Update NSS to NSS 3.14 pre-release snapshot 2012-06-26 01:00:00 PDT.

mozilla/security/nss/lib/softoken/pkcs11c.c

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /*
  * This file implements PKCS 11 on top of our existing security modules
  *
  * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
  *   This implementation has two slots:
  *      slot 1 is our generic crypto support. It does not require login.
  *   It supports Public Key ops, and all they bulk ciphers and hashes. 
@@ skipping 2039 matching lines @@
             break;
         }
         privKey = sftk_GetPrivKey(key,CKK_DSA,&crv);
         if (privKey == NULL) {
             break;
         }
         context->cipherInfo = privKey;
         context->update     = (SFTKCipher) nsc_DSA_Sign_Stub;
         context->destroy    = (privKey == key->objectInfo) ?
                 (SFTKDestroy) sftk_Null:(SFTKDestroy)sftk_FreePrivKey;
-        context->maxLen     = DSA_SIGNATURE_LEN;
+        context->maxLen     = DSA_MAX_SIGNATURE_LEN;
 
         break;
 
 #ifdef NSS_ENABLE_ECC
     case CKM_ECDSA_SHA1:
         context->multi = PR_TRUE;
         crv = sftk_doSubSHA1(context);
         if (crv != CKR_OK) break;
         /* fall through */
     case CKM_ECDSA:
@@ skipping 827 matching lines @@
 
     if (iv.data) {
         if (pbe_params && pbe_params->pInitVector != NULL) {
             PORT_Memcpy(pbe_params->pInitVector, iv.data, iv.len);
         }
         PORT_Free(iv.data);
     }
 
     return CKR_OK;
 }
+
+/* 
+ * this is coded for "full" support. These selections will be limitted to
+ * the official subset by freebl.
+ */
+static unsigned int
+sftk_GetSubPrimeFromPrime(unsigned int primeBits)
+{
+   if (primeBits <= 1024) {
+        return 160;
+   } else if (primeBits <= 2048) {
+        return 224;
+   } else if (primeBits <= 3072) {
+        return 256;
+   } else if (primeBits <= 7680) {
+        return 384;
+   } else {
+        return 512;
+   }
+}
+
 static CK_RV
 nsc_parameter_gen(CK_KEY_TYPE key_type, SFTKObject *key)
 {
     SFTKAttribute *attribute;
     CK_ULONG counter;
     unsigned int seedBits = 0;
+    unsigned int subprimeBits = 0;
     unsigned int primeBits;
-    unsigned int j;
+    unsigned int j = 8; /* default to 1024 bits */
     CK_RV crv = CKR_OK;
     PQGParams *params = NULL;
     PQGVerify *vfy = NULL;
     SECStatus rv;
 
     attribute = sftk_FindAttribute(key, CKA_PRIME_BITS);
     if (attribute == NULL) {
         return CKR_TEMPLATE_INCOMPLETE;
     }
     primeBits = (unsigned int) *(CK_ULONG *)attribute->attrib.pValue;
     sftk_FreeAttribute(attribute);
-    j = PQG_PBITS_TO_INDEX(primeBits);
-    if (j == (unsigned int)-1) {
-        return CKR_ATTRIBUTE_VALUE_INVALID;
+    if (primeBits < 1024) {
+        j = PQG_PBITS_TO_INDEX(primeBits);
+        if (j == (unsigned int)-1) {
+            return CKR_ATTRIBUTE_VALUE_INVALID;
+        }
     }
 
     attribute = sftk_FindAttribute(key, CKA_NETSCAPE_PQG_SEED_BITS);
     if (attribute != NULL) {
         seedBits = (unsigned int) *(CK_ULONG *)attribute->attrib.pValue;
         sftk_FreeAttribute(attribute);
     }
 
+    attribute = sftk_FindAttribute(key, CKA_SUBPRIME_BITS);
+    if (attribute != NULL) {
+        subprimeBits = (unsigned int) *(CK_ULONG *)attribute->attrib.pValue;
+        sftk_FreeAttribute(attribute);
+    }
+
     sftk_DeleteAttributeType(key,CKA_PRIME_BITS);
+    sftk_DeleteAttributeType(key,CKA_SUBPRIME_BITS);
     sftk_DeleteAttributeType(key,CKA_NETSCAPE_PQG_SEED_BITS);
 
