xref: /titanic_51/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeysUtil.c (revision 7ff836697c120cb94bd30d5c2204eb9b74718e4c)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <pthread.h>
27 #include <stdlib.h>
28 #include <string.h>
29 #include <strings.h>
30 #include <sys/types.h>
31 #include <security/cryptoki.h>
32 #include <sys/crypto/common.h>
33 #include <aes_impl.h>
34 #include <blowfish_impl.h>
35 #include <des_impl.h>
36 #include <arcfour.h>
37 #include <cryptoutil.h>
38 #include "softGlobal.h"
39 #include "softSession.h"
40 #include "softObject.h"
41 #include "softDSA.h"
42 #include "softRSA.h"
43 #include "softDH.h"
44 #include "softEC.h"
45 #include "softMAC.h"
46 #include "softOps.h"
47 #include "softKeys.h"
48 #include "softKeystore.h"
49 #include "softSSL.h"
50 #include "softASN1.h"
51 
52 
53 #define	local_min(a, b)	((a) < (b) ? (a) : (b))
54 
55 static CK_RV
56 soft_pkcs12_pbe(soft_session_t *, CK_MECHANISM_PTR, soft_object_t *);
57 
58 /*
59  * Create a temporary key object struct by filling up its template attributes.
60  */
61 CK_RV
62 soft_gen_keyobject(CK_ATTRIBUTE_PTR pTemplate,  CK_ULONG ulCount,
63     CK_ULONG *objecthandle_p, soft_session_t *sp,
64     CK_OBJECT_CLASS class, CK_KEY_TYPE key_type, CK_ULONG keylen, CK_ULONG mode,
65     boolean_t internal)
66 {
67 
68 	CK_RV rv;
69 	soft_object_t *new_objp = NULL;
70 
71 	new_objp = calloc(1, sizeof (soft_object_t));
72 	if (new_objp == NULL) {
73 		return (CKR_HOST_MEMORY);
74 	}
75 
76 	new_objp->extra_attrlistp = NULL;
77 
78 	/*
79 	 * Validate attribute template and fill in the attributes
80 	 * in the soft_object_t.
81 	 */
82 	rv = soft_build_key(pTemplate, ulCount, new_objp, class, key_type,
83 	    keylen, mode);
84 	if (rv != CKR_OK) {
85 		goto fail_cleanup1;
86 	}
87 
88 	/*
89 	 * If generating a key is an internal request (i.e. not a C_XXX
90 	 * API request), then skip the following checks.
91 	 */
92 	if (!internal) {
93 		rv = soft_pin_expired_check(new_objp);
94 		if (rv != CKR_OK) {
95 			goto fail_cleanup2;
96 		}
97 
98 		rv = soft_object_write_access_check(sp, new_objp);
99 		if (rv != CKR_OK) {
100 			goto fail_cleanup2;
101 		}
102 	}
103 
104 	/* Initialize the rest of stuffs in soft_object_t. */
105 	(void) pthread_mutex_init(&new_objp->object_mutex, NULL);
106 	new_objp->magic_marker = SOFTTOKEN_OBJECT_MAGIC;
107 
108 	/* Write the new token object to the keystore */
109 	if (IS_TOKEN_OBJECT(new_objp)) {
110 		new_objp->version = 1;
111 		new_objp->session_handle = (CK_SESSION_HANDLE)NULL;
112 		soft_add_token_object_to_slot(new_objp);
113 		/*
114 		 * Type casting the address of an object struct to
115 		 * an object handle.
116 		 */
117 		*objecthandle_p = (CK_ULONG)new_objp;
118 
119 		return (CKR_OK);
120 	}
121 
122 	new_objp->session_handle = (CK_SESSION_HANDLE)sp;
123 
124 	/* Add the new object to the session's object list. */
125 	soft_add_object_to_session(new_objp, sp);
126 
127 	/* Type casting the address of an object struct to an object handle. */
128 	*objecthandle_p =  (CK_ULONG)new_objp;
129 
130 	return (CKR_OK);
131 
132 fail_cleanup2:
133 	/*
134 	 * When any error occurs after soft_build_key(), we will need to
135 	 * clean up the memory allocated by the soft_build_key().
136 	 */
137 	soft_cleanup_object(new_objp);
138 
139 fail_cleanup1:
140 	if (new_objp) {
141 		/*
142 		 * The storage allocated inside of this object should have
143 		 * been cleaned up by the soft_build_key() if it failed.
144 		 * Therefore, we can safely free the object.
145 		 */
146 		free(new_objp);
147 	}
148 
149 	return (rv);
150 }
151 
152 CK_RV
153 soft_genkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
154     CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey)
155 {
156 
157 	CK_RV rv = CKR_OK;
158 	soft_object_t *secret_key;
159 	CK_KEY_TYPE key_type;
160 	CK_ULONG keylen = 0;
161 	CK_ULONG i;
162 	int des_strength = 0;
163 	int retry = 0;
164 	int keyfound = 0;
165 	boolean_t is_ssl_mech = B_FALSE;
166 
167 	switch (pMechanism->mechanism) {
168 	case CKM_DES_KEY_GEN:
169 		key_type = CKK_DES;
170 		break;
171 
172 	case CKM_DES3_KEY_GEN:
173 		key_type = CKK_DES3;
174 		break;
175 
176 	case CKM_AES_KEY_GEN:
177 		key_type = CKK_AES;
178 		break;
179 
180 	case CKM_BLOWFISH_KEY_GEN:
181 		key_type = CKK_BLOWFISH;
182 		break;
183 
184 	case CKM_RC4_KEY_GEN:
185 		key_type = CKK_RC4;
186 		break;
187 
188 	case CKM_SSL3_PRE_MASTER_KEY_GEN:
189 	case CKM_TLS_PRE_MASTER_KEY_GEN:
190 		if (pMechanism->pParameter == NULL ||
191 		    pMechanism->ulParameterLen != sizeof (CK_VERSION))
192 			return (CKR_TEMPLATE_INCOMPLETE);
193 		is_ssl_mech = B_TRUE;
194 		key_type = CKK_GENERIC_SECRET;
195 		keylen = 48;
196 		break;
197 
198 	case CKM_PKCS5_PBKD2:
199 		keyfound = 0;
200 		for (i = 0; i < ulCount && !keyfound; i++) {
201 			if (pTemplate[i].type == CKA_KEY_TYPE &&
202 			    pTemplate[i].pValue != NULL) {
203 				key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue);
204 				keyfound = 1;
205 			}
206 		}
207 		if (!keyfound)
208 			return (CKR_TEMPLATE_INCOMPLETE);
209 		/*
210 		 * Make sure that parameters were given for this
211 		 * mechanism.
212 		 */
213 		if (pMechanism->pParameter == NULL ||
214 		    pMechanism->ulParameterLen !=
215 		    sizeof (CK_PKCS5_PBKD2_PARAMS))
216 			return (CKR_TEMPLATE_INCOMPLETE);
217 		break;
218 
219 	case CKM_PBE_SHA1_RC4_128:
220 		keyfound = 0;
221 		for (i = 0; i < ulCount; i++) {
222 			if (pTemplate[i].type == CKA_KEY_TYPE &&
223 			    pTemplate[i].pValue != NULL) {
224 				key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue);
225 				keyfound = 1;
226 			}
227 			if (pTemplate[i].type == CKA_VALUE_LEN &&
228 			    pTemplate[i].pValue != NULL) {
229 				keylen = *((CK_ULONG*)pTemplate[i].pValue);
230 			}
231 		}
232 		/* If a keytype was specified, it had better be CKK_RC4 */
233 		if (keyfound && key_type != CKK_RC4)
234 			return (CKR_TEMPLATE_INCONSISTENT);
235 		else if (!keyfound)
236 			key_type = CKK_RC4;
237 
238 		/* If key length was specified, it better be 16 bytes */
239 		if (keylen != 0 && keylen != 16)
240 			return (CKR_TEMPLATE_INCONSISTENT);
241 
242 		/*
243 		 * Make sure that parameters were given for this
244 		 * mechanism.
245 		 */
246 		if (pMechanism->pParameter == NULL ||
247 		    pMechanism->ulParameterLen !=
248 		    sizeof (CK_PBE_PARAMS))
249 			return (CKR_TEMPLATE_INCOMPLETE);
250 		break;
251 	default:
252 		return (CKR_MECHANISM_INVALID);
253 	}
254 
255 	/* Create a new object for secret key. */
256 	rv = soft_gen_keyobject(pTemplate, ulCount, phKey, session_p,
257 	    CKO_SECRET_KEY, key_type, keylen, SOFT_GEN_KEY, B_FALSE);
258 
259 	if (rv != CKR_OK) {
260 		return (rv);
261 	}
262 
263 	/* Obtain the secret object pointer. */
264 	secret_key = (soft_object_t *)*phKey;
265 
266 	switch (pMechanism->mechanism) {
267 	case CKM_DES_KEY_GEN:
268 		/*
269 		 * Set up key value len since it is not a required
270 		 * attribute for C_GenerateKey.
