From a885868181c07ba9ab5cdfdad1d66d387b2a4428 Mon Sep 17 00:00:00 2001 From: Jan Friesse Date: Tue, 20 Jun 2017 15:25:09 +0200 Subject: [PATCH] totemcrypto: Refactor symmetric key importing Signed-off-by: Jan Friesse Reviewed-by: Fabio M. Di Nitto Reviewed-by: Christine Caulfield --- exec/totemcrypto.c | 96 +++++++++++++++++++++++++++++----------------------- 1 files changed, 54 insertions(+), 42 deletions(-) diff --git a/exec/totemcrypto.c b/exec/totemcrypto.c index a97ba62..0e98f27 100644 --- a/exec/totemcrypto.c +++ b/exec/totemcrypto.c @@ -206,6 +206,11 @@ do { \ (const char *)format, ##args); \ } while (0); +enum sym_key_type { + SYM_KEY_TYPE_CRYPT, + SYM_KEY_TYPE_HASH +}; + /* * crypt/decrypt functions */ @@ -226,38 +231,65 @@ static int string_to_crypto_cipher_type(const char* crypto_cipher_type) return CRYPTO_CIPHER_TYPE_AES256; } -static int init_nss_crypto(struct crypto_instance *instance) +static PK11SymKey *import_symmetric_key(struct crypto_instance *instance, enum sym_key_type key_type) { - PK11SlotInfo* crypt_slot = NULL; - SECItem crypt_param; + SECItem key_item; + PK11SlotInfo *slot; + PK11SymKey *res_key; + CK_MECHANISM_TYPE cipher; + CK_ATTRIBUTE_TYPE operation; + + memset(&key_item, 0, sizeof(key_item)); + slot = NULL; + + key_item.type = siBuffer; + key_item.data = instance->private_key; + + switch (key_type) { + case SYM_KEY_TYPE_CRYPT: + key_item.len = cipher_key_len[instance->crypto_cipher_type]; + cipher = cipher_to_nss[instance->crypto_cipher_type]; + operation = CKA_ENCRYPT|CKA_DECRYPT; + break; + case SYM_KEY_TYPE_HASH: + key_item.len = instance->private_key_len; + cipher = hash_to_nss[instance->crypto_hash_type]; + operation = CKA_SIGN; + break; + } + + slot = PK11_GetBestSlot(cipher, NULL); + if (slot == NULL) { + log_printf(instance->log_level_security, "Unable to find security slot (%d): %s", + PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT)); + return (NULL); + } - if (!cipher_to_nss[instance->crypto_cipher_type]) { - return 0; + res_key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, operation, &key_item, NULL); + if (res_key == NULL) { + log_printf(instance->log_level_security, "Failure to import key into NSS (%d): %s", + PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT)); + goto exit_err; } - crypt_param.type = siBuffer; - crypt_param.data = instance->private_key; - crypt_param.len = cipher_key_len[instance->crypto_cipher_type]; +exit_err: + PK11_FreeSlot(slot); - crypt_slot = PK11_GetBestSlot(cipher_to_nss[instance->crypto_cipher_type], NULL); - if (crypt_slot == NULL) { - log_printf(instance->log_level_security, "Unable to find security slot (err %d)", - PR_GetError()); - return -1; + return (res_key); +} + +static int init_nss_crypto(struct crypto_instance *instance) +{ + + if (!cipher_to_nss[instance->crypto_cipher_type]) { + return 0; } - instance->nss_sym_key = PK11_ImportSymKey(crypt_slot, - cipher_to_nss[instance->crypto_cipher_type], - PK11_OriginUnwrap, CKA_ENCRYPT|CKA_DECRYPT, - &crypt_param, NULL); + instance->nss_sym_key = import_symmetric_key(instance, SYM_KEY_TYPE_CRYPT); if (instance->nss_sym_key == NULL) { - log_printf(instance->log_level_security, "Failure to import key into NSS (err %d)", - PR_GetError()); return -1; } - PK11_FreeSlot(crypt_slot); - return 0; } @@ -447,36 +479,16 @@ static int string_to_crypto_hash_type(const char* crypto_hash_type) static int init_nss_hash(struct crypto_instance *instance) { - PK11SlotInfo* hash_slot = NULL; - SECItem hash_param; if (!hash_to_nss[instance->crypto_hash_type]) { return 0; } - hash_param.type = siBuffer; - hash_param.data = instance->private_key; - hash_param.len = instance->private_key_len; - - hash_slot = PK11_GetBestSlot(hash_to_nss[instance->crypto_hash_type], NULL); - if (hash_slot == NULL) { - log_printf(instance->log_level_security, "Unable to find security slot (err %d)", - PR_GetError()); - return -1; - } - - instance->nss_sym_key_sign = PK11_ImportSymKey(hash_slot, - hash_to_nss[instance->crypto_hash_type], - PK11_OriginUnwrap, CKA_SIGN, - &hash_param, NULL); + instance->nss_sym_key_sign = import_symmetric_key(instance, SYM_KEY_TYPE_HASH); if (instance->nss_sym_key_sign == NULL) { - log_printf(instance->log_level_security, "Failure to import key into NSS (err %d)", - PR_GetError()); return -1; } - PK11_FreeSlot(hash_slot); - return 0; } -- 1.7.1