xref: /titanic_50/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeysUtil.c (revision 8461248208fabd3a8230615f8615e5bf1b4dcdcb)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 #include <pthread.h>
30 #include <stdlib.h>
31 #include <string.h>
32 #include <strings.h>
33 #include <sys/types.h>
34 #include <security/cryptoki.h>
35 #include <aes_impl.h>
36 #include <des_impl.h>
37 #include <arcfour.h>
38 #include "softGlobal.h"
39 #include "softSession.h"
40 #include "softObject.h"
41 #include "softDSA.h"
42 #include "softRSA.h"
43 #include "softDH.h"
44 #include "softRandom.h"
45 #include "softMAC.h"
46 #include "softOps.h"
47 #include "softKeys.h"
48 #include "softKeystore.h"
49 #include "softSSL.h"
50 #include "softASN1.h"
51 
52 
53 #define	local_min(a, b)	((a) < (b) ? (a) : (b))
54 
55 static CK_RV
56 soft_pkcs12_pbe(soft_session_t *, CK_MECHANISM_PTR, soft_object_t *);
57 
58 /*
59  * Create a temporary key object struct by filling up its template attributes.
60  */
61 CK_RV
62 soft_gen_keyobject(CK_ATTRIBUTE_PTR pTemplate,  CK_ULONG ulCount,
63     CK_ULONG *objecthandle_p, soft_session_t *sp,
64     CK_OBJECT_CLASS class, CK_KEY_TYPE key_type, CK_ULONG keylen, CK_ULONG mode,
65     boolean_t internal)
66 {
67 
68 	CK_RV rv;
69 	soft_object_t *new_objp = NULL;
70 
71 	new_objp = calloc(1, sizeof (soft_object_t));
72 	if (new_objp == NULL) {
73 		return (CKR_HOST_MEMORY);
74 	}
75 
76 	new_objp->extra_attrlistp = NULL;
77 
78 	/*
79 	 * Validate attribute template and fill in the attributes
80 	 * in the soft_object_t.
81 	 */
82 	rv = soft_build_key(pTemplate, ulCount, new_objp, class, key_type,
83 	    keylen, mode);
84 	if (rv != CKR_OK) {
85 		goto fail_cleanup1;
86 	}
87 
88 	/*
89 	 * If generating a key is an internal request (i.e. not a C_XXX
90 	 * API request), then skip the following checks.
91 	 */
92 	if (!internal) {
93 		rv = soft_pin_expired_check(new_objp);
94 		if (rv != CKR_OK) {
95 			goto fail_cleanup2;
96 		}
97 
98 		rv = soft_object_write_access_check(sp, new_objp);
99 		if (rv != CKR_OK) {
100 			goto fail_cleanup2;
101 		}
102 	}
103 
104 	/* Initialize the rest of stuffs in soft_object_t. */
105 	(void) pthread_mutex_init(&new_objp->object_mutex, NULL);
106 	new_objp->magic_marker = SOFTTOKEN_OBJECT_MAGIC;
107 
108 	/* Write the new token object to the keystore */
109 	if (IS_TOKEN_OBJECT(new_objp)) {
110 		new_objp->version = 1;
111 		new_objp->session_handle = (CK_SESSION_HANDLE)NULL;
112 		soft_add_token_object_to_slot(new_objp);
113 		/*
114 		 * Type casting the address of an object struct to
115 		 * an object handle.
116 		 */
117 		*objecthandle_p = (CK_ULONG)new_objp;
118 
119 		return (CKR_OK);
120 	}
121 
122 	new_objp->session_handle = (CK_SESSION_HANDLE)sp;
123 
124 	/* Add the new object to the session's object list. */
125 	soft_add_object_to_session(new_objp, sp);
126 
127 	/* Type casting the address of an object struct to an object handle. */
128 	*objecthandle_p =  (CK_ULONG)new_objp;
129 
130 	return (CKR_OK);
131 
132 fail_cleanup2:
133 	/*
134 	 * When any error occurs after soft_build_key(), we will need to
135 	 * clean up the memory allocated by the soft_build_key().
136 	 */
137 	soft_cleanup_object(new_objp);
138 
139 fail_cleanup1:
140 	if (new_objp) {
141 		/*
142 		 * The storage allocated inside of this object should have
143 		 * been cleaned up by the soft_build_key() if it failed.
144 		 * Therefore, we can safely free the object.
145 		 */
146 		free(new_objp);
147 	}
148 
149 	return (rv);
150 }
151 
152 CK_RV
153 soft_genkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
154     CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey)
155 {
156 
157 	CK_RV rv = CKR_OK;
158 	soft_object_t *secret_key;
159 	CK_KEY_TYPE key_type;
160 	CK_ULONG keylen = 0;
161 	CK_ULONG i;
162 	int des_strength = 0;
163 	int retry = 0;
164 	int keyfound = 0;
165 	boolean_t is_ssl_mech = B_FALSE;
166 
167 	switch (pMechanism->mechanism) {
168 	case CKM_DES_KEY_GEN:
169 		key_type = CKK_DES;
170 		break;
171 
172 	case CKM_DES3_KEY_GEN:
173 		key_type = CKK_DES3;
174 		break;
175 
176 	case CKM_AES_KEY_GEN:
177 		key_type = CKK_AES;
178 		break;
179 
180 	case CKM_RC4_KEY_GEN:
181 		key_type = CKK_RC4;
182 		break;
183 
184 	case CKM_SSL3_PRE_MASTER_KEY_GEN:
185 	case CKM_TLS_PRE_MASTER_KEY_GEN:
186 		if (pMechanism->pParameter == NULL ||
187 		    pMechanism->ulParameterLen != sizeof (CK_VERSION))
188 			return (CKR_TEMPLATE_INCOMPLETE);
189 		is_ssl_mech = B_TRUE;
190 		key_type = CKK_GENERIC_SECRET;
191 		keylen = 48;
192 		break;
193 
194 	case CKM_PKCS5_PBKD2:
195 		keyfound = 0;
196 		for (i = 0; i < ulCount && !keyfound; i++) {
197 			if (pTemplate[i].type == CKA_KEY_TYPE &&
198 			    pTemplate[i].pValue != NULL) {
199 				key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue);
200 				keyfound = 1;
201 			}
202 		}
203 		if (!keyfound)
204 			return (CKR_TEMPLATE_INCOMPLETE);
205 		/*
206 		 * Make sure that parameters were given for this
207 		 * mechanism.
208 		 */
209 		if (pMechanism->pParameter == NULL ||
210 		    pMechanism->ulParameterLen !=
211 			sizeof (CK_PKCS5_PBKD2_PARAMS))
212 			return (CKR_TEMPLATE_INCOMPLETE);
213 		break;
214 
215 	case CKM_PBE_SHA1_RC4_128:
216 		keyfound = 0;
217 		for (i = 0; i < ulCount; i++) {
218 			if (pTemplate[i].type == CKA_KEY_TYPE &&
219 			    pTemplate[i].pValue != NULL) {
220 				key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue);
221 				keyfound = 1;
222 			}
223 			if (pTemplate[i].type == CKA_VALUE_LEN &&
224 			    pTemplate[i].pValue != NULL) {
225 				keylen = *((CK_ULONG*)pTemplate[i].pValue);
226 			}
227 		}
228 		/* If a keytype was specified, it had better be CKK_RC4 */
229 		if (keyfound && key_type != CKK_RC4)
230 			return (CKR_TEMPLATE_INCONSISTENT);
231 		else if (!keyfound)
232 			key_type = CKK_RC4;
233 
234 		/* If key length was specified, it better be 16 bytes */
235 		if (keylen != 0 && keylen != 16)
236 			return (CKR_TEMPLATE_INCONSISTENT);
237 
238 		/*
239 		 * Make sure that parameters were given for this
240 		 * mechanism.
241 		 */
242 		if (pMechanism->pParameter == NULL ||
243 		    pMechanism->ulParameterLen !=
244 			sizeof (CK_PBE_PARAMS))
245 			return (CKR_TEMPLATE_INCOMPLETE);
246 		break;
247 	default:
248 		return (CKR_MECHANISM_INVALID);
249 	}
250 
251 	/* Create a new object for secret key. */
252 	rv = soft_gen_keyobject(pTemplate, ulCount, phKey, session_p,
253 	    CKO_SECRET_KEY, key_type, keylen, SOFT_GEN_KEY, B_FALSE);
254 
255 	if (rv != CKR_OK) {
256 		return (rv);
257 	}
258 
259 	/* Obtain the secret object pointer. */
260 	secret_key = (soft_object_t *)*phKey;
261 
262 	switch (pMechanism->mechanism) {
263 	case CKM_DES_KEY_GEN:
264 		/*
265 		 * Set up key value len since it is not a required
266 		 * attribute for C_GenerateKey.
