authorGarrett D'Amore <garrett@nexenta.com>2010-09-12 10:25:50 -0700
committerGarrett D'Amore <garrett@nexenta.com>2010-09-12 10:25:50 -0700
commit6ea3c0609e50782557505b88bb391b786bca32c9 (patch)
treee5aa493b37991b2e12f8cdbeca325b8ab1c39c3f /usr/src/lib/pkcs11/pkcs11_softtoken/common
parentfe4be5acd083aa938dc37365d54b7fc4c0544d43 (diff)
6 Need open kcfd
Reviewed by: gwr@nexenta.com, richlowe@richlowe.net, matt@greenviolet.net Approved by: richlowe@richlowe.net
Diffstat (limited to 'usr/src/lib/pkcs11/pkcs11_softtoken/common')
-rw-r--r--usr/src/lib/pkcs11/pkcs11_softtoken/common/softFipsPost.c160
-rw-r--r--usr/src/lib/pkcs11/pkcs11_softtoken/common/softFipsPostUtil.c175
-rw-r--r--usr/src/lib/pkcs11/pkcs11_softtoken/common/softGeneral.c12
-rw-r--r--usr/src/lib/pkcs11/pkcs11_softtoken/common/softGlobal.h3
-rw-r--r--usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeysUtil.c29
5 files changed, 0 insertions, 379 deletions
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softFipsPost.c b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softFipsPost.c
deleted file mode 100644
index 7fdec8d5cf..0000000000
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softFipsPost.c
+++ /dev/null
@@ -1,160 +0,0 @@
-/*
- * CDDL HEADER START
- *
- * The contents of this file are subject to the terms of the
- * Common Development and Distribution License (the "License").
- * You may not use this file except in compliance with the License.
- *
- * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
- * or http://www.opensolaris.org/os/licensing.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- *
- * When distributing Covered Code, include this CDDL HEADER in each
- * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
- * If applicable, add the following below this CDDL HEADER, with the
- * fields enclosed by brackets "[]" replaced with your own identifying
- * information: Portions Copyright [yyyy] [name of copyright owner]
- *
- * CDDL HEADER END
- */
-
-/*
- * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
- */
-
-#include <stdlib.h>
-#include <string.h>
-#include <strings.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <security/cryptoki.h>
-#include <sys/sha1.h>
-#include <sys/sha2.h>
-#include "softMAC.h"
-#define _AES_FIPS_POST
-#define _DES_FIPS_POST
-#include "softCrypt.h"
-#define _DSA_FIPS_POST
-#include <dsa_impl.h>
-#define _RSA_FIPS_POST
-#include <rsa_impl.h>
-#include <sha1_impl.h>
-#include <sha2_impl.h>
-#include <fips_random.h>
-
-
-extern int fips_ecdsa_post(void);
-
-
-/*
- * FIPS Power-on SelfTest for the supported FIPS ciphers and
- * components.
- */
-CK_RV
-soft_fips_post(void)
-{
- CK_RV rv;
-
- /*
- * SHA-1 Power-On SelfTest.
- *
- * 1. SHA-1 POST
- * 2. HMAC SHA-1 POST
- */
- rv = fips_sha1_post();
- if (rv != CKR_OK)
- return (rv);
-
- /*
- * SHA-2 Power-On SelfTest.
- *
- * 1. SHA-256 POST
- * 2. SHA-384 POST
- * 3. SHA-512 POST
- * 4. HMAC SHA-256 POST
- * 5. HMAC SHA-384 POST
- * 6. HMAC SHA-512 POST
- */
- rv = fips_sha2_post();
-
- if (rv != CKR_OK)
- return (rv);
-
-
- /*
- * Triple DES Power-On SelfTest.
- *
- * 1. DES3 ECB Encryption/Decryption
- * 2. DES3 CBC Encryption/Decryption
- */
- rv = fips_des3_post();
-
- if (rv != CKR_OK)
- return (rv);
-
- /* AES Power-On SelfTest for 128-bit key. */
- rv = fips_aes_post(FIPS_AES_128_KEY_SIZE);
-
- if (rv != CKR_OK)
- return (rv);
-
- /* AES Power-On SelfTest for 192-bit key. */
- rv = fips_aes_post(FIPS_AES_192_KEY_SIZE);
-
- if (rv != CKR_OK)
- return (rv);
-
- /* AES Power-On SelfTest for 256-bit key. */
- rv = fips_aes_post(FIPS_AES_256_KEY_SIZE);
-
- if (rv != CKR_OK)
- return (rv);
-
- /*
- * ECDSA Power-Up SelfTest
- *
- * 1. ECC Signature
- * 2. ECC Verification
- */
- rv = fips_ecdsa_post();
-
- if (rv != CKR_OK)
- return (rv);
-
- /*
- * RSA Power-On SelfTest
- *
- * 1. RSA Encryption
- * 2. RSA Decryption
- * 3. RSA SHA-1 Sign/Verify
- * 4. RSA SHA-256 Sign/Verify
- * 5. RSA SHA-384 Sign/Verify
- * 6. RSA SHA-512 Sign/Verify
- *
- */
- rv = fips_rsa_post();
-
- if (rv != CKR_OK)
- return (rv);
-
- /*
- * DSA Power-On SelfTest
- *
- * 1. DSA Sign on SHA-1 digest
- * 2. DSA Verification
- */
- rv = fips_dsa_post();
-
- if (rv != CKR_OK)
- return (rv);
-
- /* RNG Power-On SelfTest. */
- rv = fips_rng_post();
-
- if (rv != CKR_OK)
- return (rv);
-
- /* Passed Power-On SelfTest. */
- return (CKR_OK);
-}
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softFipsPostUtil.c b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softFipsPostUtil.c
deleted file mode 100644
index 7cdb65edc8..0000000000
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softFipsPostUtil.c
+++ /dev/null
@@ -1,175 +0,0 @@
-/*
- * CDDL HEADER START
- *
- * The contents of this file are subject to the terms of the
- * Common Development and Distribution License (the "License").
- * You may not use this file except in compliance with the License.
- *
- * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
- * or http://www.opensolaris.org/os/licensing.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- *
- * When distributing Covered Code, include this CDDL HEADER in each
- * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
- * If applicable, add the following below this CDDL HEADER, with the
- * fields enclosed by brackets "[]" replaced with your own identifying
- * information: Portions Copyright [yyyy] [name of copyright owner]
- *
- * CDDL HEADER END
- */
-
-/*
- * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
- */
-
-#include <sys/types.h>
-#include <sys/errno.h>
-#include <sys/fcntl.h>
-#include <sys/time.h>
-#include <sys/unistd.h>
-#include <sys/kmem.h>
-#include <sys/systm.h>
-#include <sys/sysmacros.h>
-#include <sys/sha1.h>
-#define _SHA2_IMPL
-#include <sys/sha2.h>
-#include <sys/crypto/common.h>
-#include <modes/modes.h>
-#include <stdlib.h>
-#include <string.h>
-#include <strings.h>
-#include <stdio.h>
-#include <security/cryptoki.h>
-#include <cryptoutil.h>
-#include "softCrypt.h"
-#include "softGlobal.h"
-#include "softRSA.h"
-#include "softDSA.h"
-#include "softOps.h"
-#include "softMAC.h"
-#include <fips_post.h>
-
-#define MAX_ECKEY_LEN 72
-
-
-/*
- * FIPS 140-2 pairwise consistency check utilized to validate key pair.
- *
- * This function returns
- * CKR_OK if pairwise consistency check passed
- * CKR_GENERAL_ERROR if pairwise consistency check failed
- * other error codes if pairwise consistency check could not be
- * performed, for example, CKR_HOST_MEMORY.
- *
- * Key type Mechanism type
- * --------------------------------
- *
- * For sign/verify: CKK_RSA => CKM_SHA1_RSA_PKCS
- * CKK_DSA => CKM_DSA_SHA1
- * CKK_EC => CKM_ECDSA_SHA1
- * others => CKM_INVALID_MECHANISM
- *
- * None of these mechanisms has a parameter.
- */
-CK_RV
-fips_pairwise_check(soft_session_t *session_p,
- soft_object_t *publicKey, soft_object_t *privateKey,
- CK_KEY_TYPE keyType)
-{
-
- CK_MECHANISM mech = {0, NULL, 0};
- uchar_t modulus[MAX_KEY_ATTR_BUFLEN];
- uint32_t modulus_len = sizeof (modulus);
- boolean_t can_sign_verify = B_FALSE;
- CK_RV rv;
-
- /* Variables used for Signature/Verification functions. */
- /* always uses SHA-1 digest */
- unsigned char *known_digest = (unsigned char *)"OpenSolarisCommunity";
- unsigned char *signature;
- CK_ULONG signature_length;
-
- if (keyType == CKK_RSA) {
- /* Get modulus length of private key. */
- rv = soft_get_private_value(privateKey, CKA_MODULUS,
- modulus, &modulus_len);
- if (rv != CKR_OK) {
- return (CKR_DEVICE_ERROR);
- }
- }
-
- /*
- * Pairwise Consistency Check of Sign/Verify
- */
-
- /* Check to see if key object supports signature. */
- can_sign_verify = (privateKey->bool_attr_mask & SIGN_BOOL_ON);
-
- if (can_sign_verify) {
- /* Determine length of signature. */
- switch (keyType) {
- case CKK_RSA:
- signature_length = modulus_len;
- mech.mechanism = CKM_SHA1_RSA_PKCS;
- break;
-
- case CKK_DSA:
- signature_length = FIPS_DSA_SIGNATURE_LENGTH;
- mech.mechanism = CKM_DSA_SHA1;
- break;
-
- case CKK_EC:
- signature_length = MAX_ECKEY_LEN * 2;
- mech.mechanism = CKM_ECDSA_SHA1;
- break;
-
- default:
- return (CKR_DEVICE_ERROR);
- }
-
- /* Allocate space for signature data. */
- signature = (unsigned char *) calloc(1, signature_length);
- if (signature == NULL) {
- return (CKR_HOST_MEMORY);
- }
-
- /* Sign the known hash using the private key. */
- rv = soft_sign_init(session_p, &mech, privateKey);
- if (rv != CKR_OK) {
- free(signature);
- return (rv);
- }
-
- rv = soft_sign(session_p, known_digest, PAIRWISE_DIGEST_LENGTH,
- signature, &signature_length);
- if (rv != CKR_OK) {
- free(signature);
- return (rv);
- }
-
- /* Verify the known hash using the public key. */
- rv = soft_verify_init(session_p, &mech, publicKey);
- if (rv != CKR_OK) {
- free(signature);
- return (rv);
- }
-
- rv = soft_verify(session_p, known_digest,
- PAIRWISE_DIGEST_LENGTH, signature,
- signature_length);
-
- /* Free signature data. */
- free(signature);
- if ((rv == CKR_SIGNATURE_LEN_RANGE) ||
- (rv == CKR_SIGNATURE_INVALID)) {
- return (CKR_GENERAL_ERROR);
- }
-
- if (rv != CKR_OK) {
- return (rv);
- }
- }
-
- return (CKR_OK);
-}
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softGeneral.c b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softGeneral.c
index d8a36a7b3f..396a3c5bf4 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softGeneral.c
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softGeneral.c
@@ -129,9 +129,6 @@ ses_to_be_freed_list_t ses_delay_freed;
/* protects softtoken_initialized and access to C_Initialize/C_Finalize */
pthread_mutex_t soft_giant_mutex = PTHREAD_MUTEX_INITIALIZER;
-/* fips mode setting */
-int softtoken_fips_mode = CRYPTO_FIPS_MODE_DISABLED;
-
static CK_RV finalize_common(boolean_t force, CK_VOID_PTR pReserved);
static void softtoken_init();
static void softtoken_fini();
@@ -278,15 +275,6 @@ C_Initialize(CK_VOID_PTR pInitArgs)
ses_delay_freed.first = NULL;
ses_delay_freed.last = NULL;
- /*
- * Perform POST when fips mode is enabled.
- */
- if ((rv = get_fips_mode(&softtoken_fips_mode)) == CKR_OK) {
- if (softtoken_fips_mode == CRYPTO_FIPS_MODE_ENABLED) {
- rv = soft_fips_post();
- }
- }
-
if (rv != CKR_OK) {
(void) pthread_mutex_destroy(
&ses_delay_freed.ses_to_be_free_mutex);
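Review bot: The `if (rv != CKR_OK)` cleanup branch kept in C_Initialize after the removed block no longer has a visible writer of `rv`; within this hunk the deleted `get_fips_mode()` and `soft_fips_post()` calls were the only assignments ahead of it. C_Initialize starts and continues outside the hunk, so it cannot be confirmed from these lines whether an earlier call can still leave `rv` non-OK at this point. If none can, the branch and its mutex teardown are unreachable. Either drop the branch or say what it guards, for example `/* rv: result of the earlier init step; FIPS POST no longer runs here */`. The comment also helps anyone auditing the token, because after this change C_Initialize runs no power-on self-test and `soft_fips_post()` itself is deleted.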
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softGlobal.h b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softGlobal.h
index a9cb8ab446..bbb4d73152 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softGlobal.h
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softGlobal.h
@@ -41,7 +41,6 @@ extern pthread_mutex_t soft_giant_mutex;
extern struct slot soft_slot;
extern struct obj_to_be_freed_list obj_delay_freed;
extern struct ses_to_be_freed_list ses_delay_freed;
-extern int softtoken_fips_mode;
#define SOFTTOKEN_SLOTID 1
@@ -71,8 +70,6 @@ extern int softtoken_fips_mode;
CKF_DUAL_CRYPTO_OPERATIONS|\
CKF_TOKEN_INITIALIZED
-extern CK_RV soft_fips_post(void);
-
#ifdef __cplusplus
}
#endif
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeysUtil.c b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeysUtil.c
index 778f63d3e6..a48ade7224 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeysUtil.c
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeysUtil.c
@@ -52,9 +52,6 @@
#define local_min(a, b) ((a) < (b) ? (a) : (b))
-extern CK_RV fips_pairwise_check(soft_session_t *,
- soft_object_t *, soft_object_t *, CK_KEY_TYPE);
-
static CK_RV
soft_pkcs12_pbe(soft_session_t *, CK_MECHANISM_PTR, soft_object_t *);
@@ -519,32 +516,6 @@ soft_genkey_pair(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
return (rv);
}
- /*
- * FIPS 140-2 pairwise consistency check utilized to
- * validate key pair
- */
- if ((key_type == CKK_RSA) || (key_type == CKK_DSA) ||
- (key_type == CKK_EC)) {
- if (softtoken_fips_mode == CRYPTO_FIPS_MODE_ENABLED) {
- rv = fips_pairwise_check(session_p, public_key,
- private_key, key_type);
- if (rv != CKR_OK) {
- if (IS_TOKEN_OBJECT(public_key)) {
- soft_delete_token_object(public_key,
- B_FALSE, B_FALSE);
- soft_delete_token_object(private_key,
- B_FALSE, B_FALSE);
- } else {
- soft_delete_object(session_p,
- public_key, B_FALSE, B_FALSE);
- soft_delete_object(session_p,
- private_key, B_FALSE, B_FALSE);
- }
- return (rv);
- }
- }
- }
-
if (IS_TOKEN_OBJECT(public_key)) {
/*
* All the info has been filled, so we can write to