1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 #include <pthread.h> 30 #include <stdlib.h> 31 #include <string.h> 32 #include <strings.h> 33 #include <sys/types.h> 34 #include <security/cryptoki.h> 35 #include <aes_impl.h> 36 #include <blowfish_impl.h> 37 #include <des_impl.h> 38 #include <arcfour.h> 39 #include "softGlobal.h" 40 #include "softSession.h" 41 #include "softObject.h" 42 #include "softDSA.h" 43 #include "softRSA.h" 44 #include "softDH.h" 45 #include "softRandom.h" 46 #include "softMAC.h" 47 #include "softOps.h" 48 #include "softKeys.h" 49 #include "softKeystore.h" 50 #include "softSSL.h" 51 #include "softASN1.h" 52 53 54 #define local_min(a, b) ((a) < (b) ? (a) : (b)) 55 56 static CK_RV 57 soft_pkcs12_pbe(soft_session_t *, CK_MECHANISM_PTR, soft_object_t *); 58 59 /* 60 * Create a temporary key object struct by filling up its template attributes. 61 */ 62 CK_RV 63 soft_gen_keyobject(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, 64 CK_ULONG *objecthandle_p, soft_session_t *sp, 65 CK_OBJECT_CLASS class, CK_KEY_TYPE key_type, CK_ULONG keylen, CK_ULONG mode, 66 boolean_t internal) 67 { 68 69 CK_RV rv; 70 soft_object_t *new_objp = NULL; 71 72 new_objp = calloc(1, sizeof (soft_object_t)); 73 if (new_objp == NULL) { 74 return (CKR_HOST_MEMORY); 75 } 76 77 new_objp->extra_attrlistp = NULL; 78 79 /* 80 * Validate attribute template and fill in the attributes 81 * in the soft_object_t. 82 */ 83 rv = soft_build_key(pTemplate, ulCount, new_objp, class, key_type, 84 keylen, mode); 85 if (rv != CKR_OK) { 86 goto fail_cleanup1; 87 } 88 89 /* 90 * If generating a key is an internal request (i.e. not a C_XXX 91 * API request), then skip the following checks. 92 */ 93 if (!internal) { 94 rv = soft_pin_expired_check(new_objp); 95 if (rv != CKR_OK) { 96 goto fail_cleanup2; 97 } 98 99 rv = soft_object_write_access_check(sp, new_objp); 100 if (rv != CKR_OK) { 101 goto fail_cleanup2; 102 } 103 } 104 105 /* Initialize the rest of stuffs in soft_object_t. */ 106 (void) pthread_mutex_init(&new_objp->object_mutex, NULL); 107 new_objp->magic_marker = SOFTTOKEN_OBJECT_MAGIC; 108 109 /* Write the new token object to the keystore */ 110 if (IS_TOKEN_OBJECT(new_objp)) { 111 new_objp->version = 1; 112 new_objp->session_handle = (CK_SESSION_HANDLE)NULL; 113 soft_add_token_object_to_slot(new_objp); 114 /* 115 * Type casting the address of an object struct to 116 * an object handle. 117 */ 118 *objecthandle_p = (CK_ULONG)new_objp; 119 120 return (CKR_OK); 121 } 122 123 new_objp->session_handle = (CK_SESSION_HANDLE)sp; 124 125 /* Add the new object to the session's object list. */ 126 soft_add_object_to_session(new_objp, sp); 127 128 /* Type casting the address of an object struct to an object handle. */ 129 *objecthandle_p = (CK_ULONG)new_objp; 130 131 return (CKR_OK); 132 133 fail_cleanup2: 134 /* 135 * When any error occurs after soft_build_key(), we will need to 136 * clean up the memory allocated by the soft_build_key(). 137 */ 138 soft_cleanup_object(new_objp); 139 140 fail_cleanup1: 141 if (new_objp) { 142 /* 143 * The storage allocated inside of this object should have 144 * been cleaned up by the soft_build_key() if it failed. 145 * Therefore, we can safely free the object. 146 */ 147 free(new_objp); 148 } 149 150 return (rv); 151 } 152 153 CK_RV 154 soft_genkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 155 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey) 156 { 157 158 CK_RV rv = CKR_OK; 159 soft_object_t *secret_key; 160 CK_KEY_TYPE key_type; 161 CK_ULONG keylen = 0; 162 CK_ULONG i; 163 int des_strength = 0; 164 int retry = 0; 165 int keyfound = 0; 166 boolean_t is_ssl_mech = B_FALSE; 167 168 switch (pMechanism->mechanism) { 169 case CKM_DES_KEY_GEN: 170 key_type = CKK_DES; 171 break; 172 173 case CKM_DES3_KEY_GEN: 174 key_type = CKK_DES3; 175 break; 176 177 case CKM_AES_KEY_GEN: 178 key_type = CKK_AES; 179 break; 180 181 case CKM_BLOWFISH_KEY_GEN: 182 key_type = CKK_BLOWFISH; 183 break; 184 185 case CKM_RC4_KEY_GEN: 186 key_type = CKK_RC4; 187 break; 188 189 case CKM_SSL3_PRE_MASTER_KEY_GEN: 190 case CKM_TLS_PRE_MASTER_KEY_GEN: 191 if (pMechanism->pParameter == NULL || 192 pMechanism->ulParameterLen != sizeof (CK_VERSION)) 193 return (CKR_TEMPLATE_INCOMPLETE); 194 is_ssl_mech = B_TRUE; 195 key_type = CKK_GENERIC_SECRET; 196 keylen = 48; 197 break; 198 199 case CKM_PKCS5_PBKD2: 200 keyfound = 0; 201 for (i = 0; i < ulCount && !keyfound; i++) { 202 if (pTemplate[i].type == CKA_KEY_TYPE && 203 pTemplate[i].pValue != NULL) { 204 key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue); 205 keyfound = 1; 206 } 207 } 208 if (!keyfound) 209 return (CKR_TEMPLATE_INCOMPLETE); 210 /* 211 * Make sure that parameters were given for this 212 * mechanism. 213 */ 214 if (pMechanism->pParameter == NULL || 215 pMechanism->ulParameterLen != 216 sizeof (CK_PKCS5_PBKD2_PARAMS)) 217 return (CKR_TEMPLATE_INCOMPLETE); 218 break; 219 220 case CKM_PBE_SHA1_RC4_128: 221 keyfound = 0; 222 for (i = 0; i < ulCount; i++) { 223 if (pTemplate[i].type == CKA_KEY_TYPE && 224 pTemplate[i].pValue != NULL) { 225 key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue); 226 keyfound = 1; 227 } 228 if (pTemplate[i].type == CKA_VALUE_LEN && 229 pTemplate[i].pValue != NULL) { 230 keylen = *((CK_ULONG*)pTemplate[i].pValue); 231 } 232 } 233 /* If a keytype was specified, it had better be CKK_RC4 */ 234 if (keyfound && key_type != CKK_RC4) 235 return (CKR_TEMPLATE_INCONSISTENT); 236 else if (!keyfound) 237 key_type = CKK_RC4; 238 239 /* If key length was specified, it better be 16 bytes */ 240 if (keylen != 0 && keylen != 16) 241 return (CKR_TEMPLATE_INCONSISTENT); 242 243 /* 244 * Make sure that parameters were given for this 245 * mechanism. 246 */ 247 if (pMechanism->pParameter == NULL || 248 pMechanism->ulParameterLen != 249 sizeof (CK_PBE_PARAMS)) 250 return (CKR_TEMPLATE_INCOMPLETE); 251 break; 252 default: 253 return (CKR_MECHANISM_INVALID); 254 } 255 256 /* Create a new object for secret key. */ 257 rv = soft_gen_keyobject(pTemplate, ulCount, phKey, session_p, 258 CKO_SECRET_KEY, key_type, keylen, SOFT_GEN_KEY, B_FALSE); 259 260 if (rv != CKR_OK) { 261 return (rv); 262 } 263 264 /* Obtain the secret object pointer. */ 265 secret_key = (soft_object_t *)*phKey; 266 267 switch (pMechanism->mechanism) { 268 case CKM_DES_KEY_GEN: 269 /* 270 * Set up key value len since it is not a required 271 * attribute for C_GenerateKey. 