search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge commit '06307114472bd8aad5ff18ccdb8e25f128ae6652'
[unleashed.git] / usr / src / lib / pkcs11 / pkcs11_softtoken / common / softSSL.c
blobbe440cbc6212d4bdf4a72bfe39baebc6ec210f61
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright 2018, Joyent, Inc.
25 */
26
27 #include <fcntl.h>
28 #include <strings.h>
29 #include <sys/stat.h>
30 #include <sys/types.h>
31 #include <sys/sha1.h>
32 #include <sys/md5.h>
33 #include <sys/sysmacros.h>
34 #include <security/cryptoki.h>
35 #include "softGlobal.h"
36 #include "softKeys.h"
37 #include "softKeystore.h"
38 #include "softMAC.h"
39 #include "softObject.h"
40 #include "softSession.h"
41 #include "softSSL.h"
42
43 /*
44 * This files contains the implementation of the following PKCS#11
45 * mechanisms needed by SSL:
46 * CKM_SSL3_MASTER_KEY_DERIVE
47 * CKM_SSL3_MASTER_KEY_DERIVE_DH
48 * CKM_SSL3_KEY_AND_DERIVE
49 * CKM_TLS_MASTER_KEY_DERIVE
50 * CKM_TLS_MASTER_KEY_DERIVE_DH
51 * CKM_TLS_KEY_AND_DERIVE
52 *
53 * SSL refers to common functions between SSL v3.0 and SSL v3.1 (a.k.a TLS.)
54 */
55
56 #define MAX_KEYBLOCK 160 /* should be plenty for all known cipherspecs */
57
58 #define MAX_DEFAULT_ATTRS 10 /* Enough for major applicarions */
59
60 static char *ssl3_const_vals[] = {
61 "A",
62 "BB",
63 "CCC",
64 "DDDD",
65 "EEEEE",
66 "FFFFFF",
67 "GGGGGGG",
68 "HHHHHHHH",
69 "IIIIIIIII",
70 "JJJJJJJJJJ",
71 };
72 static uint_t ssl3_const_lens[] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
73
74 static uchar_t TLS_MASTER_SECRET_LABEL[] = {"master secret"};
75 #define TLS_MASTER_SECRET_LABEL_LEN 13
76
77 static uchar_t TLS_KEY_EXPANSION_LABEL[] = {"key expansion"};
78 #define TLS_KEY_EXPANSION_LABEL_LEN 13
79
80 static uchar_t TLS_CLIENT_KEY_LABEL[] = {"client write key"};
81 #define TLS_CLIENT_KEY_LABEL_LEN 16
82
83 static uchar_t TLS_SERVER_KEY_LABEL[] = {"server write key"};
84 #define TLS_SERVER_KEY_LABEL_LEN 16
85
86 static uchar_t TLS_IV_BLOCK_LABEL[] = {"IV block"};
87 #define TLS_IV_BLOCK_LABEL_LEN 8
88
89 static void P_MD5(uchar_t *, uint_t, uchar_t *, uint_t, uchar_t *, uint_t,
90 uchar_t *, uint_t, uchar_t *, uint_t, boolean_t);
91 static void P_SHA1(uchar_t *, uint_t, uchar_t *, uint_t, uchar_t *, uint_t,
92 uchar_t *, uint_t, uchar_t *, uint_t, boolean_t);
93
94 static CK_RV soft_add_derived_key(CK_ATTRIBUTE_PTR, CK_ULONG,
95 CK_OBJECT_HANDLE_PTR, soft_session_t *, soft_object_t *);
96 static void soft_delete_derived_key(soft_session_t *, soft_object_t *);
97 static void soft_ssl_weaken_key(CK_MECHANISM_PTR, uchar_t *, uint_t,
98 uchar_t *, uint_t, uchar_t *, uint_t, uchar_t *, boolean_t);
99
100 /*
101 * soft_ssl3_churn()
102 * Called for derivation of the master secret from the pre-master secret,
103 * and for the derivation of the key_block in an SSL3 handshake
104 * result is assumed to be larger than rounds * MD5_HASH_SIZE.
105 */
106 static void
107 soft_ssl3_churn(uchar_t *secret, uint_t secretlen, uchar_t *rand1,
108 uint_t rand1len, uchar_t *rand2, uint_t rand2len, int rounds,
109 uchar_t *result)
110 {
111 SHA1_CTX sha1_ctx;
112 MD5_CTX md5_ctx;
113 uchar_t sha1_digest[SHA1_HASH_SIZE];
114 int i;
115 uchar_t *ms = result;
116 for (i = 0; i < rounds; i++) {
117 SHA1Init(&sha1_ctx);
118 SHA1Update(&sha1_ctx, (const uint8_t *)ssl3_const_vals[i],
119 ssl3_const_lens[i]);
120 SHA1Update(&sha1_ctx, secret, secretlen);
121 SHA1Update(&sha1_ctx, rand1, rand1len);
122 SHA1Update(&sha1_ctx, rand2, rand2len);
123 SHA1Final(sha1_digest, &sha1_ctx);
124
125 MD5Init(&md5_ctx);
126 MD5Update(&md5_ctx, secret, secretlen);
127 MD5Update(&md5_ctx, sha1_digest, SHA1_HASH_SIZE);
128 MD5Final(ms, &md5_ctx);
129 ms += MD5_HASH_SIZE;
130 }
131 }
132
133 /*
134 * This TLS generic Pseudo Random Function expands a triplet
135 * {secret, label, seed} into any arbitrary length string of pseudo
136 * random bytes.
