1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 *
25 * Copyright 2020 Joyent, Inc.
26 */
27
28 #include <pthread.h>
29 #include <stdlib.h>
30 #include <string.h>
31 #include <strings.h>
32 #include <sys/types.h>
33 #include <security/cryptoki.h>
34 #include <sys/crypto/common.h>
35 #include <aes_impl.h>
36 #include <blowfish_impl.h>
37 #include <des_impl.h>
38 #include <arcfour.h>
39 #include <cryptoutil.h>
40 #include "softGlobal.h"
41 #include "softSession.h"
42 #include "softObject.h"
43 #include "softDSA.h"
44 #include "softRSA.h"
45 #include "softDH.h"
46 #include "softEC.h"
47 #include "softMAC.h"
48 #include "softOps.h"
49 #include "softKeys.h"
50 #include "softKeystore.h"
51 #include "softSSL.h"
52 #include "softASN1.h"
53
54
55 #define local_min(a, b) ((a) < (b) ? (a) : (b))
56
57 static CK_RV
58 soft_pkcs12_pbe(soft_session_t *, CK_MECHANISM_PTR, soft_object_t *);
59
60 /*
61 * Create a temporary key object struct by filling up its template attributes.
62 */
63 CK_RV
soft_gen_keyobject(CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount,soft_object_t ** objp,soft_session_t * sp,CK_OBJECT_CLASS class,CK_KEY_TYPE key_type,CK_ULONG keylen,CK_ULONG mode,boolean_t internal)64 soft_gen_keyobject(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
65 soft_object_t **objp, soft_session_t *sp,
66 CK_OBJECT_CLASS class, CK_KEY_TYPE key_type, CK_ULONG keylen, CK_ULONG mode,
67 boolean_t internal)
68 {
69 CK_RV rv;
70 soft_object_t *new_objp = NULL;
71
72 new_objp = calloc(1, sizeof (soft_object_t));
73 if (new_objp == NULL) {
74 return (CKR_HOST_MEMORY);
75 }
76
77 new_objp->extra_attrlistp = NULL;
78
79 /*
80 * Validate attribute template and fill in the attributes
81 * in the soft_object_t.
82 */
83 rv = soft_build_key(pTemplate, ulCount, new_objp, class, key_type,
84 keylen, mode);
85 if (rv != CKR_OK) {
86 goto fail_cleanup1;
87 }
88
89 /*
90 * If generating a key is an internal request (i.e. not a C_XXX
91 * API request), then skip the following checks.
92 */
93 if (!internal) {
94 rv = soft_pin_expired_check(new_objp);
95 if (rv != CKR_OK) {
96 goto fail_cleanup2;
97 }
98
99 rv = soft_object_write_access_check(sp, new_objp);
100 if (rv != CKR_OK) {
101 goto fail_cleanup2;
102 }
103 }
104
105 /* Initialize the rest of stuffs in soft_object_t. */
106 (void) pthread_mutex_init(&new_objp->object_mutex, NULL);
107 new_objp->magic_marker = SOFTTOKEN_OBJECT_MAGIC;
108
109 /* Write the new token object to the keystore */
110 if (IS_TOKEN_OBJECT(new_objp)) {
111 new_objp->version = 1;
112 new_objp->session_handle = CK_INVALID_HANDLE;
113 soft_add_token_object_to_slot(new_objp);
114
115 set_objecthandle(new_objp);
116 *objp = new_objp;
117
118 return (CKR_OK);
119 }
120
121 new_objp->session_handle = sp->handle;
122
123 /* Add the new object to the session's object list. */
124 soft_add_object_to_session(new_objp, sp);
125
126 set_objecthandle(new_objp);
127 *objp = new_objp;
128
129 return (CKR_OK);
130
131 fail_cleanup2:
132 /*
133 * When any error occurs after soft_build_key(), we will need to
134 * clean up the memory allocated by the soft_build_key().
135 */
136 soft_cleanup_object(new_objp);
137
138 fail_cleanup1:
139 if (new_objp) {
140 /*
141 * The storage allocated inside of this object should have
142 * been cleaned up by the soft_build_key() if it failed.
143 * Therefore, we can safely free the object.
144 */
145 free(new_objp);
146 }
147
148 return (rv);
149 }
150
151 CK_RV
soft_genkey(soft_session_t * session_p,CK_MECHANISM_PTR pMechanism,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount,CK_OBJECT_HANDLE_PTR phKey)152 soft_genkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
153 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey)
154 {
155
156 CK_RV rv = CKR_OK;
157 soft_object_t *secret_key;
158 CK_KEY_TYPE key_type;
159 CK_ULONG keylen = 0;
160 CK_ULONG i;
161 int des_strength = 0;
162 int retry = 0;
163 int keyfound = 0;
164 boolean_t is_ssl_mech = B_FALSE;
165
166 switch (pMechanism->mechanism) {
167 case CKM_DES_KEY_GEN:
168 key_type = CKK_DES;
169 break;
170
171 case CKM_DES2_KEY_GEN:
172 key_type = CKK_DES2;
173 break;
174
175 case CKM_DES3_KEY_GEN:
176 key_type = CKK_DES3;
177 break;
178
179 case CKM_AES_KEY_GEN:
180 key_type = CKK_AES;
181 break;
182
183 case CKM_BLOWFISH_KEY_GEN:
184 key_type = CKK_BLOWFISH;
185 break;
186
187 case CKM_RC4_KEY_GEN:
188 key_type = CKK_RC4;
189 break;
190
191 case CKM_SSL3_PRE_MASTER_KEY_GEN:
192 case CKM_TLS_PRE_MASTER_KEY_GEN:
193 if (pMechanism->pParameter == NULL ||
194 pMechanism->ulParameterLen != sizeof (CK_VERSION))
195 return (CKR_TEMPLATE_INCOMPLETE);
196 is_ssl_mech = B_TRUE;
197 key_type = CKK_GENERIC_SECRET;
198 keylen = 48;
199 break;
200
201 case CKM_PKCS5_PBKD2:
202 keyfound = 0;
203 for (i = 0; i < ulCount && !keyfound; i++) {
204 if (pTemplate[i].type == CKA_KEY_TYPE &&
205 pTemplate[i].pValue != NULL) {
206 key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue);
207 keyfound = 1;
208 }
209 }
210 if (!keyfound)
211 return (CKR_TEMPLATE_INCOMPLETE);
212 /*
213 * Make sure that parameters were given for this
214 * mechanism.
215 */
216 if (pMechanism->pParameter == NULL ||
217 pMechanism->ulParameterLen !=
218 sizeof (CK_PKCS5_PBKD2_PARAMS))
219 return (CKR_TEMPLATE_INCOMPLETE);
220 break;
221
222 case CKM_PBE_SHA1_RC4_128:
223 keyfound = 0;
224 for (i = 0; i < ulCount; i++) {
225 if (pTemplate[i].type == CKA_KEY_TYPE &&
226 pTemplate[i].pValue != NULL) {
227 key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue);
228 keyfound = 1;
229 }
230 if (pTemplate[i].type == CKA_VALUE_LEN &&
231 pTemplate[i].pValue != NULL) {
232 keylen = *((CK_ULONG*)pTemplate[i].pValue);
233 }
234 }
235 /* If a keytype was specified, it had better be CKK_RC4 */
236 if (keyfound && key_type != CKK_RC4)
237 return (CKR_TEMPLATE_INCONSISTENT);
238 else if (!keyfound)
239 key_type = CKK_RC4;
240
241 /* If key length was specified, it better be 16 bytes */
242 if (keylen != 0 && keylen != 16)
243 return (CKR_TEMPLATE_INCONSISTENT);
244
245 /*
246 * Make sure that parameters were given for this
247 * mechanism.
248 */
249 if (pMechanism->pParameter == NULL ||
250 pMechanism->ulParameterLen !=
251 sizeof (CK_PBE_PARAMS))
252 return (CKR_TEMPLATE_INCOMPLETE);
253 break;
254 default:
255 return (CKR_MECHANISM_INVALID);
256 }
257
258 /* Create a new object for secret key. */
259 rv = soft_gen_keyobject(pTemplate, ulCount, &secret_key, session_p,
260 CKO_SECRET_KEY, key_type, keylen, SOFT_GEN_KEY, B_FALSE);
261
262 if (rv != CKR_OK) {
263 return (rv);
264 }
265
266 switch (pMechanism->mechanism) {
267 case CKM_DES_KEY_GEN:
268 /*
269 * Set up key value len since it is not a required
270 * attribute for C_GenerateKey.
271 */
272 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
273 des_strength = DES;
274 break;
275
276 case CKM_DES2_KEY_GEN:
277 /*
278 * Set up key value len since it is not a required
279 * attribute for C_GenerateKey.
