Issue #1338 - Part 2: Update NSS to 3.48-RTM

1 files changed, 286 insertions, 3 deletions

diff --git a/security/nss/lib/softoken/sftkhmac.c b/security/nss/lib/softoken/sftkhmac.c
index be6344c70..617e6fd4e 100644
--- a/security/nss/lib/softoken/sftkhmac.c
+++ b/security/nss/lib/softoken/sftkhmac.c
@@ -9,12 +9,14 @@
 #include "softoken.h"
 #include "hmacct.h"
 
-/* MACMechanismToHash converts a PKCS#11 MAC mechanism into a freebl hash
+/* HMACMechanismToHash converts a PKCS#11 MAC mechanism into a freebl hash
  * type. */
 static HASH_HashType
-MACMechanismToHash(CK_MECHANISM_TYPE mech)
+HMACMechanismToHash(CK_MECHANISM_TYPE mech)
 {
     switch (mech) {
+        case CKM_MD2_HMAC:
+            return HASH_AlgMD2;
         case CKM_MD5_HMAC:
         case CKM_SSL3_MD5_MAC:
             return HASH_AlgMD5;
@@ -48,7 +50,7 @@ SetupMAC(CK_MECHANISM_PTR mech, SFTKObject *key)
         return NULL;
     }
 
-    alg = MACMechanismToHash(params->macAlg);
+    alg = HMACMechanismToHash(params->macAlg);
     if (alg == HASH_AlgNULL) {
         return NULL;
     }
@@ -188,3 +190,284 @@ sftk_MACConstantTime_DestroyContext(void *pctx, PRBool free)
 {
     PORT_Free(pctx);
 }
+
+CK_RV
+sftk_MAC_Create(CK_MECHANISM_TYPE mech, SFTKObject *key, sftk_MACCtx **ret_ctx)
+{
+    CK_RV ret;
+
+    if (ret_ctx == NULL || key == NULL) {
+        return CKR_HOST_MEMORY;
+    }
+
+    *ret_ctx = PORT_New(sftk_MACCtx);
+    if (*ret_ctx == NULL) {
+        return CKR_HOST_MEMORY;
+    }
+
+    ret = sftk_MAC_Init(*ret_ctx, mech, key);
+    if (ret != CKR_OK) {
+        sftk_MAC_Destroy(*ret_ctx, PR_TRUE);
+    }
+
+    return ret;
+}
+
+CK_RV
+sftk_MAC_Init(sftk_MACCtx *ctx, CK_MECHANISM_TYPE mech, SFTKObject *key)
+{
+    SFTKAttribute *keyval = NULL;
+    PRBool isFIPS = (key->slot->slotID == FIPS_SLOT_ID);
+    CK_RV ret = CKR_OK;
+
+    /* Find the actual value of the key. */
+    keyval = sftk_FindAttribute(key, CKA_VALUE);
+    if (keyval == NULL) {
+        ret = CKR_KEY_SIZE_RANGE;
+        goto done;
+    }
+
+    ret = sftk_MAC_InitRaw(ctx, mech,
+                           (const unsigned char *)keyval->attrib.pValue,
+                           keyval->attrib.ulValueLen, isFIPS);
+
+done:
+    sftk_FreeAttribute(keyval);
+    return ret;
+}
+
+CK_RV
+sftk_MAC_InitRaw(sftk_MACCtx *ctx, CK_MECHANISM_TYPE mech, const unsigned char *key, unsigned int key_len, PRBool isFIPS)
+{
+    const SECHashObject *hashObj = NULL;
+    CK_RV ret = CKR_OK;
+
+    if (ctx == NULL) {
+        return CKR_HOST_MEMORY;
+    }
+
+    /* Clear the context before use. */
+    PORT_Memset(ctx, 0, sizeof(*ctx));
+
+    /* Save the mech. */
+    ctx->mech = mech;
+
+    /* Initialize the correct MAC context. */
+    switch (mech) {
+        case CKM_MD2_HMAC:
+        case CKM_MD5_HMAC:
+        case CKM_SHA_1_HMAC:
+        case CKM_SHA224_HMAC:
+        case CKM_SHA256_HMAC:
+        case CKM_SHA384_HMAC:
+        case CKM_SHA512_HMAC:
+            hashObj = HASH_GetRawHashObject(HMACMechanismToHash(mech));
+
+            /* Because we condition above only on hashes we know to be valid,
+             * hashObj should never be NULL. This assert is only useful when
+             * adding a new hash function (for which only partial support has
+             * been added); thus there is no need to turn it into an if and
+             * avoid the NULL dereference on the following line. */
