4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright 2018, Joyent, Inc.
30 #include <sys/types.h>
33 #include <sys/sysmacros.h>
34 #include <security/cryptoki.h>
35 #include "softGlobal.h"
37 #include "softKeystore.h"
39 #include "softObject.h"
40 #include "softSession.h"
44 * This files contains the implementation of the following PKCS#11
45 * mechanisms needed by SSL:
46 * CKM_SSL3_MASTER_KEY_DERIVE
47 * CKM_SSL3_MASTER_KEY_DERIVE_DH
48 * CKM_SSL3_KEY_AND_DERIVE
49 * CKM_TLS_MASTER_KEY_DERIVE
50 * CKM_TLS_MASTER_KEY_DERIVE_DH
51 * CKM_TLS_KEY_AND_DERIVE
53 * SSL refers to common functions between SSL v3.0 and SSL v3.1 (a.k.a TLS.)
56 #define MAX_KEYBLOCK 160 /* should be plenty for all known cipherspecs */
58 #define MAX_DEFAULT_ATTRS 10 /* Enough for major applicarions */
60 static char *ssl3_const_vals
[] = {
72 static uint_t ssl3_const_lens
[] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
74 static uchar_t TLS_MASTER_SECRET_LABEL
[] = {"master secret"};
75 #define TLS_MASTER_SECRET_LABEL_LEN 13
77 static uchar_t TLS_KEY_EXPANSION_LABEL
[] = {"key expansion"};
78 #define TLS_KEY_EXPANSION_LABEL_LEN 13
80 static uchar_t TLS_CLIENT_KEY_LABEL
[] = {"client write key"};
81 #define TLS_CLIENT_KEY_LABEL_LEN 16
83 static uchar_t TLS_SERVER_KEY_LABEL
[] = {"server write key"};
84 #define TLS_SERVER_KEY_LABEL_LEN 16
86 static uchar_t TLS_IV_BLOCK_LABEL
[] = {"IV block"};
87 #define TLS_IV_BLOCK_LABEL_LEN 8
89 static void P_MD5(uchar_t
*, uint_t
, uchar_t
*, uint_t
, uchar_t
*, uint_t
,
90 uchar_t
*, uint_t
, uchar_t
*, uint_t
, boolean_t
);
91 static void P_SHA1(uchar_t
*, uint_t
, uchar_t
*, uint_t
, uchar_t
*, uint_t
,
92 uchar_t
*, uint_t
, uchar_t
*, uint_t
, boolean_t
);
94 static CK_RV
soft_add_derived_key(CK_ATTRIBUTE_PTR
, CK_ULONG
,
95 CK_OBJECT_HANDLE_PTR
, soft_session_t
*, soft_object_t
*);
96 static void soft_delete_derived_key(soft_session_t
*, soft_object_t
*);
97 static void soft_ssl_weaken_key(CK_MECHANISM_PTR
, uchar_t
*, uint_t
,
98 uchar_t
*, uint_t
, uchar_t
*, uint_t
, uchar_t
*, boolean_t
);
102 * Called for derivation of the master secret from the pre-master secret,
103 * and for the derivation of the key_block in an SSL3 handshake
104 * result is assumed to be larger than rounds * MD5_HASH_SIZE.
107 soft_ssl3_churn(uchar_t
*secret
, uint_t secretlen
, uchar_t
*rand1
,
108 uint_t rand1len
, uchar_t
*rand2
, uint_t rand2len
, int rounds
,
113 uchar_t sha1_digest
[SHA1_HASH_SIZE
];
115 uchar_t
*ms
= result
;
116 for (i
= 0; i
< rounds
; i
++) {
118 SHA1Update(&sha1_ctx
, (const uint8_t *)ssl3_const_vals
[i
],
120 SHA1Update(&sha1_ctx
, secret
, secretlen
);
121 SHA1Update(&sha1_ctx
, rand1
, rand1len
);
122 SHA1Update(&sha1_ctx
, rand2
, rand2len
);
123 SHA1Final(sha1_digest
, &sha1_ctx
);
126 MD5Update(&md5_ctx
, secret
, secretlen
);
127 MD5Update(&md5_ctx
, sha1_digest
, SHA1_HASH_SIZE
);
128 MD5Final(ms
, &md5_ctx
);
134 * This TLS generic Pseudo Random Function expands a triplet
135 * {secret, label, seed} into any arbitrary length string of pseudo
137 * Here, it is called for the derivation of the master secret from the
138 * pre-master secret, and for the derivation of the key_block in a TLS
142 soft_tls_prf(uchar_t
*secret
, uint_t secretlen
, uchar_t
*label
, uint_t labellen
,
143 uchar_t
*rand1
, uint_t rand1len
, uchar_t
*rand2
, uint_t rand2len
,
144 uchar_t
*result
, uint_t resultlen
)
147 uchar_t md5_digested_key
[MD5_HASH_SIZE
];
148 uchar_t sha1_digested_key
[SHA1_HASH_SIZE
];
149 uint_t L_S
, L_S1
, L_S2
;
151 /* secret is NULL for IV's in exportable ciphersuites */
152 if (secret
== NULL
) {
160 L_S
= roundup(secretlen
, 2) / 2;
164 S2
= secret
+ (secretlen
/ 2); /* Possible overlap of S1 and S2. */
166 /* Reduce the half secrets if bigger than the HASH's block size */
167 if (L_S
> MD5_HMAC_BLOCK_SIZE
) {
172 MD5Update(&md5_ctx
, S1
, L_S
);
173 MD5Final(md5_digested_key
, &md5_ctx
);
174 S1
= md5_digested_key
;
175 L_S1
= MD5_HASH_SIZE
;
178 SHA1Update(&sha1_ctx
, S2
, L_S
);
179 SHA1Final(sha1_digested_key
, &sha1_ctx
);
180 S2
= sha1_digested_key
;
181 L_S2
= SHA1_HASH_SIZE
;
185 * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
186 * P_SHA-1(S2, label + seed);
187 * the 'seed' here is rand1 + rand2
190 /* The first one writes directly to the result */
191 P_MD5(S1
, L_S1
, label
, labellen
, rand1
, rand1len
, rand2
, rand2len
,
192 result
, resultlen
, B_FALSE
);
194 /* The second one XOR's with the result. */
195 P_SHA1(S2
, L_S2
, label
, labellen
, rand1
, rand1len
, rand2
, rand2len
,
196 result
, resultlen
, B_TRUE
);
200 * These two expansion routines are very similar. (they can merge one day).