280 */
281 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES2_KEYSIZE;
282 des_strength = DES2;
283 break;
284
285 case CKM_DES3_KEY_GEN:
286 /*
287 * Set up key value len since it is not a required
288 * attribute for C_GenerateKey.
289 */
290 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE;
291 des_strength = DES3;
292 break;
293
294 case CKM_SSL3_PRE_MASTER_KEY_GEN:
295 case CKM_TLS_PRE_MASTER_KEY_GEN:
296 secret_key->bool_attr_mask |= DERIVE_BOOL_ON;
297 /* FALLTHRU */
298
299 case CKM_AES_KEY_GEN:
300 case CKM_BLOWFISH_KEY_GEN:
301 case CKM_PBE_SHA1_RC4_128:
302 case CKM_RC4_KEY_GEN:
303 keylen = OBJ_SEC_VALUE_LEN(secret_key);
304 break;
305
306 case CKM_PKCS5_PBKD2:
307 /*
308 * PKCS#11 does not allow one to specify key
309 * sizes for DES and 3DES, so we must set it here
310 * when using PBKD2 algorithms.
311 */
312 if (key_type == CKK_DES) {
313 OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
314 des_strength = DES;
315 } else if (key_type == CKK_DES3) {
316 OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE;
317 des_strength = DES3;
318 }
319
320 keylen = OBJ_SEC_VALUE_LEN(secret_key);
321 break;
322 }
323
324 if ((OBJ_SEC_VALUE(secret_key) = malloc(keylen)) == NULL) {
325 if (IS_TOKEN_OBJECT(secret_key))
326 soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
327 else
328 soft_delete_object(session_p, secret_key,
329 B_FALSE, B_FALSE);
330
331 return (CKR_HOST_MEMORY);
332 }
333 switch (pMechanism->mechanism) {
334 case CKM_PBE_SHA1_RC4_128:
335 /*
336 * Use the PBE algorithm described in PKCS#11 section
337 * 12.33 to derive the key.
338 */
339 rv = soft_pkcs12_pbe(session_p, pMechanism, secret_key);
340 break;
341 case CKM_PKCS5_PBKD2:
342 /* Generate keys using PKCS#5 PBKD2 algorithm */
343 rv = soft_generate_pkcs5_pbkdf2_key(session_p, pMechanism,
344 secret_key);
345 if (rv == CKR_OK && des_strength > 0) {
346 /* Perform weak key checking for DES and DES3. */
347 if (des_keycheck(OBJ_SEC_VALUE(secret_key),
348 des_strength, OBJ_SEC_VALUE(secret_key)) ==
349 B_FALSE) {
350 /* We got a weak secret key. */
351 rv = CKR_FUNCTION_FAILED;
352 }
353 }
354 break;
355 default:
356 do {
357 /* If this fails, bail out */
358 rv = CKR_OK;
359 if (pkcs11_get_urandom(
360 OBJ_SEC_VALUE(secret_key), keylen) < 0) {
361 rv = CKR_DEVICE_ERROR;
362 break;
363 }
364
365 /* Perform weak key checking for DES and DES3. */
366 if (des_strength > 0) {
367 rv = CKR_OK;
368 if (des_keycheck(OBJ_SEC_VALUE(secret_key),
369 des_strength, OBJ_SEC_VALUE(secret_key)) ==
370 B_FALSE) {
371 /* We got a weak key, retry! */
372 retry++;
373 rv = CKR_FUNCTION_FAILED;
374 }
375 }
376 /*
377 * Copy over the SSL client version For SSL mechs
378 * The first two bytes of the key is the version
379 */
380 if (is_ssl_mech)
381 bcopy(pMechanism->pParameter,
382 OBJ_SEC_VALUE(secret_key),
383 sizeof (CK_VERSION));
384
385 } while (rv != CKR_OK && retry < KEYGEN_RETRY);
386 if (retry == KEYGEN_RETRY)
387 rv = CKR_FUNCTION_FAILED;
388 break;
389 }
390
391 if (rv != CKR_OK)
392 if (IS_TOKEN_OBJECT(secret_key))
393 soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
394 else
395 soft_delete_object(session_p, secret_key,
396 B_FALSE, B_FALSE);
397
398 if (IS_TOKEN_OBJECT(secret_key)) {
399 /*
400 * All the info has been filled, so we can write to
401 * keystore now.
402 */
403 rv = soft_put_object_to_keystore(secret_key);
404 if (rv != CKR_OK)
405 soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
406 }
407
408 *phKey = secret_key->handle;
409 return (rv);
410 }
411
412 CK_RV
soft_genkey_pair(soft_session_t * session_p,CK_MECHANISM_PTR pMechanism,CK_ATTRIBUTE_PTR pPublicKeyTemplate,CK_ULONG ulPublicAttrCount,CK_ATTRIBUTE_PTR pPrivateKeyTemplate,CK_ULONG ulPrivateAttrCount,CK_OBJECT_HANDLE_PTR phPublicKey,CK_OBJECT_HANDLE_PTR phPrivateKey)413 soft_genkey_pair(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
414 CK_ATTRIBUTE_PTR pPublicKeyTemplate, CK_ULONG ulPublicAttrCount,
415 CK_ATTRIBUTE_PTR pPrivateKeyTemplate, CK_ULONG ulPrivateAttrCount,
416 CK_OBJECT_HANDLE_PTR phPublicKey, CK_OBJECT_HANDLE_PTR phPrivateKey)
417 {
418
419 CK_RV rv;
420 soft_object_t *public_key, *private_key;
421 CK_KEY_TYPE key_type;
422
423 switch (pMechanism->mechanism) {
424
425 case CKM_RSA_PKCS_KEY_PAIR_GEN:
426 key_type = CKK_RSA;
427 break;
428
429 case CKM_DSA_KEY_PAIR_GEN:
430 key_type = CKK_DSA;
431 break;
432
433 case CKM_DH_PKCS_KEY_PAIR_GEN:
434 key_type = CKK_DH;
435 break;
436
437 case CKM_EC_KEY_PAIR_GEN:
438 key_type = CKK_EC;
439 break;
440
441 default:
442 return (CKR_MECHANISM_INVALID);
443 }
444
445 /* Create a new object for public key. */
446 rv = soft_gen_keyobject(pPublicKeyTemplate, ulPublicAttrCount,
447 &public_key, session_p, CKO_PUBLIC_KEY, key_type, 0,
448 SOFT_GEN_KEY, B_FALSE);
449
450 if (rv != CKR_OK) {
451 return (rv);
452 }
453
454 /* Create a new object for private key. */
455 rv = soft_gen_keyobject(pPrivateKeyTemplate, ulPrivateAttrCount,
456 &private_key, session_p, CKO_PRIVATE_KEY, key_type, 0,
457 SOFT_GEN_KEY, B_FALSE);
458
459 if (rv != CKR_OK) {
460 /*
461 * Both public key and private key must be successful.
462 */
463 if (IS_TOKEN_OBJECT(public_key))
464 soft_delete_token_object(public_key, B_FALSE, B_FALSE);
465 else
466 soft_delete_object(session_p, public_key,
467 B_FALSE, B_FALSE);
468 return (rv);
469 }
470
471 /*
472 * At this point, both public key and private key objects
473 * are settled with the application specified attributes.
474 * We are ready to generate the rest of key attributes based
475 * on the existing attributes.
476 */
477
478 switch (key_type) {
479 case CKK_RSA:
480 rv = soft_rsa_genkey_pair(public_key, private_key);
481 break;
482
483 case CKK_DSA:
484 rv = soft_dsa_genkey_pair(public_key, private_key);
485 break;
486
487 case CKK_DH:
488 rv = soft_dh_genkey_pair(public_key, private_key);
489 private_key->bool_attr_mask |= DERIVE_BOOL_ON;
490 break;
491 case CKK_EC:
492 rv = soft_ec_genkey_pair(public_key, private_key);
493 private_key->bool_attr_mask |= DERIVE_BOOL_ON;
494 break;
495 }
496
497 if (rv != CKR_OK) {
498 if (IS_TOKEN_OBJECT(public_key)) {
499 soft_delete_token_object(public_key, B_FALSE, B_FALSE);
500 soft_delete_token_object(private_key, B_FALSE, B_FALSE);
501 } else {
502 soft_delete_object(session_p, public_key,
503 B_FALSE, B_FALSE);
504 soft_delete_object(session_p, private_key,
505 B_FALSE, B_FALSE);
506 }
507 return (rv);
508 }
509
510 if (IS_TOKEN_OBJECT(public_key)) {
511 /*
512 * All the info has been filled, so we can write to
513 * keystore now.
