1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
25
26 #include <fcntl.h>
27 #include <strings.h>
28 #include <sys/stat.h>
29 #include <sys/types.h>
30 #include <sys/sha1.h>
31 #include <sys/md5.h>
32 #include <sys/sysmacros.h>
33 #include <security/cryptoki.h>
34 #include "softGlobal.h"
35 #include "softKeys.h"
36 #include "softKeystore.h"
37 #include "softMAC.h"
38 #include "softObject.h"
39 #include "softSession.h"
40 #include "softSSL.h"
41
42 /*
43 * This files contains the implementation of the following PKCS#11
44 * mechanisms needed by SSL:
45 * CKM_SSL3_MASTER_KEY_DERIVE
46 * CKM_SSL3_MASTER_KEY_DERIVE_DH
47 * CKM_SSL3_KEY_AND_DERIVE
48 * CKM_TLS_MASTER_KEY_DERIVE
49 * CKM_TLS_MASTER_KEY_DERIVE_DH
50 * CKM_TLS_KEY_AND_DERIVE
51 *
52 * SSL refers to common functions between SSL v3.0 and SSL v3.1 (a.k.a TLS.)
53 */
54
55 #define MAX_KEYBLOCK 160 /* should be plenty for all known cipherspecs */
56
57 #define MAX_DEFAULT_ATTRS 10 /* Enough for major applicarions */
58
59 static char *ssl3_const_vals[] = {
60 "A",
61 "BB",
62 "CCC",
63 "DDDD",
64 "EEEEE",
65 "FFFFFF",
66 "GGGGGGG",
67 "HHHHHHHH",
68 "IIIIIIIII",
69 "JJJJJJJJJJ",
70 };
71 static uint_t ssl3_const_lens[] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
72
73 static uchar_t TLS_MASTER_SECRET_LABEL[] = {"master secret"};
74 #define TLS_MASTER_SECRET_LABEL_LEN 13
75
76 static uchar_t TLS_KEY_EXPANSION_LABEL[] = {"key expansion"};
77 #define TLS_KEY_EXPANSION_LABEL_LEN 13
78
79 static uchar_t TLS_CLIENT_KEY_LABEL[] = {"client write key"};
80 #define TLS_CLIENT_KEY_LABEL_LEN 16
81
82 static uchar_t TLS_SERVER_KEY_LABEL[] = {"server write key"};
83 #define TLS_SERVER_KEY_LABEL_LEN 16
84
85 static uchar_t TLS_IV_BLOCK_LABEL[] = {"IV block"};
86 #define TLS_IV_BLOCK_LABEL_LEN 8
87
88 static void P_MD5(uchar_t *, uint_t, uchar_t *, uint_t, uchar_t *, uint_t,
89 uchar_t *, uint_t, uchar_t *, uint_t, boolean_t);
90 static void P_SHA1(uchar_t *, uint_t, uchar_t *, uint_t, uchar_t *, uint_t,
91 uchar_t *, uint_t, uchar_t *, uint_t, boolean_t);
92
93 static CK_RV soft_add_derived_key(CK_ATTRIBUTE_PTR, CK_ULONG,
94 CK_OBJECT_HANDLE_PTR, soft_session_t *, soft_object_t *);
95 static void soft_delete_derived_key(soft_session_t *, soft_object_t *);
96 static void soft_ssl_weaken_key(CK_MECHANISM_PTR, uchar_t *, uint_t,
97 uchar_t *, uint_t, uchar_t *, uint_t, uchar_t *, boolean_t);
98
99 /*
100 * soft_ssl3_churn()
101 * Called for derivation of the master secret from the pre-master secret,
102 * and for the derivation of the key_block in an SSL3 handshake
103 * result is assumed to be larger than rounds * MD5_HASH_SIZE.
104 */
105 static void
106 soft_ssl3_churn(uchar_t *secret, uint_t secretlen, uchar_t *rand1,
107 uint_t rand1len, uchar_t *rand2, uint_t rand2len, int rounds,
108 uchar_t *result)
109 {
110 SHA1_CTX sha1_ctx;
111 MD5_CTX md5_ctx;
112 uchar_t sha1_digest[SHA1_HASH_SIZE];
113 int i;
114 uchar_t *ms = result;
115 for (i = 0; i < rounds; i++) {
116 SHA1Init(&sha1_ctx);
117 SHA1Update(&sha1_ctx, (const uint8_t *)ssl3_const_vals[i],
118 ssl3_const_lens[i]);
119 SHA1Update(&sha1_ctx, secret, secretlen);
120 SHA1Update(&sha1_ctx, rand1, rand1len);
121 SHA1Update(&sha1_ctx, rand2, rand2len);
122 SHA1Final(sha1_digest, &sha1_ctx);
123
124 MD5Init(&md5_ctx);
125 MD5Update(&md5_ctx, secret, secretlen);
126 MD5Update(&md5_ctx, sha1_digest, SHA1_HASH_SIZE);
127 MD5Final(ms, &md5_ctx);
128 ms += MD5_HASH_SIZE;
129 }
130 }
131
132 /*
133 * This TLS generic Pseudo Random Function expands a triplet
134 * {secret, label, seed} into any arbitrary length string of pseudo
135 * random bytes.
