1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright (c) 2018, Joyent, Inc.
25 */
26
27 #include <pthread.h>
28 #include <stdlib.h>
29 #include <string.h>
30 #include <strings.h>
31 #include <sys/types.h>
32 #include <security/cryptoki.h>
33 #include <modes/modes.h>
34 #include <des_impl.h>
35 #include "softSession.h"
36 #include "softObject.h"
37 #include "softCrypt.h"
38 #include "softOps.h"
39
40 /*
41 * Allocate context for the active encryption or decryption operation, and
42 * generate DES or DES3 key schedule to speed up the operation.
43 */
44 CK_RV
45 soft_des_crypt_init_common(soft_session_t *session_p,
46 CK_MECHANISM_PTR pMechanism, soft_object_t *key_p,
47 boolean_t encrypt)
48 {
49
50 size_t size;
51 soft_des_ctx_t *soft_des_ctx;
52
53 soft_des_ctx = calloc(1, sizeof (soft_des_ctx_t));
54 if (soft_des_ctx == NULL) {
55 return (CKR_HOST_MEMORY);
56 }
57
58 /* Allocate key schedule for DES or DES3 based on key type. */
59 if (key_p->key_type == CKK_DES)
60 soft_des_ctx->key_sched = des_alloc_keysched(&size, DES, 0);
61 else
62 soft_des_ctx->key_sched = des_alloc_keysched(&size, DES3, 0);
63
64 if (soft_des_ctx->key_sched == NULL) {
65 free(soft_des_ctx);
66 return (CKR_HOST_MEMORY);
67 }
68
69 soft_des_ctx->keysched_len = size;
70 soft_des_ctx->key_type = key_p->key_type;
71
72 (void) pthread_mutex_lock(&session_p->session_mutex);
73 if (encrypt) {
74 /* Called by C_EncryptInit. */
75 session_p->encrypt.context = soft_des_ctx;
76 session_p->encrypt.mech.mechanism = pMechanism->mechanism;
77 } else {
78 /* Called by C_DecryptInit. */
79 session_p->decrypt.context = soft_des_ctx;
80 session_p->decrypt.mech.mechanism = pMechanism->mechanism;
81 }
82 (void) pthread_mutex_unlock(&session_p->session_mutex);
83
84 /*
85 * If this is a non-sensitive key and it does NOT have
86 * a key schedule yet, then allocate one and expand it.
87 * Otherwise, if its a non-sensitive key, and it DOES have
88 * a key schedule already attached to it, just copy the
89 * pre-expanded schedule to the context and avoid the
90 * extra key schedule expansion operation.
91 */
92 if (!(key_p->bool_attr_mask & SENSITIVE_BOOL_ON)) {
93 if (OBJ_KEY_SCHED(key_p) == NULL) {
94 void *ks;
95 (void) pthread_mutex_lock(&key_p->object_mutex);
96 if (OBJ_KEY_SCHED(key_p) == NULL) {
97 if (key_p->key_type == CKK_DES)
98 ks = des_alloc_keysched(&size, DES, 0);
99 else
100 ks = des_alloc_keysched(&size, DES3, 0);
101 if (ks == NULL) {
102 (void) pthread_mutex_unlock(
103 &key_p->object_mutex);
104 free(soft_des_ctx);
105 return (CKR_HOST_MEMORY);
106 }
107 /* Initialize key schedule for DES or DES3. */
108 if (key_p->key_type == CKK_DES)
109 des_init_keysched(
110 OBJ_SEC(key_p)->sk_value, DES, ks);
111 else if (key_p->key_type == CKK_DES2)
112 /*
113 * DES3 encryption/decryption needs to
114 * support a DES2 key.
115 */
116 des_init_keysched(
117 OBJ_SEC(key_p)->sk_value, DES2, ks);
118 else
119 des_init_keysched(
120 OBJ_SEC(key_p)->sk_value, DES3, ks);
121
122 OBJ_KEY_SCHED_LEN(key_p) = size;
123 OBJ_KEY_SCHED(key_p) = ks;
124 }
125 (void) pthread_mutex_unlock(&key_p->object_mutex);
126 }
127
128 /* Copy the pre-expanded key schedule from the key object */
129 (void) memcpy(soft_des_ctx->key_sched, OBJ_KEY_SCHED(key_p),
130 OBJ_KEY_SCHED_LEN(key_p));
131 soft_des_ctx->keysched_len = OBJ_KEY_SCHED_LEN(key_p);
132 } else {
133 /* for sensitive keys, we cannot cache the key schedule */
134 if (key_p->key_type == CKK_DES)
135 des_init_keysched(OBJ_SEC(key_p)->sk_value,
136 DES, soft_des_ctx->key_sched);
137 else if (key_p->key_type == CKK_DES2)
138 /*
139 * DES3 encryption/decryption needs to
140 * support a DES2 key.
