Print this page
9642 PKCS#11 softtoken should use explicit_bzero
Reviewed by: Dan McDonald <danmcd@joyent.com>
Reviewed by: Alex Wilson <alex.wilson@joyent.com>
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeysUtil.c
+++ new/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeysUtil.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
|
↓ open down ↓ |
13 lines elided |
↑ open up ↑ |
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 23 * Use is subject to license terms.
24 + * Copyright (c) 2018, Joyent, Inc.
24 25 */
25 26
26 27 #include <pthread.h>
27 28 #include <stdlib.h>
28 29 #include <string.h>
29 30 #include <strings.h>
30 31 #include <sys/types.h>
31 32 #include <security/cryptoki.h>
32 33 #include <sys/crypto/common.h>
33 34 #include <aes_impl.h>
34 35 #include <blowfish_impl.h>
35 36 #include <des_impl.h>
36 37 #include <arcfour.h>
37 38 #include <cryptoutil.h>
38 39 #include "softGlobal.h"
39 40 #include "softSession.h"
40 41 #include "softObject.h"
41 42 #include "softDSA.h"
42 43 #include "softRSA.h"
43 44 #include "softDH.h"
44 45 #include "softEC.h"
45 46 #include "softMAC.h"
46 47 #include "softOps.h"
47 48 #include "softKeys.h"
48 49 #include "softKeystore.h"
49 50 #include "softSSL.h"
50 51 #include "softASN1.h"
51 52
52 53
53 54 #define local_min(a, b) ((a) < (b) ? (a) : (b))
54 55
55 56 static CK_RV
56 57 soft_pkcs12_pbe(soft_session_t *, CK_MECHANISM_PTR, soft_object_t *);
57 58
58 59 /*
59 60 * Create a temporary key object struct by filling up its template attributes.
60 61 */
61 62 CK_RV
62 63 soft_gen_keyobject(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
63 64 CK_ULONG *objecthandle_p, soft_session_t *sp,
64 65 CK_OBJECT_CLASS class, CK_KEY_TYPE key_type, CK_ULONG keylen, CK_ULONG mode,
65 66 boolean_t internal)
66 67 {
67 68
68 69 CK_RV rv;
69 70 soft_object_t *new_objp = NULL;
70 71
71 72 new_objp = calloc(1, sizeof (soft_object_t));
72 73 if (new_objp == NULL) {
73 74 return (CKR_HOST_MEMORY);
74 75 }
75 76
76 77 new_objp->extra_attrlistp = NULL;
77 78
78 79 /*
79 80 * Validate attribute template and fill in the attributes
80 81 * in the soft_object_t.
81 82 */
82 83 rv = soft_build_key(pTemplate, ulCount, new_objp, class, key_type,
83 84 keylen, mode);
84 85 if (rv != CKR_OK) {
85 86 goto fail_cleanup1;
86 87 }
87 88
88 89 /*
89 90 * If generating a key is an internal request (i.e. not a C_XXX
90 91 * API request), then skip the following checks.
91 92 */
92 93 if (!internal) {
93 94 rv = soft_pin_expired_check(new_objp);
94 95 if (rv != CKR_OK) {
95 96 goto fail_cleanup2;
96 97 }
97 98
98 99 rv = soft_object_write_access_check(sp, new_objp);
99 100 if (rv != CKR_OK) {
100 101 goto fail_cleanup2;
101 102 }
102 103 }
103 104
104 105 /* Initialize the rest of stuffs in soft_object_t. */
105 106 (void) pthread_mutex_init(&new_objp->object_mutex, NULL);
106 107 new_objp->magic_marker = SOFTTOKEN_OBJECT_MAGIC;
107 108
108 109 /* Write the new token object to the keystore */
109 110 if (IS_TOKEN_OBJECT(new_objp)) {
110 111 new_objp->version = 1;
111 112 new_objp->session_handle = (CK_SESSION_HANDLE)NULL;
112 113 soft_add_token_object_to_slot(new_objp);
113 114 /*
114 115 * Type casting the address of an object struct to
115 116 * an object handle.
116 117 */
117 118 *objecthandle_p = (CK_ULONG)new_objp;
118 119
119 120 return (CKR_OK);
120 121 }
121 122
122 123 new_objp->session_handle = (CK_SESSION_HANDLE)sp;
123 124
124 125 /* Add the new object to the session's object list. */
125 126 soft_add_object_to_session(new_objp, sp);
126 127
127 128 /* Type casting the address of an object struct to an object handle. */
128 129 *objecthandle_p = (CK_ULONG)new_objp;
129 130
130 131 return (CKR_OK);
131 132
132 133 fail_cleanup2:
133 134 /*
134 135 * When any error occurs after soft_build_key(), we will need to
135 136 * clean up the memory allocated by the soft_build_key().
136 137 */
137 138 soft_cleanup_object(new_objp);
138 139
139 140 fail_cleanup1:
140 141 if (new_objp) {
141 142 /*
142 143 * The storage allocated inside of this object should have
143 144 * been cleaned up by the soft_build_key() if it failed.
144 145 * Therefore, we can safely free the object.
145 146 */
146 147 free(new_objp);
147 148 }
148 149
149 150 return (rv);
150 151 }
151 152
152 153 CK_RV
153 154 soft_genkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
154 155 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey)
155 156 {
156 157
157 158 CK_RV rv = CKR_OK;
158 159 soft_object_t *secret_key;
159 160 CK_KEY_TYPE key_type;
160 161 CK_ULONG keylen = 0;
161 162 CK_ULONG i;
162 163 int des_strength = 0;
163 164 int retry = 0;
164 165 int keyfound = 0;
165 166 boolean_t is_ssl_mech = B_FALSE;
166 167
167 168 switch (pMechanism->mechanism) {
168 169 case CKM_DES_KEY_GEN:
169 170 key_type = CKK_DES;
170 171 break;
171 172
172 173 case CKM_DES2_KEY_GEN:
173 174 key_type = CKK_DES2;
174 175 break;
175 176
176 177 case CKM_DES3_KEY_GEN:
177 178 key_type = CKK_DES3;
178 179 break;
179 180
180 181 case CKM_AES_KEY_GEN:
181 182 key_type = CKK_AES;
182 183 break;
183 184
184 185 case CKM_BLOWFISH_KEY_GEN:
185 186 key_type = CKK_BLOWFISH;
186 187 break;
187 188
188 189 case CKM_RC4_KEY_GEN:
189 190 key_type = CKK_RC4;
190 191 break;
191 192
192 193 case CKM_SSL3_PRE_MASTER_KEY_GEN:
193 194 case CKM_TLS_PRE_MASTER_KEY_GEN:
194 195 if (pMechanism->pParameter == NULL ||
195 196 pMechanism->ulParameterLen != sizeof (CK_VERSION))
196 197 return (CKR_TEMPLATE_INCOMPLETE);
197 198 is_ssl_mech = B_TRUE;
198 199 key_type = CKK_GENERIC_SECRET;
199 200 keylen = 48;
200 201 break;
201 202
202 203 case CKM_PKCS5_PBKD2:
203 204 keyfound = 0;
204 205 for (i = 0; i < ulCount && !keyfound; i++) {
205 206 if (pTemplate[i].type == CKA_KEY_TYPE &&
206 207 pTemplate[i].pValue != NULL) {
207 208 key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue);
208 209 keyfound = 1;
209 210 }
210 211 }
211 212 if (!keyfound)
212 213 return (CKR_TEMPLATE_INCOMPLETE);
213 214 /*
214 215 * Make sure that parameters were given for this
215 216 * mechanism.
216 217 */
217 218 if (pMechanism->pParameter == NULL ||
218 219 pMechanism->ulParameterLen !=
219 220 sizeof (CK_PKCS5_PBKD2_PARAMS))
220 221 return (CKR_TEMPLATE_INCOMPLETE);
221 222 break;
222 223
223 224 case CKM_PBE_SHA1_RC4_128:
224 225 keyfound = 0;
225 226 for (i = 0; i < ulCount; i++) {
226 227 if (pTemplate[i].type == CKA_KEY_TYPE &&
227 228 pTemplate[i].pValue != NULL) {
228 229 key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue);
229 230 keyfound = 1;
230 231 }
231 232 if (pTemplate[i].type == CKA_VALUE_LEN &&
232 233 pTemplate[i].pValue != NULL) {
233 234 keylen = *((CK_ULONG*)pTemplate[i].pValue);
234 235 }
235 236 }
236 237 /* If a keytype was specified, it had better be CKK_RC4 */
237 238 if (keyfound && key_type != CKK_RC4)
238 239 return (CKR_TEMPLATE_INCONSISTENT);
239 240 else if (!keyfound)
240 241 key_type = CKK_RC4;
241 242
242 243 /* If key length was specified, it better be 16 bytes */
243 244 if (keylen != 0 && keylen != 16)
244 245 return (CKR_TEMPLATE_INCONSISTENT);
245 246
246 247 /*
247 248 * Make sure that parameters were given for this
248 249 * mechanism.
249 250 */
250 251 if (pMechanism->pParameter == NULL ||
251 252 pMechanism->ulParameterLen !=
252 253 sizeof (CK_PBE_PARAMS))
253 254 return (CKR_TEMPLATE_INCOMPLETE);
254 255 break;
255 256 default:
256 257 return (CKR_MECHANISM_INVALID);
257 258 }
258 259
259 260 /* Create a new object for secret key. */
260 261 rv = soft_gen_keyobject(pTemplate, ulCount, phKey, session_p,
261 262 CKO_SECRET_KEY, key_type, keylen, SOFT_GEN_KEY, B_FALSE);
262 263
263 264 if (rv != CKR_OK) {
264 265 return (rv);
265 266 }
266 267
267 268 /* Obtain the secret object pointer. */
268 269 secret_key = (soft_object_t *)*phKey;
269 270
270 271 switch (pMechanism->mechanism) {
271 272 case CKM_DES_KEY_GEN:
272 273 /*
273 274 * Set up key value len since it is not a required
274 275 * attribute for C_GenerateKey.
