Blame SOURCES/0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch

253609
From 51ed2d7171e5423cfec86c36ffa32e8e9e0de01c Mon Sep 17 00:00:00 2001
253609
From: Ingo Franzki <ifranzki@linux.ibm.com>
253609
Date: Tue, 1 Mar 2022 16:55:01 +0100
253609
Subject: [PATCH 27/34] EP11: Add support for encrypt/decrypt and KEM
253609
 operations with Kyber
253609
253609
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
253609
---
253609
 usr/lib/ep11_stdll/ep11_specific.c | 174 ++++++++++++++++++++++++++++++++++---
253609
 usr/lib/ep11_stdll/new_host.c      |  24 +++--
253609
 2 files changed, 180 insertions(+), 18 deletions(-)
253609
253609
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
253609
index bc17b07a..9efce053 100644
253609
--- a/usr/lib/ep11_stdll/ep11_specific.c
253609
+++ b/usr/lib/ep11_stdll/ep11_specific.c
253609
@@ -5196,6 +5196,126 @@ CK_RV token_specific_aes_cmac(STDLL_TokData_t *tokdata,
253609
     return rc;
253609
 }
253609
 
253609
+struct EP11_KYBER_MECH {
253609
+    CK_MECHANISM mech;
253609
+    struct XCP_KYBER_KEM_PARAMS params;
253609
+};
253609
+
253609
+static CK_RV ep11tok_kyber_mech_pre_process(STDLL_TokData_t *tokdata,
253609
+                                            CK_MECHANISM *mech,
253609
+                                            struct EP11_KYBER_MECH *mech_ep11,
253609
+                                            OBJECT **secret_key_obj)
253609
+{
253609
+    CK_IBM_KYBER_PARAMS *kyber_params;
253609
+    CK_RV rc;
253609
+
253609
+    kyber_params = mech->pParameter;
253609
+    if (mech->ulParameterLen != sizeof(CK_IBM_KYBER_PARAMS)) {
253609
+        TRACE_ERROR("Mechanism parameter length not as expected\n");
253609
+        return CKR_MECHANISM_PARAM_INVALID;
253609
+    }
253609
+
253609
+    if (kyber_params->ulVersion != CK_IBM_KYBER_KEM_VERSION) {
253609
+        TRACE_ERROR("Unsupported version in Kyber mechanism param\n");
253609
+        return CKR_MECHANISM_PARAM_INVALID;
253609
+    }
253609
+
253609
+    mech_ep11->mech.mechanism = mech->mechanism;
253609
+    mech_ep11->mech.pParameter = &mech_ep11->params;
253609
+    mech_ep11->mech.ulParameterLen = sizeof(mech_ep11->params);
253609
+
253609
+    memset(&mech_ep11->params, 0, sizeof(mech_ep11->params));
253609
+    mech_ep11->params.version = XCP_KYBER_KEM_VERSION;
253609
+    mech_ep11->params.mode = kyber_params->mode;
253609
+    mech_ep11->params.kdf = kyber_params->kdf;
253609
+    mech_ep11->params.prepend = kyber_params->bPrepend;
253609
+    mech_ep11->params.pSharedData = kyber_params->pSharedData;
253609
+    mech_ep11->params.ulSharedDataLen = kyber_params->ulSharedDataLen;
253609
+
253609
+    switch (kyber_params->mode) {
253609
+    case CK_IBM_KYBER_KEM_ENCAPSULATE:
253609
+        if (kyber_params->ulCipherLen > 0 && kyber_params->pCipher == NULL) {
253609
+            TRACE_ERROR("Unsupported cipher buffer in Kyber mechnism param "
253609
+                        "cannot be NULL\n");
253609
+            return CKR_MECHANISM_PARAM_INVALID;
253609
+        }
253609
+
253609
+        mech_ep11->params.pCipher = NULL;
253609
+        mech_ep11->params.ulCipherLen = 0;
253609
+        /* Cipher is returned in 2nd output param of m_DeriveKey */
253609
+        break;
253609
+
253609
+    case CK_IBM_KEM_DECAPSULATE:
253609
+        mech_ep11->params.pCipher = kyber_params->pCipher;
253609
+        mech_ep11->params.ulCipherLen = kyber_params->ulCipherLen;
253609
+        break;
253609
+
253609
+    default:
253609
+        TRACE_ERROR("Unsupported mode in Kyber mechanism param\n");
253609
+        return CKR_MECHANISM_PARAM_INVALID;
253609
+    }
253609
+
253609
+    if (kyber_params->bPrepend) {
253609
+        rc = h_opaque_2_blob(tokdata, kyber_params->hSecret,
