1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5 #include "seccomon.h"
6 #include "secerr.h"
7 #include "blapi.h"
8 #include "pkcs11i.h"
9 #include "softoken.h"
10 #include "hmacct.h"
11
12 /* sftk_HMACMechanismToHash converts a PKCS#11 MAC mechanism into a freebl hash
13 * type. */
14 HASH_HashType
sftk_HMACMechanismToHash(CK_MECHANISM_TYPE mech)15 sftk_HMACMechanismToHash(CK_MECHANISM_TYPE mech)
16 {
17 switch (mech) {
18 case CKM_MD2_HMAC:
19 return HASH_AlgMD2;
20 case CKM_MD5_HMAC:
21 case CKM_SSL3_MD5_MAC:
22 return HASH_AlgMD5;
23 case CKM_SHA_1_HMAC:
24 case CKM_SSL3_SHA1_MAC:
25 return HASH_AlgSHA1;
26 case CKM_SHA224_HMAC:
27 return HASH_AlgSHA224;
28 case CKM_SHA256_HMAC:
29 return HASH_AlgSHA256;
30 case CKM_SHA384_HMAC:
31 return HASH_AlgSHA384;
32 case CKM_SHA512_HMAC:
33 return HASH_AlgSHA512;
34 }
35 return HASH_AlgNULL;
36 }
37
38 static sftk_MACConstantTimeCtx *
SetupMAC(CK_MECHANISM_PTR mech,SFTKObject * key)39 SetupMAC(CK_MECHANISM_PTR mech, SFTKObject *key)
40 {
41 CK_NSS_MAC_CONSTANT_TIME_PARAMS *params =
42 (CK_NSS_MAC_CONSTANT_TIME_PARAMS *)mech->pParameter;
43 sftk_MACConstantTimeCtx *ctx;
44 HASH_HashType alg;
45 SFTKAttribute *keyval;
46 unsigned char secret[sizeof(ctx->secret)];
47 unsigned int secretLength;
48
49 if (mech->ulParameterLen != sizeof(CK_NSS_MAC_CONSTANT_TIME_PARAMS)) {
50 return NULL;
51 }
52
53 alg = sftk_HMACMechanismToHash(params->macAlg);
54 if (alg == HASH_AlgNULL) {
55 return NULL;
56 }
57
58 keyval = sftk_FindAttribute(key, CKA_VALUE);
59 if (keyval == NULL) {
60 return NULL;
61 }
62 secretLength = keyval->attrib.ulValueLen;
63 if (secretLength > sizeof(secret)) {
64 sftk_FreeAttribute(keyval);
65 return NULL;
66 }
67 memcpy(secret, keyval->attrib.pValue, secretLength);
68 sftk_FreeAttribute(keyval);
69
70 ctx = PORT_Alloc(sizeof(sftk_MACConstantTimeCtx));
71 if (!ctx) {
72 return NULL;
73 }
74
75 memcpy(ctx->secret, secret, secretLength);
76 ctx->secretLength = secretLength;
77 ctx->hash = HASH_GetRawHashObject(alg);
78 ctx->totalLength = params->ulBodyTotalLen;
79
80 return ctx;
81 }
82
83 sftk_MACConstantTimeCtx *
sftk_HMACConstantTime_New(CK_MECHANISM_PTR mech,SFTKObject * key)84 sftk_HMACConstantTime_New(CK_MECHANISM_PTR mech, SFTKObject *key)
85 {
86 CK_NSS_MAC_CONSTANT_TIME_PARAMS *params =
87 (CK_NSS_MAC_CONSTANT_TIME_PARAMS *)mech->pParameter;
88 sftk_MACConstantTimeCtx *ctx;
89
90 if (params->ulHeaderLen > sizeof(ctx->header)) {
91 return NULL;
92 }
93 ctx = SetupMAC(mech, key);
94 if (!ctx) {
95 return NULL;
96 }
97
98 ctx->headerLength = params->ulHeaderLen;
99 memcpy(ctx->header, params->pHeader, params->ulHeaderLen);
100 return ctx;
101 }
102
103 sftk_MACConstantTimeCtx *
