1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <pthread.h> 27 #include <stdlib.h> 28 #include <string.h> 29 #include <strings.h> 30 #include <sys/types.h> 31 #include <security/cryptoki.h> 32 #include <sys/crypto/common.h> 33 #include <aes_impl.h> 34 #include <blowfish_impl.h> 35 #include <des_impl.h> 36 #include <arcfour.h> 37 #include <cryptoutil.h> 38 #include "softGlobal.h" 39 #include "softSession.h" 40 #include "softObject.h" 41 #include "softDSA.h" 42 #include "softRSA.h" 43 #include "softDH.h" 44 #include "softEC.h" 45 #include "softMAC.h" 46 #include "softOps.h" 47 #include "softKeys.h" 48 #include "softKeystore.h" 49 #include "softSSL.h" 50 #include "softASN1.h" 51 52 53 #define local_min(a, b) ((a) < (b) ? (a) : (b)) 54 55 static CK_RV 56 soft_pkcs12_pbe(soft_session_t *, CK_MECHANISM_PTR, soft_object_t *); 57 58 /* 59 * Create a temporary key object struct by filling up its template attributes. 60 */ 61 CK_RV 62 soft_gen_keyobject(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, 63 CK_ULONG *objecthandle_p, soft_session_t *sp, 64 CK_OBJECT_CLASS class, CK_KEY_TYPE key_type, CK_ULONG keylen, CK_ULONG mode, 65 boolean_t internal) 66 { 67 68 CK_RV rv; 69 soft_object_t *new_objp = NULL; 70 71 new_objp = calloc(1, sizeof (soft_object_t)); 72 if (new_objp == NULL) { 73 return (CKR_HOST_MEMORY); 74 } 75 76 new_objp->extra_attrlistp = NULL; 77 78 /* 79 * Validate attribute template and fill in the attributes 80 * in the soft_object_t. 81 */ 82 rv = soft_build_key(pTemplate, ulCount, new_objp, class, key_type, 83 keylen, mode); 84 if (rv != CKR_OK) { 85 goto fail_cleanup1; 86 } 87 88 /* 89 * If generating a key is an internal request (i.e. not a C_XXX 90 * API request), then skip the following checks. 91 */ 92 if (!internal) { 93 rv = soft_pin_expired_check(new_objp); 94 if (rv != CKR_OK) { 95 goto fail_cleanup2; 96 } 97 98 rv = soft_object_write_access_check(sp, new_objp); 99 if (rv != CKR_OK) { 100 goto fail_cleanup2; 101 } 102 } 103 104 /* Initialize the rest of stuffs in soft_object_t. */ 105 (void) pthread_mutex_init(&new_objp->object_mutex, NULL); 106 new_objp->magic_marker = SOFTTOKEN_OBJECT_MAGIC; 107 108 /* Write the new token object to the keystore */ 109 if (IS_TOKEN_OBJECT(new_objp)) { 110 new_objp->version = 1; 111 new_objp->session_handle = (CK_SESSION_HANDLE)NULL; 112 soft_add_token_object_to_slot(new_objp); 113 /* 114 * Type casting the address of an object struct to 115 * an object handle. 116 */ 117 *objecthandle_p = (CK_ULONG)new_objp; 118 119 return (CKR_OK); 120 } 121 122 new_objp->session_handle = (CK_SESSION_HANDLE)sp; 123 124 /* Add the new object to the session's object list. */ 125 soft_add_object_to_session(new_objp, sp); 126 127 /* Type casting the address of an object struct to an object handle. */ 128 *objecthandle_p = (CK_ULONG)new_objp; 129 130 return (CKR_OK); 131 132 fail_cleanup2: 133 /* 134 * When any error occurs after soft_build_key(), we will need to 135 * clean up the memory allocated by the soft_build_key(). 136 */ 137 soft_cleanup_object(new_objp); 138 139 fail_cleanup1: 140 if (new_objp) { 141 /* 142 * The storage allocated inside of this object should have 143 * been cleaned up by the soft_build_key() if it failed. 144 * Therefore, we can safely free the object. 145 */ 146 free(new_objp); 147 } 148 149 return (rv); 150 } 151 152 CK_RV 153 soft_genkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 154 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey) 155 { 156 157 CK_RV rv = CKR_OK; 158 soft_object_t *secret_key; 159 CK_KEY_TYPE key_type; 160 CK_ULONG keylen = 0; 161 CK_ULONG i; 162 int des_strength = 0; 163 int retry = 0; 164 int keyfound = 0; 165 boolean_t is_ssl_mech = B_FALSE; 166 167 switch (pMechanism->mechanism) { 168 case CKM_DES_KEY_GEN: 169 key_type = CKK_DES; 170 break; 171 172 case CKM_DES3_KEY_GEN: 173 key_type = CKK_DES3; 174 break; 175 176 case CKM_AES_KEY_GEN: 177 key_type = CKK_AES; 178 break; 179 180 case CKM_BLOWFISH_KEY_GEN: 181 key_type = CKK_BLOWFISH; 182 break; 183 184 case CKM_RC4_KEY_GEN: 185 key_type = CKK_RC4; 186 break; 187 188 case CKM_SSL3_PRE_MASTER_KEY_GEN: 189 case CKM_TLS_PRE_MASTER_KEY_GEN: 190 if (pMechanism->pParameter == NULL || 191 pMechanism->ulParameterLen != sizeof (CK_VERSION)) 192 return (CKR_TEMPLATE_INCOMPLETE); 193 is_ssl_mech = B_TRUE; 194 key_type = CKK_GENERIC_SECRET; 195 keylen = 48; 196 break; 197 198 case CKM_PKCS5_PBKD2: 199 keyfound = 0; 200 for (i = 0; i < ulCount && !keyfound; i++) { 201 if (pTemplate[i].type == CKA_KEY_TYPE && 202 pTemplate[i].pValue != NULL) { 203 key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue); 204 keyfound = 1; 205 } 206 } 207 if (!keyfound) 208 return (CKR_TEMPLATE_INCOMPLETE); 209 /* 210 * Make sure that parameters were given for this 211 * mechanism. 212 */ 213 if (pMechanism->pParameter == NULL || 214 pMechanism->ulParameterLen != 215 sizeof (CK_PKCS5_PBKD2_PARAMS)) 216 return (CKR_TEMPLATE_INCOMPLETE); 217 break; 218 219 case CKM_PBE_SHA1_RC4_128: 220 keyfound = 0; 221 for (i = 0; i < ulCount; i++) { 222 if (pTemplate[i].type == CKA_KEY_TYPE && 223 pTemplate[i].pValue != NULL) { 224 key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue); 225 keyfound = 1; 226 } 227 if (pTemplate[i].type == CKA_VALUE_LEN && 228 pTemplate[i].pValue != NULL) { 229 keylen = *((CK_ULONG*)pTemplate[i].pValue); 230 } 231 } 232 /* If a keytype was specified, it had better be CKK_RC4 */ 233 if (keyfound && key_type != CKK_RC4) 234 return (CKR_TEMPLATE_INCONSISTENT); 235 else if (!keyfound) 236 key_type = CKK_RC4; 237 238 /* If key length was specified, it better be 16 bytes */ 239 if (keylen != 0 && keylen != 16) 240 return (CKR_TEMPLATE_INCONSISTENT); 241 242 /* 243 * Make sure that parameters were given for this 244 * mechanism. 245 */ 246 if (pMechanism->pParameter == NULL || 247 pMechanism->ulParameterLen != 248 sizeof (CK_PBE_PARAMS)) 249 return (CKR_TEMPLATE_INCOMPLETE); 250 break; 251 default: 252 return (CKR_MECHANISM_INVALID); 253 } 254 255 /* Create a new object for secret key. */ 256 rv = soft_gen_keyobject(pTemplate, ulCount, phKey, session_p, 257 CKO_SECRET_KEY, key_type, keylen, SOFT_GEN_KEY, B_FALSE); 258 259 if (rv != CKR_OK) { 260 return (rv); 261 } 262 263 /* Obtain the secret object pointer. */ 264 secret_key = (soft_object_t *)*phKey; 265 266 switch (pMechanism->mechanism) { 267 case CKM_DES_KEY_GEN: 268 /* 269 * Set up key value len since it is not a required 270 * attribute for C_GenerateKey. 