514 */
515 rv = soft_put_object_to_keystore(public_key);
516 if (rv != CKR_OK) {
517 soft_delete_token_object(public_key, B_FALSE, B_FALSE);
518 soft_delete_token_object(private_key, B_FALSE, B_FALSE);
519 return (rv);
520 }
521 }
522
523 if (IS_TOKEN_OBJECT(private_key)) {
524 rv = soft_put_object_to_keystore(private_key);
525 if (rv != CKR_OK) {
526 /*
527 * We also need to delete the public token object
528 * from keystore.
529 */
530 soft_delete_token_object(public_key, B_TRUE, B_FALSE);
531 soft_delete_token_object(private_key, B_FALSE, B_FALSE);
532 }
533 }
534
535 *phPublicKey = public_key->handle;
536 *phPrivateKey = private_key->handle;
537
538 return (rv);
539 }
540
541
542 CK_RV
soft_key_derive_check_length(soft_object_t * secret_key,CK_ULONG max_keylen)543 soft_key_derive_check_length(soft_object_t *secret_key, CK_ULONG max_keylen)
544 {
545
546 switch (secret_key->key_type) {
547 case CKK_GENERIC_SECRET:
548 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
549 OBJ_SEC_VALUE_LEN(secret_key) = max_keylen;
550 return (CKR_OK);
551 } else if (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen) {
552 return (CKR_ATTRIBUTE_VALUE_INVALID);
553 }
554 break;
555 case CKK_RC4:
556 case CKK_AES:
557 case CKK_BLOWFISH:
558 if ((OBJ_SEC_VALUE_LEN(secret_key) == 0) ||
559 (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen)) {
560 /* RC4 and AES has variable key length */
561 return (CKR_ATTRIBUTE_VALUE_INVALID);
562 }
563 break;
564 case CKK_DES:
565 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
566 /* DES has a well-defined length */
567 OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
568 return (CKR_OK);
569 } else if (OBJ_SEC_VALUE_LEN(secret_key) != DES_KEYSIZE) {
570 return (CKR_ATTRIBUTE_VALUE_INVALID);
571 }
572 break;
573 case CKK_DES2:
574 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
575 /* DES2 has a well-defined length */
576 OBJ_SEC_VALUE_LEN(secret_key) = DES2_KEYSIZE;
577 return (CKR_OK);
578 } else if (OBJ_SEC_VALUE_LEN(secret_key) != DES2_KEYSIZE) {
579 return (CKR_ATTRIBUTE_VALUE_INVALID);
580 }
581 break;
582
583 default:
584 return (CKR_MECHANISM_INVALID);
585 }
586
587 return (CKR_OK);
588 }
589
590 /*
591 * PKCS#11 (12.33) says that v = 512 bits (64 bytes) for SHA1
592 * PBE methods.
593 */
594 #define PKCS12_BUFFER_SIZE 64
595 /*
596 * PKCS#12 defines 3 different ID bytes to be used for
597 * deriving keys for different operations.
598 */
599 #define PBE_ID_ENCRYPT 1
600 #define PBE_ID_IV 2
601 #define PBE_ID_MAC 3
602 #define PBE_CEIL(a, b) (((a)/(b)) + (((a)%(b)) > 0))
603
604 static CK_RV
soft_pkcs12_pbe(soft_session_t * session_p,CK_MECHANISM_PTR pMechanism,soft_object_t * derived_key)605 soft_pkcs12_pbe(soft_session_t *session_p,
606 CK_MECHANISM_PTR pMechanism, soft_object_t *derived_key)
607 {
608 CK_RV rv = CKR_OK;
609 CK_PBE_PARAMS *params = pMechanism->pParameter;
610 CK_ULONG c, i, j, k;
611 CK_ULONG hashSize;
612 CK_ULONG buffSize;
613 /*
614 * Terse variable names are used to make following
615 * the PKCS#12 spec easier.
616 */
617 CK_BYTE *A = NULL;
618 CK_BYTE *Ai = NULL;
619 CK_BYTE *B = NULL;
620 CK_BYTE *D = NULL;
621 CK_BYTE *I = NULL, *S, *P;
622 CK_BYTE *keybuf = NULL;
623 CK_ULONG Alen, Ilen, Slen, Plen, AiLen, Blen, Dlen;
624 CK_ULONG keysize = OBJ_SEC_VALUE_LEN(derived_key);
625 CK_MECHANISM digest_mech;
626
627 /* U = hash function output bits */
628 if (pMechanism->mechanism == CKM_PBE_SHA1_RC4_128) {
629 hashSize = SHA1_HASH_SIZE;
630 buffSize = PKCS12_BUFFER_SIZE;
631 digest_mech.mechanism = CKM_SHA_1;
632 digest_mech.pParameter = NULL;
633 digest_mech.ulParameterLen = 0;
634 } else {
635 /* we only support 1 PBE mech for now */
636 return (CKR_MECHANISM_INVALID);
637 }
638 keybuf = OBJ_SEC_VALUE(derived_key);
639
640 Blen = Dlen = buffSize;
641 D = (CK_BYTE *)malloc(Dlen);
642 if (D == NULL) {
643 rv = CKR_HOST_MEMORY;
644 goto cleanup;
645 }
646
647 B = (CK_BYTE *)malloc(Blen);
648 if (B == NULL) {
649 rv = CKR_HOST_MEMORY;
650 goto cleanup;
651 }
652
653 /*
654 * Initialize some values and create some buffers
655 * that we need later.
656 *
657 * Slen = buffSize * CEIL(SaltLength/buffSize)
658 */
659 Slen = buffSize * PBE_CEIL(params->ulSaltLen, buffSize);
660
661 /*
662 * Plen = buffSize * CEIL(PasswordLength/buffSize)
663 */
664 Plen = buffSize * PBE_CEIL(params->ulPasswordLen, buffSize);
665
666 /*
667 * From step 4: I = S + P, so: Ilen = Slen + Plen
668 */
669 Ilen = Slen + Plen;
670 I = (CK_BYTE *)malloc(Ilen);
671 if (I == NULL) {
672 rv = CKR_HOST_MEMORY;
673 goto cleanup;
674 }
675
676 S = I;
677 P = I + Slen;
678
679 /*
680 * Step 1.
681 * We are only interested in deriving keys for encrypt/decrypt
682 * for now, so construct the "D"iversifier accordingly.
683 */
684 (void) memset(D, PBE_ID_ENCRYPT, Dlen);
685
686 /*
687 * Step 2.
688 * Concatenate copies of the salt together to make S.
689 */
690 for (i = 0; i < Slen; i += params->ulSaltLen) {
691 (void) memcpy(S+i, params->pSalt,
692 ((Slen - i) > params->ulSaltLen ?
693 params->ulSaltLen : (Slen - i)));
694 }
695
696 /*
697 * Step 3.
698 * Concatenate copies of the password together to make
699 * a string P.
700 */
701 for (i = 0; i < Plen; i += params->ulPasswordLen) {
702 (void) memcpy(P+i, params->pPassword,
703 ((Plen - i) > params->ulPasswordLen ?
704 params->ulPasswordLen : (Plen - i)));
705 }
706
707 /*
708 * Step 4.
709 * I = S+P - this is now done because S and P are
710 * pointers into I.
711 *
712 * Step 5.
713 * c= CEIL[n/u]
714 * where n = pseudorandom bits of output desired.
715 */
716 c = PBE_CEIL(keysize, hashSize);
717
718 /*
719 * Step 6.
720 */
721 Alen = c * hashSize;
722 A = (CK_BYTE *)malloc(Alen);
723 if (A == NULL) {
724 rv = CKR_HOST_MEMORY;
725 goto cleanup;
726 }
727 AiLen = hashSize;
728 Ai = (CK_BYTE *)malloc(AiLen);
729 if (Ai == NULL) {
730 rv = CKR_HOST_MEMORY;
731 goto cleanup;
732 }
733
734 /*
735 * Step 6a.
736 * Ai = Hr(D+I)
737 */
738 for (i = 0; i < c; i++) {
739 (void) pthread_mutex_lock(&session_p->session_mutex);
740
741 if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) {
742 (void) pthread_mutex_unlock(&session_p->session_mutex);
743 rv = CKR_OPERATION_ACTIVE;
744 goto cleanup;
745 }
746 session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE;
747 (void) pthread_mutex_unlock(&session_p->session_mutex);
748
749 for (j = 0; j < params->ulIteration; j++) {
750 rv = soft_digest_init(session_p, &digest_mech);
751 if (rv != CKR_OK)
752 goto digest_done;
753
754 if (j == 0) {
755 rv = soft_digest_update(session_p, D, Dlen);
756 if (rv != CKR_OK)
757 goto digest_done;
758
759 rv = soft_digest_update(session_p, I, Ilen);
760 } else {
761 rv = soft_digest_update(session_p, Ai, AiLen);
762 }
763 if (rv != CKR_OK)
764 goto digest_done;
765
766 rv = soft_digest_final(session_p, Ai, &AiLen);
767 if (rv != CKR_OK)
768 goto digest_done;
769 }
770 digest_done:
771 (void) pthread_mutex_lock(&session_p->session_mutex);
772 session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE;
773 (void) pthread_mutex_unlock(&session_p->session_mutex);
774
775 if (rv != CKR_OK)
776 goto cleanup;
777 /*
778 * Step 6b.
