--- misc/xmlsec1-1.2.14/src/nss/ciphers.c	2009-09-10 05:16:27.000000000 -0400
+++ misc/build/xmlsec1-1.2.14/src/nss/ciphers.c	2009-09-10 06:59:39.000000000 -0400
@@ -11,180 +11,421 @@
 
 #include <string.h>
 
-#include <nspr.h>
 #include <nss.h>
-#include <secoid.h>
 #include <pk11func.h>
 
 #include <xmlsec/xmlsec.h>
+#include <xmlsec/xmltree.h>
+#include <xmlsec/base64.h>
 #include <xmlsec/keys.h>
 #include <xmlsec/transforms.h>
 #include <xmlsec/errors.h>
 
 #include <xmlsec/nss/crypto.h>
-
-#define XMLSEC_NSS_MAX_KEY_SIZE		32
-#define XMLSEC_NSS_MAX_IV_SIZE		32
-#define XMLSEC_NSS_MAX_BLOCK_SIZE	32
+#include <xmlsec/nss/ciphers.h>
 
 /**************************************************************************
  *
- * Internal Nss Block cipher CTX
+ * Internal Nss Block Cipher Context
+ * This context is designed for repositing a block cipher for transform
  *
  *****************************************************************************/
-typedef struct _xmlSecNssBlockCipherCtx		xmlSecNssBlockCipherCtx,
-							*xmlSecNssBlockCipherCtxPtr;
+typedef struct _xmlSecNssBlockCipherCtx                xmlSecNssBlockCipherCtx ;
+typedef struct _xmlSecNssBlockCipherCtx*       xmlSecNssBlockCipherCtxPtr ;
+
 struct _xmlSecNssBlockCipherCtx {
     CK_MECHANISM_TYPE	cipher;
+    PK11SymKey*         symkey ;
     PK11Context*	cipherCtx;
     xmlSecKeyDataId	keyId;
-    int			keyInitialized;
-    int			ctxInitialized;
-    xmlSecByte		key[XMLSEC_NSS_MAX_KEY_SIZE];
-    xmlSecSize		keySize;
-    xmlSecByte		iv[XMLSEC_NSS_MAX_IV_SIZE];
-    xmlSecSize		ivSize;
 };
-static int 	xmlSecNssBlockCipherCtxInit		(xmlSecNssBlockCipherCtxPtr ctx,
-							 xmlSecBufferPtr in,
-							 xmlSecBufferPtr out,
-							 int encrypt,
-							 const xmlChar* cipherName,
-							 xmlSecTransformCtxPtr transformCtx);
-static int 	xmlSecNssBlockCipherCtxUpdate	(xmlSecNssBlockCipherCtxPtr ctx,
-							 xmlSecBufferPtr in,
-							 xmlSecBufferPtr out,
-							 int encrypt,
-							 const xmlChar* cipherName,
-							 xmlSecTransformCtxPtr transformCtx);
-static int 	xmlSecNssBlockCipherCtxFinal		(xmlSecNssBlockCipherCtxPtr ctx,
-							 xmlSecBufferPtr in,
-							 xmlSecBufferPtr out,
-							 int encrypt,
-							 const xmlChar* cipherName,
-							 xmlSecTransformCtxPtr transformCtx);
+
+#define xmlSecNssBlockCipherSize       \
+       ( sizeof( xmlSecTransform ) + sizeof( xmlSecNssBlockCipherCtx ) )
+
+#define xmlSecNssBlockCipherGetCtx( transform ) \
+       ( ( xmlSecNssBlockCipherCtxPtr )( ( ( xmlSecByte* )( transform ) ) + sizeof( xmlSecTransform ) ) )
+
+static int
+xmlSecNssBlockCipherCheckId(
+       xmlSecTransformPtr transform
+) {
+       #ifndef XMLSEC_NO_DES
+       if( xmlSecTransformCheckId( transform, xmlSecNssTransformDes3CbcId ) ) {
+               return 1 ;
+       }
+       #endif /* XMLSEC_NO_DES */
+
+       #ifndef XMLSEC_NO_AES
+       if( xmlSecTransformCheckId( transform, xmlSecNssTransformAes128CbcId ) ||
+               xmlSecTransformCheckId( transform, xmlSecNssTransformAes192CbcId ) ||
+               xmlSecTransformCheckId( transform, xmlSecNssTransformAes256CbcId ) ) {
+
+               return 1 ;
+    }
+       #endif /* XMLSEC_NO_AES */
+    
+    return 0 ;
+}
+
+static int
+xmlSecNssBlockCipherFetchCtx(
+       xmlSecNssBlockCipherCtxPtr              context ,
+       xmlSecTransformId                               id
+) {
+       xmlSecAssert2( context != NULL, -1 ) ;
+
+       #ifndef XMLSEC_NO_DES
+       if( id == xmlSecNssTransformDes3CbcId ) {
+               context->cipher = CKM_DES3_CBC ;
+               context->keyId = xmlSecNssKeyDataDesId ;
+       } else
+       #endif          /* XMLSEC_NO_DES */
+
+       #ifndef XMLSEC_NO_AES
+       if( id == xmlSecNssTransformAes128CbcId ) {
+               context->cipher = CKM_AES_CBC ;
+               context->keyId = xmlSecNssKeyDataAesId ;
+       } else
+       if( id == xmlSecNssTransformAes192CbcId ) {
+               context->cipher = CKM_AES_CBC ;
+               context->keyId = xmlSecNssKeyDataAesId ;
+       } else
+       if( id == xmlSecNssTransformAes256CbcId ) {
+               context->cipher = CKM_AES_CBC ;
+               context->keyId = xmlSecNssKeyDataAesId ;
+       } else
+       #endif          /* XMLSEC_NO_AES */
+
+       if( 1 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   NULL ,
+                   NULL ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+
+       return 0 ;
+}
+
+/**
+ * xmlSecTransformInitializeMethod:
+ * @transform:                 the pointer to transform object.
+ *
+ * The transform specific initialization method.
+ *
+ * Returns 0 on success or a negative value otherwise.
+ */
+static int
+xmlSecNssBlockCipherInitialize(
+       xmlSecTransformPtr transform
+) {
+       xmlSecNssBlockCipherCtxPtr context = NULL ;
+
+       xmlSecAssert2( xmlSecNssBlockCipherCheckId( transform ), -1 ) ;
+       xmlSecAssert2( xmlSecTransformCheckSize( transform, xmlSecNssBlockCipherSize ), -1 ) ;
+
+       context = xmlSecNssBlockCipherGetCtx( transform ) ;
+       if( context == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                   "xmlSecNssBlockCipherGetCtx" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+
+       if( xmlSecNssBlockCipherFetchCtx( context , transform->id ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                   "xmlSecNssBlockCipherFetchCtx" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+