136 * Here, it is called for the derivation of the master secret from the
137 * pre-master secret, and for the derivation of the key_block in a TLS
138 * handshake
139 */
140 static void
141 soft_tls_prf(uchar_t *secret, uint_t secretlen, uchar_t *label, uint_t labellen,
142 uchar_t *rand1, uint_t rand1len, uchar_t *rand2, uint_t rand2len,
143 uchar_t *result, uint_t resultlen)
144 {
145 uchar_t *S1, *S2;
146 uchar_t md5_digested_key[MD5_HASH_SIZE];
147 uchar_t sha1_digested_key[SHA1_HASH_SIZE];
148 uint_t L_S, L_S1, L_S2;
149
150 /* secret is NULL for IV's in exportable ciphersuites */
151 if (secret == NULL) {
152 L_S = 0;
153 L_S2 = L_S1 = 0;
154 S1 = NULL;
155 S2 = NULL;
156 goto do_P_HASH;
157 }
158
159 L_S = roundup(secretlen, 2) / 2;
160 L_S1 = L_S;
161 L_S2 = L_S;
162 S1 = secret;
163 S2 = secret + (secretlen / 2); /* Possible overlap of S1 and S2. */
164
165 /* Reduce the half secrets if bigger than the HASH's block size */
166 if (L_S > MD5_HMAC_BLOCK_SIZE) {
167 MD5_CTX md5_ctx;
168 SHA1_CTX sha1_ctx;
169
170 MD5Init(&md5_ctx);
171 MD5Update(&md5_ctx, S1, L_S);
172 MD5Final(md5_digested_key, &md5_ctx);
173 S1 = md5_digested_key;
174 L_S1 = MD5_HASH_SIZE;
175
176 SHA1Init(&sha1_ctx);
177 SHA1Update(&sha1_ctx, S2, L_S);
178 SHA1Final(sha1_digested_key, &sha1_ctx);
179 S2 = sha1_digested_key;
180 L_S2 = SHA1_HASH_SIZE;
181 }
182
183 /*
184 * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
185 * P_SHA-1(S2, label + seed);
186 * the 'seed' here is rand1 + rand2
187 */
188 do_P_HASH:
189 /* The first one writes directly to the result */
190 P_MD5(S1, L_S1, label, labellen, rand1, rand1len, rand2, rand2len,
191 result, resultlen, B_FALSE);
192
193 /* The second one XOR's with the result. */
194 P_SHA1(S2, L_S2, label, labellen, rand1, rand1len, rand2, rand2len,
195 result, resultlen, B_TRUE);
196 }
197
198 /*
199 * These two expansion routines are very similar. (they can merge one day).
200 * They implement the P_HASH() function for MD5 and for SHA1, as defined in
201 * RFC2246:
202 *
203 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
204 * HMAC_hash(secret, A(2) + seed) +
205 * HMAC_hash(secret, A(3) + seed) + ...
206 * Where + indicates concatenation.
207 * A() is defined as:
208 * A(0) = seed
209 * A(i) = HMAC_hash(secret, A(i-1))
210 *
211 * The seed is the concatenation of 'babel', 'rand1', and 'rand2'.
212 */
213 static void
214 P_MD5(uchar_t *secret, uint_t secretlen, uchar_t *label, uint_t labellen,
215 uchar_t *rand1, uint_t rand1len, uchar_t *rand2, uint_t rand2len,
216 uchar_t *result, uint_t resultlen, boolean_t xor_it)
217 {
218 uint32_t md5_ipad[MD5_HMAC_INTS_PER_BLOCK];
219 uint32_t md5_opad[MD5_HMAC_INTS_PER_BLOCK];
220 uchar_t md5_hmac[MD5_HASH_SIZE];
221 uchar_t A[MD5_HASH_SIZE];
222 md5_hc_ctx_t md5_hmac_ctx;
223 uchar_t *res, *cur;
224 uint_t left = resultlen;
225 int i;
226
227 /* good compilers will leverage the aligment */
228 bzero(md5_ipad, MD5_HMAC_BLOCK_SIZE);
229 bzero(md5_opad, MD5_HMAC_BLOCK_SIZE);
230
231 if (secretlen > 0) {
232 bcopy(secret, md5_ipad, secretlen);
233 bcopy(secret, md5_opad, secretlen);
234 }
235
236 /* A(1) = HMAC_MD5(secret, rand1 + rand2) */
237 md5_hmac_ctx_init(&md5_hmac_ctx, md5_ipad, md5_opad);
238 SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, label, labellen);
239 SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, rand1, rand1len);
240 SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, rand2, rand2len);
241 SOFT_MAC_FINAL(MD5, &md5_hmac_ctx, A);
242
243 if (xor_it) {
244 res = md5_hmac;
245 cur = result;
246 } else {
247 res = result;
248 }
249
250 while (left > 0) {
251 /*
252 * Compute HMAC_MD5(secret, A(i) + seed);
253 * The secret is already expanded in the ictx and octx, so
254 * we can call the SOFT_MAC_INIT_CTX() directly.