267 		 */
268 		keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
269 		des_strength = DES;
270 		break;
271 
272 	case CKM_DES3_KEY_GEN:
273 		/*
274 		 * Set up key value len since it is not a required
275 		 * attribute for C_GenerateKey.
276 		 */
277 		keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE;
278 		des_strength = DES3;
279 		break;
280 
281 	case CKM_SSL3_PRE_MASTER_KEY_GEN:
282 	case CKM_TLS_PRE_MASTER_KEY_GEN:
283 		secret_key->bool_attr_mask |= DERIVE_BOOL_ON;
284 	/* FALLTHRU */
285 
286 	case CKM_AES_KEY_GEN:
287 	case CKM_PBE_SHA1_RC4_128:
288 	case CKM_RC4_KEY_GEN:
289 		keylen = OBJ_SEC_VALUE_LEN(secret_key);
290 		break;
291 
292 	case CKM_PKCS5_PBKD2:
293 		/*
294 		 * PKCS#11 does not allow one to specify key
295 		 * sizes for DES and 3DES, so we must set it here
296 		 * when using PBKD2 algorithms.
297 		 */
298 		if (key_type == CKK_DES) {
299 			OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
300 			des_strength = DES;
301 		} else if (key_type == CKK_DES3) {
302 			OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE;
303 			des_strength = DES3;
304 		}
305 
306 		keylen = OBJ_SEC_VALUE_LEN(secret_key);
307 		break;
308 	}
309 
310 	if ((OBJ_SEC_VALUE(secret_key) = malloc(keylen)) == NULL) {
311 		if (IS_TOKEN_OBJECT(secret_key))
312 			soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
313 		else
314 			soft_delete_object(session_p, secret_key, B_FALSE);
315 
316 		return (CKR_HOST_MEMORY);
317 	}
318 	switch (pMechanism->mechanism) {
319 	case CKM_PBE_SHA1_RC4_128:
320 		/*
321 		 * Use the PBE algorithm described in PKCS#11 section
322 		 * 12.33 to derive the key.
323 		 */
324 		rv = soft_pkcs12_pbe(session_p, pMechanism, secret_key);
325 		break;
326 	case CKM_PKCS5_PBKD2:
327 		/* Generate keys using PKCS#5 PBKD2 algorithm */
328 		rv = soft_generate_pkcs5_pbkdf2_key(session_p, pMechanism,
329 					secret_key);
330 		if (rv == CKR_OK && des_strength > 0) {
331 			/* Perform weak key checking for DES and DES3. */
332 			if (des_keycheck(OBJ_SEC_VALUE(secret_key),
333 			    des_strength, OBJ_SEC_VALUE(secret_key)) ==
334 			    B_FALSE) {
335 				/* We got a weak secret key. */
336 				rv = CKR_FUNCTION_FAILED;
337 			}
338 		}
339 		break;
340 	default:
341 		do {
342 			rv = soft_random_generator(
343 				OBJ_SEC_VALUE(secret_key), keylen, B_FALSE);
344 
345 			/* If this fails, bail out */
346 			if (rv != CKR_OK)
347 				break;
348 
349 			/* Perform weak key checking for DES and DES3. */
350 			if (des_strength > 0) {
351 				rv = CKR_OK;
352 				if (des_keycheck(OBJ_SEC_VALUE(secret_key),
353 				    des_strength, OBJ_SEC_VALUE(secret_key)) ==
354 				    B_FALSE) {
355 					/* We got a weak key, retry! */
356 					retry++;
357 					rv = CKR_FUNCTION_FAILED;
358 				}
359 			}
360 			/*
361 			 * Copy over the SSL client version For SSL mechs
362 			 * The first two bytes of the key is the version
363 			 */
364 			if (is_ssl_mech)
365 				bcopy(pMechanism->pParameter,
366 				    OBJ_SEC_VALUE(secret_key),
367 				    sizeof (CK_VERSION));
368 
369 		} while (rv != CKR_OK && retry < KEYGEN_RETRY);
370 		if (retry == KEYGEN_RETRY)
371 			rv = CKR_FUNCTION_FAILED;
372 		break;
373 	}
374 
375 	if (rv != CKR_OK)
376 		if (IS_TOKEN_OBJECT(secret_key))
377 			soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
378 		else
379 			soft_delete_object(session_p, secret_key, B_FALSE);
380 
381 	if (IS_TOKEN_OBJECT(secret_key)) {
382 		/*
383 		 * All the info has been filled, so we can write to
384 		 * keystore now.
385 		 */
386 		rv = soft_put_object_to_keystore(secret_key);
387 		if (rv != CKR_OK)
388 			soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
389 	}
390 
391 	return (rv);
392 }
393 
394 CK_RV
395 soft_genkey_pair(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
396     CK_ATTRIBUTE_PTR pPublicKeyTemplate, CK_ULONG ulPublicAttrCount,
397     CK_ATTRIBUTE_PTR pPrivateKeyTemplate, CK_ULONG ulPrivateAttrCount,
398     CK_OBJECT_HANDLE_PTR phPublicKey, CK_OBJECT_HANDLE_PTR phPrivateKey)
399 {
400 
401 	CK_RV rv;
402 	soft_object_t *public_key, *private_key;
403 	CK_KEY_TYPE key_type;
404 
405 	switch (pMechanism->mechanism) {
406 
407 	case CKM_RSA_PKCS_KEY_PAIR_GEN:
408 		key_type = CKK_RSA;
409 		break;
410 
411 	case CKM_DSA_KEY_PAIR_GEN:
412 		key_type = CKK_DSA;
413 		break;
414 
415 	case CKM_DH_PKCS_KEY_PAIR_GEN:
416 		key_type = CKK_DH;
417 		break;
418 
419 	default:
420 		return (CKR_MECHANISM_INVALID);
421 	}
422 
423 	/* Create a new object for public key. */
424 	rv = soft_gen_keyobject(pPublicKeyTemplate, ulPublicAttrCount,
425 	    phPublicKey, session_p, CKO_PUBLIC_KEY, key_type, 0,
426 	    SOFT_GEN_KEY, B_FALSE);
427 
428 	if (rv != CKR_OK) {
429 		return (rv);
430 	}
431 
432 	/* Obtain the public object pointer. */
433 	public_key = (soft_object_t *)*phPublicKey;
434 
435 	/* Create a new object for private key. */
436 	rv = soft_gen_keyobject(pPrivateKeyTemplate, ulPrivateAttrCount,
437 	    phPrivateKey, session_p, CKO_PRIVATE_KEY, key_type, 0,
438 	    SOFT_GEN_KEY, B_FALSE);
439 
440 	if (rv != CKR_OK) {
441 		/*
442 		 * Both public key and private key must be successful.
443 		 */
444 		if (IS_TOKEN_OBJECT(public_key))
445 			soft_delete_token_object(public_key, B_FALSE, B_FALSE);
446 		else
447 			soft_delete_object(session_p, public_key, B_FALSE);
448 		return (rv);
449 	}
450 
451 	/* Obtain the private object pointer. */
452 	private_key = (soft_object_t *)*phPrivateKey;
453 
454 	/*
455 	 * At this point, both public key and private key objects
456 	 * are settled with the application specified attributes.
457 	 * We are ready to generate the rest of key attributes based
458 	 * on the existing attributes.
459 	 */
460 
461 	switch (key_type) {
462 	case CKK_RSA:
463 		rv = soft_rsa_genkey_pair(public_key, private_key);
464 		break;
465 
466 	case CKK_DSA:
467 		rv = soft_dsa_genkey_pair(public_key, private_key);
468 		break;
469 
470 	case CKK_DH:
471 		rv = soft_dh_genkey_pair(public_key, private_key);
472 		private_key->bool_attr_mask |= DERIVE_BOOL_ON;
473 		break;
474 	}
475 
476 	if (rv != CKR_OK) {
477 		if (IS_TOKEN_OBJECT(public_key)) {
478 			soft_delete_token_object(public_key, B_FALSE, B_FALSE);
479 			soft_delete_token_object(private_key, B_FALSE, B_FALSE);
480 		} else {
481 			soft_delete_object(session_p, public_key, B_FALSE);
482 			soft_delete_object(session_p, private_key, B_FALSE);
483 		}
484 	}
485 
486 	if (IS_TOKEN_OBJECT(public_key)) {
487 		/*
488 		 * All the info has been filled, so we can write to
489 		 * keystore now.
