xref: /titanic_41/usr/src/uts/common/crypto/io/rsa.c (revision 418e2f3050b6a419bd7c37e2ed3d8dd99b7cc261)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
24  */
25 
26 /*
27  * RSA provider for the Kernel Cryptographic Framework (KCF)
28  */
29 
30 #include <sys/types.h>
31 #include <sys/systm.h>
32 #include <sys/modctl.h>
33 #include <sys/cmn_err.h>
34 #include <sys/ddi.h>
35 #include <sys/crypto/spi.h>
36 #include <sys/sysmacros.h>
37 #include <sys/strsun.h>
38 #include <sys/md5.h>
39 #include <sys/sha1.h>
40 #define	_SHA2_IMPL
41 #include <sys/sha2.h>
42 #include <sys/random.h>
43 #include <sys/crypto/impl.h>
44 #include <sha1/sha1_impl.h>
45 #include <sha2/sha2_impl.h>
46 #include <padding/padding.h>
47 #define	_RSA_FIPS_POST
48 #include <rsa/rsa_impl.h>
49 
50 extern struct mod_ops mod_cryptoops;
51 
52 /*
53  * Module linkage information for the kernel.
54  */
55 static struct modlcrypto modlcrypto = {
56 	&mod_cryptoops,
57 	"RSA Kernel SW Provider"
58 };
59 
60 static struct modlinkage modlinkage = {
61 	MODREV_1,
62 	(void *)&modlcrypto,
63 	NULL
64 };
65 
66 /*
67  * CSPI information (entry points, provider info, etc.)
68  */
69 typedef enum rsa_mech_type {
70 	RSA_PKCS_MECH_INFO_TYPE,	/* SUN_CKM_RSA_PKCS */
71 	RSA_X_509_MECH_INFO_TYPE,	/* SUN_CKM_RSA_X_509 */
72 	MD5_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_MD5_RSA_PKCS */
73 	SHA1_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_SHA1_RSA_PKCS */
74 	SHA256_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_SHA256_RSA_PKCS */
75 	SHA384_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_SHA384_RSA_PKCS */
76 	SHA512_RSA_PKCS_MECH_INFO_TYPE	/* SUN_SHA512_RSA_PKCS */
77 } rsa_mech_type_t;
78 
79 /*
80  * Context for RSA_PKCS and RSA_X_509 mechanisms.
81  */
82 typedef struct rsa_ctx {
83 	rsa_mech_type_t	mech_type;
84 	crypto_key_t *key;
85 	size_t keychunk_size;
86 } rsa_ctx_t;
87 
88 /*
89  * Context for MD5_RSA_PKCS and SHA*_RSA_PKCS mechanisms.
90  */
91 typedef struct digest_rsa_ctx {
92 	rsa_mech_type_t	mech_type;
93 	crypto_key_t *key;
94 	size_t keychunk_size;
95 	union {
96 		MD5_CTX md5ctx;
97 		SHA1_CTX sha1ctx;
98 		SHA2_CTX sha2ctx;
99 	} dctx_u;
100 } digest_rsa_ctx_t;
101 
102 #define	md5_ctx		dctx_u.md5ctx
103 #define	sha1_ctx	dctx_u.sha1ctx
104 #define	sha2_ctx	dctx_u.sha2ctx
105 
106 /*
107  * Mechanism info structure passed to KCF during registration.
108  */
109 static crypto_mech_info_t rsa_mech_info_tab[] = {
110 	/* RSA_PKCS */
111 	{SUN_CKM_RSA_PKCS, RSA_PKCS_MECH_INFO_TYPE,
112 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
113 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
114 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
115 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC |
116 	    CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC |
117 	    CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC,
118 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
119 
120 	/* RSA_X_509 */
121 	{SUN_CKM_RSA_X_509, RSA_X_509_MECH_INFO_TYPE,
122 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
123 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
124 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
125 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC |
126 	    CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC |
127 	    CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC,
128 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
129 
130 	/* MD5_RSA_PKCS */
131 	{SUN_CKM_MD5_RSA_PKCS, MD5_RSA_PKCS_MECH_INFO_TYPE,
132 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
133 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
134 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
135 
136 	/* SHA1_RSA_PKCS */
137 	{SUN_CKM_SHA1_RSA_PKCS, SHA1_RSA_PKCS_MECH_INFO_TYPE,
138 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
139 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
140 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
141 
142 	/* SHA256_RSA_PKCS */
143 	{SUN_CKM_SHA256_RSA_PKCS, SHA256_RSA_PKCS_MECH_INFO_TYPE,
144 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
145 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
146 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
147 
148 	/* SHA384_RSA_PKCS */
149 	{SUN_CKM_SHA384_RSA_PKCS, SHA384_RSA_PKCS_MECH_INFO_TYPE,
150 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
151 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
152 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
153 
154 	/* SHA512_RSA_PKCS */
155 	{SUN_CKM_SHA512_RSA_PKCS, SHA512_RSA_PKCS_MECH_INFO_TYPE,
156 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
157 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
158 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}
159 
160 };
161 
162 #define	RSA_VALID_MECH(mech)					\
163 	(((mech)->cm_type == RSA_PKCS_MECH_INFO_TYPE ||		\
164 	(mech)->cm_type == RSA_X_509_MECH_INFO_TYPE ||		\
165 	(mech)->cm_type == MD5_RSA_PKCS_MECH_INFO_TYPE ||	\
166 	(mech)->cm_type == SHA1_RSA_PKCS_MECH_INFO_TYPE ||	\
167 	(mech)->cm_type == SHA256_RSA_PKCS_MECH_INFO_TYPE ||	\
168 	(mech)->cm_type == SHA384_RSA_PKCS_MECH_INFO_TYPE ||	\
169 	(mech)->cm_type == SHA512_RSA_PKCS_MECH_INFO_TYPE) ? 1 : 0)
170 
171 /* operations are in-place if the output buffer is NULL */
172 #define	RSA_ARG_INPLACE(input, output)				\
173 	if ((output) == NULL)					\
174 		(output) = (input);
175 
176 static void rsa_provider_status(crypto_provider_handle_t, uint_t *);
177 
178 static crypto_control_ops_t rsa_control_ops = {
179 	rsa_provider_status
180 };
181 
182 static int rsa_common_init(crypto_ctx_t *, crypto_mechanism_t *,
183     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
184 static int rsaprov_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
185     crypto_req_handle_t);
186 static int rsa_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
187     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
188     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
189 static int rsaprov_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
190     crypto_req_handle_t);
191 static int rsa_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
192     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
193     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
194 
195 /*
196  * The RSA mechanisms do not have multiple-part cipher operations.
197  * So, the update and final routines are set to NULL.