253609
+                             &mech_ep11->params.pBlob,
253609
+                             &mech_ep11->params.ulBlobLen,
253609
+                             secret_key_obj, READ_LOCK);
253609
+         if (rc != CKR_OK) {
253609
+             TRACE_ERROR("%s failed hSecret=0x%lx\n", __func__,
253609
+                        kyber_params->hSecret);
253609
+             return rc;
253609
+         }
253609
+    }
253609
+
253609
+    return CKR_OK;
253609
+}
253609
+
253609
+static CK_RV ep11tok_kyber_mech_post_process(STDLL_TokData_t *tokdata,
253609
+                                             CK_MECHANISM *mech,
253609
+                                             CK_BYTE *csum, CK_ULONG cslen)
253609
+{
253609
+    CK_IBM_KYBER_PARAMS *kyber_params;
253609
+    CK_ULONG cipher_len;
253609
+
253609
+    UNUSED(tokdata);
253609
+
253609
+    kyber_params = mech->pParameter;
253609
+    if (mech->ulParameterLen != sizeof(CK_IBM_KYBER_PARAMS)) {
253609
+        TRACE_ERROR("Mechanism parameter length not as expected\n");
253609
+        return CKR_MECHANISM_PARAM_INVALID;
253609
+    }
253609
+
253609
+    if (kyber_params->mode != CK_IBM_KYBER_KEM_ENCAPSULATE)
253609
+        return CKR_OK;
253609
+
253609
+    /*
253609
+     * For encapsulate:
253609
+     * Generated cipher is returned in csum prepended with the checksum of
253609
+     * the generated symmetric key and its bit count (in total 7 bytes).
253609
+     */
253609
+    if (cslen < EP11_CSUMSIZE + 4) {
253609
+        TRACE_ERROR("%s returned cipher size is invalid: %lu\n",
253609
+                    __func__, cslen);
253609
+        return CKR_FUNCTION_FAILED;
253609
+    }
253609
+
253609
+    cipher_len = cslen - (EP11_CSUMSIZE + 4);
253609
+
253609
+    if (kyber_params->ulCipherLen < cipher_len) {
253609
+        TRACE_ERROR("%s Cipher buffer in kyber mechanism param too small, required: %lu\n",
253609
+                    __func__, cipher_len);
253609
+        kyber_params->ulCipherLen = cipher_len;
253609
+        OPENSSL_cleanse(&csum[EP11_CSUMSIZE + 4], cipher_len);
253609
+        return CKR_BUFFER_TOO_SMALL;
253609
+    }
253609
+
253609
+    memcpy(kyber_params->pCipher, &csum[EP11_CSUMSIZE + 4], cipher_len);
253609
+    kyber_params->ulCipherLen = cipher_len;
253609
+
253609
+    OPENSSL_cleanse(&csum[EP11_CSUMSIZE + 4], cipher_len);
253609
+    return CKR_OK;
253609
+}
253609
+
253609
 CK_RV ep11tok_derive_key(STDLL_TokData_t * tokdata, SESSION * session,
253609
                          CK_MECHANISM_PTR mech, CK_OBJECT_HANDLE hBaseKey,
253609
                          CK_OBJECT_HANDLE_PTR handle, CK_ATTRIBUTE_PTR attrs,
253609
@@ -5236,6 +5356,8 @@ CK_RV ep11tok_derive_key(STDLL_TokData_t * tokdata, SESSION * session,
253609
     CK_BYTE *spki = NULL;
253609
     CK_ULONG spki_length = 0;
253609
     CK_ATTRIBUTE *spki_attr = NULL;
253609
+    struct EP11_KYBER_MECH mech_ep11;
253609
+    OBJECT *kyber_secret_obj = NULL;
253609
 
253609
     memset(newblob, 0, sizeof(newblob));
253609
 
253609
@@ -5517,16 +5639,29 @@ CK_RV ep11tok_derive_key(STDLL_TokData_t * tokdata, SESSION * session,
253609
         }
253609
     }
253609
 
253609
+    if (mech->mechanism == CKM_IBM_KYBER) {
253609
+        rc = ep11tok_kyber_mech_pre_process(tokdata, mech, &mech_ep11,
253609
+                                            &kyber_secret_obj);
253609
+        if (rc != CKR_OK)
253609
+            goto error;
253609
+        mech = &mech_ep11.mech;
253609
+    }
253609
+
253609
     trace_attributes(__func__, "Derive:", new_attrs2, new_attrs2_len);
253609
 
253609
     ep11_get_pin_blob(ep11_session, ep11_is_session_object(attrs, attrs_len),
253609
                       &ep11_pin_blob, &ep11_pin_blob_len);
253609
 
