1 | /* |
2 | * Copyright (C) 2006 Brad Hards <bradh@frogmouth.net> |
3 | * |
4 | * This library is free software; you can redistribute it and/or |
5 | * modify it under the terms of the GNU Lesser General Public |
6 | * License as published by the Free Software Foundation; either |
7 | * version 2.1 of the License, or (at your option) any later version. |
8 | * |
9 | * This library is distributed in the hope that it will be useful, |
10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
12 | * Lesser General Public License for more details. |
13 | * |
14 | * You should have received a copy of the GNU Lesser General Public |
15 | * License along with this library; if not, write to the Free Software |
16 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA |
17 | * |
18 | */ |
19 | #include "hasht.h" |
20 | #include "nss.h" |
21 | #include "pk11func.h" |
22 | |
23 | #include <QtCrypto> |
24 | |
25 | #include <QDebug> |
26 | #include <QStringList> |
27 | #include <QtPlugin> |
28 | |
29 | //----------------------------------------------------------- |
30 | class nssHashContext : public QCA::HashContext |
31 | { |
32 | Q_OBJECT |
33 | public: |
34 | nssHashContext(QCA::Provider *p, const QString &type) |
35 | : QCA::HashContext(p, type) |
36 | { |
37 | SECStatus s; |
38 | |
39 | NSS_NoDB_Init(configdir: "." ); |
40 | |
41 | m_status = 0; |
42 | |
43 | /* Get a slot to use for the crypto operations */ |
44 | m_slot = PK11_GetInternalKeySlot(); |
45 | if (!m_slot) { |
46 | qDebug() << "GetInternalKeySlot failed" ; |
47 | m_status = 1; |
48 | return; |
49 | } |
50 | |
51 | if (QLatin1String("md2" ) == type) { |
52 | m_hashAlgo = SEC_OID_MD2; |
53 | } else if (QLatin1String("md5" ) == type) { |
54 | m_hashAlgo = SEC_OID_MD5; |
55 | } else if (QLatin1String("sha1" ) == type) { |
56 | m_hashAlgo = SEC_OID_SHA1; |
57 | } else if (QLatin1String("sha256" ) == type) { |
58 | m_hashAlgo = SEC_OID_SHA256; |
59 | } else if (QLatin1String("sha384" ) == type) { |
60 | m_hashAlgo = SEC_OID_SHA384; |
61 | } else if (QLatin1String("sha512" ) == type) { |
62 | m_hashAlgo = SEC_OID_SHA512; |
63 | } else { |
64 | qDebug() << "Unknown provider type: " << type; |
65 | return; /* this will probably cause a segfault... */ |
66 | } |
67 | |
68 | m_context = PK11_CreateDigestContext(hashAlg: m_hashAlgo); |
69 | if (!m_context) { |
70 | qDebug() << "CreateDigestContext failed" ; |
71 | return; |
72 | } |
73 | |
74 | s = PK11_DigestBegin(cx: m_context); |
75 | if (s != SECSuccess) { |
76 | qDebug() << "DigestBegin failed" ; |
77 | return; |
78 | } |
79 | } |
80 | |
81 | ~nssHashContext() override |
82 | { |
83 | PK11_DestroyContext(context: m_context, PR_TRUE); |
84 | if (m_slot) |
85 | PK11_FreeSlot(slot: m_slot); |
86 | } |
87 | |
88 | Context *clone() const override |
89 | { |
90 | return new nssHashContext(provider(), type()); |
91 | } |
92 | |
93 | void clear() override |
94 | { |
95 | SECStatus s; |
96 | |
97 | PK11_DestroyContext(context: m_context, PR_TRUE); |
98 | |
99 | m_context = PK11_CreateDigestContext(hashAlg: m_hashAlgo); |
100 | if (!m_context) { |
101 | qDebug() << "CreateDigestContext failed" ; |
102 | return; |
103 | } |
104 | |
105 | s = PK11_DigestBegin(cx: m_context); |
106 | if (s != SECSuccess) { |
107 | qDebug() << "DigestBegin failed" ; |
108 | return; |
109 | } |
110 | } |
111 | |