490 		 */
491 		rv = soft_put_object_to_keystore(public_key);
492 		if (rv != CKR_OK) {
493 			soft_delete_token_object(public_key, B_FALSE, B_FALSE);
494 			soft_delete_token_object(private_key, B_FALSE, B_FALSE);
495 		}
496 	}
497 
498 	if (IS_TOKEN_OBJECT(private_key)) {
499 		rv = soft_put_object_to_keystore(private_key);
500 		if (rv != CKR_OK) {
501 			/*
502 			 * We also need to delete the public token object
503 			 * from keystore.
504 			 */
505 			soft_delete_token_object(public_key, B_TRUE, B_FALSE);
506 			soft_delete_token_object(private_key, B_FALSE, B_FALSE);
507 		}
508 	}
509 
510 	return (rv);
511 }
512 
513 
514 CK_RV
515 soft_key_derive_check_length(soft_object_t *secret_key, CK_ULONG max_keylen)
516 {
517 
518 	switch (secret_key->key_type) {
519 	case CKK_GENERIC_SECRET:
520 		if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
521 			OBJ_SEC_VALUE_LEN(secret_key) = max_keylen;
522 			return (CKR_OK);
523 		} else if (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen) {
524 			return (CKR_ATTRIBUTE_VALUE_INVALID);
525 		}
526 		break;
527 	case CKK_RC4:
528 	case CKK_AES:
529 		if ((OBJ_SEC_VALUE_LEN(secret_key) == 0) ||
530 			(OBJ_SEC_VALUE_LEN(secret_key) > max_keylen)) {
531 			/* RC4 and AES has variable key length */
532 			return (CKR_ATTRIBUTE_VALUE_INVALID);
533 		}
534 		break;
535 	case CKK_DES:
536 		if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
537 			/* DES has a well-defined length */
538 			OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
539 			return (CKR_OK);
540 		} else if (OBJ_SEC_VALUE_LEN(secret_key) != DES_KEYSIZE) {
541 			return (CKR_ATTRIBUTE_VALUE_INVALID);
542 		}
543 		break;
544 	case CKK_DES2:
545 		if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
546 			/* DES2 has a well-defined length */
547 			OBJ_SEC_VALUE_LEN(secret_key) = DES2_KEYSIZE;
548 			return (CKR_OK);
549 		} else if (OBJ_SEC_VALUE_LEN(secret_key) != DES2_KEYSIZE) {
550 			return (CKR_ATTRIBUTE_VALUE_INVALID);
551 		}
552 		break;
553 
554 	default:
555 		return (CKR_MECHANISM_INVALID);
556 	}
557 
558 	return (CKR_OK);
559 }
560 
561 /*
562  * PKCS#11 (12.33) says that v = 512 bits (64 bytes) for SHA1
563  * PBE methods.
564  */
565 #define	PKCS12_BUFFER_SIZE 64
566 /*
567  * PKCS#12 defines 3 different ID bytes to be used for
568  * deriving keys for different operations.
569  */
570 #define	PBE_ID_ENCRYPT	1
571 #define	PBE_ID_IV	2
572 #define	PBE_ID_MAC	3
573 #define	PBE_CEIL(a, b)	(((a)/(b)) + (((a)%(b)) > 0))
574 
575 static CK_RV
576 soft_pkcs12_pbe(soft_session_t *session_p,
577 		CK_MECHANISM_PTR pMechanism,
578 		soft_object_t *derived_key)
579 {
580 	CK_RV rv = CKR_OK;
581 	CK_PBE_PARAMS *params = pMechanism->pParameter;
582 	CK_ULONG c, i, j, k;
583 	CK_ULONG hashSize;
584 	CK_ULONG buffSize;
585 	/*
586 	 * Terse variable names are used to make following
587 	 * the PKCS#12 spec easier.
588 	 */
589 	CK_BYTE *A = NULL;
590 	CK_BYTE *Ai = NULL;
591 	CK_BYTE *B = NULL;
592 	CK_BYTE *D = NULL;
593 	CK_BYTE *I = NULL, *S, *P;
594 	CK_BYTE *keybuf = NULL;
595 	CK_ULONG Alen, Ilen, Slen, Plen, AiLen, Blen, Dlen;
596 	CK_ULONG keysize = OBJ_SEC_VALUE_LEN(derived_key);
597 	CK_MECHANISM digest_mech;
598 
599 	/* U = hash function output bits */
600 	if (pMechanism->mechanism == CKM_PBE_SHA1_RC4_128) {
601 		hashSize = SHA1_HASH_SIZE;
602 		buffSize = PKCS12_BUFFER_SIZE;
603 		digest_mech.mechanism = CKM_SHA_1;
604 		digest_mech.pParameter = NULL;
605 		digest_mech.ulParameterLen = 0;
606 	} else {
607 		/* we only support 1 PBE mech for now */
608 		return (CKR_MECHANISM_INVALID);
609 	}
610 	keybuf = OBJ_SEC_VALUE(derived_key);
611 
612 	Blen = Dlen = buffSize;
613 	D = (CK_BYTE *)malloc(Dlen);
614 	if (D == NULL) {
615 		rv = CKR_HOST_MEMORY;
616 		goto cleanup;
617 	}
618 
619 	B = (CK_BYTE *)malloc(Blen);
620 	if (B == NULL) {
621 		rv = CKR_HOST_MEMORY;
622 		goto cleanup;
623 	}
624 
625 	/*
626 	 * Initialize some values and create some buffers
627 	 * that we need later.
628 	 *
629 	 * Slen = buffSize * CEIL(SaltLength/buffSize)
630 	 */
631 	Slen = buffSize * PBE_CEIL(params->ulSaltLen, buffSize);
632 
633 	/*
634 	 * Plen = buffSize * CEIL(PasswordLength/buffSize)
635 	 */
636 	Plen = buffSize * PBE_CEIL(params->ulPasswordLen, buffSize);
637 
638 	/*
639 	 * From step 4: I = S + P, so: Ilen = Slen + Plen
640 	 */
641 	Ilen = Slen + Plen;
642 	I = (CK_BYTE *)malloc(Ilen);
643 	if (I == NULL) {
644 		rv = CKR_HOST_MEMORY;
645 		goto cleanup;
646 	}
647 
648 	S = I;
649 	P = I + Slen;
650 
651 	/*
652 	 * Step 1.
653 	 * We are only interested in deriving keys for encrypt/decrypt
654 	 * for now, so construct the "D"iversifier accordingly.
655 	 */
656 	(void) memset(D, PBE_ID_ENCRYPT, Dlen);
657 
658 	/*
659 	 * Step 2.
660 	 * Concatenate copies of the salt together to make S.
661 	 */
662 	for (i = 0; i < Slen; i += params->ulSaltLen) {
663 		(void) memcpy(S+i, params->pSalt,
664 			((Slen - i) > params->ulSaltLen ?
665 			params->ulSaltLen : (Slen - i)));
666 	}
667 
668 	/*
669 	 * Step 3.
670 	 * Concatenate copies of the password together to make
671 	 * a string P.
672 	 */
673 	for (i = 0; i < Plen; i += params->ulPasswordLen) {
674 		(void) memcpy(P+i, params->pPassword,
675 			((Plen - i) > params->ulPasswordLen ?
676 			params->ulPasswordLen : (Plen - i)));
677 	}
678 
679 	/*
680 	 * Step 4.
681 	 * I = S+P - this is now done because S and P are
682 	 * pointers into I.
683 	 *
684 	 * Step 5.
685 	 * c= CEIL[n/u]
686 	 * where n = pseudorandom bits of output desired.
687 	 */
688 	c = PBE_CEIL(keysize, hashSize);
689 
690 	/*
691 	 * Step 6.
692 	 */
693 	Alen = c * hashSize;
694 	A = (CK_BYTE *)malloc(Alen);
695 	if (A == NULL) {
696 		rv = CKR_HOST_MEMORY;
697 		goto cleanup;
698 	}
699 	AiLen = hashSize;
700 	Ai = (CK_BYTE *)malloc(AiLen);
701 	if (Ai == NULL) {
702 		rv = CKR_HOST_MEMORY;
703 		goto cleanup;
704 	}
705 
706 	/*
707 	 * Step 6a.
