/src/nss/lib/pk11wrap/pk11skey.c

Source (jump to first uncovered line)
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
 * This file implements the Symkey wrapper and the PKCS context
 * Interfaces.
 */

#include <stddef.h>
#include <limits.h>

#include "seccomon.h"
#include "secmod.h"
#include "nssilock.h"
#include "secmodi.h"
#include "secmodti.h"
#include "pkcs11.h"
#include "pk11func.h"
#include "secitem.h"
#include "secoid.h"
#include "secerr.h"
#include "hasht.h"

static ECPointEncoding pk11_ECGetPubkeyEncoding(const SECKEYPublicKey *pubKey);

static void
pk11_EnterKeyMonitor(PK11SymKey *symKey)
{
    if (!symKey->sessionOwner || !(symKey->slot->isThreadSafe))
        PK11_EnterSlotMonitor(symKey->slot);
}

static void
pk11_ExitKeyMonitor(PK11SymKey *symKey)
{
    if (!symKey->sessionOwner || !(symKey->slot->isThreadSafe))
        PK11_ExitSlotMonitor(symKey->slot);
}

/*
 * pk11_getKeyFromList returns a symKey that has a session (if needSession
 * was specified), or explicitly does not have a session (if needSession
 * was not specified).
 */
static PK11SymKey *
pk11_getKeyFromList(PK11SlotInfo *slot, PRBool needSession)
{
    PK11SymKey *symKey = NULL;

    PZ_Lock(slot->freeListLock);
    /* own session list are symkeys with sessions that the symkey owns.
     * 'most' symkeys will own their own session. */
    if (needSession) {
        if (slot->freeSymKeysWithSessionHead) {
            symKey = slot->freeSymKeysWithSessionHead;
            slot->freeSymKeysWithSessionHead = symKey->next;
            slot->keyCount--;
        }
    }
    /* if we don't need a symkey with its own session, or we couldn't find
     * one on the owner list, get one from the non-owner free list. */
    if (!symKey) {
        if (slot->freeSymKeysHead) {
            symKey = slot->freeSymKeysHead;
            slot->freeSymKeysHead = symKey->next;
            slot->keyCount--;
        }
    }
    PZ_Unlock(slot->freeListLock);
    if (symKey) {
        symKey->next = NULL;
        if (!needSession) {
            return symKey;
        }
        /* if we are getting an owner key, make sure we have a valid session.
         * session could be invalid if the token has been removed or because
         * we got it from the non-owner free list */
        if ((symKey->series != slot->series) ||
            (symKey->session == CK_INVALID_HANDLE)) {
            symKey->session = pk11_GetNewSession(slot, &symKey->sessionOwner);
        }
        PORT_Assert(symKey->session != CK_INVALID_HANDLE);
        if (symKey->session != CK_INVALID_HANDLE)
            return symKey;
        PK11_FreeSymKey(symKey);
        /* if we are here, we need a session, but couldn't get one, it's
         * unlikely we pk11_GetNewSession will succeed if we call it a second
         * time. */
        return NULL;
    }

    symKey = PORT_New(PK11SymKey);
    if (symKey == NULL) {
        return NULL;
    }

    symKey->next = NULL;
    if (needSession) {
        symKey->session = pk11_GetNewSession(slot, &symKey->sessionOwner);
        PORT_Assert(symKey->session != CK_INVALID_HANDLE);
        if (symKey->session == CK_INVALID_HANDLE) {
            PK11_FreeSymKey(symKey);
            symKey = NULL;
        }
    } else {
        symKey->session = CK_INVALID_HANDLE;
    }
    return symKey;
}

/* Caller MUST hold slot->freeListLock (or ref count == 0?) !! */
void
PK11_CleanKeyList(PK11SlotInfo *slot)
{
    PK11SymKey *symKey = NULL;

    while (slot->freeSymKeysWithSessionHead) {
        symKey = slot->freeSymKeysWithSessionHead;
        slot->freeSymKeysWithSessionHead = symKey->next;
        pk11_CloseSession(slot, symKey->session, symKey->sessionOwner);
        PORT_Free(symKey);
    }
    while (slot->freeSymKeysHead) {
        symKey = slot->freeSymKeysHead;
        slot->freeSymKeysHead = symKey->next;
        pk11_CloseSession(slot, symKey->session, symKey->sessionOwner);
        PORT_Free(symKey);
    }
    return;
}

/*
 * create a symetric key:
 *      Slot is the slot to create the key in.
 *      type is the mechanism type
 *      owner is does this symKey structure own it's object handle (rare
 *        that this is false).
 *      needSession means the returned symKey will return with a valid session
 *        allocated already.
 */
static PK11SymKey *
pk11_CreateSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
                  PRBool owner, PRBool needSession, void *wincx)
{

    PK11SymKey *symKey = pk11_getKeyFromList(slot, needSession);

    if (symKey == NULL) {
        return NULL;
    }
    /* if needSession was specified, make sure we have a valid session.
     * callers which specify needSession as false should do their own
     * check of the session before returning the symKey */
    if (needSession && symKey->session == CK_INVALID_HANDLE) {
        PK11_FreeSymKey(symKey);
        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
        return NULL;
    }

    symKey->type = type;
    symKey->data.type = siBuffer;
    symKey->data.data = NULL;
    symKey->data.len = 0;
    symKey->owner = owner;
    symKey->objectID = CK_INVALID_HANDLE;
    symKey->slot = slot;
    symKey->series = slot->series;
    symKey->cx = wincx;
    symKey->size = 0;
    symKey->refCount = 1;
    symKey->origin = PK11_OriginNULL;
    symKey->parent = NULL;
    symKey->freeFunc = NULL;
    symKey->userData = NULL;
    PK11_ReferenceSlot(slot);
    return symKey;
}

/*
 * destroy a symetric key
 */
void
PK11_FreeSymKey(PK11SymKey *symKey)
{
    PK11SlotInfo *slot;
    PRBool freeit = PR_TRUE;

    if (!symKey) {
        return;
    }

    if (PR_ATOMIC_DECREMENT(&symKey->refCount) == 0) {
        PK11SymKey *parent = symKey->parent;

        symKey->parent = NULL;
        if ((symKey->owner) && symKey->objectID != CK_INVALID_HANDLE) {
            pk11_EnterKeyMonitor(symKey);
            (void)PK11_GETTAB(symKey->slot)->C_DestroyObject(symKey->session, symKey->objectID);
            pk11_ExitKeyMonitor(symKey);
        }
        if (symKey->data.data) {
            PORT_Memset(symKey->data.data, 0, symKey->data.len);
            PORT_Free(symKey->data.data);
        }
        /* free any existing data */
        if (symKey->userData && symKey->freeFunc) {
            (*symKey->freeFunc)(symKey->userData);
        }
        slot = symKey->slot;
        PZ_Lock(slot->freeListLock);
        if (slot->keyCount < slot->maxKeyCount) {
            /*
             * freeSymkeysWithSessionHead contain a list of reusable
             *  SymKey structures with valid sessions.
             *    sessionOwner must be true.
             *    session must be valid.
             * freeSymKeysHead contain a list of SymKey structures without
             *  valid session.
             *    session must be CK_INVALID_HANDLE.
             *    though sessionOwner is false, callers should not depend on
             *    this fact.
             */
            if (symKey->sessionOwner) {
                PORT_Assert(symKey->session != CK_INVALID_HANDLE);
                symKey->next = slot->freeSymKeysWithSessionHead;
                slot->freeSymKeysWithSessionHead = symKey;
            } else {
                symKey->session = CK_INVALID_HANDLE;
                symKey->next = slot->freeSymKeysHead;
                slot->freeSymKeysHead = symKey;
            }
            slot->keyCount++;
            symKey->slot = NULL;
            freeit = PR_FALSE;
        }
        PZ_Unlock(slot->freeListLock);
        if (freeit) {
            pk11_CloseSession(symKey->slot, symKey->session,
                              symKey->sessionOwner);
            PORT_Free(symKey);
        }
        PK11_FreeSlot(slot);

        if (parent) {
            PK11_FreeSymKey(parent);
        }
    }
}

PK11SymKey *
PK11_ReferenceSymKey(PK11SymKey *symKey)
{
    PR_ATOMIC_INCREMENT(&symKey->refCount);
    return symKey;
}

/*
 * Accessors
 */
CK_MECHANISM_TYPE
PK11_GetMechanism(PK11SymKey *symKey)
{
    return symKey->type;
}

/*
 * return the slot associated with a symetric key
 */
PK11SlotInfo *
PK11_GetSlotFromKey(PK11SymKey *symKey)
{
    return PK11_ReferenceSlot(symKey->slot);
}

CK_KEY_TYPE
PK11_GetSymKeyType(PK11SymKey *symKey)
{
    return PK11_GetKeyType(symKey->type, symKey->size);
}

PK11SymKey *
PK11_GetNextSymKey(PK11SymKey *symKey)
{
    return symKey ? symKey->next : NULL;
}

char *
PK11_GetSymKeyNickname(PK11SymKey *symKey)
{
    return PK11_GetObjectNickname(symKey->slot, symKey->objectID);
}

SECStatus
PK11_SetSymKeyNickname(PK11SymKey *symKey, const char *nickname)
{
    return PK11_SetObjectNickname(symKey->slot, symKey->objectID, nickname);
}

void *
PK11_GetSymKeyUserData(PK11SymKey *symKey)
{
    return symKey->userData;
}

void
PK11_SetSymKeyUserData(PK11SymKey *symKey, void *userData,
                       PK11FreeDataFunc freeFunc)
{
    /* free any existing data */
    if (symKey->userData && symKey->freeFunc) {
        (*symKey->freeFunc)(symKey->userData);
    }
    symKey->userData = userData;
    symKey->freeFunc = freeFunc;
    return;
}

/*
 * turn key handle into an appropriate key object
 */
PK11SymKey *
PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent, PK11Origin origin,
                      CK_MECHANISM_TYPE type, CK_OBJECT_HANDLE keyID, PRBool owner, void *wincx)
{
    PK11SymKey *symKey;
    PRBool needSession = !(owner && parent);

    if (keyID == CK_INVALID_HANDLE) {
        return NULL;
    }

    symKey = pk11_CreateSymKey(slot, type, owner, needSession, wincx);
    if (symKey == NULL) {
        return NULL;
    }

    symKey->objectID = keyID;
    symKey->origin = origin;

    /* adopt the parent's session */
    /* This is only used by SSL. What we really want here is a session
     * structure with a ref count so  the session goes away only after all the
     * keys do. */
    if (!needSession) {
        symKey->sessionOwner = PR_FALSE;
        symKey->session = parent->session;
        symKey->parent = PK11_ReferenceSymKey(parent);
        /* This is the only case where pk11_CreateSymKey does not explicitly
         * check symKey->session. We need to assert here to make sure.
         * the session isn't invalid. */
        PORT_Assert(parent->session != CK_INVALID_HANDLE);
        if (parent->session == CK_INVALID_HANDLE) {
            PK11_FreeSymKey(symKey);
            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
            return NULL;
        }
    }

    return symKey;
}

/*
 * Restore a symmetric wrapping key that was saved using PK11_SetWrapKey.
 *
 * This function is provided for ABI compatibility; see PK11_SetWrapKey below.
 */
PK11SymKey *
PK11_GetWrapKey(PK11SlotInfo *slot, int wrap, CK_MECHANISM_TYPE type,
                int series, void *wincx)
{
    PK11SymKey *symKey = NULL;
    CK_OBJECT_HANDLE keyHandle;

    PK11_EnterSlotMonitor(slot);
    if (slot->series != series ||
        slot->refKeys[wrap] == CK_INVALID_HANDLE) {
        PK11_ExitSlotMonitor(slot);
        return NULL;
    }

    if (type == CKM_INVALID_MECHANISM) {
        type = slot->wrapMechanism;
    }

    keyHandle = slot->refKeys[wrap];
    PK11_ExitSlotMonitor(slot);
    symKey = PK11_SymKeyFromHandle(slot, NULL, PK11_OriginDerive,
                                   slot->wrapMechanism, keyHandle, PR_FALSE, wincx);
    return symKey;
}

/*
 * This function sets an attribute on the current slot with a wrapping key.  The
 * data saved is ephemeral; it needs to be run every time the program is
 * invoked.
 *
 * Since NSS 3.45, this function is marginally more thread safe.  It uses the
 * slot lock (if present) and fails silently if a value is already set.  Use
 * PK11_GetWrapKey() after calling this function to get the current wrapping key
 * in case there was an update on another thread.
 *
 * Either way, using this function is inadvisable.  It's provided for ABI
 * compatibility only.
 */
void
PK11_SetWrapKey(PK11SlotInfo *slot, int wrap, PK11SymKey *wrapKey)
{
    PK11_EnterSlotMonitor(slot);
    if (wrap >= 0) {
        size_t uwrap = (size_t)wrap;
        if (uwrap < PR_ARRAY_SIZE(slot->refKeys) &&
            slot->refKeys[uwrap] == CK_INVALID_HANDLE) {
            /* save the handle and mechanism for the wrapping key */
            /* mark the key and session as not owned by us so they don't get
             * freed when the key goes way... that lets us reuse the key
             * later */
            slot->refKeys[uwrap] = wrapKey->objectID;
            wrapKey->owner = PR_FALSE;
            wrapKey->sessionOwner = PR_FALSE;
            slot->wrapMechanism = wrapKey->type;
        }
    }
    PK11_ExitSlotMonitor(slot);
}

/*
 * figure out if a key is still valid or if it is stale.
 */
PRBool
PK11_VerifyKeyOK(PK11SymKey *key)
{
    if (!PK11_IsPresent(key->slot)) {
        return PR_FALSE;
    }
    return (PRBool)(key->series == key->slot->series);
}

static PK11SymKey *
pk11_ImportSymKeyWithTempl(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
                           PK11Origin origin, PRBool isToken, CK_ATTRIBUTE *keyTemplate,
                           unsigned int templateCount, SECItem *key, void *wincx)
{
    PK11SymKey *symKey;
    SECStatus rv;

    symKey = pk11_CreateSymKey(slot, type, !isToken, PR_TRUE, wincx);
    if (symKey == NULL) {
        return NULL;
    }

    symKey->size = key->len;

    PK11_SETATTRS(&keyTemplate[templateCount], CKA_VALUE, key->data, key->len);
    templateCount++;

    if (SECITEM_CopyItem(NULL, &symKey->data, key) != SECSuccess) {
        PK11_FreeSymKey(symKey);
        return NULL;
    }

    symKey->origin = origin;