sftk_SSLv3MACConstantTime_New(CK_MECHANISM_PTR mech,SFTKObject * key)104 sftk_SSLv3MACConstantTime_New(CK_MECHANISM_PTR mech, SFTKObject *key)
105 {
106 CK_NSS_MAC_CONSTANT_TIME_PARAMS *params =
107 (CK_NSS_MAC_CONSTANT_TIME_PARAMS *)mech->pParameter;
108 unsigned int padLength = 40, j;
109 sftk_MACConstantTimeCtx *ctx;
110
111 if (params->macAlg != CKM_SSL3_MD5_MAC &&
112 params->macAlg != CKM_SSL3_SHA1_MAC) {
113 return NULL;
114 }
115 ctx = SetupMAC(mech, key);
116 if (!ctx) {
117 return NULL;
118 }
119
120 if (params->macAlg == CKM_SSL3_MD5_MAC) {
121 padLength = 48;
122 }
123
124 ctx->headerLength =
125 ctx->secretLength +
126 padLength +
127 params->ulHeaderLen;
128
129 if (ctx->headerLength > sizeof(ctx->header)) {
130 goto loser;
131 }
132
133 j = 0;
134 memcpy(&ctx->header[j], ctx->secret, ctx->secretLength);
135 j += ctx->secretLength;
136 memset(&ctx->header[j], 0x36, padLength);
137 j += padLength;
138 memcpy(&ctx->header[j], params->pHeader, params->ulHeaderLen);
139
140 return ctx;
141
142 loser:
143 PORT_Free(ctx);
144 return NULL;
145 }
146
147 void
sftk_HMACConstantTime_Update(void * pctx,const void * data,unsigned int len)148 sftk_HMACConstantTime_Update(void *pctx, const void *data, unsigned int len)
149 {
150 sftk_MACConstantTimeCtx *ctx = (sftk_MACConstantTimeCtx *)pctx;
151 PORT_CheckSuccess(HMAC_ConstantTime(
152 ctx->mac, NULL, sizeof(ctx->mac),
153 ctx->hash,
154 ctx->secret, ctx->secretLength,
155 ctx->header, ctx->headerLength,
156 data, len,
157 ctx->totalLength));
158 }
159
160 void
sftk_SSLv3MACConstantTime_Update(void * pctx,const void * data,unsigned int len)161 sftk_SSLv3MACConstantTime_Update(void *pctx, const void *data, unsigned int len)
162 {
163 sftk_MACConstantTimeCtx *ctx = (sftk_MACConstantTimeCtx *)pctx;
164 PORT_CheckSuccess(SSLv3_MAC_ConstantTime(
165 ctx->mac, NULL, sizeof(ctx->mac),
166 ctx->hash,
167 ctx->secret, ctx->secretLength,
168 ctx->header, ctx->headerLength,
169 data, len,
170 ctx->totalLength));
171 }
172
173 void
sftk_MACConstantTime_EndHash(void * pctx,void * out,unsigned int * outLength,unsigned int maxLength)174 sftk_MACConstantTime_EndHash(void *pctx, void *out, unsigned int *outLength,
175 unsigned int maxLength)
176 {
177 const sftk_MACConstantTimeCtx *ctx = (sftk_MACConstantTimeCtx *)pctx;
178 unsigned int toCopy = ctx->hash->length;
179 if (toCopy > maxLength) {
180 toCopy = maxLength;
181 }
182 memcpy(out, ctx->mac, toCopy);
183 if (outLength) {
184 *outLength = toCopy;
185 }
186 }
187
188 void
sftk_MACConstantTime_DestroyContext(void * pctx,PRBool free)189 sftk_MACConstantTime_DestroyContext(void *pctx, PRBool free)
190 {
191 PORT_Free(pctx);
192 }
193
194 CK_RV
sftk_MAC_Create(CK_MECHANISM_TYPE mech,SFTKObject * key,sftk_MACCtx ** ret_ctx)195 sftk_MAC_Create(CK_MECHANISM_TYPE mech, SFTKObject *key, sftk_MACCtx **ret_ctx)
