1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
25 * Copyright (c) 2018, Joyent, Inc.
26 */
27
28 #include <stdlib.h>
29 #include <strings.h>
30 #include <sys/types.h>
31 #include <security/cryptoki.h>
32 #include "softObject.h"
33 #include "softOps.h"
34 #include "softSession.h"
35 #include "softMAC.h"
36 #include "softRSA.h"
37 #include "softDSA.h"
38 #include "softEC.h"
39 #include "softCrypt.h"
40
41 /*
42 * soft_sign_init()
43 *
44 * Arguments:
45 * session_p: pointer to soft_session_t struct
46 * pMechanism: pointer to CK_MECHANISM struct provided by application
47 * key_p: pointer to key soft_object_t struct
48 *
49 * Description:
50 * called by C_SignInit(). This function calls the corresponding
51 * sign init routine based on the mechanism.
52 *
53 */
54 CK_RV
soft_sign_init(soft_session_t * session_p,CK_MECHANISM_PTR pMechanism,soft_object_t * key_p)55 soft_sign_init(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
56 soft_object_t *key_p)
57 {
58
59 switch (pMechanism->mechanism) {
60
61 case CKM_SSL3_MD5_MAC:
62 case CKM_SSL3_SHA1_MAC:
63 case CKM_MD5_HMAC_GENERAL:
64 case CKM_MD5_HMAC:
65 case CKM_SHA_1_HMAC_GENERAL:
66 case CKM_SHA_1_HMAC:
67 case CKM_SHA256_HMAC_GENERAL:
68 case CKM_SHA256_HMAC:
69 case CKM_SHA384_HMAC_GENERAL:
70 case CKM_SHA384_HMAC:
71 case CKM_SHA512_HMAC_GENERAL:
72 case CKM_SHA512_HMAC:
73
74 return (soft_hmac_sign_verify_init_common(session_p,
75 pMechanism, key_p, B_TRUE));
76
77 case CKM_RSA_X_509:
78 case CKM_RSA_PKCS:
79 case CKM_MD5_RSA_PKCS:
80 case CKM_SHA1_RSA_PKCS:
81 case CKM_SHA256_RSA_PKCS:
82 case CKM_SHA384_RSA_PKCS:
83 case CKM_SHA512_RSA_PKCS:
84
85 return (soft_rsa_sign_verify_init_common(session_p, pMechanism,
86 key_p, B_TRUE));
87
88 case CKM_DSA:
89 case CKM_DSA_SHA1:
90
91 return (soft_dsa_sign_verify_init_common(session_p, pMechanism,
92 key_p, B_TRUE));
93
94 case CKM_ECDSA:
95 case CKM_ECDSA_SHA1:
96
97 return (soft_ecc_sign_verify_init_common(session_p, pMechanism,
98 key_p, B_TRUE));
99
100 case CKM_DES_MAC_GENERAL:
101 case CKM_DES_MAC:
102
103 return (soft_des_sign_verify_init_common(session_p, pMechanism,
104 key_p, B_TRUE));
105
106 case CKM_AES_CMAC_GENERAL:
107 case CKM_AES_CMAC:
108
109 return (soft_aes_sign_verify_init_common(session_p, pMechanism,
110 key_p, B_TRUE));
111
112 default:
113 return (CKR_MECHANISM_INVALID);
114 }
115
116 }
117
118
119 /*
120 * soft_sign()
121 *
122 * Arguments:
123 * session_p: pointer to soft_session_t struct
124 * pData: pointer to the input data to be signed
125 * ulDataLen: length of the input data
126 * pSignature: pointer to the signature after signing
127 * pulSignatureLen: pointer to the length of the signature
128 *
129 * Description:
130 * called by C_Sign(). This function calls the corresponding
131 * sign routine based on the mechanism.
