1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <pthread.h> 27 #include <stdlib.h> 28 #include <string.h> 29 #include <strings.h> 30 #include <sys/types.h> 31 #include <security/cryptoki.h> 32 #include <sys/crypto/common.h> 33 #include <aes_impl.h> 34 #include <blowfish_impl.h> 35 #include <des_impl.h> 36 #include <arcfour.h> 37 #include <cryptoutil.h> 38 #include "softGlobal.h" 39 #include "softSession.h" 40 #include "softObject.h" 41 #include "softDSA.h" 42 #include "softRSA.h" 43 #include "softDH.h" 44 #include "softEC.h" 45 #include "softMAC.h" 46 #include "softOps.h" 47 #include "softKeys.h" 48 #include "softKeystore.h" 49 #include "softSSL.h" 50 #include "softASN1.h" 51 52 53 #define local_min(a, b) ((a) < (b) ? (a) : (b)) 54 55 extern CK_RV fips_pairwise_check(soft_session_t *, 56 soft_object_t *, soft_object_t *, CK_KEY_TYPE); 57 58 static CK_RV 59 soft_pkcs12_pbe(soft_session_t *, CK_MECHANISM_PTR, soft_object_t *); 60 61 /* 62 * Create a temporary key object struct by filling up its template attributes. 63 */ 64 CK_RV 65 soft_gen_keyobject(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, 66 CK_ULONG *objecthandle_p, soft_session_t *sp, 67 CK_OBJECT_CLASS class, CK_KEY_TYPE key_type, CK_ULONG keylen, CK_ULONG mode, 68 boolean_t internal) 69 { 70 71 CK_RV rv; 72 soft_object_t *new_objp = NULL; 73 74 new_objp = calloc(1, sizeof (soft_object_t)); 75 if (new_objp == NULL) { 76 return (CKR_HOST_MEMORY); 77 } 78 79 new_objp->extra_attrlistp = NULL; 80 81 /* 82 * Validate attribute template and fill in the attributes 83 * in the soft_object_t. 84 */ 85 rv = soft_build_key(pTemplate, ulCount, new_objp, class, key_type, 86 keylen, mode); 87 if (rv != CKR_OK) { 88 goto fail_cleanup1; 89 } 90 91 /* 92 * If generating a key is an internal request (i.e. not a C_XXX 93 * API request), then skip the following checks. 94 */ 95 if (!internal) { 96 rv = soft_pin_expired_check(new_objp); 97 if (rv != CKR_OK) { 98 goto fail_cleanup2; 99 } 100 101 rv = soft_object_write_access_check(sp, new_objp); 102 if (rv != CKR_OK) { 103 goto fail_cleanup2; 104 } 105 } 106 107 /* Initialize the rest of stuffs in soft_object_t. */ 108 (void) pthread_mutex_init(&new_objp->object_mutex, NULL); 109 new_objp->magic_marker = SOFTTOKEN_OBJECT_MAGIC; 110 111 /* Write the new token object to the keystore */ 112 if (IS_TOKEN_OBJECT(new_objp)) { 113 new_objp->version = 1; 114 new_objp->session_handle = (CK_SESSION_HANDLE)NULL; 115 soft_add_token_object_to_slot(new_objp); 116 /* 117 * Type casting the address of an object struct to 118 * an object handle. 119 */ 120 *objecthandle_p = (CK_ULONG)new_objp; 121 122 return (CKR_OK); 123 } 124 125 new_objp->session_handle = (CK_SESSION_HANDLE)sp; 126 127 /* Add the new object to the session's object list. */ 128 soft_add_object_to_session(new_objp, sp); 129 130 /* Type casting the address of an object struct to an object handle. */ 131 *objecthandle_p = (CK_ULONG)new_objp; 132 133 return (CKR_OK); 134 135 fail_cleanup2: 136 /* 137 * When any error occurs after soft_build_key(), we will need to 138 * clean up the memory allocated by the soft_build_key(). 139 */ 140 soft_cleanup_object(new_objp); 141 142 fail_cleanup1: 143 if (new_objp) { 144 /* 145 * The storage allocated inside of this object should have 146 * been cleaned up by the soft_build_key() if it failed. 147 * Therefore, we can safely free the object. 148 */ 149 free(new_objp); 150 } 151 152 return (rv); 153 } 154 155 CK_RV 156 soft_genkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 157 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey) 158 { 159 160 CK_RV rv = CKR_OK; 161 soft_object_t *secret_key; 162 CK_KEY_TYPE key_type; 163 CK_ULONG keylen = 0; 164 CK_ULONG i; 165 int des_strength = 0; 166 int retry = 0; 167 int keyfound = 0; 168 boolean_t is_ssl_mech = B_FALSE; 169 170 switch (pMechanism->mechanism) { 171 case CKM_DES_KEY_GEN: 172 key_type = CKK_DES; 173 break; 174 175 case CKM_DES2_KEY_GEN: 176 key_type = CKK_DES2; 177 break; 178 179 case CKM_DES3_KEY_GEN: 180 key_type = CKK_DES3; 181 break; 182 183 case CKM_AES_KEY_GEN: 184 key_type = CKK_AES; 185 break; 186 187 case CKM_BLOWFISH_KEY_GEN: 188 key_type = CKK_BLOWFISH; 189 break; 190 191 case CKM_RC4_KEY_GEN: 192 key_type = CKK_RC4; 193 break; 194 195 case CKM_SSL3_PRE_MASTER_KEY_GEN: 196 case CKM_TLS_PRE_MASTER_KEY_GEN: 197 if (pMechanism->pParameter == NULL || 198 pMechanism->ulParameterLen != sizeof (CK_VERSION)) 199 return (CKR_TEMPLATE_INCOMPLETE); 200 is_ssl_mech = B_TRUE; 201 key_type = CKK_GENERIC_SECRET; 202 keylen = 48; 203 break; 204 205 case CKM_PKCS5_PBKD2: 206 keyfound = 0; 207 for (i = 0; i < ulCount && !keyfound; i++) { 208 if (pTemplate[i].type == CKA_KEY_TYPE && 209 pTemplate[i].pValue != NULL) { 210 key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue); 211 keyfound = 1; 212 } 213 } 214 if (!keyfound) 215 return (CKR_TEMPLATE_INCOMPLETE); 216 /* 217 * Make sure that parameters were given for this 218 * mechanism. 219 */ 220 if (pMechanism->pParameter == NULL || 221 pMechanism->ulParameterLen != 222 sizeof (CK_PKCS5_PBKD2_PARAMS)) 223 return (CKR_TEMPLATE_INCOMPLETE); 224 break; 225 226 case CKM_PBE_SHA1_RC4_128: 227 keyfound = 0; 228 for (i = 0; i < ulCount; i++) { 229 if (pTemplate[i].type == CKA_KEY_TYPE && 230 pTemplate[i].pValue != NULL) { 231 key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue); 232 keyfound = 1; 233 } 234 if (pTemplate[i].type == CKA_VALUE_LEN && 235 pTemplate[i].pValue != NULL) { 236 keylen = *((CK_ULONG*)pTemplate[i].pValue); 237 } 238 } 239 /* If a keytype was specified, it had better be CKK_RC4 */ 240 if (keyfound && key_type != CKK_RC4) 241 return (CKR_TEMPLATE_INCONSISTENT); 242 else if (!keyfound) 243 key_type = CKK_RC4; 244 245 /* If key length was specified, it better be 16 bytes */ 246 if (keylen != 0 && keylen != 16) 247 return (CKR_TEMPLATE_INCONSISTENT); 248 249 /* 250 * Make sure that parameters were given for this 251 * mechanism. 252 */ 253 if (pMechanism->pParameter == NULL || 254 pMechanism->ulParameterLen != 255 sizeof (CK_PBE_PARAMS)) 256 return (CKR_TEMPLATE_INCOMPLETE); 257 break; 258 default: 259 return (CKR_MECHANISM_INVALID); 260 } 261 262 /* Create a new object for secret key. */ 263 rv = soft_gen_keyobject(pTemplate, ulCount, phKey, session_p, 264 CKO_SECRET_KEY, key_type, keylen, SOFT_GEN_KEY, B_FALSE); 265 266 if (rv != CKR_OK) { 267 return (rv); 268 } 269 270 /* Obtain the secret object pointer. */ 271 secret_key = (soft_object_t *)*phKey; 272 273 switch (pMechanism->mechanism) { 274 case CKM_DES_KEY_GEN: 275 /* 276 * Set up key value len since it is not a required 277 * attribute for C_GenerateKey. 