Update NSS to 3.21 RTM and NSPR to 4.11 RTM

nss/lib/softoken/pkcs11c.c

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /*
  * This file implements PKCS 11 on top of our existing security modules
  *
  * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
  *   This implementation has two slots:
  *      slot 1 is our generic crypto support. It does not require login.
  *   It supports Public Key ops, and all they bulk ciphers and hashes. 
@@ skipping 55 matching lines @@
 #ifndef NSS_DISABLE_ECC
 #ifdef EC_DEBUG
 #define SEC_PRINT(str1, str2, num, sitem) \
     printf("pkcs11c.c:%s:%s (keytype=%d) [len=%d]\n", \
             str1, str2, num, sitem->len); \
     for (i = 0; i < sitem->len; i++) { \
             printf("%02x:", sitem->data[i]); \
     } \
     printf("\n") 
 #else
+#undef EC_DEBUG
 #define SEC_PRINT(a, b, c, d) 
 #endif
 #endif /* NSS_DISABLE_ECC */
 
 /*
  * free routines.... Free local type  allocated data, and convert
  * other free routines to the destroy signature.
  */
 static void
 sftk_FreePrivKey(NSSLOWKEYPrivateKey *key, PRBool freeit)
@@ skipping 2544 matching lines @@
 
     case CKM_SSL3_MD5_MAC:
         crv = sftk_doSSLMACInit(context,SEC_OID_MD5,key,
                                         *(CK_ULONG *)pMechanism->pParameter);
         break;
     case CKM_SSL3_SHA1_MAC:
         crv = sftk_doSSLMACInit(context,SEC_OID_SHA1,key,
                                         *(CK_ULONG *)pMechanism->pParameter);
         break;
     case CKM_TLS_PRF_GENERAL:
-        crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgNULL);
+        crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgNULL, 0);
         break;
+    case CKM_TLS_MAC: {
+        CK_TLS_MAC_PARAMS *tls12_mac_params;
+        HASH_HashType tlsPrfHash;
+        const char *label;
+
+        if (pMechanism->ulParameterLen != sizeof(CK_TLS_MAC_PARAMS)) {
+            crv = CKR_MECHANISM_PARAM_INVALID;
+            break;
+        }
+        tls12_mac_params = (CK_TLS_MAC_PARAMS *)pMechanism->pParameter;
+        if (tls12_mac_params->prfMechanism == CKM_TLS_PRF) {
+            /* The TLS 1.0 and 1.1 PRF */
+            tlsPrfHash = HASH_AlgNULL;
+            if (tls12_mac_params->ulMacLength != 12) {
+                crv = CKR_MECHANISM_PARAM_INVALID;
+                break;
+            }
+        } else {
+            /* The hash function for the TLS 1.2 PRF */
+            tlsPrfHash =
+                GetHashTypeFromMechanism(tls12_mac_params->prfMechanism);
+            if (tlsPrfHash == HASH_AlgNULL ||
+                tls12_mac_params->ulMacLength < 12) {
+                crv = CKR_MECHANISM_PARAM_INVALID;
+                break;
+            }
+        }
+        if (tls12_mac_params->ulServerOrClient == 1) {
+            label = "server finished";
+        } else if (tls12_mac_params->ulServerOrClient == 2) {
+            label = "client finished";
+        } else {
+            crv = CKR_MECHANISM_PARAM_INVALID;
+            break;
+        }
+        crv = sftk_TLSPRFInit(context, key, key_type, tlsPrfHash,
+                              tls12_mac_params->ulMacLength);
+        if (crv == CKR_OK) {
+            context->hashUpdate(context->hashInfo, label, 15);
+        }
+        break;
+    }
     case CKM_NSS_TLS_PRF_GENERAL_SHA256:
-        crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgSHA256);
+        crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgSHA256, 0);
         break;
 
