security/nss/lib/pk11wrap/pk11cxt.c@b8a032363ba2 (annotated)
security/nss/lib/pk11wrap/pk11cxt.c
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
| michael@0 | 1 | /* This Source Code Form is subject to the terms of the Mozilla Public |
| michael@0 | 2 | * License, v. 2.0. If a copy of the MPL was not distributed with this |
| michael@0 | 3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| michael@0 | 4 | /* |
| michael@0 | 5 | * This file PK11Contexts which are used in multipart hashing, |
| michael@0 | 6 | * encryption/decryption, and signing/verication operations. |
| michael@0 | 7 | */ |
| michael@0 | 8 | |
| michael@0 | 9 | #include "seccomon.h" |
| michael@0 | 10 | #include "secmod.h" |
| michael@0 | 11 | #include "nssilock.h" |
| michael@0 | 12 | #include "secmodi.h" |
| michael@0 | 13 | #include "secmodti.h" |
| michael@0 | 14 | #include "pkcs11.h" |
| michael@0 | 15 | #include "pk11func.h" |
| michael@0 | 16 | #include "secitem.h" |
| michael@0 | 17 | #include "secoid.h" |
| michael@0 | 18 | #include "sechash.h" |
| michael@0 | 19 | #include "secerr.h" |
| michael@0 | 20 | |
| michael@0 | 21 | static const SECItem pk11_null_params = { 0 }; |
| michael@0 | 22 | |
| michael@0 | 23 | /********************************************************************** |
| michael@0 | 24 | * |
| michael@0 | 25 | * Now Deal with Crypto Contexts |
| michael@0 | 26 | * |
| michael@0 | 27 | **********************************************************************/ |
| michael@0 | 28 | |
| michael@0 | 29 | /* |
| michael@0 | 30 | * the monitors... |
| michael@0 | 31 | */ |
| michael@0 | 32 | void |
| michael@0 | 33 | PK11_EnterContextMonitor(PK11Context *cx) { |
| michael@0 | 34 | /* if we own the session and our slot is ThreadSafe, only monitor |
| michael@0 | 35 | * the Context */ |
| michael@0 | 36 | if ((cx->ownSession) && (cx->slot->isThreadSafe)) { |
| michael@0 | 37 | /* Should this use monitors instead? */ |
| michael@0 | 38 | PZ_Lock(cx->sessionLock); |
| michael@0 | 39 | } else { |
| michael@0 | 40 | PK11_EnterSlotMonitor(cx->slot); |
| michael@0 | 41 | } |
| michael@0 | 42 | } |
| michael@0 | 43 | |
| michael@0 | 44 | void |
| michael@0 | 45 | PK11_ExitContextMonitor(PK11Context *cx) { |
| michael@0 | 46 | /* if we own the session and our slot is ThreadSafe, only monitor |
| michael@0 | 47 | * the Context */ |
| michael@0 | 48 | if ((cx->ownSession) && (cx->slot->isThreadSafe)) { |
| michael@0 | 49 | /* Should this use monitors instead? */ |
| michael@0 | 50 | PZ_Unlock(cx->sessionLock); |
| michael@0 | 51 | } else { |
| michael@0 | 52 | PK11_ExitSlotMonitor(cx->slot); |
| michael@0 | 53 | } |
| michael@0 | 54 | } |
| michael@0 | 55 | |
| michael@0 | 56 | /* |
| michael@0 | 57 | * Free up a Cipher Context |
| michael@0 | 58 | */ |
| michael@0 | 59 | void |
| michael@0 | 60 | PK11_DestroyContext(PK11Context *context, PRBool freeit) |
| michael@0 | 61 | { |
| michael@0 | 62 | pk11_CloseSession(context->slot,context->session,context->ownSession); |
| michael@0 | 63 | /* initialize the critical fields of the context */ |
| michael@0 | 64 | if (context->savedData != NULL ) PORT_Free(context->savedData); |
| michael@0 | 65 | if (context->key) PK11_FreeSymKey(context->key); |
| michael@0 | 66 | if (context->param && context->param != &pk11_null_params) |
| michael@0 | 67 | SECITEM_FreeItem(context->param, PR_TRUE); |
| michael@0 | 68 | if (context->sessionLock) PZ_DestroyLock(context->sessionLock); |
| michael@0 | 69 | PK11_FreeSlot(context->slot); |
| michael@0 | 70 | if (freeit) PORT_Free(context); |
| michael@0 | 71 | } |
| michael@0 | 72 | |
| michael@0 | 73 | /* |
| michael@0 | 74 | * save the current context. Allocate Space if necessary. |
| michael@0 | 75 | */ |
| michael@0 | 76 | static unsigned char * |
| michael@0 | 77 | pk11_saveContextHelper(PK11Context *context, unsigned char *buffer, |
| michael@0 | 78 | unsigned long *savedLength) |
| michael@0 | 79 | { |
| michael@0 | 80 | CK_RV crv; |
| michael@0 | 81 | |
| michael@0 | 82 | /* If buffer is NULL, this will get the length */ |
| michael@0 | 83 | crv = PK11_GETTAB(context->slot)->C_GetOperationState(context->session, |
| michael@0 | 84 | (CK_BYTE_PTR)buffer, |
| michael@0 | 85 | savedLength); |
| michael@0 | 86 | if (!buffer || (crv == CKR_BUFFER_TOO_SMALL)) { |
| michael@0 | 87 | /* the given buffer wasn't big enough (or was NULL), but we |
| michael@0 | 88 | * have the length, so try again with a new buffer and the |
| michael@0 | 89 | * correct length |
| michael@0 | 90 | */ |
| michael@0 | 91 | unsigned long bufLen = *savedLength; |
| michael@0 | 92 | buffer = PORT_Alloc(bufLen); |
| michael@0 | 93 | if (buffer == NULL) { |
| michael@0 | 94 | return (unsigned char *)NULL; |
| michael@0 | 95 | } |
| michael@0 | 96 | crv = PK11_GETTAB(context->slot)->C_GetOperationState( |
| michael@0 | 97 | context->session, |
| michael@0 | 98 | (CK_BYTE_PTR)buffer, |
| michael@0 | 99 | savedLength); |
| michael@0 | 100 | if (crv != CKR_OK) { |
| michael@0 | 101 | PORT_ZFree(buffer, bufLen); |
| michael@0 | 102 | } |
| michael@0 | 103 | } |
| michael@0 | 104 | if (crv != CKR_OK) { |
| michael@0 | 105 | PORT_SetError( PK11_MapError(crv) ); |
| michael@0 | 106 | return (unsigned char *)NULL; |
| michael@0 | 107 | } |
| michael@0 | 108 | return buffer; |
| michael@0 | 109 | } |
| michael@0 | 110 | |
| michael@0 | 111 | void * |
| michael@0 | 112 | pk11_saveContext(PK11Context *context, void *space, unsigned long *savedLength) |
| michael@0 | 113 | { |
| michael@0 | 114 | return pk11_saveContextHelper(context, |
| michael@0 | 115 | (unsigned char *)space, savedLength); |
| michael@0 | 116 | } |
| michael@0 | 117 | |
| michael@0 | 118 | /* |
| michael@0 | 119 | * restore the current context |
| michael@0 | 120 | */ |
| michael@0 | 121 | SECStatus |
| michael@0 | 122 | pk11_restoreContext(PK11Context *context,void *space, unsigned long savedLength) |
| michael@0 | 123 | { |
