Print this page
first pass
Split |
Close |
Expand all |
Collapse all |
--- old/usr/src/common/crypto/rsa/rsa_impl.c
+++ new/usr/src/common/crypto/rsa/rsa_impl.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21
22 22 /*
23 23 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
24 24 */
25 25
26 26 /*
27 27 * This file contains RSA helper routines common to
28 28 * the PKCS11 soft token code and the kernel RSA code.
29 29 */
30 30
31 31 #include <sys/types.h>
32 32 #include <bignum.h>
33 33
34 34 #ifdef _KERNEL
35 35 #include <sys/param.h>
36 36 #else
37 37 #include <strings.h>
38 38 #include <cryptoutil.h>
39 39 #endif
40 40
41 41 #include <sys/crypto/common.h>
42 42 #include "rsa_impl.h"
43 43
44 44 /*
45 45 * DER encoding T of the DigestInfo values for MD5, SHA1, and SHA2
46 46 * from PKCS#1 v2.1: RSA Cryptography Standard Section 9.2 Note 1
47 47 *
48 48 * MD5: (0x)30 20 30 0c 06 08 2a 86 48 86 f7 0d 02 05 05 00 04 10 || H
49 49 * SHA-1: (0x)30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 || H
50 50 * SHA-256: (0x)30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || H.
51 51 * SHA-384: (0x)30 41 30 0d 06 09 60 86 48 01 65 03 04 02 02 05 00 04 30 || H.
52 52 * SHA-512: (0x)30 51 30 0d 06 09 60 86 48 01 65 03 04 02 03 05 00 04 40 || H.
53 53 *
54 54 * Where H is the digested output from MD5 or SHA1. We define the constant
55 55 * byte array (the prefix) here and use it rather than doing the DER
56 56 * encoding of the OID in a separate routine.
57 57 */
58 58 const CK_BYTE MD5_DER_PREFIX[MD5_DER_PREFIX_Len] = {0x30, 0x20, 0x30, 0x0c,
59 59 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00,
60 60 0x04, 0x10};
61 61
62 62 const CK_BYTE SHA1_DER_PREFIX[SHA1_DER_PREFIX_Len] = {0x30, 0x21, 0x30,
63 63 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14};
64 64
65 65 const CK_BYTE SHA1_DER_PREFIX_OID[SHA1_DER_PREFIX_OID_Len] = {0x30, 0x1f, 0x30,
66 66 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14};
67 67
68 68 const CK_BYTE SHA256_DER_PREFIX[SHA2_DER_PREFIX_Len] = {0x30, 0x31, 0x30, 0x0d,
69 69 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
70 70 0x00, 0x04, 0x20};
71 71
72 72 const CK_BYTE SHA384_DER_PREFIX[SHA2_DER_PREFIX_Len] = {0x30, 0x41, 0x30, 0x0d,
73 73 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05,
74 74 0x00, 0x04, 0x30};
75 75
76 76 const CK_BYTE SHA512_DER_PREFIX[SHA2_DER_PREFIX_Len] = {0x30, 0x51, 0x30, 0x0d,
77 77 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05,
78 78 0x00, 0x04, 0x40};
79 79
80 80 const CK_BYTE DEFAULT_PUB_EXPO[DEFAULT_PUB_EXPO_Len] = { 0x01, 0x00, 0x01 };
81 81
82 82
83 83 static CK_RV
84 84 convert_rv(BIG_ERR_CODE err)
85 85 {
86 86 switch (err) {
87 87
88 88 case BIG_OK:
89 89 return (CKR_OK);
90 90
91 91 case BIG_NO_MEM:
92 92 return (CKR_HOST_MEMORY);
93 93
94 94 case BIG_NO_RANDOM:
95 95 return (CKR_DEVICE_ERROR);
96 96
97 97 case BIG_INVALID_ARGS:
98 98 return (CKR_ARGUMENTS_BAD);
99 99
100 100 case BIG_DIV_BY_0:
101 101 default:
↓ open down ↓ |
