1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. 24 */ 25 26 /* 27 * RSA provider for the Kernel Cryptographic Framework (KCF) 28 */ 29 30 #include <sys/types.h> 31 #include <sys/systm.h> 32 #include <sys/modctl.h> 33 #include <sys/cmn_err.h> 34 #include <sys/ddi.h> 35 #include <sys/crypto/spi.h> 36 #include <sys/sysmacros.h> 37 #include <sys/strsun.h> 38 #include <sys/md5.h> 39 #include <sys/sha1.h> 40 #define _SHA2_IMPL 41 #include <sys/sha2.h> 42 #include <sys/random.h> 43 #include <sys/crypto/impl.h> 44 #include <sha1/sha1_impl.h> 45 #include <sha2/sha2_impl.h> 46 #include <padding/padding.h> 47 #define _RSA_FIPS_POST 48 #include <rsa/rsa_impl.h> 49 50 extern struct mod_ops mod_cryptoops; 51 52 /* 53 * Module linkage information for the kernel. 54 */ 55 static struct modlcrypto modlcrypto = { 56 &mod_cryptoops, 57 "RSA Kernel SW Provider" 58 }; 59 60 static struct modlinkage modlinkage = { 61 MODREV_1, 62 (void *)&modlcrypto, 63 NULL 64 }; 65 66 /* 67 * CSPI information (entry points, provider info, etc.) 68 */ 69 typedef enum rsa_mech_type { 70 RSA_PKCS_MECH_INFO_TYPE, /* SUN_CKM_RSA_PKCS */ 71 RSA_X_509_MECH_INFO_TYPE, /* SUN_CKM_RSA_X_509 */ 72 MD5_RSA_PKCS_MECH_INFO_TYPE, /* SUN_MD5_RSA_PKCS */ 73 SHA1_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA1_RSA_PKCS */ 74 SHA256_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA256_RSA_PKCS */ 75 SHA384_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA384_RSA_PKCS */ 76 SHA512_RSA_PKCS_MECH_INFO_TYPE /* SUN_SHA512_RSA_PKCS */ 77 } rsa_mech_type_t; 78 79 /* 80 * Context for RSA_PKCS and RSA_X_509 mechanisms. 81 */ 82 typedef struct rsa_ctx { 83 rsa_mech_type_t mech_type; 84 crypto_key_t *key; 85 size_t keychunk_size; 86 } rsa_ctx_t; 87 88 /* 89 * Context for MD5_RSA_PKCS and SHA*_RSA_PKCS mechanisms. 90 */ 91 typedef struct digest_rsa_ctx { 92 rsa_mech_type_t mech_type; 93 crypto_key_t *key; 94 size_t keychunk_size; 95 union { 96 MD5_CTX md5ctx; 97 SHA1_CTX sha1ctx; 98 SHA2_CTX sha2ctx; 99 } dctx_u; 100 } digest_rsa_ctx_t; 101 102 #define md5_ctx dctx_u.md5ctx 103 #define sha1_ctx dctx_u.sha1ctx 104 #define sha2_ctx dctx_u.sha2ctx 105 106 /* 107 * Mechanism info structure passed to KCF during registration. 108 */ 109 static crypto_mech_info_t rsa_mech_info_tab[] = { 110 /* RSA_PKCS */ 111 {SUN_CKM_RSA_PKCS, RSA_PKCS_MECH_INFO_TYPE, 112 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 113 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC | 114 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 115 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC | 116 CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC | 117 CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC, 118 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 119 120 /* RSA_X_509 */ 121 {SUN_CKM_RSA_X_509, RSA_X_509_MECH_INFO_TYPE, 122 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 123 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC | 124 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 125 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC | 126 CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC | 127 CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC, 128 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 129 130 /* MD5_RSA_PKCS */ 131 {SUN_CKM_MD5_RSA_PKCS, MD5_RSA_PKCS_MECH_INFO_TYPE, 132 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 133 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 134 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 135 136 /* SHA1_RSA_PKCS */ 137 {SUN_CKM_SHA1_RSA_PKCS, SHA1_RSA_PKCS_MECH_INFO_TYPE, 138 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 139 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 140 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 141 142 /* SHA256_RSA_PKCS */ 143 {SUN_CKM_SHA256_RSA_PKCS, SHA256_RSA_PKCS_MECH_INFO_TYPE, 144 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 145 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 146 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 147 148 /* SHA384_RSA_PKCS */ 149 {SUN_CKM_SHA384_RSA_PKCS, SHA384_RSA_PKCS_MECH_INFO_TYPE, 150 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 151 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 152 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 153 154 /* SHA512_RSA_PKCS */ 155 {SUN_CKM_SHA512_RSA_PKCS, SHA512_RSA_PKCS_MECH_INFO_TYPE, 156 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 157 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 158 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS} 159 160 }; 161 162 #define RSA_VALID_MECH(mech) \ 163 (((mech)->cm_type == RSA_PKCS_MECH_INFO_TYPE || \ 164 (mech)->cm_type == RSA_X_509_MECH_INFO_TYPE || \ 165 (mech)->cm_type == MD5_RSA_PKCS_MECH_INFO_TYPE || \ 166 (mech)->cm_type == SHA1_RSA_PKCS_MECH_INFO_TYPE || \ 167 (mech)->cm_type == SHA256_RSA_PKCS_MECH_INFO_TYPE || \ 168 (mech)->cm_type == SHA384_RSA_PKCS_MECH_INFO_TYPE || \ 169 (mech)->cm_type == SHA512_RSA_PKCS_MECH_INFO_TYPE) ? 1 : 0) 170 171 /* operations are in-place if the output buffer is NULL */ 172 #define RSA_ARG_INPLACE(input, output) \ 173 if ((output) == NULL) \ 174 (output) = (input); 175 176 static void rsa_provider_status(crypto_provider_handle_t, uint_t *); 177 178 static crypto_control_ops_t rsa_control_ops = { 179 rsa_provider_status 180 }; 181 182 static int rsa_common_init(crypto_ctx_t *, crypto_mechanism_t *, 183 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 184 static int rsaprov_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 185 crypto_req_handle_t); 186 static int rsa_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t, 187 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 188 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 189 static int rsaprov_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 190 crypto_req_handle_t); 191 static int rsa_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t, 192 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 193 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 194 195 /* 196 * The RSA mechanisms do not have multiple-part cipher operations. 