Print this page
3882 remove xmod & friends


 298         CRYPTO_SPI_VERSION_4,
 299         "RSA Software Provider",
 300         CRYPTO_SW_PROVIDER,
 301         {&modlinkage},
 302         NULL,
 303         &rsa_crypto_ops,
 304         sizeof (rsa_mech_info_tab)/sizeof (crypto_mech_info_t),
 305         rsa_mech_info_tab
 306 };
 307 
 308 static int rsa_encrypt_common(rsa_mech_type_t, crypto_key_t *,
 309     crypto_data_t *, crypto_data_t *);
 310 static int rsa_decrypt_common(rsa_mech_type_t, crypto_key_t *,
 311     crypto_data_t *, crypto_data_t *);
 312 static int rsa_sign_common(rsa_mech_type_t, crypto_key_t *,
 313     crypto_data_t *, crypto_data_t *);
 314 static int rsa_verify_common(rsa_mech_type_t, crypto_key_t *,
 315     crypto_data_t *, crypto_data_t *);
 316 static int compare_data(crypto_data_t *, uchar_t *);
 317 
 318 /* EXPORT DELETE START */
 319 
 320 static int core_rsa_encrypt(crypto_key_t *, uchar_t *, int, uchar_t *, int);
 321 static int core_rsa_decrypt(crypto_key_t *, uchar_t *, int, uchar_t *);
 322 
 323 /* EXPORT DELETE END */
 324 
 325 static crypto_kcf_provider_handle_t rsa_prov_handle = NULL;
 326 
 327 int
 328 _init(void)
 329 {
 330         int ret;
 331 
 332         if ((ret = mod_install(&modlinkage)) != 0)
 333                 return (ret);
 334 
 335         /* Register with KCF.  If the registration fails, remove the module. */
 336         if (crypto_register_provider(&rsa_prov_info, &rsa_prov_handle)) {
 337                 (void) mod_remove(&modlinkage);
 338                 return (EACCES);
 339         }
 340 
 341         return (0);
 342 }
 343 
 344 int


 356 }
 357 
 358 int
 359 _info(struct modinfo *modinfop)
 360 {
 361         return (mod_info(&modlinkage, modinfop));
 362 }
 363 
 364 /* ARGSUSED */
 365 static void
 366 rsa_provider_status(crypto_provider_handle_t provider, uint_t *status)
 367 {
 368         *status = CRYPTO_PROVIDER_READY;
 369 }
 370 
 371 static int
 372 check_mech_and_key(crypto_mechanism_t *mechanism, crypto_key_t *key)
 373 {
 374         int rv = CRYPTO_FAILED;
 375 
 376 /* EXPORT DELETE START */
 377 
 378         uchar_t *modulus;
 379         ssize_t modulus_len; /* In bytes */
 380 
 381         if (!RSA_VALID_MECH(mechanism))
 382                 return (CRYPTO_MECHANISM_INVALID);
 383 
 384         /*
 385          * We only support RSA keys that are passed as a list of
 386          * object attributes.
 387          */
 388         if (key->ck_format != CRYPTO_KEY_ATTR_LIST) {
 389                 return (CRYPTO_KEY_TYPE_INCONSISTENT);
 390         }
 391 
 392         if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
 393             &modulus_len)) != CRYPTO_SUCCESS) {
 394                 return (rv);
 395         }
 396         if (modulus_len < MIN_RSA_KEYLENGTH_IN_BYTES ||
 397             modulus_len > MAX_RSA_KEYLENGTH_IN_BYTES)
 398                 return (CRYPTO_KEY_SIZE_RANGE);
 399 
 400 /* EXPORT DELETE END */
 401 
 402         return (rv);
 403 }
 404 
 405 void
 406 kmemset(uint8_t *buf, char pattern, size_t len)
 407 {
 408         int i = 0;
 409 
 410         while (i < len)
 411                 buf[i++] = pattern;
 412 }
 413 
 414 /*
 415  * This function guarantees to return non-zero random numbers.
 416  * This is needed as the /dev/urandom kernel interface,
 417  * random_get_pseudo_bytes(), may return zeros.
 418  */
 419 int
 420 knzero_random_generator(uint8_t *ran_out, size_t ran_len)
 421 {


 581                 kmem_free(ctxp->key, ctxp->keychunk_size);
 582 
 583                 if (ctxp->mech_type == RSA_PKCS_MECH_INFO_TYPE ||
 584                     ctxp->mech_type == RSA_X_509_MECH_INFO_TYPE)
 585                         kmem_free(ctxp, sizeof (rsa_ctx_t));
 586                 else
 587                         kmem_free(ctxp, sizeof (digest_rsa_ctx_t));
 588 
 589                 ctx->cc_provider_private = NULL;
 590         }
 591 
 592         return (CRYPTO_SUCCESS);
 593 }
 594 
 595 static int
 596 rsa_encrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
 597     crypto_data_t *plaintext, crypto_data_t *ciphertext)
 598 {
 599         int rv = CRYPTO_FAILED;
 600 
 601 /* EXPORT DELETE START */
 602 
 603         int plen;
 604         uchar_t *ptptr;
 605         uchar_t *modulus;
 606         ssize_t modulus_len;
 607         uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
 608         uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
 609         uchar_t cipher_data[MAX_RSA_KEYLENGTH_IN_BYTES];
 610 
 611         if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
 612             &modulus_len)) != CRYPTO_SUCCESS) {
 613                 return (rv);
 614         }
 615 
 616         plen = plaintext->cd_length;
 617         if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
 618                 if (plen > (modulus_len - MIN_PKCS1_PADLEN))
 619                         return (CRYPTO_DATA_LEN_RANGE);
 620         } else {
 621                 if (plen > modulus_len)
 622                         return (CRYPTO_DATA_LEN_RANGE);


