search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
9642 PKCS#11 softtoken should use explicit_bzero
[unleashed.git] / usr / src / lib / pkcs11 / pkcs11_softtoken / common / softKeysUtil.c
blobcb06623498879dfce731a4866853aa71a923a0e9
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright (c) 2018, Joyent, Inc.
25 */
26
27 #include <pthread.h>
28 #include <stdlib.h>
29 #include <string.h>
30 #include <strings.h>
31 #include <sys/types.h>
32 #include <security/cryptoki.h>
33 #include <sys/crypto/common.h>
34 #include <aes_impl.h>
35 #include <blowfish_impl.h>
36 #include <des_impl.h>
37 #include <arcfour.h>
38 #include <cryptoutil.h>
39 #include "softGlobal.h"
40 #include "softSession.h"
41 #include "softObject.h"
42 #include "softDSA.h"
43 #include "softRSA.h"
44 #include "softDH.h"
45 #include "softEC.h"
46 #include "softMAC.h"
47 #include "softOps.h"
48 #include "softKeys.h"
49 #include "softKeystore.h"
50 #include "softSSL.h"
51 #include "softASN1.h"
52
53
54 #define local_min(a, b) ((a) < (b) ? (a) : (b))
55
56 static CK_RV
57 soft_pkcs12_pbe(soft_session_t *, CK_MECHANISM_PTR, soft_object_t *);
58
59 /*
60 * Create a temporary key object struct by filling up its template attributes.
61 */
62 CK_RV
63 soft_gen_keyobject(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
64 CK_ULONG *objecthandle_p, soft_session_t *sp,
65 CK_OBJECT_CLASS class, CK_KEY_TYPE key_type, CK_ULONG keylen, CK_ULONG mode,
66 boolean_t internal)
67 {
68
69 CK_RV rv;
70 soft_object_t *new_objp = NULL;
71
72 new_objp = calloc(1, sizeof (soft_object_t));
73 if (new_objp == NULL) {
74 return (CKR_HOST_MEMORY);
75 }
76
77 new_objp->extra_attrlistp = NULL;
78
79 /*
80 * Validate attribute template and fill in the attributes
81 * in the soft_object_t.
82 */
83 rv = soft_build_key(pTemplate, ulCount, new_objp, class, key_type,
84 keylen, mode);
85 if (rv != CKR_OK) {
86 goto fail_cleanup1;
87 }
88
89 /*
90 * If generating a key is an internal request (i.e. not a C_XXX
91 * API request), then skip the following checks.
92 */
93 if (!internal) {
94 rv = soft_pin_expired_check(new_objp);
95 if (rv != CKR_OK) {
96 goto fail_cleanup2;
97 }
98
99 rv = soft_object_write_access_check(sp, new_objp);
100 if (rv != CKR_OK) {
101 goto fail_cleanup2;
102 }
103 }
104
105 /* Initialize the rest of stuffs in soft_object_t. */
106 (void) pthread_mutex_init(&new_objp->object_mutex, NULL);
107 new_objp->magic_marker = SOFTTOKEN_OBJECT_MAGIC;
108
109 /* Write the new token object to the keystore */
110 if (IS_TOKEN_OBJECT(new_objp)) {
111 new_objp->version = 1;
112 new_objp->session_handle = (CK_SESSION_HANDLE)NULL;
113 soft_add_token_object_to_slot(new_objp);
114 /*
115 * Type casting the address of an object struct to
116 * an object handle.
117 */
118 *objecthandle_p = (CK_ULONG)new_objp;
119
120 return (CKR_OK);
121 }
122
123 new_objp->session_handle = (CK_SESSION_HANDLE)sp;
124
125 /* Add the new object to the session's object list. */
126 soft_add_object_to_session(new_objp, sp);
127
128 /* Type casting the address of an object struct to an object handle. */
129 *objecthandle_p = (CK_ULONG)new_objp;
130
131 return (CKR_OK);
132
133 fail_cleanup2:
134 /*
135 * When any error occurs after soft_build_key(), we will need to
136 * clean up the memory allocated by the soft_build_key().
137 */
138 soft_cleanup_object(new_objp);
139
140 fail_cleanup1:
141 if (new_objp) {
142 /*
143 * The storage allocated inside of this object should have
144 * been cleaned up by the soft_build_key() if it failed.
145 * Therefore, we can safely free the object.
146 */
147 free(new_objp);
148 }
149
150 return (rv);
151 }
152
153 CK_RV
154 soft_genkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
155 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey)
156 {
157
158 CK_RV rv = CKR_OK;
159 soft_object_t *secret_key;
160 CK_KEY_TYPE key_type;
161 CK_ULONG keylen = 0;
162 CK_ULONG i;
163 int des_strength = 0;
164 int retry = 0;
165 int keyfound = 0;
166 boolean_t is_ssl_mech = B_FALSE;
167
168 switch (pMechanism->mechanism) {
169 case CKM_DES_KEY_GEN:
170 key_type = CKK_DES;
171 break;
172
173 case CKM_DES2_KEY_GEN:
174 key_type = CKK_DES2;
175 break;
176
177 case CKM_DES3_KEY_GEN:
178 key_type = CKK_DES3;
179 break;
180
181 case CKM_AES_KEY_GEN:
182 key_type = CKK_AES;
183 break;
184
185 case CKM_BLOWFISH_KEY_GEN:
186 key_type = CKK_BLOWFISH;
187 break;
188
189 case CKM_RC4_KEY_GEN:
190 key_type = CKK_RC4;
191 break;
192
193 case CKM_SSL3_PRE_MASTER_KEY_GEN:
194 case CKM_TLS_PRE_MASTER_KEY_GEN:
195 if (pMechanism->pParameter == NULL ||
196 pMechanism->ulParameterLen != sizeof (CK_VERSION))
197 return (CKR_TEMPLATE_INCOMPLETE);
198 is_ssl_mech = B_TRUE;
199 key_type = CKK_GENERIC_SECRET;
200 keylen = 48;
201 break;
202
203 case CKM_PKCS5_PBKD2:
204 keyfound = 0;
205 for (i = 0; i < ulCount && !keyfound; i++) {
206 if (pTemplate[i].type == CKA_KEY_TYPE &&
207 pTemplate[i].pValue != NULL) {
208 key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue);
209 keyfound = 1;
210 }
211 }
212 if (!keyfound)
213 return (CKR_TEMPLATE_INCOMPLETE);
214 /*
215 * Make sure that parameters were given for this
216 * mechanism.
217 */
218 if (pMechanism->pParameter == NULL ||
219 pMechanism->ulParameterLen !=
220 sizeof (CK_PKCS5_PBKD2_PARAMS))
221 return (CKR_TEMPLATE_INCOMPLETE);
222 break;
223
224 case CKM_PBE_SHA1_RC4_128:
225 keyfound = 0;
226 for (i = 0; i < ulCount; i++) {
227 if (pTemplate[i].type == CKA_KEY_TYPE &&
228 pTemplate[i].pValue != NULL) {
229 key_type = *((CK_KEY_TYPE*)pTemplate[i].pValue);
230 keyfound = 1;
231 }
232 if (pTemplate[i].type == CKA_VALUE_LEN &&
233 pTemplate[i].pValue != NULL) {
234 keylen = *((CK_ULONG*)pTemplate[i].pValue);
235 }
236 }
237 /* If a keytype was specified, it had better be CKK_RC4 */
238 if (keyfound && key_type != CKK_RC4)
239 return (CKR_TEMPLATE_INCONSISTENT);
240 else if (!keyfound)
241 key_type = CKK_RC4;
242
243 /* If key length was specified, it better be 16 bytes */
244 if (keylen != 0 && keylen != 16)
245 return (CKR_TEMPLATE_INCONSISTENT);
246
247 /*
248 * Make sure that parameters were given for this
249 * mechanism.
250 */
251 if (pMechanism->pParameter == NULL ||
252 pMechanism->ulParameterLen !=
253 sizeof (CK_PBE_PARAMS))
254 return (CKR_TEMPLATE_INCOMPLETE);
255 break;
256 default:
257 return (CKR_MECHANISM_INVALID);
258 }
259
260 /* Create a new object for secret key. */
261 rv = soft_gen_keyobject(pTemplate, ulCount, phKey, session_p,
262 CKO_SECRET_KEY, key_type, keylen, SOFT_GEN_KEY, B_FALSE);
263
264 if (rv != CKR_OK) {
265 return (rv);
266 }
267
268 /* Obtain the secret object pointer. */
269 secret_key = (soft_object_t *)*phKey;
270
271 switch (pMechanism->mechanism) {
272 case CKM_DES_KEY_GEN:
273 /*
274 * Set up key value len since it is not a required
275 * attribute for C_GenerateKey.