272 */ 273 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE; 274 des_strength = DES; 275 break; 276 277 case CKM_DES3_KEY_GEN: 278 /* 279 * Set up key value len since it is not a required 280 * attribute for C_GenerateKey. 281 */ 282 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE; 283 des_strength = DES3; 284 break; 285 286 case CKM_SSL3_PRE_MASTER_KEY_GEN: 287 case CKM_TLS_PRE_MASTER_KEY_GEN: 288 secret_key->bool_attr_mask |= DERIVE_BOOL_ON; 289 /* FALLTHRU */ 290 291 case CKM_AES_KEY_GEN: 292 case CKM_BLOWFISH_KEY_GEN: 293 case CKM_PBE_SHA1_RC4_128: 294 case CKM_RC4_KEY_GEN: 295 keylen = OBJ_SEC_VALUE_LEN(secret_key); 296 break; 297 298 case CKM_PKCS5_PBKD2: 299 /* 300 * PKCS#11 does not allow one to specify key 301 * sizes for DES and 3DES, so we must set it here 302 * when using PBKD2 algorithms. 303 */ 304 if (key_type == CKK_DES) { 305 OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE; 306 des_strength = DES; 307 } else if (key_type == CKK_DES3) { 308 OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE; 309 des_strength = DES3; 310 } 311 312 keylen = OBJ_SEC_VALUE_LEN(secret_key); 313 break; 314 } 315 316 if ((OBJ_SEC_VALUE(secret_key) = malloc(keylen)) == NULL) { 317 if (IS_TOKEN_OBJECT(secret_key)) 318 soft_delete_token_object(secret_key, B_FALSE, B_FALSE); 319 else 320 soft_delete_object(session_p, secret_key, B_FALSE); 321 322 return (CKR_HOST_MEMORY); 323 } 324 switch (pMechanism->mechanism) { 325 case CKM_PBE_SHA1_RC4_128: 326 /* 327 * Use the PBE algorithm described in PKCS#11 section 328 * 12.33 to derive the key. 329 */ 330 rv = soft_pkcs12_pbe(session_p, pMechanism, secret_key); 331 break; 332 case CKM_PKCS5_PBKD2: 333 /* Generate keys using PKCS#5 PBKD2 algorithm */ 334 rv = soft_generate_pkcs5_pbkdf2_key(session_p, pMechanism, 335 secret_key); 336 if (rv == CKR_OK && des_strength > 0) { 337 /* Perform weak key checking for DES and DES3. */ 338 if (des_keycheck(OBJ_SEC_VALUE(secret_key), 339 des_strength, OBJ_SEC_VALUE(secret_key)) == 340 B_FALSE) { 341 /* We got a weak secret key. */ 342 rv = CKR_FUNCTION_FAILED; 343 } 344 } 345 break; 346 default: 347 do { 348 rv = soft_random_generator( 349 OBJ_SEC_VALUE(secret_key), keylen, B_FALSE); 350 351 /* If this fails, bail out */ 352 if (rv != CKR_OK) 353 break; 354 355 /* Perform weak key checking for DES and DES3. */ 356 if (des_strength > 0) { 357 rv = CKR_OK; 358 if (des_keycheck(OBJ_SEC_VALUE(secret_key), 359 des_strength, OBJ_SEC_VALUE(secret_key)) == 360 B_FALSE) { 361 /* We got a weak key, retry! */ 362 retry++; 363 rv = CKR_FUNCTION_FAILED; 364 } 365 } 366 /* 367 * Copy over the SSL client version For SSL mechs 368 * The first two bytes of the key is the version 369 */ 370 if (is_ssl_mech) 371 bcopy(pMechanism->pParameter, 372 OBJ_SEC_VALUE(secret_key), 373 sizeof (CK_VERSION)); 374 375 } while (rv != CKR_OK && retry < KEYGEN_RETRY); 376 if (retry == KEYGEN_RETRY) 377 rv = CKR_FUNCTION_FAILED; 378 break; 379 } 380 381 if (rv != CKR_OK) 382 if (IS_TOKEN_OBJECT(secret_key)) 383 soft_delete_token_object(secret_key, B_FALSE, B_FALSE); 384 else 385 soft_delete_object(session_p, secret_key, B_FALSE); 386 387 if (IS_TOKEN_OBJECT(secret_key)) { 388 /* 389 * All the info has been filled, so we can write to 390 * keystore now. 391 */ 392 rv = soft_put_object_to_keystore(secret_key); 393 if (rv != CKR_OK) 394 soft_delete_token_object(secret_key, B_FALSE, B_FALSE); 395 } 396 397 return (rv); 398 } 399 400 CK_RV 401 soft_genkey_pair(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 402 CK_ATTRIBUTE_PTR pPublicKeyTemplate, CK_ULONG ulPublicAttrCount, 403 CK_ATTRIBUTE_PTR pPrivateKeyTemplate, CK_ULONG ulPrivateAttrCount, 404 CK_OBJECT_HANDLE_PTR phPublicKey, CK_OBJECT_HANDLE_PTR phPrivateKey) 405 { 406 407 CK_RV rv; 408 soft_object_t *public_key, *private_key; 409 CK_KEY_TYPE key_type; 410 411 switch (pMechanism->mechanism) { 412 413 case CKM_RSA_PKCS_KEY_PAIR_GEN: 414 key_type = CKK_RSA; 415 break; 416 417 case CKM_DSA_KEY_PAIR_GEN: 418 key_type = CKK_DSA; 419 break; 420 421 case CKM_DH_PKCS_KEY_PAIR_GEN: 422 key_type = CKK_DH; 423 break; 424 425 default: 426 return (CKR_MECHANISM_INVALID); 427 } 428 429 /* Create a new object for public key. */ 430 rv = soft_gen_keyobject(pPublicKeyTemplate, ulPublicAttrCount, 431 phPublicKey, session_p, CKO_PUBLIC_KEY, key_type, 0, 432 SOFT_GEN_KEY, B_FALSE); 433 434 if (rv != CKR_OK) { 435 return (rv); 436 } 437 438 /* Obtain the public object pointer. */ 439 public_key = (soft_object_t *)*phPublicKey; 440 441 /* Create a new object for private key. */ 442 rv = soft_gen_keyobject(pPrivateKeyTemplate, ulPrivateAttrCount, 443 phPrivateKey, session_p, CKO_PRIVATE_KEY, key_type, 0, 444 SOFT_GEN_KEY, B_FALSE); 445 446 if (rv != CKR_OK) { 447 /* 448 * Both public key and private key must be successful. 449 */ 450 if (IS_TOKEN_OBJECT(public_key)) 451 soft_delete_token_object(public_key, B_FALSE, B_FALSE); 452 else 453 soft_delete_object(session_p, public_key, B_FALSE); 454 return (rv); 455 } 456 457 /* Obtain the private object pointer. */ 458 private_key = (soft_object_t *)*phPrivateKey; 459 460 /* 461 * At this point, both public key and private key objects 462 * are settled with the application specified attributes. 463 * We are ready to generate the rest of key attributes based 464 * on the existing attributes. 465 */ 466 467 switch (key_type) { 468 case CKK_RSA: 469 rv = soft_rsa_genkey_pair(public_key, private_key); 470 break; 471 472 case CKK_DSA: 473 rv = soft_dsa_genkey_pair(public_key, private_key); 474 break; 475 476 case CKK_DH: 477 rv = soft_dh_genkey_pair(public_key, private_key); 478 private_key->bool_attr_mask |= DERIVE_BOOL_ON; 479 break; 480 } 481 482 if (rv != CKR_OK) { 483 if (IS_TOKEN_OBJECT(public_key)) { 484 soft_delete_token_object(public_key, B_FALSE, B_FALSE); 485 soft_delete_token_object(private_key, B_FALSE, B_FALSE); 486 } else { 487 soft_delete_object(session_p, public_key, B_FALSE); 488 soft_delete_object(session_p, private_key, B_FALSE); 489 } 490 } 491 492 if (IS_TOKEN_OBJECT(public_key)) { 493 /* 494 * All the info has been filled, so we can write to 495 * keystore now. 496 */ 497 rv = soft_put_object_to_keystore(public_key); 498 if (rv != CKR_OK) { 499 soft_delete_token_object(public_key, B_FALSE, B_FALSE); 500 soft_delete_token_object(private_key, B_FALSE, B_FALSE); 501 } 502 } 503 504 if (IS_TOKEN_OBJECT(private_key)) { 505 rv = soft_put_object_to_keystore(private_key); 506 if (rv != CKR_OK) { 507 /* 508 * We also need to delete the public token object 509 * from keystore. 