201 * They implement the P_HASH() function for MD5 and for SHA1, as defined in
204 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
205 * HMAC_hash(secret, A(2) + seed) +
206 * HMAC_hash(secret, A(3) + seed) + ...
207 * Where + indicates concatenation.
210 * A(i) = HMAC_hash(secret, A(i-1))
212 * The seed is the concatenation of 'babel', 'rand1', and 'rand2'.
215 P_MD5(uchar_t
*secret
, uint_t secretlen
, uchar_t
*label
, uint_t labellen
,
216 uchar_t
*rand1
, uint_t rand1len
, uchar_t
*rand2
, uint_t rand2len
,
217 uchar_t
*result
, uint_t resultlen
, boolean_t xor_it
)
219 uint32_t md5_ipad
[MD5_HMAC_INTS_PER_BLOCK
];
220 uint32_t md5_opad
[MD5_HMAC_INTS_PER_BLOCK
];
221 uchar_t md5_hmac
[MD5_HASH_SIZE
];
222 uchar_t A
[MD5_HASH_SIZE
];
223 md5_hc_ctx_t md5_hmac_ctx
;
225 uint_t left
= resultlen
;
228 /* good compilers will leverage the aligment */
229 bzero(md5_ipad
, MD5_HMAC_BLOCK_SIZE
);
230 bzero(md5_opad
, MD5_HMAC_BLOCK_SIZE
);
233 bcopy(secret
, md5_ipad
, secretlen
);
234 bcopy(secret
, md5_opad
, secretlen
);
237 /* A(1) = HMAC_MD5(secret, rand1 + rand2) */
238 md5_hmac_ctx_init(&md5_hmac_ctx
, md5_ipad
, md5_opad
);
239 SOFT_MAC_UPDATE(MD5
, &md5_hmac_ctx
, label
, labellen
);
240 SOFT_MAC_UPDATE(MD5
, &md5_hmac_ctx
, rand1
, rand1len
);
241 SOFT_MAC_UPDATE(MD5
, &md5_hmac_ctx
, rand2
, rand2len
);
242 SOFT_MAC_FINAL(MD5
, &md5_hmac_ctx
, A
);
253 * Compute HMAC_MD5(secret, A(i) + seed);
254 * The secret is already expanded in the ictx and octx, so
255 * we can call the SOFT_MAC_INIT_CTX() directly.
257 SOFT_MAC_INIT_CTX(MD5
, &md5_hmac_ctx
, md5_ipad
, md5_opad
,
258 MD5_HMAC_BLOCK_SIZE
);
259 SOFT_MAC_UPDATE(MD5
, &md5_hmac_ctx
, A
, MD5_HASH_SIZE
);
260 SOFT_MAC_UPDATE(MD5
, &md5_hmac_ctx
, label
, labellen
);
261 SOFT_MAC_UPDATE(MD5
, &md5_hmac_ctx
, rand1
, rand1len
);
262 SOFT_MAC_UPDATE(MD5
, &md5_hmac_ctx
, rand2
, rand2len
);
264 if (left
> MD5_HASH_SIZE
) {
265 SOFT_MAC_FINAL(MD5
, &md5_hmac_ctx
, res
);
267 for (i
= 0; i
< MD5_HASH_SIZE
; i
++) {
272 res
+= MD5_HASH_SIZE
;
274 left
-= MD5_HASH_SIZE
;
276 SOFT_MAC_FINAL(MD5
, &md5_hmac_ctx
, md5_hmac
);
278 for (i
= 0; i
< left
; i
++) {
283 bcopy(md5_hmac
, res
, left
);
287 /* A(i) = HMAC_MD5(secret, A(i-1) */
288 SOFT_MAC_INIT_CTX(MD5
, &md5_hmac_ctx
, md5_ipad
, md5_opad
,
289 MD5_HMAC_BLOCK_SIZE
);
290 SOFT_MAC_UPDATE(MD5
, &md5_hmac_ctx
, A
, MD5_HASH_SIZE
);
291 SOFT_MAC_FINAL(MD5
, &md5_hmac_ctx
, A
);
295 P_SHA1(uchar_t
*secret
, uint_t secretlen
, uchar_t
*label
, uint_t labellen
,
296 uchar_t
*rand1
, uint_t rand1len
, uchar_t
*rand2
, uint_t rand2len
,
297 uchar_t
*result
, uint_t resultlen
, boolean_t xor_it
)
299 uint32_t sha1_ipad
[SHA1_HMAC_INTS_PER_BLOCK
];
300 uint32_t sha1_opad
[SHA1_HMAC_INTS_PER_BLOCK