    /* import the keys */
    rv = PK11_CreateNewObject(slot, symKey->session, keyTemplate,
                              templateCount, isToken, &symKey->objectID);
    if (rv != SECSuccess) {
        PK11_FreeSymKey(symKey);
        return NULL;
    }

    return symKey;
}

/*
 * turn key bits into an appropriate key object
 */
PK11SymKey *
PK11_ImportSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
                  PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, void *wincx)
{
    PK11SymKey *symKey;
    unsigned int templateCount = 0;
    CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
    CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
    CK_BBOOL cktrue = CK_TRUE; /* sigh */
    CK_ATTRIBUTE keyTemplate[5];
    CK_ATTRIBUTE *attrs = keyTemplate;

    /* CKA_NSS_MESSAGE is a fake operation to distinguish between
     * Normal Encrypt/Decrypt and MessageEncrypt/Decrypt. Don't try to set
     * it as a real attribute */
    if ((operation & CKA_NSS_MESSAGE_MASK) == CKA_NSS_MESSAGE) {
        /* Message is or'd with a real Attribute (CKA_ENCRYPT, CKA_DECRYPT),
         * etc. Strip out the real attribute here */
        operation &= ~CKA_NSS_MESSAGE_MASK;
    }

    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass));
    attrs++;
    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType));
    attrs++;
    PK11_SETATTRS(attrs, operation, &cktrue, 1);
    attrs++;
    templateCount = attrs - keyTemplate;
    PR_ASSERT(templateCount + 1 <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE));

    keyType = PK11_GetKeyType(type, key->len);
    symKey = pk11_ImportSymKeyWithTempl(slot, type, origin, PR_FALSE,
                                        keyTemplate, templateCount, key, wincx);
    return symKey;
}
/* Import a PKCS #11 data object and return it as a key. This key is
 * only useful in a limited number of mechanisms, such as HKDF. */
PK11SymKey *
PK11_ImportDataKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, PK11Origin origin,
                   CK_ATTRIBUTE_TYPE operation, SECItem *key, void *wincx)
{
    CK_OBJECT_CLASS ckoData = CKO_DATA;
    CK_ATTRIBUTE template[2] = { { CKA_CLASS, (CK_BYTE_PTR)&ckoData, sizeof(ckoData) },
                                 { CKA_VALUE, (CK_BYTE_PTR)key->data, key->len } };
    CK_OBJECT_HANDLE handle;
    PK11GenericObject *genObject;

    genObject = PK11_CreateGenericObject(slot, template, PR_ARRAY_SIZE(template), PR_FALSE);
    if (genObject == NULL) {
        return NULL;
    }
    handle = PK11_GetObjectHandle(PK11_TypeGeneric, genObject, NULL);
    /* A note about ownership of the PKCS #11 handle:
     * PK11_CreateGenericObject() will not destroy the object it creates
     * on Free, For that you want PK11_CreateManagedGenericObject().
     * Below we import the handle into the symKey structure. We pass
     * PR_TRUE as the owner so that the symKey will destroy the object
     * once it's freed. This is why it's safe to destroy genObject now. */
    PK11_DestroyGenericObject(genObject);
    if (handle == CK_INVALID_HANDLE) {
        return NULL;
    }
    return PK11_SymKeyFromHandle(slot, NULL, origin, type, handle, PR_TRUE, wincx);
}

/* turn key bits into an appropriate key object */
PK11SymKey *
PK11_ImportSymKeyWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
                           PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key,
                           CK_FLAGS flags, PRBool isPerm, void *wincx)
{
    PK11SymKey *symKey;
    unsigned int templateCount = 0;
    CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
    CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
    CK_BBOOL cktrue = CK_TRUE; /* sigh */
    CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS];
    CK_ATTRIBUTE *attrs = keyTemplate;

    /* CKA_NSS_MESSAGE is a fake operation to distinguish between
     * Normal Encrypt/Decrypt and MessageEncrypt/Decrypt. Don't try to set
     * it as a real attribute */
    if ((operation & CKA_NSS_MESSAGE_MASK) == CKA_NSS_MESSAGE) {
        /* Message is or'd with a real Attribute (CKA_ENCRYPT, CKA_DECRYPT),
         * etc. Strip out the real attribute here */
        operation &= ~CKA_NSS_MESSAGE_MASK;
    }

    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass));
    attrs++;
    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType));
    attrs++;
    if (isPerm) {
        PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue));
        attrs++;
        /* sigh some tokens think CKA_PRIVATE = false is a reasonable
         * default for secret keys */
        PK11_SETATTRS(attrs, CKA_PRIVATE, &cktrue, sizeof(cktrue));
        attrs++;
    }
    attrs += pk11_OpFlagsToAttributes(flags, attrs, &cktrue);
    if ((operation != CKA_FLAGS_ONLY) &&
        !pk11_FindAttrInTemplate(keyTemplate, attrs - keyTemplate, operation)) {
        PK11_SETATTRS(attrs, operation, &cktrue, sizeof(cktrue));
        attrs++;
    }
    templateCount = attrs - keyTemplate;
    PR_ASSERT(templateCount + 1 <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE));

    keyType = PK11_GetKeyType(type, key->len);
    symKey = pk11_ImportSymKeyWithTempl(slot, type, origin, isPerm,
                                        keyTemplate, templateCount, key, wincx);
    if (symKey && isPerm) {
        symKey->owner = PR_FALSE;
    }
    return symKey;
}

PK11SymKey *
PK11_FindFixedKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *keyID,
                  void *wincx)
{
    CK_ATTRIBUTE findTemp[5];
    CK_ATTRIBUTE *attrs;
    CK_BBOOL ckTrue = CK_TRUE;
    CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY;
    size_t tsize = 0;
    CK_OBJECT_HANDLE key_id;
    CK_KEY_TYPE keyType = PK11_GetKeyType(type, 0);

    attrs = findTemp;
    PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass));
    attrs++;
    PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue));
    attrs++;
    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType));
    attrs++;
    if (keyID) {
        PK11_SETATTRS(attrs, CKA_ID, keyID->data, keyID->len);
        attrs++;
    }
    tsize = attrs - findTemp;
    PORT_Assert(tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE));

    key_id = pk11_FindObjectByTemplate(slot, findTemp, tsize);
    if (key_id == CK_INVALID_HANDLE) {
        return NULL;
    }
    return PK11_SymKeyFromHandle(slot, NULL, PK11_OriginDerive, type, key_id,
                                 PR_FALSE, wincx);
}

PK11SymKey *
PK11_ListFixedKeysInSlot(PK11SlotInfo *slot, char *nickname, void *wincx)
{
    CK_ATTRIBUTE findTemp[4];
    CK_ATTRIBUTE *attrs;
    CK_BBOOL ckTrue = CK_TRUE;
    CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY;
    int tsize = 0;
    int objCount = 0;
    CK_OBJECT_HANDLE *key_ids;
    PK11SymKey *nextKey = NULL;
    PK11SymKey *topKey = NULL;
    int i, len;

    attrs = findTemp;
    PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass));
    attrs++;
    PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue));
    attrs++;
    if (nickname) {
        len = PORT_Strlen(nickname);
        PK11_SETATTRS(attrs, CKA_LABEL, nickname, len);
        attrs++;
    }
    tsize = attrs - findTemp;
    PORT_Assert(tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE));

    key_ids = pk11_FindObjectsByTemplate(slot, findTemp, tsize, &objCount);
    if (key_ids == NULL) {
        return NULL;
    }

    for (i = 0; i < objCount; i++) {
        SECItem typeData;
        CK_KEY_TYPE type = CKK_GENERIC_SECRET;
        SECStatus rv = PK11_ReadAttribute(slot, key_ids[i],
                                          CKA_KEY_TYPE, NULL, &typeData);
        if (rv == SECSuccess) {
            if (typeData.len == sizeof(CK_KEY_TYPE)) {
                type = *(CK_KEY_TYPE *)typeData.data;
            }
            PORT_Free(typeData.data);
        }
        nextKey = PK11_SymKeyFromHandle(slot, NULL, PK11_OriginDerive,
                                        PK11_GetKeyMechanism(type), key_ids[i], PR_FALSE, wincx);
        if (nextKey) {
            nextKey->next = topKey;
            topKey = nextKey;
        }
    }
    PORT_Free(key_ids);
    return topKey;
}

void *
PK11_GetWindow(PK11SymKey *key)
{
    return key->cx;
}

/*
 * extract a symmetric key value. NOTE: if the key is sensitive, we will
 * not be able to do this operation. This function is used to move
 * keys from one token to another */
SECStatus
PK11_ExtractKeyValue(PK11SymKey *symKey)
{
    SECStatus rv;

    if (symKey == NULL) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }

    if (symKey->data.data != NULL) {
        if (symKey->size == 0) {
            symKey->size = symKey->data.len;
        }
        return SECSuccess;
    }

    if (symKey->slot == NULL) {
        PORT_SetError(SEC_ERROR_INVALID_KEY);
        return SECFailure;
    }

    rv = PK11_ReadAttribute(symKey->slot, symKey->objectID, CKA_VALUE, NULL,
                            &symKey->data);
    if (rv == SECSuccess) {
        symKey->size = symKey->data.len;
    }
    return rv;
}

SECStatus
PK11_DeleteTokenSymKey(PK11SymKey *symKey)
{
    if (!PK11_IsPermObject(symKey->slot, symKey->objectID)) {
        return SECFailure;
    }
    PK11_DestroyTokenObject(symKey->slot, symKey->objectID);
    symKey->objectID = CK_INVALID_HANDLE;
    return SECSuccess;
}

SECItem *
PK11_GetKeyData(PK11SymKey *symKey)
{
    return &symKey->data;
}

/* This symbol is exported for backward compatibility. */
SECItem *
__PK11_GetKeyData(PK11SymKey *symKey)
{
    return PK11_GetKeyData(symKey);
}

/*
 * PKCS #11 key Types with predefined length
 */
unsigned int
pk11_GetPredefinedKeyLength(CK_KEY_TYPE keyType)
{
    int length = 0;
    switch (keyType) {
        case CKK_DES:
            length = 8;
            break;
        case CKK_DES2:
            length = 16;
            break;
        case CKK_DES3:
            length = 24;
            break;
        case CKK_SKIPJACK:
            length = 10;
            break;
        case CKK_BATON:
            length = 20;
            break;
        case CKK_JUNIPER:
            length = 20;
            break;
        default:
            break;
    }
    return length;
}

/* return the keylength if possible.  '0' if not */
unsigned int
PK11_GetKeyLength(PK11SymKey *key)
{
    CK_KEY_TYPE keyType;

    if (key->size != 0)
        return key->size;

    /* First try to figure out the key length from its type */
    keyType = PK11_ReadULongAttribute(key->slot, key->objectID, CKA_KEY_TYPE);
    key->size = pk11_GetPredefinedKeyLength(keyType);
    if ((keyType == CKK_GENERIC_SECRET) &&
        (key->type == CKM_SSL3_PRE_MASTER_KEY_GEN)) {
        key->size = 48;
    }

    if (key->size != 0)
        return key->size;

    if (key->data.data == NULL) {
        PK11_ExtractKeyValue(key);
    }
    /* key is probably secret. Look up its length */
    /*  this is new PKCS #11 version 2.0 functionality. */
    if (key->size == 0) {
        CK_ULONG keyLength;

        keyLength = PK11_ReadULongAttribute(key->slot, key->objectID, CKA_VALUE_LEN);
        if (keyLength != CK_UNAVAILABLE_INFORMATION) {
            key->size = (unsigned int)keyLength;
        }
    }

    return key->size;
}

/* return the strength of a key. This is different from length in that
 * 1) it returns the size in bits, and 2) it returns only the secret portions
 * of the key minus any checksums or parity.
 */
unsigned int
PK11_GetKeyStrength(PK11SymKey *key, SECAlgorithmID *algid)
{
    int size = 0;
    CK_MECHANISM_TYPE mechanism = CKM_INVALID_MECHANISM; /* RC2 only */
    SECItem *param = NULL;                               /* RC2 only */
    CK_RC2_CBC_PARAMS *rc2_params = NULL;                /* RC2 ONLY */
    unsigned int effectiveBits = 0;                      /* RC2 ONLY */

    switch (PK11_GetKeyType(key->type, 0)) {
        case CKK_CDMF:
            return 40;
        case CKK_DES:
            return 56;
        case CKK_DES3:
        case CKK_DES2:
            size = PK11_GetKeyLength(key);
            if (size == 16) {
                /* double des */
                return 112; /* 16*7 */
            }
            return 168;
        /*
         * RC2 has is different than other ciphers in that it allows the user
         * to deprecating keysize while still requiring all the bits for the
         * original key. The info
         * on what the effective key strength is in the parameter for the key.
         * In S/MIME this parameter is stored in the DER encoded algid. In Our
         * other uses of RC2, effectiveBits == keyBits, so this code functions
         * correctly without an algid.
         */
        case CKK_RC2:
            /* if no algid was provided, fall through to default */
            if (!algid) {
                break;
            }
            /* verify that the algid is for RC2 */
            mechanism = PK11_AlgtagToMechanism(SECOID_GetAlgorithmTag(algid));
            if ((mechanism != CKM_RC2_CBC) && (mechanism != CKM_RC2_ECB)) {
                break;
            }

            /* now get effective bits from the algorithm ID. */
            param = PK11_ParamFromAlgid(algid);
            /* if we couldn't get memory just use key length */
            if (param == NULL) {
                break;
            }

            rc2_params = (CK_RC2_CBC_PARAMS *)param->data;
            /* paranoia... shouldn't happen */
            PORT_Assert(param->data != NULL);
            if (param->data == NULL) {
                SECITEM_FreeItem(param, PR_TRUE);
                break;
            }
            effectiveBits = (unsigned int)rc2_params->ulEffectiveBits;
            SECITEM_FreeItem(param, PR_TRUE);
            param = NULL;
            rc2_params = NULL; /* paranoia */

            /* we have effective bits, is and allocated memory is free, now
             * we need to return the smaller of effective bits and keysize */
            size = PK11_GetKeyLength(key);
            if ((unsigned int)size * 8 > effectiveBits) {
                return effectiveBits;
            }

            return size * 8; /* the actual key is smaller, the strength can't be
                              * greater than the actual key size */

        default:
            break;
    }
    return PK11_GetKeyLength(key) * 8;
}

/*
 * The next three utilities are to deal with the fact that a given operation
 * may be a multi-slot affair. This creates a new key object that is copied
 * into the new slot.
 */
PK11SymKey *
pk11_CopyToSlotPerm(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
                    CK_ATTRIBUTE_TYPE operation, CK_FLAGS flags,
                    PRBool isPerm, PK11SymKey *symKey)
{
    SECStatus rv;
    PK11SymKey *newKey = NULL;