+       context->symkey = NULL ;
+       context->cipherCtx = NULL ;
+
+       return 0 ;
+}
+
+/**
+ * xmlSecTransformFinalizeMethod:
+ * @transform:                 the pointer to transform object.
+ *
+ * The transform specific destroy method.
+ */
+static void 
+xmlSecNssBlockCipherFinalize(
+       xmlSecTransformPtr transform
+) {
+       xmlSecNssBlockCipherCtxPtr context = NULL ;
+
+       xmlSecAssert( xmlSecNssBlockCipherCheckId( transform ) ) ;
+       xmlSecAssert( xmlSecTransformCheckSize( transform, xmlSecNssBlockCipherSize ) ) ;
+
+       context = xmlSecNssBlockCipherGetCtx( transform ) ;
+       if( context == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                   "xmlSecNssBlockCipherGetCtx" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return ;    
+       }
+
+       if( context->cipherCtx != NULL ) {
+               PK11_DestroyContext( context->cipherCtx, PR_TRUE ) ;
+               context->cipherCtx = NULL ;
+       }
+
+       if( context->symkey != NULL ) {
+               PK11_FreeSymKey( context->symkey ) ;
+               context->symkey = NULL ;
+       }
+
+       context->cipher = CKM_INVALID_MECHANISM ;
+       context->keyId = NULL ;
+}
+
+/**
+ * xmlSecTransformSetKeyRequirementsMethod:
+ * @transform:                 the pointer to transform object.
+ * @keyReq:                            the pointer to key requirements structure.
+ *
+ * Transform specific method to set transform's key requirements.
+ * 
+ * Returns 0 on success or a negative value otherwise.
+ */
+static int  
+xmlSecNssBlockCipherSetKeyReq(
+       xmlSecTransformPtr transform ,
+       xmlSecKeyReqPtr keyReq
+) {
+       xmlSecNssBlockCipherCtxPtr context = NULL ;
+       xmlSecSize cipherSize = 0 ;
+
+       xmlSecAssert2( xmlSecNssBlockCipherCheckId( transform ), -1 ) ;
+       xmlSecAssert2( xmlSecTransformCheckSize( transform, xmlSecNssBlockCipherSize ), -1 ) ;
+       xmlSecAssert2( keyReq != NULL , -1 ) ;
+       xmlSecAssert2( ( transform->operation == xmlSecTransformOperationEncrypt ) || ( transform->operation == xmlSecTransformOperationDecrypt ), -1 ) ;
+
+       context = xmlSecNssBlockCipherGetCtx( transform ) ;
+       if( context == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                   "xmlSecNssBlockCipherGetCtx" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+
+       keyReq->keyId = context->keyId ;
+       keyReq->keyType = xmlSecKeyDataTypeSymmetric ;
+
+       if( transform->operation == xmlSecTransformOperationEncrypt ) {
+               keyReq->keyUsage = xmlSecKeyUsageEncrypt ;
+       } else {
+               keyReq->keyUsage = xmlSecKeyUsageDecrypt ;
+       }
+
+       /*
+       if( context->symkey != NULL )
+               cipherSize = PK11_GetKeyLength( context->symkey ) ; 
+
+       keyReq->keyBitsSize = cipherSize * 8 ;
+       */
+
+       return 0 ;
+}
+
+/**
+ * xmlSecTransformSetKeyMethod:
+ * @transform:                 the pointer to transform object.
+ * @key:                               the pointer to key.
+ *
+ * The transform specific method to set the key for use.
+ * 
+ * Returns 0 on success or a negative value otherwise.
+ */
+static int
+xmlSecNssBlockCipherSetKey(
+       xmlSecTransformPtr transform ,
+       xmlSecKeyPtr key
+) {
+       xmlSecNssBlockCipherCtxPtr context = NULL ;
+       xmlSecKeyDataPtr        keyData = NULL ;
+       PK11SymKey*                     symkey = NULL ;
+       CK_ATTRIBUTE_TYPE       operation ;
+       int                                     ivLen ;
+
+       xmlSecAssert2( xmlSecNssBlockCipherCheckId( transform ), -1 ) ;
+       xmlSecAssert2( xmlSecTransformCheckSize( transform, xmlSecNssBlockCipherSize ), -1 ) ;
+       xmlSecAssert2( key != NULL , -1 ) ;
+    xmlSecAssert2( ( transform->operation == xmlSecTransformOperationEncrypt ) || ( transform->operation == xmlSecTransformOperationDecrypt ), -1 ) ;
+
+       context = xmlSecNssBlockCipherGetCtx( transform ) ;
+       if( context == NULL || context->keyId == NULL || context->symkey != NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                   "xmlSecNssBlockCipherGetCtx" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+       xmlSecAssert2( xmlSecKeyCheckId( key, context->keyId ), -1 ) ;
+
+       keyData = xmlSecKeyGetValue( key ) ;
+       if( keyData == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecKeyGetName( key ) ) ,
+                   "xmlSecKeyGetValue" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+
+       if( ( symkey = xmlSecNssSymKeyDataGetKey( keyData ) ) == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecKeyDataGetName( keyData ) ) ,
+                   "xmlSecNssSymKeyDataGetKey" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+
+       context->symkey = symkey ;
+
+       return 0 ;
+}
+
 static int 
 xmlSecNssBlockCipherCtxInit(xmlSecNssBlockCipherCtxPtr ctx,
 				xmlSecBufferPtr in, xmlSecBufferPtr out,
 				int encrypt,
 				const xmlChar* cipherName,
 				xmlSecTransformCtxPtr transformCtx) {
-    SECItem keyItem;
     SECItem ivItem;
-    PK11SlotInfo* slot;
-    PK11SymKey* symKey;
+    SECItem* secParam = NULL ;
+    xmlSecBufferPtr ivBuf = NULL ;
     int ivLen;
-    SECStatus rv;
-    int ret;
 