 639                 rv = pkcs1_encode(PKCS1_ENCRYPT, ptptr, plen,
 640                     plain_data, modulus_len);
 641 
 642                 if (rv != CRYPTO_SUCCESS)
 643                         return (rv);
 644         } else {
 645                 bzero(plain_data, modulus_len - plen);
 646                 bcopy(ptptr, &plain_data[modulus_len - plen], plen);
 647         }
 648 
 649         rv = core_rsa_encrypt(key, plain_data, modulus_len, cipher_data, 1);
 650         if (rv == CRYPTO_SUCCESS) {
 651                 /* copy out to ciphertext */
 652                 if ((rv = crypto_put_output_data(cipher_data,
 653                     ciphertext, modulus_len)) != CRYPTO_SUCCESS)
 654                         return (rv);
 655 
 656                 ciphertext->cd_length = modulus_len;
 657         }
 658 
 659 /* EXPORT DELETE END */
 660 
 661         return (rv);
 662 }
 663 
 664 /* EXPORT DELETE START */
 665 
 666 static int
 667 core_rsa_encrypt(crypto_key_t *key, uchar_t *in,
 668     int in_len, uchar_t *out, int is_public)
 669 {
 670         int rv;
 671         uchar_t *expo, *modulus;
 672         ssize_t expo_len;
 673         ssize_t modulus_len;
 674         RSAbytekey k;
 675 
 676         if (is_public) {
 677                 if ((rv = crypto_get_key_attr(key, SUN_CKA_PUBLIC_EXPONENT,
 678                     &expo, &expo_len)) != CRYPTO_SUCCESS)
 679                         return (rv);
 680         } else {
 681                 /*
 682                  * SUN_CKA_PRIVATE_EXPONENT is a required attribute for a
 683                  * RSA secret key. See the comments in core_rsa_decrypt
 684                  * routine which calls this routine with a private key.
 685                  */


 687                     &expo, &expo_len)) != CRYPTO_SUCCESS)
 688                         return (rv);
 689         }
 690 
 691         if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
 692             &modulus_len)) != CRYPTO_SUCCESS) {
 693                 return (rv);
 694         }
 695 
 696         k.modulus = modulus;
 697         k.modulus_bits = CRYPTO_BYTES2BITS(modulus_len);
 698         k.pubexpo = expo;
 699         k.pubexpo_bytes = expo_len;
 700         k.rfunc = NULL;
 701 
 702         rv = rsa_encrypt(&k, in, in_len, out);
 703 
 704         return (rv);
 705 }
 706 
 707 /* EXPORT DELETE END */
 708 
 709 /* ARGSUSED */
 710 static int
 711 rsaprov_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
 712     crypto_data_t *plaintext, crypto_req_handle_t req)
 713 {
 714         int rv;
 715         rsa_ctx_t *ctxp;
 716 
 717         ASSERT(ctx->cc_provider_private != NULL);
 718         ctxp = ctx->cc_provider_private;
 719 
 720         RSA_ARG_INPLACE(ciphertext, plaintext);
 721 
 722         /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
 723         rv = rsa_decrypt_common(ctxp->mech_type, ctxp->key,
 724             ciphertext, plaintext);
 725 
 726         if (rv != CRYPTO_BUFFER_TOO_SMALL)
 727                 (void) rsa_free_context(ctx);
 728 


 735     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
 736     crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
 737     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
 738 {
 739         int rv;
 740 
 741         if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
 742                 return (rv);
 743         RSA_ARG_INPLACE(ciphertext, plaintext);
 744 
 745         return (rsa_decrypt_common(mechanism->cm_type, key, ciphertext,
 746             plaintext));
 747 }
 748 
 749 static int
 750 rsa_decrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
 751     crypto_data_t *ciphertext, crypto_data_t *plaintext)
 752 {
 753         int rv = CRYPTO_FAILED;
 754 
 755 /* EXPORT DELETE START */
 756 
 757         size_t plain_len;
 758         uchar_t *ctptr;
 759         uchar_t *modulus;
 760         ssize_t modulus_len;
 761         uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
 762         uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
 763 
 764         if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
 765             &modulus_len)) != CRYPTO_SUCCESS) {
 766                 return (rv);
 767         }
 768 
 769         /*
 770          * Ciphertext length must be equal to RSA modulus size.
 771          */
 772         if (ciphertext->cd_length != modulus_len)
 773                 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
 774 
 775         ASSERT(ciphertext->cd_length <= sizeof (tmp_data));
 776         if ((rv = crypto_get_input_data(ciphertext, &ctptr, tmp_data))


 785                         /* Strip off the PKCS block formatting data. */
 786                         rv = pkcs1_decode(PKCS1_DECRYPT, plain_data,
 787                             &plain_len);
 788                         if (rv != CRYPTO_SUCCESS)
 789                                 return (rv);
 790                 }
 791 
 792                 if (plain_len > plaintext->cd_length) {
 793                         plaintext->cd_length = plain_len;
 794                         return (CRYPTO_BUFFER_TOO_SMALL);
 795                 }
 796 
 797                 if ((rv = crypto_put_output_data(
 798                     plain_data + modulus_len - plain_len,
 799                     plaintext, plain_len)) != CRYPTO_SUCCESS)
 800                         return (rv);
 801 
 802                 plaintext->cd_length = plain_len;
 803         }
 804 
 805 /* EXPORT DELETE END */
 806 
 807         return (rv);
 808 }
 809 
 810 /* EXPORT DELETE START */
 811 
 812 static int
 813 core_rsa_decrypt(crypto_key_t *key, uchar_t *in, int in_len, uchar_t *out)
 814 {
 815         int rv;
 816         uchar_t *modulus, *prime1, *prime2, *expo1, *expo2, *coef;
 817         ssize_t modulus_len;
 818         ssize_t prime1_len, prime2_len;
 819         ssize_t expo1_len, expo2_len, coef_len;
 820         RSAbytekey k;
 821 
 822         if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
 823             &modulus_len)) != CRYPTO_SUCCESS) {
 824                 return (rv);
 825         }
 826 
 827         /*
 828          * The following attributes are not required to be
 829          * present in a RSA secret key. If any of them is not present
 830          * we call the encrypt routine with a flag indicating use of
 831          * private exponent (d). Note that SUN_CKA_PRIVATE_EXPONENT is


