1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 * Copyright (c) 2018, Joyent, Inc. 25 */ 26 27 #include <pthread.h> 28 #include <stdlib.h> 29 #include <string.h> 30 #include <strings.h> 31 #include <sys/types.h> 32 #include <security/cryptoki.h> 33 #include <sys/crypto/common.h> 34 #include <aes_impl.h> 35 #include <blowfish_impl.h> 36 #include <des_impl.h> 37 #include <arcfour.h> 38 #include <cryptoutil.h> 39 #include "softGlobal.h" 40 #include "softSession.h" 41 #include "softObject.h" 42 #include "softDSA.h" 43 #include "softRSA.h" 44 #include "softDH.h" 45 #include "softEC.h" 46 #include "softMAC.h" 47 #include "softOps.h" 48 #include "softKeys.h" 49 #include "softKeystore.h" 50 #include "softSSL.h" 51 #include "softASN1.h" 52 53 54 #define local_min(a, b) ((a) < (b) ? (a) : (b)) 55 56 static CK_RV 57 soft_pkcs12_pbe(soft_session_t *, CK_MECHANISM_PTR, soft_object_t *); 58 59 /* 60 * Create a temporary key object struct by filling up its template attributes. 61 */ 62 CK_RV 63 soft_gen_keyobject(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, 64 CK_ULONG *objecthandle_p, soft_session_t *sp, 65 CK_OBJECT_CLASS class, CK_KEY_TYPE key_type, CK_ULONG keylen, CK_ULONG mode, 66 boolean_t internal) 67 { 68 69 CK_RV rv; 70 soft_object_t *new_objp = NULL; 71 72 new_objp = calloc(1, sizeof (soft_object_t)); 73 if (new_objp == NULL) { 74 return (CKR_HOST_MEMORY); 75 } 76 77 new_objp->extra_attrlistp = NULL; 78 79 /* 80 * Validate attribute template and fill in the attributes 81 * in the soft_object_t. 82 */ 83 rv = soft_build_key(pTemplate, ulCount, new_objp, class, key_type, 84 keylen, mode); 85 if (rv != CKR_OK) { 86 goto fail_cleanup1; 87 } 88 89 /* 90 * If generating a key is an internal request (i.e. not a C_XXX 91 * API request), then skip the following checks. 92 */ 93 if (!internal) { 94 rv = soft_pin_expired_check(new_objp); 95 if (rv != CKR_OK) { 96 goto fail_cleanup2; 97 } 98 99 rv = soft_object_write_access_check(sp, new_objp); 100 if (rv != CKR_OK) { 101 goto fail_cleanup2; 102 } 103 } 104 105 /* Initialize the rest of stuffs in soft_object_t. */ 106 (void) pthread_mutex_init(&new_objp->object_mutex, NULL); 107 new_objp->magic_marker = SOFTTOKEN_OBJECT_MAGIC; 108 109 /* Write the new token object to the keystore */ 110 if (IS_TOKEN_OBJECT(new_objp)) { 111 new_objp->version = 1; 112 new_objp->session_handle = (CK_SESSION_HANDLE)NULL; 113 soft_add_token_object_to_slot(new_objp); 114 /* 115 * Type casting the address of an object struct to 116 * an object handle. 117 */ 118 *objecthandle_p = (CK_ULONG)new_objp; 119 120 return (CKR_OK); 121 } 122 123 new_objp->session_handle = (CK_SESSION_HANDLE)sp; 124 125 /* Add the new object to the session's object list. */ 126 soft_add_object_to_session(new_objp, sp); 127 128 /* Type casting the address of an object struct to an object handle. */ 129 *objecthandle_p = (CK_ULONG)new_objp; 130 131 return (CKR_OK); 132 133 fail_cleanup2: 134 /* 135 * When any error occurs after soft_build_key(), we will need to 136 * clean up the memory allocated by the soft_build_key(). 137 */ 138 soft_cleanup_object(new_objp); 139 140 fail_cleanup1: 141 if (new_objp) { 142 /* 143 * The storage allocated inside of this object should have 144 * been cleaned up by the soft_build_key() if it failed. 145 * Therefore, we can safely free the object. 146 */ 147 free(new_objp); 148 } 149 150 return (rv); 151 } 152 153 CK_RV 154 soft_genkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 155 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey) 156 { 157 158 CK_RV rv = CKR_OK; 159 soft_object_t *secret_key; 160 CK_KEY_TYPE key_type; 161 CK_ULONG keylen = 0; 162 CK_ULONG i; 163 int des_strength = 0; 164 int retry = 0; 165 int keyfound = 0; 166 boolean_t is_ssl_mech = B_FALSE; 167 168 switch (pMechanism->mechanism) { 169 case CKM_DES_KEY_GEN: 170 key_type = CKK_DES; 171 break; 172 173 case CKM_DES2_KEY_GEN: 174 key_type = CKK_DES2; 175 break; 176 177 case CKM_DES3_KEY_GEN: 178 key_type = CKK_DES3; 179 break; 180 181 case CKM_AES_KEY_GEN: 182 key_type = CKK_AES; 183 break; 184 185 case CKM_BLOWFISH_KEY_GEN: 186 key_type = CKK_BLOWFISH; 187 break; 188 189 case CKM_RC4_KEY_GEN: 190 key_type = CKK_RC4; 191 break; 192 193 case CKM_SSL3_PRE_MASTER_KEY_GEN: 194 case CKM_TLS_PRE_MASTER_KEY_GEN: 195 if (pMechanism->pParameter == NULL || 196 pMechanism->ulParameterLen != sizeof (CK_VERSION)) 197 return (CKR_TEMPLATE_INCOMPLETE); 198 is_ssl_mech = B_TRUE; 199 key_type = CKK_GENERIC_SECRET; 200 keylen = 48; 201 break; 202 203 case CKM_PKCS5_PBKD2: 204 keyfound = 0; 205 for (i = 0; i < ulCount && !keyfound; i++) { 206 if (pTemplate[i].type == CKA_KEY_TYPE && 207 pTemplate[i].pValue != NULL) { 208 key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue); 209 keyfound = 1; 210 } 211 } 212 if (!keyfound) 213 return (CKR_TEMPLATE_INCOMPLETE); 214 /* 215 * Make sure that parameters were given for this 216 * mechanism. 217 */ 218 if (pMechanism->pParameter == NULL || 219 pMechanism->ulParameterLen != 220 sizeof (CK_PKCS5_PBKD2_PARAMS)) 221 return (CKR_TEMPLATE_INCOMPLETE); 222 break; 223 224 case CKM_PBE_SHA1_RC4_128: 225 keyfound = 0; 226 for (i = 0; i < ulCount; i++) { 227 if (pTemplate[i].type == CKA_KEY_TYPE && 228 pTemplate[i].pValue != NULL) { 229 key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue); 230 keyfound = 1; 231 } 232 if (pTemplate[i].type == CKA_VALUE_LEN && 233 pTemplate[i].pValue != NULL) { 234 keylen = *((CK_ULONG*)pTemplate[i].pValue); 235 } 236 } 237 /* If a keytype was specified, it had better be CKK_RC4 */ 238 if (keyfound && key_type != CKK_RC4) 239 return (CKR_TEMPLATE_INCONSISTENT); 240 else if (!keyfound) 241 key_type = CKK_RC4; 242 243 /* If key length was specified, it better be 16 bytes */ 244 if (keylen != 0 && keylen != 16) 245 return (CKR_TEMPLATE_INCONSISTENT); 246 247 /* 248 * Make sure that parameters were given for this 249 * mechanism. 250 */ 251 if (pMechanism->pParameter == NULL || 252 pMechanism->ulParameterLen != 253 sizeof (CK_PBE_PARAMS)) 254 return (CKR_TEMPLATE_INCOMPLETE); 255 break; 256 default: 257 return (CKR_MECHANISM_INVALID); 258 } 259 260 /* Create a new object for secret key. */ 261 rv = soft_gen_keyobject(pTemplate, ulCount, phKey, session_p, 262 CKO_SECRET_KEY, key_type, keylen, SOFT_GEN_KEY, B_FALSE); 263 264 if (rv != CKR_OK) { 265 return (rv); 266 } 267 268 /* Obtain the secret object pointer. */ 269 secret_key = (soft_object_t *)*phKey; 270 271 switch (pMechanism->mechanism) { 272 case CKM_DES_KEY_GEN: 273 /* 274 * Set up key value len since it is not a required 275 * attribute for C_GenerateKey. 