xref: /illumos-gate/usr/src/lib/pkcs11/pkcs11_softtoken/common/softSignUtil.c (revision 88e55da9244bc48e3b3ad957a29e4be71309adcd)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
25  */
26 
27 #include <stdlib.h>
28 #include <strings.h>
29 #include <sys/types.h>
30 #include <security/cryptoki.h>
31 #include "softObject.h"
32 #include "softOps.h"
33 #include "softSession.h"
34 #include "softMAC.h"
35 #include "softRSA.h"
36 #include "softDSA.h"
37 #include "softEC.h"
38 #include "softCrypt.h"
39 
40 /*
41  * soft_sign_init()
42  *
43  * Arguments:
44  *	session_p:	pointer to soft_session_t struct
45  *	pMechanism:	pointer to CK_MECHANISM struct provided by application
46  *	key_p:		pointer to key soft_object_t struct
47  *
48  * Description:
49  *	called by C_SignInit(). This function calls the corresponding
50  *	sign init routine based on the mechanism.
51  *
52  */
53 CK_RV
54 soft_sign_init(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
55     soft_object_t *key_p)
56 {
57 
58 	switch (pMechanism->mechanism) {
59 
60 	case CKM_SSL3_MD5_MAC:
61 	case CKM_SSL3_SHA1_MAC:
62 	case CKM_MD5_HMAC_GENERAL:
63 	case CKM_MD5_HMAC:
64 	case CKM_SHA_1_HMAC_GENERAL:
65 	case CKM_SHA_1_HMAC:
66 	case CKM_SHA256_HMAC_GENERAL:
67 	case CKM_SHA256_HMAC:
68 	case CKM_SHA384_HMAC_GENERAL:
69 	case CKM_SHA384_HMAC:
70 	case CKM_SHA512_HMAC_GENERAL:
71 	case CKM_SHA512_HMAC:
72 
73 		return (soft_hmac_sign_verify_init_common(session_p,
74 		    pMechanism, key_p, B_TRUE));
75 
76 	case CKM_RSA_X_509:
77 	case CKM_RSA_PKCS:
78 	case CKM_MD5_RSA_PKCS:
79 	case CKM_SHA1_RSA_PKCS:
80 	case CKM_SHA256_RSA_PKCS:
81 	case CKM_SHA384_RSA_PKCS:
82 	case CKM_SHA512_RSA_PKCS:
83 
84 		return (soft_rsa_sign_verify_init_common(session_p, pMechanism,
85 		    key_p, B_TRUE));
86 
87 	case CKM_DSA:
88 	case CKM_DSA_SHA1:
89 
90 		return (soft_dsa_sign_verify_init_common(session_p, pMechanism,
91 		    key_p, B_TRUE));
92 
93 	case CKM_ECDSA:
94 	case CKM_ECDSA_SHA1:
95 
96 		return (soft_ecc_sign_verify_init_common(session_p, pMechanism,
97 		    key_p, B_TRUE));
98 
99 	case CKM_DES_MAC_GENERAL:
100 	case CKM_DES_MAC:
101 
102 		return (soft_des_sign_verify_init_common(session_p, pMechanism,
103 		    key_p, B_TRUE));
104 
105 	case CKM_AES_CMAC_GENERAL:
106 	case CKM_AES_CMAC:
107 
108 		return (soft_aes_sign_verify_init_common(session_p, pMechanism,
109 		    key_p, B_TRUE));
110 
111 	default:
112 		return (CKR_MECHANISM_INVALID);
113 	}
114 
115 }
116 
117 
118 /*
119  * soft_sign()
120  *
121  * Arguments:
122  *      session_p:	pointer to soft_session_t struct
123  *	pData:		pointer to the input data to be signed
124  *	ulDataLen:	length of the input data
125  *	pSignature:	pointer to the signature after signing
126  *	pulSignatureLen: pointer to the length of the signature
127  *
128  * Description:
129  *      called by C_Sign(). This function calls the corresponding
130  *	sign routine based on the mechanism.
