1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 * Copyright 2014 Nexenta Systems, Inc. All rights reserved. 25 * Copyright (c) 2018, Joyent, Inc. 26 */ 27 28 #include <stdlib.h> 29 #include <strings.h> 30 #include <sys/types.h> 31 #include <security/cryptoki.h> 32 #include "softObject.h" 33 #include "softOps.h" 34 #include "softSession.h" 35 #include "softMAC.h" 36 #include "softRSA.h" 37 #include "softDSA.h" 38 #include "softEC.h" 39 #include "softCrypt.h" 40 41 /* 42 * soft_sign_init() 43 * 44 * Arguments: 45 * session_p: pointer to soft_session_t struct 46 * pMechanism: pointer to CK_MECHANISM struct provided by application 47 * key_p: pointer to key soft_object_t struct 48 * 49 * Description: 50 * called by C_SignInit(). This function calls the corresponding 51 * sign init routine based on the mechanism. 52 * 53 */ 54 CK_RV 55 soft_sign_init(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 56 soft_object_t *key_p) 57 { 58 59 switch (pMechanism->mechanism) { 60 61 case CKM_SSL3_MD5_MAC: 62 case CKM_SSL3_SHA1_MAC: 63 case CKM_MD5_HMAC_GENERAL: 64 case CKM_MD5_HMAC: 65 case CKM_SHA_1_HMAC_GENERAL: 66 case CKM_SHA_1_HMAC: 67 case CKM_SHA256_HMAC_GENERAL: 68 case CKM_SHA256_HMAC: 69 case CKM_SHA384_HMAC_GENERAL: 70 case CKM_SHA384_HMAC: 71 case CKM_SHA512_HMAC_GENERAL: 72 case CKM_SHA512_HMAC: 73 74 return (soft_hmac_sign_verify_init_common(session_p, 75 pMechanism, key_p, B_TRUE)); 76 77 case CKM_RSA_X_509: 78 case CKM_RSA_PKCS: 79 case CKM_MD5_RSA_PKCS: 80 case CKM_SHA1_RSA_PKCS: 81 case CKM_SHA256_RSA_PKCS: 82 case CKM_SHA384_RSA_PKCS: 83 case CKM_SHA512_RSA_PKCS: 84 85 return (soft_rsa_sign_verify_init_common(session_p, pMechanism, 86 key_p, B_TRUE)); 87 88 case CKM_DSA: 89 case CKM_DSA_SHA1: 90 91 return (soft_dsa_sign_verify_init_common(session_p, pMechanism, 92 key_p, B_TRUE)); 93 94 case CKM_ECDSA: 95 case CKM_ECDSA_SHA1: 96 97 return (soft_ecc_sign_verify_init_common(session_p, pMechanism, 98 key_p, B_TRUE)); 99 100 case CKM_DES_MAC_GENERAL: 101 case CKM_DES_MAC: 102 103 return (soft_des_sign_verify_init_common(session_p, pMechanism, 104 key_p, B_TRUE)); 105 106 case CKM_AES_CMAC_GENERAL: 107 case CKM_AES_CMAC: 108 109 return (soft_aes_sign_verify_init_common(session_p, pMechanism, 110 key_p, B_TRUE)); 111 112 default: 113 return (CKR_MECHANISM_INVALID); 114 } 115 116 } 117 118 119 /* 120 * soft_sign() 121 * 122 * Arguments: 123 * session_p: pointer to soft_session_t struct 124 * pData: pointer to the input data to be signed 125 * ulDataLen: length of the input data 126 * pSignature: pointer to the signature after signing 127 * pulSignatureLen: pointer to the length of the signature 128 * 129 * Description: 130 * called by C_Sign(). This function calls the corresponding 131 * sign routine based on the mechanism. 