1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <pthread.h> 27 #include <stdlib.h> 28 #include <string.h> 29 #include <strings.h> 30 #include <sys/types.h> 31 #include <security/cryptoki.h> 32 #include <sys/crypto/common.h> 33 #include <aes_impl.h> 34 #include <blowfish_impl.h> 35 #include <des_impl.h> 36 #include <arcfour.h> 37 #include <cryptoutil.h> 38 #include "softGlobal.h" 39 #include "softSession.h" 40 #include "softObject.h" 41 #include "softDSA.h" 42 #include "softRSA.h" 43 #include "softDH.h" 44 #include "softEC.h" 45 #include "softMAC.h" 46 #include "softOps.h" 47 #include "softKeys.h" 48 #include "softKeystore.h" 49 #include "softSSL.h" 50 #include "softASN1.h" 51 52 53 #define local_min(a, b) ((a) < (b) ? (a) : (b)) 54 55 static CK_RV 56 soft_pkcs12_pbe(soft_session_t *, CK_MECHANISM_PTR, soft_object_t *); 57 58 /* 59 * Create a temporary key object struct by filling up its template attributes. 60 */ 61 CK_RV 62 soft_gen_keyobject(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, 63 CK_ULONG *objecthandle_p, soft_session_t *sp, 64 CK_OBJECT_CLASS class, CK_KEY_TYPE key_type, CK_ULONG keylen, CK_ULONG mode, 65 boolean_t internal) 66 { 67 68 CK_RV rv; 69 soft_object_t *new_objp = NULL; 70 71 new_objp = calloc(1, sizeof (soft_object_t)); 72 if (new_objp == NULL) { 73 return (CKR_HOST_MEMORY); 74 } 75 76 new_objp->extra_attrlistp = NULL; 77 78 /* 79 * Validate attribute template and fill in the attributes 80 * in the soft_object_t. 81 */ 82 rv = soft_build_key(pTemplate, ulCount, new_objp, class, key_type, 83 keylen, mode); 84 if (rv != CKR_OK) { 85 goto fail_cleanup1; 86 } 87 88 /* 89 * If generating a key is an internal request (i.e. not a C_XXX 90 * API request), then skip the following checks. 91 */ 92 if (!internal) { 93 rv = soft_pin_expired_check(new_objp); 94 if (rv != CKR_OK) { 95 goto fail_cleanup2; 96 } 97 98 rv = soft_object_write_access_check(sp, new_objp); 99 if (rv != CKR_OK) { 100 goto fail_cleanup2; 101 } 102 } 103 104 /* Initialize the rest of stuffs in soft_object_t. */ 105 (void) pthread_mutex_init(&new_objp->object_mutex, NULL); 106 new_objp->magic_marker = SOFTTOKEN_OBJECT_MAGIC; 107 108 /* Write the new token object to the keystore */ 109 if (IS_TOKEN_OBJECT(new_objp)) { 110 new_objp->version = 1; 111 new_objp->session_handle = (CK_SESSION_HANDLE)NULL; 112 soft_add_token_object_to_slot(new_objp); 113 /* 114 * Type casting the address of an object struct to 115 * an object handle. 116 */ 117 *objecthandle_p = (CK_ULONG)new_objp; 118 119 return (CKR_OK); 120 } 121 122 new_objp->session_handle = (CK_SESSION_HANDLE)sp; 123 124 /* Add the new object to the session's object list. */ 125 soft_add_object_to_session(new_objp, sp); 126 127 /* Type casting the address of an object struct to an object handle. */ 128 *objecthandle_p = (CK_ULONG)new_objp; 129 130 return (CKR_OK); 131 132 fail_cleanup2: 133 /* 134 * When any error occurs after soft_build_key(), we will need to 135 * clean up the memory allocated by the soft_build_key(). 136 */ 137 soft_cleanup_object(new_objp); 138 139 fail_cleanup1: 140 if (new_objp) { 141 /* 142 * The storage allocated inside of this object should have 143 * been cleaned up by the soft_build_key() if it failed. 144 * Therefore, we can safely free the object. 145 */ 146 free(new_objp); 147 } 148 149 return (rv); 150 } 151 152 CK_RV 153 soft_genkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 154 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey) 155 { 156 157 CK_RV rv = CKR_OK; 158 soft_object_t *secret_key; 159 CK_KEY_TYPE key_type; 160 CK_ULONG keylen = 0; 161 CK_ULONG i; 162 int des_strength = 0; 163 int retry = 0; 164 int keyfound = 0; 165 boolean_t is_ssl_mech = B_FALSE; 166 167 switch (pMechanism->mechanism) { 168 case CKM_DES_KEY_GEN: 169 key_type = CKK_DES; 170 break; 171 172 case CKM_DES2_KEY_GEN: 173 key_type = CKK_DES2; 174 break; 175 176 case CKM_DES3_KEY_GEN: 177 key_type = CKK_DES3; 178 break; 179 180 case CKM_AES_KEY_GEN: 181 key_type = CKK_AES; 182 break; 183 184 case CKM_BLOWFISH_KEY_GEN: 185 key_type = CKK_BLOWFISH; 186 break; 187 188 case CKM_RC4_KEY_GEN: 189 key_type = CKK_RC4; 190 break; 191 192 case CKM_SSL3_PRE_MASTER_KEY_GEN: 193 case CKM_TLS_PRE_MASTER_KEY_GEN: 194 if (pMechanism->pParameter == NULL || 195 pMechanism->ulParameterLen != sizeof (CK_VERSION)) 196 return (CKR_TEMPLATE_INCOMPLETE); 197 is_ssl_mech = B_TRUE; 198 key_type = CKK_GENERIC_SECRET; 199 keylen = 48; 200 break; 201 202 case CKM_PKCS5_PBKD2: 203 keyfound = 0; 204 for (i = 0; i < ulCount && !keyfound; i++) { 205 if (pTemplate[i].type == CKA_KEY_TYPE && 206 pTemplate[i].pValue != NULL) { 207 key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue); 208 keyfound = 1; 209 } 210 } 211 if (!keyfound) 212 return (CKR_TEMPLATE_INCOMPLETE); 213 /* 214 * Make sure that parameters were given for this 215 * mechanism. 216 */ 217 if (pMechanism->pParameter == NULL || 218 pMechanism->ulParameterLen != 219 sizeof (CK_PKCS5_PBKD2_PARAMS)) 220 return (CKR_TEMPLATE_INCOMPLETE); 221 break; 222 223 case CKM_PBE_SHA1_RC4_128: 224 keyfound = 0; 225 for (i = 0; i < ulCount; i++) { 226 if (pTemplate[i].type == CKA_KEY_TYPE && 227 pTemplate[i].pValue != NULL) { 228 key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue); 229 keyfound = 1; 230 } 231 if (pTemplate[i].type == CKA_VALUE_LEN && 232 pTemplate[i].pValue != NULL) { 233 keylen = *((CK_ULONG*)pTemplate[i].pValue); 234 } 235 } 236 /* If a keytype was specified, it had better be CKK_RC4 */ 237 if (keyfound && key_type != CKK_RC4) 238 return (CKR_TEMPLATE_INCONSISTENT); 239 else if (!keyfound) 240 key_type = CKK_RC4; 241 242 /* If key length was specified, it better be 16 bytes */ 243 if (keylen != 0 && keylen != 16) 244 return (CKR_TEMPLATE_INCONSISTENT); 245 246 /* 247 * Make sure that parameters were given for this 248 * mechanism. 249 */ 250 if (pMechanism->pParameter == NULL || 251 pMechanism->ulParameterLen != 252 sizeof (CK_PBE_PARAMS)) 253 return (CKR_TEMPLATE_INCOMPLETE); 254 break; 255 default: 256 return (CKR_MECHANISM_INVALID); 257 } 258 259 /* Create a new object for secret key. */ 260 rv = soft_gen_keyobject(pTemplate, ulCount, phKey, session_p, 261 CKO_SECRET_KEY, key_type, keylen, SOFT_GEN_KEY, B_FALSE); 262 263 if (rv != CKR_OK) { 264 return (rv); 265 } 266 267 /* Obtain the secret object pointer. */ 268 secret_key = (soft_object_t *)*phKey; 269 270 switch (pMechanism->mechanism) { 271 case CKM_DES_KEY_GEN: 272 /* 273 * Set up key value len since it is not a required 274 * attribute for C_GenerateKey. 