271 */ 272 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE; 273 des_strength = DES; 274 break; 275 276 case CKM_DES3_KEY_GEN: 277 /* 278 * Set up key value len since it is not a required 279 * attribute for C_GenerateKey. 280 */ 281 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE; 282 des_strength = DES3; 283 break; 284 285 case CKM_SSL3_PRE_MASTER_KEY_GEN: 286 case CKM_TLS_PRE_MASTER_KEY_GEN: 287 secret_key->bool_attr_mask |= DERIVE_BOOL_ON; 288 /* FALLTHRU */ 289 290 case CKM_AES_KEY_GEN: 291 case CKM_BLOWFISH_KEY_GEN: 292 case CKM_PBE_SHA1_RC4_128: 293 case CKM_RC4_KEY_GEN: 294 keylen = OBJ_SEC_VALUE_LEN(secret_key); 295 break; 296 297 case CKM_PKCS5_PBKD2: 298 /* 299 * PKCS#11 does not allow one to specify key 300 * sizes for DES and 3DES, so we must set it here 301 * when using PBKD2 algorithms. 302 */ 303 if (key_type == CKK_DES) { 304 OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE; 305 des_strength = DES; 306 } else if (key_type == CKK_DES3) { 307 OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE; 308 des_strength = DES3; 309 } 310 311 keylen = OBJ_SEC_VALUE_LEN(secret_key); 312 break; 313 } 314 315 if ((OBJ_SEC_VALUE(secret_key) = malloc(keylen)) == NULL) { 316 if (IS_TOKEN_OBJECT(secret_key)) 317 soft_delete_token_object(secret_key, B_FALSE, B_FALSE); 318 else 319 soft_delete_object(session_p, secret_key, B_FALSE); 320 321 return (CKR_HOST_MEMORY); 322 } 323 switch (pMechanism->mechanism) { 324 case CKM_PBE_SHA1_RC4_128: 325 /* 326 * Use the PBE algorithm described in PKCS#11 section 327 * 12.33 to derive the key. 328 */ 329 rv = soft_pkcs12_pbe(session_p, pMechanism, secret_key); 330 break; 331 case CKM_PKCS5_PBKD2: 332 /* Generate keys using PKCS#5 PBKD2 algorithm */ 333 rv = soft_generate_pkcs5_pbkdf2_key(session_p, pMechanism, 334 secret_key); 335 if (rv == CKR_OK && des_strength > 0) { 336 /* Perform weak key checking for DES and DES3. */ 337 if (des_keycheck(OBJ_SEC_VALUE(secret_key), 338 des_strength, OBJ_SEC_VALUE(secret_key)) == 339 B_FALSE) { 340 /* We got a weak secret key. */ 341 rv = CKR_FUNCTION_FAILED; 342 } 343 } 344 break; 345 default: 346 do { 347 /* If this fails, bail out */ 348 rv = CKR_OK; 349 if (pkcs11_get_urandom( 350 OBJ_SEC_VALUE(secret_key), keylen) < 0) { 351 rv = CKR_DEVICE_ERROR; 352 break; 353 } 354 355 /* Perform weak key checking for DES and DES3. */ 356 if (des_strength > 0) { 357 rv = CKR_OK; 358 if (des_keycheck(OBJ_SEC_VALUE(secret_key), 359 des_strength, OBJ_SEC_VALUE(secret_key)) == 360 B_FALSE) { 361 /* We got a weak key, retry! */ 362 retry++; 363 rv = CKR_FUNCTION_FAILED; 364 } 365 } 366 /* 367 * Copy over the SSL client version For SSL mechs 368 * The first two bytes of the key is the version 369 */ 370 if (is_ssl_mech) 371 bcopy(pMechanism->pParameter, 372 OBJ_SEC_VALUE(secret_key), 373 sizeof (CK_VERSION)); 374 375 } while (rv != CKR_OK && retry < KEYGEN_RETRY); 376 if (retry == KEYGEN_RETRY) 377 rv = CKR_FUNCTION_FAILED; 378 break; 379 } 380 381 if (rv != CKR_OK) 382 if (IS_TOKEN_OBJECT(secret_key)) 383 soft_delete_token_object(secret_key, B_FALSE, B_FALSE); 384 else 385 soft_delete_object(session_p, secret_key, B_FALSE); 386 387 if (IS_TOKEN_OBJECT(secret_key)) { 388 /* 389 * All the info has been filled, so we can write to 390 * keystore now. 391 */ 392 rv = soft_put_object_to_keystore(secret_key); 393 if (rv != CKR_OK) 394 soft_delete_token_object(secret_key, B_FALSE, B_FALSE); 395 } 396 397 return (rv); 398 } 399 400 CK_RV 401 soft_genkey_pair(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 402 CK_ATTRIBUTE_PTR pPublicKeyTemplate, CK_ULONG ulPublicAttrCount, 403 CK_ATTRIBUTE_PTR pPrivateKeyTemplate, CK_ULONG ulPrivateAttrCount, 404 CK_OBJECT_HANDLE_PTR phPublicKey, CK_OBJECT_HANDLE_PTR phPrivateKey) 405 { 406 407 CK_RV rv; 408 soft_object_t *public_key, *private_key; 409 CK_KEY_TYPE key_type; 410 411 switch (pMechanism->mechanism) { 412 413 case CKM_RSA_PKCS_KEY_PAIR_GEN: 414 key_type = CKK_RSA; 415 break; 416 417 case CKM_DSA_KEY_PAIR_GEN: 418 key_type = CKK_DSA; 419 break; 420 421 case CKM_DH_PKCS_KEY_PAIR_GEN: 422 key_type = CKK_DH; 423 break; 424 425 case CKM_EC_KEY_PAIR_GEN: 426 key_type = CKK_EC; 427 break; 428 429 default: 430 return (CKR_MECHANISM_INVALID); 431 } 432 433 /* Create a new object for public key. */ 434 rv = soft_gen_keyobject(pPublicKeyTemplate, ulPublicAttrCount, 435 phPublicKey, session_p, CKO_PUBLIC_KEY, key_type, 0, 436 SOFT_GEN_KEY, B_FALSE); 437 438 if (rv != CKR_OK) { 439 return (rv); 440 } 441 442 /* Obtain the public object pointer. */ 443 public_key = (soft_object_t *)*phPublicKey; 444 445 /* Create a new object for private key. */ 446 rv = soft_gen_keyobject(pPrivateKeyTemplate, ulPrivateAttrCount, 447 phPrivateKey, session_p, CKO_PRIVATE_KEY, key_type, 0, 448 SOFT_GEN_KEY, B_FALSE); 449 450 if (rv != CKR_OK) { 451 /* 452 * Both public key and private key must be successful. 453 */ 454 if (IS_TOKEN_OBJECT(public_key)) 455 soft_delete_token_object(public_key, B_FALSE, B_FALSE); 456 else 457 soft_delete_object(session_p, public_key, B_FALSE); 458 return (rv); 459 } 460 461 /* Obtain the private object pointer. */ 462 private_key = (soft_object_t *)*phPrivateKey; 463 464 /* 465 * At this point, both public key and private key objects 466 * are settled with the application specified attributes. 467 * We are ready to generate the rest of key attributes based 468 * on the existing attributes. 469 */ 470 471 switch (key_type) { 472 case CKK_RSA: 473 rv = soft_rsa_genkey_pair(public_key, private_key); 474 break; 475 476 case CKK_DSA: 477 rv = soft_dsa_genkey_pair(public_key, private_key); 478 break; 479 480 case CKK_DH: 481 rv = soft_dh_genkey_pair(public_key, private_key); 482 private_key->bool_attr_mask |= DERIVE_BOOL_ON; 483 break; 484 case CKK_EC: 485 rv = soft_ec_genkey_pair(public_key, private_key); 486 private_key->bool_attr_mask |= DERIVE_BOOL_ON; 487 break; 488 } 489 490 if (rv != CKR_OK) { 491 if (IS_TOKEN_OBJECT(public_key)) { 492 soft_delete_token_object(public_key, B_FALSE, B_FALSE); 493 soft_delete_token_object(private_key, B_FALSE, B_FALSE); 494 } else { 495 soft_delete_object(session_p, public_key, B_FALSE); 496 soft_delete_object(session_p, private_key, B_FALSE); 497 } 498 } 499 500 if (IS_TOKEN_OBJECT(public_key)) { 501 /* 502 * All the info has been filled, so we can write to 503 * keystore now. 504 */ 505 rv = soft_put_object_to_keystore(public_key); 506 if (rv != CKR_OK) { 507 soft_delete_token_object(public_key, B_FALSE, B_FALSE); 508 soft_delete_token_object(private_key, B_FALSE, B_FALSE); 509 } 510 } 511 512 if (IS_TOKEN_OBJECT(private_key)) { 513 rv = soft_put_object_to_keystore(private_key); 514 if (rv != CKR_OK) { 515 /* 516 * We also need to delete the public token object 517 * from keystore. 