search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dmake: do not set MAKEFLAGS=k
[unleashed/tickless.git] / usr / src / lib / pkcs11 / pkcs11_softtoken / common / softSSL.c
blobf971f21950449f16caa235b206657ff913082cc6
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
25
26 #include <fcntl.h>
27 #include <strings.h>
28 #include <sys/stat.h>
29 #include <sys/types.h>
30 #include <sys/sha1.h>
31 #include <sys/md5.h>
32 #include <sys/sysmacros.h>
33 #include <security/cryptoki.h>
34 #include "softGlobal.h"
35 #include "softKeys.h"
36 #include "softKeystore.h"
37 #include "softMAC.h"
38 #include "softObject.h"
39 #include "softSession.h"
40 #include "softSSL.h"
41
42 /*
43 * This files contains the implementation of the following PKCS#11
44 * mechanisms needed by SSL:
45 * CKM_SSL3_MASTER_KEY_DERIVE
46 * CKM_SSL3_MASTER_KEY_DERIVE_DH
47 * CKM_SSL3_KEY_AND_DERIVE
48 * CKM_TLS_MASTER_KEY_DERIVE
49 * CKM_TLS_MASTER_KEY_DERIVE_DH
50 * CKM_TLS_KEY_AND_DERIVE
51 *
52 * SSL refers to common functions between SSL v3.0 and SSL v3.1 (a.k.a TLS.)
53 */
54
55 #define MAX_KEYBLOCK 160 /* should be plenty for all known cipherspecs */
56
57 #define MAX_DEFAULT_ATTRS 10 /* Enough for major applicarions */
58
59 static char *ssl3_const_vals[] = {
60 "A",
61 "BB",
62 "CCC",
63 "DDDD",
64 "EEEEE",
65 "FFFFFF",
66 "GGGGGGG",
67 "HHHHHHHH",
68 "IIIIIIIII",
69 "JJJJJJJJJJ",
70 };
71 static uint_t ssl3_const_lens[] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
72
73 static uchar_t TLS_MASTER_SECRET_LABEL[] = {"master secret"};
74 #define TLS_MASTER_SECRET_LABEL_LEN 13
75
76 static uchar_t TLS_KEY_EXPANSION_LABEL[] = {"key expansion"};
77 #define TLS_KEY_EXPANSION_LABEL_LEN 13
78
79 static uchar_t TLS_CLIENT_KEY_LABEL[] = {"client write key"};
80 #define TLS_CLIENT_KEY_LABEL_LEN 16
81
82 static uchar_t TLS_SERVER_KEY_LABEL[] = {"server write key"};
83 #define TLS_SERVER_KEY_LABEL_LEN 16
84
85 static uchar_t TLS_IV_BLOCK_LABEL[] = {"IV block"};
86 #define TLS_IV_BLOCK_LABEL_LEN 8
87
88 static void P_MD5(uchar_t *, uint_t, uchar_t *, uint_t, uchar_t *, uint_t,
89 uchar_t *, uint_t, uchar_t *, uint_t, boolean_t);
90 static void P_SHA1(uchar_t *, uint_t, uchar_t *, uint_t, uchar_t *, uint_t,
91 uchar_t *, uint_t, uchar_t *, uint_t, boolean_t);
92
93 static CK_RV soft_add_derived_key(CK_ATTRIBUTE_PTR, CK_ULONG,
94 CK_OBJECT_HANDLE_PTR, soft_session_t *, soft_object_t *);
95 static void soft_delete_derived_key(soft_session_t *, soft_object_t *);
96 static void soft_ssl_weaken_key(CK_MECHANISM_PTR, uchar_t *, uint_t,
97 uchar_t *, uint_t, uchar_t *, uint_t, uchar_t *, boolean_t);
98
99 /*
100 * soft_ssl3_churn()
101 * Called for derivation of the master secret from the pre-master secret,
102 * and for the derivation of the key_block in an SSL3 handshake
103 * result is assumed to be larger than rounds * MD5_HASH_SIZE.
104 */
105 static void
106 soft_ssl3_churn(uchar_t *secret, uint_t secretlen, uchar_t *rand1,
107 uint_t rand1len, uchar_t *rand2, uint_t rand2len, int rounds,
108 uchar_t *result)
109 {
110 SHA1_CTX sha1_ctx;
111 MD5_CTX md5_ctx;
112 uchar_t sha1_digest[SHA1_HASH_SIZE];
113 int i;
114 uchar_t *ms = result;
115 for (i = 0; i < rounds; i++) {
116 SHA1Init(&sha1_ctx);
117 SHA1Update(&sha1_ctx, (const uint8_t *)ssl3_const_vals[i],
118 ssl3_const_lens[i]);
119 SHA1Update(&sha1_ctx, secret, secretlen);
120 SHA1Update(&sha1_ctx, rand1, rand1len);
121 SHA1Update(&sha1_ctx, rand2, rand2len);
122 SHA1Final(sha1_digest, &sha1_ctx);
123
124 MD5Init(&md5_ctx);
125 MD5Update(&md5_ctx, secret, secretlen);
126 MD5Update(&md5_ctx, sha1_digest, SHA1_HASH_SIZE);
127 MD5Final(ms, &md5_ctx);
128 ms += MD5_HASH_SIZE;
129 }
130 }
131
132 /*
133 * This TLS generic Pseudo Random Function expands a triplet
134 * {secret, label, seed} into any arbitrary length string of pseudo
135 * random bytes.
