1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
  23  * Use is subject to license terms.
  24  * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
  25  * Copyright (c) 2018, Joyent, Inc.
  26  */
  27 
  28 #include <stdlib.h>
  29 #include <strings.h>
  30 #include <sys/types.h>
  31 #include <security/cryptoki.h>
  32 #include "softObject.h"
  33 #include "softOps.h"
  34 #include "softSession.h"
  35 #include "softMAC.h"
  36 #include "softRSA.h"
  37 #include "softDSA.h"
  38 #include "softEC.h"
  39 #include "softCrypt.h"
  40 
  41 /*
  42  * soft_sign_init()
  43  *
  44  * Arguments:
  45  *      session_p:      pointer to soft_session_t struct
  46  *      pMechanism:     pointer to CK_MECHANISM struct provided by application
  47  *      key_p:          pointer to key soft_object_t struct
  48  *
  49  * Description:
  50  *      called by C_SignInit(). This function calls the corresponding
  51  *      sign init routine based on the mechanism.
  52  *
  53  */
  54 CK_RV
  55 soft_sign_init(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
  56     soft_object_t *key_p)
  57 {
  58 
  59         switch (pMechanism->mechanism) {
  60 
  61         case CKM_SSL3_MD5_MAC:
  62         case CKM_SSL3_SHA1_MAC:
  63         case CKM_MD5_HMAC_GENERAL:
  64         case CKM_MD5_HMAC:
  65         case CKM_SHA_1_HMAC_GENERAL:
  66         case CKM_SHA_1_HMAC:
  67         case CKM_SHA256_HMAC_GENERAL:
  68         case CKM_SHA256_HMAC:
  69         case CKM_SHA384_HMAC_GENERAL:
  70         case CKM_SHA384_HMAC:
  71         case CKM_SHA512_HMAC_GENERAL:
  72         case CKM_SHA512_HMAC:
  73 
  74                 return (soft_hmac_sign_verify_init_common(session_p,
  75                     pMechanism, key_p, B_TRUE));
  76 
  77         case CKM_RSA_X_509:
  78         case CKM_RSA_PKCS:
  79         case CKM_MD5_RSA_PKCS:
  80         case CKM_SHA1_RSA_PKCS:
  81         case CKM_SHA256_RSA_PKCS:
  82         case CKM_SHA384_RSA_PKCS:
  83         case CKM_SHA512_RSA_PKCS:
  84 
  85                 return (soft_rsa_sign_verify_init_common(session_p, pMechanism,
  86                     key_p, B_TRUE));
  87 
  88         case CKM_DSA:
  89         case CKM_DSA_SHA1:
  90 
  91                 return (soft_dsa_sign_verify_init_common(session_p, pMechanism,
  92                     key_p, B_TRUE));
  93 
  94         case CKM_ECDSA:
  95         case CKM_ECDSA_SHA1:
  96 
  97                 return (soft_ecc_sign_verify_init_common(session_p, pMechanism,
  98                     key_p, B_TRUE));
  99 
 100         case CKM_DES_MAC_GENERAL:
 101         case CKM_DES_MAC:
 102 
 103                 return (soft_des_sign_verify_init_common(session_p, pMechanism,
 104                     key_p, B_TRUE));
 105 
 106         case CKM_AES_CMAC_GENERAL:
 107         case CKM_AES_CMAC:
 108 
 109                 return (soft_aes_sign_verify_init_common(session_p, pMechanism,
 110                     key_p, B_TRUE));
 111 
 112         default:
 113                 return (CKR_MECHANISM_INVALID);
 114         }
 115 
 116 }
 117 
 118 
 119 /*
 120  * soft_sign()
 121  *
 122  * Arguments:
 123  *      session_p:      pointer to soft_session_t struct
 124  *      pData:          pointer to the input data to be signed
 125  *      ulDataLen:      length of the input data
 126  *      pSignature:     pointer to the signature after signing
 127  *      pulSignatureLen: pointer to the length of the signature
 128  *
 129  * Description:
 130  *      called by C_Sign(). This function calls the corresponding
 131  *      sign routine based on the mechanism.
 132  *
 133  */
 134 CK_RV
 135 soft_sign(soft_session_t *session_p, CK_BYTE_PTR pData,
 136     CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
 137     CK_ULONG_PTR pulSignatureLen)
 138 {
 139 
 140         CK_MECHANISM_TYPE mechanism = session_p->sign.mech.mechanism;
 141         CK_RV rv = CKR_OK;
 142 
 143         switch (mechanism) {
 144 
 145         case CKM_SSL3_MD5_MAC:
 146         case CKM_SSL3_SHA1_MAC:
 147         case CKM_MD5_HMAC_GENERAL:
 148         case CKM_MD5_HMAC:
 149         case CKM_SHA_1_HMAC_GENERAL:
 150         case CKM_SHA_1_HMAC:
 151         case CKM_SHA256_HMAC_GENERAL:
 152         case CKM_SHA256_HMAC:
 153         case CKM_SHA384_HMAC_GENERAL:
 154         case CKM_SHA384_HMAC:
 155         case CKM_SHA512_HMAC_GENERAL:
 156         case CKM_SHA512_HMAC:
 157         {
 158                 CK_BYTE hmac[SHA512_DIGEST_LENGTH]; /* use the maximum size */
 159 
 160                 if (pSignature != NULL) {
 161                         /* Pass local buffer to avoid overflow. */
 162                         rv = soft_hmac_sign_verify_common(session_p, pData,
 163                             ulDataLen, hmac, pulSignatureLen, B_TRUE);
 164                 } else {
 165                         /* Pass original pSignature, let callee to handle it. */
 166                         rv = soft_hmac_sign_verify_common(session_p, pData,
 167                             ulDataLen, pSignature, pulSignatureLen, B_TRUE);
 168                 }
 169 
 170                 if ((rv == CKR_OK) && (pSignature != NULL))
 171                         (void) memcpy(pSignature, hmac, *pulSignatureLen);
 172 
 173                 return (rv);
 174         }
 175         case CKM_DES_MAC_GENERAL:
 176         case CKM_DES_MAC:
 177         {
 178                 CK_BYTE signature[DES_BLOCK_LEN]; /* use the maximum size */
 179 
 180                 if (pSignature != NULL) {
 181                         /* Pass local buffer to avoid overflow. */
 182                         rv = soft_des_sign_verify_common(session_p, pData,
 183                             ulDataLen, signature, pulSignatureLen, B_TRUE,
 184                             B_FALSE);
 185                 } else {
 186                         /* Pass NULL, let callee to handle it. */
 187                         rv = soft_des_sign_verify_common(session_p, pData,
 188                             ulDataLen, NULL, pulSignatureLen, B_TRUE, B_FALSE);
 189                 }
 190 
 191                 if ((rv == CKR_OK) && (pSignature != NULL))
 192                         (void) memcpy(pSignature, signature, *pulSignatureLen);
 193 
 194                 return (rv);
 195         }
 196         case CKM_AES_CMAC_GENERAL:
 197         case CKM_AES_CMAC:
 198         {
 199                 CK_BYTE signature[AES_BLOCK_LEN];
 200 
 201                 if (pSignature != NULL) {
 202                         /* Pass local buffer to avoid overflow. */
 203                         rv = soft_aes_sign_verify_common(session_p, pData,
 204                             ulDataLen, signature, pulSignatureLen, B_TRUE,
 205                             B_FALSE);
 206                 } else {
 207                         /* Pass NULL, let callee handle it. */
 208                         rv = soft_aes_sign_verify_common(session_p, pData,
 209                             ulDataLen, NULL, pulSignatureLen, B_TRUE, B_FALSE);
 210                 }
 211 
 212                 if ((rv == CKR_OK) && (pSignature != NULL))
 213                         (void) memcpy(pSignature, signature, *pulSignatureLen);
 214 
 215                 return (rv);
 216         }
 217         case CKM_RSA_X_509:
 218         case CKM_RSA_PKCS:
 219 
 220                 return (soft_rsa_sign_common(session_p, pData, ulDataLen,
 221                     pSignature, pulSignatureLen, mechanism));
 222 
 223         case CKM_MD5_RSA_PKCS:
 224         case CKM_SHA1_RSA_PKCS:
 225         case CKM_SHA256_RSA_PKCS:
 226         case CKM_SHA384_RSA_PKCS:
 227         case CKM_SHA512_RSA_PKCS:
 228 
 229                 return (soft_rsa_digest_sign_common(session_p, pData, ulDataLen,
 230                     pSignature, pulSignatureLen, mechanism, B_FALSE));
 231 
 232         case CKM_DSA:
 233 
 234                 return (soft_dsa_sign(session_p, pData, ulDataLen,
 235                     pSignature, pulSignatureLen));
 236 
 237         case CKM_DSA_SHA1:
 238 
 239                 return (soft_dsa_digest_sign_common(session_p, pData, ulDataLen,
 240                     pSignature, pulSignatureLen, B_FALSE));
 241 
 242         case CKM_ECDSA:
 243 
 244                 return (soft_ecc_sign(session_p, pData, ulDataLen,
 245                     pSignature, pulSignatureLen));
 246 
 247         case CKM_ECDSA_SHA1:
 248 
 249                 return (soft_ecc_digest_sign_common(session_p, pData, ulDataLen,
 250                     pSignature, pulSignatureLen, B_FALSE));
 251 
 252         default:
 253                 return (CKR_MECHANISM_INVALID);
 254         }
 255 }
 256 
 257 
 258 /*
 259  * soft_sign_update()
 260  *
 261  * Arguments:
 262  *      session_p:      pointer to soft_session_t struct
 263  *      pPart:          pointer to the input data to be signed
 264  *      ulPartLen:      length of the input data
 265  *
 266  * Description:
 267  *      called by C_SignUpdate(). This function calls the corresponding
 268  *      sign update routine based on the mechanism.
 269  *
 270  */
 271 CK_RV
 272 soft_sign_update(soft_session_t *session_p, CK_BYTE_PTR pPart,
 273     CK_ULONG ulPartLen)
 274 {
 275         CK_MECHANISM_TYPE       mechanism = session_p->sign.mech.mechanism;
 276 
 277         switch (mechanism) {
 278 
 279         case CKM_SSL3_MD5_MAC:
 280         case CKM_SSL3_SHA1_MAC:
 281         case CKM_MD5_HMAC_GENERAL:
 282         case CKM_MD5_HMAC:
 283         case CKM_SHA_1_HMAC_GENERAL:
 284         case CKM_SHA_1_HMAC:
 285         case CKM_SHA256_HMAC_GENERAL:
 286         case CKM_SHA256_HMAC:
 287         case CKM_SHA384_HMAC_GENERAL:
 288         case CKM_SHA384_HMAC:
 289         case CKM_SHA512_HMAC_GENERAL:
 290         case CKM_SHA512_HMAC:
 291 
 292                 return (soft_hmac_sign_verify_update(session_p, pPart,
 293                     ulPartLen, B_TRUE));
 294 
 295         case CKM_DES_MAC_GENERAL:
 296         case CKM_DES_MAC:
 297 
 298                 return (soft_des_mac_sign_verify_update(session_p, pPart,
 299                     ulPartLen));
 300 
 301         case CKM_AES_CMAC_GENERAL:
 302         case CKM_AES_CMAC:
 303 
 304                 return (soft_aes_mac_sign_verify_update(session_p, pPart,
 305                     ulPartLen));
 306 
 307         case CKM_MD5_RSA_PKCS:
 308         case CKM_SHA1_RSA_PKCS:
 309         case CKM_SHA256_RSA_PKCS:
 310         case CKM_SHA384_RSA_PKCS:
 311         case CKM_SHA512_RSA_PKCS:
 312                 /*
 313                  * The MD5/SHA1 digest value is accumulated in the context
 314                  * of the multiple-part digesting operation. In the final
 315                  * operation, the digest is encoded and then perform RSA
 316                  * signing.
 317                  */
 318         case CKM_DSA_SHA1:
 319         case CKM_ECDSA_SHA1:
 320 
 321                 return (soft_digest_update(session_p, pPart, ulPartLen));
 322 
 323         default:
 324                 /* PKCS11: The mechanism only supports single-part operation. */
 325                 return (CKR_MECHANISM_INVALID);
 326         }
 327 }
 328 
 329 
 330 /*
 331  * soft_sign_final()
 332  *
 333  * Arguments:
 334  *      session_p:      pointer to soft_session_t struct
 335  *      pSignature:     pointer to the signature after signing
 336  *      pulSignatureLen: pointer to the length of the signature
 337  *
 338  * Description:
 339  *      called by C_SignFinal(). This function calls the corresponding
 340  *      sign final routine based on the mechanism.
 341  *
 342  */
 343 CK_RV
 344 soft_sign_final(soft_session_t *session_p, CK_BYTE_PTR pSignature,
 345     CK_ULONG_PTR pulSignatureLen)
 346 {
 347 
 348         CK_MECHANISM_TYPE mechanism = session_p->sign.mech.mechanism;
 349         CK_RV rv = CKR_OK;
 350 
 351         switch (mechanism) {
 352 
 353         case CKM_SSL3_MD5_MAC:
 354         case CKM_SSL3_SHA1_MAC:
 355         case CKM_MD5_HMAC_GENERAL:
 356         case CKM_MD5_HMAC:
 357         case CKM_SHA_1_HMAC_GENERAL:
 358         case CKM_SHA_1_HMAC:
 359         case CKM_SHA256_HMAC_GENERAL:
 360         case CKM_SHA256_HMAC:
 361         case CKM_SHA384_HMAC_GENERAL:
 362         case CKM_SHA384_HMAC:
 363         case CKM_SHA512_HMAC_GENERAL:
 364         case CKM_SHA512_HMAC:
 365         {
 366                 CK_BYTE hmac[SHA512_DIGEST_LENGTH]; /* use the maximum size */
 367 
 368                 if (pSignature != NULL) {
 369                         /* Pass local buffer to avoid overflow */
 370                         rv = soft_hmac_sign_verify_common(session_p, NULL,
 371                             0, hmac, pulSignatureLen, B_TRUE);
 372                 } else {
 373                         /* Pass original pSignature, let callee to handle it. */
 374                         rv = soft_hmac_sign_verify_common(session_p, NULL,
 375                             0, pSignature, pulSignatureLen, B_TRUE);
 376                 }
 377 
 378                 if ((rv == CKR_OK) && (pSignature != NULL))
 379                         (void) memcpy(pSignature, hmac, *pulSignatureLen);
 380 
 381                 return (rv);
 382         }
 383         case CKM_DES_MAC_GENERAL:
 384         case CKM_DES_MAC:
 385         {
 386                 CK_BYTE signature[DES_BLOCK_LEN]; /* use the maximum size */
 387 
 388                 if (pSignature != NULL) {
 389                         /* Pass local buffer to avoid overflow. */
 390                         rv = soft_des_sign_verify_common(session_p, NULL, 0,
 391                             signature, pulSignatureLen, B_TRUE, B_TRUE);
 392                 } else {
 393                         /* Pass NULL, let callee to handle it. */
 394                         rv = soft_des_sign_verify_common(session_p, NULL, 0,
 395                             NULL, pulSignatureLen, B_TRUE, B_TRUE);
 396                 }
 397 
 398                 if ((rv == CKR_OK) && (pSignature != NULL))
 399                         (void) memcpy(pSignature, signature, *pulSignatureLen);
 400 
 401                 return (rv);
 402         }
 403         case CKM_AES_CMAC_GENERAL:
 404         case CKM_AES_CMAC:
 405         {
 406                 CK_BYTE signature[AES_BLOCK_LEN]; /* use the maximum size */
 407 
 408                 if (pSignature != NULL) {
 409                         /* Pass local buffer to avoid overflow. */
 410                         rv = soft_aes_sign_verify_common(session_p, NULL, 0,
 411                             signature, pulSignatureLen, B_TRUE, B_TRUE);
 412                 } else {
 413                         /* Pass NULL, let callee handle it. */
 414                         rv = soft_aes_sign_verify_common(session_p, NULL, 0,
 415                             NULL, pulSignatureLen, B_TRUE, B_TRUE);
 416                 }
 417 
 418                 if ((rv == CKR_OK) && (pSignature != NULL))
 419                         (void) memcpy(pSignature, signature, *pulSignatureLen);
 420 
 421                 return (rv);
 422         }
 423         case CKM_MD5_RSA_PKCS:
 424         case CKM_SHA1_RSA_PKCS:
 425         case CKM_SHA256_RSA_PKCS:
 426         case CKM_SHA384_RSA_PKCS:
 427         case CKM_SHA512_RSA_PKCS:
 428 
 429                 return (soft_rsa_digest_sign_common(session_p, NULL, 0,
 430                     pSignature, pulSignatureLen, mechanism, B_TRUE));
 431 
 432         case CKM_DSA_SHA1:
 433 
 434                 return (soft_dsa_digest_sign_common(session_p, NULL, 0,
 435                     pSignature, pulSignatureLen, B_TRUE));
 436 
 437         case CKM_ECDSA_SHA1:
 438 
 439                 return (soft_ecc_digest_sign_common(session_p, NULL, 0,
 440                     pSignature, pulSignatureLen, B_TRUE));
 441 
 442         default:
 443                 /* PKCS11: The mechanism only supports single-part operation. */
 444                 return (CKR_MECHANISM_INVALID);
 445         }
 446 }
 447 
 448 
 449 CK_RV
 450 soft_sign_recover_init(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
 451     soft_object_t *key_p)
 452 {
 453 
 454         switch (pMechanism->mechanism) {
 455 
 456         case CKM_RSA_X_509:
 457         case CKM_RSA_PKCS:
 458 
 459                 return (soft_rsa_sign_verify_init_common(session_p, pMechanism,
 460                     key_p, B_TRUE));
 461 
 462         default:
 463                 return (CKR_MECHANISM_INVALID);
 464         }
 465 }
 466 
 467 
 468 CK_RV
 469 soft_sign_recover(soft_session_t *session_p, CK_BYTE_PTR pData,
 470     CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
 471     CK_ULONG_PTR pulSignatureLen)
 472 {
 473 
 474         CK_MECHANISM_TYPE mechanism = session_p->sign.mech.mechanism;
 475 
 476         switch (mechanism) {
 477 
 478         case CKM_RSA_X_509:
 479         case CKM_RSA_PKCS:
 480 
 481                 return (soft_rsa_sign_common(session_p, pData, ulDataLen,
 482                     pSignature, pulSignatureLen, mechanism));
 483 
 484         default:
 485                 return (CKR_MECHANISM_INVALID);
 486         }
 487 }
 488 
 489 /*
 490  * This function frees the allocated active crypto context.
 491  * It is only called by the first tier of sign/verify routines
 492  * and the caller of this function may or may not hold the session mutex.
