xref: /illumos-gate/usr/src/uts/common/gssapi/mechs/krb5/crypto/encrypt.c (revision 297a2ad14ba0591f210adbe7bb5c9f70af7fe56a)
1 /*
2  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 #pragma ident	"%Z%%M%	%I%	%E% SMI"
6 
7 /*
8  * Copyright (C) 1998 by the FundsXpress, INC.
9  *
10  * All rights reserved.
11  *
12  * Export of this software from the United States of America may require
13  * a specific license from the United States Government.  It is the
14  * responsibility of any person or organization contemplating export to
15  * obtain such a license before exporting.
16  *
17  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
18  * distribute this software and its documentation for any purpose and
19  * without fee is hereby granted, provided that the above copyright
20  * notice appear in all copies and that both that copyright notice and
21  * this permission notice appear in supporting documentation, and that
22  * the name of FundsXpress. not be used in advertising or publicity pertaining
23  * to distribution of the software without specific, written prior
24  * permission.  FundsXpress makes no representations about the suitability of
25  * this software for any purpose.  It is provided "as is" without express
26  * or implied warranty.
27  *
28  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
29  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
30  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
31  */
32 
33 #include <k5-int.h>
34 #include <etypes.h>
35 
36 
37 #ifdef _KERNEL
38 krb5_error_code
39 update_key_template(krb5_keyblock *key)
40 {
41 	crypto_mechanism_t kef_mech;
42 	int rv = 0;
43 	krb5_error_code ret = 0;
44 
45 	KRB5_LOG0(KRB5_INFO, "update_key_template()");
46 	if (key == NULL)
47 		return (ret);
48 
49 	/*
50 	 * Preallocate the crypto_key_t records
51 	 * needed by the kernel crypto calls later.
52 	 */
53 	kef_mech.cm_type = key->kef_mt;
54 	kef_mech.cm_param = NULL;
55 	kef_mech.cm_param_len = 0;
56 	/*
57 	 * Create an template to improve HMAC performance later.
58 	 */
59 	rv = crypto_create_ctx_template(&kef_mech,
60 					&key->kef_key,
61 					&key->key_tmpl,
62 					KM_SLEEP);
63 	if (rv != CRYPTO_SUCCESS) {
64 		/*
65                  * Some mechs don't support context templates
66 		 */
67                 if (rv == CRYPTO_NOT_SUPPORTED) {
68 			ret = 0;
69 			key->key_tmpl = NULL;
70 		} else {
71 			KRB5_LOG(KRB5_ERR,"crypto_create_ctx_template "
72 				"error: %0x", rv);
73 			ret = KRB5_KEF_ERROR;
74 		}
75 	}
76 	return (ret);
77 }
78 /*
79  * initialize the KEF components of the krb5_keyblock record.
80  */
81 krb5_error_code
82 init_key_kef(crypto_mech_type_t mech_type, krb5_keyblock *key)
83 {
84 	krb5_error_code rv = 0;
85 
86 	KRB5_LOG0(KRB5_INFO, "init_key_kef()");
87 	if (key == NULL)
88 		return (rv);
89 
90 	if (key->kef_key.ck_data == NULL) {
91 		key->kef_key.ck_data = key->contents;
92 	}
93 
94 	/* kef keys are measured in bits */
95 	key->kef_key.ck_length = key->length * 8;
96 	key->kef_key.ck_format = CRYPTO_KEY_RAW;
97 	key->kef_mt = mech_type;
98 
99 	if (key->key_tmpl == NULL && mech_type != CRYPTO_MECH_INVALID) {
100 		rv = update_key_template(key);
101 	}
102 	return(rv);
103 }
104 #else
105 
106 /*
107  * init_key_uef
108  *  Initialize the Userland Encryption Framework fields of the
109  *  key block.
