diff -up ./nss/lib/softoken/pkcs11.c.add_encrypt_derive ./nss/lib/softoken/pkcs11.c
--- ./nss/lib/softoken/pkcs11.c.add_encrypt_derive 2014-06-24 13:45:27.000000000 -0700
+++ ./nss/lib/softoken/pkcs11.c 2014-10-31 17:24:58.021526521 -0700
@@ -442,11 +442,22 @@ static const struct mechanismList mechan
#endif
/* --------------------- Secret Key Operations ------------------------ */
{CKM_GENERIC_SECRET_KEY_GEN, {1, 32, CKF_GENERATE}, PR_TRUE},
- {CKM_CONCATENATE_BASE_AND_KEY, {1, 32, CKF_GENERATE}, PR_FALSE},
- {CKM_CONCATENATE_BASE_AND_DATA, {1, 32, CKF_GENERATE}, PR_FALSE},
- {CKM_CONCATENATE_DATA_AND_BASE, {1, 32, CKF_GENERATE}, PR_FALSE},
- {CKM_XOR_BASE_AND_DATA, {1, 32, CKF_GENERATE}, PR_FALSE},
+ {CKM_CONCATENATE_BASE_AND_KEY, {1, 32, CKF_DERIVE}, PR_FALSE},
+ {CKM_CONCATENATE_BASE_AND_DATA, {1, 32, CKF_DERIVE}, PR_FALSE},
+ {CKM_CONCATENATE_DATA_AND_BASE, {1, 32, CKF_DERIVE}, PR_FALSE},
+ {CKM_XOR_BASE_AND_DATA, {1, 32, CKF_DERIVE}, PR_FALSE},
{CKM_EXTRACT_KEY_FROM_KEY, {1, 32, CKF_DERIVE}, PR_FALSE},
+ {CKM_EXTRACT_KEY_FROM_KEY, {1, 32, CKF_DERIVE}, PR_FALSE},
+ {CKM_DES_ECB_ENCRYPT_DATA, {1, 32, CKF_DERIVE}, PR_FALSE},
+ {CKM_DES_CBC_ENCRYPT_DATA, {1, 32, CKF_DERIVE}, PR_FALSE},
+ {CKM_DES3_ECB_ENCRYPT_DATA, {1, 32, CKF_DERIVE}, PR_FALSE},
+ {CKM_DES3_CBC_ENCRYPT_DATA, {1, 32, CKF_DERIVE}, PR_FALSE},
+ {CKM_AES_ECB_ENCRYPT_DATA, {1, 32, CKF_DERIVE}, PR_FALSE},
+ {CKM_AES_CBC_ENCRYPT_DATA, {1, 32, CKF_DERIVE}, PR_FALSE},
+ {CKM_CAMELLIA_ECB_ENCRYPT_DATA, {1, 32, CKF_DERIVE}, PR_FALSE},
+ {CKM_CAMELLIA_CBC_ENCRYPT_DATA, {1, 32, CKF_DERIVE}, PR_FALSE},
+ {CKM_SEED_ECB_ENCRYPT_DATA, {1, 32, CKF_DERIVE}, PR_FALSE},
+ {CKM_SEED_CBC_ENCRYPT_DATA, {1, 32, CKF_DERIVE}, PR_FALSE},
/* ---------------------- SSL Key Derivations ------------------------- */
{CKM_SSL3_PRE_MASTER_KEY_GEN, {48, 48, CKF_GENERATE}, PR_FALSE},
{CKM_SSL3_MASTER_KEY_DERIVE, {48, 48, CKF_DERIVE}, PR_FALSE},
diff -up ./nss/lib/softoken/pkcs11c.c.add_encrypt_derive ./nss/lib/softoken/pkcs11c.c
--- ./nss/lib/softoken/pkcs11c.c.add_encrypt_derive 2014-10-31 17:24:58.007526287 -0700
+++ ./nss/lib/softoken/pkcs11c.c 2014-10-31 17:33:59.457507480 -0700
@@ -5840,6 +5840,44 @@ static CK_RV sftk_ANSI_X9_63_kdf(CK_BYTE
#endif /* NSS_DISABLE_ECC */
/*
+ * Handle The derive from a block encryption cipher
+ */
+CK_RV
+sftk_DeriveEncrypt(SFTKObject *key, CK_ULONG keySize, void *cipherInfo,
+ int blockSize, unsigned char *data, CK_ULONG len, SFTKCipher encrypt)
+{
+ unsigned char *tmpdata = NULL;
+ SECStatus rv;
+ unsigned int outLen;
+ CK_RV crv;
+
+ if ((len % blockSize) != 0) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ if (keySize && (len < keySize)) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ if (keySize == 0) {
+ keySize = len;
+ }
+
+ tmpdata = PORT_Alloc(len);
+ if (tmpdata == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ rv = (*encrypt)(cipherInfo, tmpdata, &outLen, len, data, len);
+ if (rv != SECSuccess) {
+ crv = sftk_MapCryptError(PORT_GetError());
+ PORT_ZFree(tmpdata, len);
+ return crv;
+ }
+
+ crv = sftk_forceAttribute (key,CKA_VALUE,tmpdata,keySize);
+ PORT_ZFree(tmpdata,len);