| michael@0 | 124 | CK_RV crv; |
| michael@0 | 125 | CK_OBJECT_HANDLE objectID = (context->key) ? context->key->objectID: |
| michael@0 | 126 | CK_INVALID_HANDLE; |
| michael@0 | 127 | |
| michael@0 | 128 | PORT_Assert(space != NULL); |
| michael@0 | 129 | if (space == NULL) { |
| michael@0 | 130 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| michael@0 | 131 | return SECFailure; |
| michael@0 | 132 | } |
| michael@0 | 133 | crv = PK11_GETTAB(context->slot)->C_SetOperationState(context->session, |
| michael@0 | 134 | (CK_BYTE_PTR)space, savedLength, objectID, 0); |
| michael@0 | 135 | if (crv != CKR_OK) { |
| michael@0 | 136 | PORT_SetError( PK11_MapError(crv)); |
| michael@0 | 137 | return SECFailure; |
| michael@0 | 138 | } |
| michael@0 | 139 | return SECSuccess; |
| michael@0 | 140 | } |
| michael@0 | 141 | |
| michael@0 | 142 | SECStatus pk11_Finalize(PK11Context *context); |
| michael@0 | 143 | |
| michael@0 | 144 | /* |
| michael@0 | 145 | * Context initialization. Used by all flavors of CreateContext |
| michael@0 | 146 | */ |
| michael@0 | 147 | static SECStatus |
| michael@0 | 148 | pk11_context_init(PK11Context *context, CK_MECHANISM *mech_info) |
| michael@0 | 149 | { |
| michael@0 | 150 | CK_RV crv; |
| michael@0 | 151 | PK11SymKey *symKey = context->key; |
| michael@0 | 152 | SECStatus rv = SECSuccess; |
| michael@0 | 153 | |
| michael@0 | 154 | switch (context->operation) { |
| michael@0 | 155 | case CKA_ENCRYPT: |
| michael@0 | 156 | crv=PK11_GETTAB(context->slot)->C_EncryptInit(context->session, |
| michael@0 | 157 | mech_info, symKey->objectID); |
| michael@0 | 158 | break; |
| michael@0 | 159 | case CKA_DECRYPT: |
| michael@0 | 160 | if (context->fortezzaHack) { |
| michael@0 | 161 | CK_ULONG count = 0;; |
| michael@0 | 162 | /* generate the IV for fortezza */ |
| michael@0 | 163 | crv=PK11_GETTAB(context->slot)->C_EncryptInit(context->session, |
| michael@0 | 164 | mech_info, symKey->objectID); |
| michael@0 | 165 | if (crv != CKR_OK) break; |
| michael@0 | 166 | PK11_GETTAB(context->slot)->C_EncryptFinal(context->session, |
| michael@0 | 167 | NULL, &count); |
| michael@0 | 168 | } |
| michael@0 | 169 | crv=PK11_GETTAB(context->slot)->C_DecryptInit(context->session, |
| michael@0 | 170 | mech_info, symKey->objectID); |
| michael@0 | 171 | break; |
| michael@0 | 172 | case CKA_SIGN: |
| michael@0 | 173 | crv=PK11_GETTAB(context->slot)->C_SignInit(context->session, |
| michael@0 | 174 | mech_info, symKey->objectID); |
| michael@0 | 175 | break; |
| michael@0 | 176 | case CKA_VERIFY: |
| michael@0 | 177 | crv=PK11_GETTAB(context->slot)->C_SignInit(context->session, |
| michael@0 | 178 | mech_info, symKey->objectID); |
| michael@0 | 179 | break; |
| michael@0 | 180 | case CKA_DIGEST: |
| michael@0 | 181 | crv=PK11_GETTAB(context->slot)->C_DigestInit(context->session, |
| michael@0 | 182 | mech_info); |
| michael@0 | 183 | break; |
| michael@0 | 184 | default: |
| michael@0 | 185 | crv = CKR_OPERATION_NOT_INITIALIZED; |
| michael@0 | 186 | break; |
| michael@0 | 187 | } |
| michael@0 | 188 | |
| michael@0 | 189 | if (crv != CKR_OK) { |
| michael@0 | 190 | PORT_SetError( PK11_MapError(crv) ); |
| michael@0 | 191 | return SECFailure; |
| michael@0 | 192 | } |
| michael@0 | 193 | |
| michael@0 | 194 | /* |
| michael@0 | 195 | * handle session starvation case.. use our last session to multiplex |
| michael@0 | 196 | */ |
| michael@0 | 197 | if (!context->ownSession) { |
| michael@0 | 198 | context->savedData = pk11_saveContext(context,context->savedData, |
| michael@0 | 199 | &context->savedLength); |
| michael@0 | 200 | if (context->savedData == NULL) rv = SECFailure; |
| michael@0 | 201 | /* clear out out session for others to use */ |
| michael@0 | 202 | pk11_Finalize(context); |
| michael@0 | 203 | } |
| michael@0 | 204 | return rv; |
| michael@0 | 205 | } |
| michael@0 | 206 | |
| michael@0 | 207 | |
| michael@0 | 208 | /* |
| michael@0 | 209 | * Common Helper Function do come up with a new context. |
| michael@0 | 210 | */ |
| michael@0 | 211 | static PK11Context *pk11_CreateNewContextInSlot(CK_MECHANISM_TYPE type, |
| michael@0 | 212 | PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey, |
| michael@0 | 213 | SECItem *param) |
| michael@0 | 214 | { |
| michael@0 | 215 | CK_MECHANISM mech_info; |
| michael@0 | 216 | PK11Context *context; |
| michael@0 | 217 | SECStatus rv; |
| michael@0 | 218 | |
| michael@0 | 219 | PORT_Assert(slot != NULL); |
| michael@0 | 220 | if (!slot || (!symKey && ((operation != CKA_DIGEST) || |
| michael@0 | 221 | (type == CKM_SKIPJACK_CBC64)))) { |
| michael@0 | 222 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| michael@0 | 223 | return NULL; |
| michael@0 | 224 | } |
| michael@0 | 225 | context = (PK11Context *) PORT_Alloc(sizeof(PK11Context)); |
| michael@0 | 226 | if (context == NULL) { |
| michael@0 | 227 | return NULL; |
| michael@0 | 228 | } |
| michael@0 | 229 | |
| michael@0 | 230 | /* now deal with the fortezza hack... the fortezza hack is an attempt |
| michael@0 | 231 | * to get around the issue of the card not allowing you to do a FORTEZZA |
| michael@0 | 232 | * LoadIV/Encrypt, which was added because such a combination could be |
| michael@0 | 233 | * use to circumvent the key escrow system. Unfortunately SSL needs to |
| michael@0 | 234 | * do this kind of operation, so in SSL we do a loadIV (to verify it), |
| michael@0 | 235 | * Then GenerateIV, and through away the first 8 bytes on either side |
| michael@0 | 236 | * of the connection.*/ |
| michael@0 | 237 | context->fortezzaHack = PR_FALSE; |
| michael@0 | 238 | if (type == CKM_SKIPJACK_CBC64) { |
| michael@0 | 239 | if (symKey->origin == PK11_OriginFortezzaHack) { |
| michael@0 | 240 | context->fortezzaHack = PR_TRUE; |
| michael@0 | 241 | } |
| michael@0 | 242 | } |
| michael@0 | 243 | |
| michael@0 | 244 | /* initialize the critical fields of the context */ |