198  */
199 static crypto_cipher_ops_t rsa_cipher_ops = {
200 	rsa_common_init,
201 	rsaprov_encrypt,
202 	NULL,
203 	NULL,
204 	rsa_encrypt_atomic,
205 	rsa_common_init,
206 	rsaprov_decrypt,
207 	NULL,
208 	NULL,
209 	rsa_decrypt_atomic
210 };
211 
212 static int rsa_sign_verify_common_init(crypto_ctx_t *, crypto_mechanism_t *,
213     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
214 static int rsaprov_sign(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
215     crypto_req_handle_t);
216 static int rsa_sign_update(crypto_ctx_t *, crypto_data_t *,
217     crypto_req_handle_t);
218 static int rsa_sign_final(crypto_ctx_t *, crypto_data_t *,
219     crypto_req_handle_t);
220 static int rsa_sign_atomic(crypto_provider_handle_t, crypto_session_id_t,
221     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
222     crypto_spi_ctx_template_t, crypto_req_handle_t);
223 
224 /*
225  * We use the same routine for sign_init and sign_recover_init fields
226  * as they do the same thing. Same holds for sign and sign_recover fields,
227  * and sign_atomic and sign_recover_atomic fields.
228  */
229 static crypto_sign_ops_t rsa_sign_ops = {
230 	rsa_sign_verify_common_init,
231 	rsaprov_sign,
232 	rsa_sign_update,
233 	rsa_sign_final,
234 	rsa_sign_atomic,
235 	rsa_sign_verify_common_init,
236 	rsaprov_sign,
237 	rsa_sign_atomic
238 };
239 
240 static int rsaprov_verify(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
241     crypto_req_handle_t);
242 static int rsa_verify_update(crypto_ctx_t *, crypto_data_t *,
243     crypto_req_handle_t);
244 static int rsa_verify_final(crypto_ctx_t *, crypto_data_t *,
245     crypto_req_handle_t);
246 static int rsa_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
247     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
248     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
249 static int rsa_verify_recover(crypto_ctx_t *, crypto_data_t *,
250     crypto_data_t *, crypto_req_handle_t);
251 static int rsa_verify_recover_atomic(crypto_provider_handle_t,
252     crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
253     crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
254     crypto_req_handle_t);
255 
256 /*
257  * We use the same routine (rsa_sign_verify_common_init) for verify_init
258  * and verify_recover_init fields as they do the same thing.
259  */
260 static crypto_verify_ops_t rsa_verify_ops = {
261 	rsa_sign_verify_common_init,
262 	rsaprov_verify,
263 	rsa_verify_update,
264 	rsa_verify_final,
265 	rsa_verify_atomic,
266 	rsa_sign_verify_common_init,
267 	rsa_verify_recover,
268 	rsa_verify_recover_atomic
269 };
270 
271 static int rsa_free_context(crypto_ctx_t *);
272 
273 static crypto_ctx_ops_t rsa_ctx_ops = {
274 	NULL,
275 	rsa_free_context
276 };
277 
278 static void rsa_POST(int *);
279 
280 static crypto_fips140_ops_t rsa_fips140_ops = {
281 	rsa_POST
282 };
283 
284 static crypto_ops_t rsa_crypto_ops = {
285 	&rsa_control_ops,
286 	NULL,
287 	&rsa_cipher_ops,
288 	NULL,
289 	&rsa_sign_ops,
290 	&rsa_verify_ops,
291 	NULL,
292 	NULL,
293 	NULL,
294 	NULL,
295 	NULL,
296 	NULL,
297 	NULL,
298 	&rsa_ctx_ops,
299 	NULL,
300 	NULL,
301 	&rsa_fips140_ops
302 };
303 
304 static crypto_provider_info_t rsa_prov_info = {
305 	CRYPTO_SPI_VERSION_4,
306 	"RSA Software Provider",
307 	CRYPTO_SW_PROVIDER,
308 	{&modlinkage},
309 	NULL,
310 	&rsa_crypto_ops,
311 	sizeof (rsa_mech_info_tab)/sizeof (crypto_mech_info_t),
312 	rsa_mech_info_tab
313 };
314 
315 static int rsa_encrypt_common(rsa_mech_type_t, crypto_key_t *,
316     crypto_data_t *, crypto_data_t *);
317 static int rsa_decrypt_common(rsa_mech_type_t, crypto_key_t *,
318     crypto_data_t *, crypto_data_t *);
319 static int rsa_sign_common(rsa_mech_type_t, crypto_key_t *,
320     crypto_data_t *, crypto_data_t *);
321 static int rsa_verify_common(rsa_mech_type_t, crypto_key_t *,
322     crypto_data_t *, crypto_data_t *);
323 static int compare_data(crypto_data_t *, uchar_t *);
324 
325 /* EXPORT DELETE START */
326 
327 static int core_rsa_encrypt(crypto_key_t *, uchar_t *, int, uchar_t *, int);
328 static int core_rsa_decrypt(crypto_key_t *, uchar_t *, int, uchar_t *);
329 
330 /* EXPORT DELETE END */
331 
332 static crypto_kcf_provider_handle_t rsa_prov_handle = NULL;
333 
334 int
335 _init(void)
336 {
337 	int ret;
338 
339 	if ((ret = mod_install(&modlinkage)) != 0)
340 		return (ret);
341 
342 	/* Register with KCF.  If the registration fails, remove the module. */
343 	if (crypto_register_provider(&rsa_prov_info, &rsa_prov_handle)) {
344 		(void) mod_remove(&modlinkage);
345 		return (EACCES);
346 	}
347 
348 	return (0);
349 }
350 
351 int
352 _fini(void)
353 {
354 	/* Unregister from KCF if module is registered */
355 	if (rsa_prov_handle != NULL) {
356 		if (crypto_unregister_provider(rsa_prov_handle))
357 			return (EBUSY);
358 
359 		rsa_prov_handle = NULL;
360 	}
361 
362 	return (mod_remove(&modlinkage));
363 }
364 
365 int
366 _info(struct modinfo *modinfop)
367 {
368 	return (mod_info(&modlinkage, modinfop));
369 }
370 
371 /* ARGSUSED */
372 static void
373 rsa_provider_status(crypto_provider_handle_t provider, uint_t *status)
374 {
375 	*status = CRYPTO_PROVIDER_READY;
376 }
377 
378 static int
379 check_mech_and_key(crypto_mechanism_t *mechanism, crypto_key_t *key)
380 {
381 	int rv = CRYPTO_FAILED;
382 
383 /* EXPORT DELETE START */
384 
385 	uchar_t *modulus;
386 	ssize_t modulus_len; /* In bytes */
387 
388 	if (!RSA_VALID_MECH(mechanism))
389 		return (CRYPTO_MECHANISM_INVALID);
390 
391 	/*
392 	 * We only support RSA keys that are passed as a list of
393 	 * object attributes.