197 * So, the update and final routines are set to NULL. 198 */ 199 static crypto_cipher_ops_t rsa_cipher_ops = { 200 rsa_common_init, 201 rsaprov_encrypt, 202 NULL, 203 NULL, 204 rsa_encrypt_atomic, 205 rsa_common_init, 206 rsaprov_decrypt, 207 NULL, 208 NULL, 209 rsa_decrypt_atomic 210 }; 211 212 static int rsa_sign_verify_common_init(crypto_ctx_t *, crypto_mechanism_t *, 213 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 214 static int rsaprov_sign(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 215 crypto_req_handle_t); 216 static int rsa_sign_update(crypto_ctx_t *, crypto_data_t *, 217 crypto_req_handle_t); 218 static int rsa_sign_final(crypto_ctx_t *, crypto_data_t *, 219 crypto_req_handle_t); 220 static int rsa_sign_atomic(crypto_provider_handle_t, crypto_session_id_t, 221 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, 222 crypto_spi_ctx_template_t, crypto_req_handle_t); 223 224 /* 225 * We use the same routine for sign_init and sign_recover_init fields 226 * as they do the same thing. Same holds for sign and sign_recover fields, 227 * and sign_atomic and sign_recover_atomic fields. 228 */ 229 static crypto_sign_ops_t rsa_sign_ops = { 230 rsa_sign_verify_common_init, 231 rsaprov_sign, 232 rsa_sign_update, 233 rsa_sign_final, 234 rsa_sign_atomic, 235 rsa_sign_verify_common_init, 236 rsaprov_sign, 237 rsa_sign_atomic 238 }; 239 240 static int rsaprov_verify(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 241 crypto_req_handle_t); 242 static int rsa_verify_update(crypto_ctx_t *, crypto_data_t *, 243 crypto_req_handle_t); 244 static int rsa_verify_final(crypto_ctx_t *, crypto_data_t *, 245 crypto_req_handle_t); 246 static int rsa_verify_atomic(crypto_provider_handle_t, crypto_session_id_t, 247 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 248 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 249 static int rsa_verify_recover(crypto_ctx_t *, crypto_data_t *, 250 crypto_data_t *, crypto_req_handle_t); 251 static int rsa_verify_recover_atomic(crypto_provider_handle_t, 252 crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, 253 crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t, 254 crypto_req_handle_t); 255 256 /* 257 * We use the same routine (rsa_sign_verify_common_init) for verify_init 258 * and verify_recover_init fields as they do the same thing. 259 */ 260 static crypto_verify_ops_t rsa_verify_ops = { 261 rsa_sign_verify_common_init, 262 rsaprov_verify, 263 rsa_verify_update, 264 rsa_verify_final, 265 rsa_verify_atomic, 266 rsa_sign_verify_common_init, 267 rsa_verify_recover, 268 rsa_verify_recover_atomic 269 }; 270 271 static int rsa_free_context(crypto_ctx_t *); 272 273 static crypto_ctx_ops_t rsa_ctx_ops = { 274 NULL, 275 rsa_free_context 276 }; 277 278 static void rsa_POST(int *); 279 280 static crypto_fips140_ops_t rsa_fips140_ops = { 281 rsa_POST 282 }; 283 284 static crypto_ops_t rsa_crypto_ops = { 285 &rsa_control_ops, 286 NULL, 287 &rsa_cipher_ops, 288 NULL, 289 &rsa_sign_ops, 290 &rsa_verify_ops, 291 NULL, 292 NULL, 293 NULL, 294 NULL, 295 NULL, 296 NULL, 297 NULL, 298 &rsa_ctx_ops, 299 NULL, 300 NULL, 301 &rsa_fips140_ops 302 }; 303 304 static crypto_provider_info_t rsa_prov_info = { 305 CRYPTO_SPI_VERSION_4, 306 "RSA Software Provider", 307 CRYPTO_SW_PROVIDER, 308 {&modlinkage}, 309 NULL, 310 &rsa_crypto_ops, 311 sizeof (rsa_mech_info_tab)/sizeof (crypto_mech_info_t), 312 rsa_mech_info_tab 313 }; 314 315 static int rsa_encrypt_common(rsa_mech_type_t, crypto_key_t *, 316 crypto_data_t *, crypto_data_t *); 317 static int rsa_decrypt_common(rsa_mech_type_t, crypto_key_t *, 318 crypto_data_t *, crypto_data_t *); 319 static int rsa_sign_common(rsa_mech_type_t, crypto_key_t *, 320 crypto_data_t *, crypto_data_t *); 321 static int rsa_verify_common(rsa_mech_type_t, crypto_key_t *, 322 crypto_data_t *, crypto_data_t *); 323 static int compare_data(crypto_data_t *, uchar_t *); 324 325 /* EXPORT DELETE START */ 326 327 static int core_rsa_encrypt(crypto_key_t *, uchar_t *, int, uchar_t *, int); 328 static int core_rsa_decrypt(crypto_key_t *, uchar_t *, int, uchar_t *); 329 330 /* EXPORT DELETE END */ 331 332 static crypto_kcf_provider_handle_t rsa_prov_handle = NULL; 333 334 int 335 _init(void) 336 { 337 int ret; 338 339 if ((ret = mod_install(&modlinkage)) != 0) 340 return (ret); 341 342 /* Register with KCF. If the registration fails, remove the module. */ 343 if (crypto_register_provider(&rsa_prov_info, &rsa_prov_handle)) { 344 (void) mod_remove(&modlinkage); 345 return (EACCES); 346 } 347 348 return (0); 349 } 350 351 int 352 _fini(void) 353 { 354 /* Unregister from KCF if module is registered */ 355 if (rsa_prov_handle != NULL) { 356 if (crypto_unregister_provider(rsa_prov_handle)) 357 return (EBUSY); 358 359 rsa_prov_handle = NULL; 360 } 361 362 return (mod_remove(&modlinkage)); 363 } 364 365 int 366 _info(struct modinfo *modinfop) 367 { 368 return (mod_info(&modlinkage, modinfop)); 369 } 370 371 /* ARGSUSED */ 372 static void 373 rsa_provider_status(crypto_provider_handle_t provider, uint_t *status) 374 { 375 *status = CRYPTO_PROVIDER_READY; 376 } 377 378 static int 379 check_mech_and_key(crypto_mechanism_t *mechanism, crypto_key_t *key) 380 { 381 int rv = CRYPTO_FAILED; 382 383 /* EXPORT DELETE START */ 384 385 uchar_t *modulus; 386 ssize_t modulus_len; /* In bytes */ 387 388 if (!RSA_VALID_MECH(mechanism)) 389 return (CRYPTO_MECHANISM_INVALID); 390 391 /* 392 * We only support RSA keys that are passed as a list of 393 * object attributes. 