271 		 */
272 		keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
273 		des_strength = DES;
274 		break;
275 
276 	case CKM_DES3_KEY_GEN:
277 		/*
278 		 * Set up key value len since it is not a required
279 		 * attribute for C_GenerateKey.
280 		 */
281 		keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE;
282 		des_strength = DES3;
283 		break;
284 
285 	case CKM_SSL3_PRE_MASTER_KEY_GEN:
286 	case CKM_TLS_PRE_MASTER_KEY_GEN:
287 		secret_key->bool_attr_mask |= DERIVE_BOOL_ON;
288 	/* FALLTHRU */
289 
290 	case CKM_AES_KEY_GEN:
291 	case CKM_BLOWFISH_KEY_GEN:
292 	case CKM_PBE_SHA1_RC4_128:
293 	case CKM_RC4_KEY_GEN:
294 		keylen = OBJ_SEC_VALUE_LEN(secret_key);
295 		break;
296 
297 	case CKM_PKCS5_PBKD2:
298 		/*
299 		 * PKCS#11 does not allow one to specify key
300 		 * sizes for DES and 3DES, so we must set it here
301 		 * when using PBKD2 algorithms.
302 		 */
303 		if (key_type == CKK_DES) {
304 			OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
305 			des_strength = DES;
306 		} else if (key_type == CKK_DES3) {
307 			OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE;
308 			des_strength = DES3;
309 		}
310 
311 		keylen = OBJ_SEC_VALUE_LEN(secret_key);
312 		break;
313 	}
314 
315 	if ((OBJ_SEC_VALUE(secret_key) = malloc(keylen)) == NULL) {
316 		if (IS_TOKEN_OBJECT(secret_key))
317 			soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
318 		else
319 			soft_delete_object(session_p, secret_key,
320 			    B_FALSE, B_FALSE);
321 
322 		return (CKR_HOST_MEMORY);
323 	}
324 	switch (pMechanism->mechanism) {
325 	case CKM_PBE_SHA1_RC4_128:
326 		/*
327 		 * Use the PBE algorithm described in PKCS#11 section
328 		 * 12.33 to derive the key.
329 		 */
330 		rv = soft_pkcs12_pbe(session_p, pMechanism, secret_key);
331 		break;
332 	case CKM_PKCS5_PBKD2:
333 		/* Generate keys using PKCS#5 PBKD2 algorithm */
334 		rv = soft_generate_pkcs5_pbkdf2_key(session_p, pMechanism,
335 		    secret_key);
336 		if (rv == CKR_OK && des_strength > 0) {
337 			/* Perform weak key checking for DES and DES3. */
338 			if (des_keycheck(OBJ_SEC_VALUE(secret_key),
339 			    des_strength, OBJ_SEC_VALUE(secret_key)) ==
340 			    B_FALSE) {
341 				/* We got a weak secret key. */
342 				rv = CKR_FUNCTION_FAILED;
343 			}
344 		}
345 		break;
346 	default:
347 		do {
348 			/* If this fails, bail out */
349 			rv = CKR_OK;
350 			if (pkcs11_get_urandom(
351 			    OBJ_SEC_VALUE(secret_key), keylen) < 0) {
352 				rv = CKR_DEVICE_ERROR;
353 				break;
354 			}
355 
356 			/* Perform weak key checking for DES and DES3. */
357 			if (des_strength > 0) {
358 				rv = CKR_OK;
359 				if (des_keycheck(OBJ_SEC_VALUE(secret_key),
360 				    des_strength, OBJ_SEC_VALUE(secret_key)) ==
361 				    B_FALSE) {
362 					/* We got a weak key, retry! */
363 					retry++;
364 					rv = CKR_FUNCTION_FAILED;
365 				}
366 			}
367 			/*
368 			 * Copy over the SSL client version For SSL mechs
369 			 * The first two bytes of the key is the version
370 			 */
371 			if (is_ssl_mech)
372 				bcopy(pMechanism->pParameter,
373 				    OBJ_SEC_VALUE(secret_key),
374 				    sizeof (CK_VERSION));
375 
376 		} while (rv != CKR_OK && retry < KEYGEN_RETRY);
377 		if (retry == KEYGEN_RETRY)
378 			rv = CKR_FUNCTION_FAILED;
379 		break;
380 	}
381 
382 	if (rv != CKR_OK)
383 		if (IS_TOKEN_OBJECT(secret_key))
384 			soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
385 		else
386 			soft_delete_object(session_p, secret_key,
387 			    B_FALSE, B_FALSE);
388 
389 	if (IS_TOKEN_OBJECT(secret_key)) {
390 		/*
391 		 * All the info has been filled, so we can write to
392 		 * keystore now.
393 		 */
394 		rv = soft_put_object_to_keystore(secret_key);
395 		if (rv != CKR_OK)
396 			soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
397 	}
398 
399 	return (rv);
400 }
401 
402 CK_RV
403 soft_genkey_pair(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
404     CK_ATTRIBUTE_PTR pPublicKeyTemplate, CK_ULONG ulPublicAttrCount,
405     CK_ATTRIBUTE_PTR pPrivateKeyTemplate, CK_ULONG ulPrivateAttrCount,
406     CK_OBJECT_HANDLE_PTR phPublicKey, CK_OBJECT_HANDLE_PTR phPrivateKey)
407 {
408 
409 	CK_RV rv;
410 	soft_object_t *public_key, *private_key;
411 	CK_KEY_TYPE key_type;
412 
413 	switch (pMechanism->mechanism) {
414 
415 	case CKM_RSA_PKCS_KEY_PAIR_GEN:
416 		key_type = CKK_RSA;
417 		break;
418 
419 	case CKM_DSA_KEY_PAIR_GEN:
420 		key_type = CKK_DSA;
421 		break;
422 
423 	case CKM_DH_PKCS_KEY_PAIR_GEN:
424 		key_type = CKK_DH;
425 		break;
426 
427 	case CKM_EC_KEY_PAIR_GEN:
428 		key_type = CKK_EC;
429 		break;
430 
431 	default:
432 		return (CKR_MECHANISM_INVALID);
433 	}
434 
435 	/* Create a new object for public key. */
436 	rv = soft_gen_keyobject(pPublicKeyTemplate, ulPublicAttrCount,
437 	    phPublicKey, session_p, CKO_PUBLIC_KEY, key_type, 0,
438 	    SOFT_GEN_KEY, B_FALSE);
439 
440 	if (rv != CKR_OK) {
441 		return (rv);
442 	}
443 
444 	/* Obtain the public object pointer. */
445 	public_key = (soft_object_t *)*phPublicKey;
446 
447 	/* Create a new object for private key. */
448 	rv = soft_gen_keyobject(pPrivateKeyTemplate, ulPrivateAttrCount,
449 	    phPrivateKey, session_p, CKO_PRIVATE_KEY, key_type, 0,
450 	    SOFT_GEN_KEY, B_FALSE);
451 
452 	if (rv != CKR_OK) {
453 		/*
454 		 * Both public key and private key must be successful.
455 		 */
456 		if (IS_TOKEN_OBJECT(public_key))
457 			soft_delete_token_object(public_key, B_FALSE, B_FALSE);
458 		else
459 			soft_delete_object(session_p, public_key,
460 			    B_FALSE, B_FALSE);
461 		return (rv);
462 	}
463 
464 	/* Obtain the private object pointer. */
465 	private_key = (soft_object_t *)*phPrivateKey;
466 
467 	/*
468 	 * At this point, both public key and private key objects
469 	 * are settled with the application specified attributes.
470 	 * We are ready to generate the rest of key attributes based
471 	 * on the existing attributes.
472 	 */
473 
474 	switch (key_type) {
475 	case CKK_RSA:
476 		rv = soft_rsa_genkey_pair(public_key, private_key);
477 		break;
478 
479 	case CKK_DSA:
480 		rv = soft_dsa_genkey_pair(public_key, private_key);
481 		break;
482 
483 	case CKK_DH:
484 		rv = soft_dh_genkey_pair(public_key, private_key);
485 		private_key->bool_attr_mask |= DERIVE_BOOL_ON;
486 		break;
487 	case CKK_EC:
488 		rv = soft_ec_genkey_pair(public_key, private_key);
489 		private_key->bool_attr_mask |= DERIVE_BOOL_ON;
490 		break;
491 	}
492 
493 	if (rv != CKR_OK) {
494 		if (IS_TOKEN_OBJECT(public_key)) {
495 			soft_delete_token_object(public_key, B_FALSE, B_FALSE);
496 			soft_delete_token_object(private_key, B_FALSE, B_FALSE);
497 		} else {
498 			soft_delete_object(session_p, public_key,
499 			    B_FALSE, B_FALSE);
500 			soft_delete_object(session_p, private_key,
501 			    B_FALSE, B_FALSE);
502 		}
503 	}
504 
505 	if (IS_TOKEN_OBJECT(public_key)) {
506 		/*
507 		 * All the info has been filled, so we can write to
508 		 * keystore now.