    /* Extract the raw key data if possible */
    if (symKey->data.data == NULL) {
        rv = PK11_ExtractKeyValue(symKey);
        /* KEY is sensitive, we're try key exchanging it. */
        if (rv != SECSuccess) {
            return pk11_KeyExchange(slot, type, operation,
                                    flags, isPerm, symKey);
        }
    }

    newKey = PK11_ImportSymKeyWithFlags(slot, type, symKey->origin,
                                        operation, &symKey->data, flags, isPerm, symKey->cx);
    if (newKey == NULL) {
        newKey = pk11_KeyExchange(slot, type, operation, flags, isPerm, symKey);
    }
    return newKey;
}

PK11SymKey *
pk11_CopyToSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
                CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey)
{
    return pk11_CopyToSlotPerm(slot, type, operation, 0, PR_FALSE, symKey);
}

/*
 * Make sure the slot we are in is the correct slot for the operation
 * by verifying that it supports all of the specified mechanism types.
 */
PK11SymKey *
pk11_ForceSlotMultiple(PK11SymKey *symKey, CK_MECHANISM_TYPE *type,
                       int mechCount, CK_ATTRIBUTE_TYPE operation)
{
    PK11SlotInfo *slot = symKey->slot;
    PK11SymKey *newKey = NULL;
    PRBool needToCopy = PR_FALSE;
    int i;

    if (slot == NULL) {
        needToCopy = PR_TRUE;
    } else {
        i = 0;
        while ((i < mechCount) && (needToCopy == PR_FALSE)) {
            if (!PK11_DoesMechanism(slot, type[i])) {
                needToCopy = PR_TRUE;
            }
            i++;
        }
    }

    if (needToCopy == PR_TRUE) {
        slot = PK11_GetBestSlotMultiple(type, mechCount, symKey->cx);
        if (slot == NULL) {
            PORT_SetError(SEC_ERROR_NO_MODULE);
            return NULL;
        }
        newKey = pk11_CopyToSlot(slot, type[0], operation, symKey);
        PK11_FreeSlot(slot);
    }
    return newKey;
}

/*
 * Make sure the slot we are in is the correct slot for the operation
 */
PK11SymKey *
pk11_ForceSlot(PK11SymKey *symKey, CK_MECHANISM_TYPE type,
               CK_ATTRIBUTE_TYPE operation)
{
    return pk11_ForceSlotMultiple(symKey, &type, 1, operation);
}

PK11SymKey *
PK11_MoveSymKey(PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation,
                CK_FLAGS flags, PRBool perm, PK11SymKey *symKey)
{
    if (symKey->slot == slot) {
        if (perm) {
            return PK11_ConvertSessionSymKeyToTokenSymKey(symKey, symKey->cx);
        } else {
            return PK11_ReferenceSymKey(symKey);
        }
    }

    return pk11_CopyToSlotPerm(slot, symKey->type,
                               operation, flags, perm, symKey);
}

/*
 * Use the token to generate a key.
 *
 * keySize must be 'zero' for fixed key length algorithms. A nonzero
 *  keySize causes the CKA_VALUE_LEN attribute to be added to the template
 *  for the key. Most PKCS #11 modules fail if you specify the CKA_VALUE_LEN
 *  attribute for keys with fixed length. The exception is DES2. If you
 *  select a CKM_DES3_CBC mechanism, this code will not add the CKA_VALUE_LEN
 *  parameter and use the key size to determine which underlying DES keygen
 *  function to use (CKM_DES2_KEY_GEN or CKM_DES3_KEY_GEN).
 *
 * keyType must be -1 for most algorithms. Some PBE algorthims cannot
 *  determine the correct key type from the mechanism or the parameters,
 *  so key type must be specified. Other PKCS #11 mechanisms may do so in
 *  the future. Currently there is no need to export this publically.
 *  Keep it private until there is a need in case we need to expand the
 *  keygen parameters again...
 *
 * CK_FLAGS flags: key operation flags
 * PK11AttrFlags attrFlags: PK11_ATTR_XXX key attribute flags
 */
PK11SymKey *
pk11_TokenKeyGenWithFlagsAndKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
                                    SECItem *param, CK_KEY_TYPE keyType, int keySize, SECItem *keyid,
                                    CK_FLAGS opFlags, PK11AttrFlags attrFlags, void *wincx)
{
    PK11SymKey *symKey;
    CK_ATTRIBUTE genTemplate[MAX_TEMPL_ATTRS];
    CK_ATTRIBUTE *attrs = genTemplate;
    int count = sizeof(genTemplate) / sizeof(genTemplate[0]);
    CK_MECHANISM_TYPE keyGenType;
    CK_BBOOL cktrue = CK_TRUE;
    CK_BBOOL ckfalse = CK_FALSE;
    CK_ULONG ck_key_size; /* only used for variable-length keys */

    if (pk11_BadAttrFlags(attrFlags)) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return NULL;
    }

    if ((keySize != 0) && (type != CKM_DES3_CBC) &&
        (type != CKM_DES3_CBC_PAD) && (type != CKM_DES3_ECB)) {
        ck_key_size = keySize; /* Convert to PK11 type */

        PK11_SETATTRS(attrs, CKA_VALUE_LEN, &ck_key_size, sizeof(ck_key_size));
        attrs++;
    }

    if (keyType != -1) {
        PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(CK_KEY_TYPE));
        attrs++;
    }

    /* Include key id value if provided */
    if (keyid) {
        PK11_SETATTRS(attrs, CKA_ID, keyid->data, keyid->len);
        attrs++;
    }

    attrs += pk11_AttrFlagsToAttributes(attrFlags, attrs, &cktrue, &ckfalse);
    attrs += pk11_OpFlagsToAttributes(opFlags, attrs, &cktrue);

    count = attrs - genTemplate;
    PR_ASSERT(count <= sizeof(genTemplate) / sizeof(CK_ATTRIBUTE));

    keyGenType = PK11_GetKeyGenWithSize(type, keySize);
    if (keyGenType == CKM_FAKE_RANDOM) {
        PORT_SetError(SEC_ERROR_NO_MODULE);
        return NULL;
    }
    symKey = PK11_KeyGenWithTemplate(slot, type, keyGenType,
                                     param, genTemplate, count, wincx);
    if (symKey != NULL) {
        symKey->size = keySize;
    }
    return symKey;
}

/*
 * Use the token to generate a key.  - Public
 *
 * keySize must be 'zero' for fixed key length algorithms. A nonzero
 *  keySize causes the CKA_VALUE_LEN attribute to be added to the template
 *  for the key. Most PKCS #11 modules fail if you specify the CKA_VALUE_LEN
 *  attribute for keys with fixed length. The exception is DES2. If you
 *  select a CKM_DES3_CBC mechanism, this code will not add the CKA_VALUE_LEN
 *  parameter and use the key size to determine which underlying DES keygen
 *  function to use (CKM_DES2_KEY_GEN or CKM_DES3_KEY_GEN).
 *
 * CK_FLAGS flags: key operation flags
 * PK11AttrFlags attrFlags: PK11_ATTR_XXX key attribute flags
 */
PK11SymKey *
PK11_TokenKeyGenWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
                          SECItem *param, int keySize, SECItem *keyid, CK_FLAGS opFlags,
                          PK11AttrFlags attrFlags, void *wincx)
{
    return pk11_TokenKeyGenWithFlagsAndKeyType(slot, type, param, -1, keySize,
                                               keyid, opFlags, attrFlags, wincx);
}

/*
 * Use the token to generate a key. keySize must be 'zero' for fixed key
 * length algorithms. A nonzero keySize causes the CKA_VALUE_LEN attribute
 * to be added to the template for the key. PKCS #11 modules fail if you
 * specify the CKA_VALUE_LEN attribute for keys with fixed length.
 * NOTE: this means to generate a DES2 key from this interface you must
 * specify CKM_DES2_KEY_GEN as the mechanism directly; specifying
 * CKM_DES3_CBC as the mechanism and 16 as keySize currently doesn't work.
 */
PK11SymKey *
PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param,
                 int keySize, SECItem *keyid, PRBool isToken, void *wincx)
{
    PK11SymKey *symKey;
    PRBool weird = PR_FALSE; /* hack for fortezza */
    CK_FLAGS opFlags = CKF_SIGN;
    PK11AttrFlags attrFlags = 0;

    if ((keySize == -1) && (type == CKM_SKIPJACK_CBC64)) {
        weird = PR_TRUE;
        keySize = 0;
    }

    opFlags |= weird ? CKF_DECRYPT : CKF_ENCRYPT;

    if (isToken) {
        attrFlags |= (PK11_ATTR_TOKEN | PK11_ATTR_PRIVATE);
    }

    symKey = pk11_TokenKeyGenWithFlagsAndKeyType(slot, type, param,
                                                 -1, keySize, keyid, opFlags, attrFlags, wincx);
    if (symKey && weird) {
        PK11_SetFortezzaHack(symKey);
    }

    return symKey;
}

PK11SymKey *
PK11_KeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param,
            int keySize, void *wincx)
{
    return PK11_TokenKeyGen(slot, type, param, keySize, 0, PR_FALSE, wincx);
}

PK11SymKey *
PK11_KeyGenWithTemplate(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
                        CK_MECHANISM_TYPE keyGenType,
                        SECItem *param, CK_ATTRIBUTE *attrs,
                        unsigned int attrsCount, void *wincx)
{
    PK11SymKey *symKey;
    CK_SESSION_HANDLE session;
    CK_MECHANISM mechanism;
    CK_RV crv;
    PRBool isToken = CK_FALSE;
    CK_ULONG keySize = 0;
    unsigned i;

    /* Extract the template's CKA_VALUE_LEN into keySize and CKA_TOKEN into
       isToken. */
    for (i = 0; i < attrsCount; ++i) {
        switch (attrs[i].type) {
            case CKA_VALUE_LEN:
                if (attrs[i].pValue == NULL ||
                    attrs[i].ulValueLen != sizeof(CK_ULONG)) {
                    PORT_SetError(PK11_MapError(CKR_TEMPLATE_INCONSISTENT));
                    return NULL;
                }
                keySize = *(CK_ULONG *)attrs[i].pValue;
                break;
            case CKA_TOKEN:
                if (attrs[i].pValue == NULL ||
                    attrs[i].ulValueLen != sizeof(CK_BBOOL)) {
                    PORT_SetError(PK11_MapError(CKR_TEMPLATE_INCONSISTENT));
                    return NULL;
                }
                isToken = (*(CK_BBOOL *)attrs[i].pValue) ? PR_TRUE : PR_FALSE;
                break;
        }
    }

    /* find a slot to generate the key into */
    /* Only do slot management if this is not a token key */
    if (!isToken && (slot == NULL || !PK11_DoesMechanism(slot, type))) {
        PK11SlotInfo *bestSlot = PK11_GetBestSlot(type, wincx);
        if (bestSlot == NULL) {
            PORT_SetError(SEC_ERROR_NO_MODULE);
            return NULL;
        }
        symKey = pk11_CreateSymKey(bestSlot, type, !isToken, PR_TRUE, wincx);
        PK11_FreeSlot(bestSlot);
    } else {
        symKey = pk11_CreateSymKey(slot, type, !isToken, PR_TRUE, wincx);
    }
    if (symKey == NULL)
        return NULL;

    symKey->size = keySize;
    symKey->origin = PK11_OriginGenerated;

    /* Set the parameters for the key gen if provided */
    mechanism.mechanism = keyGenType;
    mechanism.pParameter = NULL;
    mechanism.ulParameterLen = 0;
    if (param) {
        mechanism.pParameter = param->data;
        mechanism.ulParameterLen = param->len;
    }

    /* Get session and perform locking */
    if (isToken) {
        PK11_Authenticate(symKey->slot, PR_TRUE, wincx);
        /* Should always be original slot */
        session = PK11_GetRWSession(symKey->slot);
        symKey->owner = PR_FALSE;
    } else {
        session = symKey->session;
        if (session != CK_INVALID_HANDLE)
            pk11_EnterKeyMonitor(symKey);
    }
    if (session == CK_INVALID_HANDLE) {
        PK11_FreeSymKey(symKey);
        PORT_SetError(SEC_ERROR_BAD_DATA);
        return NULL;
    }

    crv = PK11_GETTAB(symKey->slot)->C_GenerateKey(session, &mechanism, attrs, attrsCount, &symKey->objectID);

    /* Release lock and session */
    if (isToken) {
        PK11_RestoreROSession(symKey->slot, session);
    } else {
        pk11_ExitKeyMonitor(symKey);
    }

    if (crv != CKR_OK) {
        PK11_FreeSymKey(symKey);
        PORT_SetError(PK11_MapError(crv));
        return NULL;
    }

    return symKey;
}

PK11SymKey *
PK11_ConvertSessionSymKeyToTokenSymKey(PK11SymKey *symk, void *wincx)
{
    PK11SlotInfo *slot = symk->slot;
    CK_ATTRIBUTE template[1];
    CK_ATTRIBUTE *attrs = template;
    CK_BBOOL cktrue = CK_TRUE;
    CK_RV crv;
    CK_OBJECT_HANDLE newKeyID;
    CK_SESSION_HANDLE rwsession;

    PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue));
    attrs++;

    PK11_Authenticate(slot, PR_TRUE, wincx);
    rwsession = PK11_GetRWSession(slot);
    if (rwsession == CK_INVALID_HANDLE) {
        PORT_SetError(SEC_ERROR_BAD_DATA);
        return NULL;
    }
    crv = PK11_GETTAB(slot)->C_CopyObject(rwsession, symk->objectID,
                                          template, 1, &newKeyID);
    PK11_RestoreROSession(slot, rwsession);

    if (crv != CKR_OK) {
        PORT_SetError(PK11_MapError(crv));
        return NULL;
    }

    return PK11_SymKeyFromHandle(slot, NULL /*parent*/, symk->origin,
                                 symk->type, newKeyID, PR_FALSE /*owner*/, NULL /*wincx*/);
}

/* This function does a straight public key wrap with the CKM_RSA_PKCS
 * mechanism. */
SECStatus
PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
                   PK11SymKey *symKey, SECItem *wrappedKey)
{
    CK_MECHANISM_TYPE inferred = pk11_mapWrapKeyType(pubKey->keyType);
    return PK11_PubWrapSymKeyWithMechanism(pubKey, inferred, NULL, symKey,
                                           wrappedKey);
}