];
301 uchar_t sha1_hmac
[SHA1_HASH_SIZE
];
302 uchar_t A
[SHA1_HASH_SIZE
];
303 sha1_hc_ctx_t sha1_hmac_ctx
;
305 uint_t left
= resultlen
;
308 /* good compilers will leverage the aligment */
309 bzero(sha1_ipad
, SHA1_HMAC_BLOCK_SIZE
);
310 bzero(sha1_opad
, SHA1_HMAC_BLOCK_SIZE
);
313 bcopy(secret
, sha1_ipad
, secretlen
);
314 bcopy(secret
, sha1_opad
, secretlen
);
317 /* A(1) = HMAC_SHA1(secret, rand1 + rand2) */
318 sha1_hmac_ctx_init(&sha1_hmac_ctx
, sha1_ipad
, sha1_opad
);
319 SOFT_MAC_UPDATE(SHA1
, &sha1_hmac_ctx
, label
, labellen
);
320 SOFT_MAC_UPDATE(SHA1
, &sha1_hmac_ctx
, rand1
, rand1len
);
321 SOFT_MAC_UPDATE(SHA1
, &sha1_hmac_ctx
, rand2
, rand2len
);
322 SOFT_MAC_FINAL(SHA1
, &sha1_hmac_ctx
, A
);
333 * Compute HMAC_SHA1(secret, A(i) + seed);
334 * The secret is already expanded in the ictx and octx, so
335 * we can call the SOFT_MAC_INIT_CTX() directly.
337 SOFT_MAC_INIT_CTX(SHA1
, &sha1_hmac_ctx
,
338 (const uchar_t
*)sha1_ipad
, (const uchar_t
*)sha1_opad
,
339 SHA1_HMAC_BLOCK_SIZE
);
340 SOFT_MAC_UPDATE(SHA1
, &sha1_hmac_ctx
, A
, SHA1_HASH_SIZE
);
341 SOFT_MAC_UPDATE(SHA1
, &sha1_hmac_ctx
, label
, labellen
);
342 SOFT_MAC_UPDATE(SHA1
, &sha1_hmac_ctx
, rand1
, rand1len
);
343 SOFT_MAC_UPDATE(SHA1
, &sha1_hmac_ctx
, rand2
, rand2len
);
345 if (left
> SHA1_HASH_SIZE
) {
346 SOFT_MAC_FINAL(SHA1
, &sha1_hmac_ctx
, res
);
348 for (i
= 0; i
< SHA1_HASH_SIZE
; i
++) {
353 res
+= SHA1_HASH_SIZE
;
355 left
-= SHA1_HASH_SIZE
;
357 SOFT_MAC_FINAL(SHA1
, &sha1_hmac_ctx
, sha1_hmac
);
359 for (i
= 0; i
< left
; i
++) {
360 *cur
^= sha1_hmac
[i
];
364 bcopy(sha1_hmac
, res
, left
);
368 /* A(i) = HMAC_SHA1(secret, A(i-1) */
369 SOFT_MAC_INIT_CTX(SHA1
, &sha1_hmac_ctx
,
370 (const uchar_t
*)sha1_ipad
, (const uchar_t
*)sha1_opad
,
371 SHA1_HMAC_BLOCK_SIZE
);
372 SOFT_MAC_UPDATE(SHA1
, &sha1_hmac_ctx
, A
, SHA1_HASH_SIZE
);
373 SOFT_MAC_FINAL(SHA1
, &sha1_hmac_ctx
, A
);
377 /* This function handles the call from C_DeriveKey for CKM_TLS_PRF */
379 derive_tls_prf(CK_TLS_PRF_PARAMS_PTR param
, soft_object_t
*basekey_p
)
382 if (param
->pOutput
== NULL
|| param
->pulOutputLen
== 0)
383 return (CKR_BUFFER_TOO_SMALL
);
385 (void) soft_tls_prf(OBJ_SEC_VALUE(basekey_p
),
386 OBJ_SEC_VALUE_LEN(basekey_p
), param
->pLabel
, param
->ulLabelLen
,
387 param
->pSeed
, param
->ulSeedLen
, NULL
, 0, param
->pOutput
,
388 *param
->pulOutputLen
);
395 * soft_ssl_master_key_derive()
399 * . mech_p: key derivation mechanism. the mechanism parameter carries the
400 * client and master random from the Hello handshake messages.
401 * . basekey_p: The pre-master secret key.
402 * . pTemplate & ulAttributeCount: Any extra attributes for the key to be
404 * . phKey: store for handle to the derived key.