278 */ 279 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE; 280 des_strength = DES; 281 break; 282 283 case CKM_DES2_KEY_GEN: 284 /* 285 * Set up key value len since it is not a required 286 * attribute for C_GenerateKey. 287 */ 288 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES2_KEYSIZE; 289 des_strength = DES2; 290 break; 291 292 case CKM_DES3_KEY_GEN: 293 /* 294 * Set up key value len since it is not a required 295 * attribute for C_GenerateKey. 296 */ 297 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE; 298 des_strength = DES3; 299 break; 300 301 case CKM_SSL3_PRE_MASTER_KEY_GEN: 302 case CKM_TLS_PRE_MASTER_KEY_GEN: 303 secret_key->bool_attr_mask |= DERIVE_BOOL_ON; 304 /* FALLTHRU */ 305 306 case CKM_AES_KEY_GEN: 307 case CKM_BLOWFISH_KEY_GEN: 308 case CKM_PBE_SHA1_RC4_128: 309 case CKM_RC4_KEY_GEN: 310 keylen = OBJ_SEC_VALUE_LEN(secret_key); 311 break; 312 313 case CKM_PKCS5_PBKD2: 314 /* 315 * PKCS#11 does not allow one to specify key 316 * sizes for DES and 3DES, so we must set it here 317 * when using PBKD2 algorithms. 318 */ 319 if (key_type == CKK_DES) { 320 OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE; 321 des_strength = DES; 322 } else if (key_type == CKK_DES3) { 323 OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE; 324 des_strength = DES3; 325 } 326 327 keylen = OBJ_SEC_VALUE_LEN(secret_key); 328 break; 329 } 330 331 if ((OBJ_SEC_VALUE(secret_key) = malloc(keylen)) == NULL) { 332 if (IS_TOKEN_OBJECT(secret_key)) 333 soft_delete_token_object(secret_key, B_FALSE, B_FALSE); 334 else 335 soft_delete_object(session_p, secret_key, 336 B_FALSE, B_FALSE); 337 338 return (CKR_HOST_MEMORY); 339 } 340 switch (pMechanism->mechanism) { 341 case CKM_PBE_SHA1_RC4_128: 342 /* 343 * Use the PBE algorithm described in PKCS#11 section 344 * 12.33 to derive the key. 345 */ 346 rv = soft_pkcs12_pbe(session_p, pMechanism, secret_key); 347 break; 348 case CKM_PKCS5_PBKD2: 349 /* Generate keys using PKCS#5 PBKD2 algorithm */ 350 rv = soft_generate_pkcs5_pbkdf2_key(session_p, pMechanism, 351 secret_key); 352 if (rv == CKR_OK && des_strength > 0) { 353 /* Perform weak key checking for DES and DES3. */ 354 if (des_keycheck(OBJ_SEC_VALUE(secret_key), 355 des_strength, OBJ_SEC_VALUE(secret_key)) == 356 B_FALSE) { 357 /* We got a weak secret key. */ 358 rv = CKR_FUNCTION_FAILED; 359 } 360 } 361 break; 362 default: 363 do { 364 /* If this fails, bail out */ 365 rv = CKR_OK; 366 if (pkcs11_get_urandom( 367 OBJ_SEC_VALUE(secret_key), keylen) < 0) { 368 rv = CKR_DEVICE_ERROR; 369 break; 370 } 371 372 /* Perform weak key checking for DES and DES3. */ 373 if (des_strength > 0) { 374 rv = CKR_OK; 375 if (des_keycheck(OBJ_SEC_VALUE(secret_key), 376 des_strength, OBJ_SEC_VALUE(secret_key)) == 377 B_FALSE) { 378 /* We got a weak key, retry! */ 379 retry++; 380 rv = CKR_FUNCTION_FAILED; 381 } 382 } 383 /* 384 * Copy over the SSL client version For SSL mechs 385 * The first two bytes of the key is the version 386 */ 387 if (is_ssl_mech) 388 bcopy(pMechanism->pParameter, 389 OBJ_SEC_VALUE(secret_key), 390 sizeof (CK_VERSION)); 391 392 } while (rv != CKR_OK && retry < KEYGEN_RETRY); 393 if (retry == KEYGEN_RETRY) 394 rv = CKR_FUNCTION_FAILED; 395 break; 396 } 397 398 if (rv != CKR_OK) 399 if (IS_TOKEN_OBJECT(secret_key)) 400 soft_delete_token_object(secret_key, B_FALSE, B_FALSE); 401 else 402 soft_delete_object(session_p, secret_key, 403 B_FALSE, B_FALSE); 404 405 if (IS_TOKEN_OBJECT(secret_key)) { 406 /* 407 * All the info has been filled, so we can write to 408 * keystore now. 409 */ 410 rv = soft_put_object_to_keystore(secret_key); 411 if (rv != CKR_OK) 412 soft_delete_token_object(secret_key, B_FALSE, B_FALSE); 413 } 414 415 return (rv); 416 } 417 418 CK_RV 419 soft_genkey_pair(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 420 CK_ATTRIBUTE_PTR pPublicKeyTemplate, CK_ULONG ulPublicAttrCount, 421 CK_ATTRIBUTE_PTR pPrivateKeyTemplate, CK_ULONG ulPrivateAttrCount, 422 CK_OBJECT_HANDLE_PTR phPublicKey, CK_OBJECT_HANDLE_PTR phPrivateKey) 423 { 424 425 CK_RV rv; 426 soft_object_t *public_key, *private_key; 427 CK_KEY_TYPE key_type; 428 429 switch (pMechanism->mechanism) { 430 431 case CKM_RSA_PKCS_KEY_PAIR_GEN: 432 key_type = CKK_RSA; 433 break; 434 435 case CKM_DSA_KEY_PAIR_GEN: 436 key_type = CKK_DSA; 437 break; 438 439 case CKM_DH_PKCS_KEY_PAIR_GEN: 440 key_type = CKK_DH; 441 break; 442 443 case CKM_EC_KEY_PAIR_GEN: 444 key_type = CKK_EC; 445 break; 446 447 default: 448 return (CKR_MECHANISM_INVALID); 449 } 450 451 /* Create a new object for public key. */ 452 rv = soft_gen_keyobject(pPublicKeyTemplate, ulPublicAttrCount, 453 phPublicKey, session_p, CKO_PUBLIC_KEY, key_type, 0, 454 SOFT_GEN_KEY, B_FALSE); 455 456 if (rv != CKR_OK) { 457 return (rv); 458 } 459 460 /* Obtain the public object pointer. */ 461 public_key = (soft_object_t *)*phPublicKey; 462 463 /* Create a new object for private key. */ 464 rv = soft_gen_keyobject(pPrivateKeyTemplate, ulPrivateAttrCount, 465 phPrivateKey, session_p, CKO_PRIVATE_KEY, key_type, 0, 466 SOFT_GEN_KEY, B_FALSE); 467 468 if (rv != CKR_OK) { 469 /* 470 * Both public key and private key must be successful. 471 */ 472 if (IS_TOKEN_OBJECT(public_key)) 473 soft_delete_token_object(public_key, B_FALSE, B_FALSE); 474 else 475 soft_delete_object(session_p, public_key, 476 B_FALSE, B_FALSE); 477 return (rv); 478 } 479 480 /* Obtain the private object pointer. */ 481 private_key = (soft_object_t *)*phPrivateKey; 482 483 /* 484 * At this point, both public key and private key objects 485 * are settled with the application specified attributes. 486 * We are ready to generate the rest of key attributes based 487 * on the existing attributes. 