1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * RSA provider for the Kernel Cryptographic Framework (KCF) 28 */ 29 30 #include <sys/types.h> 31 #include <sys/systm.h> 32 #include <sys/modctl.h> 33 #include <sys/cmn_err.h> 34 #include <sys/ddi.h> 35 #include <sys/crypto/spi.h> 36 #include <sys/sysmacros.h> 37 #include <sys/strsun.h> 38 #include <sys/md5.h> 39 #include <sys/sha1.h> 40 #define _SHA2_IMPL 41 #include <sys/sha2.h> 42 #include <sys/random.h> 43 #include <sys/crypto/impl.h> 44 #include <sha1/sha1_impl.h> 45 #include <sha2/sha2_impl.h> 46 #define _RSA_FIPS_POST 47 #include <rsa/rsa_impl.h> 48 49 extern struct mod_ops mod_cryptoops; 50 51 /* 52 * Module linkage information for the kernel. 53 */ 54 static struct modlcrypto modlcrypto = { 55 &mod_cryptoops, 56 "RSA Kernel SW Provider" 57 }; 58 59 static struct modlinkage modlinkage = { 60 MODREV_1, 61 (void *)&modlcrypto, 62 NULL 63 }; 64 65 /* 66 * CSPI information (entry points, provider info, etc.) 67 */ 68 typedef enum rsa_mech_type { 69 RSA_PKCS_MECH_INFO_TYPE, /* SUN_CKM_RSA_PKCS */ 70 RSA_X_509_MECH_INFO_TYPE, /* SUN_CKM_RSA_X_509 */ 71 MD5_RSA_PKCS_MECH_INFO_TYPE, /* SUN_MD5_RSA_PKCS */ 72 SHA1_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA1_RSA_PKCS */ 73 SHA256_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA256_RSA_PKCS */ 74 SHA384_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA384_RSA_PKCS */ 75 SHA512_RSA_PKCS_MECH_INFO_TYPE /* SUN_SHA512_RSA_PKCS */ 76 } rsa_mech_type_t; 77 78 /* 79 * Context for RSA_PKCS and RSA_X_509 mechanisms. 80 */ 81 typedef struct rsa_ctx { 82 rsa_mech_type_t mech_type; 83 crypto_key_t *key; 84 size_t keychunk_size; 85 } rsa_ctx_t; 86 87 /* 88 * Context for MD5_RSA_PKCS and SHA*_RSA_PKCS mechanisms. 89 */ 90 typedef struct digest_rsa_ctx { 91 rsa_mech_type_t mech_type; 92 crypto_key_t *key; 93 size_t keychunk_size; 94 union { 95 MD5_CTX md5ctx; 96 SHA1_CTX sha1ctx; 97 SHA2_CTX sha2ctx; 98 } dctx_u; 99 } digest_rsa_ctx_t; 100 101 #define md5_ctx dctx_u.md5ctx 102 #define sha1_ctx dctx_u.sha1ctx 103 #define sha2_ctx dctx_u.sha2ctx 104 105 /* 106 * Mechanism info structure passed to KCF during registration. 107 */ 108 static crypto_mech_info_t rsa_mech_info_tab[] = { 109 /* RSA_PKCS */ 110 {SUN_CKM_RSA_PKCS, RSA_PKCS_MECH_INFO_TYPE, 111 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 112 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC | 113 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 114 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC | 115 CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC | 116 CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC, 117 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 118 119 /* RSA_X_509 */ 120 {SUN_CKM_RSA_X_509, RSA_X_509_MECH_INFO_TYPE, 121 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 122 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC | 123 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 124 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC | 125 CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC | 126 CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC, 127 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 128 129 /* MD5_RSA_PKCS */ 130 {SUN_CKM_MD5_RSA_PKCS, MD5_RSA_PKCS_MECH_INFO_TYPE, 131 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 132 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 133 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 134 135 /* SHA1_RSA_PKCS */ 136 {SUN_CKM_SHA1_RSA_PKCS, SHA1_RSA_PKCS_MECH_INFO_TYPE, 137 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 138 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 139 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 140 141 /* SHA256_RSA_PKCS */ 142 {SUN_CKM_SHA256_RSA_PKCS, SHA256_RSA_PKCS_MECH_INFO_TYPE, 143 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 144 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 145 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 146 147 /* SHA384_RSA_PKCS */ 148 {SUN_CKM_SHA384_RSA_PKCS, SHA384_RSA_PKCS_MECH_INFO_TYPE, 149 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 150 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 151 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 152 153 /* SHA512_RSA_PKCS */ 154 {SUN_CKM_SHA512_RSA_PKCS, SHA512_RSA_PKCS_MECH_INFO_TYPE, 155 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 156 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 157 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS} 158 159 }; 160 161 #define RSA_VALID_MECH(mech) \ 162 (((mech)->cm_type == RSA_PKCS_MECH_INFO_TYPE || \ 163 (mech)->cm_type == RSA_X_509_MECH_INFO_TYPE || \ 164 (mech)->cm_type == MD5_RSA_PKCS_MECH_INFO_TYPE || \ 165 (mech)->cm_type == SHA1_RSA_PKCS_MECH_INFO_TYPE || \ 166 (mech)->cm_type == SHA256_RSA_PKCS_MECH_INFO_TYPE || \ 167 (mech)->cm_type == SHA384_RSA_PKCS_MECH_INFO_TYPE || \ 168 (mech)->cm_type == SHA512_RSA_PKCS_MECH_INFO_TYPE) ? 1 : 0) 169 170 /* operations are in-place if the output buffer is NULL */ 171 #define RSA_ARG_INPLACE(input, output) \ 172 if ((output) == NULL) \ 173 (output) = (input); 174 175 static void rsa_provider_status(crypto_provider_handle_t, uint_t *); 176 177 static crypto_control_ops_t rsa_control_ops = { 178 rsa_provider_status 179 }; 180 181 static int rsa_common_init(crypto_ctx_t *, crypto_mechanism_t *, 182 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 183 static int rsa_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 184 crypto_req_handle_t); 185 static int rsa_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t, 186 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 187 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 188 static int rsa_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 189 crypto_req_handle_t); 190 static int rsa_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t, 191 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 192 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 193 194 /* 195 * The RSA mechanisms do not have multiple-part cipher operations. 