394 */ 395 if (key->ck_format != CRYPTO_KEY_ATTR_LIST) { 396 return (CRYPTO_KEY_TYPE_INCONSISTENT); 397 } 398 399 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 400 &modulus_len)) != CRYPTO_SUCCESS) { 401 return (rv); 402 } 403 if (modulus_len < MIN_RSA_KEYLENGTH_IN_BYTES || 404 modulus_len > MAX_RSA_KEYLENGTH_IN_BYTES) 405 return (CRYPTO_KEY_SIZE_RANGE); 406 407 /* EXPORT DELETE END */ 408 409 return (rv); 410 } 411 412 void 413 kmemset(uint8_t *buf, char pattern, size_t len) 414 { 415 int i = 0; 416 417 while (i < len) 418 buf[i++] = pattern; 419 } 420 421 /* 422 * This function guarantees to return non-zero random numbers. 423 * This is needed as the /dev/urandom kernel interface, 424 * random_get_pseudo_bytes(), may return zeros. 425 */ 426 int 427 knzero_random_generator(uint8_t *ran_out, size_t ran_len) 428 { 429 int rv; 430 size_t ebc = 0; /* count of extra bytes in extrarand */ 431 size_t i = 0; 432 uint8_t extrarand[32]; 433 size_t extrarand_len; 434 435 if ((rv = random_get_pseudo_bytes_fips140(ran_out, ran_len)) != 0) 436 return (rv); 437 438 /* 439 * Walk through the returned random numbers pointed by ran_out, 440 * and look for any random number which is zero. 441 * If we find zero, call random_get_pseudo_bytes() to generate 442 * another 32 random numbers pool. Replace any zeros in ran_out[] 443 * from the random number in pool. 444 */ 445 while (i < ran_len) { 446 if (ran_out[i] != 0) { 447 i++; 448 continue; 449 } 450 451 /* 452 * Note that it is 'while' so we are guaranteed a 453 * non-zero value on exit. 454 */ 455 if (ebc == 0) { 456 /* refresh extrarand */ 457 extrarand_len = sizeof (extrarand); 458 if ((rv = random_get_pseudo_bytes_fips140(extrarand, 459 extrarand_len)) != 0) { 460 return (rv); 461 } 462 463 ebc = extrarand_len; 464 } 465 /* Replace zero with byte from extrarand. */ 466 -- ebc; 467 468 /* 469 * The new random byte zero/non-zero will be checked in 470 * the next pass through the loop. 471 */ 472 ran_out[i] = extrarand[ebc]; 473 } 474 475 return (CRYPTO_SUCCESS); 476 } 477 478 static int 479 compare_data(crypto_data_t *data, uchar_t *buf) 480 { 481 int len; 482 uchar_t *dptr; 483 484 len = data->cd_length; 485 switch (data->cd_format) { 486 case CRYPTO_DATA_RAW: 487 dptr = (uchar_t *)(data->cd_raw.iov_base + 488 data->cd_offset); 489 490 return (bcmp(dptr, buf, len)); 491 492 case CRYPTO_DATA_UIO: 493 return (crypto_uio_data(data, buf, len, 494 COMPARE_TO_DATA, NULL, NULL)); 495 496 case CRYPTO_DATA_MBLK: 497 return (crypto_mblk_data(data, buf, len, 498 COMPARE_TO_DATA, NULL, NULL)); 499 } 500 501 return (CRYPTO_FAILED); 502 } 503 504 /* ARGSUSED */ 505 static int 506 rsa_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 507 crypto_key_t *key, crypto_spi_ctx_template_t template, 508 crypto_req_handle_t req) 509 { 510 int rv; 511 int kmflag; 512 rsa_ctx_t *ctxp; 513 514 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 515 return (rv); 516 517 /* 518 * Allocate a RSA context. 519 */ 520 kmflag = crypto_kmflag(req); 521 if ((ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag)) == NULL) 522 return (CRYPTO_HOST_MEMORY); 523 524 if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size, 525 kmflag)) != CRYPTO_SUCCESS) { 526 kmem_free(ctxp, sizeof (rsa_ctx_t)); 527 return (rv); 528 } 529 ctxp->mech_type = mechanism->cm_type; 530 531 ctx->cc_provider_private = ctxp; 532 533 return (CRYPTO_SUCCESS); 534 } 535 536 /* ARGSUSED */ 537 static int 538 rsaprov_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext, 539 crypto_data_t *ciphertext, crypto_req_handle_t req) 540 { 541 int rv; 542 rsa_ctx_t *ctxp; 543 544 ASSERT(ctx->cc_provider_private != NULL); 545 ctxp = ctx->cc_provider_private; 546 547 RSA_ARG_INPLACE(plaintext, ciphertext); 548 549 /* 550 * Note on the KM_SLEEP flag passed to the routine below - 551 * rsaprov_encrypt() is a single-part encryption routine which is 552 * currently usable only by /dev/crypto. Since /dev/crypto calls are 553 * always synchronous, we can safely pass KM_SLEEP here. 554 */ 555 rv = rsa_encrypt_common(ctxp->mech_type, ctxp->key, plaintext, 556 ciphertext); 557 558 if (rv != CRYPTO_BUFFER_TOO_SMALL) 559 (void) rsa_free_context(ctx); 560 561 return (rv); 562 } 563 564 /* ARGSUSED */ 565 static int 566 rsa_encrypt_atomic(crypto_provider_handle_t provider, 567 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 568 crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext, 569 crypto_spi_ctx_template_t template, crypto_req_handle_t req) 570 { 571 int rv; 572 573 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 574 return (rv); 575 RSA_ARG_INPLACE(plaintext, ciphertext); 576 577 return (rsa_encrypt_common(mechanism->cm_type, key, plaintext, 578 ciphertext)); 579 } 580 581 static int 582 rsa_free_context(crypto_ctx_t *ctx) 583 { 584 rsa_ctx_t *ctxp = ctx->cc_provider_private; 585 586 if (ctxp != NULL) { 587 bzero(ctxp->key, ctxp->keychunk_size); 588 kmem_free(ctxp->key, ctxp->keychunk_size); 589 590 if (ctxp->mech_type == RSA_PKCS_MECH_INFO_TYPE || 591 ctxp->mech_type == RSA_X_509_MECH_INFO_TYPE) 592 kmem_free(ctxp, sizeof (rsa_ctx_t)); 593 else 594 kmem_free(ctxp, sizeof (digest_rsa_ctx_t)); 595 596 ctx->cc_provider_private = NULL; 597 } 598 599 return (CRYPTO_SUCCESS); 600 } 601 602 static int 603 rsa_encrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key, 604 crypto_data_t *plaintext, crypto_data_t *ciphertext) 605 { 606 int rv = CRYPTO_FAILED; 607 608 /* EXPORT DELETE START */ 609 610 int plen; 611 uchar_t *ptptr; 612 uchar_t *modulus; 613 ssize_t modulus_len; 614 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 615 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 616 uchar_t