275 */ 276 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE; 277 des_strength = DES; 278 break; 279 280 case CKM_DES2_KEY_GEN: 281 /* 282 * Set up key value len since it is not a required 283 * attribute for C_GenerateKey. 284 */ 285 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES2_KEYSIZE; 286 des_strength = DES2; 287 break; 288 289 case CKM_DES3_KEY_GEN: 290 /* 291 * Set up key value len since it is not a required 292 * attribute for C_GenerateKey. 293 */ 294 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE; 295 des_strength = DES3; 296 break; 297 298 case CKM_SSL3_PRE_MASTER_KEY_GEN: 299 case CKM_TLS_PRE_MASTER_KEY_GEN: 300 secret_key->bool_attr_mask |= DERIVE_BOOL_ON; 301 /* FALLTHRU */ 302 303 case CKM_AES_KEY_GEN: 304 case CKM_BLOWFISH_KEY_GEN: 305 case CKM_PBE_SHA1_RC4_128: 306 case CKM_RC4_KEY_GEN: 307 keylen = OBJ_SEC_VALUE_LEN(secret_key); 308 break; 309 310 case CKM_PKCS5_PBKD2: 311 /* 312 * PKCS#11 does not allow one to specify key 313 * sizes for DES and 3DES, so we must set it here 314 * when using PBKD2 algorithms. 315 */ 316 if (key_type == CKK_DES) { 317 OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE; 318 des_strength = DES; 319 } else if (key_type == CKK_DES3) { 320 OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE; 321 des_strength = DES3; 322 } 323 324 keylen = OBJ_SEC_VALUE_LEN(secret_key); 325 break; 326 } 327 328 if ((OBJ_SEC_VALUE(secret_key) = malloc(keylen)) == NULL) { 329 if (IS_TOKEN_OBJECT(secret_key)) 330 soft_delete_token_object(secret_key, B_FALSE, B_FALSE); 331 else 332 soft_delete_object(session_p, secret_key, 333 B_FALSE, B_FALSE); 334 335 return (CKR_HOST_MEMORY); 336 } 337 switch (pMechanism->mechanism) { 338 case CKM_PBE_SHA1_RC4_128: 339 /* 340 * Use the PBE algorithm described in PKCS#11 section 341 * 12.33 to derive the key. 342 */ 343 rv = soft_pkcs12_pbe(session_p, pMechanism, secret_key); 344 break; 345 case CKM_PKCS5_PBKD2: 346 /* Generate keys using PKCS#5 PBKD2 algorithm */ 347 rv = soft_generate_pkcs5_pbkdf2_key(session_p, pMechanism, 348 secret_key); 349 if (rv == CKR_OK && des_strength > 0) { 350 /* Perform weak key checking for DES and DES3. */ 351 if (des_keycheck(OBJ_SEC_VALUE(secret_key), 352 des_strength, OBJ_SEC_VALUE(secret_key)) == 353 B_FALSE) { 354 /* We got a weak secret key. */ 355 rv = CKR_FUNCTION_FAILED; 356 } 357 } 358 break; 359 default: 360 do { 361 /* If this fails, bail out */ 362 rv = CKR_OK; 363 if (pkcs11_get_urandom( 364 OBJ_SEC_VALUE(secret_key), keylen) < 0) { 365 rv = CKR_DEVICE_ERROR; 366 break; 367 } 368 369 /* Perform weak key checking for DES and DES3. */ 370 if (des_strength > 0) { 371 rv = CKR_OK; 372 if (des_keycheck(OBJ_SEC_VALUE(secret_key), 373 des_strength, OBJ_SEC_VALUE(secret_key)) == 374 B_FALSE) { 375 /* We got a weak key, retry! */ 376 retry++; 377 rv = CKR_FUNCTION_FAILED; 378 } 379 } 380 /* 381 * Copy over the SSL client version For SSL mechs 382 * The first two bytes of the key is the version 383 */ 384 if (is_ssl_mech) 385 bcopy(pMechanism->pParameter, 386 OBJ_SEC_VALUE(secret_key), 387 sizeof (CK_VERSION)); 388 389 } while (rv != CKR_OK && retry < KEYGEN_RETRY); 390 if (retry == KEYGEN_RETRY) 391 rv = CKR_FUNCTION_FAILED; 392 break; 393 } 394 395 if (rv != CKR_OK) 396 if (IS_TOKEN_OBJECT(secret_key)) 397 soft_delete_token_object(secret_key, B_FALSE, B_FALSE); 398 else 399 soft_delete_object(session_p, secret_key, 400 B_FALSE, B_FALSE); 401 402 if (IS_TOKEN_OBJECT(secret_key)) { 403 /* 404 * All the info has been filled, so we can write to 405 * keystore now. 406 */ 407 rv = soft_put_object_to_keystore(secret_key); 408 if (rv != CKR_OK) 409 soft_delete_token_object(secret_key, B_FALSE, B_FALSE); 410 } 411 412 return (rv); 413 } 414 415 CK_RV 416 soft_genkey_pair(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 417 CK_ATTRIBUTE_PTR pPublicKeyTemplate, CK_ULONG ulPublicAttrCount, 418 CK_ATTRIBUTE_PTR pPrivateKeyTemplate, CK_ULONG ulPrivateAttrCount, 419 CK_OBJECT_HANDLE_PTR phPublicKey, CK_OBJECT_HANDLE_PTR phPrivateKey) 420 { 421 422 CK_RV rv; 423 soft_object_t *public_key, *private_key; 424 CK_KEY_TYPE key_type; 425 426 switch (pMechanism->mechanism) { 427 428 case CKM_RSA_PKCS_KEY_PAIR_GEN: 429 key_type = CKK_RSA; 430 break; 431 432 case CKM_DSA_KEY_PAIR_GEN: 433 key_type = CKK_DSA; 434 break; 435 436 case CKM_DH_PKCS_KEY_PAIR_GEN: 437 key_type = CKK_DH; 438 break; 439 440 case CKM_EC_KEY_PAIR_GEN: 441 key_type = CKK_EC; 442 break; 443 444 default: 445 return (CKR_MECHANISM_INVALID); 446 } 447 448 /* Create a new object for public key. */ 449 rv = soft_gen_keyobject(pPublicKeyTemplate, ulPublicAttrCount, 450 phPublicKey, session_p, CKO_PUBLIC_KEY, key_type, 0, 451 SOFT_GEN_KEY, B_FALSE); 452 453 if (rv != CKR_OK) { 454 return (rv); 455 } 456 457 /* Obtain the public object pointer. */ 458 public_key = (soft_object_t *)*phPublicKey; 459 460 /* Create a new object for private key. */ 461 rv = soft_gen_keyobject(pPrivateKeyTemplate, ulPrivateAttrCount, 462 phPrivateKey, session_p, CKO_PRIVATE_KEY, key_type, 0, 463 SOFT_GEN_KEY, B_FALSE); 464 465 if (rv != CKR_OK) { 466 /* 467 * Both public key and private key must be successful. 468 */ 469 if (IS_TOKEN_OBJECT(public_key)) 470 soft_delete_token_object(public_key, B_FALSE, B_FALSE); 471 else 472 soft_delete_object(session_p, public_key, 473 B_FALSE, B_FALSE); 474 return (rv); 475 } 476 477 /* Obtain the private object pointer. */ 478 private_key = (soft_object_t *)*phPrivateKey; 479 480 /* 481 * At this point, both public key and private key objects 482 * are settled with the application specified attributes. 483 * We are ready to generate the rest of key attributes based 484 * on the existing attributes. 485 */ 486 487 switch (key_type) { 488 case CKK_RSA: 489 rv = soft_rsa_genkey_pair(public_key, private_key); 490 break; 491 492 case CKK_DSA: 493 rv = soft_dsa_genkey_pair(public_key, private_key); 494 break; 495 496 case CKK_DH: 497 rv = soft_dh_genkey_pair(public_key, private_key); 498 private_key->bool_attr_mask |= DERIVE_BOOL_ON; 499 break; 500 case CKK_EC: 501 rv = soft_ec_genkey_pair(public_key, private_key); 502 private_key->bool_attr_mask |= DERIVE_BOOL_ON; 503 break; 504 } 505 506 if (rv != CKR_OK) { 507 if (IS_TOKEN_OBJECT(public_key)) { 508 soft_delete_token_object(public_key, B_FALSE, B_FALSE); 509 soft_delete_token_object(private_key, B_FALSE, B_FALSE); 510 } else { 511 soft_delete_object(session_p, public_key, 512 B_FALSE, B_FALSE); 513 soft_delete_object(session_p, private_key, 514 B_FALSE, B_FALSE); 515 } 516 } 517 518 if (IS_TOKEN_OBJECT(public_key)) { 519 /* 520 * All the info has been filled, so we can write to 521 * keystore now. 522 */ 523 rv = soft_put_object_to_keystore(public_key); 524 if (rv != CKR_OK) { 525 soft_delete_token_object(public_key, B_FALSE, B_FALSE); 526 soft_delete_token_object(private_key, B_FALSE, B_FALSE); 527 } 528 } 529 530 if (IS_TOKEN_OBJECT(private_key)) { 531 rv = soft_put_object_to_keystore(private_key); 532 if (rv != CKR_OK) { 533 /* 534 * We also need to delete the public token object 535 * from keystore. 