1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
25
26 #include <pthread.h>
27 #include <stdlib.h>
28 #include <string.h>
29 #include <strings.h>
30 #include <sys/types.h>
31 #include <security/cryptoki.h>
32 #include <sys/crypto/common.h>
33 #include <aes_impl.h>
34 #include <blowfish_impl.h>
35 #include <des_impl.h>
36 #include <arcfour.h>
37 #include <cryptoutil.h>
38 #include "softGlobal.h"
39 #include "softSession.h"
40 #include "softObject.h"
41 #include "softDSA.h"
42 #include "softRSA.h"
43 #include "softDH.h"
44 #include "softEC.h"
45 #include "softMAC.h"
46 #include "softOps.h"
47 #include "softKeys.h"
48 #include "softKeystore.h"
49 #include "softSSL.h"
50 #include "softASN1.h"
51
52
53 #define local_min(a, b) ((a) < (b) ? (a) : (b))
54
55 static CK_RV
56 soft_pkcs12_pbe(soft_session_t *, CK_MECHANISM_PTR, soft_object_t *);
57
58 /*
59 * Create a temporary key object struct by filling up its template attributes.
60 */
61 CK_RV
62 soft_gen_keyobject(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
63 CK_ULONG *objecthandle_p, soft_session_t *sp,
64 CK_OBJECT_CLASS class, CK_KEY_TYPE key_type, CK_ULONG keylen, CK_ULONG mode,
65 boolean_t internal)
66 {
67
68 CK_RV rv;
69 soft_object_t *new_objp = NULL;
70
71 new_objp = calloc(1, sizeof (soft_object_t));
72 if (new_objp == NULL) {
73 return (CKR_HOST_MEMORY);
74 }
75
76 new_objp->extra_attrlistp = NULL;
77
78 /*
79 * Validate attribute template and fill in the attributes
80 * in the soft_object_t.
81 */
82 rv = soft_build_key(pTemplate, ulCount, new_objp, class, key_type,
83 keylen, mode);
84 if (rv != CKR_OK) {
85 goto fail_cleanup1;
86 }
87
88 /*
89 * If generating a key is an internal request (i.e. not a C_XXX
90 * API request), then skip the following checks.
91 */
92 if (!internal) {
93 rv = soft_pin_expired_check(new_objp);
94 if (rv != CKR_OK) {
95 goto fail_cleanup2;
96 }
97
98 rv = soft_object_write_access_check(sp, new_objp);
99 if (rv != CKR_OK) {
100 goto fail_cleanup2;
101 }
102 }
103
104 /* Initialize the rest of stuffs in soft_object_t. */
105 (void) pthread_mutex_init(&new_objp->object_mutex, NULL);
106 new_objp->magic_marker = SOFTTOKEN_OBJECT_MAGIC;
107
108 /* Write the new token object to the keystore */
109 if (IS_TOKEN_OBJECT(new_objp)) {
110 new_objp->version = 1;
111 new_objp->session_handle = (CK_SESSION_HANDLE)NULL;
112 soft_add_token_object_to_slot(new_objp);
113 /*
114 * Type casting the address of an object struct to
115 * an object handle.
116 */
117 *objecthandle_p = (CK_ULONG)new_objp;
118
119 return (CKR_OK);
120 }
121
122 new_objp->session_handle = (CK_SESSION_HANDLE)sp;
123
124 /* Add the new object to the session's object list. */
125 soft_add_object_to_session(new_objp, sp);
126
127 /* Type casting the address of an object struct to an object handle. */
128 *objecthandle_p = (CK_ULONG)new_objp;
129
130 return (CKR_OK);
131
132 fail_cleanup2:
133 /*
134 * When any error occurs after soft_build_key(), we will need to
135 * clean up the memory allocated by the soft_build_key().
136 */
137 soft_cleanup_object(new_objp);
138
139 fail_cleanup1:
140 if (new_objp) {
141 /*
142 * The storage allocated inside of this object should have
143 * been cleaned up by the soft_build_key() if it failed.
144 * Therefore, we can safely free the object.
145 */
146 free(new_objp);
147 }
148
149 return (rv);
150 }
151
152 CK_RV
153 soft_genkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
154 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey)
155 {
156
157 CK_RV rv = CKR_OK;
158 soft_object_t *secret_key;
159 CK_KEY_TYPE key_type;
160 CK_ULONG keylen = 0;
161 CK_ULONG i;
162 int des_strength = 0;
163 int retry = 0;
164 int keyfound = 0;
165 boolean_t is_ssl_mech = B_FALSE;
166
167 switch (pMechanism->mechanism) {
168 case CKM_DES_KEY_GEN:
169 key_type = CKK_DES;
170 break;
171
172 case CKM_DES2_KEY_GEN:
173 key_type = CKK_DES2;
174 break;
175
176 case CKM_DES3_KEY_GEN:
177 key_type = CKK_DES3;
178 break;
179
180 case CKM_AES_KEY_GEN:
181 key_type = CKK_AES;
182 break;
183
184 case CKM_BLOWFISH_KEY_GEN:
185 key_type = CKK_BLOWFISH;
186 break;
187
188 case CKM_RC4_KEY_GEN:
189 key_type = CKK_RC4;
190 break;
191
192 case CKM_SSL3_PRE_MASTER_KEY_GEN:
193 case CKM_TLS_PRE_MASTER_KEY_GEN:
194 if (pMechanism->pParameter == NULL ||
195 pMechanism->ulParameterLen != sizeof (CK_VERSION))
196 return (CKR_TEMPLATE_INCOMPLETE);
197 is_ssl_mech = B_TRUE;
198 key_type = CKK_GENERIC_SECRET;
199 keylen = 48;
200 break;
201
202 case CKM_PKCS5_PBKD2:
203 keyfound = 0;
204 for (i = 0; i < ulCount && !keyfound; i++) {
205 if (pTemplate[i].type == CKA_KEY_TYPE &&
206 pTemplate[i].pValue != NULL) {
207 key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue);
208 keyfound = 1;
209 }
210 }
211 if (!keyfound)
212 return (CKR_TEMPLATE_INCOMPLETE);
213 /*
214 * Make sure that parameters were given for this
215 * mechanism.
216 */
217 if (pMechanism->pParameter == NULL ||
218 pMechanism->ulParameterLen !=
219 sizeof (CK_PKCS5_PBKD2_PARAMS))
220 return (CKR_TEMPLATE_INCOMPLETE);
221 break;
222
223 case CKM_PBE_SHA1_RC4_128:
224 keyfound = 0;
225 for (i = 0; i < ulCount; i++) {
226 if (pTemplate[i].type == CKA_KEY_TYPE &&
227 pTemplate[i].pValue != NULL) {
228 key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue);
229 keyfound = 1;
230 }
231 if (pTemplate[i].type == CKA_VALUE_LEN &&
232 pTemplate[i].pValue != NULL) {
233 keylen = *((CK_ULONG*)pTemplate[i].pValue);
234 }
235 }
236 /* If a keytype was specified, it had better be CKK_RC4 */
237 if (keyfound && key_type != CKK_RC4)
238 return (CKR_TEMPLATE_INCONSISTENT);
239 else if (!keyfound)
240 key_type = CKK_RC4;
241
242 /* If key length was specified, it better be 16 bytes */
243 if (keylen != 0 && keylen != 16)
244 return (CKR_TEMPLATE_INCONSISTENT);
245
246 /*
247 * Make sure that parameters were given for this
248 * mechanism.
249 */
250 if (pMechanism->pParameter == NULL ||
251 pMechanism->ulParameterLen !=
252 sizeof (CK_PBE_PARAMS))
253 return (CKR_TEMPLATE_INCOMPLETE);
254 break;
255 default:
256 return (CKR_MECHANISM_INVALID);
257 }
258
259 /* Create a new object for secret key. */
260 rv = soft_gen_keyobject(pTemplate, ulCount, phKey, session_p,
261 CKO_SECRET_KEY, key_type, keylen, SOFT_GEN_KEY, B_FALSE);
262
263 if (rv != CKR_OK) {
264 return (rv);
265 }
266
267 /* Obtain the secret object pointer. */
268 secret_key = (soft_object_t *)*phKey;
269
270 switch (pMechanism->mechanism) {
271 case CKM_DES_KEY_GEN:
272 /*
273 * Set up key value len since it is not a required
274 * attribute for C_GenerateKey.