101 lines elided |
↑ open up ↑ |
102 102 return (CKR_GENERAL_ERROR);
103 103 }
104 104 }
105 105
106 106 /* psize and qsize are in bits */
107 107 static BIG_ERR_CODE
108 108 RSA_key_init(RSAkey *key, int psize, int qsize)
109 109 {
110 110 BIG_ERR_CODE err = BIG_OK;
111 111
112 -/* EXPORT DELETE START */
113 -
114 112 int plen, qlen, nlen;
115 113
116 114 plen = BITLEN2BIGNUMLEN(psize);
117 115 qlen = BITLEN2BIGNUMLEN(qsize);
118 116 nlen = plen + qlen;
119 117 key->size = psize + qsize;
120 118 if ((err = big_init(&(key->p), plen)) != BIG_OK)
121 119 return (err);
122 120 if ((err = big_init(&(key->q), qlen)) != BIG_OK)
123 121 goto ret1;
124 122 if ((err = big_init(&(key->n), nlen)) != BIG_OK)
125 123 goto ret2;
126 124 if ((err = big_init(&(key->d), nlen)) != BIG_OK)
127 125 goto ret3;
128 126 if ((err = big_init(&(key->e), nlen)) != BIG_OK)
129 127 goto ret4;
130 128 if ((err = big_init(&(key->dmodpminus1), plen)) != BIG_OK)
131 129 goto ret5;
132 130 if ((err = big_init(&(key->dmodqminus1), qlen)) != BIG_OK)
133 131 goto ret6;
134 132 if ((err = big_init(&(key->pinvmodq), qlen)) != BIG_OK)
135 133 goto ret7;
136 134 if ((err = big_init(&(key->p_rr), plen)) != BIG_OK)
137 135 goto ret8;
138 136 if ((err = big_init(&(key->q_rr), qlen)) != BIG_OK)
139 137 goto ret9;
140 138 if ((err = big_init(&(key->n_rr), nlen)) != BIG_OK)
141 139 goto ret10;
142 140
143 141 return (BIG_OK);
144 142
145 143 ret10:
146 144 big_finish(&(key->q_rr));
147 145 ret9:
148 146 big_finish(&(key->p_rr));
149 147 ret8:
150 148 big_finish(&(key->pinvmodq));
151 149 ret7:
152 150 big_finish(&(key->dmodqminus1));
153 151 ret6:
154 152 big_finish(&(key->dmodpminus1));
155 153 ret5:
↓ open down ↓ |
32 lines elided |
↑ open up ↑ |
156 154 big_finish(&(key->e));
157 155 ret4:
158 156 big_finish(&(key->d));
159 157 ret3:
160 158 big_finish(&(key->n));
161 159 ret2:
162 160 big_finish(&(key->q));
163 161 ret1:
164 162 big_finish(&(key->p));
165 163
166 -/* EXPORT DELETE END */
167 -
168 164 return (err);
169 165 }
170 166
171 167 static void
172 168 RSA_key_finish(RSAkey *key)
173 169 {
174 -
175 -/* EXPORT DELETE START */
176 -
177 170 big_finish(&(key->n_rr));
178 171 big_finish(&(key->q_rr));
179 172 big_finish(&(key->p_rr));
180 173 big_finish(&(key->pinvmodq));
181 174 big_finish(&(key->dmodqminus1));
182 175 big_finish(&(key->dmodpminus1));
183 176 big_finish(&(key->e));
184 177 big_finish(&(key->d));
185 178 big_finish(&(key->n));
186 179 big_finish(&(key->q));
187 180 big_finish(&(key->p));
188 -
189 -/* EXPORT DELETE END */
190 -
191 181 }
192 182
193 183 /*
194 184 * Generate RSA key
195 185 */
196 186 static CK_RV
197 187 generate_rsa_key(RSAkey *key, int psize, int qsize, BIGNUM *pubexp,
198 188 int (*rfunc)(void *, size_t))
199 189 {
200 190 CK_RV rv = CKR_OK;
201 191
202 -/* EXPORT DELETE START */
203 -
204 192 int (*rf)(void *, size_t);
205 193 BIGNUM a, b, c, d, e, f, g, h;
206 194 int len, keylen, size;
207 195 BIG_ERR_CODE brv = BIG_OK;
208 196
209 197 size = psize + qsize;