518 */ 519 soft_delete_token_object(public_key, B_TRUE, B_FALSE); 520 soft_delete_token_object(private_key, B_FALSE, B_FALSE); 521 } 522 } 523 524 return (rv); 525 } 526 527 528 CK_RV 529 soft_key_derive_check_length(soft_object_t *secret_key, CK_ULONG max_keylen) 530 { 531 532 switch (secret_key->key_type) { 533 case CKK_GENERIC_SECRET: 534 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) { 535 OBJ_SEC_VALUE_LEN(secret_key) = max_keylen; 536 return (CKR_OK); 537 } else if (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen) { 538 return (CKR_ATTRIBUTE_VALUE_INVALID); 539 } 540 break; 541 case CKK_RC4: 542 case CKK_AES: 543 case CKK_BLOWFISH: 544 if ((OBJ_SEC_VALUE_LEN(secret_key) == 0) || 545 (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen)) { 546 /* RC4 and AES has variable key length */ 547 return (CKR_ATTRIBUTE_VALUE_INVALID); 548 } 549 break; 550 case CKK_DES: 551 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) { 552 /* DES has a well-defined length */ 553 OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE; 554 return (CKR_OK); 555 } else if (OBJ_SEC_VALUE_LEN(secret_key) != DES_KEYSIZE) { 556 return (CKR_ATTRIBUTE_VALUE_INVALID); 557 } 558 break; 559 case CKK_DES2: 560 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) { 561 /* DES2 has a well-defined length */ 562 OBJ_SEC_VALUE_LEN(secret_key) = DES2_KEYSIZE; 563 return (CKR_OK); 564 } else if (OBJ_SEC_VALUE_LEN(secret_key) != DES2_KEYSIZE) { 565 return (CKR_ATTRIBUTE_VALUE_INVALID); 566 } 567 break; 568 569 default: 570 return (CKR_MECHANISM_INVALID); 571 } 572 573 return (CKR_OK); 574 } 575 576 /* 577 * PKCS#11 (12.33) says that v = 512 bits (64 bytes) for SHA1 578 * PBE methods. 579 */ 580 #define PKCS12_BUFFER_SIZE 64 581 /* 582 * PKCS#12 defines 3 different ID bytes to be used for 583 * deriving keys for different operations. 584 */ 585 #define PBE_ID_ENCRYPT 1 586 #define PBE_ID_IV 2 587 #define PBE_ID_MAC 3 588 #define PBE_CEIL(a, b) (((a)/(b)) + (((a)%(b)) > 0)) 589 590 static CK_RV 591 soft_pkcs12_pbe(soft_session_t *session_p, 592 CK_MECHANISM_PTR pMechanism, 593 soft_object_t *derived_key) 594 { 595 CK_RV rv = CKR_OK; 596 CK_PBE_PARAMS *params = pMechanism->pParameter; 597 CK_ULONG c, i, j, k; 598 CK_ULONG hashSize; 599 CK_ULONG buffSize; 600 /* 601 * Terse variable names are used to make following 602 * the PKCS#12 spec easier. 603 */ 604 CK_BYTE *A = NULL; 605 CK_BYTE *Ai = NULL; 606 CK_BYTE *B = NULL; 607 CK_BYTE *D = NULL; 608 CK_BYTE *I = NULL, *S, *P; 609 CK_BYTE *keybuf = NULL; 610 CK_ULONG Alen, Ilen, Slen, Plen, AiLen, Blen, Dlen; 611 CK_ULONG keysize = OBJ_SEC_VALUE_LEN(derived_key); 612 CK_MECHANISM digest_mech; 613 614 /* U = hash function output bits */ 615 if (pMechanism->mechanism == CKM_PBE_SHA1_RC4_128) { 616 hashSize = SHA1_HASH_SIZE; 617 buffSize = PKCS12_BUFFER_SIZE; 618 digest_mech.mechanism = CKM_SHA_1; 619 digest_mech.pParameter = NULL; 620 digest_mech.ulParameterLen = 0; 621 } else { 622 /* we only support 1 PBE mech for now */ 623 return (CKR_MECHANISM_INVALID); 624 } 625 keybuf = OBJ_SEC_VALUE(derived_key); 626 627 Blen = Dlen = buffSize; 628 D = (CK_BYTE *)malloc(Dlen); 629 if (D == NULL) { 630 rv = CKR_HOST_MEMORY; 631 goto cleanup; 632 } 633 634 B = (CK_BYTE *)malloc(Blen); 635 if (B == NULL) { 636 rv = CKR_HOST_MEMORY; 637 goto cleanup; 638 } 639 640 /* 641 * Initialize some values and create some buffers 642 * that we need later. 643 * 644 * Slen = buffSize * CEIL(SaltLength/buffSize) 645 */ 646 Slen = buffSize * PBE_CEIL(params->ulSaltLen, buffSize); 647 648 /* 649 * Plen = buffSize * CEIL(PasswordLength/buffSize) 650 */ 651 Plen = buffSize * PBE_CEIL(params->ulPasswordLen, buffSize); 652 653 /* 654 * From step 4: I = S + P, so: Ilen = Slen + Plen 655 */ 656 Ilen = Slen + Plen; 657 I = (CK_BYTE *)malloc(Ilen); 658 if (I == NULL) { 659 rv = CKR_HOST_MEMORY; 660 goto cleanup; 661 } 662 663 S = I; 664 P = I + Slen; 665 666 /* 667 * Step 1. 668 * We are only interested in deriving keys for encrypt/decrypt 669 * for now, so construct the "D"iversifier accordingly. 670 */ 671 (void) memset(D, PBE_ID_ENCRYPT, Dlen); 672 673 /* 674 * Step 2. 675 * Concatenate copies of the salt together to make S. 676 */ 677 for (i = 0; i < Slen; i += params->ulSaltLen) { 678 (void) memcpy(S+i, params->pSalt, 679 ((Slen - i) > params->ulSaltLen ? 680 params->ulSaltLen : (Slen - i))); 681 } 682 683 /* 684 * Step 3. 685 * Concatenate copies of the password together to make 686 * a string P. 687 */ 688 for (i = 0; i < Plen; i += params->ulPasswordLen) { 689 (void) memcpy(P+i, params->pPassword, 690 ((Plen - i) > params->ulPasswordLen ? 691 params->ulPasswordLen : (Plen - i))); 692 } 693 694 /* 695 * Step 4. 696 * I = S+P - this is now done because S and P are 697 * pointers into I. 698 * 699 * Step 5. 700 * c= CEIL[n/u] 701 * where n = pseudorandom bits of output desired. 702 */ 703 c = PBE_CEIL(keysize, hashSize); 704 705 /* 706 * Step 6. 707 */ 708 Alen = c * hashSize; 709 A = (CK_BYTE *)malloc(Alen); 710 if (A == NULL) { 711 rv = CKR_HOST_MEMORY; 712 goto cleanup; 713 } 714 AiLen = hashSize; 715 Ai = (CK_BYTE *)malloc(AiLen); 716 if (Ai == NULL) { 717 rv = CKR_HOST_MEMORY; 718 goto cleanup; 719 } 720 721 /* 722 * Step 6a. 723 * Ai = Hr(D+I) 724 */ 725 for (i = 0; i < c; i++) { 726 (void) pthread_mutex_lock(&session_p->session_mutex); 727 728 if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) { 729 (void) pthread_mutex_unlock(&session_p->session_mutex); 730 rv = CKR_OPERATION_ACTIVE; 731 goto cleanup; 732 } 733 session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE; 734 (void) pthread_mutex_unlock(&session_p->session_mutex); 735 736 for (j = 0; j < params->ulIteration; j++) { 737 rv = soft_digest_init(session_p, &digest_mech); 738 if (rv != CKR_OK) 739 goto digest_done; 740 741 if (j == 0) { 742 rv = soft_digest_update(session_p, D, Dlen); 743 if (rv != CKR_OK) 744 goto digest_done; 745 746 rv = soft_digest_update(session_p, I, Ilen); 747 } else { 748 rv = soft_digest_update(session_p, Ai, AiLen); 749 } 750 if (rv != CKR_OK) 751 goto digest_done; 752 753 rv = soft_digest_final(session_p, Ai, &AiLen); 754 if (rv != CKR_OK) 755 goto digest_done; 756 } 757 digest_done: 758 (void) pthread_mutex_lock(&session_p->session_mutex); 759 session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE; 760 (void) pthread_mutex_unlock(&session_p->session_mutex); 761 762 if (rv != CKR_OK) 763 goto cleanup; 764 /* 765 * Step 6b. 766 * Concatenate Ai to make B 767 */ 768 for (j = 0; j < Blen; j += hashSize) { 769 (void) memcpy(B+j, Ai, ((Blen - j > hashSize) ? 