141 */
142 des_init_keysched(OBJ_SEC(key_p)->sk_value,
143 DES2, soft_des_ctx->key_sched);
144 else
145 des_init_keysched(OBJ_SEC(key_p)->sk_value,
146 DES3, soft_des_ctx->key_sched);
147 }
148
149 return (CKR_OK);
150 }
151
152
153 /*
154 * soft_des_encrypt_common()
155 *
156 * Arguments:
157 * session_p: pointer to soft_session_t struct
158 * pData: pointer to the input data to be encrypted
159 * ulDataLen: length of the input data
160 * pEncrypted: pointer to the output data after encryption
161 * pulEncryptedLen: pointer to the length of the output data
162 * update: boolean flag indicates caller is soft_encrypt
163 * or soft_encrypt_update
164 *
165 * Description:
166 * This function calls the corresponding encrypt routine based
167 * on the mechanism.
168 *
169 * Returns:
170 * CKR_OK: success
171 * CKR_BUFFER_TOO_SMALL: the output buffer provided by application
172 * is too small
173 * CKR_FUNCTION_FAILED: encrypt function failed
174 * CKR_DATA_LEN_RANGE: the input data is not a multiple of blocksize
175 */
176 CK_RV
177 soft_des_encrypt_common(soft_session_t *session_p, CK_BYTE_PTR pData,
178 CK_ULONG ulDataLen, CK_BYTE_PTR pEncrypted,
179 CK_ULONG_PTR pulEncryptedLen, boolean_t update)
180 {
181 int rc = 0;
182 CK_RV rv = CKR_OK;
183 soft_des_ctx_t *soft_des_ctx =
184 (soft_des_ctx_t *)session_p->encrypt.context;
185 des_ctx_t *des_ctx;
186 CK_MECHANISM_TYPE mechanism = session_p->encrypt.mech.mechanism;
187 CK_BYTE *in_buf = NULL;
188 CK_BYTE *out_buf = NULL;
189 CK_ULONG out_len;
190 CK_ULONG total_len;
191 CK_ULONG remain;
192 boolean_t pad_mechanism = B_FALSE;
193
194 pad_mechanism = (mechanism == CKM_DES_CBC_PAD ||
195 mechanism == CKM_DES3_CBC_PAD);
196 /*
197 * DES only takes input length that is a multiple of blocksize
198 * for C_Encrypt function with the mechanism CKM_DES<n>_ECB or
199 * CKM_DES<n>_CBC.
200 *
201 * DES allows any input length for C_Encrypt function with the
202 * mechanism CKM_DES<n>_CBC_PAD and for C_EncryptUpdate function.
203 */
204 if (!update && !pad_mechanism) {
205 if ((ulDataLen % DES_BLOCK_LEN) != 0) {
206 rv = CKR_DATA_LEN_RANGE;
207 goto cleanup;
208 }
209 }
210
211 if (!update) {
212 /*
213 * Called by C_Encrypt
214 */
215 if (pad_mechanism) {
216 /*
217 * For CKM_DES<n>_CBC_PAD, compute output length to
218 * count for the padding. If the length of input
219 * data is a multiple of blocksize, then make output
220 * length to be the sum of the input length and
221 * one blocksize. Otherwise, output length will
222 * be rounded up to the next multiple of blocksize.
223 */
224 out_len = DES_BLOCK_LEN *
225 (ulDataLen / DES_BLOCK_LEN + 1);
226 } else {
227 /*
228 * For non-padding mode, the output length will
229 * be same as the input length.
230 */
231 out_len = ulDataLen;
232 }
233
234 /*
235 * If application asks for the length of the output buffer
236 * to hold the ciphertext?
237 */
238 if (pEncrypted == NULL) {
239 *pulEncryptedLen = out_len;
240 return (CKR_OK);
241 }
242
243 /* Is the application-supplied buffer large enough? */
244 if (*pulEncryptedLen < out_len) {
245 *pulEncryptedLen = out_len;
246 return (CKR_BUFFER_TOO_SMALL);
247 }
248
249 /* Encrypt pad bytes in a separate operation */
250 if (pad_mechanism) {
251 out_len -= DES_BLOCK_LEN;
252 }
253
254 in_buf = pData;
255 out_buf = pEncrypted;
256 } else {
257 /*
258 * Called by C_EncryptUpdate
259 *
260 * Add the lengths of last remaining data and current
261 * plaintext together to get the total input length.
262 */
263 total_len = soft_des_ctx->remain_len + ulDataLen;
264
265 /*
266 * If the total input length is less than one blocksize,
267 * or if the total input length is just one blocksize and
268 * the mechanism is CKM_DES<n>_CBC_PAD, we will need to delay
269 * encryption until when more data comes in next
270 * C_EncryptUpdate or when C_EncryptFinal is called.
271 */
272 if ((total_len < DES_BLOCK_LEN) ||
273 (pad_mechanism && (total_len == DES_BLOCK_LEN))) {
274 if (pData != NULL) {
275 /*
276 * Save input data and its length in
277 * the remaining buffer of DES context.
