1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
24 */
25
26 /*
27 * RSA provider for the Kernel Cryptographic Framework (KCF)
28 */
29
30 #include <sys/types.h>
31 #include <sys/systm.h>
32 #include <sys/modctl.h>
33 #include <sys/cmn_err.h>
34 #include <sys/ddi.h>
35 #include <sys/crypto/spi.h>
36 #include <sys/sysmacros.h>
37 #include <sys/strsun.h>
38 #include <sys/md5.h>
39 #include <sys/sha1.h>
40 #define _SHA2_IMPL
41 #include <sys/sha2.h>
42 #include <sys/random.h>
43 #include <sys/crypto/impl.h>
44 #include <sha1/sha1_impl.h>
45 #include <sha2/sha2_impl.h>
46 #include <padding/padding.h>
47 #define _RSA_FIPS_POST
48 #include <rsa/rsa_impl.h>
49
50 extern struct mod_ops mod_cryptoops;
51
52 /*
53 * Module linkage information for the kernel.
54 */
55 static struct modlcrypto modlcrypto = {
56 &mod_cryptoops,
57 "RSA Kernel SW Provider"
58 };
59
60 static struct modlinkage modlinkage = {
61 MODREV_1,
62 (void *)&modlcrypto,
63 NULL
64 };
65
66 /*
67 * CSPI information (entry points, provider info, etc.)
68 */
69 typedef enum rsa_mech_type {
70 RSA_PKCS_MECH_INFO_TYPE, /* SUN_CKM_RSA_PKCS */
71 RSA_X_509_MECH_INFO_TYPE, /* SUN_CKM_RSA_X_509 */
72 MD5_RSA_PKCS_MECH_INFO_TYPE, /* SUN_MD5_RSA_PKCS */
73 SHA1_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA1_RSA_PKCS */
74 SHA256_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA256_RSA_PKCS */
75 SHA384_RSA_PKCS_MECH_INFO_TYPE, /* SUN_SHA384_RSA_PKCS */
76 SHA512_RSA_PKCS_MECH_INFO_TYPE /* SUN_SHA512_RSA_PKCS */
77 } rsa_mech_type_t;
78
79 /*
80 * Context for RSA_PKCS and RSA_X_509 mechanisms.
81 */
82 typedef struct rsa_ctx {
83 rsa_mech_type_t mech_type;
84 crypto_key_t *key;
85 size_t keychunk_size;
86 } rsa_ctx_t;
87
88 /*
89 * Context for MD5_RSA_PKCS and SHA*_RSA_PKCS mechanisms.
90 */
91 typedef struct digest_rsa_ctx {
92 rsa_mech_type_t mech_type;
93 crypto_key_t *key;
94 size_t keychunk_size;
95 union {
96 MD5_CTX md5ctx;
97 SHA1_CTX sha1ctx;
98 SHA2_CTX sha2ctx;
99 } dctx_u;
100 } digest_rsa_ctx_t;
101
102 #define md5_ctx dctx_u.md5ctx
103 #define sha1_ctx dctx_u.sha1ctx
104 #define sha2_ctx dctx_u.sha2ctx
105
106 /*
107 * Mechanism info structure passed to KCF during registration.
108 */
109 static crypto_mech_info_t rsa_mech_info_tab[] = {
110 /* RSA_PKCS */
111 {SUN_CKM_RSA_PKCS, RSA_PKCS_MECH_INFO_TYPE,
112 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
113 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
114 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
115 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC |
116 CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC |
117 CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC,
118 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
119
120 /* RSA_X_509 */
121 {SUN_CKM_RSA_X_509, RSA_X_509_MECH_INFO_TYPE,
122 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
123 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
124 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
125 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC |
126 CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC |
127 CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC,
128 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
129
130 /* MD5_RSA_PKCS */
131 {SUN_CKM_MD5_RSA_PKCS, MD5_RSA_PKCS_MECH_INFO_TYPE,
132 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
133 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
134 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
135
136 /* SHA1_RSA_PKCS */
137 {SUN_CKM_SHA1_RSA_PKCS, SHA1_RSA_PKCS_MECH_INFO_TYPE,
138 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
139 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
140 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
141
142 /* SHA256_RSA_PKCS */
143 {SUN_CKM_SHA256_RSA_PKCS, SHA256_RSA_PKCS_MECH_INFO_TYPE,
144 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
145 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
146 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
147
148 /* SHA384_RSA_PKCS */
149 {SUN_CKM_SHA384_RSA_PKCS, SHA384_RSA_PKCS_MECH_INFO_TYPE,
150 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
151 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
152 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
153
154 /* SHA512_RSA_PKCS */
155 {SUN_CKM_SHA512_RSA_PKCS, SHA512_RSA_PKCS_MECH_INFO_TYPE,
156 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
157 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
158 RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}
159
160 };
161
162 #define RSA_VALID_MECH(mech) \
163 (((mech)->cm_type == RSA_PKCS_MECH_INFO_TYPE || \
164 (mech)->cm_type == RSA_X_509_MECH_INFO_TYPE || \
165 (mech)->cm_type == MD5_RSA_PKCS_MECH_INFO_TYPE || \
166 (mech)->cm_type == SHA1_RSA_PKCS_MECH_INFO_TYPE || \
167 (mech)->cm_type == SHA256_RSA_PKCS_MECH_INFO_TYPE || \
168 (mech)->cm_type == SHA384_RSA_PKCS_MECH_INFO_TYPE || \
169 (mech)->cm_type == SHA512_RSA_PKCS_MECH_INFO_TYPE) ? 1 : 0)
170
171 /* operations are in-place if the output buffer is NULL */
172 #define RSA_ARG_INPLACE(input, output) \
173 if ((output) == NULL) \
174 (output) = (input);
175
176 static void rsa_provider_status(crypto_provider_handle_t, uint_t *);
177
178 static crypto_control_ops_t rsa_control_ops = {
179 rsa_provider_status
180 };
181
182 static int rsa_common_init(crypto_ctx_t *, crypto_mechanism_t *,
183 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
184 static int rsaprov_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
185 crypto_req_handle_t);
186 static int rsa_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
187 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
188 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
189 static int rsaprov_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
190 crypto_req_handle_t);
191 static int rsa_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
192 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
193 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
194
195 /*
196 * The RSA mechanisms do not have multiple-part cipher operations.
197 * So, the update and final routines are set to NULL.
198 */
199 static crypto_cipher_ops_t rsa_cipher_ops = {
200 rsa_common_init,
201 rsaprov_encrypt,
202 NULL,
203 NULL,
204 rsa_encrypt_atomic,
205 rsa_common_init,
206 rsaprov_decrypt,
207 NULL,
208 NULL,
209 rsa_decrypt_atomic
210 };
211
212 static int rsa_sign_verify_common_init(crypto_ctx_t *, crypto_mechanism_t *,
213 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
214 static int rsaprov_sign(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
215 crypto_req_handle_t);
216 static int rsa_sign_update(crypto_ctx_t *, crypto_data_t *,
217 crypto_req_handle_t);
218 static int rsa_sign_final(crypto_ctx_t *, crypto_data_t *,
219 crypto_req_handle_t);
220 static int rsa_sign_atomic(crypto_provider_handle_t, crypto_session_id_t,
221 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
222 crypto_spi_ctx_template_t, crypto_req_handle_t);
223
224 /*
225 * We use the same routine for sign_init and sign_recover_init fields
226 * as they do the same thing. Same holds for sign and sign_recover fields,
227 * and sign_atomic and sign_recover_atomic fields.