276 */
277 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
278 des_strength = DES;
279 break;
280
281 case CKM_DES2_KEY_GEN:
282 /*
283 * Set up key value len since it is not a required
284 * attribute for C_GenerateKey.
285 */
286 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES2_KEYSIZE;
287 des_strength = DES2;
288 break;
289
290 case CKM_DES3_KEY_GEN:
291 /*
292 * Set up key value len since it is not a required
293 * attribute for C_GenerateKey.
294 */
295 keylen = OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE;
296 des_strength = DES3;
297 break;
298
299 case CKM_SSL3_PRE_MASTER_KEY_GEN:
300 case CKM_TLS_PRE_MASTER_KEY_GEN:
301 secret_key->bool_attr_mask |= DERIVE_BOOL_ON;
302 /* FALLTHRU */
303
304 case CKM_AES_KEY_GEN:
305 case CKM_BLOWFISH_KEY_GEN:
306 case CKM_PBE_SHA1_RC4_128:
307 case CKM_RC4_KEY_GEN:
308 keylen = OBJ_SEC_VALUE_LEN(secret_key);
309 break;
310
311 case CKM_PKCS5_PBKD2:
312 /*
313 * PKCS#11 does not allow one to specify key
314 * sizes for DES and 3DES, so we must set it here
315 * when using PBKD2 algorithms.
316 */
317 if (key_type == CKK_DES) {
318 OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
319 des_strength = DES;
320 } else if (key_type == CKK_DES3) {
321 OBJ_SEC_VALUE_LEN(secret_key) = DES3_KEYSIZE;
322 des_strength = DES3;
323 }
324
325 keylen = OBJ_SEC_VALUE_LEN(secret_key);
326 break;
327 }
328
329 if ((OBJ_SEC_VALUE(secret_key) = malloc(keylen)) == NULL) {
330 if (IS_TOKEN_OBJECT(secret_key))
331 soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
332 else
333 soft_delete_object(session_p, secret_key,
334 B_FALSE, B_FALSE);
335
336 return (CKR_HOST_MEMORY);
337 }
338 switch (pMechanism->mechanism) {
339 case CKM_PBE_SHA1_RC4_128:
340 /*
341 * Use the PBE algorithm described in PKCS#11 section
342 * 12.33 to derive the key.
343 */
344 rv = soft_pkcs12_pbe(session_p, pMechanism, secret_key);
345 break;
346 case CKM_PKCS5_PBKD2:
347 /* Generate keys using PKCS#5 PBKD2 algorithm */
348 rv = soft_generate_pkcs5_pbkdf2_key(session_p, pMechanism,
349 secret_key);
350 if (rv == CKR_OK && des_strength > 0) {
351 /* Perform weak key checking for DES and DES3. */
352 if (des_keycheck(OBJ_SEC_VALUE(secret_key),
353 des_strength, OBJ_SEC_VALUE(secret_key)) ==
354 B_FALSE) {
355 /* We got a weak secret key. */
356 rv = CKR_FUNCTION_FAILED;
357 }
358 }
359 break;
360 default:
361 do {
362 /* If this fails, bail out */
363 rv = CKR_OK;
364 if (pkcs11_get_urandom(
365 OBJ_SEC_VALUE(secret_key), keylen) < 0) {
366 rv = CKR_DEVICE_ERROR;
367 break;
368 }
369
370 /* Perform weak key checking for DES and DES3. */
371 if (des_strength > 0) {
372 rv = CKR_OK;
373 if (des_keycheck(OBJ_SEC_VALUE(secret_key),
374 des_strength, OBJ_SEC_VALUE(secret_key)) ==
375 B_FALSE) {
376 /* We got a weak key, retry! */
377 retry++;
378 rv = CKR_FUNCTION_FAILED;
379 }
380 }
381 /*
382 * Copy over the SSL client version For SSL mechs
383 * The first two bytes of the key is the version
384 */
385 if (is_ssl_mech)
386 bcopy(pMechanism->pParameter,
387 OBJ_SEC_VALUE(secret_key),
388 sizeof (CK_VERSION));
389
390 } while (rv != CKR_OK && retry < KEYGEN_RETRY);
391 if (retry == KEYGEN_RETRY)
392 rv = CKR_FUNCTION_FAILED;
393 break;
394 }
395
396 if (rv != CKR_OK)
397 if (IS_TOKEN_OBJECT(secret_key))
398 soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
399 else
400 soft_delete_object(session_p, secret_key,
401 B_FALSE, B_FALSE);
402
403 if (IS_TOKEN_OBJECT(secret_key)) {
404 /*
405 * All the info has been filled, so we can write to
406 * keystore now.
407 */
408 rv = soft_put_object_to_keystore(secret_key);
409 if (rv != CKR_OK)
410 soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
411 }
412
413 return (rv);
414 }
415
416 CK_RV
417 soft_genkey_pair(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
418 CK_ATTRIBUTE_PTR pPublicKeyTemplate, CK_ULONG ulPublicAttrCount,
419 CK_ATTRIBUTE_PTR pPrivateKeyTemplate, CK_ULONG ulPrivateAttrCount,
420 CK_OBJECT_HANDLE_PTR phPublicKey, CK_OBJECT_HANDLE_PTR phPrivateKey)
421 {
422
423 CK_RV rv;
424 soft_object_t *public_key, *private_key;
425 CK_KEY_TYPE key_type;
426
427 switch (pMechanism->mechanism) {
428
429 case CKM_RSA_PKCS_KEY_PAIR_GEN:
430 key_type = CKK_RSA;
431 break;
432
433 case CKM_DSA_KEY_PAIR_GEN:
434 key_type = CKK_DSA;
435 break;
436
437 case CKM_DH_PKCS_KEY_PAIR_GEN:
438 key_type = CKK_DH;
439 break;
440
441 case CKM_EC_KEY_PAIR_GEN:
442 key_type = CKK_EC;
443 break;
444
445 default:
446 return (CKR_MECHANISM_INVALID);
447 }
448
449 /* Create a new object for public key. */
450 rv = soft_gen_keyobject(pPublicKeyTemplate, ulPublicAttrCount,
451 phPublicKey, session_p, CKO_PUBLIC_KEY, key_type, 0,
452 SOFT_GEN_KEY, B_FALSE);
453
454 if (rv != CKR_OK) {
455 return (rv);
456 }
457
458 /* Obtain the public object pointer. */
459 public_key = (soft_object_t *)*phPublicKey;
460
461 /* Create a new object for private key. */
462 rv = soft_gen_keyobject(pPrivateKeyTemplate, ulPrivateAttrCount,
463 phPrivateKey, session_p, CKO_PRIVATE_KEY, key_type, 0,
464 SOFT_GEN_KEY, B_FALSE);
465
466 if (rv != CKR_OK) {
467 /*
468 * Both public key and private key must be successful.
469 */
470 if (IS_TOKEN_OBJECT(public_key))
471 soft_delete_token_object(public_key, B_FALSE, B_FALSE);
472 else
473 soft_delete_object(session_p, public_key,
474 B_FALSE, B_FALSE);
475 return (rv);
476 }
477
478 /* Obtain the private object pointer. */
479 private_key = (soft_object_t *)*phPrivateKey;
480
481 /*
482 * At this point, both public key and private key objects
483 * are settled with the application specified attributes.
484 * We are ready to generate the rest of key attributes based
485 * on the existing attributes.
486 */
487
488 switch (key_type) {
489 case CKK_RSA:
490 rv = soft_rsa_genkey_pair(public_key, private_key);
491 break;
492
493 case CKK_DSA:
494 rv = soft_dsa_genkey_pair(public_key, private_key);
495 break;
496
497 case CKK_DH:
498 rv = soft_dh_genkey_pair(public_key, private_key);
499 private_key->bool_attr_mask |= DERIVE_BOOL_ON;
500 break;
501 case CKK_EC:
502 rv = soft_ec_genkey_pair(public_key, private_key);
503 private_key->bool_attr_mask |= DERIVE_BOOL_ON;
504 break;
505 }
506
507 if (rv != CKR_OK) {
508 if (IS_TOKEN_OBJECT(public_key)) {
509 soft_delete_token_object(public_key, B_FALSE, B_FALSE);
510 soft_delete_token_object(private_key, B_FALSE, B_FALSE);
511 } else {
512 soft_delete_object(session_p, public_key,
513 B_FALSE, B_FALSE);
514 soft_delete_object(session_p, private_key,
515 B_FALSE, B_FALSE);
516 }
517 return (rv);
518 }
519
520 if (IS_TOKEN_OBJECT(public_key)) {
521 /*
522 * All the info has been filled, so we can write to
523 * keystore now.