 493  */
 494 void
 495 soft_sign_verify_cleanup(soft_session_t *session_p, boolean_t sign,
 496     boolean_t lock_held)
 497 {
 498 
 499         crypto_active_op_t *active_op;
 500         boolean_t lock_true = B_TRUE;
 501 
 502         if (!lock_held)
 503                 (void) pthread_mutex_lock(&session_p->session_mutex);
 504 
 505         active_op = (sign) ? &(session_p->sign) : &(session_p->verify);
 506 
 507         switch (active_op->mech.mechanism) {
 508 
 509         case CKM_MD5_RSA_PKCS:
 510         case CKM_SHA1_RSA_PKCS:
 511         case CKM_SHA256_RSA_PKCS:
 512         case CKM_SHA384_RSA_PKCS:
 513         case CKM_SHA512_RSA_PKCS:
 514                 if (session_p->digest.context != NULL) {
 515                         free(session_p->digest.context);
 516                         session_p->digest.context = NULL;
 517                         session_p->digest.flags = 0;
 518                 }
 519                 /* FALLTHRU */
 520 
 521         case CKM_RSA_PKCS:
 522         case CKM_RSA_X_509:
 523         {
 524                 soft_rsa_ctx_t *rsa_ctx =
 525                     (soft_rsa_ctx_t *)active_op->context;
 526 
 527                 if (rsa_ctx != NULL && rsa_ctx->key != NULL) {
 528                         soft_cleanup_object(rsa_ctx->key);
 529                         free(rsa_ctx->key);
 530                 }
 531                 break;
 532 
 533         }
 534         case CKM_DSA_SHA1:
 535                 if (session_p->digest.context != NULL) {
 536                         free(session_p->digest.context);
 537                         session_p->digest.context = NULL;
 538                         session_p->digest.flags = 0;
 539                 }
 540 
 541                 /* FALLTHRU */
 542         case CKM_DSA:
 543         {
 544                 soft_dsa_ctx_t *dsa_ctx =
 545                     (soft_dsa_ctx_t *)active_op->context;
 546 
 547                 if (dsa_ctx != NULL && dsa_ctx->key != NULL) {
 548                         soft_cleanup_object(dsa_ctx->key);
 549                         free(dsa_ctx->key);
 550                 }
 551                 break;
 552 
 553         }
 554         case CKM_SSL3_MD5_MAC:
 555         case CKM_SSL3_SHA1_MAC:
 556         case CKM_MD5_HMAC_GENERAL:
 557         case CKM_MD5_HMAC:
 558         case CKM_SHA_1_HMAC_GENERAL:
 559         case CKM_SHA_1_HMAC:
 560         case CKM_SHA256_HMAC_GENERAL:
 561         case CKM_SHA256_HMAC:
 562         case CKM_SHA384_HMAC_GENERAL:
 563         case CKM_SHA384_HMAC:
 564         case CKM_SHA512_HMAC_GENERAL:
 565         case CKM_SHA512_HMAC:
 566                 if (active_op->context != NULL) {
 567                         explicit_bzero(active_op->context,
 568                             sizeof (soft_hmac_ctx_t));
 569                 }
 570                 break;
 571         case CKM_DES_MAC_GENERAL:
 572         case CKM_DES_MAC:
 573                 if (session_p->encrypt.context != NULL) {
 574                         free(session_p->encrypt.context);
 575                         session_p->encrypt.context = NULL;
 576                         session_p->encrypt.flags = 0;
 577                 }
 578                 if (active_op->context != NULL) {
 579                         explicit_bzero(active_op->context,
 580                             sizeof (soft_des_ctx_t));
 581                 }
 582                 break;
 583 
 584         case CKM_AES_CMAC_GENERAL:
 585         case CKM_AES_CMAC:
 586                 if (session_p->encrypt.context != NULL) {
 587                         free(session_p->encrypt.context);
 588                         session_p->encrypt.context = NULL;
 589                         session_p->encrypt.flags = 0;
 590                 }
 591                 if (active_op->context != NULL) {
 592                         explicit_bzero(active_op->context,
 593                             sizeof (soft_aes_ctx_t));
 594                 }
 595                 break;
 596 
 597         }
 598 
 599         if (active_op->context != NULL) {
 600                 free(active_op->context);
 601                 active_op->context = NULL;
 602         }
 603 
 604         active_op->flags = 0;
 605 
 606         if (!lock_held)
 607                 SES_REFRELE(session_p, lock_true);
 608 }