/* This Source Code Form is subject to the terms of the Mozilla Public

 * License, v. 2.0. If a copy of the MPL was not distributed with this

 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*

 * This file implements PKCS 11 on top of our existing security modules

 *

 * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.

 *   This implementation has two slots:

 *      slot 1 is our generic crypto support. It does not require login.

 *   It supports Public Key ops, and all they bulk ciphers and hashes.

 *   It can also support Private Key ops for imported Private keys. It does

 *   not have any token storage.

 *      slot 2 is our private key support. It requires a login before use. It

 *   can store Private Keys and Certs as token objects. Currently only private

 *   keys and their associated Certificates are saved on the token.

 *

 *   In this implementation, session objects are only visible to the session

 *   that created or generated them.

 */

#include <limits.h> /* for UINT_MAX and ULONG_MAX */

#include "seccomon.h"

#include "secitem.h"

#include "secport.h"

#include "blapi.h"

#include "pkcs11.h"

#include "pkcs11i.h"

#include "pkcs1sig.h"

#include "lowkeyi.h"

#include "secder.h"

#include "secdig.h"

#include "lowpbe.h" /* We do PBE below */

#include "pkcs11t.h"

#include "secoid.h"

#include "cmac.h"

#include "alghmac.h"

#include "softoken.h"

#include "secasn1.h"

#include "secerr.h"

#include "kem.h"

#include "kyber.h"

#include "prprf.h"

#include "prenv.h"

#define __PASTE(x, y) x##y

#define BAD_PARAM_CAST(pMech, typeSize) (!pMech->pParameter || pMech->ulParameterLen < typeSize)

/*

 * we renamed all our internal functions, get the correct

 * definitions for them...

 */

#undef CK_PKCS11_FUNCTION_INFO

#undef CK_NEED_ARG_LIST

#define CK_PKCS11_3_0 1

#define CK_EXTERN extern

#define CK_PKCS11_FUNCTION_INFO(func) \

    CK_RV __PASTE(NS, func)

#define CK_NEED_ARG_LIST 1

#include "pkcs11f.h"

/* create a definition of SHA1 that's consistent

 * with the rest of the CKM_SHAxxx hashes*/

#define CKM_SHA1 CKM_SHA_1

#define CKM_SHA1_HMAC CKM_SHA_1_HMAC

#define CKM_SHA1_HMAC_GENERAL CKM_SHA_1_HMAC_GENERAL

typedef struct {

    PRUint8 client_version[2];

    PRUint8 random[46];

} SSL3RSAPreMasterSecret;

static void

sftk_Null(void *data, PRBool freeit)

{

    return;

}

#ifdef EC_DEBUG

#define SEC_PRINT(str1, str2, num, sitem)             \

    printf("pkcs11c.c:%s:%s (keytype=%d) [len=%d]\n", \

           str1, str2, num, sitem->len);              \

    for (i = 0; i < sitem->len; i++) {                \

        printf("%02x:", sitem->data[i]);              \

    }                                                 \

    printf("\n")

#else

#undef EC_DEBUG

#define SEC_PRINT(a, b, c, d)

#endif

/*

 * free routines.... Free local type  allocated data, and convert

 * other free routines to the destroy signature.

 */

static void

sftk_FreePrivKey(NSSLOWKEYPrivateKey *key, PRBool freeit)

{

    nsslowkey_DestroyPrivateKey(key);

}

static void

sftk_Space(void *data, PRBool freeit)

{

    PORT_Free(data);

}

static void

sftk_ZSpace(void *data, PRBool freeit)

{

    size_t len = *(size_t *)data;

    PORT_ZFree(data, len);

}

/*

 * turn a CDMF key into a des key. CDMF is an old IBM scheme to export DES by

 * Deprecating a full des key to 40 bit key strenth.

