path: root/lib/ncrypto_local.c

/* In-process crypto implementation.

Copyright 2010 Red Hat, Inc.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

Red Hat author: Miloslav Trmač <mitr@redhat.com> */
#include <config.h>

#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#include <glib.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/rand.h>

#include <ncrypto/ncrypto.h>

#include "internal.h"

 /* Helpers */

static CK_RV
ckr_openssl (void)
{
  /* FIXME: better error handling?  This will be replaced anyway. */
  return CKR_GENERAL_ERROR;
}

 /* Random numbers */

CK_RV
ncr_get_random_bytes (void *dest, size_t size)
{
  /* This is not strong enough, we need cryptographically strong random
     numbers! */
  return RAND_pseudo_bytes (dest, size) != 0 ? CKR_OK : ckr_openssl ();
}

 /* Symmetric keys */

CK_RV
ncr_symm_key_create (struct ncr_symm_key **key, CK_KEY_TYPE type,
		     const void *value, size_t value_size)
{
  struct ncr_symm_key *k;

  g_return_val_if_fail (key != NULL, CKR_ARGUMENTS_BAD);
  g_return_val_if_fail (value != NULL || value_size == 0, CKR_ARGUMENTS_BAD);
  /* FIXME? validate "type" */
  /* FIXME: PKCS#11 modules should refuse keys with incorrect parity here */

  k = malloc (sizeof (*k) + value_size);
  if (k == NULL)
    return CKR_HOST_MEMORY;

  k->type = type;
  k->size = value_size;
  memcpy (k->value, value, value_size);
  *key = k;
  return CKR_OK;
}

/* Return non-zero if the key is unusable */
#define DES_KEY_SIZE 8
static int
des3_fixup_key (uint8_t value[static 3 * DES_KEY_SIZE])
{
  static const uint8_t weak_keys[][DES_KEY_SIZE] =
    {
      "\x01\x01\x01\x01\x01\x01\x01\x01",
      "\x1F\x1F\x1F\x1F\x0E\x0E\x0E\x0E",
      "\xE0\xE0\xE0\xE0\xF1\xF1\xF1\xF1",
      "\xFE\xFE\xFE\xFE\xFE\xFE\xFE\xFE",
      "\x01\xFE\x01\xFE\x01\xFE\x01\xFE",
      "\xFE\x01\xFE\x01\xFE\x01\xFE\x01",
      "\x1F\xE0\x1F\xE0\x0E\xF1\x0E\xF1",
      "\xE0\x1F\xE0\x1F\xF1\x0E\xF1\x0E",
      "\x01\xE0\x01\xE0\x01\xF1\x01\xF1",
      "\xE0\x01\xE0\x01\xF1\x01\xF1\x01",
      "\x1F\xFE\x1F\xFE\x0E\xFE\x0E\xFE",
      "\xFE\x1F\xFE\x1F\xFE\x0E\xFE\x0E",
      "\x01\x1F\x01\x1F\x01\x0E\x01\x0E",
      "\x1F\x01\x1F\x01\x0E\x01\x0E\x01",
      "\xE0\xFE\xE0\xFE\xF1\xFE\xF1\xFE",
      "\xFE\xE0\xFE\xE0\xFE\xF1\xFE\xF1"
    };

  size_t i;

  for (i = 0; i < 3; i++)
    {
      uint8_t *key;
      size_t j;

      key = value + i * 8;
      for (j = 0; j < DES_KEY_SIZE; j++)
	{
	  uint8_t v;

	  v = key[i];
	  v ^= v >> 4; /* v & 0x0F has the same parity as key[i] */
	  v ^= v >> 2; /* v & 0x03 has the same parity as key[i] */
	  v ^= v >> 1; /* v & 0x01 has the same parity as key[i] */
	  key[i] ^= (v & 0x01) ^ 0x01; /* Ensure odd parity */
	}
      for (j = 0; j < G_N_ELEMENTS (weak_keys); j++)
	{
	  if (memcmp (key, weak_keys[j], DES_KEY_SIZE) == 0)
	    return 1;
	}
    }
  return 0;
}
#undef DES_KEY_SIZE