488 */ 489 490 switch (key_type) { 491 case CKK_RSA: 492 rv = soft_rsa_genkey_pair(public_key, private_key); 493 break; 494 495 case CKK_DSA: 496 rv = soft_dsa_genkey_pair(public_key, private_key); 497 break; 498 499 case CKK_DH: 500 rv = soft_dh_genkey_pair(public_key, private_key); 501 private_key->bool_attr_mask |= DERIVE_BOOL_ON; 502 break; 503 case CKK_EC: 504 rv = soft_ec_genkey_pair(public_key, private_key); 505 private_key->bool_attr_mask |= DERIVE_BOOL_ON; 506 break; 507 } 508 509 if (rv != CKR_OK) { 510 if (IS_TOKEN_OBJECT(public_key)) { 511 soft_delete_token_object(public_key, B_FALSE, B_FALSE); 512 soft_delete_token_object(private_key, B_FALSE, B_FALSE); 513 } else { 514 soft_delete_object(session_p, public_key, 515 B_FALSE, B_FALSE); 516 soft_delete_object(session_p, private_key, 517 B_FALSE, B_FALSE); 518 } 519 return (rv); 520 } 521 522 /* 523 * FIPS 140-2 pairwise consistency check utilized to 524 * validate key pair 525 */ 526 if ((key_type == CKK_RSA) || (key_type == CKK_DSA) || 527 (key_type == CKK_EC)) { 528 if (softtoken_fips_mode == CRYPTO_FIPS_MODE_ENABLED) { 529 rv = fips_pairwise_check(session_p, public_key, 530 private_key, key_type); 531 if (rv != CKR_OK) { 532 if (IS_TOKEN_OBJECT(public_key)) { 533 soft_delete_token_object(public_key, 534 B_FALSE, B_FALSE); 535 soft_delete_token_object(private_key, 536 B_FALSE, B_FALSE); 537 } else { 538 soft_delete_object(session_p, 539 public_key, B_FALSE, B_FALSE); 540 soft_delete_object(session_p, 541 private_key, B_FALSE, B_FALSE); 542 } 543 return (rv); 544 } 545 } 546 } 547 548 if (IS_TOKEN_OBJECT(public_key)) { 549 /* 550 * All the info has been filled, so we can write to 551 * keystore now. 552 */ 553 rv = soft_put_object_to_keystore(public_key); 554 if (rv != CKR_OK) { 555 soft_delete_token_object(public_key, B_FALSE, B_FALSE); 556 soft_delete_token_object(private_key, B_FALSE, B_FALSE); 557 return (rv); 558 } 559 } 560 561 if (IS_TOKEN_OBJECT(private_key)) { 562 rv = soft_put_object_to_keystore(private_key); 563 if (rv != CKR_OK) { 564 /* 565 * We also need to delete the public token object 566 * from keystore. 567 */ 568 soft_delete_token_object(public_key, B_TRUE, B_FALSE); 569 soft_delete_token_object(private_key, B_FALSE, B_FALSE); 570 } 571 } 572 573 return (rv); 574 } 575 576 577 CK_RV 578 soft_key_derive_check_length(soft_object_t *secret_key, CK_ULONG max_keylen) 579 { 580 581 switch (secret_key->key_type) { 582 case CKK_GENERIC_SECRET: 583 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) { 584 OBJ_SEC_VALUE_LEN(secret_key) = max_keylen; 585 return (CKR_OK); 586 } else if (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen) { 587 return (CKR_ATTRIBUTE_VALUE_INVALID); 588 } 589 break; 590 case CKK_RC4: 591 case CKK_AES: 592 case CKK_BLOWFISH: 593 if ((OBJ_SEC_VALUE_LEN(secret_key) == 0) || 594 (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen)) { 595 /* RC4 and AES has variable key length */ 596 return (CKR_ATTRIBUTE_VALUE_INVALID); 597 } 598 break; 599 case CKK_DES: 600 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) { 601 /* DES has a well-defined length */ 602 OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE; 603 return (CKR_OK); 604 } else if (OBJ_SEC_VALUE_LEN(secret_key) != DES_KEYSIZE) { 605 return (CKR_ATTRIBUTE_VALUE_INVALID); 606 } 607 break; 608 case CKK_DES2: 609 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) { 610 /* DES2 has a well-defined length */ 611 OBJ_SEC_VALUE_LEN(secret_key) = DES2_KEYSIZE; 612 return (CKR_OK); 613 } else if (OBJ_SEC_VALUE_LEN(secret_key) != DES2_KEYSIZE) { 614 return (CKR_ATTRIBUTE_VALUE_INVALID); 615 } 616 break; 617 618 default: 619 return (CKR_MECHANISM_INVALID); 620 } 621 622 return (CKR_OK); 623 } 624 625 /* 626 * PKCS#11 (12.33) says that v = 512 bits (64 bytes) for SHA1 627 * PBE methods. 628 */ 629 #define PKCS12_BUFFER_SIZE 64 630 /* 631 * PKCS#12 defines 3 different ID bytes to be used for 632 * deriving keys for different operations. 633 */ 634 #define PBE_ID_ENCRYPT 1 635 #define PBE_ID_IV 2 636 #define PBE_ID_MAC 3 637 #define PBE_CEIL(a, b) (((a)/(b)) + (((a)%(b)) > 0)) 638 639 static CK_RV 640 soft_pkcs12_pbe(soft_session_t *session_p, 641 CK_MECHANISM_PTR pMechanism, 642 soft_object_t *derived_key) 643 { 644 CK_RV rv = CKR_OK; 645 CK_PBE_PARAMS *params = pMechanism->pParameter; 646 CK_ULONG c, i, j, k; 647 CK_ULONG hashSize; 648 CK_ULONG buffSize; 649 /* 650 * Terse variable names are used to make following 651 * the PKCS#12 spec easier. 652 */ 653 CK_BYTE *A = NULL; 654 CK_BYTE *Ai = NULL; 655 CK_BYTE *B = NULL; 656 CK_BYTE *D = NULL; 657 CK_BYTE *I = NULL, *S, *P; 658 CK_BYTE *keybuf = NULL; 659 CK_ULONG Alen, Ilen, Slen, Plen, AiLen, Blen, Dlen; 660 CK_ULONG keysize = OBJ_SEC_VALUE_LEN(derived_key); 661 CK_MECHANISM digest_mech; 662 663 /* U = hash function output bits */ 664 if (pMechanism->mechanism == CKM_PBE_SHA1_RC4_128) { 665 hashSize = SHA1_HASH_SIZE; 666 buffSize = PKCS12_BUFFER_SIZE; 667 digest_mech.mechanism = CKM_SHA_1; 668 digest_mech.pParameter = NULL; 669 digest_mech.ulParameterLen = 0; 670 } else { 671 /* we only support 1 PBE mech for now */ 672 return (CKR_MECHANISM_INVALID); 673 } 674 keybuf = OBJ_SEC_VALUE(derived_key); 675 676 Blen = Dlen = buffSize; 677 D = (CK_BYTE *)malloc(Dlen); 678 if (D == NULL) { 679 rv = CKR_HOST_MEMORY; 680 goto cleanup; 681 } 682 683 B = (CK_BYTE *)malloc(Blen); 684 if (B == NULL) { 685 rv = CKR_HOST_MEMORY; 686 goto cleanup; 687 } 688 689 /* 690 * Initialize some values and create some buffers 691 * that we need later. 692 * 693 * Slen = buffSize * CEIL(SaltLength/buffSize) 694 */ 695 Slen = buffSize * PBE_CEIL(params->ulSaltLen, buffSize); 696 697 /* 698 * Plen = buffSize * CEIL(PasswordLength/buffSize) 699 */ 700 Plen = buffSize * PBE_CEIL(params->ulPasswordLen, buffSize); 701 702 /* 703 * From step 4: I = S + P, so: Ilen = Slen + Plen 704 */ 705 Ilen = Slen + Plen; 706 I = (CK_BYTE *)malloc(Ilen); 707 if (I == NULL) { 708 rv = CKR_HOST_MEMORY; 709 goto cleanup; 710 } 711 712 S = I; 713 P = I + Slen; 714 715 /* 716 * Step 1. 717 * We are only interested in deriving keys for encrypt/decrypt 718 * for now, so construct the "D"iversifier accordingly. 719 */ 720 (void) memset(D, PBE_ID_ENCRYPT, Dlen); 721 722 /* 723 * Step 2. 724 * Concatenate copies of the salt together to make S. 725 */ 726 for (i = 0; i < Slen; i += params->ulSaltLen) { 727 (void) memcpy(S+i, params->pSalt, 728 ((Slen - i) > params->ulSaltLen ? 729 params->ulSaltLen : (Slen - i))); 730 } 731 732 /* 733 * Step 3. 734 * Concatenate copies of the password together to make 735 * a string P. 736 */ 737 for (i = 0; i < Plen; i += params->ulPasswordLen) { 738 (void) memcpy(P+i, params->pPassword, 739 ((Plen - i) > params->ulPasswordLen ? 740 params->ulPasswordLen : (Plen - i))); 741 } 742 743 /* 744 * Step 4. 745 * I = S+P - this is now done because S and P are 746 * pointers into I. 747 * 748 * Step 5. 749 * c= CEIL[n/u] 750 * where n = pseudorandom bits of output desired. 751 */ 752 c = PBE_CEIL(keysize, hashSize); 753 754 /* 755 * Step 6. 