|
 |
2c1758 |
commit 7b4177e8557887d196ce77a129d457e817f8cc59
|
|
|
2c1758 |
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
|
2c1758 |
Date: Wed Jun 30 10:47:28 2021 +0200
|
|
|
2c1758 |
|
|
|
2c1758 |
TPM: Remove deprecated OpenSSL functions
|
|
|
2c1758 |
|
|
|
2c1758 |
All low level RSA functions are deprecated in OpenSSL 3.0.
|
|
|
2c1758 |
Update the code to not use any of those, and only use the EVP
|
|
|
2c1758 |
interface.
|
|
|
2c1758 |
|
|
|
2c1758 |
Also remove support for OpenSSL < v1.1.1. This code used even more
|
|
|
2c1758 |
low level RSA, DES, and AES functions.
|
|
|
2c1758 |
|
|
|
2c1758 |
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
|
2c1758 |
|
|
|
2c1758 |
diff --git a/usr/lib/tpm_stdll/tpm_openssl.c b/usr/lib/tpm_stdll/tpm_openssl.c
|
|
|
2c1758 |
index 94ef9a62..0ccc543d 100644
|
|
|
2c1758 |
--- a/usr/lib/tpm_stdll/tpm_openssl.c
|
|
|
2c1758 |
+++ b/usr/lib/tpm_stdll/tpm_openssl.c
|
|
|
2c1758 |
@@ -39,50 +39,33 @@
|
|
|
2c1758 |
|
|
|
2c1758 |
#include "tpm_specific.h"
|
|
|
2c1758 |
|
|
|
2c1758 |
-/*
|
|
|
2c1758 |
- * In order to make opencryptoki compatible with
|
|
|
2c1758 |
- * OpenSSL 1.1 API Changes and backward compatible
|
|
|
2c1758 |
- * we need to check for its version
|
|
|
2c1758 |
- */
|
|
|
2c1758 |
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
2c1758 |
-#define OLDER_OPENSSL
|
|
|
2c1758 |
+#if OPENSSL_VERSION_PREREQ(3, 0)
|
|
|
2c1758 |
+#include <openssl/core_names.h>
|
|
|
2c1758 |
#endif
|
|
|
2c1758 |
|
|
|
2c1758 |
#ifdef DEBUG
|
|
|
2c1758 |
void openssl_print_errors()
|
|
|
2c1758 |
{
|
|
|
2c1758 |
+#if !OPENSSL_VERSION_PREREQ(3, 0)
|
|
|
2c1758 |
ERR_load_ERR_strings();
|
|
|
2c1758 |
+#endif
|
|
|
2c1758 |
ERR_load_crypto_strings();
|
|
|
2c1758 |
ERR_print_errors_fp(stderr);
|
|
|
2c1758 |
}
|
|
|
2c1758 |
#endif
|
|
|
2c1758 |
|
|
|
2c1758 |
-RSA *openssl_gen_key(STDLL_TokData_t *tokdata)
|
|
|
2c1758 |
+EVP_PKEY *openssl_gen_key(STDLL_TokData_t *tokdata)
|
|
|
2c1758 |
{
|
|
|
2c1758 |
- RSA *rsa = NULL;
|
|
|
2c1758 |
int rc = 0, counter = 0;
|
|
|
2c1758 |
char buf[32];
|
|
|
2c1758 |
-#ifndef OLDER_OPENSSL
|
|
|
2c1758 |
EVP_PKEY *pkey = NULL;
|
|
|
2c1758 |
EVP_PKEY_CTX *ctx = NULL;
|
|
|
2c1758 |
BIGNUM *bne = NULL;
|
|
|
2c1758 |
-#endif
|
|
|
2c1758 |
|
|
|
2c1758 |
token_specific_rng(tokdata, (CK_BYTE *) buf, 32);
|
|
|
2c1758 |
RAND_seed(buf, 32);
|
|
|
2c1758 |
|
|
|
2c1758 |
regen_rsa_key:
|
|
|
2c1758 |
-#ifdef OLDER_OPENSSL
|
|
|
2c1758 |
- rsa = RSA_generate_key(2048, 65537, NULL, NULL);
|
|
|
2c1758 |
- if (rsa == NULL) {
|
|
|
2c1758 |
- fprintf(stderr, "Error generating user's RSA key\n");
|
|
|
2c1758 |
- ERR_load_crypto_strings();
|
|
|
2c1758 |
- ERR_print_errors_fp(stderr);
|
|
|
2c1758 |
- goto err;
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- rc = RSA_check_key(rsa);
|
|
|
2c1758 |
-#else
|
|
|
2c1758 |
bne = BN_new();
|
|
|
2c1758 |
rc = BN_set_word(bne, 65537);
|
|
|
2c1758 |
if (!rc) {
|
|
|
2c1758 |
@@ -98,35 +81,36 @@ regen_rsa_key:
|
|
|
2c1758 |
|
|
|
2c1758 |
if (EVP_PKEY_keygen_init(ctx) <= 0
|
|
|
2c1758 |
|| EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048) <= 0
|
|
|
2c1758 |
+#if !OPENSSL_VERSION_PREREQ(3, 0)
|
|
|
2c1758 |
|| EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, bne) <= 0) {
|
|
|
2c1758 |
+#else
|
|
|
2c1758 |
+ || EVP_PKEY_CTX_set1_rsa_keygen_pubexp(ctx, bne) <= 0) {
|
|
|
2c1758 |
+#endif
|
|
|
2c1758 |
fprintf(stderr, "Error generating user's RSA key\n");
|
|
|
2c1758 |
ERR_load_crypto_strings();
|
|
|
2c1758 |
ERR_print_errors_fp(stderr);
|
|
|
2c1758 |
goto err;
|
|
|
2c1758 |
}
|
|
|
2c1758 |
+#if !OPENSSL_VERSION_PREREQ(3, 0)
|
|
|
2c1758 |
bne = NULL; // will be freed as part of the context
|
|
|
2c1758 |
- if (EVP_PKEY_keygen(ctx, &pkey) <= 0
|
|
|
2c1758 |
- || (rsa = EVP_PKEY_get1_RSA(pkey)) == NULL) {
|
|
|
2c1758 |
+#else
|
|
|
2c1758 |
+ BN_free(bne);
|
|
|
2c1758 |
+ bne = NULL;
|
|
|
2c1758 |
+#endif
|
|
|
2c1758 |
+ if (EVP_PKEY_keygen(ctx, &pkey) <= 0) {
|
|
|
2c1758 |
fprintf(stderr, "Error generating user's RSA key\n");
|
|
|
2c1758 |
ERR_load_crypto_strings();
|
|
|
2c1758 |
ERR_print_errors_fp(stderr);
|
|
|
2c1758 |
goto err;
|
|
|
2c1758 |
}
|
|
|
2c1758 |
-#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
|
|
2c1758 |
- rc = RSA_check_key(rsa);
|
|
|
2c1758 |
-#else
|
|
|
2c1758 |
EVP_PKEY_CTX_free(ctx);
|
|
|
2c1758 |
ctx = EVP_PKEY_CTX_new(pkey, NULL);
|
|
|
2c1758 |
if (ctx == NULL)
|
|
|
2c1758 |
goto err;
|
|
|
2c1758 |
rc = (EVP_PKEY_check(ctx) == 1 ? 1 : 0);
|
|
|
2c1758 |
-#endif
|
|
|
2c1758 |
-#endif
|
|
|
2c1758 |
switch (rc) {
|
|
|
2c1758 |
case 0:
|
|
|
2c1758 |
/* rsa is not a valid RSA key */
|
|
|
2c1758 |
- RSA_free(rsa);
|
|
|
2c1758 |
- rsa = NULL;
|
|
|
2c1758 |
counter++;
|
|
|
2c1758 |
if (counter == KEYGEN_RETRY) {
|
|
|
2c1758 |
