1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5 #include "seccomon.h"
6 #include "secerr.h"
7 #include "blapi.h"
8 #include "pkcs11i.h"
9 #include "softoken.h"
10 #include "hmacct.h"
11
12 /* sftk_HMACMechanismToHash converts a PKCS#11 MAC mechanism into a freebl hash
13 * type. */
14 HASH_HashType
sftk_HMACMechanismToHash(CK_MECHANISM_TYPE mech)15 sftk_HMACMechanismToHash(CK_MECHANISM_TYPE mech)
16 {
17 switch (mech) {
18 case CKM_MD2_HMAC:
19 return HASH_AlgMD2;
20 case CKM_MD5_HMAC:
21 case CKM_SSL3_MD5_MAC:
22 return HASH_AlgMD5;
23 case CKM_SHA_1_HMAC:
24 case CKM_SSL3_SHA1_MAC:
25 return HASH_AlgSHA1;
26 case CKM_SHA224_HMAC:
27 return HASH_AlgSHA224;
28 case CKM_SHA256_HMAC:
29 return HASH_AlgSHA256;
30 case CKM_SHA384_HMAC:
31 return HASH_AlgSHA384;
32 case CKM_SHA512_HMAC:
33 return HASH_AlgSHA512;
34 }
35 return HASH_AlgNULL;
36 }
37
38 static sftk_MACConstantTimeCtx *
SetupMAC(CK_MECHANISM_PTR mech,SFTKObject * key)39 SetupMAC(CK_MECHANISM_PTR mech, SFTKObject *key)
40 {
41 CK_NSS_MAC_CONSTANT_TIME_PARAMS *params =
42 (CK_NSS_MAC_CONSTANT_TIME_PARAMS *)mech->pParameter;
43 sftk_MACConstantTimeCtx *ctx;
44 HASH_HashType alg;
45 SFTKAttribute *keyval;
46 unsigned char secret[sizeof(ctx->secret)];
47 unsigned int secretLength;
48
49 if (mech->ulParameterLen != sizeof(CK_NSS_MAC_CONSTANT_TIME_PARAMS)) {
50 return NULL;
51 }
52
53 alg = sftk_HMACMechanismToHash(params->macAlg);
54 if (alg == HASH_AlgNULL) {
55 return NULL;
56 }
57
58 keyval = sftk_FindAttribute(key, CKA_VALUE);
59 if (keyval == NULL) {
60 return NULL;
61 }
62 secretLength = keyval->attrib.ulValueLen;
63 if (secretLength > sizeof(secret)) {
64 sftk_FreeAttribute(keyval);
65 return NULL;
66 }
67 memcpy(secret, keyval->attrib.pValue, secretLength);
68 sftk_FreeAttribute(keyval);
69
70 ctx = PORT_Alloc(sizeof(sftk_MACConstantTimeCtx));
71 if (!ctx) {
72 PORT_Memset(secret, 0, secretLength);
73 return NULL;
74 }
75
76 memcpy(ctx->secret, secret, secretLength);
77 ctx->secretLength = secretLength;
78 ctx->hash = HASH_GetRawHashObject(alg);
79 ctx->totalLength = params->ulBodyTotalLen;
80 PORT_Memset(secret, 0, secretLength);
81
82 return ctx;
83 }
84
85 sftk_MACConstantTimeCtx *
sftk_HMACConstantTime_New(CK_MECHANISM_PTR mech,SFTKObject * key)86 sftk_HMACConstantTime_New(CK_MECHANISM_PTR mech, SFTKObject *key)
87 {
88 CK_NSS_MAC_CONSTANT_TIME_PARAMS *params =
89 (CK_NSS_MAC_CONSTANT_TIME_PARAMS *)mech->pParameter;
90 sftk_MACConstantTimeCtx *ctx;
91
92 if (params->ulHeaderLen > sizeof(ctx->header)) {
93 return NULL;
94 }
95 ctx = SetupMAC(mech, key);
96 if (!ctx) {
97 return NULL;
98 }
99
100 ctx->headerLength = params->ulHeaderLen;
101 memcpy(ctx->header, params->pHeader, params->ulHeaderLen);
102 return ctx;
103 }
104
105 sftk_MACConstantTimeCtx *