770 hashSize : Blen - j)); 771 } 772 773 /* 774 * Step 6c. 775 */ 776 k = Ilen / Blen; 777 for (j = 0; j < k; j++) { 778 uchar_t idx; 779 CK_ULONG m, q = 1, cbit = 0; 780 781 for (m = Blen - 1; m >= (CK_ULONG)0; m--, q = 0) { 782 idx = m + j*Blen; 783 784 q += (CK_ULONG)I[idx] + (CK_ULONG)B[m]; 785 q += cbit; 786 I[idx] = (CK_BYTE)(q & 0xff); 787 cbit = (q > 0xff); 788 } 789 } 790 791 /* 792 * Step 7. 793 * A += Ai 794 */ 795 (void) memcpy(A + i*hashSize, Ai, AiLen); 796 } 797 798 /* 799 * Step 8. 800 * The final output of this process is the A buffer 801 */ 802 (void) memcpy(keybuf, A, keysize); 803 804 cleanup: 805 if (A) { 806 bzero(A, Alen); 807 free(A); 808 } 809 if (Ai) { 810 bzero(Ai, AiLen); 811 free(Ai); 812 } 813 if (B) { 814 bzero(B, Blen); 815 free(B); 816 } 817 if (D) { 818 bzero(D, Dlen); 819 free(D); 820 } 821 if (I) { 822 bzero(I, Ilen); 823 free(I); 824 } 825 return (rv); 826 } 827 828 CK_RV 829 soft_derivekey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 830 soft_object_t *basekey_p, CK_ATTRIBUTE_PTR pTemplate, 831 CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey) 832 { 833 834 CK_RV rv = CKR_OK; 835 soft_object_t *secret_key; 836 CK_MECHANISM digest_mech; 837 CK_BYTE hash[SHA512_DIGEST_LENGTH]; /* space enough for all mechs */ 838 CK_ULONG hash_len = SHA512_DIGEST_LENGTH; 839 CK_ULONG secret_key_len; 840 CK_ULONG hash_size; 841 842 switch (pMechanism->mechanism) { 843 case CKM_DH_PKCS_DERIVE: 844 /* 845 * Create a new object for secret key. The key type should 846 * be provided in the template. 847 */ 848 rv = soft_gen_keyobject(pTemplate, ulAttributeCount, 849 phKey, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL, 0, 850 SOFT_DERIVE_KEY_DH, B_FALSE); 851 852 if (rv != CKR_OK) { 853 return (rv); 854 } 855 856 /* Obtain the secret object pointer. */ 857 secret_key = (soft_object_t *)*phKey; 858 859 rv = soft_dh_key_derive(basekey_p, secret_key, 860 (CK_BYTE *)pMechanism->pParameter, 861 pMechanism->ulParameterLen); 862 863 if (rv != CKR_OK) { 864 if (IS_TOKEN_OBJECT(secret_key)) 865 soft_delete_token_object(secret_key, B_FALSE, 866 B_FALSE); 867 else 868 soft_delete_object(session_p, secret_key, 869 B_FALSE); 870 return (rv); 871 } 872 873 break; 874 875 case CKM_ECDH1_DERIVE: 876 /* 877 * Create a new object for secret key. The key type should 878 * be provided in the template. 879 */ 880 rv = soft_gen_keyobject(pTemplate, ulAttributeCount, 881 phKey, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL, 0, 882 SOFT_DERIVE_KEY_DH, B_FALSE); 883 884 if (rv != CKR_OK) { 885 return (rv); 886 } 887 888 /* Obtain the secret object pointer. */ 889 secret_key = (soft_object_t *)*phKey; 890 891 rv = soft_ec_key_derive(basekey_p, secret_key, 892 (CK_BYTE *)pMechanism->pParameter, 893 pMechanism->ulParameterLen); 894 895 if (rv != CKR_OK) { 896 if (IS_TOKEN_OBJECT(secret_key)) 897 soft_delete_token_object(secret_key, B_FALSE, 898 B_FALSE); 899 else 900 soft_delete_object(session_p, secret_key, 901 B_FALSE); 902 return (rv); 903 } 904 905 break; 906 907 case CKM_SHA1_KEY_DERIVATION: 908 hash_size = SHA1_HASH_SIZE; 909 digest_mech.mechanism = CKM_SHA_1; 910 goto common; 911 912 case CKM_MD5_KEY_DERIVATION: 913 hash_size = MD5_HASH_SIZE; 914 digest_mech.mechanism = CKM_MD5; 915 goto common; 916 917 case CKM_SHA256_KEY_DERIVATION: 918 hash_size = SHA256_DIGEST_LENGTH; 919 digest_mech.mechanism = CKM_SHA256; 920 goto common; 921 922 case CKM_SHA384_KEY_DERIVATION: 923 hash_size = SHA384_DIGEST_LENGTH; 924 digest_mech.mechanism = CKM_SHA384; 925 goto common; 926 927 case CKM_SHA512_KEY_DERIVATION: 928 hash_size = SHA512_DIGEST_LENGTH; 929 digest_mech.mechanism = CKM_SHA512; 930 goto common; 931 932 common: 933 /* 934 * Create a new object for secret key. The key type is optional 935 * to be provided in the template. If it is not specified in 936 * the template, the default is CKK_GENERIC_SECRET. 937 */ 938 rv = soft_gen_keyobject(pTemplate, ulAttributeCount, 939 phKey, session_p, CKO_SECRET_KEY, 940 (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0, 941 SOFT_DERIVE_KEY_OTHER, B_FALSE); 942 943 if (rv != CKR_OK) { 944 return (rv); 945 } 946 947 /* Obtain the secret object pointer. */ 948 secret_key = (soft_object_t *)*phKey; 949 950 /* Validate the key type and key length */ 951 rv = soft_key_derive_check_length(secret_key, hash_size); 952 if (rv != CKR_OK) { 953 if (IS_TOKEN_OBJECT(secret_key)) 954 soft_delete_token_object(secret_key, B_FALSE, 955 B_FALSE); 956 else 957 soft_delete_object(session_p, secret_key, 958 B_FALSE); 959 return (rv); 960 } 961 962 /* 963 * Derive the secret key by digesting the value of another 964 * secret key (base key) with SHA-1 or MD5. 965 */ 966 rv = soft_digest_init_internal(session_p, &digest_mech); 967 if (rv != CKR_OK) { 968 if (IS_TOKEN_OBJECT(secret_key)) 969 soft_delete_token_object(secret_key, B_FALSE, 970 B_FALSE); 971 else 972 soft_delete_object(session_p, secret_key, 973 B_FALSE); 974 return (rv); 975 } 976 977 rv = soft_digest(session_p, OBJ_SEC_VALUE(basekey_p), 978 OBJ_SEC_VALUE_LEN(basekey_p), hash, &hash_len); 979 980 (void) pthread_mutex_lock(&session_p->session_mutex); 981 /* soft_digest_common() has freed the digest context */ 982 session_p->digest.flags = 0; 983 (void) pthread_mutex_unlock(&session_p->session_mutex); 984 985 if (rv != CKR_OK) { 986 if (IS_TOKEN_OBJECT(secret_key)) 987 soft_delete_token_object(secret_key, B_FALSE, 988 B_FALSE); 989 else 990 soft_delete_object(session_p, secret_key, 991 B_FALSE); 992 return (rv); 993 } 994 995 secret_key_len = OBJ_SEC_VALUE_LEN(secret_key); 996 997 if ((OBJ_SEC_VALUE(secret_key) = malloc(secret_key_len)) == 998 NULL) { 999 if (IS_TOKEN_OBJECT(secret_key)) 1000 soft_delete_token_object(secret_key, B_FALSE, 1001 B_FALSE); 1002 else 1003 soft_delete_object(session_p, secret_key, 1004 B_FALSE); 1005 return (CKR_HOST_MEMORY); 1006 } 1007 1008 /* 1009 * The key produced by this mechanism will be of the 1010 * specified type and length. 