196 * So, the update and final routines are set to NULL. 197 */ 198 static crypto_cipher_ops_t rsa_cipher_ops = { 199 rsa_common_init, 200 rsa_encrypt, 201 NULL, 202 NULL, 203 rsa_encrypt_atomic, 204 rsa_common_init, 205 rsa_decrypt, 206 NULL, 207 NULL, 208 rsa_decrypt_atomic 209 }; 210 211 static int rsa_sign_verify_common_init(crypto_ctx_t *, crypto_mechanism_t *, 212 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 213 static int rsa_sign(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 214 crypto_req_handle_t); 215 static int rsa_sign_update(crypto_ctx_t *, crypto_data_t *, 216 crypto_req_handle_t); 217 static int rsa_sign_final(crypto_ctx_t *, crypto_data_t *, 218 crypto_req_handle_t); 219 static int rsa_sign_atomic(crypto_provider_handle_t, crypto_session_id_t, 220 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, 221 crypto_spi_ctx_template_t, crypto_req_handle_t); 222 223 /* 224 * We use the same routine for sign_init and sign_recover_init fields 225 * as they do the same thing. Same holds for sign and sign_recover fields, 226 * and sign_atomic and sign_recover_atomic fields. 227 */ 228 static crypto_sign_ops_t rsa_sign_ops = { 229 rsa_sign_verify_common_init, 230 rsa_sign, 231 rsa_sign_update, 232 rsa_sign_final, 233 rsa_sign_atomic, 234 rsa_sign_verify_common_init, 235 rsa_sign, 236 rsa_sign_atomic 237 }; 238 239 static int rsa_verify(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 240 crypto_req_handle_t); 241 static int rsa_verify_update(crypto_ctx_t *, crypto_data_t *, 242 crypto_req_handle_t); 243 static int rsa_verify_final(crypto_ctx_t *, crypto_data_t *, 244 crypto_req_handle_t); 245 static int rsa_verify_atomic(crypto_provider_handle_t, crypto_session_id_t, 246 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 247 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 248 static int rsa_verify_recover(crypto_ctx_t *, crypto_data_t *, 249 crypto_data_t *, crypto_req_handle_t); 250 static int rsa_verify_recover_atomic(crypto_provider_handle_t, 251 crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, 252 crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t, 253 crypto_req_handle_t); 254 255 /* 256 * We use the same routine (rsa_sign_verify_common_init) for verify_init 257 * and verify_recover_init fields as they do the same thing. 258 */ 259 static crypto_verify_ops_t rsa_verify_ops = { 260 rsa_sign_verify_common_init, 261 rsa_verify, 262 rsa_verify_update, 263 rsa_verify_final, 264 rsa_verify_atomic, 265 rsa_sign_verify_common_init, 266 rsa_verify_recover, 267 rsa_verify_recover_atomic 268 }; 269 270 static int rsa_free_context(crypto_ctx_t *); 271 272 static crypto_ctx_ops_t rsa_ctx_ops = { 273 NULL, 274 rsa_free_context 275 }; 276 277 static crypto_ops_t rsa_crypto_ops = { 278 &rsa_control_ops, 279 NULL, 280 &rsa_cipher_ops, 281 NULL, 282 &rsa_sign_ops, 283 &rsa_verify_ops, 284 NULL, 285 NULL, 286 NULL, 287 NULL, 288 NULL, 289 NULL, 290 NULL, 291 &rsa_ctx_ops 292 }; 293 294 static crypto_provider_info_t rsa_prov_info = { 295 CRYPTO_SPI_VERSION_1, 296 "RSA Software Provider", 297 CRYPTO_SW_PROVIDER, 298 {&modlinkage}, 299 NULL, 300 &rsa_crypto_ops, 301 sizeof (rsa_mech_info_tab)/sizeof (crypto_mech_info_t), 302 rsa_mech_info_tab 303 }; 304 305 static int rsa_encrypt_common(rsa_mech_type_t, crypto_key_t *, 306 crypto_data_t *, crypto_data_t *, int); 307 static int rsa_decrypt_common(rsa_mech_type_t, crypto_key_t *, 308 crypto_data_t *, crypto_data_t *, int); 309 static int rsa_sign_common(rsa_mech_type_t, crypto_key_t *, 310 crypto_data_t *, crypto_data_t *, int); 311 static int rsa_verify_common(rsa_mech_type_t, crypto_key_t *, 312 crypto_data_t *, crypto_data_t *, int); 313 static int compare_data(crypto_data_t *, uchar_t *); 314 315 /* EXPORT DELETE START */ 316 317 static int core_rsa_encrypt(crypto_key_t *, uchar_t *, 318 int, uchar_t *, int, int); 319 static int core_rsa_decrypt(crypto_key_t *, uchar_t *, int, 320 uchar_t *, int); 321 322 /* EXPORT DELETE END */ 323 324 static crypto_kcf_provider_handle_t rsa_prov_handle = NULL; 325 326 int 327 _init(void) 328 { 329 int ret; 330 331 /* 332 * Register with KCF. If the registration fails, return error. 333 */ 334 if ((ret = crypto_register_provider(&rsa_prov_info, 335 &rsa_prov_handle)) != CRYPTO_SUCCESS) { 336 cmn_err(CE_WARN, "rsa _init: crypto_register_provider()" 337 "failed (0x%x)", ret); 338 return (EACCES); 339 } 340 341 if ((ret = mod_install(&modlinkage)) != 0) { 342 int rv; 343 344 ASSERT(rsa_prov_handle != NULL); 345 /* We should not return if the unregister returns busy. */ 346 while ((rv = crypto_unregister_provider(rsa_prov_handle)) 347 == CRYPTO_BUSY) { 348 cmn_err(CE_WARN, "rsa _init: " 349 "crypto_unregister_provider() " 350 "failed (0x%x). Retrying.", rv); 351 /* wait 10 seconds and try again. */ 352 delay(10 * drv_usectohz(1000000)); 353 } 354 } 355 356 return (ret); 357 } 358 359 int 360 _fini(void) 361 { 362 int ret; 363 364 /* 365 * Unregister from KCF if previous registration succeeded. 366 */ 367 if (rsa_prov_handle != NULL) { 368 if ((ret = crypto_unregister_provider(rsa_prov_handle)) != 369 CRYPTO_SUCCESS) { 370 cmn_err(CE_WARN, "rsa _fini: " 371 "crypto_unregister_provider() " 372 "failed (0x%x)", ret); 373 return (EBUSY); 374 } 375 rsa_prov_handle = NULL; 376 } 377 378 return (mod_remove(&modlinkage)); 379 } 380 381 int 382 _info(struct modinfo *modinfop) 383 { 384 return (mod_info(&modlinkage, modinfop)); 385 } 386 387 /* ARGSUSED */ 388 static void 389 rsa_provider_status(crypto_provider_handle_t provider, uint_t *status) 390 { 391 *status = CRYPTO_PROVIDER_READY; 392 } 393 394 static int 395 check_mech_and_key(crypto_mechanism_t *mechanism, crypto_key_t *key) 396 { 397 int rv = CRYPTO_FAILED; 398 399 /* EXPORT DELETE START */ 400 401 uchar_t *modulus; 402 ssize_t modulus_len; /* In bytes */ 403 404 if (!RSA_VALID_MECH(mechanism)) 405 return (CRYPTO_MECHANISM_INVALID); 406 407 /* 408 * We only support RSA keys that are passed as a list of 409 * object attributes. 410 */ 411 if (key->ck_format != CRYPTO_KEY_ATTR_LIST) { 412 return (CRYPTO_KEY_TYPE_INCONSISTENT); 413 } 414 415 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 416 &modulus_len)) != CRYPTO_SUCCESS) { 417 return (rv); 418 } 419 if (modulus_len < MIN_RSA_KEYLENGTH_IN_BYTES || 420 modulus_len > MAX_RSA_KEYLENGTH_IN_BYTES) 421 return (CRYPTO_KEY_SIZE_RANGE); 422 423 /* EXPORT DELETE END */ 424 425 return (rv); 426 } 427 428 void 429 kmemset(uint8_t *buf, char pattern, size_t len) 430 { 431 int i = 0; 432 433 while (i < len) 434 buf[i++] = pattern; 435 } 436 437 /* 438 * This function guarantees to return non-zero random numbers. 