| michael@0 | 245 | context->operation = operation; |
| michael@0 | 246 | context->key = symKey ? PK11_ReferenceSymKey(symKey) : NULL; |
| michael@0 | 247 | context->slot = PK11_ReferenceSlot(slot); |
| michael@0 | 248 | context->session = pk11_GetNewSession(slot,&context->ownSession); |
| michael@0 | 249 | context->cx = symKey ? symKey->cx : NULL; |
| michael@0 | 250 | /* get our session */ |
| michael@0 | 251 | context->savedData = NULL; |
| michael@0 | 252 | |
| michael@0 | 253 | /* save the parameters so that some digesting stuff can do multiple |
| michael@0 | 254 | * begins on a single context */ |
| michael@0 | 255 | context->type = type; |
| michael@0 | 256 | if (param) { |
| michael@0 | 257 | if (param->len > 0) { |
| michael@0 | 258 | context->param = SECITEM_DupItem(param); |
| michael@0 | 259 | } else { |
| michael@0 | 260 | context->param = (SECItem *)&pk11_null_params; |
| michael@0 | 261 | } |
| michael@0 | 262 | } else { |
| michael@0 | 263 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| michael@0 | 264 | context->param = NULL; |
| michael@0 | 265 | } |
| michael@0 | 266 | context->init = PR_FALSE; |
| michael@0 | 267 | context->sessionLock = PZ_NewLock(nssILockPK11cxt); |
| michael@0 | 268 | if ((context->param == NULL) || (context->sessionLock == NULL)) { |
| michael@0 | 269 | PK11_DestroyContext(context,PR_TRUE); |
| michael@0 | 270 | return NULL; |
| michael@0 | 271 | } |
| michael@0 | 272 | |
| michael@0 | 273 | mech_info.mechanism = type; |
| michael@0 | 274 | mech_info.pParameter = param->data; |
| michael@0 | 275 | mech_info.ulParameterLen = param->len; |
| michael@0 | 276 | PK11_EnterContextMonitor(context); |
| michael@0 | 277 | rv = pk11_context_init(context,&mech_info); |
| michael@0 | 278 | PK11_ExitContextMonitor(context); |
| michael@0 | 279 | |
| michael@0 | 280 | if (rv != SECSuccess) { |
| michael@0 | 281 | PK11_DestroyContext(context,PR_TRUE); |
| michael@0 | 282 | return NULL; |
| michael@0 | 283 | } |
| michael@0 | 284 | context->init = PR_TRUE; |
| michael@0 | 285 | return context; |
| michael@0 | 286 | } |
| michael@0 | 287 | |
| michael@0 | 288 | |
| michael@0 | 289 | /* |
| michael@0 | 290 | * put together the various PK11_Create_Context calls used by different |
| michael@0 | 291 | * parts of libsec. |
| michael@0 | 292 | */ |
| michael@0 | 293 | PK11Context * |
| michael@0 | 294 | __PK11_CreateContextByRawKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, |
| michael@0 | 295 | PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, |
| michael@0 | 296 | SECItem *param, void *wincx) |
| michael@0 | 297 | { |
| michael@0 | 298 | PK11SymKey *symKey = NULL; |
| michael@0 | 299 | PK11Context *context = NULL; |
| michael@0 | 300 | |
| michael@0 | 301 | /* first get a slot */ |
| michael@0 | 302 | if (slot == NULL) { |
| michael@0 | 303 | slot = PK11_GetBestSlot(type,wincx); |
| michael@0 | 304 | if (slot == NULL) { |
| michael@0 | 305 | PORT_SetError( SEC_ERROR_NO_MODULE ); |
| michael@0 | 306 | goto loser; |
| michael@0 | 307 | } |
| michael@0 | 308 | } else { |
| michael@0 | 309 | PK11_ReferenceSlot(slot); |
| michael@0 | 310 | } |
| michael@0 | 311 | |
| michael@0 | 312 | /* now import the key */ |
| michael@0 | 313 | symKey = PK11_ImportSymKey(slot, type, origin, operation, key, wincx); |
| michael@0 | 314 | if (symKey == NULL) goto loser; |
| michael@0 | 315 | |
| michael@0 | 316 | context = PK11_CreateContextBySymKey(type, operation, symKey, param); |
| michael@0 | 317 | |
| michael@0 | 318 | loser: |
| michael@0 | 319 | if (symKey) { |
| michael@0 | 320 | PK11_FreeSymKey(symKey); |
| michael@0 | 321 | } |
| michael@0 | 322 | if (slot) { |
| michael@0 | 323 | PK11_FreeSlot(slot); |
| michael@0 | 324 | } |
| michael@0 | 325 | |
| michael@0 | 326 | return context; |
| michael@0 | 327 | } |
| michael@0 | 328 | |
| michael@0 | 329 | PK11Context * |
| michael@0 | 330 | PK11_CreateContextByRawKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, |
| michael@0 | 331 | PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, |
| michael@0 | 332 | SECItem *param, void *wincx) |
| michael@0 | 333 | { |
| michael@0 | 334 | return __PK11_CreateContextByRawKey(slot, type, origin, operation, |
| michael@0 | 335 | key, param, wincx); |
| michael@0 | 336 | } |
| michael@0 | 337 | |
| michael@0 | 338 | |
| michael@0 | 339 | /* |
| michael@0 | 340 | * Create a context from a key. We really should make sure we aren't using |
| michael@0 | 341 | * the same key in multiple session! |
| michael@0 | 342 | */ |
| michael@0 | 343 | PK11Context * |
| michael@0 | 344 | PK11_CreateContextBySymKey(CK_MECHANISM_TYPE type,CK_ATTRIBUTE_TYPE operation, |
| michael@0 | 345 | PK11SymKey *symKey, SECItem *param) |
| michael@0 | 346 | { |
| michael@0 | 347 | PK11SymKey *newKey; |
| michael@0 | 348 | PK11Context *context; |
| michael@0 | 349 | |
| michael@0 | 350 | /* if this slot doesn't support the mechanism, go to a slot that does */ |
| michael@0 | 351 | newKey = pk11_ForceSlot(symKey,type,operation); |
| michael@0 | 352 | if (newKey == NULL) { |
| michael@0 | 353 | PK11_ReferenceSymKey(symKey); |
| michael@0 | 354 | } else { |
| michael@0 | 355 | symKey = newKey; |
| michael@0 | 356 | } |
| michael@0 | 357 | |
| michael@0 | 358 | |
| michael@0 | 359 | /* Context Adopts the symKey.... */ |
| michael@0 | 360 | context = pk11_CreateNewContextInSlot(type, symKey->slot, operation, symKey, |
| michael@0 | 361 | param); |
| michael@0 | 362 | PK11_FreeSymKey(symKey); |
| michael@0 | 363 | return context; |
| michael@0 | 364 | } |
| michael@0 | 365 | |
| michael@0 | 366 | /* |
| michael@0 | 367 | * Digest contexts don't need keys, but the do need to find a slot. |
| michael@0 | 368 | * Macing should use PK11_CreateContextBySymKey. |
| michael@0 | 369 | */ |
| michael@0 | 370 | PK11Context * |
| michael@0 | 371 | PK11_CreateDigestContext(SECOidTag hashAlg) |
| michael@0 | 372 | { |