132 * 133 */ 134 CK_RV 135 soft_sign(soft_session_t *session_p, CK_BYTE_PTR pData, 136 CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, 137 CK_ULONG_PTR pulSignatureLen) 138 { 139 140 CK_MECHANISM_TYPE mechanism = session_p->sign.mech.mechanism; 141 CK_RV rv = CKR_OK; 142 143 switch (mechanism) { 144 145 case CKM_SSL3_MD5_MAC: 146 case CKM_SSL3_SHA1_MAC: 147 case CKM_MD5_HMAC_GENERAL: 148 case CKM_MD5_HMAC: 149 case CKM_SHA_1_HMAC_GENERAL: 150 case CKM_SHA_1_HMAC: 151 case CKM_SHA256_HMAC_GENERAL: 152 case CKM_SHA256_HMAC: 153 case CKM_SHA384_HMAC_GENERAL: 154 case CKM_SHA384_HMAC: 155 case CKM_SHA512_HMAC_GENERAL: 156 case CKM_SHA512_HMAC: 157 { 158 CK_BYTE hmac[SHA512_DIGEST_LENGTH]; /* use the maximum size */ 159 160 if (pSignature != NULL) { 161 /* Pass local buffer to avoid overflow. */ 162 rv = soft_hmac_sign_verify_common(session_p, pData, 163 ulDataLen, hmac, pulSignatureLen, B_TRUE); 164 } else { 165 /* Pass original pSignature, let callee to handle it. */ 166 rv = soft_hmac_sign_verify_common(session_p, pData, 167 ulDataLen, pSignature, pulSignatureLen, B_TRUE); 168 } 169 170 if ((rv == CKR_OK) && (pSignature != NULL)) 171 (void) memcpy(pSignature, hmac, *pulSignatureLen); 172 173 return (rv); 174 } 175 case CKM_DES_MAC_GENERAL: 176 case CKM_DES_MAC: 177 { 178 CK_BYTE signature[DES_BLOCK_LEN]; /* use the maximum size */ 179 180 if (pSignature != NULL) { 181 /* Pass local buffer to avoid overflow. */ 182 rv = soft_des_sign_verify_common(session_p, pData, 183 ulDataLen, signature, pulSignatureLen, B_TRUE, 184 B_FALSE); 185 } else { 186 /* Pass NULL, let callee to handle it. */ 187 rv = soft_des_sign_verify_common(session_p, pData, 188 ulDataLen, NULL, pulSignatureLen, B_TRUE, B_FALSE); 189 } 190 191 if ((rv == CKR_OK) && (pSignature != NULL)) 192 (void) memcpy(pSignature, signature, *pulSignatureLen); 193 194 return (rv); 195 } 196 case CKM_AES_CMAC_GENERAL: 197 case CKM_AES_CMAC: 198 { 199 CK_BYTE signature[AES_BLOCK_LEN]; 200 201 if (pSignature != NULL) { 202 /* Pass local buffer to avoid overflow. */ 203 rv = soft_aes_sign_verify_common(session_p, pData, 204 ulDataLen, signature, pulSignatureLen, B_TRUE, 205 B_FALSE); 206 } else { 207 /* Pass NULL, let callee handle it. */ 208 rv = soft_aes_sign_verify_common(session_p, pData, 209 ulDataLen, NULL, pulSignatureLen, B_TRUE, B_FALSE); 210 } 211 212 if ((rv == CKR_OK) && (pSignature != NULL)) 213 (void) memcpy(pSignature, signature, *pulSignatureLen); 214 215 return (rv); 216 } 217 case CKM_RSA_X_509: 218 case CKM_RSA_PKCS: 219 220 return (soft_rsa_sign_common(session_p, pData, ulDataLen, 221 pSignature, pulSignatureLen, mechanism)); 222 223 case CKM_MD5_RSA_PKCS: 224 case CKM_SHA1_RSA_PKCS: 225 case CKM_SHA256_RSA_PKCS: 226 case CKM_SHA384_RSA_PKCS: 227 case CKM_SHA512_RSA_PKCS: 228 229 return (soft_rsa_digest_sign_common(session_p, pData, ulDataLen, 230 pSignature, pulSignatureLen, mechanism, B_FALSE)); 231 232 case CKM_DSA: 233 234 return (soft_dsa_sign(session_p, pData, ulDataLen, 235 pSignature, pulSignatureLen)); 236 237 case CKM_DSA_SHA1: 238 239 return (soft_dsa_digest_sign_common(session_p, pData, ulDataLen, 240 pSignature, pulSignatureLen, B_FALSE)); 241 242 case CKM_ECDSA: 243 244 return (soft_ecc_sign(session_p, pData, ulDataLen, 245 pSignature, pulSignatureLen)); 246 247 case CKM_ECDSA_SHA1: 248 249 return (soft_ecc_digest_sign_common(session_p, pData, ulDataLen, 250 pSignature, pulSignatureLen, B_FALSE)); 251 252 default: 253 return (CKR_MECHANISM_INVALID); 254 } 255 } 256 257 258 /* 259 * soft_sign_update() 260 * 261 * Arguments: 262 * session_p: pointer to soft_session_t struct 263 * pPart: pointer to the input data to be signed 264 * ulPartLen: length of the input data 265 * 266 * Description: 267 * called by C_SignUpdate(). This function calls the corresponding 268 * sign update routine based on the mechanism. 269 * 270 */ 271 CK_RV 272 soft_sign_update(soft_session_t *session_p, CK_BYTE_PTR pPart, 273 CK_ULONG ulPartLen) 274 { 275 CK_MECHANISM_TYPE mechanism = session_p->sign.mech.mechanism; 276 277 switch (mechanism) { 278 279 case CKM_SSL3_MD5_MAC: 280 case CKM_SSL3_SHA1_MAC: 281 case CKM_MD5_HMAC_GENERAL: 282 case CKM_MD5_HMAC: 283 case CKM_SHA_1_HMAC_GENERAL: 284 case CKM_SHA_1_HMAC: 285 case CKM_SHA256_HMAC_GENERAL: 286 case CKM_SHA256_HMAC: 287 case CKM_SHA384_HMAC_GENERAL: 288 case CKM_SHA384_HMAC: 289 case CKM_SHA512_HMAC_GENERAL: 290 case CKM_SHA512_HMAC: 291 292 return (soft_hmac_sign_verify_update(session_p, pPart, 293 ulPartLen, B_TRUE)); 294 295 case CKM_DES_MAC_GENERAL: 296 case CKM_DES_MAC: 297 298 return (soft_des_mac_sign_verify_update(session_p, pPart, 299 ulPartLen)); 300 301 case CKM_AES_CMAC_GENERAL: 302 case CKM_AES_CMAC: 303 304 return (soft_aes_mac_sign_verify_update(session_p, pPart, 305 ulPartLen)); 306 307 case CKM_MD5_RSA_PKCS: 308 case CKM_SHA1_RSA_PKCS: 309 case CKM_SHA256_RSA_PKCS: 310 case CKM_SHA384_RSA_PKCS: 311 case CKM_SHA512_RSA_PKCS: 312 /* 313 * The MD5/SHA1 digest value is accumulated in the context 314 * of the multiple-part digesting operation. In the final 315 * operation, the digest is encoded and then perform RSA 316 * signing. 317 */ 318 case CKM_DSA_SHA1: 319 case CKM_ECDSA_SHA1: 320 321 return (soft_digest_update(session_p, pPart, ulPartLen)); 322 323 default: 324 /* PKCS11: The mechanism only supports single-part operation. */ 325 return (CKR_MECHANISM_INVALID); 326 } 327 } 328 329 330 /* 331 * soft_sign_final() 332 * 333 * Arguments: 334 * session_p: pointer to soft_session_t struct 335 * pSignature: pointer to the signature after signing 336 * pulSignatureLen: pointer to the length of the signature 337 * 338 * Description: 339 * called by C_SignFinal(). This function calls the corresponding 340 * sign final routine based on the mechanism. 341 * 342 */ 343 CK_RV 344 soft_sign_final(soft_session_t *session_p, CK_BYTE_PTR pSignature, 345 CK_ULONG_PTR pulSignatureLen) 346 { 347 348 CK_MECHANISM_TYPE mechanism = session_p->sign.mech.mechanism; 349 CK_RV rv = CKR_OK; 350 351 switch (mechanism) { 352 353 case CKM_SSL3_MD5_MAC: 354 case CKM_SSL3_SHA1_MAC: 355 case CKM_MD5_HMAC_GENERAL: 356 case CKM_MD5_HMAC: 357 case CKM_SHA_1_HMAC_GENERAL: 358 case CKM_SHA_1_HMAC: 359 case CKM_SHA256_HMAC_GENERAL: 360 case CKM_SHA256_HMAC: 361 case CKM_SHA384_HMAC_GENERAL: 362 case CKM_SHA384_HMAC: 363 case CKM_SHA512_HMAC_GENERAL: 364 case CKM_SHA512_HMAC: 365 { 366 CK_BYTE hmac[SHA512_DIGEST_LENGTH]; /* use the maximum size */ 367 368 if (pSignature != NULL) { 369 /* Pass local buffer to avoid overflow */ 370 rv = soft_hmac_sign_verify_common(session_p, NULL, 371 0, hmac, pulSignatureLen, B_TRUE); 372 } else { 373 /* Pass original pSignature, let callee to handle it. */ 374 rv = soft_hmac_sign_verify_common(session_p, NULL, 375 0, pSignature, pulSignatureLen, B_TRUE); 376 } 377 378 if ((rv == CKR_OK) && (pSignature != NULL)) 379 (void) memcpy(pSignature, hmac, *pulSignatureLen); 380 381 return (rv); 382 } 383 case CKM_DES_MAC_GENERAL: 384 case CKM_DES_MAC: 385 { 386 CK_BYTE signature[DES_BLOCK_LEN]; /* use the maximum size */ 387 388 if (pSignature != NULL) { 389 /* Pass local buffer to avoid overflow. */ 390 rv = soft_des_sign_verify_common(session_p, NULL, 0, 391 signature, pulSignatureLen, B_TRUE, B_TRUE); 392 } else { 393 /* Pass NULL, let callee to handle it. */ 394 rv = soft_des_sign_verify_common(session_p, NULL, 0, 395 NULL, pulSignatureLen, B_TRUE, B_TRUE); 396 } 397 398 if ((rv == CKR_OK) && (pSignature != NULL)) 399 (void) memcpy(pSignature, signature, *pulSignatureLen); 400 401 return (rv); 402 } 403 case CKM_AES_CMAC_GENERAL: 404 case CKM_AES_CMAC: 405 { 406 CK_BYTE signature[AES_BLOCK_LEN]; /* use the maximum size */ 407 408 if (pSignature != NULL) { 409 /* Pass local buffer to avoid overflow. */ 410 rv = soft_aes_sign_verify_common(session_p, NULL, 0, 411 signature, pulSignatureLen, B_TRUE, B_TRUE); 412 } else { 413 /* Pass NULL, let callee handle it. */ 414 rv = soft_aes_sign_verify_common(session_p, NULL, 0, 415 NULL, pulSignatureLen, B_TRUE, B_TRUE); 416 } 417 418 if ((rv == CKR_OK) && (pSignature != NULL)) 419 (void) memcpy(pSignature, signature, *pulSignatureLen); 420 421 return (rv); 422 } 423 case CKM_MD5_RSA_PKCS: 424 case CKM_SHA1_RSA_PKCS: 425 case CKM_SHA256_RSA_PKCS: 426 case CKM_SHA384_RSA_PKCS: 427 case CKM_SHA512_RSA_PKCS: 428 429 return (soft_rsa_digest_sign_common(session_p, NULL, 0, 430 pSignature, pulSignatureLen, mechanism, B_TRUE)); 431 432 case CKM_DSA_SHA1: 433 434 return (soft_dsa_digest_sign_common(session_p, NULL, 0, 435 pSignature, pulSignatureLen, B_TRUE)); 436 437 case CKM_ECDSA_SHA1: 438 439 return (soft_ecc_digest_sign_common(session_p, NULL, 0, 440 pSignature, pulSignatureLen, B_TRUE)); 441 442 default: 443 /* PKCS11: The mechanism only supports single-part operation. */ 444 return (CKR_MECHANISM_INVALID); 445 } 446 } 447 448 449 CK_RV 450 soft_sign_recover_init(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism, 451 soft_object_t *key_p) 452 { 453 454 switch (pMechanism->mechanism) { 455 456 case CKM_RSA_X_509: 457 case CKM_RSA_PKCS: 458 459 return (soft_rsa_sign_verify_init_common(session_p, pMechanism, 460 key_p, B_TRUE)); 461 462 default: 463 return (CKR_MECHANISM_INVALID); 464 } 465 } 466 467 468 CK_RV 469 soft_sign_recover(soft_session_t *session_p, CK_BYTE_PTR pData, 470 CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, 471 CK_ULONG_PTR pulSignatureLen) 472 { 473 474 CK_MECHANISM_TYPE mechanism = session_p->sign.mech.mechanism; 475 476 switch (mechanism) { 477 478 case CKM_RSA_X_509: 479 case CKM_RSA_PKCS: 480 481 return (soft_rsa_sign_common(session_p, pData, ulDataLen, 482 pSignature, pulSignatureLen, mechanism)); 483 484 default: 485 return (CKR_MECHANISM_INVALID); 486 } 487 } 488 489 /* 490 * This function frees the allocated active crypto context. 