xref: /illumos-gate/usr/src/lib/pkcs11/pkcs11_softtoken/common/softSignUtil.c (revision 78801af7286cd73dbc996d470f789e75993cf15d)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
25  * Copyright (c) 2018, Joyent, Inc.
26  */
27 
28 #include <stdlib.h>
29 #include <strings.h>
30 #include <sys/types.h>
31 #include <security/cryptoki.h>
32 #include "softObject.h"
33 #include "softOps.h"
34 #include "softSession.h"
35 #include "softMAC.h"
36 #include "softRSA.h"
37 #include "softDSA.h"
38 #include "softEC.h"
39 #include "softCrypt.h"
40 
41 /*
42  * soft_sign_init()
43  *
44  * Arguments:
45  *	session_p:	pointer to soft_session_t struct
46  *	pMechanism:	pointer to CK_MECHANISM struct provided by application
47  *	key_p:		pointer to key soft_object_t struct
48  *
49  * Description:
50  *	called by C_SignInit(). This function calls the corresponding
51  *	sign init routine based on the mechanism.
52  *
53  */
54 CK_RV
55 soft_sign_init(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
56     soft_object_t *key_p)
57 {
58 
59 	switch (pMechanism->mechanism) {
60 
61 	case CKM_SSL3_MD5_MAC:
62 	case CKM_SSL3_SHA1_MAC:
63 	case CKM_MD5_HMAC_GENERAL:
64 	case CKM_MD5_HMAC:
65 	case CKM_SHA_1_HMAC_GENERAL:
66 	case CKM_SHA_1_HMAC:
67 	case CKM_SHA256_HMAC_GENERAL:
68 	case CKM_SHA256_HMAC:
69 	case CKM_SHA384_HMAC_GENERAL:
70 	case CKM_SHA384_HMAC:
71 	case CKM_SHA512_HMAC_GENERAL:
72 	case CKM_SHA512_HMAC:
73 
74 		return (soft_hmac_sign_verify_init_common(session_p,
75 		    pMechanism, key_p, B_TRUE));
76 
77 	case CKM_RSA_X_509:
78 	case CKM_RSA_PKCS:
79 	case CKM_MD5_RSA_PKCS:
80 	case CKM_SHA1_RSA_PKCS:
81 	case CKM_SHA256_RSA_PKCS:
82 	case CKM_SHA384_RSA_PKCS:
83 	case CKM_SHA512_RSA_PKCS:
84 
85 		return (soft_rsa_sign_verify_init_common(session_p, pMechanism,
86 		    key_p, B_TRUE));
87 
88 	case CKM_DSA:
89 	case CKM_DSA_SHA1:
90 
91 		return (soft_dsa_sign_verify_init_common(session_p, pMechanism,
92 		    key_p, B_TRUE));
93 
94 	case CKM_ECDSA:
95 	case CKM_ECDSA_SHA1:
96 
97 		return (soft_ecc_sign_verify_init_common(session_p, pMechanism,
98 		    key_p, B_TRUE));
99 
100 	case CKM_DES_MAC_GENERAL:
101 	case CKM_DES_MAC:
102 
103 		return (soft_des_sign_verify_init_common(session_p, pMechanism,
104 		    key_p, B_TRUE));
105 
106 	case CKM_AES_CMAC_GENERAL:
107 	case CKM_AES_CMAC:
108 
109 		return (soft_aes_sign_verify_init_common(session_p, pMechanism,
110 		    key_p, B_TRUE));
111 
112 	default:
113 		return (CKR_MECHANISM_INVALID);
114 	}
115 
116 }
117 
118 
119 /*
120  * soft_sign()
121  *
122  * Arguments:
123  *      session_p:	pointer to soft_session_t struct
124  *	pData:		pointer to the input data to be signed
125  *	ulDataLen:	length of the input data
126  *	pSignature:	pointer to the signature after signing
127  *	pulSignatureLen: pointer to the length of the signature
128  *
129  * Description:
130  *      called by C_Sign(). This function calls the corresponding
131  *	sign routine based on the mechanism.