1011 * The truncation removes extra bytes from the leading 1012 * of the digested key value. 1013 */ 1014 (void) memcpy(OBJ_SEC_VALUE(secret_key), 1015 (hash + hash_len - secret_key_len), 1016 secret_key_len); 1017 1018 break; 1019 1020 /* 1021 * The key sensitivity and extractability rules for the generated 1022 * keys will be enforced inside soft_ssl_master_key_derive() and 1023 * soft_ssl_key_and_mac_derive() 1024 */ 1025 case CKM_SSL3_MASTER_KEY_DERIVE: 1026 case CKM_SSL3_MASTER_KEY_DERIVE_DH: 1027 case CKM_TLS_MASTER_KEY_DERIVE: 1028 case CKM_TLS_MASTER_KEY_DERIVE_DH: 1029 if (phKey == NULL_PTR) 1030 return (CKR_ARGUMENTS_BAD); 1031 return (soft_ssl_master_key_derive(session_p, pMechanism, 1032 basekey_p, pTemplate, ulAttributeCount, phKey)); 1033 1034 case CKM_SSL3_KEY_AND_MAC_DERIVE: 1035 case CKM_TLS_KEY_AND_MAC_DERIVE: 1036 return (soft_ssl_key_and_mac_derive(session_p, pMechanism, 1037 basekey_p, pTemplate, ulAttributeCount)); 1038 1039 case CKM_TLS_PRF: 1040 if (pMechanism->pParameter == NULL || 1041 pMechanism->ulParameterLen != sizeof (CK_TLS_PRF_PARAMS) || 1042 phKey != NULL) 1043 return (CKR_ARGUMENTS_BAD); 1044 1045 if (pTemplate != NULL) 1046 return (CKR_TEMPLATE_INCONSISTENT); 1047 1048 return (derive_tls_prf( 1049 (CK_TLS_PRF_PARAMS_PTR)pMechanism->pParameter, basekey_p)); 1050 1051 default: 1052 return (CKR_MECHANISM_INVALID); 1053 } 1054 1055 soft_derive_enforce_flags(basekey_p, secret_key); 1056 1057 if (IS_TOKEN_OBJECT(secret_key)) { 1058 /* 1059 * All the info has been filled, so we can write to 1060 * keystore now. 1061 */ 1062 rv = soft_put_object_to_keystore(secret_key); 1063 if (rv != CKR_OK) 1064 soft_delete_token_object(secret_key, B_FALSE, B_FALSE); 1065 } 1066 1067 return (rv); 1068 } 1069 1070 1071 /* 1072 * Perform key derivation rules on key's sensitivity and extractability. 1073 */ 1074 void 1075 soft_derive_enforce_flags(soft_object_t *basekey, soft_object_t *newkey) 1076 { 1077 1078 boolean_t new_sensitive = B_FALSE; 1079 boolean_t new_extractable = B_FALSE; 1080 1081 /* 1082 * The sensitive and extractable bits have been set when 1083 * the newkey was built. 1084 */ 1085 if (newkey->bool_attr_mask & SENSITIVE_BOOL_ON) { 1086 new_sensitive = B_TRUE; 1087 } 1088 1089 if (newkey->bool_attr_mask & EXTRACTABLE_BOOL_ON) { 1090 new_extractable = B_TRUE; 1091 } 1092 1093 /* Derive the CKA_ALWAYS_SENSITIVE flag */ 1094 if (!basekey->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON) { 1095 /* 1096 * If the base key has its CKA_ALWAYS_SENSITIVE set to 1097 * FALSE, then the derived key will as well. 1098 */ 1099 newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON; 1100 } else { 1101 /* 1102 * If the base key has its CKA_ALWAYS_SENSITIVE set to TRUE, 1103 * then the derived key has the CKA_ALWAYS_SENSITIVE set to 1104 * the same value as its CKA_SENSITIVE; 1105 */ 1106 if (new_sensitive) { 1107 newkey->bool_attr_mask |= ALWAYS_SENSITIVE_BOOL_ON; 1108 } else { 1109 newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON; 1110 } 1111 } 1112 1113 /* Derive the CKA_NEVER_EXTRACTABLE flag */ 1114 if (!basekey->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) { 1115 /* 1116 * If the base key has its CKA_NEVER_EXTRACTABLE set to 1117 * FALSE, then the derived key will as well. 1118 */ 1119 newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON; 1120 } else { 1121 /* 1122 * If the base key has its CKA_NEVER_EXTRACTABLE set to TRUE, 1123 * then the derived key has the CKA_NEVER_EXTRACTABLE set to 1124 * the opposite value from its CKA_EXTRACTABLE; 1125 */ 1126 if (new_extractable) { 1127 newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON; 1128 } else { 1129 newkey->bool_attr_mask |= NEVER_EXTRACTABLE_BOOL_ON; 1130 } 1131 } 1132 1133 /* Set the CKA_LOCAL flag to false */ 1134 newkey->bool_attr_mask &= ~LOCAL_BOOL_ON; 1135 } 1136 1137 1138 /* 1139 * do_prf 1140 * 1141 * This routine implements Step 3. of the PBKDF2 function 1142 * defined in PKCS#5 for generating derived keys from a 1143 * password. 1144 * 1145 * Currently, PRF is always SHA_1_HMAC. 1146 */ 1147 static CK_RV 1148 do_prf(soft_session_t *session_p, 1149 CK_PKCS5_PBKD2_PARAMS_PTR params, 1150 soft_object_t *hmac_key, 1151 CK_BYTE *newsalt, CK_ULONG saltlen, 1152 CK_BYTE *blockdata, CK_ULONG blocklen) 1153 { 1154 CK_RV rv = CKR_OK; 1155 CK_MECHANISM digest_mech = {CKM_SHA_1_HMAC, NULL, 0}; 1156 CK_BYTE buffer[2][SHA1_HASH_SIZE]; 1157 CK_ULONG hmac_outlen = SHA1_HASH_SIZE; 1158 CK_ULONG inlen; 1159 CK_BYTE *input, *output; 1160 CK_ULONG i, j; 1161 1162 input = newsalt; 1163 inlen = saltlen; 1164 1165 output = buffer[1]; 1166 (void) pthread_mutex_lock(&session_p->session_mutex); 1167 1168 if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) { 1169 (void) pthread_mutex_unlock(&session_p->session_mutex); 1170 return (CKR_OPERATION_ACTIVE); 1171 } 1172 session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE; 1173 (void) pthread_mutex_unlock(&session_p->session_mutex); 1174 1175 for (i = 0; i < params->iterations; i++) { 1176 /* 1177 * The key doesn't change, its always the 1178 * password iniitally given. 1179 */ 1180 rv = soft_sign_init(session_p, &digest_mech, hmac_key); 1181 1182 if (rv != CKR_OK) { 1183 goto cleanup; 1184 } 1185 1186 /* Call PRF function (SHA1_HMAC for now). */ 1187 rv = soft_sign(session_p, input, inlen, output, &hmac_outlen); 1188 1189 if (rv != CKR_OK) { 1190 goto cleanup; 1191 } 1192 /* 1193 * The first time, initialize the output buffer 1194 * with the HMAC signature. 1195 */ 1196 if (i == 0) { 1197 (void) memcpy(blockdata, output, 1198 local_min(blocklen, hmac_outlen)); 1199 } else { 1200 /* 1201 * XOR the existing data with output from PRF. 1202 * 1203 * Only XOR up to the length of the blockdata, 1204 * it may be less than a full hmac buffer when 1205 * the final block is being computed. 1206 */ 1207 for (j = 0; j < hmac_outlen && j < blocklen; j++) 1208 blockdata[j] ^= output[j]; 1209 } 1210 /* Output from previous PRF is input for next round */ 1211 input = output; 1212 inlen = hmac_outlen; 1213 1214 /* 1215 * Switch buffers to avoid overuse of memcpy. 1216 * Initially we used buffer[1], so after the end of 1217 * the first iteration (i==0), we switch to buffer[0] 1218 * and continue swapping with each iteration. 