276 */ 277 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE; 278 des_strength = DES; 279 break; 280 281 case CKM_DES2_KEY_GEN: 282 /* 283 * Set up key value len since it is not a required 284 * attribute for C_GenerateKey. 285 */ 286 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES2_KEYSIZE; 287 des_strength = DES2; 288 break; 289 290 case CKM_DES3_KEY_GEN: 291 /* 292 * Set up key value len since it is not a required 293 * attribute for C_GenerateKey. 294 */ 295 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE; 296 des_strength = DES3; 297 break; 298 299 case CKM_SSL3_PRE_MASTER_KEY_GEN: 300 case CKM_TLS_PRE_MASTER_KEY_GEN: 301 secret_key->bool_attr_mask |= DERIVE_BOOL_ON; 302 /* FALLTHRU */ 303 304 case CKM_AES_KEY_GEN: 305 case CKM_BLOWFISH_KEY_GEN: 306 case CKM_PBE_SHA1_RC4_128: 307 case CKM_RC4_KEY_GEN: 308 keylen = OBJ_SEC_VALUE_LEN(secret_key); 309 break; 310 311 case CKM_PKCS5_PBKD2: 312 /* 313 * PKCS#11 does not allow one to specify key 314 * sizes for DES and 3DES, so we must set it here 315 * when using PBKD2 algorithms. 316 */ 317 if (key_type == CKK_DES) { 318 OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE; 319 des_strength = DES; 320 } else if (key_type == CKK_DES3) { 321 OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE; 322 des_strength = DES3; 323 } 324 325 keylen = OBJ_SEC_VALUE_LEN(secret_key); 326 break; 327 } 328 329 if ((OBJ_SEC_VALUE(secret_key) = malloc(keylen)) == NULL) { 330 if (IS_TOKEN_OBJECT(secret_key)) 331 soft_delete_token_object(secret_key, B_FALSE, B_FALSE); 332 else 333 soft_delete_object(session_p, secret_key, 334 B_FALSE, B_FALSE); 335 336 return (CKR_HOST_MEMORY); 337 } 338 switch (pMechanism->mechanism) { 339 case CKM_PBE_SHA1_RC4_128: 340 /* 341 * Use the PBE algorithm described in PKCS#11 section 342 * 12.33 to derive the key. 343 */ 344 rv = soft_pkcs12_pbe(session_p, pMechanism, secret_key); 345 break; 346 case CKM_PKCS5_PBKD2: 347 /* Generate keys using PKCS#5 PBKD2 algorithm */ 348 rv = soft_generate_pkcs5_pbkdf2_key(session_p, pMechanism, 349 secret_key); 350 if (rv == CKR_OK && des_strength > 0) { 351 /* Perform weak key checking for DES and DES3. */ 352 if (des_keycheck(OBJ_SEC_VALUE(secret_key), 353 des_strength, OBJ_SEC_VALUE(secret_key)) == 354 B_FALSE) { 355 /* We got a weak secret key. */ 356 rv = CKR_FUNCTION_FAILED; 357 } 358 } 359 break; 360 default: 361 do { 362 /* If this fails, bail out */ 363 rv = CKR_OK; 364 if (pkcs11_get_urandom( 365 OBJ_SEC_VALUE(secret_key), keylen) < 0) { 366 rv = CKR_DEVICE_ERROR; 367 break; 368 } 369 370 /* Perform weak key checking for DES and DES3. */ 371 if (des_strength > 0) { 372 rv = CKR_OK; 373 if (des_keycheck(OBJ_SEC_VALUE(secret_key), 374 des_strength, OBJ_SEC_VALUE(secret_key)) == 375 B_FALSE) { 376 /* We got a weak key, retry! */ 377 retry++; 378 rv = CKR_FUNCTION_FAILED; 379 } 380 } 381 /* 382 * Copy over the SSL client version For SSL mechs 383 * The first two bytes of the key is the version 384 */ 385 if (is_ssl_mech) 386 bcopy(pMechanism->pParameter, 387 OBJ_SEC_VALUE(secret_key), 388 sizeof (CK_VERSION)); 389 390 } while (rv != CKR_OK && retry < KEYGEN_RETRY); 391 if (retry == KEYGEN_RETRY) 392 rv = CKR_FUNCTION_FAILED; 393 break; 394 } 395 396 if (rv != CKR_OK) 397 if (IS_TOKEN_OBJECT(secret_key)) 398 soft_delete_token_object(secret_key, B_FALSE, B_FALSE); 399 else 400 soft_delete_object(session_p, secret_key, 401 B_FALSE, B_FALSE); 402 403 if (IS_TOKEN_OBJECT(secret_key)) { 404 /* 405 * All the info has been filled, so we can write to 406 * keystore now. 407 */ 408 rv = soft_put_object_to_keystore(secret_key); 409 if (rv != CKR_OK) 410 soft_delete_token_object(secret_key, B_FALSE, B_FALSE); 411 } 412 413 return (rv); 414 } 415 416 CK_RV 417 soft_genkey_pair(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 418 CK_ATTRIBUTE_PTR pPublicKeyTemplate, CK_ULONG ulPublicAttrCount, 419 CK_ATTRIBUTE_PTR pPrivateKeyTemplate, CK_ULONG ulPrivateAttrCount, 420 CK_OBJECT_HANDLE_PTR phPublicKey, CK_OBJECT_HANDLE_PTR phPrivateKey) 421 { 422 423 CK_RV rv; 424 soft_object_t *public_key, *private_key; 425 CK_KEY_TYPE key_type; 426 427 switch (pMechanism->mechanism) { 428 429 case CKM_RSA_PKCS_KEY_PAIR_GEN: 430 key_type = CKK_RSA; 431 break; 432 433 case CKM_DSA_KEY_PAIR_GEN: 434 key_type = CKK_DSA; 435 break; 436 437 case CKM_DH_PKCS_KEY_PAIR_GEN: 438 key_type = CKK_DH; 439 break; 440 441 case CKM_EC_KEY_PAIR_GEN: 442 key_type = CKK_EC; 443 break; 444 445 default: 446 return (CKR_MECHANISM_INVALID); 447 } 448 449 /* Create a new object for public key. */ 450 rv = soft_gen_keyobject(pPublicKeyTemplate, ulPublicAttrCount, 451 phPublicKey, session_p, CKO_PUBLIC_KEY, key_type, 0, 452 SOFT_GEN_KEY, B_FALSE); 453 454 if (rv != CKR_OK) { 455 return (rv); 456 } 457 458 /* Obtain the public object pointer. */ 459 public_key = (soft_object_t *)*phPublicKey; 460 461 /* Create a new object for private key. */ 462 rv = soft_gen_keyobject(pPrivateKeyTemplate, ulPrivateAttrCount, 463 phPrivateKey, session_p, CKO_PRIVATE_KEY, key_type, 0, 464 SOFT_GEN_KEY, B_FALSE); 465 466 if (rv != CKR_OK) { 467 /* 468 * Both public key and private key must be successful. 469 */ 470 if (IS_TOKEN_OBJECT(public_key)) 471 soft_delete_token_object(public_key, B_FALSE, B_FALSE); 472 else 473 soft_delete_object(session_p, public_key, 474 B_FALSE, B_FALSE); 475 return (rv); 476 } 477 478 /* Obtain the private object pointer. */ 479 private_key = (soft_object_t *)*phPrivateKey; 480 481 /* 482 * At this point, both public key and private key objects 483 * are settled with the application specified attributes. 484 * We are ready to generate the rest of key attributes based 485 * on the existing attributes. 