1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * RSA provider for the Kernel Cryptographic Framework (KCF) 28 */ 29 30 #include <sys/types.h> 31 #include <sys/systm.h> 32 #include <sys/modctl.h> 33 #include <sys/cmn_err.h> 34 #include <sys/ddi.h> 35 #include <sys/crypto/spi.h> 36 #include <sys/sysmacros.h> 37 #include <sys/strsun.h> 38 #include <sys/md5.h> 39 #include <sys/sha1.h> 40 #define _SHA2_IMPL 41 #include <sys/sha2.h> 42 #include <sys/random.h> 43 #include <sys/crypto/impl.h> 44 #include <sha1/sha1_impl.h> 45 #include <sha2/sha2_impl.h> 46 #define _RSA_FIPS_POST 47 #include <rsa/rsa_impl.h> 48 49 extern struct mod_ops mod_cryptoops; 50 51 /* 52 * Module linkage information for the kernel. 53 */ 54 static struct modlcrypto modlcrypto = { 55 &mod_cryptoops, 56 "RSA Kernel SW Provider" 57 }; 58 59 static struct modlinkage modlinkage = { 60 MODREV_1, 61 (void *)&modlcrypto, 62 NULL 63 }; 64 65 /* 66 * CSPI information (entry points, provider info, etc.) 67 */ 68 typedef enum rsa_mech_type { 69 RSA_PKCS_MECH_INFO_TYPE, /* SUN_CKM_RSA_PKCS */ 70 RSA_X_509_MECH_INFO_TYPE, /* SUN_CKM_RSA_X_509 */ 71 MD5_RSA_PKCS_MECH_INFO_TYPE, /* SUN_MD5_RSA_PKCS */ 72 SHA1_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA1_RSA_PKCS */ 73 SHA256_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA256_RSA_PKCS */ 74 SHA384_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA384_RSA_PKCS */ 75 SHA512_RSA_PKCS_MECH_INFO_TYPE /* SUN_SHA512_RSA_PKCS */ 76 } rsa_mech_type_t; 77 78 /* 79 * Context for RSA_PKCS and RSA_X_509 mechanisms. 80 */ 81 typedef struct rsa_ctx { 82 rsa_mech_type_t mech_type; 83 crypto_key_t *key; 84 size_t keychunk_size; 85 } rsa_ctx_t; 86 87 /* 88 * Context for MD5_RSA_PKCS and SHA*_RSA_PKCS mechanisms. 89 */ 90 typedef struct digest_rsa_ctx { 91 rsa_mech_type_t mech_type; 92 crypto_key_t *key; 93 size_t keychunk_size; 94 union { 95 MD5_CTX md5ctx; 96 SHA1_CTX sha1ctx; 97 SHA2_CTX sha2ctx; 98 } dctx_u; 99 } digest_rsa_ctx_t; 100 101 #define md5_ctx dctx_u.md5ctx 102 #define sha1_ctx dctx_u.sha1ctx 103 #define sha2_ctx dctx_u.sha2ctx 104 105 /* 106 * Mechanism info structure passed to KCF during registration. 107 */ 108 static crypto_mech_info_t rsa_mech_info_tab[] = { 109 /* RSA_PKCS */ 110 {SUN_CKM_RSA_PKCS, RSA_PKCS_MECH_INFO_TYPE, 111 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 112 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC | 113 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 114 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC | 115 CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC | 116 CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC, 117 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 118 119 /* RSA_X_509 */ 120 {SUN_CKM_RSA_X_509, RSA_X_509_MECH_INFO_TYPE, 121 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 122 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC | 123 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 124 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC | 125 CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC | 126 CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC, 127 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 128 129 /* MD5_RSA_PKCS */ 130 {SUN_CKM_MD5_RSA_PKCS, MD5_RSA_PKCS_MECH_INFO_TYPE, 131 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 132 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 133 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 134 135 /* SHA1_RSA_PKCS */ 136 {SUN_CKM_SHA1_RSA_PKCS, SHA1_RSA_PKCS_MECH_INFO_TYPE, 137 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 138 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 139 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 140 141 /* SHA256_RSA_PKCS */ 142 {SUN_CKM_SHA256_RSA_PKCS, SHA256_RSA_PKCS_MECH_INFO_TYPE, 143 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 144 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 145 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 146 147 /* SHA384_RSA_PKCS */ 148 {SUN_CKM_SHA384_RSA_PKCS, SHA384_RSA_PKCS_MECH_INFO_TYPE, 149 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 150 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 151 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 152 153 /* SHA512_RSA_PKCS */ 154 {SUN_CKM_SHA512_RSA_PKCS, SHA512_RSA_PKCS_MECH_INFO_TYPE, 155 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 156 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 157 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS} 158 159 }; 160 161 #define RSA_VALID_MECH(mech) \ 162 (((mech)->cm_type == RSA_PKCS_MECH_INFO_TYPE || \ 163 (mech)->cm_type == RSA_X_509_MECH_INFO_TYPE || \ 164 (mech)->cm_type == MD5_RSA_PKCS_MECH_INFO_TYPE || \ 165 (mech)->cm_type == SHA1_RSA_PKCS_MECH_INFO_TYPE || \ 166 (mech)->cm_type == SHA256_RSA_PKCS_MECH_INFO_TYPE || \ 167 (mech)->cm_type == SHA384_RSA_PKCS_MECH_INFO_TYPE || \ 168 (mech)->cm_type == SHA512_RSA_PKCS_MECH_INFO_TYPE) ? 1 : 0) 169 170 /* operations are in-place if the output buffer is NULL */ 171 #define RSA_ARG_INPLACE(input, output) \ 172 if ((output) == NULL) \ 173 (output) = (input); 174 175 static void rsa_provider_status(crypto_provider_handle_t, uint_t *); 176 177 static crypto_control_ops_t rsa_control_ops = { 178 rsa_provider_status 179 }; 180 181 static int rsa_common_init(crypto_ctx_t *, crypto_mechanism_t *, 182 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 183 static int rsa_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 184 crypto_req_handle_t); 185 static int rsa_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t, 186 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 187 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 188 static int rsa_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 189 crypto_req_handle_t); 190 static int rsa_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t, 191 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 192 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 193 194 /* 195 * The RSA mechanisms do not have multiple-part cipher operations. 