     case CKM_NSS_HMAC_CONSTANT_TIME: {
         sftk_MACConstantTimeCtx *ctx =
             sftk_HMACConstantTime_New(pMechanism,key);
         CK_ULONG *intpointer;
 
         if (ctx == NULL) {
             crv = CKR_ARGUMENTS_BAD;
             break;
         }
         intpointer = PORT_New(CK_ULONG);
         if (intpointer == NULL) {
+            PORT_Free(ctx);
             crv = CKR_HOST_MEMORY;
             break;
         }
         *intpointer = ctx->hash->length;
 
         context->cipherInfo    = intpointer;
         context->hashInfo      = ctx;
         context->currentMech   = pMechanism->mechanism;
         context->hashUpdate    = sftk_HMACConstantTime_Update;
         context->hashdestroy   = sftk_MACConstantTime_DestroyContext;
         context->end           = sftk_MACConstantTime_EndHash;
         context->update        = (SFTKCipher) sftk_SignCopy;
         context->destroy       = sftk_Space;
         context->maxLen        = 64;
         context->multi         = PR_TRUE;
         break;
     }
 
     case CKM_NSS_SSL3_MAC_CONSTANT_TIME: {
         sftk_MACConstantTimeCtx *ctx =
             sftk_SSLv3MACConstantTime_New(pMechanism,key);
         CK_ULONG *intpointer;
 
         if (ctx == NULL) {
             crv = CKR_ARGUMENTS_BAD;
             break;
         }
         intpointer = PORT_New(CK_ULONG);
         if (intpointer == NULL) {
+            PORT_Free(ctx);
             crv = CKR_HOST_MEMORY;
             break;
         }
         *intpointer = ctx->hash->length;
 
         context->cipherInfo    = intpointer;
         context->hashInfo      = ctx;
         context->currentMech   = pMechanism->mechanism;
         context->hashUpdate    = sftk_SSLv3MACConstantTime_Update;
         context->hashdestroy   = sftk_MACConstantTime_DestroyContext;
@@ skipping 531 matching lines @@
 
     case CKM_SSL3_MD5_MAC:
         crv = sftk_doSSLMACInit(context,SEC_OID_MD5,key,
                                         *(CK_ULONG *)pMechanism->pParameter);
         break;
     case CKM_SSL3_SHA1_MAC:
         crv = sftk_doSSLMACInit(context,SEC_OID_SHA1,key,
                                         *(CK_ULONG *)pMechanism->pParameter);
         break;
     case CKM_TLS_PRF_GENERAL:
-        crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgNULL);
+        crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgNULL, 0);
         break;
     case CKM_NSS_TLS_PRF_GENERAL_SHA256:
-        crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgSHA256);
+        crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgSHA256, 0);
         break;
 
     default:
         crv = CKR_MECHANISM_INVALID;
         break;
     }
 
     if (crv != CKR_OK) {
         if (info) PORT_Free(info);
         sftk_FreeContext(context);
@@ skipping 519 matching lines @@
     params->pbeType = NSSPKCS5_PKCS12_V2;
     params->hashType = HASH_AlgSHA1;
     params->encAlg = SEC_OID_SHA1; /* any invalid value */
     params->is2KeyDES = PR_FALSE;
     params->keyID = pbeBitGenIntegrityKey;
     pbe_params = (CK_PBE_PARAMS *)pMechanism->pParameter;
     params->iter = pbe_params->ulIteration;
 
