bug 401928 softoken updates for pkcs5 v2

r= nelsonb
2007-12-21 01:30:02 +00:00 · 2007-12-21 01:30:02 +00:00 · 9f23ab0bb9
--- a/security/nss/lib/softoken/lowpbe.c
+++ b/security/nss/lib/softoken/lowpbe.c
@ -362,7 +362,7 @@ nsspkcs5_PBKFD2_F(const SECHashObject *hashobj, SECItem *pwitem, SECItem *salt,
    unsigned int lastLength = salt->len + 4;
    unsigned int lastBufLength;

-    cx=HMAC_Create(hashobj,pwitem->data,pwitem->len,PR_TRUE);
+    cx=HMAC_Create(hashobj,pwitem->data,pwitem->len,PR_FALSE);
    if (cx == NULL) {
 	goto loser;
    }
@ -406,7 +406,7 @@ nsspkcs5_PBKDF2(const SECHashObject *hashobj, NSSPKCS5PBEParameter *pbe_param,
    int bytesNeeded = pbe_param->keyLen;
    unsigned int dkLen = bytesNeeded;
    unsigned int hLen = hashobj->length;
-    unsigned int l = (dkLen+hLen-1) / hLen;
+    unsigned int nblocks = (dkLen+hLen-1) / hLen;
    unsigned int i;
    unsigned char *rp;
    unsigned char *T = NULL;
@ -414,7 +414,7 @@ nsspkcs5_PBKDF2(const SECHashObject *hashobj, NSSPKCS5PBEParameter *pbe_param,
    SECItem *salt = &pbe_param->salt;
    SECStatus rv = SECFailure;

-    result = SECITEM_AllocItem(NULL,NULL,l*hLen);
+    result = SECITEM_AllocItem(NULL,NULL,nblocks*hLen);
    if (result == NULL) {
 	return NULL;
    }
@ -424,7 +424,7 @@ nsspkcs5_PBKDF2(const SECHashObject *hashobj, NSSPKCS5PBEParameter *pbe_param,
 	goto loser;
    }

-    for (i=0,rp=result->data; i < l ; i++, rp +=hLen) {
+    for (i=1,rp=result->data; i <= nblocks ; i++, rp +=hLen) {
 	rv = nsspkcs5_PBKFD2_F(hashobj,pwitem,salt,iterations,i,T);
 	if (rv != SECSuccess) {
 	    break;
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@ -450,6 +450,7 @@ static const struct mechanismList mechanisms[] = {
     {CKM_PBE_SHA1_RC4_40,		     {40,40, CKF_GENERATE}, PR_TRUE},
     {CKM_PBE_SHA1_RC4_128,		     {128,128, CKF_GENERATE}, PR_TRUE},
     {CKM_PBA_SHA1_WITH_SHA1_HMAC,	     {20,20, CKF_GENERATE}, PR_TRUE},
+     {CKM_PKCS5_PBKD2,   		     {1,256, CKF_GENERATE}, PR_TRUE},
     {CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN,    {20,20, CKF_GENERATE}, PR_TRUE},
     {CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN,     {16,16, CKF_GENERATE}, PR_TRUE},
     {CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN,     {16,16, CKF_GENERATE}, PR_TRUE},
--- a/security/nss/lib/softoken/pkcs11c.c
+++ b/security/nss/lib/softoken/pkcs11c.c
@ -628,8 +628,14 @@ finish_des:
    case CKM_CAMELLIA_CBC_PAD:
 	context->doPad = PR_TRUE;
 	/* fall thru */
-    case CKM_CAMELLIA_ECB:
    case CKM_CAMELLIA_CBC:
+	if (!pMechanism->pParameter ||
+		 pMechanism->ulParameterLen != 16) {
+	    crv = CKR_MECHANISM_PARAM_INVALID;
+	    break;
+	}
+	/* fall thru */
+    case CKM_CAMELLIA_ECB:
 	context->blockSize = 16;
 	if (key_type != CKK_CAMELLIA) {
 	    crv = CKR_KEY_TYPE_INCONSISTENT;
@ -2630,11 +2636,12 @@ nsc_pbe_key_gen(NSSPKCS5PBEParameter *pkcs5_pbe, CK_MECHANISM_PTR pMechanism,
    if (pMechanism->mechanism == CKM_PKCS5_PBKD2) {
 	pbkd2_params = (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter;
 	pwitem.data = (unsigned char *)pbkd2_params->pPassword;
-	pwitem.len = (unsigned int)pbkd2_params->ulPasswordLen;
+	/* was this a typo in the PKCS #11 spec? */
+	pwitem.len = *pbkd2_params->ulPasswordLen;
    } else {
 	pbe_params = (CK_PBE_PARAMS *)pMechanism->pParameter;
 	pwitem.data = (unsigned char *)pbe_params->pPassword;
-	pwitem.len = (unsigned int)pbe_params->ulPasswordLen;
+	pwitem.len = pbe_params->ulPasswordLen;
    }
    pbe_key = nsspkcs5_ComputeKeyAndIV(pkcs5_pbe, &pwitem, &iv, faulty3DES);
    if (pbe_key == NULL) {
@ -3053,6 +3060,7 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession,
    case CKM_PBE_SHA1_RC4_40:
    case CKM_PBE_MD5_DES_CBC:
    case CKM_PBE_MD2_DES_CBC:
+    case CKM_PKCS5_PBKD2:
 	key_gen_type = nsc_pbe;
 	crv = nsc_SetupPBEKeyGen(pMechanism,&pbe_param, &key_type, &key_length);
 	break;