524 */
525 rv = soft_put_object_to_keystore(public_key);
526 if (rv != CKR_OK) {
527 soft_delete_token_object(public_key, B_FALSE, B_FALSE);
528 soft_delete_token_object(private_key, B_FALSE, B_FALSE);
529 return (rv);
530 }
531 }
532
533 if (IS_TOKEN_OBJECT(private_key)) {
534 rv = soft_put_object_to_keystore(private_key);
535 if (rv != CKR_OK) {
536 /*
537 * We also need to delete the public token object
538 * from keystore.
539 */
540 soft_delete_token_object(public_key, B_TRUE, B_FALSE);
541 soft_delete_token_object(private_key, B_FALSE, B_FALSE);
542 }
543 }
544
545 return (rv);
546 }
547
548
549 CK_RV
550 soft_key_derive_check_length(soft_object_t *secret_key, CK_ULONG max_keylen)
551 {
552
553 switch (secret_key->key_type) {
554 case CKK_GENERIC_SECRET:
555 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
556 OBJ_SEC_VALUE_LEN(secret_key) = max_keylen;
557 return (CKR_OK);
558 } else if (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen) {
559 return (CKR_ATTRIBUTE_VALUE_INVALID);
560 }
561 break;
562 case CKK_RC4:
563 case CKK_AES:
564 case CKK_BLOWFISH:
565 if ((OBJ_SEC_VALUE_LEN(secret_key) == 0) ||
566 (OBJ_SEC_VALUE_LEN(secret_key) > max_keylen)) {
567 /* RC4 and AES has variable key length */
568 return (CKR_ATTRIBUTE_VALUE_INVALID);
569 }
570 break;
571 case CKK_DES:
572 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
573 /* DES has a well-defined length */
574 OBJ_SEC_VALUE_LEN(secret_key) = DES_KEYSIZE;
575 return (CKR_OK);
576 } else if (OBJ_SEC_VALUE_LEN(secret_key) != DES_KEYSIZE) {
577 return (CKR_ATTRIBUTE_VALUE_INVALID);
578 }
579 break;
580 case CKK_DES2:
581 if (OBJ_SEC_VALUE_LEN(secret_key) == 0) {
582 /* DES2 has a well-defined length */
583 OBJ_SEC_VALUE_LEN(secret_key) = DES2_KEYSIZE;
584 return (CKR_OK);
585 } else if (OBJ_SEC_VALUE_LEN(secret_key) != DES2_KEYSIZE) {
586 return (CKR_ATTRIBUTE_VALUE_INVALID);
587 }
588 break;
589
590 default:
591 return (CKR_MECHANISM_INVALID);
592 }
593
594 return (CKR_OK);
595 }
596
597 /*
598 * PKCS#11 (12.33) says that v = 512 bits (64 bytes) for SHA1
599 * PBE methods.
600 */
601 #define PKCS12_BUFFER_SIZE 64
602 /*
603 * PKCS#12 defines 3 different ID bytes to be used for
604 * deriving keys for different operations.
605 */
606 #define PBE_ID_ENCRYPT 1
607 #define PBE_ID_IV 2
608 #define PBE_ID_MAC 3
609 #define PBE_CEIL(a, b) (((a)/(b)) + (((a)%(b)) > 0))
610
611 static CK_RV
612 soft_pkcs12_pbe(soft_session_t *session_p,
613 CK_MECHANISM_PTR pMechanism, soft_object_t *derived_key)
614 {
615 CK_RV rv = CKR_OK;
616 CK_PBE_PARAMS *params = pMechanism->pParameter;
617 CK_ULONG c, i, j, k;
618 CK_ULONG hashSize;
619 CK_ULONG buffSize;
620 /*
621 * Terse variable names are used to make following
622 * the PKCS#12 spec easier.
623 */
624 CK_BYTE *A = NULL;
625 CK_BYTE *Ai = NULL;
626 CK_BYTE *B = NULL;
627 CK_BYTE *D = NULL;
628 CK_BYTE *I = NULL, *S, *P;
629 CK_BYTE *keybuf = NULL;
630 CK_ULONG Alen, Ilen, Slen, Plen, AiLen, Blen, Dlen;
631 CK_ULONG keysize = OBJ_SEC_VALUE_LEN(derived_key);
632 CK_MECHANISM digest_mech;
633
634 /* U = hash function output bits */
635 if (pMechanism->mechanism == CKM_PBE_SHA1_RC4_128) {
636 hashSize = SHA1_HASH_SIZE;
637 buffSize = PKCS12_BUFFER_SIZE;
638 digest_mech.mechanism = CKM_SHA_1;
639 digest_mech.pParameter = NULL;
640 digest_mech.ulParameterLen = 0;
641 } else {
642 /* we only support 1 PBE mech for now */
643 return (CKR_MECHANISM_INVALID);
644 }
645 keybuf = OBJ_SEC_VALUE(derived_key);
646
647 Blen = Dlen = buffSize;
648 D = (CK_BYTE *)malloc(Dlen);
649 if (D == NULL) {
650 rv = CKR_HOST_MEMORY;
651 goto cleanup;
652 }
653
654 B = (CK_BYTE *)malloc(Blen);
655 if (B == NULL) {
656 rv = CKR_HOST_MEMORY;
657 goto cleanup;
658 }
659
660 /*
661 * Initialize some values and create some buffers
662 * that we need later.
663 *
664 * Slen = buffSize * CEIL(SaltLength/buffSize)
665 */
666 Slen = buffSize * PBE_CEIL(params->ulSaltLen, buffSize);
667
668 /*
669 * Plen = buffSize * CEIL(PasswordLength/buffSize)
670 */
671 Plen = buffSize * PBE_CEIL(params->ulPasswordLen, buffSize);
672
673 /*
674 * From step 4: I = S + P, so: Ilen = Slen + Plen
675 */
676 Ilen = Slen + Plen;
677 I = (CK_BYTE *)malloc(Ilen);
678 if (I == NULL) {
679 rv = CKR_HOST_MEMORY;
680 goto cleanup;
681 }
682
683 S = I;
684 P = I + Slen;
685
686 /*
687 * Step 1.
688 * We are only interested in deriving keys for encrypt/decrypt
689 * for now, so construct the "D"iversifier accordingly.
690 */
691 (void) memset(D, PBE_ID_ENCRYPT, Dlen);
692
693 /*
694 * Step 2.
695 * Concatenate copies of the salt together to make S.
696 */
697 for (i = 0; i < Slen; i += params->ulSaltLen) {
698 (void) memcpy(S+i, params->pSalt,
699 ((Slen - i) > params->ulSaltLen ?
700 params->ulSaltLen : (Slen - i)));
701 }
702
703 /*
704 * Step 3.
705 * Concatenate copies of the password together to make
706 * a string P.
707 */
708 for (i = 0; i < Plen; i += params->ulPasswordLen) {
709 (void) memcpy(P+i, params->pPassword,
710 ((Plen - i) > params->ulPasswordLen ?
711 params->ulPasswordLen : (Plen - i)));
712 }
713
714 /*
715 * Step 4.
716 * I = S+P - this is now done because S and P are
717 * pointers into I.
718 *
719 * Step 5.
720 * c= CEIL[n/u]
721 * where n = pseudorandom bits of output desired.
722 */
723 c = PBE_CEIL(keysize, hashSize);
724
725 /*
726 * Step 6.
727 */
728 Alen = c * hashSize;
729 A = (CK_BYTE *)malloc(Alen);
730 if (A == NULL) {
731 rv = CKR_HOST_MEMORY;
732 goto cleanup;
733 }
734 AiLen = hashSize;
735 Ai = (CK_BYTE *)malloc(AiLen);
736 if (Ai == NULL) {
737 rv = CKR_HOST_MEMORY;
738 goto cleanup;
739 }
740
741 /*
742 * Step 6a.