 */

static CK_RV

sftk_cdmf2des(unsigned char *cdmfkey, unsigned char *deskey)

{

    unsigned char key1[8] = { 0xc4, 0x08, 0xb0, 0x54, 0x0b, 0xa1, 0xe0, 0xae };

    unsigned char key2[8] = { 0xef, 0x2c, 0x04, 0x1c, 0xe6, 0x38, 0x2f, 0xe6 };

    unsigned char enc_src[8];

    unsigned char enc_dest[8];

    unsigned int leng, i;

    DESContext *descx;

    SECStatus rv;

    CK_RV crv = CKR_OK;

    /* zero the parity bits */

    for (i = 0; i < 8; i++) {

        enc_src[i] = cdmfkey[i] & 0xfe;

    }

    /* encrypt with key 1 */

    descx = DES_CreateContext(key1, NULL, NSS_DES, PR_TRUE);

    if (descx == NULL) {

        crv = CKR_HOST_MEMORY;

        goto done;

    }

    rv = DES_Encrypt(descx, enc_dest, &leng, 8, enc_src, 8);

    DES_DestroyContext(descx, PR_TRUE);

    if (rv != SECSuccess) {

        crv = sftk_MapCryptError(PORT_GetError());

        goto done;

    }

    /* xor source with des, zero the parity bits and deprecate the key*/

    for (i = 0; i < 8; i++) {

        if (i & 1) {

            enc_src[i] = (enc_src[i] ^ enc_dest[i]) & 0xfe;

        } else {

            enc_src[i] = (enc_src[i] ^ enc_dest[i]) & 0x0e;

        }

    }

    /* encrypt with key 2 */

    descx = DES_CreateContext(key2, NULL, NSS_DES, PR_TRUE);

    if (descx == NULL) {

        crv = CKR_HOST_MEMORY;

        goto done;

    }

    rv = DES_Encrypt(descx, deskey, &leng, 8, enc_src, 8);

    DES_DestroyContext(descx, PR_TRUE);

    if (rv != SECSuccess) {

        crv = sftk_MapCryptError(PORT_GetError());

        goto done;

    }

    /* set the corret parity on our new des key */

    sftk_FormatDESKey(deskey, 8);

done:

    PORT_Memset(enc_src, 0, sizeof enc_src);

    PORT_Memset(enc_dest, 0, sizeof enc_dest);

    return crv;

}

/* NSC_DestroyObject destroys an object. */

CK_RV

NSC_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)

{

    SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);

    SFTKSession *session;

    SFTKObject *object;

    SFTKFreeStatus status;

    CHECK_FORK();

    if (slot == NULL) {

        return CKR_SESSION_HANDLE_INVALID;

    }

    /*

     * This whole block just makes sure we really can destroy the

     * requested object.

     */

    session = sftk_SessionFromHandle(hSession);

    if (session == NULL) {

        return CKR_SESSION_HANDLE_INVALID;

    }

    object = sftk_ObjectFromHandle(hObject, session);

    if (object == NULL) {

        sftk_FreeSession(session);

        return CKR_OBJECT_HANDLE_INVALID;

    }

    /* don't destroy a private object if we aren't logged in */

    if ((!slot->isLoggedIn) && (slot->needLogin) &&

        (sftk_isTrue(object, CKA_PRIVATE))) {

        sftk_FreeSession(session);

        sftk_FreeObject(object);

        return CKR_USER_NOT_LOGGED_IN;

    }

    /* don't destroy a token object if we aren't in a rw session */

    if (((session->info.flags & CKF_RW_SESSION) == 0) &&

        (sftk_isTrue(object, CKA_TOKEN))) {

        sftk_FreeSession(session);

        sftk_FreeObject(object);

        return CKR_SESSION_READ_ONLY;

    }

    sftk_DeleteObject(session, object);

    sftk_FreeSession(session);

    /*

     * get some indication if the object is destroyed. Note: this is not

     * 100%. Someone may have an object reference outstanding (though that

     * should not be the case by here. Also note that the object is "half"

     * destroyed. Our internal representation is destroyed, but it may still

     * be in the data base.

     */

    status = sftk_FreeObject(object);

    return (status != SFTK_DestroyFailure) ? CKR_OK : CKR_DEVICE_ERROR;

}

/*

 * Returns true if "params" contains a valid set of PSS parameters

 */

static PRBool

sftk_ValidatePssParams(const CK_RSA_PKCS_PSS_PARAMS *params)

{

    if (!params) {

        return PR_FALSE;

    }

    if (sftk_GetHashTypeFromMechanism(params->hashAlg) == HASH_AlgNULL ||

        sftk_GetHashTypeFromMechanism(params->mgf) == HASH_AlgNULL) {

        return PR_FALSE;

    }

    return PR_TRUE;

}

/*

 * Returns true if "params" contains a valid set of OAEP parameters

 */

static PRBool

sftk_ValidateOaepParams(const CK_RSA_PKCS_OAEP_PARAMS *params)

{

    if (!params) {

        return PR_FALSE;

    }

    /* The requirements of ulSourceLen/pSourceData come from PKCS #11, which

     * state:

     *   If the parameter is empty, pSourceData must be NULL and

     *   ulSourceDataLen must be zero.