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(ctx->cipher != 0, -1);
+    xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+    xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
     xmlSecAssert2(ctx->cipherCtx == NULL, -1);
-    xmlSecAssert2(ctx->keyInitialized != 0, -1);
-    xmlSecAssert2(ctx->ctxInitialized == 0, -1);
+    xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
     xmlSecAssert2(in != NULL, -1);
     xmlSecAssert2(out != NULL, -1);
     xmlSecAssert2(transformCtx != NULL, -1);
 
     ivLen = PK11_GetIVLength(ctx->cipher);
-    xmlSecAssert2(ivLen > 0, -1);
-    xmlSecAssert2((xmlSecSize)ivLen <= sizeof(ctx->iv), -1);
+    if( ivLen < 0 ) {
+            xmlSecError( XMLSEC_ERRORS_HERE ,
+                    NULL ,
+                    "PK11_GetIVLength" ,
+                    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                    XMLSEC_ERRORS_NO_MESSAGE ) ;
+            return -1 ;    
+    }
+
+    if( ( ivBuf = xmlSecBufferCreate( ivLen ) ) == NULL ) {
+            xmlSecError( XMLSEC_ERRORS_HERE ,
+                    NULL ,
+                    "xmlSecBufferCreate" ,
+                    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                    XMLSEC_ERRORS_NO_MESSAGE ) ;
+            return -1 ;    
+    }
     
     if(encrypt) {
-        /* generate random iv */
-        rv = PK11_GenerateRandom(ctx->iv, ivLen);
-	if(rv != SECSuccess) {
+	if( PK11_GenerateRandom( ivBuf->data , ivLen ) != SECSuccess ) {
 	    xmlSecError(XMLSEC_ERRORS_HERE,
 			xmlSecErrorsSafeString(cipherName),
 			"PK11_GenerateRandom",
 			XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			"size=%d", ivLen);
+			XMLSEC_ERRORS_NO_MESSAGE);
+	    xmlSecBufferDestroy( ivBuf ) ;
 	    return(-1);    
 	}
+        if( xmlSecBufferSetSize( ivBuf , ivLen ) < 0 ) {
+                xmlSecError( XMLSEC_ERRORS_HERE ,
+                        NULL ,
+                        "xmlSecBufferSetSize" ,
+                        XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                        XMLSEC_ERRORS_NO_MESSAGE ) ;
+                xmlSecBufferDestroy( ivBuf ) ;
+                return -1 ;  
+        }
 	
-	/* write iv to the output */
-	ret = xmlSecBufferAppend(out, ctx->iv, ivLen);
-	if(ret < 0) {
+	if( xmlSecBufferAppend( out , ivBuf->data , ivLen ) < 0 ) {
 	    xmlSecError(XMLSEC_ERRORS_HERE, 
 			xmlSecErrorsSafeString(cipherName),
 			"xmlSecBufferAppend",
-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			"size=%d", ivLen);
+			XMLSEC_ERRORS_R_CRYPTO_FAILED,
+			XMLSEC_ERRORS_NO_MESSAGE);
+	    xmlSecBufferDestroy( ivBuf ) ;
 	    return(-1);
 	}
 	
     } else {
-	/* if we don't have enough data, exit and hope that 
-	 * we'll have iv next time */
-	if(xmlSecBufferGetSize(in) < (xmlSecSize)ivLen) {
-	    return(0);
-	}
-	
-	/* copy iv to our buffer*/
-	xmlSecAssert2(xmlSecBufferGetData(in) != NULL, -1);
-	memcpy(ctx->iv, xmlSecBufferGetData(in), ivLen);
-	
-	/* and remove from input */
-	ret = xmlSecBufferRemoveHead(in, ivLen);
-	if(ret < 0) {
+	if( xmlSecBufferSetData( ivBuf , in->data , ivLen ) < 0 ) {
 	    xmlSecError(XMLSEC_ERRORS_HERE, 
 			xmlSecErrorsSafeString(cipherName),
-			"xmlSecBufferRemoveHead",
-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			"size=%d", ivLen);
+			"xmlSecBufferSetData",
+			XMLSEC_ERRORS_R_CRYPTO_FAILED,
+			XMLSEC_ERRORS_NO_MESSAGE);
+	    xmlSecBufferDestroy( ivBuf ) ;
 	    return(-1);
 	}
     }
 
-    memset(&keyItem, 0, sizeof(keyItem));
-    keyItem.data = ctx->key;
-    keyItem.len  = ctx->keySize; 
-    memset(&ivItem, 0, sizeof(ivItem));
-    ivItem.data = ctx->iv;
-    ivItem.len  = ctx->ivSize; 
-
-    slot = PK11_GetBestSlot(ctx->cipher, NULL);
-    if(slot == NULL) {
+    if( xmlSecBufferRemoveHead( in , ivLen ) < 0 ) {
 	xmlSecError(XMLSEC_ERRORS_HERE, 
 		    xmlSecErrorsSafeString(cipherName),
-		    "PK11_GetBestSlot",
+		    "xmlSecBufferRemoveHead",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
 		    XMLSEC_ERRORS_NO_MESSAGE);
+	xmlSecBufferDestroy( ivBuf ) ;
 	return(-1);
     }
 	