278 */
279 (void) memcpy(soft_des_ctx->data +
280 soft_des_ctx->remain_len, pData, ulDataLen);
281 soft_des_ctx->remain_len += ulDataLen;
282 }
283
284 /* Set encrypted data length to 0. */
285 *pulEncryptedLen = 0;
286 return (CKR_OK);
287 }
288
289 /* Compute the length of remaing data. */
290 remain = total_len % DES_BLOCK_LEN;
291
292 /*
293 * Make sure that the output length is a multiple of
294 * blocksize.
295 */
296 out_len = total_len - remain;
297
298 /*
299 * If application asks for the length of the output buffer
300 * to hold the ciphertext?
301 */
302 if (pEncrypted == NULL) {
303 *pulEncryptedLen = out_len;
304 return (CKR_OK);
305 }
306
307 /* Is the application-supplied buffer large enough? */
308 if (*pulEncryptedLen < out_len) {
309 *pulEncryptedLen = out_len;
310 return (CKR_BUFFER_TOO_SMALL);
311 }
312
313 if (soft_des_ctx->remain_len != 0) {
314 /*
315 * Copy last remaining data and current input data
316 * to the output buffer.
317 */
318 (void) memmove(pEncrypted + soft_des_ctx->remain_len,
319 pData, out_len - soft_des_ctx->remain_len);
320 (void) memcpy(pEncrypted, soft_des_ctx->data,
321 soft_des_ctx->remain_len);
322 bzero(soft_des_ctx->data, soft_des_ctx->remain_len);
323
324 in_buf = pEncrypted;
325 } else {
326 in_buf = pData;
327 }
328 out_buf = pEncrypted;
329 }
330
331 /*
332 * Begin Encryption now.
333 */
334 switch (mechanism) {
335
336 case CKM_DES_ECB:
337 case CKM_DES3_ECB:
338 {
339
340 ulong_t i;
341 uint8_t *tmp_inbuf;
342 uint8_t *tmp_outbuf;
343
344 for (i = 0; i < out_len; i += DES_BLOCK_LEN) {
345 tmp_inbuf = &in_buf[i];
346 tmp_outbuf = &out_buf[i];
347 /* Crunch one block of data for DES. */
348 if (soft_des_ctx->key_type == CKK_DES)
349 (void) des_crunch_block(
350 soft_des_ctx->key_sched,
351 tmp_inbuf, tmp_outbuf, B_FALSE);
352 else
353 (void) des3_crunch_block(
354 soft_des_ctx->key_sched,
355 tmp_inbuf, tmp_outbuf, B_FALSE);
356 }
357
358 if (update) {
359 /*
360 * For encrypt update, if there is remaining
361 * data, save it and its length in the context.
362 */
363 if (remain != 0)
364 (void) memcpy(soft_des_ctx->data, pData +
365 (ulDataLen - remain), remain);
366 soft_des_ctx->remain_len = remain;
367 }
368
369 *pulEncryptedLen = out_len;
370 break;
371 }
372
373 case CKM_DES_CBC:
374 case CKM_DES_CBC_PAD:
375 case CKM_DES3_CBC:
376 case CKM_DES3_CBC_PAD:
377 {
378 crypto_data_t out;
379
380 out.cd_format = CRYPTO_DATA_RAW;
381 out.cd_offset = 0;
382 out.cd_length = out_len;
383 out.cd_raw.iov_base = (char *)out_buf;
384 out.cd_raw.iov_len = out_len;
385
386 /* Encrypt multiple blocks of data. */
387 rc = des_encrypt_contiguous_blocks(
388 (des_ctx_t *)soft_des_ctx->des_cbc,
389 (char *)in_buf, out_len, &out);
390
391 if (rc != 0)
392 goto encrypt_failed;
393
394 if (update) {
395 /*
396 * For encrypt update, if there is remaining data,
397 * save it and its length in the context.
398 */
399 if (remain != 0)
400 (void) memcpy(soft_des_ctx->data, pData +
401 (ulDataLen - remain), remain);
402 soft_des_ctx->remain_len = remain;
403 } else if (pad_mechanism) {
404 /*
405 * Save the remainder of the input
406 * block in a temporary block because
407 * we don't want to overrun the input buffer
408 * by tacking on pad bytes.
409 */
410 CK_BYTE tmpblock[DES_BLOCK_LEN];
411 (void) memcpy(tmpblock, in_buf + out_len,
412 ulDataLen - out_len);
413 soft_add_pkcs7_padding(tmpblock +
414 (ulDataLen - out_len),
415 DES_BLOCK_LEN, ulDataLen - out_len);
416
417 out.cd_offset = out_len;
418 out.cd_length = DES_BLOCK_LEN;
419 out.cd_raw.iov_base = (char *)out_buf;
420 out.cd_raw.iov_len = out_len + DES_BLOCK_LEN;
421
422 /* Encrypt last block containing pad bytes. */
423 rc = des_encrypt_contiguous_blocks(
424 (des_ctx_t *)soft_des_ctx->des_cbc,
425 (char *)tmpblock, DES_BLOCK_LEN, &out);
426 out_len += DES_BLOCK_LEN;
427 }
428
429 if (rc == 0) {
430 *pulEncryptedLen = out_len;
431 break;
432 }
433 encrypt_failed:
434 *pulEncryptedLen = 0;
435 rv = CKR_FUNCTION_FAILED;
436 goto cleanup;
437
438 }
439 } /* end switch */
440
441 if (update)
442 return (CKR_OK);
443
444 /*
445 * The following code will be executed if the caller is
446 * soft_encrypt() or an error occurred. The encryption
447 * operation will be terminated so we need to do some cleanup.