708 	 * Ai = Hr(D+I)
709 	 */
710 	for (i = 0; i < c; i++) {
711 		(void) pthread_mutex_lock(&session_p->session_mutex);
712 
713 		if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) {
714 			(void) pthread_mutex_unlock(&session_p->session_mutex);
715 			rv = CKR_OPERATION_ACTIVE;
716 			goto cleanup;
717 		}
718 		session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE;
719 		(void) pthread_mutex_unlock(&session_p->session_mutex);
720 
721 		for (j = 0; j < params->ulIteration; j++) {
722 			rv = soft_digest_init(session_p, &digest_mech);
723 			if (rv != CKR_OK)
724 				goto digest_done;
725 
726 			if (j == 0) {
727 				rv = soft_digest_update(session_p, D,
728 					Dlen);
729 				if (rv != CKR_OK)
730 					goto digest_done;
731 
732 				rv = soft_digest_update(session_p, I,
733 					Ilen);
734 			} else {
735 				rv = soft_digest_update(session_p,
736 					Ai, AiLen);
737 			}
738 			if (rv != CKR_OK)
739 				goto digest_done;
740 
741 			rv = soft_digest_final(session_p, Ai, &AiLen);
742 			if (rv != CKR_OK)
743 				goto digest_done;
744 		}
745 digest_done:
746 		(void) pthread_mutex_lock(&session_p->session_mutex);
747 		session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE;
748 		(void) pthread_mutex_unlock(&session_p->session_mutex);
749 
750 		if (rv != CKR_OK)
751 			goto cleanup;
752 		/*
753 		 * Step 6b.
754 		 * Concatenate Ai to make B
755 		 */
756 		for (j = 0; j < Blen; j += hashSize) {
757 			(void) memcpy(B+j, Ai, ((Blen - j > hashSize) ?
758 				hashSize : Blen - j));
759 		}
760 
761 		/*
762 		 * Step 6c.
763 		 */
764 		k = Ilen / Blen;
765 		for (j = 0; j < k; j++) {
766 			uchar_t idx;
767 			CK_ULONG m, q = 1, cbit = 0;
768 
769 			for (m = Blen - 1; m >= (CK_ULONG)0; m--, q = 0) {
770 				idx = m + j*Blen;
771 
772 				q += (CK_ULONG)I[idx] + (CK_ULONG)B[m];
773 				q += cbit;
774 				I[idx] = (CK_BYTE)(q & 0xff);
775 				cbit = (q > 0xff);
776 			}
777 		}
778 
779 		/*
780 		 * Step 7.
781 		 *  A += Ai
782 		 */
783 		(void) memcpy(A + i*hashSize, Ai, AiLen);
784 	}
785 
786 	/*
787 	 * Step 8.
788 	 * The final output of this process is the A buffer
789 	 */
790 	(void) memcpy(keybuf, A, keysize);
791 
792 cleanup:
793 	if (A) {
794 		bzero(A, Alen);
795 		free(A);
796 	}
797 	if (Ai) {
798 		bzero(Ai, AiLen);
799 		free(Ai);
800 	}
801 	if (B) {
802 		bzero(B, Blen);
803 		free(B);
804 	}
805 	if (D) {
806 		bzero(D, Dlen);
807 		free(D);
808 	}
809 	if (I) {
810 		bzero(I, Ilen);
811 		free(I);
812 	}
813 	return (rv);
814 }
815 
816 CK_RV
817 soft_derivekey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
818     soft_object_t *basekey_p, CK_ATTRIBUTE_PTR pTemplate,
819     CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey)
820 {
821 
822 	CK_RV rv = CKR_OK;
823 	soft_object_t *secret_key;
824 	CK_BYTE *public_value;
825 	CK_ULONG public_value_len;
826 	CK_MECHANISM digest_mech;
827 	CK_BYTE hash[SHA1_HASH_SIZE];  /* space enough for SHA1 and MD5 */
828 	CK_ULONG hash_len = SHA1_HASH_SIZE;
829 	CK_ULONG secret_key_len;
830 	CK_ULONG hash_size;
831 
832 	switch (pMechanism->mechanism) {
833 
834 	case CKM_DH_PKCS_DERIVE:
835 		/* Get public value and value_len from the parameters. */
836 		public_value = (CK_BYTE *)(pMechanism->pParameter);
837 		public_value_len = pMechanism->ulParameterLen;
838 
839 		if (phKey == NULL_PTR)
840 			return (CKR_ARGUMENTS_BAD);
841 		/*
842 		 * Create a new object for secret key. The key type should
843 		 * be provided in the template.
844 		 */
845 		rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
846 		    phKey, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL, 0,
847 		    SOFT_DERIVE_KEY_DH, B_FALSE);
848 
849 		if (rv != CKR_OK) {
850 			return (rv);
851 		}
852 
853 		/* Obtain the secret object pointer. */
854 		secret_key = (soft_object_t *)*phKey;
855 
856 		rv = soft_dh_key_derive(basekey_p, secret_key, public_value,
857 			public_value_len);
858 
859 		if (rv != CKR_OK) {
860 			if (IS_TOKEN_OBJECT(secret_key))
861 				soft_delete_token_object(secret_key, B_FALSE,
862 				    B_FALSE);
863 			else
864 				soft_delete_object(session_p, secret_key,
865 				    B_FALSE);
866 			return (rv);
867 		}
868 
869 		break;
870 
871 	case CKM_SHA1_KEY_DERIVATION:
872 		hash_size = SHA1_HASH_SIZE;
873 		digest_mech.mechanism = CKM_SHA_1;
874 		goto common;
875 
876 	case CKM_MD5_KEY_DERIVATION:
877 		hash_size = MD5_HASH_SIZE;
878 		digest_mech.mechanism = CKM_MD5;
879 common:
880 		/*
881 		 * Create a new object for secret key. The key type is optional
882 		 * to be provided in the template. If it is not specified in
883 		 * the template, the default is CKK_GENERIC_SECRET.
884 		 */
885 		if (phKey == NULL_PTR)
886 			return (CKR_ARGUMENTS_BAD);
887 
888 		rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
889 		    phKey, session_p, CKO_SECRET_KEY,
890 		    (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0,
891 		    SOFT_DERIVE_KEY_OTHER, B_FALSE);
892 
893 		if (rv != CKR_OK) {
894 			return (rv);
895 		}
896 
897 		/* Obtain the secret object pointer. */
898 		secret_key = (soft_object_t *)*phKey;
899 
900 		/* Validate the key type and key length */
901 		rv = soft_key_derive_check_length(secret_key, hash_size);
902 		if (rv != CKR_OK) {
903 			if (IS_TOKEN_OBJECT(secret_key))
904 				soft_delete_token_object(secret_key, B_FALSE,
905 				    B_FALSE);
906 			else
907 				soft_delete_object(session_p, secret_key,
908 				    B_FALSE);
909 			return (rv);
910 		}
911 
912 		/*
913 		 * Derive the secret key by digesting the value of another
914 		 * secret key (base key) with SHA-1 or MD5.
915 		 */
916 		rv = soft_digest_init_internal(session_p, &digest_mech);
917 		if (rv != CKR_OK) {
918 			if (IS_TOKEN_OBJECT(secret_key))
919 				soft_delete_token_object(secret_key, B_FALSE,
920 				    B_FALSE);
921 			else
922 				soft_delete_object(session_p, secret_key,
923 				    B_FALSE);
924 			return (rv);
925 		}
926 
927 		rv = soft_digest(session_p, OBJ_SEC_VALUE(basekey_p),
928 			OBJ_SEC_VALUE_LEN(basekey_p), hash, &hash_len);
929 
930 		(void) pthread_mutex_lock(&session_p->session_mutex);
931 		/* soft_digest_common() has freed the digest context */
932 		session_p->digest.flags = 0;
933 		(void) pthread_mutex_unlock(&session_p->session_mutex);
934 
935 		if (rv != CKR_OK) {
936 			if (IS_TOKEN_OBJECT(secret_key))
937 				soft_delete_token_object(secret_key, B_FALSE,
938 				    B_FALSE);
939 			else
940 				soft_delete_object(session_p, secret_key,
941 				    B_FALSE);
942 			return (rv);
943 		}
944 
945 		secret_key_len = OBJ_SEC_VALUE_LEN(secret_key);
946 
947 		if ((OBJ_SEC_VALUE(secret_key) = malloc(secret_key_len)) ==
948 		    NULL) {
949 			if (IS_TOKEN_OBJECT(secret_key))
950 				soft_delete_token_object(secret_key, B_FALSE,
951 				    B_FALSE);
952 			else
953 				soft_delete_object(session_p, secret_key,
954 				    B_FALSE);
955 			return (CKR_HOST_MEMORY);
956 		}
957 
958 		/*
959 		 * The key produced by this mechanism will be of the
960 		 * specified type and length.
961 		 * The truncation removes extra bytes from the leading
962 		 * of the digested key value.