779 * Concatenate Ai to make B
780 */
781 for (j = 0; j < Blen; j += hashSize) {
782 (void) memcpy(B+j, Ai, ((Blen - j > hashSize) ?
783 hashSize : Blen - j));
784 }
785
786 /*
787 * Step 6c.
788 */
789 k = Ilen / Blen;
790 for (j = 0; j < k; j++) {
791 uchar_t idx;
792 CK_ULONG m, q = 1, cbit = 0;
793
794 for (m = Blen - 1; m >= (CK_ULONG)0; m--, q = 0) {
795 idx = m + j*Blen;
796
797 q += (CK_ULONG)I[idx] + (CK_ULONG)B[m];
798 q += cbit;
799 I[idx] = (CK_BYTE)(q & 0xff);
800 cbit = (q > 0xff);
801 }
802 }
803
804 /*
805 * Step 7.
806 * A += Ai
807 */
808 (void) memcpy(A + i*hashSize, Ai, AiLen);
809 }
810
811 /*
812 * Step 8.
813 * The final output of this process is the A buffer
814 */
815 (void) memcpy(keybuf, A, keysize);
816
817 cleanup:
818 freezero(A, Alen);
819 freezero(Ai, AiLen);
820 freezero(B, Blen);
821 freezero(D, Dlen);
822 freezero(I, Ilen);
823 return (rv);
824 }
825
826 CK_RV
soft_derivekey(soft_session_t * session_p,CK_MECHANISM_PTR pMechanism,soft_object_t * basekey_p,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulAttributeCount,CK_OBJECT_HANDLE_PTR phKey)827 soft_derivekey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
828 soft_object_t *basekey_p, CK_ATTRIBUTE_PTR pTemplate,
829 CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey)
830 {
831
832 CK_RV rv = CKR_OK;
833 soft_object_t *secret_key;
834 CK_MECHANISM digest_mech;
835 CK_BYTE hash[SHA512_DIGEST_LENGTH]; /* space enough for all mechs */
836 CK_ULONG hash_len = SHA512_DIGEST_LENGTH;
837 CK_ULONG secret_key_len;
838 CK_ULONG hash_size;
839
840 switch (pMechanism->mechanism) {
841 case CKM_DH_PKCS_DERIVE:
842 if (phKey == NULL_PTR)
843 return (CKR_ARGUMENTS_BAD);
844
845 /*
846 * Create a new object for secret key. The key type should
847 * be provided in the template.
848 */
849 rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
850 &secret_key, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL,
851 0, SOFT_DERIVE_KEY_DH, B_FALSE);
852
853 if (rv != CKR_OK) {
854 return (rv);
855 }
856
857 rv = soft_dh_key_derive(basekey_p, secret_key,
858 (CK_BYTE *)pMechanism->pParameter,
859 pMechanism->ulParameterLen);
860
861 if (rv != CKR_OK) {
862 if (IS_TOKEN_OBJECT(secret_key))
863 soft_delete_token_object(secret_key, B_FALSE,
864 B_FALSE);
865 else
866 soft_delete_object(session_p, secret_key,
867 B_FALSE, B_FALSE);
868 return (rv);
869 }
870
871 break;
872
873 case CKM_ECDH1_DERIVE:
874 if (phKey == NULL_PTR)
875 return (CKR_ARGUMENTS_BAD);
876
877 /*
878 * Create a new object for secret key. The key type should
879 * be provided in the template.
880 */
881 rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
882 &secret_key, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL,
883 0, SOFT_DERIVE_KEY_DH, B_FALSE);
884
885 if (rv != CKR_OK) {
886 return (rv);
887 }
888
889 rv = soft_ec_key_derive(basekey_p, secret_key,
890 (CK_BYTE *)pMechanism->pParameter,
891 pMechanism->ulParameterLen);
892
893 if (rv != CKR_OK) {
894 if (IS_TOKEN_OBJECT(secret_key))
895 soft_delete_token_object(secret_key, B_FALSE,
896 B_FALSE);
897 else
898 soft_delete_object(session_p, secret_key,
899 B_FALSE, B_FALSE);
900 return (rv);
901 }
902
903 break;
904
905 case CKM_SHA1_KEY_DERIVATION:
906 hash_size = SHA1_HASH_SIZE;
907 digest_mech.mechanism = CKM_SHA_1;
908 goto common;
909
910 case CKM_MD5_KEY_DERIVATION:
911 hash_size = MD5_HASH_SIZE;
912 digest_mech.mechanism = CKM_MD5;
913 goto common;
914
915 case CKM_SHA256_KEY_DERIVATION:
916 hash_size = SHA256_DIGEST_LENGTH;
917 digest_mech.mechanism = CKM_SHA256;
918 goto common;
919
920 case CKM_SHA384_KEY_DERIVATION:
921 hash_size = SHA384_DIGEST_LENGTH;
922 digest_mech.mechanism = CKM_SHA384;
923 goto common;
924
925 case CKM_SHA512_KEY_DERIVATION:
926 hash_size = SHA512_DIGEST_LENGTH;
927 digest_mech.mechanism = CKM_SHA512;
928 goto common;
929
930 case CKM_SHA512_224_KEY_DERIVATION:
931 hash_size = SHA512_224_DIGEST_LENGTH;
932 digest_mech.mechanism = CKM_SHA512_224;
933 goto common;
934
935 case CKM_SHA512_256_KEY_DERIVATION:
936 hash_size = SHA512_256_DIGEST_LENGTH;
937 digest_mech.mechanism = CKM_SHA512_256;
938 goto common;
939
940 common:
941 if (phKey == NULL_PTR)
942 return (CKR_ARGUMENTS_BAD);
943
944 /*
945 * Create a new object for secret key. The key type is optional
946 * to be provided in the template. If it is not specified in
947 * the template, the default is CKK_GENERIC_SECRET.
948 */
949 rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
950 &secret_key, session_p, CKO_SECRET_KEY,
951 (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0,
952 SOFT_DERIVE_KEY_OTHER, B_FALSE);
953
954 if (rv != CKR_OK) {
955 return (rv);
956 }
957
958 /* Validate the key type and key length */
959 rv = soft_key_derive_check_length(secret_key, hash_size);
960 if (rv != CKR_OK) {
961 if (IS_TOKEN_OBJECT(secret_key))
962 soft_delete_token_object(secret_key, B_FALSE,
963 B_FALSE);
964 else
965 soft_delete_object(session_p, secret_key,
966 B_FALSE, B_FALSE);
967 return (rv);
968 }
969
970 /*
971 * Derive the secret key by digesting the value of another
972 * secret key (base key) with SHA-1 or MD5.
973 */
974 rv = soft_digest_init_internal(session_p, &digest_mech);
975 if (rv != CKR_OK) {
976 if (IS_TOKEN_OBJECT(secret_key))
977 soft_delete_token_object(secret_key, B_FALSE,
978 B_FALSE);
979 else
980 soft_delete_object(session_p, secret_key,
981 B_FALSE, B_FALSE);
982 return (rv);
983 }
984
985 rv = soft_digest(session_p, OBJ_SEC_VALUE(basekey_p),
986 OBJ_SEC_VALUE_LEN(basekey_p), hash, &hash_len);
987
988 (void) pthread_mutex_lock(&session_p->session_mutex);
989 /* soft_digest_common() has freed the digest context */
990 session_p->digest.flags = 0;
991 (void) pthread_mutex_unlock(&session_p->session_mutex);
992
993 if (rv != CKR_OK) {
994 if (IS_TOKEN_OBJECT(secret_key))
995 soft_delete_token_object(secret_key, B_FALSE,
996 B_FALSE);
997 else
998 soft_delete_object(session_p, secret_key,
999 B_FALSE, B_FALSE);
1000 return (rv);
1001 }
1002
1003 secret_key_len = OBJ_SEC_VALUE_LEN(secret_key);
1004
1005 if ((OBJ_SEC_VALUE(secret_key) = malloc(secret_key_len)) ==
1006 NULL) {
1007 if (IS_TOKEN_OBJECT(secret_key))
1008 soft_delete_token_object(secret_key, B_FALSE,
1009 B_FALSE);
1010 else
1011 soft_delete_object(session_p, secret_key,
1012 B_FALSE, B_FALSE);
1013 return (CKR_HOST_MEMORY);
1014 }
1015
1016 /*
1017 * The key produced by this mechanism will be of the
1018 * specified type and length.
1019 * The truncation removes extra bytes from the leading
1020 * of the digested key value.