112 | void update(const QCA::MemoryRegion &a) override |
113 | { |
114 | PK11_DigestOp(context: m_context, in: (const unsigned char *)a.data(), len: a.size()); |
115 | } |
116 | |
117 | QCA::MemoryRegion final() override |
118 | { |
119 | unsigned int len = 0; |
120 | QCA::SecureArray a(64); |
121 | PK11_DigestFinal(context: m_context, data: (unsigned char *)a.data(), outLen: &len, length: a.size()); |
122 | a.resize(size: len); |
123 | return a; |
124 | } |
125 | |
126 | private: |
127 | PK11SlotInfo *m_slot; |
128 | int m_status; |
129 | PK11Context *m_context; |
130 | SECOidTag m_hashAlgo; |
131 | }; |
132 | |
133 | //----------------------------------------------------------- |
134 | class nssHmacContext : public QCA::MACContext |
135 | { |
136 | Q_OBJECT |
137 | public: |
138 | nssHmacContext(QCA::Provider *p, const QString &type) |
139 | : QCA::MACContext(p, type) |
140 | { |
141 | NSS_NoDB_Init(configdir: "." ); |
142 | |
143 | m_context = nullptr; |
144 | m_status = 0; |
145 | |
146 | /* Get a slot to use for the crypto operations */ |
147 | m_slot = PK11_GetInternalKeySlot(); |
148 | if (!m_slot) { |
149 | qDebug() << "GetInternalKeySlot failed" ; |
150 | m_status = 1; |
151 | return; |
152 | } |
153 | |
154 | if (QLatin1String("hmac(md5)" ) == type) { |
155 | m_macAlgo = CKM_MD5_HMAC; |
156 | } else if (QLatin1String("hmac(sha1)" ) == type) { |
157 | m_macAlgo = CKM_SHA_1_HMAC; |
158 | } else if (QLatin1String("hmac(sha256)" ) == type) { |
159 | m_macAlgo = CKM_SHA256_HMAC; |
160 | } else if (QLatin1String("hmac(sha384)" ) == type) { |
161 | m_macAlgo = CKM_SHA384_HMAC; |
162 | } else if (QLatin1String("hmac(sha512)" ) == type) { |
163 | m_macAlgo = CKM_SHA512_HMAC; |
164 | } else if (QLatin1String("hmac(ripemd160)" ) == type) { |
165 | m_macAlgo = CKM_RIPEMD160_HMAC; |
166 | } else { |
167 | qDebug() << "Unknown provider type: " << type; |
168 | return; /* this will probably cause a segfault... */ |
169 | } |
170 | } |
171 | |
172 | ~nssHmacContext() override |
173 | { |
174 | if (m_context) |
175 | PK11_DestroyContext(context: m_context, PR_TRUE); |
176 | if (m_slot) |
177 | PK11_FreeSlot(slot: m_slot); |
178 | } |
179 | |
180 | Context *clone() const override |
181 | { |
182 | return new nssHmacContext(provider(), type()); |
183 | } |
184 | |
185 | void clear() |
186 | { |
187 | PK11_DestroyContext(context: m_context, PR_TRUE); |
188 | |
189 | SECItem noParams; |
190 | noParams.data = nullptr; |
191 | noParams.len = 0; |
192 | |
193 | m_context = PK11_CreateContextBySymKey(type: m_macAlgo, CKA_SIGN, symKey: m_nssKey, param: &noParams); |
194 | if (!m_context) { |
195 | qDebug() << "CreateContextBySymKey failed" ; |
196 | return; |
197 | } |
198 | |
199 | SECStatus s = PK11_DigestBegin(cx: m_context); |
200 | if (s != SECSuccess) { |
201 | qDebug() << "DigestBegin failed" ; |
202 | return; |
203 | } |
204 | } |
205 | |
206 | QCA::KeyLength keyLength() const override |
207 | { |
208 | return anyKeyLength(); |
209 | } |
210 | |
211 | void setup(const QCA::SymmetricKey &key) override |
212 | { |
213 | /* turn the raw key into a SECItem */ |
214 | SECItem keyItem; |
215 | keyItem.data = (unsigned char *)key.data(); |
216 | keyItem.len = key.size(); |
217 | |
218 | m_nssKey = PK11_ImportSymKey(slot: m_slot, type: m_macAlgo, origin: PK11_OriginUnwrap, CKA_SIGN, key: &keyItem, wincx: nullptr); |