196 * So, the update and final routines are set to NULL. 197 */ 198 static crypto_cipher_ops_t rsa_cipher_ops = { 199 rsa_common_init, 200 rsa_encrypt, 201 NULL, 202 NULL, 203 rsa_encrypt_atomic, 204 rsa_common_init, 205 rsa_decrypt, 206 NULL, 207 NULL, 208 rsa_decrypt_atomic 209 }; 210 211 static int rsa_sign_verify_common_init(crypto_ctx_t *, crypto_mechanism_t *, 212 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 213 static int rsa_sign(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 214 crypto_req_handle_t); 215 static int rsa_sign_update(crypto_ctx_t *, crypto_data_t *, 216 crypto_req_handle_t); 217 static int rsa_sign_final(crypto_ctx_t *, crypto_data_t *, 218 crypto_req_handle_t); 219 static int rsa_sign_atomic(crypto_provider_handle_t, crypto_session_id_t, 220 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, 221 crypto_spi_ctx_template_t, crypto_req_handle_t); 222 223 /* 224 * We use the same routine for sign_init and sign_recover_init fields 225 * as they do the same thing. Same holds for sign and sign_recover fields, 226 * and sign_atomic and sign_recover_atomic fields. 227 */ 228 static crypto_sign_ops_t rsa_sign_ops = { 229 rsa_sign_verify_common_init, 230 rsa_sign, 231 rsa_sign_update, 232 rsa_sign_final, 233 rsa_sign_atomic, 234 rsa_sign_verify_common_init, 235 rsa_sign, 236 rsa_sign_atomic 237 }; 238 239 static int rsa_verify(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 240 crypto_req_handle_t); 241 static int rsa_verify_update(crypto_ctx_t *, crypto_data_t *, 242 crypto_req_handle_t); 243 static int rsa_verify_final(crypto_ctx_t *, crypto_data_t *, 244 crypto_req_handle_t); 245 static int rsa_verify_atomic(crypto_provider_handle_t, crypto_session_id_t, 246 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 247 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 248 static int rsa_verify_recover(crypto_ctx_t *, crypto_data_t *, 249 crypto_data_t *, crypto_req_handle_t); 250 static int rsa_verify_recover_atomic(crypto_provider_handle_t, 251 crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, 252 crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t, 253 crypto_req_handle_t); 254 255 /* 256 * We use the same routine (rsa_sign_verify_common_init) for verify_init 257 * and verify_recover_init fields as they do the same thing. 258 */ 259 static crypto_verify_ops_t rsa_verify_ops = { 260 rsa_sign_verify_common_init, 261 rsa_verify, 262 rsa_verify_update, 263 rsa_verify_final, 264 rsa_verify_atomic, 265 rsa_sign_verify_common_init, 266 rsa_verify_recover, 267 rsa_verify_recover_atomic 268 }; 269 270 static int rsa_free_context(crypto_ctx_t *); 271 272 static crypto_ctx_ops_t rsa_ctx_ops = { 273 NULL, 274 rsa_free_context 275 }; 276 277 static void rsa_POST(int *); 278 279 static crypto_fips140_ops_t rsa_fips140_ops = { 280 rsa_POST 281 }; 282 283 static crypto_ops_t rsa_crypto_ops = { 284 &rsa_control_ops, 285 NULL, 286 &rsa_cipher_ops, 287 NULL, 288 &rsa_sign_ops, 289 &rsa_verify_ops, 290 NULL, 291 NULL, 292 NULL, 293 NULL, 294 NULL, 295 NULL, 296 NULL, 297 &rsa_ctx_ops, 298 NULL, 299 NULL, 300 &rsa_fips140_ops 301 }; 302 303 static crypto_provider_info_t rsa_prov_info = { 304 CRYPTO_SPI_VERSION_4, 305 "RSA Software Provider", 306 CRYPTO_SW_PROVIDER, 307 {&modlinkage}, 308 NULL, 309 &rsa_crypto_ops, 310 sizeof (rsa_mech_info_tab)/sizeof (crypto_mech_info_t), 311 rsa_mech_info_tab 312 }; 313 314 static int rsa_encrypt_common(rsa_mech_type_t, crypto_key_t *, 315 crypto_data_t *, crypto_data_t *, int); 316 static int rsa_decrypt_common(rsa_mech_type_t, crypto_key_t *, 317 crypto_data_t *, crypto_data_t *, int); 318 static int rsa_sign_common(rsa_mech_type_t, crypto_key_t *, 319 crypto_data_t *, crypto_data_t *, int); 320 static int rsa_verify_common(rsa_mech_type_t, crypto_key_t *, 321 crypto_data_t *, crypto_data_t *, int); 322 static int compare_data(crypto_data_t *, uchar_t *); 323 324 /* EXPORT DELETE START */ 325 326 static int core_rsa_encrypt(crypto_key_t *, uchar_t *, 327 int, uchar_t *, int, int); 328 static int core_rsa_decrypt(crypto_key_t *, uchar_t *, int, 329 uchar_t *, int); 330 331 /* EXPORT DELETE END */ 332 333 static crypto_kcf_provider_handle_t rsa_prov_handle = NULL; 334 335 int 336 _init(void) 337 { 338 int ret; 339 340 if ((ret = mod_install(&modlinkage)) != 0) 341 return (ret); 342 343 /* Register with KCF. If the registration fails, remove the module. */ 344 if (crypto_register_provider(&rsa_prov_info, &rsa_prov_handle)) { 345 (void) mod_remove(&modlinkage); 346 return (EACCES); 347 } 348 349 return (0); 350 } 351 352 int 353 _fini(void) 354 { 355 /* Unregister from KCF if module is registered */ 356 if (rsa_prov_handle != NULL) { 357 if (crypto_unregister_provider(rsa_prov_handle)) 358 return (EBUSY); 359 360 rsa_prov_handle = NULL; 361 } 362 363 return (mod_remove(&modlinkage)); 364 } 365 366 int 367 _info(struct modinfo *modinfop) 368 { 369 return (mod_info(&modlinkage, modinfop)); 370 } 371 372 /* ARGSUSED */ 373 static void 374 rsa_provider_status(crypto_provider_handle_t provider, uint_t *status) 375 { 376 *status = CRYPTO_PROVIDER_READY; 377 } 378 379 static int 380 check_mech_and_key(crypto_mechanism_t *mechanism, crypto_key_t *key) 381 { 382 int rv = CRYPTO_FAILED; 383 384 /* EXPORT DELETE START */ 385 386 uchar_t *modulus; 387 ssize_t modulus_len; /* In bytes */ 388 389 if (!RSA_VALID_MECH(mechanism)) 390 return (CRYPTO_MECHANISM_INVALID); 391 392 /* 393 * We only support RSA keys that are passed as a list of 394 * object attributes. 395 */ 396 if (key->ck_format != CRYPTO_KEY_ATTR_LIST) { 397 return (CRYPTO_KEY_TYPE_INCONSISTENT); 398 } 399 400 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 401 &modulus_len)) != CRYPTO_SUCCESS) { 402 return (rv); 403 } 404 if (modulus_len < MIN_RSA_KEYLENGTH_IN_BYTES || 405 modulus_len > MAX_RSA_KEYLENGTH_IN_BYTES) 406 return (CRYPTO_KEY_SIZE_RANGE); 407 408 /* EXPORT DELETE END */ 409 410 return (rv); 411 } 412 413 void 414 kmemset(uint8_t *buf, char pattern, size_t len) 415 { 416 int i = 0; 417 418 while (i < len) 419 buf[i++] = pattern; 420 } 421 422 /* 423 * This function guarantees to return non-zero random numbers. 424 * This is needed as the /dev/urandom kernel interface, 425 * random_get_pseudo_bytes(), may return zeros. 