgen;
ccm_message.ulNonceFixedBits = fixedbits;
ccm_message.pMAC = tag;
ccm_message.ulMACLen = taglen;
params = &ccm_message;
paramslen = sizeof(CK_GCM_MESSAGE_PARAMS);
/* CCM generates IV internally */
break;
default:
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return SECFailure;
}
return PK11_AEADRawOp(context, params, paramslen, aad, aadlen, out, outlen,
maxout, in, inlen);
}
/* Do and AED operation. The application builds the params on it's own
* and passes them in. This allows applications direct access to the params
* so they can use mechanisms not yet understood by, NSS, or get semantics
* not suppied by PK11_AEAD. */
SECStatus
PK11_AEADRawOp(PK11Context *context, void *params, int paramslen,
const unsigned char *aad, int aadlen,
unsigned char *out, int *outlen,
int maxout, const unsigned char *in, int inlen)
{
CK_RV crv = CKR_OK;
CK_ULONG length = maxout;
SECStatus rv = SECSuccess;
PORT_Assert(outlen != NULL);
*outlen = 0;
if (((context->operation) & CKA_NSS_MESSAGE_MASK) != CKA_NSS_MESSAGE) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
/*
* The PKCS 11 module does not support the message interface, fall
* back to using single shot operation */
if (context->simulate_message) {
return pk11_AEADSimulateOp(context, params, paramslen, aad, aadlen,
out, outlen, maxout, in, inlen);
}
/* if we ran out of session, we need to restore our previously stored
* state.
*/
PK11_EnterContextMonitor(context);
if (!context->ownSession) {
rv = pk11_restoreContext(context, context->savedData,
context->savedLength);
if (rv != SECSuccess) {
PK11_ExitContextMonitor(context);
return rv;
}
}
switch (context->operation) {
case CKA_NSS_MESSAGE | CKA_ENCRYPT:
length = maxout;
crv = PK11_GETTAB(context->slot)->C_EncryptMessage(context->session, params, paramslen, (CK_BYTE_PTR)aad, aadlen, (CK_BYTE_PTR)in, inlen, out, &length);
break;
case CKA_NSS_MESSAGE | CKA_DECRYPT:
length = maxout;
crv = PK11_GETTAB(context->slot)->C_DecryptMessage(context->session, params, paramslen, (CK_BYTE_PTR)aad, aadlen, (CK_BYTE_PTR)in, inlen, out, &length);
break;
case CKA_NSS_MESSAGE | CKA_SIGN:
length = maxout;
crv = PK11_GETTAB(context->slot)->C_SignMessage(context->session, params, paramslen, (CK_BYTE_PTR)in, inlen, out, &length);
break;
case CKA_NSS_MESSAGE | CKA_VERIFY:
length = maxout; /* sig length */
crv = PK11_GETTAB(context->slot)->C_VerifyMessage(context->session, params, paramslen, (CK_BYTE_PTR)in, inlen, out /* sig */, length);
break;
default:
crv = CKR_OPERATION_NOT_INITIALIZED;
break;
}
if (crv != CKR_OK) {
PORT_SetError(PK11_MapError(crv));
rv = SECFailure;
} else {
*outlen = length;
}
/*
* handle session starvation case.. use our last session to multiplex
*/
if (!context->ownSession) {
context->savedData = pk11_saveContext(context, context->savedData,
&context->savedLength);
if (context->savedData == NULL)
rv = SECFailure;
/* clear out out session for others to use */
pk11_Finalize(context);
}
PK11_ExitContextMonitor(context);
return rv;
}
/*
* execute a digest/signature operation
*/
SECStatus
PK11_DigestOp(PK11Context *context, const unsigned char *in, unsigned inLen)
{
CK_RV crv = CKR_OK;
SECStatus rv = SECSuccess;
if (inLen == 0) {
return SECSuccess;
}
if (!in) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
/* if we ran out of session, we need to restore our previously stored
* state.