536 */ 537 soft_delete_token_object(public_key, B_TRUE, B_FALSE); 538 soft_delete_token_object(private_key, B_FALSE, B_FALSE); 539 } 540 } 541 542 return (rv); 543 } 544 545 546 CK_RV 547 soft_key_derive_check_length(soft_object_t *secret_key, CK_ULONG max_keylen) 548 { 549 550 switch (secret_key->key_type) { 551 case CKK_GENERIC_SECRET: 552 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) { 553 OBJ_SEC_VALUE_LEN(secret_key) = max_keylen; 554 return (CKR_OK); 555 } else if (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen) { 556 return (CKR_ATTRIBUTE_VALUE_INVALID); 557 } 558 break; 559 case CKK_RC4: 560 case CKK_AES: 561 case CKK_BLOWFISH: 562 if ((OBJ_SEC_VALUE_LEN(secret_key) == 0) || 563 (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen)) { 564 /* RC4 and AES has variable key length */ 565 return (CKR_ATTRIBUTE_VALUE_INVALID); 566 } 567 break; 568 case CKK_DES: 569 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) { 570 /* DES has a well-defined length */ 571 OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE; 572 return (CKR_OK); 573 } else if (OBJ_SEC_VALUE_LEN(secret_key) != DES_KEYSIZE) { 574 return (CKR_ATTRIBUTE_VALUE_INVALID); 575 } 576 break; 577 case CKK_DES2: 578 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) { 579 /* DES2 has a well-defined length */ 580 OBJ_SEC_VALUE_LEN(secret_key) = DES2_KEYSIZE; 581 return (CKR_OK); 582 } else if (OBJ_SEC_VALUE_LEN(secret_key) != DES2_KEYSIZE) { 583 return (CKR_ATTRIBUTE_VALUE_INVALID); 584 } 585 break; 586 587 default: 588 return (CKR_MECHANISM_INVALID); 589 } 590 591 return (CKR_OK); 592 } 593 594 /* 595 * PKCS#11 (12.33) says that v = 512 bits (64 bytes) for SHA1 596 * PBE methods. 597 */ 598 #define PKCS12_BUFFER_SIZE 64 599 /* 600 * PKCS#12 defines 3 different ID bytes to be used for 601 * deriving keys for different operations. 602 */ 603 #define PBE_ID_ENCRYPT 1 604 #define PBE_ID_IV 2 605 #define PBE_ID_MAC 3 606 #define PBE_CEIL(a, b) (((a)/(b)) + (((a)%(b)) > 0)) 607 608 static CK_RV 609 soft_pkcs12_pbe(soft_session_t *session_p, 610 CK_MECHANISM_PTR pMechanism, 611 soft_object_t *derived_key) 612 { 613 CK_RV rv = CKR_OK; 614 CK_PBE_PARAMS *params = pMechanism->pParameter; 615 CK_ULONG c, i, j, k; 616 CK_ULONG hashSize; 617 CK_ULONG buffSize; 618 /* 619 * Terse variable names are used to make following 620 * the PKCS#12 spec easier. 621 */ 622 CK_BYTE *A = NULL; 623 CK_BYTE *Ai = NULL; 624 CK_BYTE *B = NULL; 625 CK_BYTE *D = NULL; 626 CK_BYTE *I = NULL, *S, *P; 627 CK_BYTE *keybuf = NULL; 628 CK_ULONG Alen, Ilen, Slen, Plen, AiLen, Blen, Dlen; 629 CK_ULONG keysize = OBJ_SEC_VALUE_LEN(derived_key); 630 CK_MECHANISM digest_mech; 631 632 /* U = hash function output bits */ 633 if (pMechanism->mechanism == CKM_PBE_SHA1_RC4_128) { 634 hashSize = SHA1_HASH_SIZE; 635 buffSize = PKCS12_BUFFER_SIZE; 636 digest_mech.mechanism = CKM_SHA_1; 637 digest_mech.pParameter = NULL; 638 digest_mech.ulParameterLen = 0; 639 } else { 640 /* we only support 1 PBE mech for now */ 641 return (CKR_MECHANISM_INVALID); 642 } 643 keybuf = OBJ_SEC_VALUE(derived_key); 644 645 Blen = Dlen = buffSize; 646 D = (CK_BYTE *)malloc(Dlen); 647 if (D == NULL) { 648 rv = CKR_HOST_MEMORY; 649 goto cleanup; 650 } 651 652 B = (CK_BYTE *)malloc(Blen); 653 if (B == NULL) { 654 rv = CKR_HOST_MEMORY; 655 goto cleanup; 656 } 657 658 /* 659 * Initialize some values and create some buffers 660 * that we need later. 661 * 662 * Slen = buffSize * CEIL(SaltLength/buffSize) 663 */ 664 Slen = buffSize * PBE_CEIL(params->ulSaltLen, buffSize); 665 666 /* 667 * Plen = buffSize * CEIL(PasswordLength/buffSize) 668 */ 669 Plen = buffSize * PBE_CEIL(params->ulPasswordLen, buffSize); 670 671 /* 672 * From step 4: I = S + P, so: Ilen = Slen + Plen 673 */ 674 Ilen = Slen + Plen; 675 I = (CK_BYTE *)malloc(Ilen); 676 if (I == NULL) { 677 rv = CKR_HOST_MEMORY; 678 goto cleanup; 679 } 680 681 S = I; 682 P = I + Slen; 683 684 /* 685 * Step 1. 686 * We are only interested in deriving keys for encrypt/decrypt 687 * for now, so construct the "D"iversifier accordingly. 688 */ 689 (void) memset(D, PBE_ID_ENCRYPT, Dlen); 690 691 /* 692 * Step 2. 693 * Concatenate copies of the salt together to make S. 694 */ 695 for (i = 0; i < Slen; i += params->ulSaltLen) { 696 (void) memcpy(S+i, params->pSalt, 697 ((Slen - i) > params->ulSaltLen ? 698 params->ulSaltLen : (Slen - i))); 699 } 700 701 /* 702 * Step 3. 703 * Concatenate copies of the password together to make 704 * a string P. 705 */ 706 for (i = 0; i < Plen; i += params->ulPasswordLen) { 707 (void) memcpy(P+i, params->pPassword, 708 ((Plen - i) > params->ulPasswordLen ? 709 params->ulPasswordLen : (Plen - i))); 710 } 711 712 /* 713 * Step 4. 714 * I = S+P - this is now done because S and P are 715 * pointers into I. 716 * 717 * Step 5. 718 * c= CEIL[n/u] 719 * where n = pseudorandom bits of output desired. 720 */ 721 c = PBE_CEIL(keysize, hashSize); 722 723 /* 724 * Step 6. 725 */ 726 Alen = c * hashSize; 727 A = (CK_BYTE *)malloc(Alen); 728 if (A == NULL) { 729 rv = CKR_HOST_MEMORY; 730 goto cleanup; 731 } 732 AiLen = hashSize; 733 Ai = (CK_BYTE *)malloc(AiLen); 734 if (Ai == NULL) { 735 rv = CKR_HOST_MEMORY; 736 goto cleanup; 737 } 738 739 /* 740 * Step 6a. 741 * Ai = Hr(D+I) 742 */ 743 for (i = 0; i < c; i++) { 744 (void) pthread_mutex_lock(&session_p->session_mutex); 745 746 if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) { 747 (void) pthread_mutex_unlock(&session_p->session_mutex); 748 rv = CKR_OPERATION_ACTIVE; 749 goto cleanup; 750 } 751 session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE; 752 (void) pthread_mutex_unlock(&session_p->session_mutex); 753 754 for (j = 0; j < params->ulIteration; j++) { 755 rv = soft_digest_init(session_p, &digest_mech); 756 if (rv != CKR_OK) 757 goto digest_done; 758 759 if (j == 0) { 760 rv = soft_digest_update(session_p, D, Dlen); 761 if (rv != CKR_OK) 762 goto digest_done; 763 764 rv = soft_digest_update(session_p, I, Ilen); 765 } else { 766 rv = soft_digest_update(session_p, Ai, AiLen); 767 } 768 if (rv != CKR_OK) 769 goto digest_done; 770 771 rv = soft_digest_final(session_p, Ai, &AiLen); 772 if (rv != CKR_OK) 773 goto digest_done; 774 } 775 digest_done: 776 (void) pthread_mutex_lock(&session_p->session_mutex); 777 session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE; 778 (void) pthread_mutex_unlock(&session_p->session_mutex); 779 780 if (rv != CKR_OK) 781 goto cleanup; 782 /* 783 * Step 6b. 784 * Concatenate Ai to make B 785 */ 786 for (j = 0; j < Blen; j += hashSize) { 787 (void) memcpy(B+j, Ai, ((Blen - j > hashSize) ? 