491 * It is only called by the first tier of sign/verify routines 492 * and the caller of this function may or may not hold the session mutex. 493 */ 494 void 495 soft_sign_verify_cleanup(soft_session_t *session_p, boolean_t sign, 496 boolean_t lock_held) 497 { 498 499 crypto_active_op_t *active_op; 500 boolean_t lock_true = B_TRUE; 501 502 if (!lock_held) 503 (void) pthread_mutex_lock(&session_p->session_mutex); 504 505 active_op = (sign) ? &(session_p->sign) : &(session_p->verify); 506 507 switch (active_op->mech.mechanism) { 508 509 case CKM_MD5_RSA_PKCS: 510 case CKM_SHA1_RSA_PKCS: 511 case CKM_SHA256_RSA_PKCS: 512 case CKM_SHA384_RSA_PKCS: 513 case CKM_SHA512_RSA_PKCS: 514 if (session_p->digest.context != NULL) { 515 free(session_p->digest.context); 516 session_p->digest.context = NULL; 517 session_p->digest.flags = 0; 518 } 519 /* FALLTHRU */ 520 521 case CKM_RSA_PKCS: 522 case CKM_RSA_X_509: 523 { 524 soft_rsa_ctx_t *rsa_ctx = 525 (soft_rsa_ctx_t *)active_op->context; 526 527 if (rsa_ctx != NULL && rsa_ctx->key != NULL) { 528 soft_cleanup_object(rsa_ctx->key); 529 free(rsa_ctx->key); 530 } 531 break; 532 533 } 534 case CKM_DSA_SHA1: 535 if (session_p->digest.context != NULL) { 536 free(session_p->digest.context); 537 session_p->digest.context = NULL; 538 session_p->digest.flags = 0; 539 } 540 541 /* FALLTHRU */ 542 case CKM_DSA: 543 { 544 soft_dsa_ctx_t *dsa_ctx = 545 (soft_dsa_ctx_t *)active_op->context; 546 547 if (dsa_ctx != NULL && dsa_ctx->key != NULL) { 548 soft_cleanup_object(dsa_ctx->key); 549 free(dsa_ctx->key); 550 } 551 break; 552 553 } 554 case CKM_SSL3_MD5_MAC: 555 case CKM_SSL3_SHA1_MAC: 556 case CKM_MD5_HMAC_GENERAL: 557 case CKM_MD5_HMAC: 558 case CKM_SHA_1_HMAC_GENERAL: 559 case CKM_SHA_1_HMAC: 560 case CKM_SHA256_HMAC_GENERAL: 561 case CKM_SHA256_HMAC: 562 case CKM_SHA384_HMAC_GENERAL: 563 case CKM_SHA384_HMAC: 564 case CKM_SHA512_HMAC_GENERAL: 565 case CKM_SHA512_HMAC: 566 if (active_op->context != NULL) { 567 explicit_bzero(active_op->context, 568 sizeof (soft_hmac_ctx_t)); 569 } 570 break; 571 case CKM_DES_MAC_GENERAL: 572 case CKM_DES_MAC: 573 if (session_p->encrypt.context != NULL) { 574 free(session_p->encrypt.context); 575 session_p->encrypt.context = NULL; 576 session_p->encrypt.flags = 0; 577 } 578 if (active_op->context != NULL) { 579 explicit_bzero(active_op->context, 580 sizeof (soft_des_ctx_t)); 581 } 582 break; 583 584 case CKM_AES_CMAC_GENERAL: 585 case CKM_AES_CMAC: 586 if (session_p->encrypt.context != NULL) { 587 free(session_p->encrypt.context); 588 session_p->encrypt.context = NULL; 589 session_p->encrypt.flags = 0; 590 } 591 if (active_op->context != NULL) { 592 explicit_bzero(active_op->context, 593 sizeof (soft_aes_ctx_t)); 594 } 595 break; 596 597 } 598 599 if (active_op->context != NULL) { 600 free(active_op->context); 601 active_op->context = NULL; 602 } 603 604 active_op->flags = 0; 605 606 if (!lock_held) 607 SES_REFRELE(session_p, lock_true); 608 }