756 */ 757 Alen = c * hashSize; 758 A = (CK_BYTE *)malloc(Alen); 759 if (A == NULL) { 760 rv = CKR_HOST_MEMORY; 761 goto cleanup; 762 } 763 AiLen = hashSize; 764 Ai = (CK_BYTE *)malloc(AiLen); 765 if (Ai == NULL) { 766 rv = CKR_HOST_MEMORY; 767 goto cleanup; 768 } 769 770 /* 771 * Step 6a. 772 * Ai = Hr(D+I) 773 */ 774 for (i = 0; i < c; i++) { 775 (void) pthread_mutex_lock(&session_p->session_mutex); 776 777 if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) { 778 (void) pthread_mutex_unlock(&session_p->session_mutex); 779 rv = CKR_OPERATION_ACTIVE; 780 goto cleanup; 781 } 782 session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE; 783 (void) pthread_mutex_unlock(&session_p->session_mutex); 784 785 for (j = 0; j < params->ulIteration; j++) { 786 rv = soft_digest_init(session_p, &digest_mech); 787 if (rv != CKR_OK) 788 goto digest_done; 789 790 if (j == 0) { 791 rv = soft_digest_update(session_p, D, Dlen); 792 if (rv != CKR_OK) 793 goto digest_done; 794 795 rv = soft_digest_update(session_p, I, Ilen); 796 } else { 797 rv = soft_digest_update(session_p, Ai, AiLen); 798 } 799 if (rv != CKR_OK) 800 goto digest_done; 801 802 rv = soft_digest_final(session_p, Ai, &AiLen); 803 if (rv != CKR_OK) 804 goto digest_done; 805 } 806 digest_done: 807 (void) pthread_mutex_lock(&session_p->session_mutex); 808 session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE; 809 (void) pthread_mutex_unlock(&session_p->session_mutex); 810 811 if (rv != CKR_OK) 812 goto cleanup; 813 /* 814 * Step 6b. 815 * Concatenate Ai to make B 816 */ 817 for (j = 0; j < Blen; j += hashSize) { 818 (void) memcpy(B+j, Ai, ((Blen - j > hashSize) ? 819 hashSize : Blen - j)); 820 } 821 822 /* 823 * Step 6c. 824 */ 825 k = Ilen / Blen; 826 for (j = 0; j < k; j++) { 827 uchar_t idx; 828 CK_ULONG m, q = 1, cbit = 0; 829 830 for (m = Blen - 1; m >= (CK_ULONG)0; m--, q = 0) { 831 idx = m + j*Blen; 832 833 q += (CK_ULONG)I[idx] + (CK_ULONG)B[m]; 834 q += cbit; 835 I[idx] = (CK_BYTE)(q & 0xff); 836 cbit = (q > 0xff); 837 } 838 } 839 840 /* 841 * Step 7. 842 * A += Ai 843 */ 844 (void) memcpy(A + i*hashSize, Ai, AiLen); 845 } 846 847 /* 848 * Step 8. 849 * The final output of this process is the A buffer 850 */ 851 (void) memcpy(keybuf, A, keysize); 852 853 cleanup: 854 if (A) { 855 bzero(A, Alen); 856 free(A); 857 } 858 if (Ai) { 859 bzero(Ai, AiLen); 860 free(Ai); 861 } 862 if (B) { 863 bzero(B, Blen); 864 free(B); 865 } 866 if (D) { 867 bzero(D, Dlen); 868 free(D); 869 } 870 if (I) { 871 bzero(I, Ilen); 872 free(I); 873 } 874 return (rv); 875 } 876 877 CK_RV 878 soft_derivekey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 879 soft_object_t *basekey_p, CK_ATTRIBUTE_PTR pTemplate, 880 CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey) 881 { 882 883 CK_RV rv = CKR_OK; 884 soft_object_t *secret_key; 885 CK_MECHANISM digest_mech; 886 CK_BYTE hash[SHA512_DIGEST_LENGTH]; /* space enough for all mechs */ 887 CK_ULONG hash_len = SHA512_DIGEST_LENGTH; 888 CK_ULONG secret_key_len; 889 CK_ULONG hash_size; 890 891 switch (pMechanism->mechanism) { 892 case CKM_DH_PKCS_DERIVE: 893 /* 894 * Create a new object for secret key. The key type should 895 * be provided in the template. 896 */ 897 rv = soft_gen_keyobject(pTemplate, ulAttributeCount, 898 phKey, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL, 0, 899 SOFT_DERIVE_KEY_DH, B_FALSE); 900 901 if (rv != CKR_OK) { 902 return (rv); 903 } 904 905 /* Obtain the secret object pointer. */ 906 secret_key = (soft_object_t *)*phKey; 907 908 rv = soft_dh_key_derive(basekey_p, secret_key, 909 (CK_BYTE *)pMechanism->pParameter, 910 pMechanism->ulParameterLen); 911 912 if (rv != CKR_OK) { 913 if (IS_TOKEN_OBJECT(secret_key)) 914 soft_delete_token_object(secret_key, B_FALSE, 915 B_FALSE); 916 else 917 soft_delete_object(session_p, secret_key, 918 B_FALSE, B_FALSE); 919 return (rv); 920 } 921 922 break; 923 924 case CKM_ECDH1_DERIVE: 925 /* 926 * Create a new object for secret key. The key type should 927 * be provided in the template. 928 */ 929 rv = soft_gen_keyobject(pTemplate, ulAttributeCount, 930 phKey, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL, 0, 931 SOFT_DERIVE_KEY_DH, B_FALSE); 932 933 if (rv != CKR_OK) { 934 return (rv); 935 } 936 937 /* Obtain the secret object pointer. */ 938 secret_key = (soft_object_t *)*phKey; 939 940 rv = soft_ec_key_derive(basekey_p, secret_key, 941 (CK_BYTE *)pMechanism->pParameter, 942 pMechanism->ulParameterLen); 943 944 if (rv != CKR_OK) { 945 if (IS_TOKEN_OBJECT(secret_key)) 946 soft_delete_token_object(secret_key, B_FALSE, 947 B_FALSE); 948 else 949 soft_delete_object(session_p, secret_key, 950 B_FALSE, B_FALSE); 951 return (rv); 952 } 953 954 break; 955 956 case CKM_SHA1_KEY_DERIVATION: 957 hash_size = SHA1_HASH_SIZE; 958 digest_mech.mechanism = CKM_SHA_1; 959 goto common; 960 961 case CKM_MD5_KEY_DERIVATION: 962 hash_size = MD5_HASH_SIZE; 963 digest_mech.mechanism = CKM_MD5; 964 goto common; 965 966 case CKM_SHA256_KEY_DERIVATION: 967 hash_size = SHA256_DIGEST_LENGTH; 968 digest_mech.mechanism = CKM_SHA256; 969 goto common; 970 971 case CKM_SHA384_KEY_DERIVATION: 972 hash_size = SHA384_DIGEST_LENGTH; 973 digest_mech.mechanism = CKM_SHA384; 974 goto common; 975 976 case CKM_SHA512_KEY_DERIVATION: 977 hash_size = SHA512_DIGEST_LENGTH; 978 digest_mech.mechanism = CKM_SHA512; 979 goto common; 980 981 common: 982 /* 983 * Create a new object for secret key. The key type is optional 984 * to be provided in the template. If it is not specified in 985 * the template, the default is CKK_GENERIC_SECRET. 986 */ 987 rv = soft_gen_keyobject(pTemplate, ulAttributeCount, 988 phKey, session_p, CKO_SECRET_KEY, 989 (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0, 990 SOFT_DERIVE_KEY_OTHER, B_FALSE); 991 992 if (rv != CKR_OK) { 993 return (rv); 994 } 995 996 /* Obtain the secret object pointer. */ 997 secret_key = (soft_object_t *)*phKey; 998 999 /* Validate the key type and key length */ 1000 rv = soft_key_derive_check_length(secret_key, hash_size); 1001 if (rv != CKR_OK) { 1002 if (IS_TOKEN_OBJECT(secret_key)) 1003 soft_delete_token_object(secret_key, B_FALSE, 1004 B_FALSE); 1005 else 1006 soft_delete_object(session_p, secret_key, 1007 B_FALSE, B_FALSE); 1008 return (rv); 1009 } 1010 1011 /* 1012 * Derive the secret key by digesting the value of another 1013 * secret key (base key) with SHA-1 or MD5. 