/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 */

#include <pthread.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <sys/types.h>
#include <security/cryptoki.h>
#include <cryptoutil.h>
#include "softGlobal.h"
#include "softSession.h"
#include "softObject.h"
#include "softDSA.h"
#include "softOps.h"
#include "softMAC.h"
#include "softCrypt.h"

/*
 * Allocate a DSA context for the active sign or verify operation.
 * This function is called without the session lock held.
 */
CK_RV
soft_dsa_sign_verify_init_common(soft_session_t *session_p,
    CK_MECHANISM_PTR pMechanism, soft_object_t *key_p,
    boolean_t sign)
{

	soft_dsa_ctx_t *dsa_ctx;
	CK_MECHANISM digest_mech;
	soft_object_t *tmp_key = NULL;
	CK_RV rv;

	if (sign) {
		if ((key_p->class != CKO_PRIVATE_KEY) ||
		    (key_p->key_type != CKK_DSA))
			return (CKR_KEY_TYPE_INCONSISTENT);
	} else {
		if ((key_p->class != CKO_PUBLIC_KEY) ||
		    (key_p->key_type != CKK_DSA))
			return (CKR_KEY_TYPE_INCONSISTENT);
	}

	if (pMechanism->mechanism == CKM_DSA_SHA1) {
		digest_mech.mechanism = CKM_SHA_1;
		rv = soft_digest_init_internal(session_p, &digest_mech);
		if (rv != CKR_OK)
			return (rv);
	}

	dsa_ctx = malloc(sizeof (soft_dsa_ctx_t));

	if (dsa_ctx == NULL) {
		return (CKR_HOST_MEMORY);
	}

	/*
	 * Make a copy of the signature or verification key, and save it
	 * in the DSA crypto context since it will be used later for
	 * signing/verification. We don't want to hold any object reference
	 * on this original key while doing signing/verification.
	 */
	(void) pthread_mutex_lock(&key_p->object_mutex);
	rv = soft_copy_object(key_p, &tmp_key, SOFT_COPY_OBJ_ORIG_SH,
	    NULL);

	if ((rv != CKR_OK) || (tmp_key == NULL)) {
		/* Most likely we ran out of space. */
		(void) pthread_mutex_unlock(&key_p->object_mutex);
		free(dsa_ctx);
		return (rv);
	}

	/* No need to hold the lock on the old object. */
	(void) pthread_mutex_unlock(&key_p->object_mutex);
	dsa_ctx->key = tmp_key;

	(void) pthread_mutex_lock(&session_p->session_mutex);

	if (sign) {
		session_p->sign.context = dsa_ctx;
		session_p->sign.mech.mechanism = pMechanism->mechanism;
	} else {
		session_p->verify.context = dsa_ctx;
		session_p->verify.mech.mechanism = pMechanism->mechanism;
	}

	(void) pthread_mutex_unlock(&session_p->session_mutex);

	return (CKR_OK);
}


static CK_RV
local_dsa_sign(soft_object_t *key, CK_BYTE_PTR in, CK_ULONG inlen,
    CK_BYTE_PTR out)
{
	CK_RV rv;
	uchar_t q[MAX_KEY_ATTR_BUFLEN];
	uchar_t p[MAX_KEY_ATTR_BUFLEN];
	uchar_t g[MAX_KEY_ATTR_BUFLEN];
	uchar_t x[MAX_KEY_ATTR_BUFLEN];
	uint_t qlen = sizeof (q);
	uint_t plen = sizeof (p);
	uint_t glen = sizeof (g);
	uint_t xlen = sizeof (x);
	DSAbytekey k;

	rv = soft_get_private_value(key, CKA_PRIME, p, &plen);
	if (rv != CKR_OK) {
		goto clean1;
	}

	rv = soft_get_private_value(key, CKA_SUBPRIME, q, &qlen);
	if (rv != CKR_OK) {
		goto clean1;
	}

	rv = soft_get_private_value(key, CKA_BASE, g, &glen);
	if (rv != CKR_OK) {
		goto clean1;
	}

	rv = soft_get_private_value(key, CKA_VALUE, x, &xlen);
	if (rv != CKR_OK) {
		goto clean1;
	}

	k.prime = p;
	k.prime_bits = CRYPTO_BYTES2BITS(plen);
	k.subprime = q;
	k.subprime_bits = CRYPTO_BYTES2BITS(qlen);
	k.base = g;
	k.base_bytes = glen;
	k.private_x_bits = CRYPTO_BYTES2BITS(xlen);
	k.private_x = x;
	k.rfunc = NULL;

	rv = dsa_sign(&k, in, inlen, out);