510 */ 511 soft_delete_token_object(public_key, B_TRUE, B_FALSE); 512 soft_delete_token_object(private_key, B_FALSE, B_FALSE); 513 } 514 } 515 516 return (rv); 517 } 518 519 520 CK_RV 521 soft_key_derive_check_length(soft_object_t *secret_key, CK_ULONG max_keylen) 522 { 523 524 switch (secret_key->key_type) { 525 case CKK_GENERIC_SECRET: 526 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) { 527 OBJ_SEC_VALUE_LEN(secret_key) = max_keylen; 528 return (CKR_OK); 529 } else if (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen) { 530 return (CKR_ATTRIBUTE_VALUE_INVALID); 531 } 532 break; 533 case CKK_RC4: 534 case CKK_AES: 535 case CKK_BLOWFISH: 536 if ((OBJ_SEC_VALUE_LEN(secret_key) == 0) || 537 (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen)) { 538 /* RC4 and AES has variable key length */ 539 return (CKR_ATTRIBUTE_VALUE_INVALID); 540 } 541 break; 542 case CKK_DES: 543 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) { 544 /* DES has a well-defined length */ 545 OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE; 546 return (CKR_OK); 547 } else if (OBJ_SEC_VALUE_LEN(secret_key) != DES_KEYSIZE) { 548 return (CKR_ATTRIBUTE_VALUE_INVALID); 549 } 550 break; 551 case CKK_DES2: 552 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) { 553 /* DES2 has a well-defined length */ 554 OBJ_SEC_VALUE_LEN(secret_key) = DES2_KEYSIZE; 555 return (CKR_OK); 556 } else if (OBJ_SEC_VALUE_LEN(secret_key) != DES2_KEYSIZE) { 557 return (CKR_ATTRIBUTE_VALUE_INVALID); 558 } 559 break; 560 561 default: 562 return (CKR_MECHANISM_INVALID); 563 } 564 565 return (CKR_OK); 566 } 567 568 /* 569 * PKCS#11 (12.33) says that v = 512 bits (64 bytes) for SHA1 570 * PBE methods. 571 */ 572 #define PKCS12_BUFFER_SIZE 64 573 /* 574 * PKCS#12 defines 3 different ID bytes to be used for 575 * deriving keys for different operations. 576 */ 577 #define PBE_ID_ENCRYPT 1 578 #define PBE_ID_IV 2 579 #define PBE_ID_MAC 3 580 #define PBE_CEIL(a, b) (((a)/(b)) + (((a)%(b)) > 0)) 581 582 static CK_RV 583 soft_pkcs12_pbe(soft_session_t *session_p, 584 CK_MECHANISM_PTR pMechanism, 585 soft_object_t *derived_key) 586 { 587 CK_RV rv = CKR_OK; 588 CK_PBE_PARAMS *params = pMechanism->pParameter; 589 CK_ULONG c, i, j, k; 590 CK_ULONG hashSize; 591 CK_ULONG buffSize; 592 /* 593 * Terse variable names are used to make following 594 * the PKCS#12 spec easier. 595 */ 596 CK_BYTE *A = NULL; 597 CK_BYTE *Ai = NULL; 598 CK_BYTE *B = NULL; 599 CK_BYTE *D = NULL; 600 CK_BYTE *I = NULL, *S, *P; 601 CK_BYTE *keybuf = NULL; 602 CK_ULONG Alen, Ilen, Slen, Plen, AiLen, Blen, Dlen; 603 CK_ULONG keysize = OBJ_SEC_VALUE_LEN(derived_key); 604 CK_MECHANISM digest_mech; 605 606 /* U = hash function output bits */ 607 if (pMechanism->mechanism == CKM_PBE_SHA1_RC4_128) { 608 hashSize = SHA1_HASH_SIZE; 609 buffSize = PKCS12_BUFFER_SIZE; 610 digest_mech.mechanism = CKM_SHA_1; 611 digest_mech.pParameter = NULL; 612 digest_mech.ulParameterLen = 0; 613 } else { 614 /* we only support 1 PBE mech for now */ 615 return (CKR_MECHANISM_INVALID); 616 } 617 keybuf = OBJ_SEC_VALUE(derived_key); 618 619 Blen = Dlen = buffSize; 620 D = (CK_BYTE *)malloc(Dlen); 621 if (D == NULL) { 622 rv = CKR_HOST_MEMORY; 623 goto cleanup; 624 } 625 626 B = (CK_BYTE *)malloc(Blen); 627 if (B == NULL) { 628 rv = CKR_HOST_MEMORY; 629 goto cleanup; 630 } 631 632 /* 633 * Initialize some values and create some buffers 634 * that we need later. 635 * 636 * Slen = buffSize * CEIL(SaltLength/buffSize) 637 */ 638 Slen = buffSize * PBE_CEIL(params->ulSaltLen, buffSize); 639 640 /* 641 * Plen = buffSize * CEIL(PasswordLength/buffSize) 642 */ 643 Plen = buffSize * PBE_CEIL(params->ulPasswordLen, buffSize); 644 645 /* 646 * From step 4: I = S + P, so: Ilen = Slen + Plen 647 */ 648 Ilen = Slen + Plen; 649 I = (CK_BYTE *)malloc(Ilen); 650 if (I == NULL) { 651 rv = CKR_HOST_MEMORY; 652 goto cleanup; 653 } 654 655 S = I; 656 P = I + Slen; 657 658 /* 659 * Step 1. 660 * We are only interested in deriving keys for encrypt/decrypt 661 * for now, so construct the "D"iversifier accordingly. 662 */ 663 (void) memset(D, PBE_ID_ENCRYPT, Dlen); 664 665 /* 666 * Step 2. 667 * Concatenate copies of the salt together to make S. 668 */ 669 for (i = 0; i < Slen; i += params->ulSaltLen) { 670 (void) memcpy(S+i, params->pSalt, 671 ((Slen - i) > params->ulSaltLen ? 672 params->ulSaltLen : (Slen - i))); 673 } 674 675 /* 676 * Step 3. 677 * Concatenate copies of the password together to make 678 * a string P. 679 */ 680 for (i = 0; i < Plen; i += params->ulPasswordLen) { 681 (void) memcpy(P+i, params->pPassword, 682 ((Plen - i) > params->ulPasswordLen ? 683 params->ulPasswordLen : (Plen - i))); 684 } 685 686 /* 687 * Step 4. 688 * I = S+P - this is now done because S and P are 689 * pointers into I. 690 * 691 * Step 5. 692 * c= CEIL[n/u] 693 * where n = pseudorandom bits of output desired. 694 */ 695 c = PBE_CEIL(keysize, hashSize); 696 697 /* 698 * Step 6. 699 */ 700 Alen = c * hashSize; 701 A = (CK_BYTE *)malloc(Alen); 702 if (A == NULL) { 703 rv = CKR_HOST_MEMORY; 704 goto cleanup; 705 } 706 AiLen = hashSize; 707 Ai = (CK_BYTE *)malloc(AiLen); 708 if (Ai == NULL) { 709 rv = CKR_HOST_MEMORY; 710 goto cleanup; 711 } 712 713 /* 714 * Step 6a. 715 * Ai = Hr(D+I) 716 */ 717 for (i = 0; i < c; i++) { 718 (void) pthread_mutex_lock(&session_p->session_mutex); 719 720 if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) { 721 (void) pthread_mutex_unlock(&session_p->session_mutex); 722 rv = CKR_OPERATION_ACTIVE; 723 goto cleanup; 724 } 725 session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE; 726 (void) pthread_mutex_unlock(&session_p->session_mutex); 727 728 for (j = 0; j < params->ulIteration; j++) { 729 rv = soft_digest_init(session_p, &digest_mech); 730 if (rv != CKR_OK) 731 goto digest_done; 732 733 if (j == 0) { 734 rv = soft_digest_update(session_p, D, 735 Dlen); 736 if (rv != CKR_OK) 737 goto digest_done; 738 739 rv = soft_digest_update(session_p, I, 740 Ilen); 741 } else { 742 rv = soft_digest_update(session_p, 743 Ai, AiLen); 744 } 745 if (rv != CKR_OK) 746 goto digest_done; 747 748 rv = soft_digest_final(session_p, Ai, &AiLen); 749 if (rv != CKR_OK) 750 goto digest_done; 751 } 752 digest_done: 753 (void) pthread_mutex_lock(&session_p->session_mutex); 754 session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE; 755 (void) pthread_mutex_unlock(&session_p->session_mutex); 756 757 if (rv != CKR_OK) 758 goto cleanup; 759 /* 760 * Step 6b. 761 * Concatenate Ai to make B 762 */ 763 for (j = 0; j < Blen; j += hashSize) { 764 (void) memcpy(B+j, Ai, ((Blen - j > hashSize) ? 