1021 */
1022 (void) memcpy(OBJ_SEC_VALUE(secret_key),
1023 (hash + hash_len - secret_key_len),
1024 secret_key_len);
1025
1026 break;
1027
1028 /*
1029 * The key sensitivity and extractability rules for the generated
1030 * keys will be enforced inside soft_ssl_master_key_derive() and
1031 * soft_ssl_key_and_mac_derive()
1032 */
1033 case CKM_SSL3_MASTER_KEY_DERIVE:
1034 case CKM_SSL3_MASTER_KEY_DERIVE_DH:
1035 case CKM_TLS_MASTER_KEY_DERIVE:
1036 case CKM_TLS_MASTER_KEY_DERIVE_DH:
1037 if (phKey == NULL_PTR)
1038 return (CKR_ARGUMENTS_BAD);
1039 return (soft_ssl_master_key_derive(session_p, pMechanism,
1040 basekey_p, pTemplate, ulAttributeCount, phKey));
1041
1042 case CKM_SSL3_KEY_AND_MAC_DERIVE:
1043 case CKM_TLS_KEY_AND_MAC_DERIVE:
1044 /* These mechanisms do not use phKey */
1045 return (soft_ssl_key_and_mac_derive(session_p, pMechanism,
1046 basekey_p, pTemplate, ulAttributeCount));
1047
1048 case CKM_TLS_PRF:
1049 /* This mechanism does not use phKey */
1050 if (pMechanism->pParameter == NULL ||
1051 pMechanism->ulParameterLen != sizeof (CK_TLS_PRF_PARAMS) ||
1052 phKey != NULL)
1053 return (CKR_ARGUMENTS_BAD);
1054
1055 if (pTemplate != NULL)
1056 return (CKR_TEMPLATE_INCONSISTENT);
1057
1058 return (derive_tls_prf(
1059 (CK_TLS_PRF_PARAMS_PTR)pMechanism->pParameter, basekey_p));
1060
1061 default:
1062 return (CKR_MECHANISM_INVALID);
1063 }
1064
1065 soft_derive_enforce_flags(basekey_p, secret_key);
1066
1067 if (IS_TOKEN_OBJECT(secret_key)) {
1068 /*
1069 * All the info has been filled, so we can write to
1070 * keystore now.
1071 */
1072 rv = soft_put_object_to_keystore(secret_key);
1073 if (rv != CKR_OK)
1074 soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
1075 }
1076
1077 /*
1078 * Some mechanisms don't use phKey either because they create
1079 * multiple key objects and instead populate a structure passed in
1080 * as a field in their pParameter parameter with the resulting key
1081 * objects (e.g. CKM_TLS_KEY_AND_MAC_DERIVE) or they instead write
1082 * their result to an output buffer passed in their pParameter
1083 * parameter (e.g. CKM_TLS_PRF). All such mechanisms return prior
1084 * to reaching here. The remaining mechanisms (which do use phKey)
1085 * should have already validated phKey is not NULL prior to doing
1086 * their key derivation.
1087 */
1088 *phKey = secret_key->handle;
1089
1090 return (rv);
1091 }
1092
1093
1094 /*
1095 * Perform key derivation rules on key's sensitivity and extractability.
1096 */
1097 void
soft_derive_enforce_flags(soft_object_t * basekey,soft_object_t * newkey)1098 soft_derive_enforce_flags(soft_object_t *basekey, soft_object_t *newkey)
1099 {
1100
1101 boolean_t new_sensitive = B_FALSE;
1102 boolean_t new_extractable = B_FALSE;
1103
1104 /*
1105 * The sensitive and extractable bits have been set when
1106 * the newkey was built.
1107 */
1108 if (newkey->bool_attr_mask & SENSITIVE_BOOL_ON) {
1109 new_sensitive = B_TRUE;
1110 }
1111
1112 if (newkey->bool_attr_mask & EXTRACTABLE_BOOL_ON) {
1113 new_extractable = B_TRUE;
1114 }
1115
1116 /* Derive the CKA_ALWAYS_SENSITIVE flag */
1117 if (!basekey->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON) {
1118 /*
1119 * If the base key has its CKA_ALWAYS_SENSITIVE set to
1120 * FALSE, then the derived key will as well.
1121 */
1122 newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON;
1123 } else {
1124 /*
1125 * If the base key has its CKA_ALWAYS_SENSITIVE set to TRUE,
1126 * then the derived key has the CKA_ALWAYS_SENSITIVE set to
1127 * the same value as its CKA_SENSITIVE;
1128 */
1129 if (new_sensitive) {
1130 newkey->bool_attr_mask |= ALWAYS_SENSITIVE_BOOL_ON;
1131 } else {
1132 newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON;
1133 }
1134 }
1135
1136 /* Derive the CKA_NEVER_EXTRACTABLE flag */
1137 if (!basekey->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) {
1138 /*
1139 * If the base key has its CKA_NEVER_EXTRACTABLE set to
1140 * FALSE, then the derived key will as well.
1141 */
1142 newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON;
1143 } else {
1144 /*
1145 * If the base key has its CKA_NEVER_EXTRACTABLE set to TRUE,
1146 * then the derived key has the CKA_NEVER_EXTRACTABLE set to
1147 * the opposite value from its CKA_EXTRACTABLE;
1148 */
1149 if (new_extractable) {
1150 newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON;
1151 } else {
1152 newkey->bool_attr_mask |= NEVER_EXTRACTABLE_BOOL_ON;
1153 }
1154 }
1155
1156 /* Set the CKA_LOCAL flag to false */
1157 newkey->bool_attr_mask &= ~LOCAL_BOOL_ON;
1158 }
1159
1160
1161 /*
1162 * do_prf
1163 *
1164 * This routine implements Step 3. of the PBKDF2 function
1165 * defined in PKCS#5 for generating derived keys from a
1166 * password.
1167 *
1168 * Currently, PRF is always SHA_1_HMAC.
1169 */
1170 static CK_RV
do_prf(soft_session_t * session_p,CK_PKCS5_PBKD2_PARAMS_PTR params,soft_object_t * hmac_key,CK_BYTE * newsalt,CK_ULONG saltlen,CK_BYTE * blockdata,CK_ULONG blocklen)1171 do_prf(soft_session_t *session_p, CK_PKCS5_PBKD2_PARAMS_PTR params,
1172 soft_object_t *hmac_key, CK_BYTE *newsalt, CK_ULONG saltlen,
1173 CK_BYTE *blockdata, CK_ULONG blocklen)
1174 {
1175 CK_RV rv = CKR_OK;
1176 CK_MECHANISM digest_mech = {CKM_SHA_1_HMAC, NULL, 0};
1177 CK_BYTE buffer[2][SHA1_HASH_SIZE];
1178 CK_ULONG hmac_outlen = SHA1_HASH_SIZE;
1179 CK_ULONG inlen;
1180 CK_BYTE *input, *output;
1181 CK_ULONG i, j;
1182
1183 input = newsalt;
1184 inlen = saltlen;
1185
1186 output = buffer[1];
1187 (void) pthread_mutex_lock(&session_p->session_mutex);
1188
1189 if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) {
1190 (void) pthread_mutex_unlock(&session_p->session_mutex);
1191 return (CKR_OPERATION_ACTIVE);
1192 }
1193 session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE;
1194 (void) pthread_mutex_unlock(&session_p->session_mutex);
1195
1196 for (i = 0; i < params->iterations; i++) {
1197 /*
1198 * The key doesn't change, its always the
1199 * password iniitally given.
1200 */
1201 rv = soft_sign_init(session_p, &digest_mech, hmac_key);
1202
1203 if (rv != CKR_OK) {
1204 goto cleanup;
1205 }
1206
1207 /* Call PRF function (SHA1_HMAC for now). */
1208 rv = soft_sign(session_p, input, inlen, output, &hmac_outlen);
1209
1210 if (rv != CKR_OK) {
1211 goto cleanup;
1212 }
1213 /*
1214 * The first time, initialize the output buffer
1215 * with the HMAC signature.
1216 */
1217 if (i == 0) {
1218 (void) memcpy(blockdata, output,
1219 local_min(blocklen, hmac_outlen));
1220 } else {
1221 /*
1222 * XOR the existing data with output from PRF.
1223 *
1224 * Only XOR up to the length of the blockdata,
1225 * it may be less than a full hmac buffer when
1226 * the final block is being computed.
1227 */
1228 for (j = 0; j < hmac_outlen && j < blocklen; j++)
1229 blockdata[j] ^= output[j];
1230 }
1231 /* Output from previous PRF is input for next round */
1232 input = output;
1233 inlen = hmac_outlen;
1234
1235 /*
1236 * Switch buffers to avoid overuse of memcpy.
