diff --git a/wolfcrypt/src/wc_pkcs11.c b/wolfcrypt/src/wc_pkcs11.c index 0c9f82b18..b8b4ede04 100644 --- a/wolfcrypt/src/wc_pkcs11.c +++ b/wolfcrypt/src/wc_pkcs11.c @@ -101,6 +101,14 @@ static CK_OBJECT_CLASS secretKeyClass = CKO_SECRET_KEY; #endif #ifdef WOLFSSL_DEBUG_PKCS11 +/* Enable logging of PKCS#11 calls and return value. */ +#define PKCS11_RV(op, rv) pkcs11_rv(op, rv) +/* Enable logging of PKCS#11 calls and value. */ +#define PKCS11_VAL(op, val) pkcs11_val(op, val) +/* Enable logging of PKCS#11 tmaplate. */ +#define PKCS11_DUMP_TEMPLATE(name, templ, cnt) \ + pkcs11_dump_template(name, templ, cnt) + /* Formats of template items - used to instruct how to log information. */ enum PKCS11_TYPE_FORMATS { PKCS11_FMT_BOOLEAN, @@ -156,10 +164,12 @@ static struct PKCS11_TYPE_STR { * * This is only for debugging purposes. Only the values needed are recognised. * + * @param [in] name PKCS #11 template name. * @param [in] templ PKCS #11 template to dump. * @param [in] cnt Count of template entries. */ -static void pkcs11_dump_template(CK_ATTRIBUTE* templ, CK_ULONG cnt) +static void pkcs11_dump_template(const char* name, CK_ATTRIBUTE* templ, + CK_ULONG cnt) { CK_ULONG i; int j; @@ -169,6 +179,8 @@ static void pkcs11_dump_template(CK_ATTRIBUTE* templ, CK_ULONG cnt) CK_KEY_TYPE keyType; CK_OBJECT_CLASS keyClass; + WOLFSSL_MSG(name); + for (i = 0; i < cnt; i++) { format = PKCS11_FMT_POINTER; @@ -381,6 +393,13 @@ static void pkcs11_val(const char* op, CK_ULONG val) WOLFSSL_MSG(line); } +#else +/* Disable logging of PKCS#11 calls and return value. */ +#define PKCS11_RV(op, ev) +/* Disable logging of PKCS#11 calls and value. */ +#define PKCS11_VAL(op, val) +/* Disable logging of PKCS#11 tmaplate. */ +#define PKCS11_DUMP_TEMPLATE(name, templ, cnt) #endif /** @@ -423,9 +442,7 @@ int wc_Pkcs11_Initialize(Pkcs11Dev* dev, const char* library, void* heap) if (ret == 0) { ret = ((CK_C_GetFunctionList)func)(&dev->func); if (ret != CKR_OK) { -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("CK_C_GetFunctionList", ret); -#endif + PKCS11_RV("CK_C_GetFunctionList", ret); ret = WC_HW_E; } } @@ -435,9 +452,7 @@ int wc_Pkcs11_Initialize(Pkcs11Dev* dev, const char* library, void* heap) args.flags = CKF_OS_LOCKING_OK; ret = dev->func->C_Initialize(&args); if (ret != CKR_OK) { -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_Initialize", ret); -#endif + PKCS11_RV("C_Initialize", ret); ret = WC_INIT_E; } } @@ -496,9 +511,7 @@ int wc_Pkcs11Token_Init(Pkcs11Token* token, Pkcs11Dev* dev, int slotId, if (slotId < 0) { /* Use first available slot with a token. */ rv = dev->func->C_GetSlotList(CK_TRUE, NULL, &slotCnt); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_GetSlotList", rv); -#endif + PKCS11_RV("C_GetSlotList", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -510,9 +523,7 @@ int wc_Pkcs11Token_Init(Pkcs11Token* token, Pkcs11Dev* dev, int slotId, } if (ret == 0) { rv = dev->func->C_GetSlotList(CK_TRUE, slot, &slotCnt); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_GetSlotList", rv); -#endif + PKCS11_RV("C_GetSlotList", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -586,18 +597,14 @@ static int Pkcs11OpenSession(Pkcs11Token* token, Pkcs11Session* session, rv = token->func->C_OpenSession(token->slotId, flags, (CK_VOID_PTR)NULL, (CK_NOTIFY)NULL, &session->handle); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_OpenSession", rv); -#endif + PKCS11_RV("C_OpenSession", rv); if (rv != CKR_OK) { ret = WC_HW_E; } if (ret == 0 && token->userPin != NULL) { rv = token->func->C_Login(session->handle, CKU_USER, token->userPin, token->userPinSz); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_Login", rv); -#endif + PKCS11_RV("C_Login", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -751,16 +758,11 @@ static int Pkcs11CreateSecretKey(CK_OBJECT_HANDLE* key, Pkcs11Session* session, keyTmplCnt++; } -#ifdef WOLFSSL_DEBUG_PKCS11 - WOLFSSL_MSG("Secret Key"); - pkcs11_dump_template(keyTemplate, keyTmplCnt); -#endif + PKCS11_DUMP_TEMPLATE("Secret Key", keyTemplate, keyTmplCnt); /* Create an object containing key data for device to use. */ rv = session->func->C_CreateObject(session->handle, keyTemplate, keyTmplCnt, key); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_CreateObject", rv); -#endif + PKCS11_RV("C_CreateObject", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -837,15 +839,10 @@ static int Pkcs11CreateRsaPrivateKey(CK_OBJECT_HANDLE* privateKey, keyTmplCnt++; } -#ifdef WOLFSSL_DEBUG_PKCS11 - WOLFSSL_MSG("RSA Private Key"); - pkcs11_dump_template(keyTemplate, keyTmplCnt); -#endif + PKCS11_DUMP_TEMPLATE("RSA Private Key", keyTemplate, keyTmplCnt); rv = session->func->C_CreateObject(session->handle, keyTemplate, keyTmplCnt, privateKey); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_CreateObject", rv); -#endif + PKCS11_RV("C_CreateObject", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -955,15 +952,10 @@ static int