275 276 */
276 277 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
277 278 des_strength = DES;
278 279 break;
279 280
280 281 case CKM_DES2_KEY_GEN:
281 282 /*
282 283 * Set up key value len since it is not a required
283 284 * attribute for C_GenerateKey.
284 285 */
285 286 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES2_KEYSIZE;
286 287 des_strength = DES2;
287 288 break;
288 289
289 290 case CKM_DES3_KEY_GEN:
290 291 /*
291 292 * Set up key value len since it is not a required
292 293 * attribute for C_GenerateKey.
293 294 */
294 295 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE;
295 296 des_strength = DES3;
296 297 break;
297 298
298 299 case CKM_SSL3_PRE_MASTER_KEY_GEN:
299 300 case CKM_TLS_PRE_MASTER_KEY_GEN:
300 301 secret_key->bool_attr_mask |= DERIVE_BOOL_ON;
301 302 /* FALLTHRU */
302 303
303 304 case CKM_AES_KEY_GEN:
304 305 case CKM_BLOWFISH_KEY_GEN:
305 306 case CKM_PBE_SHA1_RC4_128:
306 307 case CKM_RC4_KEY_GEN:
307 308 keylen = OBJ_SEC_VALUE_LEN(secret_key);
308 309 break;
309 310
310 311 case CKM_PKCS5_PBKD2:
311 312 /*
312 313 * PKCS#11 does not allow one to specify key
313 314 * sizes for DES and 3DES, so we must set it here
314 315 * when using PBKD2 algorithms.
315 316 */
316 317 if (key_type == CKK_DES) {
317 318 OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
318 319 des_strength = DES;
319 320 } else if (key_type == CKK_DES3) {
320 321 OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE;
321 322 des_strength = DES3;
322 323 }
323 324
324 325 keylen = OBJ_SEC_VALUE_LEN(secret_key);
325 326 break;
326 327 }
327 328
328 329 if ((OBJ_SEC_VALUE(secret_key) = malloc(keylen)) == NULL) {
329 330 if (IS_TOKEN_OBJECT(secret_key))
330 331 soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
331 332 else
332 333 soft_delete_object(session_p, secret_key,
333 334 B_FALSE, B_FALSE);
334 335
335 336 return (CKR_HOST_MEMORY);
336 337 }
337 338 switch (pMechanism->mechanism) {
338 339 case CKM_PBE_SHA1_RC4_128:
339 340 /*
340 341 * Use the PBE algorithm described in PKCS#11 section
341 342 * 12.33 to derive the key.
342 343 */
343 344 rv = soft_pkcs12_pbe(session_p, pMechanism, secret_key);
344 345 break;
345 346 case CKM_PKCS5_PBKD2:
346 347 /* Generate keys using PKCS#5 PBKD2 algorithm */
347 348 rv = soft_generate_pkcs5_pbkdf2_key(session_p, pMechanism,
348 349 secret_key);
349 350 if (rv == CKR_OK && des_strength > 0) {
350 351 /* Perform weak key checking for DES and DES3. */
351 352 if (des_keycheck(OBJ_SEC_VALUE(secret_key),
352 353 des_strength, OBJ_SEC_VALUE(secret_key)) ==
353 354 B_FALSE) {
354 355 /* We got a weak secret key. */
355 356 rv = CKR_FUNCTION_FAILED;
356 357 }
357 358 }
358 359 break;
359 360 default:
360 361 do {
361 362 /* If this fails, bail out */
362 363 rv = CKR_OK;
363 364 if (pkcs11_get_urandom(
364 365 OBJ_SEC_VALUE(secret_key), keylen) < 0) {
365 366 rv = CKR_DEVICE_ERROR;
366 367 break;
367 368 }
368 369
369 370 /* Perform weak key checking for DES and DES3. */
370 371 if (des_strength > 0) {
371 372 rv = CKR_OK;
372 373 if (des_keycheck(OBJ_SEC_VALUE(secret_key),
373 374 des_strength, OBJ_SEC_VALUE(secret_key)) ==
374 375 B_FALSE) {
375 376 /* We got a weak key, retry! */
376 377 retry++;
377 378 rv = CKR_FUNCTION_FAILED;
378 379 }
379 380 }
380 381 /*
381 382 * Copy over the SSL client version For SSL mechs
382 383 * The first two bytes of the key is the version
383 384 */
384 385 if (is_ssl_mech)
385 386 bcopy(pMechanism->pParameter,
386 387 OBJ_SEC_VALUE(secret_key),
387 388 sizeof (CK_VERSION));
388 389
389 390 } while (rv != CKR_OK && retry < KEYGEN_RETRY);
390 391 if (retry == KEYGEN_RETRY)
391 392 rv = CKR_FUNCTION_FAILED;
392 393 break;
393 394 }
394 395
395 396 if (rv != CKR_OK)
396 397 if (IS_TOKEN_OBJECT(secret_key))
397 398 soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
398 399 else
399 400 soft_delete_object(session_p, secret_key,
400 401 B_FALSE, B_FALSE);
401 402
402 403 if (IS_TOKEN_OBJECT(secret_key)) {
403 404 /*
404 405 * All the info has been filled, so we can write to
405 406 * keystore now.
406 407 */
407 408 rv = soft_put_object_to_keystore(secret_key);
408 409 if (rv != CKR_OK)
409 410 soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
410 411 }
411 412
412 413 return (rv);
413 414 }
414 415
415 416 CK_RV
416 417 soft_genkey_pair(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
417 418 CK_ATTRIBUTE_PTR pPublicKeyTemplate, CK_ULONG ulPublicAttrCount,
418 419 CK_ATTRIBUTE_PTR pPrivateKeyTemplate, CK_ULONG ulPrivateAttrCount,
419 420 CK_OBJECT_HANDLE_PTR phPublicKey, CK_OBJECT_HANDLE_PTR phPrivateKey)
420 421 {
421 422
422 423 CK_RV rv;
423 424 soft_object_t *public_key, *private_key;
424 425 CK_KEY_TYPE key_type;
425 426
426 427 switch (pMechanism->mechanism) {
427 428
428 429 case CKM_RSA_PKCS_KEY_PAIR_GEN:
429 430 key_type = CKK_RSA;
430 431 break;
431 432
432 433 case CKM_DSA_KEY_PAIR_GEN:
433 434 key_type = CKK_DSA;
434 435 break;
435 436
436 437 case CKM_DH_PKCS_KEY_PAIR_GEN:
437 438 key_type = CKK_DH;
438 439 break;
439 440
440 441 case CKM_EC_KEY_PAIR_GEN:
441 442 key_type = CKK_EC;
442 443 break;
443 444
444 445 default:
445 446 return (CKR_MECHANISM_INVALID);
446 447 }
447 448
448 449 /* Create a new object for public key. */
449 450 rv = soft_gen_keyobject(pPublicKeyTemplate, ulPublicAttrCount,
450 451 phPublicKey, session_p, CKO_PUBLIC_KEY, key_type, 0,
451 452 SOFT_GEN_KEY, B_FALSE);
452 453
453 454 if (rv != CKR_OK) {
454 455 return (rv);
455 456 }
456 457
457 458 /* Obtain the public object pointer. */
458 459 public_key = (soft_object_t *)*phPublicKey;
459 460
460 461 /* Create a new object for private key. */
461 462 rv = soft_gen_keyobject(pPrivateKeyTemplate, ulPrivateAttrCount,
462 463 phPrivateKey, session_p, CKO_PRIVATE_KEY, key_type, 0,
463 464 SOFT_GEN_KEY, B_FALSE);
464 465
465 466 if (rv != CKR_OK) {
466 467 /*
467 468 * Both public key and private key must be successful.
468 469 */
469 470 if (IS_TOKEN_OBJECT(public_key))
470 471 soft_delete_token_object(public_key, B_FALSE, B_FALSE);
471 472 else
472 473 soft_delete_object(session_p, public_key,
473 474 B_FALSE, B_FALSE);
474 475 return (rv);
475 476 }
476 477
477 478 /* Obtain the private object pointer. */
478 479 private_key = (soft_object_t *)*phPrivateKey;
479 480
480 481 /*
481 482 * At this point, both public key and private key objects
482 483 * are settled with the application specified attributes.
483 484 * We are ready to generate the rest of key attributes based
484 485 * on the existing attributes.
485 486 */
486 487
487 488 switch (key_type) {
488 489 case CKK_RSA:
489 490 rv = soft_rsa_genkey_pair(public_key, private_key);
490 491 break;
491 492
492 493 case CKK_DSA:
493 494 rv = soft_dsa_genkey_pair(public_key, private_key);
494 495 break;
495 496
496 497 case CKK_DH:
497 498 rv = soft_dh_genkey_pair(public_key, private_key);
498 499 private_key->bool_attr_mask |= DERIVE_BOOL_ON;
499 500 break;
500 501 case CKK_EC:
501 502 rv = soft_ec_genkey_pair(public_key, private_key);
502 503 private_key->bool_attr_mask |= DERIVE_BOOL_ON;
503 504 break;
504 505 }
505 506
506 507 if (rv != CKR_OK) {
507 508 if (IS_TOKEN_OBJECT(public_key)) {
508 509 soft_delete_token_object(public_key, B_FALSE, B_FALSE);
509 510 soft_delete_token_object(private_key, B_FALSE, B_FALSE);
510 511 } else {
511 512 soft_delete_object(session_p, public_key,
512 513 B_FALSE, B_FALSE);
513 514 soft_delete_object(session_p, private_key,
514 515 B_FALSE, B_FALSE);
515 516 }
516 517 return (rv);
517 518 }
518 519
519 520 if (IS_TOKEN_OBJECT(public_key)) {
520 521 /*
521 522 * All the info has been filled, so we can write to
522 523 * keystore now.
