1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23 * Use is subject to license terms.
24 * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
25 * Copyright (c) 2018, Joyent, Inc.
26 */
27
28#include <stdlib.h>
29#include <strings.h>
30#include <sys/types.h>
31#include <security/cryptoki.h>
32#include "softObject.h"
33#include "softOps.h"
34#include "softSession.h"
35#include "softMAC.h"
36#include "softRSA.h"
37#include "softDSA.h"
38#include "softEC.h"
39#include "softCrypt.h"
40
41/*
42 * soft_sign_init()
43 *
44 * Arguments:
45 *	session_p:	pointer to soft_session_t struct
46 *	pMechanism:	pointer to CK_MECHANISM struct provided by application
47 *	key_p:		pointer to key soft_object_t struct
48 *
49 * Description:
50 *	called by C_SignInit(). This function calls the corresponding
51 *	sign init routine based on the mechanism.
52 *
53 */
54CK_RV
55soft_sign_init(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
56    soft_object_t *key_p)
57{
58
59	switch (pMechanism->mechanism) {
60
61	case CKM_SSL3_MD5_MAC:
62	case CKM_SSL3_SHA1_MAC:
63	case CKM_MD5_HMAC_GENERAL:
64	case CKM_MD5_HMAC:
65	case CKM_SHA_1_HMAC_GENERAL:
66	case CKM_SHA_1_HMAC:
67	case CKM_SHA256_HMAC_GENERAL:
68	case CKM_SHA256_HMAC:
69	case CKM_SHA384_HMAC_GENERAL:
70	case CKM_SHA384_HMAC:
71	case CKM_SHA512_HMAC_GENERAL:
72	case CKM_SHA512_HMAC:
73
74		return (soft_hmac_sign_verify_init_common(session_p,
75		    pMechanism, key_p, B_TRUE));
76
77	case CKM_RSA_X_509:
78	case CKM_RSA_PKCS:
79	case CKM_MD5_RSA_PKCS:
80	case CKM_SHA1_RSA_PKCS:
81	case CKM_SHA256_RSA_PKCS:
82	case CKM_SHA384_RSA_PKCS:
83	case CKM_SHA512_RSA_PKCS:
84
85		return (soft_rsa_sign_verify_init_common(session_p, pMechanism,
86		    key_p, B_TRUE));
87
88	case CKM_DSA:
89	case CKM_DSA_SHA1:
90
91		return (soft_dsa_sign_verify_init_common(session_p, pMechanism,
92		    key_p, B_TRUE));
93
94	case CKM_ECDSA:
95	case CKM_ECDSA_SHA1:
96
97		return (soft_ecc_sign_verify_init_common(session_p, pMechanism,
98		    key_p, B_TRUE));
99
100	case CKM_DES_MAC_GENERAL:
101	case CKM_DES_MAC:
102
103		return (soft_des_sign_verify_init_common(session_p, pMechanism,
104		    key_p, B_TRUE));
105
106	case CKM_AES_CMAC_GENERAL:
107	case CKM_AES_CMAC:
108
109		return (soft_aes_sign_verify_init_common(session_p, pMechanism,
110		    key_p, B_TRUE));
111
112	default:
113		return (CKR_MECHANISM_INVALID);
114	}
115
116}
117
118
119/*
120 * soft_sign()
121 *
122 * Arguments:
123 *      session_p:	pointer to soft_session_t struct
124 *	pData:		pointer to the input data to be signed
125 *	ulDataLen:	length of the input data
126 *	pSignature:	pointer to the signature after signing
127 *	pulSignatureLen: pointer to the length of the signature
128 *
129 * Description:
130 *      called by C_Sign(). This function calls the corresponding
131 *	sign routine based on the mechanism.