743 * Ai = Hr(D+I)
744 */
745 for (i = 0; i < c; i++) {
746 (void) pthread_mutex_lock(&session_p->session_mutex);
747
748 if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) {
749 (void) pthread_mutex_unlock(&session_p->session_mutex);
750 rv = CKR_OPERATION_ACTIVE;
751 goto cleanup;
752 }
753 session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE;
754 (void) pthread_mutex_unlock(&session_p->session_mutex);
755
756 for (j = 0; j < params->ulIteration; j++) {
757 rv = soft_digest_init(session_p, &digest_mech);
758 if (rv != CKR_OK)
759 goto digest_done;
760
761 if (j == 0) {
762 rv = soft_digest_update(session_p, D, Dlen);
763 if (rv != CKR_OK)
764 goto digest_done;
765
766 rv = soft_digest_update(session_p, I, Ilen);
767 } else {
768 rv = soft_digest_update(session_p, Ai, AiLen);
769 }
770 if (rv != CKR_OK)
771 goto digest_done;
772
773 rv = soft_digest_final(session_p, Ai, &AiLen);
774 if (rv != CKR_OK)
775 goto digest_done;
776 }
777 digest_done:
778 (void) pthread_mutex_lock(&session_p->session_mutex);
779 session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE;
780 (void) pthread_mutex_unlock(&session_p->session_mutex);
781
782 if (rv != CKR_OK)
783 goto cleanup;
784 /*
785 * Step 6b.
786 * Concatenate Ai to make B
787 */
788 for (j = 0; j < Blen; j += hashSize) {
789 (void) memcpy(B+j, Ai, ((Blen - j > hashSize) ?
790 hashSize : Blen - j));
791 }
792
793 /*
794 * Step 6c.
795 */
796 k = Ilen / Blen;
797 for (j = 0; j < k; j++) {
798 uchar_t idx;
799 CK_ULONG m, q = 1, cbit = 0;
800
801 for (m = Blen - 1; m >= (CK_ULONG)0; m--, q = 0) {
802 idx = m + j*Blen;
803
804 q += (CK_ULONG)I[idx] + (CK_ULONG)B[m];
805 q += cbit;
806 I[idx] = (CK_BYTE)(q & 0xff);
807 cbit = (q > 0xff);
808 }
809 }
810
811 /*
812 * Step 7.
813 * A += Ai
814 */
815 (void) memcpy(A + i*hashSize, Ai, AiLen);
816 }
817
818 /*
819 * Step 8.
820 * The final output of this process is the A buffer
821 */
822 (void) memcpy(keybuf, A, keysize);
823
824 cleanup:
825 freezero(A, Alen);
826 freezero(Ai, AiLen);
827 freezero(B, Blen);
828 freezero(D, Dlen);
829 freezero(I, Ilen);
830 return (rv);
831 }
832
833 CK_RV
834 soft_derivekey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
835 soft_object_t *basekey_p, CK_ATTRIBUTE_PTR pTemplate,
836 CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey)
837 {
838
839 CK_RV rv = CKR_OK;
840 soft_object_t *secret_key;
841 CK_MECHANISM digest_mech;
842 CK_BYTE hash[SHA512_DIGEST_LENGTH]; /* space enough for all mechs */
843 CK_ULONG hash_len = SHA512_DIGEST_LENGTH;
844 CK_ULONG secret_key_len;
845 CK_ULONG hash_size;
846
847 switch (pMechanism->mechanism) {
848 case CKM_DH_PKCS_DERIVE:
849 /*
850 * Create a new object for secret key. The key type should
851 * be provided in the template.
852 */
853 rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
854 phKey, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL, 0,
855 SOFT_DERIVE_KEY_DH, B_FALSE);
856
857 if (rv != CKR_OK) {
858 return (rv);
859 }
860
861 /* Obtain the secret object pointer. */
862 secret_key = (soft_object_t *)*phKey;
863
864 rv = soft_dh_key_derive(basekey_p, secret_key,
865 (CK_BYTE *)pMechanism->pParameter,
866 pMechanism->ulParameterLen);
867
868 if (rv != CKR_OK) {
869 if (IS_TOKEN_OBJECT(secret_key))
870 soft_delete_token_object(secret_key, B_FALSE,
871 B_FALSE);
872 else
873 soft_delete_object(session_p, secret_key,
874 B_FALSE, B_FALSE);
875 return (rv);
876 }
877
878 break;
879
880 case CKM_ECDH1_DERIVE:
881 /*
882 * Create a new object for secret key. The key type should
883 * be provided in the template.
884 */
885 rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
886 phKey, session_p, CKO_SECRET_KEY, (CK_KEY_TYPE)~0UL, 0,
887 SOFT_DERIVE_KEY_DH, B_FALSE);
888
889 if (rv != CKR_OK) {
890 return (rv);
891 }
892
893 /* Obtain the secret object pointer. */
894 secret_key = (soft_object_t *)*phKey;
895
896 rv = soft_ec_key_derive(basekey_p, secret_key,
897 (CK_BYTE *)pMechanism->pParameter,
898 pMechanism->ulParameterLen);
899
900 if (rv != CKR_OK) {
901 if (IS_TOKEN_OBJECT(secret_key))
902 soft_delete_token_object(secret_key, B_FALSE,
903 B_FALSE);
904 else
905 soft_delete_object(session_p, secret_key,
906 B_FALSE, B_FALSE);
907 return (rv);
908 }
909
910 break;
911
912 case CKM_SHA1_KEY_DERIVATION:
913 hash_size = SHA1_HASH_SIZE;
914 digest_mech.mechanism = CKM_SHA_1;
915 goto common;
916
917 case CKM_MD5_KEY_DERIVATION:
918 hash_size = MD5_HASH_SIZE;
919 digest_mech.mechanism = CKM_MD5;
920 goto common;
921
922 case CKM_SHA256_KEY_DERIVATION:
923 hash_size = SHA256_DIGEST_LENGTH;
924 digest_mech.mechanism = CKM_SHA256;
925 goto common;
926
927 case CKM_SHA384_KEY_DERIVATION:
928 hash_size = SHA384_DIGEST_LENGTH;
929 digest_mech.mechanism = CKM_SHA384;
930 goto common;
931
932 case CKM_SHA512_KEY_DERIVATION:
933 hash_size = SHA512_DIGEST_LENGTH;
934 digest_mech.mechanism = CKM_SHA512;
935 goto common;
936
937 common:
938 /*
939 * Create a new object for secret key. The key type is optional
940 * to be provided in the template. If it is not specified in
941 * the template, the default is CKK_GENERIC_SECRET.
942 */
943 rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
944 phKey, session_p, CKO_SECRET_KEY,
945 (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0,
946 SOFT_DERIVE_KEY_OTHER, B_FALSE);
947
948 if (rv != CKR_OK) {
949 return (rv);
950 }
951
952 /* Obtain the secret object pointer. */
953 secret_key = (soft_object_t *)*phKey;
954
955 /* Validate the key type and key length */
956 rv = soft_key_derive_check_length(secret_key, hash_size);
957 if (rv != CKR_OK) {
958 if (IS_TOKEN_OBJECT(secret_key))
959 soft_delete_token_object(secret_key, B_FALSE,
960 B_FALSE);
961 else
962 soft_delete_object(session_p, secret_key,
963 B_FALSE, B_FALSE);
964 return (rv);
965 }
966
967 /*
968 * Derive the secret key by digesting the value of another
969 * secret key (base key) with SHA-1 or MD5.
970 */
971 rv = soft_digest_init_internal(session_p, &digest_mech);
972 if (rv != CKR_OK) {
973 if (IS_TOKEN_OBJECT(secret_key))
974 soft_delete_token_object(secret_key, B_FALSE,
975 B_FALSE);
976 else
977 soft_delete_object(session_p, secret_key,
978 B_FALSE, B_FALSE);
979 return (rv);
980 }
981
982 rv = soft_digest(session_p, OBJ_SEC_VALUE(basekey_p),
983 OBJ_SEC_VALUE_LEN(basekey_p), hash, &hash_len);
984
985 (void) pthread_mutex_lock(&session_p->session_mutex);
986 /* soft_digest_common() has freed the digest context */
987 session_p->digest.flags = 0;
988 (void) pthread_mutex_unlock(&session_p->session_mutex);
989
990 if (rv != CKR_OK) {
991 if (IS_TOKEN_OBJECT(secret_key))
992 soft_delete_token_object(secret_key, B_FALSE,
993 B_FALSE);
994 else
995 soft_delete_object(session_p, secret_key,
996 B_FALSE, B_FALSE);
997 return (rv);
998 }
999
1000 secret_key_len = OBJ_SEC_VALUE_LEN(secret_key);
1001
1002 if ((OBJ_SEC_VALUE(secret_key) = malloc(secret_key_len)) ==
1003 NULL) {
1004 if (IS_TOKEN_OBJECT(secret_key))
1005 soft_delete_token_object(secret_key, B_FALSE,
1006 B_FALSE);
1007 else
1008 soft_delete_object(session_p, secret_key,
1009 B_FALSE, B_FALSE);
1010 return (CKR_HOST_MEMORY);
1011 }
1012
1013 /*
1014 * The key produced by this mechanism will be of the
1015 * specified type and length.
1016 * The truncation removes extra bytes from the leading
1017 * of the digested key value.
1018 */
1019 (void) memcpy(OBJ_SEC_VALUE(secret_key),
1020 (hash + hash_len - secret_key_len),
1021 secret_key_len);
1022
1023 break;
1024
1025 /*
1026 * The key sensitivity and extractability rules for the generated
1027 * keys will be enforced inside soft_ssl_master_key_derive() and
1028 * soft_ssl_key_and_mac_derive()
1029 */
1030 case CKM_SSL3_MASTER_KEY_DERIVE:
1031 case CKM_SSL3_MASTER_KEY_DERIVE_DH:
1032 case CKM_TLS_MASTER_KEY_DERIVE:
1033 case CKM_TLS_MASTER_KEY_DERIVE_DH:
1034 if (phKey == NULL_PTR)
1035 return (CKR_ARGUMENTS_BAD);
1036 return (soft_ssl_master_key_derive(session_p, pMechanism,
1037 basekey_p, pTemplate, ulAttributeCount, phKey));
1038
1039 case CKM_SSL3_KEY_AND_MAC_DERIVE:
1040 case CKM_TLS_KEY_AND_MAC_DERIVE:
1041 return (soft_ssl_key_and_mac_derive(session_p, pMechanism,
1042 basekey_p, pTemplate, ulAttributeCount));
1043
1044 case CKM_TLS_PRF:
1045 if (pMechanism->pParameter == NULL ||
1046 pMechanism->ulParameterLen != sizeof (CK_TLS_PRF_PARAMS) ||
1047 phKey != NULL)
1048 return (CKR_ARGUMENTS_BAD);
1049
1050 if (pTemplate != NULL)
1051 return (CKR_TEMPLATE_INCONSISTENT);
1052
1053 return (derive_tls_prf(
1054 (CK_TLS_PRF_PARAMS_PTR)pMechanism->pParameter, basekey_p));
1055
1056 default:
1057 return (CKR_MECHANISM_INVALID);
1058 }
1059
1060 soft_derive_enforce_flags(basekey_p, secret_key);
1061
1062 if (IS_TOKEN_OBJECT(secret_key)) {
1063 /*
1064 * All the info has been filled, so we can write to
1065 * keystore now.
1066 */
1067 rv = soft_put_object_to_keystore(secret_key);
1068 if (rv != CKR_OK)
1069 soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
1070 }
1071
1072 return (rv);
1073 }
1074
1075
1076 /*
1077 * Perform key derivation rules on key's sensitivity and extractability.
1078 */
1079 void
1080 soft_derive_enforce_flags(soft_object_t *basekey, soft_object_t *newkey)
1081 {
1082
1083 boolean_t new_sensitive = B_FALSE;
1084 boolean_t new_extractable = B_FALSE;
1085
1086 /*
1087 * The sensitive and extractable bits have been set when
1088 * the newkey was built.
1089 */
1090 if (newkey->bool_attr_mask & SENSITIVE_BOOL_ON) {
1091 new_sensitive = B_TRUE;
1092 }
1093
1094 if (newkey->bool_attr_mask & EXTRACTABLE_BOOL_ON) {
1095 new_extractable = B_TRUE;
1096 }
1097
1098 /* Derive the CKA_ALWAYS_SENSITIVE flag */
1099 if (!basekey->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON) {
1100 /*
1101 * If the base key has its CKA_ALWAYS_SENSITIVE set to
1102 * FALSE, then the derived key will as well.
1103 */
1104 newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON;
1105 } else {
1106 /*
1107 * If the base key has its CKA_ALWAYS_SENSITIVE set to TRUE,
1108 * then the derived key has the CKA_ALWAYS_SENSITIVE set to
1109 * the same value as its CKA_SENSITIVE;
1110 */
1111 if (new_sensitive) {
1112 newkey->bool_attr_mask |= ALWAYS_SENSITIVE_BOOL_ON;
1113 } else {
1114 newkey->bool_attr_mask &= ~ALWAYS_SENSITIVE_BOOL_ON;
1115 }
1116 }
1117
1118 /* Derive the CKA_NEVER_EXTRACTABLE flag */
1119 if (!basekey->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) {
1120 /*
1121 * If the base key has its CKA_NEVER_EXTRACTABLE set to
1122 * FALSE, then the derived key will as well.
1123 */
1124 newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON;
1125 } else {
1126 /*
1127 * If the base key has its CKA_NEVER_EXTRACTABLE set to TRUE,
1128 * then the derived key has the CKA_NEVER_EXTRACTABLE set to
1129 * the opposite value from its CKA_EXTRACTABLE;
1130 */
1131 if (new_extractable) {
1132 newkey->bool_attr_mask &= ~NEVER_EXTRACTABLE_BOOL_ON;
1133 } else {
1134 newkey->bool_attr_mask |= NEVER_EXTRACTABLE_BOOL_ON;
1135 }
1136 }
1137
1138 /* Set the CKA_LOCAL flag to false */
1139 newkey->bool_attr_mask &= ~LOCAL_BOOL_ON;
1140 }
1141
1142
1143 /*
1144 * do_prf
1145 *
1146 * This routine implements Step 3. of the PBKDF2 function
1147 * defined in PKCS#5 for generating derived keys from a
1148 * password.
1149 *
1150 * Currently, PRF is always SHA_1_HMAC.
1151 */
1152 static CK_RV
1153 do_prf(soft_session_t *session_p, CK_PKCS5_PBKD2_PARAMS_PTR params,
1154 soft_object_t *hmac_key, CK_BYTE *newsalt, CK_ULONG saltlen,
1155 CK_BYTE *blockdata, CK_ULONG blocklen)
1156 {
1157 CK_RV rv = CKR_OK;
1158 CK_MECHANISM digest_mech = {CKM_SHA_1_HMAC, NULL, 0};
1159 CK_BYTE buffer[2][SHA1_HASH_SIZE];
1160 CK_ULONG hmac_outlen = SHA1_HASH_SIZE;
1161 CK_ULONG inlen;
1162 CK_BYTE *input, *output;
1163 CK_ULONG i, j;
1164
1165 input = newsalt;
1166 inlen = saltlen;
1167
1168 output = buffer[1];
1169 (void) pthread_mutex_lock(&session_p->session_mutex);
1170
1171 if (session_p->sign.flags & CRYPTO_OPERATION_ACTIVE) {
1172 (void) pthread_mutex_unlock(&session_p->session_mutex);
1173 return (CKR_OPERATION_ACTIVE);
1174 }
1175 session_p->sign.flags |= CRYPTO_OPERATION_ACTIVE;
1176 (void) pthread_mutex_unlock(&session_p->session_mutex);
1177
1178 for (i = 0; i < params->iterations; i++) {
1179 /*
1180 * The key doesn't change, its always the
1181 * password iniitally given.
1182 */
1183 rv = soft_sign_init(session_p, &digest_mech, hmac_key);
1184
1185 if (rv != CKR_OK) {
1186 goto cleanup;
1187 }
1188
1189 /* Call PRF function (SHA1_HMAC for now). */
1190 rv = soft_sign(session_p, input, inlen, output, &hmac_outlen);
1191
1192 if (rv != CKR_OK) {
1193 goto cleanup;
1194 }
1195 /*
1196 * The first time, initialize the output buffer
1197 * with the HMAC signature.
1198 */
1199 if (i == 0) {
1200 (void) memcpy(blockdata, output,
1201 local_min(blocklen, hmac_outlen));
1202 } else {
1203 /*
1204 * XOR the existing data with output from PRF.
1205 *
1206 * Only XOR up to the length of the blockdata,
1207 * it may be less than a full hmac buffer when
1208 * the final block is being computed.
1209 */
1210 for (j = 0; j < hmac_outlen && j < blocklen; j++)
1211 blockdata[j] ^= output[j];
1212 }
1213 /* Output from previous PRF is input for next round */
1214 input = output;
1215 inlen = hmac_outlen;
1216
1217 /*
1218 * Switch buffers to avoid overuse of memcpy.
1219 * Initially we used buffer[1], so after the end of
1220 * the first iteration (i==0), we switch to buffer[0]
1221 * and continue swapping with each iteration.