196 {
197 CK_RV ret;
198
199 if (ret_ctx == NULL || key == NULL) {
200 return CKR_HOST_MEMORY;
201 }
202
203 *ret_ctx = PORT_New(sftk_MACCtx);
204 if (*ret_ctx == NULL) {
205 return CKR_HOST_MEMORY;
206 }
207
208 ret = sftk_MAC_Init(*ret_ctx, mech, key);
209 if (ret != CKR_OK) {
210 sftk_MAC_Destroy(*ret_ctx, PR_TRUE);
211 }
212
213 return ret;
214 }
215
216 CK_RV
sftk_MAC_Init(sftk_MACCtx * ctx,CK_MECHANISM_TYPE mech,SFTKObject * key)217 sftk_MAC_Init(sftk_MACCtx *ctx, CK_MECHANISM_TYPE mech, SFTKObject *key)
218 {
219 SFTKAttribute *keyval = NULL;
220 PRBool isFIPS = (key->slot->slotID == FIPS_SLOT_ID);
221 CK_RV ret = CKR_OK;
222
223 /* Find the actual value of the key. */
224 keyval = sftk_FindAttribute(key, CKA_VALUE);
225 if (keyval == NULL) {
226 ret = CKR_KEY_SIZE_RANGE;
227 goto done;
228 }
229
230 ret = sftk_MAC_InitRaw(ctx, mech,
231 (const unsigned char *)keyval->attrib.pValue,
232 keyval->attrib.ulValueLen, isFIPS);
233
234 done:
235 sftk_FreeAttribute(keyval);
236 return ret;
237 }
238
239 CK_RV
sftk_MAC_InitRaw(sftk_MACCtx * ctx,CK_MECHANISM_TYPE mech,const unsigned char * key,unsigned int key_len,PRBool isFIPS)240 sftk_MAC_InitRaw(sftk_MACCtx *ctx, CK_MECHANISM_TYPE mech, const unsigned char *key, unsigned int key_len, PRBool isFIPS)
241 {
242 const SECHashObject *hashObj = NULL;
243 CK_RV ret = CKR_OK;
244
245 if (ctx == NULL) {
246 return CKR_HOST_MEMORY;
247 }
248
249 /* Clear the context before use. */
250 PORT_Memset(ctx, 0, sizeof(*ctx));
251
252 /* Save the mech. */
253 ctx->mech = mech;
254
255 /* Initialize the correct MAC context. */
256 switch (mech) {
257 case CKM_MD2_HMAC:
258 case CKM_MD5_HMAC:
259 case CKM_SHA_1_HMAC:
260 case CKM_SHA224_HMAC:
261 case CKM_SHA256_HMAC:
262 case CKM_SHA384_HMAC:
263 case CKM_SHA512_HMAC:
264 hashObj = HASH_GetRawHashObject(sftk_HMACMechanismToHash(mech));
265
266 /* Because we condition above only on hashes we know to be valid,
267 * hashObj should never be NULL. This assert is only useful when
268 * adding a new hash function (for which only partial support has
269 * been added); thus there is no need to turn it into an if and
270 * avoid the NULL dereference on the following line. */
271 PR_ASSERT(hashObj != NULL);
272 ctx->mac_size = hashObj->length;
273
274 goto hmac;
275 case CKM_AES_CMAC:
276 ctx->mac.cmac = CMAC_Create(CMAC_AES, key, key_len);
277 ctx->destroy_func = (void (*)(void *, PRBool))(&CMAC_Destroy);
278
279 /* Copy the behavior of sftk_doCMACInit here. */
280 if (ctx->mac.cmac == NULL) {
281 if (PORT_GetError() == SEC_ERROR_INVALID_ARGS) {
282 ret = CKR_KEY_SIZE_RANGE;
283 goto done;
284 }
285
286 ret = CKR_HOST_MEMORY;
287 goto done;
288 }
289
290 ctx->mac_size = AES_BLOCK_SIZE;
291
292 goto done;