210 198 keylen = BITLEN2BIGNUMLEN(size);
211 199 len = keylen * 2 + 1;
212 200 key->size = size;
213 201
214 202 /*
215 203 * Note: It is not really necessary to compute e, it is in pubexp:
216 204 * (void) big_copy(&(key->e), pubexp);
217 205 */
218 206
219 207 a.malloced = 0;
220 208 b.malloced = 0;
221 209 c.malloced = 0;
222 210 d.malloced = 0;
223 211 e.malloced = 0;
224 212 f.malloced = 0;
225 213 g.malloced = 0;
226 214 h.malloced = 0;
227 215
228 216 if ((big_init(&a, len) != BIG_OK) ||
229 217 (big_init(&b, len) != BIG_OK) ||
230 218 (big_init(&c, len) != BIG_OK) ||
231 219 (big_init(&d, len) != BIG_OK) ||
232 220 (big_init(&e, len) != BIG_OK) ||
233 221 (big_init(&f, len) != BIG_OK) ||
234 222 (big_init(&g, len) != BIG_OK) ||
235 223 (big_init(&h, len) != BIG_OK)) {
236 224 big_finish(&h);
237 225 big_finish(&g);
238 226 big_finish(&f);
239 227 big_finish(&e);
240 228 big_finish(&d);
241 229 big_finish(&c);
242 230 big_finish(&b);
243 231 big_finish(&a);
244 232
245 233 return (CKR_HOST_MEMORY);
246 234 }
247 235
248 236 rf = rfunc;
249 237 if (rf == NULL) {
250 238 #ifdef _KERNEL
251 239 rf = (int (*)(void *, size_t))random_get_pseudo_bytes;
252 240 #else
253 241 rf = pkcs11_get_urandom;
254 242 #endif
255 243 }
256 244
257 245 nextp:
258 246 if ((brv = big_random(&a, psize, rf)) != BIG_OK) {
259 247 goto ret;
260 248 }
261 249
262 250 if ((brv = big_nextprime_pos(&b, &a)) != BIG_OK) {
263 251 goto ret;
264 252 }
265 253 /* b now contains the potential prime p */
266 254
267 255 (void) big_sub_pos(&a, &b, &big_One);
268 256 if ((brv = big_ext_gcd_pos(&f, &d, &g, pubexp, &a)) != BIG_OK) {
269 257 goto ret;
270 258 }
271 259 if (big_cmp_abs(&f, &big_One) != 0) {
272 260 goto nextp;
273 261 }
274 262
275 263 if ((brv = big_random(&c, qsize, rf)) != BIG_OK) {
276 264 goto ret;
277 265 }
278 266
279 267 nextq:
280 268 (void) big_add(&a, &c, &big_Two);
281 269
282 270 if (big_bitlength(&a) != qsize) {
283 271 goto nextp;
284 272 }
285 273 if (big_cmp_abs(&a, &b) == 0) {
286 274 goto nextp;
287 275 }
288 276 if ((brv = big_nextprime_pos(&c, &a)) != BIG_OK) {
289 277 goto ret;
290 278 }
291 279 /* c now contains the potential prime q */
292 280
293 281 if ((brv = big_mul(&g, &b, &c)) != BIG_OK) {
294 282 goto ret;
295 283 }
296 284 if (big_bitlength(&g) != size) {
297 285 goto nextp;
298 286 }
299 287 /* g now contains the potential modulus n */
300 288
301 289 (void) big_sub_pos(&a, &b, &big_One);
302 290 (void) big_sub_pos(&d, &c, &big_One);
303 291
304 292 if ((brv = big_mul(&a, &a, &d)) != BIG_OK) {
305 293 goto ret;
306 294 }
307 295 if ((brv = big_ext_gcd_pos(&f, &d, &h, pubexp, &a)) != BIG_OK) {
308 296 goto ret;
309 297 }
310 298 if (big_cmp_abs(&f, &big_One) != 0) {
311 299 goto nextq;
312 300 } else {
313 301 (void) big_copy(&e, pubexp);
314 302 }
315 303 if (d.sign == -1) {
316 304 if ((brv = big_add(&d, &d, &a)) != BIG_OK) {
317 305 goto ret;
318 306 }
319 307 }
320 308 (void) big_copy(&(key->p), &b);