1222 */
1223 output = buffer[i%2];
1224 }
1225 cleanup:
1226 (void) pthread_mutex_lock(&session_p->session_mutex);
1227 session_p->sign.flags &= ~CRYPTO_OPERATION_ACTIVE;
1228 (void) pthread_mutex_unlock(&session_p->session_mutex);
1229
1230 return (rv);
1231 }
1232
1233 static CK_RV
1234 soft_create_hmac_key(soft_session_t *session_p, CK_BYTE *passwd,
1235 CK_ULONG passwd_len, CK_OBJECT_HANDLE_PTR phKey)
1236 {
1237 CK_RV rv = CKR_OK;
1238 CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY;
1239 CK_KEY_TYPE keytype = CKK_GENERIC_SECRET;
1240 CK_BBOOL True = TRUE;
1241 CK_ATTRIBUTE keytemplate[4];
1242 /*
1243 * We must initialize each template member individually
1244 * because at the time of initial coding for ON10, the
1245 * compiler was using the "-xc99=%none" option
1246 * which prevents us from being able to declare the whole
1247 * template in place as usual.
1248 */
1249 keytemplate[0].type = CKA_CLASS;
1250 keytemplate[0].pValue = &keyclass;
1251 keytemplate[0].ulValueLen = sizeof (keyclass);
1252
1253 keytemplate[1].type = CKA_KEY_TYPE;
1254 keytemplate[1].pValue = &keytype;
1255 keytemplate[1].ulValueLen = sizeof (keytype);
1256
1257 keytemplate[2].type = CKA_SIGN;
1258 keytemplate[2].pValue = &True;
1259 keytemplate[2].ulValueLen = sizeof (True);
1260
1261 keytemplate[3].type = CKA_VALUE;
1262 keytemplate[3].pValue = passwd;
1263 keytemplate[3].ulValueLen = passwd_len;
1264 /*
1265 * Create a generic key object to be used for HMAC operations.
1266 * The "value" for this key is the password from the
1267 * mechanism parameter structure.
1268 */
1269 rv = soft_gen_keyobject(keytemplate,
1270 sizeof (keytemplate)/sizeof (CK_ATTRIBUTE), phKey, session_p,
1271 CKO_SECRET_KEY, (CK_KEY_TYPE)CKK_GENERIC_SECRET, 0,
1272 SOFT_CREATE_OBJ, B_TRUE);
1273
1274 return (rv);
1275 }
1276
1277 CK_RV
1278 soft_generate_pkcs5_pbkdf2_key(soft_session_t *session_p,
1279 CK_MECHANISM_PTR pMechanism, soft_object_t *secret_key)
1280 {
1281 CK_RV rv = CKR_OK;
1282 CK_PKCS5_PBKD2_PARAMS *params =
1283 (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter;
1284 CK_ULONG hLen = SHA1_HASH_SIZE;
1285 CK_ULONG dkLen, i;
1286 CK_ULONG blocks, remainder;
1287 CK_OBJECT_HANDLE phKey = 0;
1288 soft_object_t *hmac_key = NULL;
1289 CK_BYTE *salt = NULL;
1290 CK_BYTE *keydata = NULL;
1291
1292 params = (CK_PKCS5_PBKD2_PARAMS_PTR) pMechanism->pParameter;
1293
1294 if (params->prf != CKP_PKCS5_PBKD2_HMAC_SHA1)
1295 return (CKR_MECHANISM_PARAM_INVALID);
1296
1297 if (params->pPrfData != NULL || params->ulPrfDataLen != 0)
1298 return (CKR_DATA_INVALID);
1299
1300 if (params->saltSource != CKZ_SALT_SPECIFIED ||
1301 params->iterations == 0)
1302 return (CKR_MECHANISM_PARAM_INVALID);
1303
1304 /*
1305 * Create a key object to use for HMAC operations.
1306 */
1307 rv = soft_create_hmac_key(session_p, params->pPassword,
1308 *params->ulPasswordLen, &phKey);
1309
1310 if (rv != CKR_OK)
1311 return (rv);
1312
1313 hmac_key = (soft_object_t *)phKey;
1314
1315 /* Step 1. */
1316 dkLen = OBJ_SEC_VALUE_LEN(secret_key); /* length of desired key */
1317
1318 if (dkLen > ((((u_longlong_t)1)<<32)-1)*hLen) {
1319 (void) soft_delete_object(session_p, hmac_key, B_FALSE,
1320 B_FALSE);
1321 return (CKR_KEY_SIZE_RANGE);
1322 }
1323
1324 /* Step 2. */
1325 blocks = dkLen / hLen;
1326
1327 /* crude "Ceiling" function to adjust the number of blocks to use */
1328 if (blocks * hLen != dkLen)
1329 blocks++;
1330
1331 remainder = dkLen - ((blocks - 1) * hLen);
1332
1333 /* Step 3 */
1334 salt = (CK_BYTE *)malloc(params->ulSaltSourceDataLen + 4);
1335 if (salt == NULL) {
1336 (void) soft_delete_object(session_p, hmac_key, B_FALSE,
1337 B_FALSE);
1338 return (CKR_HOST_MEMORY);
1339 }
1340 /*
1341 * Nothing in PKCS#5 says you cannot pass an empty
1342 * salt, so we will allow for this and not return error
1343 * if the salt is not specified.
1344 */
1345 if (params->pSaltSourceData != NULL && params->ulSaltSourceDataLen > 0)
1346 (void) memcpy(salt, params->pSaltSourceData,
1347 params->ulSaltSourceDataLen);
1348
1349 /*
1350 * Get pointer to the data section of the key,
1351 * this will be used below as output from the
1352 * PRF iteration/concatenations so that when the
1353 * blocks are all iterated, the secret_key will
1354 * have the resulting derived key value.
1355 */
1356 keydata = (CK_BYTE *)OBJ_SEC_VALUE(secret_key);
1357
1358 /* Step 4. */
1359 for (i = 0; i < blocks && (rv == CKR_OK); i++) {
1360 CK_BYTE *s;
1361
1362 s = salt + params->ulSaltSourceDataLen;
1363
1364 /*
1365 * Append the block index to the salt as input
1366 * to the PRF. Block index should start at 1
1367 * not 0.
1368 */
1369 *s++ = ((i+1) >> 24) & 0xff;
1370 *s++ = ((i+1) >> 16) & 0xff;
1371 *s++ = ((i+1) >> 8) & 0xff;
1372 *s = ((i+1)) & 0xff;
1373
1374 /*
1375 * Adjust the key pointer so we always append the
1376 * PRF output to the current key.
1377 */
1378 rv = do_prf(session_p, params, hmac_key,
1379 salt, params->ulSaltSourceDataLen + 4, keydata,
1380 ((i + 1) == blocks ? remainder : hLen));
1381
1382 keydata += hLen;
1383 }
1384 (void) soft_delete_object(session_p, hmac_key, B_FALSE, B_FALSE);
1385 freezero(salt, params->ulSaltSourceDataLen);
1386
1387 return (rv);
1388 }
1389
1390 CK_RV
1391 soft_wrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
1392 soft_object_t *wrappingKey_p, soft_object_t *hkey_p,
1393 CK_BYTE_PTR pWrappedKey, CK_ULONG_PTR pulWrappedKeyLen)
1394 {
1395 CK_RV rv = CKR_OK;
1396 CK_ULONG plain_len = 0;
1397 CK_BYTE_PTR plain_data = NULL;
1398 CK_ULONG padded_len = 0;
1399 CK_BYTE_PTR padded_data = NULL;
1400 CK_ULONG wkey_blksz = 1; /* so modulo will work right */
1401
1402 /* Check if the mechanism is supported. */
1403 switch (pMechanism->mechanism) {
1404 case CKM_DES_CBC_PAD:
1405 case CKM_DES3_CBC_PAD:
1406 case CKM_AES_CBC_PAD:
1407 /*
1408 * Secret key mechs with padding can be used to wrap secret
1409 * keys and private keys only. See PKCS#11, * sec 11.14,
1410 * C_WrapKey and secs 12.* for each mechanism's wrapping/
1411 * unwrapping constraints.
1412 */
1413 if (hkey_p->class != CKO_SECRET_KEY && hkey_p->class !=
1414 CKO_PRIVATE_KEY)
1415 return (CKR_MECHANISM_INVALID);
1416 break;
1417 case CKM_RSA_PKCS:
1418 case CKM_RSA_X_509:
1419 case CKM_DES_ECB:
1420 case CKM_DES3_ECB:
1421 case CKM_AES_ECB:
1422 case CKM_DES_CBC:
1423 case CKM_DES3_CBC:
1424 case CKM_AES_CBC:
1425 case CKM_AES_CTR:
1426 case CKM_BLOWFISH_CBC:
1427 /*
1428 * Unpadded secret key mechs and private key mechs are only
1429 * defined for wrapping secret keys. See PKCS#11 refs above.