137 * Here, it is called for the derivation of the master secret from the
138 * pre-master secret, and for the derivation of the key_block in a TLS
139 * handshake
140 */
141 static void
142 soft_tls_prf(uchar_t *secret, uint_t secretlen, uchar_t *label, uint_t labellen,
143 uchar_t *rand1, uint_t rand1len, uchar_t *rand2, uint_t rand2len,
144 uchar_t *result, uint_t resultlen)
145 {
146 uchar_t *S1, *S2;
147 uchar_t md5_digested_key[MD5_HASH_SIZE];
148 uchar_t sha1_digested_key[SHA1_HASH_SIZE];
149 uint_t L_S, L_S1, L_S2;
150
151 /* secret is NULL for IV's in exportable ciphersuites */
152 if (secret == NULL) {
153 L_S = 0;
154 L_S2 = L_S1 = 0;
155 S1 = NULL;
156 S2 = NULL;
157 goto do_P_HASH;
158 }
159
160 L_S = roundup(secretlen, 2) / 2;
161 L_S1 = L_S;
162 L_S2 = L_S;
163 S1 = secret;
164 S2 = secret + (secretlen / 2); /* Possible overlap of S1 and S2. */
165
166 /* Reduce the half secrets if bigger than the HASH's block size */
167 if (L_S > MD5_HMAC_BLOCK_SIZE) {
168 MD5_CTX md5_ctx;
169 SHA1_CTX sha1_ctx;
170
171 MD5Init(&md5_ctx);
172 MD5Update(&md5_ctx, S1, L_S);
173 MD5Final(md5_digested_key, &md5_ctx);
174 S1 = md5_digested_key;
175 L_S1 = MD5_HASH_SIZE;
176
177 SHA1Init(&sha1_ctx);
178 SHA1Update(&sha1_ctx, S2, L_S);
179 SHA1Final(sha1_digested_key, &sha1_ctx);
180 S2 = sha1_digested_key;
181 L_S2 = SHA1_HASH_SIZE;
182 }
183
184 /*
185 * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
186 * P_SHA-1(S2, label + seed);
187 * the 'seed' here is rand1 + rand2
188 */
189 do_P_HASH:
190 /* The first one writes directly to the result */
191 P_MD5(S1, L_S1, label, labellen, rand1, rand1len, rand2, rand2len,
192 result, resultlen, B_FALSE);
193
194 /* The second one XOR's with the result. */
195 P_SHA1(S2, L_S2, label, labellen, rand1, rand1len, rand2, rand2len,
196 result, resultlen, B_TRUE);
197 }
198
199 /*
200 * These two expansion routines are very similar. (they can merge one day).
201 * They implement the P_HASH() function for MD5 and for SHA1, as defined in
202 * RFC2246:
203 *
204 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
205 * HMAC_hash(secret, A(2) + seed) +
206 * HMAC_hash(secret, A(3) + seed) + ...
207 * Where + indicates concatenation.
208 * A() is defined as:
209 * A(0) = seed
210 * A(i) = HMAC_hash(secret, A(i-1))
211 *
212 * The seed is the concatenation of 'babel', 'rand1', and 'rand2'.
213 */
214 static void
215 P_MD5(uchar_t *secret, uint_t secretlen, uchar_t *label, uint_t labellen,
216 uchar_t *rand1, uint_t rand1len, uchar_t *rand2, uint_t rand2len,
217 uchar_t *result, uint_t resultlen, boolean_t xor_it)
218 {
219 uint32_t md5_ipad[MD5_HMAC_INTS_PER_BLOCK];
220 uint32_t md5_opad[MD5_HMAC_INTS_PER_BLOCK];
221 uchar_t md5_hmac[MD5_HASH_SIZE];
222 uchar_t A[MD5_HASH_SIZE];
223 md5_hc_ctx_t md5_hmac_ctx;
224 uchar_t *res, *cur;
225 uint_t left = resultlen;
226 int i;
227
228 /* good compilers will leverage the aligment */
229 bzero(md5_ipad, MD5_HMAC_BLOCK_SIZE);
230 bzero(md5_opad, MD5_HMAC_BLOCK_SIZE);
231
232 if (secretlen > 0) {
233 bcopy(secret, md5_ipad, secretlen);
234 bcopy(secret, md5_opad, secretlen);
235 }
236
237 /* A(1) = HMAC_MD5(secret, rand1 + rand2) */
238 md5_hmac_ctx_init(&md5_hmac_ctx, md5_ipad, md5_opad);
239 SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, label, labellen);
240 SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, rand1, rand1len);
241 SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, rand2, rand2len);
242 SOFT_MAC_FINAL(MD5, &md5_hmac_ctx, A);
243
244 if (xor_it) {
245 res = md5_hmac;
246 cur = result;
247 } else {
248 res = result;
249 }
250
251 while (left > 0) {
252 /*
253 * Compute HMAC_MD5(secret, A(i) + seed);
254 * The secret is already expanded in the ictx and octx, so
255 * we can call the SOFT_MAC_INIT_CTX() directly.