765 hashSize : Blen - j)); 766 } 767 768 /* 769 * Step 6c. 770 */ 771 k = Ilen / Blen; 772 for (j = 0; j < k; j++) { 773 uchar_t idx; 774 CK_ULONG m, q = 1, cbit = 0; 775 776 for (m = Blen - 1; m >= (CK_ULONG)0; m--, q = 0) { 777 idx = m + j*Blen; 778 779 q += (CK_ULONG)I[idx] + (CK_ULONG)B[m]; 780 q += cbit; 781 I[idx] = (CK_BYTE)(q & 0xff); 782 cbit = (q > 0xff); 783 } 784 } 785 786 /* 787 * Step 7. 788 * A += Ai 789 */ 790 (void) memcpy(A + i*hashSize, Ai, AiLen); 791 } 792 793 /* 794 * Step 8. 795 * The final output of this process is the A buffer 796 */ 797 (void) memcpy(keybuf, A, keysize); 798 799 cleanup: 800 if (A) { 801 bzero(A, Alen); 802 free(A); 803 } 804 if (Ai) { 805 bzero(Ai, AiLen); 806 free(Ai); 807 } 808 if (B) { 809 bzero(B, Blen); 810 free(B); 811 } 812 if (D) { 813 bzero(D, Dlen); 814 free(D); 815 } 816 if (I) { 817 bzero(I, Ilen); 818 free(I); 819 } 820 return (rv); 821 } 822 823 CK_RV 824 soft_derivekey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 825 soft_object_t *basekey_p, CK_ATTRIBUTE_PTR pTemplate, 826 CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey) 827 { 828 829 CK_RV rv = CKR_OK; 830 soft_object_t *secret_key; 831 CK_BYTE *public_value; 832 CK_ULONG public_value_len; 833 CK_MECHANISM digest_mech; 834 CK_BYTE hash[SHA512_DIGEST_LENGTH]; /* space enough for all mechs */ 835 CK_ULONG hash_len = SHA512_DIGEST_LENGTH; 836 CK_ULONG secret_key_len; 837 CK_ULONG hash_size; 838 839 switch (pMechanism->mechanism) { 840 841 case CKM_DH_PKCS_DERIVE: 842 /* Get public value and value_len from the parameters. */ 843 public_value = (CK_BYTE *)(pMechanism->pParameter); 844 public_value_len = pMechanism->ulParameterLen; 845 846 if (phKey == NULL_PTR) 847 return (CKR_ARGUMENTS_BAD); 848 /* 849 * Create a new object for secret key. The key type should 850 * be provided in the template. 851 */ 852 rv = soft_gen_keyobject(pTemplate, ulAttributeCount, 853 phKey, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL, 0, 854 SOFT_DERIVE_KEY_DH, B_FALSE); 855 856 if (rv != CKR_OK) { 857 return (rv); 858 } 859 860 /* Obtain the secret object pointer. */ 861 secret_key = (soft_object_t *)*phKey; 862 863 rv = soft_dh_key_derive(basekey_p, secret_key, public_value, 864 public_value_len); 865 866 if (rv != CKR_OK) { 867 if (IS_TOKEN_OBJECT(secret_key)) 868 soft_delete_token_object(secret_key, B_FALSE, 869 B_FALSE); 870 else 871 soft_delete_object(session_p, secret_key, 872 B_FALSE); 873 return (rv); 874 } 875 876 break; 877 878 case CKM_SHA1_KEY_DERIVATION: 879 hash_size = SHA1_HASH_SIZE; 880 digest_mech.mechanism = CKM_SHA_1; 881 goto common; 882 883 case CKM_MD5_KEY_DERIVATION: 884 hash_size = MD5_HASH_SIZE; 885 digest_mech.mechanism = CKM_MD5; 886 goto common; 887 888 case CKM_SHA256_KEY_DERIVATION: 889 hash_size = SHA256_DIGEST_LENGTH; 890 digest_mech.mechanism = CKM_SHA256; 891 goto common; 892 893 case CKM_SHA384_KEY_DERIVATION: 894 hash_size = SHA384_DIGEST_LENGTH; 895 digest_mech.mechanism = CKM_SHA384; 896 goto common; 897 898 case CKM_SHA512_KEY_DERIVATION: 899 hash_size = SHA512_DIGEST_LENGTH; 900 digest_mech.mechanism = CKM_SHA512; 901 goto common; 902 903 common: 904 /* 905 * Create a new object for secret key. The key type is optional 906 * to be provided in the template. If it is not specified in 907 * the template, the default is CKK_GENERIC_SECRET. 908 */ 909 if (phKey == NULL_PTR) 910 return (CKR_ARGUMENTS_BAD); 911 912 rv = soft_gen_keyobject(pTemplate, ulAttributeCount, 913 phKey, session_p, CKO_SECRET_KEY, 914 (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0, 915 SOFT_DERIVE_KEY_OTHER, B_FALSE); 916 917 if (rv != CKR_OK) { 918 return (rv); 919 } 920 921 /* Obtain the secret object pointer. */ 922 secret_key = (soft_object_t *)*phKey; 923 924 /* Validate the key type and key length */ 925 rv = soft_key_derive_check_length(secret_key, hash_size); 926 if (rv != CKR_OK) { 927 if (IS_TOKEN_OBJECT(secret_key)) 928 soft_delete_token_object(secret_key, B_FALSE, 929 B_FALSE); 930 else 931 soft_delete_object(session_p, secret_key, 932 B_FALSE); 933 return (rv); 934 } 935 936 /* 937 * Derive the secret key by digesting the value of another 938 * secret key (base key) with SHA-1 or MD5. 939 */ 940 rv = soft_digest_init_internal(session_p, &digest_mech); 941 if (rv != CKR_OK) { 942 if (IS_TOKEN_OBJECT(secret_key)) 943 soft_delete_token_object(secret_key, B_FALSE, 944 B_FALSE); 945 else 946 soft_delete_object(session_p, secret_key, 947 B_FALSE); 948 return (rv); 949 } 950 951 rv = soft_digest(session_p, OBJ_SEC_VALUE(basekey_p), 952 OBJ_SEC_VALUE_LEN(basekey_p), hash, &hash_len); 953 954 (void) pthread_mutex_lock(&session_p->session_mutex); 955 /* soft_digest_common() has freed the digest context */ 956 session_p->digest.flags = 0; 957 (void) pthread_mutex_unlock(&session_p->session_mutex); 958 959 if (rv != CKR_OK) { 960 if (IS_TOKEN_OBJECT(secret_key)) 961 soft_delete_token_object(secret_key, B_FALSE, 962 B_FALSE); 963 else 964 soft_delete_object(session_p, secret_key, 965 B_FALSE); 966 return (rv); 967 } 968 969 secret_key_len = OBJ_SEC_VALUE_LEN(secret_key); 970 971 if ((OBJ_SEC_VALUE(secret_key) = malloc(secret_key_len)) == 972 NULL) { 973 if (IS_TOKEN_OBJECT(secret_key)) 974 soft_delete_token_object(secret_key, B_FALSE, 975 B_FALSE); 976 else 977 soft_delete_object(session_p, secret_key, 978 B_FALSE); 979 return (CKR_HOST_MEMORY); 980 } 981 982 /* 983 * The key produced by this mechanism will be of the 984 * specified type and length. 985 * The truncation removes extra bytes from the leading 986 * of the digested key value. 