xref: /titanic_51/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeysUtil.c (revision c8e880c1386b032ac975c61826ba3bc0d8dce5ac)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <pthread.h>
29 #include <stdlib.h>
30 #include <string.h>
31 #include <strings.h>
32 #include <sys/types.h>
33 #include <security/cryptoki.h>
34 #include <aes_impl.h>
35 #include <blowfish_impl.h>
36 #include <des_impl.h>
37 #include <arcfour.h>
38 #include "softGlobal.h"
39 #include "softSession.h"
40 #include "softObject.h"
41 #include "softDSA.h"
42 #include "softRSA.h"
43 #include "softDH.h"
44 #include "softRandom.h"
45 #include "softMAC.h"
46 #include "softOps.h"
47 #include "softKeys.h"
48 #include "softKeystore.h"
49 #include "softSSL.h"
50 #include "softASN1.h"
51 
52 
53 #define	local_min(a, b)	((a) < (b) ? (a) : (b))
54 
55 static CK_RV
56 soft_pkcs12_pbe(soft_session_t *, CK_MECHANISM_PTR, soft_object_t *);
57 
58 /*
59  * Create a temporary key object struct by filling up its template attributes.
60  */
61 CK_RV
62 soft_gen_keyobject(CK_ATTRIBUTE_PTR pTemplate,  CK_ULONG ulCount,
63     CK_ULONG *objecthandle_p, soft_session_t *sp,
64     CK_OBJECT_CLASS class, CK_KEY_TYPE key_type, CK_ULONG keylen, CK_ULONG mode,
65     boolean_t internal)
66 {
67 
68 	CK_RV rv;
69 	soft_object_t *new_objp = NULL;
70 
71 	new_objp = calloc(1, sizeof (soft_object_t));
72 	if (new_objp == NULL) {
73 		return (CKR_HOST_MEMORY);
74 	}
75 
76 	new_objp->extra_attrlistp = NULL;
77 
78 	/*
79 	 * Validate attribute template and fill in the attributes
80 	 * in the soft_object_t.
81 	 */
82 	rv = soft_build_key(pTemplate, ulCount, new_objp, class, key_type,
83 	    keylen, mode);
84 	if (rv != CKR_OK) {
85 		goto fail_cleanup1;
86 	}
87 
88 	/*
89 	 * If generating a key is an internal request (i.e. not a C_XXX
90 	 * API request), then skip the following checks.
91 	 */
92 	if (!internal) {
93 		rv = soft_pin_expired_check(new_objp);
94 		if (rv != CKR_OK) {
95 			goto fail_cleanup2;
96 		}
97 
98 		rv = soft_object_write_access_check(sp, new_objp);
99 		if (rv != CKR_OK) {
100 			goto fail_cleanup2;
101 		}
102 	}
103 
104 	/* Initialize the rest of stuffs in soft_object_t. */
105 	(void) pthread_mutex_init(&new_objp->object_mutex, NULL);
106 	new_objp->magic_marker = SOFTTOKEN_OBJECT_MAGIC;
107 
108 	/* Write the new token object to the keystore */
109 	if (IS_TOKEN_OBJECT(new_objp)) {
110 		new_objp->version = 1;
111 		new_objp->session_handle = (CK_SESSION_HANDLE)NULL;
112 		soft_add_token_object_to_slot(new_objp);
113 		/*
114 		 * Type casting the address of an object struct to
115 		 * an object handle.
116 		 */
117 		*objecthandle_p = (CK_ULONG)new_objp;
118 
119 		return (CKR_OK);
120 	}
121 
122 	new_objp->session_handle = (CK_SESSION_HANDLE)sp;
123 
124 	/* Add the new object to the session's object list. */
125 	soft_add_object_to_session(new_objp, sp);
126 
127 	/* Type casting the address of an object struct to an object handle. */
128 	*objecthandle_p =  (CK_ULONG)new_objp;
129 
130 	return (CKR_OK);
131 
132 fail_cleanup2:
133 	/*
134 	 * When any error occurs after soft_build_key(), we will need to
135 	 * clean up the memory allocated by the soft_build_key().
136 	 */
137 	soft_cleanup_object(new_objp);
138 
139 fail_cleanup1:
140 	if (new_objp) {
141 		/*
142 		 * The storage allocated inside of this object should have
143 		 * been cleaned up by the soft_build_key() if it failed.
144 		 * Therefore, we can safely free the object.
145 		 */
146 		free(new_objp);
147 	}
148 
149 	return (rv);
150 }
151 
152 CK_RV
153 soft_genkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
154     CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey)
155 {
156 
157 	CK_RV rv = CKR_OK;
158 	soft_object_t *secret_key;
159 	CK_KEY_TYPE key_type;
160 	CK_ULONG keylen = 0;
161 	CK_ULONG i;
162 	int des_strength = 0;
163 	int retry = 0;
164 	int keyfound = 0;
165 	boolean_t is_ssl_mech = B_FALSE;
166 
167 	switch (pMechanism->mechanism) {
168 	case CKM_DES_KEY_GEN:
169 		key_type = CKK_DES;
170 		break;
171 
172 	case CKM_DES3_KEY_GEN:
173 		key_type = CKK_DES3;
174 		break;
175 
176 	case CKM_AES_KEY_GEN:
177 		key_type = CKK_AES;
178 		break;
179 
180 	case CKM_BLOWFISH_KEY_GEN:
181 		key_type = CKK_BLOWFISH;
182 		break;
183 
184 	case CKM_RC4_KEY_GEN:
185 		key_type = CKK_RC4;
186 		break;
187 
188 	case CKM_SSL3_PRE_MASTER_KEY_GEN:
189 	case CKM_TLS_PRE_MASTER_KEY_GEN:
190 		if (pMechanism->pParameter == NULL ||
191 		    pMechanism->ulParameterLen != sizeof (CK_VERSION))
192 			return (CKR_TEMPLATE_INCOMPLETE);
193 		is_ssl_mech = B_TRUE;
194 		key_type = CKK_GENERIC_SECRET;
195 		keylen = 48;
196 		break;
197 
198 	case CKM_PKCS5_PBKD2:
199 		keyfound = 0;
200 		for (i = 0; i < ulCount && !keyfound; i++) {
201 			if (pTemplate[i].type == CKA_KEY_TYPE &&
202 			    pTemplate[i].pValue != NULL) {
203 				key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue);
204 				keyfound = 1;
205 			}
206 		}
207 		if (!keyfound)
208 			return (CKR_TEMPLATE_INCOMPLETE);
209 		/*
210 		 * Make sure that parameters were given for this
211 		 * mechanism.
212 		 */
213 		if (pMechanism->pParameter == NULL ||
214 		    pMechanism->ulParameterLen !=
215 			sizeof (CK_PKCS5_PBKD2_PARAMS))
216 			return (CKR_TEMPLATE_INCOMPLETE);
217 		break;
218 
219 	case CKM_PBE_SHA1_RC4_128:
220 		keyfound = 0;
221 		for (i = 0; i < ulCount; i++) {
222 			if (pTemplate[i].type == CKA_KEY_TYPE &&
223 			    pTemplate[i].pValue != NULL) {
224 				key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue);
225 				keyfound = 1;
226 			}
227 			if (pTemplate[i].type == CKA_VALUE_LEN &&
228 			    pTemplate[i].pValue != NULL) {
229 				keylen = *((CK_ULONG*)pTemplate[i].pValue);
230 			}
231 		}
232 		/* If a keytype was specified, it had better be CKK_RC4 */
233 		if (keyfound && key_type != CKK_RC4)
234 			return (CKR_TEMPLATE_INCONSISTENT);
235 		else if (!keyfound)
236 			key_type = CKK_RC4;
237 
238 		/* If key length was specified, it better be 16 bytes */
239 		if (keylen != 0 && keylen != 16)
240 			return (CKR_TEMPLATE_INCONSISTENT);
241 
242 		/*
243 		 * Make sure that parameters were given for this
244 		 * mechanism.
245 		 */
246 		if (pMechanism->pParameter == NULL ||
247 		    pMechanism->ulParameterLen !=
248 			sizeof (CK_PBE_PARAMS))
249 			return (CKR_TEMPLATE_INCOMPLETE);
250 		break;
251 	default:
252 		return (CKR_MECHANISM_INVALID);
253 	}
254 
255 	/* Create a new object for secret key. */
256 	rv = soft_gen_keyobject(pTemplate, ulCount, phKey, session_p,
257 	    CKO_SECRET_KEY, key_type, keylen, SOFT_GEN_KEY, B_FALSE);
258 
259 	if (rv != CKR_OK) {
260 		return (rv);
261 	}
262 
263 	/* Obtain the secret object pointer. */
264 	secret_key = (soft_object_t *)*phKey;
265 
266 	switch (pMechanism->mechanism) {
267 	case CKM_DES_KEY_GEN:
268 		/*
269 		 * Set up key value len since it is not a required
270 		 * attribute for C_GenerateKey.