*/
context->init = PR_FALSE;
PK11_EnterContextMonitor(context);
if (!context->ownSession) {
rv = pk11_restoreContext(context, context->savedData,
context->savedLength);
if (rv != SECSuccess) {
PK11_ExitContextMonitor(context);
return rv;
}
}
switch (context->operation) {
/* also for MAC'ing */
case CKA_SIGN:
crv = PK11_GETTAB(context->slot)->C_SignUpdate(context->session, (unsigned char *)in, inLen);
break;
case CKA_VERIFY:
crv = PK11_GETTAB(context->slot)->C_VerifyUpdate(context->session, (unsigned char *)in, inLen);
break;
case CKA_DIGEST:
crv = PK11_GETTAB(context->slot)->C_DigestUpdate(context->session, (unsigned char *)in, inLen);
break;
default:
crv = CKR_OPERATION_NOT_INITIALIZED;
break;
}
if (crv != CKR_OK) {
PORT_SetError(PK11_MapError(crv));
rv = SECFailure;
}
/*
* handle session starvation case.. use our last session to multiplex
*/
if (!context->ownSession) {
context->savedData = pk11_saveContext(context, context->savedData,
&context->savedLength);
if (context->savedData == NULL)
rv = SECFailure;
/* clear out out session for others to use */
pk11_Finalize(context);
}
PK11_ExitContextMonitor(context);
return rv;
}
/*
* Digest a key if possible./
*/
SECStatus
PK11_DigestKey(PK11Context *context, PK11SymKey *key)
{
CK_RV crv = CKR_OK;
SECStatus rv = SECSuccess;
PK11SymKey *newKey = NULL;
if (!context || !key) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
/* if we ran out of session, we need to restore our previously stored
* state.
*/
if (context->slot != key->slot) {
newKey = pk11_CopyToSlot(context->slot, CKM_SSL3_SHA1_MAC, CKA_SIGN, key);
} else {
newKey = PK11_ReferenceSymKey(key);
}
context->init = PR_FALSE;
PK11_EnterContextMonitor(context);
if (!context->ownSession) {
rv = pk11_restoreContext(context, context->savedData,
context->savedLength);
if (rv != SECSuccess) {
PK11_ExitContextMonitor(context);
PK11_FreeSymKey(newKey);
return rv;
}
}
if (newKey == NULL) {
crv = CKR_KEY_TYPE_INCONSISTENT;
if (key->data.data) {
crv = PK11_GETTAB(context->slot)->C_DigestUpdate(context->session, key->data.data, key->data.len);
}
} else {
crv = PK11_GETTAB(context->slot)->C_DigestKey(context->session, newKey->objectID);
}
if (crv != CKR_OK) {
PORT_SetError(PK11_MapError(crv));
rv = SECFailure;
}
/*
* handle session starvation case.. use our last session to multiplex
*/
if (!context->ownSession) {
context->savedData = pk11_saveContext(context, context->savedData,
&context->savedLength);
if (context->savedData == NULL)
rv = SECFailure;
/* clear out out session for others to use */
pk11_Finalize(context);
}
PK11_ExitContextMonitor(context);
if (newKey)
PK11_FreeSymKey(newKey);
return rv;
}
/*
* externally callable version of the lowercase pk11_finalize().
*/
SECStatus
PK11_Finalize(PK11Context *context)
{
SECStatus rv;
PK11_EnterContextMonitor(context);
rv = pk11_Finalize(context);
PK11_ExitContextMonitor(context);
return rv;
}
/*
* clean up a cipher operation, so the session can be used by
* someone new.
