summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/ssl/selfencrypt.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/lib/ssl/selfencrypt.c')
-rw-r--r--security/nss/lib/ssl/selfencrypt.c57
1 files changed, 23 insertions, 34 deletions
diff --git a/security/nss/lib/ssl/selfencrypt.c b/security/nss/lib/ssl/selfencrypt.c
index 97217b4a6..6d6e25cfc 100644
--- a/security/nss/lib/ssl/selfencrypt.c
+++ b/security/nss/lib/ssl/selfencrypt.c
@@ -11,6 +11,7 @@
#include "pk11func.h"
#include "ssl.h"
#include "sslt.h"
+#include "ssl3encode.h"
#include "sslimpl.h"
#include "selfencrypt.h"
@@ -120,11 +121,12 @@ ssl_SelfEncryptProtectInt(
PRUint8 *out, unsigned int *outLen, unsigned int maxOutLen)
{
unsigned int len;
- unsigned int lenOffset;
unsigned char iv[AES_BLOCK_SIZE];
SECItem ivItem = { siBuffer, iv, sizeof(iv) };
- /* Write directly to out. */
- sslBuffer buf = SSL_BUFFER_FIXED(out, maxOutLen);
+ unsigned char mac[SHA256_LENGTH]; /* SHA-256 */
+ unsigned int macLen;
+ SECItem outItem = { siBuffer, out, maxOutLen };
+ SECItem lengthBytesItem;
SECStatus rv;
/* Generate a random IV */
@@ -135,54 +137,52 @@ ssl_SelfEncryptProtectInt(
}
/* Add header. */
- rv = sslBuffer_Append(&buf, keyName, SELF_ENCRYPT_KEY_NAME_LEN);
+ rv = ssl3_AppendToItem(&outItem, keyName, SELF_ENCRYPT_KEY_NAME_LEN);
if (rv != SECSuccess) {
return SECFailure;
}
- rv = sslBuffer_Append(&buf, iv, sizeof(iv));
+ rv = ssl3_AppendToItem(&outItem, iv, sizeof(iv));
if (rv != SECSuccess) {
return SECFailure;
}
- /* Leave space for the length of the ciphertext. */
- rv = sslBuffer_Skip(&buf, 2, &lenOffset);
+ /* Skip forward by two so we can encode the ciphertext in place. */
+ lengthBytesItem = outItem;
+ rv = ssl3_AppendNumberToItem(&outItem, 0, 2);
if (rv != SECSuccess) {
return SECFailure;
}
- /* Encode the ciphertext in place. */
rv = PK11_Encrypt(encKey, CKM_AES_CBC_PAD, &ivItem,
- SSL_BUFFER_NEXT(&buf), &len,
- SSL_BUFFER_SPACE(&buf), in, inLen);
- if (rv != SECSuccess) {
- return SECFailure;
- }
- rv = sslBuffer_Skip(&buf, len, NULL);
+ outItem.data, &len, outItem.len, in, inLen);
if (rv != SECSuccess) {
return SECFailure;
}
- rv = sslBuffer_InsertLength(&buf, lenOffset, 2);
+ outItem.data += len;
+ outItem.len -= len;
+
+ /* Now encode the ciphertext length. */
+ rv = ssl3_AppendNumberToItem(&lengthBytesItem, len, 2);
if (rv != SECSuccess) {
return SECFailure;
}
- /* MAC the entire output buffer into the output. */
- PORT_Assert(buf.space - buf.len >= SHA256_LENGTH);
+ /* MAC the entire output buffer and append the MAC to the end. */
rv = ssl_MacBuffer(macKey, CKM_SHA256_HMAC,
- SSL_BUFFER_BASE(&buf), /* input */
- SSL_BUFFER_LEN(&buf),
- SSL_BUFFER_NEXT(&buf), &len, /* output */
- SHA256_LENGTH);
+ out, outItem.data - out,
+ mac, &macLen, sizeof(mac));
if (rv != SECSuccess) {
return SECFailure;
}
- rv = sslBuffer_Skip(&buf, len, NULL);
+ PORT_Assert(macLen == sizeof(mac));
+
+ rv = ssl3_AppendToItem(&outItem, mac, macLen);
if (rv != SECSuccess) {
return SECFailure;
}
- *outLen = SSL_BUFFER_LEN(&buf);
+ *outLen = outItem.data - out;
return SECSuccess;
}
@@ -269,17 +269,6 @@ ssl_SelfEncryptUnprotectInt(
}
#endif
-/* Predict the size of the encrypted data, including padding */
-unsigned int
-ssl_SelfEncryptGetProtectedSize(unsigned int inLen)
-{
- return SELF_ENCRYPT_KEY_NAME_LEN +
- AES_BLOCK_SIZE +
- 2 +
- ((inLen / AES_BLOCK_SIZE) + 1) * AES_BLOCK_SIZE + /* Padded */
- SHA256_LENGTH;
-}
-
SECStatus
ssl_SelfEncryptProtect(
sslSocket *ss, const PRUint8 *in, unsigned int inLen,