271 		 */
272 		keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
273 		des_strength = DES;
274 		break;
275 
276 	case CKM_DES3_KEY_GEN:
277 		/*
278 		 * Set up key value len since it is not a required
279 		 * attribute for C_GenerateKey.
280 		 */
281 		keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE;
282 		des_strength = DES3;
283 		break;
284 
285 	case CKM_SSL3_PRE_MASTER_KEY_GEN:
286 	case CKM_TLS_PRE_MASTER_KEY_GEN:
287 		secret_key->bool_attr_mask |= DERIVE_BOOL_ON;
288 	/* FALLTHRU */
289 
290 	case CKM_AES_KEY_GEN:
291 	case CKM_BLOWFISH_KEY_GEN:
292 	case CKM_PBE_SHA1_RC4_128:
293 	case CKM_RC4_KEY_GEN:
294 		keylen = OBJ_SEC_VALUE_LEN(secret_key);
295 		break;
296 
297 	case CKM_PKCS5_PBKD2:
298 		/*
299 		 * PKCS#11 does not allow one to specify key
300 		 * sizes for DES and 3DES, so we must set it here
301 		 * when using PBKD2 algorithms.
302 		 */
303 		if (key_type == CKK_DES) {
304 			OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
305 			des_strength = DES;
306 		} else if (key_type == CKK_DES3) {
307 			OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE;
308 			des_strength = DES3;
309 		}
310 
311 		keylen = OBJ_SEC_VALUE_LEN(secret_key);
312 		break;
313 	}
314 
315 	if ((OBJ_SEC_VALUE(secret_key) = malloc(keylen)) == NULL) {
316 		if (IS_TOKEN_OBJECT(secret_key))
317 			soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
318 		else
319 			soft_delete_object(session_p, secret_key, B_FALSE);
320 
321 		return (CKR_HOST_MEMORY);
322 	}
323 	switch (pMechanism->mechanism) {
324 	case CKM_PBE_SHA1_RC4_128:
325 		/*
326 		 * Use the PBE algorithm described in PKCS#11 section
327 		 * 12.33 to derive the key.
328 		 */
329 		rv = soft_pkcs12_pbe(session_p, pMechanism, secret_key);
330 		break;
331 	case CKM_PKCS5_PBKD2:
332 		/* Generate keys using PKCS#5 PBKD2 algorithm */
333 		rv = soft_generate_pkcs5_pbkdf2_key(session_p, pMechanism,
334 					secret_key);
335 		if (rv == CKR_OK && des_strength > 0) {
336 			/* Perform weak key checking for DES and DES3. */
337 			if (des_keycheck(OBJ_SEC_VALUE(secret_key),
338 			    des_strength, OBJ_SEC_VALUE(secret_key)) ==
339 			    B_FALSE) {
340 				/* We got a weak secret key. */
341 				rv = CKR_FUNCTION_FAILED;
342 			}
343 		}
344 		break;
345 	default:
346 		do {
347 			rv = soft_random_generator(
348 				OBJ_SEC_VALUE(secret_key), keylen, B_FALSE);
349 
350 			/* If this fails, bail out */
351 			if (rv != CKR_OK)
352 				break;
353 
354 			/* Perform weak key checking for DES and DES3. */
355 			if (des_strength > 0) {
356 				rv = CKR_OK;
357 				if (des_keycheck(OBJ_SEC_VALUE(secret_key),
358 				    des_strength, OBJ_SEC_VALUE(secret_key)) ==
359 				    B_FALSE) {
360 					/* We got a weak key, retry! */
361 					retry++;
362 					rv = CKR_FUNCTION_FAILED;
363 				}
364 			}
365 			/*
366 			 * Copy over the SSL client version For SSL mechs
367 			 * The first two bytes of the key is the version
368 			 */
369 			if (is_ssl_mech)
370 				bcopy(pMechanism->pParameter,
371 				    OBJ_SEC_VALUE(secret_key),
372 				    sizeof (CK_VERSION));
373 
374 		} while (rv != CKR_OK && retry < KEYGEN_RETRY);
375 		if (retry == KEYGEN_RETRY)
376 			rv = CKR_FUNCTION_FAILED;
377 		break;
378 	}
379 
380 	if (rv != CKR_OK)
381 		if (IS_TOKEN_OBJECT(secret_key))
382 			soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
383 		else
384 			soft_delete_object(session_p, secret_key, B_FALSE);
385 
386 	if (IS_TOKEN_OBJECT(secret_key)) {
387 		/*
388 		 * All the info has been filled, so we can write to
389 		 * keystore now.
390 		 */
391 		rv = soft_put_object_to_keystore(secret_key);
392 		if (rv != CKR_OK)
393 			soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
394 	}
395 
396 	return (rv);
397 }
398 
399 CK_RV
400 soft_genkey_pair(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
401     CK_ATTRIBUTE_PTR pPublicKeyTemplate, CK_ULONG ulPublicAttrCount,
402     CK_ATTRIBUTE_PTR pPrivateKeyTemplate, CK_ULONG ulPrivateAttrCount,
403     CK_OBJECT_HANDLE_PTR phPublicKey, CK_OBJECT_HANDLE_PTR phPrivateKey)
404 {
405 
406 	CK_RV rv;
407 	soft_object_t *public_key, *private_key;
408 	CK_KEY_TYPE key_type;
409 
410 	switch (pMechanism->mechanism) {
411 
412 	case CKM_RSA_PKCS_KEY_PAIR_GEN:
413 		key_type = CKK_RSA;
414 		break;
415 
416 	case CKM_DSA_KEY_PAIR_GEN:
417 		key_type = CKK_DSA;
418 		break;
419 
420 	case CKM_DH_PKCS_KEY_PAIR_GEN:
421 		key_type = CKK_DH;
422 		break;
423 
424 	case CKM_EC_KEY_PAIR_GEN:
425 		key_type = CKK_EC;
426 
427 	default:
428 		return (CKR_MECHANISM_INVALID);
429 	}
430 
431 	/* Create a new object for public key. */
432 	rv = soft_gen_keyobject(pPublicKeyTemplate, ulPublicAttrCount,
433 	    phPublicKey, session_p, CKO_PUBLIC_KEY, key_type, 0,
434 	    SOFT_GEN_KEY, B_FALSE);
435 
436 	if (rv != CKR_OK) {
437 		return (rv);
438 	}
439 
440 	/* Obtain the public object pointer. */
441 	public_key = (soft_object_t *)*phPublicKey;
442 
443 	/* Create a new object for private key. */
444 	rv = soft_gen_keyobject(pPrivateKeyTemplate, ulPrivateAttrCount,
445 	    phPrivateKey, session_p, CKO_PRIVATE_KEY, key_type, 0,
446 	    SOFT_GEN_KEY, B_FALSE);
447 
448 	if (rv != CKR_OK) {
449 		/*
450 		 * Both public key and private key must be successful.
451 		 */
452 		if (IS_TOKEN_OBJECT(public_key))
453 			soft_delete_token_object(public_key, B_FALSE, B_FALSE);
454 		else
455 			soft_delete_object(session_p, public_key, B_FALSE);
456 		return (rv);
457 	}
458 
459 	/* Obtain the private object pointer. */
460 	private_key = (soft_object_t *)*phPrivateKey;
461 
462 	/*
463 	 * At this point, both public key and private key objects
464 	 * are settled with the application specified attributes.
465 	 * We are ready to generate the rest of key attributes based
466 	 * on the existing attributes.
467 	 */
468 
469 	switch (key_type) {
470 	case CKK_RSA:
471 		rv = soft_rsa_genkey_pair(public_key, private_key);
472 		break;
473 
474 	case CKK_DSA:
475 		rv = soft_dsa_genkey_pair(public_key, private_key);
476 		break;
477 
478 	case CKK_DH:
479 		rv = soft_dh_genkey_pair(public_key, private_key);
480 		private_key->bool_attr_mask |= DERIVE_BOOL_ON;
481 		break;
482 	}
483 
484 	if (rv != CKR_OK) {
485 		if (IS_TOKEN_OBJECT(public_key)) {
486 			soft_delete_token_object(public_key, B_FALSE, B_FALSE);
487 			soft_delete_token_object(private_key, B_FALSE, B_FALSE);
488 		} else {
489 			soft_delete_object(session_p, public_key, B_FALSE);
490 			soft_delete_object(session_p, private_key, B_FALSE);
491 		}
492 	}
493 
494 	if (IS_TOKEN_OBJECT(public_key)) {
495 		/*
496 		 * All the info has been filled, so we can write to
497 		 * keystore now.
