ica_specific.c

来自「IBM的Linux上的PKCS#11实现」· C语言 代码 · 共 1,839 行 · 第 1/5 页

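/*
 * token_specific_final: close the ICA adapter handle.
 *
 * The result of icaCloseAdapter() is not inspected; CKR_OK is always returned.
 */
CK_RV
token_specific_final()
{
   icaCloseAdapter(adapter_handle);
   return CKR_OK;
}

// count_ones_in_byte: for use in adjust_des_key_parity_bits below
//
// Returns the number of set bits in 'byte'. A single-bit mask is shifted
// left one position per iteration and the loop stops once the mask is zero.
CK_BYTE
count_ones_in_byte(CK_BYTE byte)
{
   CK_BYTE and_mask,   // bit selector
           number_of_ones = 0;

   for (and_mask = 1; and_mask != 0; and_mask <<= 1) { // for each bit,
      if (byte & and_mask)                             // if it's a one,
         ++number_of_ones;                             // count it
   }

   return number_of_ones;
}

#define EVEN_PARITY TRUE
#define ODD_PARITY FALSE

// adjust_des_key_parity_bits: to conform to NIST spec for DES and 3DES keys
//
// des_key  - key bytes, modified in place
// key_size - number of bytes in des_key
// parity   - ODD_PARITY or EVEN_PARITY
//
// With ODD_PARITY a byte holding an even number of one bits gets its least
// significant bit flipped; with any other value a byte holding an odd number
// of one bits gets flipped. Only bit 0 of each byte is ever changed.
void
adjust_des_key_parity_bits(CK_BYTE *des_key, CK_ULONG key_size, CK_BBOOL parity)
{
   CK_ULONG i;

   // look at each byte in the key
   for (i = 0; i < key_size; ++i) {
      if ((count_ones_in_byte(des_key[i]) % 2) ^ (parity == ODD_PARITY)) {
         // if parity for this byte isn't what it should be,
         // flip the parity (least significant) bit
         des_key[i] ^= 1;
      }
   }
}

/*
 * token_specific_des_key_gen: fill des_key with len bytes from rng_generate()
 * and force odd parity on every byte. Always returns CKR_OK.
 *
 * NOTE(review): the result of rng_generate() is not checked here. If it can
 * fail, the buffer would be parity-adjusted and returned as a key without
 * holding fresh random data -- confirm its return contract and propagate an
 * error if it has one.
 */
CK_RV
token_specific_des_key_gen(CK_BYTE *des_key, CK_ULONG len)
{
   // Nothing different to do for DES or TDES here as this is just
   // random data...  Validation handles the rest
   rng_generate(des_key, len);
   adjust_des_key_parity_bits(des_key, len, ODD_PARITY);

   // No weak-key check is done here. Per the original author's note, the
   // caller validates single DES keys against the known and suspected
   // poor keys.
   return CKR_OK;
}

/*
 * token_specific_des_ecb: single-DES ECB encrypt (encrypt != 0) or decrypt
 * through the ICA adapter, using an all-zero IV structure.
 *
 * *out_data_len is read as the capacity handed to the adapter. On success it
 * is set to in_data_len; on adapter failure it holds whatever length the
 * adapter call left behind and CKR_FUNCTION_FAILED is returned.
 *
 * The adapter interface takes an unsigned int length, so a length that does
 * not survive that conversion is rejected up front instead of being silently
 * truncated and then reported as fully processed.
 *
 * Single DES has a 56-bit effective key, and ECB maps equal plaintext blocks
 * to equal ciphertext blocks; both matter when choosing this mechanism.
 */
CK_RV
token_specific_des_ecb(CK_BYTE  *in_data,
                       CK_ULONG  in_data_len,
                       CK_BYTE  *out_data,
                       CK_ULONG *out_data_len,
                       CK_BYTE  *key_value,
                       CK_BYTE   encrypt)
{
   ICA_DES_VECTOR empty_iv;
   CK_RV rc;
   unsigned int temp = (unsigned int) *out_data_len;

   if ((CK_ULONG)(unsigned int)in_data_len != in_data_len)
      return CKR_FUNCTION_FAILED;

   memset(&empty_iv, 0, sizeof(empty_iv));

   if (encrypt) {
      rc = icaDesEncrypt(adapter_handle, MODE_DES_ECB,
                         (unsigned int)in_data_len, in_data,
                         &empty_iv, (ICA_KEY_DES_SINGLE *)key_value,
                         &temp, out_data);
   } else {
      rc = icaDesDecrypt(adapter_handle, MODE_DES_ECB,
                         (unsigned int)in_data_len, in_data,
                         &empty_iv, (ICA_KEY_DES_SINGLE *)key_value,
                         &temp, out_data);
   }

   *out_data_len = (CK_ULONG)temp;
   if (rc != 0)
      return CKR_FUNCTION_FAILED;

   *out_data_len = in_data_len;
   return CKR_OK;
}

/*
 * token_specific_des_cbc: single-DES CBC encrypt (encrypt != 0) or decrypt
 * through the ICA adapter. init_v is passed to the adapter as the IV.
 *
 * Length handling and return codes match token_specific_des_ecb: a length
 * that does not fit in unsigned int is rejected, *out_data_len becomes
 * in_data_len on success, and any adapter error maps to CKR_FUNCTION_FAILED.
 */
CK_RV
token_specific_des_cbc(CK_BYTE  *in_data,
                       CK_ULONG  in_data_len,
                       CK_BYTE  *out_data,
                       CK_ULONG *out_data_len,
                       CK_BYTE  *key_value,
                       CK_BYTE  *init_v,
                       CK_BYTE   encrypt)
{
   CK_RV rc;
   unsigned int temp = (unsigned int) *out_data_len;

   if ((CK_ULONG)(unsigned int)in_data_len != in_data_len)
      return CKR_FUNCTION_FAILED;

   if (encrypt) {
      rc = icaDesEncrypt(adapter_handle, MODE_DES_CBC,
                         (unsigned int)in_data_len, in_data,
                         (ICA_DES_VECTOR *)init_v,
                         (ICA_KEY_DES_SINGLE *)key_value,
                         &temp,
                         (unsigned char *)out_data);
   } else {
      rc = icaDesDecrypt(adapter_handle, MODE_DES_CBC,
                         (unsigned int)in_data_len, in_data,
                         (ICA_DES_VECTOR *)init_v,
                         (ICA_KEY_DES_SINGLE *)key_value,
                         &temp,
                         (unsigned char *)out_data);
   }

   *out_data_len = (CK_ULONG) temp;
   if (rc != 0)
      return CKR_FUNCTION_FAILED;

   *out_data_len = in_data_len;
   return CKR_OK;
}

/*
 * token_specific_tdes_ecb: triple-DES ECB encrypt (encrypt != 0) or decrypt
 * through the ICA adapter, using an all-zero IV structure.
 *
 * Length handling and return codes match token_specific_des_ecb. ECB maps
 * equal plaintext blocks to equal ciphertext blocks.
 */
CK_RV
token_specific_tdes_ecb(CK_BYTE  *in_data,
                        CK_ULONG  in_data_len,
                        CK_BYTE  *out_data,
                        CK_ULONG *out_data_len,
                        CK_BYTE  *key_value,
                        CK_BYTE   encrypt)
{
   ICA_DES_VECTOR empty_iv;
   CK_RV rc;
   unsigned int temp = (unsigned int) *out_data_len;

   if ((CK_ULONG)(unsigned int)in_data_len != in_data_len)
      return CKR_FUNCTION_FAILED;

   memset(&empty_iv, 0, sizeof(empty_iv));

   if (encrypt) {
      rc = icaTDesEncrypt(adapter_handle, MODE_DES_ECB,
                          (unsigned int)in_data_len, in_data,
                          &empty_iv,
                          (ICA_KEY_DES_TRIPLE *)key_value,
                          &temp, out_data);
   } else {
      rc = icaTDesDecrypt(adapter_handle, MODE_DES_ECB,
                          (unsigned int)in_data_len, in_data,
                          &empty_iv,
                          (ICA_KEY_DES_TRIPLE *)key_value,
                          &temp, out_data);
   }

   *out_data_len = (CK_ULONG) temp;
   if (rc != 0)
      return CKR_FUNCTION_FAILED;

   *out_data_len = in_data_len;
   return CKR_OK;
}

/*
 * token_specific_tdes_cbc: triple-DES CBC encrypt (encrypt != 0) or decrypt
 * through the ICA adapter. init_v is passed to the adapter as the IV.
 *
 * Length handling and return codes match token_specific_des_ecb.
 */
CK_RV
token_specific_tdes_cbc(CK_BYTE  *in_data,
                        CK_ULONG  in_data_len,
                        CK_BYTE  *out_data,
                        CK_ULONG *out_data_len,
                        CK_BYTE  *key_value,
                        CK_BYTE  *init_v,
                        CK_BYTE   encrypt)
{
   CK_RV rc;
   unsigned int temp = (unsigned int) *out_data_len;

   if ((CK_ULONG)(unsigned int)in_data_len != in_data_len)
      return CKR_FUNCTION_FAILED;

   if (encrypt) {
      rc = icaTDesEncrypt(adapter_handle, MODE_DES_CBC,
                          (unsigned int)in_data_len, in_data,
                          (ICA_DES_VECTOR *)init_v,
                          (ICA_KEY_DES_TRIPLE *)key_value,
                          &temp,
                          (unsigned char *)out_data);
   } else {
      rc = icaTDesDecrypt(adapter_handle, MODE_DES_CBC,
                          (unsigned int)in_data_len, in_data,
                          (ICA_DES_VECTOR *)init_v,
                          (ICA_KEY_DES_TRIPLE *)key_value,
                          &temp,
                          (unsigned char *)out_data);
   }

   *out_data_len = (CK_ULONG) temp;
   if (rc != 0)
      return CKR_FUNCTION_FAILED;

   *out_data_len = in_data_len;
   return CKR_OK;
}

/*
 * token_specific_sha_init: (re)create the SHA-1 state hung off ctx.
 *
 * Any context already attached to ctx is released first, then a zeroed
 * oc_sha1_ctx and a zeroed device context of LENGTH_SHA_CONTEXT bytes are
 * allocated.
 *
 * Returns CKR_OK, or CKR_HOST_MEMORY if either allocation fails. On failure
 * ctx->context is NULL and ctx->context_len is 0, so no freed pointer is left
 * behind for a caller (or a later call to this function) to free or
 * dereference again.
 */
CK_RV
token_specific_sha_init( DIGEST_CONTEXT * ctx )
{
   oc_sha1_ctx *sc;

   /* For the C_DigestInit, C_Digest case, we may have already
    * created ctx->context... - KEY
    */
   if (ctx->context) {
      sc = (oc_sha1_ctx *)ctx->context;
      free(sc->dev_ctx);
      free(ctx->context);
      ctx->context = NULL;
   }

   /* The caller will check to see if ctx->context == NULL */
   ctx->context = calloc(1, sizeof(oc_sha1_ctx));
   if (ctx->context == NULL) {
      ctx->context_len = 0;
      return CKR_HOST_MEMORY;
   }
   ctx->context_len = sizeof(oc_sha1_ctx);

   sc = (oc_sha1_ctx *)ctx->context;
   sc->hash_len = SHA1_HASH_SIZE;
   sc->message_part = SHA_MSG_PART_ONLY;

   /* This is libica's LENGTH_SHA_CONTEXT */
   sc->dev_ctx = calloc(1, LENGTH_SHA_CONTEXT);
   if (sc->dev_ctx == NULL) {
      /* Clear the pointer as well as freeing it: the caller tests
       * ctx->context against NULL, and the release step at the top of this
       * function would otherwise touch the freed block on the next call.
       */
      free(ctx->context);
      ctx->context = NULL;
      ctx->context_len = 0;
      return CKR_HOST_MEMORY;
   }

   return CKR_OK;
}

/*
 * NOTE(review): the initialisers of oc_sha_ctx and ica_sha_ctx below read
 * ctx->context and oc_sha_ctx->dev_ctx before the `!ctx` test runs, so that
 * test cannot protect against a NULL ctx, and a NULL ctx->context is
 * dereferenced without any check. The checks belong ahead of the first
 * dereference. The rest of this function lies beyond this part of the
 * listing.
 */
CK_RV
token_specific_sha_update(DIGEST_CONTEXT *ctx,
                          CK_BYTE        *in_data,
                          CK_ULONG        in_data_len )
{
   unsigned int rc, i, fill_size = 0;
   oc_sha1_ctx *oc_sha_ctx = (oc_sha1_ctx *)ctx->context;
   SHA_CONTEXT *ica_sha_ctx = (SHA_CONTEXT *)oc_sha_ctx->dev_ctx;

   if( !ctx )
      return CKR_OPERATION_NOT_INITIALIZED;

   if( !in_data )
      return CKR_FUNCTION_FAILED;

   if( ctx->multi == TRUE ){
      if (oc_sha_ctx->tail_len == 64) {
         /* Submit the filled out save buffer */
         if( icaSha1(    adapter_handle,
                         ica_sha_ctx->runningLength == 0 ?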
SHA_MSG_PART_FIRST : SHA_MSG_PART_MIDDLE,                                        64, oc_sha_ctx->tail,                                        LENGTH_SHA_CONTEXT, ica_sha_ctx,                                        &oc_sha_ctx->hash_len, oc_sha_ctx->hash))                                return CKR_FUNCTION_FAILED;                        oc_sha_ctx->tail_len = 0;                }		/* libICA (and SHA1) demands that if this is a PART_FIRST or a 		 * PART_MIDDLE operation, the amount of data passed in		 * must be a multiple of 64 bytes. - KEY		 */		if( ica_sha_ctx->runningLength == 0 && 			oc_sha_ctx->tail_len == 0) {			oc_sha_ctx->message_part = SHA_MSG_PART_FIRST;                        /* Just copying the last <64 bytes will not work in the case                         * of a user who SHA's a large chunk of data in 64 byte                         * pieces because we need to cache the last 64 bytes so that                         * we're not stuck with 0 bytes when the MSG_PART_FINAL                         * comes in. - KEY                         */                        if (!(in_data_len % 64)) {                                oc_sha_ctx->tail_len = 64;                                memcpy(oc_sha_ctx->tail, in_data + in_data_len - 64, 64);                                in_data_len -= 64;                        } else                                oc_sha_ctx->tail_len = in_data_len & 0x3f;					if(oc_sha_ctx->tail_len < 64) {				in_data_len &= ~0x3f;					memcpy(oc_sha_ctx->tail, in_data + in_data_len, oc_sha_ctx->tail_len);			}		}		else if( ica_sha_ctx->runningLength == 0 &&				oc_sha_ctx->tail_len > 0 ) {			/* Here we need to fill out the temporary tail buffer until			 * it has 64 bytes in it, then call icaSha1 on that buffer.			 * If there weren't enough bytes passed in to fill it out,			 * just copy in what we can and return success without calling			 * icaSha1. 
- KEY			 */			fill_size = 64 - oc_sha_ctx->tail_len;			if(fill_size < in_data_len) {				memcpy(oc_sha_ctx->tail + oc_sha_ctx->tail_len, in_data, fill_size);							/* Submit the filled out save buffer */				if( icaSha1(    adapter_handle, SHA_MSG_PART_FIRST,						64, oc_sha_ctx->tail,						LENGTH_SHA_CONTEXT, ica_sha_ctx,						&oc_sha_ctx->hash_len, oc_sha_ctx->hash))					return CKR_FUNCTION_FAILED;			} else {				memcpy(oc_sha_ctx->tail + oc_sha_ctx->tail_len,					in_data, in_data_len);				oc_sha_ctx->tail_len += in_data_len;				return CKR_OK;			}			                        /* We had to use 'fill_size' bytes from in_data to fill out the                         * empty part of save data, so adjust in_data_len                         */                        in_data_len -= fill_size;                        oc_sha_ctx->tail_len = in_data_len & 0x3f;                        if(oc_sha_ctx->tail_len) {                                memcpy(oc_sha_ctx->tail, 					in_data + fill_size, 					oc_sha_ctx->tail_len);                                in_data_len &= ~0x3f;                        }		}		else if( ica_sha_ctx->runningLength > 0 ) {			oc_sha_ctx->message_part = SHA_MSG_PART_MIDDLE;			if(oc_sha_ctx->tail_len) {	                        fill_size = 64 - oc_sha_ctx->tail_len;        	                if(fill_size < in_data_len) {                	                memcpy(oc_sha_ctx->tail + oc_sha_ctx->tail_len, 							in_data, fill_size);                        	        /* Submit the filled out save buffer */                                	if( icaSha1(    adapter_handle, oc_sha_ctx->message_part,                                        	        64, oc_sha_ctx->tail,                                                	LENGTH_SHA_CONTEXT, ica_sha_ctx,	                                                &oc_sha_ctx->hash_len, oc_sha_ctx->hash))        	                                return CKR_FUNCTION_FAILED;                	        } else {                        	        
memcpy(oc_sha_ctx->tail + oc_sha_ctx->tail_len,                                	        in_data, in_data_len);