CK_RV
ncr_symm_key_generate (struct ncr_symm_key **key, CK_MECHANISM_TYPE mech,
		       size_t value_size)
{
  struct ncr_symm_key *k;
  CK_KEY_TYPE type;
  CK_RV res;

  g_return_val_if_fail (key != NULL, CKR_ARGUMENTS_BAD);

  switch (mech)
    {
    case CKM_AES_KEY_GEN:
      type = CKK_AES;
      g_return_val_if_fail (value_size == 16 || value_size == 24
			    || value_size == 32, CKR_TEMPLATE_INCONSISTENT);
      break;

    case CKM_DES3_KEY_GEN:
      type = CKK_DES3;
      g_return_val_if_fail (value_size == 24 || value_size == 0,
			    CKR_TEMPLATE_INCONSISTENT);
      value_size = 24;
      break;

    case CKM_GENERIC_SECRET_KEY_GEN:
      type = CKK_GENERIC_SECRET;
      g_return_val_if_fail (value_size <= SIZE_MAX - sizeof (*k),
			    CKR_HOST_MEMORY);
      break;

    default:
      g_return_val_if_reached (CKR_MECHANISM_INVALID);
    }
  k = malloc (sizeof (*k) + value_size);
  if (k == NULL)
    return CKR_HOST_MEMORY;

  k->type = type;
  k->size = value_size;
 regenerate:
  res = ncr_get_random_bytes (k->value, value_size);
  if (res != CKR_OK)
    {
      ncr_symm_key_destroy (k);
      return res;
    }

  if (type == CKK_DES3)
    {
      if (des3_fixup_key (k->value) != 0)
	goto regenerate;
    }

  *key = k;
  return CKR_OK;
}

CK_RV
ncr_symm_key_destroy (struct ncr_symm_key *key)
{
  g_return_val_if_fail (key != NULL, CKR_KEY_HANDLE_INVALID);

  memset (key->value, 0, key->size); /* FIXME: is this safe WRT optimization? */
  free (key);
  return CKR_OK;
}

 /* Digest handling */

static const EVP_MD *
digest_evp_from_mech (CK_MECHANISM_TYPE mech)
{
  switch (mech)
    {
#define E(M, E)					\
    case CKM_##M:				\
      return EVP_##E ();
      E (MD5, md5);
      E (SHA_1, sha1);
      E (SHA224, sha224);
      E (SHA256, sha256);
      E (SHA384, sha384);
      E (SHA512, sha512);
#undef E
    default:
      g_return_val_if_reached (NULL);
    }
}

struct ncr_digest_session
{
  EVP_MD_CTX ctx;
  const EVP_MD *md;
  size_t md_size;
  /* Debugging only */
  enum { NDS_NEW, NDS_INITIALIZED, NDS_UPDATED, NDS_FINISHED } state;
};

CK_RV
ncr_digest_alloc (struct ncr_digest_session **sess, CK_MECHANISM_TYPE mech)
{
  struct ncr_digest_session *s;
  const EVP_MD *md;

  g_return_val_if_fail (sess != NULL, CKR_ARGUMENTS_BAD);

  md = digest_evp_from_mech (mech);
  if (md == NULL)
    return CKR_MECHANISM_INVALID;

  s = malloc (sizeof (*s));
  if (s == NULL)
    return CKR_HOST_MEMORY;

  EVP_MD_CTX_init (&s->ctx);
  s->state = NDS_NEW;
  s->md = md;
  s->md_size = EVP_MD_size (md);
  *sess = s;
  return CKR_OK;
}

CK_RV
ncr_digest_free (struct ncr_digest_session *sess)
{
  g_return_val_if_fail (sess != NULL, CKR_SESSION_HANDLE_INVALID);

  EVP_MD_CTX_cleanup (&sess->ctx);
  free (sess);
  return CKR_OK;
}

CK_RV
ncr_digest_clone (struct ncr_digest_session **clone,
		  struct ncr_digest_session *sess)
{
  struct ncr_digest_session *c;

  g_return_val_if_fail (clone != NULL, CKR_ARGUMENTS_BAD);
  g_return_val_if_fail (sess != NULL, CKR_SESSION_HANDLE_INVALID);
  g_return_val_if_fail (sess->state == NDS_INITIALIZED
			|| sess->state == NDS_UPDATED,
			CKR_OPERATION_NOT_INITIALIZED);

  c = malloc (sizeof (*c));
  if (c == NULL)
    return CKR_HOST_MEMORY;

  EVP_MD_CTX_init (&c->ctx);
  if (EVP_MD_CTX_copy_ex (&c->ctx, &sess->ctx) == 0)
    {
      free (c);
      return ckr_openssl ();
    }
  c->state = sess->state;
  c->md = sess->md;
  c->md_size = sess->md_size;
  *clone = c;
  return CKR_OK;
}

