298 CRYPTO_SPI_VERSION_4,
299 "RSA Software Provider",
300 CRYPTO_SW_PROVIDER,
301 {&modlinkage},
302 NULL,
303 &rsa_crypto_ops,
304 sizeof (rsa_mech_info_tab)/sizeof (crypto_mech_info_t),
305 rsa_mech_info_tab
306 };
307
308 static int rsa_encrypt_common(rsa_mech_type_t, crypto_key_t *,
309 crypto_data_t *, crypto_data_t *);
310 static int rsa_decrypt_common(rsa_mech_type_t, crypto_key_t *,
311 crypto_data_t *, crypto_data_t *);
312 static int rsa_sign_common(rsa_mech_type_t, crypto_key_t *,
313 crypto_data_t *, crypto_data_t *);
314 static int rsa_verify_common(rsa_mech_type_t, crypto_key_t *,
315 crypto_data_t *, crypto_data_t *);
316 static int compare_data(crypto_data_t *, uchar_t *);
317
318 /* EXPORT DELETE START */
319
320 static int core_rsa_encrypt(crypto_key_t *, uchar_t *, int, uchar_t *, int);
321 static int core_rsa_decrypt(crypto_key_t *, uchar_t *, int, uchar_t *);
322
323 /* EXPORT DELETE END */
324
325 static crypto_kcf_provider_handle_t rsa_prov_handle = NULL;
326
327 int
328 _init(void)
329 {
330 int ret;
331
332 if ((ret = mod_install(&modlinkage)) != 0)
333 return (ret);
334
335 /* Register with KCF. If the registration fails, remove the module. */
336 if (crypto_register_provider(&rsa_prov_info, &rsa_prov_handle)) {
337 (void) mod_remove(&modlinkage);
338 return (EACCES);
339 }
340
341 return (0);
342 }
343
344 int
356 }
357
358 int
359 _info(struct modinfo *modinfop)
360 {
361 return (mod_info(&modlinkage, modinfop));
362 }
363
364 /* ARGSUSED */
365 static void
366 rsa_provider_status(crypto_provider_handle_t provider, uint_t *status)
367 {
368 *status = CRYPTO_PROVIDER_READY;
369 }
370
371 static int
372 check_mech_and_key(crypto_mechanism_t *mechanism, crypto_key_t *key)
373 {
374 int rv = CRYPTO_FAILED;
375
376 /* EXPORT DELETE START */
377
378 uchar_t *modulus;
379 ssize_t modulus_len; /* In bytes */
380
381 if (!RSA_VALID_MECH(mechanism))
382 return (CRYPTO_MECHANISM_INVALID);
383
384 /*
385 * We only support RSA keys that are passed as a list of
386 * object attributes.
387 */
388 if (key->ck_format != CRYPTO_KEY_ATTR_LIST) {
389 return (CRYPTO_KEY_TYPE_INCONSISTENT);
390 }
391
392 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
393 &modulus_len)) != CRYPTO_SUCCESS) {
394 return (rv);
395 }
396 if (modulus_len < MIN_RSA_KEYLENGTH_IN_BYTES ||
397 modulus_len > MAX_RSA_KEYLENGTH_IN_BYTES)
398 return (CRYPTO_KEY_SIZE_RANGE);
399
400 /* EXPORT DELETE END */
401
402 return (rv);
403 }
404
405 void
406 kmemset(uint8_t *buf, char pattern, size_t len)
407 {
408 int i = 0;
409
410 while (i < len)
411 buf[i++] = pattern;
412 }
413
414 /*
415 * This function guarantees to return non-zero random numbers.
416 * This is needed as the /dev/urandom kernel interface,
417 * random_get_pseudo_bytes(), may return zeros.
418 */
419 int
420 knzero_random_generator(uint8_t *ran_out, size_t ran_len)
421 {
581 kmem_free(ctxp->key, ctxp->keychunk_size);
582
583 if (ctxp->mech_type == RSA_PKCS_MECH_INFO_TYPE ||
584 ctxp->mech_type == RSA_X_509_MECH_INFO_TYPE)
585 kmem_free(ctxp, sizeof (rsa_ctx_t));
586 else
587 kmem_free(ctxp, sizeof (digest_rsa_ctx_t));
588
589 ctx->cc_provider_private = NULL;
590 }
591
592 return (CRYPTO_SUCCESS);
593 }
594
595 static int
596 rsa_encrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
597 crypto_data_t *plaintext, crypto_data_t *ciphertext)
598 {
599 int rv = CRYPTO_FAILED;
600
601 /* EXPORT DELETE START */
602
603 int plen;
604 uchar_t *ptptr;
605 uchar_t *modulus;
606 ssize_t modulus_len;
607 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
608 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
609 uchar_t cipher_data[MAX_RSA_KEYLENGTH_IN_BYTES];
610
611 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
612 &modulus_len)) != CRYPTO_SUCCESS) {
613 return (rv);
614 }
615
616 plen = plaintext->cd_length;
617 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
618 if (plen > (modulus_len - MIN_PKCS1_PADLEN))
619 return (CRYPTO_DATA_LEN_RANGE);
620 } else {
621 if (plen > modulus_len)
622 return (CRYPTO_DATA_LEN_RANGE);
639 rv = pkcs1_encode(PKCS1_ENCRYPT, ptptr, plen,
640 plain_data, modulus_len);
641
642 if (rv != CRYPTO_SUCCESS)
643 return (rv);
644 } else {
645 bzero(plain_data, modulus_len - plen);
646 bcopy(ptptr, &plain_data[modulus_len - plen], plen);
647 }
648
649 rv = core_rsa_encrypt(key, plain_data, modulus_len, cipher_data, 1);
650 if (rv == CRYPTO_SUCCESS) {
651 /* copy out to ciphertext */
652 if ((rv = crypto_put_output_data(cipher_data,
653 ciphertext, modulus_len)) != CRYPTO_SUCCESS)
654 return (rv);
655
656 ciphertext->cd_length = modulus_len;
657 }
658
659 /* EXPORT DELETE END */
660
661 return (rv);
662 }
663
664 /* EXPORT DELETE START */
665
666 static int
667 core_rsa_encrypt(crypto_key_t *key, uchar_t *in,
668 int in_len, uchar_t *out, int is_public)
669 {
670 int rv;
671 uchar_t *expo, *modulus;
672 ssize_t expo_len;
673 ssize_t modulus_len;
674 RSAbytekey k;
675
676 if (is_public) {
677 if ((rv = crypto_get_key_attr(key, SUN_CKA_PUBLIC_EXPONENT,
678 &expo, &expo_len)) != CRYPTO_SUCCESS)
679 return (rv);
680 } else {
681 /*
682 * SUN_CKA_PRIVATE_EXPONENT is a required attribute for a
683 * RSA secret key. See the comments in core_rsa_decrypt
684 * routine which calls this routine with a private key.