 846 
 847         k.modulus = modulus;
 848         k.modulus_bits = CRYPTO_BYTES2BITS(modulus_len);
 849         k.prime1 = prime1;
 850         k.prime1_bytes = prime1_len;
 851         k.prime2 = prime2;
 852         k.prime2_bytes = prime2_len;
 853         k.expo1 = expo1;
 854         k.expo1_bytes = expo1_len;
 855         k.expo2 = expo2;
 856         k.expo2_bytes = expo2_len;
 857         k.coeff = coef;
 858         k.coeff_bytes = coef_len;
 859         k.rfunc = NULL;
 860 
 861         rv = rsa_decrypt(&k, in, in_len, out);
 862 
 863         return (rv);
 864 }
 865 
 866 /* EXPORT DELETE END */
 867 
 868 /* ARGSUSED */
 869 static int
 870 rsa_sign_verify_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
 871     crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
 872     crypto_req_handle_t req)
 873 {
 874         int rv;
 875         int kmflag;
 876         rsa_ctx_t *ctxp;
 877         digest_rsa_ctx_t *dctxp;
 878 
 879         if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
 880                 return (rv);
 881 
 882         /*
 883          * Allocate a RSA context.
 884          */
 885         kmflag = crypto_kmflag(req);
 886         switch (mechanism->cm_type) {
 887         case MD5_RSA_PKCS_MECH_INFO_TYPE:


 944 
 945         return (CRYPTO_SUCCESS);
 946 }
 947 
 948 #define SHA1_DIGEST_SIZE 20
 949 #define MD5_DIGEST_SIZE 16
 950 
 951 #define INIT_RAW_CRYPTO_DATA(data, base, len, cd_len)   \
 952         (data).cd_format = CRYPTO_DATA_RAW;             \
 953         (data).cd_offset = 0;                           \
 954         (data).cd_raw.iov_base = (char *)base;          \
 955         (data).cd_raw.iov_len = len;                    \
 956         (data).cd_length = cd_len;
 957 
 958 static int
 959 rsa_digest_svrfy_common(digest_rsa_ctx_t *ctxp, crypto_data_t *data,
 960     crypto_data_t *signature, uchar_t flag)
 961 {
 962         int rv = CRYPTO_FAILED;
 963 
 964 /* EXPORT DELETE START */
 965 
 966         uchar_t digest[SHA512_DIGEST_LENGTH];
 967         /* The der_data size is enough for MD5 also */
 968         uchar_t der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len];
 969         ulong_t der_data_len;
 970         crypto_data_t der_cd;
 971         rsa_mech_type_t mech_type;
 972 
 973         ASSERT(flag & CRYPTO_DO_SIGN || flag & CRYPTO_DO_VERIFY);
 974         ASSERT(data != NULL || (flag & CRYPTO_DO_FINAL));
 975 
 976         mech_type = ctxp->mech_type;
 977         if (mech_type == RSA_PKCS_MECH_INFO_TYPE ||
 978             mech_type == RSA_X_509_MECH_INFO_TYPE)
 979                 return (CRYPTO_MECHANISM_INVALID);
 980 
 981         /*
 982          * We need to do the BUFFER_TOO_SMALL check before digesting
 983          * the data. No check is needed for verify as signature is not
 984          * an output argument for verify.
 985          */


1051 
1052         case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1053                 bcopy(SHA512_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1054                 bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1055                     SHA512_DIGEST_LENGTH);
1056                 der_data_len = SHA2_DER_PREFIX_Len + SHA512_DIGEST_LENGTH;
1057                 break;
1058         }
1059 
1060         INIT_RAW_CRYPTO_DATA(der_cd, der_data, der_data_len, der_data_len);
1061         /*
1062          * Now, we are ready to sign or verify the DER_ENCODED data.
1063          */
1064         if (flag & CRYPTO_DO_SIGN)
1065                 rv = rsa_sign_common(mech_type, ctxp->key, &der_cd,
1066                     signature);
1067         else
1068                 rv = rsa_verify_common(mech_type, ctxp->key, &der_cd,
1069                     signature);
1070 
1071 /* EXPORT DELETE END */
1072 
1073         return (rv);
1074 }
1075 
1076 static int
1077 rsa_sign_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1078     crypto_data_t *data, crypto_data_t *signature)
1079 {
1080         int rv = CRYPTO_FAILED;
1081 
1082 /* EXPORT DELETE START */
1083 
1084         int dlen;
1085         uchar_t *dataptr, *modulus;
1086         ssize_t modulus_len;
1087         uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1088         uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1089         uchar_t signed_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1090 
1091         if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1092             &modulus_len)) != CRYPTO_SUCCESS) {
1093                 return (rv);
1094         }
1095 
1096         dlen = data->cd_length;
1097         switch (mech_type) {
1098         case RSA_PKCS_MECH_INFO_TYPE:
1099                 if (dlen > (modulus_len - MIN_PKCS1_PADLEN))
1100                         return (CRYPTO_DATA_LEN_RANGE);
1101                 break;
1102         case RSA_X_509_MECH_INFO_TYPE:
1103                 if (dlen > modulus_len)