293 default:
294 ret = CKR_MECHANISM_PARAM_INVALID;
295 goto done;
296 }
297
298 hmac:
299 ctx->mac.hmac = HMAC_Create(hashObj, key, key_len, isFIPS);
300 ctx->destroy_func = (void (*)(void *, PRBool))(&HMAC_Destroy);
301
302 /* Copy the behavior of sftk_doHMACInit here. */
303 if (ctx->mac.hmac == NULL) {
304 if (PORT_GetError() == SEC_ERROR_INVALID_ARGS) {
305 ret = CKR_KEY_SIZE_RANGE;
306 goto done;
307 }
308 ret = CKR_HOST_MEMORY;
309 goto done;
310 }
311
312 /* Semantics: HMAC and CMAC should behave the same. Begin HMAC now. */
313 HMAC_Begin(ctx->mac.hmac);
314
315 done:
316 /* Handle a failure: ctx->mac.raw should be NULL, but make sure
317 * destroy_func isn't set. */
318 if (ret != CKR_OK) {
319 ctx->destroy_func = NULL;
320 }
321
322 return ret;
323 }
324
325 CK_RV
sftk_MAC_Reset(sftk_MACCtx * ctx)326 sftk_MAC_Reset(sftk_MACCtx *ctx)
327 {
328 /* Useful for resetting the state of MAC prior to calling update again
329 *
330 * This lets the caller keep a single MAC instance and re-use it as long
331 * as the key stays the same. */
332 switch (ctx->mech) {
333 case CKM_MD2_HMAC:
334 case CKM_MD5_HMAC:
335 case CKM_SHA_1_HMAC:
336 case CKM_SHA224_HMAC:
337 case CKM_SHA256_HMAC:
338 case CKM_SHA384_HMAC:
339 case CKM_SHA512_HMAC:
340 HMAC_Begin(ctx->mac.hmac);
341 break;
342 case CKM_AES_CMAC:
343 if (CMAC_Begin(ctx->mac.cmac) != SECSuccess) {
344 return CKR_FUNCTION_FAILED;
345 }
346 break;
347 default:
348 /* This shouldn't happen -- asserting indicates partial support
349 * for a new MAC type. */
350 PR_ASSERT(PR_FALSE);
351 return CKR_FUNCTION_FAILED;
352 }
353
354 return CKR_OK;
355 }
356
357 CK_RV
sftk_MAC_Update(sftk_MACCtx * ctx,CK_BYTE_PTR data,unsigned int data_len)358 sftk_MAC_Update(sftk_MACCtx *ctx, CK_BYTE_PTR data, unsigned int data_len)
359 {
360 switch (ctx->mech) {
361 case CKM_MD2_HMAC:
362 case CKM_MD5_HMAC:
363 case CKM_SHA_1_HMAC:
364 case CKM_SHA224_HMAC:
365 case CKM_SHA256_HMAC:
366 case CKM_SHA384_HMAC:
367 case CKM_SHA512_HMAC:
368 /* HMAC doesn't indicate failure in the return code. */
369 HMAC_Update(ctx->mac.hmac, data, data_len);
370 break;
371 case CKM_AES_CMAC:
372 /* CMAC indicates failure in the return code, however this is
373 * unlikely to occur. */
374 if (CMAC_Update(ctx->mac.cmac, data, data_len) != SECSuccess) {
375 return CKR_FUNCTION_FAILED;
376 }
377 break;
378 default:
379 /* This shouldn't happen -- asserting indicates partial support
380 * for a new MAC type. */
381 PR_ASSERT(PR_FALSE);
382 return CKR_FUNCTION_FAILED;
383 }
384 return CKR_OK;
385 }
386
387 CK_RV
sftk_MAC_Finish(sftk_MACCtx * ctx,CK_BYTE_PTR result,unsigned int * result_len,unsigned int max_result_len)388 sftk_MAC_Finish(sftk_MACCtx *ctx, CK_BYTE_PTR result, unsigned int *result_len, unsigned int max_result_len)