394 	 */
395 	if (key->ck_format != CRYPTO_KEY_ATTR_LIST) {
396 		return (CRYPTO_KEY_TYPE_INCONSISTENT);
397 	}
398 
399 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
400 	    &modulus_len)) != CRYPTO_SUCCESS) {
401 		return (rv);
402 	}
403 	if (modulus_len < MIN_RSA_KEYLENGTH_IN_BYTES ||
404 	    modulus_len > MAX_RSA_KEYLENGTH_IN_BYTES)
405 		return (CRYPTO_KEY_SIZE_RANGE);
406 
407 /* EXPORT DELETE END */
408 
409 	return (rv);
410 }
411 
412 void
413 kmemset(uint8_t *buf, char pattern, size_t len)
414 {
415 	int i = 0;
416 
417 	while (i < len)
418 		buf[i++] = pattern;
419 }
420 
421 /*
422  * This function guarantees to return non-zero random numbers.
423  * This is needed as the /dev/urandom kernel interface,
424  * random_get_pseudo_bytes(), may return zeros.
425  */
426 int
427 knzero_random_generator(uint8_t *ran_out, size_t ran_len)
428 {
429 	int rv;
430 	size_t ebc = 0; /* count of extra bytes in extrarand */
431 	size_t i = 0;
432 	uint8_t extrarand[32];
433 	size_t extrarand_len;
434 
435 	if ((rv = random_get_pseudo_bytes_fips140(ran_out, ran_len)) != 0)
436 		return (rv);
437 
438 	/*
439 	 * Walk through the returned random numbers pointed by ran_out,
440 	 * and look for any random number which is zero.
441 	 * If we find zero, call random_get_pseudo_bytes() to generate
442 	 * another 32 random numbers pool. Replace any zeros in ran_out[]
443 	 * from the random number in pool.
444 	 */
445 	while (i < ran_len) {
446 		if (ran_out[i] != 0) {
447 			i++;
448 			continue;
449 		}
450 
451 		/*
452 		 * Note that it is 'while' so we are guaranteed a
453 		 * non-zero value on exit.
454 		 */
455 		if (ebc == 0) {
456 			/* refresh extrarand */
457 			extrarand_len = sizeof (extrarand);
458 			if ((rv = random_get_pseudo_bytes_fips140(extrarand,
459 			    extrarand_len)) != 0) {
460 				return (rv);
461 			}
462 
463 			ebc = extrarand_len;
464 		}
465 		/* Replace zero with byte from extrarand. */
466 		-- ebc;
467 
468 		/*
469 		 * The new random byte zero/non-zero will be checked in
470 		 * the next pass through the loop.
471 		 */
472 		ran_out[i] = extrarand[ebc];
473 	}
474 
475 	return (CRYPTO_SUCCESS);
476 }
477 
478 static int
479 compare_data(crypto_data_t *data, uchar_t *buf)
480 {
481 	int len;
482 	uchar_t *dptr;
483 
484 	len = data->cd_length;
485 	switch (data->cd_format) {
486 	case CRYPTO_DATA_RAW:
487 		dptr = (uchar_t *)(data->cd_raw.iov_base +
488 		    data->cd_offset);
489 
490 		return (bcmp(dptr, buf, len));
491 
492 	case CRYPTO_DATA_UIO:
493 		return (crypto_uio_data(data, buf, len,
494 		    COMPARE_TO_DATA, NULL, NULL));
495 
496 	case CRYPTO_DATA_MBLK:
497 		return (crypto_mblk_data(data, buf, len,
498 		    COMPARE_TO_DATA, NULL, NULL));
499 	}
500 
501 	return (CRYPTO_FAILED);
502 }
503 
504 /* ARGSUSED */
505 static int
506 rsa_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
507     crypto_key_t *key, crypto_spi_ctx_template_t template,
508     crypto_req_handle_t req)
509 {
510 	int rv;
511 	int kmflag;
512 	rsa_ctx_t *ctxp;
513 
514 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
515 		return (rv);
516 
517 	/*
518 	 * Allocate a RSA context.
519 	 */
520 	kmflag = crypto_kmflag(req);
521 	if ((ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag)) == NULL)
522 		return (CRYPTO_HOST_MEMORY);
523 
524 	if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size,
525 	    kmflag)) != CRYPTO_SUCCESS) {
526 		kmem_free(ctxp, sizeof (rsa_ctx_t));
527 		return (rv);
528 	}
529 	ctxp->mech_type = mechanism->cm_type;
530 
531 	ctx->cc_provider_private = ctxp;
532 
533 	return (CRYPTO_SUCCESS);
534 }
535 
536 /* ARGSUSED */
537 static int
538 rsaprov_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext,
539     crypto_data_t *ciphertext, crypto_req_handle_t req)
540 {
541 	int rv;
542 	rsa_ctx_t *ctxp;
543 
544 	ASSERT(ctx->cc_provider_private != NULL);
545 	ctxp = ctx->cc_provider_private;
546 
547 	RSA_ARG_INPLACE(plaintext, ciphertext);
548 
549 	/*
550 	 * Note on the KM_SLEEP flag passed to the routine below -
551 	 * rsaprov_encrypt() is a single-part encryption routine which is
552 	 * currently usable only by /dev/crypto. Since /dev/crypto calls are
553 	 * always synchronous, we can safely pass KM_SLEEP here.
554 	 */
555 	rv = rsa_encrypt_common(ctxp->mech_type, ctxp->key, plaintext,
556 	    ciphertext);
557 
558 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
559 		(void) rsa_free_context(ctx);
560 
561 	return (rv);
562 }
563 
564 /* ARGSUSED */
565 static int
566 rsa_encrypt_atomic(crypto_provider_handle_t provider,
567     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
568     crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext,
569     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
570 {
571 	int rv;
572 
573 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
574 		return (rv);
575 	RSA_ARG_INPLACE(plaintext, ciphertext);
576 
577 	return (rsa_encrypt_common(mechanism->cm_type, key, plaintext,
578 	    ciphertext));
579 }
580 
581 static int
582 rsa_free_context(crypto_ctx_t *ctx)
583 {
584 	rsa_ctx_t *ctxp = ctx->cc_provider_private;
585 
586 	if (ctxp != NULL) {
587 		bzero(ctxp->key, ctxp->keychunk_size);
588 		kmem_free(ctxp->key, ctxp->keychunk_size);
589 
590 		if (ctxp->mech_type == RSA_PKCS_MECH_INFO_TYPE ||
591 		    ctxp->mech_type == RSA_X_509_MECH_INFO_TYPE)
592 			kmem_free(ctxp, sizeof (rsa_ctx_t));
593 		else
594 			kmem_free(ctxp, sizeof (digest_rsa_ctx_t));
595 
596 		ctx->cc_provider_private = NULL;
597 	}
598 
599 	return (CRYPTO_SUCCESS);
600 }
601 
602 static int
603 rsa_encrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
604     crypto_data_t *plaintext, crypto_data_t *ciphertext)
605 {
606 	int rv = CRYPTO_FAILED;
607 
608 /* EXPORT DELETE START */
609 
610 	int plen;
611 	uchar_t *ptptr;
612 	uchar_t *modulus;
613 	ssize_t modulus_len;
614 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
615 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
616 	uchar_t cipher_data[MAX_RSA_KEYLENGTH_IN_BYTES];
617 
618 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
619 	    &modulus_len)) != CRYPTO_SUCCESS) {
620 		return (rv);
621 	}
622 
623 	plen = plaintext->cd_length;
624 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
625 		if (plen > (modulus_len - MIN_PKCS1_PADLEN))
626 			return (CRYPTO_DATA_LEN_RANGE);
627 	} else {
628 		if (plen > modulus_len)
629 			return (CRYPTO_DATA_LEN_RANGE);
630 	}
631 
632 	/*
633 	 * Output buf len must not be less than RSA modulus size.