963 		 */
964 		(void) memcpy(OBJ_SEC_VALUE(secret_key),
965 		    (hash + hash_len - secret_key_len),
966 		    secret_key_len);
967 
968 		break;
969 
970 	/*
971 	 * The key sensitivity and extractability rules for the generated
972 	 * keys will be enforced inside soft_ssl_master_key_derive() and
973 	 * soft_ssl_key_and_mac_derive()
974 	 */
975 	case CKM_SSL3_MASTER_KEY_DERIVE:
976 	case CKM_SSL3_MASTER_KEY_DERIVE_DH:
977 	case CKM_TLS_MASTER_KEY_DERIVE:
978 	case CKM_TLS_MASTER_KEY_DERIVE_DH:
979 		if (phKey == NULL_PTR)
980 			return (CKR_ARGUMENTS_BAD);
981 		return (soft_ssl_master_key_derive(session_p, pMechanism,
982 		    basekey_p, pTemplate, ulAttributeCount, phKey));
983 
984 	case CKM_SSL3_KEY_AND_MAC_DERIVE:
985 	case CKM_TLS_KEY_AND_MAC_DERIVE:
986 		return (soft_ssl_key_and_mac_derive(session_p, pMechanism,
987 		    basekey_p, pTemplate, ulAttributeCount));
988 
989 	default:
990 		return (CKR_MECHANISM_INVALID);
991 	}
992 
993 	soft_derive_enforce_flags(basekey_p, secret_key);
994 
995 	if (IS_TOKEN_OBJECT(secret_key)) {
996 		/*
997 		 * All the info has been filled, so we can write to
998 		 * keystore now.
999 		 */
1000 		rv = soft_put_object_to_keystore(secret_key);
1001 		if (rv != CKR_OK)
1002 			soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
1003 	}
1004 
1005 	return (rv);
1006 }
1007 
1008 
1009 /*
1010  * Perform key derivation rules on key's sensitivity and extractability.
1011  */
1012 void
1013 soft_derive_enforce_flags(soft_object_t *basekey, soft_object_t *newkey)
1014 {
1015 
1016 	boolean_t new_sensitive = B_FALSE;
1017 	boolean_t new_extractable = B_FALSE;
1018 
1019 	/*
1020 	 * The sensitive and extractable bits have been set when
1021 	 * the newkey was built.
1022 	 */
1023 	if (newkey->bool_attr_mask & SENSITIVE_BOOL_ON) {
1024 		new_sensitive = B_TRUE;
1025 	}
1026 
1027 	if (newkey->bool_attr_mask & EXTRACTABLE_BOOL_ON) {
1028 		new_extractable = B_TRUE;
1029 	}
1030 
1031 	/* Derive the CKA_ALWAYS_SENSITIVE flag */
1032 	if (!basekey->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON) {
1033 		/*
1034 		 * If the base key has its CKA_ALWAYS_SENSITIVE set to
1035 		 * FALSE, then the derived key will as well.
1036 		 */
1037 		newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON;
1038 	} else {
1039 		/*
1040 		 * If the base key has its CKA_ALWAYS_SENSITIVE set to TRUE,
1041 		 * then the derived key has the CKA_ALWAYS_SENSITIVE set to
1042 		 * the same value as its CKA_SENSITIVE;
1043 		 */
1044 		if (new_sensitive) {
1045 			newkey->bool_attr_mask |= ALWAYS_SENSITIVE_BOOL_ON;
1046 		} else {
1047 			newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON;
1048 		}
1049 	}
1050 
1051 	/* Derive the CKA_NEVER_EXTRACTABLE flag */
1052 	if (!basekey->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) {
1053 		/*
1054 		 * If the base key has its CKA_NEVER_EXTRACTABLE set to
1055 		 * FALSE, then the derived key will as well.
1056 		 */
1057 		newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON;
1058 	} else {
1059 		/*
1060 		 * If the base key has its CKA_NEVER_EXTRACTABLE set to TRUE,
1061 		 * then the derived key has the CKA_NEVER_EXTRACTABLE set to
1062 		 * the opposite value from its CKA_EXTRACTABLE;
1063 		 */
1064 		if (new_extractable) {
1065 			newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON;
1066 		} else {
1067 			newkey->bool_attr_mask |= NEVER_EXTRACTABLE_BOOL_ON;
1068 		}
1069 	}
1070 
1071 	/* Set the CKA_LOCAL flag to false */
1072 	newkey->bool_attr_mask &= ~LOCAL_BOOL_ON;
1073 }
1074 
1075 
1076 /*
1077  * do_prf
1078  *
1079  * This routine implements Step 3. of the PBKDF2 function
1080  * defined in PKCS#5 for generating derived keys from a
1081  * password.
1082  *
1083  * Currently, PRF is always SHA_1_HMAC.
1084  */
1085 static CK_RV
1086 do_prf(soft_session_t *session_p,
1087 	CK_PKCS5_PBKD2_PARAMS_PTR params,
1088 	soft_object_t *hmac_key,
1089 	CK_BYTE *newsalt, CK_ULONG saltlen,
1090 	CK_BYTE *blockdata, CK_ULONG blocklen)
1091 {
1092 	CK_RV rv = CKR_OK;
1093 	CK_MECHANISM digest_mech = {CKM_SHA_1_HMAC, NULL, 0};
1094 	CK_BYTE buffer[2][SHA1_HASH_SIZE];
1095 	CK_ULONG hmac_outlen = SHA1_HASH_SIZE;
1096 	CK_ULONG inlen;
1097 	CK_BYTE *input, *output;
1098 	CK_ULONG i, j;
1099 
1100 	input = newsalt;
1101 	inlen = saltlen;
1102 
1103 	output = buffer[1];
1104 	(void) pthread_mutex_lock(&session_p->session_mutex);
1105 
1106 	if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) {
1107 		(void) pthread_mutex_unlock(&session_p->session_mutex);
1108 		return (CKR_OPERATION_ACTIVE);
1109 	}
1110 	session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE;
1111 	(void) pthread_mutex_unlock(&session_p->session_mutex);
1112 
1113 	for (i = 0; i < params->iterations; i++) {
1114 		/*
1115 		 * The key doesn't change, its always the
1116 		 * password iniitally given.
1117 		 */
1118 		rv = soft_sign_init(session_p, &digest_mech, hmac_key);
1119 
1120 		if (rv != CKR_OK) {
1121 			goto cleanup;
1122 		}
1123 
1124 		/* Call PRF function (SHA1_HMAC for now). */
1125 		rv = soft_sign(session_p, input, inlen,
1126 			output, &hmac_outlen);
1127 
1128 		if (rv != CKR_OK) {
1129 			goto cleanup;
1130 		}
1131 		/*
1132 		 * The first time, initialize the output buffer
1133 		 * with the HMAC signature.
1134 		 */
1135 		if (i == 0) {
1136 			(void) memcpy(blockdata, output,
1137 				local_min(blocklen, hmac_outlen));
1138 		} else {
1139 			/*
1140 			 * XOR the existing data with output from PRF.
1141 			 *
1142 			 * Only XOR up to the length of the blockdata,
1143 			 * it may be less than a full hmac buffer when
1144 			 * the final block is being computed.
1145 			 */
1146 			for (j = 0; j < hmac_outlen && j < blocklen; j++)
1147 				blockdata[j] ^= output[j];
1148 		}
1149 		/* Output from previous PRF is input for next round */
1150 		input = output;
1151 		inlen = hmac_outlen;
1152 
1153 		/*
1154 		 * Switch buffers to avoid overuse of memcpy.
1155 		 * Initially we used buffer[1], so after the end of
1156 		 * the first iteration (i==0), we switch to buffer[0]
1157 		 * and continue swapping with each iteration.
1158 		 */
1159 		output = buffer[i%2];
1160 	}
1161 cleanup:
1162 	(void) pthread_mutex_lock(&session_p->session_mutex);
1163 	session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE;
1164 	(void) pthread_mutex_unlock(&session_p->session_mutex);
1165 
1166 	return (rv);
1167 }
1168 
1169 static CK_RV
1170 soft_create_hmac_key(soft_session_t *session_p,  CK_BYTE *passwd,
1171 		CK_ULONG passwd_len, CK_OBJECT_HANDLE_PTR phKey)
1172 {
1173 	CK_RV rv = CKR_OK;
1174 	CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY;
1175 	CK_KEY_TYPE keytype = CKK_GENERIC_SECRET;
1176 	CK_BBOOL True = TRUE;
1177 	CK_ATTRIBUTE keytemplate[4];
1178 	/*
1179 	 * We must initialize each template member individually
1180 	 * because at the time of initial coding for ON10, the
1181 	 * compiler was using the "-xc99=%none" option
1182 	 * which prevents us from being able to declare the whole
1183 	 * template in place as usual.