CK_RV
ncr_digest_init (struct ncr_digest_session *sess)
{
  g_return_val_if_fail (sess != NULL, CKR_SESSION_HANDLE_INVALID);
  g_return_val_if_fail (sess->state == NDS_NEW || sess->state == NDS_FINISHED,
			CKR_OPERATION_ACTIVE);

  if (EVP_DigestInit_ex (&sess->ctx, sess->md, NULL) == 0)
    return ckr_openssl ();

  sess->state = NDS_INITIALIZED;
  return CKR_OK;
}

CK_RV
ncr_digest_update (struct ncr_digest_session *sess, const void *data,
		   size_t size)
{
  g_return_val_if_fail (sess != NULL, CKR_SESSION_HANDLE_INVALID);
  g_return_val_if_fail (data != NULL, CKR_ARGUMENTS_BAD);
  g_return_val_if_fail (sess->state == NDS_INITIALIZED
			|| sess->state == NDS_UPDATED,
			CKR_OPERATION_NOT_INITIALIZED);

  if (EVP_DigestUpdate (&sess->ctx, data, size) == 0)
    return ckr_openssl ();

  sess->state = NDS_UPDATED;
  return CKR_OK;
}

CK_RV
ncr_digest_final (struct ncr_digest_session *sess, void *dest,
		  size_t *size_ptr)
{
  int res;

  g_return_val_if_fail (sess != NULL, CKR_SESSION_HANDLE_INVALID);
  g_return_val_if_fail (sess->state == NDS_INITIALIZED
			|| sess->state == NDS_UPDATED,
			CKR_OPERATION_NOT_INITIALIZED);
  g_return_val_if_fail (size_ptr != NULL, CKR_ARGUMENTS_BAD);

  if (dest == NULL)
    {
      *size_ptr = sess->md_size;
      return CKR_OK;
    }
  if (*size_ptr < sess->md_size)
    {
      *size_ptr = sess->md_size;
      return CKR_BUFFER_TOO_SMALL;
    }
  *size_ptr = sess->md_size;

  g_return_val_if_fail (dest != NULL, CKR_ARGUMENTS_BAD);

  res = EVP_DigestFinal_ex (&sess->ctx, dest, NULL);
  sess->state = NDS_FINISHED;
  return res ? CKR_OK : ckr_openssl ();
}

CK_RV
ncr_digest (struct ncr_digest_session *sess, void *dest, size_t *dest_size_ptr,
	    const void *data, size_t data_size)
{
  int res;

  g_return_val_if_fail (sess != NULL, CKR_SESSION_HANDLE_INVALID);
  g_return_val_if_fail (sess->state == NDS_INITIALIZED,
			CKR_OPERATION_NOT_INITIALIZED);
  g_return_val_if_fail (dest_size_ptr != NULL, CKR_ARGUMENTS_BAD);

  if (dest == NULL)
    {
      *dest_size_ptr = sess->md_size;
      return CKR_OK;
    }
  if (*dest_size_ptr < sess->md_size)
    {
      *dest_size_ptr = sess->md_size;
      return CKR_BUFFER_TOO_SMALL;
    }
  *dest_size_ptr = sess->md_size;

  g_return_val_if_fail (data != NULL, CKR_ARGUMENTS_BAD);

  res = (EVP_DigestUpdate (&sess->ctx, data, data_size) != 0
	 && EVP_DigestFinal_ex (&sess->ctx, dest, NULL) != 0);
  sess->state = NDS_FINISHED;
  return res ? CKR_OK : ckr_openssl ();
}

CK_RV
ncr_digest_standalone (CK_MECHANISM_TYPE mech, void *dest,
		       size_t *dest_size_ptr, const void *data,
		       size_t data_size)
{
  const EVP_MD *md;
  size_t md_size;

  g_return_val_if_fail (dest_size_ptr != NULL, CKR_ARGUMENTS_BAD);

  md = digest_evp_from_mech (mech);
  if (md == NULL)
    return CKR_MECHANISM_INVALID;

  md_size = EVP_MD_size (md);
  if (dest == NULL)
    {
      *dest_size_ptr = md_size;
      return CKR_OK;
    }
  if (*dest_size_ptr < md_size)
    {
      *dest_size_ptr = md_size;
      return CKR_BUFFER_TOO_SMALL;
    }
  *dest_size_ptr = md_size;

  g_return_val_if_fail (data != NULL, CKR_ARGUMENTS_BAD);

  return EVP_Digest (data, data_size, dest, NULL, md, NULL) != 0
    ? CKR_OK : ckr_openssl ();
}

