1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. 24 */ 25 26 /* 27 * RSA provider for the Kernel Cryptographic Framework (KCF) 28 */ 29 30 #include <sys/types.h> 31 #include <sys/systm.h> 32 #include <sys/modctl.h> 33 #include <sys/cmn_err.h> 34 #include <sys/ddi.h> 35 #include <sys/crypto/spi.h> 36 #include <sys/sysmacros.h> 37 #include <sys/strsun.h> 38 #include <sys/md5.h> 39 #include <sys/sha1.h> 40 #define _SHA2_IMPL 41 #include <sys/sha2.h> 42 #include <sys/random.h> 43 #include <sys/crypto/impl.h> 44 #include <sha1/sha1_impl.h> 45 #include <sha2/sha2_impl.h> 46 #include <padding/padding.h> 47 #include <rsa/rsa_impl.h> 48 49 extern struct mod_ops mod_cryptoops; 50 51 /* 52 * Module linkage information for the kernel. 53 */ 54 static struct modlcrypto modlcrypto = { 55 &mod_cryptoops, 56 "RSA Kernel SW Provider" 57 }; 58 59 static struct modlinkage modlinkage = { 60 MODREV_1, 61 (void *)&modlcrypto, 62 NULL 63 }; 64 65 /* 66 * CSPI information (entry points, provider info, etc.) 67 */ 68 typedef enum rsa_mech_type { 69 RSA_PKCS_MECH_INFO_TYPE, /* SUN_CKM_RSA_PKCS */ 70 RSA_X_509_MECH_INFO_TYPE, /* SUN_CKM_RSA_X_509 */ 71 MD5_RSA_PKCS_MECH_INFO_TYPE, /* SUN_MD5_RSA_PKCS */ 72 SHA1_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA1_RSA_PKCS */ 73 SHA256_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA256_RSA_PKCS */ 74 SHA384_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA384_RSA_PKCS */ 75 SHA512_RSA_PKCS_MECH_INFO_TYPE /* SUN_SHA512_RSA_PKCS */ 76 } rsa_mech_type_t; 77 78 /* 79 * Context for RSA_PKCS and RSA_X_509 mechanisms. 80 */ 81 typedef struct rsa_ctx { 82 rsa_mech_type_t mech_type; 83 crypto_key_t *key; 84 size_t keychunk_size; 85 } rsa_ctx_t; 86 87 /* 88 * Context for MD5_RSA_PKCS and SHA*_RSA_PKCS mechanisms. 89 */ 90 typedef struct digest_rsa_ctx { 91 rsa_mech_type_t mech_type; 92 crypto_key_t *key; 93 size_t keychunk_size; 94 union { 95 MD5_CTX md5ctx; 96 SHA1_CTX sha1ctx; 97 SHA2_CTX sha2ctx; 98 } dctx_u; 99 } digest_rsa_ctx_t; 100 101 #define md5_ctx dctx_u.md5ctx 102 #define sha1_ctx dctx_u.sha1ctx 103 #define sha2_ctx dctx_u.sha2ctx 104 105 /* 106 * Mechanism info structure passed to KCF during registration. 107 */ 108 static crypto_mech_info_t rsa_mech_info_tab[] = { 109 /* RSA_PKCS */ 110 {SUN_CKM_RSA_PKCS, RSA_PKCS_MECH_INFO_TYPE, 111 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 112 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC | 113 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 114 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC | 115 CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC | 116 CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC, 117 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 118 119 /* RSA_X_509 */ 120 {SUN_CKM_RSA_X_509, RSA_X_509_MECH_INFO_TYPE, 121 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 122 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC | 123 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 124 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC | 125 CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC | 126 CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC, 127 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 128 129 /* MD5_RSA_PKCS */ 130 {SUN_CKM_MD5_RSA_PKCS, MD5_RSA_PKCS_MECH_INFO_TYPE, 131 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 132 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 133 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 134 135 /* SHA1_RSA_PKCS */ 136 {SUN_CKM_SHA1_RSA_PKCS, SHA1_RSA_PKCS_MECH_INFO_TYPE, 137 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 138 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 139 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 140 141 /* SHA256_RSA_PKCS */ 142 {SUN_CKM_SHA256_RSA_PKCS, SHA256_RSA_PKCS_MECH_INFO_TYPE, 143 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 144 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 145 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 146 147 /* SHA384_RSA_PKCS */ 148 {SUN_CKM_SHA384_RSA_PKCS, SHA384_RSA_PKCS_MECH_INFO_TYPE, 149 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 150 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 151 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 152 153 /* SHA512_RSA_PKCS */ 154 {SUN_CKM_SHA512_RSA_PKCS, SHA512_RSA_PKCS_MECH_INFO_TYPE, 155 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 156 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 157 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS} 158 159 }; 160 161 #define RSA_VALID_MECH(mech) \ 162 (((mech)->cm_type == RSA_PKCS_MECH_INFO_TYPE || \ 163 (mech)->cm_type == RSA_X_509_MECH_INFO_TYPE || \ 164 (mech)->cm_type == MD5_RSA_PKCS_MECH_INFO_TYPE || \ 165 (mech)->cm_type == SHA1_RSA_PKCS_MECH_INFO_TYPE || \ 166 (mech)->cm_type == SHA256_RSA_PKCS_MECH_INFO_TYPE || \ 167 (mech)->cm_type == SHA384_RSA_PKCS_MECH_INFO_TYPE || \ 168 (mech)->cm_type == SHA512_RSA_PKCS_MECH_INFO_TYPE) ? 1 : 0) 169 170 /* operations are in-place if the output buffer is NULL */ 171 #define RSA_ARG_INPLACE(input, output) \ 172 if ((output) == NULL) \ 173 (output) = (input); 174 175 static void rsa_provider_status(crypto_provider_handle_t, uint_t *); 176 177 static crypto_control_ops_t rsa_control_ops = { 178 rsa_provider_status 179 }; 180 181 static int rsa_common_init(crypto_ctx_t *, crypto_mechanism_t *, 182 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 183 static int rsaprov_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 184 crypto_req_handle_t); 185 static int rsa_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t, 186 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 187 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 188 static int rsaprov_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 189 crypto_req_handle_t); 190 static int rsa_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t, 191 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 192 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 193 194 /* 195 * The RSA mechanisms do not have multiple-part cipher operations. 