     */

    if (params->source != CKZ_DATA_SPECIFIED ||

        (sftk_GetHashTypeFromMechanism(params->hashAlg) == HASH_AlgNULL) ||

        (sftk_GetHashTypeFromMechanism(params->mgf) == HASH_AlgNULL) ||

        (params->ulSourceDataLen == 0 && params->pSourceData != NULL) ||

        (params->ulSourceDataLen != 0 && params->pSourceData == NULL)) {

        return PR_FALSE;

    }

    return PR_TRUE;

}

/*

 * return a context based on the SFTKContext type.

 */

SFTKSessionContext *

sftk_ReturnContextByType(SFTKSession *session, SFTKContextType type)

{

    switch (type) {

        case SFTK_ENCRYPT:

        case SFTK_DECRYPT:

        case SFTK_MESSAGE_ENCRYPT:

        case SFTK_MESSAGE_DECRYPT:

            return session->enc_context;

        case SFTK_HASH:

            return session->hash_context;

        case SFTK_SIGN:

        case SFTK_SIGN_RECOVER:

        case SFTK_VERIFY:

        case SFTK_VERIFY_RECOVER:

        case SFTK_MESSAGE_SIGN:

        case SFTK_MESSAGE_VERIFY:

            return session->hash_context;

    }

    return NULL;

}

/*

 * change a context based on the SFTKContext type.

 */

void

sftk_SetContextByType(SFTKSession *session, SFTKContextType type,

                      SFTKSessionContext *context)

{

    switch (type) {

        case SFTK_ENCRYPT:

        case SFTK_DECRYPT:

        case SFTK_MESSAGE_ENCRYPT:

        case SFTK_MESSAGE_DECRYPT:

            session->enc_context = context;

            break;

        case SFTK_HASH:

            session->hash_context = context;

            break;

        case SFTK_SIGN:

        case SFTK_SIGN_RECOVER:

        case SFTK_VERIFY:

        case SFTK_VERIFY_RECOVER:

        case SFTK_MESSAGE_SIGN:

        case SFTK_MESSAGE_VERIFY:

            session->hash_context = context;

            break;

    }

    return;

}

/*

 * code to grab the context. Needed by every C_XXXUpdate, C_XXXFinal,

 * and C_XXX function. The function takes a session handle, the context type,

 * and wether or not the session needs to be multipart. It returns the context,

 * and optionally returns the session pointer (if sessionPtr != NULL) if session

 * pointer is returned, the caller is responsible for freeing it.

 */

CK_RV

sftk_GetContext(CK_SESSION_HANDLE handle, SFTKSessionContext **contextPtr,

                SFTKContextType type, PRBool needMulti, SFTKSession **sessionPtr)

{

    SFTKSession *session;

    SFTKSessionContext *context;

    session = sftk_SessionFromHandle(handle);

    if (session == NULL)

        return CKR_SESSION_HANDLE_INVALID;

    context = sftk_ReturnContextByType(session, type);

    /* make sure the context is valid */

    if ((context == NULL) || (context->type != type) || (needMulti && !(context->multi))) {

        sftk_FreeSession(session);

        return CKR_OPERATION_NOT_INITIALIZED;

    }

    *contextPtr = context;

    if (sessionPtr != NULL) {

        *sessionPtr = session;

    } else {

        sftk_FreeSession(session);

    }

    return CKR_OK;

}

/** Terminate operation (in the PKCS#11 spec sense).

 *  Intuitive name for FreeContext/SetNullContext pair.

 */

void

sftk_TerminateOp(SFTKSession *session, SFTKContextType ctype,

                 SFTKSessionContext *context)

{

    session->lastOpWasFIPS = context->isFIPS;

    sftk_FreeContext(context);

    sftk_SetContextByType(session, ctype, NULL);

}

/*

 ************** Crypto Functions:     Encrypt ************************

 */

/*

 * All the NSC_InitXXX functions have a set of common checks and processing they

 * all need to do at the beginning. This is done here.

