1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <pthread.h> 29 #include <stdlib.h> 30 #include <string.h> 31 #include <strings.h> 32 #include <sys/types.h> 33 #include <security/cryptoki.h> 34 #include <aes_impl.h> 35 #include <blowfish_impl.h> 36 #include <des_impl.h> 37 #include <arcfour.h> 38 #include "softGlobal.h" 39 #include "softSession.h" 40 #include "softObject.h" 41 #include "softDSA.h" 42 #include "softRSA.h" 43 #include "softDH.h" 44 #include "softEC.h" 45 #include "softRandom.h" 46 #include "softMAC.h" 47 #include "softOps.h" 48 #include "softKeys.h" 49 #include "softKeystore.h" 50 #include "softSSL.h" 51 #include "softASN1.h" 52 53 54 #define local_min(a, b) ((a) < (b) ? (a) : (b)) 55 56 static CK_RV 57 soft_pkcs12_pbe(soft_session_t *, CK_MECHANISM_PTR, soft_object_t *); 58 59 /* 60 * Create a temporary key object struct by filling up its template attributes. 61 */ 62 CK_RV 63 soft_gen_keyobject(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, 64 CK_ULONG *objecthandle_p, soft_session_t *sp, 65 CK_OBJECT_CLASS class, CK_KEY_TYPE key_type, CK_ULONG keylen, CK_ULONG mode, 66 boolean_t internal) 67 { 68 69 CK_RV rv; 70 soft_object_t *new_objp = NULL; 71 72 new_objp = calloc(1, sizeof (soft_object_t)); 73 if (new_objp == NULL) { 74 return (CKR_HOST_MEMORY); 75 } 76 77 new_objp->extra_attrlistp = NULL; 78 79 /* 80 * Validate attribute template and fill in the attributes 81 * in the soft_object_t. 82 */ 83 rv = soft_build_key(pTemplate, ulCount, new_objp, class, key_type, 84 keylen, mode); 85 if (rv != CKR_OK) { 86 goto fail_cleanup1; 87 } 88 89 /* 90 * If generating a key is an internal request (i.e. not a C_XXX 91 * API request), then skip the following checks. 92 */ 93 if (!internal) { 94 rv = soft_pin_expired_check(new_objp); 95 if (rv != CKR_OK) { 96 goto fail_cleanup2; 97 } 98 99 rv = soft_object_write_access_check(sp, new_objp); 100 if (rv != CKR_OK) { 101 goto fail_cleanup2; 102 } 103 } 104 105 /* Initialize the rest of stuffs in soft_object_t. */ 106 (void) pthread_mutex_init(&new_objp->object_mutex, NULL); 107 new_objp->magic_marker = SOFTTOKEN_OBJECT_MAGIC; 108 109 /* Write the new token object to the keystore */ 110 if (IS_TOKEN_OBJECT(new_objp)) { 111 new_objp->version = 1; 112 new_objp->session_handle = (CK_SESSION_HANDLE)NULL; 113 soft_add_token_object_to_slot(new_objp); 114 /* 115 * Type casting the address of an object struct to 116 * an object handle. 117 */ 118 *objecthandle_p = (CK_ULONG)new_objp; 119 120 return (CKR_OK); 121 } 122 123 new_objp->session_handle = (CK_SESSION_HANDLE)sp; 124 125 /* Add the new object to the session's object list. */ 126 soft_add_object_to_session(new_objp, sp); 127 128 /* Type casting the address of an object struct to an object handle. */ 129 *objecthandle_p = (CK_ULONG)new_objp; 130 131 return (CKR_OK); 132 133 fail_cleanup2: 134 /* 135 * When any error occurs after soft_build_key(), we will need to 136 * clean up the memory allocated by the soft_build_key(). 137 */ 138 soft_cleanup_object(new_objp); 139 140 fail_cleanup1: 141 if (new_objp) { 142 /* 143 * The storage allocated inside of this object should have 144 * been cleaned up by the soft_build_key() if it failed. 145 * Therefore, we can safely free the object. 146 */ 147 free(new_objp); 148 } 149 150 return (rv); 151 } 152 153 CK_RV 154 soft_genkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 155 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey) 156 { 157 158 CK_RV rv = CKR_OK; 159 soft_object_t *secret_key; 160 CK_KEY_TYPE key_type; 161 CK_ULONG keylen = 0; 162 CK_ULONG i; 163 int des_strength = 0; 164 int retry = 0; 165 int keyfound = 0; 166 boolean_t is_ssl_mech = B_FALSE; 167 168 switch (pMechanism->mechanism) { 169 case CKM_DES_KEY_GEN: 170 key_type = CKK_DES; 171 break; 172 173 case CKM_DES3_KEY_GEN: 174 key_type = CKK_DES3; 175 break; 176 177 case CKM_AES_KEY_GEN: 178 key_type = CKK_AES; 179 break; 180 181 case CKM_BLOWFISH_KEY_GEN: 182 key_type = CKK_BLOWFISH; 183 break; 184 185 case CKM_RC4_KEY_GEN: 186 key_type = CKK_RC4; 187 break; 188 189 case CKM_SSL3_PRE_MASTER_KEY_GEN: 190 case CKM_TLS_PRE_MASTER_KEY_GEN: 191 if (pMechanism->pParameter == NULL || 192 pMechanism->ulParameterLen != sizeof (CK_VERSION)) 193 return (CKR_TEMPLATE_INCOMPLETE); 194 is_ssl_mech = B_TRUE; 195 key_type = CKK_GENERIC_SECRET; 196 keylen = 48; 197 break; 198 199 case CKM_PKCS5_PBKD2: 200 keyfound = 0; 201 for (i = 0; i < ulCount && !keyfound; i++) { 202 if (pTemplate[i].type == CKA_KEY_TYPE && 203 pTemplate[i].pValue != NULL) { 204 key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue); 205 keyfound = 1; 206 } 207 } 208 if (!keyfound) 209 return (CKR_TEMPLATE_INCOMPLETE); 210 /* 211 * Make sure that parameters were given for this 212 * mechanism. 213 */ 214 if (pMechanism->pParameter == NULL || 215 pMechanism->ulParameterLen != 216 sizeof (CK_PKCS5_PBKD2_PARAMS)) 217 return (CKR_TEMPLATE_INCOMPLETE); 218 break; 219 220 case CKM_PBE_SHA1_RC4_128: 221 keyfound = 0; 222 for (i = 0; i < ulCount; i++) { 223 if (pTemplate[i].type == CKA_KEY_TYPE && 224 pTemplate[i].pValue != NULL) { 225 key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue); 226 keyfound = 1; 227 } 228 if (pTemplate[i].type == CKA_VALUE_LEN && 229 pTemplate[i].pValue != NULL) { 230 keylen = *((CK_ULONG*)pTemplate[i].pValue); 231 } 232 } 233 /* If a keytype was specified, it had better be CKK_RC4 */ 234 if (keyfound && key_type != CKK_RC4) 235 return (CKR_TEMPLATE_INCONSISTENT); 236 else if (!keyfound) 237 key_type = CKK_RC4; 238 239 /* If key length was specified, it better be 16 bytes */ 240 if (keylen != 0 && keylen != 16) 241 return (CKR_TEMPLATE_INCONSISTENT); 242 243 /* 244 * Make sure that parameters were given for this 245 * mechanism. 246 */ 247 if (pMechanism->pParameter == NULL || 248 pMechanism->ulParameterLen != 249 sizeof (CK_PBE_PARAMS)) 250 return (CKR_TEMPLATE_INCOMPLETE); 251 break; 252 default: 253 return (CKR_MECHANISM_INVALID); 254 } 255 256 /* Create a new object for secret key. */ 257 rv = soft_gen_keyobject(pTemplate, ulCount, phKey, session_p, 258 CKO_SECRET_KEY, key_type, keylen, SOFT_GEN_KEY, B_FALSE); 259 260 if (rv != CKR_OK) { 261 return (rv); 262 } 263 264 /* Obtain the secret object pointer. */ 265 secret_key = (soft_object_t *)*phKey; 266 267 switch (pMechanism->mechanism) { 268 case CKM_DES_KEY_GEN: 269 /* 270 * Set up key value len since it is not a required 271 * attribute for C_GenerateKey. 