diff options
| author | Jason King <jason.king@joyent.com> | 2018-01-25 18:49:57 +0000 |
|---|---|---|
| committer | Jason King <jason.king@joyent.com> | 2018-10-04 21:14:57 -0500 |
| commit | 80ecbe59bad54b13cd87628cff232f7fd4335b4b (patch) | |
| tree | 22a630e6c4ffef3ea824cba5374c9d2b4d233464 /usr/src/lib/pkcs11/pkcs11_kernel/common/kernelDecrypt.c | |
| parent | 4c14c4cff5adaaa79d7099e153c3ace3a0d65148 (diff) | |
| download | illumos-joyent-80ecbe59bad54b13cd87628cff232f7fd4335b4b.tar.gz | |
OS-6576 Add CCM and GCM mode support to AES in pkcs11_softtokenOS-6576
Reviewed by: Dan McDonald <danmcd@joyent.com>
Reviewed by: Robert Mustacchi <rm@joyent.com>
Approved by: Dan McDonald <danmcd@joyent.com>
Diffstat (limited to 'usr/src/lib/pkcs11/pkcs11_kernel/common/kernelDecrypt.c')
| -rw-r--r-- | usr/src/lib/pkcs11/pkcs11_kernel/common/kernelDecrypt.c | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/usr/src/lib/pkcs11/pkcs11_kernel/common/kernelDecrypt.c b/usr/src/lib/pkcs11/pkcs11_kernel/common/kernelDecrypt.c index 57b5cbae3a..916bdc0625 100644 --- a/usr/src/lib/pkcs11/pkcs11_kernel/common/kernelDecrypt.c +++ b/usr/src/lib/pkcs11/pkcs11_kernel/common/kernelDecrypt.c @@ -21,6 +21,7 @@ /* * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. + * Copyright 2018, Joyent, Inc. */ #include <pthread.h> @@ -45,6 +46,7 @@ kernel_decrypt_init(kernel_session_t *session_p, kernel_object_t *key_p, crypto_mech_type_t k_mech_type; boolean_t ses_lock_held = B_FALSE; int r; + CK_AES_CCM_PARAMS ccm_params = { 0 }; /* Check to see if key object allows for decryption. */ if (key_p->is_lib_obj && !(key_p->bool_attr_mask & DECRYPT_BOOL_ON)) { @@ -109,6 +111,23 @@ kernel_decrypt_init(kernel_session_t *session_p, kernel_object_t *key_p, decrypt_init.di_mech.cm_param = pMechanism->pParameter; decrypt_init.di_mech.cm_param_len = pMechanism->ulParameterLen; + /* + * PKCS#11 uses CK_CCM_PARAMS as its mechanism parameter, while the + * kernel uses CK_AES_CCM_PARAMS. Unlike + * CK_GCM_PARAMS / CK_AES_GCM_PARAMS, the two definitions are not + * equivalent -- the fields are defined in different orders, so + * we must translate. + */ + if (session_p->decrypt.mech.mechanism == CKM_AES_CCM) { + if (pMechanism->ulParameterLen != sizeof (CK_CCM_PARAMS)) { + rv = CKR_MECHANISM_PARAM_INVALID; + goto clean_exit; + } + p11_to_kernel_ccm_params(pMechanism->pParameter, &ccm_params); + decrypt_init.di_mech.cm_param = (caddr_t)&ccm_params; + decrypt_init.di_mech.cm_param_len = sizeof (ccm_params); + } + while ((r = ioctl(kernel_fd, CRYPTO_DECRYPT_INIT, &decrypt_init)) < 0) { if (errno != EINTR) break; @@ -129,7 +148,10 @@ kernel_decrypt_init(kernel_session_t *session_p, kernel_object_t *key_p, } clean_exit: - + /* + * ccm_params does not contain any key material -- just lengths and + * pointers, therefore it does not need to be zeroed on exit. + */ if (!ses_lock_held) { (void) pthread_mutex_lock(&session_p->session_mutex); ses_lock_held = B_TRUE; |