 */

CK_RV

sftk_InitGeneric(SFTKSession *session, CK_MECHANISM *pMechanism,

                 SFTKSessionContext **contextPtr,

                 SFTKContextType ctype, SFTKObject **keyPtr,

                 CK_OBJECT_HANDLE hKey, CK_KEY_TYPE *keyTypePtr,

                 CK_OBJECT_CLASS pubKeyType, CK_ATTRIBUTE_TYPE operation)

{

    SFTKObject *key = NULL;

    SFTKAttribute *att;

    SFTKSessionContext *context;

    /* We can only init if there is not current context active */

    if (sftk_ReturnContextByType(session, ctype) != NULL) {

        return CKR_OPERATION_ACTIVE;

    }

    /* find the key */

    if (keyPtr) {

        key = sftk_ObjectFromHandle(hKey, session);

        if (key == NULL) {

            return CKR_KEY_HANDLE_INVALID;

        }

        /* make sure it's a valid  key for this operation */

        if (((key->objclass != CKO_SECRET_KEY) &&

             (key->objclass != pubKeyType)) ||

            !sftk_isTrue(key, operation)) {

            sftk_FreeObject(key);

            return CKR_KEY_TYPE_INCONSISTENT;

        }

        /* get the key type */

        att = sftk_FindAttribute(key, CKA_KEY_TYPE);

        if (att == NULL) {

            sftk_FreeObject(key);

            return CKR_KEY_TYPE_INCONSISTENT;

        }

        PORT_Assert(att->attrib.ulValueLen == sizeof(CK_KEY_TYPE));

        if (att->attrib.ulValueLen != sizeof(CK_KEY_TYPE)) {

            sftk_FreeAttribute(att);

            sftk_FreeObject(key);

            return CKR_ATTRIBUTE_VALUE_INVALID;

        }

        PORT_Memcpy(keyTypePtr, att->attrib.pValue, sizeof(CK_KEY_TYPE));

        sftk_FreeAttribute(att);

        *keyPtr = key;

    }

    /* allocate the context structure */

    context = (SFTKSessionContext *)PORT_Alloc(sizeof(SFTKSessionContext));

    if (context == NULL) {

        if (key)

            sftk_FreeObject(key);

        return CKR_HOST_MEMORY;

    }

    context->type = ctype;

    context->multi = PR_TRUE;

    context->rsa = PR_FALSE;

    context->cipherInfo = NULL;

    context->hashInfo = NULL;

    context->doPad = PR_FALSE;

    context->padDataLength = 0;

    context->key = key;

    context->blockSize = 0;

    context->maxLen = 0;

    context->isFIPS = sftk_operationIsFIPS(session->slot, pMechanism,

                                           operation, key);

    *contextPtr = context;

    return CKR_OK;

}

static int

sftk_aes_mode(CK_MECHANISM_TYPE mechanism)

{

    switch (mechanism) {

        case CKM_AES_CBC_PAD:

        case CKM_AES_CBC:

            return NSS_AES_CBC;

        case CKM_AES_ECB:

            return NSS_AES;

        case CKM_AES_CTS:

            return NSS_AES_CTS;

        case CKM_AES_CTR:

            return NSS_AES_CTR;

        case CKM_AES_GCM:

            return NSS_AES_GCM;

    }

    return -1;

}

static SECStatus

sftk_RSAEncryptRaw(NSSLOWKEYPublicKey *key, unsigned char *output,

                   unsigned int *outputLen, unsigned int maxLen,

                   const unsigned char *input, unsigned int inputLen)

{

    SECStatus rv = SECFailure;

    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);

    if (key->keyType != NSSLOWKEYRSAKey) {

        PORT_SetError(SEC_ERROR_INVALID_KEY);

        return SECFailure;

    }

    rv = RSA_EncryptRaw(&key->u.rsa, output, outputLen, maxLen, input,

                        inputLen);

    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {

        sftk_fatalError = PR_TRUE;

    }

    return rv;

}

static SECStatus

sftk_RSADecryptRaw(NSSLOWKEYPrivateKey *key, unsigned char *output,

                   unsigned int *outputLen, unsigned int maxLen,

                   const unsigned char *input, unsigned int inputLen)