1132                         return (rv);
1133 
1134                 break;
1135 
1136         case RSA_X_509_MECH_INFO_TYPE:
1137                 bzero(plain_data, modulus_len - dlen);
1138                 bcopy(dataptr, &plain_data[modulus_len - dlen], dlen);
1139                 break;
1140         }
1141 
1142         rv = core_rsa_decrypt(key, plain_data, modulus_len, signed_data);
1143         if (rv == CRYPTO_SUCCESS) {
1144                 /* copy out to signature */
1145                 if ((rv = crypto_put_output_data(signed_data,
1146                     signature, modulus_len)) != CRYPTO_SUCCESS)
1147                         return (rv);
1148 
1149                 signature->cd_length = modulus_len;
1150         }
1151 
1152 /* EXPORT DELETE END */
1153 
1154         return (rv);
1155 }
1156 
1157 /* ARGSUSED */
1158 static int
1159 rsaprov_sign(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature,
1160     crypto_req_handle_t req)
1161 {
1162         int rv;
1163         rsa_ctx_t *ctxp;
1164 
1165         ASSERT(ctx->cc_provider_private != NULL);
1166         ctxp = ctx->cc_provider_private;
1167 
1168         /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
1169         switch (ctxp->mech_type) {
1170         case MD5_RSA_PKCS_MECH_INFO_TYPE:
1171         case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1172         case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1173         case SHA384_RSA_PKCS_MECH_INFO_TYPE:


1280                         break;
1281 
1282                 case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1283                         SHA2Init(SHA512, &(dctx.sha2_ctx));
1284                         break;
1285                 }
1286 
1287                 rv = rsa_digest_svrfy_common(&dctx, data, signature,
1288                     CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL);
1289         }
1290 
1291         return (rv);
1292 }
1293 
1294 static int
1295 rsa_verify_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1296     crypto_data_t *data, crypto_data_t *signature)
1297 {
1298         int rv = CRYPTO_FAILED;
1299 
1300 /* EXPORT DELETE START */
1301 
1302         uchar_t *sigptr, *modulus;
1303         ssize_t modulus_len;
1304         uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1305         uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1306 
1307         if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1308             &modulus_len)) != CRYPTO_SUCCESS) {
1309                 return (rv);
1310         }
1311 
1312         if (signature->cd_length != modulus_len)
1313                 return (CRYPTO_SIGNATURE_LEN_RANGE);
1314 
1315         ASSERT(signature->cd_length <= sizeof (tmp_data));
1316         if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data))
1317             != CRYPTO_SUCCESS)
1318                 return (rv);
1319 
1320         rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, 1);
1321         if (rv != CRYPTO_SUCCESS)


1329         } else {
1330                 size_t data_len = modulus_len;
1331 
1332                 /*
1333                  * Strip off the encoded padding bytes in front of the
1334                  * recovered data, then compare the recovered data with
1335                  * the original data.
1336                  */
1337                 rv = pkcs1_decode(PKCS1_VERIFY, plain_data, &data_len);
1338                 if (rv != CRYPTO_SUCCESS)
1339                         return (rv);
1340 
1341                 if (data_len != data->cd_length)
1342                         return (CRYPTO_SIGNATURE_LEN_RANGE);
1343 
1344                 if (compare_data(data, (plain_data + modulus_len
1345                     - data_len)) != 0)
1346                         rv = CRYPTO_SIGNATURE_INVALID;
1347         }
1348 
1349 /* EXPORT DELETE END */
1350 
1351         return (rv);
1352 }
1353 
1354 /* ARGSUSED */
1355 static int
1356 rsaprov_verify(crypto_ctx_t *ctx, crypto_data_t *data,
1357     crypto_data_t *signature, crypto_req_handle_t req)
1358 {
1359         int rv;
1360         rsa_ctx_t *ctxp;
1361 
1362         ASSERT(ctx->cc_provider_private != NULL);
1363         ctxp = ctx->cc_provider_private;
1364 
1365         /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
1366         switch (ctxp->mech_type) {
1367         case MD5_RSA_PKCS_MECH_INFO_TYPE:
1368         case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1369         case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1370         case SHA384_RSA_PKCS_MECH_INFO_TYPE:


1486                         break;
1487 
1488                 case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1489                         SHA2Init(SHA512, &(dctx.sha2_ctx));
1490                         break;
1491                 }
1492 
1493                 rv = rsa_digest_svrfy_common(&dctx, data, signature,
1494                     CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL);
1495         }
1496 
1497         return (rv);
1498 }
1499 
1500 static int
1501 rsa_verify_recover_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1502     crypto_data_t *signature, crypto_data_t *data)
1503 {
1504         int rv = CRYPTO_FAILED;
1505 
1506 /* EXPORT DELETE START */
1507 
1508         size_t data_len;
1509         uchar_t *sigptr, *modulus;
1510         ssize_t modulus_len;
1511         uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1512         uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1513 
1514         if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1515             &modulus_len)) != CRYPTO_SUCCESS) {
1516                 return (rv);
1517         }
1518 
1519         if (signature->cd_length != modulus_len)
1520                 return (CRYPTO_SIGNATURE_LEN_RANGE);
1521 
1522         ASSERT(signature->cd_length <= sizeof (tmp_data));
1523         if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data))
1524             != CRYPTO_SUCCESS)
1525                 return (rv);
1526 
1527         rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, 1);


1534                 /*
1535                  * Strip off the encoded padding bytes in front of the
1536                  * recovered data, then compare the recovered data with
1537                  * the original data.
1538                  */
1539                 rv = pkcs1_decode(PKCS1_VERIFY, plain_data, &data_len);
1540                 if (rv != CRYPTO_SUCCESS)
1541                         return (rv);
1542         }
1543 
1544         if (data->cd_length < data_len) {
1545                 data->cd_length = data_len;
1546                 return (CRYPTO_BUFFER_TOO_SMALL);
1547         }
1548 
1549         if ((rv = crypto_put_output_data(plain_data + modulus_len - data_len,
1550             data, data_len)) != CRYPTO_SUCCESS)
1551                 return (rv);
1552         data->cd_length = data_len;
1553 
1554 /* EXPORT DELETE END */
1555 
1556         return (rv);
1557 }
1558 
1559 /* ARGSUSED */
1560 static int
1561 rsa_verify_recover(crypto_ctx_t *ctx, crypto_data_t *signature,
1562     crypto_data_t *data, crypto_req_handle_t req)
1563 {
1564         int rv;
1565         rsa_ctx_t *ctxp;
1566 
1567         ASSERT(ctx->cc_provider_private != NULL);
1568         ctxp = ctx->cc_provider_private;
1569 
1570         /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
1571         rv = rsa_verify_recover_common(ctxp->mech_type, ctxp->key,
1572             signature, data);
1573 
1574         if (rv != CRYPTO_BUFFER_TOO_SMALL)
1575                 (void) rsa_free_context(ctx);