 /* Symmetric encryption */

struct ncr_symm_cipher_session
{
  EVP_CIPHER_CTX ctx;
  CK_MECHANISM_TYPE mech;
  size_t padding_size;		/* Additional space to reserve for padding */
  bool encrypting;
  /* Debugging only */
  enum { NSCS_NEW, NSCS_INITIALIZED, NSCS_UPDATED, NSCS_FINISHED } state;
};

CK_RV
ncr_symm_cipher_alloc (struct ncr_symm_cipher_session **sess,
		       CK_MECHANISM_TYPE mech)
{
  struct ncr_symm_cipher_session *s;

  g_return_val_if_fail (sess != NULL, CKR_ARGUMENTS_BAD);
  /* FIXME? Validate "mech" */

  s = malloc (sizeof (*s));
  if (s == NULL)
    return CKR_HOST_MEMORY;

  EVP_CIPHER_CTX_init (&s->ctx);
  s->mech = mech;
  s->state = NSCS_NEW;
  *sess = s;
  return CKR_OK;
}

CK_RV
ncr_symm_cipher_free (struct ncr_symm_cipher_session *sess)
{
  g_return_val_if_fail (sess != NULL, CKR_SESSION_HANDLE_INVALID);

  EVP_CIPHER_CTX_cleanup (&sess->ctx);
  free (sess);
  return CKR_OK;
}

static CK_RV
symm_cipher_init (struct ncr_symm_cipher_session *sess, bool encrypt,
		  struct ncr_symm_key *key, const void *param,
		  size_t param_size)
{
  const EVP_CIPHER *type;
  bool padding;

  g_return_val_if_fail (sess != NULL, CKR_SESSION_HANDLE_INVALID);
  g_return_val_if_fail (sess->state == NSCS_NEW || sess->state == NSCS_FINISHED,
			CKR_OPERATION_ACTIVE);
  g_return_val_if_fail (key != NULL, CKR_KEY_HANDLE_INVALID);
  g_return_val_if_fail (param != NULL || param_size == 0, CKR_ARGUMENTS_BAD);

  switch (sess->mech)
    {
#define AES_SWITCH(MODE)				\
      switch (key->size)				\
	{						\
	  AES_ENTRY (MODE, 128);			\
	  AES_ENTRY (MODE, 192);			\
	  AES_ENTRY (MODE, 256);			\
	default:					\
	  g_return_val_if_reached (CKR_KEY_SIZE_RANGE);	\
	}
#define AES_ENTRY(MODE, SIZE)			\
	case (SIZE) / 8:			\
	  type = EVP_aes_##SIZE##_##MODE ();	\
	  break;

    case CKM_AES_ECB:
      g_return_val_if_fail (key->type == CKK_AES, CKR_KEY_TYPE_INCONSISTENT);
      g_return_val_if_fail (param_size == 0, CKR_MECHANISM_PARAM_INVALID);
      AES_SWITCH (ecb);
      padding = false;
      break;

    case CKM_AES_CBC:
    case CKM_AES_CBC_PAD:
      g_return_val_if_fail (key->type == CKK_AES, CKR_KEY_TYPE_INCONSISTENT);
      g_return_val_if_fail (param_size == 16, CKR_MECHANISM_PARAM_INVALID);
      AES_SWITCH (cbc);
      padding = sess->mech == CKM_AES_CBC_PAD;
      break;
#undef AES_ENTRY

    case CKM_DES3_ECB:
      g_return_val_if_fail (key->type == CKK_DES3, CKR_KEY_TYPE_INCONSISTENT);
      g_return_val_if_fail (key->size == 24, CKR_KEY_SIZE_RANGE);
      g_return_val_if_fail (param_size == 0, CKR_MECHANISM_PARAM_INVALID);
      type = EVP_des_ede3 ();
      padding = false;
      break;

    case CKM_DES3_CBC:
    case CKM_DES3_CBC_PAD:
      g_return_val_if_fail (key->type == CKK_DES3, CKR_KEY_TYPE_INCONSISTENT);
      g_return_val_if_fail (key->size == 24, CKR_KEY_SIZE_RANGE);
      g_return_val_if_fail (param_size == 8, CKR_MECHANISM_PARAM_INVALID);
      type = EVP_des_ede3_cbc ();
      padding = sess->mech == CKM_DES3_CBC_PAD;
      break;