Pkcs11CreateEccPublicKey(CK_OBJECT_HANDLE* publicKey, keyTemplate[4].pValue = ecPoint; keyTemplate[4].ulValueLen = len + i; -#ifdef WOLFSSL_DEBUG_PKCS11 - WOLFSSL_MSG("Ec Public Key"); - pkcs11_dump_template(keyTemplate, keyTmplCnt); -#endif + PKCS11_DUMP_TEMPLATE("Ec Public Key", keyTemplate, keyTmplCnt); rv = session->func->C_CreateObject(session->handle, keyTemplate, keyTmplCnt, publicKey); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_CreateObject", rv); -#endif + PKCS11_RV("C_CreateObject", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -1024,15 +1016,10 @@ static int Pkcs11CreateEccPrivateKey(CK_OBJECT_HANDLE* privateKey, keyTemplate[4].pValue = private_key->k.raw.buf; keyTemplate[4].ulValueLen = private_key->k.raw.len; -#ifdef WOLFSSL_DEBUG_PKCS11 - WOLFSSL_MSG("Ec Private Key"); - pkcs11_dump_template(keyTemplate, keyTmplCnt); -#endif + PKCS11_DUMP_TEMPLATE("Ec Private Key", keyTemplate, keyTmplCnt); rv = session->func->C_CreateObject(session->handle, keyTemplate, keyTmplCnt, privateKey); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_CreateObject", rv); -#endif + PKCS11_RV("C_CreateObject", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -1059,9 +1046,7 @@ static int Pkcs11MechAvail(Pkcs11Session* session, CK_MECHANISM_TYPE mech) CK_MECHANISM_INFO mechInfo; rv = session->func->C_GetMechanismInfo(session->slotId, mech, &mechInfo); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_GetMechanismInfo", rv); -#endif + PKCS11_RV("C_GetMechanismInfo", rv); if (rv != CKR_OK) { ret = NOT_COMPILED_IN; } @@ -1314,31 +1299,22 @@ static int Pkcs11FindKeyByTemplate(CK_OBJECT_HANDLE* key, WOLFSSL_MSG("PKCS#11: Find Key By Template"); -#ifdef WOLFSSL_DEBUG_PKCS11 - WOLFSSL_MSG("Find Key"); - pkcs11_dump_template(keyTemplate, keyTmplCnt); -#endif + PKCS11_DUMP_TEMPLATE("Find Key", keyTemplate, keyTmplCnt); rv = session->func->C_FindObjectsInit(session->handle, keyTemplate, keyTmplCnt); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_FindObjectsInit", rv); -#endif + PKCS11_RV("C_FindObjectsInit", rv); if (rv != CKR_OK) { ret = WC_HW_E; } if (ret == 0) { rv = session->func->C_FindObjects(session->handle, key, 1, count); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_FindObjects", rv); - pkcs11_val("C_FindObjects Count", *count); -#endif + PKCS11_RV("C_FindObjects", rv); + PKCS11_VAL("C_FindObjects Count", *count); if (rv != CKR_OK) { ret = WC_HW_E; } rv = session->func->C_FindObjectsFinal(session->handle); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_FindObjectsFinal", rv); -#endif + PKCS11_RV("C_FindObjectsFinal", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -1449,23 +1425,18 @@ static int Pkcs11FindRsaKey(CK_OBJECT_HANDLE* key, CK_OBJECT_CLASS keyClass, } /** - * Exponentiate the input with the public part of the RSA key. - * Used in public encrypt and decrypt. + * Make a handle to a public RSA key. * - * @param [in] session Session object. - * @param [in] info Cryptographic operation data. - * @return WC_HW_E when a PKCS#11 library call fails. - * 0 on success. + * @param [in] session Session object. + * @param [in] rsaKey RSA key with modulus to search on. + * @param [in] sessionKey Whether to create a session key. + * @param [out] publicKey Handle to public key object. */ -static int Pkcs11RsaPublic(Pkcs11Session* session, wc_CryptoInfo* info) +static int Pkcs11RsaPublicKey(Pkcs11Session* session, RsaKey* rsaKey, + int sessionKey, CK_OBJECT_HANDLE* publicKey) { int ret = 0; CK_RV rv; - CK_MECHANISM mech; - CK_ULONG outLen; - CK_OBJECT_HANDLE publicKey = NULL_PTR; - int sessionKey = 0; - RsaKey* rsaKey = info->pk.rsa.key; CK_ATTRIBUTE keyTemplate[] = { { CKA_CLASS, &pubKeyClass, sizeof(pubKeyClass) }, { CKA_KEY_TYPE, &rsaKeyType, sizeof(rsaKeyType) }, @@ -1475,76 +1446,30 @@ static int Pkcs11RsaPublic(Pkcs11Session* session, wc_CryptoInfo* info) }; CK_ULONG keyTmplCnt = sizeof(keyTemplate) / sizeof(*keyTemplate); - WOLFSSL_MSG("PKCS#11: RSA Public Key Operation"); + if (sessionKey) { + /* Set the modulus and public exponent data. */ + keyTemplate[3].pValue = rsaKey->n.raw.buf; + keyTemplate[3].ulValueLen = rsaKey->n.raw.len; + keyTemplate[4].pValue = rsaKey->e.raw.buf; + keyTemplate[4].ulValueLen = rsaKey->e.raw.len; - if (info->pk.rsa.outLen == NULL) { - ret = BAD_FUNC_ARG; - } - - if (ret == 0) { - if ((sessionKey = !mp_iszero(&rsaKey->e))) { - /* Set the modulus and public exponent data. */ - keyTemplate[3].pValue = rsaKey->n.raw.buf; - keyTemplate[3].ulValueLen = rsaKey->n.raw.len; - keyTemplate[4].pValue = rsaKey->e.raw.buf; - keyTemplate[4].ulValueLen = rsaKey->e.raw.len; - -#ifdef WOLFSSL_DEBUG_PKCS11 - WOLFSSL_MSG("RSA Public Key"); - pkcs11_dump_template(keyTemplate, keyTmplCnt); -#endif - /* Create an object containing public key data for device to use. */ - rv = session->func->C_CreateObject(session->handle, keyTemplate, - keyTmplCnt, &publicKey); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_CreateObject", rv); -#endif - if (rv != CKR_OK) { - ret = WC_HW_E; - } - } - else if (info->pk.rsa.key->labelLen > 0) { - ret = Pkcs11FindKeyByLabel(&publicKey, CKO_PUBLIC_KEY, CKK_RSA, - session, info->pk.rsa.key->label, - info->pk.rsa.key->labelLen); - } - else { - ret = Pkcs11FindKeyById(&publicKey, CKO_PUBLIC_KEY, CKK_RSA, - session, rsaKey->id, rsaKey->idLen); - } - } - - if (ret == 0) { - /* Raw RSA encrypt/decrypt operation. */ - mech.mechanism = CKM_RSA_X_509; - mech.ulParameterLen = 0; - mech.pParameter = NULL; - - rv = session->func->C_EncryptInit(session->handle, &mech, publicKey); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_EncryptInit", rv); -#endif + PKCS11_DUMP_TEMPLATE("RSA Public Key", keyTemplate, keyTmplCnt); + /* Create an object containing public key data for device to use. */ + rv = session->func->C_CreateObject(session->handle, keyTemplate, + keyTmplCnt, publicKey); + PKCS11_RV("C_CreateObject", rv); if (rv != CKR_OK) { ret = WC_HW_E; } } - if (ret == 0) { - outLen = (CK_ULONG)*info->pk.rsa.outLen; - rv = session->func->C_Encrypt(session->handle, - (CK_BYTE_PTR)info->pk.rsa.in, info->pk.rsa.inLen, - info->pk.rsa.out, &outLen); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_Encrypt", rv); -#endif - if (rv != CKR_OK) { - ret = WC_HW_E; - } + else if (rsaKey->labelLen > 0) { + ret = Pkcs11FindKeyByLabel(publicKey, CKO_PUBLIC_KEY, CKK_RSA, + session, rsaKey->label, rsaKey->labelLen); + } + else { + ret = Pkcs11FindKeyById(publicKey, CKO_PUBLIC_KEY, CKK_RSA, + session, rsaKey->id, rsaKey->idLen); } - if (ret == 0) - *info->pk.rsa.outLen = (word32)outLen; - - if (sessionKey) - session->func->C_DestroyObject(session->handle, publicKey); return ret; } @@ -1573,22 +1498,14 @@ static int Pkcs11GetRsaPublicKey(RsaKey* key, Pkcs11Session* session, CK_ULONG tmplCnt = sizeof(tmpl) / sizeof(*tmpl); CK_RV rv; -#ifdef WOLFSSL_DEBUG_PKCS11 - WOLFSSL_MSG("Get RSA Public Key Length"); - pkcs11_dump_template(tmpl, tmplCnt); -#endif + PKCS11_DUMP_TEMPLATE("Get RSA Public Key Length", tmpl, tmplCnt); rv = session->func->C_GetAttributeValue(session->handle, pubKey, tmpl, tmplCnt); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_GetAttributeValue", rv); -#endif + PKCS11_RV("C_GetAttributeValue", rv); if (rv != CKR_OK) { ret = WC_HW_E; } -#ifdef WOLFSSL_DEBUG_PKCS11 - WOLFSSL_MSG("RSA Public Key Length"); - pkcs11_dump_template(tmpl, tmplCnt); -#endif + PKCS11_DUMP_TEMPLATE("RSA Public Key Length", tmpl, tmplCnt); if (ret == 0) { modSz = (int)tmpl[0].ulValueLen; @@ -1608,22 +1525,14 @@ static int Pkcs11GetRsaPublicKey(RsaKey* key, Pkcs11Session* session, tmpl[0].pValue = mod; tmpl[1].pValue = exp; -#ifdef WOLFSSL_DEBUG_PKCS11 - WOLFSSL_MSG("Get RSA Public Key"); - pkcs11_dump_template(tmpl, tmplCnt); -#endif + PKCS11_DUMP_TEMPLATE("Get RSA Public Key", tmpl, tmplCnt); rv = session->func->C_GetAttributeValue(session->handle, pubKey, tmpl, tmplCnt); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_GetAttributeValue", rv); -#endif + PKCS11_RV("C_GetAttributeValue", rv); if (rv != CKR_OK) { ret = WC_HW_E; } -#ifdef WOLFSSL_DEBUG_PKCS11 - WOLFSSL_MSG("RSA Public Key"); - pkcs11_dump_template(tmpl, tmplCnt); -#endif + PKCS11_DUMP_TEMPLATE("RSA Public Key", tmpl, tmplCnt); } if (ret == 0) ret = wc_RsaPublicKeyDecodeRaw(mod, modSz, exp, expSz, key); @@ -1636,6 +1545,93 @@ static int Pkcs11GetRsaPublicKey(RsaKey* key, Pkcs11Session* session, return ret; } +/** + * Make a handle to a private RSA key. + * + * @param [in] session Session object. + * @param [in] rsaKey RSA key with modulus to search on. + * @param [in] sessionKey Whether to create a session key. + * @param [out] publicKey Handle to private key object. + */ +static int Pkcs11RsaPrivateKey(Pkcs11Session* session, RsaKey* rsaKey, + int sessionKey, CK_OBJECT_HANDLE* privateKey) +{ + int ret; + + if (sessionKey) { + ret = Pkcs11CreateRsaPrivateKey(privateKey, session, rsaKey, 0); + } + else if (rsaKey->labelLen > 0) { + ret = Pkcs11FindKeyByLabel(privateKey, CKO_PRIVATE_KEY, CKK_RSA, + session, rsaKey->label, rsaKey->labelLen); + } + else if (rsaKey->idLen > 0) { + ret = Pkcs11FindKeyById(privateKey, CKO_PRIVATE_KEY, CKK_RSA, session, + rsaKey->id, rsaKey->idLen); + } + else { + ret = Pkcs11FindRsaKey(privateKey, CKO_PRIVATE_KEY, session, rsaKey); + } + + if ((ret == 0) && (!sessionKey)) { + ret = Pkcs11GetRsaPublicKey(rsaKey, session, *privateKey); + } + + return ret; +} + +/** + * Exponentiate the input with the public part of the RSA key. + * Used in public encrypt and decrypt. + * + * @param [in] session Session object. + * @param [in] info Cryptographic operation data. + * @return WC_HW_E when a PKCS#11 library call fails. + * 0 on success. + */ +static int Pkcs11RsaEncrypt(Pkcs11Session* session, wc_CryptoInfo* info, + CK_OBJECT_HANDLE key) +{ + int ret = 0; + CK_RV rv; + CK_MECHANISM mech; + CK_ULONG outLen; + + WOLFSSL_MSG("PKCS#11: RSA Public Key Operation"); + + if (info->pk.rsa.outLen == NULL) { + ret = BAD_FUNC_ARG; + } + + if (ret == 0) { + /* Raw RSA encrypt/decrypt operation. */ + mech.mechanism = CKM_RSA_X_509; + mech.ulParameterLen = 0; + mech.pParameter = NULL; + + rv = session->func->C_EncryptInit(session->handle, &mech, key); + PKCS11_RV("C_EncryptInit", rv); + if (rv != CKR_OK) { + ret = WC_HW_E; + } + } + if (ret == 0) { + outLen = (CK_ULONG)*info->pk.rsa.outLen; + rv = session->func->C_Encrypt(session->handle, + (CK_BYTE_PTR)info->pk.rsa.in, info->pk.rsa.inLen, + info->pk.rsa.out, &outLen); + PKCS11_RV("C_Encrypt", rv); + if (rv != CKR_OK) { + ret = WC_HW_E; + } + } + if (ret == 0) { + *info->pk.rsa.outLen = (word32)outLen; + } + + return ret; +} + /** * Exponentiate the input with the private part of the RSA key. * Used in private encrypt and decrypt. @@ -1646,15 +1642,13 @@ static int Pkcs11GetRsaPublicKey(RsaKey* key, Pkcs11Session* session, * @return WC_HW_E when a PKCS#11 library call fails. * @return 0 on success. */ -static int Pkcs11RsaPrivate(Pkcs11Session* session, wc_CryptoInfo* info, - int func) +static int Pkcs11RsaDecrypt(Pkcs11Session* session, wc_CryptoInfo* info, + CK_OBJECT_HANDLE key) { int ret = 0; CK_RV rv; CK_MECHANISM mech; CK_ULONG outLen; - CK_OBJECT_HANDLE privateKey = NULL_PTR; - int sessionKey = 0; WOLFSSL_MSG("PKCS#11: RSA Private Key Operation"); @@ -1663,28 +1657,58 @@ static int Pkcs11RsaPrivate(Pkcs11Session* session, wc_CryptoInfo* info, } if (ret == 0) { - if ((sessionKey = !mp_iszero(&info->pk.rsa.key->d))) { - ret = Pkcs11CreateRsaPrivateKey(&privateKey, session, - info->pk.rsa.key, 0); - } - else if (info->pk.rsa.key->labelLen > 0) { - ret = Pkcs11FindKeyByLabel(&privateKey, CKO_PRIVATE_KEY, CKK_RSA, - session, info->pk.rsa.key->label, - info->pk.rsa.key->labelLen); - } - else if (info->pk.rsa.key->idLen > 0) { - ret = Pkcs11FindKeyById(&privateKey, CKO_PRIVATE_KEY, CKK_RSA, - session, info->pk.rsa.key->id, - info->pk.rsa.key->idLen); - } - else { - ret = Pkcs11FindRsaKey(&privateKey, CKO_PRIVATE_KEY, session, - info->pk.rsa.key); + /* Raw RSA encrypt/decrypt operation. */ + mech.mechanism = CKM_RSA_X_509; + mech.ulParameterLen = 0; + mech.pParameter = NULL; + + rv = session->func->C_DecryptInit(session->handle, &mech, key); + PKCS11_RV("C_DecryptInit", rv); + if (rv != CKR_OK) { + ret = WC_HW_E; } } + if (ret == 0) { + PKCS11_VAL("C_Decrypt inLen", info->pk.rsa.inLen); + PKCS11_VAL("C_Decrypt outLen", *info->pk.rsa.outLen); + outLen = (CK_ULONG)*info->pk.rsa.outLen; + rv = session->func->C_Decrypt(session->handle, + (CK_BYTE_PTR)info->pk.rsa.in, info->pk.rsa.inLen, + info->pk.rsa.out, &outLen); + PKCS11_RV("C_Decrypt", rv); + if (rv != CKR_OK) { + ret = WC_HW_E; + } + } + if (ret == 0) { + *info->pk.rsa.outLen = (word32)outLen; + } - if ((ret == 0) && (!sessionKey)) { - ret = Pkcs11GetRsaPublicKey(info->pk.rsa.key, session, privateKey); + return ret; +} + +/** + * Exponentiate the input with the private part of the RSA key. + * Used in private encrypt and decrypt. + * + * @param [in] session Session object. + * @param [in] info Cryptographic operation data. + * @param [in] func Function to perform - decrypt or sign. + * @return WC_HW_E when a PKCS#11 library call fails. + * @return 0 on success. + */ +static int Pkcs11RsaSign(Pkcs11Session* session, wc_CryptoInfo* info, + CK_OBJECT_HANDLE key) +{ + int ret = 0; + CK_RV rv; + CK_MECHANISM mech; + CK_ULONG outLen; + + WOLFSSL_MSG("PKCS#11: RSA Private Key Operation"); + + if (info->pk.rsa.outLen == NULL) { + ret = BAD_FUNC_ARG; } if (ret == 0) { @@ -1693,50 +1717,20 @@ static int Pkcs11RsaPrivate(Pkcs11Session* session, wc_CryptoInfo* info, mech.ulParameterLen = 0; mech.pParameter = NULL; - if (func == CKF_DECRYPT) { - rv = session->func->C_DecryptInit(session->handle, &mech, - privateKey); - #ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_DecryptInit", rv); - #endif - } - else { - rv = session->func->C_SignInit(session->handle, &mech, privateKey); - #ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_SignInit", rv); - #endif - } + rv = session->func->C_SignInit(session->handle, &mech, key); + PKCS11_RV("C_SignInit", rv); if (rv != CKR_OK) { ret = WC_HW_E; } } if (ret == 0) { - if (func == CKF_DECRYPT) { - #ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_val("C_Decrypt inLen", info->pk.rsa.inLen); - pkcs11_val("C_Decrypt outLen", *info->pk.rsa.outLen); - #endif - outLen = (CK_ULONG)*info->pk.rsa.outLen; - rv = session->func->C_Decrypt(session->handle, - (CK_BYTE_PTR)info->pk.rsa.in, info->pk.rsa.inLen, - info->pk.rsa.out, &outLen); - #ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_Decrypt", rv); - #endif - } - else { - #ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_val("C_Sign inLen", info->pk.rsa.inLen); - pkcs11_val("C_Sign outLen", *info->pk.rsa.outLen); - #endif - outLen = (CK_ULONG)*info->pk.rsa.outLen; - rv = session->func->C_Sign(session->handle, - (CK_BYTE_PTR)info->pk.rsa.in, info->pk.rsa.inLen, - info->pk.rsa.out, &outLen); - #ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_Sign", rv); - #endif - } + PKCS11_VAL("C_Sign inLen", info->pk.rsa.inLen); + PKCS11_VAL("C_Sign outLen", *info->pk.rsa.outLen); + outLen = (CK_ULONG)*info->pk.rsa.outLen; + rv = session->func->C_Sign(session->handle, + (CK_BYTE_PTR)info->pk.rsa.in, info->pk.rsa.inLen, + info->pk.rsa.out, &outLen); + PKCS11_RV("C_Sign", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -1744,8 +1738,6 @@ static int Pkcs11RsaPrivate(Pkcs11Session* session, wc_CryptoInfo* info, if (ret == 0) *info->pk.rsa.outLen = (word32)outLen; - if (sessionKey) - session->func->C_DestroyObject(session->handle, privateKey); return ret; } @@ -1763,42 +1755,73 @@ static int Pkcs11Rsa(Pkcs11Session* session, wc_CryptoInfo* info) int ret = 0; CK_RV rv; CK_MECHANISM_INFO mechInfo; + int sessionKey = 0; + CK_OBJECT_HANDLE key; + RsaKey* rsaKey = info->pk.rsa.key; + int type = info->pk.rsa.type; /* Check operation is supported. */ rv = session->func->C_GetMechanismInfo(session->slotId, CKM_RSA_X_509, &mechInfo); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_GetMechanismInfo", rv); -#endif + PKCS11_RV("C_GetMechanismInfo", rv); if (rv != CKR_OK) { ret = NOT_COMPILED_IN; } if (ret == 0) { - if (info->pk.rsa.type == RSA_PUBLIC_ENCRYPT || - info->pk.rsa.type == RSA_PUBLIC_DECRYPT) { - if ((mechInfo.flags & CKF_ENCRYPT) == 0) - ret = NOT_COMPILED_IN; - else - ret = Pkcs11RsaPublic(session, info); + if ((type == RSA_PUBLIC_ENCRYPT) || (type == RSA_PUBLIC_DECRYPT)) { + sessionKey = !mp_iszero(&rsaKey->e); + + /* Make a handle to a public key. */ + ret = Pkcs11RsaPublicKey(session, rsaKey, sessionKey, &key); } - else if (info->pk.rsa.type == RSA_PRIVATE_ENCRYPT || - info->pk.rsa.type == RSA_PRIVATE_DECRYPT) { - if ((mechInfo.flags & CKF_DECRYPT) == 0 && - (mechInfo.flags & CKF_SIGN) == 0) { + else { + sessionKey = !mp_iszero(&rsaKey->d); + + /* Make a handle to a private key. */ + ret = Pkcs11RsaPrivateKey(session, rsaKey, sessionKey, &key); + } + + if (type == RSA_PUBLIC_ENCRYPT) { + WOLFSSL_MSG("PKCS#11: Public Encrypt"); + if ((mechInfo.flags & CKF_ENCRYPT) != 0) { + ret = Pkcs11RsaEncrypt(session, info, key); + } + else { ret = NOT_COMPILED_IN; } - else if ((info->pk.rsa.type == RSA_PRIVATE_ENCRYPT && - (mechInfo.flags & CKF_SIGN) != 0) || - (info->pk.rsa.type == RSA_PRIVATE_DECRYPT && - (mechInfo.flags & CKF_DECRYPT) == 0)) { - ret = Pkcs11RsaPrivate(session, info, CKF_SIGN); - } - else - ret = Pkcs11RsaPrivate(session, info, CKF_DECRYPT); } - else - ret = NOT_COMPILED_IN; + else if (type == RSA_PUBLIC_DECRYPT) { + WOLFSSL_MSG("PKCS#11: Public Decrypt"); + if ((mechInfo.flags & CKF_DECRYPT) != 0) { + ret = Pkcs11RsaEncrypt(session, info, key); + } + else { + ret = NOT_COMPILED_IN; + } + } + else if (type == RSA_PRIVATE_DECRYPT) { + WOLFSSL_MSG("PKCS#11: Private Decrypt"); + if ((mechInfo.flags & CKF_DECRYPT) != 0) { + ret = Pkcs11RsaDecrypt(session, info, key); + } + else { + ret = Pkcs11RsaSign(session, info, key); + } + } + else if (type == RSA_PRIVATE_ENCRYPT) { + WOLFSSL_MSG("PKCS#11: Private Encrypt"); + if ((mechInfo.flags & CKF_SIGN) != 0) { + ret = Pkcs11RsaSign(session, info, key); + } + else { + ret = Pkcs11RsaDecrypt(session, info, key); + } + } + } + + if (sessionKey) { + session->func->C_DestroyObject(session->handle, key); } return ret; @@ -1871,19 +1894,13 @@ static int Pkcs11RsaKeyGen(Pkcs11Session* session, wc_CryptoInfo* info) mech.ulParameterLen = 0; mech.pParameter = NULL; -#ifdef WOLFSSL_DEBUG_PKCS11 - WOLFSSL_MSG("Public Key"); - pkcs11_dump_template(pubKeyTmpl, pubTmplCnt); - WOLFSSL_MSG("Private Key"); - pkcs11_dump_template(privKeyTmpl, privTmplCnt); -#endif + PKCS11_DUMP_TEMPLATE("Public Key", pubKeyTmpl, pubTmplCnt); + PKCS11_DUMP_TEMPLATE("Private Key", privKeyTmpl, privTmplCnt); rv = session->func->C_GenerateKeyPair(session->handle, &mech, pubKeyTmpl, pubTmplCnt, privKeyTmpl, privTmplCnt, &pubKey, &privKey); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_GenerateKeyPair", rv); -#endif + PKCS11_RV("C_GenerateKeyPair", rv); if (rv != CKR_OK) { ret = -1; } @@ -1960,32 +1977,23 @@ static int Pkcs11FindEccKey(CK_OBJECT_HANDLE* key, CK_OBJECT_CLASS keyClass, attrCnt++; } if (ret == 0) { -#ifdef WOLFSSL_DEBUG_PKCS11 - WOLFSSL_MSG("Find Ec Key"); - pkcs11_dump_template(keyTemplate, attrCnt); -#endif + PKCS11_DUMP_TEMPLATE("Find Ec Key", keyTemplate, attrCnt); rv = session->func->C_FindObjectsInit(session->handle, keyTemplate, attrCnt); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_FindObjectsInit", rv); -#endif + PKCS11_RV("C_FindObjectsInit", rv); if (rv != CKR_OK) { ret = WC_HW_E; } } if (ret == 0) { rv = session->func->C_FindObjects(session->handle, key, 1, &count); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_FindObjects", rv); - pkcs11_val("C_FindObjects Count", count); -#endif + PKCS11_RV("C_FindObjects", rv); + PKCS11_VAL("C_FindObjects