1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * RSA provider for the Kernel Cryptographic Framework (KCF) 28 */ 29 30 #include <sys/types.h> 31 #include <sys/systm.h> 32 #include <sys/modctl.h> 33 #include <sys/cmn_err.h> 34 #include <sys/ddi.h> 35 #include <sys/crypto/spi.h> 36 #include <sys/sysmacros.h> 37 #include <sys/strsun.h> 38 #include <sys/md5.h> 39 #include <sys/sha1.h> 40 #define _SHA2_IMPL 41 #include <sys/sha2.h> 42 #include <sys/random.h> 43 #include <sys/crypto/impl.h> 44 #include <sha1/sha1_impl.h> 45 #include <sha2/sha2_impl.h> 46 #define _RSA_FIPS_POST 47 #include <rsa/rsa_impl.h> 48 49 extern struct mod_ops mod_cryptoops; 50 51 /* 52 * Module linkage information for the kernel. 53 */ 54 static struct modlcrypto modlcrypto = { 55 &mod_cryptoops, 56 "RSA Kernel SW Provider" 57 }; 58 59 static struct modlinkage modlinkage = { 60 MODREV_1, 61 (void *)&modlcrypto, 62 NULL 63 }; 64 65 /* 66 * CSPI information (entry points, provider info, etc.) 67 */ 68 typedef enum rsa_mech_type { 69 RSA_PKCS_MECH_INFO_TYPE, /* SUN_CKM_RSA_PKCS */ 70 RSA_X_509_MECH_INFO_TYPE, /* SUN_CKM_RSA_X_509 */ 71 MD5_RSA_PKCS_MECH_INFO_TYPE, /* SUN_MD5_RSA_PKCS */ 72 SHA1_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA1_RSA_PKCS */ 73 SHA256_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA256_RSA_PKCS */ 74 SHA384_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA384_RSA_PKCS */ 75 SHA512_RSA_PKCS_MECH_INFO_TYPE /* SUN_SHA512_RSA_PKCS */ 76 } rsa_mech_type_t; 77 78 /* 79 * Context for RSA_PKCS and RSA_X_509 mechanisms. 80 */ 81 typedef struct rsa_ctx { 82 rsa_mech_type_t mech_type; 83 crypto_key_t *key; 84 size_t keychunk_size; 85 } rsa_ctx_t; 86 87 /* 88 * Context for MD5_RSA_PKCS and SHA*_RSA_PKCS mechanisms. 89 */ 90 typedef struct digest_rsa_ctx { 91 rsa_mech_type_t mech_type; 92 crypto_key_t *key; 93 size_t keychunk_size; 94 union { 95 MD5_CTX md5ctx; 96 SHA1_CTX sha1ctx; 97 SHA2_CTX sha2ctx; 98 } dctx_u; 99 } digest_rsa_ctx_t; 100 101 #define md5_ctx dctx_u.md5ctx 102 #define sha1_ctx dctx_u.sha1ctx 103 #define sha2_ctx dctx_u.sha2ctx 104 105 /* 106 * Mechanism info structure passed to KCF during registration. 107 */ 108 static crypto_mech_info_t rsa_mech_info_tab[] = { 109 /* RSA_PKCS */ 110 {SUN_CKM_RSA_PKCS, RSA_PKCS_MECH_INFO_TYPE, 111 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 112 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC | 113 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 114 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC | 115 CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC | 116 CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC, 117 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 118 119 /* RSA_X_509 */ 120 {SUN_CKM_RSA_X_509, RSA_X_509_MECH_INFO_TYPE, 121 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 122 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC | 123 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 124 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC | 125 CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC | 126 CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC, 127 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 128 129 /* MD5_RSA_PKCS */ 130 {SUN_CKM_MD5_RSA_PKCS, MD5_RSA_PKCS_MECH_INFO_TYPE, 131 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 132 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 133 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 134 135 /* SHA1_RSA_PKCS */ 136 {SUN_CKM_SHA1_RSA_PKCS, SHA1_RSA_PKCS_MECH_INFO_TYPE, 137 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 138 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 139 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 140 141 /* SHA256_RSA_PKCS */ 142 {SUN_CKM_SHA256_RSA_PKCS, SHA256_RSA_PKCS_MECH_INFO_TYPE, 143 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 144 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 145 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 146 147 /* SHA384_RSA_PKCS */ 148 {SUN_CKM_SHA384_RSA_PKCS, SHA384_RSA_PKCS_MECH_INFO_TYPE, 149 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 150 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 151 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 152 153 /* SHA512_RSA_PKCS */ 154 {SUN_CKM_SHA512_RSA_PKCS, SHA512_RSA_PKCS_MECH_INFO_TYPE, 155 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 156 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 157 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS} 158 159 }; 160 161 #define RSA_VALID_MECH(mech) \ 162 (((mech)->cm_type == RSA_PKCS_MECH_INFO_TYPE || \ 163 (mech)->cm_type == RSA_X_509_MECH_INFO_TYPE || \ 164 (mech)->cm_type == MD5_RSA_PKCS_MECH_INFO_TYPE || \ 165 (mech)->cm_type == SHA1_RSA_PKCS_MECH_INFO_TYPE || \ 166 (mech)->cm_type == SHA256_RSA_PKCS_MECH_INFO_TYPE || \ 167 (mech)->cm_type == SHA384_RSA_PKCS_MECH_INFO_TYPE || \ 168 (mech)->cm_type == SHA512_RSA_PKCS_MECH_INFO_TYPE) ? 1 : 0) 169 170 /* operations are in-place if the output buffer is NULL */ 171 #define RSA_ARG_INPLACE(input, output) \ 172 if ((output) == NULL) \ 173 (output) = (input); 174 175 static void rsa_provider_status(crypto_provider_handle_t, uint_t *); 176 177 static crypto_control_ops_t rsa_control_ops = { 178 rsa_provider_status 179 }; 180 181 static int rsa_common_init(crypto_ctx_t *, crypto_mechanism_t *, 182 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 183 static int rsa_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 184 crypto_req_handle_t); 185 static int rsa_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t, 186 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 187 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 188 static int rsa_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 189 crypto_req_handle_t); 190 static int rsa_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t, 191 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 192 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 193 194 /* 195 * The RSA mechanisms do not have multiple-part cipher operations. 196 * So, the update and final routines are set to NULL. 197 */ 198 static crypto_cipher_ops_t rsa_cipher_ops = { 199 rsa_common_init, 200 rsa_encrypt, 201 NULL, 202 NULL, 203 rsa_encrypt_atomic, 204 rsa_common_init, 205 rsa_decrypt, 206 NULL, 207 NULL, 208 rsa_decrypt_atomic 209 }; 210 211 static int rsa_sign_verify_common_init(crypto_ctx_t *, crypto_mechanism_t *, 212 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 213 static int rsa_sign(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 214 crypto_req_handle_t); 215 static int rsa_sign_update(crypto_ctx_t *, crypto_data_t *, 216 crypto_req_handle_t); 217 static int rsa_sign_final(crypto_ctx_t *, crypto_data_t *, 218 crypto_req_handle_t); 219 static int rsa_sign_atomic(crypto_provider_handle_t, crypto_session_id_t, 220 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, 221 crypto_spi_ctx_template_t, crypto_req_handle_t); 222 223 /* 224 * We use the same routine for sign_init and sign_recover_init fields 225 * as they do the same thing. Same holds for sign and sign_recover fields, 226 * and sign_atomic and sign_recover_atomic fields. 227 */ 228 static crypto_sign_ops_t rsa_sign_ops = { 229 rsa_sign_verify_common_init, 230 rsa_sign, 231 rsa_sign_update, 232 rsa_sign_final, 233 rsa_sign_atomic, 234 rsa_sign_verify_common_init, 235 rsa_sign, 236 rsa_sign_atomic 237 }; 238 239 static int rsa_verify(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 240 crypto_req_handle_t); 241 static int rsa_verify_update(crypto_ctx_t *, crypto_data_t *, 242 crypto_req_handle_t); 243 static int rsa_verify_final(crypto_ctx_t *, crypto_data_t *, 244 crypto_req_handle_t); 245 static int rsa_verify_atomic(crypto_provider_handle_t, crypto_session_id_t, 246 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 247 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 248 static int rsa_verify_recover(crypto_ctx_t *, crypto_data_t *, 249 crypto_data_t *, crypto_req_handle_t); 250 static int rsa_verify_recover_atomic(crypto_provider_handle_t, 251 crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, 252 crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t, 253 crypto_req_handle_t); 254 255 /* 256 * We use the same routine (rsa_sign_verify_common_init) for verify_init 257 * and verify_recover_init fields as they do the same thing. 258 */ 259 static crypto_verify_ops_t rsa_verify_ops = { 260 rsa_sign_verify_common_init, 261 rsa_verify, 262 rsa_verify_update, 263 rsa_verify_final, 264 rsa_verify_atomic, 265 rsa_sign_verify_common_init, 266 rsa_verify_recover, 267 rsa_verify_recover_atomic 268 }; 269 270 static int rsa_free_context(crypto_ctx_t *); 271 272 static crypto_ctx_ops_t rsa_ctx_ops = { 273 NULL, 274 rsa_free_context 275 }; 276 277 static void rsa_POST(int *); 278 279 static crypto_fips140_ops_t rsa_fips140_ops = { 280 rsa_POST 281 }; 282 283 static crypto_ops_t rsa_crypto_ops = { 284 &rsa_control_ops, 285 NULL, 286 &rsa_cipher_ops, 287 NULL, 288 &rsa_sign_ops, 289 &rsa_verify_ops, 290 NULL, 291 NULL, 292 NULL, 293 NULL, 294 NULL, 295 NULL, 296 NULL, 297 &rsa_ctx_ops, 298 NULL, 299 NULL, 300 &rsa_fips140_ops 301 }; 302 303 static crypto_provider_info_t rsa_prov_info = { 304 CRYPTO_SPI_VERSION_4, 305 "RSA Software Provider", 306 CRYPTO_SW_PROVIDER, 307 {&modlinkage}, 308 NULL, 309 &rsa_crypto_ops, 310 sizeof (rsa_mech_info_tab)/sizeof (crypto_mech_info_t), 311 rsa_mech_info_tab 312 }; 313 314 static int rsa_encrypt_common(rsa_mech_type_t, crypto_key_t *, 315 crypto_data_t *, crypto_data_t *, int); 316 static int rsa_decrypt_common(rsa_mech_type_t, crypto_key_t *, 317 crypto_data_t *, crypto_data_t *, int); 318 static int rsa_sign_common(rsa_mech_type_t, crypto_key_t *, 319 crypto_data_t *, crypto_data_t *, int); 320 static int rsa_verify_common(rsa_mech_type_t, crypto_key_t *, 321 crypto_data_t *, crypto_data_t *, int); 322 static int compare_data(crypto_data_t *, uchar_t *); 323 324 /* EXPORT DELETE START */ 325 326 static int core_rsa_encrypt(crypto_key_t *, uchar_t *, 327 int, uchar_t *, int, int); 328 static int core_rsa_decrypt(crypto_key_t *, uchar_t *, int, 329 uchar_t *, int); 330 331 /* EXPORT DELETE END */ 332 333 static crypto_kcf_provider_handle_t rsa_prov_handle = NULL; 334 335 int 336 _init(void) 337 { 338 int ret; 339 340 /* 341 * Register with KCF. If the registration fails, return error. 342 */ 343 if ((ret = crypto_register_provider(&rsa_prov_info, 344 &rsa_prov_handle)) != CRYPTO_SUCCESS) { 345 cmn_err(CE_WARN, "rsa _init: crypto_register_provider()" 346 "failed (0x%x)", ret); 347 return (EACCES); 348 } 349 350 if ((ret = mod_install(&modlinkage)) != 0) { 351 int rv; 352 353 ASSERT(rsa_prov_handle != NULL); 354 /* We should not return if the unregister returns busy. */ 355 while ((rv = crypto_unregister_provider(rsa_prov_handle)) 356 == CRYPTO_BUSY) { 357 cmn_err(CE_WARN, "rsa _init: " 358 "crypto_unregister_provider() " 359 "failed (0x%x). Retrying.", rv); 360 /* wait 10 seconds and try again. */ 361 delay(10 * drv_usectohz(1000000)); 362 } 363 } 364 365 return (ret); 366 } 367 368 int 369 _fini(void) 370 { 371 int ret; 372 373 /* 374 * Unregister from KCF if previous registration succeeded. 375 */ 376 if (rsa_prov_handle != NULL) { 377 if ((ret = crypto_unregister_provider(rsa_prov_handle)) != 378 CRYPTO_SUCCESS) { 379 cmn_err(CE_WARN, "rsa _fini: " 380 "crypto_unregister_provider() " 381 "failed (0x%x)", ret); 382 return (EBUSY); 383 } 384 rsa_prov_handle = NULL; 385 } 386 387 return (mod_remove(&modlinkage)); 388 } 389 390 int 391 _info(struct modinfo *modinfop) 392 { 393 return (mod_info(&modlinkage, modinfop)); 394 } 395 396 /* ARGSUSED */ 397 static void 398 rsa_provider_status(crypto_provider_handle_t provider, uint_t *status) 399 { 400 *status = CRYPTO_PROVIDER_READY; 401 } 402 403 static int 404 check_mech_and_key(crypto_mechanism_t *mechanism, crypto_key_t *key) 405 { 406 int rv = CRYPTO_FAILED; 407 408 /* EXPORT DELETE START */ 409 410 uchar_t *modulus; 411 ssize_t modulus_len; /* In bytes */ 412 413 if (!RSA_VALID_MECH(mechanism)) 414 return (CRYPTO_MECHANISM_INVALID); 415 416 /* 417 * We only support RSA keys that are passed as a list of 418 * object attributes. 419 */ 420 if (key->ck_format != CRYPTO_KEY_ATTR_LIST) { 421 return (CRYPTO_KEY_TYPE_INCONSISTENT); 422 } 423 424 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 425 &modulus_len)) != CRYPTO_SUCCESS) { 426 return (rv); 427 } 428 if (modulus_len < MIN_RSA_KEYLENGTH_IN_BYTES || 429 modulus_len > MAX_RSA_KEYLENGTH_IN_BYTES) 430 return (CRYPTO_KEY_SIZE_RANGE); 431 432 /* EXPORT DELETE END */ 433 434 return (rv); 435 } 436 437 void 438 kmemset(uint8_t *buf, char pattern, size_t len) 439 { 440 int i = 0; 441 442 while (i < len) 443 buf[i++] = pattern; 444 } 445 446 /* 447 * This function guarantees to return non-zero random numbers. 