-    if (seedBits == 0) {
-        rv = PQG_ParamGen(j, &params, &vfy);
+    /* use the old PQG interface if we have old input data */
+    if ((primeBits < 1024) || ((primeBits == 1024) && (subprimeBits == 0))) {
+        if (seedBits == 0) {
+            rv = PQG_ParamGen(j, &params, &vfy);
+        } else {
+            rv = PQG_ParamGenSeedLen(j,seedBits/8, &params, &vfy);
+        }
     } else {
-        rv = PQG_ParamGenSeedLen(j,seedBits/8, &params, &vfy);
+        if (subprimeBits == 0) {
+            subprimeBits = sftk_GetSubPrimeFromPrime(primeBits);
+        }
+        if (seedBits == 0) {
+            seedBits = primeBits;
+        }
+        rv = PQG_ParamGenV2(primeBits, subprimeBits, seedBits/8, &params, &vfy);
     }
+        
+
 
     if (rv != SECSuccess) {
         if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
             sftk_fatalError = PR_TRUE;
         }
         return sftk_MapCryptError(PORT_GetError());
     }
     crv = sftk_AddAttributeType(key,CKA_PRIME,
                                  params->prime.data, params->prime.len);
     if (crv != CKR_OK) goto loser;
@@ skipping 496 matching lines @@
      * For sign/verify:     CKK_RSA  => CKM_RSA_PKCS
      *                      CKK_DSA  => CKM_DSA
      *                      CKK_EC   => CKM_ECDSA
      *                      others   => CKM_INVALID_MECHANISM
      *
      * None of these mechanisms has a parameter.
      */
     CK_MECHANISM mech = {0, NULL, 0};
 
     CK_ULONG modulusLen;
+    CK_ULONG subPrimeLen;
     PRBool isEncryptable = PR_FALSE;
     PRBool canSignVerify = PR_FALSE;
     PRBool isDerivable = PR_FALSE;
     CK_RV crv;
 
     /* Variables used for Encrypt/Decrypt functions. */
     unsigned char *known_message = (unsigned char *)"Known Crypto Message";
     unsigned char plaintext[PAIRWISE_MESSAGE_LENGTH];
     CK_ULONG bytes_decrypted;
     unsigned char *ciphertext;
     unsigned char *text_compared;
     CK_ULONG bytes_encrypted;
     CK_ULONG bytes_compared;
+    CK_ULONG pairwise_digest_length = PAIRWISE_DIGEST_LENGTH;
 
     /* Variables used for Signature/Verification functions. */
-    /* always uses SHA-1 digest */
-    unsigned char *known_digest = (unsigned char *)"Mozilla Rules World!";
+    /* Must be at least 256 bits for DSA2 digest */
+    unsigned char *known_digest = (unsigned char *)
+                                "Mozilla Rules the World through NSS!";
     unsigned char *signature;
     CK_ULONG signature_length;
 
     if (keyType == CKK_RSA) {
         SFTKAttribute *attribute;
 
         /* Get modulus length of private key. */
         attribute = sftk_FindAttribute(privateKey, CKA_MODULUS);
         if (attribute == NULL) {
             return CKR_DEVICE_ERROR;
         }
         modulusLen = attribute->attrib.ulValueLen;
         if (*(unsigned char *)attribute->attrib.pValue == 0) {
             modulusLen--;
         }
         sftk_FreeAttribute(attribute);
+    } else if (keyType == CKK_DSA) {
+        SFTKAttribute *attribute;
+
+        /* Get subprime length of private key. */
+        attribute = sftk_FindAttribute(privateKey, CKA_SUBPRIME);
+        if (attribute == NULL) {
+            return CKR_DEVICE_ERROR;
+        }
+        subPrimeLen = attribute->attrib.ulValueLen;
+        if (subPrimeLen > 1 && *(unsigned char *)attribute->attrib.pValue == 0) {
+            subPrimeLen--;
+        }
+        sftk_FreeAttribute(attribute);
     }
 
     /**************************************************/
     /* Pairwise Consistency Check of Encrypt/Decrypt. */
     /**************************************************/
 
     isEncryptable = sftk_isTrue(privateKey, CKA_DECRYPT); 
 
     /*
      * If the decryption attribute is set, attempt to encrypt
@@ skipping 105 matching lines @@
     canSignVerify = sftk_isTrue(privateKey, CKA_SIGN);
     
     if (canSignVerify) {
         /* Determine length of signature. */
         switch (keyType) {
         case CKK_RSA:
             signature_length = modulusLen;
             mech.mechanism = CKM_RSA_PKCS;
             break;
         case CKK_DSA:
-            signature_length = DSA_SIGNATURE_LEN;
+            signature_length = DSA_MAX_SIGNATURE_LEN;
+            pairwise_digest_length = subPrimeLen;
             mech.mechanism = CKM_DSA;
             break;
 #ifdef NSS_ENABLE_ECC
         case CKK_EC:
             signature_length = MAX_ECKEY_LEN * 2;
             mech.mechanism = CKM_ECDSA;
             break;
 #endif
         default:
             return CKR_DEVICE_ERROR;
         }
         