     salt.data = (unsigned char *)pbe_params->pSalt;
     salt.len = (unsigned int)pbe_params->ulSaltLen;
+    salt.type = siBuffer;
     rv = SECITEM_CopyItem(arena,&params->salt,&salt);
     if (rv != SECSuccess) {
         PORT_FreeArena(arena,PR_TRUE);
         return CKR_HOST_MEMORY;
     }
     switch (pMechanism->mechanism) {
     case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN:
     case CKM_PBA_SHA1_WITH_SHA1_HMAC:
         params->hashType = HASH_AlgSHA1; 
         params->keyLen = 20;
@@ skipping 124 matching lines @@
     unsigned char buf[MAX_KEY_LEN];
     enum {nsc_pbe, nsc_ssl, nsc_bulk, nsc_param, nsc_jpake} key_gen_type;
     NSSPKCS5PBEParameter *pbe_param;
     SSL3RSAPreMasterSecret *rsa_pms;
     CK_VERSION *version;
     /* in very old versions of NSS, there were implementation errors with key 
      * generation methods.  We want to beable to read these, but not 
      * produce them any more.  The affected algorithm was 3DES.
      */
     PRBool faultyPBE3DES = PR_FALSE;
-    HASH_HashType hashType;
+    HASH_HashType hashType = HASH_AlgNULL;
 
     CHECK_FORK();
 
     if (!slot) {
         return CKR_SESSION_HANDLE_INVALID;
     }
     /*
      * now lets create an object to hang the attributes off of
      */
     key = sftk_NewObject(slot); /* fill in the handle later */
@@ skipping 221 matching lines @@
      *
      * For sign/verify:     CKK_RSA  => CKM_RSA_PKCS
      *                      CKK_DSA  => CKM_DSA
      *                      CKK_EC   => CKM_ECDSA
      *                      others   => CKM_INVALID_MECHANISM
      *
      * None of these mechanisms has a parameter.
      */
     CK_MECHANISM mech = {0, NULL, 0};
 
-    CK_ULONG modulusLen;
-    CK_ULONG subPrimeLen;
+    CK_ULONG modulusLen = 0;
+    CK_ULONG subPrimeLen = 0;
     PRBool isEncryptable = PR_FALSE;
     PRBool canSignVerify = PR_FALSE;
     PRBool isDerivable = PR_FALSE;
     CK_RV crv;
 
     /* Variables used for Encrypt/Decrypt functions. */
     unsigned char *known_message = (unsigned char *)"Known Crypto Message";
     unsigned char plaintext[PAIRWISE_MESSAGE_LENGTH];
     CK_ULONG bytes_decrypted;
     unsigned char *ciphertext;
@@ skipping 277 matching lines @@
     int                 public_modulus_bits = 0;
     SECItem             pubExp;
     RSAPrivateKey *     rsaPriv;
 
     /* DSA */
     PQGParams           pqgParam;
     DHParams            dhParam;
     DSAPrivateKey *     dsaPriv;
 
     /* Diffie Hellman */
-    int                 private_value_bits = 0;
     DHPrivateKey *      dhPriv;
 
 #ifndef NSS_DISABLE_ECC
     /* Elliptic Curve Cryptography */
     SECItem             ecEncodedParams;  /* DER Encoded parameters */
     ECPrivateKey *      ecPriv;
     ECParams *          ecParams;
 #endif /* NSS_DISABLE_ECC */
 
     CHECK_FORK();
@@ skipping 31 matching lines @@
     privateKey = sftk_NewObject(slot); /* fill in the handle later */
     if (privateKey == NULL) {
         sftk_FreeObject(publicKey);
         return CKR_HOST_MEMORY;
     }
     /*
      * now load the private key template
      */
     for (i=0; i < (int) ulPrivateKeyAttributeCount; i++) {
         if (pPrivateKeyTemplate[i].type == CKA_VALUE_BITS) {
-            private_value_bits = *(CK_ULONG *)pPrivateKeyTemplate[i].pValue;
             continue;
         }
 
         crv = sftk_AddAttributeType(privateKey,
                                     sftk_attr_expand(&pPrivateKeyTemplate[i]));
         if (crv != CKR_OK) break;
     }
 
