rsa.c revision 6557:c6c4f66aed66
1/* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21/* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26#pragma ident "%Z%%M% %I% %E% SMI" 27 28/* 29 * RSA provider for the Kernel Cryptographic Framework (KCF) 30 */ 31 32#include <sys/types.h> 33#include <sys/systm.h> 34#include <sys/modctl.h> 35#include <sys/cmn_err.h> 36#include <sys/ddi.h> 37#include <sys/crypto/spi.h> 38#include <sys/sysmacros.h> 39#include <sys/strsun.h> 40#include <sys/md5.h> 41#include <sys/sha1.h> 42#include <sys/sha2.h> 43#include <sys/random.h> 44#include "rsa_impl.h" 45 46extern struct mod_ops mod_cryptoops; 47 48/* 49 * Module linkage information for the kernel. 50 */ 51static struct modlcrypto modlcrypto = { 52 &mod_cryptoops, 53 "RSA Kernel SW Provider" 54}; 55 56static struct modlinkage modlinkage = { 57 MODREV_1, 58 (void *)&modlcrypto, 59 NULL 60}; 61 62/* 63 * CSPI information (entry points, provider info, etc.) 64 */ 65typedef enum rsa_mech_type { 66 RSA_PKCS_MECH_INFO_TYPE, /* SUN_CKM_RSA_PKCS */ 67 RSA_X_509_MECH_INFO_TYPE, /* SUN_CKM_RSA_X_509 */ 68 MD5_RSA_PKCS_MECH_INFO_TYPE, /* SUN_MD5_RSA_PKCS */ 69 SHA1_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA1_RSA_PKCS */ 70 SHA256_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA256_RSA_PKCS */ 71 SHA384_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA384_RSA_PKCS */ 72 SHA512_RSA_PKCS_MECH_INFO_TYPE /* SUN_SHA512_RSA_PKCS */ 73} rsa_mech_type_t; 74 75/* 76 * Context for RSA_PKCS and RSA_X_509 mechanisms. 77 */ 78typedef struct rsa_ctx { 79 rsa_mech_type_t mech_type; 80 crypto_key_t *key; 81 size_t keychunk_size; 82} rsa_ctx_t; 83 84/* 85 * Context for MD5_RSA_PKCS and SHA*_RSA_PKCS mechanisms. 86 */ 87typedef struct digest_rsa_ctx { 88 rsa_mech_type_t mech_type; 89 crypto_key_t *key; 90 size_t keychunk_size; 91 union { 92 MD5_CTX md5ctx; 93 SHA1_CTX sha1ctx; 94 SHA2_CTX sha2ctx; 95 } dctx_u; 96} digest_rsa_ctx_t; 97 98#define md5_ctx dctx_u.md5ctx 99#define sha1_ctx dctx_u.sha1ctx 100#define sha2_ctx dctx_u.sha2ctx 101 102/* 103 * Mechanism info structure passed to KCF during registration. 104 */ 105static crypto_mech_info_t rsa_mech_info_tab[] = { 106 /* RSA_PKCS */ 107 {SUN_CKM_RSA_PKCS, RSA_PKCS_MECH_INFO_TYPE, 108 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 109 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC | 110 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 111 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC | 112 CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC | 113 CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC, 114 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 115 116 /* RSA_X_509 */ 117 {SUN_CKM_RSA_X_509, RSA_X_509_MECH_INFO_TYPE, 118 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 119 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC | 120 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 121 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC | 122 CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC | 123 CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC, 124 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 125 126 /* MD5_RSA_PKCS */ 127 {SUN_CKM_MD5_RSA_PKCS, MD5_RSA_PKCS_MECH_INFO_TYPE, 128 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 129 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 130 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 131 132 /* SHA1_RSA_PKCS */ 133 {SUN_CKM_SHA1_RSA_PKCS, SHA1_RSA_PKCS_MECH_INFO_TYPE, 134 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 135 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 136 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 137 138 /* SHA256_RSA_PKCS */ 139 {SUN_CKM_SHA256_RSA_PKCS, SHA256_RSA_PKCS_MECH_INFO_TYPE, 140 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 141 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 142 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 143 144 /* SHA384_RSA_PKCS */ 145 {SUN_CKM_SHA384_RSA_PKCS, SHA384_RSA_PKCS_MECH_INFO_TYPE, 146 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 147 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 148 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 149 150 /* SHA512_RSA_PKCS */ 151 {SUN_CKM_SHA512_RSA_PKCS, SHA512_RSA_PKCS_MECH_INFO_TYPE, 152 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 153 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 154 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS} 155 156}; 157 158#define RSA_VALID_MECH(mech) \ 159 (((mech)->cm_type == RSA_PKCS_MECH_INFO_TYPE || \ 160 (mech)->cm_type == RSA_X_509_MECH_INFO_TYPE || \ 161 (mech)->cm_type == MD5_RSA_PKCS_MECH_INFO_TYPE || \ 162 (mech)->cm_type == SHA1_RSA_PKCS_MECH_INFO_TYPE || \ 163 (mech)->cm_type == SHA256_RSA_PKCS_MECH_INFO_TYPE || \ 164 (mech)->cm_type == SHA384_RSA_PKCS_MECH_INFO_TYPE || \ 165 (mech)->cm_type == SHA512_RSA_PKCS_MECH_INFO_TYPE) ? 1 : 0) 166 167/* operations are in-place if the output buffer is NULL */ 168#define RSA_ARG_INPLACE(input, output) \ 169 if ((output) == NULL) \ 170 (output) = (input); 171 172static void rsa_provider_status(crypto_provider_handle_t, uint_t *); 173 174static crypto_control_ops_t rsa_control_ops = { 175 rsa_provider_status 176}; 177 178static int rsa_common_init(crypto_ctx_t *, crypto_mechanism_t *, 179 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 180static int rsa_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 181 crypto_req_handle_t); 182static int rsa_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t, 183 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 184 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 185static int rsa_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 186 crypto_req_handle_t); 187static int rsa_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t, 188 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 189 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 190 191/* 192 * The RSA mechanisms do not have multiple-part cipher operations. 193 * So, the update and final routines are set to NULL. 194 */ 195static crypto_cipher_ops_t rsa_cipher_ops = { 196 rsa_common_init, 197 rsa_encrypt, 198 NULL, 199 NULL, 200 rsa_encrypt_atomic, 201 rsa_common_init, 202 rsa_decrypt, 203 NULL, 204 NULL, 205 rsa_decrypt_atomic 206}; 207 208static int rsa_sign_verify_common_init(crypto_ctx_t *, crypto_mechanism_t *, 209 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 210static int rsa_sign(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 211 crypto_req_handle_t); 212static int rsa_sign_update(crypto_ctx_t *, crypto_data_t *, 213 crypto_req_handle_t); 214static int rsa_sign_final(crypto_ctx_t *, crypto_data_t *, 215 crypto_req_handle_t); 216static int rsa_sign_atomic(crypto_provider_handle_t, crypto_session_id_t, 217 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, 218 crypto_spi_ctx_template_t, crypto_req_handle_t); 219 220/* 221 * We use the same routine for sign_init and sign_recover_init fields 222 * as they do the same thing. Same holds for sign and sign_recover fields, 223 * and sign_atomic and sign_recover_atomic fields. 