272 */ 273 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE; 274 des_strength = DES; 275 break; 276 277 case CKM_DES3_KEY_GEN: 278 /* 279 * Set up key value len since it is not a required 280 * attribute for C_GenerateKey. 281 */ 282 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE; 283 des_strength = DES3; 284 break; 285 286 case CKM_SSL3_PRE_MASTER_KEY_GEN: 287 case CKM_TLS_PRE_MASTER_KEY_GEN: 288 secret_key->bool_attr_mask |= DERIVE_BOOL_ON; 289 /* FALLTHRU */ 290 291 case CKM_AES_KEY_GEN: 292 case CKM_BLOWFISH_KEY_GEN: 293 case CKM_PBE_SHA1_RC4_128: 294 case CKM_RC4_KEY_GEN: 295 keylen = OBJ_SEC_VALUE_LEN(secret_key); 296 break; 297 298 case CKM_PKCS5_PBKD2: 299 /* 300 * PKCS#11 does not allow one to specify key 301 * sizes for DES and 3DES, so we must set it here 302 * when using PBKD2 algorithms. 303 */ 304 if (key_type == CKK_DES) { 305 OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE; 306 des_strength = DES; 307 } else if (key_type == CKK_DES3) { 308 OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE; 309 des_strength = DES3; 310 } 311 312 keylen = OBJ_SEC_VALUE_LEN(secret_key); 313 break; 314 } 315 316 if ((OBJ_SEC_VALUE(secret_key) = malloc(keylen)) == NULL) { 317 if (IS_TOKEN_OBJECT(secret_key)) 318 soft_delete_token_object(secret_key, B_FALSE, B_FALSE); 319 else 320 soft_delete_object(session_p, secret_key, B_FALSE); 321 322 return (CKR_HOST_MEMORY); 323 } 324 switch (pMechanism->mechanism) { 325 case CKM_PBE_SHA1_RC4_128: 326 /* 327 * Use the PBE algorithm described in PKCS#11 section 328 * 12.33 to derive the key. 329 */ 330 rv = soft_pkcs12_pbe(session_p, pMechanism, secret_key); 331 break; 332 case CKM_PKCS5_PBKD2: 333 /* Generate keys using PKCS#5 PBKD2 algorithm */ 334 rv = soft_generate_pkcs5_pbkdf2_key(session_p, pMechanism, 335 secret_key); 336 if (rv == CKR_OK && des_strength > 0) { 337 /* Perform weak key checking for DES and DES3. */ 338 if (des_keycheck(OBJ_SEC_VALUE(secret_key), 339 des_strength, OBJ_SEC_VALUE(secret_key)) == 340 B_FALSE) { 341 /* We got a weak secret key. */ 342 rv = CKR_FUNCTION_FAILED; 343 } 344 } 345 break; 346 default: 347 do { 348 rv = soft_random_generator( 349 OBJ_SEC_VALUE(secret_key), keylen, B_FALSE); 350 351 /* If this fails, bail out */ 352 if (rv != CKR_OK) 353 break; 354 355 /* Perform weak key checking for DES and DES3. */ 356 if (des_strength > 0) { 357 rv = CKR_OK; 358 if (des_keycheck(OBJ_SEC_VALUE(secret_key), 359 des_strength, OBJ_SEC_VALUE(secret_key)) == 360 B_FALSE) { 361 /* We got a weak key, retry! */ 362 retry++; 363 rv = CKR_FUNCTION_FAILED; 364 } 365 } 366 /* 367 * Copy over the SSL client version For SSL mechs 368 * The first two bytes of the key is the version 369 */ 370 if (is_ssl_mech) 371 bcopy(pMechanism->pParameter, 372 OBJ_SEC_VALUE(secret_key), 373 sizeof (CK_VERSION)); 374 375 } while (rv != CKR_OK && retry < KEYGEN_RETRY); 376 if (retry == KEYGEN_RETRY) 377 rv = CKR_FUNCTION_FAILED; 378 break; 379 } 380 381 if (rv != CKR_OK) 382 if (IS_TOKEN_OBJECT(secret_key)) 383 soft_delete_token_object(secret_key, B_FALSE, B_FALSE); 384 else 385 soft_delete_object(session_p, secret_key, B_FALSE); 386 387 if (IS_TOKEN_OBJECT(secret_key)) { 388 /* 389 * All the info has been filled, so we can write to 390 * keystore now. 391 */ 392 rv = soft_put_object_to_keystore(secret_key); 393 if (rv != CKR_OK) 394 soft_delete_token_object(secret_key, B_FALSE, B_FALSE); 395 } 396 397 return (rv); 398 } 399 400 CK_RV 401 soft_genkey_pair(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 402 CK_ATTRIBUTE_PTR pPublicKeyTemplate, CK_ULONG ulPublicAttrCount, 403 CK_ATTRIBUTE_PTR pPrivateKeyTemplate, CK_ULONG ulPrivateAttrCount, 404 CK_OBJECT_HANDLE_PTR phPublicKey, CK_OBJECT_HANDLE_PTR phPrivateKey) 405 { 406 407 CK_RV rv; 408 soft_object_t *public_key, *private_key; 409 CK_KEY_TYPE key_type; 410 411 switch (pMechanism->mechanism) { 412 413 case CKM_RSA_PKCS_KEY_PAIR_GEN: 414 key_type = CKK_RSA; 415 break; 416 417 case CKM_DSA_KEY_PAIR_GEN: 418 key_type = CKK_DSA; 419 break; 420 421 case CKM_DH_PKCS_KEY_PAIR_GEN: 422 key_type = CKK_DH; 423 break; 424 425 case CKM_EC_KEY_PAIR_GEN: 426 key_type = CKK_EC; 427 break; 428 429 default: 430 return (CKR_MECHANISM_INVALID); 431 } 432 433 /* Create a new object for public key. */ 434 rv = soft_gen_keyobject(pPublicKeyTemplate, ulPublicAttrCount, 435 phPublicKey, session_p, CKO_PUBLIC_KEY, key_type, 0, 436 SOFT_GEN_KEY, B_FALSE); 437 438 if (rv != CKR_OK) { 439 return (rv); 440 } 441 442 /* Obtain the public object pointer. */ 443 public_key = (soft_object_t *)*phPublicKey; 444 445 /* Create a new object for private key. */ 446 rv = soft_gen_keyobject(pPrivateKeyTemplate, ulPrivateAttrCount, 447 phPrivateKey, session_p, CKO_PRIVATE_KEY, key_type, 0, 448 SOFT_GEN_KEY, B_FALSE); 449 450 if (rv != CKR_OK) { 451 /* 452 * Both public key and private key must be successful. 453 */ 454 if (IS_TOKEN_OBJECT(public_key)) 455 soft_delete_token_object(public_key, B_FALSE, B_FALSE); 456 else 457 soft_delete_object(session_p, public_key, B_FALSE); 458 return (rv); 459 } 460 461 /* Obtain the private object pointer. */ 462 private_key = (soft_object_t *)*phPrivateKey; 463 464 /* 465 * At this point, both public key and private key objects 466 * are settled with the application specified attributes. 467 * We are ready to generate the rest of key attributes based 468 * on the existing attributes. 469 */ 470 471 switch (key_type) { 472 case CKK_RSA: 473 rv = soft_rsa_genkey_pair(public_key, private_key); 474 break; 475 476 case CKK_DSA: 477 rv = soft_dsa_genkey_pair(public_key, private_key); 478 break; 479 480 case CKK_DH: 481 rv = soft_dh_genkey_pair(public_key, private_key); 482 private_key->bool_attr_mask |= DERIVE_BOOL_ON; 483 break; 484 case CKK_EC: 485 rv = soft_ec_genkey_pair(public_key, private_key); 486 private_key->bool_attr_mask |= DERIVE_BOOL_ON; 487 break; 488 } 489 490 if (rv != CKR_OK) { 491 if (IS_TOKEN_OBJECT(public_key)) { 492 soft_delete_token_object(public_key, B_FALSE, B_FALSE); 493 soft_delete_token_object(private_key, B_FALSE, B_FALSE); 494 } else { 495 soft_delete_object(session_p, public_key, B_FALSE); 496 soft_delete_object(session_p, private_key, B_FALSE); 497 } 498 } 499 500 if (IS_TOKEN_OBJECT(public_key)) { 501 /* 502 * All the info has been filled, so we can write to 503 * keystore now. 504 */ 505 rv = soft_put_object_to_keystore(public_key); 506 if (rv != CKR_OK) { 507 soft_delete_token_object(public_key, B_FALSE, B_FALSE); 508 soft_delete_token_object(private_key, B_FALSE, B_FALSE); 509 } 510 } 511 512 if (IS_TOKEN_OBJECT(private_key)) { 513 rv = soft_put_object_to_keystore(private_key); 514 if (rv != CKR_OK) { 515 /* 516 * We also need to delete the public token object 517 * from keystore. 