407 * Derive the SSL master secret from the pre-master secret, the client
409 * In SSL 3.0, master_secret =
410 * MD5(pre_master_secret + SHA('A' + pre_master_secret +
411 * ClientHello.random + ServerHello.random)) +
412 * MD5(pre_master_secret + SHA('BB' + pre_master_secret +
413 * ClientHello.random + ServerHello.random)) +
414 * MD5(pre_master_secret + SHA('CCC' + pre_master_secret +
415 * ClientHello.random + ServerHello.random));
417 * In TLS 1.0 (a.k.a. SSL 3.1), master_secret =
418 * PRF(pre_master_secret, "master secret",
419 * ClientHello.random + ServerHello.random)
422 soft_ssl_master_key_derive(soft_session_t
*sp
, CK_MECHANISM_PTR mech
,
423 soft_object_t
*basekey_p
, CK_ATTRIBUTE_PTR pTemplate
,
424 CK_ULONG ulAttributeCount
, CK_OBJECT_HANDLE_PTR phKey
)
426 uchar_t
*pmsecret
= OBJ_SEC_VALUE(basekey_p
);
427 uint_t pmlen
= OBJ_SEC_VALUE_LEN(basekey_p
);
428 CK_SSL3_MASTER_KEY_DERIVE_PARAMS
*mkd_params
;
429 CK_SSL3_RANDOM_DATA
*random_data
;
430 CK_VERSION_PTR pVersion
;
431 uchar_t ssl_master_secret
[48];
432 CK_OBJECT_CLASS
class = CKO_SECRET_KEY
;
433 CK_KEY_TYPE keyType
= CKK_GENERIC_SECRET
;
434 CK_BBOOL
true = TRUE
;
435 CK_ATTRIBUTE obj_tmpl
[MAX_DEFAULT_ATTRS
];
436 CK_ATTRIBUTE_PTR new_tmpl
;
437 CK_ULONG newattrcount
;
438 boolean_t new_tmpl_allocated
= B_FALSE
, is_tls
= B_FALSE
;
441 uint_t ClientRandomLen
, ServerRandomLen
;
443 /* Check the validity of the mechanism's parameter */
445 mkd_params
= (CK_SSL3_MASTER_KEY_DERIVE_PARAMS
*)mech
->pParameter
;
447 if (mkd_params
== NULL
||
448 mech
->ulParameterLen
!= sizeof (CK_SSL3_MASTER_KEY_DERIVE_PARAMS
))
449 return (CKR_MECHANISM_PARAM_INVALID
);
451 pVersion
= mkd_params
->pVersion
;
453 switch (mech
->mechanism
) {
454 case CKM_TLS_MASTER_KEY_DERIVE
:
457 case CKM_SSL3_MASTER_KEY_DERIVE
:
458 /* Invalid pre-master key length. What else to return? */
460 return (CKR_ARGUMENTS_BAD
);
462 /* Get the SSL version number from the premaster secret */
463 if (pVersion
== NULL_PTR
)
464 return (CKR_MECHANISM_PARAM_INVALID
);
466 bcopy(pmsecret
, pVersion
, sizeof (CK_VERSION
));
469 case CKM_TLS_MASTER_KEY_DERIVE_DH
:
472 case CKM_SSL3_MASTER_KEY_DERIVE_DH
:
473 if (pVersion
!= NULL_PTR
)
474 return (CKR_MECHANISM_PARAM_INVALID
);
477 random_data
= &mkd_params
->RandomInfo
;
478 ClientRandomLen
= random_data
->ulClientRandomLen
;
479 ServerRandomLen
= random_data
->ulServerRandomLen
;
481 if (random_data
->pClientRandom
== NULL_PTR
|| ClientRandomLen
== 0 ||
482 random_data
->pServerRandom
== NULL_PTR
|| ServerRandomLen
== 0) {
483 return (CKR_MECHANISM_PARAM_INVALID
);
486 /* Now the actual secret derivation */
488 soft_ssl3_churn(pmsecret
, pmlen
, random_data
->pClientRandom
,
489 ClientRandomLen
, random_data
->pServerRandom
,
490 ServerRandomLen
, 3, ssl_master_secret
);
492 soft_tls_prf(pmsecret
, pmlen
, TLS_MASTER_SECRET_LABEL
,
493 TLS_MASTER_SECRET_LABEL_LEN
, random_data
->pClientRandom
,
494 ClientRandomLen
, random_data
->pServerRandom
,
495 ServerRandomLen
, ssl_master_secret
, 48);
499 * The object creation attributes need to be in one contiguous
500 * array. In addition to the attrs from the application supplied
501 * pTemplates, We need to add the class, type, value, valuelen and
503 * In the most likely case, the application passes between zero and
504 * handful of attributes, We optimize for that case by allocating
505 * the new template on the stack. Oherwise we malloc() it.
508 newattrcount
= ulAttributeCount
+ 4;
509 if (newattrcount
> MAX_DEFAULT_ATTRS
) {
510 new_tmpl
= malloc(sizeof (CK_ATTRIBUTE
) * newattrcount
);
512 if (new_tmpl
== NULL
)
513 return (CKR_HOST_MEMORY
);
515 new_tmpl_allocated
= B_TRUE
;
520 * Fill in the new template.
521 * We put the attributes contributed by the mechanism first
522 * so that they override the application supplied ones.