987 */ 988 (void) memcpy(OBJ_SEC_VALUE(secret_key), 989 (hash + hash_len - secret_key_len), 990 secret_key_len); 991 992 break; 993 994 /* 995 * The key sensitivity and extractability rules for the generated 996 * keys will be enforced inside soft_ssl_master_key_derive() and 997 * soft_ssl_key_and_mac_derive() 998 */ 999 case CKM_SSL3_MASTER_KEY_DERIVE: 1000 case CKM_SSL3_MASTER_KEY_DERIVE_DH: 1001 case CKM_TLS_MASTER_KEY_DERIVE: 1002 case CKM_TLS_MASTER_KEY_DERIVE_DH: 1003 if (phKey == NULL_PTR) 1004 return (CKR_ARGUMENTS_BAD); 1005 return (soft_ssl_master_key_derive(session_p, pMechanism, 1006 basekey_p, pTemplate, ulAttributeCount, phKey)); 1007 1008 case CKM_SSL3_KEY_AND_MAC_DERIVE: 1009 case CKM_TLS_KEY_AND_MAC_DERIVE: 1010 return (soft_ssl_key_and_mac_derive(session_p, pMechanism, 1011 basekey_p, pTemplate, ulAttributeCount)); 1012 1013 case CKM_TLS_PRF: 1014 if (pMechanism->pParameter == NULL || 1015 pMechanism->ulParameterLen != sizeof (CK_TLS_PRF_PARAMS) || 1016 phKey != NULL) 1017 return (CKR_ARGUMENTS_BAD); 1018 1019 if (pTemplate != NULL) 1020 return (CKR_TEMPLATE_INCONSISTENT); 1021 1022 return (derive_tls_prf( 1023 (CK_TLS_PRF_PARAMS_PTR)pMechanism->pParameter, 1024 basekey_p)); 1025 1026 default: 1027 return (CKR_MECHANISM_INVALID); 1028 } 1029 1030 soft_derive_enforce_flags(basekey_p, secret_key); 1031 1032 if (IS_TOKEN_OBJECT(secret_key)) { 1033 /* 1034 * All the info has been filled, so we can write to 1035 * keystore now. 1036 */ 1037 rv = soft_put_object_to_keystore(secret_key); 1038 if (rv != CKR_OK) 1039 soft_delete_token_object(secret_key, B_FALSE, B_FALSE); 1040 } 1041 1042 return (rv); 1043 } 1044 1045 1046 /* 1047 * Perform key derivation rules on key's sensitivity and extractability. 1048 */ 1049 void 1050 soft_derive_enforce_flags(soft_object_t *basekey, soft_object_t *newkey) 1051 { 1052 1053 boolean_t new_sensitive = B_FALSE; 1054 boolean_t new_extractable = B_FALSE; 1055 1056 /* 1057 * The sensitive and extractable bits have been set when 1058 * the newkey was built. 1059 */ 1060 if (newkey->bool_attr_mask & SENSITIVE_BOOL_ON) { 1061 new_sensitive = B_TRUE; 1062 } 1063 1064 if (newkey->bool_attr_mask & EXTRACTABLE_BOOL_ON) { 1065 new_extractable = B_TRUE; 1066 } 1067 1068 /* Derive the CKA_ALWAYS_SENSITIVE flag */ 1069 if (!basekey->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON) { 1070 /* 1071 * If the base key has its CKA_ALWAYS_SENSITIVE set to 1072 * FALSE, then the derived key will as well. 1073 */ 1074 newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON; 1075 } else { 1076 /* 1077 * If the base key has its CKA_ALWAYS_SENSITIVE set to TRUE, 1078 * then the derived key has the CKA_ALWAYS_SENSITIVE set to 1079 * the same value as its CKA_SENSITIVE; 1080 */ 1081 if (new_sensitive) { 1082 newkey->bool_attr_mask |= ALWAYS_SENSITIVE_BOOL_ON; 1083 } else { 1084 newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON; 1085 } 1086 } 1087 1088 /* Derive the CKA_NEVER_EXTRACTABLE flag */ 1089 if (!basekey->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) { 1090 /* 1091 * If the base key has its CKA_NEVER_EXTRACTABLE set to 1092 * FALSE, then the derived key will as well. 1093 */ 1094 newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON; 1095 } else { 1096 /* 1097 * If the base key has its CKA_NEVER_EXTRACTABLE set to TRUE, 1098 * then the derived key has the CKA_NEVER_EXTRACTABLE set to 1099 * the opposite value from its CKA_EXTRACTABLE; 1100 */ 1101 if (new_extractable) { 1102 newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON; 1103 } else { 1104 newkey->bool_attr_mask |= NEVER_EXTRACTABLE_BOOL_ON; 1105 } 1106 } 1107 1108 /* Set the CKA_LOCAL flag to false */ 1109 newkey->bool_attr_mask &= ~LOCAL_BOOL_ON; 1110 } 1111 1112 1113 /* 1114 * do_prf 1115 * 1116 * This routine implements Step 3. of the PBKDF2 function 1117 * defined in PKCS#5 for generating derived keys from a 1118 * password. 1119 * 1120 * Currently, PRF is always SHA_1_HMAC. 1121 */ 1122 static CK_RV 1123 do_prf(soft_session_t *session_p, 1124 CK_PKCS5_PBKD2_PARAMS_PTR params, 1125 soft_object_t *hmac_key, 1126 CK_BYTE *newsalt, CK_ULONG saltlen, 1127 CK_BYTE *blockdata, CK_ULONG blocklen) 1128 { 1129 CK_RV rv = CKR_OK; 1130 CK_MECHANISM digest_mech = {CKM_SHA_1_HMAC, NULL, 0}; 1131 CK_BYTE buffer[2][SHA1_HASH_SIZE]; 1132 CK_ULONG hmac_outlen = SHA1_HASH_SIZE; 1133 CK_ULONG inlen; 1134 CK_BYTE *input, *output; 1135 CK_ULONG i, j; 1136 1137 input = newsalt; 1138 inlen = saltlen; 1139 1140 output = buffer[1]; 1141 (void) pthread_mutex_lock(&session_p->session_mutex); 1142 1143 if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) { 1144 (void) pthread_mutex_unlock(&session_p->session_mutex); 1145 return (CKR_OPERATION_ACTIVE); 1146 } 1147 session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE; 1148 (void) pthread_mutex_unlock(&session_p->session_mutex); 1149 1150 for (i = 0; i < params->iterations; i++) { 1151 /* 1152 * The key doesn't change, its always the 1153 * password iniitally given. 1154 */ 1155 rv = soft_sign_init(session_p, &digest_mech, hmac_key); 1156 1157 if (rv != CKR_OK) { 1158 goto cleanup; 1159 } 1160 1161 /* Call PRF function (SHA1_HMAC for now). */ 1162 rv = soft_sign(session_p, input, inlen, 1163 output, &hmac_outlen); 1164 1165 if (rv != CKR_OK) { 1166 goto cleanup; 1167 } 1168 /* 1169 * The first time, initialize the output buffer 1170 * with the HMAC signature. 1171 */ 1172 if (i == 0) { 1173 (void) memcpy(blockdata, output, 1174 local_min(blocklen, hmac_outlen)); 1175 } else { 1176 /* 1177 * XOR the existing data with output from PRF. 1178 * 1179 * Only XOR up to the length of the blockdata, 1180 * it may be less than a full hmac buffer when 1181 * the final block is being computed. 1182 */ 1183 for (j = 0; j < hmac_outlen && j < blocklen; j++) 1184 blockdata[j] ^= output[j]; 1185 } 1186 /* Output from previous PRF is input for next round */ 1187 input = output; 1188 inlen = hmac_outlen; 1189 1190 /* 1191 * Switch buffers to avoid overuse of memcpy. 1192 * Initially we used buffer[1], so after the end of 1193 * the first iteration (i==0), we switch to buffer[0] 1194 * and continue swapping with each iteration. 