1014 */ 1015 rv = soft_digest_init_internal(session_p, &digest_mech); 1016 if (rv != CKR_OK) { 1017 if (IS_TOKEN_OBJECT(secret_key)) 1018 soft_delete_token_object(secret_key, B_FALSE, 1019 B_FALSE); 1020 else 1021 soft_delete_object(session_p, secret_key, 1022 B_FALSE, B_FALSE); 1023 return (rv); 1024 } 1025 1026 rv = soft_digest(session_p, OBJ_SEC_VALUE(basekey_p), 1027 OBJ_SEC_VALUE_LEN(basekey_p), hash, &hash_len); 1028 1029 (void) pthread_mutex_lock(&session_p->session_mutex); 1030 /* soft_digest_common() has freed the digest context */ 1031 session_p->digest.flags = 0; 1032 (void) pthread_mutex_unlock(&session_p->session_mutex); 1033 1034 if (rv != CKR_OK) { 1035 if (IS_TOKEN_OBJECT(secret_key)) 1036 soft_delete_token_object(secret_key, B_FALSE, 1037 B_FALSE); 1038 else 1039 soft_delete_object(session_p, secret_key, 1040 B_FALSE, B_FALSE); 1041 return (rv); 1042 } 1043 1044 secret_key_len = OBJ_SEC_VALUE_LEN(secret_key); 1045 1046 if ((OBJ_SEC_VALUE(secret_key) = malloc(secret_key_len)) == 1047 NULL) { 1048 if (IS_TOKEN_OBJECT(secret_key)) 1049 soft_delete_token_object(secret_key, B_FALSE, 1050 B_FALSE); 1051 else 1052 soft_delete_object(session_p, secret_key, 1053 B_FALSE, B_FALSE); 1054 return (CKR_HOST_MEMORY); 1055 } 1056 1057 /* 1058 * The key produced by this mechanism will be of the 1059 * specified type and length. 1060 * The truncation removes extra bytes from the leading 1061 * of the digested key value. 1062 */ 1063 (void) memcpy(OBJ_SEC_VALUE(secret_key), 1064 (hash + hash_len - secret_key_len), 1065 secret_key_len); 1066 1067 break; 1068 1069 /* 1070 * The key sensitivity and extractability rules for the generated 1071 * keys will be enforced inside soft_ssl_master_key_derive() and 1072 * soft_ssl_key_and_mac_derive() 1073 */ 1074 case CKM_SSL3_MASTER_KEY_DERIVE: 1075 case CKM_SSL3_MASTER_KEY_DERIVE_DH: 1076 case CKM_TLS_MASTER_KEY_DERIVE: 1077 case CKM_TLS_MASTER_KEY_DERIVE_DH: 1078 if (phKey == NULL_PTR) 1079 return (CKR_ARGUMENTS_BAD); 1080 return (soft_ssl_master_key_derive(session_p, pMechanism, 1081 basekey_p, pTemplate, ulAttributeCount, phKey)); 1082 1083 case CKM_SSL3_KEY_AND_MAC_DERIVE: 1084 case CKM_TLS_KEY_AND_MAC_DERIVE: 1085 return (soft_ssl_key_and_mac_derive(session_p, pMechanism, 1086 basekey_p, pTemplate, ulAttributeCount)); 1087 1088 case CKM_TLS_PRF: 1089 if (pMechanism->pParameter == NULL || 1090 pMechanism->ulParameterLen != sizeof (CK_TLS_PRF_PARAMS) || 1091 phKey != NULL) 1092 return (CKR_ARGUMENTS_BAD); 1093 1094 if (pTemplate != NULL) 1095 return (CKR_TEMPLATE_INCONSISTENT); 1096 1097 return (derive_tls_prf( 1098 (CK_TLS_PRF_PARAMS_PTR)pMechanism->pParameter, basekey_p)); 1099 1100 default: 1101 return (CKR_MECHANISM_INVALID); 1102 } 1103 1104 soft_derive_enforce_flags(basekey_p, secret_key); 1105 1106 if (IS_TOKEN_OBJECT(secret_key)) { 1107 /* 1108 * All the info has been filled, so we can write to 1109 * keystore now. 1110 */ 1111 rv = soft_put_object_to_keystore(secret_key); 1112 if (rv != CKR_OK) 1113 soft_delete_token_object(secret_key, B_FALSE, B_FALSE); 1114 } 1115 1116 return (rv); 1117 } 1118 1119 1120 /* 1121 * Perform key derivation rules on key's sensitivity and extractability. 1122 */ 1123 void 1124 soft_derive_enforce_flags(soft_object_t *basekey, soft_object_t *newkey) 1125 { 1126 1127 boolean_t new_sensitive = B_FALSE; 1128 boolean_t new_extractable = B_FALSE; 1129 1130 /* 1131 * The sensitive and extractable bits have been set when 1132 * the newkey was built. 1133 */ 1134 if (newkey->bool_attr_mask & SENSITIVE_BOOL_ON) { 1135 new_sensitive = B_TRUE; 1136 } 1137 1138 if (newkey->bool_attr_mask & EXTRACTABLE_BOOL_ON) { 1139 new_extractable = B_TRUE; 1140 } 1141 1142 /* Derive the CKA_ALWAYS_SENSITIVE flag */ 1143 if (!basekey->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON) { 1144 /* 1145 * If the base key has its CKA_ALWAYS_SENSITIVE set to 1146 * FALSE, then the derived key will as well. 1147 */ 1148 newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON; 1149 } else { 1150 /* 1151 * If the base key has its CKA_ALWAYS_SENSITIVE set to TRUE, 1152 * then the derived key has the CKA_ALWAYS_SENSITIVE set to 1153 * the same value as its CKA_SENSITIVE; 1154 */ 1155 if (new_sensitive) { 1156 newkey->bool_attr_mask |= ALWAYS_SENSITIVE_BOOL_ON; 1157 } else { 1158 newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON; 1159 } 1160 } 1161 1162 /* Derive the CKA_NEVER_EXTRACTABLE flag */ 1163 if (!basekey->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) { 1164 /* 1165 * If the base key has its CKA_NEVER_EXTRACTABLE set to 1166 * FALSE, then the derived key will as well. 1167 */ 1168 newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON; 1169 } else { 1170 /* 1171 * If the base key has its CKA_NEVER_EXTRACTABLE set to TRUE, 1172 * then the derived key has the CKA_NEVER_EXTRACTABLE set to 1173 * the opposite value from its CKA_EXTRACTABLE; 1174 */ 1175 if (new_extractable) { 1176 newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON; 1177 } else { 1178 newkey->bool_attr_mask |= NEVER_EXTRACTABLE_BOOL_ON; 1179 } 1180 } 1181 1182 /* Set the CKA_LOCAL flag to false */ 1183 newkey->bool_attr_mask &= ~LOCAL_BOOL_ON; 1184 } 1185 1186 1187 /* 1188 * do_prf 1189 * 1190 * This routine implements Step 3. of the PBKDF2 function 1191 * defined in PKCS#5 for generating derived keys from a 1192 * password. 1193 * 1194 * Currently, PRF is always SHA_1_HMAC. 1195 */ 1196 static CK_RV 1197 do_prf(soft_session_t *session_p, 1198 CK_PKCS5_PBKD2_PARAMS_PTR params, 1199 soft_object_t *hmac_key, 1200 CK_BYTE *newsalt, CK_ULONG saltlen, 1201 CK_BYTE *blockdata, CK_ULONG blocklen) 1202 { 1203 CK_RV rv = CKR_OK; 1204 CK_MECHANISM digest_mech = {CKM_SHA_1_HMAC, NULL, 0}; 1205 CK_BYTE buffer[2][SHA1_HASH_SIZE]; 1206 CK_ULONG hmac_outlen = SHA1_HASH_SIZE; 1207 CK_ULONG inlen; 1208 CK_BYTE *input, *output; 1209 CK_ULONG i, j; 1210 1211 input = newsalt; 1212 inlen = saltlen; 1213 1214 output = buffer[1]; 1215 (void) pthread_mutex_lock(&session_p->session_mutex); 1216 1217 if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) { 1218 (void) pthread_mutex_unlock(&session_p->session_mutex); 1219 return (CKR_OPERATION_ACTIVE); 1220 } 1221 session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE; 1222 (void) pthread_mutex_unlock(&session_p->session_mutex); 1223 1224 for (i = 0; i < params->iterations; i++) { 1225 /* 1226 * The key doesn't change, its always the 1227 * password iniitally given. 1228 */ 1229 rv = soft_sign_init(session_p, &digest_mech, hmac_key); 1230 1231 if (rv != CKR_OK) { 1232 goto cleanup; 1233 } 1234 1235 /* Call PRF function (SHA1_HMAC for now). */ 1236 rv = soft_sign(session_p, input, inlen, output, &hmac_outlen); 1237 1238 if (rv != CKR_OK) { 1239 goto cleanup; 1240 } 1241 /* 1242 * The first time, initialize the output buffer 1243 * with the HMAC signature. 1244 */ 1245 if (i == 0) { 1246 (void) memcpy(blockdata, output, 1247 local_min(blocklen, hmac_outlen)); 1248 } else { 1249 /* 1250 * XOR the existing data with output from PRF. 1251 * 1252 * Only XOR up to the length of the blockdata, 1253 * it may be less than a full hmac buffer when 1254 * the final block is being computed. 