     if (crv != CKR_OK) {
         sftk_FreeObject(publicKey);
@@ skipping 449 matching lines @@
 {
     NSSLOWKEYPrivateKey *lk = NULL;
     NSSLOWKEYPrivateKeyInfo *pki = NULL;
     SFTKAttribute *attribute = NULL;
     PLArenaPool *arena = NULL;
     SECOidTag algorithm = SEC_OID_UNKNOWN;
     void *dummy, *param = NULL;
     SECStatus rv = SECSuccess;
     SECItem *encodedKey = NULL;
 #ifndef NSS_DISABLE_ECC
+#ifdef EC_DEBUG
     SECItem *fordebug;
+#endif
     int savelen;
 #endif
 
     if(!key) {
         *crvp = CKR_KEY_HANDLE_INVALID; /* really can't happen */
         return NULL;
     }
 
     attribute = sftk_FindAttribute(key, CKA_KEY_TYPE);
     if(!attribute) {
@@ skipping 52 matching lines @@
              * length before encoding and restore it later.
              */
             lk->u.ec.publicValue.len <<= 3;
             savelen = lk->u.ec.ecParams.curveOID.len;
             lk->u.ec.ecParams.curveOID.len = 0;
             dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, lk,
                                        nsslowkey_ECPrivateKeyTemplate);
             lk->u.ec.ecParams.curveOID.len = savelen;
             lk->u.ec.publicValue.len >>= 3;
 
+#ifdef EC_DEBUG
             fordebug = &pki->privateKey;
             SEC_PRINT("sftk_PackagePrivateKey()", "PrivateKey", lk->keyType,
                       fordebug);
+#endif
 
             param = SECITEM_DupItem(&lk->u.ec.ecParams.DEREncoding);
 
             algorithm = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
             break;
 #endif /* NSS_DISABLE_ECC */
         case NSSLOWKEYDHKey:
         default:
             dummy = NULL;
             break;
@@ skipping 18 matching lines @@
     if(!dummy) {
         *crvp = CKR_DEVICE_ERROR; /* should map NSS SECError */
         rv = SECFailure;
         goto loser;
     }
 
     encodedKey = SEC_ASN1EncodeItem(NULL, NULL, pki, 
                                     nsslowkey_PrivateKeyInfoTemplate);
     *crvp = encodedKey ? CKR_OK : CKR_DEVICE_ERROR;
 
-#ifndef NSS_DISABLE_ECC
+#ifdef EC_DEBUG
     fordebug = encodedKey;
     SEC_PRINT("sftk_PackagePrivateKey()", "PrivateKeyInfo", lk->keyType,
               fordebug);
 #endif
 loser:
     if(arena) {
         PORT_FreeArena(arena, PR_TRUE);
     }
 
     if(lk && (lk != key->objectInfo)) {
@@ skipping 828 matching lines @@
     MD2Context *    md2;
     CK_ULONG        macSize;
     CK_ULONG        tmpKeySize;
     CK_ULONG        IVSize;
     CK_ULONG        keySize     = 0;
     CK_RV           crv         = CKR_OK;
     CK_BBOOL        cktrue      = CK_TRUE;
     CK_KEY_TYPE     keyType     = CKK_GENERIC_SECRET;
     CK_OBJECT_CLASS classType   = CKO_SECRET_KEY;
     CK_KEY_DERIVATION_STRING_DATA *stringPtr;
+    CK_MECHANISM_TYPE mechanism = pMechanism->mechanism;
     PRBool          isTLS = PR_FALSE;
-    PRBool          isSHA256 = PR_FALSE;
     PRBool          isDH = PR_FALSE;
+    HASH_HashType   tlsPrfHash = HASH_AlgNULL;
     SECStatus       rv;
     int             i;
     unsigned int    outLen;
     unsigned char   sha_out[SHA1_LENGTH];
     unsigned char   key_block[NUM_MIXERS * MD5_LENGTH];
     unsigned char   key_block2[MD5_LENGTH];
     PRBool          isFIPS;             
     HASH_HashType   hashType;
     PRBool          extractValue = PR_TRUE;
 