132 *
133 */
134 CK_RV
soft_sign(soft_session_t * session_p,CK_BYTE_PTR pData,CK_ULONG ulDataLen,CK_BYTE_PTR pSignature,CK_ULONG_PTR pulSignatureLen)135 soft_sign(soft_session_t *session_p, CK_BYTE_PTR pData,
136 CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
137 CK_ULONG_PTR pulSignatureLen)
138 {
139
140 CK_MECHANISM_TYPE mechanism = session_p->sign.mech.mechanism;
141 CK_RV rv = CKR_OK;
142
143 switch (mechanism) {
144
145 case CKM_SSL3_MD5_MAC:
146 case CKM_SSL3_SHA1_MAC:
147 case CKM_MD5_HMAC_GENERAL:
148 case CKM_MD5_HMAC:
149 case CKM_SHA_1_HMAC_GENERAL:
150 case CKM_SHA_1_HMAC:
151 case CKM_SHA256_HMAC_GENERAL:
152 case CKM_SHA256_HMAC:
153 case CKM_SHA384_HMAC_GENERAL:
154 case CKM_SHA384_HMAC:
155 case CKM_SHA512_HMAC_GENERAL:
156 case CKM_SHA512_HMAC:
157 {
158 CK_BYTE hmac[SHA512_DIGEST_LENGTH]; /* use the maximum size */
159
160 if (pSignature != NULL) {
161 /* Pass local buffer to avoid overflow. */
162 rv = soft_hmac_sign_verify_common(session_p, pData,
163 ulDataLen, hmac, pulSignatureLen, B_TRUE);
164 } else {
165 /* Pass original pSignature, let callee to handle it. */
166 rv = soft_hmac_sign_verify_common(session_p, pData,
167 ulDataLen, pSignature, pulSignatureLen, B_TRUE);
168 }
169
170 if ((rv == CKR_OK) && (pSignature != NULL))
171 (void) memcpy(pSignature, hmac, *pulSignatureLen);
172
173 return (rv);
174 }
175 case CKM_DES_MAC_GENERAL:
176 case CKM_DES_MAC:
177 {
178 CK_BYTE signature[DES_BLOCK_LEN]; /* use the maximum size */
179
180 if (pSignature != NULL) {
181 /* Pass local buffer to avoid overflow. */
182 rv = soft_des_sign_verify_common(session_p, pData,
183 ulDataLen, signature, pulSignatureLen, B_TRUE,
184 B_FALSE);
185 } else {
186 /* Pass NULL, let callee to handle it. */
187 rv = soft_des_sign_verify_common(session_p, pData,
188 ulDataLen, NULL, pulSignatureLen, B_TRUE, B_FALSE);
189 }
190
191 if ((rv == CKR_OK) && (pSignature != NULL))
192 (void) memcpy(pSignature, signature, *pulSignatureLen);
193
194 return (rv);
195 }
196 case CKM_AES_CMAC_GENERAL:
197 case CKM_AES_CMAC:
198 {
199 CK_BYTE signature[AES_BLOCK_LEN];
200
201 if (pSignature != NULL) {
202 /* Pass local buffer to avoid overflow. */
203 rv = soft_aes_sign_verify_common(session_p, pData,
204 ulDataLen, signature, pulSignatureLen, B_TRUE,
205 B_FALSE);
206 } else {
207 /* Pass NULL, let callee handle it. */
208 rv = soft_aes_sign_verify_common(session_p, pData,
209 ulDataLen, NULL, pulSignatureLen, B_TRUE, B_FALSE);
210 }
211
212 if ((rv == CKR_OK) && (pSignature != NULL))
213 (void) memcpy(pSignature, signature, *pulSignatureLen);
214
215 return (rv);
216 }
217 case CKM_RSA_X_509:
218 case CKM_RSA_PKCS:
219
220 return (soft_rsa_sign_common(session_p, pData, ulDataLen,
221 pSignature, pulSignatureLen, mechanism));
222
223 case CKM_MD5_RSA_PKCS:
224 case CKM_SHA1_RSA_PKCS:
225 case CKM_SHA256_RSA_PKCS:
226 case CKM_SHA384_RSA_PKCS:
227 case CKM_SHA512_RSA_PKCS:
228
229 return (soft_rsa_digest_sign_common(session_p, pData, ulDataLen,
230 pSignature, pulSignatureLen, mechanism, B_FALSE));
231
232 case CKM_DSA:
233
234 return (soft_dsa_sign(session_p, pData, ulDataLen,
235 pSignature, pulSignatureLen));
236
237 case CKM_DSA_SHA1:
238
239 return (soft_dsa_digest_sign_common(session_p, pData, ulDataLen,
240 pSignature, pulSignatureLen, B_FALSE));
241
242 case CKM_ECDSA:
243
244 return (soft_ecc_sign(session_p, pData, ulDataLen,
245 pSignature, pulSignatureLen));
246
247 case CKM_ECDSA_SHA1:
248
249 return (soft_ecc_digest_sign_common(session_p, pData, ulDataLen,
250 pSignature, pulSignatureLen, B_FALSE));
251
252 default:
253 return (CKR_MECHANISM_INVALID);
254 }
255 }
256
257
258 /*
259 * soft_sign_update()
260 *
261 * Arguments:
262 * session_p: pointer to soft_session_t struct
263 * pPart: pointer to the input data to be signed
264 * ulPartLen: length of the input data
265 *
266 * Description:
267 * called by C_SignUpdate(). This function calls the corresponding
268 * sign update routine based on the mechanism.