788 hashSize : Blen - j)); 789 } 790 791 /* 792 * Step 6c. 793 */ 794 k = Ilen / Blen; 795 for (j = 0; j < k; j++) { 796 uchar_t idx; 797 CK_ULONG m, q = 1, cbit = 0; 798 799 for (m = Blen - 1; m >= (CK_ULONG)0; m--, q = 0) { 800 idx = m + j*Blen; 801 802 q += (CK_ULONG)I[idx] + (CK_ULONG)B[m]; 803 q += cbit; 804 I[idx] = (CK_BYTE)(q & 0xff); 805 cbit = (q > 0xff); 806 } 807 } 808 809 /* 810 * Step 7. 811 * A += Ai 812 */ 813 (void) memcpy(A + i*hashSize, Ai, AiLen); 814 } 815 816 /* 817 * Step 8. 818 * The final output of this process is the A buffer 819 */ 820 (void) memcpy(keybuf, A, keysize); 821 822 cleanup: 823 if (A) { 824 bzero(A, Alen); 825 free(A); 826 } 827 if (Ai) { 828 bzero(Ai, AiLen); 829 free(Ai); 830 } 831 if (B) { 832 bzero(B, Blen); 833 free(B); 834 } 835 if (D) { 836 bzero(D, Dlen); 837 free(D); 838 } 839 if (I) { 840 bzero(I, Ilen); 841 free(I); 842 } 843 return (rv); 844 } 845 846 CK_RV 847 soft_derivekey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 848 soft_object_t *basekey_p, CK_ATTRIBUTE_PTR pTemplate, 849 CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey) 850 { 851 852 CK_RV rv = CKR_OK; 853 soft_object_t *secret_key; 854 CK_MECHANISM digest_mech; 855 CK_BYTE hash[SHA512_DIGEST_LENGTH]; /* space enough for all mechs */ 856 CK_ULONG hash_len = SHA512_DIGEST_LENGTH; 857 CK_ULONG secret_key_len; 858 CK_ULONG hash_size; 859 860 switch (pMechanism->mechanism) { 861 case CKM_DH_PKCS_DERIVE: 862 /* 863 * Create a new object for secret key. The key type should 864 * be provided in the template. 865 */ 866 rv = soft_gen_keyobject(pTemplate, ulAttributeCount, 867 phKey, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL, 0, 868 SOFT_DERIVE_KEY_DH, B_FALSE); 869 870 if (rv != CKR_OK) { 871 return (rv); 872 } 873 874 /* Obtain the secret object pointer. */ 875 secret_key = (soft_object_t *)*phKey; 876 877 rv = soft_dh_key_derive(basekey_p, secret_key, 878 (CK_BYTE *)pMechanism->pParameter, 879 pMechanism->ulParameterLen); 880 881 if (rv != CKR_OK) { 882 if (IS_TOKEN_OBJECT(secret_key)) 883 soft_delete_token_object(secret_key, B_FALSE, 884 B_FALSE); 885 else 886 soft_delete_object(session_p, secret_key, 887 B_FALSE, B_FALSE); 888 return (rv); 889 } 890 891 break; 892 893 case CKM_ECDH1_DERIVE: 894 /* 895 * Create a new object for secret key. The key type should 896 * be provided in the template. 897 */ 898 rv = soft_gen_keyobject(pTemplate, ulAttributeCount, 899 phKey, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL, 0, 900 SOFT_DERIVE_KEY_DH, B_FALSE); 901 902 if (rv != CKR_OK) { 903 return (rv); 904 } 905 906 /* Obtain the secret object pointer. */ 907 secret_key = (soft_object_t *)*phKey; 908 909 rv = soft_ec_key_derive(basekey_p, secret_key, 910 (CK_BYTE *)pMechanism->pParameter, 911 pMechanism->ulParameterLen); 912 913 if (rv != CKR_OK) { 914 if (IS_TOKEN_OBJECT(secret_key)) 915 soft_delete_token_object(secret_key, B_FALSE, 916 B_FALSE); 917 else 918 soft_delete_object(session_p, secret_key, 919 B_FALSE, B_FALSE); 920 return (rv); 921 } 922 923 break; 924 925 case CKM_SHA1_KEY_DERIVATION: 926 hash_size = SHA1_HASH_SIZE; 927 digest_mech.mechanism = CKM_SHA_1; 928 goto common; 929 930 case CKM_MD5_KEY_DERIVATION: 931 hash_size = MD5_HASH_SIZE; 932 digest_mech.mechanism = CKM_MD5; 933 goto common; 934 935 case CKM_SHA256_KEY_DERIVATION: 936 hash_size = SHA256_DIGEST_LENGTH; 937 digest_mech.mechanism = CKM_SHA256; 938 goto common; 939 940 case CKM_SHA384_KEY_DERIVATION: 941 hash_size = SHA384_DIGEST_LENGTH; 942 digest_mech.mechanism = CKM_SHA384; 943 goto common; 944 945 case CKM_SHA512_KEY_DERIVATION: 946 hash_size = SHA512_DIGEST_LENGTH; 947 digest_mech.mechanism = CKM_SHA512; 948 goto common; 949 950 common: 951 /* 952 * Create a new object for secret key. The key type is optional 953 * to be provided in the template. If it is not specified in 954 * the template, the default is CKK_GENERIC_SECRET. 955 */ 956 rv = soft_gen_keyobject(pTemplate, ulAttributeCount, 957 phKey, session_p, CKO_SECRET_KEY, 958 (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0, 959 SOFT_DERIVE_KEY_OTHER, B_FALSE); 960 961 if (rv != CKR_OK) { 962 return (rv); 963 } 964 965 /* Obtain the secret object pointer. */ 966 secret_key = (soft_object_t *)*phKey; 967 968 /* Validate the key type and key length */ 969 rv = soft_key_derive_check_length(secret_key, hash_size); 970 if (rv != CKR_OK) { 971 if (IS_TOKEN_OBJECT(secret_key)) 972 soft_delete_token_object(secret_key, B_FALSE, 973 B_FALSE); 974 else 975 soft_delete_object(session_p, secret_key, 976 B_FALSE, B_FALSE); 977 return (rv); 978 } 979 980 /* 981 * Derive the secret key by digesting the value of another 982 * secret key (base key) with SHA-1 or MD5. 983 */ 984 rv = soft_digest_init_internal(session_p, &digest_mech); 985 if (rv != CKR_OK) { 986 if (IS_TOKEN_OBJECT(secret_key)) 987 soft_delete_token_object(secret_key, B_FALSE, 988 B_FALSE); 989 else 990 soft_delete_object(session_p, secret_key, 991 B_FALSE, B_FALSE); 992 return (rv); 993 } 994 995 rv = soft_digest(session_p, OBJ_SEC_VALUE(basekey_p), 996 OBJ_SEC_VALUE_LEN(basekey_p), hash, &hash_len); 997 998 (void) pthread_mutex_lock(&session_p->session_mutex); 999 /* soft_digest_common() has freed the digest context */ 1000 session_p->digest.flags = 0; 1001 (void) pthread_mutex_unlock(&session_p->session_mutex); 1002 1003 if (rv != CKR_OK) { 1004 if (IS_TOKEN_OBJECT(secret_key)) 1005 soft_delete_token_object(secret_key, B_FALSE, 1006 B_FALSE); 1007 else 1008 soft_delete_object(session_p, secret_key, 1009 B_FALSE, B_FALSE); 1010 return (rv); 1011 } 1012 1013 secret_key_len = OBJ_SEC_VALUE_LEN(secret_key); 1014 1015 if ((OBJ_SEC_VALUE(secret_key) = malloc(secret_key_len)) == 1016 NULL) { 1017 if (IS_TOKEN_OBJECT(secret_key)) 1018 soft_delete_token_object(secret_key, B_FALSE, 1019 B_FALSE); 1020 else 1021 soft_delete_object(session_p, secret_key, 1022 B_FALSE, B_FALSE); 1023 return (CKR_HOST_MEMORY); 1024 } 1025 1026 /* 1027 * The key produced by this mechanism will be of the 1028 * specified type and length. 