685 */
687 &expo, &expo_len)) != CRYPTO_SUCCESS)
688 return (rv);
689 }
690
691 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
692 &modulus_len)) != CRYPTO_SUCCESS) {
693 return (rv);
694 }
695
696 k.modulus = modulus;
697 k.modulus_bits = CRYPTO_BYTES2BITS(modulus_len);
698 k.pubexpo = expo;
699 k.pubexpo_bytes = expo_len;
700 k.rfunc = NULL;
701
702 rv = rsa_encrypt(&k, in, in_len, out);
703
704 return (rv);
705 }
706
707 /* EXPORT DELETE END */
708
709 /* ARGSUSED */
710 static int
711 rsaprov_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
712 crypto_data_t *plaintext, crypto_req_handle_t req)
713 {
714 int rv;
715 rsa_ctx_t *ctxp;
716
717 ASSERT(ctx->cc_provider_private != NULL);
718 ctxp = ctx->cc_provider_private;
719
720 RSA_ARG_INPLACE(ciphertext, plaintext);
721
722 /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
723 rv = rsa_decrypt_common(ctxp->mech_type, ctxp->key,
724 ciphertext, plaintext);
725
726 if (rv != CRYPTO_BUFFER_TOO_SMALL)
727 (void) rsa_free_context(ctx);
728
735 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
736 crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
737 crypto_spi_ctx_template_t template, crypto_req_handle_t req)
738 {
739 int rv;
740
741 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
742 return (rv);
743 RSA_ARG_INPLACE(ciphertext, plaintext);
744
745 return (rsa_decrypt_common(mechanism->cm_type, key, ciphertext,
746 plaintext));
747 }
748
749 static int
750 rsa_decrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
751 crypto_data_t *ciphertext, crypto_data_t *plaintext)
752 {
753 int rv = CRYPTO_FAILED;
754
755 /* EXPORT DELETE START */
756
757 size_t plain_len;
758 uchar_t *ctptr;
759 uchar_t *modulus;
760 ssize_t modulus_len;
761 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
762 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
763
764 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
765 &modulus_len)) != CRYPTO_SUCCESS) {
766 return (rv);
767 }
768
769 /*
770 * Ciphertext length must be equal to RSA modulus size.
771 */
772 if (ciphertext->cd_length != modulus_len)
773 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
774
775 ASSERT(ciphertext->cd_length <= sizeof (tmp_data));
776 if ((rv = crypto_get_input_data(ciphertext, &ctptr, tmp_data))
785 /* Strip off the PKCS block formatting data. */
786 rv = pkcs1_decode(PKCS1_DECRYPT, plain_data,
787 &plain_len);
788 if (rv != CRYPTO_SUCCESS)
789 return (rv);
790 }
791
792 if (plain_len > plaintext->cd_length) {
793 plaintext->cd_length = plain_len;
794 return (CRYPTO_BUFFER_TOO_SMALL);
795 }
796
797 if ((rv = crypto_put_output_data(
798 plain_data + modulus_len - plain_len,
799 plaintext, plain_len)) != CRYPTO_SUCCESS)
800 return (rv);
801
802 plaintext->cd_length = plain_len;
803 }
804
805 /* EXPORT DELETE END */
806
807 return (rv);
808 }
809
810 /* EXPORT DELETE START */
811
812 static int
813 core_rsa_decrypt(crypto_key_t *key, uchar_t *in, int in_len, uchar_t *out)
814 {
815 int rv;
816 uchar_t *modulus, *prime1, *prime2, *expo1, *expo2, *coef;
817 ssize_t modulus_len;
818 ssize_t prime1_len, prime2_len;
819 ssize_t expo1_len, expo2_len, coef_len;
820 RSAbytekey k;
821
822 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
823 &modulus_len)) != CRYPTO_SUCCESS) {
824 return (rv);
825 }
826
827 /*
828 * The following attributes are not required to be
829 * present in a RSA secret key. If any of them is not present
830 * we call the encrypt routine with a flag indicating use of
831 * private exponent (d). Note that SUN_CKA_PRIVATE_EXPONENT is
846
847 k.modulus = modulus;
848 k.modulus_bits = CRYPTO_BYTES2BITS(modulus_len);
849 k.prime1 = prime1;
850 k.prime1_bytes = prime1_len;
851 k.prime2 = prime2;
852 k.prime2_bytes = prime2_len;
853 k.expo1 = expo1;
854 k.expo1_bytes = expo1_len;
855 k.expo2 = expo2;
856 k.expo2_bytes = expo2_len;
857 k.coeff = coef;
858 k.coeff_bytes = coef_len;
859 k.rfunc = NULL;
860
861 rv = rsa_decrypt(&k, in, in_len, out);
862
863 return (rv);
864 }
865
866 /* EXPORT DELETE END */
867
868 /* ARGSUSED */
869 static int
870 rsa_sign_verify_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
871 crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
872 crypto_req_handle_t req)
873 {
874 int rv;
875 int kmflag;
876 rsa_ctx_t *ctxp;
877 digest_rsa_ctx_t *dctxp;
878
879 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
880 return (rv);
881
882 /*
883 * Allocate a RSA context.