1430 */
1431 if (hkey_p->class != CKO_SECRET_KEY)
1432 return (CKR_MECHANISM_INVALID);
1433 break;
1434 default:
1435 return (CKR_MECHANISM_INVALID);
1436 }
1437
1438 if (hkey_p->class == CKO_SECRET_KEY) {
1439 plain_data = OBJ_SEC_VALUE(hkey_p);
1440 plain_len = OBJ_SEC_VALUE_LEN(hkey_p);
1441 } else {
1442 /*
1443 * BER-encode the object to be wrapped: call first with
1444 * plain_data = NULL to get the size needed, allocate that
1445 * much space, call again to fill space with actual data.
1446 */
1447 rv = soft_object_to_asn1(hkey_p, NULL, &plain_len);
1448 if (rv != CKR_OK)
1449 return (rv);
1450 if ((plain_data = malloc(plain_len)) == NULL)
1451 return (CKR_HOST_MEMORY);
1452 (void) memset(plain_data, 0x0, plain_len);
1453 rv = soft_object_to_asn1(hkey_p, plain_data, &plain_len);
1454 if (rv != CKR_OK)
1455 goto cleanup_wrap;
1456 }
1457
1458 /*
1459 * For unpadded ECB and CBC mechanisms, the object needs to be
1460 * padded to the wrapping key's blocksize prior to the encryption.
1461 */
1462 padded_len = plain_len;
1463 padded_data = plain_data;
1464
1465 switch (pMechanism->mechanism) {
1466 case CKM_DES_ECB:
1467 case CKM_DES3_ECB:
1468 case CKM_AES_ECB:
1469 case CKM_DES_CBC:
1470 case CKM_DES3_CBC:
1471 case CKM_AES_CBC:
1472 case CKM_BLOWFISH_CBC:
1473 /* Find the block size of the wrapping key. */
1474 if (wrappingKey_p->class == CKO_SECRET_KEY) {
1475 switch (wrappingKey_p->key_type) {
1476 case CKK_DES:
1477 case CKK_DES2:
1478 case CKK_DES3:
1479 wkey_blksz = DES_BLOCK_LEN;
1480 break;
1481 case CKK_AES:
1482 wkey_blksz = AES_BLOCK_LEN;
1483 break;
1484 case CKK_BLOWFISH:
1485 wkey_blksz = BLOWFISH_BLOCK_LEN;
1486 break;
1487 default:
1488 break;
1489 }
1490 } else {
1491 rv = CKR_WRAPPING_KEY_TYPE_INCONSISTENT;
1492 goto cleanup_wrap;
1493 }
1494
1495 /* Extend the plain text data to block size boundary. */
1496 if ((padded_len % wkey_blksz) != 0) {
1497 padded_len += (wkey_blksz - (plain_len % wkey_blksz));
1498 if ((padded_data = malloc(padded_len)) == NULL) {
1499 rv = CKR_HOST_MEMORY;
1500 goto cleanup_wrap;
1501 }
1502 (void) memset(padded_data, 0x0, padded_len);
1503 (void) memcpy(padded_data, plain_data, plain_len);
1504 }
1505 break;
1506 default:
1507 break;
1508 }
1509
1510 rv = soft_encrypt_init(session_p, pMechanism, wrappingKey_p);
1511 if (rv != CKR_OK)
1512 goto cleanup_wrap;
1513
1514 rv = soft_encrypt(session_p, padded_data, padded_len,
1515 pWrappedKey, pulWrappedKeyLen);
1516
1517 cleanup_wrap:
1518 if (padded_data != NULL && padded_len != plain_len) {
1519 /* Clear buffer before returning to memory pool. */
1520 freezero(padded_data, padded_len);
1521 }
1522
1523 if ((hkey_p->class != CKO_SECRET_KEY) && (plain_data != NULL)) {
1524 /* Clear buffer before returning to memory pool. */
1525 freezero(plain_data, plain_len);
1526 }
1527
1528 return (rv);
1529 }
1530
1531 /*
1532 * Quick check for whether unwrapped key length is appropriate for key type
1533 * and whether it needs to be truncated (in case the wrapping function had
1534 * to pad the key prior to wrapping).
1535 */
1536 static CK_RV
1537 soft_unwrap_secret_len_check(CK_KEY_TYPE keytype, CK_MECHANISM_TYPE mechtype,
1538 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount)
1539 {
1540 CK_ULONG i;
1541 boolean_t isValueLen = B_FALSE;
1542
1543 /*
1544 * Based on the key type and the mech used to unwrap, need to
1545 * determine if CKA_VALUE_LEN should or should not be specified.
1546 * PKCS#11 v2.11 restricts CKA_VALUE_LEN from being specified
1547 * for C_UnwrapKey for all mechs and key types, but v2.20 loosens
1548 * that restriction, perhaps because it makes it impossible to
1549 * determine the original length of unwrapped variable-length secret
1550 * keys, such as RC4, AES, and GENERIC_SECRET. These variable-length
1551 * secret keys would have been padded with trailing null-bytes so
1552 * that they could be successfully wrapped with *_ECB and *_CBC
1553 * mechanisms. Hence for unwrapping with these mechs, CKA_VALUE_LEN
1554 * must be specified. For unwrapping with other mechs, such as
1555 * *_CBC_PAD, the CKA_VALUE_LEN is not needed.
1556 */
1557
1558 /* Find out if template has CKA_VALUE_LEN. */
1559 for (i = 0; i < ulAttributeCount; i++) {
1560 if (pTemplate[i].type == CKA_VALUE_LEN &&
1561 pTemplate[i].pValue != NULL) {
1562 isValueLen = B_TRUE;
1563 break;
1564 }
1565 }
1566
1567 /* Does its presence conflict with the mech type and key type? */
1568 switch (mechtype) {
1569 case CKM_DES_ECB:
1570 case CKM_DES3_ECB:
1571 case CKM_AES_ECB:
1572 case CKM_DES_CBC:
1573 case CKM_DES3_CBC:
1574 case CKM_AES_CBC:
1575 case CKM_BLOWFISH_CBC:
1576 /*
1577 * CKA_VALUE_LEN must be specified
1578 * if keytype is CKK_RC4, CKK_AES and CKK_GENERIC_SECRET
1579 * and must not be specified otherwise
1580 */
1581 switch (keytype) {
1582 case CKK_DES:
1583 case CKK_DES2:
1584 case CKK_DES3:
1585 if (isValueLen)
1586 return (CKR_TEMPLATE_INCONSISTENT);
1587 break;
1588 case CKK_GENERIC_SECRET:
1589 case CKK_RC4:
1590 case CKK_AES:
1591 case CKK_BLOWFISH:
1592 if (!isValueLen)
1593 return (CKR_TEMPLATE_INCOMPLETE);
1594 break;
1595 default:
1596 return (CKR_FUNCTION_NOT_SUPPORTED);
1597 }
1598 break;
1599 default:
1600 /* CKA_VALUE_LEN must not be specified */
1601 if (isValueLen)
1602 return (CKR_TEMPLATE_INCONSISTENT);
1603 break;
1604 }
1605
1606 return (CKR_OK);
1607 }
1608
1609 CK_RV
1610 soft_unwrapkey(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
1611 soft_object_t *unwrappingkey_p, CK_BYTE_PTR pWrappedKey,
1612 CK_ULONG ulWrappedKeyLen, CK_ATTRIBUTE_PTR pTemplate,
1613 CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey)
1614 {
1615 CK_RV rv = CKR_OK;
1616 CK_OBJECT_CLASS new_obj_class = ~0UL;
1617 int i = 0;
1618 soft_object_t *new_objp = NULL;
1619 boolean_t persistent = B_FALSE;
1620 CK_BYTE_PTR plain_data = NULL;
1621 CK_ULONG plain_len = 0;
1622 secret_key_obj_t *sck = NULL;
1623
1624 /* Scan the attribute template for the object class. */
1625 if (pTemplate != NULL && ulAttributeCount != 0) {
1626 for (i = 0; i < ulAttributeCount; i++) {
1627 if (pTemplate[i].type == CKA_CLASS) {
1628 new_obj_class =
1629 *((CK_OBJECT_CLASS *)pTemplate[i].pValue);
1630 break;
1631 }
1632 }
1633 if (new_obj_class == ~0UL)
1634 return (CKR_TEMPLATE_INCOMPLETE);
1635 }
1636
1637 /*
1638 * Check if the mechanism is supported, and now that the new
1639 * object's class is known, the mechanism selected should be
1640 * capable of doing the unwrap.