{

    SECStatus rv = SECFailure;

    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);

    if (key->keyType != NSSLOWKEYRSAKey) {

        PORT_SetError(SEC_ERROR_INVALID_KEY);

        return SECFailure;

    }

    rv = RSA_DecryptRaw(&key->u.rsa, output, outputLen, maxLen, input,

                        inputLen);

    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {

        sftk_fatalError = PR_TRUE;

    }

    return rv;

}

static SECStatus

sftk_RSAEncrypt(NSSLOWKEYPublicKey *key, unsigned char *output,

                unsigned int *outputLen, unsigned int maxLen,

                const unsigned char *input, unsigned int inputLen)

{

    SECStatus rv = SECFailure;

    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);

    if (key->keyType != NSSLOWKEYRSAKey) {

        PORT_SetError(SEC_ERROR_INVALID_KEY);

        return SECFailure;

    }

    rv = RSA_EncryptBlock(&key->u.rsa, output, outputLen, maxLen, input,

                          inputLen);

    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {

        sftk_fatalError = PR_TRUE;

    }

    return rv;

}

static SECStatus

sftk_RSADecrypt(NSSLOWKEYPrivateKey *key, unsigned char *output,

                unsigned int *outputLen, unsigned int maxLen,

                const unsigned char *input, unsigned int inputLen)

{

    SECStatus rv = SECFailure;

    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);

    if (key->keyType != NSSLOWKEYRSAKey) {

        PORT_SetError(SEC_ERROR_INVALID_KEY);

        return SECFailure;

    }

    rv = RSA_DecryptBlock(&key->u.rsa, output, outputLen, maxLen, input,

                          inputLen);

    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {

        sftk_fatalError = PR_TRUE;

    }

    return rv;

}

static void

sftk_freeRSAOAEPInfo(SFTKOAEPInfo *info, PRBool freeit)

{

    PORT_ZFree(info->params.pSourceData, info->params.ulSourceDataLen);

    PORT_ZFree(info, sizeof(SFTKOAEPInfo));

}

static SECStatus

sftk_RSAEncryptOAEP(SFTKOAEPInfo *info, unsigned char *output,

                    unsigned int *outputLen, unsigned int maxLen,

                    const unsigned char *input, unsigned int inputLen)

{

    HASH_HashType hashAlg;

    HASH_HashType maskHashAlg;

    PORT_Assert(info->key.pub->keyType == NSSLOWKEYRSAKey);

    if (info->key.pub->keyType != NSSLOWKEYRSAKey) {

        PORT_SetError(SEC_ERROR_INVALID_KEY);

        return SECFailure;

    }

    hashAlg = sftk_GetHashTypeFromMechanism(info->params.hashAlg);

    maskHashAlg = sftk_GetHashTypeFromMechanism(info->params.mgf);

    return RSA_EncryptOAEP(&info->key.pub->u.rsa, hashAlg, maskHashAlg,

                           (const unsigned char *)info->params.pSourceData,

                           info->params.ulSourceDataLen, NULL, 0,

                           output, outputLen, maxLen, input, inputLen);

}

static SECStatus

sftk_RSADecryptOAEP(SFTKOAEPInfo *info, unsigned char *output,

                    unsigned int *outputLen, unsigned int maxLen,

                    const unsigned char *input, unsigned int inputLen)

{

    SECStatus rv = SECFailure;

    HASH_HashType hashAlg;

    HASH_HashType maskHashAlg;

    PORT_Assert(info->key.priv->keyType == NSSLOWKEYRSAKey);

    if (info->key.priv->keyType != NSSLOWKEYRSAKey) {

        PORT_SetError(SEC_ERROR_INVALID_KEY);

        return SECFailure;

    }

    hashAlg = sftk_GetHashTypeFromMechanism(info->params.hashAlg);

    maskHashAlg = sftk_GetHashTypeFromMechanism(info->params.mgf);

    rv = RSA_DecryptOAEP(&info->key.priv->u.rsa, hashAlg, maskHashAlg,

                         (const unsigned char *)info->params.pSourceData,

                         info->params.ulSourceDataLen,

                         output, outputLen, maxLen, input, inputLen);