255 */
256 SOFT_MAC_INIT_CTX(MD5, &md5_hmac_ctx, md5_ipad, md5_opad,
257 MD5_HMAC_BLOCK_SIZE);
258 SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, A, MD5_HASH_SIZE);
259 SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, label, labellen);
260 SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, rand1, rand1len);
261 SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, rand2, rand2len);
262
263 if (left > MD5_HASH_SIZE) {
264 SOFT_MAC_FINAL(MD5, &md5_hmac_ctx, res);
265 if (xor_it) {
266 for (i = 0; i < MD5_HASH_SIZE; i++) {
267 *cur ^= res[i];
268 cur++;
269 }
270 } else {
271 res += MD5_HASH_SIZE;
272 }
273 left -= MD5_HASH_SIZE;
274 } else {
275 SOFT_MAC_FINAL(MD5, &md5_hmac_ctx, md5_hmac);
276 if (xor_it) {
277 for (i = 0; i < left; i++) {
278 *cur ^= md5_hmac[i];
279 cur++;
280 }
281 } else {
282 bcopy(md5_hmac, res, left);
283 }
284 break;
285 }
286 /* A(i) = HMAC_MD5(secret, A(i-1) */
287 SOFT_MAC_INIT_CTX(MD5, &md5_hmac_ctx, md5_ipad, md5_opad,
288 MD5_HMAC_BLOCK_SIZE);
289 SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, A, MD5_HASH_SIZE);
290 SOFT_MAC_FINAL(MD5, &md5_hmac_ctx, A);
291 }
292 }
293 static void
294 P_SHA1(uchar_t *secret, uint_t secretlen, uchar_t *label, uint_t labellen,
295 uchar_t *rand1, uint_t rand1len, uchar_t *rand2, uint_t rand2len,
296 uchar_t *result, uint_t resultlen, boolean_t xor_it)
297 {
298 uint32_t sha1_ipad[SHA1_HMAC_INTS_PER_BLOCK];
299 uint32_t sha1_opad[SHA1_HMAC_INTS_PER_BLOCK];
300 uchar_t sha1_hmac[SHA1_HASH_SIZE];
301 uchar_t A[SHA1_HASH_SIZE];
302 sha1_hc_ctx_t sha1_hmac_ctx;
303 uchar_t *res, *cur;
304 uint_t left = resultlen;
305 int i;
306
307 /* good compilers will leverage the aligment */
308 bzero(sha1_ipad, SHA1_HMAC_BLOCK_SIZE);
309 bzero(sha1_opad, SHA1_HMAC_BLOCK_SIZE);
310
311 if (secretlen > 0) {
312 bcopy(secret, sha1_ipad, secretlen);
313 bcopy(secret, sha1_opad, secretlen);
314 }
315
316 /* A(1) = HMAC_SHA1(secret, rand1 + rand2) */
317 sha1_hmac_ctx_init(&sha1_hmac_ctx, sha1_ipad, sha1_opad);
318 SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, label, labellen);
319 SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, rand1, rand1len);
320 SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, rand2, rand2len);
321 SOFT_MAC_FINAL(SHA1, &sha1_hmac_ctx, A);
322
323 if (xor_it) {
324 res = sha1_hmac;
325 cur = result;
326 } else {
327 res = result;
328 }
329
330 while (left > 0) {
331 /*
332 * Compute HMAC_SHA1(secret, A(i) + seed);
333 * The secret is already expanded in the ictx and octx, so
334 * we can call the SOFT_MAC_INIT_CTX() directly.
335 */
336 SOFT_MAC_INIT_CTX(SHA1, &sha1_hmac_ctx,
337 (const uchar_t *)sha1_ipad, (const uchar_t *)sha1_opad,
338 SHA1_HMAC_BLOCK_SIZE);
339 SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, A, SHA1_HASH_SIZE);
340 SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, label, labellen);
341 SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, rand1, rand1len);
342 SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, rand2, rand2len);
343
344 if (left > SHA1_HASH_SIZE) {
345 SOFT_MAC_FINAL(SHA1, &sha1_hmac_ctx, res);
346 if (xor_it) {
347 for (i = 0; i < SHA1_HASH_SIZE; i++) {
348 *cur ^= res[i];
349 cur++;
350 }
351 } else {
352 res += SHA1_HASH_SIZE;
353 }
354 left -= SHA1_HASH_SIZE;
355 } else {
356 SOFT_MAC_FINAL(SHA1, &sha1_hmac_ctx, sha1_hmac);
357 if (xor_it) {
358 for (i = 0; i < left; i++) {
359 *cur ^= sha1_hmac[i];
360 cur++;
361 }
362 } else {
363 bcopy(sha1_hmac, res, left);
364 }
365 break;
366 }
367 /* A(i) = HMAC_SHA1(secret, A(i-1) */
368 SOFT_MAC_INIT_CTX(SHA1, &sha1_hmac_ctx,
369 (const uchar_t *)sha1_ipad, (const uchar_t *)sha1_opad,
370 SHA1_HMAC_BLOCK_SIZE);
371 SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, A, SHA1_HASH_SIZE);
372 SOFT_MAC_FINAL(SHA1, &sha1_hmac_ctx, A);
373 }
374 }
375
376 /* This function handles the call from C_DeriveKey for CKM_TLS_PRF */
377 CK_RV
378 derive_tls_prf(CK_TLS_PRF_PARAMS_PTR param, soft_object_t *basekey_p)
379 {
380
381 if (param->pOutput == NULL || param->pulOutputLen == 0)
382 return (CKR_BUFFER_TOO_SMALL);
383
384 (void) soft_tls_prf(OBJ_SEC_VALUE(basekey_p),
385 OBJ_SEC_VALUE_LEN(basekey_p), param->pLabel, param->ulLabelLen,
386 param->pSeed, param->ulSeedLen, NULL, 0, param->pOutput,
387 *param->pulOutputLen);
388
389 return (CKR_OK);
390 }
391
392
393 /*
394 * soft_ssl_master_key_derive()
395 *
396 * Arguments:
397 * . session_p
398 * . mech_p: key derivation mechanism. the mechanism parameter carries the
399 * client and master random from the Hello handshake messages.
400 * . basekey_p: The pre-master secret key.
401 * . pTemplate & ulAttributeCount: Any extra attributes for the key to be
402 * created.
403 * . phKey: store for handle to the derived key.
404 *
405 * Description:
406 * Derive the SSL master secret from the pre-master secret, the client
407 * and server random.