sftk_SSLv3MACConstantTime_New(CK_MECHANISM_PTR mech,SFTKObject * key)106 sftk_SSLv3MACConstantTime_New(CK_MECHANISM_PTR mech, SFTKObject *key)
107 {
108 CK_NSS_MAC_CONSTANT_TIME_PARAMS *params =
109 (CK_NSS_MAC_CONSTANT_TIME_PARAMS *)mech->pParameter;
110 unsigned int padLength = 40, j;
111 sftk_MACConstantTimeCtx *ctx;
112
113 if (params->macAlg != CKM_SSL3_MD5_MAC &&
114 params->macAlg != CKM_SSL3_SHA1_MAC) {
115 return NULL;
116 }
117 ctx = SetupMAC(mech, key);
118 if (!ctx) {
119 return NULL;
120 }
121
122 if (params->macAlg == CKM_SSL3_MD5_MAC) {
123 padLength = 48;
124 }
125
126 ctx->headerLength =
127 ctx->secretLength +
128 padLength +
129 params->ulHeaderLen;
130
131 if (ctx->headerLength > sizeof(ctx->header)) {
132 goto loser;
133 }
134
135 j = 0;
136 memcpy(&ctx->header[j], ctx->secret, ctx->secretLength);
137 j += ctx->secretLength;
138 memset(&ctx->header[j], 0x36, padLength);
139 j += padLength;
140 memcpy(&ctx->header[j], params->pHeader, params->ulHeaderLen);
141
142 return ctx;
143
144 loser:
145 PORT_Free(ctx);
146 return NULL;
147 }
148
149 void
sftk_HMACConstantTime_Update(void * pctx,const void * data,unsigned int len)150 sftk_HMACConstantTime_Update(void *pctx, const void *data, unsigned int len)
151 {
152 sftk_MACConstantTimeCtx *ctx = (sftk_MACConstantTimeCtx *)pctx;
153 PORT_CheckSuccess(HMAC_ConstantTime(
154 ctx->mac, NULL, sizeof(ctx->mac),
155 ctx->hash,
156 ctx->secret, ctx->secretLength,
157 ctx->header, ctx->headerLength,
158 data, len,
159 ctx->totalLength));
160 }
161
162 void
sftk_SSLv3MACConstantTime_Update(void * pctx,const void * data,unsigned int len)163 sftk_SSLv3MACConstantTime_Update(void *pctx, const void *data, unsigned int len)
164 {
165 sftk_MACConstantTimeCtx *ctx = (sftk_MACConstantTimeCtx *)pctx;
166 PORT_CheckSuccess(SSLv3_MAC_ConstantTime(
167 ctx->mac, NULL, sizeof(ctx->mac),
168 ctx->hash,
169 ctx->secret, ctx->secretLength,
170 ctx->header, ctx->headerLength,
171 data, len,
172 ctx->totalLength));
173 }
174
175 void
sftk_MACConstantTime_EndHash(void * pctx,void * out,unsigned int * outLength,unsigned int maxLength)176 sftk_MACConstantTime_EndHash(void *pctx, void *out, unsigned int *outLength,
177 unsigned int maxLength)
178 {
179 const sftk_MACConstantTimeCtx *ctx = (sftk_MACConstantTimeCtx *)pctx;
180 unsigned int toCopy = ctx->hash->length;
181 if (toCopy > maxLength) {
182 toCopy = maxLength;
183 }
184 memcpy(out, ctx->mac, toCopy);
185 if (outLength) {
186 *outLength = toCopy;
187 }
188 }
189
190 void
sftk_MACConstantTime_DestroyContext(void * pctx,PRBool free)191 sftk_MACConstantTime_DestroyContext(void *pctx, PRBool free)
192 {
193 PORT_ZFree(pctx, sizeof(sftk_MACConstantTimeCtx));
194 }
195
196 CK_RV