136 * Here, it is called for the derivation of the master secret from the
137 * pre-master secret, and for the derivation of the key_block in a TLS
138 * handshake
139 */
140 static void
141 soft_tls_prf(uchar_t *secret, uint_t secretlen, uchar_t *label, uint_t labellen,
142 uchar_t *rand1, uint_t rand1len, uchar_t *rand2, uint_t rand2len,
143 uchar_t *result, uint_t resultlen)
144 {
145 uchar_t *S1, *S2;
146 uchar_t md5_digested_key[MD5_HASH_SIZE];
147 uchar_t sha1_digested_key[SHA1_HASH_SIZE];
148 uint_t L_S, L_S1, L_S2;
149
150 /* secret is NULL for IV's in exportable ciphersuites */
151 if (secret == NULL) {
152 L_S = 0;
153 L_S2 = L_S1 = 0;
154 S1 = NULL;
155 S2 = NULL;
156 goto do_P_HASH;
157 }
158
159 L_S = roundup(secretlen, 2) / 2;
160 L_S1 = L_S;
161 L_S2 = L_S;
162 S1 = secret;
163 S2 = secret + (secretlen / 2); /* Possible overlap of S1 and S2. */
164
165 /* Reduce the half secrets if bigger than the HASH's block size */
166 if (L_S > MD5_HMAC_BLOCK_SIZE) {
167 MD5_CTX md5_ctx;
168 SHA1_CTX sha1_ctx;
169
170 MD5Init(&md5_ctx);
171 MD5Update(&md5_ctx, S1, L_S);
172 MD5Final(md5_digested_key, &md5_ctx);
173 S1 = md5_digested_key;
174 L_S1 = MD5_HASH_SIZE;
175
176 SHA1Init(&sha1_ctx);
177 SHA1Update(&sha1_ctx, S2, L_S);
178 SHA1Final(sha1_digested_key, &sha1_ctx);
179 S2 = sha1_digested_key;
180 L_S2 = SHA1_HASH_SIZE;
181 }
182
183 /*
184 * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
185 * P_SHA-1(S2, label + seed);
186 * the 'seed' here is rand1 + rand2
187 */
188 do_P_HASH:
189 /* The first one writes directly to the result */
190 P_MD5(S1, L_S1, label, labellen, rand1, rand1len, rand2, rand2len,
191 result, resultlen, B_FALSE);
192
193 /* The second one XOR's with the result. */
194 P_SHA1(S2, L_S2, label, labellen, rand1, rand1len, rand2, rand2len,
195 result, resultlen, B_TRUE);
196 }
197
198 /*
199 * These two expansion routines are very similar. (they can merge one day).
200 * They implement the P_HASH() function for MD5 and for SHA1, as defined in
201 * RFC2246:
202 *
203 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
204 * HMAC_hash(secret, A(2) + seed) +
205 * HMAC_hash(secret, A(3) + seed) + ...
206 * Where + indicates concatenation.
207 * A() is defined as:
208 * A(0) = seed
209 * A(i) = HMAC_hash(secret, A(i-1))
210 *
211 * The seed is the concatenation of 'babel', 'rand1', and 'rand2'.
212 */
213 static void
214 P_MD5(uchar_t *secret, uint_t secretlen, uchar_t *label, uint_t labellen,
215 uchar_t *rand1, uint_t rand1len, uchar_t *rand2, uint_t rand2len,
216 uchar_t *result, uint_t resultlen, boolean_t xor_it)
217 {
218 uint32_t md5_ipad[MD5_HMAC_INTS_PER_BLOCK];
219 uint32_t md5_opad[MD5_HMAC_INTS_PER_BLOCK];
220 uchar_t md5_hmac[MD5_HASH_SIZE];
221 uchar_t A[MD5_HASH_SIZE];
222 md5_hc_ctx_t md5_hmac_ctx;
223 uchar_t *res, *cur;
224 uint_t left = resultlen;
225 int i;
226
227 /* good compilers will leverage the aligment */
228 bzero(md5_ipad, MD5_HMAC_BLOCK_SIZE);
229 bzero(md5_opad, MD5_HMAC_BLOCK_SIZE);
230
231 if (secretlen > 0) {
232 bcopy(secret, md5_ipad, secretlen);
233 bcopy(secret, md5_opad, secretlen);
234 }
235
236 /* A(1) = HMAC_MD5(secret, rand1 + rand2) */
237 md5_hmac_ctx_init(&md5_hmac_ctx, md5_ipad, md5_opad);
238 SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, label, labellen);
239 SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, rand1, rand1len);
240 SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, rand2, rand2len);
241 SOFT_MAC_FINAL(MD5, &md5_hmac_ctx, A);
242
243 if (xor_it) {
244 res = md5_hmac;
245 cur = result;
246 } else {
247 res = result;
248 }
249
250 while (left > 0) {
251 /*
252 * Compute HMAC_MD5(secret, A(i) + seed);
253 * The secret is already expanded in the ictx and octx, so
254 * we can call the SOFT_MAC_INIT_CTX() directly.