321 309 (void) big_copy(&(key->q), &c);
322 310 (void) big_copy(&(key->n), &g);
323 311 (void) big_copy(&(key->d), &d);
324 312 (void) big_copy(&(key->e), &e);
325 313
326 314 if ((brv = big_ext_gcd_pos(&a, &f, &h, &b, &c)) != BIG_OK) {
327 315 goto ret;
328 316 }
329 317 if (f.sign == -1) {
330 318 if ((brv = big_add(&f, &f, &c)) != BIG_OK) {
331 319 goto ret;
332 320 }
333 321 }
334 322 (void) big_copy(&(key->pinvmodq), &f);
335 323
336 324 (void) big_sub(&a, &b, &big_One);
337 325 if ((brv = big_div_pos(&a, &f, &d, &a)) != BIG_OK) {
338 326 goto ret;
339 327 }
340 328 (void) big_copy(&(key->dmodpminus1), &f);
341 329 (void) big_sub(&a, &c, &big_One);
342 330 if ((brv = big_div_pos(&a, &f, &d, &a)) != BIG_OK) {
343 331 goto ret;
344 332 }
345 333 (void) big_copy(&(key->dmodqminus1), &f);
346 334
347 335 /* pairwise consistency check: decrypt and encrypt restores value */
348 336 if ((brv = big_random(&h, size, rf)) != BIG_OK) {
349 337 goto ret;
350 338 }
351 339 if ((brv = big_div_pos(&a, &h, &h, &g)) != BIG_OK) {
352 340 goto ret;
353 341 }
354 342 if ((brv = big_modexp(&a, &h, &d, &g, NULL)) != BIG_OK) {
355 343 goto ret;
356 344 }
357 345
358 346 if ((brv = big_modexp(&b, &a, &e, &g, NULL)) != BIG_OK) {
359 347 goto ret;
360 348 }
361 349
362 350 if (big_cmp_abs(&b, &h) != 0) {
363 351 /* this should not happen */
364 352 rv = generate_rsa_key(key, psize, qsize, pubexp, rf);
365 353 goto ret1;
366 354 } else {
367 355 brv = BIG_OK;
368 356 }
369 357
370 358 ret:
371 359 rv = convert_rv(brv);
↓ open down ↓ |
158 lines elided |
↑ open up ↑ |
372 360 ret1:
373 361 big_finish(&h);
374 362 big_finish(&g);
375 363 big_finish(&f);
376 364 big_finish(&e);
377 365 big_finish(&d);
378 366 big_finish(&c);
379 367 big_finish(&b);
380 368 big_finish(&a);
381 369
382 -/* EXPORT DELETE END */
383 -
384 370 return (rv);
385 371 }
386 372
387 373 CK_RV
388 374 rsa_genkey_pair(RSAbytekey *bkey)
389 375 {
390 376 /*
391 377 * NOTE: Whomever originally wrote this function swapped p and q.
392 378 * This table shows the mapping between name convention used here
393 379 * versus what is used in most texts that describe RSA key generation.
394 380 * This function: Standard convention:
395 381 * -------------- --------------------
396 382 * modulus, n -same-
397 383 * prime 1, q prime 1, p
398 384 * prime 2, p prime 2, q
399 385 * private exponent, d -same-
400 386 * public exponent, e -same-
401 387 * exponent 1, d mod (q-1) d mod (p-1)
402 388 * exponent 2, d mod (p-1) d mod (q-1)
403 389 * coefficient, p^-1 mod q q^-1 mod p
404 390 *
↓ open down ↓ |
11 lines elided |
↑ open up ↑ |
405 391 * Also notice the struct member for coefficient is named .pinvmodq
406 392 * rather than .qinvmodp, reflecting the switch.
407 393 *
408 394 * The code here wasn't unswapped, because "it works". Further,
409 395 * p and q are interchangeable as long as exponent 1 and 2 and
410 396 * the coefficient are kept straight too. This note is here to
411 397 * make the reader aware of the switcheroo.