| michael@0 | 373 | /* digesting has to work without authentication to the slot */ |
| michael@0 | 374 | CK_MECHANISM_TYPE type; |
| michael@0 | 375 | PK11SlotInfo *slot; |
| michael@0 | 376 | PK11Context *context; |
| michael@0 | 377 | SECItem param; |
| michael@0 | 378 | |
| michael@0 | 379 | type = PK11_AlgtagToMechanism(hashAlg); |
| michael@0 | 380 | slot = PK11_GetBestSlot(type, NULL); |
| michael@0 | 381 | if (slot == NULL) { |
| michael@0 | 382 | PORT_SetError( SEC_ERROR_NO_MODULE ); |
| michael@0 | 383 | return NULL; |
| michael@0 | 384 | } |
| michael@0 | 385 | |
| michael@0 | 386 | /* maybe should really be PK11_GenerateNewParam?? */ |
| michael@0 | 387 | param.data = NULL; |
| michael@0 | 388 | param.len = 0; |
| michael@0 | 389 | param.type = 0; |
| michael@0 | 390 | |
| michael@0 | 391 | context = pk11_CreateNewContextInSlot(type, slot, CKA_DIGEST, NULL, ¶m); |
| michael@0 | 392 | PK11_FreeSlot(slot); |
| michael@0 | 393 | return context; |
| michael@0 | 394 | } |
| michael@0 | 395 | |
| michael@0 | 396 | /* |
| michael@0 | 397 | * create a new context which is the clone of the state of old context. |
| michael@0 | 398 | */ |
| michael@0 | 399 | PK11Context * PK11_CloneContext(PK11Context *old) |
| michael@0 | 400 | { |
| michael@0 | 401 | PK11Context *newcx; |
| michael@0 | 402 | PRBool needFree = PR_FALSE; |
| michael@0 | 403 | SECStatus rv = SECSuccess; |
| michael@0 | 404 | void *data; |
| michael@0 | 405 | unsigned long len; |
| michael@0 | 406 | |
| michael@0 | 407 | newcx = pk11_CreateNewContextInSlot(old->type, old->slot, old->operation, |
| michael@0 | 408 | old->key, old->param); |
| michael@0 | 409 | if (newcx == NULL) return NULL; |
| michael@0 | 410 | |
| michael@0 | 411 | /* now clone the save state. First we need to find the save state |
| michael@0 | 412 | * of the old session. If the old context owns it's session, |
| michael@0 | 413 | * the state needs to be saved, otherwise the state is in saveData. */ |
| michael@0 | 414 | if (old->ownSession) { |
| michael@0 | 415 | PK11_EnterContextMonitor(old); |
| michael@0 | 416 | data=pk11_saveContext(old,NULL,&len); |
| michael@0 | 417 | PK11_ExitContextMonitor(old); |
| michael@0 | 418 | needFree = PR_TRUE; |
| michael@0 | 419 | } else { |
| michael@0 | 420 | data = old->savedData; |
| michael@0 | 421 | len = old->savedLength; |
| michael@0 | 422 | } |
| michael@0 | 423 | |
| michael@0 | 424 | if (data == NULL) { |
| michael@0 | 425 | PK11_DestroyContext(newcx,PR_TRUE); |
| michael@0 | 426 | return NULL; |
| michael@0 | 427 | } |
| michael@0 | 428 | |
| michael@0 | 429 | /* now copy that state into our new context. Again we have different |
| michael@0 | 430 | * work if the new context owns it's own session. If it does, we |
| michael@0 | 431 | * restore the state gathered above. If it doesn't, we copy the |
| michael@0 | 432 | * saveData pointer... */ |
| michael@0 | 433 | if (newcx->ownSession) { |
| michael@0 | 434 | PK11_EnterContextMonitor(newcx); |
| michael@0 | 435 | rv = pk11_restoreContext(newcx,data,len); |
| michael@0 | 436 | PK11_ExitContextMonitor(newcx); |
| michael@0 | 437 | } else { |
| michael@0 | 438 | PORT_Assert(newcx->savedData != NULL); |
| michael@0 | 439 | if ((newcx->savedData == NULL) || (newcx->savedLength < len)) { |
| michael@0 | 440 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| michael@0 | 441 | rv = SECFailure; |
| michael@0 | 442 | } else { |
| michael@0 | 443 | PORT_Memcpy(newcx->savedData,data,len); |
| michael@0 | 444 | newcx->savedLength = len; |
| michael@0 | 445 | } |
| michael@0 | 446 | } |
| michael@0 | 447 | |
| michael@0 | 448 | if (needFree) PORT_Free(data); |
| michael@0 | 449 | |
| michael@0 | 450 | if (rv != SECSuccess) { |
| michael@0 | 451 | PK11_DestroyContext(newcx,PR_TRUE); |
| michael@0 | 452 | return NULL; |
| michael@0 | 453 | } |
| michael@0 | 454 | return newcx; |
| michael@0 | 455 | } |
| michael@0 | 456 | |
| michael@0 | 457 | /* |
| michael@0 | 458 | * save the current context state into a variable. Required to make FORTEZZA |
| michael@0 | 459 | * work. |
| michael@0 | 460 | */ |
| michael@0 | 461 | SECStatus |
| michael@0 | 462 | PK11_SaveContext(PK11Context *cx,unsigned char *save,int *len, int saveLength) |
| michael@0 | 463 | { |
| michael@0 | 464 | unsigned char * data = NULL; |
| michael@0 | 465 | CK_ULONG length = saveLength; |
| michael@0 | 466 | |
| michael@0 | 467 | if (cx->ownSession) { |
| michael@0 | 468 | PK11_EnterContextMonitor(cx); |
| michael@0 | 469 | data = pk11_saveContextHelper(cx, save, &length); |
| michael@0 | 470 | PK11_ExitContextMonitor(cx); |
| michael@0 | 471 | if (data) *len = length; |
| michael@0 | 472 | } else if ((unsigned) saveLength >= cx->savedLength) { |
| michael@0 | 473 | data = (unsigned char*)cx->savedData; |
| michael@0 | 474 | if (cx->savedData) { |
| michael@0 | 475 | PORT_Memcpy(save,cx->savedData,cx->savedLength); |
| michael@0 | 476 | } |
| michael@0 | 477 | *len = cx->savedLength; |
| michael@0 | 478 | } |
| michael@0 | 479 | if (data != NULL) { |
| michael@0 | 480 | if (cx->ownSession) { |
| michael@0 | 481 | PORT_ZFree(data, length); |
| michael@0 | 482 | } |
| michael@0 | 483 | return SECSuccess; |
| michael@0 | 484 | } else { |
| michael@0 | 485 | return SECFailure; |
| michael@0 | 486 | } |
| michael@0 | 487 | } |
| michael@0 | 488 | |
| michael@0 | 489 | /* same as above, but may allocate the return buffer. */ |
| michael@0 | 490 | unsigned char * |
| michael@0 | 491 | PK11_SaveContextAlloc(PK11Context *cx, |
| michael@0 | 492 | unsigned char *preAllocBuf, unsigned int pabLen, |
| michael@0 | 493 | unsigned int *stateLen) |
| michael@0 | 494 | { |
| michael@0 | 495 | unsigned char *stateBuf = NULL; |
| michael@0 | 496 | unsigned long length = (unsigned long)pabLen; |
| michael@0 | 497 | |
| michael@0 | 498 | if (cx->ownSession) { |
| michael@0 | 499 | PK11_EnterContextMonitor(cx); |
| michael@0 | 500 | stateBuf = pk11_saveContextHelper(cx, preAllocBuf, &length); |