255 */
256 SOFT_MAC_INIT_CTX(MD5, &md5_hmac_ctx, md5_ipad, md5_opad,
257 MD5_HMAC_BLOCK_SIZE);
258 SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, A, MD5_HASH_SIZE);
259 SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, label, labellen);
260 SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, rand1, rand1len);
261 SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, rand2, rand2len);
262
263 if (left > MD5_HASH_SIZE) {
264 SOFT_MAC_FINAL(MD5, &md5_hmac_ctx, res);
265 if (xor_it) {
266 for (i = 0; i < MD5_HASH_SIZE; i++) {
267 *cur ^= res[i];
268 cur++;
269 }
270 } else {
271 res += MD5_HASH_SIZE;
272 }
273 left -= MD5_HASH_SIZE;
274 } else {
275 SOFT_MAC_FINAL(MD5, &md5_hmac_ctx, md5_hmac);
276 if (xor_it) {
277 for (i = 0; i < left; i++) {
278 *cur ^= md5_hmac[i];
279 cur++;
280 }
281 } else {
282 bcopy(md5_hmac, res, left);
283 }
284 break;
285 }
286 /* A(i) = HMAC_MD5(secret, A(i-1) */
287 SOFT_MAC_INIT_CTX(MD5, &md5_hmac_ctx, md5_ipad, md5_opad,
288 MD5_HMAC_BLOCK_SIZE);
289 SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, A, MD5_HASH_SIZE);
290 SOFT_MAC_FINAL(MD5, &md5_hmac_ctx, A);
291 }
292 }
293 static void
294 P_SHA1(uchar_t *secret, uint_t secretlen, uchar_t *label, uint_t labellen,
295 uchar_t *rand1, uint_t rand1len, uchar_t *rand2, uint_t rand2len,
296 uchar_t *result, uint_t resultlen, boolean_t xor_it)
297 {
298 uint32_t sha1_ipad[SHA1_HMAC_INTS_PER_BLOCK];
299 uint32_t sha1_opad[SHA1_HMAC_INTS_PER_BLOCK];
300 uchar_t sha1_hmac[SHA1_HASH_SIZE];
301 uchar_t A[SHA1_HASH_SIZE];
302 sha1_hc_ctx_t sha1_hmac_ctx;
303 uchar_t *res, *cur;
304 uint_t left = resultlen;
305 int i;
306
307 /* good compilers will leverage the aligment */
308 bzero(sha1_ipad, SHA1_HMAC_BLOCK_SIZE);
309 bzero(sha1_opad, SHA1_HMAC_BLOCK_SIZE);
310
311 if (secretlen > 0) {
312 bcopy(secret, sha1_ipad, secretlen);
313 bcopy(secret, sha1_opad, secretlen);
314 }
315
316 /* A(1) = HMAC_SHA1(secret, rand1 + rand2) */
317 sha1_hmac_ctx_init(&sha1_hmac_ctx, sha1_ipad, sha1_opad);
318 SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, label, labellen);
319 SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, rand1, rand1len);
320 SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, rand2, rand2len);
321 SOFT_MAC_FINAL(SHA1, &sha1_hmac_ctx, A);
322
323 if (xor_it) {
324 res = sha1_hmac;
325 cur = result;
326 } else {
327 res = result;
328 }
329
330 while (left > 0) {
331 /*
332 * Compute HMAC_SHA1(secret, A(i) + seed);
333 * The secret is already expanded in the ictx and octx, so
334 * we can call the SOFT_MAC_INIT_CTX() directly.
335 */
336 SOFT_MAC_INIT_CTX(SHA1, &sha1_hmac_ctx,
337 (const uchar_t *)sha1_ipad, (const uchar_t *)sha1_opad,
338 SHA1_HMAC_BLOCK_SIZE);
339 SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, A, SHA1_HASH_SIZE);
340 SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, label, labellen);
341 SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, rand1, rand1len);
342 SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, rand2, rand2len);
343
344 if (left > SHA1_HASH_SIZE) {
345 SOFT_MAC_FINAL(SHA1, &sha1_hmac_ctx, res);
346 if (xor_it) {
347 for (i = 0; i < SHA1_HASH_SIZE; i++) {
348 *cur ^= res[i];
349 cur++;
350 }
351 } else {
352 res += SHA1_HASH_SIZE;
353 }
354 left -= SHA1_HASH_SIZE;
355 } else {
356 SOFT_MAC_FINAL(SHA1, &sha1_hmac_ctx, sha1_hmac);
357 if (xor_it) {
358 for (i = 0; i < left; i++) {
359 *cur ^= sha1_hmac[i];
360 cur++;
361 }
362 } else {
363 bcopy(sha1_hmac, res, left);
364 }
365 break;
366 }
367 /* A(i) = HMAC_SHA1(secret, A(i-1) */
368 SOFT_MAC_INIT_CTX(SHA1, &sha1_hmac_ctx,
369 (const uchar_t *)sha1_ipad, (const uchar_t *)sha1_opad,
370 SHA1_HMAC_BLOCK_SIZE);
371 SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, A, SHA1_HASH_SIZE);
372 SOFT_MAC_FINAL(SHA1, &sha1_hmac_ctx, A);
373 }
374 }
375
376 /* This function handles the call from C_DeriveKey for CKM_TLS_PRF */
377 CK_RV
378 derive_tls_prf(CK_TLS_PRF_PARAMS_PTR param, soft_object_t *basekey_p)
379 {
380
381 if (param->pOutput == NULL || param->pulOutputLen == 0)
382 return (CKR_BUFFER_TOO_SMALL);
383
384 (void) soft_tls_prf(OBJ_SEC_VALUE(basekey_p),
385 OBJ_SEC_VALUE_LEN(basekey_p), param->pLabel, param->ulLabelLen,
386 param->pSeed, param->ulSeedLen, NULL, 0, param->pOutput,
387 *param->pulOutputLen);
388
389 return (CKR_OK);
390 }
391
392
393 /*
394 * soft_ssl_master_key_derive()
395 *
396 * Arguments:
397 * . session_p
398 * . mech_p: key derivation mechanism. the mechanism parameter carries the
399 * client and master random from the Hello handshake messages.
400 * . basekey_p: The pre-master secret key.
401 * . pTemplate & ulAttributeCount: Any extra attributes for the key to be
402 * created.
403 * . phKey: store for handle to the derived key.