884 */
885 kmflag = crypto_kmflag(req);
886 switch (mechanism->cm_type) {
887 case MD5_RSA_PKCS_MECH_INFO_TYPE:
944
945 return (CRYPTO_SUCCESS);
946 }
947
948 #define SHA1_DIGEST_SIZE 20
949 #define MD5_DIGEST_SIZE 16
950
951 #define INIT_RAW_CRYPTO_DATA(data, base, len, cd_len) \
952 (data).cd_format = CRYPTO_DATA_RAW; \
953 (data).cd_offset = 0; \
954 (data).cd_raw.iov_base = (char *)base; \
955 (data).cd_raw.iov_len = len; \
956 (data).cd_length = cd_len;
957
958 static int
959 rsa_digest_svrfy_common(digest_rsa_ctx_t *ctxp, crypto_data_t *data,
960 crypto_data_t *signature, uchar_t flag)
961 {
962 int rv = CRYPTO_FAILED;
963
964 /* EXPORT DELETE START */
965
966 uchar_t digest[SHA512_DIGEST_LENGTH];
967 /* The der_data size is enough for MD5 also */
968 uchar_t der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len];
969 ulong_t der_data_len;
970 crypto_data_t der_cd;
971 rsa_mech_type_t mech_type;
972
973 ASSERT(flag & CRYPTO_DO_SIGN || flag & CRYPTO_DO_VERIFY);
974 ASSERT(data != NULL || (flag & CRYPTO_DO_FINAL));
975
976 mech_type = ctxp->mech_type;
977 if (mech_type == RSA_PKCS_MECH_INFO_TYPE ||
978 mech_type == RSA_X_509_MECH_INFO_TYPE)
979 return (CRYPTO_MECHANISM_INVALID);
980
981 /*
982 * We need to do the BUFFER_TOO_SMALL check before digesting
983 * the data. No check is needed for verify as signature is not
984 * an output argument for verify.
985 */
1051
1052 case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1053 bcopy(SHA512_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1054 bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1055 SHA512_DIGEST_LENGTH);
1056 der_data_len = SHA2_DER_PREFIX_Len + SHA512_DIGEST_LENGTH;
1057 break;
1058 }
1059
1060 INIT_RAW_CRYPTO_DATA(der_cd, der_data, der_data_len, der_data_len);
1061 /*
1062 * Now, we are ready to sign or verify the DER_ENCODED data.
1063 */
1064 if (flag & CRYPTO_DO_SIGN)
1065 rv = rsa_sign_common(mech_type, ctxp->key, &der_cd,
1066 signature);
1067 else
1068 rv = rsa_verify_common(mech_type, ctxp->key, &der_cd,
1069 signature);
1070
1071 /* EXPORT DELETE END */
1072
1073 return (rv);
1074 }
1075
1076 static int
1077 rsa_sign_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1078 crypto_data_t *data, crypto_data_t *signature)
1079 {
1080 int rv = CRYPTO_FAILED;
1081
1082 /* EXPORT DELETE START */
1083
1084 int dlen;
1085 uchar_t *dataptr, *modulus;
1086 ssize_t modulus_len;
1087 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1088 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1089 uchar_t signed_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1090
1091 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1092 &modulus_len)) != CRYPTO_SUCCESS) {
1093 return (rv);
1094 }
1095
1096 dlen = data->cd_length;
1097 switch (mech_type) {
1098 case RSA_PKCS_MECH_INFO_TYPE:
1099 if (dlen > (modulus_len - MIN_PKCS1_PADLEN))
1100 return (CRYPTO_DATA_LEN_RANGE);
1101 break;
1102 case RSA_X_509_MECH_INFO_TYPE:
1103 if (dlen > modulus_len)
1132 return (rv);
1133
1134 break;
1135
1136 case RSA_X_509_MECH_INFO_TYPE:
1137 bzero(plain_data, modulus_len - dlen);
1138 bcopy(dataptr, &plain_data[modulus_len - dlen], dlen);
1139 break;
1140 }
1141
1142 rv = core_rsa_decrypt(key, plain_data, modulus_len, signed_data);
1143 if (rv == CRYPTO_SUCCESS) {
1144 /* copy out to signature */
1145 if ((rv = crypto_put_output_data(signed_data,
1146 signature, modulus_len)) != CRYPTO_SUCCESS)
1147 return (rv);
1148
1149 signature->cd_length = modulus_len;
1150 }
1151
1152 /* EXPORT DELETE END */
1153
1154 return (rv);
1155 }
1156
1157 /* ARGSUSED */
1158 static int
1159 rsaprov_sign(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature,
1160 crypto_req_handle_t req)
1161 {
1162 int rv;
1163 rsa_ctx_t *ctxp;
1164
1165 ASSERT(ctx->cc_provider_private != NULL);
1166 ctxp = ctx->cc_provider_private;
1167
1168 /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
1169 switch (ctxp->mech_type) {