@@ skipping 26 matching lines @@
         if (pTemplate[i].type == CKA_VALUE_LEN) {
             keySize = *(CK_ULONG *)pTemplate[i].pValue;
         }
     }
     if (crv != CKR_OK) { sftk_FreeObject(key); return crv; }
 
     if (keySize == 0) {
         keySize = sftk_MapKeySize(keyType);
     }
 
-    switch (pMechanism->mechanism) {
+    switch (mechanism) {
       case CKM_NSS_JPAKE_ROUND2_SHA1:   /* fall through */
       case CKM_NSS_JPAKE_ROUND2_SHA256: /* fall through */
       case CKM_NSS_JPAKE_ROUND2_SHA384: /* fall through */
       case CKM_NSS_JPAKE_ROUND2_SHA512:
           extractValue = PR_FALSE;
           classType = CKO_PRIVATE_KEY;
           break;
       case CKM_NSS_JPAKE_FINAL_SHA1:   /* fall through */
       case CKM_NSS_JPAKE_FINAL_SHA256: /* fall through */
       case CKM_NSS_JPAKE_FINAL_SHA384: /* fall through */
@@ skipping 27 matching lines @@
     if (extractValue) {
         /* get the value of the base key */
         att = sftk_FindAttribute(sourceKey,CKA_VALUE);
         if (att == NULL) {
             sftk_FreeObject(key);
             sftk_FreeObject(sourceKey);
             return CKR_KEY_HANDLE_INVALID;
         }
     }
 
-    switch (pMechanism->mechanism) {
+    switch (mechanism) {
     /*
      * generate the master secret 
      */
+    case CKM_TLS12_MASTER_KEY_DERIVE:
+    case CKM_TLS12_MASTER_KEY_DERIVE_DH:
     case CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256:
     case CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256:
-        isSHA256 = PR_TRUE;
-        /* fall thru */
     case CKM_TLS_MASTER_KEY_DERIVE:
     case CKM_TLS_MASTER_KEY_DERIVE_DH:
-        isTLS = PR_TRUE;
-        /* fall thru */
     case CKM_SSL3_MASTER_KEY_DERIVE:
     case CKM_SSL3_MASTER_KEY_DERIVE_DH:
       {
         CK_SSL3_MASTER_KEY_DERIVE_PARAMS *ssl3_master;
         SSL3RSAPreMasterSecret *          rsa_pms;
         unsigned char                     crsrdata[SSL3_RANDOM_LENGTH * 2];
 
-        if ((pMechanism->mechanism == CKM_SSL3_MASTER_KEY_DERIVE_DH) ||
-            (pMechanism->mechanism == CKM_TLS_MASTER_KEY_DERIVE_DH) ||
-            (pMechanism->mechanism == CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256))
-                isDH = PR_TRUE;
+        if ((mechanism == CKM_TLS12_MASTER_KEY_DERIVE) ||
+            (mechanism == CKM_TLS12_MASTER_KEY_DERIVE_DH)) {
+            CK_TLS12_MASTER_KEY_DERIVE_PARAMS *tls12_master =
+                (CK_TLS12_MASTER_KEY_DERIVE_PARAMS *) pMechanism->pParameter;
+            tlsPrfHash = GetHashTypeFromMechanism(tls12_master->prfHashMechanism);
+            if (tlsPrfHash == HASH_AlgNULL) {
+                crv = CKR_MECHANISM_PARAM_INVALID;
+                break;
+            }
+        } else if ((mechanism == CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256) ||
+                   (mechanism == CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256)) {
+            tlsPrfHash = HASH_AlgSHA256;
+        }
 
