1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * RSA provider for the Kernel Cryptographic Framework (KCF) 28 */ 29 30 #include <sys/types.h> 31 #include <sys/systm.h> 32 #include <sys/modctl.h> 33 #include <sys/cmn_err.h> 34 #include <sys/ddi.h> 35 #include <sys/crypto/spi.h> 36 #include <sys/sysmacros.h> 37 #include <sys/strsun.h> 38 #include <sys/md5.h> 39 #include <sys/sha1.h> 40 #define _SHA2_IMPL 41 #include <sys/sha2.h> 42 #include <sys/random.h> 43 #include <sys/crypto/impl.h> 44 #include <sha1/sha1_impl.h> 45 #include <sha2/sha2_impl.h> 46 #define _RSA_FIPS_POST 47 #include <rsa/rsa_impl.h> 48 49 extern struct mod_ops mod_cryptoops; 50 51 /* 52 * Module linkage information for the kernel. 53 */ 54 static struct modlcrypto modlcrypto = { 55 &mod_cryptoops, 56 "RSA Kernel SW Provider" 57 }; 58 59 static struct modlinkage modlinkage = { 60 MODREV_1, 61 (void *)&modlcrypto, 62 NULL 63 }; 64 65 /* 66 * CSPI information (entry points, provider info, etc.) 67 */ 68 typedef enum rsa_mech_type { 69 RSA_PKCS_MECH_INFO_TYPE, /* SUN_CKM_RSA_PKCS */ 70 RSA_X_509_MECH_INFO_TYPE, /* SUN_CKM_RSA_X_509 */ 71 MD5_RSA_PKCS_MECH_INFO_TYPE, /* SUN_MD5_RSA_PKCS */ 72 SHA1_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA1_RSA_PKCS */ 73 SHA256_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA256_RSA_PKCS */ 74 SHA384_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA384_RSA_PKCS */ 75 SHA512_RSA_PKCS_MECH_INFO_TYPE /* SUN_SHA512_RSA_PKCS */ 76 } rsa_mech_type_t; 77 78 /* 79 * Context for RSA_PKCS and RSA_X_509 mechanisms. 80 */ 81 typedef struct rsa_ctx { 82 rsa_mech_type_t mech_type; 83 crypto_key_t *key; 84 size_t keychunk_size; 85 } rsa_ctx_t; 86 87 /* 88 * Context for MD5_RSA_PKCS and SHA*_RSA_PKCS mechanisms. 89 */ 90 typedef struct digest_rsa_ctx { 91 rsa_mech_type_t mech_type; 92 crypto_key_t *key; 93 size_t keychunk_size; 94 union { 95 MD5_CTX md5ctx; 96 SHA1_CTX sha1ctx; 97 SHA2_CTX sha2ctx; 98 } dctx_u; 99 } digest_rsa_ctx_t; 100 101 #define md5_ctx dctx_u.md5ctx 102 #define sha1_ctx dctx_u.sha1ctx 103 #define sha2_ctx dctx_u.sha2ctx 104 105 /* 106 * Mechanism info structure passed to KCF during registration. 107 */ 108 static crypto_mech_info_t rsa_mech_info_tab[] = { 109 /* RSA_PKCS */ 110 {SUN_CKM_RSA_PKCS, RSA_PKCS_MECH_INFO_TYPE, 111 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 112 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC | 113 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 114 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC | 115 CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC | 116 CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC, 117 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 118 119 /* RSA_X_509 */ 120 {SUN_CKM_RSA_X_509, RSA_X_509_MECH_INFO_TYPE, 121 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 122 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC | 123 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 124 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC | 125 CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC | 126 CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC, 127 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 128 129 /* MD5_RSA_PKCS */ 130 {SUN_CKM_MD5_RSA_PKCS, MD5_RSA_PKCS_MECH_INFO_TYPE, 131 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 132 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 133 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 134 135 /* SHA1_RSA_PKCS */ 136 {SUN_CKM_SHA1_RSA_PKCS, SHA1_RSA_PKCS_MECH_INFO_TYPE, 137 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 138 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 139 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 140 141 /* SHA256_RSA_PKCS */ 142 {SUN_CKM_SHA256_RSA_PKCS, SHA256_RSA_PKCS_MECH_INFO_TYPE, 143 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 144 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 145 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 146 147 /* SHA384_RSA_PKCS */ 148 {SUN_CKM_SHA384_RSA_PKCS, SHA384_RSA_PKCS_MECH_INFO_TYPE, 149 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 150 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 151 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 152 153 /* SHA512_RSA_PKCS */ 154 {SUN_CKM_SHA512_RSA_PKCS, SHA512_RSA_PKCS_MECH_INFO_TYPE, 155 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 156 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 157 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS} 158 159 }; 160 161 #define RSA_VALID_MECH(mech) \ 162 (((mech)->cm_type == RSA_PKCS_MECH_INFO_TYPE || \ 163 (mech)->cm_type == RSA_X_509_MECH_INFO_TYPE || \ 164 (mech)->cm_type == MD5_RSA_PKCS_MECH_INFO_TYPE || \ 165 (mech)->cm_type == SHA1_RSA_PKCS_MECH_INFO_TYPE || \ 166 (mech)->cm_type == SHA256_RSA_PKCS_MECH_INFO_TYPE || \ 167 (mech)->cm_type == SHA384_RSA_PKCS_MECH_INFO_TYPE || \ 168 (mech)->cm_type == SHA512_RSA_PKCS_MECH_INFO_TYPE) ? 1 : 0) 169 170 /* operations are in-place if the output buffer is NULL */ 171 #define RSA_ARG_INPLACE(input, output) \ 172 if ((output) == NULL) \ 173 (output) = (input); 174 175 static void rsa_provider_status(crypto_provider_handle_t, uint_t *); 176 177 static crypto_control_ops_t rsa_control_ops = { 178 rsa_provider_status 179 }; 180 181 static int rsa_common_init(crypto_ctx_t *, crypto_mechanism_t *, 182 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 183 static int rsa_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 184 crypto_req_handle_t); 185 static int rsa_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t, 186 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 187 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 188 static int rsa_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 189 crypto_req_handle_t); 190 static int rsa_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t, 191 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 192 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 193 194 /* 195 * The RSA mechanisms do not have multiple-part cipher operations. 