224 */ 225static crypto_sign_ops_t rsa_sign_ops = { 226 rsa_sign_verify_common_init, 227 rsa_sign, 228 rsa_sign_update, 229 rsa_sign_final, 230 rsa_sign_atomic, 231 rsa_sign_verify_common_init, 232 rsa_sign, 233 rsa_sign_atomic 234}; 235 236static int rsa_verify(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 237 crypto_req_handle_t); 238static int rsa_verify_update(crypto_ctx_t *, crypto_data_t *, 239 crypto_req_handle_t); 240static int rsa_verify_final(crypto_ctx_t *, crypto_data_t *, 241 crypto_req_handle_t); 242static int rsa_verify_atomic(crypto_provider_handle_t, crypto_session_id_t, 243 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 244 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 245static int rsa_verify_recover(crypto_ctx_t *, crypto_data_t *, 246 crypto_data_t *, crypto_req_handle_t); 247static int rsa_verify_recover_atomic(crypto_provider_handle_t, 248 crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *, 249 crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t, 250 crypto_req_handle_t); 251 252/* 253 * We use the same routine (rsa_sign_verify_common_init) for verify_init 254 * and verify_recover_init fields as they do the same thing. 255 */ 256static crypto_verify_ops_t rsa_verify_ops = { 257 rsa_sign_verify_common_init, 258 rsa_verify, 259 rsa_verify_update, 260 rsa_verify_final, 261 rsa_verify_atomic, 262 rsa_sign_verify_common_init, 263 rsa_verify_recover, 264 rsa_verify_recover_atomic 265}; 266 267static int rsa_free_context(crypto_ctx_t *); 268 269static crypto_ctx_ops_t rsa_ctx_ops = { 270 NULL, 271 rsa_free_context 272}; 273 274static crypto_ops_t rsa_crypto_ops = { 275 &rsa_control_ops, 276 NULL, 277 &rsa_cipher_ops, 278 NULL, 279 &rsa_sign_ops, 280 &rsa_verify_ops, 281 NULL, 282 NULL, 283 NULL, 284 NULL, 285 NULL, 286 NULL, 287 NULL, 288 &rsa_ctx_ops 289}; 290 291static crypto_provider_info_t rsa_prov_info = { 292 CRYPTO_SPI_VERSION_1, 293 "RSA Software Provider", 294 CRYPTO_SW_PROVIDER, 295 {&modlinkage}, 296 NULL, 297 &rsa_crypto_ops, 298 sizeof (rsa_mech_info_tab)/sizeof (crypto_mech_info_t), 299 rsa_mech_info_tab 300}; 301 302static int rsa_encrypt_common(rsa_mech_type_t, crypto_key_t *, 303 crypto_data_t *, crypto_data_t *, int); 304static int rsa_decrypt_common(rsa_mech_type_t, crypto_key_t *, 305 crypto_data_t *, crypto_data_t *, int); 306static int rsa_sign_common(rsa_mech_type_t, crypto_key_t *, 307 crypto_data_t *, crypto_data_t *, int); 308static int rsa_verify_common(rsa_mech_type_t, crypto_key_t *, 309 crypto_data_t *, crypto_data_t *, int); 310static int compare_data(crypto_data_t *, uchar_t *); 311 312/* EXPORT DELETE START */ 313 314static int core_rsa_encrypt(crypto_key_t *, uchar_t *, 315 int, uchar_t *, int, int); 316static int core_rsa_decrypt(crypto_key_t *, uchar_t *, int, 317 uchar_t *, int); 318 319/* EXPORT DELETE END */ 320 321static crypto_kcf_provider_handle_t rsa_prov_handle = NULL; 322 323int 324_init(void) 325{ 326 int ret; 327 328 /* 329 * Register with KCF. If the registration fails, return error. 330 */ 331 if ((ret = crypto_register_provider(&rsa_prov_info, 332 &rsa_prov_handle)) != CRYPTO_SUCCESS) { 333 cmn_err(CE_WARN, "rsa _init: crypto_register_provider()" 334 "failed (0x%x)", ret); 335 return (EACCES); 336 } 337 338 if ((ret = mod_install(&modlinkage)) != 0) { 339 int rv; 340 341 ASSERT(rsa_prov_handle != NULL); 342 /* We should not return if the unregister returns busy. */ 343 while ((rv = crypto_unregister_provider(rsa_prov_handle)) 344 == CRYPTO_BUSY) { 345 cmn_err(CE_WARN, "rsa _init: " 346 "crypto_unregister_provider() " 347 "failed (0x%x). Retrying.", rv); 348 /* wait 10 seconds and try again. */ 349 delay(10 * drv_usectohz(1000000)); 350 } 351 } 352 353 return (ret); 354} 355 356int 357_fini(void) 358{ 359 int ret; 360 361 /* 362 * Unregister from KCF if previous registration succeeded. 363 */ 364 if (rsa_prov_handle != NULL) { 365 if ((ret = crypto_unregister_provider(rsa_prov_handle)) != 366 CRYPTO_SUCCESS) { 367 cmn_err(CE_WARN, "rsa _fini: " 368 "crypto_unregister_provider() " 369 "failed (0x%x)", ret); 370 return (EBUSY); 371 } 372 rsa_prov_handle = NULL; 373 } 374 375 return (mod_remove(&modlinkage)); 376} 377 378int 379_info(struct modinfo *modinfop) 380{ 381 return (mod_info(&modlinkage, modinfop)); 382} 383 384/* ARGSUSED */ 385static void 386rsa_provider_status(crypto_provider_handle_t provider, uint_t *status) 387{ 388 *status = CRYPTO_PROVIDER_READY; 389} 390 391/* 392 * Utility routine to look up a attribute of type, 'type', 393 * in the key. 394 */ 395static int 396get_key_attr(crypto_key_t *key, crypto_attr_type_t type, 397 uchar_t **value, ssize_t *value_len) 398{ 399 int i; 400 401 ASSERT(key->ck_format == CRYPTO_KEY_ATTR_LIST); 402 for (i = 0; i < key->ck_count; i++) { 403 if (key->ck_attrs[i].oa_type == type) { 404 *value = (uchar_t *)key->ck_attrs[i].oa_value; 405 *value_len = key->ck_attrs[i].oa_value_len; 406 return (CRYPTO_SUCCESS); 407 } 408 } 409 410 return (CRYPTO_FAILED); 411} 412 413static int 414check_mech_and_key(crypto_mechanism_t *mechanism, crypto_key_t *key) 415{ 416 int rv = CRYPTO_FAILED; 417 418/* EXPORT DELETE START */ 419 420 uchar_t *modulus; 421 ssize_t modulus_len; /* In bytes */ 422 423 if (!RSA_VALID_MECH(mechanism)) 424 return (CRYPTO_MECHANISM_INVALID); 425 426 /* 427 * We only support RSA keys that are passed as a list of 428 * object attributes. 429 */ 430 if (key->ck_format != CRYPTO_KEY_ATTR_LIST) { 431 return (CRYPTO_KEY_TYPE_INCONSISTENT); 432 } 433 434 if ((rv = get_key_attr(key, SUN_CKA_MODULUS, &modulus, 435 &modulus_len)) != CRYPTO_SUCCESS) { 436 return (rv); 437 } 438 if (modulus_len < MIN_RSA_KEYLENGTH_IN_BYTES || 439 modulus_len > MAX_RSA_KEYLENGTH_IN_BYTES) 440 return (CRYPTO_KEY_SIZE_RANGE); 441 442/* EXPORT DELETE END */ 443 444 return (rv); 445} 446 447void 448kmemset(uint8_t *buf, char pattern, size_t len) 449{ 450 int i = 0; 451 452 while (i < len) 453 buf[i++] = pattern; 454} 455 456/* 457 * This function guarantees to return non-zero random numbers. 458 * This is needed as the /dev/urandom kernel interface, 459 * random_get_pseudo_bytes(), may return zeros. 460 */ 461int 462knzero_random_generator(uint8_t *ran_out, size_t ran_len) 463{ 464 int rv; 465 size_t ebc = 0; /* count of extra bytes in extrarand */ 466 size_t i = 0; 467 uint8_t extrarand[32]; 468 size_t extrarand_len; 469 470 if ((rv = random_get_pseudo_bytes(ran_out, ran_len)) != 0) 471 return (rv); 472 473 /* 474 * Walk through the returned random numbers pointed by ran_out, 475 * and look for any random number which is zero. 476 * If we find zero, call random_get_pseudo_bytes() to generate 477 * another 32 random numbers pool. Replace any zeros in ran_out[] 478 * from the random number in pool. 479 */ 480 while (i < ran_len) { 481 if (ran_out[i] != 0) { 482 i++; 483 continue; 484 } 485 486 /* 487 * Note that it is 'while' so we are guaranteed a 488 * non-zero value on exit. 489 */ 490 if (ebc == 0) { 491 /* refresh extrarand */ 492 extrarand_len = sizeof (extrarand); 493 if ((rv = random_get_pseudo_bytes(extrarand, 494 extrarand_len)) != 0) { 495 return (rv); 496 } 497 498 ebc = extrarand_len; 499 } 500 /* Replace zero with byte from extrarand. */ 501 -- ebc; 502 503 /* 504 * The new random byte zero/non-zero will be checked in 505 * the next pass through the loop. 506 */ 507 ran_out[i] = extrarand[ebc]; 508 } 509 510 return (CRYPTO_SUCCESS); 511} 512 513typedef enum cmd_type { 514 COPY_FROM_DATA, 515 COPY_TO_DATA, 516 COMPARE_TO_DATA, 517 MD5_DIGEST_DATA, 518 SHA1_DIGEST_DATA, 519 SHA2_DIGEST_DATA 520} cmd_type_t; 521 522/* 523 * Utility routine to apply the command, 'cmd', to the 524 * data in the uio structure. 