1170 case MD5_RSA_PKCS_MECH_INFO_TYPE:
1171 case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1172 case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1173 case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1280 break;
1281
1282 case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1283 SHA2Init(SHA512, &(dctx.sha2_ctx));
1284 break;
1285 }
1286
1287 rv = rsa_digest_svrfy_common(&dctx, data, signature,
1288 CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL);
1289 }
1290
1291 return (rv);
1292 }
1293
1294 static int
1295 rsa_verify_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1296 crypto_data_t *data, crypto_data_t *signature)
1297 {
1298 int rv = CRYPTO_FAILED;
1299
1300 /* EXPORT DELETE START */
1301
1302 uchar_t *sigptr, *modulus;
1303 ssize_t modulus_len;
1304 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1305 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1306
1307 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1308 &modulus_len)) != CRYPTO_SUCCESS) {
1309 return (rv);
1310 }
1311
1312 if (signature->cd_length != modulus_len)
1313 return (CRYPTO_SIGNATURE_LEN_RANGE);
1314
1315 ASSERT(signature->cd_length <= sizeof (tmp_data));
1316 if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data))
1317 != CRYPTO_SUCCESS)
1318 return (rv);
1319
1320 rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, 1);
1321 if (rv != CRYPTO_SUCCESS)
1329 } else {
1330 size_t data_len = modulus_len;
1331
1332 /*
1333 * Strip off the encoded padding bytes in front of the
1334 * recovered data, then compare the recovered data with
1335 * the original data.
1336 */
1337 rv = pkcs1_decode(PKCS1_VERIFY, plain_data, &data_len);
1338 if (rv != CRYPTO_SUCCESS)
1339 return (rv);
1340
1341 if (data_len != data->cd_length)
1342 return (CRYPTO_SIGNATURE_LEN_RANGE);
1343
1344 if (compare_data(data, (plain_data + modulus_len
1345 - data_len)) != 0)
1346 rv = CRYPTO_SIGNATURE_INVALID;
1347 }
1348
1349 /* EXPORT DELETE END */
1350
1351 return (rv);
1352 }
1353
1354 /* ARGSUSED */
1355 static int
1356 rsaprov_verify(crypto_ctx_t *ctx, crypto_data_t *data,
1357 crypto_data_t *signature, crypto_req_handle_t req)
1358 {
1359 int rv;
1360 rsa_ctx_t *ctxp;
1361
1362 ASSERT(ctx->cc_provider_private != NULL);
1363 ctxp = ctx->cc_provider_private;
1364
1365 /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
1366 switch (ctxp->mech_type) {
1367 case MD5_RSA_PKCS_MECH_INFO_TYPE:
1368 case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1369 case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1370 case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1486 break;
1487
1488 case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1489 SHA2Init(SHA512, &(dctx.sha2_ctx));
1490 break;
1491 }
1492
1493 rv = rsa_digest_svrfy_common(&dctx, data, signature,
1494 CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL);
1495 }
1496
1497 return (rv);
1498 }
1499
1500 static int
1501 rsa_verify_recover_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1502 crypto_data_t *signature, crypto_data_t *data)
1503 {
1504 int rv = CRYPTO_FAILED;
1505
1506 /* EXPORT DELETE START */
1507
1508 size_t data_len;
1509 uchar_t *sigptr, *modulus;
1510 ssize_t modulus_len;
1511 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1512 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1513
1514 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1515 &modulus_len)) != CRYPTO_SUCCESS) {
1516 return (rv);
1517 }
1518
1519 if (signature->cd_length != modulus_len)
1520 return (CRYPTO_SIGNATURE_LEN_RANGE);
1521
1522 ASSERT(signature->cd_length <= sizeof (tmp_data));
1523 if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data))
1524 != CRYPTO_SUCCESS)
1525 return (rv);
1526
1527 rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, 1);
1534 /*
1535 * Strip off the encoded padding bytes in front of the
1536 * recovered data, then compare the recovered data with
1537 * the original data.