275 */
276 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
277 des_strength = DES;
278 break;
279
280 case CKM_DES2_KEY_GEN:
281 /*
282 * Set up key value len since it is not a required
283 * attribute for C_GenerateKey.
284 */
285 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES2_KEYSIZE;
286 des_strength = DES2;
287 break;
288
289 case CKM_DES3_KEY_GEN:
290 /*
291 * Set up key value len since it is not a required
292 * attribute for C_GenerateKey.
293 */
294 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE;
295 des_strength = DES3;
296 break;
297
298 case CKM_SSL3_PRE_MASTER_KEY_GEN:
299 case CKM_TLS_PRE_MASTER_KEY_GEN:
300 secret_key->bool_attr_mask |= DERIVE_BOOL_ON;
301 /* FALLTHRU */
302
303 case CKM_AES_KEY_GEN:
304 case CKM_BLOWFISH_KEY_GEN:
305 case CKM_PBE_SHA1_RC4_128:
306 case CKM_RC4_KEY_GEN:
307 keylen = OBJ_SEC_VALUE_LEN(secret_key);
308 break;
309
310 case CKM_PKCS5_PBKD2:
311 /*
312 * PKCS#11 does not allow one to specify key
313 * sizes for DES and 3DES, so we must set it here
314 * when using PBKD2 algorithms.
315 */
316 if (key_type == CKK_DES) {
317 OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
318 des_strength = DES;
319 } else if (key_type == CKK_DES3) {
320 OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE;
321 des_strength = DES3;
322 }
323
324 keylen = OBJ_SEC_VALUE_LEN(secret_key);
325 break;
326 }
327
328 if ((OBJ_SEC_VALUE(secret_key) = malloc(keylen)) == NULL) {
329 if (IS_TOKEN_OBJECT(secret_key))
330 soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
331 else
332 soft_delete_object(session_p, secret_key,
333 B_FALSE, B_FALSE);
334
335 return (CKR_HOST_MEMORY);
336 }
337 switch (pMechanism->mechanism) {
338 case CKM_PBE_SHA1_RC4_128:
339 /*
340 * Use the PBE algorithm described in PKCS#11 section
341 * 12.33 to derive the key.
342 */
343 rv = soft_pkcs12_pbe(session_p, pMechanism, secret_key);
344 break;
345 case CKM_PKCS5_PBKD2:
346 /* Generate keys using PKCS#5 PBKD2 algorithm */
347 rv = soft_generate_pkcs5_pbkdf2_key(session_p, pMechanism,
348 secret_key);
349 if (rv == CKR_OK && des_strength > 0) {
350 /* Perform weak key checking for DES and DES3. */
351 if (des_keycheck(OBJ_SEC_VALUE(secret_key),
352 des_strength, OBJ_SEC_VALUE(secret_key)) ==
353 B_FALSE) {
354 /* We got a weak secret key. */
355 rv = CKR_FUNCTION_FAILED;
356 }
357 }
358 break;
359 default:
360 do {
361 /* If this fails, bail out */
362 rv = CKR_OK;
363 if (pkcs11_get_urandom(
364 OBJ_SEC_VALUE(secret_key), keylen) < 0) {
365 rv = CKR_DEVICE_ERROR;
366 break;
367 }
368
369 /* Perform weak key checking for DES and DES3. */
370 if (des_strength > 0) {
371 rv = CKR_OK;
372 if (des_keycheck(OBJ_SEC_VALUE(secret_key),
373 des_strength, OBJ_SEC_VALUE(secret_key)) ==
374 B_FALSE) {
375 /* We got a weak key, retry! */
376 retry++;
377 rv = CKR_FUNCTION_FAILED;
378 }
379 }
380 /*
381 * Copy over the SSL client version For SSL mechs
382 * The first two bytes of the key is the version
383 */
384 if (is_ssl_mech)
385 bcopy(pMechanism->pParameter,
386 OBJ_SEC_VALUE(secret_key),
387 sizeof (CK_VERSION));
388
389 } while (rv != CKR_OK && retry < KEYGEN_RETRY);
390 if (retry == KEYGEN_RETRY)
391 rv = CKR_FUNCTION_FAILED;
392 break;
393 }
394
395 if (rv != CKR_OK)
396 if (IS_TOKEN_OBJECT(secret_key))
397 soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
398 else
399 soft_delete_object(session_p, secret_key,
400 B_FALSE, B_FALSE);
401
402 if (IS_TOKEN_OBJECT(secret_key)) {
403 /*
404 * All the info has been filled, so we can write to
405 * keystore now.
406 */
407 rv = soft_put_object_to_keystore(secret_key);
408 if (rv != CKR_OK)
409 soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
410 }
411
412 return (rv);
413 }
414
415 CK_RV
416 soft_genkey_pair(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
417 CK_ATTRIBUTE_PTR pPublicKeyTemplate, CK_ULONG ulPublicAttrCount,
418 CK_ATTRIBUTE_PTR pPrivateKeyTemplate, CK_ULONG ulPrivateAttrCount,
419 CK_OBJECT_HANDLE_PTR phPublicKey, CK_OBJECT_HANDLE_PTR phPrivateKey)
420 {
421
422 CK_RV rv;
423 soft_object_t *public_key, *private_key;
424 CK_KEY_TYPE key_type;
425
426 switch (pMechanism->mechanism) {
427
428 case CKM_RSA_PKCS_KEY_PAIR_GEN:
429 key_type = CKK_RSA;
430 break;
431
432 case CKM_DSA_KEY_PAIR_GEN:
433 key_type = CKK_DSA;
434 break;
435
436 case CKM_DH_PKCS_KEY_PAIR_GEN:
437 key_type = CKK_DH;
438 break;
439
440 case CKM_EC_KEY_PAIR_GEN:
441 key_type = CKK_EC;
442 break;
443
444 default:
445 return (CKR_MECHANISM_INVALID);
446 }
447
448 /* Create a new object for public key. */
449 rv = soft_gen_keyobject(pPublicKeyTemplate, ulPublicAttrCount,
450 phPublicKey, session_p, CKO_PUBLIC_KEY, key_type, 0,
451 SOFT_GEN_KEY, B_FALSE);
452
453 if (rv != CKR_OK) {
454 return (rv);
455 }
456
457 /* Obtain the public object pointer. */
458 public_key = (soft_object_t *)*phPublicKey;
459
460 /* Create a new object for private key. */
461 rv = soft_gen_keyobject(pPrivateKeyTemplate, ulPrivateAttrCount,
462 phPrivateKey, session_p, CKO_PRIVATE_KEY, key_type, 0,
463 SOFT_GEN_KEY, B_FALSE);
464
465 if (rv != CKR_OK) {
466 /*
467 * Both public key and private key must be successful.
468 */
469 if (IS_TOKEN_OBJECT(public_key))
470 soft_delete_token_object(public_key, B_FALSE, B_FALSE);
471 else
472 soft_delete_object(session_p, public_key,
473 B_FALSE, B_FALSE);
474 return (rv);
475 }
476
477 /* Obtain the private object pointer. */
478 private_key = (soft_object_t *)*phPrivateKey;
479
480 /*
481 * At this point, both public key and private key objects
482 * are settled with the application specified attributes.
483 * We are ready to generate the rest of key attributes based
484 * on the existing attributes.
485 */
486
487 switch (key_type) {
488 case CKK_RSA:
489 rv = soft_rsa_genkey_pair(public_key, private_key);
490 break;
491
492 case CKK_DSA:
493 rv = soft_dsa_genkey_pair(public_key, private_key);
494 break;
495
496 case CKK_DH:
497 rv = soft_dh_genkey_pair(public_key, private_key);
498 private_key->bool_attr_mask |= DERIVE_BOOL_ON;
499 break;
500 case CKK_EC:
501 rv = soft_ec_genkey_pair(public_key, private_key);
502 private_key->bool_attr_mask |= DERIVE_BOOL_ON;
503 break;
504 }
505
506 if (rv != CKR_OK) {
507 if (IS_TOKEN_OBJECT(public_key)) {
508 soft_delete_token_object(public_key, B_FALSE, B_FALSE);
509 soft_delete_token_object(private_key, B_FALSE, B_FALSE);
510 } else {
511 soft_delete_object(session_p, public_key,
512 B_FALSE, B_FALSE);
513 soft_delete_object(session_p, private_key,
514 B_FALSE, B_FALSE);
515 }
516 return (rv);
517 }
518
519 if (IS_TOKEN_OBJECT(public_key)) {
520 /*
521 * All the info has been filled, so we can write to
522 * keystore now.