/* This function wraps a symmetric key with a public key, such as with the
 * CKM_RSA_PKCS and CKM_RSA_PKCS_OAEP mechanisms. */
SECStatus
PK11_PubWrapSymKeyWithMechanism(SECKEYPublicKey *pubKey,
                                CK_MECHANISM_TYPE mechType, SECItem *param,
                                PK11SymKey *symKey, SECItem *wrappedKey)
{
    PK11SlotInfo *slot;
    CK_ULONG len = wrappedKey->len;
    PK11SymKey *newKey = NULL;
    CK_OBJECT_HANDLE id;
    CK_MECHANISM mechanism;
    PRBool owner = PR_TRUE;
    CK_SESSION_HANDLE session;
    CK_RV crv;

    if (symKey == NULL) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }

    /* if this slot doesn't support the mechanism, go to a slot that does */
    newKey = pk11_ForceSlot(symKey, mechType, CKA_ENCRYPT);
    if (newKey != NULL) {
        symKey = newKey;
    }

    if (symKey->slot == NULL) {
        PORT_SetError(SEC_ERROR_NO_MODULE);
        return SECFailure;
    }

    slot = symKey->slot;

    mechanism.mechanism = mechType;
    if (param == NULL) {
        mechanism.pParameter = NULL;
        mechanism.ulParameterLen = 0;
    } else {
        mechanism.pParameter = param->data;
        mechanism.ulParameterLen = param->len;
    }

    id = PK11_ImportPublicKey(slot, pubKey, PR_FALSE);
    if (id == CK_INVALID_HANDLE) {
        if (newKey) {
            PK11_FreeSymKey(newKey);
        }
        return SECFailure; /* Error code has been set. */
    }

    session = pk11_GetNewSession(slot, &owner);
    if (!owner || !(slot->isThreadSafe))
        PK11_EnterSlotMonitor(slot);
    crv = PK11_GETTAB(slot)->C_WrapKey(session, &mechanism,
                                       id, symKey->objectID, wrappedKey->data, &len);
    if (!owner || !(slot->isThreadSafe))
        PK11_ExitSlotMonitor(slot);
    pk11_CloseSession(slot, session, owner);
    if (newKey) {
        PK11_FreeSymKey(newKey);
    }

    if (crv != CKR_OK) {
        PORT_SetError(PK11_MapError(crv));
        return SECFailure;
    }
    wrappedKey->len = len;
    return SECSuccess;
}

/*
 * this little function uses the Encrypt function to wrap a key, just in
 * case we have problems with the wrap implementation for a token.
 */
static SECStatus
pk11_HandWrap(PK11SymKey *wrappingKey, SECItem *param, CK_MECHANISM_TYPE type,
              SECItem *inKey, SECItem *outKey)
{
    PK11SlotInfo *slot;
    CK_ULONG len;
    SECItem *data;
    CK_MECHANISM mech;
    PRBool owner = PR_TRUE;
    CK_SESSION_HANDLE session;
    CK_RV crv;

    slot = wrappingKey->slot;
    /* use NULL IV's for wrapping */
    mech.mechanism = type;
    if (param) {
        mech.pParameter = param->data;
        mech.ulParameterLen = param->len;
    } else {
        mech.pParameter = NULL;
        mech.ulParameterLen = 0;
    }
    session = pk11_GetNewSession(slot, &owner);
    if (!owner || !(slot->isThreadSafe))
        PK11_EnterSlotMonitor(slot);
    crv = PK11_GETTAB(slot)->C_EncryptInit(session, &mech,
                                           wrappingKey->objectID);
    if (crv != CKR_OK) {
        if (!owner || !(slot->isThreadSafe))
            PK11_ExitSlotMonitor(slot);
        pk11_CloseSession(slot, session, owner);
        PORT_SetError(PK11_MapError(crv));
        return SECFailure;
    }

    /* keys are almost always aligned, but if we get this far,
     * we've gone above and beyond anyway... */
    data = PK11_BlockData(inKey, PK11_GetBlockSize(type, param));
    if (data == NULL) {
        if (!owner || !(slot->isThreadSafe))
            PK11_ExitSlotMonitor(slot);
        pk11_CloseSession(slot, session, owner);
        PORT_SetError(SEC_ERROR_NO_MEMORY);
        return SECFailure;
    }
    len = outKey->len;
    crv = PK11_GETTAB(slot)->C_Encrypt(session, data->data, data->len,
                                       outKey->data, &len);
    if (!owner || !(slot->isThreadSafe))
        PK11_ExitSlotMonitor(slot);
    pk11_CloseSession(slot, session, owner);
    SECITEM_FreeItem(data, PR_TRUE);
    outKey->len = len;
    if (crv != CKR_OK) {
        PORT_SetError(PK11_MapError(crv));
        return SECFailure;
    }
    return SECSuccess;
}

/*
 * helper function which moves two keys into a new slot based on the
 * desired mechanism.
 */
static SECStatus
pk11_moveTwoKeys(CK_MECHANISM_TYPE mech,
                 CK_ATTRIBUTE_TYPE preferedOperation,
                 CK_ATTRIBUTE_TYPE movingOperation,
                 PK11SymKey *preferedKey, PK11SymKey *movingKey,
                 PK11SymKey **newPreferedKey, PK11SymKey **newMovingKey)
{
    PK11SlotInfo *newSlot;
    *newMovingKey = NULL;
    *newPreferedKey = NULL;

    newSlot = PK11_GetBestSlot(mech, preferedKey->cx);
    if (newSlot == NULL) {
        return SECFailure;
    }
    *newMovingKey = pk11_CopyToSlot(newSlot, movingKey->type,
                                    movingOperation, movingKey);
    if (*newMovingKey == NULL) {
        goto loser;
    }
    *newPreferedKey = pk11_CopyToSlot(newSlot, preferedKey->type,
                                      preferedOperation, preferedKey);
    if (*newPreferedKey == NULL) {
        goto loser;
    }

    PK11_FreeSlot(newSlot);
    return SECSuccess;
loser:
    PK11_FreeSlot(newSlot);
    PK11_FreeSymKey(*newMovingKey);
    PK11_FreeSymKey(*newPreferedKey);
    *newMovingKey = NULL;
    *newPreferedKey = NULL;
    return SECFailure;
}

/*
 * To do joint operations, we often need two keys in the same slot.
 * Usually the PKCS #11 wrappers handle this correctly (like for PK11_WrapKey),
 * but sometimes the wrappers don't know about mechanism specific keys in
 * the Mechanism params. This function makes sure the two keys are in the
 * same slot by copying one or both of the keys into a common slot. This
 * functions makes sure the slot can handle the target mechanism. If the copy
 * is warranted, this function will prefer to move the movingKey first, then
 * the preferedKey. If the keys are moved, the new keys are returned in
 * newMovingKey and/or newPreferedKey. The application is responsible
 * for freeing those keys once the operation is complete.
 */
SECStatus
PK11_SymKeysToSameSlot(CK_MECHANISM_TYPE mech,
                       CK_ATTRIBUTE_TYPE preferedOperation,
                       CK_ATTRIBUTE_TYPE movingOperation,
                       PK11SymKey *preferedKey, PK11SymKey *movingKey,
                       PK11SymKey **newPreferedKey, PK11SymKey **newMovingKey)
{
    /* usually don't return new keys */
    *newMovingKey = NULL;
    *newPreferedKey = NULL;
    if (movingKey->slot == preferedKey->slot) {

        /* this should be the most common case */
        if ((preferedKey->slot != NULL) &&
            PK11_DoesMechanism(preferedKey->slot, mech)) {
            return SECSuccess;
        }

        /* we are in the same slot, but it doesn't do the operation,
         * move both keys to an appropriate target slot */
        return pk11_moveTwoKeys(mech, preferedOperation, movingOperation,
                                preferedKey, movingKey,
                                newPreferedKey, newMovingKey);
    }

    /* keys are in different slot, try moving the moving key to the prefered
     * key's slot */
    if ((preferedKey->slot != NULL) &&
        PK11_DoesMechanism(preferedKey->slot, mech)) {
        *newMovingKey = pk11_CopyToSlot(preferedKey->slot, movingKey->type,
                                        movingOperation, movingKey);
        if (*newMovingKey != NULL) {
            return SECSuccess;
        }
    }
    /* couldn't moving the moving key to the prefered slot, try moving
     * the prefered key */
    if ((movingKey->slot != NULL) &&
        PK11_DoesMechanism(movingKey->slot, mech)) {
        *newPreferedKey = pk11_CopyToSlot(movingKey->slot, preferedKey->type,
                                          preferedOperation, preferedKey);
        if (*newPreferedKey != NULL) {
            return SECSuccess;
        }
    }
    /* Neither succeeded, but that could be that they were not in slots that
     * supported the operation, try moving both keys into a common slot that
     * can do the operation. */
    return pk11_moveTwoKeys(mech, preferedOperation, movingOperation,
                            preferedKey, movingKey,
                            newPreferedKey, newMovingKey);
}

/*
 * This function does a symetric based wrap.
 */
SECStatus
PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *param,
                PK11SymKey *wrappingKey, PK11SymKey *symKey,
                SECItem *wrappedKey)
{
    PK11SlotInfo *slot;
    CK_ULONG len = wrappedKey->len;
    PK11SymKey *newSymKey = NULL;
    PK11SymKey *newWrappingKey = NULL;
    SECItem *param_save = NULL;
    CK_MECHANISM mechanism;
    PRBool owner = PR_TRUE;
    CK_SESSION_HANDLE session;
    CK_RV crv;
    SECStatus rv;

    /* force the keys into same slot */
    rv = PK11_SymKeysToSameSlot(type, CKA_ENCRYPT, CKA_WRAP,
                                symKey, wrappingKey,
                                &newSymKey, &newWrappingKey);
    if (rv != SECSuccess) {
        /* Couldn't move the keys as desired, try to hand unwrap if possible */
        if (symKey->data.data == NULL) {
            rv = PK11_ExtractKeyValue(symKey);
            if (rv != SECSuccess) {
                PORT_SetError(SEC_ERROR_NO_MODULE);
                return SECFailure;
            }
        }
        if (param == NULL) {
            param_save = param = PK11_ParamFromIV(type, NULL);
        }
        rv = pk11_HandWrap(wrappingKey, param, type, &symKey->data, wrappedKey);
        if (param_save)
            SECITEM_FreeItem(param_save, PR_TRUE);
        return rv;
    }
    if (newSymKey) {
        symKey = newSymKey;
    }
    if (newWrappingKey) {
        wrappingKey = newWrappingKey;
    }

    /* at this point both keys are in the same token */
    slot = wrappingKey->slot;
    mechanism.mechanism = type;
    /* use NULL IV's for wrapping */
    if (param == NULL) {
        param_save = param = PK11_ParamFromIV(type, NULL);
    }
    if (param) {
        mechanism.pParameter = param->data;
        mechanism.ulParameterLen = param->len;
    } else {
        mechanism.pParameter = NULL;
        mechanism.ulParameterLen = 0;
    }

    len = wrappedKey->len;

    session = pk11_GetNewSession(slot, &owner);
    if (!owner || !(slot->isThreadSafe))
        PK11_EnterSlotMonitor(slot);
    crv = PK11_GETTAB(slot)->C_WrapKey(session, &mechanism,
                                       wrappingKey->objectID, symKey->objectID,
                                       wrappedKey->data, &len);
    if (!owner || !(slot->isThreadSafe))
        PK11_ExitSlotMonitor(slot);
    pk11_CloseSession(slot, session, owner);
    rv = SECSuccess;
    if (crv != CKR_OK) {
        /* can't wrap it? try hand wrapping it... */
        do {
            if (symKey->data.data == NULL) {
                rv = PK11_ExtractKeyValue(symKey);
                if (rv != SECSuccess)
                    break;
            }
            rv = pk11_HandWrap(wrappingKey, param, type, &symKey->data,
                               wrappedKey);
        } while (PR_FALSE);
    } else {
        wrappedKey->len = len;
    }
    PK11_FreeSymKey(newSymKey);
    PK11_FreeSymKey(newWrappingKey);
    if (param_save)
        SECITEM_FreeItem(param_save, PR_TRUE);
    return rv;
}

/*
 * This Generates a new key based on a symetricKey
 */
PK11SymKey *
PK11_Derive(PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, SECItem *param,
            CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
            int keySize)
{
    return PK11_DeriveWithTemplate(baseKey, derive, param, target, operation,
                                   keySize, NULL, 0, PR_FALSE);
}

PK11SymKey *
PK11_DeriveWithFlags(PK11SymKey *baseKey, CK_MECHANISM_TYPE derive,
                     SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
                     int keySize, CK_FLAGS flags)
{
    CK_BBOOL ckTrue = CK_TRUE;
    CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS];
    unsigned int templateCount;

    templateCount = pk11_OpFlagsToAttributes(flags, keyTemplate, &ckTrue);
    return PK11_DeriveWithTemplate(baseKey, derive, param, target, operation,
                                   keySize, keyTemplate, templateCount, PR_FALSE);
}

PK11SymKey *
PK11_DeriveWithFlagsPerm(PK11SymKey *baseKey, CK_MECHANISM_TYPE derive,
                         SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
                         int keySize, CK_FLAGS flags, PRBool isPerm)
{
    CK_BBOOL cktrue = CK_TRUE;
    CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS];
    CK_ATTRIBUTE *attrs;
    unsigned int templateCount = 0;

    attrs = keyTemplate;
    if (isPerm) {
        PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(CK_BBOOL));
        attrs++;
    }
    templateCount = attrs - keyTemplate;
    templateCount += pk11_OpFlagsToAttributes(flags, attrs, &cktrue);
    return PK11_DeriveWithTemplate(baseKey, derive, param, target, operation,
                                   keySize, keyTemplate, templateCount, isPerm);
}

PK11SymKey *
PK11_DeriveWithTemplate(PK11SymKey *baseKey, CK_MECHANISM_TYPE derive,
                        SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
                        int keySize, CK_ATTRIBUTE *userAttr, unsigned int numAttrs,
                        PRBool isPerm)
{
    PK11SlotInfo *slot = baseKey->slot;
    PK11SymKey *symKey;
    PK11SymKey *newBaseKey = NULL;
    CK_BBOOL cktrue = CK_TRUE;
    CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
    CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
    CK_ULONG valueLen = 0;
    CK_MECHANISM mechanism;
    CK_RV crv;
#define MAX_ADD_ATTRS 4
    CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS + MAX_ADD_ATTRS];
#undef MAX_ADD_ATTRS
    CK_ATTRIBUTE *attrs = keyTemplate;
    CK_SESSION_HANDLE session;
    unsigned int templateCount;

    if (numAttrs > MAX_TEMPL_ATTRS) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return NULL;
    }
    /* CKA_NSS_MESSAGE is a fake operation to distinguish between
     * Normal Encrypt/Decrypt and MessageEncrypt/Decrypt. Don't try to set
     * it as a real attribute */
    if ((operation & CKA_NSS_MESSAGE_MASK) == CKA_NSS_MESSAGE) {
        /* Message is or'd with a real Attribute (CKA_ENCRYPT, CKA_DECRYPT),
         * etc. Strip out the real attribute here */
        operation &= ~CKA_NSS_MESSAGE_MASK;
    }