1029 * The truncation removes extra bytes from the leading 1030 * of the digested key value. 1031 */ 1032 (void) memcpy(OBJ_SEC_VALUE(secret_key), 1033 (hash + hash_len - secret_key_len), 1034 secret_key_len); 1035 1036 break; 1037 1038 /* 1039 * The key sensitivity and extractability rules for the generated 1040 * keys will be enforced inside soft_ssl_master_key_derive() and 1041 * soft_ssl_key_and_mac_derive() 1042 */ 1043 case CKM_SSL3_MASTER_KEY_DERIVE: 1044 case CKM_SSL3_MASTER_KEY_DERIVE_DH: 1045 case CKM_TLS_MASTER_KEY_DERIVE: 1046 case CKM_TLS_MASTER_KEY_DERIVE_DH: 1047 if (phKey == NULL_PTR) 1048 return (CKR_ARGUMENTS_BAD); 1049 return (soft_ssl_master_key_derive(session_p, pMechanism, 1050 basekey_p, pTemplate, ulAttributeCount, phKey)); 1051 1052 case CKM_SSL3_KEY_AND_MAC_DERIVE: 1053 case CKM_TLS_KEY_AND_MAC_DERIVE: 1054 return (soft_ssl_key_and_mac_derive(session_p, pMechanism, 1055 basekey_p, pTemplate, ulAttributeCount)); 1056 1057 case CKM_TLS_PRF: 1058 if (pMechanism->pParameter == NULL || 1059 pMechanism->ulParameterLen != sizeof (CK_TLS_PRF_PARAMS) || 1060 phKey != NULL) 1061 return (CKR_ARGUMENTS_BAD); 1062 1063 if (pTemplate != NULL) 1064 return (CKR_TEMPLATE_INCONSISTENT); 1065 1066 return (derive_tls_prf( 1067 (CK_TLS_PRF_PARAMS_PTR)pMechanism->pParameter, basekey_p)); 1068 1069 default: 1070 return (CKR_MECHANISM_INVALID); 1071 } 1072 1073 soft_derive_enforce_flags(basekey_p, secret_key); 1074 1075 if (IS_TOKEN_OBJECT(secret_key)) { 1076 /* 1077 * All the info has been filled, so we can write to 1078 * keystore now. 1079 */ 1080 rv = soft_put_object_to_keystore(secret_key); 1081 if (rv != CKR_OK) 1082 soft_delete_token_object(secret_key, B_FALSE, B_FALSE); 1083 } 1084 1085 return (rv); 1086 } 1087 1088 1089 /* 1090 * Perform key derivation rules on key's sensitivity and extractability. 1091 */ 1092 void 1093 soft_derive_enforce_flags(soft_object_t *basekey, soft_object_t *newkey) 1094 { 1095 1096 boolean_t new_sensitive = B_FALSE; 1097 boolean_t new_extractable = B_FALSE; 1098 1099 /* 1100 * The sensitive and extractable bits have been set when 1101 * the newkey was built. 1102 */ 1103 if (newkey->bool_attr_mask & SENSITIVE_BOOL_ON) { 1104 new_sensitive = B_TRUE; 1105 } 1106 1107 if (newkey->bool_attr_mask & EXTRACTABLE_BOOL_ON) { 1108 new_extractable = B_TRUE; 1109 } 1110 1111 /* Derive the CKA_ALWAYS_SENSITIVE flag */ 1112 if (!basekey->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON) { 1113 /* 1114 * If the base key has its CKA_ALWAYS_SENSITIVE set to 1115 * FALSE, then the derived key will as well. 1116 */ 1117 newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON; 1118 } else { 1119 /* 1120 * If the base key has its CKA_ALWAYS_SENSITIVE set to TRUE, 1121 * then the derived key has the CKA_ALWAYS_SENSITIVE set to 1122 * the same value as its CKA_SENSITIVE; 1123 */ 1124 if (new_sensitive) { 1125 newkey->bool_attr_mask |= ALWAYS_SENSITIVE_BOOL_ON; 1126 } else { 1127 newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON; 1128 } 1129 } 1130 1131 /* Derive the CKA_NEVER_EXTRACTABLE flag */ 1132 if (!basekey->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) { 1133 /* 1134 * If the base key has its CKA_NEVER_EXTRACTABLE set to 1135 * FALSE, then the derived key will as well. 1136 */ 1137 newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON; 1138 } else { 1139 /* 1140 * If the base key has its CKA_NEVER_EXTRACTABLE set to TRUE, 1141 * then the derived key has the CKA_NEVER_EXTRACTABLE set to 1142 * the opposite value from its CKA_EXTRACTABLE; 1143 */ 1144 if (new_extractable) { 1145 newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON; 1146 } else { 1147 newkey->bool_attr_mask |= NEVER_EXTRACTABLE_BOOL_ON; 1148 } 1149 } 1150 1151 /* Set the CKA_LOCAL flag to false */ 1152 newkey->bool_attr_mask &= ~LOCAL_BOOL_ON; 1153 } 1154 1155 1156 /* 1157 * do_prf 1158 * 1159 * This routine implements Step 3. of the PBKDF2 function 1160 * defined in PKCS#5 for generating derived keys from a 1161 * password. 1162 * 1163 * Currently, PRF is always SHA_1_HMAC. 1164 */ 1165 static CK_RV 1166 do_prf(soft_session_t *session_p, 1167 CK_PKCS5_PBKD2_PARAMS_PTR params, 1168 soft_object_t *hmac_key, 1169 CK_BYTE *newsalt, CK_ULONG saltlen, 1170 CK_BYTE *blockdata, CK_ULONG blocklen) 1171 { 1172 CK_RV rv = CKR_OK; 1173 CK_MECHANISM digest_mech = {CKM_SHA_1_HMAC, NULL, 0}; 1174 CK_BYTE buffer[2][SHA1_HASH_SIZE]; 1175 CK_ULONG hmac_outlen = SHA1_HASH_SIZE; 1176 CK_ULONG inlen; 1177 CK_BYTE *input, *output; 1178 CK_ULONG i, j; 1179 1180 input = newsalt; 1181 inlen = saltlen; 1182 1183 output = buffer[1]; 1184 (void) pthread_mutex_lock(&session_p->session_mutex); 1185 1186 if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) { 1187 (void) pthread_mutex_unlock(&session_p->session_mutex); 1188 return (CKR_OPERATION_ACTIVE); 1189 } 1190 session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE; 1191 (void) pthread_mutex_unlock(&session_p->session_mutex); 1192 1193 for (i = 0; i < params->iterations; i++) { 1194 /* 1195 * The key doesn't change, its always the 1196 * password iniitally given. 1197 */ 1198 rv = soft_sign_init(session_p, &digest_mech, hmac_key); 1199 1200 if (rv != CKR_OK) { 1201 goto cleanup; 1202 } 1203 1204 /* Call PRF function (SHA1_HMAC for now). */ 1205 rv = soft_sign(session_p, input, inlen, output, &hmac_outlen); 1206 1207 if (rv != CKR_OK) { 1208 goto cleanup; 1209 } 1210 /* 1211 * The first time, initialize the output buffer 1212 * with the HMAC signature. 1213 */ 1214 if (i == 0) { 1215 (void) memcpy(blockdata, output, 1216 local_min(blocklen, hmac_outlen)); 1217 } else { 1218 /* 1219 * XOR the existing data with output from PRF. 1220 * 1221 * Only XOR up to the length of the blockdata, 1222 * it may be less than a full hmac buffer when 1223 * the final block is being computed. 1224 */ 1225 for (j = 0; j < hmac_outlen && j < blocklen; j++) 1226 blockdata[j] ^= output[j]; 1227 } 1228 /* Output from previous PRF is input for next round */ 1229 input = output; 1230 inlen = hmac_outlen; 1231 1232 /* 1233 * Switch buffers to avoid overuse of memcpy. 