408 * In SSL 3.0, master_secret =
409 * MD5(pre_master_secret + SHA('A' + pre_master_secret +
410 * ClientHello.random + ServerHello.random)) +
411 * MD5(pre_master_secret + SHA('BB' + pre_master_secret +
412 * ClientHello.random + ServerHello.random)) +
413 * MD5(pre_master_secret + SHA('CCC' + pre_master_secret +
414 * ClientHello.random + ServerHello.random));
415 *
416 * In TLS 1.0 (a.k.a. SSL 3.1), master_secret =
417 * PRF(pre_master_secret, "master secret",
418 * ClientHello.random + ServerHello.random)
419 */
420 CK_RV
421 soft_ssl_master_key_derive(soft_session_t *sp, CK_MECHANISM_PTR mech,
422 soft_object_t *basekey_p, CK_ATTRIBUTE_PTR pTemplate,
423 CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey)
424 {
425 uchar_t *pmsecret = OBJ_SEC_VALUE(basekey_p);
426 #ifdef __sparcv9
427 /* LINTED */
428 uint_t pmlen = (uint_t)OBJ_SEC_VALUE_LEN(basekey_p);
429 #else /* __sparcv9 */
430 uint_t pmlen = OBJ_SEC_VALUE_LEN(basekey_p);
431 #endif /* __sparcv9 */
432 CK_SSL3_MASTER_KEY_DERIVE_PARAMS *mkd_params;
433 CK_SSL3_RANDOM_DATA *random_data;
434 CK_VERSION_PTR pVersion;
435 uchar_t ssl_master_secret[48];
436 CK_OBJECT_CLASS class = CKO_SECRET_KEY;
437 CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
438 CK_BBOOL true = TRUE;
439 CK_ATTRIBUTE obj_tmpl[MAX_DEFAULT_ATTRS];
440 CK_ATTRIBUTE_PTR new_tmpl;
441 CK_ULONG newattrcount;
442 boolean_t new_tmpl_allocated = B_FALSE, is_tls = B_FALSE;
443 ulong_t i;
444 CK_RV rv = CKR_OK;
445 uint_t ClientRandomLen, ServerRandomLen;
446
447 /* Check the validity of the mechanism's parameter */
448
449 mkd_params = (CK_SSL3_MASTER_KEY_DERIVE_PARAMS *)mech->pParameter;
450
451 if (mkd_params == NULL ||
452 mech->ulParameterLen != sizeof (CK_SSL3_MASTER_KEY_DERIVE_PARAMS))
453 return (CKR_MECHANISM_PARAM_INVALID);
454
455 pVersion = mkd_params->pVersion;
456
457 switch (mech->mechanism) {
458 case CKM_TLS_MASTER_KEY_DERIVE:
459 is_tls = B_TRUE;
460 /* FALLTHRU */
461 case CKM_SSL3_MASTER_KEY_DERIVE:
462 /* Invalid pre-master key length. What else to return? */
463 if (pmlen != 48)
464 return (CKR_ARGUMENTS_BAD);
465
466 /* Get the SSL version number from the premaster secret */
467 if (pVersion == NULL_PTR)
468 return (CKR_MECHANISM_PARAM_INVALID);
469
470 bcopy(pmsecret, pVersion, sizeof (CK_VERSION));
471
472 break;
473 case CKM_TLS_MASTER_KEY_DERIVE_DH:
474 is_tls = B_TRUE;
475 /* FALLTHRU */
476 case CKM_SSL3_MASTER_KEY_DERIVE_DH:
477 if (pVersion != NULL_PTR)
478 return (CKR_MECHANISM_PARAM_INVALID);
479 }
480
481 random_data = &mkd_params->RandomInfo;
482 #ifdef __sparcv9
483 /* LINTED */
484 ClientRandomLen = (uint_t)random_data->ulClientRandomLen;
485 /* LINTED */
486 ServerRandomLen = (uint_t)random_data->ulServerRandomLen;
487 #else /* __sparcv9 */
488 ClientRandomLen = random_data->ulClientRandomLen;
489 ServerRandomLen = random_data->ulServerRandomLen;
490 #endif /* __sparcv9 */
491
492 if (random_data->pClientRandom == NULL_PTR || ClientRandomLen == 0 ||
493 random_data->pServerRandom == NULL_PTR || ServerRandomLen == 0) {
494 return (CKR_MECHANISM_PARAM_INVALID);
495 }
496
497 /* Now the actual secret derivation */
498 if (!is_tls) {
499 soft_ssl3_churn(pmsecret, pmlen, random_data->pClientRandom,
500 ClientRandomLen, random_data->pServerRandom,
501 ServerRandomLen, 3, ssl_master_secret);
502 } else {
503 soft_tls_prf(pmsecret, pmlen, TLS_MASTER_SECRET_LABEL,
504 TLS_MASTER_SECRET_LABEL_LEN, random_data->pClientRandom,
505 ClientRandomLen, random_data->pServerRandom,
506 ServerRandomLen, ssl_master_secret, 48);
507 }
508
509 /*
510 * The object creation attributes need to be in one contiguous
511 * array. In addition to the attrs from the application supplied
512 * pTemplates, We need to add the class, type, value, valuelen and
513 * CKA_DERIVE.
514 * In the most likely case, the application passes between zero and
515 * handful of attributes, We optimize for that case by allocating
516 * the new template on the stack. Oherwise we malloc() it.
517 */
518
519 newattrcount = ulAttributeCount + 4;
520 if (newattrcount > MAX_DEFAULT_ATTRS) {
521 new_tmpl = malloc(sizeof (CK_ATTRIBUTE) * newattrcount);
522
523 if (new_tmpl == NULL)
524 return (CKR_HOST_MEMORY);
525
526 new_tmpl_allocated = B_TRUE;
527 } else
528 new_tmpl = obj_tmpl;
529
530 /*
531 * Fill in the new template.
532 * We put the attributes contributed by the mechanism first
533 * so that they override the application supplied ones.
