xref: /illumos-gate/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeysUtil.c (revision 6cb54de2051534cc59e36ddc42abe1960e47c133)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  *
25  * Copyright 2020 Joyent, Inc.
26  */
27 
28 #include <pthread.h>
29 #include <stdlib.h>
30 #include <string.h>
31 #include <strings.h>
32 #include <sys/types.h>
33 #include <security/cryptoki.h>
34 #include <sys/crypto/common.h>
35 #include <aes_impl.h>
36 #include <blowfish_impl.h>
37 #include <des_impl.h>
38 #include <arcfour.h>
39 #include <cryptoutil.h>
40 #include "softGlobal.h"
41 #include "softSession.h"
42 #include "softObject.h"
43 #include "softDSA.h"
44 #include "softRSA.h"
45 #include "softDH.h"
46 #include "softEC.h"
47 #include "softMAC.h"
48 #include "softOps.h"
49 #include "softKeys.h"
50 #include "softKeystore.h"
51 #include "softSSL.h"
52 #include "softASN1.h"
53 
54 
55 #define	local_min(a, b)	((a) < (b) ? (a) : (b))
56 
57 static CK_RV
58 soft_pkcs12_pbe(soft_session_t *, CK_MECHANISM_PTR, soft_object_t *);
59 
60 /*
61  * Create a temporary key object struct by filling up its template attributes.
62  */
63 CK_RV
soft_gen_keyobject(CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount,soft_object_t ** objp,soft_session_t * sp,CK_OBJECT_CLASS class,CK_KEY_TYPE key_type,CK_ULONG keylen,CK_ULONG mode,boolean_t internal)64 soft_gen_keyobject(CK_ATTRIBUTE_PTR pTemplate,  CK_ULONG ulCount,
65     soft_object_t **objp, soft_session_t *sp,
66     CK_OBJECT_CLASS class, CK_KEY_TYPE key_type, CK_ULONG keylen, CK_ULONG mode,
67     boolean_t internal)
68 {
69 	CK_RV rv;
70 	soft_object_t *new_objp = NULL;
71 
72 	new_objp = calloc(1, sizeof (soft_object_t));
73 	if (new_objp == NULL) {
74 		return (CKR_HOST_MEMORY);
75 	}
76 
77 	new_objp->extra_attrlistp = NULL;
78 
79 	/*
80 	 * Validate attribute template and fill in the attributes
81 	 * in the soft_object_t.
82 	 */
83 	rv = soft_build_key(pTemplate, ulCount, new_objp, class, key_type,
84 	    keylen, mode);
85 	if (rv != CKR_OK) {
86 		goto fail_cleanup1;
87 	}
88 
89 	/*
90 	 * If generating a key is an internal request (i.e. not a C_XXX
91 	 * API request), then skip the following checks.
92 	 */
93 	if (!internal) {
94 		rv = soft_pin_expired_check(new_objp);
95 		if (rv != CKR_OK) {
96 			goto fail_cleanup2;
97 		}
98 
99 		rv = soft_object_write_access_check(sp, new_objp);
100 		if (rv != CKR_OK) {
101 			goto fail_cleanup2;
102 		}
103 	}
104 
105 	/* Initialize the rest of stuffs in soft_object_t. */
106 	(void) pthread_mutex_init(&new_objp->object_mutex, NULL);
107 	new_objp->magic_marker = SOFTTOKEN_OBJECT_MAGIC;
108 
109 	/* Write the new token object to the keystore */
110 	if (IS_TOKEN_OBJECT(new_objp)) {
111 		new_objp->version = 1;
112 		new_objp->session_handle = CK_INVALID_HANDLE;
113 		soft_add_token_object_to_slot(new_objp);
114 
115 		set_objecthandle(new_objp);
116 		*objp = new_objp;
117 
118 		return (CKR_OK);
119 	}
120 
121 	new_objp->session_handle = sp->handle;
122 
123 	/* Add the new object to the session's object list. */
124 	soft_add_object_to_session(new_objp, sp);
125 
126 	set_objecthandle(new_objp);
127 	*objp = new_objp;
128 
129 	return (CKR_OK);
130 
131 fail_cleanup2:
132 	/*
133 	 * When any error occurs after soft_build_key(), we will need to
134 	 * clean up the memory allocated by the soft_build_key().
135 	 */
136 	soft_cleanup_object(new_objp);
137 
138 fail_cleanup1:
139 	if (new_objp) {
140 		/*
141 		 * The storage allocated inside of this object should have
142 		 * been cleaned up by the soft_build_key() if it failed.
143 		 * Therefore, we can safely free the object.
144 		 */
145 		free(new_objp);
146 	}
147 
148 	return (rv);
149 }
150 
151 CK_RV
soft_genkey(soft_session_t * session_p,CK_MECHANISM_PTR pMechanism,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount,CK_OBJECT_HANDLE_PTR phKey)152 soft_genkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
153     CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey)
154 {
155 
156 	CK_RV rv = CKR_OK;
157 	soft_object_t *secret_key;
158 	CK_KEY_TYPE key_type;
159 	CK_ULONG keylen = 0;
160 	CK_ULONG i;
161 	int des_strength = 0;
162 	int retry = 0;
163 	int keyfound = 0;
164 	boolean_t is_ssl_mech = B_FALSE;
165 
166 	switch (pMechanism->mechanism) {
167 	case CKM_DES_KEY_GEN:
168 		key_type = CKK_DES;
169 		break;
170 
171 	case CKM_DES2_KEY_GEN:
172 		key_type = CKK_DES2;
173 		break;
174 
175 	case CKM_DES3_KEY_GEN:
176 		key_type = CKK_DES3;
177 		break;
178 
179 	case CKM_AES_KEY_GEN:
180 		key_type = CKK_AES;
181 		break;
182 
183 	case CKM_BLOWFISH_KEY_GEN:
184 		key_type = CKK_BLOWFISH;
185 		break;
186 
187 	case CKM_RC4_KEY_GEN:
188 		key_type = CKK_RC4;
189 		break;
190 
191 	case CKM_SSL3_PRE_MASTER_KEY_GEN:
192 	case CKM_TLS_PRE_MASTER_KEY_GEN:
193 		if (pMechanism->pParameter == NULL ||
194 		    pMechanism->ulParameterLen != sizeof (CK_VERSION))
195 			return (CKR_TEMPLATE_INCOMPLETE);
196 		is_ssl_mech = B_TRUE;
197 		key_type = CKK_GENERIC_SECRET;
198 		keylen = 48;
199 		break;
200 
201 	case CKM_PKCS5_PBKD2:
202 		keyfound = 0;
203 		for (i = 0; i < ulCount && !keyfound; i++) {
204 			if (pTemplate[i].type == CKA_KEY_TYPE &&
205 			    pTemplate[i].pValue != NULL) {
206 				key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue);
207 				keyfound = 1;
208 			}
209 		}
210 		if (!keyfound)
211 			return (CKR_TEMPLATE_INCOMPLETE);
212 		/*
213 		 * Make sure that parameters were given for this
214 		 * mechanism.
215 		 */
216 		if (pMechanism->pParameter == NULL ||
217 		    pMechanism->ulParameterLen !=
218 		    sizeof (CK_PKCS5_PBKD2_PARAMS))
219 			return (CKR_TEMPLATE_INCOMPLETE);
220 		break;
221 
222 	case CKM_PBE_SHA1_RC4_128:
223 		keyfound = 0;
224 		for (i = 0; i < ulCount; i++) {
225 			if (pTemplate[i].type == CKA_KEY_TYPE &&
226 			    pTemplate[i].pValue != NULL) {
227 				key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue);
228 				keyfound = 1;
229 			}
230 			if (pTemplate[i].type == CKA_VALUE_LEN &&
231 			    pTemplate[i].pValue != NULL) {
232 				keylen = *((CK_ULONG*)pTemplate[i].pValue);
233 			}
234 		}
235 		/* If a keytype was specified, it had better be CKK_RC4 */
236 		if (keyfound && key_type != CKK_RC4)
237 			return (CKR_TEMPLATE_INCONSISTENT);
238 		else if (!keyfound)
239 			key_type = CKK_RC4;
240 
241 		/* If key length was specified, it better be 16 bytes */
242 		if (keylen != 0 && keylen != 16)
243 			return (CKR_TEMPLATE_INCONSISTENT);
244 
245 		/*
246 		 * Make sure that parameters were given for this
247 		 * mechanism.
248 		 */
249 		if (pMechanism->pParameter == NULL ||
250 		    pMechanism->ulParameterLen !=
251 		    sizeof (CK_PBE_PARAMS))
252 			return (CKR_TEMPLATE_INCOMPLETE);
253 		break;
254 	default:
255 		return (CKR_MECHANISM_INVALID);
256 	}
257 
258 	/* Create a new object for secret key. */
259 	rv = soft_gen_keyobject(pTemplate, ulCount, &secret_key, session_p,
260 	    CKO_SECRET_KEY, key_type, keylen, SOFT_GEN_KEY, B_FALSE);
261 
262 	if (rv != CKR_OK) {
263 		return (rv);
264 	}
265 
266 	switch (pMechanism->mechanism) {
267 	case CKM_DES_KEY_GEN:
268 		/*
269 		 * Set up key value len since it is not a required
270 		 * attribute for C_GenerateKey.
271 		 */
272 		keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
273 		des_strength = DES;
274 		break;
275 
276 	case CKM_DES2_KEY_GEN:
277 		/*
278 		 * Set up key value len since it is not a required
279 		 * attribute for C_GenerateKey.