-    symKey = PK11_ImportSymKey(slot, ctx->cipher, PK11_OriginDerive, 
-			       CKA_SIGN, &keyItem, NULL);
-    if(symKey == NULL) {
+    ivItem.data = xmlSecBufferGetData( ivBuf ) ;
+    ivItem.len = xmlSecBufferGetSize( ivBuf ) ;
+    if( ( secParam = PK11_ParamFromIV( ctx->cipher , &ivItem ) ) == NULL ) {
 	xmlSecError(XMLSEC_ERRORS_HERE, 
 		    xmlSecErrorsSafeString(cipherName),
-		    "PK11_ImportSymKey",
+		    "PK11_ParamFromIV",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
 		    XMLSEC_ERRORS_NO_MESSAGE);
-        PK11_FreeSlot(slot);
+        xmlSecBufferDestroy( ivBuf ) ;
 	return(-1);
     }
 
     ctx->cipherCtx = PK11_CreateContextBySymKey(ctx->cipher, 
 			(encrypt) ? CKA_ENCRYPT : CKA_DECRYPT, 
-			symKey, &ivItem);
+			ctx->symkey, secParam);
     if(ctx->cipherCtx == NULL) {
 	xmlSecError(XMLSEC_ERRORS_HERE, 
 		    xmlSecErrorsSafeString(cipherName),
-		    "PK11_CreateContextBySymKey",
+		    "xmlSecBufferRemoveHead",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
 		    XMLSEC_ERRORS_NO_MESSAGE);
-	PK11_FreeSymKey(symKey);
-        PK11_FreeSlot(slot);
+	SECITEM_FreeItem( secParam , PR_TRUE ) ;
+        xmlSecBufferDestroy( ivBuf ) ;
 	return(-1);
     }
 
-    ctx->ctxInitialized = 1;
-    PK11_FreeSymKey(symKey);
-    PK11_FreeSlot(slot);
+    SECITEM_FreeItem( secParam , PR_TRUE ) ;
+    xmlSecBufferDestroy( ivBuf ) ;
     return(0);
 }
 
+/**
+ * Block cipher transform update
+ */
 static int 
 xmlSecNssBlockCipherCtxUpdate(xmlSecNssBlockCipherCtxPtr ctx,
 				  xmlSecBufferPtr in, xmlSecBufferPtr out,
@@ -192,54 +433,49 @@
 				  const xmlChar* cipherName,
 				  xmlSecTransformCtxPtr transformCtx) {
     xmlSecSize inSize, inBlocks, outSize;
-    int blockLen;
+    int blockSize;
     int outLen = 0;
     xmlSecByte* outBuf;
-    SECStatus rv;
-    int ret;
     
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(ctx->cipher != 0, -1);
+    xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+    xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
     xmlSecAssert2(ctx->cipherCtx != NULL, -1);
-    xmlSecAssert2(ctx->ctxInitialized != 0, -1);
+    xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
     xmlSecAssert2(in != NULL, -1);
     xmlSecAssert2(out != NULL, -1);
     xmlSecAssert2(transformCtx != NULL, -1);
 
-    blockLen = PK11_GetBlockSize(ctx->cipher, NULL);
-    xmlSecAssert2(blockLen > 0, -1);
+    if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString( cipherName ) ,
+            "PK11_GetBlockSize" ,
+            XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+        return -1 ;    
+    }
 
     inSize = xmlSecBufferGetSize(in);
     outSize = xmlSecBufferGetSize(out);
-    
-    if(inSize < (xmlSecSize)blockLen) {
-	return(0);
+   
+    inBlocks = ( encrypt != 0 ? inSize : ( inSize - 1 ) ) / blockSize ;
+    inSize = inBlocks * blockSize ;
+
+    if( inSize < blockSize ) {
+        return 0 ;
     }
 
-    if(encrypt) {
-        inBlocks = inSize / ((xmlSecSize)blockLen);
-    } else {
-	/* we want to have the last block in the input buffer 
-	 * for padding check */
-        inBlocks = (inSize - 1) / ((xmlSecSize)blockLen);
-    }
-    inSize = inBlocks * ((xmlSecSize)blockLen);
-
-    /* we write out the input size plus may be one block */
-    ret = xmlSecBufferSetMaxSize(out, outSize + inSize + blockLen);
-    if(ret < 0) {
+    if( xmlSecBufferSetMaxSize( out , outSize + inSize + blockSize ) < 0 ) {
 	xmlSecError(XMLSEC_ERRORS_HERE, 
 		    xmlSecErrorsSafeString(cipherName),
 		    "xmlSecBufferSetMaxSize",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "size=%d", outSize + inSize + blockLen);
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+		    XMLSEC_ERRORS_NO_MESSAGE);
 	return(-1);
     }
     outBuf = xmlSecBufferGetData(out) + outSize;
     
-    rv = PK11_CipherOp(ctx->cipherCtx, outBuf, &outLen, inSize + blockLen,
-			xmlSecBufferGetData(in), inSize);
-    if(rv != SECSuccess) {
+    if(PK11_CipherOp( ctx->cipherCtx , outBuf , &outLen , inSize + blockSize , xmlSecBufferGetData( in ) , inSize ) != SECSuccess ) {
 	xmlSecError(XMLSEC_ERRORS_HERE, 
 		    xmlSecErrorsSafeString(cipherName),
 		    "PK11_CipherOp",
@@ -247,27 +483,22 @@
 		    XMLSEC_ERRORS_NO_MESSAGE);
 	return(-1);
     }
-    xmlSecAssert2((xmlSecSize)outLen == inSize, -1);
     