525 */ 526static int 527process_uio_data(crypto_data_t *data, uchar_t *buf, int len, 528 cmd_type_t cmd, void *digest_ctx) 529{ 530 uio_t *uiop = data->cd_uio; 531 off_t offset = data->cd_offset; 532 size_t length = len; 533 uint_t vec_idx; 534 size_t cur_len; 535 uchar_t *datap; 536 537 ASSERT(data->cd_format == CRYPTO_DATA_UIO); 538 if (uiop->uio_segflg != UIO_SYSSPACE) { 539 return (CRYPTO_ARGUMENTS_BAD); 540 } 541 542 /* 543 * Jump to the first iovec containing data to be 544 * processed. 545 */ 546 for (vec_idx = 0; vec_idx < uiop->uio_iovcnt && 547 offset >= uiop->uio_iov[vec_idx].iov_len; 548 offset -= uiop->uio_iov[vec_idx++].iov_len) 549 ; 550 551 if (vec_idx == uiop->uio_iovcnt) { 552 /* 553 * The caller specified an offset that is larger than 554 * the total size of the buffers it provided. 555 */ 556 return (CRYPTO_DATA_LEN_RANGE); 557 } 558 559 while (vec_idx < uiop->uio_iovcnt && length > 0) { 560 cur_len = MIN(uiop->uio_iov[vec_idx].iov_len - 561 offset, length); 562 563 datap = (uchar_t *)(uiop->uio_iov[vec_idx].iov_base + 564 offset); 565 switch (cmd) { 566 case COPY_FROM_DATA: 567 bcopy(datap, buf, cur_len); 568 buf += cur_len; 569 break; 570 case COPY_TO_DATA: 571 bcopy(buf, datap, cur_len); 572 buf += cur_len; 573 break; 574 case COMPARE_TO_DATA: 575 if (bcmp(datap, buf, cur_len)) 576 return (CRYPTO_SIGNATURE_INVALID); 577 buf += cur_len; 578 break; 579 case MD5_DIGEST_DATA: 580 MD5Update(digest_ctx, datap, cur_len); 581 break; 582 case SHA1_DIGEST_DATA: 583 SHA1Update(digest_ctx, datap, cur_len); 584 break; 585 case SHA2_DIGEST_DATA: 586 SHA2Update(digest_ctx, datap, cur_len); 587 break; 588 } 589 590 length -= cur_len; 591 vec_idx++; 592 offset = 0; 593 } 594 595 if (vec_idx == uiop->uio_iovcnt && length > 0) { 596 /* 597 * The end of the specified iovec's was reached but 598 * the length requested could not be processed. 599 */ 600 switch (cmd) { 601 case COPY_TO_DATA: 602 data->cd_length = len; 603 return (CRYPTO_BUFFER_TOO_SMALL); 604 default: 605 return (CRYPTO_DATA_LEN_RANGE); 606 } 607 } 608 609 return (CRYPTO_SUCCESS); 610} 611 612/* 613 * Utility routine to apply the command, 'cmd', to the 614 * data in the mblk structure. 615 */ 616static int 617process_mblk_data(crypto_data_t *data, uchar_t *buf, int len, 618 cmd_type_t cmd, void *digest_ctx) 619{ 620 off_t offset = data->cd_offset; 621 size_t length = len; 622 mblk_t *mp; 623 size_t cur_len; 624 uchar_t *datap; 625 626 ASSERT(data->cd_format == CRYPTO_DATA_MBLK); 627 /* 628 * Jump to the first mblk_t containing data to be processed. 629 */ 630 for (mp = data->cd_mp; mp != NULL && offset >= MBLKL(mp); 631 offset -= MBLKL(mp), mp = mp->b_cont) 632 ; 633 if (mp == NULL) { 634 /* 635 * The caller specified an offset that is larger 636 * than the total size of the buffers it provided. 637 */ 638 return (CRYPTO_DATA_LEN_RANGE); 639 } 640 641 /* 642 * Now do the processing on the mblk chain. 643 */ 644 while (mp != NULL && length > 0) { 645 cur_len = MIN(MBLKL(mp) - offset, length); 646 647 datap = (uchar_t *)(mp->b_rptr + offset); 648 switch (cmd) { 649 case COPY_FROM_DATA: 650 bcopy(datap, buf, cur_len); 651 buf += cur_len; 652 break; 653 case COPY_TO_DATA: 654 bcopy(buf, datap, cur_len); 655 buf += cur_len; 656 break; 657 case COMPARE_TO_DATA: 658 if (bcmp(datap, buf, cur_len)) 659 return (CRYPTO_SIGNATURE_INVALID); 660 buf += cur_len; 661 break; 662 case MD5_DIGEST_DATA: 663 MD5Update(digest_ctx, datap, cur_len); 664 break; 665 case SHA1_DIGEST_DATA: 666 SHA1Update(digest_ctx, datap, cur_len); 667 break; 668 case SHA2_DIGEST_DATA: 669 SHA2Update(digest_ctx, datap, cur_len); 670 break; 671 } 672 673 length -= cur_len; 674 offset = 0; 675 mp = mp->b_cont; 676 } 677 678 if (mp == NULL && length > 0) { 679 /* 680 * The end of the mblk was reached but the length 681 * requested could not be processed. 682 */ 683 switch (cmd) { 684 case COPY_TO_DATA: 685 data->cd_length = len; 686 return (CRYPTO_BUFFER_TOO_SMALL); 687 default: 688 return (CRYPTO_DATA_LEN_RANGE); 689 } 690 } 691 692 return (CRYPTO_SUCCESS); 693} 694 695static int 696compare_data(crypto_data_t *data, uchar_t *buf) 697{ 698 int len; 699 uchar_t *dptr; 700 701 len = data->cd_length; 702 switch (data->cd_format) { 703 case CRYPTO_DATA_RAW: 704 dptr = (uchar_t *)(data->cd_raw.iov_base + 705 data->cd_offset); 706 707 return (bcmp(dptr, buf, len)); 708 709 case CRYPTO_DATA_UIO: 710 return (process_uio_data(data, buf, len, 711 COMPARE_TO_DATA, NULL)); 712 713 case CRYPTO_DATA_MBLK: 714 return (process_mblk_data(data, buf, len, 715 COMPARE_TO_DATA, NULL)); 716 } 717 718 return (CRYPTO_FAILED); 719} 720 721/* 722 * Utility routine to copy a buffer to a crypto_data structure. 723 */ 724static int 725put_output_data(uchar_t *buf, crypto_data_t *output, int len) 726{ 727 switch (output->cd_format) { 728 case CRYPTO_DATA_RAW: 729 if (output->cd_raw.iov_len < len) { 730 output->cd_length = len; 731 return (CRYPTO_BUFFER_TOO_SMALL); 732 } 733 bcopy(buf, (uchar_t *)(output->cd_raw.iov_base + 734 output->cd_offset), len); 735 break; 736 737 case CRYPTO_DATA_UIO: 738 return (process_uio_data(output, buf, len, COPY_TO_DATA, NULL)); 739 740 case CRYPTO_DATA_MBLK: 741 return (process_mblk_data(output, buf, len, 742 COPY_TO_DATA, NULL)); 743 744 default: 745 return (CRYPTO_ARGUMENTS_BAD); 746 } 747 748 return (CRYPTO_SUCCESS); 749} 750 751/* 752 * Utility routine to get data from a crypto_data structure. 753 * 754 * '*dptr' contains a pointer to a buffer on return. 'buf' 755 * is allocated by the caller and is ignored for CRYPTO_DATA_RAW case. 756 */ 757static int 758get_input_data(crypto_data_t *input, uchar_t **dptr, uchar_t *buf) 759{ 760 int rv; 761 762 switch (input->cd_format) { 763 case CRYPTO_DATA_RAW: 764 if (input->cd_raw.iov_len < input->cd_length) 765 return (CRYPTO_ARGUMENTS_BAD); 766 *dptr = (uchar_t *)(input->cd_raw.iov_base + 767 input->cd_offset); 768 break; 769 770 case CRYPTO_DATA_UIO: 771 if ((rv = process_uio_data(input, buf, input->cd_length, 772 COPY_FROM_DATA, NULL)) != CRYPTO_SUCCESS) 773 return (rv); 774 *dptr = buf; 775 break; 776 777 case CRYPTO_DATA_MBLK: 778 if ((rv = process_mblk_data(input, buf, input->cd_length, 779 COPY_FROM_DATA, NULL)) != CRYPTO_SUCCESS) 780 return (rv); 781 *dptr = buf; 782 break; 783 784 default: 785 return (CRYPTO_ARGUMENTS_BAD); 786 } 787 788 return (CRYPTO_SUCCESS); 789} 790 791static int 792copy_key_to_ctx(crypto_key_t *in_key, rsa_ctx_t *ctx, int kmflag) 793{ 794 int i, count; 795 size_t len; 796 caddr_t attr_val; 797 crypto_object_attribute_t *k_attrs = NULL; 798 799 ASSERT(in_key->ck_format == CRYPTO_KEY_ATTR_LIST); 800 801 count = in_key->ck_count; 802 /* figure out how much memory to allocate for everything */ 803 len = sizeof (crypto_key_t) + 804 count * sizeof (crypto_object_attribute_t); 805 for (i = 0; i < count; i++) { 806 len += roundup(in_key->ck_attrs[i].oa_value_len, 807 sizeof (caddr_t)); 808 } 809 810 /* one big allocation for everything */ 811 ctx->key = kmem_alloc(len, kmflag); 812 if (ctx->key == NULL) 813 return (CRYPTO_HOST_MEMORY); 814 k_attrs = (crypto_object_attribute_t *)((caddr_t)(ctx->key) + 815 sizeof (crypto_key_t)); 816 817 attr_val = (caddr_t)k_attrs + 818 count * sizeof (crypto_object_attribute_t); 819 for (i = 0; i < count; i++) { 820 k_attrs[i].oa_type = in_key->ck_attrs[i].oa_type; 821 bcopy(in_key->ck_attrs[i].oa_value, attr_val, 822 in_key->ck_attrs[i].oa_value_len); 823 k_attrs[i].oa_value = attr_val; 824 k_attrs[i].oa_value_len = in_key->ck_attrs[i].oa_value_len; 825 attr_val += roundup(k_attrs[i].oa_value_len, sizeof (caddr_t)); 826 } 827 828 ctx->keychunk_size = len; /* save the size to be freed */ 829 ctx->key->ck_format = CRYPTO_KEY_ATTR_LIST; 830 ctx->key->ck_count = count; 831 ctx->key->ck_attrs = k_attrs; 832 833 return (CRYPTO_SUCCESS); 834} 835 836/* ARGSUSED */ 837static int 838rsa_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 839 crypto_key_t *key, crypto_spi_ctx_template_t template, 840 crypto_req_handle_t req) 841{ 842 int rv; 843 int kmflag; 844 rsa_ctx_t *ctxp; 845 846 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 847 return (rv); 848 849 /* 850 * Allocate a RSA context. 