 298         CRYPTO_SPI_VERSION_4,
 299         "RSA Software Provider",
 300         CRYPTO_SW_PROVIDER,
 301         {&modlinkage},
 302         NULL,
 303         &rsa_crypto_ops,
 304         sizeof (rsa_mech_info_tab)/sizeof (crypto_mech_info_t),
 305         rsa_mech_info_tab
 306 };
 307 
 308 static int rsa_encrypt_common(rsa_mech_type_t, crypto_key_t *,
 309     crypto_data_t *, crypto_data_t *);
 310 static int rsa_decrypt_common(rsa_mech_type_t, crypto_key_t *,
 311     crypto_data_t *, crypto_data_t *);
 312 static int rsa_sign_common(rsa_mech_type_t, crypto_key_t *,
 313     crypto_data_t *, crypto_data_t *);
 314 static int rsa_verify_common(rsa_mech_type_t, crypto_key_t *,
 315     crypto_data_t *, crypto_data_t *);
 316 static int compare_data(crypto_data_t *, uchar_t *);
 317 


 318 static int core_rsa_encrypt(crypto_key_t *, uchar_t *, int, uchar_t *, int);
 319 static int core_rsa_decrypt(crypto_key_t *, uchar_t *, int, uchar_t *);
 320 


 321 static crypto_kcf_provider_handle_t rsa_prov_handle = NULL;
 322 
 323 int
 324 _init(void)
 325 {
 326         int ret;
 327 
 328         if ((ret = mod_install(&modlinkage)) != 0)
 329                 return (ret);
 330 
 331         /* Register with KCF.  If the registration fails, remove the module. */
 332         if (crypto_register_provider(&rsa_prov_info, &rsa_prov_handle)) {
 333                 (void) mod_remove(&modlinkage);
 334                 return (EACCES);
 335         }
 336 
 337         return (0);
 338 }
 339 
 340 int


 352 }
 353 
 354 int
 355 _info(struct modinfo *modinfop)
 356 {
 357         return (mod_info(&modlinkage, modinfop));
 358 }
 359 
 360 /* ARGSUSED */
 361 static void
 362 rsa_provider_status(crypto_provider_handle_t provider, uint_t *status)
 363 {
 364         *status = CRYPTO_PROVIDER_READY;
 365 }
 366 
 367 static int
 368 check_mech_and_key(crypto_mechanism_t *mechanism, crypto_key_t *key)
 369 {
 370         int rv = CRYPTO_FAILED;
 371 


 372         uchar_t *modulus;
 373         ssize_t modulus_len; /* In bytes */
 374 
 375         if (!RSA_VALID_MECH(mechanism))
 376                 return (CRYPTO_MECHANISM_INVALID);
 377 
 378         /*
 379          * We only support RSA keys that are passed as a list of
 380          * object attributes.
 381          */
 382         if (key->ck_format != CRYPTO_KEY_ATTR_LIST) {
 383                 return (CRYPTO_KEY_TYPE_INCONSISTENT);
 384         }
 385 
 386         if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
 387             &modulus_len)) != CRYPTO_SUCCESS) {
 388                 return (rv);
 389         }
 390         if (modulus_len < MIN_RSA_KEYLENGTH_IN_BYTES ||
 391             modulus_len > MAX_RSA_KEYLENGTH_IN_BYTES)
 392                 return (CRYPTO_KEY_SIZE_RANGE);
 393 


 394         return (rv);
 395 }
 396 
 397 void
 398 kmemset(uint8_t *buf, char pattern, size_t len)
 399 {
 400         int i = 0;
 401 
 402         while (i < len)
 403                 buf[i++] = pattern;
 404 }
 405 
 406 /*
 407  * This function guarantees to return non-zero random numbers.
 408  * This is needed as the /dev/urandom kernel interface,
 409  * random_get_pseudo_bytes(), may return zeros.
 410  */
 411 int
 412 knzero_random_generator(uint8_t *ran_out, size_t ran_len)
 413 {


 573                 kmem_free(ctxp->key, ctxp->keychunk_size);
 574 
 575                 if (ctxp->mech_type == RSA_PKCS_MECH_INFO_TYPE ||
 576                     ctxp->mech_type == RSA_X_509_MECH_INFO_TYPE)
 577                         kmem_free(ctxp, sizeof (rsa_ctx_t));
 578                 else
 579                         kmem_free(ctxp, sizeof (digest_rsa_ctx_t));
 580 
 581                 ctx->cc_provider_private = NULL;
 582         }
 583 
 584         return (CRYPTO_SUCCESS);
 585 }
 586 
 587 static int
 588 rsa_encrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
 589     crypto_data_t *plaintext, crypto_data_t *ciphertext)
 590 {
 591         int rv = CRYPTO_FAILED;
 592 


 593         int plen;
 594         uchar_t *ptptr;
 595         uchar_t *modulus;
 596         ssize_t modulus_len;
 597         uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
 598         uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
 599         uchar_t cipher_data[MAX_RSA_KEYLENGTH_IN_BYTES];
 600 
 601         if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
 602             &modulus_len)) != CRYPTO_SUCCESS) {
 603                 return (rv);
 604         }
 605 
 606         plen = plaintext->cd_length;
 607         if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
 608                 if (plen > (modulus_len - MIN_PKCS1_PADLEN))
 609                         return (CRYPTO_DATA_LEN_RANGE);
 610         } else {
 611                 if (plen > modulus_len)
 612                         return (CRYPTO_DATA_LEN_RANGE);