-    /* set correct output buffer size */
-    ret = xmlSecBufferSetSize(out, outSize + outLen);
-    if(ret < 0) {
+    if( xmlSecBufferSetSize( out , outSize + outLen ) < 0 ) {
 	xmlSecError(XMLSEC_ERRORS_HERE, 
 		    xmlSecErrorsSafeString(cipherName),
 		    "xmlSecBufferSetSize",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "size=%d", outSize + outLen);
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+		    XMLSEC_ERRORS_NO_MESSAGE);
 	return(-1);
     }
         
-    /* remove the processed block from input */
-    ret = xmlSecBufferRemoveHead(in, inSize);
-    if(ret < 0) {
+    if( xmlSecBufferRemoveHead( in , inSize ) < 0 ) {
 	xmlSecError(XMLSEC_ERRORS_HERE, 
 		    xmlSecErrorsSafeString(cipherName),
 		    "xmlSecBufferRemoveHead",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "size=%d", inSize);
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+		    XMLSEC_ERRORS_NO_MESSAGE);
 	return(-1);
     }
     return(0);
@@ -281,81 +512,82 @@
 				 const xmlChar* cipherName,
 				 xmlSecTransformCtxPtr transformCtx) {
     xmlSecSize inSize, outSize;
-    int blockLen, outLen = 0;
+    int blockSize, outLen = 0;
     xmlSecByte* inBuf;
     xmlSecByte* outBuf;
-    SECStatus rv;
-    int ret;
     
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(ctx->cipher != 0, -1);
+    xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+    xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
     xmlSecAssert2(ctx->cipherCtx != NULL, -1);
-    xmlSecAssert2(ctx->ctxInitialized != 0, -1);
+    xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
     xmlSecAssert2(in != NULL, -1);
     xmlSecAssert2(out != NULL, -1);
     xmlSecAssert2(transformCtx != NULL, -1);
 
-    blockLen = PK11_GetBlockSize(ctx->cipher, NULL);
-    xmlSecAssert2(blockLen > 0, -1);
+    if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString( cipherName ) ,
+            "PK11_GetBlockSize" ,
+            XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+        return -1 ;    
+    }
 
     inSize = xmlSecBufferGetSize(in);
     outSize = xmlSecBufferGetSize(out);
 
+    /******************************************************************/
     if(encrypt != 0) {
-        xmlSecAssert2(inSize < (xmlSecSize)blockLen, -1);        
+        xmlSecAssert2( inSize < blockSize, -1 ) ;
     
 	/* create padding */
-        ret = xmlSecBufferSetMaxSize(in, blockLen);
-	if(ret < 0) {
+	if( xmlSecBufferSetMaxSize( in , blockSize ) < 0 ) {
 	    xmlSecError(XMLSEC_ERRORS_HERE, 
 			xmlSecErrorsSafeString(cipherName),
 			"xmlSecBufferSetMaxSize",
-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			"size=%d", blockLen);
+			XMLSEC_ERRORS_R_CRYPTO_FAILED,
+			XMLSEC_ERRORS_NO_MESSAGE);
 	    return(-1);
 	}
 	inBuf = xmlSecBufferGetData(in);
 
-        /* generate random padding */
-	if((xmlSecSize)blockLen > (inSize + 1)) {
-	    rv = PK11_GenerateRandom(inBuf + inSize, blockLen - inSize - 1);
-	    if(rv != SECSuccess) {
+        /* generate random */
+	if( blockSize > ( inSize + 1 ) ) {
+	    if( PK11_GenerateRandom( inBuf + inSize, blockSize - inSize - 1 ) != SECSuccess ) {
 		xmlSecError(XMLSEC_ERRORS_HERE,
 			    xmlSecErrorsSafeString(cipherName),
 			    "PK11_GenerateRandom",
 			    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			    "size=%d", blockLen - inSize - 1); 
+			    XMLSEC_ERRORS_NO_MESSAGE); 
 		return(-1);    
 	    }
 	}
-	inBuf[blockLen - 1] = blockLen - inSize;
-	inSize = blockLen;
+	inBuf[blockSize-1] = blockSize - inSize ;
+	inSize = blockSize ;
     } else {
-	if(inSize != (xmlSecSize)blockLen) {
+	if( inSize != blockSize ) {
 	    xmlSecError(XMLSEC_ERRORS_HERE, 
 			xmlSecErrorsSafeString(cipherName),
 			NULL,
-			XMLSEC_ERRORS_R_INVALID_DATA,
-			"data=%d;block=%d", inSize, blockLen);
+			XMLSEC_ERRORS_R_CRYPTO_FAILED,
+			XMLSEC_ERRORS_NO_MESSAGE);
 	    return(-1);
 	}
     }
     
-    /* process last block */
-    ret = xmlSecBufferSetMaxSize(out, outSize + 2 * blockLen);
-    if(ret < 0) {
+    /* process the last block */
+    if( xmlSecBufferSetMaxSize( out , outSize + inSize + blockSize ) < 0 ) {
 	xmlSecError(XMLSEC_ERRORS_HERE, 
 		    xmlSecErrorsSafeString(cipherName),
 		    "xmlSecBufferSetMaxSize",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "size=%d", outSize + 2 * blockLen);
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+		    XMLSEC_ERRORS_NO_MESSAGE);
 	return(-1);
     }
     outBuf = xmlSecBufferGetData(out) + outSize;
 