426 */ 427 int 428 knzero_random_generator(uint8_t *ran_out, size_t ran_len) 429 { 430 int rv; 431 size_t ebc = 0; /* count of extra bytes in extrarand */ 432 size_t i = 0; 433 uint8_t extrarand[32]; 434 size_t extrarand_len; 435 436 if ((rv = random_get_pseudo_bytes_fips140(ran_out, ran_len)) != 0) 437 return (rv); 438 439 /* 440 * Walk through the returned random numbers pointed by ran_out, 441 * and look for any random number which is zero. 442 * If we find zero, call random_get_pseudo_bytes() to generate 443 * another 32 random numbers pool. Replace any zeros in ran_out[] 444 * from the random number in pool. 445 */ 446 while (i < ran_len) { 447 if (ran_out[i] != 0) { 448 i++; 449 continue; 450 } 451 452 /* 453 * Note that it is 'while' so we are guaranteed a 454 * non-zero value on exit. 455 */ 456 if (ebc == 0) { 457 /* refresh extrarand */ 458 extrarand_len = sizeof (extrarand); 459 if ((rv = random_get_pseudo_bytes_fips140(extrarand, 460 extrarand_len)) != 0) { 461 return (rv); 462 } 463 464 ebc = extrarand_len; 465 } 466 /* Replace zero with byte from extrarand. */ 467 -- ebc; 468 469 /* 470 * The new random byte zero/non-zero will be checked in 471 * the next pass through the loop. 472 */ 473 ran_out[i] = extrarand[ebc]; 474 } 475 476 return (CRYPTO_SUCCESS); 477 } 478 479 static int 480 compare_data(crypto_data_t *data, uchar_t *buf) 481 { 482 int len; 483 uchar_t *dptr; 484 485 len = data->cd_length; 486 switch (data->cd_format) { 487 case CRYPTO_DATA_RAW: 488 dptr = (uchar_t *)(data->cd_raw.iov_base + 489 data->cd_offset); 490 491 return (bcmp(dptr, buf, len)); 492 493 case CRYPTO_DATA_UIO: 494 return (crypto_uio_data(data, buf, len, 495 COMPARE_TO_DATA, NULL, NULL)); 496 497 case CRYPTO_DATA_MBLK: 498 return (crypto_mblk_data(data, buf, len, 499 COMPARE_TO_DATA, NULL, NULL)); 500 } 501 502 return (CRYPTO_FAILED); 503 } 504 505 /* ARGSUSED */ 506 static int 507 rsa_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 508 crypto_key_t *key, crypto_spi_ctx_template_t template, 509 crypto_req_handle_t req) 510 { 511 int rv; 512 int kmflag; 513 rsa_ctx_t *ctxp; 514 515 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 516 return (rv); 517 518 /* 519 * Allocate a RSA context. 520 */ 521 kmflag = crypto_kmflag(req); 522 if ((ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag)) == NULL) 523 return (CRYPTO_HOST_MEMORY); 524 525 if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size, 526 kmflag)) != CRYPTO_SUCCESS) { 527 kmem_free(ctxp, sizeof (rsa_ctx_t)); 528 return (rv); 529 } 530 ctxp->mech_type = mechanism->cm_type; 531 532 ctx->cc_provider_private = ctxp; 533 534 return (CRYPTO_SUCCESS); 535 } 536 537 /* ARGSUSED */ 538 static int 539 rsa_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext, 540 crypto_data_t *ciphertext, crypto_req_handle_t req) 541 { 542 int rv; 543 rsa_ctx_t *ctxp; 544 545 ASSERT(ctx->cc_provider_private != NULL); 546 ctxp = ctx->cc_provider_private; 547 548 RSA_ARG_INPLACE(plaintext, ciphertext); 549 550 /* 551 * Note on the KM_SLEEP flag passed to the routine below - 552 * rsa_encrypt() is a single-part encryption routine which is 553 * currently usable only by /dev/crypto. Since /dev/crypto calls are 554 * always synchronous, we can safely pass KM_SLEEP here. 555 */ 556 rv = rsa_encrypt_common(ctxp->mech_type, ctxp->key, plaintext, 557 ciphertext, KM_SLEEP); 558 559 if (rv != CRYPTO_BUFFER_TOO_SMALL) 560 (void) rsa_free_context(ctx); 561 562 return (rv); 563 } 564 565 /* ARGSUSED */ 566 static int 567 rsa_encrypt_atomic(crypto_provider_handle_t provider, 568 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 569 crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext, 570 crypto_spi_ctx_template_t template, crypto_req_handle_t req) 571 { 572 int rv; 573 574 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 575 return (rv); 576 RSA_ARG_INPLACE(plaintext, ciphertext); 577 578 return (rsa_encrypt_common(mechanism->cm_type, key, plaintext, 579 ciphertext, crypto_kmflag(req))); 580 } 581 582 static int 583 rsa_free_context(crypto_ctx_t *ctx) 584 { 585 rsa_ctx_t *ctxp = ctx->cc_provider_private; 586 587 if (ctxp != NULL) { 588 bzero(ctxp->key, ctxp->keychunk_size); 589 kmem_free(ctxp->key, ctxp->keychunk_size); 590 591 if (ctxp->mech_type == RSA_PKCS_MECH_INFO_TYPE || 592 ctxp->mech_type == RSA_X_509_MECH_INFO_TYPE) 593 kmem_free(ctxp, sizeof (rsa_ctx_t)); 594 else 595 kmem_free(ctxp, sizeof (digest_rsa_ctx_t)); 596 597 ctx->cc_provider_private = NULL; 598 } 599 600 return (CRYPTO_SUCCESS); 601 } 602 603 static int 604 rsa_encrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key, 605 crypto_data_t *plaintext, crypto_data_t *ciphertext, int kmflag) 606 { 607 int rv = CRYPTO_FAILED; 608 609 /* EXPORT DELETE START */ 610 611 int plen; 612 uchar_t *ptptr; 613 uchar_t *modulus; 614 ssize_t modulus_len; 615 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 616 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 617 uchar_t cipher_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 618 619 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 620 &modulus_len)) != CRYPTO_SUCCESS) { 621 return (rv); 622 } 623 624 plen = plaintext->cd_length; 625 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 626 if (plen > (modulus_len - MIN_PKCS1_PADLEN)) 627 return (CRYPTO_DATA_LEN_RANGE); 628 } else { 629 if (plen > modulus_len) 630 return (CRYPTO_DATA_LEN_RANGE); 631 } 632 633 /* 634 * Output buf len must not be less than RSA modulus size. 635 */ 636 if (ciphertext->cd_length < modulus_len) { 637 ciphertext->cd_length = modulus_len; 638 return (CRYPTO_BUFFER_TOO_SMALL); 639 } 640 641 ASSERT(plaintext->cd_length <= sizeof (tmp_data)); 642 if ((rv = crypto_get_input_data(plaintext, &ptptr, tmp_data)) 643 != CRYPTO_SUCCESS) 644 return (rv); 645 646 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 647 rv = soft_encrypt_rsa_pkcs_encode(ptptr, plen, 648 plain_data, modulus_len); 649 650 if (rv != CRYPTO_SUCCESS) 651 return (rv); 652 } else { 653 bzero(plain_data, modulus_len - plen); 654 bcopy(ptptr, &plain_data[modulus_len - plen], plen); 655 } 656 657 rv = core_rsa_encrypt(key, plain_data, modulus_len, 658 cipher_data, kmflag, 1); 659 if (rv == CRYPTO_SUCCESS) { 660 /* copy out to ciphertext */ 661 if ((rv = crypto_put_output_data(cipher_data, 662 