| michael@0 | 501 | PK11_ExitContextMonitor(cx); |
| michael@0 | 502 | *stateLen = (stateBuf != NULL) ? length : 0; |
| michael@0 | 503 | } else { |
| michael@0 | 504 | if (pabLen < cx->savedLength) { |
| michael@0 | 505 | stateBuf = (unsigned char *)PORT_Alloc(cx->savedLength); |
| michael@0 | 506 | if (!stateBuf) { |
| michael@0 | 507 | return (unsigned char *)NULL; |
| michael@0 | 508 | } |
| michael@0 | 509 | } else { |
| michael@0 | 510 | stateBuf = preAllocBuf; |
| michael@0 | 511 | } |
| michael@0 | 512 | if (cx->savedData) { |
| michael@0 | 513 | PORT_Memcpy(stateBuf, cx->savedData, cx->savedLength); |
| michael@0 | 514 | } |
| michael@0 | 515 | *stateLen = cx->savedLength; |
| michael@0 | 516 | } |
| michael@0 | 517 | return stateBuf; |
| michael@0 | 518 | } |
| michael@0 | 519 | |
| michael@0 | 520 | /* |
| michael@0 | 521 | * restore the context state into a new running context. Also required for |
| michael@0 | 522 | * FORTEZZA . |
| michael@0 | 523 | */ |
| michael@0 | 524 | SECStatus |
| michael@0 | 525 | PK11_RestoreContext(PK11Context *cx,unsigned char *save,int len) |
| michael@0 | 526 | { |
| michael@0 | 527 | SECStatus rv = SECSuccess; |
| michael@0 | 528 | if (cx->ownSession) { |
| michael@0 | 529 | PK11_EnterContextMonitor(cx); |
| michael@0 | 530 | pk11_Finalize(cx); |
| michael@0 | 531 | rv = pk11_restoreContext(cx,save,len); |
| michael@0 | 532 | PK11_ExitContextMonitor(cx); |
| michael@0 | 533 | } else { |
| michael@0 | 534 | PORT_Assert(cx->savedData != NULL); |
| michael@0 | 535 | if ((cx->savedData == NULL) || (cx->savedLength < (unsigned) len)) { |
| michael@0 | 536 | PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| michael@0 | 537 | rv = SECFailure; |
| michael@0 | 538 | } else { |
| michael@0 | 539 | PORT_Memcpy(cx->savedData,save,len); |
| michael@0 | 540 | cx->savedLength = len; |
| michael@0 | 541 | } |
| michael@0 | 542 | } |
| michael@0 | 543 | return rv; |
| michael@0 | 544 | } |
| michael@0 | 545 | |
| michael@0 | 546 | /* |
| michael@0 | 547 | * This is to get FIPS compliance until we can convert |
| michael@0 | 548 | * libjar to use PK11_ hashing functions. It returns PR_FALSE |
| michael@0 | 549 | * if we can't get a PK11 Context. |
| michael@0 | 550 | */ |
| michael@0 | 551 | PRBool |
| michael@0 | 552 | PK11_HashOK(SECOidTag algID) { |
| michael@0 | 553 | PK11Context *cx; |
| michael@0 | 554 | |
| michael@0 | 555 | cx = PK11_CreateDigestContext(algID); |
| michael@0 | 556 | if (cx == NULL) return PR_FALSE; |
| michael@0 | 557 | PK11_DestroyContext(cx, PR_TRUE); |
| michael@0 | 558 | return PR_TRUE; |
| michael@0 | 559 | } |
| michael@0 | 560 | |
| michael@0 | 561 | |
| michael@0 | 562 | |
| michael@0 | 563 | /* |
| michael@0 | 564 | * start a new digesting or Mac'ing operation on this context |
| michael@0 | 565 | */ |
| michael@0 | 566 | SECStatus PK11_DigestBegin(PK11Context *cx) |
| michael@0 | 567 | { |
| michael@0 | 568 | CK_MECHANISM mech_info; |
| michael@0 | 569 | SECStatus rv; |
| michael@0 | 570 | |
| michael@0 | 571 | if (cx->init == PR_TRUE) { |
| michael@0 | 572 | return SECSuccess; |
| michael@0 | 573 | } |
| michael@0 | 574 | |
| michael@0 | 575 | /* |
| michael@0 | 576 | * make sure the old context is clear first |
| michael@0 | 577 | */ |
| michael@0 | 578 | PK11_EnterContextMonitor(cx); |
| michael@0 | 579 | pk11_Finalize(cx); |
| michael@0 | 580 | |
| michael@0 | 581 | mech_info.mechanism = cx->type; |
| michael@0 | 582 | mech_info.pParameter = cx->param->data; |
| michael@0 | 583 | mech_info.ulParameterLen = cx->param->len; |
| michael@0 | 584 | rv = pk11_context_init(cx,&mech_info); |
| michael@0 | 585 | PK11_ExitContextMonitor(cx); |
| michael@0 | 586 | |
| michael@0 | 587 | if (rv != SECSuccess) { |
| michael@0 | 588 | return SECFailure; |
| michael@0 | 589 | } |
| michael@0 | 590 | cx->init = PR_TRUE; |
| michael@0 | 591 | return SECSuccess; |
| michael@0 | 592 | } |
| michael@0 | 593 | |
| michael@0 | 594 | SECStatus |
| michael@0 | 595 | PK11_HashBuf(SECOidTag hashAlg, unsigned char *out, const unsigned char *in, |
| michael@0 | 596 | PRInt32 len) { |
| michael@0 | 597 | PK11Context *context; |
| michael@0 | 598 | unsigned int max_length; |
| michael@0 | 599 | unsigned int out_length; |
| michael@0 | 600 | SECStatus rv; |
| michael@0 | 601 | |
| michael@0 | 602 | /* len will be passed to PK11_DigestOp as unsigned. */ |
| michael@0 | 603 | if (len < 0) { |
| michael@0 | 604 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| michael@0 | 605 | return SECFailure; |
| michael@0 | 606 | } |
| michael@0 | 607 | |
| michael@0 | 608 | context = PK11_CreateDigestContext(hashAlg); |
| michael@0 | 609 | if (context == NULL) return SECFailure; |
| michael@0 | 610 | |
| michael@0 | 611 | rv = PK11_DigestBegin(context); |
| michael@0 | 612 | if (rv != SECSuccess) { |
| michael@0 | 613 | PK11_DestroyContext(context, PR_TRUE); |
| michael@0 | 614 | return rv; |
| michael@0 | 615 | } |
| michael@0 | 616 | |
| michael@0 | 617 | rv = PK11_DigestOp(context, in, len); |
| michael@0 | 618 | if (rv != SECSuccess) { |
| michael@0 | 619 | PK11_DestroyContext(context, PR_TRUE); |
| michael@0 | 620 | return rv; |
| michael@0 | 621 | } |
| michael@0 | 622 | |
| michael@0 | 623 | /* XXX This really should have been an argument to this function! */ |
| michael@0 | 624 | max_length = HASH_ResultLenByOidTag(hashAlg); |
| michael@0 | 625 | PORT_Assert(max_length); |
| michael@0 | 626 | if (!max_length) |
| michael@0 | 627 | max_length = HASH_LENGTH_MAX; |
| michael@0 | 628 | |
| michael@0 | 629 | rv = PK11_DigestFinal(context,out,&out_length,max_length); |
| michael@0 | 630 | PK11_DestroyContext(context, PR_TRUE); |
| michael@0 | 631 | return rv; |
| michael@0 | 632 | } |
| michael@0 | 633 | |
| michael@0 | 634 | |
| michael@0 | 635 | /* |
| michael@0 | 636 | * execute a bulk encryption operation |
| michael@0 | 637 | */ |