486 */ 487 488 switch (key_type) { 489 case CKK_RSA: 490 rv = soft_rsa_genkey_pair(public_key, private_key); 491 break; 492 493 case CKK_DSA: 494 rv = soft_dsa_genkey_pair(public_key, private_key); 495 break; 496 497 case CKK_DH: 498 rv = soft_dh_genkey_pair(public_key, private_key); 499 private_key->bool_attr_mask |= DERIVE_BOOL_ON; 500 break; 501 case CKK_EC: 502 rv = soft_ec_genkey_pair(public_key, private_key); 503 private_key->bool_attr_mask |= DERIVE_BOOL_ON; 504 break; 505 } 506 507 if (rv != CKR_OK) { 508 if (IS_TOKEN_OBJECT(public_key)) { 509 soft_delete_token_object(public_key, B_FALSE, B_FALSE); 510 soft_delete_token_object(private_key, B_FALSE, B_FALSE); 511 } else { 512 soft_delete_object(session_p, public_key, 513 B_FALSE, B_FALSE); 514 soft_delete_object(session_p, private_key, 515 B_FALSE, B_FALSE); 516 } 517 return (rv); 518 } 519 520 if (IS_TOKEN_OBJECT(public_key)) { 521 /* 522 * All the info has been filled, so we can write to 523 * keystore now. 524 */ 525 rv = soft_put_object_to_keystore(public_key); 526 if (rv != CKR_OK) { 527 soft_delete_token_object(public_key, B_FALSE, B_FALSE); 528 soft_delete_token_object(private_key, B_FALSE, B_FALSE); 529 return (rv); 530 } 531 } 532 533 if (IS_TOKEN_OBJECT(private_key)) { 534 rv = soft_put_object_to_keystore(private_key); 535 if (rv != CKR_OK) { 536 /* 537 * We also need to delete the public token object 538 * from keystore. 539 */ 540 soft_delete_token_object(public_key, B_TRUE, B_FALSE); 541 soft_delete_token_object(private_key, B_FALSE, B_FALSE); 542 } 543 } 544 545 return (rv); 546 } 547 548 549 CK_RV 550 soft_key_derive_check_length(soft_object_t *secret_key, CK_ULONG max_keylen) 551 { 552 553 switch (secret_key->key_type) { 554 case CKK_GENERIC_SECRET: 555 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) { 556 OBJ_SEC_VALUE_LEN(secret_key) = max_keylen; 557 return (CKR_OK); 558 } else if (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen) { 559 return (CKR_ATTRIBUTE_VALUE_INVALID); 560 } 561 break; 562 case CKK_RC4: 563 case CKK_AES: 564 case CKK_BLOWFISH: 565 if ((OBJ_SEC_VALUE_LEN(secret_key) == 0) || 566 (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen)) { 567 /* RC4 and AES has variable key length */ 568 return (CKR_ATTRIBUTE_VALUE_INVALID); 569 } 570 break; 571 case CKK_DES: 572 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) { 573 /* DES has a well-defined length */ 574 OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE; 575 return (CKR_OK); 576 } else if (OBJ_SEC_VALUE_LEN(secret_key) != DES_KEYSIZE) { 577 return (CKR_ATTRIBUTE_VALUE_INVALID); 578 } 579 break; 580 case CKK_DES2: 581 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) { 582 /* DES2 has a well-defined length */ 583 OBJ_SEC_VALUE_LEN(secret_key) = DES2_KEYSIZE; 584 return (CKR_OK); 585 } else if (OBJ_SEC_VALUE_LEN(secret_key) != DES2_KEYSIZE) { 586 return (CKR_ATTRIBUTE_VALUE_INVALID); 587 } 588 break; 589 590 default: 591 return (CKR_MECHANISM_INVALID); 592 } 593 594 return (CKR_OK); 595 } 596 597 /* 598 * PKCS#11 (12.33) says that v = 512 bits (64 bytes) for SHA1 599 * PBE methods. 600 */ 601 #define PKCS12_BUFFER_SIZE 64 602 /* 603 * PKCS#12 defines 3 different ID bytes to be used for 604 * deriving keys for different operations. 605 */ 606 #define PBE_ID_ENCRYPT 1 607 #define PBE_ID_IV 2 608 #define PBE_ID_MAC 3 609 #define PBE_CEIL(a, b) (((a)/(b)) + (((a)%(b)) > 0)) 610 611 static CK_RV 612 soft_pkcs12_pbe(soft_session_t *session_p, 613 CK_MECHANISM_PTR pMechanism, soft_object_t *derived_key) 614 { 615 CK_RV rv = CKR_OK; 616 CK_PBE_PARAMS *params = pMechanism->pParameter; 617 CK_ULONG c, i, j, k; 618 CK_ULONG hashSize; 619 CK_ULONG buffSize; 620 /* 621 * Terse variable names are used to make following 622 * the PKCS#12 spec easier. 623 */ 624 CK_BYTE *A = NULL; 625 CK_BYTE *Ai = NULL; 626 CK_BYTE *B = NULL; 627 CK_BYTE *D = NULL; 628 CK_BYTE *I = NULL, *S, *P; 629 CK_BYTE *keybuf = NULL; 630 CK_ULONG Alen, Ilen, Slen, Plen, AiLen, Blen, Dlen; 631 CK_ULONG keysize = OBJ_SEC_VALUE_LEN(derived_key); 632 CK_MECHANISM digest_mech; 633 634 /* U = hash function output bits */ 635 if (pMechanism->mechanism == CKM_PBE_SHA1_RC4_128) { 636 hashSize = SHA1_HASH_SIZE; 637 buffSize = PKCS12_BUFFER_SIZE; 638 digest_mech.mechanism = CKM_SHA_1; 639 digest_mech.pParameter = NULL; 640 digest_mech.ulParameterLen = 0; 641 } else { 642 /* we only support 1 PBE mech for now */ 643 return (CKR_MECHANISM_INVALID); 644 } 645 keybuf = OBJ_SEC_VALUE(derived_key); 646 647 Blen = Dlen = buffSize; 648 D = (CK_BYTE *)malloc(Dlen); 649 if (D == NULL) { 650 rv = CKR_HOST_MEMORY; 651 goto cleanup; 652 } 653 654 B = (CK_BYTE *)malloc(Blen); 655 if (B == NULL) { 656 rv = CKR_HOST_MEMORY; 657 goto cleanup; 658 } 659 660 /* 661 * Initialize some values and create some buffers 662 * that we need later. 663 * 664 * Slen = buffSize * CEIL(SaltLength/buffSize) 665 */ 666 Slen = buffSize * PBE_CEIL(params->ulSaltLen, buffSize); 667 668 /* 669 * Plen = buffSize * CEIL(PasswordLength/buffSize) 670 */ 671 Plen = buffSize * PBE_CEIL(params->ulPasswordLen, buffSize); 672 673 /* 674 * From step 4: I = S + P, so: Ilen = Slen + Plen 675 */ 676 Ilen = Slen + Plen; 677 I = (CK_BYTE *)malloc(Ilen); 678 if (I == NULL) { 679 rv = CKR_HOST_MEMORY; 680 goto cleanup; 681 } 682 683 S = I; 684 P = I + Slen; 685 686 /* 687 * Step 1. 688 * We are only interested in deriving keys for encrypt/decrypt 689 * for now, so construct the "D"iversifier accordingly. 690 */ 691 (void) memset(D, PBE_ID_ENCRYPT, Dlen); 692 693 /* 694 * Step 2. 695 * Concatenate copies of the salt together to make S. 696 */ 697 for (i = 0; i < Slen; i += params->ulSaltLen) { 698 (void) memcpy(S+i, params->pSalt, 699 ((Slen - i) > params->ulSaltLen ? 700 params->ulSaltLen : (Slen - i))); 701 } 702 703 /* 704 * Step 3. 705 * Concatenate copies of the password together to make 706 * a string P. 707 */ 708 for (i = 0; i < Plen; i += params->ulPasswordLen) { 709 (void) memcpy(P+i, params->pPassword, 710 ((Plen - i) > params->ulPasswordLen ? 711 params->ulPasswordLen : (Plen - i))); 712 } 713 714 /* 715 * Step 4. 716 * I = S+P - this is now done because S and P are 717 * pointers into I. 718 * 719 * Step 5. 720 * c= CEIL[n/u] 721 * where n = pseudorandom bits of output desired. 722 */ 723 c = PBE_CEIL(keysize, hashSize); 724 725 /* 726 * Step 6. 727 */ 728 Alen = c * hashSize; 729 A = (CK_BYTE *)malloc(Alen); 730 if (A == NULL) { 731 rv = CKR_HOST_MEMORY; 732 goto cleanup; 733 } 734 AiLen = hashSize; 735 Ai = (CK_BYTE *)malloc(AiLen); 736 if (Ai == NULL) { 737 rv = CKR_HOST_MEMORY; 738 goto cleanup; 739 } 740 741 /* 742 * Step 6a. 743 * Ai = Hr(D+I) 744 */ 745 for (i = 0; i < c; i++) { 746 (void) pthread_mutex_lock(&session_p->session_mutex); 747 748 if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) { 749 (void) pthread_mutex_unlock(&session_p->session_mutex); 750 rv = CKR_OPERATION_ACTIVE; 751 goto cleanup; 752 } 753 session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE; 754 (void) pthread_mutex_unlock(&session_p->session_mutex); 755 756 for (j = 0; j < params->ulIteration; j++) { 757 rv = soft_digest_init(session_p, &digest_mech); 758 if (rv != CKR_OK) 759 goto digest_done; 760 761 if (j == 0) { 762 rv = soft_digest_update(session_p, D, Dlen); 763 if (rv != CKR_OK) 764 goto digest_done; 765 766 rv = soft_digest_update(session_p, I, Ilen); 767 } else { 768 rv = soft_digest_update(session_p, Ai, AiLen); 769 } 770 if (rv != CKR_OK) 771 goto digest_done; 772 773 rv = soft_digest_final(session_p, Ai, &AiLen); 774 if (rv != CKR_OK) 775 goto digest_done; 776 } 777 digest_done: 778 (void) pthread_mutex_lock(&session_p->session_mutex); 779 session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE; 780 (void) pthread_mutex_unlock(&session_p->session_mutex); 781 782 if (rv != CKR_OK) 783 goto cleanup; 784 /* 785 * Step 6b. 786 * Concatenate Ai to make B 787 */ 788 for (j = 0; j < Blen; j += hashSize) { 789 (void) memcpy(B+j, Ai, ((Blen - j > hashSize) ? 