132  *
133  */
134 CK_RV
135 soft_sign(soft_session_t *session_p, CK_BYTE_PTR pData,
136     CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
137     CK_ULONG_PTR pulSignatureLen)
138 {
139 
140 	CK_MECHANISM_TYPE mechanism = session_p->sign.mech.mechanism;
141 	CK_RV rv = CKR_OK;
142 
143 	switch (mechanism) {
144 
145 	case CKM_SSL3_MD5_MAC:
146 	case CKM_SSL3_SHA1_MAC:
147 	case CKM_MD5_HMAC_GENERAL:
148 	case CKM_MD5_HMAC:
149 	case CKM_SHA_1_HMAC_GENERAL:
150 	case CKM_SHA_1_HMAC:
151 	case CKM_SHA256_HMAC_GENERAL:
152 	case CKM_SHA256_HMAC:
153 	case CKM_SHA384_HMAC_GENERAL:
154 	case CKM_SHA384_HMAC:
155 	case CKM_SHA512_HMAC_GENERAL:
156 	case CKM_SHA512_HMAC:
157 	{
158 		CK_BYTE hmac[SHA512_DIGEST_LENGTH]; /* use the maximum size */
159 
160 		if (pSignature != NULL) {
161 			/* Pass local buffer to avoid overflow. */
162 			rv = soft_hmac_sign_verify_common(session_p, pData,
163 			    ulDataLen, hmac, pulSignatureLen, B_TRUE);
164 		} else {
165 			/* Pass original pSignature, let callee to handle it. */
166 			rv = soft_hmac_sign_verify_common(session_p, pData,
167 			    ulDataLen, pSignature, pulSignatureLen, B_TRUE);
168 		}
169 
170 		if ((rv == CKR_OK) && (pSignature != NULL))
171 			(void) memcpy(pSignature, hmac, *pulSignatureLen);
172 
173 		return (rv);
174 	}
175 	case CKM_DES_MAC_GENERAL:
176 	case CKM_DES_MAC:
177 	{
178 		CK_BYTE signature[DES_BLOCK_LEN]; /* use the maximum size */
179 
180 		if (pSignature != NULL) {
181 			/* Pass local buffer to avoid overflow. */
182 			rv = soft_des_sign_verify_common(session_p, pData,
183 			    ulDataLen, signature, pulSignatureLen, B_TRUE,
184 			    B_FALSE);
185 		} else {
186 			/* Pass NULL, let callee to handle it. */
187 			rv = soft_des_sign_verify_common(session_p, pData,
188 			    ulDataLen, NULL, pulSignatureLen, B_TRUE, B_FALSE);
189 		}
190 
191 		if ((rv == CKR_OK) && (pSignature != NULL))
192 			(void) memcpy(pSignature, signature, *pulSignatureLen);
193 
194 		return (rv);
195 	}
196 	case CKM_AES_CMAC_GENERAL:
197 	case CKM_AES_CMAC:
198 	{
199 		CK_BYTE signature[AES_BLOCK_LEN];
200 
201 		if (pSignature != NULL) {
202 			/* Pass local buffer to avoid overflow. */
203 			rv = soft_aes_sign_verify_common(session_p, pData,
204 			    ulDataLen, signature, pulSignatureLen, B_TRUE,
205 			    B_FALSE);
206 		} else {
207 			/* Pass NULL, let callee handle it. */
208 			rv = soft_aes_sign_verify_common(session_p, pData,
209 			    ulDataLen, NULL, pulSignatureLen, B_TRUE, B_FALSE);
210 		}
211 
212 		if ((rv == CKR_OK) && (pSignature != NULL))
213 			(void) memcpy(pSignature, signature, *pulSignatureLen);
214 
215 		return (rv);
216 	}
217 	case CKM_RSA_X_509:
218 	case CKM_RSA_PKCS:
219 
220 		return (soft_rsa_sign_common(session_p, pData, ulDataLen,
221 		    pSignature, pulSignatureLen, mechanism));
222 
223 	case CKM_MD5_RSA_PKCS:
224 	case CKM_SHA1_RSA_PKCS:
225 	case CKM_SHA256_RSA_PKCS:
226 	case CKM_SHA384_RSA_PKCS:
227 	case CKM_SHA512_RSA_PKCS:
228 
229 		return (soft_rsa_digest_sign_common(session_p, pData, ulDataLen,
230 		    pSignature, pulSignatureLen, mechanism, B_FALSE));
231 
232 	case CKM_DSA:
233 
234 		return (soft_dsa_sign(session_p, pData, ulDataLen,
235 		    pSignature, pulSignatureLen));
236 
237 	case CKM_DSA_SHA1:
238 
239 		return (soft_dsa_digest_sign_common(session_p, pData, ulDataLen,
240 		    pSignature, pulSignatureLen, B_FALSE));
241 
242 	case CKM_ECDSA:
243 
244 		return (soft_ecc_sign(session_p, pData, ulDataLen,
245 		    pSignature, pulSignatureLen));
246 
247 	case CKM_ECDSA_SHA1:
248 
249 		return (soft_ecc_digest_sign_common(session_p, pData, ulDataLen,
250 		    pSignature, pulSignatureLen, B_FALSE));
251 
252 	default:
253 		return (CKR_MECHANISM_INVALID);
254 	}
255 }
256 
257 
258 /*
259  * soft_sign_update()
260  *
261  * Arguments:
262  *      session_p:	pointer to soft_session_t struct
263  *      pPart:		pointer to the input data to be signed
264  *      ulPartLen:	length of the input data
265  *
266  * Description:
267  *      called by C_SignUpdate(). This function calls the corresponding
268  *	sign update routine based on the mechanism.