253609
     RETRY_START(rc, tokdata)
253609
-        rc =
253609
-        dll_m_DeriveKey(mech, new_attrs2, new_attrs2_len, keyblob, keyblobsize,
253609
-                        NULL, 0, ep11_pin_blob, ep11_pin_blob_len, newblob,
253609
-                        &newblobsize, csum, &cslen, target_info->target);
253609
+        if (ep11_pqc_obj_strength_supported(target_info, mech->mechanism,
253609
+                                            base_key_obj))
253609
+            rc = dll_m_DeriveKey(mech, new_attrs2, new_attrs2_len,
253609
+                                 keyblob, keyblobsize, NULL, 0,
253609
+                                 ep11_pin_blob, ep11_pin_blob_len, newblob,
253609
+                                 &newblobsize, csum, &cslen,
253609
+                                 target_info->target);
253609
+        else
253609
+            rc = CKR_KEY_SIZE_RANGE;
253609
     RETRY_END(rc, tokdata, session)
253609
 
253609
     if (rc != CKR_OK) {
253609
@@ -5610,6 +5745,12 @@ CK_RV ep11tok_derive_key(STDLL_TokData_t * tokdata, SESSION * session,
253609
         }
253609
     }
253609
 
253609
+    if (mech->mechanism == CKM_IBM_KYBER) {
253609
+        rc = ep11tok_kyber_mech_post_process(tokdata, mech_orig, csum, cslen);
253609
+        if (rc != CKR_OK)
253609
+            goto error;
253609
+    }
253609
+
253609
     if (class == CKO_SECRET_KEY && cslen >= EP11_CSUMSIZE) {
253609
         /* First 3 bytes of csum is the check value */
253609
         rc = build_attribute(CKA_CHECK_VALUE, csum, EP11_CSUMSIZE, &chk_attr);
253609
@@ -5666,6 +5807,8 @@ error:
253609
 
253609
     object_put(tokdata, base_key_obj, TRUE);
253609
     base_key_obj = NULL;
253609
+    object_put(tokdata, kyber_secret_obj, TRUE);
253609
+    kyber_secret_obj = NULL;
253609
 
253609
     return rc;
253609
 }
253609
@@ -7399,6 +7542,7 @@ CK_BOOL ep11tok_mech_single_only(CK_MECHANISM *mech)
253609
 {
253609
     switch (mech->mechanism) {
253609
     case CKM_IBM_ECDSA_OTHER:
253609
+    case CKM_IBM_KYBER:
253609
         return CK_TRUE;
253609
     default:
253609
         return CK_FALSE;
253609
@@ -8301,9 +8445,14 @@ CK_RV ep11tok_decrypt_single(STDLL_TokData_t *tokdata, SESSION *session,
253609
     }
253609
 
253609
     RETRY_START(rc, tokdata)
253609
-    rc = dll_m_DecryptSingle(keyblob, keyblobsize, mech, input_data,
253609
-                             input_data_len, output_data, p_output_data_len,
253609
-                             target_info->target);
253609
+        if (ep11_pqc_obj_strength_supported(target_info, mech->mechanism,
253609
+                                            key_obj))
253609
+            rc = dll_m_DecryptSingle(keyblob, keyblobsize, mech, input_data,
253609
+                                     input_data_len, output_data,
253609
+                                     p_output_data_len,
253609
+                                     target_info->target);
253609
+        else
253609
+            rc = CKR_KEY_SIZE_RANGE;
253609
     RETRY_END(rc, tokdata, session)
253609
     if (rc != CKR_OK) {
253609
         rc = ep11_error_to_pkcs11_error(rc, session);
253609
@@ -8511,9 +8660,14 @@ CK_RV ep11tok_encrypt_single(STDLL_TokData_t *tokdata, SESSION *session,
253609
     }
253609
 
253609
     RETRY_START(rc, tokdata)
253609
-    rc = dll_m_EncryptSingle(keyblob, keyblobsize, mech, input_data,
253609
-                             input_data_len, output_data, p_output_data_len,
253609
-                             target_info->target);
253609
+        if (ep11_pqc_obj_strength_supported(target_info, mech->mechanism,
253609
+                                            key_obj))
253609
+            rc = dll_m_EncryptSingle(keyblob, keyblobsize, mech, input_data,
253609
+                                     input_data_len, output_data,
253609
+                                     p_output_data_len,
253609
+                                     target_info->target);
253609
+        else
253609
+            rc = CKR_KEY_SIZE_RANGE;
253609
     RETRY_END(rc, tokdata, session)
253609
     if (rc != CKR_OK) {
253609
         rc = ep11_error_to_pkcs11_error(rc, session);
253609
diff --git a/usr/lib/ep11_stdll/new_host.c b/usr/lib/ep11_stdll/new_host.c
253609
index dccdfe96..60027c85 100644
253609
--- a/usr/lib/ep11_stdll/new_host.c
253609
+++ b/usr/lib/ep11_stdll/new_host.c
253609
@@ -2061,7 +2061,8 @@ CK_RV SC_EncryptInit(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
253609
     sess->encr_ctx.multi_init = FALSE;
253609
     sess->encr_ctx.multi = FALSE;
253609
 