523 524 */
524 525 rv = soft_put_object_to_keystore(public_key);
525 526 if (rv != CKR_OK) {
526 527 soft_delete_token_object(public_key, B_FALSE, B_FALSE);
527 528 soft_delete_token_object(private_key, B_FALSE, B_FALSE);
528 529 return (rv);
529 530 }
530 531 }
531 532
532 533 if (IS_TOKEN_OBJECT(private_key)) {
533 534 rv = soft_put_object_to_keystore(private_key);
534 535 if (rv != CKR_OK) {
535 536 /*
536 537 * We also need to delete the public token object
537 538 * from keystore.
538 539 */
539 540 soft_delete_token_object(public_key, B_TRUE, B_FALSE);
540 541 soft_delete_token_object(private_key, B_FALSE, B_FALSE);
541 542 }
542 543 }
543 544
544 545 return (rv);
545 546 }
546 547
547 548
548 549 CK_RV
549 550 soft_key_derive_check_length(soft_object_t *secret_key, CK_ULONG max_keylen)
550 551 {
551 552
552 553 switch (secret_key->key_type) {
553 554 case CKK_GENERIC_SECRET:
554 555 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
555 556 OBJ_SEC_VALUE_LEN(secret_key) = max_keylen;
556 557 return (CKR_OK);
557 558 } else if (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen) {
558 559 return (CKR_ATTRIBUTE_VALUE_INVALID);
559 560 }
560 561 break;
561 562 case CKK_RC4:
562 563 case CKK_AES:
563 564 case CKK_BLOWFISH:
564 565 if ((OBJ_SEC_VALUE_LEN(secret_key) == 0) ||
565 566 (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen)) {
566 567 /* RC4 and AES has variable key length */
567 568 return (CKR_ATTRIBUTE_VALUE_INVALID);
568 569 }
569 570 break;
570 571 case CKK_DES:
571 572 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
572 573 /* DES has a well-defined length */
573 574 OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
574 575 return (CKR_OK);
575 576 } else if (OBJ_SEC_VALUE_LEN(secret_key) != DES_KEYSIZE) {
576 577 return (CKR_ATTRIBUTE_VALUE_INVALID);
577 578 }
578 579 break;
579 580 case CKK_DES2:
580 581 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
581 582 /* DES2 has a well-defined length */
582 583 OBJ_SEC_VALUE_LEN(secret_key) = DES2_KEYSIZE;
583 584 return (CKR_OK);
584 585 } else if (OBJ_SEC_VALUE_LEN(secret_key) != DES2_KEYSIZE) {
585 586 return (CKR_ATTRIBUTE_VALUE_INVALID);
586 587 }
587 588 break;
588 589
589 590 default:
590 591 return (CKR_MECHANISM_INVALID);
591 592 }
592 593
593 594 return (CKR_OK);
594 595 }
595 596
596 597 /*
597 598 * PKCS#11 (12.33) says that v = 512 bits (64 bytes) for SHA1
598 599 * PBE methods.
599 600 */
600 601 #define PKCS12_BUFFER_SIZE 64
601 602 /*
602 603 * PKCS#12 defines 3 different ID bytes to be used for
603 604 * deriving keys for different operations.
604 605 */
605 606 #define PBE_ID_ENCRYPT 1
606 607 #define PBE_ID_IV 2
607 608 #define PBE_ID_MAC 3
608 609 #define PBE_CEIL(a, b) (((a)/(b)) + (((a)%(b)) > 0))
609 610
610 611 static CK_RV
611 612 soft_pkcs12_pbe(soft_session_t *session_p,
612 613 CK_MECHANISM_PTR pMechanism,
613 614 soft_object_t *derived_key)
614 615 {
615 616 CK_RV rv = CKR_OK;
616 617 CK_PBE_PARAMS *params = pMechanism->pParameter;
617 618 CK_ULONG c, i, j, k;
618 619 CK_ULONG hashSize;
619 620 CK_ULONG buffSize;
620 621 /*
621 622 * Terse variable names are used to make following
622 623 * the PKCS#12 spec easier.
623 624 */
624 625 CK_BYTE *A = NULL;
625 626 CK_BYTE *Ai = NULL;
626 627 CK_BYTE *B = NULL;
627 628 CK_BYTE *D = NULL;
628 629 CK_BYTE *I = NULL, *S, *P;
629 630 CK_BYTE *keybuf = NULL;
630 631 CK_ULONG Alen, Ilen, Slen, Plen, AiLen, Blen, Dlen;
631 632 CK_ULONG keysize = OBJ_SEC_VALUE_LEN(derived_key);
632 633 CK_MECHANISM digest_mech;
633 634
634 635 /* U = hash function output bits */
635 636 if (pMechanism->mechanism == CKM_PBE_SHA1_RC4_128) {
636 637 hashSize = SHA1_HASH_SIZE;
637 638 buffSize = PKCS12_BUFFER_SIZE;
638 639 digest_mech.mechanism = CKM_SHA_1;
639 640 digest_mech.pParameter = NULL;
640 641 digest_mech.ulParameterLen = 0;
641 642 } else {
642 643 /* we only support 1 PBE mech for now */
643 644 return (CKR_MECHANISM_INVALID);
644 645 }
645 646 keybuf = OBJ_SEC_VALUE(derived_key);
646 647
647 648 Blen = Dlen = buffSize;
648 649 D = (CK_BYTE *)malloc(Dlen);
649 650 if (D == NULL) {
650 651 rv = CKR_HOST_MEMORY;
651 652 goto cleanup;
652 653 }
653 654
654 655 B = (CK_BYTE *)malloc(Blen);
655 656 if (B == NULL) {
656 657 rv = CKR_HOST_MEMORY;
657 658 goto cleanup;
658 659 }
659 660
660 661 /*
661 662 * Initialize some values and create some buffers
662 663 * that we need later.
663 664 *
664 665 * Slen = buffSize * CEIL(SaltLength/buffSize)
665 666 */
666 667 Slen = buffSize * PBE_CEIL(params->ulSaltLen, buffSize);
667 668
668 669 /*
669 670 * Plen = buffSize * CEIL(PasswordLength/buffSize)
670 671 */
671 672 Plen = buffSize * PBE_CEIL(params->ulPasswordLen, buffSize);
672 673
673 674 /*
674 675 * From step 4: I = S + P, so: Ilen = Slen + Plen
675 676 */
676 677 Ilen = Slen + Plen;
677 678 I = (CK_BYTE *)malloc(Ilen);
678 679 if (I == NULL) {
679 680 rv = CKR_HOST_MEMORY;
680 681 goto cleanup;
681 682 }
682 683
683 684 S = I;
684 685 P = I + Slen;
685 686
686 687 /*
687 688 * Step 1.
688 689 * We are only interested in deriving keys for encrypt/decrypt
689 690 * for now, so construct the "D"iversifier accordingly.
690 691 */
691 692 (void) memset(D, PBE_ID_ENCRYPT, Dlen);
692 693
693 694 /*
694 695 * Step 2.
695 696 * Concatenate copies of the salt together to make S.
696 697 */
697 698 for (i = 0; i < Slen; i += params->ulSaltLen) {
698 699 (void) memcpy(S+i, params->pSalt,
699 700 ((Slen - i) > params->ulSaltLen ?
700 701 params->ulSaltLen : (Slen - i)));
701 702 }
702 703
703 704 /*
704 705 * Step 3.
705 706 * Concatenate copies of the password together to make
706 707 * a string P.
707 708 */
708 709 for (i = 0; i < Plen; i += params->ulPasswordLen) {
709 710 (void) memcpy(P+i, params->pPassword,
710 711 ((Plen - i) > params->ulPasswordLen ?
711 712 params->ulPasswordLen : (Plen - i)));
712 713 }
713 714
714 715 /*
715 716 * Step 4.
716 717 * I = S+P - this is now done because S and P are
717 718 * pointers into I.
718 719 *
719 720 * Step 5.
720 721 * c= CEIL[n/u]
721 722 * where n = pseudorandom bits of output desired.
722 723 */
723 724 c = PBE_CEIL(keysize, hashSize);
724 725
725 726 /*
726 727 * Step 6.
727 728 */
728 729 Alen = c * hashSize;
729 730 A = (CK_BYTE *)malloc(Alen);
730 731 if (A == NULL) {
731 732 rv = CKR_HOST_MEMORY;
732 733 goto cleanup;
733 734 }
734 735 AiLen = hashSize;
735 736 Ai = (CK_BYTE *)malloc(AiLen);
736 737 if (Ai == NULL) {
737 738 rv = CKR_HOST_MEMORY;
738 739 goto cleanup;
739 740 }
740 741
741 742 /*
742 743 * Step 6a.
743 744 * Ai = Hr(D+I)
744 745 */
745 746 for (i = 0; i < c; i++) {
746 747 (void) pthread_mutex_lock(&session_p->session_mutex);
747 748
748 749 if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) {
749 750 (void) pthread_mutex_unlock(&session_p->session_mutex);
750 751 rv = CKR_OPERATION_ACTIVE;
751 752 goto cleanup;
752 753 }
753 754 session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE;
754 755 (void) pthread_mutex_unlock(&session_p->session_mutex);
755 756
756 757 for (j = 0; j < params->ulIteration; j++) {
757 758 rv = soft_digest_init(session_p, &digest_mech);
758 759 if (rv != CKR_OK)
759 760 goto digest_done;
760 761
761 762 if (j == 0) {
762 763 rv = soft_digest_update(session_p, D, Dlen);
763 764 if (rv != CKR_OK)
764 765 goto digest_done;
765 766
766 767 rv = soft_digest_update(session_p, I, Ilen);
767 768 } else {
768 769 rv = soft_digest_update(session_p, Ai, AiLen);
769 770 }
770 771 if (rv != CKR_OK)
771 772 goto digest_done;
772 773
773 774 rv = soft_digest_final(session_p, Ai, &AiLen);
774 775 if (rv != CKR_OK)
775 776 goto digest_done;
776 777 }
777 778 digest_done:
778 779 (void) pthread_mutex_lock(&session_p->session_mutex);
779 780 session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE;
780 781 (void) pthread_mutex_unlock(&session_p->session_mutex);
781 782
782 783 if (rv != CKR_OK)
783 784 goto cleanup;
784 785 /*
785 786 * Step 6b.