404 *
405 * Description:
406 * Derive the SSL master secret from the pre-master secret, the client
407 * and server random.
408 * In SSL 3.0, master_secret =
409 * MD5(pre_master_secret + SHA('A' + pre_master_secret +
410 * ClientHello.random + ServerHello.random)) +
411 * MD5(pre_master_secret + SHA('BB' + pre_master_secret +
412 * ClientHello.random + ServerHello.random)) +
413 * MD5(pre_master_secret + SHA('CCC' + pre_master_secret +
414 * ClientHello.random + ServerHello.random));
415 *
416 * In TLS 1.0 (a.k.a. SSL 3.1), master_secret =
417 * PRF(pre_master_secret, "master secret",
418 * ClientHello.random + ServerHello.random)
419 */
420 CK_RV
421 soft_ssl_master_key_derive(soft_session_t *sp, CK_MECHANISM_PTR mech,
422 soft_object_t *basekey_p, CK_ATTRIBUTE_PTR pTemplate,
423 CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey)
424 {
425 uchar_t *pmsecret = OBJ_SEC_VALUE(basekey_p);
426 uint_t pmlen = OBJ_SEC_VALUE_LEN(basekey_p);
427 CK_SSL3_MASTER_KEY_DERIVE_PARAMS *mkd_params;
428 CK_SSL3_RANDOM_DATA *random_data;
429 CK_VERSION_PTR pVersion;
430 uchar_t ssl_master_secret[48];
431 CK_OBJECT_CLASS class = CKO_SECRET_KEY;
432 CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
433 CK_BBOOL true = TRUE;
434 CK_ATTRIBUTE obj_tmpl[MAX_DEFAULT_ATTRS];
435 CK_ATTRIBUTE_PTR new_tmpl;
436 CK_ULONG newattrcount;
437 boolean_t new_tmpl_allocated = B_FALSE, is_tls = B_FALSE;
438 ulong_t i;
439 CK_RV rv = CKR_OK;
440 uint_t ClientRandomLen, ServerRandomLen;
441
442 /* Check the validity of the mechanism's parameter */
443
444 mkd_params = (CK_SSL3_MASTER_KEY_DERIVE_PARAMS *)mech->pParameter;
445
446 if (mkd_params == NULL ||
447 mech->ulParameterLen != sizeof (CK_SSL3_MASTER_KEY_DERIVE_PARAMS))
448 return (CKR_MECHANISM_PARAM_INVALID);
449
450 pVersion = mkd_params->pVersion;
451
452 switch (mech->mechanism) {
453 case CKM_TLS_MASTER_KEY_DERIVE:
454 is_tls = B_TRUE;
455 /* FALLTHRU */
456 case CKM_SSL3_MASTER_KEY_DERIVE:
457 /* Invalid pre-master key length. What else to return? */
458 if (pmlen != 48)
459 return (CKR_ARGUMENTS_BAD);
460
461 /* Get the SSL version number from the premaster secret */
462 if (pVersion == NULL_PTR)
463 return (CKR_MECHANISM_PARAM_INVALID);
464
465 bcopy(pmsecret, pVersion, sizeof (CK_VERSION));
466
467 break;
468 case CKM_TLS_MASTER_KEY_DERIVE_DH:
469 is_tls = B_TRUE;
470 /* FALLTHRU */
471 case CKM_SSL3_MASTER_KEY_DERIVE_DH:
472 if (pVersion != NULL_PTR)
473 return (CKR_MECHANISM_PARAM_INVALID);
474 }
475
476 random_data = &mkd_params->RandomInfo;
477 ClientRandomLen = random_data->ulClientRandomLen;
478 ServerRandomLen = random_data->ulServerRandomLen;
479
480 if (random_data->pClientRandom == NULL_PTR || ClientRandomLen == 0 ||
481 random_data->pServerRandom == NULL_PTR || ServerRandomLen == 0) {
482 return (CKR_MECHANISM_PARAM_INVALID);
483 }
484
485 /* Now the actual secret derivation */
486 if (!is_tls) {
487 soft_ssl3_churn(pmsecret, pmlen, random_data->pClientRandom,
488 ClientRandomLen, random_data->pServerRandom,
489 ServerRandomLen, 3, ssl_master_secret);
490 } else {
491 soft_tls_prf(pmsecret, pmlen, TLS_MASTER_SECRET_LABEL,
492 TLS_MASTER_SECRET_LABEL_LEN, random_data->pClientRandom,
493 ClientRandomLen, random_data->pServerRandom,
494 ServerRandomLen, ssl_master_secret, 48);
495 }
496
497 /*
498 * The object creation attributes need to be in one contiguous
499 * array. In addition to the attrs from the application supplied
500 * pTemplates, We need to add the class, type, value, valuelen and
501 * CKA_DERIVE.
502 * In the most likely case, the application passes between zero and
503 * handful of attributes, We optimize for that case by allocating
504 * the new template on the stack. Oherwise we malloc() it.
505 */
506
507 newattrcount = ulAttributeCount + 4;
508 if (newattrcount > MAX_DEFAULT_ATTRS) {
509 new_tmpl = malloc(sizeof (CK_ATTRIBUTE) * newattrcount);
510
511 if (new_tmpl == NULL)
512 return (CKR_HOST_MEMORY);
513
514 new_tmpl_allocated = B_TRUE;
515 } else
516 new_tmpl = obj_tmpl;
517
518 /*
519 * Fill in the new template.
520 * We put the attributes contributed by the mechanism first
521 * so that they override the application supplied ones.