534 */
535 new_tmpl[0].type = CKA_CLASS;
536 new_tmpl[0].pValue = &class;
537 new_tmpl[0].ulValueLen = sizeof (class);
538 new_tmpl[1].type = CKA_KEY_TYPE;
539 new_tmpl[1].pValue = &keyType;
540 new_tmpl[1].ulValueLen = sizeof (keyType);
541 new_tmpl[2].type = CKA_DERIVE;
542 new_tmpl[2].pValue = &true;
543 new_tmpl[2].ulValueLen = sizeof (true);
544 new_tmpl[3].type = CKA_VALUE;
545 new_tmpl[3].pValue = ssl_master_secret;
546 new_tmpl[3].ulValueLen = 48;
547
548 /* Any attributes left? */
549 if (ulAttributeCount > 0) {
550
551 /* Validate the default class and type attributes */
552 for (i = 0; i < ulAttributeCount; i++) {
553 /* The caller is responsible for proper alignment */
554 if ((pTemplate[i].type == CKA_CLASS) &&
555 (*((CK_OBJECT_CLASS *)pTemplate[i].pValue) !=
556 CKO_SECRET_KEY)) {
557 rv = CKR_TEMPLATE_INCONSISTENT;
558 goto out;
559 }
560 if ((pTemplate[i].type == CKA_KEY_TYPE) &&
561 (*((CK_KEY_TYPE *)pTemplate[i].pValue) !=
562 CKK_GENERIC_SECRET)) {
563 rv = CKR_TEMPLATE_INCONSISTENT;
564 goto out;
565 }
566 }
567 bcopy(pTemplate, &new_tmpl[4],
568 ulAttributeCount * sizeof (CK_ATTRIBUTE));
569 }
570
571 rv = soft_add_derived_key(new_tmpl, newattrcount, phKey, sp, basekey_p);
572 out:
573 if (new_tmpl_allocated)
574 free(new_tmpl);
575
576 return (rv);
577 }
578
579 /*
580 * soft_ssl3_key_and_mac_derive()
581 *
582 * Arguments:
583 * . session_p
584 * . mech_p: key derivation mechanism. the mechanism parameter carries the
585 * client and mastter random from the Hello handshake messages,
586 * the specification of the key and IV sizes, and the location
587 * for the resulting keys and IVs.
588 * . basekey_p: The master secret key.
589 * . pTemplate & ulAttributeCount: Any extra attributes for the key to be
590 * created.
591 *
592 * Description:
593 * Derive the SSL key material (Client and server MAC secrets, symmetric
594 * keys and IVs), from the master secret and the client
595 * and server random.
596 * First a keyblock is generated usining the following formula:
597 * key_block =
598 * MD5(master_secret + SHA(`A' + master_secret +
599 * ServerHello.random +
600 * ClientHello.random)) +
601 * MD5(master_secret + SHA(`BB' + master_secret +
602 * ServerHello.random +
603 * ClientHello.random)) +
604 * MD5(master_secret + SHA(`CCC' + master_secret +
605 * ServerHello.random +
606 * ClientHello.random)) + [...];
607 *
608 * In TLS 1.0 (a.k.a. SSL 3.1), key_block =
609 * PRF(master_secret, "key expansion",
610 * ServerHello.random + ClientHello.random)
611 *
612 * Then the keys materials are taken from the keyblock.
613 */
614
615 CK_RV
616 soft_ssl_key_and_mac_derive(soft_session_t *sp, CK_MECHANISM_PTR mech,
617 soft_object_t *basekey_p, CK_ATTRIBUTE_PTR pTemplate,
618 CK_ULONG ulAttributeCount)
619 {
620 uchar_t *msecret = OBJ_SEC_VALUE(basekey_p);
621 #ifdef __sparcv9
622 /* LINTED */
623 uint_t mslen = (uint_t)OBJ_SEC_VALUE_LEN(basekey_p);
624 #else /* __sparcv9 */
625 uint_t mslen = OBJ_SEC_VALUE_LEN(basekey_p);
626 #endif /* __sparcv9 */
627 CK_SSL3_KEY_MAT_PARAMS *km_params;
628 CK_SSL3_RANDOM_DATA *random_data;
629 CK_SSL3_KEY_MAT_OUT *kmo;
630 uchar_t key_block[MAX_KEYBLOCK], *kb, *export_keys = NULL;
631 CK_OBJECT_CLASS class = CKO_SECRET_KEY;
632 CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
633 CK_BBOOL true = TRUE;
634 CK_ATTRIBUTE obj_tmpl[MAX_DEFAULT_ATTRS];
635 CK_ATTRIBUTE_PTR new_tmpl;
636 ulong_t newattrcount, mac_key_bytes, secret_key_bytes, iv_bytes;
637 ulong_t extra_attr_count;
638 uint_t size;
639 int rounds, n = 0;
640 boolean_t new_tmpl_allocated = B_FALSE, isExport;
641 CK_RV rv = CKR_OK;
642 uint_t ClientRandomLen, ServerRandomLen;
643
644 /* Check the validity of the mechanism's parameter */
645
646 km_params = (CK_SSL3_KEY_MAT_PARAMS *)mech->pParameter;
647
648 if (km_params == NULL ||
649 mech->ulParameterLen != sizeof (CK_SSL3_KEY_MAT_PARAMS) ||
650 (kmo = km_params->pReturnedKeyMaterial) == NULL)
651 return (CKR_MECHANISM_PARAM_INVALID);
652
653 isExport = (km_params->bIsExport == TRUE);
654
655 random_data = &km_params->RandomInfo;
656 #ifdef __sparcv9
657 /* LINTED */
658 ClientRandomLen = (uint_t)random_data->ulClientRandomLen;
659 /* LINTED */
660 ServerRandomLen = (uint_t)random_data->ulServerRandomLen;
661 #else /* __sparcv9 */
662 ClientRandomLen = random_data->ulClientRandomLen;
663 ServerRandomLen = random_data->ulServerRandomLen;
664 #endif /* __sparcv9 */
665
666 if (random_data->pClientRandom == NULL_PTR || ClientRandomLen == 0 ||
667 random_data->pServerRandom == NULL_PTR || ServerRandomLen == 0) {
668 return (CKR_MECHANISM_PARAM_INVALID);
669 }
670
671 mac_key_bytes = km_params->ulMacSizeInBits / 8;
672 secret_key_bytes = km_params->ulKeySizeInBits / 8;
673 iv_bytes = km_params->ulIVSizeInBits / 8;
674
675 if ((iv_bytes > 0) &&
676 ((kmo->pIVClient == NULL) || (kmo->pIVServer == NULL)))
677 return (CKR_MECHANISM_PARAM_INVALID);
678
679 /*
680 * For exportable ciphersuites, the IV's aren't taken from the
681 * key block. They are directly derived from the client and
682 * server random data.