196 * So, the update and final routines are set to NULL. 197 */ 198 static crypto_cipher_ops_t rsa_cipher_ops = { 199 rsa_common_init, 200 rsa_encrypt, 201 NULL, 202 NULL, 203 rsa_encrypt_atomic, 204 rsa_common_init, 205 rsa_decrypt, 206 NULL, 207 NULL, 208 rsa_decrypt_atomic 209 }; 210 211 static int rsa_sign_verify_common_init(crypto_ctx_t *, crypto_mechanism_t *, 212 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 213 static int rsa_sign(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 214 crypto_req_handle_t); 215 static int rsa_sign_update(crypto_ctx_t *, crypto_data_t *, 216 crypto_req_handle_t); 217 static int rsa_sign_final(crypto_ctx_t *, crypto_data_t *, 218 crypto_req_handle_t); 219 static int rsa_sign_atomic(crypto_provider_handle_t, crypto_session_id_t, 220 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, 221 crypto_spi_ctx_template_t, crypto_req_handle_t); 222 223 /* 224 * We use the same routine for sign_init and sign_recover_init fields 225 * as they do the same thing. Same holds for sign and sign_recover fields, 226 * and sign_atomic and sign_recover_atomic fields. 227 */ 228 static crypto_sign_ops_t rsa_sign_ops = { 229 rsa_sign_verify_common_init, 230 rsa_sign, 231 rsa_sign_update, 232 rsa_sign_final, 233 rsa_sign_atomic, 234 rsa_sign_verify_common_init, 235 rsa_sign, 236 rsa_sign_atomic 237 }; 238 239 static int rsa_verify(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 240 crypto_req_handle_t); 241 static int rsa_verify_update(crypto_ctx_t *, crypto_data_t *, 242 crypto_req_handle_t); 243 static int rsa_verify_final(crypto_ctx_t *, crypto_data_t *, 244 crypto_req_handle_t); 245 static int rsa_verify_atomic(crypto_provider_handle_t, crypto_session_id_t, 246 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 247 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 248 static int rsa_verify_recover(crypto_ctx_t *, crypto_data_t *, 249 crypto_data_t *, crypto_req_handle_t); 250 static int rsa_verify_recover_atomic(crypto_provider_handle_t, 251 crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, 252 crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t, 253 crypto_req_handle_t); 254 255 /* 256 * We use the same routine (rsa_sign_verify_common_init) for verify_init 257 * and verify_recover_init fields as they do the same thing. 258 */ 259 static crypto_verify_ops_t rsa_verify_ops = { 260 rsa_sign_verify_common_init, 261 rsa_verify, 262 rsa_verify_update, 263 rsa_verify_final, 264 rsa_verify_atomic, 265 rsa_sign_verify_common_init, 266 rsa_verify_recover, 267 rsa_verify_recover_atomic 268 }; 269 270 static int rsa_free_context(crypto_ctx_t *); 271 272 static crypto_ctx_ops_t rsa_ctx_ops = { 273 NULL, 274 rsa_free_context 275 }; 276 277 static void rsa_POST(int *); 278 279 static crypto_fips140_ops_t rsa_fips140_ops = { 280 rsa_POST 281 }; 282 283 static crypto_ops_t rsa_crypto_ops = { 284 &rsa_control_ops, 285 NULL, 286 &rsa_cipher_ops, 287 NULL, 288 &rsa_sign_ops, 289 &rsa_verify_ops, 290 NULL, 291 NULL, 292 NULL, 293 NULL, 294 NULL, 295 NULL, 296 NULL, 297 &rsa_ctx_ops, 298 NULL, 299 NULL, 300 &rsa_fips140_ops 301 }; 302 303 static crypto_provider_info_t rsa_prov_info = { 304 CRYPTO_SPI_VERSION_4, 305 "RSA Software Provider", 306 CRYPTO_SW_PROVIDER, 307 {&modlinkage}, 308 NULL, 309 &rsa_crypto_ops, 310 sizeof (rsa_mech_info_tab)/sizeof (crypto_mech_info_t), 311 rsa_mech_info_tab 312 }; 313 314 static int rsa_encrypt_common(rsa_mech_type_t, crypto_key_t *, 315 crypto_data_t *, crypto_data_t *, int); 316 static int rsa_decrypt_common(rsa_mech_type_t, crypto_key_t *, 317 crypto_data_t *, crypto_data_t *, int); 318 static int rsa_sign_common(rsa_mech_type_t, crypto_key_t *, 319 crypto_data_t *, crypto_data_t *, int); 320 static int rsa_verify_common(rsa_mech_type_t, crypto_key_t *, 321 crypto_data_t *, crypto_data_t *, int); 322 static int compare_data(crypto_data_t *, uchar_t *); 323 324 /* EXPORT DELETE START */ 325 326 static int core_rsa_encrypt(crypto_key_t *, uchar_t *, 327 int, uchar_t *, int, int); 328 static int core_rsa_decrypt(crypto_key_t *, uchar_t *, int, 329 uchar_t *, int); 330 331 /* EXPORT DELETE END */ 332 333 static crypto_kcf_provider_handle_t rsa_prov_handle = NULL; 334 335 int 336 _init(void) 337 { 338 int ret; 339 340 /* 341 * Register with KCF. If the registration fails, return error. 342 */ 343 if ((ret = crypto_register_provider(&rsa_prov_info, 344 &rsa_prov_handle)) != CRYPTO_SUCCESS) { 345 cmn_err(CE_WARN, "rsa _init: crypto_register_provider()" 346 "failed (0x%x)", ret); 347 return (EACCES); 348 } 349 350 if ((ret = mod_install(&modlinkage)) != 0) { 351 int rv; 352 353 ASSERT(rsa_prov_handle != NULL); 354 /* We should not return if the unregister returns busy. */ 355 while ((rv = crypto_unregister_provider(rsa_prov_handle)) 356 == CRYPTO_BUSY) { 357 cmn_err(CE_WARN, "rsa _init: " 358 "crypto_unregister_provider() " 359 "failed (0x%x). Retrying.", rv); 360 /* wait 10 seconds and try again. */ 361 delay(10 * drv_usectohz(1000000)); 362 } 363 } 364 365 return (ret); 366 } 367 368 int 369 _fini(void) 370 { 371 int ret; 372 373 /* 374 * Unregister from KCF if previous registration succeeded. 375 */ 376 if (rsa_prov_handle != NULL) { 377 if ((ret = crypto_unregister_provider(rsa_prov_handle)) != 378 CRYPTO_SUCCESS) { 379 cmn_err(CE_WARN, "rsa _fini: " 380 "crypto_unregister_provider() " 381 "failed (0x%x)", ret); 382 return (EBUSY); 383 } 384 rsa_prov_handle = NULL; 385 } 386 387 return (mod_remove(&modlinkage)); 388 } 389 390 int 391 _info(struct modinfo *modinfop) 392 { 393 return (mod_info(&modlinkage, modinfop)); 394 } 395 396 /* ARGSUSED */ 397 static void 398 rsa_provider_status(crypto_provider_handle_t provider, uint_t *status) 399 { 400 *status = CRYPTO_PROVIDER_READY; 401 } 402 403 static int 404 check_mech_and_key(crypto_mechanism_t *mechanism, crypto_key_t *key) 405 { 406 int rv = CRYPTO_FAILED; 407 408 /* EXPORT DELETE START */ 409 410 uchar_t *modulus; 411 ssize_t modulus_len; /* In bytes */ 412 413 if (!RSA_VALID_MECH(mechanism)) 414 return (CRYPTO_MECHANISM_INVALID); 415 416 /* 417 * We only support RSA keys that are passed as a list of 418 * object attributes. 419 */ 420 if (key->ck_format != CRYPTO_KEY_ATTR_LIST) { 421 return (CRYPTO_KEY_TYPE_INCONSISTENT); 422 } 423 424 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 425 &modulus_len)) != CRYPTO_SUCCESS) { 426 return (rv); 427 } 428 if (modulus_len < MIN_RSA_KEYLENGTH_IN_BYTES || 429 modulus_len > MAX_RSA_KEYLENGTH_IN_BYTES) 430 return (CRYPTO_KEY_SIZE_RANGE); 431 432 /* EXPORT DELETE END */ 433 434 return (rv); 435 } 436 437 void 438 kmemset(uint8_t *buf, char pattern, size_t len) 439 { 440 int i = 0; 441 442 while (i < len) 443 buf[i++] = pattern; 444 } 445 446 /* 447 * This function guarantees to return non-zero random numbers. 