xref: /titanic_41/usr/src/uts/common/crypto/io/rsa.c (revision 9dd828891378a0a6a509ab601b4c5c20ca5562ec)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 /*
30  * RSA provider for the Kernel Cryptographic Framework (KCF)
31  */
32 
33 #include <sys/types.h>
34 #include <sys/systm.h>
35 #include <sys/modctl.h>
36 #include <sys/cmn_err.h>
37 #include <sys/ddi.h>
38 #include <sys/crypto/spi.h>
39 #include <sys/sysmacros.h>
40 #include <sys/strsun.h>
41 #include <sys/md5.h>
42 #include <sys/sha1.h>
43 #include <sys/sha2.h>
44 #include <sys/random.h>
45 #include "rsa_impl.h"
46 
47 extern struct mod_ops mod_cryptoops;
48 
49 /*
50  * Module linkage information for the kernel.
51  */
52 static struct modlcrypto modlcrypto = {
53 	&mod_cryptoops,
54 	"RSA Kernel SW Provider %I%"
55 };
56 
57 static struct modlinkage modlinkage = {
58 	MODREV_1,
59 	(void *)&modlcrypto,
60 	NULL
61 };
62 
63 /*
64  * CSPI information (entry points, provider info, etc.)
65  */
66 typedef enum rsa_mech_type {
67 	RSA_PKCS_MECH_INFO_TYPE,	/* SUN_CKM_RSA_PKCS */
68 	RSA_X_509_MECH_INFO_TYPE,	/* SUN_CKM_RSA_X_509 */
69 	MD5_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_MD5_RSA_PKCS */
70 	SHA1_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_SHA1_RSA_PKCS */
71 	SHA256_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_SHA256_RSA_PKCS */
72 	SHA384_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_SHA384_RSA_PKCS */
73 	SHA512_RSA_PKCS_MECH_INFO_TYPE	/* SUN_SHA512_RSA_PKCS */
74 } rsa_mech_type_t;
75 
76 /*
77  * Context for RSA_PKCS and RSA_X_509 mechanisms.
78  */
79 typedef struct rsa_ctx {
80 	rsa_mech_type_t	mech_type;
81 	crypto_key_t *key;
82 	size_t keychunk_size;
83 } rsa_ctx_t;
84 
85 /*
86  * Context for MD5_RSA_PKCS and SHA*_RSA_PKCS mechanisms.
87  */
88 typedef struct digest_rsa_ctx {
89 	rsa_mech_type_t	mech_type;
90 	crypto_key_t *key;
91 	size_t keychunk_size;
92 	union {
93 		MD5_CTX md5ctx;
94 		SHA1_CTX sha1ctx;
95 		SHA2_CTX sha2ctx;
96 	} dctx_u;
97 } digest_rsa_ctx_t;
98 
99 #define	md5_ctx		dctx_u.md5ctx
100 #define	sha1_ctx	dctx_u.sha1ctx
101 #define	sha2_ctx	dctx_u.sha2ctx
102 
103 /*
104  * Mechanism info structure passed to KCF during registration.
105  */
106 static crypto_mech_info_t rsa_mech_info_tab[] = {
107 	/* RSA_PKCS */
108 	{SUN_CKM_RSA_PKCS, RSA_PKCS_MECH_INFO_TYPE,
109 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
110 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
111 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
112 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC |
113 	    CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC |
114 	    CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC,
115 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
116 
117 	/* RSA_X_509 */
118 	{SUN_CKM_RSA_X_509, RSA_X_509_MECH_INFO_TYPE,
119 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
120 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
121 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
122 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC |
123 	    CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC |
124 	    CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC,
125 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
126 
127 	/* MD5_RSA_PKCS */
128 	{SUN_CKM_MD5_RSA_PKCS, MD5_RSA_PKCS_MECH_INFO_TYPE,
129 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
130 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
131 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
132 
133 	/* SHA1_RSA_PKCS */
134 	{SUN_CKM_SHA1_RSA_PKCS, SHA1_RSA_PKCS_MECH_INFO_TYPE,
135 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
136 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
137 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
138 
139 	/* SHA256_RSA_PKCS */
140 	{SUN_CKM_SHA256_RSA_PKCS, SHA256_RSA_PKCS_MECH_INFO_TYPE,
141 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
142 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
143 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
144 
145 	/* SHA384_RSA_PKCS */
146 	{SUN_CKM_SHA384_RSA_PKCS, SHA384_RSA_PKCS_MECH_INFO_TYPE,
147 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
148 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
149 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
150 
151 	/* SHA512_RSA_PKCS */
152 	{SUN_CKM_SHA512_RSA_PKCS, SHA512_RSA_PKCS_MECH_INFO_TYPE,
153 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
154 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
155 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}
156 
157 };
158 
159 #define	RSA_VALID_MECH(mech)					\
160 	(((mech)->cm_type == RSA_PKCS_MECH_INFO_TYPE ||		\
161 	(mech)->cm_type == RSA_X_509_MECH_INFO_TYPE ||		\
162 	(mech)->cm_type == MD5_RSA_PKCS_MECH_INFO_TYPE ||	\
163 	(mech)->cm_type == SHA1_RSA_PKCS_MECH_INFO_TYPE ||	\
164 	(mech)->cm_type == SHA256_RSA_PKCS_MECH_INFO_TYPE ||	\
165 	(mech)->cm_type == SHA384_RSA_PKCS_MECH_INFO_TYPE ||	\
166 	(mech)->cm_type == SHA512_RSA_PKCS_MECH_INFO_TYPE) ? 1 : 0)
167 
168 /* operations are in-place if the output buffer is NULL */
169 #define	RSA_ARG_INPLACE(input, output)				\
170 	if ((output) == NULL)					\
171 		(output) = (input);
172 
173 static void rsa_provider_status(crypto_provider_handle_t, uint_t *);
174 
175 static crypto_control_ops_t rsa_control_ops = {
176 	rsa_provider_status
177 };
178 
179 static int rsa_common_init(crypto_ctx_t *, crypto_mechanism_t *,
180     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
181 static int rsa_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
182     crypto_req_handle_t);
183 static int rsa_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
184     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
185     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
186 static int rsa_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
187     crypto_req_handle_t);
188 static int rsa_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
189     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
190     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
191 
192 /*
193  * The RSA mechanisms do not have multiple-part cipher operations.
194  * So, the update and final routines are set to NULL.
195  */
196 static crypto_cipher_ops_t rsa_cipher_ops = {
197 	rsa_common_init,
198 	rsa_encrypt,
199 	NULL,
200 	NULL,
201 	rsa_encrypt_atomic,
202 	rsa_common_init,
203 	rsa_decrypt,
204 	NULL,
205 	NULL,
206 	rsa_decrypt_atomic
207 };
208 
209 static int rsa_sign_verify_common_init(crypto_ctx_t *, crypto_mechanism_t *,
210     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
211 static int rsa_sign(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
212     crypto_req_handle_t);
213 static int rsa_sign_update(crypto_ctx_t *, crypto_data_t *,
214     crypto_req_handle_t);
215 static int rsa_sign_final(crypto_ctx_t *, crypto_data_t *,
216     crypto_req_handle_t);
217 static int rsa_sign_atomic(crypto_provider_handle_t, crypto_session_id_t,
218     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
219     crypto_spi_ctx_template_t, crypto_req_handle_t);
220 
221 /*
222  * We use the same routine for sign_init and sign_recover_init fields
223  * as they do the same thing. Same holds for sign and sign_recover fields,
224  * and sign_atomic and sign_recover_atomic fields.
225  */
226 static crypto_sign_ops_t rsa_sign_ops = {
227 	rsa_sign_verify_common_init,
228 	rsa_sign,
229 	rsa_sign_update,
230 	rsa_sign_final,
231 	rsa_sign_atomic,
232 	rsa_sign_verify_common_init,
233 	rsa_sign,
234 	rsa_sign_atomic
235 };
236 
237 static int rsa_verify(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
238     crypto_req_handle_t);
239 static int rsa_verify_update(crypto_ctx_t *, crypto_data_t *,
240     crypto_req_handle_t);
241 static int rsa_verify_final(crypto_ctx_t *, crypto_data_t *,
242     crypto_req_handle_t);
243 static int rsa_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
244     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
245     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
246 static int rsa_verify_recover(crypto_ctx_t *, crypto_data_t *,
247     crypto_data_t *, crypto_req_handle_t);
248 static int rsa_verify_recover_atomic(crypto_provider_handle_t,
249     crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
250     crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
251     crypto_req_handle_t);
252 
253 /*
254  * We use the same routine (rsa_sign_verify_common_init) for verify_init
255  * and verify_recover_init fields as they do the same thing.