448 */
449 cleanup:
450 (void) pthread_mutex_lock(&session_p->session_mutex);
451 des_ctx = (des_ctx_t *)soft_des_ctx->des_cbc;
452 free(des_ctx);
453 freezero(soft_des_ctx->key_sched, soft_des_ctx->keysched_len);
454 freezero(session_p->encrypt.context, sizeof (soft_des_ctx_t));
455 session_p->encrypt.context = NULL;
456 (void) pthread_mutex_unlock(&session_p->session_mutex);
457
458 return (rv);
459 }
460
461
462 /*
463 * soft_des_decrypt_common()
464 *
465 * Arguments:
466 * session_p: pointer to soft_session_t struct
467 * pEncrypted: pointer to the input data to be decrypted
468 * ulEncryptedLen: length of the input data
469 * pData: pointer to the output data
470 * pulDataLen: pointer to the length of the output data
471 * Update: boolean flag indicates caller is soft_decrypt
472 * or soft_decrypt_update
473 *
474 * Description:
475 * This function calls the corresponding decrypt routine based
476 * on the mechanism.
477 *
478 * Returns:
479 * CKR_OK: success
480 * CKR_BUFFER_TOO_SMALL: the output buffer provided by application
481 * is too small
482 * CKR_ENCRYPTED_DATA_LEN_RANGE: the input data is not a multiple
483 * of blocksize
484 * CKR_FUNCTION_FAILED: decrypt function failed
485 */
486 CK_RV
487 soft_des_decrypt_common(soft_session_t *session_p, CK_BYTE_PTR pEncrypted,
488 CK_ULONG ulEncryptedLen, CK_BYTE_PTR pData,
489 CK_ULONG_PTR pulDataLen, boolean_t update)
490 {
491
492 int rc = 0;
493 CK_RV rv = CKR_OK;
494 soft_des_ctx_t *soft_des_ctx =
495 (soft_des_ctx_t *)session_p->decrypt.context;
496 des_ctx_t *des_ctx;
497 CK_MECHANISM_TYPE mechanism = session_p->decrypt.mech.mechanism;
498 CK_BYTE *in_buf = NULL;
499 CK_BYTE *out_buf = NULL;
500 CK_ULONG out_len;
501 CK_ULONG total_len;
502 CK_ULONG remain;
503 boolean_t pad_mechanism = B_FALSE;
504
505 pad_mechanism = (mechanism == CKM_DES_CBC_PAD ||
506 mechanism == CKM_DES3_CBC_PAD);
507 /*
508 * DES only takes input length that is a multiple of 8 bytes
509 * for C_Decrypt function with the mechanism CKM_DES<n>_ECB,
510 * CKM_DES<n>_CBC or CKM_DES<n>_CBC_PAD.
511 *
512 * DES allows any input length for C_DecryptUpdate function.
513 */
514 if (!update) {
515 /*
516 * Called by C_Decrypt
517 */
518 if ((ulEncryptedLen % DES_BLOCK_LEN) != 0) {
519 rv = CKR_ENCRYPTED_DATA_LEN_RANGE;
520 goto cleanup;
521 }
522
523 /*
524 * If application asks for the length of the output buffer
525 * to hold the plaintext?
526 */
527 if (pData == NULL) {
528 *pulDataLen = ulEncryptedLen;
529 return (CKR_OK);
530 }
531
532 /* Is the application-supplied buffer large enough? */
533 if (!pad_mechanism) {
534 if (*pulDataLen < ulEncryptedLen) {
535 *pulDataLen = ulEncryptedLen;
536 return (CKR_BUFFER_TOO_SMALL);
537 }
538
539 /* Set output length same as input length. */
540 out_len = ulEncryptedLen;
541 } else {
542 /*
543 * For CKM_DES<n>_CBC_PAD, we don't know how
544 * many bytes for padding at this time, so
545 * we'd assume one block was padded.
546 */
547 if (*pulDataLen < (ulEncryptedLen - DES_BLOCK_LEN)) {
548 *pulDataLen = ulEncryptedLen - DES_BLOCK_LEN;
549 return (CKR_BUFFER_TOO_SMALL);
550 }
551 out_len = ulEncryptedLen - DES_BLOCK_LEN;
552 }
553 in_buf = pEncrypted;
554 out_buf = pData;
555 } else {
556 /*
557 * Called by C_DecryptUpdate
558 *
559 * Add the lengths of last remaining data and current
560 * input data together to get the total input length.