448 * This is needed as the /dev/urandom kernel interface, 449 * random_get_pseudo_bytes(), may return zeros. 450 */ 451 int 452 knzero_random_generator(uint8_t *ran_out, size_t ran_len) 453 { 454 int rv; 455 size_t ebc = 0; /* count of extra bytes in extrarand */ 456 size_t i = 0; 457 uint8_t extrarand[32]; 458 size_t extrarand_len; 459 460 if ((rv = random_get_pseudo_bytes_fips140(ran_out, ran_len)) != 0) 461 return (rv); 462 463 /* 464 * Walk through the returned random numbers pointed by ran_out, 465 * and look for any random number which is zero. 466 * If we find zero, call random_get_pseudo_bytes() to generate 467 * another 32 random numbers pool. Replace any zeros in ran_out[] 468 * from the random number in pool. 469 */ 470 while (i < ran_len) { 471 if (ran_out[i] != 0) { 472 i++; 473 continue; 474 } 475 476 /* 477 * Note that it is 'while' so we are guaranteed a 478 * non-zero value on exit. 479 */ 480 if (ebc == 0) { 481 /* refresh extrarand */ 482 extrarand_len = sizeof (extrarand); 483 if ((rv = random_get_pseudo_bytes_fips140(extrarand, 484 extrarand_len)) != 0) { 485 return (rv); 486 } 487 488 ebc = extrarand_len; 489 } 490 /* Replace zero with byte from extrarand. */ 491 -- ebc; 492 493 /* 494 * The new random byte zero/non-zero will be checked in 495 * the next pass through the loop. 496 */ 497 ran_out[i] = extrarand[ebc]; 498 } 499 500 return (CRYPTO_SUCCESS); 501 } 502 503 static int 504 compare_data(crypto_data_t *data, uchar_t *buf) 505 { 506 int len; 507 uchar_t *dptr; 508 509 len = data->cd_length; 510 switch (data->cd_format) { 511 case CRYPTO_DATA_RAW: 512 dptr = (uchar_t *)(data->cd_raw.iov_base + 513 data->cd_offset); 514 515 return (bcmp(dptr, buf, len)); 516 517 case CRYPTO_DATA_UIO: 518 return (crypto_uio_data(data, buf, len, 519 COMPARE_TO_DATA, NULL, NULL)); 520 521 case CRYPTO_DATA_MBLK: 522 return (crypto_mblk_data(data, buf, len, 523 COMPARE_TO_DATA, NULL, NULL)); 524 } 525 526 return (CRYPTO_FAILED); 527 } 528 529 /* ARGSUSED */ 530 static int 531 rsa_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 532 crypto_key_t *key, crypto_spi_ctx_template_t template, 533 crypto_req_handle_t req) 534 { 535 int rv; 536 int kmflag; 537 rsa_ctx_t *ctxp; 538 539 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 540 return (rv); 541 542 /* 543 * Allocate a RSA context. 544 */ 545 kmflag = crypto_kmflag(req); 546 if ((ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag)) == NULL) 547 return (CRYPTO_HOST_MEMORY); 548 549 if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size, 550 kmflag)) != CRYPTO_SUCCESS) { 551 kmem_free(ctxp, sizeof (rsa_ctx_t)); 552 return (rv); 553 } 554 ctxp->mech_type = mechanism->cm_type; 555 556 ctx->cc_provider_private = ctxp; 557 558 return (CRYPTO_SUCCESS); 559 } 560 561 /* ARGSUSED */ 562 static int 563 rsa_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext, 564 crypto_data_t *ciphertext, crypto_req_handle_t req) 565 { 566 int rv; 567 rsa_ctx_t *ctxp; 568 569 ASSERT(ctx->cc_provider_private != NULL); 570 ctxp = ctx->cc_provider_private; 571 572 RSA_ARG_INPLACE(plaintext, ciphertext); 573 574 /* 575 * Note on the KM_SLEEP flag passed to the routine below - 576 * rsa_encrypt() is a single-part encryption routine which is 577 * currently usable only by /dev/crypto. Since /dev/crypto calls are 578 * always synchronous, we can safely pass KM_SLEEP here. 579 */ 580 rv = rsa_encrypt_common(ctxp->mech_type, ctxp->key, plaintext, 581 ciphertext, KM_SLEEP); 582 583 if (rv != CRYPTO_BUFFER_TOO_SMALL) 584 (void) rsa_free_context(ctx); 585 586 return (rv); 587 } 588 589 /* ARGSUSED */ 590 static int 591 rsa_encrypt_atomic(crypto_provider_handle_t provider, 592 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 593 crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext, 594 crypto_spi_ctx_template_t template, crypto_req_handle_t req) 595 { 596 int rv; 597 598 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 599 return (rv); 600 RSA_ARG_INPLACE(plaintext, ciphertext); 601 602 return (rsa_encrypt_common(mechanism->cm_type, key, plaintext, 603 ciphertext, crypto_kmflag(req))); 604 } 605 606 static int 607 rsa_free_context(crypto_ctx_t *ctx) 608 { 609 rsa_ctx_t *ctxp = ctx->cc_provider_private; 610 611 if (ctxp != NULL) { 612 bzero(ctxp->key, ctxp->keychunk_size); 613 kmem_free(ctxp->key, ctxp->keychunk_size); 614 615 if (ctxp->mech_type == RSA_PKCS_MECH_INFO_TYPE || 616 ctxp->mech_type == RSA_X_509_MECH_INFO_TYPE) 617 kmem_free(ctxp, sizeof (rsa_ctx_t)); 618 else 619 kmem_free(ctxp, sizeof (digest_rsa_ctx_t)); 620 621 ctx->cc_provider_private = NULL; 622 } 623 624 return (CRYPTO_SUCCESS); 625 } 626 627 static int 628 rsa_encrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key, 629 crypto_data_t *plaintext, crypto_data_t *ciphertext, int kmflag) 630 { 631 int rv = CRYPTO_FAILED; 632 633 /* EXPORT DELETE START */ 634 635 int plen; 636 uchar_t *ptptr; 637 uchar_t *modulus; 638 ssize_t modulus_len; 639 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 640 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 641 uchar_t cipher_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 642 643 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 644 &modulus_len)) != CRYPTO_SUCCESS) { 645 return (rv); 646 } 647 648 plen = plaintext->cd_length; 649 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 650 if (plen > (modulus_len - MIN_PKCS1_PADLEN)) 651 return (CRYPTO_DATA_LEN_RANGE); 652 } else { 653 if (plen > modulus_len) 654 return (CRYPTO_DATA_LEN_RANGE); 655 } 656 657 /* 658 * Output buf len must not be less than RSA modulus size. 659 */ 660 if (ciphertext->cd_length < modulus_len) { 661 ciphertext->cd_length = modulus_len; 662 return (CRYPTO_BUFFER_TOO_SMALL); 663 } 664 665 ASSERT(plaintext->cd_length <= sizeof (tmp_data)); 666 if ((rv = crypto_get_input_data(plaintext, &ptptr, tmp_data)) 667 != CRYPTO_SUCCESS) 668 return (rv); 669 670 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 671 rv = soft_encrypt_rsa_pkcs_encode(ptptr, plen, 672 plain_data, modulus_len); 