xref: /illumos-gate/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeysUtil.c (revision 8c69cc8fbe729fa7b091e901c4b50508ccc6bb33)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <pthread.h>
27 #include <stdlib.h>
28 #include <string.h>
29 #include <strings.h>
30 #include <sys/types.h>
31 #include <security/cryptoki.h>
32 #include <sys/crypto/common.h>
33 #include <aes_impl.h>
34 #include <blowfish_impl.h>
35 #include <des_impl.h>
36 #include <arcfour.h>
37 #include <cryptoutil.h>
38 #include "softGlobal.h"
39 #include "softSession.h"
40 #include "softObject.h"
41 #include "softDSA.h"
42 #include "softRSA.h"
43 #include "softDH.h"
44 #include "softEC.h"
45 #include "softMAC.h"
46 #include "softOps.h"
47 #include "softKeys.h"
48 #include "softKeystore.h"
49 #include "softSSL.h"
50 #include "softASN1.h"
51 
52 
53 #define	local_min(a, b)	((a) < (b) ? (a) : (b))
54 
55 static CK_RV
56 soft_pkcs12_pbe(soft_session_t *, CK_MECHANISM_PTR, soft_object_t *);
57 
58 /*
59  * Create a temporary key object struct by filling up its template attributes.
60  */
61 CK_RV
62 soft_gen_keyobject(CK_ATTRIBUTE_PTR pTemplate,  CK_ULONG ulCount,
63     CK_ULONG *objecthandle_p, soft_session_t *sp,
64     CK_OBJECT_CLASS class, CK_KEY_TYPE key_type, CK_ULONG keylen, CK_ULONG mode,
65     boolean_t internal)
66 {
67 
68 	CK_RV rv;
69 	soft_object_t *new_objp = NULL;
70 
71 	new_objp = calloc(1, sizeof (soft_object_t));
72 	if (new_objp == NULL) {
73 		return (CKR_HOST_MEMORY);
74 	}
75 
76 	new_objp->extra_attrlistp = NULL;
77 
78 	/*
79 	 * Validate attribute template and fill in the attributes
80 	 * in the soft_object_t.
81 	 */
82 	rv = soft_build_key(pTemplate, ulCount, new_objp, class, key_type,
83 	    keylen, mode);
84 	if (rv != CKR_OK) {
85 		goto fail_cleanup1;
86 	}
87 
88 	/*
89 	 * If generating a key is an internal request (i.e. not a C_XXX
90 	 * API request), then skip the following checks.
91 	 */
92 	if (!internal) {
93 		rv = soft_pin_expired_check(new_objp);
94 		if (rv != CKR_OK) {
95 			goto fail_cleanup2;
96 		}
97 
98 		rv = soft_object_write_access_check(sp, new_objp);
99 		if (rv != CKR_OK) {
100 			goto fail_cleanup2;
101 		}
102 	}
103 
104 	/* Initialize the rest of stuffs in soft_object_t. */
105 	(void) pthread_mutex_init(&new_objp->object_mutex, NULL);
106 	new_objp->magic_marker = SOFTTOKEN_OBJECT_MAGIC;
107 
108 	/* Write the new token object to the keystore */
109 	if (IS_TOKEN_OBJECT(new_objp)) {
110 		new_objp->version = 1;
111 		new_objp->session_handle = (CK_SESSION_HANDLE)NULL;
112 		soft_add_token_object_to_slot(new_objp);
113 		/*
114 		 * Type casting the address of an object struct to
115 		 * an object handle.
116 		 */
117 		*objecthandle_p = (CK_ULONG)new_objp;
118 
119 		return (CKR_OK);
120 	}
121 
122 	new_objp->session_handle = (CK_SESSION_HANDLE)sp;
123 
124 	/* Add the new object to the session's object list. */
125 	soft_add_object_to_session(new_objp, sp);
126 
127 	/* Type casting the address of an object struct to an object handle. */
128 	*objecthandle_p =  (CK_ULONG)new_objp;
129 
130 	return (CKR_OK);
131 
132 fail_cleanup2:
133 	/*
134 	 * When any error occurs after soft_build_key(), we will need to
135 	 * clean up the memory allocated by the soft_build_key().
136 	 */
137 	soft_cleanup_object(new_objp);
138 
139 fail_cleanup1:
140 	if (new_objp) {
141 		/*
142 		 * The storage allocated inside of this object should have
143 		 * been cleaned up by the soft_build_key() if it failed.
144 		 * Therefore, we can safely free the object.
145 		 */
146 		free(new_objp);
147 	}
148 
149 	return (rv);
150 }
151 
152 CK_RV
153 soft_genkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
154     CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey)
155 {
156 
157 	CK_RV rv = CKR_OK;
158 	soft_object_t *secret_key;
159 	CK_KEY_TYPE key_type;
160 	CK_ULONG keylen = 0;
161 	CK_ULONG i;
162 	int des_strength = 0;
163 	int retry = 0;
164 	int keyfound = 0;
165 	boolean_t is_ssl_mech = B_FALSE;
166 
167 	switch (pMechanism->mechanism) {
168 	case CKM_DES_KEY_GEN:
169 		key_type = CKK_DES;
170 		break;
171 
172 	case CKM_DES2_KEY_GEN:
173 		key_type = CKK_DES2;
174 		break;
175 
176 	case CKM_DES3_KEY_GEN:
177 		key_type = CKK_DES3;
178 		break;
179 
180 	case CKM_AES_KEY_GEN:
181 		key_type = CKK_AES;
182 		break;
183 
184 	case CKM_BLOWFISH_KEY_GEN:
185 		key_type = CKK_BLOWFISH;
186 		break;
187 
188 	case CKM_RC4_KEY_GEN:
189 		key_type = CKK_RC4;
190 		break;
191 
192 	case CKM_SSL3_PRE_MASTER_KEY_GEN:
193 	case CKM_TLS_PRE_MASTER_KEY_GEN:
194 		if (pMechanism->pParameter == NULL ||
195 		    pMechanism->ulParameterLen != sizeof (CK_VERSION))
196 			return (CKR_TEMPLATE_INCOMPLETE);
197 		is_ssl_mech = B_TRUE;
198 		key_type = CKK_GENERIC_SECRET;
199 		keylen = 48;
200 		break;
201 
202 	case CKM_PKCS5_PBKD2:
203 		keyfound = 0;
204 		for (i = 0; i < ulCount && !keyfound; i++) {
205 			if (pTemplate[i].type == CKA_KEY_TYPE &&
206 			    pTemplate[i].pValue != NULL) {
207 				key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue);
208 				keyfound = 1;
209 			}
210 		}
211 		if (!keyfound)
212 			return (CKR_TEMPLATE_INCOMPLETE);
213 		/*
214 		 * Make sure that parameters were given for this
215 		 * mechanism.
216 		 */
217 		if (pMechanism->pParameter == NULL ||
218 		    pMechanism->ulParameterLen !=
219 		    sizeof (CK_PKCS5_PBKD2_PARAMS))
220 			return (CKR_TEMPLATE_INCOMPLETE);
221 		break;
222 
223 	case CKM_PBE_SHA1_RC4_128:
224 		keyfound = 0;
225 		for (i = 0; i < ulCount; i++) {
226 			if (pTemplate[i].type == CKA_KEY_TYPE &&
227 			    pTemplate[i].pValue != NULL) {
228 				key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue);
229 				keyfound = 1;
230 			}
231 			if (pTemplate[i].type == CKA_VALUE_LEN &&
232 			    pTemplate[i].pValue != NULL) {
233 				keylen = *((CK_ULONG*)pTemplate[i].pValue);
234 			}
235 		}
236 		/* If a keytype was specified, it had better be CKK_RC4 */
237 		if (keyfound && key_type != CKK_RC4)
238 			return (CKR_TEMPLATE_INCONSISTENT);
239 		else if (!keyfound)
240 			key_type = CKK_RC4;
241 
242 		/* If key length was specified, it better be 16 bytes */
243 		if (keylen != 0 && keylen != 16)
244 			return (CKR_TEMPLATE_INCONSISTENT);
245 
246 		/*
247 		 * Make sure that parameters were given for this
248 		 * mechanism.
249 		 */
250 		if (pMechanism->pParameter == NULL ||
251 		    pMechanism->ulParameterLen !=
252 		    sizeof (CK_PBE_PARAMS))
253 			return (CKR_TEMPLATE_INCOMPLETE);
254 		break;
255 	default:
256 		return (CKR_MECHANISM_INVALID);
257 	}
258 
259 	/* Create a new object for secret key. */
260 	rv = soft_gen_keyobject(pTemplate, ulCount, phKey, session_p,
261 	    CKO_SECRET_KEY, key_type, keylen, SOFT_GEN_KEY, B_FALSE);
262 
263 	if (rv != CKR_OK) {
264 		return (rv);
265 	}
266 
267 	/* Obtain the secret object pointer. */
268 	secret_key = (soft_object_t *)*phKey;
269 
270 	switch (pMechanism->mechanism) {
271 	case CKM_DES_KEY_GEN:
272 		/*
273 		 * Set up key value len since it is not a required
274 		 * attribute for C_GenerateKey.