448 * This is needed as the /dev/urandom kernel interface, 449 * random_get_pseudo_bytes(), may return zeros. 450 */ 451 int 452 knzero_random_generator(uint8_t *ran_out, size_t ran_len) 453 { 454 int rv; 455 size_t ebc = 0; /* count of extra bytes in extrarand */ 456 size_t i = 0; 457 uint8_t extrarand[32]; 458 size_t extrarand_len; 459 460 if ((rv = random_get_pseudo_bytes_fips140(ran_out, ran_len)) != 0) 461 return (rv); 462 463 /* 464 * Walk through the returned random numbers pointed by ran_out, 465 * and look for any random number which is zero. 466 * If we find zero, call random_get_pseudo_bytes() to generate 467 * another 32 random numbers pool. Replace any zeros in ran_out[] 468 * from the random number in pool. 469 */ 470 while (i < ran_len) { 471 if (ran_out[i] != 0) { 472 i++; 473 continue; 474 } 475 476 /* 477 * Note that it is 'while' so we are guaranteed a 478 * non-zero value on exit. 479 */ 480 if (ebc == 0) { 481 /* refresh extrarand */ 482 extrarand_len = sizeof (extrarand); 483 if ((rv = random_get_pseudo_bytes_fips140(extrarand, 484 extrarand_len)) != 0) { 485 return (rv); 486 } 487 488 ebc = extrarand_len; 489 } 490 /* Replace zero with byte from extrarand. */ 491 -- ebc; 492 493 /* 494 * The new random byte zero/non-zero will be checked in 495 * the next pass through the loop. 496 */ 497 ran_out[i] = extrarand[ebc]; 498 } 499 500 return (CRYPTO_SUCCESS); 501 } 502 503 static int 504 compare_data(crypto_data_t *data, uchar_t *buf) 505 { 506 int len; 507 uchar_t *dptr; 508 509 len = data->cd_length; 510 switch (data->cd_format) { 511 case CRYPTO_DATA_RAW: 512 dptr = (uchar_t *)(data->cd_raw.iov_base + 513 data->cd_offset); 514 515 return (bcmp(dptr, buf, len)); 516 517 case CRYPTO_DATA_UIO: 518 return (crypto_uio_data(data, buf, len, 519 COMPARE_TO_DATA, NULL, NULL)); 520 521 case CRYPTO_DATA_MBLK: 522 return (crypto_mblk_data(data, buf, len, 523 COMPARE_TO_DATA, NULL, NULL)); 524 } 525 526 return (CRYPTO_FAILED); 527 } 528 529 /* ARGSUSED */ 530 static int 531 rsa_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 532 crypto_key_t *key, crypto_spi_ctx_template_t template, 533 crypto_req_handle_t req) 534 { 535 int rv; 536 int kmflag; 537 rsa_ctx_t *ctxp; 538 539 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 540 return (rv); 541 542 /* 543 * Allocate a RSA context. 544 */ 545 kmflag = crypto_kmflag(req); 546 if ((ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag)) == NULL) 547 return (CRYPTO_HOST_MEMORY); 548 549 if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size, 550 kmflag)) != CRYPTO_SUCCESS) { 551 kmem_free(ctxp, sizeof (rsa_ctx_t)); 552 return (rv); 553 } 554 ctxp->mech_type = mechanism->cm_type; 555 556 ctx->cc_provider_private = ctxp; 557 558 return (CRYPTO_SUCCESS); 559 } 560 561 /* ARGSUSED */ 562 static int 563 rsa_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext, 564 crypto_data_t *ciphertext, crypto_req_handle_t req) 565 { 566 int rv; 567 rsa_ctx_t *ctxp; 568 569 ASSERT(ctx->cc_provider_private != NULL); 570 ctxp = ctx->cc_provider_private; 571 572 RSA_ARG_INPLACE(plaintext, ciphertext); 573 574 /* 575 * Note on the KM_SLEEP flag passed to the routine below - 576 * rsa_encrypt() is a single-part encryption routine which is 577 * currently usable only by /dev/crypto. Since /dev/crypto calls are 578 * always synchronous, we can safely pass KM_SLEEP here. 579 */ 580 rv = rsa_encrypt_common(ctxp->mech_type, ctxp->key, plaintext, 581 ciphertext, KM_SLEEP); 582 583 if (rv != CRYPTO_BUFFER_TOO_SMALL) 584 (void) rsa_free_context(ctx); 585 586 return (rv); 587 } 588 589 /* ARGSUSED */ 590 static int 591 rsa_encrypt_atomic(crypto_provider_handle_t provider, 592 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 593 crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext, 594 crypto_spi_ctx_template_t template, crypto_req_handle_t req) 595 { 596 int rv; 597 598 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 599 return (rv); 600 RSA_ARG_INPLACE(plaintext, ciphertext); 601 602 return (rsa_encrypt_common(mechanism->cm_type, key, plaintext, 603 ciphertext, crypto_kmflag(req))); 604 } 605 606 static int 607 rsa_free_context(crypto_ctx_t *ctx) 608 { 609 rsa_ctx_t *ctxp = ctx->cc_provider_private; 610 611 if (ctxp != NULL) { 612 bzero(ctxp->key, ctxp->keychunk_size); 613 kmem_free(ctxp->key, ctxp->keychunk_size); 614 615 if (ctxp->mech_type == RSA_PKCS_MECH_INFO_TYPE || 616 ctxp->mech_type == RSA_X_509_MECH_INFO_TYPE) 617 kmem_free(ctxp, sizeof (rsa_ctx_t)); 618 else 619 kmem_free(ctxp, sizeof (digest_rsa_ctx_t)); 620 621 ctx->cc_provider_private = NULL; 622 } 623 624 return (CRYPTO_SUCCESS); 625 } 626 627 static int 628 rsa_encrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key, 629 crypto_data_t *plaintext, crypto_data_t *ciphertext, int kmflag) 630 { 631 int rv = CRYPTO_FAILED; 632 633 /* EXPORT DELETE START */ 634 635 int plen; 636 uchar_t *ptptr; 637 uchar_t *modulus; 638 ssize_t modulus_len; 639 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 640 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 641 uchar_t cipher_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 642 643 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 644 &modulus_len)) != CRYPTO_SUCCESS) { 645 return (rv); 646 } 647 648 plen = plaintext->cd_length; 649 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 650 if (plen > (modulus_len - MIN_PKCS1_PADLEN)) 651 return (CRYPTO_DATA_LEN_RANGE); 652 } else { 653 if (plen > modulus_len) 654 return (CRYPTO_DATA_LEN_RANGE); 655 } 656 657 /* 658 * Output buf len must not be less than RSA modulus size. 659 */ 660 if (ciphertext->cd_length < modulus_len) { 661 ciphertext->cd_length = modulus_len; 662 return (CRYPTO_BUFFER_TOO_SMALL); 663 } 664 665 ASSERT(plaintext->cd_length <= sizeof (tmp_data)); 666 if ((rv = crypto_get_input_data(plaintext, &ptptr, tmp_data)) 667 != CRYPTO_SUCCESS) 668 return (rv); 669 670 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 671 rv = soft_encrypt_rsa_pkcs_encode(ptptr, plen, 672 