1195 */ 1196 output = buffer[i%2]; 1197 } 1198 cleanup: 1199 (void) pthread_mutex_lock(&session_p->session_mutex); 1200 session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE; 1201 (void) pthread_mutex_unlock(&session_p->session_mutex); 1202 1203 return (rv); 1204 } 1205 1206 static CK_RV 1207 soft_create_hmac_key(soft_session_t *session_p, CK_BYTE *passwd, 1208 CK_ULONG passwd_len, CK_OBJECT_HANDLE_PTR phKey) 1209 { 1210 CK_RV rv = CKR_OK; 1211 CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY; 1212 CK_KEY_TYPE keytype = CKK_GENERIC_SECRET; 1213 CK_BBOOL True = TRUE; 1214 CK_ATTRIBUTE keytemplate[4]; 1215 /* 1216 * We must initialize each template member individually 1217 * because at the time of initial coding for ON10, the 1218 * compiler was using the "-xc99=%none" option 1219 * which prevents us from being able to declare the whole 1220 * template in place as usual. 1221 */ 1222 keytemplate[0].type = CKA_CLASS; 1223 keytemplate[0].pValue = &keyclass; 1224 keytemplate[0].ulValueLen = sizeof (keyclass); 1225 1226 keytemplate[1].type = CKA_KEY_TYPE; 1227 keytemplate[1].pValue = &keytype; 1228 keytemplate[1].ulValueLen = sizeof (keytype); 1229 1230 keytemplate[2].type = CKA_SIGN; 1231 keytemplate[2].pValue = &True; 1232 keytemplate[2].ulValueLen = sizeof (True); 1233 1234 keytemplate[3].type = CKA_VALUE; 1235 keytemplate[3].pValue = passwd; 1236 keytemplate[3].ulValueLen = passwd_len; 1237 /* 1238 * Create a generic key object to be used for HMAC operations. 1239 * The "value" for this key is the password from the 1240 * mechanism parameter structure. 1241 */ 1242 rv = soft_gen_keyobject(keytemplate, 1243 sizeof (keytemplate)/sizeof (CK_ATTRIBUTE), 1244 phKey, session_p, CKO_SECRET_KEY, 1245 (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0, 1246 SOFT_CREATE_OBJ, B_TRUE); 1247 1248 return (rv); 1249 } 1250 1251 CK_RV 1252 soft_generate_pkcs5_pbkdf2_key(soft_session_t *session_p, 1253 CK_MECHANISM_PTR pMechanism, 1254 soft_object_t *secret_key) 1255 { 1256 CK_RV rv = CKR_OK; 1257 CK_PKCS5_PBKD2_PARAMS *params = 1258 (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter; 1259 CK_ULONG hLen = SHA1_HASH_SIZE; 1260 CK_ULONG dkLen, i; 1261 CK_ULONG blocks, remainder; 1262 CK_OBJECT_HANDLE phKey = 0; 1263 soft_object_t *hmac_key = NULL; 1264 CK_BYTE *salt = NULL; 1265 CK_BYTE *keydata = NULL; 1266 1267 params = (CK_PKCS5_PBKD2_PARAMS_PTR) pMechanism->pParameter; 1268 1269 if (params->prf != CKP_PKCS5_PBKD2_HMAC_SHA1) 1270 return (CKR_MECHANISM_PARAM_INVALID); 1271 1272 if (params->pPrfData != NULL || params->ulPrfDataLen != 0) 1273 return (CKR_DATA_INVALID); 1274 1275 if (params->saltSource != CKZ_SALT_SPECIFIED || 1276 params->iterations == 0) 1277 return (CKR_MECHANISM_PARAM_INVALID); 1278 1279 /* 1280 * Create a key object to use for HMAC operations. 1281 */ 1282 rv = soft_create_hmac_key(session_p, params->pPassword, 1283 *params->ulPasswordLen, &phKey); 1284 1285 if (rv != CKR_OK) 1286 return (rv); 1287 1288 hmac_key = (soft_object_t *)phKey; 1289 1290 /* Step 1. */ 1291 dkLen = OBJ_SEC_VALUE_LEN(secret_key); /* length of desired key */ 1292 1293 if (dkLen > ((((u_longlong_t)1)<<32)-1)*hLen) { 1294 (void) soft_delete_object(session_p, hmac_key, B_FALSE); 1295 return (CKR_KEY_SIZE_RANGE); 1296 } 1297 1298 /* Step 2. */ 1299 blocks = dkLen / hLen; 1300 1301 /* crude "Ceiling" function to adjust the number of blocks to use */ 1302 if (blocks * hLen != dkLen) 1303 blocks++; 1304 1305 remainder = dkLen - ((blocks - 1) * hLen); 1306 1307 /* Step 3 */ 1308 salt = (CK_BYTE *)malloc(params->ulSaltSourceDataLen + 4); 1309 if (salt == NULL) { 1310 (void) soft_delete_object(session_p, hmac_key, B_FALSE); 1311 return (CKR_HOST_MEMORY); 1312 } 1313 /* 1314 * Nothing in PKCS#5 says you cannot pass an empty 1315 * salt, so we will allow for this and not return error 1316 * if the salt is not specified. 1317 */ 1318 if (params->pSaltSourceData != NULL && 1319 params->ulSaltSourceDataLen > 0) 1320 (void) memcpy(salt, params->pSaltSourceData, 1321 params->ulSaltSourceDataLen); 1322 1323 /* 1324 * Get pointer to the data section of the key, 1325 * this will be used below as output from the 1326 * PRF iteration/concatenations so that when the 1327 * blocks are all iterated, the secret_key will 1328 * have the resulting derived key value. 1329 */ 1330 keydata = (CK_BYTE *)OBJ_SEC_VALUE(secret_key); 1331 1332 /* Step 4. */ 1333 for (i = 0; i < blocks && (rv == CKR_OK); i++) { 1334 CK_BYTE *s; 1335 1336 s = salt + params->ulSaltSourceDataLen; 1337 1338 /* 1339 * Append the block index to the salt as input 1340 * to the PRF. Block index should start at 1 1341 * not 0. 1342 */ 1343 *s++ = ((i+1) >> 24) & 0xff; 1344 *s++ = ((i+1) >> 16) & 0xff; 1345 *s++ = ((i+1) >> 8) & 0xff; 1346 *s = ((i+1)) & 0xff; 1347 1348 /* 1349 * Adjust the key pointer so we always append the 1350 * PRF output to the current key. 1351 */ 1352 rv = do_prf(session_p, params, hmac_key, 1353 salt, params->ulSaltSourceDataLen + 4, 1354 keydata, 1355 ((i + 1) == blocks ? remainder : hLen)); 1356 1357 keydata += hLen; 1358 } 1359 (void) soft_delete_object(session_p, hmac_key, B_FALSE); 1360 free(salt); 1361 1362 return (rv); 1363 } 1364 1365 CK_RV 1366 soft_wrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 1367 soft_object_t *wrappingKey_p, soft_object_t *hkey_p, 1368 CK_BYTE_PTR pWrappedKey, CK_ULONG_PTR pulWrappedKeyLen) 1369 { 1370 CK_RV rv = CKR_OK; 1371 CK_ULONG plain_len = 0; 1372 CK_BYTE_PTR plain_data = NULL; 1373 CK_ULONG padded_len = 0; 1374 CK_BYTE_PTR padded_data = NULL; 1375 CK_ULONG wkey_blksz = 1; /* so modulo will work right */ 1376 1377 /* Check if the mechanism is supported. */ 1378 switch (pMechanism->mechanism) { 1379 case CKM_DES_CBC_PAD: 1380 case CKM_DES3_CBC_PAD: 1381 case CKM_AES_CBC_PAD: 1382 /* 1383 * Secret key mechs with padding can be used to wrap secret 1384 * keys and private keys only. See PKCS#11, * sec 11.14, 1385 * C_WrapKey and secs 12.* for each mechanism's wrapping/ 1386 * unwrapping constraints. 1387 */ 1388 if (hkey_p->class != CKO_SECRET_KEY && hkey_p->class != 1389 CKO_PRIVATE_KEY) 1390 return (CKR_MECHANISM_INVALID); 1391 break; 1392 case CKM_RSA_PKCS: 1393 case CKM_RSA_X_509: 1394 case CKM_DES_ECB: 1395 case CKM_DES3_ECB: 1396 case CKM_AES_ECB: 1397 case CKM_DES_CBC: 1398 case CKM_DES3_CBC: 1399 case CKM_AES_CBC: 1400 case CKM_BLOWFISH_CBC: 1401 /* 1402 * Unpadded secret key mechs and private key mechs are only 1403 * defined for wrapping secret keys. See PKCS#11 refs above. 