-    rv = PK11_CipherOp(ctx->cipherCtx, outBuf, &outLen, 2 * blockLen,
-			xmlSecBufferGetData(in), inSize);
-    if(rv != SECSuccess) {
+    if( PK11_CipherOp( ctx->cipherCtx , outBuf , &outLen , inSize + blockSize , xmlSecBufferGetData( in ) , inSize ) != SECSuccess ) {
 	xmlSecError(XMLSEC_ERRORS_HERE, 
 		    xmlSecErrorsSafeString(cipherName),
 		    "PK11_CipherOp",
@@ -363,300 +595,169 @@
 		    XMLSEC_ERRORS_NO_MESSAGE);
 	return(-1);
     }
-    xmlSecAssert2((xmlSecSize)outLen == inSize, -1);
     
     if(encrypt == 0) {
 	/* check padding */
-	if(outLen < outBuf[blockLen - 1]) {
+	if( outLen < outBuf[blockSize-1] ) {
 	    xmlSecError(XMLSEC_ERRORS_HERE,
 			xmlSecErrorsSafeString(cipherName),
 			NULL,
-			XMLSEC_ERRORS_R_INVALID_DATA,
-			"padding=%d;buffer=%d",
-			outBuf[blockLen - 1], outLen);
+			XMLSEC_ERRORS_R_CRYPTO_FAILED,
+			XMLSEC_ERRORS_NO_MESSAGE);
 	    return(-1);	
 	}
-	outLen -= outBuf[blockLen - 1];
+	outLen -= outBuf[blockSize-1] ;
     } 
 
-    /* set correct output buffer size */
-    ret = xmlSecBufferSetSize(out, outSize + outLen);
-    if(ret < 0) {
-	xmlSecError(XMLSEC_ERRORS_HERE, 
-		    xmlSecErrorsSafeString(cipherName),
-		    "xmlSecBufferSetSize",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "size=%d", outSize + outLen);
-	return(-1);
-    }
+    /******************************************************************/
 
-    /* remove the processed block from input */
-    ret = xmlSecBufferRemoveHead(in, inSize);
-    if(ret < 0) {
+    /******************************************************************
+    if( xmlSecBufferSetMaxSize( out , outSize + blockSize ) < 0 ) {
 	xmlSecError(XMLSEC_ERRORS_HERE, 
 		    xmlSecErrorsSafeString(cipherName),
-		    "xmlSecBufferRemoveHead",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "size=%d", inSize);
-	return(-1);
-    }
-
-    return(0);
-}
-
-
-/******************************************************************************
- *
- * EVP Block Cipher transforms
- *
- * xmlSecNssBlockCipherCtx block is located after xmlSecTransform structure
- * 
- *****************************************************************************/
-#define xmlSecNssBlockCipherSize	\
-    (sizeof(xmlSecTransform) + sizeof(xmlSecNssBlockCipherCtx))
-#define xmlSecNssBlockCipherGetCtx(transform) \
-    ((xmlSecNssBlockCipherCtxPtr)(((xmlSecByte*)(transform)) + sizeof(xmlSecTransform)))
-
-static int	xmlSecNssBlockCipherInitialize	(xmlSecTransformPtr transform);
-static void	xmlSecNssBlockCipherFinalize		(xmlSecTransformPtr transform);
-static int  	xmlSecNssBlockCipherSetKeyReq	(xmlSecTransformPtr transform, 
-							 xmlSecKeyReqPtr keyReq);
-static int	xmlSecNssBlockCipherSetKey		(xmlSecTransformPtr transform,
-							 xmlSecKeyPtr key);
-static int	xmlSecNssBlockCipherExecute		(xmlSecTransformPtr transform,
-							 int last,
-							 xmlSecTransformCtxPtr transformCtx);
-static int	xmlSecNssBlockCipherCheckId		(xmlSecTransformPtr transform);
-							 
-
-
-static int
-xmlSecNssBlockCipherCheckId(xmlSecTransformPtr transform) {
-#ifndef XMLSEC_NO_DES
-    if(xmlSecTransformCheckId(transform, xmlSecNssTransformDes3CbcId)) {
-	return(1);
-    }
-#endif /* XMLSEC_NO_DES */
-
-#ifndef XMLSEC_NO_AES
-    if(xmlSecTransformCheckId(transform, xmlSecNssTransformAes128CbcId) ||
-       xmlSecTransformCheckId(transform, xmlSecNssTransformAes192CbcId) ||
-       xmlSecTransformCheckId(transform, xmlSecNssTransformAes256CbcId)) {
-       
-       return(1);
-    }
-#endif /* XMLSEC_NO_AES */
-    
-    return(0);
-}
-
-static int 
-xmlSecNssBlockCipherInitialize(xmlSecTransformPtr transform) {
-    xmlSecNssBlockCipherCtxPtr ctx;
-    
-    xmlSecAssert2(xmlSecNssBlockCipherCheckId(transform), -1);
-    xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssBlockCipherSize), -1);
-
-    ctx = xmlSecNssBlockCipherGetCtx(transform);
-    xmlSecAssert2(ctx != NULL, -1);
-    
-    memset(ctx, 0, sizeof(xmlSecNssBlockCipherCtx));
-
-#ifndef XMLSEC_NO_DES
-    if(transform->id == xmlSecNssTransformDes3CbcId) {
-	ctx->cipher 	= CKM_DES3_CBC;
-	ctx->keyId 	= xmlSecNssKeyDataDesId;
-	ctx->keySize	= 24;
-    } else 
-#endif /* XMLSEC_NO_DES */
-
-#ifndef XMLSEC_NO_AES
-    if(transform->id == xmlSecNssTransformAes128CbcId) {
-	ctx->cipher 	= CKM_AES_CBC;	
-	ctx->keyId 	= xmlSecNssKeyDataAesId;
-	ctx->keySize	= 16;
-    } else if(transform->id == xmlSecNssTransformAes192CbcId) {
-	ctx->cipher 	= CKM_AES_CBC;	
-	ctx->keyId 	= xmlSecNssKeyDataAesId;
-	ctx->keySize	= 24;
-    } else if(transform->id == xmlSecNssTransformAes256CbcId) {
-	ctx->cipher 	= CKM_AES_CBC;	
-	ctx->keyId 	= xmlSecNssKeyDataAesId;
-	ctx->keySize	= 32;
-    } else 
-#endif /* XMLSEC_NO_AES */
-
-    if(1) {
-	xmlSecError(XMLSEC_ERRORS_HERE, 
-		    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
-		    NULL,
-		    XMLSEC_ERRORS_R_INVALID_TRANSFORM,
+		    "xmlSecBufferSetMaxSize",
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
 		    XMLSEC_ERRORS_NO_MESSAGE);
 	return(-1);
-    }        
-    
-    return(0);
-}
-
-static void 
-xmlSecNssBlockCipherFinalize(xmlSecTransformPtr transform) {
-    xmlSecNssBlockCipherCtxPtr ctx;
-
-    xmlSecAssert(xmlSecNssBlockCipherCheckId(transform));
-    xmlSecAssert(xmlSecTransformCheckSize(transform, xmlSecNssBlockCipherSize));
-
-    ctx = xmlSecNssBlockCipherGetCtx(transform);
-    xmlSecAssert(ctx != NULL);
-
-    if(ctx->cipherCtx != NULL) {
-        PK11_DestroyContext(ctx->cipherCtx, PR_TRUE);
     }
-    
-    memset(ctx, 0, sizeof(xmlSecNssBlockCipherCtx));
-}
 