786 787 * Concatenate Ai to make B
787 788 */
788 789 for (j = 0; j < Blen; j += hashSize) {
789 790 (void) memcpy(B+j, Ai, ((Blen - j > hashSize) ?
790 791 hashSize : Blen - j));
791 792 }
792 793
793 794 /*
794 795 * Step 6c.
795 796 */
796 797 k = Ilen / Blen;
797 798 for (j = 0; j < k; j++) {
798 799 uchar_t idx;
799 800 CK_ULONG m, q = 1, cbit = 0;
800 801
801 802 for (m = Blen - 1; m >= (CK_ULONG)0; m--, q = 0) {
802 803 idx = m + j*Blen;
803 804
804 805 q += (CK_ULONG)I[idx] + (CK_ULONG)B[m];
805 806 q += cbit;
806 807 I[idx] = (CK_BYTE)(q & 0xff);
807 808 cbit = (q > 0xff);
808 809 }
809 810 }
810 811
811 812 /*
812 813 * Step 7.
813 814 * A += Ai
814 815 */
|
↓ open down ↓ |
781 lines elided |
↑ open up ↑ |
815 816 (void) memcpy(A + i*hashSize, Ai, AiLen);
816 817 }
817 818
818 819 /*
819 820 * Step 8.
820 821 * The final output of this process is the A buffer
821 822 */
822 823 (void) memcpy(keybuf, A, keysize);
823 824
824 825 cleanup:
825 - if (A) {
826 - bzero(A, Alen);
827 - free(A);
828 - }
829 - if (Ai) {
830 - bzero(Ai, AiLen);
831 - free(Ai);
832 - }
833 - if (B) {
834 - bzero(B, Blen);
835 - free(B);
836 - }
837 - if (D) {
838 - bzero(D, Dlen);
839 - free(D);
840 - }
841 - if (I) {
842 - bzero(I, Ilen);
843 - free(I);
844 - }
826 + freezero(A, Alen);
827 + freezero(Ai, AiLen);
828 + freezero(B, Blen);
829 + freezero(D, Dlen);
830 + freezero(I, Ilen);
845 831 return (rv);
846 832 }
847 833
848 834 CK_RV
849 835 soft_derivekey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
850 836 soft_object_t *basekey_p, CK_ATTRIBUTE_PTR pTemplate,
851 837 CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey)
852 838 {
853 839
854 840 CK_RV rv = CKR_OK;
855 841 soft_object_t *secret_key;
856 842 CK_MECHANISM digest_mech;
857 843 CK_BYTE hash[SHA512_DIGEST_LENGTH]; /* space enough for all mechs */
858 844 CK_ULONG hash_len = SHA512_DIGEST_LENGTH;
859 845 CK_ULONG secret_key_len;
860 846 CK_ULONG hash_size;
861 847
862 848 switch (pMechanism->mechanism) {
863 849 case CKM_DH_PKCS_DERIVE:
864 850 /*
865 851 * Create a new object for secret key. The key type should
866 852 * be provided in the template.
867 853 */
868 854 rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
869 855 phKey, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL, 0,
870 856 SOFT_DERIVE_KEY_DH, B_FALSE);
871 857
872 858 if (rv != CKR_OK) {
873 859 return (rv);
874 860 }
875 861
876 862 /* Obtain the secret object pointer. */
877 863 secret_key = (soft_object_t *)*phKey;
878 864
879 865 rv = soft_dh_key_derive(basekey_p, secret_key,
880 866 (CK_BYTE *)pMechanism->pParameter,
881 867 pMechanism->ulParameterLen);
882 868
883 869 if (rv != CKR_OK) {
884 870 if (IS_TOKEN_OBJECT(secret_key))
885 871 soft_delete_token_object(secret_key, B_FALSE,
886 872 B_FALSE);
887 873 else
888 874 soft_delete_object(session_p, secret_key,
889 875 B_FALSE, B_FALSE);
890 876 return (rv);
891 877 }
892 878
893 879 break;
894 880
895 881 case CKM_ECDH1_DERIVE:
896 882 /*
897 883 * Create a new object for secret key. The key type should
898 884 * be provided in the template.
899 885 */
900 886 rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
901 887 phKey, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL, 0,
902 888 SOFT_DERIVE_KEY_DH, B_FALSE);
903 889
904 890 if (rv != CKR_OK) {
905 891 return (rv);
906 892 }
907 893
908 894 /* Obtain the secret object pointer. */
909 895 secret_key = (soft_object_t *)*phKey;
910 896
911 897 rv = soft_ec_key_derive(basekey_p, secret_key,
912 898 (CK_BYTE *)pMechanism->pParameter,
913 899 pMechanism->ulParameterLen);
914 900
915 901 if (rv != CKR_OK) {
916 902 if (IS_TOKEN_OBJECT(secret_key))
917 903 soft_delete_token_object(secret_key, B_FALSE,
918 904 B_FALSE);
919 905 else
920 906 soft_delete_object(session_p, secret_key,
921 907 B_FALSE, B_FALSE);
922 908 return (rv);
923 909 }
924 910
925 911 break;
926 912
927 913 case CKM_SHA1_KEY_DERIVATION:
928 914 hash_size = SHA1_HASH_SIZE;
929 915 digest_mech.mechanism = CKM_SHA_1;
930 916 goto common;
931 917
932 918 case CKM_MD5_KEY_DERIVATION:
933 919 hash_size = MD5_HASH_SIZE;
934 920 digest_mech.mechanism = CKM_MD5;
935 921 goto common;
936 922
937 923 case CKM_SHA256_KEY_DERIVATION:
938 924 hash_size = SHA256_DIGEST_LENGTH;
939 925 digest_mech.mechanism = CKM_SHA256;
940 926 goto common;
941 927
942 928 case CKM_SHA384_KEY_DERIVATION:
943 929 hash_size = SHA384_DIGEST_LENGTH;
944 930 digest_mech.mechanism = CKM_SHA384;
945 931 goto common;
946 932
947 933 case CKM_SHA512_KEY_DERIVATION:
948 934 hash_size = SHA512_DIGEST_LENGTH;
949 935 digest_mech.mechanism = CKM_SHA512;
950 936 goto common;
951 937
952 938 common:
953 939 /*
954 940 * Create a new object for secret key. The key type is optional
955 941 * to be provided in the template. If it is not specified in
956 942 * the template, the default is CKK_GENERIC_SECRET.
957 943 */
958 944 rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
959 945 phKey, session_p, CKO_SECRET_KEY,
960 946 (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0,
961 947 SOFT_DERIVE_KEY_OTHER, B_FALSE);
962 948
963 949 if (rv != CKR_OK) {
964 950 return (rv);
965 951 }
966 952
967 953 /* Obtain the secret object pointer. */
968 954 secret_key = (soft_object_t *)*phKey;
969 955
970 956 /* Validate the key type and key length */
971 957 rv = soft_key_derive_check_length(secret_key, hash_size);
972 958 if (rv != CKR_OK) {
973 959 if (IS_TOKEN_OBJECT(secret_key))
974 960 soft_delete_token_object(secret_key, B_FALSE,
975 961 B_FALSE);
976 962 else
977 963 soft_delete_object(session_p, secret_key,
978 964 B_FALSE, B_FALSE);
979 965 return (rv);
980 966 }
981 967
982 968 /*
983 969 * Derive the secret key by digesting the value of another
984 970 * secret key (base key) with SHA-1 or MD5.
985 971 */
986 972 rv = soft_digest_init_internal(session_p, &digest_mech);
987 973 if (rv != CKR_OK) {
988 974 if (IS_TOKEN_OBJECT(secret_key))
989 975 soft_delete_token_object(secret_key, B_FALSE,
990 976 B_FALSE);
991 977 else
992 978 soft_delete_object(session_p, secret_key,
993 979 B_FALSE, B_FALSE);
994 980 return (rv);
995 981 }
996 982
997 983 rv = soft_digest(session_p, OBJ_SEC_VALUE(basekey_p),
998 984 OBJ_SEC_VALUE_LEN(basekey_p), hash, &hash_len);
999 985
1000 986 (void) pthread_mutex_lock(&session_p->session_mutex);
1001 987 /* soft_digest_common() has freed the digest context */
1002 988 session_p->digest.flags = 0;
1003 989 (void) pthread_mutex_unlock(&session_p->session_mutex);
1004 990
1005 991 if (rv != CKR_OK) {
1006 992 if (IS_TOKEN_OBJECT(secret_key))
1007 993 soft_delete_token_object(secret_key, B_FALSE,
1008 994 B_FALSE);
1009 995 else
1010 996 soft_delete_object(session_p, secret_key,
1011 997 B_FALSE, B_FALSE);
1012 998 return (rv);
1013 999 }
1014 1000
1015 1001 secret_key_len = OBJ_SEC_VALUE_LEN(secret_key);
1016 1002
1017 1003 if ((OBJ_SEC_VALUE(secret_key) = malloc(secret_key_len)) ==
1018 1004 NULL) {
1019 1005 if (IS_TOKEN_OBJECT(secret_key))
1020 1006 soft_delete_token_object(secret_key, B_FALSE,
1021 1007 B_FALSE);
1022 1008 else
1023 1009 soft_delete_object(session_p, secret_key,
1024 1010 B_FALSE, B_FALSE);
1025 1011 return (CKR_HOST_MEMORY);
1026 1012 }
1027 1013
1028 1014 /*
1029 1015 * The key produced by this mechanism will be of the
1030 1016 * specified type and length.
1031 1017 * The truncation removes extra bytes from the leading
1032 1018 * of the digested key value.