ciphertext, modulus_len)) != CRYPTO_SUCCESS) 663 return (rv); 664 665 ciphertext->cd_length = modulus_len; 666 } 667 668 /* EXPORT DELETE END */ 669 670 return (rv); 671 } 672 673 /* EXPORT DELETE START */ 674 675 static int 676 core_rsa_encrypt(crypto_key_t *key, uchar_t *in, 677 int in_len, uchar_t *out, int kmflag, int is_public) 678 { 679 int rv; 680 uchar_t *expo, *modulus; 681 ssize_t expo_len; 682 ssize_t modulus_len; 683 BIGNUM msg; 684 RSAkey *rsakey; 685 686 if (is_public) { 687 if ((rv = crypto_get_key_attr(key, SUN_CKA_PUBLIC_EXPONENT, 688 &expo, &expo_len)) != CRYPTO_SUCCESS) 689 return (rv); 690 } else { 691 /* 692 * SUN_CKA_PRIVATE_EXPONENT is a required attribute for a 693 * RSA secret key. See the comments in core_rsa_decrypt 694 * routine which calls this routine with a private key. 695 */ 696 if ((rv = crypto_get_key_attr(key, SUN_CKA_PRIVATE_EXPONENT, 697 &expo, &expo_len)) != CRYPTO_SUCCESS) 698 return (rv); 699 } 700 701 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 702 &modulus_len)) != CRYPTO_SUCCESS) { 703 return (rv); 704 } 705 706 rsakey = kmem_alloc(sizeof (RSAkey), kmflag); 707 if (rsakey == NULL) 708 return (CRYPTO_HOST_MEMORY); 709 710 /* psize and qsize for RSA_key_init is in bits. */ 711 if (RSA_key_init(rsakey, modulus_len * 4, modulus_len * 4) != BIG_OK) { 712 rv = CRYPTO_HOST_MEMORY; 713 goto clean1; 714 } 715 716 /* Size for big_init is in BIG_CHUNK_TYPE words. */ 717 if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) { 718 rv = CRYPTO_HOST_MEMORY; 719 goto clean2; 720 } 721 722 /* Convert octet string exponent to big integer format. */ 723 bytestring2bignum(&(rsakey->e), expo, expo_len); 724 725 /* Convert octet string modulus to big integer format. */ 726 bytestring2bignum(&(rsakey->n), modulus, modulus_len); 727 728 /* Convert octet string input data to big integer format. */ 729 bytestring2bignum(&msg, in, in_len); 730 731 if (big_cmp_abs(&msg, &(rsakey->n)) > 0) { 732 rv = CRYPTO_DATA_LEN_RANGE; 733 goto clean3; 734 } 735 736 /* Perform RSA computation on big integer input data. */ 737 if (big_modexp(&msg, &msg, &(rsakey->e), &(rsakey->n), NULL) 738 != BIG_OK) { 739 rv = CRYPTO_HOST_MEMORY; 740 goto clean3; 741 } 742 743 /* Convert the big integer output data to octet string. */ 744 bignum2bytestring(out, &msg, modulus_len); 745 746 /* 747 * Should not free modulus and expo as both are just pointers 748 * to an attribute value buffer from the caller. 749 */ 750 clean3: 751 big_finish(&msg); 752 clean2: 753 RSA_key_finish(rsakey); 754 clean1: 755 kmem_free(rsakey, sizeof (RSAkey)); 756 757 return (rv); 758 } 759 760 /* EXPORT DELETE END */ 761 762 /* ARGSUSED */ 763 static int 764 rsa_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext, 765 crypto_data_t *plaintext, crypto_req_handle_t req) 766 { 767 int rv; 768 rsa_ctx_t *ctxp; 769 770 ASSERT(ctx->cc_provider_private != NULL); 771 ctxp = ctx->cc_provider_private; 772 773 RSA_ARG_INPLACE(ciphertext, plaintext); 774 775 /* See the comments on KM_SLEEP flag in rsa_encrypt() */ 776 rv = rsa_decrypt_common(ctxp->mech_type, ctxp->key, 777 ciphertext, plaintext, KM_SLEEP); 778 779 if (rv != CRYPTO_BUFFER_TOO_SMALL) 780 (void) rsa_free_context(ctx); 781 782 return (rv); 783 } 784 785 /* ARGSUSED */ 786 static int 787 rsa_decrypt_atomic(crypto_provider_handle_t provider, 788 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 789 crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext, 790 crypto_spi_ctx_template_t template, crypto_req_handle_t req) 791 { 792 int rv; 793 794 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 795 return (rv); 796 RSA_ARG_INPLACE(ciphertext, plaintext); 797 798 return (rsa_decrypt_common(mechanism->cm_type, key, ciphertext, 799 plaintext, crypto_kmflag(req))); 800 } 801 802 static int 803 rsa_decrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key, 804 crypto_data_t *ciphertext, crypto_data_t *plaintext, int kmflag) 805 { 806 int rv = CRYPTO_FAILED; 807 808 /* EXPORT DELETE START */ 809 810 int plain_len; 811 uchar_t *ctptr; 812 uchar_t *modulus; 813 ssize_t modulus_len; 814 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 815 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 816 817 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 818 &modulus_len)) != CRYPTO_SUCCESS) { 819 return (rv); 820 } 821 822 /* 823 * Ciphertext length must be equal to RSA modulus size. 824 */ 825 if (ciphertext->cd_length != modulus_len) 826 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE); 827 828 ASSERT(ciphertext->cd_length <= sizeof (tmp_data)); 829 if ((rv = crypto_get_input_data(ciphertext, &ctptr, tmp_data)) 830 != CRYPTO_SUCCESS) 831 return (rv); 832 833 rv = core_rsa_decrypt(key, ctptr, modulus_len, plain_data, kmflag); 834 if (rv == CRYPTO_SUCCESS) { 835 plain_len = modulus_len; 836 837 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 838 /* Strip off the PKCS block formatting data. */ 839 rv = soft_decrypt_rsa_pkcs_decode(plain_data, 840 &plain_len); 841 if (rv != CRYPTO_SUCCESS) 842 return (rv); 843 } 844 845 if (plain_len > plaintext->cd_length) { 846 plaintext->cd_length = plain_len; 847 return (CRYPTO_BUFFER_TOO_SMALL); 848 } 849 850 if ((rv = crypto_put_output_data( 851 plain_data + modulus_len - plain_len, 852 plaintext, plain_len)) != CRYPTO_SUCCESS) 853 return (rv); 854 855 plaintext->cd_length = plain_len; 856 } 857 858 /* EXPORT DELETE END */ 859 860 return (rv); 861 } 862 863 /* EXPORT DELETE START */ 864 865 static int 866 core_rsa_decrypt(crypto_key_t *key, uchar_t *in, int in_len, 867 uchar_t *out, int kmflag) 868 { 869 int rv; 870 uchar_t *modulus, *prime1, *prime2, *expo1, *expo2, *coef; 871 ssize_t modulus_len; 872 ssize_t prime1_len, prime2_len; 873 ssize_t expo1_len, expo2_len, coef_len; 874 BIGNUM msg; 875 RSAkey *rsakey; 876 877 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 878 &modulus_len)) != CRYPTO_SUCCESS) { 879 return (rv); 880 } 881 882 /* 883 * The following attributes are not required to be 884 * present in a RSA secret key. If any of them is not present 885 * we call the encrypt routine with a flag indicating use of 886 * private exponent (d). Note that SUN_CKA_PRIVATE_EXPONENT is 887 * a required attribute for a RSA secret key. 888 */ 889 if ((crypto_get_key_attr(key, SUN_CKA_PRIME_1, &prime1, &prime1_len) 890 != CRYPTO_SUCCESS) || 891 (crypto_get_key_attr(key, SUN_CKA_PRIME_2, &prime2, &prime2_len) 892 != CRYPTO_SUCCESS) || 893 (crypto_get_key_attr(key, SUN_CKA_EXPONENT_1, &expo1, &expo1_len) 894 != CRYPTO_SUCCESS) || 895 (crypto_get_key_attr(key, SUN_CKA_EXPONENT_2, &expo2, &expo2_len) 896 != CRYPTO_SUCCESS) || 897 (crypto_get_key_attr(key, SUN_CKA_COEFFICIENT, &coef, &coef_len) 898 != CRYPTO_SUCCESS)) { 899 return (core_rsa_encrypt(key, in, in_len, out, kmflag, 0)); 900 } 901 902 rsakey = kmem_alloc(sizeof (RSAkey), kmflag); 903 if (rsakey == NULL) 904 return (CRYPTO_HOST_MEMORY); 905 906 /* psize and qsize for RSA_key_init is in bits. */ 907 if (RSA_key_init(rsakey, CRYPTO_BYTES2BITS(prime2_len), 908 CRYPTO_BYTES2BITS(prime1_len)) != BIG_OK) { 909 rv = CRYPTO_HOST_MEMORY; 910 goto clean1; 911 } 912 913 /* Size for big_init is in BIG_CHUNK_TYPE words. */ 914 if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) { 915 rv = CRYPTO_HOST_MEMORY; 916 goto clean2; 917 } 918 919 /* Convert octet string input data to big integer format. */ 920 bytestring2bignum(&msg, in, in_len); 921 922 /* Convert octet string modulus to big integer format. */ 923 bytestring2bignum(&(rsakey->n), modulus, modulus_len); 924 925 if (big_cmp_abs(&msg, &(rsakey->n)) > 0) { 926 rv = CRYPTO_DATA_LEN_RANGE; 927 goto clean3; 928 } 929 930 /* Convert the rest of private key attributes to big integer format. */ 931 bytestring2bignum(&(rsakey->dmodpminus1), expo2, expo2_len); 932 bytestring2bignum(&(rsakey->dmodqminus1), expo1, expo1_len); 933 bytestring2bignum(&(rsakey->p), prime2, prime2_len); 934 bytestring2bignum(&(rsakey->q), prime1, prime1_len); 935 bytestring2bignum(&(rsakey->pinvmodq), coef, coef_len); 936 937 if ((big_cmp_abs(&(rsakey->dmodpminus1), &(rsakey->p)) > 0) || 938 (big_cmp_abs(&(rsakey->dmodqminus1), &(rsakey->q)) > 0) || 939 (big_cmp_abs(&(rsakey->pinvmodq), &(rsakey->q)) > 0)) { 940 rv = CRYPTO_KEY_SIZE_RANGE; 941 goto clean3; 942 } 943 944 /* Perform RSA computation on big integer input data. */ 945 if (big_modexp_crt(&msg, &msg, &(rsakey->dmodpminus1), 946 &(rsakey->dmodqminus1), &(rsakey->p), &(rsakey->q), 947 &(rsakey->pinvmodq), NULL, NULL) != BIG_OK) { 948 rv = CRYPTO_HOST_MEMORY; 949 goto clean3; 950 } 951 952 /* Convert the big integer output data to octet string. */ 953 bignum2bytestring(out, &msg, modulus_len); 954 955 /* 956 * Should not free modulus and friends as they are just pointers 957 * to an attribute value buffer from the caller. 958 */ 959 clean3: 960 big_finish(&msg); 961 clean2: 962 RSA_key_finish(rsakey); 963 clean1: 964 kmem_free(rsakey, sizeof (RSAkey)); 965 966 return (rv); 967 } 968 969 /* EXPORT DELETE END */ 970 971 /* ARGSUSED */ 972 static int 973 rsa_sign_verify_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 974 crypto_key_t *key, crypto_spi_ctx_template_t ctx_template, 975 crypto_req_handle_t req) 976 { 977 int rv; 978 int kmflag; 979 rsa_ctx_t *ctxp; 980 digest_rsa_ctx_t *dctxp; 981 982 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 983 return (rv); 984 985 /* 986 * Allocate a RSA context. 987 */ 988 kmflag = crypto_kmflag(req); 989 switch (mechanism->cm_type) { 990 case MD5_RSA_PKCS_MECH_INFO_TYPE: 991 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 992 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 993 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 994 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 995 dctxp = kmem_zalloc(sizeof (digest_rsa_ctx_t), kmflag); 996 ctxp = (rsa_ctx_t *)dctxp; 997 break; 998 default: 999 ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag); 1000 break; 1001 } 1002 1003 if (ctxp == NULL) 1004 return (CRYPTO_HOST_MEMORY); 1005 1006 ctxp->mech_type = mechanism->cm_type; 1007 if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size, 1008 kmflag)) != CRYPTO_SUCCESS) { 1009 switch (mechanism->cm_type) { 1010 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1011 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1012 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1013 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1014 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1015 kmem_free(dctxp, sizeof (digest_rsa_ctx_t)); 1016 break; 1017 default: 1018 kmem_free(ctxp, sizeof (rsa_ctx_t)); 1019 break; 1020 } 1021 return (rv); 1022 } 1023 1024 switch (mechanism->cm_type) { 1025 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1026 MD5Init(&(dctxp->md5_ctx)); 1027 break; 1028 1029 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1030 SHA1Init(&(dctxp->sha1_ctx)); 1031 break; 1032 1033 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1034 SHA2Init(SHA256, &(dctxp->sha2_ctx)); 1035 break; 1036 1037 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1038 SHA2Init(SHA384, &(dctxp->sha2_ctx)); 1039 break; 1040 1041 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1042 SHA2Init(SHA512, &(dctxp->sha2_ctx)); 1043 break; 1044 } 1045 1046 ctx->cc_provider_private = ctxp; 1047 1048 return (CRYPTO_SUCCESS); 1049 } 1050 1051 #define SHA1_DIGEST_SIZE 20 1052 #define MD5_DIGEST_SIZE 16 1053 1054 #define INIT_RAW_CRYPTO_DATA(data, base, len, cd_len) \ 1055 (data).cd_format = CRYPTO_DATA_RAW; \ 1056 (data).cd_offset = 0; \ 1057 (data).cd_raw.iov_base = (char *)base; \ 1058 (data).cd_raw.iov_len = len; \ 1059 (data).cd_length = cd_len; 1060 1061 static int 1062 rsa_digest_svrfy_common(digest_rsa_ctx_t *ctxp, crypto_data_t *data, 1063 crypto_data_t *signature, int kmflag, uchar_t flag) 1064 { 1065 int rv = CRYPTO_FAILED; 1066 1067 /* EXPORT DELETE START */ 1068 1069 uchar_t digest[SHA512_DIGEST_LENGTH]; 1070 /* The der_data size is enough for MD5 also */ 1071 uchar_t der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len]; 1072 ulong_t der_data_len; 1073 crypto_data_t der_cd; 1074 rsa_mech_type_t mech_type; 1075 1076 ASSERT(flag & CRYPTO_DO_SIGN || flag & CRYPTO_DO_VERIFY); 1077 ASSERT(data != NULL || (flag & CRYPTO_DO_FINAL)); 1078 1079 mech_type = ctxp->mech_type; 1080 if (mech_type == RSA_PKCS_MECH_INFO_TYPE || 1081 mech_type == RSA_X_509_MECH_INFO_TYPE) 1082 return (CRYPTO_MECHANISM_INVALID); 1083 1084 /* 1085 * We need to do the BUFFER_TOO_SMALL check before digesting 1086 * the data. No check is needed for verify as signature is not 1087 * an output argument for verify. 