518 */ 519 soft_delete_token_object(public_key, B_TRUE, B_FALSE); 520 soft_delete_token_object(private_key, B_FALSE, B_FALSE); 521 } 522 } 523 524 return (rv); 525 } 526 527 528 CK_RV 529 soft_key_derive_check_length(soft_object_t *secret_key, CK_ULONG max_keylen) 530 { 531 532 switch (secret_key->key_type) { 533 case CKK_GENERIC_SECRET: 534 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) { 535 OBJ_SEC_VALUE_LEN(secret_key) = max_keylen; 536 return (CKR_OK); 537 } else if (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen) { 538 return (CKR_ATTRIBUTE_VALUE_INVALID); 539 } 540 break; 541 case CKK_RC4: 542 case CKK_AES: 543 case CKK_BLOWFISH: 544 if ((OBJ_SEC_VALUE_LEN(secret_key) == 0) || 545 (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen)) { 546 /* RC4 and AES has variable key length */ 547 return (CKR_ATTRIBUTE_VALUE_INVALID); 548 } 549 break; 550 case CKK_DES: 551 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) { 552 /* DES has a well-defined length */ 553 OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE; 554 return (CKR_OK); 555 } else if (OBJ_SEC_VALUE_LEN(secret_key) != DES_KEYSIZE) { 556 return (CKR_ATTRIBUTE_VALUE_INVALID); 557 } 558 break; 559 case CKK_DES2: 560 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) { 561 /* DES2 has a well-defined length */ 562 OBJ_SEC_VALUE_LEN(secret_key) = DES2_KEYSIZE; 563 return (CKR_OK); 564 } else if (OBJ_SEC_VALUE_LEN(secret_key) != DES2_KEYSIZE) { 565 return (CKR_ATTRIBUTE_VALUE_INVALID); 566 } 567 break; 568 569 default: 570 return (CKR_MECHANISM_INVALID); 571 } 572 573 return (CKR_OK); 574 } 575 576 /* 577 * PKCS#11 (12.33) says that v = 512 bits (64 bytes) for SHA1 578 * PBE methods. 579 */ 580 #define PKCS12_BUFFER_SIZE 64 581 /* 582 * PKCS#12 defines 3 different ID bytes to be used for 583 * deriving keys for different operations. 584 */ 585 #define PBE_ID_ENCRYPT 1 586 #define PBE_ID_IV 2 587 #define PBE_ID_MAC 3 588 #define PBE_CEIL(a, b) (((a)/(b)) + (((a)%(b)) > 0)) 589 590 static CK_RV 591 soft_pkcs12_pbe(soft_session_t *session_p, 592 CK_MECHANISM_PTR pMechanism, 593 soft_object_t *derived_key) 594 { 595 CK_RV rv = CKR_OK; 596 CK_PBE_PARAMS *params = pMechanism->pParameter; 597 CK_ULONG c, i, j, k; 598 CK_ULONG hashSize; 599 CK_ULONG buffSize; 600 /* 601 * Terse variable names are used to make following 602 * the PKCS#12 spec easier. 603 */ 604 CK_BYTE *A = NULL; 605 CK_BYTE *Ai = NULL; 606 CK_BYTE *B = NULL; 607 CK_BYTE *D = NULL; 608 CK_BYTE *I = NULL, *S, *P; 609 CK_BYTE *keybuf = NULL; 610 CK_ULONG Alen, Ilen, Slen, Plen, AiLen, Blen, Dlen; 611 CK_ULONG keysize = OBJ_SEC_VALUE_LEN(derived_key); 612 CK_MECHANISM digest_mech; 613 614 /* U = hash function output bits */ 615 if (pMechanism->mechanism == CKM_PBE_SHA1_RC4_128) { 616 hashSize = SHA1_HASH_SIZE; 617 buffSize = PKCS12_BUFFER_SIZE; 618 digest_mech.mechanism = CKM_SHA_1; 619 digest_mech.pParameter = NULL; 620 digest_mech.ulParameterLen = 0; 621 } else { 622 /* we only support 1 PBE mech for now */ 623 return (CKR_MECHANISM_INVALID); 624 } 625 keybuf = OBJ_SEC_VALUE(derived_key); 626 627 Blen = Dlen = buffSize; 628 D = (CK_BYTE *)malloc(Dlen); 629 if (D == NULL) { 630 rv = CKR_HOST_MEMORY; 631 goto cleanup; 632 } 633 634 B = (CK_BYTE *)malloc(Blen); 635 if (B == NULL) { 636 rv = CKR_HOST_MEMORY; 637 goto cleanup; 638 } 639 640 /* 641 * Initialize some values and create some buffers 642 * that we need later. 643 * 644 * Slen = buffSize * CEIL(SaltLength/buffSize) 645 */ 646 Slen = buffSize * PBE_CEIL(params->ulSaltLen, buffSize); 647 648 /* 649 * Plen = buffSize * CEIL(PasswordLength/buffSize) 650 */ 651 Plen = buffSize * PBE_CEIL(params->ulPasswordLen, buffSize); 652 653 /* 654 * From step 4: I = S + P, so: Ilen = Slen + Plen 655 */ 656 Ilen = Slen + Plen; 657 I = (CK_BYTE *)malloc(Ilen); 658 if (I == NULL) { 659 rv = CKR_HOST_MEMORY; 660 goto cleanup; 661 } 662 663 S = I; 664 P = I + Slen; 665 666 /* 667 * Step 1. 668 * We are only interested in deriving keys for encrypt/decrypt 669 * for now, so construct the "D"iversifier accordingly. 670 */ 671 (void) memset(D, PBE_ID_ENCRYPT, Dlen); 672 673 /* 674 * Step 2. 675 * Concatenate copies of the salt together to make S. 676 */ 677 for (i = 0; i < Slen; i += params->ulSaltLen) { 678 (void) memcpy(S+i, params->pSalt, 679 ((Slen - i) > params->ulSaltLen ? 680 params->ulSaltLen : (Slen - i))); 681 } 682 683 /* 684 * Step 3. 685 * Concatenate copies of the password together to make 686 * a string P. 687 */ 688 for (i = 0; i < Plen; i += params->ulPasswordLen) { 689 (void) memcpy(P+i, params->pPassword, 690 ((Plen - i) > params->ulPasswordLen ? 691 params->ulPasswordLen : (Plen - i))); 692 } 693 694 /* 695 * Step 4. 696 * I = S+P - this is now done because S and P are 697 * pointers into I. 698 * 699 * Step 5. 700 * c= CEIL[n/u] 701 * where n = pseudorandom bits of output desired. 702 */ 703 c = PBE_CEIL(keysize, hashSize); 704 705 /* 706 * Step 6. 707 */ 708 Alen = c * hashSize; 709 A = (CK_BYTE *)malloc(Alen); 710 if (A == NULL) { 711 rv = CKR_HOST_MEMORY; 712 goto cleanup; 713 } 714 AiLen = hashSize; 715 Ai = (CK_BYTE *)malloc(AiLen); 716 if (Ai == NULL) { 717 rv = CKR_HOST_MEMORY; 718 goto cleanup; 719 } 720 721 /* 722 * Step 6a. 723 * Ai = Hr(D+I) 724 */ 725 for (i = 0; i < c; i++) { 726 (void) pthread_mutex_lock(&session_p->session_mutex); 727 728 if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) { 729 (void) pthread_mutex_unlock(&session_p->session_mutex); 730 rv = CKR_OPERATION_ACTIVE; 731 goto cleanup; 732 } 733 session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE; 734 (void) pthread_mutex_unlock(&session_p->session_mutex); 735 736 for (j = 0; j < params->ulIteration; j++) { 737 rv = soft_digest_init(session_p, &digest_mech); 738 if (rv != CKR_OK) 739 goto digest_done; 740 741 if (j == 0) { 742 rv = soft_digest_update(session_p, D, Dlen); 743 if (rv != CKR_OK) 744 goto digest_done; 745 746 rv = soft_digest_update(session_p, I, Ilen); 747 } else { 748 rv = soft_digest_update(session_p, Ai, AiLen); 749 } 750 if (rv != CKR_OK) 751 goto digest_done; 752 753 rv = soft_digest_final(session_p, Ai, &AiLen); 754 if (rv != CKR_OK) 755 goto digest_done; 756 } 757 digest_done: 758 (void) pthread_mutex_lock(&session_p->session_mutex); 759 session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE; 760 (void) pthread_mutex_unlock(&session_p->session_mutex); 761 762 if (rv != CKR_OK) 763 goto cleanup; 764 /* 765 * Step 6b. 766 * Concatenate Ai to make B 767 */ 768 for (j = 0; j < Blen; j += hashSize) { 769 (void) memcpy(B+j, Ai, ((Blen - j > hashSize) ? 