1538 */
1539 rv = pkcs1_decode(PKCS1_VERIFY, plain_data, &data_len);
1540 if (rv != CRYPTO_SUCCESS)
1541 return (rv);
1542 }
1543
1544 if (data->cd_length < data_len) {
1545 data->cd_length = data_len;
1546 return (CRYPTO_BUFFER_TOO_SMALL);
1547 }
1548
1549 if ((rv = crypto_put_output_data(plain_data + modulus_len - data_len,
1550 data, data_len)) != CRYPTO_SUCCESS)
1551 return (rv);
1552 data->cd_length = data_len;
1553
1554 /* EXPORT DELETE END */
1555
1556 return (rv);
1557 }
1558
1559 /* ARGSUSED */
1560 static int
1561 rsa_verify_recover(crypto_ctx_t *ctx, crypto_data_t *signature,
1562 crypto_data_t *data, crypto_req_handle_t req)
1563 {
1564 int rv;
1565 rsa_ctx_t *ctxp;
1566
1567 ASSERT(ctx->cc_provider_private != NULL);
1568 ctxp = ctx->cc_provider_private;
1569
1570 /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
1571 rv = rsa_verify_recover_common(ctxp->mech_type, ctxp->key,
1572 signature, data);
1573
1574 if (rv != CRYPTO_BUFFER_TOO_SMALL)
1575 (void) rsa_free_context(ctx);
|
298 CRYPTO_SPI_VERSION_4,
299 "RSA Software Provider",
300 CRYPTO_SW_PROVIDER,
301 {&modlinkage},
302 NULL,
303 &rsa_crypto_ops,
304 sizeof (rsa_mech_info_tab)/sizeof (crypto_mech_info_t),
305 rsa_mech_info_tab
306 };
307
308 static int rsa_encrypt_common(rsa_mech_type_t, crypto_key_t *,
309 crypto_data_t *, crypto_data_t *);
310 static int rsa_decrypt_common(rsa_mech_type_t, crypto_key_t *,
311 crypto_data_t *, crypto_data_t *);
312 static int rsa_sign_common(rsa_mech_type_t, crypto_key_t *,
313 crypto_data_t *, crypto_data_t *);
314 static int rsa_verify_common(rsa_mech_type_t, crypto_key_t *,
315 crypto_data_t *, crypto_data_t *);
316 static int compare_data(crypto_data_t *, uchar_t *);
317
318 static int core_rsa_encrypt(crypto_key_t *, uchar_t *, int, uchar_t *, int);
319 static int core_rsa_decrypt(crypto_key_t *, uchar_t *, int, uchar_t *);
320
321 static crypto_kcf_provider_handle_t rsa_prov_handle = NULL;
322
323 int
324 _init(void)
325 {
326 int ret;
327
328 if ((ret = mod_install(&modlinkage)) != 0)
329 return (ret);
330
331 /* Register with KCF. If the registration fails, remove the module. */
332 if (crypto_register_provider(&rsa_prov_info, &rsa_prov_handle)) {
333 (void) mod_remove(&modlinkage);
334 return (EACCES);
335 }
336
337 return (0);
338 }
339
340 int
352 }
353
354 int
355 _info(struct modinfo *modinfop)
356 {
357 return (mod_info(&modlinkage, modinfop));
358 }
359
360 /* ARGSUSED */
361 static void
362 rsa_provider_status(crypto_provider_handle_t provider, uint_t *status)
363 {
364 *status = CRYPTO_PROVIDER_READY;
365 }
366
367 static int
368 check_mech_and_key(crypto_mechanism_t *mechanism, crypto_key_t *key)
369 {
370 int rv = CRYPTO_FAILED;
371
372 uchar_t *modulus;
373 ssize_t modulus_len; /* In bytes */
374
375 if (!RSA_VALID_MECH(mechanism))
376 return (CRYPTO_MECHANISM_INVALID);
377
378 /*
379 * We only support RSA keys that are passed as a list of
380 * object attributes.
381 */
382 if (key->ck_format != CRYPTO_KEY_ATTR_LIST) {
383 return (CRYPTO_KEY_TYPE_INCONSISTENT);
384 }
385
386 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
387 &modulus_len)) != CRYPTO_SUCCESS) {
388 return (rv);
389 }
390 if (modulus_len < MIN_RSA_KEYLENGTH_IN_BYTES ||
391 modulus_len > MAX_RSA_KEYLENGTH_IN_BYTES)
392 return (CRYPTO_KEY_SIZE_RANGE);
393
394 return (rv);
395 }
396
397 void
398 kmemset(uint8_t *buf, char pattern, size_t len)
399 {
400 int i = 0;
401
402 while (i < len)
403 buf[i++] = pattern;
404 }
405
406 /*
407 * This function guarantees to return non-zero random numbers.
408 * This is needed as the /dev/urandom kernel interface,
409 * random_get_pseudo_bytes(), may return zeros.