683 * For SSL3.0:
684 * client_write_IV = MD5(ClientHello.random + ServerHello.random);
685 * server_write_IV = MD5(ServerHello.random + ClientHello.random);
686 * For TLS1.0:
687 * iv_block = PRF("", "IV block", client_random +
688 * server_random)[0..15]
689 * client_write_IV = iv_block[0..7]
690 * server_write_IV = iv_block[8..15]
691 */
692 if ((isExport) && (iv_bytes > 0)) {
693
694 if (mech->mechanism == CKM_SSL3_KEY_AND_MAC_DERIVE) {
695 MD5_CTX exp_md5_ctx;
696
697 if (iv_bytes > MD5_HASH_SIZE)
698 return (CKR_MECHANISM_PARAM_INVALID);
699
700 MD5Init(&exp_md5_ctx);
701 MD5Update(&exp_md5_ctx, random_data->pClientRandom,
702 ClientRandomLen);
703 MD5Update(&exp_md5_ctx, random_data->pServerRandom,
704 ServerRandomLen);
705
706 /* there's room in key_block. use it */
707 MD5Final(key_block, &exp_md5_ctx);
708 bcopy(key_block, kmo->pIVClient, iv_bytes);
709
710 MD5Init(&exp_md5_ctx);
711 MD5Update(&exp_md5_ctx, random_data->pServerRandom,
712 ServerRandomLen);
713 MD5Update(&exp_md5_ctx, random_data->pClientRandom,
714 ClientRandomLen);
715 MD5Final(key_block, &exp_md5_ctx);
716 bcopy(key_block, kmo->pIVServer, iv_bytes);
717 } else {
718 uchar_t iv_block[16];
719
720 if (iv_bytes != 8)
721 return (CKR_MECHANISM_PARAM_INVALID);
722
723 soft_tls_prf(NULL, 0, TLS_IV_BLOCK_LABEL,
724 TLS_IV_BLOCK_LABEL_LEN,
725 random_data->pClientRandom, ClientRandomLen,
726 random_data->pServerRandom, ServerRandomLen,
727 iv_block, 16);
728 bcopy(iv_block, kmo->pIVClient, 8);
729 bcopy(iv_block + 8, kmo->pIVServer, 8);
730 }
731 /* so we won't allocate a key_block bigger than needed */
732 iv_bytes = 0;
733 }
734
735 /* Now the actual secret derivation */
736
737 #ifdef __sparcv9
738 /* LINTED */
739 size = (uint_t)((mac_key_bytes + secret_key_bytes + iv_bytes) * 2);
740 #else /* __sparcv9 */
741 size = (mac_key_bytes + secret_key_bytes + iv_bytes) * 2;
742 #endif /* __sparcv9 */
743
744 /* Need to handle this better */
745 if (size > MAX_KEYBLOCK)
746 return (CKR_MECHANISM_PARAM_INVALID);
747
748 rounds = howmany(size, MD5_HASH_SIZE);
749
750 kb = key_block;
751
752 if (mech->mechanism == CKM_SSL3_KEY_AND_MAC_DERIVE) {
753 soft_ssl3_churn(msecret, mslen, random_data->pServerRandom,
754 ServerRandomLen, random_data->pClientRandom,
755 ClientRandomLen, rounds, kb);
756 } else {
757 soft_tls_prf(msecret, mslen, TLS_KEY_EXPANSION_LABEL,
758 TLS_KEY_EXPANSION_LABEL_LEN,
759 random_data->pServerRandom, ServerRandomLen,
760 random_data->pClientRandom, ClientRandomLen,
761 kb, size);
762 }
763
764 /* Now create the objects */
765
766 kmo->hClientMacSecret = CK_INVALID_HANDLE;
767 kmo->hServerMacSecret = CK_INVALID_HANDLE;
768 kmo->hClientKey = CK_INVALID_HANDLE;
769 kmo->hServerKey = CK_INVALID_HANDLE;
770
771 /* First the MAC secrets */
772 if (mac_key_bytes > 0) {
773 obj_tmpl[0].type = CKA_CLASS;
774 obj_tmpl[0].pValue = &class; /* CKO_SECRET_KEY */
775 obj_tmpl[0].ulValueLen = sizeof (class);
776 obj_tmpl[1].type = CKA_KEY_TYPE;
777 obj_tmpl[1].pValue = &keyType; /* CKK_GENERIC_SECRET */
778 obj_tmpl[1].ulValueLen = sizeof (keyType);
779 obj_tmpl[2].type = CKA_DERIVE;
780 obj_tmpl[2].pValue = &true;
781 obj_tmpl[2].ulValueLen = sizeof (true);
782 obj_tmpl[3].type = CKA_SIGN;
783 obj_tmpl[3].pValue = &true;
784 obj_tmpl[3].ulValueLen = sizeof (true);
785 obj_tmpl[4].type = CKA_VERIFY;
786 obj_tmpl[4].pValue = &true;
787 obj_tmpl[4].ulValueLen = sizeof (true);
788 obj_tmpl[5].type = CKA_VALUE;
789 obj_tmpl[5].pValue = kb;
790 obj_tmpl[5].ulValueLen = mac_key_bytes;
791
792 rv = soft_add_derived_key(obj_tmpl, 6,
793 &(kmo->hClientMacSecret), sp, basekey_p);
794
795 if (rv != CKR_OK)
796 goto out_err;
797
798 kb += mac_key_bytes;
799
800 obj_tmpl[5].pValue = kb;
801 rv = soft_add_derived_key(obj_tmpl, 6,
802 &(kmo->hServerMacSecret), sp, basekey_p);
803
804 if (rv != CKR_OK)
805 goto out_err;
806
807 kb += mac_key_bytes;
808 }
809
810 /* Then the symmetric ciphers keys */
811
812 extra_attr_count = (secret_key_bytes == 0) ? 6 : 5;
813 newattrcount = ulAttributeCount + extra_attr_count;
814 if (newattrcount > MAX_DEFAULT_ATTRS) {
815 new_tmpl = malloc(sizeof (CK_ATTRIBUTE) * newattrcount);
816
817 if (new_tmpl == NULL)
818 return (CKR_HOST_MEMORY);
819
820 new_tmpl_allocated = B_TRUE;
821 } else
822 new_tmpl = obj_tmpl;
823
824 new_tmpl[n].type = CKA_CLASS;
825 new_tmpl[n].pValue = &class; /* CKO_SECRET_KEY */
826 new_tmpl[n].ulValueLen = sizeof (class);
827 ++n;
828 /*
829 * The keyType comes from the application's template, and depends
830 * on the ciphersuite. The only exception is authentication only
831 * ciphersuites which do not use cipher keys.