1255 */ 1256 for (j = 0; j < hmac_outlen && j < blocklen; j++) 1257 blockdata[j] ^= output[j]; 1258 } 1259 /* Output from previous PRF is input for next round */ 1260 input = output; 1261 inlen = hmac_outlen; 1262 1263 /* 1264 * Switch buffers to avoid overuse of memcpy. 1265 * Initially we used buffer[1], so after the end of 1266 * the first iteration (i==0), we switch to buffer[0] 1267 * and continue swapping with each iteration. 1268 */ 1269 output = buffer[i%2]; 1270 } 1271 cleanup: 1272 (void) pthread_mutex_lock(&session_p->session_mutex); 1273 session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE; 1274 (void) pthread_mutex_unlock(&session_p->session_mutex); 1275 1276 return (rv); 1277 } 1278 1279 static CK_RV 1280 soft_create_hmac_key(soft_session_t *session_p, CK_BYTE *passwd, 1281 CK_ULONG passwd_len, CK_OBJECT_HANDLE_PTR phKey) 1282 { 1283 CK_RV rv = CKR_OK; 1284 CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY; 1285 CK_KEY_TYPE keytype = CKK_GENERIC_SECRET; 1286 CK_BBOOL True = TRUE; 1287 CK_ATTRIBUTE keytemplate[4]; 1288 /* 1289 * We must initialize each template member individually 1290 * because at the time of initial coding for ON10, the 1291 * compiler was using the "-xc99=%none" option 1292 * which prevents us from being able to declare the whole 1293 * template in place as usual. 1294 */ 1295 keytemplate[0].type = CKA_CLASS; 1296 keytemplate[0].pValue = &keyclass; 1297 keytemplate[0].ulValueLen = sizeof (keyclass); 1298 1299 keytemplate[1].type = CKA_KEY_TYPE; 1300 keytemplate[1].pValue = &keytype; 1301 keytemplate[1].ulValueLen = sizeof (keytype); 1302 1303 keytemplate[2].type = CKA_SIGN; 1304 keytemplate[2].pValue = &True; 1305 keytemplate[2].ulValueLen = sizeof (True); 1306 1307 keytemplate[3].type = CKA_VALUE; 1308 keytemplate[3].pValue = passwd; 1309 keytemplate[3].ulValueLen = passwd_len; 1310 /* 1311 * Create a generic key object to be used for HMAC operations. 1312 * The "value" for this key is the password from the 1313 * mechanism parameter structure. 1314 */ 1315 rv = soft_gen_keyobject(keytemplate, 1316 sizeof (keytemplate)/sizeof (CK_ATTRIBUTE), phKey, session_p, 1317 CKO_SECRET_KEY, (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0, 1318 SOFT_CREATE_OBJ, B_TRUE); 1319 1320 return (rv); 1321 } 1322 1323 CK_RV 1324 soft_generate_pkcs5_pbkdf2_key(soft_session_t *session_p, 1325 CK_MECHANISM_PTR pMechanism, 1326 soft_object_t *secret_key) 1327 { 1328 CK_RV rv = CKR_OK; 1329 CK_PKCS5_PBKD2_PARAMS *params = 1330 (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter; 1331 CK_ULONG hLen = SHA1_HASH_SIZE; 1332 CK_ULONG dkLen, i; 1333 CK_ULONG blocks, remainder; 1334 CK_OBJECT_HANDLE phKey = 0; 1335 soft_object_t *hmac_key = NULL; 1336 CK_BYTE *salt = NULL; 1337 CK_BYTE *keydata = NULL; 1338 1339 params = (CK_PKCS5_PBKD2_PARAMS_PTR) pMechanism->pParameter; 1340 1341 if (params->prf != CKP_PKCS5_PBKD2_HMAC_SHA1) 1342 return (CKR_MECHANISM_PARAM_INVALID); 1343 1344 if (params->pPrfData != NULL || params->ulPrfDataLen != 0) 1345 return (CKR_DATA_INVALID); 1346 1347 if (params->saltSource != CKZ_SALT_SPECIFIED || 1348 params->iterations == 0) 1349 return (CKR_MECHANISM_PARAM_INVALID); 1350 1351 /* 1352 * Create a key object to use for HMAC operations. 1353 */ 1354 rv = soft_create_hmac_key(session_p, params->pPassword, 1355 *params->ulPasswordLen, &phKey); 1356 1357 if (rv != CKR_OK) 1358 return (rv); 1359 1360 hmac_key = (soft_object_t *)phKey; 1361 1362 /* Step 1. */ 1363 dkLen = OBJ_SEC_VALUE_LEN(secret_key); /* length of desired key */ 1364 1365 if (dkLen > ((((u_longlong_t)1)<<32)-1)*hLen) { 1366 (void) soft_delete_object(session_p, hmac_key, B_FALSE, 1367 B_FALSE); 1368 return (CKR_KEY_SIZE_RANGE); 1369 } 1370 1371 /* Step 2. */ 1372 blocks = dkLen / hLen; 1373 1374 /* crude "Ceiling" function to adjust the number of blocks to use */ 1375 if (blocks * hLen != dkLen) 1376 blocks++; 1377 1378 remainder = dkLen - ((blocks - 1) * hLen); 1379 1380 /* Step 3 */ 1381 salt = (CK_BYTE *)malloc(params->ulSaltSourceDataLen + 4); 1382 if (salt == NULL) { 1383 (void) soft_delete_object(session_p, hmac_key, B_FALSE, 1384 B_FALSE); 1385 return (CKR_HOST_MEMORY); 1386 } 1387 /* 1388 * Nothing in PKCS#5 says you cannot pass an empty 1389 * salt, so we will allow for this and not return error 1390 * if the salt is not specified. 1391 */ 1392 if (params->pSaltSourceData != NULL && params->ulSaltSourceDataLen > 0) 1393 (void) memcpy(salt, params->pSaltSourceData, 1394 params->ulSaltSourceDataLen); 1395 1396 /* 1397 * Get pointer to the data section of the key, 1398 * this will be used below as output from the 1399 * PRF iteration/concatenations so that when the 1400 * blocks are all iterated, the secret_key will 1401 * have the resulting derived key value. 1402 */ 1403 keydata = (CK_BYTE *)OBJ_SEC_VALUE(secret_key); 1404 1405 /* Step 4. */ 1406 for (i = 0; i < blocks && (rv == CKR_OK); i++) { 1407 CK_BYTE *s; 1408 1409 s = salt + params->ulSaltSourceDataLen; 1410 1411 /* 1412 * Append the block index to the salt as input 1413 * to the PRF. Block index should start at 1 1414 * not 0. 1415 */ 1416 *s++ = ((i+1) >> 24) & 0xff; 1417 *s++ = ((i+1) >> 16) & 0xff; 1418 *s++ = ((i+1) >> 8) & 0xff; 1419 *s = ((i+1)) & 0xff; 1420 1421 /* 1422 * Adjust the key pointer so we always append the 1423 * PRF output to the current key. 1424 */ 1425 rv = do_prf(session_p, params, hmac_key, 1426 salt, params->ulSaltSourceDataLen + 4, keydata, 1427 ((i + 1) == blocks ? remainder : hLen)); 1428 1429 keydata += hLen; 1430 } 1431 (void) soft_delete_object(session_p, hmac_key, B_FALSE, B_FALSE); 1432 free(salt); 1433 1434 return (rv); 1435 } 1436 1437 CK_RV 1438 soft_wrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 1439 soft_object_t *wrappingKey_p, soft_object_t *hkey_p, 1440 CK_BYTE_PTR pWrappedKey, CK_ULONG_PTR pulWrappedKeyLen) 1441 { 1442 CK_RV rv = CKR_OK; 1443 CK_ULONG plain_len = 0; 1444 CK_BYTE_PTR plain_data = NULL; 1445 CK_ULONG padded_len = 0; 1446 CK_BYTE_PTR padded_data = NULL; 1447 CK_ULONG wkey_blksz = 1; /* so modulo will work right */ 1448 1449 /* Check if the mechanism is supported. */ 1450 switch (pMechanism->mechanism) { 1451 case CKM_DES_CBC_PAD: 1452 case CKM_DES3_CBC_PAD: 1453 case CKM_AES_CBC_PAD: 1454 /* 1455 * Secret key mechs with padding can be used to wrap secret 1456 * keys and private keys only. See PKCS#11, * sec 11.14, 1457 * C_WrapKey and secs 12.* for each mechanism's wrapping/ 1458 * unwrapping constraints. 