219 | |
220 | SECItem noParams; |
221 | noParams.data = nullptr; |
222 | noParams.len = 0; |
223 | |
224 | m_context = PK11_CreateContextBySymKey(type: m_macAlgo, CKA_SIGN, symKey: m_nssKey, param: &noParams); |
225 | if (!m_context) { |
226 | qDebug() << "CreateContextBySymKey failed" ; |
227 | return; |
228 | } |
229 | |
230 | SECStatus s = PK11_DigestBegin(cx: m_context); |
231 | if (s != SECSuccess) { |
232 | qDebug() << "DigestBegin failed" ; |
233 | return; |
234 | } |
235 | } |
236 | |
237 | void update(const QCA::MemoryRegion &a) override |
238 | { |
239 | PK11_DigestOp(context: m_context, in: (const unsigned char *)a.data(), len: a.size()); |
240 | } |
241 | |
242 | void final(QCA::MemoryRegion *out) override |
243 | { |
244 | // NSS doesn't appear to be able to tell us how big the digest will |
245 | // be for a given algorithm until after we finalise it, so we work |
246 | // around the problem a bit. |
247 | QCA::SecureArray sa(HASH_LENGTH_MAX, 0); // assume the biggest hash size we know |
248 | unsigned int len = 0; |
249 | PK11_DigestFinal(context: m_context, data: (unsigned char *)sa.data(), outLen: &len, length: sa.size()); |
250 | sa.resize(size: len); // and fix it up later |
251 | *out = sa; |
252 | } |
253 | |
254 | private: |
255 | PK11SlotInfo *m_slot; |
256 | int m_status; |
257 | PK11Context *m_context; |
258 | CK_MECHANISM_TYPE m_macAlgo; |
259 | PK11SymKey *m_nssKey; |
260 | }; |
261 | |
262 | //----------------------------------------------------------- |
263 | class nssCipherContext : public QCA::CipherContext |
264 | { |
265 | Q_OBJECT |
266 | public: |
267 | nssCipherContext(QCA::Provider *p, const QString &type) |
268 | : QCA::CipherContext(p, type) |
269 | { |
270 | NSS_NoDB_Init(configdir: "." ); |
271 | |
272 | if (QLatin1String("aes128-ecb" ) == type) { |
273 | m_cipherMechanism = CKM_AES_ECB; |
274 | } else if (QLatin1String("aes128-cbc" ) == type) { |
275 | m_cipherMechanism = CKM_AES_CBC; |
276 | } else if (QLatin1String("des-ecb" ) == type) { |
277 | m_cipherMechanism = CKM_DES_ECB; |
278 | } else if (QLatin1String("des-cbc" ) == type) { |
279 | m_cipherMechanism = CKM_DES_CBC; |
280 | } else if (QLatin1String("des-cbc-pkcs7" ) == type) { |
281 | m_cipherMechanism = CKM_DES_CBC_PAD; |
282 | } else if (QLatin1String("tripledes-ecb" ) == type) { |
283 | m_cipherMechanism = CKM_DES3_ECB; |
284 | } else { |
285 | qDebug() << "Unknown provider type: " << type; |
286 | return; /* this will probably cause a segfault... */ |
287 | } |
288 | } |
289 | |
290 | ~nssCipherContext() override |
291 | { |
292 | } |
293 | |
294 | void setup(QCA::Direction dir, |
295 | const QCA::SymmetricKey &key, |
296 | const QCA::InitializationVector &iv, |
297 | const QCA::AuthTag &tag) override |
298 | { |
299 | Q_UNUSED(tag); |
300 | /* Get a slot to use for the crypto operations */ |
301 | m_slot = PK11_GetBestSlot(type: m_cipherMechanism, wincx: nullptr); |
302 | if (!m_slot) { |
303 | qDebug() << "GetBestSlot failed" ; |
304 | return; |
305 | } |
306 | |
307 | /* turn the raw key into a SECItem */ |
308 | SECItem keyItem; |
309 | keyItem.data = (unsigned char *)key.data(); |
310 | keyItem.len = key.size(); |
311 | |
312 | if (QCA::Encode == dir) { |
313 | m_nssKey = PK11_ImportSymKey(slot: m_slot, type: m_cipherMechanism, origin: PK11_OriginUnwrap, CKA_ENCRYPT, key: &keyItem, wincx: nullptr); |