522 */
523 new_tmpl[0].type = CKA_CLASS;
524 new_tmpl[0].pValue = &class;
525 new_tmpl[0].ulValueLen = sizeof (class);
526 new_tmpl[1].type = CKA_KEY_TYPE;
527 new_tmpl[1].pValue = &keyType;
528 new_tmpl[1].ulValueLen = sizeof (keyType);
529 new_tmpl[2].type = CKA_DERIVE;
530 new_tmpl[2].pValue = &true;
531 new_tmpl[2].ulValueLen = sizeof (true);
532 new_tmpl[3].type = CKA_VALUE;
533 new_tmpl[3].pValue = ssl_master_secret;
534 new_tmpl[3].ulValueLen = 48;
535
536 /* Any attributes left? */
537 if (ulAttributeCount > 0) {
538
539 /* Validate the default class and type attributes */
540 for (i = 0; i < ulAttributeCount; i++) {
541 /* The caller is responsible for proper alignment */
542 if ((pTemplate[i].type == CKA_CLASS) &&
543 (*((CK_OBJECT_CLASS *)pTemplate[i].pValue) !=
544 CKO_SECRET_KEY)) {
545 rv = CKR_TEMPLATE_INCONSISTENT;
546 goto out;
547 }
548 if ((pTemplate[i].type == CKA_KEY_TYPE) &&
549 (*((CK_KEY_TYPE *)pTemplate[i].pValue) !=
550 CKK_GENERIC_SECRET)) {
551 rv = CKR_TEMPLATE_INCONSISTENT;
552 goto out;
553 }
554 }
555 bcopy(pTemplate, &new_tmpl[4],
556 ulAttributeCount * sizeof (CK_ATTRIBUTE));
557 }
558
559 rv = soft_add_derived_key(new_tmpl, newattrcount, phKey, sp, basekey_p);
560 out:
561 if (new_tmpl_allocated)
562 free(new_tmpl);
563
564 return (rv);
565 }
566
567 /*
568 * soft_ssl3_key_and_mac_derive()
569 *
570 * Arguments:
571 * . session_p
572 * . mech_p: key derivation mechanism. the mechanism parameter carries the
573 * client and mastter random from the Hello handshake messages,
574 * the specification of the key and IV sizes, and the location
575 * for the resulting keys and IVs.
576 * . basekey_p: The master secret key.
577 * . pTemplate & ulAttributeCount: Any extra attributes for the key to be
578 * created.
579 *
580 * Description:
581 * Derive the SSL key material (Client and server MAC secrets, symmetric
582 * keys and IVs), from the master secret and the client
583 * and server random.
584 * First a keyblock is generated usining the following formula:
585 * key_block =
586 * MD5(master_secret + SHA(`A' + master_secret +
587 * ServerHello.random +
588 * ClientHello.random)) +
589 * MD5(master_secret + SHA(`BB' + master_secret +
590 * ServerHello.random +
591 * ClientHello.random)) +
592 * MD5(master_secret + SHA(`CCC' + master_secret +
593 * ServerHello.random +
594 * ClientHello.random)) + [...];
595 *
596 * In TLS 1.0 (a.k.a. SSL 3.1), key_block =
597 * PRF(master_secret, "key expansion",
598 * ServerHello.random + ClientHello.random)
599 *
600 * Then the keys materials are taken from the keyblock.
601 */
602
603 CK_RV
604 soft_ssl_key_and_mac_derive(soft_session_t *sp, CK_MECHANISM_PTR mech,
605 soft_object_t *basekey_p, CK_ATTRIBUTE_PTR pTemplate,
606 CK_ULONG ulAttributeCount)
607 {
608 uchar_t *msecret = OBJ_SEC_VALUE(basekey_p);
609 uint_t mslen = OBJ_SEC_VALUE_LEN(basekey_p);
610 CK_SSL3_KEY_MAT_PARAMS *km_params;
611 CK_SSL3_RANDOM_DATA *random_data;
612 CK_SSL3_KEY_MAT_OUT *kmo;
613 uchar_t key_block[MAX_KEYBLOCK], *kb, *export_keys = NULL;
614 CK_OBJECT_CLASS class = CKO_SECRET_KEY;
615 CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
616 CK_BBOOL true = TRUE;
617 CK_ATTRIBUTE obj_tmpl[MAX_DEFAULT_ATTRS];
618 CK_ATTRIBUTE_PTR new_tmpl;
619 ulong_t newattrcount, mac_key_bytes, secret_key_bytes, iv_bytes;
620 ulong_t extra_attr_count;
621 uint_t size;
622 int rounds, n = 0;
623 boolean_t new_tmpl_allocated = B_FALSE, isExport;
624 CK_RV rv = CKR_OK;
625 uint_t ClientRandomLen, ServerRandomLen;
626
627 /* Check the validity of the mechanism's parameter */
628
629 km_params = (CK_SSL3_KEY_MAT_PARAMS *)mech->pParameter;
630
631 if (km_params == NULL ||
632 mech->ulParameterLen != sizeof (CK_SSL3_KEY_MAT_PARAMS) ||
633 (kmo = km_params->pReturnedKeyMaterial) == NULL)
634 return (CKR_MECHANISM_PARAM_INVALID);
635
636 isExport = (km_params->bIsExport == TRUE);
637
638 random_data = &km_params->RandomInfo;
639 ClientRandomLen = random_data->ulClientRandomLen;
640 ServerRandomLen = random_data->ulServerRandomLen;
641
642 if (random_data->pClientRandom == NULL_PTR || ClientRandomLen == 0 ||
643 random_data->pServerRandom == NULL_PTR || ServerRandomLen == 0) {
644 return (CKR_MECHANISM_PARAM_INVALID);
645 }
646
647 mac_key_bytes = km_params->ulMacSizeInBits / 8;
648 secret_key_bytes = km_params->ulKeySizeInBits / 8;
649 iv_bytes = km_params->ulIVSizeInBits / 8;
650
651 if ((iv_bytes > 0) &&
652 ((kmo->pIVClient == NULL) || (kmo->pIVServer == NULL)))
653 return (CKR_MECHANISM_PARAM_INVALID);
654
655 /*
656 * For exportable ciphersuites, the IV's aren't taken from the
657 * key block. They are directly derived from the client and
658 * server random data.