498 		 */
499 		rv = soft_put_object_to_keystore(public_key);
500 		if (rv != CKR_OK) {
501 			soft_delete_token_object(public_key, B_FALSE, B_FALSE);
502 			soft_delete_token_object(private_key, B_FALSE, B_FALSE);
503 		}
504 	}
505 
506 	if (IS_TOKEN_OBJECT(private_key)) {
507 		rv = soft_put_object_to_keystore(private_key);
508 		if (rv != CKR_OK) {
509 			/*
510 			 * We also need to delete the public token object
511 			 * from keystore.
512 			 */
513 			soft_delete_token_object(public_key, B_TRUE, B_FALSE);
514 			soft_delete_token_object(private_key, B_FALSE, B_FALSE);
515 		}
516 	}
517 
518 	return (rv);
519 }
520 
521 
522 CK_RV
523 soft_key_derive_check_length(soft_object_t *secret_key, CK_ULONG max_keylen)
524 {
525 
526 	switch (secret_key->key_type) {
527 	case CKK_GENERIC_SECRET:
528 		if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
529 			OBJ_SEC_VALUE_LEN(secret_key) = max_keylen;
530 			return (CKR_OK);
531 		} else if (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen) {
532 			return (CKR_ATTRIBUTE_VALUE_INVALID);
533 		}
534 		break;
535 	case CKK_RC4:
536 	case CKK_AES:
537 	case CKK_BLOWFISH:
538 		if ((OBJ_SEC_VALUE_LEN(secret_key) == 0) ||
539 			(OBJ_SEC_VALUE_LEN(secret_key) > max_keylen)) {
540 			/* RC4 and AES has variable key length */
541 			return (CKR_ATTRIBUTE_VALUE_INVALID);
542 		}
543 		break;
544 	case CKK_DES:
545 		if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
546 			/* DES has a well-defined length */
547 			OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
548 			return (CKR_OK);
549 		} else if (OBJ_SEC_VALUE_LEN(secret_key) != DES_KEYSIZE) {
550 			return (CKR_ATTRIBUTE_VALUE_INVALID);
551 		}
552 		break;
553 	case CKK_DES2:
554 		if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
555 			/* DES2 has a well-defined length */
556 			OBJ_SEC_VALUE_LEN(secret_key) = DES2_KEYSIZE;
557 			return (CKR_OK);
558 		} else if (OBJ_SEC_VALUE_LEN(secret_key) != DES2_KEYSIZE) {
559 			return (CKR_ATTRIBUTE_VALUE_INVALID);
560 		}
561 		break;
562 
563 	default:
564 		return (CKR_MECHANISM_INVALID);
565 	}
566 
567 	return (CKR_OK);
568 }
569 
570 /*
571  * PKCS#11 (12.33) says that v = 512 bits (64 bytes) for SHA1
572  * PBE methods.
573  */
574 #define	PKCS12_BUFFER_SIZE 64
575 /*
576  * PKCS#12 defines 3 different ID bytes to be used for
577  * deriving keys for different operations.
578  */
579 #define	PBE_ID_ENCRYPT	1
580 #define	PBE_ID_IV	2
581 #define	PBE_ID_MAC	3
582 #define	PBE_CEIL(a, b)	(((a)/(b)) + (((a)%(b)) > 0))
583 
584 static CK_RV
585 soft_pkcs12_pbe(soft_session_t *session_p,
586 		CK_MECHANISM_PTR pMechanism,
587 		soft_object_t *derived_key)
588 {
589 	CK_RV rv = CKR_OK;
590 	CK_PBE_PARAMS *params = pMechanism->pParameter;
591 	CK_ULONG c, i, j, k;
592 	CK_ULONG hashSize;
593 	CK_ULONG buffSize;
594 	/*
595 	 * Terse variable names are used to make following
596 	 * the PKCS#12 spec easier.
597 	 */
598 	CK_BYTE *A = NULL;
599 	CK_BYTE *Ai = NULL;
600 	CK_BYTE *B = NULL;
601 	CK_BYTE *D = NULL;
602 	CK_BYTE *I = NULL, *S, *P;
603 	CK_BYTE *keybuf = NULL;
604 	CK_ULONG Alen, Ilen, Slen, Plen, AiLen, Blen, Dlen;
605 	CK_ULONG keysize = OBJ_SEC_VALUE_LEN(derived_key);
606 	CK_MECHANISM digest_mech;
607 
608 	/* U = hash function output bits */
609 	if (pMechanism->mechanism == CKM_PBE_SHA1_RC4_128) {
610 		hashSize = SHA1_HASH_SIZE;
611 		buffSize = PKCS12_BUFFER_SIZE;
612 		digest_mech.mechanism = CKM_SHA_1;
613 		digest_mech.pParameter = NULL;
614 		digest_mech.ulParameterLen = 0;
615 	} else {
616 		/* we only support 1 PBE mech for now */
617 		return (CKR_MECHANISM_INVALID);
618 	}
619 	keybuf = OBJ_SEC_VALUE(derived_key);
620 
621 	Blen = Dlen = buffSize;
622 	D = (CK_BYTE *)malloc(Dlen);
623 	if (D == NULL) {
624 		rv = CKR_HOST_MEMORY;
625 		goto cleanup;
626 	}
627 
628 	B = (CK_BYTE *)malloc(Blen);
629 	if (B == NULL) {
630 		rv = CKR_HOST_MEMORY;
631 		goto cleanup;
632 	}
633 
634 	/*
635 	 * Initialize some values and create some buffers
636 	 * that we need later.
637 	 *
638 	 * Slen = buffSize * CEIL(SaltLength/buffSize)
639 	 */
640 	Slen = buffSize * PBE_CEIL(params->ulSaltLen, buffSize);
641 
642 	/*
643 	 * Plen = buffSize * CEIL(PasswordLength/buffSize)
644 	 */
645 	Plen = buffSize * PBE_CEIL(params->ulPasswordLen, buffSize);
646 
647 	/*
648 	 * From step 4: I = S + P, so: Ilen = Slen + Plen
649 	 */
650 	Ilen = Slen + Plen;
651 	I = (CK_BYTE *)malloc(Ilen);
652 	if (I == NULL) {
653 		rv = CKR_HOST_MEMORY;
654 		goto cleanup;
655 	}
656 
657 	S = I;
658 	P = I + Slen;
659 
660 	/*
661 	 * Step 1.
662 	 * We are only interested in deriving keys for encrypt/decrypt
663 	 * for now, so construct the "D"iversifier accordingly.
664 	 */
665 	(void) memset(D, PBE_ID_ENCRYPT, Dlen);
666 
667 	/*
668 	 * Step 2.
669 	 * Concatenate copies of the salt together to make S.
670 	 */
671 	for (i = 0; i < Slen; i += params->ulSaltLen) {
672 		(void) memcpy(S+i, params->pSalt,
673 			((Slen - i) > params->ulSaltLen ?
674 			params->ulSaltLen : (Slen - i)));
675 	}
676 
677 	/*
678 	 * Step 3.
679 	 * Concatenate copies of the password together to make
680 	 * a string P.
681 	 */
682 	for (i = 0; i < Plen; i += params->ulPasswordLen) {
683 		(void) memcpy(P+i, params->pPassword,
684 			((Plen - i) > params->ulPasswordLen ?
685 			params->ulPasswordLen : (Plen - i)));
686 	}
687 
688 	/*
689 	 * Step 4.
690 	 * I = S+P - this is now done because S and P are
691 	 * pointers into I.
692 	 *
693 	 * Step 5.
694 	 * c= CEIL[n/u]
695 	 * where n = pseudorandom bits of output desired.
696 	 */
697 	c = PBE_CEIL(keysize, hashSize);
698 
699 	/*
700 	 * Step 6.
701 	 */
702 	Alen = c * hashSize;
703 	A = (CK_BYTE *)malloc(Alen);
704 	if (A == NULL) {
705 		rv = CKR_HOST_MEMORY;
706 		goto cleanup;
707 	}
708 	AiLen = hashSize;
709 	Ai = (CK_BYTE *)malloc(AiLen);
710 	if (Ai == NULL) {
711 		rv = CKR_HOST_MEMORY;
712 		goto cleanup;
713 	}
714 
715 	/*
716 	 * Step 6a.