-static int  
-xmlSecNssBlockCipherSetKeyReq(xmlSecTransformPtr transform,  xmlSecKeyReqPtr keyReq) {
-    xmlSecNssBlockCipherCtxPtr ctx;
-
-    xmlSecAssert2(xmlSecNssBlockCipherCheckId(transform), -1);
-    xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1);
-    xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssBlockCipherSize), -1);
-    xmlSecAssert2(keyReq != NULL, -1);
-
-    ctx = xmlSecNssBlockCipherGetCtx(transform);
-    xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(ctx->keyId != NULL, -1);
+    outBuf = xmlSecBufferGetData( out ) + outSize ;
+    if( PK11_DigestFinal( ctx->cipherCtx , outBuf , &outLen , blockSize ) != SECSuccess ) {
+            xmlSecError( XMLSEC_ERRORS_HERE ,
+                    xmlSecErrorsSafeString( cipherName ) ,
+                    "PK11_DigestFinal" ,
+                    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                    XMLSEC_ERRORS_NO_MESSAGE ) ;
+            return -1 ;    
+    }
+    ******************************************************************/
+
+    if( xmlSecBufferSetSize( out , outSize + outLen ) < 0 ) {
+            xmlSecError( XMLSEC_ERRORS_HERE ,
+                    xmlSecErrorsSafeString( cipherName ) ,
+                    "xmlSecBufferSetSize" ,
+                    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                    XMLSEC_ERRORS_NO_MESSAGE ) ;
+            return -1 ;    
+    }
+
+    if( xmlSecBufferRemoveHead( in , inSize ) < 0 ) {
+            xmlSecError( XMLSEC_ERRORS_HERE ,
+                    xmlSecErrorsSafeString( cipherName ) ,
+                    "xmlSecBufferRemoveHead" ,
+                    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                    XMLSEC_ERRORS_NO_MESSAGE ) ;
+            return -1 ;    
+    }
+
+/*    PK11_Finalize( ctx->cipherCtx ) ;*/
+    PK11_DestroyContext(ctx->cipherCtx, PR_TRUE);
+    ctx->cipherCtx = NULL ;
 
-    keyReq->keyId 	= ctx->keyId;
-    keyReq->keyType 	= xmlSecKeyDataTypeSymmetric;
-    if(transform->operation == xmlSecTransformOperationEncrypt) {
-	keyReq->keyUsage = xmlSecKeyUsageEncrypt;
-    } else {
-	keyReq->keyUsage = xmlSecKeyUsageDecrypt;
-    }
-    keyReq->keyBitsSize = 8 * ctx->keySize;
     return(0);
 }
 
-static int
-xmlSecNssBlockCipherSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) {
-    xmlSecNssBlockCipherCtxPtr ctx;
-    xmlSecBufferPtr buffer;
+/**
+ * xmlSecTransformExecuteMethod:
+ * @transform:                 the pointer to transform object.
+ * @last:                      the flag: if set to 1 then it's the last data chunk.
+ * @transformCtx:              the pointer to transform context object.
+ *
+ * Transform specific method to process a chunk of data.
+ *
+ * Returns 0 on success or a negative value otherwise.
+ */
+xmlSecNssBlockCipherExecute(
+    xmlSecTransformPtr transform ,
+    int last ,
+    xmlSecTransformCtxPtr transformCtx
+) {
+    xmlSecNssBlockCipherCtxPtr context = NULL ;
+    xmlSecBufferPtr inBuf = NULL ;
+    xmlSecBufferPtr outBuf = NULL ;
+    const xmlChar* cipherName ;
+    int operation ;
+    int rtv ;
     
     xmlSecAssert2(xmlSecNssBlockCipherCheckId(transform), -1);
-    xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1);
     xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssBlockCipherSize), -1);
-    xmlSecAssert2(key != NULL, -1);
-
-    ctx = xmlSecNssBlockCipherGetCtx(transform);
-    xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(ctx->cipher != 0, -1);
-    xmlSecAssert2(ctx->keyInitialized == 0, -1);
-    xmlSecAssert2(ctx->keyId != NULL, -1);
-    xmlSecAssert2(xmlSecKeyCheckId(key, ctx->keyId), -1);
-
-    xmlSecAssert2(ctx->keySize > 0, -1);
-    xmlSecAssert2(ctx->keySize <= sizeof(ctx->key), -1);
 
-    buffer = xmlSecKeyDataBinaryValueGetBuffer(xmlSecKeyGetValue(key));
-    xmlSecAssert2(buffer != NULL, -1);
+    xmlSecAssert2( ( transform->operation == xmlSecTransformOperationEncrypt ) || ( transform->operation == xmlSecTransformOperationDecrypt ), -1 ) ;
+    xmlSecAssert2( transformCtx != NULL , -1 ) ;
 