634 	 */
635 	if (ciphertext->cd_length < modulus_len) {
636 		ciphertext->cd_length = modulus_len;
637 		return (CRYPTO_BUFFER_TOO_SMALL);
638 	}
639 
640 	ASSERT(plaintext->cd_length <= sizeof (tmp_data));
641 	if ((rv = crypto_get_input_data(plaintext, &ptptr, tmp_data))
642 	    != CRYPTO_SUCCESS)
643 		return (rv);
644 
645 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
646 		rv = pkcs1_encode(PKCS1_ENCRYPT, ptptr, plen,
647 		    plain_data, modulus_len);
648 
649 		if (rv != CRYPTO_SUCCESS)
650 			return (rv);
651 	} else {
652 		bzero(plain_data, modulus_len - plen);
653 		bcopy(ptptr, &plain_data[modulus_len - plen], plen);
654 	}
655 
656 	rv = core_rsa_encrypt(key, plain_data, modulus_len, cipher_data, 1);
657 	if (rv == CRYPTO_SUCCESS) {
658 		/* copy out to ciphertext */
659 		if ((rv = crypto_put_output_data(cipher_data,
660 		    ciphertext, modulus_len)) != CRYPTO_SUCCESS)
661 			return (rv);
662 
663 		ciphertext->cd_length = modulus_len;
664 	}
665 
666 /* EXPORT DELETE END */
667 
668 	return (rv);
669 }
670 
671 /* EXPORT DELETE START */
672 
673 static int
674 core_rsa_encrypt(crypto_key_t *key, uchar_t *in,
675     int in_len, uchar_t *out, int is_public)
676 {
677 	int rv;
678 	uchar_t *expo, *modulus;
679 	ssize_t	expo_len;
680 	ssize_t modulus_len;
681 	RSAbytekey k;
682 
683 	if (is_public) {
684 		if ((rv = crypto_get_key_attr(key, SUN_CKA_PUBLIC_EXPONENT,
685 		    &expo, &expo_len)) != CRYPTO_SUCCESS)
686 			return (rv);
687 	} else {
688 		/*
689 		 * SUN_CKA_PRIVATE_EXPONENT is a required attribute for a
690 		 * RSA secret key. See the comments in core_rsa_decrypt
691 		 * routine which calls this routine with a private key.
692 		 */
693 		if ((rv = crypto_get_key_attr(key, SUN_CKA_PRIVATE_EXPONENT,
694 		    &expo, &expo_len)) != CRYPTO_SUCCESS)
695 			return (rv);
696 	}
697 
698 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
699 	    &modulus_len)) != CRYPTO_SUCCESS) {
700 		return (rv);
701 	}
702 
703 	k.modulus = modulus;
704 	k.modulus_bits = CRYPTO_BYTES2BITS(modulus_len);
705 	k.pubexpo = expo;
706 	k.pubexpo_bytes = expo_len;
707 	k.rfunc = NULL;
708 
709 	rv = rsa_encrypt(&k, in, in_len, out);
710 
711 	return (rv);
712 }
713 
714 /* EXPORT DELETE END */
715 
716 /* ARGSUSED */
717 static int
718 rsaprov_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
719     crypto_data_t *plaintext, crypto_req_handle_t req)
720 {
721 	int rv;
722 	rsa_ctx_t *ctxp;
723 
724 	ASSERT(ctx->cc_provider_private != NULL);
725 	ctxp = ctx->cc_provider_private;
726 
727 	RSA_ARG_INPLACE(ciphertext, plaintext);
728 
729 	/* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
730 	rv = rsa_decrypt_common(ctxp->mech_type, ctxp->key,
731 	    ciphertext, plaintext);
732 
733 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
734 		(void) rsa_free_context(ctx);
735 
736 	return (rv);
737 }
738 
739 /* ARGSUSED */
740 static int
741 rsa_decrypt_atomic(crypto_provider_handle_t provider,
742     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
743     crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
744     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
745 {
746 	int rv;
747 
748 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
749 		return (rv);
750 	RSA_ARG_INPLACE(ciphertext, plaintext);
751 
752 	return (rsa_decrypt_common(mechanism->cm_type, key, ciphertext,
753 	    plaintext));
754 }
755 
756 static int
757 rsa_decrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
758     crypto_data_t *ciphertext, crypto_data_t *plaintext)
759 {
760 	int rv = CRYPTO_FAILED;
761 
762 /* EXPORT DELETE START */
763 
764 	size_t plain_len;
765 	uchar_t *ctptr;
766 	uchar_t *modulus;
767 	ssize_t modulus_len;
768 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
769 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
770 
771 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
772 	    &modulus_len)) != CRYPTO_SUCCESS) {
773 		return (rv);
774 	}
775 
776 	/*
777 	 * Ciphertext length must be equal to RSA modulus size.
778 	 */
779 	if (ciphertext->cd_length != modulus_len)
780 		return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
781 
782 	ASSERT(ciphertext->cd_length <= sizeof (tmp_data));
783 	if ((rv = crypto_get_input_data(ciphertext, &ctptr, tmp_data))
784 	    != CRYPTO_SUCCESS)
785 		return (rv);
786 
787 	rv = core_rsa_decrypt(key, ctptr, modulus_len, plain_data);
788 	if (rv == CRYPTO_SUCCESS) {
789 		plain_len = modulus_len;
790 
791 		if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
792 			/* Strip off the PKCS block formatting data. */
793 			rv = pkcs1_decode(PKCS1_DECRYPT, plain_data,
794 			    &plain_len);
795 			if (rv != CRYPTO_SUCCESS)
796 				return (rv);
797 		}
798 
799 		if (plain_len > plaintext->cd_length) {
800 			plaintext->cd_length = plain_len;
801 			return (CRYPTO_BUFFER_TOO_SMALL);
802 		}
803 
804 		if ((rv = crypto_put_output_data(
805 		    plain_data + modulus_len - plain_len,
806 		    plaintext, plain_len)) != CRYPTO_SUCCESS)
807 			return (rv);
808 
809 		plaintext->cd_length = plain_len;
810 	}
811 
812 /* EXPORT DELETE END */
813 
814 	return (rv);
815 }
816 
817 /* EXPORT DELETE START */
818 
819 static int
820 core_rsa_decrypt(crypto_key_t *key, uchar_t *in, int in_len, uchar_t *out)
821 {
822 	int rv;
823 	uchar_t *modulus, *prime1, *prime2, *expo1, *expo2, *coef;
824 	ssize_t modulus_len;
825 	ssize_t	prime1_len, prime2_len;
826 	ssize_t	expo1_len, expo2_len, coef_len;
827 	RSAbytekey k;
828 
829 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
830 	    &modulus_len)) != CRYPTO_SUCCESS) {
831 		return (rv);
832 	}
833 
834 	/*
835 	 * The following attributes are not required to be
836 	 * present in a RSA secret key. If any of them is not present
837 	 * we call the encrypt routine with a flag indicating use of
838 	 * private exponent (d). Note that SUN_CKA_PRIVATE_EXPONENT is
839 	 * a required attribute for a RSA secret key.