cipher_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 617 618 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 619 &modulus_len)) != CRYPTO_SUCCESS) { 620 return (rv); 621 } 622 623 plen = plaintext->cd_length; 624 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 625 if (plen > (modulus_len - MIN_PKCS1_PADLEN)) 626 return (CRYPTO_DATA_LEN_RANGE); 627 } else { 628 if (plen > modulus_len) 629 return (CRYPTO_DATA_LEN_RANGE); 630 } 631 632 /* 633 * Output buf len must not be less than RSA modulus size. 634 */ 635 if (ciphertext->cd_length < modulus_len) { 636 ciphertext->cd_length = modulus_len; 637 return (CRYPTO_BUFFER_TOO_SMALL); 638 } 639 640 ASSERT(plaintext->cd_length <= sizeof (tmp_data)); 641 if ((rv = crypto_get_input_data(plaintext, &ptptr, tmp_data)) 642 != CRYPTO_SUCCESS) 643 return (rv); 644 645 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 646 rv = pkcs1_encode(PKCS1_ENCRYPT, ptptr, plen, 647 plain_data, modulus_len); 648 649 if (rv != CRYPTO_SUCCESS) 650 return (rv); 651 } else { 652 bzero(plain_data, modulus_len - plen); 653 bcopy(ptptr, &plain_data[modulus_len - plen], plen); 654 } 655 656 rv = core_rsa_encrypt(key, plain_data, modulus_len, cipher_data, 1); 657 if (rv == CRYPTO_SUCCESS) { 658 /* copy out to ciphertext */ 659 if ((rv = crypto_put_output_data(cipher_data, 660 ciphertext, modulus_len)) != CRYPTO_SUCCESS) 661 return (rv); 662 663 ciphertext->cd_length = modulus_len; 664 } 665 666 /* EXPORT DELETE END */ 667 668 return (rv); 669 } 670 671 /* EXPORT DELETE START */ 672 673 static int 674 core_rsa_encrypt(crypto_key_t *key, uchar_t *in, 675 int in_len, uchar_t *out, int is_public) 676 { 677 int rv; 678 uchar_t *expo, *modulus; 679 ssize_t expo_len; 680 ssize_t modulus_len; 681 RSAbytekey k; 682 683 if (is_public) { 684 if ((rv = crypto_get_key_attr(key, SUN_CKA_PUBLIC_EXPONENT, 685 &expo, &expo_len)) != CRYPTO_SUCCESS) 686 return (rv); 687 } else { 688 /* 689 * SUN_CKA_PRIVATE_EXPONENT is a required attribute for a 690 * RSA secret key. See the comments in core_rsa_decrypt 691 * routine which calls this routine with a private key. 692 */ 693 if ((rv = crypto_get_key_attr(key, SUN_CKA_PRIVATE_EXPONENT, 694 &expo, &expo_len)) != CRYPTO_SUCCESS) 695 return (rv); 696 } 697 698 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 699 &modulus_len)) != CRYPTO_SUCCESS) { 700 return (rv); 701 } 702 703 k.modulus = modulus; 704 k.modulus_bits = CRYPTO_BYTES2BITS(modulus_len); 705 k.pubexpo = expo; 706 k.pubexpo_bytes = expo_len; 707 k.rfunc = NULL; 708 709 rv = rsa_encrypt(&k, in, in_len, out); 710 711 return (rv); 712 } 713 714 /* EXPORT DELETE END */ 715 716 /* ARGSUSED */ 717 static int 718 rsaprov_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext, 719 crypto_data_t *plaintext, crypto_req_handle_t req) 720 { 721 int rv; 722 rsa_ctx_t *ctxp; 723 724 ASSERT(ctx->cc_provider_private != NULL); 725 ctxp = ctx->cc_provider_private; 726 727 RSA_ARG_INPLACE(ciphertext, plaintext); 728 729 /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */ 730 rv = rsa_decrypt_common(ctxp->mech_type, ctxp->key, 731 ciphertext, plaintext); 732 733 if (rv != CRYPTO_BUFFER_TOO_SMALL) 734 (void) rsa_free_context(ctx); 735 736 return (rv); 737 } 738 739 /* ARGSUSED */ 740 static int 741 rsa_decrypt_atomic(crypto_provider_handle_t provider, 742 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 743 crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext, 744 crypto_spi_ctx_template_t template, crypto_req_handle_t req) 745 { 746 int rv; 747 748 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 749 return (rv); 750 RSA_ARG_INPLACE(ciphertext, plaintext); 751 752 return (rsa_decrypt_common(mechanism->cm_type, key, ciphertext, 753 plaintext)); 754 } 755 756 static int 757 rsa_decrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key, 758 crypto_data_t *ciphertext, crypto_data_t *plaintext) 759 { 760 int rv = CRYPTO_FAILED; 761 762 /* EXPORT DELETE START */ 763 764 size_t plain_len; 765 uchar_t *ctptr; 766 uchar_t *modulus; 767 ssize_t modulus_len; 768 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 769 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 770 771 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 772 &modulus_len)) != CRYPTO_SUCCESS) { 773 return (rv); 774 } 775 776 /* 777 * Ciphertext length must be equal to RSA modulus size. 778 */ 779 if (ciphertext->cd_length != modulus_len) 780 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE); 781 782 ASSERT(ciphertext->cd_length <= sizeof (tmp_data)); 783 if ((rv = crypto_get_input_data(ciphertext, &ctptr, tmp_data)) 784 != CRYPTO_SUCCESS) 785 return (rv); 786 787 rv = core_rsa_decrypt(key, ctptr, modulus_len, plain_data); 788 if (rv == CRYPTO_SUCCESS) { 789 plain_len = modulus_len; 790 791 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 792 /* Strip off the PKCS block formatting data. */ 793 rv = pkcs1_decode(PKCS1_DECRYPT, plain_data, 794 &plain_len); 795 if (rv != CRYPTO_SUCCESS) 796 return (rv); 797 } 798 799 if (plain_len > plaintext->cd_length) { 800 plaintext->cd_length = plain_len; 801 return (CRYPTO_BUFFER_TOO_SMALL); 802 } 803 804 if ((rv = crypto_put_output_data( 805 plain_data + modulus_len - plain_len, 806 plaintext, plain_len)) != CRYPTO_SUCCESS) 807 return (rv); 808 809 plaintext->cd_length = plain_len; 810 } 811 812 /* EXPORT DELETE END */ 813 814 return (rv); 815 } 816 817 /* EXPORT DELETE START */ 818 819 static int 820 core_rsa_decrypt(crypto_key_t *key, uchar_t *in, int in_len, uchar_t *out) 821 { 822 int rv; 823 uchar_t *modulus, *prime1, *prime2, *expo1, *expo2, *coef; 824 ssize_t modulus_len; 825 ssize_t prime1_len, prime2_len; 826 ssize_t expo1_len, expo2_len, coef_len; 827 RSAbytekey k; 828 829 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 830 &modulus_len)) != CRYPTO_SUCCESS) { 831 return (rv); 832 } 833 834 /* 835 * The following attributes are not required to be 836 * present in a RSA secret key. If any of them is not present 837 * we call the encrypt routine with a flag indicating use of 838 * private exponent (d). Note that SUN_CKA_PRIVATE_EXPONENT is 839 * a required attribute for a RSA secret key. 840 */ 841 if ((crypto_get_key_attr(key, SUN_CKA_PRIME_1, &prime1, &prime1_len) 842 != CRYPTO_SUCCESS) || 843 (crypto_get_key_attr(key, SUN_CKA_PRIME_2, &prime2, &prime2_len) 844 != CRYPTO_SUCCESS) || 845 (crypto_get_key_attr(key, SUN_CKA_EXPONENT_1, &expo1, &expo1_len) 846 != CRYPTO_SUCCESS) || 847 (crypto_get_key_attr(key, SUN_CKA_EXPONENT_2, &expo2, &expo2_len) 848 != CRYPTO_SUCCESS) || 849 (crypto_get_key_attr(key, SUN_CKA_COEFFICIENT, &coef, &coef_len) 850 != CRYPTO_SUCCESS)) { 851 return (core_rsa_encrypt(key, in, in_len, out, 0)); 852 } 853 854 k.modulus = modulus; 855 k.modulus_bits = CRYPTO_BYTES2BITS(modulus_len); 856 k.prime1 = prime1; 857 k.prime1_bytes = prime1_len; 858 k.prime2 = prime2; 859 k.prime2_bytes = prime2_len; 860 k.expo1 = expo1; 861 k.expo1_bytes = expo1_len; 862 k.expo2 = expo2; 863 k.expo2_bytes = expo2_len; 864 k.coeff = coef; 865 k.coeff_bytes = coef_len; 866 k.rfunc = NULL; 867 868 rv = rsa_decrypt(&k, in, in_len, out); 869 870 return (rv); 871 } 872 873 /* EXPORT DELETE END */ 874 875 /* ARGSUSED */ 876 static int 877 rsa_sign_verify_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 878 crypto_key_t *key, crypto_spi_ctx_template_t ctx_template, 879 crypto_req_handle_t req) 880 { 881 int rv; 882 int kmflag; 883 rsa_ctx_t *ctxp; 884 digest_rsa_ctx_t *dctxp; 885 886 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 887 return (rv); 888 889 /* 890 * Allocate a RSA context. 891 */ 892 kmflag = crypto_kmflag(req); 893 switch (mechanism->cm_type) { 894 case MD5_RSA_PKCS_MECH_INFO_TYPE: 895 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 896 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 897 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 898 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 899 dctxp = kmem_zalloc(sizeof (digest_rsa_ctx_t), kmflag); 900 ctxp = (rsa_ctx_t *)dctxp; 901 break; 902 default: 903 ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag); 904 break; 905 } 906 907 if (ctxp == NULL) 908 return (CRYPTO_HOST_MEMORY); 909 910 ctxp->mech_type = mechanism->cm_type; 911 if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size, 912 kmflag)) != CRYPTO_SUCCESS) { 913 switch (mechanism->cm_type) { 914 case MD5_RSA_PKCS_MECH_INFO_TYPE: 915 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 916 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 917 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 918 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 919 kmem_free(dctxp, sizeof (digest_rsa_ctx_t)); 920 break; 921 default: 922 kmem_free(ctxp, sizeof (rsa_ctx_t)); 923 break; 924 } 925 return (rv); 926 } 927 928 switch (mechanism->cm_type) { 929 case MD5_RSA_PKCS_MECH_INFO_TYPE: 930 MD5Init(&(dctxp->md5_ctx)); 931 break; 932 933 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 934 SHA1Init(&(dctxp->sha1_ctx)); 935 break; 936 937 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 938 SHA2Init(SHA256, &(dctxp->sha2_ctx)); 939 break; 940 941 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 942 SHA2Init(SHA384, &(dctxp->sha2_ctx)); 943 break; 944 945 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 946 SHA2Init(SHA512, &(dctxp->sha2_ctx)); 947 break; 948 } 949 950 ctx->cc_provider_private = ctxp; 951 952 return (CRYPTO_SUCCESS); 953 } 954 955 #define SHA1_DIGEST_SIZE 20 956 #define MD5_DIGEST_SIZE 16 957 958 #define INIT_RAW_CRYPTO_DATA(data, base, len, cd_len) \ 959 (data).cd_format = CRYPTO_DATA_RAW; \ 960 (data).cd_offset = 0; \ 961 (data).cd_raw.iov_base = (char *)base; \ 962 (data).cd_raw.iov_len = len; \ 963 (data).cd_length = cd_len; 964 965 static int 966 rsa_digest_svrfy_common(digest_rsa_ctx_t *ctxp, crypto_data_t *data, 967 crypto_data_t *signature, uchar_t flag) 968 { 969 int rv = CRYPTO_FAILED; 970 971 /* EXPORT DELETE START */ 972 973 uchar_t digest[SHA512_DIGEST_LENGTH]; 974 /* The der_data size is enough for MD5 also */ 975 uchar_t der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len]; 976 ulong_t der_data_len; 977 crypto_data_t der_cd; 978 rsa_mech_type_t mech_type; 979 980 ASSERT(flag & CRYPTO_DO_SIGN || flag & CRYPTO_DO_VERIFY); 981 ASSERT(data != NULL || (flag & CRYPTO_DO_FINAL)); 982 983 mech_type = ctxp->mech_type; 984 if (mech_type == RSA_PKCS_MECH_INFO_TYPE || 985 mech_type == RSA_X_509_MECH_INFO_TYPE) 986 return (CRYPTO_MECHANISM_INVALID); 987 988 /* 989 * We need to do the BUFFER_TOO_SMALL check before digesting 990 * the data. No check is needed for verify as signature is not 991 * an output argument for verify. 992 */ 993 if (flag & CRYPTO_DO_SIGN) { 994 uchar_t *modulus; 995 ssize_t modulus_len; 996 997 if ((rv = crypto_get_key_attr(ctxp->key, SUN_CKA_MODULUS, 998 &modulus, &modulus_len)) != CRYPTO_SUCCESS) { 999 return (rv); 1000 } 1001 1002 if (signature->cd_length < modulus_len) { 1003 signature->cd_length = modulus_len; 1004 return (CRYPTO_BUFFER_TOO_SMALL); 1005 } 1006 } 1007 1008 if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE) 1009 rv = crypto_digest_data(data, &(ctxp->md5_ctx), 1010 digest, MD5Update, MD5Final, flag | CRYPTO_DO_MD5); 1011 1012 else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE) 1013 rv = crypto_digest_data(data, &(ctxp->sha1_ctx), 1014 digest, SHA1Update, SHA1Final, flag | CRYPTO_DO_SHA1); 1015 1016 else 1017 rv = crypto_digest_data(data, &(ctxp->sha2_ctx), 1018 digest, SHA2Update, SHA2Final, flag | CRYPTO_DO_SHA2); 1019 1020 if (rv != CRYPTO_SUCCESS) 1021 return (rv); 1022 1023 1024 /* 1025 * Prepare the DER encoding of the DigestInfo value as follows: 1026 * MD5: MD5_DER_PREFIX || H 1027 * SHA-1: SHA1_DER_PREFIX || H 1028 * 1029 * See rsa_impl.c for more details. 