770 hashSize : Blen - j)); 771 } 772 773 /* 774 * Step 6c. 775 */ 776 k = Ilen / Blen; 777 for (j = 0; j < k; j++) { 778 uchar_t idx; 779 CK_ULONG m, q = 1, cbit = 0; 780 781 for (m = Blen - 1; m >= (CK_ULONG)0; m--, q = 0) { 782 idx = m + j*Blen; 783 784 q += (CK_ULONG)I[idx] + (CK_ULONG)B[m]; 785 q += cbit; 786 I[idx] = (CK_BYTE)(q & 0xff); 787 cbit = (q > 0xff); 788 } 789 } 790 791 /* 792 * Step 7. 793 * A += Ai 794 */ 795 (void) memcpy(A + i*hashSize, Ai, AiLen); 796 } 797 798 /* 799 * Step 8. 800 * The final output of this process is the A buffer 801 */ 802 (void) memcpy(keybuf, A, keysize); 803 804 cleanup: 805 if (A) { 806 bzero(A, Alen); 807 free(A); 808 } 809 if (Ai) { 810 bzero(Ai, AiLen); 811 free(Ai); 812 } 813 if (B) { 814 bzero(B, Blen); 815 free(B); 816 } 817 if (D) { 818 bzero(D, Dlen); 819 free(D); 820 } 821 if (I) { 822 bzero(I, Ilen); 823 free(I); 824 } 825 return (rv); 826 } 827 828 CK_RV 829 soft_derivekey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 830 soft_object_t *basekey_p, CK_ATTRIBUTE_PTR pTemplate, 831 CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey) 832 { 833 834 CK_RV rv = CKR_OK; 835 soft_object_t *secret_key; 836 CK_MECHANISM digest_mech; 837 CK_BYTE hash[SHA512_DIGEST_LENGTH]; /* space enough for all mechs */ 838 CK_ULONG hash_len = SHA512_DIGEST_LENGTH; 839 CK_ULONG secret_key_len; 840 CK_ULONG hash_size; 841 842 switch (pMechanism->mechanism) { 843 case CKM_DH_PKCS_DERIVE: 844 /* 845 * Create a new object for secret key. The key type should 846 * be provided in the template. 847 */ 848 rv = soft_gen_keyobject(pTemplate, ulAttributeCount, 849 phKey, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL, 0, 850 SOFT_DERIVE_KEY_DH, B_FALSE); 851 852 if (rv != CKR_OK) { 853 return (rv); 854 } 855 856 /* Obtain the secret object pointer. */ 857 secret_key = (soft_object_t *)*phKey; 858 859 rv = soft_dh_key_derive(basekey_p, secret_key, 860 (CK_BYTE *)pMechanism->pParameter, 861 pMechanism->ulParameterLen); 862 863 if (rv != CKR_OK) { 864 if (IS_TOKEN_OBJECT(secret_key)) 865 soft_delete_token_object(secret_key, B_FALSE, 866 B_FALSE); 867 else 868 soft_delete_object(session_p, secret_key, 869 B_FALSE); 870 return (rv); 871 } 872 873 break; 874 875 case CKM_ECDH1_DERIVE: 876 /* 877 * Create a new object for secret key. The key type should 878 * be provided in the template. 879 */ 880 rv = soft_gen_keyobject(pTemplate, ulAttributeCount, 881 phKey, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL, 0, 882 SOFT_DERIVE_KEY_DH, B_FALSE); 883 884 if (rv != CKR_OK) { 885 return (rv); 886 } 887 888 /* Obtain the secret object pointer. */ 889 secret_key = (soft_object_t *)*phKey; 890 891 rv = soft_ec_key_derive(basekey_p, secret_key, 892 (CK_BYTE *)pMechanism->pParameter, 893 pMechanism->ulParameterLen); 894 895 if (rv != CKR_OK) { 896 if (IS_TOKEN_OBJECT(secret_key)) 897 soft_delete_token_object(secret_key, B_FALSE, 898 B_FALSE); 899 else 900 soft_delete_object(session_p, secret_key, 901 B_FALSE); 902 return (rv); 903 } 904 905 break; 906 907 case CKM_SHA1_KEY_DERIVATION: 908 hash_size = SHA1_HASH_SIZE; 909 digest_mech.mechanism = CKM_SHA_1; 910 goto common; 911 912 case CKM_MD5_KEY_DERIVATION: 913 hash_size = MD5_HASH_SIZE; 914 digest_mech.mechanism = CKM_MD5; 915 goto common; 916 917 case CKM_SHA256_KEY_DERIVATION: 918 hash_size = SHA256_DIGEST_LENGTH; 919 digest_mech.mechanism = CKM_SHA256; 920 goto common; 921 922 case CKM_SHA384_KEY_DERIVATION: 923 hash_size = SHA384_DIGEST_LENGTH; 924 digest_mech.mechanism = CKM_SHA384; 925 goto common; 926 927 case CKM_SHA512_KEY_DERIVATION: 928 hash_size = SHA512_DIGEST_LENGTH; 929 digest_mech.mechanism = CKM_SHA512; 930 goto common; 931 932 common: 933 /* 934 * Create a new object for secret key. The key type is optional 935 * to be provided in the template. If it is not specified in 936 * the template, the default is CKK_GENERIC_SECRET. 937 */ 938 rv = soft_gen_keyobject(pTemplate, ulAttributeCount, 939 phKey, session_p, CKO_SECRET_KEY, 940 (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0, 941 SOFT_DERIVE_KEY_OTHER, B_FALSE); 942 943 if (rv != CKR_OK) { 944 return (rv); 945 } 946 947 /* Obtain the secret object pointer. */ 948 secret_key = (soft_object_t *)*phKey; 949 950 /* Validate the key type and key length */ 951 rv = soft_key_derive_check_length(secret_key, hash_size); 952 if (rv != CKR_OK) { 953 if (IS_TOKEN_OBJECT(secret_key)) 954 soft_delete_token_object(secret_key, B_FALSE, 955 B_FALSE); 956 else 957 soft_delete_object(session_p, secret_key, 958 B_FALSE); 959 return (rv); 960 } 961 962 /* 963 * Derive the secret key by digesting the value of another 964 * secret key (base key) with SHA-1 or MD5. 965 */ 966 rv = soft_digest_init_internal(session_p, &digest_mech); 967 if (rv != CKR_OK) { 968 if (IS_TOKEN_OBJECT(secret_key)) 969 soft_delete_token_object(secret_key, B_FALSE, 970 B_FALSE); 971 else 972 soft_delete_object(session_p, secret_key, 973 B_FALSE); 974 return (rv); 975 } 976 977 rv = soft_digest(session_p, OBJ_SEC_VALUE(basekey_p), 978 OBJ_SEC_VALUE_LEN(basekey_p), hash, &hash_len); 979 980 (void) pthread_mutex_lock(&session_p->session_mutex); 981 /* soft_digest_common() has freed the digest context */ 982 session_p->digest.flags = 0; 983 (void) pthread_mutex_unlock(&session_p->session_mutex); 984 985 if (rv != CKR_OK) { 986 if (IS_TOKEN_OBJECT(secret_key)) 987 soft_delete_token_object(secret_key, B_FALSE, 988 B_FALSE); 989 else 990 soft_delete_object(session_p, secret_key, 991 B_FALSE); 992 return (rv); 993 } 994 995 secret_key_len = OBJ_SEC_VALUE_LEN(secret_key); 996 997 if ((OBJ_SEC_VALUE(secret_key) = malloc(secret_key_len)) == 998 NULL) { 999 if (IS_TOKEN_OBJECT(secret_key)) 1000 soft_delete_token_object(secret_key, B_FALSE, 1001 B_FALSE); 1002 else 1003 soft_delete_object(session_p, secret_key, 1004 B_FALSE); 1005 return (CKR_HOST_MEMORY); 1006 } 1007 1008 /* 1009 * The key produced by this mechanism will be of the 1010 * specified type and length. 