| blob | 374e0bbd0fe994162b5a186a8fd22a3c1b0eaf89 |
1 /* ***** BEGIN LICENSE BLOCK *****
2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
3 *
4 * The contents of this file are subject to the Mozilla Public License Version
5 * 1.1 (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 * http://www.mozilla.org/MPL/
8 *
9 * Software distributed under the License is distributed on an "AS IS" basis,
10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11 * for the specific language governing rights and limitations under the
12 * License.
13 *
14 * The Original Code is the Netscape security libraries.
15 *
16 * The Initial Developer of the Original Code is
17 * Netscape Communications Corporation.
18 * Portions created by the Initial Developer are Copyright (C) 1994-2000
19 * the Initial Developer. All Rights Reserved.
20 *
21 * Contributor(s):
22 *
23 * Alternatively, the contents of this file may be used under the terms of
24 * either the GNU General Public License Version 2 or later (the "GPL"), or
25 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
26 * in which case the provisions of the GPL or the LGPL are applicable instead
27 * of those above. If you wish to allow use of your version of this file only
28 * under the terms of either the GPL or the LGPL, and not to allow others to
29 * use your version of this file under the terms of the MPL, indicate your
30 * decision by deleting the provisions above and replace them with the notice
31 * and other provisions required by the GPL or the LGPL. If you do not delete
32 * the provisions above, a recipient may use your version of this file under
33 * the terms of any one of the MPL, the GPL or the LGPL.
34 *
35 * ***** END LICENSE BLOCK ***** */
37 /*
38 * Encryption/decryption routines for CMS implementation, none of which are exported.
39 *
40 * $Id: cmscipher.c,v 1.12 2008/02/03 06:08:49 nelson%bolyard.com Exp $
41 */
51 /*
52 * -------------------------------------------------------------------
53 * Cipher stuff.
54 */
60 #define BLOCK_SIZE 4096
64 nss_cms_cipher_function doit;
65 nss_cms_cipher_destroy destroy;
71 };
73 /*
74 * NSS_CMSCipherContext_StartDecrypt - create a cipher context to do decryption
75 * based on the given bulk encryption key and algorithm identifier (which
76 * may include an iv).
77 *
78 * XXX Once both are working, it might be nice to combine this and the
79 * function below (for starting up encryption) into one routine, and just
80 * have two simple cover functions which call it.
81 */
82 NSSCMSCipherContext *
84 {
87 CK_MECHANISM_TYPE cryptoMechType;
90 SECOidTag algtag;
94 /* set param and mechanism */
105 }
111 }
117 }
119 /* figure out pad and block sizes */
125 /* create PK11 cipher context */
132 }
141 }
143 /*
144 * NSS_CMSCipherContext_StartEncrypt - create a cipher object to do encryption,
145 * based on the given bulk encryption key and algorithm tag. Fill in the
146 * algorithm identifier (which may include an iv) appropriately.
147 *
148 * XXX Once both are working, it might be nice to combine this and the
149 * function above (for starting up decryption) into one routine, and just
150 * have two simple cover functions which call it.
151 */
152 NSSCMSCipherContext *
154 {
158 SECStatus rv;
159 CK_MECHANISM_TYPE cryptoMechType;
164 /* set param and mechanism */
175 }
181 }
186 }
188 /* now find pad and block sizes for our mechanism */
194 /* and here we go, creating a PK11 cipher context */
201 }
203 /*
204 * These are placed after the CreateContextBySymKey() because some
205 * mechanisms have to generate their IVs from their card (i.e. FORTEZZA).
206 * Don't move it from here.
207 * XXX is that right? the purpose of this is to get the correct algid
208 * containing the IVs etc. for encoding. this means we need to set this up
209 * BEFORE encoding the algid in the contentInfo, right?
210 */
217 }
218 }
226 loser:
230 }
232 void
234 {
240 }
242 /*
243 * NSS_CMSCipherContext_DecryptLength - find the output length of the next call to decrypt.
244 *
245 * cc - the cipher context
246 * input_len - number of bytes used as input
247 * final - true if this is the final chunk of data
248 *
249 * Result can be used to perform memory allocations. Note that the amount
250 * is exactly accurate only when not doing a block cipher or when final
251 * is false, otherwise it is an upper bound on the amount because until
252 * we see the data we do not know how many padding bytes there are
253 * (always between 1 and bsize).
254 *
255 * Note that this can return zero, which does not mean that the decrypt
256 * operation can be skipped! (It simply means that there are not enough
257 * bytes to make up an entire block; the bytes will be reserved until
258 * there are enough to encrypt/decrypt at least one block.) However,
259 * if zero is returned it *does* mean that no output buffer need be
260 * passed in to the subsequent decrypt operation, as no output bytes
261 * will be stored.