256 */
257 SOFT_MAC_INIT_CTX(MD5, &md5_hmac_ctx, md5_ipad, md5_opad,
258 MD5_HMAC_BLOCK_SIZE);
259 SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, A, MD5_HASH_SIZE);
260 SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, label, labellen);
261 SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, rand1, rand1len);
262 SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, rand2, rand2len);
263
264 if (left > MD5_HASH_SIZE) {
265 SOFT_MAC_FINAL(MD5, &md5_hmac_ctx, res);
266 if (xor_it) {
267 for (i = 0; i < MD5_HASH_SIZE; i++) {
268 *cur ^= res[i];
269 cur++;
270 }
271 } else {
272 res += MD5_HASH_SIZE;
273 }
274 left -= MD5_HASH_SIZE;
275 } else {
276 SOFT_MAC_FINAL(MD5, &md5_hmac_ctx, md5_hmac);
277 if (xor_it) {
278 for (i = 0; i < left; i++) {
279 *cur ^= md5_hmac[i];
280 cur++;
281 }
282 } else {
283 bcopy(md5_hmac, res, left);
284 }
285 break;
286 }
287 /* A(i) = HMAC_MD5(secret, A(i-1) */
288 SOFT_MAC_INIT_CTX(MD5, &md5_hmac_ctx, md5_ipad, md5_opad,
289 MD5_HMAC_BLOCK_SIZE);
290 SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, A, MD5_HASH_SIZE);
291 SOFT_MAC_FINAL(MD5, &md5_hmac_ctx, A);
292 }
293 }
294 static void
295 P_SHA1(uchar_t *secret, uint_t secretlen, uchar_t *label, uint_t labellen,
296 uchar_t *rand1, uint_t rand1len, uchar_t *rand2, uint_t rand2len,
297 uchar_t *result, uint_t resultlen, boolean_t xor_it)
298 {
299 uint32_t sha1_ipad[SHA1_HMAC_INTS_PER_BLOCK];
300 uint32_t sha1_opad[SHA1_HMAC_INTS_PER_BLOCK];
301 uchar_t sha1_hmac[SHA1_HASH_SIZE];
302 uchar_t A[SHA1_HASH_SIZE];
303 sha1_hc_ctx_t sha1_hmac_ctx;
304 uchar_t *res, *cur;
305 uint_t left = resultlen;
306 int i;
307
308 /* good compilers will leverage the aligment */
309 bzero(sha1_ipad, SHA1_HMAC_BLOCK_SIZE);
310 bzero(sha1_opad, SHA1_HMAC_BLOCK_SIZE);
311
312 if (secretlen > 0) {
313 bcopy(secret, sha1_ipad, secretlen);
314 bcopy(secret, sha1_opad, secretlen);
315 }
316
317 /* A(1) = HMAC_SHA1(secret, rand1 + rand2) */
318 sha1_hmac_ctx_init(&sha1_hmac_ctx, sha1_ipad, sha1_opad);
319 SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, label, labellen);
320 SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, rand1, rand1len);
321 SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, rand2, rand2len);
322 SOFT_MAC_FINAL(SHA1, &sha1_hmac_ctx, A);
323
324 if (xor_it) {
325 res = sha1_hmac;
326 cur = result;
327 } else {
328 res = result;
329 }
330
331 while (left > 0) {
332 /*
333 * Compute HMAC_SHA1(secret, A(i) + seed);
334 * The secret is already expanded in the ictx and octx, so
335 * we can call the SOFT_MAC_INIT_CTX() directly.
336 */
337 SOFT_MAC_INIT_CTX(SHA1, &sha1_hmac_ctx,
338 (const uchar_t *)sha1_ipad, (const uchar_t *)sha1_opad,
339 SHA1_HMAC_BLOCK_SIZE);
340 SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, A, SHA1_HASH_SIZE);
341 SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, label, labellen);
342 SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, rand1, rand1len);
343 SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, rand2, rand2len);
344
345 if (left > SHA1_HASH_SIZE) {
346 SOFT_MAC_FINAL(SHA1, &sha1_hmac_ctx, res);
347 if (xor_it) {
348 for (i = 0; i < SHA1_HASH_SIZE; i++) {
349 *cur ^= res[i];
350 cur++;
351 }
352 } else {
353 res += SHA1_HASH_SIZE;
354 }
355 left -= SHA1_HASH_SIZE;
356 } else {
357 SOFT_MAC_FINAL(SHA1, &sha1_hmac_ctx, sha1_hmac);
358 if (xor_it) {
359 for (i = 0; i < left; i++) {
360 *cur ^= sha1_hmac[i];
361 cur++;
362 }
363 } else {
364 bcopy(sha1_hmac, res, left);
365 }
366 break;
367 }
368 /* A(i) = HMAC_SHA1(secret, A(i-1) */
369 SOFT_MAC_INIT_CTX(SHA1, &sha1_hmac_ctx,
370 (const uchar_t *)sha1_ipad, (const uchar_t *)sha1_opad,
371 SHA1_HMAC_BLOCK_SIZE);
372 SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, A, SHA1_HASH_SIZE);
373 SOFT_MAC_FINAL(SHA1, &sha1_hmac_ctx, A);
374 }
375 }
376
377 /* This function handles the call from C_DeriveKey for CKM_TLS_PRF */
378 CK_RV
379 derive_tls_prf(CK_TLS_PRF_PARAMS_PTR param, soft_object_t *basekey_p)
380 {
381
382 if (param->pOutput == NULL || param->pulOutputLen == 0)
383 return (CKR_BUFFER_TOO_SMALL);
384
385 (void) soft_tls_prf(OBJ_SEC_VALUE(basekey_p),
386 OBJ_SEC_VALUE_LEN(basekey_p), param->pLabel, param->ulLabelLen,
387 param->pSeed, param->ulSeedLen, NULL, 0, param->pOutput,
388 *param->pulOutputLen);
389
390 return (CKR_OK);
391 }
392
393
394 /*
395 * soft_ssl_master_key_derive()
396 *
397 * Arguments:
398 * . session_p
399 * . mech_p: key derivation mechanism. the mechanism parameter carries the
400 * client and master random from the Hello handshake messages.
401 * . basekey_p: The pre-master secret key.
402 * . pTemplate & ulAttributeCount: Any extra attributes for the key to be
403 * created.
404 * . phKey: store for handle to the derived key.