132 *
133 */
134CK_RV
135soft_sign(soft_session_t *session_p, CK_BYTE_PTR pData,
136    CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
137    CK_ULONG_PTR pulSignatureLen)
138{
139
140	CK_MECHANISM_TYPE mechanism = session_p->sign.mech.mechanism;
141	CK_RV rv = CKR_OK;
142
143	switch (mechanism) {
144
145	case CKM_SSL3_MD5_MAC:
146	case CKM_SSL3_SHA1_MAC:
147	case CKM_MD5_HMAC_GENERAL:
148	case CKM_MD5_HMAC:
149	case CKM_SHA_1_HMAC_GENERAL:
150	case CKM_SHA_1_HMAC:
151	case CKM_SHA256_HMAC_GENERAL:
152	case CKM_SHA256_HMAC:
153	case CKM_SHA384_HMAC_GENERAL:
154	case CKM_SHA384_HMAC:
155	case CKM_SHA512_HMAC_GENERAL:
156	case CKM_SHA512_HMAC:
157	{
158		CK_BYTE hmac[SHA512_DIGEST_LENGTH]; /* use the maximum size */
159
160		if (pSignature != NULL) {
161			/* Pass local buffer to avoid overflow. */
162			rv = soft_hmac_sign_verify_common(session_p, pData,
163			    ulDataLen, hmac, pulSignatureLen, B_TRUE);
164		} else {
165			/* Pass original pSignature, let callee to handle it. */
166			rv = soft_hmac_sign_verify_common(session_p, pData,
167			    ulDataLen, pSignature, pulSignatureLen, B_TRUE);
168		}
169
170		if ((rv == CKR_OK) && (pSignature != NULL))
171			(void) memcpy(pSignature, hmac, *pulSignatureLen);
172
173		return (rv);
174	}
175	case CKM_DES_MAC_GENERAL:
176	case CKM_DES_MAC:
177	{
178		CK_BYTE signature[DES_BLOCK_LEN]; /* use the maximum size */
179
180		if (pSignature != NULL) {
181			/* Pass local buffer to avoid overflow. */
182			rv = soft_des_sign_verify_common(session_p, pData,
183			    ulDataLen, signature, pulSignatureLen, B_TRUE,
184			    B_FALSE);
185		} else {
186			/* Pass NULL, let callee to handle it. */
187			rv = soft_des_sign_verify_common(session_p, pData,
188			    ulDataLen, NULL, pulSignatureLen, B_TRUE, B_FALSE);
189		}
190
191		if ((rv == CKR_OK) && (pSignature != NULL))
192			(void) memcpy(pSignature, signature, *pulSignatureLen);
193
194		return (rv);
195	}
196	case CKM_AES_CMAC_GENERAL:
197	case CKM_AES_CMAC:
198	{
199		CK_BYTE signature[AES_BLOCK_LEN];
200
201		if (pSignature != NULL) {
202			/* Pass local buffer to avoid overflow. */
203			rv = soft_aes_sign_verify_common(session_p, pData,
204			    ulDataLen, signature, pulSignatureLen, B_TRUE,
205			    B_FALSE);
206		} else {
207			/* Pass NULL, let callee handle it. */
208			rv = soft_aes_sign_verify_common(session_p, pData,
209			    ulDataLen, NULL, pulSignatureLen, B_TRUE, B_FALSE);
210		}
211
212		if ((rv == CKR_OK) && (pSignature != NULL))
213			(void) memcpy(pSignature, signature, *pulSignatureLen);
214
215		return (rv);
216	}
217	case CKM_RSA_X_509:
218	case CKM_RSA_PKCS:
219
220		return (soft_rsa_sign_common(session_p, pData, ulDataLen,
221		    pSignature, pulSignatureLen, mechanism));
222
223	case CKM_MD5_RSA_PKCS:
224	case CKM_SHA1_RSA_PKCS:
225	case CKM_SHA256_RSA_PKCS:
226	case CKM_SHA384_RSA_PKCS:
227	case CKM_SHA512_RSA_PKCS:
228
229		return (soft_rsa_digest_sign_common(session_p, pData, ulDataLen,
230		    pSignature, pulSignatureLen, mechanism, B_FALSE));
231
232	case CKM_DSA:
233
234		return (soft_dsa_sign(session_p, pData, ulDataLen,
235		    pSignature, pulSignatureLen));
236
237	case CKM_DSA_SHA1:
238
239		return (soft_dsa_digest_sign_common(session_p, pData, ulDataLen,
240		    pSignature, pulSignatureLen, B_FALSE));
241
242	case CKM_ECDSA:
243
244		return (soft_ecc_sign(session_p, pData, ulDataLen,
245		    pSignature, pulSignatureLen));
246
247	case CKM_ECDSA_SHA1:
248
249		return (soft_ecc_digest_sign_common(session_p, pData, ulDataLen,
250		    pSignature, pulSignatureLen, B_FALSE));
251
252	default:
253		return (CKR_MECHANISM_INVALID);
254	}
255}
256
257
258/*
259 * soft_sign_update()
260 *
261 * Arguments:
262 *      session_p:	pointer to soft_session_t struct
263 *      pPart:		pointer to the input data to be signed
264 *      ulPartLen:	length of the input data
265 *
266 * Description:
267 *      called by C_SignUpdate(). This function calls the corresponding
268 *	sign update routine based on the mechanism.