-        /* first do the consistancy checks */
+        if ((mechanism != CKM_SSL3_MASTER_KEY_DERIVE) &&
+            (mechanism != CKM_SSL3_MASTER_KEY_DERIVE_DH)) {
+            isTLS = PR_TRUE;
+        }
+        if ((mechanism == CKM_SSL3_MASTER_KEY_DERIVE_DH) ||
+            (mechanism == CKM_TLS_MASTER_KEY_DERIVE_DH) ||
+            (mechanism == CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256) ||
+            (mechanism == CKM_TLS12_MASTER_KEY_DERIVE_DH)) {
+            isDH = PR_TRUE;
+        }
+
+        /* first do the consistency checks */
         if (!isDH && (att->attrib.ulValueLen != SSL3_PMS_LENGTH)) {
             crv = CKR_KEY_TYPE_INCONSISTENT;
             break;
         }
         att2 = sftk_FindAttribute(sourceKey,CKA_KEY_TYPE);
         if ((att2 == NULL) || (*(CK_KEY_TYPE *)att2->attrib.pValue !=
                                         CKK_GENERIC_SECRET)) {
             if (att2) sftk_FreeAttribute(att2);
             crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
             break;
@@ skipping 44 matching lines @@
             SECItem master = { siBuffer, NULL, 0 };
             SECItem pms    = { siBuffer, NULL, 0 };
 
             crsr.data   = crsrdata;
             crsr.len    = sizeof crsrdata;
             master.data = key_block;
             master.len  = SSL3_MASTER_SECRET_LENGTH;
             pms.data    = (unsigned char*)att->attrib.pValue;
             pms.len     =                 att->attrib.ulValueLen;
 
-            if (isSHA256) {
-                status = TLS_P_hash(HASH_AlgSHA256, &pms, "master secret",
+            if (tlsPrfHash != HASH_AlgNULL) {
+                status = TLS_P_hash(tlsPrfHash, &pms, "master secret",
                                     &crsr, &master, isFIPS);
             } else {
                 status = TLS_PRF(&pms, "master secret", &crsr, &master, isFIPS);
             }
             if (status != SECSuccess) {
                 crv = CKR_FUNCTION_FAILED;
                 break;
             }
         } else {
             /* now allocate the hash contexts */
@@ skipping 42 matching lines @@
             if (crv != CKR_OK) break;
             crv = sftk_forceAttribute(key,CKA_VERIFY,&cktrue,sizeof(CK_BBOOL));
             if (crv != CKR_OK) break;
             /* While we're here, we might as well force this, too. */
             crv = sftk_forceAttribute(key,CKA_DERIVE,&cktrue,sizeof(CK_BBOOL));
             if (crv != CKR_OK) break;
         }
         break;
       }
 