 629                 rv = pkcs1_encode(PKCS1_ENCRYPT, ptptr, plen,
 630                     plain_data, modulus_len);
 631 
 632                 if (rv != CRYPTO_SUCCESS)
 633                         return (rv);
 634         } else {
 635                 bzero(plain_data, modulus_len - plen);
 636                 bcopy(ptptr, &plain_data[modulus_len - plen], plen);
 637         }
 638 
 639         rv = core_rsa_encrypt(key, plain_data, modulus_len, cipher_data, 1);
 640         if (rv == CRYPTO_SUCCESS) {
 641                 /* copy out to ciphertext */
 642                 if ((rv = crypto_put_output_data(cipher_data,
 643                     ciphertext, modulus_len)) != CRYPTO_SUCCESS)
 644                         return (rv);
 645 
 646                 ciphertext->cd_length = modulus_len;
 647         }
 648 


 649         return (rv);
 650 }
 651 


 652 static int
 653 core_rsa_encrypt(crypto_key_t *key, uchar_t *in,
 654     int in_len, uchar_t *out, int is_public)
 655 {
 656         int rv;
 657         uchar_t *expo, *modulus;
 658         ssize_t expo_len;
 659         ssize_t modulus_len;
 660         RSAbytekey k;
 661 
 662         if (is_public) {
 663                 if ((rv = crypto_get_key_attr(key, SUN_CKA_PUBLIC_EXPONENT,
 664                     &expo, &expo_len)) != CRYPTO_SUCCESS)
 665                         return (rv);
 666         } else {
 667                 /*
 668                  * SUN_CKA_PRIVATE_EXPONENT is a required attribute for a
 669                  * RSA secret key. See the comments in core_rsa_decrypt
 670                  * routine which calls this routine with a private key.
 671                  */


 673                     &expo, &expo_len)) != CRYPTO_SUCCESS)
 674                         return (rv);
 675         }
 676 
 677         if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
 678             &modulus_len)) != CRYPTO_SUCCESS) {
 679                 return (rv);
 680         }
 681 
 682         k.modulus = modulus;
 683         k.modulus_bits = CRYPTO_BYTES2BITS(modulus_len);
 684         k.pubexpo = expo;
 685         k.pubexpo_bytes = expo_len;
 686         k.rfunc = NULL;
 687 
 688         rv = rsa_encrypt(&k, in, in_len, out);
 689 
 690         return (rv);
 691 }
 692 


 693 /* ARGSUSED */
 694 static int
 695 rsaprov_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
 696     crypto_data_t *plaintext, crypto_req_handle_t req)
 697 {
 698         int rv;
 699         rsa_ctx_t *ctxp;
 700 
 701         ASSERT(ctx->cc_provider_private != NULL);
 702         ctxp = ctx->cc_provider_private;
 703 
 704         RSA_ARG_INPLACE(ciphertext, plaintext);
 705 
 706         /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
 707         rv = rsa_decrypt_common(ctxp->mech_type, ctxp->key,
 708             ciphertext, plaintext);
 709 
 710         if (rv != CRYPTO_BUFFER_TOO_SMALL)
 711                 (void) rsa_free_context(ctx);
 712 


 719     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
 720     crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
 721     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
 722 {
 723         int rv;
 724 
 725         if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
 726                 return (rv);
 727         RSA_ARG_INPLACE(ciphertext, plaintext);
 728 
 729         return (rsa_decrypt_common(mechanism->cm_type, key, ciphertext,
 730             plaintext));
 731 }
 732 
 733 static int
 734 rsa_decrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
 735     crypto_data_t *ciphertext, crypto_data_t *plaintext)
 736 {
 737         int rv = CRYPTO_FAILED;
 738 


 739         size_t plain_len;
 740         uchar_t *ctptr;
 741         uchar_t *modulus;
 742         ssize_t modulus_len;
 743         uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
 744         uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
 745 
 746         if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
 747             &modulus_len)) != CRYPTO_SUCCESS) {
 748                 return (rv);
 749         }
 750 
 751         /*
 752          * Ciphertext length must be equal to RSA modulus size.
 753          */
 754         if (ciphertext->cd_length != modulus_len)
 755                 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
 756 
 757         ASSERT(ciphertext->cd_length <= sizeof (tmp_data));
 758         if ((rv = crypto_get_input_data(ciphertext, &ctptr, tmp_data))


 767                         /* Strip off the PKCS block formatting data. */
 768                         rv = pkcs1_decode(PKCS1_DECRYPT, plain_data,
 769                             &plain_len);
 770                         if (rv != CRYPTO_SUCCESS)
 771                                 return (rv);
 772                 }
 773 
 774                 if (plain_len > plaintext->cd_length) {
 775                         plaintext->cd_length = plain_len;
 776                         return (CRYPTO_BUFFER_TOO_SMALL);
 777                 }
 778 
 779                 if ((rv = crypto_put_output_data(
 780                     plain_data + modulus_len - plain_len,
 781                     plaintext, plain_len)) != CRYPTO_SUCCESS)
 782                         return (rv);
 783 
 784                 plaintext->cd_length = plain_len;
 785         }
 786 


 787         return (rv);
 788 }
 789 


 790 static int
 791 core_rsa_decrypt(crypto_key_t *key, uchar_t *in, int in_len, uchar_t *out)
 792 {
 793         int rv;
 794         uchar_t *modulus, *prime1, *prime2, *expo1, *expo2, *coef;
 795         ssize_t modulus_len;
 796         ssize_t prime1_len, prime2_len;
 797         ssize_t expo1_len, expo2_len, coef_len;
 798         RSAbytekey k;
 799 
 800         if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
 801             &modulus_len)) != CRYPTO_SUCCESS) {
 802                 return (rv);
 803         }
 804 
 805         /*
 806          * The following attributes are not required to be
 807          * present in a RSA secret key. If any of them is not present
 808          * we call the encrypt routine with a flag indicating use of
 809          * private exponent (d). Note that SUN_CKA_PRIVATE_EXPONENT is