+            PR_ASSERT(hashObj != NULL);
+            ctx->mac_size = hashObj->length;
+
+            goto hmac;
+        case CKM_AES_CMAC:
+            ctx->mac.cmac = CMAC_Create(CMAC_AES, key, key_len);
+            ctx->destroy_func = (void (*)(void *, PRBool))(&CMAC_Destroy);
+
+            /* Copy the behavior of sftk_doCMACInit here. */
+            if (ctx->mac.cmac == NULL) {
+                if (PORT_GetError() == SEC_ERROR_INVALID_ARGS) {
+                    ret = CKR_KEY_SIZE_RANGE;
+                    goto done;
+                }
+
+                ret = CKR_HOST_MEMORY;
+                goto done;
+            }
+
+            ctx->mac_size = AES_BLOCK_SIZE;
+
+            goto done;
+        default:
+            ret = CKR_MECHANISM_PARAM_INVALID;
+            goto done;
+    }
+
+hmac:
+    ctx->mac.hmac = HMAC_Create(hashObj, key, key_len, isFIPS);
+    ctx->destroy_func = (void (*)(void *, PRBool))(&HMAC_Destroy);
+
+    /* Copy the behavior of sftk_doHMACInit here. */
+    if (ctx->mac.hmac == NULL) {
+        if (PORT_GetError() == SEC_ERROR_INVALID_ARGS) {
+            ret = CKR_KEY_SIZE_RANGE;
+            goto done;
+        }
+        ret = CKR_HOST_MEMORY;
+        goto done;
+    }
+
+    /* Semantics: HMAC and CMAC should behave the same. Begin HMAC now. */
+    HMAC_Begin(ctx->mac.hmac);
+
+done:
+    /* Handle a failure: ctx->mac.raw should be NULL, but make sure
+     * destroy_func isn't set. */
+    if (ret != CKR_OK) {
+        ctx->destroy_func = NULL;
+    }
+
+    return ret;
+}
+
+CK_RV
+sftk_MAC_Reset(sftk_MACCtx *ctx)
+{
+    /* Useful for resetting the state of MAC prior to calling update again
+     *
+     * This lets the caller keep a single MAC instance and re-use it as long
+     * as the key stays the same. */
+    switch (ctx->mech) {
+        case CKM_MD2_HMAC:
+        case CKM_MD5_HMAC:
+        case CKM_SHA_1_HMAC:
+        case CKM_SHA224_HMAC:
+        case CKM_SHA256_HMAC:
+        case CKM_SHA384_HMAC:
+        case CKM_SHA512_HMAC:
+            HMAC_Begin(ctx->mac.hmac);
+            break;
+        case CKM_AES_CMAC:
+            if (CMAC_Begin(ctx->mac.cmac) != SECSuccess) {
+                return CKR_FUNCTION_FAILED;
+            }
+            break;
+        default:
+            /* This shouldn't happen -- asserting indicates partial support
+             * for a new MAC type. */
+            PR_ASSERT(PR_FALSE);
+            return CKR_FUNCTION_FAILED;
+    }
+
+    return CKR_OK;
+}
+
+CK_RV
+sftk_MAC_Update(sftk_MACCtx *ctx, CK_BYTE_PTR data, unsigned int data_len)
+{
+    switch (ctx->mech) {
+        case CKM_MD2_HMAC:
+        case CKM_MD5_HMAC:
+        case CKM_SHA_1_HMAC:
+        case CKM_SHA224_HMAC:
+        case CKM_SHA256_HMAC:
+        case CKM_SHA384_HMAC:
+        case CKM_SHA512_HMAC:
+            /* HMAC doesn't indicate failure in the return code. */
+            HMAC_Update(ctx->mac.hmac, data, data_len);
+            break;
+        case CKM_AES_CMAC:
+            /* CMAC indicates failure in the return code, however this is
+             * unlikely to occur. */
+            if (CMAC_Update(ctx->mac.cmac, data, data_len) != SECSuccess) {
+                return CKR_FUNCTION_FAILED;
+            }
+            break;
+        default:
+            /* This shouldn't happen -- asserting indicates partial support
+             * for a new MAC type. */