sftk_MAC_Create(CK_MECHANISM_TYPE mech,SFTKObject * key,sftk_MACCtx ** ret_ctx)197 sftk_MAC_Create(CK_MECHANISM_TYPE mech, SFTKObject *key, sftk_MACCtx **ret_ctx)
198 {
199 CK_RV ret;
200
201 if (ret_ctx == NULL || key == NULL) {
202 return CKR_HOST_MEMORY;
203 }
204
205 *ret_ctx = PORT_New(sftk_MACCtx);
206 if (*ret_ctx == NULL) {
207 return CKR_HOST_MEMORY;
208 }
209
210 ret = sftk_MAC_Init(*ret_ctx, mech, key);
211 if (ret != CKR_OK) {
212 sftk_MAC_Destroy(*ret_ctx, PR_TRUE);
213 }
214
215 return ret;
216 }
217
218 CK_RV
sftk_MAC_Init(sftk_MACCtx * ctx,CK_MECHANISM_TYPE mech,SFTKObject * key)219 sftk_MAC_Init(sftk_MACCtx *ctx, CK_MECHANISM_TYPE mech, SFTKObject *key)
220 {
221 SFTKAttribute *keyval = NULL;
222 PRBool isFIPS = sftk_isFIPS(key->slot->slotID);
223 CK_RV ret = CKR_OK;
224
225 /* Find the actual value of the key. */
226 keyval = sftk_FindAttribute(key, CKA_VALUE);
227 if (keyval == NULL) {
228 ret = CKR_KEY_SIZE_RANGE;
229 goto done;
230 }
231
232 ret = sftk_MAC_InitRaw(ctx, mech,
233 (const unsigned char *)keyval->attrib.pValue,
234 keyval->attrib.ulValueLen, isFIPS);
235
236 done:
237 sftk_FreeAttribute(keyval);
238 return ret;
239 }
240
241 CK_RV
sftk_MAC_InitRaw(sftk_MACCtx * ctx,CK_MECHANISM_TYPE mech,const unsigned char * key,unsigned int key_len,PRBool isFIPS)242 sftk_MAC_InitRaw(sftk_MACCtx *ctx, CK_MECHANISM_TYPE mech, const unsigned char *key, unsigned int key_len, PRBool isFIPS)
243 {
244 const SECHashObject *hashObj = NULL;
245 CK_RV ret = CKR_OK;
246
247 if (ctx == NULL) {
248 return CKR_HOST_MEMORY;
249 }
250
251 /* Clear the context before use. */
252 PORT_Memset(ctx, 0, sizeof(*ctx));
253
254 /* Save the mech. */
255 ctx->mech = mech;
256
257 /* Initialize the correct MAC context. */
258 switch (mech) {
259 case CKM_MD2_HMAC:
260 case CKM_MD5_HMAC:
261 case CKM_SHA_1_HMAC:
262 case CKM_SHA224_HMAC:
263 case CKM_SHA256_HMAC:
264 case CKM_SHA384_HMAC:
265 case CKM_SHA512_HMAC:
266 hashObj = HASH_GetRawHashObject(sftk_HMACMechanismToHash(mech));
267
268 /* Because we condition above only on hashes we know to be valid,
269 * hashObj should never be NULL. This assert is only useful when
270 * adding a new hash function (for which only partial support has
271 * been added); thus there is no need to turn it into an if and
272 * avoid the NULL dereference on the following line. */
273 PR_ASSERT(hashObj != NULL);
274 ctx->mac_size = hashObj->length;
275
276 goto hmac;
277 case CKM_AES_CMAC:
278 ctx->mac.cmac = CMAC_Create(CMAC_AES, key, key_len);
279 ctx->destroy_func = (void (*)(void *, PRBool))(&CMAC_Destroy);
280
281 /* Copy the behavior of sftk_doCMACInit here. */
282 if (ctx->mac.cmac == NULL) {
283 if (PORT_GetError() == SEC_ERROR_INVALID_ARGS) {
284 ret = CKR_KEY_SIZE_RANGE;
285 goto done;
286 }
287
288 ret = CKR_HOST_MEMORY;
289 goto done;
290 }
291