 824 
 825         k.modulus = modulus;
 826         k.modulus_bits = CRYPTO_BYTES2BITS(modulus_len);
 827         k.prime1 = prime1;
 828         k.prime1_bytes = prime1_len;
 829         k.prime2 = prime2;
 830         k.prime2_bytes = prime2_len;
 831         k.expo1 = expo1;
 832         k.expo1_bytes = expo1_len;
 833         k.expo2 = expo2;
 834         k.expo2_bytes = expo2_len;
 835         k.coeff = coef;
 836         k.coeff_bytes = coef_len;
 837         k.rfunc = NULL;
 838 
 839         rv = rsa_decrypt(&k, in, in_len, out);
 840 
 841         return (rv);
 842 }
 843 


 844 /* ARGSUSED */
 845 static int
 846 rsa_sign_verify_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
 847     crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
 848     crypto_req_handle_t req)
 849 {
 850         int rv;
 851         int kmflag;
 852         rsa_ctx_t *ctxp;
 853         digest_rsa_ctx_t *dctxp;
 854 
 855         if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
 856                 return (rv);
 857 
 858         /*
 859          * Allocate a RSA context.
 860          */
 861         kmflag = crypto_kmflag(req);
 862         switch (mechanism->cm_type) {
 863         case MD5_RSA_PKCS_MECH_INFO_TYPE:


 920 
 921         return (CRYPTO_SUCCESS);
 922 }
 923 
 924 #define SHA1_DIGEST_SIZE 20
 925 #define MD5_DIGEST_SIZE 16
 926 
 927 #define INIT_RAW_CRYPTO_DATA(data, base, len, cd_len)   \
 928         (data).cd_format = CRYPTO_DATA_RAW;             \
 929         (data).cd_offset = 0;                           \
 930         (data).cd_raw.iov_base = (char *)base;          \
 931         (data).cd_raw.iov_len = len;                    \
 932         (data).cd_length = cd_len;
 933 
 934 static int
 935 rsa_digest_svrfy_common(digest_rsa_ctx_t *ctxp, crypto_data_t *data,
 936     crypto_data_t *signature, uchar_t flag)
 937 {
 938         int rv = CRYPTO_FAILED;
 939 


 940         uchar_t digest[SHA512_DIGEST_LENGTH];
 941         /* The der_data size is enough for MD5 also */
 942         uchar_t der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len];
 943         ulong_t der_data_len;
 944         crypto_data_t der_cd;
 945         rsa_mech_type_t mech_type;
 946 
 947         ASSERT(flag & CRYPTO_DO_SIGN || flag & CRYPTO_DO_VERIFY);
 948         ASSERT(data != NULL || (flag & CRYPTO_DO_FINAL));
 949 
 950         mech_type = ctxp->mech_type;
 951         if (mech_type == RSA_PKCS_MECH_INFO_TYPE ||
 952             mech_type == RSA_X_509_MECH_INFO_TYPE)
 953                 return (CRYPTO_MECHANISM_INVALID);
 954 
 955         /*
 956          * We need to do the BUFFER_TOO_SMALL check before digesting
 957          * the data. No check is needed for verify as signature is not
 958          * an output argument for verify.
 959          */


1025 
1026         case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1027                 bcopy(SHA512_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1028                 bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1029                     SHA512_DIGEST_LENGTH);
1030                 der_data_len = SHA2_DER_PREFIX_Len + SHA512_DIGEST_LENGTH;
1031                 break;
1032         }
1033 
1034         INIT_RAW_CRYPTO_DATA(der_cd, der_data, der_data_len, der_data_len);
1035         /*
1036          * Now, we are ready to sign or verify the DER_ENCODED data.
1037          */
1038         if (flag & CRYPTO_DO_SIGN)
1039                 rv = rsa_sign_common(mech_type, ctxp->key, &der_cd,
1040                     signature);
1041         else
1042                 rv = rsa_verify_common(mech_type, ctxp->key, &der_cd,
1043                     signature);
1044 


1045         return (rv);
1046 }
1047 
1048 static int
1049 rsa_sign_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1050     crypto_data_t *data, crypto_data_t *signature)
1051 {
1052         int rv = CRYPTO_FAILED;
1053 


1054         int dlen;
1055         uchar_t *dataptr, *modulus;
1056         ssize_t modulus_len;
1057         uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1058         uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1059         uchar_t signed_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1060 
1061         if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1062             &modulus_len)) != CRYPTO_SUCCESS) {
1063                 return (rv);
1064         }
1065 
1066         dlen = data->cd_length;
1067         switch (mech_type) {
1068         case RSA_PKCS_MECH_INFO_TYPE:
1069                 if (dlen > (modulus_len - MIN_PKCS1_PADLEN))
1070                         return (CRYPTO_DATA_LEN_RANGE);
1071                 break;
1072         case RSA_X_509_MECH_INFO_TYPE:
1073                 if (dlen > modulus_len)


1102                         return (rv);
1103 
1104                 break;
1105 
1106         case RSA_X_509_MECH_INFO_TYPE:
1107                 bzero(plain_data, modulus_len - dlen);
1108                 bcopy(dataptr, &plain_data[modulus_len - dlen], dlen);
1109                 break;
1110         }
1111 
1112         rv = core_rsa_decrypt(key, plain_data, modulus_len, signed_data);
1113         if (rv == CRYPTO_SUCCESS) {
1114                 /* copy out to signature */
1115                 if ((rv = crypto_put_output_data(signed_data,
1116                     signature, modulus_len)) != CRYPTO_SUCCESS)
1117                         return (rv);
1118 
1119                 signature->cd_length = modulus_len;
1120         }
1121 