228 */
229 static crypto_sign_ops_t rsa_sign_ops = {
230 rsa_sign_verify_common_init,
231 rsaprov_sign,
232 rsa_sign_update,
233 rsa_sign_final,
234 rsa_sign_atomic,
235 rsa_sign_verify_common_init,
236 rsaprov_sign,
237 rsa_sign_atomic
238 };
239
240 static int rsaprov_verify(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
241 crypto_req_handle_t);
242 static int rsa_verify_update(crypto_ctx_t *, crypto_data_t *,
243 crypto_req_handle_t);
244 static int rsa_verify_final(crypto_ctx_t *, crypto_data_t *,
245 crypto_req_handle_t);
246 static int rsa_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
247 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
248 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
249 static int rsa_verify_recover(crypto_ctx_t *, crypto_data_t *,
250 crypto_data_t *, crypto_req_handle_t);
251 static int rsa_verify_recover_atomic(crypto_provider_handle_t,
252 crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
253 crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
254 crypto_req_handle_t);
255
256 /*
257 * We use the same routine (rsa_sign_verify_common_init) for verify_init
258 * and verify_recover_init fields as they do the same thing.
259 */
260 static crypto_verify_ops_t rsa_verify_ops = {
261 rsa_sign_verify_common_init,
262 rsaprov_verify,
263 rsa_verify_update,
264 rsa_verify_final,
265 rsa_verify_atomic,
266 rsa_sign_verify_common_init,
267 rsa_verify_recover,
268 rsa_verify_recover_atomic
269 };
270
271 static int rsa_free_context(crypto_ctx_t *);
272
273 static crypto_ctx_ops_t rsa_ctx_ops = {
274 NULL,
275 rsa_free_context
276 };
277
278 static void rsa_POST(int *);
279
280 static crypto_fips140_ops_t rsa_fips140_ops = {
281 rsa_POST
282 };
283
284 static crypto_ops_t rsa_crypto_ops = {
285 &rsa_control_ops,
286 NULL,
287 &rsa_cipher_ops,
288 NULL,
289 &rsa_sign_ops,
290 &rsa_verify_ops,
291 NULL,
292 NULL,
293 NULL,
294 NULL,
295 NULL,
296 NULL,
297 NULL,
298 &rsa_ctx_ops,
299 NULL,
300 NULL,
301 &rsa_fips140_ops
302 };
303
304 static crypto_provider_info_t rsa_prov_info = {
305 CRYPTO_SPI_VERSION_4,
306 "RSA Software Provider",
307 CRYPTO_SW_PROVIDER,
308 {&modlinkage},
309 NULL,
310 &rsa_crypto_ops,
311 sizeof (rsa_mech_info_tab)/sizeof (crypto_mech_info_t),
312 rsa_mech_info_tab
313 };
314
315 static int rsa_encrypt_common(rsa_mech_type_t, crypto_key_t *,
316 crypto_data_t *, crypto_data_t *);
317 static int rsa_decrypt_common(rsa_mech_type_t, crypto_key_t *,
318 crypto_data_t *, crypto_data_t *);
319 static int rsa_sign_common(rsa_mech_type_t, crypto_key_t *,
320 crypto_data_t *, crypto_data_t *);
321 static int rsa_verify_common(rsa_mech_type_t, crypto_key_t *,
322 crypto_data_t *, crypto_data_t *);
323 static int compare_data(crypto_data_t *, uchar_t *);
324
325 /* EXPORT DELETE START */
326
327 static int core_rsa_encrypt(crypto_key_t *, uchar_t *, int, uchar_t *, int);
328 static int core_rsa_decrypt(crypto_key_t *, uchar_t *, int, uchar_t *);
329
330 /* EXPORT DELETE END */
331
332 static crypto_kcf_provider_handle_t rsa_prov_handle = NULL;
333
334 int
_init(void)335 _init(void)
336 {
337 int ret;
338
339 if ((ret = mod_install(&modlinkage)) != 0)
340 return (ret);
341
342 /* Register with KCF. If the registration fails, remove the module. */
343 if (crypto_register_provider(&rsa_prov_info, &rsa_prov_handle)) {
344 (void) mod_remove(&modlinkage);
345 return (EACCES);
346 }
347
348 return (0);
349 }
350
351 int
_fini(void)352 _fini(void)
353 {
354 /* Unregister from KCF if module is registered */
355 if (rsa_prov_handle != NULL) {
356 if (crypto_unregister_provider(rsa_prov_handle))
357 return (EBUSY);
358
359 rsa_prov_handle = NULL;
360 }
361
362 return (mod_remove(&modlinkage));
363 }
364
365 int
_info(struct modinfo * modinfop)366 _info(struct modinfo *modinfop)
367 {
368 return (mod_info(&modlinkage, modinfop));
369 }
370
371 /* ARGSUSED */
372 static void
rsa_provider_status(crypto_provider_handle_t provider,uint_t * status)373 rsa_provider_status(crypto_provider_handle_t provider, uint_t *status)
374 {
375 *status = CRYPTO_PROVIDER_READY;
376 }
377
378 static int
check_mech_and_key(crypto_mechanism_t * mechanism,crypto_key_t * key)379 check_mech_and_key(crypto_mechanism_t *mechanism, crypto_key_t *key)
380 {
381 int rv = CRYPTO_FAILED;
382
383 /* EXPORT DELETE START */
384
385 uchar_t *modulus;
386 ssize_t modulus_len; /* In bytes */
387
388 if (!RSA_VALID_MECH(mechanism))
389 return (CRYPTO_MECHANISM_INVALID);
390
391 /*
392 * We only support RSA keys that are passed as a list of
393 * object attributes.
394 */
395 if (key->ck_format != CRYPTO_KEY_ATTR_LIST) {
396 return (CRYPTO_KEY_TYPE_INCONSISTENT);
397 }
398
399 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
400 &modulus_len)) != CRYPTO_SUCCESS) {
401 return (rv);
402 }
403 if (modulus_len < MIN_RSA_KEYLENGTH_IN_BYTES ||
404 modulus_len > MAX_RSA_KEYLENGTH_IN_BYTES)
405 return (CRYPTO_KEY_SIZE_RANGE);
406
407 /* EXPORT DELETE END */
408
409 return (rv);
410 }
411
412 void
kmemset(uint8_t * buf,char pattern,size_t len)413 kmemset(uint8_t *buf, char pattern, size_t len)
414 {
415 int i = 0;
416
417 while (i < len)
418 buf[i++] = pattern;
419 }
420
421 /*
422 * This function guarantees to return non-zero random numbers.
423 * This is needed as the /dev/urandom kernel interface,
424 * random_get_pseudo_bytes(), may return zeros.
425 */
426 int
knzero_random_generator(uint8_t * ran_out,size_t ran_len)427 knzero_random_generator(uint8_t *ran_out, size_t ran_len)
428 {
429 int rv;
430 size_t ebc = 0; /* count of extra bytes in extrarand */
431 size_t i = 0;
432 uint8_t extrarand[32];
433 size_t extrarand_len;
434
435 if ((rv = random_get_pseudo_bytes_fips140(ran_out, ran_len)) != 0)
436 return (rv);
437
438 /*
439 * Walk through the returned random numbers pointed by ran_out,
440 * and look for any random number which is zero.