1011 * The truncation removes extra bytes from the leading 1012 * of the digested key value. 1013 */ 1014 (void) memcpy(OBJ_SEC_VALUE(secret_key), 1015 (hash + hash_len - secret_key_len), 1016 secret_key_len); 1017 1018 break; 1019 1020 /* 1021 * The key sensitivity and extractability rules for the generated 1022 * keys will be enforced inside soft_ssl_master_key_derive() and 1023 * soft_ssl_key_and_mac_derive() 1024 */ 1025 case CKM_SSL3_MASTER_KEY_DERIVE: 1026 case CKM_SSL3_MASTER_KEY_DERIVE_DH: 1027 case CKM_TLS_MASTER_KEY_DERIVE: 1028 case CKM_TLS_MASTER_KEY_DERIVE_DH: 1029 if (phKey == NULL_PTR) 1030 return (CKR_ARGUMENTS_BAD); 1031 return (soft_ssl_master_key_derive(session_p, pMechanism, 1032 basekey_p, pTemplate, ulAttributeCount, phKey)); 1033 1034 case CKM_SSL3_KEY_AND_MAC_DERIVE: 1035 case CKM_TLS_KEY_AND_MAC_DERIVE: 1036 return (soft_ssl_key_and_mac_derive(session_p, pMechanism, 1037 basekey_p, pTemplate, ulAttributeCount)); 1038 1039 case CKM_TLS_PRF: 1040 if (pMechanism->pParameter == NULL || 1041 pMechanism->ulParameterLen != sizeof (CK_TLS_PRF_PARAMS) || 1042 phKey != NULL) 1043 return (CKR_ARGUMENTS_BAD); 1044 1045 if (pTemplate != NULL) 1046 return (CKR_TEMPLATE_INCONSISTENT); 1047 1048 return (derive_tls_prf( 1049 (CK_TLS_PRF_PARAMS_PTR)pMechanism->pParameter, basekey_p)); 1050 1051 default: 1052 return (CKR_MECHANISM_INVALID); 1053 } 1054 1055 soft_derive_enforce_flags(basekey_p, secret_key); 1056 1057 if (IS_TOKEN_OBJECT(secret_key)) { 1058 /* 1059 * All the info has been filled, so we can write to 1060 * keystore now. 1061 */ 1062 rv = soft_put_object_to_keystore(secret_key); 1063 if (rv != CKR_OK) 1064 soft_delete_token_object(secret_key, B_FALSE, B_FALSE); 1065 } 1066 1067 return (rv); 1068 } 1069 1070 1071 /* 1072 * Perform key derivation rules on key's sensitivity and extractability. 1073 */ 1074 void 1075 soft_derive_enforce_flags(soft_object_t *basekey, soft_object_t *newkey) 1076 { 1077 1078 boolean_t new_sensitive = B_FALSE; 1079 boolean_t new_extractable = B_FALSE; 1080 1081 /* 1082 * The sensitive and extractable bits have been set when 1083 * the newkey was built. 1084 */ 1085 if (newkey->bool_attr_mask & SENSITIVE_BOOL_ON) { 1086 new_sensitive = B_TRUE; 1087 } 1088 1089 if (newkey->bool_attr_mask & EXTRACTABLE_BOOL_ON) { 1090 new_extractable = B_TRUE; 1091 } 1092 1093 /* Derive the CKA_ALWAYS_SENSITIVE flag */ 1094 if (!basekey->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON) { 1095 /* 1096 * If the base key has its CKA_ALWAYS_SENSITIVE set to 1097 * FALSE, then the derived key will as well. 1098 */ 1099 newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON; 1100 } else { 1101 /* 1102 * If the base key has its CKA_ALWAYS_SENSITIVE set to TRUE, 1103 * then the derived key has the CKA_ALWAYS_SENSITIVE set to 1104 * the same value as its CKA_SENSITIVE; 1105 */ 1106 if (new_sensitive) { 1107 newkey->bool_attr_mask |= ALWAYS_SENSITIVE_BOOL_ON; 1108 } else { 1109 newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON; 1110 } 1111 } 1112 1113 /* Derive the CKA_NEVER_EXTRACTABLE flag */ 1114 if (!basekey->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) { 1115 /* 1116 * If the base key has its CKA_NEVER_EXTRACTABLE set to 1117 * FALSE, then the derived key will as well. 1118 */ 1119 newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON; 1120 } else { 1121 /* 1122 * If the base key has its CKA_NEVER_EXTRACTABLE set to TRUE, 1123 * then the derived key has the CKA_NEVER_EXTRACTABLE set to 1124 * the opposite value from its CKA_EXTRACTABLE; 1125 */ 1126 if (new_extractable) { 1127 newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON; 1128 } else { 1129 newkey->bool_attr_mask |= NEVER_EXTRACTABLE_BOOL_ON; 1130 } 1131 } 1132 1133 /* Set the CKA_LOCAL flag to false */ 1134 newkey->bool_attr_mask &= ~LOCAL_BOOL_ON; 1135 } 1136 1137 1138 /* 1139 * do_prf 1140 * 1141 * This routine implements Step 3. of the PBKDF2 function 1142 * defined in PKCS#5 for generating derived keys from a 1143 * password. 1144 * 1145 * Currently, PRF is always SHA_1_HMAC. 1146 */ 1147 static CK_RV 1148 do_prf(soft_session_t *session_p, 1149 CK_PKCS5_PBKD2_PARAMS_PTR params, 1150 soft_object_t *hmac_key, 1151 CK_BYTE *newsalt, CK_ULONG saltlen, 1152 CK_BYTE *blockdata, CK_ULONG blocklen) 1153 { 1154 CK_RV rv = CKR_OK; 1155 CK_MECHANISM digest_mech = {CKM_SHA_1_HMAC, NULL, 0}; 1156 CK_BYTE buffer[2][SHA1_HASH_SIZE]; 1157 CK_ULONG hmac_outlen = SHA1_HASH_SIZE; 1158 CK_ULONG inlen; 1159 CK_BYTE *input, *output; 1160 CK_ULONG i, j; 1161 1162 input = newsalt; 1163 inlen = saltlen; 1164 1165 output = buffer[1]; 1166 (void) pthread_mutex_lock(&session_p->session_mutex); 1167 1168 if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) { 1169 (void) pthread_mutex_unlock(&session_p->session_mutex); 1170 return (CKR_OPERATION_ACTIVE); 1171 } 1172 session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE; 1173 (void) pthread_mutex_unlock(&session_p->session_mutex); 1174 1175 for (i = 0; i < params->iterations; i++) { 1176 /* 1177 * The key doesn't change, its always the 1178 * password iniitally given. 1179 */ 1180 rv = soft_sign_init(session_p, &digest_mech, hmac_key); 1181 1182 if (rv != CKR_OK) { 1183 goto cleanup; 1184 } 1185 1186 /* Call PRF function (SHA1_HMAC for now). */ 1187 rv = soft_sign(session_p, input, inlen, output, &hmac_outlen); 1188 1189 if (rv != CKR_OK) { 1190 goto cleanup; 1191 } 1192 /* 1193 * The first time, initialize the output buffer 1194 * with the HMAC signature. 1195 */ 1196 if (i == 0) { 1197 (void) memcpy(blockdata, output, 1198 local_min(blocklen, hmac_outlen)); 1199 } else { 1200 /* 1201 * XOR the existing data with output from PRF. 1202 * 1203 * Only XOR up to the length of the blockdata, 1204 * it may be less than a full hmac buffer when 1205 * the final block is being computed. 1206 */ 1207 for (j = 0; j < hmac_outlen && j < blocklen; j++) 1208 blockdata[j] ^= output[j]; 1209 } 1210 /* Output from previous PRF is input for next round */ 1211 input = output; 1212 inlen = hmac_outlen; 1213 1214 /* 1215 * Switch buffers to avoid overuse of memcpy. 1216 * Initially we used buffer[1], so after the end of 1217 * the first iteration (i==0), we switch to buffer[0] 1218 * and continue swapping with each iteration. 1219 */ 1220 output = buffer[i%2]; 1221 } 1222 cleanup: 1223 (void) pthread_mutex_lock(&session_p->session_mutex); 1224 session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE; 1225 (void) pthread_mutex_unlock(&session_p->session_mutex); 1226 1227 return (rv); 1228 } 1229 1230 static CK_RV 1231 soft_create_hmac_key(soft_session_t *session_p, CK_BYTE *passwd, 1232 CK_ULONG passwd_len, CK_OBJECT_HANDLE_PTR phKey) 1233 { 1234 CK_RV rv = CKR_OK; 1235 CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY; 1236 CK_KEY_TYPE keytype = CKK_GENERIC_SECRET; 1237 CK_BBOOL True = TRUE; 1238 CK_ATTRIBUTE keytemplate[4]; 1239 /* 1240 * We must initialize each template member individually 1241 * because at the time of initial coding for ON10, the 1242 * compiler was using the "-xc99=%none" option 1243 * which prevents us from being able to declare the whole 1244 * template in place as usual. 1245 */ 1246 keytemplate[0].type = CKA_CLASS; 1247 keytemplate[0].pValue = &keyclass; 1248 keytemplate[0].ulValueLen = sizeof (keyclass); 1249 1250 keytemplate[1].type = CKA_KEY_TYPE; 1251 keytemplate[1].pValue = &keytype; 1252 keytemplate[1].ulValueLen = sizeof (keytype); 1253 1254 keytemplate[2].type = CKA_SIGN; 1255 keytemplate[2].pValue = &True; 1256 keytemplate[2].ulValueLen = sizeof (True); 1257 1258 keytemplate[3].type = CKA_VALUE; 1259 keytemplate[3].pValue = passwd; 1260 keytemplate[3].ulValueLen = passwd_len; 1261 /* 1262 * Create a generic key object to be used for HMAC operations. 1263 * The "value" for this key is the password from the 1264 * mechanism parameter structure. 1265 */ 1266 rv = soft_gen_keyobject(keytemplate, 1267 sizeof (keytemplate)/sizeof (CK_ATTRIBUTE), phKey, session_p, 1268 CKO_SECRET_KEY, (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0, 1269 SOFT_CREATE_OBJ, B_TRUE); 1270 1271 return (rv); 1272 } 1273 1274 CK_RV 1275 soft_generate_pkcs5_pbkdf2_key(soft_session_t *session_p, 1276 CK_MECHANISM_PTR pMechanism, 1277 soft_object_t *secret_key) 1278 { 1279 CK_RV rv = CKR_OK; 1280 CK_PKCS5_PBKD2_PARAMS *params = 1281 (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter; 1282 CK_ULONG hLen = SHA1_HASH_SIZE; 1283 CK_ULONG dkLen, i; 1284 CK_ULONG blocks, remainder; 1285 CK_OBJECT_HANDLE phKey = 0; 1286 soft_object_t *hmac_key = NULL; 1287 CK_BYTE *salt = NULL; 1288 CK_BYTE *keydata = NULL; 1289 1290 params = (CK_PKCS5_PBKD2_PARAMS_PTR) pMechanism->pParameter; 1291 1292 if (params->prf != CKP_PKCS5_PBKD2_HMAC_SHA1) 1293 return (CKR_MECHANISM_PARAM_INVALID); 1294 1295 if (params->pPrfData != NULL || params->ulPrfDataLen != 0) 1296 return (CKR_DATA_INVALID); 1297 1298 if (params->saltSource != CKZ_SALT_SPECIFIED || 1299 params->iterations == 0) 1300 return (CKR_MECHANISM_PARAM_INVALID); 1301 1302 /* 1303 * Create a key object to use for HMAC operations. 1304 */ 1305 rv = soft_create_hmac_key(session_p, params->pPassword, 1306 *params->ulPasswordLen, &phKey); 1307 1308 if (rv != CKR_OK) 1309 return (rv); 1310 1311 hmac_key = (soft_object_t *)phKey; 1312 1313 /* Step 1. */ 1314 dkLen = OBJ_SEC_VALUE_LEN(secret_key); /* length of desired key */ 1315 1316 if (dkLen > ((((u_longlong_t)1)<<32)-1)*hLen) { 1317 (void) soft_delete_object(session_p, hmac_key, B_FALSE); 1318 return (CKR_KEY_SIZE_RANGE); 1319 } 1320 1321 /* Step 2. */ 1322 blocks = dkLen / hLen; 1323 1324 /* crude "Ceiling" function to adjust the number of blocks to use */ 1325 if (blocks * hLen != dkLen) 1326 blocks++; 1327 1328 remainder = dkLen - ((blocks - 1) * hLen); 1329 1330 /* Step 3 */ 1331 salt = (CK_BYTE *)malloc(params->ulSaltSourceDataLen + 4); 1332 if (salt == NULL) { 1333 (void) soft_delete_object(session_p, hmac_key, B_FALSE); 1334 return (CKR_HOST_MEMORY); 1335 } 1336 /* 1337 * Nothing in PKCS#5 says you cannot pass an empty 1338 * salt, so we will allow for this and not return error 1339 * if the salt is not specified. 1340 */ 1341 if (params->pSaltSourceData != NULL && params->ulSaltSourceDataLen > 0) 1342 (void) memcpy(salt, params->pSaltSourceData, 1343 params->ulSaltSourceDataLen); 1344 1345 /* 1346 * Get pointer to the data section of the key, 1347 * this will be used below as output from the 1348 * PRF iteration/concatenations so that when the 1349 * blocks are all iterated, the secret_key will 1350 * have the resulting derived key value. 1351 */ 1352 keydata = (CK_BYTE *)OBJ_SEC_VALUE(secret_key); 1353 1354 /* Step 4. */ 1355 for (i = 0; i < blocks && (rv == CKR_OK); i++) { 1356 CK_BYTE *s; 1357 1358 s = salt + params->ulSaltSourceDataLen; 1359 1360 /* 1361 * Append the block index to the salt as input 1362 * to the PRF. Block index should start at 1 1363 * not 0. 1364 */ 1365 *s++ = ((i+1) >> 24) & 0xff; 1366 *s++ = ((i+1) >> 16) & 0xff; 1367 *s++ = ((i+1) >> 8) & 0xff; 1368 *s = ((i+1)) & 0xff; 1369 1370 /* 1371 * Adjust the key pointer so we always append the 1372 * PRF output to the current key. 1373 */ 1374 rv = do_prf(session_p, params, hmac_key, 1375 salt, params->ulSaltSourceDataLen + 4, keydata, 1376 ((i + 1) == blocks ? remainder : hLen)); 1377 1378 keydata += hLen; 1379 } 1380 (void) soft_delete_object(session_p, hmac_key, B_FALSE); 1381 free(salt); 1382 1383 return (rv); 1384 } 1385 1386 CK_RV 1387 soft_wrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 1388 soft_object_t *wrappingKey_p, soft_object_t *hkey_p, 1389 CK_BYTE_PTR pWrappedKey, CK_ULONG_PTR pulWrappedKeyLen) 1390 { 1391 CK_RV rv = CKR_OK; 1392 CK_ULONG plain_len = 0; 1393 CK_BYTE_PTR plain_data = NULL; 1394 CK_ULONG padded_len = 0; 1395 CK_BYTE_PTR padded_data = NULL; 1396 CK_ULONG wkey_blksz = 1; /* so modulo will work right */ 1397 1398 /* Check if the mechanism is supported. */ 1399 switch (pMechanism->mechanism) { 1400 case CKM_DES_CBC_PAD: 1401 case CKM_DES3_CBC_PAD: 1402 case CKM_AES_CBC_PAD: 1403 /* 1404 * Secret key mechs with padding can be used to wrap secret 1405 * keys and private keys only. See PKCS#11, * sec 11.14, 1406 * C_WrapKey and secs 12.* for each mechanism's wrapping/ 1407 * unwrapping constraints. 1408 */ 1409 if (hkey_p->class != CKO_SECRET_KEY && hkey_p->class != 1410 CKO_PRIVATE_KEY) 1411 return (CKR_MECHANISM_INVALID); 1412 break; 1413 case CKM_RSA_PKCS: 1414 case CKM_RSA_X_509: 1415 case CKM_DES_ECB: 1416 case CKM_DES3_ECB: 1417 case CKM_AES_ECB: 1418 case CKM_DES_CBC: 1419 case CKM_DES3_CBC: 1420 case CKM_AES_CBC: 1421 case CKM_BLOWFISH_CBC: 1422 /* 1423 * Unpadded secret key mechs and private key mechs are only 1424 * defined for wrapping secret keys. See PKCS#11 refs above. 1425 */ 1426 if (hkey_p->class != CKO_SECRET_KEY) 1427 return (CKR_MECHANISM_INVALID); 1428 break; 1429 default: 1430 return (CKR_MECHANISM_INVALID); 1431 } 1432 1433 if (hkey_p->class == CKO_SECRET_KEY) { 1434 plain_data = OBJ_SEC_VALUE(hkey_p); 1435 plain_len = OBJ_SEC_VALUE_LEN(hkey_p); 1436 } else { 1437 /* 1438 * BER-encode the object to be wrapped: call first with 1439 * plain_data = NULL to get the size needed, allocate that 1440 * much space, call again to fill space with actual data. 1441 */ 1442 rv = soft_object_to_asn1(hkey_p, NULL, &plain_len); 1443 if (rv != CKR_OK) 1444 return (rv); 1445 if ((plain_data = malloc(plain_len)) == NULL) 1446 return (CKR_HOST_MEMORY); 1447 (void) memset(plain_data, 0x0, plain_len); 1448 rv = soft_object_to_asn1(hkey_p, plain_data, &plain_len); 1449 if (rv != CKR_OK) 1450 goto cleanup_wrap; 1451 } 1452 1453 /* 1454 * For unpadded ECB and CBC mechanisms, the object needs to be 1455 * padded to the wrapping key's blocksize prior to the encryption. 1456 */ 1457 padded_len = plain_len; 1458 padded_data = plain_data; 1459 1460 switch (pMechanism->mechanism) { 1461 case CKM_DES_ECB: 1462 case CKM_DES3_ECB: 1463 case CKM_AES_ECB: 1464 case CKM_DES_CBC: 1465 case CKM_DES3_CBC: 1466 case CKM_AES_CBC: 1467 case CKM_BLOWFISH_CBC: 1468 /* Find the block size of the wrapping key. */ 1469 if (wrappingKey_p->class == CKO_SECRET_KEY) { 1470 switch (wrappingKey_p->key_type) { 1471 case CKK_DES: 1472 case CKK_DES2: 1473 case CKK_DES3: 1474 wkey_blksz = DES_BLOCK_LEN; 1475 break; 1476 case CKK_AES: 1477 wkey_blksz = AES_BLOCK_LEN; 1478 break; 1479 case CKK_BLOWFISH: 1480 wkey_blksz = BLOWFISH_BLOCK_LEN; 1481 break; 1482 default: 1483 break; 1484 } 1485 } else { 1486 rv = CKR_WRAPPING_KEY_TYPE_INCONSISTENT; 1487 goto cleanup_wrap; 1488 } 1489 1490 /* Extend the plain text data to block size boundary. */ 1491 if ((padded_len % wkey_blksz) != 0) { 1492 padded_len += (wkey_blksz - (plain_len % wkey_blksz)); 1493 if ((padded_data = malloc(padded_len)) == NULL) { 1494 rv = CKR_HOST_MEMORY; 1495 goto cleanup_wrap; 1496 } 1497 (void) memset(padded_data, 0x0, padded_len); 1498 (void) memcpy(padded_data, plain_data, plain_len); 1499 } 1500 break; 1501 default: 1502 break; 1503 } 1504 1505 rv = soft_encrypt_init(session_p, pMechanism, wrappingKey_p); 1506 if (rv != CKR_OK) 1507 goto cleanup_wrap; 1508 1509 rv = soft_encrypt(session_p, padded_data, padded_len, 1510 pWrappedKey, pulWrappedKeyLen); 1511 1512 cleanup_wrap: 1513 if (padded_data != NULL && padded_len != plain_len) { 1514 /* Clear buffer before returning to memory pool. */ 1515 (void) memset(padded_data, 0x0, padded_len); 1516 free(padded_data); 1517 } 1518 1519 if ((hkey_p->class != CKO_SECRET_KEY) && (plain_data != NULL)) { 1520 /* Clear buffer before returning to memory pool. */ 1521 (void) memset(plain_data, 0x0, plain_len); 1522 free(plain_data); 1523 } 1524 1525 return (rv); 1526 } 1527 1528 /* 1529 * Quick check for whether unwrapped key length is appropriate for key type 1530 * and whether it needs to be truncated (in case the wrapping function had 1531 * to pad the key prior to wrapping). 1532 */ 1533 static CK_RV 1534 soft_unwrap_secret_len_check(CK_KEY_TYPE keytype, CK_MECHANISM_TYPE mechtype, 1535 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount) 1536 { 1537 CK_ULONG i; 1538 boolean_t isValueLen = B_FALSE; 1539 1540 /* 1541 * Based on the key type and the mech used to unwrap, need to 1542 * determine if CKA_VALUE_LEN should or should not be specified. 1543 * PKCS#11 v2.11 restricts CKA_VALUE_LEN from being specified 1544 * for C_UnwrapKey for all mechs and key types, but v2.20 loosens 1545 * that restriction, perhaps because it makes it impossible to 1546 * determine the original length of unwrapped variable-length secret 1547 * keys, such as RC4, AES, and GENERIC_SECRET. These variable-length 1548 * secret keys would have been padded with trailing null-bytes so 1549 * that they could be successfully wrapped with *_ECB and *_CBC 1550 * mechanisms. Hence for unwrapping with these mechs, CKA_VALUE_LEN 1551 * must be specified. For unwrapping with other mechs, such as 1552 * *_CBC_PAD, the CKA_VALUE_LEN is not needed. 1553 */ 1554 1555 /* Find out if template has CKA_VALUE_LEN. */ 1556 for (i = 0; i < ulAttributeCount; i++) { 1557 if (pTemplate[i].type == CKA_VALUE_LEN && 1558 pTemplate[i].pValue != NULL) { 1559 isValueLen = B_TRUE; 1560 break; 1561 } 1562 } 1563 1564 /* Does its presence conflict with the mech type and key type? */ 1565 switch (mechtype) { 1566 case CKM_DES_ECB: 1567 case CKM_DES3_ECB: 1568 case CKM_AES_ECB: 1569 case CKM_DES_CBC: 1570 case CKM_DES3_CBC: 1571 case CKM_AES_CBC: 1572 case CKM_BLOWFISH_CBC: 1573 /* 1574 * CKA_VALUE_LEN must be specified 1575 * if keytype is CKK_RC4, CKK_AES and CKK_GENERIC_SECRET 1576 * and must not be specified otherwise 1577 */ 1578 switch (keytype) { 1579 case CKK_DES: 1580 case CKK_DES2: 1581 case CKK_DES3: 1582 if (isValueLen) 1583 return (CKR_TEMPLATE_INCONSISTENT); 1584 break; 1585 case CKK_GENERIC_SECRET: 1586 case CKK_RC4: 1587 case CKK_AES: 1588 case CKK_BLOWFISH: 1589 if (!isValueLen) 1590 return (CKR_TEMPLATE_INCOMPLETE); 1591 break; 1592 default: 1593 return (CKR_FUNCTION_NOT_SUPPORTED); 1594 } 1595 break; 1596 default: 1597 /* CKA_VALUE_LEN must not be specified */ 1598 if (isValueLen) 1599 return (CKR_TEMPLATE_INCONSISTENT); 1600 break; 1601 } 1602 1603 return (CKR_OK); 1604 } 1605 1606 CK_RV 1607 soft_unwrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 1608 soft_object_t *unwrappingkey_p, 1609 CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen, 1610 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, 1611 CK_OBJECT_HANDLE_PTR phKey) 1612 { 1613 CK_RV rv = CKR_OK; 1614 CK_OBJECT_CLASS new_obj_class = ~0UL; 1615 int i = 0; 1616 soft_object_t *new_objp = NULL; 1617 boolean_t persistent = B_FALSE; 1618 CK_BYTE_PTR plain_data = NULL; 1619 CK_ULONG plain_len = 0; 1620 secret_key_obj_t *sck = NULL; 1621 1622 /* Scan the attribute template for the object class. */ 1623 if (pTemplate != NULL && ulAttributeCount != 0) { 1624 for (i = 0; i < ulAttributeCount; i++) { 1625 if (pTemplate[i].type == CKA_CLASS) { 1626 new_obj_class = 1627 *((CK_OBJECT_CLASS *)pTemplate[i].pValue); 1628 break; 1629 } 1630 } 1631 if (new_obj_class == ~0UL) 1632 return (CKR_TEMPLATE_INCOMPLETE); 1633 } 1634 1635 /* 1636 * Check if the mechanism is supported, and now that the new 1637 * object's class is known, the mechanism selected should be 1638 * capable of doing the unwrap. 1639 */ 1640 switch (pMechanism->mechanism) { 1641 case CKM_RSA_PKCS: 1642 case CKM_RSA_X_509: 1643 case CKM_DES_ECB: 1644 case CKM_DES3_ECB: 1645 case CKM_AES_ECB: 1646 case CKM_DES_CBC: 1647 case CKM_DES3_CBC: 1648 case CKM_AES_CBC: 1649 case CKM_BLOWFISH_CBC: 1650 if (new_obj_class != CKO_SECRET_KEY) 1651 return (CKR_MECHANISM_INVALID); 1652 break; 1653 case CKM_DES_CBC_PAD: 1654 case CKM_DES3_CBC_PAD: 1655 case CKM_AES_CBC_PAD: 1656 if (new_obj_class != CKO_SECRET_KEY && new_obj_class != 1657 CKO_PRIVATE_KEY) 1658 return (CKR_MECHANISM_INVALID); 1659 break; 1660 default: 1661 return (CKR_MECHANISM_INVALID); 1662 } 1663 1664 /* Create a new object based on the attribute template. */ 1665 rv = soft_gen_keyobject(pTemplate, ulAttributeCount, 1666 (CK_ULONG *)&new_objp, session_p, (CK_OBJECT_CLASS)~0UL, 1667 (CK_KEY_TYPE)~0UL, 0, SOFT_UNWRAP_KEY, B_FALSE); 1668 if (rv != CKR_OK) 1669 return (rv); 1670 1671 /* 1672 * New key will have CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE 1673 * both set to FALSE. CKA_EXTRACTABLE will be set _by_default_ to 1674 * true -- leaving the possibility that it may be set FALSE by the 1675 * supplied attribute template. If the precise template cannot be 1676 * supported, unwrap fails. PKCS#11 spec, Sec. 11.14, C_UnwrapKey. 1677 * 1678 * Therefore, check the new object's NEVER_EXTRACTABLE_BOOL_ON and 1679 * ALWAYS_SENSITVE_BOOL_ON; if they are TRUE, the template must 1680 * have supplied them and therefore we cannot honor the unwrap. 1681 */ 1682 if ((new_objp->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) || 1683 (new_objp->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON)) { 1684 rv = CKR_TEMPLATE_INCONSISTENT; 1685 goto cleanup_unwrap; 1686 } 1687 1688 rv = soft_decrypt_init(session_p, pMechanism, unwrappingkey_p); 1689 if (rv != CKR_OK) 1690 goto cleanup_unwrap; 1691 1692 /* First get the length of the plain data */ 1693 rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, NULL, 1694 &plain_len); 1695 if (rv != CKR_OK) 1696 goto cleanup_unwrap; 1697 1698 /* Allocate space for the unwrapped data */ 1699 if ((plain_data = malloc(plain_len)) == NULL) { 1700 rv = CKR_HOST_MEMORY; 1701 goto cleanup_unwrap; 1702 } 1703 (void) memset(plain_data, 0x0, plain_len); 1704 1705 /* Perform actual decryption into the allocated space. */ 1706 rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, plain_data, 1707 &plain_len); 1708 if (rv != CKR_OK) 1709 goto cleanup_unwrap; 1710 1711 if (new_objp->class == CKO_SECRET_KEY) { 1712 /* 1713 * Since no ASN.1 encoding is done for secret keys, check for 1714 * appropriateness and copy decrypted buffer to the key object. 1715 */ 1716 1717 /* Check keytype and mechtype don't conflict with valuelen */ 1718 rv = soft_unwrap_secret_len_check(new_objp->key_type, 1719 pMechanism->mechanism, pTemplate, ulAttributeCount); 1720 if (rv != CKR_OK) 1721 goto cleanup_unwrap; 1722 1723 /* 1724 * Allocate the secret key structure if not already there; 1725 * it will exist for variable length keys since CKA_VALUE_LEN 1726 * is specified and saved, but not for fixed length keys. 1727 */ 1728 if (OBJ_SEC(new_objp) == NULL) { 1729 if ((sck = calloc(1, sizeof (secret_key_obj_t))) == 1730 NULL) { 1731 rv = CKR_HOST_MEMORY; 1732 goto cleanup_unwrap; 1733 } 1734 OBJ_SEC(new_objp) = sck; 1735 } 1736 1737 switch (new_objp->key_type) { 1738 /* Fixed length secret keys don't have CKA_VALUE_LEN */ 1739 case CKK_DES: 1740 OBJ_SEC_VALUE_LEN(new_objp) = DES_KEYSIZE; 1741 break; 1742 case CKK_DES2: 1743 OBJ_SEC_VALUE_LEN(new_objp) = DES2_KEYSIZE; 1744 break; 1745 case CKK_DES3: 1746 OBJ_SEC_VALUE_LEN(new_objp) = DES3_KEYSIZE; 1747 break; 1748 1749 /* 1750 * Variable length secret keys. CKA_VALUE_LEN must be 1751 * provided by the template when mech is *_ECB or *_CBC, and 1752 * should already have been set during soft_gen_keyobject(). 1753 * Otherwise we don't need CKA_VALUE_LEN. 1754 */ 1755 case CKK_GENERIC_SECRET: 1756 case CKK_RC4: 1757 case CKK_AES: 1758 case CKK_BLOWFISH: 1759 break; 1760 default: 1761 rv = CKR_WRAPPED_KEY_INVALID; 1762 goto cleanup_unwrap; 1763 }; 1764 1765 if (OBJ_SEC_VALUE_LEN(new_objp) == 0) { 1766 /* No CKA_VALUE_LEN set so set it now and save data */ 1767 OBJ_SEC_VALUE_LEN(new_objp) = plain_len; 1768 OBJ_SEC_VALUE(new_objp) = plain_data; 1769 } else if (OBJ_SEC_VALUE_LEN(new_objp) == plain_len) { 1770 /* No need to truncate, just save the data */ 1771 OBJ_SEC_VALUE(new_objp) = plain_data; 1772 } else if (OBJ_SEC_VALUE_LEN(new_objp) > plain_len) { 1773 /* Length can't be bigger than what was decrypted */ 1774 rv = CKR_WRAPPED_KEY_LEN_RANGE; 1775 goto cleanup_unwrap; 1776 } else { /* betw 0 and plain_len, hence padded */ 1777 /* Truncate the data before saving. */ 1778 OBJ_SEC_VALUE(new_objp) = realloc(plain_data, 1779 OBJ_SEC_VALUE_LEN(new_objp)); 1780 if (OBJ_SEC_VALUE(new_objp) == NULL) { 1781 rv = CKR_HOST_MEMORY; 1782 goto cleanup_unwrap; 1783 } 1784 } 1785 } else { 1786 /* BER-decode the object to be unwrapped. */ 1787 rv = soft_asn1_to_object(new_objp, plain_data, plain_len); 1788 if (rv != CKR_OK) 1789 goto cleanup_unwrap; 1790 } 1791 1792 /* If it needs to be persistent, write it to the keystore */ 1793 if (IS_TOKEN_OBJECT(new_objp)) { 1794 persistent = B_TRUE; 1795 rv = soft_put_object_to_keystore(new_objp); 1796 if (rv != CKR_OK) 1797 goto cleanup_unwrap; 1798 } 1799 1800 if (new_objp->class != CKO_SECRET_KEY) { 1801 /* Clear buffer before returning to memory pool. */ 1802 (void) memset(plain_data, 0x0, plain_len); 1803 free(plain_data); 1804 } 1805 1806 *phKey = (CK_OBJECT_HANDLE)new_objp; 1807 1808 return (CKR_OK); 1809 1810 cleanup_unwrap: 1811 /* The decrypted private key buffer must be freed explicitly. */ 1812 if ((new_objp->class != CKO_SECRET_KEY) && (plain_data != NULL)) { 1813 /* Clear buffer before returning to memory pool. */ 1814 (void) memset(plain_data, 0x0, plain_len); 1815 free(plain_data); 1816 } 1817 1818 /* sck and new_objp are indirectly free()d inside these functions */ 1819 if (IS_TOKEN_OBJECT(new_objp)) 1820 soft_delete_token_object(new_objp, persistent, B_FALSE); 1821 else 1822 soft_delete_object(session_p, new_objp, B_FALSE); 1823 1824 return (rv); 1825 } 1826