410 */
411 int
412 knzero_random_generator(uint8_t *ran_out, size_t ran_len)
413 {
573 kmem_free(ctxp->key, ctxp->keychunk_size);
574
575 if (ctxp->mech_type == RSA_PKCS_MECH_INFO_TYPE ||
576 ctxp->mech_type == RSA_X_509_MECH_INFO_TYPE)
577 kmem_free(ctxp, sizeof (rsa_ctx_t));
578 else
579 kmem_free(ctxp, sizeof (digest_rsa_ctx_t));
580
581 ctx->cc_provider_private = NULL;
582 }
583
584 return (CRYPTO_SUCCESS);
585 }
586
587 static int
588 rsa_encrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
589 crypto_data_t *plaintext, crypto_data_t *ciphertext)
590 {
591 int rv = CRYPTO_FAILED;
592
593 int plen;
594 uchar_t *ptptr;
595 uchar_t *modulus;
596 ssize_t modulus_len;
597 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
598 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
599 uchar_t cipher_data[MAX_RSA_KEYLENGTH_IN_BYTES];
600
601 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
602 &modulus_len)) != CRYPTO_SUCCESS) {
603 return (rv);
604 }
605
606 plen = plaintext->cd_length;
607 if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
608 if (plen > (modulus_len - MIN_PKCS1_PADLEN))
609 return (CRYPTO_DATA_LEN_RANGE);
610 } else {
611 if (plen > modulus_len)
612 return (CRYPTO_DATA_LEN_RANGE);
629 rv = pkcs1_encode(PKCS1_ENCRYPT, ptptr, plen,
630 plain_data, modulus_len);
631
632 if (rv != CRYPTO_SUCCESS)
633 return (rv);
634 } else {
635 bzero(plain_data, modulus_len - plen);
636 bcopy(ptptr, &plain_data[modulus_len - plen], plen);
637 }
638
639 rv = core_rsa_encrypt(key, plain_data, modulus_len, cipher_data, 1);
640 if (rv == CRYPTO_SUCCESS) {
641 /* copy out to ciphertext */
642 if ((rv = crypto_put_output_data(cipher_data,
643 ciphertext, modulus_len)) != CRYPTO_SUCCESS)
644 return (rv);
645
646 ciphertext->cd_length = modulus_len;
647 }
648
649 return (rv);
650 }
651
652 static int
653 core_rsa_encrypt(crypto_key_t *key, uchar_t *in,
654 int in_len, uchar_t *out, int is_public)
655 {
656 int rv;
657 uchar_t *expo, *modulus;
658 ssize_t expo_len;
659 ssize_t modulus_len;
660 RSAbytekey k;
661
662 if (is_public) {
663 if ((rv = crypto_get_key_attr(key, SUN_CKA_PUBLIC_EXPONENT,
664 &expo, &expo_len)) != CRYPTO_SUCCESS)
665 return (rv);
666 } else {
667 /*
668 * SUN_CKA_PRIVATE_EXPONENT is a required attribute for a
669 * RSA secret key. See the comments in core_rsa_decrypt
670 * routine which calls this routine with a private key.
671 */
673 &expo, &expo_len)) != CRYPTO_SUCCESS)
674 return (rv);
675 }
676
677 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
678 &modulus_len)) != CRYPTO_SUCCESS) {
679 return (rv);
680 }
681
682 k.modulus = modulus;
683 k.modulus_bits = CRYPTO_BYTES2BITS(modulus_len);
684 k.pubexpo = expo;
685 k.pubexpo_bytes = expo_len;
686 k.rfunc = NULL;
687
688 rv = rsa_encrypt(&k, in, in_len, out);
689
690 return (rv);
691 }
692
693 /* ARGSUSED */
694 static int
695 rsaprov_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
696 crypto_data_t *plaintext, crypto_req_handle_t req)
697 {
698 int rv;
699 rsa_ctx_t *ctxp;
700
701 ASSERT(ctx->cc_provider_private != NULL);
702 ctxp = ctx->cc_provider_private;
703
704 RSA_ARG_INPLACE(ciphertext, plaintext);
705
706 /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
707 rv = rsa_decrypt_common(ctxp->mech_type, ctxp->key,
708 ciphertext, plaintext);
709
710 if (rv != CRYPTO_BUFFER_TOO_SMALL)
711 (void) rsa_free_context(ctx);
712
719 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
720 crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
721 crypto_spi_ctx_template_t template, crypto_req_handle_t req)
722 {
723 int rv;
724
725 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
726 return (rv);
727 RSA_ARG_INPLACE(ciphertext, plaintext);
728
729 return (rsa_decrypt_common(mechanism->cm_type, key, ciphertext,
730 plaintext));
731 }
732
733 static int
734 rsa_decrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
735 crypto_data_t *ciphertext, crypto_data_t *plaintext)
736 {
737 int rv = CRYPTO_FAILED;
738
739 size_t plain_len;
740 uchar_t *ctptr;
741 uchar_t *modulus;
742 ssize_t modulus_len;
743 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
744 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
745
746 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
747 &modulus_len)) != CRYPTO_SUCCESS) {
748 return (rv);
749 }
750
751 /*
752 * Ciphertext length must be equal to RSA modulus size.
753 */
754 if (ciphertext->cd_length != modulus_len)
755 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
756
757 ASSERT(ciphertext->cd_length <= sizeof (tmp_data));
758 if ((rv = crypto_get_input_data(ciphertext, &ctptr, tmp_data))
767 /* Strip off the PKCS block formatting data. */
768 rv = pkcs1_decode(PKCS1_DECRYPT, plain_data,
769 &plain_len);
770 if (rv != CRYPTO_SUCCESS)
771 return (rv);
772 }
773
774 if (plain_len > plaintext->cd_length) {
775 plaintext->cd_length = plain_len;
776 return (CRYPTO_BUFFER_TOO_SMALL);
777 }
778
779 if ((rv = crypto_put_output_data(
780 plain_data + modulus_len - plain_len,
781 plaintext, plain_len)) != CRYPTO_SUCCESS)
782 return (rv);
783
784 plaintext->cd_length = plain_len;
785 }
786
787 return (rv);
788 }
789
790 static int
791 core_rsa_decrypt(crypto_key_t *key, uchar_t *in, int in_len, uchar_t *out)
792 {
793 int rv;
794 uchar_t *modulus, *prime1, *prime2, *expo1, *expo2, *coef;
795 ssize_t modulus_len;
796 ssize_t prime1_len, prime2_len;
797 ssize_t expo1_len, expo2_len, coef_len;
798 RSAbytekey k;
799
800 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
801 &modulus_len)) != CRYPTO_SUCCESS) {
802 return (rv);
803 }
804
805 /*
806 * The following attributes are not required to be
807 * present in a RSA secret key. If any of them is not present
808 * we call the encrypt routine with a flag indicating use of
809 * private exponent (d). Note that SUN_CKA_PRIVATE_EXPONENT is
824
825 k.modulus = modulus;
826 k.modulus_bits = CRYPTO_BYTES2BITS(modulus_len);
827 k.prime1 = prime1;
828 k.prime1_bytes = prime1_len;
829 k.prime2 = prime2;
830 k.prime2_bytes = prime2_len;
831 k.expo1 = expo1;
832 k.expo1_bytes = expo1_len;
833 k.expo2 = expo2;
834 k.expo2_bytes = expo2_len;
835 k.coeff = coef;
836 k.coeff_bytes = coef_len;
837 k.rfunc = NULL;
838
839 rv = rsa_decrypt(&k, in, in_len, out);
840
841 return (rv);
842 }
843
844 /* ARGSUSED */
845 static int
846 rsa_sign_verify_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
847 crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
848 crypto_req_handle_t req)
849 {
850 int rv;
851 int kmflag;
852 rsa_ctx_t *ctxp;
853 digest_rsa_ctx_t *dctxp;
854
855 if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
856 return (rv);
857
858 /*
859 * Allocate a RSA context.