509 		 */
510 		rv = soft_put_object_to_keystore(public_key);
511 		if (rv != CKR_OK) {
512 			soft_delete_token_object(public_key, B_FALSE, B_FALSE);
513 			soft_delete_token_object(private_key, B_FALSE, B_FALSE);
514 		}
515 	}
516 
517 	if (IS_TOKEN_OBJECT(private_key)) {
518 		rv = soft_put_object_to_keystore(private_key);
519 		if (rv != CKR_OK) {
520 			/*
521 			 * We also need to delete the public token object
522 			 * from keystore.
523 			 */
524 			soft_delete_token_object(public_key, B_TRUE, B_FALSE);
525 			soft_delete_token_object(private_key, B_FALSE, B_FALSE);
526 		}
527 	}
528 
529 	return (rv);
530 }
531 
532 
533 CK_RV
534 soft_key_derive_check_length(soft_object_t *secret_key, CK_ULONG max_keylen)
535 {
536 
537 	switch (secret_key->key_type) {
538 	case CKK_GENERIC_SECRET:
539 		if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
540 			OBJ_SEC_VALUE_LEN(secret_key) = max_keylen;
541 			return (CKR_OK);
542 		} else if (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen) {
543 			return (CKR_ATTRIBUTE_VALUE_INVALID);
544 		}
545 		break;
546 	case CKK_RC4:
547 	case CKK_AES:
548 	case CKK_BLOWFISH:
549 		if ((OBJ_SEC_VALUE_LEN(secret_key) == 0) ||
550 		    (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen)) {
551 			/* RC4 and AES has variable key length */
552 			return (CKR_ATTRIBUTE_VALUE_INVALID);
553 		}
554 		break;
555 	case CKK_DES:
556 		if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
557 			/* DES has a well-defined length */
558 			OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
559 			return (CKR_OK);
560 		} else if (OBJ_SEC_VALUE_LEN(secret_key) != DES_KEYSIZE) {
561 			return (CKR_ATTRIBUTE_VALUE_INVALID);
562 		}
563 		break;
564 	case CKK_DES2:
565 		if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
566 			/* DES2 has a well-defined length */
567 			OBJ_SEC_VALUE_LEN(secret_key) = DES2_KEYSIZE;
568 			return (CKR_OK);
569 		} else if (OBJ_SEC_VALUE_LEN(secret_key) != DES2_KEYSIZE) {
570 			return (CKR_ATTRIBUTE_VALUE_INVALID);
571 		}
572 		break;
573 
574 	default:
575 		return (CKR_MECHANISM_INVALID);
576 	}
577 
578 	return (CKR_OK);
579 }
580 
581 /*
582  * PKCS#11 (12.33) says that v = 512 bits (64 bytes) for SHA1
583  * PBE methods.
584  */
585 #define	PKCS12_BUFFER_SIZE 64
586 /*
587  * PKCS#12 defines 3 different ID bytes to be used for
588  * deriving keys for different operations.
589  */
590 #define	PBE_ID_ENCRYPT	1
591 #define	PBE_ID_IV	2
592 #define	PBE_ID_MAC	3
593 #define	PBE_CEIL(a, b)	(((a)/(b)) + (((a)%(b)) > 0))
594 
595 static CK_RV
596 soft_pkcs12_pbe(soft_session_t *session_p,
597 		CK_MECHANISM_PTR pMechanism,
598 		soft_object_t *derived_key)
599 {
600 	CK_RV rv = CKR_OK;
601 	CK_PBE_PARAMS *params = pMechanism->pParameter;
602 	CK_ULONG c, i, j, k;
603 	CK_ULONG hashSize;
604 	CK_ULONG buffSize;
605 	/*
606 	 * Terse variable names are used to make following
607 	 * the PKCS#12 spec easier.
608 	 */
609 	CK_BYTE *A = NULL;
610 	CK_BYTE *Ai = NULL;
611 	CK_BYTE *B = NULL;
612 	CK_BYTE *D = NULL;
613 	CK_BYTE *I = NULL, *S, *P;
614 	CK_BYTE *keybuf = NULL;
615 	CK_ULONG Alen, Ilen, Slen, Plen, AiLen, Blen, Dlen;
616 	CK_ULONG keysize = OBJ_SEC_VALUE_LEN(derived_key);
617 	CK_MECHANISM digest_mech;
618 
619 	/* U = hash function output bits */
620 	if (pMechanism->mechanism == CKM_PBE_SHA1_RC4_128) {
621 		hashSize = SHA1_HASH_SIZE;
622 		buffSize = PKCS12_BUFFER_SIZE;
623 		digest_mech.mechanism = CKM_SHA_1;
624 		digest_mech.pParameter = NULL;
625 		digest_mech.ulParameterLen = 0;
626 	} else {
627 		/* we only support 1 PBE mech for now */
628 		return (CKR_MECHANISM_INVALID);
629 	}
630 	keybuf = OBJ_SEC_VALUE(derived_key);
631 
632 	Blen = Dlen = buffSize;
633 	D = (CK_BYTE *)malloc(Dlen);
634 	if (D == NULL) {
635 		rv = CKR_HOST_MEMORY;
636 		goto cleanup;
637 	}
638 
639 	B = (CK_BYTE *)malloc(Blen);
640 	if (B == NULL) {
641 		rv = CKR_HOST_MEMORY;
642 		goto cleanup;
643 	}
644 
645 	/*
646 	 * Initialize some values and create some buffers
647 	 * that we need later.
648 	 *
649 	 * Slen = buffSize * CEIL(SaltLength/buffSize)
650 	 */
651 	Slen = buffSize * PBE_CEIL(params->ulSaltLen, buffSize);
652 
653 	/*
654 	 * Plen = buffSize * CEIL(PasswordLength/buffSize)
655 	 */
656 	Plen = buffSize * PBE_CEIL(params->ulPasswordLen, buffSize);
657 
658 	/*
659 	 * From step 4: I = S + P, so: Ilen = Slen + Plen
660 	 */
661 	Ilen = Slen + Plen;
662 	I = (CK_BYTE *)malloc(Ilen);
663 	if (I == NULL) {
664 		rv = CKR_HOST_MEMORY;
665 		goto cleanup;
666 	}
667 
668 	S = I;
669 	P = I + Slen;
670 
671 	/*
672 	 * Step 1.
673 	 * We are only interested in deriving keys for encrypt/decrypt
674 	 * for now, so construct the "D"iversifier accordingly.
675 	 */
676 	(void) memset(D, PBE_ID_ENCRYPT, Dlen);
677 
678 	/*
679 	 * Step 2.
680 	 * Concatenate copies of the salt together to make S.
681 	 */
682 	for (i = 0; i < Slen; i += params->ulSaltLen) {
683 		(void) memcpy(S+i, params->pSalt,
684 		    ((Slen - i) > params->ulSaltLen ?
685 		    params->ulSaltLen : (Slen - i)));
686 	}
687 
688 	/*
689 	 * Step 3.
690 	 * Concatenate copies of the password together to make
691 	 * a string P.
692 	 */
693 	for (i = 0; i < Plen; i += params->ulPasswordLen) {
694 		(void) memcpy(P+i, params->pPassword,
695 		    ((Plen - i) > params->ulPasswordLen ?
696 		    params->ulPasswordLen : (Plen - i)));
697 	}
698 
699 	/*
700 	 * Step 4.
701 	 * I = S+P - this is now done because S and P are
702 	 * pointers into I.
703 	 *
704 	 * Step 5.
705 	 * c= CEIL[n/u]
706 	 * where n = pseudorandom bits of output desired.
707 	 */
708 	c = PBE_CEIL(keysize, hashSize);
709 
710 	/*
711 	 * Step 6.
712 	 */
713 	Alen = c * hashSize;
714 	A = (CK_BYTE *)malloc(Alen);
715 	if (A == NULL) {
716 		rv = CKR_HOST_MEMORY;
717 		goto cleanup;
718 	}
719 	AiLen = hashSize;
720 	Ai = (CK_BYTE *)malloc(AiLen);
721 	if (Ai == NULL) {
722 		rv = CKR_HOST_MEMORY;
723 		goto cleanup;
724 	}
725 
726 	/*
727 	 * Step 6a.
728 	 * Ai = Hr(D+I)
729 	 */
730 	for (i = 0; i < c; i++) {
731 		(void) pthread_mutex_lock(&session_p->session_mutex);
732 
733 		if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) {
734 			(void) pthread_mutex_unlock(&session_p->session_mutex);
735 			rv = CKR_OPERATION_ACTIVE;
736 			goto cleanup;
737 		}
738 		session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE;
739 		(void) pthread_mutex_unlock(&session_p->session_mutex);
740 
741 		for (j = 0; j < params->ulIteration; j++) {
742 			rv = soft_digest_init(session_p, &digest_mech);
743 			if (rv != CKR_OK)
744 				goto digest_done;
745 
746 			if (j == 0) {
747 				rv = soft_digest_update(session_p, D, Dlen);
748 				if (rv != CKR_OK)
749 					goto digest_done;
750 
751 				rv = soft_digest_update(session_p, I, Ilen);
752 			} else {
753 				rv = soft_digest_update(session_p, Ai, AiLen);
754 			}
755 			if (rv != CKR_OK)
756 				goto digest_done;
757 
758 			rv = soft_digest_final(session_p, Ai, &AiLen);
759 			if (rv != CKR_OK)
760 				goto digest_done;
761 		}
762 digest_done:
763 		(void) pthread_mutex_lock(&session_p->session_mutex);
764 		session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE;
765 		(void) pthread_mutex_unlock(&session_p->session_mutex);
766 
767 		if (rv != CKR_OK)
768 			goto cleanup;
769 		/*
770 		 * Step 6b.