1404 */ 1405 if (hkey_p->class != CKO_SECRET_KEY) 1406 return (CKR_MECHANISM_INVALID); 1407 break; 1408 default: 1409 return (CKR_MECHANISM_INVALID); 1410 } 1411 1412 if (hkey_p->class == CKO_SECRET_KEY) { 1413 plain_data = OBJ_SEC_VALUE(hkey_p); 1414 plain_len = OBJ_SEC_VALUE_LEN(hkey_p); 1415 } else { 1416 /* 1417 * BER-encode the object to be wrapped: call first with 1418 * plain_data = NULL to get the size needed, allocate that 1419 * much space, call again to fill space with actual data. 1420 */ 1421 rv = soft_object_to_asn1(hkey_p, NULL, &plain_len); 1422 if (rv != CKR_OK) 1423 return (rv); 1424 if ((plain_data = malloc(plain_len)) == NULL) 1425 return (CKR_HOST_MEMORY); 1426 (void) memset(plain_data, 0x0, plain_len); 1427 rv = soft_object_to_asn1(hkey_p, plain_data, &plain_len); 1428 if (rv != CKR_OK) 1429 goto cleanup_wrap; 1430 } 1431 1432 /* 1433 * For unpadded ECB and CBC mechanisms, the object needs to be 1434 * padded to the wrapping key's blocksize prior to the encryption. 1435 */ 1436 padded_len = plain_len; 1437 padded_data = plain_data; 1438 1439 switch (pMechanism->mechanism) { 1440 case CKM_DES_ECB: 1441 case CKM_DES3_ECB: 1442 case CKM_AES_ECB: 1443 case CKM_DES_CBC: 1444 case CKM_DES3_CBC: 1445 case CKM_AES_CBC: 1446 case CKM_BLOWFISH_CBC: 1447 /* Find the block size of the wrapping key. */ 1448 if (wrappingKey_p->class == CKO_SECRET_KEY) { 1449 switch (wrappingKey_p->key_type) { 1450 case CKK_DES: 1451 case CKK_DES2: 1452 case CKK_DES3: 1453 wkey_blksz = DES_BLOCK_LEN; 1454 break; 1455 case CKK_AES: 1456 wkey_blksz = AES_BLOCK_LEN; 1457 break; 1458 case CKK_BLOWFISH: 1459 wkey_blksz = BLOWFISH_BLOCK_LEN; 1460 break; 1461 default: 1462 break; 1463 } 1464 } else { 1465 rv = CKR_WRAPPING_KEY_TYPE_INCONSISTENT; 1466 goto cleanup_wrap; 1467 } 1468 1469 /* Extend the plain text data to block size boundary. */ 1470 if ((padded_len % wkey_blksz) != 0) { 1471 padded_len += (wkey_blksz - (plain_len % wkey_blksz)); 1472 if ((padded_data = malloc(padded_len)) == NULL) { 1473 rv = CKR_HOST_MEMORY; 1474 goto cleanup_wrap; 1475 } 1476 (void) memset(padded_data, 0x0, padded_len); 1477 (void) memcpy(padded_data, plain_data, plain_len); 1478 } 1479 break; 1480 default: 1481 break; 1482 } 1483 1484 rv = soft_encrypt_init(session_p, pMechanism, wrappingKey_p); 1485 if (rv != CKR_OK) 1486 goto cleanup_wrap; 1487 1488 rv = soft_encrypt(session_p, padded_data, padded_len, 1489 pWrappedKey, pulWrappedKeyLen); 1490 1491 cleanup_wrap: 1492 if (padded_data != NULL && padded_len != plain_len) { 1493 /* Clear buffer before returning to memory pool. */ 1494 (void) memset(padded_data, 0x0, padded_len); 1495 free(padded_data); 1496 } 1497 1498 if ((hkey_p->class != CKO_SECRET_KEY) && (plain_data != NULL)) { 1499 /* Clear buffer before returning to memory pool. */ 1500 (void) memset(plain_data, 0x0, plain_len); 1501 free(plain_data); 1502 } 1503 1504 return (rv); 1505 } 1506 1507 /* 1508 * Quick check for whether unwrapped key length is appropriate for key type 1509 * and whether it needs to be truncated (in case the wrapping function had 1510 * to pad the key prior to wrapping). 1511 */ 1512 static CK_RV 1513 soft_unwrap_secret_len_check(CK_KEY_TYPE keytype, CK_MECHANISM_TYPE mechtype, 1514 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount) 1515 { 1516 CK_ULONG i; 1517 boolean_t isValueLen = B_FALSE; 1518 1519 /* 1520 * Based on the key type and the mech used to unwrap, need to 1521 * determine if CKA_VALUE_LEN should or should not be specified. 1522 * PKCS#11 v2.11 restricts CKA_VALUE_LEN from being specified 1523 * for C_UnwrapKey for all mechs and key types, but v2.20 loosens 1524 * that restriction, perhaps because it makes it impossible to 1525 * determine the original length of unwrapped variable-length secret 1526 * keys, such as RC4, AES, and GENERIC_SECRET. These variable-length 1527 * secret keys would have been padded with trailing null-bytes so 1528 * that they could be successfully wrapped with *_ECB and *_CBC 1529 * mechanisms. Hence for unwrapping with these mechs, CKA_VALUE_LEN 1530 * must be specified. For unwrapping with other mechs, such as 1531 * *_CBC_PAD, the CKA_VALUE_LEN is not needed. 1532 */ 1533 1534 /* Find out if template has CKA_VALUE_LEN. */ 1535 for (i = 0; i < ulAttributeCount; i++) { 1536 if (pTemplate[i].type == CKA_VALUE_LEN && 1537 pTemplate[i].pValue != NULL) { 1538 isValueLen = B_TRUE; 1539 break; 1540 } 1541 } 1542 1543 /* Does its presence conflict with the mech type and key type? */ 1544 switch (mechtype) { 1545 case CKM_DES_ECB: 1546 case CKM_DES3_ECB: 1547 case CKM_AES_ECB: 1548 case CKM_DES_CBC: 1549 case CKM_DES3_CBC: 1550 case CKM_AES_CBC: 1551 case CKM_BLOWFISH_CBC: 1552 /* 1553 * CKA_VALUE_LEN must be specified 1554 * if keytype is CKK_RC4, CKK_AES and CKK_GENERIC_SECRET 1555 * and must not be specified otherwise 1556 */ 1557 switch (keytype) { 1558 case CKK_DES: 1559 case CKK_DES2: 1560 case CKK_DES3: 1561 if (isValueLen) 1562 return (CKR_TEMPLATE_INCONSISTENT); 1563 break; 1564 case CKK_GENERIC_SECRET: 1565 case CKK_RC4: 1566 case CKK_AES: 1567 case CKK_BLOWFISH: 1568 if (!isValueLen) 1569 return (CKR_TEMPLATE_INCOMPLETE); 1570 break; 1571 default: 1572 return (CKR_FUNCTION_NOT_SUPPORTED); 1573 } 1574 break; 1575 default: 1576 /* CKA_VALUE_LEN must not be specified */ 1577 if (isValueLen) 1578 return (CKR_TEMPLATE_INCONSISTENT); 1579 break; 1580 } 1581 1582 return (CKR_OK); 1583 } 1584 1585 CK_RV 1586 soft_unwrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 1587 soft_object_t *unwrappingkey_p, 1588 CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen, 1589 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, 1590 CK_OBJECT_HANDLE_PTR phKey) 1591 { 1592 CK_RV rv = CKR_OK; 1593 CK_OBJECT_CLASS new_obj_class = ~0UL; 1594 int i = 0; 1595 soft_object_t *new_objp = NULL; 1596 boolean_t persistent = B_FALSE; 1597 CK_BYTE_PTR plain_data = NULL; 1598 CK_ULONG plain_len = 0; 1599 secret_key_obj_t *sck = NULL; 1600 1601 /* Scan the attribute template for the object class. */ 1602 if (pTemplate != NULL && ulAttributeCount != 0) { 1603 for (i = 0; i < ulAttributeCount; i++) { 1604 if (pTemplate[i].type == CKA_CLASS) { 1605 new_obj_class = 1606 *((CK_OBJECT_CLASS *)pTemplate[i].pValue); 1607 break; 1608 } 1609 } 1610 if (new_obj_class == ~0UL) 1611 return (CKR_TEMPLATE_INCOMPLETE); 1612 } 1613 1614 /* 1615 * Check if the mechanism is supported, and now that the new 1616 * object's class is known, the mechanism selected should be 1617 * capable of doing the unwrap. 