860 */
861 kmflag = crypto_kmflag(req);
862 switch (mechanism->cm_type) {
863 case MD5_RSA_PKCS_MECH_INFO_TYPE:
920
921 return (CRYPTO_SUCCESS);
922 }
923
924 #define SHA1_DIGEST_SIZE 20
925 #define MD5_DIGEST_SIZE 16
926
927 #define INIT_RAW_CRYPTO_DATA(data, base, len, cd_len) \
928 (data).cd_format = CRYPTO_DATA_RAW; \
929 (data).cd_offset = 0; \
930 (data).cd_raw.iov_base = (char *)base; \
931 (data).cd_raw.iov_len = len; \
932 (data).cd_length = cd_len;
933
934 static int
935 rsa_digest_svrfy_common(digest_rsa_ctx_t *ctxp, crypto_data_t *data,
936 crypto_data_t *signature, uchar_t flag)
937 {
938 int rv = CRYPTO_FAILED;
939
940 uchar_t digest[SHA512_DIGEST_LENGTH];
941 /* The der_data size is enough for MD5 also */
942 uchar_t der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len];
943 ulong_t der_data_len;
944 crypto_data_t der_cd;
945 rsa_mech_type_t mech_type;
946
947 ASSERT(flag & CRYPTO_DO_SIGN || flag & CRYPTO_DO_VERIFY);
948 ASSERT(data != NULL || (flag & CRYPTO_DO_FINAL));
949
950 mech_type = ctxp->mech_type;
951 if (mech_type == RSA_PKCS_MECH_INFO_TYPE ||
952 mech_type == RSA_X_509_MECH_INFO_TYPE)
953 return (CRYPTO_MECHANISM_INVALID);
954
955 /*
956 * We need to do the BUFFER_TOO_SMALL check before digesting
957 * the data. No check is needed for verify as signature is not
958 * an output argument for verify.
959 */
1025
1026 case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1027 bcopy(SHA512_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1028 bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1029 SHA512_DIGEST_LENGTH);
1030 der_data_len = SHA2_DER_PREFIX_Len + SHA512_DIGEST_LENGTH;
1031 break;
1032 }
1033
1034 INIT_RAW_CRYPTO_DATA(der_cd, der_data, der_data_len, der_data_len);
1035 /*
1036 * Now, we are ready to sign or verify the DER_ENCODED data.
1037 */
1038 if (flag & CRYPTO_DO_SIGN)
1039 rv = rsa_sign_common(mech_type, ctxp->key, &der_cd,
1040 signature);
1041 else
1042 rv = rsa_verify_common(mech_type, ctxp->key, &der_cd,
1043 signature);
1044
1045 return (rv);
1046 }
1047
1048 static int
1049 rsa_sign_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1050 crypto_data_t *data, crypto_data_t *signature)
1051 {
1052 int rv = CRYPTO_FAILED;
1053
1054 int dlen;
1055 uchar_t *dataptr, *modulus;
1056 ssize_t modulus_len;
1057 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1058 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1059 uchar_t signed_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1060
1061 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1062 &modulus_len)) != CRYPTO_SUCCESS) {
1063 return (rv);
1064 }
1065
1066 dlen = data->cd_length;
1067 switch (mech_type) {
1068 case RSA_PKCS_MECH_INFO_TYPE:
1069 if (dlen > (modulus_len - MIN_PKCS1_PADLEN))
1070 return (CRYPTO_DATA_LEN_RANGE);
1071 break;
1072 case RSA_X_509_MECH_INFO_TYPE:
1073 if (dlen > modulus_len)
1102 return (rv);
1103
1104 break;
1105
1106 case RSA_X_509_MECH_INFO_TYPE:
1107 bzero(plain_data, modulus_len - dlen);
1108 bcopy(dataptr, &plain_data[modulus_len - dlen], dlen);
1109 break;
1110 }
1111
1112 rv = core_rsa_decrypt(key, plain_data, modulus_len, signed_data);
1113 if (rv == CRYPTO_SUCCESS) {
1114 /* copy out to signature */
1115 if ((rv = crypto_put_output_data(signed_data,
1116 signature, modulus_len)) != CRYPTO_SUCCESS)
1117 return (rv);
1118
1119 signature->cd_length = modulus_len;
1120 }
1121
1122 return (rv);
1123 }
1124
1125 /* ARGSUSED */
1126 static int
1127 rsaprov_sign(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature,
1128 crypto_req_handle_t req)
1129 {
1130 int rv;
1131 rsa_ctx_t *ctxp;
1132
1133 ASSERT(ctx->cc_provider_private != NULL);
1134 ctxp = ctx->cc_provider_private;
1135
1136 /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
1137 switch (ctxp->mech_type) {
1138 case MD5_RSA_PKCS_MECH_INFO_TYPE:
1139 case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1140 case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1141 case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1248 break;
1249
1250 case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1251 SHA2Init(SHA512, &(dctx.sha2_ctx));
1252 break;
1253 }
1254
1255 rv = rsa_digest_svrfy_common(&dctx, data, signature,
1256 CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL);
1257 }
1258
1259 return (rv);