TRACE_DEVEL("Tried %d times to generate a "
|
|
|
2c1758 |
@@ -145,30 +129,23 @@ regen_rsa_key:
|
|
|
2c1758 |
break;
|
|
|
2c1758 |
}
|
|
|
2c1758 |
|
|
|
2c1758 |
-#ifndef OLDER_OPENSSL
|
|
|
2c1758 |
- if (pkey != NULL)
|
|
|
2c1758 |
- EVP_PKEY_free(pkey);
|
|
|
2c1758 |
if (ctx != NULL)
|
|
|
2c1758 |
EVP_PKEY_CTX_free(ctx);
|
|
|
2c1758 |
if (bne != NULL)
|
|
|
2c1758 |
BN_free(bne);
|
|
|
2c1758 |
-#endif
|
|
|
2c1758 |
- return rsa;
|
|
|
2c1758 |
+ return pkey;
|
|
|
2c1758 |
err:
|
|
|
2c1758 |
- if (rsa != NULL)
|
|
|
2c1758 |
- RSA_free(rsa);
|
|
|
2c1758 |
-#ifndef OLDER_OPENSSL
|
|
|
2c1758 |
if (pkey != NULL)
|
|
|
2c1758 |
EVP_PKEY_free(pkey);
|
|
|
2c1758 |
if (ctx != NULL)
|
|
|
2c1758 |
EVP_PKEY_CTX_free(ctx);
|
|
|
2c1758 |
if (bne != NULL)
|
|
|
2c1758 |
BN_free(bne);
|
|
|
2c1758 |
-#endif
|
|
|
2c1758 |
+
|
|
|
2c1758 |
return NULL;
|
|
|
2c1758 |
}
|
|
|
2c1758 |
|
|
|
2c1758 |
-int openssl_write_key(STDLL_TokData_t * tokdata, RSA * rsa, char *filename,
|
|
|
2c1758 |
+int openssl_write_key(STDLL_TokData_t * tokdata, EVP_PKEY *pkey, char *filename,
|
|
|
2c1758 |
CK_BYTE * pPin)
|
|
|
2c1758 |
{
|
|
|
2c1758 |
BIO *b = NULL;
|
|
|
2c1758 |
@@ -193,8 +170,8 @@ int openssl_write_key(STDLL_TokData_t * tokdata, RSA * rsa, char *filename,
|
|
|
2c1758 |
return -1;
|
|
|
2c1758 |
}
|
|
|
2c1758 |
|
|
|
2c1758 |
- if (!PEM_write_bio_RSAPrivateKey(b, rsa,
|
|
|
2c1758 |
- EVP_aes_256_cbc(), NULL, 0, 0, pPin)) {
|
|
|
2c1758 |
+ if (!PEM_write_bio_PrivateKey(b, pkey,
|
|
|
2c1758 |
+ EVP_aes_256_cbc(), NULL, 0, 0, pPin)) {
|
|
|
2c1758 |
BIO_free(b);
|
|
|
2c1758 |
TRACE_ERROR("Writing key %s to disk failed.\n", loc);
|
|
|
2c1758 |
DEBUG_openssl_print_errors();
|
|
|
2c1758 |
@@ -211,10 +188,10 @@ int openssl_write_key(STDLL_TokData_t * tokdata, RSA * rsa, char *filename,
|
|
|
2c1758 |
}
|
|
|
2c1758 |
|
|
|
2c1758 |
CK_RV openssl_read_key(STDLL_TokData_t * tokdata, char *filename,
|
|
|
2c1758 |
- CK_BYTE * pPin, RSA ** ret)
|
|
|
2c1758 |
+ CK_BYTE * pPin, EVP_PKEY **ret)
|
|
|
2c1758 |
{
|
|
|
2c1758 |
BIO *b = NULL;
|
|
|
2c1758 |
- RSA *rsa = NULL;
|
|
|
2c1758 |
+ EVP_PKEY *pkey = NULL;
|
|
|
2c1758 |
char loc[PATH_MAX];
|
|
|
2c1758 |
struct passwd *pw = NULL;
|
|
|
2c1758 |
CK_RV rc = CKR_FUNCTION_FAILED;
|
|
|
2c1758 |
@@ -242,7 +219,7 @@ CK_RV openssl_read_key(STDLL_TokData_t * tokdata, char *filename,
|
|
|
2c1758 |
return CKR_FILE_NOT_FOUND;
|
|
|
2c1758 |
}
|
|
|
2c1758 |
|
|
|
2c1758 |
- if ((rsa = PEM_read_bio_RSAPrivateKey(b, NULL, 0, pPin)) == NULL) {
|
|
|
2c1758 |
+ if ((pkey = PEM_read_bio_PrivateKey(b, NULL, 0, pPin)) == NULL) {
|
|
|
2c1758 |
TRACE_ERROR("Reading key %s from disk failed.\n", loc);
|
|
|
2c1758 |
DEBUG_openssl_print_errors();
|
|
|
2c1758 |
if (ERR_GET_REASON(ERR_get_error()) == PEM_R_BAD_DECRYPT) {
|
|
|
2c1758 |
@@ -253,40 +230,54 @@ CK_RV openssl_read_key(STDLL_TokData_t * tokdata, char *filename,
|
|
|
2c1758 |
}
|
|
|
2c1758 |
|
|
|
2c1758 |
BIO_free(b);
|
|
|
2c1758 |
- *ret = rsa;
|
|
|
2c1758 |
+ *ret = pkey;
|
|
|
2c1758 |
|
|
|
2c1758 |
return CKR_OK;
|
|
|
2c1758 |
}
|
|
|
2c1758 |
|
|
|
2c1758 |
-int openssl_get_modulus_and_prime(RSA * rsa, unsigned int *size_n,
|
|
|
2c1758 |
+int openssl_get_modulus_and_prime(EVP_PKEY *pkey, unsigned int *size_n,
|
|
|
2c1758 |
unsigned char *n, unsigned int *size_p,
|
|
|
2c1758 |
unsigned char *p)
|
|
|
2c1758 |
{
|
|
|
2c1758 |
-#ifndef OLDER_OPENSSL
|
|
|
2c1758 |
+#if !OPENSSL_VERSION_PREREQ(3, 0)
|
|
|
2c1758 |
const BIGNUM *n_tmp, *p_tmp;
|
|
|
2c1758 |
+ RSA *rsa;
|
|
|
2c1758 |
+#else
|
|
|
2c1758 |
+ BIGNUM *n_tmp, *p_tmp;
|
|
|
2c1758 |
#endif
|
|
|
2c1758 |
|
|
|
2c1758 |
+#if !OPENSSL_VERSION_PREREQ(3, 0)
|
|
|
2c1758 |
+ rsa = EVP_PKEY_get0_RSA(pkey);
|
|
|
2c1758 |
/* get the modulus from the RSA object */
|
|
|
2c1758 |
-#ifdef OLDER_OPENSSL
|
|
|
2c1758 |
- if ((*size_n = BN_bn2bin(rsa->n, n)) <= 0) {
|
|
|
2c1758 |
-#else
|
|
|
2c1758 |
RSA_get0_key(rsa, &n_tmp, NULL, NULL);
|
|
|
2c1758 |
if ((*size_n = BN_bn2bin(n_tmp, n)) <= 0) {
|
|
|
2c1758 |
-#endif
|
|
|
2c1758 |
DEBUG_openssl_print_errors();
|
|
|
2c1758 |
return -1;
|
|
|
2c1758 |
}
|
|
|
2c1758 |
|
|
|
2c1758 |
/* get one of the primes from the RSA object */
|
|
|
2c1758 |
-#ifdef OLDER_OPENSSL
|
|
|
2c1758 |
- if ((*size_p = BN_bn2bin(rsa->p, p)) <= 0) {
|
|
|
2c1758 |
-#else
|
|
|
2c1758 |
RSA_get0_factors(rsa, &p_tmp, NULL);
|
|
|
2c1758 |
if ((*size_p = BN_bn2bin(p_tmp, p)) <= 0) {
|
|
|
2c1758 |
-#endif
|
|
|
2c1758 |
DEBUG_openssl_print_errors();
|
|
|
2c1758 |
return -1;
|
|
|
2c1758 |
}
|
|
|
2c1758 |
+#else
|
|
|
2c1758 |
+ if (!EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &n_tmp) ||
|
|
|
2c1758 |
+ (*size_n = BN_bn2bin(n_tmp, n)) <= 0) {
|
|
|
2c1758 |
+ DEBUG_openssl_print_errors();
|
|
|
2c1758 |
+ BN_free(n_tmp);
|
|
|
2c1758 |
+ return -1;
|
|
|
2c1758 |