    default:
      g_return_val_if_reached (CKR_MECHANISM_INVALID);
    }

  if (EVP_CipherInit_ex (&sess->ctx, type, NULL, key->value,
			 param_size != 0 ? param : NULL, encrypt ? 1 : 0) == 0)
    return ckr_openssl ();
  if (!padding && EVP_CIPHER_CTX_set_padding (&sess->ctx, 0) == 0)
    return ckr_openssl ();

  sess->padding_size = padding ? EVP_CIPHER_block_size (type) : 0;
  sess->encrypting = encrypt;
  sess->state = NSCS_INITIALIZED;
  return CKR_OK;
}

static CK_RV
symm_cipher_update (struct ncr_symm_cipher_session *sess, bool encrypt,
		    void *dest, size_t *dest_size_ptr, const void *src,
		    size_t src_size)
{
  int outl;

  g_return_val_if_fail (sess != NULL, CKR_SESSION_HANDLE_INVALID);
  g_return_val_if_fail (dest_size_ptr != NULL, CKR_ARGUMENTS_BAD);
  g_return_val_if_fail (sess->state == NSCS_INITIALIZED
			|| sess->state == NSCS_UPDATED,
			CKR_OPERATION_NOT_INITIALIZED);
  g_return_val_if_fail (sess->encrypting == encrypt,
			CKR_OPERATION_NOT_INITIALIZED);

  if (dest == NULL)
    {
      *dest_size_ptr = src_size + sess->padding_size;
      return CKR_OK;
    }
  if (*dest_size_ptr < src_size) /* FIXME? this does not handle partial data */
    {
      *dest_size_ptr = src_size;
      return CKR_BUFFER_TOO_SMALL;
    }

  g_return_val_if_fail (dest != NULL, CKR_ARGUMENTS_BAD);
  g_return_val_if_fail (src != NULL || src_size == 0, CKR_ARGUMENTS_BAD);

  if (EVP_CipherUpdate (&sess->ctx, dest, &outl, src, src_size) == 0)
    return ckr_openssl ();

  *dest_size_ptr = outl;
  sess->state = NSCS_UPDATED;
  return CKR_OK;
}

/* EVP_CipherUpdate + EVP_CipherFinal_ex */
static CK_RV
do_symm_cipher_update_final (struct ncr_symm_cipher_session *sess,
			     bool encrypt, void *dest, size_t *dest_size_ptr,
			     const void *src, size_t src_size)
{
  int outl;
  size_t dest_size;

  /* The caller has verified session and its state. */
  g_return_val_if_fail (dest_size_ptr != NULL, CKR_ARGUMENTS_BAD);
  g_return_val_if_fail (sess->encrypting == encrypt,
			CKR_OPERATION_NOT_INITIALIZED);

  if (dest == NULL)
    {
      *dest_size_ptr = src_size + sess->padding_size;
      return CKR_OK;
    }
  /* FIXME? this does not handle partial data or padding. */
  if (*dest_size_ptr < src_size)
    {
      *dest_size_ptr = src_size;
      return CKR_BUFFER_TOO_SMALL;
    }

  g_return_val_if_fail (dest != NULL, CKR_ARGUMENTS_BAD);
  g_return_val_if_fail (src != NULL || src_size == 0, CKR_ARGUMENTS_BAD);

  if (EVP_CipherUpdate (&sess->ctx, dest, &outl, src, src_size) == 0)
    {
      sess->state = NSCS_FINISHED;
      return ckr_openssl ();
    }

  dest_size = outl;

  if (EVP_CipherFinal_ex (&sess->ctx, (uint8_t *)dest + outl, &outl) == 0)
    {
      sess->state = NSCS_FINISHED;
      return ckr_openssl ();
    }

  *dest_size_ptr = dest_size + outl;

  sess->state = NSCS_FINISHED;
  return CKR_OK;
}

static CK_RV
symm_cipher_final (struct ncr_symm_cipher_session *sess, bool encrypt,
		   void *dest, size_t *dest_size_ptr, const void *src,
		   size_t src_size)
{
  g_return_val_if_fail (sess != NULL, CKR_SESSION_HANDLE_INVALID);
  g_return_val_if_fail (sess->state == NSCS_INITIALIZED
			|| sess->state == NSCS_UPDATED,
			CKR_OPERATION_NOT_INITIALIZED);

  return do_symm_cipher_update_final (sess, encrypt, dest, dest_size_ptr, src,
				      src_size);
}

static CK_RV
symm_cipher (struct ncr_symm_cipher_session *sess, bool encrypt, void *dest,
	     size_t *dest_size_ptr, const void *src, size_t src_size)
{
  g_return_val_if_fail (sess != NULL, CKR_SESSION_HANDLE_INVALID);
  g_return_val_if_fail (sess->state == NSCS_INITIALIZED,
			CKR_OPERATION_NOT_INITIALIZED);

  return do_symm_cipher_update_final (sess, encrypt, dest, dest_size_ptr, src,
				      src_size);
}