1234 * Initially we used buffer[1], so after the end of 1235 * the first iteration (i==0), we switch to buffer[0] 1236 * and continue swapping with each iteration. 1237 */ 1238 output = buffer[i%2]; 1239 } 1240 cleanup: 1241 (void) pthread_mutex_lock(&session_p->session_mutex); 1242 session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE; 1243 (void) pthread_mutex_unlock(&session_p->session_mutex); 1244 1245 return (rv); 1246 } 1247 1248 static CK_RV 1249 soft_create_hmac_key(soft_session_t *session_p, CK_BYTE *passwd, 1250 CK_ULONG passwd_len, CK_OBJECT_HANDLE_PTR phKey) 1251 { 1252 CK_RV rv = CKR_OK; 1253 CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY; 1254 CK_KEY_TYPE keytype = CKK_GENERIC_SECRET; 1255 CK_BBOOL True = TRUE; 1256 CK_ATTRIBUTE keytemplate[4]; 1257 /* 1258 * We must initialize each template member individually 1259 * because at the time of initial coding for ON10, the 1260 * compiler was using the "-xc99=%none" option 1261 * which prevents us from being able to declare the whole 1262 * template in place as usual. 1263 */ 1264 keytemplate[0].type = CKA_CLASS; 1265 keytemplate[0].pValue = &keyclass; 1266 keytemplate[0].ulValueLen = sizeof (keyclass); 1267 1268 keytemplate[1].type = CKA_KEY_TYPE; 1269 keytemplate[1].pValue = &keytype; 1270 keytemplate[1].ulValueLen = sizeof (keytype); 1271 1272 keytemplate[2].type = CKA_SIGN; 1273 keytemplate[2].pValue = &True; 1274 keytemplate[2].ulValueLen = sizeof (True); 1275 1276 keytemplate[3].type = CKA_VALUE; 1277 keytemplate[3].pValue = passwd; 1278 keytemplate[3].ulValueLen = passwd_len; 1279 /* 1280 * Create a generic key object to be used for HMAC operations. 1281 * The "value" for this key is the password from the 1282 * mechanism parameter structure. 1283 */ 1284 rv = soft_gen_keyobject(keytemplate, 1285 sizeof (keytemplate)/sizeof (CK_ATTRIBUTE), phKey, session_p, 1286 CKO_SECRET_KEY, (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0, 1287 SOFT_CREATE_OBJ, B_TRUE); 1288 1289 return (rv); 1290 } 1291 1292 CK_RV 1293 soft_generate_pkcs5_pbkdf2_key(soft_session_t *session_p, 1294 CK_MECHANISM_PTR pMechanism, 1295 soft_object_t *secret_key) 1296 { 1297 CK_RV rv = CKR_OK; 1298 CK_PKCS5_PBKD2_PARAMS *params = 1299 (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter; 1300 CK_ULONG hLen = SHA1_HASH_SIZE; 1301 CK_ULONG dkLen, i; 1302 CK_ULONG blocks, remainder; 1303 CK_OBJECT_HANDLE phKey = 0; 1304 soft_object_t *hmac_key = NULL; 1305 CK_BYTE *salt = NULL; 1306 CK_BYTE *keydata = NULL; 1307 1308 params = (CK_PKCS5_PBKD2_PARAMS_PTR) pMechanism->pParameter; 1309 1310 if (params->prf != CKP_PKCS5_PBKD2_HMAC_SHA1) 1311 return (CKR_MECHANISM_PARAM_INVALID); 1312 1313 if (params->pPrfData != NULL || params->ulPrfDataLen != 0) 1314 return (CKR_DATA_INVALID); 1315 1316 if (params->saltSource != CKZ_SALT_SPECIFIED || 1317 params->iterations == 0) 1318 return (CKR_MECHANISM_PARAM_INVALID); 1319 1320 /* 1321 * Create a key object to use for HMAC operations. 1322 */ 1323 rv = soft_create_hmac_key(session_p, params->pPassword, 1324 *params->ulPasswordLen, &phKey); 1325 1326 if (rv != CKR_OK) 1327 return (rv); 1328 1329 hmac_key = (soft_object_t *)phKey; 1330 1331 /* Step 1. */ 1332 dkLen = OBJ_SEC_VALUE_LEN(secret_key); /* length of desired key */ 1333 1334 if (dkLen > ((((u_longlong_t)1)<<32)-1)*hLen) { 1335 (void) soft_delete_object(session_p, hmac_key, B_FALSE, 1336 B_FALSE); 1337 return (CKR_KEY_SIZE_RANGE); 1338 } 1339 1340 /* Step 2. */ 1341 blocks = dkLen / hLen; 1342 1343 /* crude "Ceiling" function to adjust the number of blocks to use */ 1344 if (blocks * hLen != dkLen) 1345 blocks++; 1346 1347 remainder = dkLen - ((blocks - 1) * hLen); 1348 1349 /* Step 3 */ 1350 salt = (CK_BYTE *)malloc(params->ulSaltSourceDataLen + 4); 1351 if (salt == NULL) { 1352 (void) soft_delete_object(session_p, hmac_key, B_FALSE, 1353 B_FALSE); 1354 return (CKR_HOST_MEMORY); 1355 } 1356 /* 1357 * Nothing in PKCS#5 says you cannot pass an empty 1358 * salt, so we will allow for this and not return error 1359 * if the salt is not specified. 1360 */ 1361 if (params->pSaltSourceData != NULL && params->ulSaltSourceDataLen > 0) 1362 (void) memcpy(salt, params->pSaltSourceData, 1363 params->ulSaltSourceDataLen); 1364 1365 /* 1366 * Get pointer to the data section of the key, 1367 * this will be used below as output from the 1368 * PRF iteration/concatenations so that when the 1369 * blocks are all iterated, the secret_key will 1370 * have the resulting derived key value. 1371 */ 1372 keydata = (CK_BYTE *)OBJ_SEC_VALUE(secret_key); 1373 1374 /* Step 4. */ 1375 for (i = 0; i < blocks && (rv == CKR_OK); i++) { 1376 CK_BYTE *s; 1377 1378 s = salt + params->ulSaltSourceDataLen; 1379 1380 /* 1381 * Append the block index to the salt as input 1382 * to the PRF. Block index should start at 1 1383 * not 0. 1384 */ 1385 *s++ = ((i+1) >> 24) & 0xff; 1386 *s++ = ((i+1) >> 16) & 0xff; 1387 *s++ = ((i+1) >> 8) & 0xff; 1388 *s = ((i+1)) & 0xff; 1389 1390 /* 1391 * Adjust the key pointer so we always append the 1392 * PRF output to the current key. 1393 */ 1394 rv = do_prf(session_p, params, hmac_key, 1395 salt, params->ulSaltSourceDataLen + 4, keydata, 1396 ((i + 1) == blocks ? remainder : hLen)); 1397 1398 keydata += hLen; 1399 } 1400 (void) soft_delete_object(session_p, hmac_key, B_FALSE, B_FALSE); 1401 free(salt); 1402 1403 return (rv); 1404 } 1405 1406 CK_RV 1407 soft_wrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 1408 soft_object_t *wrappingKey_p, soft_object_t *hkey_p, 1409 CK_BYTE_PTR pWrappedKey, CK_ULONG_PTR pulWrappedKeyLen) 1410 { 1411 CK_RV rv = CKR_OK; 1412 CK_ULONG plain_len = 0; 1413 CK_BYTE_PTR plain_data = NULL; 1414 CK_ULONG padded_len = 0; 1415 CK_BYTE_PTR padded_data = NULL; 1416 CK_ULONG wkey_blksz = 1; /* so modulo will work right */ 1417 1418 /* Check if the mechanism is supported. */ 1419 switch (pMechanism->mechanism) { 1420 case CKM_DES_CBC_PAD: 1421 case CKM_DES3_CBC_PAD: 1422 case CKM_AES_CBC_PAD: 1423 /* 1424 * Secret key mechs with padding can be used to wrap secret 1425 * keys and private keys only. See PKCS#11, * sec 11.14, 1426 * C_WrapKey and secs 12.* for each mechanism's wrapping/ 1427 * unwrapping constraints. 1428 */ 1429 if (hkey_p->class != CKO_SECRET_KEY && hkey_p->class != 1430 CKO_PRIVATE_KEY) 1431 return (CKR_MECHANISM_INVALID); 1432 break; 1433 case CKM_RSA_PKCS: 1434 case CKM_RSA_X_509: 1435 case CKM_DES_ECB: 1436 case CKM_DES3_ECB: 1437 case CKM_AES_ECB: 1438 case CKM_DES_CBC: 1439 case CKM_DES3_CBC: 1440 case CKM_AES_CBC: 1441 case CKM_AES_CTR: 1442 case CKM_BLOWFISH_CBC: 1443 /* 1444 * Unpadded secret key mechs and private key mechs are only 1445 * defined for wrapping secret keys. See PKCS#11 refs above. 