790 hashSize : Blen - j)); 791 } 792 793 /* 794 * Step 6c. 795 */ 796 k = Ilen / Blen; 797 for (j = 0; j < k; j++) { 798 uchar_t idx; 799 CK_ULONG m, q = 1, cbit = 0; 800 801 for (m = Blen - 1; m >= (CK_ULONG)0; m--, q = 0) { 802 idx = m + j*Blen; 803 804 q += (CK_ULONG)I[idx] + (CK_ULONG)B[m]; 805 q += cbit; 806 I[idx] = (CK_BYTE)(q & 0xff); 807 cbit = (q > 0xff); 808 } 809 } 810 811 /* 812 * Step 7. 813 * A += Ai 814 */ 815 (void) memcpy(A + i*hashSize, Ai, AiLen); 816 } 817 818 /* 819 * Step 8. 820 * The final output of this process is the A buffer 821 */ 822 (void) memcpy(keybuf, A, keysize); 823 824 cleanup: 825 freezero(A, Alen); 826 freezero(Ai, AiLen); 827 freezero(B, Blen); 828 freezero(D, Dlen); 829 freezero(I, Ilen); 830 return (rv); 831 } 832 833 CK_RV 834 soft_derivekey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 835 soft_object_t *basekey_p, CK_ATTRIBUTE_PTR pTemplate, 836 CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey) 837 { 838 839 CK_RV rv = CKR_OK; 840 soft_object_t *secret_key; 841 CK_MECHANISM digest_mech; 842 CK_BYTE hash[SHA512_DIGEST_LENGTH]; /* space enough for all mechs */ 843 CK_ULONG hash_len = SHA512_DIGEST_LENGTH; 844 CK_ULONG secret_key_len; 845 CK_ULONG hash_size; 846 847 switch (pMechanism->mechanism) { 848 case CKM_DH_PKCS_DERIVE: 849 /* 850 * Create a new object for secret key. The key type should 851 * be provided in the template. 852 */ 853 rv = soft_gen_keyobject(pTemplate, ulAttributeCount, 854 phKey, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL, 0, 855 SOFT_DERIVE_KEY_DH, B_FALSE); 856 857 if (rv != CKR_OK) { 858 return (rv); 859 } 860 861 /* Obtain the secret object pointer. */ 862 secret_key = (soft_object_t *)*phKey; 863 864 rv = soft_dh_key_derive(basekey_p, secret_key, 865 (CK_BYTE *)pMechanism->pParameter, 866 pMechanism->ulParameterLen); 867 868 if (rv != CKR_OK) { 869 if (IS_TOKEN_OBJECT(secret_key)) 870 soft_delete_token_object(secret_key, B_FALSE, 871 B_FALSE); 872 else 873 soft_delete_object(session_p, secret_key, 874 B_FALSE, B_FALSE); 875 return (rv); 876 } 877 878 break; 879 880 case CKM_ECDH1_DERIVE: 881 /* 882 * Create a new object for secret key. The key type should 883 * be provided in the template. 884 */ 885 rv = soft_gen_keyobject(pTemplate, ulAttributeCount, 886 phKey, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL, 0, 887 SOFT_DERIVE_KEY_DH, B_FALSE); 888 889 if (rv != CKR_OK) { 890 return (rv); 891 } 892 893 /* Obtain the secret object pointer. */ 894 secret_key = (soft_object_t *)*phKey; 895 896 rv = soft_ec_key_derive(basekey_p, secret_key, 897 (CK_BYTE *)pMechanism->pParameter, 898 pMechanism->ulParameterLen); 899 900 if (rv != CKR_OK) { 901 if (IS_TOKEN_OBJECT(secret_key)) 902 soft_delete_token_object(secret_key, B_FALSE, 903 B_FALSE); 904 else 905 soft_delete_object(session_p, secret_key, 906 B_FALSE, B_FALSE); 907 return (rv); 908 } 909 910 break; 911 912 case CKM_SHA1_KEY_DERIVATION: 913 hash_size = SHA1_HASH_SIZE; 914 digest_mech.mechanism = CKM_SHA_1; 915 goto common; 916 917 case CKM_MD5_KEY_DERIVATION: 918 hash_size = MD5_HASH_SIZE; 919 digest_mech.mechanism = CKM_MD5; 920 goto common; 921 922 case CKM_SHA256_KEY_DERIVATION: 923 hash_size = SHA256_DIGEST_LENGTH; 924 digest_mech.mechanism = CKM_SHA256; 925 goto common; 926 927 case CKM_SHA384_KEY_DERIVATION: 928 hash_size = SHA384_DIGEST_LENGTH; 929 digest_mech.mechanism = CKM_SHA384; 930 goto common; 931 932 case CKM_SHA512_KEY_DERIVATION: 933 hash_size = SHA512_DIGEST_LENGTH; 934 digest_mech.mechanism = CKM_SHA512; 935 goto common; 936 937 case CKM_SHA512_224_KEY_DERIVATION: 938 hash_size = SHA512_224_DIGEST_LENGTH; 939 digest_mech.mechanism = CKM_SHA512_224; 940 goto common; 941 942 case CKM_SHA512_256_KEY_DERIVATION: 943 hash_size = SHA512_256_DIGEST_LENGTH; 944 digest_mech.mechanism = CKM_SHA512_256; 945 goto common; 946 947 common: 948 /* 949 * Create a new object for secret key. The key type is optional 950 * to be provided in the template. If it is not specified in 951 * the template, the default is CKK_GENERIC_SECRET. 952 */ 953 rv = soft_gen_keyobject(pTemplate, ulAttributeCount, 954 phKey, session_p, CKO_SECRET_KEY, 955 (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0, 956 SOFT_DERIVE_KEY_OTHER, B_FALSE); 957 958 if (rv != CKR_OK) { 959 return (rv); 960 } 961 962 /* Obtain the secret object pointer. */ 963 secret_key = (soft_object_t *)*phKey; 964 965 /* Validate the key type and key length */ 966 rv = soft_key_derive_check_length(secret_key, hash_size); 967 if (rv != CKR_OK) { 968 if (IS_TOKEN_OBJECT(secret_key)) 969 soft_delete_token_object(secret_key, B_FALSE, 970 B_FALSE); 971 else 972 soft_delete_object(session_p, secret_key, 973 B_FALSE, B_FALSE); 974 return (rv); 975 } 976 977 /* 978 * Derive the secret key by digesting the value of another 979 * secret key (base key) with SHA-1 or MD5. 980 */ 981 rv = soft_digest_init_internal(session_p, &digest_mech); 982 if (rv != CKR_OK) { 983 if (IS_TOKEN_OBJECT(secret_key)) 984 soft_delete_token_object(secret_key, B_FALSE, 985 B_FALSE); 986 else 987 soft_delete_object(session_p, secret_key, 988 B_FALSE, B_FALSE); 989 return (rv); 990 } 991 992 rv = soft_digest(session_p, OBJ_SEC_VALUE(basekey_p), 993 OBJ_SEC_VALUE_LEN(basekey_p), hash, &hash_len); 994 995 (void) pthread_mutex_lock(&session_p->session_mutex); 996 /* soft_digest_common() has freed the digest context */ 997 session_p->digest.flags = 0; 998 (void) pthread_mutex_unlock(&session_p->session_mutex); 999 1000 if (rv != CKR_OK) { 1001 if (IS_TOKEN_OBJECT(secret_key)) 1002 soft_delete_token_object(secret_key, B_FALSE, 1003 B_FALSE); 1004 else 1005 soft_delete_object(session_p, secret_key, 1006 B_FALSE, B_FALSE); 1007 return (rv); 1008 } 1009 1010 secret_key_len = OBJ_SEC_VALUE_LEN(secret_key); 1011 1012 if ((OBJ_SEC_VALUE(secret_key) = malloc(secret_key_len)) == 1013 NULL) { 1014 if (IS_TOKEN_OBJECT(secret_key)) 1015 soft_delete_token_object(secret_key, B_FALSE, 1016 B_FALSE); 1017 else 1018 soft_delete_object(session_p, secret_key, 1019 B_FALSE, B_FALSE); 1020 return (CKR_HOST_MEMORY); 1021 } 1022 1023 /* 1024 * The key produced by this mechanism will be of the 1025 * specified type and length. 