269 *
270 */
271 CK_RV
soft_sign_update(soft_session_t * session_p,CK_BYTE_PTR pPart,CK_ULONG ulPartLen)272 soft_sign_update(soft_session_t *session_p, CK_BYTE_PTR pPart,
273 CK_ULONG ulPartLen)
274 {
275 CK_MECHANISM_TYPE mechanism = session_p->sign.mech.mechanism;
276
277 switch (mechanism) {
278
279 case CKM_SSL3_MD5_MAC:
280 case CKM_SSL3_SHA1_MAC:
281 case CKM_MD5_HMAC_GENERAL:
282 case CKM_MD5_HMAC:
283 case CKM_SHA_1_HMAC_GENERAL:
284 case CKM_SHA_1_HMAC:
285 case CKM_SHA256_HMAC_GENERAL:
286 case CKM_SHA256_HMAC:
287 case CKM_SHA384_HMAC_GENERAL:
288 case CKM_SHA384_HMAC:
289 case CKM_SHA512_HMAC_GENERAL:
290 case CKM_SHA512_HMAC:
291
292 return (soft_hmac_sign_verify_update(session_p, pPart,
293 ulPartLen, B_TRUE));
294
295 case CKM_DES_MAC_GENERAL:
296 case CKM_DES_MAC:
297
298 return (soft_des_mac_sign_verify_update(session_p, pPart,
299 ulPartLen));
300
301 case CKM_AES_CMAC_GENERAL:
302 case CKM_AES_CMAC:
303
304 return (soft_aes_mac_sign_verify_update(session_p, pPart,
305 ulPartLen));
306
307 case CKM_MD5_RSA_PKCS:
308 case CKM_SHA1_RSA_PKCS:
309 case CKM_SHA256_RSA_PKCS:
310 case CKM_SHA384_RSA_PKCS:
311 case CKM_SHA512_RSA_PKCS:
312 /*
313 * The MD5/SHA1 digest value is accumulated in the context
314 * of the multiple-part digesting operation. In the final
315 * operation, the digest is encoded and then perform RSA
316 * signing.
317 */
318 case CKM_DSA_SHA1:
319 case CKM_ECDSA_SHA1:
320
321 return (soft_digest_update(session_p, pPart, ulPartLen));
322
323 default:
324 /* PKCS11: The mechanism only supports single-part operation. */
325 return (CKR_MECHANISM_INVALID);
326 }
327 }
328
329
330 /*
331 * soft_sign_final()
332 *
333 * Arguments:
334 * session_p: pointer to soft_session_t struct
335 * pSignature: pointer to the signature after signing
336 * pulSignatureLen: pointer to the length of the signature
337 *
338 * Description:
339 * called by C_SignFinal(). This function calls the corresponding
340 * sign final routine based on the mechanism.
341 *
342 */
343 CK_RV
soft_sign_final(soft_session_t * session_p,CK_BYTE_PTR pSignature,CK_ULONG_PTR pulSignatureLen)344 soft_sign_final(soft_session_t *session_p, CK_BYTE_PTR pSignature,
345 CK_ULONG_PTR pulSignatureLen)
346 {
347
348 CK_MECHANISM_TYPE mechanism = session_p->sign.mech.mechanism;
349 CK_RV rv = CKR_OK;
350
351 switch (mechanism) {
352
353 case CKM_SSL3_MD5_MAC:
354 case CKM_SSL3_SHA1_MAC:
355 case CKM_MD5_HMAC_GENERAL:
356 case CKM_MD5_HMAC:
357 case CKM_SHA_1_HMAC_GENERAL:
358 case CKM_SHA_1_HMAC:
359 case CKM_SHA256_HMAC_GENERAL:
360 case CKM_SHA256_HMAC:
361 case CKM_SHA384_HMAC_GENERAL:
362 case CKM_SHA384_HMAC:
363 case CKM_SHA512_HMAC_GENERAL:
364 case CKM_SHA512_HMAC:
365 {
366 CK_BYTE hmac[SHA512_DIGEST_LENGTH]; /* use the maximum size */
367
368 if (pSignature != NULL) {
369 /* Pass local buffer to avoid overflow */
370 rv = soft_hmac_sign_verify_common(session_p, NULL,
371 0, hmac, pulSignatureLen, B_TRUE);
372 } else {
373 /* Pass original pSignature, let callee to handle it. */
374 rv = soft_hmac_sign_verify_common(session_p, NULL,
375 0, pSignature, pulSignatureLen, B_TRUE);
376 }
377
378 if ((rv == CKR_OK) && (pSignature != NULL))
