xref: /onnv-gate/usr/src/uts/common/gssapi/mechs/krb5/crypto/encrypt.c (revision 7934:6aeeafc994de)
10Sstevel@tonic-gate /*
2*7934SMark.Phalan@Sun.COM  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
30Sstevel@tonic-gate  * Use is subject to license terms.
40Sstevel@tonic-gate  */
50Sstevel@tonic-gate 
60Sstevel@tonic-gate /*
70Sstevel@tonic-gate  * Copyright (C) 1998 by the FundsXpress, INC.
80Sstevel@tonic-gate  *
90Sstevel@tonic-gate  * All rights reserved.
100Sstevel@tonic-gate  *
110Sstevel@tonic-gate  * Export of this software from the United States of America may require
120Sstevel@tonic-gate  * a specific license from the United States Government.  It is the
130Sstevel@tonic-gate  * responsibility of any person or organization contemplating export to
140Sstevel@tonic-gate  * obtain such a license before exporting.
150Sstevel@tonic-gate  *
160Sstevel@tonic-gate  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
170Sstevel@tonic-gate  * distribute this software and its documentation for any purpose and
180Sstevel@tonic-gate  * without fee is hereby granted, provided that the above copyright
190Sstevel@tonic-gate  * notice appear in all copies and that both that copyright notice and
200Sstevel@tonic-gate  * this permission notice appear in supporting documentation, and that
210Sstevel@tonic-gate  * the name of FundsXpress. not be used in advertising or publicity pertaining
220Sstevel@tonic-gate  * to distribution of the software without specific, written prior
230Sstevel@tonic-gate  * permission.  FundsXpress makes no representations about the suitability of
240Sstevel@tonic-gate  * this software for any purpose.  It is provided "as is" without express
250Sstevel@tonic-gate  * or implied warranty.
260Sstevel@tonic-gate  *
270Sstevel@tonic-gate  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
280Sstevel@tonic-gate  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
290Sstevel@tonic-gate  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
300Sstevel@tonic-gate  */
310Sstevel@tonic-gate 
32*7934SMark.Phalan@Sun.COM #include "k5-int.h"
33*7934SMark.Phalan@Sun.COM #include "etypes.h"
340Sstevel@tonic-gate 
350Sstevel@tonic-gate 
360Sstevel@tonic-gate #ifdef _KERNEL
/*
 * update_key_template
 *  Ask the kernel crypto framework for a context template for `key',
 *  using the mechanism already recorded in key->kef_mt and no
 *  mechanism parameters.  The template is stored in key->key_tmpl;
 *  per the original author's note it exists to speed up later HMAC
 *  operations.
 *
 *  Returns 0 on success, when `key' is NULL, or when the provider
 *  reports CRYPTO_NOT_SUPPORTED (key->key_tmpl is then set to NULL).
 *  Any other framework error is logged and mapped to KRB5_KEF_ERROR.
 *
 *  NOTE(review): a NULL key is reported as success, so a caller cannot
 *  tell "nothing to do" from "template created" by the return value.
 */
krb5_error_code
update_key_template(krb5_keyblock *key)
{
	crypto_mechanism_t tmpl_mech;
	int kcf_rv;

	KRB5_LOG0(KRB5_INFO, "update_key_template()");
	if (key == NULL)
		return (0);

	/* Describe the mechanism: type from the key, no parameters. */
	tmpl_mech.cm_type = key->kef_mt;
	tmpl_mech.cm_param = NULL;
	tmpl_mech.cm_param_len = 0;

	/* KM_SLEEP is passed as the allocation flag for the template. */
	kcf_rv = crypto_create_ctx_template(&tmpl_mech, &key->kef_key,
	    &key->key_tmpl, KM_SLEEP);

	if (kcf_rv == CRYPTO_SUCCESS)
		return (0);

	if (kcf_rv == CRYPTO_NOT_SUPPORTED) {
		/*
		 * Some mechs don't support context templates; that is
		 * not an error, the key is simply used without one.
		 */
		key->key_tmpl = NULL;
		return (0);
	}

	/*
	 * Real failure.  key->key_tmpl is left as the framework call
	 * left it; callers must not rely on it after KRB5_KEF_ERROR.
	 */
	KRB5_LOG(KRB5_ERR,"crypto_create_ctx_template "
		"error: %0x", kcf_rv);
	return (KRB5_KEF_ERROR);
}
/*
 * init_key_kef
 *  Fill in the Kernel Encryption Framework (KEF) fields of a
 *  krb5_keyblock so it can be handed to the kernel crypto calls.
 *
 *  - kef_key.ck_data is pointed at key->contents if it is not already
 *    set.  This is an alias, not a copy: the raw key bytes stay owned
 *    by key->contents, and their lifetime and eventual zeroization
 *    are governed by whoever owns the keyblock.
 *  - kef_key.ck_length is the key length in bits, the format is
 *    CRYPTO_KEY_RAW, and kef_mt records `mech_type'.
 *  - A context template is built via update_key_template() only when
 *    none is cached and `mech_type' is not CRYPTO_MECH_INVALID.
 *
 *  Returns 0 when `key' is NULL or no template was needed, otherwise
 *  the result of update_key_template().
 *
 *  NOTE(review): an existing key_tmpl is kept even if `mech_type'
 *  differs from the mechanism it was created for, and an existing
 *  ck_data pointer is kept while ck_length is recomputed - confirm
 *  callers never re-initialize a key with a different mechanism or
 *  different contents.
 */
krb5_error_code
init_key_kef(crypto_mech_type_t mech_type, krb5_keyblock *key)
{
	KRB5_LOG0(KRB5_INFO, "init_key_kef()");
	if (key == NULL)
		return (0);

	if (key->kef_key.ck_data == NULL)
		key->kef_key.ck_data = key->contents;

	/* kef keys are measured in bits, krb5 key lengths in bytes */
	key->kef_key.ck_length = key->length * 8;
	key->kef_key.ck_format = CRYPTO_KEY_RAW;
	key->kef_mt = mech_type;

	/* Nothing more to do if a template is cached or the mech is unusable. */
	if (mech_type == CRYPTO_MECH_INVALID || key->key_tmpl != NULL)
		return (0);

	return (update_key_template(key));
}
1030Sstevel@tonic-gate #else
1040Sstevel@tonic-gate 
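/*
 * init_key_uef
 *  Initialize the Userland Encryption Framework fields of the
 *  key block: create a PKCS#11 session object holding the key bytes
 *  and cache its handle in key->hKey.
 *
 *  hSession - PKCS#11 session in which the key object is created.
 *  key      - keyblock to initialize; must not be NULL (it is
 *             dereferenced unconditionally).
 *
 *  Returns CKR_OK (0) if the key already has a handle valid for this
 *  process or the object was created, PKCS_ERR otherwise.  On any
 *  failure key->hKey is CK_INVALID_HANDLE, so a later call retries
 *  instead of reusing a handle that is not valid in this process.
 *
 *  The raw key bytes are passed to the token as CKA_VALUE.  Only
 *  CKA_TOKEN, CKA_ENCRYPT and CKA_DECRYPT are set explicitly; every
 *  other attribute is left to the provider's defaults.
 */
krb5_error_code
init_key_uef(CK_SESSION_HANDLE hSession, krb5_keyblock *key)
{
	CK_RV rv = CKR_OK;
	CK_OBJECT_CLASS class = CKO_SECRET_KEY;
	CK_KEY_TYPE keyType;
	CK_BBOOL ck_true = TRUE, ck_false = FALSE;
	CK_ATTRIBUTE template[6];

	/*
	 * If it is already initialized, return OK.
	 *
	 * fork safety: if the key->pid != __krb5_current_pid then a fork has
	 * taken place and the pkcs11 key handle must be re-acquired.
	 */
	if ((key->hKey != CK_INVALID_HANDLE) &&
	    (key->pid == __krb5_current_pid))
		return (rv);

	/*
	 * fork safety: the pid is claimed before the handle is re-acquired,
	 * so drop any handle inherited from another process first.  If it
	 * were kept and the steps below failed, the cache check above would
	 * succeed on the next call and hand back a handle that is stale in
	 * this process.
	 */
	key->hKey = CK_INVALID_HANDLE;
	key->pid = __krb5_current_pid;

	if ((rv = get_key_type(key->enctype, &keyType)) != CKR_OK) {
		KRB5_LOG0(KRB5_ERR, "failure to get key type in function "
		    "init_key_uef.");
		return (PKCS_ERR);
	}

	/* Secret-key session object usable for encrypt and decrypt. */
	template[0].type = CKA_CLASS;
	template[0].pValue = &class;
	template[0].ulValueLen = sizeof (class);
	template[1].type = CKA_KEY_TYPE;
	template[1].pValue = &keyType;
	template[1].ulValueLen = sizeof (keyType);
	template[2].type = CKA_TOKEN;
	template[2].pValue = &ck_false;
	template[2].ulValueLen = sizeof (ck_false);
	template[3].type = CKA_ENCRYPT;
	template[3].pValue = &ck_true;
	template[3].ulValueLen = sizeof (ck_true);
	template[4].type = CKA_DECRYPT;
	template[4].pValue = &ck_true;
	template[4].ulValueLen = sizeof (ck_true);
	template[5].type = CKA_VALUE;
	template[5].pValue = key->contents;
	template[5].ulValueLen = key->length;

	/* Create an object handle for the key */
	if ((rv = C_CreateObject(hSession, template,
	    sizeof (template) / sizeof (template[0]),
	    &key->hKey)) != CKR_OK) {

		KRB5_LOG(KRB5_ERR, "C_CreateObject failed in "
		    "init_key_uef: rv = 0x%x.", rv);
		/* Do not trust whatever the failed call left in hKey. */
		key->hKey = CK_INVALID_HANDLE;
		rv = PKCS_ERR;
	}

	return (rv);
}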
1700Sstevel@tonic-gate 
1710Sstevel@tonic-gate #endif /* _KERNEL */
1720Sstevel@tonic-gate 
/*
 * krb5_c_encrypt
 *  Encrypt `input' under `key' for key usage `usage' and store the
 *  result in output->ciphertext, dispatching to the encrypt routine
 *  registered for key->enctype in krb5_enctypes_list.
 *
 *  Returns KRB5_BAD_ENCTYPE if the enctype is not in the table, the
 *  error from key initialization if that fails, otherwise whatever
 *  the enctype's encrypt routine returns.
 *
 *  Points a caller should know:
 *  - `key' and `output' are dereferenced without a NULL check.
 *  - Although `key' is declared const, the const is cast away so the
 *    keyblock can carry cached crypto-framework state (KEF fields in
 *    the kernel, a PKCS#11 handle in userland).  NOTE(review): a
 *    keyblock shared between threads is therefore written to here -
 *    confirm callers serialize access.
 *  - In the kernel build the context's kef_cipher_mt/kef_hash_mt are
 *    overwritten on every call.
 *  - output->kvno is always set to 0; output->ciphertext is passed to
 *    the encrypt routine as-is, so presumably the caller must have
 *    sized it beforehand - confirm against callers.
 */
/*ARGSUSED*/
krb5_error_code KRB5_CALLCONV
krb5_c_encrypt(krb5_context context, const krb5_keyblock *key,
	       krb5_keyusage usage, const krb5_data *ivec,
	       const krb5_data *input, krb5_enc_data *output)
{
    krb5_error_code ret;
    int idx;

    KRB5_LOG(KRB5_INFO, "krb5_c_encrypt start etype = %d", key->enctype);

    /* Linear search of the enctype table for this key's enctype. */
    idx = 0;
    while (idx < krb5_enctypes_length) {
	if (krb5_enctypes_list[idx].etype == key->enctype)
	    break;
	idx++;
    }

    if (idx == krb5_enctypes_length)
	return(KRB5_BAD_ENCTYPE);

    /* Header of the encrypted-data record; kvno is not known here. */
    output->magic = KV5M_ENC_DATA;
    output->kvno = 0;
    output->enctype = key->enctype;

#ifdef _KERNEL
    /* Record the kernel mechanisms for this enctype in the context. */
    context->kef_cipher_mt = krb5_enctypes_list[idx].kef_cipher_mt;
    context->kef_hash_mt = krb5_enctypes_list[idx].kef_hash_mt;

    /* Lazily set up the KEF view of the key the first time it is used. */
    if (key->kef_key.ck_data == NULL) {
	ret = init_key_kef(context->kef_cipher_mt, (krb5_keyblock *)key);
	if (ret != 0)
	    return(ret);
    }
#else
    /* Make sure the key has a PKCS#11 handle valid in this process. */
    ret = init_key_uef(krb_ctx_hSession(context), (krb5_keyblock *)key);
    if (ret != 0)
	return (ret);

#endif /* _KERNEL */

    KRB5_LOG0(KRB5_INFO, "krb5_c_encrypt calling encrypt.");
    return (krb5_enctypes_list[idx].encrypt(context,
	krb5_enctypes_list[idx].enc, krb5_enctypes_list[idx].hash,
	key, usage, ivec, input, &output->ciphertext));
}