269 *
270 */
271CK_RV
272soft_sign_update(soft_session_t *session_p, CK_BYTE_PTR pPart,
273    CK_ULONG ulPartLen)
274{
275	CK_MECHANISM_TYPE	mechanism = session_p->sign.mech.mechanism;
276
277	switch (mechanism) {
278
279	case CKM_SSL3_MD5_MAC:
280	case CKM_SSL3_SHA1_MAC:
281	case CKM_MD5_HMAC_GENERAL:
282	case CKM_MD5_HMAC:
283	case CKM_SHA_1_HMAC_GENERAL:
284	case CKM_SHA_1_HMAC:
285	case CKM_SHA256_HMAC_GENERAL:
286	case CKM_SHA256_HMAC:
287	case CKM_SHA384_HMAC_GENERAL:
288	case CKM_SHA384_HMAC:
289	case CKM_SHA512_HMAC_GENERAL:
290	case CKM_SHA512_HMAC:
291
292		return (soft_hmac_sign_verify_update(session_p, pPart,
293		    ulPartLen, B_TRUE));
294
295	case CKM_DES_MAC_GENERAL:
296	case CKM_DES_MAC:
297
298		return (soft_des_mac_sign_verify_update(session_p, pPart,
299		    ulPartLen));
300
301	case CKM_AES_CMAC_GENERAL:
302	case CKM_AES_CMAC:
303
304		return (soft_aes_mac_sign_verify_update(session_p, pPart,
305		    ulPartLen));
306
307	case CKM_MD5_RSA_PKCS:
308	case CKM_SHA1_RSA_PKCS:
309	case CKM_SHA256_RSA_PKCS:
310	case CKM_SHA384_RSA_PKCS:
311	case CKM_SHA512_RSA_PKCS:
312		/*
313		 * The MD5/SHA1 digest value is accumulated in the context
314		 * of the multiple-part digesting operation. In the final
315		 * operation, the digest is encoded and then perform RSA
316		 * signing.
317		 */
318	case CKM_DSA_SHA1:
319	case CKM_ECDSA_SHA1:
320
321		return (soft_digest_update(session_p, pPart, ulPartLen));
322
323	default:
324		/* PKCS11: The mechanism only supports single-part operation. */
325		return (CKR_MECHANISM_INVALID);
326	}
327}
328
329
330/*
331 * soft_sign_final()
332 *
333 * Arguments:
334 *      session_p:	pointer to soft_session_t struct
335 *      pSignature:	pointer to the signature after signing
336 *      pulSignatureLen: pointer to the	length of the signature
337 *
338 * Description:
339 *      called by C_SignFinal(). This function calls the corresponding
340 *	sign final routine based on the mechanism.