280 		 */
281 		keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES2_KEYSIZE;
282 		des_strength = DES2;
283 		break;
284 
285 	case CKM_DES3_KEY_GEN:
286 		/*
287 		 * Set up key value len since it is not a required
288 		 * attribute for C_GenerateKey.
289 		 */
290 		keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE;
291 		des_strength = DES3;
292 		break;
293 
294 	case CKM_SSL3_PRE_MASTER_KEY_GEN:
295 	case CKM_TLS_PRE_MASTER_KEY_GEN:
296 		secret_key->bool_attr_mask |= DERIVE_BOOL_ON;
297 	/* FALLTHRU */
298 
299 	case CKM_AES_KEY_GEN:
300 	case CKM_BLOWFISH_KEY_GEN:
301 	case CKM_PBE_SHA1_RC4_128:
302 	case CKM_RC4_KEY_GEN:
303 		keylen = OBJ_SEC_VALUE_LEN(secret_key);
304 		break;
305 
306 	case CKM_PKCS5_PBKD2:
307 		/*
308 		 * PKCS#11 does not allow one to specify key
309 		 * sizes for DES and 3DES, so we must set it here
310 		 * when using PBKD2 algorithms.
311 		 */
312 		if (key_type == CKK_DES) {
313 			OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
314 			des_strength = DES;
315 		} else if (key_type == CKK_DES3) {
316 			OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE;
317 			des_strength = DES3;
318 		}
319 
320 		keylen = OBJ_SEC_VALUE_LEN(secret_key);
321 		break;
322 	}
323 
324 	if ((OBJ_SEC_VALUE(secret_key) = malloc(keylen)) == NULL) {
325 		if (IS_TOKEN_OBJECT(secret_key))
326 			soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
327 		else
328 			soft_delete_object(session_p, secret_key,
329 			    B_FALSE, B_FALSE);
330 
331 		return (CKR_HOST_MEMORY);
332 	}
333 	switch (pMechanism->mechanism) {
334 	case CKM_PBE_SHA1_RC4_128:
335 		/*
336 		 * Use the PBE algorithm described in PKCS#11 section
337 		 * 12.33 to derive the key.
338 		 */
339 		rv = soft_pkcs12_pbe(session_p, pMechanism, secret_key);
340 		break;
341 	case CKM_PKCS5_PBKD2:
342 		/* Generate keys using PKCS#5 PBKD2 algorithm */
343 		rv = soft_generate_pkcs5_pbkdf2_key(session_p, pMechanism,
344 		    secret_key);
345 		if (rv == CKR_OK && des_strength > 0) {
346 			/* Perform weak key checking for DES and DES3. */
347 			if (des_keycheck(OBJ_SEC_VALUE(secret_key),
348 			    des_strength, OBJ_SEC_VALUE(secret_key)) ==
349 			    B_FALSE) {
350 				/* We got a weak secret key. */
351 				rv = CKR_FUNCTION_FAILED;
352 			}
353 		}
354 		break;
355 	default:
356 		do {
357 			/* If this fails, bail out */
358 			rv = CKR_OK;
359 			if (pkcs11_get_urandom(
360 			    OBJ_SEC_VALUE(secret_key), keylen) < 0) {
361 				rv = CKR_DEVICE_ERROR;
362 				break;
363 			}
364 
365 			/* Perform weak key checking for DES and DES3. */
366 			if (des_strength > 0) {
367 				rv = CKR_OK;
368 				if (des_keycheck(OBJ_SEC_VALUE(secret_key),
369 				    des_strength, OBJ_SEC_VALUE(secret_key)) ==
370 				    B_FALSE) {
371 					/* We got a weak key, retry! */
372 					retry++;
373 					rv = CKR_FUNCTION_FAILED;
374 				}
375 			}
376 			/*
377 			 * Copy over the SSL client version For SSL mechs
378 			 * The first two bytes of the key is the version
379 			 */
380 			if (is_ssl_mech)
381 				bcopy(pMechanism->pParameter,
382 				    OBJ_SEC_VALUE(secret_key),
383 				    sizeof (CK_VERSION));
384 
385 		} while (rv != CKR_OK && retry < KEYGEN_RETRY);
386 		if (retry == KEYGEN_RETRY)
387 			rv = CKR_FUNCTION_FAILED;
388 		break;
389 	}
390 
391 	if (rv != CKR_OK)
392 		if (IS_TOKEN_OBJECT(secret_key))
393 			soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
394 		else
395 			soft_delete_object(session_p, secret_key,
396 			    B_FALSE, B_FALSE);
397 
398 	if (IS_TOKEN_OBJECT(secret_key)) {
399 		/*
400 		 * All the info has been filled, so we can write to
401 		 * keystore now.
402 		 */
403 		rv = soft_put_object_to_keystore(secret_key);
404 		if (rv != CKR_OK)
405 			soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
406 	}
407 
408 	*phKey = secret_key->handle;
409 	return (rv);
410 }
411 
412 CK_RV
soft_genkey_pair(soft_session_t * session_p,CK_MECHANISM_PTR pMechanism,CK_ATTRIBUTE_PTR pPublicKeyTemplate,CK_ULONG ulPublicAttrCount,CK_ATTRIBUTE_PTR pPrivateKeyTemplate,CK_ULONG ulPrivateAttrCount,CK_OBJECT_HANDLE_PTR phPublicKey,CK_OBJECT_HANDLE_PTR phPrivateKey)413 soft_genkey_pair(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
414     CK_ATTRIBUTE_PTR pPublicKeyTemplate, CK_ULONG ulPublicAttrCount,
415     CK_ATTRIBUTE_PTR pPrivateKeyTemplate, CK_ULONG ulPrivateAttrCount,
416     CK_OBJECT_HANDLE_PTR phPublicKey, CK_OBJECT_HANDLE_PTR phPrivateKey)
417 {
418 
419 	CK_RV rv;
420 	soft_object_t *public_key, *private_key;
421 	CK_KEY_TYPE key_type;
422 
423 	switch (pMechanism->mechanism) {
424 
425 	case CKM_RSA_PKCS_KEY_PAIR_GEN:
426 		key_type = CKK_RSA;
427 		break;
428 
429 	case CKM_DSA_KEY_PAIR_GEN:
430 		key_type = CKK_DSA;
431 		break;
432 
433 	case CKM_DH_PKCS_KEY_PAIR_GEN:
434 		key_type = CKK_DH;
435 		break;
436 
437 	case CKM_EC_KEY_PAIR_GEN:
438 		key_type = CKK_EC;
439 		break;
440 
441 	default:
442 		return (CKR_MECHANISM_INVALID);
443 	}
444 
445 	/* Create a new object for public key. */
446 	rv = soft_gen_keyobject(pPublicKeyTemplate, ulPublicAttrCount,
447 	    &public_key, session_p, CKO_PUBLIC_KEY, key_type, 0,
448 	    SOFT_GEN_KEY, B_FALSE);
449 
450 	if (rv != CKR_OK) {
451 		return (rv);
452 	}
453 
454 	/* Create a new object for private key. */
455 	rv = soft_gen_keyobject(pPrivateKeyTemplate, ulPrivateAttrCount,
456 	    &private_key, session_p, CKO_PRIVATE_KEY, key_type, 0,
457 	    SOFT_GEN_KEY, B_FALSE);
458 
459 	if (rv != CKR_OK) {
460 		/*
461 		 * Both public key and private key must be successful.
462 		 */
463 		if (IS_TOKEN_OBJECT(public_key))
464 			soft_delete_token_object(public_key, B_FALSE, B_FALSE);
465 		else
466 			soft_delete_object(session_p, public_key,
467 			    B_FALSE, B_FALSE);
468 		return (rv);
469 	}
470 
471 	/*
472 	 * At this point, both public key and private key objects
473 	 * are settled with the application specified attributes.
474 	 * We are ready to generate the rest of key attributes based
475 	 * on the existing attributes.
476 	 */
477 
478 	switch (key_type) {
479 	case CKK_RSA:
480 		rv = soft_rsa_genkey_pair(public_key, private_key);
481 		break;
482 
483 	case CKK_DSA:
484 		rv = soft_dsa_genkey_pair(public_key, private_key);
485 		break;
486 
487 	case CKK_DH:
488 		rv = soft_dh_genkey_pair(public_key, private_key);
489 		private_key->bool_attr_mask |= DERIVE_BOOL_ON;
490 		break;
491 	case CKK_EC:
492 		rv = soft_ec_genkey_pair(public_key, private_key);
493 		private_key->bool_attr_mask |= DERIVE_BOOL_ON;
494 		break;
495 	}
496 
497 	if (rv != CKR_OK) {
498 		if (IS_TOKEN_OBJECT(public_key)) {
499 			soft_delete_token_object(public_key, B_FALSE, B_FALSE);
500 			soft_delete_token_object(private_key, B_FALSE, B_FALSE);
501 		} else {
502 			soft_delete_object(session_p, public_key,
503 			    B_FALSE, B_FALSE);
504 			soft_delete_object(session_p, private_key,
505 			    B_FALSE, B_FALSE);
506 		}
507 		return (rv);
508 	}
509 
510 	if (IS_TOKEN_OBJECT(public_key)) {
511 		/*
512 		 * All the info has been filled, so we can write to
513 		 * keystore now.