523 */
524 rv = soft_put_object_to_keystore(public_key);
525 if (rv != CKR_OK) {
526 soft_delete_token_object(public_key, B_FALSE, B_FALSE);
527 soft_delete_token_object(private_key, B_FALSE, B_FALSE);
528 return (rv);
529 }
530 }
531
532 if (IS_TOKEN_OBJECT(private_key)) {
533 rv = soft_put_object_to_keystore(private_key);
534 if (rv != CKR_OK) {
535 /*
536 * We also need to delete the public token object
537 * from keystore.
538 */
539 soft_delete_token_object(public_key, B_TRUE, B_FALSE);
540 soft_delete_token_object(private_key, B_FALSE, B_FALSE);
541 }
542 }
543
544 return (rv);
545 }
546
547
548 CK_RV
549 soft_key_derive_check_length(soft_object_t *secret_key, CK_ULONG max_keylen)
550 {
551
552 switch (secret_key->key_type) {
553 case CKK_GENERIC_SECRET:
554 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
555 OBJ_SEC_VALUE_LEN(secret_key) = max_keylen;
556 return (CKR_OK);
557 } else if (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen) {
558 return (CKR_ATTRIBUTE_VALUE_INVALID);
559 }
560 break;
561 case CKK_RC4:
562 case CKK_AES:
563 case CKK_BLOWFISH:
564 if ((OBJ_SEC_VALUE_LEN(secret_key) == 0) ||
565 (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen)) {
566 /* RC4 and AES has variable key length */
567 return (CKR_ATTRIBUTE_VALUE_INVALID);
568 }
569 break;
570 case CKK_DES:
571 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
572 /* DES has a well-defined length */
573 OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
574 return (CKR_OK);
575 } else if (OBJ_SEC_VALUE_LEN(secret_key) != DES_KEYSIZE) {
576 return (CKR_ATTRIBUTE_VALUE_INVALID);
577 }
578 break;
579 case CKK_DES2:
580 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
581 /* DES2 has a well-defined length */
582 OBJ_SEC_VALUE_LEN(secret_key) = DES2_KEYSIZE;
583 return (CKR_OK);
584 } else if (OBJ_SEC_VALUE_LEN(secret_key) != DES2_KEYSIZE) {
585 return (CKR_ATTRIBUTE_VALUE_INVALID);
586 }
587 break;
588
589 default:
590 return (CKR_MECHANISM_INVALID);
591 }
592
593 return (CKR_OK);
594 }
595
596 /*
597 * PKCS#11 (12.33) says that v = 512 bits (64 bytes) for SHA1
598 * PBE methods.
599 */
600 #define PKCS12_BUFFER_SIZE 64
601 /*
602 * PKCS#12 defines 3 different ID bytes to be used for
603 * deriving keys for different operations.
604 */
605 #define PBE_ID_ENCRYPT 1
606 #define PBE_ID_IV 2
607 #define PBE_ID_MAC 3
608 #define PBE_CEIL(a, b) (((a)/(b)) + (((a)%(b)) > 0))
609
610 static CK_RV
611 soft_pkcs12_pbe(soft_session_t *session_p,
612 CK_MECHANISM_PTR pMechanism,
613 soft_object_t *derived_key)
614 {
615 CK_RV rv = CKR_OK;
616 CK_PBE_PARAMS *params = pMechanism->pParameter;
617 CK_ULONG c, i, j, k;
618 CK_ULONG hashSize;
619 CK_ULONG buffSize;
620 /*
621 * Terse variable names are used to make following
622 * the PKCS#12 spec easier.
623 */
624 CK_BYTE *A = NULL;
625 CK_BYTE *Ai = NULL;
626 CK_BYTE *B = NULL;
627 CK_BYTE *D = NULL;
628 CK_BYTE *I = NULL, *S, *P;
629 CK_BYTE *keybuf = NULL;
630 CK_ULONG Alen, Ilen, Slen, Plen, AiLen, Blen, Dlen;
631 CK_ULONG keysize = OBJ_SEC_VALUE_LEN(derived_key);
632 CK_MECHANISM digest_mech;
633
634 /* U = hash function output bits */
635 if (pMechanism->mechanism == CKM_PBE_SHA1_RC4_128) {
636 hashSize = SHA1_HASH_SIZE;
637 buffSize = PKCS12_BUFFER_SIZE;
638 digest_mech.mechanism = CKM_SHA_1;
639 digest_mech.pParameter = NULL;
640 digest_mech.ulParameterLen = 0;
641 } else {
642 /* we only support 1 PBE mech for now */
643 return (CKR_MECHANISM_INVALID);
644 }
645 keybuf = OBJ_SEC_VALUE(derived_key);
646
647 Blen = Dlen = buffSize;
648 D = (CK_BYTE *)malloc(Dlen);
649 if (D == NULL) {
650 rv = CKR_HOST_MEMORY;
651 goto cleanup;
652 }
653
654 B = (CK_BYTE *)malloc(Blen);
655 if (B == NULL) {
656 rv = CKR_HOST_MEMORY;
657 goto cleanup;
658 }
659
660 /*
661 * Initialize some values and create some buffers
662 * that we need later.
663 *
664 * Slen = buffSize * CEIL(SaltLength/buffSize)
665 */
666 Slen = buffSize * PBE_CEIL(params->ulSaltLen, buffSize);
667
668 /*
669 * Plen = buffSize * CEIL(PasswordLength/buffSize)
670 */
671 Plen = buffSize * PBE_CEIL(params->ulPasswordLen, buffSize);
672
673 /*
674 * From step 4: I = S + P, so: Ilen = Slen + Plen
675 */
676 Ilen = Slen + Plen;
677 I = (CK_BYTE *)malloc(Ilen);
678 if (I == NULL) {
679 rv = CKR_HOST_MEMORY;
680 goto cleanup;
681 }
682
683 S = I;
684 P = I + Slen;
685
686 /*
687 * Step 1.
688 * We are only interested in deriving keys for encrypt/decrypt
689 * for now, so construct the "D"iversifier accordingly.
690 */
691 (void) memset(D, PBE_ID_ENCRYPT, Dlen);
692
693 /*
694 * Step 2.
695 * Concatenate copies of the salt together to make S.
696 */
697 for (i = 0; i < Slen; i += params->ulSaltLen) {
698 (void) memcpy(S+i, params->pSalt,
699 ((Slen - i) > params->ulSaltLen ?
700 params->ulSaltLen : (Slen - i)));
701 }
702
703 /*
704 * Step 3.
705 * Concatenate copies of the password together to make
706 * a string P.
707 */
708 for (i = 0; i < Plen; i += params->ulPasswordLen) {
709 (void) memcpy(P+i, params->pPassword,
710 ((Plen - i) > params->ulPasswordLen ?
711 params->ulPasswordLen : (Plen - i)));
712 }
713
714 /*
715 * Step 4.
716 * I = S+P - this is now done because S and P are
717 * pointers into I.
718 *
719 * Step 5.
720 * c= CEIL[n/u]
721 * where n = pseudorandom bits of output desired.
722 */
723 c = PBE_CEIL(keysize, hashSize);
724
725 /*
726 * Step 6.
727 */
728 Alen = c * hashSize;
729 A = (CK_BYTE *)malloc(Alen);
730 if (A == NULL) {
731 rv = CKR_HOST_MEMORY;
732 goto cleanup;
733 }
734 AiLen = hashSize;
735 Ai = (CK_BYTE *)malloc(AiLen);
736 if (Ai == NULL) {
737 rv = CKR_HOST_MEMORY;
738 goto cleanup;
739 }
740
741 /*
742 * Step 6a.