389 {
390 unsigned int actual_result_len;
391
392 switch (ctx->mech) {
393 case CKM_MD2_HMAC:
394 case CKM_MD5_HMAC:
395 case CKM_SHA_1_HMAC:
396 case CKM_SHA224_HMAC:
397 case CKM_SHA256_HMAC:
398 case CKM_SHA384_HMAC:
399 case CKM_SHA512_HMAC:
400 /* HMAC doesn't indicate failure in the return code. Additionally,
401 * unlike CMAC, it doesn't support partial results. This means that we
402 * need to allocate a buffer if max_result_len < ctx->mac_size. */
403 if (max_result_len >= ctx->mac_size) {
404 /* Split this into two calls to avoid an unnecessary stack
405 * allocation and memcpy when possible. */
406 HMAC_Finish(ctx->mac.hmac, result, &actual_result_len, max_result_len);
407 } else {
408 uint8_t tmp_buffer[SFTK_MAX_MAC_LENGTH];
409
410 /* Assumption: buffer is large enough to hold this HMAC's
411 * output. */
412 PR_ASSERT(SFTK_MAX_MAC_LENGTH >= ctx->mac_size);
413
414 HMAC_Finish(ctx->mac.hmac, tmp_buffer, &actual_result_len, SFTK_MAX_MAC_LENGTH);
415
416 if (actual_result_len > max_result_len) {
417 /* This should always be true since:
418 *
419 * (SFTK_MAX_MAC_LENGTH >= ctx->mac_size =
420 * actual_result_len) > max_result_len,
421 *
422 * but guard this truncation just in case. */
423 actual_result_len = max_result_len;
424 }
425
426 PORT_Memcpy(result, tmp_buffer, actual_result_len);
427 }
428 break;
429 case CKM_AES_CMAC:
430 /* CMAC indicates failure in the return code, however this is
431 * unlikely to occur. */
432 if (CMAC_Finish(ctx->mac.cmac, result, &actual_result_len, max_result_len) != SECSuccess) {
433 return CKR_FUNCTION_FAILED;
434 }
435 break;
436 default:
437 /* This shouldn't happen -- asserting indicates partial support
438 * for a new MAC type. */
439 PR_ASSERT(PR_FALSE);
440 return CKR_FUNCTION_FAILED;
441 }
442
443 if (result_len) {
444 /* When result length is passed, inform the caller of its value. */
445 *result_len = actual_result_len;
446 } else if (max_result_len == ctx->mac_size) {
447 /* Validate that the amount requested was what was actually given; the
448 * caller assumes that what they passed was the output size of the
449 * underlying MAC and that they got all the bytes the asked for. */
450 PR_ASSERT(actual_result_len == max_result_len);
451 }
452
453 return CKR_OK;
454 }
455
456 void
sftk_MAC_Destroy(sftk_MACCtx * ctx,PRBool free_it)457 sftk_MAC_Destroy(sftk_MACCtx *ctx, PRBool free_it)
458 {
459 if (ctx == NULL) {
460 return;
461 }
462
463 if (ctx->mac.raw != NULL && ctx->destroy_func != NULL) {
464 ctx->destroy_func(ctx->mac.raw, PR_TRUE);
465 }
466
467 /* Clean up the struct so we don't double free accidentally. */
468 PORT_Memset(ctx, 0, sizeof(sftk_MACCtx));
469
470 if (free_it == PR_TRUE) {
471 PORT_Free(ctx);
472 }
473 }
474