1184 	 */
1185 	keytemplate[0].type = CKA_CLASS;
1186 	keytemplate[0].pValue = &keyclass;
1187 	keytemplate[0].ulValueLen =  sizeof (keyclass);
1188 
1189 	keytemplate[1].type = CKA_KEY_TYPE;
1190 	keytemplate[1].pValue = &keytype;
1191 	keytemplate[1].ulValueLen =  sizeof (keytype);
1192 
1193 	keytemplate[2].type = CKA_SIGN;
1194 	keytemplate[2].pValue = &True;
1195 	keytemplate[2].ulValueLen =  sizeof (True);
1196 
1197 	keytemplate[3].type = CKA_VALUE;
1198 	keytemplate[3].pValue = passwd;
1199 	keytemplate[3].ulValueLen = passwd_len;
1200 	/*
1201 	 * Create a generic key object to be used for HMAC operations.
1202 	 * The "value" for this key is the password from the
1203 	 * mechanism parameter structure.
1204 	 */
1205 	rv = soft_gen_keyobject(keytemplate,
1206 			sizeof (keytemplate)/sizeof (CK_ATTRIBUTE),
1207 			phKey, session_p, CKO_SECRET_KEY,
1208 			(CK_KEY_TYPE)CKK_GENERIC_SECRET, 0,
1209 			SOFT_CREATE_OBJ, B_TRUE);
1210 
1211 	return (rv);
1212 }
1213 
1214 CK_RV
1215 soft_generate_pkcs5_pbkdf2_key(soft_session_t *session_p,
1216 		CK_MECHANISM_PTR pMechanism,
1217 		soft_object_t *secret_key)
1218 {
1219 	CK_RV rv = CKR_OK;
1220 	CK_PKCS5_PBKD2_PARAMS	*params =
1221 		(CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter;
1222 	CK_ULONG hLen = SHA1_HASH_SIZE;
1223 	CK_ULONG dkLen, i;
1224 	CK_ULONG blocks, remainder;
1225 	CK_OBJECT_HANDLE phKey = 0;
1226 	soft_object_t *hmac_key = NULL;
1227 	CK_BYTE *salt = NULL;
1228 	CK_BYTE *keydata = NULL;
1229 
1230 	params = (CK_PKCS5_PBKD2_PARAMS_PTR) pMechanism->pParameter;
1231 
1232 	if (params->prf != CKP_PKCS5_PBKD2_HMAC_SHA1)
1233 		return (CKR_MECHANISM_PARAM_INVALID);
1234 
1235 	if (params->pPrfData != NULL || params->ulPrfDataLen != 0)
1236 		return (CKR_DATA_INVALID);
1237 
1238 	if (params->saltSource != CKZ_SALT_SPECIFIED ||
1239 	    params->iterations == 0)
1240 		return (CKR_MECHANISM_PARAM_INVALID);
1241 
1242 	/*
1243 	 * Create a key object to use for HMAC operations.
1244 	 */
1245 	rv = soft_create_hmac_key(session_p, params->pPassword,
1246 		*params->ulPasswordLen, &phKey);
1247 
1248 	if (rv != CKR_OK)
1249 		return (rv);
1250 
1251 	hmac_key = (soft_object_t *)phKey;
1252 
1253 	/* Step 1. */
1254 	dkLen = OBJ_SEC_VALUE_LEN(secret_key);  /* length of desired key */
1255 
1256 	if (dkLen > ((((u_longlong_t)1)<<32)-1)*hLen) {
1257 		(void) soft_delete_object(session_p, hmac_key, B_FALSE);
1258 		return (CKR_KEY_SIZE_RANGE);
1259 	}
1260 
1261 	/* Step 2. */
1262 	blocks = dkLen / hLen;
1263 
1264 	/* crude "Ceiling" function to adjust the number of blocks to use */
1265 	if (blocks * hLen != dkLen)
1266 		blocks++;
1267 
1268 	remainder = dkLen - ((blocks - 1) * hLen);
1269 
1270 	/* Step 3 */
1271 	salt = (CK_BYTE *)malloc(params->ulSaltSourceDataLen + 4);
1272 	if (salt == NULL) {
1273 		(void) soft_delete_object(session_p, hmac_key, B_FALSE);
1274 		return (CKR_HOST_MEMORY);
1275 	}
1276 	/*
1277 	 * Nothing in PKCS#5 says you cannot pass an empty
1278 	 * salt, so we will allow for this and not return error
1279 	 * if the salt is not specified.
1280 	 */
1281 	if (params->pSaltSourceData != NULL &&
1282 		params->ulSaltSourceDataLen > 0)
1283 		(void) memcpy(salt, params->pSaltSourceData,
1284 			params->ulSaltSourceDataLen);
1285 
1286 	/*
1287 	 * Get pointer to the data section of the key,
1288 	 * this will be used below as output from the
1289 	 * PRF iteration/concatenations so that when the
1290 	 * blocks are all iterated, the secret_key will
1291 	 * have the resulting derived key value.
1292 	 */
1293 	keydata = (CK_BYTE *)OBJ_SEC_VALUE(secret_key);
1294 
1295 	/* Step 4. */
1296 	for (i = 0; i < blocks && (rv == CKR_OK); i++) {
1297 		CK_BYTE *s;
1298 
1299 		s = salt + params->ulSaltSourceDataLen;
1300 
1301 		/*
1302 		 * Append the block index to the salt as input
1303 		 * to the PRF.  Block index should start at 1
1304 		 * not 0.
1305 		 */
1306 		*s++ = ((i+1) >> 24) & 0xff;
1307 		*s++ = ((i+1) >> 16) & 0xff;
1308 		*s++ = ((i+1) >> 8) & 0xff;
1309 		*s   = ((i+1)) & 0xff;
1310 
1311 		/*
1312 		 * Adjust the key pointer so we always append the
1313 		 * PRF output to the current key.
1314 		 */
1315 		rv = do_prf(session_p, params, hmac_key,
1316 			salt, params->ulSaltSourceDataLen + 4,
1317 			keydata,
1318 			((i + 1) == blocks ? remainder : hLen));
1319 
1320 		keydata += hLen;
1321 	}
1322 	(void) soft_delete_object(session_p, hmac_key, B_FALSE);
1323 	free(salt);
1324 
1325 	return (rv);
1326 }
1327 
1328 CK_RV
1329 soft_wrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
1330 		soft_object_t *wrappingKey_p, soft_object_t *hkey_p,
1331 		CK_BYTE_PTR pWrappedKey, CK_ULONG_PTR pulWrappedKeyLen)
1332 {
1333 	CK_RV		rv = CKR_OK;
1334 	CK_ULONG	plain_len = 0;
1335 	CK_BYTE_PTR	plain_data = NULL;
1336 	CK_ULONG	padded_len = 0;
1337 	CK_BYTE_PTR	padded_data = NULL;
1338 	CK_ULONG	wkey_blksz = 1;		/* so modulo will work right */
1339 
1340 	/* Check if the mechanism is supported. */
1341 	switch (pMechanism->mechanism) {
1342 	case CKM_DES_CBC_PAD:
1343 	case CKM_DES3_CBC_PAD:
1344 	case CKM_AES_CBC_PAD:
1345 		/*
1346 		 * Secret key mechs with padding can be used to wrap secret
1347 		 * keys and private keys only.  See PKCS#11, * sec 11.14,
1348 		 * C_WrapKey and secs 12.* for each mechanism's wrapping/
1349 		 * unwrapping constraints.
1350 		 */
1351 		if (hkey_p->class != CKO_SECRET_KEY && hkey_p->class !=
1352 		    CKO_PRIVATE_KEY)
1353 			return (CKR_MECHANISM_INVALID);
1354 		break;
1355 	case CKM_RSA_PKCS:
1356 	case CKM_RSA_X_509:
1357 	case CKM_DES_ECB:
1358 	case CKM_DES3_ECB:
1359 	case CKM_AES_ECB:
1360 	case CKM_DES_CBC:
1361 	case CKM_DES3_CBC:
1362 	case CKM_AES_CBC:
1363 		/*
1364 		 * Unpadded secret key mechs and private key mechs are only
1365 		 * defined for wrapping secret keys.  See PKCS#11 refs above.