1030 */ 1031 switch (mech_type) { 1032 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1033 bcopy(MD5_DER_PREFIX, der_data, MD5_DER_PREFIX_Len); 1034 bcopy(digest, der_data + MD5_DER_PREFIX_Len, MD5_DIGEST_SIZE); 1035 der_data_len = MD5_DER_PREFIX_Len + MD5_DIGEST_SIZE; 1036 break; 1037 1038 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1039 bcopy(SHA1_DER_PREFIX, der_data, SHA1_DER_PREFIX_Len); 1040 bcopy(digest, der_data + SHA1_DER_PREFIX_Len, 1041 SHA1_DIGEST_SIZE); 1042 der_data_len = SHA1_DER_PREFIX_Len + SHA1_DIGEST_SIZE; 1043 break; 1044 1045 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1046 bcopy(SHA256_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len); 1047 bcopy(digest, der_data + SHA2_DER_PREFIX_Len, 1048 SHA256_DIGEST_LENGTH); 1049 der_data_len = SHA2_DER_PREFIX_Len + SHA256_DIGEST_LENGTH; 1050 break; 1051 1052 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1053 bcopy(SHA384_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len); 1054 bcopy(digest, der_data + SHA2_DER_PREFIX_Len, 1055 SHA384_DIGEST_LENGTH); 1056 der_data_len = SHA2_DER_PREFIX_Len + SHA384_DIGEST_LENGTH; 1057 break; 1058 1059 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1060 bcopy(SHA512_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len); 1061 bcopy(digest, der_data + SHA2_DER_PREFIX_Len, 1062 SHA512_DIGEST_LENGTH); 1063 der_data_len = SHA2_DER_PREFIX_Len + SHA512_DIGEST_LENGTH; 1064 break; 1065 } 1066 1067 INIT_RAW_CRYPTO_DATA(der_cd, der_data, der_data_len, der_data_len); 1068 /* 1069 * Now, we are ready to sign or verify the DER_ENCODED data. 1070 */ 1071 if (flag & CRYPTO_DO_SIGN) 1072 rv = rsa_sign_common(mech_type, ctxp->key, &der_cd, 1073 signature); 1074 else 1075 rv = rsa_verify_common(mech_type, ctxp->key, &der_cd, 1076 signature); 1077 1078 /* EXPORT DELETE END */ 1079 1080 return (rv); 1081 } 1082 1083 static int 1084 rsa_sign_common(rsa_mech_type_t mech_type, crypto_key_t *key, 1085 crypto_data_t *data, crypto_data_t *signature) 1086 { 1087 int rv = CRYPTO_FAILED; 1088 1089 /* EXPORT DELETE START */ 1090 1091 int dlen; 1092 uchar_t *dataptr, *modulus; 1093 ssize_t modulus_len; 1094 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1095 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1096 uchar_t signed_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1097 1098 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1099 &modulus_len)) != CRYPTO_SUCCESS) { 1100 return (rv); 1101 } 1102 1103 dlen = data->cd_length; 1104 switch (mech_type) { 1105 case RSA_PKCS_MECH_INFO_TYPE: 1106 if (dlen > (modulus_len - MIN_PKCS1_PADLEN)) 1107 return (CRYPTO_DATA_LEN_RANGE); 1108 break; 1109 case RSA_X_509_MECH_INFO_TYPE: 1110 if (dlen > modulus_len) 1111 return (CRYPTO_DATA_LEN_RANGE); 1112 break; 1113 } 1114 1115 if (signature->cd_length < modulus_len) { 1116 signature->cd_length = modulus_len; 1117 return (CRYPTO_BUFFER_TOO_SMALL); 1118 } 1119 1120 ASSERT(data->cd_length <= sizeof (tmp_data)); 1121 if ((rv = crypto_get_input_data(data, &dataptr, tmp_data)) 1122 != CRYPTO_SUCCESS) 1123 return (rv); 1124 1125 switch (mech_type) { 1126 case RSA_PKCS_MECH_INFO_TYPE: 1127 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1128 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1129 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1130 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1131 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1132 /* 1133 * Add PKCS padding to the input data to format a block 1134 * type "01" encryption block. 1135 */ 1136 rv = pkcs1_encode(PKCS1_SIGN, dataptr, dlen, plain_data, 1137 modulus_len); 1138 if (rv != CRYPTO_SUCCESS) 1139 return (rv); 1140 1141 break; 1142 1143 case RSA_X_509_MECH_INFO_TYPE: 1144 bzero(plain_data, modulus_len - dlen); 1145 bcopy(dataptr, &plain_data[modulus_len - dlen], dlen); 1146 break; 1147 } 1148 1149 rv = core_rsa_decrypt(key, plain_data, modulus_len, signed_data); 1150 if (rv == CRYPTO_SUCCESS) { 1151 /* copy out to signature */ 1152 if ((rv = crypto_put_output_data(signed_data, 1153 signature, modulus_len)) != CRYPTO_SUCCESS) 1154 return (rv); 1155 1156 signature->cd_length = modulus_len; 1157 } 1158 1159 /* EXPORT DELETE END */ 1160 1161 return (rv); 1162 } 1163 1164 /* ARGSUSED */ 1165 static int 1166 rsaprov_sign(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature, 1167 crypto_req_handle_t req) 1168 { 1169 int rv; 1170 rsa_ctx_t *ctxp; 1171 1172 ASSERT(ctx->cc_provider_private != NULL); 1173 ctxp = ctx->cc_provider_private; 1174 1175 /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */ 1176 switch (ctxp->mech_type) { 1177 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1178 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1179 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1180 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1181 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1182 rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data, 1183 signature, CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE | 1184 CRYPTO_DO_FINAL); 1185 break; 1186 default: 1187 rv = rsa_sign_common(ctxp->mech_type, ctxp->key, data, 1188 signature); 1189 break; 1190 } 1191 1192 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1193 (void) rsa_free_context(ctx); 1194 1195 return (rv); 1196 } 1197 1198 /* ARGSUSED */ 1199 static int 1200 rsa_sign_update(crypto_ctx_t *ctx, crypto_data_t *data, crypto_req_handle_t req) 1201 { 1202 int rv; 1203 digest_rsa_ctx_t *ctxp; 1204 rsa_mech_type_t mech_type; 1205 1206 ASSERT(ctx->cc_provider_private != NULL); 1207 ctxp = ctx->cc_provider_private; 1208 mech_type = ctxp->mech_type; 1209 1210 if (mech_type == RSA_PKCS_MECH_INFO_TYPE || 1211 mech_type == RSA_X_509_MECH_INFO_TYPE) 1212 return (CRYPTO_MECHANISM_INVALID); 1213 1214 if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE) 1215 rv = crypto_digest_data(data, &(ctxp->md5_ctx), 1216 NULL, MD5Update, MD5Final, 1217 CRYPTO_DO_MD5 | CRYPTO_DO_UPDATE); 1218 1219 else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE) 1220 rv = crypto_digest_data(data, &(ctxp->sha1_ctx), 1221 NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 | 1222 CRYPTO_DO_UPDATE); 1223 1224 else 1225 rv = crypto_digest_data(data, &(ctxp->sha2_ctx), 1226 NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 | 1227 CRYPTO_DO_UPDATE); 1228 1229 return (rv); 1230 } 1231 1232 /* ARGSUSED2 */ 1233 static int 1234 rsa_sign_final(crypto_ctx_t *ctx, crypto_data_t *signature, 1235 crypto_req_handle_t req) 1236 { 1237 int rv; 1238 digest_rsa_ctx_t *ctxp; 1239 1240 ASSERT(ctx->cc_provider_private != NULL); 1241 ctxp = ctx->cc_provider_private; 1242 1243 rv = rsa_digest_svrfy_common(ctxp, NULL, signature, 1244 CRYPTO_DO_SIGN | CRYPTO_DO_FINAL); 1245 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1246 (void) rsa_free_context(ctx); 1247 1248 return (rv); 1249 } 1250 1251 /* ARGSUSED */ 1252 static int 1253 rsa_sign_atomic(crypto_provider_handle_t provider, 1254 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1255 crypto_key_t *key, crypto_data_t *data, crypto_data_t *signature, 1256 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) 1257 { 1258 int rv; 1259 digest_rsa_ctx_t dctx; 1260 1261 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1262 return (rv); 1263 1264 if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE || 1265 mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE) 1266 rv = rsa_sign_common(mechanism->cm_type, key, data, 1267 signature); 1268 1269 else { 1270 dctx.mech_type = mechanism->cm_type; 1271 dctx.key = key; 1272 switch (mechanism->cm_type) { 1273 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1274 MD5Init(&(dctx.md5_ctx)); 1275 break; 1276 1277 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1278 SHA1Init(&(dctx.sha1_ctx)); 1279 break; 1280 1281 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1282 SHA2Init(SHA256, &(dctx.sha2_ctx)); 1283 break; 1284 1285 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1286 SHA2Init(SHA384, &(dctx.sha2_ctx)); 1287 break; 1288 1289 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1290 SHA2Init(SHA512, &(dctx.sha2_ctx)); 1291 break; 1292 } 1293 1294 rv = rsa_digest_svrfy_common(&dctx, data, signature, 1295 CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL); 1296 } 1297 1298 return (rv); 1299 } 1300 1301 static int 1302 rsa_verify_common(rsa_mech_type_t mech_type, crypto_key_t *key, 1303 crypto_data_t *data, crypto_data_t *signature) 1304 { 1305 int rv = CRYPTO_FAILED; 1306 1307 /* EXPORT DELETE START */ 1308 1309 uchar_t *sigptr, *modulus; 1310 ssize_t modulus_len; 1311 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1312 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1313 1314 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1315 &modulus_len)) != CRYPTO_SUCCESS) { 1316 return (rv); 1317 } 1318 1319 if (signature->cd_length != modulus_len) 1320 return (CRYPTO_SIGNATURE_LEN_RANGE); 1321 1322 ASSERT(signature->cd_length <= sizeof (tmp_data)); 1323 if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data)) 1324 != CRYPTO_SUCCESS) 1325 return (rv); 1326 1327 rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, 1); 1328 if (rv != CRYPTO_SUCCESS) 1329 return (rv); 1330 1331 if (mech_type == RSA_X_509_MECH_INFO_TYPE) { 1332 if (compare_data(data, (plain_data + modulus_len 1333 - data->cd_length)) != 0) 1334 rv = CRYPTO_SIGNATURE_INVALID; 1335 1336 } else { 1337 size_t data_len = modulus_len; 1338 1339 /* 1340 * Strip off the encoded padding bytes in front of the 1341 * recovered data, then compare the recovered data with 1342 * the original data. 1343 */ 1344 rv = pkcs1_decode(PKCS1_VERIFY, plain_data, &data_len); 1345 if (rv != CRYPTO_SUCCESS) 1346 return (rv); 1347 1348 if (data_len != data->cd_length) 1349 return (CRYPTO_SIGNATURE_LEN_RANGE); 1350 1351 if (compare_data(data, (plain_data + modulus_len 1352 - data_len)) != 0) 1353 rv = CRYPTO_SIGNATURE_INVALID; 1354 } 1355 1356 /* EXPORT DELETE END */ 1357 1358 return (rv); 1359 } 1360 1361 /* ARGSUSED */ 1362 static int 1363 rsaprov_verify(crypto_ctx_t *ctx, crypto_data_t *data, 1364 crypto_data_t *signature, crypto_req_handle_t req) 1365 { 1366 int rv; 1367 rsa_ctx_t *ctxp; 1368 1369 ASSERT(ctx->cc_provider_private != NULL); 1370 ctxp = ctx->cc_provider_private; 1371 1372 /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */ 1373 switch (ctxp->mech_type) { 1374 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1375 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1376 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1377 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1378 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1379 rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data, 1380 signature, CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | 1381 CRYPTO_DO_FINAL); 1382 break; 1383 default: 1384 rv = rsa_verify_common(ctxp->mech_type, ctxp->key, data, 1385 signature); 1386 break; 1387 } 1388 1389 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1390 (void) rsa_free_context(ctx); 1391 1392 return (rv); 1393 } 1394 1395 /* ARGSUSED */ 1396 static int 1397 rsa_verify_update(crypto_ctx_t *ctx, crypto_data_t *data, 1398 crypto_req_handle_t req) 1399 { 1400 int rv; 1401 digest_rsa_ctx_t *ctxp; 1402 1403 ASSERT(ctx->cc_provider_private != NULL); 