*/
SECStatus
pk11_Finalize(PK11Context *context)
{
CK_ULONG count = 0;
CK_RV crv;
unsigned char stackBuf[256];
unsigned char *buffer = NULL;
if (!context->ownSession) {
return SECSuccess;
}
finalize:
switch (context->operation) {
case CKA_ENCRYPT:
crv = PK11_GETTAB(context->slot)->C_EncryptFinal(context->session, buffer, &count);
break;
case CKA_DECRYPT:
crv = PK11_GETTAB(context->slot)->C_DecryptFinal(context->session, buffer, &count);
break;
case CKA_SIGN:
crv = PK11_GETTAB(context->slot)->C_SignFinal(context->session, buffer, &count);
break;
case CKA_VERIFY:
crv = PK11_GETTAB(context->slot)->C_VerifyFinal(context->session, buffer, count);
break;
case CKA_DIGEST:
crv = PK11_GETTAB(context->slot)->C_DigestFinal(context->session, buffer, &count);
break;
case CKA_NSS_MESSAGE | CKA_ENCRYPT:
crv = PK11_GETTAB(context->slot)->C_MessageEncryptFinal(context->session);
break;
case CKA_NSS_MESSAGE | CKA_DECRYPT:
crv = PK11_GETTAB(context->slot)->C_MessageDecryptFinal(context->session);
break;
case CKA_NSS_MESSAGE | CKA_SIGN:
crv = PK11_GETTAB(context->slot)->C_MessageSignFinal(context->session);
break;
case CKA_NSS_MESSAGE | CKA_VERIFY:
crv = PK11_GETTAB(context->slot)->C_MessageVerifyFinal(context->session);
break;
default:
crv = CKR_OPERATION_NOT_INITIALIZED;
break;
}
if (crv != CKR_OK) {
if (buffer != stackBuf) {
PORT_Free(buffer);
}
if (crv == CKR_OPERATION_NOT_INITIALIZED) {
/* if there's no operation, it is finalized */
return SECSuccess;
}
PORT_SetError(PK11_MapError(crv));
return SECFailure;
}
/* Message interface does not need to allocate a final buffer */
if (((context->operation) & CKA_NSS_MESSAGE_MASK) == CKA_NSS_MESSAGE) {
return SECSuccess;
}
/* try to finalize the session with a buffer */
if (buffer == NULL) {
if (count <= sizeof stackBuf) {
buffer = stackBuf;
} else {
buffer = PORT_Alloc(count);
if (buffer == NULL) {
return SECFailure;
}
}
goto finalize;
}
if (buffer != stackBuf) {
PORT_Free(buffer);
}
return SECSuccess;
}
/*
* Return the final digested or signed data...
* this routine can either take pre initialized data, or allocate data
* either out of an arena or out of the standard heap.
*/
SECStatus
PK11_DigestFinal(PK11Context *context, unsigned char *data,
unsigned int *outLen, unsigned int length)
{
CK_ULONG len;
CK_RV crv;
SECStatus rv;
/* message interface returns no data on Final, Should not use DigestFinal
* in this case */
if (((context->operation) & CKA_NSS_MESSAGE_MASK) == CKA_NSS_MESSAGE) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
/* if we ran out of session, we need to restore our previously stored
* state.
*/
PK11_EnterContextMonitor(context);
if (!context->ownSession) {
rv = pk11_restoreContext(context, context->savedData,
context->savedLength);
if (rv != SECSuccess) {
PK11_ExitContextMonitor(context);
return rv;
}
}
len = length;
switch (context->operation) {
case CKA_SIGN:
crv = PK11_GETTAB(context->slot)->C_SignFinal(context->session, data, &len);
break;
case CKA_VERIFY:
crv = PK11_GETTAB(context->slot)->C_VerifyFinal(context->session, data, len);
break;
case CKA_DIGEST:
crv = PK11_GETTAB(context->slot)->C_DigestFinal(context->session, data, &len);
break;
case CKA_ENCRYPT:
crv = PK11_GETTAB(context->slot)->C_EncryptFinal(context->session, data, &len);
break;
case CKA_DECRYPT:
crv = PK11_GETTAB(context->slot)->C_DecryptFinal(context->session, data, &len);
break;
default:
crv = CKR_OPERATION_NOT_INITIALIZED;
break;
}
PK11_ExitContextMonitor(context);
context->init = PR_FALSE; /* allow Begin to start up again */
if (crv != CKR_OK) {
PORT_SetError(PK11_MapError(crv));
return SECFailure;
}
*outLen = (unsigned int)len;
return SECSuccess;
}
PRBool
PK11_ContextGetFIPSStatus(PK11Context *context)
{
if (context->slot == NULL) {
return PR_FALSE;
}
return pk11slot_GetFIPSStatus(context->slot, context->session,
CK_INVALID_HANDLE, context->init ? CKT_NSS_SESSION_CHECK : CKT_NSS_SESSION_LAST_CHECK);
}
View git blame Copy permalink