832 */
833 if (secret_key_bytes == 0) {
834 new_tmpl[n].type = CKA_KEY_TYPE;
835 new_tmpl[n].pValue = &keyType; /* CKK_GENERIC_SECRET */
836 new_tmpl[n].ulValueLen = sizeof (keyType);
837 n++;
838 }
839 new_tmpl[n].type = CKA_DERIVE;
840 new_tmpl[n].pValue = &true;
841 new_tmpl[n].ulValueLen = sizeof (true);
842 n++;
843 new_tmpl[n].type = CKA_ENCRYPT;
844 new_tmpl[n].pValue = &true;
845 new_tmpl[n].ulValueLen = sizeof (true);
846 n++;
847 new_tmpl[n].type = CKA_DECRYPT;
848 new_tmpl[n].pValue = &true;
849 new_tmpl[n].ulValueLen = sizeof (true);
850 n++;
851 new_tmpl[n].type = CKA_VALUE;
852 new_tmpl[n].pValue = NULL;
853 new_tmpl[n].ulValueLen = 0;
854
855 if (secret_key_bytes > 0) {
856 if (isExport) {
857 if (secret_key_bytes > MD5_HASH_SIZE) {
858 rv = CKR_MECHANISM_PARAM_INVALID;
859 goto out_err;
860 }
861 if ((export_keys = malloc(2 * MD5_HASH_SIZE)) == NULL) {
862 rv = CKR_HOST_MEMORY;
863 goto out_err;
864 }
865 #ifdef __sparcv9
866 /* LINTED */
867 soft_ssl_weaken_key(mech, kb, (uint_t)secret_key_bytes,
868 #else /* __sparcv9 */
869 soft_ssl_weaken_key(mech, kb, secret_key_bytes,
870 #endif /* __sparcv9 */
871 random_data->pClientRandom, ClientRandomLen,
872 random_data->pServerRandom, ServerRandomLen,
873 export_keys, B_TRUE);
874 new_tmpl[n].pValue = export_keys;
875 new_tmpl[n].ulValueLen = MD5_HASH_SIZE;
876 } else {
877 new_tmpl[n].pValue = kb;
878 new_tmpl[n].ulValueLen = secret_key_bytes;
879 }
880 }
881
882 if (ulAttributeCount > 0)
883 bcopy(pTemplate, &new_tmpl[extra_attr_count],
884 ulAttributeCount * sizeof (CK_ATTRIBUTE));
885
886 rv = soft_add_derived_key(new_tmpl, newattrcount,
887 &(kmo->hClientKey), sp, basekey_p);
888
889 if (rv != CKR_OK)
890 goto out_err;
891
892 kb += secret_key_bytes;
893
894 if (secret_key_bytes > 0) {
895 if (isExport) {
896 #ifdef __sparcv9
897 /* LINTED */
898 soft_ssl_weaken_key(mech, kb, (uint_t)secret_key_bytes,
899 #else /* __sparcv9 */
900 soft_ssl_weaken_key(mech, kb, secret_key_bytes,
901 #endif /* __sparcv9 */
902 random_data->pServerRandom, ServerRandomLen,
903 random_data->pClientRandom, ClientRandomLen,
904 export_keys + MD5_HASH_SIZE, B_FALSE);
905 new_tmpl[n].pValue = export_keys + MD5_HASH_SIZE;
906 } else
907 new_tmpl[n].pValue = kb;
908 }
909
910 rv = soft_add_derived_key(new_tmpl, newattrcount,
911 &(kmo->hServerKey), sp, basekey_p);
912
913 if (rv != CKR_OK)
914 goto out_err;
915
916 kb += secret_key_bytes;
917
918 /* Finally, the IVs */
919 if (iv_bytes > 0) {
920 bcopy(kb, kmo->pIVClient, iv_bytes);
921 kb += iv_bytes;
922 bcopy(kb, kmo->pIVServer, iv_bytes);
923 }
924
925 if (new_tmpl_allocated)
926 free(new_tmpl);
927
928 if (export_keys != NULL)
929 free(export_keys);
930
931 return (rv);
932
933 out_err:
934 if (kmo->hClientMacSecret != CK_INVALID_HANDLE) {
935 (void) soft_delete_derived_key(sp,
936 (soft_object_t *)(kmo->hClientMacSecret));
937 kmo->hClientMacSecret = CK_INVALID_HANDLE;
938 }
939 if (kmo->hServerMacSecret != CK_INVALID_HANDLE) {
940 (void) soft_delete_derived_key(sp,
941 (soft_object_t *)(kmo->hServerMacSecret));
942 kmo->hServerMacSecret = CK_INVALID_HANDLE;
943 }
944 if (kmo->hClientKey != CK_INVALID_HANDLE) {
945 (void) soft_delete_derived_key(sp,
946 (soft_object_t *)(kmo->hClientKey));
947 kmo->hClientKey = CK_INVALID_HANDLE;
948 }
949 if (kmo->hServerKey != CK_INVALID_HANDLE) {
950 (void) soft_delete_derived_key(sp,
951 (soft_object_t *)(kmo->hServerKey));
952 kmo->hServerKey = CK_INVALID_HANDLE;
953 }
954
955 if (new_tmpl_allocated)
956 free(new_tmpl);
957
958 if (export_keys != NULL)
959 free(export_keys);
960
961 return (rv);
962 }
963
964 /*
965 * Add the derived key to the session, and, if it's a token object,
966 * write it to the token.