314 | } else { |
315 | // decryption |
316 | m_nssKey = PK11_ImportSymKey(slot: m_slot, type: m_cipherMechanism, origin: PK11_OriginUnwrap, CKA_DECRYPT, key: &keyItem, wincx: nullptr); |
317 | } |
318 | |
319 | SECItem ivItem; |
320 | ivItem.data = (unsigned char *)iv.data(); |
321 | ivItem.len = iv.size(); |
322 | |
323 | m_params = PK11_ParamFromIV(type: m_cipherMechanism, iv: &ivItem); |
324 | |
325 | if (QCA::Encode == dir) { |
326 | m_context = PK11_CreateContextBySymKey(type: m_cipherMechanism, CKA_ENCRYPT, symKey: m_nssKey, param: m_params); |
327 | } else { |
328 | // decryption |
329 | m_context = PK11_CreateContextBySymKey(type: m_cipherMechanism, CKA_DECRYPT, symKey: m_nssKey, param: m_params); |
330 | } |
331 | |
332 | if (!m_context) { |
333 | qDebug() << "CreateContextBySymKey failed" ; |
334 | return; |
335 | } |
336 | } |
337 | |
338 | QCA::Provider::Context *clone() const override |
339 | { |
340 | return new nssCipherContext(*this); |
341 | } |
342 | |
343 | int blockSize() const override |
344 | { |
345 | return PK11_GetBlockSize(type: m_cipherMechanism, params: m_params); |
346 | } |
347 | |
348 | QCA::AuthTag tag() const override |
349 | { |
350 | // For future implementation |
351 | return QCA::AuthTag(); |
352 | } |
353 | |
354 | bool update(const QCA::SecureArray &in, QCA::SecureArray *out) override |
355 | { |
356 | out->resize(size: in.size() + blockSize()); |
357 | int resultLength; |
358 | |
359 | PK11_CipherOp( |
360 | context: m_context, out: (unsigned char *)out->data(), outlen: &resultLength, maxout: out->size(), in: (unsigned char *)in.data(), inlen: in.size()); |
361 | out->resize(size: resultLength); |
362 | |
363 | return true; |
364 | } |
365 | |
366 | bool final(QCA::SecureArray *out) override |
367 | { |
368 | out->resize(size: blockSize()); |
369 | unsigned int resultLength; |
370 | |
371 | PK11_DigestFinal(context: m_context, data: (unsigned char *)out->data(), outLen: &resultLength, length: out->size()); |
372 | out->resize(size: resultLength); |
373 | |
374 | return true; |
375 | } |
376 | |
377 | QCA::KeyLength keyLength() const override |
378 | { |
379 | int min = 0; |
380 | int max = 0; |
381 | int multiple = 0; |
382 | |
383 | switch (m_cipherMechanism) { |
384 | case CKM_AES_ECB: |
385 | case CKM_AES_CBC: |
386 | min = max = 16; |
387 | multiple = 1; |
388 | break; |
389 | |
390 | case CKM_DES_ECB: |
391 | case CKM_DES_CBC: |
392 | case CKM_DES_CBC_PAD: |
393 | min = max = 8; |
394 | multiple = 1; |
395 | break; |
396 | |
397 | case CKM_DES3_ECB: |
398 | min = 16; |
399 | max = 24; |
400 | multiple = 1; |
401 | break; |
402 | } |
403 | |
404 | return QCA::KeyLength(min, max, multiple); |
405 | } |
406 | |
407 | private: |
408 | PK11SymKey *m_nssKey; |
409 | CK_MECHANISM_TYPE m_cipherMechanism; |
410 | PK11SlotInfo *m_slot; |
411 | PK11Context *m_context; |
412 | SECItem *m_params; |
413 | }; |
414 | |
415 | //========================================================== |
416 | class nssProvider : public QCA::Provider |
417 | { |
418 | public: |
419 | void init() override |
420 | { |
421 | } |
422 | |
423 | ~nssProvider() override |
424 | { |
425 | } |
426 | |
427 | int qcaVersion() const override |
428 | { |
429 | return QCA_VERSION; |
430 | } |
431 | |
432 | QString name() const override |