441 * If we find zero, call random_get_pseudo_bytes() to generate
442 * another 32 random numbers pool. Replace any zeros in ran_out[]
443 * from the random number in pool.
444 */
445 while (i < ran_len) {
446 if (ran_out[i] != 0) {
447 i++;
448 continue;
449 }
450
451 /*
452 * Note that it is 'while' so we are guaranteed a
453 * non-zero value on exit.
454 */
455 if (ebc == 0) {
456 /* refresh extrarand */
457 extrarand_len = sizeof (extrarand);
458 if ((rv = random_get_pseudo_bytes_fips140(extrarand,
459 extrarand_len)) != 0) {
460 return (rv);
461 }
462
463 ebc = extrarand_len;
464 }
465 /* Replace zero with byte from extrarand. */
466 -- ebc;
467
468 /*
469 * The new random byte zero/non-zero will be checked in
470 * the next pass through the loop.
471 */
472 ran_out[i] = extrarand[ebc];
473 }
474
475 return (CRYPTO_SUCCESS);
476 }
477
478 static int
compare_data(crypto_data_t * data,uchar_t * buf)479 compare_data(crypto_data_t *data, uchar_t *buf)
480 {
481 int len;
482 uchar_t *dptr;
483
484 len = data->cd_length;
485 switch (data->cd_format) {
486 case CRYPTO_DATA_RAW:
487 dptr = (uchar_t *)(data->cd_raw.iov_base +
488 data->cd_offset);
489
490 return (bcmp(dptr, buf, len));
491
492 case CRYPTO_DATA_UIO:
493 return (crypto_uio_data(data, buf, len,
494 COMPARE_TO_DATA, NULL, NULL));
495
496 case CRYPTO_DATA_MBLK:
497 return (crypto_mblk_data(data, buf, len,
498 COMPARE_TO_DATA, NULL, NULL));
499 }
500
501 return (CRYPTO_FAILED);
502 }
503
504 /* ARGSUSED */
505 static int
rsa_common_init(crypto_ctx_t * ctx,crypto_mechanism_t * mechanism,crypto_key_t * key,crypto_spi_ctx_template_t template,crypto_req_handle_t req)506 rsa_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
507 crypto_key_t *key, crypto_spi_ctx_template_t template,
508 crypto_req_handle_t req)
509 {
510 int rv;
511 int kmflag;
512 rsa_ctx_t *ctxp;
513
514 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
515 return (rv);
516
517 /*
518 * Allocate a RSA context.
519 */
520 kmflag = crypto_kmflag(req);
521 if ((ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag)) == NULL)
522 return (CRYPTO_HOST_MEMORY);
523
524 if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size,
525 kmflag)) != CRYPTO_SUCCESS) {
526 kmem_free(ctxp, sizeof (rsa_ctx_t));
527 return (rv);
528 }
529 ctxp->mech_type = mechanism->cm_type;
530
531 ctx->cc_provider_private = ctxp;
532
533 return (CRYPTO_SUCCESS);
534 }
535
536 /* ARGSUSED */
537 static int
rsaprov_encrypt(crypto_ctx_t * ctx,crypto_data_t * plaintext,crypto_data_t * ciphertext,crypto_req_handle_t req)538 rsaprov_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext,
539 crypto_data_t *ciphertext, crypto_req_handle_t req)
540 {
541 int rv;
542 rsa_ctx_t *ctxp;
543
544 ASSERT(ctx->cc_provider_private != NULL);
545 ctxp = ctx->cc_provider_private;
546
547 RSA_ARG_INPLACE(plaintext, ciphertext);
548
549 /*
550 * Note on the KM_SLEEP flag passed to the routine below -
551 * rsaprov_encrypt() is a single-part encryption routine which is
552 * currently usable only by /dev/crypto. Since /dev/crypto calls are
553 * always synchronous, we can safely pass KM_SLEEP here.
554 */
555 rv = rsa_encrypt_common(ctxp->mech_type, ctxp->key, plaintext,
556 ciphertext);
557
558 if (rv != CRYPTO_BUFFER_TOO_SMALL)
559 (void) rsa_free_context(ctx);
560
561 return (rv);
562 }
563
564 /* ARGSUSED */
565 static int
rsa_encrypt_atomic(crypto_provider_handle_t provider,crypto_session_id_t session_id,crypto_mechanism_t * mechanism,crypto_key_t * key,crypto_data_t * plaintext,crypto_data_t * ciphertext,crypto_spi_ctx_template_t template,crypto_req_handle_t req)566 rsa_encrypt_atomic(crypto_provider_handle_t provider,
567 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
568 crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext,
569 crypto_spi_ctx_template_t template, crypto_req_handle_t req)
570 {
571 int rv;
572
573 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
574 return (rv);
575 RSA_ARG_INPLACE(plaintext, ciphertext);
576
577 return (rsa_encrypt_common(mechanism->cm_type, key, plaintext,
578 ciphertext));
579 }
580
581 static int
rsa_free_context(crypto_ctx_t * ctx)582 rsa_free_context(crypto_ctx_t *ctx)
583 {
584 rsa_ctx_t *ctxp = ctx->cc_provider_private;
585
586 if (ctxp != NULL) {
587 bzero(ctxp->key, ctxp->keychunk_size);
588 kmem_free(ctxp->key, ctxp->keychunk_size);
589
590 if (ctxp->mech_type == RSA_PKCS_MECH_INFO_TYPE ||
591 ctxp->mech_type == RSA_X_509_MECH_INFO_TYPE)
592 kmem_free(ctxp, sizeof (rsa_ctx_t));
593 else
594 kmem_free(ctxp, sizeof (digest_rsa_ctx_t));
595
596 ctx->cc_provider_private = NULL;
597 }
598
599 return (CRYPTO_SUCCESS);
600 }
601
602 static int
rsa_encrypt_common(rsa_mech_type_t mech_type,crypto_key_t * key,crypto_data_t * plaintext,crypto_data_t * ciphertext)603 rsa_encrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
604 crypto_data_t *plaintext, crypto_data_t *ciphertext)
605 {
606 int rv = CRYPTO_FAILED;
607
608 /* EXPORT DELETE START */
609
610 int plen;
611 uchar_t *ptptr;
612 uchar_t *modulus;
613 ssize_t modulus_len;
614 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
615 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
616 uchar_t cipher_data[MAX_RSA_KEYLENGTH_IN_BYTES];
617
618 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
619 &modulus_len)) != CRYPTO_SUCCESS) {
620 return (rv);
621 }
622
623 plen = plaintext->cd_length;
624 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
625 if (plen > (modulus_len - MIN_PKCS1_PADLEN))
626 return (CRYPTO_DATA_LEN_RANGE);
627 } else {
628 if (plen > modulus_len)
629 return (CRYPTO_DATA_LEN_RANGE);
630 }
631
632 /*
633 * Output buf len must not be less than RSA modulus size.