292 ctx->mac_size = AES_BLOCK_SIZE;
293
294 goto done;
295 default:
296 ret = CKR_MECHANISM_PARAM_INVALID;
297 goto done;
298 }
299
300 hmac:
301 ctx->mac.hmac = HMAC_Create(hashObj, key, key_len, isFIPS);
302 ctx->destroy_func = (void (*)(void *, PRBool))(&HMAC_Destroy);
303
304 /* Copy the behavior of sftk_doHMACInit here. */
305 if (ctx->mac.hmac == NULL) {
306 if (PORT_GetError() == SEC_ERROR_INVALID_ARGS) {
307 ret = CKR_KEY_SIZE_RANGE;
308 goto done;
309 }
310 ret = CKR_HOST_MEMORY;
311 goto done;
312 }
313
314 /* Semantics: HMAC and CMAC should behave the same. Begin HMAC now. */
315 HMAC_Begin(ctx->mac.hmac);
316
317 done:
318 /* Handle a failure: ctx->mac.raw should be NULL, but make sure
319 * destroy_func isn't set. */
320 if (ret != CKR_OK) {
321 ctx->destroy_func = NULL;
322 }
323
324 return ret;
325 }
326
327 CK_RV
sftk_MAC_Reset(sftk_MACCtx * ctx)328 sftk_MAC_Reset(sftk_MACCtx *ctx)
329 {
330 /* Useful for resetting the state of MAC prior to calling update again
331 *
332 * This lets the caller keep a single MAC instance and re-use it as long
333 * as the key stays the same. */
334 switch (ctx->mech) {
335 case CKM_MD2_HMAC:
336 case CKM_MD5_HMAC:
337 case CKM_SHA_1_HMAC:
338 case CKM_SHA224_HMAC:
339 case CKM_SHA256_HMAC:
340 case CKM_SHA384_HMAC:
341 case CKM_SHA512_HMAC:
342 HMAC_Begin(ctx->mac.hmac);
343 break;
344 case CKM_AES_CMAC:
345 if (CMAC_Begin(ctx->mac.cmac) != SECSuccess) {
346 return CKR_FUNCTION_FAILED;
347 }
348 break;
349 default:
350 /* This shouldn't happen -- asserting indicates partial support
351 * for a new MAC type. */
352 PR_ASSERT(PR_FALSE);
353 return CKR_FUNCTION_FAILED;
354 }
355
356 return CKR_OK;
357 }
358
359 CK_RV
sftk_MAC_Update(sftk_MACCtx * ctx,const CK_BYTE * data,unsigned int data_len)360 sftk_MAC_Update(sftk_MACCtx *ctx, const CK_BYTE *data, unsigned int data_len)
361 {
362 switch (ctx->mech) {
363 case CKM_MD2_HMAC:
364 case CKM_MD5_HMAC:
365 case CKM_SHA_1_HMAC:
366 case CKM_SHA224_HMAC:
367 case CKM_SHA256_HMAC:
368 case CKM_SHA384_HMAC:
369 case CKM_SHA512_HMAC:
370 /* HMAC doesn't indicate failure in the return code. */
371 HMAC_Update(ctx->mac.hmac, data, data_len);
372 break;
373 case CKM_AES_CMAC:
374 /* CMAC indicates failure in the return code, however this is
375 * unlikely to occur. */
376 if (CMAC_Update(ctx->mac.cmac, data, data_len) != SECSuccess) {
377 return CKR_FUNCTION_FAILED;
378 }
379 break;
380 default:
381 /* This shouldn't happen -- asserting indicates partial support
382 * for a new MAC type. */
383 PR_ASSERT(PR_FALSE);
384 return CKR_FUNCTION_FAILED;
385 }
386 return CKR_OK;
387 }
388
389 CK_RV
sftk_MAC_Finish(sftk_MACCtx * ctx,CK_BYTE_PTR result,unsigned int * result_len,unsigned int max_result_len)390 sftk_MAC_Finish(sftk_MACCtx *ctx, CK_BYTE_PTR result, unsigned int *result_len, unsigned int max_result_len)
