227 lines
8.0 KiB
Diff
227 lines
8.0 KiB
Diff
commit 62fc2bcd98672c5d0ff8a2c926f3103110e91ed7
|
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
Date: Thu Jul 1 13:37:04 2021 +0200
|
|
|
|
COMMON: Perform proper context cleanup for 3DES/AES CMAC mechanisms
|
|
|
|
The handling of 3DES/AES CMAC mechanisms use a complex context structure,
|
|
that contains pointers. Such state can not be saved, and needs a custom
|
|
context free routine to properly clean up the context.
|
|
|
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
|
|
diff --git a/usr/lib/common/mech_aes.c b/usr/lib/common/mech_aes.c
|
|
index ad6af16b..59f82482 100644
|
|
--- a/usr/lib/common/mech_aes.c
|
|
+++ b/usr/lib/common/mech_aes.c
|
|
@@ -2691,6 +2691,24 @@ CK_RV aes_mac_verify_final(STDLL_TokData_t *tokdata,
|
|
return CKR_SIGNATURE_INVALID;
|
|
}
|
|
|
|
+static void aes_cmac_cleanup(STDLL_TokData_t *tokdata, SESSION *sess,
|
|
+ CK_BYTE *context, CK_ULONG context_len)
|
|
+{
|
|
+ UNUSED(tokdata);
|
|
+ UNUSED(sess);
|
|
+ UNUSED(context_len);
|
|
+
|
|
+ if (((AES_CMAC_CONTEXT *)context)->ctx != NULL) {
|
|
+ token_specific.t_aes_cmac(tokdata, (CK_BYTE *)"", 0, NULL,
|
|
+ ((AES_CMAC_CONTEXT *)context)->iv,
|
|
+ CK_FALSE, CK_TRUE,
|
|
+ ((AES_CMAC_CONTEXT *)context)->ctx);
|
|
+ ((AES_CMAC_CONTEXT *)context)->ctx = NULL;
|
|
+ }
|
|
+
|
|
+ free(context);
|
|
+}
|
|
+
|
|
CK_RV aes_cmac_sign(STDLL_TokData_t *tokdata,
|
|
SESSION *sess,
|
|
CK_BBOOL length_only,
|
|
@@ -2743,6 +2761,8 @@ CK_RV aes_cmac_sign(STDLL_TokData_t *tokdata,
|
|
if (((AES_CMAC_CONTEXT *)ctx->context)->ctx != NULL)
|
|
ctx->state_unsaveable = CK_TRUE;
|
|
|
|
+ ctx->context_free_func = aes_cmac_cleanup;
|
|
+
|
|
memcpy(out_data, ((AES_CMAC_CONTEXT *) ctx->context)->iv, mac_len);
|
|
*out_data_len = mac_len;
|
|
|
|
@@ -2816,6 +2836,8 @@ CK_RV aes_cmac_sign_update(STDLL_TokData_t *tokdata,
|
|
|
|
if (context->ctx != NULL)
|
|
ctx->state_unsaveable = CK_TRUE;
|
|
+
|
|
+ ctx->context_free_func = aes_cmac_cleanup;
|
|
} else {
|
|
TRACE_DEVEL("Token specific aes cmac failed.\n");
|
|
}
|
|
@@ -2882,6 +2904,8 @@ CK_RV aes_cmac_sign_final(STDLL_TokData_t *tokdata,
|
|
if (context->ctx != NULL)
|
|
ctx->state_unsaveable = CK_TRUE;
|
|
|
|
+ ctx->context_free_func = aes_cmac_cleanup;
|
|
+
|
|
memcpy(out_data, context->iv, mac_len);
|
|
*out_data_len = mac_len;
|
|
|
|
@@ -2941,6 +2965,8 @@ CK_RV aes_cmac_verify(STDLL_TokData_t *tokdata,
|
|
if (((AES_CMAC_CONTEXT *)ctx->context)->ctx != NULL)
|
|
ctx->state_unsaveable = CK_TRUE;
|
|
|
|
+ ctx->context_free_func = aes_cmac_cleanup;
|
|
+
|
|
if (CRYPTO_memcmp(out_data, ((AES_CMAC_CONTEXT *) ctx->context)->iv,
|
|
out_data_len) == 0) {
|
|
return CKR_OK;
|
|
@@ -3012,6 +3038,8 @@ CK_RV aes_cmac_verify_update(STDLL_TokData_t *tokdata,
|
|
|
|
if (context->ctx != NULL)
|
|
ctx->state_unsaveable = CK_TRUE;
|
|
+
|
|
+ ctx->context_free_func = aes_cmac_cleanup;
|
|
} else {
|
|
TRACE_DEVEL("Token specific aes cmac failed.\n");
|
|
}
|
|
@@ -3070,6 +3098,8 @@ CK_RV aes_cmac_verify_final(STDLL_TokData_t *tokdata,
|
|
if (context->ctx != NULL)
|
|
ctx->state_unsaveable = CK_TRUE;
|
|
|
|
+ ctx->context_free_func = aes_cmac_cleanup;
|
|
+
|
|
if (rc != CKR_OK) {
|
|
TRACE_DEVEL("Token specific aes mac failed.\n");
|
|
return rc;
|
|
diff --git a/usr/lib/common/mech_des3.c b/usr/lib/common/mech_des3.c
|
|
index be8d6075..591ad3fa 100644
|
|
--- a/usr/lib/common/mech_des3.c
|
|
+++ b/usr/lib/common/mech_des3.c
|
|
@@ -2334,6 +2334,24 @@ CK_RV des3_mac_verify_final(STDLL_TokData_t *tokdata,
|
|
return CKR_SIGNATURE_INVALID;
|
|
}
|
|
|
|
+static void des3_cmac_cleanup(STDLL_TokData_t *tokdata, SESSION *sess,
|
|
+ CK_BYTE *context, CK_ULONG context_len)
|
|
+{
|
|
+ UNUSED(tokdata);
|
|
+ UNUSED(sess);
|
|
+ UNUSED(context_len);
|
|
+
|
|
+ if (((DES_CMAC_CONTEXT *)context)->ctx != NULL) {
|
|
+ token_specific.t_tdes_cmac(tokdata, (CK_BYTE *)"", 0, NULL,
|
|
+ ((DES_CMAC_CONTEXT *)context)->iv,
|
|
+ CK_FALSE, CK_TRUE,
|
|
+ ((DES_CMAC_CONTEXT *)context)->ctx);
|
|
+ ((DES_CMAC_CONTEXT *)context)->ctx = NULL;
|
|
+ }
|
|
+
|
|
+ free(context);
|
|
+}
|
|
+
|
|
CK_RV des3_cmac_sign(STDLL_TokData_t *tokdata,
|
|
SESSION *sess,
|
|
CK_BBOOL length_only,
|
|
@@ -2383,6 +2401,8 @@ CK_RV des3_cmac_sign(STDLL_TokData_t *tokdata,
|
|
if (((DES_CMAC_CONTEXT *)ctx->context)->ctx != NULL)
|
|
ctx->state_unsaveable = CK_TRUE;
|
|
|
|
+ ctx->context_free_func = des3_cmac_cleanup;
|
|
+
|
|
memcpy(out_data, ((DES_CMAC_CONTEXT *) ctx->context)->iv, mac_len);
|
|
|
|
*out_data_len = mac_len;
|
|
@@ -2456,6 +2476,8 @@ CK_RV des3_cmac_sign_update(STDLL_TokData_t *tokdata,
|
|
|
|
if (context->ctx != NULL)
|
|
ctx->state_unsaveable = CK_TRUE;
|
|
+
|
|
+ ctx->context_free_func = des3_cmac_cleanup;
|
|
} else {
|
|
TRACE_DEVEL("Token specific des3 cmac failed.\n");
|
|
}
|
|
@@ -2521,6 +2543,8 @@ CK_RV des3_cmac_sign_final(STDLL_TokData_t *tokdata,
|
|
if (context->ctx != NULL)
|
|
ctx->state_unsaveable = CK_TRUE;
|
|
|
|
+ ctx->context_free_func = des3_cmac_cleanup;
|
|
+
|
|
memcpy(out_data, context->iv, mac_len);
|
|
|
|
*out_data_len = mac_len;
|
|
@@ -2577,6 +2601,8 @@ CK_RV des3_cmac_verify(STDLL_TokData_t *tokdata,
|
|
if (((DES_CMAC_CONTEXT *)ctx->context)->ctx != NULL)
|
|
ctx->state_unsaveable = CK_TRUE;
|
|
|
|
+ ctx->context_free_func = des3_cmac_cleanup;
|
|
+
|
|
if (CRYPTO_memcmp(out_data, ((DES_CMAC_CONTEXT *) ctx->context)->iv,
|
|
out_data_len) == 0) {
|
|
return CKR_OK;
|
|
@@ -2646,6 +2672,8 @@ CK_RV des3_cmac_verify_update(STDLL_TokData_t *tokdata,
|
|
|
|
if (context->ctx != NULL)
|
|
ctx->state_unsaveable = CK_TRUE;
|
|
+
|
|
+ ctx->context_free_func = des3_cmac_cleanup;
|
|
} else {
|
|
TRACE_DEVEL("Token specific des3 cmac failed.\n");
|
|
}
|
|
@@ -2709,6 +2737,8 @@ CK_RV des3_cmac_verify_final(STDLL_TokData_t *tokdata,
|
|
if (context->ctx != NULL)
|
|
ctx->state_unsaveable = CK_TRUE;
|
|
|
|
+ ctx->context_free_func = des3_cmac_cleanup;
|
|
+
|
|
if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0)
|
|
return CKR_OK;
|
|
|
|
diff --git a/usr/lib/ica_s390_stdll/ica_specific.c b/usr/lib/ica_s390_stdll/ica_specific.c
|
|
index 77876467..881a430c 100644
|
|
--- a/usr/lib/ica_s390_stdll/ica_specific.c
|
|
+++ b/usr/lib/ica_s390_stdll/ica_specific.c
|
|
@@ -713,6 +713,9 @@ CK_RV token_specific_tdes_cmac(STDLL_TokData_t *tokdata, CK_BYTE *message,
|
|
UNUSED(tokdata);
|
|
UNUSED(ctx);
|
|
|
|
+ if (key == NULL)
|
|
+ return CKR_ARGUMENTS_BAD;
|
|
+
|
|
// get the key type
|
|
rc = template_attribute_get_ulong(key->template, CKA_KEY_TYPE, &keytype);
|
|
if (rc != CKR_OK) {
|
|
@@ -3621,6 +3624,9 @@ CK_RV token_specific_aes_cmac(STDLL_TokData_t *tokdata, CK_BYTE *message,
|
|
UNUSED(tokdata);
|
|
UNUSED(ctx);
|
|
|
|
+ if (key == NULL)
|
|
+ return CKR_ARGUMENTS_BAD;
|
|
+
|
|
rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
|
|
if (rc != CKR_OK) {
|
|
TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
|
|
diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
|
|
index aeff39a9..5ca22693 100644
|
|
--- a/usr/lib/soft_stdll/soft_specific.c
|
|
+++ b/usr/lib/soft_stdll/soft_specific.c
|
|
@@ -3994,6 +3994,9 @@ CK_RV token_specific_tdes_cmac(STDLL_TokData_t *tokdata, CK_BYTE *message,
|
|
UNUSED(tokdata);
|
|
|
|
if (first) {
|
|
+ if (key == NULL)
|
|
+ return CKR_ARGUMENTS_BAD;
|
|
+
|
|
// get the key type
|
|
rv = template_attribute_get_ulong(key->template, CKA_KEY_TYPE, &keytype);
|
|
if (rv != CKR_OK) {
|
|
@@ -4194,6 +4197,9 @@ CK_RV token_specific_aes_cmac(STDLL_TokData_t *tokdata, CK_BYTE *message,
|
|
UNUSED(tokdata);
|
|
|
|
if (first) {
|
|
+ if (key == NULL)
|
|
+ return CKR_ARGUMENTS_BAD;
|
|
+
|
|
// get the key value
|
|
rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
|
|
if (rc != CKR_OK) {
|