    /* first copy caller attributes in. */
    for (templateCount = 0; templateCount < numAttrs; ++templateCount) {
        *attrs++ = *userAttr++;
    }

    /* We only add the following attributes to the template if the caller
    ** didn't already supply them.
    */
    if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_CLASS)) {
        PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof keyClass);
        attrs++;
    }
    if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_KEY_TYPE)) {
        keyType = PK11_GetKeyType(target, keySize);
        PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof keyType);
        attrs++;
    }
    if (keySize > 0 &&
        !pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_VALUE_LEN)) {
        valueLen = (CK_ULONG)keySize;
        PK11_SETATTRS(attrs, CKA_VALUE_LEN, &valueLen, sizeof valueLen);
        attrs++;
    }
    if ((operation != CKA_FLAGS_ONLY) &&
        !pk11_FindAttrInTemplate(keyTemplate, numAttrs, operation)) {
        PK11_SETATTRS(attrs, operation, &cktrue, sizeof cktrue);
        attrs++;
    }

    templateCount = attrs - keyTemplate;
    PR_ASSERT(templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE));

    /* move the key to a slot that can do the function */
    if (!PK11_DoesMechanism(slot, derive)) {
        /* get a new base key & slot */
        PK11SlotInfo *newSlot = PK11_GetBestSlot(derive, baseKey->cx);

        if (newSlot == NULL)
            return NULL;

        newBaseKey = pk11_CopyToSlot(newSlot, derive, CKA_DERIVE,
                                     baseKey);
        PK11_FreeSlot(newSlot);
        if (newBaseKey == NULL)
            return NULL;
        baseKey = newBaseKey;
        slot = baseKey->slot;
    }

    /* get our key Structure */
    symKey = pk11_CreateSymKey(slot, target, !isPerm, PR_TRUE, baseKey->cx);
    if (symKey == NULL) {
        return NULL;
    }

    symKey->size = keySize;

    mechanism.mechanism = derive;
    if (param) {
        mechanism.pParameter = param->data;
        mechanism.ulParameterLen = param->len;
    } else {
        mechanism.pParameter = NULL;
        mechanism.ulParameterLen = 0;
    }
    symKey->origin = PK11_OriginDerive;

    if (isPerm) {
        session = PK11_GetRWSession(slot);
    } else {
        pk11_EnterKeyMonitor(symKey);
        session = symKey->session;
    }
    if (session == CK_INVALID_HANDLE) {
        if (!isPerm)
            pk11_ExitKeyMonitor(symKey);
        crv = CKR_SESSION_HANDLE_INVALID;
    } else {
        crv = PK11_GETTAB(slot)->C_DeriveKey(session, &mechanism,
                                             baseKey->objectID, keyTemplate, templateCount, &symKey->objectID);
        if (isPerm) {
            PK11_RestoreROSession(slot, session);
        } else {
            pk11_ExitKeyMonitor(symKey);
        }
    }
    if (newBaseKey)
        PK11_FreeSymKey(newBaseKey);
    if (crv != CKR_OK) {
        PK11_FreeSymKey(symKey);
        PORT_SetError(PK11_MapError(crv));
        return NULL;
    }
    return symKey;
}

/* Create a new key by concatenating base and data
 */
static PK11SymKey *
pk11_ConcatenateBaseAndData(PK11SymKey *base,
                            CK_BYTE *data, CK_ULONG dataLen, CK_MECHANISM_TYPE target,
                            CK_ATTRIBUTE_TYPE operation)
{
    CK_KEY_DERIVATION_STRING_DATA mechParams;
    SECItem param;

    if (base == NULL) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return NULL;
    }

    mechParams.pData = data;
    mechParams.ulLen = dataLen;
    param.data = (unsigned char *)&mechParams;
    param.len = sizeof(CK_KEY_DERIVATION_STRING_DATA);

    return PK11_Derive(base, CKM_CONCATENATE_BASE_AND_DATA,
                       &param, target, operation, 0);
}

/* Create a new key by concatenating base and key
 */
static PK11SymKey *
pk11_ConcatenateBaseAndKey(PK11SymKey *base,
                           PK11SymKey *key, CK_MECHANISM_TYPE target,
                           CK_ATTRIBUTE_TYPE operation, CK_ULONG keySize)
{
    SECItem param;

    if ((base == NULL) || (key == NULL)) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return NULL;
    }

    param.data = (unsigned char *)&(key->objectID);
    param.len = sizeof(CK_OBJECT_HANDLE);

    return PK11_Derive(base, CKM_CONCATENATE_BASE_AND_KEY,
                       &param, target, operation, keySize);
}

PK11SymKey *
PK11_ConcatSymKeys(PK11SymKey *left, PK11SymKey *right, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation)
{
    PK11SymKey *out = NULL;
    PK11SymKey *copyOfLeft = NULL;
    PK11SymKey *copyOfRight = NULL;

    if ((left == NULL) || (right == NULL)) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return NULL;
    }

    SECStatus rv = PK11_SymKeysToSameSlot(CKM_CONCATENATE_BASE_AND_KEY,
                                          CKA_DERIVE, CKA_DERIVE, left, right,
                                          &copyOfLeft, &copyOfRight);
    if (rv != SECSuccess) {
        /* error code already set */
        return NULL;
    }

    out = pk11_ConcatenateBaseAndKey(copyOfLeft ? copyOfLeft : left, copyOfRight ? copyOfRight : right, target, operation, 0);
    PK11_FreeSymKey(copyOfLeft);
    PK11_FreeSymKey(copyOfRight);
    return out;
}

/* Create a new key whose value is the hash of tobehashed.
 * type is the mechanism for the derived key.
 */
static PK11SymKey *
pk11_HashKeyDerivation(PK11SymKey *toBeHashed,
                       CK_MECHANISM_TYPE hashMechanism, CK_MECHANISM_TYPE target,
                       CK_ATTRIBUTE_TYPE operation, CK_ULONG keySize)
{
    return PK11_Derive(toBeHashed, hashMechanism, NULL, target, operation, keySize);
}

/* This function implements the ANSI X9.63 key derivation function
 */
static PK11SymKey *
pk11_ANSIX963Derive(PK11SymKey *sharedSecret,
                    CK_EC_KDF_TYPE kdf, SECItem *sharedData,
                    CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
                    CK_ULONG keySize)
{
    CK_KEY_TYPE keyType;
    CK_MECHANISM_TYPE hashMechanism, mechanismArray[4];
    CK_ULONG derivedKeySize, HashLen, counter, maxCounter, bufferLen;
    CK_ULONG SharedInfoLen;
    CK_BYTE *buffer = NULL;
    PK11SymKey *toBeHashed, *hashOutput;
    PK11SymKey *newSharedSecret = NULL;
    PK11SymKey *oldIntermediateResult, *intermediateResult = NULL;

    if (sharedSecret == NULL) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return NULL;
    }

    switch (kdf) {
        case CKD_SHA1_KDF:
            HashLen = SHA1_LENGTH;
            hashMechanism = CKM_SHA1_KEY_DERIVATION;
            break;
        case CKD_SHA224_KDF:
            HashLen = SHA224_LENGTH;
            hashMechanism = CKM_SHA224_KEY_DERIVATION;
            break;
        case CKD_SHA256_KDF:
            HashLen = SHA256_LENGTH;
            hashMechanism = CKM_SHA256_KEY_DERIVATION;
            break;
        case CKD_SHA384_KDF:
            HashLen = SHA384_LENGTH;
            hashMechanism = CKM_SHA384_KEY_DERIVATION;
            break;
        case CKD_SHA512_KDF:
            HashLen = SHA512_LENGTH;
            hashMechanism = CKM_SHA512_KEY_DERIVATION;
            break;
        default:
            PORT_SetError(SEC_ERROR_INVALID_ARGS);
            return NULL;
    }

    derivedKeySize = keySize;
    if (derivedKeySize == 0) {
        keyType = PK11_GetKeyType(target, keySize);
        derivedKeySize = pk11_GetPredefinedKeyLength(keyType);
        if (derivedKeySize == 0) {
            derivedKeySize = HashLen;
        }
    }

    /* Check that key_len isn't too long.  The maximum key length could be
     * greatly increased if the code below did not limit the 4-byte counter
     * to a maximum value of 255. */
    if (derivedKeySize > 254 * HashLen) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return NULL;
    }

    maxCounter = derivedKeySize / HashLen;
    if (derivedKeySize > maxCounter * HashLen)
        maxCounter++;

    if ((sharedData == NULL) || (sharedData->data == NULL))
        SharedInfoLen = 0;
    else
        SharedInfoLen = sharedData->len;

    bufferLen = SharedInfoLen + 4;

    /* Populate buffer with Counter || sharedData
     * where Counter is 0x00000001. */
    buffer = (unsigned char *)PORT_Alloc(bufferLen);
    if (buffer == NULL) {
        PORT_SetError(SEC_ERROR_NO_MEMORY);
        return NULL;
    }

    buffer[0] = 0;
    buffer[1] = 0;
    buffer[2] = 0;
    buffer[3] = 1;
    if (SharedInfoLen > 0) {
        PORT_Memcpy(&buffer[4], sharedData->data, SharedInfoLen);
    }

    /* Look for a slot that supports the mechanisms needed
     * to implement the ANSI X9.63 KDF as well as the
     * target mechanism.
     */
    mechanismArray[0] = CKM_CONCATENATE_BASE_AND_DATA;
    mechanismArray[1] = hashMechanism;
    mechanismArray[2] = CKM_CONCATENATE_BASE_AND_KEY;
    mechanismArray[3] = target;

    newSharedSecret = pk11_ForceSlotMultiple(sharedSecret,
                                             mechanismArray, 4, operation);
    if (newSharedSecret != NULL) {
        sharedSecret = newSharedSecret;
    }

    for (counter = 1; counter <= maxCounter; counter++) {
        /* Concatenate shared_secret and buffer */
        toBeHashed = pk11_ConcatenateBaseAndData(sharedSecret, buffer,
                                                 bufferLen, hashMechanism, operation);
        if (toBeHashed == NULL) {
            goto loser;
        }

        /* Hash value */
        if (maxCounter == 1) {
            /* In this case the length of the key to be derived is
             * less than or equal to the length of the hash output.
             * So, the output of the hash operation will be the
             * dervied key. */
            hashOutput = pk11_HashKeyDerivation(toBeHashed, hashMechanism,
                                                target, operation, keySize);
        } else {
            /* In this case, the output of the hash operation will be
             * concatenated with other data to create the derived key. */
            hashOutput = pk11_HashKeyDerivation(toBeHashed, hashMechanism,
                                                CKM_CONCATENATE_BASE_AND_KEY, operation, 0);
        }
        PK11_FreeSymKey(toBeHashed);
        if (hashOutput == NULL) {
            goto loser;
        }

        /* Append result to intermediate result, if necessary */
        oldIntermediateResult = intermediateResult;

        if (oldIntermediateResult == NULL) {
            intermediateResult = hashOutput;
        } else {
            if (counter == maxCounter) {
                /* This is the final concatenation, and so the output
                 * will be the derived key. */
                intermediateResult =
                    pk11_ConcatenateBaseAndKey(oldIntermediateResult,
                                               hashOutput, target, operation, keySize);
            } else {
                /* The output of this concatenation will be concatenated
                 * with other data to create the derived key. */
                intermediateResult =
                    pk11_ConcatenateBaseAndKey(oldIntermediateResult,
                                               hashOutput, CKM_CONCATENATE_BASE_AND_KEY,
                                               operation, 0);
            }

            PK11_FreeSymKey(hashOutput);
            PK11_FreeSymKey(oldIntermediateResult);
            if (intermediateResult == NULL) {
                goto loser;
            }
        }

        /* Increment counter (assumes maxCounter < 255) */
        buffer[3]++;
    }

    PORT_ZFree(buffer, bufferLen);
    if (newSharedSecret != NULL)
        PK11_FreeSymKey(newSharedSecret);
    return intermediateResult;

loser:
    PORT_ZFree(buffer, bufferLen);
    if (newSharedSecret != NULL)
        PK11_FreeSymKey(newSharedSecret);
    if (intermediateResult != NULL)
        PK11_FreeSymKey(intermediateResult);
    return NULL;
}

/*
 * This regenerate a public key from a private key. This function is currently
 * NSS private. If we want to make it public, we need to add and optional
 * template or at least flags (a.la. PK11_DeriveWithFlags).
 */
CK_OBJECT_HANDLE
PK11_DerivePubKeyFromPrivKey(SECKEYPrivateKey *privKey)
{
    PK11SlotInfo *slot = privKey->pkcs11Slot;
    CK_MECHANISM mechanism;
    CK_OBJECT_HANDLE objectID = CK_INVALID_HANDLE;
    CK_RV crv;

    mechanism.mechanism = CKM_NSS_PUB_FROM_PRIV;
    mechanism.pParameter = NULL;
    mechanism.ulParameterLen = 0;

    PK11_EnterSlotMonitor(slot);
    crv = PK11_GETTAB(slot)->C_DeriveKey(slot->session, &mechanism,
                                         privKey->pkcs11ID, NULL, 0,
                                         &objectID);
    PK11_ExitSlotMonitor(slot);
    if (crv != CKR_OK) {
        PORT_SetError(PK11_MapError(crv));
        return CK_INVALID_HANDLE;
    }
    return objectID;
}

/*
 * This Generates a wrapping key based on a privateKey, publicKey, and two
 * random numbers. For Mail usage RandomB should be NULL. In the Sender's
 * case RandomA is generate, otherwise it is passed.
 */
PK11SymKey *
PK11_PubDerive(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey,
               PRBool isSender, SECItem *randomA, SECItem *randomB,
               CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
               CK_ATTRIBUTE_TYPE operation, int keySize, void *wincx)
{
    PK11SlotInfo *slot = privKey->pkcs11Slot;
    CK_MECHANISM mechanism;
    PK11SymKey *symKey;
    CK_RV crv;

    /* get our key Structure */
    symKey = pk11_CreateSymKey(slot, target, PR_TRUE, PR_TRUE, wincx);
    if (symKey == NULL) {
        return NULL;
    }

    /* CKA_NSS_MESSAGE is a fake operation to distinguish between
     * Normal Encrypt/Decrypt and MessageEncrypt/Decrypt. Don't try to set
     * it as a real attribute */
    if ((operation & CKA_NSS_MESSAGE_MASK) == CKA_NSS_MESSAGE) {
        /* Message is or'd with a real Attribute (CKA_ENCRYPT, CKA_DECRYPT),
         * etc. Strip out the real attribute here */
        operation &= ~CKA_NSS_MESSAGE_MASK;
    }

    symKey->origin = PK11_OriginDerive;

    switch (privKey->keyType) {
        case rsaKey:
        case rsaPssKey:
        case rsaOaepKey:
        case kyberKey:
        case nullKey:
        case edKey:
        case ecMontKey:
            PORT_SetError(SEC_ERROR_BAD_KEY);
            break;
        case dsaKey:
        case keaKey:
        case fortezzaKey: {
            static unsigned char rb_email[128] = { 0 };
            CK_KEA_DERIVE_PARAMS param;
            param.isSender = (CK_BBOOL)isSender;
            param.ulRandomLen = randomA->len;
            param.pRandomA = randomA->data;
            param.pRandomB = rb_email;
            param.pRandomB[127] = 1;
            if (randomB)
                param.pRandomB = randomB->data;
            if (pubKey->keyType == fortezzaKey) {
                param.ulPublicDataLen = pubKey->u.fortezza.KEAKey.len;
                param.pPublicData = pubKey->u.fortezza.KEAKey.data;
            } else {
                /* assert type == keaKey */
                /* XXX change to match key key types */
                param.ulPublicDataLen = pubKey->u.fortezza.KEAKey.len;
                param.pPublicData = pubKey->u.fortezza.KEAKey.data;
            }

            mechanism.mechanism = derive;
            mechanism.pParameter = &param;
            mechanism.ulParameterLen = sizeof(param);

            /* get a new symKey structure */
            pk11_EnterKeyMonitor(symKey);
            crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism,
                                                 privKey->pkcs11ID, NULL, 0,
                                                 &symKey->objectID);
            pk11_ExitKeyMonitor(symKey);
            if (crv == CKR_OK)
                return symKey;
            PORT_SetError(PK11_MapError(crv));
        } break;
        case dhKey: {
            CK_BBOOL cktrue = CK_TRUE;
            CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
            CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
            CK_ULONG key_size = 0;
            CK_ATTRIBUTE keyTemplate[4];
            int templateCount;
            CK_ATTRIBUTE *attrs = keyTemplate;

            if (pubKey->keyType != dhKey) {
                PORT_SetError(SEC_ERROR_BAD_KEY);
                break;
            }

            PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass));
            attrs++;
            PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType));
            attrs++;
            PK11_SETATTRS(attrs, operation, &cktrue, 1);
            attrs++;
            PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size));
            attrs++;
            templateCount = attrs - keyTemplate;
            PR_ASSERT(templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE));

            keyType = PK11_GetKeyType(target, keySize);
            key_size = keySize;
            symKey->size = keySize;
            if (key_size == 0)
                templateCount--;

            mechanism.mechanism = derive;

            /* we can undefine these when we define diffie-helman keys */

            mechanism.pParameter = pubKey->u.dh.publicValue.data;
            mechanism.ulParameterLen = pubKey->u.dh.publicValue.len;

            pk11_EnterKeyMonitor(symKey);
            crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism,
                                                 privKey->pkcs11ID, keyTemplate,
                                                 templateCount, &symKey->objectID);
            pk11_ExitKeyMonitor(symKey);
            if (crv == CKR_OK)
                return symKey;
            PORT_SetError(PK11_MapError(crv));
        } break;
        case ecKey: {
            CK_BBOOL cktrue = CK_TRUE;
            CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
            CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
            CK_ULONG key_size = 0;
            CK_ATTRIBUTE keyTemplate[4];
            int templateCount;
            CK_ATTRIBUTE *attrs = keyTemplate;
            CK_ECDH1_DERIVE_PARAMS *mechParams = NULL;

            if (pubKey->keyType != ecKey) {
                PORT_SetError(SEC_ERROR_BAD_KEY);
                break;
            }

            PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass));
            attrs++;
            PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType));
            attrs++;
            PK11_SETATTRS(attrs, operation, &cktrue, 1);
            attrs++;
            PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size));
            attrs++;
            templateCount = attrs - keyTemplate;
            PR_ASSERT(templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE));

            keyType = PK11_GetKeyType(target, keySize);
            key_size = keySize;
            if (key_size == 0) {
                if ((key_size = pk11_GetPredefinedKeyLength(keyType))) {
                    templateCount--;
                } else {
                    /* sigh, some tokens can't figure this out and require
                     * CKA_VALUE_LEN to be set */
                    key_size = SHA1_LENGTH;
                }
            }
            symKey->size = key_size;

            mechParams = PORT_ZNew(CK_ECDH1_DERIVE_PARAMS);
            mechParams->kdf = CKD_SHA1_KDF;
            mechParams->ulSharedDataLen = 0;
            mechParams->pSharedData = NULL;
            mechParams->ulPublicDataLen = pubKey->u.ec.publicValue.len;
            mechParams->pPublicData = pubKey->u.ec.publicValue.data;

            mechanism.mechanism = derive;
            mechanism.pParameter = mechParams;
            mechanism.ulParameterLen = sizeof(CK_ECDH1_DERIVE_PARAMS);

            pk11_EnterKeyMonitor(symKey);
            crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session,
                                                 &mechanism, privKey->pkcs11ID, keyTemplate,
                                                 templateCount, &symKey->objectID);
            pk11_ExitKeyMonitor(symKey);

            /* old PKCS #11 spec was ambiguous on what needed to be passed,
             * try this again with and encoded public key */
            if (crv != CKR_OK && pk11_ECGetPubkeyEncoding(pubKey) != ECPoint_XOnly) {
                SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL,
                                                       &pubKey->u.ec.publicValue,
                                                       SEC_ASN1_GET(SEC_OctetStringTemplate));
                if (pubValue == NULL) {
                    PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS));
                    break;
                }
                mechParams->ulPublicDataLen = pubValue->len;
                mechParams->pPublicData = pubValue->data;

                pk11_EnterKeyMonitor(symKey);
                crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session,
                                                     &mechanism, privKey->pkcs11ID, keyTemplate,
                                                     templateCount, &symKey->objectID);
                pk11_ExitKeyMonitor(symKey);

                SECITEM_FreeItem(pubValue, PR_TRUE);
            }

            PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS));

            if (crv == CKR_OK)
                return symKey;
            PORT_SetError(PK11_MapError(crv));
        }
    }

    PK11_FreeSymKey(symKey);
    return NULL;
}

/* Test for curves that are known to use a special encoding.
 * Extend this function when additional curves are added. */
static ECPointEncoding
pk11_ECGetPubkeyEncoding(const SECKEYPublicKey *pubKey)
{
    SECItem oid;
    SECStatus rv;
    PORTCheapArenaPool tmpArena;
    ECPointEncoding encoding = ECPoint_Undefined;

    PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);

    /* decode the OID tag */
    rv = SEC_QuickDERDecodeItem(&tmpArena.arena, &oid,
                                SEC_ASN1_GET(SEC_ObjectIDTemplate),
                                &pubKey->u.ec.DEREncodedParams);
    if (rv == SECSuccess) {
        SECOidTag tag = SECOID_FindOIDTag(&oid);
        switch (tag) {
            case SEC_OID_X25519:
            case SEC_OID_CURVE25519:
                encoding = ECPoint_XOnly;
                break;
            case SEC_OID_SECG_EC_SECP256R1:
            case SEC_OID_SECG_EC_SECP384R1:
            case SEC_OID_SECG_EC_SECP521R1:
            default:
                /* unknown curve, default to uncompressed */
                encoding = ECPoint_Uncompressed;
        }
    }
    PORT_DestroyCheapArena(&tmpArena);
    return encoding;
}

/* Returns the size of the public key, or 0 if there
 * is an error. */
static CK_ULONG
pk11_ECPubKeySize(SECKEYPublicKey *pubKey)
{
    SECItem *publicValue = &pubKey->u.ec.publicValue;

    ECPointEncoding encoding = pk11_ECGetPubkeyEncoding(pubKey);
    if (encoding == ECPoint_XOnly) {
        return publicValue->len;
    }
    if (encoding == ECPoint_Uncompressed) {
        /* key encoded in uncompressed form */
        return ((publicValue->len - 1) / 2);
    }
    /* key encoding not recognized */
    return 0;
}

static PK11SymKey *
pk11_PubDeriveECKeyWithKDF(
    SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey,
    PRBool isSender, SECItem *randomA, SECItem *randomB,
    CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
    CK_ATTRIBUTE_TYPE operation, int keySize,
    CK_ULONG kdf, SECItem *sharedData, void *wincx)
{
    PK11SlotInfo *slot = privKey->pkcs11Slot;
    PK11SymKey *symKey;
    PK11SymKey *SharedSecret;
    CK_MECHANISM mechanism;
    CK_RV crv;
    CK_BBOOL cktrue = CK_TRUE;
    CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
    CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
    CK_ULONG key_size = 0;
    CK_ATTRIBUTE keyTemplate[4];
    int templateCount;
    CK_ATTRIBUTE *attrs = keyTemplate;
    CK_ECDH1_DERIVE_PARAMS *mechParams = NULL;

    if (pubKey->keyType != ecKey && pubKey->keyType != ecMontKey) {
        PORT_SetError(SEC_ERROR_BAD_KEY);
        return NULL;
    }
    if ((kdf != CKD_NULL) && (kdf != CKD_SHA1_KDF) &&
        (kdf != CKD_SHA224_KDF) && (kdf != CKD_SHA256_KDF) &&
        (kdf != CKD_SHA384_KDF) && (kdf != CKD_SHA512_KDF)) {
        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
        return NULL;
    }

    /* get our key Structure */
    symKey = pk11_CreateSymKey(slot, target, PR_TRUE, PR_TRUE, wincx);
    if (symKey == NULL) {
        return NULL;
    }
    /* CKA_NSS_MESSAGE is a fake operation to distinguish between
     * Normal Encrypt/Decrypt and MessageEncrypt/Decrypt. Don't try to set
     * it as a real attribute */
    if ((operation & CKA_NSS_MESSAGE_MASK) == CKA_NSS_MESSAGE) {
        /* Message is or'd with a real Attribute (CKA_ENCRYPT, CKA_DECRYPT),
         * etc. Strip out the real attribute here */
        operation &= ~CKA_NSS_MESSAGE_MASK;
    }

    symKey->origin = PK11_OriginDerive;

    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass));
    attrs++;
    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType));
    attrs++;
    PK11_SETATTRS(attrs, operation, &cktrue, 1);
    attrs++;
    PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size));
    attrs++;
    templateCount = attrs - keyTemplate;
    PR_ASSERT(templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE));

    keyType = PK11_GetKeyType(target, keySize);
    key_size = keySize;
    if (key_size == 0) {
        if ((key_size = pk11_GetPredefinedKeyLength(keyType))) {
            templateCount--;
        } else {
            /* sigh, some tokens can't figure this out and require
             * CKA_VALUE_LEN to be set */
            switch (kdf) {
                case CKD_NULL:
                    key_size = pk11_ECPubKeySize(pubKey);
                    if (key_size == 0) {
                        PK11_FreeSymKey(symKey);
                        return NULL;
                    }
                    break;
                case CKD_SHA1_KDF:
                    key_size = SHA1_LENGTH;
                    break;
                case CKD_SHA224_KDF:
                    key_size = SHA224_LENGTH;
                    break;
                case CKD_SHA256_KDF:
                    key_size = SHA256_LENGTH;
                    break;
                case CKD_SHA384_KDF:
                    key_size = SHA384_LENGTH;
                    break;
                case CKD_SHA512_KDF:
                    key_size = SHA512_LENGTH;
                    break;
                default:
                    PORT_AssertNotReached("Invalid CKD");
                    PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
                    PK11_FreeSymKey(symKey);
                    return NULL;
            }
        }
    }
    symKey->size = key_size;

    mechParams = PORT_ZNew(CK_ECDH1_DERIVE_PARAMS);
    if (!mechParams) {
        PK11_FreeSymKey(symKey);
        return NULL;
    }
    mechParams->kdf = kdf;
    if (sharedData == NULL) {
        mechParams->ulSharedDataLen = 0;
        mechParams->pSharedData = NULL;
    } else {
        mechParams->ulSharedDataLen = sharedData->len;
        mechParams->pSharedData = sharedData->data;
    }
    mechParams->ulPublicDataLen = pubKey->u.ec.publicValue.len;
    mechParams->pPublicData = pubKey->u.ec.publicValue.data;

    mechanism.mechanism = derive;
    mechanism.pParameter = mechParams;
    mechanism.ulParameterLen = sizeof(CK_ECDH1_DERIVE_PARAMS);

    pk11_EnterKeyMonitor(symKey);
    crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism,
                                         privKey->pkcs11ID, keyTemplate,
                                         templateCount, &symKey->objectID);
    pk11_ExitKeyMonitor(symKey);

    /* old PKCS #11 spec was ambiguous on what needed to be passed,
     * try this again with an encoded public key */
    if (crv != CKR_OK) {
        /* For curves that only use X as public value and no encoding we don't
         * have to try again. (Currently only Curve25519) */
        if (pk11_ECGetPubkeyEncoding(pubKey) == ECPoint_XOnly) {
            goto loser;
        }
        SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL,
                                               &pubKey->u.ec.publicValue,
                                               SEC_ASN1_GET(SEC_OctetStringTemplate));
        if (pubValue == NULL) {
            goto loser;
        }
        mechParams->ulPublicDataLen = pubValue->len;
        mechParams->pPublicData = pubValue->data;

        pk11_EnterKeyMonitor(symKey);
        crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session,
                                             &mechanism, privKey->pkcs11ID, keyTemplate,
                                             templateCount, &symKey->objectID);
        pk11_ExitKeyMonitor(symKey);

        if ((crv != CKR_OK) && (kdf != CKD_NULL)) {
            /* Some PKCS #11 libraries cannot perform the key derivation
             * function. So, try calling C_DeriveKey with CKD_NULL and then
             * performing the KDF separately.
             */
            CK_ULONG derivedKeySize = key_size;

            keyType = CKK_GENERIC_SECRET;
            key_size = pk11_ECPubKeySize(pubKey);
            if (key_size == 0) {
                SECITEM_FreeItem(pubValue, PR_TRUE);
                goto loser;
            }
            SharedSecret = symKey;
            SharedSecret->size = key_size;

            mechParams->kdf = CKD_NULL;
            mechParams->ulSharedDataLen = 0;
            mechParams->pSharedData = NULL;
            mechParams->ulPublicDataLen = pubKey->u.ec.publicValue.len;
            mechParams->pPublicData = pubKey->u.ec.publicValue.data;

            pk11_EnterKeyMonitor(SharedSecret);
            crv = PK11_GETTAB(slot)->C_DeriveKey(SharedSecret->session,
                                                 &mechanism, privKey->pkcs11ID, keyTemplate,
                                                 templateCount, &SharedSecret->objectID);
            pk11_ExitKeyMonitor(SharedSecret);

            if (crv != CKR_OK) {
                /* old PKCS #11 spec was ambiguous on what needed to be passed,
                 * try this one final time with an encoded public key */
                mechParams->ulPublicDataLen = pubValue->len;
                mechParams->pPublicData = pubValue->data;

                pk11_EnterKeyMonitor(SharedSecret);
                crv = PK11_GETTAB(slot)->C_DeriveKey(SharedSecret->session,
                                                     &mechanism, privKey->pkcs11ID, keyTemplate,
                                                     templateCount, &SharedSecret->objectID);
                pk11_ExitKeyMonitor(SharedSecret);
            }