         /* Allocate space for signature data. */
         signature = (unsigned char *) PORT_ZAlloc(signature_length);
         if (signature == NULL) {
             return CKR_HOST_MEMORY;
         }
         
         /* Sign the known hash using the private key. */
         crv = NSC_SignInit(hSession, &mech, privateKey->handle);
         if (crv != CKR_OK) {
             PORT_Free(signature);
             return crv;
         }
 
         crv = NSC_Sign(hSession,
                        known_digest,
-                       PAIRWISE_DIGEST_LENGTH,
+                       pairwise_digest_length,
                        signature,
                        &signature_length);
         if (crv != CKR_OK) {
             PORT_Free(signature);
             return crv;
         }
         
         /* Verify the known hash using the public key. */
         crv = NSC_VerifyInit(hSession, &mech, publicKey->handle);
         if (crv != CKR_OK) {
             PORT_Free(signature);
             return crv;
         }
 
         crv = NSC_Verify(hSession,
                          known_digest,
-                         PAIRWISE_DIGEST_LENGTH,
+                         pairwise_digest_length,
                          signature,
                          signature_length);
 
         /* Free signature data. */
         PORT_Free(signature);
 
         if ((crv == CKR_SIGNATURE_LEN_RANGE) ||
                 (crv == CKR_SIGNATURE_INVALID)) {
             return CKR_GENERAL_ERROR;
         }
@@ skipping 262 matching lines @@
         }
         crv = sftk_AddAttributeType(privateKey,CKA_BASE,
                                     sftk_item_expand(&pqgParam.base));
         if (crv != CKR_OK) {
             PORT_Free(pqgParam.prime.data);
             PORT_Free(pqgParam.subPrime.data);
             PORT_Free(pqgParam.base.data);
             break;
         }
 
+        /*
+         * these are checked by DSA_NewKey
+         */
         bitSize = sftk_GetLengthInBits(pqgParam.subPrime.data, 
                                                         pqgParam.subPrime.len);
-        if (bitSize != DSA_Q_BITS)  {
+        if ((bitSize < DSA_MIN_Q_BITS) || (bitSize > DSA_MAX_Q_BITS))  {
             crv = CKR_TEMPLATE_INCOMPLETE;
             PORT_Free(pqgParam.prime.data);
             PORT_Free(pqgParam.subPrime.data);
             PORT_Free(pqgParam.base.data);
             break;
         }
         bitSize = sftk_GetLengthInBits(pqgParam.prime.data,pqgParam.prime.len);
         if ((bitSize <  DSA_MIN_P_BITS) || (bitSize > DSA_MAX_P_BITS)) {
             crv = CKR_TEMPLATE_INCOMPLETE;
             PORT_Free(pqgParam.prime.data);
             PORT_Free(pqgParam.subPrime.data);
             PORT_Free(pqgParam.base.data);
             break;
         }
         bitSize = sftk_GetLengthInBits(pqgParam.base.data,pqgParam.base.len);
-        if ((bitSize <  1) || (bitSize > DSA_MAX_P_BITS)) {
+        if ((bitSize <  2) || (bitSize > DSA_MAX_P_BITS)) {
             crv = CKR_TEMPLATE_INCOMPLETE;
             PORT_Free(pqgParam.prime.data);
             PORT_Free(pqgParam.subPrime.data);
             PORT_Free(pqgParam.base.data);
             break;
         }
             
         /* Generate the key */
         rv = DSA_NewKey(&pqgParam, &dsaPriv);
 
@@ skipping 1081 matching lines @@
         return 16;
     case CKK_DES3:
         return 24;
     /* IDEA and CAST need to be added */
     default:
         break;
     }
     return 0;
 }
 