+            PR_ASSERT(PR_FALSE);
+            return CKR_FUNCTION_FAILED;
+    }
+    return CKR_OK;
+}
+
+CK_RV
+sftk_MAC_Finish(sftk_MACCtx *ctx, CK_BYTE_PTR result, unsigned int *result_len, unsigned int max_result_len)
+{
+    unsigned int actual_result_len;
+
+    switch (ctx->mech) {
+        case CKM_MD2_HMAC:
+        case CKM_MD5_HMAC:
+        case CKM_SHA_1_HMAC:
+        case CKM_SHA224_HMAC:
+        case CKM_SHA256_HMAC:
+        case CKM_SHA384_HMAC:
+        case CKM_SHA512_HMAC:
+            /* HMAC doesn't indicate failure in the return code. Additionally,
+             * unlike CMAC, it doesn't support partial results. This means that we
+             * need to allocate a buffer if max_result_len < ctx->mac_size. */
+            if (max_result_len >= ctx->mac_size) {
+                /* Split this into two calls to avoid an unnecessary stack
+                 * allocation and memcpy when possible. */
+                HMAC_Finish(ctx->mac.hmac, result, &actual_result_len, max_result_len);
+            } else {
+                uint8_t tmp_buffer[SFTK_MAX_MAC_LENGTH];
+
+                /* Assumption: buffer is large enough to hold this HMAC's
+                 * output. */
+                PR_ASSERT(SFTK_MAX_MAC_LENGTH >= ctx->mac_size);
+
+                HMAC_Finish(ctx->mac.hmac, tmp_buffer, &actual_result_len, SFTK_MAX_MAC_LENGTH);
+
+                if (actual_result_len > max_result_len) {
+                    /* This should always be true since:
+                     *
+                     *   (SFTK_MAX_MAC_LENGTH >= ctx->mac_size =
+                     *       actual_result_len) > max_result_len,
+                     *
+                     * but guard this truncation just in case. */
+                    actual_result_len = max_result_len;
+                }
+
+                PORT_Memcpy(result, tmp_buffer, actual_result_len);
+            }
+            break;
+        case CKM_AES_CMAC:
+            /* CMAC indicates failure in the return code, however this is
+             * unlikely to occur. */
+            if (CMAC_Finish(ctx->mac.cmac, result, &actual_result_len, max_result_len) != SECSuccess) {
+                return CKR_FUNCTION_FAILED;
+            }
+            break;
+        default:
+            /* This shouldn't happen -- asserting indicates partial support
+             * for a new MAC type. */
+            PR_ASSERT(PR_FALSE);
+            return CKR_FUNCTION_FAILED;
+    }
+
+    if (result_len) {
+        /* When result length is passed, inform the caller of its value. */
+        *result_len = actual_result_len;
+    } else if (max_result_len == ctx->mac_size) {
+        /* Validate that the amount requested was what was actually given; the
+         * caller assumes that what they passed was the output size of the
+         * underlying MAC and that they got all the bytes the asked for. */
+        PR_ASSERT(actual_result_len == max_result_len);
+    }
+
+    return CKR_OK;
+}
+
+void
+sftk_MAC_Destroy(sftk_MACCtx *ctx, PRBool free_it)
+{
+    if (ctx == NULL) {
+        return;
+    }
+
+    if (ctx->mac.raw != NULL && ctx->destroy_func != NULL) {
+        ctx->destroy_func(ctx->mac.raw, PR_TRUE);
+    }
+
+    /* Clean up the struct so we don't double free accidentally. */
+    PORT_Memset(ctx, 0, sizeof(sftk_MACCtx));
+
+    if (free_it == PR_TRUE) {
+        PORT_Free(ctx);
+    }
+}