CK_RV
ncr_symm_cipher_encrypt_init (struct ncr_symm_cipher_session *sess,
			      struct ncr_symm_key *key, const void *param,
			      size_t param_size)
{
  return symm_cipher_init (sess, true, key, param, param_size);
}

CK_RV
ncr_symm_cipher_encrypt_update (struct ncr_symm_cipher_session *sess,
				void *dest, size_t *dest_size_ptr,
				const void *src, size_t src_size)
{
  return symm_cipher_update (sess, true, dest, dest_size_ptr, src, src_size);
}

CK_RV
ncr_symm_cipher_encrypt_final (struct ncr_symm_cipher_session *sess, void *dest,
			       size_t *dest_size_ptr, const void *src,
			       size_t src_size)
{
  return symm_cipher_final (sess, true, dest, dest_size_ptr, src, src_size);
}

CK_RV
ncr_symm_cipher_encrypt (struct ncr_symm_cipher_session *sess, void *dest,
			 size_t *dest_size_ptr, const void *src,
			 size_t src_size)
{
  return symm_cipher (sess, true, dest, dest_size_ptr, src, src_size);
}

CK_RV
ncr_symm_cipher_decrypt_init (struct ncr_symm_cipher_session *sess,
			      struct ncr_symm_key *key, const void *param,
			      size_t param_size)
{
  return symm_cipher_init (sess, false, key, param, param_size);
}

CK_RV
ncr_symm_cipher_decrypt_update (struct ncr_symm_cipher_session *sess,
				void *dest, size_t *dest_size_ptr,
				const void *src, size_t src_size)
{
  return symm_cipher_update (sess, false, dest, dest_size_ptr, src, src_size);
}

CK_RV
ncr_symm_cipher_decrypt_final (struct ncr_symm_cipher_session *sess, void *dest,
			       size_t *dest_size_ptr, const void *src,
			       size_t src_size)
{
  return symm_cipher_final (sess, false, dest, dest_size_ptr, src, src_size);
}

CK_RV
ncr_symm_cipher_decrypt (struct ncr_symm_cipher_session *sess, void *dest,
			 size_t *dest_size_ptr, const void *src,
			 size_t src_size)
{
  return symm_cipher (sess, false, dest, dest_size_ptr, src, src_size);
}

 /* Symmetric signature handling */

static const EVP_MD *
symm_signature_evp_from_hmac_mech (CK_MECHANISM_TYPE mech)
{
  switch (mech)
    {
#define E(M, E)					\
    case CKM_##M##_HMAC:			\
      return EVP_##E ();
      E (MD5, md5);
      E (SHA_1, sha1);
      E (SHA224, sha224);
      E (SHA256, sha256);
      E (SHA384, sha384);
      E (SHA512, sha512);
#undef E
    default:
      g_return_val_if_reached (NULL);
    }
}

struct ncr_symm_signature_session
{
  HMAC_CTX ctx;
  const EVP_MD *md;
  size_t md_size;
  bool signing;
  /* Debugging only */
  enum { NSSS_NEW, NSSS_INITIALIZED, NSSS_UPDATED, NSSS_FINISHED } state;
};

CK_RV
ncr_symm_signature_alloc (struct ncr_symm_signature_session **sess,
			  CK_MECHANISM_TYPE mech)
{
  struct ncr_symm_signature_session *s;
  const EVP_MD *md;

  g_return_val_if_fail (sess != NULL, CKR_ARGUMENTS_BAD);

  md = symm_signature_evp_from_hmac_mech (mech);
  if (md == NULL)
    return CKR_MECHANISM_INVALID;

  s = malloc (sizeof (*s));
  if (s == NULL)
    return CKR_HOST_MEMORY;

  HMAC_CTX_init (&s->ctx);
  s->state = NSSS_NEW;
  s->md = md;
  s->md_size = EVP_MD_size (md);
  g_assert (s->md_size <= EVP_MAX_MD_SIZE);
  *sess = s;
  return CKR_OK;
}