561 */
562 total_len = soft_des_ctx->remain_len + ulEncryptedLen;
563
564 /*
565 * If the total input length is less than one blocksize,
566 * or if the total input length is just one blocksize and
567 * the mechanism is CKM_DES<n>_CBC_PAD, we will need to delay
568 * decryption until when more data comes in next
569 * C_DecryptUpdate or when C_DecryptFinal is called.
570 */
571 if ((total_len < DES_BLOCK_LEN) ||
572 (pad_mechanism && (total_len == DES_BLOCK_LEN))) {
573 if (pEncrypted != NULL) {
574 /*
575 * Save input data and its length in
576 * the remaining buffer of DES context.
577 */
578 (void) memcpy(soft_des_ctx->data +
579 soft_des_ctx->remain_len,
580 pEncrypted, ulEncryptedLen);
581 soft_des_ctx->remain_len += ulEncryptedLen;
582 }
583
584 /* Set output data length to 0. */
585 *pulDataLen = 0;
586 return (CKR_OK);
587 }
588
589 /* Compute the length of remaing data. */
590 remain = total_len % DES_BLOCK_LEN;
591
592 /*
593 * Make sure that the output length is a multiple of
594 * blocksize.
595 */
596 out_len = total_len - remain;
597
598 if (pad_mechanism) {
599 /*
600 * If the input data length is a multiple of
601 * blocksize, then save the last block of input
602 * data in the remaining buffer. C_DecryptFinal
603 * will handle this last block of data.
604 */
605 if (remain == 0) {
606 remain = DES_BLOCK_LEN;
607 out_len -= DES_BLOCK_LEN;
608 }
609 }
610
611 /*
612 * If application asks for the length of the output buffer
613 * to hold the plaintext?
614 */
615 if (pData == NULL) {
616 *pulDataLen = out_len;
617 return (CKR_OK);
618 }
619
620 /*
621 * Is the application-supplied buffer large enough?
622 */
623 if (*pulDataLen < out_len) {
624 *pulDataLen = out_len;
625 return (CKR_BUFFER_TOO_SMALL);
626 }
627
628 if (soft_des_ctx->remain_len != 0) {
629 /*
630 * Copy last remaining data and current input data
631 * to the output buffer.
632 */
633 (void) memmove(pData + soft_des_ctx->remain_len,
634 pEncrypted, out_len - soft_des_ctx->remain_len);
635 (void) memcpy(pData, soft_des_ctx->data,
636 soft_des_ctx->remain_len);
637 bzero(soft_des_ctx->data, soft_des_ctx->remain_len);
638
639 in_buf = pData;
640 } else {
641 in_buf = pEncrypted;
642 }
643 out_buf = pData;
644 }
645
646 /*
647 * Begin Decryption.
648 */
649 switch (mechanism) {
650
651 case CKM_DES_ECB:
652 case CKM_DES3_ECB:
653 {
654 uint8_t *tmp_inbuf;
655 uint8_t *tmp_outbuf;
656 ulong_t i;
657
658 for (i = 0; i < out_len; i += DES_BLOCK_LEN) {
659 tmp_inbuf = &in_buf[i];
660 tmp_outbuf = &out_buf[i];
661 /* Crunch one block of data for DES. */
662 if (soft_des_ctx->key_type == CKK_DES)
663 (void) des_crunch_block(
664 soft_des_ctx->key_sched,
665 tmp_inbuf, tmp_outbuf, B_TRUE);
666 else
667 (void) des3_crunch_block(
668 soft_des_ctx->key_sched,
669 tmp_inbuf, tmp_outbuf, B_TRUE);
670 }
671
672 if (update) {
673 /*
674 * For decrypt update, if there is remaining
675 * data, save it and its length in the context.
676 */
677 if (remain != 0)
678 (void) memcpy(soft_des_ctx->data, pEncrypted +
679 (ulEncryptedLen - remain), remain);
680 soft_des_ctx->remain_len = remain;
681 }
682
683 *pulDataLen = out_len;
684 break;
685 }
686
687 case CKM_DES_CBC:
688 case CKM_DES_CBC_PAD:
689 case CKM_DES3_CBC:
690 case CKM_DES3_CBC_PAD:
691 {
692 crypto_data_t out;
693 CK_ULONG rem_len;
694 uint8_t last_block[DES_BLOCK_LEN];
695
696 out.cd_format = CRYPTO_DATA_RAW;
697 out.cd_offset = 0;
698 out.cd_length = out_len;
699 out.cd_raw.iov_base = (char *)out_buf;
700 out.cd_raw.iov_len = out_len;
701
702 /* Decrypt multiple blocks of data. */
703 rc = des_decrypt_contiguous_blocks(
704 (des_ctx_t *)soft_des_ctx->des_cbc,
705 (char *)in_buf, out_len, &out);
706
707 if (rc != 0)
708 goto decrypt_failed;
709
710 if (pad_mechanism && !update) {
711 /* Decrypt last block containing pad bytes. */
712 out.cd_offset = 0;
713 out.cd_length = DES_BLOCK_LEN;
714 out.cd_raw.iov_base = (char *)last_block;
715 out.cd_raw.iov_len = DES_BLOCK_LEN;
716
717 /* Decrypt last block containing pad bytes. */
718 rc = des_decrypt_contiguous_blocks(
719 (des_ctx_t *)soft_des_ctx->des_cbc,
720 (char *)in_buf + out_len, DES_BLOCK_LEN, &out);
721
722 if (rc != 0)
723 goto decrypt_failed;
724
725 /*
726 * Remove padding bytes after decryption of
727 * ciphertext block to produce the original
728 * plaintext.
729 */
730 rv = soft_remove_pkcs7_padding(last_block,
731 DES_BLOCK_LEN, &rem_len);
732 if (rv == CKR_OK) {
733 if (rem_len != 0)
734 (void) memcpy(out_buf + out_len,
735 last_block, rem_len);
736 *pulDataLen = out_len + rem_len;
737 } else {
738 *pulDataLen = 0;
739 goto cleanup;
740 }
741 } else {
742 *pulDataLen = out_len;
743 }
744
745 if (update) {
746 /*
747 * For decrypt update, if there is remaining data,
748 * save it and its length in the context.
749 */
750 if (remain != 0)
751 (void) memcpy(soft_des_ctx->data, pEncrypted +
752 (ulEncryptedLen - remain), remain);
753 soft_des_ctx->remain_len = remain;
754 }
755
756 if (rc == 0)
757 break;
758 decrypt_failed:
759 *pulDataLen = 0;
760 rv = CKR_FUNCTION_FAILED;
761 goto cleanup;
762 }
763 } /* end switch */
764
765 if (update)
766 return (CKR_OK);
767
768 /*
769 * The following code will be executed if the caller is
770 * soft_decrypt() or an error occurred. The decryption
771 * operation will be terminated so we need to do some cleanup.
772 */
773 cleanup:
774 (void) pthread_mutex_lock(&session_p->session_mutex);
775 des_ctx = (des_ctx_t *)soft_des_ctx->des_cbc;
776 free(des_ctx);
777 freezero(soft_des_ctx->key_sched, soft_des_ctx->keysched_len);
778 freezero(session_p->decrypt.context, sizeof (soft_des_ctx_t));
779 (void) pthread_mutex_unlock(&session_p->session_mutex);
780
781 return (rv);
782 }
783
784
785 /*
786 * Allocate and initialize a context for DES CBC mode of operation.
787 */
788 void *
789 des_cbc_ctx_init(void *key_sched, size_t size, uint8_t *ivec, CK_KEY_TYPE type)
790 {
791
792 cbc_ctx_t *cbc_ctx;
793
794 if ((cbc_ctx = calloc(1, sizeof (cbc_ctx_t))) == NULL)
795 return (NULL);
796
797 cbc_ctx->cbc_keysched = key_sched;
798
799 (void) memcpy(&cbc_ctx->cbc_iv[0], ivec, DES_BLOCK_LEN);
800
801 cbc_ctx->cbc_lastp = (uint8_t *)&cbc_ctx->cbc_iv[0];
802 cbc_ctx->cbc_keysched_len = size;
803 if (type == CKK_DES)
804 cbc_ctx->cbc_flags |= CBC_MODE;
805 else
806 cbc_ctx->cbc_flags |= CBC_MODE | DES3_STRENGTH;
807
808 return (cbc_ctx);
809
810 }
811
812 /*
813 * Allocate and initialize DES contexts for both signing and encrypting,
814 * saving both context pointers in the session struct. For general-length DES
815 * MAC, check the length in the parameter to see if it is in the right range.
816 */
817 CK_RV
818 soft_des_sign_verify_init_common(soft_session_t *session_p,
819 CK_MECHANISM_PTR pMechanism, soft_object_t *key_p, boolean_t sign_op)
820 {
821 soft_des_ctx_t *soft_des_ctx;
822 CK_MECHANISM encrypt_mech;
823 CK_RV rv;
824
825 if ((key_p->class != CKO_SECRET_KEY) || (key_p->key_type != CKK_DES)) {
826 return (CKR_KEY_TYPE_INCONSISTENT);
827 }
828
829 /* allocate memory for the sign/verify context */
830 soft_des_ctx = malloc(sizeof (soft_des_ctx_t));
831 if (soft_des_ctx == NULL) {
832 return (CKR_HOST_MEMORY);
833 }
834
835 soft_des_ctx->key_type = key_p->key_type;
836
837 /* initialization vector is zero for DES MAC */
838 bzero(soft_des_ctx->ivec, DES_BLOCK_LEN);
839
840 switch (pMechanism->mechanism) {
841
842 case CKM_DES_MAC_GENERAL:
843
844 if (pMechanism->ulParameterLen !=
845 sizeof (CK_MAC_GENERAL_PARAMS)) {
846 free(soft_des_ctx);
847 return (CKR_MECHANISM_PARAM_INVALID);
848 }
849
850 if (*(CK_MAC_GENERAL_PARAMS *)pMechanism->pParameter >
851 DES_BLOCK_LEN) {
852 free(soft_des_ctx);
853 return (CKR_MECHANISM_PARAM_INVALID);
854 }
855
856 soft_des_ctx->mac_len = *((CK_MAC_GENERAL_PARAMS_PTR)
857 pMechanism->pParameter);
858
859 /*FALLTHRU*/
860 case CKM_DES_MAC:
861
862 /*
863 * For non-general DES MAC, output is always half as
864 * large as block size
865 */
866 if (pMechanism->mechanism == CKM_DES_MAC) {
867 soft_des_ctx->mac_len = DES_MAC_LEN;
868 }
869
870 /* allocate a context for DES encryption */
871 encrypt_mech.mechanism = CKM_DES_CBC_PAD;
872 encrypt_mech.pParameter = (void *)soft_des_ctx->ivec;
873 encrypt_mech.ulParameterLen = DES_BLOCK_LEN;
874 rv = soft_encrypt_init_internal(session_p, &encrypt_mech,
875 key_p);
876 if (rv != CKR_OK) {
877 free(soft_des_ctx);
878 return (rv);
879 }
880
881 (void) pthread_mutex_lock(&session_p->session_mutex);
882
883 if (sign_op) {
884 session_p->sign.context = soft_des_ctx;
885 session_p->sign.mech.mechanism = pMechanism->mechanism;
886 } else {
887 session_p->verify.context = soft_des_ctx;
888 session_p->verify.mech.mechanism =
889 pMechanism->mechanism;
890 }
891
892 (void) pthread_mutex_unlock(&session_p->session_mutex);
893
894 break;
895 }
896 return (CKR_OK);
897 }
898
899 /*
900 * Called by soft_sign(), soft_sign_final(), soft_verify() or
901 * soft_verify_final().
902 */
903 CK_RV
904 soft_des_sign_verify_common(soft_session_t *session_p, CK_BYTE_PTR pData,
905 CK_ULONG ulDataLen, CK_BYTE_PTR pSigned, CK_ULONG_PTR pulSignedLen,
906 boolean_t sign_op, boolean_t Final)
907 {
908 soft_des_ctx_t *soft_des_ctx_sign_verify;
909 soft_des_ctx_t *soft_des_ctx_encrypt;
910 CK_RV rv;
911 CK_BYTE *pEncrypted = NULL;
912 CK_ULONG ulEncryptedLen = 0;
913 uint8_t remainder;
914 CK_BYTE last_block[DES_BLOCK_LEN];
915 des_ctx_t *des_ctx = NULL;
916
917 if (sign_op) {
918 soft_des_ctx_sign_verify =
919 (soft_des_ctx_t *)session_p->sign.context;
920
921 if (soft_des_ctx_sign_verify->mac_len == 0) {
922 *pulSignedLen = 0;
923 goto clean_exit;
924 }
925
926 /* Application asks for the length of the output buffer. */
927 if (pSigned == NULL) {
928 *pulSignedLen = soft_des_ctx_sign_verify->mac_len;
929 return (CKR_OK);
930 }
931
932 /* Is the application-supplied buffer large enough? */
933 if (*pulSignedLen < soft_des_ctx_sign_verify->mac_len) {
934 *pulSignedLen = soft_des_ctx_sign_verify->mac_len;
935 return (CKR_BUFFER_TOO_SMALL);
936 }
937 } else {
938 soft_des_ctx_sign_verify =
939 (soft_des_ctx_t *)session_p->verify.context;
940 }
941
942 if (Final) {
943 soft_des_ctx_encrypt =
944 (soft_des_ctx_t *)session_p->encrypt.context;
945
946 /*
947 * If there is data left in the buffer from a previous
948 * SignUpdate() call, pass enough zeroed data to a
949 * soft_sign_update call to pad the remainder
950 */
951 if (soft_des_ctx_encrypt->remain_len != 0) {
952 bzero(last_block, DES_BLOCK_LEN);
953 ulEncryptedLen = DES_BLOCK_LEN;
954
955 /*
956 * By passing a buffer to soft_encrypt_final,
957 * we force it to pad the remaining block
958 * and encrypt it.
959 */
960 rv = soft_encrypt_final(session_p, last_block,
961 &ulEncryptedLen);
962 if (rv != CKR_OK) {
963 goto clean_exit;
964 }
965 } else {
966 /*
967 * The last block of enciphered data is stored in:
968 * soft_des_ctx_encrypt->des_cbc->des_ctx->dc_lastp
969 * Copy that data to last_block
970 */
971 soft_des_ctx_encrypt =
972 (soft_des_ctx_t *)session_p->encrypt.context;
973 des_ctx = (des_ctx_t *)soft_des_ctx_encrypt->des_cbc;
974 (void) memcpy(last_block, des_ctx->dc_lastp,
975 DES_BLOCK_LEN);
976
977 /*
978 * Passing a NULL output buffer here
979 * forces the routine to just return.
980 */
981 rv = soft_encrypt_final(session_p, NULL,
982 &ulEncryptedLen);
983 }
984
985 } else {
986 /*
987 * If the input length is not multiple of block size, then
988 * determine the correct encrypted data length by rounding
989 */
990 remainder = ulDataLen % DES_BLOCK_LEN;
991 /*
992 * Because we always use DES_CBC_PAD mechanism
993 * for sign/verify operations, the input will
994 * be padded to the next 8 byte boundary.
995 * Adjust the length fields here accordingly.
996 */
997 ulEncryptedLen = ulDataLen + (DES_BLOCK_LEN - remainder);
998
999 pEncrypted = malloc(sizeof (CK_BYTE) * ulEncryptedLen);
1000 if (pEncrypted == NULL) {
1001 rv = CKR_HOST_MEMORY;
1002 goto clean_exit;
1003 }
1004
1005 /*
1006 * Pad the last block with zeros by copying pData into a zeroed
1007 * pEncrypted. Then pass pEncrypted into soft_encrypt as input
1008 */
1009 bzero(pEncrypted, ulEncryptedLen);
1010 (void) memcpy(pEncrypted, pData, ulDataLen);
1011
1012 rv = soft_encrypt(session_p, pEncrypted, ulDataLen,
1013 pEncrypted, &ulEncryptedLen);
1014 (void) memcpy(last_block,
1015 &pEncrypted[ulEncryptedLen - DES_BLOCK_LEN], DES_BLOCK_LEN);
1016 }
1017
1018 if (rv == CKR_OK) {
1019 *pulSignedLen = soft_des_ctx_sign_verify->mac_len;
1020
1021 /* the leftmost mac_len bytes of last_block is our MAC */
1022 (void) memcpy(pSigned, last_block, *pulSignedLen);
1023 }
1024
1025 clean_exit:
1026
1027 (void) pthread_mutex_lock(&session_p->session_mutex);
1028
1029 /* soft_encrypt_common() has freed the encrypt context */
1030 if (sign_op) {
1031 free(session_p->sign.context);
1032 session_p->sign.context = NULL;
1033 } else {
1034 free(session_p->verify.context);
1035 session_p->verify.context = NULL;
1036 }
1037 session_p->encrypt.flags = 0;
1038
1039 (void) pthread_mutex_unlock(&session_p->session_mutex);
1040
1041 if (pEncrypted) {
1042 free(pEncrypted);
1043 }
1044
1045 return (rv);
1046 }
1047
1048 /*
1049 * Called by soft_sign_update()
1050 */
1051 CK_RV
1052 soft_des_mac_sign_verify_update(soft_session_t *session_p, CK_BYTE_PTR pPart,
1053 CK_ULONG ulPartLen)
1054 {
1055 /*
1056 * The DES MAC is calculated by taking the specified number of
1057 * left-most bytes within the last block of
1058 * encrypted data, while the context of the multi-part
1059 * encryption stores the block necessary for XORing with the
1060 * input as per cipher block chaining . Therefore, none of the
1061 * intermediary encrypted blocks of data are necessary for
1062 * the DES MAC, and we can create a placeholder local buffer
1063 * for the encrypted data, which is immediately throw away.
1064 */
1065
1066 soft_des_ctx_t *soft_des_ctx_encrypt;
1067 CK_BYTE *pEncrypted = NULL;
1068 CK_ULONG ulEncryptedLen;
1069 CK_ULONG total_len;
1070 uint8_t remainder;
1071 CK_RV rv;
1072
1073 soft_des_ctx_encrypt = (soft_des_ctx_t *)session_p->encrypt.context;
1074
1075 /* Avoid the malloc if we won't be encrypting any data */
1076 total_len = soft_des_ctx_encrypt->remain_len + ulPartLen;
1077
1078 if (total_len < DES_BLOCK_LEN) {
1079 rv = soft_encrypt_update(session_p, pPart, ulPartLen, NULL,
1080 &ulEncryptedLen);
1081 } else {
1082 remainder = ulPartLen % DES_BLOCK_LEN;
1083
1084 /* round up to the nearest multiple of block size */
1085 ulEncryptedLen = ulPartLen + (DES_BLOCK_LEN - remainder);
1086 pEncrypted = malloc(sizeof (CK_BYTE) * ulEncryptedLen);
1087
1088 if (pEncrypted != NULL) {
1089 rv = soft_encrypt_update(session_p, pPart, ulPartLen,
1090 pEncrypted, &ulEncryptedLen);
1091 free(pEncrypted);
1092 } else {
1093 rv = CKR_HOST_MEMORY;
1094 }
1095 }
1096 return (rv);
1097 }