clean1:
	return (rv);
}

static CK_RV
local_dsa_verify(soft_object_t *key, CK_BYTE_PTR data, CK_BYTE_PTR sig)
{
	CK_RV rv;
	uchar_t g[MAX_KEY_ATTR_BUFLEN];
	uchar_t y[MAX_KEY_ATTR_BUFLEN];
	uchar_t p[MAX_KEY_ATTR_BUFLEN];
	uchar_t q[MAX_KEY_ATTR_BUFLEN];
	uint_t glen = sizeof (g);
	uint_t ylen = sizeof (y);
	uint_t plen = sizeof (p);
	uint_t qlen = sizeof (q);
	DSAbytekey k;

	rv = soft_get_public_value(key, CKA_PRIME, p, &plen);
	if (rv != CKR_OK) {
		goto clean1;
	}

	rv = soft_get_public_value(key, CKA_SUBPRIME, q, &qlen);
	if (rv != CKR_OK) {
		goto clean1;
	}

	rv = soft_get_public_value(key, CKA_BASE, g, &glen);
	if (rv != CKR_OK) {
		goto clean1;
	}

	rv = soft_get_public_value(key, CKA_VALUE, y, &ylen);
	if (rv != CKR_OK) {
		goto clean1;
	}

	k.prime = p;
	k.prime_bits = CRYPTO_BYTES2BITS(plen);
	k.subprime = q;
	k.subprime_bits = CRYPTO_BYTES2BITS(qlen);
	k.base = g;
	k.base_bytes = glen;
	k.public_y_bits = CRYPTO_BYTES2BITS(ylen);
	k.public_y = y;
	k.rfunc = NULL;

	rv = dsa_verify(&k, data, sig);

clean1:
	return (rv);
}


CK_RV
soft_dsa_digest_sign_common(soft_session_t *session_p, CK_BYTE_PTR pData,
    CK_ULONG ulDataLen, CK_BYTE_PTR pSigned,
    CK_ULONG_PTR pulSignedLen, boolean_t Final)
{

	CK_RV rv = CKR_OK;
	CK_BYTE hash[SHA1_HASH_SIZE];  /* space enough for SHA1 and MD5 */
	CK_ULONG hash_len = SHA1_HASH_SIZE;
	soft_dsa_ctx_t *dsa_ctx = session_p->sign.context;
	soft_object_t *key = dsa_ctx->key;

	/* Check arguments before performing message digest. */
	if (pSigned == NULL) {
		/* Application asks for the length of the output buffer. */
		*pulSignedLen = DSA_SIGNATURE_LENGTH;
		goto clean1;
	}

	/* Is the application-supplied buffer large enough? */
	if (*pulSignedLen < DSA_SIGNATURE_LENGTH) {
		*pulSignedLen = DSA_SIGNATURE_LENGTH;
		rv = CKR_BUFFER_TOO_SMALL;
		goto clean1;
	}

	if (Final) {
		rv = soft_digest_final(session_p, hash, &hash_len);
	} else {
		rv = soft_digest(session_p, pData, ulDataLen, hash, &hash_len);
	}

	if (rv != CKR_OK) {
		/* free the signature key */
		soft_cleanup_object(key);
		free(key);
		goto clean_exit;
	}

	/*
	 * Now, we are ready to sign the data
	 * soft_dsa_sign() will free the signature key.
	 */
	rv = soft_dsa_sign(session_p, hash, hash_len, pSigned, pulSignedLen);

clean_exit:
	(void) pthread_mutex_lock(&session_p->session_mutex);
	/* soft_digest_common() has freed the digest context */
	session_p->digest.flags = 0;
	(void) pthread_mutex_unlock(&session_p->session_mutex);

clean1:
	return (rv);
}


CK_RV
soft_dsa_sign(soft_session_t *session_p, CK_BYTE_PTR pData,
    CK_ULONG ulDataLen, CK_BYTE_PTR pSigned,
    CK_ULONG_PTR pulSignedLen)
{

	CK_RV rv = CKR_OK;
	soft_dsa_ctx_t *dsa_ctx = session_p->sign.context;
	soft_object_t *key = dsa_ctx->key;

	if ((key->class != CKO_PRIVATE_KEY) || (key->key_type != CKK_DSA)) {
		rv = CKR_KEY_TYPE_INCONSISTENT;
		goto clean_exit;
	}

	/* Output length is always 40 bytes. */
	if (pSigned == NULL) {
		/* Application asks for the length of the output buffer. */
		*pulSignedLen = DSA_SIGNATURE_LENGTH;
		return (CKR_OK);
	}

