/* * Return the final digested or signed data... * this routine can either take pre initialized data, or allocate data * either out of an arena or out of the standard heap. */ SECStatus PK11_DigestFinal(PK11Context *context,unsigned char *data, unsigned int *outLen, unsigned int length) { CK_ULONG len; CK_RV crv; SECStatus rv; /* if we ran out of session, we need to restore our previously stored * state. */ PK11_EnterContextMonitor(context); if (!context->ownSession) { rv = pk11_restoreContext(context,context->savedData, context->savedLength); if (rv != SECSuccess) { PK11_ExitContextMonitor(context); return rv; } } len = length; switch (context->operation) { case CKA_SIGN: crv=PK11_GETTAB(context->slot)->C_SignFinal(context->session, data,&len); break; case CKA_VERIFY: crv=PK11_GETTAB(context->slot)->C_VerifyFinal(context->session, data,len); break; case CKA_DIGEST: crv=PK11_GETTAB(context->slot)->C_DigestFinal(context->session, data,&len); break; case CKA_ENCRYPT: crv=PK11_GETTAB(context->slot)->C_EncryptFinal(context->session, data, &len); break; case CKA_DECRYPT: crv = PK11_GETTAB(context->slot)->C_DecryptFinal(context->session, data, &len); break; default: crv = CKR_OPERATION_NOT_INITIALIZED; break; } PK11_ExitContextMonitor(context); *outLen = (unsigned int) len; context->init = PR_FALSE; /* allow Begin to start up again */ if (crv != CKR_OK) { PORT_SetError( PK11_MapError(crv) ); return SECFailure; } return SECSuccess; }
/* * create a new context which is the clone of the state of old context. */ PK11Context * PK11_CloneContext(PK11Context *old) { PK11Context *newcx; PRBool needFree = PR_FALSE; SECStatus rv = SECSuccess; void *data; unsigned long len; newcx = pk11_CreateNewContextInSlot(old->type, old->slot, old->operation, old->key, old->param); if (newcx == NULL) return NULL; /* now clone the save state. First we need to find the save state * of the old session. If the old context owns it's session, * the state needs to be saved, otherwise the state is in saveData. */ if (old->ownSession) { PK11_EnterContextMonitor(old); data = pk11_saveContext(old, NULL, &len); PK11_ExitContextMonitor(old); needFree = PR_TRUE; } else { data = old->savedData; len = old->savedLength; } if (data == NULL) { PK11_DestroyContext(newcx, PR_TRUE); return NULL; } /* now copy that state into our new context. Again we have different * work if the new context owns it's own session. If it does, we * restore the state gathered above. If it doesn't, we copy the * saveData pointer... */ if (newcx->ownSession) { PK11_EnterContextMonitor(newcx); rv = pk11_restoreContext(newcx, data, len); PK11_ExitContextMonitor(newcx); } else { PORT_Assert(newcx->savedData != NULL); if ((newcx->savedData == NULL) || (newcx->savedLength < len)) { PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); rv = SECFailure; } else { PORT_Memcpy(newcx->savedData, data, len); newcx->savedLength = len; } } if (needFree) PORT_Free(data); if (rv != SECSuccess) { PK11_DestroyContext(newcx, PR_TRUE); return NULL; } return newcx; }
/* * restore the context state into a new running context. Also required for * FORTEZZA . */ SECStatus PK11_RestoreContext(PK11Context *cx,unsigned char *save,int len) { SECStatus rv = SECSuccess; if (cx->ownSession) { PK11_EnterContextMonitor(cx); pk11_Finalize(cx); rv = pk11_restoreContext(cx,save,len); PK11_ExitContextMonitor(cx); } else { PORT_Assert(cx->savedData != NULL); if ((cx->savedData == NULL) || (cx->savedLength < (unsigned) len)) { PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); rv = SECFailure; } else { PORT_Memcpy(cx->savedData,save,len); cx->savedLength = len; } } return rv; }
/* * Digest a key if possible./ */ SECStatus PK11_DigestKey(PK11Context *context, PK11SymKey *key) { CK_RV crv = CKR_OK; SECStatus rv = SECSuccess; PK11SymKey *newKey = NULL; if (!context || !key) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } /* if we ran out of session, we need to restore our previously stored * state. */ if (context->slot != key->slot) { newKey = pk11_CopyToSlot(context->slot,CKM_SSL3_SHA1_MAC,CKA_SIGN,key); } else { newKey = PK11_ReferenceSymKey(key); } context->init = PR_FALSE; PK11_EnterContextMonitor(context); if (!context->ownSession) { rv = pk11_restoreContext(context,context->savedData, context->savedLength); if (rv != SECSuccess) { PK11_ExitContextMonitor(context); PK11_FreeSymKey(newKey); return rv; } } if (newKey == NULL) { crv = CKR_KEY_TYPE_INCONSISTENT; if (key->data.data) { crv=PK11_GETTAB(context->slot)->C_DigestUpdate(context->session, key->data.data,key->data.len); } } else { crv=PK11_GETTAB(context->slot)->C_DigestKey(context->session, newKey->objectID); } if (crv != CKR_OK) { PORT_SetError( PK11_MapError(crv) ); rv = SECFailure; } /* * handle session starvation case.. use our last session to multiplex */ if (!context->ownSession) { context->savedData = pk11_saveContext(context,context->savedData, &context->savedLength); if (context->savedData == NULL) rv = SECFailure; /* clear out out session for others to use */ pk11_Finalize(context); } PK11_ExitContextMonitor(context); if (newKey) PK11_FreeSymKey(newKey); return rv; }