659 * For SSL3.0:
660 * client_write_IV = MD5(ClientHello.random + ServerHello.random);
661 * server_write_IV = MD5(ServerHello.random + ClientHello.random);
662 * For TLS1.0:
663 * iv_block = PRF("", "IV block", client_random +
664 * server_random)[0..15]
665 * client_write_IV = iv_block[0..7]
666 * server_write_IV = iv_block[8..15]
667 */
668 if ((isExport) && (iv_bytes > 0)) {
669
670 if (mech->mechanism == CKM_SSL3_KEY_AND_MAC_DERIVE) {
671 MD5_CTX exp_md5_ctx;
672
673 if (iv_bytes > MD5_HASH_SIZE)
674 return (CKR_MECHANISM_PARAM_INVALID);
675
676 MD5Init(&exp_md5_ctx);
677 MD5Update(&exp_md5_ctx, random_data->pClientRandom,
678 ClientRandomLen);
679 MD5Update(&exp_md5_ctx, random_data->pServerRandom,
680 ServerRandomLen);
681
682 /* there's room in key_block. use it */
683 MD5Final(key_block, &exp_md5_ctx);
684 bcopy(key_block, kmo->pIVClient, iv_bytes);
685
686 MD5Init(&exp_md5_ctx);
687 MD5Update(&exp_md5_ctx, random_data->pServerRandom,
688 ServerRandomLen);
689 MD5Update(&exp_md5_ctx, random_data->pClientRandom,
690 ClientRandomLen);
691 MD5Final(key_block, &exp_md5_ctx);
692 bcopy(key_block, kmo->pIVServer, iv_bytes);
693 } else {
694 uchar_t iv_block[16];
695
696 if (iv_bytes != 8)
697 return (CKR_MECHANISM_PARAM_INVALID);
698
699 soft_tls_prf(NULL, 0, TLS_IV_BLOCK_LABEL,
700 TLS_IV_BLOCK_LABEL_LEN,
701 random_data->pClientRandom, ClientRandomLen,
702 random_data->pServerRandom, ServerRandomLen,
703 iv_block, 16);
704 bcopy(iv_block, kmo->pIVClient, 8);
705 bcopy(iv_block + 8, kmo->pIVServer, 8);
706 }
707 /* so we won't allocate a key_block bigger than needed */
708 iv_bytes = 0;
709 }
710
711 /* Now the actual secret derivation */
712
713 size = (mac_key_bytes + secret_key_bytes + iv_bytes) * 2;
714
715 /* Need to handle this better */
716 if (size > MAX_KEYBLOCK)
717 return (CKR_MECHANISM_PARAM_INVALID);
718
719 rounds = howmany(size, MD5_HASH_SIZE);
720
721 kb = key_block;
722
723 if (mech->mechanism == CKM_SSL3_KEY_AND_MAC_DERIVE) {
724 soft_ssl3_churn(msecret, mslen, random_data->pServerRandom,
725 ServerRandomLen, random_data->pClientRandom,
726 ClientRandomLen, rounds, kb);
727 } else {
728 soft_tls_prf(msecret, mslen, TLS_KEY_EXPANSION_LABEL,
729 TLS_KEY_EXPANSION_LABEL_LEN,
730 random_data->pServerRandom, ServerRandomLen,
731 random_data->pClientRandom, ClientRandomLen,
732 kb, size);
733 }
734
735 /* Now create the objects */
736
737 kmo->hClientMacSecret = CK_INVALID_HANDLE;
738 kmo->hServerMacSecret = CK_INVALID_HANDLE;
739 kmo->hClientKey = CK_INVALID_HANDLE;
740 kmo->hServerKey = CK_INVALID_HANDLE;
741
742 /* First the MAC secrets */
743 if (mac_key_bytes > 0) {
744 obj_tmpl[0].type = CKA_CLASS;
745 obj_tmpl[0].pValue = &class; /* CKO_SECRET_KEY */
746 obj_tmpl[0].ulValueLen = sizeof (class);
747 obj_tmpl[1].type = CKA_KEY_TYPE;
748 obj_tmpl[1].pValue = &keyType; /* CKK_GENERIC_SECRET */
749 obj_tmpl[1].ulValueLen = sizeof (keyType);
750 obj_tmpl[2].type = CKA_DERIVE;
751 obj_tmpl[2].pValue = &true;
752 obj_tmpl[2].ulValueLen = sizeof (true);
753 obj_tmpl[3].type = CKA_SIGN;
754 obj_tmpl[3].pValue = &true;
755 obj_tmpl[3].ulValueLen = sizeof (true);
756 obj_tmpl[4].type = CKA_VERIFY;
757 obj_tmpl[4].pValue = &true;
758 obj_tmpl[4].ulValueLen = sizeof (true);
759 obj_tmpl[5].type = CKA_VALUE;
760 obj_tmpl[5].pValue = kb;
761 obj_tmpl[5].ulValueLen = mac_key_bytes;
762
763 rv = soft_add_derived_key(obj_tmpl, 6,
764 &(kmo->hClientMacSecret), sp, basekey_p);
765
766 if (rv != CKR_OK)
767 goto out_err;
768
769 kb += mac_key_bytes;
770
771 obj_tmpl[5].pValue = kb;
772 rv = soft_add_derived_key(obj_tmpl, 6,
773 &(kmo->hServerMacSecret), sp, basekey_p);
774
775 if (rv != CKR_OK)
776 goto out_err;
777
778 kb += mac_key_bytes;
779 }
780
781 /* Then the symmetric ciphers keys */
782
783 extra_attr_count = (secret_key_bytes == 0) ? 6 : 5;
784 newattrcount = ulAttributeCount + extra_attr_count;
785 if (newattrcount > MAX_DEFAULT_ATTRS) {
786 new_tmpl = malloc(sizeof (CK_ATTRIBUTE) * newattrcount);
787
788 if (new_tmpl == NULL)
789 return (CKR_HOST_MEMORY);
790
791 new_tmpl_allocated = B_TRUE;
792 } else
793 new_tmpl = obj_tmpl;
794
795 new_tmpl[n].type = CKA_CLASS;
796 new_tmpl[n].pValue = &class; /* CKO_SECRET_KEY */
797 new_tmpl[n].ulValueLen = sizeof (class);
798 ++n;
799 /*
800 * The keyType comes from the application's template, and depends
801 * on the ciphersuite. The only exception is authentication only
802 * ciphersuites which do not use cipher keys.