1088 */ 1089 if (flag & CRYPTO_DO_SIGN) { 1090 uchar_t *modulus; 1091 ssize_t modulus_len; 1092 1093 if ((rv = crypto_get_key_attr(ctxp->key, SUN_CKA_MODULUS, 1094 &modulus, &modulus_len)) != CRYPTO_SUCCESS) { 1095 return (rv); 1096 } 1097 1098 if (signature->cd_length < modulus_len) { 1099 signature->cd_length = modulus_len; 1100 return (CRYPTO_BUFFER_TOO_SMALL); 1101 } 1102 } 1103 1104 if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE) 1105 rv = crypto_digest_data(data, &(ctxp->md5_ctx), 1106 digest, MD5Update, MD5Final, flag | CRYPTO_DO_MD5); 1107 1108 else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE) 1109 rv = crypto_digest_data(data, &(ctxp->sha1_ctx), 1110 digest, SHA1Update, SHA1Final, flag | CRYPTO_DO_SHA1); 1111 1112 else 1113 rv = crypto_digest_data(data, &(ctxp->sha2_ctx), 1114 digest, SHA2Update, SHA2Final, flag | CRYPTO_DO_SHA2); 1115 1116 if (rv != CRYPTO_SUCCESS) 1117 return (rv); 1118 1119 1120 /* 1121 * Prepare the DER encoding of the DigestInfo value as follows: 1122 * MD5: MD5_DER_PREFIX || H 1123 * SHA-1: SHA1_DER_PREFIX || H 1124 * 1125 * See rsa_impl.c for more details. 1126 */ 1127 switch (mech_type) { 1128 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1129 bcopy(MD5_DER_PREFIX, der_data, MD5_DER_PREFIX_Len); 1130 bcopy(digest, der_data + MD5_DER_PREFIX_Len, MD5_DIGEST_SIZE); 1131 der_data_len = MD5_DER_PREFIX_Len + MD5_DIGEST_SIZE; 1132 break; 1133 1134 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1135 bcopy(SHA1_DER_PREFIX, der_data, SHA1_DER_PREFIX_Len); 1136 bcopy(digest, der_data + SHA1_DER_PREFIX_Len, 1137 SHA1_DIGEST_SIZE); 1138 der_data_len = SHA1_DER_PREFIX_Len + SHA1_DIGEST_SIZE; 1139 break; 1140 1141 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1142 bcopy(SHA256_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len); 1143 bcopy(digest, der_data + SHA2_DER_PREFIX_Len, 1144 SHA256_DIGEST_LENGTH); 1145 der_data_len = SHA2_DER_PREFIX_Len + SHA256_DIGEST_LENGTH; 1146 break; 1147 1148 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1149 bcopy(SHA384_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len); 1150 bcopy(digest, der_data + SHA2_DER_PREFIX_Len, 1151 SHA384_DIGEST_LENGTH); 1152 der_data_len = SHA2_DER_PREFIX_Len + SHA384_DIGEST_LENGTH; 1153 break; 1154 1155 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1156 bcopy(SHA512_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len); 1157 bcopy(digest, der_data + SHA2_DER_PREFIX_Len, 1158 SHA512_DIGEST_LENGTH); 1159 der_data_len = SHA2_DER_PREFIX_Len + SHA512_DIGEST_LENGTH; 1160 break; 1161 } 1162 1163 INIT_RAW_CRYPTO_DATA(der_cd, der_data, der_data_len, der_data_len); 1164 /* 1165 * Now, we are ready to sign or verify the DER_ENCODED data. 1166 */ 1167 if (flag & CRYPTO_DO_SIGN) 1168 rv = rsa_sign_common(mech_type, ctxp->key, &der_cd, 1169 signature, kmflag); 1170 else 1171 rv = rsa_verify_common(mech_type, ctxp->key, &der_cd, 1172 signature, kmflag); 1173 1174 /* EXPORT DELETE END */ 1175 1176 return (rv); 1177 } 1178 1179 static int 1180 rsa_sign_common(rsa_mech_type_t mech_type, crypto_key_t *key, 1181 crypto_data_t *data, crypto_data_t *signature, int kmflag) 1182 { 1183 int rv = CRYPTO_FAILED; 1184 1185 /* EXPORT DELETE START */ 1186 1187 int dlen; 1188 uchar_t *dataptr, *modulus; 1189 ssize_t modulus_len; 1190 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1191 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1192 uchar_t signed_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1193 1194 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1195 &modulus_len)) != CRYPTO_SUCCESS) { 1196 return (rv); 1197 } 1198 1199 dlen = data->cd_length; 1200 switch (mech_type) { 1201 case RSA_PKCS_MECH_INFO_TYPE: 1202 if (dlen > (modulus_len - MIN_PKCS1_PADLEN)) 1203 return (CRYPTO_DATA_LEN_RANGE); 1204 break; 1205 case RSA_X_509_MECH_INFO_TYPE: 1206 if (dlen > modulus_len) 1207 return (CRYPTO_DATA_LEN_RANGE); 1208 break; 1209 } 1210 1211 if (signature->cd_length < modulus_len) { 1212 signature->cd_length = modulus_len; 1213 return (CRYPTO_BUFFER_TOO_SMALL); 1214 } 1215 1216 ASSERT(data->cd_length <= sizeof (tmp_data)); 1217 if ((rv = crypto_get_input_data(data, &dataptr, tmp_data)) 1218 != CRYPTO_SUCCESS) 1219 return (rv); 1220 1221 switch (mech_type) { 1222 case RSA_PKCS_MECH_INFO_TYPE: 1223 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1224 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1225 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1226 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1227 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1228 /* 1229 * Add PKCS padding to the input data to format a block 1230 * type "01" encryption block. 1231 */ 1232 rv = soft_sign_rsa_pkcs_encode(dataptr, dlen, plain_data, 1233 modulus_len); 1234 if (rv != CRYPTO_SUCCESS) 1235 return (rv); 1236 1237 break; 1238 1239 case RSA_X_509_MECH_INFO_TYPE: 1240 bzero(plain_data, modulus_len - dlen); 1241 bcopy(dataptr, &plain_data[modulus_len - dlen], dlen); 1242 break; 1243 } 1244 1245 rv = core_rsa_decrypt(key, plain_data, modulus_len, signed_data, 1246 kmflag); 1247 if (rv == CRYPTO_SUCCESS) { 1248 /* copy out to signature */ 1249 if ((rv = crypto_put_output_data(signed_data, 1250 signature, modulus_len)) != CRYPTO_SUCCESS) 1251 return (rv); 1252 1253 signature->cd_length = modulus_len; 1254 } 1255 1256 /* EXPORT DELETE END */ 1257 1258 return (rv); 1259 } 1260 1261 /* ARGSUSED */ 1262 static int 1263 rsa_sign(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature, 1264 crypto_req_handle_t req) 1265 { 1266 int rv; 1267 rsa_ctx_t *ctxp; 1268 1269 ASSERT(ctx->cc_provider_private != NULL); 1270 ctxp = ctx->cc_provider_private; 1271 1272 /* See the comments on KM_SLEEP flag in rsa_encrypt() */ 1273 switch (ctxp->mech_type) { 1274 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1275 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1276 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1277 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1278 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1279 rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data, 1280 signature, KM_SLEEP, CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE | 1281 CRYPTO_DO_FINAL); 1282 break; 1283 default: 1284 rv = rsa_sign_common(ctxp->mech_type, ctxp->key, data, 1285 signature, KM_SLEEP); 1286 break; 1287 } 1288 1289 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1290 (void) rsa_free_context(ctx); 1291 1292 return (rv); 1293 } 1294 1295 /* ARGSUSED */ 1296 static int 1297 rsa_sign_update(crypto_ctx_t *ctx, crypto_data_t *data, crypto_req_handle_t req) 1298 { 1299 int rv; 1300 digest_rsa_ctx_t *ctxp; 1301 rsa_mech_type_t mech_type; 1302 1303 ASSERT(ctx->cc_provider_private != NULL); 1304 ctxp = ctx->cc_provider_private; 1305 mech_type = ctxp->mech_type; 1306 1307 if (mech_type == RSA_PKCS_MECH_INFO_TYPE || 1308 mech_type == RSA_X_509_MECH_INFO_TYPE) 1309 return (CRYPTO_MECHANISM_INVALID); 1310 1311 if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE) 1312 rv = crypto_digest_data(data, &(ctxp->md5_ctx), 1313 NULL, MD5Update, MD5Final, 1314 CRYPTO_DO_MD5 | CRYPTO_DO_UPDATE); 1315 1316 else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE) 1317 rv = crypto_digest_data(data, &(ctxp->sha1_ctx), 1318 NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 | 1319 CRYPTO_DO_UPDATE); 1320 1321 else 1322 rv = crypto_digest_data(data, &(ctxp->sha2_ctx), 1323 NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 | 1324 CRYPTO_DO_UPDATE); 1325 1326 return (rv); 1327 } 1328 1329 static int 1330 rsa_sign_final(crypto_ctx_t *ctx, crypto_data_t *signature, 1331 crypto_req_handle_t req) 1332 { 1333 int rv; 1334 digest_rsa_ctx_t *ctxp; 1335 1336 ASSERT(ctx->cc_provider_private != NULL); 1337 ctxp = ctx->cc_provider_private; 1338 1339 rv = rsa_digest_svrfy_common(ctxp, NULL, signature, 1340 crypto_kmflag(req), CRYPTO_DO_SIGN | CRYPTO_DO_FINAL); 1341 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1342 (void) rsa_free_context(ctx); 1343 1344 return (rv); 1345 } 1346 1347 /* ARGSUSED */ 1348 static int 1349 rsa_sign_atomic(crypto_provider_handle_t provider, 1350 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1351 crypto_key_t *key, crypto_data_t *data, crypto_data_t *signature, 1352 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) 1353 { 1354 int rv; 1355 digest_rsa_ctx_t dctx; 1356 1357 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1358 return (rv); 1359 1360 if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE || 1361 mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE) 1362 rv = rsa_sign_common(mechanism->cm_type, key, data, 1363 signature, crypto_kmflag(req)); 1364 1365 else { 1366 dctx.mech_type = mechanism->cm_type; 1367 dctx.key = key; 1368 switch (mechanism->cm_type) { 1369 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1370 MD5Init(&(dctx.md5_ctx)); 1371 break; 1372 1373 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1374 SHA1Init(&(dctx.sha1_ctx)); 1375 break; 1376 1377 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1378 SHA2Init(SHA256, &(dctx.sha2_ctx)); 1379 break; 1380 1381 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1382 SHA2Init(SHA384, &(dctx.sha2_ctx)); 1383 break; 1384 1385 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1386 SHA2Init(SHA512, &(dctx.sha2_ctx)); 1387 break; 1388 } 1389 1390 rv = rsa_digest_svrfy_common(&dctx, data, signature, 1391 crypto_kmflag(req), CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE | 1392 CRYPTO_DO_FINAL); 1393 } 1394 1395 return (rv); 1396 } 1397 1398 static int 1399 rsa_verify_common(rsa_mech_type_t mech_type, crypto_key_t *key, 1400 crypto_data_t *data, crypto_data_t *signature, int kmflag) 1401 { 1402 int rv = CRYPTO_FAILED; 1403 1404 /* EXPORT DELETE START */ 1405 1406 uchar_t *sigptr, *modulus; 1407 ssize_t modulus_len; 1408 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1409 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1410 1411 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1412 &modulus_len)) != CRYPTO_SUCCESS) { 1413 return (rv); 1414 } 1415 1416 if (signature->cd_length != modulus_len) 1417 return (CRYPTO_SIGNATURE_LEN_RANGE); 1418 1419 ASSERT(signature->cd_length <= sizeof (tmp_data)); 1420 if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data)) 1421 != CRYPTO_SUCCESS) 1422 return (rv); 1423 1424 rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, kmflag, 1); 1425 if (rv != CRYPTO_SUCCESS) 1426 return (rv); 1427 1428 if (mech_type == RSA_X_509_MECH_INFO_TYPE) { 1429 if (compare_data(data, (plain_data + modulus_len 1430 - data->cd_length)) != 0) 1431 rv = CRYPTO_SIGNATURE_INVALID; 1432 1433 } else { 1434 int data_len = modulus_len; 1435 1436 /* 1437 * Strip off the encoded padding bytes in front of the 1438 * recovered data, then compare the recovered data with 1439 * the original data. 1440 */ 1441 rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len); 1442 if (rv != CRYPTO_SUCCESS) 1443 return (rv); 1444 1445 if (data_len != data->cd_length) 1446 return (CRYPTO_SIGNATURE_LEN_RANGE); 1447 1448 if (compare_data(data, (plain_data + modulus_len 1449 - data_len)) != 0) 1450 rv = CRYPTO_SIGNATURE_INVALID; 1451 } 1452 1453 /* EXPORT DELETE END */ 1454 1455 return (rv); 1456 } 1457 1458 /* ARGSUSED */ 1459 static int 1460 rsa_verify(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature, 1461 crypto_req_handle_t req) 1462 { 1463 int rv; 1464 rsa_ctx_t *ctxp; 1465 1466 ASSERT(ctx->cc_provider_private != NULL); 1467 ctxp = ctx->cc_provider_private; 1468 1469 /* See the comments on KM_SLEEP flag in rsa_encrypt() */ 1470 switch (ctxp->mech_type) { 1471 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1472 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1473 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1474 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1475 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1476 rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data, 1477 signature, KM_SLEEP, CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | 1478 CRYPTO_DO_FINAL); 1479 break; 1480 default: 1481 rv = rsa_verify_common(ctxp->mech_type, ctxp->key, data, 1482 signature, KM_SLEEP); 1483 break; 1484 } 1485 1486 