    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {

        sftk_fatalError = PR_TRUE;

    }

    return rv;

}

static SFTKChaCha20Poly1305Info *

sftk_ChaCha20Poly1305_CreateContext(const unsigned char *key,

                                    unsigned int keyLen,

                                    const CK_NSS_AEAD_PARAMS *params)

{

    SFTKChaCha20Poly1305Info *ctx;

    if (params->ulNonceLen != sizeof(ctx->nonce)) {

        PORT_SetError(SEC_ERROR_INPUT_LEN);

        return NULL;

    }

    ctx = PORT_New(SFTKChaCha20Poly1305Info);

    if (ctx == NULL) {

        return NULL;

    }

    if (ChaCha20Poly1305_InitContext(&ctx->freeblCtx, key, keyLen,

                                     params->ulTagLen) != SECSuccess) {

        PORT_Free(ctx);

        return NULL;

    }

    PORT_Memcpy(ctx->nonce, params->pNonce, sizeof(ctx->nonce));

    /* AAD data and length must both be null, or both non-null. */

    PORT_Assert((params->pAAD == NULL) == (params->ulAADLen == 0));

    if (params->ulAADLen > sizeof(ctx->ad)) {

        /* Need to allocate an overflow buffer for the additional data. */

        ctx->adOverflow = (unsigned char *)PORT_Alloc(params->ulAADLen);

        if (!ctx->adOverflow) {

            PORT_Free(ctx);

            return NULL;

        }

        PORT_Memcpy(ctx->adOverflow, params->pAAD, params->ulAADLen);

    } else {

        ctx->adOverflow = NULL;

        if (params->pAAD) {

            PORT_Memcpy(ctx->ad, params->pAAD, params->ulAADLen);

        }

    }

    ctx->adLen = params->ulAADLen;

    return ctx;

}

static void

sftk_ChaCha20Poly1305_DestroyContext(SFTKChaCha20Poly1305Info *ctx,

                                     PRBool freeit)

{

    ChaCha20Poly1305_DestroyContext(&ctx->freeblCtx, PR_FALSE);

    if (ctx->adOverflow != NULL) {

        PORT_ZFree(ctx->adOverflow, ctx->adLen);

        ctx->adOverflow = NULL;

    } else {

        PORT_Memset(ctx->ad, 0, ctx->adLen);

    }

    ctx->adLen = 0;

    if (freeit) {

        PORT_Free(ctx);

    }

}

static SECStatus

sftk_ChaCha20Poly1305_Encrypt(const SFTKChaCha20Poly1305Info *ctx,

                              unsigned char *output, unsigned int *outputLen,

                              unsigned int maxOutputLen,

                              const unsigned char *input, unsigned int inputLen)

{

    const unsigned char *ad = ctx->adOverflow;

    if (ad == NULL) {

        ad = ctx->ad;

    }

    return ChaCha20Poly1305_Seal(&ctx->freeblCtx, output, outputLen,

                                 maxOutputLen, input, inputLen, ctx->nonce,

                                 sizeof(ctx->nonce), ad, ctx->adLen);

}

static SECStatus

sftk_ChaCha20Poly1305_Decrypt(const SFTKChaCha20Poly1305Info *ctx,

                              unsigned char *output, unsigned int *outputLen,

                              unsigned int maxOutputLen,

                              const unsigned char *input, unsigned int inputLen)

{

    const unsigned char *ad = ctx->adOverflow;

    if (ad == NULL) {

        ad = ctx->ad;

    }

    return ChaCha20Poly1305_Open(&ctx->freeblCtx, output, outputLen,

                                 maxOutputLen, input, inputLen, ctx->nonce,

                                 sizeof(ctx->nonce), ad, ctx->adLen);

}

static SECStatus

sftk_ChaCha20Ctr(const SFTKChaCha20CtrInfo *ctx,

                 unsigned char *output, unsigned int *outputLen,

                 unsigned int maxOutputLen,

                 const unsigned char *input, unsigned int inputLen)

{

    if (maxOutputLen < inputLen) {

        PORT_SetError(SEC_ERROR_OUTPUT_LEN);

        return SECFailure;

    }

    ChaCha20_Xor(output, input, inputLen, ctx->key,

                 ctx->nonce, ctx->counter);

    *outputLen = inputLen;

    return SECSuccess;

}

static void

sftk_ChaCha20Ctr_DestroyContext(SFTKChaCha20CtrInfo *ctx,

                                PRBool freeit)

{

    memset(ctx, 0, sizeof(*ctx));

    if (freeit) {

        PORT_Free(ctx);

    }

}

/** NSC_CryptInit initializes an encryption/Decryption operation.