1026 * The truncation removes extra bytes from the leading 1027 * of the digested key value. 1028 */ 1029 (void) memcpy(OBJ_SEC_VALUE(secret_key), 1030 (hash + hash_len - secret_key_len), 1031 secret_key_len); 1032 1033 break; 1034 1035 /* 1036 * The key sensitivity and extractability rules for the generated 1037 * keys will be enforced inside soft_ssl_master_key_derive() and 1038 * soft_ssl_key_and_mac_derive() 1039 */ 1040 case CKM_SSL3_MASTER_KEY_DERIVE: 1041 case CKM_SSL3_MASTER_KEY_DERIVE_DH: 1042 case CKM_TLS_MASTER_KEY_DERIVE: 1043 case CKM_TLS_MASTER_KEY_DERIVE_DH: 1044 if (phKey == NULL_PTR) 1045 return (CKR_ARGUMENTS_BAD); 1046 return (soft_ssl_master_key_derive(session_p, pMechanism, 1047 basekey_p, pTemplate, ulAttributeCount, phKey)); 1048 1049 case CKM_SSL3_KEY_AND_MAC_DERIVE: 1050 case CKM_TLS_KEY_AND_MAC_DERIVE: 1051 return (soft_ssl_key_and_mac_derive(session_p, pMechanism, 1052 basekey_p, pTemplate, ulAttributeCount)); 1053 1054 case CKM_TLS_PRF: 1055 if (pMechanism->pParameter == NULL || 1056 pMechanism->ulParameterLen != sizeof (CK_TLS_PRF_PARAMS) || 1057 phKey != NULL) 1058 return (CKR_ARGUMENTS_BAD); 1059 1060 if (pTemplate != NULL) 1061 return (CKR_TEMPLATE_INCONSISTENT); 1062 1063 return (derive_tls_prf( 1064 (CK_TLS_PRF_PARAMS_PTR)pMechanism->pParameter, basekey_p)); 1065 1066 default: 1067 return (CKR_MECHANISM_INVALID); 1068 } 1069 1070 soft_derive_enforce_flags(basekey_p, secret_key); 1071 1072 if (IS_TOKEN_OBJECT(secret_key)) { 1073 /* 1074 * All the info has been filled, so we can write to 1075 * keystore now. 1076 */ 1077 rv = soft_put_object_to_keystore(secret_key); 1078 if (rv != CKR_OK) 1079 soft_delete_token_object(secret_key, B_FALSE, B_FALSE); 1080 } 1081 1082 return (rv); 1083 } 1084 1085 1086 /* 1087 * Perform key derivation rules on key's sensitivity and extractability. 1088 */ 1089 void 1090 soft_derive_enforce_flags(soft_object_t *basekey, soft_object_t *newkey) 1091 { 1092 1093 boolean_t new_sensitive = B_FALSE; 1094 boolean_t new_extractable = B_FALSE; 1095 1096 /* 1097 * The sensitive and extractable bits have been set when 1098 * the newkey was built. 1099 */ 1100 if (newkey->bool_attr_mask & SENSITIVE_BOOL_ON) { 1101 new_sensitive = B_TRUE; 1102 } 1103 1104 if (newkey->bool_attr_mask & EXTRACTABLE_BOOL_ON) { 1105 new_extractable = B_TRUE; 1106 } 1107 1108 /* Derive the CKA_ALWAYS_SENSITIVE flag */ 1109 if (!basekey->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON) { 1110 /* 1111 * If the base key has its CKA_ALWAYS_SENSITIVE set to 1112 * FALSE, then the derived key will as well. 1113 */ 1114 newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON; 1115 } else { 1116 /* 1117 * If the base key has its CKA_ALWAYS_SENSITIVE set to TRUE, 1118 * then the derived key has the CKA_ALWAYS_SENSITIVE set to 1119 * the same value as its CKA_SENSITIVE; 1120 */ 1121 if (new_sensitive) { 1122 newkey->bool_attr_mask |= ALWAYS_SENSITIVE_BOOL_ON; 1123 } else { 1124 newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON; 1125 } 1126 } 1127 1128 /* Derive the CKA_NEVER_EXTRACTABLE flag */ 1129 if (!basekey->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) { 1130 /* 1131 * If the base key has its CKA_NEVER_EXTRACTABLE set to 1132 * FALSE, then the derived key will as well. 1133 */ 1134 newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON; 1135 } else { 1136 /* 1137 * If the base key has its CKA_NEVER_EXTRACTABLE set to TRUE, 1138 * then the derived key has the CKA_NEVER_EXTRACTABLE set to 1139 * the opposite value from its CKA_EXTRACTABLE; 1140 */ 1141 if (new_extractable) { 1142 newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON; 1143 } else { 1144 newkey->bool_attr_mask |= NEVER_EXTRACTABLE_BOOL_ON; 1145 } 1146 } 1147 1148 /* Set the CKA_LOCAL flag to false */ 1149 newkey->bool_attr_mask &= ~LOCAL_BOOL_ON; 1150 } 1151 1152 1153 /* 1154 * do_prf 1155 * 1156 * This routine implements Step 3. of the PBKDF2 function 1157 * defined in PKCS#5 for generating derived keys from a 1158 * password. 1159 * 1160 * Currently, PRF is always SHA_1_HMAC. 1161 */ 1162 static CK_RV 1163 do_prf(soft_session_t *session_p, CK_PKCS5_PBKD2_PARAMS_PTR params, 1164 soft_object_t *hmac_key, CK_BYTE *newsalt, CK_ULONG saltlen, 1165 CK_BYTE *blockdata, CK_ULONG blocklen) 1166 { 1167 CK_RV rv = CKR_OK; 1168 CK_MECHANISM digest_mech = {CKM_SHA_1_HMAC, NULL, 0}; 1169 CK_BYTE buffer[2][SHA1_HASH_SIZE]; 1170 CK_ULONG hmac_outlen = SHA1_HASH_SIZE; 1171 CK_ULONG inlen; 1172 CK_BYTE *input, *output; 1173 CK_ULONG i, j; 1174 1175 input = newsalt; 1176 inlen = saltlen; 1177 1178 output = buffer[1]; 1179 (void) pthread_mutex_lock(&session_p->session_mutex); 1180 1181 if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) { 1182 (void) pthread_mutex_unlock(&session_p->session_mutex); 1183 return (CKR_OPERATION_ACTIVE); 1184 } 1185 session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE; 1186 (void) pthread_mutex_unlock(&session_p->session_mutex); 1187 1188 for (i = 0; i < params->iterations; i++) { 1189 /* 1190 * The key doesn't change, its always the 1191 * password iniitally given. 1192 */ 1193 rv = soft_sign_init(session_p, &digest_mech, hmac_key); 1194 1195 if (rv != CKR_OK) { 1196 goto cleanup; 1197 } 1198 1199 /* Call PRF function (SHA1_HMAC for now). */ 1200 rv = soft_sign(session_p, input, inlen, output, &hmac_outlen); 1201 1202 if (rv != CKR_OK) { 1203 goto cleanup; 1204 } 1205 /* 1206 * The first time, initialize the output buffer 1207 * with the HMAC signature. 1208 */ 1209 if (i == 0) { 1210 (void) memcpy(blockdata, output, 1211 local_min(blocklen, hmac_outlen)); 1212 } else { 1213 /* 1214 * XOR the existing data with output from PRF. 1215 * 1216 * Only XOR up to the length of the blockdata, 1217 * it may be less than a full hmac buffer when 1218 * the final block is being computed. 1219 */ 1220 for (j = 0; j < hmac_outlen && j < blocklen; j++) 1221 blockdata[j] ^= output[j]; 1222 } 1223 /* Output from previous PRF is input for next round */ 1224 input = output; 1225 inlen = hmac_outlen; 1226 1227 /* 1228 * Switch buffers to avoid overuse of memcpy. 