269  *
270  */
271 CK_RV
272 soft_sign_update(soft_session_t *session_p, CK_BYTE_PTR pPart,
273     CK_ULONG ulPartLen)
274 {
275 	CK_MECHANISM_TYPE	mechanism = session_p->sign.mech.mechanism;
276 
277 	switch (mechanism) {
278 
279 	case CKM_SSL3_MD5_MAC:
280 	case CKM_SSL3_SHA1_MAC:
281 	case CKM_MD5_HMAC_GENERAL:
282 	case CKM_MD5_HMAC:
283 	case CKM_SHA_1_HMAC_GENERAL:
284 	case CKM_SHA_1_HMAC:
285 	case CKM_SHA256_HMAC_GENERAL:
286 	case CKM_SHA256_HMAC:
287 	case CKM_SHA384_HMAC_GENERAL:
288 	case CKM_SHA384_HMAC:
289 	case CKM_SHA512_HMAC_GENERAL:
290 	case CKM_SHA512_HMAC:
291 
292 		return (soft_hmac_sign_verify_update(session_p, pPart,
293 		    ulPartLen, B_TRUE));
294 
295 	case CKM_DES_MAC_GENERAL:
296 	case CKM_DES_MAC:
297 
298 		return (soft_des_mac_sign_verify_update(session_p, pPart,
299 		    ulPartLen));
300 
301 	case CKM_AES_CMAC_GENERAL:
302 	case CKM_AES_CMAC:
303 
304 		return (soft_aes_mac_sign_verify_update(session_p, pPart,
305 		    ulPartLen));
306 
307 	case CKM_MD5_RSA_PKCS:
308 	case CKM_SHA1_RSA_PKCS:
309 	case CKM_SHA256_RSA_PKCS:
310 	case CKM_SHA384_RSA_PKCS:
311 	case CKM_SHA512_RSA_PKCS:
312 		/*
313 		 * The MD5/SHA1 digest value is accumulated in the context
314 		 * of the multiple-part digesting operation. In the final
315 		 * operation, the digest is encoded and then perform RSA
316 		 * signing.
317 		 */
318 	case CKM_DSA_SHA1:
319 	case CKM_ECDSA_SHA1:
320 
321 		return (soft_digest_update(session_p, pPart, ulPartLen));
322 
323 	default:
324 		/* PKCS11: The mechanism only supports single-part operation. */
325 		return (CKR_MECHANISM_INVALID);
326 	}
327 }
328 
329 
330 /*
331  * soft_sign_final()
332  *
333  * Arguments:
334  *      session_p:	pointer to soft_session_t struct
335  *      pSignature:	pointer to the signature after signing
336  *      pulSignatureLen: pointer to the	length of the signature
337  *
338  * Description:
339  *      called by C_SignFinal(). This function calls the corresponding
340  *	sign final routine based on the mechanism.