 *

 * Always called by NSC_EncryptInit, NSC_DecryptInit, NSC_WrapKey,NSC_UnwrapKey.

 * Called by NSC_SignInit, NSC_VerifyInit (via sftk_InitCBCMac) only for block

 *  ciphers MAC'ing.

 */

CK_RV

sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,

               CK_OBJECT_HANDLE hKey,

               CK_ATTRIBUTE_TYPE mechUsage, CK_ATTRIBUTE_TYPE keyUsage,

               SFTKContextType contextType, PRBool isEncrypt)

{

    SFTKSession *session;

    SFTKObject *key;

    SFTKSessionContext *context;

    SFTKAttribute *att;

#ifndef NSS_DISABLE_DEPRECATED_RC2

    CK_RC2_CBC_PARAMS *rc2_param;

    unsigned effectiveKeyLength;

#endif

#if NSS_SOFTOKEN_DOES_RC5

    CK_RC5_CBC_PARAMS *rc5_param;

    SECItem rc5Key;

#endif

    CK_NSS_GCM_PARAMS nss_gcm_param;

    void *aes_param;

    CK_NSS_AEAD_PARAMS nss_aead_params;

    CK_NSS_AEAD_PARAMS *nss_aead_params_ptr = NULL;

    CK_KEY_TYPE key_type;

    CK_RV crv = CKR_OK;

    unsigned char newdeskey[24];

    PRBool useNewKey = PR_FALSE;

    int t;

    if (!pMechanism) {

        return CKR_MECHANISM_PARAM_INVALID;

    }

    crv = sftk_MechAllowsOperation(pMechanism->mechanism, mechUsage);

    if (crv != CKR_OK)

        return crv;

    session = sftk_SessionFromHandle(hSession);

    if (session == NULL)

        return CKR_SESSION_HANDLE_INVALID;

    crv = sftk_InitGeneric(session, pMechanism, &context, contextType, &key,

                           hKey, &key_type,

                           isEncrypt ? CKO_PUBLIC_KEY : CKO_PRIVATE_KEY,

                           keyUsage);

    if (crv != CKR_OK) {

        sftk_FreeSession(session);

        return crv;

    }

    context->doPad = PR_FALSE;

    switch (pMechanism->mechanism) {

        case CKM_RSA_PKCS:

        case CKM_RSA_X_509:

            if (key_type != CKK_RSA) {

                crv = CKR_KEY_TYPE_INCONSISTENT;

                break;

            }

            context->multi = PR_FALSE;

            context->rsa = PR_TRUE;

            if (isEncrypt) {

                NSSLOWKEYPublicKey *pubKey = sftk_GetPubKey(key, CKK_RSA, &crv);

                if (pubKey == NULL) {

                    crv = CKR_KEY_HANDLE_INVALID;

                    break;

                }

                context->maxLen = nsslowkey_PublicModulusLen(pubKey);

                context->cipherInfo = (void *)pubKey;

                context->update = (SFTKCipher)(pMechanism->mechanism == CKM_RSA_X_509

                                                   ? sftk_RSAEncryptRaw

                                                   : sftk_RSAEncrypt);

            } else {

                NSSLOWKEYPrivateKey *privKey = sftk_GetPrivKey(key, CKK_RSA, &crv);

                if (privKey == NULL) {

                    crv = CKR_KEY_HANDLE_INVALID;

                    break;

                }

                context->maxLen = nsslowkey_PrivateModulusLen(privKey);

                context->cipherInfo = (void *)privKey;

                context->update = (SFTKCipher)(pMechanism->mechanism == CKM_RSA_X_509

                                                   ? sftk_RSADecryptRaw

                                                   : sftk_RSADecrypt);

            }

            context->destroy = sftk_Null;

            break;

        case CKM_RSA_PKCS_OAEP:

            if (key_type != CKK_RSA) {

                crv = CKR_KEY_TYPE_INCONSISTENT;

                break;