1229 * Initially we used buffer[1], so after the end of 1230 * the first iteration (i==0), we switch to buffer[0] 1231 * and continue swapping with each iteration. 1232 */ 1233 output = buffer[i%2]; 1234 } 1235 cleanup: 1236 (void) pthread_mutex_lock(&session_p->session_mutex); 1237 session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE; 1238 (void) pthread_mutex_unlock(&session_p->session_mutex); 1239 1240 return (rv); 1241 } 1242 1243 static CK_RV 1244 soft_create_hmac_key(soft_session_t *session_p, CK_BYTE *passwd, 1245 CK_ULONG passwd_len, CK_OBJECT_HANDLE_PTR phKey) 1246 { 1247 CK_RV rv = CKR_OK; 1248 CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY; 1249 CK_KEY_TYPE keytype = CKK_GENERIC_SECRET; 1250 CK_BBOOL True = TRUE; 1251 CK_ATTRIBUTE keytemplate[4]; 1252 /* 1253 * We must initialize each template member individually 1254 * because at the time of initial coding for ON10, the 1255 * compiler was using the "-xc99=%none" option 1256 * which prevents us from being able to declare the whole 1257 * template in place as usual. 1258 */ 1259 keytemplate[0].type = CKA_CLASS; 1260 keytemplate[0].pValue = &keyclass; 1261 keytemplate[0].ulValueLen = sizeof (keyclass); 1262 1263 keytemplate[1].type = CKA_KEY_TYPE; 1264 keytemplate[1].pValue = &keytype; 1265 keytemplate[1].ulValueLen = sizeof (keytype); 1266 1267 keytemplate[2].type = CKA_SIGN; 1268 keytemplate[2].pValue = &True; 1269 keytemplate[2].ulValueLen = sizeof (True); 1270 1271 keytemplate[3].type = CKA_VALUE; 1272 keytemplate[3].pValue = passwd; 1273 keytemplate[3].ulValueLen = passwd_len; 1274 /* 1275 * Create a generic key object to be used for HMAC operations. 1276 * The "value" for this key is the password from the 1277 * mechanism parameter structure. 1278 */ 1279 rv = soft_gen_keyobject(keytemplate, 1280 sizeof (keytemplate)/sizeof (CK_ATTRIBUTE), phKey, session_p, 1281 CKO_SECRET_KEY, (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0, 1282 SOFT_CREATE_OBJ, B_TRUE); 1283 1284 return (rv); 1285 } 1286 1287 CK_RV 1288 soft_generate_pkcs5_pbkdf2_key(soft_session_t *session_p, 1289 CK_MECHANISM_PTR pMechanism, soft_object_t *secret_key) 1290 { 1291 CK_RV rv = CKR_OK; 1292 CK_PKCS5_PBKD2_PARAMS *params = 1293 (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter; 1294 CK_ULONG hLen = SHA1_HASH_SIZE; 1295 CK_ULONG dkLen, i; 1296 CK_ULONG blocks, remainder; 1297 CK_OBJECT_HANDLE phKey = 0; 1298 soft_object_t *hmac_key = NULL; 1299 CK_BYTE *salt = NULL; 1300 CK_BYTE *keydata = NULL; 1301 1302 params = (CK_PKCS5_PBKD2_PARAMS_PTR) pMechanism->pParameter; 1303 1304 if (params->prf != CKP_PKCS5_PBKD2_HMAC_SHA1) 1305 return (CKR_MECHANISM_PARAM_INVALID); 1306 1307 if (params->pPrfData != NULL || params->ulPrfDataLen != 0) 1308 return (CKR_DATA_INVALID); 1309 1310 if (params->saltSource != CKZ_SALT_SPECIFIED || 1311 params->iterations == 0) 1312 return (CKR_MECHANISM_PARAM_INVALID); 1313 1314 /* 1315 * Create a key object to use for HMAC operations. 1316 */ 1317 rv = soft_create_hmac_key(session_p, params->pPassword, 1318 *params->ulPasswordLen, &phKey); 1319 1320 if (rv != CKR_OK) 1321 return (rv); 1322 1323 hmac_key = (soft_object_t *)phKey; 1324 1325 /* Step 1. */ 1326 dkLen = OBJ_SEC_VALUE_LEN(secret_key); /* length of desired key */ 1327 1328 if (dkLen > ((((u_longlong_t)1)<<32)-1)*hLen) { 1329 (void) soft_delete_object(session_p, hmac_key, B_FALSE, 1330 B_FALSE); 1331 return (CKR_KEY_SIZE_RANGE); 1332 } 1333 1334 /* Step 2. */ 1335 blocks = dkLen / hLen; 1336 1337 /* crude "Ceiling" function to adjust the number of blocks to use */ 1338 if (blocks * hLen != dkLen) 1339 blocks++; 1340 1341 remainder = dkLen - ((blocks - 1) * hLen); 1342 1343 /* Step 3 */ 1344 salt = (CK_BYTE *)malloc(params->ulSaltSourceDataLen + 4); 1345 if (salt == NULL) { 1346 (void) soft_delete_object(session_p, hmac_key, B_FALSE, 1347 B_FALSE); 1348 return (CKR_HOST_MEMORY); 1349 } 1350 /* 1351 * Nothing in PKCS#5 says you cannot pass an empty 1352 * salt, so we will allow for this and not return error 1353 * if the salt is not specified. 1354 */ 1355 if (params->pSaltSourceData != NULL && params->ulSaltSourceDataLen > 0) 1356 (void) memcpy(salt, params->pSaltSourceData, 1357 params->ulSaltSourceDataLen); 1358 1359 /* 1360 * Get pointer to the data section of the key, 1361 * this will be used below as output from the 1362 * PRF iteration/concatenations so that when the 1363 * blocks are all iterated, the secret_key will 1364 * have the resulting derived key value. 1365 */ 1366 keydata = (CK_BYTE *)OBJ_SEC_VALUE(secret_key); 1367 1368 /* Step 4. */ 1369 for (i = 0; i < blocks && (rv == CKR_OK); i++) { 1370 CK_BYTE *s; 1371 1372 s = salt + params->ulSaltSourceDataLen; 1373 1374 /* 1375 * Append the block index to the salt as input 1376 * to the PRF. Block index should start at 1 1377 * not 0. 1378 */ 1379 *s++ = ((i+1) >> 24) & 0xff; 1380 *s++ = ((i+1) >> 16) & 0xff; 1381 *s++ = ((i+1) >> 8) & 0xff; 1382 *s = ((i+1)) & 0xff; 1383 1384 /* 1385 * Adjust the key pointer so we always append the 1386 * PRF output to the current key. 1387 */ 1388 rv = do_prf(session_p, params, hmac_key, 1389 salt, params->ulSaltSourceDataLen + 4, keydata, 1390 ((i + 1) == blocks ? remainder : hLen)); 1391 1392 keydata += hLen; 1393 } 1394 (void) soft_delete_object(session_p, hmac_key, B_FALSE, B_FALSE); 1395 freezero(salt, params->ulSaltSourceDataLen); 1396 1397 return (rv); 1398 } 1399 1400 CK_RV 1401 soft_wrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 1402 soft_object_t *wrappingKey_p, soft_object_t *hkey_p, 1403 CK_BYTE_PTR pWrappedKey, CK_ULONG_PTR pulWrappedKeyLen) 1404 { 1405 CK_RV rv = CKR_OK; 1406 CK_ULONG plain_len = 0; 1407 CK_BYTE_PTR plain_data = NULL; 1408 CK_ULONG padded_len = 0; 1409 CK_BYTE_PTR padded_data = NULL; 1410 CK_ULONG wkey_blksz = 1; /* so modulo will work right */ 1411 1412 /* Check if the mechanism is supported. */ 1413 switch (pMechanism->mechanism) { 1414 case CKM_DES_CBC_PAD: 1415 case CKM_DES3_CBC_PAD: 1416 case CKM_AES_CBC_PAD: 1417 /* 1418 * Secret key mechs with padding can be used to wrap secret 1419 * keys and private keys only. See PKCS#11, * sec 11.14, 1420 * C_WrapKey and secs 12.* for each mechanism's wrapping/ 1421 * unwrapping constraints. 