1219 */ 1220 output = buffer[i%2]; 1221 } 1222 cleanup: 1223 (void) pthread_mutex_lock(&session_p->session_mutex); 1224 session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE; 1225 (void) pthread_mutex_unlock(&session_p->session_mutex); 1226 1227 return (rv); 1228 } 1229 1230 static CK_RV 1231 soft_create_hmac_key(soft_session_t *session_p, CK_BYTE *passwd, 1232 CK_ULONG passwd_len, CK_OBJECT_HANDLE_PTR phKey) 1233 { 1234 CK_RV rv = CKR_OK; 1235 CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY; 1236 CK_KEY_TYPE keytype = CKK_GENERIC_SECRET; 1237 CK_BBOOL True = TRUE; 1238 CK_ATTRIBUTE keytemplate[4]; 1239 /* 1240 * We must initialize each template member individually 1241 * because at the time of initial coding for ON10, the 1242 * compiler was using the "-xc99=%none" option 1243 * which prevents us from being able to declare the whole 1244 * template in place as usual. 1245 */ 1246 keytemplate[0].type = CKA_CLASS; 1247 keytemplate[0].pValue = &keyclass; 1248 keytemplate[0].ulValueLen = sizeof (keyclass); 1249 1250 keytemplate[1].type = CKA_KEY_TYPE; 1251 keytemplate[1].pValue = &keytype; 1252 keytemplate[1].ulValueLen = sizeof (keytype); 1253 1254 keytemplate[2].type = CKA_SIGN; 1255 keytemplate[2].pValue = &True; 1256 keytemplate[2].ulValueLen = sizeof (True); 1257 1258 keytemplate[3].type = CKA_VALUE; 1259 keytemplate[3].pValue = passwd; 1260 keytemplate[3].ulValueLen = passwd_len; 1261 /* 1262 * Create a generic key object to be used for HMAC operations. 1263 * The "value" for this key is the password from the 1264 * mechanism parameter structure. 1265 */ 1266 rv = soft_gen_keyobject(keytemplate, 1267 sizeof (keytemplate)/sizeof (CK_ATTRIBUTE), phKey, session_p, 1268 CKO_SECRET_KEY, (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0, 1269 SOFT_CREATE_OBJ, B_TRUE); 1270 1271 return (rv); 1272 } 1273 1274 CK_RV 1275 soft_generate_pkcs5_pbkdf2_key(soft_session_t *session_p, 1276 CK_MECHANISM_PTR pMechanism, 1277 soft_object_t *secret_key) 1278 { 1279 CK_RV rv = CKR_OK; 1280 CK_PKCS5_PBKD2_PARAMS *params = 1281 (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter; 1282 CK_ULONG hLen = SHA1_HASH_SIZE; 1283 CK_ULONG dkLen, i; 1284 CK_ULONG blocks, remainder; 1285 CK_OBJECT_HANDLE phKey = 0; 1286 soft_object_t *hmac_key = NULL; 1287 CK_BYTE *salt = NULL; 1288 CK_BYTE *keydata = NULL; 1289 1290 params = (CK_PKCS5_PBKD2_PARAMS_PTR) pMechanism->pParameter; 1291 1292 if (params->prf != CKP_PKCS5_PBKD2_HMAC_SHA1) 1293 return (CKR_MECHANISM_PARAM_INVALID); 1294 1295 if (params->pPrfData != NULL || params->ulPrfDataLen != 0) 1296 return (CKR_DATA_INVALID); 1297 1298 if (params->saltSource != CKZ_SALT_SPECIFIED || 1299 params->iterations == 0) 1300 return (CKR_MECHANISM_PARAM_INVALID); 1301 1302 /* 1303 * Create a key object to use for HMAC operations. 1304 */ 1305 rv = soft_create_hmac_key(session_p, params->pPassword, 1306 *params->ulPasswordLen, &phKey); 1307 1308 if (rv != CKR_OK) 1309 return (rv); 1310 1311 hmac_key = (soft_object_t *)phKey; 1312 1313 /* Step 1. */ 1314 dkLen = OBJ_SEC_VALUE_LEN(secret_key); /* length of desired key */ 1315 1316 if (dkLen > ((((u_longlong_t)1)<<32)-1)*hLen) { 1317 (void) soft_delete_object(session_p, hmac_key, B_FALSE); 1318 return (CKR_KEY_SIZE_RANGE); 1319 } 1320 1321 /* Step 2. */ 1322 blocks = dkLen / hLen; 1323 1324 /* crude "Ceiling" function to adjust the number of blocks to use */ 1325 if (blocks * hLen != dkLen) 1326 blocks++; 1327 1328 remainder = dkLen - ((blocks - 1) * hLen); 1329 1330 /* Step 3 */ 1331 salt = (CK_BYTE *)malloc(params->ulSaltSourceDataLen + 4); 1332 if (salt == NULL) { 1333 (void) soft_delete_object(session_p, hmac_key, B_FALSE); 1334 return (CKR_HOST_MEMORY); 1335 } 1336 /* 1337 * Nothing in PKCS#5 says you cannot pass an empty 1338 * salt, so we will allow for this and not return error 1339 * if the salt is not specified. 1340 */ 1341 if (params->pSaltSourceData != NULL && params->ulSaltSourceDataLen > 0) 1342 (void) memcpy(salt, params->pSaltSourceData, 1343 params->ulSaltSourceDataLen); 1344 1345 /* 1346 * Get pointer to the data section of the key, 1347 * this will be used below as output from the 1348 * PRF iteration/concatenations so that when the 1349 * blocks are all iterated, the secret_key will 1350 * have the resulting derived key value. 1351 */ 1352 keydata = (CK_BYTE *)OBJ_SEC_VALUE(secret_key); 1353 1354 /* Step 4. */ 1355 for (i = 0; i < blocks && (rv == CKR_OK); i++) { 1356 CK_BYTE *s; 1357 1358 s = salt + params->ulSaltSourceDataLen; 1359 1360 /* 1361 * Append the block index to the salt as input 1362 * to the PRF. Block index should start at 1 1363 * not 0. 1364 */ 1365 *s++ = ((i+1) >> 24) & 0xff; 1366 *s++ = ((i+1) >> 16) & 0xff; 1367 *s++ = ((i+1) >> 8) & 0xff; 1368 *s = ((i+1)) & 0xff; 1369 1370 /* 1371 * Adjust the key pointer so we always append the 1372 * PRF output to the current key. 1373 */ 1374 rv = do_prf(session_p, params, hmac_key, 1375 salt, params->ulSaltSourceDataLen + 4, keydata, 1376 ((i + 1) == blocks ? remainder : hLen)); 1377 1378 keydata += hLen; 1379 } 1380 (void) soft_delete_object(session_p, hmac_key, B_FALSE); 1381 free(salt); 1382 1383 return (rv); 1384 } 1385 1386 CK_RV 1387 soft_wrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 1388 soft_object_t *wrappingKey_p, soft_object_t *hkey_p, 1389 CK_BYTE_PTR pWrappedKey, CK_ULONG_PTR pulWrappedKeyLen) 1390 { 1391 CK_RV rv = CKR_OK; 1392 CK_ULONG plain_len = 0; 1393 CK_BYTE_PTR plain_data = NULL; 1394 CK_ULONG padded_len = 0; 1395 CK_BYTE_PTR padded_data = NULL; 1396 CK_ULONG wkey_blksz = 1; /* so modulo will work right */ 1397 1398 /* Check if the mechanism is supported. */ 1399 switch (pMechanism->mechanism) { 1400 case CKM_DES_CBC_PAD: 1401 case CKM_DES3_CBC_PAD: 1402 case CKM_AES_CBC_PAD: 1403 /* 1404 * Secret key mechs with padding can be used to wrap secret 1405 * keys and private keys only. See PKCS#11, * sec 11.14, 1406 * C_WrapKey and secs 12.* for each mechanism's wrapping/ 1407 * unwrapping constraints. 1408 */ 1409 if (hkey_p->class != CKO_SECRET_KEY && hkey_p->class != 1410 CKO_PRIVATE_KEY) 1411 return (CKR_MECHANISM_INVALID); 1412 break; 1413 case CKM_RSA_PKCS: 1414 case CKM_RSA_X_509: 1415 case CKM_DES_ECB: 1416 case CKM_DES3_ECB: 1417 case CKM_AES_ECB: 1418 case CKM_DES_CBC: 1419 case CKM_DES3_CBC: 1420 case CKM_AES_CBC: 1421 case CKM_AES_CTR: 1422 case CKM_BLOWFISH_CBC: 1423 /* 1424 * Unpadded secret key mechs and private key mechs are only 1425 * defined for wrapping secret keys. See PKCS#11 refs above. 