717 	 * Ai = Hr(D+I)
718 	 */
719 	for (i = 0; i < c; i++) {
720 		(void) pthread_mutex_lock(&session_p->session_mutex);
721 
722 		if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) {
723 			(void) pthread_mutex_unlock(&session_p->session_mutex);
724 			rv = CKR_OPERATION_ACTIVE;
725 			goto cleanup;
726 		}
727 		session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE;
728 		(void) pthread_mutex_unlock(&session_p->session_mutex);
729 
730 		for (j = 0; j < params->ulIteration; j++) {
731 			rv = soft_digest_init(session_p, &digest_mech);
732 			if (rv != CKR_OK)
733 				goto digest_done;
734 
735 			if (j == 0) {
736 				rv = soft_digest_update(session_p, D,
737 					Dlen);
738 				if (rv != CKR_OK)
739 					goto digest_done;
740 
741 				rv = soft_digest_update(session_p, I,
742 					Ilen);
743 			} else {
744 				rv = soft_digest_update(session_p,
745 					Ai, AiLen);
746 			}
747 			if (rv != CKR_OK)
748 				goto digest_done;
749 
750 			rv = soft_digest_final(session_p, Ai, &AiLen);
751 			if (rv != CKR_OK)
752 				goto digest_done;
753 		}
754 digest_done:
755 		(void) pthread_mutex_lock(&session_p->session_mutex);
756 		session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE;
757 		(void) pthread_mutex_unlock(&session_p->session_mutex);
758 
759 		if (rv != CKR_OK)
760 			goto cleanup;
761 		/*
762 		 * Step 6b.
763 		 * Concatenate Ai to make B
764 		 */
765 		for (j = 0; j < Blen; j += hashSize) {
766 			(void) memcpy(B+j, Ai, ((Blen - j > hashSize) ?
767 				hashSize : Blen - j));
768 		}
769 
770 		/*
771 		 * Step 6c.
772 		 */
773 		k = Ilen / Blen;
774 		for (j = 0; j < k; j++) {
775 			uchar_t idx;
776 			CK_ULONG m, q = 1, cbit = 0;
777 
778 			for (m = Blen - 1; m >= (CK_ULONG)0; m--, q = 0) {
779 				idx = m + j*Blen;
780 
781 				q += (CK_ULONG)I[idx] + (CK_ULONG)B[m];
782 				q += cbit;
783 				I[idx] = (CK_BYTE)(q & 0xff);
784 				cbit = (q > 0xff);
785 			}
786 		}
787 
788 		/*
789 		 * Step 7.
790 		 *  A += Ai
791 		 */
792 		(void) memcpy(A + i*hashSize, Ai, AiLen);
793 	}
794 
795 	/*
796 	 * Step 8.
797 	 * The final output of this process is the A buffer
798 	 */
799 	(void) memcpy(keybuf, A, keysize);
800 
801 cleanup:
802 	if (A) {
803 		bzero(A, Alen);
804 		free(A);
805 	}
806 	if (Ai) {
807 		bzero(Ai, AiLen);
808 		free(Ai);
809 	}
810 	if (B) {
811 		bzero(B, Blen);
812 		free(B);
813 	}
814 	if (D) {
815 		bzero(D, Dlen);
816 		free(D);
817 	}
818 	if (I) {
819 		bzero(I, Ilen);
820 		free(I);
821 	}
822 	return (rv);
823 }
824 
825 CK_RV
826 soft_derivekey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
827     soft_object_t *basekey_p, CK_ATTRIBUTE_PTR pTemplate,
828     CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey)
829 {
830 
831 	CK_RV rv = CKR_OK;
832 	soft_object_t *secret_key;
833 	CK_MECHANISM digest_mech;
834 	CK_BYTE hash[SHA512_DIGEST_LENGTH]; /* space enough for all mechs */
835 	CK_ULONG hash_len = SHA512_DIGEST_LENGTH;
836 	CK_ULONG secret_key_len;
837 	CK_ULONG hash_size;
838 
839 	switch (pMechanism->mechanism) {
840 	case CKM_DH_PKCS_DERIVE:
841 		/*
842 		 * Create a new object for secret key. The key type should
843 		 * be provided in the template.
844 		 */
845 		rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
846 		    phKey, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL, 0,
847 		    SOFT_DERIVE_KEY_DH, B_FALSE);
848 
849 		if (rv != CKR_OK) {
850 			return (rv);
851 		}
852 
853 		/* Obtain the secret object pointer. */
854 		secret_key = (soft_object_t *)*phKey;
855 
856 		rv = soft_dh_key_derive(basekey_p, secret_key,
857 		    (CK_BYTE *)pMechanism->pParameter,
858 		    pMechanism->ulParameterLen);
859 
860 		if (rv != CKR_OK) {
861 			if (IS_TOKEN_OBJECT(secret_key))
862 				soft_delete_token_object(secret_key, B_FALSE,
863 				    B_FALSE);
864 			else
865 				soft_delete_object(session_p, secret_key,
866 				    B_FALSE);
867 			return (rv);
868 		}
869 
870 		break;
871 
872 	case CKM_SHA1_KEY_DERIVATION:
873 		hash_size = SHA1_HASH_SIZE;
874 		digest_mech.mechanism = CKM_SHA_1;
875 		goto common;
876 
877 	case CKM_MD5_KEY_DERIVATION:
878 		hash_size = MD5_HASH_SIZE;
879 		digest_mech.mechanism = CKM_MD5;
880 		goto common;
881 
882 	case CKM_SHA256_KEY_DERIVATION:
883 		hash_size = SHA256_DIGEST_LENGTH;
884 		digest_mech.mechanism = CKM_SHA256;
885 		goto common;
886 
887 	case CKM_SHA384_KEY_DERIVATION:
888 		hash_size = SHA384_DIGEST_LENGTH;
889 		digest_mech.mechanism = CKM_SHA384;
890 		goto common;
891 
892 	case CKM_SHA512_KEY_DERIVATION:
893 		hash_size = SHA512_DIGEST_LENGTH;
894 		digest_mech.mechanism = CKM_SHA512;
895 		goto common;
896 
897 common:
898 		/*
899 		 * Create a new object for secret key. The key type is optional
900 		 * to be provided in the template. If it is not specified in
901 		 * the template, the default is CKK_GENERIC_SECRET.
902 		 */
903 		rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
904 		    phKey, session_p, CKO_SECRET_KEY,
905 		    (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0,
906 		    SOFT_DERIVE_KEY_OTHER, B_FALSE);
907 
908 		if (rv != CKR_OK) {
909 			return (rv);
910 		}
911 
912 		/* Obtain the secret object pointer. */
913 		secret_key = (soft_object_t *)*phKey;
914 
915 		/* Validate the key type and key length */
916 		rv = soft_key_derive_check_length(secret_key, hash_size);
917 		if (rv != CKR_OK) {
918 			if (IS_TOKEN_OBJECT(secret_key))
919 				soft_delete_token_object(secret_key, B_FALSE,
920 				    B_FALSE);
921 			else
922 				soft_delete_object(session_p, secret_key,
923 				    B_FALSE);
924 			return (rv);
925 		}
926 
927 		/*
928 		 * Derive the secret key by digesting the value of another
929 		 * secret key (base key) with SHA-1 or MD5.
930 		 */
931 		rv = soft_digest_init_internal(session_p, &digest_mech);
932 		if (rv != CKR_OK) {
933 			if (IS_TOKEN_OBJECT(secret_key))
934 				soft_delete_token_object(secret_key, B_FALSE,
935 				    B_FALSE);
936 			else
937 				soft_delete_object(session_p, secret_key,
938 				    B_FALSE);
939 			return (rv);
940 		}
941 
942 		rv = soft_digest(session_p, OBJ_SEC_VALUE(basekey_p),
943 			OBJ_SEC_VALUE_LEN(basekey_p), hash, &hash_len);
944 
945 		(void) pthread_mutex_lock(&session_p->session_mutex);
946 		/* soft_digest_common() has freed the digest context */
947 		session_p->digest.flags = 0;
948 		(void) pthread_mutex_unlock(&session_p->session_mutex);
949 
950 		if (rv != CKR_OK) {
951 			if (IS_TOKEN_OBJECT(secret_key))
952 				soft_delete_token_object(secret_key, B_FALSE,
953 				    B_FALSE);
954 			else
955 				soft_delete_object(session_p, secret_key,
956 				    B_FALSE);
957 			return (rv);
958 		}
959 
960 		secret_key_len = OBJ_SEC_VALUE_LEN(secret_key);
961 
962 		if ((OBJ_SEC_VALUE(secret_key) = malloc(secret_key_len)) ==
963 		    NULL) {
964 			if (IS_TOKEN_OBJECT(secret_key))
965 				soft_delete_token_object(secret_key, B_FALSE,
966 				    B_FALSE);
967 			else
968 				soft_delete_object(session_p, secret_key,
969 				    B_FALSE);
970 			return (CKR_HOST_MEMORY);
971 		}
972 
973 		/*
974 		 * The key produced by this mechanism will be of the
975 		 * specified type and length.
976 		 * The truncation removes extra bytes from the leading
977 		 * of the digested key value.