plain_data, modulus_len); 673 674 if (rv != CRYPTO_SUCCESS) 675 return (rv); 676 } else { 677 bzero(plain_data, modulus_len - plen); 678 bcopy(ptptr, &plain_data[modulus_len - plen], plen); 679 } 680 681 rv = core_rsa_encrypt(key, plain_data, modulus_len, 682 cipher_data, kmflag, 1); 683 if (rv == CRYPTO_SUCCESS) { 684 /* copy out to ciphertext */ 685 if ((rv = crypto_put_output_data(cipher_data, 686 ciphertext, modulus_len)) != CRYPTO_SUCCESS) 687 return (rv); 688 689 ciphertext->cd_length = modulus_len; 690 } 691 692 /* EXPORT DELETE END */ 693 694 return (rv); 695 } 696 697 /* EXPORT DELETE START */ 698 699 static int 700 core_rsa_encrypt(crypto_key_t *key, uchar_t *in, 701 int in_len, uchar_t *out, int kmflag, int is_public) 702 { 703 int rv; 704 uchar_t *expo, *modulus; 705 ssize_t expo_len; 706 ssize_t modulus_len; 707 BIGNUM msg; 708 RSAkey *rsakey; 709 710 if (is_public) { 711 if ((rv = crypto_get_key_attr(key, SUN_CKA_PUBLIC_EXPONENT, 712 &expo, &expo_len)) != CRYPTO_SUCCESS) 713 return (rv); 714 } else { 715 /* 716 * SUN_CKA_PRIVATE_EXPONENT is a required attribute for a 717 * RSA secret key. See the comments in core_rsa_decrypt 718 * routine which calls this routine with a private key. 719 */ 720 if ((rv = crypto_get_key_attr(key, SUN_CKA_PRIVATE_EXPONENT, 721 &expo, &expo_len)) != CRYPTO_SUCCESS) 722 return (rv); 723 } 724 725 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 726 &modulus_len)) != CRYPTO_SUCCESS) { 727 return (rv); 728 } 729 730 rsakey = kmem_alloc(sizeof (RSAkey), kmflag); 731 if (rsakey == NULL) 732 return (CRYPTO_HOST_MEMORY); 733 734 /* psize and qsize for RSA_key_init is in bits. */ 735 if (RSA_key_init(rsakey, modulus_len * 4, modulus_len * 4) != BIG_OK) { 736 rv = CRYPTO_HOST_MEMORY; 737 goto clean1; 738 } 739 740 /* Size for big_init is in BIG_CHUNK_TYPE words. */ 741 if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) { 742 rv = CRYPTO_HOST_MEMORY; 743 goto clean2; 744 } 745 746 /* Convert octet string exponent to big integer format. */ 747 bytestring2bignum(&(rsakey->e), expo, expo_len); 748 749 /* Convert octet string modulus to big integer format. */ 750 bytestring2bignum(&(rsakey->n), modulus, modulus_len); 751 752 /* Convert octet string input data to big integer format. */ 753 bytestring2bignum(&msg, in, in_len); 754 755 if (big_cmp_abs(&msg, &(rsakey->n)) > 0) { 756 rv = CRYPTO_DATA_LEN_RANGE; 757 goto clean3; 758 } 759 760 /* Perform RSA computation on big integer input data. */ 761 if (big_modexp(&msg, &msg, &(rsakey->e), &(rsakey->n), NULL) 762 != BIG_OK) { 763 rv = CRYPTO_HOST_MEMORY; 764 goto clean3; 765 } 766 767 /* Convert the big integer output data to octet string. */ 768 bignum2bytestring(out, &msg, modulus_len); 769 770 /* 771 * Should not free modulus and expo as both are just pointers 772 * to an attribute value buffer from the caller. 773 */ 774 clean3: 775 big_finish(&msg); 776 clean2: 777 RSA_key_finish(rsakey); 778 clean1: 779 kmem_free(rsakey, sizeof (RSAkey)); 780 781 return (rv); 782 } 783 784 /* EXPORT DELETE END */ 785 786 /* ARGSUSED */ 787 static int 788 rsa_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext, 789 crypto_data_t *plaintext, crypto_req_handle_t req) 790 { 791 int rv; 792 rsa_ctx_t *ctxp; 793 794 ASSERT(ctx->cc_provider_private != NULL); 795 ctxp = ctx->cc_provider_private; 796 797 RSA_ARG_INPLACE(ciphertext, plaintext); 798 799 /* See the comments on KM_SLEEP flag in rsa_encrypt() */ 800 rv = rsa_decrypt_common(ctxp->mech_type, ctxp->key, 801 ciphertext, plaintext, KM_SLEEP); 802 803 if (rv != CRYPTO_BUFFER_TOO_SMALL) 804 (void) rsa_free_context(ctx); 805 806 return (rv); 807 } 808 809 /* ARGSUSED */ 810 static int 811 rsa_decrypt_atomic(crypto_provider_handle_t provider, 812 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 813 crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext, 814 crypto_spi_ctx_template_t template, crypto_req_handle_t req) 815 { 816 int rv; 817 818 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 819 return (rv); 820 RSA_ARG_INPLACE(ciphertext, plaintext); 821 822 return (rsa_decrypt_common(mechanism->cm_type, key, ciphertext, 823 plaintext, crypto_kmflag(req))); 824 } 825 826 static int 827 rsa_decrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key, 828 crypto_data_t *ciphertext, crypto_data_t *plaintext, int kmflag) 829 { 830 int rv = CRYPTO_FAILED; 831 832 /* EXPORT DELETE START */ 833 834 int plain_len; 835 uchar_t *ctptr; 836 uchar_t *modulus; 837 ssize_t modulus_len; 838 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 839 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 840 841 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 842 &modulus_len)) != CRYPTO_SUCCESS) { 843 return (rv); 844 } 845 846 /* 847 * Ciphertext length must be equal to RSA modulus size. 848 */ 849 if (ciphertext->cd_length != modulus_len) 850 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE); 851 852 ASSERT(ciphertext->cd_length <= sizeof (tmp_data)); 853 if ((rv = crypto_get_input_data(ciphertext, &ctptr, tmp_data)) 854 != CRYPTO_SUCCESS) 855 return (rv); 856 857 rv = core_rsa_decrypt(key, ctptr, modulus_len, plain_data, kmflag); 858 if (rv == CRYPTO_SUCCESS) { 859 plain_len = modulus_len; 860 861 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 862 /* Strip off the PKCS block formatting data. */ 863 rv = soft_decrypt_rsa_pkcs_decode(plain_data, 864 &plain_len); 865 if (rv != CRYPTO_SUCCESS) 866 return (rv); 867 } 868 869 if (plain_len > plaintext->cd_length) { 870 plaintext->cd_length = plain_len; 871 return (CRYPTO_BUFFER_TOO_SMALL); 872 } 873 874 if ((rv = crypto_put_output_data( 875 plain_data + modulus_len - plain_len, 876 plaintext, plain_len)) != CRYPTO_SUCCESS) 877 return (rv); 878 879 plaintext->cd_length = plain_len; 880 } 881 882 /* EXPORT DELETE END */ 883 884 return (rv); 885 } 886 887 /* EXPORT DELETE START */ 888 889 static int 890 core_rsa_decrypt(crypto_key_t *key, uchar_t *in, int in_len, 891 uchar_t *out, int kmflag) 892 { 893 int rv; 894 uchar_t *modulus, *prime1, *prime2, *expo1, *expo2, *coef; 895 ssize_t modulus_len; 896 ssize_t prime1_len, prime2_len; 897 ssize_t expo1_len, expo2_len, coef_len; 898 BIGNUM msg; 899 RSAkey *rsakey; 900 901 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 902 &modulus_len)) != CRYPTO_SUCCESS) { 903 