405 *
406 * Description:
407 * Derive the SSL master secret from the pre-master secret, the client
408 * and server random.
409 * In SSL 3.0, master_secret =
410 * MD5(pre_master_secret + SHA('A' + pre_master_secret +
411 * ClientHello.random + ServerHello.random)) +
412 * MD5(pre_master_secret + SHA('BB' + pre_master_secret +
413 * ClientHello.random + ServerHello.random)) +
414 * MD5(pre_master_secret + SHA('CCC' + pre_master_secret +
415 * ClientHello.random + ServerHello.random));
416 *
417 * In TLS 1.0 (a.k.a. SSL 3.1), master_secret =
418 * PRF(pre_master_secret, "master secret",
419 * ClientHello.random + ServerHello.random)
420 */
421 CK_RV
422 soft_ssl_master_key_derive(soft_session_t *sp, CK_MECHANISM_PTR mech,
423 soft_object_t *basekey_p, CK_ATTRIBUTE_PTR pTemplate,
424 CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey)
425 {
426 uchar_t *pmsecret = OBJ_SEC_VALUE(basekey_p);
427 uint_t pmlen = OBJ_SEC_VALUE_LEN(basekey_p);
428 CK_SSL3_MASTER_KEY_DERIVE_PARAMS *mkd_params;
429 CK_SSL3_RANDOM_DATA *random_data;
430 CK_VERSION_PTR pVersion;
431 uchar_t ssl_master_secret[48];
432 CK_OBJECT_CLASS class = CKO_SECRET_KEY;
433 CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
434 CK_BBOOL true = TRUE;
435 CK_ATTRIBUTE obj_tmpl[MAX_DEFAULT_ATTRS];
436 CK_ATTRIBUTE_PTR new_tmpl;
437 CK_ULONG newattrcount;
438 boolean_t new_tmpl_allocated = B_FALSE, is_tls = B_FALSE;
439 ulong_t i;
440 CK_RV rv = CKR_OK;
441 uint_t ClientRandomLen, ServerRandomLen;
442
443 /* Check the validity of the mechanism's parameter */
444
445 mkd_params = (CK_SSL3_MASTER_KEY_DERIVE_PARAMS *)mech->pParameter;
446
447 if (mkd_params == NULL ||
448 mech->ulParameterLen != sizeof (CK_SSL3_MASTER_KEY_DERIVE_PARAMS))
449 return (CKR_MECHANISM_PARAM_INVALID);
450
451 pVersion = mkd_params->pVersion;
452
453 switch (mech->mechanism) {
454 case CKM_TLS_MASTER_KEY_DERIVE:
455 is_tls = B_TRUE;
456 /* FALLTHRU */
457 case CKM_SSL3_MASTER_KEY_DERIVE:
458 /* Invalid pre-master key length. What else to return? */
459 if (pmlen != 48)
460 return (CKR_ARGUMENTS_BAD);
461
462 /* Get the SSL version number from the premaster secret */
463 if (pVersion == NULL_PTR)
464 return (CKR_MECHANISM_PARAM_INVALID);
465
466 bcopy(pmsecret, pVersion, sizeof (CK_VERSION));
467
468 break;
469 case CKM_TLS_MASTER_KEY_DERIVE_DH:
470 is_tls = B_TRUE;
471 /* FALLTHRU */
472 case CKM_SSL3_MASTER_KEY_DERIVE_DH:
473 if (pVersion != NULL_PTR)
474 return (CKR_MECHANISM_PARAM_INVALID);
475 }
476
477 random_data = &mkd_params->RandomInfo;
478 ClientRandomLen = random_data->ulClientRandomLen;
479 ServerRandomLen = random_data->ulServerRandomLen;
480
481 if (random_data->pClientRandom == NULL_PTR || ClientRandomLen == 0 ||
482 random_data->pServerRandom == NULL_PTR || ServerRandomLen == 0) {
483 return (CKR_MECHANISM_PARAM_INVALID);
484 }
485
486 /* Now the actual secret derivation */
487 if (!is_tls) {
488 soft_ssl3_churn(pmsecret, pmlen, random_data->pClientRandom,
489 ClientRandomLen, random_data->pServerRandom,
490 ServerRandomLen, 3, ssl_master_secret);
491 } else {
492 soft_tls_prf(pmsecret, pmlen, TLS_MASTER_SECRET_LABEL,
493 TLS_MASTER_SECRET_LABEL_LEN, random_data->pClientRandom,
494 ClientRandomLen, random_data->pServerRandom,
495 ServerRandomLen, ssl_master_secret, 48);
496 }
497
498 /*
499 * The object creation attributes need to be in one contiguous
500 * array. In addition to the attrs from the application supplied
501 * pTemplates, We need to add the class, type, value, valuelen and
502 * CKA_DERIVE.
503 * In the most likely case, the application passes between zero and
504 * handful of attributes, We optimize for that case by allocating
505 * the new template on the stack. Oherwise we malloc() it.
506 */
507
508 newattrcount = ulAttributeCount + 4;
509 if (newattrcount > MAX_DEFAULT_ATTRS) {
510 new_tmpl = malloc(sizeof (CK_ATTRIBUTE) * newattrcount);
511
512 if (new_tmpl == NULL)
513 return (CKR_HOST_MEMORY);
514
515 new_tmpl_allocated = B_TRUE;
516 } else
517 new_tmpl = obj_tmpl;
518
519 /*
520 * Fill in the new template.
521 * We put the attributes contributed by the mechanism first
522 * so that they override the application supplied ones.