110  */
111 krb5_error_code
112 init_key_uef(CK_SESSION_HANDLE hSession, krb5_keyblock *key)
113 {
114         CK_RV rv = CKR_OK;
115         CK_MECHANISM mechanism;
116         CK_OBJECT_CLASS class = CKO_SECRET_KEY;
117         CK_KEY_TYPE keyType;
118         CK_BBOOL true = TRUE, false =  FALSE;
119         CK_ATTRIBUTE template[6];
120 
121 	/* If its already initialized, return OK */
122 	/*
123 	 * fork safety: if the key->pid != __krb5_current_pid then a fork has
124 	 * taken place and the pkcs11 key handle must be re-acquired.
125 	 */
126 	if ((key->hKey != CK_INVALID_HANDLE) &&
127 	    (key->pid == __krb5_current_pid))
128 		return (rv);
129 
130 	/* fork safety */
131 	key->pid = __krb5_current_pid;
132 
133 	if ((rv = get_key_type(key->enctype, &keyType)) != CKR_OK) {
134                 KRB5_LOG0(KRB5_ERR, "failure to get key type in function "
135                 "init_key_uef.");
136                 return (PKCS_ERR);
137         }
138 
139         template[0].type = CKA_CLASS;
140         template[0].pValue = &class;
141         template[0].ulValueLen = sizeof (class);
142         template[1].type = CKA_KEY_TYPE;
143         template[1].pValue = &keyType;
144         template[1].ulValueLen = sizeof (keyType);
145         template[2].type = CKA_TOKEN;
146         template[2].pValue = &false;
147         template[2].ulValueLen = sizeof (false);
148         template[3].type = CKA_ENCRYPT;
149         template[3].pValue = &true;
150         template[3].ulValueLen = sizeof (true);
151         template[4].type = CKA_DECRYPT;
152         template[4].pValue = &true;
153         template[4].ulValueLen = sizeof (true);
154         template[5].type = CKA_VALUE;
155         template[5].pValue = key->contents;
156         template[5].ulValueLen = key->length;
157 
158         /* Create an object handle for the key */
159         if ((rv = C_CreateObject(hSession, template,
160                 sizeof(template)/sizeof(CK_ATTRIBUTE),
161                 &key->hKey)) != CKR_OK) {
162 
163                 KRB5_LOG(KRB5_ERR, "C_CreateObject failed in "
164                 	"init_key_uef: rv = 0x%x.", rv);
165 		rv = PKCS_ERR;
166         }
167 
168         return (rv);
169 
170 }
171 
172 #endif /* _KERNEL */
173 
174 /*ARGSUSED*/
175 krb5_error_code KRB5_CALLCONV
176 krb5_c_encrypt(krb5_context context, const krb5_keyblock *key,
177 	    krb5_keyusage usage, const krb5_data *ivec,
178 	    const krb5_data *input, krb5_enc_data *output)
179 {
180     krb5_error_code ret;
181     int i;
182 
183     KRB5_LOG(KRB5_INFO, "krb5_c_encrypt start etype = %d", key->enctype);
184     for (i=0; i<krb5_enctypes_length; i++) {
185 	if (krb5_enctypes_list[i].etype == key->enctype)
186 	    break;
187     }
188 
189     if (i == krb5_enctypes_length)
190 	return(KRB5_BAD_ENCTYPE);
191 
192     output->magic = KV5M_ENC_DATA;
193     output->kvno = 0;
194     output->enctype = key->enctype;
195 
196 #ifdef _KERNEL
197     context->kef_cipher_mt = krb5_enctypes_list[i].kef_cipher_mt;
198     context->kef_hash_mt = krb5_enctypes_list[i].kef_hash_mt;
199     if (key->kef_key.ck_data == NULL) {
200 	if ((ret = init_key_kef(context->kef_cipher_mt,
201 			    (krb5_keyblock *)key)))
202 	    	return(ret);
203     }
204 #else
205     if ((ret = init_key_uef(krb_ctx_hSession(context), (krb5_keyblock *)key)))
206 	return (ret);
207 
208 #endif /* _KERNEL */
209 
210     KRB5_LOG0(KRB5_INFO, "krb5_c_encrypt calling encrypt.");
211     return((*(krb5_enctypes_list[i].encrypt))
212 	   (context, krb5_enctypes_list[i].enc, krb5_enctypes_list[i].hash,
213 	    key, usage, ivec, input, &output->ciphertext));
214 }
215