1366 		 */
1367 		if (hkey_p->class != CKO_SECRET_KEY)
1368 			return (CKR_MECHANISM_INVALID);
1369 		break;
1370 	default:
1371 		return (CKR_MECHANISM_INVALID);
1372 	}
1373 
1374 	if (hkey_p->class == CKO_SECRET_KEY) {
1375 		plain_data = OBJ_SEC_VALUE(hkey_p);
1376 		plain_len = OBJ_SEC_VALUE_LEN(hkey_p);
1377 	} else {
1378 		/*
1379 		 * BER-encode the object to be wrapped:  call first with
1380 		 * plain_data = NULL to get the size needed, allocate that
1381 		 * much space, call again to fill space with actual data.
1382 		 */
1383 		rv = soft_object_to_asn1(hkey_p, NULL, &plain_len);
1384 		if (rv != CKR_OK)
1385 			return (rv);
1386 		if ((plain_data = malloc(plain_len)) == NULL)
1387 			return (CKR_HOST_MEMORY);
1388 		(void) memset(plain_data, 0x0, plain_len);
1389 		rv = soft_object_to_asn1(hkey_p, plain_data, &plain_len);
1390 		if (rv != CKR_OK)
1391 			goto cleanup_wrap;
1392 	}
1393 
1394 	/*
1395 	 * For unpadded ECB and CBC mechanisms, the object needs to be
1396 	 * padded to the wrapping key's blocksize prior to the encryption.
1397 	 */
1398 	padded_len = plain_len;
1399 	padded_data = plain_data;
1400 
1401 	switch (pMechanism->mechanism) {
1402 	case CKM_DES_ECB:
1403 	case CKM_DES3_ECB:
1404 	case CKM_AES_ECB:
1405 	case CKM_DES_CBC:
1406 	case CKM_DES3_CBC:
1407 	case CKM_AES_CBC:
1408 		/* Find the block size of the wrapping key. */
1409 		if (wrappingKey_p->class == CKO_SECRET_KEY) {
1410 			switch (wrappingKey_p->key_type) {
1411 			case CKK_DES:
1412 			case CKK_DES2:
1413 			case CKK_DES3:
1414 				wkey_blksz = DES_BLOCK_LEN;
1415 				break;
1416 			case CKK_AES:
1417 				wkey_blksz = AES_BLOCK_LEN;
1418 				break;
1419 			default:
1420 				break;
1421 			}
1422 		} else {
1423 			rv = CKR_WRAPPING_KEY_TYPE_INCONSISTENT;
1424 			goto cleanup_wrap;
1425 		}
1426 
1427 		/* Extend the plain text data to block size boundary.  */
1428 		if ((padded_len % wkey_blksz) != 0) {
1429 			padded_len += (wkey_blksz - (plain_len % wkey_blksz));
1430 			if ((padded_data = malloc(padded_len)) == NULL) {
1431 				rv = CKR_HOST_MEMORY;
1432 				goto cleanup_wrap;
1433 			}
1434 			(void) memset(padded_data, 0x0, padded_len);
1435 			(void) memcpy(padded_data, plain_data, plain_len);
1436 		}
1437 		break;
1438 	default:
1439 		break;
1440 	}
1441 
1442 	rv = soft_encrypt_init(session_p, pMechanism, wrappingKey_p);
1443 	if (rv != CKR_OK)
1444 		goto cleanup_wrap;
1445 
1446 	rv = soft_encrypt(session_p, padded_data, padded_len,
1447 	    pWrappedKey, pulWrappedKeyLen);
1448 
1449 cleanup_wrap:
1450 	if (padded_data != NULL && padded_len != plain_len) {
1451 		/* Clear buffer before returning to memory pool. */
1452 		(void) memset(padded_data, 0x0, padded_len);
1453 		free(padded_data);
1454 	}
1455 
1456 	if ((hkey_p->class != CKO_SECRET_KEY) && (plain_data != NULL)) {
1457 		/* Clear buffer before returning to memory pool. */
1458 		(void) memset(plain_data, 0x0, plain_len);
1459 		free(plain_data);
1460 	}
1461 
1462 	return (rv);
1463 }
1464 
1465 /*
1466  * Quick check for whether unwrapped key length is appropriate for key type
1467  * and whether it needs to be truncated (in case the wrapping function had
1468  * to pad the key prior to wrapping).
1469  */
1470 static CK_RV
1471 soft_unwrap_secret_len_check(CK_KEY_TYPE keytype, CK_MECHANISM_TYPE mechtype,
1472 	CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount)
1473 {
1474 	CK_ULONG	i;
1475 	boolean_t	isValueLen = B_FALSE;
1476 
1477 	/*
1478 	 * Based on the key type and the mech used to unwrap, need to
1479 	 * determine if CKA_VALUE_LEN should or should not be specified.
1480 	 * PKCS#11 v2.11 restricts CKA_VALUE_LEN from being specified
1481 	 * for C_UnwrapKey for all mechs and key types, but v2.20 loosens
1482 	 * that restriction, perhaps because it makes it impossible to
1483 	 * determine the original length of unwrapped variable-length secret
1484 	 * keys, such as RC4, AES, and GENERIC_SECRET.  These variable-length
1485 	 * secret keys would have been padded with trailing null-bytes so
1486 	 * that they could be successfully wrapped with *_ECB and *_CBC
1487 	 * mechanisms.  Hence for unwrapping with these mechs, CKA_VALUE_LEN
1488 	 * must be specified.  For unwrapping with other mechs, such as
1489 	 * *_CBC_PAD, the CKA_VALUE_LEN is not needed.
1490 	 */
1491 
1492 	/* Find out if template has CKA_VALUE_LEN. */
1493 	for (i = 0; i < ulAttributeCount; i++) {
1494 		if (pTemplate[i].type == CKA_VALUE_LEN &&
1495 		    pTemplate[i].pValue != NULL) {
1496 			isValueLen = B_TRUE;
1497 			break;
1498 		    }
1499 	}
1500 
1501 	/* Does its presence  conflict with the mech type and key type? */
1502 	switch (mechtype) {
1503 	case CKM_DES_ECB:
1504 	case CKM_DES3_ECB:
1505 	case CKM_AES_ECB:
1506 	case CKM_DES_CBC:
1507 	case CKM_DES3_CBC:
1508 	case CKM_AES_CBC:
1509 		/*
1510 		 * CKA_VALUE_LEN must be specified
1511 		 * if keytype is CKK_RC4, CKK_AES and CKK_GENERIC_SECRET
1512 		 * and must not be specified otherwise
1513 		 */
1514 		switch (keytype) {
1515 		case CKK_DES:
1516 		case CKK_DES2:
1517 		case CKK_DES3:
1518 			if (isValueLen)
1519 				return (CKR_TEMPLATE_INCONSISTENT);
1520 			break;
1521 		case CKK_GENERIC_SECRET:
1522 		case CKK_RC4:
1523 		case CKK_AES:
1524 			if (!isValueLen)
1525 				return (CKR_TEMPLATE_INCOMPLETE);
1526 			break;
1527 		default:
1528 			return (CKR_FUNCTION_NOT_SUPPORTED);
1529 		}
1530 		break;
1531 	default:
1532 		/* CKA_VALUE_LEN must not be specified */
1533 		if (isValueLen)
1534 			return (CKR_TEMPLATE_INCONSISTENT);
1535 		break;
1536 	}
1537 
1538 	return (CKR_OK);
1539 }
1540 
1541 CK_RV
1542 soft_unwrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
1543 		soft_object_t *unwrappingkey_p,
1544 		CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
1545 		CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
1546 		CK_OBJECT_HANDLE_PTR phKey)
1547 {
1548 	CK_RV			rv = CKR_OK;
1549 	CK_OBJECT_CLASS		new_obj_class = ~0UL;
1550 	int			i = 0;
1551 	soft_object_t		*new_objp = NULL;
1552 	boolean_t		persistent = B_FALSE;
1553 	CK_BYTE_PTR		plain_data = NULL;
1554 	CK_ULONG		plain_len = 0;
1555 	secret_key_obj_t	*sck = NULL;
1556 
1557 	/* Scan the attribute template for the object class. */
1558 	if (pTemplate != NULL && ulAttributeCount != 0) {
1559 		for (i = 0; i < ulAttributeCount; i++) {
1560 			if (pTemplate[i].type == CKA_CLASS) {
1561 				new_obj_class =
1562 				    *((CK_OBJECT_CLASS *)pTemplate[i].pValue);
1563 				break;
1564 			}
1565 		}
1566 		if (new_obj_class == ~0UL)
1567 			return (CKR_TEMPLATE_INCOMPLETE);
1568 	}
1569 
1570 	/*
1571 	 * Check if the mechanism is supported, and now that the new
1572 	 * object's class is known, the mechanism selected should be
1573 	 * capable of doing the unwrap.