851 */ 852 kmflag = crypto_kmflag(req); 853 if ((ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag)) == NULL) 854 return (CRYPTO_HOST_MEMORY); 855 856 if ((rv = copy_key_to_ctx(key, ctxp, kmflag)) != CRYPTO_SUCCESS) { 857 kmem_free(ctxp, sizeof (rsa_ctx_t)); 858 return (rv); 859 } 860 ctxp->mech_type = mechanism->cm_type; 861 862 ctx->cc_provider_private = ctxp; 863 864 return (CRYPTO_SUCCESS); 865} 866 867/* ARGSUSED */ 868static int 869rsa_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext, 870 crypto_data_t *ciphertext, crypto_req_handle_t req) 871{ 872 int rv; 873 rsa_ctx_t *ctxp; 874 875 ASSERT(ctx->cc_provider_private != NULL); 876 ctxp = ctx->cc_provider_private; 877 878 RSA_ARG_INPLACE(plaintext, ciphertext); 879 880 /* 881 * Note on the KM_SLEEP flag passed to the routine below - 882 * rsa_encrypt() is a single-part encryption routine which is 883 * currently usable only by /dev/crypto. Since /dev/crypto calls are 884 * always synchronous, we can safely pass KM_SLEEP here. 885 */ 886 rv = rsa_encrypt_common(ctxp->mech_type, ctxp->key, plaintext, 887 ciphertext, KM_SLEEP); 888 889 if (rv != CRYPTO_BUFFER_TOO_SMALL) 890 (void) rsa_free_context(ctx); 891 892 return (rv); 893} 894 895/* ARGSUSED */ 896static int 897rsa_encrypt_atomic(crypto_provider_handle_t provider, 898 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 899 crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext, 900 crypto_spi_ctx_template_t template, crypto_req_handle_t req) 901{ 902 int rv; 903 904 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 905 return (rv); 906 RSA_ARG_INPLACE(plaintext, ciphertext); 907 908 return (rsa_encrypt_common(mechanism->cm_type, key, plaintext, 909 ciphertext, crypto_kmflag(req))); 910} 911 912static int 913rsa_free_context(crypto_ctx_t *ctx) 914{ 915 rsa_ctx_t *ctxp = ctx->cc_provider_private; 916 917 if (ctxp != NULL) { 918 bzero(ctxp->key, ctxp->keychunk_size); 919 kmem_free(ctxp->key, ctxp->keychunk_size); 920 921 if (ctxp->mech_type == RSA_PKCS_MECH_INFO_TYPE || 922 ctxp->mech_type == RSA_X_509_MECH_INFO_TYPE) 923 kmem_free(ctxp, sizeof (rsa_ctx_t)); 924 else 925 kmem_free(ctxp, sizeof (digest_rsa_ctx_t)); 926 927 ctx->cc_provider_private = NULL; 928 } 929 930 return (CRYPTO_SUCCESS); 931} 932 933static int 934rsa_encrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key, 935 crypto_data_t *plaintext, crypto_data_t *ciphertext, int kmflag) 936{ 937 int rv = CRYPTO_FAILED; 938 939/* EXPORT DELETE START */ 940 941 int plen; 942 uchar_t *ptptr; 943 uchar_t *modulus; 944 ssize_t modulus_len; 945 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 946 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 947 uchar_t cipher_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 948 949 if ((rv = get_key_attr(key, SUN_CKA_MODULUS, &modulus, 950 &modulus_len)) != CRYPTO_SUCCESS) { 951 return (rv); 952 } 953 954 plen = plaintext->cd_length; 955 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 956 if (plen > (modulus_len - MIN_PKCS1_PADLEN)) 957 return (CRYPTO_DATA_LEN_RANGE); 958 } else { 959 if (plen > modulus_len) 960 return (CRYPTO_DATA_LEN_RANGE); 961 } 962 963 /* 964 * Output buf len must not be less than RSA modulus size. 965 */ 966 if (ciphertext->cd_length < modulus_len) { 967 ciphertext->cd_length = modulus_len; 968 return (CRYPTO_BUFFER_TOO_SMALL); 969 } 970 971 ASSERT(plaintext->cd_length <= sizeof (tmp_data)); 972 if ((rv = get_input_data(plaintext, &ptptr, tmp_data)) 973 != CRYPTO_SUCCESS) 974 return (rv); 975 976 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 977 rv = soft_encrypt_rsa_pkcs_encode(ptptr, plen, 978 plain_data, modulus_len); 979 980 if (rv != CRYPTO_SUCCESS) 981 return (rv); 982 } else { 983 bzero(plain_data, modulus_len - plen); 984 bcopy(ptptr, &plain_data[modulus_len - plen], plen); 985 } 986 987 rv = core_rsa_encrypt(key, plain_data, modulus_len, 988 cipher_data, kmflag, 1); 989 if (rv == CRYPTO_SUCCESS) { 990 /* copy out to ciphertext */ 991 if ((rv = put_output_data(cipher_data, 992 ciphertext, modulus_len)) != CRYPTO_SUCCESS) 993 return (rv); 994 995 ciphertext->cd_length = modulus_len; 996 } 997 998/* EXPORT DELETE END */ 999 1000 return (rv); 1001} 1002 1003/* EXPORT DELETE START */ 1004 1005static int 1006core_rsa_encrypt(crypto_key_t *key, uchar_t *in, 1007 int in_len, uchar_t *out, int kmflag, int is_public) 1008{ 1009 int rv; 1010 uchar_t *expo, *modulus; 1011 ssize_t expo_len; 1012 ssize_t modulus_len; 1013 BIGNUM msg; 1014 RSAkey *rsakey; 1015 1016 if (is_public) { 1017 if ((rv = get_key_attr(key, SUN_CKA_PUBLIC_EXPONENT, &expo, 1018 &expo_len)) != CRYPTO_SUCCESS) 1019 return (rv); 1020 } else { 1021 /* 1022 * SUN_CKA_PRIVATE_EXPONENT is a required attribute for a 1023 * RSA secret key. See the comments in core_rsa_decrypt 1024 * routine which calls this routine with a private key. 1025 */ 1026 if ((rv = get_key_attr(key, SUN_CKA_PRIVATE_EXPONENT, &expo, 1027 &expo_len)) != CRYPTO_SUCCESS) 1028 return (rv); 1029 } 1030 1031 if ((rv = get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1032 &modulus_len)) != CRYPTO_SUCCESS) { 1033 return (rv); 1034 } 1035 1036 rsakey = kmem_alloc(sizeof (RSAkey), kmflag); 1037 if (rsakey == NULL) 1038 return (CRYPTO_HOST_MEMORY); 1039 1040 /* psize and qsize for RSA_key_init is in bits. */ 1041 if (RSA_key_init(rsakey, modulus_len * 4, modulus_len * 4) != BIG_OK) { 1042 rv = CRYPTO_HOST_MEMORY; 1043 goto clean1; 1044 } 1045 1046 /* Size for big_init is in BIG_CHUNK_TYPE words. */ 1047 if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) { 1048 rv = CRYPTO_HOST_MEMORY; 1049 goto clean2; 1050 } 1051 1052 /* Convert octet string exponent to big integer format. */ 1053 bytestring2bignum(&(rsakey->e), expo, expo_len); 1054 1055 /* Convert octet string modulus to big integer format. */ 1056 bytestring2bignum(&(rsakey->n), modulus, modulus_len); 1057 1058 /* Convert octet string input data to big integer format. */ 1059 bytestring2bignum(&msg, in, in_len); 1060 1061 if (big_cmp_abs(&msg, &(rsakey->n)) > 0) { 1062 rv = CRYPTO_DATA_LEN_RANGE; 1063 goto clean3; 1064 } 1065 1066 /* Perform RSA computation on big integer input data. */ 1067 if (big_modexp(&msg, &msg, &(rsakey->e), &(rsakey->n), NULL) 1068 != BIG_OK) { 1069 rv = CRYPTO_HOST_MEMORY; 1070 goto clean3; 1071 } 1072 1073 /* Convert the big integer output data to octet string. */ 1074 bignum2bytestring(out, &msg, modulus_len); 1075 1076 /* 1077 * Should not free modulus and expo as both are just pointers 1078 * to an attribute value buffer from the caller. 