673 674 if (rv != CRYPTO_SUCCESS) 675 return (rv); 676 } else { 677 bzero(plain_data, modulus_len - plen); 678 bcopy(ptptr, &plain_data[modulus_len - plen], plen); 679 } 680 681 rv = core_rsa_encrypt(key, plain_data, modulus_len, 682 cipher_data, kmflag, 1); 683 if (rv == CRYPTO_SUCCESS) { 684 /* copy out to ciphertext */ 685 if ((rv = crypto_put_output_data(cipher_data, 686 ciphertext, modulus_len)) != CRYPTO_SUCCESS) 687 return (rv); 688 689 ciphertext->cd_length = modulus_len; 690 } 691 692 /* EXPORT DELETE END */ 693 694 return (rv); 695 } 696 697 /* EXPORT DELETE START */ 698 699 static int 700 core_rsa_encrypt(crypto_key_t *key, uchar_t *in, 701 int in_len, uchar_t *out, int kmflag, int is_public) 702 { 703 int rv; 704 uchar_t *expo, *modulus; 705 ssize_t expo_len; 706 ssize_t modulus_len; 707 BIGNUM msg; 708 RSAkey *rsakey; 709 710 if (is_public) { 711 if ((rv = crypto_get_key_attr(key, SUN_CKA_PUBLIC_EXPONENT, 712 &expo, &expo_len)) != CRYPTO_SUCCESS) 713 return (rv); 714 } else { 715 /* 716 * SUN_CKA_PRIVATE_EXPONENT is a required attribute for a 717 * RSA secret key. See the comments in core_rsa_decrypt 718 * routine which calls this routine with a private key. 719 */ 720 if ((rv = crypto_get_key_attr(key, SUN_CKA_PRIVATE_EXPONENT, 721 &expo, &expo_len)) != CRYPTO_SUCCESS) 722 return (rv); 723 } 724 725 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 726 &modulus_len)) != CRYPTO_SUCCESS) { 727 return (rv); 728 } 729 730 rsakey = kmem_alloc(sizeof (RSAkey), kmflag); 731 if (rsakey == NULL) 732 return (CRYPTO_HOST_MEMORY); 733 734 /* psize and qsize for RSA_key_init is in bits. */ 735 if (RSA_key_init(rsakey, modulus_len * 4, modulus_len * 4) != BIG_OK) { 736 rv = CRYPTO_HOST_MEMORY; 737 goto clean1; 738 } 739 740 /* Size for big_init is in BIG_CHUNK_TYPE words. */ 741 if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) { 742 rv = CRYPTO_HOST_MEMORY; 743 goto clean2; 744 } 745 746 /* Convert octet string exponent to big integer format. */ 747 bytestring2bignum(&(rsakey->e), expo, expo_len); 748 749 /* Convert octet string modulus to big integer format. */ 750 bytestring2bignum(&(rsakey->n), modulus, modulus_len); 751 752 /* Convert octet string input data to big integer format. */ 753 bytestring2bignum(&msg, in, in_len); 754 755 if (big_cmp_abs(&msg, &(rsakey->n)) > 0) { 756 rv = CRYPTO_DATA_LEN_RANGE; 757 goto clean3; 758 } 759 760 /* Perform RSA computation on big integer input data. */ 761 if (big_modexp(&msg, &msg, &(rsakey->e), &(rsakey->n), NULL) 762 != BIG_OK) { 763 rv = CRYPTO_HOST_MEMORY; 764 goto clean3; 765 } 766 767 /* Convert the big integer output data to octet string. */ 768 bignum2bytestring(out, &msg, modulus_len); 769 770 /* 771 * Should not free modulus and expo as both are just pointers 772 * to an attribute value buffer from the caller. 773 */ 774 clean3: 775 big_finish(&msg); 776 clean2: 777 RSA_key_finish(rsakey); 778 clean1: 779 kmem_free(rsakey, sizeof (RSAkey)); 780 781 return (rv); 782 } 783 784 /* EXPORT DELETE END */ 785 786 /* ARGSUSED */ 787 static int 788 rsa_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext, 789 crypto_data_t *plaintext, crypto_req_handle_t req) 790 { 791 int rv; 792 rsa_ctx_t *ctxp; 793 794 ASSERT(ctx->cc_provider_private != NULL); 795 ctxp = ctx->cc_provider_private; 796 797 RSA_ARG_INPLACE(ciphertext, plaintext); 798 799 /* See the comments on KM_SLEEP flag in rsa_encrypt() */ 800 rv = rsa_decrypt_common(ctxp->mech_type, ctxp->key, 801 ciphertext, plaintext, KM_SLEEP); 802 803 if (rv != CRYPTO_BUFFER_TOO_SMALL) 804 (void) rsa_free_context(ctx); 805 806 return (rv); 807 } 808 809 /* ARGSUSED */ 810 static int 811 rsa_decrypt_atomic(crypto_provider_handle_t provider, 812 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 813 crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext, 814 crypto_spi_ctx_template_t template, crypto_req_handle_t req) 815 { 816 int rv; 817 818 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 819 return (rv); 820 RSA_ARG_INPLACE(ciphertext, plaintext); 821 822 return (rsa_decrypt_common(mechanism->cm_type, key, ciphertext, 823 plaintext, crypto_kmflag(req))); 824 } 825 826 static int 827 rsa_decrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key, 828 crypto_data_t *ciphertext, crypto_data_t *plaintext, int kmflag) 829 { 830 int rv = CRYPTO_FAILED; 831 832 /* EXPORT DELETE START */ 833 834 int plain_len; 835 uchar_t *ctptr; 836 uchar_t *modulus; 837 ssize_t modulus_len; 838 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 839 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 840 841 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 842 &modulus_len)) != CRYPTO_SUCCESS) { 843 return (rv); 844 } 845 846 /* 847 * Ciphertext length must be equal to RSA modulus size. 848 */ 849 if (ciphertext->cd_length != modulus_len) 850 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE); 851 852 ASSERT(ciphertext->cd_length <= sizeof (tmp_data)); 853 if ((rv = crypto_get_input_data(ciphertext, &ctptr, tmp_data)) 854 != CRYPTO_SUCCESS) 855 return (rv); 856 857 rv = core_rsa_decrypt(key, ctptr, modulus_len, plain_data, kmflag); 858 if (rv == CRYPTO_SUCCESS) { 859 plain_len = modulus_len; 860 861 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 862 /* Strip off the PKCS block formatting data. */ 863 rv = soft_decrypt_rsa_pkcs_decode(plain_data, 864 &plain_len); 865 if (rv != CRYPTO_SUCCESS) 866 return (rv); 867 } 868 869 if (plain_len > plaintext->cd_length) { 870 plaintext->cd_length = plain_len; 871 return (CRYPTO_BUFFER_TOO_SMALL); 872 } 873 874 if ((rv = crypto_put_output_data( 875 plain_data + modulus_len - plain_len, 876 plaintext, plain_len)) != CRYPTO_SUCCESS) 877 return (rv); 878 879 plaintext->cd_length = plain_len; 880 } 881 882 /* EXPORT DELETE END */ 883 884 return (rv); 885 } 886 887 /* EXPORT DELETE START */ 888 889 static int 890 core_rsa_decrypt(crypto_key_t *key, uchar_t *in, int in_len, 891 uchar_t *out, int kmflag) 892 { 893 int rv; 894 uchar_t *modulus, *prime1, *prime2, *expo1, *expo2, *coef; 895 ssize_t modulus_len; 896 ssize_t prime1_len, prime2_len; 897 ssize_t expo1_len, expo2_len, coef_len; 898 BIGNUM msg; 899 RSAkey *rsakey; 900 901 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 902 &modulus_len)) != CRYPTO_SUCCESS) { 903 return (rv); 904 } 905 906 /* 907 * The following attributes are not required to be 908 * present in a RSA secret key. If any of them is not present 909 * we call the encrypt routine with a flag indicating use of 910 * private exponent (d). Note that SUN_CKA_PRIVATE_EXPONENT is 911 * a required attribute for a RSA secret key. 912 */ 913 if ((crypto_get_key_attr(key, SUN_CKA_PRIME_1, &prime1, &prime1_len) 914 != CRYPTO_SUCCESS) || 915 (crypto_get_key_attr(key, SUN_CKA_PRIME_2, &prime2, &prime2_len) 916 != CRYPTO_SUCCESS) || 917 (crypto_get_key_attr(key, SUN_CKA_EXPONENT_1, &expo1, &expo1_len) 918 != CRYPTO_SUCCESS) || 919 (crypto_get_key_attr(key, SUN_CKA_EXPONENT_2, &expo2, &expo2_len) 920 != CRYPTO_SUCCESS) || 921 (crypto_get_key_attr(key, SUN_CKA_COEFFICIENT, &coef, &coef_len) 922 != CRYPTO_SUCCESS)) { 923 return (core_rsa_encrypt(key, in, in_len, out, kmflag, 0)); 924 } 925 926 rsakey = kmem_alloc(sizeof (RSAkey), kmflag); 927 if (rsakey == NULL) 928 return (CRYPTO_HOST_MEMORY); 929 930 /* psize and qsize for RSA_key_init is in bits. */ 931 if (RSA_key_init(rsakey, CRYPTO_BYTES2BITS(prime2_len), 932 CRYPTO_BYTES2BITS(prime1_len)) != BIG_OK) { 933 rv = CRYPTO_HOST_MEMORY; 934 goto clean1; 935 } 936 937 /* Size for big_init is in BIG_CHUNK_TYPE words. */ 938 if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) { 939 rv = CRYPTO_HOST_MEMORY; 940 goto clean2; 941 } 942 943 /* Convert octet string input data to big integer format. */ 944 bytestring2bignum(&msg, in, in_len); 945 946 /* Convert octet string modulus to big integer format. */ 947 bytestring2bignum(&(rsakey->n), modulus, modulus_len); 948 949 if (big_cmp_abs(&msg, &(rsakey->n)) > 0) { 950 rv = CRYPTO_DATA_LEN_RANGE; 951 goto clean3; 952 } 953 954 /* Convert the rest of private key attributes to big integer format. */ 955 bytestring2bignum(&(rsakey->dmodpminus1), expo2, expo2_len); 956 bytestring2bignum(&(rsakey->dmodqminus1), expo1, expo1_len); 957 bytestring2bignum(&(rsakey->p), prime2, prime2_len); 958 bytestring2bignum(&(rsakey->q), prime1, prime1_len); 959 bytestring2bignum(&(rsakey->pinvmodq), coef, coef_len); 960 961 if ((big_cmp_abs(&(rsakey->dmodpminus1), &(rsakey->p)) > 0) || 962 (big_cmp_abs(&(rsakey->dmodqminus1), &(rsakey->q)) > 0) || 963 (big_cmp_abs(&(rsakey->pinvmodq), &(rsakey->q)) > 0)) { 964 rv = CRYPTO_KEY_SIZE_RANGE; 965 goto clean3; 966 } 967 968 /* Perform RSA computation on big integer input data. */ 969 if (big_modexp_crt(&msg, &msg, &(rsakey->dmodpminus1), 970 &(rsakey->dmodqminus1), &(rsakey->p), &(rsakey->q), 971 &(rsakey->pinvmodq), NULL, NULL) != BIG_OK) { 972 rv = CRYPTO_HOST_MEMORY; 973 goto clean3; 974 } 975 976 /* Convert the big integer output data to octet string. */ 977 bignum2bytestring(out, &msg, modulus_len); 978 979 /* 980 * Should not free modulus and friends as they are just pointers 981 * to an attribute value buffer from the caller. 982 */ 983 clean3: 984 big_finish(&msg); 985 clean2: 986 RSA_key_finish(rsakey); 987 clean1: 988 kmem_free(rsakey, sizeof (RSAkey)); 989 990 return (rv); 991 } 992 993 /* EXPORT DELETE END */ 994 995 /* ARGSUSED */ 996 static int 997 rsa_sign_verify_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 998 crypto_key_t *key, crypto_spi_ctx_template_t ctx_template, 999 crypto_req_handle_t req) 1000 { 1001 int rv; 1002 int kmflag; 1003 rsa_ctx_t *ctxp; 1004 digest_rsa_ctx_t *dctxp; 1005 1006 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1007 return (rv); 1008 1009 /* 1010 * Allocate a RSA context. 1011 */ 1012 kmflag = crypto_kmflag(req); 1013 switch (mechanism->cm_type) { 1014 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1015 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1016 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1017 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1018 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1019 dctxp = kmem_zalloc(sizeof (digest_rsa_ctx_t), kmflag); 1020 ctxp = (rsa_ctx_t *)dctxp; 1021 break; 1022 default: 1023 ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag); 1024 break; 1025 } 1026 1027 if (ctxp == NULL) 1028 return (CRYPTO_HOST_MEMORY); 1029 1030 ctxp->mech_type = mechanism->cm_type; 1031 if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size, 1032 kmflag)) != CRYPTO_SUCCESS) { 1033 switch (mechanism->cm_type) { 1034 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1035 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1036 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1037 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1038 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1039 kmem_free(dctxp, sizeof (digest_rsa_ctx_t)); 1040 break; 1041 default: 1042 kmem_free(ctxp, sizeof (rsa_ctx_t)); 1043 break; 1044 } 1045 return (rv); 1046 } 1047 1048 switch (mechanism->cm_type) { 1049 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1050 MD5Init(&(dctxp->md5_ctx)); 1051 break; 1052 1053 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1054 SHA1Init(&(dctxp->sha1_ctx)); 1055 break; 1056 1057 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1058 SHA2Init(SHA256, &(dctxp->sha2_ctx)); 1059 break; 1060 1061 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1062 SHA2Init(SHA384, &(dctxp->sha2_ctx)); 1063 break; 1064 1065 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1066 SHA2Init(SHA512, &(dctxp->sha2_ctx)); 1067 break; 1068 } 1069 1070 ctx->cc_provider_private = ctxp; 1071 1072 return (CRYPTO_SUCCESS); 1073 } 1074 1075 #define SHA1_DIGEST_SIZE 20 1076 #define MD5_DIGEST_SIZE 16 1077 1078 #define INIT_RAW_CRYPTO_DATA(data, base, len, cd_len) \ 1079 (data).cd_format = CRYPTO_DATA_RAW; \ 1080 (data).cd_offset = 0; \ 1081 (data).cd_raw.iov_base = (char *)base; \ 1082 (data).cd_raw.iov_len = len; \ 1083 (data).cd_length = cd_len; 1084 1085 static int 1086 rsa_digest_svrfy_common(digest_rsa_ctx_t *ctxp, crypto_data_t *data, 1087 crypto_data_t *signature, int kmflag, uchar_t flag) 1088 { 1089 int rv = CRYPTO_FAILED; 1090 1091 /* EXPORT DELETE START */ 1092 1093 uchar_t digest[SHA512_DIGEST_LENGTH]; 1094 /* The der_data size is enough for MD5 also */ 1095 uchar_t der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len]; 1096 ulong_t der_data_len; 1097 crypto_data_t der_cd; 1098 rsa_mech_type_t mech_type; 1099 1100 ASSERT(flag & CRYPTO_DO_SIGN || flag & CRYPTO_DO_VERIFY); 1101 ASSERT(data != NULL || (flag & CRYPTO_DO_FINAL)); 1102 1103 mech_type = ctxp->mech_type; 1104 if (mech_type == RSA_PKCS_MECH_INFO_TYPE || 1105 mech_type == RSA_X_509_MECH_INFO_TYPE) 1106 return (CRYPTO_MECHANISM_INVALID); 1107 1108 /* 1109 * We need to do the BUFFER_TOO_SMALL check before digesting 1110 * the data. No check is needed for verify as signature is not 1111 * an output argument for verify. 