341  *
342  */
343 CK_RV
344 soft_sign_final(soft_session_t *session_p, CK_BYTE_PTR pSignature,
345     CK_ULONG_PTR pulSignatureLen)
346 {
347 
348 	CK_MECHANISM_TYPE mechanism = session_p->sign.mech.mechanism;
349 	CK_RV rv = CKR_OK;
350 
351 	switch (mechanism) {
352 
353 	case CKM_SSL3_MD5_MAC:
354 	case CKM_SSL3_SHA1_MAC:
355 	case CKM_MD5_HMAC_GENERAL:
356 	case CKM_MD5_HMAC:
357 	case CKM_SHA_1_HMAC_GENERAL:
358 	case CKM_SHA_1_HMAC:
359 	case CKM_SHA256_HMAC_GENERAL:
360 	case CKM_SHA256_HMAC:
361 	case CKM_SHA384_HMAC_GENERAL:
362 	case CKM_SHA384_HMAC:
363 	case CKM_SHA512_HMAC_GENERAL:
364 	case CKM_SHA512_HMAC:
365 	{
366 		CK_BYTE hmac[SHA512_DIGEST_LENGTH]; /* use the maximum size */
367 
368 		if (pSignature != NULL) {
369 			/* Pass local buffer to avoid overflow */
370 			rv = soft_hmac_sign_verify_common(session_p, NULL,
371 			    0, hmac, pulSignatureLen, B_TRUE);
372 		} else {
373 			/* Pass original pSignature, let callee to handle it. */
374 			rv = soft_hmac_sign_verify_common(session_p, NULL,
375 			    0, pSignature, pulSignatureLen, B_TRUE);
376 		}
377 
378 		if ((rv == CKR_OK) && (pSignature != NULL))
379 			(void) memcpy(pSignature, hmac, *pulSignatureLen);
380 
381 		return (rv);
382 	}
383 	case CKM_DES_MAC_GENERAL:
384 	case CKM_DES_MAC:
385 	{
386 		CK_BYTE signature[DES_BLOCK_LEN]; /* use the maximum size */
387 
388 		if (pSignature != NULL) {
389 			/* Pass local buffer to avoid overflow. */
390 			rv = soft_des_sign_verify_common(session_p, NULL, 0,
391 			    signature, pulSignatureLen, B_TRUE, B_TRUE);
392 		} else {
393 			/* Pass NULL, let callee to handle it. */
394 			rv = soft_des_sign_verify_common(session_p, NULL, 0,
395 			    NULL, pulSignatureLen, B_TRUE, B_TRUE);
396 		}
397 
398 		if ((rv == CKR_OK) && (pSignature != NULL))
399 			(void) memcpy(pSignature, signature, *pulSignatureLen);
400 
401 		return (rv);
402 	}
403 	case CKM_AES_CMAC_GENERAL:
404 	case CKM_AES_CMAC:
405 	{
406 		CK_BYTE signature[AES_BLOCK_LEN]; /* use the maximum size */
407 
408 		if (pSignature != NULL) {
409 			/* Pass local buffer to avoid overflow. */
410 			rv = soft_aes_sign_verify_common(session_p, NULL, 0,
411 			    signature, pulSignatureLen, B_TRUE, B_TRUE);
412 		} else {
413 			/* Pass NULL, let callee handle it. */
414 			rv = soft_aes_sign_verify_common(session_p, NULL, 0,
415 			    NULL, pulSignatureLen, B_TRUE, B_TRUE);
416 		}
417 
418 		if ((rv == CKR_OK) && (pSignature != NULL))
419 			(void) memcpy(pSignature, signature, *pulSignatureLen);
420 
421 		return (rv);
422 	}
423 	case CKM_MD5_RSA_PKCS:
424 	case CKM_SHA1_RSA_PKCS:
425 	case CKM_SHA256_RSA_PKCS:
426 	case CKM_SHA384_RSA_PKCS:
427 	case CKM_SHA512_RSA_PKCS:
428 
429 		return (soft_rsa_digest_sign_common(session_p, NULL, 0,
430 		    pSignature, pulSignatureLen, mechanism, B_TRUE));
431 
432 	case CKM_DSA_SHA1:
433 
434 		return (soft_dsa_digest_sign_common(session_p, NULL, 0,
435 		    pSignature, pulSignatureLen, B_TRUE));
436 
437 	case CKM_ECDSA_SHA1:
438 
439 		return (soft_ecc_digest_sign_common(session_p, NULL, 0,
440 		    pSignature, pulSignatureLen, B_TRUE));
441 
442 	default:
443 		/* PKCS11: The mechanism only supports single-part operation. */
444 		return (CKR_MECHANISM_INVALID);
445 	}
446 }
447 
448 
449 CK_RV
450 soft_sign_recover_init(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
451     soft_object_t *key_p)
452 {
453 
454 	switch (pMechanism->mechanism) {
455 
456 	case CKM_RSA_X_509:
457 	case CKM_RSA_PKCS:
458 
459 		return (soft_rsa_sign_verify_init_common(session_p, pMechanism,
460 		    key_p, B_TRUE));
461 
462 	default:
463 		return (CKR_MECHANISM_INVALID);
464 	}
465 }
466 
467 
468 CK_RV
469 soft_sign_recover(soft_session_t *session_p, CK_BYTE_PTR pData,
470     CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
471     CK_ULONG_PTR pulSignatureLen)
472 {
473 
474 	CK_MECHANISM_TYPE mechanism = session_p->sign.mech.mechanism;
475 
476 	switch (mechanism) {
477 
478 	case CKM_RSA_X_509:
479 	case CKM_RSA_PKCS:
480 
481 		return (soft_rsa_sign_common(session_p, pData, ulDataLen,
482 		    pSignature, pulSignatureLen, mechanism));
483 
484 	default:
485 		return (CKR_MECHANISM_INVALID);
486 	}
487 }
488 
489 /*
490  * This function frees the allocated active crypto context.
491  * It is only called by the first tier of sign/verify routines
492  * and the caller of this function may or may not hold the session mutex.
493  */
494 void
495 soft_sign_verify_cleanup(soft_session_t *session_p, boolean_t sign,
496     boolean_t lock_held)
497 {
498 
499 	crypto_active_op_t *active_op;
500 	boolean_t lock_true = B_TRUE;
501 
502 	if (!lock_held)
503 		(void) pthread_mutex_lock(&session_p->session_mutex);
504 
505 	active_op = (sign) ? &(session_p->sign) : &(session_p->verify);
506 
507 	switch (active_op->mech.mechanism) {
508 
509 	case CKM_MD5_RSA_PKCS:
510 	case CKM_SHA1_RSA_PKCS:
511 	case CKM_SHA256_RSA_PKCS:
512 	case CKM_SHA384_RSA_PKCS:
513 	case CKM_SHA512_RSA_PKCS:
514 		if (session_p->digest.context != NULL) {
515 			free(session_p->digest.context);
516 			session_p->digest.context = NULL;
517 			session_p->digest.flags = 0;
518 		}
519 		/* FALLTHRU */
520 
521 	case CKM_RSA_PKCS:
522 	case CKM_RSA_X_509:
523 	{
524 		soft_rsa_ctx_t *rsa_ctx =
525 		    (soft_rsa_ctx_t *)active_op->context;
526 
527 		if (rsa_ctx != NULL && rsa_ctx->key != NULL) {
528 			soft_cleanup_object(rsa_ctx->key);
529 			free(rsa_ctx->key);
530 		}
531 		break;
532 
533 	}
534 	case CKM_DSA_SHA1:
535 		if (session_p->digest.context != NULL) {
536 			free(session_p->digest.context);
537 			session_p->digest.context = NULL;
538 			session_p->digest.flags = 0;
539 		}
540 
541 		/* FALLTHRU */
542 	case CKM_DSA:
543 	{
544 		soft_dsa_ctx_t *dsa_ctx =
545 		    (soft_dsa_ctx_t *)active_op->context;
546 
547 		if (dsa_ctx != NULL && dsa_ctx->key != NULL) {
548 			soft_cleanup_object(dsa_ctx->key);
549 			free(dsa_ctx->key);
550 		}
551 		break;
552 
553 	}
554 	case CKM_SSL3_MD5_MAC:
555 	case CKM_SSL3_SHA1_MAC:
556 	case CKM_MD5_HMAC_GENERAL:
557 	case CKM_MD5_HMAC:
558 	case CKM_SHA_1_HMAC_GENERAL:
559 	case CKM_SHA_1_HMAC:
560 	case CKM_SHA256_HMAC_GENERAL:
561 	case CKM_SHA256_HMAC:
562 	case CKM_SHA384_HMAC_GENERAL:
563 	case CKM_SHA384_HMAC:
564 	case CKM_SHA512_HMAC_GENERAL:
565 	case CKM_SHA512_HMAC:
566 		if (active_op->context != NULL) {
567 			explicit_bzero(active_op->context,
568 			    sizeof (soft_hmac_ctx_t));
569 		}
570 		break;
571 	case CKM_DES_MAC_GENERAL:
572 	case CKM_DES_MAC:
573 		if (session_p->encrypt.context != NULL) {
574 			free(session_p->encrypt.context);
575 			session_p->encrypt.context = NULL;
576 			session_p->encrypt.flags = 0;
577 		}
578 		if (active_op->context != NULL) {
579 			explicit_bzero(active_op->context,
580 			    sizeof (soft_des_ctx_t));
581 		}
582 		break;
583 
584 	case CKM_AES_CMAC_GENERAL:
585 	case CKM_AES_CMAC:
586 		if (session_p->encrypt.context != NULL) {
587 			soft_aes_free_ctx(session_p->encrypt.context);
588 			session_p->encrypt.context = NULL;
589 			session_p->encrypt.flags = 0;
590 		}
591 		if (active_op->context != NULL) {
592 			explicit_bzero(active_op->context,
593 			    sizeof (soft_aes_sign_ctx_t));
594 		}
595 		break;
596 
597 	}
598 
599 	if (active_op->context != NULL) {
600 		free(active_op->context);
601 		active_op->context = NULL;
602 	}
603 
604 	active_op->flags = 0;
605 
606 	if (!lock_held)
607 		SES_REFRELE(session_p, lock_true);
608 }
609