439 * This is needed as the /dev/urandom kernel interface, 440 * random_get_pseudo_bytes(), may return zeros. 441 */ 442 int 443 knzero_random_generator(uint8_t *ran_out, size_t ran_len) 444 { 445 int rv; 446 size_t ebc = 0; /* count of extra bytes in extrarand */ 447 size_t i = 0; 448 uint8_t extrarand[32]; 449 size_t extrarand_len; 450 451 if ((rv = random_get_pseudo_bytes(ran_out, ran_len)) != 0) 452 return (rv); 453 454 /* 455 * Walk through the returned random numbers pointed by ran_out, 456 * and look for any random number which is zero. 457 * If we find zero, call random_get_pseudo_bytes() to generate 458 * another 32 random numbers pool. Replace any zeros in ran_out[] 459 * from the random number in pool. 460 */ 461 while (i < ran_len) { 462 if (ran_out[i] != 0) { 463 i++; 464 continue; 465 } 466 467 /* 468 * Note that it is 'while' so we are guaranteed a 469 * non-zero value on exit. 470 */ 471 if (ebc == 0) { 472 /* refresh extrarand */ 473 extrarand_len = sizeof (extrarand); 474 if ((rv = random_get_pseudo_bytes(extrarand, 475 extrarand_len)) != 0) { 476 return (rv); 477 } 478 479 ebc = extrarand_len; 480 } 481 /* Replace zero with byte from extrarand. */ 482 -- ebc; 483 484 /* 485 * The new random byte zero/non-zero will be checked in 486 * the next pass through the loop. 487 */ 488 ran_out[i] = extrarand[ebc]; 489 } 490 491 return (CRYPTO_SUCCESS); 492 } 493 494 static int 495 compare_data(crypto_data_t *data, uchar_t *buf) 496 { 497 int len; 498 uchar_t *dptr; 499 500 len = data->cd_length; 501 switch (data->cd_format) { 502 case CRYPTO_DATA_RAW: 503 dptr = (uchar_t *)(data->cd_raw.iov_base + 504 data->cd_offset); 505 506 return (bcmp(dptr, buf, len)); 507 508 case CRYPTO_DATA_UIO: 509 return (crypto_uio_data(data, buf, len, 510 COMPARE_TO_DATA, NULL, NULL)); 511 512 case CRYPTO_DATA_MBLK: 513 return (crypto_mblk_data(data, buf, len, 514 COMPARE_TO_DATA, NULL, NULL)); 515 } 516 517 return (CRYPTO_FAILED); 518 } 519 520 /* ARGSUSED */ 521 static int 522 rsa_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 523 crypto_key_t *key, crypto_spi_ctx_template_t template, 524 crypto_req_handle_t req) 525 { 526 int rv; 527 int kmflag; 528 rsa_ctx_t *ctxp; 529 530 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 531 return (rv); 532 533 /* 534 * Allocate a RSA context. 535 */ 536 kmflag = crypto_kmflag(req); 537 if ((ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag)) == NULL) 538 return (CRYPTO_HOST_MEMORY); 539 540 if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size, 541 kmflag)) != CRYPTO_SUCCESS) { 542 kmem_free(ctxp, sizeof (rsa_ctx_t)); 543 return (rv); 544 } 545 ctxp->mech_type = mechanism->cm_type; 546 547 ctx->cc_provider_private = ctxp; 548 549 return (CRYPTO_SUCCESS); 550 } 551 552 /* ARGSUSED */ 553 static int 554 rsa_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext, 555 crypto_data_t *ciphertext, crypto_req_handle_t req) 556 { 557 int rv; 558 rsa_ctx_t *ctxp; 559 560 ASSERT(ctx->cc_provider_private != NULL); 561 ctxp = ctx->cc_provider_private; 562 563 RSA_ARG_INPLACE(plaintext, ciphertext); 564 565 /* 566 * Note on the KM_SLEEP flag passed to the routine below - 567 * rsa_encrypt() is a single-part encryption routine which is 568 * currently usable only by /dev/crypto. Since /dev/crypto calls are 569 * always synchronous, we can safely pass KM_SLEEP here. 570 */ 571 rv = rsa_encrypt_common(ctxp->mech_type, ctxp->key, plaintext, 572 ciphertext, KM_SLEEP); 573 574 if (rv != CRYPTO_BUFFER_TOO_SMALL) 575 (void) rsa_free_context(ctx); 576 577 return (rv); 578 } 579 580 /* ARGSUSED */ 581 static int 582 rsa_encrypt_atomic(crypto_provider_handle_t provider, 583 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 584 crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext, 585 crypto_spi_ctx_template_t template, crypto_req_handle_t req) 586 { 587 int rv; 588 589 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 590 return (rv); 591 RSA_ARG_INPLACE(plaintext, ciphertext); 592 593 return (rsa_encrypt_common(mechanism->cm_type, key, plaintext, 594 ciphertext, crypto_kmflag(req))); 595 } 596 597 static int 598 rsa_free_context(crypto_ctx_t *ctx) 599 { 600 rsa_ctx_t *ctxp = ctx->cc_provider_private; 601 602 if (ctxp != NULL) { 603 bzero(ctxp->key, ctxp->keychunk_size); 604 kmem_free(ctxp->key, ctxp->keychunk_size); 605 606 if (ctxp->mech_type == RSA_PKCS_MECH_INFO_TYPE || 607 ctxp->mech_type == RSA_X_509_MECH_INFO_TYPE) 608 kmem_free(ctxp, sizeof (rsa_ctx_t)); 609 else 610 kmem_free(ctxp, sizeof (digest_rsa_ctx_t)); 611 612 ctx->cc_provider_private = NULL; 613 } 614 615 return (CRYPTO_SUCCESS); 616 } 617 618 static int 619 rsa_encrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key, 620 crypto_data_t *plaintext, crypto_data_t *ciphertext, int kmflag) 621 { 622 int rv = CRYPTO_FAILED; 623 624 /* EXPORT DELETE START */ 625 626 int plen; 627 uchar_t *ptptr; 628 uchar_t *modulus; 629 ssize_t modulus_len; 630 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 631 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 632 uchar_t cipher_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 633 634 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 635 &modulus_len)) != CRYPTO_SUCCESS) { 636 return (rv); 637 } 638 639 plen = plaintext->cd_length; 640 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 641 if (plen > (modulus_len - MIN_PKCS1_PADLEN)) 642 return (CRYPTO_DATA_LEN_RANGE); 643 } else { 644 if (plen > modulus_len) 645 return (CRYPTO_DATA_LEN_RANGE); 646 } 647 648 /* 649 * Output buf len must not be less than RSA modulus size. 650 */ 651 if (ciphertext->cd_length < modulus_len) { 652 ciphertext->cd_length = modulus_len; 653 return (CRYPTO_BUFFER_TOO_SMALL); 654 } 655 656 ASSERT(plaintext->cd_length <= sizeof (tmp_data)); 657 if ((rv = crypto_get_input_data(plaintext, &ptptr, tmp_data)) 658 != CRYPTO_SUCCESS) 659 return (rv); 660 661 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 662 rv = soft_encrypt_rsa_pkcs_encode(ptptr, plen, 663 plain_data, modulus_len); 664 665 if (rv != CRYPTO_SUCCESS) 666 return (rv); 667 } else { 668 bzero(plain_data, modulus_len - plen); 669 bcopy(ptptr, &plain_data[modulus_len - plen], plen); 670 } 671 672 rv = core_rsa_encrypt(key, plain_data, modulus_len, 673 cipher_data, kmflag, 1); 674 if (rv == CRYPTO_SUCCESS) { 675 /* copy out to ciphertext */ 676 if ((rv = crypto_put_output_data(cipher_data, 677 ciphertext, modulus_len)) != CRYPTO_SUCCESS) 678 return (rv); 679 680 ciphertext->cd_length = modulus_len; 681 } 682 683 /* EXPORT DELETE END */ 684 685 return (rv); 686 } 687 688 /* EXPORT DELETE START */ 689 690 static int 691 core_rsa_encrypt(crypto_key_t *key, uchar_t *in, 692 int in_len, uchar_t *out, int kmflag, int is_public) 693 { 694 int rv; 695 uchar_t *expo, *modulus; 696 ssize_t expo_len; 697 ssize_t modulus_len; 698 BIGNUM msg; 699 RSAkey *rsakey; 700 701 if (is_public) { 702 if ((rv = crypto_get_key_attr(key, SUN_CKA_PUBLIC_EXPONENT, 703 &expo, &expo_len)) != CRYPTO_SUCCESS) 704 return (rv); 705 } else { 706 /* 707 * SUN_CKA_PRIVATE_EXPONENT is a required attribute for a 708 * RSA secret key. See the comments in core_rsa_decrypt 709 * routine which calls this routine with a private key. 710 */ 711 if ((rv = crypto_get_key_attr(key, SUN_CKA_PRIVATE_EXPONENT, 712 &expo, &expo_len)) != CRYPTO_SUCCESS) 713 return (rv); 714 } 715 716 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 717 &modulus_len)) != CRYPTO_SUCCESS) { 718 return (rv); 719 } 720 721 rsakey = kmem_alloc(sizeof (RSAkey), kmflag); 722 if (rsakey == NULL) 723 return (CRYPTO_HOST_MEMORY); 724 725 /* psize and qsize for RSA_key_init is in bits. */ 726 if (RSA_key_init(rsakey, modulus_len * 4, modulus_len * 4) != BIG_OK) { 727 rv = CRYPTO_HOST_MEMORY; 728 goto clean1; 729 } 730 731 /* Size for big_init is in BIG_CHUNK_TYPE words. */ 732 if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) { 733 rv = CRYPTO_HOST_MEMORY; 734 goto clean2; 735 } 736 737 /* Convert octet string exponent to big integer format. */ 738 bytestring2bignum(&(rsakey->e), expo, expo_len); 739 740 /* Convert octet string modulus to big integer format. */ 741 bytestring2bignum(&(rsakey->n), modulus, modulus_len); 742 743 /* Convert octet string input data to big integer format. */ 744 bytestring2bignum(&msg, in, in_len); 745 746 if (big_cmp_abs(&msg, &(rsakey->n)) > 0) { 747 rv = CRYPTO_DATA_LEN_RANGE; 748 goto clean3; 749 } 750 751 /* Perform RSA computation on big integer input data. */ 752 if (big_modexp(&msg, &msg, &(rsakey->e), &(rsakey->n), NULL) 753 != BIG_OK) { 754 rv = CRYPTO_HOST_MEMORY; 755 goto clean3; 756 } 757 758 /* Convert the big integer output data to octet string. */ 759 bignum2bytestring(out, &msg, modulus_len); 760 761 /* 762 * Should not free modulus and expo as both are just pointers 763 * to an attribute value buffer from the caller. 764 */ 765 clean3: 766 big_finish(&msg); 767 clean2: 768 RSA_key_finish(rsakey); 769 clean1: 770 kmem_free(rsakey, sizeof (RSAkey)); 771 772 return (rv); 773 } 774 775 /* EXPORT DELETE END */ 776 777 /* ARGSUSED */ 778 static int 779 rsa_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext, 780 crypto_data_t *plaintext, crypto_req_handle_t req) 781 { 782 int rv; 783 rsa_ctx_t *ctxp; 784 785 ASSERT(ctx->cc_provider_private != NULL); 786 ctxp = ctx->cc_provider_private; 787 788 RSA_ARG_INPLACE(ciphertext, plaintext); 789 790 /* See the comments on KM_SLEEP flag in rsa_encrypt() */ 791 rv = rsa_decrypt_common(ctxp->mech_type, ctxp->key, 792 ciphertext, plaintext, KM_SLEEP); 793 794 if (rv != CRYPTO_BUFFER_TOO_SMALL) 795 (void) rsa_free_context(ctx); 796 797 return (rv); 798 } 799 800 /* ARGSUSED */ 801 static int 802 rsa_decrypt_atomic(crypto_provider_handle_t provider, 803 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 804 crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext, 805 crypto_spi_ctx_template_t template, crypto_req_handle_t req) 806 { 807 int rv; 808 809 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 810 return (rv); 811 RSA_ARG_INPLACE(ciphertext, plaintext); 812 813 return (rsa_decrypt_common(mechanism->cm_type, key, ciphertext, 814 plaintext, crypto_kmflag(req))); 815 } 816 817 static int 818 rsa_decrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key, 819 crypto_data_t *ciphertext, crypto_data_t *plaintext, int kmflag) 820 { 821 int rv = CRYPTO_FAILED; 822 823 /* EXPORT DELETE START */ 824 825 int plain_len; 826 uchar_t *ctptr; 827 uchar_t *modulus; 828 ssize_t modulus_len; 829 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 830 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 831 832 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 833 &modulus_len)) != CRYPTO_SUCCESS) { 834 return (rv); 835 } 836 837 /* 838 * Ciphertext length must be equal to RSA modulus size. 839 */ 840 if (ciphertext->cd_length != modulus_len) 841 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE); 842 843 ASSERT(ciphertext->cd_length <= sizeof (tmp_data)); 844 if ((rv = crypto_get_input_data(ciphertext, &ctptr, tmp_data)) 845 != CRYPTO_SUCCESS) 846 return (rv); 847 848 rv = core_rsa_decrypt(key, ctptr, modulus_len, plain_data, kmflag); 849 if (rv == CRYPTO_SUCCESS) { 850 plain_len = modulus_len; 851 852 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 853 /* Strip off the PKCS block formatting data. */ 854 rv = soft_decrypt_rsa_pkcs_decode(plain_data, 855 &plain_len); 856 if (rv != CRYPTO_SUCCESS) 857 return (rv); 858 } 859 860 if (plain_len > plaintext->cd_length) { 861 plaintext->cd_length = plain_len; 862 return (CRYPTO_BUFFER_TOO_SMALL); 863 } 864 865 if ((rv = crypto_put_output_data( 866 plain_data + modulus_len - plain_len, 867 plaintext, plain_len)) != CRYPTO_SUCCESS) 868 return (rv); 869 870 plaintext->cd_length = plain_len; 871 } 872 873 /* EXPORT DELETE END */ 874 875 return (rv); 876 } 877 878 /* EXPORT DELETE START */ 879 880 static int 881 core_rsa_decrypt(crypto_key_t *key, uchar_t *in, int in_len, 882 uchar_t *out, int kmflag) 883 { 884 int rv; 885 uchar_t *modulus, *prime1, *prime2, *expo1, *expo2, *coef; 886 ssize_t modulus_len; 887 ssize_t prime1_len, prime2_len; 888 ssize_t expo1_len, expo2_len, coef_len; 889 BIGNUM msg; 890 RSAkey *rsakey; 891 892 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 893 &modulus_len)) != CRYPTO_SUCCESS) { 894 return (rv); 895 } 896 897 /* 898 * The following attributes are not required to