412 398 */
413 399 CK_RV rv = CKR_OK;
414 400
415 -/* EXPORT DELETE START */
416 -
417 401 BIGNUM public_exponent = {0};
418 402 RSAkey rsakey;
419 403 uint32_t modulus_bytes;
420 404
421 405 if (bkey == NULL)
422 406 return (CKR_ARGUMENTS_BAD);
423 407
424 408 /* Must have modulus bits set */
425 409 if (bkey->modulus_bits == 0)
426 410 return (CKR_ARGUMENTS_BAD);
427 411
428 412 /* Must have public exponent set */
429 413 if (bkey->pubexpo_bytes == 0 || bkey->pubexpo == NULL)
430 414 return (CKR_ARGUMENTS_BAD);
431 415
432 416 /* Note: modulus_bits may not be same as (8 * sizeof (modulus)) */
433 417 modulus_bytes = CRYPTO_BITS2BYTES(bkey->modulus_bits);
434 418
435 419 /* Modulus length needs to be between min key size and max key size. */
436 420 if ((modulus_bytes < MIN_RSA_KEYLENGTH_IN_BYTES) ||
437 421 (modulus_bytes > MAX_RSA_KEYLENGTH_IN_BYTES)) {
438 422 return (CKR_KEY_SIZE_RANGE);
439 423 }
440 424
441 425 /*
442 426 * Initialize the RSA key.
443 427 */
444 428 if (RSA_key_init(&rsakey, modulus_bytes * 4, modulus_bytes * 4) !=
445 429 BIG_OK) {
446 430 return (CKR_HOST_MEMORY);
447 431 }
448 432
449 433 /* Create a public exponent in bignum format. */
450 434 if (big_init(&public_exponent,
451 435 CHARLEN2BIGNUMLEN(bkey->pubexpo_bytes)) != BIG_OK) {
452 436 rv = CKR_HOST_MEMORY;
453 437 goto clean1;
454 438 }
455 439 bytestring2bignum(&public_exponent, bkey->pubexpo, bkey->pubexpo_bytes);
456 440
457 441 /* Generate RSA key pair. */
458 442 if ((rv = generate_rsa_key(&rsakey,
459 443 modulus_bytes * 4, modulus_bytes * 4, &public_exponent,
460 444 bkey->rfunc)) != CKR_OK) {
461 445 big_finish(&public_exponent);
462 446 goto clean1;
463 447 }
464 448 big_finish(&public_exponent);
465 449
466 450 /* modulus_bytes = rsakey.n.len * (int)sizeof (BIG_CHUNK_TYPE); */
467 451 bignum2bytestring(bkey->modulus, &(rsakey.n), modulus_bytes);
468 452
469 453 bkey->privexpo_bytes = rsakey.d.len * (int)sizeof (BIG_CHUNK_TYPE);
470 454 bignum2bytestring(bkey->privexpo, &(rsakey.d), bkey->privexpo_bytes);
471 455
472 456 bkey->pubexpo_bytes = rsakey.e.len * (int)sizeof (BIG_CHUNK_TYPE);
473 457 bignum2bytestring(bkey->pubexpo, &(rsakey.e), bkey->pubexpo_bytes);
474 458
475 459 bkey->prime1_bytes = rsakey.q.len * (int)sizeof (BIG_CHUNK_TYPE);
476 460 bignum2bytestring(bkey->prime1, &(rsakey.q), bkey->prime1_bytes);
477 461
478 462 bkey->prime2_bytes = rsakey.p.len * (int)sizeof (BIG_CHUNK_TYPE);
479 463 bignum2bytestring(bkey->prime2, &(rsakey.p), bkey->prime2_bytes);
480 464
481 465 bkey->expo1_bytes =
482 466 rsakey.dmodqminus1.len * (int)sizeof (BIG_CHUNK_TYPE);
483 467 bignum2bytestring(bkey->expo1, &(rsakey.dmodqminus1),
484 468 bkey->expo1_bytes);
485 469
486 470 bkey->expo2_bytes =
487 471 rsakey.dmodpminus1.len * (int)sizeof (BIG_CHUNK_TYPE);
↓ open down ↓ |
61 lines elided |
↑ open up ↑ |
488 472 bignum2bytestring(bkey->expo2,
489 473 &(rsakey.dmodpminus1), bkey->expo2_bytes);