+ }
|
|
|
2c1758 |
+ BN_free(n_tmp);
|
|
|
2c1758 |
+
|
|
|
2c1758 |
+ if (!EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &p_tmp) ||
|
|
|
2c1758 |
+ (*size_p = BN_bn2bin(p_tmp, p)) <= 0) {
|
|
|
2c1758 |
+ DEBUG_openssl_print_errors();
|
|
|
2c1758 |
+ BN_free(p_tmp);
|
|
|
2c1758 |
+ return -1;
|
|
|
2c1758 |
+ }
|
|
|
2c1758 |
+ BN_free(p_tmp);
|
|
|
2c1758 |
+#endif
|
|
|
2c1758 |
|
|
|
2c1758 |
return 0;
|
|
|
2c1758 |
}
|
|
|
2c1758 |
diff --git a/usr/lib/tpm_stdll/tpm_specific.c b/usr/lib/tpm_stdll/tpm_specific.c
|
|
|
2c1758 |
index 4ebb4a88..45bc4b78 100644
|
|
|
2c1758 |
--- a/usr/lib/tpm_stdll/tpm_specific.c
|
|
|
2c1758 |
+++ b/usr/lib/tpm_stdll/tpm_specific.c
|
|
|
2c1758 |
@@ -1451,15 +1451,15 @@ CK_RV token_create_private_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
|
|
|
2c1758 |
tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;
|
|
|
2c1758 |
CK_RV rc;
|
|
|
2c1758 |
TSS_RESULT result;
|
|
|
2c1758 |
- RSA *rsa;
|
|
|
2c1758 |
+ EVP_PKEY *pkey;
|
|
|
2c1758 |
unsigned int size_n, size_p;
|
|
|
2c1758 |
unsigned char n[256], p[256];
|
|
|
2c1758 |
|
|
|
2c1758 |
/* all sw generated keys are 2048 bits */
|
|
|
2c1758 |
- if ((rsa = openssl_gen_key(tokdata)) == NULL)
|
|
|
2c1758 |
+ if ((pkey = openssl_gen_key(tokdata)) == NULL)
|
|
|
2c1758 |
return CKR_HOST_MEMORY;
|
|
|
2c1758 |
|
|
|
2c1758 |
- if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
|
|
|
2c1758 |
+ if (openssl_get_modulus_and_prime(pkey, &size_n, n, &size_p, p) != 0) {
|
|
|
2c1758 |
TRACE_DEVEL("openssl_get_modulus_and_prime failed\n");
|
|
|
2c1758 |
return CKR_FUNCTION_FAILED;
|
|
|
2c1758 |
}
|
|
|
2c1758 |
@@ -1473,13 +1473,13 @@ CK_RV token_create_private_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
|
|
|
2c1758 |
return rc;
|
|
|
2c1758 |
}
|
|
|
2c1758 |
|
|
|
2c1758 |
- if (openssl_write_key(tokdata, rsa, TPMTOK_PRIV_ROOT_KEY_FILE, pPin)) {
|
|
|
2c1758 |
+ if (openssl_write_key(tokdata, pkey, TPMTOK_PRIV_ROOT_KEY_FILE, pPin)) {
|
|
|
2c1758 |
TRACE_DEVEL("openssl_write_key failed.\n");
|
|
|
2c1758 |
- RSA_free(rsa);
|
|
|
2c1758 |
+ EVP_PKEY_free(pkey);
|
|
|
2c1758 |
return CKR_FUNCTION_FAILED;
|
|
|
2c1758 |
}
|
|
|
2c1758 |
|
|
|
2c1758 |
- RSA_free(rsa);
|
|
|
2c1758 |
+ EVP_PKEY_free(pkey);
|
|
|
2c1758 |
|
|
|
2c1758 |
/* store the user base key in a PKCS#11 object internally */
|
|
|
2c1758 |
rc = token_store_tss_key(tokdata, tpm_data->hPrivateRootKey,
|
|
|
2c1758 |
@@ -1529,15 +1529,15 @@ CK_RV token_create_public_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
|
|
|
2c1758 |
tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;
|
|
|
2c1758 |
CK_RV rc;
|
|
|
2c1758 |
TSS_RESULT result;
|
|
|
2c1758 |
- RSA *rsa;
|
|
|
2c1758 |
+ EVP_PKEY *pkey;
|
|
|
2c1758 |
unsigned int size_n, size_p;
|
|
|
2c1758 |
unsigned char n[256], p[256];
|
|
|
2c1758 |
|
|
|
2c1758 |
/* all sw generated keys are 2048 bits */
|
|
|
2c1758 |
- if ((rsa = openssl_gen_key(tokdata)) == NULL)
|
|
|
2c1758 |
+ if ((pkey = openssl_gen_key(tokdata)) == NULL)
|
|
|
2c1758 |
return CKR_HOST_MEMORY;
|
|
|
2c1758 |
|
|
|
2c1758 |
- if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
|
|
|
2c1758 |
+ if (openssl_get_modulus_and_prime(pkey, &size_n, n, &size_p, p) != 0) {
|
|
|
2c1758 |
TRACE_DEVEL("openssl_get_modulus_and_prime failed\n");
|
|
|
2c1758 |
return CKR_FUNCTION_FAILED;
|
|
|
2c1758 |
}
|
|
|
2c1758 |
@@ -1551,13 +1551,13 @@ CK_RV token_create_public_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
|
|
|
2c1758 |
return rc;
|
|
|
2c1758 |
}
|
|
|
2c1758 |
|
|
|
2c1758 |
- if (openssl_write_key(tokdata, rsa, TPMTOK_PUB_ROOT_KEY_FILE, pPin)) {
|
|
|
2c1758 |
+ if (openssl_write_key(tokdata, pkey, TPMTOK_PUB_ROOT_KEY_FILE, pPin)) {
|
|
|
2c1758 |
TRACE_DEVEL("openssl_write_key\n");
|
|
|
2c1758 |
- RSA_free(rsa);
|
|
|
2c1758 |
+ EVP_PKEY_free(pkey);
|
|
|
2c1758 |
return CKR_FUNCTION_FAILED;
|
|
|
2c1758 |
}
|
|
|
2c1758 |
|
|
|
2c1758 |
- RSA_free(rsa);
|
|
|
2c1758 |
+ EVP_PKEY_free(pkey);
|
|
|
2c1758 |
|
|
|
2c1758 |
result = Tspi_Key_LoadKey(tpm_data->hPublicRootKey, tpm_data->hSRK);
|
|
|
2c1758 |
if (result) {
|
|
|
2c1758 |
@@ -1602,7 +1602,7 @@ CK_RV token_create_public_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
|
|
|
2c1758 |
CK_RV token_migrate(STDLL_TokData_t * tokdata, int key_type, CK_BYTE * pin)
|
|
|
2c1758 |
{
|
|
|
2c1758 |
tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;
|
|
|
2c1758 |
- RSA *rsa;
|
|
|
2c1758 |
+ EVP_PKEY *pkey;
|
|
|
2c1758 |
char *backup_loc;
|
|
|
2c1758 |
unsigned int size_n, size_p;
|
|
|
2c1758 |
unsigned char n[256], p[256];
|
|
|
2c1758 |
@@ -1630,7 +1630,7 @@ CK_RV token_migrate(STDLL_TokData_t * tokdata, int key_type, CK_BYTE * pin)
|
|
|
2c1758 |
}
|
|
|
2c1758 |
|
|
|
2c1758 |
/* read the backup key with the old pin */
|
|
|
2c1758 |