840 	 */
841 	if ((crypto_get_key_attr(key, SUN_CKA_PRIME_1, &prime1, &prime1_len)
842 	    != CRYPTO_SUCCESS) ||
843 	    (crypto_get_key_attr(key, SUN_CKA_PRIME_2, &prime2, &prime2_len)
844 	    != CRYPTO_SUCCESS) ||
845 	    (crypto_get_key_attr(key, SUN_CKA_EXPONENT_1, &expo1, &expo1_len)
846 	    != CRYPTO_SUCCESS) ||
847 	    (crypto_get_key_attr(key, SUN_CKA_EXPONENT_2, &expo2, &expo2_len)
848 	    != CRYPTO_SUCCESS) ||
849 	    (crypto_get_key_attr(key, SUN_CKA_COEFFICIENT, &coef, &coef_len)
850 	    != CRYPTO_SUCCESS)) {
851 		return (core_rsa_encrypt(key, in, in_len, out, 0));
852 	}
853 
854 	k.modulus = modulus;
855 	k.modulus_bits = CRYPTO_BYTES2BITS(modulus_len);
856 	k.prime1 = prime1;
857 	k.prime1_bytes = prime1_len;
858 	k.prime2 = prime2;
859 	k.prime2_bytes = prime2_len;
860 	k.expo1 = expo1;
861 	k.expo1_bytes = expo1_len;
862 	k.expo2 = expo2;
863 	k.expo2_bytes = expo2_len;
864 	k.coeff = coef;
865 	k.coeff_bytes = coef_len;
866 	k.rfunc = NULL;
867 
868 	rv = rsa_decrypt(&k, in, in_len, out);
869 
870 	return (rv);
871 }
872 
873 /* EXPORT DELETE END */
874 
875 /* ARGSUSED */
876 static int
877 rsa_sign_verify_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
878     crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
879     crypto_req_handle_t req)
880 {
881 	int rv;
882 	int kmflag;
883 	rsa_ctx_t *ctxp;
884 	digest_rsa_ctx_t *dctxp;
885 
886 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
887 		return (rv);
888 
889 	/*
890 	 * Allocate a RSA context.
891 	 */
892 	kmflag = crypto_kmflag(req);
893 	switch (mechanism->cm_type) {
894 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
895 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
896 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
897 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
898 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
899 		dctxp = kmem_zalloc(sizeof (digest_rsa_ctx_t), kmflag);
900 		ctxp = (rsa_ctx_t *)dctxp;
901 		break;
902 	default:
903 		ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag);
904 		break;
905 	}
906 
907 	if (ctxp == NULL)
908 		return (CRYPTO_HOST_MEMORY);
909 
910 	ctxp->mech_type = mechanism->cm_type;
911 	if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size,
912 	    kmflag)) != CRYPTO_SUCCESS) {
913 		switch (mechanism->cm_type) {
914 		case MD5_RSA_PKCS_MECH_INFO_TYPE:
915 		case SHA1_RSA_PKCS_MECH_INFO_TYPE:
916 		case SHA256_RSA_PKCS_MECH_INFO_TYPE:
917 		case SHA384_RSA_PKCS_MECH_INFO_TYPE:
918 		case SHA512_RSA_PKCS_MECH_INFO_TYPE:
919 			kmem_free(dctxp, sizeof (digest_rsa_ctx_t));
920 			break;
921 		default:
922 			kmem_free(ctxp, sizeof (rsa_ctx_t));
923 			break;
924 		}
925 		return (rv);
926 	}
927 
928 	switch (mechanism->cm_type) {
929 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
930 		MD5Init(&(dctxp->md5_ctx));
931 		break;
932 
933 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
934 		SHA1Init(&(dctxp->sha1_ctx));
935 		break;
936 
937 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
938 		SHA2Init(SHA256, &(dctxp->sha2_ctx));
939 		break;
940 
941 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
942 		SHA2Init(SHA384, &(dctxp->sha2_ctx));
943 		break;
944 
945 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
946 		SHA2Init(SHA512, &(dctxp->sha2_ctx));
947 		break;
948 	}
949 
950 	ctx->cc_provider_private = ctxp;
951 
952 	return (CRYPTO_SUCCESS);
953 }
954 
955 #define	SHA1_DIGEST_SIZE 20
956 #define	MD5_DIGEST_SIZE 16
957 
958 #define	INIT_RAW_CRYPTO_DATA(data, base, len, cd_len)	\
959 	(data).cd_format = CRYPTO_DATA_RAW;		\
960 	(data).cd_offset = 0;				\
961 	(data).cd_raw.iov_base = (char *)base;		\
962 	(data).cd_raw.iov_len = len;			\
963 	(data).cd_length = cd_len;
964 
965 static int
966 rsa_digest_svrfy_common(digest_rsa_ctx_t *ctxp, crypto_data_t *data,
967     crypto_data_t *signature, uchar_t flag)
968 {
969 	int rv = CRYPTO_FAILED;
970 
971 /* EXPORT DELETE START */
972 
973 	uchar_t digest[SHA512_DIGEST_LENGTH];
974 	/* The der_data size is enough for MD5 also */
975 	uchar_t der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len];
976 	ulong_t der_data_len;
977 	crypto_data_t der_cd;
978 	rsa_mech_type_t mech_type;
979 
980 	ASSERT(flag & CRYPTO_DO_SIGN || flag & CRYPTO_DO_VERIFY);
981 	ASSERT(data != NULL || (flag & CRYPTO_DO_FINAL));
982 
983 	mech_type = ctxp->mech_type;
984 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE ||
985 	    mech_type == RSA_X_509_MECH_INFO_TYPE)
986 		return (CRYPTO_MECHANISM_INVALID);
987 
988 	/*
989 	 * We need to do the BUFFER_TOO_SMALL check before digesting
990 	 * the data. No check is needed for verify as signature is not
991 	 * an output argument for verify.
