author | Lorry Tar Creator <lorry-tar-importer@lorry> | 2017-01-04 14:24:24 +0000 |
---|---|---|
committer | Lorry Tar Creator <lorry-tar-importer@lorry> | 2017-01-04 14:24:24 +0000 |
commit | dc1565216a5d20ae0d75872151523252309a1292 (patch) | |
tree | d57454ba9a40386552179eddf60d28bd1e8f3d54 /nss/lib/pk11wrap/pk11pbe.c | |
parent | 26c046fbc57d53136b4fb3b5e0d18298318125d4 (diff) | |
download | nss-dc1565216a5d20ae0d75872151523252309a1292.tar.gz |
nss-3.28.1nss-3.28.1
Diffstat (limited to 'nss/lib/pk11wrap/pk11pbe.c')
-rw-r--r-- | nss/lib/pk11wrap/pk11pbe.c | 1347 |
1 files changed, 674 insertions, 673 deletions
diff --git a/nss/lib/pk11wrap/pk11pbe.c b/nss/lib/pk11wrap/pk11pbe.c
index cc72faf..7837bfe 100644
--- a/nss/lib/pk11wrap/pk11pbe.c
+++ b/nss/lib/pk11wrap/pk11pbe.c
@@ -26,80 +26,78 @@ typedef struct SEC_PKCS5PBEParameterStr SEC_PKCS5PBEParameter; struct SEC_PKCS5PBEParameterStr { - PLArenaPool *poolp; - SECItem salt; /* octet string */ - SECItem iteration; /* integer */ - SECItem keyLength; /* PKCS5v2 only */ - SECAlgorithmID *pPrfAlgId; /* PKCS5v2 only */ - SECAlgorithmID prfAlgId; /* PKCS5v2 only */ + PLArenaPool *poolp; + SECItem salt; /* octet string */ + SECItem iteration; /* integer */ + SECItem keyLength; /* PKCS5v2 only */ + SECAlgorithmID *pPrfAlgId; /* PKCS5v2 only */ + SECAlgorithmID prfAlgId; /* PKCS5v2 only */ }; -/* PKCS5 V2 has an algorithm ID for the encryption and for - * the key generation. This is valid for SEC_OID_PKCS5_PBES2 +/* PKCS5 V2 has an algorithm ID for the encryption and for + * the key generation. This is valid for SEC_OID_PKCS5_PBES2 * and SEC_OID_PKCS5_PBMAC1 */ struct sec_pkcs5V2ParameterStr { - PLArenaPool *poolp; - SECAlgorithmID pbeAlgId; /* real pbe algorithms */ + PLArenaPool *poolp; + SECAlgorithmID pbeAlgId; /* real pbe algorithms */ SECAlgorithmID cipherAlgId; /* encryption/mac */ }; typedef struct sec_pkcs5V2ParameterStr sec_pkcs5V2Parameter; - /* template for PKCS 5 PBE Parameter. This template has been expanded * based upon the additions in PKCS 12. This should eventually be moved * if RSA updates PKCS 5. 
*/ const SEC_ASN1Template SEC_PKCS5PBEParameterTemplate[] = -{ - { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(SEC_PKCS5PBEParameter) }, - { SEC_ASN1_OCTET_STRING, - offsetof(SEC_PKCS5PBEParameter, salt) }, - { SEC_ASN1_INTEGER, - offsetof(SEC_PKCS5PBEParameter, iteration) }, - { 0 } -}; + { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(SEC_PKCS5PBEParameter) }, + { SEC_ASN1_OCTET_STRING, + offsetof(SEC_PKCS5PBEParameter, salt) }, + { SEC_ASN1_INTEGER, + offsetof(SEC_PKCS5PBEParameter, iteration) }, + { 0 } + }; const SEC_ASN1Template SEC_V2PKCS12PBEParameterTemplate[] = -{ - { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS5PBEParameter) }, - { SEC_ASN1_OCTET_STRING, offsetof(SEC_PKCS5PBEParameter, salt) }, - { SEC_ASN1_INTEGER, offsetof(SEC_PKCS5PBEParameter, iteration) }, - { 0 } -}; + { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS5PBEParameter) }, + { SEC_ASN1_OCTET_STRING, offsetof(SEC_PKCS5PBEParameter, salt) }, + { SEC_ASN1_INTEGER, offsetof(SEC_PKCS5PBEParameter, iteration) }, + { 0 } + }; SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) /* SECOID_PKCS5_PBKDF2 */ const SEC_ASN1Template SEC_PKCS5V2PBEParameterTemplate[] = -{ - { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS5PBEParameter) }, - /* This is really a choice, but since we only understand this + { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS5PBEParameter) }, + /* This is really a choice, but since we only understand this * choice, just inline it */ - { SEC_ASN1_OCTET_STRING, offsetof(SEC_PKCS5PBEParameter, salt) }, - { SEC_ASN1_INTEGER, offsetof(SEC_PKCS5PBEParameter, iteration) }, - { SEC_ASN1_INTEGER|SEC_ASN1_OPTIONAL, - offsetof(SEC_PKCS5PBEParameter, keyLength) }, - { SEC_ASN1_POINTER | SEC_ASN1_XTRN | SEC_ASN1_OPTIONAL, - offsetof(SEC_PKCS5PBEParameter, pPrfAlgId), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, - { 0 } -}; + { SEC_ASN1_OCTET_STRING, offsetof(SEC_PKCS5PBEParameter, salt) }, + { SEC_ASN1_INTEGER, offsetof(SEC_PKCS5PBEParameter, iteration) }, + { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, + 
offsetof(SEC_PKCS5PBEParameter, keyLength) }, + { SEC_ASN1_POINTER | SEC_ASN1_XTRN | SEC_ASN1_OPTIONAL, + offsetof(SEC_PKCS5PBEParameter, pPrfAlgId), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { 0 } + }; /* SEC_OID_PKCS5_PBES2, SEC_OID_PKCS5_PBMAC1 */ const SEC_ASN1Template SEC_PKCS5V2ParameterTemplate[] = -{ - { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS5PBEParameter) }, - { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(sec_pkcs5V2Parameter, pbeAlgId), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, - { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(sec_pkcs5V2Parameter, cipherAlgId), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, - { 0 } -}; - + { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS5PBEParameter) }, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(sec_pkcs5V2Parameter, pbeAlgId), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, + offsetof(sec_pkcs5V2Parameter, cipherAlgId), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { 0 } + }; /* * maps a PBE algorithm to a crypto algorithm. for PKCS12 and PKCS5v1 
@@ -108,32 +106,31 @@ const SEC_ASN1Template SEC_PKCS5V2ParameterTemplate[] = SECOidTag sec_pkcs5GetCryptoFromAlgTag(SECOidTag algorithm) { - switch(algorithm) - { - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC: - case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC: - return SEC_OID_DES_EDE3_CBC; - case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC: - case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC: - case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC: - return SEC_OID_DES_CBC; - case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: - case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: - return SEC_OID_RC2_CBC; - case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4: - case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4: - return SEC_OID_RC4; - case SEC_OID_PKCS5_PBKDF2: - case SEC_OID_PKCS5_PBES2: - case SEC_OID_PKCS5_PBMAC1: - return SEC_OID_PKCS5_PBKDF2; - default: - break; + switch (algorithm) { + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC: + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC: + return SEC_OID_DES_EDE3_CBC; + case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC: + case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC: + case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC: + return SEC_OID_DES_CBC; + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: + return SEC_OID_RC2_CBC; + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4: + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4: + case 
SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4: + return SEC_OID_RC4; + case SEC_OID_PKCS5_PBKDF2: + case SEC_OID_PKCS5_PBES2: + case SEC_OID_PKCS5_PBMAC1: + return SEC_OID_PKCS5_PBKDF2; + default: + break; } return SEC_OID_UNKNOWN; @@ -151,27 +148,27 @@ sec_pkcs5_v2_get_v2_param(PLArenaPool *arena, SECAlgorithmID *algid) SECStatus rv; if (arena == NULL) { - localArena = arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); - if (arena == NULL) { - return NULL; - } + localArena = arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); + if (arena == NULL) { + return NULL; + } } pbeV2_param = PORT_ArenaZNew(arena, sec_pkcs5V2Parameter); if (pbeV2_param == NULL) { - goto loser; + goto loser; } - + rv = SEC_ASN1DecodeItem(arena, pbeV2_param, - SEC_PKCS5V2ParameterTemplate, &algid->parameters); + SEC_PKCS5V2ParameterTemplate, &algid->parameters); if (rv == SECFailure) { - goto loser; + goto loser; } pbeV2_param->poolp = arena; return pbeV2_param; loser: if (localArena) { - PORT_FreeArena(arena, PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); } return NULL; } 
@@ -179,50 +176,49 @@ loser: void sec_pkcs5_v2_destroy_v2_param(sec_pkcs5V2Parameter *param) { - if (param && param->poolp) { - PORT_FreeArena(param->poolp, PR_TRUE); - } + if (param && param->poolp) { + PORT_FreeArena(param->poolp, PR_TRUE); + } } - /* maps crypto algorithm from PBE algorithm. */ -SECOidTag +SECOidTag SEC_PKCS5GetCryptoAlgorithm(SECAlgorithmID *algid) { SECOidTag pbeAlg; SECOidTag cipherAlg; - if(algid == NULL) - return SEC_OID_UNKNOWN; + if (algid == NULL) + return SEC_OID_UNKNOWN; pbeAlg = SECOID_GetAlgorithmTag(algid); cipherAlg = sec_pkcs5GetCryptoFromAlgTag(pbeAlg); - if ((cipherAlg == SEC_OID_PKCS5_PBKDF2) && - (pbeAlg != SEC_OID_PKCS5_PBKDF2)) { - sec_pkcs5V2Parameter *pbeV2_param; - cipherAlg = SEC_OID_UNKNOWN; + if ((cipherAlg == SEC_OID_PKCS5_PBKDF2) && + (pbeAlg != SEC_OID_PKCS5_PBKDF2)) { + sec_pkcs5V2Parameter *pbeV2_param; + cipherAlg = SEC_OID_UNKNOWN; - pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid); - if (pbeV2_param != NULL) { - cipherAlg = SECOID_GetAlgorithmTag(&pbeV2_param->cipherAlgId); - sec_pkcs5_v2_destroy_v2_param(pbeV2_param); - } + pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid); + if (pbeV2_param != NULL) { + cipherAlg = SECOID_GetAlgorithmTag(&pbeV2_param->cipherAlgId); + sec_pkcs5_v2_destroy_v2_param(pbeV2_param); + } } return cipherAlg; } /* check to see if an oid is a pbe algorithm - */ -PRBool + */ +PRBool SEC_PKCS5IsAlgorithmPBEAlg(SECAlgorithmID *algid) { return (PRBool)(SEC_PKCS5GetCryptoAlgorithm(algid) != SEC_OID_UNKNOWN); } -PRBool +PRBool SEC_PKCS5IsAlgorithmPBEAlgTag(SECOidTag algtag) { return (PRBool)(sec_pkcs5GetCryptoFromAlgTag(algtag) != SEC_OID_UNKNOWN); 
@@ -237,70 +233,69 @@ sec_pkcs5v2_get_pbe(SECOidTag algTag) { /* if it's a valid hash oid... */ if (HASH_GetHashOidTagByHMACOidTag(algTag) != SEC_OID_UNKNOWN) { - /* use the MAC tag */ - return SEC_OID_PKCS5_PBMAC1; + /* use the MAC tag */ + return SEC_OID_PKCS5_PBMAC1; } if (HASH_GetHashTypeByOidTag(algTag) != HASH_AlgNULL) { - /* eliminate Hash algorithms */ - return SEC_OID_UNKNOWN; + /* eliminate Hash algorithms */ + return SEC_OID_UNKNOWN; } if (PK11_AlgtagToMechanism(algTag) != CKM_INVALID_MECHANISM) { - /* it's not a hash, if it has a PKCS #11 mechanism associated - * with it, assume it's a cipher. (NOTE this will generate - * some false positives). */ - return SEC_OID_PKCS5_PBES2; + /* it's not a hash, if it has a PKCS #11 mechanism associated + * with it, assume it's a cipher. (NOTE this will generate + * some false positives). */ + return SEC_OID_PKCS5_PBES2; } return SEC_OID_UNKNOWN; } -/* +/* * maps PBE algorithm from crypto algorithm, assumes SHA1 hashing. * input keyLen in bits. 
*/ -SECOidTag +SECOidTag SEC_PKCS5GetPBEAlgorithm(SECOidTag algTag, int keyLen) { - switch(algTag) - { - case SEC_OID_DES_EDE3_CBC: - switch(keyLen) { - case 168: - case 192: - case 0: - return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC; - case 128: - case 92: - return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC; - default: - break; - } - break; - case SEC_OID_DES_CBC: - return SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC; - case SEC_OID_RC2_CBC: - switch(keyLen) { - case 40: - return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC; - case 128: - case 0: - return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC; - default: - break; - } - break; - case SEC_OID_RC4: - switch(keyLen) { - case 40: - return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4; - case 128: - case 0: - return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4; - default: - break; - } - break; - default: - return sec_pkcs5v2_get_pbe(algTag); + switch (algTag) { + case SEC_OID_DES_EDE3_CBC: + switch (keyLen) { + case 168: + case 192: + case 0: + return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC; + case 128: + case 92: + return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC; + default: + break; + } + break; + case SEC_OID_DES_CBC: + return SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC; + case SEC_OID_RC2_CBC: + switch (keyLen) { + case 40: + return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC; + case 128: + case 0: + return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC; + default: + break; + } + break; + case SEC_OID_RC4: + switch (keyLen) { + case 40: + return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4; + case 128: + case 0: + return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4; + default: + break; + } + break; + default: + return sec_pkcs5v2_get_pbe(algTag); } return SEC_OID_UNKNOWN; 
@@ -321,18 +316,18 @@ sec_pkcs5v2_key_length(SECAlgorithmID *algid) algorithm = SECOID_GetAlgorithmTag(algid); /* sanity check, they should all be PBKDF2 here */ if (algorithm != SEC_OID_PKCS5_PBKDF2) { - return -1; + return -1; } arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); if (arena == NULL) { - goto loser; + goto loser; } PORT_Memset(&p5_param, 0, sizeof(p5_param)); - rv = SEC_ASN1DecodeItem(arena,&p5_param, - SEC_PKCS5V2PBEParameterTemplate, &algid->parameters); + rv = SEC_ASN1DecodeItem(arena, &p5_param, + SEC_PKCS5V2PBEParameterTemplate, &algid->parameters); if (rv != SECSuccess) { - goto loser; + goto loser; } if (p5_param.keyLength.data != NULL) { @@ -341,7 +336,7 @@ sec_pkcs5v2_key_length(SECAlgorithmID *algid) loser: if (arena) { - PORT_FreeArena(arena, PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); } return length; } 
@@ -349,76 +344,72 @@ loser: /* * get the key length in bytes needed for the PBE algorithm */ -int +int SEC_PKCS5GetKeyLength(SECAlgorithmID *algid) { SECOidTag algorithm; - if(algid == NULL) - return SEC_OID_UNKNOWN; + if (algid == NULL) + return SEC_OID_UNKNOWN; algorithm = SECOID_GetAlgorithmTag(algid); - switch(algorithm) - { - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC: - case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC: - return 24; - case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC: - case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC: - case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC: - return 8; - case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: - case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: - return 5; - case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: - case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4: - return 16; - case SEC_OID_PKCS5_PBKDF2: - return sec_pkcs5v2_key_length(algid); - case SEC_OID_PKCS5_PBES2: - case SEC_OID_PKCS5_PBMAC1: - { - sec_pkcs5V2Parameter *pbeV2_param; - int length = -1; - pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid); - if (pbeV2_param != NULL) { - length = sec_pkcs5v2_key_length(&pbeV2_param->pbeAlgId); - sec_pkcs5_v2_destroy_v2_param(pbeV2_param); - } - return length; - } - - default: - break; + switch (algorithm) { + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC: + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC: + return 24; + case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC: + case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC: + case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC: + return 8; + case 
SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: + return 5; + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4: + return 16; + case SEC_OID_PKCS5_PBKDF2: + return sec_pkcs5v2_key_length(algid); + case SEC_OID_PKCS5_PBES2: + case SEC_OID_PKCS5_PBMAC1: { + sec_pkcs5V2Parameter *pbeV2_param; + int length = -1; + pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid); + if (pbeV2_param != NULL) { + length = sec_pkcs5v2_key_length(&pbeV2_param->pbeAlgId); + sec_pkcs5_v2_destroy_v2_param(pbeV2_param); + } + return length; + } + + default: + break; } return -1; } - /* the PKCS12 V2 algorithms only encode the salt, there is no iteration * count so we need a check for V2 algorithm parameters. */ static PRBool sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(SECOidTag algorithm) { - switch(algorithm) - { - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: - return PR_TRUE; - default: - break; + switch (algorithm) { + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: + return PR_TRUE; + default: + break; } return PR_FALSE; 
@@ -427,28 +418,27 @@ sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(SECOidTag algorithm) static PRBool sec_pkcs5_is_algorithm_v2_pkcs5_algorithm(SECOidTag algorithm) { - switch(algorithm) - { - case SEC_OID_PKCS5_PBES2: - case SEC_OID_PKCS5_PBMAC1: - case SEC_OID_PKCS5_PBKDF2: - return PR_TRUE; - default: - break; + switch (algorithm) { + case SEC_OID_PKCS5_PBES2: + case SEC_OID_PKCS5_PBMAC1: + case SEC_OID_PKCS5_PBKDF2: + return PR_TRUE; + default: + break; } return PR_FALSE; } -/* destroy a pbe parameter. it assumes that the parameter was +/* destroy a pbe parameter. it assumes that the parameter was * generated using the appropriate create function and therefor * contains an arena pool. */ -static void +static void sec_pkcs5_destroy_pbe_param(SEC_PKCS5PBEParameter *pbe_param) { - if(pbe_param != NULL) - PORT_FreeArena(pbe_param->poolp, PR_TRUE); + if (pbe_param != NULL) + PORT_FreeArena(pbe_param->poolp, PR_TRUE); } /* creates a PBE parameter based on the PBE algorithm. the only required 
@@ -460,84 +450,84 @@ sec_pkcs5_destroy_pbe_param(SEC_PKCS5PBEParameter *pbe_param) * iteration - number of iterations to perform hashing. * keyLength - only used in variable key length algorithms. if specified, * should be in bytes. - * once a parameter is allocated, it should be destroyed calling + * once a parameter is allocated, it should be destroyed calling * sec_pkcs5_destroy_pbe_parameter or SEC_PKCS5DestroyPBEParameter. */ #define DEFAULT_SALT_LENGTH 16 static SEC_PKCS5PBEParameter * -sec_pkcs5_create_pbe_parameter(SECOidTag algorithm, - SECItem *salt, - int iteration, - int keyLength, - SECOidTag prfAlg) +sec_pkcs5_create_pbe_parameter(SECOidTag algorithm, + SECItem *salt, + int iteration, + int keyLength, + SECOidTag prfAlg) { PLArenaPool *poolp = NULL; SEC_PKCS5PBEParameter *pbe_param = NULL; - SECStatus rv= SECSuccess; + SECStatus rv = SECSuccess; void *dummy = NULL; - if(iteration < 0) { - return NULL; + if (iteration < 0) { + return NULL; } poolp = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); - if(poolp == NULL) - return NULL; + if (poolp == NULL) + return NULL; pbe_param = (SEC_PKCS5PBEParameter *)PORT_ArenaZAlloc(poolp, - sizeof(SEC_PKCS5PBEParameter)); - if(!pbe_param) { - PORT_FreeArena(poolp, PR_TRUE); - return NULL; + sizeof(SEC_PKCS5PBEParameter)); + if (!pbe_param) { + PORT_FreeArena(poolp, PR_TRUE); + return NULL; } pbe_param->poolp = poolp; rv = SECFailure; if (salt && salt->data) { - rv = SECITEM_CopyItem(poolp, &pbe_param->salt, salt); + rv = SECITEM_CopyItem(poolp, &pbe_param->salt, salt); } else { - /* sigh, the old interface generated salt on the fly, so we have to - * preserve the semantics */ - pbe_param->salt.len = DEFAULT_SALT_LENGTH; - pbe_param->salt.data = PORT_ArenaZAlloc(poolp,DEFAULT_SALT_LENGTH); - if (pbe_param->salt.data) { - rv = PK11_GenerateRandom(pbe_param->salt.data,DEFAULT_SALT_LENGTH); - } + /* sigh, the old interface generated salt on the fly, so we have to + * preserve the semantics */ + pbe_param->salt.len = 
DEFAULT_SALT_LENGTH; + pbe_param->salt.data = PORT_ArenaZAlloc(poolp, DEFAULT_SALT_LENGTH); + if (pbe_param->salt.data) { + rv = PK11_GenerateRandom(pbe_param->salt.data, DEFAULT_SALT_LENGTH); + } } - if(rv != SECSuccess) { - PORT_FreeArena(poolp, PR_TRUE); - return NULL; + if (rv != SECSuccess) { + PORT_FreeArena(poolp, PR_TRUE); + return NULL; } /* encode the integer */ - dummy = SEC_ASN1EncodeInteger(poolp, &pbe_param->iteration, - iteration); + dummy = SEC_ASN1EncodeInteger(poolp, &pbe_param->iteration, + iteration); rv = (dummy) ? SECSuccess : SECFailure; - if(rv != SECSuccess) { - PORT_FreeArena(poolp, PR_FALSE); - return NULL; + if (rv != SECSuccess) { + PORT_FreeArena(poolp, PR_FALSE); + return NULL; } /* * for PKCS5 v2 Add the keylength and the prf */ if (algorithm == SEC_OID_PKCS5_PBKDF2) { - dummy = SEC_ASN1EncodeInteger(poolp, &pbe_param->keyLength, - keyLength); - rv = (dummy) ? SECSuccess : SECFailure; - if (rv != SECSuccess) { - PORT_FreeArena(poolp, PR_FALSE); - return NULL; - } - rv = SECOID_SetAlgorithmID(poolp, &pbe_param->prfAlgId, prfAlg, NULL); - if (rv != SECSuccess) { - PORT_FreeArena(poolp, PR_FALSE); - return NULL; - } - pbe_param->pPrfAlgId = &pbe_param->prfAlgId; + dummy = SEC_ASN1EncodeInteger(poolp, &pbe_param->keyLength, + keyLength); + rv = (dummy) ? SECSuccess : SECFailure; + if (rv != SECSuccess) { + PORT_FreeArena(poolp, PR_FALSE); + return NULL; + } + rv = SECOID_SetAlgorithmID(poolp, &pbe_param->prfAlgId, prfAlg, NULL); + if (rv != SECSuccess) { + PORT_FreeArena(poolp, PR_FALSE); + return NULL; + } + pbe_param->pPrfAlgId = &pbe_param->prfAlgId; } return pbe_param; 
@@ -545,19 +535,19 @@ sec_pkcs5_create_pbe_parameter(SECOidTag algorithm, /* creates a algorithm ID containing the PBE algorithm and appropriate * parameters. the required parameter is the algorithm. if salt is - * not specified, it is generated randomly. + * not specified, it is generated randomly. * - * the returned SECAlgorithmID should be destroyed using + * the returned SECAlgorithmID should be destroyed using * SECOID_DestroyAlgorithmID */ SECAlgorithmID * -sec_pkcs5CreateAlgorithmID(SECOidTag algorithm, - SECOidTag cipherAlgorithm, - SECOidTag prfAlg, - SECOidTag *pPbeAlgorithm, - int keyLength, - SECItem *salt, - int iteration) +sec_pkcs5CreateAlgorithmID(SECOidTag algorithm, + SECOidTag cipherAlgorithm, + SECOidTag prfAlg, + SECOidTag *pPbeAlgorithm, + int keyLength, + SECItem *salt, + int iteration) { PLArenaPool *poolp = NULL; SECAlgorithmID *algid, *ret_algid = NULL; 
@@ -568,174 +558,173 @@ sec_pkcs5CreateAlgorithmID(SECOidTag algorithm, SEC_PKCS5PBEParameter *pbe_param = NULL; sec_pkcs5V2Parameter pbeV2_param; - if(iteration <= 0) { - return NULL; + if (iteration <= 0) { + return NULL; } poolp = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); - if(!poolp) { - goto loser; + if (!poolp) { + goto loser; } if (!SEC_PKCS5IsAlgorithmPBEAlgTag(algorithm) || - sec_pkcs5_is_algorithm_v2_pkcs5_algorithm(algorithm)) { - /* use PKCS 5 v2 */ - SECItem *cipherParams; - - /* - * if we ask for pkcs5 Algorithms directly, then the - * application needs to supply the cipher algorithm, - * otherwise we are implicitly using pkcs5 v2 and the - * passed in algorithm is the encryption algorithm. - */ - if (sec_pkcs5_is_algorithm_v2_pkcs5_algorithm(algorithm)) { - if (cipherAlgorithm == SEC_OID_UNKNOWN) { - goto loser; - } - } else { - cipherAlgorithm = algorithm; - /* force algorithm to be chosen below */ - algorithm = SEC_OID_PKCS5_PBKDF2; - } - - pbeAlgorithm = SEC_OID_PKCS5_PBKDF2; - /* - * 'algorithm' is the overall algorithm oid tag used to wrap the - * entire algoithm ID block. For PKCS5v1 and PKCS12, this - * algorithm OID has encoded in it both the PBE KDF function - * and the encryption algorithm. For PKCS 5v2, PBE KDF and - * encryption/macing oids are encoded as parameters in - * the algorithm ID block. - * - * Thus in PKCS5 v1 and PKCS12, this algorithm maps to a pkcs #11 - * mechanism, where as in PKCS 5v2, this alogithm tag does not map - * directly to a PKCS #11 mechanim, instead the 2 oids in the - * algorithm ID block map the the actual PKCS #11 mechanism. - * gorithm is). We use choose this algorithm oid based on the - * cipherAlgorithm to determine what this should be (MAC1 or PBES2). 
- */ - if (algorithm == SEC_OID_PKCS5_PBKDF2) { - /* choose mac or pbes */ - algorithm = sec_pkcs5v2_get_pbe(cipherAlgorithm); - } - - /* set the PKCS5v2 specific parameters */ - if (keyLength == 0) { - SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm); - if (hashAlg != SEC_OID_UNKNOWN) { - keyLength = HASH_ResultLenByOidTag(hashAlg); - } else { - CK_MECHANISM_TYPE cryptoMech; - cryptoMech = PK11_AlgtagToMechanism(cipherAlgorithm); - if (cryptoMech == CKM_INVALID_MECHANISM) { - goto loser; - } - keyLength = PK11_GetMaxKeyLength(cryptoMech); - } - if (keyLength == 0) { - goto loser; - } - } - /* currently only SEC_OID_HMAC_SHA1 is defined */ - if (prfAlg == SEC_OID_UNKNOWN) { - prfAlg = SEC_OID_HMAC_SHA1; - } - - /* build the PKCS5v2 cipher algorithm id */ - cipherParams = pk11_GenerateNewParamWithKeyLen( - PK11_AlgtagToMechanism(cipherAlgorithm), keyLength); - if (!cipherParams) { - goto loser; - } - - PORT_Memset(&pbeV2_param, 0, sizeof (pbeV2_param)); - - rv = PK11_ParamToAlgid(cipherAlgorithm, cipherParams, - poolp, &pbeV2_param.cipherAlgId); - SECITEM_FreeItem(cipherParams, PR_TRUE); - if (rv != SECSuccess) { - goto loser; - } - } - + sec_pkcs5_is_algorithm_v2_pkcs5_algorithm(algorithm)) { + /* use PKCS 5 v2 */ + SECItem *cipherParams; + + /* + * if we ask for pkcs5 Algorithms directly, then the + * application needs to supply the cipher algorithm, + * otherwise we are implicitly using pkcs5 v2 and the + * passed in algorithm is the encryption algorithm. + */ + if (sec_pkcs5_is_algorithm_v2_pkcs5_algorithm(algorithm)) { + if (cipherAlgorithm == SEC_OID_UNKNOWN) { + goto loser; + } + } else { + cipherAlgorithm = algorithm; + /* force algorithm to be chosen below */ + algorithm = SEC_OID_PKCS5_PBKDF2; + } + + pbeAlgorithm = SEC_OID_PKCS5_PBKDF2; + /* + * 'algorithm' is the overall algorithm oid tag used to wrap the + * entire algoithm ID block. 
For PKCS5v1 and PKCS12, this + * algorithm OID has encoded in it both the PBE KDF function + * and the encryption algorithm. For PKCS 5v2, PBE KDF and + * encryption/macing oids are encoded as parameters in + * the algorithm ID block. + * + * Thus in PKCS5 v1 and PKCS12, this algorithm maps to a pkcs #11 + * mechanism, where as in PKCS 5v2, this alogithm tag does not map + * directly to a PKCS #11 mechanim, instead the 2 oids in the + * algorithm ID block map the the actual PKCS #11 mechanism. + * gorithm is). We use choose this algorithm oid based on the + * cipherAlgorithm to determine what this should be (MAC1 or PBES2). + */ + if (algorithm == SEC_OID_PKCS5_PBKDF2) { + /* choose mac or pbes */ + algorithm = sec_pkcs5v2_get_pbe(cipherAlgorithm); + } + + /* set the PKCS5v2 specific parameters */ + if (keyLength == 0) { + SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm); + if (hashAlg != SEC_OID_UNKNOWN) { + keyLength = HASH_ResultLenByOidTag(hashAlg); + } else { + CK_MECHANISM_TYPE cryptoMech; + cryptoMech = PK11_AlgtagToMechanism(cipherAlgorithm); + if (cryptoMech == CKM_INVALID_MECHANISM) { + goto loser; + } + keyLength = PK11_GetMaxKeyLength(cryptoMech); + } + if (keyLength == 0) { + goto loser; + } + } + /* currently SEC_OID_HMAC_SHA1 is the default */ + if (prfAlg == SEC_OID_UNKNOWN) { + prfAlg = SEC_OID_HMAC_SHA1; + } + + /* build the PKCS5v2 cipher algorithm id */ + cipherParams = pk11_GenerateNewParamWithKeyLen( + PK11_AlgtagToMechanism(cipherAlgorithm), keyLength); + if (!cipherParams) { + goto loser; + } + + PORT_Memset(&pbeV2_param, 0, sizeof(pbeV2_param)); + + rv = PK11_ParamToAlgid(cipherAlgorithm, cipherParams, + poolp, &pbeV2_param.cipherAlgId); + SECITEM_FreeItem(cipherParams, PR_TRUE); + if (rv != SECSuccess) { + goto loser; + } + } /* generate the parameter */ pbe_param = sec_pkcs5_create_pbe_parameter(pbeAlgorithm, salt, iteration, - keyLength, prfAlg); - if(!pbe_param) { - goto loser; + keyLength, prfAlg); + if (!pbe_param) 
{ + goto loser; } /* generate the algorithm id */ algid = (SECAlgorithmID *)PORT_ArenaZAlloc(poolp, sizeof(SECAlgorithmID)); - if(algid == NULL) { - goto loser; + if (algid == NULL) { + goto loser; } der_param.data = NULL; der_param.len = 0; if (sec_pkcs5_is_algorithm_v2_pkcs5_algorithm(algorithm)) { - /* first encode the PBE algorithm ID */ - dummy = SEC_ASN1EncodeItem(poolp, &der_param, pbe_param, - SEC_PKCS5V2PBEParameterTemplate); - if (dummy == NULL) { - goto loser; - } - rv = SECOID_SetAlgorithmID(poolp, &pbeV2_param.pbeAlgId, - pbeAlgorithm, &der_param); - if (rv != SECSuccess) { - goto loser; - } - - /* now encode the Full PKCS 5 parameter */ - der_param.data = NULL; - der_param.len = 0; - dummy = SEC_ASN1EncodeItem(poolp, &der_param, &pbeV2_param, - SEC_PKCS5V2ParameterTemplate); - } else if(!sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(algorithm)) { - dummy = SEC_ASN1EncodeItem(poolp, &der_param, pbe_param, - SEC_PKCS5PBEParameterTemplate); + /* first encode the PBE algorithm ID */ + dummy = SEC_ASN1EncodeItem(poolp, &der_param, pbe_param, + SEC_PKCS5V2PBEParameterTemplate); + if (dummy == NULL) { + goto loser; + } + rv = SECOID_SetAlgorithmID(poolp, &pbeV2_param.pbeAlgId, + pbeAlgorithm, &der_param); + if (rv != SECSuccess) { + goto loser; + } + + /* now encode the Full PKCS 5 parameter */ + der_param.data = NULL; + der_param.len = 0; + dummy = SEC_ASN1EncodeItem(poolp, &der_param, &pbeV2_param, + SEC_PKCS5V2ParameterTemplate); + } else if (!sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(algorithm)) { + dummy = SEC_ASN1EncodeItem(poolp, &der_param, pbe_param, + SEC_PKCS5PBEParameterTemplate); } else { - dummy = SEC_ASN1EncodeItem(poolp, &der_param, pbe_param, - SEC_V2PKCS12PBEParameterTemplate); + dummy = SEC_ASN1EncodeItem(poolp, &der_param, pbe_param, + SEC_V2PKCS12PBEParameterTemplate); } if (dummy == NULL) { - goto loser; + goto loser; } rv = SECOID_SetAlgorithmID(poolp, algid, algorithm, &der_param); if (rv != SECSuccess) { - goto loser; + goto loser; } 
ret_algid = (SECAlgorithmID *)PORT_ZAlloc(sizeof(SECAlgorithmID)); if (ret_algid == NULL) { - goto loser; + goto loser; } rv = SECOID_CopyAlgorithmID(NULL, ret_algid, algid); if (rv != SECSuccess) { - SECOID_DestroyAlgorithmID(ret_algid, PR_TRUE); - ret_algid = NULL; + SECOID_DestroyAlgorithmID(ret_algid, PR_TRUE); + ret_algid = NULL; } else if (pPbeAlgorithm) { - *pPbeAlgorithm = pbeAlgorithm; + *pPbeAlgorithm = pbeAlgorithm; } loser: if (poolp != NULL) { - PORT_FreeArena(poolp, PR_TRUE); - algid = NULL; + PORT_FreeArena(poolp, PR_TRUE); + algid = NULL; } if (pbe_param) { - sec_pkcs5_destroy_pbe_param(pbe_param); + sec_pkcs5_destroy_pbe_param(pbe_param); } return ret_algid; } SECStatus -pbe_PK11AlgidToParam(SECAlgorithmID *algid,SECItem *mech) +pbe_PK11AlgidToParam(SECAlgorithmID *algid, SECItem *mech) { SEC_PKCS5PBEParameter p5_param; SECItem *salt = NULL; @@ -747,14 +736,12 @@ pbe_PK11AlgidToParam(SECAlgorithmID *algid,SECItem *mech) CK_ULONG iterations; int paramLen = 0; int iv_len; - arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); if (arena == NULL) { - goto loser; + goto loser; } - /* * decode the algid based on the pbe type */ 
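Review bot: The PKCS 5 v2 branch of sec_pkcs5CreateAlgorithmID handles only `keyLength == 0`, so a negative keyLength is never rejected, unlike `iteration`, which is checked with `iteration <= 0` at the top of the function. As far as the visible lines show, a negative value goes unchanged into pk11_GenerateNewParamWithKeyLen and, through sec_pkcs5_create_pbe_parameter (hunk at -460), into SEC_ASN1EncodeInteger for the PBKDF2 keyLength field, so the encoded parameters could carry a negative length that decoders must then cope with. I would add, directly after the `if (keyLength == 0) { ... }` block so that derived values are covered too, `if (keyLength < 0) { PORT_SetError(SEC_ERROR_INVALID_ARGS); goto loser; }`. Whether any caller can actually pass a negative length is not visible here; the function's signature and declarations sit in the preceding hunks.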
@@ -762,131 +749,145 @@ pbe_PK11AlgidToParam(SECAlgorithmID *algid,SECItem *mech) if (sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(algorithm)) { iv_len = PK11_GetIVLength(PK11_AlgtagToMechanism(algorithm)); rv = SEC_ASN1DecodeItem(arena, &p5_param, - SEC_V2PKCS12PBEParameterTemplate, &algid->parameters); + SEC_V2PKCS12PBEParameterTemplate, &algid->parameters); } else if (algorithm == SEC_OID_PKCS5_PBKDF2) { - iv_len = 0; - rv = SEC_ASN1DecodeItem(arena,&p5_param, - SEC_PKCS5V2PBEParameterTemplate, &algid->parameters); + iv_len = 0; + rv = SEC_ASN1DecodeItem(arena, &p5_param, + SEC_PKCS5V2PBEParameterTemplate, &algid->parameters); } else { iv_len = PK11_GetIVLength(PK11_AlgtagToMechanism(algorithm)); - rv = SEC_ASN1DecodeItem(arena,&p5_param,SEC_PKCS5PBEParameterTemplate, - &algid->parameters); + rv = SEC_ASN1DecodeItem(arena, &p5_param, SEC_PKCS5PBEParameterTemplate, + &algid->parameters); } if (iv_len < 0) { - goto loser; + goto loser; } if (rv != SECSuccess) { - goto loser; + goto loser; } - + /* get salt */ salt = &p5_param.salt; - iterations = (CK_ULONG) DER_GetInteger(&p5_param.iteration); + iterations = (CK_ULONG)DER_GetInteger(&p5_param.iteration); /* allocate and fill in the PKCS #11 parameters * based on the algorithm. 
*/ if (algorithm == SEC_OID_PKCS5_PBKDF2) { - SECOidTag prfAlgTag; - CK_PKCS5_PBKD2_PARAMS *pbeV2_params = - (CK_PKCS5_PBKD2_PARAMS *)PORT_ZAlloc( - sizeof(CK_PKCS5_PBKD2_PARAMS)+ salt->len); - - if (pbeV2_params == NULL) { - goto loser; - } - paramData = (unsigned char *)pbeV2_params; - paramLen = sizeof(CK_PKCS5_PBKD2_PARAMS); - - /* set the prf */ - prfAlgTag = SEC_OID_HMAC_SHA1; - if (p5_param.pPrfAlgId && - p5_param.pPrfAlgId->algorithm.data != 0) { - prfAlgTag = SECOID_GetAlgorithmTag(p5_param.pPrfAlgId); - } - if (prfAlgTag == SEC_OID_HMAC_SHA1) { - pbeV2_params->prf = CKP_PKCS5_PBKD2_HMAC_SHA1; - } else { - /* only SHA1_HMAC is currently supported by PKCS #11 */ - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - goto loser; - } - - /* probably should fetch these from the prfAlgid */ - pbeV2_params->pPrfData = NULL; - pbeV2_params->ulPrfDataLen = 0; - pbeV2_params->saltSource = CKZ_SALT_SPECIFIED; - pSalt = ((CK_CHAR_PTR) pbeV2_params)+sizeof(CK_PKCS5_PBKD2_PARAMS); + SECOidTag prfAlgTag; + CK_PKCS5_PBKD2_PARAMS *pbeV2_params = + (CK_PKCS5_PBKD2_PARAMS *)PORT_ZAlloc( + sizeof(CK_PKCS5_PBKD2_PARAMS) + salt->len); + + if (pbeV2_params == NULL) { + goto loser; + } + paramData = (unsigned char *)pbeV2_params; + paramLen = sizeof(CK_PKCS5_PBKD2_PARAMS); + + /* set the prf */ + prfAlgTag = SEC_OID_HMAC_SHA1; + if (p5_param.pPrfAlgId && + p5_param.pPrfAlgId->algorithm.data != 0) { + prfAlgTag = SECOID_GetAlgorithmTag(p5_param.pPrfAlgId); + } + switch (prfAlgTag) { + case SEC_OID_HMAC_SHA1: + pbeV2_params->prf = CKP_PKCS5_PBKD2_HMAC_SHA1; + break; + case SEC_OID_HMAC_SHA224: + pbeV2_params->prf = CKP_PKCS5_PBKD2_HMAC_SHA224; + break; + case SEC_OID_HMAC_SHA256: + pbeV2_params->prf = CKP_PKCS5_PBKD2_HMAC_SHA256; + break; + case SEC_OID_HMAC_SHA384: + pbeV2_params->prf = CKP_PKCS5_PBKD2_HMAC_SHA384; + break; + case SEC_OID_HMAC_SHA512: + pbeV2_params->prf = CKP_PKCS5_PBKD2_HMAC_SHA512; + break; + default: + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + goto loser; + } + 
+ /* probably should fetch these from the prfAlgid */ + pbeV2_params->pPrfData = NULL; + pbeV2_params->ulPrfDataLen = 0; + pbeV2_params->saltSource = CKZ_SALT_SPECIFIED; + pSalt = ((CK_CHAR_PTR)pbeV2_params) + sizeof(CK_PKCS5_PBKD2_PARAMS); PORT_Memcpy(pSalt, salt->data, salt->len); - pbeV2_params->pSaltSourceData = pSalt; - pbeV2_params->ulSaltSourceDataLen = salt->len; - pbeV2_params->iterations = iterations; + pbeV2_params->pSaltSourceData = pSalt; + pbeV2_params->ulSaltSourceDataLen = salt->len; + pbeV2_params->iterations = iterations; } else { - CK_PBE_PARAMS *pbe_params = NULL; - pbe_params = (CK_PBE_PARAMS *)PORT_ZAlloc(sizeof(CK_PBE_PARAMS)+ - salt->len+iv_len); - if (pbe_params == NULL) { - goto loser; - } - paramData = (unsigned char *)pbe_params; - paramLen = sizeof(CK_PBE_PARAMS); - - pSalt = ((CK_CHAR_PTR) pbe_params)+sizeof(CK_PBE_PARAMS); - pbe_params->pSalt = pSalt; + CK_PBE_PARAMS *pbe_params = NULL; + pbe_params = (CK_PBE_PARAMS *)PORT_ZAlloc(sizeof(CK_PBE_PARAMS) + + salt->len + iv_len); + if (pbe_params == NULL) { + goto loser; + } + paramData = (unsigned char *)pbe_params; + paramLen = sizeof(CK_PBE_PARAMS); + + pSalt = ((CK_CHAR_PTR)pbe_params) + sizeof(CK_PBE_PARAMS); + pbe_params->pSalt = pSalt; PORT_Memcpy(pSalt, salt->data, salt->len); - pbe_params->ulSaltLen = salt->len; - if (iv_len) { - pbe_params->pInitVector = - ((CK_CHAR_PTR) pbe_params)+ sizeof(CK_PBE_PARAMS)+salt->len; - } - pbe_params->ulIteration = iterations; + pbe_params->ulSaltLen = salt->len; + if (iv_len) { + pbe_params->pInitVector = + ((CK_CHAR_PTR)pbe_params) + sizeof(CK_PBE_PARAMS) + salt->len; + } + pbe_params->ulIteration = iterations; } /* copy into the mechanism sec item */ mech->data = paramData; mech->len = paramLen; if (arena) { - PORT_FreeArena(arena,PR_TRUE); + PORT_FreeArena(arena, PR_TRUE); } return SECSuccess; loser: if (paramData) { - PORT_Free(paramData); + PORT_Free(paramData); } if (arena) { - PORT_FreeArena(arena,PR_TRUE); + PORT_FreeArena(arena, 
PR_TRUE); } return SECFailure; } /* - * public, deprecated, not valid for pkcs5 v2 - * + * public, deprecated, not valid for pkcs5 v2 + * * use PK11_CreatePBEV2AlgorithmID or PK11_CreatePBEAlgorithmID to create * PBE algorithmID's directly. */ SECStatus PBE_PK11ParamToAlgid(SECOidTag algTag, SECItem *param, PLArenaPool *arena, - SECAlgorithmID *algId) + SECAlgorithmID *algId) { CK_PBE_PARAMS *pbe_param; SECItem pbeSalt; SECAlgorithmID *pbeAlgID = NULL; SECStatus rv; - if(!param || !algId) { - return SECFailure; + if (!param || !algId) { + return SECFailure; } pbe_param = (CK_PBE_PARAMS *)param->data; pbeSalt.data = (unsigned char *)pbe_param->pSalt; pbeSalt.len = pbe_param->ulSaltLen; - pbeAlgID = sec_pkcs5CreateAlgorithmID(algTag, SEC_OID_UNKNOWN, - SEC_OID_UNKNOWN, NULL, 0, &pbeSalt, (int)pbe_param->ulIteration); - if(!pbeAlgID) { - return SECFailure; + pbeAlgID = sec_pkcs5CreateAlgorithmID(algTag, SEC_OID_UNKNOWN, + SEC_OID_UNKNOWN, NULL, 0, + &pbeSalt, (int)pbe_param->ulIteration); + if (!pbeAlgID) { + return SECFailure; } rv = SECOID_CopyAlgorithmID(arena, algId, pbeAlgID); @@ -895,7 +896,7 @@ PBE_PK11ParamToAlgid(SECOidTag algTag, SECItem *param, PLArenaPool *arena, } /* - * public, Deprecated, This function is only for binary compatibility with + * public, Deprecated, This function is only for binary compatibility with * older applications. Does not support PKCS5v2. * * Applications should use PK11_PBEKeyGen() for keys and PK11_GetPBEIV() for @@ -903,8 +904,8 @@ PBE_PK11ParamToAlgid(SECOidTag algTag, SECItem *param, PLArenaPool *arena, */ PBEBitGenContext * PBE_CreateContext(SECOidTag hashAlgorithm, PBEBitGenID bitGenPurpose, - SECItem *pwitem, SECItem *salt, unsigned int bitsNeeded, - unsigned int iterations) + SECItem *pwitem, SECItem *salt, unsigned int bitsNeeded, + unsigned int iterations) { SECItem *context = NULL; SECItem mechItem; 
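Review bot: The iteration count decoded from the AlgorithmID is cast straight to an unsigned type in `iterations = (CK_ULONG)DER_GetInteger(&p5_param.iteration);`, so a zero or negative DER integer is never rejected, and a negative one becomes a very large value stored in `pbeV2_params->iterations` or `pbe_params->ulIteration`. `algid->parameters` presumably comes from externally supplied data such as an imported key file, so a crafted count could turn into an expensive key derivation further down. I would read it into a signed local and fail early: `long iter = DER_GetInteger(&p5_param.iteration);`, then `if (iter <= 0) { PORT_SetError(SEC_ERROR_BAD_DER); goto loser; }`, then `iterations = (CK_ULONG)iter;`. Whether an upper bound also belongs here is a policy decision for the callers. The declarations of pbe_PK11AlgidToParam sit above this hunk, so the new local would be declared there with the others.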
@@ -913,57 +914,56 @@ PBE_CreateContext(SECOidTag hashAlgorithm, PBEBitGenID bitGenPurpose, PK11SlotInfo *slot; PK11SymKey *symKey = NULL; unsigned char ivData[8]; - /* use the purpose to select the low level keygen algorithm */ switch (bitGenPurpose) { - case pbeBitGenIntegrityKey: - switch (hashAlgorithm) { - case SEC_OID_SHA1: - mechanism = CKM_PBA_SHA1_WITH_SHA1_HMAC; - break; - case SEC_OID_MD2: - mechanism = CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN; - break; - case SEC_OID_MD5: - mechanism = CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN; - break; - default: - break; - } - break; - case pbeBitGenCipherIV: - if (bitsNeeded > 64) { - break; - } - if (hashAlgorithm != SEC_OID_SHA1) { - break; - } - mechanism = CKM_PBE_SHA1_DES3_EDE_CBC; - break; - case pbeBitGenCipherKey: - if (hashAlgorithm != SEC_OID_SHA1) { - break; - } - switch (bitsNeeded) { - case 40: - mechanism = CKM_PBE_SHA1_RC4_40; - break; - case 128: - mechanism = CKM_PBE_SHA1_RC4_128; - break; - default: - break; - } - case pbeBitGenIDNull: - break; + case pbeBitGenIntegrityKey: + switch (hashAlgorithm) { + case SEC_OID_SHA1: + mechanism = CKM_PBA_SHA1_WITH_SHA1_HMAC; + break; + case SEC_OID_MD2: + mechanism = CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN; + break; + case SEC_OID_MD5: + mechanism = CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN; + break; + default: + break; + } + break; + case pbeBitGenCipherIV: + if (bitsNeeded > 64) { + break; + } + if (hashAlgorithm != SEC_OID_SHA1) { + break; + } + mechanism = CKM_PBE_SHA1_DES3_EDE_CBC; + break; + case pbeBitGenCipherKey: + if (hashAlgorithm != SEC_OID_SHA1) { + break; + } + switch (bitsNeeded) { + case 40: + mechanism = CKM_PBE_SHA1_RC4_40; + break; + case 128: + mechanism = CKM_PBE_SHA1_RC4_128; + break; + default: + break; + } + case pbeBitGenIDNull: + break; } if (mechanism == CKM_INVALID_MECHANISM) { - /* we should set an error, but this is a deprecated function, and - * we are keeping bug for bug compatibility;)... 
*/ - return NULL; - } + /* we should set an error, but this is a deprecated function, and + * we are keeping bug for bug compatibility;)... */ + return NULL; + } pbe_params.pInitVector = ivData; pbe_params.pPassword = pwitem->data; 
@@ -971,42 +971,41 @@ PBE_CreateContext(SECOidTag hashAlgorithm, PBEBitGenID bitGenPurpose, pbe_params.pSalt = salt->data; pbe_params.ulSaltLen = salt->len; pbe_params.ulIteration = iterations; - mechItem.data = (unsigned char *) &pbe_params; + mechItem.data = (unsigned char *)&pbe_params; mechItem.len = sizeof(pbe_params); - slot = PK11_GetInternalSlot(); - symKey = PK11_RawPBEKeyGen(slot,mechanism, - &mechItem, pwitem, PR_FALSE, NULL); + symKey = PK11_RawPBEKeyGen(slot, mechanism, + &mechItem, pwitem, PR_FALSE, NULL); PK11_FreeSlot(slot); if (symKey != NULL) { - if (bitGenPurpose == pbeBitGenCipherIV) { - /* NOTE: this assumes that bitsNeeded is a multiple of 8! */ - SECItem ivItem; - - ivItem.data = ivData; - ivItem.len = bitsNeeded/8; - context = SECITEM_DupItem(&ivItem); - } else { - SECItem *keyData; - PK11_ExtractKeyValue(symKey); - keyData = PK11_GetKeyData(symKey); - - /* assert bitsNeeded with length? */ - if (keyData) { - context = SECITEM_DupItem(keyData); - } - } - PK11_FreeSymKey(symKey); + if (bitGenPurpose == pbeBitGenCipherIV) { + /* NOTE: this assumes that bitsNeeded is a multiple of 8! */ + SECItem ivItem; + + ivItem.data = ivData; + ivItem.len = bitsNeeded / 8; + context = SECITEM_DupItem(&ivItem); + } else { + SECItem *keyData; + PK11_ExtractKeyValue(symKey); + keyData = PK11_GetKeyData(symKey); + + /* assert bitsNeeded with length? */ + if (keyData) { + context = SECITEM_DupItem(keyData); + } + } + PK11_FreeSymKey(symKey); } return (PBEBitGenContext *)context; } /* - * public, Deprecated, This function is only for binary compatibility with + * public, Deprecated, This function is only for binary compatibility with * older applications. Does not support PKCS5v2. - * + * * Applications should use PK11_PBEKeyGen() for keys and PK11_GetIV() for * iv values rather than generating PBE bits directly. */ 
@@ -1017,16 +1016,16 @@ PBE_GenerateBits(PBEBitGenContext *context) } /* - * public, Deprecated, This function is only for binary compatibility with + * public, Deprecated, This function is only for binary compatibility with * older applications. Does not support PKCS5v2. - * + * * Applications should use PK11_PBEKeyGen() for keys and PK11_GetPBEIV() for * iv values rather than generating PBE bits directly. */ void PBE_DestroyContext(PBEBitGenContext *context) { - SECITEM_FreeItem((SECItem *)context,PR_TRUE); + SECITEM_FreeItem((SECItem *)context, PR_TRUE); } /* 
@@ -1044,48 +1043,48 @@ SEC_PKCS5GetIV(SECAlgorithmID *algid, SECItem *pwitem, PRBool faulty3DES) PK11SymKey *symKey; PK11SlotInfo *slot; CK_PBE_PARAMS_PTR pPBEparams; - SECOidTag pbeAlg; + SECOidTag pbeAlg; pbeAlg = SECOID_GetAlgorithmTag(algid); if (sec_pkcs5_is_algorithm_v2_pkcs5_algorithm(pbeAlg)) { - unsigned char *ivData; - sec_pkcs5V2Parameter *pbeV2_param = NULL; - - /* can only return the IV if the crypto Algorithm exists */ - if (pbeAlg == SEC_OID_PKCS5_PBKDF2) { - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - goto loser; - } - pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid); - if (pbeV2_param == NULL) { - goto loser; - } - /* extract the IV from the cipher algid portion of our pkcs 5 v2 - * algorithm id */ - type = PK11_AlgtagToMechanism( - SECOID_GetAlgorithmTag(&pbeV2_param->cipherAlgId)); - param = PK11_ParamFromAlgid(&pbeV2_param->cipherAlgId); - sec_pkcs5_v2_destroy_v2_param(pbeV2_param); - if (!param) { - goto loser; - } - /* NOTE: NULL is a permissible return here */ - ivData = PK11_IVFromParam(type, param, &iv_len); - src.data = ivData; - src.len = iv_len; - goto done; + unsigned char *ivData; + sec_pkcs5V2Parameter *pbeV2_param = NULL; + + /* can only return the IV if the crypto Algorithm exists */ + if (pbeAlg == SEC_OID_PKCS5_PBKDF2) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + goto loser; + } + pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid); + if (pbeV2_param == NULL) { + goto loser; + } + /* extract the IV from the cipher algid portion of our pkcs 5 v2 + * algorithm id */ + type = PK11_AlgtagToMechanism( + SECOID_GetAlgorithmTag(&pbeV2_param->cipherAlgId)); + param = PK11_ParamFromAlgid(&pbeV2_param->cipherAlgId); + sec_pkcs5_v2_destroy_v2_param(pbeV2_param); + if (!param) { + goto loser; + } + /* NOTE: NULL is a permissible return here */ + ivData = PK11_IVFromParam(type, param, &iv_len); + src.data = ivData; + src.len = iv_len; + goto done; } type = PK11_AlgtagToMechanism(pbeAlg); param = PK11_ParamFromAlgid(algid); if 
(param == NULL) { - goto done; + goto done; } slot = PK11_GetInternalSlot(); symKey = PK11_RawPBEKeyGen(slot, type, param, pwitem, faulty3DES, NULL); PK11_FreeSlot(slot); if (symKey == NULL) { - goto loser; + goto loser; } PK11_FreeSymKey(symKey); pPBEparams = (CK_PBE_PARAMS_PTR)param->data; @@ -1099,7 +1098,7 @@ done: loser: if (param) { - SECITEM_ZfreeItem(param, PR_TRUE); + SECITEM_ZfreeItem(param, PR_TRUE); } return iv; } @@ -1109,8 +1108,8 @@ loser: */ PBEBitGenContext * __PBE_CreateContext(SECOidTag hashAlgorithm, PBEBitGenID bitGenPurpose, - SECItem *pwitem, SECItem *salt, unsigned int bitsNeeded, - unsigned int iterations) + SECItem *pwitem, SECItem *salt, unsigned int bitsNeeded, + unsigned int iterations) { PORT_Assert("__PBE_CreateContext is Deprecated" == NULL); return NULL; 
@@ -1147,29 +1146,29 @@ static void pk11_destroy_ck_pbe_params(CK_PBE_PARAMS *pbe_params) { if (pbe_params) { - if (pbe_params->pPassword) - PORT_ZFree(pbe_params->pPassword, pbe_params->ulPasswordLen); - if (pbe_params->pSalt) - PORT_ZFree(pbe_params->pSalt, pbe_params->ulSaltLen); - PORT_ZFree(pbe_params, sizeof(CK_PBE_PARAMS)); + if (pbe_params->pPassword) + PORT_ZFree(pbe_params->pPassword, pbe_params->ulPasswordLen); + if (pbe_params->pSalt) + PORT_ZFree(pbe_params->pSalt, pbe_params->ulSaltLen); + PORT_ZFree(pbe_params, sizeof(CK_PBE_PARAMS)); } } /* - * public, deprecated. use PK11_CreatePBEAlgorithmID or - * PK11_CreatePBEV2AlgorithmID instead. If you needthe pkcs #11 parameters, - * use PK11_ParamFromAlgid from the algorithm id you created using + * public, deprecated. use PK11_CreatePBEAlgorithmID or + * PK11_CreatePBEV2AlgorithmID instead. If you needthe pkcs #11 parameters, + * use PK11_ParamFromAlgid from the algorithm id you created using * PK11_CreatePBEAlgorithmID or PK11_CreatePBEV2AlgorithmID. */ -SECItem * +SECItem * PK11_CreatePBEParams(SECItem *salt, SECItem *pwd, unsigned int iterations) { CK_PBE_PARAMS *pbe_params = NULL; SECItem *paramRV = NULL; paramRV = SECITEM_AllocItem(NULL, NULL, sizeof(CK_PBE_PARAMS)); - if (!paramRV ) { - goto loser; + if (!paramRV) { + goto loser; } /* init paramRV->data with zeros. SECITEM_AllocItem does not do it */ PORT_Memset(paramRV->data, 0, sizeof(CK_PBE_PARAMS)); @@ -1184,7 +1183,7 @@ PK11_CreatePBEParams(SECItem *salt, SECItem *pwd, unsigned int iterations) pbe_params->pSalt = (CK_CHAR_PTR)PORT_ZAlloc(salt->len); if (!pbe_params->pSalt) { - goto loser; + goto loser; } PORT_Memcpy(pbe_params->pSalt, salt->data, salt->len); pbe_params->ulSaltLen = salt->len; 
@@ -1195,8 +1194,8 @@ PK11_CreatePBEParams(SECItem *salt, SECItem *pwd, unsigned int iterations) loser: if (pbe_params) pk11_destroy_ck_pbe_params(pbe_params); - if (paramRV) - PORT_ZFree(paramRV, sizeof(SECItem)); + if (paramRV) + PORT_ZFree(paramRV, sizeof(SECItem)); return NULL; } @@ -1207,10 +1206,10 @@ void PK11_DestroyPBEParams(SECItem *pItem) { if (pItem) { - CK_PBE_PARAMS * params = (CK_PBE_PARAMS *)(pItem->data); - if (params) - pk11_destroy_ck_pbe_params(params); - PORT_ZFree(pItem, sizeof(SECItem)); + CK_PBE_PARAMS *params = (CK_PBE_PARAMS *)(pItem->data); + if (params) + pk11_destroy_ck_pbe_params(params); + PORT_ZFree(pItem, sizeof(SECItem)); } } @@ -1224,7 +1223,8 @@ PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt) { SECAlgorithmID *algid = NULL; algid = sec_pkcs5CreateAlgorithmID(algorithm, - SEC_OID_UNKNOWN, SEC_OID_UNKNOWN, NULL, 0, salt, iteration); + SEC_OID_UNKNOWN, SEC_OID_UNKNOWN, NULL, + 0, salt, iteration); return algid; } @@ -1233,12 +1233,12 @@ PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt) */ SECAlgorithmID * PK11_CreatePBEV2AlgorithmID(SECOidTag pbeAlgTag, SECOidTag cipherAlgTag, - SECOidTag prfAlgTag, int keyLength, int iteration, - SECItem *salt) + SECOidTag prfAlgTag, int keyLength, int iteration, + SECItem *salt) { SECAlgorithmID *algid = NULL; algid = sec_pkcs5CreateAlgorithmID(pbeAlgTag, cipherAlgTag, prfAlgTag, - NULL, keyLength, salt, iteration); + NULL, keyLength, salt, iteration); return algid; } 
@@ -1246,48 +1246,49 @@ PK11_CreatePBEV2AlgorithmID(SECOidTag pbeAlgTag, SECOidTag cipherAlgTag, * private. */ PK11SymKey * -pk11_RawPBEKeyGenWithKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, - SECItem *params, CK_KEY_TYPE keyType, int keyLen, - SECItem *pwitem, void *wincx) +pk11_RawPBEKeyGenWithKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + SECItem *params, CK_KEY_TYPE keyType, int keyLen, + SECItem *pwitem, void *wincx) { CK_ULONG pwLen; /* do some sanity checks */ if ((params == NULL) || (params->data == NULL)) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } if (type == CKM_INVALID_MECHANISM) { - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - return NULL; + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return NULL; } /* set the password pointer in the parameters... */ if (type == CKM_PKCS5_PBKD2) { - CK_PKCS5_PBKD2_PARAMS *pbev2_params; - if (params->len < sizeof(CK_PKCS5_PBKD2_PARAMS)) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; - } - pbev2_params = (CK_PKCS5_PBKD2_PARAMS *)params->data; - pbev2_params->pPassword = pwitem->data; - pwLen = pwitem->len; - pbev2_params->ulPasswordLen = &pwLen; + CK_PKCS5_PBKD2_PARAMS *pbev2_params; + if (params->len < sizeof(CK_PKCS5_PBKD2_PARAMS)) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + pbev2_params = (CK_PKCS5_PBKD2_PARAMS *)params->data; + pbev2_params->pPassword = pwitem->data; + pwLen = pwitem->len; + pbev2_params->ulPasswordLen = &pwLen; } else { - CK_PBE_PARAMS *pbe_params; - if (params->len < sizeof(CK_PBE_PARAMS)) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; - } - pbe_params = (CK_PBE_PARAMS *)params->data; - pbe_params->pPassword = pwitem->data; - pbe_params->ulPasswordLen = pwitem->len; + CK_PBE_PARAMS *pbe_params; + if (params->len < sizeof(CK_PBE_PARAMS)) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + pbe_params = (CK_PBE_PARAMS *)params->data; + pbe_params->pPassword = 
pwitem->data; + pbe_params->ulPasswordLen = pwitem->len; } /* generate the key (and sometimes the IV as a side effect...) */ - return pk11_TokenKeyGenWithFlagsAndKeyType(slot, type, params, keyType, - keyLen, NULL, CKF_SIGN|CKF_ENCRYPT|CKF_DECRYPT|CKF_UNWRAP|CKF_WRAP, - 0, wincx); + return pk11_TokenKeyGenWithFlagsAndKeyType(slot, type, params, keyType, + keyLen, NULL, + CKF_SIGN | CKF_ENCRYPT | CKF_DECRYPT | CKF_UNWRAP | CKF_WRAP, + 0, wincx); } /* @@ -1295,10 +1296,10 @@ pk11_RawPBEKeyGenWithKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, */ PK11SymKey * PK11_RawPBEKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *mech, - SECItem *pwitem, PRBool faulty3DES, void *wincx) + SECItem *pwitem, PRBool faulty3DES, void *wincx) { - if(faulty3DES && (type == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC)) { - type = CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC; + if (faulty3DES && (type == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC)) { + type = CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC; } return pk11_RawPBEKeyGenWithKeyType(slot, type, mech, -1, 0, pwitem, wincx); } @@ -1312,12 +1313,12 @@ PK11_RawPBEKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *mech, */ PK11SymKey * PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem, - PRBool faulty3DES, void *wincx) + PRBool faulty3DES, void *wincx) { CK_MECHANISM_TYPE type; SECItem *param = NULL; PK11SymKey *symKey = NULL; - SECOidTag pbeAlg; + SECOidTag pbeAlg; CK_KEY_TYPE keyType = -1; int keyLen = 0; 
@@ -1325,45 +1326,45 @@ PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem, /* if we're using PKCS5v2, extract the additional information we need * (key length, key type, and pbeAlg). */ if (sec_pkcs5_is_algorithm_v2_pkcs5_algorithm(pbeAlg)) { - CK_MECHANISM_TYPE cipherMech; - sec_pkcs5V2Parameter *pbeV2_param; - - pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid); - if (pbeV2_param == NULL) { - return NULL; - } - cipherMech = PK11_AlgtagToMechanism( - SECOID_GetAlgorithmTag(&pbeV2_param->cipherAlgId)); - pbeAlg = SECOID_GetAlgorithmTag(&pbeV2_param->pbeAlgId); - param = PK11_ParamFromAlgid(&pbeV2_param->pbeAlgId); - sec_pkcs5_v2_destroy_v2_param(pbeV2_param); - keyLen = SEC_PKCS5GetKeyLength(algid); - if (keyLen == -1) { - keyLen = 0; - } - keyType = PK11_GetKeyType(cipherMech, keyLen); + CK_MECHANISM_TYPE cipherMech; + sec_pkcs5V2Parameter *pbeV2_param; + + pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid); + if (pbeV2_param == NULL) { + return NULL; + } + cipherMech = PK11_AlgtagToMechanism( + SECOID_GetAlgorithmTag(&pbeV2_param->cipherAlgId)); + pbeAlg = SECOID_GetAlgorithmTag(&pbeV2_param->pbeAlgId); + param = PK11_ParamFromAlgid(&pbeV2_param->pbeAlgId); + sec_pkcs5_v2_destroy_v2_param(pbeV2_param); + keyLen = SEC_PKCS5GetKeyLength(algid); + if (keyLen == -1) { + keyLen = 0; + } + keyType = PK11_GetKeyType(cipherMech, keyLen); } else { - param = PK11_ParamFromAlgid(algid); + param = PK11_ParamFromAlgid(algid); } - if(param == NULL) { - goto loser; + if (param == NULL) { + goto loser; } - type = PK11_AlgtagToMechanism(pbeAlg); + type = PK11_AlgtagToMechanism(pbeAlg); if (type == CKM_INVALID_MECHANISM) { - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - goto loser; + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + goto loser; } - if(faulty3DES && (type == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC)) { - type = CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC; + if (faulty3DES && (type == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC)) { + type = 
CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC; } - symKey = pk11_RawPBEKeyGenWithKeyType(slot, type, param, keyType, keyLen, - pwitem, wincx); + symKey = pk11_RawPBEKeyGenWithKeyType(slot, type, param, keyType, keyLen, + pwitem, wincx); loser: if (param) { - SECITEM_ZfreeItem(param, PR_TRUE); + SECITEM_ZfreeItem(param, PR_TRUE); } return symKey; } @@ -1378,8 +1379,8 @@ PK11_GetPBEIV(SECAlgorithmID *algid, SECItem *pwitem) } CK_MECHANISM_TYPE -pk11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **param, - SECItem *pbe_pwd, PRBool faulty3DES) +pk11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **param, + SECItem *pbe_pwd, PRBool faulty3DES) { int keyLen = 0; SECOidTag algTag = SEC_PKCS5GetCryptoAlgorithm(algid); @@ -1388,27 +1389,27 @@ pk11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **param, SECItem *iv = NULL; if (mech == CKM_INVALID_MECHANISM) { - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - goto loser; + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + goto loser; } if (PK11_GetIVLength(mech)) { - iv = SEC_PKCS5GetIV(algid, pbe_pwd, faulty3DES); - if (iv == NULL) { - goto loser; - } + iv = SEC_PKCS5GetIV(algid, pbe_pwd, faulty3DES); + if (iv == NULL) { + goto loser; + } } keyLen = SEC_PKCS5GetKeyLength(algid); *param = pk11_ParamFromIVWithLen(mech, iv, keyLen); if (*param == NULL) { - goto loser; + goto loser; } returnedMechanism = mech; loser: if (iv) { - SECITEM_FreeItem(iv,PR_TRUE); + SECITEM_FreeItem(iv, PR_TRUE); } return returnedMechanism; } @@ -1425,8 +1426,8 @@ loser: * The caller is responsible for freeing the parameter. */ CK_MECHANISM_TYPE -PK11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **param, - SECItem *pbe_pwd) +PK11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **param, + SECItem *pbe_pwd) { return pk11_GetPBECryptoMechanism(algid, param, pbe_pwd, PR_FALSE); } |