514 		 */
515 		rv = soft_put_object_to_keystore(public_key);
516 		if (rv != CKR_OK) {
517 			soft_delete_token_object(public_key, B_FALSE, B_FALSE);
518 			soft_delete_token_object(private_key, B_FALSE, B_FALSE);
519 			return (rv);
520 		}
521 	}
522 
523 	if (IS_TOKEN_OBJECT(private_key)) {
524 		rv = soft_put_object_to_keystore(private_key);
525 		if (rv != CKR_OK) {
526 			/*
527 			 * We also need to delete the public token object
528 			 * from keystore.
529 			 */
530 			soft_delete_token_object(public_key, B_TRUE, B_FALSE);
531 			soft_delete_token_object(private_key, B_FALSE, B_FALSE);
532 		}
533 	}
534 
535 	*phPublicKey = public_key->handle;
536 	*phPrivateKey = private_key->handle;
537 
538 	return (rv);
539 }
540 
541 
542 CK_RV
soft_key_derive_check_length(soft_object_t * secret_key,CK_ULONG max_keylen)543 soft_key_derive_check_length(soft_object_t *secret_key, CK_ULONG max_keylen)
544 {
545 
546 	switch (secret_key->key_type) {
547 	case CKK_GENERIC_SECRET:
548 		if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
549 			OBJ_SEC_VALUE_LEN(secret_key) = max_keylen;
550 			return (CKR_OK);
551 		} else if (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen) {
552 			return (CKR_ATTRIBUTE_VALUE_INVALID);
553 		}
554 		break;
555 	case CKK_RC4:
556 	case CKK_AES:
557 	case CKK_BLOWFISH:
558 		if ((OBJ_SEC_VALUE_LEN(secret_key) == 0) ||
559 		    (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen)) {
560 			/* RC4 and AES has variable key length */
561 			return (CKR_ATTRIBUTE_VALUE_INVALID);
562 		}
563 		break;
564 	case CKK_DES:
565 		if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
566 			/* DES has a well-defined length */
567 			OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
568 			return (CKR_OK);
569 		} else if (OBJ_SEC_VALUE_LEN(secret_key) != DES_KEYSIZE) {
570 			return (CKR_ATTRIBUTE_VALUE_INVALID);
571 		}
572 		break;
573 	case CKK_DES2:
574 		if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
575 			/* DES2 has a well-defined length */
576 			OBJ_SEC_VALUE_LEN(secret_key) = DES2_KEYSIZE;
577 			return (CKR_OK);
578 		} else if (OBJ_SEC_VALUE_LEN(secret_key) != DES2_KEYSIZE) {
579 			return (CKR_ATTRIBUTE_VALUE_INVALID);
580 		}
581 		break;
582 
583 	default:
584 		return (CKR_MECHANISM_INVALID);
585 	}
586 
587 	return (CKR_OK);
588 }
589 
590 /*
591  * PKCS#11 (12.33) says that v = 512 bits (64 bytes) for SHA1
592  * PBE methods.
593  */
594 #define	PKCS12_BUFFER_SIZE 64
595 /*
596  * PKCS#12 defines 3 different ID bytes to be used for
597  * deriving keys for different operations.
598  */
599 #define	PBE_ID_ENCRYPT	1
600 #define	PBE_ID_IV	2
601 #define	PBE_ID_MAC	3
602 #define	PBE_CEIL(a, b)	(((a)/(b)) + (((a)%(b)) > 0))
603 
604 static CK_RV
soft_pkcs12_pbe(soft_session_t * session_p,CK_MECHANISM_PTR pMechanism,soft_object_t * derived_key)605 soft_pkcs12_pbe(soft_session_t *session_p,
606     CK_MECHANISM_PTR pMechanism, soft_object_t *derived_key)
607 {
608 	CK_RV rv = CKR_OK;
609 	CK_PBE_PARAMS *params = pMechanism->pParameter;
610 	CK_ULONG c, i, j, k;
611 	CK_ULONG hashSize;
612 	CK_ULONG buffSize;
613 	/*
614 	 * Terse variable names are used to make following
615 	 * the PKCS#12 spec easier.
616 	 */
617 	CK_BYTE *A = NULL;
618 	CK_BYTE *Ai = NULL;
619 	CK_BYTE *B = NULL;
620 	CK_BYTE *D = NULL;
621 	CK_BYTE *I = NULL, *S, *P;
622 	CK_BYTE *keybuf = NULL;
623 	CK_ULONG Alen, Ilen, Slen, Plen, AiLen, Blen, Dlen;
624 	CK_ULONG keysize = OBJ_SEC_VALUE_LEN(derived_key);
625 	CK_MECHANISM digest_mech;
626 
627 	/* U = hash function output bits */
628 	if (pMechanism->mechanism == CKM_PBE_SHA1_RC4_128) {
629 		hashSize = SHA1_HASH_SIZE;
630 		buffSize = PKCS12_BUFFER_SIZE;
631 		digest_mech.mechanism = CKM_SHA_1;
632 		digest_mech.pParameter = NULL;
633 		digest_mech.ulParameterLen = 0;
634 	} else {
635 		/* we only support 1 PBE mech for now */
636 		return (CKR_MECHANISM_INVALID);
637 	}
638 	keybuf = OBJ_SEC_VALUE(derived_key);
639 
640 	Blen = Dlen = buffSize;
641 	D = (CK_BYTE *)malloc(Dlen);
642 	if (D == NULL) {
643 		rv = CKR_HOST_MEMORY;
644 		goto cleanup;
645 	}
646 
647 	B = (CK_BYTE *)malloc(Blen);
648 	if (B == NULL) {
649 		rv = CKR_HOST_MEMORY;
650 		goto cleanup;
651 	}
652 
653 	/*
654 	 * Initialize some values and create some buffers
655 	 * that we need later.
656 	 *
657 	 * Slen = buffSize * CEIL(SaltLength/buffSize)
658 	 */
659 	Slen = buffSize * PBE_CEIL(params->ulSaltLen, buffSize);
660 
661 	/*
662 	 * Plen = buffSize * CEIL(PasswordLength/buffSize)
663 	 */
664 	Plen = buffSize * PBE_CEIL(params->ulPasswordLen, buffSize);
665 
666 	/*
667 	 * From step 4: I = S + P, so: Ilen = Slen + Plen
668 	 */
669 	Ilen = Slen + Plen;
670 	I = (CK_BYTE *)malloc(Ilen);
671 	if (I == NULL) {
672 		rv = CKR_HOST_MEMORY;
673 		goto cleanup;
674 	}
675 
676 	S = I;
677 	P = I + Slen;
678 
679 	/*
680 	 * Step 1.
681 	 * We are only interested in deriving keys for encrypt/decrypt
682 	 * for now, so construct the "D"iversifier accordingly.
683 	 */
684 	(void) memset(D, PBE_ID_ENCRYPT, Dlen);
685 
686 	/*
687 	 * Step 2.
688 	 * Concatenate copies of the salt together to make S.
689 	 */
690 	for (i = 0; i < Slen; i += params->ulSaltLen) {
691 		(void) memcpy(S+i, params->pSalt,
692 		    ((Slen - i) > params->ulSaltLen ?
693 		    params->ulSaltLen : (Slen - i)));
694 	}
695 
696 	/*
697 	 * Step 3.
698 	 * Concatenate copies of the password together to make
699 	 * a string P.
700 	 */
701 	for (i = 0; i < Plen; i += params->ulPasswordLen) {
702 		(void) memcpy(P+i, params->pPassword,
703 		    ((Plen - i) > params->ulPasswordLen ?
704 		    params->ulPasswordLen : (Plen - i)));
705 	}
706 
707 	/*
708 	 * Step 4.
709 	 * I = S+P - this is now done because S and P are
710 	 * pointers into I.
711 	 *
712 	 * Step 5.
713 	 * c= CEIL[n/u]
714 	 * where n = pseudorandom bits of output desired.
715 	 */
716 	c = PBE_CEIL(keysize, hashSize);
717 
718 	/*
719 	 * Step 6.
720 	 */
721 	Alen = c * hashSize;
722 	A = (CK_BYTE *)malloc(Alen);
723 	if (A == NULL) {
724 		rv = CKR_HOST_MEMORY;
725 		goto cleanup;
726 	}
727 	AiLen = hashSize;
728 	Ai = (CK_BYTE *)malloc(AiLen);
729 	if (Ai == NULL) {
730 		rv = CKR_HOST_MEMORY;
731 		goto cleanup;
732 	}
733 
734 	/*
735 	 * Step 6a.
736 	 * Ai = Hr(D+I)
737 	 */
738 	for (i = 0; i < c; i++) {
739 		(void) pthread_mutex_lock(&session_p->session_mutex);
740 
741 		if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) {
742 			(void) pthread_mutex_unlock(&session_p->session_mutex);
743 			rv = CKR_OPERATION_ACTIVE;
744 			goto cleanup;
745 		}
746 		session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE;
747 		(void) pthread_mutex_unlock(&session_p->session_mutex);
748 
749 		for (j = 0; j < params->ulIteration; j++) {
750 			rv = soft_digest_init(session_p, &digest_mech);
751 			if (rv != CKR_OK)
752 				goto digest_done;
753 
754 			if (j == 0) {
755 				rv = soft_digest_update(session_p, D, Dlen);
756 				if (rv != CKR_OK)
757 					goto digest_done;
758 
759 				rv = soft_digest_update(session_p, I, Ilen);
760 			} else {
761 				rv = soft_digest_update(session_p, Ai, AiLen);
762 			}
763 			if (rv != CKR_OK)
764 				goto digest_done;
765 
766 			rv = soft_digest_final(session_p, Ai, &AiLen);
767 			if (rv != CKR_OK)
768 				goto digest_done;
769 		}
770 digest_done:
771 		(void) pthread_mutex_lock(&session_p->session_mutex);
772 		session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE;
773 		(void) pthread_mutex_unlock(&session_p->session_mutex);
774 
775 		if (rv != CKR_OK)
776 			goto cleanup;
777 		/*
778 		 * Step 6b.