131  *
132  */
133 CK_RV
134 soft_sign(soft_session_t *session_p, CK_BYTE_PTR pData,
135     CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
136     CK_ULONG_PTR pulSignatureLen)
137 {
138 
139 	CK_MECHANISM_TYPE mechanism = session_p->sign.mech.mechanism;
140 	CK_RV rv = CKR_OK;
141 
142 	switch (mechanism) {
143 
144 	case CKM_SSL3_MD5_MAC:
145 	case CKM_SSL3_SHA1_MAC:
146 	case CKM_MD5_HMAC_GENERAL:
147 	case CKM_MD5_HMAC:
148 	case CKM_SHA_1_HMAC_GENERAL:
149 	case CKM_SHA_1_HMAC:
150 	case CKM_SHA256_HMAC_GENERAL:
151 	case CKM_SHA256_HMAC:
152 	case CKM_SHA384_HMAC_GENERAL:
153 	case CKM_SHA384_HMAC:
154 	case CKM_SHA512_HMAC_GENERAL:
155 	case CKM_SHA512_HMAC:
156 	{
157 		CK_BYTE hmac[SHA512_DIGEST_LENGTH]; /* use the maximum size */
158 
159 		if (pSignature != NULL) {
160 			/* Pass local buffer to avoid overflow. */
161 			rv = soft_hmac_sign_verify_common(session_p, pData,
162 			    ulDataLen, hmac, pulSignatureLen, B_TRUE);
163 		} else {
164 			/* Pass original pSignature, let callee to handle it. */
165 			rv = soft_hmac_sign_verify_common(session_p, pData,
166 			    ulDataLen, pSignature, pulSignatureLen, B_TRUE);
167 		}
168 
169 		if ((rv == CKR_OK) && (pSignature != NULL))
170 			(void) memcpy(pSignature, hmac, *pulSignatureLen);
171 
172 		return (rv);
173 	}
174 	case CKM_DES_MAC_GENERAL:
175 	case CKM_DES_MAC:
176 	{
177 		CK_BYTE signature[DES_BLOCK_LEN]; /* use the maximum size */
178 
179 		if (pSignature != NULL) {
180 			/* Pass local buffer to avoid overflow. */
181 			rv = soft_des_sign_verify_common(session_p, pData,
182 			    ulDataLen, signature, pulSignatureLen, B_TRUE,
183 			    B_FALSE);
184 		} else {
185 			/* Pass NULL, let callee to handle it. */
186 			rv = soft_des_sign_verify_common(session_p, pData,
187 			    ulDataLen, NULL, pulSignatureLen, B_TRUE, B_FALSE);
188 		}
189 
190 		if ((rv == CKR_OK) && (pSignature != NULL))
191 			(void) memcpy(pSignature, signature, *pulSignatureLen);
192 
193 		return (rv);
194 	}
195 	case CKM_AES_CMAC_GENERAL:
196 	case CKM_AES_CMAC:
197 	{
198 		CK_BYTE signature[AES_BLOCK_LEN];
199 
200 		if (pSignature != NULL) {
201 			/* Pass local buffer to avoid overflow. */
202 			rv = soft_aes_sign_verify_common(session_p, pData,
203 			    ulDataLen, signature, pulSignatureLen, B_TRUE,
204 			    B_FALSE);
205 		} else {
206 			/* Pass NULL, let callee handle it. */
207 			rv = soft_aes_sign_verify_common(session_p, pData,
208 			    ulDataLen, NULL, pulSignatureLen, B_TRUE, B_FALSE);
209 		}
210 
211 		if ((rv == CKR_OK) && (pSignature != NULL))
212 			(void) memcpy(pSignature, signature, *pulSignatureLen);
213 
214 		return (rv);
215 	}
216 	case CKM_RSA_X_509:
217 	case CKM_RSA_PKCS:
218 
219 		return (soft_rsa_sign_common(session_p, pData, ulDataLen,
220 		    pSignature, pulSignatureLen, mechanism));
221 
222 	case CKM_MD5_RSA_PKCS:
223 	case CKM_SHA1_RSA_PKCS:
224 	case CKM_SHA256_RSA_PKCS:
225 	case CKM_SHA384_RSA_PKCS:
226 	case CKM_SHA512_RSA_PKCS:
227 
228 		return (soft_rsa_digest_sign_common(session_p, pData, ulDataLen,
229 		    pSignature, pulSignatureLen, mechanism, B_FALSE));
230 
231 	case CKM_DSA:
232 
233 		return (soft_dsa_sign(session_p, pData, ulDataLen,
234 		    pSignature, pulSignatureLen));
235 
236 	case CKM_DSA_SHA1:
237 
238 		return (soft_dsa_digest_sign_common(session_p, pData, ulDataLen,
239 		    pSignature, pulSignatureLen, B_FALSE));
240 
241 	case CKM_ECDSA:
242 
243 		return (soft_ecc_sign(session_p, pData, ulDataLen,
244 		    pSignature, pulSignatureLen));
245 
246 	case CKM_ECDSA_SHA1:
247 
248 		return (soft_ecc_digest_sign_common(session_p, pData, ulDataLen,
249 		    pSignature, pulSignatureLen, B_FALSE));
250 
251 	default:
252 		return (CKR_MECHANISM_INVALID);
253 	}
254 }
255 
256 
257 /*
258  * soft_sign_update()
259  *
260  * Arguments:
261  *      session_p:	pointer to soft_session_t struct
262  *      pPart:		pointer to the input data to be signed
263  *      ulPartLen:	length of the input data
264  *
265  * Description:
266  *      called by C_SignUpdate(). This function calls the corresponding
267  *	sign update routine based on the mechanism.