262 */
263 unsigned int
264 NSS_CMSCipherContext_DecryptLength(NSSCMSCipherContext *cc, unsigned int input_len, PRBool final)
265 {
272 /*
273 * If this is not a block cipher, then we always have the same
274 * number of output bytes as we had input bytes.
275 */
279 /*
280 * On the final call, we will always use up all of the pending
281 * bytes plus all of the input bytes, *but*, there will be padding
282 * at the end and we cannot predict how many bytes of padding we
283 * will end up removing. The amount given here is actually known
284 * to be at least 1 byte too long (because we know we will have
285 * at least 1 byte of padding), but seemed clearer/better to me.
286 */
290 /*
291 * Okay, this amount is exactly what we will output on the
292 * next cipher operation. We will always hang onto the last
293 * 1 - block_size bytes for non-final operations. That is,
294 * we will do as many complete blocks as we can *except* the
295 * last block (complete or partial). (This is because until
296 * we know we are at the end, we cannot know when to interpret
297 * and removing the padding byte(s), which are guaranteed to
298 * be there.)
299 */
302 }
304 /*
305 * NSS_CMSCipherContext_EncryptLength - find the output length of the next call to encrypt.
306 *
307 * cc - the cipher context
308 * input_len - number of bytes used as input
309 * final - true if this is the final chunk of data
310 *
311 * Result can be used to perform memory allocations.
312 *
313 * Note that this can return zero, which does not mean that the encrypt
314 * operation can be skipped! (It simply means that there are not enough
315 * bytes to make up an entire block; the bytes will be reserved until
316 * there are enough to encrypt/decrypt at least one block.) However,
317 * if zero is returned it *does* mean that no output buffer need be
318 * passed in to the subsequent encrypt operation, as no output bytes
319 * will be stored.
320 */
321 unsigned int
322 NSS_CMSCipherContext_EncryptLength(NSSCMSCipherContext *cc, unsigned int input_len, PRBool final)
323 {
332 /*
333 * If this is not a block cipher, then we always have the same
334 * number of output bytes as we had input bytes.
335 */
339 /*
340 * On the final call, we only send out what we need for
341 * remaining bytes plus the padding. (There is always padding,
342 * so even if we have an exact number of blocks as input, we
343 * will add another full block that is just padding.)
344 */
350 blocks++;
352 }
353 }
355 /*
356 * Now, count the number of complete blocks of data we have.
357 */
362 }
365 /*
366 * NSS_CMSCipherContext_Decrypt - do the decryption
367 *
368 * cc - the cipher context
369 * output - buffer for decrypted result bytes
370 * output_len_p - number of bytes in output
371 * max_output_len - upper bound on bytes to put into output
372 * input - pointer to input bytes
373 * input_len - number of input bytes
374 * final - true if this is the final chunk of data
375 *
376 * Decrypts a given length of input buffer (starting at "input" and
377 * containing "input_len" bytes), placing the decrypted bytes in
378 * "output" and storing the output length in "*output_len_p".
379 * "cc" is the return value from NSS_CMSCipher_StartDecrypt.
380 * When "final" is true, this is the last of the data to be decrypted.
381 *
382 * This is much more complicated than it sounds when the cipher is
383 * a block-type, meaning that the decryption function will only
384 * operate on whole blocks. But our caller is operating stream-wise,
385 * and can pass in any number of bytes. So we need to keep track
386 * of block boundaries. We save excess bytes between calls in "cc".
387 * We also need to determine which bytes are padding, and remove
388 * them from the output. We can only do this step when we know we
389 * have the final block of data. PKCS #7 specifies that the padding
390 * used for a block cipher is a string of bytes, each of whose value is
391 * the same as the length of the padding, and that all data is padded.
392 * (Even data that starts out with an exact multiple of blocks gets
393 * added to it another block, all of which is padding.)
394 */
395 SECStatus
399 PRBool final)
400 {
404 SECStatus rv;
408 /*
409 * Check that we have enough room for the output. Our caller should
410 * already handle this; failure is really an internal error (i.e. bug).
411 */
415 /* PORT_SetError (XXX); */
417 }
419 /*
420 * hardware encryption does not like small decryption sizes here, so we
421 * allow both blocking and padding.
422 */
426 /*
427 * When no blocking or padding work to do, we can simply call the
428 * cipher function and we are done.
429 */
433 }
441 /*
442 * Try to fill in an entire block, starting with the bytes
443 * we already have saved away.
444 */
447 input_len--;
448 }
449 /*
450 * If we have at most a whole block and this is not our last call,
451 * then we are done for now. (We do not try to decrypt a lone
452 * single block because we cannot interpret the padding bytes
453 * until we know we are handling the very last block of all input.)