1237 * Initially we used buffer[1], so after the end of
1238 * the first iteration (i==0), we switch to buffer[0]
1239 * and continue swapping with each iteration.
1240 */
1241 output = buffer[i%2];
1242 }
1243 cleanup:
1244 (void) pthread_mutex_lock(&session_p->session_mutex);
1245 session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE;
1246 (void) pthread_mutex_unlock(&session_p->session_mutex);
1247
1248 return (rv);
1249 }
1250
1251 static CK_RV
soft_create_hmac_key(soft_session_t * session_p,CK_BYTE * passwd,CK_ULONG passwd_len,soft_object_t ** keyp)1252 soft_create_hmac_key(soft_session_t *session_p, CK_BYTE *passwd,
1253 CK_ULONG passwd_len, soft_object_t **keyp)
1254 {
1255 CK_RV rv = CKR_OK;
1256 CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY;
1257 CK_KEY_TYPE keytype = CKK_GENERIC_SECRET;
1258 CK_BBOOL True = TRUE;
1259 CK_ATTRIBUTE keytemplate[4];
1260
1261 /*
1262 * We must initialize each template member individually
1263 * because at the time of initial coding for ON10, the
1264 * compiler was using the "-xc99=%none" option
1265 * which prevents us from being able to declare the whole
1266 * template in place as usual.
1267 */
1268 keytemplate[0].type = CKA_CLASS;
1269 keytemplate[0].pValue = &keyclass;
1270 keytemplate[0].ulValueLen = sizeof (keyclass);
1271
1272 keytemplate[1].type = CKA_KEY_TYPE;
1273 keytemplate[1].pValue = &keytype;
1274 keytemplate[1].ulValueLen = sizeof (keytype);
1275
1276 keytemplate[2].type = CKA_SIGN;
1277 keytemplate[2].pValue = &True;
1278 keytemplate[2].ulValueLen = sizeof (True);
1279
1280 keytemplate[3].type = CKA_VALUE;
1281 keytemplate[3].pValue = passwd;
1282 keytemplate[3].ulValueLen = passwd_len;
1283 /*
1284 * Create a generic key object to be used for HMAC operations.
1285 * The "value" for this key is the password from the
1286 * mechanism parameter structure.
1287 */
1288 rv = soft_gen_keyobject(keytemplate,
1289 sizeof (keytemplate)/sizeof (CK_ATTRIBUTE), keyp, session_p,
1290 CKO_SECRET_KEY, (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0,
1291 SOFT_CREATE_OBJ, B_TRUE);
1292
1293 return (rv);
1294 }
1295
1296 CK_RV
soft_generate_pkcs5_pbkdf2_key(soft_session_t * session_p,CK_MECHANISM_PTR pMechanism,soft_object_t * secret_key)1297 soft_generate_pkcs5_pbkdf2_key(soft_session_t *session_p,
1298 CK_MECHANISM_PTR pMechanism, soft_object_t *secret_key)
1299 {
1300 CK_RV rv = CKR_OK;
1301 CK_PKCS5_PBKD2_PARAMS *params =
1302 (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter;
1303 CK_ULONG hLen = SHA1_HASH_SIZE;
1304 CK_ULONG dkLen, i;
1305 CK_ULONG blocks, remainder;
1306 soft_object_t *hmac_key = NULL;
1307 CK_BYTE *salt = NULL;
1308 CK_BYTE *keydata = NULL;
1309
1310 params = (CK_PKCS5_PBKD2_PARAMS_PTR) pMechanism->pParameter;
1311
1312 if (params->prf != CKP_PKCS5_PBKD2_HMAC_SHA1)
1313 return (CKR_MECHANISM_PARAM_INVALID);
1314
1315 if (params->pPrfData != NULL || params->ulPrfDataLen != 0)
1316 return (CKR_DATA_INVALID);
1317
1318 if (params->saltSource != CKZ_SALT_SPECIFIED ||
1319 params->iterations == 0)
1320 return (CKR_MECHANISM_PARAM_INVALID);
1321
1322 /*
1323 * Create a key object to use for HMAC operations.
1324 */
1325 rv = soft_create_hmac_key(session_p, params->pPassword,
1326 *params->ulPasswordLen, &hmac_key);
1327
1328 if (rv != CKR_OK)
1329 return (rv);
1330
1331 /* Step 1. */
1332 dkLen = OBJ_SEC_VALUE_LEN(secret_key); /* length of desired key */
1333
1334 if (dkLen > ((((u_longlong_t)1)<<32)-1)*hLen) {
1335 (void) soft_delete_object(session_p, hmac_key, B_FALSE,
1336 B_FALSE);
1337 return (CKR_KEY_SIZE_RANGE);
1338 }
1339
1340 /* Step 2. */
1341 blocks = dkLen / hLen;
1342
1343 /* crude "Ceiling" function to adjust the number of blocks to use */
1344 if (blocks * hLen != dkLen)
1345 blocks++;
1346
1347 remainder = dkLen - ((blocks - 1) * hLen);
1348
1349 /* Step 3 */
1350 salt = (CK_BYTE *)malloc(params->ulSaltSourceDataLen + 4);
1351 if (salt == NULL) {
1352 (void) soft_delete_object(session_p, hmac_key, B_FALSE,
1353 B_FALSE);
1354 return (CKR_HOST_MEMORY);
1355 }
1356 /*
1357 * Nothing in PKCS#5 says you cannot pass an empty
1358 * salt, so we will allow for this and not return error
1359 * if the salt is not specified.
1360 */
1361 if (params->pSaltSourceData != NULL && params->ulSaltSourceDataLen > 0)
1362 (void) memcpy(salt, params->pSaltSourceData,
1363 params->ulSaltSourceDataLen);
1364
1365 /*
1366 * Get pointer to the data section of the key,
1367 * this will be used below as output from the
1368 * PRF iteration/concatenations so that when the
1369 * blocks are all iterated, the secret_key will
1370 * have the resulting derived key value.
1371 */
1372 keydata = (CK_BYTE *)OBJ_SEC_VALUE(secret_key);
1373
1374 /* Step 4. */
1375 for (i = 0; i < blocks && (rv == CKR_OK); i++) {
1376 CK_BYTE *s;
1377
1378 s = salt + params->ulSaltSourceDataLen;
1379
1380 /*
1381 * Append the block index to the salt as input
1382 * to the PRF. Block index should start at 1
1383 * not 0.
1384 */
1385 *s++ = ((i+1) >> 24) & 0xff;
1386 *s++ = ((i+1) >> 16) & 0xff;
1387 *s++ = ((i+1) >> 8) & 0xff;
1388 *s = ((i+1)) & 0xff;
1389
1390 /*
1391 * Adjust the key pointer so we always append the
1392 * PRF output to the current key.
1393 */
1394 rv = do_prf(session_p, params, hmac_key,
1395 salt, params->ulSaltSourceDataLen + 4, keydata,
1396 ((i + 1) == blocks ? remainder : hLen));
1397
1398 keydata += hLen;
1399 }
1400 (void) soft_delete_object(session_p, hmac_key, B_FALSE, B_FALSE);
1401 freezero(salt, params->ulSaltSourceDataLen);
1402
1403 return (rv);
1404 }
1405
1406 CK_RV
soft_wrapkey(soft_session_t * session_p,CK_MECHANISM_PTR pMechanism,soft_object_t * wrappingKey_p,soft_object_t * hkey_p,CK_BYTE_PTR pWrappedKey,CK_ULONG_PTR pulWrappedKeyLen)1407 soft_wrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
1408 soft_object_t *wrappingKey_p, soft_object_t *hkey_p,
1409 CK_BYTE_PTR pWrappedKey, CK_ULONG_PTR pulWrappedKeyLen)
1410 {
1411 CK_RV rv = CKR_OK;
1412 CK_ULONG plain_len = 0;
1413 CK_BYTE_PTR plain_data = NULL;
1414 CK_ULONG padded_len = 0;
1415 CK_BYTE_PTR padded_data = NULL;
1416 CK_ULONG wkey_blksz = 1; /* so modulo will work right */
1417
1418 /* Check if the mechanism is supported. */
1419 switch (pMechanism->mechanism) {
1420 case CKM_DES_CBC_PAD:
1421 case CKM_DES3_CBC_PAD:
1422 case CKM_AES_CBC_PAD:
1423 /*
1424 * Secret key mechs with padding can be used to wrap secret
1425 * keys and private keys only. See PKCS#11, * sec 11.14,
1426 * C_WrapKey and secs 12.* for each mechanism's wrapping/
1427 * unwrapping constraints.