634 */
635 if (ciphertext->cd_length < modulus_len) {
636 ciphertext->cd_length = modulus_len;
637 return (CRYPTO_BUFFER_TOO_SMALL);
638 }
639
640 ASSERT(plaintext->cd_length <= sizeof (tmp_data));
641 if ((rv = crypto_get_input_data(plaintext, &ptptr, tmp_data))
642 != CRYPTO_SUCCESS)
643 return (rv);
644
645 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
646 rv = pkcs1_encode(PKCS1_ENCRYPT, ptptr, plen,
647 plain_data, modulus_len);
648
649 if (rv != CRYPTO_SUCCESS)
650 return (rv);
651 } else {
652 bzero(plain_data, modulus_len - plen);
653 bcopy(ptptr, &plain_data[modulus_len - plen], plen);
654 }
655
656 rv = core_rsa_encrypt(key, plain_data, modulus_len, cipher_data, 1);
657 if (rv == CRYPTO_SUCCESS) {
658 /* copy out to ciphertext */
659 if ((rv = crypto_put_output_data(cipher_data,
660 ciphertext, modulus_len)) != CRYPTO_SUCCESS)
661 return (rv);
662
663 ciphertext->cd_length = modulus_len;
664 }
665
666 /* EXPORT DELETE END */
667
668 return (rv);
669 }
670
671 /* EXPORT DELETE START */
672
673 static int
core_rsa_encrypt(crypto_key_t * key,uchar_t * in,int in_len,uchar_t * out,int is_public)674 core_rsa_encrypt(crypto_key_t *key, uchar_t *in,
675 int in_len, uchar_t *out, int is_public)
676 {
677 int rv;
678 uchar_t *expo, *modulus;
679 ssize_t expo_len;
680 ssize_t modulus_len;
681 RSAbytekey k;
682
683 if (is_public) {
684 if ((rv = crypto_get_key_attr(key, SUN_CKA_PUBLIC_EXPONENT,
685 &expo, &expo_len)) != CRYPTO_SUCCESS)
686 return (rv);
687 } else {
688 /*
689 * SUN_CKA_PRIVATE_EXPONENT is a required attribute for a
690 * RSA secret key. See the comments in core_rsa_decrypt
691 * routine which calls this routine with a private key.
692 */
693 if ((rv = crypto_get_key_attr(key, SUN_CKA_PRIVATE_EXPONENT,
694 &expo, &expo_len)) != CRYPTO_SUCCESS)
695 return (rv);
696 }
697
698 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
699 &modulus_len)) != CRYPTO_SUCCESS) {
700 return (rv);
701 }
702
703 k.modulus = modulus;
704 k.modulus_bits = CRYPTO_BYTES2BITS(modulus_len);
705 k.pubexpo = expo;
706 k.pubexpo_bytes = expo_len;
707 k.rfunc = NULL;
708
709 rv = rsa_encrypt(&k, in, in_len, out);
710
711 return (rv);
712 }
713
714 /* EXPORT DELETE END */
715
716 /* ARGSUSED */
717 static int
rsaprov_decrypt(crypto_ctx_t * ctx,crypto_data_t * ciphertext,crypto_data_t * plaintext,crypto_req_handle_t req)718 rsaprov_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
719 crypto_data_t *plaintext, crypto_req_handle_t req)
720 {
721 int rv;
722 rsa_ctx_t *ctxp;
723
724 ASSERT(ctx->cc_provider_private != NULL);
725 ctxp = ctx->cc_provider_private;
726
727 RSA_ARG_INPLACE(ciphertext, plaintext);
728
729 /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
730 rv = rsa_decrypt_common(ctxp->mech_type, ctxp->key,
731 ciphertext, plaintext);
732
733 if (rv != CRYPTO_BUFFER_TOO_SMALL)
734 (void) rsa_free_context(ctx);
735
736 return (rv);
737 }
738
739 /* ARGSUSED */
740 static int
rsa_decrypt_atomic(crypto_provider_handle_t provider,crypto_session_id_t session_id,crypto_mechanism_t * mechanism,crypto_key_t * key,crypto_data_t * ciphertext,crypto_data_t * plaintext,crypto_spi_ctx_template_t template,crypto_req_handle_t req)741 rsa_decrypt_atomic(crypto_provider_handle_t provider,
742 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
743 crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
744 crypto_spi_ctx_template_t template, crypto_req_handle_t req)
745 {
746 int rv;
747
748 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
749 return (rv);
750 RSA_ARG_INPLACE(ciphertext, plaintext);
751
752 return (rsa_decrypt_common(mechanism->cm_type, key, ciphertext,
753 plaintext));
754 }
755
756 static int
rsa_decrypt_common(rsa_mech_type_t mech_type,crypto_key_t * key,crypto_data_t * ciphertext,crypto_data_t * plaintext)757 rsa_decrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
758 crypto_data_t *ciphertext, crypto_data_t *plaintext)
759 {
760 int rv = CRYPTO_FAILED;
761
762 /* EXPORT DELETE START */
763
764 size_t plain_len;
765 uchar_t *ctptr;
766 uchar_t *modulus;
767 ssize_t modulus_len;
768 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
769 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
770
771 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
772 &modulus_len)) != CRYPTO_SUCCESS) {
773 return (rv);
774 }
775
776 /*
777 * Ciphertext length must be equal to RSA modulus size.
778 */
779 if (ciphertext->cd_length != modulus_len)
780 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
781
782 ASSERT(ciphertext->cd_length <= sizeof (tmp_data));
783 if ((rv = crypto_get_input_data(ciphertext, &ctptr, tmp_data))
784 != CRYPTO_SUCCESS)
785 return (rv);
786
787 rv = core_rsa_decrypt(key, ctptr, modulus_len, plain_data);
788 if (rv == CRYPTO_SUCCESS) {
789 plain_len = modulus_len;
790
791 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
792 /* Strip off the PKCS block formatting data. */
793 rv = pkcs1_decode(PKCS1_DECRYPT, plain_data,
794 &plain_len);
795 if (rv != CRYPTO_SUCCESS)
796 return (rv);
797 }
798
799 if (plain_len > plaintext->cd_length) {
800 plaintext->cd_length = plain_len;
801 return (CRYPTO_BUFFER_TOO_SMALL);
802 }
803
804 if ((rv = crypto_put_output_data(
805 plain_data + modulus_len - plain_len,
806 plaintext, plain_len)) != CRYPTO_SUCCESS)
807 return (rv);
808
809 plaintext->cd_length = plain_len;
810 }
811
812 /* EXPORT DELETE END */
813
814 return (rv);
815 }
816
817 /* EXPORT DELETE START */
818
819 static int
core_rsa_decrypt(crypto_key_t * key,uchar_t * in,int in_len,uchar_t * out)820 core_rsa_decrypt(crypto_key_t *key, uchar_t *in, int in_len, uchar_t *out)
821 {
822 int rv;
823 uchar_t *modulus, *prime1, *prime2, *expo1, *expo2, *coef;
824 ssize_t modulus_len;
825 ssize_t prime1_len, prime2_len;
826 ssize_t expo1_len, expo2_len, coef_len;
827 RSAbytekey k;
828
829 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
830 &modulus_len)) != CRYPTO_SUCCESS) {
831 return (rv);
832 }
833
834 /*
835 * The following attributes are not required to be
836 * present in a RSA secret key. If any of them is not present
837 * we call the encrypt routine with a flag indicating use of
838 * private exponent (d). Note that SUN_CKA_PRIVATE_EXPONENT is
839 * a required attribute for a RSA secret key.