1112 */ 1113 if (flag & CRYPTO_DO_SIGN) { 1114 uchar_t *modulus; 1115 ssize_t modulus_len; 1116 1117 if ((rv = crypto_get_key_attr(ctxp->key, SUN_CKA_MODULUS, 1118 &modulus, &modulus_len)) != CRYPTO_SUCCESS) { 1119 return (rv); 1120 } 1121 1122 if (signature->cd_length < modulus_len) { 1123 signature->cd_length = modulus_len; 1124 return (CRYPTO_BUFFER_TOO_SMALL); 1125 } 1126 } 1127 1128 if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE) 1129 rv = crypto_digest_data(data, &(ctxp->md5_ctx), 1130 digest, MD5Update, MD5Final, flag | CRYPTO_DO_MD5); 1131 1132 else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE) 1133 rv = crypto_digest_data(data, &(ctxp->sha1_ctx), 1134 digest, SHA1Update, SHA1Final, flag | CRYPTO_DO_SHA1); 1135 1136 else 1137 rv = crypto_digest_data(data, &(ctxp->sha2_ctx), 1138 digest, SHA2Update, SHA2Final, flag | CRYPTO_DO_SHA2); 1139 1140 if (rv != CRYPTO_SUCCESS) 1141 return (rv); 1142 1143 1144 /* 1145 * Prepare the DER encoding of the DigestInfo value as follows: 1146 * MD5: MD5_DER_PREFIX || H 1147 * SHA-1: SHA1_DER_PREFIX || H 1148 * 1149 * See rsa_impl.c for more details. 1150 */ 1151 switch (mech_type) { 1152 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1153 bcopy(MD5_DER_PREFIX, der_data, MD5_DER_PREFIX_Len); 1154 bcopy(digest, der_data + MD5_DER_PREFIX_Len, MD5_DIGEST_SIZE); 1155 der_data_len = MD5_DER_PREFIX_Len + MD5_DIGEST_SIZE; 1156 break; 1157 1158 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1159 bcopy(SHA1_DER_PREFIX, der_data, SHA1_DER_PREFIX_Len); 1160 bcopy(digest, der_data + SHA1_DER_PREFIX_Len, 1161 SHA1_DIGEST_SIZE); 1162 der_data_len = SHA1_DER_PREFIX_Len + SHA1_DIGEST_SIZE; 1163 break; 1164 1165 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1166 bcopy(SHA256_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len); 1167 bcopy(digest, der_data + SHA2_DER_PREFIX_Len, 1168 SHA256_DIGEST_LENGTH); 1169 der_data_len = SHA2_DER_PREFIX_Len + SHA256_DIGEST_LENGTH; 1170 break; 1171 1172 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1173 bcopy(SHA384_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len); 1174 bcopy(digest, der_data + SHA2_DER_PREFIX_Len, 1175 SHA384_DIGEST_LENGTH); 1176 der_data_len = SHA2_DER_PREFIX_Len + SHA384_DIGEST_LENGTH; 1177 break; 1178 1179 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1180 bcopy(SHA512_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len); 1181 bcopy(digest, der_data + SHA2_DER_PREFIX_Len, 1182 SHA512_DIGEST_LENGTH); 1183 der_data_len = SHA2_DER_PREFIX_Len + SHA512_DIGEST_LENGTH; 1184 break; 1185 } 1186 1187 INIT_RAW_CRYPTO_DATA(der_cd, der_data, der_data_len, der_data_len); 1188 /* 1189 * Now, we are ready to sign or verify the DER_ENCODED data. 1190 */ 1191 if (flag & CRYPTO_DO_SIGN) 1192 rv = rsa_sign_common(mech_type, ctxp->key, &der_cd, 1193 signature, kmflag); 1194 else 1195 rv = rsa_verify_common(mech_type, ctxp->key, &der_cd, 1196 signature, kmflag); 1197 1198 /* EXPORT DELETE END */ 1199 1200 return (rv); 1201 } 1202 1203 static int 1204 rsa_sign_common(rsa_mech_type_t mech_type, crypto_key_t *key, 1205 crypto_data_t *data, crypto_data_t *signature, int kmflag) 1206 { 1207 int rv = CRYPTO_FAILED; 1208 1209 /* EXPORT DELETE START */ 1210 1211 int dlen; 1212 uchar_t *dataptr, *modulus; 1213 ssize_t modulus_len; 1214 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1215 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1216 uchar_t signed_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1217 1218 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1219 &modulus_len)) != CRYPTO_SUCCESS) { 1220 return (rv); 1221 } 1222 1223 dlen = data->cd_length; 1224 switch (mech_type) { 1225 case RSA_PKCS_MECH_INFO_TYPE: 1226 if (dlen > (modulus_len - MIN_PKCS1_PADLEN)) 1227 return (CRYPTO_DATA_LEN_RANGE); 1228 break; 1229 case RSA_X_509_MECH_INFO_TYPE: 1230 if (dlen > modulus_len) 1231 return (CRYPTO_DATA_LEN_RANGE); 1232 break; 1233 } 1234 1235 if (signature->cd_length < modulus_len) { 1236 signature->cd_length = modulus_len; 1237 return (CRYPTO_BUFFER_TOO_SMALL); 1238 } 1239 1240 ASSERT(data->cd_length <= sizeof (tmp_data)); 1241 if ((rv = crypto_get_input_data(data, &dataptr, tmp_data)) 1242 != CRYPTO_SUCCESS) 1243 return (rv); 1244 1245 switch (mech_type) { 1246 case RSA_PKCS_MECH_INFO_TYPE: 1247 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1248 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1249 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1250 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1251 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1252 /* 1253 * Add PKCS padding to the input data to format a block 1254 * type "01" encryption block. 1255 */ 1256 rv = soft_sign_rsa_pkcs_encode(dataptr, dlen, plain_data, 1257 modulus_len); 1258 if (rv != CRYPTO_SUCCESS) 1259 return (rv); 1260 1261 break; 1262 1263 case RSA_X_509_MECH_INFO_TYPE: 1264 bzero(plain_data, modulus_len - dlen); 1265 bcopy(dataptr, &plain_data[modulus_len - dlen], dlen); 1266 break; 1267 } 1268 1269 rv = core_rsa_decrypt(key, plain_data, modulus_len, signed_data, 1270 kmflag); 1271 if (rv == CRYPTO_SUCCESS) { 1272 /* copy out to signature */ 1273 if ((rv = crypto_put_output_data(signed_data, 1274 signature, modulus_len)) != CRYPTO_SUCCESS) 1275 return (rv); 1276 1277 signature->cd_length = modulus_len; 1278 } 1279 1280 /* EXPORT DELETE END */ 1281 1282 return (rv); 1283 } 1284 1285 /* ARGSUSED */ 1286 static int 1287 rsa_sign(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature, 1288 crypto_req_handle_t req) 1289 { 1290 int rv; 1291 rsa_ctx_t *ctxp; 1292 1293 ASSERT(ctx->cc_provider_private != NULL); 1294 ctxp = ctx->cc_provider_private; 1295 1296 /* See the comments on KM_SLEEP flag in rsa_encrypt() */ 1297 switch (ctxp->mech_type) { 1298 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1299 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1300 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1301 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1302 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1303 rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data, 1304 signature, KM_SLEEP, CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE | 1305 CRYPTO_DO_FINAL); 1306 break; 1307 default: 1308 rv = rsa_sign_common(ctxp->mech_type, ctxp->key, data, 1309 signature, KM_SLEEP); 1310 break; 1311 } 1312 1313 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1314 (void) rsa_free_context(ctx); 1315 1316 return (rv); 1317 } 1318 1319 /* ARGSUSED */ 1320 static int 1321 rsa_sign_update(crypto_ctx_t *ctx, crypto_data_t *data, crypto_req_handle_t req) 1322 { 1323 int rv; 1324 digest_rsa_ctx_t *ctxp; 1325 rsa_mech_type_t mech_type; 1326 1327 ASSERT(ctx->cc_provider_private != NULL); 1328 ctxp = ctx->cc_provider_private; 1329 mech_type = ctxp->mech_type; 1330 1331 if (mech_type == RSA_PKCS_MECH_INFO_TYPE || 1332 mech_type == RSA_X_509_MECH_INFO_TYPE) 1333 return (CRYPTO_MECHANISM_INVALID); 1334 1335 if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE) 1336 rv = crypto_digest_data(data, &(ctxp->md5_ctx), 1337 NULL, MD5Update, MD5Final, 1338 CRYPTO_DO_MD5 | CRYPTO_DO_UPDATE); 1339 1340 else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE) 1341 rv = crypto_digest_data(data, &(ctxp->sha1_ctx), 1342 NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 | 1343 CRYPTO_DO_UPDATE); 1344 1345 else 1346 rv = crypto_digest_data(data, &(ctxp->sha2_ctx), 1347 NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 | 1348 CRYPTO_DO_UPDATE); 1349 1350 return (rv); 1351 } 1352 1353 static int 1354 rsa_sign_final(crypto_ctx_t *ctx, crypto_data_t *signature, 1355 crypto_req_handle_t req) 1356 { 1357 int rv; 1358 digest_rsa_ctx_t *ctxp; 1359 1360 ASSERT(ctx->cc_provider_private != NULL); 1361 ctxp = ctx->cc_provider_private; 1362 1363 rv = rsa_digest_svrfy_common(ctxp, NULL, signature, 1364 crypto_kmflag(req), CRYPTO_DO_SIGN | CRYPTO_DO_FINAL); 1365 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1366 (void) rsa_free_context(ctx); 1367 1368 return (rv); 1369 } 1370 1371 /* ARGSUSED */ 1372 static int 1373 rsa_sign_atomic(crypto_provider_handle_t provider, 1374 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1375 crypto_key_t *key, crypto_data_t *data, crypto_data_t *signature, 1376 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) 1377 { 1378 int rv; 1379 digest_rsa_ctx_t dctx; 1380 1381 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1382 return (rv); 1383 1384 if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE || 1385 mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE) 1386 rv = rsa_sign_common(mechanism->cm_type, key, data, 1387 signature, crypto_kmflag(req)); 1388 1389 else { 1390 dctx.mech_type = mechanism->cm_type; 1391 dctx.key = key; 1392 switch (mechanism->cm_type) { 1393 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1394 MD5Init(&(dctx.md5_ctx)); 1395 break; 1396 1397 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1398 SHA1Init(&(dctx.sha1_ctx)); 1399 break; 1400 1401 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1402 SHA2Init(SHA256, &(dctx.sha2_ctx)); 1403 break; 1404 1405 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1406 SHA2Init(SHA384, &(dctx.sha2_ctx)); 1407 break; 1408 1409 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1410 SHA2Init(SHA512, &(dctx.sha2_ctx)); 1411 break; 1412 } 1413 1414 rv = rsa_digest_svrfy_common(&dctx, data, signature, 1415 crypto_kmflag(req), CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE | 1416 CRYPTO_DO_FINAL); 1417 } 1418 1419 return (rv); 1420 } 1421 1422 static int 1423 rsa_verify_common(rsa_mech_type_t mech_type, crypto_key_t *key, 1424 crypto_data_t *data, crypto_data_t *signature, int kmflag) 1425 { 1426 int rv = CRYPTO_FAILED; 1427 1428 /* EXPORT DELETE START */ 1429 1430 uchar_t *sigptr, *modulus; 1431 ssize_t modulus_len; 1432 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1433 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1434 1435 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1436 &modulus_len)) != CRYPTO_SUCCESS) { 1437 return (rv); 1438 } 1439 1440 if (signature->cd_length != modulus_len) 1441 return (CRYPTO_SIGNATURE_LEN_RANGE); 1442 1443 ASSERT(signature->cd_length <= sizeof (tmp_data)); 1444 if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data)) 1445 != CRYPTO_SUCCESS) 1446 return (rv); 1447 1448 rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, kmflag, 1); 1449 if (rv != CRYPTO_SUCCESS) 1450 return (rv); 1451 1452 if (mech_type == RSA_X_509_MECH_INFO_TYPE) { 1453 if (compare_data(data, (plain_data + modulus_len 1454 - data->cd_length)) != 0) 1455 rv = CRYPTO_SIGNATURE_INVALID; 1456 1457 } else { 1458 int data_len = modulus_len; 1459 1460 /* 1461 * Strip off the encoded padding bytes in front of the 1462 * recovered data, then compare the recovered data with 1463 * the original data. 1464 */ 1465 rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len); 1466 if (rv != CRYPTO_SUCCESS) 1467 return (rv); 1468 1469 if (data_len != data->cd_length) 1470 return (CRYPTO_SIGNATURE_LEN_RANGE); 1471 1472 if (compare_data(data, (plain_data + modulus_len 1473 - data_len)) != 0) 1474 rv = CRYPTO_SIGNATURE_INVALID; 1475 } 1476 1477 /* EXPORT DELETE END */ 1478 1479 return (rv); 1480 } 1481 1482 /* ARGSUSED */ 1483 static int 1484 rsa_verify(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature, 1485 crypto_req_handle_t req) 1486 { 1487 int rv; 1488 rsa_ctx_t *ctxp; 1489 1490 ASSERT(ctx->cc_provider_private != NULL); 1491 ctxp = ctx->cc_provider_private; 1492 1493 /* See the comments on KM_SLEEP flag in rsa_encrypt() */ 1494 switch (ctxp->mech_type) { 1495 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1496 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1497 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1498 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1499 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1500 rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data, 1501 signature, KM_SLEEP, CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | 1502 CRYPTO_DO_FINAL); 1503 break; 1504 default: 1505 rv = rsa_verify_common(ctxp->mech_type, ctxp->key, data, 