524 new_tmpl
[0].type
= CKA_CLASS
;
525 new_tmpl
[0].pValue
= &class;
526 new_tmpl
[0].ulValueLen
= sizeof (class);
527 new_tmpl
[1].type
= CKA_KEY_TYPE
;
528 new_tmpl
[1].pValue
= &keyType
;
529 new_tmpl
[1].ulValueLen
= sizeof (keyType
);
530 new_tmpl
[2].type
= CKA_DERIVE
;
531 new_tmpl
[2].pValue
= &true;
532 new_tmpl
[2].ulValueLen
= sizeof (true);
533 new_tmpl
[3].type
= CKA_VALUE
;
534 new_tmpl
[3].pValue
= ssl_master_secret
;
535 new_tmpl
[3].ulValueLen
= 48;
537 /* Any attributes left? */
538 if (ulAttributeCount
> 0) {
540 /* Validate the default class and type attributes */
541 for (i
= 0; i
< ulAttributeCount
; i
++) {
542 /* The caller is responsible for proper alignment */
543 if ((pTemplate
[i
].type
== CKA_CLASS
) &&
544 (*((CK_OBJECT_CLASS
*)pTemplate
[i
].pValue
) !=
546 rv
= CKR_TEMPLATE_INCONSISTENT
;
549 if ((pTemplate
[i
].type
== CKA_KEY_TYPE
) &&
550 (*((CK_KEY_TYPE
*)pTemplate
[i
].pValue
) !=
551 CKK_GENERIC_SECRET
)) {
552 rv
= CKR_TEMPLATE_INCONSISTENT
;
556 bcopy(pTemplate
, &new_tmpl
[4],
557 ulAttributeCount
* sizeof (CK_ATTRIBUTE
));
560 rv
= soft_add_derived_key(new_tmpl
, newattrcount
, phKey
, sp
, basekey_p
);
562 if (new_tmpl_allocated
)
569 * soft_ssl3_key_and_mac_derive()
573 * . mech_p: key derivation mechanism. the mechanism parameter carries the
574 * client and mastter random from the Hello handshake messages,
575 * the specification of the key and IV sizes, and the location
576 * for the resulting keys and IVs.
577 * . basekey_p: The master secret key.
578 * . pTemplate & ulAttributeCount: Any extra attributes for the key to be
582 * Derive the SSL key material (Client and server MAC secrets, symmetric
583 * keys and IVs), from the master secret and the client
585 * First a keyblock is generated usining the following formula:
587 * MD5(master_secret + SHA(`A' + master_secret +
588 * ServerHello.random +
589 * ClientHello.random)) +
590 * MD5(master_secret + SHA(`BB' + master_secret +
591 * ServerHello.random +
592 * ClientHello.random)) +
593 * MD5(master_secret + SHA(`CCC' + master_secret +
594 * ServerHello.random +
595 * ClientHello.random)) + [...];
597 * In TLS 1.0 (a.k.a. SSL 3.1), key_block =
598 * PRF(master_secret, "key expansion",
599 * ServerHello.random + ClientHello.random)
601 * Then the keys materials are taken from the keyblock.
605 soft_ssl_key_and_mac_derive(soft_session_t
*sp
, CK_MECHANISM_PTR mech
,
606 soft_object_t
*basekey_p
, CK_ATTRIBUTE_PTR pTemplate
,
607 CK_ULONG ulAttributeCount
)
609 uchar_t
*msecret
= OBJ_SEC_VALUE(basekey_p
);
610 uint_t mslen
= OBJ_SEC_VALUE_LEN(basekey_p
);
611 CK_SSL3_KEY_MAT_PARAMS
*km_params
;
612 CK_SSL3_RANDOM_DATA
*random_data
;
613 CK_SSL3_KEY_MAT_OUT
*kmo
;
614 uchar_t key_block
[MAX_KEYBLOCK
], *kb
, *export_keys
= NULL
;
615 CK_OBJECT_CLASS
class = CKO_SECRET_KEY
;
616 CK_KEY_TYPE keyType
= CKK_GENERIC_SECRET
;
617 CK_BBOOL
true = TRUE
;
618 CK_ATTRIBUTE obj_tmpl
[MAX_DEFAULT_ATTRS
];
619 CK_ATTRIBUTE_PTR new_tmpl
;
620 ulong_t newattrcount
, mac_key_bytes
, secret_key_bytes
, iv_bytes
;
621 ulong_t extra_attr_count
;
624 boolean_t new_tmpl_allocated
= B_FALSE
, isExport
;
626 uint_t ClientRandomLen
, ServerRandomLen
;
628 /* Check the validity of the mechanism's parameter */
630 km_params
= (CK_SSL3_KEY_MAT_PARAMS
*)mech
->pParameter
;
632 if (km_params
== NULL
||
633 mech
->ulParameterLen
!= sizeof (CK_SSL3_KEY_MAT_PARAMS
) ||
634 (kmo
= km_params
->pReturnedKeyMaterial
) == NULL
)
635 return (CKR_MECHANISM_PARAM_INVALID
);
637 isExport
= (km_params
->bIsExport
== TRUE
);
639 random_data
= &km_params
->RandomInfo
;
640 ClientRandomLen
= random_data
->ulClientRandomLen
;
641 ServerRandomLen
= random_data
->ulServerRandomLen
;
643 if (random_data
->pClientRandom
== NULL_PTR
|| ClientRandomLen
== 0 ||
644 random_data
->pServerRandom
== NULL_PTR
|| ServerRandomLen
== 0) {
645 return (CKR_MECHANISM_PARAM_INVALID
);
648 mac_key_bytes
= km_params
->ulMacSizeInBits
/ 8;
649 secret_key_bytes
= km_params
->ulKeySizeInBits
/ 8;
650 iv_bytes
= km_params
->ulIVSizeInBits
/ 8;
652 if ((iv_bytes
> 0) &&
653 ((kmo
->pIVClient
== NULL
) || (kmo
->pIVServer
== NULL
)))
654 return (CKR_MECHANISM_PARAM_INVALID
);
657 * For exportable ciphersuites, the IV's aren't taken from the
658 * key block. They are directly derived from the client and
659 * server random data.