771 		 * Concatenate Ai to make B
772 		 */
773 		for (j = 0; j < Blen; j += hashSize) {
774 			(void) memcpy(B+j, Ai, ((Blen - j > hashSize) ?
775 			    hashSize : Blen - j));
776 		}
777 
778 		/*
779 		 * Step 6c.
780 		 */
781 		k = Ilen / Blen;
782 		for (j = 0; j < k; j++) {
783 			uchar_t idx;
784 			CK_ULONG m, q = 1, cbit = 0;
785 
786 			for (m = Blen - 1; m >= (CK_ULONG)0; m--, q = 0) {
787 				idx = m + j*Blen;
788 
789 				q += (CK_ULONG)I[idx] + (CK_ULONG)B[m];
790 				q += cbit;
791 				I[idx] = (CK_BYTE)(q & 0xff);
792 				cbit = (q > 0xff);
793 			}
794 		}
795 
796 		/*
797 		 * Step 7.
798 		 *  A += Ai
799 		 */
800 		(void) memcpy(A + i*hashSize, Ai, AiLen);
801 	}
802 
803 	/*
804 	 * Step 8.
805 	 * The final output of this process is the A buffer
806 	 */
807 	(void) memcpy(keybuf, A, keysize);
808 
809 cleanup:
810 	if (A) {
811 		bzero(A, Alen);
812 		free(A);
813 	}
814 	if (Ai) {
815 		bzero(Ai, AiLen);
816 		free(Ai);
817 	}
818 	if (B) {
819 		bzero(B, Blen);
820 		free(B);
821 	}
822 	if (D) {
823 		bzero(D, Dlen);
824 		free(D);
825 	}
826 	if (I) {
827 		bzero(I, Ilen);
828 		free(I);
829 	}
830 	return (rv);
831 }
832 
833 CK_RV
834 soft_derivekey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
835     soft_object_t *basekey_p, CK_ATTRIBUTE_PTR pTemplate,
836     CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey)
837 {
838 
839 	CK_RV rv = CKR_OK;
840 	soft_object_t *secret_key;
841 	CK_MECHANISM digest_mech;
842 	CK_BYTE hash[SHA512_DIGEST_LENGTH]; /* space enough for all mechs */
843 	CK_ULONG hash_len = SHA512_DIGEST_LENGTH;
844 	CK_ULONG secret_key_len;
845 	CK_ULONG hash_size;
846 
847 	switch (pMechanism->mechanism) {
848 	case CKM_DH_PKCS_DERIVE:
849 		/*
850 		 * Create a new object for secret key. The key type should
851 		 * be provided in the template.
852 		 */
853 		rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
854 		    phKey, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL, 0,
855 		    SOFT_DERIVE_KEY_DH, B_FALSE);
856 
857 		if (rv != CKR_OK) {
858 			return (rv);
859 		}
860 
861 		/* Obtain the secret object pointer. */
862 		secret_key = (soft_object_t *)*phKey;
863 
864 		rv = soft_dh_key_derive(basekey_p, secret_key,
865 		    (CK_BYTE *)pMechanism->pParameter,
866 		    pMechanism->ulParameterLen);
867 
868 		if (rv != CKR_OK) {
869 			if (IS_TOKEN_OBJECT(secret_key))
870 				soft_delete_token_object(secret_key, B_FALSE,
871 				    B_FALSE);
872 			else
873 				soft_delete_object(session_p, secret_key,
874 				    B_FALSE, B_FALSE);
875 			return (rv);
876 		}
877 
878 		break;
879 
880 	case CKM_ECDH1_DERIVE:
881 		/*
882 		 * Create a new object for secret key. The key type should
883 		 * be provided in the template.
884 		 */
885 		rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
886 		    phKey, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL, 0,
887 		    SOFT_DERIVE_KEY_DH, B_FALSE);
888 
889 		if (rv != CKR_OK) {
890 			return (rv);
891 		}
892 
893 		/* Obtain the secret object pointer. */
894 		secret_key = (soft_object_t *)*phKey;
895 
896 		rv = soft_ec_key_derive(basekey_p, secret_key,
897 		    (CK_BYTE *)pMechanism->pParameter,
898 		    pMechanism->ulParameterLen);
899 
900 		if (rv != CKR_OK) {
901 			if (IS_TOKEN_OBJECT(secret_key))
902 				soft_delete_token_object(secret_key, B_FALSE,
903 				    B_FALSE);
904 			else
905 				soft_delete_object(session_p, secret_key,
906 				    B_FALSE, B_FALSE);
907 			return (rv);
908 		}
909 
910 		break;
911 
912 	case CKM_SHA1_KEY_DERIVATION:
913 		hash_size = SHA1_HASH_SIZE;
914 		digest_mech.mechanism = CKM_SHA_1;
915 		goto common;
916 
917 	case CKM_MD5_KEY_DERIVATION:
918 		hash_size = MD5_HASH_SIZE;
919 		digest_mech.mechanism = CKM_MD5;
920 		goto common;
921 
922 	case CKM_SHA256_KEY_DERIVATION:
923 		hash_size = SHA256_DIGEST_LENGTH;
924 		digest_mech.mechanism = CKM_SHA256;
925 		goto common;
926 
927 	case CKM_SHA384_KEY_DERIVATION:
928 		hash_size = SHA384_DIGEST_LENGTH;
929 		digest_mech.mechanism = CKM_SHA384;
930 		goto common;
931 
932 	case CKM_SHA512_KEY_DERIVATION:
933 		hash_size = SHA512_DIGEST_LENGTH;
934 		digest_mech.mechanism = CKM_SHA512;
935 		goto common;
936 
937 common:
938 		/*
939 		 * Create a new object for secret key. The key type is optional
940 		 * to be provided in the template. If it is not specified in
941 		 * the template, the default is CKK_GENERIC_SECRET.
942 		 */
943 		rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
944 		    phKey, session_p, CKO_SECRET_KEY,
945 		    (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0,
946 		    SOFT_DERIVE_KEY_OTHER, B_FALSE);
947 
948 		if (rv != CKR_OK) {
949 			return (rv);
950 		}
951 
952 		/* Obtain the secret object pointer. */
953 		secret_key = (soft_object_t *)*phKey;
954 
955 		/* Validate the key type and key length */
956 		rv = soft_key_derive_check_length(secret_key, hash_size);
957 		if (rv != CKR_OK) {
958 			if (IS_TOKEN_OBJECT(secret_key))
959 				soft_delete_token_object(secret_key, B_FALSE,
960 				    B_FALSE);
961 			else
962 				soft_delete_object(session_p, secret_key,
963 				    B_FALSE, B_FALSE);
964 			return (rv);
965 		}
966 
967 		/*
968 		 * Derive the secret key by digesting the value of another
969 		 * secret key (base key) with SHA-1 or MD5.
970 		 */
971 		rv = soft_digest_init_internal(session_p, &digest_mech);
972 		if (rv != CKR_OK) {
973 			if (IS_TOKEN_OBJECT(secret_key))
974 				soft_delete_token_object(secret_key, B_FALSE,
975 				    B_FALSE);
976 			else
977 				soft_delete_object(session_p, secret_key,
978 				    B_FALSE, B_FALSE);
979 			return (rv);
980 		}
981 
982 		rv = soft_digest(session_p, OBJ_SEC_VALUE(basekey_p),
983 		    OBJ_SEC_VALUE_LEN(basekey_p), hash, &hash_len);
984 
985 		(void) pthread_mutex_lock(&session_p->session_mutex);
986 		/* soft_digest_common() has freed the digest context */
987 		session_p->digest.flags = 0;
988 		(void) pthread_mutex_unlock(&session_p->session_mutex);
989 
990 		if (rv != CKR_OK) {
991 			if (IS_TOKEN_OBJECT(secret_key))
992 				soft_delete_token_object(secret_key, B_FALSE,
993 				    B_FALSE);
994 			else
995 				soft_delete_object(session_p, secret_key,
996 				    B_FALSE, B_FALSE);
997 			return (rv);
998 		}
999 
1000 		secret_key_len = OBJ_SEC_VALUE_LEN(secret_key);
1001 
1002 		if ((OBJ_SEC_VALUE(secret_key) = malloc(secret_key_len)) ==
1003 		    NULL) {
1004 			if (IS_TOKEN_OBJECT(secret_key))
1005 				soft_delete_token_object(secret_key, B_FALSE,
1006 				    B_FALSE);
1007 			else
1008 				soft_delete_object(session_p, secret_key,
1009 				    B_FALSE, B_FALSE);
1010 			return (CKR_HOST_MEMORY);
1011 		}
1012 
1013 		/*
1014 		 * The key produced by this mechanism will be of the
1015 		 * specified type and length.