1426 */ 1427 if (hkey_p->class != CKO_SECRET_KEY) 1428 return (CKR_MECHANISM_INVALID); 1429 break; 1430 default: 1431 return (CKR_MECHANISM_INVALID); 1432 } 1433 1434 if (hkey_p->class == CKO_SECRET_KEY) { 1435 plain_data = OBJ_SEC_VALUE(hkey_p); 1436 plain_len = OBJ_SEC_VALUE_LEN(hkey_p); 1437 } else { 1438 /* 1439 * BER-encode the object to be wrapped: call first with 1440 * plain_data = NULL to get the size needed, allocate that 1441 * much space, call again to fill space with actual data. 1442 */ 1443 rv = soft_object_to_asn1(hkey_p, NULL, &plain_len); 1444 if (rv != CKR_OK) 1445 return (rv); 1446 if ((plain_data = malloc(plain_len)) == NULL) 1447 return (CKR_HOST_MEMORY); 1448 (void) memset(plain_data, 0x0, plain_len); 1449 rv = soft_object_to_asn1(hkey_p, plain_data, &plain_len); 1450 if (rv != CKR_OK) 1451 goto cleanup_wrap; 1452 } 1453 1454 /* 1455 * For unpadded ECB and CBC mechanisms, the object needs to be 1456 * padded to the wrapping key's blocksize prior to the encryption. 1457 */ 1458 padded_len = plain_len; 1459 padded_data = plain_data; 1460 1461 switch (pMechanism->mechanism) { 1462 case CKM_DES_ECB: 1463 case CKM_DES3_ECB: 1464 case CKM_AES_ECB: 1465 case CKM_DES_CBC: 1466 case CKM_DES3_CBC: 1467 case CKM_AES_CBC: 1468 case CKM_BLOWFISH_CBC: 1469 /* Find the block size of the wrapping key. */ 1470 if (wrappingKey_p->class == CKO_SECRET_KEY) { 1471 switch (wrappingKey_p->key_type) { 1472 case CKK_DES: 1473 case CKK_DES2: 1474 case CKK_DES3: 1475 wkey_blksz = DES_BLOCK_LEN; 1476 break; 1477 case CKK_AES: 1478 wkey_blksz = AES_BLOCK_LEN; 1479 break; 1480 case CKK_BLOWFISH: 1481 wkey_blksz = BLOWFISH_BLOCK_LEN; 1482 break; 1483 default: 1484 break; 1485 } 1486 } else { 1487 rv = CKR_WRAPPING_KEY_TYPE_INCONSISTENT; 1488 goto cleanup_wrap; 1489 } 1490 1491 /* Extend the plain text data to block size boundary. */ 1492 if ((padded_len % wkey_blksz) != 0) { 1493 padded_len += (wkey_blksz - (plain_len % wkey_blksz)); 1494 if ((padded_data = malloc(padded_len)) == NULL) { 1495 rv = CKR_HOST_MEMORY; 1496 goto cleanup_wrap; 1497 } 1498 (void) memset(padded_data, 0x0, padded_len); 1499 (void) memcpy(padded_data, plain_data, plain_len); 1500 } 1501 break; 1502 default: 1503 break; 1504 } 1505 1506 rv = soft_encrypt_init(session_p, pMechanism, wrappingKey_p); 1507 if (rv != CKR_OK) 1508 goto cleanup_wrap; 1509 1510 rv = soft_encrypt(session_p, padded_data, padded_len, 1511 pWrappedKey, pulWrappedKeyLen); 1512 1513 cleanup_wrap: 1514 if (padded_data != NULL && padded_len != plain_len) { 1515 /* Clear buffer before returning to memory pool. */ 1516 (void) memset(padded_data, 0x0, padded_len); 1517 free(padded_data); 1518 } 1519 1520 if ((hkey_p->class != CKO_SECRET_KEY) && (plain_data != NULL)) { 1521 /* Clear buffer before returning to memory pool. */ 1522 (void) memset(plain_data, 0x0, plain_len); 1523 free(plain_data); 1524 } 1525 1526 return (rv); 1527 } 1528 1529 /* 1530 * Quick check for whether unwrapped key length is appropriate for key type 1531 * and whether it needs to be truncated (in case the wrapping function had 1532 * to pad the key prior to wrapping). 1533 */ 1534 static CK_RV 1535 soft_unwrap_secret_len_check(CK_KEY_TYPE keytype, CK_MECHANISM_TYPE mechtype, 1536 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount) 1537 { 1538 CK_ULONG i; 1539 boolean_t isValueLen = B_FALSE; 1540 1541 /* 1542 * Based on the key type and the mech used to unwrap, need to 1543 * determine if CKA_VALUE_LEN should or should not be specified. 1544 * PKCS#11 v2.11 restricts CKA_VALUE_LEN from being specified 1545 * for C_UnwrapKey for all mechs and key types, but v2.20 loosens 1546 * that restriction, perhaps because it makes it impossible to 1547 * determine the original length of unwrapped variable-length secret 1548 * keys, such as RC4, AES, and GENERIC_SECRET. These variable-length 1549 * secret keys would have been padded with trailing null-bytes so 1550 * that they could be successfully wrapped with *_ECB and *_CBC 1551 * mechanisms. Hence for unwrapping with these mechs, CKA_VALUE_LEN 1552 * must be specified. For unwrapping with other mechs, such as 1553 * *_CBC_PAD, the CKA_VALUE_LEN is not needed. 1554 */ 1555 1556 /* Find out if template has CKA_VALUE_LEN. */ 1557 for (i = 0; i < ulAttributeCount; i++) { 1558 if (pTemplate[i].type == CKA_VALUE_LEN && 1559 pTemplate[i].pValue != NULL) { 1560 isValueLen = B_TRUE; 1561 break; 1562 } 1563 } 1564 1565 /* Does its presence conflict with the mech type and key type? */ 1566 switch (mechtype) { 1567 case CKM_DES_ECB: 1568 case CKM_DES3_ECB: 1569 case CKM_AES_ECB: 1570 case CKM_DES_CBC: 1571 case CKM_DES3_CBC: 1572 case CKM_AES_CBC: 1573 case CKM_BLOWFISH_CBC: 1574 /* 1575 * CKA_VALUE_LEN must be specified 1576 * if keytype is CKK_RC4, CKK_AES and CKK_GENERIC_SECRET 1577 * and must not be specified otherwise 1578 */ 1579 switch (keytype) { 1580 case CKK_DES: 1581 case CKK_DES2: 1582 case CKK_DES3: 1583 if (isValueLen) 1584 return (CKR_TEMPLATE_INCONSISTENT); 1585 break; 1586 case CKK_GENERIC_SECRET: 1587 case CKK_RC4: 1588 case CKK_AES: 1589 case CKK_BLOWFISH: 1590 if (!isValueLen) 1591 return (CKR_TEMPLATE_INCOMPLETE); 1592 break; 1593 default: 1594 return (CKR_FUNCTION_NOT_SUPPORTED); 1595 } 1596 break; 1597 default: 1598 /* CKA_VALUE_LEN must not be specified */ 1599 if (isValueLen) 1600 return (CKR_TEMPLATE_INCONSISTENT); 1601 break; 1602 } 1603 1604 return (CKR_OK); 1605 } 1606 1607 CK_RV 1608 soft_unwrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 1609 soft_object_t *unwrappingkey_p, 1610 CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen, 1611 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, 1612 CK_OBJECT_HANDLE_PTR phKey) 1613 { 1614 CK_RV rv = CKR_OK; 1615 CK_OBJECT_CLASS new_obj_class = ~0UL; 1616 int i = 0; 1617 soft_object_t *new_objp = NULL; 1618 boolean_t persistent = B_FALSE; 1619 CK_BYTE_PTR plain_data = NULL; 1620 CK_ULONG plain_len = 0; 1621 secret_key_obj_t *sck = NULL; 1622 1623 /* Scan the attribute template for the object class. */ 1624 if (pTemplate != NULL && ulAttributeCount != 0) { 1625 for (i = 0; i < ulAttributeCount; i++) { 1626 if (pTemplate[i].type == CKA_CLASS) { 1627 new_obj_class = 1628 *((CK_OBJECT_CLASS *)pTemplate[i].pValue); 1629 break; 1630 } 1631 } 1632 if (new_obj_class == ~0UL) 1633 return (CKR_TEMPLATE_INCOMPLETE); 1634 } 1635 1636 /* 1637 * Check if the mechanism is supported, and now that the new 1638 * object's class is known, the mechanism selected should be 1639 * capable of doing the unwrap. 1640 */ 1641 switch (pMechanism->mechanism) { 1642 case CKM_RSA_PKCS: 1643 case CKM_RSA_X_509: 1644 case CKM_DES_ECB: 1645 case CKM_DES3_ECB: 1646 case CKM_AES_ECB: 1647 case CKM_DES_CBC: 1648 case CKM_DES3_CBC: 1649 case CKM_AES_CBC: 1650 case CKM_BLOWFISH_CBC: 1651 if (new_obj_class != CKO_SECRET_KEY) 1652 return (CKR_MECHANISM_INVALID); 1653 break; 1654 case CKM_DES_CBC_PAD: 1655 case CKM_DES3_CBC_PAD: 1656 case CKM_AES_CBC_PAD: 1657 if (new_obj_class != CKO_SECRET_KEY && new_obj_class != 1658 CKO_PRIVATE_KEY) 1659 return (CKR_MECHANISM_INVALID); 1660 break; 1661 default: 1662 return (CKR_MECHANISM_INVALID); 1663 } 1664 1665 /* Create a new object based on the attribute template. */ 1666 rv = soft_gen_keyobject(pTemplate, ulAttributeCount, 1667 (CK_ULONG *)&new_objp, session_p, (CK_OBJECT_CLASS)~0UL, 1668 (CK_KEY_TYPE)~0UL, 0, SOFT_UNWRAP_KEY, B_FALSE); 1669 if (rv != CKR_OK) 1670 return (rv); 1671 1672 /* 1673 * New key will have CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE 1674 * both set to FALSE. CKA_EXTRACTABLE will be set _by_default_ to 1675 * true -- leaving the possibility that it may be set FALSE by the 1676 * supplied attribute template. If the precise template cannot be 1677 * supported, unwrap fails. PKCS#11 spec, Sec. 11.14, C_UnwrapKey. 1678 * 1679 * Therefore, check the new object's NEVER_EXTRACTABLE_BOOL_ON and 1680 * ALWAYS_SENSITVE_BOOL_ON; if they are TRUE, the template must 1681 * have supplied them and therefore we cannot honor the unwrap. 1682 */ 1683 if ((new_objp->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) || 1684 (new_objp->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON)) { 1685 rv = CKR_TEMPLATE_INCONSISTENT; 1686 goto cleanup_unwrap; 1687 } 1688 1689 rv = soft_decrypt_init(session_p, pMechanism, unwrappingkey_p); 1690 if (rv != CKR_OK) 1691 goto cleanup_unwrap; 1692 1693 /* First get the length of the plain data */ 1694 rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, NULL, 1695 &plain_len); 1696 if (rv != CKR_OK) 1697 goto cleanup_unwrap; 1698 1699 /* Allocate space for the unwrapped data */ 1700 if ((plain_data = malloc(plain_len)) == NULL) { 1701 rv = CKR_HOST_MEMORY; 1702 goto cleanup_unwrap; 1703 } 1704 (void) memset(plain_data, 0x0, plain_len); 1705 1706 /* Perform actual decryption into the allocated space. */ 1707 rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, plain_data, 1708 &plain_len); 1709 if (rv != CKR_OK) 1710 goto cleanup_unwrap; 1711 1712 if (new_objp->class == CKO_SECRET_KEY) { 1713 /* 1714 * Since no ASN.1 encoding is done for secret keys, check for 1715 * appropriateness and copy decrypted buffer to the key object. 1716 */ 1717 1718 /* Check keytype and mechtype don't conflict with valuelen */ 1719 rv = soft_unwrap_secret_len_check(new_objp->key_type, 1720 pMechanism->mechanism, pTemplate, ulAttributeCount); 1721 if (rv != CKR_OK) 1722 goto cleanup_unwrap; 1723 1724 /* 1725 * Allocate the secret key structure if not already there; 1726 * it will exist for variable length keys since CKA_VALUE_LEN 1727 * is specified and saved, but not for fixed length keys. 1728 */ 1729 if (OBJ_SEC(new_objp) == NULL) { 1730 if ((sck = calloc(1, sizeof (secret_key_obj_t))) == 1731 NULL) { 1732 rv = CKR_HOST_MEMORY; 1733 goto cleanup_unwrap; 1734 } 1735 OBJ_SEC(new_objp) = sck; 1736 } 1737 1738 switch (new_objp->key_type) { 1739 /* Fixed length secret keys don't have CKA_VALUE_LEN */ 1740 case CKK_DES: 1741 OBJ_SEC_VALUE_LEN(new_objp) = DES_KEYSIZE; 1742 break; 1743 case CKK_DES2: 1744 OBJ_SEC_VALUE_LEN(new_objp) = DES2_KEYSIZE; 1745 break; 1746 case CKK_DES3: 1747 OBJ_SEC_VALUE_LEN(new_objp) = DES3_KEYSIZE; 1748 break; 1749 1750 /* 1751 * Variable length secret keys. CKA_VALUE_LEN must be 1752 * provided by the template when mech is *_ECB or *_CBC, and 1753 * should already have been set during soft_gen_keyobject(). 1754 * Otherwise we don't need CKA_VALUE_LEN. 1755 */ 1756 case CKK_GENERIC_SECRET: 1757 case CKK_RC4: 1758 case CKK_AES: 1759 case CKK_BLOWFISH: 1760 break; 1761 default: 1762 rv = CKR_WRAPPED_KEY_INVALID; 1763 goto cleanup_unwrap; 1764 }; 1765 1766 if (OBJ_SEC_VALUE_LEN(new_objp) == 0) { 1767 /* No CKA_VALUE_LEN set so set it now and save data */ 1768 OBJ_SEC_VALUE_LEN(new_objp) = plain_len; 1769 OBJ_SEC_VALUE(new_objp) = plain_data; 1770 } else if (OBJ_SEC_VALUE_LEN(new_objp) == plain_len) { 1771 /* No need to truncate, just save the data */ 1772 OBJ_SEC_VALUE(new_objp) = plain_data; 1773 } else if (OBJ_SEC_VALUE_LEN(new_objp) > plain_len) { 1774 /* Length can't be bigger than what was decrypted */ 1775 rv = CKR_WRAPPED_KEY_LEN_RANGE; 1776 goto cleanup_unwrap; 1777 } else { /* betw 0 and plain_len, hence padded */ 1778 /* Truncate the data before saving. */ 1779 OBJ_SEC_VALUE(new_objp) = realloc(plain_data, 1780 OBJ_SEC_VALUE_LEN(new_objp)); 1781 if (OBJ_SEC_VALUE(new_objp) == NULL) { 1782 rv = CKR_HOST_MEMORY; 1783 goto cleanup_unwrap; 1784 } 1785 } 1786 } else { 1787 /* BER-decode the object to be unwrapped. */ 1788 rv = soft_asn1_to_object(new_objp, plain_data, plain_len); 1789 if (rv != CKR_OK) 1790 goto cleanup_unwrap; 1791 } 1792 1793 /* If it needs to be persistent, write it to the keystore */ 1794 if (IS_TOKEN_OBJECT(new_objp)) { 1795 persistent = B_TRUE; 1796 rv = soft_put_object_to_keystore(new_objp); 1797 if (rv != CKR_OK) 1798 goto cleanup_unwrap; 1799 } 1800 1801 if (new_objp->class != CKO_SECRET_KEY) { 1802 /* Clear buffer before returning to memory pool. */ 1803 (void) memset(plain_data, 0x0, plain_len); 1804 free(plain_data); 1805 } 1806 1807 *phKey = (CK_OBJECT_HANDLE)new_objp; 1808 1809 return (CKR_OK); 1810 1811 cleanup_unwrap: 1812 /* The decrypted private key buffer must be freed explicitly. */ 1813 if ((new_objp->class != CKO_SECRET_KEY) && (plain_data != NULL)) { 1814 /* Clear buffer before returning to memory pool. */ 1815 (void) memset(plain_data, 0x0, plain_len); 1816 free(plain_data); 1817 } 1818 1819 /* sck and new_objp are indirectly free()d inside these functions */ 1820 if (IS_TOKEN_OBJECT(new_objp)) 1821 soft_delete_token_object(new_objp, persistent, B_FALSE); 1822 else 1823 soft_delete_object(session_p, new_objp, B_FALSE); 1824 1825 return (rv); 1826 } 1827