779 		 * Concatenate Ai to make B
780 		 */
781 		for (j = 0; j < Blen; j += hashSize) {
782 			(void) memcpy(B+j, Ai, ((Blen - j > hashSize) ?
783 			    hashSize : Blen - j));
784 		}
785 
786 		/*
787 		 * Step 6c.
788 		 */
789 		k = Ilen / Blen;
790 		for (j = 0; j < k; j++) {
791 			uchar_t idx;
792 			CK_ULONG m, q = 1, cbit = 0;
793 
794 			for (m = Blen - 1; m >= (CK_ULONG)0; m--, q = 0) {
795 				idx = m + j*Blen;
796 
797 				q += (CK_ULONG)I[idx] + (CK_ULONG)B[m];
798 				q += cbit;
799 				I[idx] = (CK_BYTE)(q & 0xff);
800 				cbit = (q > 0xff);
801 			}
802 		}
803 
804 		/*
805 		 * Step 7.
806 		 *  A += Ai
807 		 */
808 		(void) memcpy(A + i*hashSize, Ai, AiLen);
809 	}
810 
811 	/*
812 	 * Step 8.
813 	 * The final output of this process is the A buffer
814 	 */
815 	(void) memcpy(keybuf, A, keysize);
816 
817 cleanup:
818 	freezero(A, Alen);
819 	freezero(Ai, AiLen);
820 	freezero(B, Blen);
821 	freezero(D, Dlen);
822 	freezero(I, Ilen);
823 	return (rv);
824 }
825 
826 CK_RV
soft_derivekey(soft_session_t * session_p,CK_MECHANISM_PTR pMechanism,soft_object_t * basekey_p,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulAttributeCount,CK_OBJECT_HANDLE_PTR phKey)827 soft_derivekey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
828     soft_object_t *basekey_p, CK_ATTRIBUTE_PTR pTemplate,
829     CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey)
830 {
831 
832 	CK_RV rv = CKR_OK;
833 	soft_object_t *secret_key;
834 	CK_MECHANISM digest_mech;
835 	CK_BYTE hash[SHA512_DIGEST_LENGTH]; /* space enough for all mechs */
836 	CK_ULONG hash_len = SHA512_DIGEST_LENGTH;
837 	CK_ULONG secret_key_len;
838 	CK_ULONG hash_size;
839 
840 	switch (pMechanism->mechanism) {
841 	case CKM_DH_PKCS_DERIVE:
842 		if (phKey == NULL_PTR)
843 			return (CKR_ARGUMENTS_BAD);
844 
845 		/*
846 		 * Create a new object for secret key. The key type should
847 		 * be provided in the template.
848 		 */
849 		rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
850 		    &secret_key, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL,
851 		    0, SOFT_DERIVE_KEY_DH, B_FALSE);
852 
853 		if (rv != CKR_OK) {
854 			return (rv);
855 		}
856 
857 		rv = soft_dh_key_derive(basekey_p, secret_key,
858 		    (CK_BYTE *)pMechanism->pParameter,
859 		    pMechanism->ulParameterLen);
860 
861 		if (rv != CKR_OK) {
862 			if (IS_TOKEN_OBJECT(secret_key))
863 				soft_delete_token_object(secret_key, B_FALSE,
864 				    B_FALSE);
865 			else
866 				soft_delete_object(session_p, secret_key,
867 				    B_FALSE, B_FALSE);
868 			return (rv);
869 		}
870 
871 		break;
872 
873 	case CKM_ECDH1_DERIVE:
874 		if (phKey == NULL_PTR)
875 			return (CKR_ARGUMENTS_BAD);
876 
877 		/*
878 		 * Create a new object for secret key. The key type should
879 		 * be provided in the template.
880 		 */
881 		rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
882 		    &secret_key, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL,
883 		    0, SOFT_DERIVE_KEY_DH, B_FALSE);
884 
885 		if (rv != CKR_OK) {
886 			return (rv);
887 		}
888 
889 		rv = soft_ec_key_derive(basekey_p, secret_key,
890 		    (CK_BYTE *)pMechanism->pParameter,
891 		    pMechanism->ulParameterLen);
892 
893 		if (rv != CKR_OK) {
894 			if (IS_TOKEN_OBJECT(secret_key))
895 				soft_delete_token_object(secret_key, B_FALSE,
896 				    B_FALSE);
897 			else
898 				soft_delete_object(session_p, secret_key,
899 				    B_FALSE, B_FALSE);
900 			return (rv);
901 		}
902 
903 		break;
904 
905 	case CKM_SHA1_KEY_DERIVATION:
906 		hash_size = SHA1_HASH_SIZE;
907 		digest_mech.mechanism = CKM_SHA_1;
908 		goto common;
909 
910 	case CKM_MD5_KEY_DERIVATION:
911 		hash_size = MD5_HASH_SIZE;
912 		digest_mech.mechanism = CKM_MD5;
913 		goto common;
914 
915 	case CKM_SHA256_KEY_DERIVATION:
916 		hash_size = SHA256_DIGEST_LENGTH;
917 		digest_mech.mechanism = CKM_SHA256;
918 		goto common;
919 
920 	case CKM_SHA384_KEY_DERIVATION:
921 		hash_size = SHA384_DIGEST_LENGTH;
922 		digest_mech.mechanism = CKM_SHA384;
923 		goto common;
924 
925 	case CKM_SHA512_KEY_DERIVATION:
926 		hash_size = SHA512_DIGEST_LENGTH;
927 		digest_mech.mechanism = CKM_SHA512;
928 		goto common;
929 
930 	case CKM_SHA512_224_KEY_DERIVATION:
931 		hash_size = SHA512_224_DIGEST_LENGTH;
932 		digest_mech.mechanism = CKM_SHA512_224;
933 		goto common;
934 
935 	case CKM_SHA512_256_KEY_DERIVATION:
936 		hash_size = SHA512_256_DIGEST_LENGTH;
937 		digest_mech.mechanism = CKM_SHA512_256;
938 		goto common;
939 
940 common:
941 		if (phKey == NULL_PTR)
942 			return (CKR_ARGUMENTS_BAD);
943 
944 		/*
945 		 * Create a new object for secret key. The key type is optional
946 		 * to be provided in the template. If it is not specified in
947 		 * the template, the default is CKK_GENERIC_SECRET.
948 		 */
949 		rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
950 		    &secret_key, session_p, CKO_SECRET_KEY,
951 		    (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0,
952 		    SOFT_DERIVE_KEY_OTHER, B_FALSE);
953 
954 		if (rv != CKR_OK) {
955 			return (rv);
956 		}
957 
958 		/* Validate the key type and key length */
959 		rv = soft_key_derive_check_length(secret_key, hash_size);
960 		if (rv != CKR_OK) {
961 			if (IS_TOKEN_OBJECT(secret_key))
962 				soft_delete_token_object(secret_key, B_FALSE,
963 				    B_FALSE);
964 			else
965 				soft_delete_object(session_p, secret_key,
966 				    B_FALSE, B_FALSE);
967 			return (rv);
968 		}
969 
970 		/*
971 		 * Derive the secret key by digesting the value of another
972 		 * secret key (base key) with SHA-1 or MD5.
973 		 */
974 		rv = soft_digest_init_internal(session_p, &digest_mech);
975 		if (rv != CKR_OK) {
976 			if (IS_TOKEN_OBJECT(secret_key))
977 				soft_delete_token_object(secret_key, B_FALSE,
978 				    B_FALSE);
979 			else
980 				soft_delete_object(session_p, secret_key,
981 				    B_FALSE, B_FALSE);
982 			return (rv);
983 		}
984 
985 		rv = soft_digest(session_p, OBJ_SEC_VALUE(basekey_p),
986 		    OBJ_SEC_VALUE_LEN(basekey_p), hash, &hash_len);
987 
988 		(void) pthread_mutex_lock(&session_p->session_mutex);
989 		/* soft_digest_common() has freed the digest context */
990 		session_p->digest.flags = 0;
991 		(void) pthread_mutex_unlock(&session_p->session_mutex);
992 
993 		if (rv != CKR_OK) {
994 			if (IS_TOKEN_OBJECT(secret_key))
995 				soft_delete_token_object(secret_key, B_FALSE,
996 				    B_FALSE);
997 			else
998 				soft_delete_object(session_p, secret_key,
999 				    B_FALSE, B_FALSE);
1000 			return (rv);
1001 		}
1002 
1003 		secret_key_len = OBJ_SEC_VALUE_LEN(secret_key);
1004 
1005 		if ((OBJ_SEC_VALUE(secret_key) = malloc(secret_key_len)) ==
1006 		    NULL) {
1007 			if (IS_TOKEN_OBJECT(secret_key))
1008 				soft_delete_token_object(secret_key, B_FALSE,
1009 				    B_FALSE);
1010 			else
1011 				soft_delete_object(session_p, secret_key,
1012 				    B_FALSE, B_FALSE);
1013 			return (CKR_HOST_MEMORY);
1014 		}
1015 
1016 		/*
1017 		 * The key produced by this mechanism will be of the
1018 		 * specified type and length.
1019 		 * The truncation removes extra bytes from the leading
1020 		 * of the digested key value.
1021 		 */
1022 		(void) memcpy(OBJ_SEC_VALUE(secret_key),
1023 		    (hash + hash_len - secret_key_len),
1024 		    secret_key_len);
1025 
1026 		break;
1027 
1028 	/*
1029 	 * The key sensitivity and extractability rules for the generated
1030 	 * keys will be enforced inside soft_ssl_master_key_derive() and
1031 	 * soft_ssl_key_and_mac_derive()
1032 	 */
1033 	case CKM_SSL3_MASTER_KEY_DERIVE:
1034 	case CKM_SSL3_MASTER_KEY_DERIVE_DH:
1035 	case CKM_TLS_MASTER_KEY_DERIVE:
1036 	case CKM_TLS_MASTER_KEY_DERIVE_DH:
1037 		if (phKey == NULL_PTR)
1038 			return (CKR_ARGUMENTS_BAD);
1039 		return (soft_ssl_master_key_derive(session_p, pMechanism,
1040 		    basekey_p, pTemplate, ulAttributeCount, phKey));
1041 
1042 	case CKM_SSL3_KEY_AND_MAC_DERIVE:
1043 	case CKM_TLS_KEY_AND_MAC_DERIVE:
1044 		/* These mechanisms do not use phKey */
1045 		return (soft_ssl_key_and_mac_derive(session_p, pMechanism,
1046 		    basekey_p, pTemplate, ulAttributeCount));
1047 
1048 	case CKM_TLS_PRF:
1049 		/* This mechanism does not use phKey */
1050 		if (pMechanism->pParameter == NULL ||
1051 		    pMechanism->ulParameterLen != sizeof (CK_TLS_PRF_PARAMS) ||
1052 		    phKey != NULL)
1053 			return (CKR_ARGUMENTS_BAD);
1054 
1055 		if (pTemplate != NULL)
1056 			return (CKR_TEMPLATE_INCONSISTENT);
1057 
1058 		return (derive_tls_prf(
1059 		    (CK_TLS_PRF_PARAMS_PTR)pMechanism->pParameter, basekey_p));
1060 
1061 	default:
1062 		return (CKR_MECHANISM_INVALID);
1063 	}
1064 
1065 	soft_derive_enforce_flags(basekey_p, secret_key);
1066 
1067 	if (IS_TOKEN_OBJECT(secret_key)) {
1068 		/*
1069 		 * All the info has been filled, so we can write to
1070 		 * keystore now.
1071 		 */
1072 		rv = soft_put_object_to_keystore(secret_key);
1073 		if (rv != CKR_OK)
1074 			soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
1075 	}
1076 
1077 	/*
1078 	 * Some mechanisms don't use phKey either because they create
1079 	 * multiple key objects and instead populate a structure passed in
1080 	 * as a field in their pParameter parameter with the resulting key
1081 	 * objects (e.g. CKM_TLS_KEY_AND_MAC_DERIVE) or they instead write
1082 	 * their result to an output buffer passed in their pParameter
1083 	 * parameter (e.g. CKM_TLS_PRF). All such mechanisms return prior
1084 	 * to reaching here. The remaining mechanisms (which do use phKey)
1085 	 * should have already validated phKey is not NULL prior to doing
1086 	 * their key derivation.
1087 	 */
1088 	*phKey = secret_key->handle;
1089 
1090 	return (rv);
1091 }
1092 
1093 
1094 /*
1095  * Perform key derivation rules on key's sensitivity and extractability.
1096  */
1097 void
soft_derive_enforce_flags(soft_object_t * basekey,soft_object_t * newkey)1098 soft_derive_enforce_flags(soft_object_t *basekey, soft_object_t *newkey)
1099 {
1100 
1101 	boolean_t new_sensitive = B_FALSE;
1102 	boolean_t new_extractable = B_FALSE;
1103 
1104 	/*
1105 	 * The sensitive and extractable bits have been set when
1106 	 * the newkey was built.
1107 	 */
1108 	if (newkey->bool_attr_mask & SENSITIVE_BOOL_ON) {
1109 		new_sensitive = B_TRUE;
1110 	}
1111 
1112 	if (newkey->bool_attr_mask & EXTRACTABLE_BOOL_ON) {
1113 		new_extractable = B_TRUE;
1114 	}
1115 
1116 	/* Derive the CKA_ALWAYS_SENSITIVE flag */
1117 	if (!basekey->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON) {
1118 		/*
1119 		 * If the base key has its CKA_ALWAYS_SENSITIVE set to
1120 		 * FALSE, then the derived key will as well.
1121 		 */
1122 		newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON;
1123 	} else {
1124 		/*
1125 		 * If the base key has its CKA_ALWAYS_SENSITIVE set to TRUE,
1126 		 * then the derived key has the CKA_ALWAYS_SENSITIVE set to
1127 		 * the same value as its CKA_SENSITIVE;
1128 		 */
1129 		if (new_sensitive) {
1130 			newkey->bool_attr_mask |= ALWAYS_SENSITIVE_BOOL_ON;
1131 		} else {
1132 			newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON;
1133 		}
1134 	}
1135 
1136 	/* Derive the CKA_NEVER_EXTRACTABLE flag */
1137 	if (!basekey->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) {
1138 		/*
1139 		 * If the base key has its CKA_NEVER_EXTRACTABLE set to
1140 		 * FALSE, then the derived key will as well.
1141 		 */
1142 		newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON;
1143 	} else {
1144 		/*
1145 		 * If the base key has its CKA_NEVER_EXTRACTABLE set to TRUE,
1146 		 * then the derived key has the CKA_NEVER_EXTRACTABLE set to
1147 		 * the opposite value from its CKA_EXTRACTABLE;
1148 		 */
1149 		if (new_extractable) {
1150 			newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON;
1151 		} else {
1152 			newkey->bool_attr_mask |= NEVER_EXTRACTABLE_BOOL_ON;
1153 		}
1154 	}
1155 
1156 	/* Set the CKA_LOCAL flag to false */
1157 	newkey->bool_attr_mask &= ~LOCAL_BOOL_ON;
1158 }
1159 
1160 
1161 /*
1162  * do_prf
1163  *
1164  * This routine implements Step 3. of the PBKDF2 function
1165  * defined in PKCS#5 for generating derived keys from a
1166  * password.
1167  *
1168  * Currently, PRF is always SHA_1_HMAC.
1169  */
1170 static CK_RV
do_prf(soft_session_t * session_p,CK_PKCS5_PBKD2_PARAMS_PTR params,soft_object_t * hmac_key,CK_BYTE * newsalt,CK_ULONG saltlen,CK_BYTE * blockdata,CK_ULONG blocklen)1171 do_prf(soft_session_t *session_p, CK_PKCS5_PBKD2_PARAMS_PTR params,
1172     soft_object_t *hmac_key, CK_BYTE *newsalt, CK_ULONG saltlen,
1173     CK_BYTE *blockdata, CK_ULONG blocklen)
1174 {
1175 	CK_RV rv = CKR_OK;
1176 	CK_MECHANISM digest_mech = {CKM_SHA_1_HMAC, NULL, 0};
1177 	CK_BYTE buffer[2][SHA1_HASH_SIZE];
1178 	CK_ULONG hmac_outlen = SHA1_HASH_SIZE;
1179 	CK_ULONG inlen;
1180 	CK_BYTE *input, *output;
1181 	CK_ULONG i, j;
1182 
1183 	input = newsalt;
1184 	inlen = saltlen;
1185 
1186 	output = buffer[1];
1187 	(void) pthread_mutex_lock(&session_p->session_mutex);
1188 
1189 	if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) {
1190 		(void) pthread_mutex_unlock(&session_p->session_mutex);
1191 		return (CKR_OPERATION_ACTIVE);
1192 	}
1193 	session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE;
1194 	(void) pthread_mutex_unlock(&session_p->session_mutex);
1195 
1196 	for (i = 0; i < params->iterations; i++) {
1197 		/*
1198 		 * The key doesn't change, its always the
1199 		 * password iniitally given.
1200 		 */
1201 		rv = soft_sign_init(session_p, &digest_mech, hmac_key);
1202 
1203 		if (rv != CKR_OK) {
1204 			goto cleanup;
1205 		}
1206 
1207 		/* Call PRF function (SHA1_HMAC for now). */
1208 		rv = soft_sign(session_p, input, inlen, output, &hmac_outlen);
1209 
1210 		if (rv != CKR_OK) {
1211 			goto cleanup;
1212 		}
1213 		/*
1214 		 * The first time, initialize the output buffer
1215 		 * with the HMAC signature.
1216 		 */
1217 		if (i == 0) {
1218 			(void) memcpy(blockdata, output,
1219 			    local_min(blocklen, hmac_outlen));
1220 		} else {
1221 			/*
1222 			 * XOR the existing data with output from PRF.
1223 			 *
1224 			 * Only XOR up to the length of the blockdata,
1225 			 * it may be less than a full hmac buffer when
1226 			 * the final block is being computed.
1227 			 */
1228 			for (j = 0; j < hmac_outlen && j < blocklen; j++)
1229 				blockdata[j] ^= output[j];
1230 		}
1231 		/* Output from previous PRF is input for next round */
1232 		input = output;
1233 		inlen = hmac_outlen;
1234 
1235 		/*
1236 		 * Switch buffers to avoid overuse of memcpy.