1422 */ 1423 if (hkey_p->class != CKO_SECRET_KEY && hkey_p->class != 1424 CKO_PRIVATE_KEY) 1425 return (CKR_MECHANISM_INVALID); 1426 break; 1427 case CKM_RSA_PKCS: 1428 case CKM_RSA_X_509: 1429 case CKM_DES_ECB: 1430 case CKM_DES3_ECB: 1431 case CKM_AES_ECB: 1432 case CKM_DES_CBC: 1433 case CKM_DES3_CBC: 1434 case CKM_AES_CBC: 1435 case CKM_AES_CTR: 1436 case CKM_BLOWFISH_CBC: 1437 /* 1438 * Unpadded secret key mechs and private key mechs are only 1439 * defined for wrapping secret keys. See PKCS#11 refs above. 1440 */ 1441 if (hkey_p->class != CKO_SECRET_KEY) 1442 return (CKR_MECHANISM_INVALID); 1443 break; 1444 default: 1445 return (CKR_MECHANISM_INVALID); 1446 } 1447 1448 if (hkey_p->class == CKO_SECRET_KEY) { 1449 plain_data = OBJ_SEC_VALUE(hkey_p); 1450 plain_len = OBJ_SEC_VALUE_LEN(hkey_p); 1451 } else { 1452 /* 1453 * BER-encode the object to be wrapped: call first with 1454 * plain_data = NULL to get the size needed, allocate that 1455 * much space, call again to fill space with actual data. 1456 */ 1457 rv = soft_object_to_asn1(hkey_p, NULL, &plain_len); 1458 if (rv != CKR_OK) 1459 return (rv); 1460 if ((plain_data = malloc(plain_len)) == NULL) 1461 return (CKR_HOST_MEMORY); 1462 (void) memset(plain_data, 0x0, plain_len); 1463 rv = soft_object_to_asn1(hkey_p, plain_data, &plain_len); 1464 if (rv != CKR_OK) 1465 goto cleanup_wrap; 1466 } 1467 1468 /* 1469 * For unpadded ECB and CBC mechanisms, the object needs to be 1470 * padded to the wrapping key's blocksize prior to the encryption. 1471 */ 1472 padded_len = plain_len; 1473 padded_data = plain_data; 1474 1475 switch (pMechanism->mechanism) { 1476 case CKM_DES_ECB: 1477 case CKM_DES3_ECB: 1478 case CKM_AES_ECB: 1479 case CKM_DES_CBC: 1480 case CKM_DES3_CBC: 1481 case CKM_AES_CBC: 1482 case CKM_BLOWFISH_CBC: 1483 /* Find the block size of the wrapping key. */ 1484 if (wrappingKey_p->class == CKO_SECRET_KEY) { 1485 switch (wrappingKey_p->key_type) { 1486 case CKK_DES: 1487 case CKK_DES2: 1488 case CKK_DES3: 1489 wkey_blksz = DES_BLOCK_LEN; 1490 break; 1491 case CKK_AES: 1492 wkey_blksz = AES_BLOCK_LEN; 1493 break; 1494 case CKK_BLOWFISH: 1495 wkey_blksz = BLOWFISH_BLOCK_LEN; 1496 break; 1497 default: 1498 break; 1499 } 1500 } else { 1501 rv = CKR_WRAPPING_KEY_TYPE_INCONSISTENT; 1502 goto cleanup_wrap; 1503 } 1504 1505 /* Extend the plain text data to block size boundary. */ 1506 if ((padded_len % wkey_blksz) != 0) { 1507 padded_len += (wkey_blksz - (plain_len % wkey_blksz)); 1508 if ((padded_data = malloc(padded_len)) == NULL) { 1509 rv = CKR_HOST_MEMORY; 1510 goto cleanup_wrap; 1511 } 1512 (void) memset(padded_data, 0x0, padded_len); 1513 (void) memcpy(padded_data, plain_data, plain_len); 1514 } 1515 break; 1516 default: 1517 break; 1518 } 1519 1520 rv = soft_encrypt_init(session_p, pMechanism, wrappingKey_p); 1521 if (rv != CKR_OK) 1522 goto cleanup_wrap; 1523 1524 rv = soft_encrypt(session_p, padded_data, padded_len, 1525 pWrappedKey, pulWrappedKeyLen); 1526 1527 cleanup_wrap: 1528 if (padded_data != NULL && padded_len != plain_len) { 1529 /* Clear buffer before returning to memory pool. */ 1530 freezero(padded_data, padded_len); 1531 } 1532 1533 if ((hkey_p->class != CKO_SECRET_KEY) && (plain_data != NULL)) { 1534 /* Clear buffer before returning to memory pool. */ 1535 freezero(plain_data, plain_len); 1536 } 1537 1538 return (rv); 1539 } 1540 1541 /* 1542 * Quick check for whether unwrapped key length is appropriate for key type 1543 * and whether it needs to be truncated (in case the wrapping function had 1544 * to pad the key prior to wrapping). 1545 */ 1546 static CK_RV 1547 soft_unwrap_secret_len_check(CK_KEY_TYPE keytype, CK_MECHANISM_TYPE mechtype, 1548 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount) 1549 { 1550 CK_ULONG i; 1551 boolean_t isValueLen = B_FALSE; 1552 1553 /* 1554 * Based on the key type and the mech used to unwrap, need to 1555 * determine if CKA_VALUE_LEN should or should not be specified. 1556 * PKCS#11 v2.11 restricts CKA_VALUE_LEN from being specified 1557 * for C_UnwrapKey for all mechs and key types, but v2.20 loosens 1558 * that restriction, perhaps because it makes it impossible to 1559 * determine the original length of unwrapped variable-length secret 1560 * keys, such as RC4, AES, and GENERIC_SECRET. These variable-length 1561 * secret keys would have been padded with trailing null-bytes so 1562 * that they could be successfully wrapped with *_ECB and *_CBC 1563 * mechanisms. Hence for unwrapping with these mechs, CKA_VALUE_LEN 1564 * must be specified. For unwrapping with other mechs, such as 1565 * *_CBC_PAD, the CKA_VALUE_LEN is not needed. 1566 */ 1567 1568 /* Find out if template has CKA_VALUE_LEN. */ 1569 for (i = 0; i < ulAttributeCount; i++) { 1570 if (pTemplate[i].type == CKA_VALUE_LEN && 1571 pTemplate[i].pValue != NULL) { 1572 isValueLen = B_TRUE; 1573 break; 1574 } 1575 } 1576 1577 /* Does its presence conflict with the mech type and key type? */ 1578 switch (mechtype) { 1579 case CKM_DES_ECB: 1580 case CKM_DES3_ECB: 1581 case CKM_AES_ECB: 1582 case CKM_DES_CBC: 1583 case CKM_DES3_CBC: 1584 case CKM_AES_CBC: 1585 case CKM_BLOWFISH_CBC: 1586 /* 1587 * CKA_VALUE_LEN must be specified 1588 * if keytype is CKK_RC4, CKK_AES and CKK_GENERIC_SECRET 1589 * and must not be specified otherwise 1590 */ 1591 switch (keytype) { 1592 case CKK_DES: 1593 case CKK_DES2: 1594 case CKK_DES3: 1595 if (isValueLen) 1596 return (CKR_TEMPLATE_INCONSISTENT); 1597 break; 1598 case CKK_GENERIC_SECRET: 1599 case CKK_RC4: 1600 case CKK_AES: 1601 case CKK_BLOWFISH: 1602 if (!isValueLen) 1603 return (CKR_TEMPLATE_INCOMPLETE); 1604 break; 1605 default: 1606 return (CKR_FUNCTION_NOT_SUPPORTED); 1607 } 1608 break; 1609 default: 1610 /* CKA_VALUE_LEN must not be specified */ 1611 if (isValueLen) 1612 return (CKR_TEMPLATE_INCONSISTENT); 1613 break; 1614 } 1615 1616 return (CKR_OK); 1617 } 1618 1619 CK_RV 1620 soft_unwrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 1621 soft_object_t *unwrappingkey_p, CK_BYTE_PTR pWrappedKey, 1622 CK_ULONG ulWrappedKeyLen, CK_ATTRIBUTE_PTR pTemplate, 1623 CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey) 1624 { 1625 CK_RV rv = CKR_OK; 1626 CK_OBJECT_CLASS new_obj_class = ~0UL; 1627 int i = 0; 1628 soft_object_t *new_objp = NULL; 1629 boolean_t persistent = B_FALSE; 1630 CK_BYTE_PTR plain_data = NULL; 1631 CK_ULONG plain_len = 0; 1632 secret_key_obj_t *sck = NULL; 1633 1634 /* Scan the attribute template for the object class. */ 1635 if (pTemplate != NULL && ulAttributeCount != 0) { 1636 for (i = 0; i < ulAttributeCount; i++) { 1637 if (pTemplate[i].type == CKA_CLASS) { 1638 new_obj_class = 1639 *((CK_OBJECT_CLASS *)pTemplate[i].pValue); 1640 break; 1641 } 1642 } 1643 if (new_obj_class == ~0UL) 1644 return (CKR_TEMPLATE_INCOMPLETE); 1645 } 1646 1647 /* 1648 * Check if the mechanism is supported, and now that the new 1649 * object's class is known, the mechanism selected should be 1650 * capable of doing the unwrap. 