be 899 * present in a RSA secret key. If any of them is not present 900 * we call the encrypt routine with a flag indicating use of 901 * private exponent (d). Note that SUN_CKA_PRIVATE_EXPONENT is 902 * a required attribute for a RSA secret key. 903 */ 904 if ((crypto_get_key_attr(key, SUN_CKA_PRIME_1, &prime1, &prime1_len) 905 != CRYPTO_SUCCESS) || 906 (crypto_get_key_attr(key, SUN_CKA_PRIME_2, &prime2, &prime2_len) 907 != CRYPTO_SUCCESS) || 908 (crypto_get_key_attr(key, SUN_CKA_EXPONENT_1, &expo1, &expo1_len) 909 != CRYPTO_SUCCESS) || 910 (crypto_get_key_attr(key, SUN_CKA_EXPONENT_2, &expo2, &expo2_len) 911 != CRYPTO_SUCCESS) || 912 (crypto_get_key_attr(key, SUN_CKA_COEFFICIENT, &coef, &coef_len) 913 != CRYPTO_SUCCESS)) { 914 return (core_rsa_encrypt(key, in, in_len, out, kmflag, 0)); 915 } 916 917 rsakey = kmem_alloc(sizeof (RSAkey), kmflag); 918 if (rsakey == NULL) 919 return (CRYPTO_HOST_MEMORY); 920 921 /* psize and qsize for RSA_key_init is in bits. */ 922 if (RSA_key_init(rsakey, prime2_len * 8, prime1_len * 8) != BIG_OK) { 923 rv = CRYPTO_HOST_MEMORY; 924 goto clean1; 925 } 926 927 /* Size for big_init is in BIG_CHUNK_TYPE words. */ 928 if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) { 929 rv = CRYPTO_HOST_MEMORY; 930 goto clean2; 931 } 932 933 /* Convert octet string input data to big integer format. */ 934 bytestring2bignum(&msg, in, in_len); 935 936 /* Convert octet string modulus to big integer format. */ 937 bytestring2bignum(&(rsakey->n), modulus, modulus_len); 938 939 if (big_cmp_abs(&msg, &(rsakey->n)) > 0) { 940 rv = CRYPTO_DATA_LEN_RANGE; 941 goto clean3; 942 } 943 944 /* Convert the rest of private key attributes to big integer format. */ 945 bytestring2bignum(&(rsakey->dmodpminus1), expo2, expo2_len); 946 bytestring2bignum(&(rsakey->dmodqminus1), expo1, expo1_len); 947 bytestring2bignum(&(rsakey->p), prime2, prime2_len); 948 bytestring2bignum(&(rsakey->q), prime1, prime1_len); 949 bytestring2bignum(&(rsakey->pinvmodq), coef, coef_len); 950 951 if ((big_cmp_abs(&(rsakey->dmodpminus1), &(rsakey->p)) > 0) || 952 (big_cmp_abs(&(rsakey->dmodqminus1), &(rsakey->q)) > 0) || 953 (big_cmp_abs(&(rsakey->pinvmodq), &(rsakey->q)) > 0)) { 954 rv = CRYPTO_KEY_SIZE_RANGE; 955 goto clean3; 956 } 957 958 /* Perform RSA computation on big integer input data. */ 959 if (big_modexp_crt(&msg, &msg, &(rsakey->dmodpminus1), 960 &(rsakey->dmodqminus1), &(rsakey->p), &(rsakey->q), 961 &(rsakey->pinvmodq), NULL, NULL) != BIG_OK) { 962 rv = CRYPTO_HOST_MEMORY; 963 goto clean3; 964 } 965 966 /* Convert the big integer output data to octet string. */ 967 bignum2bytestring(out, &msg, modulus_len); 968 969 /* 970 * Should not free modulus and friends as they are just pointers 971 * to an attribute value buffer from the caller. 972 */ 973 clean3: 974 big_finish(&msg); 975 clean2: 976 RSA_key_finish(rsakey); 977 clean1: 978 kmem_free(rsakey, sizeof (RSAkey)); 979 980 return (rv); 981 } 982 983 /* EXPORT DELETE END */ 984 985 /* ARGSUSED */ 986 static int 987 rsa_sign_verify_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 988 crypto_key_t *key, crypto_spi_ctx_template_t ctx_template, 989 crypto_req_handle_t req) 990 { 991 int rv; 992 int kmflag; 993 rsa_ctx_t *ctxp; 994 digest_rsa_ctx_t *dctxp; 995 996 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 997 return (rv); 998 999 /* 1000 * Allocate a RSA context. 1001 */ 1002 kmflag = crypto_kmflag(req); 1003 switch (mechanism->cm_type) { 1004 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1005 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1006 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1007 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1008 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1009 dctxp = kmem_zalloc(sizeof (digest_rsa_ctx_t), kmflag); 1010 ctxp = (rsa_ctx_t *)dctxp; 1011 break; 1012 default: 1013 ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag); 1014 break; 1015 } 1016 1017 if (ctxp == NULL) 1018 return (CRYPTO_HOST_MEMORY); 1019 1020 ctxp->mech_type = mechanism->cm_type; 1021 if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size, 1022 kmflag)) != CRYPTO_SUCCESS) { 1023 switch (mechanism->cm_type) { 1024 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1025 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1026 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1027 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1028 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1029 kmem_free(dctxp, sizeof (digest_rsa_ctx_t)); 1030 break; 1031 default: 1032 kmem_free(ctxp, sizeof (rsa_ctx_t)); 1033 break; 1034 } 1035 return (rv); 1036 } 1037 1038 switch (mechanism->cm_type) { 1039 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1040 MD5Init(&(dctxp->md5_ctx)); 1041 break; 1042 1043 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1044 SHA1Init(&(dctxp->sha1_ctx)); 1045 break; 1046 1047 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1048 SHA2Init(SHA256, &(dctxp->sha2_ctx)); 1049 break; 1050 1051 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1052 SHA2Init(SHA384, &(dctxp->sha2_ctx)); 1053 break; 1054 1055 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1056 SHA2Init(SHA512, &(dctxp->sha2_ctx)); 1057 break; 1058 } 1059 1060 ctx->cc_provider_private = ctxp; 1061 1062 return (CRYPTO_SUCCESS); 1063 } 1064 1065 #define SHA1_DIGEST_SIZE 20 1066 #define MD5_DIGEST_SIZE 16 1067 1068 #define INIT_RAW_CRYPTO_DATA(data, base, len, cd_len) \ 1069 (data).cd_format = CRYPTO_DATA_RAW; \ 1070 (data).cd_offset = 0; \ 1071 (data).cd_raw.iov_base = (char *)base; \ 1072 (data).cd_raw.iov_len = len; \ 1073 (data).cd_length = cd_len; 1074 1075 static int 1076 rsa_digest_svrfy_common(digest_rsa_ctx_t *ctxp, crypto_data_t *data, 1077 crypto_data_t *signature, int kmflag, uchar_t flag) 1078 { 1079 int rv = CRYPTO_FAILED; 1080 1081 /* EXPORT DELETE START */ 1082 1083 uchar_t digest[SHA512_DIGEST_LENGTH]; 1084 /* The der_data size is enough for MD5 also */ 1085 uchar_t der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len]; 1086 ulong_t der_data_len; 1087 crypto_data_t der_cd; 1088 rsa_mech_type_t mech_type; 1089 1090 ASSERT(flag & CRYPTO_DO_SIGN || flag & CRYPTO_DO_VERIFY); 1091 ASSERT(data != NULL || (flag & CRYPTO_DO_FINAL)); 1092 1093 mech_type = ctxp->mech_type; 1094 if (mech_type == RSA_PKCS_MECH_INFO_TYPE || 1095 mech_type == RSA_X_509_MECH_INFO_TYPE) 1096 return (CRYPTO_MECHANISM_INVALID); 1097 1098 /* 1099 * We need to do the BUFFER_TOO_SMALL check before digesting 1100 * the data. No check is needed for verify as signature is not 1101 * an output argument for verify. 