840 */
841 if ((crypto_get_key_attr(key, SUN_CKA_PRIME_1, &prime1, &prime1_len)
842 != CRYPTO_SUCCESS) ||
843 (crypto_get_key_attr(key, SUN_CKA_PRIME_2, &prime2, &prime2_len)
844 != CRYPTO_SUCCESS) ||
845 (crypto_get_key_attr(key, SUN_CKA_EXPONENT_1, &expo1, &expo1_len)
846 != CRYPTO_SUCCESS) ||
847 (crypto_get_key_attr(key, SUN_CKA_EXPONENT_2, &expo2, &expo2_len)
848 != CRYPTO_SUCCESS) ||
849 (crypto_get_key_attr(key, SUN_CKA_COEFFICIENT, &coef, &coef_len)
850 != CRYPTO_SUCCESS)) {
851 return (core_rsa_encrypt(key, in, in_len, out, 0));
852 }
853
854 k.modulus = modulus;
855 k.modulus_bits = CRYPTO_BYTES2BITS(modulus_len);
856 k.prime1 = prime1;
857 k.prime1_bytes = prime1_len;
858 k.prime2 = prime2;
859 k.prime2_bytes = prime2_len;
860 k.expo1 = expo1;
861 k.expo1_bytes = expo1_len;
862 k.expo2 = expo2;
863 k.expo2_bytes = expo2_len;
864 k.coeff = coef;
865 k.coeff_bytes = coef_len;
866 k.rfunc = NULL;
867
868 rv = rsa_decrypt(&k, in, in_len, out);
869
870 return (rv);
871 }
872
873 /* EXPORT DELETE END */
874
875 /* ARGSUSED */
876 static int
rsa_sign_verify_common_init(crypto_ctx_t * ctx,crypto_mechanism_t * mechanism,crypto_key_t * key,crypto_spi_ctx_template_t ctx_template,crypto_req_handle_t req)877 rsa_sign_verify_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
878 crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
879 crypto_req_handle_t req)
880 {
881 int rv;
882 int kmflag;
883 rsa_ctx_t *ctxp;
884 digest_rsa_ctx_t *dctxp;
885
886 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
887 return (rv);
888
889 /*
890 * Allocate a RSA context.
891 */
892 kmflag = crypto_kmflag(req);
893 switch (mechanism->cm_type) {
894 case MD5_RSA_PKCS_MECH_INFO_TYPE:
895 case SHA1_RSA_PKCS_MECH_INFO_TYPE:
896 case SHA256_RSA_PKCS_MECH_INFO_TYPE:
897 case SHA384_RSA_PKCS_MECH_INFO_TYPE:
898 case SHA512_RSA_PKCS_MECH_INFO_TYPE:
899 dctxp = kmem_zalloc(sizeof (digest_rsa_ctx_t), kmflag);
900 ctxp = (rsa_ctx_t *)dctxp;
901 break;
902 default:
903 ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag);
904 break;
905 }
906
907 if (ctxp == NULL)
908 return (CRYPTO_HOST_MEMORY);
909
910 ctxp->mech_type = mechanism->cm_type;
911 if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size,
912 kmflag)) != CRYPTO_SUCCESS) {
913 switch (mechanism->cm_type) {
914 case MD5_RSA_PKCS_MECH_INFO_TYPE:
915 case SHA1_RSA_PKCS_MECH_INFO_TYPE:
916 case SHA256_RSA_PKCS_MECH_INFO_TYPE:
917 case SHA384_RSA_PKCS_MECH_INFO_TYPE:
918 case SHA512_RSA_PKCS_MECH_INFO_TYPE:
919 kmem_free(dctxp, sizeof (digest_rsa_ctx_t));
920 break;
921 default:
922 kmem_free(ctxp, sizeof (rsa_ctx_t));
923 break;
924 }
925 return (rv);
926 }
927
928 switch (mechanism->cm_type) {
929 case MD5_RSA_PKCS_MECH_INFO_TYPE:
930 MD5Init(&(dctxp->md5_ctx));
931 break;
932
933 case SHA1_RSA_PKCS_MECH_INFO_TYPE:
934 SHA1Init(&(dctxp->sha1_ctx));
935 break;
936
937 case SHA256_RSA_PKCS_MECH_INFO_TYPE:
938 SHA2Init(SHA256, &(dctxp->sha2_ctx));
939 break;
940
941 case SHA384_RSA_PKCS_MECH_INFO_TYPE:
942 SHA2Init(SHA384, &(dctxp->sha2_ctx));
943 break;
944
945 case SHA512_RSA_PKCS_MECH_INFO_TYPE:
946 SHA2Init(SHA512, &(dctxp->sha2_ctx));
947 break;
948 }
949
950 ctx->cc_provider_private = ctxp;
951
952 return (CRYPTO_SUCCESS);
953 }
954
955 #define SHA1_DIGEST_SIZE 20
956 #define MD5_DIGEST_SIZE 16
957
958 #define INIT_RAW_CRYPTO_DATA(data, base, len, cd_len) \
959 (data).cd_format = CRYPTO_DATA_RAW; \
960 (data).cd_offset = 0; \
961 (data).cd_raw.iov_base = (char *)base; \
962 (data).cd_raw.iov_len = len; \
963 (data).cd_length = cd_len;
964
965 static int
rsa_digest_svrfy_common(digest_rsa_ctx_t * ctxp,crypto_data_t * data,crypto_data_t * signature,uchar_t flag)966 rsa_digest_svrfy_common(digest_rsa_ctx_t *ctxp, crypto_data_t *data,
967 crypto_data_t *signature, uchar_t flag)
968 {
969 int rv = CRYPTO_FAILED;
970
971 /* EXPORT DELETE START */
972
973 uchar_t digest[SHA512_DIGEST_LENGTH];
974 /* The der_data size is enough for MD5 also */
975 uchar_t der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len];
976 ulong_t der_data_len;
977 crypto_data_t der_cd;
978 rsa_mech_type_t mech_type;
979
980 ASSERT(flag & CRYPTO_DO_SIGN || flag & CRYPTO_DO_VERIFY);
981 ASSERT(data != NULL || (flag & CRYPTO_DO_FINAL));
982
983 mech_type = ctxp->mech_type;
984 if (mech_type == RSA_PKCS_MECH_INFO_TYPE ||
985 mech_type == RSA_X_509_MECH_INFO_TYPE)
986 return (CRYPTO_MECHANISM_INVALID);
987
988 /*
989 * We need to do the BUFFER_TOO_SMALL check before digesting
990 * the data. No check is needed for verify as signature is not
991 * an output argument for verify.
992 */
993 if (flag & CRYPTO_DO_SIGN) {
994 uchar_t *modulus;
995 ssize_t modulus_len;
996
997 if ((rv = crypto_get_key_attr(ctxp->key, SUN_CKA_MODULUS,
998 &modulus, &modulus_len)) != CRYPTO_SUCCESS) {
999 return (rv);
1000 }
1001
1002 if (signature->cd_length < modulus_len) {
1003 signature->cd_length = modulus_len;
1004 return (CRYPTO_BUFFER_TOO_SMALL);
1005 }
1006 }
1007
1008 if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE)
1009 rv = crypto_digest_data(data, &(ctxp->md5_ctx),
1010 digest, MD5Update, MD5Final, flag | CRYPTO_DO_MD5);
1011
1012 else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE)
1013 rv = crypto_digest_data(data, &(ctxp->sha1_ctx),
1014 digest, SHA1Update, SHA1Final, flag | CRYPTO_DO_SHA1);
1015
1016 else
1017 rv = crypto_digest_data(data, &(ctxp->sha2_ctx),
1018 digest, SHA2Update, SHA2Final, flag | CRYPTO_DO_SHA2);
1019
1020 if (rv != CRYPTO_SUCCESS)
1021 return (rv);
1022
1023
1024 /*
1025 * Prepare the DER encoding of the DigestInfo value as follows:
1026 * MD5: MD5_DER_PREFIX || H
1027 * SHA-1: SHA1_DER_PREFIX || H
1028 *
1029 * See rsa_impl.c for more details.