967 */
968 static CK_RV
969 soft_add_derived_key(CK_ATTRIBUTE_PTR tmpl, CK_ULONG attrcount,
970 CK_OBJECT_HANDLE_PTR phKey, soft_session_t *sp, soft_object_t *basekey_p)
971 {
972 CK_RV rv;
973 soft_object_t *secret_key;
974
975 if ((secret_key = calloc(1, sizeof (soft_object_t))) == NULL) {
976 return (CKR_HOST_MEMORY);
977 }
978
979 if (((rv = soft_build_secret_key_object(tmpl, attrcount, secret_key,
980 SOFT_CREATE_OBJ_INT, 0, (CK_KEY_TYPE)~0UL)) != CKR_OK) ||
981 ((rv = soft_pin_expired_check(secret_key)) != CKR_OK) ||
982 ((rv = soft_object_write_access_check(sp, secret_key)) != CKR_OK)) {
983
984 free(secret_key);
985 return (rv);
986 }
987
988 /* Set the sensitivity and extractability attributes as a needed */
989 soft_derive_enforce_flags(basekey_p, secret_key);
990
991 /* Initialize the rest of stuffs in soft_object_t. */
992 (void) pthread_mutex_init(&secret_key->object_mutex, NULL);
993 secret_key->magic_marker = SOFTTOKEN_OBJECT_MAGIC;
994
995 /* ... and, if it needs to persist, write on the token */
996 if (IS_TOKEN_OBJECT(secret_key)) {
997 secret_key->session_handle = (CK_SESSION_HANDLE)NULL;
998 soft_add_token_object_to_slot(secret_key);
999 rv = soft_put_object_to_keystore(secret_key);
1000 if (rv != CKR_OK) {
1001 soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
1002 return (rv);
1003 }
1004 *phKey = (CK_OBJECT_HANDLE)secret_key;
1005
1006 return (CKR_OK);
1007 }
1008
1009 /* Add the new object to the session's object list. */
1010 soft_add_object_to_session(secret_key, sp);
1011 secret_key->session_handle = (CK_SESSION_HANDLE)sp;
1012
1013 *phKey = (CK_OBJECT_HANDLE)secret_key;
1014
1015 return (rv);
1016 }
1017
1018 /*
1019 * Delete the derived key from the session, and, if it's a token object,
1020 * remove it from the token.
1021 */
1022 static void
1023 soft_delete_derived_key(soft_session_t *sp, soft_object_t *key)
1024 {
1025 /* session_handle is the creating session. It's NULL for token objs */
1026
1027 if (IS_TOKEN_OBJECT(key))
1028 soft_delete_token_object(key, B_FALSE, B_FALSE);
1029 else
1030 soft_delete_object(sp, key, B_FALSE, B_FALSE);
1031 }
1032
1033 /*
1034 * soft_ssl_weaken_key()
1035 * Reduce the key length to an exportable size.
1036 * For SSL3.0:
1037 * final_client_write_key = MD5(client_write_key +
1038 * ClientHello.random +
1039 * ServerHello.random);
1040 * final_server_write_key = MD5(server_write_key +
1041 * ServerHello.random +
1042 * ClientHello.random);
1043 * For TLS1.0:
1044 * final_client_write_key = PRF(SecurityParameters.client_write_key,
1045 * "client write key",
1046 * SecurityParameters.client_random +
1047 * SecurityParameters.server_random)[0..15];
1048 * final_server_write_key = PRF(SecurityParameters.server_write_key,
1049 * "server write key",
1050 * SecurityParameters.client_random +
1051 * SecurityParameters.server_random)[0..15];
1052 */
1053 static void
1054 soft_ssl_weaken_key(CK_MECHANISM_PTR mech, uchar_t *secret, uint_t secretlen,
1055 uchar_t *rand1, uint_t rand1len, uchar_t *rand2, uint_t rand2len,
1056 uchar_t *result, boolean_t isclient)
1057 {
1058 MD5_CTX exp_md5_ctx;
1059 uchar_t *label;
1060 uint_t labellen;
1061
1062 if (mech->mechanism == CKM_SSL3_KEY_AND_MAC_DERIVE) {
1063 MD5Init(&exp_md5_ctx);
1064 MD5Update(&exp_md5_ctx, secret, secretlen);
1065 MD5Update(&exp_md5_ctx, rand1, rand1len);
1066 MD5Update(&exp_md5_ctx, rand2, rand2len);
1067 MD5Final(result, &exp_md5_ctx);
1068 } else {
1069 if (isclient) {
1070 label = TLS_CLIENT_KEY_LABEL;
1071 labellen = TLS_CLIENT_KEY_LABEL_LEN;
1072 soft_tls_prf(secret, secretlen, label, labellen,
1073 rand1, rand1len, rand2, rand2len, result, 16);
1074 } else {
1075 label = TLS_SERVER_KEY_LABEL;
1076 labellen = TLS_SERVER_KEY_LABEL_LEN;
1077 soft_tls_prf(secret, secretlen, label, labellen,
1078 rand2, rand2len, rand1, rand1len, result, 16);
1079 }
1080 }
1081 }