1237 		 * Initially we used buffer[1], so after the end of
1238 		 * the first iteration (i==0), we switch to buffer[0]
1239 		 * and continue swapping with each iteration.
1240 		 */
1241 		output = buffer[i%2];
1242 	}
1243 cleanup:
1244 	(void) pthread_mutex_lock(&session_p->session_mutex);
1245 	session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE;
1246 	(void) pthread_mutex_unlock(&session_p->session_mutex);
1247 
1248 	return (rv);
1249 }
1250 
1251 static CK_RV
soft_create_hmac_key(soft_session_t * session_p,CK_BYTE * passwd,CK_ULONG passwd_len,soft_object_t ** keyp)1252 soft_create_hmac_key(soft_session_t *session_p,  CK_BYTE *passwd,
1253     CK_ULONG passwd_len, soft_object_t **keyp)
1254 {
1255 	CK_RV rv = CKR_OK;
1256 	CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY;
1257 	CK_KEY_TYPE keytype = CKK_GENERIC_SECRET;
1258 	CK_BBOOL True = TRUE;
1259 	CK_ATTRIBUTE keytemplate[4];
1260 
1261 	/*
1262 	 * We must initialize each template member individually
1263 	 * because at the time of initial coding for ON10, the
1264 	 * compiler was using the "-xc99=%none" option
1265 	 * which prevents us from being able to declare the whole
1266 	 * template in place as usual.
1267 	 */
1268 	keytemplate[0].type = CKA_CLASS;
1269 	keytemplate[0].pValue = &keyclass;
1270 	keytemplate[0].ulValueLen =  sizeof (keyclass);
1271 
1272 	keytemplate[1].type = CKA_KEY_TYPE;
1273 	keytemplate[1].pValue = &keytype;
1274 	keytemplate[1].ulValueLen =  sizeof (keytype);
1275 
1276 	keytemplate[2].type = CKA_SIGN;
1277 	keytemplate[2].pValue = &True;
1278 	keytemplate[2].ulValueLen =  sizeof (True);
1279 
1280 	keytemplate[3].type = CKA_VALUE;
1281 	keytemplate[3].pValue = passwd;
1282 	keytemplate[3].ulValueLen = passwd_len;
1283 	/*
1284 	 * Create a generic key object to be used for HMAC operations.
1285 	 * The "value" for this key is the password from the
1286 	 * mechanism parameter structure.
1287 	 */
1288 	rv = soft_gen_keyobject(keytemplate,
1289 	    sizeof (keytemplate)/sizeof (CK_ATTRIBUTE), keyp, session_p,
1290 	    CKO_SECRET_KEY, (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0,
1291 	    SOFT_CREATE_OBJ, B_TRUE);
1292 
1293 	return (rv);
1294 }
1295 
1296 CK_RV
soft_generate_pkcs5_pbkdf2_key(soft_session_t * session_p,CK_MECHANISM_PTR pMechanism,soft_object_t * secret_key)1297 soft_generate_pkcs5_pbkdf2_key(soft_session_t *session_p,
1298     CK_MECHANISM_PTR pMechanism, soft_object_t *secret_key)
1299 {
1300 	CK_RV rv = CKR_OK;
1301 	CK_PKCS5_PBKD2_PARAMS	*params =
1302 	    (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter;
1303 	CK_ULONG hLen = SHA1_HASH_SIZE;
1304 	CK_ULONG dkLen, i;
1305 	CK_ULONG blocks, remainder;
1306 	soft_object_t *hmac_key = NULL;
1307 	CK_BYTE *salt = NULL;
1308 	CK_BYTE *keydata = NULL;
1309 
1310 	params = (CK_PKCS5_PBKD2_PARAMS_PTR) pMechanism->pParameter;
1311 
1312 	if (params->prf != CKP_PKCS5_PBKD2_HMAC_SHA1)
1313 		return (CKR_MECHANISM_PARAM_INVALID);
1314 
1315 	if (params->pPrfData != NULL || params->ulPrfDataLen != 0)
1316 		return (CKR_DATA_INVALID);
1317 
1318 	if (params->saltSource != CKZ_SALT_SPECIFIED ||
1319 	    params->iterations == 0)
1320 		return (CKR_MECHANISM_PARAM_INVALID);
1321 
1322 	/*
1323 	 * Create a key object to use for HMAC operations.
1324 	 */
1325 	rv = soft_create_hmac_key(session_p, params->pPassword,
1326 	    *params->ulPasswordLen, &hmac_key);
1327 
1328 	if (rv != CKR_OK)
1329 		return (rv);
1330 
1331 	/* Step 1. */
1332 	dkLen = OBJ_SEC_VALUE_LEN(secret_key);  /* length of desired key */
1333 
1334 	if (dkLen > ((((u_longlong_t)1)<<32)-1)*hLen) {
1335 		(void) soft_delete_object(session_p, hmac_key, B_FALSE,
1336 		    B_FALSE);
1337 		return (CKR_KEY_SIZE_RANGE);
1338 	}
1339 
1340 	/* Step 2. */
1341 	blocks = dkLen / hLen;
1342 
1343 	/* crude "Ceiling" function to adjust the number of blocks to use */
1344 	if (blocks * hLen != dkLen)
1345 		blocks++;
1346 
1347 	remainder = dkLen - ((blocks - 1) * hLen);
1348 
1349 	/* Step 3 */
1350 	salt = (CK_BYTE *)malloc(params->ulSaltSourceDataLen + 4);
1351 	if (salt == NULL) {
1352 		(void) soft_delete_object(session_p, hmac_key, B_FALSE,
1353 		    B_FALSE);
1354 		return (CKR_HOST_MEMORY);
1355 	}
1356 	/*
1357 	 * Nothing in PKCS#5 says you cannot pass an empty
1358 	 * salt, so we will allow for this and not return error
1359 	 * if the salt is not specified.
1360 	 */
1361 	if (params->pSaltSourceData != NULL && params->ulSaltSourceDataLen > 0)
1362 		(void) memcpy(salt, params->pSaltSourceData,
1363 		    params->ulSaltSourceDataLen);
1364 
1365 	/*
1366 	 * Get pointer to the data section of the key,
1367 	 * this will be used below as output from the
1368 	 * PRF iteration/concatenations so that when the
1369 	 * blocks are all iterated, the secret_key will
1370 	 * have the resulting derived key value.
1371 	 */
1372 	keydata = (CK_BYTE *)OBJ_SEC_VALUE(secret_key);
1373 
1374 	/* Step 4. */
1375 	for (i = 0; i < blocks && (rv == CKR_OK); i++) {
1376 		CK_BYTE *s;
1377 
1378 		s = salt + params->ulSaltSourceDataLen;
1379 
1380 		/*
1381 		 * Append the block index to the salt as input
1382 		 * to the PRF.  Block index should start at 1
1383 		 * not 0.
1384 		 */
1385 		*s++ = ((i+1) >> 24) & 0xff;
1386 		*s++ = ((i+1) >> 16) & 0xff;
1387 		*s++ = ((i+1) >> 8) & 0xff;
1388 		*s   = ((i+1)) & 0xff;
1389 
1390 		/*
1391 		 * Adjust the key pointer so we always append the
1392 		 * PRF output to the current key.
1393 		 */
1394 		rv = do_prf(session_p, params, hmac_key,
1395 		    salt, params->ulSaltSourceDataLen + 4, keydata,
1396 		    ((i + 1) == blocks ? remainder : hLen));
1397 
1398 		keydata += hLen;
1399 	}
1400 	(void) soft_delete_object(session_p, hmac_key, B_FALSE, B_FALSE);
1401 	freezero(salt, params->ulSaltSourceDataLen);
1402 
1403 	return (rv);
1404 }
1405 
1406 CK_RV
soft_wrapkey(soft_session_t * session_p,CK_MECHANISM_PTR pMechanism,soft_object_t * wrappingKey_p,soft_object_t * hkey_p,CK_BYTE_PTR pWrappedKey,CK_ULONG_PTR pulWrappedKeyLen)1407 soft_wrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
1408     soft_object_t *wrappingKey_p, soft_object_t *hkey_p,
1409     CK_BYTE_PTR pWrappedKey, CK_ULONG_PTR pulWrappedKeyLen)
1410 {
1411 	CK_RV		rv = CKR_OK;
1412 	CK_ULONG	plain_len = 0;
1413 	CK_BYTE_PTR	plain_data = NULL;
1414 	CK_ULONG	padded_len = 0;
1415 	CK_BYTE_PTR	padded_data = NULL;
1416 	CK_ULONG	wkey_blksz = 1;		/* so modulo will work right */
1417 
1418 	/* Check if the mechanism is supported. */
1419 	switch (pMechanism->mechanism) {
1420 	case CKM_DES_CBC_PAD:
1421 	case CKM_DES3_CBC_PAD:
1422 	case CKM_AES_CBC_PAD:
1423 		/*
1424 		 * Secret key mechs with padding can be used to wrap secret
1425 		 * keys and private keys only.  See PKCS#11, * sec 11.14,
1426 		 * C_WrapKey and secs 12.* for each mechanism's wrapping/
1427 		 * unwrapping constraints.