275 		 */
276 		keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
277 		des_strength = DES;
278 		break;
279 
280 	case CKM_DES2_KEY_GEN:
281 		/*
282 		 * Set up key value len since it is not a required
283 		 * attribute for C_GenerateKey.
284 		 */
285 		keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES2_KEYSIZE;
286 		des_strength = DES2;
287 		break;
288 
289 	case CKM_DES3_KEY_GEN:
290 		/*
291 		 * Set up key value len since it is not a required
292 		 * attribute for C_GenerateKey.
293 		 */
294 		keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE;
295 		des_strength = DES3;
296 		break;
297 
298 	case CKM_SSL3_PRE_MASTER_KEY_GEN:
299 	case CKM_TLS_PRE_MASTER_KEY_GEN:
300 		secret_key->bool_attr_mask |= DERIVE_BOOL_ON;
301 	/* FALLTHRU */
302 
303 	case CKM_AES_KEY_GEN:
304 	case CKM_BLOWFISH_KEY_GEN:
305 	case CKM_PBE_SHA1_RC4_128:
306 	case CKM_RC4_KEY_GEN:
307 		keylen = OBJ_SEC_VALUE_LEN(secret_key);
308 		break;
309 
310 	case CKM_PKCS5_PBKD2:
311 		/*
312 		 * PKCS#11 does not allow one to specify key
313 		 * sizes for DES and 3DES, so we must set it here
314 		 * when using PBKD2 algorithms.
315 		 */
316 		if (key_type == CKK_DES) {
317 			OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
318 			des_strength = DES;
319 		} else if (key_type == CKK_DES3) {
320 			OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE;
321 			des_strength = DES3;
322 		}
323 
324 		keylen = OBJ_SEC_VALUE_LEN(secret_key);
325 		break;
326 	}
327 
328 	if ((OBJ_SEC_VALUE(secret_key) = malloc(keylen)) == NULL) {
329 		if (IS_TOKEN_OBJECT(secret_key))
330 			soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
331 		else
332 			soft_delete_object(session_p, secret_key,
333 			    B_FALSE, B_FALSE);
334 
335 		return (CKR_HOST_MEMORY);
336 	}
337 	switch (pMechanism->mechanism) {
338 	case CKM_PBE_SHA1_RC4_128:
339 		/*
340 		 * Use the PBE algorithm described in PKCS#11 section
341 		 * 12.33 to derive the key.
342 		 */
343 		rv = soft_pkcs12_pbe(session_p, pMechanism, secret_key);
344 		break;
345 	case CKM_PKCS5_PBKD2:
346 		/* Generate keys using PKCS#5 PBKD2 algorithm */
347 		rv = soft_generate_pkcs5_pbkdf2_key(session_p, pMechanism,
348 		    secret_key);
349 		if (rv == CKR_OK && des_strength > 0) {
350 			/* Perform weak key checking for DES and DES3. */
351 			if (des_keycheck(OBJ_SEC_VALUE(secret_key),
352 			    des_strength, OBJ_SEC_VALUE(secret_key)) ==
353 			    B_FALSE) {
354 				/* We got a weak secret key. */
355 				rv = CKR_FUNCTION_FAILED;
356 			}
357 		}
358 		break;
359 	default:
360 		do {
361 			/* If this fails, bail out */
362 			rv = CKR_OK;
363 			if (pkcs11_get_urandom(
364 			    OBJ_SEC_VALUE(secret_key), keylen) < 0) {
365 				rv = CKR_DEVICE_ERROR;
366 				break;
367 			}
368 
369 			/* Perform weak key checking for DES and DES3. */
370 			if (des_strength > 0) {
371 				rv = CKR_OK;
372 				if (des_keycheck(OBJ_SEC_VALUE(secret_key),
373 				    des_strength, OBJ_SEC_VALUE(secret_key)) ==
374 				    B_FALSE) {
375 					/* We got a weak key, retry! */
376 					retry++;
377 					rv = CKR_FUNCTION_FAILED;
378 				}
379 			}
380 			/*
381 			 * Copy over the SSL client version For SSL mechs
382 			 * The first two bytes of the key is the version
383 			 */
384 			if (is_ssl_mech)
385 				bcopy(pMechanism->pParameter,
386 				    OBJ_SEC_VALUE(secret_key),
387 				    sizeof (CK_VERSION));
388 
389 		} while (rv != CKR_OK && retry < KEYGEN_RETRY);
390 		if (retry == KEYGEN_RETRY)
391 			rv = CKR_FUNCTION_FAILED;
392 		break;
393 	}
394 
395 	if (rv != CKR_OK)
396 		if (IS_TOKEN_OBJECT(secret_key))
397 			soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
398 		else
399 			soft_delete_object(session_p, secret_key,
400 			    B_FALSE, B_FALSE);
401 
402 	if (IS_TOKEN_OBJECT(secret_key)) {
403 		/*
404 		 * All the info has been filled, so we can write to
405 		 * keystore now.
406 		 */
407 		rv = soft_put_object_to_keystore(secret_key);
408 		if (rv != CKR_OK)
409 			soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
410 	}
411 
412 	return (rv);
413 }
414 
415 CK_RV
416 soft_genkey_pair(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
417     CK_ATTRIBUTE_PTR pPublicKeyTemplate, CK_ULONG ulPublicAttrCount,
418     CK_ATTRIBUTE_PTR pPrivateKeyTemplate, CK_ULONG ulPrivateAttrCount,
419     CK_OBJECT_HANDLE_PTR phPublicKey, CK_OBJECT_HANDLE_PTR phPrivateKey)
420 {
421 
422 	CK_RV rv;
423 	soft_object_t *public_key, *private_key;
424 	CK_KEY_TYPE key_type;
425 
426 	switch (pMechanism->mechanism) {
427 
428 	case CKM_RSA_PKCS_KEY_PAIR_GEN:
429 		key_type = CKK_RSA;
430 		break;
431 
432 	case CKM_DSA_KEY_PAIR_GEN:
433 		key_type = CKK_DSA;
434 		break;
435 
436 	case CKM_DH_PKCS_KEY_PAIR_GEN:
437 		key_type = CKK_DH;
438 		break;
439 
440 	case CKM_EC_KEY_PAIR_GEN:
441 		key_type = CKK_EC;
442 		break;
443 
444 	default:
445 		return (CKR_MECHANISM_INVALID);
446 	}
447 
448 	/* Create a new object for public key. */
449 	rv = soft_gen_keyobject(pPublicKeyTemplate, ulPublicAttrCount,
450 	    phPublicKey, session_p, CKO_PUBLIC_KEY, key_type, 0,
451 	    SOFT_GEN_KEY, B_FALSE);
452 
453 	if (rv != CKR_OK) {
454 		return (rv);
455 	}
456 
457 	/* Obtain the public object pointer. */
458 	public_key = (soft_object_t *)*phPublicKey;
459 
460 	/* Create a new object for private key. */
461 	rv = soft_gen_keyobject(pPrivateKeyTemplate, ulPrivateAttrCount,
462 	    phPrivateKey, session_p, CKO_PRIVATE_KEY, key_type, 0,
463 	    SOFT_GEN_KEY, B_FALSE);
464 
465 	if (rv != CKR_OK) {
466 		/*
467 		 * Both public key and private key must be successful.
468 		 */
469 		if (IS_TOKEN_OBJECT(public_key))
470 			soft_delete_token_object(public_key, B_FALSE, B_FALSE);
471 		else
472 			soft_delete_object(session_p, public_key,
473 			    B_FALSE, B_FALSE);
474 		return (rv);
475 	}
476 
477 	/* Obtain the private object pointer. */
478 	private_key = (soft_object_t *)*phPrivateKey;
479 
480 	/*
481 	 * At this point, both public key and private key objects
482 	 * are settled with the application specified attributes.
483 	 * We are ready to generate the rest of key attributes based
484 	 * on the existing attributes.
485 	 */
486 
487 	switch (key_type) {
488 	case CKK_RSA:
489 		rv = soft_rsa_genkey_pair(public_key, private_key);
490 		break;
491 
492 	case CKK_DSA:
493 		rv = soft_dsa_genkey_pair(public_key, private_key);
494 		break;
495 
496 	case CKK_DH:
497 		rv = soft_dh_genkey_pair(public_key, private_key);
498 		private_key->bool_attr_mask |= DERIVE_BOOL_ON;
499 		break;
500 	case CKK_EC:
501 		rv = soft_ec_genkey_pair(public_key, private_key);
502 		private_key->bool_attr_mask |= DERIVE_BOOL_ON;
503 		break;
504 	}
505 
506 	if (rv != CKR_OK) {
507 		if (IS_TOKEN_OBJECT(public_key)) {
508 			soft_delete_token_object(public_key, B_FALSE, B_FALSE);
509 			soft_delete_token_object(private_key, B_FALSE, B_FALSE);
510 		} else {
511 			soft_delete_object(session_p, public_key,
512 			    B_FALSE, B_FALSE);
513 			soft_delete_object(session_p, private_key,
514 			    B_FALSE, B_FALSE);
515 		}
516 		return (rv);
517 	}
518 
519 	if (IS_TOKEN_OBJECT(public_key)) {
520 		/*
521 		 * All the info has been filled, so we can write to
522 		 * keystore now.