+/* Inputs:
+ *  key_len: Length of derived key to be generated.
+ *  SharedSecret: a shared secret that is the output of a key agreement primitive.
+ *  SharedInfo: (Optional) some data shared by the entities computing the secret key.
+ *  SharedInfoLen: the length in octets of SharedInfo
+ *  Hash: The hash function to be used in the KDF
+ *  HashLen: the length in octets of the output of Hash
+ * Output:
+ *  key: Pointer to a buffer containing derived key, if return value is SECSuccess.
+ */
+static CK_RV sftk_compute_ANSI_X9_63_kdf(CK_BYTE **key, CK_ULONG key_len, SECItem *SharedSecret,
+                CK_BYTE_PTR SharedInfo, CK_ULONG SharedInfoLen,
+                SECStatus Hash(unsigned char *, const unsigned char *, uint32),
+                CK_ULONG HashLen)
+{
+    unsigned char *buffer = NULL, *output_buffer = NULL;
+    uint32 buffer_len, max_counter, i;
+    SECStatus rv;
+
+    /* Check that key_len isn't too long.  The maximum key length could be
+     * greatly increased if the code below did not limit the 4-byte counter
+     * to a maximum value of 255. */
+    if (key_len > 254 * HashLen)
+        return SEC_ERROR_INVALID_ARGS;
+
+    if (SharedInfo == NULL)
+        SharedInfoLen = 0;
+
+    buffer_len = SharedSecret->len + 4 + SharedInfoLen;
+    buffer = (CK_BYTE *)PORT_Alloc(buffer_len);
+    if (buffer == NULL) {
+        rv = SEC_ERROR_NO_MEMORY;
+        goto loser;
+    }
+
+    max_counter = key_len/HashLen;
+    if (key_len > max_counter * HashLen)
+        max_counter++;
+
+    output_buffer = (CK_BYTE *)PORT_Alloc(max_counter * HashLen);
+    if (output_buffer == NULL) {
+        rv = SEC_ERROR_NO_MEMORY;
+        goto loser;
+    }
+
+    /* Populate buffer with SharedSecret || Counter || [SharedInfo]
+     * where Counter is 0x00000001 */
+    PORT_Memcpy(buffer, SharedSecret->data, SharedSecret->len);
+    buffer[SharedSecret->len] = 0;
+    buffer[SharedSecret->len + 1] = 0;
+    buffer[SharedSecret->len + 2] = 0;
+    buffer[SharedSecret->len + 3] = 1;
+    if (SharedInfo) {
+        PORT_Memcpy(&buffer[SharedSecret->len + 4], SharedInfo, SharedInfoLen);
+    }
+
+    for(i=0; i < max_counter; i++) {
+        rv = Hash(&output_buffer[i * HashLen], buffer, buffer_len);
+        if (rv != SECSuccess)
+            goto loser;
+
+        /* Increment counter (assumes max_counter < 255) */
+        buffer[SharedSecret->len + 3]++;
+    }
+
+    PORT_ZFree(buffer, buffer_len);
+    if (key_len < max_counter * HashLen) {
+        PORT_Memset(output_buffer + key_len, 0, max_counter * HashLen - key_len);
+    }
+    *key = output_buffer;
+
+    return SECSuccess;
+
+    loser:
+        if (buffer) {
+            PORT_ZFree(buffer, buffer_len);
+        }
+        if (output_buffer) {
+            PORT_ZFree(output_buffer, max_counter * HashLen);
+        }
+        return rv;
+}
+
+static CK_RV sftk_ANSI_X9_63_kdf(CK_BYTE **key, CK_ULONG key_len,
+                SECItem *SharedSecret,
+                CK_BYTE_PTR SharedInfo, CK_ULONG SharedInfoLen,
+                CK_EC_KDF_TYPE kdf)
+{
+    if (kdf == CKD_SHA1_KDF)
+        return sftk_compute_ANSI_X9_63_kdf(key, key_len, SharedSecret, SharedInfo,
+                                 SharedInfoLen, SHA1_HashBuf, SHA1_LENGTH);
+    else if (kdf == CKD_SHA224_KDF)
+        return sftk_compute_ANSI_X9_63_kdf(key, key_len, SharedSecret, SharedInfo,
+                                 SharedInfoLen, SHA224_HashBuf, SHA224_LENGTH);
+    else if (kdf == CKD_SHA256_KDF)
+        return sftk_compute_ANSI_X9_63_kdf(key, key_len, SharedSecret, SharedInfo,
+                                 SharedInfoLen, SHA256_HashBuf, SHA256_LENGTH);
+    else if (kdf == CKD_SHA384_KDF)
+        return sftk_compute_ANSI_X9_63_kdf(key, key_len, SharedSecret, SharedInfo,
+                                 SharedInfoLen, SHA384_HashBuf, SHA384_LENGTH);
+    else if (kdf == CKD_SHA512_KDF)
+        return sftk_compute_ANSI_X9_63_kdf(key, key_len, SharedSecret, SharedInfo,
+                                 SharedInfoLen, SHA512_HashBuf, SHA512_LENGTH);
+    else
+        return SEC_ERROR_INVALID_ALGORITHM;
+}
+
 /*
  * SSL Key generation given pre master secret
  */
 #define NUM_MIXERS 9
 static const char * const mixers[NUM_MIXERS] = { 
     "A", 
     "BB", 
     "CCC", 
     "DDDD", 
     "EEEEE", 
@@ skipping 882 matching lines @@
         break;
       }
 