379 (void) memcpy(pSignature, hmac, *pulSignatureLen);
380
381 return (rv);
382 }
383 case CKM_DES_MAC_GENERAL:
384 case CKM_DES_MAC:
385 {
386 CK_BYTE signature[DES_BLOCK_LEN]; /* use the maximum size */
387
388 if (pSignature != NULL) {
389 /* Pass local buffer to avoid overflow. */
390 rv = soft_des_sign_verify_common(session_p, NULL, 0,
391 signature, pulSignatureLen, B_TRUE, B_TRUE);
392 } else {
393 /* Pass NULL, let callee to handle it. */
394 rv = soft_des_sign_verify_common(session_p, NULL, 0,
395 NULL, pulSignatureLen, B_TRUE, B_TRUE);
396 }
397
398 if ((rv == CKR_OK) && (pSignature != NULL))
399 (void) memcpy(pSignature, signature, *pulSignatureLen);
400
401 return (rv);
402 }
403 case CKM_AES_CMAC_GENERAL:
404 case CKM_AES_CMAC:
405 {
406 CK_BYTE signature[AES_BLOCK_LEN]; /* use the maximum size */
407
408 if (pSignature != NULL) {
409 /* Pass local buffer to avoid overflow. */
410 rv = soft_aes_sign_verify_common(session_p, NULL, 0,
411 signature, pulSignatureLen, B_TRUE, B_TRUE);
412 } else {
413 /* Pass NULL, let callee handle it. */
414 rv = soft_aes_sign_verify_common(session_p, NULL, 0,
415 NULL, pulSignatureLen, B_TRUE, B_TRUE);
416 }
417
418 if ((rv == CKR_OK) && (pSignature != NULL))
419 (void) memcpy(pSignature, signature, *pulSignatureLen);
420
421 return (rv);
422 }
423 case CKM_MD5_RSA_PKCS:
424 case CKM_SHA1_RSA_PKCS:
425 case CKM_SHA256_RSA_PKCS:
426 case CKM_SHA384_RSA_PKCS:
427 case CKM_SHA512_RSA_PKCS:
428
429 return (soft_rsa_digest_sign_common(session_p, NULL, 0,
430 pSignature, pulSignatureLen, mechanism, B_TRUE));
431
432 case CKM_DSA_SHA1:
433
434 return (soft_dsa_digest_sign_common(session_p, NULL, 0,
435 pSignature, pulSignatureLen, B_TRUE));
436
437 case CKM_ECDSA_SHA1:
438
439 return (soft_ecc_digest_sign_common(session_p, NULL, 0,
440 pSignature, pulSignatureLen, B_TRUE));
441
442 default:
443 /* PKCS11: The mechanism only supports single-part operation. */
444 return (CKR_MECHANISM_INVALID);
445 }
446 }
447
448
449 CK_RV
soft_sign_recover_init(soft_session_t * session_p,CK_MECHANISM_PTR pMechanism,soft_object_t * key_p)450 soft_sign_recover_init(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
451 soft_object_t *key_p)
452 {
453
454 switch (pMechanism->mechanism) {
455
456 case CKM_RSA_X_509:
457 case CKM_RSA_PKCS:
458
459 return (soft_rsa_sign_verify_init_common(session_p, pMechanism,
460 key_p, B_TRUE));
461
462 default:
463 return (CKR_MECHANISM_INVALID);
464 }
465 }
466
467
468 CK_RV
soft_sign_recover(soft_session_t * session_p,CK_BYTE_PTR pData,CK_ULONG ulDataLen,CK_BYTE_PTR pSignature,CK_ULONG_PTR pulSignatureLen)469 soft_sign_recover(soft_session_t *session_p, CK_BYTE_PTR pData,
470 CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
471 CK_ULONG_PTR pulSignatureLen)
472 {
473
474 CK_MECHANISM_TYPE mechanism = session_p->sign.mech.mechanism;
475
476 switch (mechanism) {
477
478 case CKM_RSA_X_509:
479 case CKM_RSA_PKCS:
480
481 return (soft_rsa_sign_common(session_p, pData, ulDataLen,
482 pSignature, pulSignatureLen, mechanism));
483
484 default:
485 return (CKR_MECHANISM_INVALID);
486 }
487 }
488
489 /*
490 * This function frees the allocated active crypto context.