661 * client_write_IV = MD5(ClientHello.random + ServerHello.random);
662 * server_write_IV = MD5(ServerHello.random + ClientHello.random);
664 * iv_block = PRF("", "IV block", client_random +
665 * server_random)[0..15]
666 * client_write_IV = iv_block[0..7]
667 * server_write_IV = iv_block[8..15]
669 if ((isExport
) && (iv_bytes
> 0)) {
671 if (mech
->mechanism
== CKM_SSL3_KEY_AND_MAC_DERIVE
) {
674 if (iv_bytes
> MD5_HASH_SIZE
)
675 return (CKR_MECHANISM_PARAM_INVALID
);
677 MD5Init(&exp_md5_ctx
);
678 MD5Update(&exp_md5_ctx
, random_data
->pClientRandom
,
680 MD5Update(&exp_md5_ctx
, random_data
->pServerRandom
,
683 /* there's room in key_block. use it */
684 MD5Final(key_block
, &exp_md5_ctx
);
685 bcopy(key_block
, kmo
->pIVClient
, iv_bytes
);
687 MD5Init(&exp_md5_ctx
);
688 MD5Update(&exp_md5_ctx
, random_data
->pServerRandom
,
690 MD5Update(&exp_md5_ctx
, random_data
->pClientRandom
,
692 MD5Final(key_block
, &exp_md5_ctx
);
693 bcopy(key_block
, kmo
->pIVServer
, iv_bytes
);
695 uchar_t iv_block
[16];
698 return (CKR_MECHANISM_PARAM_INVALID
);
700 soft_tls_prf(NULL
, 0, TLS_IV_BLOCK_LABEL
,
701 TLS_IV_BLOCK_LABEL_LEN
,
702 random_data
->pClientRandom
, ClientRandomLen
,
703 random_data
->pServerRandom
, ServerRandomLen
,
705 bcopy(iv_block
, kmo
->pIVClient
, 8);
706 bcopy(iv_block
+ 8, kmo
->pIVServer
, 8);
708 /* so we won't allocate a key_block bigger than needed */
712 /* Now the actual secret derivation */
714 size
= (mac_key_bytes
+ secret_key_bytes
+ iv_bytes
) * 2;
716 /* Need to handle this better */
717 if (size
> MAX_KEYBLOCK
)
718 return (CKR_MECHANISM_PARAM_INVALID
);
720 rounds
= howmany(size
, MD5_HASH_SIZE
);
724 if (mech
->mechanism
== CKM_SSL3_KEY_AND_MAC_DERIVE
) {
725 soft_ssl3_churn(msecret
, mslen
, random_data
->pServerRandom
,
726 ServerRandomLen
, random_data
->pClientRandom
,
727 ClientRandomLen
, rounds
, kb
);
729 soft_tls_prf(msecret
, mslen
, TLS_KEY_EXPANSION_LABEL
,
730 TLS_KEY_EXPANSION_LABEL_LEN
,
731 random_data
->pServerRandom
, ServerRandomLen
,
732 random_data
->pClientRandom
, ClientRandomLen
,
736 /* Now create the objects */
738 kmo
->hClientMacSecret
= CK_INVALID_HANDLE
;
739 kmo
->hServerMacSecret
= CK_INVALID_HANDLE
;
740 kmo
->hClientKey
= CK_INVALID_HANDLE
;
741 kmo
->hServerKey
= CK_INVALID_HANDLE
;
743 /* First the MAC secrets */
744 if (mac_key_bytes
> 0) {
745 obj_tmpl
[0].type
= CKA_CLASS
;
746 obj_tmpl
[0].pValue
= &class; /* CKO_SECRET_KEY */
747 obj_tmpl
[0].ulValueLen
= sizeof (class);
748 obj_tmpl
[1].type
= CKA_KEY_TYPE
;
749 obj_tmpl
[1].pValue
= &keyType
; /* CKK_GENERIC_SECRET */
750 obj_tmpl
[1].ulValueLen
= sizeof (keyType
);
751 obj_tmpl
[2].type
= CKA_DERIVE
;
752 obj_tmpl
[2].pValue
= &true;
753 obj_tmpl
[2].ulValueLen
= sizeof (true);
754 obj_tmpl
[3].type
= CKA_SIGN
;
755 obj_tmpl
[3].pValue
= &true;
756 obj_tmpl
[3].ulValueLen
= sizeof (true);
757 obj_tmpl
[4].type
= CKA_VERIFY
;
758 obj_tmpl
[4].pValue
= &true;
759 obj_tmpl
[4].ulValueLen
= sizeof (true);
760 obj_tmpl
[5].type
= CKA_VALUE
;
761 obj_tmpl
[5].pValue
= kb
;
762 obj_tmpl
[5].ulValueLen
= mac_key_bytes
;
764 rv
= soft_add_derived_key(obj_tmpl
, 6,
765 &(kmo
->hClientMacSecret
), sp
, basekey_p
);
772 obj_tmpl
[5].pValue
= kb
;
773 rv
= soft_add_derived_key(obj_tmpl
, 6,
774 &(kmo
->hServerMacSecret
), sp
, basekey_p
);
782 /* Then the symmetric ciphers keys */
784 extra_attr_count
= (secret_key_bytes
== 0) ? 6 : 5;
785 newattrcount
= ulAttributeCount
+ extra_attr_count
;
786 if (newattrcount
> MAX_DEFAULT_ATTRS
) {
787 new_tmpl
= malloc(sizeof (CK_ATTRIBUTE
) * newattrcount
);
789 if (new_tmpl
== NULL
)
790 return (CKR_HOST_MEMORY
);
792 new_tmpl_allocated
= B_TRUE
;
796 new_tmpl
[n
].type
= CKA_CLASS
;
797 new_tmpl
[n
].pValue
= &class; /* CKO_SECRET_KEY */
798 new_tmpl
[n
].ulValueLen
= sizeof (class);
801 * The keyType comes from the application's template, and depends
802 * on the ciphersuite. The only exception is authentication only
803 * ciphersuites which do not use cipher keys.