CK_RV
ncr_symm_signature_free (struct ncr_symm_signature_session *sess)
{
  g_return_val_if_fail (sess != NULL, CKR_SESSION_HANDLE_INVALID);

  HMAC_CTX_cleanup (&sess->ctx);
  free (sess);
  return CKR_OK;
}

CK_RV
ncr_symm_signature_clone (struct ncr_symm_signature_session **clone,
			  struct ncr_symm_signature_session *sess)
{
  struct ncr_symm_signature_session *c;

  g_return_val_if_fail (clone != NULL, CKR_ARGUMENTS_BAD);
  g_return_val_if_fail (sess != NULL, CKR_SESSION_HANDLE_INVALID);
  g_return_val_if_fail (sess->state == NSSS_INITIALIZED
			|| sess->state == NSSS_UPDATED,
			CKR_OPERATION_NOT_INITIALIZED);

  c = malloc (sizeof (*c));
  if (c == NULL)
    return CKR_HOST_MEMORY;

  /* HMAC_CTX_copy is undocumented, and seems not to need MD_CTX_init, but
     openssl internally calls HMAC_CTX_init before HMAC_CTX_copy, so we do as
     well. */
  HMAC_CTX_init (&c->ctx);
  if (HMAC_CTX_copy (&c->ctx, &sess->ctx) == 0)
    {
      free (c);
      return ckr_openssl ();
    }
  c->state = sess->state;
  c->md = sess->md;
  c->md_size = sess->md_size;
  c->signing = sess->signing;
  *clone = c;
  return CKR_OK;
}

static CK_RV
symm_signature_init (struct ncr_symm_signature_session *sess, bool sign,
		     struct ncr_symm_key *key)
{
  g_return_val_if_fail (sess != NULL, CKR_SESSION_HANDLE_INVALID);
  g_return_val_if_fail (sess->state == NSSS_NEW || sess->state == NSSS_FINISHED,
			CKR_OPERATION_ACTIVE);
  g_return_val_if_fail (key != NULL, CKR_KEY_HANDLE_INVALID);

  /* This is not assured, but holds for supported mechanisms. */
  g_return_val_if_fail (key->type == CKK_GENERIC_SECRET,
			CKR_KEY_TYPE_INCONSISTENT);

  if (HMAC_Init_ex (&sess->ctx, key->value, key->size, sess->md, NULL) == 0)
    return ckr_openssl ();

  sess->signing = sign;
  sess->state = NSSS_INITIALIZED;
  return CKR_OK;
}

static CK_RV
symm_signature_update (struct ncr_symm_signature_session *sess, bool sign,
		       const void *data, size_t size)
{
  g_return_val_if_fail (sess != NULL, CKR_SESSION_HANDLE_INVALID);
  g_return_val_if_fail (data != NULL, CKR_ARGUMENTS_BAD);
  g_return_val_if_fail (sess->state == NSSS_INITIALIZED
			|| sess->state == NSSS_UPDATED,
			CKR_OPERATION_NOT_INITIALIZED);
  g_return_val_if_fail (sess->signing == sign, CKR_OPERATION_NOT_INITIALIZED);

  if (HMAC_Update (&sess->ctx, data, size) == 0)
    return ckr_openssl ();

  sess->state = NSSS_UPDATED;
  return CKR_OK;
}

CK_RV
ncr_symm_signature_sign_init (struct ncr_symm_signature_session *sess,
			      struct ncr_symm_key *key)
{
  return symm_signature_init (sess, true, key);
}

CK_RV
ncr_symm_signature_sign_update (struct ncr_symm_signature_session *sess,
				const void *data, size_t size)
{
  return symm_signature_update (sess, true, data, size);
}

CK_RV
ncr_symm_signature_sign_final (struct ncr_symm_signature_session *sess,
			       void *dest, size_t *size_ptr)
{
  int res;

  g_return_val_if_fail (sess != NULL, CKR_SESSION_HANDLE_INVALID);
  g_return_val_if_fail (sess->state == NSSS_INITIALIZED
			|| sess->state == NSSS_UPDATED,
			CKR_OPERATION_NOT_INITIALIZED);
  g_return_val_if_fail (size_ptr != NULL, CKR_ARGUMENTS_BAD);
  g_return_val_if_fail (sess->signing == true, CKR_OPERATION_NOT_INITIALIZED);

  if (dest == NULL)
    {
      *size_ptr = sess->md_size;
      return CKR_OK;
    }
  if (*size_ptr < sess->md_size)
    {
      *size_ptr = sess->md_size;
      return CKR_BUFFER_TOO_SMALL;
    }
  *size_ptr = sess->md_size;

  g_return_val_if_fail (dest != NULL, CKR_ARGUMENTS_BAD);

  res = HMAC_Final (&sess->ctx, dest, NULL);
  sess->state = NSSS_FINISHED;
  return res ? CKR_OK : ckr_openssl ();
}