return (rv); 904 } 905 906 /* 907 * The following attributes are not required to be 908 * present in a RSA secret key. If any of them is not present 909 * we call the encrypt routine with a flag indicating use of 910 * private exponent (d). Note that SUN_CKA_PRIVATE_EXPONENT is 911 * a required attribute for a RSA secret key. 912 */ 913 if ((crypto_get_key_attr(key, SUN_CKA_PRIME_1, &prime1, &prime1_len) 914 != CRYPTO_SUCCESS) || 915 (crypto_get_key_attr(key, SUN_CKA_PRIME_2, &prime2, &prime2_len) 916 != CRYPTO_SUCCESS) || 917 (crypto_get_key_attr(key, SUN_CKA_EXPONENT_1, &expo1, &expo1_len) 918 != CRYPTO_SUCCESS) || 919 (crypto_get_key_attr(key, SUN_CKA_EXPONENT_2, &expo2, &expo2_len) 920 != CRYPTO_SUCCESS) || 921 (crypto_get_key_attr(key, SUN_CKA_COEFFICIENT, &coef, &coef_len) 922 != CRYPTO_SUCCESS)) { 923 return (core_rsa_encrypt(key, in, in_len, out, kmflag, 0)); 924 } 925 926 rsakey = kmem_alloc(sizeof (RSAkey), kmflag); 927 if (rsakey == NULL) 928 return (CRYPTO_HOST_MEMORY); 929 930 /* psize and qsize for RSA_key_init is in bits. */ 931 if (RSA_key_init(rsakey, prime2_len * 8, prime1_len * 8) != BIG_OK) { 932 rv = CRYPTO_HOST_MEMORY; 933 goto clean1; 934 } 935 936 /* Size for big_init is in BIG_CHUNK_TYPE words. */ 937 if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) { 938 rv = CRYPTO_HOST_MEMORY; 939 goto clean2; 940 } 941 942 /* Convert octet string input data to big integer format. */ 943 bytestring2bignum(&msg, in, in_len); 944 945 /* Convert octet string modulus to big integer format. */ 946 bytestring2bignum(&(rsakey->n), modulus, modulus_len); 947 948 if (big_cmp_abs(&msg, &(rsakey->n)) > 0) { 949 rv = CRYPTO_DATA_LEN_RANGE; 950 goto clean3; 951 } 952 953 /* Convert the rest of private key attributes to big integer format. */ 954 bytestring2bignum(&(rsakey->dmodpminus1), expo2, expo2_len); 955 bytestring2bignum(&(rsakey->dmodqminus1), expo1, expo1_len); 956 bytestring2bignum(&(rsakey->p), prime2, prime2_len); 957 bytestring2bignum(&(rsakey->q), prime1, prime1_len); 958 bytestring2bignum(&(rsakey->pinvmodq), coef, coef_len); 959 960 if ((big_cmp_abs(&(rsakey->dmodpminus1), &(rsakey->p)) > 0) || 961 (big_cmp_abs(&(rsakey->dmodqminus1), &(rsakey->q)) > 0) || 962 (big_cmp_abs(&(rsakey->pinvmodq), &(rsakey->q)) > 0)) { 963 rv = CRYPTO_KEY_SIZE_RANGE; 964 goto clean3; 965 } 966 967 /* Perform RSA computation on big integer input data. */ 968 if (big_modexp_crt(&msg, &msg, &(rsakey->dmodpminus1), 969 &(rsakey->dmodqminus1), &(rsakey->p), &(rsakey->q), 970 &(rsakey->pinvmodq), NULL, NULL) != BIG_OK) { 971 rv = CRYPTO_HOST_MEMORY; 972 goto clean3; 973 } 974 975 /* Convert the big integer output data to octet string. */ 976 bignum2bytestring(out, &msg, modulus_len); 977 978 /* 979 * Should not free modulus and friends as they are just pointers 980 * to an attribute value buffer from the caller. 981 */ 982 clean3: 983 big_finish(&msg); 984 clean2: 985 RSA_key_finish(rsakey); 986 clean1: 987 kmem_free(rsakey, sizeof (RSAkey)); 988 989 return (rv); 990 } 991 992 /* EXPORT DELETE END */ 993 994 /* ARGSUSED */ 995 static int 996 rsa_sign_verify_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 997 crypto_key_t *key, crypto_spi_ctx_template_t ctx_template, 998 crypto_req_handle_t req) 999 { 1000 int rv; 1001 int kmflag; 1002 rsa_ctx_t *ctxp; 1003 digest_rsa_ctx_t *dctxp; 1004 1005 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1006 return (rv); 1007 1008 /* 1009 * Allocate a RSA context. 1010 */ 1011 kmflag = crypto_kmflag(req); 1012 switch (mechanism->cm_type) { 1013 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1014 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1015 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1016 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1017 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1018 dctxp = kmem_zalloc(sizeof (digest_rsa_ctx_t), kmflag); 1019 ctxp = (rsa_ctx_t *)dctxp; 1020 break; 1021 default: 1022 ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag); 1023 break; 1024 } 1025 1026 if (ctxp == NULL) 1027 return (CRYPTO_HOST_MEMORY); 1028 1029 ctxp->mech_type = mechanism->cm_type; 1030 if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size, 1031 kmflag)) != CRYPTO_SUCCESS) { 1032 switch (mechanism->cm_type) { 1033 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1034 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1035 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1036 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1037 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1038 kmem_free(dctxp, sizeof (digest_rsa_ctx_t)); 1039 break; 1040 default: 1041 kmem_free(ctxp, sizeof (rsa_ctx_t)); 1042 break; 1043 } 1044 return (rv); 1045 } 1046 1047 switch (mechanism->cm_type) { 1048 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1049 MD5Init(&(dctxp->md5_ctx)); 1050 break; 1051 1052 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1053 SHA1Init(&(dctxp->sha1_ctx)); 1054 break; 1055 1056 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1057 SHA2Init(SHA256, &(dctxp->sha2_ctx)); 1058 break; 1059 1060 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1061 SHA2Init(SHA384, &(dctxp->sha2_ctx)); 1062 break; 1063 1064 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1065 SHA2Init(SHA512, &(dctxp->sha2_ctx)); 1066 break; 1067 } 1068 1069 ctx->cc_provider_private = ctxp; 1070 1071 return (CRYPTO_SUCCESS); 1072 } 1073 1074 #define SHA1_DIGEST_SIZE 20 1075 #define MD5_DIGEST_SIZE 16 1076 1077 #define INIT_RAW_CRYPTO_DATA(data, base, len, cd_len) \ 1078 (data).cd_format = CRYPTO_DATA_RAW; \ 1079 (data).cd_offset = 0; \ 1080 (data).cd_raw.iov_base = (char *)base; \ 1081 (data).cd_raw.iov_len = len; \ 1082 (data).cd_length = cd_len; 1083 1084 static int 1085 rsa_digest_svrfy_common(digest_rsa_ctx_t *ctxp, crypto_data_t *data, 1086 crypto_data_t *signature, int kmflag, uchar_t flag) 1087 { 1088 int rv = CRYPTO_FAILED; 1089 1090 /* EXPORT DELETE START */ 1091 1092 uchar_t digest[SHA512_DIGEST_LENGTH]; 1093 /* The der_data size is enough for MD5 also */ 1094 uchar_t der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len]; 1095 ulong_t der_data_len; 1096 crypto_data_t der_cd; 1097 rsa_mech_type_t mech_type; 1098 1099 ASSERT(flag & CRYPTO_DO_SIGN || flag & CRYPTO_DO_VERIFY); 1100 ASSERT(data != NULL || (flag & CRYPTO_DO_FINAL)); 1101 1102 mech_type = ctxp->mech_type; 1103 if (mech_type == RSA_PKCS_MECH_INFO_TYPE || 1104 mech_type == RSA_X_509_MECH_INFO_TYPE) 1105 return (CRYPTO_MECHANISM_INVALID); 1106 1107 /* 1108 * We need to do the BUFFER_TOO_SMALL check before digesting 1109 * the data. No check is needed for verify as signature is not 1110 * an output argument for verify. 