/* * execute a digest/signature operation */ SECStatus PK11_DigestOp(PK11Context *context, const unsigned char * in, unsigned inLen) { CK_RV crv = CKR_OK; SECStatus rv = SECSuccess; if (!in) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } /* if we ran out of session, we need to restore our previously stored * state. */ context->init = PR_FALSE; PK11_EnterContextMonitor(context); if (!context->ownSession) { rv = pk11_restoreContext(context,context->savedData, context->savedLength); if (rv != SECSuccess) { PK11_ExitContextMonitor(context); return rv; } } switch (context->operation) { /* also for MAC'ing */ case CKA_SIGN: crv=PK11_GETTAB(context->slot)->C_SignUpdate(context->session, (unsigned char *)in, inLen); break; case CKA_VERIFY: crv=PK11_GETTAB(context->slot)->C_VerifyUpdate(context->session, (unsigned char *)in, inLen); break; case CKA_DIGEST: crv=PK11_GETTAB(context->slot)->C_DigestUpdate(context->session, (unsigned char *)in, inLen); break; default: crv = CKR_OPERATION_NOT_INITIALIZED; break; } if (crv != CKR_OK) { PORT_SetError( PK11_MapError(crv) ); rv = SECFailure; } /* * handle session starvation case.. use our last session to multiplex */ if (!context->ownSession) { context->savedData = pk11_saveContext(context,context->savedData, &context->savedLength); if (context->savedData == NULL) rv = SECFailure; /* clear out out session for others to use */ pk11_Finalize(context); } PK11_ExitContextMonitor(context); return rv; }
/* * execute a bulk encryption operation */ SECStatus PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen, int maxout, unsigned char *in, int inlen) { CK_RV crv = CKR_OK; CK_ULONG length = maxout; CK_ULONG offset =0; SECStatus rv = SECSuccess; unsigned char *saveOut = out; unsigned char *allocOut = NULL; /* if we ran out of session, we need to restore our previously stored * state. */ PK11_EnterContextMonitor(context); if (!context->ownSession) { rv = pk11_restoreContext(context,context->savedData, context->savedLength); if (rv != SECSuccess) { PK11_ExitContextMonitor(context); return rv; } } /* * The fortezza hack is to send 8 extra bytes on the first encrypted and * loose them on the first decrypt. */ if (context->fortezzaHack) { unsigned char random[8]; if (context->operation == CKA_ENCRYPT) { PK11_ExitContextMonitor(context); rv = PK11_GenerateRandom(random,sizeof(random)); PK11_EnterContextMonitor(context); /* since we are offseting the output, we can't encrypt back into * the same buffer... allocate a temporary buffer just for this * call. */ allocOut = out = (unsigned char*)PORT_Alloc(maxout); if (out == NULL) { PK11_ExitContextMonitor(context); return SECFailure; } crv = PK11_GETTAB(context->slot)->C_EncryptUpdate(context->session, random,sizeof(random),out,&length); out += length; maxout -= length; offset = length; } else if (context->operation == CKA_DECRYPT) { length = sizeof(random); crv = PK11_GETTAB(context->slot)->C_DecryptUpdate(context->session, in,sizeof(random),random,&length); inlen -= length; in += length; context->fortezzaHack = PR_FALSE; } } switch (context->operation) { case CKA_ENCRYPT: length = maxout; crv=PK11_GETTAB(context->slot)->C_EncryptUpdate(context->session, in, inlen, out, &length); length += offset; break; case CKA_DECRYPT: length = maxout; crv=PK11_GETTAB(context->slot)->C_DecryptUpdate(context->session, in, inlen, out, &length); break; default: crv = CKR_OPERATION_NOT_INITIALIZED; break; } if (crv != CKR_OK) { PORT_SetError( PK11_MapError(crv) ); *outlen = 0; rv = SECFailure; } else { *outlen = length; } if (context->fortezzaHack) { if (context->operation == CKA_ENCRYPT) { PORT_Assert(allocOut); PORT_Memcpy(saveOut, allocOut, length); PORT_Free(allocOut); } context->fortezzaHack = PR_FALSE; } /* * handle session starvation case.. use our last session to multiplex */ if (!context->ownSession) { context->savedData = pk11_saveContext(context,context->savedData, &context->savedLength); if (context->savedData == NULL) rv = SECFailure; /* clear out out session for others to use */ pk11_Finalize(context); } PK11_ExitContextMonitor(context); return rv; }