391 {
392 unsigned int actual_result_len;
393
394 switch (ctx->mech) {
395 case CKM_MD2_HMAC:
396 case CKM_MD5_HMAC:
397 case CKM_SHA_1_HMAC:
398 case CKM_SHA224_HMAC:
399 case CKM_SHA256_HMAC:
400 case CKM_SHA384_HMAC:
401 case CKM_SHA512_HMAC:
402 /* HMAC doesn't indicate failure in the return code. Additionally,
403 * unlike CMAC, it doesn't support partial results. This means that we
404 * need to allocate a buffer if max_result_len < ctx->mac_size. */
405 if (max_result_len >= ctx->mac_size) {
406 /* Split this into two calls to avoid an unnecessary stack
407 * allocation and memcpy when possible. */
408 HMAC_Finish(ctx->mac.hmac, result, &actual_result_len, max_result_len);
409 } else {
410 uint8_t tmp_buffer[SFTK_MAX_MAC_LENGTH];
411
412 /* Assumption: buffer is large enough to hold this HMAC's
413 * output. */
414 PR_ASSERT(SFTK_MAX_MAC_LENGTH >= ctx->mac_size);
415
416 HMAC_Finish(ctx->mac.hmac, tmp_buffer, &actual_result_len, SFTK_MAX_MAC_LENGTH);
417
418 if (actual_result_len > max_result_len) {
419 /* This should always be true since:
420 *
421 * (SFTK_MAX_MAC_LENGTH >= ctx->mac_size =
422 * actual_result_len) > max_result_len,
423 *
424 * but guard this truncation just in case. */
425 actual_result_len = max_result_len;
426 }
427
428 PORT_Memcpy(result, tmp_buffer, actual_result_len);
429 }
430 break;
431 case CKM_AES_CMAC:
432 /* CMAC indicates failure in the return code, however this is
433 * unlikely to occur. */
434 if (CMAC_Finish(ctx->mac.cmac, result, &actual_result_len, max_result_len) != SECSuccess) {
435 return CKR_FUNCTION_FAILED;
436 }
437 break;
438 default:
439 /* This shouldn't happen -- asserting indicates partial support
440 * for a new MAC type. */
441 PR_ASSERT(PR_FALSE);
442 return CKR_FUNCTION_FAILED;
443 }
444
445 if (result_len) {
446 /* When result length is passed, inform the caller of its value. */
447 *result_len = actual_result_len;
448 } else if (max_result_len == ctx->mac_size) {
449 /* Validate that the amount requested was what was actually given; the
450 * caller assumes that what they passed was the output size of the
451 * underlying MAC and that they got all the bytes the asked for. */
452 PR_ASSERT(actual_result_len == max_result_len);
453 }
454
455 return CKR_OK;
456 }
457
458 void
sftk_MAC_Destroy(sftk_MACCtx * ctx,PRBool free_it)459 sftk_MAC_Destroy(sftk_MACCtx *ctx, PRBool free_it)
460 {
461 if (ctx == NULL) {
462 return;
463 }
464
465 if (ctx->mac.raw != NULL && ctx->destroy_func != NULL) {
466 ctx->destroy_func(ctx->mac.raw, PR_TRUE);
467 }
468
469 /* Clean up the struct so we don't double free accidentally. */
470 PORT_Memset(ctx, 0, sizeof(sftk_MACCtx));
471
472 if (free_it == PR_TRUE) {
473 PORT_Free(ctx);
474 }
475 }
476