196 * So, the update and final routines are set to NULL. 197 */ 198 static crypto_cipher_ops_t rsa_cipher_ops = { 199 rsa_common_init, 200 rsaprov_encrypt, 201 NULL, 202 NULL, 203 rsa_encrypt_atomic, 204 rsa_common_init, 205 rsaprov_decrypt, 206 NULL, 207 NULL, 208 rsa_decrypt_atomic 209 }; 210 211 static int rsa_sign_verify_common_init(crypto_ctx_t *, crypto_mechanism_t *, 212 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 213 static int rsaprov_sign(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 214 crypto_req_handle_t); 215 static int rsa_sign_update(crypto_ctx_t *, crypto_data_t *, 216 crypto_req_handle_t); 217 static int rsa_sign_final(crypto_ctx_t *, crypto_data_t *, 218 crypto_req_handle_t); 219 static int rsa_sign_atomic(crypto_provider_handle_t, crypto_session_id_t, 220 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, 221 crypto_spi_ctx_template_t, crypto_req_handle_t); 222 223 /* 224 * We use the same routine for sign_init and sign_recover_init fields 225 * as they do the same thing. Same holds for sign and sign_recover fields, 226 * and sign_atomic and sign_recover_atomic fields. 227 */ 228 static crypto_sign_ops_t rsa_sign_ops = { 229 rsa_sign_verify_common_init, 230 rsaprov_sign, 231 rsa_sign_update, 232 rsa_sign_final, 233 rsa_sign_atomic, 234 rsa_sign_verify_common_init, 235 rsaprov_sign, 236 rsa_sign_atomic 237 }; 238 239 static int rsaprov_verify(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 240 crypto_req_handle_t); 241 static int rsa_verify_update(crypto_ctx_t *, crypto_data_t *, 242 crypto_req_handle_t); 243 static int rsa_verify_final(crypto_ctx_t *, crypto_data_t *, 244 crypto_req_handle_t); 245 static int rsa_verify_atomic(crypto_provider_handle_t, crypto_session_id_t, 246 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 247 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 248 static int rsa_verify_recover(crypto_ctx_t *, crypto_data_t *, 249 crypto_data_t *, crypto_req_handle_t); 250 static int rsa_verify_recover_atomic(crypto_provider_handle_t, 251 crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, 252 crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t, 253 crypto_req_handle_t); 254 255 /* 256 * We use the same routine (rsa_sign_verify_common_init) for verify_init 257 * and verify_recover_init fields as they do the same thing. 258 */ 259 static crypto_verify_ops_t rsa_verify_ops = { 260 rsa_sign_verify_common_init, 261 rsaprov_verify, 262 rsa_verify_update, 263 rsa_verify_final, 264 rsa_verify_atomic, 265 rsa_sign_verify_common_init, 266 rsa_verify_recover, 267 rsa_verify_recover_atomic 268 }; 269 270 static int rsa_free_context(crypto_ctx_t *); 271 272 static crypto_ctx_ops_t rsa_ctx_ops = { 273 NULL, 274 rsa_free_context 275 }; 276 277 static crypto_ops_t rsa_crypto_ops = { 278 &rsa_control_ops, 279 NULL, 280 &rsa_cipher_ops, 281 NULL, 282 &rsa_sign_ops, 283 &rsa_verify_ops, 284 NULL, 285 NULL, 286 NULL, 287 NULL, 288 NULL, 289 NULL, 290 NULL, 291 &rsa_ctx_ops, 292 NULL, 293 NULL, 294 NULL, 295 }; 296 297 static crypto_provider_info_t rsa_prov_info = { 298 CRYPTO_SPI_VERSION_4, 299 "RSA Software Provider", 300 CRYPTO_SW_PROVIDER, 301 {&modlinkage}, 302 NULL, 303 &rsa_crypto_ops, 304 sizeof (rsa_mech_info_tab)/sizeof (crypto_mech_info_t), 305 rsa_mech_info_tab 306 }; 307 308 static int rsa_encrypt_common(rsa_mech_type_t, crypto_key_t *, 309 crypto_data_t *, crypto_data_t *); 310 static int rsa_decrypt_common(rsa_mech_type_t, crypto_key_t *, 311 crypto_data_t *, crypto_data_t *); 312 static int rsa_sign_common(rsa_mech_type_t, crypto_key_t *, 313 crypto_data_t *, crypto_data_t *); 314 static int rsa_verify_common(rsa_mech_type_t, crypto_key_t *, 315 crypto_data_t *, crypto_data_t *); 316 static int compare_data(crypto_data_t *, uchar_t *); 317 318 static int core_rsa_encrypt(crypto_key_t *, uchar_t *, int, uchar_t *, int); 319 static int core_rsa_decrypt(crypto_key_t *, uchar_t *, int, uchar_t *); 320 321 static crypto_kcf_provider_handle_t rsa_prov_handle = NULL; 322 323 int 324 _init(void) 325 { 326 int ret; 327 328 if ((ret = mod_install(&modlinkage)) != 0) 329 return (ret); 330 331 /* Register with KCF. If the registration fails, remove the module. */ 332 if (crypto_register_provider(&rsa_prov_info, &rsa_prov_handle)) { 333 (void) mod_remove(&modlinkage); 334 return (EACCES); 335 } 336 337 return (0); 338 } 339 340 int 341 _fini(void) 342 { 343 /* Unregister from KCF if module is registered */ 344 if (rsa_prov_handle != NULL) { 345 if (crypto_unregister_provider(rsa_prov_handle)) 346 return (EBUSY); 347 348 rsa_prov_handle = NULL; 349 } 350 351 return (mod_remove(&modlinkage)); 352 } 353 354 int 355 _info(struct modinfo *modinfop) 356 { 357 return (mod_info(&modlinkage, modinfop)); 358 } 359 360 /* ARGSUSED */ 361 static void 362 rsa_provider_status(crypto_provider_handle_t provider, uint_t *status) 363 { 364 *status = CRYPTO_PROVIDER_READY; 365 } 366 367 static int 368 check_mech_and_key(crypto_mechanism_t *mechanism, crypto_key_t *key) 369 { 370 int rv = CRYPTO_FAILED; 371 372 uchar_t *modulus; 373 ssize_t modulus_len; /* In bytes */ 374 375 if (!RSA_VALID_MECH(mechanism)) 376 return (CRYPTO_MECHANISM_INVALID); 377 378 /* 379 * We only support RSA keys that are passed as a list of 380 * object attributes. 