1618 */ 1619 switch (pMechanism->mechanism) { 1620 case CKM_RSA_PKCS: 1621 case CKM_RSA_X_509: 1622 case CKM_DES_ECB: 1623 case CKM_DES3_ECB: 1624 case CKM_AES_ECB: 1625 case CKM_DES_CBC: 1626 case CKM_DES3_CBC: 1627 case CKM_AES_CBC: 1628 case CKM_BLOWFISH_CBC: 1629 if (new_obj_class != CKO_SECRET_KEY) 1630 return (CKR_MECHANISM_INVALID); 1631 break; 1632 case CKM_DES_CBC_PAD: 1633 case CKM_DES3_CBC_PAD: 1634 case CKM_AES_CBC_PAD: 1635 if (new_obj_class != CKO_SECRET_KEY && new_obj_class != 1636 CKO_PRIVATE_KEY) 1637 return (CKR_MECHANISM_INVALID); 1638 break; 1639 default: 1640 return (CKR_MECHANISM_INVALID); 1641 } 1642 1643 /* Create a new object based on the attribute template. */ 1644 rv = soft_gen_keyobject(pTemplate, ulAttributeCount, 1645 (CK_ULONG *)&new_objp, session_p, (CK_OBJECT_CLASS)~0UL, 1646 (CK_KEY_TYPE)~0UL, 0, SOFT_UNWRAP_KEY, B_FALSE); 1647 if (rv != CKR_OK) 1648 return (rv); 1649 1650 /* 1651 * New key will have CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE 1652 * both set to FALSE. CKA_EXTRACTABLE will be set _by_default_ to 1653 * true -- leaving the possibility that it may be set FALSE by the 1654 * supplied attribute template. If the precise template cannot be 1655 * supported, unwrap fails. PKCS#11 spec, Sec. 11.14, C_UnwrapKey. 1656 * 1657 * Therefore, check the new object's NEVER_EXTRACTABLE_BOOL_ON and 1658 * ALWAYS_SENSITVE_BOOL_ON; if they are TRUE, the template must 1659 * have supplied them and therefore we cannot honor the unwrap. 1660 */ 1661 if ((new_objp->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) || 1662 (new_objp->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON)) { 1663 rv = CKR_TEMPLATE_INCONSISTENT; 1664 goto cleanup_unwrap; 1665 } 1666 1667 rv = soft_decrypt_init(session_p, pMechanism, unwrappingkey_p); 1668 if (rv != CKR_OK) 1669 goto cleanup_unwrap; 1670 1671 /* First get the length of the plain data */ 1672 rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, NULL, 1673 &plain_len); 1674 if (rv != CKR_OK) 1675 goto cleanup_unwrap; 1676 1677 /* Allocate space for the unwrapped data */ 1678 if ((plain_data = malloc(plain_len)) == NULL) { 1679 rv = CKR_HOST_MEMORY; 1680 goto cleanup_unwrap; 1681 } 1682 (void) memset(plain_data, 0x0, plain_len); 1683 1684 /* Perform actual decryption into the allocated space. */ 1685 rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, plain_data, 1686 &plain_len); 1687 if (rv != CKR_OK) 1688 goto cleanup_unwrap; 1689 1690 if (new_objp->class == CKO_SECRET_KEY) { 1691 /* 1692 * Since no ASN.1 encoding is done for secret keys, check for 1693 * appropriateness and copy decrypted buffer to the key object. 1694 */ 1695 1696 /* Check keytype and mechtype don't conflict with valuelen */ 1697 rv = soft_unwrap_secret_len_check(new_objp->key_type, 1698 pMechanism->mechanism, pTemplate, ulAttributeCount); 1699 if (rv != CKR_OK) 1700 goto cleanup_unwrap; 1701 1702 /* 1703 * Allocate the secret key structure if not already there; 1704 * it will exist for variable length keys since CKA_VALUE_LEN 1705 * is specified and saved, but not for fixed length keys. 1706 */ 1707 if (OBJ_SEC(new_objp) == NULL) { 1708 if ((sck = calloc(1, sizeof (secret_key_obj_t))) == 1709 NULL) { 1710 rv = CKR_HOST_MEMORY; 1711 goto cleanup_unwrap; 1712 } 1713 OBJ_SEC(new_objp) = sck; 1714 } 1715 1716 switch (new_objp->key_type) { 1717 /* Fixed length secret keys don't have CKA_VALUE_LEN */ 1718 case CKK_DES: 1719 OBJ_SEC_VALUE_LEN(new_objp) = DES_KEYSIZE; 1720 break; 1721 case CKK_DES2: 1722 OBJ_SEC_VALUE_LEN(new_objp) = DES2_KEYSIZE; 1723 break; 1724 case CKK_DES3: 1725 OBJ_SEC_VALUE_LEN(new_objp) = DES3_KEYSIZE; 1726 break; 1727 1728 /* 1729 * Variable length secret keys. CKA_VALUE_LEN must be 1730 * provided by the template when mech is *_ECB or *_CBC, and 1731 * should already have been set during soft_gen_keyobject(). 1732 * Otherwise we don't need CKA_VALUE_LEN. 1733 */ 1734 case CKK_GENERIC_SECRET: 1735 case CKK_RC4: 1736 case CKK_AES: 1737 case CKK_BLOWFISH: 1738 break; 1739 default: 1740 rv = CKR_WRAPPED_KEY_INVALID; 1741 goto cleanup_unwrap; 1742 }; 1743 1744 if (OBJ_SEC_VALUE_LEN(new_objp) == 0) { 1745 /* No CKA_VALUE_LEN set so set it now and save data */ 1746 OBJ_SEC_VALUE_LEN(new_objp) = plain_len; 1747 OBJ_SEC_VALUE(new_objp) = plain_data; 1748 } else if (OBJ_SEC_VALUE_LEN(new_objp) == plain_len) { 1749 /* No need to truncate, just save the data */ 1750 OBJ_SEC_VALUE(new_objp) = plain_data; 1751 } else if (OBJ_SEC_VALUE_LEN(new_objp) > plain_len) { 1752 /* Length can't be bigger than what was decrypted */ 1753 rv = CKR_WRAPPED_KEY_LEN_RANGE; 1754 goto cleanup_unwrap; 1755 } else { /* betw 0 and plain_len, hence padded */ 1756 /* Truncate the data before saving. */ 1757 OBJ_SEC_VALUE(new_objp) = realloc(plain_data, 1758 OBJ_SEC_VALUE_LEN(new_objp)); 1759 if (OBJ_SEC_VALUE(new_objp) == NULL) { 1760 rv = CKR_HOST_MEMORY; 1761 goto cleanup_unwrap; 1762 } 1763 } 1764 } else { 1765 /* BER-decode the object to be unwrapped. */ 1766 rv = soft_asn1_to_object(new_objp, plain_data, plain_len); 1767 if (rv != CKR_OK) 1768 goto cleanup_unwrap; 1769 } 1770 1771 /* If it needs to be persistent, write it to the keystore */ 1772 if (IS_TOKEN_OBJECT(new_objp)) { 1773 persistent = B_TRUE; 1774 rv = soft_put_object_to_keystore(new_objp); 1775 if (rv != CKR_OK) 1776 goto cleanup_unwrap; 1777 } 1778 1779 if (new_objp->class != CKO_SECRET_KEY) { 1780 /* Clear buffer before returning to memory pool. */ 1781 (void) memset(plain_data, 0x0, plain_len); 1782 free(plain_data); 1783 } 1784 1785 *phKey = (CK_OBJECT_HANDLE)new_objp; 1786 1787 return (CKR_OK); 1788 1789 cleanup_unwrap: 1790 /* The decrypted private key buffer must be freed explicitly. */ 1791 if ((new_objp->class != CKO_SECRET_KEY) && (plain_data != NULL)) { 1792 /* Clear buffer before returning to memory pool. */ 1793 (void) memset(plain_data, 0x0, plain_len); 1794 free(plain_data); 1795 } 1796 1797 /* sck and new_objp are indirectly free()d inside these functions */ 1798 if (IS_TOKEN_OBJECT(new_objp)) 1799 soft_delete_token_object(new_objp, persistent, B_FALSE); 1800 else 1801 soft_delete_object(session_p, new_objp, B_FALSE); 1802 1803 return (rv); 1804 } 1805