1033 1019 */
1034 1020 (void) memcpy(OBJ_SEC_VALUE(secret_key),
1035 1021 (hash + hash_len - secret_key_len),
1036 1022 secret_key_len);
1037 1023
1038 1024 break;
1039 1025
1040 1026 /*
1041 1027 * The key sensitivity and extractability rules for the generated
1042 1028 * keys will be enforced inside soft_ssl_master_key_derive() and
1043 1029 * soft_ssl_key_and_mac_derive()
1044 1030 */
1045 1031 case CKM_SSL3_MASTER_KEY_DERIVE:
1046 1032 case CKM_SSL3_MASTER_KEY_DERIVE_DH:
1047 1033 case CKM_TLS_MASTER_KEY_DERIVE:
1048 1034 case CKM_TLS_MASTER_KEY_DERIVE_DH:
1049 1035 if (phKey == NULL_PTR)
1050 1036 return (CKR_ARGUMENTS_BAD);
1051 1037 return (soft_ssl_master_key_derive(session_p, pMechanism,
1052 1038 basekey_p, pTemplate, ulAttributeCount, phKey));
1053 1039
1054 1040 case CKM_SSL3_KEY_AND_MAC_DERIVE:
1055 1041 case CKM_TLS_KEY_AND_MAC_DERIVE:
1056 1042 return (soft_ssl_key_and_mac_derive(session_p, pMechanism,
1057 1043 basekey_p, pTemplate, ulAttributeCount));
1058 1044
1059 1045 case CKM_TLS_PRF:
1060 1046 if (pMechanism->pParameter == NULL ||
1061 1047 pMechanism->ulParameterLen != sizeof (CK_TLS_PRF_PARAMS) ||
1062 1048 phKey != NULL)
1063 1049 return (CKR_ARGUMENTS_BAD);
1064 1050
1065 1051 if (pTemplate != NULL)
1066 1052 return (CKR_TEMPLATE_INCONSISTENT);
1067 1053
1068 1054 return (derive_tls_prf(
1069 1055 (CK_TLS_PRF_PARAMS_PTR)pMechanism->pParameter, basekey_p));
1070 1056
1071 1057 default:
1072 1058 return (CKR_MECHANISM_INVALID);
1073 1059 }
1074 1060
1075 1061 soft_derive_enforce_flags(basekey_p, secret_key);
1076 1062
1077 1063 if (IS_TOKEN_OBJECT(secret_key)) {
1078 1064 /*
1079 1065 * All the info has been filled, so we can write to
1080 1066 * keystore now.
1081 1067 */
1082 1068 rv = soft_put_object_to_keystore(secret_key);
1083 1069 if (rv != CKR_OK)
1084 1070 soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
1085 1071 }
1086 1072
1087 1073 return (rv);
1088 1074 }
1089 1075
1090 1076
1091 1077 /*
1092 1078 * Perform key derivation rules on key's sensitivity and extractability.
1093 1079 */
1094 1080 void
1095 1081 soft_derive_enforce_flags(soft_object_t *basekey, soft_object_t *newkey)
1096 1082 {
1097 1083
1098 1084 boolean_t new_sensitive = B_FALSE;
1099 1085 boolean_t new_extractable = B_FALSE;
1100 1086
1101 1087 /*
1102 1088 * The sensitive and extractable bits have been set when
1103 1089 * the newkey was built.
1104 1090 */
1105 1091 if (newkey->bool_attr_mask & SENSITIVE_BOOL_ON) {
1106 1092 new_sensitive = B_TRUE;
1107 1093 }
1108 1094
1109 1095 if (newkey->bool_attr_mask & EXTRACTABLE_BOOL_ON) {
1110 1096 new_extractable = B_TRUE;
1111 1097 }
1112 1098
1113 1099 /* Derive the CKA_ALWAYS_SENSITIVE flag */
1114 1100 if (!basekey->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON) {
1115 1101 /*
1116 1102 * If the base key has its CKA_ALWAYS_SENSITIVE set to
1117 1103 * FALSE, then the derived key will as well.
1118 1104 */
1119 1105 newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON;
1120 1106 } else {
1121 1107 /*
1122 1108 * If the base key has its CKA_ALWAYS_SENSITIVE set to TRUE,
1123 1109 * then the derived key has the CKA_ALWAYS_SENSITIVE set to
1124 1110 * the same value as its CKA_SENSITIVE;
1125 1111 */
1126 1112 if (new_sensitive) {
1127 1113 newkey->bool_attr_mask |= ALWAYS_SENSITIVE_BOOL_ON;
1128 1114 } else {
1129 1115 newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON;
1130 1116 }
1131 1117 }
1132 1118
1133 1119 /* Derive the CKA_NEVER_EXTRACTABLE flag */
1134 1120 if (!basekey->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) {
1135 1121 /*
1136 1122 * If the base key has its CKA_NEVER_EXTRACTABLE set to
1137 1123 * FALSE, then the derived key will as well.
1138 1124 */
1139 1125 newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON;
1140 1126 } else {
1141 1127 /*
1142 1128 * If the base key has its CKA_NEVER_EXTRACTABLE set to TRUE,
1143 1129 * then the derived key has the CKA_NEVER_EXTRACTABLE set to
1144 1130 * the opposite value from its CKA_EXTRACTABLE;
1145 1131 */
1146 1132 if (new_extractable) {
1147 1133 newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON;
1148 1134 } else {
1149 1135 newkey->bool_attr_mask |= NEVER_EXTRACTABLE_BOOL_ON;
1150 1136 }
1151 1137 }
1152 1138
1153 1139 /* Set the CKA_LOCAL flag to false */
1154 1140 newkey->bool_attr_mask &= ~LOCAL_BOOL_ON;
1155 1141 }
1156 1142
1157 1143
1158 1144 /*
1159 1145 * do_prf
1160 1146 *
1161 1147 * This routine implements Step 3. of the PBKDF2 function
1162 1148 * defined in PKCS#5 for generating derived keys from a
1163 1149 * password.
1164 1150 *
1165 1151 * Currently, PRF is always SHA_1_HMAC.
1166 1152 */
1167 1153 static CK_RV
1168 1154 do_prf(soft_session_t *session_p,
1169 1155 CK_PKCS5_PBKD2_PARAMS_PTR params,
1170 1156 soft_object_t *hmac_key,
1171 1157 CK_BYTE *newsalt, CK_ULONG saltlen,
1172 1158 CK_BYTE *blockdata, CK_ULONG blocklen)
1173 1159 {
1174 1160 CK_RV rv = CKR_OK;
1175 1161 CK_MECHANISM digest_mech = {CKM_SHA_1_HMAC, NULL, 0};
1176 1162 CK_BYTE buffer[2][SHA1_HASH_SIZE];
1177 1163 CK_ULONG hmac_outlen = SHA1_HASH_SIZE;
1178 1164 CK_ULONG inlen;
1179 1165 CK_BYTE *input, *output;
1180 1166 CK_ULONG i, j;
1181 1167
1182 1168 input = newsalt;
1183 1169 inlen = saltlen;
1184 1170
1185 1171 output = buffer[1];
1186 1172 (void) pthread_mutex_lock(&session_p->session_mutex);
1187 1173
1188 1174 if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) {
1189 1175 (void) pthread_mutex_unlock(&session_p->session_mutex);
1190 1176 return (CKR_OPERATION_ACTIVE);
1191 1177 }
1192 1178 session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE;
1193 1179 (void) pthread_mutex_unlock(&session_p->session_mutex);
1194 1180
1195 1181 for (i = 0; i < params->iterations; i++) {
1196 1182 /*
1197 1183 * The key doesn't change, its always the
1198 1184 * password iniitally given.
1199 1185 */
1200 1186 rv = soft_sign_init(session_p, &digest_mech, hmac_key);
1201 1187
1202 1188 if (rv != CKR_OK) {
1203 1189 goto cleanup;
1204 1190 }
1205 1191
1206 1192 /* Call PRF function (SHA1_HMAC for now). */
1207 1193 rv = soft_sign(session_p, input, inlen, output, &hmac_outlen);
1208 1194
1209 1195 if (rv != CKR_OK) {
1210 1196 goto cleanup;
1211 1197 }
1212 1198 /*
1213 1199 * The first time, initialize the output buffer
1214 1200 * with the HMAC signature.
1215 1201 */
1216 1202 if (i == 0) {
1217 1203 (void) memcpy(blockdata, output,
1218 1204 local_min(blocklen, hmac_outlen));
1219 1205 } else {
1220 1206 /*
1221 1207 * XOR the existing data with output from PRF.
1222 1208 *
1223 1209 * Only XOR up to the length of the blockdata,
1224 1210 * it may be less than a full hmac buffer when
1225 1211 * the final block is being computed.
1226 1212 */
1227 1213 for (j = 0; j < hmac_outlen && j < blocklen; j++)
1228 1214 blockdata[j] ^= output[j];
1229 1215 }
1230 1216 /* Output from previous PRF is input for next round */
1231 1217 input = output;
1232 1218 inlen = hmac_outlen;
1233 1219
1234 1220 /*
1235 1221 * Switch buffers to avoid overuse of memcpy.
1236 1222 * Initially we used buffer[1], so after the end of
1237 1223 * the first iteration (i==0), we switch to buffer[0]
1238 1224 * and continue swapping with each iteration.