1651 */ 1652 switch (pMechanism->mechanism) { 1653 case CKM_RSA_PKCS: 1654 case CKM_RSA_X_509: 1655 case CKM_DES_ECB: 1656 case CKM_DES3_ECB: 1657 case CKM_AES_ECB: 1658 case CKM_DES_CBC: 1659 case CKM_DES3_CBC: 1660 case CKM_AES_CBC: 1661 case CKM_BLOWFISH_CBC: 1662 if (new_obj_class != CKO_SECRET_KEY) 1663 return (CKR_MECHANISM_INVALID); 1664 break; 1665 case CKM_DES_CBC_PAD: 1666 case CKM_DES3_CBC_PAD: 1667 case CKM_AES_CBC_PAD: 1668 if (new_obj_class != CKO_SECRET_KEY && new_obj_class != 1669 CKO_PRIVATE_KEY) 1670 return (CKR_MECHANISM_INVALID); 1671 break; 1672 default: 1673 return (CKR_MECHANISM_INVALID); 1674 } 1675 1676 /* Create a new object based on the attribute template. */ 1677 rv = soft_gen_keyobject(pTemplate, ulAttributeCount, 1678 (CK_ULONG *)&new_objp, session_p, (CK_OBJECT_CLASS)~0UL, 1679 (CK_KEY_TYPE)~0UL, 0, SOFT_UNWRAP_KEY, B_FALSE); 1680 if (rv != CKR_OK) 1681 return (rv); 1682 1683 /* 1684 * New key will have CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE 1685 * both set to FALSE. CKA_EXTRACTABLE will be set _by_default_ to 1686 * true -- leaving the possibility that it may be set FALSE by the 1687 * supplied attribute template. If the precise template cannot be 1688 * supported, unwrap fails. PKCS#11 spec, Sec. 11.14, C_UnwrapKey. 1689 * 1690 * Therefore, check the new object's NEVER_EXTRACTABLE_BOOL_ON and 1691 * ALWAYS_SENSITVE_BOOL_ON; if they are TRUE, the template must 1692 * have supplied them and therefore we cannot honor the unwrap. 1693 */ 1694 if ((new_objp->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) || 1695 (new_objp->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON)) { 1696 rv = CKR_TEMPLATE_INCONSISTENT; 1697 goto cleanup_unwrap; 1698 } 1699 1700 rv = soft_decrypt_init(session_p, pMechanism, unwrappingkey_p); 1701 if (rv != CKR_OK) 1702 goto cleanup_unwrap; 1703 1704 /* First get the length of the plain data */ 1705 rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, NULL, 1706 &plain_len); 1707 if (rv != CKR_OK) 1708 goto cleanup_unwrap; 1709 1710 /* Allocate space for the unwrapped data */ 1711 if ((plain_data = malloc(plain_len)) == NULL) { 1712 rv = CKR_HOST_MEMORY; 1713 goto cleanup_unwrap; 1714 } 1715 (void) memset(plain_data, 0x0, plain_len); 1716 1717 /* Perform actual decryption into the allocated space. */ 1718 rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, plain_data, 1719 &plain_len); 1720 if (rv != CKR_OK) 1721 goto cleanup_unwrap; 1722 1723 if (new_objp->class == CKO_SECRET_KEY) { 1724 /* 1725 * Since no ASN.1 encoding is done for secret keys, check for 1726 * appropriateness and copy decrypted buffer to the key object. 1727 */ 1728 1729 /* Check keytype and mechtype don't conflict with valuelen */ 1730 rv = soft_unwrap_secret_len_check(new_objp->key_type, 1731 pMechanism->mechanism, pTemplate, ulAttributeCount); 1732 if (rv != CKR_OK) 1733 goto cleanup_unwrap; 1734 1735 /* 1736 * Allocate the secret key structure if not already there; 1737 * it will exist for variable length keys since CKA_VALUE_LEN 1738 * is specified and saved, but not for fixed length keys. 1739 */ 1740 if (OBJ_SEC(new_objp) == NULL) { 1741 if ((sck = calloc(1, sizeof (secret_key_obj_t))) == 1742 NULL) { 1743 rv = CKR_HOST_MEMORY; 1744 goto cleanup_unwrap; 1745 } 1746 OBJ_SEC(new_objp) = sck; 1747 } 1748 1749 switch (new_objp->key_type) { 1750 /* Fixed length secret keys don't have CKA_VALUE_LEN */ 1751 case CKK_DES: 1752 OBJ_SEC_VALUE_LEN(new_objp) = DES_KEYSIZE; 1753 break; 1754 case CKK_DES2: 1755 OBJ_SEC_VALUE_LEN(new_objp) = DES2_KEYSIZE; 1756 break; 1757 case CKK_DES3: 1758 OBJ_SEC_VALUE_LEN(new_objp) = DES3_KEYSIZE; 1759 break; 1760 1761 /* 1762 * Variable length secret keys. CKA_VALUE_LEN must be 1763 * provided by the template when mech is *_ECB or *_CBC, and 1764 * should already have been set during soft_gen_keyobject(). 1765 * Otherwise we don't need CKA_VALUE_LEN. 1766 */ 1767 case CKK_GENERIC_SECRET: 1768 case CKK_RC4: 1769 case CKK_AES: 1770 case CKK_BLOWFISH: 1771 break; 1772 default: 1773 rv = CKR_WRAPPED_KEY_INVALID; 1774 goto cleanup_unwrap; 1775 }; 1776 1777 if (OBJ_SEC_VALUE_LEN(new_objp) == 0) { 1778 /* No CKA_VALUE_LEN set so set it now and save data */ 1779 OBJ_SEC_VALUE_LEN(new_objp) = plain_len; 1780 OBJ_SEC_VALUE(new_objp) = plain_data; 1781 } else if (OBJ_SEC_VALUE_LEN(new_objp) == plain_len) { 1782 /* No need to truncate, just save the data */ 1783 OBJ_SEC_VALUE(new_objp) = plain_data; 1784 } else if (OBJ_SEC_VALUE_LEN(new_objp) > plain_len) { 1785 /* Length can't be bigger than what was decrypted */ 1786 rv = CKR_WRAPPED_KEY_LEN_RANGE; 1787 goto cleanup_unwrap; 1788 } else { /* betw 0 and plain_len, hence padded */ 1789 /* Truncate the data before saving. */ 1790 OBJ_SEC_VALUE(new_objp) = realloc(plain_data, 1791 OBJ_SEC_VALUE_LEN(new_objp)); 1792 if (OBJ_SEC_VALUE(new_objp) == NULL) { 1793 rv = CKR_HOST_MEMORY; 1794 goto cleanup_unwrap; 1795 } 1796 } 1797 } else { 1798 /* BER-decode the object to be unwrapped. */ 1799 rv = soft_asn1_to_object(new_objp, plain_data, plain_len); 1800 if (rv != CKR_OK) 1801 goto cleanup_unwrap; 1802 } 1803 1804 /* If it needs to be persistent, write it to the keystore */ 1805 if (IS_TOKEN_OBJECT(new_objp)) { 1806 persistent = B_TRUE; 1807 rv = soft_put_object_to_keystore(new_objp); 1808 if (rv != CKR_OK) 1809 goto cleanup_unwrap; 1810 } 1811 1812 if (new_objp->class != CKO_SECRET_KEY) { 1813 /* Clear buffer before returning to memory pool. */ 1814 freezero(plain_data, plain_len); 1815 } 1816 1817 *phKey = (CK_OBJECT_HANDLE)new_objp; 1818 1819 return (CKR_OK); 1820 1821 cleanup_unwrap: 1822 /* The decrypted private key buffer must be freed explicitly. */ 1823 if ((new_objp->class != CKO_SECRET_KEY) && (plain_data != NULL)) { 1824 /* Clear buffer before returning to memory pool. */ 1825 freezero(plain_data, plain_len); 1826 } 1827 1828 /* sck and new_objp are indirectly free()d inside these functions */ 1829 if (IS_TOKEN_OBJECT(new_objp)) 1830 soft_delete_token_object(new_objp, persistent, B_FALSE); 1831 else 1832 soft_delete_object(session_p, new_objp, B_FALSE, B_FALSE); 1833 1834 return (rv); 1835 } 1836