            }

            if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_OAEP_PARAMS) ||

                !sftk_ValidateOaepParams((CK_RSA_PKCS_OAEP_PARAMS *)pMechanism->pParameter)) {

                crv = CKR_MECHANISM_PARAM_INVALID;

                break;

            }

            context->multi = PR_FALSE;

            context->rsa = PR_TRUE;

            {

                SFTKOAEPInfo *info;

                CK_RSA_PKCS_OAEP_PARAMS *params =

                    (CK_RSA_PKCS_OAEP_PARAMS *)pMechanism->pParameter;

                /* make a copy of the source data value for future

                 * use (once the user has reclaimed his data in pParameter)*/

                void *newSource = NULL;

                if (params->pSourceData) {

                    newSource = PORT_Alloc(params->ulSourceDataLen);

                    if (newSource == NULL) {

                        crv = CKR_HOST_MEMORY;

                        break;

                    }

                    PORT_Memcpy(newSource, params->pSourceData, params->ulSourceDataLen);

                }

                info = PORT_New(SFTKOAEPInfo);

                if (info == NULL) {

                    PORT_ZFree(newSource, params->ulSourceDataLen);

                    crv = CKR_HOST_MEMORY;

                    break;

                }

                info->params = *params;

                info->params.pSourceData = newSource;

                info->isEncrypt = isEncrypt;

                /* now setup encryption and decryption contexts */

                if (isEncrypt) {

                    info->key.pub = sftk_GetPubKey(key, CKK_RSA, &crv);

                    if (info->key.pub == NULL) {

                        sftk_freeRSAOAEPInfo(info, PR_TRUE);

                        crv = CKR_KEY_HANDLE_INVALID;

                        break;

                    }

                    context->update = (SFTKCipher)sftk_RSAEncryptOAEP;

                    context->maxLen = nsslowkey_PublicModulusLen(info->key.pub);

                } else {

                    info->key.priv = sftk_GetPrivKey(key, CKK_RSA, &crv);

                    if (info->key.priv == NULL) {

                        sftk_freeRSAOAEPInfo(info, PR_TRUE);

                        crv = CKR_KEY_HANDLE_INVALID;

                        break;

                    }

                    context->update = (SFTKCipher)sftk_RSADecryptOAEP;

                    context->maxLen = nsslowkey_PrivateModulusLen(info->key.priv);

                }

                context->cipherInfo = info;

            }

            context->destroy = (SFTKDestroy)sftk_freeRSAOAEPInfo;

            break;

#ifndef NSS_DISABLE_DEPRECATED_RC2

        case CKM_RC2_CBC_PAD:

            context->doPad = PR_TRUE;

        /* fall thru */

        case CKM_RC2_ECB:

        case CKM_RC2_CBC:

            context->blockSize = 8;

            if (key_type != CKK_RC2) {

                crv = CKR_KEY_TYPE_INCONSISTENT;

                break;

            }

            att = sftk_FindAttribute(key, CKA_VALUE);

            if (att == NULL) {

                crv = CKR_KEY_HANDLE_INVALID;

                break;

            }

            if (BAD_PARAM_CAST(pMechanism, sizeof(CK_RC2_CBC_PARAMS))) {

                crv = CKR_MECHANISM_PARAM_INVALID;

                break;

            }

            rc2_param = (CK_RC2_CBC_PARAMS *)pMechanism->pParameter;

            effectiveKeyLength = (rc2_param->ulEffectiveBits + 7) / 8;

            context->cipherInfo =

                RC2_CreateContext((unsigned char *)att->attrib.pValue,

                                  att->attrib.ulValueLen, rc2_param->iv,

                                  pMechanism->mechanism == CKM_RC2_ECB ? NSS_RC2 : NSS_RC2_CBC, effectiveKeyLength);

            sftk_FreeAttribute(att);

            if (context->cipherInfo == NULL) {

                crv = CKR_HOST_MEMORY;

                break;

            }

            context->update = (SFTKCipher)(isEncrypt ? RC2_Encrypt : RC2_Decrypt);

            context->destroy = (SFTKDestroy)RC2_DestroyContext;

            break;

#endif /* NSS_DISABLE_DEPRECATED_RC2 */

#if NSS_SOFTOKEN_DOES_RC5