256  */
257 static crypto_verify_ops_t rsa_verify_ops = {
258 	rsa_sign_verify_common_init,
259 	rsa_verify,
260 	rsa_verify_update,
261 	rsa_verify_final,
262 	rsa_verify_atomic,
263 	rsa_sign_verify_common_init,
264 	rsa_verify_recover,
265 	rsa_verify_recover_atomic
266 };
267 
268 static int rsa_free_context(crypto_ctx_t *);
269 
270 static crypto_ctx_ops_t rsa_ctx_ops = {
271 	NULL,
272 	rsa_free_context
273 };
274 
275 static crypto_ops_t rsa_crypto_ops = {
276 	&rsa_control_ops,
277 	NULL,
278 	&rsa_cipher_ops,
279 	NULL,
280 	&rsa_sign_ops,
281 	&rsa_verify_ops,
282 	NULL,
283 	NULL,
284 	NULL,
285 	NULL,
286 	NULL,
287 	NULL,
288 	NULL,
289 	&rsa_ctx_ops
290 };
291 
292 static crypto_provider_info_t rsa_prov_info = {
293 	CRYPTO_SPI_VERSION_1,
294 	"RSA Software Provider",
295 	CRYPTO_SW_PROVIDER,
296 	{&modlinkage},
297 	NULL,
298 	&rsa_crypto_ops,
299 	sizeof (rsa_mech_info_tab)/sizeof (crypto_mech_info_t),
300 	rsa_mech_info_tab
301 };
302 
303 static int rsa_encrypt_common(rsa_mech_type_t, crypto_key_t *,
304     crypto_data_t *, crypto_data_t *, int);
305 static int rsa_decrypt_common(rsa_mech_type_t, crypto_key_t *,
306     crypto_data_t *, crypto_data_t *, int);
307 static int rsa_sign_common(rsa_mech_type_t, crypto_key_t *,
308     crypto_data_t *, crypto_data_t *, int);
309 static int rsa_verify_common(rsa_mech_type_t, crypto_key_t *,
310     crypto_data_t *, crypto_data_t *, int);
311 static int compare_data(crypto_data_t *, uchar_t *);
312 
313 /* EXPORT DELETE START */
314 
315 static int core_rsa_encrypt(crypto_key_t *, uchar_t *,
316     int, uchar_t *, int, int);
317 static int core_rsa_decrypt(crypto_key_t *, uchar_t *, int,
318     uchar_t *, int);
319 
320 /* EXPORT DELETE END */
321 
322 static crypto_kcf_provider_handle_t rsa_prov_handle = NULL;
323 
324 int
325 _init(void)
326 {
327 	int ret;
328 
329 	/*
330 	 * Register with KCF. If the registration fails, return error.
331 	 */
332 	if ((ret = crypto_register_provider(&rsa_prov_info,
333 	    &rsa_prov_handle)) != CRYPTO_SUCCESS) {
334 		cmn_err(CE_WARN, "rsa _init: crypto_register_provider()"
335 		    "failed (0x%x)", ret);
336 		return (EACCES);
337 	}
338 
339 	if ((ret = mod_install(&modlinkage)) != 0) {
340 		int rv;
341 
342 		ASSERT(rsa_prov_handle != NULL);
343 		/* We should not return if the unregister returns busy. */
344 		while ((rv = crypto_unregister_provider(rsa_prov_handle))
345 		    == CRYPTO_BUSY) {
346 			cmn_err(CE_WARN, "rsa _init: "
347 			    "crypto_unregister_provider() "
348 			    "failed (0x%x). Retrying.", rv);
349 			/* wait 10 seconds and try again. */
350 			delay(10 * drv_usectohz(1000000));
351 		}
352 	}
353 
354 	return (ret);
355 }
356 
357 int
358 _fini(void)
359 {
360 	int ret;
361 
362 	/*
363 	 * Unregister from KCF if previous registration succeeded.
364 	 */
365 	if (rsa_prov_handle != NULL) {
366 		if ((ret = crypto_unregister_provider(rsa_prov_handle)) !=
367 		    CRYPTO_SUCCESS) {
368 			cmn_err(CE_WARN, "rsa _fini: "
369 			    "crypto_unregister_provider() "
370 			    "failed (0x%x)", ret);
371 			return (EBUSY);
372 		}
373 		rsa_prov_handle = NULL;
374 	}
375 
376 	return (mod_remove(&modlinkage));
377 }
378 
379 int
380 _info(struct modinfo *modinfop)
381 {
382 	return (mod_info(&modlinkage, modinfop));
383 }
384 
385 /* ARGSUSED */
386 static void
387 rsa_provider_status(crypto_provider_handle_t provider, uint_t *status)
388 {
389 	*status = CRYPTO_PROVIDER_READY;
390 }
391 
392 /*
393  * Utility routine to look up a attribute of type, 'type',
394  * in the key.
395  */
396 static int
397 get_key_attr(crypto_key_t *key, crypto_attr_type_t type,
398     uchar_t **value, ssize_t *value_len)
399 {
400 	int i;
401 
402 	ASSERT(key->ck_format == CRYPTO_KEY_ATTR_LIST);
403 	for (i = 0; i < key->ck_count; i++) {
404 		if (key->ck_attrs[i].oa_type == type) {
405 			*value = (uchar_t *)key->ck_attrs[i].oa_value;
406 			*value_len = key->ck_attrs[i].oa_value_len;
407 			return (CRYPTO_SUCCESS);
408 		}
409 	}
410 
411 	return (CRYPTO_FAILED);
412 }
413 
414 static int
415 check_mech_and_key(crypto_mechanism_t *mechanism, crypto_key_t *key)
416 {
417 	int rv = CRYPTO_FAILED;
418 
419 /* EXPORT DELETE START */
420 
421 	uchar_t *modulus;
422 	ssize_t modulus_len; /* In bytes */
423 
424 	if (!RSA_VALID_MECH(mechanism))
425 		return (CRYPTO_MECHANISM_INVALID);
426 
427 	/*
428 	 * We only support RSA keys that are passed as a list of
429 	 * object attributes.
430 	 */
431 	if (key->ck_format != CRYPTO_KEY_ATTR_LIST) {
432 		return (CRYPTO_KEY_TYPE_INCONSISTENT);
433 	}
434 
435 	if ((rv = get_key_attr(key, SUN_CKA_MODULUS, &modulus,
436 	    &modulus_len)) != CRYPTO_SUCCESS) {
437 		return (rv);
438 	}
439 	if (modulus_len < MIN_RSA_KEYLENGTH_IN_BYTES ||
440 	    modulus_len > MAX_RSA_KEYLENGTH_IN_BYTES)
441 		return (CRYPTO_KEY_SIZE_RANGE);
442 
443 /* EXPORT DELETE END */
444 
445 	return (rv);
446 }
447 
448 void
449 kmemset(uint8_t *buf, char pattern, size_t len)
450 {
451 	int i = 0;
452 
453 	while (i < len)
454 		buf[i++] = pattern;
455 }
456 
457 /*
458  * This function guarantees to return non-zero random numbers.
459  * This is needed as the /dev/urandom kernel interface,
460  * random_get_pseudo_bytes(), may return zeros.
461  */
462 int
463 knzero_random_generator(uint8_t *ran_out, size_t ran_len)
464 {
465 	int rv;
466 	size_t ebc = 0; /* count of extra bytes in extrarand */
467 	size_t i = 0;
468 	uint8_t extrarand[32];
469 	size_t extrarand_len;
470 
471 	if ((rv = random_get_pseudo_bytes(ran_out, ran_len)) != 0)
472 		return (rv);
473 
474 	/*
475 	 * Walk through the returned random numbers pointed by ran_out,
476 	 * and look for any random number which is zero.
477 	 * If we find zero, call random_get_pseudo_bytes() to generate
478 	 * another 32 random numbers pool. Replace any zeros in ran_out[]
479 	 * from the random number in pool.
480 	 */
481 	while (i < ran_len) {
482 		if (ran_out[i] != 0) {
483 			i++;
484 			continue;
485 		}
486 
487 		/*
488 		 * Note that it is 'while' so we are guaranteed a
489 		 * non-zero value on exit.
490 		 */
491 		if (ebc == 0) {
492 			/* refresh extrarand */
493 			extrarand_len = sizeof (extrarand);
494 			if ((rv = random_get_pseudo_bytes(extrarand,
495 			    extrarand_len)) != 0) {
496 				return (rv);
497 			}
498 
499 			ebc = extrarand_len;
500 		}
501 		/* Replace zero with byte from extrarand. */
502 		-- ebc;
503 
504 		/*
505 		 * The new random byte zero/non-zero will be checked in
506 		 * the next pass through the loop.
507 		 */
508 		ran_out[i] = extrarand[ebc];
509 	}
510 
511 	return (CRYPTO_SUCCESS);
512 }
513 
514 typedef enum cmd_type {
515 	COPY_FROM_DATA,
516 	COPY_TO_DATA,
517 	COMPARE_TO_DATA,
518 	MD5_DIGEST_DATA,
519 	SHA1_DIGEST_DATA,
520 	SHA2_DIGEST_DATA
521 } cmd_type_t;
522 
523 /*
524  * Utility routine to apply the command, 'cmd', to the
525  * data in the uio structure.
526  */
527 static int
528 process_uio_data(crypto_data_t *data, uchar_t *buf, int len,
529     cmd_type_t cmd, void *digest_ctx)
530 {
531 	uio_t *uiop = data->cd_uio;
532 	off_t offset = data->cd_offset;
533 	size_t length = len;
534 	uint_t vec_idx;
535 	size_t cur_len;
536 	uchar_t *datap;
537 
538 	ASSERT(data->cd_format == CRYPTO_DATA_UIO);
539 	if (uiop->uio_segflg != UIO_SYSSPACE) {
540 		return (CRYPTO_ARGUMENTS_BAD);
541 	}
542 
543 	/*
544 	 * Jump to the first iovec containing data to be
545 	 * processed.
546 	 */
547 	for (vec_idx = 0; vec_idx < uiop->uio_iovcnt &&
548 	    offset >= uiop->uio_iov[vec_idx].iov_len;
549 	    offset -= uiop->uio_iov[vec_idx++].iov_len);
550 
551 	if (vec_idx == uiop->uio_iovcnt) {
552 		/*
553 		 * The caller specified an offset that is larger than
554 		 * the total size of the buffers it provided.