1016 		 * The truncation removes extra bytes from the leading
1017 		 * of the digested key value.
1018 		 */
1019 		(void) memcpy(OBJ_SEC_VALUE(secret_key),
1020 		    (hash + hash_len - secret_key_len),
1021 		    secret_key_len);
1022 
1023 		break;
1024 
1025 	/*
1026 	 * The key sensitivity and extractability rules for the generated
1027 	 * keys will be enforced inside soft_ssl_master_key_derive() and
1028 	 * soft_ssl_key_and_mac_derive()
1029 	 */
1030 	case CKM_SSL3_MASTER_KEY_DERIVE:
1031 	case CKM_SSL3_MASTER_KEY_DERIVE_DH:
1032 	case CKM_TLS_MASTER_KEY_DERIVE:
1033 	case CKM_TLS_MASTER_KEY_DERIVE_DH:
1034 		if (phKey == NULL_PTR)
1035 			return (CKR_ARGUMENTS_BAD);
1036 		return (soft_ssl_master_key_derive(session_p, pMechanism,
1037 		    basekey_p, pTemplate, ulAttributeCount, phKey));
1038 
1039 	case CKM_SSL3_KEY_AND_MAC_DERIVE:
1040 	case CKM_TLS_KEY_AND_MAC_DERIVE:
1041 		return (soft_ssl_key_and_mac_derive(session_p, pMechanism,
1042 		    basekey_p, pTemplate, ulAttributeCount));
1043 
1044 	case CKM_TLS_PRF:
1045 		if (pMechanism->pParameter == NULL ||
1046 		    pMechanism->ulParameterLen != sizeof (CK_TLS_PRF_PARAMS) ||
1047 		    phKey != NULL)
1048 			return (CKR_ARGUMENTS_BAD);
1049 
1050 		if (pTemplate != NULL)
1051 			return (CKR_TEMPLATE_INCONSISTENT);
1052 
1053 		return (derive_tls_prf(
1054 		    (CK_TLS_PRF_PARAMS_PTR)pMechanism->pParameter, basekey_p));
1055 
1056 	default:
1057 		return (CKR_MECHANISM_INVALID);
1058 	}
1059 
1060 	soft_derive_enforce_flags(basekey_p, secret_key);
1061 
1062 	if (IS_TOKEN_OBJECT(secret_key)) {
1063 		/*
1064 		 * All the info has been filled, so we can write to
1065 		 * keystore now.
1066 		 */
1067 		rv = soft_put_object_to_keystore(secret_key);
1068 		if (rv != CKR_OK)
1069 			soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
1070 	}
1071 
1072 	return (rv);
1073 }
1074 
1075 
1076 /*
1077  * Perform key derivation rules on key's sensitivity and extractability.
1078  */
1079 void
1080 soft_derive_enforce_flags(soft_object_t *basekey, soft_object_t *newkey)
1081 {
1082 
1083 	boolean_t new_sensitive = B_FALSE;
1084 	boolean_t new_extractable = B_FALSE;
1085 
1086 	/*
1087 	 * The sensitive and extractable bits have been set when
1088 	 * the newkey was built.
1089 	 */
1090 	if (newkey->bool_attr_mask & SENSITIVE_BOOL_ON) {
1091 		new_sensitive = B_TRUE;
1092 	}
1093 
1094 	if (newkey->bool_attr_mask & EXTRACTABLE_BOOL_ON) {
1095 		new_extractable = B_TRUE;
1096 	}
1097 
1098 	/* Derive the CKA_ALWAYS_SENSITIVE flag */
1099 	if (!basekey->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON) {
1100 		/*
1101 		 * If the base key has its CKA_ALWAYS_SENSITIVE set to
1102 		 * FALSE, then the derived key will as well.
1103 		 */
1104 		newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON;
1105 	} else {
1106 		/*
1107 		 * If the base key has its CKA_ALWAYS_SENSITIVE set to TRUE,
1108 		 * then the derived key has the CKA_ALWAYS_SENSITIVE set to
1109 		 * the same value as its CKA_SENSITIVE;
1110 		 */
1111 		if (new_sensitive) {
1112 			newkey->bool_attr_mask |= ALWAYS_SENSITIVE_BOOL_ON;
1113 		} else {
1114 			newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON;
1115 		}
1116 	}
1117 
1118 	/* Derive the CKA_NEVER_EXTRACTABLE flag */
1119 	if (!basekey->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) {
1120 		/*
1121 		 * If the base key has its CKA_NEVER_EXTRACTABLE set to
1122 		 * FALSE, then the derived key will as well.
1123 		 */
1124 		newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON;
1125 	} else {
1126 		/*
1127 		 * If the base key has its CKA_NEVER_EXTRACTABLE set to TRUE,
1128 		 * then the derived key has the CKA_NEVER_EXTRACTABLE set to
1129 		 * the opposite value from its CKA_EXTRACTABLE;
1130 		 */
1131 		if (new_extractable) {
1132 			newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON;
1133 		} else {
1134 			newkey->bool_attr_mask |= NEVER_EXTRACTABLE_BOOL_ON;
1135 		}
1136 	}
1137 
1138 	/* Set the CKA_LOCAL flag to false */
1139 	newkey->bool_attr_mask &= ~LOCAL_BOOL_ON;
1140 }
1141 
1142 
1143 /*
1144  * do_prf
1145  *
1146  * This routine implements Step 3. of the PBKDF2 function
1147  * defined in PKCS#5 for generating derived keys from a
1148  * password.
1149  *
1150  * Currently, PRF is always SHA_1_HMAC.
1151  */
1152 static CK_RV
1153 do_prf(soft_session_t *session_p,
1154 	CK_PKCS5_PBKD2_PARAMS_PTR params,
1155 	soft_object_t *hmac_key,
1156 	CK_BYTE *newsalt, CK_ULONG saltlen,
1157 	CK_BYTE *blockdata, CK_ULONG blocklen)
1158 {
1159 	CK_RV rv = CKR_OK;
1160 	CK_MECHANISM digest_mech = {CKM_SHA_1_HMAC, NULL, 0};
1161 	CK_BYTE buffer[2][SHA1_HASH_SIZE];
1162 	CK_ULONG hmac_outlen = SHA1_HASH_SIZE;
1163 	CK_ULONG inlen;
1164 	CK_BYTE *input, *output;
1165 	CK_ULONG i, j;
1166 
1167 	input = newsalt;
1168 	inlen = saltlen;
1169 
1170 	output = buffer[1];
1171 	(void) pthread_mutex_lock(&session_p->session_mutex);
1172 
1173 	if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) {
1174 		(void) pthread_mutex_unlock(&session_p->session_mutex);
1175 		return (CKR_OPERATION_ACTIVE);
1176 	}
1177 	session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE;
1178 	(void) pthread_mutex_unlock(&session_p->session_mutex);
1179 
1180 	for (i = 0; i < params->iterations; i++) {
1181 		/*
1182 		 * The key doesn't change, its always the
1183 		 * password iniitally given.
1184 		 */
1185 		rv = soft_sign_init(session_p, &digest_mech, hmac_key);
1186 
1187 		if (rv != CKR_OK) {
1188 			goto cleanup;
1189 		}
1190 
1191 		/* Call PRF function (SHA1_HMAC for now). */
1192 		rv = soft_sign(session_p, input, inlen, output, &hmac_outlen);
1193 
1194 		if (rv != CKR_OK) {
1195 			goto cleanup;
1196 		}
1197 		/*
1198 		 * The first time, initialize the output buffer
1199 		 * with the HMAC signature.
1200 		 */
1201 		if (i == 0) {
1202 			(void) memcpy(blockdata, output,
1203 			    local_min(blocklen, hmac_outlen));
1204 		} else {
1205 			/*
1206 			 * XOR the existing data with output from PRF.
1207 			 *
1208 			 * Only XOR up to the length of the blockdata,
1209 			 * it may be less than a full hmac buffer when
1210 			 * the final block is being computed.
1211 			 */
1212 			for (j = 0; j < hmac_outlen && j < blocklen; j++)
1213 				blockdata[j] ^= output[j];
1214 		}
1215 		/* Output from previous PRF is input for next round */
1216 		input = output;
1217 		inlen = hmac_outlen;
1218 
1219 		/*
1220 		 * Switch buffers to avoid overuse of memcpy.
1221 		 * Initially we used buffer[1], so after the end of
1222 		 * the first iteration (i==0), we switch to buffer[0]
1223 		 * and continue swapping with each iteration.