743 * Ai = Hr(D+I)
744 */
745 for (i = 0; i < c; i++) {
746 (void) pthread_mutex_lock(&session_p->session_mutex);
747
748 if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) {
749 (void) pthread_mutex_unlock(&session_p->session_mutex);
750 rv = CKR_OPERATION_ACTIVE;
751 goto cleanup;
752 }
753 session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE;
754 (void) pthread_mutex_unlock(&session_p->session_mutex);
755
756 for (j = 0; j < params->ulIteration; j++) {
757 rv = soft_digest_init(session_p, &digest_mech);
758 if (rv != CKR_OK)
759 goto digest_done;
760
761 if (j == 0) {
762 rv = soft_digest_update(session_p, D, Dlen);
763 if (rv != CKR_OK)
764 goto digest_done;
765
766 rv = soft_digest_update(session_p, I, Ilen);
767 } else {
768 rv = soft_digest_update(session_p, Ai, AiLen);
769 }
770 if (rv != CKR_OK)
771 goto digest_done;
772
773 rv = soft_digest_final(session_p, Ai, &AiLen);
774 if (rv != CKR_OK)
775 goto digest_done;
776 }
777 digest_done:
778 (void) pthread_mutex_lock(&session_p->session_mutex);
779 session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE;
780 (void) pthread_mutex_unlock(&session_p->session_mutex);
781
782 if (rv != CKR_OK)
783 goto cleanup;
784 /*
785 * Step 6b.
786 * Concatenate Ai to make B
787 */
788 for (j = 0; j < Blen; j += hashSize) {
789 (void) memcpy(B+j, Ai, ((Blen - j > hashSize) ?
790 hashSize : Blen - j));
791 }
792
793 /*
794 * Step 6c.
795 */
796 k = Ilen / Blen;
797 for (j = 0; j < k; j++) {
798 uchar_t idx;
799 CK_ULONG m, q = 1, cbit = 0;
800
801 for (m = Blen - 1; m >= (CK_ULONG)0; m--, q = 0) {
802 idx = m + j*Blen;
803
804 q += (CK_ULONG)I[idx] + (CK_ULONG)B[m];
805 q += cbit;
806 I[idx] = (CK_BYTE)(q & 0xff);
807 cbit = (q > 0xff);
808 }
809 }
810
811 /*
812 * Step 7.
813 * A += Ai
814 */
815 (void) memcpy(A + i*hashSize, Ai, AiLen);
816 }
817
818 /*
819 * Step 8.
820 * The final output of this process is the A buffer
821 */
822 (void) memcpy(keybuf, A, keysize);
823
824 cleanup:
825 if (A) {
826 bzero(A, Alen);
827 free(A);
828 }
829 if (Ai) {
830 bzero(Ai, AiLen);
831 free(Ai);
832 }
833 if (B) {
834 bzero(B, Blen);
835 free(B);
836 }
837 if (D) {
838 bzero(D, Dlen);
839 free(D);
840 }
841 if (I) {
842 bzero(I, Ilen);
843 free(I);
844 }
845 return (rv);
846 }
847
848 CK_RV
849 soft_derivekey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
850 soft_object_t *basekey_p, CK_ATTRIBUTE_PTR pTemplate,
851 CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey)
852 {
853
854 CK_RV rv = CKR_OK;
855 soft_object_t *secret_key;
856 CK_MECHANISM digest_mech;
857 CK_BYTE hash[SHA512_DIGEST_LENGTH]; /* space enough for all mechs */
858 CK_ULONG hash_len = SHA512_DIGEST_LENGTH;
859 CK_ULONG secret_key_len;
860 CK_ULONG hash_size;
861
862 switch (pMechanism->mechanism) {
863 case CKM_DH_PKCS_DERIVE:
864 /*
865 * Create a new object for secret key. The key type should
866 * be provided in the template.
867 */
868 rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
869 phKey, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL, 0,
870 SOFT_DERIVE_KEY_DH, B_FALSE);
871
872 if (rv != CKR_OK) {
873 return (rv);
874 }
875
876 /* Obtain the secret object pointer. */
877 secret_key = (soft_object_t *)*phKey;
878
879 rv = soft_dh_key_derive(basekey_p, secret_key,
880 (CK_BYTE *)pMechanism->pParameter,
881 pMechanism->ulParameterLen);
882
883 if (rv != CKR_OK) {
884 if (IS_TOKEN_OBJECT(secret_key))
885 soft_delete_token_object(secret_key, B_FALSE,
886 B_FALSE);
887 else
888 soft_delete_object(session_p, secret_key,
889 B_FALSE, B_FALSE);
890 return (rv);
891 }
892
893 break;
894
895 case CKM_ECDH1_DERIVE:
896 /*
897 * Create a new object for secret key. The key type should
898 * be provided in the template.
899 */
900 rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
901 phKey, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL, 0,
902 SOFT_DERIVE_KEY_DH, B_FALSE);
903
904 if (rv != CKR_OK) {
905 return (rv);
906 }
907
908 /* Obtain the secret object pointer. */
909 secret_key = (soft_object_t *)*phKey;
910
911 rv = soft_ec_key_derive(basekey_p, secret_key,
912 (CK_BYTE *)pMechanism->pParameter,
913 pMechanism->ulParameterLen);
914
915 if (rv != CKR_OK) {
916 if (IS_TOKEN_OBJECT(secret_key))
917 soft_delete_token_object(secret_key, B_FALSE,
918 B_FALSE);
919 else
920 soft_delete_object(session_p, secret_key,
921 B_FALSE, B_FALSE);
922 return (rv);
923 }
924
925 break;
926
927 case CKM_SHA1_KEY_DERIVATION:
928 hash_size = SHA1_HASH_SIZE;
929 digest_mech.mechanism = CKM_SHA_1;
930 goto common;
931
932 case CKM_MD5_KEY_DERIVATION:
933 hash_size = MD5_HASH_SIZE;
934 digest_mech.mechanism = CKM_MD5;
935 goto common;
936
937 case CKM_SHA256_KEY_DERIVATION:
938 hash_size = SHA256_DIGEST_LENGTH;
939 digest_mech.mechanism = CKM_SHA256;
940 goto common;
941
942 case CKM_SHA384_KEY_DERIVATION:
943 hash_size = SHA384_DIGEST_LENGTH;
944 digest_mech.mechanism = CKM_SHA384;
945 goto common;
946
947 case CKM_SHA512_KEY_DERIVATION:
948 hash_size = SHA512_DIGEST_LENGTH;
949 digest_mech.mechanism = CKM_SHA512;
950 goto common;
951
952 common:
953 /*
954 * Create a new object for secret key. The key type is optional
955 * to be provided in the template. If it is not specified in
956 * the template, the default is CKK_GENERIC_SECRET.
957 */
958 rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
959 phKey, session_p, CKO_SECRET_KEY,
960 (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0,
961 SOFT_DERIVE_KEY_OTHER, B_FALSE);
962
963 if (rv != CKR_OK) {
964 return (rv);
965 }
966
967 /* Obtain the secret object pointer. */
968 secret_key = (soft_object_t *)*phKey;
969
970 /* Validate the key type and key length */
971 rv = soft_key_derive_check_length(secret_key, hash_size);
972 if (rv != CKR_OK) {
973 if (IS_TOKEN_OBJECT(secret_key))
974 soft_delete_token_object(secret_key, B_FALSE,
975 B_FALSE);
976 else
977 soft_delete_object(session_p, secret_key,
978 B_FALSE, B_FALSE);
979 return (rv);
980 }
981
982 /*
983 * Derive the secret key by digesting the value of another
984 * secret key (base key) with SHA-1 or MD5.
985 */
986 rv = soft_digest_init_internal(session_p, &digest_mech);
987 if (rv != CKR_OK) {
988 if (IS_TOKEN_OBJECT(secret_key))
989 soft_delete_token_object(secret_key, B_FALSE,
990 B_FALSE);
991 else
992 soft_delete_object(session_p, secret_key,
993 B_FALSE, B_FALSE);
994 return (rv);
995 }
996
997 rv = soft_digest(session_p, OBJ_SEC_VALUE(basekey_p),
998 OBJ_SEC_VALUE_LEN(basekey_p), hash, &hash_len);
999
1000 (void) pthread_mutex_lock(&session_p->session_mutex);
1001 /* soft_digest_common() has freed the digest context */
1002 session_p->digest.flags = 0;
1003 (void) pthread_mutex_unlock(&session_p->session_mutex);
1004
1005 if (rv != CKR_OK) {
1006 if (IS_TOKEN_OBJECT(secret_key))
1007 soft_delete_token_object(secret_key, B_FALSE,
1008 B_FALSE);
1009 else
1010 soft_delete_object(session_p, secret_key,
1011 B_FALSE, B_FALSE);
1012 return (rv);
1013 }
1014
1015 secret_key_len = OBJ_SEC_VALUE_LEN(secret_key);
1016
1017 if ((OBJ_SEC_VALUE(secret_key) = malloc(secret_key_len)) ==
1018 NULL) {
1019 if (IS_TOKEN_OBJECT(secret_key))
1020 soft_delete_token_object(secret_key, B_FALSE,
1021 B_FALSE);
1022 else
1023 soft_delete_object(session_p, secret_key,
1024 B_FALSE, B_FALSE);
1025 return (CKR_HOST_MEMORY);
1026 }
1027
1028 /*
1029 * The key produced by this mechanism will be of the
1030 * specified type and length.