523 */
524 new_tmpl[0].type = CKA_CLASS;
525 new_tmpl[0].pValue = &class;
526 new_tmpl[0].ulValueLen = sizeof (class);
527 new_tmpl[1].type = CKA_KEY_TYPE;
528 new_tmpl[1].pValue = &keyType;
529 new_tmpl[1].ulValueLen = sizeof (keyType);
530 new_tmpl[2].type = CKA_DERIVE;
531 new_tmpl[2].pValue = &true;
532 new_tmpl[2].ulValueLen = sizeof (true);
533 new_tmpl[3].type = CKA_VALUE;
534 new_tmpl[3].pValue = ssl_master_secret;
535 new_tmpl[3].ulValueLen = 48;
536
537 /* Any attributes left? */
538 if (ulAttributeCount > 0) {
539
540 /* Validate the default class and type attributes */
541 for (i = 0; i < ulAttributeCount; i++) {
542 /* The caller is responsible for proper alignment */
543 if ((pTemplate[i].type == CKA_CLASS) &&
544 (*((CK_OBJECT_CLASS *)pTemplate[i].pValue) !=
545 CKO_SECRET_KEY)) {
546 rv = CKR_TEMPLATE_INCONSISTENT;
547 goto out;
548 }
549 if ((pTemplate[i].type == CKA_KEY_TYPE) &&
550 (*((CK_KEY_TYPE *)pTemplate[i].pValue) !=
551 CKK_GENERIC_SECRET)) {
552 rv = CKR_TEMPLATE_INCONSISTENT;
553 goto out;
554 }
555 }
556 bcopy(pTemplate, &new_tmpl[4],
557 ulAttributeCount * sizeof (CK_ATTRIBUTE));
558 }
559
560 rv = soft_add_derived_key(new_tmpl, newattrcount, phKey, sp, basekey_p);
561 out:
562 if (new_tmpl_allocated)
563 free(new_tmpl);
564
565 return (rv);
566 }
567
568 /*
569 * soft_ssl3_key_and_mac_derive()
570 *
571 * Arguments:
572 * . session_p
573 * . mech_p: key derivation mechanism. the mechanism parameter carries the
574 * client and mastter random from the Hello handshake messages,
575 * the specification of the key and IV sizes, and the location
576 * for the resulting keys and IVs.
577 * . basekey_p: The master secret key.
578 * . pTemplate & ulAttributeCount: Any extra attributes for the key to be
579 * created.
580 *
581 * Description:
582 * Derive the SSL key material (Client and server MAC secrets, symmetric
583 * keys and IVs), from the master secret and the client
584 * and server random.
585 * First a keyblock is generated usining the following formula:
586 * key_block =
587 * MD5(master_secret + SHA(`A' + master_secret +
588 * ServerHello.random +
589 * ClientHello.random)) +
590 * MD5(master_secret + SHA(`BB' + master_secret +
591 * ServerHello.random +
592 * ClientHello.random)) +
593 * MD5(master_secret + SHA(`CCC' + master_secret +
594 * ServerHello.random +
595 * ClientHello.random)) + [...];
596 *
597 * In TLS 1.0 (a.k.a. SSL 3.1), key_block =
598 * PRF(master_secret, "key expansion",
599 * ServerHello.random + ClientHello.random)
600 *
601 * Then the keys materials are taken from the keyblock.
602 */
603
604 CK_RV
605 soft_ssl_key_and_mac_derive(soft_session_t *sp, CK_MECHANISM_PTR mech,
606 soft_object_t *basekey_p, CK_ATTRIBUTE_PTR pTemplate,
607 CK_ULONG ulAttributeCount)
608 {
609 uchar_t *msecret = OBJ_SEC_VALUE(basekey_p);
610 uint_t mslen = OBJ_SEC_VALUE_LEN(basekey_p);
611 CK_SSL3_KEY_MAT_PARAMS *km_params;
612 CK_SSL3_RANDOM_DATA *random_data;
613 CK_SSL3_KEY_MAT_OUT *kmo;
614 uchar_t key_block[MAX_KEYBLOCK], *kb, *export_keys = NULL;
615 CK_OBJECT_CLASS class = CKO_SECRET_KEY;
616 CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
617 CK_BBOOL true = TRUE;
618 CK_ATTRIBUTE obj_tmpl[MAX_DEFAULT_ATTRS];
619 CK_ATTRIBUTE_PTR new_tmpl;
620 ulong_t newattrcount, mac_key_bytes, secret_key_bytes, iv_bytes;
621 ulong_t extra_attr_count;
622 uint_t size;
623 int rounds, n = 0;
624 boolean_t new_tmpl_allocated = B_FALSE, isExport;
625 CK_RV rv = CKR_OK;
626 uint_t ClientRandomLen, ServerRandomLen;
627
628 /* Check the validity of the mechanism's parameter */
629
630 km_params = (CK_SSL3_KEY_MAT_PARAMS *)mech->pParameter;
631
632 if (km_params == NULL ||
633 mech->ulParameterLen != sizeof (CK_SSL3_KEY_MAT_PARAMS) ||
634 (kmo = km_params->pReturnedKeyMaterial) == NULL)
635 return (CKR_MECHANISM_PARAM_INVALID);
636
637 isExport = (km_params->bIsExport == TRUE);
638
639 random_data = &km_params->RandomInfo;
640 ClientRandomLen = random_data->ulClientRandomLen;
641 ServerRandomLen = random_data->ulServerRandomLen;
642
643 if (random_data->pClientRandom == NULL_PTR || ClientRandomLen == 0 ||
644 random_data->pServerRandom == NULL_PTR || ServerRandomLen == 0) {
645 return (CKR_MECHANISM_PARAM_INVALID);
646 }
647
648 mac_key_bytes = km_params->ulMacSizeInBits / 8;
649 secret_key_bytes = km_params->ulKeySizeInBits / 8;
650 iv_bytes = km_params->ulIVSizeInBits / 8;
651
652 if ((iv_bytes > 0) &&
653 ((kmo->pIVClient == NULL) || (kmo->pIVServer == NULL)))
654 return (CKR_MECHANISM_PARAM_INVALID);
655
656 /*
657 * For exportable ciphersuites, the IV's aren't taken from the
658 * key block. They are directly derived from the client and
659 * server random data.