1506 signature, KM_SLEEP); 1507 break; 1508 } 1509 1510 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1511 (void) rsa_free_context(ctx); 1512 1513 return (rv); 1514 } 1515 1516 /* ARGSUSED */ 1517 static int 1518 rsa_verify_update(crypto_ctx_t *ctx, crypto_data_t *data, 1519 crypto_req_handle_t req) 1520 { 1521 int rv; 1522 digest_rsa_ctx_t *ctxp; 1523 1524 ASSERT(ctx->cc_provider_private != NULL); 1525 ctxp = ctx->cc_provider_private; 1526 1527 switch (ctxp->mech_type) { 1528 1529 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1530 rv = crypto_digest_data(data, &(ctxp->md5_ctx), 1531 NULL, MD5Update, MD5Final, CRYPTO_DO_MD5 | 1532 CRYPTO_DO_UPDATE); 1533 break; 1534 1535 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1536 rv = crypto_digest_data(data, &(ctxp->sha1_ctx), 1537 NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 | 1538 CRYPTO_DO_UPDATE); 1539 break; 1540 1541 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1542 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1543 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1544 rv = crypto_digest_data(data, &(ctxp->sha2_ctx), 1545 NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 | 1546 CRYPTO_DO_UPDATE); 1547 break; 1548 1549 default: 1550 return (CRYPTO_MECHANISM_INVALID); 1551 } 1552 1553 return (rv); 1554 } 1555 1556 static int 1557 rsa_verify_final(crypto_ctx_t *ctx, crypto_data_t *signature, 1558 crypto_req_handle_t req) 1559 { 1560 int rv; 1561 digest_rsa_ctx_t *ctxp; 1562 1563 ASSERT(ctx->cc_provider_private != NULL); 1564 ctxp = ctx->cc_provider_private; 1565 1566 rv = rsa_digest_svrfy_common(ctxp, NULL, signature, 1567 crypto_kmflag(req), CRYPTO_DO_VERIFY | CRYPTO_DO_FINAL); 1568 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1569 (void) rsa_free_context(ctx); 1570 1571 return (rv); 1572 } 1573 1574 1575 /* ARGSUSED */ 1576 static int 1577 rsa_verify_atomic(crypto_provider_handle_t provider, 1578 crypto_session_id_t session_id, 1579 crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, 1580 crypto_data_t *signature, crypto_spi_ctx_template_t ctx_template, 1581 crypto_req_handle_t req) 1582 { 1583 int rv; 1584 digest_rsa_ctx_t dctx; 1585 1586 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1587 return (rv); 1588 1589 if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE || 1590 mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE) 1591 rv = rsa_verify_common(mechanism->cm_type, key, data, 1592 signature, crypto_kmflag(req)); 1593 1594 else { 1595 dctx.mech_type = mechanism->cm_type; 1596 dctx.key = key; 1597 1598 switch (mechanism->cm_type) { 1599 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1600 MD5Init(&(dctx.md5_ctx)); 1601 break; 1602 1603 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1604 SHA1Init(&(dctx.sha1_ctx)); 1605 break; 1606 1607 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1608 SHA2Init(SHA256, &(dctx.sha2_ctx)); 1609 break; 1610 1611 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1612 SHA2Init(SHA384, &(dctx.sha2_ctx)); 1613 break; 1614 1615 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1616 SHA2Init(SHA512, &(dctx.sha2_ctx)); 1617 break; 1618 } 1619 1620 rv = rsa_digest_svrfy_common(&dctx, data, 1621 signature, crypto_kmflag(req), 1622 CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL); 1623 } 1624 1625 return (rv); 1626 } 1627 1628 static int 1629 rsa_verify_recover_common(rsa_mech_type_t mech_type, crypto_key_t *key, 1630 crypto_data_t *signature, crypto_data_t *data, int kmflag) 1631 { 1632 int rv = CRYPTO_FAILED; 1633 1634 /* EXPORT DELETE START */ 1635 1636 int data_len; 1637 uchar_t *sigptr, *modulus; 1638 ssize_t modulus_len; 1639 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1640 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1641 1642 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1643 &modulus_len)) != CRYPTO_SUCCESS) { 1644 return (rv); 1645 } 1646 1647 if (signature->cd_length != modulus_len) 1648 return (CRYPTO_SIGNATURE_LEN_RANGE); 1649 1650 ASSERT(signature->cd_length <= sizeof (tmp_data)); 1651 if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data)) 1652 != CRYPTO_SUCCESS) 1653 return (rv); 1654 1655 rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, kmflag, 1); 1656 if (rv != CRYPTO_SUCCESS) 1657 return (rv); 1658 1659 data_len = modulus_len; 1660 1661 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 1662 /* 1663 * Strip off the encoded padding bytes in front of the 1664 * recovered data, then compare the recovered data with 1665 * the original data. 1666 */ 1667 rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len); 1668 if (rv != CRYPTO_SUCCESS) 1669 return (rv); 1670 } 1671 1672 if (data->cd_length < data_len) { 1673 data->cd_length = data_len; 1674 return (CRYPTO_BUFFER_TOO_SMALL); 1675 } 1676 1677 if ((rv = crypto_put_output_data(plain_data + modulus_len - data_len, 1678 data, data_len)) != CRYPTO_SUCCESS) 1679 return (rv); 1680 data->cd_length = data_len; 1681 1682 /* EXPORT DELETE END */ 1683 1684 return (rv); 1685 } 1686 1687 /* ARGSUSED */ 1688 static int 1689 rsa_verify_recover(crypto_ctx_t *ctx, crypto_data_t *signature, 1690 crypto_data_t *data, crypto_req_handle_t req) 1691 { 1692 int rv; 1693 rsa_ctx_t *ctxp; 1694 1695 ASSERT(ctx->cc_provider_private != NULL); 1696 ctxp = ctx->cc_provider_private; 1697 1698 /* See the comments on KM_SLEEP flag in rsa_encrypt() */ 1699 rv = rsa_verify_recover_common(ctxp->mech_type, ctxp->key, 1700 signature, data, KM_SLEEP); 1701 1702 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1703 (void) rsa_free_context(ctx); 1704 1705 return (rv); 1706 } 1707 1708 /* ARGSUSED */ 1709 static int 1710 rsa_verify_recover_atomic(crypto_provider_handle_t provider, 1711 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1712 crypto_key_t *key, crypto_data_t *signature, crypto_data_t *data, 1713 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) 1714 { 1715 int rv; 1716 1717 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1718 return (rv); 1719 1720 return (rsa_verify_recover_common(mechanism->cm_type, key, 1721 signature, data, crypto_kmflag(req))); 1722 } 1723 1724 /* 1725 * RSA Power-Up Self-Test 1726 */ 1727 void 1728 rsa_POST(int *rc) 1729 { 1730 1731 *rc = fips_rsa_post(); 1732 1733 } 1734