1446 */ 1447 if (hkey_p->class != CKO_SECRET_KEY) 1448 return (CKR_MECHANISM_INVALID); 1449 break; 1450 default: 1451 return (CKR_MECHANISM_INVALID); 1452 } 1453 1454 if (hkey_p->class == CKO_SECRET_KEY) { 1455 plain_data = OBJ_SEC_VALUE(hkey_p); 1456 plain_len = OBJ_SEC_VALUE_LEN(hkey_p); 1457 } else { 1458 /* 1459 * BER-encode the object to be wrapped: call first with 1460 * plain_data = NULL to get the size needed, allocate that 1461 * much space, call again to fill space with actual data. 1462 */ 1463 rv = soft_object_to_asn1(hkey_p, NULL, &plain_len); 1464 if (rv != CKR_OK) 1465 return (rv); 1466 if ((plain_data = malloc(plain_len)) == NULL) 1467 return (CKR_HOST_MEMORY); 1468 (void) memset(plain_data, 0x0, plain_len); 1469 rv = soft_object_to_asn1(hkey_p, plain_data, &plain_len); 1470 if (rv != CKR_OK) 1471 goto cleanup_wrap; 1472 } 1473 1474 /* 1475 * For unpadded ECB and CBC mechanisms, the object needs to be 1476 * padded to the wrapping key's blocksize prior to the encryption. 1477 */ 1478 padded_len = plain_len; 1479 padded_data = plain_data; 1480 1481 switch (pMechanism->mechanism) { 1482 case CKM_DES_ECB: 1483 case CKM_DES3_ECB: 1484 case CKM_AES_ECB: 1485 case CKM_DES_CBC: 1486 case CKM_DES3_CBC: 1487 case CKM_AES_CBC: 1488 case CKM_BLOWFISH_CBC: 1489 /* Find the block size of the wrapping key. */ 1490 if (wrappingKey_p->class == CKO_SECRET_KEY) { 1491 switch (wrappingKey_p->key_type) { 1492 case CKK_DES: 1493 case CKK_DES2: 1494 case CKK_DES3: 1495 wkey_blksz = DES_BLOCK_LEN; 1496 break; 1497 case CKK_AES: 1498 wkey_blksz = AES_BLOCK_LEN; 1499 break; 1500 case CKK_BLOWFISH: 1501 wkey_blksz = BLOWFISH_BLOCK_LEN; 1502 break; 1503 default: 1504 break; 1505 } 1506 } else { 1507 rv = CKR_WRAPPING_KEY_TYPE_INCONSISTENT; 1508 goto cleanup_wrap; 1509 } 1510 1511 /* Extend the plain text data to block size boundary. */ 1512 if ((padded_len % wkey_blksz) != 0) { 1513 padded_len += (wkey_blksz - (plain_len % wkey_blksz)); 1514 if ((padded_data = malloc(padded_len)) == NULL) { 1515 rv = CKR_HOST_MEMORY; 1516 goto cleanup_wrap; 1517 } 1518 (void) memset(padded_data, 0x0, padded_len); 1519 (void) memcpy(padded_data, plain_data, plain_len); 1520 } 1521 break; 1522 default: 1523 break; 1524 } 1525 1526 rv = soft_encrypt_init(session_p, pMechanism, wrappingKey_p); 1527 if (rv != CKR_OK) 1528 goto cleanup_wrap; 1529 1530 rv = soft_encrypt(session_p, padded_data, padded_len, 1531 pWrappedKey, pulWrappedKeyLen); 1532 1533 cleanup_wrap: 1534 if (padded_data != NULL && padded_len != plain_len) { 1535 /* Clear buffer before returning to memory pool. */ 1536 (void) memset(padded_data, 0x0, padded_len); 1537 free(padded_data); 1538 } 1539 1540 if ((hkey_p->class != CKO_SECRET_KEY) && (plain_data != NULL)) { 1541 /* Clear buffer before returning to memory pool. */ 1542 (void) memset(plain_data, 0x0, plain_len); 1543 free(plain_data); 1544 } 1545 1546 return (rv); 1547 } 1548 1549 /* 1550 * Quick check for whether unwrapped key length is appropriate for key type 1551 * and whether it needs to be truncated (in case the wrapping function had 1552 * to pad the key prior to wrapping). 1553 */ 1554 static CK_RV 1555 soft_unwrap_secret_len_check(CK_KEY_TYPE keytype, CK_MECHANISM_TYPE mechtype, 1556 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount) 1557 { 1558 CK_ULONG i; 1559 boolean_t isValueLen = B_FALSE; 1560 1561 /* 1562 * Based on the key type and the mech used to unwrap, need to 1563 * determine if CKA_VALUE_LEN should or should not be specified. 1564 * PKCS#11 v2.11 restricts CKA_VALUE_LEN from being specified 1565 * for C_UnwrapKey for all mechs and key types, but v2.20 loosens 1566 * that restriction, perhaps because it makes it impossible to 1567 * determine the original length of unwrapped variable-length secret 1568 * keys, such as RC4, AES, and GENERIC_SECRET. These variable-length 1569 * secret keys would have been padded with trailing null-bytes so 1570 * that they could be successfully wrapped with *_ECB and *_CBC 1571 * mechanisms. Hence for unwrapping with these mechs, CKA_VALUE_LEN 1572 * must be specified. For unwrapping with other mechs, such as 1573 * *_CBC_PAD, the CKA_VALUE_LEN is not needed. 1574 */ 1575 1576 /* Find out if template has CKA_VALUE_LEN. */ 1577 for (i = 0; i < ulAttributeCount; i++) { 1578 if (pTemplate[i].type == CKA_VALUE_LEN && 1579 pTemplate[i].pValue != NULL) { 1580 isValueLen = B_TRUE; 1581 break; 1582 } 1583 } 1584 1585 /* Does its presence conflict with the mech type and key type? */ 1586 switch (mechtype) { 1587 case CKM_DES_ECB: 1588 case CKM_DES3_ECB: 1589 case CKM_AES_ECB: 1590 case CKM_DES_CBC: 1591 case CKM_DES3_CBC: 1592 case CKM_AES_CBC: 1593 case CKM_BLOWFISH_CBC: 1594 /* 1595 * CKA_VALUE_LEN must be specified 1596 * if keytype is CKK_RC4, CKK_AES and CKK_GENERIC_SECRET 1597 * and must not be specified otherwise 1598 */ 1599 switch (keytype) { 1600 case CKK_DES: 1601 case CKK_DES2: 1602 case CKK_DES3: 1603 if (isValueLen) 1604 return (CKR_TEMPLATE_INCONSISTENT); 1605 break; 1606 case CKK_GENERIC_SECRET: 1607 case CKK_RC4: 1608 case CKK_AES: 1609 case CKK_BLOWFISH: 1610 if (!isValueLen) 1611 return (CKR_TEMPLATE_INCOMPLETE); 1612 break; 1613 default: 1614 return (CKR_FUNCTION_NOT_SUPPORTED); 1615 } 1616 break; 1617 default: 1618 /* CKA_VALUE_LEN must not be specified */ 1619 if (isValueLen) 1620 return (CKR_TEMPLATE_INCONSISTENT); 1621 break; 1622 } 1623 1624 return (CKR_OK); 1625 } 1626 1627 CK_RV 1628 soft_unwrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 1629 soft_object_t *unwrappingkey_p, 1630 CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen, 1631 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, 1632 CK_OBJECT_HANDLE_PTR phKey) 1633 { 1634 CK_RV rv = CKR_OK; 1635 CK_OBJECT_CLASS new_obj_class = ~0UL; 1636 int i = 0; 1637 soft_object_t *new_objp = NULL; 1638 boolean_t persistent = B_FALSE; 1639 CK_BYTE_PTR plain_data = NULL; 1640 CK_ULONG plain_len = 0; 1641 secret_key_obj_t *sck = NULL; 1642 1643 /* Scan the attribute template for the object class. */ 1644 if (pTemplate != NULL && ulAttributeCount != 0) { 1645 for (i = 0; i < ulAttributeCount; i++) { 1646 if (pTemplate[i].type == CKA_CLASS) { 1647 new_obj_class = 1648 *((CK_OBJECT_CLASS *)pTemplate[i].pValue); 1649 break; 1650 } 1651 } 1652 if (new_obj_class == ~0UL) 1653 return (CKR_TEMPLATE_INCOMPLETE); 1654 } 1655 1656 /* 1657 * Check if the mechanism is supported, and now that the new 1658 * object's class is known, the mechanism selected should be 1659 * capable of doing the unwrap. 