	/* Input data length needs to be 20 bytes. */
	if (ulDataLen != DSA_SUBPRIME_BYTES) {
		rv = CKR_DATA_LEN_RANGE;
		goto clean_exit;
	}

	if (*pulSignedLen < DSA_SIGNATURE_LENGTH) {
		*pulSignedLen = DSA_SIGNATURE_LENGTH;
		return (CKR_BUFFER_TOO_SMALL);
	}

	rv = local_dsa_sign(key, pData, ulDataLen, pSigned);
	if (rv == CKR_OK) {
		*pulSignedLen = DSA_SIGNATURE_LENGTH;
	}

clean_exit:
	(void) pthread_mutex_lock(&session_p->session_mutex);
	free(session_p->sign.context);
	session_p->sign.context = NULL;
	(void) pthread_mutex_unlock(&session_p->session_mutex);
	soft_cleanup_object(key);
	free(key);
	return (rv);
}


CK_RV
soft_dsa_verify(soft_session_t *session_p, CK_BYTE_PTR pData,
    CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
    CK_ULONG ulSignatureLen)
{

	CK_RV rv = CKR_OK;
	soft_dsa_ctx_t *dsa_ctx = session_p->verify.context;
	soft_object_t *key = dsa_ctx->key;

	if ((key->class != CKO_PUBLIC_KEY) ||(key->key_type != CKK_DSA)) {
		rv = CKR_KEY_TYPE_INCONSISTENT;
		goto clean_exit;
	}

	/* Input data length needs to be 20 bytes. */
	if (ulDataLen != DSA_SUBPRIME_BYTES) {
		rv = CKR_DATA_LEN_RANGE;
		goto clean_exit;
	}

	/* The signature length is always 40 bytes. */
	if (ulSignatureLen != DSA_SIGNATURE_LENGTH) {
		rv = CKR_SIGNATURE_LEN_RANGE;
		goto clean_exit;
	}

	rv = local_dsa_verify(key, pData, pSignature);

clean_exit:
	(void) pthread_mutex_lock(&session_p->session_mutex);
	free(session_p->verify.context);
	session_p->verify.context = NULL;
	(void) pthread_mutex_unlock(&session_p->session_mutex);
	soft_cleanup_object(key);
	free(key);
	return (rv);
}


CK_RV
soft_dsa_digest_verify_common(soft_session_t *session_p, CK_BYTE_PTR pData,
    CK_ULONG ulDataLen, CK_BYTE_PTR pSigned,
    CK_ULONG ulSignedLen, boolean_t Final)
{

	CK_RV rv;
	CK_BYTE hash[SHA1_HASH_SIZE];  /* space enough for SHA1 and MD5 */
	CK_ULONG hash_len = SHA1_HASH_SIZE;
	soft_dsa_ctx_t *dsa_ctx = session_p->verify.context;
	soft_object_t *key = dsa_ctx->key;

	if (Final) {
		rv = soft_digest_final(session_p, hash, &hash_len);
	} else {
		rv = soft_digest(session_p, pData, ulDataLen, hash, &hash_len);
	}

	if (rv != CKR_OK) {
		/* free the verification key */
		soft_cleanup_object(key);
		free(key);
		goto clean_exit;
	}

	/*
	 * Now, we are ready to verify the data using signature.
	 * soft_dsa_verify() will free the verification key.
	 */
	rv = soft_dsa_verify(session_p, hash, hash_len,
	    pSigned, ulSignedLen);

clean_exit:
	(void) pthread_mutex_lock(&session_p->session_mutex);
	/* soft_digest_common() has freed the digest context */
	session_p->digest.flags = 0;
	(void) pthread_mutex_unlock(&session_p->session_mutex);
	return (rv);
}


static CK_RV
soft_genDSAkey_set_attribute(soft_object_t *key, CK_ATTRIBUTE_TYPE type,
    uchar_t *value, uint32_t value_len, boolean_t public)
{

	CK_RV rv = CKR_OK;
	biginteger_t *dst = NULL;
	biginteger_t src;

	switch (type) {

	case CKA_VALUE:
		if (public)
			dst = OBJ_PUB_DSA_VALUE(key);
		else
			dst = OBJ_PRI_DSA_VALUE(key);
		break;

	case CKA_PRIME:
		if (public)
			dst = OBJ_PUB_DSA_PRIME(key);
		else
			dst = OBJ_PRI_DSA_PRIME(key);
		break;

	case CKA_SUBPRIME:
		if (public)
			dst = OBJ_PUB_DSA_SUBPRIME(key);
		else
			dst = OBJ_PRI_DSA_SUBPRIME(key);
		break;

	case CKA_BASE:
		if (public)
			dst = OBJ_PUB_DSA_BASE(key);
		else
			dst = OBJ_PRI_DSA_BASE(key);
		break;
	}