555 		 */
556 		return (CRYPTO_DATA_LEN_RANGE);
557 	}
558 
559 	while (vec_idx < uiop->uio_iovcnt && length > 0) {
560 		cur_len = MIN(uiop->uio_iov[vec_idx].iov_len -
561 		    offset, length);
562 
563 		datap = (uchar_t *)(uiop->uio_iov[vec_idx].iov_base +
564 		    offset);
565 		switch (cmd) {
566 		case COPY_FROM_DATA:
567 			bcopy(datap, buf, cur_len);
568 			buf += cur_len;
569 			break;
570 		case COPY_TO_DATA:
571 			bcopy(buf, datap, cur_len);
572 			buf += cur_len;
573 			break;
574 		case COMPARE_TO_DATA:
575 			if (bcmp(datap, buf, cur_len))
576 				return (CRYPTO_SIGNATURE_INVALID);
577 			buf += cur_len;
578 			break;
579 		case MD5_DIGEST_DATA:
580 			MD5Update(digest_ctx, datap, cur_len);
581 			break;
582 		case SHA1_DIGEST_DATA:
583 			SHA1Update(digest_ctx, datap, cur_len);
584 			break;
585 		case SHA2_DIGEST_DATA:
586 			SHA2Update(digest_ctx, datap, cur_len);
587 			break;
588 		}
589 
590 		length -= cur_len;
591 		vec_idx++;
592 		offset = 0;
593 	}
594 
595 	if (vec_idx == uiop->uio_iovcnt && length > 0) {
596 		/*
597 		 * The end of the specified iovec's was reached but
598 		 * the length requested could not be processed.
599 		 */
600 		switch (cmd) {
601 		case COPY_TO_DATA:
602 			data->cd_length = len;
603 			return (CRYPTO_BUFFER_TOO_SMALL);
604 		default:
605 			return (CRYPTO_DATA_LEN_RANGE);
606 		}
607 	}
608 
609 	return (CRYPTO_SUCCESS);
610 }
611 
612 /*
613  * Utility routine to apply the command, 'cmd', to the
614  * data in the mblk structure.
615  */
616 static int
617 process_mblk_data(crypto_data_t *data, uchar_t *buf, int len,
618     cmd_type_t cmd, void *digest_ctx)
619 {
620 	off_t offset = data->cd_offset;
621 	size_t length = len;
622 	mblk_t *mp;
623 	size_t cur_len;
624 	uchar_t *datap;
625 
626 	ASSERT(data->cd_format == CRYPTO_DATA_MBLK);
627 	/*
628 	 * Jump to the first mblk_t containing data to be processed.
629 	 */
630 	for (mp = data->cd_mp; mp != NULL && offset >= MBLKL(mp);
631 	    offset -= MBLKL(mp), mp = mp->b_cont);
632 	if (mp == NULL) {
633 		/*
634 		 * The caller specified an offset that is larger
635 		 * than the total size of the buffers it provided.
636 		 */
637 		return (CRYPTO_DATA_LEN_RANGE);
638 	}
639 
640 	/*
641 	 * Now do the processing on the mblk chain.
642 	 */
643 	while (mp != NULL && length > 0) {
644 		cur_len = MIN(MBLKL(mp) - offset, length);
645 
646 		datap = (uchar_t *)(mp->b_rptr + offset);
647 		switch (cmd) {
648 		case COPY_FROM_DATA:
649 			bcopy(datap, buf, cur_len);
650 			buf += cur_len;
651 			break;
652 		case COPY_TO_DATA:
653 			bcopy(buf, datap, cur_len);
654 			buf += cur_len;
655 			break;
656 		case COMPARE_TO_DATA:
657 			if (bcmp(datap, buf, cur_len))
658 				return (CRYPTO_SIGNATURE_INVALID);
659 			buf += cur_len;
660 			break;
661 		case MD5_DIGEST_DATA:
662 			MD5Update(digest_ctx, datap, cur_len);
663 			break;
664 		case SHA1_DIGEST_DATA:
665 			SHA1Update(digest_ctx, datap, cur_len);
666 			break;
667 		case SHA2_DIGEST_DATA:
668 			SHA2Update(digest_ctx, datap, cur_len);
669 			break;
670 		}
671 
672 		length -= cur_len;
673 		offset = 0;
674 		mp = mp->b_cont;
675 	}
676 
677 	if (mp == NULL && length > 0) {
678 		/*
679 		 * The end of the mblk was reached but the length
680 		 * requested could not be processed.
681 		 */
682 		switch (cmd) {
683 		case COPY_TO_DATA:
684 			data->cd_length = len;
685 			return (CRYPTO_BUFFER_TOO_SMALL);
686 		default:
687 			return (CRYPTO_DATA_LEN_RANGE);
688 		}
689 	}
690 
691 	return (CRYPTO_SUCCESS);
692 }
693 
694 static int
695 compare_data(crypto_data_t *data, uchar_t *buf)
696 {
697 	int len;
698 	uchar_t *dptr;
699 
700 	len = data->cd_length;
701 	switch (data->cd_format) {
702 	case CRYPTO_DATA_RAW:
703 		dptr = (uchar_t *)(data->cd_raw.iov_base +
704 		    data->cd_offset);
705 
706 		return (bcmp(dptr, buf, len));
707 
708 	case CRYPTO_DATA_UIO:
709 		return (process_uio_data(data, buf, len,
710 		    COMPARE_TO_DATA, NULL));
711 
712 	case CRYPTO_DATA_MBLK:
713 		return (process_mblk_data(data, buf, len,
714 		    COMPARE_TO_DATA, NULL));
715 	}
716 
717 	return (CRYPTO_FAILED);
718 }
719 
720 /*
721  * Utility routine to copy a buffer to a crypto_data structure.
722  */
723 static int
724 put_output_data(uchar_t *buf, crypto_data_t *output, int len)
725 {
726 	switch (output->cd_format) {
727 	case CRYPTO_DATA_RAW:
728 		if (output->cd_raw.iov_len < len) {
729 			output->cd_length = len;
730 			return (CRYPTO_BUFFER_TOO_SMALL);
731 		}
732 		bcopy(buf, (uchar_t *)(output->cd_raw.iov_base +
733 		    output->cd_offset), len);
734 		break;
735 
736 	case CRYPTO_DATA_UIO:
737 		return (process_uio_data(output, buf, len, COPY_TO_DATA, NULL));
738 
739 	case CRYPTO_DATA_MBLK:
740 		return (process_mblk_data(output, buf, len,
741 		    COPY_TO_DATA, NULL));
742 
743 	default:
744 		return (CRYPTO_ARGUMENTS_BAD);
745 	}
746 
747 	return (CRYPTO_SUCCESS);
748 }
749 
750 /*
751  * Utility routine to get data from a crypto_data structure.
752  *
753  * '*dptr' contains a pointer to a buffer on return. 'buf'
754  * is allocated by the caller and is ignored for CRYPTO_DATA_RAW case.
755  */
756 static int
757 get_input_data(crypto_data_t *input, uchar_t **dptr, uchar_t *buf)
758 {
759 	int rv;
760 
761 	switch (input->cd_format) {
762 	case CRYPTO_DATA_RAW:
763 		if (input->cd_raw.iov_len < input->cd_length)
764 			return (CRYPTO_ARGUMENTS_BAD);
765 		*dptr = (uchar_t *)(input->cd_raw.iov_base +
766 		    input->cd_offset);
767 		break;
768 
769 	case CRYPTO_DATA_UIO:
770 		if ((rv = process_uio_data(input, buf, input->cd_length,
771 		    COPY_FROM_DATA, NULL)) != CRYPTO_SUCCESS)
772 			return (rv);
773 		*dptr = buf;
774 		break;
775 
776 	case CRYPTO_DATA_MBLK:
777 		if ((rv = process_mblk_data(input, buf, input->cd_length,
778 		    COPY_FROM_DATA, NULL)) != CRYPTO_SUCCESS)
779 			return (rv);
780 		*dptr = buf;
781 		break;
782 
783 	default:
784 		return (CRYPTO_ARGUMENTS_BAD);
785 	}
786 
787 	return (CRYPTO_SUCCESS);
788 }
789 
790 static int
791 copy_key_to_ctx(crypto_key_t *in_key, rsa_ctx_t *ctx, int kmflag)
792 {
793 	int i, count;
794 	size_t len;
795 	caddr_t attr_val;
796 	crypto_object_attribute_t *k_attrs = NULL;
797 
798 	ASSERT(in_key->ck_format == CRYPTO_KEY_ATTR_LIST);
799 
800 	count = in_key->ck_count;
801 	/* figure out how much memory to allocate for everything */
802 	len = sizeof (crypto_key_t) +
803 	    count * sizeof (crypto_object_attribute_t);
804 	for (i = 0; i < count; i++) {
805 		len += roundup(in_key->ck_attrs[i].oa_value_len,
806 		    sizeof (caddr_t));
807 	}
808 
809 	/* one big allocation for everything */
810 	ctx->key = kmem_alloc(len, kmflag);
811 	if (ctx->key == NULL)
812 		return (CRYPTO_HOST_MEMORY);
813 	k_attrs = (crypto_object_attribute_t *)((caddr_t)(ctx->key) +
814 	    sizeof (crypto_key_t));
815 
816 	attr_val = (caddr_t)k_attrs +
817 	    count * sizeof (crypto_object_attribute_t);
818 	for (i = 0; i < count; i++) {
819 		k_attrs[i].oa_type = in_key->ck_attrs[i].oa_type;
820 		bcopy(in_key->ck_attrs[i].oa_value, attr_val,
821 		    in_key->ck_attrs[i].oa_value_len);
822 		k_attrs[i].oa_value = attr_val;
823 		k_attrs[i].oa_value_len = in_key->ck_attrs[i].oa_value_len;
824 		attr_val += roundup(k_attrs[i].oa_value_len, sizeof (caddr_t));
825 	}
826 
827 	ctx->keychunk_size = len;	/* save the size to be freed */
828 	ctx->key->ck_format = CRYPTO_KEY_ATTR_LIST;
829 	ctx->key->ck_count = count;
830 	ctx->key->ck_attrs = k_attrs;
831 
832 	return (CRYPTO_SUCCESS);
833 }
834 
835 /* ARGSUSED */
836 static int
837 rsa_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
838     crypto_key_t *key, crypto_spi_ctx_template_t template,
839     crypto_req_handle_t req)
840 {
841 	int rv;
842 	int kmflag;
843 	rsa_ctx_t *ctxp;
844 
845 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
846 		return (rv);
847 
848 	/*
849 	 * Allocate a RSA context.