1122         return (rv);
1123 }
1124 
1125 /* ARGSUSED */
1126 static int
1127 rsaprov_sign(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature,
1128     crypto_req_handle_t req)
1129 {
1130         int rv;
1131         rsa_ctx_t *ctxp;
1132 
1133         ASSERT(ctx->cc_provider_private != NULL);
1134         ctxp = ctx->cc_provider_private;
1135 
1136         /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
1137         switch (ctxp->mech_type) {
1138         case MD5_RSA_PKCS_MECH_INFO_TYPE:
1139         case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1140         case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1141         case SHA384_RSA_PKCS_MECH_INFO_TYPE:


1248                         break;
1249 
1250                 case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1251                         SHA2Init(SHA512, &(dctx.sha2_ctx));
1252                         break;
1253                 }
1254 
1255                 rv = rsa_digest_svrfy_common(&dctx, data, signature,
1256                     CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL);
1257         }
1258 
1259         return (rv);
1260 }
1261 
1262 static int
1263 rsa_verify_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1264     crypto_data_t *data, crypto_data_t *signature)
1265 {
1266         int rv = CRYPTO_FAILED;
1267 


1268         uchar_t *sigptr, *modulus;
1269         ssize_t modulus_len;
1270         uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1271         uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1272 
1273         if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1274             &modulus_len)) != CRYPTO_SUCCESS) {
1275                 return (rv);
1276         }
1277 
1278         if (signature->cd_length != modulus_len)
1279                 return (CRYPTO_SIGNATURE_LEN_RANGE);
1280 
1281         ASSERT(signature->cd_length <= sizeof (tmp_data));
1282         if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data))
1283             != CRYPTO_SUCCESS)
1284                 return (rv);
1285 
1286         rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, 1);
1287         if (rv != CRYPTO_SUCCESS)


1295         } else {
1296                 size_t data_len = modulus_len;
1297 
1298                 /*
1299                  * Strip off the encoded padding bytes in front of the
1300                  * recovered data, then compare the recovered data with
1301                  * the original data.
1302                  */
1303                 rv = pkcs1_decode(PKCS1_VERIFY, plain_data, &data_len);
1304                 if (rv != CRYPTO_SUCCESS)
1305                         return (rv);
1306 
1307                 if (data_len != data->cd_length)
1308                         return (CRYPTO_SIGNATURE_LEN_RANGE);
1309 
1310                 if (compare_data(data, (plain_data + modulus_len
1311                     - data_len)) != 0)
1312                         rv = CRYPTO_SIGNATURE_INVALID;
1313         }
1314 


1315         return (rv);
1316 }
1317 
1318 /* ARGSUSED */
1319 static int
1320 rsaprov_verify(crypto_ctx_t *ctx, crypto_data_t *data,
1321     crypto_data_t *signature, crypto_req_handle_t req)
1322 {
1323         int rv;
1324         rsa_ctx_t *ctxp;
1325 
1326         ASSERT(ctx->cc_provider_private != NULL);
1327         ctxp = ctx->cc_provider_private;
1328 
1329         /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
1330         switch (ctxp->mech_type) {
1331         case MD5_RSA_PKCS_MECH_INFO_TYPE:
1332         case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1333         case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1334         case SHA384_RSA_PKCS_MECH_INFO_TYPE:


1450                         break;
1451 
1452                 case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1453                         SHA2Init(SHA512, &(dctx.sha2_ctx));
1454                         break;
1455                 }
1456 
1457                 rv = rsa_digest_svrfy_common(&dctx, data, signature,
1458                     CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL);
1459         }
1460 
1461         return (rv);
1462 }
1463 
1464 static int
1465 rsa_verify_recover_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1466     crypto_data_t *signature, crypto_data_t *data)
1467 {
1468         int rv = CRYPTO_FAILED;
1469 


1470         size_t data_len;
1471         uchar_t *sigptr, *modulus;
1472         ssize_t modulus_len;
1473         uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1474         uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1475 
1476         if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1477             &modulus_len)) != CRYPTO_SUCCESS) {
1478                 return (rv);
1479         }
1480 
1481         if (signature->cd_length != modulus_len)
1482                 return (CRYPTO_SIGNATURE_LEN_RANGE);
1483 
1484         ASSERT(signature->cd_length <= sizeof (tmp_data));
1485         if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data))
1486             != CRYPTO_SUCCESS)
1487                 return (rv);
1488 
1489         rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, 1);


1496                 /*
1497                  * Strip off the encoded padding bytes in front of the
1498                  * recovered data, then compare the recovered data with
1499                  * the original data.
1500                  */
1501                 rv = pkcs1_decode(PKCS1_VERIFY, plain_data, &data_len);
1502                 if (rv != CRYPTO_SUCCESS)
1503                         return (rv);
1504         }
1505 
1506         if (data->cd_length < data_len) {
1507                 data->cd_length = data_len;
1508                 return (CRYPTO_BUFFER_TOO_SMALL);
1509         }
1510 
1511         if ((rv = crypto_put_output_data(plain_data + modulus_len - data_len,
1512             data, data_len)) != CRYPTO_SUCCESS)
1513                 return (rv);
1514         data->cd_length = data_len;
1515 


1516         return (rv);
1517 }
1518 
1519 /* ARGSUSED */
1520 static int
1521 rsa_verify_recover(crypto_ctx_t *ctx, crypto_data_t *signature,
1522     crypto_data_t *data, crypto_req_handle_t req)
1523 {
1524         int rv;
1525         rsa_ctx_t *ctxp;
1526 
1527         ASSERT(ctx->cc_provider_private != NULL);
1528         ctxp = ctx->cc_provider_private;
1529 
1530         /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
1531         rv = rsa_verify_recover_common(ctxp->mech_type, ctxp->key,
1532             signature, data);
1533 
1534         if (rv != CRYPTO_BUFFER_TOO_SMALL)
1535                 (void) rsa_free_context(ctx);