- if ((rc = openssl_read_key(tokdata, backup_loc, pin, &rsa))) {
|
|
|
2c1758 |
+ if ((rc = openssl_read_key(tokdata, backup_loc, pin, &pkey))) {
|
|
|
2c1758 |
if (rc == CKR_FILE_NOT_FOUND)
|
|
|
2c1758 |
rc = CKR_FUNCTION_FAILED;
|
|
|
2c1758 |
TRACE_DEVEL("openssl_read_key failed\n");
|
|
|
2c1758 |
@@ -1640,8 +1640,9 @@ CK_RV token_migrate(STDLL_TokData_t * tokdata, int key_type, CK_BYTE * pin)
|
|
|
2c1758 |
/* So, reading the backup openssl key off disk succeeded with the SOs PIN.
|
|
|
2c1758 |
* We will now try to re-wrap that key with the current SRK
|
|
|
2c1758 |
*/
|
|
|
2c1758 |
- if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
|
|
|
2c1758 |
+ if (openssl_get_modulus_and_prime(pkey, &size_n, n, &size_p, p) != 0) {
|
|
|
2c1758 |
TRACE_DEVEL("openssl_get_modulus_and_prime failed\n");
|
|
|
2c1758 |
+ EVP_PKEY_free(pkey);
|
|
|
2c1758 |
return CKR_FUNCTION_FAILED;
|
|
|
2c1758 |
}
|
|
|
2c1758 |
|
|
|
2c1758 |
@@ -1650,10 +1651,10 @@ CK_RV token_migrate(STDLL_TokData_t * tokdata, int key_type, CK_BYTE * pin)
|
|
|
2c1758 |
phKey);
|
|
|
2c1758 |
if (rc != CKR_OK) {
|
|
|
2c1758 |
TRACE_DEVEL("token_wrap_sw_key failed. rc=0x%lx\n", rc);
|
|
|
2c1758 |
- RSA_free(rsa);
|
|
|
2c1758 |
+ EVP_PKEY_free(pkey);
|
|
|
2c1758 |
return rc;
|
|
|
2c1758 |
}
|
|
|
2c1758 |
- RSA_free(rsa);
|
|
|
2c1758 |
+ EVP_PKEY_free(pkey);
|
|
|
2c1758 |
|
|
|
2c1758 |
result = Tspi_Key_LoadKey(*phKey, tpm_data->hSRK);
|
|
|
2c1758 |
if (result) {
|
|
|
2c1758 |
@@ -1998,7 +1999,7 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
|
2c1758 |
tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;
|
|
|
2c1758 |
CK_BYTE oldpin_hash[SHA1_HASH_SIZE], newpin_hash[SHA1_HASH_SIZE];
|
|
|
2c1758 |
CK_RV rc;
|
|
|
2c1758 |
- RSA *rsa_root;
|
|
|
2c1758 |
+ EVP_PKEY *pkey_root;
|
|
|
2c1758 |
TSS_RESULT result;
|
|
|
2c1758 |
|
|
|
2c1758 |
if (!sess) {
|
|
|
2c1758 |
@@ -2094,7 +2095,7 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
|
2c1758 |
|
|
|
2c1758 |
/* read the backup key with the old pin */
|
|
|
2c1758 |
rc = openssl_read_key(tokdata, TPMTOK_PRIV_ROOT_KEY_FILE, pOldPin,
|
|
|
2c1758 |
- &rsa_root);
|
|
|
2c1758 |
+ &pkey_root);
|
|
|
2c1758 |
if (rc != CKR_OK) {
|
|
|
2c1758 |
if (rc == CKR_FILE_NOT_FOUND) {
|
|
|
2c1758 |
/* If the user has moved his backup PEM file off site, allow a
|
|
|
2c1758 |
@@ -2107,14 +2108,14 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
|
2c1758 |
}
|
|
|
2c1758 |
|
|
|
2c1758 |
/* write it out using the new pin */
|
|
|
2c1758 |
- rc = openssl_write_key(tokdata, rsa_root, TPMTOK_PRIV_ROOT_KEY_FILE,
|
|
|
2c1758 |
+ rc = openssl_write_key(tokdata, pkey_root, TPMTOK_PRIV_ROOT_KEY_FILE,
|
|
|
2c1758 |
pNewPin);
|
|
|
2c1758 |
if (rc != CKR_OK) {
|
|
|
2c1758 |
- RSA_free(rsa_root);
|
|
|
2c1758 |
+ EVP_PKEY_free(pkey_root);
|
|
|
2c1758 |
TRACE_DEVEL("openssl_write_key failed\n");
|
|
|
2c1758 |
return CKR_FUNCTION_FAILED;
|
|
|
2c1758 |
}
|
|
|
2c1758 |
- RSA_free(rsa_root);
|
|
|
2c1758 |
+ EVP_PKEY_free(pkey_root);
|
|
|
2c1758 |
} else if (sess->session_info.state == CKS_RW_SO_FUNCTIONS) {
|
|
|
2c1758 |
if (tpm_data->not_initialized) {
|
|
|
2c1758 |
if (memcmp(default_so_pin_sha, oldpin_hash, SHA1_HASH_SIZE)) {
|
|
|
2c1758 |
@@ -2166,7 +2167,7 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
|
2c1758 |
|
|
|
2c1758 |
/* change auth on the public root key's openssl backup */
|
|
|
2c1758 |
rc = openssl_read_key(tokdata, TPMTOK_PUB_ROOT_KEY_FILE, pOldPin,
|
|
|
2c1758 |
- &rsa_root);
|
|
|
2c1758 |
+ &pkey_root);
|
|
|
2c1758 |
if (rc != CKR_OK) {
|
|
|
2c1758 |
if (rc == CKR_FILE_NOT_FOUND) {
|
|
|
2c1758 |
/* If the user has moved his backup PEM file off site, allow a
|
|
|
2c1758 |
@@ -2179,14 +2180,14 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
|
|
|
2c1758 |
}
|
|
|
2c1758 |
|
|
|
2c1758 |
/* write it out using the new pin */
|
|
|
2c1758 |
- rc = openssl_write_key(tokdata, rsa_root, TPMTOK_PUB_ROOT_KEY_FILE,
|
|
|
2c1758 |
+ rc = openssl_write_key(tokdata, pkey_root, TPMTOK_PUB_ROOT_KEY_FILE,
|
|
|
2c1758 |
pNewPin);
|
|
|
2c1758 |
if (rc != CKR_OK) {
|
|
|
2c1758 |
- RSA_free(rsa_root);
|
|
|
2c1758 |
+ EVP_PKEY_free(pkey_root);
|
|
|
2c1758 |
TRACE_DEVEL("openssl_write_key failed\n");
|
|
|
2c1758 |
return CKR_FUNCTION_FAILED;
|
|
|
2c1758 |
}
|
|
|
2c1758 |
- RSA_free(rsa_root);
|
|
|
2c1758 |
+ EVP_PKEY_free(pkey_root);
|
|
|
2c1758 |
} else {
|
|
|
2c1758 |
TRACE_ERROR("%s\n", ock_err(ERR_SESSION_READ_ONLY));
|
|
|
2c1758 |
rc = CKR_SESSION_READ_ONLY;
|
|
|
2c1758 |
@@ -2401,60 +2402,6 @@ CK_RV token_specific_des_ecb(STDLL_TokData_t * tokdata,
|
|
|
2c1758 |
CK_ULONG * out_data_len,
|
|
|
2c1758 |
OBJECT * key, CK_BYTE encrypt)
|
|
|
2c1758 |
{
|
|
|
2c1758 |
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
2c1758 |
- CK_RV rc;
|
|
|
2c1758 |
- CK_ATTRIBUTE *attr = NULL;
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- DES_key_schedule des_key2;
|
|
|
2c1758 |
- const_DES_cblock key_val_SSL, in_key_data;
|
|
|
2c1758 |
- DES_cblock out_key_data;
|
|
|
2c1758 |
- unsigned int i, j;
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- UNUSED(tokdata);
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- // get the key value
|
|
|
2c1758 |
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
|
|
|
2c1758 |
- if (rc != CKR_OK) {
|
|
|
2c1758 |
- TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
|
|
|
2c1758 |
- return rc;
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- // Create the key schedule
|
|
|
2c1758 |
- memcpy(&key_val_SSL, attr->pValue, 8);
|
|
|
2c1758 |
- DES_set_key_unchecked(&key_val_SSL, &des_key2);
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- // the des decrypt will only fail if the data length is not evenly divisible
|
|
|
2c1758 |
- // by 8
|
|
|
2c1758 |
- if (in_data_len % DES_BLOCK_SIZE) {
|
|
|
2c1758 |
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
|
|
|
2c1758 |
- return CKR_DATA_LEN_RANGE;
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
- // Both the encrypt and the decrypt are done 8 bytes at a time
|
|
|
2c1758 |
- if (encrypt) {
|
|
|
2c1758 |
- for (i = 0; i < in_data_len; i = i + 8) {
|
|
|
2c1758 |
- memcpy(in_key_data, in_data + i, 8);
|
|
|
2c1758 |
- DES_ecb_encrypt(&in_key_data, &out_key_data, &des_key2,
|
|
|
2c1758 |
- DES_ENCRYPT);
|
|
|
2c1758 |
- memcpy(out_data + i, out_key_data, 8);
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- *out_data_len = in_data_len;
|
|
|
2c1758 |
- rc = CKR_OK;
|
|
|
2c1758 |
- } else {
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- for (j = 0; j < in_data_len; j = j + 8) {
|
|
|
2c1758 |
- memcpy(in_key_data, in_data + j, 8);
|
|
|
2c1758 |
- DES_ecb_encrypt(&in_key_data, &out_key_data, &des_key2,
|
|
|
2c1758 |
- DES_DECRYPT);
|
|
|
2c1758 |
- memcpy(out_data + j, out_key_data, 8);
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- *out_data_len = in_data_len;
|
|
|
2c1758 |
- rc = CKR_OK;
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- return rc;
|
|
|
2c1758 |
-#else
|
|
|
2c1758 |
const EVP_CIPHER *cipher = EVP_des_ecb();
|
|
|
2c1758 |
EVP_CIPHER_CTX *ctx = NULL;
|
|
|
2c1758 |
CK_ATTRIBUTE *attr = NULL;
|
|
|
2c1758 |
@@ -2501,7 +2448,6 @@ done:
|
|
|
2c1758 |
OPENSSL_cleanse(dkey, sizeof(dkey));
|
|
|
2c1758 |
EVP_CIPHER_CTX_free(ctx);
|
|
|
2c1758 |
return rc;
|
|
|
2c1758 |
-#endif
|
|
|
2c1758 |
}
|
|
|
2c1758 |
|
|
|
2c1758 |
CK_RV token_specific_des_cbc(STDLL_TokData_t * tokdata,
|
|
|
2c1758 |
@@ -2511,50 +2457,6 @@ CK_RV token_specific_des_cbc(STDLL_TokData_t * tokdata,
|
|
|
2c1758 |
CK_ULONG * out_data_len,
|
|
|
2c1758 |
OBJECT * key, CK_BYTE * init_v, CK_BYTE encrypt)
|
|
|
2c1758 |
{
|
|
|
2c1758 |
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
2c1758 |
- CK_RV rc;
|
|
|
2c1758 |
- CK_ATTRIBUTE *attr = NULL;
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- DES_cblock ivec;
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- DES_key_schedule des_key2;
|
|
|
2c1758 |
- const_DES_cblock key_val_SSL;
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- UNUSED(tokdata);
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- // get the key value
|
|
|
2c1758 |
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
|
|
|
2c1758 |
- if (rc != CKR_OK) {
|
|
|
2c1758 |
- TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
|
|
|
2c1758 |
- return rc;
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- // Create the key schedule
|
|
|
2c1758 |
- memcpy(&key_val_SSL, attr->pValue, 8);
|
|
|
2c1758 |
- DES_set_key_unchecked(&key_val_SSL, &des_key2);
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- memcpy(&ivec, init_v, 8);
|
|
|
2c1758 |
- // the des decrypt will only fail if the data length is not evenly divisible
|
|
|
2c1758 |
- // by 8
|
|
|
2c1758 |
- if (in_data_len % DES_BLOCK_SIZE) {
|
|
|
2c1758 |
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
|
|
|
2c1758 |
- return CKR_DATA_LEN_RANGE;
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
-
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- if (encrypt) {
|
|
|
2c1758 |
- DES_ncbc_encrypt(in_data, out_data, in_data_len, &des_key2, &ivec,
|
|
|
2c1758 |
- DES_ENCRYPT);
|
|
|
2c1758 |
- *out_data_len = in_data_len;
|
|
|
2c1758 |
- rc = CKR_OK;
|
|
|
2c1758 |
- } else {
|
|
|
2c1758 |
- DES_ncbc_encrypt(in_data, out_data, in_data_len, &des_key2, &ivec,
|
|
|
2c1758 |
- DES_DECRYPT);
|
|
|
2c1758 |
- *out_data_len = in_data_len;
|
|
|
2c1758 |
- rc = CKR_OK;
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
- return rc;
|
|
|
2c1758 |
-#else
|
|
|
2c1758 |
const EVP_CIPHER *cipher = EVP_des_cbc();
|
|
|
2c1758 |
EVP_CIPHER_CTX *ctx = NULL;
|
|
|
2c1758 |
CK_ATTRIBUTE *attr = NULL;
|
|
|
2c1758 |
@@ -2601,7 +2503,6 @@ done:
|
|
|
2c1758 |
OPENSSL_cleanse(dkey, sizeof(dkey));
|
|
|
2c1758 |
EVP_CIPHER_CTX_free(ctx);
|
|
|
2c1758 |
return rc;
|
|
|
2c1758 |
-#endif
|
|
|
2c1758 |
}
|
|
|
2c1758 |
|
|
|
2c1758 |
CK_RV token_specific_tdes_ecb(STDLL_TokData_t * tokdata,
|
|
|
2c1758 |
@@ -2611,83 +2512,6 @@ CK_RV token_specific_tdes_ecb(STDLL_TokData_t * tokdata,
|
|
|
2c1758 |
CK_ULONG * out_data_len,
|
|
|
2c1758 |
OBJECT * key, CK_BYTE encrypt)
|
|
|
2c1758 |
{
|
|
|
2c1758 |
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
2c1758 |
- CK_RV rc;
|
|
|
2c1758 |
- CK_ATTRIBUTE *attr = NULL;
|
|
|
2c1758 |
- CK_KEY_TYPE keytype;
|
|
|
2c1758 |
- CK_BYTE key_value[3 * DES_KEY_SIZE];
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- unsigned int k, j;
|
|
|
2c1758 |
- DES_key_schedule des_key1;
|
|
|
2c1758 |
- DES_key_schedule des_key2;
|
|
|
2c1758 |
- DES_key_schedule des_key3;
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- const_DES_cblock key_SSL1, key_SSL2, key_SSL3, in_key_data;
|
|
|
2c1758 |
- DES_cblock out_key_data;
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- UNUSED(tokdata);
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- // get the key type
|
|
|
2c1758 |
- rc = template_attribute_get_ulong(key->template, CKA_KEY_TYPE, &keytype);
|
|
|
2c1758 |
- if (rc != CKR_OK) {
|
|
|
2c1758 |
- TRACE_ERROR("Could not find CKA_KEY_TYPE for the key\n");
|
|
|
2c1758 |
- return rc;
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- // get the key value
|
|
|
2c1758 |
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
|
|
|
2c1758 |
- if (rc != CKR_OK) {
|
|
|
2c1758 |
- TRACE_ERROR("Could not find CKA_VALUE for the key\n");
|
|
|
2c1758 |
- return rc;
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- if (keytype == CKK_DES2) {
|
|
|
2c1758 |
- memcpy(key_value, attr->pValue, 2 * DES_KEY_SIZE);
|
|
|
2c1758 |
- memcpy(key_value + (2 * DES_KEY_SIZE), attr->pValue, DES_KEY_SIZE);
|
|
|
2c1758 |
- } else {
|
|
|
2c1758 |
- memcpy(key_value, attr->pValue, 3 * DES_KEY_SIZE);
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- // The key as passed is a 24 byte long string containing three des keys
|
|
|
2c1758 |
- // pick them apart and create the 3 corresponding key schedules
|
|
|
2c1758 |
- memcpy(&key_SSL1, key_value, 8);
|
|
|
2c1758 |
- memcpy(&key_SSL2, key_value + 8, 8);
|
|
|
2c1758 |
- memcpy(&key_SSL3, key_value + 16, 8);
|
|
|
2c1758 |
- DES_set_key_unchecked(&key_SSL1, &des_key1);
|
|
|
2c1758 |
- DES_set_key_unchecked(&key_SSL2, &des_key2);
|
|
|
2c1758 |
- DES_set_key_unchecked(&key_SSL3, &des_key3);
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- // the des decrypt will only fail if the data length is not evenly divisible
|
|
|
2c1758 |
- // by 8
|
|
|
2c1758 |
- if (in_data_len % DES_BLOCK_SIZE) {
|
|
|
2c1758 |
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
|
|
|
2c1758 |
- return CKR_DATA_LEN_RANGE;
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
- // the encrypt and decrypt are done 8 bytes at a time
|
|
|
2c1758 |
- if (encrypt) {
|
|
|
2c1758 |
- for (k = 0; k < in_data_len; k = k + 8) {
|
|
|
2c1758 |
- memcpy(in_key_data, in_data + k, 8);
|
|
|
2c1758 |
- DES_ecb3_encrypt((const_DES_cblock *) & in_key_data,
|
|
|
2c1758 |
- (DES_cblock *) & out_key_data,
|
|
|
2c1758 |
- &des_key1, &des_key2, &des_key3, DES_ENCRYPT);
|
|
|
2c1758 |
- memcpy(out_data + k, out_key_data, 8);
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
- *out_data_len = in_data_len;
|
|
|
2c1758 |
- rc = CKR_OK;
|
|
|
2c1758 |
- } else {
|
|
|
2c1758 |
- for (j = 0; j < in_data_len; j = j + 8) {
|
|
|
2c1758 |
- memcpy(in_key_data, in_data + j, 8);
|
|
|
2c1758 |
- DES_ecb3_encrypt((const_DES_cblock *) & in_key_data,
|
|
|
2c1758 |
- (DES_cblock *) & out_key_data,
|
|
|
2c1758 |
- &des_key1, &des_key2, &des_key3, DES_DECRYPT);
|
|
|
2c1758 |
- memcpy(out_data + j, out_key_data, 8);
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
- *out_data_len = in_data_len;
|
|
|
2c1758 |
- rc = CKR_OK;
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- return rc;
|
|
|
2c1758 |
-#else
|
|
|
2c1758 |
const EVP_CIPHER *cipher = EVP_des_ede3_ecb();
|
|
|
2c1758 |
EVP_CIPHER_CTX *ctx = NULL;
|
|
|
2c1758 |
CK_ATTRIBUTE *attr = NULL;
|
|
|
2c1758 |
@@ -2747,7 +2571,6 @@ done:
|
|
|
2c1758 |
OPENSSL_cleanse(dkey, sizeof(dkey));
|
|
|
2c1758 |
EVP_CIPHER_CTX_free(ctx);
|
|
|
2c1758 |
return rc;
|
|
|
2c1758 |
-#endif
|
|
|
2c1758 |
}
|
|
|
2c1758 |
|
|
|
2c1758 |
CK_RV token_specific_tdes_cbc(STDLL_TokData_t * tokdata,
|
|
|
2c1758 |
@@ -2757,81 +2580,6 @@ CK_RV token_specific_tdes_cbc(STDLL_TokData_t * tokdata,
|
|
|
2c1758 |
CK_ULONG * out_data_len,
|
|
|
2c1758 |
OBJECT * key, CK_BYTE * init_v, CK_BYTE encrypt)
|
|
|
2c1758 |
{
|
|
|
2c1758 |
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
2c1758 |
- CK_RV rc = CKR_OK;
|
|
|
2c1758 |
- CK_ATTRIBUTE *attr = NULL;
|
|
|
2c1758 |
- CK_KEY_TYPE keytype;
|
|
|
2c1758 |
- CK_BYTE key_value[3 * DES_KEY_SIZE];
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- DES_key_schedule des_key1;
|
|
|
2c1758 |
- DES_key_schedule des_key2;
|
|
|
2c1758 |
- DES_key_schedule des_key3;
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- const_DES_cblock key_SSL1, key_SSL2, key_SSL3;
|
|
|
2c1758 |
- DES_cblock ivec;
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- UNUSED(tokdata);
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- // get the key type
|
|
|
2c1758 |
- rc = template_attribute_get_ulong(key->template, CKA_KEY_TYPE, &keytype);
|
|
|
2c1758 |
- if (rc != CKR_OK) {
|
|
|
2c1758 |
- TRACE_ERROR("Could not find CKA_KEY_TYPE for the key\n");
|
|
|
2c1758 |
- return rc;
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- // get the key value
|
|
|
2c1758 |
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
|
|
|
2c1758 |
- if (rc != CKR_OK) {
|
|
|
2c1758 |
- TRACE_ERROR("Could not find CKA_VALUE for the key\n");
|
|
|
2c1758 |
- return rc;
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- if (keytype == CKK_DES2) {
|
|
|
2c1758 |
- memcpy(key_value, attr->pValue, 2 * DES_KEY_SIZE);
|
|
|
2c1758 |
- memcpy(key_value + (2 * DES_KEY_SIZE), attr->pValue, DES_KEY_SIZE);
|
|
|
2c1758 |
- } else {
|
|
|
2c1758 |
- memcpy(key_value, attr->pValue, 3 * DES_KEY_SIZE);
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- // The key as passed in is a 24 byte string containing 3 keys
|
|
|
2c1758 |
- // pick it apart and create the key schedules
|
|
|
2c1758 |
- memcpy(&key_SSL1, key_value, 8);
|
|
|
2c1758 |
- memcpy(&key_SSL2, key_value + 8, 8);
|
|
|
2c1758 |
- memcpy(&key_SSL3, key_value + 16, 8);
|
|
|
2c1758 |
- DES_set_key_unchecked(&key_SSL1, &des_key1);
|
|
|
2c1758 |
- DES_set_key_unchecked(&key_SSL2, &des_key2);
|
|
|
2c1758 |
- DES_set_key_unchecked(&key_SSL3, &des_key3);
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- memcpy(ivec, init_v, sizeof(ivec));
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- // the des decrypt will only fail if the data length is not evenly divisible
|
|
|
2c1758 |
- // by 8
|
|
|
2c1758 |
- if (in_data_len % DES_BLOCK_SIZE) {
|
|
|
2c1758 |
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
|
|
|
2c1758 |
- return CKR_DATA_LEN_RANGE;
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
- // Encrypt or decrypt the data
|
|
|
2c1758 |
- if (encrypt) {
|
|
|
2c1758 |
- DES_ede3_cbc_encrypt(in_data,
|
|
|
2c1758 |
- out_data,
|
|
|
2c1758 |
- in_data_len,
|
|
|
2c1758 |
- &des_key1,
|
|
|
2c1758 |
- &des_key2, &des_key3, &ivec, DES_ENCRYPT);
|
|
|
2c1758 |
- *out_data_len = in_data_len;
|
|
|
2c1758 |
- rc = CKR_OK;
|
|
|
2c1758 |
- } else {
|
|
|
2c1758 |
- DES_ede3_cbc_encrypt(in_data,
|
|
|
2c1758 |
- out_data,
|
|
|
2c1758 |
- in_data_len,
|
|
|
2c1758 |
- &des_key1,
|
|
|
2c1758 |
- &des_key2, &des_key3, &ivec, DES_DECRYPT);
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- *out_data_len = in_data_len;
|
|
|
2c1758 |
- rc = CKR_OK;
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- return rc;
|
|
|
2c1758 |
-#else
|
|
|
2c1758 |
const EVP_CIPHER *cipher = EVP_des_ede3_cbc();
|
|
|
2c1758 |
EVP_CIPHER_CTX *ctx = NULL;
|
|
|
2c1758 |
CK_ATTRIBUTE *attr = NULL;
|
|
|
2c1758 |
@@ -2891,7 +2639,6 @@ done:
|
|
|
2c1758 |
OPENSSL_cleanse(dkey, sizeof(dkey));
|
|
|
2c1758 |
EVP_CIPHER_CTX_free(ctx);
|
|
|
2c1758 |
return rc;
|
|
|
2c1758 |
-#endif
|
|
|
2c1758 |
}
|
|
|
2c1758 |
|
|
|
2c1758 |
/* wrap the 20 bytes of auth data @authData and store in an attribute of the two
|
|
|
2c1758 |
@@ -3626,49 +3373,6 @@ CK_RV token_specific_aes_ecb(STDLL_TokData_t * tokdata,
|
|
|
2c1758 |
CK_ULONG * out_data_len,
|
|
|
2c1758 |
OBJECT * key, CK_BYTE encrypt)
|
|
|
2c1758 |
{
|
|
|
2c1758 |
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
2c1758 |
- CK_ATTRIBUTE *attr = NULL;
|
|
|
2c1758 |
- AES_KEY ssl_aes_key;
|
|
|
2c1758 |
- unsigned int i;
|
|
|
2c1758 |
- /* There's a previous check that in_data_len % AES_BLOCK_SIZE == 0,
|
|
|
2c1758 |
- * so this is fine */
|
|
|
2c1758 |
- CK_ULONG loops = (CK_ULONG) (in_data_len / AES_BLOCK_SIZE);
|
|
|
2c1758 |
- CK_RV rc;
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- UNUSED(tokdata);
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- // get the key value
|
|
|
2c1758 |
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
|
|
|
2c1758 |
- if (rc != CKR_OK) {
|
|
|
2c1758 |
- TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
|
|
|
2c1758 |
- return rc;
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- memset(&ssl_aes_key, 0, sizeof(AES_KEY));
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- // AES_ecb_encrypt encrypts only a single block, so we have to break up the
|
|
|
2c1758 |
- // input data here
|
|
|
2c1758 |
- if (encrypt) {
|
|
|
2c1758 |
- AES_set_encrypt_key((unsigned char *) attr->pValue,
|
|
|
2c1758 |
- (attr->ulValueLen * 8), &ssl_aes_key);
|
|
|
2c1758 |
- for (i = 0; i < loops; i++) {
|
|
|
2c1758 |
- AES_ecb_encrypt((unsigned char *) in_data + (i * AES_BLOCK_SIZE),
|
|
|
2c1758 |
- (unsigned char *) out_data + (i * AES_BLOCK_SIZE),
|
|
|
2c1758 |
- &ssl_aes_key, AES_ENCRYPT);
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
- } else {
|
|
|
2c1758 |
- AES_set_decrypt_key((unsigned char *) attr->pValue,
|
|
|
2c1758 |
- (attr->ulValueLen * 8), &ssl_aes_key);
|
|
|
2c1758 |
- for (i = 0; i < loops; i++) {
|
|
|
2c1758 |
- AES_ecb_encrypt((unsigned char *) in_data + (i * AES_BLOCK_SIZE),
|
|
|
2c1758 |
- (unsigned char *) out_data + (i * AES_BLOCK_SIZE),
|
|
|
2c1758 |
- &ssl_aes_key, AES_DECRYPT);
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
- *out_data_len = in_data_len;
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- return CKR_OK;
|
|
|
2c1758 |
-#else
|
|
|
2c1758 |
CK_RV rc;
|
|
|
2c1758 |
int outlen;
|
|
|
2c1758 |
unsigned char akey[AES_KEY_SIZE_256];
|
|
|
2c1758 |
@@ -3729,7 +3433,6 @@ done:
|
|
|
2c1758 |
OPENSSL_cleanse(akey, sizeof(akey));
|
|
|
2c1758 |
EVP_CIPHER_CTX_free(ctx);
|
|
|
2c1758 |
return rc;
|
|
|
2c1758 |
-#endif
|
|
|
2c1758 |
}
|
|
|
2c1758 |
|
|
|
2c1758 |
CK_RV token_specific_aes_cbc(STDLL_TokData_t * tokdata,
|
|
|
2c1758 |
@@ -3739,39 +3442,6 @@ CK_RV token_specific_aes_cbc(STDLL_TokData_t * tokdata,
|
|
|
2c1758 |
CK_ULONG * out_data_len,
|
|
|
2c1758 |
OBJECT * key, CK_BYTE * init_v, CK_BYTE encrypt)
|
|
|
2c1758 |
{
|
|
|
2c1758 |
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
2c1758 |
- AES_KEY ssl_aes_key;
|
|
|
2c1758 |
- CK_ATTRIBUTE *attr = NULL;
|
|
|
2c1758 |
- CK_RV rc;
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- UNUSED(tokdata);
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- // get the key value
|
|
|
2c1758 |
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
|
|
|
2c1758 |
- if (rc != CKR_OK) {
|
|
|
2c1758 |
- TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
|
|
|
2c1758 |
- return rc;
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- memset(&ssl_aes_key, 0, sizeof(AES_KEY));
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- // AES_cbc_encrypt chunks the data into AES_BLOCK_SIZE blocks, unlike
|
|
|
2c1758 |
- // AES_ecb_encrypt, so no looping required.
|
|
|
2c1758 |
- if (encrypt) {
|
|
|
2c1758 |
- AES_set_encrypt_key((unsigned char *) attr->pValue,
|
|
|
2c1758 |
- (attr->ulValueLen * 8), &ssl_aes_key);
|
|
|
2c1758 |
- AES_cbc_encrypt((unsigned char *) in_data, (unsigned char *) out_data,
|
|
|
2c1758 |
- in_data_len, &ssl_aes_key, init_v, AES_ENCRYPT);
|
|
|
2c1758 |
- } else {
|
|
|
2c1758 |
- AES_set_decrypt_key((unsigned char *) attr->pValue,
|
|
|
2c1758 |
- (attr->ulValueLen * 8), &ssl_aes_key);
|
|
|
2c1758 |
- AES_cbc_encrypt((unsigned char *) in_data, (unsigned char *) out_data,
|
|
|
2c1758 |
- in_data_len, &ssl_aes_key, init_v, AES_DECRYPT);
|
|
|
2c1758 |
- }
|
|
|
2c1758 |
- *out_data_len = in_data_len;
|
|
|
2c1758 |
-
|
|
|
2c1758 |
- return CKR_OK;
|
|
|
2c1758 |
-#else
|
|
|
2c1758 |
CK_RV rc;
|
|
|
2c1758 |
int outlen;
|
|
|
2c1758 |
unsigned char akey[AES_KEY_SIZE_256];
|
|
|
2c1758 |
@@ -3832,7 +3502,6 @@ done:
|
|
|
2c1758 |
OPENSSL_cleanse(akey, sizeof(akey));
|
|
|
2c1758 |
EVP_CIPHER_CTX_free(ctx);
|
|
|
2c1758 |
return rc;
|
|
|
2c1758 |
-#endif
|
|
|
2c1758 |
}
|
|
|
2c1758 |
|
|
|
2c1758 |
CK_RV token_specific_get_mechanism_list(STDLL_TokData_t * tokdata,
|
|
|
2c1758 |
diff --git a/usr/lib/tpm_stdll/tpm_specific.h b/usr/lib/tpm_stdll/tpm_specific.h
|
|
|
2c1758 |
index 81af2744..2ffd0afc 100644
|
|
|
2c1758 |
--- a/usr/lib/tpm_stdll/tpm_specific.h
|
|
|
2c1758 |
+++ b/usr/lib/tpm_stdll/tpm_specific.h
|
|
|
2c1758 |
@@ -56,10 +56,10 @@
|
|
|
2c1758 |
/* retry count for generating software RSA keys */
|
|
|
2c1758 |
#define KEYGEN_RETRY 5
|
|
|
2c1758 |
|
|
|
2c1758 |
-RSA *openssl_gen_key(STDLL_TokData_t *);
|
|
|
2c1758 |
-int openssl_write_key(STDLL_TokData_t *, RSA *, char *, CK_BYTE *);
|
|
|
2c1758 |
-CK_RV openssl_read_key(STDLL_TokData_t *, char *, CK_BYTE *, RSA **);
|
|
|
2c1758 |
-int openssl_get_modulus_and_prime(RSA *, unsigned int *, unsigned char *,
|
|
|
2c1758 |
+EVP_PKEY *openssl_gen_key(STDLL_TokData_t *);
|
|
|
2c1758 |
+int openssl_write_key(STDLL_TokData_t *, EVP_PKEY *, char *, CK_BYTE *);
|
|
|
2c1758 |
+CK_RV openssl_read_key(STDLL_TokData_t *, char *, CK_BYTE *, EVP_PKEY **);
|
|
|
2c1758 |
+int openssl_get_modulus_and_prime(EVP_PKEY *, unsigned int *, unsigned char *,
|
|
|
2c1758 |
unsigned int *, unsigned char *);
|
|
|
2c1758 |
int util_set_file_mode(char *, mode_t);
|
|
|
2c1758 |
CK_BYTE *util_create_id(int);
|