1079 */ 1080clean3: 1081 big_finish(&msg); 1082clean2: 1083 RSA_key_finish(rsakey); 1084clean1: 1085 kmem_free(rsakey, sizeof (RSAkey)); 1086 1087 return (rv); 1088} 1089 1090/* EXPORT DELETE END */ 1091 1092/* ARGSUSED */ 1093static int 1094rsa_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext, 1095 crypto_data_t *plaintext, crypto_req_handle_t req) 1096{ 1097 int rv; 1098 rsa_ctx_t *ctxp; 1099 1100 ASSERT(ctx->cc_provider_private != NULL); 1101 ctxp = ctx->cc_provider_private; 1102 1103 RSA_ARG_INPLACE(ciphertext, plaintext); 1104 1105 /* See the comments on KM_SLEEP flag in rsa_encrypt() */ 1106 rv = rsa_decrypt_common(ctxp->mech_type, ctxp->key, 1107 ciphertext, plaintext, KM_SLEEP); 1108 1109 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1110 (void) rsa_free_context(ctx); 1111 1112 return (rv); 1113} 1114 1115/* ARGSUSED */ 1116static int 1117rsa_decrypt_atomic(crypto_provider_handle_t provider, 1118 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1119 crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext, 1120 crypto_spi_ctx_template_t template, crypto_req_handle_t req) 1121{ 1122 int rv; 1123 1124 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1125 return (rv); 1126 RSA_ARG_INPLACE(ciphertext, plaintext); 1127 1128 return (rsa_decrypt_common(mechanism->cm_type, key, ciphertext, 1129 plaintext, crypto_kmflag(req))); 1130} 1131 1132static int 1133rsa_decrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key, 1134 crypto_data_t *ciphertext, crypto_data_t *plaintext, int kmflag) 1135{ 1136 int rv = CRYPTO_FAILED; 1137 1138/* EXPORT DELETE START */ 1139 1140 int plain_len; 1141 uchar_t *ctptr; 1142 uchar_t *modulus; 1143 ssize_t modulus_len; 1144 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1145 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1146 1147 if ((rv = get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1148 &modulus_len)) != CRYPTO_SUCCESS) { 1149 return (rv); 1150 } 1151 1152 /* 1153 * Ciphertext length must be equal to RSA modulus size. 1154 */ 1155 if (ciphertext->cd_length != modulus_len) 1156 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE); 1157 1158 ASSERT(ciphertext->cd_length <= sizeof (tmp_data)); 1159 if ((rv = get_input_data(ciphertext, &ctptr, tmp_data)) 1160 != CRYPTO_SUCCESS) 1161 return (rv); 1162 1163 rv = core_rsa_decrypt(key, ctptr, modulus_len, plain_data, kmflag); 1164 if (rv == CRYPTO_SUCCESS) { 1165 plain_len = modulus_len; 1166 1167 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 1168 /* Strip off the PKCS block formatting data. */ 1169 rv = soft_decrypt_rsa_pkcs_decode(plain_data, 1170 &plain_len); 1171 if (rv != CRYPTO_SUCCESS) 1172 return (rv); 1173 } 1174 1175 if (plain_len > plaintext->cd_length) { 1176 plaintext->cd_length = plain_len; 1177 return (CRYPTO_BUFFER_TOO_SMALL); 1178 } 1179 1180 if ((rv = put_output_data(plain_data + modulus_len - plain_len, 1181 plaintext, plain_len)) != CRYPTO_SUCCESS) 1182 return (rv); 1183 1184 plaintext->cd_length = plain_len; 1185 } 1186 1187/* EXPORT DELETE END */ 1188 1189 return (rv); 1190} 1191 1192/* EXPORT DELETE START */ 1193 1194static int 1195core_rsa_decrypt(crypto_key_t *key, uchar_t *in, int in_len, 1196 uchar_t *out, int kmflag) 1197{ 1198 int rv; 1199 uchar_t *modulus, *prime1, *prime2, *expo1, *expo2, *coef; 1200 ssize_t modulus_len; 1201 ssize_t prime1_len, prime2_len; 1202 ssize_t expo1_len, expo2_len, coef_len; 1203 BIGNUM msg; 1204 RSAkey *rsakey; 1205 1206 if ((rv = get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1207 &modulus_len)) != CRYPTO_SUCCESS) { 1208 return (rv); 1209 } 1210 1211 /* 1212 * The following attributes are not required to be 1213 * present in a RSA secret key. If any of them is not present 1214 * we call the encrypt routine with a flag indicating use of 1215 * private exponent (d). Note that SUN_CKA_PRIVATE_EXPONENT is 1216 * a required attribute for a RSA secret key. 1217 */ 1218 if ((get_key_attr(key, SUN_CKA_PRIME_1, &prime1, &prime1_len) 1219 != CRYPTO_SUCCESS) || 1220 (get_key_attr(key, SUN_CKA_PRIME_2, &prime2, &prime2_len) 1221 != CRYPTO_SUCCESS) || 1222 (get_key_attr(key, SUN_CKA_EXPONENT_1, &expo1, &expo1_len) 1223 != CRYPTO_SUCCESS) || 1224 (get_key_attr(key, SUN_CKA_EXPONENT_2, &expo2, &expo2_len) 1225 != CRYPTO_SUCCESS) || 1226 (get_key_attr(key, SUN_CKA_COEFFICIENT, &coef, &coef_len) 1227 != CRYPTO_SUCCESS)) { 1228 return (core_rsa_encrypt(key, in, in_len, out, kmflag, 0)); 1229 } 1230 1231 rsakey = kmem_alloc(sizeof (RSAkey), kmflag); 1232 if (rsakey == NULL) 1233 return (CRYPTO_HOST_MEMORY); 1234 1235 /* psize and qsize for RSA_key_init is in bits. */ 1236 if (RSA_key_init(rsakey, prime2_len * 8, prime1_len * 8) != BIG_OK) { 1237 rv = CRYPTO_HOST_MEMORY; 1238 goto clean1; 1239 } 1240 1241 /* Size for big_init is in BIG_CHUNK_TYPE words. */ 1242 if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) { 1243 rv = CRYPTO_HOST_MEMORY; 1244 goto clean2; 1245 } 1246 1247 /* Convert octet string input data to big integer format. */ 1248 bytestring2bignum(&msg, in, in_len); 1249 1250 /* Convert octet string modulus to big integer format. */ 1251 bytestring2bignum(&(rsakey->n), modulus, modulus_len); 1252 1253 if (big_cmp_abs(&msg, &(rsakey->n)) > 0) { 1254 rv = CRYPTO_DATA_LEN_RANGE; 1255 goto clean3; 1256 } 1257 1258 /* Convert the rest of private key attributes to big integer format. */ 1259 bytestring2bignum(&(rsakey->dmodpminus1), expo2, expo2_len); 1260 bytestring2bignum(&(rsakey->dmodqminus1), expo1, expo1_len); 1261 bytestring2bignum(&(rsakey->p), prime2, prime2_len); 1262 bytestring2bignum(&(rsakey->q), prime1, prime1_len); 1263 bytestring2bignum(&(rsakey->pinvmodq), coef, coef_len); 1264 1265 if ((big_cmp_abs(&(rsakey->dmodpminus1), &(rsakey->p)) > 0) || 1266 (big_cmp_abs(&(rsakey->dmodqminus1), &(rsakey->q)) > 0) || 1267 (big_cmp_abs(&(rsakey->pinvmodq), &(rsakey->q)) > 0)) { 1268 rv = CRYPTO_KEY_SIZE_RANGE; 1269 goto clean3; 1270 } 1271 1272 /* Perform RSA computation on big integer input data. */ 1273 if (big_modexp_crt(&msg, &msg, &(rsakey->dmodpminus1), 1274 &(rsakey->dmodqminus1), &(rsakey->p), &(rsakey->q), 1275 &(rsakey->pinvmodq), NULL, NULL) != BIG_OK) { 1276 rv = CRYPTO_HOST_MEMORY; 1277 goto clean3; 1278 } 1279 1280 /* Convert the big integer output data to octet string. */ 1281 bignum2bytestring(out, &msg, modulus_len); 1282 1283 /* 1284 * Should not free modulus and friends as they are just pointers 1285 * to an attribute value buffer from the caller. 1286 */ 1287clean3: 1288 big_finish(&msg); 1289clean2: 1290 RSA_key_finish(rsakey); 1291clean1: 1292 kmem_free(rsakey, sizeof (RSAkey)); 1293 1294 return (rv); 1295} 1296 1297/* EXPORT DELETE END */ 1298 1299/* ARGSUSED */ 1300static int 1301rsa_sign_verify_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 1302 crypto_key_t *key, crypto_spi_ctx_template_t ctx_template, 1303 crypto_req_handle_t req) 1304{ 1305 int rv; 1306 int kmflag; 1307 rsa_ctx_t *ctxp; 1308 digest_rsa_ctx_t *dctxp; 1309 1310 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1311 return (rv); 1312 1313 /* 1314 * Allocate a RSA context. 