1224 		 */
1225 		output = buffer[i%2];
1226 	}
1227 cleanup:
1228 	(void) pthread_mutex_lock(&session_p->session_mutex);
1229 	session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE;
1230 	(void) pthread_mutex_unlock(&session_p->session_mutex);
1231 
1232 	return (rv);
1233 }
1234 
1235 static CK_RV
1236 soft_create_hmac_key(soft_session_t *session_p,  CK_BYTE *passwd,
1237 		CK_ULONG passwd_len, CK_OBJECT_HANDLE_PTR phKey)
1238 {
1239 	CK_RV rv = CKR_OK;
1240 	CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY;
1241 	CK_KEY_TYPE keytype = CKK_GENERIC_SECRET;
1242 	CK_BBOOL True = TRUE;
1243 	CK_ATTRIBUTE keytemplate[4];
1244 	/*
1245 	 * We must initialize each template member individually
1246 	 * because at the time of initial coding for ON10, the
1247 	 * compiler was using the "-xc99=%none" option
1248 	 * which prevents us from being able to declare the whole
1249 	 * template in place as usual.
1250 	 */
1251 	keytemplate[0].type = CKA_CLASS;
1252 	keytemplate[0].pValue = &keyclass;
1253 	keytemplate[0].ulValueLen =  sizeof (keyclass);
1254 
1255 	keytemplate[1].type = CKA_KEY_TYPE;
1256 	keytemplate[1].pValue = &keytype;
1257 	keytemplate[1].ulValueLen =  sizeof (keytype);
1258 
1259 	keytemplate[2].type = CKA_SIGN;
1260 	keytemplate[2].pValue = &True;
1261 	keytemplate[2].ulValueLen =  sizeof (True);
1262 
1263 	keytemplate[3].type = CKA_VALUE;
1264 	keytemplate[3].pValue = passwd;
1265 	keytemplate[3].ulValueLen = passwd_len;
1266 	/*
1267 	 * Create a generic key object to be used for HMAC operations.
1268 	 * The "value" for this key is the password from the
1269 	 * mechanism parameter structure.
1270 	 */
1271 	rv = soft_gen_keyobject(keytemplate,
1272 	    sizeof (keytemplate)/sizeof (CK_ATTRIBUTE), phKey, session_p,
1273 	    CKO_SECRET_KEY, (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0,
1274 	    SOFT_CREATE_OBJ, B_TRUE);
1275 
1276 	return (rv);
1277 }
1278 
1279 CK_RV
1280 soft_generate_pkcs5_pbkdf2_key(soft_session_t *session_p,
1281 		CK_MECHANISM_PTR pMechanism,
1282 		soft_object_t *secret_key)
1283 {
1284 	CK_RV rv = CKR_OK;
1285 	CK_PKCS5_PBKD2_PARAMS	*params =
1286 	    (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter;
1287 	CK_ULONG hLen = SHA1_HASH_SIZE;
1288 	CK_ULONG dkLen, i;
1289 	CK_ULONG blocks, remainder;
1290 	CK_OBJECT_HANDLE phKey = 0;
1291 	soft_object_t *hmac_key = NULL;
1292 	CK_BYTE *salt = NULL;
1293 	CK_BYTE *keydata = NULL;
1294 
1295 	params = (CK_PKCS5_PBKD2_PARAMS_PTR) pMechanism->pParameter;
1296 
1297 	if (params->prf != CKP_PKCS5_PBKD2_HMAC_SHA1)
1298 		return (CKR_MECHANISM_PARAM_INVALID);
1299 
1300 	if (params->pPrfData != NULL || params->ulPrfDataLen != 0)
1301 		return (CKR_DATA_INVALID);
1302 
1303 	if (params->saltSource != CKZ_SALT_SPECIFIED ||
1304 	    params->iterations == 0)
1305 		return (CKR_MECHANISM_PARAM_INVALID);
1306 
1307 	/*
1308 	 * Create a key object to use for HMAC operations.
1309 	 */
1310 	rv = soft_create_hmac_key(session_p, params->pPassword,
1311 	    *params->ulPasswordLen, &phKey);
1312 
1313 	if (rv != CKR_OK)
1314 		return (rv);
1315 
1316 	hmac_key = (soft_object_t *)phKey;
1317 
1318 	/* Step 1. */
1319 	dkLen = OBJ_SEC_VALUE_LEN(secret_key);  /* length of desired key */
1320 
1321 	if (dkLen > ((((u_longlong_t)1)<<32)-1)*hLen) {
1322 		(void) soft_delete_object(session_p, hmac_key, B_FALSE,
1323 		    B_FALSE);
1324 		return (CKR_KEY_SIZE_RANGE);
1325 	}
1326 
1327 	/* Step 2. */
1328 	blocks = dkLen / hLen;
1329 
1330 	/* crude "Ceiling" function to adjust the number of blocks to use */
1331 	if (blocks * hLen != dkLen)
1332 		blocks++;
1333 
1334 	remainder = dkLen - ((blocks - 1) * hLen);
1335 
1336 	/* Step 3 */
1337 	salt = (CK_BYTE *)malloc(params->ulSaltSourceDataLen + 4);
1338 	if (salt == NULL) {
1339 		(void) soft_delete_object(session_p, hmac_key, B_FALSE,
1340 		    B_FALSE);
1341 		return (CKR_HOST_MEMORY);
1342 	}
1343 	/*
1344 	 * Nothing in PKCS#5 says you cannot pass an empty
1345 	 * salt, so we will allow for this and not return error
1346 	 * if the salt is not specified.
1347 	 */
1348 	if (params->pSaltSourceData != NULL && params->ulSaltSourceDataLen > 0)
1349 		(void) memcpy(salt, params->pSaltSourceData,
1350 		    params->ulSaltSourceDataLen);
1351 
1352 	/*
1353 	 * Get pointer to the data section of the key,
1354 	 * this will be used below as output from the
1355 	 * PRF iteration/concatenations so that when the
1356 	 * blocks are all iterated, the secret_key will
1357 	 * have the resulting derived key value.
1358 	 */
1359 	keydata = (CK_BYTE *)OBJ_SEC_VALUE(secret_key);
1360 
1361 	/* Step 4. */
1362 	for (i = 0; i < blocks && (rv == CKR_OK); i++) {
1363 		CK_BYTE *s;
1364 
1365 		s = salt + params->ulSaltSourceDataLen;
1366 
1367 		/*
1368 		 * Append the block index to the salt as input
1369 		 * to the PRF.  Block index should start at 1
1370 		 * not 0.
1371 		 */
1372 		*s++ = ((i+1) >> 24) & 0xff;
1373 		*s++ = ((i+1) >> 16) & 0xff;
1374 		*s++ = ((i+1) >> 8) & 0xff;
1375 		*s   = ((i+1)) & 0xff;
1376 
1377 		/*
1378 		 * Adjust the key pointer so we always append the
1379 		 * PRF output to the current key.
1380 		 */
1381 		rv = do_prf(session_p, params, hmac_key,
1382 		    salt, params->ulSaltSourceDataLen + 4, keydata,
1383 		    ((i + 1) == blocks ? remainder : hLen));
1384 
1385 		keydata += hLen;
1386 	}
1387 	(void) soft_delete_object(session_p, hmac_key, B_FALSE, B_FALSE);
1388 	free(salt);
1389 
1390 	return (rv);
1391 }
1392 
1393 CK_RV
1394 soft_wrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
1395 		soft_object_t *wrappingKey_p, soft_object_t *hkey_p,
1396 		CK_BYTE_PTR pWrappedKey, CK_ULONG_PTR pulWrappedKeyLen)
1397 {
1398 	CK_RV		rv = CKR_OK;
1399 	CK_ULONG	plain_len = 0;
1400 	CK_BYTE_PTR	plain_data = NULL;
1401 	CK_ULONG	padded_len = 0;
1402 	CK_BYTE_PTR	padded_data = NULL;
1403 	CK_ULONG	wkey_blksz = 1;		/* so modulo will work right */
1404 
1405 	/* Check if the mechanism is supported. */
1406 	switch (pMechanism->mechanism) {
1407 	case CKM_DES_CBC_PAD:
1408 	case CKM_DES3_CBC_PAD:
1409 	case CKM_AES_CBC_PAD:
1410 		/*
1411 		 * Secret key mechs with padding can be used to wrap secret
1412 		 * keys and private keys only.  See PKCS#11, * sec 11.14,
1413 		 * C_WrapKey and secs 12.* for each mechanism's wrapping/
1414 		 * unwrapping constraints.
1415 		 */
1416 		if (hkey_p->class != CKO_SECRET_KEY && hkey_p->class !=
1417 		    CKO_PRIVATE_KEY)
1418 			return (CKR_MECHANISM_INVALID);
1419 		break;
1420 	case CKM_RSA_PKCS:
1421 	case CKM_RSA_X_509:
1422 	case CKM_DES_ECB:
1423 	case CKM_DES3_ECB:
1424 	case CKM_AES_ECB:
1425 	case CKM_DES_CBC:
1426 	case CKM_DES3_CBC:
1427 	case CKM_AES_CBC:
1428 	case CKM_AES_CTR:
1429 	case CKM_BLOWFISH_CBC:
1430 		/*
1431 		 * Unpadded secret key mechs and private key mechs are only
1432 		 * defined for wrapping secret keys.  See PKCS#11 refs above.