| michael@0 | 638 | SECStatus |
| michael@0 | 639 | PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen, |
| michael@0 | 640 | int maxout, const unsigned char *in, int inlen) |
| michael@0 | 641 | { |
| michael@0 | 642 | CK_RV crv = CKR_OK; |
| michael@0 | 643 | CK_ULONG length = maxout; |
| michael@0 | 644 | CK_ULONG offset =0; |
| michael@0 | 645 | SECStatus rv = SECSuccess; |
| michael@0 | 646 | unsigned char *saveOut = out; |
| michael@0 | 647 | unsigned char *allocOut = NULL; |
| michael@0 | 648 | |
| michael@0 | 649 | /* if we ran out of session, we need to restore our previously stored |
| michael@0 | 650 | * state. |
| michael@0 | 651 | */ |
| michael@0 | 652 | PK11_EnterContextMonitor(context); |
| michael@0 | 653 | if (!context->ownSession) { |
| michael@0 | 654 | rv = pk11_restoreContext(context,context->savedData, |
| michael@0 | 655 | context->savedLength); |
| michael@0 | 656 | if (rv != SECSuccess) { |
| michael@0 | 657 | PK11_ExitContextMonitor(context); |
| michael@0 | 658 | return rv; |
| michael@0 | 659 | } |
| michael@0 | 660 | } |
| michael@0 | 661 | |
| michael@0 | 662 | /* |
| michael@0 | 663 | * The fortezza hack is to send 8 extra bytes on the first encrypted and |
| michael@0 | 664 | * lose them on the first decrypt. |
| michael@0 | 665 | */ |
| michael@0 | 666 | if (context->fortezzaHack) { |
| michael@0 | 667 | unsigned char random[8]; |
| michael@0 | 668 | if (context->operation == CKA_ENCRYPT) { |
| michael@0 | 669 | PK11_ExitContextMonitor(context); |
| michael@0 | 670 | rv = PK11_GenerateRandom(random,sizeof(random)); |
| michael@0 | 671 | PK11_EnterContextMonitor(context); |
| michael@0 | 672 | |
| michael@0 | 673 | /* since we are offseting the output, we can't encrypt back into |
| michael@0 | 674 | * the same buffer... allocate a temporary buffer just for this |
| michael@0 | 675 | * call. */ |
| michael@0 | 676 | allocOut = out = (unsigned char*)PORT_Alloc(maxout); |
| michael@0 | 677 | if (out == NULL) { |
| michael@0 | 678 | PK11_ExitContextMonitor(context); |
| michael@0 | 679 | return SECFailure; |
| michael@0 | 680 | } |
| michael@0 | 681 | crv = PK11_GETTAB(context->slot)->C_EncryptUpdate(context->session, |
| michael@0 | 682 | random,sizeof(random),out,&length); |
| michael@0 | 683 | |
| michael@0 | 684 | out += length; |
| michael@0 | 685 | maxout -= length; |
| michael@0 | 686 | offset = length; |
| michael@0 | 687 | } else if (context->operation == CKA_DECRYPT) { |
| michael@0 | 688 | length = sizeof(random); |
| michael@0 | 689 | crv = PK11_GETTAB(context->slot)->C_DecryptUpdate(context->session, |
| michael@0 | 690 | (CK_BYTE_PTR)in,sizeof(random),random,&length); |
| michael@0 | 691 | inlen -= length; |
| michael@0 | 692 | in += length; |
| michael@0 | 693 | context->fortezzaHack = PR_FALSE; |
| michael@0 | 694 | } |
| michael@0 | 695 | } |
| michael@0 | 696 | |
| michael@0 | 697 | switch (context->operation) { |
| michael@0 | 698 | case CKA_ENCRYPT: |
| michael@0 | 699 | length = maxout; |
| michael@0 | 700 | crv=PK11_GETTAB(context->slot)->C_EncryptUpdate(context->session, |
| michael@0 | 701 | (CK_BYTE_PTR)in, inlen, |
| michael@0 | 702 | out, &length); |
| michael@0 | 703 | length += offset; |
| michael@0 | 704 | break; |
| michael@0 | 705 | case CKA_DECRYPT: |
| michael@0 | 706 | length = maxout; |
| michael@0 | 707 | crv=PK11_GETTAB(context->slot)->C_DecryptUpdate(context->session, |
| michael@0 | 708 | (CK_BYTE_PTR)in, inlen, |
| michael@0 | 709 | out, &length); |
| michael@0 | 710 | break; |
| michael@0 | 711 | default: |
| michael@0 | 712 | crv = CKR_OPERATION_NOT_INITIALIZED; |
| michael@0 | 713 | break; |
| michael@0 | 714 | } |
| michael@0 | 715 | |
| michael@0 | 716 | if (crv != CKR_OK) { |
| michael@0 | 717 | PORT_SetError( PK11_MapError(crv) ); |
| michael@0 | 718 | *outlen = 0; |
| michael@0 | 719 | rv = SECFailure; |
| michael@0 | 720 | } else { |
| michael@0 | 721 | *outlen = length; |
| michael@0 | 722 | } |
| michael@0 | 723 | |
| michael@0 | 724 | if (context->fortezzaHack) { |
| michael@0 | 725 | if (context->operation == CKA_ENCRYPT) { |
| michael@0 | 726 | PORT_Assert(allocOut); |
| michael@0 | 727 | PORT_Memcpy(saveOut, allocOut, length); |
| michael@0 | 728 | PORT_Free(allocOut); |
| michael@0 | 729 | } |
| michael@0 | 730 | context->fortezzaHack = PR_FALSE; |
| michael@0 | 731 | } |
| michael@0 | 732 | |
| michael@0 | 733 | /* |
| michael@0 | 734 | * handle session starvation case.. use our last session to multiplex |
| michael@0 | 735 | */ |
| michael@0 | 736 | if (!context->ownSession) { |
| michael@0 | 737 | context->savedData = pk11_saveContext(context,context->savedData, |
| michael@0 | 738 | &context->savedLength); |
| michael@0 | 739 | if (context->savedData == NULL) rv = SECFailure; |
| michael@0 | 740 | |
| michael@0 | 741 | /* clear out out session for others to use */ |
| michael@0 | 742 | pk11_Finalize(context); |
| michael@0 | 743 | } |
| michael@0 | 744 | PK11_ExitContextMonitor(context); |
| michael@0 | 745 | return rv; |
| michael@0 | 746 | } |
| michael@0 | 747 | |
| michael@0 | 748 | /* |
| michael@0 | 749 | * execute a digest/signature operation |
| michael@0 | 750 | */ |
| michael@0 | 751 | SECStatus |
| michael@0 | 752 | PK11_DigestOp(PK11Context *context, const unsigned char * in, unsigned inLen) |
| michael@0 | 753 | { |
| michael@0 | 754 | CK_RV crv = CKR_OK; |
| michael@0 | 755 | SECStatus rv = SECSuccess; |
| michael@0 | 756 | |
| michael@0 | 757 | if (inLen == 0) { |
| michael@0 | 758 | return SECSuccess; |
| michael@0 | 759 | } |
| michael@0 | 760 | if (!in) { |
| michael@0 | 761 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| michael@0 | 762 | return SECFailure; |
| michael@0 | 763 | } |
| michael@0 | 764 | |
| michael@0 | 765 | /* if we ran out of session, we need to restore our previously stored |
| michael@0 | 766 | * state. |
| michael@0 | 767 | */ |
| michael@0 | 768 | context->init = PR_FALSE; |