1315 */ 1316 kmflag = crypto_kmflag(req); 1317 switch (mechanism->cm_type) { 1318 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1319 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1320 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1321 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1322 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1323 dctxp = kmem_zalloc(sizeof (digest_rsa_ctx_t), kmflag); 1324 ctxp = (rsa_ctx_t *)dctxp; 1325 break; 1326 default: 1327 ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag); 1328 break; 1329 } 1330 1331 if (ctxp == NULL) 1332 return (CRYPTO_HOST_MEMORY); 1333 1334 ctxp->mech_type = mechanism->cm_type; 1335 if ((rv = copy_key_to_ctx(key, ctxp, kmflag)) != CRYPTO_SUCCESS) { 1336 switch (mechanism->cm_type) { 1337 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1338 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1339 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1340 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1341 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1342 kmem_free(dctxp, sizeof (digest_rsa_ctx_t)); 1343 break; 1344 default: 1345 kmem_free(ctxp, sizeof (rsa_ctx_t)); 1346 break; 1347 } 1348 return (rv); 1349 } 1350 1351 switch (mechanism->cm_type) { 1352 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1353 MD5Init(&(dctxp->md5_ctx)); 1354 break; 1355 1356 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1357 SHA1Init(&(dctxp->sha1_ctx)); 1358 break; 1359 1360 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1361 SHA2Init(SHA256, &(dctxp->sha2_ctx)); 1362 break; 1363 1364 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1365 SHA2Init(SHA384, &(dctxp->sha2_ctx)); 1366 break; 1367 1368 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1369 SHA2Init(SHA512, &(dctxp->sha2_ctx)); 1370 break; 1371 } 1372 1373 ctx->cc_provider_private = ctxp; 1374 1375 return (CRYPTO_SUCCESS); 1376} 1377 1378#define SHA1_DIGEST_SIZE 20 1379#define MD5_DIGEST_SIZE 16 1380 1381#define INIT_RAW_CRYPTO_DATA(data, base, len, cd_len) \ 1382 (data).cd_format = CRYPTO_DATA_RAW; \ 1383 (data).cd_offset = 0; \ 1384 (data).cd_raw.iov_base = (char *)base; \ 1385 (data).cd_raw.iov_len = len; \ 1386 (data).cd_length = cd_len; 1387 1388#define DO_UPDATE 0x01 1389#define DO_FINAL 0x02 1390#define DO_MD5 0x04 1391#define DO_SHA1 0x08 1392#define DO_SIGN 0x10 1393#define DO_VERIFY 0x20 1394#define DO_SHA2 0x40 1395 1396static int 1397digest_data(crypto_data_t *data, void *dctx, uchar_t *digest, 1398 uchar_t flag) 1399{ 1400 int rv, dlen; 1401 uchar_t *dptr; 1402 1403 ASSERT(flag & DO_MD5 || flag & DO_SHA1 || flag & DO_SHA2); 1404 if (data == NULL) { 1405 ASSERT((flag & DO_UPDATE) == 0); 1406 goto dofinal; 1407 } 1408 1409 dlen = data->cd_length; 1410 1411 if (flag & DO_UPDATE) { 1412 1413 switch (data->cd_format) { 1414 case CRYPTO_DATA_RAW: 1415 dptr = (uchar_t *)(data->cd_raw.iov_base + 1416 data->cd_offset); 1417 1418 if (flag & DO_MD5) 1419 MD5Update(dctx, dptr, dlen); 1420 1421 else if (flag & DO_SHA1) 1422 SHA1Update(dctx, dptr, dlen); 1423 1424 else 1425 SHA2Update(dctx, dptr, dlen); 1426 1427 break; 1428 1429 case CRYPTO_DATA_UIO: 1430 if (flag & DO_MD5) 1431 rv = process_uio_data(data, NULL, dlen, 1432 MD5_DIGEST_DATA, dctx); 1433 1434 else if (flag & DO_SHA1) 1435 rv = process_uio_data(data, NULL, dlen, 1436 SHA1_DIGEST_DATA, dctx); 1437 1438 else 1439 rv = process_uio_data(data, NULL, dlen, 1440 SHA2_DIGEST_DATA, dctx); 1441 1442 if (rv != CRYPTO_SUCCESS) 1443 return (rv); 1444 1445 break; 1446 1447 case CRYPTO_DATA_MBLK: 1448 if (flag & DO_MD5) 1449 rv = process_mblk_data(data, NULL, dlen, 1450 MD5_DIGEST_DATA, dctx); 1451 1452 else if (flag & DO_SHA1) 1453 rv = process_mblk_data(data, NULL, dlen, 1454 SHA1_DIGEST_DATA, dctx); 1455 1456 else 1457 rv = process_mblk_data(data, NULL, dlen, 1458 SHA2_DIGEST_DATA, dctx); 1459 1460 if (rv != CRYPTO_SUCCESS) 1461 return (rv); 1462 1463 break; 1464 } 1465 } 1466 1467dofinal: 1468 if (flag & DO_FINAL) { 1469 if (flag & DO_MD5) 1470 MD5Final(digest, dctx); 1471 1472 else if (flag & DO_SHA1) 1473 SHA1Final(digest, dctx); 1474 1475 else 1476 SHA2Final(digest, dctx); 1477 } 1478 1479 return (CRYPTO_SUCCESS); 1480} 1481 1482static int 1483rsa_digest_svrfy_common(digest_rsa_ctx_t *ctxp, crypto_data_t *data, 1484 crypto_data_t *signature, int kmflag, uchar_t flag) 1485{ 1486 int rv = CRYPTO_FAILED; 1487 1488/* EXPORT DELETE START */ 1489 1490 uchar_t digest[SHA512_DIGEST_LENGTH]; 1491 /* The der_data size is enough for MD5 also */ 1492 uchar_t der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len]; 1493 ulong_t der_data_len; 1494 crypto_data_t der_cd; 1495 rsa_mech_type_t mech_type; 1496 1497 ASSERT(flag & DO_SIGN || flag & DO_VERIFY); 1498 ASSERT(data != NULL || (flag & DO_FINAL)); 1499 1500 mech_type = ctxp->mech_type; 1501 if (mech_type == RSA_PKCS_MECH_INFO_TYPE || 1502 mech_type == RSA_X_509_MECH_INFO_TYPE) 1503 return (CRYPTO_MECHANISM_INVALID); 1504 1505 /* 1506 * We need to do the BUFFER_TOO_SMALL check before digesting 1507 * the data. No check is needed for verify as signature is not 1508 * an output argument for verify. 1509 */ 1510 if (flag & DO_SIGN) { 1511 uchar_t *modulus; 1512 ssize_t modulus_len; 1513 1514 if ((rv = get_key_attr(ctxp->key, SUN_CKA_MODULUS, &modulus, 1515 &modulus_len)) != CRYPTO_SUCCESS) { 1516 return (rv); 1517 } 1518 1519 if (signature->cd_length < modulus_len) { 1520 signature->cd_length = modulus_len; 1521 return (CRYPTO_BUFFER_TOO_SMALL); 1522 } 1523 } 1524 1525 if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE) 1526 rv = digest_data(data, &(ctxp->md5_ctx), 1527 digest, flag | DO_MD5); 1528 1529 else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE) 1530 rv = digest_data(data, &(ctxp->sha1_ctx), 1531 digest, flag | DO_SHA1); 1532 1533 else 1534 rv = digest_data(data, &(ctxp->sha2_ctx), 1535 digest, flag | DO_SHA2); 1536 1537 if (rv != CRYPTO_SUCCESS) 1538 return (rv); 1539 1540 1541 /* 1542 * Prepare the DER encoding of the DigestInfo value as follows: 1543 * MD5: MD5_DER_PREFIX || H 1544 * SHA-1: SHA1_DER_PREFIX || H 1545 * 1546 * See rsa_impl.c for more details. 1547 */ 1548 switch (mech_type) { 1549 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1550 bcopy(MD5_DER_PREFIX, der_data, MD5_DER_PREFIX_Len); 1551 bcopy(digest, der_data + MD5_DER_PREFIX_Len, MD5_DIGEST_SIZE); 1552 der_data_len = MD5_DER_PREFIX_Len + MD5_DIGEST_SIZE; 1553 break; 1554 1555 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1556 bcopy(SHA1_DER_PREFIX, der_data, SHA1_DER_PREFIX_Len); 1557 bcopy(digest, der_data + SHA1_DER_PREFIX_Len, 1558 SHA1_DIGEST_SIZE); 1559 der_data_len = SHA1_DER_PREFIX_Len + SHA1_DIGEST_SIZE; 1560 break; 1561 1562 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1563 bcopy(SHA256_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len); 1564 bcopy(digest, der_data + SHA2_DER_PREFIX_Len, 1565 SHA256_DIGEST_LENGTH); 1566 der_data_len = SHA2_DER_PREFIX_Len + SHA256_DIGEST_LENGTH; 1567 break; 1568 1569 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1570 bcopy(SHA384_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len); 1571 bcopy(digest, der_data + SHA2_DER_PREFIX_Len, 1572 SHA384_DIGEST_LENGTH); 1573 der_data_len = SHA2_DER_PREFIX_Len + SHA384_DIGEST_LENGTH; 1574 break; 1575 1576 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1577 bcopy(SHA512_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len); 1578 bcopy(digest, der_data + SHA2_DER_PREFIX_Len, 1579 SHA512_DIGEST_LENGTH); 1580 der_data_len = SHA2_DER_PREFIX_Len + SHA512_DIGEST_LENGTH; 1581 break; 1582 } 1583 1584 INIT_RAW_CRYPTO_DATA(der_cd, der_data, der_data_len, der_data_len); 1585 /* 1586 * Now, we are ready to sign or verify the DER_ENCODED data. 1587 */ 1588 if (flag & DO_SIGN) 1589 rv = rsa_sign_common(mech_type, ctxp->key, &der_cd, 1590 