381 */ 382 if (key->ck_format != CRYPTO_KEY_ATTR_LIST) { 383 return (CRYPTO_KEY_TYPE_INCONSISTENT); 384 } 385 386 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 387 &modulus_len)) != CRYPTO_SUCCESS) { 388 return (rv); 389 } 390 if (modulus_len < MIN_RSA_KEYLENGTH_IN_BYTES || 391 modulus_len > MAX_RSA_KEYLENGTH_IN_BYTES) 392 return (CRYPTO_KEY_SIZE_RANGE); 393 394 return (rv); 395 } 396 397 void 398 kmemset(uint8_t *buf, char pattern, size_t len) 399 { 400 int i = 0; 401 402 while (i < len) 403 buf[i++] = pattern; 404 } 405 406 /* 407 * This function guarantees to return non-zero random numbers. 408 * This is needed as the /dev/urandom kernel interface, 409 * random_get_pseudo_bytes(), may return zeros. 410 */ 411 int 412 knzero_random_generator(uint8_t *ran_out, size_t ran_len) 413 { 414 int rv; 415 size_t ebc = 0; /* count of extra bytes in extrarand */ 416 size_t i = 0; 417 uint8_t extrarand[32]; 418 size_t extrarand_len; 419 420 if ((rv = random_get_pseudo_bytes(ran_out, ran_len)) != 0) 421 return (rv); 422 423 /* 424 * Walk through the returned random numbers pointed by ran_out, 425 * and look for any random number which is zero. 426 * If we find zero, call random_get_pseudo_bytes() to generate 427 * another 32 random numbers pool. Replace any zeros in ran_out[] 428 * from the random number in pool. 429 */ 430 while (i < ran_len) { 431 if (ran_out[i] != 0) { 432 i++; 433 continue; 434 } 435 436 /* 437 * Note that it is 'while' so we are guaranteed a 438 * non-zero value on exit. 439 */ 440 if (ebc == 0) { 441 /* refresh extrarand */ 442 extrarand_len = sizeof (extrarand); 443 if ((rv = random_get_pseudo_bytes(extrarand, 444 extrarand_len)) != 0) { 445 return (rv); 446 } 447 448 ebc = extrarand_len; 449 } 450 /* Replace zero with byte from extrarand. */ 451 -- ebc; 452 453 /* 454 * The new random byte zero/non-zero will be checked in 455 * the next pass through the loop. 456 */ 457 ran_out[i] = extrarand[ebc]; 458 } 459 460 return (CRYPTO_SUCCESS); 461 } 462 463 static int 464 compare_data(crypto_data_t *data, uchar_t *buf) 465 { 466 int len; 467 uchar_t *dptr; 468 469 len = data->cd_length; 470 switch (data->cd_format) { 471 case CRYPTO_DATA_RAW: 472 dptr = (uchar_t *)(data->cd_raw.iov_base + 473 data->cd_offset); 474 475 return (bcmp(dptr, buf, len)); 476 477 case CRYPTO_DATA_UIO: 478 return (crypto_uio_data(data, buf, len, 479 COMPARE_TO_DATA, NULL, NULL)); 480 481 case CRYPTO_DATA_MBLK: 482 return (crypto_mblk_data(data, buf, len, 483 COMPARE_TO_DATA, NULL, NULL)); 484 } 485 486 return (CRYPTO_FAILED); 487 } 488 489 /* ARGSUSED */ 490 static int 491 rsa_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 492 crypto_key_t *key, crypto_spi_ctx_template_t template, 493 crypto_req_handle_t req) 494 { 495 int rv; 496 int kmflag; 497 rsa_ctx_t *ctxp; 498 499 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 500 return (rv); 501 502 /* 503 * Allocate a RSA context. 504 */ 505 kmflag = crypto_kmflag(req); 506 if ((ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag)) == NULL) 507 return (CRYPTO_HOST_MEMORY); 508 509 if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size, 510 kmflag)) != CRYPTO_SUCCESS) { 511 kmem_free(ctxp, sizeof (rsa_ctx_t)); 512 return (rv); 513 } 514 ctxp->mech_type = mechanism->cm_type; 515 516 ctx->cc_provider_private = ctxp; 517 518 return (CRYPTO_SUCCESS); 519 } 520 521 /* ARGSUSED */ 522 static int 523 rsaprov_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext, 524 crypto_data_t *ciphertext, crypto_req_handle_t req) 525 { 526 int rv; 527 rsa_ctx_t *ctxp; 528 529 ASSERT(ctx->cc_provider_private != NULL); 530 ctxp = ctx->cc_provider_private; 531 532 RSA_ARG_INPLACE(plaintext, ciphertext); 533 534 /* 535 * Note on the KM_SLEEP flag passed to the routine below - 536 * rsaprov_encrypt() is a single-part encryption routine which is 537 * currently usable only by /dev/crypto. Since /dev/crypto calls are 538 * always synchronous, we can safely pass KM_SLEEP here. 539 */ 540 rv = rsa_encrypt_common(ctxp->mech_type, ctxp->key, plaintext, 541 ciphertext); 542 543 if (rv != CRYPTO_BUFFER_TOO_SMALL) 544 (void) rsa_free_context(ctx); 545 546 return (rv); 547 } 548 549 /* ARGSUSED */ 550 static int 551 rsa_encrypt_atomic(crypto_provider_handle_t provider, 552 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 553 crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext, 554 crypto_spi_ctx_template_t template, crypto_req_handle_t req) 555 { 556 int rv; 557 558 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 559 return (rv); 560 RSA_ARG_INPLACE(plaintext, ciphertext); 561 562 return (rsa_encrypt_common(mechanism->cm_type, key, plaintext, 563 ciphertext)); 564 } 565 566 static int 567 rsa_free_context(crypto_ctx_t *ctx) 568 { 569 rsa_ctx_t *ctxp = ctx->cc_provider_private; 570 571 if (ctxp != NULL) { 572 bzero(ctxp->key, ctxp->keychunk_size); 573 kmem_free(ctxp->key, ctxp->keychunk_size); 574 575 if (ctxp->mech_type == RSA_PKCS_MECH_INFO_TYPE || 576 ctxp->mech_type == RSA_X_509_MECH_INFO_TYPE) 577 kmem_free(ctxp, sizeof (rsa_ctx_t)); 578 else 579 kmem_free(ctxp, sizeof (digest_rsa_ctx_t)); 580 581 ctx->cc_provider_private = NULL; 582 } 583 584 return (CRYPTO_SUCCESS); 585 } 586 587 static int 588 rsa_encrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key, 589 crypto_data_t *plaintext, crypto_data_t *ciphertext) 590 { 591 int rv = CRYPTO_FAILED; 592 593 int plen; 594 uchar_t *ptptr; 595 uchar_t *modulus; 596 ssize_t modulus_len; 597 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 598 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 599 uchar_t cipher_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 600 601 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 602 &modulus_len)) != CRYPTO_SUCCESS) { 603 return (rv); 604 } 605 606 plen = plaintext->cd_length; 607 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 608 if (plen > (modulus_len - MIN_PKCS1_PADLEN)) 609 return (CRYPTO_DATA_LEN_RANGE); 610 } else { 611 if (plen > modulus_len) 612 return (CRYPTO_DATA_LEN_RANGE); 613 } 614 615 /* 616 * Output buf len must not be less than RSA modulus size. 617 */ 618 if (ciphertext->cd_length < modulus_len) { 619 ciphertext->cd_length = modulus_len; 620 return (CRYPTO_BUFFER_TOO_SMALL); 621 } 622 623 ASSERT(plaintext->cd_length <= sizeof (tmp_data)); 624 if ((rv = crypto_get_input_data(plaintext, &ptptr, tmp_data)) 625 != CRYPTO_SUCCESS) 626 return (rv); 627 628 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 629 rv = pkcs1_encode(PKCS1_ENCRYPT, ptptr, plen, 630 plain_data, modulus_len); 631 632 if (rv != CRYPTO_SUCCESS) 633 return (rv); 634 } else { 635 bzero(plain_data, modulus_len - plen); 636 bcopy(ptptr, &plain_data[modulus_len - plen], plen); 637 } 638 639 rv = core_rsa_encrypt(key, plain_data, modulus_len, cipher_data, 1); 640 if (rv == CRYPTO_SUCCESS) { 641 /* copy out to ciphertext */ 642 if ((rv = crypto_put_output_data(cipher_data, 643 ciphertext, modulus_len)) != CRYPTO_SUCCESS) 644 return (rv); 645 646 ciphertext->cd_length = modulus_len; 647 } 648 649 return (rv); 650 } 651 652 static int 653 core_rsa_encrypt(crypto_key_t *key, uchar_t *in, 654 int in_len, uchar_t *out, int is_public) 655 { 656 int rv; 657 uchar_t *expo, *modulus; 658 ssize_t expo_len; 659 ssize_t modulus_len; 660 RSAbytekey k; 661 662 if (is_public) { 663 if ((rv = crypto_get_key_attr(key, SUN_CKA_PUBLIC_EXPONENT, 664 &expo, &expo_len)) != CRYPTO_SUCCESS) 665 return (rv); 666 } else { 667 /* 668 * SUN_CKA_PRIVATE_EXPONENT is a required attribute for a 669 * RSA secret key. See the comments in core_rsa_decrypt 670 * routine which calls this routine with a private key. 671 */ 672 if ((rv = crypto_get_key_attr(key, SUN_CKA_PRIVATE_EXPONENT, 673 &expo, &expo_len)) != CRYPTO_SUCCESS) 674 return (rv); 675 } 676 677 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 678 &modulus_len)) != CRYPTO_SUCCESS) { 679 return (rv); 680 } 681 682 k.modulus = modulus; 683 k.modulus_bits = CRYPTO_BYTES2BITS(modulus_len); 684 k.pubexpo = expo; 685 k.pubexpo_bytes = expo_len; 686 k.rfunc = NULL; 687 688 rv = rsa_encrypt(&k, in, in_len, out); 689 690 return (rv); 691 } 692 693 /* ARGSUSED */ 694 static int 695 rsaprov_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext, 696 crypto_data_t *plaintext, crypto_req_handle_t req) 697 { 698 int rv; 699 rsa_ctx_t *ctxp; 700 701 ASSERT(ctx->cc_provider_private != NULL); 702 ctxp = ctx->cc_provider_private; 703 704 RSA_ARG_INPLACE(ciphertext, plaintext); 705 706 /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */ 707 rv = rsa_decrypt_common(ctxp->mech_type, ctxp->key, 708 ciphertext, plaintext); 709 710 if (rv != CRYPTO_BUFFER_TOO_SMALL) 711 (void) rsa_free_context(ctx); 712 713 return (rv); 714 } 715 716 /* ARGSUSED */ 717 static int 718 rsa_decrypt_atomic(crypto_provider_handle_t provider, 719 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 720 crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext, 721 crypto_spi_ctx_template_t template, crypto_req_handle_t req) 722 { 723 int rv; 724 725 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 726 return (rv); 727 RSA_ARG_INPLACE(ciphertext, plaintext); 728 729 return (rsa_decrypt_common(mechanism->cm_type, key, ciphertext, 730 plaintext)); 731 } 732 733 static int 734 rsa_decrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key, 735 crypto_data_t *ciphertext, crypto_data_t *plaintext) 736 { 737 int rv = CRYPTO_FAILED; 738 739 size_t plain_len; 740 uchar_t *ctptr; 741 uchar_t *modulus; 742 ssize_t modulus_len; 743 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 744 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 745 746 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 747 &modulus_len)) != CRYPTO_SUCCESS) { 748 return (rv); 749 } 750 751 /* 752 * Ciphertext length must be equal to RSA modulus size. 753 */ 754 if (ciphertext->cd_length != modulus_len) 755 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE); 756 757 ASSERT(ciphertext->cd_length <= sizeof (tmp_data)); 758 if ((rv = crypto_get_input_data(ciphertext, &ctptr, tmp_data)) 759 != CRYPTO_SUCCESS) 760 return (rv); 761 762 rv = core_rsa_decrypt(key, ctptr, modulus_len, plain_data); 763 if (rv == CRYPTO_SUCCESS) { 764 plain_len = modulus_len; 765 766 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 767 /* Strip off the PKCS block formatting data. */ 768 rv = pkcs1_decode(PKCS1_DECRYPT, plain_data, 769 &plain_len); 770 if (rv != CRYPTO_SUCCESS) 771 return (rv); 772 } 773 774 if (plain_len > plaintext->cd_length) { 775 plaintext->cd_length = plain_len; 776 return (CRYPTO_BUFFER_TOO_SMALL); 777 } 778 779 if ((rv = crypto_put_output_data( 780 plain_data + modulus_len - plain_len, 781 plaintext, plain_len)) != CRYPTO_SUCCESS) 782 return (rv); 783 784 plaintext->cd_length = plain_len; 785 } 786 787 return (rv); 788 } 789 790 static int 791 core_rsa_decrypt(crypto_key_t *key, uchar_t *in, int in_len, uchar_t *out) 792 { 793 int rv; 794 uchar_t *modulus, *prime1, *prime2, *expo1, *expo2, *coef; 795 ssize_t modulus_len; 796 ssize_t prime1_len, prime2_len; 797 ssize_t expo1_len, expo2_len, coef_len; 798 RSAbytekey k; 799 800 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 801 &modulus_len)) != CRYPTO_SUCCESS) { 802 return (rv); 803 } 804 805 /* 806 * The following attributes are not required to be 807 * present in a RSA secret key. If any of them is not present 808 * we call the encrypt routine with a flag indicating use of 809 * private exponent (d). Note that SUN_CKA_PRIVATE_EXPONENT is 810 * a required attribute for a RSA secret key. 811 */ 812 if ((crypto_get_key_attr(key, SUN_CKA_PRIME_1, &prime1, &prime1_len) 813 != CRYPTO_SUCCESS) || 814 (crypto_get_key_attr(key, SUN_CKA_PRIME_2, &prime2, &prime2_len) 815 != CRYPTO_SUCCESS) || 816 (crypto_get_key_attr(key, SUN_CKA_EXPONENT_1, &expo1, &expo1_len) 817 != CRYPTO_SUCCESS) || 818 (crypto_get_key_attr(key, SUN_CKA_EXPONENT_2, &expo2, &expo2_len) 819 != CRYPTO_SUCCESS) || 820 (crypto_get_key_attr(key, SUN_CKA_COEFFICIENT, &coef, &coef_len) 821 != CRYPTO_SUCCESS)) { 822 return (core_rsa_encrypt(key, in, in_len, out, 0)); 823 } 824 825 k.modulus = modulus; 826 k.modulus_bits = CRYPTO_BYTES2BITS(modulus_len); 827 k.prime1 = prime1; 828 k.prime1_bytes = prime1_len; 829 k.prime2 = prime2; 830 k.prime2_bytes = prime2_len; 831 k.expo1 = expo1; 832 k.expo1_bytes = expo1_len; 833 k.expo2 = expo2; 834 k.expo2_bytes = expo2_len; 835 k.coeff = coef; 836 k.coeff_bytes = coef_len; 837 k.rfunc = NULL; 838 839 rv = rsa_decrypt(&k, in, in_len, out); 840 841 return (rv); 842 } 843 844 /* ARGSUSED */ 845 static int 846 rsa_sign_verify_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 847 crypto_key_t *key, crypto_spi_ctx_template_t ctx_template, 848 crypto_req_handle_t req) 849 { 850 int rv; 851 int kmflag; 852 rsa_ctx_t *ctxp; 853 digest_rsa_ctx_t *dctxp; 854 855 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 856 return (rv); 857 858 /* 859 * Allocate a RSA context. 860 */ 861 kmflag = crypto_kmflag(req); 862 switch (mechanism->cm_type) { 863 case MD5_RSA_PKCS_MECH_INFO_TYPE: 864 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 865 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 866 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 867 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 868 dctxp = kmem_zalloc(sizeof (digest_rsa_ctx_t), kmflag); 869 ctxp = (rsa_ctx_t *)dctxp; 870 break; 871 default: 872 ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag); 873 break; 874 } 875 876 if (ctxp == NULL) 877 return (CRYPTO_HOST_MEMORY); 878 879 ctxp->mech_type = mechanism->cm_type; 880 if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size, 881 kmflag)) != CRYPTO_SUCCESS) { 882 switch (mechanism->cm_type) { 883 case MD5_RSA_PKCS_MECH_INFO_TYPE: 884 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 885 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 886 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 887 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 888 kmem_free(dctxp, sizeof (digest_rsa_ctx_t)); 889 break; 890 default: 891 kmem_free(ctxp, sizeof (rsa_ctx_t)); 892 break; 893 } 894 return (rv); 895 } 896 897 switch (mechanism->cm_type) { 898 case MD5_RSA_PKCS_MECH_INFO_TYPE: 899 MD5Init(&(dctxp->md5_ctx)); 900 break; 901 902 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 903 SHA1Init(&(dctxp->sha1_ctx)); 904 break; 905 906 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 907 SHA2Init(SHA256, &(dctxp->sha2_ctx)); 908 break; 909 910 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 911 SHA2Init(SHA384, &(dctxp->sha2_ctx)); 912 break; 913 914 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 915 SHA2Init(SHA512, &(dctxp->sha2_ctx)); 916 break; 917 } 918 919 ctx->cc_provider_private = ctxp; 920 921 return (CRYPTO_SUCCESS); 922 } 923 924 #define SHA1_DIGEST_SIZE 20 925 #define MD5_DIGEST_SIZE 16 926 927 #define INIT_RAW_CRYPTO_DATA(data, base, len, cd_len) \ 928 (data).cd_format = CRYPTO_DATA_RAW; \ 929 (data).cd_offset = 0; \ 930 (data).cd_raw.iov_base = (char *)base; \ 931 (data).cd_raw.iov_len = len; \ 932 (data).cd_length = cd_len; 933 934 static int 935 rsa_digest_svrfy_common(digest_rsa_ctx_t *ctxp, crypto_data_t *data, 936 crypto_data_t *signature, uchar_t flag) 937 { 938 int rv = CRYPTO_FAILED; 939 940 uchar_t digest[SHA512_DIGEST_LENGTH]; 941 /* The der_data size is enough for MD5 also */ 942 uchar_t der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len]; 943 ulong_t der_data_len; 944 crypto_data_t der_cd; 945 rsa_mech_type_t mech_type; 946 947 ASSERT(flag & CRYPTO_DO_SIGN || flag & CRYPTO_DO_VERIFY); 948 ASSERT(data != NULL || (flag & CRYPTO_DO_FINAL)); 949 950 mech_type = ctxp->mech_type; 951 if (mech_type == RSA_PKCS_MECH_INFO_TYPE || 952 mech_type == RSA_X_509_MECH_INFO_TYPE) 953 return (CRYPTO_MECHANISM_INVALID); 954 955 /* 956 * We need to do the BUFFER_TOO_SMALL check before digesting 957 * the data. No check is needed for verify as signature is not 958 * an output argument for verify. 959 */ 960 if (flag & CRYPTO_DO_SIGN) { 961 uchar_t *modulus; 962 ssize_t modulus_len; 963 964 if ((rv = crypto_get_key_attr(ctxp->key, SUN_CKA_MODULUS, 965 &modulus, &modulus_len)) != CRYPTO_SUCCESS) { 966 return (rv); 967 } 968 969 if (signature->cd_length < modulus_len) { 970 signature->cd_length = modulus_len; 971 return (CRYPTO_BUFFER_TOO_SMALL); 972 } 973 } 974 975 if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE) 976 rv = crypto_digest_data(data, &(ctxp->md5_ctx), 977 digest, MD5Update, MD5Final, flag | CRYPTO_DO_MD5); 978 979 else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE) 980 rv = crypto_digest_data(data, &(ctxp->sha1_ctx), 981 digest, SHA1Update, SHA1Final, flag | CRYPTO_DO_SHA1); 982 983 else 984 rv = crypto_digest_data(data, &(ctxp->sha2_ctx), 985 digest, SHA2Update, SHA2Final, flag | CRYPTO_DO_SHA2); 986 987 if (rv != CRYPTO_SUCCESS) 988 return (rv); 989 990 991 /* 992 * Prepare the DER encoding of the DigestInfo value as follows: 993 * MD5: MD5_DER_PREFIX || H 994 * SHA-1: SHA1_DER_PREFIX || H 995 * 996 * See rsa_impl.c for more details. 997 */ 998 switch (mech_type) { 999 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1000 bcopy(MD5_DER_PREFIX, der_data, MD5_DER_PREFIX_Len); 1001 bcopy(digest, der_data + MD5_DER_PREFIX_Len, MD5_DIGEST_SIZE); 1002 der_data_len = MD5_DER_PREFIX_Len + MD5_DIGEST_SIZE; 1003 break; 1004 1005 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1006 bcopy(SHA1_DER_PREFIX, der_data, SHA1_DER_PREFIX_Len); 1007 bcopy(digest, der_data + SHA1_DER_PREFIX_Len, 1008 SHA1_DIGEST_SIZE); 1009 der_data_len = SHA1_DER_PREFIX_Len + SHA1_DIGEST_SIZE; 1010 break; 1011 1012 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1013 bcopy(SHA256_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len); 1014 bcopy(digest, der_data + SHA2_DER_PREFIX_Len, 1015 SHA256_DIGEST_LENGTH); 1016 der_data_len = SHA2_DER_PREFIX_Len + SHA256_DIGEST_LENGTH; 1017 break; 1018 1019 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1020 bcopy(SHA384_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len); 1021 bcopy(digest, der_data + SHA2_DER_PREFIX_Len, 1022 SHA384_DIGEST_LENGTH); 1023 der_data_len = SHA2_DER_PREFIX_Len + SHA384_DIGEST_LENGTH; 1024 break; 1025 1026 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1027 bcopy(SHA512_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len); 1028 bcopy(digest, der_data + SHA2_DER_PREFIX_Len, 1029 SHA512_DIGEST_LENGTH); 1030 der_data_len = SHA2_DER_PREFIX_Len + SHA512_DIGEST_LENGTH; 1031 break; 1032 } 1033 1034 INIT_RAW_CRYPTO_DATA(der_cd, der_data, der_data_len, der_data_len); 1035 /* 1036 * Now, we are ready to sign or verify the DER_ENCODED data. 1037 */ 1038 if (flag & CRYPTO_DO_SIGN) 1039 rv = rsa_sign_common(mech_type, ctxp->key, &der_cd, 1040 signature); 1041 else 1042 rv = rsa_verify_common(mech_type, ctxp->key, &der_cd, 1043 signature); 1044 1045 return (rv); 1046 } 1047 1048 static int 1049 rsa_sign_common(rsa_mech_type_t mech_type, crypto_key_t *key, 1050 crypto_data_t *data, crypto_data_t *signature) 1051 { 1052 int rv = CRYPTO_FAILED; 1053 1054 int dlen; 1055 uchar_t *dataptr, *modulus; 1056 ssize_t modulus_len; 1057 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1058 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1059 uchar_t signed_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1060 1061 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1062 &modulus_len)) != CRYPTO_SUCCESS) { 1063 return (rv); 1064 } 1065 1066 dlen = data->cd_length; 1067 switch (mech_type) { 1068 case RSA_PKCS_MECH_INFO_TYPE: 1069 if (dlen > (modulus_len - MIN_PKCS1_PADLEN)) 1070 return (CRYPTO_DATA_LEN_RANGE); 1071 break; 1072 case RSA_X_509_MECH_INFO_TYPE: 1073 if (dlen > modulus_len) 1074 return (CRYPTO_DATA_LEN_RANGE); 1075 break; 1076 } 1077 1078 if (signature->cd_length < modulus_len) { 1079 signature->cd_length = modulus_len; 1080 return (CRYPTO_BUFFER_TOO_SMALL); 1081 } 1082 1083 ASSERT(data->cd_length <= sizeof (tmp_data)); 1084 if ((rv = crypto_get_input_data(data, &dataptr, tmp_data)) 1085 != CRYPTO_SUCCESS) 1086 return (rv); 1087 1088 switch (mech_type) { 1089 case RSA_PKCS_MECH_INFO_TYPE: 1090 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1091 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1092 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1093 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1094 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1095 /* 1096 * Add PKCS padding to the input data to format a block 1097 * type "01" encryption block. 1098 */ 1099 rv = pkcs1_encode(PKCS1_SIGN, dataptr, dlen, plain_data, 1100 modulus_len); 1101 if (rv != CRYPTO_SUCCESS) 1102 return (rv); 1103 1104 break; 1105 1106 case RSA_X_509_MECH_INFO_TYPE: 1107 bzero(plain_data, modulus_len - dlen); 1108 bcopy(dataptr, &plain_data[modulus_len - dlen], dlen); 1109 break; 1110 } 1111 1112 rv = core_rsa_decrypt(key, plain_data, modulus_len, signed_data); 1113 if (rv == CRYPTO_SUCCESS) { 1114 /* copy out to signature */ 1115 if ((rv = crypto_put_output_data(signed_data, 1116 signature, modulus_len)) != CRYPTO_SUCCESS) 1117 return (rv); 1118 1119 signature->cd_length = modulus_len; 1120 } 1121 1122 return (rv); 1123 } 1124 1125 /* ARGSUSED */ 1126 static int 1127 rsaprov_sign(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature, 1128 crypto_req_handle_t req) 1129 { 1130 int rv; 1131 rsa_ctx_t *ctxp; 1132 1133 ASSERT(ctx->cc_provider_private != NULL); 1134 ctxp = ctx->cc_provider_private; 1135 1136 /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */ 1137 switch (ctxp->mech_type) { 1138 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1139 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1140 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1141 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1142 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1143 rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data, 1144 signature, CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE | 1145 CRYPTO_DO_FINAL); 1146 break; 1147 default: 1148 rv = rsa_sign_common(ctxp->mech_type, ctxp->key, data, 1149 signature); 1150 break; 1151 } 1152 1153 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1154 (void) rsa_free_context(ctx); 1155 1156 return (rv); 1157 } 1158 1159 /* ARGSUSED */ 1160 static int 1161 rsa_sign_update(crypto_ctx_t *ctx, crypto_data_t *data, crypto_req_handle_t req) 1162 { 1163 int rv; 1164 digest_rsa_ctx_t *ctxp; 1165 rsa_mech_type_t mech_type; 1166 1167 ASSERT(ctx->cc_provider_private != NULL); 1168 ctxp = ctx->cc_provider_private; 1169 mech_type = ctxp->mech_type; 1170 1171 if (mech_type == RSA_PKCS_MECH_INFO_TYPE || 1172 mech_type == RSA_X_509_MECH_INFO_TYPE) 1173 return (CRYPTO_MECHANISM_INVALID); 1174 1175 if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE) 1176 rv = crypto_digest_data(data, &(ctxp->md5_ctx), 1177 NULL, MD5Update, MD5Final, 1178 CRYPTO_DO_MD5 | CRYPTO_DO_UPDATE); 1179 1180 else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE) 1181 rv = crypto_digest_data(data, &(ctxp->sha1_ctx), 1182 NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 | 1183 CRYPTO_DO_UPDATE); 1184 1185 else 1186 rv = crypto_digest_data(data, &(ctxp->sha2_ctx), 1187 NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 | 1188 CRYPTO_DO_UPDATE); 1189 1190 return (rv); 1191 } 1192 1193 /* ARGSUSED2 */ 1194 static int 1195 rsa_sign_final(crypto_ctx_t *ctx, crypto_data_t *signature, 1196 crypto_req_handle_t req) 1197 { 1198 int rv; 1199 digest_rsa_ctx_t *ctxp; 1200 1201 ASSERT(ctx->cc_provider_private != NULL); 1202 ctxp = ctx->cc_provider_private; 1203 1204 rv = rsa_digest_svrfy_common(ctxp, NULL, signature, 1205 CRYPTO_DO_SIGN | CRYPTO_DO_FINAL); 1206 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1207 (void) rsa_free_context(ctx); 1208 1209 return (rv); 1210 } 1211 1212 /* ARGSUSED */ 1213 static int 1214 rsa_sign_atomic(crypto_provider_handle_t provider, 1215 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1216 crypto_key_t *key, crypto_data_t *data, crypto_data_t *signature, 1217 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) 1218 { 1219 int rv; 1220 digest_rsa_ctx_t dctx; 1221 1222 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1223 return (rv); 1224 1225 if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE || 1226 mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE) 1227 rv = rsa_sign_common(mechanism->cm_type, key, data, 1228 signature); 1229 1230 else { 1231 dctx.mech_type = mechanism->cm_type; 1232 dctx.key = key; 1233 switch (mechanism->cm_type) { 1234 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1235 MD5Init(&(dctx.md5_ctx)); 1236 break; 1237 1238 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1239 SHA1Init(&(dctx.sha1_ctx)); 1240 break; 1241 1242 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1243 SHA2Init(SHA256, &(dctx.sha2_ctx)); 1244 break; 1245 1246 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1247 SHA2Init(SHA384, &(dctx.sha2_ctx)); 1248 break; 1249 1250 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1251 SHA2Init(SHA512, &(dctx.sha2_ctx)); 1252 break; 1253 } 1254 1255 rv = rsa_digest_svrfy_common(&dctx, data, signature, 1256 CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL); 1257 } 1258 1259 return (rv); 1260 } 1261 1262 static int 1263 rsa_verify_common(rsa_mech_type_t mech_type, crypto_key_t *key, 1264 crypto_data_t *data, crypto_data_t *signature) 1265 { 1266 int rv = CRYPTO_FAILED; 1267 1268 uchar_t *sigptr, *modulus; 1269 ssize_t modulus_len; 1270 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1271 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1272 1273 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1274 &modulus_len)) != CRYPTO_SUCCESS) { 1275 return (rv); 1276 } 1277 1278 if (signature->cd_length != modulus_len) 1279 return (CRYPTO_SIGNATURE_LEN_RANGE); 1280 1281 ASSERT(signature->cd_length <= sizeof (tmp_data)); 1282 if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data)) 1283 != CRYPTO_SUCCESS) 1284 return (rv); 1285 1286 rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, 1); 1287 if (rv != CRYPTO_SUCCESS) 1288 return (rv); 1289 1290 if (mech_type == RSA_X_509_MECH_INFO_TYPE) { 1291 if (compare_data(data, (plain_data + modulus_len 1292 - data->cd_length)) != 0) 1293 rv = CRYPTO_SIGNATURE_INVALID; 1294 1295 } else { 1296 size_t data_len = modulus_len; 1297 1298 /* 1299 * Strip off the encoded padding bytes in front of the 1300 * recovered data, then compare the recovered data with 1301 * the original data. 1302 */ 1303 rv = pkcs1_decode(PKCS1_VERIFY, plain_data, &data_len); 1304 if (rv != CRYPTO_SUCCESS) 1305 return (rv); 1306 1307 if (data_len != data->cd_length) 1308 return (CRYPTO_SIGNATURE_LEN_RANGE); 1309 1310 if (compare_data(data, (plain_data + modulus_len 1311 - data_len)) != 0) 1312 rv = CRYPTO_SIGNATURE_INVALID; 1313 } 1314 1315 return (rv); 1316 } 1317 1318 /* ARGSUSED */ 1319 static int 1320 rsaprov_verify(crypto_ctx_t *ctx, crypto_data_t *data, 1321 crypto_data_t *signature, crypto_req_handle_t req) 1322 { 1323 int rv; 1324 rsa_ctx_t *ctxp; 1325 1326 ASSERT(ctx->cc_provider_private != NULL); 1327 ctxp = ctx->cc_provider_private; 1328 1329 /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */ 1330 switch (ctxp->mech_type) { 1331 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1332 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1333 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1334 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1335 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1336 rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data, 1337 signature, CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | 1338 CRYPTO_DO_FINAL); 1339 break; 1340 default: 1341 rv = rsa_verify_common(ctxp->mech_type, ctxp->key, data, 1342 signature); 1343 break; 1344 } 1345 1346 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1347 (void) rsa_free_context(ctx); 1348 1349 return (rv); 1350 } 1351 1352 /* ARGSUSED */ 1353 static int 1354 rsa_verify_update(crypto_ctx_t *ctx, crypto_data_t *data, 1355 crypto_req_handle_t req) 1356 { 1357 int rv; 1358 digest_rsa_ctx_t *ctxp; 1359 1360 ASSERT(ctx->cc_provider_private != NULL); 1361 ctxp = ctx->cc_provider_private; 1362 1363 switch (ctxp->mech_type) { 1364 1365 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1366 rv = crypto_digest_data(data, &(ctxp->md5_ctx), 1367 NULL, MD5Update, MD5Final, CRYPTO_DO_MD5 | 1368 CRYPTO_DO_UPDATE); 1369 break; 1370 1371 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1372 rv = crypto_digest_data(data, &(ctxp->sha1_ctx), 1373 NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 | 1374 CRYPTO_DO_UPDATE); 1375 break; 1376 1377 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1378 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1379 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1380 rv = crypto_digest_data(data, &(ctxp->sha2_ctx), 1381 NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 | 1382 CRYPTO_DO_UPDATE); 1383 break; 1384 1385 default: 1386 return (CRYPTO_MECHANISM_INVALID); 1387 } 1388 1389 return (rv); 1390 } 1391 1392 /* ARGSUSED2 */ 1393 static int 1394 rsa_verify_final(crypto_ctx_t *ctx, crypto_data_t *signature, 1395 crypto_req_handle_t req) 1396 { 1397 int rv; 1398 digest_rsa_ctx_t *ctxp; 1399 1400 ASSERT(ctx->cc_provider_private != NULL); 1401 ctxp = ctx->cc_provider_private; 1402 1403 rv = rsa_digest_svrfy_common(ctxp, NULL, signature, 1404 CRYPTO_DO_VERIFY | CRYPTO_DO_FINAL); 1405 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1406 (void) rsa_free_context(ctx); 1407 1408 return (rv); 1409 } 1410 1411 1412 /* ARGSUSED */ 1413 static int 1414 rsa_verify_atomic(crypto_provider_handle_t provider, 1415 crypto_session_id_t session_id, 1416 crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, 1417 crypto_data_t *signature, crypto_spi_ctx_template_t ctx_template, 1418 crypto_req_handle_t req) 1419 { 1420 int rv; 1421 digest_rsa_ctx_t dctx; 1422 1423 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1424 return (rv); 1425 1426 if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE || 1427 mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE) 1428 rv = rsa_verify_common(mechanism->cm_type, key, data, 1429 signature); 1430 1431 else { 1432 dctx.mech_type = mechanism->cm_type; 1433 dctx.key = key; 1434 1435 switch (mechanism->cm_type) { 1436 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1437 MD5Init(&(dctx.md5_ctx)); 1438 break; 1439 1440 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1441 SHA1Init(&(dctx.sha1_ctx)); 1442 break; 1443 1444 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1445 SHA2Init(SHA256, &(dctx.sha2_ctx)); 1446 break; 1447 1448 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1449 SHA2Init(SHA384, &(dctx.sha2_ctx)); 1450 break; 1451 1452 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1453 SHA2Init(SHA512, &(dctx.sha2_ctx)); 1454 break; 1455 } 1456 1457 rv = rsa_digest_svrfy_common(&dctx, data, signature, 1458 CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL); 1459 } 1460 1461 return (rv); 1462 } 1463 1464 static int 1465 rsa_verify_recover_common(rsa_mech_type_t mech_type, crypto_key_t *key, 1466 crypto_data_t *signature, crypto_data_t *data) 1467 { 1468 int rv = CRYPTO_FAILED; 1469 1470 size_t data_len; 1471 uchar_t *sigptr, *modulus; 1472 ssize_t modulus_len; 1473 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1474 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1475 1476 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1477 &modulus_len)) != CRYPTO_SUCCESS) { 1478 return (rv); 1479 } 1480 1481 if (signature->cd_length != modulus_len) 1482 return (CRYPTO_SIGNATURE_LEN_RANGE); 1483 1484 ASSERT(signature->cd_length <= sizeof (tmp_data)); 1485 if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data)) 1486 != CRYPTO_SUCCESS) 1487 return (rv); 1488 1489 rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, 1); 1490 if (rv != CRYPTO_SUCCESS) 1491 return (rv); 1492 1493 data_len = modulus_len; 1494 1495 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 1496 /* 1497 * Strip off the encoded padding bytes in front of the 1498 * recovered data, then compare the recovered data with 1499 * the original data. 1500 */ 1501 rv = pkcs1_decode(PKCS1_VERIFY, plain_data, &data_len); 1502 if (rv != CRYPTO_SUCCESS) 1503 return (rv); 1504 } 1505 1506 if (data->cd_length < data_len) { 1507 data->cd_length = data_len; 1508 return (CRYPTO_BUFFER_TOO_SMALL); 1509 } 1510 1511 if ((rv = crypto_put_output_data(plain_data + modulus_len - data_len, 1512 data, data_len)) != CRYPTO_SUCCESS) 1513 return (rv); 1514 data->cd_length = data_len; 1515 1516 return (rv); 1517 } 1518 1519 /* ARGSUSED */ 1520 static int 1521 rsa_verify_recover(crypto_ctx_t *ctx, crypto_data_t *signature, 1522 crypto_data_t *data, crypto_req_handle_t req) 1523 { 1524 int rv; 1525 rsa_ctx_t *ctxp; 1526 1527 ASSERT(ctx->cc_provider_private != NULL); 1528 ctxp = ctx->cc_provider_private; 1529 1530 /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */ 1531 rv = rsa_verify_recover_common(ctxp->mech_type, ctxp->key, 1532 signature, data); 1533 1534 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1535 (void) rsa_free_context(ctx); 1536 1537 return (rv); 1538 } 1539 1540 /* ARGSUSED */ 1541 static int 1542 rsa_verify_recover_atomic(crypto_provider_handle_t provider, 1543 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1544 crypto_key_t *key, crypto_data_t *signature, crypto_data_t *data, 1545 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) 1546 { 1547 int rv; 1548 1549 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1550 return (rv); 1551 1552 return (rsa_verify_recover_common(mechanism->cm_type, key, 1553 signature, data)); 1554 } 1555