978 		 */
979 		(void) memcpy(OBJ_SEC_VALUE(secret_key),
980 		    (hash + hash_len - secret_key_len),
981 		    secret_key_len);
982 
983 		break;
984 
985 	/*
986 	 * The key sensitivity and extractability rules for the generated
987 	 * keys will be enforced inside soft_ssl_master_key_derive() and
988 	 * soft_ssl_key_and_mac_derive()
989 	 */
990 	case CKM_SSL3_MASTER_KEY_DERIVE:
991 	case CKM_SSL3_MASTER_KEY_DERIVE_DH:
992 	case CKM_TLS_MASTER_KEY_DERIVE:
993 	case CKM_TLS_MASTER_KEY_DERIVE_DH:
994 		if (phKey == NULL_PTR)
995 			return (CKR_ARGUMENTS_BAD);
996 		return (soft_ssl_master_key_derive(session_p, pMechanism,
997 		    basekey_p, pTemplate, ulAttributeCount, phKey));
998 
999 	case CKM_SSL3_KEY_AND_MAC_DERIVE:
1000 	case CKM_TLS_KEY_AND_MAC_DERIVE:
1001 		return (soft_ssl_key_and_mac_derive(session_p, pMechanism,
1002 		    basekey_p, pTemplate, ulAttributeCount));
1003 
1004 	case CKM_TLS_PRF:
1005 		if (pMechanism->pParameter == NULL ||
1006 		    pMechanism->ulParameterLen != sizeof (CK_TLS_PRF_PARAMS) ||
1007 		    phKey != NULL)
1008 			return (CKR_ARGUMENTS_BAD);
1009 
1010 		if (pTemplate != NULL)
1011 			return (CKR_TEMPLATE_INCONSISTENT);
1012 
1013 		return (derive_tls_prf(
1014 			(CK_TLS_PRF_PARAMS_PTR)pMechanism->pParameter,
1015 			basekey_p));
1016 
1017 	default:
1018 		return (CKR_MECHANISM_INVALID);
1019 	}
1020 
1021 	soft_derive_enforce_flags(basekey_p, secret_key);
1022 
1023 	if (IS_TOKEN_OBJECT(secret_key)) {
1024 		/*
1025 		 * All the info has been filled, so we can write to
1026 		 * keystore now.
1027 		 */
1028 		rv = soft_put_object_to_keystore(secret_key);
1029 		if (rv != CKR_OK)
1030 			soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
1031 	}
1032 
1033 	return (rv);
1034 }
1035 
1036 
1037 /*
1038  * Perform key derivation rules on key's sensitivity and extractability.
1039  */
1040 void
1041 soft_derive_enforce_flags(soft_object_t *basekey, soft_object_t *newkey)
1042 {
1043 
1044 	boolean_t new_sensitive = B_FALSE;
1045 	boolean_t new_extractable = B_FALSE;
1046 
1047 	/*
1048 	 * The sensitive and extractable bits have been set when
1049 	 * the newkey was built.
1050 	 */
1051 	if (newkey->bool_attr_mask & SENSITIVE_BOOL_ON) {
1052 		new_sensitive = B_TRUE;
1053 	}
1054 
1055 	if (newkey->bool_attr_mask & EXTRACTABLE_BOOL_ON) {
1056 		new_extractable = B_TRUE;
1057 	}
1058 
1059 	/* Derive the CKA_ALWAYS_SENSITIVE flag */
1060 	if (!basekey->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON) {
1061 		/*
1062 		 * If the base key has its CKA_ALWAYS_SENSITIVE set to
1063 		 * FALSE, then the derived key will as well.
1064 		 */
1065 		newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON;
1066 	} else {
1067 		/*
1068 		 * If the base key has its CKA_ALWAYS_SENSITIVE set to TRUE,
1069 		 * then the derived key has the CKA_ALWAYS_SENSITIVE set to
1070 		 * the same value as its CKA_SENSITIVE;
1071 		 */
1072 		if (new_sensitive) {
1073 			newkey->bool_attr_mask |= ALWAYS_SENSITIVE_BOOL_ON;
1074 		} else {
1075 			newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON;
1076 		}
1077 	}
1078 
1079 	/* Derive the CKA_NEVER_EXTRACTABLE flag */
1080 	if (!basekey->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) {
1081 		/*
1082 		 * If the base key has its CKA_NEVER_EXTRACTABLE set to
1083 		 * FALSE, then the derived key will as well.
1084 		 */
1085 		newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON;
1086 	} else {
1087 		/*
1088 		 * If the base key has its CKA_NEVER_EXTRACTABLE set to TRUE,
1089 		 * then the derived key has the CKA_NEVER_EXTRACTABLE set to
1090 		 * the opposite value from its CKA_EXTRACTABLE;
1091 		 */
1092 		if (new_extractable) {
1093 			newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON;
1094 		} else {
1095 			newkey->bool_attr_mask |= NEVER_EXTRACTABLE_BOOL_ON;
1096 		}
1097 	}
1098 
1099 	/* Set the CKA_LOCAL flag to false */
1100 	newkey->bool_attr_mask &= ~LOCAL_BOOL_ON;
1101 }
1102 
1103 
1104 /*
1105  * do_prf
1106  *
1107  * This routine implements Step 3. of the PBKDF2 function
1108  * defined in PKCS#5 for generating derived keys from a
1109  * password.
1110  *
1111  * Currently, PRF is always SHA_1_HMAC.
1112  */
1113 static CK_RV
1114 do_prf(soft_session_t *session_p,
1115 	CK_PKCS5_PBKD2_PARAMS_PTR params,
1116 	soft_object_t *hmac_key,
1117 	CK_BYTE *newsalt, CK_ULONG saltlen,
1118 	CK_BYTE *blockdata, CK_ULONG blocklen)
1119 {
1120 	CK_RV rv = CKR_OK;
1121 	CK_MECHANISM digest_mech = {CKM_SHA_1_HMAC, NULL, 0};
1122 	CK_BYTE buffer[2][SHA1_HASH_SIZE];
1123 	CK_ULONG hmac_outlen = SHA1_HASH_SIZE;
1124 	CK_ULONG inlen;
1125 	CK_BYTE *input, *output;
1126 	CK_ULONG i, j;
1127 
1128 	input = newsalt;
1129 	inlen = saltlen;
1130 
1131 	output = buffer[1];
1132 	(void) pthread_mutex_lock(&session_p->session_mutex);
1133 
1134 	if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) {
1135 		(void) pthread_mutex_unlock(&session_p->session_mutex);
1136 		return (CKR_OPERATION_ACTIVE);
1137 	}
1138 	session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE;
1139 	(void) pthread_mutex_unlock(&session_p->session_mutex);
1140 
1141 	for (i = 0; i < params->iterations; i++) {
1142 		/*
1143 		 * The key doesn't change, its always the
1144 		 * password iniitally given.
1145 		 */
1146 		rv = soft_sign_init(session_p, &digest_mech, hmac_key);
1147 
1148 		if (rv != CKR_OK) {
1149 			goto cleanup;
1150 		}
1151 
1152 		/* Call PRF function (SHA1_HMAC for now). */
1153 		rv = soft_sign(session_p, input, inlen,
1154 			output, &hmac_outlen);
1155 
1156 		if (rv != CKR_OK) {
1157 			goto cleanup;
1158 		}
1159 		/*
1160 		 * The first time, initialize the output buffer
1161 		 * with the HMAC signature.
1162 		 */
1163 		if (i == 0) {
1164 			(void) memcpy(blockdata, output,
1165 				local_min(blocklen, hmac_outlen));
1166 		} else {
1167 			/*
1168 			 * XOR the existing data with output from PRF.
1169 			 *
1170 			 * Only XOR up to the length of the blockdata,
1171 			 * it may be less than a full hmac buffer when
1172 			 * the final block is being computed.
1173 			 */
1174 			for (j = 0; j < hmac_outlen && j < blocklen; j++)
1175 				blockdata[j] ^= output[j];
1176 		}
1177 		/* Output from previous PRF is input for next round */
1178 		input = output;
1179 		inlen = hmac_outlen;
1180 
1181 		/*
1182 		 * Switch buffers to avoid overuse of memcpy.
1183 		 * Initially we used buffer[1], so after the end of
1184 		 * the first iteration (i==0), we switch to buffer[0]
1185 		 * and continue swapping with each iteration.
1186 		 */
1187 		output = buffer[i%2];
1188 	}
1189 cleanup:
1190 	(void) pthread_mutex_lock(&session_p->session_mutex);
1191 	session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE;
1192 	(void) pthread_mutex_unlock(&session_p->session_mutex);
1193 
1194 	return (rv);
1195 }
1196 
1197 static CK_RV
1198 soft_create_hmac_key(soft_session_t *session_p,  CK_BYTE *passwd,
1199 		CK_ULONG passwd_len, CK_OBJECT_HANDLE_PTR phKey)
1200 {
1201 	CK_RV rv = CKR_OK;
1202 	CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY;
1203 	CK_KEY_TYPE keytype = CKK_GENERIC_SECRET;
1204 	CK_BBOOL True = TRUE;
1205 	CK_ATTRIBUTE keytemplate[4];
1206 	/*
1207 	 * We must initialize each template member individually
1208 	 * because at the time of initial coding for ON10, the
1209 	 * compiler was using the "-xc99=%none" option
1210 	 * which prevents us from being able to declare the whole
1211 	 * template in place as usual.