1239 1225 */
1240 1226 output = buffer[i%2];
1241 1227 }
1242 1228 cleanup:
1243 1229 (void) pthread_mutex_lock(&session_p->session_mutex);
1244 1230 session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE;
1245 1231 (void) pthread_mutex_unlock(&session_p->session_mutex);
1246 1232
1247 1233 return (rv);
1248 1234 }
1249 1235
1250 1236 static CK_RV
1251 1237 soft_create_hmac_key(soft_session_t *session_p, CK_BYTE *passwd,
1252 1238 CK_ULONG passwd_len, CK_OBJECT_HANDLE_PTR phKey)
1253 1239 {
1254 1240 CK_RV rv = CKR_OK;
1255 1241 CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY;
1256 1242 CK_KEY_TYPE keytype = CKK_GENERIC_SECRET;
1257 1243 CK_BBOOL True = TRUE;
1258 1244 CK_ATTRIBUTE keytemplate[4];
1259 1245 /*
1260 1246 * We must initialize each template member individually
1261 1247 * because at the time of initial coding for ON10, the
1262 1248 * compiler was using the "-xc99=%none" option
1263 1249 * which prevents us from being able to declare the whole
1264 1250 * template in place as usual.
1265 1251 */
1266 1252 keytemplate[0].type = CKA_CLASS;
1267 1253 keytemplate[0].pValue = &keyclass;
1268 1254 keytemplate[0].ulValueLen = sizeof (keyclass);
1269 1255
1270 1256 keytemplate[1].type = CKA_KEY_TYPE;
1271 1257 keytemplate[1].pValue = &keytype;
1272 1258 keytemplate[1].ulValueLen = sizeof (keytype);
1273 1259
1274 1260 keytemplate[2].type = CKA_SIGN;
1275 1261 keytemplate[2].pValue = &True;
1276 1262 keytemplate[2].ulValueLen = sizeof (True);
1277 1263
1278 1264 keytemplate[3].type = CKA_VALUE;
1279 1265 keytemplate[3].pValue = passwd;
1280 1266 keytemplate[3].ulValueLen = passwd_len;
1281 1267 /*
1282 1268 * Create a generic key object to be used for HMAC operations.
1283 1269 * The "value" for this key is the password from the
1284 1270 * mechanism parameter structure.
1285 1271 */
1286 1272 rv = soft_gen_keyobject(keytemplate,
1287 1273 sizeof (keytemplate)/sizeof (CK_ATTRIBUTE), phKey, session_p,
1288 1274 CKO_SECRET_KEY, (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0,
1289 1275 SOFT_CREATE_OBJ, B_TRUE);
1290 1276
1291 1277 return (rv);
1292 1278 }
1293 1279
1294 1280 CK_RV
1295 1281 soft_generate_pkcs5_pbkdf2_key(soft_session_t *session_p,
1296 1282 CK_MECHANISM_PTR pMechanism,
1297 1283 soft_object_t *secret_key)
1298 1284 {
1299 1285 CK_RV rv = CKR_OK;
1300 1286 CK_PKCS5_PBKD2_PARAMS *params =
1301 1287 (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter;
1302 1288 CK_ULONG hLen = SHA1_HASH_SIZE;
1303 1289 CK_ULONG dkLen, i;
1304 1290 CK_ULONG blocks, remainder;
1305 1291 CK_OBJECT_HANDLE phKey = 0;
1306 1292 soft_object_t *hmac_key = NULL;
1307 1293 CK_BYTE *salt = NULL;
1308 1294 CK_BYTE *keydata = NULL;
1309 1295
1310 1296 params = (CK_PKCS5_PBKD2_PARAMS_PTR) pMechanism->pParameter;
1311 1297
1312 1298 if (params->prf != CKP_PKCS5_PBKD2_HMAC_SHA1)
1313 1299 return (CKR_MECHANISM_PARAM_INVALID);
1314 1300
1315 1301 if (params->pPrfData != NULL || params->ulPrfDataLen != 0)
1316 1302 return (CKR_DATA_INVALID);
1317 1303
1318 1304 if (params->saltSource != CKZ_SALT_SPECIFIED ||
1319 1305 params->iterations == 0)
1320 1306 return (CKR_MECHANISM_PARAM_INVALID);
1321 1307
1322 1308 /*
1323 1309 * Create a key object to use for HMAC operations.
1324 1310 */
1325 1311 rv = soft_create_hmac_key(session_p, params->pPassword,
1326 1312 *params->ulPasswordLen, &phKey);
1327 1313
1328 1314 if (rv != CKR_OK)
1329 1315 return (rv);
1330 1316
1331 1317 hmac_key = (soft_object_t *)phKey;
1332 1318
1333 1319 /* Step 1. */
1334 1320 dkLen = OBJ_SEC_VALUE_LEN(secret_key); /* length of desired key */
1335 1321
1336 1322 if (dkLen > ((((u_longlong_t)1)<<32)-1)*hLen) {
1337 1323 (void) soft_delete_object(session_p, hmac_key, B_FALSE,
1338 1324 B_FALSE);
1339 1325 return (CKR_KEY_SIZE_RANGE);
1340 1326 }
1341 1327
1342 1328 /* Step 2. */
1343 1329 blocks = dkLen / hLen;
1344 1330
1345 1331 /* crude "Ceiling" function to adjust the number of blocks to use */
1346 1332 if (blocks * hLen != dkLen)
1347 1333 blocks++;
1348 1334
1349 1335 remainder = dkLen - ((blocks - 1) * hLen);
1350 1336
1351 1337 /* Step 3 */
1352 1338 salt = (CK_BYTE *)malloc(params->ulSaltSourceDataLen + 4);
1353 1339 if (salt == NULL) {
1354 1340 (void) soft_delete_object(session_p, hmac_key, B_FALSE,
1355 1341 B_FALSE);
1356 1342 return (CKR_HOST_MEMORY);
1357 1343 }
1358 1344 /*
1359 1345 * Nothing in PKCS#5 says you cannot pass an empty
1360 1346 * salt, so we will allow for this and not return error
1361 1347 * if the salt is not specified.
1362 1348 */
1363 1349 if (params->pSaltSourceData != NULL && params->ulSaltSourceDataLen > 0)
1364 1350 (void) memcpy(salt, params->pSaltSourceData,
1365 1351 params->ulSaltSourceDataLen);
1366 1352
1367 1353 /*
1368 1354 * Get pointer to the data section of the key,
1369 1355 * this will be used below as output from the
1370 1356 * PRF iteration/concatenations so that when the
1371 1357 * blocks are all iterated, the secret_key will
1372 1358 * have the resulting derived key value.
1373 1359 */
1374 1360 keydata = (CK_BYTE *)OBJ_SEC_VALUE(secret_key);
1375 1361
1376 1362 /* Step 4. */
1377 1363 for (i = 0; i < blocks && (rv == CKR_OK); i++) {
1378 1364 CK_BYTE *s;
1379 1365
1380 1366 s = salt + params->ulSaltSourceDataLen;
1381 1367
1382 1368 /*
1383 1369 * Append the block index to the salt as input
1384 1370 * to the PRF. Block index should start at 1
1385 1371 * not 0.
1386 1372 */
1387 1373 *s++ = ((i+1) >> 24) & 0xff;
1388 1374 *s++ = ((i+1) >> 16) & 0xff;
1389 1375 *s++ = ((i+1) >> 8) & 0xff;
1390 1376 *s = ((i+1)) & 0xff;
1391 1377
1392 1378 /*
|
↓ open down ↓ |
538 lines elided |
↑ open up ↑ |
1393 1379 * Adjust the key pointer so we always append the
1394 1380 * PRF output to the current key.
1395 1381 */
1396 1382 rv = do_prf(session_p, params, hmac_key,
1397 1383 salt, params->ulSaltSourceDataLen + 4, keydata,
1398 1384 ((i + 1) == blocks ? remainder : hLen));
1399 1385
1400 1386 keydata += hLen;
1401 1387 }
1402 1388 (void) soft_delete_object(session_p, hmac_key, B_FALSE, B_FALSE);
1403 - free(salt);
1389 + freezero(salt, params->ulSaltSourceDataLen);
1404 1390
1405 1391 return (rv);
1406 1392 }
1407 1393
1408 1394 CK_RV
1409 1395 soft_wrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
1410 1396 soft_object_t *wrappingKey_p, soft_object_t *hkey_p,
1411 1397 CK_BYTE_PTR pWrappedKey, CK_ULONG_PTR pulWrappedKeyLen)
1412 1398 {
1413 1399 CK_RV rv = CKR_OK;
1414 1400 CK_ULONG plain_len = 0;
1415 1401 CK_BYTE_PTR plain_data = NULL;
1416 1402 CK_ULONG padded_len = 0;
1417 1403 CK_BYTE_PTR padded_data = NULL;
1418 1404 CK_ULONG wkey_blksz = 1; /* so modulo will work right */
1419 1405
1420 1406 /* Check if the mechanism is supported. */
1421 1407 switch (pMechanism->mechanism) {
1422 1408 case CKM_DES_CBC_PAD:
1423 1409 case CKM_DES3_CBC_PAD:
1424 1410 case CKM_AES_CBC_PAD:
1425 1411 /*
1426 1412 * Secret key mechs with padding can be used to wrap secret
1427 1413 * keys and private keys only. See PKCS#11, * sec 11.14,
1428 1414 * C_WrapKey and secs 12.* for each mechanism's wrapping/
1429 1415 * unwrapping constraints.
1430 1416 */
1431 1417 if (hkey_p->class != CKO_SECRET_KEY && hkey_p->class !=
1432 1418 CKO_PRIVATE_KEY)
1433 1419 return (CKR_MECHANISM_INVALID);
1434 1420 break;
1435 1421 case CKM_RSA_PKCS:
1436 1422 case CKM_RSA_X_509:
1437 1423 case CKM_DES_ECB:
1438 1424 case CKM_DES3_ECB:
1439 1425 case CKM_AES_ECB:
1440 1426 case CKM_DES_CBC:
1441 1427 case CKM_DES3_CBC:
1442 1428 case CKM_AES_CBC:
1443 1429 case CKM_AES_CTR:
1444 1430 case CKM_BLOWFISH_CBC:
1445 1431 /*
1446 1432 * Unpadded secret key mechs and private key mechs are only
1447 1433 * defined for wrapping secret keys. See PKCS#11 refs above.