268  *
269  */
270 CK_RV
271 soft_sign_update(soft_session_t *session_p, CK_BYTE_PTR pPart,
272     CK_ULONG ulPartLen)
273 {
274 	CK_MECHANISM_TYPE	mechanism = session_p->sign.mech.mechanism;
275 
276 	switch (mechanism) {
277 
278 	case CKM_SSL3_MD5_MAC:
279 	case CKM_SSL3_SHA1_MAC:
280 	case CKM_MD5_HMAC_GENERAL:
281 	case CKM_MD5_HMAC:
282 	case CKM_SHA_1_HMAC_GENERAL:
283 	case CKM_SHA_1_HMAC:
284 	case CKM_SHA256_HMAC_GENERAL:
285 	case CKM_SHA256_HMAC:
286 	case CKM_SHA384_HMAC_GENERAL:
287 	case CKM_SHA384_HMAC:
288 	case CKM_SHA512_HMAC_GENERAL:
289 	case CKM_SHA512_HMAC:
290 
291 		return (soft_hmac_sign_verify_update(session_p, pPart,
292 		    ulPartLen, B_TRUE));
293 
294 	case CKM_DES_MAC_GENERAL:
295 	case CKM_DES_MAC:
296 
297 		return (soft_des_mac_sign_verify_update(session_p, pPart,
298 		    ulPartLen));
299 
300 	case CKM_AES_CMAC_GENERAL:
301 	case CKM_AES_CMAC:
302 
303 		return (soft_aes_mac_sign_verify_update(session_p, pPart,
304 		    ulPartLen));
305 
306 	case CKM_MD5_RSA_PKCS:
307 	case CKM_SHA1_RSA_PKCS:
308 	case CKM_SHA256_RSA_PKCS:
309 	case CKM_SHA384_RSA_PKCS:
310 	case CKM_SHA512_RSA_PKCS:
311 		/*
312 		 * The MD5/SHA1 digest value is accumulated in the context
313 		 * of the multiple-part digesting operation. In the final
314 		 * operation, the digest is encoded and then perform RSA
315 		 * signing.
316 		 */
317 	case CKM_DSA_SHA1:
318 	case CKM_ECDSA_SHA1:
319 
320 		return (soft_digest_update(session_p, pPart, ulPartLen));
321 
322 	default:
323 		/* PKCS11: The mechanism only supports single-part operation. */
324 		return (CKR_MECHANISM_INVALID);
325 	}
326 }
327 
328 
329 /*
330  * soft_sign_final()
331  *
332  * Arguments:
333  *      session_p:	pointer to soft_session_t struct
334  *      pSignature:	pointer to the signature after signing
335  *      pulSignatureLen: pointer to the	length of the signature
336  *
337  * Description:
338  *      called by C_SignFinal(). This function calls the corresponding
339  *	sign final routine based on the mechanism.