850 	 */
851 	kmflag = crypto_kmflag(req);
852 	if ((ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag)) == NULL)
853 		return (CRYPTO_HOST_MEMORY);
854 
855 	if ((rv = copy_key_to_ctx(key, ctxp, kmflag)) != CRYPTO_SUCCESS) {
856 		kmem_free(ctxp, sizeof (rsa_ctx_t));
857 		return (rv);
858 	}
859 	ctxp->mech_type = mechanism->cm_type;
860 
861 	ctx->cc_provider_private = ctxp;
862 
863 	return (CRYPTO_SUCCESS);
864 }
865 
866 /* ARGSUSED */
867 static int
868 rsa_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext,
869     crypto_data_t *ciphertext, crypto_req_handle_t req)
870 {
871 	int rv;
872 	rsa_ctx_t *ctxp;
873 
874 	ASSERT(ctx->cc_provider_private != NULL);
875 	ctxp = ctx->cc_provider_private;
876 
877 	RSA_ARG_INPLACE(plaintext, ciphertext);
878 
879 	/*
880 	 * Note on the KM_SLEEP flag passed to the routine below -
881 	 * rsa_encrypt() is a single-part encryption routine which is
882 	 * currently usable only by /dev/crypto. Since /dev/crypto calls are
883 	 * always synchronous, we can safely pass KM_SLEEP here.
884 	 */
885 	rv = rsa_encrypt_common(ctxp->mech_type, ctxp->key, plaintext,
886 	    ciphertext, KM_SLEEP);
887 
888 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
889 		(void) rsa_free_context(ctx);
890 
891 	return (rv);
892 }
893 
894 /* ARGSUSED */
895 static int
896 rsa_encrypt_atomic(crypto_provider_handle_t provider,
897     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
898     crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext,
899     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
900 {
901 	int rv;
902 
903 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
904 		return (rv);
905 	RSA_ARG_INPLACE(plaintext, ciphertext);
906 
907 	return (rsa_encrypt_common(mechanism->cm_type, key, plaintext,
908 	    ciphertext, crypto_kmflag(req)));
909 }
910 
911 static int
912 rsa_free_context(crypto_ctx_t *ctx)
913 {
914 	rsa_ctx_t *ctxp = ctx->cc_provider_private;
915 
916 	if (ctxp != NULL) {
917 		bzero(ctxp->key, ctxp->keychunk_size);
918 		kmem_free(ctxp->key, ctxp->keychunk_size);
919 
920 		if (ctxp->mech_type == RSA_PKCS_MECH_INFO_TYPE ||
921 		    ctxp->mech_type == RSA_X_509_MECH_INFO_TYPE)
922 			kmem_free(ctxp, sizeof (rsa_ctx_t));
923 		else
924 			kmem_free(ctxp, sizeof (digest_rsa_ctx_t));
925 
926 		ctx->cc_provider_private = NULL;
927 	}
928 
929 	return (CRYPTO_SUCCESS);
930 }
931 
932 static int
933 rsa_encrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
934     crypto_data_t *plaintext, crypto_data_t *ciphertext, int kmflag)
935 {
936 	int rv = CRYPTO_FAILED;
937 
938 /* EXPORT DELETE START */
939 
940 	int plen;
941 	uchar_t *ptptr;
942 	uchar_t *modulus;
943 	ssize_t modulus_len;
944 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
945 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
946 	uchar_t cipher_data[MAX_RSA_KEYLENGTH_IN_BYTES];
947 
948 	if ((rv = get_key_attr(key, SUN_CKA_MODULUS, &modulus,
949 	    &modulus_len)) != CRYPTO_SUCCESS) {
950 		return (rv);
951 	}
952 
953 	plen = plaintext->cd_length;
954 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
955 		if (plen > (modulus_len - MIN_PKCS1_PADLEN))
956 			return (CRYPTO_DATA_LEN_RANGE);
957 	} else {
958 		if (plen > modulus_len)
959 			return (CRYPTO_DATA_LEN_RANGE);
960 	}
961 
962 	/*
963 	 * Output buf len must not be less than RSA modulus size.
964 	 */
965 	if (ciphertext->cd_length < modulus_len) {
966 		ciphertext->cd_length = modulus_len;
967 		return (CRYPTO_BUFFER_TOO_SMALL);
968 	}
969 
970 	ASSERT(plaintext->cd_length <= sizeof (tmp_data));
971 	if ((rv = get_input_data(plaintext, &ptptr, tmp_data))
972 	    != CRYPTO_SUCCESS)
973 		return (rv);
974 
975 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
976 		rv = soft_encrypt_rsa_pkcs_encode(ptptr, plen,
977 		    plain_data, modulus_len);
978 
979 		if (rv != CRYPTO_SUCCESS)
980 			return (rv);
981 	} else {
982 		bzero(plain_data, modulus_len - plen);
983 		bcopy(ptptr, &plain_data[modulus_len - plen], plen);
984 	}
985 
986 	rv = core_rsa_encrypt(key, plain_data, modulus_len,
987 	    cipher_data, kmflag, 1);
988 	if (rv == CRYPTO_SUCCESS) {
989 		/* copy out to ciphertext */
990 		if ((rv = put_output_data(cipher_data,
991 		    ciphertext, modulus_len)) != CRYPTO_SUCCESS)
992 			return (rv);
993 
994 		ciphertext->cd_length = modulus_len;
995 	}
996 
997 /* EXPORT DELETE END */
998 
999 	return (rv);
1000 }
1001 
1002 /* EXPORT DELETE START */
1003 
1004 static int
1005 core_rsa_encrypt(crypto_key_t *key, uchar_t *in,
1006     int in_len, uchar_t *out, int kmflag, int is_public)
1007 {
1008 	int rv;
1009 	uchar_t *expo, *modulus;
1010 	ssize_t	expo_len;
1011 	ssize_t modulus_len;
1012 	BIGNUM msg;
1013 	RSAkey *rsakey;
1014 
1015 	if (is_public) {
1016 		if ((rv = get_key_attr(key, SUN_CKA_PUBLIC_EXPONENT, &expo,
1017 		    &expo_len)) != CRYPTO_SUCCESS)
1018 			return (rv);
1019 	} else {
1020 		/*
1021 		 * SUN_CKA_PRIVATE_EXPONENT is a required attribute for a
1022 		 * RSA secret key. See the comments in core_rsa_decrypt
1023 		 * routine which calls this routine with a private key.
1024 		 */
1025 		if ((rv = get_key_attr(key, SUN_CKA_PRIVATE_EXPONENT, &expo,
1026 		    &expo_len)) != CRYPTO_SUCCESS)
1027 			return (rv);
1028 	}
1029 
1030 	if ((rv = get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1031 	    &modulus_len)) != CRYPTO_SUCCESS) {
1032 		return (rv);
1033 	}
1034 
1035 	rsakey = kmem_alloc(sizeof (RSAkey), kmflag);
1036 	if (rsakey == NULL)
1037 		return (CRYPTO_HOST_MEMORY);
1038 
1039 	/* psize and qsize for RSA_key_init is in bits. */
1040 	if (RSA_key_init(rsakey, modulus_len * 4, modulus_len * 4) != BIG_OK) {
1041 		rv = CRYPTO_HOST_MEMORY;
1042 		goto clean1;
1043 	}
1044 
1045 	/* Size for big_init is in (32-bit) words. */
1046 	if (big_init(&msg, (in_len + (int)sizeof (uint32_t) - 1) /
1047 	    (int)sizeof (uint32_t)) != BIG_OK) {
1048 		rv = CRYPTO_HOST_MEMORY;
1049 		goto clean2;
1050 	}
1051 
1052 	/* Convert octet string exponent to big integer format. */
1053 	bytestring2bignum(&(rsakey->e), expo, expo_len);
1054 
1055 	/* Convert octet string modulus to big integer format. */
1056 	bytestring2bignum(&(rsakey->n), modulus, modulus_len);
1057 
1058 	/* Convert octet string input data to big integer format. */
1059 	bytestring2bignum(&msg, in, in_len);
1060 
1061 	if (big_cmp_abs(&msg, &(rsakey->n)) > 0) {
1062 		rv = CRYPTO_DATA_LEN_RANGE;
1063 		goto clean3;
1064 	}
1065 
1066 	/* Perform RSA computation on big integer input data. */
1067 	if (big_modexp(&msg, &msg, &(rsakey->e), &(rsakey->n), NULL)
1068 	    != BIG_OK) {
1069 		rv = CRYPTO_HOST_MEMORY;
1070 		goto clean3;
1071 	}
1072 
1073 	/* Convert the big integer output data to octet string. */
1074 	bignum2bytestring(out, &msg, modulus_len);
1075 
1076 	/*
1077 	 * Should not free modulus and expo as both are just pointers
1078 	 * to an attribute value buffer from the caller.