| michael@0 | 769 | PK11_EnterContextMonitor(context); |
| michael@0 | 770 | if (!context->ownSession) { |
| michael@0 | 771 | rv = pk11_restoreContext(context,context->savedData, |
| michael@0 | 772 | context->savedLength); |
| michael@0 | 773 | if (rv != SECSuccess) { |
| michael@0 | 774 | PK11_ExitContextMonitor(context); |
| michael@0 | 775 | return rv; |
| michael@0 | 776 | } |
| michael@0 | 777 | } |
| michael@0 | 778 | |
| michael@0 | 779 | switch (context->operation) { |
| michael@0 | 780 | /* also for MAC'ing */ |
| michael@0 | 781 | case CKA_SIGN: |
| michael@0 | 782 | crv=PK11_GETTAB(context->slot)->C_SignUpdate(context->session, |
| michael@0 | 783 | (unsigned char *)in, |
| michael@0 | 784 | inLen); |
| michael@0 | 785 | break; |
| michael@0 | 786 | case CKA_VERIFY: |
| michael@0 | 787 | crv=PK11_GETTAB(context->slot)->C_VerifyUpdate(context->session, |
| michael@0 | 788 | (unsigned char *)in, |
| michael@0 | 789 | inLen); |
| michael@0 | 790 | break; |
| michael@0 | 791 | case CKA_DIGEST: |
| michael@0 | 792 | crv=PK11_GETTAB(context->slot)->C_DigestUpdate(context->session, |
| michael@0 | 793 | (unsigned char *)in, |
| michael@0 | 794 | inLen); |
| michael@0 | 795 | break; |
| michael@0 | 796 | default: |
| michael@0 | 797 | crv = CKR_OPERATION_NOT_INITIALIZED; |
| michael@0 | 798 | break; |
| michael@0 | 799 | } |
| michael@0 | 800 | |
| michael@0 | 801 | if (crv != CKR_OK) { |
| michael@0 | 802 | PORT_SetError( PK11_MapError(crv) ); |
| michael@0 | 803 | rv = SECFailure; |
| michael@0 | 804 | } |
| michael@0 | 805 | |
| michael@0 | 806 | /* |
| michael@0 | 807 | * handle session starvation case.. use our last session to multiplex |
| michael@0 | 808 | */ |
| michael@0 | 809 | if (!context->ownSession) { |
| michael@0 | 810 | context->savedData = pk11_saveContext(context,context->savedData, |
| michael@0 | 811 | &context->savedLength); |
| michael@0 | 812 | if (context->savedData == NULL) rv = SECFailure; |
| michael@0 | 813 | |
| michael@0 | 814 | /* clear out out session for others to use */ |
| michael@0 | 815 | pk11_Finalize(context); |
| michael@0 | 816 | } |
| michael@0 | 817 | PK11_ExitContextMonitor(context); |
| michael@0 | 818 | return rv; |
| michael@0 | 819 | } |
| michael@0 | 820 | |
| michael@0 | 821 | /* |
| michael@0 | 822 | * Digest a key if possible./ |
| michael@0 | 823 | */ |
| michael@0 | 824 | SECStatus |
| michael@0 | 825 | PK11_DigestKey(PK11Context *context, PK11SymKey *key) |
| michael@0 | 826 | { |
| michael@0 | 827 | CK_RV crv = CKR_OK; |
| michael@0 | 828 | SECStatus rv = SECSuccess; |
| michael@0 | 829 | PK11SymKey *newKey = NULL; |
| michael@0 | 830 | |
| michael@0 | 831 | if (!context || !key) { |
| michael@0 | 832 | PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| michael@0 | 833 | return SECFailure; |
| michael@0 | 834 | } |
| michael@0 | 835 | |
| michael@0 | 836 | /* if we ran out of session, we need to restore our previously stored |
| michael@0 | 837 | * state. |
| michael@0 | 838 | */ |
| michael@0 | 839 | if (context->slot != key->slot) { |
| michael@0 | 840 | newKey = pk11_CopyToSlot(context->slot,CKM_SSL3_SHA1_MAC,CKA_SIGN,key); |
| michael@0 | 841 | } else { |
| michael@0 | 842 | newKey = PK11_ReferenceSymKey(key); |
| michael@0 | 843 | } |
| michael@0 | 844 | |
| michael@0 | 845 | context->init = PR_FALSE; |
| michael@0 | 846 | PK11_EnterContextMonitor(context); |
| michael@0 | 847 | if (!context->ownSession) { |
| michael@0 | 848 | rv = pk11_restoreContext(context,context->savedData, |
| michael@0 | 849 | context->savedLength); |
| michael@0 | 850 | if (rv != SECSuccess) { |
| michael@0 | 851 | PK11_ExitContextMonitor(context); |
| michael@0 | 852 | PK11_FreeSymKey(newKey); |
| michael@0 | 853 | return rv; |
| michael@0 | 854 | } |
| michael@0 | 855 | } |
| michael@0 | 856 | |
| michael@0 | 857 | |
| michael@0 | 858 | if (newKey == NULL) { |
| michael@0 | 859 | crv = CKR_KEY_TYPE_INCONSISTENT; |
| michael@0 | 860 | if (key->data.data) { |
| michael@0 | 861 | crv=PK11_GETTAB(context->slot)->C_DigestUpdate(context->session, |
| michael@0 | 862 | key->data.data,key->data.len); |
| michael@0 | 863 | } |
| michael@0 | 864 | } else { |
| michael@0 | 865 | crv=PK11_GETTAB(context->slot)->C_DigestKey(context->session, |
| michael@0 | 866 | newKey->objectID); |
| michael@0 | 867 | } |
| michael@0 | 868 | |
| michael@0 | 869 | if (crv != CKR_OK) { |
| michael@0 | 870 | PORT_SetError( PK11_MapError(crv) ); |
| michael@0 | 871 | rv = SECFailure; |
| michael@0 | 872 | } |
| michael@0 | 873 | |
| michael@0 | 874 | /* |
| michael@0 | 875 | * handle session starvation case.. use our last session to multiplex |
| michael@0 | 876 | */ |
| michael@0 | 877 | if (!context->ownSession) { |
| michael@0 | 878 | context->savedData = pk11_saveContext(context,context->savedData, |
| michael@0 | 879 | &context->savedLength); |
| michael@0 | 880 | if (context->savedData == NULL) rv = SECFailure; |
| michael@0 | 881 | |
| michael@0 | 882 | /* clear out out session for others to use */ |
| michael@0 | 883 | pk11_Finalize(context); |
| michael@0 | 884 | } |
| michael@0 | 885 | PK11_ExitContextMonitor(context); |
| michael@0 | 886 | if (newKey) PK11_FreeSymKey(newKey); |
| michael@0 | 887 | return rv; |
| michael@0 | 888 | } |
| michael@0 | 889 | |
| michael@0 | 890 | /* |
| michael@0 | 891 | * externally callable version of the lowercase pk11_finalize(). |
| michael@0 | 892 | */ |
| michael@0 | 893 | SECStatus |
| michael@0 | 894 | PK11_Finalize(PK11Context *context) { |
| michael@0 | 895 | SECStatus rv; |
| michael@0 | 896 | |
| michael@0 | 897 | PK11_EnterContextMonitor(context); |
| michael@0 | 898 | rv = pk11_Finalize(context); |
| michael@0 | 899 | PK11_ExitContextMonitor(context); |
| michael@0 | 900 | return rv; |
| michael@0 | 901 | } |
| michael@0 | 902 | |
| michael@0 | 903 | /* |
| michael@0 | 904 | * clean up a cipher operation, so the session can be used by |