1433 		 */
1434 		if (hkey_p->class != CKO_SECRET_KEY)
1435 			return (CKR_MECHANISM_INVALID);
1436 		break;
1437 	default:
1438 		return (CKR_MECHANISM_INVALID);
1439 	}
1440 
1441 	if (hkey_p->class == CKO_SECRET_KEY) {
1442 		plain_data = OBJ_SEC_VALUE(hkey_p);
1443 		plain_len = OBJ_SEC_VALUE_LEN(hkey_p);
1444 	} else {
1445 		/*
1446 		 * BER-encode the object to be wrapped:  call first with
1447 		 * plain_data = NULL to get the size needed, allocate that
1448 		 * much space, call again to fill space with actual data.
1449 		 */
1450 		rv = soft_object_to_asn1(hkey_p, NULL, &plain_len);
1451 		if (rv != CKR_OK)
1452 			return (rv);
1453 		if ((plain_data = malloc(plain_len)) == NULL)
1454 			return (CKR_HOST_MEMORY);
1455 		(void) memset(plain_data, 0x0, plain_len);
1456 		rv = soft_object_to_asn1(hkey_p, plain_data, &plain_len);
1457 		if (rv != CKR_OK)
1458 			goto cleanup_wrap;
1459 	}
1460 
1461 	/*
1462 	 * For unpadded ECB and CBC mechanisms, the object needs to be
1463 	 * padded to the wrapping key's blocksize prior to the encryption.
1464 	 */
1465 	padded_len = plain_len;
1466 	padded_data = plain_data;
1467 
1468 	switch (pMechanism->mechanism) {
1469 	case CKM_DES_ECB:
1470 	case CKM_DES3_ECB:
1471 	case CKM_AES_ECB:
1472 	case CKM_DES_CBC:
1473 	case CKM_DES3_CBC:
1474 	case CKM_AES_CBC:
1475 	case CKM_BLOWFISH_CBC:
1476 		/* Find the block size of the wrapping key. */
1477 		if (wrappingKey_p->class == CKO_SECRET_KEY) {
1478 			switch (wrappingKey_p->key_type) {
1479 			case CKK_DES:
1480 			case CKK_DES2:
1481 			case CKK_DES3:
1482 				wkey_blksz = DES_BLOCK_LEN;
1483 				break;
1484 			case CKK_AES:
1485 				wkey_blksz = AES_BLOCK_LEN;
1486 				break;
1487 			case CKK_BLOWFISH:
1488 				wkey_blksz = BLOWFISH_BLOCK_LEN;
1489 				break;
1490 			default:
1491 				break;
1492 			}
1493 		} else {
1494 			rv = CKR_WRAPPING_KEY_TYPE_INCONSISTENT;
1495 			goto cleanup_wrap;
1496 		}
1497 
1498 		/* Extend the plain text data to block size boundary.  */
1499 		if ((padded_len % wkey_blksz) != 0) {
1500 			padded_len += (wkey_blksz - (plain_len % wkey_blksz));
1501 			if ((padded_data = malloc(padded_len)) == NULL) {
1502 				rv = CKR_HOST_MEMORY;
1503 				goto cleanup_wrap;
1504 			}
1505 			(void) memset(padded_data, 0x0, padded_len);
1506 			(void) memcpy(padded_data, plain_data, plain_len);
1507 		}
1508 		break;
1509 	default:
1510 		break;
1511 	}
1512 
1513 	rv = soft_encrypt_init(session_p, pMechanism, wrappingKey_p);
1514 	if (rv != CKR_OK)
1515 		goto cleanup_wrap;
1516 
1517 	rv = soft_encrypt(session_p, padded_data, padded_len,
1518 	    pWrappedKey, pulWrappedKeyLen);
1519 
1520 cleanup_wrap:
1521 	if (padded_data != NULL && padded_len != plain_len) {
1522 		/* Clear buffer before returning to memory pool. */
1523 		(void) memset(padded_data, 0x0, padded_len);
1524 		free(padded_data);
1525 	}
1526 
1527 	if ((hkey_p->class != CKO_SECRET_KEY) && (plain_data != NULL)) {
1528 		/* Clear buffer before returning to memory pool. */
1529 		(void) memset(plain_data, 0x0, plain_len);
1530 		free(plain_data);
1531 	}
1532 
1533 	return (rv);
1534 }
1535 
1536 /*
1537  * Quick check for whether unwrapped key length is appropriate for key type
1538  * and whether it needs to be truncated (in case the wrapping function had
1539  * to pad the key prior to wrapping).
1540  */
1541 static CK_RV
1542 soft_unwrap_secret_len_check(CK_KEY_TYPE keytype, CK_MECHANISM_TYPE mechtype,
1543 	CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount)
1544 {
1545 	CK_ULONG	i;
1546 	boolean_t	isValueLen = B_FALSE;
1547 
1548 	/*
1549 	 * Based on the key type and the mech used to unwrap, need to
1550 	 * determine if CKA_VALUE_LEN should or should not be specified.
1551 	 * PKCS#11 v2.11 restricts CKA_VALUE_LEN from being specified
1552 	 * for C_UnwrapKey for all mechs and key types, but v2.20 loosens
1553 	 * that restriction, perhaps because it makes it impossible to
1554 	 * determine the original length of unwrapped variable-length secret
1555 	 * keys, such as RC4, AES, and GENERIC_SECRET.  These variable-length
1556 	 * secret keys would have been padded with trailing null-bytes so
1557 	 * that they could be successfully wrapped with *_ECB and *_CBC
1558 	 * mechanisms.  Hence for unwrapping with these mechs, CKA_VALUE_LEN
1559 	 * must be specified.  For unwrapping with other mechs, such as
1560 	 * *_CBC_PAD, the CKA_VALUE_LEN is not needed.
1561 	 */
1562 
1563 	/* Find out if template has CKA_VALUE_LEN. */
1564 	for (i = 0; i < ulAttributeCount; i++) {
1565 		if (pTemplate[i].type == CKA_VALUE_LEN &&
1566 		    pTemplate[i].pValue != NULL) {
1567 			isValueLen = B_TRUE;
1568 			break;
1569 		}
1570 	}
1571 
1572 	/* Does its presence  conflict with the mech type and key type? */
1573 	switch (mechtype) {
1574 	case CKM_DES_ECB:
1575 	case CKM_DES3_ECB:
1576 	case CKM_AES_ECB:
1577 	case CKM_DES_CBC:
1578 	case CKM_DES3_CBC:
1579 	case CKM_AES_CBC:
1580 	case CKM_BLOWFISH_CBC:
1581 		/*
1582 		 * CKA_VALUE_LEN must be specified
1583 		 * if keytype is CKK_RC4, CKK_AES and CKK_GENERIC_SECRET
1584 		 * and must not be specified otherwise
1585 		 */
1586 		switch (keytype) {
1587 		case CKK_DES:
1588 		case CKK_DES2:
1589 		case CKK_DES3:
1590 			if (isValueLen)
1591 				return (CKR_TEMPLATE_INCONSISTENT);
1592 			break;
1593 		case CKK_GENERIC_SECRET:
1594 		case CKK_RC4:
1595 		case CKK_AES:
1596 		case CKK_BLOWFISH:
1597 			if (!isValueLen)
1598 				return (CKR_TEMPLATE_INCOMPLETE);
1599 			break;
1600 		default:
1601 			return (CKR_FUNCTION_NOT_SUPPORTED);
1602 		}
1603 		break;
1604 	default:
1605 		/* CKA_VALUE_LEN must not be specified */
1606 		if (isValueLen)
1607 			return (CKR_TEMPLATE_INCONSISTENT);
1608 		break;
1609 	}
1610 
1611 	return (CKR_OK);
1612 }
1613 
1614 CK_RV
1615 soft_unwrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
1616 		soft_object_t *unwrappingkey_p,
1617 		CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
1618 		CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
1619 		CK_OBJECT_HANDLE_PTR phKey)
1620 {
1621 	CK_RV			rv = CKR_OK;
1622 	CK_OBJECT_CLASS		new_obj_class = ~0UL;
1623 	int			i = 0;
1624 	soft_object_t		*new_objp = NULL;
1625 	boolean_t		persistent = B_FALSE;
1626 	CK_BYTE_PTR		plain_data = NULL;
1627 	CK_ULONG		plain_len = 0;
1628 	secret_key_obj_t	*sck = NULL;
1629 
1630 	/* Scan the attribute template for the object class. */
1631 	if (pTemplate != NULL && ulAttributeCount != 0) {
1632 		for (i = 0; i < ulAttributeCount; i++) {
1633 			if (pTemplate[i].type == CKA_CLASS) {
1634 				new_obj_class =
1635 				    *((CK_OBJECT_CLASS *)pTemplate[i].pValue);
1636 				break;
1637 			}
1638 		}
1639 		if (new_obj_class == ~0UL)
1640 			return (CKR_TEMPLATE_INCOMPLETE);
1641 	}
1642 
1643 	/*
1644 	 * Check if the mechanism is supported, and now that the new
1645 	 * object's class is known, the mechanism selected should be
1646 	 * capable of doing the unwrap.