1404 ctxp = ctx->cc_provider_private; 1405 1406 switch (ctxp->mech_type) { 1407 1408 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1409 rv = crypto_digest_data(data, &(ctxp->md5_ctx), 1410 NULL, MD5Update, MD5Final, CRYPTO_DO_MD5 | 1411 CRYPTO_DO_UPDATE); 1412 break; 1413 1414 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1415 rv = crypto_digest_data(data, &(ctxp->sha1_ctx), 1416 NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 | 1417 CRYPTO_DO_UPDATE); 1418 break; 1419 1420 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1421 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1422 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1423 rv = crypto_digest_data(data, &(ctxp->sha2_ctx), 1424 NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 | 1425 CRYPTO_DO_UPDATE); 1426 break; 1427 1428 default: 1429 return (CRYPTO_MECHANISM_INVALID); 1430 } 1431 1432 return (rv); 1433 } 1434 1435 /* ARGSUSED2 */ 1436 static int 1437 rsa_verify_final(crypto_ctx_t *ctx, crypto_data_t *signature, 1438 crypto_req_handle_t req) 1439 { 1440 int rv; 1441 digest_rsa_ctx_t *ctxp; 1442 1443 ASSERT(ctx->cc_provider_private != NULL); 1444 ctxp = ctx->cc_provider_private; 1445 1446 rv = rsa_digest_svrfy_common(ctxp, NULL, signature, 1447 CRYPTO_DO_VERIFY | CRYPTO_DO_FINAL); 1448 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1449 (void) rsa_free_context(ctx); 1450 1451 return (rv); 1452 } 1453 1454 1455 /* ARGSUSED */ 1456 static int 1457 rsa_verify_atomic(crypto_provider_handle_t provider, 1458 crypto_session_id_t session_id, 1459 crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, 1460 crypto_data_t *signature, crypto_spi_ctx_template_t ctx_template, 1461 crypto_req_handle_t req) 1462 { 1463 int rv; 1464 digest_rsa_ctx_t dctx; 1465 1466 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1467 return (rv); 1468 1469 if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE || 1470 mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE) 1471 rv = rsa_verify_common(mechanism->cm_type, key, data, 1472 signature); 1473 1474 else { 1475 dctx.mech_type = mechanism->cm_type; 1476 dctx.key = key; 1477 1478 switch (mechanism->cm_type) { 1479 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1480 MD5Init(&(dctx.md5_ctx)); 1481 break; 1482 1483 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1484 SHA1Init(&(dctx.sha1_ctx)); 1485 break; 1486 1487 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1488 SHA2Init(SHA256, &(dctx.sha2_ctx)); 1489 break; 1490 1491 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1492 SHA2Init(SHA384, &(dctx.sha2_ctx)); 1493 break; 1494 1495 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1496 SHA2Init(SHA512, &(dctx.sha2_ctx)); 1497 break; 1498 } 1499 1500 rv = rsa_digest_svrfy_common(&dctx, data, signature, 1501 CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL); 1502 } 1503 1504 return (rv); 1505 } 1506 1507 static int 1508 rsa_verify_recover_common(rsa_mech_type_t mech_type, crypto_key_t *key, 1509 crypto_data_t *signature, crypto_data_t *data) 1510 { 1511 int rv = CRYPTO_FAILED; 1512 1513 /* EXPORT DELETE START */ 1514 1515 size_t data_len; 1516 uchar_t *sigptr, *modulus; 1517 ssize_t modulus_len; 1518 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1519 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1520 1521 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1522 &modulus_len)) != CRYPTO_SUCCESS) { 1523 return (rv); 1524 } 1525 1526 if (signature->cd_length != modulus_len) 1527 return (CRYPTO_SIGNATURE_LEN_RANGE); 1528 1529 ASSERT(signature->cd_length <= sizeof (tmp_data)); 1530 if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data)) 1531 != CRYPTO_SUCCESS) 1532 return (rv); 1533 1534 rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, 1); 1535 if (rv != CRYPTO_SUCCESS) 1536 return (rv); 1537 1538 data_len = modulus_len; 1539 1540 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 1541 /* 1542 * Strip off the encoded padding bytes in front of the 1543 * recovered data, then compare the recovered data with 1544 * the original data. 1545 */ 1546 rv = pkcs1_decode(PKCS1_VERIFY, plain_data, &data_len); 1547 if (rv != CRYPTO_SUCCESS) 1548 return (rv); 1549 } 1550 1551 if (data->cd_length < data_len) { 1552 data->cd_length = data_len; 1553 return (CRYPTO_BUFFER_TOO_SMALL); 1554 } 1555 1556 if ((rv = crypto_put_output_data(plain_data + modulus_len - data_len, 1557 data, data_len)) != CRYPTO_SUCCESS) 1558 return (rv); 1559 data->cd_length = data_len; 1560 1561 /* EXPORT DELETE END */ 1562 1563 return (rv); 1564 } 1565 1566 /* ARGSUSED */ 1567 static int 1568 rsa_verify_recover(crypto_ctx_t *ctx, crypto_data_t *signature, 1569 crypto_data_t *data, crypto_req_handle_t req) 1570 { 1571 int rv; 1572 rsa_ctx_t *ctxp; 1573 1574 ASSERT(ctx->cc_provider_private != NULL); 1575 ctxp = ctx->cc_provider_private; 1576 1577 /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */ 1578 rv = rsa_verify_recover_common(ctxp->mech_type, ctxp->key, 1579 signature, data); 1580 1581 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1582 (void) rsa_free_context(ctx); 1583 1584 return (rv); 1585 } 1586 1587 /* ARGSUSED */ 1588 static int 1589 rsa_verify_recover_atomic(crypto_provider_handle_t provider, 1590 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1591 crypto_key_t *key, crypto_data_t *signature, crypto_data_t *data, 1592 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) 1593 { 1594 int rv; 1595 1596 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1597 return (rv); 1598 1599 return (rsa_verify_recover_common(mechanism->cm_type, key, 1600 signature, data)); 1601 } 1602 1603 /* 1604 * RSA Power-On Self-Test 1605 */ 1606 void 1607 rsa_POST(int *rc) 1608 { 1609 1610 *rc = fips_rsa_post(); 1611 1612 } 1613