660 * For SSL3.0:
661 * client_write_IV = MD5(ClientHello.random + ServerHello.random);
662 * server_write_IV = MD5(ServerHello.random + ClientHello.random);
663 * For TLS1.0:
664 * iv_block = PRF("", "IV block", client_random +
665 * server_random)[0..15]
666 * client_write_IV = iv_block[0..7]
667 * server_write_IV = iv_block[8..15]
668 */
669 if ((isExport) && (iv_bytes > 0)) {
670
671 if (mech->mechanism == CKM_SSL3_KEY_AND_MAC_DERIVE) {
672 MD5_CTX exp_md5_ctx;
673
674 if (iv_bytes > MD5_HASH_SIZE)
675 return (CKR_MECHANISM_PARAM_INVALID);
676
677 MD5Init(&exp_md5_ctx);
678 MD5Update(&exp_md5_ctx, random_data->pClientRandom,
679 ClientRandomLen);
680 MD5Update(&exp_md5_ctx, random_data->pServerRandom,
681 ServerRandomLen);
682
683 /* there's room in key_block. use it */
684 MD5Final(key_block, &exp_md5_ctx);
685 bcopy(key_block, kmo->pIVClient, iv_bytes);
686
687 MD5Init(&exp_md5_ctx);
688 MD5Update(&exp_md5_ctx, random_data->pServerRandom,
689 ServerRandomLen);
690 MD5Update(&exp_md5_ctx, random_data->pClientRandom,
691 ClientRandomLen);
692 MD5Final(key_block, &exp_md5_ctx);
693 bcopy(key_block, kmo->pIVServer, iv_bytes);
694 } else {
695 uchar_t iv_block[16];
696
697 if (iv_bytes != 8)
698 return (CKR_MECHANISM_PARAM_INVALID);
699
700 soft_tls_prf(NULL, 0, TLS_IV_BLOCK_LABEL,
701 TLS_IV_BLOCK_LABEL_LEN,
702 random_data->pClientRandom, ClientRandomLen,
703 random_data->pServerRandom, ServerRandomLen,
704 iv_block, 16);
705 bcopy(iv_block, kmo->pIVClient, 8);
706 bcopy(iv_block + 8, kmo->pIVServer, 8);
707 }
708 /* so we won't allocate a key_block bigger than needed */
709 iv_bytes = 0;
710 }
711
712 /* Now the actual secret derivation */
713
714 size = (mac_key_bytes + secret_key_bytes + iv_bytes) * 2;
715
716 /* Need to handle this better */
717 if (size > MAX_KEYBLOCK)
718 return (CKR_MECHANISM_PARAM_INVALID);
719
720 rounds = howmany(size, MD5_HASH_SIZE);
721
722 kb = key_block;
723
724 if (mech->mechanism == CKM_SSL3_KEY_AND_MAC_DERIVE) {
725 soft_ssl3_churn(msecret, mslen, random_data->pServerRandom,
726 ServerRandomLen, random_data->pClientRandom,
727 ClientRandomLen, rounds, kb);
728 } else {
729 soft_tls_prf(msecret, mslen, TLS_KEY_EXPANSION_LABEL,
730 TLS_KEY_EXPANSION_LABEL_LEN,
731 random_data->pServerRandom, ServerRandomLen,
732 random_data->pClientRandom, ClientRandomLen,
733 kb, size);
734 }
735
736 /* Now create the objects */
737
738 kmo->hClientMacSecret = CK_INVALID_HANDLE;
739 kmo->hServerMacSecret = CK_INVALID_HANDLE;
740 kmo->hClientKey = CK_INVALID_HANDLE;
741 kmo->hServerKey = CK_INVALID_HANDLE;
742
743 /* First the MAC secrets */
744 if (mac_key_bytes > 0) {
745 obj_tmpl[0].type = CKA_CLASS;
746 obj_tmpl[0].pValue = &class; /* CKO_SECRET_KEY */
747 obj_tmpl[0].ulValueLen = sizeof (class);
748 obj_tmpl[1].type = CKA_KEY_TYPE;
749 obj_tmpl[1].pValue = &keyType; /* CKK_GENERIC_SECRET */
750 obj_tmpl[1].ulValueLen = sizeof (keyType);
751 obj_tmpl[2].type = CKA_DERIVE;
752 obj_tmpl[2].pValue = &true;
753 obj_tmpl[2].ulValueLen = sizeof (true);
754 obj_tmpl[3].type = CKA_SIGN;
755 obj_tmpl[3].pValue = &true;
756 obj_tmpl[3].ulValueLen = sizeof (true);
757 obj_tmpl[4].type = CKA_VERIFY;
758 obj_tmpl[4].pValue = &true;
759 obj_tmpl[4].ulValueLen = sizeof (true);
760 obj_tmpl[5].type = CKA_VALUE;
761 obj_tmpl[5].pValue = kb;
762 obj_tmpl[5].ulValueLen = mac_key_bytes;
763
764 rv = soft_add_derived_key(obj_tmpl, 6,
765 &(kmo->hClientMacSecret), sp, basekey_p);
766
767 if (rv != CKR_OK)
768 goto out_err;
769
770 kb += mac_key_bytes;
771
772 obj_tmpl[5].pValue = kb;
773 rv = soft_add_derived_key(obj_tmpl, 6,
774 &(kmo->hServerMacSecret), sp, basekey_p);
775
776 if (rv != CKR_OK)
777 goto out_err;
778
779 kb += mac_key_bytes;
780 }
781
782 /* Then the symmetric ciphers keys */
783
784 extra_attr_count = (secret_key_bytes == 0) ? 6 : 5;
785 newattrcount = ulAttributeCount + extra_attr_count;
786 if (newattrcount > MAX_DEFAULT_ATTRS) {
787 new_tmpl = malloc(sizeof (CK_ATTRIBUTE) * newattrcount);
788
789 if (new_tmpl == NULL)
790 return (CKR_HOST_MEMORY);
791
792 new_tmpl_allocated = B_TRUE;
793 } else
794 new_tmpl = obj_tmpl;
795
796 new_tmpl[n].type = CKA_CLASS;
797 new_tmpl[n].pValue = &class; /* CKO_SECRET_KEY */
798 new_tmpl[n].ulValueLen = sizeof (class);
799 ++n;
800 /*
801 * The keyType comes from the application's template, and depends
802 * on the ciphersuite. The only exception is authentication only
803 * ciphersuites which do not use cipher keys.