1111 */ 1112 if (flag & CRYPTO_DO_SIGN) { 1113 uchar_t *modulus; 1114 ssize_t modulus_len; 1115 1116 if ((rv = crypto_get_key_attr(ctxp->key, SUN_CKA_MODULUS, 1117 &modulus, &modulus_len)) != CRYPTO_SUCCESS) { 1118 return (rv); 1119 } 1120 1121 if (signature->cd_length < modulus_len) { 1122 signature->cd_length = modulus_len; 1123 return (CRYPTO_BUFFER_TOO_SMALL); 1124 } 1125 } 1126 1127 if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE) 1128 rv = crypto_digest_data(data, &(ctxp->md5_ctx), 1129 digest, MD5Update, MD5Final, flag | CRYPTO_DO_MD5); 1130 1131 else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE) 1132 rv = crypto_digest_data(data, &(ctxp->sha1_ctx), 1133 digest, SHA1Update, SHA1Final, flag | CRYPTO_DO_SHA1); 1134 1135 else 1136 rv = crypto_digest_data(data, &(ctxp->sha2_ctx), 1137 digest, SHA2Update, SHA2Final, flag | CRYPTO_DO_SHA2); 1138 1139 if (rv != CRYPTO_SUCCESS) 1140 return (rv); 1141 1142 1143 /* 1144 * Prepare the DER encoding of the DigestInfo value as follows: 1145 * MD5: MD5_DER_PREFIX || H 1146 * SHA-1: SHA1_DER_PREFIX || H 1147 * 1148 * See rsa_impl.c for more details. 1149 */ 1150 switch (mech_type) { 1151 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1152 bcopy(MD5_DER_PREFIX, der_data, MD5_DER_PREFIX_Len); 1153 bcopy(digest, der_data + MD5_DER_PREFIX_Len, MD5_DIGEST_SIZE); 1154 der_data_len = MD5_DER_PREFIX_Len + MD5_DIGEST_SIZE; 1155 break; 1156 1157 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1158 bcopy(SHA1_DER_PREFIX, der_data, SHA1_DER_PREFIX_Len); 1159 bcopy(digest, der_data + SHA1_DER_PREFIX_Len, 1160 SHA1_DIGEST_SIZE); 1161 der_data_len = SHA1_DER_PREFIX_Len + SHA1_DIGEST_SIZE; 1162 break; 1163 1164 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1165 bcopy(SHA256_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len); 1166 bcopy(digest, der_data + SHA2_DER_PREFIX_Len, 1167 SHA256_DIGEST_LENGTH); 1168 der_data_len = SHA2_DER_PREFIX_Len + SHA256_DIGEST_LENGTH; 1169 break; 1170 1171 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1172 bcopy(SHA384_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len); 1173 bcopy(digest, der_data + SHA2_DER_PREFIX_Len, 1174 SHA384_DIGEST_LENGTH); 1175 der_data_len = SHA2_DER_PREFIX_Len + SHA384_DIGEST_LENGTH; 1176 break; 1177 1178 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1179 bcopy(SHA512_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len); 1180 bcopy(digest, der_data + SHA2_DER_PREFIX_Len, 1181 SHA512_DIGEST_LENGTH); 1182 der_data_len = SHA2_DER_PREFIX_Len + SHA512_DIGEST_LENGTH; 1183 break; 1184 } 1185 1186 INIT_RAW_CRYPTO_DATA(der_cd, der_data, der_data_len, der_data_len); 1187 /* 1188 * Now, we are ready to sign or verify the DER_ENCODED data. 1189 */ 1190 if (flag & CRYPTO_DO_SIGN) 1191 rv = rsa_sign_common(mech_type, ctxp->key, &der_cd, 1192 signature, kmflag); 1193 else 1194 rv = rsa_verify_common(mech_type, ctxp->key, &der_cd, 1195 signature, kmflag); 1196 1197 /* EXPORT DELETE END */ 1198 1199 return (rv); 1200 } 1201 1202 static int 1203 rsa_sign_common(rsa_mech_type_t mech_type, crypto_key_t *key, 1204 crypto_data_t *data, crypto_data_t *signature, int kmflag) 1205 { 1206 int rv = CRYPTO_FAILED; 1207 1208 /* EXPORT DELETE START */ 1209 1210 int dlen; 1211 uchar_t *dataptr, *modulus; 1212 ssize_t modulus_len; 1213 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1214 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1215 uchar_t signed_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1216 1217 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1218 &modulus_len)) != CRYPTO_SUCCESS) { 1219 return (rv); 1220 } 1221 1222 dlen = data->cd_length; 1223 switch (mech_type) { 1224 case RSA_PKCS_MECH_INFO_TYPE: 1225 if (dlen > (modulus_len - MIN_PKCS1_PADLEN)) 1226 return (CRYPTO_DATA_LEN_RANGE); 1227 break; 1228 case RSA_X_509_MECH_INFO_TYPE: 1229 if (dlen > modulus_len) 1230 return (CRYPTO_DATA_LEN_RANGE); 1231 break; 1232 } 1233 1234 if (signature->cd_length < modulus_len) { 1235 signature->cd_length = modulus_len; 1236 return (CRYPTO_BUFFER_TOO_SMALL); 1237 } 1238 1239 ASSERT(data->cd_length <= sizeof (tmp_data)); 1240 if ((rv = crypto_get_input_data(data, &dataptr, tmp_data)) 1241 != CRYPTO_SUCCESS) 1242 return (rv); 1243 1244 switch (mech_type) { 1245 case RSA_PKCS_MECH_INFO_TYPE: 1246 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1247 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1248 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1249 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1250 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1251 /* 1252 * Add PKCS padding to the input data to format a block 1253 * type "01" encryption block. 1254 */ 1255 rv = soft_sign_rsa_pkcs_encode(dataptr, dlen, plain_data, 1256 modulus_len); 1257 if (rv != CRYPTO_SUCCESS) 1258 return (rv); 1259 1260 break; 1261 1262 case RSA_X_509_MECH_INFO_TYPE: 1263 bzero(plain_data, modulus_len - dlen); 1264 bcopy(dataptr, &plain_data[modulus_len - dlen], dlen); 1265 break; 1266 } 1267 1268 rv = core_rsa_decrypt(key, plain_data, modulus_len, signed_data, 1269 kmflag); 1270 if (rv == CRYPTO_SUCCESS) { 1271 /* copy out to signature */ 1272 if ((rv = crypto_put_output_data(signed_data, 1273 signature, modulus_len)) != CRYPTO_SUCCESS) 1274 return (rv); 1275 1276 signature->cd_length = modulus_len; 1277 } 1278 1279 /* EXPORT DELETE END */ 1280 1281 return (rv); 1282 } 1283 1284 /* ARGSUSED */ 1285 static int 1286 rsa_sign(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature, 1287 crypto_req_handle_t req) 1288 { 1289 int rv; 1290 rsa_ctx_t *ctxp; 1291 1292 ASSERT(ctx->cc_provider_private != NULL); 1293 ctxp = ctx->cc_provider_private; 1294 1295 /* See the comments on KM_SLEEP flag in rsa_encrypt() */ 1296 switch (ctxp->mech_type) { 1297 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1298 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1299 