            /* Perform KDF. */
            if (crv == CKR_OK) {
                symKey = pk11_ANSIX963Derive(SharedSecret, kdf,
                                             sharedData, target, operation,
                                             derivedKeySize);
                PK11_FreeSymKey(SharedSecret);
                if (symKey == NULL) {
                    SECITEM_FreeItem(pubValue, PR_TRUE);
                    PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS));
                    return NULL;
                }
            }
        }
        SECITEM_FreeItem(pubValue, PR_TRUE);
    }

loser:
    PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS));

    if (crv != CKR_OK) {
        PK11_FreeSymKey(symKey);
        symKey = NULL;
        PORT_SetError(PK11_MapError(crv));
    }
    return symKey;
}

PK11SymKey *
PK11_PubDeriveWithKDF(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey,
                      PRBool isSender, SECItem *randomA, SECItem *randomB,
                      CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
                      CK_ATTRIBUTE_TYPE operation, int keySize,
                      CK_ULONG kdf, SECItem *sharedData, void *wincx)
{

    switch (privKey->keyType) {
        case rsaKey:
        case nullKey:
        case dsaKey:
        case keaKey:
        case fortezzaKey:
        case dhKey:
            return PK11_PubDerive(privKey, pubKey, isSender, randomA, randomB,
                                  derive, target, operation, keySize, wincx);
        case ecKey:
        case ecMontKey:
            return pk11_PubDeriveECKeyWithKDF(privKey, pubKey, isSender,
                                              randomA, randomB, derive, target,
                                              operation, keySize,
                                              kdf, sharedData, wincx);
        default:
            PORT_SetError(SEC_ERROR_BAD_KEY);
            break;
    }

    return NULL;
}

/*
 * this little function uses the Decrypt function to unwrap a key, just in
 * case we are having problem with unwrap. NOTE: The key size may
 * not be preserved properly for some algorithms!
 */
static PK11SymKey *
pk11_HandUnwrap(PK11SlotInfo *slot, CK_OBJECT_HANDLE wrappingKey,
                CK_MECHANISM *mech, SECItem *inKey, CK_MECHANISM_TYPE target,
                CK_ATTRIBUTE *keyTemplate, unsigned int templateCount,
                int key_size, void *wincx, CK_RV *crvp, PRBool isPerm)
{
    CK_ULONG len;
    SECItem outKey;
    PK11SymKey *symKey;
    CK_RV crv;
    PRBool owner = PR_TRUE;
    CK_SESSION_HANDLE session;

    /* remove any VALUE_LEN parameters */
    if (keyTemplate[templateCount - 1].type == CKA_VALUE_LEN) {
        templateCount--;
    }

    /* keys are almost always aligned, but if we get this far,
     * we've gone above and beyond anyway... */
    outKey.data = (unsigned char *)PORT_Alloc(inKey->len);
    if (outKey.data == NULL) {
        PORT_SetError(SEC_ERROR_NO_MEMORY);
        if (crvp)
            *crvp = CKR_HOST_MEMORY;
        return NULL;
    }
    len = inKey->len;

    /* use NULL IV's for wrapping */
    session = pk11_GetNewSession(slot, &owner);
    if (!owner || !(slot->isThreadSafe))
        PK11_EnterSlotMonitor(slot);
    crv = PK11_GETTAB(slot)->C_DecryptInit(session, mech, wrappingKey);
    if (crv != CKR_OK) {
        if (!owner || !(slot->isThreadSafe))
            PK11_ExitSlotMonitor(slot);
        pk11_CloseSession(slot, session, owner);
        PORT_Free(outKey.data);
        PORT_SetError(PK11_MapError(crv));
        if (crvp)
            *crvp = crv;
        return NULL;
    }
    crv = PK11_GETTAB(slot)->C_Decrypt(session, inKey->data, inKey->len,
                                       outKey.data, &len);
    if (!owner || !(slot->isThreadSafe))
        PK11_ExitSlotMonitor(slot);
    pk11_CloseSession(slot, session, owner);
    if (crv != CKR_OK) {
        PORT_Free(outKey.data);
        PORT_SetError(PK11_MapError(crv));
        if (crvp)
            *crvp = crv;
        return NULL;
    }

    outKey.len = (key_size == 0) ? len : key_size;
    outKey.type = siBuffer;

    if (PK11_DoesMechanism(slot, target)) {
        symKey = pk11_ImportSymKeyWithTempl(slot, target, PK11_OriginUnwrap,
                                            isPerm, keyTemplate,
                                            templateCount, &outKey, wincx);
    } else {
        slot = PK11_GetBestSlot(target, wincx);
        if (slot == NULL) {
            PORT_SetError(SEC_ERROR_NO_MODULE);
            PORT_Free(outKey.data);
            if (crvp)
                *crvp = CKR_DEVICE_ERROR;
            return NULL;
        }
        symKey = pk11_ImportSymKeyWithTempl(slot, target, PK11_OriginUnwrap,
                                            isPerm, keyTemplate,
                                            templateCount, &outKey, wincx);
        PK11_FreeSlot(slot);
    }
    PORT_Free(outKey.data);

    if (crvp)
        *crvp = symKey ? CKR_OK : CKR_DEVICE_ERROR;
    return symKey;
}

/*
 * The wrap/unwrap function is pretty much the same for private and
 * public keys. It's just getting the Object ID and slot right. This is
 * the combined unwrap function.
 */
static PK11SymKey *
pk11_AnyUnwrapKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE wrappingKey,
                  CK_MECHANISM_TYPE wrapType, SECItem *param, SECItem *wrappedKey,
                  CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize,
                  void *wincx, CK_ATTRIBUTE *userAttr, unsigned int numAttrs, PRBool isPerm)
{
    PK11SymKey *symKey;
    SECItem *param_free = NULL;
    CK_BBOOL cktrue = CK_TRUE;
    CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
    CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
    CK_ULONG valueLen = 0;
    CK_MECHANISM mechanism;
    CK_SESSION_HANDLE rwsession;
    CK_RV crv;
    CK_MECHANISM_INFO mechanism_info;
#define MAX_ADD_ATTRS 4
    CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS + MAX_ADD_ATTRS];
#undef MAX_ADD_ATTRS
    CK_ATTRIBUTE *attrs = keyTemplate;
    unsigned int templateCount;

    if (numAttrs > MAX_TEMPL_ATTRS) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return NULL;
    }
    /* CKA_NSS_MESSAGE is a fake operation to distinguish between
     * Normal Encrypt/Decrypt and MessageEncrypt/Decrypt. Don't try to set
     * it as a real attribute */
    if ((operation & CKA_NSS_MESSAGE_MASK) == CKA_NSS_MESSAGE) {
        /* Message is or'd with a real Attribute (CKA_ENCRYPT, CKA_DECRYPT),
         * etc. Strip out the real attribute here */
        operation &= ~CKA_NSS_MESSAGE_MASK;
    }

    /* first copy caller attributes in. */
    for (templateCount = 0; templateCount < numAttrs; ++templateCount) {
        *attrs++ = *userAttr++;
    }

    /* We only add the following attributes to the template if the caller
    ** didn't already supply them.
    */
    if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_CLASS)) {
        PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof keyClass);
        attrs++;
    }
    if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_KEY_TYPE)) {
        keyType = PK11_GetKeyType(target, keySize);
        PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof keyType);
        attrs++;
    }
    if ((operation != CKA_FLAGS_ONLY) &&
        !pk11_FindAttrInTemplate(keyTemplate, numAttrs, operation)) {
        PK11_SETATTRS(attrs, operation, &cktrue, 1);
        attrs++;
    }

    /*
     * must be last in case we need to use this template to import the key
     */
    if (keySize > 0 &&
        !pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_VALUE_LEN)) {
        valueLen = (CK_ULONG)keySize;
        PK11_SETATTRS(attrs, CKA_VALUE_LEN, &valueLen, sizeof valueLen);
        attrs++;
    }

    templateCount = attrs - keyTemplate;
    PR_ASSERT(templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE));

    /* find out if we can do wrap directly. Because the RSA case if *very*
     * common, cache the results for it. */
    if ((wrapType == CKM_RSA_PKCS) && (slot->hasRSAInfo)) {
        mechanism_info.flags = slot->RSAInfoFlags;
    } else {
        if (!slot->isThreadSafe)
            PK11_EnterSlotMonitor(slot);
        crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, wrapType,
                                                    &mechanism_info);
        if (!slot->isThreadSafe)
            PK11_ExitSlotMonitor(slot);
        if (crv != CKR_OK) {
            mechanism_info.flags = 0;
        }
        if (wrapType == CKM_RSA_PKCS) {
            slot->RSAInfoFlags = mechanism_info.flags;
            slot->hasRSAInfo = PR_TRUE;
        }
    }

    /* initialize the mechanism structure */
    mechanism.mechanism = wrapType;
    /* use NULL IV's for wrapping */
    if (param == NULL)
        param = param_free = PK11_ParamFromIV(wrapType, NULL);
    if (param) {
        mechanism.pParameter = param->data;
        mechanism.ulParameterLen = param->len;
    } else {
        mechanism.pParameter = NULL;
        mechanism.ulParameterLen = 0;
    }

    if ((mechanism_info.flags & CKF_DECRYPT) && !PK11_DoesMechanism(slot, target)) {
        symKey = pk11_HandUnwrap(slot, wrappingKey, &mechanism, wrappedKey,
                                 target, keyTemplate, templateCount, keySize,
                                 wincx, &crv, isPerm);
        if (symKey) {
            if (param_free)
                SECITEM_FreeItem(param_free, PR_TRUE);
            return symKey;
        }
        /*
         * if the RSA OP simply failed, don't try to unwrap again
         * with this module.
         */
        if (crv == CKR_DEVICE_ERROR) {
            if (param_free)
                SECITEM_FreeItem(param_free, PR_TRUE);
            return NULL;
        }
        /* fall through, maybe they incorrectly set CKF_DECRYPT */
    }

    /* get our key Structure */
    symKey = pk11_CreateSymKey(slot, target, !isPerm, PR_TRUE, wincx);
    if (symKey == NULL) {
        if (param_free)
            SECITEM_FreeItem(param_free, PR_TRUE);
        return NULL;
    }

    symKey->size = keySize;
    symKey->origin = PK11_OriginUnwrap;

    if (isPerm) {
        rwsession = PK11_GetRWSession(slot);
    } else {
        pk11_EnterKeyMonitor(symKey);
        rwsession = symKey->session;
    }
    PORT_Assert(rwsession != CK_INVALID_HANDLE);
    if (rwsession == CK_INVALID_HANDLE)
        crv = CKR_SESSION_HANDLE_INVALID;
    else
        crv = PK11_GETTAB(slot)->C_UnwrapKey(rwsession, &mechanism, wrappingKey,
                                             wrappedKey->data, wrappedKey->len,
                                             keyTemplate, templateCount,
                                             &symKey->objectID);
    if (isPerm) {
        if (rwsession != CK_INVALID_HANDLE)
            PK11_RestoreROSession(slot, rwsession);
    } else {
        pk11_ExitKeyMonitor(symKey);
    }
    if (param_free)
        SECITEM_FreeItem(param_free, PR_TRUE);
    if (crv != CKR_OK) {
        PK11_FreeSymKey(symKey);
        symKey = NULL;
        if (crv != CKR_DEVICE_ERROR) {
            /* try hand Unwrapping */
            symKey = pk11_HandUnwrap(slot, wrappingKey, &mechanism, wrappedKey,
                                     target, keyTemplate, templateCount,
                                     keySize, wincx, NULL, isPerm);
        }
    }

    return symKey;
}

/* use a symetric key to unwrap another symetric key */
PK11SymKey *
PK11_UnwrapSymKey(PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType,
                  SECItem *param, SECItem *wrappedKey,
                  CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
                  int keySize)
{
    return pk11_AnyUnwrapKey(wrappingKey->slot, wrappingKey->objectID,
                             wrapType, param, wrappedKey, target, operation, keySize,
                             wrappingKey->cx, NULL, 0, PR_FALSE);
}

/* use a symetric key to unwrap another symetric key */
PK11SymKey *
PK11_UnwrapSymKeyWithFlags(PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType,
                           SECItem *param, SECItem *wrappedKey,
                           CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
                           int keySize, CK_FLAGS flags)
{
    CK_BBOOL ckTrue = CK_TRUE;
    CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS];
    unsigned int templateCount;

    templateCount = pk11_OpFlagsToAttributes(flags, keyTemplate, &ckTrue);
    return pk11_AnyUnwrapKey(wrappingKey->slot, wrappingKey->objectID,
                             wrapType, param, wrappedKey, target, operation, keySize,
                             wrappingKey->cx, keyTemplate, templateCount, PR_FALSE);
}

PK11SymKey *
PK11_UnwrapSymKeyWithFlagsPerm(PK11SymKey *wrappingKey,
                               CK_MECHANISM_TYPE wrapType,
                               SECItem *param, SECItem *wrappedKey,
                               CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
                               int keySize, CK_FLAGS flags, PRBool isPerm)
{
    CK_BBOOL cktrue = CK_TRUE;
    CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS];
    CK_ATTRIBUTE *attrs;
    unsigned int templateCount;

    attrs = keyTemplate;
    if (isPerm) {
        PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(CK_BBOOL));
        attrs++;
    }
    templateCount = attrs - keyTemplate;
    templateCount += pk11_OpFlagsToAttributes(flags, attrs, &cktrue);

    return pk11_AnyUnwrapKey(wrappingKey->slot, wrappingKey->objectID,
                             wrapType, param, wrappedKey, target, operation, keySize,
                             wrappingKey->cx, keyTemplate, templateCount, isPerm);
}