CK_RV
ncr_symm_signature_sign (struct ncr_symm_signature_session *sess, void *dest,
			 size_t *dest_size_ptr, const void *data,
			 size_t data_size)
{
  int res;

  g_return_val_if_fail (sess != NULL, CKR_SESSION_HANDLE_INVALID);
  g_return_val_if_fail (sess->state == NSSS_INITIALIZED,
			CKR_OPERATION_NOT_INITIALIZED);
  g_return_val_if_fail (dest_size_ptr != NULL, CKR_ARGUMENTS_BAD);
  g_return_val_if_fail (sess->signing == true, CKR_OPERATION_NOT_INITIALIZED);

  if (dest == NULL)
    {
      *dest_size_ptr = sess->md_size;
      return CKR_OK;
    }
  if (*dest_size_ptr < sess->md_size)
    {
      *dest_size_ptr = sess->md_size;
      return CKR_BUFFER_TOO_SMALL;
    }
  *dest_size_ptr = sess->md_size;

  g_return_val_if_fail (data != NULL, CKR_ARGUMENTS_BAD);

  res = (HMAC_Update (&sess->ctx, data, data_size) != 0
	 && HMAC_Final (&sess->ctx, dest, NULL) != 0);
  sess->state = NSSS_FINISHED;
  return res ? CKR_OK : ckr_openssl ();
}

CK_RV
ncr_symm_signature_verify_init (struct ncr_symm_signature_session *sess,
				struct ncr_symm_key *key)
{
  return symm_signature_init (sess, false, key);
}

CK_RV
ncr_symm_signature_verify_update (struct ncr_symm_signature_session *sess,
				  const void *data, size_t size)
{
  return symm_signature_update (sess, false, data, size);
}

CK_RV
ncr_symm_signature_verify_final (struct ncr_symm_signature_session *sess,
				 const void *signature, size_t size)
{
  uint8_t buf[EVP_MAX_MD_SIZE];
  int res;

  g_return_val_if_fail (sess != NULL, CKR_SESSION_HANDLE_INVALID);
  g_return_val_if_fail (sess->state == NSSS_INITIALIZED
			|| sess->state == NSSS_UPDATED,
			CKR_OPERATION_NOT_INITIALIZED);
  g_return_val_if_fail (signature != NULL, CKR_ARGUMENTS_BAD);
  g_return_val_if_fail (sess->signing == false, CKR_OPERATION_NOT_INITIALIZED);

  res = HMAC_Final (&sess->ctx, buf, NULL);
  sess->state = NSSS_FINISHED;
  if (res == 0)
    return ckr_openssl ();
  if (size != sess->md_size)
    return CKR_SIGNATURE_LEN_RANGE;
  if (memcmp (signature, buf, size) != 0)
    return CKR_SIGNATURE_INVALID;
  return CKR_OK;
}

CK_RV
ncr_symm_signature_verify (struct ncr_symm_signature_session *sess,
			   const void *signature, size_t signature_size,
			   const void *data, size_t data_size)
{
  uint8_t buf[EVP_MAX_MD_SIZE];
  int res;

  g_return_val_if_fail (sess != NULL, CKR_SESSION_HANDLE_INVALID);
  g_return_val_if_fail (sess->state == NSSS_INITIALIZED,
			CKR_OPERATION_NOT_INITIALIZED);
  g_return_val_if_fail (data != NULL, CKR_ARGUMENTS_BAD);
  g_return_val_if_fail (signature != NULL, CKR_ARGUMENTS_BAD);
  g_return_val_if_fail (sess->signing == false, CKR_OPERATION_NOT_INITIALIZED);

  res = (HMAC_Update (&sess->ctx, data, data_size) != 0
	 && HMAC_Final (&sess->ctx, buf, NULL) != 0);
  sess->state = NSSS_FINISHED;
  if (res == 0)
    return ckr_openssl ();
  if (signature_size != sess->md_size)
    return CKR_SIGNATURE_LEN_RANGE;
  if (memcmp (signature, buf, signature_size) != 0)
    return CKR_SIGNATURE_INVALID;
  return CKR_OK;
}