804 */
805 if (secret_key_bytes == 0) {
806 new_tmpl[n].type = CKA_KEY_TYPE;
807 new_tmpl[n].pValue = &keyType; /* CKK_GENERIC_SECRET */
808 new_tmpl[n].ulValueLen = sizeof (keyType);
809 n++;
810 }
811 new_tmpl[n].type = CKA_DERIVE;
812 new_tmpl[n].pValue = &true;
813 new_tmpl[n].ulValueLen = sizeof (true);
814 n++;
815 new_tmpl[n].type = CKA_ENCRYPT;
816 new_tmpl[n].pValue = &true;
817 new_tmpl[n].ulValueLen = sizeof (true);
818 n++;
819 new_tmpl[n].type = CKA_DECRYPT;
820 new_tmpl[n].pValue = &true;
821 new_tmpl[n].ulValueLen = sizeof (true);
822 n++;
823 new_tmpl[n].type = CKA_VALUE;
824 new_tmpl[n].pValue = NULL;
825 new_tmpl[n].ulValueLen = 0;
826
827 if (secret_key_bytes > 0) {
828 if (isExport) {
829 if (secret_key_bytes > MD5_HASH_SIZE) {
830 rv = CKR_MECHANISM_PARAM_INVALID;
831 goto out_err;
832 }
833 if ((export_keys = malloc(2 * MD5_HASH_SIZE)) == NULL) {
834 rv = CKR_HOST_MEMORY;
835 goto out_err;
836 }
837 soft_ssl_weaken_key(mech, kb, secret_key_bytes,
838 random_data->pClientRandom, ClientRandomLen,
839 random_data->pServerRandom, ServerRandomLen,
840 export_keys, B_TRUE);
841 new_tmpl[n].pValue = export_keys;
842 new_tmpl[n].ulValueLen = MD5_HASH_SIZE;
843 } else {
844 new_tmpl[n].pValue = kb;
845 new_tmpl[n].ulValueLen = secret_key_bytes;
846 }
847 }
848
849 if (ulAttributeCount > 0)
850 bcopy(pTemplate, &new_tmpl[extra_attr_count],
851 ulAttributeCount * sizeof (CK_ATTRIBUTE));
852
853 rv = soft_add_derived_key(new_tmpl, newattrcount,
854 &(kmo->hClientKey), sp, basekey_p);
855
856 if (rv != CKR_OK)
857 goto out_err;
858
859 kb += secret_key_bytes;
860
861 if (secret_key_bytes > 0) {
862 if (isExport) {
863 soft_ssl_weaken_key(mech, kb, secret_key_bytes,
864 random_data->pServerRandom, ServerRandomLen,
865 random_data->pClientRandom, ClientRandomLen,
866 export_keys + MD5_HASH_SIZE, B_FALSE);
867 new_tmpl[n].pValue = export_keys + MD5_HASH_SIZE;
868 } else
869 new_tmpl[n].pValue = kb;
870 }
871
872 rv = soft_add_derived_key(new_tmpl, newattrcount,
873 &(kmo->hServerKey), sp, basekey_p);
874
875 if (rv != CKR_OK)
876 goto out_err;
877
878 kb += secret_key_bytes;
879
880 /* Finally, the IVs */
881 if (iv_bytes > 0) {
882 bcopy(kb, kmo->pIVClient, iv_bytes);
883 kb += iv_bytes;
884 bcopy(kb, kmo->pIVServer, iv_bytes);
885 }
886
887 if (new_tmpl_allocated)
888 free(new_tmpl);
889
890 freezero(export_keys, 2 * MD5_HASH_SIZE);
891
892 return (rv);
893
894 out_err:
895 if (kmo->hClientMacSecret != CK_INVALID_HANDLE) {
896 (void) soft_delete_derived_key(sp,
897 (soft_object_t *)(kmo->hClientMacSecret));
898 kmo->hClientMacSecret = CK_INVALID_HANDLE;
899 }
900 if (kmo->hServerMacSecret != CK_INVALID_HANDLE) {
901 (void) soft_delete_derived_key(sp,
902 (soft_object_t *)(kmo->hServerMacSecret));
903 kmo->hServerMacSecret = CK_INVALID_HANDLE;
904 }
905 if (kmo->hClientKey != CK_INVALID_HANDLE) {
906 (void) soft_delete_derived_key(sp,
907 (soft_object_t *)(kmo->hClientKey));
908 kmo->hClientKey = CK_INVALID_HANDLE;
909 }
910 if (kmo->hServerKey != CK_INVALID_HANDLE) {
911 (void) soft_delete_derived_key(sp,
912 (soft_object_t *)(kmo->hServerKey));
913 kmo->hServerKey = CK_INVALID_HANDLE;
914 }
915
916 if (new_tmpl_allocated)
917 free(new_tmpl);
918
919 freezero(export_keys, 2 * MD5_HASH_SIZE);
920
921 return (rv);
922 }
923
924 /*
925 * Add the derived key to the session, and, if it's a token object,
926 * write it to the token.