253609
-    if (ep11tok_optimize_single_ops(tokdata) &&
253609
+    if ((ep11tok_optimize_single_ops(tokdata) ||
253609
+         ep11tok_mech_single_only(pMechanism)) &&
253609
         !ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism)) {
253609
         /* In case of a single part encrypt operation we don't need the
253609
          * EncryptInit, instead we can use the EncryptSingle which is much
253609
@@ -2159,7 +2160,8 @@ CK_RV SC_Encrypt(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
253609
         goto done;
253609
     }
253609
 
253609
-    if (ep11tok_optimize_single_ops(tokdata) &&
253609
+    if ((ep11tok_optimize_single_ops(tokdata) ||
253609
+         ep11tok_mech_single_only(&sess->encr_ctx.mech)) &&
253609
         !ep11tok_pkey_usage_ok(tokdata, sess, sess->encr_ctx.key, &sess->encr_ctx.mech)) {
253609
         rc = ep11tok_encrypt_single(tokdata, sess, &sess->encr_ctx.mech,
253609
                                     length_only, sess->encr_ctx.key,
253609
@@ -2217,7 +2219,8 @@ CK_RV SC_EncryptUpdate(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
253609
         goto done;
253609
     }
253609
 
253609
-    if (sess->encr_ctx.active == FALSE) {
253609
+    if (sess->encr_ctx.active == FALSE ||
253609
+        ep11tok_mech_single_only(&sess->encr_ctx.mech)) {
253609
         TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
253609
         rc = CKR_OPERATION_NOT_INITIALIZED;
253609
         goto done;
253609
@@ -2293,7 +2296,8 @@ CK_RV SC_EncryptFinal(STDLL_TokData_t * tokdata, ST_SESSION_HANDLE * sSession,
253609
         goto done;
253609
     }
253609
 
253609
-    if (sess->encr_ctx.active == FALSE) {
253609
+    if (sess->encr_ctx.active == FALSE ||
253609
+        ep11tok_mech_single_only(&sess->encr_ctx.mech)) {
253609
         TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
253609
         rc = CKR_OPERATION_NOT_INITIALIZED;
253609
         goto done;
253609
@@ -2385,7 +2389,8 @@ CK_RV SC_DecryptInit(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
253609
     sess->decr_ctx.multi_init = FALSE;
253609
     sess->decr_ctx.multi = FALSE;
253609
 
253609
-    if (ep11tok_optimize_single_ops(tokdata) &&
253609
+    if ((ep11tok_optimize_single_ops(tokdata) ||
253609
+         ep11tok_mech_single_only(pMechanism)) &&
253609
         !ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism)) {
253609
         /* In case of a single part decrypt operation we don't need the
253609
          * DecryptInit, instead we can use the EncryptSingle which is much
253609
@@ -2483,7 +2488,8 @@ CK_RV SC_Decrypt(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
253609
         goto done;
253609
     }
253609
 
253609
-    if (ep11tok_optimize_single_ops(tokdata) &&
253609
+    if ((ep11tok_optimize_single_ops(tokdata) ||
253609
+         ep11tok_mech_single_only(&sess->decr_ctx.mech)) &&
253609
         !ep11tok_pkey_usage_ok(tokdata, sess, sess->decr_ctx.key, &sess->decr_ctx.mech)) {
253609
         rc = ep11tok_decrypt_single(tokdata, sess, &sess->decr_ctx.mech,
253609
                                     length_only, sess->decr_ctx.key,
253609
@@ -2541,7 +2547,8 @@ CK_RV SC_DecryptUpdate(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
253609
         goto done;
253609
     }
253609
 
253609
-    if (sess->decr_ctx.active == FALSE) {
253609
+    if (sess->decr_ctx.active == FALSE ||
253609
+        ep11tok_mech_single_only(&sess->decr_ctx.mech)) {
253609
         TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
253609
         rc = CKR_OPERATION_NOT_INITIALIZED;
253609
         goto done;
253609
@@ -2617,7 +2624,8 @@ CK_RV SC_DecryptFinal(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
253609
         goto done;
253609
     }
253609
 
253609
-    if (sess->decr_ctx.active == FALSE) {
253609
+    if (sess->decr_ctx.active == FALSE ||
253609
+        ep11tok_mech_single_only(&sess->decr_ctx.mech)) {
253609
         TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
253609
         rc = CKR_OPERATION_NOT_INITIALIZED;
253609
         goto done;
253609
-- 
253609
2.16.2.windows.1
253609