340  *
341  */
342 CK_RV
343 soft_sign_final(soft_session_t *session_p, CK_BYTE_PTR pSignature,
344     CK_ULONG_PTR pulSignatureLen)
345 {
346 
347 	CK_MECHANISM_TYPE mechanism = session_p->sign.mech.mechanism;
348 	CK_RV rv = CKR_OK;
349 
350 	switch (mechanism) {
351 
352 	case CKM_SSL3_MD5_MAC:
353 	case CKM_SSL3_SHA1_MAC:
354 	case CKM_MD5_HMAC_GENERAL:
355 	case CKM_MD5_HMAC:
356 	case CKM_SHA_1_HMAC_GENERAL:
357 	case CKM_SHA_1_HMAC:
358 	case CKM_SHA256_HMAC_GENERAL:
359 	case CKM_SHA256_HMAC:
360 	case CKM_SHA384_HMAC_GENERAL:
361 	case CKM_SHA384_HMAC:
362 	case CKM_SHA512_HMAC_GENERAL:
363 	case CKM_SHA512_HMAC:
364 	{
365 		CK_BYTE hmac[SHA512_DIGEST_LENGTH]; /* use the maximum size */
366 
367 		if (pSignature != NULL) {
368 			/* Pass local buffer to avoid overflow */
369 			rv = soft_hmac_sign_verify_common(session_p, NULL,
370 			    0, hmac, pulSignatureLen, B_TRUE);
371 		} else {
372 			/* Pass original pSignature, let callee to handle it. */
373 			rv = soft_hmac_sign_verify_common(session_p, NULL,
374 			    0, pSignature, pulSignatureLen, B_TRUE);
375 		}
376 
377 		if ((rv == CKR_OK) && (pSignature != NULL))
378 			(void) memcpy(pSignature, hmac, *pulSignatureLen);
379 
380 		return (rv);
381 	}
382 	case CKM_DES_MAC_GENERAL:
383 	case CKM_DES_MAC:
384 	{
385 		CK_BYTE signature[DES_BLOCK_LEN]; /* use the maximum size */
386 
387 		if (pSignature != NULL) {
388 			/* Pass local buffer to avoid overflow. */
389 			rv = soft_des_sign_verify_common(session_p, NULL, 0,
390 			    signature, pulSignatureLen, B_TRUE, B_TRUE);
391 		} else {
392 			/* Pass NULL, let callee to handle it. */
393 			rv = soft_des_sign_verify_common(session_p, NULL, 0,
394 			    NULL, pulSignatureLen, B_TRUE, B_TRUE);
395 		}
396 
397 		if ((rv == CKR_OK) && (pSignature != NULL))
398 			(void) memcpy(pSignature, signature, *pulSignatureLen);
399 
400 		return (rv);
401 	}
402 	case CKM_AES_CMAC_GENERAL:
403 	case CKM_AES_CMAC:
404 	{
405 		CK_BYTE signature[AES_BLOCK_LEN]; /* use the maximum size */
406 
407 		if (pSignature != NULL) {
408 			/* Pass local buffer to avoid overflow. */
409 			rv = soft_aes_sign_verify_common(session_p, NULL, 0,
410 			    signature, pulSignatureLen, B_TRUE, B_TRUE);
411 		} else {
412 			/* Pass NULL, let callee handle it. */
413 			rv = soft_aes_sign_verify_common(session_p, NULL, 0,
414 			    NULL, pulSignatureLen, B_TRUE, B_TRUE);
415 		}
416 
417 		if ((rv == CKR_OK) && (pSignature != NULL))
418 			(void) memcpy(pSignature, signature, *pulSignatureLen);
419 
420 		return (rv);
421 	}
422 	case CKM_MD5_RSA_PKCS:
423 	case CKM_SHA1_RSA_PKCS:
424 	case CKM_SHA256_RSA_PKCS:
425 	case CKM_SHA384_RSA_PKCS:
426 	case CKM_SHA512_RSA_PKCS:
427 
428 		return (soft_rsa_digest_sign_common(session_p, NULL, 0,
429 		    pSignature, pulSignatureLen, mechanism, B_TRUE));
430 
431 	case CKM_DSA_SHA1:
432 
433 		return (soft_dsa_digest_sign_common(session_p, NULL, 0,
434 		    pSignature, pulSignatureLen, B_TRUE));
435 
436 	case CKM_ECDSA_SHA1:
437 
438 		return (soft_ecc_digest_sign_common(session_p, NULL, 0,
439 		    pSignature, pulSignatureLen, B_TRUE));
440 
441 	default:
442 		/* PKCS11: The mechanism only supports single-part operation. */
443 		return (CKR_MECHANISM_INVALID);
444 	}
445 }
446 
447 
448 CK_RV
449 soft_sign_recover_init(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
450     soft_object_t *key_p)
451 {
452 
453 	switch (pMechanism->mechanism) {
454 
455 	case CKM_RSA_X_509:
456 	case CKM_RSA_PKCS:
457 
458 		return (soft_rsa_sign_verify_init_common(session_p, pMechanism,
459 		    key_p, B_TRUE));
460 
461 	default:
462 		return (CKR_MECHANISM_INVALID);
463 	}
464 }
465 
466 
467 CK_RV
468 soft_sign_recover(soft_session_t *session_p, CK_BYTE_PTR pData,
469     CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
470     CK_ULONG_PTR pulSignatureLen)
471 {
472 
473 	CK_MECHANISM_TYPE mechanism = session_p->sign.mech.mechanism;
474 
475 	switch (mechanism) {
476 
477 	case CKM_RSA_X_509:
478 	case CKM_RSA_PKCS:
479 
480 		return (soft_rsa_sign_common(session_p, pData, ulDataLen,
481 		    pSignature, pulSignatureLen, mechanism));
482 
483 	default:
484 		return (CKR_MECHANISM_INVALID);
485 	}
486 }
487 
488 /*
489  * This function frees the allocated active crypto context.