signature, kmflag); 1591 else 1592 rv = rsa_verify_common(mech_type, ctxp->key, &der_cd, 1593 signature, kmflag); 1594 1595/* EXPORT DELETE END */ 1596 1597 return (rv); 1598} 1599 1600static int 1601rsa_sign_common(rsa_mech_type_t mech_type, crypto_key_t *key, 1602 crypto_data_t *data, crypto_data_t *signature, int kmflag) 1603{ 1604 int rv = CRYPTO_FAILED; 1605 1606/* EXPORT DELETE START */ 1607 1608 int dlen; 1609 uchar_t *dataptr, *modulus; 1610 ssize_t modulus_len; 1611 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1612 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1613 uchar_t signed_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1614 1615 if ((rv = get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1616 &modulus_len)) != CRYPTO_SUCCESS) { 1617 return (rv); 1618 } 1619 1620 dlen = data->cd_length; 1621 switch (mech_type) { 1622 case RSA_PKCS_MECH_INFO_TYPE: 1623 if (dlen > (modulus_len - MIN_PKCS1_PADLEN)) 1624 return (CRYPTO_DATA_LEN_RANGE); 1625 break; 1626 case RSA_X_509_MECH_INFO_TYPE: 1627 if (dlen > modulus_len) 1628 return (CRYPTO_DATA_LEN_RANGE); 1629 break; 1630 } 1631 1632 if (signature->cd_length < modulus_len) { 1633 signature->cd_length = modulus_len; 1634 return (CRYPTO_BUFFER_TOO_SMALL); 1635 } 1636 1637 ASSERT(data->cd_length <= sizeof (tmp_data)); 1638 if ((rv = get_input_data(data, &dataptr, tmp_data)) 1639 != CRYPTO_SUCCESS) 1640 return (rv); 1641 1642 switch (mech_type) { 1643 case RSA_PKCS_MECH_INFO_TYPE: 1644 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1645 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1646 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1647 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1648 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1649 /* 1650 * Add PKCS padding to the input data to format a block 1651 * type "01" encryption block. 1652 */ 1653 rv = soft_sign_rsa_pkcs_encode(dataptr, dlen, plain_data, 1654 modulus_len); 1655 if (rv != CRYPTO_SUCCESS) 1656 return (rv); 1657 1658 break; 1659 1660 case RSA_X_509_MECH_INFO_TYPE: 1661 bzero(plain_data, modulus_len - dlen); 1662 bcopy(dataptr, &plain_data[modulus_len - dlen], dlen); 1663 break; 1664 } 1665 1666 rv = core_rsa_decrypt(key, plain_data, modulus_len, signed_data, 1667 kmflag); 1668 if (rv == CRYPTO_SUCCESS) { 1669 /* copy out to signature */ 1670 if ((rv = put_output_data(signed_data, 1671 signature, modulus_len)) != CRYPTO_SUCCESS) 1672 return (rv); 1673 1674 signature->cd_length = modulus_len; 1675 } 1676 1677/* EXPORT DELETE END */ 1678 1679 return (rv); 1680} 1681 1682/* ARGSUSED */ 1683static int 1684rsa_sign(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature, 1685 crypto_req_handle_t req) 1686{ 1687 int rv; 1688 rsa_ctx_t *ctxp; 1689 1690 ASSERT(ctx->cc_provider_private != NULL); 1691 ctxp = ctx->cc_provider_private; 1692 1693 /* See the comments on KM_SLEEP flag in rsa_encrypt() */ 1694 switch (ctxp->mech_type) { 1695 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1696 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1697 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1698 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1699 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1700 rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data, 1701 signature, KM_SLEEP, DO_SIGN | DO_UPDATE | DO_FINAL); 1702 break; 1703 default: 1704 rv = rsa_sign_common(ctxp->mech_type, ctxp->key, data, 1705 signature, KM_SLEEP); 1706 break; 1707 } 1708 1709 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1710 (void) rsa_free_context(ctx); 1711 1712 return (rv); 1713} 1714 1715/* ARGSUSED */ 1716static int 1717rsa_sign_update(crypto_ctx_t *ctx, crypto_data_t *data, crypto_req_handle_t req) 1718{ 1719 int rv; 1720 digest_rsa_ctx_t *ctxp; 1721 rsa_mech_type_t mech_type; 1722 1723 ASSERT(ctx->cc_provider_private != NULL); 1724 ctxp = ctx->cc_provider_private; 1725 mech_type = ctxp->mech_type; 1726 1727 if (mech_type == RSA_PKCS_MECH_INFO_TYPE || 1728 mech_type == RSA_X_509_MECH_INFO_TYPE) 1729 return (CRYPTO_MECHANISM_INVALID); 1730 1731 if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE) 1732 rv = digest_data(data, &(ctxp->md5_ctx), 1733 NULL, DO_MD5 | DO_UPDATE); 1734 1735 else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE) 1736 rv = digest_data(data, &(ctxp->sha1_ctx), 1737 NULL, DO_SHA1 | DO_UPDATE); 1738 1739 else 1740 rv = digest_data(data, &(ctxp->sha2_ctx), 1741 NULL, DO_SHA2 | DO_UPDATE); 1742 1743 return (rv); 1744} 1745 1746static int 1747rsa_sign_final(crypto_ctx_t *ctx, crypto_data_t *signature, 1748 crypto_req_handle_t req) 1749{ 1750 int rv; 1751 digest_rsa_ctx_t *ctxp; 1752 1753 ASSERT(ctx->cc_provider_private != NULL); 1754 ctxp = ctx->cc_provider_private; 1755 1756 rv = rsa_digest_svrfy_common(ctxp, NULL, signature, 1757 crypto_kmflag(req), DO_SIGN | DO_FINAL); 1758 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1759 (void) rsa_free_context(ctx); 1760 1761 return (rv); 1762} 1763 1764/* ARGSUSED */ 1765static int 1766rsa_sign_atomic(crypto_provider_handle_t provider, 1767 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1768 crypto_key_t *key, crypto_data_t *data, crypto_data_t *signature, 1769 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) 1770{ 1771 int rv; 1772 digest_rsa_ctx_t dctx; 1773 1774 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1775 return (rv); 1776 1777 if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE || 1778 mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE) 1779 rv = rsa_sign_common(mechanism->cm_type, key, data, 1780 signature, crypto_kmflag(req)); 1781 1782 else { 1783 dctx.mech_type = mechanism->cm_type; 1784 dctx.key = key; 1785 switch (mechanism->cm_type) { 1786 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1787 MD5Init(&(dctx.md5_ctx)); 1788 break; 1789 1790 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1791 SHA1Init(&(dctx.sha1_ctx)); 1792 break; 1793 1794 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1795 SHA2Init(SHA256, &(dctx.sha2_ctx)); 1796 break; 1797 1798 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1799 SHA2Init(SHA384, &(dctx.sha2_ctx)); 1800 break; 1801 1802 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1803 SHA2Init(SHA512, &(dctx.sha2_ctx)); 1804 break; 1805 } 1806 1807 rv = rsa_digest_svrfy_common(&dctx, data, signature, 1808 crypto_kmflag(req), DO_SIGN | DO_UPDATE | DO_FINAL); 1809 } 1810 1811 return (rv); 1812} 1813 1814static int 1815rsa_verify_common(rsa_mech_type_t mech_type, crypto_key_t *key, 1816 crypto_data_t *data, crypto_data_t *signature, int kmflag) 1817{ 1818 int rv = CRYPTO_FAILED; 1819 1820/* EXPORT DELETE START */ 1821 1822 uchar_t *sigptr, *modulus; 1823 ssize_t modulus_len; 1824 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1825 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 1826 1827 if ((rv = get_key_attr(key, SUN_CKA_MODULUS, &modulus, 1828 &modulus_len)) != CRYPTO_SUCCESS) { 1829 return (rv); 1830 } 1831 1832 if (signature->cd_length != modulus_len) 1833 return (CRYPTO_SIGNATURE_LEN_RANGE); 1834 1835 ASSERT(signature->cd_length <= sizeof (tmp_data)); 1836 if ((rv = get_input_data(signature, &sigptr, tmp_data)) 1837 != CRYPTO_SUCCESS) 1838 return (rv); 1839 1840 rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, kmflag, 1); 1841 if (rv != CRYPTO_SUCCESS) 1842 return (rv); 1843 1844 if (mech_type == RSA_X_509_MECH_INFO_TYPE) { 