1647 	 */
1648 	switch (pMechanism->mechanism) {
1649 	case CKM_RSA_PKCS:
1650 	case CKM_RSA_X_509:
1651 	case CKM_DES_ECB:
1652 	case CKM_DES3_ECB:
1653 	case CKM_AES_ECB:
1654 	case CKM_DES_CBC:
1655 	case CKM_DES3_CBC:
1656 	case CKM_AES_CBC:
1657 	case CKM_BLOWFISH_CBC:
1658 		if (new_obj_class != CKO_SECRET_KEY)
1659 			return (CKR_MECHANISM_INVALID);
1660 		break;
1661 	case CKM_DES_CBC_PAD:
1662 	case CKM_DES3_CBC_PAD:
1663 	case CKM_AES_CBC_PAD:
1664 		if (new_obj_class != CKO_SECRET_KEY && new_obj_class !=
1665 		    CKO_PRIVATE_KEY)
1666 			return (CKR_MECHANISM_INVALID);
1667 		break;
1668 	default:
1669 		return (CKR_MECHANISM_INVALID);
1670 	}
1671 
1672 	/* Create a new object based on the attribute template. */
1673 	rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
1674 	    (CK_ULONG *)&new_objp, session_p, (CK_OBJECT_CLASS)~0UL,
1675 	    (CK_KEY_TYPE)~0UL, 0, SOFT_UNWRAP_KEY, B_FALSE);
1676 	if (rv != CKR_OK)
1677 		return (rv);
1678 
1679 	/*
1680 	 * New key will have CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE
1681 	 * both set to FALSE.  CKA_EXTRACTABLE will be set _by_default_ to
1682 	 * true -- leaving the possibility that it may be set FALSE by the
1683 	 * supplied attribute template.  If the precise template cannot be
1684 	 * supported, unwrap fails.  PKCS#11 spec, Sec. 11.14, C_UnwrapKey.
1685 	 *
1686 	 * Therefore, check the new object's NEVER_EXTRACTABLE_BOOL_ON and
1687 	 * ALWAYS_SENSITVE_BOOL_ON; if they are TRUE, the template must
1688 	 * have supplied them and therefore we cannot honor the unwrap.
1689 	 */
1690 	if ((new_objp->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) ||
1691 	    (new_objp->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON)) {
1692 		rv = CKR_TEMPLATE_INCONSISTENT;
1693 		goto cleanup_unwrap;
1694 	}
1695 
1696 	rv = soft_decrypt_init(session_p, pMechanism, unwrappingkey_p);
1697 	if (rv != CKR_OK)
1698 		goto cleanup_unwrap;
1699 
1700 	/* First get the length of the plain data */
1701 	rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, NULL,
1702 	    &plain_len);
1703 	if (rv != CKR_OK)
1704 		goto cleanup_unwrap;
1705 
1706 	/* Allocate space for the unwrapped data */
1707 	if ((plain_data = malloc(plain_len)) == NULL) {
1708 		rv = CKR_HOST_MEMORY;
1709 		goto cleanup_unwrap;
1710 	}
1711 	(void) memset(plain_data, 0x0, plain_len);
1712 
1713 	/* Perform actual decryption into the allocated space. */
1714 	rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, plain_data,
1715 	    &plain_len);
1716 	if (rv != CKR_OK)
1717 		goto cleanup_unwrap;
1718 
1719 	if (new_objp->class == CKO_SECRET_KEY) {
1720 		/*
1721 		 * Since no ASN.1 encoding is done for secret keys, check for
1722 		 * appropriateness and copy decrypted buffer to the key object.
1723 		 */
1724 
1725 		/* Check keytype and mechtype don't conflict with valuelen */
1726 		rv = soft_unwrap_secret_len_check(new_objp->key_type,
1727 		    pMechanism->mechanism, pTemplate, ulAttributeCount);
1728 		if (rv != CKR_OK)
1729 			goto cleanup_unwrap;
1730 
1731 		/*
1732 		 * Allocate the secret key structure if not already there;
1733 		 * it will exist for variable length keys since CKA_VALUE_LEN
1734 		 * is specified and saved, but not for fixed length keys.
1735 		 */
1736 		if (OBJ_SEC(new_objp) == NULL) {
1737 			if ((sck = calloc(1, sizeof (secret_key_obj_t))) ==
1738 			    NULL) {
1739 				rv = CKR_HOST_MEMORY;
1740 				goto cleanup_unwrap;
1741 			}
1742 			OBJ_SEC(new_objp) = sck;
1743 		}
1744 
1745 		switch (new_objp->key_type) {
1746 		/* Fixed length secret keys don't have CKA_VALUE_LEN */
1747 		case CKK_DES:
1748 			OBJ_SEC_VALUE_LEN(new_objp) = DES_KEYSIZE;
1749 			break;
1750 		case CKK_DES2:
1751 			OBJ_SEC_VALUE_LEN(new_objp) = DES2_KEYSIZE;
1752 			break;
1753 		case CKK_DES3:
1754 			OBJ_SEC_VALUE_LEN(new_objp) = DES3_KEYSIZE;
1755 			break;
1756 
1757 		/*
1758 		 * Variable length secret keys.  CKA_VALUE_LEN must be
1759 		 * provided by the template when mech is *_ECB or *_CBC, and
1760 		 * should already have been set during soft_gen_keyobject().
1761 		 * Otherwise we don't need CKA_VALUE_LEN.
1762 		 */
1763 		case CKK_GENERIC_SECRET:
1764 		case CKK_RC4:
1765 		case CKK_AES:
1766 		case CKK_BLOWFISH:
1767 			break;
1768 		default:
1769 			rv = CKR_WRAPPED_KEY_INVALID;
1770 			goto cleanup_unwrap;
1771 		};
1772 
1773 		if (OBJ_SEC_VALUE_LEN(new_objp) == 0) {
1774 			/* No CKA_VALUE_LEN set so set it now and save data */
1775 			OBJ_SEC_VALUE_LEN(new_objp) = plain_len;
1776 			OBJ_SEC_VALUE(new_objp) = plain_data;
1777 		} else if (OBJ_SEC_VALUE_LEN(new_objp) == plain_len) {
1778 			/* No need to truncate, just save the data */
1779 			OBJ_SEC_VALUE(new_objp) = plain_data;
1780 		} else if (OBJ_SEC_VALUE_LEN(new_objp) > plain_len) {
1781 			/* Length can't be bigger than what was decrypted */
1782 			rv = CKR_WRAPPED_KEY_LEN_RANGE;
1783 			goto cleanup_unwrap;
1784 		} else {	/* betw 0 and plain_len, hence padded */
1785 			/* Truncate the data before saving. */
1786 			OBJ_SEC_VALUE(new_objp) = realloc(plain_data,
1787 			    OBJ_SEC_VALUE_LEN(new_objp));
1788 			if (OBJ_SEC_VALUE(new_objp) == NULL) {
1789 				rv = CKR_HOST_MEMORY;
1790 				goto cleanup_unwrap;
1791 			}
1792 		}
1793 	} else {
1794 		/* BER-decode the object to be unwrapped. */
1795 		rv = soft_asn1_to_object(new_objp, plain_data, plain_len);
1796 		if (rv != CKR_OK)
1797 			goto cleanup_unwrap;
1798 	}
1799 
1800 	/* If it needs to be persistent, write it to the keystore */
1801 	if (IS_TOKEN_OBJECT(new_objp)) {
1802 		persistent = B_TRUE;
1803 		rv = soft_put_object_to_keystore(new_objp);
1804 		if (rv != CKR_OK)
1805 			goto cleanup_unwrap;
1806 	}
1807 
1808 	if (new_objp->class != CKO_SECRET_KEY) {
1809 		/* Clear buffer before returning to memory pool. */
1810 		(void) memset(plain_data, 0x0, plain_len);
1811 		free(plain_data);
1812 	}
1813 
1814 	*phKey = (CK_OBJECT_HANDLE)new_objp;
1815 
1816 	return (CKR_OK);
1817 
1818 cleanup_unwrap:
1819 	/* The decrypted private key buffer must be freed explicitly. */
1820 	if ((new_objp->class != CKO_SECRET_KEY) && (plain_data != NULL)) {
1821 		/* Clear buffer before returning to memory pool. */
1822 		(void) memset(plain_data, 0x0, plain_len);
1823 		free(plain_data);
1824 	}
1825 
1826 	/* sck and new_objp are indirectly free()d inside these functions */
1827 	if (IS_TOKEN_OBJECT(new_objp))
1828 		soft_delete_token_object(new_objp, persistent, B_FALSE);
1829 	else
1830 		soft_delete_object(session_p, new_objp, B_FALSE, B_FALSE);
1831 
1832 	return (rv);
1833 }
1834