803 */
804 if (secret_key_bytes == 0) {
805 new_tmpl[n].type = CKA_KEY_TYPE;
806 new_tmpl[n].pValue = &keyType; /* CKK_GENERIC_SECRET */
807 new_tmpl[n].ulValueLen = sizeof (keyType);
808 n++;
809 }
810 new_tmpl[n].type = CKA_DERIVE;
811 new_tmpl[n].pValue = &true;
812 new_tmpl[n].ulValueLen = sizeof (true);
813 n++;
814 new_tmpl[n].type = CKA_ENCRYPT;
815 new_tmpl[n].pValue = &true;
816 new_tmpl[n].ulValueLen = sizeof (true);
817 n++;
818 new_tmpl[n].type = CKA_DECRYPT;
819 new_tmpl[n].pValue = &true;
820 new_tmpl[n].ulValueLen = sizeof (true);
821 n++;
822 new_tmpl[n].type = CKA_VALUE;
823 new_tmpl[n].pValue = NULL;
824 new_tmpl[n].ulValueLen = 0;
825
826 if (secret_key_bytes > 0) {
827 if (isExport) {
828 if (secret_key_bytes > MD5_HASH_SIZE) {
829 rv = CKR_MECHANISM_PARAM_INVALID;
830 goto out_err;
831 }
832 if ((export_keys = malloc(2 * MD5_HASH_SIZE)) == NULL) {
833 rv = CKR_HOST_MEMORY;
834 goto out_err;
835 }
836 soft_ssl_weaken_key(mech, kb, secret_key_bytes,
837 random_data->pClientRandom, ClientRandomLen,
838 random_data->pServerRandom, ServerRandomLen,
839 export_keys, B_TRUE);
840 new_tmpl[n].pValue = export_keys;
841 new_tmpl[n].ulValueLen = MD5_HASH_SIZE;
842 } else {
843 new_tmpl[n].pValue = kb;
844 new_tmpl[n].ulValueLen = secret_key_bytes;
845 }
846 }
847
848 if (ulAttributeCount > 0)
849 bcopy(pTemplate, &new_tmpl[extra_attr_count],
850 ulAttributeCount * sizeof (CK_ATTRIBUTE));
851
852 rv = soft_add_derived_key(new_tmpl, newattrcount,
853 &(kmo->hClientKey), sp, basekey_p);
854
855 if (rv != CKR_OK)
856 goto out_err;
857
858 kb += secret_key_bytes;
859
860 if (secret_key_bytes > 0) {
861 if (isExport) {
862 soft_ssl_weaken_key(mech, kb, secret_key_bytes,
863 random_data->pServerRandom, ServerRandomLen,
864 random_data->pClientRandom, ClientRandomLen,
865 export_keys + MD5_HASH_SIZE, B_FALSE);
866 new_tmpl[n].pValue = export_keys + MD5_HASH_SIZE;
867 } else
868 new_tmpl[n].pValue = kb;
869 }
870
871 rv = soft_add_derived_key(new_tmpl, newattrcount,
872 &(kmo->hServerKey), sp, basekey_p);
873
874 if (rv != CKR_OK)
875 goto out_err;
876
877 kb += secret_key_bytes;
878
879 /* Finally, the IVs */
880 if (iv_bytes > 0) {
881 bcopy(kb, kmo->pIVClient, iv_bytes);
882 kb += iv_bytes;
883 bcopy(kb, kmo->pIVServer, iv_bytes);
884 }
885
886 if (new_tmpl_allocated)
887 free(new_tmpl);
888
889 free(export_keys);
890
891 return (rv);
892
893 out_err:
894 if (kmo->hClientMacSecret != CK_INVALID_HANDLE) {
895 (void) soft_delete_derived_key(sp,
896 (soft_object_t *)(kmo->hClientMacSecret));
897 kmo->hClientMacSecret = CK_INVALID_HANDLE;
898 }
899 if (kmo->hServerMacSecret != CK_INVALID_HANDLE) {
900 (void) soft_delete_derived_key(sp,
901 (soft_object_t *)(kmo->hServerMacSecret));
902 kmo->hServerMacSecret = CK_INVALID_HANDLE;
903 }
904 if (kmo->hClientKey != CK_INVALID_HANDLE) {
905 (void) soft_delete_derived_key(sp,
906 (soft_object_t *)(kmo->hClientKey));
907 kmo->hClientKey = CK_INVALID_HANDLE;
908 }
909 if (kmo->hServerKey != CK_INVALID_HANDLE) {
910 (void) soft_delete_derived_key(sp,
911 (soft_object_t *)(kmo->hServerKey));
912 kmo->hServerKey = CK_INVALID_HANDLE;
913 }
914
915 if (new_tmpl_allocated)
916 free(new_tmpl);
917
918 free(export_keys);
919
920 return (rv);
921 }
922
923 /*
924 * Add the derived key to the session, and, if it's a token object,
925 * write it to the token.