-    if(xmlSecBufferGetSize(buffer) < ctx->keySize) {
+    context = xmlSecNssBlockCipherGetCtx( transform ) ;
+    if( context == NULL ) {
 	xmlSecError(XMLSEC_ERRORS_HERE,
 		    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
-		    NULL,
-		    XMLSEC_ERRORS_R_INVALID_KEY_DATA_SIZE,
-		    "keySize=%d;expected=%d",
-		    xmlSecBufferGetSize(buffer), ctx->keySize);
-	return(-1);
+                    "xmlSecNssBlockCipherGetCtx" ,
+                    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                    XMLSEC_ERRORS_NO_MESSAGE ) ;
     }
-    
-    xmlSecAssert2(xmlSecBufferGetData(buffer) != NULL, -1);
-    memcpy(ctx->key, xmlSecBufferGetData(buffer), ctx->keySize);
-    
-    ctx->keyInitialized = 1;
-    return(0);
-}
-
-static int 
-xmlSecNssBlockCipherExecute(xmlSecTransformPtr transform, int last, xmlSecTransformCtxPtr transformCtx) {
-    xmlSecNssBlockCipherCtxPtr ctx;
-    xmlSecBufferPtr in, out;
-    int ret;
-    
-    xmlSecAssert2(xmlSecNssBlockCipherCheckId(transform), -1);
-    xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1);
-    xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssBlockCipherSize), -1);
-    xmlSecAssert2(transformCtx != NULL, -1);
 
-    in = &(transform->inBuf);
-    out = &(transform->outBuf);
-
-    ctx = xmlSecNssBlockCipherGetCtx(transform);
-    xmlSecAssert2(ctx != NULL, -1);
+    inBuf = &( transform->inBuf ) ;
+    outBuf = &( transform->outBuf ) ;
 
     if(transform->status == xmlSecTransformStatusNone) {
 	transform->status = xmlSecTransformStatusWorking;
     }
 
+    operation = ( transform->operation == xmlSecTransformOperationEncrypt ) ? 1 : 0 ;
+    cipherName = xmlSecTransformGetName( transform ) ;
+
     if(transform->status == xmlSecTransformStatusWorking) {
-	if(ctx->ctxInitialized == 0) {
-	    ret = xmlSecNssBlockCipherCtxInit(ctx, in, out, 
-			(transform->operation == xmlSecTransformOperationEncrypt) ? 1 : 0,
-			xmlSecTransformGetName(transform), transformCtx);
-	    if(ret < 0) {
+	if( context->cipherCtx == NULL ) {
+	    rtv = xmlSecNssBlockCipherCtxInit( context, inBuf , outBuf , operation , cipherName , transformCtx ) ;
+	    if( rtv < 0 ) {
 		xmlSecError(XMLSEC_ERRORS_HERE, 
 			    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
 			    "xmlSecNssBlockCipherCtxInit",
-			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
+			    XMLSEC_ERRORS_R_INVALID_STATUS,
 			    XMLSEC_ERRORS_NO_MESSAGE);
 		return(-1);
 	    }
 	}
-	if((ctx->ctxInitialized == 0) && (last != 0)) {
+	if( context->cipherCtx == NULL && last != 0 ) {
 	    xmlSecError(XMLSEC_ERRORS_HERE, 
 			xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
 			NULL,
-			XMLSEC_ERRORS_R_INVALID_DATA,
+			XMLSEC_ERRORS_R_INVALID_STATUS,
 			"not enough data to initialize transform");
 	    return(-1);
 	}
 
-	if(ctx->ctxInitialized != 0) {
-	    ret = xmlSecNssBlockCipherCtxUpdate(ctx, in, out, 
-			(transform->operation == xmlSecTransformOperationEncrypt) ? 1 : 0,
-			xmlSecTransformGetName(transform), transformCtx);
-	    if(ret < 0) {
+	if( context->cipherCtx != NULL ) {
+	    rtv = xmlSecNssBlockCipherCtxUpdate( context, inBuf , outBuf , operation , cipherName , transformCtx ) ;
+	    if( rtv < 0 ) {
 		xmlSecError(XMLSEC_ERRORS_HERE, 
 			    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
 			    "xmlSecNssBlockCipherCtxUpdate",
-			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
+			    XMLSEC_ERRORS_R_INVALID_STATUS,
 			    XMLSEC_ERRORS_NO_MESSAGE);
 		return(-1);
 	    }
 	}
 	
 	if(last) {
-	    ret = xmlSecNssBlockCipherCtxFinal(ctx, in, out, 
-			(transform->operation == xmlSecTransformOperationEncrypt) ? 1 : 0,
-			xmlSecTransformGetName(transform), transformCtx);
-	    if(ret < 0) {
+	    rtv = xmlSecNssBlockCipherCtxFinal( context, inBuf , outBuf , operation , cipherName , transformCtx ) ;
+	    if( rtv < 0 ) {
 		xmlSecError(XMLSEC_ERRORS_HERE, 
 			    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
 			    "xmlSecNssBlockCipherCtxFinal",
-			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
+			    XMLSEC_ERRORS_R_INVALID_STATUS,
 			    XMLSEC_ERRORS_NO_MESSAGE);
 		return(-1);
 	    }
 	    transform->status = xmlSecTransformStatusFinished;
 	} 
     } else if(transform->status == xmlSecTransformStatusFinished) {
-	/* the only way we can get here is if there is no input */
-	xmlSecAssert2(xmlSecBufferGetSize(in) == 0, -1);
-    } else if(transform->status == xmlSecTransformStatusNone) {
-	/* the only way we can get here is if there is no enough data in the input */
-	xmlSecAssert2(last == 0, -1);
+        if( xmlSecBufferGetSize( inBuf ) != 0 ) {
+            xmlSecError( XMLSEC_ERRORS_HERE , 
+                    xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                    NULL ,
+                    XMLSEC_ERRORS_R_INVALID_STATUS ,
+                    "status=%d", transform->status ) ;
+            return -1 ;
+        }
     } else {
 	xmlSecError(XMLSEC_ERRORS_HERE, 
 		    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),