1448 1434 */
1449 1435 if (hkey_p->class != CKO_SECRET_KEY)
1450 1436 return (CKR_MECHANISM_INVALID);
1451 1437 break;
1452 1438 default:
1453 1439 return (CKR_MECHANISM_INVALID);
1454 1440 }
1455 1441
1456 1442 if (hkey_p->class == CKO_SECRET_KEY) {
1457 1443 plain_data = OBJ_SEC_VALUE(hkey_p);
1458 1444 plain_len = OBJ_SEC_VALUE_LEN(hkey_p);
1459 1445 } else {
1460 1446 /*
1461 1447 * BER-encode the object to be wrapped: call first with
1462 1448 * plain_data = NULL to get the size needed, allocate that
1463 1449 * much space, call again to fill space with actual data.
1464 1450 */
1465 1451 rv = soft_object_to_asn1(hkey_p, NULL, &plain_len);
1466 1452 if (rv != CKR_OK)
1467 1453 return (rv);
1468 1454 if ((plain_data = malloc(plain_len)) == NULL)
1469 1455 return (CKR_HOST_MEMORY);
1470 1456 (void) memset(plain_data, 0x0, plain_len);
1471 1457 rv = soft_object_to_asn1(hkey_p, plain_data, &plain_len);
1472 1458 if (rv != CKR_OK)
1473 1459 goto cleanup_wrap;
1474 1460 }
1475 1461
1476 1462 /*
1477 1463 * For unpadded ECB and CBC mechanisms, the object needs to be
1478 1464 * padded to the wrapping key's blocksize prior to the encryption.
1479 1465 */
1480 1466 padded_len = plain_len;
1481 1467 padded_data = plain_data;
1482 1468
1483 1469 switch (pMechanism->mechanism) {
1484 1470 case CKM_DES_ECB:
1485 1471 case CKM_DES3_ECB:
1486 1472 case CKM_AES_ECB:
1487 1473 case CKM_DES_CBC:
1488 1474 case CKM_DES3_CBC:
1489 1475 case CKM_AES_CBC:
1490 1476 case CKM_BLOWFISH_CBC:
1491 1477 /* Find the block size of the wrapping key. */
1492 1478 if (wrappingKey_p->class == CKO_SECRET_KEY) {
1493 1479 switch (wrappingKey_p->key_type) {
1494 1480 case CKK_DES:
1495 1481 case CKK_DES2:
1496 1482 case CKK_DES3:
1497 1483 wkey_blksz = DES_BLOCK_LEN;
1498 1484 break;
1499 1485 case CKK_AES:
1500 1486 wkey_blksz = AES_BLOCK_LEN;
1501 1487 break;
1502 1488 case CKK_BLOWFISH:
1503 1489 wkey_blksz = BLOWFISH_BLOCK_LEN;
1504 1490 break;
1505 1491 default:
1506 1492 break;
1507 1493 }
1508 1494 } else {
1509 1495 rv = CKR_WRAPPING_KEY_TYPE_INCONSISTENT;
1510 1496 goto cleanup_wrap;
1511 1497 }
1512 1498
1513 1499 /* Extend the plain text data to block size boundary. */
1514 1500 if ((padded_len % wkey_blksz) != 0) {
1515 1501 padded_len += (wkey_blksz - (plain_len % wkey_blksz));
1516 1502 if ((padded_data = malloc(padded_len)) == NULL) {
1517 1503 rv = CKR_HOST_MEMORY;
1518 1504 goto cleanup_wrap;
1519 1505 }
1520 1506 (void) memset(padded_data, 0x0, padded_len);
1521 1507 (void) memcpy(padded_data, plain_data, plain_len);
1522 1508 }
1523 1509 break;
1524 1510 default:
1525 1511 break;
1526 1512 }
1527 1513
|
↓ open down ↓ |
114 lines elided |
↑ open up ↑ |
1528 1514 rv = soft_encrypt_init(session_p, pMechanism, wrappingKey_p);
1529 1515 if (rv != CKR_OK)
1530 1516 goto cleanup_wrap;
1531 1517
1532 1518 rv = soft_encrypt(session_p, padded_data, padded_len,
1533 1519 pWrappedKey, pulWrappedKeyLen);
1534 1520
1535 1521 cleanup_wrap:
1536 1522 if (padded_data != NULL && padded_len != plain_len) {
1537 1523 /* Clear buffer before returning to memory pool. */
1538 - (void) memset(padded_data, 0x0, padded_len);
1539 - free(padded_data);
1524 + freezero(padded_data, padded_len);
1540 1525 }
1541 1526
1542 1527 if ((hkey_p->class != CKO_SECRET_KEY) && (plain_data != NULL)) {
1543 1528 /* Clear buffer before returning to memory pool. */
1544 - (void) memset(plain_data, 0x0, plain_len);
1545 - free(plain_data);
1529 + freezero(plain_data, plain_len);
1546 1530 }
1547 1531
1548 1532 return (rv);
1549 1533 }
1550 1534
1551 1535 /*
1552 1536 * Quick check for whether unwrapped key length is appropriate for key type
1553 1537 * and whether it needs to be truncated (in case the wrapping function had
1554 1538 * to pad the key prior to wrapping).
1555 1539 */
1556 1540 static CK_RV
1557 1541 soft_unwrap_secret_len_check(CK_KEY_TYPE keytype, CK_MECHANISM_TYPE mechtype,
1558 1542 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount)
1559 1543 {
1560 1544 CK_ULONG i;
1561 1545 boolean_t isValueLen = B_FALSE;
1562 1546
1563 1547 /*
1564 1548 * Based on the key type and the mech used to unwrap, need to
1565 1549 * determine if CKA_VALUE_LEN should or should not be specified.
1566 1550 * PKCS#11 v2.11 restricts CKA_VALUE_LEN from being specified
1567 1551 * for C_UnwrapKey for all mechs and key types, but v2.20 loosens
1568 1552 * that restriction, perhaps because it makes it impossible to
1569 1553 * determine the original length of unwrapped variable-length secret
1570 1554 * keys, such as RC4, AES, and GENERIC_SECRET. These variable-length
1571 1555 * secret keys would have been padded with trailing null-bytes so
1572 1556 * that they could be successfully wrapped with *_ECB and *_CBC
1573 1557 * mechanisms. Hence for unwrapping with these mechs, CKA_VALUE_LEN
1574 1558 * must be specified. For unwrapping with other mechs, such as
1575 1559 * *_CBC_PAD, the CKA_VALUE_LEN is not needed.
1576 1560 */
1577 1561
1578 1562 /* Find out if template has CKA_VALUE_LEN. */
1579 1563 for (i = 0; i < ulAttributeCount; i++) {
1580 1564 if (pTemplate[i].type == CKA_VALUE_LEN &&
1581 1565 pTemplate[i].pValue != NULL) {
1582 1566 isValueLen = B_TRUE;
1583 1567 break;
1584 1568 }
1585 1569 }
1586 1570
1587 1571 /* Does its presence conflict with the mech type and key type? */
1588 1572 switch (mechtype) {
1589 1573 case CKM_DES_ECB:
1590 1574 case CKM_DES3_ECB:
1591 1575 case CKM_AES_ECB:
1592 1576 case CKM_DES_CBC:
1593 1577 case CKM_DES3_CBC:
1594 1578 case CKM_AES_CBC:
1595 1579 case CKM_BLOWFISH_CBC:
1596 1580 /*
1597 1581 * CKA_VALUE_LEN must be specified
1598 1582 * if keytype is CKK_RC4, CKK_AES and CKK_GENERIC_SECRET
1599 1583 * and must not be specified otherwise
1600 1584 */
1601 1585 switch (keytype) {
1602 1586 case CKK_DES:
1603 1587 case CKK_DES2:
1604 1588 case CKK_DES3:
1605 1589 if (isValueLen)
1606 1590 return (CKR_TEMPLATE_INCONSISTENT);
1607 1591 break;
1608 1592 case CKK_GENERIC_SECRET:
1609 1593 case CKK_RC4:
1610 1594 case CKK_AES:
1611 1595 case CKK_BLOWFISH:
1612 1596 if (!isValueLen)
1613 1597 return (CKR_TEMPLATE_INCOMPLETE);
1614 1598 break;
1615 1599 default:
1616 1600 return (CKR_FUNCTION_NOT_SUPPORTED);
1617 1601 }
1618 1602 break;
1619 1603 default:
1620 1604 /* CKA_VALUE_LEN must not be specified */
1621 1605 if (isValueLen)
1622 1606 return (CKR_TEMPLATE_INCONSISTENT);
1623 1607 break;
1624 1608 }
1625 1609
1626 1610 return (CKR_OK);
1627 1611 }
1628 1612
1629 1613 CK_RV
1630 1614 soft_unwrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
1631 1615 soft_object_t *unwrappingkey_p,
1632 1616 CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
1633 1617 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
1634 1618 CK_OBJECT_HANDLE_PTR phKey)
1635 1619 {
1636 1620 CK_RV rv = CKR_OK;
1637 1621 CK_OBJECT_CLASS new_obj_class = ~0UL;
1638 1622 int i = 0;
1639 1623 soft_object_t *new_objp = NULL;
1640 1624 boolean_t persistent = B_FALSE;
1641 1625 CK_BYTE_PTR plain_data = NULL;
1642 1626 CK_ULONG plain_len = 0;
1643 1627 secret_key_obj_t *sck = NULL;
1644 1628
1645 1629 /* Scan the attribute template for the object class. */
1646 1630 if (pTemplate != NULL && ulAttributeCount != 0) {
1647 1631 for (i = 0; i < ulAttributeCount; i++) {
1648 1632 if (pTemplate[i].type == CKA_CLASS) {
1649 1633 new_obj_class =
1650 1634 *((CK_OBJECT_CLASS *)pTemplate[i].pValue);
1651 1635 break;
1652 1636 }
1653 1637 }
1654 1638 if (new_obj_class == ~0UL)
1655 1639 return (CKR_TEMPLATE_INCOMPLETE);
1656 1640 }
1657 1641
1658 1642 /*
1659 1643 * Check if the mechanism is supported, and now that the new
1660 1644 * object's class is known, the mechanism selected should be
1661 1645 * capable of doing the unwrap.