1030 */
1031 switch (mech_type) {
1032 case MD5_RSA_PKCS_MECH_INFO_TYPE:
1033 bcopy(MD5_DER_PREFIX, der_data, MD5_DER_PREFIX_Len);
1034 bcopy(digest, der_data + MD5_DER_PREFIX_Len, MD5_DIGEST_SIZE);
1035 der_data_len = MD5_DER_PREFIX_Len + MD5_DIGEST_SIZE;
1036 break;
1037
1038 case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1039 bcopy(SHA1_DER_PREFIX, der_data, SHA1_DER_PREFIX_Len);
1040 bcopy(digest, der_data + SHA1_DER_PREFIX_Len,
1041 SHA1_DIGEST_SIZE);
1042 der_data_len = SHA1_DER_PREFIX_Len + SHA1_DIGEST_SIZE;
1043 break;
1044
1045 case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1046 bcopy(SHA256_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1047 bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1048 SHA256_DIGEST_LENGTH);
1049 der_data_len = SHA2_DER_PREFIX_Len + SHA256_DIGEST_LENGTH;
1050 break;
1051
1052 case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1053 bcopy(SHA384_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1054 bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1055 SHA384_DIGEST_LENGTH);
1056 der_data_len = SHA2_DER_PREFIX_Len + SHA384_DIGEST_LENGTH;
1057 break;
1058
1059 case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1060 bcopy(SHA512_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1061 bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1062 SHA512_DIGEST_LENGTH);
1063 der_data_len = SHA2_DER_PREFIX_Len + SHA512_DIGEST_LENGTH;
1064 break;
1065 }
1066
1067 INIT_RAW_CRYPTO_DATA(der_cd, der_data, der_data_len, der_data_len);
1068 /*
1069 * Now, we are ready to sign or verify the DER_ENCODED data.
1070 */
1071 if (flag & CRYPTO_DO_SIGN)
1072 rv = rsa_sign_common(mech_type, ctxp->key, &der_cd,
1073 signature);
1074 else
1075 rv = rsa_verify_common(mech_type, ctxp->key, &der_cd,
1076 signature);
1077
1078 /* EXPORT DELETE END */
1079
1080 return (rv);
1081 }
1082
1083 static int
rsa_sign_common(rsa_mech_type_t mech_type,crypto_key_t * key,crypto_data_t * data,crypto_data_t * signature)1084 rsa_sign_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1085 crypto_data_t *data, crypto_data_t *signature)
1086 {
1087 int rv = CRYPTO_FAILED;
1088
1089 /* EXPORT DELETE START */
1090
1091 int dlen;
1092 uchar_t *dataptr, *modulus;
1093 ssize_t modulus_len;
1094 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1095 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1096 uchar_t signed_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1097
1098 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1099 &modulus_len)) != CRYPTO_SUCCESS) {
1100 return (rv);
1101 }
1102
1103 dlen = data->cd_length;
1104 switch (mech_type) {
1105 case RSA_PKCS_MECH_INFO_TYPE:
1106 if (dlen > (modulus_len - MIN_PKCS1_PADLEN))
1107 return (CRYPTO_DATA_LEN_RANGE);
1108 break;
1109 case RSA_X_509_MECH_INFO_TYPE:
1110 if (dlen > modulus_len)
1111 return (CRYPTO_DATA_LEN_RANGE);
1112 break;
1113 }
1114
1115 if (signature->cd_length < modulus_len) {
1116 signature->cd_length = modulus_len;
1117 return (CRYPTO_BUFFER_TOO_SMALL);
1118 }
1119
1120 ASSERT(data->cd_length <= sizeof (tmp_data));
1121 if ((rv = crypto_get_input_data(data, &dataptr, tmp_data))
1122 != CRYPTO_SUCCESS)
1123 return (rv);
1124
1125 switch (mech_type) {
1126 case RSA_PKCS_MECH_INFO_TYPE:
1127 case MD5_RSA_PKCS_MECH_INFO_TYPE:
1128 case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1129 case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1130 case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1131 case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1132 /*
1133 * Add PKCS padding to the input data to format a block
1134 * type "01" encryption block.
1135 */
1136 rv = pkcs1_encode(PKCS1_SIGN, dataptr, dlen, plain_data,
1137 modulus_len);
1138 if (rv != CRYPTO_SUCCESS)
1139 return (rv);
1140
1141 break;
1142
1143 case RSA_X_509_MECH_INFO_TYPE:
1144 bzero(plain_data, modulus_len - dlen);
1145 bcopy(dataptr, &plain_data[modulus_len - dlen], dlen);
1146 break;
1147 }
1148
1149 rv = core_rsa_decrypt(key, plain_data, modulus_len, signed_data);
1150 if (rv == CRYPTO_SUCCESS) {
1151 /* copy out to signature */
1152 if ((rv = crypto_put_output_data(signed_data,
1153 signature, modulus_len)) != CRYPTO_SUCCESS)
1154 return (rv);
1155
1156 signature->cd_length = modulus_len;
1157 }
1158
1159 /* EXPORT DELETE END */
1160
1161 return (rv);
1162 }
1163
1164 /* ARGSUSED */
1165 static int
rsaprov_sign(crypto_ctx_t * ctx,crypto_data_t * data,crypto_data_t * signature,crypto_req_handle_t req)1166 rsaprov_sign(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature,
1167 crypto_req_handle_t req)
1168 {
1169 int rv;
1170 rsa_ctx_t *ctxp;
1171
1172 ASSERT(ctx->cc_provider_private != NULL);
1173 ctxp = ctx->cc_provider_private;
1174
1175 /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
1176 switch (ctxp->mech_type) {
1177 case MD5_RSA_PKCS_MECH_INFO_TYPE:
1178 case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1179 case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1180 case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1181 case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1182 rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data,
1183 signature, CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE |
1184 CRYPTO_DO_FINAL);
1185 break;
1186 default:
1187 rv = rsa_sign_common(ctxp->mech_type, ctxp->key, data,
1188 signature);
1189 break;
1190 }
1191
1192 if (rv != CRYPTO_BUFFER_TOO_SMALL)
1193 (void) rsa_free_context(ctx);
1194
1195 return (rv);
1196 }
1197
1198 /* ARGSUSED */
1199 static int
rsa_sign_update(crypto_ctx_t * ctx,crypto_data_t * data,crypto_req_handle_t req)1200 rsa_sign_update(crypto_ctx_t *ctx, crypto_data_t *data, crypto_req_handle_t req)
1201 {
1202 int rv;
1203 digest_rsa_ctx_t *ctxp;
1204 rsa_mech_type_t mech_type;
1205
1206 ASSERT(ctx->cc_provider_private != NULL);
1207 ctxp = ctx->cc_provider_private;
1208 mech_type = ctxp->mech_type;
1209
1210 if (mech_type == RSA_PKCS_MECH_INFO_TYPE ||
1211 mech_type == RSA_X_509_MECH_INFO_TYPE)
1212 return (CRYPTO_MECHANISM_INVALID);
1213
1214 if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE)
1215 rv = crypto_digest_data(data, &(ctxp->md5_ctx),
1216 NULL, MD5Update, MD5Final,
1217 CRYPTO_DO_MD5 | CRYPTO_DO_UPDATE);