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1300 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1301 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1302 rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data, 1303 signature, KM_SLEEP, CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE | 1304 CRYPTO_DO_FINAL); 1305 break; 1306 default: 1307 rv = rsa_sign_common(ctxp->mech_type, ctxp->key, data, 1308 signature, KM_SLEEP); 1309 break; 1310 } 1311 1312 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1313 (void) rsa_free_context(ctx); 1314 1315 return (rv); 1316 } 1317 1318 /* ARGSUSED */ 1319 static int 1320 rsa_sign_update(crypto_ctx_t *ctx, crypto_data_t *data, crypto_req_handle_t req) 1321 { 1322 int rv; 1323 digest_rsa_ctx_t *ctxp; 1324 rsa_mech_type_t mech_type; 1325 1326 ASSERT(ctx->cc_provider_private != NULL); 1327 ctxp = ctx->cc_provider_private; 1328 mech_type = ctxp->mech_type; 1329 1330 if (mech_type == RSA_PKCS_MECH_INFO_TYPE || 1331 mech_type == RSA_X_509_MECH_INFO_TYPE) 1332 return (CRYPTO_MECHANISM_INVALID); 1333 1334 if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE) 1335 rv = crypto_digest_data(data, &(ctxp->md5_ctx), 1336 NULL, MD5Update, MD5Final, 1337 CRYPTO_DO_MD5 | CRYPTO_DO_UPDATE); 1338 1339 else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE) 1340 rv = crypto_digest_data(data, &(ctxp->sha1_ctx), 1341 NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 | 1342 CRYPTO_DO_UPDATE); 1343 1344 else 1345 rv = crypto_digest_data(data, &(ctxp->sha2_ctx), 1346 NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 | 1347 CRYPTO_DO_UPDATE); 1348 1349 return (rv); 1350 } 1351 1352 static int 1353 rsa_sign_final(crypto_ctx_t *ctx, crypto_data_t *signature, 1354 crypto_req_handle_t req) 1355 { 1356 int rv; 1357 digest_rsa_ctx_t *ctxp; 1358 1359 ASSERT(ctx->cc_provider_private != NULL); 1360 ctxp = ctx->cc_provider_private; 1361 1362 rv = rsa_digest_svrfy_common(ctxp, NULL, signature, 1363 crypto_kmflag(req), CRYPTO_DO_SIGN | CRYPTO_DO_FINAL); 1364 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1365 (void) rsa_free_context(ctx); 1366 1367 return (rv); 1368 } 1369 1370 /* ARGSUSED */ 1371 static int 1372 rsa_sign_atomic(crypto_provider_handle_t provider, 1373 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1374 crypto_key_t *key, crypto_data_t *data, crypto_data_t *signature, 1375 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) 1376 { 1377 int rv; 1378 digest_rsa_ctx_t dctx; 1379 1380 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1381 return (rv); 1382 1383 if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE || 1384 mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE) 1385 rv = rsa_sign_common(mechanism->cm_type, key, data, 1386 signature, crypto_kmflag(req)); 1387 1388 else { 1389 dctx.mech_type = mechanism->cm_type; 1390 dctx.key = key; 1391 switch (mechanism->cm_type) { 1392 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1393 MD5Init(&(dctx.md5_ctx)); 1394 break; 1395 1396 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1397 SHA1Init(&(dctx.sha1_ctx)); 1398 break; 1399 1400 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1401 SHA2Init(SHA256, &(dctx.sha2_ctx)); 1402 break; 1403 1404 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1405 SHA2Init(SHA384, &(dctx.sha2_ctx)); 1406 break; 1407 1408 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1409 SHA2Init(SHA512, &(dctx.sha2_ctx)); 1410 break; 1411 } 1412 1413 rv = rsa_digest_svrfy_common(&dctx, data, signature, 1414 crypto_kmflag(req), CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE | 1415 CRYPTO_DO_FINAL); 1416 } 1417 1418 return (rv); 1419 } 1420 1421 static int 1422 rsa_verify_common(rsa_mech_type_t mech_type, crypto_key_t *key, 1423 crypto_data_t *data, crypto_data_t *signature, int kmflag) 1424 { 1425 int rv = CRYPTO_FAILED; 1426 1427 /* EXPORT DELETE START */ 1428 1429 uchar_t *sigptr, *modulus; 1430 ssize_t modulus_len; 1431 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1432 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1433 1434 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1435 &modulus_len)) != CRYPTO_SUCCESS) { 1436 return (rv); 1437 } 1438 1439 if (signature->cd_length != modulus_len) 1440 return (CRYPTO_SIGNATURE_LEN_RANGE); 1441 1442 ASSERT(signature->cd_length <= sizeof (tmp_data)); 1443 if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data)) 1444 != CRYPTO_SUCCESS) 1445 return (rv); 1446 1447 rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, kmflag, 1); 1448 if (rv != CRYPTO_SUCCESS) 1449 return (rv); 1450 1451 if (mech_type == RSA_X_509_MECH_INFO_TYPE) { 1452 if (compare_data(data, (plain_data + modulus_len 1453 - data->cd_length)) != 0) 1454 rv = CRYPTO_SIGNATURE_INVALID; 1455 1456 } else { 1457 int data_len = modulus_len; 1458 1459 /* 1460 * Strip off the encoded padding bytes in front of the 1461 * recovered data, then compare the recovered data with 1462 * the original data. 1463 */ 1464 rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len); 1465 if (rv != CRYPTO_SUCCESS) 1466 return (rv); 1467 1468 if (data_len != data->cd_length) 1469 return (CRYPTO_SIGNATURE_LEN_RANGE); 1470 1471 if (compare_data(data, (plain_data + modulus_len 1472 - data_len)) != 0) 1473 rv = CRYPTO_SIGNATURE_INVALID; 1474 } 1475 1476 /* EXPORT DELETE END */ 1477 1478 return (rv); 1479 } 1480 1481 /* ARGSUSED */ 1482 static int 1483 rsa_verify(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature, 1484 crypto_req_handle_t req) 1485 { 1486 int rv; 1487 rsa_ctx_t *ctxp; 1488 1489 ASSERT(ctx->cc_provider_private != NULL); 1490 ctxp = ctx->cc_provider_private; 1491 1492 /* See the comments on KM_SLEEP flag in rsa_encrypt() */ 1493 switch (ctxp->mech_type) { 1494 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1495 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1496 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1497 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1498 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1499 rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data, 1500 signature, KM_SLEEP, CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | 1501 CRYPTO_DO_FINAL); 1502 break; 1503 default: 1504 rv = rsa_verify_common(ctxp->mech_type, ctxp->key, data, 