+    /* Extended master key derivation [draft-ietf-tls-session-hash] */
+    case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE:
+    case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH:
+      {
+        CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS *ems_params;
+        SSL3RSAPreMasterSecret *rsa_pms;
+        SECStatus status;
+        SECItem pms    = { siBuffer, NULL, 0 };
+        SECItem seed   = { siBuffer, NULL, 0 };
+        SECItem master = { siBuffer, NULL, 0 };
+
+        ems_params = (CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS*)
+            pMechanism->pParameter;
+
+        /* First do the consistency checks */
+        if ((mechanism == CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE) &&
+            (att->attrib.ulValueLen != SSL3_PMS_LENGTH)) {
+            crv = CKR_KEY_TYPE_INCONSISTENT;
+            break;
+        }
+        att2 = sftk_FindAttribute(sourceKey,CKA_KEY_TYPE);
+        if ((att2 == NULL) ||
+            (*(CK_KEY_TYPE *)att2->attrib.pValue != CKK_GENERIC_SECRET)) {
+            if (att2) sftk_FreeAttribute(att2);
+            crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
+            break;
+        }
+        sftk_FreeAttribute(att2);
+        if (keyType != CKK_GENERIC_SECRET) {
+            crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
+            break;
+        }
+        if ((keySize != 0) && (keySize != SSL3_MASTER_SECRET_LENGTH)) {
+            crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
+            break;
+        }
+
+        /* Do the key derivation */
+        pms.data    = (unsigned char*) att->attrib.pValue;
+        pms.len     =                  att->attrib.ulValueLen;
+        seed.data   = ems_params->pSessionHash;
+        seed.len    = ems_params->ulSessionHashLen;
+        master.data = key_block;
+        master.len  = SSL3_MASTER_SECRET_LENGTH;
+        if (ems_params-> prfHashMechanism == CKM_TLS_PRF) {
+            /*
+             * In this case, the session hash is the concatenation of SHA-1
+             * and MD5, so it should be 36 bytes long.
+             */
+            if (seed.len != MD5_LENGTH + SHA1_LENGTH) {
+                crv = CKR_TEMPLATE_INCONSISTENT;
+                break;
+            }
+
+            status = TLS_PRF(&pms, "extended master secret",
+                             &seed, &master, isFIPS);
+        } else {
+            const SECHashObject *hashObj;
+
+            tlsPrfHash = GetHashTypeFromMechanism(ems_params->prfHashMechanism);
+            if (tlsPrfHash == HASH_AlgNULL) {
+                crv = CKR_MECHANISM_PARAM_INVALID;
+                break;
+            }
+
+            hashObj = HASH_GetRawHashObject(tlsPrfHash);
+            if (seed.len != hashObj->length) {
+                crv = CKR_TEMPLATE_INCONSISTENT;
+                break;
+            }
+
+            status = TLS_P_hash(tlsPrfHash, &pms, "extended master secret",
+                                &seed, &master, isFIPS);
+        }
+        if (status != SECSuccess) {
+            crv = CKR_FUNCTION_FAILED;
+            break;
+        }
+
+        /* Reflect the version if required */
+        if (ems_params->pVersion) {
+            SFTKSessionObject *sessKey = sftk_narrowToSessionObject(key);
+            rsa_pms = (SSL3RSAPreMasterSecret *) att->attrib.pValue;
+            /* don't leak more key material than necessary for SSL to work */
+            if ((sessKey == NULL) || sessKey->wasDerived) {
+                ems_params->pVersion->major = 0xff;
+                ems_params->pVersion->minor = 0xff;
+            } else {
+                ems_params->pVersion->major = rsa_pms->client_version[0];
+                ems_params->pVersion->minor = rsa_pms->client_version[1];
+            }
+        }
+
+        /* Store the results */
+        crv = sftk_forceAttribute(key, CKA_VALUE, key_block,
+                                  SSL3_MASTER_SECRET_LENGTH);
+        break;
+      }
+
+    case CKM_TLS12_KEY_AND_MAC_DERIVE:
     case CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256:
-        isSHA256 = PR_TRUE;
-        /* fall thru */
     case CKM_TLS_KEY_AND_MAC_DERIVE:
-        isTLS = PR_TRUE;
-        /* fall thru */
     case CKM_SSL3_KEY_AND_MAC_DERIVE:
       {
         CK_SSL3_KEY_MAT_PARAMS *ssl3_keys;
         CK_SSL3_KEY_MAT_OUT *   ssl3_keys_out;
         CK_ULONG                effKeySize;
         unsigned int            block_needed;
         unsigned char           srcrdata[SSL3_RANDOM_LENGTH * 2];
         unsigned char           crsrdata[SSL3_RANDOM_LENGTH * 2];
 
+        if (mechanism == CKM_TLS12_KEY_AND_MAC_DERIVE) {
+            CK_TLS12_KEY_MAT_PARAMS *tls12_keys =
+                (CK_TLS12_KEY_MAT_PARAMS *) pMechanism->pParameter;
+            tlsPrfHash = GetHashTypeFromMechanism(tls12_keys->prfHashMechanism);
+            if (tlsPrfHash == HASH_AlgNULL) {
+                crv = CKR_MECHANISM_PARAM_INVALID;
+                break;
+            }
+        } else if (mechanism == CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256) {
+            tlsPrfHash = HASH_AlgSHA256;
+        }
+
+        if (mechanism != CKM_SSL3_KEY_AND_MAC_DERIVE) {
+            isTLS = PR_TRUE;
+        }
+
         crv = sftk_DeriveSensitiveCheck(sourceKey,key);
         if (crv != CKR_OK) break;
 