341 *
342 */
343CK_RV
344soft_sign_final(soft_session_t *session_p, CK_BYTE_PTR pSignature,
345    CK_ULONG_PTR pulSignatureLen)
346{
347
348	CK_MECHANISM_TYPE mechanism = session_p->sign.mech.mechanism;
349	CK_RV rv = CKR_OK;
350
351	switch (mechanism) {
352
353	case CKM_SSL3_MD5_MAC:
354	case CKM_SSL3_SHA1_MAC:
355	case CKM_MD5_HMAC_GENERAL:
356	case CKM_MD5_HMAC:
357	case CKM_SHA_1_HMAC_GENERAL:
358	case CKM_SHA_1_HMAC:
359	case CKM_SHA256_HMAC_GENERAL:
360	case CKM_SHA256_HMAC:
361	case CKM_SHA384_HMAC_GENERAL:
362	case CKM_SHA384_HMAC:
363	case CKM_SHA512_HMAC_GENERAL:
364	case CKM_SHA512_HMAC:
365	{
366		CK_BYTE hmac[SHA512_DIGEST_LENGTH]; /* use the maximum size */
367
368		if (pSignature != NULL) {
369			/* Pass local buffer to avoid overflow */
370			rv = soft_hmac_sign_verify_common(session_p, NULL,
371			    0, hmac, pulSignatureLen, B_TRUE);
372		} else {
373			/* Pass original pSignature, let callee to handle it. */
374			rv = soft_hmac_sign_verify_common(session_p, NULL,
375			    0, pSignature, pulSignatureLen, B_TRUE);
376		}
377
378		if ((rv == CKR_OK) && (pSignature != NULL))
379			(void) memcpy(pSignature, hmac, *pulSignatureLen);
380
381		return (rv);
382	}
383	case CKM_DES_MAC_GENERAL:
384	case CKM_DES_MAC:
385	{
386		CK_BYTE signature[DES_BLOCK_LEN]; /* use the maximum size */
387
388		if (pSignature != NULL) {
389			/* Pass local buffer to avoid overflow. */
390			rv = soft_des_sign_verify_common(session_p, NULL, 0,
391			    signature, pulSignatureLen, B_TRUE, B_TRUE);
392		} else {
393			/* Pass NULL, let callee to handle it. */
394			rv = soft_des_sign_verify_common(session_p, NULL, 0,
395			    NULL, pulSignatureLen, B_TRUE, B_TRUE);
396		}
397
398		if ((rv == CKR_OK) && (pSignature != NULL))
399			(void) memcpy(pSignature, signature, *pulSignatureLen);
400
401		return (rv);
402	}
403	case CKM_AES_CMAC_GENERAL:
404	case CKM_AES_CMAC:
405	{
406		CK_BYTE signature[AES_BLOCK_LEN]; /* use the maximum size */
407
408		if (pSignature != NULL) {
409			/* Pass local buffer to avoid overflow. */
410			rv = soft_aes_sign_verify_common(session_p, NULL, 0,
411			    signature, pulSignatureLen, B_TRUE, B_TRUE);
412		} else {
413			/* Pass NULL, let callee handle it. */
414			rv = soft_aes_sign_verify_common(session_p, NULL, 0,
415			    NULL, pulSignatureLen, B_TRUE, B_TRUE);
416		}
417
418		if ((rv == CKR_OK) && (pSignature != NULL))
419			(void) memcpy(pSignature, signature, *pulSignatureLen);
420
421		return (rv);
422	}
423	case CKM_MD5_RSA_PKCS:
424	case CKM_SHA1_RSA_PKCS:
425	case CKM_SHA256_RSA_PKCS:
426	case CKM_SHA384_RSA_PKCS:
427	case CKM_SHA512_RSA_PKCS:
428
429		return (soft_rsa_digest_sign_common(session_p, NULL, 0,
430		    pSignature, pulSignatureLen, mechanism, B_TRUE));
431
432	case CKM_DSA_SHA1:
433
434		return (soft_dsa_digest_sign_common(session_p, NULL, 0,
435		    pSignature, pulSignatureLen, B_TRUE));
436
437	case CKM_ECDSA_SHA1:
438
439		return (soft_ecc_digest_sign_common(session_p, NULL, 0,
440		    pSignature, pulSignatureLen, B_TRUE));
441
442	default:
443		/* PKCS11: The mechanism only supports single-part operation. */
444		return (CKR_MECHANISM_INVALID);
445	}
446}
447
448
449CK_RV
450soft_sign_recover_init(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
451    soft_object_t *key_p)
452{
453
454	switch (pMechanism->mechanism) {
455
456	case CKM_RSA_X_509:
457	case CKM_RSA_PKCS:
458
459		return (soft_rsa_sign_verify_init_common(session_p, pMechanism,
460		    key_p, B_TRUE));
461
462	default:
463		return (CKR_MECHANISM_INVALID);
464	}
465}
466
467
468CK_RV
469soft_sign_recover(soft_session_t *session_p, CK_BYTE_PTR pData,
470    CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
471    CK_ULONG_PTR pulSignatureLen)
472{
473
474	CK_MECHANISM_TYPE mechanism = session_p->sign.mech.mechanism;
475
476	switch (mechanism) {
477
478	case CKM_RSA_X_509:
479	case CKM_RSA_PKCS:
480
481		return (soft_rsa_sign_common(session_p, pData, ulDataLen,
482		    pSignature, pulSignatureLen, mechanism));
483
484	default:
485		return (CKR_MECHANISM_INVALID);
486	}
487}
488
489/*
490 * This function frees the allocated active crypto context.