992 	 */
993 	if (flag & CRYPTO_DO_SIGN) {
994 		uchar_t *modulus;
995 		ssize_t modulus_len;
996 
997 		if ((rv = crypto_get_key_attr(ctxp->key, SUN_CKA_MODULUS,
998 		    &modulus, &modulus_len)) != CRYPTO_SUCCESS) {
999 			return (rv);
1000 		}
1001 
1002 		if (signature->cd_length < modulus_len) {
1003 			signature->cd_length = modulus_len;
1004 			return (CRYPTO_BUFFER_TOO_SMALL);
1005 		}
1006 	}
1007 
1008 	if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE)
1009 		rv = crypto_digest_data(data, &(ctxp->md5_ctx),
1010 		    digest, MD5Update, MD5Final, flag | CRYPTO_DO_MD5);
1011 
1012 	else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE)
1013 		rv = crypto_digest_data(data, &(ctxp->sha1_ctx),
1014 		    digest, SHA1Update, SHA1Final,  flag | CRYPTO_DO_SHA1);
1015 
1016 	else
1017 		rv = crypto_digest_data(data, &(ctxp->sha2_ctx),
1018 		    digest, SHA2Update, SHA2Final, flag | CRYPTO_DO_SHA2);
1019 
1020 	if (rv != CRYPTO_SUCCESS)
1021 		return (rv);
1022 
1023 
1024 	/*
1025 	 * Prepare the DER encoding of the DigestInfo value as follows:
1026 	 * MD5:		MD5_DER_PREFIX || H
1027 	 * SHA-1:	SHA1_DER_PREFIX || H
1028 	 *
1029 	 * See rsa_impl.c for more details.
1030 	 */
1031 	switch (mech_type) {
1032 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1033 		bcopy(MD5_DER_PREFIX, der_data, MD5_DER_PREFIX_Len);
1034 		bcopy(digest, der_data + MD5_DER_PREFIX_Len, MD5_DIGEST_SIZE);
1035 		der_data_len = MD5_DER_PREFIX_Len + MD5_DIGEST_SIZE;
1036 		break;
1037 
1038 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1039 		bcopy(SHA1_DER_PREFIX, der_data, SHA1_DER_PREFIX_Len);
1040 		bcopy(digest, der_data + SHA1_DER_PREFIX_Len,
1041 		    SHA1_DIGEST_SIZE);
1042 		der_data_len = SHA1_DER_PREFIX_Len + SHA1_DIGEST_SIZE;
1043 		break;
1044 
1045 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1046 		bcopy(SHA256_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1047 		bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1048 		    SHA256_DIGEST_LENGTH);
1049 		der_data_len = SHA2_DER_PREFIX_Len + SHA256_DIGEST_LENGTH;
1050 		break;
1051 
1052 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1053 		bcopy(SHA384_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1054 		bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1055 		    SHA384_DIGEST_LENGTH);
1056 		der_data_len = SHA2_DER_PREFIX_Len + SHA384_DIGEST_LENGTH;
1057 		break;
1058 
1059 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1060 		bcopy(SHA512_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1061 		bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1062 		    SHA512_DIGEST_LENGTH);
1063 		der_data_len = SHA2_DER_PREFIX_Len + SHA512_DIGEST_LENGTH;
1064 		break;
1065 	}
1066 
1067 	INIT_RAW_CRYPTO_DATA(der_cd, der_data, der_data_len, der_data_len);
1068 	/*
1069 	 * Now, we are ready to sign or verify the DER_ENCODED data.
1070 	 */
1071 	if (flag & CRYPTO_DO_SIGN)
1072 		rv = rsa_sign_common(mech_type, ctxp->key, &der_cd,
1073 		    signature);
1074 	else
1075 		rv = rsa_verify_common(mech_type, ctxp->key, &der_cd,
1076 		    signature);
1077 
1078 /* EXPORT DELETE END */
1079 
1080 	return (rv);
1081 }
1082 
1083 static int
1084 rsa_sign_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1085     crypto_data_t *data, crypto_data_t *signature)
1086 {
1087 	int rv = CRYPTO_FAILED;
1088 
1089 /* EXPORT DELETE START */
1090 
1091 	int dlen;
1092 	uchar_t *dataptr, *modulus;
1093 	ssize_t modulus_len;
1094 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1095 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1096 	uchar_t signed_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1097 
1098 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1099 	    &modulus_len)) != CRYPTO_SUCCESS) {
1100 		return (rv);
1101 	}
1102 
1103 	dlen = data->cd_length;
1104 	switch (mech_type) {
1105 	case RSA_PKCS_MECH_INFO_TYPE:
1106 		if (dlen > (modulus_len - MIN_PKCS1_PADLEN))
1107 			return (CRYPTO_DATA_LEN_RANGE);
1108 		break;
1109 	case RSA_X_509_MECH_INFO_TYPE:
1110 		if (dlen > modulus_len)
1111 			return (CRYPTO_DATA_LEN_RANGE);
1112 		break;
1113 	}
1114 
1115 	if (signature->cd_length < modulus_len) {
1116 		signature->cd_length = modulus_len;
1117 		return (CRYPTO_BUFFER_TOO_SMALL);
1118 	}
1119 
1120 	ASSERT(data->cd_length <= sizeof (tmp_data));
1121 	if ((rv = crypto_get_input_data(data, &dataptr, tmp_data))
1122 	    != CRYPTO_SUCCESS)
1123 		return (rv);
1124 
1125 	switch (mech_type) {
1126 	case RSA_PKCS_MECH_INFO_TYPE:
1127 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1128 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1129 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1130 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1131 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1132 		/*
1133 		 * Add PKCS padding to the input data to format a block
1134 		 * type "01" encryption block.
