Make CKM_AES_GCM usable.

mozilla/security/nss/lib/pk11wrap/pk11obj.c

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /*
  * This file manages object type indepentent functions.
  */
 #include "seccomon.h"
 #include "secmod.h"
 #include "secmodi.h"
 #include "secmodti.h"
@@ skipping 804 matching lines @@
     if (haslock) PK11_ExitSlotMonitor(slot);
     pk11_CloseSession(slot,session,owner);
     sig->len = len;
     if (crv != CKR_OK) {
         PORT_SetError( PK11_MapError(crv) );
         return SECFailure;
     }
     return SECSuccess;
 }
 
+SECStatus
+PK11_EncryptWithSymKey(PK11SymKey *symKey,

[wtc, 2013/03/26 18:24:46]

The two new functions are very similar to the PK11_SignWithSymKey
function above and the PK11_PrivDecryptPKCS1 and
PK11_PubEncryptPKCS1 functions below. Unfortunately
they use different conventions (SECItems vs.
unsigned char* buffer plus unsigned int length)
to represent inputs and outputs. I chose the latter.

[Ryan Sleevi, 2013/03/26 18:39:14]

I don't have strong feelings about this, although i will note that
PK11_SignWithSymKey is the new function we added following Lucky 13, so it seems
weird to add a sym equivalent that follows a different API pattern (the SECItem
vs unsigned char asymmetry that you noted)

+                       CK_MECHANISM_TYPE mechanism, SECItem *param,
+                       unsigned char *out, unsigned int *outLen,
+                       unsigned int maxLen,
+                       const unsigned char *data, unsigned dataLen)
+{
+    PK11SlotInfo *slot = symKey->slot;
+    CK_MECHANISM mech = {0, NULL, 0 };
+    CK_ULONG len = maxLen;
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    PRBool haslock = PR_FALSE;
+    CK_RV crv;
+
+    mech.mechanism = mechanism;
+    if (param) {
+        mech.pParameter = param->data;
+        mech.ulParameterLen = param->len;
+    }
+
+    session = pk11_GetNewSession(slot, &owner);
+    haslock = (!owner || !slot->isThreadSafe);
+    if (haslock) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_EncryptInit(session, &mech, symKey->objectID);
+    if (crv != CKR_OK) {
+        if (haslock) PK11_ExitSlotMonitor(slot);
+        pk11_CloseSession(slot,session,owner);
+        PORT_SetError( PK11_MapError(crv) );
+        return SECFailure;
+    }
+    crv = PK11_GETTAB(slot)->C_Encrypt(session, (unsigned char *)data,
+                                       dataLen, out, &len);
+    if (haslock) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    *outLen = len;
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
+SECStatus
+PK11_DecryptWithSymKey(PK11SymKey *symKey,
+                       CK_MECHANISM_TYPE mechanism, SECItem *param,
+                       unsigned char *out, unsigned int *outLen,
+                       unsigned int maxLen,
+                       const unsigned char *enc, unsigned encLen)
+{
+    PK11SlotInfo *slot = symKey->slot;
+    CK_MECHANISM mech = {0, NULL, 0 };
+    CK_ULONG len = maxLen;
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    PRBool haslock = PR_FALSE;
+    CK_RV crv;
+
+    mech.mechanism = mechanism;
+    if (param) {
+        mech.pParameter = param->data;
+        mech.ulParameterLen = param->len;
+    }
+
+    session = pk11_GetNewSession(slot, &owner);
+    haslock = (!owner || !slot->isThreadSafe);
+    if (haslock) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_DecryptInit(session, &mech, symKey->objectID);
+    if (crv != CKR_OK) {
+        if (haslock) PK11_ExitSlotMonitor(slot);
+        pk11_CloseSession(slot, session, owner);
+        PORT_SetError( PK11_MapError(crv) );
+        return SECFailure;
+    }
+
+    crv = PK11_GETTAB(slot)->C_Decrypt(session, (unsigned char *)enc, encLen,
+                                       out, &len);
+    if (haslock) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot, session, owner);
+    *outLen = len;
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
 /*
  * Now SSL 2.0 uses raw RSA stuff. These next to functions *must* use
  * RSA keys, or they'll fail. We do the checks up front. If anyone comes
  * up with a meaning for rawdecrypt for any other public key operation,
  * then we need to move this check into some of PK11_PubDecrypt callers,
  * (namely SSL 2.0).
  */
 static SECStatus
 pk11_PrivDecryptRaw(SECKEYPrivateKey *key, unsigned char *data, 
         unsigned *outLen, unsigned int maxLen, unsigned char *enc,
@@ skipping 1045 matching lines @@
         PORT_SetError( PK11_MapError(crv) );
         return NULL;
     }
 
     item->data = (unsigned char*) theTemplate[0].pValue;
     item->len =theTemplate[0].ulValueLen;
 
     return item;
 }