| michael@0 | 905 | * someone new. |
| michael@0 | 906 | */ |
| michael@0 | 907 | SECStatus |
| michael@0 | 908 | pk11_Finalize(PK11Context *context) |
| michael@0 | 909 | { |
| michael@0 | 910 | CK_ULONG count = 0; |
| michael@0 | 911 | CK_RV crv; |
| michael@0 | 912 | unsigned char stackBuf[256]; |
| michael@0 | 913 | unsigned char *buffer = NULL; |
| michael@0 | 914 | |
| michael@0 | 915 | if (!context->ownSession) { |
| michael@0 | 916 | return SECSuccess; |
| michael@0 | 917 | } |
| michael@0 | 918 | |
| michael@0 | 919 | finalize: |
| michael@0 | 920 | switch (context->operation) { |
| michael@0 | 921 | case CKA_ENCRYPT: |
| michael@0 | 922 | crv=PK11_GETTAB(context->slot)->C_EncryptFinal(context->session, |
| michael@0 | 923 | buffer, &count); |
| michael@0 | 924 | break; |
| michael@0 | 925 | case CKA_DECRYPT: |
| michael@0 | 926 | crv = PK11_GETTAB(context->slot)->C_DecryptFinal(context->session, |
| michael@0 | 927 | buffer, &count); |
| michael@0 | 928 | break; |
| michael@0 | 929 | case CKA_SIGN: |
| michael@0 | 930 | crv=PK11_GETTAB(context->slot)->C_SignFinal(context->session, |
| michael@0 | 931 | buffer, &count); |
| michael@0 | 932 | break; |
| michael@0 | 933 | case CKA_VERIFY: |
| michael@0 | 934 | crv=PK11_GETTAB(context->slot)->C_VerifyFinal(context->session, |
| michael@0 | 935 | buffer, count); |
| michael@0 | 936 | break; |
| michael@0 | 937 | case CKA_DIGEST: |
| michael@0 | 938 | crv=PK11_GETTAB(context->slot)->C_DigestFinal(context->session, |
| michael@0 | 939 | buffer, &count); |
| michael@0 | 940 | break; |
| michael@0 | 941 | default: |
| michael@0 | 942 | crv = CKR_OPERATION_NOT_INITIALIZED; |
| michael@0 | 943 | break; |
| michael@0 | 944 | } |
| michael@0 | 945 | |
| michael@0 | 946 | if (crv != CKR_OK) { |
| michael@0 | 947 | if (buffer != stackBuf) { |
| michael@0 | 948 | PORT_Free(buffer); |
| michael@0 | 949 | } |
| michael@0 | 950 | if (crv == CKR_OPERATION_NOT_INITIALIZED) { |
| michael@0 | 951 | /* if there's no operation, it is finalized */ |
| michael@0 | 952 | return SECSuccess; |
| michael@0 | 953 | } |
| michael@0 | 954 | PORT_SetError( PK11_MapError(crv) ); |
| michael@0 | 955 | return SECFailure; |
| michael@0 | 956 | } |
| michael@0 | 957 | |
| michael@0 | 958 | /* try to finalize the session with a buffer */ |
| michael@0 | 959 | if (buffer == NULL) { |
| michael@0 | 960 | if (count <= sizeof stackBuf) { |
| michael@0 | 961 | buffer = stackBuf; |
| michael@0 | 962 | } else { |
| michael@0 | 963 | buffer = PORT_Alloc(count); |
| michael@0 | 964 | if (buffer == NULL) { |
| michael@0 | 965 | PORT_SetError(SEC_ERROR_NO_MEMORY); |
| michael@0 | 966 | return SECFailure; |
| michael@0 | 967 | } |
| michael@0 | 968 | } |
| michael@0 | 969 | goto finalize; |
| michael@0 | 970 | } |
| michael@0 | 971 | if (buffer != stackBuf) { |
| michael@0 | 972 | PORT_Free(buffer); |
| michael@0 | 973 | } |
| michael@0 | 974 | return SECSuccess; |
| michael@0 | 975 | } |
| michael@0 | 976 | |
| michael@0 | 977 | /* |
| michael@0 | 978 | * Return the final digested or signed data... |
| michael@0 | 979 | * this routine can either take pre initialized data, or allocate data |
| michael@0 | 980 | * either out of an arena or out of the standard heap. |
| michael@0 | 981 | */ |
| michael@0 | 982 | SECStatus |
| michael@0 | 983 | PK11_DigestFinal(PK11Context *context,unsigned char *data, |
| michael@0 | 984 | unsigned int *outLen, unsigned int length) |
| michael@0 | 985 | { |
| michael@0 | 986 | CK_ULONG len; |
| michael@0 | 987 | CK_RV crv; |
| michael@0 | 988 | SECStatus rv; |
| michael@0 | 989 | |
| michael@0 | 990 | |
| michael@0 | 991 | /* if we ran out of session, we need to restore our previously stored |
| michael@0 | 992 | * state. |
| michael@0 | 993 | */ |
| michael@0 | 994 | PK11_EnterContextMonitor(context); |
| michael@0 | 995 | if (!context->ownSession) { |
| michael@0 | 996 | rv = pk11_restoreContext(context,context->savedData, |
| michael@0 | 997 | context->savedLength); |
| michael@0 | 998 | if (rv != SECSuccess) { |
| michael@0 | 999 | PK11_ExitContextMonitor(context); |
| michael@0 | 1000 | return rv; |
| michael@0 | 1001 | } |
| michael@0 | 1002 | } |
| michael@0 | 1003 | |
| michael@0 | 1004 | len = length; |
| michael@0 | 1005 | switch (context->operation) { |
| michael@0 | 1006 | case CKA_SIGN: |
| michael@0 | 1007 | crv=PK11_GETTAB(context->slot)->C_SignFinal(context->session, |
| michael@0 | 1008 | data,&len); |
| michael@0 | 1009 | break; |
| michael@0 | 1010 | case CKA_VERIFY: |
| michael@0 | 1011 | crv=PK11_GETTAB(context->slot)->C_VerifyFinal(context->session, |
| michael@0 | 1012 | data,len); |
| michael@0 | 1013 | break; |
| michael@0 | 1014 | case CKA_DIGEST: |
| michael@0 | 1015 | crv=PK11_GETTAB(context->slot)->C_DigestFinal(context->session, |
| michael@0 | 1016 | data,&len); |
| michael@0 | 1017 | break; |
| michael@0 | 1018 | case CKA_ENCRYPT: |
| michael@0 | 1019 | crv=PK11_GETTAB(context->slot)->C_EncryptFinal(context->session, |
| michael@0 | 1020 | data, &len); |
| michael@0 | 1021 | break; |
| michael@0 | 1022 | case CKA_DECRYPT: |
| michael@0 | 1023 | crv = PK11_GETTAB(context->slot)->C_DecryptFinal(context->session, |
| michael@0 | 1024 | data, &len); |
| michael@0 | 1025 | break; |
| michael@0 | 1026 | default: |
| michael@0 | 1027 | crv = CKR_OPERATION_NOT_INITIALIZED; |
| michael@0 | 1028 | break; |
| michael@0 | 1029 | } |
| michael@0 | 1030 | PK11_ExitContextMonitor(context); |
| michael@0 | 1031 | |
| michael@0 | 1032 | *outLen = (unsigned int) len; |
| michael@0 | 1033 | context->init = PR_FALSE; /* allow Begin to start up again */ |
| michael@0 | 1034 | |
| michael@0 | 1035 | |
| michael@0 | 1036 | if (crv != CKR_OK) { |
| michael@0 | 1037 | PORT_SetError( PK11_MapError(crv) ); |
| michael@0 | 1038 | return SECFailure; |
| michael@0 | 1039 | } |
| michael@0 | 1040 | return SECSuccess; |
| michael@0 | 1041 | } |
| michael@0 | 1042 |