1135 		 */
1136 		rv = pkcs1_encode(PKCS1_SIGN, dataptr, dlen, plain_data,
1137 		    modulus_len);
1138 		if (rv != CRYPTO_SUCCESS)
1139 			return (rv);
1140 
1141 		break;
1142 
1143 	case RSA_X_509_MECH_INFO_TYPE:
1144 		bzero(plain_data, modulus_len - dlen);
1145 		bcopy(dataptr, &plain_data[modulus_len - dlen], dlen);
1146 		break;
1147 	}
1148 
1149 	rv = core_rsa_decrypt(key, plain_data, modulus_len, signed_data);
1150 	if (rv == CRYPTO_SUCCESS) {
1151 		/* copy out to signature */
1152 		if ((rv = crypto_put_output_data(signed_data,
1153 		    signature, modulus_len)) != CRYPTO_SUCCESS)
1154 			return (rv);
1155 
1156 		signature->cd_length = modulus_len;
1157 	}
1158 
1159 /* EXPORT DELETE END */
1160 
1161 	return (rv);
1162 }
1163 
1164 /* ARGSUSED */
1165 static int
1166 rsaprov_sign(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature,
1167     crypto_req_handle_t req)
1168 {
1169 	int rv;
1170 	rsa_ctx_t *ctxp;
1171 
1172 	ASSERT(ctx->cc_provider_private != NULL);
1173 	ctxp = ctx->cc_provider_private;
1174 
1175 	/* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
1176 	switch (ctxp->mech_type) {
1177 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1178 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1179 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1180 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1181 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1182 		rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data,
1183 		    signature, CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE |
1184 		    CRYPTO_DO_FINAL);
1185 		break;
1186 	default:
1187 		rv = rsa_sign_common(ctxp->mech_type, ctxp->key, data,
1188 		    signature);
1189 		break;
1190 	}
1191 
1192 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1193 		(void) rsa_free_context(ctx);
1194 
1195 	return (rv);
1196 }
1197 
1198 /* ARGSUSED */
1199 static int
1200 rsa_sign_update(crypto_ctx_t *ctx, crypto_data_t *data, crypto_req_handle_t req)
1201 {
1202 	int rv;
1203 	digest_rsa_ctx_t *ctxp;
1204 	rsa_mech_type_t mech_type;
1205 
1206 	ASSERT(ctx->cc_provider_private != NULL);
1207 	ctxp = ctx->cc_provider_private;
1208 	mech_type = ctxp->mech_type;
1209 
1210 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE ||
1211 	    mech_type == RSA_X_509_MECH_INFO_TYPE)
1212 		return (CRYPTO_MECHANISM_INVALID);
1213 
1214 	if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE)
1215 		rv = crypto_digest_data(data, &(ctxp->md5_ctx),
1216 		    NULL, MD5Update, MD5Final,
1217 		    CRYPTO_DO_MD5 | CRYPTO_DO_UPDATE);
1218 
1219 	else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE)
1220 		rv = crypto_digest_data(data, &(ctxp->sha1_ctx),
1221 		    NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 |
1222 		    CRYPTO_DO_UPDATE);
1223 
1224 	else
1225 		rv = crypto_digest_data(data, &(ctxp->sha2_ctx),
1226 		    NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 |
1227 		    CRYPTO_DO_UPDATE);
1228 
1229 	return (rv);
1230 }
1231 
1232 /* ARGSUSED2 */
1233 static int
1234 rsa_sign_final(crypto_ctx_t *ctx, crypto_data_t *signature,
1235     crypto_req_handle_t req)
1236 {
1237 	int rv;
1238 	digest_rsa_ctx_t *ctxp;
1239 
1240 	ASSERT(ctx->cc_provider_private != NULL);
1241 	ctxp = ctx->cc_provider_private;
1242 
1243 	rv = rsa_digest_svrfy_common(ctxp, NULL, signature,
1244 	    CRYPTO_DO_SIGN | CRYPTO_DO_FINAL);
1245 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1246 		(void) rsa_free_context(ctx);
1247 
1248 	return (rv);
1249 }
1250 
1251 /* ARGSUSED */
1252 static int
1253 rsa_sign_atomic(crypto_provider_handle_t provider,
1254     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1255     crypto_key_t *key, crypto_data_t *data, crypto_data_t *signature,
1256     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1257 {
1258 	int rv;
1259 	digest_rsa_ctx_t dctx;
1260 
1261 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1262 		return (rv);
1263 
1264 	if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE ||
1265 	    mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE)
1266 		rv = rsa_sign_common(mechanism->cm_type, key, data,
1267 		    signature);
1268 
1269 	else {
1270 		dctx.mech_type = mechanism->cm_type;
1271 		dctx.key = key;
1272 		switch (mechanism->cm_type) {
1273 		case MD5_RSA_PKCS_MECH_INFO_TYPE:
1274 			MD5Init(&(dctx.md5_ctx));
1275 			break;
1276 
1277 		case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1278 			SHA1Init(&(dctx.sha1_ctx));
1279 			break;
1280 
1281 		case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1282 			SHA2Init(SHA256, &(dctx.sha2_ctx));
1283 			break;
1284 
1285 		case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1286 			SHA2Init(SHA384, &(dctx.sha2_ctx));
1287 			break;
1288 
1289 		case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1290 			SHA2Init(SHA512, &(dctx.sha2_ctx));
1291 			break;
1292 		}
1293 
1294 		rv = rsa_digest_svrfy_common(&dctx, data, signature,
1295 		    CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL);
1296 	}
1297 
1298 	return (rv);
1299 }
1300 
1301 static int
1302 rsa_verify_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1303     crypto_data_t *data, crypto_data_t *signature)
1304 {
1305 	int rv = CRYPTO_FAILED;
1306 
1307 /* EXPORT DELETE START */
1308 
1309 	uchar_t *sigptr, *modulus;
1310 	ssize_t modulus_len;
1311 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1312 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1313 
1314 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1315 	    &modulus_len)) != CRYPTO_SUCCESS) {
1316 		return (rv);
1317 	}
1318 
1319 	if (signature->cd_length != modulus_len)
1320 		return (CRYPTO_SIGNATURE_LEN_RANGE);
1321 
1322 	ASSERT(signature->cd_length <= sizeof (tmp_data));
1323 	if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data))
1324 	    != CRYPTO_SUCCESS)
1325 		return (rv);
1326 
1327 	rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, 1);
1328 	if (rv != CRYPTO_SUCCESS)
1329 		return (rv);
1330 
1331 	if (mech_type == RSA_X_509_MECH_INFO_TYPE) {
1332 		if (compare_data(data, (plain_data + modulus_len
1333 		    - data->cd_length)) != 0)
1334 			rv = CRYPTO_SIGNATURE_INVALID;
1335 
1336 	} else {
1337 		size_t data_len = modulus_len;
1338 
1339 		/*
1340 		 * Strip off the encoded padding bytes in front of the
1341 		 * recovered data, then compare the recovered data with
1342 		 * the original data.