         if (att->attrib.ulValueLen != SSL3_MASTER_SECRET_LENGTH) {
             crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
             break;
         }
         att2 = sftk_FindAttribute(sourceKey,CKA_KEY_TYPE);
         if ((att2 == NULL) || (*(CK_KEY_TYPE *)att2->attrib.pValue !=
                                         CKK_GENERIC_SECRET)) {
@@ skipping 59 matching lines @@
             SECItem       keyblk = { siBuffer, NULL, 0 };
             SECItem       master = { siBuffer, NULL, 0 }; 
 
             srcr.data   = srcrdata;
             srcr.len    = sizeof srcrdata;
             keyblk.data = key_block;
             keyblk.len  = block_needed;
             master.data = (unsigned char*)att->attrib.pValue;
             master.len  =                 att->attrib.ulValueLen;
 
-            if (isSHA256) {
-                status = TLS_P_hash(HASH_AlgSHA256, &master, "key expansion",
+            if (tlsPrfHash != HASH_AlgNULL) {
+                status = TLS_P_hash(tlsPrfHash, &master, "key expansion",
                                     &srcr, &keyblk, isFIPS);
             } else {
                 status = TLS_PRF(&master, "key expansion", &srcr, &keyblk,
                                  isFIPS);
             }
             if (status != SECSuccess) {
                 goto key_and_mac_derive_fail;
             }
         } else {
             unsigned int block_bytes = 0;
@@ skipping 543 matching lines @@
 
 #ifndef NSS_DISABLE_ECC
     case CKM_ECDH1_DERIVE:
     case CKM_ECDH1_COFACTOR_DERIVE:
       {
         SECItem  ecScalar, ecPoint;
         SECItem  tmp;
         PRBool   withCofactor = PR_FALSE;
         unsigned char *secret;
         unsigned char *keyData = NULL;
-        int secretlen, curveLen, pubKeyLen;
+        unsigned int secretlen, curveLen, pubKeyLen;
         CK_ECDH1_DERIVE_PARAMS *mechParams;
         NSSLOWKEYPrivateKey *privKey;
         PLArenaPool *arena = NULL;
 
         /* Check mechanism parameters */
         mechParams = (CK_ECDH1_DERIVE_PARAMS *) pMechanism->pParameter;
         if ((pMechanism->ulParameterLen != sizeof(CK_ECDH1_DERIVE_PARAMS)) ||
             ((mechParams->kdf == CKD_NULL) &&
                 ((mechParams->ulSharedDataLen != 0) || 
                     (mechParams->pSharedData != NULL)))) {
@@ skipping 31 matching lines @@
 
             rv = SEC_QuickDERDecodeItem(arena, &newPoint, 
                                         SEC_ASN1_GET(SEC_OctetStringTemplate), 
                                         &ecPoint);
             if (rv != SECSuccess) {
                 goto ec_loser;
             }
             ecPoint = newPoint;
         }
 
-        if (pMechanism->mechanism == CKM_ECDH1_COFACTOR_DERIVE) {
+        if (mechanism == CKM_ECDH1_COFACTOR_DERIVE) {
             withCofactor = PR_TRUE;
         } else {
             /* When not using cofactor derivation, one should
              * validate the public key to avoid small subgroup
              * attacks.
              */
             if (EC_ValidatePublicKey(&privKey->u.ec.ecParams, &ecPoint) 
                 != SECSuccess) {
                 goto ec_loser;
             }
@@ skipping 495 matching lines @@
     att = sftk_FindAttribute(key,CKA_VALUE);
     sftk_FreeObject(key);
     if (!att) {
         return CKR_KEY_HANDLE_INVALID;        
     }
     crv = NSC_DigestUpdate(hSession,(CK_BYTE_PTR)att->attrib.pValue,
                            att->attrib.ulValueLen);
     sftk_FreeAttribute(att);
     return crv;
 }