491 * It is only called by the first tier of sign/verify routines
492 * and the caller of this function may or may not hold the session mutex.
493 */
494void
495soft_sign_verify_cleanup(soft_session_t *session_p, boolean_t sign,
496    boolean_t lock_held)
497{
498
499	crypto_active_op_t *active_op;
500	boolean_t lock_true = B_TRUE;
501
502	if (!lock_held)
503		(void) pthread_mutex_lock(&session_p->session_mutex);
504
505	active_op = (sign) ? &(session_p->sign) : &(session_p->verify);
506
507	switch (active_op->mech.mechanism) {
508
509	case CKM_MD5_RSA_PKCS:
510	case CKM_SHA1_RSA_PKCS:
511	case CKM_SHA256_RSA_PKCS:
512	case CKM_SHA384_RSA_PKCS:
513	case CKM_SHA512_RSA_PKCS:
514		if (session_p->digest.context != NULL) {
515			free(session_p->digest.context);
516			session_p->digest.context = NULL;
517			session_p->digest.flags = 0;
518		}
519		/* FALLTHRU */
520
521	case CKM_RSA_PKCS:
522	case CKM_RSA_X_509:
523	{
524		soft_rsa_ctx_t *rsa_ctx =
525		    (soft_rsa_ctx_t *)active_op->context;
526
527		if (rsa_ctx != NULL && rsa_ctx->key != NULL) {
528			soft_cleanup_object(rsa_ctx->key);
529			free(rsa_ctx->key);
530		}
531		break;
532
533	}
534	case CKM_DSA_SHA1:
535		if (session_p->digest.context != NULL) {
536			free(session_p->digest.context);
537			session_p->digest.context = NULL;
538			session_p->digest.flags = 0;
539		}
540
541		/* FALLTHRU */
542	case CKM_DSA:
543	{
544		soft_dsa_ctx_t *dsa_ctx =
545		    (soft_dsa_ctx_t *)active_op->context;
546
547		if (dsa_ctx != NULL && dsa_ctx->key != NULL) {
548			soft_cleanup_object(dsa_ctx->key);
549			free(dsa_ctx->key);
550		}
551		break;
552
553	}
554	case CKM_SSL3_MD5_MAC:
555	case CKM_SSL3_SHA1_MAC:
556	case CKM_MD5_HMAC_GENERAL:
557	case CKM_MD5_HMAC:
558	case CKM_SHA_1_HMAC_GENERAL:
559	case CKM_SHA_1_HMAC:
560	case CKM_SHA256_HMAC_GENERAL:
561	case CKM_SHA256_HMAC:
562	case CKM_SHA384_HMAC_GENERAL:
563	case CKM_SHA384_HMAC:
564	case CKM_SHA512_HMAC_GENERAL:
565	case CKM_SHA512_HMAC:
566		if (active_op->context != NULL) {
567			explicit_bzero(active_op->context,
568			    sizeof (soft_hmac_ctx_t));
569		}
570		break;
571	case CKM_DES_MAC_GENERAL:
572	case CKM_DES_MAC:
573		if (session_p->encrypt.context != NULL) {
574			free(session_p->encrypt.context);
575			session_p->encrypt.context = NULL;
576			session_p->encrypt.flags = 0;
577		}
578		if (active_op->context != NULL) {
579			explicit_bzero(active_op->context,
580			    sizeof (soft_des_ctx_t));
581		}
582		break;
583
584	case CKM_AES_CMAC_GENERAL:
585	case CKM_AES_CMAC:
586		if (session_p->encrypt.context != NULL) {
587			soft_aes_free_ctx(session_p->encrypt.context);
588			session_p->encrypt.context = NULL;
589			session_p->encrypt.flags = 0;
590		}
591		if (active_op->context != NULL) {
592			explicit_bzero(active_op->context,
593			    sizeof (soft_aes_sign_ctx_t));
594		}
595		break;
596
597	}
598
599	if (active_op->context != NULL) {
600		free(active_op->context);
601		active_op->context = NULL;
602	}
603
604	active_op->flags = 0;
605
606	if (!lock_held)
607		SES_REFRELE(session_p, lock_true);
608}
609