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1487 (void) rsa_free_context(ctx); 1488 1489 return (rv); 1490 } 1491 1492 /* ARGSUSED */ 1493 static int 1494 rsa_verify_update(crypto_ctx_t *ctx, crypto_data_t *data, 1495 crypto_req_handle_t req) 1496 { 1497 int rv; 1498 digest_rsa_ctx_t *ctxp; 1499 1500 ASSERT(ctx->cc_provider_private != NULL); 1501 ctxp = ctx->cc_provider_private; 1502 1503 switch (ctxp->mech_type) { 1504 1505 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1506 rv = crypto_digest_data(data, &(ctxp->md5_ctx), 1507 NULL, MD5Update, MD5Final, CRYPTO_DO_MD5 | 1508 CRYPTO_DO_UPDATE); 1509 break; 1510 1511 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1512 rv = crypto_digest_data(data, &(ctxp->sha1_ctx), 1513 NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 | 1514 CRYPTO_DO_UPDATE); 1515 break; 1516 1517 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1518 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1519 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1520 rv = crypto_digest_data(data, &(ctxp->sha2_ctx), 1521 NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 | 1522 CRYPTO_DO_UPDATE); 1523 break; 1524 1525 default: 1526 return (CRYPTO_MECHANISM_INVALID); 1527 } 1528 1529 return (rv); 1530 } 1531 1532 static int 1533 rsa_verify_final(crypto_ctx_t *ctx, crypto_data_t *signature, 1534 crypto_req_handle_t req) 1535 { 1536 int rv; 1537 digest_rsa_ctx_t *ctxp; 1538 1539 ASSERT(ctx->cc_provider_private != NULL); 1540 ctxp = ctx->cc_provider_private; 1541 1542 rv = rsa_digest_svrfy_common(ctxp, NULL, signature, 1543 crypto_kmflag(req), CRYPTO_DO_VERIFY | CRYPTO_DO_FINAL); 1544 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1545 (void) rsa_free_context(ctx); 1546 1547 return (rv); 1548 } 1549 1550 1551 /* ARGSUSED */ 1552 static int 1553 rsa_verify_atomic(crypto_provider_handle_t provider, 1554 crypto_session_id_t session_id, 1555 crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, 1556 crypto_data_t *signature, crypto_spi_ctx_template_t ctx_template, 1557 crypto_req_handle_t req) 1558 { 1559 int rv; 1560 digest_rsa_ctx_t dctx; 1561 1562 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1563 return (rv); 1564 1565 if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE || 1566 mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE) 1567 rv = rsa_verify_common(mechanism->cm_type, key, data, 1568 signature, crypto_kmflag(req)); 1569 1570 else { 1571 dctx.mech_type = mechanism->cm_type; 1572 dctx.key = key; 1573 1574 switch (mechanism->cm_type) { 1575 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1576 MD5Init(&(dctx.md5_ctx)); 1577 break; 1578 1579 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1580 SHA1Init(&(dctx.sha1_ctx)); 1581 break; 1582 1583 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1584 SHA2Init(SHA256, &(dctx.sha2_ctx)); 1585 break; 1586 1587 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1588 SHA2Init(SHA384, &(dctx.sha2_ctx)); 1589 break; 1590 1591 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1592 SHA2Init(SHA512, &(dctx.sha2_ctx)); 1593 break; 1594 } 1595 1596 rv = rsa_digest_svrfy_common(&dctx, data, 1597 signature, crypto_kmflag(req), 1598 CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL); 1599 } 1600 1601 return (rv); 1602 } 1603 1604 static int 1605 rsa_verify_recover_common(rsa_mech_type_t mech_type, crypto_key_t *key, 1606 crypto_data_t *signature, crypto_data_t *data, int kmflag) 1607 { 1608 int rv = CRYPTO_FAILED; 1609 1610 /* EXPORT DELETE START */ 1611 1612 int data_len; 1613 uchar_t *sigptr, *modulus; 1614 ssize_t modulus_len; 1615 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1616 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1617 1618 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1619 &modulus_len)) != CRYPTO_SUCCESS) { 1620 return (rv); 1621 } 1622 1623 if (signature->cd_length != modulus_len) 1624 return (CRYPTO_SIGNATURE_LEN_RANGE); 1625 1626 ASSERT(signature->cd_length <= sizeof (tmp_data)); 1627 if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data)) 1628 != CRYPTO_SUCCESS) 1629 return (rv); 1630 1631 rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, kmflag, 1); 1632 if (rv != CRYPTO_SUCCESS) 1633 return (rv); 1634 1635 data_len = modulus_len; 1636 1637 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 1638 /* 1639 * Strip off the encoded padding bytes in front of the 1640 * recovered data, then compare the recovered data with 1641 * the original data. 1642 */ 1643 rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len); 1644 if (rv != CRYPTO_SUCCESS) 1645 return (rv); 1646 } 1647 1648 if (data->cd_length < data_len) { 1649 data->cd_length = data_len; 1650 return (CRYPTO_BUFFER_TOO_SMALL); 1651 } 1652 1653 if ((rv = crypto_put_output_data(plain_data + modulus_len - data_len, 1654 data, data_len)) != CRYPTO_SUCCESS) 1655 return (rv); 1656 data->cd_length = data_len; 1657 1658 /* EXPORT DELETE END */ 1659 1660 return (rv); 1661 } 1662 1663 /* ARGSUSED */ 1664 static int 1665 rsa_verify_recover(crypto_ctx_t *ctx, crypto_data_t *signature, 1666 crypto_data_t *data, crypto_req_handle_t req) 1667 { 1668 int rv; 1669 rsa_ctx_t *ctxp; 1670 1671 ASSERT(ctx->cc_provider_private != NULL); 1672 ctxp = ctx->cc_provider_private; 1673 1674 /* See the comments on KM_SLEEP flag in rsa_encrypt() */ 1675 rv = rsa_verify_recover_common(ctxp->mech_type, ctxp->key, 1676 signature, data, KM_SLEEP); 1677 1678 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1679 (void) rsa_free_context(ctx); 1680 1681 return (rv); 1682 } 1683 1684 /* ARGSUSED */ 1685 static int 1686 rsa_verify_recover_atomic(crypto_provider_handle_t provider, 1687 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1688 crypto_key_t *key, crypto_data_t *signature, crypto_data_t *data, 1689 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) 1690 { 1691 int rv; 1692 1693 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1694 return (rv); 1695 1696 return (rsa_verify_recover_common(mechanism->cm_type, key, 1697 signature, data, crypto_kmflag(req))); 1698 } 1699 1700 /* 1701 * RSA Power-Up Self-Test 1702 */ 1703 void 1704 rsa_POST(int *rc) 1705 { 1706 1707 *rc = fips_rsa_post(); 1708 1709 } 1710