490 474
491 475 bkey->coeff_bytes =
492 476 rsakey.pinvmodq.len * (int)sizeof (BIG_CHUNK_TYPE);
493 477 bignum2bytestring(bkey->coeff, &(rsakey.pinvmodq), bkey->coeff_bytes);
494 478
495 479 clean1:
496 480 RSA_key_finish(&rsakey);
497 481
498 -/* EXPORT DELETE END */
499 -
500 482 return (rv);
501 483 }
502 484
503 485 /*
504 486 * RSA encrypt operation
505 487 */
506 488 CK_RV
507 489 rsa_encrypt(RSAbytekey *bkey, uchar_t *in, uint32_t in_len, uchar_t *out)
508 490 {
509 491 CK_RV rv = CKR_OK;
510 492
511 -/* EXPORT DELETE START */
512 -
513 493 BIGNUM msg;
514 494 RSAkey rsakey;
515 495 uint32_t modulus_bytes;
516 496
517 497 if (bkey == NULL)
518 498 return (CKR_ARGUMENTS_BAD);
519 499
520 500 /* Must have modulus and public exponent set */
521 501 if (bkey->modulus_bits == 0 || bkey->modulus == NULL ||
522 502 bkey->pubexpo_bytes == 0 || bkey->pubexpo == NULL)
523 503 return (CKR_ARGUMENTS_BAD);
524 504
525 505 /* Note: modulus_bits may not be same as (8 * sizeof (modulus)) */
526 506 modulus_bytes = CRYPTO_BITS2BYTES(bkey->modulus_bits);
527 507
528 508 if (bkey->pubexpo_bytes > modulus_bytes) {
529 509 return (CKR_KEY_SIZE_RANGE);
530 510 }
531 511
532 512 /* psize and qsize for RSA_key_init is in bits. */
533 513 if (RSA_key_init(&rsakey, modulus_bytes * 4, modulus_bytes * 4) !=
534 514 BIG_OK) {
535 515 return (CKR_HOST_MEMORY);
536 516 }
537 517
538 518 /* Size for big_init is in BIG_CHUNK_TYPE words. */
539 519 if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) {
540 520 rv = CKR_HOST_MEMORY;
541 521 goto clean2;
542 522 }
543 523 bytestring2bignum(&msg, in, in_len);
544 524
545 525 /* Convert public exponent and modulus to big integer format. */
546 526 bytestring2bignum(&(rsakey.e), bkey->pubexpo, bkey->pubexpo_bytes);
547 527 bytestring2bignum(&(rsakey.n), bkey->modulus, modulus_bytes);
548 528
549 529 if (big_cmp_abs(&msg, &(rsakey.n)) > 0) {
550 530 rv = CKR_DATA_LEN_RANGE;
551 531 goto clean3;
552 532 }
553 533
554 534 /* Perform RSA computation on big integer input data. */
555 535 if (big_modexp(&msg, &msg, &(rsakey.e), &(rsakey.n), NULL) !=
556 536 BIG_OK) {
557 537 rv = CKR_HOST_MEMORY;
558 538 goto clean3;
↓ open down ↓ |
36 lines elided |
↑ open up ↑ |
559 539 }
560 540
561 541 /* Convert the big integer output data to octet string. */
562 542 bignum2bytestring(out, &msg, modulus_bytes);
563 543
564 544 clean3:
565 545 big_finish(&msg);
566 546 clean2:
567 547 RSA_key_finish(&rsakey);
568 548
569 -/* EXPORT DELETE END */
570 -
571 549 return (rv);
572 550 }
573 551
574 552 /*
575 553 * RSA decrypt operation
576 554 */
577 555 CK_RV
578 556 rsa_decrypt(RSAbytekey *bkey, uchar_t *in, uint32_t in_len, uchar_t *out)
579 557 {
580 558 CK_RV rv = CKR_OK;
581 559
582 -/* EXPORT DELETE START */
583 -
584 560 BIGNUM msg;
585 561 RSAkey rsakey;
586 562 uint32_t modulus_bytes;
587 563
588 564 if (bkey == NULL)
589 565 return (CKR_ARGUMENTS_BAD);