+ return crv;
+}
+
+/*
* SSL Key generation given pre master secret
*/
#define NUM_MIXERS 9
@@ -5883,6 +5921,9 @@ CK_RV NSC_DeriveKey( CK_SESSION_HANDLE h
CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
CK_OBJECT_CLASS classType = CKO_SECRET_KEY;
CK_KEY_DERIVATION_STRING_DATA *stringPtr;
+ CK_AES_CBC_ENCRYPT_DATA_PARAMS *aesEncryptPtr;
+ CK_DES_CBC_ENCRYPT_DATA_PARAMS *desEncryptPtr;
+ void *cipherInfo;
PRBool isTLS = PR_FALSE;
PRBool isSHA256 = PR_FALSE;
PRBool isDH = PR_FALSE;
@@ -5892,6 +5933,7 @@ CK_RV NSC_DeriveKey( CK_SESSION_HANDLE h
unsigned char sha_out[SHA1_LENGTH];
unsigned char key_block[NUM_MIXERS * MD5_LENGTH];
unsigned char key_block2[MD5_LENGTH];
+ unsigned char des3key[24];
PRBool isFIPS;
HASH_HashType hashType;
PRBool extractValue = PR_TRUE;
@@ -6544,6 +6586,136 @@ key_and_mac_derive_fail:
break;
}
+ case CKM_DES_ECB_ENCRYPT_DATA:
+ stringPtr = (CK_KEY_DERIVATION_STRING_DATA *) pMechanism->pParameter;
+ cipherInfo = DES_CreateContext( (unsigned char*)att->attrib.pValue,
+ NULL, NSS_DES, PR_TRUE);
+ if (cipherInfo == NULL) { crv = CKR_HOST_MEMORY; break; }
+ crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 8,
+ stringPtr->pData, stringPtr->ulLen, (SFTKCipher) DES_Encrypt);
+ DES_DestroyContext(cipherInfo, PR_TRUE);
+ break;
+
+ case CKM_DES_CBC_ENCRYPT_DATA:
+ desEncryptPtr = (CK_DES_CBC_ENCRYPT_DATA_PARAMS *)
+ pMechanism->pParameter;
+ cipherInfo = DES_CreateContext( (unsigned char*)att->attrib.pValue,
+ desEncryptPtr->iv, NSS_DES_CBC, PR_TRUE);
+ if (cipherInfo == NULL) { crv = CKR_HOST_MEMORY; break; }
+ crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 8,
+ desEncryptPtr->pData, desEncryptPtr->length,
+ (SFTKCipher) DES_Encrypt);
+ DES_DestroyContext(cipherInfo, PR_TRUE);
+ break;
+
+ case CKM_DES3_ECB_ENCRYPT_DATA:
+ stringPtr = (CK_KEY_DERIVATION_STRING_DATA *) pMechanism->pParameter;
+ if (att->attrib.ulValueLen == 16) {
+ PORT_Memcpy(des3key, att->attrib.pValue, 16);
+ PORT_Memcpy(des3key + 16, des3key, 8);
+ } else if (att->attrib.ulValueLen == 24) {
+ PORT_Memcpy(des3key, att->attrib.pValue, 24);
+ } else {
+ crv = CKR_KEY_SIZE_RANGE; break;
+ }
+ cipherInfo = DES_CreateContext( des3key, NULL, NSS_DES_EDE3, PR_TRUE);
+ PORT_Memset(des3key, 0, 24);
+ if (cipherInfo == NULL) { crv = CKR_HOST_MEMORY; break; }
+ crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 8,
+ stringPtr->pData, stringPtr->ulLen, (SFTKCipher) DES_Encrypt);
+ DES_DestroyContext(cipherInfo, PR_TRUE);
+ break;
+
+ case CKM_DES3_CBC_ENCRYPT_DATA:
+ desEncryptPtr = (CK_DES_CBC_ENCRYPT_DATA_PARAMS *)
+ pMechanism->pParameter;
+ if (att->attrib.ulValueLen == 16) {
+ PORT_Memcpy(des3key, att->attrib.pValue, 16);
+ PORT_Memcpy(des3key + 16, des3key, 8);
+ } else if (att->attrib.ulValueLen == 24) {
+ PORT_Memcpy(des3key, att->attrib.pValue, 24);
+ } else {
+ crv = CKR_KEY_SIZE_RANGE; break;
+ }
+ cipherInfo = DES_CreateContext( des3key, desEncryptPtr->iv,
+ NSS_DES_EDE3_CBC, PR_TRUE);
+ PORT_Memset(des3key, 0, 24);
+ if (cipherInfo == NULL) { crv = CKR_HOST_MEMORY; break; }
+ crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 8,
+ desEncryptPtr->pData, desEncryptPtr->length,
+ (SFTKCipher) DES_Encrypt);
+ DES_DestroyContext(cipherInfo, PR_TRUE);
+ break;
+
+ case CKM_AES_ECB_ENCRYPT_DATA:
+ stringPtr = (CK_KEY_DERIVATION_STRING_DATA *) pMechanism->pParameter;
+ cipherInfo = AES_CreateContext( (unsigned char*)att->attrib.pValue,
+ NULL, NSS_AES, PR_TRUE, att->attrib.ulValueLen, 16);
+ if (cipherInfo == NULL) { crv = CKR_HOST_MEMORY; break; }
+ crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 16,
+ stringPtr->pData, stringPtr->ulLen, (SFTKCipher) AES_Encrypt);
+ AES_DestroyContext(cipherInfo, PR_TRUE);
+ break;
+
+ case CKM_AES_CBC_ENCRYPT_DATA:
+ aesEncryptPtr = (CK_AES_CBC_ENCRYPT_DATA_PARAMS *)
+ pMechanism->pParameter;
+ cipherInfo = AES_CreateContext( (unsigned char*)att->attrib.pValue,
+ aesEncryptPtr->iv, NSS_AES_CBC,
+ PR_TRUE, att->attrib.ulValueLen, 16);
+ if (cipherInfo == NULL) { crv = CKR_HOST_MEMORY; break; }
+ crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 16,
+ aesEncryptPtr->pData, aesEncryptPtr->length,
+ (SFTKCipher) AES_Encrypt);
+ AES_DestroyContext(cipherInfo, PR_TRUE);
+ break;
+
+ case CKM_CAMELLIA_ECB_ENCRYPT_DATA:
+ stringPtr = (CK_KEY_DERIVATION_STRING_DATA *) pMechanism->pParameter;
+ cipherInfo = Camellia_CreateContext( (unsigned char*)att->attrib.pValue,
+ NULL, NSS_CAMELLIA, PR_TRUE,att->attrib.ulValueLen);
+ if (cipherInfo == NULL) { crv = CKR_HOST_MEMORY; break; }
+ crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 16,
+ stringPtr->pData, stringPtr->ulLen,
+ (SFTKCipher) Camellia_Encrypt);
+ Camellia_DestroyContext(cipherInfo, PR_TRUE);
+ break;
+
+ case CKM_CAMELLIA_CBC_ENCRYPT_DATA:
+ aesEncryptPtr = (CK_AES_CBC_ENCRYPT_DATA_PARAMS *)
+ pMechanism->pParameter;
+ cipherInfo = Camellia_CreateContext((unsigned char*)att->attrib.pValue,
+ aesEncryptPtr->iv,NSS_CAMELLIA_CBC,
+ PR_TRUE, att->attrib.ulValueLen);
+ if (cipherInfo == NULL) { crv = CKR_HOST_MEMORY; break; }
+ crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 16,
+ aesEncryptPtr->pData, aesEncryptPtr->length,
+ (SFTKCipher) Camellia_Encrypt);
+ Camellia_DestroyContext(cipherInfo, PR_TRUE);
+ break;
+
+ case CKM_SEED_ECB_ENCRYPT_DATA:
+ stringPtr = (CK_KEY_DERIVATION_STRING_DATA *) pMechanism->pParameter;
+ cipherInfo = SEED_CreateContext( (unsigned char*)att->attrib.pValue,
+ NULL, NSS_SEED, PR_TRUE);
+ if (cipherInfo == NULL) { crv = CKR_HOST_MEMORY; break; }
+ crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 16,
+ stringPtr->pData, stringPtr->ulLen, (SFTKCipher) SEED_Encrypt);
+ SEED_DestroyContext(cipherInfo, PR_TRUE);
+ break;
+
+ case CKM_SEED_CBC_ENCRYPT_DATA:
+ aesEncryptPtr = (CK_AES_CBC_ENCRYPT_DATA_PARAMS *)
+ pMechanism->pParameter;
+ cipherInfo = SEED_CreateContext( (unsigned char*)att->attrib.pValue,
+ aesEncryptPtr->iv, NSS_SEED_CBC, PR_TRUE);
+ if (cipherInfo == NULL) { crv = CKR_HOST_MEMORY; break; }
+ crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 16,
+ aesEncryptPtr->pData, aesEncryptPtr->length,
+ (SFTKCipher) SEED_Encrypt);
+ SEED_DestroyContext(cipherInfo, PR_TRUE);
+ break;
+
case CKM_CONCATENATE_BASE_AND_DATA:
crv = sftk_DeriveSensitiveCheck(sourceKey,key);
if (crv != CKR_OK) break;