1343 		 */
1344 		rv = pkcs1_decode(PKCS1_VERIFY, plain_data, &data_len);
1345 		if (rv != CRYPTO_SUCCESS)
1346 			return (rv);
1347 
1348 		if (data_len != data->cd_length)
1349 			return (CRYPTO_SIGNATURE_LEN_RANGE);
1350 
1351 		if (compare_data(data, (plain_data + modulus_len
1352 		    - data_len)) != 0)
1353 			rv = CRYPTO_SIGNATURE_INVALID;
1354 	}
1355 
1356 /* EXPORT DELETE END */
1357 
1358 	return (rv);
1359 }
1360 
1361 /* ARGSUSED */
1362 static int
1363 rsaprov_verify(crypto_ctx_t *ctx, crypto_data_t *data,
1364     crypto_data_t *signature, crypto_req_handle_t req)
1365 {
1366 	int rv;
1367 	rsa_ctx_t *ctxp;
1368 
1369 	ASSERT(ctx->cc_provider_private != NULL);
1370 	ctxp = ctx->cc_provider_private;
1371 
1372 	/* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
1373 	switch (ctxp->mech_type) {
1374 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1375 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1376 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1377 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1378 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1379 		rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data,
1380 		    signature, CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE |
1381 		    CRYPTO_DO_FINAL);
1382 		break;
1383 	default:
1384 		rv = rsa_verify_common(ctxp->mech_type, ctxp->key, data,
1385 		    signature);
1386 		break;
1387 	}
1388 
1389 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1390 		(void) rsa_free_context(ctx);
1391 
1392 	return (rv);
1393 }
1394 
1395 /* ARGSUSED */
1396 static int
1397 rsa_verify_update(crypto_ctx_t *ctx, crypto_data_t *data,
1398     crypto_req_handle_t req)
1399 {
1400 	int rv;
1401 	digest_rsa_ctx_t *ctxp;
1402 
1403 	ASSERT(ctx->cc_provider_private != NULL);
1404 	ctxp = ctx->cc_provider_private;
1405 
1406 	switch (ctxp->mech_type) {
1407 
1408 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1409 		rv = crypto_digest_data(data, &(ctxp->md5_ctx),
1410 		    NULL, MD5Update, MD5Final, CRYPTO_DO_MD5 |
1411 		    CRYPTO_DO_UPDATE);
1412 		break;
1413 
1414 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1415 		rv = crypto_digest_data(data, &(ctxp->sha1_ctx),
1416 		    NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 |
1417 		    CRYPTO_DO_UPDATE);
1418 		break;
1419 
1420 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1421 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1422 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1423 		rv = crypto_digest_data(data, &(ctxp->sha2_ctx),
1424 		    NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 |
1425 		    CRYPTO_DO_UPDATE);
1426 		break;
1427 
1428 	default:
1429 		return (CRYPTO_MECHANISM_INVALID);
1430 	}
1431 
1432 	return (rv);
1433 }
1434 
1435 /* ARGSUSED2 */
1436 static int
1437 rsa_verify_final(crypto_ctx_t *ctx, crypto_data_t *signature,
1438     crypto_req_handle_t req)
1439 {
1440 	int rv;
1441 	digest_rsa_ctx_t *ctxp;
1442 
1443 	ASSERT(ctx->cc_provider_private != NULL);
1444 	ctxp = ctx->cc_provider_private;
1445 
1446 	rv = rsa_digest_svrfy_common(ctxp, NULL, signature,
1447 	    CRYPTO_DO_VERIFY | CRYPTO_DO_FINAL);
1448 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1449 		(void) rsa_free_context(ctx);
1450 
1451 	return (rv);
1452 }
1453 
1454 
1455 /* ARGSUSED */
1456 static int
1457 rsa_verify_atomic(crypto_provider_handle_t provider,
1458     crypto_session_id_t session_id,
1459     crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data,
1460     crypto_data_t *signature, crypto_spi_ctx_template_t ctx_template,
1461     crypto_req_handle_t req)
1462 {
1463 	int rv;
1464 	digest_rsa_ctx_t dctx;
1465 
1466 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1467 		return (rv);
1468 
1469 	if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE ||
1470 	    mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE)
1471 		rv = rsa_verify_common(mechanism->cm_type, key, data,
1472 		    signature);
1473 
1474 	else {
1475 		dctx.mech_type = mechanism->cm_type;
1476 		dctx.key = key;
1477 
1478 		switch (mechanism->cm_type) {
1479 		case MD5_RSA_PKCS_MECH_INFO_TYPE:
1480 			MD5Init(&(dctx.md5_ctx));
1481 			break;
1482 
1483 		case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1484 			SHA1Init(&(dctx.sha1_ctx));
1485 			break;
1486 
1487 		case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1488 			SHA2Init(SHA256, &(dctx.sha2_ctx));
1489 			break;
1490 
1491 		case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1492 			SHA2Init(SHA384, &(dctx.sha2_ctx));
1493 			break;
1494 
1495 		case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1496 			SHA2Init(SHA512, &(dctx.sha2_ctx));
1497 			break;
1498 		}
1499 
1500 		rv = rsa_digest_svrfy_common(&dctx, data, signature,
1501 		    CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL);
1502 	}
1503 
1504 	return (rv);
1505 }
1506 
1507 static int
1508 rsa_verify_recover_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1509     crypto_data_t *signature, crypto_data_t *data)
1510 {
1511 	int rv = CRYPTO_FAILED;
1512 
1513 /* EXPORT DELETE START */
1514 
1515 	size_t data_len;
1516 	uchar_t *sigptr, *modulus;
1517 	ssize_t modulus_len;
1518 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1519 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1520 
1521 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1522 	    &modulus_len)) != CRYPTO_SUCCESS) {
1523 		return (rv);
1524 	}
1525 
1526 	if (signature->cd_length != modulus_len)
1527 		return (CRYPTO_SIGNATURE_LEN_RANGE);
1528 
1529 	ASSERT(signature->cd_length <= sizeof (tmp_data));
1530 	if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data))
1531 	    != CRYPTO_SUCCESS)
1532 		return (rv);
1533 
1534 	rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, 1);
1535 	if (rv != CRYPTO_SUCCESS)
1536 		return (rv);
1537 
1538 	data_len = modulus_len;
1539 
1540 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
1541 		/*
1542 		 * Strip off the encoded padding bytes in front of the
1543 		 * recovered data, then compare the recovered data with
1544 		 * the original data.
1545 		 */
1546 		rv = pkcs1_decode(PKCS1_VERIFY, plain_data, &data_len);
1547 		if (rv != CRYPTO_SUCCESS)
1548 			return (rv);
1549 	}
1550 
1551 	if (data->cd_length < data_len) {
1552 		data->cd_length = data_len;
1553 		return (CRYPTO_BUFFER_TOO_SMALL);
1554 	}
1555 
1556 	if ((rv = crypto_put_output_data(plain_data + modulus_len - data_len,
1557 	    data, data_len)) != CRYPTO_SUCCESS)
1558 		return (rv);
1559 	data->cd_length = data_len;
1560 
1561 /* EXPORT DELETE END */
1562 
1563 	return (rv);
1564 }
1565 
1566 /* ARGSUSED */
1567 static int
1568 rsa_verify_recover(crypto_ctx_t *ctx, crypto_data_t *signature,
1569     crypto_data_t *data, crypto_req_handle_t req)
1570 {
1571 	int rv;
1572 	rsa_ctx_t *ctxp;
1573 
1574 	ASSERT(ctx->cc_provider_private != NULL);
1575 	ctxp = ctx->cc_provider_private;
1576 
1577 	/* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
1578 	rv = rsa_verify_recover_common(ctxp->mech_type, ctxp->key,
1579 	    signature, data);
1580 
1581 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1582 		(void) rsa_free_context(ctx);
1583 
1584 	return (rv);
1585 }
1586 
1587 /* ARGSUSED */
1588 static int
1589 rsa_verify_recover_atomic(crypto_provider_handle_t provider,
1590     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1591     crypto_key_t *key, crypto_data_t *signature, crypto_data_t *data,
1592     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1593 {
1594 	int rv;
1595 
1596 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1597 		return (rv);
1598 
1599 	return (rsa_verify_recover_common(mechanism->cm_type, key,
1600 	    signature, data));
1601 }
1602 
1603 /*
1604  * RSA Power-On Self-Test
1605  */
1606 void
1607 rsa_POST(int *rc)
1608 {
1609 
1610 	*rc = fips_rsa_post();
1611 
1612 }
1613