523 		 */
524 		rv = soft_put_object_to_keystore(public_key);
525 		if (rv != CKR_OK) {
526 			soft_delete_token_object(public_key, B_FALSE, B_FALSE);
527 			soft_delete_token_object(private_key, B_FALSE, B_FALSE);
528 			return (rv);
529 		}
530 	}
531 
532 	if (IS_TOKEN_OBJECT(private_key)) {
533 		rv = soft_put_object_to_keystore(private_key);
534 		if (rv != CKR_OK) {
535 			/*
536 			 * We also need to delete the public token object
537 			 * from keystore.
538 			 */
539 			soft_delete_token_object(public_key, B_TRUE, B_FALSE);
540 			soft_delete_token_object(private_key, B_FALSE, B_FALSE);
541 		}
542 	}
543 
544 	return (rv);
545 }
546 
547 
548 CK_RV
549 soft_key_derive_check_length(soft_object_t *secret_key, CK_ULONG max_keylen)
550 {
551 
552 	switch (secret_key->key_type) {
553 	case CKK_GENERIC_SECRET:
554 		if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
555 			OBJ_SEC_VALUE_LEN(secret_key) = max_keylen;
556 			return (CKR_OK);
557 		} else if (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen) {
558 			return (CKR_ATTRIBUTE_VALUE_INVALID);
559 		}
560 		break;
561 	case CKK_RC4:
562 	case CKK_AES:
563 	case CKK_BLOWFISH:
564 		if ((OBJ_SEC_VALUE_LEN(secret_key) == 0) ||
565 		    (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen)) {
566 			/* RC4 and AES has variable key length */
567 			return (CKR_ATTRIBUTE_VALUE_INVALID);
568 		}
569 		break;
570 	case CKK_DES:
571 		if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
572 			/* DES has a well-defined length */
573 			OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
574 			return (CKR_OK);
575 		} else if (OBJ_SEC_VALUE_LEN(secret_key) != DES_KEYSIZE) {
576 			return (CKR_ATTRIBUTE_VALUE_INVALID);
577 		}
578 		break;
579 	case CKK_DES2:
580 		if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
581 			/* DES2 has a well-defined length */
582 			OBJ_SEC_VALUE_LEN(secret_key) = DES2_KEYSIZE;
583 			return (CKR_OK);
584 		} else if (OBJ_SEC_VALUE_LEN(secret_key) != DES2_KEYSIZE) {
585 			return (CKR_ATTRIBUTE_VALUE_INVALID);
586 		}
587 		break;
588 
589 	default:
590 		return (CKR_MECHANISM_INVALID);
591 	}
592 
593 	return (CKR_OK);
594 }
595 
596 /*
597  * PKCS#11 (12.33) says that v = 512 bits (64 bytes) for SHA1
598  * PBE methods.
599  */
600 #define	PKCS12_BUFFER_SIZE 64
601 /*
602  * PKCS#12 defines 3 different ID bytes to be used for
603  * deriving keys for different operations.
604  */
605 #define	PBE_ID_ENCRYPT	1
606 #define	PBE_ID_IV	2
607 #define	PBE_ID_MAC	3
608 #define	PBE_CEIL(a, b)	(((a)/(b)) + (((a)%(b)) > 0))
609 
610 static CK_RV
611 soft_pkcs12_pbe(soft_session_t *session_p,
612 		CK_MECHANISM_PTR pMechanism,
613 		soft_object_t *derived_key)
614 {
615 	CK_RV rv = CKR_OK;
616 	CK_PBE_PARAMS *params = pMechanism->pParameter;
617 	CK_ULONG c, i, j, k;
618 	CK_ULONG hashSize;
619 	CK_ULONG buffSize;
620 	/*
621 	 * Terse variable names are used to make following
622 	 * the PKCS#12 spec easier.
623 	 */
624 	CK_BYTE *A = NULL;
625 	CK_BYTE *Ai = NULL;
626 	CK_BYTE *B = NULL;
627 	CK_BYTE *D = NULL;
628 	CK_BYTE *I = NULL, *S, *P;
629 	CK_BYTE *keybuf = NULL;
630 	CK_ULONG Alen, Ilen, Slen, Plen, AiLen, Blen, Dlen;
631 	CK_ULONG keysize = OBJ_SEC_VALUE_LEN(derived_key);
632 	CK_MECHANISM digest_mech;
633 
634 	/* U = hash function output bits */
635 	if (pMechanism->mechanism == CKM_PBE_SHA1_RC4_128) {
636 		hashSize = SHA1_HASH_SIZE;
637 		buffSize = PKCS12_BUFFER_SIZE;
638 		digest_mech.mechanism = CKM_SHA_1;
639 		digest_mech.pParameter = NULL;
640 		digest_mech.ulParameterLen = 0;
641 	} else {
642 		/* we only support 1 PBE mech for now */
643 		return (CKR_MECHANISM_INVALID);
644 	}
645 	keybuf = OBJ_SEC_VALUE(derived_key);
646 
647 	Blen = Dlen = buffSize;
648 	D = (CK_BYTE *)malloc(Dlen);
649 	if (D == NULL) {
650 		rv = CKR_HOST_MEMORY;
651 		goto cleanup;
652 	}
653 
654 	B = (CK_BYTE *)malloc(Blen);
655 	if (B == NULL) {
656 		rv = CKR_HOST_MEMORY;
657 		goto cleanup;
658 	}
659 
660 	/*
661 	 * Initialize some values and create some buffers
662 	 * that we need later.
663 	 *
664 	 * Slen = buffSize * CEIL(SaltLength/buffSize)
665 	 */
666 	Slen = buffSize * PBE_CEIL(params->ulSaltLen, buffSize);
667 
668 	/*
669 	 * Plen = buffSize * CEIL(PasswordLength/buffSize)
670 	 */
671 	Plen = buffSize * PBE_CEIL(params->ulPasswordLen, buffSize);
672 
673 	/*
674 	 * From step 4: I = S + P, so: Ilen = Slen + Plen
675 	 */
676 	Ilen = Slen + Plen;
677 	I = (CK_BYTE *)malloc(Ilen);
678 	if (I == NULL) {
679 		rv = CKR_HOST_MEMORY;
680 		goto cleanup;
681 	}
682 
683 	S = I;
684 	P = I + Slen;
685 
686 	/*
687 	 * Step 1.
688 	 * We are only interested in deriving keys for encrypt/decrypt
689 	 * for now, so construct the "D"iversifier accordingly.
690 	 */
691 	(void) memset(D, PBE_ID_ENCRYPT, Dlen);
692 
693 	/*
694 	 * Step 2.
695 	 * Concatenate copies of the salt together to make S.
696 	 */
697 	for (i = 0; i < Slen; i += params->ulSaltLen) {
698 		(void) memcpy(S+i, params->pSalt,
699 		    ((Slen - i) > params->ulSaltLen ?
700 		    params->ulSaltLen : (Slen - i)));
701 	}
702 
703 	/*
704 	 * Step 3.
705 	 * Concatenate copies of the password together to make
706 	 * a string P.
707 	 */
708 	for (i = 0; i < Plen; i += params->ulPasswordLen) {
709 		(void) memcpy(P+i, params->pPassword,
710 		    ((Plen - i) > params->ulPasswordLen ?
711 		    params->ulPasswordLen : (Plen - i)));
712 	}
713 
714 	/*
715 	 * Step 4.
716 	 * I = S+P - this is now done because S and P are
717 	 * pointers into I.
718 	 *
719 	 * Step 5.
720 	 * c= CEIL[n/u]
721 	 * where n = pseudorandom bits of output desired.
722 	 */
723 	c = PBE_CEIL(keysize, hashSize);
724 
725 	/*
726 	 * Step 6.
727 	 */
728 	Alen = c * hashSize;
729 	A = (CK_BYTE *)malloc(Alen);
730 	if (A == NULL) {
731 		rv = CKR_HOST_MEMORY;
732 		goto cleanup;
733 	}
734 	AiLen = hashSize;
735 	Ai = (CK_BYTE *)malloc(AiLen);
736 	if (Ai == NULL) {
737 		rv = CKR_HOST_MEMORY;
738 		goto cleanup;
739 	}
740 
741 	/*
742 	 * Step 6a.
743 	 * Ai = Hr(D+I)
744 	 */
745 	for (i = 0; i < c; i++) {
746 		(void) pthread_mutex_lock(&session_p->session_mutex);
747 
748 		if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) {
749 			(void) pthread_mutex_unlock(&session_p->session_mutex);
750 			rv = CKR_OPERATION_ACTIVE;
751 			goto cleanup;
752 		}
753 		session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE;
754 		(void) pthread_mutex_unlock(&session_p->session_mutex);
755 
756 		for (j = 0; j < params->ulIteration; j++) {
757 			rv = soft_digest_init(session_p, &digest_mech);
758 			if (rv != CKR_OK)
759 				goto digest_done;
760 
761 			if (j == 0) {
762 				rv = soft_digest_update(session_p, D, Dlen);
763 				if (rv != CKR_OK)
764 					goto digest_done;
765 
766 				rv = soft_digest_update(session_p, I, Ilen);
767 			} else {
768 				rv = soft_digest_update(session_p, Ai, AiLen);
769 			}
770 			if (rv != CKR_OK)
771 				goto digest_done;
772 
773 			rv = soft_digest_final(session_p, Ai, &AiLen);
774 			if (rv != CKR_OK)
775 				goto digest_done;
776 		}
777 digest_done:
778 		(void) pthread_mutex_lock(&session_p->session_mutex);
779 		session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE;
780 		(void) pthread_mutex_unlock(&session_p->session_mutex);
781 
782 		if (rv != CKR_OK)
783 			goto cleanup;
784 		/*
785 		 * Step 6b.
786 		 * Concatenate Ai to make B
787 		 */
788 		for (j = 0; j < Blen; j += hashSize) {
789 			(void) memcpy(B+j, Ai, ((Blen - j > hashSize) ?
790 			    hashSize : Blen - j));
791 		}
792 
793 		/*
794 		 * Step 6c.
795 		 */
796 		k = Ilen / Blen;
797 		for (j = 0; j < k; j++) {
798 			uchar_t idx;
799 			CK_ULONG m, q = 1, cbit = 0;
800 
801 			for (m = Blen - 1; m >= (CK_ULONG)0; m--, q = 0) {
802 				idx = m + j*Blen;
803 
804 				q += (CK_ULONG)I[idx] + (CK_ULONG)B[m];
805 				q += cbit;
806 				I[idx] = (CK_BYTE)(q & 0xff);
807 				cbit = (q > 0xff);
808 			}
809 		}
810 
811 		/*
812 		 * Step 7.
813 		 *  A += Ai
814 		 */
815 		(void) memcpy(A + i*hashSize, Ai, AiLen);
816 	}
817 
818 	/*
819 	 * Step 8.
820 	 * The final output of this process is the A buffer
821 	 */
822 	(void) memcpy(keybuf, A, keysize);
823 
824 cleanup:
825 	if (A) {
826 		bzero(A, Alen);
827 		free(A);
828 	}
829 	if (Ai) {
830 		bzero(Ai, AiLen);
831 		free(Ai);
832 	}
833 	if (B) {
834 		bzero(B, Blen);
835 		free(B);
836 	}
837 	if (D) {
838 		bzero(D, Dlen);
839 		free(D);
840 	}
841 	if (I) {
842 		bzero(I, Ilen);
843 		free(I);
844 	}
845 	return (rv);
846 }
847 
848 CK_RV
849 soft_derivekey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
850     soft_object_t *basekey_p, CK_ATTRIBUTE_PTR pTemplate,
851     CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey)
852 {
853 
854 	CK_RV rv = CKR_OK;
855 	soft_object_t *secret_key;
856 	CK_MECHANISM digest_mech;
857 	CK_BYTE hash[SHA512_DIGEST_LENGTH]; /* space enough for all mechs */
858 	CK_ULONG hash_len = SHA512_DIGEST_LENGTH;
859 	CK_ULONG secret_key_len;
860 	CK_ULONG hash_size;
861 
862 	switch (pMechanism->mechanism) {
863 	case CKM_DH_PKCS_DERIVE:
864 		/*
865 		 * Create a new object for secret key. The key type should
866 		 * be provided in the template.
867 		 */
868 		rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
869 		    phKey, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL, 0,
870 		    SOFT_DERIVE_KEY_DH, B_FALSE);
871 
872 		if (rv != CKR_OK) {
873 			return (rv);
874 		}
875 
876 		/* Obtain the secret object pointer. */
877 		secret_key = (soft_object_t *)*phKey;
878 
879 		rv = soft_dh_key_derive(basekey_p, secret_key,
880 		    (CK_BYTE *)pMechanism->pParameter,
881 		    pMechanism->ulParameterLen);
882 
883 		if (rv != CKR_OK) {
884 			if (IS_TOKEN_OBJECT(secret_key))
885 				soft_delete_token_object(secret_key, B_FALSE,
886 				    B_FALSE);
887 			else
888 				soft_delete_object(session_p, secret_key,
889 				    B_FALSE, B_FALSE);
890 			return (rv);
891 		}
892 
893 		break;
894 
895 	case CKM_ECDH1_DERIVE:
896 		/*
897 		 * Create a new object for secret key. The key type should
898 		 * be provided in the template.
899 		 */
900 		rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
901 		    phKey, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL, 0,
902 		    SOFT_DERIVE_KEY_DH, B_FALSE);
903 
904 		if (rv != CKR_OK) {
905 			return (rv);
906 		}
907 
908 		/* Obtain the secret object pointer. */
909 		secret_key = (soft_object_t *)*phKey;
910 
911 		rv = soft_ec_key_derive(basekey_p, secret_key,
912 		    (CK_BYTE *)pMechanism->pParameter,
913 		    pMechanism->ulParameterLen);
914 
915 		if (rv != CKR_OK) {
916 			if (IS_TOKEN_OBJECT(secret_key))
917 				soft_delete_token_object(secret_key, B_FALSE,
918 				    B_FALSE);
919 			else
920 				soft_delete_object(session_p, secret_key,
921 				    B_FALSE, B_FALSE);
922 			return (rv);
923 		}
924 
925 		break;
926 
927 	case CKM_SHA1_KEY_DERIVATION:
928 		hash_size = SHA1_HASH_SIZE;
929 		digest_mech.mechanism = CKM_SHA_1;
930 		goto common;
931 
932 	case CKM_MD5_KEY_DERIVATION:
933 		hash_size = MD5_HASH_SIZE;
934 		digest_mech.mechanism = CKM_MD5;
935 		goto common;
936 
937 	case CKM_SHA256_KEY_DERIVATION:
938 		hash_size = SHA256_DIGEST_LENGTH;
939 		digest_mech.mechanism = CKM_SHA256;
940 		goto common;
941 
942 	case CKM_SHA384_KEY_DERIVATION:
943 		hash_size = SHA384_DIGEST_LENGTH;
944 		digest_mech.mechanism = CKM_SHA384;
945 		goto common;
946 
947 	case CKM_SHA512_KEY_DERIVATION:
948 		hash_size = SHA512_DIGEST_LENGTH;
949 		digest_mech.mechanism = CKM_SHA512;
950 		goto common;
951 
952 common:
953 		/*
954 		 * Create a new object for secret key. The key type is optional
955 		 * to be provided in the template. If it is not specified in
956 		 * the template, the default is CKK_GENERIC_SECRET.
957 		 */
958 		rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
959 		    phKey, session_p, CKO_SECRET_KEY,
960 		    (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0,
961 		    SOFT_DERIVE_KEY_OTHER, B_FALSE);
962 
963 		if (rv != CKR_OK) {
964 			return (rv);
965 		}
966 
967 		/* Obtain the secret object pointer. */
968 		secret_key = (soft_object_t *)*phKey;
969 
970 		/* Validate the key type and key length */
971 		rv = soft_key_derive_check_length(secret_key, hash_size);
972 		if (rv != CKR_OK) {
973 			if (IS_TOKEN_OBJECT(secret_key))
974 				soft_delete_token_object(secret_key, B_FALSE,
975 				    B_FALSE);
976 			else
977 				soft_delete_object(session_p, secret_key,
978 				    B_FALSE, B_FALSE);
979 			return (rv);
980 		}
981 
982 		/*
983 		 * Derive the secret key by digesting the value of another
984 		 * secret key (base key) with SHA-1 or MD5.
985 		 */
986 		rv = soft_digest_init_internal(session_p, &digest_mech);
987 		if (rv != CKR_OK) {
988 			if (IS_TOKEN_OBJECT(secret_key))
989 				soft_delete_token_object(secret_key, B_FALSE,
990 				    B_FALSE);
991 			else
992 				soft_delete_object(session_p, secret_key,
993 				    B_FALSE, B_FALSE);
994 			return (rv);
995 		}
996 
997 		rv = soft_digest(session_p, OBJ_SEC_VALUE(basekey_p),
998 		    OBJ_SEC_VALUE_LEN(basekey_p), hash, &hash_len);
999 
1000 		(void) pthread_mutex_lock(&session_p->session_mutex);
1001 		/* soft_digest_common() has freed the digest context */
1002 		session_p->digest.flags = 0;
1003 		(void) pthread_mutex_unlock(&session_p->session_mutex);
1004 
1005 		if (rv != CKR_OK) {
1006 			if (IS_TOKEN_OBJECT(secret_key))
1007 				soft_delete_token_object(secret_key, B_FALSE,
1008 				    B_FALSE);
1009 			else
1010 				soft_delete_object(session_p, secret_key,
1011 				    B_FALSE, B_FALSE);
1012 			return (rv);
1013 		}
1014 
1015 		secret_key_len = OBJ_SEC_VALUE_LEN(secret_key);
1016 
1017 		if ((OBJ_SEC_VALUE(secret_key) = malloc(secret_key_len)) ==
1018 		    NULL) {
1019 			if (IS_TOKEN_OBJECT(secret_key))
1020 				soft_delete_token_object(secret_key, B_FALSE,
1021 				    B_FALSE);
1022 			else
1023 				soft_delete_object(session_p, secret_key,
1024 				    B_FALSE, B_FALSE);
1025 			return (CKR_HOST_MEMORY);
1026 		}
1027 
1028 		/*
1029 		 * The key produced by this mechanism will be of the
1030 		 * specified type and length.
1031 		 * The truncation removes extra bytes from the leading
1032 		 * of the digested key value.
1033 		 */
1034 		(void) memcpy(OBJ_SEC_VALUE(secret_key),
1035 		    (hash + hash_len - secret_key_len),
1036 		    secret_key_len);
1037 
1038 		break;
1039 
1040 	/*
1041 	 * The key sensitivity and extractability rules for the generated
1042 	 * keys will be enforced inside soft_ssl_master_key_derive() and
1043 	 * soft_ssl_key_and_mac_derive()
1044 	 */
1045 	case CKM_SSL3_MASTER_KEY_DERIVE:
1046 	case CKM_SSL3_MASTER_KEY_DERIVE_DH:
1047 	case CKM_TLS_MASTER_KEY_DERIVE:
1048 	case CKM_TLS_MASTER_KEY_DERIVE_DH:
1049 		if (phKey == NULL_PTR)
1050 			return (CKR_ARGUMENTS_BAD);
1051 		return (soft_ssl_master_key_derive(session_p, pMechanism,
1052 		    basekey_p, pTemplate, ulAttributeCount, phKey));
1053 
1054 	case CKM_SSL3_KEY_AND_MAC_DERIVE:
1055 	case CKM_TLS_KEY_AND_MAC_DERIVE:
1056 		return (soft_ssl_key_and_mac_derive(session_p, pMechanism,
1057 		    basekey_p, pTemplate, ulAttributeCount));
1058 
1059 	case CKM_TLS_PRF:
1060 		if (pMechanism->pParameter == NULL ||
1061 		    pMechanism->ulParameterLen != sizeof (CK_TLS_PRF_PARAMS) ||
1062 		    phKey != NULL)
1063 			return (CKR_ARGUMENTS_BAD);
1064 
1065 		if (pTemplate != NULL)
1066 			return (CKR_TEMPLATE_INCONSISTENT);
1067 
1068 		return (derive_tls_prf(
1069 		    (CK_TLS_PRF_PARAMS_PTR)pMechanism->pParameter, basekey_p));
1070 
1071 	default:
1072 		return (CKR_MECHANISM_INVALID);
1073 	}
1074 
1075 	soft_derive_enforce_flags(basekey_p, secret_key);
1076 
1077 	if (IS_TOKEN_OBJECT(secret_key)) {
1078 		/*
1079 		 * All the info has been filled, so we can write to
1080 		 * keystore now.
1081 		 */
1082 		rv = soft_put_object_to_keystore(secret_key);
1083 		if (rv != CKR_OK)
1084 			soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
1085 	}
1086 
1087 	return (rv);
1088 }
1089 
1090 
1091 /*
1092  * Perform key derivation rules on key's sensitivity and extractability.
1093  */
1094 void
1095 soft_derive_enforce_flags(soft_object_t *basekey, soft_object_t *newkey)
1096 {
1097 
1098 	boolean_t new_sensitive = B_FALSE;
1099 	boolean_t new_extractable = B_FALSE;
1100 
1101 	/*
1102 	 * The sensitive and extractable bits have been set when
1103 	 * the newkey was built.
1104 	 */
1105 	if (newkey->bool_attr_mask & SENSITIVE_BOOL_ON) {
1106 		new_sensitive = B_TRUE;
1107 	}
1108 
1109 	if (newkey->bool_attr_mask & EXTRACTABLE_BOOL_ON) {
1110 		new_extractable = B_TRUE;
1111 	}
1112 
1113 	/* Derive the CKA_ALWAYS_SENSITIVE flag */
1114 	if (!basekey->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON) {
1115 		/*
1116 		 * If the base key has its CKA_ALWAYS_SENSITIVE set to
1117 		 * FALSE, then the derived key will as well.
1118 		 */
1119 		newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON;
1120 	} else {
1121 		/*
1122 		 * If the base key has its CKA_ALWAYS_SENSITIVE set to TRUE,
1123 		 * then the derived key has the CKA_ALWAYS_SENSITIVE set to
1124 		 * the same value as its CKA_SENSITIVE;
1125 		 */
1126 		if (new_sensitive) {
1127 			newkey->bool_attr_mask |= ALWAYS_SENSITIVE_BOOL_ON;
1128 		} else {
1129 			newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON;
1130 		}
1131 	}
1132 
1133 	/* Derive the CKA_NEVER_EXTRACTABLE flag */
1134 	if (!basekey->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) {
1135 		/*
1136 		 * If the base key has its CKA_NEVER_EXTRACTABLE set to
1137 		 * FALSE, then the derived key will as well.
1138 		 */
1139 		newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON;
1140 	} else {
1141 		/*
1142 		 * If the base key has its CKA_NEVER_EXTRACTABLE set to TRUE,
1143 		 * then the derived key has the CKA_NEVER_EXTRACTABLE set to
1144 		 * the opposite value from its CKA_EXTRACTABLE;
1145 		 */
1146 		if (new_extractable) {
1147 			newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON;
1148 		} else {
1149 			newkey->bool_attr_mask |= NEVER_EXTRACTABLE_BOOL_ON;
1150 		}
1151 	}
1152 
1153 	/* Set the CKA_LOCAL flag to false */
1154 	newkey->bool_attr_mask &= ~LOCAL_BOOL_ON;
1155 }
1156 
1157 
1158 /*
1159  * do_prf
1160  *
1161  * This routine implements Step 3. of the PBKDF2 function
1162  * defined in PKCS#5 for generating derived keys from a
1163  * password.
1164  *
1165  * Currently, PRF is always SHA_1_HMAC.
1166  */
1167 static CK_RV
1168 do_prf(soft_session_t *session_p,
1169 	CK_PKCS5_PBKD2_PARAMS_PTR params,
1170 	soft_object_t *hmac_key,
1171 	CK_BYTE *newsalt, CK_ULONG saltlen,
1172 	CK_BYTE *blockdata, CK_ULONG blocklen)
1173 {
1174 	CK_RV rv = CKR_OK;
1175 	CK_MECHANISM digest_mech = {CKM_SHA_1_HMAC, NULL, 0};
1176 	CK_BYTE buffer[2][SHA1_HASH_SIZE];
1177 	CK_ULONG hmac_outlen = SHA1_HASH_SIZE;
1178 	CK_ULONG inlen;
1179 	CK_BYTE *input, *output;
1180 	CK_ULONG i, j;
1181 
1182 	input = newsalt;
1183 	inlen = saltlen;
1184 
1185 	output = buffer[1];
1186 	(void) pthread_mutex_lock(&session_p->session_mutex);
1187 
1188 	if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) {
1189 		(void) pthread_mutex_unlock(&session_p->session_mutex);
1190 		return (CKR_OPERATION_ACTIVE);
1191 	}
1192 	session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE;
1193 	(void) pthread_mutex_unlock(&session_p->session_mutex);
1194 
1195 	for (i = 0; i < params->iterations; i++) {
1196 		/*
1197 		 * The key doesn't change, its always the
1198 		 * password iniitally given.
1199 		 */
1200 		rv = soft_sign_init(session_p, &digest_mech, hmac_key);
1201 
1202 		if (rv != CKR_OK) {
1203 			goto cleanup;
1204 		}
1205 
1206 		/* Call PRF function (SHA1_HMAC for now). */
1207 		rv = soft_sign(session_p, input, inlen, output, &hmac_outlen);
1208 
1209 		if (rv != CKR_OK) {
1210 			goto cleanup;
1211 		}
1212 		/*
1213 		 * The first time, initialize the output buffer
1214 		 * with the HMAC signature.
1215 		 */
1216 		if (i == 0) {
1217 			(void) memcpy(blockdata, output,
1218 			    local_min(blocklen, hmac_outlen));
1219 		} else {
1220 			/*
1221 			 * XOR the existing data with output from PRF.
1222 			 *
1223 			 * Only XOR up to the length of the blockdata,
1224 			 * it may be less than a full hmac buffer when
1225 			 * the final block is being computed.
1226 			 */
1227 			for (j = 0; j < hmac_outlen && j < blocklen; j++)
1228 				blockdata[j] ^= output[j];
1229 		}
1230 		/* Output from previous PRF is input for next round */
1231 		input = output;
1232 		inlen = hmac_outlen;
1233 
1234 		/*
1235 		 * Switch buffers to avoid overuse of memcpy.
1236 		 * Initially we used buffer[1], so after the end of
1237 		 * the first iteration (i==0), we switch to buffer[0]
1238 		 * and continue swapping with each iteration.
1239 		 */
1240 		output = buffer[i%2];
1241 	}
1242 cleanup:
1243 	(void) pthread_mutex_lock(&session_p->session_mutex);
1244 	session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE;
1245 	(void) pthread_mutex_unlock(&session_p->session_mutex);
1246 
1247 	return (rv);
1248 }
1249 
1250 static CK_RV
1251 soft_create_hmac_key(soft_session_t *session_p,  CK_BYTE *passwd,
1252 		CK_ULONG passwd_len, CK_OBJECT_HANDLE_PTR phKey)
1253 {
1254 	CK_RV rv = CKR_OK;
1255 	CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY;
1256 	CK_KEY_TYPE keytype = CKK_GENERIC_SECRET;
1257 	CK_BBOOL True = TRUE;
1258 	CK_ATTRIBUTE keytemplate[4];
1259 	/*
1260 	 * We must initialize each template member individually
1261 	 * because at the time of initial coding for ON10, the
1262 	 * compiler was using the "-xc99=%none" option
1263 	 * which prevents us from being able to declare the whole
1264 	 * template in place as usual.
1265 	 */
1266 	keytemplate[0].type = CKA_CLASS;
1267 	keytemplate[0].pValue = &keyclass;
1268 	keytemplate[0].ulValueLen =  sizeof (keyclass);
1269 
1270 	keytemplate[1].type = CKA_KEY_TYPE;
1271 	keytemplate[1].pValue = &keytype;
1272 	keytemplate[1].ulValueLen =  sizeof (keytype);
1273 
1274 	keytemplate[2].type = CKA_SIGN;
1275 	keytemplate[2].pValue = &True;
1276 	keytemplate[2].ulValueLen =  sizeof (True);
1277 
1278 	keytemplate[3].type = CKA_VALUE;
1279 	keytemplate[3].pValue = passwd;
1280 	keytemplate[3].ulValueLen = passwd_len;
1281 	/*
1282 	 * Create a generic key object to be used for HMAC operations.
1283 	 * The "value" for this key is the password from the
1284 	 * mechanism parameter structure.
1285 	 */
1286 	rv = soft_gen_keyobject(keytemplate,
1287 	    sizeof (keytemplate)/sizeof (CK_ATTRIBUTE), phKey, session_p,
1288 	    CKO_SECRET_KEY, (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0,
1289 	    SOFT_CREATE_OBJ, B_TRUE);
1290 
1291 	return (rv);
1292 }
1293 
1294 CK_RV
1295 soft_generate_pkcs5_pbkdf2_key(soft_session_t *session_p,
1296 		CK_MECHANISM_PTR pMechanism,
1297 		soft_object_t *secret_key)
1298 {
1299 	CK_RV rv = CKR_OK;
1300 	CK_PKCS5_PBKD2_PARAMS	*params =
1301 	    (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter;
1302 	CK_ULONG hLen = SHA1_HASH_SIZE;
1303 	CK_ULONG dkLen, i;
1304 	CK_ULONG blocks, remainder;
1305 	CK_OBJECT_HANDLE phKey = 0;
1306 	soft_object_t *hmac_key = NULL;
1307 	CK_BYTE *salt = NULL;
1308 	CK_BYTE *keydata = NULL;
1309 
1310 	params = (CK_PKCS5_PBKD2_PARAMS_PTR) pMechanism->pParameter;
1311 
1312 	if (params->prf != CKP_PKCS5_PBKD2_HMAC_SHA1)
1313 		return (CKR_MECHANISM_PARAM_INVALID);
1314 
1315 	if (params->pPrfData != NULL || params->ulPrfDataLen != 0)
1316 		return (CKR_DATA_INVALID);
1317 
1318 	if (params->saltSource != CKZ_SALT_SPECIFIED ||
1319 	    params->iterations == 0)
1320 		return (CKR_MECHANISM_PARAM_INVALID);
1321 
1322 	/*
1323 	 * Create a key object to use for HMAC operations.
1324 	 */
1325 	rv = soft_create_hmac_key(session_p, params->pPassword,
1326 	    *params->ulPasswordLen, &phKey);
1327 
1328 	if (rv != CKR_OK)
1329 		return (rv);
1330 
1331 	hmac_key = (soft_object_t *)phKey;
1332 
1333 	/* Step 1. */
1334 	dkLen = OBJ_SEC_VALUE_LEN(secret_key);  /* length of desired key */
1335 
1336 	if (dkLen > ((((u_longlong_t)1)<<32)-1)*hLen) {
1337 		(void) soft_delete_object(session_p, hmac_key, B_FALSE,
1338 		    B_FALSE);
1339 		return (CKR_KEY_SIZE_RANGE);
1340 	}
1341 
1342 	/* Step 2. */
1343 	blocks = dkLen / hLen;
1344 
1345 	/* crude "Ceiling" function to adjust the number of blocks to use */
1346 	if (blocks * hLen != dkLen)
1347 		blocks++;
1348 
1349 	remainder = dkLen - ((blocks - 1) * hLen);
1350 
1351 	/* Step 3 */
1352 	salt = (CK_BYTE *)malloc(params->ulSaltSourceDataLen + 4);
1353 	if (salt == NULL) {
1354 		(void) soft_delete_object(session_p, hmac_key, B_FALSE,
1355 		    B_FALSE);
1356 		return (CKR_HOST_MEMORY);
1357 	}
1358 	/*
1359 	 * Nothing in PKCS#5 says you cannot pass an empty
1360 	 * salt, so we will allow for this and not return error
1361 	 * if the salt is not specified.
1362 	 */
1363 	if (params->pSaltSourceData != NULL && params->ulSaltSourceDataLen > 0)
1364 		(void) memcpy(salt, params->pSaltSourceData,
1365 		    params->ulSaltSourceDataLen);
1366 
1367 	/*
1368 	 * Get pointer to the data section of the key,
1369 	 * this will be used below as output from the
1370 	 * PRF iteration/concatenations so that when the
1371 	 * blocks are all iterated, the secret_key will
1372 	 * have the resulting derived key value.
1373 	 */
1374 	keydata = (CK_BYTE *)OBJ_SEC_VALUE(secret_key);
1375 
1376 	/* Step 4. */
1377 	for (i = 0; i < blocks && (rv == CKR_OK); i++) {
1378 		CK_BYTE *s;
1379 
1380 		s = salt + params->ulSaltSourceDataLen;
1381 
1382 		/*
1383 		 * Append the block index to the salt as input
1384 		 * to the PRF.  Block index should start at 1
1385 		 * not 0.
1386 		 */
1387 		*s++ = ((i+1) >> 24) & 0xff;
1388 		*s++ = ((i+1) >> 16) & 0xff;
1389 		*s++ = ((i+1) >> 8) & 0xff;
1390 		*s   = ((i+1)) & 0xff;
1391 
1392 		/*
1393 		 * Adjust the key pointer so we always append the
1394 		 * PRF output to the current key.
1395 		 */
1396 		rv = do_prf(session_p, params, hmac_key,
1397 		    salt, params->ulSaltSourceDataLen + 4, keydata,
1398 		    ((i + 1) == blocks ? remainder : hLen));
1399 
1400 		keydata += hLen;
1401 	}
1402 	(void) soft_delete_object(session_p, hmac_key, B_FALSE, B_FALSE);
1403 	free(salt);
1404 
1405 	return (rv);
1406 }
1407 
1408 CK_RV
1409 soft_wrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
1410 		soft_object_t *wrappingKey_p, soft_object_t *hkey_p,
1411 		CK_BYTE_PTR pWrappedKey, CK_ULONG_PTR pulWrappedKeyLen)
1412 {
1413 	CK_RV		rv = CKR_OK;
1414 	CK_ULONG	plain_len = 0;
1415 	CK_BYTE_PTR	plain_data = NULL;
1416 	CK_ULONG	padded_len = 0;
1417 	CK_BYTE_PTR	padded_data = NULL;
1418 	CK_ULONG	wkey_blksz = 1;		/* so modulo will work right */
1419 
1420 	/* Check if the mechanism is supported. */
1421 	switch (pMechanism->mechanism) {
1422 	case CKM_DES_CBC_PAD:
1423 	case CKM_DES3_CBC_PAD:
1424 	case CKM_AES_CBC_PAD:
1425 		/*
1426 		 * Secret key mechs with padding can be used to wrap secret
1427 		 * keys and private keys only.  See PKCS#11, * sec 11.14,
1428 		 * C_WrapKey and secs 12.* for each mechanism's wrapping/
1429 		 * unwrapping constraints.
1430 		 */
1431 		if (hkey_p->class != CKO_SECRET_KEY && hkey_p->class !=
1432 		    CKO_PRIVATE_KEY)
1433 			return (CKR_MECHANISM_INVALID);
1434 		break;
1435 	case CKM_RSA_PKCS:
1436 	case CKM_RSA_X_509:
1437 	case CKM_DES_ECB:
1438 	case CKM_DES3_ECB:
1439 	case CKM_AES_ECB:
1440 	case CKM_DES_CBC:
1441 	case CKM_DES3_CBC:
1442 	case CKM_AES_CBC:
1443 	case CKM_AES_CTR:
1444 	case CKM_BLOWFISH_CBC:
1445 		/*
1446 		 * Unpadded secret key mechs and private key mechs are only
1447 		 * defined for wrapping secret keys.  See PKCS#11 refs above.
1448 		 */
1449 		if (hkey_p->class != CKO_SECRET_KEY)
1450 			return (CKR_MECHANISM_INVALID);
1451 		break;
1452 	default:
1453 		return (CKR_MECHANISM_INVALID);
1454 	}
1455 
1456 	if (hkey_p->class == CKO_SECRET_KEY) {
1457 		plain_data = OBJ_SEC_VALUE(hkey_p);
1458 		plain_len = OBJ_SEC_VALUE_LEN(hkey_p);
1459 	} else {
1460 		/*
1461 		 * BER-encode the object to be wrapped:  call first with
1462 		 * plain_data = NULL to get the size needed, allocate that
1463 		 * much space, call again to fill space with actual data.
1464 		 */
1465 		rv = soft_object_to_asn1(hkey_p, NULL, &plain_len);
1466 		if (rv != CKR_OK)
1467 			return (rv);
1468 		if ((plain_data = malloc(plain_len)) == NULL)
1469 			return (CKR_HOST_MEMORY);
1470 		(void) memset(plain_data, 0x0, plain_len);
1471 		rv = soft_object_to_asn1(hkey_p, plain_data, &plain_len);
1472 		if (rv != CKR_OK)
1473 			goto cleanup_wrap;
1474 	}
1475 
1476 	/*
1477 	 * For unpadded ECB and CBC mechanisms, the object needs to be
1478 	 * padded to the wrapping key's blocksize prior to the encryption.
1479 	 */
1480 	padded_len = plain_len;
1481 	padded_data = plain_data;
1482 
1483 	switch (pMechanism->mechanism) {
1484 	case CKM_DES_ECB:
1485 	case CKM_DES3_ECB:
1486 	case CKM_AES_ECB:
1487 	case CKM_DES_CBC:
1488 	case CKM_DES3_CBC:
1489 	case CKM_AES_CBC:
1490 	case CKM_BLOWFISH_CBC:
1491 		/* Find the block size of the wrapping key. */
1492 		if (wrappingKey_p->class == CKO_SECRET_KEY) {
1493 			switch (wrappingKey_p->key_type) {
1494 			case CKK_DES:
1495 			case CKK_DES2:
1496 			case CKK_DES3:
1497 				wkey_blksz = DES_BLOCK_LEN;
1498 				break;
1499 			case CKK_AES:
1500 				wkey_blksz = AES_BLOCK_LEN;
1501 				break;
1502 			case CKK_BLOWFISH:
1503 				wkey_blksz = BLOWFISH_BLOCK_LEN;
1504 				break;
1505 			default:
1506 				break;
1507 			}
1508 		} else {
1509 			rv = CKR_WRAPPING_KEY_TYPE_INCONSISTENT;
1510 			goto cleanup_wrap;
1511 		}
1512 
1513 		/* Extend the plain text data to block size boundary.  */
1514 		if ((padded_len % wkey_blksz) != 0) {
1515 			padded_len += (wkey_blksz - (plain_len % wkey_blksz));
1516 			if ((padded_data = malloc(padded_len)) == NULL) {
1517 				rv = CKR_HOST_MEMORY;
1518 				goto cleanup_wrap;
1519 			}
1520 			(void) memset(padded_data, 0x0, padded_len);
1521 			(void) memcpy(padded_data, plain_data, plain_len);
1522 		}
1523 		break;
1524 	default:
1525 		break;
1526 	}
1527 
1528 	rv = soft_encrypt_init(session_p, pMechanism, wrappingKey_p);
1529 	if (rv != CKR_OK)
1530 		goto cleanup_wrap;
1531 
1532 	rv = soft_encrypt(session_p, padded_data, padded_len,
1533 	    pWrappedKey, pulWrappedKeyLen);
1534 
1535 cleanup_wrap:
1536 	if (padded_data != NULL && padded_len != plain_len) {
1537 		/* Clear buffer before returning to memory pool. */
1538 		(void) memset(padded_data, 0x0, padded_len);
1539 		free(padded_data);
1540 	}
1541 
1542 	if ((hkey_p->class != CKO_SECRET_KEY) && (plain_data != NULL)) {
1543 		/* Clear buffer before returning to memory pool. */
1544 		(void) memset(plain_data, 0x0, plain_len);
1545 		free(plain_data);
1546 	}
1547 
1548 	return (rv);
1549 }
1550 
1551 /*
1552  * Quick check for whether unwrapped key length is appropriate for key type
1553  * and whether it needs to be truncated (in case the wrapping function had
1554  * to pad the key prior to wrapping).
1555  */
1556 static CK_RV
1557 soft_unwrap_secret_len_check(CK_KEY_TYPE keytype, CK_MECHANISM_TYPE mechtype,
1558 	CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount)
1559 {
1560 	CK_ULONG	i;
1561 	boolean_t	isValueLen = B_FALSE;
1562 
1563 	/*
1564 	 * Based on the key type and the mech used to unwrap, need to
1565 	 * determine if CKA_VALUE_LEN should or should not be specified.
1566 	 * PKCS#11 v2.11 restricts CKA_VALUE_LEN from being specified
1567 	 * for C_UnwrapKey for all mechs and key types, but v2.20 loosens
1568 	 * that restriction, perhaps because it makes it impossible to
1569 	 * determine the original length of unwrapped variable-length secret
1570 	 * keys, such as RC4, AES, and GENERIC_SECRET.  These variable-length
1571 	 * secret keys would have been padded with trailing null-bytes so
1572 	 * that they could be successfully wrapped with *_ECB and *_CBC
1573 	 * mechanisms.  Hence for unwrapping with these mechs, CKA_VALUE_LEN
1574 	 * must be specified.  For unwrapping with other mechs, such as
1575 	 * *_CBC_PAD, the CKA_VALUE_LEN is not needed.
1576 	 */
1577 
1578 	/* Find out if template has CKA_VALUE_LEN. */
1579 	for (i = 0; i < ulAttributeCount; i++) {
1580 		if (pTemplate[i].type == CKA_VALUE_LEN &&
1581 		    pTemplate[i].pValue != NULL) {
1582 			isValueLen = B_TRUE;
1583 			break;
1584 		}
1585 	}
1586 
1587 	/* Does its presence  conflict with the mech type and key type? */
1588 	switch (mechtype) {
1589 	case CKM_DES_ECB:
1590 	case CKM_DES3_ECB:
1591 	case CKM_AES_ECB:
1592 	case CKM_DES_CBC:
1593 	case CKM_DES3_CBC:
1594 	case CKM_AES_CBC:
1595 	case CKM_BLOWFISH_CBC:
1596 		/*
1597 		 * CKA_VALUE_LEN must be specified
1598 		 * if keytype is CKK_RC4, CKK_AES and CKK_GENERIC_SECRET
1599 		 * and must not be specified otherwise
1600 		 */
1601 		switch (keytype) {
1602 		case CKK_DES:
1603 		case CKK_DES2:
1604 		case CKK_DES3:
1605 			if (isValueLen)
1606 				return (CKR_TEMPLATE_INCONSISTENT);
1607 			break;
1608 		case CKK_GENERIC_SECRET:
1609 		case CKK_RC4:
1610 		case CKK_AES:
1611 		case CKK_BLOWFISH:
1612 			if (!isValueLen)
1613 				return (CKR_TEMPLATE_INCOMPLETE);
1614 			break;
1615 		default:
1616 			return (CKR_FUNCTION_NOT_SUPPORTED);
1617 		}
1618 		break;
1619 	default:
1620 		/* CKA_VALUE_LEN must not be specified */
1621 		if (isValueLen)
1622 			return (CKR_TEMPLATE_INCONSISTENT);
1623 		break;
1624 	}
1625 
1626 	return (CKR_OK);
1627 }
1628 
1629 CK_RV
1630 soft_unwrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
1631 		soft_object_t *unwrappingkey_p,
1632 		CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
1633 		CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
1634 		CK_OBJECT_HANDLE_PTR phKey)
1635 {
1636 	CK_RV			rv = CKR_OK;
1637 	CK_OBJECT_CLASS		new_obj_class = ~0UL;
1638 	int			i = 0;
1639 	soft_object_t		*new_objp = NULL;
1640 	boolean_t		persistent = B_FALSE;
1641 	CK_BYTE_PTR		plain_data = NULL;
1642 	CK_ULONG		plain_len = 0;
1643 	secret_key_obj_t	*sck = NULL;
1644 
1645 	/* Scan the attribute template for the object class. */
1646 	if (pTemplate != NULL && ulAttributeCount != 0) {
1647 		for (i = 0; i < ulAttributeCount; i++) {
1648 			if (pTemplate[i].type == CKA_CLASS) {
1649 				new_obj_class =
1650 				    *((CK_OBJECT_CLASS *)pTemplate[i].pValue);
1651 				break;
1652 			}
1653 		}
1654 		if (new_obj_class == ~0UL)
1655 			return (CKR_TEMPLATE_INCOMPLETE);
1656 	}
1657 
1658 	/*
1659 	 * Check if the mechanism is supported, and now that the new
1660 	 * object's class is known, the mechanism selected should be
1661 	 * capable of doing the unwrap.
1662 	 */
1663 	switch (pMechanism->mechanism) {
1664 	case CKM_RSA_PKCS:
1665 	case CKM_RSA_X_509:
1666 	case CKM_DES_ECB:
1667 	case CKM_DES3_ECB:
1668 	case CKM_AES_ECB:
1669 	case CKM_DES_CBC:
1670 	case CKM_DES3_CBC:
1671 	case CKM_AES_CBC:
1672 	case CKM_BLOWFISH_CBC:
1673 		if (new_obj_class != CKO_SECRET_KEY)
1674 			return (CKR_MECHANISM_INVALID);
1675 		break;
1676 	case CKM_DES_CBC_PAD:
1677 	case CKM_DES3_CBC_PAD:
1678 	case CKM_AES_CBC_PAD:
1679 		if (new_obj_class != CKO_SECRET_KEY && new_obj_class !=
1680 		    CKO_PRIVATE_KEY)
1681 			return (CKR_MECHANISM_INVALID);
1682 		break;
1683 	default:
1684 		return (CKR_MECHANISM_INVALID);
1685 	}
1686 
1687 	/* Create a new object based on the attribute template. */
1688 	rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
1689 	    (CK_ULONG *)&new_objp, session_p, (CK_OBJECT_CLASS)~0UL,
1690 	    (CK_KEY_TYPE)~0UL, 0, SOFT_UNWRAP_KEY, B_FALSE);
1691 	if (rv != CKR_OK)
1692 		return (rv);
1693 
1694 	/*
1695 	 * New key will have CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE
1696 	 * both set to FALSE.  CKA_EXTRACTABLE will be set _by_default_ to
1697 	 * true -- leaving the possibility that it may be set FALSE by the
1698 	 * supplied attribute template.  If the precise template cannot be
1699 	 * supported, unwrap fails.  PKCS#11 spec, Sec. 11.14, C_UnwrapKey.
1700 	 *
1701 	 * Therefore, check the new object's NEVER_EXTRACTABLE_BOOL_ON and
1702 	 * ALWAYS_SENSITVE_BOOL_ON; if they are TRUE, the template must
1703 	 * have supplied them and therefore we cannot honor the unwrap.
1704 	 */
1705 	if ((new_objp->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) ||
1706 	    (new_objp->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON)) {
1707 		rv = CKR_TEMPLATE_INCONSISTENT;
1708 		goto cleanup_unwrap;
1709 	}
1710 
1711 	rv = soft_decrypt_init(session_p, pMechanism, unwrappingkey_p);
1712 	if (rv != CKR_OK)
1713 		goto cleanup_unwrap;
1714 
1715 	/* First get the length of the plain data */
1716 	rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, NULL,
1717 	    &plain_len);
1718 	if (rv != CKR_OK)
1719 		goto cleanup_unwrap;
1720 
1721 	/* Allocate space for the unwrapped data */
1722 	if ((plain_data = malloc(plain_len)) == NULL) {
1723 		rv = CKR_HOST_MEMORY;
1724 		goto cleanup_unwrap;
1725 	}
1726 	(void) memset(plain_data, 0x0, plain_len);
1727 
1728 	/* Perform actual decryption into the allocated space. */
1729 	rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, plain_data,
1730 	    &plain_len);
1731 	if (rv != CKR_OK)
1732 		goto cleanup_unwrap;
1733 
1734 	if (new_objp->class == CKO_SECRET_KEY) {
1735 		/*
1736 		 * Since no ASN.1 encoding is done for secret keys, check for
1737 		 * appropriateness and copy decrypted buffer to the key object.
1738 		 */
1739 
1740 		/* Check keytype and mechtype don't conflict with valuelen */
1741 		rv = soft_unwrap_secret_len_check(new_objp->key_type,
1742 		    pMechanism->mechanism, pTemplate, ulAttributeCount);
1743 		if (rv != CKR_OK)
1744 			goto cleanup_unwrap;
1745 
1746 		/*
1747 		 * Allocate the secret key structure if not already there;
1748 		 * it will exist for variable length keys since CKA_VALUE_LEN
1749 		 * is specified and saved, but not for fixed length keys.
1750 		 */
1751 		if (OBJ_SEC(new_objp) == NULL) {
1752 			if ((sck = calloc(1, sizeof (secret_key_obj_t))) ==
1753 			    NULL) {
1754 				rv = CKR_HOST_MEMORY;
1755 				goto cleanup_unwrap;
1756 			}
1757 			OBJ_SEC(new_objp) = sck;
1758 		}
1759 
1760 		switch (new_objp->key_type) {
1761 		/* Fixed length secret keys don't have CKA_VALUE_LEN */
1762 		case CKK_DES:
1763 			OBJ_SEC_VALUE_LEN(new_objp) = DES_KEYSIZE;
1764 			break;
1765 		case CKK_DES2:
1766 			OBJ_SEC_VALUE_LEN(new_objp) = DES2_KEYSIZE;
1767 			break;
1768 		case CKK_DES3:
1769 			OBJ_SEC_VALUE_LEN(new_objp) = DES3_KEYSIZE;
1770 			break;
1771 
1772 		/*
1773 		 * Variable length secret keys.  CKA_VALUE_LEN must be
1774 		 * provided by the template when mech is *_ECB or *_CBC, and
1775 		 * should already have been set during soft_gen_keyobject().
1776 		 * Otherwise we don't need CKA_VALUE_LEN.
1777 		 */
1778 		case CKK_GENERIC_SECRET:
1779 		case CKK_RC4:
1780 		case CKK_AES:
1781 		case CKK_BLOWFISH:
1782 			break;
1783 		default:
1784 			rv = CKR_WRAPPED_KEY_INVALID;
1785 			goto cleanup_unwrap;
1786 		};
1787 
1788 		if (OBJ_SEC_VALUE_LEN(new_objp) == 0) {
1789 			/* No CKA_VALUE_LEN set so set it now and save data */
1790 			OBJ_SEC_VALUE_LEN(new_objp) = plain_len;
1791 			OBJ_SEC_VALUE(new_objp) = plain_data;
1792 		} else if (OBJ_SEC_VALUE_LEN(new_objp) == plain_len) {
1793 			/* No need to truncate, just save the data */
1794 			OBJ_SEC_VALUE(new_objp) = plain_data;
1795 		} else if (OBJ_SEC_VALUE_LEN(new_objp) > plain_len) {
1796 			/* Length can't be bigger than what was decrypted */
1797 			rv = CKR_WRAPPED_KEY_LEN_RANGE;
1798 			goto cleanup_unwrap;
1799 		} else {	/* betw 0 and plain_len, hence padded */
1800 			/* Truncate the data before saving. */
1801 			OBJ_SEC_VALUE(new_objp) = realloc(plain_data,
1802 			    OBJ_SEC_VALUE_LEN(new_objp));
1803 			if (OBJ_SEC_VALUE(new_objp) == NULL) {
1804 				rv = CKR_HOST_MEMORY;
1805 				goto cleanup_unwrap;
1806 			}
1807 		}
1808 	} else {
1809 		/* BER-decode the object to be unwrapped. */
1810 		rv = soft_asn1_to_object(new_objp, plain_data, plain_len);
1811 		if (rv != CKR_OK)
1812 			goto cleanup_unwrap;
1813 	}
1814 
1815 	/* If it needs to be persistent, write it to the keystore */
1816 	if (IS_TOKEN_OBJECT(new_objp)) {
1817 		persistent = B_TRUE;
1818 		rv = soft_put_object_to_keystore(new_objp);
1819 		if (rv != CKR_OK)
1820 			goto cleanup_unwrap;
1821 	}
1822 
1823 	if (new_objp->class != CKO_SECRET_KEY) {
1824 		/* Clear buffer before returning to memory pool. */
1825 		(void) memset(plain_data, 0x0, plain_len);
1826 		free(plain_data);
1827 	}
1828 
1829 	*phKey = (CK_OBJECT_HANDLE)new_objp;
1830 
1831 	return (CKR_OK);
1832 
1833 cleanup_unwrap:
1834 	/* The decrypted private key buffer must be freed explicitly. */
1835 	if ((new_objp->class != CKO_SECRET_KEY) && (plain_data != NULL)) {
1836 		/* Clear buffer before returning to memory pool. */
1837 		(void) memset(plain_data, 0x0, plain_len);
1838 		free(plain_data);
1839 	}
1840 
1841 	/* sck and new_objp are indirectly free()d inside these functions */
1842 	if (IS_TOKEN_OBJECT(new_objp))
1843 		soft_delete_token_object(new_objp, persistent, B_FALSE);
1844 	else
1845 		soft_delete_object(session_p, new_objp, B_FALSE, B_FALSE);
1846 
1847 	return (rv);
1848 }
1849