1031 * The truncation removes extra bytes from the leading
1032 * of the digested key value.
1033 */
1034 (void) memcpy(OBJ_SEC_VALUE(secret_key),
1035 (hash + hash_len - secret_key_len),
1036 secret_key_len);
1037
1038 break;
1039
1040 /*
1041 * The key sensitivity and extractability rules for the generated
1042 * keys will be enforced inside soft_ssl_master_key_derive() and
1043 * soft_ssl_key_and_mac_derive()
1044 */
1045 case CKM_SSL3_MASTER_KEY_DERIVE:
1046 case CKM_SSL3_MASTER_KEY_DERIVE_DH:
1047 case CKM_TLS_MASTER_KEY_DERIVE:
1048 case CKM_TLS_MASTER_KEY_DERIVE_DH:
1049 if (phKey == NULL_PTR)
1050 return (CKR_ARGUMENTS_BAD);
1051 return (soft_ssl_master_key_derive(session_p, pMechanism,
1052 basekey_p, pTemplate, ulAttributeCount, phKey));
1053
1054 case CKM_SSL3_KEY_AND_MAC_DERIVE:
1055 case CKM_TLS_KEY_AND_MAC_DERIVE:
1056 return (soft_ssl_key_and_mac_derive(session_p, pMechanism,
1057 basekey_p, pTemplate, ulAttributeCount));
1058
1059 case CKM_TLS_PRF:
1060 if (pMechanism->pParameter == NULL ||
1061 pMechanism->ulParameterLen != sizeof (CK_TLS_PRF_PARAMS) ||
1062 phKey != NULL)
1063 return (CKR_ARGUMENTS_BAD);
1064
1065 if (pTemplate != NULL)
1066 return (CKR_TEMPLATE_INCONSISTENT);
1067
1068 return (derive_tls_prf(
1069 (CK_TLS_PRF_PARAMS_PTR)pMechanism->pParameter, basekey_p));
1070
1071 default:
1072 return (CKR_MECHANISM_INVALID);
1073 }
1074
1075 soft_derive_enforce_flags(basekey_p, secret_key);
1076
1077 if (IS_TOKEN_OBJECT(secret_key)) {
1078 /*
1079 * All the info has been filled, so we can write to
1080 * keystore now.
1081 */
1082 rv = soft_put_object_to_keystore(secret_key);
1083 if (rv != CKR_OK)
1084 soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
1085 }
1086
1087 return (rv);
1088 }
1089
1090
1091 /*
1092 * Perform key derivation rules on key's sensitivity and extractability.
1093 */
1094 void
1095 soft_derive_enforce_flags(soft_object_t *basekey, soft_object_t *newkey)
1096 {
1097
1098 boolean_t new_sensitive = B_FALSE;
1099 boolean_t new_extractable = B_FALSE;
1100
1101 /*
1102 * The sensitive and extractable bits have been set when
1103 * the newkey was built.
1104 */
1105 if (newkey->bool_attr_mask & SENSITIVE_BOOL_ON) {
1106 new_sensitive = B_TRUE;
1107 }
1108
1109 if (newkey->bool_attr_mask & EXTRACTABLE_BOOL_ON) {
1110 new_extractable = B_TRUE;
1111 }
1112
1113 /* Derive the CKA_ALWAYS_SENSITIVE flag */
1114 if (!basekey->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON) {
1115 /*
1116 * If the base key has its CKA_ALWAYS_SENSITIVE set to
1117 * FALSE, then the derived key will as well.
1118 */
1119 newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON;
1120 } else {
1121 /*
1122 * If the base key has its CKA_ALWAYS_SENSITIVE set to TRUE,
1123 * then the derived key has the CKA_ALWAYS_SENSITIVE set to
1124 * the same value as its CKA_SENSITIVE;
1125 */
1126 if (new_sensitive) {
1127 newkey->bool_attr_mask |= ALWAYS_SENSITIVE_BOOL_ON;
1128 } else {
1129 newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON;
1130 }
1131 }
1132
1133 /* Derive the CKA_NEVER_EXTRACTABLE flag */
1134 if (!basekey->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) {
1135 /*
1136 * If the base key has its CKA_NEVER_EXTRACTABLE set to
1137 * FALSE, then the derived key will as well.
1138 */
1139 newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON;
1140 } else {
1141 /*
1142 * If the base key has its CKA_NEVER_EXTRACTABLE set to TRUE,
1143 * then the derived key has the CKA_NEVER_EXTRACTABLE set to
1144 * the opposite value from its CKA_EXTRACTABLE;
1145 */
1146 if (new_extractable) {
1147 newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON;
1148 } else {
1149 newkey->bool_attr_mask |= NEVER_EXTRACTABLE_BOOL_ON;
1150 }
1151 }
1152
1153 /* Set the CKA_LOCAL flag to false */
1154 newkey->bool_attr_mask &= ~LOCAL_BOOL_ON;
1155 }
1156
1157
1158 /*
1159 * do_prf
1160 *
1161 * This routine implements Step 3. of the PBKDF2 function
1162 * defined in PKCS#5 for generating derived keys from a
1163 * password.
1164 *
1165 * Currently, PRF is always SHA_1_HMAC.
1166 */
1167 static CK_RV
1168 do_prf(soft_session_t *session_p,
1169 CK_PKCS5_PBKD2_PARAMS_PTR params,
1170 soft_object_t *hmac_key,
1171 CK_BYTE *newsalt, CK_ULONG saltlen,
1172 CK_BYTE *blockdata, CK_ULONG blocklen)
1173 {
1174 CK_RV rv = CKR_OK;
1175 CK_MECHANISM digest_mech = {CKM_SHA_1_HMAC, NULL, 0};
1176 CK_BYTE buffer[2][SHA1_HASH_SIZE];
1177 CK_ULONG hmac_outlen = SHA1_HASH_SIZE;
1178 CK_ULONG inlen;
1179 CK_BYTE *input, *output;
1180 CK_ULONG i, j;
1181
1182 input = newsalt;
1183 inlen = saltlen;
1184
1185 output = buffer[1];
1186 (void) pthread_mutex_lock(&session_p->session_mutex);
1187
1188 if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) {
1189 (void) pthread_mutex_unlock(&session_p->session_mutex);
1190 return (CKR_OPERATION_ACTIVE);
1191 }
1192 session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE;
1193 (void) pthread_mutex_unlock(&session_p->session_mutex);
1194
1195 for (i = 0; i < params->iterations; i++) {
1196 /*
1197 * The key doesn't change, its always the
1198 * password iniitally given.
1199 */
1200 rv = soft_sign_init(session_p, &digest_mech, hmac_key);
1201
1202 if (rv != CKR_OK) {
1203 goto cleanup;
1204 }
1205
1206 /* Call PRF function (SHA1_HMAC for now). */
1207 rv = soft_sign(session_p, input, inlen, output, &hmac_outlen);
1208
1209 if (rv != CKR_OK) {
1210 goto cleanup;
1211 }
1212 /*
1213 * The first time, initialize the output buffer
1214 * with the HMAC signature.
1215 */
1216 if (i == 0) {
1217 (void) memcpy(blockdata, output,
1218 local_min(blocklen, hmac_outlen));
1219 } else {
1220 /*
1221 * XOR the existing data with output from PRF.
1222 *
1223 * Only XOR up to the length of the blockdata,
1224 * it may be less than a full hmac buffer when
1225 * the final block is being computed.
1226 */
1227 for (j = 0; j < hmac_outlen && j < blocklen; j++)
1228 blockdata[j] ^= output[j];
1229 }
1230 /* Output from previous PRF is input for next round */
1231 input = output;
1232 inlen = hmac_outlen;
1233
1234 /*
1235 * Switch buffers to avoid overuse of memcpy.
1236 * Initially we used buffer[1], so after the end of
1237 * the first iteration (i==0), we switch to buffer[0]
1238 * and continue swapping with each iteration.