/* unwrap a symmetric key with a private key. Only supports CKM_RSA_PKCS. */
PK11SymKey *
PK11_PubUnwrapSymKey(SECKEYPrivateKey *wrappingKey, SECItem *wrappedKey,
                     CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize)
{
    CK_MECHANISM_TYPE wrapType = pk11_mapWrapKeyType(wrappingKey->keyType);

    return PK11_PubUnwrapSymKeyWithMechanism(wrappingKey, wrapType, NULL,
                                             wrappedKey, target, operation,
                                             keySize);
}

/* unwrap a symmetric key with a private key with the given parameters. */
PK11SymKey *
PK11_PubUnwrapSymKeyWithMechanism(SECKEYPrivateKey *wrappingKey,
                                  CK_MECHANISM_TYPE mechType, SECItem *param,
                                  SECItem *wrappedKey, CK_MECHANISM_TYPE target,
                                  CK_ATTRIBUTE_TYPE operation, int keySize)
{
    PK11SlotInfo *slot = wrappingKey->pkcs11Slot;

    if (SECKEY_HAS_ATTRIBUTE_SET(wrappingKey, CKA_PRIVATE)) {
        PK11_HandlePasswordCheck(slot, wrappingKey->wincx);
    }

    return pk11_AnyUnwrapKey(slot, wrappingKey->pkcs11ID, mechType, param,
                             wrappedKey, target, operation, keySize,
                             wrappingKey->wincx, NULL, 0, PR_FALSE);
}

/* unwrap a symetric key with a private key. */
PK11SymKey *
PK11_PubUnwrapSymKeyWithFlags(SECKEYPrivateKey *wrappingKey,
                              SECItem *wrappedKey, CK_MECHANISM_TYPE target,
                              CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags)
{
    CK_MECHANISM_TYPE wrapType = pk11_mapWrapKeyType(wrappingKey->keyType);
    CK_BBOOL ckTrue = CK_TRUE;
    CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS];
    unsigned int templateCount;
    PK11SlotInfo *slot = wrappingKey->pkcs11Slot;

    templateCount = pk11_OpFlagsToAttributes(flags, keyTemplate, &ckTrue);

    if (SECKEY_HAS_ATTRIBUTE_SET(wrappingKey, CKA_PRIVATE)) {
        PK11_HandlePasswordCheck(slot, wrappingKey->wincx);
    }

    return pk11_AnyUnwrapKey(slot, wrappingKey->pkcs11ID,
                             wrapType, NULL, wrappedKey, target, operation, keySize,
                             wrappingKey->wincx, keyTemplate, templateCount, PR_FALSE);
}

PK11SymKey *
PK11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey *wrappingKey,
                                  SECItem *wrappedKey, CK_MECHANISM_TYPE target,
                                  CK_ATTRIBUTE_TYPE operation, int keySize,
                                  CK_FLAGS flags, PRBool isPerm)
{
    CK_MECHANISM_TYPE wrapType = pk11_mapWrapKeyType(wrappingKey->keyType);
    CK_BBOOL cktrue = CK_TRUE;
    CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS];
    CK_ATTRIBUTE *attrs;
    unsigned int templateCount;
    PK11SlotInfo *slot = wrappingKey->pkcs11Slot;

    attrs = keyTemplate;
    if (isPerm) {
        PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(CK_BBOOL));
        attrs++;
    }
    templateCount = attrs - keyTemplate;

    templateCount += pk11_OpFlagsToAttributes(flags, attrs, &cktrue);

    if (SECKEY_HAS_ATTRIBUTE_SET(wrappingKey, CKA_PRIVATE)) {
        PK11_HandlePasswordCheck(slot, wrappingKey->wincx);
    }

    return pk11_AnyUnwrapKey(slot, wrappingKey->pkcs11ID,
                             wrapType, NULL, wrappedKey, target, operation, keySize,
                             wrappingKey->wincx, keyTemplate, templateCount, isPerm);
}

PK11SymKey *
PK11_CopySymKeyForSigning(PK11SymKey *originalKey, CK_MECHANISM_TYPE mech)
{
    CK_RV crv;
    CK_ATTRIBUTE setTemplate;
    CK_BBOOL ckTrue = CK_TRUE;
    PK11SlotInfo *slot = originalKey->slot;

    /* first just try to set this key up for signing */
    PK11_SETATTRS(&setTemplate, CKA_SIGN, &ckTrue, sizeof(ckTrue));
    pk11_EnterKeyMonitor(originalKey);
    crv = PK11_GETTAB(slot)->C_SetAttributeValue(originalKey->session,
                                                 originalKey->objectID, &setTemplate, 1);
    pk11_ExitKeyMonitor(originalKey);
    if (crv == CKR_OK) {
        return PK11_ReferenceSymKey(originalKey);
    }

    /* nope, doesn't like it, use the pk11 copy object command */
    return pk11_CopyToSlot(slot, mech, CKA_SIGN, originalKey);
}

void
PK11_SetFortezzaHack(PK11SymKey *symKey)
{
    symKey->origin = PK11_OriginFortezzaHack;
}

/*
 * This is required to allow FORTEZZA_NULL and FORTEZZA_RC4
 * working. This function simply gets a valid IV for the keys.
 */
SECStatus
PK11_GenerateFortezzaIV(PK11SymKey *symKey, unsigned char *iv, int len)
{
    CK_MECHANISM mech_info;
    CK_ULONG count = 0;
    CK_RV crv;
    SECStatus rv = SECFailure;

    mech_info.mechanism = CKM_SKIPJACK_CBC64;
    mech_info.pParameter = iv;
    mech_info.ulParameterLen = len;

    /* generate the IV for fortezza */
    PK11_EnterSlotMonitor(symKey->slot);
    crv = PK11_GETTAB(symKey->slot)->C_EncryptInit(symKey->slot->session, &mech_info, symKey->objectID);
    if (crv == CKR_OK) {
        PK11_GETTAB(symKey->slot)->C_EncryptFinal(symKey->slot->session, NULL, &count);
        rv = SECSuccess;
    }
    PK11_ExitSlotMonitor(symKey->slot);
    return rv;
}

CK_OBJECT_HANDLE
PK11_GetSymKeyHandle(PK11SymKey *symKey)
{
    return symKey->objectID;
}

static CK_ULONG
pk11_KyberCiphertextLength(SECKEYKyberPublicKey *pubKey)
{
    switch (pubKey->params) {
        case params_kyber768_round3:
        case params_kyber768_round3_test_mode:
        case params_ml_kem768:
        case params_ml_kem768_test_mode:
            return KYBER768_CIPHERTEXT_BYTES;
        default:
            // unreachable
            return 0;
    }
}

static CK_ULONG
pk11_KEMCiphertextLength(SECKEYPublicKey *pubKey)
{
    switch (pubKey->keyType) {
        case kyberKey:
            return pk11_KyberCiphertextLength(&pubKey->u.kyber);
        default:
            // unreachable
            PORT_Assert(0);
            return 0;
    }
}

SECStatus
PK11_Encapsulate(SECKEYPublicKey *pubKey, CK_MECHANISM_TYPE target, PK11AttrFlags attrFlags, CK_FLAGS opFlags, PK11SymKey **outKey, SECItem **outCiphertext)
{
    PORT_Assert(pubKey);
    PORT_Assert(outKey);
    PORT_Assert(outCiphertext);

    PK11SlotInfo *slot = pubKey->pkcs11Slot;

    PK11SymKey *sharedSecret = NULL;
    SECItem *ciphertext = NULL;

    CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS];
    unsigned int templateCount;

    CK_ATTRIBUTE *attrs;
    CK_BBOOL cktrue = CK_TRUE;
    CK_BBOOL ckfalse = CK_FALSE;
    CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
    CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;

    CK_INTERFACE_PTR KEMInterface = NULL;
    CK_UTF8CHAR_PTR KEMInterfaceName = (CK_UTF8CHAR_PTR) "Vendor NSS KEM Interface";
    CK_VERSION KEMInterfaceVersion = { 1, 0 };
    CK_NSS_KEM_FUNCTIONS *KEMInterfaceFunctions = NULL;

    CK_RV crv;

    *outKey = NULL;
    *outCiphertext = NULL;

    CK_MECHANISM_TYPE kemType;
    CK_NSS_KEM_PARAMETER_SET_TYPE kemParameterSet = PK11_ReadULongAttribute(slot, pubKey->pkcs11ID, CKA_NSS_PARAMETER_SET);
    switch (kemParameterSet) {
        case CKP_NSS_KYBER_768_ROUND3:
            kemType = CKM_NSS_KYBER;
            break;
        case CKP_NSS_ML_KEM_768:
            kemType = CKM_NSS_ML_KEM;
            break;
        default:
            PORT_SetError(SEC_ERROR_INVALID_KEY);
            return SECFailure;
    }
    CK_MECHANISM mech = { kemType, &kemParameterSet, sizeof(kemParameterSet) };

    sharedSecret = pk11_CreateSymKey(slot, target, PR_TRUE, PR_TRUE, NULL);
    if (sharedSecret == NULL) {
        PORT_SetError(SEC_ERROR_NO_MEMORY);
        return SECFailure;
    }
    sharedSecret->origin = PK11_OriginGenerated;

    attrs = keyTemplate;
    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass));
    attrs++;

    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType));
    attrs++;

    attrs += pk11_AttrFlagsToAttributes(attrFlags, attrs, &cktrue, &ckfalse);
    attrs += pk11_OpFlagsToAttributes(opFlags, attrs, &cktrue);

    templateCount = attrs - keyTemplate;
    PR_ASSERT(templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE));

    crv = PK11_GETTAB(slot)->C_GetInterface(KEMInterfaceName, &KEMInterfaceVersion, &KEMInterface, 0);
    if (crv != CKR_OK) {
        goto error;
    }
    KEMInterfaceFunctions = (CK_NSS_KEM_FUNCTIONS *)(KEMInterface->pFunctionList);

    CK_ULONG ciphertextLen = pk11_KEMCiphertextLength(pubKey);
    ciphertext = SECITEM_AllocItem(NULL, NULL, ciphertextLen);
    if (ciphertext == NULL) {
        crv = CKR_HOST_MEMORY;
        goto error;
    }

    pk11_EnterKeyMonitor(sharedSecret);
    crv = KEMInterfaceFunctions->C_Encapsulate(sharedSecret->session,
                                               &mech,
                                               pubKey->pkcs11ID,
                                               keyTemplate,
                                               templateCount,
                                               &sharedSecret->objectID,
                                               ciphertext->data,
                                               &ciphertextLen);
    pk11_ExitKeyMonitor(sharedSecret);
    if (crv != CKR_OK) {
        goto error;
    }

    PORT_Assert(ciphertextLen == ciphertext->len);

    *outKey = sharedSecret;
    *outCiphertext = ciphertext;

    return SECSuccess;

error:
    PORT_SetError(PK11_MapError(crv));
    PK11_FreeSymKey(sharedSecret);
    SECITEM_FreeItem(ciphertext, PR_TRUE);
    return SECFailure;
}

SECStatus
PK11_Decapsulate(SECKEYPrivateKey *privKey, const SECItem *ciphertext, CK_MECHANISM_TYPE target, PK11AttrFlags attrFlags, CK_FLAGS opFlags, PK11SymKey **outKey)
{
    PORT_Assert(privKey);
    PORT_Assert(ciphertext);
    PORT_Assert(outKey);

    PK11SlotInfo *slot = privKey->pkcs11Slot;

    PK11SymKey *sharedSecret;

    CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS];
    unsigned int templateCount;

    CK_ATTRIBUTE *attrs;
    CK_BBOOL cktrue = CK_TRUE;
    CK_BBOOL ckfalse = CK_FALSE;
    CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
    CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;

    CK_INTERFACE_PTR KEMInterface = NULL;
    CK_UTF8CHAR_PTR KEMInterfaceName = (CK_UTF8CHAR_PTR) "Vendor NSS KEM Interface";
    CK_VERSION KEMInterfaceVersion = { 1, 0 };
    CK_NSS_KEM_FUNCTIONS *KEMInterfaceFunctions = NULL;

    CK_RV crv;

    *outKey = NULL;

    CK_MECHANISM_TYPE kemType;
    CK_NSS_KEM_PARAMETER_SET_TYPE kemParameterSet = PK11_ReadULongAttribute(slot, privKey->pkcs11ID, CKA_NSS_PARAMETER_SET);
    switch (kemParameterSet) {
        case CKP_NSS_KYBER_768_ROUND3:
            kemType = CKM_NSS_KYBER;
            break;
        case CKP_NSS_ML_KEM_768:
            kemType = CKM_NSS_ML_KEM;
            break;
        default:
            PORT_SetError(SEC_ERROR_INVALID_KEY);
            return SECFailure;
    }
    CK_MECHANISM mech = { kemType, &kemParameterSet, sizeof(kemParameterSet) };

    sharedSecret = pk11_CreateSymKey(slot, target, PR_TRUE, PR_TRUE, NULL);
    if (sharedSecret == NULL) {
        PORT_SetError(SEC_ERROR_NO_MEMORY);
        return SECFailure;
    }
    sharedSecret->origin = PK11_OriginUnwrap;

    attrs = keyTemplate;
    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass));
    attrs++;

    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType));
    attrs++;

    attrs += pk11_AttrFlagsToAttributes(attrFlags, attrs, &cktrue, &ckfalse);
    attrs += pk11_OpFlagsToAttributes(opFlags, attrs, &cktrue);

    templateCount = attrs - keyTemplate;
    PR_ASSERT(templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE));

    crv = PK11_GETTAB(slot)->C_GetInterface(KEMInterfaceName, &KEMInterfaceVersion, &KEMInterface, 0);
    if (crv != CKR_OK) {
        PORT_SetError(PK11_MapError(crv));
        goto error;
    }
    KEMInterfaceFunctions = (CK_NSS_KEM_FUNCTIONS *)(KEMInterface->pFunctionList);

    pk11_EnterKeyMonitor(sharedSecret);
    crv = KEMInterfaceFunctions->C_Decapsulate(sharedSecret->session,
                                               &mech,
                                               privKey->pkcs11ID,
                                               ciphertext->data,
                                               ciphertext->len,
                                               keyTemplate,
                                               templateCount,
                                               &sharedSecret->objectID);
    pk11_ExitKeyMonitor(sharedSecret);
    if (crv != CKR_OK) {
        goto error;
    }

    *outKey = sharedSecret;
    return SECSuccess;

error:
    PK11_FreeSymKey(sharedSecret);
    return SECFailure;
}

Coverage Report

Created: 2025-06-24 06:49