1212 	 */
1213 	keytemplate[0].type = CKA_CLASS;
1214 	keytemplate[0].pValue = &keyclass;
1215 	keytemplate[0].ulValueLen =  sizeof (keyclass);
1216 
1217 	keytemplate[1].type = CKA_KEY_TYPE;
1218 	keytemplate[1].pValue = &keytype;
1219 	keytemplate[1].ulValueLen =  sizeof (keytype);
1220 
1221 	keytemplate[2].type = CKA_SIGN;
1222 	keytemplate[2].pValue = &True;
1223 	keytemplate[2].ulValueLen =  sizeof (True);
1224 
1225 	keytemplate[3].type = CKA_VALUE;
1226 	keytemplate[3].pValue = passwd;
1227 	keytemplate[3].ulValueLen = passwd_len;
1228 	/*
1229 	 * Create a generic key object to be used for HMAC operations.
1230 	 * The "value" for this key is the password from the
1231 	 * mechanism parameter structure.
1232 	 */
1233 	rv = soft_gen_keyobject(keytemplate,
1234 			sizeof (keytemplate)/sizeof (CK_ATTRIBUTE),
1235 			phKey, session_p, CKO_SECRET_KEY,
1236 			(CK_KEY_TYPE)CKK_GENERIC_SECRET, 0,
1237 			SOFT_CREATE_OBJ, B_TRUE);
1238 
1239 	return (rv);
1240 }
1241 
1242 CK_RV
1243 soft_generate_pkcs5_pbkdf2_key(soft_session_t *session_p,
1244 		CK_MECHANISM_PTR pMechanism,
1245 		soft_object_t *secret_key)
1246 {
1247 	CK_RV rv = CKR_OK;
1248 	CK_PKCS5_PBKD2_PARAMS	*params =
1249 		(CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter;
1250 	CK_ULONG hLen = SHA1_HASH_SIZE;
1251 	CK_ULONG dkLen, i;
1252 	CK_ULONG blocks, remainder;
1253 	CK_OBJECT_HANDLE phKey = 0;
1254 	soft_object_t *hmac_key = NULL;
1255 	CK_BYTE *salt = NULL;
1256 	CK_BYTE *keydata = NULL;
1257 
1258 	params = (CK_PKCS5_PBKD2_PARAMS_PTR) pMechanism->pParameter;
1259 
1260 	if (params->prf != CKP_PKCS5_PBKD2_HMAC_SHA1)
1261 		return (CKR_MECHANISM_PARAM_INVALID);
1262 
1263 	if (params->pPrfData != NULL || params->ulPrfDataLen != 0)
1264 		return (CKR_DATA_INVALID);
1265 
1266 	if (params->saltSource != CKZ_SALT_SPECIFIED ||
1267 	    params->iterations == 0)
1268 		return (CKR_MECHANISM_PARAM_INVALID);
1269 
1270 	/*
1271 	 * Create a key object to use for HMAC operations.
1272 	 */
1273 	rv = soft_create_hmac_key(session_p, params->pPassword,
1274 		*params->ulPasswordLen, &phKey);
1275 
1276 	if (rv != CKR_OK)
1277 		return (rv);
1278 
1279 	hmac_key = (soft_object_t *)phKey;
1280 
1281 	/* Step 1. */
1282 	dkLen = OBJ_SEC_VALUE_LEN(secret_key);  /* length of desired key */
1283 
1284 	if (dkLen > ((((u_longlong_t)1)<<32)-1)*hLen) {
1285 		(void) soft_delete_object(session_p, hmac_key, B_FALSE);
1286 		return (CKR_KEY_SIZE_RANGE);
1287 	}
1288 
1289 	/* Step 2. */
1290 	blocks = dkLen / hLen;
1291 
1292 	/* crude "Ceiling" function to adjust the number of blocks to use */
1293 	if (blocks * hLen != dkLen)
1294 		blocks++;
1295 
1296 	remainder = dkLen - ((blocks - 1) * hLen);
1297 
1298 	/* Step 3 */
1299 	salt = (CK_BYTE *)malloc(params->ulSaltSourceDataLen + 4);
1300 	if (salt == NULL) {
1301 		(void) soft_delete_object(session_p, hmac_key, B_FALSE);
1302 		return (CKR_HOST_MEMORY);
1303 	}
1304 	/*
1305 	 * Nothing in PKCS#5 says you cannot pass an empty
1306 	 * salt, so we will allow for this and not return error
1307 	 * if the salt is not specified.
1308 	 */
1309 	if (params->pSaltSourceData != NULL &&
1310 		params->ulSaltSourceDataLen > 0)
1311 		(void) memcpy(salt, params->pSaltSourceData,
1312 			params->ulSaltSourceDataLen);
1313 
1314 	/*
1315 	 * Get pointer to the data section of the key,
1316 	 * this will be used below as output from the
1317 	 * PRF iteration/concatenations so that when the
1318 	 * blocks are all iterated, the secret_key will
1319 	 * have the resulting derived key value.
1320 	 */
1321 	keydata = (CK_BYTE *)OBJ_SEC_VALUE(secret_key);
1322 
1323 	/* Step 4. */
1324 	for (i = 0; i < blocks && (rv == CKR_OK); i++) {
1325 		CK_BYTE *s;
1326 
1327 		s = salt + params->ulSaltSourceDataLen;
1328 
1329 		/*
1330 		 * Append the block index to the salt as input
1331 		 * to the PRF.  Block index should start at 1
1332 		 * not 0.
1333 		 */
1334 		*s++ = ((i+1) >> 24) & 0xff;
1335 		*s++ = ((i+1) >> 16) & 0xff;
1336 		*s++ = ((i+1) >> 8) & 0xff;
1337 		*s   = ((i+1)) & 0xff;
1338 
1339 		/*
1340 		 * Adjust the key pointer so we always append the
1341 		 * PRF output to the current key.
1342 		 */
1343 		rv = do_prf(session_p, params, hmac_key,
1344 			salt, params->ulSaltSourceDataLen + 4,
1345 			keydata,
1346 			((i + 1) == blocks ? remainder : hLen));
1347 
1348 		keydata += hLen;
1349 	}
1350 	(void) soft_delete_object(session_p, hmac_key, B_FALSE);
1351 	free(salt);
1352 
1353 	return (rv);
1354 }
1355 
1356 CK_RV
1357 soft_wrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
1358 		soft_object_t *wrappingKey_p, soft_object_t *hkey_p,
1359 		CK_BYTE_PTR pWrappedKey, CK_ULONG_PTR pulWrappedKeyLen)
1360 {
1361 	CK_RV		rv = CKR_OK;
1362 	CK_ULONG	plain_len = 0;
1363 	CK_BYTE_PTR	plain_data = NULL;
1364 	CK_ULONG	padded_len = 0;
1365 	CK_BYTE_PTR	padded_data = NULL;
1366 	CK_ULONG	wkey_blksz = 1;		/* so modulo will work right */
1367 
1368 	/* Check if the mechanism is supported. */
1369 	switch (pMechanism->mechanism) {
1370 	case CKM_DES_CBC_PAD:
1371 	case CKM_DES3_CBC_PAD:
1372 	case CKM_AES_CBC_PAD:
1373 		/*
1374 		 * Secret key mechs with padding can be used to wrap secret
1375 		 * keys and private keys only.  See PKCS#11, * sec 11.14,
1376 		 * C_WrapKey and secs 12.* for each mechanism's wrapping/
1377 		 * unwrapping constraints.
1378 		 */
1379 		if (hkey_p->class != CKO_SECRET_KEY && hkey_p->class !=
1380 		    CKO_PRIVATE_KEY)
1381 			return (CKR_MECHANISM_INVALID);
1382 		break;
1383 	case CKM_RSA_PKCS:
1384 	case CKM_RSA_X_509:
1385 	case CKM_DES_ECB:
1386 	case CKM_DES3_ECB:
1387 	case CKM_AES_ECB:
1388 	case CKM_DES_CBC:
1389 	case CKM_DES3_CBC:
1390 	case CKM_AES_CBC:
1391 	case CKM_BLOWFISH_CBC:
1392 		/*
1393 		 * Unpadded secret key mechs and private key mechs are only
1394 		 * defined for wrapping secret keys.  See PKCS#11 refs above.