1505 signature, KM_SLEEP); 1506 break; 1507 } 1508 1509 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1510 (void) rsa_free_context(ctx); 1511 1512 return (rv); 1513 } 1514 1515 /* ARGSUSED */ 1516 static int 1517 rsa_verify_update(crypto_ctx_t *ctx, crypto_data_t *data, 1518 crypto_req_handle_t req) 1519 { 1520 int rv; 1521 digest_rsa_ctx_t *ctxp; 1522 1523 ASSERT(ctx->cc_provider_private != NULL); 1524 ctxp = ctx->cc_provider_private; 1525 1526 switch (ctxp->mech_type) { 1527 1528 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1529 rv = crypto_digest_data(data, &(ctxp->md5_ctx), 1530 NULL, MD5Update, MD5Final, CRYPTO_DO_MD5 | 1531 CRYPTO_DO_UPDATE); 1532 break; 1533 1534 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1535 rv = crypto_digest_data(data, &(ctxp->sha1_ctx), 1536 NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 | 1537 CRYPTO_DO_UPDATE); 1538 break; 1539 1540 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1541 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1542 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1543 rv = crypto_digest_data(data, &(ctxp->sha2_ctx), 1544 NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 | 1545 CRYPTO_DO_UPDATE); 1546 break; 1547 1548 default: 1549 return (CRYPTO_MECHANISM_INVALID); 1550 } 1551 1552 return (rv); 1553 } 1554 1555 static int 1556 rsa_verify_final(crypto_ctx_t *ctx, crypto_data_t *signature, 1557 crypto_req_handle_t req) 1558 { 1559 int rv; 1560 digest_rsa_ctx_t *ctxp; 1561 1562 ASSERT(ctx->cc_provider_private != NULL); 1563 ctxp = ctx->cc_provider_private; 1564 1565 rv = rsa_digest_svrfy_common(ctxp, NULL, signature, 1566 crypto_kmflag(req), CRYPTO_DO_VERIFY | CRYPTO_DO_FINAL); 1567 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1568 (void) rsa_free_context(ctx); 1569 1570 return (rv); 1571 } 1572 1573 1574 /* ARGSUSED */ 1575 static int 1576 rsa_verify_atomic(crypto_provider_handle_t provider, 1577 crypto_session_id_t session_id, 1578 crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, 1579 crypto_data_t *signature, crypto_spi_ctx_template_t ctx_template, 1580 crypto_req_handle_t req) 1581 { 1582 int rv; 1583 digest_rsa_ctx_t dctx; 1584 1585 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1586 return (rv); 1587 1588 if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE || 1589 mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE) 1590 rv = rsa_verify_common(mechanism->cm_type, key, data, 1591 signature, crypto_kmflag(req)); 1592 1593 else { 1594 dctx.mech_type = mechanism->cm_type; 1595 dctx.key = key; 1596 1597 switch (mechanism->cm_type) { 1598 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1599 MD5Init(&(dctx.md5_ctx)); 1600 break; 1601 1602 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1603 SHA1Init(&(dctx.sha1_ctx)); 1604 break; 1605 1606 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1607 SHA2Init(SHA256, &(dctx.sha2_ctx)); 1608 break; 1609 1610 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1611 SHA2Init(SHA384, &(dctx.sha2_ctx)); 1612 break; 1613 1614 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1615 SHA2Init(SHA512, &(dctx.sha2_ctx)); 1616 break; 1617 } 1618 1619 rv = rsa_digest_svrfy_common(&dctx, data, 1620 signature, crypto_kmflag(req), 1621 CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL); 1622 } 1623 1624 return (rv); 1625 } 1626 1627 static int 1628 rsa_verify_recover_common(rsa_mech_type_t mech_type, crypto_key_t *key, 1629 crypto_data_t *signature, crypto_data_t *data, int kmflag) 1630 { 1631 int rv = CRYPTO_FAILED; 1632 1633 /* EXPORT DELETE START */ 1634 1635 int data_len; 1636 uchar_t *sigptr, *modulus; 1637 ssize_t modulus_len; 1638 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1639 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1640 1641 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1642 &modulus_len)) != CRYPTO_SUCCESS) { 1643 return (rv); 1644 } 1645 1646 if (signature->cd_length != modulus_len) 1647 return (CRYPTO_SIGNATURE_LEN_RANGE); 1648 1649 ASSERT(signature->cd_length <= sizeof (tmp_data)); 1650 if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data)) 1651 != CRYPTO_SUCCESS) 1652 return (rv); 1653 1654 rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, kmflag, 1); 1655 if (rv != CRYPTO_SUCCESS) 1656 return (rv); 1657 1658 data_len = modulus_len; 1659 1660 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 1661 /* 1662 * Strip off the encoded padding bytes in front of the 1663 * recovered data, then compare the recovered data with 1664 * the original data. 1665 */ 1666 rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len); 1667 if (rv != CRYPTO_SUCCESS) 1668 return (rv); 1669 } 1670 1671 if (data->cd_length < data_len) { 1672 data->cd_length = data_len; 1673 return (CRYPTO_BUFFER_TOO_SMALL); 1674 } 1675 1676 if ((rv = crypto_put_output_data(plain_data + modulus_len - data_len, 1677 data, data_len)) != CRYPTO_SUCCESS) 1678 return (rv); 1679 data->cd_length = data_len; 1680 1681 /* EXPORT DELETE END */ 1682 1683 return (rv); 1684 } 1685 1686 /* ARGSUSED */ 1687 static int 1688 rsa_verify_recover(crypto_ctx_t *ctx, crypto_data_t *signature, 1689 crypto_data_t *data, crypto_req_handle_t req) 1690 { 1691 int rv; 1692 rsa_ctx_t *ctxp; 1693 1694 ASSERT(ctx->cc_provider_private != NULL); 1695 ctxp = ctx->cc_provider_private; 1696 1697 /* See the comments on KM_SLEEP flag in rsa_encrypt() */ 1698 rv = rsa_verify_recover_common(ctxp->mech_type, ctxp->key, 1699 signature, data, KM_SLEEP); 1700 1701 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1702 (void) rsa_free_context(ctx); 1703 1704 return (rv); 1705 } 1706 1707 /* ARGSUSED */ 1708 static int 1709 rsa_verify_recover_atomic(crypto_provider_handle_t provider, 1710 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1711 crypto_key_t *key, crypto_data_t *signature, crypto_data_t *data, 1712 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) 1713 { 1714 int rv; 1715 1716 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1717 return (rv); 1718 1719 return (rsa_verify_recover_common(mechanism->cm_type, key, 1720 signature, data, crypto_kmflag(req))); 1721 } 1722 1723 /* 1724 * RSA Power-Up Self-Test 1725 */ 1726 void 1727 rsa_POST(int *rc) 1728 { 1729 1730 *rc = fips_rsa_post(); 1731 1732 } 1733