1079 	 */
1080 clean3:
1081 	big_finish(&msg);
1082 clean2:
1083 	RSA_key_finish(rsakey);
1084 clean1:
1085 	kmem_free(rsakey, sizeof (RSAkey));
1086 
1087 	return (rv);
1088 }
1089 
1090 /* EXPORT DELETE END */
1091 
1092 /* ARGSUSED */
1093 static int
1094 rsa_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
1095     crypto_data_t *plaintext, crypto_req_handle_t req)
1096 {
1097 	int rv;
1098 	rsa_ctx_t *ctxp;
1099 
1100 	ASSERT(ctx->cc_provider_private != NULL);
1101 	ctxp = ctx->cc_provider_private;
1102 
1103 	RSA_ARG_INPLACE(ciphertext, plaintext);
1104 
1105 	/* See the comments on KM_SLEEP flag in rsa_encrypt() */
1106 	rv = rsa_decrypt_common(ctxp->mech_type, ctxp->key,
1107 	    ciphertext, plaintext, KM_SLEEP);
1108 
1109 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1110 		(void) rsa_free_context(ctx);
1111 
1112 	return (rv);
1113 }
1114 
1115 /* ARGSUSED */
1116 static int
1117 rsa_decrypt_atomic(crypto_provider_handle_t provider,
1118     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1119     crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
1120     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
1121 {
1122 	int rv;
1123 
1124 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1125 		return (rv);
1126 	RSA_ARG_INPLACE(ciphertext, plaintext);
1127 
1128 	return (rsa_decrypt_common(mechanism->cm_type, key, ciphertext,
1129 	    plaintext, crypto_kmflag(req)));
1130 }
1131 
1132 static int
1133 rsa_decrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1134     crypto_data_t *ciphertext, crypto_data_t *plaintext, int kmflag)
1135 {
1136 	int rv = CRYPTO_FAILED;
1137 
1138 /* EXPORT DELETE START */
1139 
1140 	int plain_len;
1141 	uchar_t *ctptr;
1142 	uchar_t *modulus;
1143 	ssize_t modulus_len;
1144 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1145 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1146 
1147 	if ((rv = get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1148 	    &modulus_len)) != CRYPTO_SUCCESS) {
1149 		return (rv);
1150 	}
1151 
1152 	/*
1153 	 * Ciphertext length must be equal to RSA modulus size.
1154 	 */
1155 	if (ciphertext->cd_length != modulus_len)
1156 		return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
1157 
1158 	ASSERT(ciphertext->cd_length <= sizeof (tmp_data));
1159 	if ((rv = get_input_data(ciphertext, &ctptr, tmp_data))
1160 	    != CRYPTO_SUCCESS)
1161 		return (rv);
1162 
1163 	rv = core_rsa_decrypt(key, ctptr, modulus_len, plain_data, kmflag);
1164 	if (rv == CRYPTO_SUCCESS) {
1165 		plain_len = modulus_len;
1166 
1167 		if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
1168 			/* Strip off the PKCS block formatting data. */
1169 			rv = soft_decrypt_rsa_pkcs_decode(plain_data,
1170 			    &plain_len);
1171 			if (rv != CRYPTO_SUCCESS)
1172 				return (rv);
1173 		}
1174 
1175 		if (plain_len > plaintext->cd_length) {
1176 			plaintext->cd_length = plain_len;
1177 			return (CRYPTO_BUFFER_TOO_SMALL);
1178 		}
1179 
1180 		if ((rv = put_output_data(plain_data + modulus_len - plain_len,
1181 		    plaintext, plain_len)) != CRYPTO_SUCCESS)
1182 			return (rv);
1183 
1184 		plaintext->cd_length = plain_len;
1185 	}
1186 
1187 /* EXPORT DELETE END */
1188 
1189 	return (rv);
1190 }
1191 
1192 /* EXPORT DELETE START */
1193 
1194 static int
1195 core_rsa_decrypt(crypto_key_t *key, uchar_t *in, int in_len,
1196     uchar_t *out, int kmflag)
1197 {
1198 	int rv;
1199 	uchar_t *modulus, *prime1, *prime2, *expo1, *expo2, *coef;
1200 	ssize_t modulus_len;
1201 	ssize_t	prime1_len, prime2_len;
1202 	ssize_t	expo1_len, expo2_len, coef_len;
1203 	BIGNUM msg;
1204 	RSAkey *rsakey;
1205 
1206 	if ((rv = get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1207 	    &modulus_len)) != CRYPTO_SUCCESS) {
1208 		return (rv);
1209 	}
1210 
1211 	/*
1212 	 * The following attributes are not required to be
1213 	 * present in a RSA secret key. If any of them is not present
1214 	 * we call the encrypt routine with a flag indicating use of
1215 	 * private exponent (d). Note that SUN_CKA_PRIVATE_EXPONENT is
1216 	 * a required attribute for a RSA secret key.
1217 	 */
1218 	if ((get_key_attr(key, SUN_CKA_PRIME_1, &prime1, &prime1_len)
1219 		!= CRYPTO_SUCCESS) ||
1220 	    (get_key_attr(key, SUN_CKA_PRIME_2, &prime2, &prime2_len)
1221 		!= CRYPTO_SUCCESS) ||
1222 	    (get_key_attr(key, SUN_CKA_EXPONENT_1, &expo1, &expo1_len)
1223 		!= CRYPTO_SUCCESS) ||
1224 	    (get_key_attr(key, SUN_CKA_EXPONENT_2, &expo2, &expo2_len)
1225 		!= CRYPTO_SUCCESS) ||
1226 	    (get_key_attr(key, SUN_CKA_COEFFICIENT, &coef, &coef_len)
1227 		!= CRYPTO_SUCCESS)) {
1228 		return (core_rsa_encrypt(key, in, in_len, out, kmflag, 0));
1229 	}
1230 
1231 	rsakey = kmem_alloc(sizeof (RSAkey), kmflag);
1232 	if (rsakey == NULL)
1233 		return (CRYPTO_HOST_MEMORY);
1234 
1235 	/* psize and qsize for RSA_key_init is in bits. */
1236 	if (RSA_key_init(rsakey, prime2_len * 8, prime1_len * 8) != BIG_OK) {
1237 		rv = CRYPTO_HOST_MEMORY;
1238 		goto clean1;
1239 	}
1240 
1241 	/* Size for big_init is in (32-bit) words. */
1242 	if (big_init(&msg, (in_len + (int)sizeof (uint32_t) - 1) /
1243 	    (int)sizeof (uint32_t)) != BIG_OK) {
1244 		rv = CRYPTO_HOST_MEMORY;
1245 		goto clean2;
1246 	}
1247 
1248 	/* Convert octet string input data to big integer format. */
1249 	bytestring2bignum(&msg, in, in_len);
1250 
1251 	/* Convert octet string modulus to big integer format. */
1252 	bytestring2bignum(&(rsakey->n), modulus, modulus_len);
1253 
1254 	if (big_cmp_abs(&msg, &(rsakey->n)) > 0) {
1255 		rv = CRYPTO_DATA_LEN_RANGE;
1256 		goto clean3;
1257 	}
1258 
1259 	/* Convert the rest of private key attributes to big integer format. */
1260 	bytestring2bignum(&(rsakey->dmodpminus1), expo2, expo2_len);
1261 	bytestring2bignum(&(rsakey->dmodqminus1), expo1, expo1_len);
1262 	bytestring2bignum(&(rsakey->p), prime2, prime2_len);
1263 	bytestring2bignum(&(rsakey->q), prime1, prime1_len);
1264 	bytestring2bignum(&(rsakey->pinvmodq), coef, coef_len);
1265 
1266 	if ((big_cmp_abs(&(rsakey->dmodpminus1), &(rsakey->p)) > 0) ||
1267 	    (big_cmp_abs(&(rsakey->dmodqminus1), &(rsakey->q)) > 0) ||
1268 	    (big_cmp_abs(&(rsakey->pinvmodq), &(rsakey->q)) > 0)) {
1269 		rv = CRYPTO_KEY_SIZE_RANGE;
1270 		goto clean3;
1271 	}
1272 
1273 	/* Perform RSA computation on big integer input data. */
1274 	if (big_modexp_crt(&msg, &msg, &(rsakey->dmodpminus1),
1275 	    &(rsakey->dmodqminus1), &(rsakey->p), &(rsakey->q),
1276 	    &(rsakey->pinvmodq), NULL, NULL) != BIG_OK) {
1277 		rv = CRYPTO_HOST_MEMORY;
1278 		goto clean3;
1279 	}
1280 
1281 	/* Convert the big integer output data to octet string. */
1282 	bignum2bytestring(out, &msg, modulus_len);
1283 
1284 	/*
1285 	 * Should not free modulus and friends as they are just pointers
1286 	 * to an attribute value buffer from the caller.