433 | { |
434 | return QStringLiteral("qca-nss" ); |
435 | } |
436 | |
437 | QStringList features() const override |
438 | { |
439 | QStringList list; |
440 | |
441 | list += QStringLiteral("md2" ); |
442 | list += QStringLiteral("md5" ); |
443 | list += QStringLiteral("sha1" ); |
444 | list += QStringLiteral("sha256" ); |
445 | list += QStringLiteral("sha384" ); |
446 | list += QStringLiteral("sha512" ); |
447 | |
448 | list += QStringLiteral("hmac(md5)" ); |
449 | list += QStringLiteral("hmac(sha1)" ); |
450 | list += QStringLiteral("hmac(sha256)" ); |
451 | list += QStringLiteral("hmac(sha384)" ); |
452 | list += QStringLiteral("hmac(sha512)" ); |
453 | // appears to not be implemented in NSS yet |
454 | // list += QStringLiteral("hmac(ripemd160)"); |
455 | |
456 | list += QStringLiteral("aes128-ecb" ); |
457 | list += QStringLiteral("aes128-cbc" ); |
458 | list += QStringLiteral("des-ecb" ); |
459 | list += QStringLiteral("des-cbc" ); |
460 | list += QStringLiteral("des-cbc-pkcs7" ); |
461 | list += QStringLiteral("tripledes-ecb" ); |
462 | |
463 | return list; |
464 | } |
465 | |
466 | Context *createContext(const QString &type) override |
467 | { |
468 | if (type == QLatin1String("md2" )) |
469 | return new nssHashContext(this, type); |
470 | if (type == QLatin1String("md5" )) |
471 | return new nssHashContext(this, type); |
472 | if (type == QLatin1String("sha1" )) |
473 | return new nssHashContext(this, type); |
474 | if (type == QLatin1String("sha256" )) |
475 | return new nssHashContext(this, type); |
476 | if (type == QLatin1String("sha384" )) |
477 | return new nssHashContext(this, type); |
478 | if (type == QLatin1String("sha512" )) |
479 | return new nssHashContext(this, type); |
480 | |
481 | if (type == QLatin1String("hmac(md5)" )) |
482 | return new nssHmacContext(this, type); |
483 | if (type == QLatin1String("hmac(sha1)" )) |
484 | return new nssHmacContext(this, type); |
485 | if (type == QLatin1String("hmac(sha256)" )) |
486 | return new nssHmacContext(this, type); |
487 | if (type == QLatin1String("hmac(sha384)" )) |
488 | return new nssHmacContext(this, type); |
489 | if (type == QLatin1String("hmac(sha512)" )) |
490 | return new nssHmacContext(this, type); |
491 | if (type == QLatin1String("hmac(ripemd160)" )) |
492 | return new nssHmacContext(this, type); |
493 | |
494 | if (type == QLatin1String("aes128-ecb" )) |
495 | return new nssCipherContext(this, type); |
496 | if (type == QLatin1String("aes128-cbc" )) |
497 | return new nssCipherContext(this, type); |
498 | if (type == QLatin1String("des-ecb" )) |
499 | return new nssCipherContext(this, type); |
500 | if (type == QLatin1String("des-cbc" )) |
501 | return new nssCipherContext(this, type); |
502 | if (type == QLatin1String("des-cbc-pkcs7" )) |
503 | return new nssCipherContext(this, type); |
504 | if (type == QLatin1String("tripledes-ecb" )) |
505 | return new nssCipherContext(this, type); |
506 | else |
507 | return nullptr; |
508 | } |
509 | }; |
510 | |
511 | class nssPlugin : public QObject, public QCAPlugin |
512 | { |
513 | Q_OBJECT |
514 | Q_PLUGIN_METADATA(IID "com.affinix.qca.Plugin/1.0" ) |
515 | Q_INTERFACES(QCAPlugin) |
516 | public: |
517 | QCA::Provider *createProvider() override |
518 | { |
519 | return new nssProvider; |
520 | } |
521 | }; |
522 | |
523 | #include "qca-nss.moc" |
524 | |