1459 */ 1460 if (hkey_p->class != CKO_SECRET_KEY && hkey_p->class != 1461 CKO_PRIVATE_KEY) 1462 return (CKR_MECHANISM_INVALID); 1463 break; 1464 case CKM_RSA_PKCS: 1465 case CKM_RSA_X_509: 1466 case CKM_DES_ECB: 1467 case CKM_DES3_ECB: 1468 case CKM_AES_ECB: 1469 case CKM_DES_CBC: 1470 case CKM_DES3_CBC: 1471 case CKM_AES_CBC: 1472 case CKM_AES_CTR: 1473 case CKM_BLOWFISH_CBC: 1474 /* 1475 * Unpadded secret key mechs and private key mechs are only 1476 * defined for wrapping secret keys. See PKCS#11 refs above. 1477 */ 1478 if (hkey_p->class != CKO_SECRET_KEY) 1479 return (CKR_MECHANISM_INVALID); 1480 break; 1481 default: 1482 return (CKR_MECHANISM_INVALID); 1483 } 1484 1485 if (hkey_p->class == CKO_SECRET_KEY) { 1486 plain_data = OBJ_SEC_VALUE(hkey_p); 1487 plain_len = OBJ_SEC_VALUE_LEN(hkey_p); 1488 } else { 1489 /* 1490 * BER-encode the object to be wrapped: call first with 1491 * plain_data = NULL to get the size needed, allocate that 1492 * much space, call again to fill space with actual data. 1493 */ 1494 rv = soft_object_to_asn1(hkey_p, NULL, &plain_len); 1495 if (rv != CKR_OK) 1496 return (rv); 1497 if ((plain_data = malloc(plain_len)) == NULL) 1498 return (CKR_HOST_MEMORY); 1499 (void) memset(plain_data, 0x0, plain_len); 1500 rv = soft_object_to_asn1(hkey_p, plain_data, &plain_len); 1501 if (rv != CKR_OK) 1502 goto cleanup_wrap; 1503 } 1504 1505 /* 1506 * For unpadded ECB and CBC mechanisms, the object needs to be 1507 * padded to the wrapping key's blocksize prior to the encryption. 1508 */ 1509 padded_len = plain_len; 1510 padded_data = plain_data; 1511 1512 switch (pMechanism->mechanism) { 1513 case CKM_DES_ECB: 1514 case CKM_DES3_ECB: 1515 case CKM_AES_ECB: 1516 case CKM_DES_CBC: 1517 case CKM_DES3_CBC: 1518 case CKM_AES_CBC: 1519 case CKM_BLOWFISH_CBC: 1520 /* Find the block size of the wrapping key. */ 1521 if (wrappingKey_p->class == CKO_SECRET_KEY) { 1522 switch (wrappingKey_p->key_type) { 1523 case CKK_DES: 1524 case CKK_DES2: 1525 case CKK_DES3: 1526 wkey_blksz = DES_BLOCK_LEN; 1527 break; 1528 case CKK_AES: 1529 wkey_blksz = AES_BLOCK_LEN; 1530 break; 1531 case CKK_BLOWFISH: 1532 wkey_blksz = BLOWFISH_BLOCK_LEN; 1533 break; 1534 default: 1535 break; 1536 } 1537 } else { 1538 rv = CKR_WRAPPING_KEY_TYPE_INCONSISTENT; 1539 goto cleanup_wrap; 1540 } 1541 1542 /* Extend the plain text data to block size boundary. */ 1543 if ((padded_len % wkey_blksz) != 0) { 1544 padded_len += (wkey_blksz - (plain_len % wkey_blksz)); 1545 if ((padded_data = malloc(padded_len)) == NULL) { 1546 rv = CKR_HOST_MEMORY; 1547 goto cleanup_wrap; 1548 } 1549 (void) memset(padded_data, 0x0, padded_len); 1550 (void) memcpy(padded_data, plain_data, plain_len); 1551 } 1552 break; 1553 default: 1554 break; 1555 } 1556 1557 rv = soft_encrypt_init(session_p, pMechanism, wrappingKey_p); 1558 if (rv != CKR_OK) 1559 goto cleanup_wrap; 1560 1561 rv = soft_encrypt(session_p, padded_data, padded_len, 1562 pWrappedKey, pulWrappedKeyLen); 1563 1564 cleanup_wrap: 1565 if (padded_data != NULL && padded_len != plain_len) { 1566 /* Clear buffer before returning to memory pool. */ 1567 (void) memset(padded_data, 0x0, padded_len); 1568 free(padded_data); 1569 } 1570 1571 if ((hkey_p->class != CKO_SECRET_KEY) && (plain_data != NULL)) { 1572 /* Clear buffer before returning to memory pool. */ 1573 (void) memset(plain_data, 0x0, plain_len); 1574 free(plain_data); 1575 } 1576 1577 return (rv); 1578 } 1579 1580 /* 1581 * Quick check for whether unwrapped key length is appropriate for key type 1582 * and whether it needs to be truncated (in case the wrapping function had 1583 * to pad the key prior to wrapping). 1584 */ 1585 static CK_RV 1586 soft_unwrap_secret_len_check(CK_KEY_TYPE keytype, CK_MECHANISM_TYPE mechtype, 1587 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount) 1588 { 1589 CK_ULONG i; 1590 boolean_t isValueLen = B_FALSE; 1591 1592 /* 1593 * Based on the key type and the mech used to unwrap, need to 1594 * determine if CKA_VALUE_LEN should or should not be specified. 1595 * PKCS#11 v2.11 restricts CKA_VALUE_LEN from being specified 1596 * for C_UnwrapKey for all mechs and key types, but v2.20 loosens 1597 * that restriction, perhaps because it makes it impossible to 1598 * determine the original length of unwrapped variable-length secret 1599 * keys, such as RC4, AES, and GENERIC_SECRET. These variable-length 1600 * secret keys would have been padded with trailing null-bytes so 1601 * that they could be successfully wrapped with *_ECB and *_CBC 1602 * mechanisms. Hence for unwrapping with these mechs, CKA_VALUE_LEN 1603 * must be specified. For unwrapping with other mechs, such as 1604 * *_CBC_PAD, the CKA_VALUE_LEN is not needed. 1605 */ 1606 1607 /* Find out if template has CKA_VALUE_LEN. */ 1608 for (i = 0; i < ulAttributeCount; i++) { 1609 if (pTemplate[i].type == CKA_VALUE_LEN && 1610 pTemplate[i].pValue != NULL) { 1611 isValueLen = B_TRUE; 1612 break; 1613 } 1614 } 1615 1616 /* Does its presence conflict with the mech type and key type? */ 1617 switch (mechtype) { 1618 case CKM_DES_ECB: 1619 case CKM_DES3_ECB: 1620 case CKM_AES_ECB: 1621 case CKM_DES_CBC: 1622 case CKM_DES3_CBC: 1623 case CKM_AES_CBC: 1624 case CKM_BLOWFISH_CBC: 1625 /* 1626 * CKA_VALUE_LEN must be specified 1627 * if keytype is CKK_RC4, CKK_AES and CKK_GENERIC_SECRET 1628 * and must not be specified otherwise 1629 */ 1630 switch (keytype) { 1631 case CKK_DES: 1632 case CKK_DES2: 1633 case CKK_DES3: 1634 if (isValueLen) 1635 return (CKR_TEMPLATE_INCONSISTENT); 1636 break; 1637 case CKK_GENERIC_SECRET: 1638 case CKK_RC4: 1639 case CKK_AES: 1640 case CKK_BLOWFISH: 1641 if (!isValueLen) 1642 return (CKR_TEMPLATE_INCOMPLETE); 1643 break; 1644 default: 1645 return (CKR_FUNCTION_NOT_SUPPORTED); 1646 } 1647 break; 1648 default: 1649 /* CKA_VALUE_LEN must not be specified */ 1650 if (isValueLen) 1651 return (CKR_TEMPLATE_INCONSISTENT); 1652 break; 1653 } 1654 1655 return (CKR_OK); 1656 } 1657 1658 CK_RV 1659 soft_unwrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 1660 soft_object_t *unwrappingkey_p, 1661 CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen, 1662 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, 1663 CK_OBJECT_HANDLE_PTR phKey) 1664 { 1665 CK_RV rv = CKR_OK; 1666 CK_OBJECT_CLASS new_obj_class = ~0UL; 1667 int i = 0; 1668 soft_object_t *new_objp = NULL; 1669 boolean_t persistent = B_FALSE; 1670 CK_BYTE_PTR plain_data = NULL; 1671 CK_ULONG plain_len = 0; 1672 secret_key_obj_t *sck = NULL; 1673 1674 /* Scan the attribute template for the object class. */ 1675 if (pTemplate != NULL && ulAttributeCount != 0) { 1676 for (i = 0; i < ulAttributeCount; i++) { 1677 if (pTemplate[i].type == CKA_CLASS) { 1678 new_obj_class = 1679 *((CK_OBJECT_CLASS *)pTemplate[i].pValue); 1680 break; 1681 } 1682 } 1683 if (new_obj_class == ~0UL) 1684 return (CKR_TEMPLATE_INCOMPLETE); 1685 } 1686 1687 /* 1688 * Check if the mechanism is supported, and now that the new 1689 * object's class is known, the mechanism selected should be 1690 * capable of doing the unwrap. 1691 */ 1692 switch (pMechanism->mechanism) { 1693 case CKM_RSA_PKCS: 1694 case CKM_RSA_X_509: 1695 case CKM_DES_ECB: 1696 case CKM_DES3_ECB: 1697 case CKM_AES_ECB: 1698 case CKM_DES_CBC: 1699 case CKM_DES3_CBC: 1700 case CKM_AES_CBC: 1701 case CKM_BLOWFISH_CBC: 1702 if (new_obj_class != CKO_SECRET_KEY) 1703 return (CKR_MECHANISM_INVALID); 1704 break; 1705 case CKM_DES_CBC_PAD: 1706 case CKM_DES3_CBC_PAD: 1707 case CKM_AES_CBC_PAD: 1708 if (new_obj_class != CKO_SECRET_KEY && new_obj_class != 1709 CKO_PRIVATE_KEY) 1710 return (CKR_MECHANISM_INVALID); 1711 break; 1712 default: 1713 return (CKR_MECHANISM_INVALID); 1714 } 1715 1716 /* Create a new object based on the attribute template. */ 1717 rv = soft_gen_keyobject(pTemplate, ulAttributeCount, 1718 (CK_ULONG *)&new_objp, session_p, (CK_OBJECT_CLASS)~0UL, 1719 (CK_KEY_TYPE)~0UL, 0, SOFT_UNWRAP_KEY, B_FALSE); 1720 if (rv != CKR_OK) 1721 return (rv); 1722 1723 /* 1724 * New key will have CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE 1725 * both set to FALSE. CKA_EXTRACTABLE will be set _by_default_ to 1726 * true -- leaving the possibility that it may be set FALSE by the 1727 * supplied attribute template. If the precise template cannot be 1728 * supported, unwrap fails. PKCS#11 spec, Sec. 11.14, C_UnwrapKey. 1729 * 1730 * Therefore, check the new object's NEVER_EXTRACTABLE_BOOL_ON and 1731 * ALWAYS_SENSITVE_BOOL_ON; if they are TRUE, the template must 1732 * have supplied them and therefore we cannot honor the unwrap. 1733 */ 1734 if ((new_objp->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) || 1735 (new_objp->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON)) { 1736 rv = CKR_TEMPLATE_INCONSISTENT; 1737 goto cleanup_unwrap; 1738 } 1739 1740 rv = soft_decrypt_init(session_p, pMechanism, unwrappingkey_p); 1741 if (rv != CKR_OK) 1742 goto cleanup_unwrap; 1743 1744 /* First get the length of the plain data */ 1745 rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, NULL, 1746 &plain_len); 1747 if (rv != CKR_OK) 1748 goto cleanup_unwrap; 1749 1750 /* Allocate space for the unwrapped data */ 1751 if ((plain_data = malloc(plain_len)) == NULL) { 1752 rv = CKR_HOST_MEMORY; 1753 goto cleanup_unwrap; 1754 } 1755 (void) memset(plain_data, 0x0, plain_len); 1756 1757 /* Perform actual decryption into the allocated space. */ 1758 rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, plain_data, 1759 &plain_len); 1760 if (rv != CKR_OK) 1761 goto cleanup_unwrap; 1762 1763 if (new_objp->class == CKO_SECRET_KEY) { 1764 /* 1765 * Since no ASN.1 encoding is done for secret keys, check for 1766 * appropriateness and copy decrypted buffer to the key object. 1767 */ 1768 1769 /* Check keytype and mechtype don't conflict with valuelen */ 1770 rv = soft_unwrap_secret_len_check(new_objp->key_type, 1771 pMechanism->mechanism, pTemplate, ulAttributeCount); 1772 if (rv != CKR_OK) 1773 goto cleanup_unwrap; 1774 1775 /* 1776 * Allocate the secret key structure if not already there; 1777 * it will exist for variable length keys since CKA_VALUE_LEN 1778 * is specified and saved, but not for fixed length keys. 1779 */ 1780 if (OBJ_SEC(new_objp) == NULL) { 1781 if ((sck = calloc(1, sizeof (secret_key_obj_t))) == 1782 NULL) { 1783 rv = CKR_HOST_MEMORY; 1784 goto cleanup_unwrap; 1785 } 1786 OBJ_SEC(new_objp) = sck; 1787 } 1788 1789 switch (new_objp->key_type) { 1790 /* Fixed length secret keys don't have CKA_VALUE_LEN */ 1791 case CKK_DES: 1792 OBJ_SEC_VALUE_LEN(new_objp) = DES_KEYSIZE; 1793 break; 1794 case CKK_DES2: 1795 OBJ_SEC_VALUE_LEN(new_objp) = DES2_KEYSIZE; 1796 break; 1797 case CKK_DES3: 1798 OBJ_SEC_VALUE_LEN(new_objp) = DES3_KEYSIZE; 1799 break; 1800 1801 /* 1802 * Variable length secret keys. CKA_VALUE_LEN must be 1803 * provided by the template when mech is *_ECB or *_CBC, and 1804 * should already have been set during soft_gen_keyobject(). 1805 * Otherwise we don't need CKA_VALUE_LEN. 1806 */ 1807 case CKK_GENERIC_SECRET: 1808 case CKK_RC4: 1809 case CKK_AES: 1810 case CKK_BLOWFISH: 1811 break; 1812 default: 1813 rv = CKR_WRAPPED_KEY_INVALID; 1814 goto cleanup_unwrap; 1815 }; 1816 1817 if (OBJ_SEC_VALUE_LEN(new_objp) == 0) { 1818 /* No CKA_VALUE_LEN set so set it now and save data */ 1819 OBJ_SEC_VALUE_LEN(new_objp) = plain_len; 1820 OBJ_SEC_VALUE(new_objp) = plain_data; 1821 } else if (OBJ_SEC_VALUE_LEN(new_objp) == plain_len) { 1822 /* No need to truncate, just save the data */ 1823 OBJ_SEC_VALUE(new_objp) = plain_data; 1824 } else if (OBJ_SEC_VALUE_LEN(new_objp) > plain_len) { 1825 /* Length can't be bigger than what was decrypted */ 1826 rv = CKR_WRAPPED_KEY_LEN_RANGE; 1827 goto cleanup_unwrap; 1828 } else { /* betw 0 and plain_len, hence padded */ 1829 /* Truncate the data before saving. */ 1830 OBJ_SEC_VALUE(new_objp) = realloc(plain_data, 1831 OBJ_SEC_VALUE_LEN(new_objp)); 1832 if (OBJ_SEC_VALUE(new_objp) == NULL) { 1833 rv = CKR_HOST_MEMORY; 1834 goto cleanup_unwrap; 1835 } 1836 } 1837 } else { 1838 /* BER-decode the object to be unwrapped. */ 1839 rv = soft_asn1_to_object(new_objp, plain_data, plain_len); 1840 if (rv != CKR_OK) 1841 goto cleanup_unwrap; 1842 } 1843 1844 /* If it needs to be persistent, write it to the keystore */ 1845 if (IS_TOKEN_OBJECT(new_objp)) { 1846 persistent = B_TRUE; 1847 rv = soft_put_object_to_keystore(new_objp); 1848 if (rv != CKR_OK) 1849 goto cleanup_unwrap; 1850 } 1851 1852 if (new_objp->class != CKO_SECRET_KEY) { 1853 /* Clear buffer before returning to memory pool. */ 1854 (void) memset(plain_data, 0x0, plain_len); 1855 free(plain_data); 1856 } 1857 1858 *phKey = (CK_OBJECT_HANDLE)new_objp; 1859 1860 return (CKR_OK); 1861 1862 cleanup_unwrap: 1863 /* The decrypted private key buffer must be freed explicitly. */ 1864 if ((new_objp->class != CKO_SECRET_KEY) && (plain_data != NULL)) { 1865 /* Clear buffer before returning to memory pool. */ 1866 (void) memset(plain_data, 0x0, plain_len); 1867 free(plain_data); 1868 } 1869 1870 /* sck and new_objp are indirectly free()d inside these functions */ 1871 if (IS_TOKEN_OBJECT(new_objp)) 1872 soft_delete_token_object(new_objp, persistent, B_FALSE); 1873 else 1874 soft_delete_object(session_p, new_objp, B_FALSE, B_FALSE); 1875 1876 return (rv); 1877 } 1878