1239 */
1240 output = buffer[i%2];
1241 }
1242 cleanup:
1243 (void) pthread_mutex_lock(&session_p->session_mutex);
1244 session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE;
1245 (void) pthread_mutex_unlock(&session_p->session_mutex);
1246
1247 return (rv);
1248 }
1249
1250 static CK_RV
1251 soft_create_hmac_key(soft_session_t *session_p, CK_BYTE *passwd,
1252 CK_ULONG passwd_len, CK_OBJECT_HANDLE_PTR phKey)
1253 {
1254 CK_RV rv = CKR_OK;
1255 CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY;
1256 CK_KEY_TYPE keytype = CKK_GENERIC_SECRET;
1257 CK_BBOOL True = TRUE;
1258 CK_ATTRIBUTE keytemplate[4];
1259 /*
1260 * We must initialize each template member individually
1261 * because at the time of initial coding for ON10, the
1262 * compiler was using the "-xc99=%none" option
1263 * which prevents us from being able to declare the whole
1264 * template in place as usual.
1265 */
1266 keytemplate[0].type = CKA_CLASS;
1267 keytemplate[0].pValue = &keyclass;
1268 keytemplate[0].ulValueLen = sizeof (keyclass);
1269
1270 keytemplate[1].type = CKA_KEY_TYPE;
1271 keytemplate[1].pValue = &keytype;
1272 keytemplate[1].ulValueLen = sizeof (keytype);
1273
1274 keytemplate[2].type = CKA_SIGN;
1275 keytemplate[2].pValue = &True;
1276 keytemplate[2].ulValueLen = sizeof (True);
1277
1278 keytemplate[3].type = CKA_VALUE;
1279 keytemplate[3].pValue = passwd;
1280 keytemplate[3].ulValueLen = passwd_len;
1281 /*
1282 * Create a generic key object to be used for HMAC operations.
1283 * The "value" for this key is the password from the
1284 * mechanism parameter structure.
1285 */
1286 rv = soft_gen_keyobject(keytemplate,
1287 sizeof (keytemplate)/sizeof (CK_ATTRIBUTE), phKey, session_p,
1288 CKO_SECRET_KEY, (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0,
1289 SOFT_CREATE_OBJ, B_TRUE);
1290
1291 return (rv);
1292 }
1293
1294 CK_RV
1295 soft_generate_pkcs5_pbkdf2_key(soft_session_t *session_p,
1296 CK_MECHANISM_PTR pMechanism,
1297 soft_object_t *secret_key)
1298 {
1299 CK_RV rv = CKR_OK;
1300 CK_PKCS5_PBKD2_PARAMS *params =
1301 (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter;
1302 CK_ULONG hLen = SHA1_HASH_SIZE;
1303 CK_ULONG dkLen, i;
1304 CK_ULONG blocks, remainder;
1305 CK_OBJECT_HANDLE phKey = 0;
1306 soft_object_t *hmac_key = NULL;
1307 CK_BYTE *salt = NULL;
1308 CK_BYTE *keydata = NULL;
1309
1310 params = (CK_PKCS5_PBKD2_PARAMS_PTR) pMechanism->pParameter;
1311
1312 if (params->prf != CKP_PKCS5_PBKD2_HMAC_SHA1)
1313 return (CKR_MECHANISM_PARAM_INVALID);
1314
1315 if (params->pPrfData != NULL || params->ulPrfDataLen != 0)
1316 return (CKR_DATA_INVALID);
1317
1318 if (params->saltSource != CKZ_SALT_SPECIFIED ||
1319 params->iterations == 0)
1320 return (CKR_MECHANISM_PARAM_INVALID);
1321
1322 /*
1323 * Create a key object to use for HMAC operations.
1324 */
1325 rv = soft_create_hmac_key(session_p, params->pPassword,
1326 *params->ulPasswordLen, &phKey);
1327
1328 if (rv != CKR_OK)
1329 return (rv);
1330
1331 hmac_key = (soft_object_t *)phKey;
1332
1333 /* Step 1. */
1334 dkLen = OBJ_SEC_VALUE_LEN(secret_key); /* length of desired key */
1335
1336 if (dkLen > ((((u_longlong_t)1)<<32)-1)*hLen) {
1337 (void) soft_delete_object(session_p, hmac_key, B_FALSE,
1338 B_FALSE);
1339 return (CKR_KEY_SIZE_RANGE);
1340 }
1341
1342 /* Step 2. */
1343 blocks = dkLen / hLen;
1344
1345 /* crude "Ceiling" function to adjust the number of blocks to use */
1346 if (blocks * hLen != dkLen)
1347 blocks++;
1348
1349 remainder = dkLen - ((blocks - 1) * hLen);
1350
1351 /* Step 3 */
1352 salt = (CK_BYTE *)malloc(params->ulSaltSourceDataLen + 4);
1353 if (salt == NULL) {
1354 (void) soft_delete_object(session_p, hmac_key, B_FALSE,
1355 B_FALSE);
1356 return (CKR_HOST_MEMORY);
1357 }
1358 /*
1359 * Nothing in PKCS#5 says you cannot pass an empty
1360 * salt, so we will allow for this and not return error
1361 * if the salt is not specified.
1362 */
1363 if (params->pSaltSourceData != NULL && params->ulSaltSourceDataLen > 0)
1364 (void) memcpy(salt, params->pSaltSourceData,
1365 params->ulSaltSourceDataLen);
1366
1367 /*
1368 * Get pointer to the data section of the key,
1369 * this will be used below as output from the
1370 * PRF iteration/concatenations so that when the
1371 * blocks are all iterated, the secret_key will
1372 * have the resulting derived key value.
1373 */
1374 keydata = (CK_BYTE *)OBJ_SEC_VALUE(secret_key);
1375
1376 /* Step 4. */
1377 for (i = 0; i < blocks && (rv == CKR_OK); i++) {
1378 CK_BYTE *s;
1379
1380 s = salt + params->ulSaltSourceDataLen;
1381
1382 /*
1383 * Append the block index to the salt as input
1384 * to the PRF. Block index should start at 1
1385 * not 0.
1386 */
1387 *s++ = ((i+1) >> 24) & 0xff;
1388 *s++ = ((i+1) >> 16) & 0xff;
1389 *s++ = ((i+1) >> 8) & 0xff;
1390 *s = ((i+1)) & 0xff;
1391
1392 /*
1393 * Adjust the key pointer so we always append the
1394 * PRF output to the current key.
1395 */
1396 rv = do_prf(session_p, params, hmac_key,
1397 salt, params->ulSaltSourceDataLen + 4, keydata,
1398 ((i + 1) == blocks ? remainder : hLen));
1399
1400 keydata += hLen;
1401 }
1402 (void) soft_delete_object(session_p, hmac_key, B_FALSE, B_FALSE);
1403 free(salt);
1404
1405 return (rv);
1406 }
1407
1408 CK_RV
1409 soft_wrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
1410 soft_object_t *wrappingKey_p, soft_object_t *hkey_p,
1411 CK_BYTE_PTR pWrappedKey, CK_ULONG_PTR pulWrappedKeyLen)
1412 {
1413 CK_RV rv = CKR_OK;
1414 CK_ULONG plain_len = 0;
1415 CK_BYTE_PTR plain_data = NULL;
1416 CK_ULONG padded_len = 0;
1417 CK_BYTE_PTR padded_data = NULL;
1418 CK_ULONG wkey_blksz = 1; /* so modulo will work right */
1419
1420 /* Check if the mechanism is supported. */
1421 switch (pMechanism->mechanism) {
1422 case CKM_DES_CBC_PAD:
1423 case CKM_DES3_CBC_PAD:
1424 case CKM_AES_CBC_PAD:
1425 /*
1426 * Secret key mechs with padding can be used to wrap secret
1427 * keys and private keys only. See PKCS#11, * sec 11.14,
1428 * C_WrapKey and secs 12.* for each mechanism's wrapping/
1429 * unwrapping constraints.
1430 */
1431 if (hkey_p->class != CKO_SECRET_KEY && hkey_p->class !=
1432 CKO_PRIVATE_KEY)
1433 return (CKR_MECHANISM_INVALID);
1434 break;
1435 case CKM_RSA_PKCS:
1436 case CKM_RSA_X_509:
1437 case CKM_DES_ECB:
1438 case CKM_DES3_ECB:
1439 case CKM_AES_ECB:
1440 case CKM_DES_CBC:
1441 case CKM_DES3_CBC:
1442 case CKM_AES_CBC:
1443 case CKM_AES_CTR:
1444 case CKM_BLOWFISH_CBC:
1445 /*
1446 * Unpadded secret key mechs and private key mechs are only
1447 * defined for wrapping secret keys. See PKCS#11 refs above.