1845 if (compare_data(data, (plain_data + modulus_len 1846 - data->cd_length)) != 0) 1847 rv = CRYPTO_SIGNATURE_INVALID; 1848 1849 } else { 1850 int data_len = modulus_len; 1851 1852 /* 1853 * Strip off the encoded padding bytes in front of the 1854 * recovered data, then compare the recovered data with 1855 * the original data. 1856 */ 1857 rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len); 1858 if (rv != CRYPTO_SUCCESS) 1859 return (rv); 1860 1861 if (data_len != data->cd_length) 1862 return (CRYPTO_SIGNATURE_LEN_RANGE); 1863 1864 if (compare_data(data, (plain_data + modulus_len 1865 - data_len)) != 0) 1866 rv = CRYPTO_SIGNATURE_INVALID; 1867 } 1868 1869/* EXPORT DELETE END */ 1870 1871 return (rv); 1872} 1873 1874/* ARGSUSED */ 1875static int 1876rsa_verify(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature, 1877 crypto_req_handle_t req) 1878{ 1879 int rv; 1880 rsa_ctx_t *ctxp; 1881 1882 ASSERT(ctx->cc_provider_private != NULL); 1883 ctxp = ctx->cc_provider_private; 1884 1885 /* See the comments on KM_SLEEP flag in rsa_encrypt() */ 1886 switch (ctxp->mech_type) { 1887 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1888 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1889 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1890 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1891 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1892 rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data, 1893 signature, KM_SLEEP, DO_VERIFY | DO_UPDATE | DO_FINAL); 1894 break; 1895 default: 1896 rv = rsa_verify_common(ctxp->mech_type, ctxp->key, data, 1897 signature, KM_SLEEP); 1898 break; 1899 } 1900 1901 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1902 (void) rsa_free_context(ctx); 1903 1904 return (rv); 1905} 1906 1907/* ARGSUSED */ 1908static int 1909rsa_verify_update(crypto_ctx_t *ctx, crypto_data_t *data, 1910 crypto_req_handle_t req) 1911{ 1912 int rv; 1913 digest_rsa_ctx_t *ctxp; 1914 1915 ASSERT(ctx->cc_provider_private != NULL); 1916 ctxp = ctx->cc_provider_private; 1917 1918 switch (ctxp->mech_type) { 1919 1920 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1921 rv = digest_data(data, &(ctxp->md5_ctx), 1922 NULL, DO_MD5 | DO_UPDATE); 1923 break; 1924 1925 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1926 rv = digest_data(data, &(ctxp->sha1_ctx), 1927 NULL, DO_SHA1 | DO_UPDATE); 1928 break; 1929 1930 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1931 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 1932 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 1933 rv = digest_data(data, &(ctxp->sha2_ctx), 1934 NULL, DO_SHA2 | DO_UPDATE); 1935 break; 1936 1937 default: 1938 return (CRYPTO_MECHANISM_INVALID); 1939 } 1940 1941 return (rv); 1942} 1943 1944static int 1945rsa_verify_final(crypto_ctx_t *ctx, crypto_data_t *signature, 1946 crypto_req_handle_t req) 1947{ 1948 int rv; 1949 digest_rsa_ctx_t *ctxp; 1950 1951 ASSERT(ctx->cc_provider_private != NULL); 1952 ctxp = ctx->cc_provider_private; 1953 1954 rv = rsa_digest_svrfy_common(ctxp, NULL, signature, 1955 crypto_kmflag(req), DO_VERIFY | DO_FINAL); 1956 if (rv != CRYPTO_BUFFER_TOO_SMALL) 1957 (void) rsa_free_context(ctx); 1958 1959 return (rv); 1960} 1961 1962 1963/* ARGSUSED */ 1964static int 1965rsa_verify_atomic(crypto_provider_handle_t provider, 1966 crypto_session_id_t session_id, 1967 crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data, 1968 crypto_data_t *signature, crypto_spi_ctx_template_t ctx_template, 1969 crypto_req_handle_t req) 1970{ 1971 int rv; 1972 digest_rsa_ctx_t dctx; 1973 1974 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 1975 return (rv); 1976 1977 if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE || 1978 mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE) 1979 rv = rsa_verify_common(mechanism->cm_type, key, data, 1980 signature, crypto_kmflag(req)); 1981 1982 else { 1983 dctx.mech_type = mechanism->cm_type; 1984 dctx.key = key; 1985 1986 switch (mechanism->cm_type) { 1987 case MD5_RSA_PKCS_MECH_INFO_TYPE: 1988 MD5Init(&(dctx.md5_ctx)); 1989 break; 1990 1991 case SHA1_RSA_PKCS_MECH_INFO_TYPE: 1992 SHA1Init(&(dctx.sha1_ctx)); 1993 break; 1994 1995 case SHA256_RSA_PKCS_MECH_INFO_TYPE: 1996 SHA2Init(SHA256, &(dctx.sha2_ctx)); 1997 break; 1998 1999 case SHA384_RSA_PKCS_MECH_INFO_TYPE: 2000 SHA2Init(SHA384, &(dctx.sha2_ctx)); 2001 break; 2002 2003 case SHA512_RSA_PKCS_MECH_INFO_TYPE: 2004 SHA2Init(SHA512, &(dctx.sha2_ctx)); 2005 break; 2006 } 2007 2008 rv = rsa_digest_svrfy_common(&dctx, data, 2009 signature, crypto_kmflag(req), 2010 DO_VERIFY | DO_UPDATE | DO_FINAL); 2011 } 2012 2013 return (rv); 2014} 2015 2016static int 2017rsa_verify_recover_common(rsa_mech_type_t mech_type, crypto_key_t *key, 2018 crypto_data_t *signature, crypto_data_t *data, int kmflag) 2019{ 2020 int rv = CRYPTO_FAILED; 2021 2022/* EXPORT DELETE START */ 2023 2024 int data_len; 2025 uchar_t *sigptr, *modulus; 2026 ssize_t modulus_len; 2027 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 2028 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES]; 2029 2030 if ((rv = get_key_attr(key, SUN_CKA_MODULUS, &modulus, 2031 &modulus_len)) != CRYPTO_SUCCESS) { 2032 return (rv); 2033 } 2034 2035 if (signature->cd_length != modulus_len) 2036 return (CRYPTO_SIGNATURE_LEN_RANGE); 2037 2038 ASSERT(signature->cd_length <= sizeof (tmp_data)); 2039 if ((rv = get_input_data(signature, &sigptr, tmp_data)) 2040 != CRYPTO_SUCCESS) 2041 return (rv); 2042 2043 rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, kmflag, 1); 2044 if (rv != CRYPTO_SUCCESS) 2045 return (rv); 2046 2047 data_len = modulus_len; 2048 2049 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) { 2050 /* 2051 * Strip off the encoded padding bytes in front of the 2052 * recovered data, then compare the recovered data with 2053 * the original data. 2054 */ 2055 rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len); 2056 if (rv != CRYPTO_SUCCESS) 2057 return (rv); 2058 } 2059 2060 if (data->cd_length < data_len) { 2061 data->cd_length = data_len; 2062 return (CRYPTO_BUFFER_TOO_SMALL); 2063 } 2064 2065 if ((rv = put_output_data(plain_data + modulus_len - data_len, 2066 data, data_len)) != CRYPTO_SUCCESS) 2067 return (rv); 2068 data->cd_length = data_len; 2069 2070/* EXPORT DELETE END */ 2071 2072 return (rv); 2073} 2074 2075/* ARGSUSED */ 2076static int 2077rsa_verify_recover(crypto_ctx_t *ctx, crypto_data_t *signature, 2078 crypto_data_t *data, crypto_req_handle_t req) 2079{ 2080 int rv; 2081 rsa_ctx_t *ctxp; 2082 2083 ASSERT(ctx->cc_provider_private != NULL); 2084 ctxp = ctx->cc_provider_private; 2085 2086 /* See the comments on KM_SLEEP flag in rsa_encrypt() */ 2087 rv = rsa_verify_recover_common(ctxp->mech_type, ctxp->key, 2088 signature, data, KM_SLEEP); 2089 2090 if (rv != CRYPTO_BUFFER_TOO_SMALL) 2091 (void) rsa_free_context(ctx); 2092 2093 return (rv); 2094} 2095 2096/* ARGSUSED */ 2097static int 2098rsa_verify_recover_atomic(crypto_provider_handle_t provider, 2099 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 2100 crypto_key_t *key, crypto_data_t *signature, crypto_data_t *data, 2101 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) 2102{ 2103 int rv; 2104 2105 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS) 2106 return (rv); 2107 2108 return (rsa_verify_recover_common(mechanism->cm_type, key, 2109 signature, data, crypto_kmflag(req))); 2110} 2111