1428 		 */
1429 		if (hkey_p->class != CKO_SECRET_KEY && hkey_p->class !=
1430 		    CKO_PRIVATE_KEY)
1431 			return (CKR_MECHANISM_INVALID);
1432 		break;
1433 	case CKM_RSA_PKCS:
1434 	case CKM_RSA_X_509:
1435 	case CKM_DES_ECB:
1436 	case CKM_DES3_ECB:
1437 	case CKM_AES_ECB:
1438 	case CKM_DES_CBC:
1439 	case CKM_DES3_CBC:
1440 	case CKM_AES_CBC:
1441 	case CKM_AES_CTR:
1442 	case CKM_BLOWFISH_CBC:
1443 		/*
1444 		 * Unpadded secret key mechs and private key mechs are only
1445 		 * defined for wrapping secret keys.  See PKCS#11 refs above.
1446 		 */
1447 		if (hkey_p->class != CKO_SECRET_KEY)
1448 			return (CKR_MECHANISM_INVALID);
1449 		break;
1450 	default:
1451 		return (CKR_MECHANISM_INVALID);
1452 	}
1453 
1454 	if (hkey_p->class == CKO_SECRET_KEY) {
1455 		plain_data = OBJ_SEC_VALUE(hkey_p);
1456 		plain_len = OBJ_SEC_VALUE_LEN(hkey_p);
1457 	} else {
1458 		/*
1459 		 * BER-encode the object to be wrapped:  call first with
1460 		 * plain_data = NULL to get the size needed, allocate that
1461 		 * much space, call again to fill space with actual data.
1462 		 */
1463 		rv = soft_object_to_asn1(hkey_p, NULL, &plain_len);
1464 		if (rv != CKR_OK)
1465 			return (rv);
1466 		if ((plain_data = malloc(plain_len)) == NULL)
1467 			return (CKR_HOST_MEMORY);
1468 		(void) memset(plain_data, 0x0, plain_len);
1469 		rv = soft_object_to_asn1(hkey_p, plain_data, &plain_len);
1470 		if (rv != CKR_OK)
1471 			goto cleanup_wrap;
1472 	}
1473 
1474 	/*
1475 	 * For unpadded ECB and CBC mechanisms, the object needs to be
1476 	 * padded to the wrapping key's blocksize prior to the encryption.
1477 	 */
1478 	padded_len = plain_len;
1479 	padded_data = plain_data;
1480 
1481 	switch (pMechanism->mechanism) {
1482 	case CKM_DES_ECB:
1483 	case CKM_DES3_ECB:
1484 	case CKM_AES_ECB:
1485 	case CKM_DES_CBC:
1486 	case CKM_DES3_CBC:
1487 	case CKM_AES_CBC:
1488 	case CKM_BLOWFISH_CBC:
1489 		/* Find the block size of the wrapping key. */
1490 		if (wrappingKey_p->class == CKO_SECRET_KEY) {
1491 			switch (wrappingKey_p->key_type) {
1492 			case CKK_DES:
1493 			case CKK_DES2:
1494 			case CKK_DES3:
1495 				wkey_blksz = DES_BLOCK_LEN;
1496 				break;
1497 			case CKK_AES:
1498 				wkey_blksz = AES_BLOCK_LEN;
1499 				break;
1500 			case CKK_BLOWFISH:
1501 				wkey_blksz = BLOWFISH_BLOCK_LEN;
1502 				break;
1503 			default:
1504 				break;
1505 			}
1506 		} else {
1507 			rv = CKR_WRAPPING_KEY_TYPE_INCONSISTENT;
1508 			goto cleanup_wrap;
1509 		}
1510 
1511 		/* Extend the plain text data to block size boundary.  */
1512 		if ((padded_len % wkey_blksz) != 0) {
1513 			padded_len += (wkey_blksz - (plain_len % wkey_blksz));
1514 			if ((padded_data = malloc(padded_len)) == NULL) {
1515 				rv = CKR_HOST_MEMORY;
1516 				goto cleanup_wrap;
1517 			}
1518 			(void) memset(padded_data, 0x0, padded_len);
1519 			(void) memcpy(padded_data, plain_data, plain_len);
1520 		}
1521 		break;
1522 	default:
1523 		break;
1524 	}
1525 
1526 	rv = soft_encrypt_init(session_p, pMechanism, wrappingKey_p);
1527 	if (rv != CKR_OK)
1528 		goto cleanup_wrap;
1529 
1530 	rv = soft_encrypt(session_p, padded_data, padded_len,
1531 	    pWrappedKey, pulWrappedKeyLen);
1532 
1533 cleanup_wrap:
1534 	if (padded_data != NULL && padded_len != plain_len) {
1535 		/* Clear buffer before returning to memory pool. */
1536 		freezero(padded_data, padded_len);
1537 	}
1538 
1539 	if ((hkey_p->class != CKO_SECRET_KEY) && (plain_data != NULL)) {
1540 		/* Clear buffer before returning to memory pool. */
1541 		freezero(plain_data, plain_len);
1542 	}
1543 
1544 	return (rv);
1545 }
1546 
1547 /*
1548  * Quick check for whether unwrapped key length is appropriate for key type
1549  * and whether it needs to be truncated (in case the wrapping function had
1550  * to pad the key prior to wrapping).
1551  */
1552 static CK_RV
soft_unwrap_secret_len_check(CK_KEY_TYPE keytype,CK_MECHANISM_TYPE mechtype,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulAttributeCount)1553 soft_unwrap_secret_len_check(CK_KEY_TYPE keytype, CK_MECHANISM_TYPE mechtype,
1554     CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount)
1555 {
1556 	CK_ULONG	i;
1557 	boolean_t	isValueLen = B_FALSE;
1558 
1559 	/*
1560 	 * Based on the key type and the mech used to unwrap, need to
1561 	 * determine if CKA_VALUE_LEN should or should not be specified.
1562 	 * PKCS#11 v2.11 restricts CKA_VALUE_LEN from being specified
1563 	 * for C_UnwrapKey for all mechs and key types, but v2.20 loosens
1564 	 * that restriction, perhaps because it makes it impossible to
1565 	 * determine the original length of unwrapped variable-length secret
1566 	 * keys, such as RC4, AES, and GENERIC_SECRET.  These variable-length
1567 	 * secret keys would have been padded with trailing null-bytes so
1568 	 * that they could be successfully wrapped with *_ECB and *_CBC
1569 	 * mechanisms.  Hence for unwrapping with these mechs, CKA_VALUE_LEN
1570 	 * must be specified.  For unwrapping with other mechs, such as
1571 	 * *_CBC_PAD, the CKA_VALUE_LEN is not needed.
1572 	 */
1573 
1574 	/* Find out if template has CKA_VALUE_LEN. */
1575 	for (i = 0; i < ulAttributeCount; i++) {
1576 		if (pTemplate[i].type == CKA_VALUE_LEN &&
1577 		    pTemplate[i].pValue != NULL) {
1578 			isValueLen = B_TRUE;
1579 			break;
1580 		}
1581 	}
1582 
1583 	/* Does its presence  conflict with the mech type and key type? */
1584 	switch (mechtype) {
1585 	case CKM_DES_ECB:
1586 	case CKM_DES3_ECB:
1587 	case CKM_AES_ECB:
1588 	case CKM_DES_CBC:
1589 	case CKM_DES3_CBC:
1590 	case CKM_AES_CBC:
1591 	case CKM_BLOWFISH_CBC:
1592 		/*
1593 		 * CKA_VALUE_LEN must be specified
1594 		 * if keytype is CKK_RC4, CKK_AES and CKK_GENERIC_SECRET
1595 		 * and must not be specified otherwise
1596 		 */
1597 		switch (keytype) {
1598 		case CKK_DES:
1599 		case CKK_DES2:
1600 		case CKK_DES3:
1601 			if (isValueLen)
1602 				return (CKR_TEMPLATE_INCONSISTENT);
1603 			break;
1604 		case CKK_GENERIC_SECRET:
1605 		case CKK_RC4:
1606 		case CKK_AES:
1607 		case CKK_BLOWFISH:
1608 			if (!isValueLen)
1609 				return (CKR_TEMPLATE_INCOMPLETE);
1610 			break;
1611 		default:
1612 			return (CKR_FUNCTION_NOT_SUPPORTED);
1613 		}
1614 		break;
1615 	default:
1616 		/* CKA_VALUE_LEN must not be specified */
1617 		if (isValueLen)
1618 			return (CKR_TEMPLATE_INCONSISTENT);
1619 		break;
1620 	}
1621 
1622 	return (CKR_OK);
1623 }
1624 
1625 CK_RV
soft_unwrapkey(soft_session_t * session_p,CK_MECHANISM_PTR pMechanism,soft_object_t * unwrappingkey_p,CK_BYTE_PTR pWrappedKey,CK_ULONG ulWrappedKeyLen,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulAttributeCount,CK_OBJECT_HANDLE_PTR phKey)1626 soft_unwrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
1627     soft_object_t *unwrappingkey_p, CK_BYTE_PTR pWrappedKey,
1628     CK_ULONG ulWrappedKeyLen, CK_ATTRIBUTE_PTR pTemplate,
1629     CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey)
1630 {
1631 	CK_RV			rv = CKR_OK;
1632 	CK_OBJECT_CLASS		new_obj_class = ~0UL;
1633 	int			i = 0;
1634 	soft_object_t		*new_objp = NULL;
1635 	boolean_t		persistent = B_FALSE;
1636 	CK_BYTE_PTR		plain_data = NULL;
1637 	CK_ULONG		plain_len = 0;
1638 	secret_key_obj_t	*sck = NULL;
1639 
1640 	/* Scan the attribute template for the object class. */
1641 	if (pTemplate != NULL && ulAttributeCount != 0) {
1642 		for (i = 0; i < ulAttributeCount; i++) {
1643 			if (pTemplate[i].type == CKA_CLASS) {
1644 				new_obj_class =
1645 				    *((CK_OBJECT_CLASS *)pTemplate[i].pValue);
1646 				break;
1647 			}
1648 		}
1649 		if (new_obj_class == ~0UL)
1650 			return (CKR_TEMPLATE_INCOMPLETE);
1651 	}
1652 
1653 	/*
1654 	 * Check if the mechanism is supported, and now that the new
1655 	 * object's class is known, the mechanism selected should be
1656 	 * capable of doing the unwrap.