1218
1219 else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE)
1220 rv = crypto_digest_data(data, &(ctxp->sha1_ctx),
1221 NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 |
1222 CRYPTO_DO_UPDATE);
1223
1224 else
1225 rv = crypto_digest_data(data, &(ctxp->sha2_ctx),
1226 NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 |
1227 CRYPTO_DO_UPDATE);
1228
1229 return (rv);
1230 }
1231
1232 /* ARGSUSED2 */
1233 static int
rsa_sign_final(crypto_ctx_t * ctx,crypto_data_t * signature,crypto_req_handle_t req)1234 rsa_sign_final(crypto_ctx_t *ctx, crypto_data_t *signature,
1235 crypto_req_handle_t req)
1236 {
1237 int rv;
1238 digest_rsa_ctx_t *ctxp;
1239
1240 ASSERT(ctx->cc_provider_private != NULL);
1241 ctxp = ctx->cc_provider_private;
1242
1243 rv = rsa_digest_svrfy_common(ctxp, NULL, signature,
1244 CRYPTO_DO_SIGN | CRYPTO_DO_FINAL);
1245 if (rv != CRYPTO_BUFFER_TOO_SMALL)
1246 (void) rsa_free_context(ctx);
1247
1248 return (rv);
1249 }
1250
1251 /* ARGSUSED */
1252 static int
rsa_sign_atomic(crypto_provider_handle_t provider,crypto_session_id_t session_id,crypto_mechanism_t * mechanism,crypto_key_t * key,crypto_data_t * data,crypto_data_t * signature,crypto_spi_ctx_template_t ctx_template,crypto_req_handle_t req)1253 rsa_sign_atomic(crypto_provider_handle_t provider,
1254 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1255 crypto_key_t *key, crypto_data_t *data, crypto_data_t *signature,
1256 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1257 {
1258 int rv;
1259 digest_rsa_ctx_t dctx;
1260
1261 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1262 return (rv);
1263
1264 if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE ||
1265 mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE)
1266 rv = rsa_sign_common(mechanism->cm_type, key, data,
1267 signature);
1268
1269 else {
1270 dctx.mech_type = mechanism->cm_type;
1271 dctx.key = key;
1272 switch (mechanism->cm_type) {
1273 case MD5_RSA_PKCS_MECH_INFO_TYPE:
1274 MD5Init(&(dctx.md5_ctx));
1275 break;
1276
1277 case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1278 SHA1Init(&(dctx.sha1_ctx));
1279 break;
1280
1281 case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1282 SHA2Init(SHA256, &(dctx.sha2_ctx));
1283 break;
1284
1285 case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1286 SHA2Init(SHA384, &(dctx.sha2_ctx));
1287 break;
1288
1289 case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1290 SHA2Init(SHA512, &(dctx.sha2_ctx));
1291 break;
1292 }
1293
1294 rv = rsa_digest_svrfy_common(&dctx, data, signature,
1295 CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL);
1296 }
1297
1298 return (rv);
1299 }
1300
1301 static int
rsa_verify_common(rsa_mech_type_t mech_type,crypto_key_t * key,crypto_data_t * data,crypto_data_t * signature)1302 rsa_verify_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1303 crypto_data_t *data, crypto_data_t *signature)
1304 {
1305 int rv = CRYPTO_FAILED;
1306
1307 /* EXPORT DELETE START */
1308
1309 uchar_t *sigptr, *modulus;
1310 ssize_t modulus_len;
1311 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1312 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1313
1314 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1315 &modulus_len)) != CRYPTO_SUCCESS) {
1316 return (rv);
1317 }
1318
1319 if (signature->cd_length != modulus_len)
1320 return (CRYPTO_SIGNATURE_LEN_RANGE);
1321
1322 ASSERT(signature->cd_length <= sizeof (tmp_data));
1323 if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data))
1324 != CRYPTO_SUCCESS)
1325 return (rv);
1326
1327 rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, 1);
1328 if (rv != CRYPTO_SUCCESS)
1329 return (rv);
1330
1331 if (mech_type == RSA_X_509_MECH_INFO_TYPE) {
1332 if (compare_data(data, (plain_data + modulus_len
1333 - data->cd_length)) != 0)
1334 rv = CRYPTO_SIGNATURE_INVALID;
1335
1336 } else {
1337 size_t data_len = modulus_len;
1338
1339 /*
1340 * Strip off the encoded padding bytes in front of the
1341 * recovered data, then compare the recovered data with
1342 * the original data.
1343 */
1344 rv = pkcs1_decode(PKCS1_VERIFY, plain_data, &data_len);
1345 if (rv != CRYPTO_SUCCESS)
1346 return (rv);
1347
1348 if (data_len != data->cd_length)
1349 return (CRYPTO_SIGNATURE_LEN_RANGE);
1350
1351 if (compare_data(data, (plain_data + modulus_len
1352 - data_len)) != 0)
1353 rv = CRYPTO_SIGNATURE_INVALID;
1354 }
1355
1356 /* EXPORT DELETE END */
1357
1358 return (rv);
1359 }
1360
1361 /* ARGSUSED */
1362 static int
rsaprov_verify(crypto_ctx_t * ctx,crypto_data_t * data,crypto_data_t * signature,crypto_req_handle_t req)1363 rsaprov_verify(crypto_ctx_t *ctx, crypto_data_t *data,
1364 crypto_data_t *signature, crypto_req_handle_t req)
1365 {
1366 int rv;
1367 rsa_ctx_t *ctxp;
1368
1369 ASSERT(ctx->cc_provider_private != NULL);
1370 ctxp = ctx->cc_provider_private;
1371
1372 /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
1373 switch (ctxp->mech_type) {
1374 case MD5_RSA_PKCS_MECH_INFO_TYPE:
1375 case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1376 case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1377 case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1378 case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1379 rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data,
1380 signature, CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE |
1381 CRYPTO_DO_FINAL);
1382 break;
1383 default:
1384 rv = rsa_verify_common(ctxp->mech_type, ctxp->key, data,
1385 signature);
1386 break;
1387 }
1388
1389 if (rv != CRYPTO_BUFFER_TOO_SMALL)
1390 (void) rsa_free_context(ctx);
1391
1392 return (rv);
1393 }
1394
1395 /* ARGSUSED */
1396 static int
rsa_verify_update(crypto_ctx_t * ctx,crypto_data_t * data,crypto_req_handle_t req)1397 rsa_verify_update(crypto_ctx_t *ctx, crypto_data_t *data,
1398 crypto_req_handle_t req)
1399 {
1400 int rv;
1401 digest_rsa_ctx_t *ctxp;
1402
1403 ASSERT(ctx->cc_provider_private != NULL);
1404 ctxp = ctx->cc_provider_private;
1405
1406 switch (ctxp->mech_type) {
1407
1408 case MD5_RSA_PKCS_MECH_INFO_TYPE:
1409 rv = crypto_digest_data(data, &(ctxp->md5_ctx),
1410 NULL, MD5Update, MD5Final, CRYPTO_DO_MD5 |
1411 CRYPTO_DO_UPDATE);
1412 break;
1413