454 */
460 }
461 /*
462 * Given the logic above, we expect to have a full block by now.
463 * If we do not, there is something wrong, either with our own
464 * logic or with (length of) the data given to us.
465 */
470 }
471 /*
472 * Decrypt the block.
473 */
479 /*
480 * For now anyway, all of our ciphers have the same number of
481 * bytes of output as they do input. If this ever becomes untrue,
482 * then NSS_CMSCipherContext_DecryptLength needs to be made smarter!
483 */
486 /*
487 * Account for the bytes now in output.
488 */
492 }
494 /*
495 * If this is our last call, we expect to have an exact number of
496 * blocks left to be decrypted; we will decrypt them all.
497 *
498 * If not our last call, we always save between 1 and bsize bytes
499 * until next time. (We must do this because we cannot be sure
500 * that none of the decrypted bytes are padding bytes until we
501 * have at least another whole block of data. You cannot tell by
502 * looking -- the data could be anything -- you can only tell by
503 * context, knowing you are looking at the last block.) We could
504 * decrypt a whole block now but it is easier if we just treat it
505 * the same way we treat partial block bytes.
506 */
517 }
526 }
534 /*
535 * For now anyway, all of our ciphers have the same number of
536 * bytes of output as they do input. If this ever becomes untrue,
537 * then sec_PKCS7DecryptLength needs to be made smarter!
538 */
543 }
548 }
550 /*
551 * If we just did our very last block, "remove" the padding by
552 * adjusting the output length.
553 */
560 }
562 }
569 }
571 /*
572 * NSS_CMSCipherContext_Encrypt - do the encryption
573 *
574 * cc - the cipher context
575 * output - buffer for decrypted result bytes
576 * output_len_p - number of bytes in output
577 * max_output_len - upper bound on bytes to put into output
578 * input - pointer to input bytes
579 * input_len - number of input bytes
580 * final - true if this is the final chunk of data
581 *
582 * Encrypts a given length of input buffer (starting at "input" and
583 * containing "input_len" bytes), placing the encrypted bytes in
584 * "output" and storing the output length in "*output_len_p".
585 * "cc" is the return value from NSS_CMSCipher_StartEncrypt.
586 * When "final" is true, this is the last of the data to be encrypted.
587 *
588 * This is much more complicated than it sounds when the cipher is
589 * a block-type, meaning that the encryption function will only
590 * operate on whole blocks. But our caller is operating stream-wise,
591 * and can pass in any number of bytes. So we need to keep track
592 * of block boundaries. We save excess bytes between calls in "cc".
593 * We also need to add padding bytes at the end. PKCS #7 specifies
594 * that the padding used for a block cipher is a string of bytes,
595 * each of whose value is the same as the length of the padding,
596 * and that all data is padded. (Even data that starts out with
597 * an exact multiple of blocks gets added to it another block,
598 * all of which is padding.)
599 *
600 * XXX I would kind of like to combine this with the function above
601 * which does decryption, since they have a lot in common. But the
602 * tricky parts about padding and filling blocks would be much
603 * harder to read that way, so I left them separate. At least for
604 * now until it is clear that they are right.
605 */
606 SECStatus
610 PRBool final)
611 {
615 SECStatus rv;
619 /*
620 * Check that we have enough room for the output. Our caller should
621 * already handle this; failure is really an internal error (i.e. bug).
622 */
626 /* PORT_SetError (XXX); */
628 }
633 /*
634 * When no blocking and padding work to do, we can simply call the
635 * cipher function and we are done.
636 */
640 }
648 /*
649 * Try to fill in an entire block, starting with the bytes
650 * we already have saved away.
651 */
654 input_len--;
655 }
656 /*
657 * If we do not have a full block and we know we will be
658 * called again, then we are done for now.
659 */
665 }
666 /*
667 * If we have a whole block available, encrypt it.
668 */
675 /*
676 * For now anyway, all of our ciphers have the same number of
677 * bytes of output as they do input. If this ever becomes untrue,
678 * then sec_PKCS7EncryptLength needs to be made smarter!
679 */
682 /*
683 * Account for the bytes now in output.
684 */
690 }
691 }
705 /*
706 * For now anyway, all of our ciphers have the same number of
707 * bytes of output as they do input. If this ever becomes untrue,
708 * then sec_PKCS7EncryptLength needs to be made smarter!
709 */
715 }
721 }
731 /*
732 * For now anyway, all of our ciphers have the same number of
733 * bytes of output as they do input. If this ever becomes untrue,
734 * then sec_PKCS7EncryptLength needs to be made smarter!
735 */
740 }
747 }