491 * It is only called by the first tier of sign/verify routines
492 * and the caller of this function may or may not hold the session mutex.
493 */
494 void
soft_sign_verify_cleanup(soft_session_t * session_p,boolean_t sign,boolean_t lock_held)495 soft_sign_verify_cleanup(soft_session_t *session_p, boolean_t sign,
496 boolean_t lock_held)
497 {
498
499 crypto_active_op_t *active_op;
500 boolean_t lock_true = B_TRUE;
501
502 if (!lock_held)
503 (void) pthread_mutex_lock(&session_p->session_mutex);
504
505 active_op = (sign) ? &(session_p->sign) : &(session_p->verify);
506
507 switch (active_op->mech.mechanism) {
508
509 case CKM_MD5_RSA_PKCS:
510 case CKM_SHA1_RSA_PKCS:
511 case CKM_SHA256_RSA_PKCS:
512 case CKM_SHA384_RSA_PKCS:
513 case CKM_SHA512_RSA_PKCS:
514 if (session_p->digest.context != NULL) {
515 free(session_p->digest.context);
516 session_p->digest.context = NULL;
517 session_p->digest.flags = 0;
518 }
519 /* FALLTHRU */
520
521 case CKM_RSA_PKCS:
522 case CKM_RSA_X_509:
523 {
524 soft_rsa_ctx_t *rsa_ctx =
525 (soft_rsa_ctx_t *)active_op->context;
526
527 if (rsa_ctx != NULL && rsa_ctx->key != NULL) {
528 soft_cleanup_object(rsa_ctx->key);
529 free(rsa_ctx->key);
530 }
531 break;
532
533 }
534 case CKM_DSA_SHA1:
535 if (session_p->digest.context != NULL) {
536 free(session_p->digest.context);
537 session_p->digest.context = NULL;
538 session_p->digest.flags = 0;
539 }
540
541 /* FALLTHRU */
542 case CKM_DSA:
543 {
544 soft_dsa_ctx_t *dsa_ctx =
545 (soft_dsa_ctx_t *)active_op->context;
546
547 if (dsa_ctx != NULL && dsa_ctx->key != NULL) {
548 soft_cleanup_object(dsa_ctx->key);
549 free(dsa_ctx->key);
550 }
551 break;
552
553 }
554 case CKM_SSL3_MD5_MAC:
555 case CKM_SSL3_SHA1_MAC:
556 case CKM_MD5_HMAC_GENERAL:
557 case CKM_MD5_HMAC:
558 case CKM_SHA_1_HMAC_GENERAL:
559 case CKM_SHA_1_HMAC:
560 case CKM_SHA256_HMAC_GENERAL:
561 case CKM_SHA256_HMAC:
562 case CKM_SHA384_HMAC_GENERAL:
563 case CKM_SHA384_HMAC:
564 case CKM_SHA512_HMAC_GENERAL:
565 case CKM_SHA512_HMAC:
566 if (active_op->context != NULL) {
567 explicit_bzero(active_op->context,
568 sizeof (soft_hmac_ctx_t));
569 }
570 break;
571 case CKM_DES_MAC_GENERAL:
572 case CKM_DES_MAC:
573 if (session_p->encrypt.context != NULL) {
574 free(session_p->encrypt.context);
575 session_p->encrypt.context = NULL;
576 session_p->encrypt.flags = 0;
577 }
578 if (active_op->context != NULL) {
579 explicit_bzero(active_op->context,
580 sizeof (soft_des_ctx_t));
581 }
582 break;
583
584 case CKM_AES_CMAC_GENERAL:
585 case CKM_AES_CMAC:
586 if (session_p->encrypt.context != NULL) {
587 soft_aes_free_ctx(session_p->encrypt.context);
588 session_p->encrypt.context = NULL;
589 session_p->encrypt.flags = 0;
590 }
591 if (active_op->context != NULL) {
592 explicit_bzero(active_op->context,
593 sizeof (soft_aes_sign_ctx_t));
594 }
595 break;
596
597 }
598
599 if (active_op->context != NULL) {
600 free(active_op->context);
601 active_op->context = NULL;
602 }
603
604 active_op->flags = 0;
605
606 if (!lock_held)
607 SES_REFRELE(session_p, lock_true);
608 }
609