	/* Note: removal of preceding 0x00 imitates similar code in RSA */
	while (value[0] == 0) {		/* remove preceding 0x00 */
		value++;
		value_len--;
	}

	if ((rv = dup_bigint_attr(&src, value, value_len)) != CKR_OK)
		goto cleanexit;

	/* Copy the attribute in the key object. */
	copy_bigint_attr(&src, dst);

cleanexit:
	/* No need to free big_value because dst holds it now after copy. */
	return (rv);

}


CK_RV
soft_dsa_genkey_pair(soft_object_t *pubkey, soft_object_t *prikey)
{
	CK_RV rv;
	uchar_t prime[MAX_KEY_ATTR_BUFLEN];
	uint32_t prime_len = sizeof (prime);
	uchar_t	subprime[MAX_KEY_ATTR_BUFLEN];
	uint32_t subprime_len = sizeof (subprime);
	uchar_t	base[MAX_KEY_ATTR_BUFLEN];
	uint32_t base_len = sizeof (base);
	uchar_t	pubvalue[MAX_KEY_ATTR_BUFLEN];
	uint32_t pubvalue_len = sizeof (pubvalue);
	uchar_t	privalue[DSA_SUBPRIME_BYTES];
	uint32_t privalue_len = sizeof (privalue);
	DSAbytekey k;

	if ((pubkey == NULL) || (prikey == NULL)) {
		return (CKR_ARGUMENTS_BAD);
	}

	/* lookup prime, subprime and base */
	rv = soft_get_public_value(pubkey, CKA_PRIME, prime, &prime_len);
	if (rv != CKR_OK) {
		rv = CKR_TEMPLATE_INCOMPLETE;
		goto cleanexit;
	}

	rv = soft_get_public_value(pubkey, CKA_SUBPRIME, subprime,
	    &subprime_len);
	if (rv != CKR_OK) {
		rv = CKR_TEMPLATE_INCOMPLETE;
		goto cleanexit;
	}

	rv = soft_get_public_value(pubkey, CKA_BASE, base, &base_len);
	if (rv != CKR_OK) {
		rv = CKR_TEMPLATE_INCOMPLETE;
		goto cleanexit;
	}

	/* Inputs to DSA key pair generation. */
	k.prime = prime;
	k.prime_bits = CRYPTO_BYTES2BITS(prime_len);
	k.subprime = subprime;
	k.subprime_bits = CRYPTO_BYTES2BITS(subprime_len);
	k.base = base;
	k.base_bytes = base_len;
	k.rfunc = (IS_TOKEN_OBJECT(pubkey) || IS_TOKEN_OBJECT(prikey)) ?
	    pkcs11_get_random : pkcs11_get_urandom;

	/* Outputs from DSA key pair generation. */
	k.public_y = pubvalue;
	k.public_y_bits = CRYPTO_BYTES2BITS(pubvalue_len);
	k.private_x = privalue;
	k.private_x_bits = CRYPTO_BYTES2BITS(privalue_len);

	rv = dsa_genkey_pair(&k);

	if (rv != CKR_OK) {
		goto cleanexit;
	}

	/* Update attribute in public key. */
	if ((rv = soft_genDSAkey_set_attribute(pubkey, CKA_VALUE,
	    pubvalue, CRYPTO_BITS2BYTES(k.public_y_bits), B_TRUE)) != CKR_OK) {
		goto cleanexit;
	}
	/* Update attributes in private key. */
	if ((rv = soft_genDSAkey_set_attribute(prikey, CKA_PRIME,
	    prime, CRYPTO_BITS2BYTES(k.prime_bits), B_FALSE)) != CKR_OK) {
		goto cleanexit;
	}

	if ((rv = soft_genDSAkey_set_attribute(prikey, CKA_SUBPRIME, subprime,
	    CRYPTO_BITS2BYTES(k.subprime_bits), B_FALSE)) != CKR_OK) {
		goto cleanexit;
	}

	if ((rv = soft_genDSAkey_set_attribute(prikey, CKA_BASE,
	    base, k.base_bytes, B_FALSE)) != CKR_OK) {
		goto cleanexit;
	}

	if ((rv = soft_genDSAkey_set_attribute(prikey, CKA_VALUE, privalue,
	    CRYPTO_BITS2BYTES(k.private_x_bits), B_FALSE)) != CKR_OK) {
		goto cleanexit;
	}

cleanexit:
	return (rv);
}