1395 		 */
1396 		if (hkey_p->class != CKO_SECRET_KEY)
1397 			return (CKR_MECHANISM_INVALID);
1398 		break;
1399 	default:
1400 		return (CKR_MECHANISM_INVALID);
1401 	}
1402 
1403 	if (hkey_p->class == CKO_SECRET_KEY) {
1404 		plain_data = OBJ_SEC_VALUE(hkey_p);
1405 		plain_len = OBJ_SEC_VALUE_LEN(hkey_p);
1406 	} else {
1407 		/*
1408 		 * BER-encode the object to be wrapped:  call first with
1409 		 * plain_data = NULL to get the size needed, allocate that
1410 		 * much space, call again to fill space with actual data.
1411 		 */
1412 		rv = soft_object_to_asn1(hkey_p, NULL, &plain_len);
1413 		if (rv != CKR_OK)
1414 			return (rv);
1415 		if ((plain_data = malloc(plain_len)) == NULL)
1416 			return (CKR_HOST_MEMORY);
1417 		(void) memset(plain_data, 0x0, plain_len);
1418 		rv = soft_object_to_asn1(hkey_p, plain_data, &plain_len);
1419 		if (rv != CKR_OK)
1420 			goto cleanup_wrap;
1421 	}
1422 
1423 	/*
1424 	 * For unpadded ECB and CBC mechanisms, the object needs to be
1425 	 * padded to the wrapping key's blocksize prior to the encryption.
1426 	 */
1427 	padded_len = plain_len;
1428 	padded_data = plain_data;
1429 
1430 	switch (pMechanism->mechanism) {
1431 	case CKM_DES_ECB:
1432 	case CKM_DES3_ECB:
1433 	case CKM_AES_ECB:
1434 	case CKM_DES_CBC:
1435 	case CKM_DES3_CBC:
1436 	case CKM_AES_CBC:
1437 	case CKM_BLOWFISH_CBC:
1438 		/* Find the block size of the wrapping key. */
1439 		if (wrappingKey_p->class == CKO_SECRET_KEY) {
1440 			switch (wrappingKey_p->key_type) {
1441 			case CKK_DES:
1442 			case CKK_DES2:
1443 			case CKK_DES3:
1444 				wkey_blksz = DES_BLOCK_LEN;
1445 				break;
1446 			case CKK_AES:
1447 				wkey_blksz = AES_BLOCK_LEN;
1448 				break;
1449 			case CKK_BLOWFISH:
1450 				wkey_blksz = BLOWFISH_BLOCK_LEN;
1451 				break;
1452 			default:
1453 				break;
1454 			}
1455 		} else {
1456 			rv = CKR_WRAPPING_KEY_TYPE_INCONSISTENT;
1457 			goto cleanup_wrap;
1458 		}
1459 
1460 		/* Extend the plain text data to block size boundary.  */
1461 		if ((padded_len % wkey_blksz) != 0) {
1462 			padded_len += (wkey_blksz - (plain_len % wkey_blksz));
1463 			if ((padded_data = malloc(padded_len)) == NULL) {
1464 				rv = CKR_HOST_MEMORY;
1465 				goto cleanup_wrap;
1466 			}
1467 			(void) memset(padded_data, 0x0, padded_len);
1468 			(void) memcpy(padded_data, plain_data, plain_len);
1469 		}
1470 		break;
1471 	default:
1472 		break;
1473 	}
1474 
1475 	rv = soft_encrypt_init(session_p, pMechanism, wrappingKey_p);
1476 	if (rv != CKR_OK)
1477 		goto cleanup_wrap;
1478 
1479 	rv = soft_encrypt(session_p, padded_data, padded_len,
1480 	    pWrappedKey, pulWrappedKeyLen);
1481 
1482 cleanup_wrap:
1483 	if (padded_data != NULL && padded_len != plain_len) {
1484 		/* Clear buffer before returning to memory pool. */
1485 		(void) memset(padded_data, 0x0, padded_len);
1486 		free(padded_data);
1487 	}
1488 
1489 	if ((hkey_p->class != CKO_SECRET_KEY) && (plain_data != NULL)) {
1490 		/* Clear buffer before returning to memory pool. */
1491 		(void) memset(plain_data, 0x0, plain_len);
1492 		free(plain_data);
1493 	}
1494 
1495 	return (rv);
1496 }
1497 
1498 /*
1499  * Quick check for whether unwrapped key length is appropriate for key type
1500  * and whether it needs to be truncated (in case the wrapping function had
1501  * to pad the key prior to wrapping).
1502  */
1503 static CK_RV
1504 soft_unwrap_secret_len_check(CK_KEY_TYPE keytype, CK_MECHANISM_TYPE mechtype,
1505 	CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount)
1506 {
1507 	CK_ULONG	i;
1508 	boolean_t	isValueLen = B_FALSE;
1509 
1510 	/*
1511 	 * Based on the key type and the mech used to unwrap, need to
1512 	 * determine if CKA_VALUE_LEN should or should not be specified.
1513 	 * PKCS#11 v2.11 restricts CKA_VALUE_LEN from being specified
1514 	 * for C_UnwrapKey for all mechs and key types, but v2.20 loosens
1515 	 * that restriction, perhaps because it makes it impossible to
1516 	 * determine the original length of unwrapped variable-length secret
1517 	 * keys, such as RC4, AES, and GENERIC_SECRET.  These variable-length
1518 	 * secret keys would have been padded with trailing null-bytes so
1519 	 * that they could be successfully wrapped with *_ECB and *_CBC
1520 	 * mechanisms.  Hence for unwrapping with these mechs, CKA_VALUE_LEN
1521 	 * must be specified.  For unwrapping with other mechs, such as
1522 	 * *_CBC_PAD, the CKA_VALUE_LEN is not needed.
1523 	 */
1524 
1525 	/* Find out if template has CKA_VALUE_LEN. */
1526 	for (i = 0; i < ulAttributeCount; i++) {
1527 		if (pTemplate[i].type == CKA_VALUE_LEN &&
1528 		    pTemplate[i].pValue != NULL) {
1529 			isValueLen = B_TRUE;
1530 			break;
1531 		    }
1532 	}
1533 
1534 	/* Does its presence  conflict with the mech type and key type? */
1535 	switch (mechtype) {
1536 	case CKM_DES_ECB:
1537 	case CKM_DES3_ECB:
1538 	case CKM_AES_ECB:
1539 	case CKM_DES_CBC:
1540 	case CKM_DES3_CBC:
1541 	case CKM_AES_CBC:
1542 	case CKM_BLOWFISH_CBC:
1543 		/*
1544 		 * CKA_VALUE_LEN must be specified
1545 		 * if keytype is CKK_RC4, CKK_AES and CKK_GENERIC_SECRET
1546 		 * and must not be specified otherwise
1547 		 */
1548 		switch (keytype) {
1549 		case CKK_DES:
1550 		case CKK_DES2:
1551 		case CKK_DES3:
1552 			if (isValueLen)
1553 				return (CKR_TEMPLATE_INCONSISTENT);
1554 			break;
1555 		case CKK_GENERIC_SECRET:
1556 		case CKK_RC4:
1557 		case CKK_AES:
1558 		case CKK_BLOWFISH:
1559 			if (!isValueLen)
1560 				return (CKR_TEMPLATE_INCOMPLETE);
1561 			break;
1562 		default:
1563 			return (CKR_FUNCTION_NOT_SUPPORTED);
1564 		}
1565 		break;
1566 	default:
1567 		/* CKA_VALUE_LEN must not be specified */
1568 		if (isValueLen)
1569 			return (CKR_TEMPLATE_INCONSISTENT);
1570 		break;
1571 	}
1572 
1573 	return (CKR_OK);
1574 }
1575 
1576 CK_RV
1577 soft_unwrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
1578 		soft_object_t *unwrappingkey_p,
1579 		CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
1580 		CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
1581 		CK_OBJECT_HANDLE_PTR phKey)
1582 {
1583 	CK_RV			rv = CKR_OK;
1584 	CK_OBJECT_CLASS		new_obj_class = ~0UL;
1585 	int			i = 0;
1586 	soft_object_t		*new_objp = NULL;
1587 	boolean_t		persistent = B_FALSE;
1588 	CK_BYTE_PTR		plain_data = NULL;
1589 	CK_ULONG		plain_len = 0;
1590 	secret_key_obj_t	*sck = NULL;
1591 
1592 	/* Scan the attribute template for the object class. */
1593 	if (pTemplate != NULL && ulAttributeCount != 0) {
1594 		for (i = 0; i < ulAttributeCount; i++) {
1595 			if (pTemplate[i].type == CKA_CLASS) {
1596 				new_obj_class =
1597 				    *((CK_OBJECT_CLASS *)pTemplate[i].pValue);
1598 				break;
1599 			}
1600 		}
1601 		if (new_obj_class == ~0UL)
1602 			return (CKR_TEMPLATE_INCOMPLETE);
1603 	}
1604 
1605 	/*
1606 	 * Check if the mechanism is supported, and now that the new
1607 	 * object's class is known, the mechanism selected should be
1608 	 * capable of doing the unwrap.
1609 	 */
1610 	switch (pMechanism->mechanism) {
1611 	case CKM_RSA_PKCS:
1612 	case CKM_RSA_X_509:
1613 	case CKM_DES_ECB:
1614 	case CKM_DES3_ECB:
1615 	case CKM_AES_ECB:
1616 	case CKM_DES_CBC:
1617 	case CKM_DES3_CBC:
1618 	case CKM_AES_CBC:
1619 	case CKM_BLOWFISH_CBC:
1620 		if (new_obj_class != CKO_SECRET_KEY)
1621 			return (CKR_MECHANISM_INVALID);
1622 		break;
1623 	case CKM_DES_CBC_PAD:
1624 	case CKM_DES3_CBC_PAD:
1625 	case CKM_AES_CBC_PAD:
1626 		if (new_obj_class != CKO_SECRET_KEY && new_obj_class !=
1627 		    CKO_PRIVATE_KEY)
1628 			return (CKR_MECHANISM_INVALID);
1629 		break;
1630 	default:
1631 		return (CKR_MECHANISM_INVALID);
1632 	}
1633 
1634 	/* Create a new object based on the attribute template. */
1635 	rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
1636 	    (CK_ULONG *)&new_objp, session_p, (CK_OBJECT_CLASS)~0UL,
1637 	    (CK_KEY_TYPE)~0UL, 0, SOFT_UNWRAP_KEY, B_FALSE);
1638 	if (rv != CKR_OK)
1639 		return (rv);
1640 
1641 	/*
1642 	 * New key will have CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE
1643 	 * both set to FALSE.  CKA_EXTRACTABLE will be set _by_default_ to
1644 	 * true -- leaving the possibility that it may be set FALSE by the
1645 	 * supplied attribute template.  If the precise template cannot be
1646 	 * supported, unwrap fails.  PKCS#11 spec, Sec. 11.14, C_UnwrapKey.
1647 	 *
1648 	 * Therefore, check the new object's NEVER_EXTRACTABLE_BOOL_ON and
1649 	 * ALWAYS_SENSITVE_BOOL_ON; if they are TRUE, the template must
1650 	 * have supplied them and therefore we cannot honor the unwrap.
1651 	 */
1652 	if ((new_objp->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) ||
1653 	    (new_objp->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON)) {
1654 		rv = CKR_TEMPLATE_INCONSISTENT;
1655 		goto cleanup_unwrap;
1656 	}
1657 
1658 	rv = soft_decrypt_init(session_p, pMechanism, unwrappingkey_p);
1659 	if (rv != CKR_OK)
1660 		goto cleanup_unwrap;
1661 
1662 	/* First get the length of the plain data */
1663 	rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, NULL,
1664 	    &plain_len);
1665 	if (rv != CKR_OK)
1666 		goto cleanup_unwrap;
1667 
1668 	/* Allocate space for the unwrapped data */
1669 	if ((plain_data = malloc(plain_len)) == NULL) {
1670 		rv = CKR_HOST_MEMORY;
1671 		goto cleanup_unwrap;
1672 	}
1673 	(void) memset(plain_data, 0x0, plain_len);
1674 
1675 	/* Perform actual decryption into the allocated space. */
1676 	rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, plain_data,
1677 	    &plain_len);
1678 	if (rv != CKR_OK)
1679 		goto cleanup_unwrap;
1680 
1681 	if (new_objp->class == CKO_SECRET_KEY) {
1682 		/*
1683 		 * Since no ASN.1 encoding is done for secret keys, check for
1684 		 * appropriateness and copy decrypted buffer to the key object.
1685 		 */
1686 
1687 		/* Check keytype and mechtype don't conflict with valuelen */
1688 		rv = soft_unwrap_secret_len_check(new_objp->key_type,
1689 		    pMechanism->mechanism, pTemplate, ulAttributeCount);
1690 		if (rv != CKR_OK)
1691 			goto cleanup_unwrap;
1692 
1693 		/*
1694 		 * Allocate the secret key structure if not already there;
1695 		 * it will exist for variable length keys since CKA_VALUE_LEN
1696 		 * is specified and saved, but not for fixed length keys.
1697 		 */
1698 		if (OBJ_SEC(new_objp) == NULL) {
1699 			if ((sck = calloc(1, sizeof (secret_key_obj_t))) ==
1700 			    NULL) {
1701 				rv = CKR_HOST_MEMORY;
1702 				goto cleanup_unwrap;
1703 			}
1704 			OBJ_SEC(new_objp) = sck;
1705 		}
1706 
1707 		switch (new_objp->key_type) {
1708 		/* Fixed length secret keys don't have CKA_VALUE_LEN */
1709 		case CKK_DES:
1710 			OBJ_SEC_VALUE_LEN(new_objp) = DES_KEYSIZE;
1711 			break;
1712 		case CKK_DES2:
1713 			OBJ_SEC_VALUE_LEN(new_objp) = DES2_KEYSIZE;
1714 			break;
1715 		case CKK_DES3:
1716 			OBJ_SEC_VALUE_LEN(new_objp) = DES3_KEYSIZE;
1717 			break;
1718 
1719 		/*
1720 		 * Variable length secret keys.  CKA_VALUE_LEN must be
1721 		 * provided by the template when mech is *_ECB or *_CBC, and
1722 		 * should already have been set during soft_gen_keyobject().
1723 		 * Otherwise we don't need CKA_VALUE_LEN.
1724 		 */
1725 		case CKK_GENERIC_SECRET:
1726 		case CKK_RC4:
1727 		case CKK_AES:
1728 		case CKK_BLOWFISH:
1729 			break;
1730 		default:
1731 			rv = CKR_WRAPPED_KEY_INVALID;
1732 			goto cleanup_unwrap;
1733 		};
1734 
1735 		if (OBJ_SEC_VALUE_LEN(new_objp) == 0) {
1736 			/* No CKA_VALUE_LEN set so set it now and save data */
1737 			OBJ_SEC_VALUE_LEN(new_objp) = plain_len;
1738 			OBJ_SEC_VALUE(new_objp) = plain_data;
1739 		} else if (OBJ_SEC_VALUE_LEN(new_objp) == plain_len) {
1740 			/* No need to truncate, just save the data */
1741 			OBJ_SEC_VALUE(new_objp) = plain_data;
1742 		} else if (OBJ_SEC_VALUE_LEN(new_objp) > plain_len) {
1743 			/* Length can't be bigger than what was decrypted */
1744 			rv = CKR_WRAPPED_KEY_LEN_RANGE;
1745 			goto cleanup_unwrap;
1746 		} else {	/* betw 0 and plain_len, hence padded */
1747 			/* Truncate the data before saving. */
1748 			OBJ_SEC_VALUE(new_objp) = realloc(plain_data,
1749 			    OBJ_SEC_VALUE_LEN(new_objp));
1750 			if (OBJ_SEC_VALUE(new_objp) == NULL) {
1751 				rv = CKR_HOST_MEMORY;
1752 				goto cleanup_unwrap;
1753 			}
1754 		}
1755 	} else {
1756 		/* BER-decode the object to be unwrapped. */
1757 		rv = soft_asn1_to_object(new_objp, plain_data, plain_len);
1758 		if (rv != CKR_OK)
1759 			goto cleanup_unwrap;
1760 	}
1761 
1762 	/* If it needs to be persistent, write it to the keystore */
1763 	if (IS_TOKEN_OBJECT(new_objp)) {
1764 		persistent = B_TRUE;
1765 		rv = soft_put_object_to_keystore(new_objp);
1766 		if (rv != CKR_OK)
1767 			goto cleanup_unwrap;
1768 	}
1769 
1770 	if (new_objp->class != CKO_SECRET_KEY) {
1771 		/* Clear buffer before returning to memory pool. */
1772 		(void) memset(plain_data, 0x0, plain_len);
1773 		free(plain_data);
1774 	}
1775 
1776 	*phKey = (CK_OBJECT_HANDLE)new_objp;
1777 
1778 	return (CKR_OK);
1779 
1780 cleanup_unwrap:
1781 	/* The decrypted private key buffer must be freed explicitly. */
1782 	if ((new_objp->class != CKO_SECRET_KEY) && (plain_data != NULL)) {
1783 		/* Clear buffer before returning to memory pool. */
1784 		(void) memset(plain_data, 0x0, plain_len);
1785 		free(plain_data);
1786 	}
1787 
1788 	/* sck and new_objp are indirectly free()d inside these functions */
1789 	if (IS_TOKEN_OBJECT(new_objp))
1790 		soft_delete_token_object(new_objp, persistent, B_FALSE);
1791 	else
1792 		soft_delete_object(session_p, new_objp, B_FALSE);
1793 
1794 	return (rv);
1795 }
1796