927 */
928 static CK_RV
929 soft_add_derived_key(CK_ATTRIBUTE_PTR tmpl, CK_ULONG attrcount,
930 CK_OBJECT_HANDLE_PTR phKey, soft_session_t *sp, soft_object_t *basekey_p)
931 {
932 CK_RV rv;
933 soft_object_t *secret_key;
934
935 if ((secret_key = calloc(1, sizeof (soft_object_t))) == NULL) {
936 return (CKR_HOST_MEMORY);
937 }
938
939 if (((rv = soft_build_secret_key_object(tmpl, attrcount, secret_key,
940 SOFT_CREATE_OBJ_INT, 0, (CK_KEY_TYPE)~0UL)) != CKR_OK) ||
941 ((rv = soft_pin_expired_check(secret_key)) != CKR_OK) ||
942 ((rv = soft_object_write_access_check(sp, secret_key)) != CKR_OK)) {
943
944 free(secret_key);
945 return (rv);
946 }
947
948 /* Set the sensitivity and extractability attributes as a needed */
949 soft_derive_enforce_flags(basekey_p, secret_key);
950
951 /* Initialize the rest of stuffs in soft_object_t. */
952 (void) pthread_mutex_init(&secret_key->object_mutex, NULL);
953 secret_key->magic_marker = SOFTTOKEN_OBJECT_MAGIC;
954
955 /* ... and, if it needs to persist, write on the token */
956 if (IS_TOKEN_OBJECT(secret_key)) {
957 secret_key->session_handle = (CK_SESSION_HANDLE)NULL;
958 soft_add_token_object_to_slot(secret_key);
959 rv = soft_put_object_to_keystore(secret_key);
960 if (rv != CKR_OK) {
961 soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
962 return (rv);
963 }
964 *phKey = (CK_OBJECT_HANDLE)secret_key;
965
966 return (CKR_OK);
967 }
968
969 /* Add the new object to the session's object list. */
970 soft_add_object_to_session(secret_key, sp);
971 secret_key->session_handle = (CK_SESSION_HANDLE)sp;
972
973 *phKey = (CK_OBJECT_HANDLE)secret_key;
974
975 return (rv);
976 }
977
978 /*
979 * Delete the derived key from the session, and, if it's a token object,
980 * remove it from the token.
981 */
982 static void
983 soft_delete_derived_key(soft_session_t *sp, soft_object_t *key)
984 {
985 /* session_handle is the creating session. It's NULL for token objs */
986
987 if (IS_TOKEN_OBJECT(key))
988 soft_delete_token_object(key, B_FALSE, B_FALSE);
989 else
990 soft_delete_object(sp, key, B_FALSE, B_FALSE);
991 }
992
993 /*
994 * soft_ssl_weaken_key()
995 * Reduce the key length to an exportable size.
996 * For SSL3.0:
997 * final_client_write_key = MD5(client_write_key +
998 * ClientHello.random +
999 * ServerHello.random);
1000 * final_server_write_key = MD5(server_write_key +
1001 * ServerHello.random +
1002 * ClientHello.random);
1003 * For TLS1.0:
1004 * final_client_write_key = PRF(SecurityParameters.client_write_key,
1005 * "client write key",
1006 * SecurityParameters.client_random +
1007 * SecurityParameters.server_random)[0..15];
1008 * final_server_write_key = PRF(SecurityParameters.server_write_key,
1009 * "server write key",
1010 * SecurityParameters.client_random +
1011 * SecurityParameters.server_random)[0..15];
1012 */
1013 static void
1014 soft_ssl_weaken_key(CK_MECHANISM_PTR mech, uchar_t *secret, uint_t secretlen,
1015 uchar_t *rand1, uint_t rand1len, uchar_t *rand2, uint_t rand2len,
1016 uchar_t *result, boolean_t isclient)
1017 {
1018 MD5_CTX exp_md5_ctx;
1019 uchar_t *label;
1020 uint_t labellen;
1021
1022 if (mech->mechanism == CKM_SSL3_KEY_AND_MAC_DERIVE) {
1023 MD5Init(&exp_md5_ctx);
1024 MD5Update(&exp_md5_ctx, secret, secretlen);
1025 MD5Update(&exp_md5_ctx, rand1, rand1len);
1026 MD5Update(&exp_md5_ctx, rand2, rand2len);
1027 MD5Final(result, &exp_md5_ctx);
1028 } else {
1029 if (isclient) {
1030 label = TLS_CLIENT_KEY_LABEL;
1031 labellen = TLS_CLIENT_KEY_LABEL_LEN;
1032 soft_tls_prf(secret, secretlen, label, labellen,
1033 rand1, rand1len, rand2, rand2len, result, 16);
1034 } else {
1035 label = TLS_SERVER_KEY_LABEL;
1036 labellen = TLS_SERVER_KEY_LABEL_LEN;
1037 soft_tls_prf(secret, secretlen, label, labellen,
1038 rand2, rand2len, rand1, rand1len, result, 16);
1039 }
1040 }
1041 }
Unleashed OS