1287 	 */
1288 clean3:
1289 	big_finish(&msg);
1290 clean2:
1291 	RSA_key_finish(rsakey);
1292 clean1:
1293 	kmem_free(rsakey, sizeof (RSAkey));
1294 
1295 	return (rv);
1296 }
1297 
1298 /* EXPORT DELETE END */
1299 
1300 /* ARGSUSED */
1301 static int
1302 rsa_sign_verify_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
1303     crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
1304     crypto_req_handle_t req)
1305 {
1306 	int rv;
1307 	int kmflag;
1308 	rsa_ctx_t *ctxp;
1309 	digest_rsa_ctx_t *dctxp;
1310 
1311 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1312 		return (rv);
1313 
1314 	/*
1315 	 * Allocate a RSA context.
1316 	 */
1317 	kmflag = crypto_kmflag(req);
1318 	switch (mechanism->cm_type) {
1319 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1320 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1321 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1322 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1323 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1324 		dctxp = kmem_zalloc(sizeof (digest_rsa_ctx_t), kmflag);
1325 		ctxp = (rsa_ctx_t *)dctxp;
1326 		break;
1327 	default:
1328 		ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag);
1329 		break;
1330 	}
1331 
1332 	if (ctxp == NULL)
1333 		return (CRYPTO_HOST_MEMORY);
1334 
1335 	ctxp->mech_type = mechanism->cm_type;
1336 	if ((rv = copy_key_to_ctx(key, ctxp, kmflag)) != CRYPTO_SUCCESS) {
1337 		switch (mechanism->cm_type) {
1338 		case MD5_RSA_PKCS_MECH_INFO_TYPE:
1339 		case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1340 		case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1341 		case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1342 		case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1343 			kmem_free(dctxp, sizeof (digest_rsa_ctx_t));
1344 			break;
1345 		default:
1346 			kmem_free(ctxp, sizeof (rsa_ctx_t));
1347 			break;
1348 		}
1349 		return (rv);
1350 	}
1351 
1352 	switch (mechanism->cm_type) {
1353 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1354 		MD5Init(&(dctxp->md5_ctx));
1355 		break;
1356 
1357 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1358 		SHA1Init(&(dctxp->sha1_ctx));
1359 		break;
1360 
1361 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1362 		SHA2Init(SHA256, &(dctxp->sha2_ctx));
1363 		break;
1364 
1365 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1366 		SHA2Init(SHA384, &(dctxp->sha2_ctx));
1367 		break;
1368 
1369 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1370 		SHA2Init(SHA512, &(dctxp->sha2_ctx));
1371 		break;
1372 	}
1373 
1374 	ctx->cc_provider_private = ctxp;
1375 
1376 	return (CRYPTO_SUCCESS);
1377 }
1378 
1379 #define	SHA1_DIGEST_SIZE 20
1380 #define	MD5_DIGEST_SIZE 16
1381 
1382 #define	INIT_RAW_CRYPTO_DATA(data, base, len, cd_len)	\
1383 	(data).cd_format = CRYPTO_DATA_RAW;		\
1384 	(data).cd_offset = 0;				\
1385 	(data).cd_raw.iov_base = (char *)base;		\
1386 	(data).cd_raw.iov_len = len;			\
1387 	(data).cd_length = cd_len;
1388 
1389 #define	DO_UPDATE	0x01
1390 #define	DO_FINAL	0x02
1391 #define	DO_MD5		0x04
1392 #define	DO_SHA1		0x08
1393 #define	DO_SIGN		0x10
1394 #define	DO_VERIFY	0x20
1395 #define	DO_SHA2		0x40
1396 
1397 static int
1398 digest_data(crypto_data_t *data, void *dctx, uchar_t *digest,
1399     uchar_t flag)
1400 {
1401 	int rv, dlen;
1402 	uchar_t *dptr;
1403 
1404 	ASSERT(flag & DO_MD5 || flag & DO_SHA1 || flag & DO_SHA2);
1405 	if (data == NULL) {
1406 		ASSERT((flag & DO_UPDATE) == 0);
1407 		goto dofinal;
1408 	}
1409 
1410 	dlen = data->cd_length;
1411 
1412 	if (flag & DO_UPDATE) {
1413 
1414 		switch (data->cd_format) {
1415 		case CRYPTO_DATA_RAW:
1416 			dptr = (uchar_t *)(data->cd_raw.iov_base +
1417 			    data->cd_offset);
1418 
1419 			if (flag & DO_MD5)
1420 				MD5Update(dctx, dptr, dlen);
1421 
1422 			else if (flag & DO_SHA1)
1423 				SHA1Update(dctx, dptr, dlen);
1424 
1425 			else
1426 				SHA2Update(dctx, dptr, dlen);
1427 
1428 		break;
1429 
1430 		case CRYPTO_DATA_UIO:
1431 			if (flag & DO_MD5)
1432 				rv = process_uio_data(data, NULL, dlen,
1433 				    MD5_DIGEST_DATA, dctx);
1434 
1435 			else if (flag & DO_SHA1)
1436 				rv = process_uio_data(data, NULL, dlen,
1437 				    SHA1_DIGEST_DATA, dctx);
1438 
1439 			else
1440 				rv = process_uio_data(data, NULL, dlen,
1441 				    SHA2_DIGEST_DATA, dctx);
1442 
1443 			if (rv != CRYPTO_SUCCESS)
1444 				return (rv);
1445 
1446 			break;
1447 
1448 		case CRYPTO_DATA_MBLK:
1449 			if (flag & DO_MD5)
1450 				rv = process_mblk_data(data, NULL, dlen,
1451 				    MD5_DIGEST_DATA, dctx);
1452 
1453 			else if (flag & DO_SHA1)
1454 				rv = process_mblk_data(data, NULL, dlen,
1455 				    SHA1_DIGEST_DATA, dctx);
1456 
1457 			else
1458 				rv = process_mblk_data(data, NULL, dlen,
1459 				    SHA2_DIGEST_DATA, dctx);
1460 
1461 			if (rv != CRYPTO_SUCCESS)
1462 				return (rv);
1463 
1464 			break;
1465 		}
1466 	}
1467 
1468 dofinal:
1469 	if (flag & DO_FINAL) {
1470 		if (flag & DO_MD5)
1471 			MD5Final(digest, dctx);
1472 
1473 		else if (flag & DO_SHA1)
1474 			SHA1Final(digest, dctx);
1475 
1476 		else
1477 			SHA2Final(digest, dctx);
1478 	}
1479 
1480 	return (CRYPTO_SUCCESS);
1481 }
1482 
1483 static int
1484 rsa_digest_svrfy_common(digest_rsa_ctx_t *ctxp, crypto_data_t *data,
1485     crypto_data_t *signature, int kmflag, uchar_t flag)
1486 {
1487 	int rv = CRYPTO_FAILED;
1488 
1489 /* EXPORT DELETE START */
1490 
1491 	uchar_t digest[SHA512_DIGEST_LENGTH];
1492 	/* The der_data size is enough for MD5 also */
1493 	uchar_t der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len];
1494 	ulong_t der_data_len;
1495 	crypto_data_t der_cd;
1496 	rsa_mech_type_t mech_type;
1497 
1498 	ASSERT(flag & DO_SIGN || flag & DO_VERIFY);
1499 	ASSERT(data != NULL || (flag & DO_FINAL));
1500 
1501 	mech_type = ctxp->mech_type;
1502 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE ||
1503 	    mech_type == RSA_X_509_MECH_INFO_TYPE)
1504 		return (CRYPTO_MECHANISM_INVALID);
1505 
1506 	/*
1507 	 * We need to do the BUFFER_TOO_SMALL check before digesting
1508 	 * the data. No check is needed for verify as signature is not
1509 	 * an output argument for verify.
1510 	 */
1511 	if (flag & DO_SIGN) {
1512 		uchar_t *modulus;
1513 		ssize_t modulus_len;
1514 
1515 		if ((rv = get_key_attr(ctxp->key, SUN_CKA_MODULUS, &modulus,
1516 		    &modulus_len)) != CRYPTO_SUCCESS) {
1517 			return (rv);
1518 		}
1519 
1520 		if (signature->cd_length < modulus_len) {
1521 			signature->cd_length = modulus_len;
1522 			return (CRYPTO_BUFFER_TOO_SMALL);
1523 		}
1524 	}
1525 
1526 	if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE)
1527 		rv = digest_data(data, &(ctxp->md5_ctx),
1528 		    digest, flag | DO_MD5);
1529 
1530 	else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE)
1531 		rv = digest_data(data, &(ctxp->sha1_ctx),
1532 		    digest, flag | DO_SHA1);
1533 
1534 	else
1535 		rv = digest_data(data, &(ctxp->sha2_ctx),
1536 		    digest, flag | DO_SHA2);
1537 
1538 	if (rv != CRYPTO_SUCCESS)
1539 		return (rv);
1540 
1541 
1542 	/*
1543 	 * Prepare the DER encoding of the DigestInfo value as follows:
1544 	 * MD5:		MD5_DER_PREFIX || H
1545 	 * SHA-1:	SHA1_DER_PREFIX || H
1546 	 *
1547 	 * See rsa_impl.c for more details.
1548 	 */
1549 	switch (mech_type) {
1550 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1551 		bcopy(MD5_DER_PREFIX, der_data, MD5_DER_PREFIX_Len);
1552 		bcopy(digest, der_data + MD5_DER_PREFIX_Len, MD5_DIGEST_SIZE);
1553 		der_data_len = MD5_DER_PREFIX_Len + MD5_DIGEST_SIZE;
1554 		break;
1555 
1556 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1557 		bcopy(SHA1_DER_PREFIX, der_data, SHA1_DER_PREFIX_Len);
1558 		bcopy(digest, der_data + SHA1_DER_PREFIX_Len,
1559 		    SHA1_DIGEST_SIZE);
1560 		der_data_len = SHA1_DER_PREFIX_Len + SHA1_DIGEST_SIZE;
1561 		break;
1562 
1563 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1564 		bcopy(SHA256_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1565 		bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1566 		    SHA256_DIGEST_LENGTH);
1567 		der_data_len = SHA2_DER_PREFIX_Len + SHA256_DIGEST_LENGTH;
1568 		break;
1569 
1570 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1571 		bcopy(SHA384_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1572 		bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1573 		    SHA384_DIGEST_LENGTH);
1574 		der_data_len = SHA2_DER_PREFIX_Len + SHA384_DIGEST_LENGTH;
1575 		break;
1576 
1577 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1578 		bcopy(SHA512_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1579 		bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1580 		    SHA512_DIGEST_LENGTH);
1581 		der_data_len = SHA2_DER_PREFIX_Len + SHA512_DIGEST_LENGTH;
1582 		break;
1583 	}
1584 
1585 	INIT_RAW_CRYPTO_DATA(der_cd, der_data, der_data_len, der_data_len);
1586 	/*
1587 	 * Now, we are ready to sign or verify the DER_ENCODED data.
1588 	 */
1589 	if (flag & DO_SIGN)
1590 		rv = rsa_sign_common(mech_type, ctxp->key, &der_cd,
1591 		    signature, kmflag);
1592 	else
1593 		rv = rsa_verify_common(mech_type, ctxp->key, &der_cd,
1594 		    signature, kmflag);
1595 
1596 /* EXPORT DELETE END */
1597 
1598 	return (rv);
1599 }
1600 
1601 static int
1602 rsa_sign_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1603     crypto_data_t *data, crypto_data_t *signature, int kmflag)
1604 {
1605 	int rv = CRYPTO_FAILED;
1606 
1607 /* EXPORT DELETE START */
1608 
1609 	int dlen;
1610 	uchar_t *dataptr, *modulus;
1611 	ssize_t modulus_len;
1612 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1613 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1614 	uchar_t signed_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1615 
1616 	if ((rv = get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1617 	    &modulus_len)) != CRYPTO_SUCCESS) {
1618 		return (rv);
1619 	}
1620 
1621 	dlen = data->cd_length;
1622 	switch (mech_type) {
1623 	case RSA_PKCS_MECH_INFO_TYPE:
1624 		if (dlen > (modulus_len - MIN_PKCS1_PADLEN))
1625 			return (CRYPTO_DATA_LEN_RANGE);
1626 		break;
1627 	case RSA_X_509_MECH_INFO_TYPE:
1628 		if (dlen > modulus_len)
1629 			return (CRYPTO_DATA_LEN_RANGE);
1630 		break;
1631 	}
1632 
1633 	if (signature->cd_length < modulus_len) {
1634 		signature->cd_length = modulus_len;
1635 		return (CRYPTO_BUFFER_TOO_SMALL);
1636 	}
1637 
1638 	ASSERT(data->cd_length <= sizeof (tmp_data));
1639 	if ((rv = get_input_data(data, &dataptr, tmp_data))
1640 	    != CRYPTO_SUCCESS)
1641 		return (rv);
1642 
1643 	switch (mech_type) {
1644 	case RSA_PKCS_MECH_INFO_TYPE:
1645 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1646 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1647 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1648 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1649 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1650 		/*
1651 		 * Add PKCS padding to the input data to format a block
1652 		 * type "01" encryption block.
1653 		 */
1654 		rv = soft_sign_rsa_pkcs_encode(dataptr, dlen, plain_data,
1655 		    modulus_len);
1656 		if (rv != CRYPTO_SUCCESS)
1657 			return (rv);
1658 
1659 		break;
1660 
1661 	case RSA_X_509_MECH_INFO_TYPE:
1662 		bzero(plain_data, modulus_len - dlen);
1663 		bcopy(dataptr, &plain_data[modulus_len - dlen], dlen);
1664 		break;
1665 	}
1666 
1667 	rv = core_rsa_decrypt(key, plain_data, modulus_len, signed_data,
1668 	    kmflag);
1669 	if (rv == CRYPTO_SUCCESS) {
1670 		/* copy out to signature */
1671 		if ((rv = put_output_data(signed_data,
1672 		    signature, modulus_len)) != CRYPTO_SUCCESS)
1673 			return (rv);
1674 
1675 		signature->cd_length = modulus_len;
1676 	}
1677 
1678 /* EXPORT DELETE END */
1679 
1680 	return (rv);
1681 }
1682 
1683 /* ARGSUSED */
1684 static int
1685 rsa_sign(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature,
1686     crypto_req_handle_t req)
1687 {
1688 	int rv;
1689 	rsa_ctx_t *ctxp;
1690 
1691 	ASSERT(ctx->cc_provider_private != NULL);
1692 	ctxp = ctx->cc_provider_private;
1693 
1694 	/* See the comments on KM_SLEEP flag in rsa_encrypt() */
1695 	switch (ctxp->mech_type) {
1696 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1697 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1698 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1699 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1700 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1701 		rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data,
1702 		    signature, KM_SLEEP, DO_SIGN | DO_UPDATE | DO_FINAL);
1703 		break;
1704 	default:
1705 		rv = rsa_sign_common(ctxp->mech_type, ctxp->key, data,
1706 		    signature, KM_SLEEP);
1707 		break;
1708 	}
1709 
1710 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1711 		(void) rsa_free_context(ctx);
1712 
1713 	return (rv);
1714 }
1715 
1716 /* ARGSUSED */
1717 static int
1718 rsa_sign_update(crypto_ctx_t *ctx, crypto_data_t *data, crypto_req_handle_t req)
1719 {
1720 	int rv;
1721 	digest_rsa_ctx_t *ctxp;
1722 	rsa_mech_type_t mech_type;
1723 
1724 	ASSERT(ctx->cc_provider_private != NULL);
1725 	ctxp = ctx->cc_provider_private;
1726 	mech_type = ctxp->mech_type;
1727 
1728 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE ||
1729 	    mech_type == RSA_X_509_MECH_INFO_TYPE)
1730 		return (CRYPTO_MECHANISM_INVALID);
1731 
1732 	if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE)
1733 		rv = digest_data(data, &(ctxp->md5_ctx),
1734 		    NULL, DO_MD5 | DO_UPDATE);
1735 
1736 	else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE)
1737 		rv = digest_data(data, &(ctxp->sha1_ctx),
1738 		    NULL, DO_SHA1 | DO_UPDATE);
1739 
1740 	else
1741 		rv = digest_data(data, &(ctxp->sha2_ctx),
1742 		    NULL, DO_SHA2 | DO_UPDATE);
1743 
1744 	return (rv);
1745 }
1746 
1747 static int
1748 rsa_sign_final(crypto_ctx_t *ctx, crypto_data_t *signature,
1749     crypto_req_handle_t req)
1750 {
1751 	int rv;
1752 	digest_rsa_ctx_t *ctxp;
1753 
1754 	ASSERT(ctx->cc_provider_private != NULL);
1755 	ctxp = ctx->cc_provider_private;
1756 
1757 	rv = rsa_digest_svrfy_common(ctxp, NULL, signature,
1758 	    crypto_kmflag(req), DO_SIGN | DO_FINAL);
1759 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1760 		(void) rsa_free_context(ctx);
1761 
1762 	return (rv);
1763 }
1764 
1765 /* ARGSUSED */
1766 static int
1767 rsa_sign_atomic(crypto_provider_handle_t provider,
1768     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1769     crypto_key_t *key, crypto_data_t *data, crypto_data_t *signature,
1770     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1771 {
1772 	int rv;
1773 	digest_rsa_ctx_t dctx;
1774 
1775 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1776 		return (rv);
1777 
1778 	if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE ||
1779 	    mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE)
1780 		rv = rsa_sign_common(mechanism->cm_type, key, data,
1781 		    signature, crypto_kmflag(req));
1782 
1783 	else {
1784 		dctx.mech_type = mechanism->cm_type;
1785 		dctx.key = key;
1786 		switch (mechanism->cm_type) {
1787 		case MD5_RSA_PKCS_MECH_INFO_TYPE:
1788 			MD5Init(&(dctx.md5_ctx));
1789 			break;
1790 
1791 		case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1792 			SHA1Init(&(dctx.sha1_ctx));
1793 			break;
1794 
1795 		case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1796 			SHA2Init(SHA256, &(dctx.sha2_ctx));
1797 			break;
1798 
1799 		case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1800 			SHA2Init(SHA384, &(dctx.sha2_ctx));
1801 			break;
1802 
1803 		case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1804 			SHA2Init(SHA512, &(dctx.sha2_ctx));
1805 			break;
1806 		}
1807 
1808 		rv = rsa_digest_svrfy_common(&dctx, data, signature,
1809 		    crypto_kmflag(req), DO_SIGN | DO_UPDATE | DO_FINAL);
1810 	}
1811 
1812 	return (rv);
1813 }
1814 
1815 static int
1816 rsa_verify_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1817     crypto_data_t *data, crypto_data_t *signature, int kmflag)
1818 {
1819 	int rv = CRYPTO_FAILED;
1820 
1821 /* EXPORT DELETE START */
1822 
1823 	uchar_t *sigptr, *modulus;
1824 	ssize_t modulus_len;
1825 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1826 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1827 
1828 	if ((rv = get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1829 	    &modulus_len)) != CRYPTO_SUCCESS) {
1830 		return (rv);
1831 	}
1832 
1833 	if (signature->cd_length != modulus_len)
1834 		return (CRYPTO_SIGNATURE_LEN_RANGE);
1835 
1836 	ASSERT(signature->cd_length <= sizeof (tmp_data));
1837 	if ((rv = get_input_data(signature, &sigptr, tmp_data))
1838 	    != CRYPTO_SUCCESS)
1839 		return (rv);
1840 
1841 	rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, kmflag, 1);
1842 	if (rv != CRYPTO_SUCCESS)
1843 		return (rv);
1844 
1845 	if (mech_type == RSA_X_509_MECH_INFO_TYPE) {
1846 		if (compare_data(data, (plain_data + modulus_len
1847 		    - data->cd_length)) != 0)
1848 			rv = CRYPTO_SIGNATURE_INVALID;
1849 
1850 	} else {
1851 		int data_len = modulus_len;
1852 
1853 		/*
1854 		 * Strip off the encoded padding bytes in front of the
1855 		 * recovered data, then compare the recovered data with
1856 		 * the original data.
1857 		 */
1858 		rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len);
1859 		if (rv != CRYPTO_SUCCESS)
1860 			return (rv);
1861 
1862 		if (data_len != data->cd_length)
1863 			return (CRYPTO_SIGNATURE_LEN_RANGE);
1864 
1865 		if (compare_data(data, (plain_data + modulus_len
1866 		    - data_len)) != 0)
1867 			rv = CRYPTO_SIGNATURE_INVALID;
1868 	}
1869 
1870 /* EXPORT DELETE END */
1871 
1872 	return (rv);
1873 }
1874 
1875 /* ARGSUSED */
1876 static int
1877 rsa_verify(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature,
1878     crypto_req_handle_t req)
1879 {
1880 	int rv;
1881 	rsa_ctx_t *ctxp;
1882 
1883 	ASSERT(ctx->cc_provider_private != NULL);
1884 	ctxp = ctx->cc_provider_private;
1885 
1886 	/* See the comments on KM_SLEEP flag in rsa_encrypt() */
1887 	switch (ctxp->mech_type) {
1888 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1889 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1890 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1891 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1892 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1893 		rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data,
1894 		    signature, KM_SLEEP, DO_VERIFY | DO_UPDATE | DO_FINAL);
1895 		break;
1896 	default:
1897 		rv = rsa_verify_common(ctxp->mech_type, ctxp->key, data,
1898 		    signature, KM_SLEEP);
1899 		break;
1900 	}
1901 
1902 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1903 		(void) rsa_free_context(ctx);
1904 
1905 	return (rv);
1906 }
1907 
1908 /* ARGSUSED */
1909 static int
1910 rsa_verify_update(crypto_ctx_t *ctx, crypto_data_t *data,
1911     crypto_req_handle_t req)
1912 {
1913 	int rv;
1914 	digest_rsa_ctx_t *ctxp;
1915 
1916 	ASSERT(ctx->cc_provider_private != NULL);
1917 	ctxp = ctx->cc_provider_private;
1918 
1919 	switch (ctxp->mech_type) {
1920 
1921 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1922 		rv = digest_data(data, &(ctxp->md5_ctx),
1923 		    NULL, DO_MD5 | DO_UPDATE);
1924 		break;
1925 
1926 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1927 		rv = digest_data(data, &(ctxp->sha1_ctx),
1928 		    NULL, DO_SHA1 | DO_UPDATE);
1929 		break;
1930 
1931 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1932 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1933 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1934 		rv = digest_data(data, &(ctxp->sha2_ctx),
1935 		    NULL, DO_SHA2 | DO_UPDATE);
1936 		break;
1937 
1938 	default:
1939 		return (CRYPTO_MECHANISM_INVALID);
1940 	}
1941 
1942 	return (rv);
1943 }
1944 
1945 static int
1946 rsa_verify_final(crypto_ctx_t *ctx, crypto_data_t *signature,
1947     crypto_req_handle_t req)
1948 {
1949 	int rv;
1950 	digest_rsa_ctx_t *ctxp;
1951 
1952 	ASSERT(ctx->cc_provider_private != NULL);
1953 	ctxp = ctx->cc_provider_private;
1954 
1955 	rv = rsa_digest_svrfy_common(ctxp, NULL, signature,
1956 	    crypto_kmflag(req), DO_VERIFY | DO_FINAL);
1957 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1958 		(void) rsa_free_context(ctx);
1959 
1960 	return (rv);
1961 }
1962 
1963 
1964 /* ARGSUSED */
1965 static int
1966 rsa_verify_atomic(crypto_provider_handle_t provider,
1967     crypto_session_id_t session_id,
1968     crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data,
1969     crypto_data_t *signature, crypto_spi_ctx_template_t ctx_template,
1970     crypto_req_handle_t req)
1971 {
1972 	int rv;
1973 	digest_rsa_ctx_t dctx;
1974 
1975 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1976 		return (rv);
1977 
1978 	if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE ||
1979 	    mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE)
1980 		rv = rsa_verify_common(mechanism->cm_type, key, data,
1981 		    signature, crypto_kmflag(req));
1982 
1983 	else {
1984 		dctx.mech_type = mechanism->cm_type;
1985 		dctx.key = key;
1986 
1987 		switch (mechanism->cm_type) {
1988 		case MD5_RSA_PKCS_MECH_INFO_TYPE:
1989 			MD5Init(&(dctx.md5_ctx));
1990 			break;
1991 
1992 		case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1993 			SHA1Init(&(dctx.sha1_ctx));
1994 			break;
1995 
1996 		case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1997 			SHA2Init(SHA256, &(dctx.sha2_ctx));
1998 			break;
1999 
2000 		case SHA384_RSA_PKCS_MECH_INFO_TYPE:
2001 			SHA2Init(SHA384, &(dctx.sha2_ctx));
2002 			break;
2003 
2004 		case SHA512_RSA_PKCS_MECH_INFO_TYPE:
2005 			SHA2Init(SHA512, &(dctx.sha2_ctx));
2006 			break;
2007 		}
2008 
2009 		rv = rsa_digest_svrfy_common(&dctx, data,
2010 		    signature, crypto_kmflag(req),
2011 		    DO_VERIFY | DO_UPDATE | DO_FINAL);
2012 	}
2013 
2014 	return (rv);
2015 }
2016 
2017 static int
2018 rsa_verify_recover_common(rsa_mech_type_t mech_type, crypto_key_t *key,
2019     crypto_data_t *signature, crypto_data_t *data, int kmflag)
2020 {
2021 	int rv = CRYPTO_FAILED;
2022 
2023 /* EXPORT DELETE START */
2024 
2025 	int data_len;
2026 	uchar_t *sigptr, *modulus;
2027 	ssize_t modulus_len;
2028 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
2029 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
2030 
2031 	if ((rv = get_key_attr(key, SUN_CKA_MODULUS, &modulus,
2032 	    &modulus_len)) != CRYPTO_SUCCESS) {
2033 		return (rv);
2034 	}
2035 
2036 	if (signature->cd_length != modulus_len)
2037 		return (CRYPTO_SIGNATURE_LEN_RANGE);
2038 
2039 	ASSERT(signature->cd_length <= sizeof (tmp_data));
2040 	if ((rv = get_input_data(signature, &sigptr, tmp_data))
2041 	    != CRYPTO_SUCCESS)
2042 		return (rv);
2043 
2044 	rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, kmflag, 1);
2045 	if (rv != CRYPTO_SUCCESS)
2046 		return (rv);
2047 
2048 	data_len = modulus_len;
2049 
2050 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
2051 		/*
2052 		 * Strip off the encoded padding bytes in front of the
2053 		 * recovered data, then compare the recovered data with
2054 		 * the original data.
2055 		 */
2056 		rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len);
2057 		if (rv != CRYPTO_SUCCESS)
2058 			return (rv);
2059 	}
2060 
2061 	if (data->cd_length < data_len) {
2062 		data->cd_length = data_len;
2063 		return (CRYPTO_BUFFER_TOO_SMALL);
2064 	}
2065 
2066 	if ((rv = put_output_data(plain_data + modulus_len - data_len,
2067 	    data, data_len)) != CRYPTO_SUCCESS)
2068 		return (rv);
2069 	data->cd_length = data_len;
2070 
2071 /* EXPORT DELETE END */
2072 
2073 	return (rv);
2074 }
2075 
2076 /* ARGSUSED */
2077 static int
2078 rsa_verify_recover(crypto_ctx_t *ctx, crypto_data_t *signature,
2079     crypto_data_t *data, crypto_req_handle_t req)
2080 {
2081 	int rv;
2082 	rsa_ctx_t *ctxp;
2083 
2084 	ASSERT(ctx->cc_provider_private != NULL);
2085 	ctxp = ctx->cc_provider_private;
2086 
2087 	/* See the comments on KM_SLEEP flag in rsa_encrypt() */
2088 	rv = rsa_verify_recover_common(ctxp->mech_type, ctxp->key,
2089 	    signature, data, KM_SLEEP);
2090 
2091 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
2092 		(void) rsa_free_context(ctx);
2093 
2094 	return (rv);
2095 }
2096 
2097 /* ARGSUSED */
2098 static int
2099 rsa_verify_recover_atomic(crypto_provider_handle_t provider,
2100     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
2101     crypto_key_t *key, crypto_data_t *signature, crypto_data_t *data,
2102     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
2103 {
2104 	int rv;
2105 
2106 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
2107 		return (rv);
2108 
2109 	return (rsa_verify_recover_common(mechanism->cm_type, key,
2110 	    signature, data, crypto_kmflag(req)));
2111 }
2112