1102 */ 1103 if (flag & CRYPTO_DO_SIGN) { 1104 uchar_t *modulus; 1105 ssize_t modulus_len; 1106 1107 if ((rv = crypto_get_key_attr(ctxp->key, SUN_CKA_MODULUS, 1108 &modulus, &modulus_len)) != CRYPTO_SUCCESS) { 1109 return (rv); 1110 } 1111 1112 if (signature->cd_length < modulus_len) { 1113 signature->cd_length = modulus_len; 1114 return (CRYPTO_BUFFER_TOO_SMALL); 1115 } 1116 } 1117 1118 if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE) 1119 rv = crypto_digest_data(data, &(ctxp->md5_ctx), 1120 digest, MD5Update, MD5Final, flag | CRYPTO_DO_MD5); 1121 1122 else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE) 1123 rv = crypto_digest_data(data, &(ctxp->sha1_ctx), 1124 digest, SHA1Update, SHA1Final, flag | CRYPTO_DO_SHA1); 1125 1126 else 1127 rv = crypto_digest_data(data, &(ctxp->sha2_ctx), 1128 digest, SHA2Update, SHA2Final, flag | CRYPTO_DO_SHA2); 1129 1130 if (rv != CRYPTO_SUCCESS) 1131 return (rv); 1132 1133 1134 /* 1135 * Prepare the DER encoding of the DigestInfo value as follows: 1136 * MD5: MD5_DER_PREFIX || H 1137 * SHA-1: SHA1_DER_PREFIX || H 1138 * 1139 * See rsa_impl.c for more details. 1140 */ 1141 switch (mech_type) { 1142 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1143 bcopy(MD5_DER_PREFIX, der_data, MD5_DER_PREFIX_Len); 1144 bcopy(digest, der_data + MD5_DER_PREFIX_Len, MD5_DIGEST_SIZE); 1145 der_data_len = MD5_DER_PREFIX_Len + MD5_DIGEST_SIZE; 1146 break; 1147 1148 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1149 bcopy(SHA1_DER_PREFIX, der_data, SHA1_DER_PREFIX_Len); 1150 bcopy(digest, der_data + SHA1_DER_PREFIX_Len, 1151 SHA1_DIGEST_SIZE); 1152 der_data_len = SHA1_DER_PREFIX_Len + SHA1_DIGEST_SIZE; 1153 break; 1154 1155 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1156 bcopy(SHA256_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len); 1157 bcopy(digest, der_data + SHA2_DER_PREFIX_Len, 1158 SHA256_DIGEST_LENGTH); 1159 der_data_len = SHA2_DER_PREFIX_Len + SHA256_DIGEST_LENGTH; 1160 break; 1161 1162 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1163 bcopy(SHA384_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len); 1164 bcopy(digest, der_data + SHA2_DER_PREFIX_Len, 1165 SHA384_DIGEST_LENGTH); 1166 der_data_len = SHA2_DER_PREFIX_Len + SHA384_DIGEST_LENGTH; 1167 break; 1168 1169 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1170 bcopy(SHA512_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len); 1171 bcopy(digest, der_data + SHA2_DER_PREFIX_Len, 1172 SHA512_DIGEST_LENGTH); 1173 der_data_len = SHA2_DER_PREFIX_Len + SHA512_DIGEST_LENGTH; 1174 break; 1175 } 1176 1177 INIT_RAW_CRYPTO_DATA(der_cd, der_data, der_data_len, der_data_len); 1178 /* 1179 * Now, we are ready to sign or verify the DER_ENCODED data. 1180 */ 1181 if (flag & CRYPTO_DO_SIGN) 1182 rv = rsa_sign_common(mech_type, ctxp->key, &der_cd, 1183 signature, kmflag); 1184 else 1185 rv = rsa_verify_common(mech_type, ctxp->key, &der_cd, 1186 signature, kmflag); 1187 1188 /* EXPORT DELETE END */ 1189 1190 return (rv); 1191 } 1192 1193 static int 1194 rsa_sign_common(rsa_mech_type_t mech_type, crypto_key_t *key, 1195 crypto_data_t *data, crypto_data_t *signature, int kmflag) 1196 { 1197 int rv = CRYPTO_FAILED; 1198 1199 /* EXPORT DELETE START */ 1200 1201 int dlen; 1202 uchar_t *dataptr, *modulus; 1203 ssize_t modulus_len; 1204 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1205 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1206 uchar_t signed_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1207 1208 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1209 &modulus_len)) != CRYPTO_SUCCESS) { 1210 return (rv); 1211 } 1212 1213 dlen = data->cd_length; 1214 switch (mech_type) { 1215 case RSA_PKCS_MECH_INFO_TYPE: 1216 if (dlen > (modulus_len - MIN_PKCS1_PADLEN)) 1217 return (CRYPTO_DATA_LEN_RANGE); 1218 break; 1219 case RSA_X_509_MECH_INFO_TYPE: 1220 if (dlen > modulus_len) 1221 return (CRYPTO_DATA_LEN_RANGE); 1222 break; 1223 } 1224 1225 if (signature->cd_length < modulus_len) { 1226 signature->cd_length = modulus_len; 1227 return (CRYPTO_BUFFER_TOO_SMALL); 1228 } 1229 1230 ASSERT(data->cd_length <= sizeof (tmp_data)); 1231 if ((rv = crypto_get_input_data(data, &dataptr, tmp_data)) 1232 != CRYPTO_SUCCESS) 1233 return (rv); 1234 1235 switch (mech_type) { 1236 case RSA_PKCS_MECH_INFO_TYPE: 1237 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1238 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1239 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1240 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1241 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1242 /* 1243 * Add PKCS padding to the input data to format a block 1244 * type "01" encryption block. 1245 */ 1246 rv = soft_sign_rsa_pkcs_encode(dataptr, dlen, plain_data, 1247 modulus_len); 1248 if (rv != CRYPTO_SUCCESS) 1249 return (rv); 1250 1251 break; 1252 1253 case RSA_X_509_MECH_INFO_TYPE: 1254 bzero(plain_data, modulus_len - dlen); 1255 bcopy(dataptr, &plain_data[modulus_len - dlen], dlen); 1256 break; 1257 } 1258 1259 rv = core_rsa_decrypt(key, plain_data, modulus_len, signed_data, 1260 kmflag); 1261 if (rv == CRYPTO_SUCCESS) { 1262 /* copy out to signature */ 1263 if ((rv = crypto_put_output_data(signed_data, 1264 signature, modulus_len)) != CRYPTO_SUCCESS) 1265 return (rv); 1266 1267 signature->cd_length = modulus_len; 1268 } 1269 1270 /* EXPORT DELETE END */ 1271 1272 return (rv); 1273 } 1274 1275 /* ARGSUSED */ 1276 static int 1277 rsa_sign(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature, 1278 crypto_req_handle_t req) 1279 { 1280 int rv; 1281 rsa_ctx_t *ctxp; 1282 1283 ASSERT(ctx->cc_provider_private != NULL); 1284 ctxp = ctx->cc_provider_private; 1285 1286 /* See the comments on KM_SLEEP flag in rsa_encrypt() */ 1287 switch (ctxp->mech_type) { 1288 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1289 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1290 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1291 