1662 1646 */
1663 1647 switch (pMechanism->mechanism) {
1664 1648 case CKM_RSA_PKCS:
1665 1649 case CKM_RSA_X_509:
1666 1650 case CKM_DES_ECB:
1667 1651 case CKM_DES3_ECB:
1668 1652 case CKM_AES_ECB:
1669 1653 case CKM_DES_CBC:
1670 1654 case CKM_DES3_CBC:
1671 1655 case CKM_AES_CBC:
1672 1656 case CKM_BLOWFISH_CBC:
1673 1657 if (new_obj_class != CKO_SECRET_KEY)
1674 1658 return (CKR_MECHANISM_INVALID);
1675 1659 break;
1676 1660 case CKM_DES_CBC_PAD:
1677 1661 case CKM_DES3_CBC_PAD:
1678 1662 case CKM_AES_CBC_PAD:
1679 1663 if (new_obj_class != CKO_SECRET_KEY && new_obj_class !=
1680 1664 CKO_PRIVATE_KEY)
1681 1665 return (CKR_MECHANISM_INVALID);
1682 1666 break;
1683 1667 default:
1684 1668 return (CKR_MECHANISM_INVALID);
1685 1669 }
1686 1670
1687 1671 /* Create a new object based on the attribute template. */
1688 1672 rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
1689 1673 (CK_ULONG *)&new_objp, session_p, (CK_OBJECT_CLASS)~0UL,
1690 1674 (CK_KEY_TYPE)~0UL, 0, SOFT_UNWRAP_KEY, B_FALSE);
1691 1675 if (rv != CKR_OK)
1692 1676 return (rv);
1693 1677
1694 1678 /*
1695 1679 * New key will have CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE
1696 1680 * both set to FALSE. CKA_EXTRACTABLE will be set _by_default_ to
1697 1681 * true -- leaving the possibility that it may be set FALSE by the
1698 1682 * supplied attribute template. If the precise template cannot be
1699 1683 * supported, unwrap fails. PKCS#11 spec, Sec. 11.14, C_UnwrapKey.
1700 1684 *
1701 1685 * Therefore, check the new object's NEVER_EXTRACTABLE_BOOL_ON and
1702 1686 * ALWAYS_SENSITVE_BOOL_ON; if they are TRUE, the template must
1703 1687 * have supplied them and therefore we cannot honor the unwrap.
1704 1688 */
1705 1689 if ((new_objp->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) ||
1706 1690 (new_objp->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON)) {
1707 1691 rv = CKR_TEMPLATE_INCONSISTENT;
1708 1692 goto cleanup_unwrap;
1709 1693 }
1710 1694
1711 1695 rv = soft_decrypt_init(session_p, pMechanism, unwrappingkey_p);
1712 1696 if (rv != CKR_OK)
1713 1697 goto cleanup_unwrap;
1714 1698
1715 1699 /* First get the length of the plain data */
1716 1700 rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, NULL,
1717 1701 &plain_len);
1718 1702 if (rv != CKR_OK)
1719 1703 goto cleanup_unwrap;
1720 1704
1721 1705 /* Allocate space for the unwrapped data */
1722 1706 if ((plain_data = malloc(plain_len)) == NULL) {
1723 1707 rv = CKR_HOST_MEMORY;
1724 1708 goto cleanup_unwrap;
1725 1709 }
1726 1710 (void) memset(plain_data, 0x0, plain_len);
1727 1711
1728 1712 /* Perform actual decryption into the allocated space. */
1729 1713 rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, plain_data,
1730 1714 &plain_len);
1731 1715 if (rv != CKR_OK)
1732 1716 goto cleanup_unwrap;
1733 1717
1734 1718 if (new_objp->class == CKO_SECRET_KEY) {
1735 1719 /*
1736 1720 * Since no ASN.1 encoding is done for secret keys, check for
1737 1721 * appropriateness and copy decrypted buffer to the key object.
1738 1722 */
1739 1723
1740 1724 /* Check keytype and mechtype don't conflict with valuelen */
1741 1725 rv = soft_unwrap_secret_len_check(new_objp->key_type,
1742 1726 pMechanism->mechanism, pTemplate, ulAttributeCount);
1743 1727 if (rv != CKR_OK)
1744 1728 goto cleanup_unwrap;
1745 1729
1746 1730 /*
1747 1731 * Allocate the secret key structure if not already there;
1748 1732 * it will exist for variable length keys since CKA_VALUE_LEN
1749 1733 * is specified and saved, but not for fixed length keys.
1750 1734 */
1751 1735 if (OBJ_SEC(new_objp) == NULL) {
1752 1736 if ((sck = calloc(1, sizeof (secret_key_obj_t))) ==
1753 1737 NULL) {
1754 1738 rv = CKR_HOST_MEMORY;
1755 1739 goto cleanup_unwrap;
1756 1740 }
1757 1741 OBJ_SEC(new_objp) = sck;
1758 1742 }
1759 1743
1760 1744 switch (new_objp->key_type) {
1761 1745 /* Fixed length secret keys don't have CKA_VALUE_LEN */
1762 1746 case CKK_DES:
1763 1747 OBJ_SEC_VALUE_LEN(new_objp) = DES_KEYSIZE;
1764 1748 break;
1765 1749 case CKK_DES2:
1766 1750 OBJ_SEC_VALUE_LEN(new_objp) = DES2_KEYSIZE;
1767 1751 break;
1768 1752 case CKK_DES3:
1769 1753 OBJ_SEC_VALUE_LEN(new_objp) = DES3_KEYSIZE;
1770 1754 break;
1771 1755
1772 1756 /*
1773 1757 * Variable length secret keys. CKA_VALUE_LEN must be
1774 1758 * provided by the template when mech is *_ECB or *_CBC, and
1775 1759 * should already have been set during soft_gen_keyobject().
1776 1760 * Otherwise we don't need CKA_VALUE_LEN.
1777 1761 */
1778 1762 case CKK_GENERIC_SECRET:
1779 1763 case CKK_RC4:
1780 1764 case CKK_AES:
1781 1765 case CKK_BLOWFISH:
1782 1766 break;
1783 1767 default:
1784 1768 rv = CKR_WRAPPED_KEY_INVALID;
1785 1769 goto cleanup_unwrap;
1786 1770 };
1787 1771
1788 1772 if (OBJ_SEC_VALUE_LEN(new_objp) == 0) {
1789 1773 /* No CKA_VALUE_LEN set so set it now and save data */
1790 1774 OBJ_SEC_VALUE_LEN(new_objp) = plain_len;
1791 1775 OBJ_SEC_VALUE(new_objp) = plain_data;
1792 1776 } else if (OBJ_SEC_VALUE_LEN(new_objp) == plain_len) {
1793 1777 /* No need to truncate, just save the data */
1794 1778 OBJ_SEC_VALUE(new_objp) = plain_data;
1795 1779 } else if (OBJ_SEC_VALUE_LEN(new_objp) > plain_len) {
1796 1780 /* Length can't be bigger than what was decrypted */
1797 1781 rv = CKR_WRAPPED_KEY_LEN_RANGE;
1798 1782 goto cleanup_unwrap;
1799 1783 } else { /* betw 0 and plain_len, hence padded */
1800 1784 /* Truncate the data before saving. */
1801 1785 OBJ_SEC_VALUE(new_objp) = realloc(plain_data,
1802 1786 OBJ_SEC_VALUE_LEN(new_objp));
1803 1787 if (OBJ_SEC_VALUE(new_objp) == NULL) {
1804 1788 rv = CKR_HOST_MEMORY;
1805 1789 goto cleanup_unwrap;
1806 1790 }
1807 1791 }
1808 1792 } else {
1809 1793 /* BER-decode the object to be unwrapped. */
1810 1794 rv = soft_asn1_to_object(new_objp, plain_data, plain_len);
1811 1795 if (rv != CKR_OK)
1812 1796 goto cleanup_unwrap;
1813 1797 }
1814 1798
|
↓ open down ↓ |
259 lines elided |
↑ open up ↑ |
1815 1799 /* If it needs to be persistent, write it to the keystore */
1816 1800 if (IS_TOKEN_OBJECT(new_objp)) {
1817 1801 persistent = B_TRUE;
1818 1802 rv = soft_put_object_to_keystore(new_objp);
1819 1803 if (rv != CKR_OK)
1820 1804 goto cleanup_unwrap;
1821 1805 }
1822 1806
1823 1807 if (new_objp->class != CKO_SECRET_KEY) {
1824 1808 /* Clear buffer before returning to memory pool. */
1825 - (void) memset(plain_data, 0x0, plain_len);
1826 - free(plain_data);
1809 + freezero(plain_data, plain_len);
1827 1810 }
1828 1811
1829 1812 *phKey = (CK_OBJECT_HANDLE)new_objp;
1830 1813
1831 1814 return (CKR_OK);
1832 1815
1833 1816 cleanup_unwrap:
1834 1817 /* The decrypted private key buffer must be freed explicitly. */
1835 1818 if ((new_objp->class != CKO_SECRET_KEY) && (plain_data != NULL)) {
1836 1819 /* Clear buffer before returning to memory pool. */
1837 - (void) memset(plain_data, 0x0, plain_len);
1838 - free(plain_data);
1820 + freezero(plain_data, plain_len);
1839 1821 }
1840 1822
1841 1823 /* sck and new_objp are indirectly free()d inside these functions */
1842 1824 if (IS_TOKEN_OBJECT(new_objp))
1843 1825 soft_delete_token_object(new_objp, persistent, B_FALSE);
1844 1826 else
1845 1827 soft_delete_object(session_p, new_objp, B_FALSE, B_FALSE);
1846 1828
1847 1829 return (rv);
1848 1830 }
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX