1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 /* 29 * RSA provider for the Kernel Cryptographic Framework (KCF) 30 */ 31 32 #include <sys/types.h> 33 #include <sys/systm.h> 34 #include <sys/modctl.h> 35 #include <sys/cmn_err.h> 36 #include <sys/ddi.h> 37 #include <sys/crypto/spi.h> 38 #include <sys/sysmacros.h> 39 #include <sys/strsun.h> 40 #include <sys/md5.h> 41 #include <sys/sha1.h> 42 #include <sys/sha2.h> 43 #include <sys/random.h> 44 #include <sys/crypto/impl.h> 45 #include "rsa_impl.h" 46 47 extern struct mod_ops mod_cryptoops; 48 49 /* 50 * Module linkage information for the kernel. 51 */ 52 static struct modlcrypto modlcrypto = { 53 &mod_cryptoops, 54 "RSA Kernel SW Provider" 55 }; 56 57 static struct modlinkage modlinkage = { 58 MODREV_1, 59 (void *)&modlcrypto, 60 NULL 61 }; 62 63 /* 64 * CSPI information (entry points, provider info, etc.) 65 */ 66 typedef enum rsa_mech_type { 67 RSA_PKCS_MECH_INFO_TYPE, /* SUN_CKM_RSA_PKCS */ 68 RSA_X_509_MECH_INFO_TYPE, /* SUN_CKM_RSA_X_509 */ 69 MD5_RSA_PKCS_MECH_INFO_TYPE, /* SUN_MD5_RSA_PKCS */ 70 SHA1_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA1_RSA_PKCS */ 71 SHA256_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA256_RSA_PKCS */ 72 SHA384_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA384_RSA_PKCS */ 73 SHA512_RSA_PKCS_MECH_INFO_TYPE /* SUN_SHA512_RSA_PKCS */ 74 } rsa_mech_type_t; 75 76 /* 77 * Context for RSA_PKCS and RSA_X_509 mechanisms. 78 */ 79 typedef struct rsa_ctx { 80 rsa_mech_type_t mech_type; 81 crypto_key_t *key; 82 size_t keychunk_size; 83 } rsa_ctx_t; 84 85 /* 86 * Context for MD5_RSA_PKCS and SHA*_RSA_PKCS mechanisms. 87 */ 88 typedef struct digest_rsa_ctx { 89 rsa_mech_type_t mech_type; 90 crypto_key_t *key; 91 size_t keychunk_size; 92 union { 93 MD5_CTX md5ctx; 94 SHA1_CTX sha1ctx; 95 SHA2_CTX sha2ctx; 96 } dctx_u; 97 } digest_rsa_ctx_t; 98 99 #define md5_ctx dctx_u.md5ctx 100 #define sha1_ctx dctx_u.sha1ctx 101 #define sha2_ctx dctx_u.sha2ctx 102 103 /* 104 * Mechanism info structure passed to KCF during registration. 105 */ 106 static crypto_mech_info_t rsa_mech_info_tab[] = { 107 /* RSA_PKCS */ 108 {SUN_CKM_RSA_PKCS, RSA_PKCS_MECH_INFO_TYPE, 109 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 110 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC | 111 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 112 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC | 113 CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC | 114 CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC, 115 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 116 117 /* RSA_X_509 */ 118 {SUN_CKM_RSA_X_509, RSA_X_509_MECH_INFO_TYPE, 119 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 120 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC | 121 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 122 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC | 123 CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC | 124 CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC, 125 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 126 127 /* MD5_RSA_PKCS */ 128 {SUN_CKM_MD5_RSA_PKCS, MD5_RSA_PKCS_MECH_INFO_TYPE, 129 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 130 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 131 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 132 133 /* SHA1_RSA_PKCS */ 134 {SUN_CKM_SHA1_RSA_PKCS, SHA1_RSA_PKCS_MECH_INFO_TYPE, 135 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 136 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 137 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 138 139 /* SHA256_RSA_PKCS */ 140 {SUN_CKM_SHA256_RSA_PKCS, SHA256_RSA_PKCS_MECH_INFO_TYPE, 141 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 142 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 143 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 144 145 /* SHA384_RSA_PKCS */ 146 {SUN_CKM_SHA384_RSA_PKCS, SHA384_RSA_PKCS_MECH_INFO_TYPE, 147 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 148 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 149 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 150 151 /* SHA512_RSA_PKCS */ 152 {SUN_CKM_SHA512_RSA_PKCS, SHA512_RSA_PKCS_MECH_INFO_TYPE, 153 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 154 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 155 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS} 156 157 }; 158 159 #define RSA_VALID_MECH(mech) \ 160 (((mech)->cm_type == RSA_PKCS_MECH_INFO_TYPE || \ 161 (mech)->cm_type == RSA_X_509_MECH_INFO_TYPE || \ 162 (mech)->cm_type == MD5_RSA_PKCS_MECH_INFO_TYPE || \ 163 (mech)->cm_type == SHA1_RSA_PKCS_MECH_INFO_TYPE || \ 164 (mech)->cm_type == SHA256_RSA_PKCS_MECH_INFO_TYPE || \ 165 (mech)->cm_type == SHA384_RSA_PKCS_MECH_INFO_TYPE || \ 166 (mech)->cm_type == SHA512_RSA_PKCS_MECH_INFO_TYPE) ? 1 : 0) 167 168 /* operations are in-place if the output buffer is NULL */ 169 #define RSA_ARG_INPLACE(input, output) \ 170 if ((output) == NULL) \ 171 (output) = (input); 172 173 static void rsa_provider_status(crypto_provider_handle_t, uint_t *); 174 175 static crypto_control_ops_t rsa_control_ops = { 176 rsa_provider_status 177 }; 178 179 static int rsa_common_init(crypto_ctx_t *, crypto_mechanism_t *, 180 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 181 static int rsa_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 182 crypto_req_handle_t); 183 static int rsa_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t, 184 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 185 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 186 static int rsa_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 187 crypto_req_handle_t); 188 static int rsa_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t, 189 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 190 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 191 192 /* 193 * The RSA mechanisms do not have multiple-part cipher operations. 194 * So, the update and final routines are set to NULL. 195 */ 196 static crypto_cipher_ops_t rsa_cipher_ops = { 197 rsa_common_init, 198 rsa_encrypt, 199 NULL, 200 NULL, 201 rsa_encrypt_atomic, 202 rsa_common_init, 203 rsa_decrypt, 204 NULL, 205 NULL, 206 rsa_decrypt_atomic 207 }; 208 209 static int rsa_sign_verify_common_init(crypto_ctx_t *, crypto_mechanism_t *, 210 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 211 static int rsa_sign(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 212 crypto_req_handle_t); 213 static int rsa_sign_update(crypto_ctx_t *, crypto_data_t *, 214 crypto_req_handle_t); 215 static int rsa_sign_final(crypto_ctx_t *, crypto_data_t *, 216 crypto_req_handle_t); 217 static int rsa_sign_atomic(crypto_provider_handle_t, crypto_session_id_t, 218 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, 219 crypto_spi_ctx_template_t, crypto_req_handle_t); 220 221 /* 222 * We use the same routine for sign_init and sign_recover_init fields 223 * as they do the same thing. Same holds for sign and sign_recover fields, 224 * and sign_atomic and sign_recover_atomic fields. 225 */ 226 static crypto_sign_ops_t rsa_sign_ops = { 227 rsa_sign_verify_common_init, 228 rsa_sign, 229 rsa_sign_update, 230 rsa_sign_final, 231 rsa_sign_atomic, 232 rsa_sign_verify_common_init, 233 rsa_sign, 234 rsa_sign_atomic 235 }; 236 237 static int rsa_verify(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 238 crypto_req_handle_t); 239 static int rsa_verify_update(crypto_ctx_t *, crypto_data_t *, 240 crypto_req_handle_t); 241 static int rsa_verify_final(crypto_ctx_t *, crypto_data_t *, 242 crypto_req_handle_t); 243 static int rsa_verify_atomic(crypto_provider_handle_t, crypto_session_id_t, 244 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 245 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 246 static int rsa_verify_recover(crypto_ctx_t *, crypto_data_t *, 247 crypto_data_t *, crypto_req_handle_t); 248 static int rsa_verify_recover_atomic(crypto_provider_handle_t, 249 crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, 250 crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t, 251 crypto_req_handle_t); 252 253 /* 254 * We use the same routine (rsa_sign_verify_common_init) for verify_init 255 * and verify_recover_init fields as they do the same thing. 256 */ 257 static crypto_verify_ops_t rsa_verify_ops = { 258 rsa_sign_verify_common_init, 259 rsa_verify, 260 rsa_verify_update, 261 rsa_verify_final, 262 rsa_verify_atomic, 263 rsa_sign_verify_common_init, 264 rsa_verify_recover, 265 rsa_verify_recover_atomic 266 }; 267 268 static int rsa_free_context(crypto_ctx_t *); 269 270 static crypto_ctx_ops_t rsa_ctx_ops = { 271 NULL, 272 rsa_free_context 273 }; 274 275 static crypto_ops_t rsa_crypto_ops = { 276 &rsa_control_ops, 277 NULL, 278 &rsa_cipher_ops, 279 NULL, 280 &rsa_sign_ops, 281 &rsa_verify_ops, 282 NULL, 283 NULL, 284 NULL, 285 NULL, 286 NULL, 287 NULL, 288 NULL, 289 &rsa_ctx_ops 290 }; 291 292 static crypto_provider_info_t rsa_prov_info = { 293 CRYPTO_SPI_VERSION_1, 294 "RSA Software Provider", 295 CRYPTO_SW_PROVIDER, 296 {&modlinkage}, 297 NULL, 298 &rsa_crypto_ops, 299 sizeof (rsa_mech_info_tab)/sizeof (crypto_mech_info_t), 300 rsa_mech_info_tab 301 }; 302 303 static int rsa_encrypt_common(rsa_mech_type_t, crypto_key_t *, 304 crypto_data_t *, crypto_data_t *, int); 305 static int rsa_decrypt_common(rsa_mech_type_t, crypto_key_t *, 306 crypto_data_t *, crypto_data_t *, int); 307 static int rsa_sign_common(rsa_mech_type_t, crypto_key_t *, 308 crypto_data_t *, crypto_data_t *, int); 309 static int rsa_verify_common(rsa_mech_type_t, crypto_key_t *, 310 crypto_data_t *, crypto_data_t *, int); 311 static int compare_data(crypto_data_t *, uchar_t *); 312 313 /* EXPORT DELETE START */ 314 315 static int core_rsa_encrypt(crypto_key_t *, uchar_t *, 316 int, uchar_t *, int, int); 317 static int core_rsa_decrypt(crypto_key_t *, uchar_t *, int, 318 uchar_t *, int); 319 320 /* EXPORT DELETE END */ 321 322 static crypto_kcf_provider_handle_t rsa_prov_handle = NULL; 323 324 int 325 _init(void) 326 { 327 int ret; 328 329 /* 330 * Register with KCF. If the registration fails, return error. 331 */ 332 if ((ret = crypto_register_provider(&rsa_prov_info, 333 &rsa_prov_handle)) != CRYPTO_SUCCESS) { 334 cmn_err(CE_WARN, "rsa _init: crypto_register_provider()" 335 "failed (0x%x)", ret); 336 return (EACCES); 337 } 338 339 if ((ret = mod_install(&modlinkage)) != 0) { 340 int rv; 341 342 ASSERT(rsa_prov_handle != NULL); 343 /* We should not return if the unregister returns busy. */ 344 while ((rv = crypto_unregister_provider(rsa_prov_handle)) 345 == CRYPTO_BUSY) { 346 cmn_err(CE_WARN, "rsa _init: " 347 "crypto_unregister_provider() " 348 "failed (0x%x). Retrying.", rv); 349 /* wait 10 seconds and try again. */ 350 delay(10 * drv_usectohz(1000000)); 351 } 352 } 353 354 return (ret); 355 } 356 357 int 358 _fini(void) 359 { 360 int ret; 361 362 /* 363 * Unregister from KCF if previous registration succeeded. 364 */ 365 if (rsa_prov_handle != NULL) { 366 if ((ret = crypto_unregister_provider(rsa_prov_handle)) != 367 CRYPTO_SUCCESS) { 368 cmn_err(CE_WARN, "rsa _fini: " 369 "crypto_unregister_provider() " 370 "failed (0x%x)", ret); 371 return (EBUSY); 372 } 373 rsa_prov_handle = NULL; 374 } 375 376 return (mod_remove(&modlinkage)); 377 } 378 379 int 380 _info(struct modinfo *modinfop) 381 { 382 return (mod_info(&modlinkage, modinfop)); 383 } 384 385 /* ARGSUSED */ 386 static void 387 rsa_provider_status(crypto_provider_handle_t provider, uint_t *status) 388 { 389 *status = CRYPTO_PROVIDER_READY; 390 } 391 392 static int 393 check_mech_and_key(crypto_mechanism_t *mechanism, crypto_key_t *key) 394 { 395 int rv = CRYPTO_FAILED; 396 397 /* EXPORT DELETE START */ 398 399 uchar_t *modulus; 400 ssize_t modulus_len; /* In bytes */ 401 402 if (!RSA_VALID_MECH(mechanism)) 403 return (CRYPTO_MECHANISM_INVALID); 404 405 /* 406 * We only support RSA keys that are passed as a list of 407 * object attributes. 408 */ 409 if (key->ck_format != CRYPTO_KEY_ATTR_LIST) { 410 return (CRYPTO_KEY_TYPE_INCONSISTENT); 411 } 412 413 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 414 &modulus_len)) != CRYPTO_SUCCESS) { 415 return (rv); 416 } 417 if (modulus_len < MIN_RSA_KEYLENGTH_IN_BYTES || 418 modulus_len > MAX_RSA_KEYLENGTH_IN_BYTES) 419 return (CRYPTO_KEY_SIZE_RANGE); 420 421 /* EXPORT DELETE END */ 422 423 return (rv); 424 } 425 426 void 427 kmemset(uint8_t *buf, char pattern, size_t len) 428 { 429 int i = 0; 430 431 while (i < len) 432 buf[i++] = pattern; 433 } 434 435 /* 436 * This function guarantees to return non-zero random numbers. 437 * This is needed as the /dev/urandom kernel interface, 438 * random_get_pseudo_bytes(), may return zeros. 439 */ 440 int 441 knzero_random_generator(uint8_t *ran_out, size_t ran_len) 442 { 443 int rv; 444 size_t ebc = 0; /* count of extra bytes in extrarand */ 445 size_t i = 0; 446 uint8_t extrarand[32]; 447 size_t extrarand_len; 448 449 if ((rv = random_get_pseudo_bytes(ran_out, ran_len)) != 0) 450 return (rv); 451 452 /* 453 * Walk through the returned random numbers pointed by ran_out, 454 * and look for any random number which is zero. 455 * If we find zero, call random_get_pseudo_bytes() to generate 456 * another 32 random numbers pool. Replace any zeros in ran_out[] 457 * from the random number in pool. 458 */ 459 while (i < ran_len) { 460 if (ran_out[i] != 0) { 461 i++; 462 continue; 463 } 464 465 /* 466 * Note that it is 'while' so we are guaranteed a 467 * non-zero value on exit. 468 */ 469 if (ebc == 0) { 470 /* refresh extrarand */ 471 extrarand_len = sizeof (extrarand); 472 if ((rv = random_get_pseudo_bytes(extrarand, 473 extrarand_len)) != 0) { 474 return (rv); 475 } 476 477 ebc = extrarand_len; 478 } 479 /* Replace zero with byte from extrarand. */ 480 -- ebc; 481 482 /* 483 * The new random byte zero/non-zero will be checked in 484 * the next pass through the loop. 485 */ 486 ran_out[i] = extrarand[ebc]; 487 } 488 489 return (CRYPTO_SUCCESS); 490 } 491 492 static int 493 compare_data(crypto_data_t *data, uchar_t *buf) 494 { 495 int len; 496 uchar_t *dptr; 497 498 len = data->cd_length; 499 switch (data->cd_format) { 500 case CRYPTO_DATA_RAW: 501 dptr = (uchar_t *)(data->cd_raw.iov_base + 502 data->cd_offset); 503 504 return (bcmp(dptr, buf, len)); 505 506 case CRYPTO_DATA_UIO: 507 return (crypto_uio_data(data, buf, len, 508 COMPARE_TO_DATA, NULL, NULL)); 509 510 case CRYPTO_DATA_MBLK: 511 return (crypto_mblk_data(data, buf, len, 512 COMPARE_TO_DATA, NULL, NULL)); 513 } 514 515 return (CRYPTO_FAILED); 516 } 517 518 /* ARGSUSED */ 519 static int 520 rsa_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 521 crypto_key_t *key, crypto_spi_ctx_template_t template, 522 crypto_req_handle_t req) 523 { 524 int rv; 525 int kmflag; 526 rsa_ctx_t *ctxp; 527 528 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 529 return (rv); 530 531 /* 532 * Allocate a RSA context. 533 */ 534 kmflag = crypto_kmflag(req); 535 if ((ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag)) == NULL) 536 return (CRYPTO_HOST_MEMORY); 537 538 if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size, 539 kmflag)) != CRYPTO_SUCCESS) { 540 kmem_free(ctxp, sizeof (rsa_ctx_t)); 541 return (rv); 542 } 543 ctxp->mech_type = mechanism->cm_type; 544 545 ctx->cc_provider_private = ctxp; 546 547 return (CRYPTO_SUCCESS); 548 } 549 550 /* ARGSUSED */ 551 static int 552 rsa_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext, 553 crypto_data_t *ciphertext, crypto_req_handle_t req) 554 { 555 int rv; 556 rsa_ctx_t *ctxp; 557 558 ASSERT(ctx->cc_provider_private != NULL); 559 ctxp = ctx->cc_provider_private; 560 561 RSA_ARG_INPLACE(plaintext, ciphertext); 562 563 /* 564 * Note on the KM_SLEEP flag passed to the routine below - 565 * rsa_encrypt() is a single-part encryption routine which is 566 * currently usable only by /dev/crypto. Since /dev/crypto calls are 567 * always synchronous, we can safely pass KM_SLEEP here. 568 */ 569 rv = rsa_encrypt_common(ctxp->mech_type, ctxp->key, plaintext, 570 ciphertext, KM_SLEEP); 571 572 if (rv != CRYPTO_BUFFER_TOO_SMALL) 573 (void) rsa_free_context(ctx); 574 575 return (rv); 576 } 577 578 /* ARGSUSED */ 579 static int 580 rsa_encrypt_atomic(crypto_provider_handle_t provider, 581 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 582 crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext, 583 crypto_spi_ctx_template_t template, crypto_req_handle_t req) 584 { 585 int rv; 586 587 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 588 return (rv); 589 RSA_ARG_INPLACE(plaintext, ciphertext); 590 591 return (rsa_encrypt_common(mechanism->cm_type, key, plaintext, 592 ciphertext, crypto_kmflag(req))); 593 } 594 595 static int 596 rsa_free_context(crypto_ctx_t *ctx) 597 { 598 rsa_ctx_t *ctxp = ctx->cc_provider_private; 599 600 if (ctxp != NULL) { 601 bzero(ctxp->key, ctxp->keychunk_size); 602 kmem_free(ctxp->key, ctxp->keychunk_size); 603 604 if (ctxp->mech_type == RSA_PKCS_MECH_INFO_TYPE || 605 ctxp->mech_type == RSA_X_509_MECH_INFO_TYPE) 606 kmem_free(ctxp, sizeof (rsa_ctx_t)); 607 else 608 kmem_free(ctxp, sizeof (digest_rsa_ctx_t)); 609 610 ctx->cc_provider_private = NULL; 611 } 612 613 return (CRYPTO_SUCCESS); 614 } 615 616 static int 617 rsa_encrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key, 618 crypto_data_t *plaintext, crypto_data_t *ciphertext, int kmflag) 619 { 620 int rv = CRYPTO_FAILED; 621 622 /* EXPORT DELETE START */ 623 624 int plen; 625 uchar_t *ptptr; 626 uchar_t *modulus; 627 ssize_t modulus_len; 628 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 629 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 630 uchar_t cipher_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 631 632 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 633 &modulus_len)) != CRYPTO_SUCCESS) { 634 return (rv); 635 } 636 637 plen = plaintext->cd_length; 638 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 639 if (plen > (modulus_len - MIN_PKCS1_PADLEN)) 640 return (CRYPTO_DATA_LEN_RANGE); 641 } else { 642 if (plen > modulus_len) 643 return (CRYPTO_DATA_LEN_RANGE); 644 } 645 646 /* 647 * Output buf len must not be less than RSA modulus size. 648 */ 649 if (ciphertext->cd_length < modulus_len) { 650 ciphertext->cd_length = modulus_len; 651 return (CRYPTO_BUFFER_TOO_SMALL); 652 } 653 654 ASSERT(plaintext->cd_length <= sizeof (tmp_data)); 655 if ((rv = crypto_get_input_data(plaintext, &ptptr, tmp_data)) 656 != CRYPTO_SUCCESS) 657 return (rv); 658 659 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 660 rv = soft_encrypt_rsa_pkcs_encode(ptptr, plen, 661 plain_data, modulus_len); 662 663 if (rv != CRYPTO_SUCCESS) 664 return (rv); 665 } else { 666 bzero(plain_data, modulus_len - plen); 667 bcopy(ptptr, &plain_data[modulus_len - plen], plen); 668 } 669 670 rv = core_rsa_encrypt(key, plain_data, modulus_len, 671 cipher_data, kmflag, 1); 672 if (rv == CRYPTO_SUCCESS) { 673 /* copy out to ciphertext */ 674 if ((rv = crypto_put_output_data(cipher_data, 675 ciphertext, modulus_len)) != CRYPTO_SUCCESS) 676 return (rv); 677 678 ciphertext->cd_length = modulus_len; 679 } 680 681 /* EXPORT DELETE END */ 682 683 return (rv); 684 } 685 686 /* EXPORT DELETE START */ 687 688 static int 689 core_rsa_encrypt(crypto_key_t *key, uchar_t *in, 690 int in_len, uchar_t *out, int kmflag, int is_public) 691 { 692 int rv; 693 uchar_t *expo, *modulus; 694 ssize_t expo_len; 695 ssize_t modulus_len; 696 BIGNUM msg; 697 RSAkey *rsakey; 698 699 if (is_public) { 700 if ((rv = crypto_get_key_attr(key, SUN_CKA_PUBLIC_EXPONENT, 701 &expo, &expo_len)) != CRYPTO_SUCCESS) 702 return (rv); 703 } else { 704 /* 705 * SUN_CKA_PRIVATE_EXPONENT is a required attribute for a 706 * RSA secret key. See the comments in core_rsa_decrypt 707 * routine which calls this routine with a private key. 708 */ 709 if ((rv = crypto_get_key_attr(key, SUN_CKA_PRIVATE_EXPONENT, 710 &expo, &expo_len)) != CRYPTO_SUCCESS) 711 return (rv); 712 } 713 714 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 715 &modulus_len)) != CRYPTO_SUCCESS) { 716 return (rv); 717 } 718 719 rsakey = kmem_alloc(sizeof (RSAkey), kmflag); 720 if (rsakey == NULL) 721 return (CRYPTO_HOST_MEMORY); 722 723 /* psize and qsize for RSA_key_init is in bits. */ 724 if (RSA_key_init(rsakey, modulus_len * 4, modulus_len * 4) != BIG_OK) { 725 rv = CRYPTO_HOST_MEMORY; 726 goto clean1; 727 } 728 729 /* Size for big_init is in BIG_CHUNK_TYPE words. */ 730 if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) { 731 rv = CRYPTO_HOST_MEMORY; 732 goto clean2; 733 } 734 735 /* Convert octet string exponent to big integer format. */ 736 bytestring2bignum(&(rsakey->e), expo, expo_len); 737 738 /* Convert octet string modulus to big integer format. */ 739 bytestring2bignum(&(rsakey->n), modulus, modulus_len); 740 741 /* Convert octet string input data to big integer format. */ 742 bytestring2bignum(&msg, in, in_len); 743 744 if (big_cmp_abs(&msg, &(rsakey->n)) > 0) { 745 rv = CRYPTO_DATA_LEN_RANGE; 746 goto clean3; 747 } 748 749 /* Perform RSA computation on big integer input data. */ 750 if (big_modexp(&msg, &msg, &(rsakey->e), &(rsakey->n), NULL) 751 != BIG_OK) { 752 rv = CRYPTO_HOST_MEMORY; 753 goto clean3; 754 } 755 756 /* Convert the big integer output data to octet string. */ 757 bignum2bytestring(out, &msg, modulus_len); 758 759 /* 760 * Should not free modulus and expo as both are just pointers 761 * to an attribute value buffer from the caller. 762 */ 763 clean3: 764 big_finish(&msg); 765 clean2: 766 RSA_key_finish(rsakey); 767 clean1: 768 kmem_free(rsakey, sizeof (RSAkey)); 769 770 return (rv); 771 } 772 773 /* EXPORT DELETE END */ 774 775 /* ARGSUSED */ 776 static int 777 rsa_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext, 778 crypto_data_t *plaintext, crypto_req_handle_t req) 779 { 780 int rv; 781 rsa_ctx_t *ctxp; 782 783 ASSERT(ctx->cc_provider_private != NULL); 784 ctxp = ctx->cc_provider_private; 785 786 RSA_ARG_INPLACE(ciphertext, plaintext); 787 788 /* See the comments on KM_SLEEP flag in rsa_encrypt() */ 789 rv = rsa_decrypt_common(ctxp->mech_type, ctxp->key, 790 ciphertext, plaintext, KM_SLEEP); 791 792 if (rv != CRYPTO_BUFFER_TOO_SMALL) 793 (void) rsa_free_context(ctx); 794 795 return (rv); 796 } 797 798 /* ARGSUSED */ 799 static int 800 rsa_decrypt_atomic(crypto_provider_handle_t provider, 801 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 802 crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext, 803 crypto_spi_ctx_template_t template, crypto_req_handle_t req) 804 { 805 int rv; 806 807 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 808 return (rv); 809 RSA_ARG_INPLACE(ciphertext, plaintext); 810 811 return (rsa_decrypt_common(mechanism->cm_type, key, ciphertext, 812 plaintext, crypto_kmflag(req))); 813 } 814 815 static int 816 rsa_decrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key, 817 crypto_data_t *ciphertext, crypto_data_t *plaintext, int kmflag) 818 { 819 int rv = CRYPTO_FAILED; 820 821 /* EXPORT DELETE START */ 822 823 int plain_len; 824 uchar_t *ctptr; 825 uchar_t *modulus; 826 ssize_t modulus_len; 827 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 828 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 829 830 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 831 &modulus_len)) != CRYPTO_SUCCESS) { 832 return (rv); 833 } 834 835 /* 836 * Ciphertext length must be equal to RSA modulus size. 837 */ 838 if (ciphertext->cd_length != modulus_len) 839 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE); 840 841 ASSERT(ciphertext->cd_length <= sizeof (tmp_data)); 842 if ((rv = crypto_get_input_data(ciphertext, &ctptr, tmp_data)) 843 != CRYPTO_SUCCESS) 844 return (rv); 845 846 rv = core_rsa_decrypt(key, ctptr, modulus_len, plain_data, kmflag); 847 if (rv == CRYPTO_SUCCESS) { 848 plain_len = modulus_len; 849 850 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 851 /* Strip off the PKCS block formatting data. */ 852 rv = soft_decrypt_rsa_pkcs_decode(plain_data, 853 &plain_len); 854 if (rv != CRYPTO_SUCCESS) 855 return (rv); 856 } 857 858 if (plain_len > plaintext->cd_length) { 859 plaintext->cd_length = plain_len; 860 return (CRYPTO_BUFFER_TOO_SMALL); 861 } 862 863 if ((rv = crypto_put_output_data( 864 plain_data + modulus_len - plain_len, 865 plaintext, plain_len)) != CRYPTO_SUCCESS) 866 return (rv); 867 868 plaintext->cd_length = plain_len; 869 } 870 871 /* EXPORT DELETE END */ 872 873 return (rv); 874 } 875 876 /* EXPORT DELETE START */ 877 878 static int 879 core_rsa_decrypt(crypto_key_t *key, uchar_t *in, int in_len, 880 uchar_t *out, int kmflag) 881 { 882 int rv; 883 uchar_t *modulus, *prime1, *prime2, *expo1, *expo2, *coef; 884 ssize_t modulus_len; 885 ssize_t prime1_len, prime2_len; 886 ssize_t expo1_len, expo2_len, coef_len; 887 BIGNUM msg; 888 RSAkey *rsakey; 889 890 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 891 &modulus_len)) != CRYPTO_SUCCESS) { 892 return (rv); 893 } 894 895 /* 896 * The following attributes are not required to be 897 * present in a RSA secret key. If any of them is not present 898 * we call the encrypt routine with a flag indicating use of 899 * private exponent (d). Note that SUN_CKA_PRIVATE_EXPONENT is 900 * a required attribute for a RSA secret key. 901 */ 902 if ((crypto_get_key_attr(key, SUN_CKA_PRIME_1, &prime1, &prime1_len) 903 != CRYPTO_SUCCESS) || 904 (crypto_get_key_attr(key, SUN_CKA_PRIME_2, &prime2, &prime2_len) 905 != CRYPTO_SUCCESS) || 906 (crypto_get_key_attr(key, SUN_CKA_EXPONENT_1, &expo1, &expo1_len) 907 != CRYPTO_SUCCESS) || 908 (crypto_get_key_attr(key, SUN_CKA_EXPONENT_2, &expo2, &expo2_len) 909 != CRYPTO_SUCCESS) || 910 (crypto_get_key_attr(key, SUN_CKA_COEFFICIENT, &coef, &coef_len) 911 != CRYPTO_SUCCESS)) { 912 return (core_rsa_encrypt(key, in, in_len, out, kmflag, 0)); 913 } 914 915 rsakey = kmem_alloc(sizeof (RSAkey), kmflag); 916 if (rsakey == NULL) 917 return (CRYPTO_HOST_MEMORY); 918 919 /* psize and qsize for RSA_key_init is in bits. */ 920 if (RSA_key_init(rsakey, prime2_len * 8, prime1_len * 8) != BIG_OK) { 921 rv = CRYPTO_HOST_MEMORY; 922 goto clean1; 923 } 924 925 /* Size for big_init is in BIG_CHUNK_TYPE words. */ 926 if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) { 927 rv = CRYPTO_HOST_MEMORY; 928 goto clean2; 929 } 930 931 /* Convert octet string input data to big integer format. */ 932 bytestring2bignum(&msg, in, in_len); 933 934 /* Convert octet string modulus to big integer format. */ 935 bytestring2bignum(&(rsakey->n), modulus, modulus_len); 936 937 if (big_cmp_abs(&msg, &(rsakey->n)) > 0) { 938 rv = CRYPTO_DATA_LEN_RANGE; 939 goto clean3; 940 } 941 942 /* Convert the rest of private key attributes to big integer format. */ 943 bytestring2bignum(&(rsakey->dmodpminus1), expo2, expo2_len); 944 bytestring2bignum(&(rsakey->dmodqminus1), expo1, expo1_len); 945 bytestring2bignum(&(rsakey->p), prime2, prime2_len); 946 bytestring2bignum(&(rsakey->q), prime1, prime1_len); 947 bytestring2bignum(&(rsakey->pinvmodq), coef, coef_len); 948 949 if ((big_cmp_abs(&(rsakey->dmodpminus1), &(rsakey->p)) > 0) || 950 (big_cmp_abs(&(rsakey->dmodqminus1), &(rsakey->q)) > 0) || 951 (big_cmp_abs(&(rsakey->pinvmodq), &(rsakey->q)) > 0)) { 952 rv = CRYPTO_KEY_SIZE_RANGE; 953 goto clean3; 954 } 955 956 /* Perform RSA computation on big integer input data. */ 957 if (big_modexp_crt(&msg, &msg, &(rsakey->dmodpminus1), 958 &(rsakey->dmodqminus1), &(rsakey->p), &(rsakey->q), 959 &(rsakey->pinvmodq), NULL, NULL) != BIG_OK) { 960 rv = CRYPTO_HOST_MEMORY; 961 goto clean3; 962 } 963 964 /* Convert the big integer output data to octet string. */ 965 bignum2bytestring(out, &msg, modulus_len); 966 967 /* 968 * Should not free modulus and friends as they are just pointers 969 * to an attribute value buffer from the caller. 970 */ 971 clean3: 972 big_finish(&msg); 973 clean2: 974 RSA_key_finish(rsakey); 975 clean1: 976 kmem_free(rsakey, sizeof (RSAkey)); 977 978 return (rv); 979 } 980 981 /* EXPORT DELETE END */ 982 983 /* ARGSUSED */ 984 static int 985 rsa_sign_verify_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 986 crypto_key_t *key, crypto_spi_ctx_template_t ctx_template, 987 crypto_req_handle_t req) 988 { 989 int rv; 990 int kmflag; 991 rsa_ctx_t *ctxp; 992 digest_rsa_ctx_t *dctxp; 993 994 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 995 return (rv); 996 997 /* 998 * Allocate a RSA context. 999 */ 1000 kmflag = crypto_kmflag(req); 1001 switch (mechanism->cm_type) { 1002 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1003 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1004 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1005 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1006 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1007 dctxp = kmem_zalloc(sizeof (digest_rsa_ctx_t), kmflag); 1008 ctxp = (rsa_ctx_t *)dctxp; 1009 break; 1010 default: 1011 ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag); 1012 break; 1013 } 1014 1015 if (ctxp == NULL) 1016 return (CRYPTO_HOST_MEMORY); 1017 1018 ctxp->mech_type = mechanism->cm_type; 1019 if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size, 1020 kmflag)) != CRYPTO_SUCCESS) { 1021 switch (mechanism->cm_type) { 1022 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1023 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1024 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1025 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1026 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1027 kmem_free(dctxp, sizeof (digest_rsa_ctx_t)); 1028 break; 1029 default: 1030 kmem_free(ctxp, sizeof (rsa_ctx_t)); 1031 break; 1032 } 1033 return (rv); 1034 } 1035 1036 switch (mechanism->cm_type) { 1037 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1038 MD5Init(&(dctxp->md5_ctx)); 1039 break; 1040 1041 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1042 SHA1Init(&(dctxp->sha1_ctx)); 1043 break; 1044 1045 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1046 SHA2Init(SHA256, &(dctxp->sha2_ctx)); 1047 break; 1048 1049 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1050 SHA2Init(SHA384, &(dctxp->sha2_ctx)); 1051 break; 1052 1053 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1054 SHA2Init(SHA512, &(dctxp->sha2_ctx)); 1055 break; 1056 } 1057 1058 ctx->cc_provider_private = ctxp; 1059 1060 return (CRYPTO_SUCCESS); 1061 } 1062 1063 #define SHA1_DIGEST_SIZE 20 1064 #define MD5_DIGEST_SIZE 16 1065 1066 #define INIT_RAW_CRYPTO_DATA(data, base, len, cd_len) \ 1067 (data).cd_format = CRYPTO_DATA_RAW; \ 1068 (data).cd_offset = 0; \ 1069 (data).cd_raw.iov_base = (char *)base; \ 1070 (data).cd_raw.iov_len = len; \ 1071 (data).cd_length = cd_len; 1072 1073 static int 1074 rsa_digest_svrfy_common(digest_rsa_ctx_t *ctxp, crypto_data_t *data, 1075 crypto_data_t *signature, int kmflag, uchar_t flag) 1076 { 1077 int rv = CRYPTO_FAILED; 1078 1079 /* EXPORT DELETE START */ 1080 1081 uchar_t digest[SHA512_DIGEST_LENGTH]; 1082 /* The der_data size is enough for MD5 also */ 1083 uchar_t der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len]; 1084 ulong_t der_data_len; 1085 crypto_data_t der_cd; 1086 rsa_mech_type_t mech_type; 1087 1088 ASSERT(flag & CRYPTO_DO_SIGN || flag & CRYPTO_DO_VERIFY); 1089 ASSERT(data != NULL || (flag & CRYPTO_DO_FINAL)); 1090 1091 mech_type = ctxp->mech_type; 1092 if (mech_type == RSA_PKCS_MECH_INFO_TYPE || 1093 mech_type == RSA_X_509_MECH_INFO_TYPE) 1094 return (CRYPTO_MECHANISM_INVALID); 1095 1096 /* 1097 * We need to do the BUFFER_TOO_SMALL check before digesting 1098 * the data. No check is needed for verify as signature is not 1099 * an output argument for verify. 1100 */ 1101 if (flag & CRYPTO_DO_SIGN) { 1102 uchar_t *modulus; 1103 ssize_t modulus_len; 1104 1105 if ((rv = crypto_get_key_attr(ctxp->key, SUN_CKA_MODULUS, 1106 &modulus, &modulus_len)) != CRYPTO_SUCCESS) { 1107 return (rv); 1108 } 1109 1110 if (signature->cd_length < modulus_len) { 1111 signature->cd_length = modulus_len; 1112 return (CRYPTO_BUFFER_TOO_SMALL); 1113 } 1114 } 1115 1116 if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE) 1117 rv = crypto_digest_data(data, &(ctxp->md5_ctx), 1118 digest, MD5Update, MD5Final, flag | CRYPTO_DO_MD5); 1119 1120 else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE) 1121 rv = crypto_digest_data(data, &(ctxp->sha1_ctx), 1122 digest, SHA1Update, SHA1Final, flag | CRYPTO_DO_SHA1); 1123 1124 else 1125 rv = crypto_digest_data(data, &(ctxp->sha2_ctx), 1126 digest, SHA2Update, SHA2Final, flag | CRYPTO_DO_SHA2); 1127 1128 if (rv != CRYPTO_SUCCESS) 1129 return (rv); 1130 1131 1132 /* 1133 * Prepare the DER encoding of the DigestInfo value as follows: 1134 * MD5: MD5_DER_PREFIX || H 1135 * SHA-1: SHA1_DER_PREFIX || H 1136 * 1137 * See rsa_impl.c for more details. 1138 */ 1139 switch (mech_type) { 1140 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1141 bcopy(MD5_DER_PREFIX, der_data, MD5_DER_PREFIX_Len); 1142 bcopy(digest, der_data + MD5_DER_PREFIX_Len, MD5_DIGEST_SIZE); 1143 der_data_len = MD5_DER_PREFIX_Len + MD5_DIGEST_SIZE; 1144 break; 1145 1146 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1147 bcopy(SHA1_DER_PREFIX, der_data, SHA1_DER_PREFIX_Len); 1148 bcopy(digest, der_data + SHA1_DER_PREFIX_Len, 1149 SHA1_DIGEST_SIZE); 1150 der_data_len = SHA1_DER_PREFIX_Len + SHA1_DIGEST_SIZE; 1151 break; 1152 1153 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1154 bcopy(SHA256_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len); 1155 bcopy(digest, der_data + SHA2_DER_PREFIX_Len, 1156 SHA256_DIGEST_LENGTH); 1157 der_data_len = SHA2_DER_PREFIX_Len + SHA256_DIGEST_LENGTH; 1158 break; 1159 1160 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1161 bcopy(SHA384_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len); 1162 bcopy(digest, der_data + SHA2_DER_PREFIX_Len, 1163 SHA384_DIGEST_LENGTH); 1164 der_data_len = SHA2_DER_PREFIX_Len + SHA384_DIGEST_LENGTH; 1165 break; 1166 1167 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1168 bcopy(SHA512_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len); 1169 bcopy(digest, der_data + SHA2_DER_PREFIX_Len, 1170 SHA512_DIGEST_LENGTH); 1171 der_data_len = SHA2_DER_PREFIX_Len + SHA512_DIGEST_LENGTH; 1172 break; 1173 } 1174 1175 INIT_RAW_CRYPTO_DATA(der_cd, der_data, der_data_len, der_data_len); 1176 /* 1177 * Now, we are ready to sign or verify the DER_ENCODED data. 1178 */ 1179 if (flag & CRYPTO_DO_SIGN) 1180 rv = rsa_sign_common(mech_type, ctxp->key, &der_cd, 1181 signature, kmflag); 1182 else 1183 rv = rsa_verify_common(mech_type, ctxp->key, &der_cd, 1184 signature, kmflag); 1185 1186 /* EXPORT DELETE END */ 1187 1188 return (rv); 1189 } 1190 1191 static int 1192 rsa_sign_common(rsa_mech_type_t mech_type, crypto_key_t *key, 1193 crypto_data_t *data, crypto_data_t *signature, int kmflag) 1194 { 1195 int rv = CRYPTO_FAILED; 1196 1197 /* EXPORT DELETE START */ 1198 1199 int dlen; 1200 uchar_t *dataptr, *modulus; 1201 ssize_t modulus_len; 1202 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1203 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1204 uchar_t signed_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1205 1206 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1207 &modulus_len)) != CRYPTO_SUCCESS) { 1208 return (rv); 1209 } 1210 1211 dlen = data->cd_length; 1212 switch (mech_type) { 1213 case RSA_PKCS_MECH_INFO_TYPE: 1214 if (dlen > (modulus_len - MIN_PKCS1_PADLEN)) 1215 return (CRYPTO_DATA_LEN_RANGE); 1216 break; 1217 case RSA_X_509_MECH_INFO_TYPE: 1218 if (dlen > modulus_len) 1219 return (CRYPTO_DATA_LEN_RANGE); 1220 break; 1221 } 1222 1223 if (signature->cd_length < modulus_len) { 1224 signature->cd_length = modulus_len; 1225 return (CRYPTO_BUFFER_TOO_SMALL); 1226 } 1227 1228 ASSERT(data->cd_length <= sizeof (tmp_data)); 1229 if ((rv = crypto_get_input_data(data, &dataptr, tmp_data)) 1230 != CRYPTO_SUCCESS) 1231 return (rv); 1232 1233 switch (mech_type) { 1234 case RSA_PKCS_MECH_INFO_TYPE: 1235 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1236 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1237 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1238 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1239 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1240 /* 1241 * Add PKCS padding to the input data to format a block 1242 * type "01" encryption block. 1243 */ 1244 rv = soft_sign_rsa_pkcs_encode(dataptr, dlen, plain_data, 1245 modulus_len); 1246 if (rv != CRYPTO_SUCCESS) 1247 return (rv); 1248 1249 break; 1250 1251 case RSA_X_509_MECH_INFO_TYPE: 1252 bzero(plain_data, modulus_len - dlen); 1253 bcopy(dataptr, &plain_data[modulus_len - dlen], dlen); 1254 break; 1255 } 1256 1257 rv = core_rsa_decrypt(key, plain_data, modulus_len, signed_data, 1258 kmflag); 1259 if (rv == CRYPTO_SUCCESS) { 1260 /* copy out to signature */ 1261 if ((rv = crypto_put_output_data(signed_data, 1262 signature, modulus_len)) != CRYPTO_SUCCESS) 1263 return (rv); 1264 1265 signature->cd_length = modulus_len; 1266 } 1267 1268 /* EXPORT DELETE END */ 1269 1270 return (rv); 1271 } 1272 1273 /* ARGSUSED */ 1274 static int 1275 rsa_sign(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature, 1276 crypto_req_handle_t req) 1277 { 1278 int rv; 1279 rsa_ctx_t *ctxp; 1280 1281 ASSERT(ctx->cc_provider_private != NULL); 1282 ctxp = ctx->cc_provider_private; 1283 1284 /* See the comments on KM_SLEEP flag in rsa_encrypt() */ 1285 switch (ctxp->mech_type) { 1286 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1287 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1288 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1289 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1290 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1291 rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data, 1292 signature, KM_SLEEP, CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE | 1293 CRYPTO_DO_FINAL); 1294 break; 1295 default: 1296 rv = rsa_sign_common(ctxp->mech_type, ctxp->key, data, 1297 signature, KM_SLEEP); 1298 break; 1299 } 1300 1301 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1302 (void) rsa_free_context(ctx); 1303 1304 return (rv); 1305 } 1306 1307 /* ARGSUSED */ 1308 static int 1309 rsa_sign_update(crypto_ctx_t *ctx, crypto_data_t *data, crypto_req_handle_t req) 1310 { 1311 int rv; 1312 digest_rsa_ctx_t *ctxp; 1313 rsa_mech_type_t mech_type; 1314 1315 ASSERT(ctx->cc_provider_private != NULL); 1316 ctxp = ctx->cc_provider_private; 1317 mech_type = ctxp->mech_type; 1318 1319 if (mech_type == RSA_PKCS_MECH_INFO_TYPE || 1320 mech_type == RSA_X_509_MECH_INFO_TYPE) 1321 return (CRYPTO_MECHANISM_INVALID); 1322 1323 if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE) 1324 rv = crypto_digest_data(data, &(ctxp->md5_ctx), 1325 NULL, MD5Update, MD5Final, 1326 CRYPTO_DO_MD5 | CRYPTO_DO_UPDATE); 1327 1328 else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE) 1329 rv = crypto_digest_data(data, &(ctxp->sha1_ctx), 1330 NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 | 1331 CRYPTO_DO_UPDATE); 1332 1333 else 1334 rv = crypto_digest_data(data, &(ctxp->sha2_ctx), 1335 NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 | 1336 CRYPTO_DO_UPDATE); 1337 1338 return (rv); 1339 } 1340 1341 static int 1342 rsa_sign_final(crypto_ctx_t *ctx, crypto_data_t *signature, 1343 crypto_req_handle_t req) 1344 { 1345 int rv; 1346 digest_rsa_ctx_t *ctxp; 1347 1348 ASSERT(ctx->cc_provider_private != NULL); 1349 ctxp = ctx->cc_provider_private; 1350 1351 rv = rsa_digest_svrfy_common(ctxp, NULL, signature, 1352 crypto_kmflag(req), CRYPTO_DO_SIGN | CRYPTO_DO_FINAL); 1353 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1354 (void) rsa_free_context(ctx); 1355 1356 return (rv); 1357 } 1358 1359 /* ARGSUSED */ 1360 static int 1361 rsa_sign_atomic(crypto_provider_handle_t provider, 1362 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1363 crypto_key_t *key, crypto_data_t *data, crypto_data_t *signature, 1364 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) 1365 { 1366 int rv; 1367 digest_rsa_ctx_t dctx; 1368 1369 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1370 return (rv); 1371 1372 if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE || 1373 mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE) 1374 rv = rsa_sign_common(mechanism->cm_type, key, data, 1375 signature, crypto_kmflag(req)); 1376 1377 else { 1378 dctx.mech_type = mechanism->cm_type; 1379 dctx.key = key; 1380 switch (mechanism->cm_type) { 1381 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1382 MD5Init(&(dctx.md5_ctx)); 1383 break; 1384 1385 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1386 SHA1Init(&(dctx.sha1_ctx)); 1387 break; 1388 1389 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1390 SHA2Init(SHA256, &(dctx.sha2_ctx)); 1391 break; 1392 1393 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1394 SHA2Init(SHA384, &(dctx.sha2_ctx)); 1395 break; 1396 1397 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1398 SHA2Init(SHA512, &(dctx.sha2_ctx)); 1399 break; 1400 } 1401 1402 rv = rsa_digest_svrfy_common(&dctx, data, signature, 1403 crypto_kmflag(req), CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE | 1404 CRYPTO_DO_FINAL); 1405 } 1406 1407 return (rv); 1408 } 1409 1410 static int 1411 rsa_verify_common(rsa_mech_type_t mech_type, crypto_key_t *key, 1412 crypto_data_t *data, crypto_data_t *signature, int kmflag) 1413 { 1414 int rv = CRYPTO_FAILED; 1415 1416 /* EXPORT DELETE START */ 1417 1418 uchar_t *sigptr, *modulus; 1419 ssize_t modulus_len; 1420 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1421 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1422 1423 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1424 &modulus_len)) != CRYPTO_SUCCESS) { 1425 return (rv); 1426 } 1427 1428 if (signature->cd_length != modulus_len) 1429 return (CRYPTO_SIGNATURE_LEN_RANGE); 1430 1431 ASSERT(signature->cd_length <= sizeof (tmp_data)); 1432 if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data)) 1433 != CRYPTO_SUCCESS) 1434 return (rv); 1435 1436 rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, kmflag, 1); 1437 if (rv != CRYPTO_SUCCESS) 1438 return (rv); 1439 1440 if (mech_type == RSA_X_509_MECH_INFO_TYPE) { 1441 if (compare_data(data, (plain_data + modulus_len 1442 - data->cd_length)) != 0) 1443 rv = CRYPTO_SIGNATURE_INVALID; 1444 1445 } else { 1446 int data_len = modulus_len; 1447 1448 /* 1449 * Strip off the encoded padding bytes in front of the 1450 * recovered data, then compare the recovered data with 1451 * the original data. 1452 */ 1453 rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len); 1454 if (rv != CRYPTO_SUCCESS) 1455 return (rv); 1456 1457 if (data_len != data->cd_length) 1458 return (CRYPTO_SIGNATURE_LEN_RANGE); 1459 1460 if (compare_data(data, (plain_data + modulus_len 1461 - data_len)) != 0) 1462 rv = CRYPTO_SIGNATURE_INVALID; 1463 } 1464 1465 /* EXPORT DELETE END */ 1466 1467 return (rv); 1468 } 1469 1470 /* ARGSUSED */ 1471 static int 1472 rsa_verify(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature, 1473 crypto_req_handle_t req) 1474 { 1475 int rv; 1476 rsa_ctx_t *ctxp; 1477 1478 ASSERT(ctx->cc_provider_private != NULL); 1479 ctxp = ctx->cc_provider_private; 1480 1481 /* See the comments on KM_SLEEP flag in rsa_encrypt() */ 1482 switch (ctxp->mech_type) { 1483 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1484 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1485 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1486 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1487 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1488 rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data, 1489 signature, KM_SLEEP, CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | 1490 CRYPTO_DO_FINAL); 1491 break; 1492 default: 1493 rv = rsa_verify_common(ctxp->mech_type, ctxp->key, data, 1494 signature, KM_SLEEP); 1495 break; 1496 } 1497 1498 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1499 (void) rsa_free_context(ctx); 1500 1501 return (rv); 1502 } 1503 1504 /* ARGSUSED */ 1505 static int 1506 rsa_verify_update(crypto_ctx_t *ctx, crypto_data_t *data, 1507 crypto_req_handle_t req) 1508 { 1509 int rv; 1510 digest_rsa_ctx_t *ctxp; 1511 1512 ASSERT(ctx->cc_provider_private != NULL); 1513 ctxp = ctx->cc_provider_private; 1514 1515 switch (ctxp->mech_type) { 1516 1517 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1518 rv = crypto_digest_data(data, &(ctxp->md5_ctx), 1519 NULL, MD5Update, MD5Final, CRYPTO_DO_MD5 | 1520 CRYPTO_DO_UPDATE); 1521 break; 1522 1523 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1524 rv = crypto_digest_data(data, &(ctxp->sha1_ctx), 1525 NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 | 1526 CRYPTO_DO_UPDATE); 1527 break; 1528 1529 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1530 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1531 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1532 rv = crypto_digest_data(data, &(ctxp->sha2_ctx), 1533 NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 | 1534 CRYPTO_DO_UPDATE); 1535 break; 1536 1537 default: 1538 return (CRYPTO_MECHANISM_INVALID); 1539 } 1540 1541 return (rv); 1542 } 1543 1544 static int 1545 rsa_verify_final(crypto_ctx_t *ctx, crypto_data_t *signature, 1546 crypto_req_handle_t req) 1547 { 1548 int rv; 1549 digest_rsa_ctx_t *ctxp; 1550 1551 ASSERT(ctx->cc_provider_private != NULL); 1552 ctxp = ctx->cc_provider_private; 1553 1554 rv = rsa_digest_svrfy_common(ctxp, NULL, signature, 1555 crypto_kmflag(req), CRYPTO_DO_VERIFY | CRYPTO_DO_FINAL); 1556 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1557 (void) rsa_free_context(ctx); 1558 1559 return (rv); 1560 } 1561 1562 1563 /* ARGSUSED */ 1564 static int 1565 rsa_verify_atomic(crypto_provider_handle_t provider, 1566 crypto_session_id_t session_id, 1567 crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, 1568 crypto_data_t *signature, crypto_spi_ctx_template_t ctx_template, 1569 crypto_req_handle_t req) 1570 { 1571 int rv; 1572 digest_rsa_ctx_t dctx; 1573 1574 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1575 return (rv); 1576 1577 if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE || 1578 mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE) 1579 rv = rsa_verify_common(mechanism->cm_type, key, data, 1580 signature, crypto_kmflag(req)); 1581 1582 else { 1583 dctx.mech_type = mechanism->cm_type; 1584 dctx.key = key; 1585 1586 switch (mechanism->cm_type) { 1587 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1588 MD5Init(&(dctx.md5_ctx)); 1589 break; 1590 1591 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1592 SHA1Init(&(dctx.sha1_ctx)); 1593 break; 1594 1595 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1596 SHA2Init(SHA256, &(dctx.sha2_ctx)); 1597 break; 1598 1599 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1600 SHA2Init(SHA384, &(dctx.sha2_ctx)); 1601 break; 1602 1603 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1604 SHA2Init(SHA512, &(dctx.sha2_ctx)); 1605 break; 1606 } 1607 1608 rv = rsa_digest_svrfy_common(&dctx, data, 1609 signature, crypto_kmflag(req), 1610 CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL); 1611 } 1612 1613 return (rv); 1614 } 1615 1616 static int 1617 rsa_verify_recover_common(rsa_mech_type_t mech_type, crypto_key_t *key, 1618 crypto_data_t *signature, crypto_data_t *data, int kmflag) 1619 { 1620 int rv = CRYPTO_FAILED; 1621 1622 /* EXPORT DELETE START */ 1623 1624 int data_len; 1625 uchar_t *sigptr, *modulus; 1626 ssize_t modulus_len; 1627 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1628 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1629 1630 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1631 &modulus_len)) != CRYPTO_SUCCESS) { 1632 return (rv); 1633 } 1634 1635 if (signature->cd_length != modulus_len) 1636 return (CRYPTO_SIGNATURE_LEN_RANGE); 1637 1638 ASSERT(signature->cd_length <= sizeof (tmp_data)); 1639 if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data)) 1640 != CRYPTO_SUCCESS) 1641 return (rv); 1642 1643 rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, kmflag, 1); 1644 if (rv != CRYPTO_SUCCESS) 1645 return (rv); 1646 1647 data_len = modulus_len; 1648 1649 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 1650 /* 1651 * Strip off the encoded padding bytes in front of the 1652 * recovered data, then compare the recovered data with 1653 * the original data. 1654 */ 1655 rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len); 1656 if (rv != CRYPTO_SUCCESS) 1657 return (rv); 1658 } 1659 1660 if (data->cd_length < data_len) { 1661 data->cd_length = data_len; 1662 return (CRYPTO_BUFFER_TOO_SMALL); 1663 } 1664 1665 if ((rv = crypto_put_output_data(plain_data + modulus_len - data_len, 1666 data, data_len)) != CRYPTO_SUCCESS) 1667 return (rv); 1668 data->cd_length = data_len; 1669 1670 /* EXPORT DELETE END */ 1671 1672 return (rv); 1673 } 1674 1675 /* ARGSUSED */ 1676 static int 1677 rsa_verify_recover(crypto_ctx_t *ctx, crypto_data_t *signature, 1678 crypto_data_t *data, crypto_req_handle_t req) 1679 { 1680 int rv; 1681 rsa_ctx_t *ctxp; 1682 1683 ASSERT(ctx->cc_provider_private != NULL); 1684 ctxp = ctx->cc_provider_private; 1685 1686 /* See the comments on KM_SLEEP flag in rsa_encrypt() */ 1687 rv = rsa_verify_recover_common(ctxp->mech_type, ctxp->key, 1688 signature, data, KM_SLEEP); 1689 1690 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1691 (void) rsa_free_context(ctx); 1692 1693 return (rv); 1694 } 1695 1696 /* ARGSUSED */ 1697 static int 1698 rsa_verify_recover_atomic(crypto_provider_handle_t provider, 1699 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1700 crypto_key_t *key, crypto_data_t *signature, crypto_data_t *data, 1701 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) 1702 { 1703 int rv; 1704 1705 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1706 return (rv); 1707 1708 return (rsa_verify_recover_common(mechanism->cm_type, key, 1709 signature, data, crypto_kmflag(req))); 1710 } 1711