1260 }
1261
1262 static int
1263 rsa_verify_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1264 crypto_data_t *data, crypto_data_t *signature)
1265 {
1266 int rv = CRYPTO_FAILED;
1267
1268 uchar_t *sigptr, *modulus;
1269 ssize_t modulus_len;
1270 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1271 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1272
1273 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1274 &modulus_len)) != CRYPTO_SUCCESS) {
1275 return (rv);
1276 }
1277
1278 if (signature->cd_length != modulus_len)
1279 return (CRYPTO_SIGNATURE_LEN_RANGE);
1280
1281 ASSERT(signature->cd_length <= sizeof (tmp_data));
1282 if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data))
1283 != CRYPTO_SUCCESS)
1284 return (rv);
1285
1286 rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, 1);
1287 if (rv != CRYPTO_SUCCESS)
1295 } else {
1296 size_t data_len = modulus_len;
1297
1298 /*
1299 * Strip off the encoded padding bytes in front of the
1300 * recovered data, then compare the recovered data with
1301 * the original data.
1302 */
1303 rv = pkcs1_decode(PKCS1_VERIFY, plain_data, &data_len);
1304 if (rv != CRYPTO_SUCCESS)
1305 return (rv);
1306
1307 if (data_len != data->cd_length)
1308 return (CRYPTO_SIGNATURE_LEN_RANGE);
1309
1310 if (compare_data(data, (plain_data + modulus_len
1311 - data_len)) != 0)
1312 rv = CRYPTO_SIGNATURE_INVALID;
1313 }
1314
1315 return (rv);
1316 }
1317
1318 /* ARGSUSED */
1319 static int
1320 rsaprov_verify(crypto_ctx_t *ctx, crypto_data_t *data,
1321 crypto_data_t *signature, crypto_req_handle_t req)
1322 {
1323 int rv;
1324 rsa_ctx_t *ctxp;
1325
1326 ASSERT(ctx->cc_provider_private != NULL);
1327 ctxp = ctx->cc_provider_private;
1328
1329 /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
1330 switch (ctxp->mech_type) {
1331 case MD5_RSA_PKCS_MECH_INFO_TYPE:
1332 case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1333 case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1334 case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1450 break;
1451
1452 case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1453 SHA2Init(SHA512, &(dctx.sha2_ctx));
1454 break;
1455 }
1456
1457 rv = rsa_digest_svrfy_common(&dctx, data, signature,
1458 CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL);
1459 }
1460
1461 return (rv);
1462 }
1463
1464 static int
1465 rsa_verify_recover_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1466 crypto_data_t *signature, crypto_data_t *data)
1467 {
1468 int rv = CRYPTO_FAILED;
1469
1470 size_t data_len;
1471 uchar_t *sigptr, *modulus;
1472 ssize_t modulus_len;
1473 uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1474 uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1475
1476 if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1477 &modulus_len)) != CRYPTO_SUCCESS) {
1478 return (rv);
1479 }
1480
1481 if (signature->cd_length != modulus_len)
1482 return (CRYPTO_SIGNATURE_LEN_RANGE);
1483
1484 ASSERT(signature->cd_length <= sizeof (tmp_data));
1485 if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data))
1486 != CRYPTO_SUCCESS)
1487 return (rv);
1488
1489 rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, 1);
1496 /*
1497 * Strip off the encoded padding bytes in front of the
1498 * recovered data, then compare the recovered data with
1499 * the original data.
1500 */
1501 rv = pkcs1_decode(PKCS1_VERIFY, plain_data, &data_len);
1502 if (rv != CRYPTO_SUCCESS)
1503 return (rv);
1504 }
1505
1506 if (data->cd_length < data_len) {
1507 data->cd_length = data_len;
1508 return (CRYPTO_BUFFER_TOO_SMALL);
1509 }
1510
1511 if ((rv = crypto_put_output_data(plain_data + modulus_len - data_len,
1512 data, data_len)) != CRYPTO_SUCCESS)
1513 return (rv);
1514 data->cd_length = data_len;
1515
1516 return (rv);
1517 }
1518
1519 /* ARGSUSED */
1520 static int
1521 rsa_verify_recover(crypto_ctx_t *ctx, crypto_data_t *signature,
1522 crypto_data_t *data, crypto_req_handle_t req)
1523 {
1524 int rv;
1525 rsa_ctx_t *ctxp;
1526
1527 ASSERT(ctx->cc_provider_private != NULL);
1528 ctxp = ctx->cc_provider_private;
1529
1530 /* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
1531 rv = rsa_verify_recover_common(ctxp->mech_type, ctxp->key,
1532 signature, data);
1533
1534 if (rv != CRYPTO_BUFFER_TOO_SMALL)
1535 (void) rsa_free_context(ctx);
|