- Key generation - CBC mode with and without padding - ECB mode This token now isn't backward compatible with CCA versions lower than 4.0.
Signed-off-by: Rajiv Andrade <[email protected]> --- usr/lib/pkcs11/cca_stdll/Makefile.am | 2 +- usr/lib/pkcs11/cca_stdll/cca_specific.c | 371 ++++++++++++++++++++++++++----- usr/lib/pkcs11/cca_stdll/csulincl.h | 36 +++- usr/lib/pkcs11/cca_stdll/decr_mgr.c | 16 -- usr/lib/pkcs11/cca_stdll/key.c | 10 +- usr/lib/pkcs11/cca_stdll/mech_aes.c | 38 ++-- 6 files changed, 373 insertions(+), 100 deletions(-) diff --git a/usr/lib/pkcs11/cca_stdll/Makefile.am b/usr/lib/pkcs11/cca_stdll/Makefile.am index 0e5236c..36f631e 100644 --- a/usr/lib/pkcs11/cca_stdll/Makefile.am +++ b/usr/lib/pkcs11/cca_stdll/Makefile.am @@ -37,7 +37,7 @@ opencryptoki_stdll_libpkcs11_cca_la_SOURCES = asn1.c \ ../common/obj_mgr.c \ ../common/template.c \ ../common/data_obj.c \ - encr_mgr.c \ + ../common/encr_mgr.c \ key_mgr.c \ ../common/mech_md2.c \ mech_sha.c \ diff --git a/usr/lib/pkcs11/cca_stdll/cca_specific.c b/usr/lib/pkcs11/cca_stdll/cca_specific.c index cc5df73..8366114 100644 --- a/usr/lib/pkcs11/cca_stdll/cca_specific.c +++ b/usr/lib/pkcs11/cca_stdll/cca_specific.c @@ -44,15 +44,15 @@ CK_CHAR label[] = "IBM PKCS#11 for CCA"; MECH_LIST_ELEMENT mech_list[] = { { CKM_DES_KEY_GEN, { 8, 8, CKF_HW | CKF_GENERATE } }, { CKM_DES3_KEY_GEN, { 24, 24, CKF_HW | CKF_GENERATE } }, - { CKM_RSA_PKCS_KEY_PAIR_GEN, { 512, 2048, CKF_HW | CKF_GENERATE_KEY_PAIR } }, - { CKM_RSA_PKCS, { 512, 2048, CKF_HW | + { CKM_RSA_PKCS_KEY_PAIR_GEN, { 512, 4096, CKF_HW | CKF_GENERATE_KEY_PAIR } }, + { CKM_RSA_PKCS, { 512, 4096, CKF_HW | CKF_ENCRYPT | CKF_DECRYPT | CKF_SIGN | CKF_VERIFY } }, - { CKM_MD2_RSA_PKCS, { 512, 2048, CKF_HW | + { CKM_MD2_RSA_PKCS, { 512, 4096, CKF_HW | CKF_SIGN | CKF_VERIFY } }, - { CKM_MD5_RSA_PKCS, { 512, 2048, CKF_HW | + { CKM_MD5_RSA_PKCS, { 512, 4096, CKF_HW | CKF_SIGN | CKF_VERIFY } }, - { CKM_SHA1_RSA_PKCS, { 512, 2048, CKF_HW | + { CKM_SHA1_RSA_PKCS, { 512, 4096, CKF_HW | CKF_SIGN | CKF_VERIFY } }, { CKM_DES_CBC, { 8, 8, CKF_HW | CKF_ENCRYPT | CKF_DECRYPT | @@ -66,9 +66,24 @@ MECH_LIST_ELEMENT mech_list[] = { { CKM_DES3_CBC_PAD, { 24, 24, CKF_HW | CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP } }, + { CKM_AES_KEY_GEN, 16, 32, CKF_HW }, + { CKM_AES_ECB, 16, 32, CKF_HW | + CKF_ENCRYPT | CKF_DECRYPT | + CKF_WRAP | CKF_UNWRAP }, + { CKM_AES_CBC, 16, 32, CKF_HW | + CKF_ENCRYPT | CKF_DECRYPT | + CKF_WRAP | CKF_UNWRAP }, + { CKM_AES_MAC, 16, 32, CKF_HW | CKF_SIGN | CKF_VERIFY }, + { CKM_AES_MAC_GENERAL, 16, 32, CKF_HW | CKF_SIGN | CKF_VERIFY }, + { CKM_AES_CBC_PAD, 16, 32, CKF_HW | + CKF_ENCRYPT | CKF_DECRYPT | + CKF_WRAP | CKF_UNWRAP }, { CKM_SHA_1, { 0, 0, CKF_DIGEST } }, { CKM_SHA_1_HMAC, { 0, 0, CKF_SIGN | CKF_VERIFY } }, { CKM_SHA_1_HMAC_GENERAL, { 0, 0, CKF_SIGN | CKF_VERIFY } }, + { CKM_SHA256, { 0, 0, CKF_HW | CKF_DIGEST } }, + { CKM_SHA256_HMAC, { 0, 0, CKF_HW | CKF_SIGN | CKF_VERIFY } }, + { CKM_SHA256_HMAC_GENERAL, { 0, 0, CKF_HW | CKF_SIGN | CKF_VERIFY } }, { CKM_MD5, { 0, 0, CKF_DIGEST } }, { CKM_MD5_HMAC, { 0, 0, CKF_SIGN | CKF_VERIFY } }, { CKM_MD5_HMAC_GENERAL, { 0, 0, CKF_SIGN | CKF_VERIFY } }, @@ -137,31 +152,10 @@ token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber) { unsigned char rule_array[256] = { 0, }; long return_code, reason_code, rule_array_count, verb_data_length; - void *lib_csulsecy; - void *lib_csulcall; - void *lib_csulsapi; - void *lib_ds30; - - /* Explictly load the dependent libraries. There are circular - * dependencies in this set of libraries, so we do lazy symbol - * resolution for the first three libraries. */ - lib_ds30 = dlopen("libds30.so", (RTLD_GLOBAL | RTLD_LAZY)); - if (lib_ds30 == NULL) { - syslog(LOG_ERR, "%s: Error loading library: [%s]\n", __FUNCTION__, dlerror()); - return CKR_FUNCTION_FAILED; - } - lib_csulsapi = dlopen("libcsulsapi.so", (RTLD_GLOBAL | RTLD_LAZY)); - if (lib_csulsapi == NULL) { - syslog(LOG_ERR, "%s: Error loading library: [%s]\n", __FUNCTION__, dlerror()); - return CKR_FUNCTION_FAILED; - } - lib_csulcall = dlopen("libcsulcall.so", (RTLD_GLOBAL | RTLD_LAZY)); - if (lib_csulcall == NULL) { - syslog(LOG_ERR, "%s: Error loading library: [%s]\n", __FUNCTION__, dlerror()); - return CKR_FUNCTION_FAILED; - } - lib_csulsecy = dlopen("libcsulsecy.so", (RTLD_GLOBAL | RTLD_NOW)); - if (lib_csulsecy == NULL) { + void *lib_csulcca; + + lib_csulcca = dlopen("libcsulcca.so", (RTLD_GLOBAL | RTLD_NOW)); + if (lib_csulcca == NULL) { syslog(LOG_ERR, "%s: Error loading library: [%s]\n", __FUNCTION__, dlerror()); return CKR_FUNCTION_FAILED; } @@ -202,22 +196,18 @@ token_specific_final() return CKR_OK; } -CK_RV -token_specific_des_key_gen(CK_BYTE *des_key, CK_ULONG len, CK_ULONG key_size) +CK_RV cca_key_gen(CK_BYTE *key, unsigned char *key_form, unsigned char *key_type_1, + CK_ULONG key_size) { + long return_code, reason_code; - unsigned char key_form[CCA_KEYWORD_SIZE], key_length[CCA_KEYWORD_SIZE]; - unsigned char key_type_1[CCA_KEYWORD_SIZE], key_type_2[CCA_KEYWORD_SIZE] = { 0, }; + unsigned char key_length[CCA_KEYWORD_SIZE]; + unsigned char key_type_2[CCA_KEYWORD_SIZE] = { 0, }; unsigned char kek_key_identifier_1[CCA_KEY_ID_SIZE] = { 0, }; unsigned char kek_key_identifier_2[CCA_KEY_ID_SIZE] = { 0, }; - unsigned char generated_key_identifier_1[CCA_KEY_ID_SIZE] = { 0, }; + unsigned char *generated_key_identifier_1 = key; unsigned char generated_key_identifier_2[CCA_KEY_ID_SIZE] = { 0, }; - DBG("Enter"); - - memcpy(key_form, "OP ", (size_t)CCA_KEYWORD_SIZE); - memcpy(key_type_1, "DATA ", (size_t)CCA_KEYWORD_SIZE); - switch (key_size) { case 8: memcpy(key_length, "KEYLN8 ", (size_t)CCA_KEYWORD_SIZE); @@ -230,6 +220,9 @@ token_specific_des_key_gen(CK_BYTE *des_key, CK_ULONG len, CK_ULONG key_size) case 24: memcpy(key_length, "KEYLN24 ", (size_t)CCA_KEYWORD_SIZE); break; + case 32: + memcpy(key_length, " ", (size_t)CCA_KEYWORD_SIZE); + break; default: DBG("Invalid key length: %lu", key_size); return CKR_KEY_SIZE_RANGE; @@ -245,26 +238,30 @@ token_specific_des_key_gen(CK_BYTE *des_key, CK_ULONG len, CK_ULONG key_size) key_type_2, kek_key_identifier_1, kek_key_identifier_2, - generated_key_identifier_1, + key, generated_key_identifier_2); if (return_code != CCA_SUCCESS) { - CCADBG("CSNBKGN (DES KEYGEN)", return_code, reason_code); + CCADBG("CSNBKGN (KEYGEN)", return_code, reason_code); return CKR_FUNCTION_FAILED; } - memcpy(des_key, generated_key_identifier_1, (size_t)CCA_KEY_ID_SIZE); + return CKR_OK; +} -#ifdef DEBUG - DBG("Created a new key of size %lu", key_size); - { - uint32_t *i = (uint32_t *) des_key, j; - for ( j = 0; j < 16; j++) - DBG("%.8x ", *i++); - } -#endif +CK_RV +token_specific_des_key_gen(CK_BYTE *des_key, CK_ULONG len, CK_ULONG key_size) +{ + long return_code, reason_code; + unsigned char key_form[CCA_KEYWORD_SIZE], key_length[CCA_KEYWORD_SIZE]; + unsigned char key_type_1[CCA_KEYWORD_SIZE]; - return CKR_OK; + DBG("Enter CCA DES keygen"); + + memcpy(key_form, "OP ", (size_t)CCA_KEYWORD_SIZE); + memcpy(key_type_1, "DATA ", (size_t)CCA_KEYWORD_SIZE); + + return cca_key_gen(des_key, key_form, key_type_1, key_size); } CK_RV @@ -349,6 +346,8 @@ token_specific_des_cbc(CK_BYTE *in_data, if (return_code != CCA_SUCCESS) { CCADBG("CSNBENC (DES ENCRYPT)", return_code, reason_code); + if (out_data != local_out) + free(local_out); #ifdef DEBUG { uint32_t *i = (uint32_t *) key_value, j; @@ -369,9 +368,11 @@ token_specific_des_cbc(CK_BYTE *in_data, DBG("CKR_BUFFER_TOO_SMALL: %ld bytes to write into %ld bytes space", length, *out_data_len); st_err_log(111, __FILE__, __LINE__); + free(local_out); return CKR_BUFFER_TOO_SMALL; } else if (local_out != out_data) { memcpy(out_data, local_out, (size_t)length); + free(local_out); } *out_data_len = length; @@ -860,10 +861,77 @@ token_specific_rsa_verify(CK_BYTE * in_data, #ifndef NOAES CK_RV -token_specific_aes_key_gen(CK_BYTE *key, CK_ULONG len) +token_specific_aes_key_gen(CK_BYTE *aes_key, CK_ULONG key_size) { - DBG("Unsupported function reached."); - return CKR_FUNCTION_NOT_SUPPORTED; + long return_code, reason_code; + unsigned char key_length[CCA_KEYWORD_SIZE]; + unsigned char key_token[CCA_KEY_ID_SIZE] = { 0, }; + unsigned char key_value[32]; + unsigned char key_form[CCA_KEYWORD_SIZE]; + unsigned char key_type[CCA_KEYWORD_SIZE] = { 0, }; + unsigned char rule_array[CCA_RULE_ARRAY_SIZE] = { 0x20, }; + long exit_data_len = 0, rule_array_count; + unsigned char exit_data[4] = { 0, }; + unsigned char reserved_1[4] = { 0, }; + unsigned char point_to_array_of_zeros = 0; + unsigned char mkvp[16] = { 0, }; + + memcpy(rule_array, "INTERNALAES NO-KEY ", (size_t) (CCA_KEYWORD_SIZE*3)); + memcpy(key_type, "DATA ", (size_t)CCA_KEYWORD_SIZE); + + switch (key_size) { + case 16: + memcpy(rule_array + 3*CCA_KEYWORD_SIZE, "KEYLN16 ", CCA_KEYWORD_SIZE); + break; + case 24: + memcpy(rule_array + 3*CCA_KEYWORD_SIZE, "KEYLN24 ", (size_t)CCA_KEYWORD_SIZE); + break; + case 32: + memcpy(rule_array + 3*CCA_KEYWORD_SIZE, "KEYLN32 ", (size_t)CCA_KEYWORD_SIZE); + break; + default: + DBG("Invalid key length: %lu", key_size); + return CKR_KEY_SIZE_RANGE; + } +#ifdef DEBUG + { + uint32_t j; + DBG("Rule Array:"); + for ( j = 0; j < 32; j++) + printf("%c", rule_array[j]); + printf("\n"); + for ( j = 0; j < 8; j++) + printf("%c", key_type[j]); + } +#endif + rule_array_count = 4; + CSNBKTB(&return_code, + &reason_code, + &exit_data_len, + exit_data, + key_token, + key_type, + &rule_array_count, + rule_array, + NULL, + reserved_1, + NULL, + &point_to_array_of_zeros, + NULL, + NULL, + NULL, + NULL, + mkvp); + + if (return_code != CCA_SUCCESS) { + CCADBG("CSNBTKB (TOKEN BUILD)", return_code, reason_code); + return CKR_FUNCTION_FAILED; + } + memcpy(key_form, "OP ", (size_t)CCA_KEYWORD_SIZE); + memcpy(key_type, "AESTOKEN", (size_t) CCA_KEYWORD_SIZE); + memcpy(aes_key, key_token, (size_t)CCA_KEY_ID_SIZE); + + return cca_key_gen(aes_key, key_form, key_type, key_size); } CK_RV @@ -875,8 +943,84 @@ token_specific_aes_ecb(CK_BYTE *in_data, CK_ULONG key_len, CK_BYTE encrypt) { - DBG("Unsupported function reached."); - return CKR_FUNCTION_NOT_SUPPORTED; + + long return_code, reason_code, rule_array_count, length; + long pad_character = 0, block_size = 16; + unsigned char chaining_vector[CCA_OCV_SIZE]; + unsigned char rule_array[CCA_RULE_ARRAY_SIZE]; + long opt_data_len = 0, key_params_len =0, exit_data_len = 0, IV_len = 0, chain_vector_len = 0; + char exit_data[0]; + CK_BYTE *local_out = out_data; + + key_len = 64; + rule_array_count = 4; + memcpy(rule_array, "AES ECB KEYIDENTINITIAL ", + rule_array_count*(size_t)CCA_KEYWORD_SIZE); + + if (encrypt) { + CSNBSAE(&return_code, + &reason_code, + &exit_data_len, + exit_data, + &rule_array_count, + rule_array, + &key_len, + key_value, + &key_params_len, + NULL, + &block_size, + &IV_len, + NULL, + &chain_vector_len, + NULL, + &in_data_len, + in_data, + out_data_len, + local_out, + &opt_data_len, + NULL); + } else { + CSNBSAD(&return_code, + &reason_code, + &exit_data_len, + exit_data, + &rule_array_count, + rule_array, + &key_len, + key_value, + &key_params_len, + NULL, + &block_size, + &IV_len, + NULL, + &chain_vector_len, + NULL, + &in_data_len, + in_data, + out_data_len, + local_out, + &opt_data_len, + NULL); + } + + if (return_code != CCA_SUCCESS) { + if (encrypt) + CCADBG("CSNBSAE (AES ENCRYPT)", return_code, reason_code); + else + CCADBG("CSNBSAD (AES DECRYPT)", return_code, reason_code); +#ifdef DEBUG + { + uint32_t *i = (uint32_t *) key_value, j; + DBG("Bad key:"); + for ( j = 0; j < 16; j++) + DBG("%.8x ", *i++); + } +#endif + (*out_data_len) = 0; + return CKR_FUNCTION_FAILED; + } + + return CKR_OK; } CK_RV @@ -889,8 +1033,117 @@ token_specific_aes_cbc(CK_BYTE *in_data, CK_BYTE *init_v, CK_BYTE encrypt) { - DBG("Unsupported function reached."); - return CKR_FUNCTION_NOT_SUPPORTED; + long return_code, reason_code, rule_array_count, length; + long pad_character = 0, block_size = 16; + unsigned char IV[8] = { 0xfe, 0x43, 0x12, 0xed, 0xaa, 0xbb, 0xdd, 0x90 }; + unsigned char chaining_vector[32]; + unsigned char rule_array[CCA_RULE_ARRAY_SIZE]; + long opt_data_len = 0, key_params_len =0, exit_data_len = 0, IV_len = 16, chain_vector_len = 32; + CK_BYTE *local_out = out_data; + char exit_data[0]; + + if (in_data_len%16 == 0) { + rule_array_count = 3; + memcpy(rule_array, "AES KEYIDENTINITIAL ", + rule_array_count*(size_t)CCA_KEYWORD_SIZE); + } else { + if ((encrypt) && (*out_data_len < (in_data_len + 16))) { + local_out = malloc(in_data_len + 16); + if (!local_out) { + DBG("Malloc of %lu bytes failed.", in_data_len + 16); + return CKR_HOST_MEMORY; + } + } + + rule_array_count = 3; + memcpy(rule_array, "AES PKCS-PADKEYIDENT", + rule_array_count*(size_t)CCA_KEYWORD_SIZE); + } + + length = in_data_len; + key_len = 64; + if (encrypt) { + CSNBSAE(&return_code, + &reason_code, + &exit_data_len, + exit_data, + &rule_array_count, + rule_array, + &key_len, + key_value, + &key_params_len, + exit_data, + &block_size, + &IV_len, + init_v, + &chain_vector_len, + chaining_vector, + &length, + in_data, + out_data_len, + out_data, + &opt_data_len, + NULL); + } else { + CSNBSAD(&return_code, + &reason_code, + &exit_data_len, + exit_data, + &rule_array_count, + rule_array, + &key_len, + key_value, + &key_params_len, + NULL, + &block_size, + &IV_len, + init_v, + &chain_vector_len, + chaining_vector, + &length, + in_data, + out_data_len, + out_data, + &opt_data_len, + NULL); + } + + if (return_code != CCA_SUCCESS) { + if (encrypt) + CCADBG("CSNBSAE (AES ENCRYPT)", return_code, reason_code); + else + CCADBG("CSNBSAD (AES DECRYPT)", return_code, reason_code); +#ifdef DEBUG + { + uint32_t *i = (uint32_t *) key_value, j; + DBG("Bad key:"); + for ( j = 0; j < 16; j++) + DBG("%.8x ", *i++); + } +#endif + (*out_data_len) = 0; + return CKR_FUNCTION_FAILED; + } + + /* If we malloc'd a new buffer due to overflow concerns and the data + * coming out turned out to be bigger than expected, return an error. + * + * Else, memcpy the data back to the user's buffer + */ + if ((local_out != out_data) && ((CK_ULONG)length > *out_data_len)) { + DBG("CKR_BUFFER_TOO_SMALL: %ld bytes to write into %ld bytes space", + length, *out_data_len); + st_err_log(111, __FILE__, __LINE__); + free(local_out); + return CKR_BUFFER_TOO_SMALL; + } else if (local_out != out_data) { + memcpy(out_data, local_out, (size_t)length); + free(local_out); + } + + *out_data_len = length; + + return CKR_OK; } #endif diff --git a/usr/lib/pkcs11/cca_stdll/csulincl.h b/usr/lib/pkcs11/cca_stdll/csulincl.h index c4304ec..6eb377e 100644 --- a/usr/lib/pkcs11/cca_stdll/csulincl.h +++ b/usr/lib/pkcs11/cca_stdll/csulincl.h @@ -35,6 +35,7 @@ #define CSNBKIM CSNBKIM_32 #define CSNBKPI CSNBKPI_32 #define CSNBKRC CSNBKRC_32 + #define CSNBAKRC CSNBAKRC_32 #define CSNBKRD CSNBKRD_32 #define CSNBKRL CSNBKRL_32 #define CSNBKRR CSNBKRR_32 @@ -110,6 +111,7 @@ #define CSNDTBC CSNDTBC_32 #define CSNDRKX CSNDRKX_32 #define CSNBKET CSNBKET_32 + #define CSNBSAE CSNBSAE_32 /* * security API prototypes @@ -236,6 +238,15 @@ extern void SECURITYAPI long * exit_data_length, unsigned char * exit_data, unsigned char * key_label); +/* AES Key Record Create */ +extern void SECURITYAPI + CSNBAKRC_32(long * return_code, + long * reason_code, + long * exit_data_length, + unsigned char * exit_data, + unsigned char * key_label, + long * key_token_length, + unsigned char * key_token); /* Key Record Delete */ extern void SECURITYAPI @@ -390,6 +401,29 @@ extern void SECURITYAPI unsigned char * form, unsigned char * random_number); +extern void SECURITYAPI + CSNBSAE_32(long * return_code, + long * reason_code, + long * exit_data_length, + unsigned char * exit_data, + long * rule_array_count, + unsigned char * rule_array, + long * key_identifier_length, + unsigned char * key_identifier, + long * key_params_length, + unsigned char * key_params, + long * block_size, + long * initialization_vector_length, + unsigned char * initialization_vector, + long * chaining_vector_length, + unsigned char * chaining_vector, + long * text_length, + unsigned char * text, + long * ciphertext_length, + unsigned char * ciphertext, + long * optional_data_length, + unsigned char * optional_data); + /* Decipher */ extern void SECURITYAPI CSNBDEC_32(long * return_code, @@ -626,7 +660,7 @@ extern void SECURITYAPI unsigned char * RSA_enciphered_key); /* Crypto Facility Query */ -extern void SECURITYAPI +extern void CSUACFQ_32(long * return_code, long * reason_code, long * exit_data_length, diff --git a/usr/lib/pkcs11/cca_stdll/decr_mgr.c b/usr/lib/pkcs11/cca_stdll/decr_mgr.c index e706b14..d645531 100644 --- a/usr/lib/pkcs11/cca_stdll/decr_mgr.c +++ b/usr/lib/pkcs11/cca_stdll/decr_mgr.c @@ -371,8 +371,6 @@ decr_mgr_init( SESSION *sess, } break; -#ifndef NOAES -#ifndef NOECB case CKM_AES_ECB: { // XXX Copied from DES3, should be verified - KEY @@ -407,7 +405,6 @@ decr_mgr_init( SESSION *sess, } break; -#endif case CKM_AES_CBC: case CKM_AES_CBC_PAD: { @@ -442,7 +439,6 @@ decr_mgr_init( SESSION *sess, } break; -#endif default: st_err_log(28, __FILE__, __LINE__); return CKR_MECHANISM_INVALID; @@ -587,25 +583,21 @@ decr_mgr_decrypt( SESSION *sess, in_data, in_data_len, out_data, out_data_len ); #endif -#ifndef NOAES case CKM_AES_CBC: return aes_cbc_decrypt( sess, length_only, ctx, in_data, in_data_len, out_data, out_data_len ); -#ifndef NOECB case CKM_AES_ECB: return aes_ecb_decrypt( sess, length_only, ctx, in_data, in_data_len, out_data, out_data_len ); -#endif case CKM_AES_CBC_PAD: return aes_cbc_pad_decrypt( sess, length_only, ctx, in_data, in_data_len, out_data, out_data_len ); -#endif default: return CKR_MECHANISM_INVALID; } @@ -687,14 +679,11 @@ decr_mgr_decrypt_update( SESSION *sess, ctx, in_data, in_data_len, out_data, out_data_len ); -#ifndef NOAES -#ifndef NOECB case CKM_AES_ECB: return aes_ecb_decrypt_update( sess, length_only, ctx, in_data, in_data_len, out_data, out_data_len ); -#endif case CKM_AES_CBC: return aes_cbc_decrypt_update( sess, length_only, ctx, @@ -706,7 +695,6 @@ decr_mgr_decrypt_update( SESSION *sess, ctx, in_data, in_data_len, out_data, out_data_len ); -#endif default: st_err_log(28, __FILE__, __LINE__); return CKR_MECHANISM_INVALID; @@ -773,13 +761,10 @@ decr_mgr_decrypt_final( SESSION *sess, return des3_cbc_pad_decrypt_final( sess, length_only, ctx, out_data, out_data_len ); -#ifndef NOAES -#ifndef NOECB case CKM_AES_ECB: return aes_ecb_decrypt_final( sess, length_only, ctx, out_data, out_data_len ); -#endif case CKM_AES_CBC: return aes_cbc_decrypt_final( sess, length_only, ctx, @@ -789,7 +774,6 @@ decr_mgr_decrypt_final( SESSION *sess, return aes_cbc_pad_decrypt_final( sess, length_only, ctx, out_data, out_data_len ); -#endif default: st_err_log(28, __FILE__, __LINE__); return CKR_MECHANISM_INVALID; diff --git a/usr/lib/pkcs11/cca_stdll/key.c b/usr/lib/pkcs11/cca_stdll/key.c index c24168c..7ce7bc8 100644 --- a/usr/lib/pkcs11/cca_stdll/key.c +++ b/usr/lib/pkcs11/cca_stdll/key.c @@ -1150,6 +1150,8 @@ secret_key_unwrap( TEMPLATE *tmpl, case CKK_DES: case CKK_DES3: case CKK_AES: + rc = aes_unwrap( tmpl, data, data_len, fromend ); + break; #endif case CKK_GENERIC_SECRET: @@ -1425,7 +1427,7 @@ rsa_publ_validate_attribute( TEMPLATE *tmpl, CK_ATTRIBUTE *attr, CK_ULONG mode ) else { CK_ULONG mod_bits = *(CK_ULONG *)attr->pValue; - if (mod_bits < 512 || mod_bits > 2048){ + if (mod_bits < 512 || mod_bits > 4096){ st_err_log(9, __FILE__, __LINE__); return CKR_ATTRIBUTE_VALUE_INVALID; } @@ -5298,7 +5300,7 @@ aes_unwrap( TEMPLATE *tmpl, } #endif - value_attr = (CK_ATTRIBUTE *)malloc( sizeof(CK_ATTRIBUTE) + key_size ); + value_attr = (CK_ATTRIBUTE *)malloc( sizeof(CK_ATTRIBUTE) + CCA_KEY_ID_SIZE ); if (!value_attr) { if (value_attr) @@ -5309,9 +5311,9 @@ aes_unwrap( TEMPLATE *tmpl, } value_attr->type = CKA_VALUE; - value_attr->ulValueLen = key_size; + value_attr->ulValueLen = CCA_KEY_ID_SIZE; value_attr->pValue = (CK_BYTE *)value_attr + sizeof(CK_ATTRIBUTE); - memcpy( value_attr->pValue, ptr, key_size ); + memcpy( value_attr->pValue, ptr, CCA_KEY_ID_SIZE ); template_update_attribute( tmpl, value_attr ); diff --git a/usr/lib/pkcs11/cca_stdll/mech_aes.c b/usr/lib/pkcs11/cca_stdll/mech_aes.c index b14a45b..cd60ae3 100644 --- a/usr/lib/pkcs11/cca_stdll/mech_aes.c +++ b/usr/lib/pkcs11/cca_stdll/mech_aes.c @@ -39,7 +39,7 @@ aes_ecb_encrypt( SESSION *sess, { OBJECT *key = NULL; CK_ATTRIBUTE *attr = NULL; - CK_BYTE key_value[AES_KEY_SIZE_256]; + CK_BYTE key_value[CCA_KEY_ID_SIZE]; CK_KEY_TYPE keytype; CK_RV rc; @@ -104,7 +104,7 @@ aes_ecb_decrypt( SESSION *sess, { OBJECT *key = NULL; CK_ATTRIBUTE *attr = NULL; - CK_BYTE key_value[AES_KEY_SIZE_256]; + CK_BYTE key_value[CCA_KEY_ID_SIZE]; CK_KEY_TYPE keytype; CK_RV rc; @@ -170,7 +170,7 @@ aes_cbc_encrypt( SESSION *sess, { OBJECT *key = NULL; CK_ATTRIBUTE *attr = NULL; - CK_BYTE key_value[AES_KEY_SIZE_256]; + CK_BYTE key_value[CCA_KEY_ID_SIZE]; CK_KEY_TYPE keytype; CK_RV rc; @@ -236,7 +236,7 @@ aes_cbc_decrypt( SESSION *sess, { OBJECT *key = NULL; CK_ATTRIBUTE *attr = NULL; - CK_BYTE key_value[AES_KEY_SIZE_256]; + CK_BYTE key_value[CCA_KEY_ID_SIZE]; CK_KEY_TYPE keytype; CK_RV rc; @@ -304,7 +304,7 @@ aes_cbc_pad_encrypt( SESSION *sess, OBJECT *key = NULL; CK_ATTRIBUTE *attr = NULL; CK_BYTE *clear = NULL; - CK_BYTE key_value[AES_KEY_SIZE_256]; + CK_BYTE key_value[CCA_KEY_ID_SIZE]; CK_KEY_TYPE keytype; CK_ULONG padded_len; CK_RV rc; @@ -391,7 +391,7 @@ aes_cbc_pad_decrypt( SESSION *sess, OBJECT *key = NULL; CK_ATTRIBUTE *attr = NULL; CK_BYTE *clear = NULL; - CK_BYTE key_value[AES_KEY_SIZE_256]; + CK_BYTE key_value[CCA_KEY_ID_SIZE]; CK_KEY_TYPE keytype; CK_ULONG padded_len; CK_RV rc; @@ -479,7 +479,7 @@ aes_ecb_encrypt_update( SESSION *sess, CK_ATTRIBUTE * attr = NULL; OBJECT * key = NULL; CK_BYTE * clear = NULL; - CK_BYTE key_value[AES_KEY_SIZE_256]; + CK_BYTE key_value[CCA_KEY_ID_SIZE]; CK_KEY_TYPE keytype; CK_ULONG total, remain, out_len; CK_RV rc; @@ -579,7 +579,7 @@ aes_ecb_decrypt_update( SESSION *sess, CK_ATTRIBUTE * attr = NULL; OBJECT * key = NULL; CK_BYTE * cipher = NULL; - CK_BYTE key_value[AES_KEY_SIZE_256]; + CK_BYTE key_value[CCA_KEY_ID_SIZE]; CK_KEY_TYPE keytype; CK_ULONG total, remain, out_len; CK_RV rc; @@ -680,7 +680,7 @@ aes_cbc_encrypt_update( SESSION *sess, CK_ATTRIBUTE * attr = NULL; OBJECT * key = NULL; CK_BYTE * clear = NULL; - CK_BYTE key_value[AES_KEY_SIZE_256]; + CK_BYTE key_value[CCA_KEY_ID_SIZE]; CK_KEY_TYPE keytype; CK_ULONG total, remain, out_len; CK_RV rc; @@ -792,7 +792,7 @@ aes_cbc_decrypt_update( SESSION *sess, CK_ATTRIBUTE * attr = NULL; OBJECT * key = NULL; CK_BYTE * cipher = NULL; - CK_BYTE key_value[AES_KEY_SIZE_256]; + CK_BYTE key_value[CCA_KEY_ID_SIZE]; CK_KEY_TYPE keytype; CK_ULONG total, remain, out_len; CK_RV rc; @@ -905,7 +905,7 @@ aes_cbc_pad_encrypt_update( SESSION *sess, CK_ATTRIBUTE * attr = NULL; OBJECT * key = NULL; CK_BYTE * clear = NULL; - CK_BYTE key_value[AES_KEY_SIZE_256]; + CK_BYTE key_value[CCA_KEY_ID_SIZE]; CK_KEY_TYPE keytype; CK_ULONG total, remain, out_len; CK_RV rc; @@ -1021,7 +1021,7 @@ aes_cbc_pad_decrypt_update( SESSION *sess, CK_ATTRIBUTE * attr = NULL; OBJECT * key = NULL; CK_BYTE * cipher = NULL; - CK_BYTE key_value[AES_KEY_SIZE_256]; + CK_BYTE key_value[CCA_KEY_ID_SIZE]; CK_KEY_TYPE keytype; CK_ULONG total, remain, out_len; CK_RV rc; @@ -1273,7 +1273,7 @@ aes_cbc_pad_encrypt_final( SESSION *sess, OBJECT *key = NULL; CK_ATTRIBUTE *attr = NULL; CK_BYTE clear[2*AES_BLOCK_SIZE]; - CK_BYTE key_value[AES_KEY_SIZE_256]; + CK_BYTE key_value[CCA_KEY_ID_SIZE]; CK_KEY_TYPE keytype; CK_ULONG out_len; CK_RV rc; @@ -1353,7 +1353,7 @@ aes_cbc_pad_decrypt_final( SESSION *sess, OBJECT *key = NULL; CK_ATTRIBUTE *attr = NULL; CK_BYTE clear[AES_BLOCK_SIZE]; - CK_BYTE key_value[AES_KEY_SIZE_256]; + CK_BYTE key_value[CCA_KEY_ID_SIZE]; CK_KEY_TYPE keytype; CK_ULONG out_len; CK_RV rc; @@ -1454,7 +1454,7 @@ ckm_aes_key_gen( TEMPLATE *tmpl ) return CKR_ATTRIBUTE_VALUE_INVALID; } - if ((aes_key = (CK_BYTE *)malloc(key_size)) == NULL) { + if ((aes_key = (CK_BYTE *)malloc(CCA_KEY_ID_SIZE)) == NULL) { st_err_log(1, __FILE__, __LINE__); return CKR_HOST_MEMORY; } @@ -1464,7 +1464,7 @@ ckm_aes_key_gen( TEMPLATE *tmpl ) if (rc != CKR_OK) return rc; - value_attr = (CK_ATTRIBUTE *)malloc(sizeof(CK_ATTRIBUTE) + key_size ); + value_attr = (CK_ATTRIBUTE *)malloc(sizeof(CK_ATTRIBUTE) + CCA_KEY_ID_SIZE ); key_type_attr = (CK_ATTRIBUTE *)malloc(sizeof(CK_ATTRIBUTE) + sizeof(CK_KEY_TYPE) ); class_attr = (CK_ATTRIBUTE *)malloc(sizeof(CK_ATTRIBUTE) + sizeof(CK_OBJECT_CLASS) ); local_attr = (CK_ATTRIBUTE *)malloc(sizeof(CK_ATTRIBUTE) + sizeof(CK_BBOOL) ); @@ -1480,9 +1480,9 @@ ckm_aes_key_gen( TEMPLATE *tmpl ) } value_attr->type = CKA_VALUE; - value_attr->ulValueLen = key_size; + value_attr->ulValueLen = CCA_KEY_ID_SIZE; value_attr->pValue = (CK_BYTE *)value_attr + sizeof(CK_ATTRIBUTE); - memcpy( value_attr->pValue, aes_key, key_size ); + memcpy( value_attr->pValue, aes_key, CCA_KEY_ID_SIZE ); free(aes_key); @@ -1665,7 +1665,7 @@ ckm_aes_wrap_format( CK_BBOOL length_only, len2 = AES_BLOCK_SIZE * ((len1 / AES_BLOCK_SIZE) + 1); if (length_only == FALSE) { - ptr = (CK_BYTE *)realloc(*data, len2); + ptr = (CK_BYTE *)realloc(*data, CCA_KEY_ID_SIZE); if (!ptr){ st_err_log(0, __FILE__, __LINE__); return CKR_HOST_MEMORY; -- 1.6.6 ------------------------------------------------------------------------------ This SF.Net email is sponsored by the Verizon Developer Community Take advantage of Verizon's best-in-class app development support A streamlined, 14 day to market process makes app distribution fast and easy Join now and get one step closer to millions of Verizon customers http://p.sf.net/sfu/verizon-dev2dev _______________________________________________ Opencryptoki-tech mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/opencryptoki-tech