1660 */ 1661 switch (pMechanism->mechanism) { 1662 case CKM_RSA_PKCS: 1663 case CKM_RSA_X_509: 1664 case CKM_DES_ECB: 1665 case CKM_DES3_ECB: 1666 case CKM_AES_ECB: 1667 case CKM_DES_CBC: 1668 case CKM_DES3_CBC: 1669 case CKM_AES_CBC: 1670 case CKM_BLOWFISH_CBC: 1671 if (new_obj_class != CKO_SECRET_KEY) 1672 return (CKR_MECHANISM_INVALID); 1673 break; 1674 case CKM_DES_CBC_PAD: 1675 case CKM_DES3_CBC_PAD: 1676 case CKM_AES_CBC_PAD: 1677 if (new_obj_class != CKO_SECRET_KEY && new_obj_class != 1678 CKO_PRIVATE_KEY) 1679 return (CKR_MECHANISM_INVALID); 1680 break; 1681 default: 1682 return (CKR_MECHANISM_INVALID); 1683 } 1684 1685 /* Create a new object based on the attribute template. */ 1686 rv = soft_gen_keyobject(pTemplate, ulAttributeCount, 1687 (CK_ULONG *)&new_objp, session_p, (CK_OBJECT_CLASS)~0UL, 1688 (CK_KEY_TYPE)~0UL, 0, SOFT_UNWRAP_KEY, B_FALSE); 1689 if (rv != CKR_OK) 1690 return (rv); 1691 1692 /* 1693 * New key will have CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE 1694 * both set to FALSE. CKA_EXTRACTABLE will be set _by_default_ to 1695 * true -- leaving the possibility that it may be set FALSE by the 1696 * supplied attribute template. If the precise template cannot be 1697 * supported, unwrap fails. PKCS#11 spec, Sec. 11.14, C_UnwrapKey. 1698 * 1699 * Therefore, check the new object's NEVER_EXTRACTABLE_BOOL_ON and 1700 * ALWAYS_SENSITVE_BOOL_ON; if they are TRUE, the template must 1701 * have supplied them and therefore we cannot honor the unwrap. 1702 */ 1703 if ((new_objp->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) || 1704 (new_objp->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON)) { 1705 rv = CKR_TEMPLATE_INCONSISTENT; 1706 goto cleanup_unwrap; 1707 } 1708 1709 rv = soft_decrypt_init(session_p, pMechanism, unwrappingkey_p); 1710 if (rv != CKR_OK) 1711 goto cleanup_unwrap; 1712 1713 /* First get the length of the plain data */ 1714 rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, NULL, 1715 &plain_len); 1716 if (rv != CKR_OK) 1717 goto cleanup_unwrap; 1718 1719 /* Allocate space for the unwrapped data */ 1720 if ((plain_data = malloc(plain_len)) == NULL) { 1721 rv = CKR_HOST_MEMORY; 1722 goto cleanup_unwrap; 1723 } 1724 (void) memset(plain_data, 0x0, plain_len); 1725 1726 /* Perform actual decryption into the allocated space. */ 1727 rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, plain_data, 1728 &plain_len); 1729 if (rv != CKR_OK) 1730 goto cleanup_unwrap; 1731 1732 if (new_objp->class == CKO_SECRET_KEY) { 1733 /* 1734 * Since no ASN.1 encoding is done for secret keys, check for 1735 * appropriateness and copy decrypted buffer to the key object. 1736 */ 1737 1738 /* Check keytype and mechtype don't conflict with valuelen */ 1739 rv = soft_unwrap_secret_len_check(new_objp->key_type, 1740 pMechanism->mechanism, pTemplate, ulAttributeCount); 1741 if (rv != CKR_OK) 1742 goto cleanup_unwrap; 1743 1744 /* 1745 * Allocate the secret key structure if not already there; 1746 * it will exist for variable length keys since CKA_VALUE_LEN 1747 * is specified and saved, but not for fixed length keys. 1748 */ 1749 if (OBJ_SEC(new_objp) == NULL) { 1750 if ((sck = calloc(1, sizeof (secret_key_obj_t))) == 1751 NULL) { 1752 rv = CKR_HOST_MEMORY; 1753 goto cleanup_unwrap; 1754 } 1755 OBJ_SEC(new_objp) = sck; 1756 } 1757 1758 switch (new_objp->key_type) { 1759 /* Fixed length secret keys don't have CKA_VALUE_LEN */ 1760 case CKK_DES: 1761 OBJ_SEC_VALUE_LEN(new_objp) = DES_KEYSIZE; 1762 break; 1763 case CKK_DES2: 1764 OBJ_SEC_VALUE_LEN(new_objp) = DES2_KEYSIZE; 1765 break; 1766 case CKK_DES3: 1767 OBJ_SEC_VALUE_LEN(new_objp) = DES3_KEYSIZE; 1768 break; 1769 1770 /* 1771 * Variable length secret keys. CKA_VALUE_LEN must be 1772 * provided by the template when mech is *_ECB or *_CBC, and 1773 * should already have been set during soft_gen_keyobject(). 1774 * Otherwise we don't need CKA_VALUE_LEN. 1775 */ 1776 case CKK_GENERIC_SECRET: 1777 case CKK_RC4: 1778 case CKK_AES: 1779 case CKK_BLOWFISH: 1780 break; 1781 default: 1782 rv = CKR_WRAPPED_KEY_INVALID; 1783 goto cleanup_unwrap; 1784 }; 1785 1786 if (OBJ_SEC_VALUE_LEN(new_objp) == 0) { 1787 /* No CKA_VALUE_LEN set so set it now and save data */ 1788 OBJ_SEC_VALUE_LEN(new_objp) = plain_len; 1789 OBJ_SEC_VALUE(new_objp) = plain_data; 1790 } else if (OBJ_SEC_VALUE_LEN(new_objp) == plain_len) { 1791 /* No need to truncate, just save the data */ 1792 OBJ_SEC_VALUE(new_objp) = plain_data; 1793 } else if (OBJ_SEC_VALUE_LEN(new_objp) > plain_len) { 1794 /* Length can't be bigger than what was decrypted */ 1795 rv = CKR_WRAPPED_KEY_LEN_RANGE; 1796 goto cleanup_unwrap; 1797 } else { /* betw 0 and plain_len, hence padded */ 1798 /* Truncate the data before saving. */ 1799 OBJ_SEC_VALUE(new_objp) = realloc(plain_data, 1800 OBJ_SEC_VALUE_LEN(new_objp)); 1801 if (OBJ_SEC_VALUE(new_objp) == NULL) { 1802 rv = CKR_HOST_MEMORY; 1803 goto cleanup_unwrap; 1804 } 1805 } 1806 } else { 1807 /* BER-decode the object to be unwrapped. */ 1808 rv = soft_asn1_to_object(new_objp, plain_data, plain_len); 1809 if (rv != CKR_OK) 1810 goto cleanup_unwrap; 1811 } 1812 1813 /* If it needs to be persistent, write it to the keystore */ 1814 if (IS_TOKEN_OBJECT(new_objp)) { 1815 persistent = B_TRUE; 1816 rv = soft_put_object_to_keystore(new_objp); 1817 if (rv != CKR_OK) 1818 goto cleanup_unwrap; 1819 } 1820 1821 if (new_objp->class != CKO_SECRET_KEY) { 1822 /* Clear buffer before returning to memory pool. */ 1823 (void) memset(plain_data, 0x0, plain_len); 1824 free(plain_data); 1825 } 1826 1827 *phKey = (CK_OBJECT_HANDLE)new_objp; 1828 1829 return (CKR_OK); 1830 1831 cleanup_unwrap: 1832 /* The decrypted private key buffer must be freed explicitly. */ 1833 if ((new_objp->class != CKO_SECRET_KEY) && (plain_data != NULL)) { 1834 /* Clear buffer before returning to memory pool. */ 1835 (void) memset(plain_data, 0x0, plain_len); 1836 free(plain_data); 1837 } 1838 1839 /* sck and new_objp are indirectly free()d inside these functions */ 1840 if (IS_TOKEN_OBJECT(new_objp)) 1841 soft_delete_token_object(new_objp, persistent, B_FALSE); 1842 else 1843 soft_delete_object(session_p, new_objp, B_FALSE, B_FALSE); 1844 1845 return (rv); 1846 } 1847