From a885868181c07ba9ab5cdfdad1d66d387b2a4428 Mon Sep 17 00:00:00 2001
From: Jan Friesse <jfriesse@redhat.com>
Date: Tue, 20 Jun 2017 15:25:09 +0200
Subject: [PATCH] totemcrypto: Refactor symmetric key importing

Signed-off-by: Jan Friesse <jfriesse@redhat.com>
Reviewed-by: Fabio M. Di Nitto <fdinitto@redhat.com>
Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
---
 exec/totemcrypto.c |   96 +++++++++++++++++++++++++++++-----------------------
 1 files changed, 54 insertions(+), 42 deletions(-)

diff --git a/exec/totemcrypto.c b/exec/totemcrypto.c
index a97ba62..0e98f27 100644
--- a/exec/totemcrypto.c
+++ b/exec/totemcrypto.c
@@ -206,6 +206,11 @@ do {									\
 		(const char *)format, ##args);				\
 } while (0);
 
+enum sym_key_type {
+	SYM_KEY_TYPE_CRYPT,
+	SYM_KEY_TYPE_HASH
+};
+
 /*
  * crypt/decrypt functions
  */
@@ -226,38 +231,65 @@ static int string_to_crypto_cipher_type(const char* crypto_cipher_type)
 	return CRYPTO_CIPHER_TYPE_AES256;
 }
 
-static int init_nss_crypto(struct crypto_instance *instance)
+static PK11SymKey *import_symmetric_key(struct crypto_instance *instance, enum sym_key_type key_type)
 {
-	PK11SlotInfo*	crypt_slot = NULL;
-	SECItem		crypt_param;
+	SECItem key_item;
+	PK11SlotInfo *slot;
+	PK11SymKey *res_key;
+	CK_MECHANISM_TYPE cipher;
+	CK_ATTRIBUTE_TYPE operation;
+
+	memset(&key_item, 0, sizeof(key_item));
+	slot = NULL;
+
+	key_item.type = siBuffer;
+	key_item.data = instance->private_key;
+
+	switch (key_type) {
+	case SYM_KEY_TYPE_CRYPT:
+		key_item.len = cipher_key_len[instance->crypto_cipher_type];
+		cipher = cipher_to_nss[instance->crypto_cipher_type];
+		operation = CKA_ENCRYPT|CKA_DECRYPT;
+		break;
+	case SYM_KEY_TYPE_HASH:
+		key_item.len = instance->private_key_len;
+		cipher = hash_to_nss[instance->crypto_hash_type];
+		operation = CKA_SIGN;
+		break;
+	}
+
+	slot = PK11_GetBestSlot(cipher, NULL);
+	if (slot == NULL) {
+		log_printf(instance->log_level_security, "Unable to find security slot (%d): %s",
+			   PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		return (NULL);
+	}
 
-	if (!cipher_to_nss[instance->crypto_cipher_type]) {
-		return 0;
+	res_key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, operation, &key_item, NULL);
+	if (res_key == NULL) {
+		log_printf(instance->log_level_security, "Failure to import key into NSS (%d): %s",
+			   PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+		goto exit_err;
 	}
 
-	crypt_param.type = siBuffer;
-	crypt_param.data = instance->private_key;
-	crypt_param.len = cipher_key_len[instance->crypto_cipher_type];
+exit_err:
+	PK11_FreeSlot(slot);
 
-	crypt_slot = PK11_GetBestSlot(cipher_to_nss[instance->crypto_cipher_type], NULL);
-	if (crypt_slot == NULL) {
-		log_printf(instance->log_level_security, "Unable to find security slot (err %d)",
-			   PR_GetError());
-		return -1;
+	return (res_key);
+}
+
+static int init_nss_crypto(struct crypto_instance *instance)
+{
+
+	if (!cipher_to_nss[instance->crypto_cipher_type]) {
+		return 0;
 	}
 
-	instance->nss_sym_key = PK11_ImportSymKey(crypt_slot,
-						  cipher_to_nss[instance->crypto_cipher_type],
-						  PK11_OriginUnwrap, CKA_ENCRYPT|CKA_DECRYPT,
-						  &crypt_param, NULL);
+	instance->nss_sym_key = import_symmetric_key(instance, SYM_KEY_TYPE_CRYPT);
 	if (instance->nss_sym_key == NULL) {
-		log_printf(instance->log_level_security, "Failure to import key into NSS (err %d)",
-			   PR_GetError());
 		return -1;
 	}
 
-	PK11_FreeSlot(crypt_slot);
-
 	return 0;
 }
 
@@ -447,36 +479,16 @@ static int string_to_crypto_hash_type(const char* crypto_hash_type)
 
 static int init_nss_hash(struct crypto_instance *instance)
 {
-	PK11SlotInfo*	hash_slot = NULL;
-	SECItem		hash_param;
 
 	if (!hash_to_nss[instance->crypto_hash_type]) {
 		return 0;
 	}
 
-	hash_param.type = siBuffer;
-	hash_param.data = instance->private_key;
-	hash_param.len = instance->private_key_len;
-
-	hash_slot = PK11_GetBestSlot(hash_to_nss[instance->crypto_hash_type], NULL);
-	if (hash_slot == NULL) {
-		log_printf(instance->log_level_security, "Unable to find security slot (err %d)",
-			   PR_GetError());
-		return -1;
-	}
-
-	instance->nss_sym_key_sign = PK11_ImportSymKey(hash_slot,
-						       hash_to_nss[instance->crypto_hash_type],
-						       PK11_OriginUnwrap, CKA_SIGN,
-						       &hash_param, NULL);
+	instance->nss_sym_key_sign = import_symmetric_key(instance, SYM_KEY_TYPE_HASH);
 	if (instance->nss_sym_key_sign == NULL) {
-		log_printf(instance->log_level_security, "Failure to import key into NSS (err %d)",
-			   PR_GetError());
 		return -1;
 	}
 
-	PK11_FreeSlot(hash_slot);
-
 	return 0;
 }
 
-- 
1.7.1