1448 */
1449 if (hkey_p->class != CKO_SECRET_KEY)
1450 return (CKR_MECHANISM_INVALID);
1451 break;
1452 default:
1453 return (CKR_MECHANISM_INVALID);
1454 }
1455
1456 if (hkey_p->class == CKO_SECRET_KEY) {
1457 plain_data = OBJ_SEC_VALUE(hkey_p);
1458 plain_len = OBJ_SEC_VALUE_LEN(hkey_p);
1459 } else {
1460 /*
1461 * BER-encode the object to be wrapped: call first with
1462 * plain_data = NULL to get the size needed, allocate that
1463 * much space, call again to fill space with actual data.
1464 */
1465 rv = soft_object_to_asn1(hkey_p, NULL, &plain_len);
1466 if (rv != CKR_OK)
1467 return (rv);
1468 if ((plain_data = malloc(plain_len)) == NULL)
1469 return (CKR_HOST_MEMORY);
1470 (void) memset(plain_data, 0x0, plain_len);
1471 rv = soft_object_to_asn1(hkey_p, plain_data, &plain_len);
1472 if (rv != CKR_OK)
1473 goto cleanup_wrap;
1474 }
1475
1476 /*
1477 * For unpadded ECB and CBC mechanisms, the object needs to be
1478 * padded to the wrapping key's blocksize prior to the encryption.
1479 */
1480 padded_len = plain_len;
1481 padded_data = plain_data;
1482
1483 switch (pMechanism->mechanism) {
1484 case CKM_DES_ECB:
1485 case CKM_DES3_ECB:
1486 case CKM_AES_ECB:
1487 case CKM_DES_CBC:
1488 case CKM_DES3_CBC:
1489 case CKM_AES_CBC:
1490 case CKM_BLOWFISH_CBC:
1491 /* Find the block size of the wrapping key. */
1492 if (wrappingKey_p->class == CKO_SECRET_KEY) {
1493 switch (wrappingKey_p->key_type) {
1494 case CKK_DES:
1495 case CKK_DES2:
1496 case CKK_DES3:
1497 wkey_blksz = DES_BLOCK_LEN;
1498 break;
1499 case CKK_AES:
1500 wkey_blksz = AES_BLOCK_LEN;
1501 break;
1502 case CKK_BLOWFISH:
1503 wkey_blksz = BLOWFISH_BLOCK_LEN;
1504 break;
1505 default:
1506 break;
1507 }
1508 } else {
1509 rv = CKR_WRAPPING_KEY_TYPE_INCONSISTENT;
1510 goto cleanup_wrap;
1511 }
1512
1513 /* Extend the plain text data to block size boundary. */
1514 if ((padded_len % wkey_blksz) != 0) {
1515 padded_len += (wkey_blksz - (plain_len % wkey_blksz));
1516 if ((padded_data = malloc(padded_len)) == NULL) {
1517 rv = CKR_HOST_MEMORY;
1518 goto cleanup_wrap;
1519 }
1520 (void) memset(padded_data, 0x0, padded_len);
1521 (void) memcpy(padded_data, plain_data, plain_len);
1522 }
1523 break;
1524 default:
1525 break;
1526 }
1527
1528 rv = soft_encrypt_init(session_p, pMechanism, wrappingKey_p);
1529 if (rv != CKR_OK)
1530 goto cleanup_wrap;
1531
1532 rv = soft_encrypt(session_p, padded_data, padded_len,
1533 pWrappedKey, pulWrappedKeyLen);
1534
1535 cleanup_wrap:
1536 if (padded_data != NULL && padded_len != plain_len) {
1537 /* Clear buffer before returning to memory pool. */
1538 (void) memset(padded_data, 0x0, padded_len);
1539 free(padded_data);
1540 }
1541
1542 if ((hkey_p->class != CKO_SECRET_KEY) && (plain_data != NULL)) {
1543 /* Clear buffer before returning to memory pool. */
1544 (void) memset(plain_data, 0x0, plain_len);
1545 free(plain_data);
1546 }
1547
1548 return (rv);
1549 }
1550
1551 /*
1552 * Quick check for whether unwrapped key length is appropriate for key type
1553 * and whether it needs to be truncated (in case the wrapping function had
1554 * to pad the key prior to wrapping).
1555 */
1556 static CK_RV
1557 soft_unwrap_secret_len_check(CK_KEY_TYPE keytype, CK_MECHANISM_TYPE mechtype,
1558 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount)
1559 {
1560 CK_ULONG i;
1561 boolean_t isValueLen = B_FALSE;
1562
1563 /*
1564 * Based on the key type and the mech used to unwrap, need to
1565 * determine if CKA_VALUE_LEN should or should not be specified.
1566 * PKCS#11 v2.11 restricts CKA_VALUE_LEN from being specified
1567 * for C_UnwrapKey for all mechs and key types, but v2.20 loosens
1568 * that restriction, perhaps because it makes it impossible to
1569 * determine the original length of unwrapped variable-length secret
1570 * keys, such as RC4, AES, and GENERIC_SECRET. These variable-length
1571 * secret keys would have been padded with trailing null-bytes so
1572 * that they could be successfully wrapped with *_ECB and *_CBC
1573 * mechanisms. Hence for unwrapping with these mechs, CKA_VALUE_LEN
1574 * must be specified. For unwrapping with other mechs, such as
1575 * *_CBC_PAD, the CKA_VALUE_LEN is not needed.
1576 */
1577
1578 /* Find out if template has CKA_VALUE_LEN. */
1579 for (i = 0; i < ulAttributeCount; i++) {
1580 if (pTemplate[i].type == CKA_VALUE_LEN &&
1581 pTemplate[i].pValue != NULL) {
1582 isValueLen = B_TRUE;
1583 break;
1584 }
1585 }
1586
1587 /* Does its presence conflict with the mech type and key type? */
1588 switch (mechtype) {
1589 case CKM_DES_ECB:
1590 case CKM_DES3_ECB:
1591 case CKM_AES_ECB:
1592 case CKM_DES_CBC:
1593 case CKM_DES3_CBC:
1594 case CKM_AES_CBC:
1595 case CKM_BLOWFISH_CBC:
1596 /*
1597 * CKA_VALUE_LEN must be specified
1598 * if keytype is CKK_RC4, CKK_AES and CKK_GENERIC_SECRET
1599 * and must not be specified otherwise
1600 */
1601 switch (keytype) {
1602 case CKK_DES:
1603 case CKK_DES2:
1604 case CKK_DES3:
1605 if (isValueLen)
1606 return (CKR_TEMPLATE_INCONSISTENT);
1607 break;
1608 case CKK_GENERIC_SECRET:
1609 case CKK_RC4:
1610 case CKK_AES:
1611 case CKK_BLOWFISH:
1612 if (!isValueLen)
1613 return (CKR_TEMPLATE_INCOMPLETE);
1614 break;
1615 default:
1616 return (CKR_FUNCTION_NOT_SUPPORTED);
1617 }
1618 break;
1619 default:
1620 /* CKA_VALUE_LEN must not be specified */
1621 if (isValueLen)
1622 return (CKR_TEMPLATE_INCONSISTENT);
1623 break;
1624 }
1625
1626 return (CKR_OK);
1627 }
1628
1629 CK_RV
1630 soft_unwrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
1631 soft_object_t *unwrappingkey_p,
1632 CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
1633 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
1634 CK_OBJECT_HANDLE_PTR phKey)
1635 {
1636 CK_RV rv = CKR_OK;
1637 CK_OBJECT_CLASS new_obj_class = ~0UL;
1638 int i = 0;
1639 soft_object_t *new_objp = NULL;
1640 boolean_t persistent = B_FALSE;
1641 CK_BYTE_PTR plain_data = NULL;
1642 CK_ULONG plain_len = 0;
1643 secret_key_obj_t *sck = NULL;
1644
1645 /* Scan the attribute template for the object class. */
1646 if (pTemplate != NULL && ulAttributeCount != 0) {
1647 for (i = 0; i < ulAttributeCount; i++) {
1648 if (pTemplate[i].type == CKA_CLASS) {
1649 new_obj_class =
1650 *((CK_OBJECT_CLASS *)pTemplate[i].pValue);
1651 break;
1652 }
1653 }
1654 if (new_obj_class == ~0UL)
1655 return (CKR_TEMPLATE_INCOMPLETE);
1656 }
1657
1658 /*
1659 * Check if the mechanism is supported, and now that the new
1660 * object's class is known, the mechanism selected should be
1661 * capable of doing the unwrap.