Count", count); if (rv != CKR_OK) { ret = WC_HW_E; } rv = session->func->C_FindObjectsFinal(session->handle); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_FindObjectsFinal", rv); -#endif + PKCS11_RV("C_FindObjectsFinal", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -2024,9 +2032,7 @@ static int Pkcs11GetEccPublicKey(ecc_key* key, Pkcs11Session* session, rv = session->func->C_GetAttributeValue(session->handle, pubKey, tmpl, tmplCnt); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_GetAttributeValue", rv); -#endif + PKCS11_RV("C_GetAttributeValue", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -2040,22 +2046,14 @@ static int Pkcs11GetEccPublicKey(ecc_key* key, Pkcs11Session* session, if (ret == 0) { tmpl[0].pValue = point; -#ifdef WOLFSSL_DEBUG_PKCS11 - WOLFSSL_MSG("Get Ec Public Key"); - pkcs11_dump_template(tmpl, tmplCnt); -#endif + PKCS11_DUMP_TEMPLATE("Get Ec Public Key", tmpl, tmplCnt); rv = session->func->C_GetAttributeValue(session->handle, pubKey, tmpl, tmplCnt); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_GetAttributeValue", rv); -#endif + PKCS11_RV("C_GetAttributeValue", rv); if (rv != CKR_OK) { ret = WC_HW_E; } -#ifdef WOLFSSL_DEBUG_PKCS11 - WOLFSSL_MSG("Ec Public Key"); - pkcs11_dump_template(tmpl, tmplCnt); -#endif + PKCS11_DUMP_TEMPLATE("Ec Public Key", tmpl, tmplCnt); } /* Make sure the data is big enough for ASN.1: OCT + uncompressed point */ @@ -2162,20 +2160,14 @@ static int Pkcs11EcKeyGen(Pkcs11Session* session, wc_CryptoInfo* info) mech.ulParameterLen = 0; mech.pParameter = NULL; -#ifdef WOLFSSL_DEBUG_PKCS11 - WOLFSSL_MSG("Ec Private"); - pkcs11_dump_template(privKeyTmpl, privTmplCnt); - WOLFSSL_MSG("Ec Public"); - pkcs11_dump_template(pubKeyTmpl, pubTmplCnt); -#endif + PKCS11_DUMP_TEMPLATE("Ec Private", privKeyTmpl, privTmplCnt); + PKCS11_DUMP_TEMPLATE("Ec Public", pubKeyTmpl, pubTmplCnt); rv = session->func->C_GenerateKeyPair(session->handle, &mech, pubKeyTmpl, pubTmplCnt, privKeyTmpl, privTmplCnt, &pubKey, &privKey); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_GenerateKeyPair", rv); -#endif + PKCS11_RV("C_GenerateKeyPair", rv); if (rv != CKR_OK) { ret = -1; } @@ -2215,44 +2207,28 @@ static int Pkcs11ExtractSecret(Pkcs11Session* session, CK_OBJECT_HANDLE secret, CK_ULONG tmplCnt = sizeof(tmpl) / sizeof(*tmpl); CK_RV rv; -#ifdef WOLFSSL_DEBUG_PKCS11 - WOLFSSL_MSG("Get Secret Length"); - pkcs11_dump_template(tmpl, tmplCnt); -#endif + PKCS11_DUMP_TEMPLATE("Get Secret Length", tmpl, tmplCnt); rv = session->func->C_GetAttributeValue(session->handle, secret, tmpl, tmplCnt); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_GetAttributeValue", rv); -#endif + PKCS11_RV("C_GetAttributeValue", rv); if (rv != CKR_OK) { ret = WC_HW_E; } -#ifdef WOLFSSL_DEBUG_PKCS11 - WOLFSSL_MSG("Secret Length"); - pkcs11_dump_template(tmpl, tmplCnt); -#endif + PKCS11_DUMP_TEMPLATE("Secret Length", tmpl, tmplCnt); if (ret == 0) { if (tmpl[0].ulValueLen > *outLen) ret = BUFFER_E; } if (ret == 0) { tmpl[0].pValue = out; -#ifdef WOLFSSL_DEBUG_PKCS11 - WOLFSSL_MSG("Get Secret"); - pkcs11_dump_template(tmpl, tmplCnt); -#endif + PKCS11_DUMP_TEMPLATE("Get Secret", tmpl, tmplCnt); rv = session->func->C_GetAttributeValue(session->handle, secret, tmpl, tmplCnt); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_GetAttributeValue", rv); -#endif + PKCS11_RV("C_GetAttributeValue", rv); if (rv != CKR_OK) { ret = WC_HW_E; } -#ifdef WOLFSSL_DEBUG_PKCS11 - WOLFSSL_MSG("Secret"); - pkcs11_dump_template(tmpl, tmplCnt); -#endif + PKCS11_DUMP_TEMPLATE("Secret", tmpl, tmplCnt); *outLen = (word32)tmpl[0].ulValueLen; } @@ -2342,15 +2318,10 @@ static int Pkcs11ECDH(Pkcs11Session* session, wc_CryptoInfo* info) mech.ulParameterLen = sizeof(params); mech.pParameter = ¶ms; -#ifdef WOLFSSL_DEBUG_PKCS11 - WOLFSSL_MSG("ECDH key"); - pkcs11_dump_template(tmpl, tmplCnt); -#endif + PKCS11_DUMP_TEMPLATE("ECDH key", tmpl, tmplCnt); rv = session->func->C_DeriveKey(session->handle, &mech, privateKey, tmpl, tmplCnt, &secret); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_DeriveKey", rv); -#endif + PKCS11_RV("C_DeriveKey", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -2536,22 +2507,14 @@ static int Pkcs11GetEccParams(Pkcs11Session* session, CK_OBJECT_HANDLE privKey, { CKA_EC_PARAMS, (CK_VOID_PTR)oid, sizeof(oid) } }; -#ifdef WOLFSSL_DEBUG_PKCS11 - WOLFSSL_MSG("Get Ec Params"); - pkcs11_dump_template(template, 1); -#endif + PKCS11_DUMP_TEMPLATE("Get Ec Params", template, 1); rv = session->func->C_GetAttributeValue(session->handle, privKey, template, 1); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_GetAttributeValue", rv); -#endif + PKCS11_RV("C_GetAttributeValue", rv); if (rv != CKR_OK) { ret = WC_HW_E; } -#ifdef WOLFSSL_DEBUG_PKCS11 - WOLFSSL_MSG("Ec Params"); - pkcs11_dump_template(template, 1); -#endif + PKCS11_DUMP_TEMPLATE("Ec Params", template, 1); if (ret == 0) { /* PKCS #11 wraps the OID in ASN.1 */ curveId = wc_ecc_get_curve_id_from_oid(oid + 2, @@ -2587,9 +2550,7 @@ static int Pkcs11ECDSA_Sign(Pkcs11Session* session, wc_CryptoInfo* info) /* Check operation is supported. */ rv = session->func->C_GetMechanismInfo(session->slotId, CKM_ECDSA, &mechInfo); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_GetMechanismInfo", rv); -#endif + PKCS11_RV("C_GetMechanismInfo", rv); if (rv != CKR_OK || (mechInfo.flags & CKF_SIGN) == 0) ret = NOT_COMPILED_IN; @@ -2642,9 +2603,7 @@ static int Pkcs11ECDSA_Sign(Pkcs11Session* session, wc_CryptoInfo* info) mech.pParameter = NULL; rv = session->func->C_SignInit(session->handle, &mech, privateKey); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_SignInit", rv); -#endif + PKCS11_RV("C_SignInit", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -2656,9 +2615,7 @@ static int Pkcs11ECDSA_Sign(Pkcs11Session* session, wc_CryptoInfo* info) (CK_BYTE_PTR)info->pk.eccsign.in, info->pk.eccsign.inlen, info->pk.eccsign.out, &outLen); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_Sign", rv); -#endif + PKCS11_RV("C_Sign", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -2697,9 +2654,7 @@ static int Pkcs11ECDSA_Verify(Pkcs11Session* session, wc_CryptoInfo* info) /* Check operation is supported. */ rv = session->func->C_GetMechanismInfo(session->slotId, CKM_ECDSA, &mechInfo); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_GetMechanismInfo", rv); -#endif + PKCS11_RV("C_GetMechanismInfo", rv); if (rv != CKR_OK || (mechInfo.flags & CKF_VERIFY) == 0) ret = NOT_COMPILED_IN; @@ -2731,9 +2686,7 @@ static int Pkcs11ECDSA_Verify(Pkcs11Session* session, wc_CryptoInfo* info) mech.pParameter = NULL; rv = session->func->C_VerifyInit(session->handle, &mech, publicKey); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_VerifyInit", rv); -#endif + PKCS11_RV("C_VerifyInit", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -2745,9 +2698,7 @@ static int Pkcs11ECDSA_Verify(Pkcs11Session* session, wc_CryptoInfo* info) (CK_BYTE_PTR)info->pk.eccverify.hash, info->pk.eccverify.hashlen, (CK_BYTE_PTR)sig, sz * 2); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_Verify", rv); -#endif + PKCS11_RV("C_Verify", rv); if (rv == CKR_SIGNATURE_INVALID) { } else if (rv != CKR_OK) @@ -2998,9 +2949,7 @@ static int Pkcs11AesGcmEncrypt(Pkcs11Session* session, wc_CryptoInfo* info) /* Check operation is supported. */ rv = session->func->C_GetMechanismInfo(session->slotId, CKM_AES_GCM, &mechInfo); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_GetMechanismInfo", rv); -#endif + PKCS11_RV("C_GetMechanismInfo", rv); if (rv != CKR_OK || (mechInfo.flags & CKF_ENCRYPT) == 0) ret = NOT_COMPILED_IN; @@ -3036,9 +2985,7 @@ static int Pkcs11AesGcmEncrypt(Pkcs11Session* session, wc_CryptoInfo* info) mech.pParameter = ¶ms; rv = session->func->C_EncryptInit(session->handle, &mech, key); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_EncryptInit", rv); -#endif + PKCS11_RV("C_EncryptInit", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -3050,9 +2997,7 @@ static int Pkcs11AesGcmEncrypt(Pkcs11Session* session, wc_CryptoInfo* info) info->cipher.aesgcm_enc.sz, info->cipher.aesgcm_enc.out, &outLen); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_EncryptUpdate", rv); -#endif + PKCS11_RV("C_EncryptUpdate", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -3063,9 +3008,7 @@ static int Pkcs11AesGcmEncrypt(Pkcs11Session* session, wc_CryptoInfo* info) rv = session->func->C_EncryptFinal(session->handle, info->cipher.aesgcm_enc.authTag, &outLen); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_EncryptFinal", rv); -#endif + PKCS11_RV("C_EncryptFinal", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -3101,9 +3044,7 @@ static int Pkcs11AesGcmDecrypt(Pkcs11Session* session, wc_CryptoInfo* info) /* Check operation is supported. */ rv = session->func->C_GetMechanismInfo(session->slotId, CKM_AES_GCM, &mechInfo); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_GetMechanismInfo", rv); -#endif + PKCS11_RV("C_GetMechanismInfo", rv); if (rv != CKR_OK || (mechInfo.flags & CKF_DECRYPT) == 0) ret = NOT_COMPILED_IN; @@ -3139,9 +3080,7 @@ static int Pkcs11AesGcmDecrypt(Pkcs11Session* session, wc_CryptoInfo* info) mech.pParameter = ¶ms; rv = session->func->C_DecryptInit(session->handle, &mech, key); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_DecryptInit", rv); -#endif + PKCS11_RV("C_DecryptInit", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -3153,9 +3092,7 @@ static int Pkcs11AesGcmDecrypt(Pkcs11Session* session, wc_CryptoInfo* info) info->cipher.aesgcm_dec.sz, info->cipher.aesgcm_dec.out, &outLen); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_DecryptUpdate", rv); -#endif + PKCS11_RV("C_DecryptUpdate", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -3169,9 +3106,7 @@ static int Pkcs11AesGcmDecrypt(Pkcs11Session* session, wc_CryptoInfo* info) info->cipher.aesgcm_dec.authTagSz, info->cipher.aesgcm_dec.out, &outLen); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_DecryptUpdate", rv); -#endif + PKCS11_RV("C_DecryptUpdate", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -3182,9 +3117,7 @@ static int Pkcs11AesGcmDecrypt(Pkcs11Session* session, wc_CryptoInfo* info) rv = session->func->C_DecryptFinal(session->handle, info->cipher.aesgcm_dec.out, &outLen); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_DecryptFinal", rv); -#endif + PKCS11_RV("C_DecryptFinal", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -3220,9 +3153,7 @@ static int Pkcs11AesCbcEncrypt(Pkcs11Session* session, wc_CryptoInfo* info) /* Check operation is supported. */ rv = session->func->C_GetMechanismInfo(session->slotId, CKM_AES_CBC, &mechInfo); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_GetMechanismInfo", rv); -#endif + PKCS11_RV("C_GetMechanismInfo", rv); if (rv != CKR_OK || (mechInfo.flags & CKF_ENCRYPT) == 0) ret = NOT_COMPILED_IN; @@ -3252,9 +3183,7 @@ static int Pkcs11AesCbcEncrypt(Pkcs11Session* session, wc_CryptoInfo* info) mech.pParameter = (CK_BYTE_PTR)info->cipher.aescbc.aes->reg; rv = session->func->C_EncryptInit(session->handle, &mech, key); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_EncryptInit", rv); -#endif + PKCS11_RV("C_EncryptInit", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -3266,9 +3195,7 @@ static int Pkcs11AesCbcEncrypt(Pkcs11Session* session, wc_CryptoInfo* info) info->cipher.aescbc.sz, info->cipher.aescbc.out, &outLen); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_Encrypt", rv); -#endif + PKCS11_RV("C_Encrypt", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -3302,9 +3229,7 @@ static int Pkcs11AesCbcDecrypt(Pkcs11Session* session, wc_CryptoInfo* info) /* Check operation is supported. */ rv = session->func->C_GetMechanismInfo(session->slotId, CKM_AES_CBC, &mechInfo); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_GetMechanismInfo", rv); -#endif + PKCS11_RV("C_GetMechanismInfo", rv); if (rv != CKR_OK || (mechInfo.flags & CKF_DECRYPT) == 0) ret = NOT_COMPILED_IN; @@ -3334,9 +3259,7 @@ static int Pkcs11AesCbcDecrypt(Pkcs11Session* session, wc_CryptoInfo* info) mech.pParameter = (CK_BYTE_PTR)info->cipher.aescbc.aes->reg; rv = session->func->C_DecryptInit(session->handle, &mech, key); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_DecryptInit", rv); -#endif + PKCS11_RV("C_DecryptInit", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -3348,9 +3271,7 @@ static int Pkcs11AesCbcDecrypt(Pkcs11Session* session, wc_CryptoInfo* info) info->cipher.aescbc.sz, info->cipher.aescbc.out, &outLen); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_DecryptUpdate", rv); -#endif + PKCS11_RV("C_DecryptUpdate", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -3393,9 +3314,7 @@ static int Pkcs11Hmac(Pkcs11Session* session, wc_CryptoInfo* info) /* Check operation is supported. */ rv = session->func->C_GetMechanismInfo(session->slotId, mechType, &mechInfo); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_GetMechanismInfo", rv); -#endif + PKCS11_RV("C_GetMechanismInfo", rv); if (rv != CKR_OK || (mechInfo.flags & CKF_SIGN) == 0) ret = NOT_COMPILED_IN; } @@ -3450,9 +3369,7 @@ static int Pkcs11Hmac(Pkcs11Session* session, wc_CryptoInfo* info) mech.pParameter = NULL; rv = session->func->C_SignInit(session->handle, &mech, key); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_SignInit", rv); -#endif + PKCS11_RV("C_SignInit", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -3469,9 +3386,7 @@ static int Pkcs11Hmac(Pkcs11Session* session, wc_CryptoInfo* info) rv = session->func->C_SignUpdate(session->handle, (CK_BYTE_PTR)info->hmac.in, info->hmac.inSz); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_SignUpdate", rv); -#endif + PKCS11_RV("C_SignUpdate", rv); /* Some algorithm implementations only support C_Sign. */ if (rv == CKR_MECHANISM_INVALID) { WOLFSSL_MSG("PKCS#11: HMAC Update/Final not supported"); @@ -3490,9 +3405,7 @@ static int Pkcs11Hmac(Pkcs11Session* session, wc_CryptoInfo* info) rv = session->func->C_SignFinal(session->handle, (CK_BYTE_PTR)info->hmac.digest, &outLen); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_SignFinal", rv); -#endif + PKCS11_RV("C_SignFinal", rv); /* Some algorithm implementations only support C_Sign. */ if (rv != CKR_OK) { ret = WC_HW_E; @@ -3527,9 +3440,7 @@ static int Pkcs11RandomBlock(Pkcs11Session* session, wc_CryptoInfo* info) rv = session->func->C_GenerateRandom(session->handle, info->rng.out, info->rng.sz); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_GenerateRandom", rv); -#endif + PKCS11_RV("C_GenerateRandom", rv); if (rv != CKR_OK) { ret = WC_HW_E; } @@ -3554,9 +3465,7 @@ static int Pkcs11RandomSeed(Pkcs11Session* session, wc_CryptoInfo* info) rv = session->func->C_GenerateRandom(session->handle, info->seed.seed, info->seed.sz); -#ifdef WOLFSSL_DEBUG_PKCS11 - pkcs11_rv("C_GenerateRandom", rv); -#endif + PKCS11_RV("C_GenerateRandom", rv); if (rv != CKR_OK) { ret = WC_HW_E; }