1657 	 */
1658 	switch (pMechanism->mechanism) {
1659 	case CKM_RSA_PKCS:
1660 	case CKM_RSA_X_509:
1661 	case CKM_DES_ECB:
1662 	case CKM_DES3_ECB:
1663 	case CKM_AES_ECB:
1664 	case CKM_DES_CBC:
1665 	case CKM_DES3_CBC:
1666 	case CKM_AES_CBC:
1667 	case CKM_BLOWFISH_CBC:
1668 		if (new_obj_class != CKO_SECRET_KEY)
1669 			return (CKR_MECHANISM_INVALID);
1670 		break;
1671 	case CKM_DES_CBC_PAD:
1672 	case CKM_DES3_CBC_PAD:
1673 	case CKM_AES_CBC_PAD:
1674 		if (new_obj_class != CKO_SECRET_KEY && new_obj_class !=
1675 		    CKO_PRIVATE_KEY)
1676 			return (CKR_MECHANISM_INVALID);
1677 		break;
1678 	default:
1679 		return (CKR_MECHANISM_INVALID);
1680 	}
1681 
1682 	/* Create a new object based on the attribute template. */
1683 	rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
1684 	    &new_objp, session_p, (CK_OBJECT_CLASS)~0UL,
1685 	    (CK_KEY_TYPE)~0UL, 0, SOFT_UNWRAP_KEY, B_FALSE);
1686 	if (rv != CKR_OK)
1687 		return (rv);
1688 
1689 	/*
1690 	 * New key will have CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE
1691 	 * both set to FALSE.  CKA_EXTRACTABLE will be set _by_default_ to
1692 	 * true -- leaving the possibility that it may be set FALSE by the
1693 	 * supplied attribute template.  If the precise template cannot be
1694 	 * supported, unwrap fails.  PKCS#11 spec, Sec. 11.14, C_UnwrapKey.
1695 	 *
1696 	 * Therefore, check the new object's NEVER_EXTRACTABLE_BOOL_ON and
1697 	 * ALWAYS_SENSITVE_BOOL_ON; if they are TRUE, the template must
1698 	 * have supplied them and therefore we cannot honor the unwrap.
1699 	 */
1700 	if ((new_objp->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) ||
1701 	    (new_objp->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON)) {
1702 		rv = CKR_TEMPLATE_INCONSISTENT;
1703 		goto cleanup_unwrap;
1704 	}
1705 
1706 	rv = soft_decrypt_init(session_p, pMechanism, unwrappingkey_p);
1707 	if (rv != CKR_OK)
1708 		goto cleanup_unwrap;
1709 
1710 	/* First get the length of the plain data */
1711 	rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, NULL,
1712 	    &plain_len);
1713 	if (rv != CKR_OK)
1714 		goto cleanup_unwrap;
1715 
1716 	/* Allocate space for the unwrapped data */
1717 	if ((plain_data = malloc(plain_len)) == NULL) {
1718 		rv = CKR_HOST_MEMORY;
1719 		goto cleanup_unwrap;
1720 	}
1721 	(void) memset(plain_data, 0x0, plain_len);
1722 
1723 	/* Perform actual decryption into the allocated space. */
1724 	rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, plain_data,
1725 	    &plain_len);
1726 	if (rv != CKR_OK)
1727 		goto cleanup_unwrap;
1728 
1729 	if (new_objp->class == CKO_SECRET_KEY) {
1730 		/*
1731 		 * Since no ASN.1 encoding is done for secret keys, check for
1732 		 * appropriateness and copy decrypted buffer to the key object.
1733 		 */
1734 
1735 		/* Check keytype and mechtype don't conflict with valuelen */
1736 		rv = soft_unwrap_secret_len_check(new_objp->key_type,
1737 		    pMechanism->mechanism, pTemplate, ulAttributeCount);
1738 		if (rv != CKR_OK)
1739 			goto cleanup_unwrap;
1740 
1741 		/*
1742 		 * Allocate the secret key structure if not already there;
1743 		 * it will exist for variable length keys since CKA_VALUE_LEN
1744 		 * is specified and saved, but not for fixed length keys.
1745 		 */
1746 		if (OBJ_SEC(new_objp) == NULL) {
1747 			if ((sck = calloc(1, sizeof (secret_key_obj_t))) ==
1748 			    NULL) {
1749 				rv = CKR_HOST_MEMORY;
1750 				goto cleanup_unwrap;
1751 			}
1752 			OBJ_SEC(new_objp) = sck;
1753 		}
1754 
1755 		switch (new_objp->key_type) {
1756 		/* Fixed length secret keys don't have CKA_VALUE_LEN */
1757 		case CKK_DES:
1758 			OBJ_SEC_VALUE_LEN(new_objp) = DES_KEYSIZE;
1759 			break;
1760 		case CKK_DES2:
1761 			OBJ_SEC_VALUE_LEN(new_objp) = DES2_KEYSIZE;
1762 			break;
1763 		case CKK_DES3:
1764 			OBJ_SEC_VALUE_LEN(new_objp) = DES3_KEYSIZE;
1765 			break;
1766 
1767 		/*
1768 		 * Variable length secret keys.  CKA_VALUE_LEN must be
1769 		 * provided by the template when mech is *_ECB or *_CBC, and
1770 		 * should already have been set during soft_gen_keyobject().
1771 		 * Otherwise we don't need CKA_VALUE_LEN.
1772 		 */
1773 		case CKK_GENERIC_SECRET:
1774 		case CKK_RC4:
1775 		case CKK_AES:
1776 		case CKK_BLOWFISH:
1777 			break;
1778 		default:
1779 			rv = CKR_WRAPPED_KEY_INVALID;
1780 			goto cleanup_unwrap;
1781 		};
1782 
1783 		if (OBJ_SEC_VALUE_LEN(new_objp) == 0) {
1784 			/* No CKA_VALUE_LEN set so set it now and save data */
1785 			OBJ_SEC_VALUE_LEN(new_objp) = plain_len;
1786 			OBJ_SEC_VALUE(new_objp) = plain_data;
1787 		} else if (OBJ_SEC_VALUE_LEN(new_objp) == plain_len) {
1788 			/* No need to truncate, just save the data */
1789 			OBJ_SEC_VALUE(new_objp) = plain_data;
1790 		} else if (OBJ_SEC_VALUE_LEN(new_objp) > plain_len) {
1791 			/* Length can't be bigger than what was decrypted */
1792 			rv = CKR_WRAPPED_KEY_LEN_RANGE;
1793 			goto cleanup_unwrap;
1794 		} else {	/* betw 0 and plain_len, hence padded */
1795 			/* Truncate the data before saving. */
1796 			OBJ_SEC_VALUE(new_objp) = realloc(plain_data,
1797 			    OBJ_SEC_VALUE_LEN(new_objp));
1798 			if (OBJ_SEC_VALUE(new_objp) == NULL) {
1799 				rv = CKR_HOST_MEMORY;
1800 				goto cleanup_unwrap;
1801 			}
1802 		}
1803 	} else {
1804 		/* BER-decode the object to be unwrapped. */
1805 		rv = soft_asn1_to_object(new_objp, plain_data, plain_len);
1806 		if (rv != CKR_OK)
1807 			goto cleanup_unwrap;
1808 	}
1809 
1810 	/* If it needs to be persistent, write it to the keystore */
1811 	if (IS_TOKEN_OBJECT(new_objp)) {
1812 		persistent = B_TRUE;
1813 		rv = soft_put_object_to_keystore(new_objp);
1814 		if (rv != CKR_OK)
1815 			goto cleanup_unwrap;
1816 	}
1817 
1818 	if (new_objp->class != CKO_SECRET_KEY) {
1819 		/* Clear buffer before returning to memory pool. */
1820 		freezero(plain_data, plain_len);
1821 	}
1822 
1823 	*phKey = (CK_OBJECT_HANDLE)new_objp;
1824 
1825 	return (CKR_OK);
1826 
1827 cleanup_unwrap:
1828 	/* The decrypted private key buffer must be freed explicitly. */
1829 	if ((new_objp->class != CKO_SECRET_KEY) && (plain_data != NULL)) {
1830 		/* Clear buffer before returning to memory pool. */
1831 		freezero(plain_data, plain_len);
1832 	}
1833 
1834 	/* sck and new_objp are indirectly free()d inside these functions */
1835 	if (IS_TOKEN_OBJECT(new_objp))
1836 		soft_delete_token_object(new_objp, persistent, B_FALSE);
1837 	else
1838 		soft_delete_object(session_p, new_objp, B_FALSE, B_FALSE);
1839 
1840 	return (rv);
1841 }
1842