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1292 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1293 rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data, 1294 signature, KM_SLEEP, CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE | 1295 CRYPTO_DO_FINAL); 1296 break; 1297 default: 1298 rv = rsa_sign_common(ctxp->mech_type, ctxp->key, data, 1299 signature, KM_SLEEP); 1300 break; 1301 } 1302 1303 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1304 (void) rsa_free_context(ctx); 1305 1306 return (rv); 1307 } 1308 1309 /* ARGSUSED */ 1310 static int 1311 rsa_sign_update(crypto_ctx_t *ctx, crypto_data_t *data, crypto_req_handle_t req) 1312 { 1313 int rv; 1314 digest_rsa_ctx_t *ctxp; 1315 rsa_mech_type_t mech_type; 1316 1317 ASSERT(ctx->cc_provider_private != NULL); 1318 ctxp = ctx->cc_provider_private; 1319 mech_type = ctxp->mech_type; 1320 1321 if (mech_type == RSA_PKCS_MECH_INFO_TYPE || 1322 mech_type == RSA_X_509_MECH_INFO_TYPE) 1323 return (CRYPTO_MECHANISM_INVALID); 1324 1325 if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE) 1326 rv = crypto_digest_data(data, &(ctxp->md5_ctx), 1327 NULL, MD5Update, MD5Final, 1328 CRYPTO_DO_MD5 | CRYPTO_DO_UPDATE); 1329 1330 else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE) 1331 rv = crypto_digest_data(data, &(ctxp->sha1_ctx), 1332 NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 | 1333 CRYPTO_DO_UPDATE); 1334 1335 else 1336 rv = crypto_digest_data(data, &(ctxp->sha2_ctx), 1337 NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 | 1338 CRYPTO_DO_UPDATE); 1339 1340 return (rv); 1341 } 1342 1343 static int 1344 rsa_sign_final(crypto_ctx_t *ctx, crypto_data_t *signature, 1345 crypto_req_handle_t req) 1346 { 1347 int rv; 1348 digest_rsa_ctx_t *ctxp; 1349 1350 ASSERT(ctx->cc_provider_private != NULL); 1351 ctxp = ctx->cc_provider_private; 1352 1353 rv = rsa_digest_svrfy_common(ctxp, NULL, signature, 1354 crypto_kmflag(req), CRYPTO_DO_SIGN | CRYPTO_DO_FINAL); 1355 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1356 (void) rsa_free_context(ctx); 1357 1358 return (rv); 1359 } 1360 1361 /* ARGSUSED */ 1362 static int 1363 rsa_sign_atomic(crypto_provider_handle_t provider, 1364 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1365 crypto_key_t *key, crypto_data_t *data, crypto_data_t *signature, 1366 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) 1367 { 1368 int rv; 1369 digest_rsa_ctx_t dctx; 1370 1371 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1372 return (rv); 1373 1374 if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE || 1375 mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE) 1376 rv = rsa_sign_common(mechanism->cm_type, key, data, 1377 signature, crypto_kmflag(req)); 1378 1379 else { 1380 dctx.mech_type = mechanism->cm_type; 1381 dctx.key = key; 1382 switch (mechanism->cm_type) { 1383 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1384 MD5Init(&(dctx.md5_ctx)); 1385 break; 1386 1387 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1388 SHA1Init(&(dctx.sha1_ctx)); 1389 break; 1390 1391 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1392 SHA2Init(SHA256, &(dctx.sha2_ctx)); 1393 break; 1394 1395 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1396 SHA2Init(SHA384, &(dctx.sha2_ctx)); 1397 break; 1398 1399 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1400 SHA2Init(SHA512, &(dctx.sha2_ctx)); 1401 break; 1402 } 1403 1404 rv = rsa_digest_svrfy_common(&dctx, data, signature, 1405 crypto_kmflag(req), CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE | 1406 CRYPTO_DO_FINAL); 1407 } 1408 1409 return (rv); 1410 } 1411 1412 static int 1413 rsa_verify_common(rsa_mech_type_t mech_type, crypto_key_t *key, 1414 crypto_data_t *data, crypto_data_t *signature, int kmflag) 1415 { 1416 int rv = CRYPTO_FAILED; 1417 1418 /* EXPORT DELETE START */ 1419 1420 uchar_t *sigptr, *modulus; 1421 ssize_t modulus_len; 1422 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1423 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1424 1425 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1426 &modulus_len)) != CRYPTO_SUCCESS) { 1427 return (rv); 1428 } 1429 1430 if (signature->cd_length != modulus_len) 1431 return (CRYPTO_SIGNATURE_LEN_RANGE); 1432 1433 ASSERT(signature->cd_length <= sizeof (tmp_data)); 1434 if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data)) 1435 != CRYPTO_SUCCESS) 1436 return (rv); 1437 1438 rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, kmflag, 1); 1439 if (rv != CRYPTO_SUCCESS) 1440 return (rv); 1441 1442 if (mech_type == RSA_X_509_MECH_INFO_TYPE) { 1443 if (compare_data(data, (plain_data + modulus_len 1444 - data->cd_length)) != 0) 1445 rv = CRYPTO_SIGNATURE_INVALID; 1446 1447 } else { 1448 int data_len = modulus_len; 1449 1450 /* 1451 * Strip off the encoded padding bytes in front of the 1452 * recovered data, then compare the recovered data with 1453 * the original data. 1454 */ 1455 rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len); 1456 if (rv != CRYPTO_SUCCESS) 1457 return (rv); 1458 1459 if (data_len != data->cd_length) 1460 return (CRYPTO_SIGNATURE_LEN_RANGE); 1461 1462 if (compare_data(data, (plain_data + modulus_len 1463 - data_len)) != 0) 1464 rv = CRYPTO_SIGNATURE_INVALID; 1465 } 1466 1467 /* EXPORT DELETE END */ 1468 1469 return (rv); 1470 } 1471 1472 /* ARGSUSED */ 1473 static int 1474 rsa_verify(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature, 1475 crypto_req_handle_t req) 1476 { 1477 int rv; 1478 rsa_ctx_t *ctxp; 1479 1480 ASSERT(ctx->cc_provider_private != NULL); 1481 ctxp = ctx->cc_provider_private; 1482 1483 /* See the comments on KM_SLEEP flag in rsa_encrypt() */ 1484 switch (ctxp->mech_type) { 1485 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1486 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1487 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1488 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1489 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1490 rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data, 1491 signature, KM_SLEEP, CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | 1492 CRYPTO_DO_FINAL); 1493 break; 1494 default: 1495 rv = rsa_verify_common(ctxp->mech_type, ctxp->key, data, 1496 