926 */
927 static CK_RV
928 soft_add_derived_key(CK_ATTRIBUTE_PTR tmpl, CK_ULONG attrcount,
929 CK_OBJECT_HANDLE_PTR phKey, soft_session_t *sp, soft_object_t *basekey_p)
930 {
931 CK_RV rv;
932 soft_object_t *secret_key;
933
934 if ((secret_key = calloc(1, sizeof (soft_object_t))) == NULL) {
935 return (CKR_HOST_MEMORY);
936 }
937
938 if (((rv = soft_build_secret_key_object(tmpl, attrcount, secret_key,
939 SOFT_CREATE_OBJ_INT, 0, (CK_KEY_TYPE)~0UL)) != CKR_OK) ||
940 ((rv = soft_pin_expired_check(secret_key)) != CKR_OK) ||
941 ((rv = soft_object_write_access_check(sp, secret_key)) != CKR_OK)) {
942
943 free(secret_key);
944 return (rv);
945 }
946
947 /* Set the sensitivity and extractability attributes as a needed */
948 soft_derive_enforce_flags(basekey_p, secret_key);
949
950 /* Initialize the rest of stuffs in soft_object_t. */
951 (void) pthread_mutex_init(&secret_key->object_mutex, NULL);
952 secret_key->magic_marker = SOFTTOKEN_OBJECT_MAGIC;
953
954 /* ... and, if it needs to persist, write on the token */
955 if (IS_TOKEN_OBJECT(secret_key)) {
956 secret_key->session_handle = (CK_SESSION_HANDLE)NULL;
957 soft_add_token_object_to_slot(secret_key);
958 rv = soft_put_object_to_keystore(secret_key);
959 if (rv != CKR_OK) {
960 soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
961 return (rv);
962 }
963 *phKey = (CK_OBJECT_HANDLE)secret_key;
964
965 return (CKR_OK);
966 }
967
968 /* Add the new object to the session's object list. */
969 soft_add_object_to_session(secret_key, sp);
970 secret_key->session_handle = (CK_SESSION_HANDLE)sp;
971
972 *phKey = (CK_OBJECT_HANDLE)secret_key;
973
974 return (rv);
975 }
976
977 /*
978 * Delete the derived key from the session, and, if it's a token object,
979 * remove it from the token.
980 */
981 static void
982 soft_delete_derived_key(soft_session_t *sp, soft_object_t *key)
983 {
984 /* session_handle is the creating session. It's NULL for token objs */
985
986 if (IS_TOKEN_OBJECT(key))
987 soft_delete_token_object(key, B_FALSE, B_FALSE);
988 else
989 soft_delete_object(sp, key, B_FALSE, B_FALSE);
990 }
991
992 /*
993 * soft_ssl_weaken_key()
994 * Reduce the key length to an exportable size.
995 * For SSL3.0:
996 * final_client_write_key = MD5(client_write_key +
997 * ClientHello.random +
998 * ServerHello.random);
999 * final_server_write_key = MD5(server_write_key +
1000 * ServerHello.random +
1001 * ClientHello.random);
1002 * For TLS1.0:
1003 * final_client_write_key = PRF(SecurityParameters.client_write_key,
1004 * "client write key",
1005 * SecurityParameters.client_random +
1006 * SecurityParameters.server_random)[0..15];
1007 * final_server_write_key = PRF(SecurityParameters.server_write_key,
1008 * "server write key",
1009 * SecurityParameters.client_random +
1010 * SecurityParameters.server_random)[0..15];
1011 */
1012 static void
1013 soft_ssl_weaken_key(CK_MECHANISM_PTR mech, uchar_t *secret, uint_t secretlen,
1014 uchar_t *rand1, uint_t rand1len, uchar_t *rand2, uint_t rand2len,
1015 uchar_t *result, boolean_t isclient)
1016 {
1017 MD5_CTX exp_md5_ctx;
1018 uchar_t *label;
1019 uint_t labellen;
1020
1021 if (mech->mechanism == CKM_SSL3_KEY_AND_MAC_DERIVE) {
1022 MD5Init(&exp_md5_ctx);
1023 MD5Update(&exp_md5_ctx, secret, secretlen);
1024 MD5Update(&exp_md5_ctx, rand1, rand1len);
1025 MD5Update(&exp_md5_ctx, rand2, rand2len);
1026 MD5Final(result, &exp_md5_ctx);
1027 } else {
1028 if (isclient) {
1029 label = TLS_CLIENT_KEY_LABEL;
1030 labellen = TLS_CLIENT_KEY_LABEL_LEN;
1031 soft_tls_prf(secret, secretlen, label, labellen,
1032 rand1, rand1len, rand2, rand2len, result, 16);
1033 } else {
1034 label = TLS_SERVER_KEY_LABEL;
1035 labellen = TLS_SERVER_KEY_LABEL_LEN;
1036 soft_tls_prf(secret, secretlen, label, labellen,
1037 rand2, rand2len, rand1, rand1len, result, 16);
1038 }
1039 }
1040 }
unleashed repo fork