1428 */
1429 if (hkey_p->class != CKO_SECRET_KEY && hkey_p->class !=
1430 CKO_PRIVATE_KEY)
1431 return (CKR_MECHANISM_INVALID);
1432 break;
1433 case CKM_RSA_PKCS:
1434 case CKM_RSA_X_509:
1435 case CKM_DES_ECB:
1436 case CKM_DES3_ECB:
1437 case CKM_AES_ECB:
1438 case CKM_DES_CBC:
1439 case CKM_DES3_CBC:
1440 case CKM_AES_CBC:
1441 case CKM_AES_CTR:
1442 case CKM_BLOWFISH_CBC:
1443 /*
1444 * Unpadded secret key mechs and private key mechs are only
1445 * defined for wrapping secret keys. See PKCS#11 refs above.
1446 */
1447 if (hkey_p->class != CKO_SECRET_KEY)
1448 return (CKR_MECHANISM_INVALID);
1449 break;
1450 default:
1451 return (CKR_MECHANISM_INVALID);
1452 }
1453
1454 if (hkey_p->class == CKO_SECRET_KEY) {
1455 plain_data = OBJ_SEC_VALUE(hkey_p);
1456 plain_len = OBJ_SEC_VALUE_LEN(hkey_p);
1457 } else {
1458 /*
1459 * BER-encode the object to be wrapped: call first with
1460 * plain_data = NULL to get the size needed, allocate that
1461 * much space, call again to fill space with actual data.
1462 */
1463 rv = soft_object_to_asn1(hkey_p, NULL, &plain_len);
1464 if (rv != CKR_OK)
1465 return (rv);
1466 if ((plain_data = malloc(plain_len)) == NULL)
1467 return (CKR_HOST_MEMORY);
1468 (void) memset(plain_data, 0x0, plain_len);
1469 rv = soft_object_to_asn1(hkey_p, plain_data, &plain_len);
1470 if (rv != CKR_OK)
1471 goto cleanup_wrap;
1472 }
1473
1474 /*
1475 * For unpadded ECB and CBC mechanisms, the object needs to be
1476 * padded to the wrapping key's blocksize prior to the encryption.
1477 */
1478 padded_len = plain_len;
1479 padded_data = plain_data;
1480
1481 switch (pMechanism->mechanism) {
1482 case CKM_DES_ECB:
1483 case CKM_DES3_ECB:
1484 case CKM_AES_ECB:
1485 case CKM_DES_CBC:
1486 case CKM_DES3_CBC:
1487 case CKM_AES_CBC:
1488 case CKM_BLOWFISH_CBC:
1489 /* Find the block size of the wrapping key. */
1490 if (wrappingKey_p->class == CKO_SECRET_KEY) {
1491 switch (wrappingKey_p->key_type) {
1492 case CKK_DES:
1493 case CKK_DES2:
1494 case CKK_DES3:
1495 wkey_blksz = DES_BLOCK_LEN;
1496 break;
1497 case CKK_AES:
1498 wkey_blksz = AES_BLOCK_LEN;
1499 break;
1500 case CKK_BLOWFISH:
1501 wkey_blksz = BLOWFISH_BLOCK_LEN;
1502 break;
1503 default:
1504 break;
1505 }
1506 } else {
1507 rv = CKR_WRAPPING_KEY_TYPE_INCONSISTENT;
1508 goto cleanup_wrap;
1509 }
1510
1511 /* Extend the plain text data to block size boundary. */
1512 if ((padded_len % wkey_blksz) != 0) {
1513 padded_len += (wkey_blksz - (plain_len % wkey_blksz));
1514 if ((padded_data = malloc(padded_len)) == NULL) {
1515 rv = CKR_HOST_MEMORY;
1516 goto cleanup_wrap;
1517 }
1518 (void) memset(padded_data, 0x0, padded_len);
1519 (void) memcpy(padded_data, plain_data, plain_len);
1520 }
1521 break;
1522 default:
1523 break;
1524 }
1525
1526 rv = soft_encrypt_init(session_p, pMechanism, wrappingKey_p);
1527 if (rv != CKR_OK)
1528 goto cleanup_wrap;
1529
1530 rv = soft_encrypt(session_p, padded_data, padded_len,
1531 pWrappedKey, pulWrappedKeyLen);
1532
1533 cleanup_wrap:
1534 if (padded_data != NULL && padded_len != plain_len) {
1535 /* Clear buffer before returning to memory pool. */
1536 freezero(padded_data, padded_len);
1537 }
1538
1539 if ((hkey_p->class != CKO_SECRET_KEY) && (plain_data != NULL)) {
1540 /* Clear buffer before returning to memory pool. */
1541 freezero(plain_data, plain_len);
1542 }
1543
1544 return (rv);
1545 }
1546
1547 /*
1548 * Quick check for whether unwrapped key length is appropriate for key type
1549 * and whether it needs to be truncated (in case the wrapping function had
1550 * to pad the key prior to wrapping).
1551 */
1552 static CK_RV
soft_unwrap_secret_len_check(CK_KEY_TYPE keytype,CK_MECHANISM_TYPE mechtype,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulAttributeCount)1553 soft_unwrap_secret_len_check(CK_KEY_TYPE keytype, CK_MECHANISM_TYPE mechtype,
1554 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount)
1555 {
1556 CK_ULONG i;
1557 boolean_t isValueLen = B_FALSE;
1558
1559 /*
1560 * Based on the key type and the mech used to unwrap, need to
1561 * determine if CKA_VALUE_LEN should or should not be specified.
1562 * PKCS#11 v2.11 restricts CKA_VALUE_LEN from being specified
1563 * for C_UnwrapKey for all mechs and key types, but v2.20 loosens
1564 * that restriction, perhaps because it makes it impossible to
1565 * determine the original length of unwrapped variable-length secret
1566 * keys, such as RC4, AES, and GENERIC_SECRET. These variable-length
1567 * secret keys would have been padded with trailing null-bytes so
1568 * that they could be successfully wrapped with *_ECB and *_CBC
1569 * mechanisms. Hence for unwrapping with these mechs, CKA_VALUE_LEN
1570 * must be specified. For unwrapping with other mechs, such as
1571 * *_CBC_PAD, the CKA_VALUE_LEN is not needed.
1572 */
1573
1574 /* Find out if template has CKA_VALUE_LEN. */
1575 for (i = 0; i < ulAttributeCount; i++) {
1576 if (pTemplate[i].type == CKA_VALUE_LEN &&
1577 pTemplate[i].pValue != NULL) {
1578 isValueLen = B_TRUE;
1579 break;
1580 }
1581 }
1582
1583 /* Does its presence conflict with the mech type and key type? */
1584 switch (mechtype) {
1585 case CKM_DES_ECB:
1586 case CKM_DES3_ECB:
1587 case CKM_AES_ECB:
1588 case CKM_DES_CBC:
1589 case CKM_DES3_CBC:
1590 case CKM_AES_CBC:
1591 case CKM_BLOWFISH_CBC:
1592 /*
1593 * CKA_VALUE_LEN must be specified
1594 * if keytype is CKK_RC4, CKK_AES and CKK_GENERIC_SECRET
1595 * and must not be specified otherwise
1596 */
1597 switch (keytype) {
1598 case CKK_DES:
1599 case CKK_DES2:
1600 case CKK_DES3:
1601 if (isValueLen)
1602 return (CKR_TEMPLATE_INCONSISTENT);
1603 break;
1604 case CKK_GENERIC_SECRET:
1605 case CKK_RC4:
1606 case CKK_AES:
1607 case CKK_BLOWFISH:
1608 if (!isValueLen)
1609 return (CKR_TEMPLATE_INCOMPLETE);
1610 break;
1611 default:
1612 return (CKR_FUNCTION_NOT_SUPPORTED);
1613 }
1614 break;
1615 default:
1616 /* CKA_VALUE_LEN must not be specified */
1617 if (isValueLen)
1618 return (CKR_TEMPLATE_INCONSISTENT);
1619 break;
1620 }
1621
1622 return (CKR_OK);
1623 }
1624
1625 CK_RV
soft_unwrapkey(soft_session_t * session_p,CK_MECHANISM_PTR pMechanism,soft_object_t * unwrappingkey_p,CK_BYTE_PTR pWrappedKey,CK_ULONG ulWrappedKeyLen,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulAttributeCount,CK_OBJECT_HANDLE_PTR phKey)1626 soft_unwrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
1627 soft_object_t *unwrappingkey_p, CK_BYTE_PTR pWrappedKey,
1628 CK_ULONG ulWrappedKeyLen, CK_ATTRIBUTE_PTR pTemplate,
1629 CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey)
1630 {
1631 CK_RV rv = CKR_OK;
1632 CK_OBJECT_CLASS new_obj_class = ~0UL;
1633 int i = 0;
1634 soft_object_t *new_objp = NULL;
1635 boolean_t persistent = B_FALSE;
1636 CK_BYTE_PTR plain_data = NULL;
1637 CK_ULONG plain_len = 0;
1638 secret_key_obj_t *sck = NULL;
1639
1640 /* Scan the attribute template for the object class. */
1641 if (pTemplate != NULL && ulAttributeCount != 0) {
1642 for (i = 0; i < ulAttributeCount; i++) {
1643 if (pTemplate[i].type == CKA_CLASS) {
1644 new_obj_class =
1645 *((CK_OBJECT_CLASS *)pTemplate[i].pValue);
1646 break;
1647 }
1648 }
1649 if (new_obj_class == ~0UL)
1650 return (CKR_TEMPLATE_INCOMPLETE);
1651 }
1652
1653 /*
1654 * Check if the mechanism is supported, and now that the new
1655 * object's class is known, the mechanism selected should be
1656 * capable of doing the unwrap.
1657 */
1658 switch (pMechanism->mechanism) {
1659 case CKM_RSA_PKCS:
1660 case CKM_RSA_X_509:
1661 case CKM_DES_ECB:
1662 case CKM_DES3_ECB:
1663 case CKM_AES_ECB:
1664 case CKM_DES_CBC:
1665 case CKM_DES3_CBC:
1666 case CKM_AES_CBC:
1667 case CKM_BLOWFISH_CBC:
1668 if (new_obj_class != CKO_SECRET_KEY)
1669 return (CKR_MECHANISM_INVALID);
1670 break;
1671 case CKM_DES_CBC_PAD:
1672 case CKM_DES3_CBC_PAD:
1673 case CKM_AES_CBC_PAD:
1674 if (new_obj_class != CKO_SECRET_KEY && new_obj_class !=
1675 CKO_PRIVATE_KEY)
1676 return (CKR_MECHANISM_INVALID);
1677 break;
1678 default:
1679 return (CKR_MECHANISM_INVALID);
1680 }
1681
1682 /* Create a new object based on the attribute template. */
1683 rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
1684 &new_objp, session_p, (CK_OBJECT_CLASS)~0UL,
1685 (CK_KEY_TYPE)~0UL, 0, SOFT_UNWRAP_KEY, B_FALSE);
1686 if (rv != CKR_OK)
1687 return (rv);
1688
1689 /*
1690 * New key will have CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE
1691 * both set to FALSE. CKA_EXTRACTABLE will be set _by_default_ to
1692 * true -- leaving the possibility that it may be set FALSE by the
1693 * supplied attribute template. If the precise template cannot be
1694 * supported, unwrap fails. PKCS#11 spec, Sec. 11.14, C_UnwrapKey.
1695 *
1696 * Therefore, check the new object's NEVER_EXTRACTABLE_BOOL_ON and
1697 * ALWAYS_SENSITVE_BOOL_ON; if they are TRUE, the template must
1698 * have supplied them and therefore we cannot honor the unwrap.
1699 */
1700 if ((new_objp->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) ||
1701 (new_objp->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON)) {
1702 rv = CKR_TEMPLATE_INCONSISTENT;
1703 goto cleanup_unwrap;
1704 }
1705
1706 rv = soft_decrypt_init(session_p, pMechanism, unwrappingkey_p);
1707 if (rv != CKR_OK)
1708 goto cleanup_unwrap;
1709
1710 /* First get the length of the plain data */
1711 rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, NULL,
1712 &plain_len);
1713 if (rv != CKR_OK)
1714 goto cleanup_unwrap;
1715
1716 /* Allocate space for the unwrapped data */
1717 if ((plain_data = malloc(plain_len)) == NULL) {
1718 rv = CKR_HOST_MEMORY;
1719 goto cleanup_unwrap;
1720 }
1721 (void) memset(plain_data, 0x0, plain_len);
1722
1723 /* Perform actual decryption into the allocated space. */
1724 rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, plain_data,
1725 &plain_len);
1726 if (rv != CKR_OK)
1727 goto cleanup_unwrap;
1728
1729 if (new_objp->class == CKO_SECRET_KEY) {
1730 /*
1731 * Since no ASN.1 encoding is done for secret keys, check for
1732 * appropriateness and copy decrypted buffer to the key object.
1733 */
1734
1735 /* Check keytype and mechtype don't conflict with valuelen */
1736 rv = soft_unwrap_secret_len_check(new_objp->key_type,
1737 pMechanism->mechanism, pTemplate, ulAttributeCount);
1738 if (rv != CKR_OK)
1739 goto cleanup_unwrap;
1740
1741 /*
1742 * Allocate the secret key structure if not already there;
1743 * it will exist for variable length keys since CKA_VALUE_LEN
1744 * is specified and saved, but not for fixed length keys.
1745 */
1746 if (OBJ_SEC(new_objp) == NULL) {
1747 if ((sck = calloc(1, sizeof (secret_key_obj_t))) ==
1748 NULL) {
1749 rv = CKR_HOST_MEMORY;
1750 goto cleanup_unwrap;
1751 }
1752 OBJ_SEC(new_objp) = sck;
1753 }
1754
1755 switch (new_objp->key_type) {
1756 /* Fixed length secret keys don't have CKA_VALUE_LEN */
1757 case CKK_DES:
1758 OBJ_SEC_VALUE_LEN(new_objp) = DES_KEYSIZE;
1759 break;
1760 case CKK_DES2:
1761 OBJ_SEC_VALUE_LEN(new_objp) = DES2_KEYSIZE;
1762 break;
1763 case CKK_DES3:
1764 OBJ_SEC_VALUE_LEN(new_objp) = DES3_KEYSIZE;
1765 break;
1766
1767 /*
1768 * Variable length secret keys. CKA_VALUE_LEN must be
1769 * provided by the template when mech is *_ECB or *_CBC, and
1770 * should already have been set during soft_gen_keyobject().
1771 * Otherwise we don't need CKA_VALUE_LEN.
1772 */
1773 case CKK_GENERIC_SECRET:
1774 case CKK_RC4:
1775 case CKK_AES:
1776 case CKK_BLOWFISH:
1777 break;
1778 default:
1779 rv = CKR_WRAPPED_KEY_INVALID;
1780 goto cleanup_unwrap;
1781 };
1782
1783 if (OBJ_SEC_VALUE_LEN(new_objp) == 0) {
1784 /* No CKA_VALUE_LEN set so set it now and save data */
1785 OBJ_SEC_VALUE_LEN(new_objp) = plain_len;
1786 OBJ_SEC_VALUE(new_objp) = plain_data;
1787 } else if (OBJ_SEC_VALUE_LEN(new_objp) == plain_len) {
1788 /* No need to truncate, just save the data */
1789 OBJ_SEC_VALUE(new_objp) = plain_data;
1790 } else if (OBJ_SEC_VALUE_LEN(new_objp) > plain_len) {
1791 /* Length can't be bigger than what was decrypted */
1792 rv = CKR_WRAPPED_KEY_LEN_RANGE;
1793 goto cleanup_unwrap;
1794 } else { /* betw 0 and plain_len, hence padded */
1795 /* Truncate the data before saving. */
1796 OBJ_SEC_VALUE(new_objp) = realloc(plain_data,
1797 OBJ_SEC_VALUE_LEN(new_objp));
1798 if (OBJ_SEC_VALUE(new_objp) == NULL) {
1799 rv = CKR_HOST_MEMORY;
1800 goto cleanup_unwrap;
1801 }
1802 }
1803 } else {
1804 /* BER-decode the object to be unwrapped. */
1805 rv = soft_asn1_to_object(new_objp, plain_data, plain_len);
1806 if (rv != CKR_OK)
1807 goto cleanup_unwrap;
1808 }
1809
1810 /* If it needs to be persistent, write it to the keystore */
1811 if (IS_TOKEN_OBJECT(new_objp)) {
1812 persistent = B_TRUE;
1813 rv = soft_put_object_to_keystore(new_objp);
1814 if (rv != CKR_OK)
1815 goto cleanup_unwrap;
1816 }
1817
1818 if (new_objp->class != CKO_SECRET_KEY) {
1819 /* Clear buffer before returning to memory pool. */
1820 freezero(plain_data, plain_len);
1821 }
1822
1823 *phKey = (CK_OBJECT_HANDLE)new_objp;
1824
1825 return (CKR_OK);
1826
1827 cleanup_unwrap:
1828 /* The decrypted private key buffer must be freed explicitly. */
1829 if ((new_objp->class != CKO_SECRET_KEY) && (plain_data != NULL)) {
1830 /* Clear buffer before returning to memory pool. */
1831 freezero(plain_data, plain_len);
1832 }
1833
1834 /* sck and new_objp are indirectly free()d inside these functions */
1835 if (IS_TOKEN_OBJECT(new_objp))
1836 soft_delete_token_object(new_objp, persistent, B_FALSE);
1837 else
1838 soft_delete_object(session_p, new_objp, B_FALSE, B_FALSE);
1839
1840 return (rv);
1841 }
1842