signature, KM_SLEEP); 1497 break; 1498 } 1499 1500 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1501 (void) rsa_free_context(ctx); 1502 1503 return (rv); 1504 } 1505 1506 /* ARGSUSED */ 1507 static int 1508 rsa_verify_update(crypto_ctx_t *ctx, crypto_data_t *data, 1509 crypto_req_handle_t req) 1510 { 1511 int rv; 1512 digest_rsa_ctx_t *ctxp; 1513 1514 ASSERT(ctx->cc_provider_private != NULL); 1515 ctxp = ctx->cc_provider_private; 1516 1517 switch (ctxp->mech_type) { 1518 1519 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1520 rv = crypto_digest_data(data, &(ctxp->md5_ctx), 1521 NULL, MD5Update, MD5Final, CRYPTO_DO_MD5 | 1522 CRYPTO_DO_UPDATE); 1523 break; 1524 1525 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1526 rv = crypto_digest_data(data, &(ctxp->sha1_ctx), 1527 NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 | 1528 CRYPTO_DO_UPDATE); 1529 break; 1530 1531 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1532 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1533 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1534 rv = crypto_digest_data(data, &(ctxp->sha2_ctx), 1535 NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 | 1536 CRYPTO_DO_UPDATE); 1537 break; 1538 1539 default: 1540 return (CRYPTO_MECHANISM_INVALID); 1541 } 1542 1543 return (rv); 1544 } 1545 1546 static int 1547 rsa_verify_final(crypto_ctx_t *ctx, crypto_data_t *signature, 1548 crypto_req_handle_t req) 1549 { 1550 int rv; 1551 digest_rsa_ctx_t *ctxp; 1552 1553 ASSERT(ctx->cc_provider_private != NULL); 1554 ctxp = ctx->cc_provider_private; 1555 1556 rv = rsa_digest_svrfy_common(ctxp, NULL, signature, 1557 crypto_kmflag(req), CRYPTO_DO_VERIFY | CRYPTO_DO_FINAL); 1558 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1559 (void) rsa_free_context(ctx); 1560 1561 return (rv); 1562 } 1563 1564 1565 /* ARGSUSED */ 1566 static int 1567 rsa_verify_atomic(crypto_provider_handle_t provider, 1568 crypto_session_id_t session_id, 1569 crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, 1570 crypto_data_t *signature, crypto_spi_ctx_template_t ctx_template, 1571 crypto_req_handle_t req) 1572 { 1573 int rv; 1574 digest_rsa_ctx_t dctx; 1575 1576 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1577 return (rv); 1578 1579 if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE || 1580 mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE) 1581 rv = rsa_verify_common(mechanism->cm_type, key, data, 1582 signature, crypto_kmflag(req)); 1583 1584 else { 1585 dctx.mech_type = mechanism->cm_type; 1586 dctx.key = key; 1587 1588 switch (mechanism->cm_type) { 1589 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1590 MD5Init(&(dctx.md5_ctx)); 1591 break; 1592 1593 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1594 SHA1Init(&(dctx.sha1_ctx)); 1595 break; 1596 1597 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1598 SHA2Init(SHA256, &(dctx.sha2_ctx)); 1599 break; 1600 1601 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1602 SHA2Init(SHA384, &(dctx.sha2_ctx)); 1603 break; 1604 1605 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1606 SHA2Init(SHA512, &(dctx.sha2_ctx)); 1607 break; 1608 } 1609 1610 rv = rsa_digest_svrfy_common(&dctx, data, 1611 signature, crypto_kmflag(req), 1612 CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL); 1613 } 1614 1615 return (rv); 1616 } 1617 1618 static int 1619 rsa_verify_recover_common(rsa_mech_type_t mech_type, crypto_key_t *key, 1620 crypto_data_t *signature, crypto_data_t *data, int kmflag) 1621 { 1622 int rv = CRYPTO_FAILED; 1623 1624 /* EXPORT DELETE START */ 1625 1626 int data_len; 1627 uchar_t *sigptr, *modulus; 1628 ssize_t modulus_len; 1629 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1630 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1631 1632 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1633 &modulus_len)) != CRYPTO_SUCCESS) { 1634 return (rv); 1635 } 1636 1637 if (signature->cd_length != modulus_len) 1638 return (CRYPTO_SIGNATURE_LEN_RANGE); 1639 1640 ASSERT(signature->cd_length <= sizeof (tmp_data)); 1641 if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data)) 1642 != CRYPTO_SUCCESS) 1643 return (rv); 1644 1645 rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, kmflag, 1); 1646 if (rv != CRYPTO_SUCCESS) 1647 return (rv); 1648 1649 data_len = modulus_len; 1650 1651 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 1652 /* 1653 * Strip off the encoded padding bytes in front of the 1654 * recovered data, then compare the recovered data with 1655 * the original data. 1656 */ 1657 rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len); 1658 if (rv != CRYPTO_SUCCESS) 1659 return (rv); 1660 } 1661 1662 if (data->cd_length < data_len) { 1663 data->cd_length = data_len; 1664 return (CRYPTO_BUFFER_TOO_SMALL); 1665 } 1666 1667 if ((rv = crypto_put_output_data(plain_data + modulus_len - data_len, 1668 data, data_len)) != CRYPTO_SUCCESS) 1669 return (rv); 1670 data->cd_length = data_len; 1671 1672 /* EXPORT DELETE END */ 1673 1674 return (rv); 1675 } 1676 1677 /* ARGSUSED */ 1678 static int 1679 rsa_verify_recover(crypto_ctx_t *ctx, crypto_data_t *signature, 1680 crypto_data_t *data, crypto_req_handle_t req) 1681 { 1682 int rv; 1683 rsa_ctx_t *ctxp; 1684 1685 ASSERT(ctx->cc_provider_private != NULL); 1686 ctxp = ctx->cc_provider_private; 1687 1688 /* See the comments on KM_SLEEP flag in rsa_encrypt() */ 1689 rv = rsa_verify_recover_common(ctxp->mech_type, ctxp->key, 1690 signature, data, KM_SLEEP); 1691 1692 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1693 (void) rsa_free_context(ctx); 1694 1695 return (rv); 1696 } 1697 1698 /* ARGSUSED */ 1699 static int 1700 rsa_verify_recover_atomic(crypto_provider_handle_t provider, 1701 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1702 crypto_key_t *key, crypto_data_t *signature, crypto_data_t *data, 1703 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) 1704 { 1705 int rv; 1706 1707 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1708 return (rv); 1709 1710 return (rsa_verify_recover_common(mechanism->cm_type, key, 1711 signature, data, crypto_kmflag(req))); 1712 } 1713 1714 /* 1715 * RSA Power-Up Self-Test 1716 */ 1717 void 1718 rsa_POST(int *rc) 1719 { 1720 1721 *rc = fips_rsa_post(); 1722 1723 } 1724