805 if (secret_key_bytes
== 0) {
806 new_tmpl
[n
].type
= CKA_KEY_TYPE
;
807 new_tmpl
[n
].pValue
= &keyType
; /* CKK_GENERIC_SECRET */
808 new_tmpl
[n
].ulValueLen
= sizeof (keyType
);
811 new_tmpl
[n
].type
= CKA_DERIVE
;
812 new_tmpl
[n
].pValue
= &true;
813 new_tmpl
[n
].ulValueLen
= sizeof (true);
815 new_tmpl
[n
].type
= CKA_ENCRYPT
;
816 new_tmpl
[n
].pValue
= &true;
817 new_tmpl
[n
].ulValueLen
= sizeof (true);
819 new_tmpl
[n
].type
= CKA_DECRYPT
;
820 new_tmpl
[n
].pValue
= &true;
821 new_tmpl
[n
].ulValueLen
= sizeof (true);
823 new_tmpl
[n
].type
= CKA_VALUE
;
824 new_tmpl
[n
].pValue
= NULL
;
825 new_tmpl
[n
].ulValueLen
= 0;
827 if (secret_key_bytes
> 0) {
829 if (secret_key_bytes
> MD5_HASH_SIZE
) {
830 rv
= CKR_MECHANISM_PARAM_INVALID
;
833 if ((export_keys
= malloc(2 * MD5_HASH_SIZE
)) == NULL
) {
834 rv
= CKR_HOST_MEMORY
;
837 soft_ssl_weaken_key(mech
, kb
, secret_key_bytes
,
838 random_data
->pClientRandom
, ClientRandomLen
,
839 random_data
->pServerRandom
, ServerRandomLen
,
840 export_keys
, B_TRUE
);
841 new_tmpl
[n
].pValue
= export_keys
;
842 new_tmpl
[n
].ulValueLen
= MD5_HASH_SIZE
;
844 new_tmpl
[n
].pValue
= kb
;
845 new_tmpl
[n
].ulValueLen
= secret_key_bytes
;
849 if (ulAttributeCount
> 0)
850 bcopy(pTemplate
, &new_tmpl
[extra_attr_count
],
851 ulAttributeCount
* sizeof (CK_ATTRIBUTE
));
853 rv
= soft_add_derived_key(new_tmpl
, newattrcount
,
854 &(kmo
->hClientKey
), sp
, basekey_p
);
859 kb
+= secret_key_bytes
;
861 if (secret_key_bytes
> 0) {
863 soft_ssl_weaken_key(mech
, kb
, secret_key_bytes
,
864 random_data
->pServerRandom
, ServerRandomLen
,
865 random_data
->pClientRandom
, ClientRandomLen
,
866 export_keys
+ MD5_HASH_SIZE
, B_FALSE
);
867 new_tmpl
[n
].pValue
= export_keys
+ MD5_HASH_SIZE
;
869 new_tmpl
[n
].pValue
= kb
;
872 rv
= soft_add_derived_key(new_tmpl
, newattrcount
,
873 &(kmo
->hServerKey
), sp
, basekey_p
);
878 kb
+= secret_key_bytes
;
880 /* Finally, the IVs */
882 bcopy(kb
, kmo
->pIVClient
, iv_bytes
);
884 bcopy(kb
, kmo
->pIVServer
, iv_bytes
);
887 if (new_tmpl_allocated
)
890 freezero(export_keys
, 2 * MD5_HASH_SIZE
);
895 if (kmo
->hClientMacSecret
!= CK_INVALID_HANDLE
) {
896 (void) soft_delete_derived_key(sp
,
897 (soft_object_t
*)(kmo
->hClientMacSecret
));
898 kmo
->hClientMacSecret
= CK_INVALID_HANDLE
;
900 if (kmo
->hServerMacSecret
!= CK_INVALID_HANDLE
) {
901 (void) soft_delete_derived_key(sp
,
902 (soft_object_t
*)(kmo
->hServerMacSecret
));
903 kmo
->hServerMacSecret
= CK_INVALID_HANDLE
;
905 if (kmo
->hClientKey
!= CK_INVALID_HANDLE
) {
906 (void) soft_delete_derived_key(sp
,
907 (soft_object_t
*)(kmo
->hClientKey
));
908 kmo
->hClientKey
= CK_INVALID_HANDLE
;
910 if (kmo
->hServerKey
!= CK_INVALID_HANDLE
) {
911 (void) soft_delete_derived_key(sp
,
912 (soft_object_t
*)(kmo
->hServerKey
));
913 kmo
->hServerKey
= CK_INVALID_HANDLE
;
916 if (new_tmpl_allocated
)
919 freezero(export_keys
, 2 * MD5_HASH_SIZE
);
925 * Add the derived key to the session, and, if it's a token object,
926 * write it to the token.
929 soft_add_derived_key(CK_ATTRIBUTE_PTR tmpl
, CK_ULONG attrcount
,
930 CK_OBJECT_HANDLE_PTR phKey
, soft_session_t
*sp
, soft_object_t
*basekey_p
)
933 soft_object_t
*secret_key
;
935 if ((secret_key
= calloc(1, sizeof (soft_object_t
))) == NULL
) {
936 return (CKR_HOST_MEMORY
);
939 if (((rv
= soft_build_secret_key_object(tmpl
, attrcount
, secret_key
,
940 SOFT_CREATE_OBJ_INT
, 0, (CK_KEY_TYPE
)~0UL)) != CKR_OK
) ||
941 ((rv
= soft_pin_expired_check(secret_key
)) != CKR_OK
) ||
942 ((rv
= soft_object_write_access_check(sp
, secret_key
)) != CKR_OK
)) {
948 /* Set the sensitivity and extractability attributes as a needed */
949 soft_derive_enforce_flags(basekey_p
, secret_key
);
951 /* Initialize the rest of stuffs in soft_object_t. */
952 (void) pthread_mutex_init(&secret_key
->object_mutex
, NULL
);
953 secret_key
->magic_marker
= SOFTTOKEN_OBJECT_MAGIC
;
955 /* ... and, if it needs to persist, write on the token */
956 if (IS_TOKEN_OBJECT(secret_key
)) {
957 secret_key
->session_handle
= (CK_SESSION_HANDLE
)NULL
;
958 soft_add_token_object_to_slot(secret_key
);
959 rv
= soft_put_object_to_keystore(secret_key
);
961 soft_delete_token_object(secret_key
, B_FALSE
, B_FALSE
);
964 *phKey
= (CK_OBJECT_HANDLE
)secret_key
;
969 /* Add the new object to the session's object list. */
970 soft_add_object_to_session(secret_key
, sp
);
971 secret_key
->session_handle
= (CK_SESSION_HANDLE
)sp
;
973 *phKey
= (CK_OBJECT_HANDLE
)secret_key
;
979 * Delete the derived key from the session, and, if it's a token object,
980 * remove it from the token.
983 soft_delete_derived_key(soft_session_t
*sp
, soft_object_t
*key
)
985 /* session_handle is the creating session. It's NULL for token objs */
987 if (IS_TOKEN_OBJECT(key
))
988 soft_delete_token_object(key
, B_FALSE
, B_FALSE
);
990 soft_delete_object(sp
, key
, B_FALSE
, B_FALSE
);
994 * soft_ssl_weaken_key()
995 * Reduce the key length to an exportable size.
997 * final_client_write_key = MD5(client_write_key +
998 * ClientHello.random +
999 * ServerHello.random);
1000 * final_server_write_key = MD5(server_write_key +
1001 * ServerHello.random +
1002 * ClientHello.random);
1004 * final_client_write_key = PRF(SecurityParameters.client_write_key,
1005 * "client write key",
1006 * SecurityParameters.client_random +
1007 * SecurityParameters.server_random)[0..15];
1008 * final_server_write_key = PRF(SecurityParameters.server_write_key,
1009 * "server write key",
1010 * SecurityParameters.client_random +
1011 * SecurityParameters.server_random)[0..15];
1014 soft_ssl_weaken_key(CK_MECHANISM_PTR mech
, uchar_t
*secret
, uint_t secretlen
,
1015 uchar_t
*rand1
, uint_t rand1len
, uchar_t
*rand2
, uint_t rand2len
,
1016 uchar_t
*result
, boolean_t isclient
)
1018 MD5_CTX exp_md5_ctx
;
1022 if (mech
->mechanism
== CKM_SSL3_KEY_AND_MAC_DERIVE
) {
1023 MD5Init(&exp_md5_ctx
);
1024 MD5Update(&exp_md5_ctx
, secret
, secretlen
);
1025 MD5Update(&exp_md5_ctx
, rand1
, rand1len
);
1026 MD5Update(&exp_md5_ctx
, rand2
, rand2len
);
1027 MD5Final(result
, &exp_md5_ctx
);
1030 label
= TLS_CLIENT_KEY_LABEL
;
1031 labellen
= TLS_CLIENT_KEY_LABEL_LEN
;
1032 soft_tls_prf(secret
, secretlen
, label
, labellen
,
1033 rand1
, rand1len
, rand2
, rand2len
, result
, 16);
1035 label
= TLS_SERVER_KEY_LABEL
;
1036 labellen
= TLS_SERVER_KEY_LABEL_LEN
;
1037 soft_tls_prf(secret
, secretlen
, label
, labellen
,
1038 rand2
, rand2len
, rand1
, rand1len
, result
, 16);