 #ifdef NSS_ENABLE_ECC
     case CKM_ECDH1_DERIVE:
     case CKM_ECDH1_COFACTOR_DERIVE:
       {
         SECItem  ecScalar, ecPoint;
         SECItem  tmp;
         PRBool   withCofactor = PR_FALSE;
-        unsigned char secret_hash[20];
         unsigned char *secret;
         unsigned char *keyData = NULL;
         int secretlen, curveLen, pubKeyLen;
         CK_ECDH1_DERIVE_PARAMS *mechParams;
         NSSLOWKEYPrivateKey *privKey;
         PLArenaPool *arena = NULL;
 
         /* Check mechanism parameters */
         mechParams = (CK_ECDH1_DERIVE_PARAMS *) pMechanism->pParameter;
         if ((pMechanism->ulParameterLen != sizeof(CK_ECDH1_DERIVE_PARAMS)) ||
@@ skipping 65 matching lines @@
         if (arena) {
             PORT_FreeArena(arena,PR_FALSE);
             arena=NULL;
         }
 
         if (rv != SECSuccess) {
             crv = sftk_MapCryptError(PORT_GetError());
             break;
         }
 
-        /*
-         * tmp is the raw data created by ECDH_Derive,
-         * secret and secretlen are the values we will eventually pass as our
-         * generated key.
-         */
-        secret = tmp.data;
-        secretlen = tmp.len;
 
         /*
          * apply the kdf function.
          */
-        if (mechParams->kdf == CKD_SHA1_KDF) {
-            /* Compute SHA1 hash */
-            PORT_Memset(secret_hash, 0, 20);
-            rv = SHA1_HashBuf(secret_hash, tmp.data, tmp.len);
+        if (mechParams->kdf == CKD_NULL) {
+            /*
+             * tmp is the raw data created by ECDH_Derive,
+             * secret and secretlen are the values we will
+             * eventually pass as our generated key.
+             */
+            secret = tmp.data;
+            secretlen = tmp.len;
+        } else {
+            secretlen = keySize;
+            rv = sftk_ANSI_X9_63_kdf(&secret, keySize,
+                        &tmp, mechParams->pSharedData,
+                        mechParams->ulSharedDataLen, mechParams->kdf);
+            PORT_ZFree(tmp.data, tmp.len);
             if (rv != SECSuccess) {
-                PORT_ZFree(tmp.data, tmp.len);
                 crv = CKR_HOST_MEMORY;
                 break;
-            } 
-            secret = secret_hash;
-            secretlen = 20;
+            }
+            tmp.data = secret;
+            tmp.len = secretlen;
         }
 
         /*
          * if keySize is supplied, then we are generating a key of a specific 
          * length. This is done by taking the least significant 'keySize' 
          * bytes from the unsigned value calculated by ECDH. Note: this may 
          * mean padding temp with extra leading zeros from what ECDH_Derive 
          * already returned (which itself may contain leading zeros).
          */
         if (keySize) {
@@ skipping 10 matching lines @@
                 secret += (secretlen - keySize);
             }
             secretlen = keySize;
         }
 
         sftk_forceAttribute(key, CKA_VALUE, secret, secretlen);
         PORT_ZFree(tmp.data, tmp.len);
         if (keyData) {
             PORT_ZFree(keyData, keySize);
         }
-        PORT_Memset(secret_hash, 0, 20);
-            
         break;
 
 ec_loser:
         crv = CKR_ARGUMENTS_BAD;
         PORT_Free(ecScalar.data);
         if (privKey != sourceKey->objectInfo)
             nsslowkey_DestroyPrivateKey(privKey);
         if (arena) {
             PORT_FreeArena(arena, PR_FALSE);
         }
@@ skipping 412 matching lines @@
     att = sftk_FindAttribute(key,CKA_VALUE);
     sftk_FreeObject(key);
     if (!att) {
         return CKR_KEY_HANDLE_INVALID;        
     }
     crv = NSC_DigestUpdate(hSession,(CK_BYTE_PTR)att->attrib.pValue,
                            att->attrib.ulValueLen);
     sftk_FreeAttribute(att);
     return crv;
 }