1641 */
1642 switch (pMechanism->mechanism) {
1643 case CKM_RSA_PKCS:
1644 case CKM_RSA_X_509:
1645 case CKM_DES_ECB:
1646 case CKM_DES3_ECB:
1647 case CKM_AES_ECB:
1648 case CKM_DES_CBC:
1649 case CKM_DES3_CBC:
1650 case CKM_AES_CBC:
1651 case CKM_BLOWFISH_CBC:
1652 if (new_obj_class != CKO_SECRET_KEY)
1653 return (CKR_MECHANISM_INVALID);
1654 break;
1655 case CKM_DES_CBC_PAD:
1656 case CKM_DES3_CBC_PAD:
1657 case CKM_AES_CBC_PAD:
1658 if (new_obj_class != CKO_SECRET_KEY && new_obj_class !=
1659 CKO_PRIVATE_KEY)
1660 return (CKR_MECHANISM_INVALID);
1661 break;
1662 default:
1663 return (CKR_MECHANISM_INVALID);
1664 }
1665
1666 /* Create a new object based on the attribute template. */
1667 rv = soft_gen_keyobject(pTemplate, ulAttributeCount,
1668 (CK_ULONG *)&new_objp, session_p, (CK_OBJECT_CLASS)~0UL,
1669 (CK_KEY_TYPE)~0UL, 0, SOFT_UNWRAP_KEY, B_FALSE);
1670 if (rv != CKR_OK)
1671 return (rv);
1672
1673 /*
1674 * New key will have CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE
1675 * both set to FALSE. CKA_EXTRACTABLE will be set _by_default_ to
1676 * true -- leaving the possibility that it may be set FALSE by the
1677 * supplied attribute template. If the precise template cannot be
1678 * supported, unwrap fails. PKCS#11 spec, Sec. 11.14, C_UnwrapKey.
1679 *
1680 * Therefore, check the new object's NEVER_EXTRACTABLE_BOOL_ON and
1681 * ALWAYS_SENSITVE_BOOL_ON; if they are TRUE, the template must
1682 * have supplied them and therefore we cannot honor the unwrap.
1683 */
1684 if ((new_objp->bool_attr_mask & NEVER_EXTRACTABLE_BOOL_ON) ||
1685 (new_objp->bool_attr_mask & ALWAYS_SENSITIVE_BOOL_ON)) {
1686 rv = CKR_TEMPLATE_INCONSISTENT;
1687 goto cleanup_unwrap;
1688 }
1689
1690 rv = soft_decrypt_init(session_p, pMechanism, unwrappingkey_p);
1691 if (rv != CKR_OK)
1692 goto cleanup_unwrap;
1693
1694 /* First get the length of the plain data */
1695 rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, NULL,
1696 &plain_len);
1697 if (rv != CKR_OK)
1698 goto cleanup_unwrap;
1699
1700 /* Allocate space for the unwrapped data */
1701 if ((plain_data = malloc(plain_len)) == NULL) {
1702 rv = CKR_HOST_MEMORY;
1703 goto cleanup_unwrap;
1704 }
1705 (void) memset(plain_data, 0x0, plain_len);
1706
1707 /* Perform actual decryption into the allocated space. */
1708 rv = soft_decrypt(session_p, pWrappedKey, ulWrappedKeyLen, plain_data,
1709 &plain_len);
1710 if (rv != CKR_OK)
1711 goto cleanup_unwrap;
1712
1713 if (new_objp->class == CKO_SECRET_KEY) {
1714 /*
1715 * Since no ASN.1 encoding is done for secret keys, check for
1716 * appropriateness and copy decrypted buffer to the key object.
1717 */
1718
1719 /* Check keytype and mechtype don't conflict with valuelen */
1720 rv = soft_unwrap_secret_len_check(new_objp->key_type,
1721 pMechanism->mechanism, pTemplate, ulAttributeCount);
1722 if (rv != CKR_OK)
1723 goto cleanup_unwrap;
1724
1725 /*
1726 * Allocate the secret key structure if not already there;
1727 * it will exist for variable length keys since CKA_VALUE_LEN
1728 * is specified and saved, but not for fixed length keys.
1729 */
1730 if (OBJ_SEC(new_objp) == NULL) {
1731 if ((sck = calloc(1, sizeof (secret_key_obj_t))) ==
1732 NULL) {
1733 rv = CKR_HOST_MEMORY;
1734 goto cleanup_unwrap;
1735 }
1736 OBJ_SEC(new_objp) = sck;
1737 }
1738
1739 switch (new_objp->key_type) {
1740 /* Fixed length secret keys don't have CKA_VALUE_LEN */
1741 case CKK_DES:
1742 OBJ_SEC_VALUE_LEN(new_objp) = DES_KEYSIZE;
1743 break;
1744 case CKK_DES2:
1745 OBJ_SEC_VALUE_LEN(new_objp) = DES2_KEYSIZE;
1746 break;
1747 case CKK_DES3:
1748 OBJ_SEC_VALUE_LEN(new_objp) = DES3_KEYSIZE;
1749 break;
1750
1751 /*
1752 * Variable length secret keys. CKA_VALUE_LEN must be
1753 * provided by the template when mech is *_ECB or *_CBC, and
1754 * should already have been set during soft_gen_keyobject().
1755 * Otherwise we don't need CKA_VALUE_LEN.
1756 */
1757 case CKK_GENERIC_SECRET:
1758 case CKK_RC4:
1759 case CKK_AES:
1760 case CKK_BLOWFISH:
1761 break;
1762 default:
1763 rv = CKR_WRAPPED_KEY_INVALID;
1764 goto cleanup_unwrap;
1765 };
1766
1767 if (OBJ_SEC_VALUE_LEN(new_objp) == 0) {
1768 /* No CKA_VALUE_LEN set so set it now and save data */
1769 OBJ_SEC_VALUE_LEN(new_objp) = plain_len;
1770 OBJ_SEC_VALUE(new_objp) = plain_data;
1771 } else if (OBJ_SEC_VALUE_LEN(new_objp) == plain_len) {
1772 /* No need to truncate, just save the data */
1773 OBJ_SEC_VALUE(new_objp) = plain_data;
1774 } else if (OBJ_SEC_VALUE_LEN(new_objp) > plain_len) {
1775 /* Length can't be bigger than what was decrypted */
1776 rv = CKR_WRAPPED_KEY_LEN_RANGE;
1777 goto cleanup_unwrap;
1778 } else { /* betw 0 and plain_len, hence padded */
1779 /* Truncate the data before saving. */
1780 OBJ_SEC_VALUE(new_objp) = realloc(plain_data,
1781 OBJ_SEC_VALUE_LEN(new_objp));
1782 if (OBJ_SEC_VALUE(new_objp) == NULL) {
1783 rv = CKR_HOST_MEMORY;
1784 goto cleanup_unwrap;
1785 }
1786 }
1787 } else {
1788 /* BER-decode the object to be unwrapped. */
1789 rv = soft_asn1_to_object(new_objp, plain_data, plain_len);
1790 if (rv != CKR_OK)
1791 goto cleanup_unwrap;
1792 }
1793
1794 /* If it needs to be persistent, write it to the keystore */
1795 if (IS_TOKEN_OBJECT(new_objp)) {
1796 persistent = B_TRUE;
1797 rv = soft_put_object_to_keystore(new_objp);
1798 if (rv != CKR_OK)
1799 goto cleanup_unwrap;
1800 }
1801
1802 if (new_objp->class != CKO_SECRET_KEY) {
1803 /* Clear buffer before returning to memory pool. */
1804 freezero(plain_data, plain_len);
1805 }
1806
1807 *phKey = (CK_OBJECT_HANDLE)new_objp;
1808
1809 return (CKR_OK);
1810
1811 cleanup_unwrap:
1812 /* The decrypted private key buffer must be freed explicitly. */
1813 if ((new_objp->class != CKO_SECRET_KEY) && (plain_data != NULL)) {
1814 /* Clear buffer before returning to memory pool. */
1815 freezero(plain_data, plain_len);
1816 }
1817
1818 /* sck and new_objp are indirectly free()d inside these functions */
1819 if (IS_TOKEN_OBJECT(new_objp))
1820 soft_delete_token_object(new_objp, persistent, B_FALSE);
1821 else
1822 soft_delete_object(session_p, new_objp, B_FALSE, B_FALSE);
1823
1824 return (rv);
1825 }
Unleashed OS