490  * It is only called by the first tier of sign/verify routines
491  * and the caller of this function may or may not hold the session mutex.
492  */
493 void
494 soft_sign_verify_cleanup(soft_session_t *session_p, boolean_t sign,
495     boolean_t lock_held)
496 {
497 
498 	crypto_active_op_t *active_op;
499 	boolean_t lock_true = B_TRUE;
500 
501 	if (!lock_held)
502 		(void) pthread_mutex_lock(&session_p->session_mutex);
503 
504 	active_op = (sign) ? &(session_p->sign) : &(session_p->verify);
505 
506 	switch (active_op->mech.mechanism) {
507 
508 	case CKM_MD5_RSA_PKCS:
509 	case CKM_SHA1_RSA_PKCS:
510 	case CKM_SHA256_RSA_PKCS:
511 	case CKM_SHA384_RSA_PKCS:
512 	case CKM_SHA512_RSA_PKCS:
513 		if (session_p->digest.context != NULL) {
514 			free(session_p->digest.context);
515 			session_p->digest.context = NULL;
516 			session_p->digest.flags = 0;
517 		}
518 		/* FALLTHRU */
519 
520 	case CKM_RSA_PKCS:
521 	case CKM_RSA_X_509:
522 	{
523 		soft_rsa_ctx_t *rsa_ctx =
524 		    (soft_rsa_ctx_t *)active_op->context;
525 
526 		if (rsa_ctx != NULL && rsa_ctx->key != NULL) {
527 			soft_cleanup_object(rsa_ctx->key);
528 			free(rsa_ctx->key);
529 		}
530 		break;
531 
532 	}
533 	case CKM_DSA_SHA1:
534 		if (session_p->digest.context != NULL) {
535 			free(session_p->digest.context);
536 			session_p->digest.context = NULL;
537 			session_p->digest.flags = 0;
538 		}
539 
540 		/* FALLTHRU */
541 	case CKM_DSA:
542 	{
543 		soft_dsa_ctx_t *dsa_ctx =
544 		    (soft_dsa_ctx_t *)active_op->context;
545 
546 		if (dsa_ctx != NULL && dsa_ctx->key != NULL) {
547 			soft_cleanup_object(dsa_ctx->key);
548 			free(dsa_ctx->key);
549 		}
550 		break;
551 
552 	}
553 	case CKM_SSL3_MD5_MAC:
554 	case CKM_SSL3_SHA1_MAC:
555 	case CKM_MD5_HMAC_GENERAL:
556 	case CKM_MD5_HMAC:
557 	case CKM_SHA_1_HMAC_GENERAL:
558 	case CKM_SHA_1_HMAC:
559 	case CKM_SHA256_HMAC_GENERAL:
560 	case CKM_SHA256_HMAC:
561 	case CKM_SHA384_HMAC_GENERAL:
562 	case CKM_SHA384_HMAC:
563 	case CKM_SHA512_HMAC_GENERAL:
564 	case CKM_SHA512_HMAC:
565 		if (active_op->context != NULL)
566 			bzero(active_op->context, sizeof (soft_hmac_ctx_t));
567 		break;
568 	case CKM_DES_MAC_GENERAL:
569 	case CKM_DES_MAC:
570 		if (session_p->encrypt.context != NULL) {
571 			free(session_p->encrypt.context);
572 			session_p->encrypt.context = NULL;
573 			session_p->encrypt.flags = 0;
574 		}
575 		if (active_op->context != NULL)
576 			bzero(active_op->context, sizeof (soft_des_ctx_t));
577 		break;
578 
579 	case CKM_AES_CMAC_GENERAL:
580 	case CKM_AES_CMAC:
581 		if (session_p->encrypt.context != NULL) {
582 			free(session_p->encrypt.context);
583 			session_p->encrypt.context = NULL;
584 			session_p->encrypt.flags = 0;
585 		}
586 		if (active_op->context != NULL)
587 			bzero(active_op->context, sizeof (soft_aes_ctx_t));
588 		break;
589 
590 	}
591 
592 	if (active_op->context != NULL) {
593 		free(active_op->context);
594 		active_op->context = NULL;
595 	}
596 
597 	active_op->flags = 0;
598 
599 	if (!lock_held)
600 		SES_REFRELE(session_p, lock_true);
601 }
602