590 566
591 567 /* Must have modulus, prime1, prime2, expo1, expo2, and coeff set */
592 568 if (bkey->modulus_bits == 0 || bkey->modulus == NULL ||
593 569 bkey->prime1_bytes == 0 || bkey->prime1 == NULL ||
594 570 bkey->prime2_bytes == 0 || bkey->prime2 == NULL ||
595 571 bkey->expo1_bytes == 0 || bkey->expo1 == NULL ||
596 572 bkey->expo2_bytes == 0 || bkey->expo2 == NULL ||
597 573 bkey->coeff_bytes == 0 || bkey->coeff == NULL)
598 574 return (CKR_ARGUMENTS_BAD);
599 575
600 576 /* Note: modulus_bits may not be same as (8 * sizeof (modulus)) */
601 577 modulus_bytes = CRYPTO_BITS2BYTES(bkey->modulus_bits);
602 578
603 579 /* psize and qsize for RSA_key_init is in bits. */
604 580 if (RSA_key_init(&rsakey, CRYPTO_BYTES2BITS(bkey->prime2_bytes),
605 581 CRYPTO_BYTES2BITS(bkey->prime1_bytes)) != BIG_OK) {
606 582 return (CKR_HOST_MEMORY);
607 583 }
608 584
609 585 /* Size for big_init is in BIG_CHUNK_TYPE words. */
610 586 if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) {
611 587 rv = CKR_HOST_MEMORY;
612 588 goto clean3;
613 589 }
614 590 /* Convert octet string input data to big integer format. */
615 591 bytestring2bignum(&msg, in, in_len);
616 592
617 593 /* Convert octet string modulus to big integer format. */
618 594 bytestring2bignum(&(rsakey.n), bkey->modulus, modulus_bytes);
619 595
620 596 if (big_cmp_abs(&msg, &(rsakey.n)) > 0) {
621 597 rv = CKR_DATA_LEN_RANGE;
622 598 goto clean4;
623 599 }
624 600
625 601 /* Convert the rest of private key attributes to big integer format. */
626 602 bytestring2bignum(&(rsakey.q), bkey->prime1, bkey->prime1_bytes);
627 603 bytestring2bignum(&(rsakey.p), bkey->prime2, bkey->prime2_bytes);
628 604 bytestring2bignum(&(rsakey.dmodqminus1),
629 605 bkey->expo1, bkey->expo1_bytes);
630 606 bytestring2bignum(&(rsakey.dmodpminus1),
631 607 bkey->expo2, bkey->expo2_bytes);
632 608 bytestring2bignum(&(rsakey.pinvmodq),
633 609 bkey->coeff, bkey->coeff_bytes);
634 610
635 611 if ((big_cmp_abs(&(rsakey.dmodpminus1), &(rsakey.p)) > 0) ||
636 612 (big_cmp_abs(&(rsakey.dmodqminus1), &(rsakey.q)) > 0) ||
637 613 (big_cmp_abs(&(rsakey.pinvmodq), &(rsakey.q)) > 0)) {
638 614 rv = CKR_KEY_SIZE_RANGE;
639 615 goto clean4;
640 616 }
641 617
642 618 /* Perform RSA computation on big integer input data. */
643 619 if (big_modexp_crt(&msg, &msg, &(rsakey.dmodpminus1),
644 620 &(rsakey.dmodqminus1), &(rsakey.p), &(rsakey.q),
645 621 &(rsakey.pinvmodq), NULL, NULL) != BIG_OK) {
646 622 rv = CKR_HOST_MEMORY;
647 623 goto clean4;
↓ open down ↓ |
54 lines elided |
↑ open up ↑ |
648 624 }
649 625
650 626 /* Convert the big integer output data to octet string. */
651 627 bignum2bytestring(out, &msg, modulus_bytes);
652 628
653 629 clean4:
654 630 big_finish(&msg);
655 631 clean3:
656 632 RSA_key_finish(&rsakey);
657 633
658 -/* EXPORT DELETE END */
659 -
660 634 return (rv);
661 635 }
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX