diff options
Diffstat (limited to 'libxmlsec/xmlsec1-nssmangleciphers.patch')
| -rw-r--r-- | libxmlsec/xmlsec1-nssmangleciphers.patch | 1134 |
1 files changed, 1134 insertions, 0 deletions
diff --git a/libxmlsec/xmlsec1-nssmangleciphers.patch b/libxmlsec/xmlsec1-nssmangleciphers.patch new file mode 100644 index 000000000000..96f5049f68ae --- /dev/null +++ b/libxmlsec/xmlsec1-nssmangleciphers.patch @@ -0,0 +1,1134 @@ +--- misc/xmlsec1-1.2.14/src/nss/ciphers.c 2009-09-10 05:16:27.000000000 -0400 ++++ misc/build/xmlsec1-1.2.14/src/nss/ciphers.c 2009-09-10 06:59:39.000000000 -0400 +@@ -11,180 +11,421 @@ + + #include <string.h> + +-#include <nspr.h> + #include <nss.h> +-#include <secoid.h> + #include <pk11func.h> + + #include <xmlsec/xmlsec.h> ++#include <xmlsec/xmltree.h> ++#include <xmlsec/base64.h> + #include <xmlsec/keys.h> + #include <xmlsec/transforms.h> + #include <xmlsec/errors.h> + + #include <xmlsec/nss/crypto.h> +- +-#define XMLSEC_NSS_MAX_KEY_SIZE 32 +-#define XMLSEC_NSS_MAX_IV_SIZE 32 +-#define XMLSEC_NSS_MAX_BLOCK_SIZE 32 ++#include <xmlsec/nss/ciphers.h> + + /************************************************************************** + * +- * Internal Nss Block cipher CTX ++ * Internal Nss Block Cipher Context ++ * This context is designed for repositing a block cipher for transform + * + *****************************************************************************/ +-typedef struct _xmlSecNssBlockCipherCtx xmlSecNssBlockCipherCtx, +- *xmlSecNssBlockCipherCtxPtr; ++typedef struct _xmlSecNssBlockCipherCtx xmlSecNssBlockCipherCtx ; ++typedef struct _xmlSecNssBlockCipherCtx* xmlSecNssBlockCipherCtxPtr ; ++ + struct _xmlSecNssBlockCipherCtx { + CK_MECHANISM_TYPE cipher; ++ PK11SymKey* symkey ; + PK11Context* cipherCtx; + xmlSecKeyDataId keyId; +- int keyInitialized; +- int ctxInitialized; +- xmlSecByte key[XMLSEC_NSS_MAX_KEY_SIZE]; +- xmlSecSize keySize; +- xmlSecByte iv[XMLSEC_NSS_MAX_IV_SIZE]; +- xmlSecSize ivSize; + }; +-static int xmlSecNssBlockCipherCtxInit (xmlSecNssBlockCipherCtxPtr ctx, +- xmlSecBufferPtr in, +- xmlSecBufferPtr out, +- int encrypt, +- const xmlChar* cipherName, +- xmlSecTransformCtxPtr transformCtx); +-static int xmlSecNssBlockCipherCtxUpdate (xmlSecNssBlockCipherCtxPtr ctx, +- xmlSecBufferPtr in, +- xmlSecBufferPtr out, +- int encrypt, +- const xmlChar* cipherName, +- xmlSecTransformCtxPtr transformCtx); +-static int xmlSecNssBlockCipherCtxFinal (xmlSecNssBlockCipherCtxPtr ctx, +- xmlSecBufferPtr in, +- xmlSecBufferPtr out, +- int encrypt, +- const xmlChar* cipherName, +- xmlSecTransformCtxPtr transformCtx); ++ ++#define xmlSecNssBlockCipherSize \ ++ ( sizeof( xmlSecTransform ) + sizeof( xmlSecNssBlockCipherCtx ) ) ++ ++#define xmlSecNssBlockCipherGetCtx( transform ) \ ++ ( ( xmlSecNssBlockCipherCtxPtr )( ( ( xmlSecByte* )( transform ) ) + sizeof( xmlSecTransform ) ) ) ++ ++static int ++xmlSecNssBlockCipherCheckId( ++ xmlSecTransformPtr transform ++) { ++ #ifndef XMLSEC_NO_DES ++ if( xmlSecTransformCheckId( transform, xmlSecNssTransformDes3CbcId ) ) { ++ return 1 ; ++ } ++ #endif /* XMLSEC_NO_DES */ ++ ++ #ifndef XMLSEC_NO_AES ++ if( xmlSecTransformCheckId( transform, xmlSecNssTransformAes128CbcId ) || ++ xmlSecTransformCheckId( transform, xmlSecNssTransformAes192CbcId ) || ++ xmlSecTransformCheckId( transform, xmlSecNssTransformAes256CbcId ) ) { ++ ++ return 1 ; ++ } ++ #endif /* XMLSEC_NO_AES */ ++ ++ return 0 ; ++} ++ ++static int ++xmlSecNssBlockCipherFetchCtx( ++ xmlSecNssBlockCipherCtxPtr context , ++ xmlSecTransformId id ++) { ++ xmlSecAssert2( context != NULL, -1 ) ; ++ ++ #ifndef XMLSEC_NO_DES ++ if( id == xmlSecNssTransformDes3CbcId ) { ++ context->cipher = CKM_DES3_CBC ; ++ context->keyId = xmlSecNssKeyDataDesId ; ++ } else ++ #endif /* XMLSEC_NO_DES */ ++ ++ #ifndef XMLSEC_NO_AES ++ if( id == xmlSecNssTransformAes128CbcId ) { ++ context->cipher = CKM_AES_CBC ; ++ context->keyId = xmlSecNssKeyDataAesId ; ++ } else ++ if( id == xmlSecNssTransformAes192CbcId ) { ++ context->cipher = CKM_AES_CBC ; ++ context->keyId = xmlSecNssKeyDataAesId ; ++ } else ++ if( id == xmlSecNssTransformAes256CbcId ) { ++ context->cipher = CKM_AES_CBC ; ++ context->keyId = xmlSecNssKeyDataAesId ; ++ } else ++ #endif /* XMLSEC_NO_AES */ ++ ++ if( 1 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ NULL , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return -1 ; ++ } ++ ++ return 0 ; ++} ++ ++/** ++ * xmlSecTransformInitializeMethod: ++ * @transform: the pointer to transform object. ++ * ++ * The transform specific initialization method. ++ * ++ * Returns 0 on success or a negative value otherwise. ++ */ ++static int ++xmlSecNssBlockCipherInitialize( ++ xmlSecTransformPtr transform ++) { ++ xmlSecNssBlockCipherCtxPtr context = NULL ; ++ ++ xmlSecAssert2( xmlSecNssBlockCipherCheckId( transform ), -1 ) ; ++ xmlSecAssert2( xmlSecTransformCheckSize( transform, xmlSecNssBlockCipherSize ), -1 ) ; ++ ++ context = xmlSecNssBlockCipherGetCtx( transform ) ; ++ if( context == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , ++ "xmlSecNssBlockCipherGetCtx" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return -1 ; ++ } ++ ++ if( xmlSecNssBlockCipherFetchCtx( context , transform->id ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , ++ "xmlSecNssBlockCipherFetchCtx" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return -1 ; ++ } ++ ++ context->symkey = NULL ; ++ context->cipherCtx = NULL ; ++ ++ return 0 ; ++} ++ ++/** ++ * xmlSecTransformFinalizeMethod: ++ * @transform: the pointer to transform object. ++ * ++ * The transform specific destroy method. ++ */ ++static void ++xmlSecNssBlockCipherFinalize( ++ xmlSecTransformPtr transform ++) { ++ xmlSecNssBlockCipherCtxPtr context = NULL ; ++ ++ xmlSecAssert( xmlSecNssBlockCipherCheckId( transform ) ) ; ++ xmlSecAssert( xmlSecTransformCheckSize( transform, xmlSecNssBlockCipherSize ) ) ; ++ ++ context = xmlSecNssBlockCipherGetCtx( transform ) ; ++ if( context == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , ++ "xmlSecNssBlockCipherGetCtx" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return ; ++ } ++ ++ if( context->cipherCtx != NULL ) { ++ PK11_DestroyContext( context->cipherCtx, PR_TRUE ) ; ++ context->cipherCtx = NULL ; ++ } ++ ++ if( context->symkey != NULL ) { ++ PK11_FreeSymKey( context->symkey ) ; ++ context->symkey = NULL ; ++ } ++ ++ context->cipher = CKM_INVALID_MECHANISM ; ++ context->keyId = NULL ; ++} ++ ++/** ++ * xmlSecTransformSetKeyRequirementsMethod: ++ * @transform: the pointer to transform object. ++ * @keyReq: the pointer to key requirements structure. ++ * ++ * Transform specific method to set transform's key requirements. ++ * ++ * Returns 0 on success or a negative value otherwise. ++ */ ++static int ++xmlSecNssBlockCipherSetKeyReq( ++ xmlSecTransformPtr transform , ++ xmlSecKeyReqPtr keyReq ++) { ++ xmlSecNssBlockCipherCtxPtr context = NULL ; ++ xmlSecSize cipherSize = 0 ; ++ ++ xmlSecAssert2( xmlSecNssBlockCipherCheckId( transform ), -1 ) ; ++ xmlSecAssert2( xmlSecTransformCheckSize( transform, xmlSecNssBlockCipherSize ), -1 ) ; ++ xmlSecAssert2( keyReq != NULL , -1 ) ; ++ xmlSecAssert2( ( transform->operation == xmlSecTransformOperationEncrypt ) || ( transform->operation == xmlSecTransformOperationDecrypt ), -1 ) ; ++ ++ context = xmlSecNssBlockCipherGetCtx( transform ) ; ++ if( context == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , ++ "xmlSecNssBlockCipherGetCtx" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return -1 ; ++ } ++ ++ keyReq->keyId = context->keyId ; ++ keyReq->keyType = xmlSecKeyDataTypeSymmetric ; ++ ++ if( transform->operation == xmlSecTransformOperationEncrypt ) { ++ keyReq->keyUsage = xmlSecKeyUsageEncrypt ; ++ } else { ++ keyReq->keyUsage = xmlSecKeyUsageDecrypt ; ++ } ++ ++ /* ++ if( context->symkey != NULL ) ++ cipherSize = PK11_GetKeyLength( context->symkey ) ; ++ ++ keyReq->keyBitsSize = cipherSize * 8 ; ++ */ ++ ++ return 0 ; ++} ++ ++/** ++ * xmlSecTransformSetKeyMethod: ++ * @transform: the pointer to transform object. ++ * @key: the pointer to key. ++ * ++ * The transform specific method to set the key for use. ++ * ++ * Returns 0 on success or a negative value otherwise. ++ */ ++static int ++xmlSecNssBlockCipherSetKey( ++ xmlSecTransformPtr transform , ++ xmlSecKeyPtr key ++) { ++ xmlSecNssBlockCipherCtxPtr context = NULL ; ++ xmlSecKeyDataPtr keyData = NULL ; ++ PK11SymKey* symkey = NULL ; ++ CK_ATTRIBUTE_TYPE operation ; ++ int ivLen ; ++ ++ xmlSecAssert2( xmlSecNssBlockCipherCheckId( transform ), -1 ) ; ++ xmlSecAssert2( xmlSecTransformCheckSize( transform, xmlSecNssBlockCipherSize ), -1 ) ; ++ xmlSecAssert2( key != NULL , -1 ) ; ++ xmlSecAssert2( ( transform->operation == xmlSecTransformOperationEncrypt ) || ( transform->operation == xmlSecTransformOperationDecrypt ), -1 ) ; ++ ++ context = xmlSecNssBlockCipherGetCtx( transform ) ; ++ if( context == NULL || context->keyId == NULL || context->symkey != NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , ++ "xmlSecNssBlockCipherGetCtx" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return -1 ; ++ } ++ xmlSecAssert2( xmlSecKeyCheckId( key, context->keyId ), -1 ) ; ++ ++ keyData = xmlSecKeyGetValue( key ) ; ++ if( keyData == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyGetName( key ) ) , ++ "xmlSecKeyGetValue" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return -1 ; ++ } ++ ++ if( ( symkey = xmlSecNssSymKeyDataGetKey( keyData ) ) == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyDataGetName( keyData ) ) , ++ "xmlSecNssSymKeyDataGetKey" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return -1 ; ++ } ++ ++ context->symkey = symkey ; ++ ++ return 0 ; ++} ++ + static int + xmlSecNssBlockCipherCtxInit(xmlSecNssBlockCipherCtxPtr ctx, + xmlSecBufferPtr in, xmlSecBufferPtr out, + int encrypt, + const xmlChar* cipherName, + xmlSecTransformCtxPtr transformCtx) { +- SECItem keyItem; + SECItem ivItem; +- PK11SlotInfo* slot; +- PK11SymKey* symKey; ++ SECItem* secParam = NULL ; ++ xmlSecBufferPtr ivBuf = NULL ; + int ivLen; +- SECStatus rv; +- int ret; + + xmlSecAssert2(ctx != NULL, -1); +- xmlSecAssert2(ctx->cipher != 0, -1); ++ xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ; ++ xmlSecAssert2( ctx->symkey != NULL , -1 ) ; + xmlSecAssert2(ctx->cipherCtx == NULL, -1); +- xmlSecAssert2(ctx->keyInitialized != 0, -1); +- xmlSecAssert2(ctx->ctxInitialized == 0, -1); ++ xmlSecAssert2( ctx->keyId != NULL , -1 ) ; + xmlSecAssert2(in != NULL, -1); + xmlSecAssert2(out != NULL, -1); + xmlSecAssert2(transformCtx != NULL, -1); + + ivLen = PK11_GetIVLength(ctx->cipher); +- xmlSecAssert2(ivLen > 0, -1); +- xmlSecAssert2((xmlSecSize)ivLen <= sizeof(ctx->iv), -1); ++ if( ivLen < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "PK11_GetIVLength" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return -1 ; ++ } ++ ++ if( ( ivBuf = xmlSecBufferCreate( ivLen ) ) == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecBufferCreate" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return -1 ; ++ } + + if(encrypt) { +- /* generate random iv */ +- rv = PK11_GenerateRandom(ctx->iv, ivLen); +- if(rv != SECSuccess) { ++ if( PK11_GenerateRandom( ivBuf->data , ivLen ) != SECSuccess ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(cipherName), + "PK11_GenerateRandom", + XMLSEC_ERRORS_R_CRYPTO_FAILED, +- "size=%d", ivLen); ++ XMLSEC_ERRORS_NO_MESSAGE); ++ xmlSecBufferDestroy( ivBuf ) ; + return(-1); + } ++ if( xmlSecBufferSetSize( ivBuf , ivLen ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecBufferSetSize" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ xmlSecBufferDestroy( ivBuf ) ; ++ return -1 ; ++ } + +- /* write iv to the output */ +- ret = xmlSecBufferAppend(out, ctx->iv, ivLen); +- if(ret < 0) { ++ if( xmlSecBufferAppend( out , ivBuf->data , ivLen ) < 0 ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(cipherName), + "xmlSecBufferAppend", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "size=%d", ivLen); ++ XMLSEC_ERRORS_R_CRYPTO_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ xmlSecBufferDestroy( ivBuf ) ; + return(-1); + } + + } else { +- /* if we don't have enough data, exit and hope that +- * we'll have iv next time */ +- if(xmlSecBufferGetSize(in) < (xmlSecSize)ivLen) { +- return(0); +- } +- +- /* copy iv to our buffer*/ +- xmlSecAssert2(xmlSecBufferGetData(in) != NULL, -1); +- memcpy(ctx->iv, xmlSecBufferGetData(in), ivLen); +- +- /* and remove from input */ +- ret = xmlSecBufferRemoveHead(in, ivLen); +- if(ret < 0) { ++ if( xmlSecBufferSetData( ivBuf , in->data , ivLen ) < 0 ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(cipherName), +- "xmlSecBufferRemoveHead", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "size=%d", ivLen); ++ "xmlSecBufferSetData", ++ XMLSEC_ERRORS_R_CRYPTO_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ xmlSecBufferDestroy( ivBuf ) ; + return(-1); + } + } + +- memset(&keyItem, 0, sizeof(keyItem)); +- keyItem.data = ctx->key; +- keyItem.len = ctx->keySize; +- memset(&ivItem, 0, sizeof(ivItem)); +- ivItem.data = ctx->iv; +- ivItem.len = ctx->ivSize; +- +- slot = PK11_GetBestSlot(ctx->cipher, NULL); +- if(slot == NULL) { ++ if( xmlSecBufferRemoveHead( in , ivLen ) < 0 ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(cipherName), +- "PK11_GetBestSlot", ++ "xmlSecBufferRemoveHead", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); ++ xmlSecBufferDestroy( ivBuf ) ; + return(-1); + } + +- symKey = PK11_ImportSymKey(slot, ctx->cipher, PK11_OriginDerive, +- CKA_SIGN, &keyItem, NULL); +- if(symKey == NULL) { ++ ivItem.data = xmlSecBufferGetData( ivBuf ) ; ++ ivItem.len = xmlSecBufferGetSize( ivBuf ) ; ++ if( ( secParam = PK11_ParamFromIV( ctx->cipher , &ivItem ) ) == NULL ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(cipherName), +- "PK11_ImportSymKey", ++ "PK11_ParamFromIV", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); +- PK11_FreeSlot(slot); ++ xmlSecBufferDestroy( ivBuf ) ; + return(-1); + } + + ctx->cipherCtx = PK11_CreateContextBySymKey(ctx->cipher, + (encrypt) ? CKA_ENCRYPT : CKA_DECRYPT, +- symKey, &ivItem); ++ ctx->symkey, secParam); + if(ctx->cipherCtx == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(cipherName), +- "PK11_CreateContextBySymKey", ++ "xmlSecBufferRemoveHead", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); +- PK11_FreeSymKey(symKey); +- PK11_FreeSlot(slot); ++ SECITEM_FreeItem( secParam , PR_TRUE ) ; ++ xmlSecBufferDestroy( ivBuf ) ; + return(-1); + } + +- ctx->ctxInitialized = 1; +- PK11_FreeSymKey(symKey); +- PK11_FreeSlot(slot); ++ SECITEM_FreeItem( secParam , PR_TRUE ) ; ++ xmlSecBufferDestroy( ivBuf ) ; + return(0); + } + ++/** ++ * Block cipher transform update ++ */ + static int + xmlSecNssBlockCipherCtxUpdate(xmlSecNssBlockCipherCtxPtr ctx, + xmlSecBufferPtr in, xmlSecBufferPtr out, +@@ -192,54 +433,49 @@ + const xmlChar* cipherName, + xmlSecTransformCtxPtr transformCtx) { + xmlSecSize inSize, inBlocks, outSize; +- int blockLen; ++ int blockSize; + int outLen = 0; + xmlSecByte* outBuf; +- SECStatus rv; +- int ret; + + xmlSecAssert2(ctx != NULL, -1); +- xmlSecAssert2(ctx->cipher != 0, -1); ++ xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ; ++ xmlSecAssert2( ctx->symkey != NULL , -1 ) ; + xmlSecAssert2(ctx->cipherCtx != NULL, -1); +- xmlSecAssert2(ctx->ctxInitialized != 0, -1); ++ xmlSecAssert2( ctx->keyId != NULL , -1 ) ; + xmlSecAssert2(in != NULL, -1); + xmlSecAssert2(out != NULL, -1); + xmlSecAssert2(transformCtx != NULL, -1); + +- blockLen = PK11_GetBlockSize(ctx->cipher, NULL); +- xmlSecAssert2(blockLen > 0, -1); ++ if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( cipherName ) , ++ "PK11_GetBlockSize" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return -1 ; ++ } + + inSize = xmlSecBufferGetSize(in); + outSize = xmlSecBufferGetSize(out); +- +- if(inSize < (xmlSecSize)blockLen) { +- return(0); ++ ++ inBlocks = ( encrypt != 0 ? inSize : ( inSize - 1 ) ) / blockSize ; ++ inSize = inBlocks * blockSize ; ++ ++ if( inSize < blockSize ) { ++ return 0 ; + } + +- if(encrypt) { +- inBlocks = inSize / ((xmlSecSize)blockLen); +- } else { +- /* we want to have the last block in the input buffer +- * for padding check */ +- inBlocks = (inSize - 1) / ((xmlSecSize)blockLen); +- } +- inSize = inBlocks * ((xmlSecSize)blockLen); +- +- /* we write out the input size plus may be one block */ +- ret = xmlSecBufferSetMaxSize(out, outSize + inSize + blockLen); +- if(ret < 0) { ++ if( xmlSecBufferSetMaxSize( out , outSize + inSize + blockSize ) < 0 ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(cipherName), + "xmlSecBufferSetMaxSize", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "size=%d", outSize + inSize + blockLen); ++ XMLSEC_ERRORS_R_CRYPTO_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + outBuf = xmlSecBufferGetData(out) + outSize; + +- rv = PK11_CipherOp(ctx->cipherCtx, outBuf, &outLen, inSize + blockLen, +- xmlSecBufferGetData(in), inSize); +- if(rv != SECSuccess) { ++ if(PK11_CipherOp( ctx->cipherCtx , outBuf , &outLen , inSize + blockSize , xmlSecBufferGetData( in ) , inSize ) != SECSuccess ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(cipherName), + "PK11_CipherOp", +@@ -247,27 +483,22 @@ + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } +- xmlSecAssert2((xmlSecSize)outLen == inSize, -1); + +- /* set correct output buffer size */ +- ret = xmlSecBufferSetSize(out, outSize + outLen); +- if(ret < 0) { ++ if( xmlSecBufferSetSize( out , outSize + outLen ) < 0 ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(cipherName), + "xmlSecBufferSetSize", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "size=%d", outSize + outLen); ++ XMLSEC_ERRORS_R_CRYPTO_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + +- /* remove the processed block from input */ +- ret = xmlSecBufferRemoveHead(in, inSize); +- if(ret < 0) { ++ if( xmlSecBufferRemoveHead( in , inSize ) < 0 ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(cipherName), + "xmlSecBufferRemoveHead", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "size=%d", inSize); ++ XMLSEC_ERRORS_R_CRYPTO_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + return(0); +@@ -281,81 +512,82 @@ + const xmlChar* cipherName, + xmlSecTransformCtxPtr transformCtx) { + xmlSecSize inSize, outSize; +- int blockLen, outLen = 0; ++ int blockSize, outLen = 0; + xmlSecByte* inBuf; + xmlSecByte* outBuf; +- SECStatus rv; +- int ret; + + xmlSecAssert2(ctx != NULL, -1); +- xmlSecAssert2(ctx->cipher != 0, -1); ++ xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ; ++ xmlSecAssert2( ctx->symkey != NULL , -1 ) ; + xmlSecAssert2(ctx->cipherCtx != NULL, -1); +- xmlSecAssert2(ctx->ctxInitialized != 0, -1); ++ xmlSecAssert2( ctx->keyId != NULL , -1 ) ; + xmlSecAssert2(in != NULL, -1); + xmlSecAssert2(out != NULL, -1); + xmlSecAssert2(transformCtx != NULL, -1); + +- blockLen = PK11_GetBlockSize(ctx->cipher, NULL); +- xmlSecAssert2(blockLen > 0, -1); ++ if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( cipherName ) , ++ "PK11_GetBlockSize" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return -1 ; ++ } + + inSize = xmlSecBufferGetSize(in); + outSize = xmlSecBufferGetSize(out); + ++ /******************************************************************/ + if(encrypt != 0) { +- xmlSecAssert2(inSize < (xmlSecSize)blockLen, -1); ++ xmlSecAssert2( inSize < blockSize, -1 ) ; + + /* create padding */ +- ret = xmlSecBufferSetMaxSize(in, blockLen); +- if(ret < 0) { ++ if( xmlSecBufferSetMaxSize( in , blockSize ) < 0 ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(cipherName), + "xmlSecBufferSetMaxSize", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "size=%d", blockLen); ++ XMLSEC_ERRORS_R_CRYPTO_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + inBuf = xmlSecBufferGetData(in); + +- /* generate random padding */ +- if((xmlSecSize)blockLen > (inSize + 1)) { +- rv = PK11_GenerateRandom(inBuf + inSize, blockLen - inSize - 1); +- if(rv != SECSuccess) { ++ /* generate random */ ++ if( blockSize > ( inSize + 1 ) ) { ++ if( PK11_GenerateRandom( inBuf + inSize, blockSize - inSize - 1 ) != SECSuccess ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(cipherName), + "PK11_GenerateRandom", + XMLSEC_ERRORS_R_CRYPTO_FAILED, +- "size=%d", blockLen - inSize - 1); ++ XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + } +- inBuf[blockLen - 1] = blockLen - inSize; +- inSize = blockLen; ++ inBuf[blockSize-1] = blockSize - inSize ; ++ inSize = blockSize ; + } else { +- if(inSize != (xmlSecSize)blockLen) { ++ if( inSize != blockSize ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(cipherName), + NULL, +- XMLSEC_ERRORS_R_INVALID_DATA, +- "data=%d;block=%d", inSize, blockLen); ++ XMLSEC_ERRORS_R_CRYPTO_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + } + +- /* process last block */ +- ret = xmlSecBufferSetMaxSize(out, outSize + 2 * blockLen); +- if(ret < 0) { ++ /* process the last block */ ++ if( xmlSecBufferSetMaxSize( out , outSize + inSize + blockSize ) < 0 ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(cipherName), + "xmlSecBufferSetMaxSize", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "size=%d", outSize + 2 * blockLen); ++ XMLSEC_ERRORS_R_CRYPTO_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + outBuf = xmlSecBufferGetData(out) + outSize; + +- rv = PK11_CipherOp(ctx->cipherCtx, outBuf, &outLen, 2 * blockLen, +- xmlSecBufferGetData(in), inSize); +- if(rv != SECSuccess) { ++ if( PK11_CipherOp( ctx->cipherCtx , outBuf , &outLen , inSize + blockSize , xmlSecBufferGetData( in ) , inSize ) != SECSuccess ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(cipherName), + "PK11_CipherOp", +@@ -363,300 +595,169 @@ + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } +- xmlSecAssert2((xmlSecSize)outLen == inSize, -1); + + if(encrypt == 0) { + /* check padding */ +- if(outLen < outBuf[blockLen - 1]) { ++ if( outLen < outBuf[blockSize-1] ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(cipherName), + NULL, +- XMLSEC_ERRORS_R_INVALID_DATA, +- "padding=%d;buffer=%d", +- outBuf[blockLen - 1], outLen); ++ XMLSEC_ERRORS_R_CRYPTO_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } +- outLen -= outBuf[blockLen - 1]; ++ outLen -= outBuf[blockSize-1] ; + } + +- /* set correct output buffer size */ +- ret = xmlSecBufferSetSize(out, outSize + outLen); +- if(ret < 0) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- xmlSecErrorsSafeString(cipherName), +- "xmlSecBufferSetSize", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "size=%d", outSize + outLen); +- return(-1); +- } ++ /******************************************************************/ + +- /* remove the processed block from input */ +- ret = xmlSecBufferRemoveHead(in, inSize); +- if(ret < 0) { ++ /****************************************************************** ++ if( xmlSecBufferSetMaxSize( out , outSize + blockSize ) < 0 ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(cipherName), +- "xmlSecBufferRemoveHead", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "size=%d", inSize); +- return(-1); +- } +- +- return(0); +-} +- +- +-/****************************************************************************** +- * +- * EVP Block Cipher transforms +- * +- * xmlSecNssBlockCipherCtx block is located after xmlSecTransform structure +- * +- *****************************************************************************/ +-#define xmlSecNssBlockCipherSize \ +- (sizeof(xmlSecTransform) + sizeof(xmlSecNssBlockCipherCtx)) +-#define xmlSecNssBlockCipherGetCtx(transform) \ +- ((xmlSecNssBlockCipherCtxPtr)(((xmlSecByte*)(transform)) + sizeof(xmlSecTransform))) +- +-static int xmlSecNssBlockCipherInitialize (xmlSecTransformPtr transform); +-static void xmlSecNssBlockCipherFinalize (xmlSecTransformPtr transform); +-static int xmlSecNssBlockCipherSetKeyReq (xmlSecTransformPtr transform, +- xmlSecKeyReqPtr keyReq); +-static int xmlSecNssBlockCipherSetKey (xmlSecTransformPtr transform, +- xmlSecKeyPtr key); +-static int xmlSecNssBlockCipherExecute (xmlSecTransformPtr transform, +- int last, +- xmlSecTransformCtxPtr transformCtx); +-static int xmlSecNssBlockCipherCheckId (xmlSecTransformPtr transform); +- +- +- +-static int +-xmlSecNssBlockCipherCheckId(xmlSecTransformPtr transform) { +-#ifndef XMLSEC_NO_DES +- if(xmlSecTransformCheckId(transform, xmlSecNssTransformDes3CbcId)) { +- return(1); +- } +-#endif /* XMLSEC_NO_DES */ +- +-#ifndef XMLSEC_NO_AES +- if(xmlSecTransformCheckId(transform, xmlSecNssTransformAes128CbcId) || +- xmlSecTransformCheckId(transform, xmlSecNssTransformAes192CbcId) || +- xmlSecTransformCheckId(transform, xmlSecNssTransformAes256CbcId)) { +- +- return(1); +- } +-#endif /* XMLSEC_NO_AES */ +- +- return(0); +-} +- +-static int +-xmlSecNssBlockCipherInitialize(xmlSecTransformPtr transform) { +- xmlSecNssBlockCipherCtxPtr ctx; +- +- xmlSecAssert2(xmlSecNssBlockCipherCheckId(transform), -1); +- xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssBlockCipherSize), -1); +- +- ctx = xmlSecNssBlockCipherGetCtx(transform); +- xmlSecAssert2(ctx != NULL, -1); +- +- memset(ctx, 0, sizeof(xmlSecNssBlockCipherCtx)); +- +-#ifndef XMLSEC_NO_DES +- if(transform->id == xmlSecNssTransformDes3CbcId) { +- ctx->cipher = CKM_DES3_CBC; +- ctx->keyId = xmlSecNssKeyDataDesId; +- ctx->keySize = 24; +- } else +-#endif /* XMLSEC_NO_DES */ +- +-#ifndef XMLSEC_NO_AES +- if(transform->id == xmlSecNssTransformAes128CbcId) { +- ctx->cipher = CKM_AES_CBC; +- ctx->keyId = xmlSecNssKeyDataAesId; +- ctx->keySize = 16; +- } else if(transform->id == xmlSecNssTransformAes192CbcId) { +- ctx->cipher = CKM_AES_CBC; +- ctx->keyId = xmlSecNssKeyDataAesId; +- ctx->keySize = 24; +- } else if(transform->id == xmlSecNssTransformAes256CbcId) { +- ctx->cipher = CKM_AES_CBC; +- ctx->keyId = xmlSecNssKeyDataAesId; +- ctx->keySize = 32; +- } else +-#endif /* XMLSEC_NO_AES */ +- +- if(1) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), +- NULL, +- XMLSEC_ERRORS_R_INVALID_TRANSFORM, ++ "xmlSecBufferSetMaxSize", ++ XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); +- } +- +- return(0); +-} +- +-static void +-xmlSecNssBlockCipherFinalize(xmlSecTransformPtr transform) { +- xmlSecNssBlockCipherCtxPtr ctx; +- +- xmlSecAssert(xmlSecNssBlockCipherCheckId(transform)); +- xmlSecAssert(xmlSecTransformCheckSize(transform, xmlSecNssBlockCipherSize)); +- +- ctx = xmlSecNssBlockCipherGetCtx(transform); +- xmlSecAssert(ctx != NULL); +- +- if(ctx->cipherCtx != NULL) { +- PK11_DestroyContext(ctx->cipherCtx, PR_TRUE); + } +- +- memset(ctx, 0, sizeof(xmlSecNssBlockCipherCtx)); +-} + +-static int +-xmlSecNssBlockCipherSetKeyReq(xmlSecTransformPtr transform, xmlSecKeyReqPtr keyReq) { +- xmlSecNssBlockCipherCtxPtr ctx; +- +- xmlSecAssert2(xmlSecNssBlockCipherCheckId(transform), -1); +- xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1); +- xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssBlockCipherSize), -1); +- xmlSecAssert2(keyReq != NULL, -1); +- +- ctx = xmlSecNssBlockCipherGetCtx(transform); +- xmlSecAssert2(ctx != NULL, -1); +- xmlSecAssert2(ctx->keyId != NULL, -1); ++ outBuf = xmlSecBufferGetData( out ) + outSize ; ++ if( PK11_DigestFinal( ctx->cipherCtx , outBuf , &outLen , blockSize ) != SECSuccess ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( cipherName ) , ++ "PK11_DigestFinal" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return -1 ; ++ } ++ ******************************************************************/ ++ ++ if( xmlSecBufferSetSize( out , outSize + outLen ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( cipherName ) , ++ "xmlSecBufferSetSize" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return -1 ; ++ } ++ ++ if( xmlSecBufferRemoveHead( in , inSize ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( cipherName ) , ++ "xmlSecBufferRemoveHead" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return -1 ; ++ } ++ ++/* PK11_Finalize( ctx->cipherCtx ) ;*/ ++ PK11_DestroyContext(ctx->cipherCtx, PR_TRUE); ++ ctx->cipherCtx = NULL ; + +- keyReq->keyId = ctx->keyId; +- keyReq->keyType = xmlSecKeyDataTypeSymmetric; +- if(transform->operation == xmlSecTransformOperationEncrypt) { +- keyReq->keyUsage = xmlSecKeyUsageEncrypt; +- } else { +- keyReq->keyUsage = xmlSecKeyUsageDecrypt; +- } +- keyReq->keyBitsSize = 8 * ctx->keySize; + return(0); + } + +-static int +-xmlSecNssBlockCipherSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) { +- xmlSecNssBlockCipherCtxPtr ctx; +- xmlSecBufferPtr buffer; ++/** ++ * xmlSecTransformExecuteMethod: ++ * @transform: the pointer to transform object. ++ * @last: the flag: if set to 1 then it's the last data chunk. ++ * @transformCtx: the pointer to transform context object. ++ * ++ * Transform specific method to process a chunk of data. ++ * ++ * Returns 0 on success or a negative value otherwise. ++ */ ++xmlSecNssBlockCipherExecute( ++ xmlSecTransformPtr transform , ++ int last , ++ xmlSecTransformCtxPtr transformCtx ++) { ++ xmlSecNssBlockCipherCtxPtr context = NULL ; ++ xmlSecBufferPtr inBuf = NULL ; ++ xmlSecBufferPtr outBuf = NULL ; ++ const xmlChar* cipherName ; ++ int operation ; ++ int rtv ; + + xmlSecAssert2(xmlSecNssBlockCipherCheckId(transform), -1); +- xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1); + xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssBlockCipherSize), -1); +- xmlSecAssert2(key != NULL, -1); +- +- ctx = xmlSecNssBlockCipherGetCtx(transform); +- xmlSecAssert2(ctx != NULL, -1); +- xmlSecAssert2(ctx->cipher != 0, -1); +- xmlSecAssert2(ctx->keyInitialized == 0, -1); +- xmlSecAssert2(ctx->keyId != NULL, -1); +- xmlSecAssert2(xmlSecKeyCheckId(key, ctx->keyId), -1); +- +- xmlSecAssert2(ctx->keySize > 0, -1); +- xmlSecAssert2(ctx->keySize <= sizeof(ctx->key), -1); + +- buffer = xmlSecKeyDataBinaryValueGetBuffer(xmlSecKeyGetValue(key)); +- xmlSecAssert2(buffer != NULL, -1); ++ xmlSecAssert2( ( transform->operation == xmlSecTransformOperationEncrypt ) || ( transform->operation == xmlSecTransformOperationDecrypt ), -1 ) ; ++ xmlSecAssert2( transformCtx != NULL , -1 ) ; + +- if(xmlSecBufferGetSize(buffer) < ctx->keySize) { ++ context = xmlSecNssBlockCipherGetCtx( transform ) ; ++ if( context == NULL ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), +- NULL, +- XMLSEC_ERRORS_R_INVALID_KEY_DATA_SIZE, +- "keySize=%d;expected=%d", +- xmlSecBufferGetSize(buffer), ctx->keySize); +- return(-1); ++ "xmlSecNssBlockCipherGetCtx" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; + } +- +- xmlSecAssert2(xmlSecBufferGetData(buffer) != NULL, -1); +- memcpy(ctx->key, xmlSecBufferGetData(buffer), ctx->keySize); +- +- ctx->keyInitialized = 1; +- return(0); +-} +- +-static int +-xmlSecNssBlockCipherExecute(xmlSecTransformPtr transform, int last, xmlSecTransformCtxPtr transformCtx) { +- xmlSecNssBlockCipherCtxPtr ctx; +- xmlSecBufferPtr in, out; +- int ret; +- +- xmlSecAssert2(xmlSecNssBlockCipherCheckId(transform), -1); +- xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1); +- xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssBlockCipherSize), -1); +- xmlSecAssert2(transformCtx != NULL, -1); + +- in = &(transform->inBuf); +- out = &(transform->outBuf); +- +- ctx = xmlSecNssBlockCipherGetCtx(transform); +- xmlSecAssert2(ctx != NULL, -1); ++ inBuf = &( transform->inBuf ) ; ++ outBuf = &( transform->outBuf ) ; + + if(transform->status == xmlSecTransformStatusNone) { + transform->status = xmlSecTransformStatusWorking; + } + ++ operation = ( transform->operation == xmlSecTransformOperationEncrypt ) ? 1 : 0 ; ++ cipherName = xmlSecTransformGetName( transform ) ; ++ + if(transform->status == xmlSecTransformStatusWorking) { +- if(ctx->ctxInitialized == 0) { +- ret = xmlSecNssBlockCipherCtxInit(ctx, in, out, +- (transform->operation == xmlSecTransformOperationEncrypt) ? 1 : 0, +- xmlSecTransformGetName(transform), transformCtx); +- if(ret < 0) { ++ if( context->cipherCtx == NULL ) { ++ rtv = xmlSecNssBlockCipherCtxInit( context, inBuf , outBuf , operation , cipherName , transformCtx ) ; ++ if( rtv < 0 ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "xmlSecNssBlockCipherCtxInit", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_R_INVALID_STATUS, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + } +- if((ctx->ctxInitialized == 0) && (last != 0)) { ++ if( context->cipherCtx == NULL && last != 0 ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + NULL, +- XMLSEC_ERRORS_R_INVALID_DATA, ++ XMLSEC_ERRORS_R_INVALID_STATUS, + "not enough data to initialize transform"); + return(-1); + } + +- if(ctx->ctxInitialized != 0) { +- ret = xmlSecNssBlockCipherCtxUpdate(ctx, in, out, +- (transform->operation == xmlSecTransformOperationEncrypt) ? 1 : 0, +- xmlSecTransformGetName(transform), transformCtx); +- if(ret < 0) { ++ if( context->cipherCtx != NULL ) { ++ rtv = xmlSecNssBlockCipherCtxUpdate( context, inBuf , outBuf , operation , cipherName , transformCtx ) ; ++ if( rtv < 0 ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "xmlSecNssBlockCipherCtxUpdate", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_R_INVALID_STATUS, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + } + + if(last) { +- ret = xmlSecNssBlockCipherCtxFinal(ctx, in, out, +- (transform->operation == xmlSecTransformOperationEncrypt) ? 1 : 0, +- xmlSecTransformGetName(transform), transformCtx); +- if(ret < 0) { ++ rtv = xmlSecNssBlockCipherCtxFinal( context, inBuf , outBuf , operation , cipherName , transformCtx ) ; ++ if( rtv < 0 ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "xmlSecNssBlockCipherCtxFinal", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_R_INVALID_STATUS, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + transform->status = xmlSecTransformStatusFinished; + } + } else if(transform->status == xmlSecTransformStatusFinished) { +- /* the only way we can get here is if there is no input */ +- xmlSecAssert2(xmlSecBufferGetSize(in) == 0, -1); +- } else if(transform->status == xmlSecTransformStatusNone) { +- /* the only way we can get here is if there is no enough data in the input */ +- xmlSecAssert2(last == 0, -1); ++ if( xmlSecBufferGetSize( inBuf ) != 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , ++ NULL , ++ XMLSEC_ERRORS_R_INVALID_STATUS , ++ "status=%d", transform->status ) ; ++ return -1 ; ++ } + } else { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), |