1414 case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1415 rv = crypto_digest_data(data, &(ctxp->sha1_ctx),
1416 NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 |
1417 CRYPTO_DO_UPDATE);
1418 break;
1419
1420 case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1421 case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1422 case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1423 rv = crypto_digest_data(data, &(ctxp->sha2_ctx),
1424 NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 |
1425 CRYPTO_DO_UPDATE);
1426 break;
1427
1428 default:
1429 return (CRYPTO_MECHANISM_INVALID);
1430 }
1431
1432 return (rv);
1433 }
1434
1435 /* ARGSUSED2 */
1436 static int
rsa_verify_final(crypto_ctx_t * ctx,crypto_data_t * signature,crypto_req_handle_t req)1437 rsa_verify_final(crypto_ctx_t *ctx, crypto_data_t *signature,
1438 crypto_req_handle_t req)
1439 {
1440 int rv;
1441 digest_rsa_ctx_t *ctxp;
1442
1443 ASSERT(ctx->cc_provider_private != NULL);
1444 ctxp = ctx->cc_provider_private;
1445
1446 rv = rsa_digest_svrfy_common(ctxp, NULL, signature,
1447 CRYPTO_DO_VERIFY | CRYPTO_DO_FINAL);
1448 if (rv != CRYPTO_BUFFER_TOO_SMALL)
1449 (void) rsa_free_context(ctx);
1450
1451 return (rv);
1452 }
1453
1454
1455 /* ARGSUSED */
1456 static int
rsa_verify_atomic(crypto_provider_handle_t provider,crypto_session_id_t session_id,crypto_mechanism_t * mechanism,crypto_key_t * key,crypto_data_t * data,crypto_data_t * signature,crypto_spi_ctx_template_t ctx_template,crypto_req_handle_t req)1457 rsa_verify_atomic(crypto_provider_handle_t provider,
1458 crypto_session_id_t session_id,
1459 crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data,
1460 crypto_data_t *signature, crypto_spi_ctx_template_t ctx_template,
1461 crypto_req_handle_t req)
1462 {
1463 int rv;
1464 digest_rsa_ctx_t dctx;
1465
1466 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1467 return (rv);
1468
1469 if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE ||
1470 mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE)
1471 rv = rsa_verify_common(mechanism->cm_type, key, data,
1472 signature);
1473
1474 else {
1475 dctx.mech_type = mechanism->cm_type;
1476 dctx.key = key;
1477
1478 switch (mechanism->cm_type) {
1479 case MD5_RSA_PKCS_MECH_INFO_TYPE:
1480 MD5Init(&(dctx.md5_ctx));
1481 break;
1482
1483 case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1484 SHA1Init(&(dctx.sha1_ctx));
1485 break;
1486
1487 case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1488 SHA2Init(SHA256, &(dctx.sha2_ctx));
1489 break;
1490
1491 case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1492 SHA2Init(SHA384, &(dctx.sha2_ctx));
1493 break;
1494
1495 case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1496 SHA2Init(SHA512, &(dctx.sha2_ctx));
1497 break;
1498 }
1499
1500 rv = rsa_digest_svrfy_common(&dctx, data, signature,
1501 CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL);
1502 }
1503
1504 return (rv);
1505 }
1506
1507 static int
rsa_verify_recover_common(rsa_mech_type_t mech_type,crypto_key_t * key,crypto_data_t * signature,crypto_data_t * data)1508 rsa_verify_recover_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1509 crypto_data_t *signature, crypto_data_t *data)
1510 {
1511 int rv = CRYPTO_FAILED;
1512
1513 /* EXPORT DELETE START */
1514
1515 size_t data_len;
1516 uchar_t *sigptr, *modulus;
1517 ssize_t modulus_len;
1518 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1519 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1520
1521 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1522 &modulus_len)) != CRYPTO_SUCCESS) {
1523 return (rv);
1524 }
1525
1526 if (signature->cd_length != modulus_len)
1527 return (CRYPTO_SIGNATURE_LEN_RANGE);
1528
1529 ASSERT(signature->cd_length <= sizeof (tmp_data));
1530 if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data))
1531 != CRYPTO_SUCCESS)
1532 return (rv);
1533
1534 rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, 1);
1535 if (rv != CRYPTO_SUCCESS)
1536 return (rv);
1537
1538 data_len = modulus_len;
1539
1540 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
1541 /*
1542 * Strip off the encoded padding bytes in front of the
1543 * recovered data, then compare the recovered data with
1544 * the original data.
1545 */
1546 rv = pkcs1_decode(PKCS1_VERIFY, plain_data, &data_len);
1547 if (rv != CRYPTO_SUCCESS)
1548 return (rv);
1549 }
1550
1551 if (data->cd_length < data_len) {
1552 data->cd_length = data_len;
1553 return (CRYPTO_BUFFER_TOO_SMALL);
1554 }
1555
1556 if ((rv = crypto_put_output_data(plain_data + modulus_len - data_len,
1557 data, data_len)) != CRYPTO_SUCCESS)
1558 return (rv);
1559 data->cd_length = data_len;
1560
1561 /* EXPORT DELETE END */
1562
1563 return (rv);
1564 }
1565
1566 /* ARGSUSED */
1567 static int
rsa_verify_recover(crypto_ctx_t * ctx,crypto_data_t * signature,crypto_data_t * data,crypto_req_handle_t req)1568 rsa_verify_recover(crypto_ctx_t *ctx, crypto_data_t *signature,
1569 crypto_data_t *data, crypto_req_handle_t req)
1570 {
1571 int rv;
1572 rsa_ctx_t *ctxp;
1573
1574 ASSERT(ctx->cc_provider_private != NULL);
1575 ctxp = ctx->cc_provider_private;
1576
1577 /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
1578 rv = rsa_verify_recover_common(ctxp->mech_type, ctxp->key,
1579 signature, data);
1580
1581 if (rv != CRYPTO_BUFFER_TOO_SMALL)
1582 (void) rsa_free_context(ctx);
1583
1584 return (rv);
1585 }
1586
1587 /* ARGSUSED */
1588 static int
rsa_verify_recover_atomic(crypto_provider_handle_t provider,crypto_session_id_t session_id,crypto_mechanism_t * mechanism,crypto_key_t * key,crypto_data_t * signature,crypto_data_t * data,crypto_spi_ctx_template_t ctx_template,crypto_req_handle_t req)1589 rsa_verify_recover_atomic(crypto_provider_handle_t provider,
1590 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1591 crypto_key_t *key, crypto_data_t *signature, crypto_data_t *data,
1592 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1593 {
1594 int rv;
1595
1596 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1597 return (rv);
1598
1599 return (rsa_verify_recover_common(mechanism->cm_type, key,
1600 signature, data));
1601 }
1602
1603 /*
1604 * RSA Power-On Self-Test
1605 */
1606 void
rsa_POST(int * rc)1607 rsa_POST(int *rc)
1608 {
1609
1610 *rc = fips_rsa_post();
1611
1612 }
1613