1574 	 */
1575 	switch (pMechanism->mechanism) {
1576 	case CKM_RSA_PKCS:
1577 	case CKM_RSA_X_509:
1578 	case CKM_DES_ECB:
1579 	case CKM_DES3_ECB:
1580 	case CKM_AES_ECB:
1581 	case CKM_DES_CBC:
1582 	case CKM_DES3_CBC:
1583 	case CKM_AES_CBC:
1584 		if (new_obj_class != CKO_SECRET_KEY)
1585 			return (CKR_MECHANISM_INVALID);
1586 		break;
1587 	case CKM_DES_CBC_PAD:
1588 	case CKM_DES3_CBC_PAD:
1589 	case CKM_AES_CBC_PAD:
1590 		if (new_obj_class != CKO_SECRET_KEY && new_obj_class !=
1591 		    CKO_PRIVATE_KEY)
1592 			return (CKR_MECHANISM_INVALID);
1593 		break;
1594 	default:
1595 		return (CKR_MECHANISM_INVALID);
1596 	}
1597 
1598 	/* Create a new object based on the attribute template. */
1599 	rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
1600 	    (CK_ULONG *)&new_objp, session_p, (CK_OBJECT_CLASS)~0UL,
1601 	    (CK_KEY_TYPE)~0UL, 0, SOFT_UNWRAP_KEY, B_FALSE);
1602 	if (rv != CKR_OK)
1603 		return (rv);
1604 
1605 	/*
1606 	 * New key will have CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE
1607 	 * both set to FALSE.  CKA_EXTRACTABLE will be set _by_default_ to
1608 	 * true -- leaving the possibility that it may be set FALSE by the
1609 	 * supplied attribute template.  If the precise template cannot be
1610 	 * supported, unwrap fails.  PKCS#11 spec, Sec. 11.14, C_UnwrapKey.
1611 	 *
1612 	 * Therefore, check the new object's NEVER_EXTRACTABLE_BOOL_ON and
1613 	 * ALWAYS_SENSITVE_BOOL_ON; if they are TRUE, the template must
1614 	 * have supplied them and therefore we cannot honor the unwrap.
1615 	 */
1616 	if ((new_objp->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) ||
1617 	    (new_objp->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON)) {
1618 		rv = CKR_TEMPLATE_INCONSISTENT;
1619 		goto cleanup_unwrap;
1620 	}
1621 
1622 	rv = soft_decrypt_init(session_p, pMechanism, unwrappingkey_p);
1623 	if (rv != CKR_OK)
1624 		goto cleanup_unwrap;
1625 
1626 	/* First get the length of the plain data */
1627 	rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, NULL,
1628 	    &plain_len);
1629 	if (rv != CKR_OK)
1630 		goto cleanup_unwrap;
1631 
1632 	/* Allocate space for the unwrapped data */
1633 	if ((plain_data = malloc(plain_len)) == NULL) {
1634 		rv = CKR_HOST_MEMORY;
1635 		goto cleanup_unwrap;
1636 	}
1637 	(void) memset(plain_data, 0x0, plain_len);
1638 
1639 	/* Perform actual decryption into the allocated space. */
1640 	rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, plain_data,
1641 	    &plain_len);
1642 	if (rv != CKR_OK)
1643 		goto cleanup_unwrap;
1644 
1645 	if (new_objp->class == CKO_SECRET_KEY) {
1646 		/*
1647 		 * Since no ASN.1 encoding is done for secret keys, check for
1648 		 * appropriateness and copy decrypted buffer to the key object.
1649 		 */
1650 
1651 		/* Check keytype and mechtype don't conflict with valuelen */
1652 		rv = soft_unwrap_secret_len_check(new_objp->key_type,
1653 		    pMechanism->mechanism, pTemplate, ulAttributeCount);
1654 		if (rv != CKR_OK)
1655 			goto cleanup_unwrap;
1656 
1657 		/*
1658 		 * Allocate the secret key structure if not already there;
1659 		 * it will exist for variable length keys since CKA_VALUE_LEN
1660 		 * is specified and saved, but not for fixed length keys.
1661 		 */
1662 		if (OBJ_SEC(new_objp) == NULL) {
1663 			if ((sck = calloc(1, sizeof (secret_key_obj_t))) ==
1664 			    NULL) {
1665 				rv = CKR_HOST_MEMORY;
1666 				goto cleanup_unwrap;
1667 			}
1668 			OBJ_SEC(new_objp) = sck;
1669 		}
1670 
1671 		switch (new_objp->key_type) {
1672 		/* Fixed length secret keys don't have CKA_VALUE_LEN */
1673 		case CKK_DES:
1674 			OBJ_SEC_VALUE_LEN(new_objp) = DES_KEYSIZE;
1675 			break;
1676 		case CKK_DES2:
1677 			OBJ_SEC_VALUE_LEN(new_objp) = DES2_KEYSIZE;
1678 			break;
1679 		case CKK_DES3:
1680 			OBJ_SEC_VALUE_LEN(new_objp) = DES3_KEYSIZE;
1681 			break;
1682 
1683 		/*
1684 		 * Variable length secret keys.  CKA_VALUE_LEN must be
1685 		 * provided by the template when mech is *_ECB or *_CBC, and
1686 		 * should already have been set during soft_gen_keyobject().
1687 		 * Otherwise we don't need CKA_VALUE_LEN.
1688 		 */
1689 		case CKK_GENERIC_SECRET:
1690 		case CKK_RC4:
1691 		case CKK_AES:
1692 			break;
1693 		default:
1694 			rv = CKR_WRAPPED_KEY_INVALID;
1695 			goto cleanup_unwrap;
1696 		};
1697 
1698 		if (OBJ_SEC_VALUE_LEN(new_objp) == 0) {
1699 			/* No CKA_VALUE_LEN set so set it now and save data */
1700 			OBJ_SEC_VALUE_LEN(new_objp) = plain_len;
1701 			OBJ_SEC_VALUE(new_objp) = plain_data;
1702 		} else if (OBJ_SEC_VALUE_LEN(new_objp) == plain_len) {
1703 			/* No need to truncate, just save the data */
1704 			OBJ_SEC_VALUE(new_objp) = plain_data;
1705 		} else if (OBJ_SEC_VALUE_LEN(new_objp) > plain_len) {
1706 			/* Length can't be bigger than what was decrypted */
1707 			rv = CKR_WRAPPED_KEY_LEN_RANGE;
1708 			goto cleanup_unwrap;
1709 		} else {	/* betw 0 and plain_len, hence padded */
1710 			/* Truncate the data before saving. */
1711 			OBJ_SEC_VALUE(new_objp) = realloc(plain_data,
1712 			    OBJ_SEC_VALUE_LEN(new_objp));
1713 			if (OBJ_SEC_VALUE(new_objp) == NULL) {
1714 				rv = CKR_HOST_MEMORY;
1715 				goto cleanup_unwrap;
1716 			}
1717 		}
1718 	} else {
1719 		/* BER-decode the object to be unwrapped. */
1720 		rv = soft_asn1_to_object(new_objp, plain_data, plain_len);
1721 		if (rv != CKR_OK)
1722 			goto cleanup_unwrap;
1723 	}
1724 
1725 	/* If it needs to be persistent, write it to the keystore */
1726 	if (IS_TOKEN_OBJECT(new_objp)) {
1727 		persistent = B_TRUE;
1728 		rv = soft_put_object_to_keystore(new_objp);
1729 		if (rv != CKR_OK)
1730 			goto cleanup_unwrap;
1731 	}
1732 
1733 	if (new_objp->class != CKO_SECRET_KEY) {
1734 		/* Clear buffer before returning to memory pool. */
1735 		(void) memset(plain_data, 0x0, plain_len);
1736 		free(plain_data);
1737 	}
1738 
1739 	*phKey = (CK_OBJECT_HANDLE)new_objp;
1740 
1741 	return (CKR_OK);
1742 
1743 cleanup_unwrap:
1744 	/* The decrypted private key buffer must be freed explicitly. */
1745 	if ((new_objp->class != CKO_SECRET_KEY) && (plain_data != NULL)) {
1746 		/* Clear buffer before returning to memory pool. */
1747 		(void) memset(plain_data, 0x0, plain_len);
1748 		free(plain_data);
1749 	}
1750 
1751 	/* sck and new_objp are indirectly free()d inside these functions */
1752 	if (IS_TOKEN_OBJECT(new_objp))
1753 		soft_delete_token_object(new_objp, persistent, B_FALSE);
1754 	else
1755 		soft_delete_object(session_p, new_objp, B_FALSE);
1756 
1757 	return (rv);
1758 }
1759