1662 */
1663 switch (pMechanism->mechanism) {
1664 case CKM_RSA_PKCS:
1665 case CKM_RSA_X_509:
1666 case CKM_DES_ECB:
1667 case CKM_DES3_ECB:
1668 case CKM_AES_ECB:
1669 case CKM_DES_CBC:
1670 case CKM_DES3_CBC:
1671 case CKM_AES_CBC:
1672 case CKM_BLOWFISH_CBC:
1673 if (new_obj_class != CKO_SECRET_KEY)
1674 return (CKR_MECHANISM_INVALID);
1675 break;
1676 case CKM_DES_CBC_PAD:
1677 case CKM_DES3_CBC_PAD:
1678 case CKM_AES_CBC_PAD:
1679 if (new_obj_class != CKO_SECRET_KEY && new_obj_class !=
1680 CKO_PRIVATE_KEY)
1681 return (CKR_MECHANISM_INVALID);
1682 break;
1683 default:
1684 return (CKR_MECHANISM_INVALID);
1685 }
1686
1687 /* Create a new object based on the attribute template. */
1688 rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
1689 (CK_ULONG *)&new_objp, session_p, (CK_OBJECT_CLASS)~0UL,
1690 (CK_KEY_TYPE)~0UL, 0, SOFT_UNWRAP_KEY, B_FALSE);
1691 if (rv != CKR_OK)
1692 return (rv);
1693
1694 /*
1695 * New key will have CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE
1696 * both set to FALSE. CKA_EXTRACTABLE will be set _by_default_ to
1697 * true -- leaving the possibility that it may be set FALSE by the
1698 * supplied attribute template. If the precise template cannot be
1699 * supported, unwrap fails. PKCS#11 spec, Sec. 11.14, C_UnwrapKey.
1700 *
1701 * Therefore, check the new object's NEVER_EXTRACTABLE_BOOL_ON and
1702 * ALWAYS_SENSITVE_BOOL_ON; if they are TRUE, the template must
1703 * have supplied them and therefore we cannot honor the unwrap.
1704 */
1705 if ((new_objp->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) ||
1706 (new_objp->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON)) {
1707 rv = CKR_TEMPLATE_INCONSISTENT;
1708 goto cleanup_unwrap;
1709 }
1710
1711 rv = soft_decrypt_init(session_p, pMechanism, unwrappingkey_p);
1712 if (rv != CKR_OK)
1713 goto cleanup_unwrap;
1714
1715 /* First get the length of the plain data */
1716 rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, NULL,
1717 &plain_len);
1718 if (rv != CKR_OK)
1719 goto cleanup_unwrap;
1720
1721 /* Allocate space for the unwrapped data */
1722 if ((plain_data = malloc(plain_len)) == NULL) {
1723 rv = CKR_HOST_MEMORY;
1724 goto cleanup_unwrap;
1725 }
1726 (void) memset(plain_data, 0x0, plain_len);
1727
1728 /* Perform actual decryption into the allocated space. */
1729 rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, plain_data,
1730 &plain_len);
1731 if (rv != CKR_OK)
1732 goto cleanup_unwrap;
1733
1734 if (new_objp->class == CKO_SECRET_KEY) {
1735 /*
1736 * Since no ASN.1 encoding is done for secret keys, check for
1737 * appropriateness and copy decrypted buffer to the key object.
1738 */
1739
1740 /* Check keytype and mechtype don't conflict with valuelen */
1741 rv = soft_unwrap_secret_len_check(new_objp->key_type,
1742 pMechanism->mechanism, pTemplate, ulAttributeCount);
1743 if (rv != CKR_OK)
1744 goto cleanup_unwrap;
1745
1746 /*
1747 * Allocate the secret key structure if not already there;
1748 * it will exist for variable length keys since CKA_VALUE_LEN
1749 * is specified and saved, but not for fixed length keys.
1750 */
1751 if (OBJ_SEC(new_objp) == NULL) {
1752 if ((sck = calloc(1, sizeof (secret_key_obj_t))) ==
1753 NULL) {
1754 rv = CKR_HOST_MEMORY;
1755 goto cleanup_unwrap;
1756 }
1757 OBJ_SEC(new_objp) = sck;
1758 }
1759
1760 switch (new_objp->key_type) {
1761 /* Fixed length secret keys don't have CKA_VALUE_LEN */
1762 case CKK_DES:
1763 OBJ_SEC_VALUE_LEN(new_objp) = DES_KEYSIZE;
1764 break;
1765 case CKK_DES2:
1766 OBJ_SEC_VALUE_LEN(new_objp) = DES2_KEYSIZE;
1767 break;
1768 case CKK_DES3:
1769 OBJ_SEC_VALUE_LEN(new_objp) = DES3_KEYSIZE;
1770 break;
1771
1772 /*
1773 * Variable length secret keys. CKA_VALUE_LEN must be
1774 * provided by the template when mech is *_ECB or *_CBC, and
1775 * should already have been set during soft_gen_keyobject().
1776 * Otherwise we don't need CKA_VALUE_LEN.
1777 */
1778 case CKK_GENERIC_SECRET:
1779 case CKK_RC4:
1780 case CKK_AES:
1781 case CKK_BLOWFISH:
1782 break;
1783 default:
1784 rv = CKR_WRAPPED_KEY_INVALID;
1785 goto cleanup_unwrap;
1786 };
1787
1788 if (OBJ_SEC_VALUE_LEN(new_objp) == 0) {
1789 /* No CKA_VALUE_LEN set so set it now and save data */
1790 OBJ_SEC_VALUE_LEN(new_objp) = plain_len;
1791 OBJ_SEC_VALUE(new_objp) = plain_data;
1792 } else if (OBJ_SEC_VALUE_LEN(new_objp) == plain_len) {
1793 /* No need to truncate, just save the data */
1794 OBJ_SEC_VALUE(new_objp) = plain_data;
1795 } else if (OBJ_SEC_VALUE_LEN(new_objp) > plain_len) {
1796 /* Length can't be bigger than what was decrypted */
1797 rv = CKR_WRAPPED_KEY_LEN_RANGE;
1798 goto cleanup_unwrap;
1799 } else { /* betw 0 and plain_len, hence padded */
1800 /* Truncate the data before saving. */
1801 OBJ_SEC_VALUE(new_objp) = realloc(plain_data,
1802 OBJ_SEC_VALUE_LEN(new_objp));
1803 if (OBJ_SEC_VALUE(new_objp) == NULL) {
1804 rv = CKR_HOST_MEMORY;
1805 goto cleanup_unwrap;
1806 }
1807 }
1808 } else {
1809 /* BER-decode the object to be unwrapped. */
1810 rv = soft_asn1_to_object(new_objp, plain_data, plain_len);
1811 if (rv != CKR_OK)
1812 goto cleanup_unwrap;
1813 }
1814
1815 /* If it needs to be persistent, write it to the keystore */
1816 if (IS_TOKEN_OBJECT(new_objp)) {
1817 persistent = B_TRUE;
1818 rv = soft_put_object_to_keystore(new_objp);
1819 if (rv != CKR_OK)
1820 goto cleanup_unwrap;
1821 }
1822
1823 if (new_objp->class != CKO_SECRET_KEY) {
1824 /* Clear buffer before returning to memory pool. */
1825 (void) memset(plain_data, 0x0, plain_len);
1826 free(plain_data);
1827 }
1828
1829 *phKey = (CK_OBJECT_HANDLE)new_objp;
1830
1831 return (CKR_OK);
1832
1833 cleanup_unwrap:
1834 /* The decrypted private key buffer must be freed explicitly. */
1835 if ((new_objp->class != CKO_SECRET_KEY) && (plain_data != NULL)) {
1836 /* Clear buffer before returning to memory pool. */
1837 (void) memset(plain_data, 0x0, plain_len);
1838 free(plain_data);
1839 }
1840
1841 /* sck and new_objp are indirectly free()d inside these functions */
1842 if (IS_TOKEN_OBJECT(new_objp))
1843 soft_delete_token_object(new_objp, persistent, B_FALSE);
1844 else
1845 soft_delete_object(session_p, new_objp, B_FALSE, B_FALSE);
1846
1847 return (rv);
1848 }