xref: /titanic_44/usr/src/uts/common/crypto/io/rsa.c (revision 0dc2366f7b9f9f36e10909b1e95edbf2a261c2ac)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * RSA provider for the Kernel Cryptographic Framework (KCF)
28  */
29 
30 #include <sys/types.h>
31 #include <sys/systm.h>
32 #include <sys/modctl.h>
33 #include <sys/cmn_err.h>
34 #include <sys/ddi.h>
35 #include <sys/crypto/spi.h>
36 #include <sys/sysmacros.h>
37 #include <sys/strsun.h>
38 #include <sys/md5.h>
39 #include <sys/sha1.h>
40 #define	_SHA2_IMPL
41 #include <sys/sha2.h>
42 #include <sys/random.h>
43 #include <sys/crypto/impl.h>
44 #include <sha1/sha1_impl.h>
45 #include <sha2/sha2_impl.h>
46 #define	_RSA_FIPS_POST
47 #include <rsa/rsa_impl.h>
48 
49 extern struct mod_ops mod_cryptoops;
50 
51 /*
52  * Module linkage information for the kernel.
53  */
54 static struct modlcrypto modlcrypto = {
55 	&mod_cryptoops,
56 	"RSA Kernel SW Provider"
57 };
58 
59 static struct modlinkage modlinkage = {
60 	MODREV_1,
61 	(void *)&modlcrypto,
62 	NULL
63 };
64 
65 /*
66  * CSPI information (entry points, provider info, etc.)
67  */
68 typedef enum rsa_mech_type {
69 	RSA_PKCS_MECH_INFO_TYPE,	/* SUN_CKM_RSA_PKCS */
70 	RSA_X_509_MECH_INFO_TYPE,	/* SUN_CKM_RSA_X_509 */
71 	MD5_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_MD5_RSA_PKCS */
72 	SHA1_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_SHA1_RSA_PKCS */
73 	SHA256_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_SHA256_RSA_PKCS */
74 	SHA384_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_SHA384_RSA_PKCS */
75 	SHA512_RSA_PKCS_MECH_INFO_TYPE	/* SUN_SHA512_RSA_PKCS */
76 } rsa_mech_type_t;
77 
78 /*
79  * Context for RSA_PKCS and RSA_X_509 mechanisms.
80  */
81 typedef struct rsa_ctx {
82 	rsa_mech_type_t	mech_type;
83 	crypto_key_t *key;
84 	size_t keychunk_size;
85 } rsa_ctx_t;
86 
87 /*
88  * Context for MD5_RSA_PKCS and SHA*_RSA_PKCS mechanisms.
89  */
90 typedef struct digest_rsa_ctx {
91 	rsa_mech_type_t	mech_type;
92 	crypto_key_t *key;
93 	size_t keychunk_size;
94 	union {
95 		MD5_CTX md5ctx;
96 		SHA1_CTX sha1ctx;
97 		SHA2_CTX sha2ctx;
98 	} dctx_u;
99 } digest_rsa_ctx_t;
100 
101 #define	md5_ctx		dctx_u.md5ctx
102 #define	sha1_ctx	dctx_u.sha1ctx
103 #define	sha2_ctx	dctx_u.sha2ctx
104 
105 /*
106  * Mechanism info structure passed to KCF during registration.
107  */
108 static crypto_mech_info_t rsa_mech_info_tab[] = {
109 	/* RSA_PKCS */
110 	{SUN_CKM_RSA_PKCS, RSA_PKCS_MECH_INFO_TYPE,
111 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
112 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
113 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
114 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC |
115 	    CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC |
116 	    CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC,
117 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
118 
119 	/* RSA_X_509 */
120 	{SUN_CKM_RSA_X_509, RSA_X_509_MECH_INFO_TYPE,
121 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
122 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
123 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
124 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC |
125 	    CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC |
126 	    CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC,
127 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
128 
129 	/* MD5_RSA_PKCS */
130 	{SUN_CKM_MD5_RSA_PKCS, MD5_RSA_PKCS_MECH_INFO_TYPE,
131 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
132 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
133 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
134 
135 	/* SHA1_RSA_PKCS */
136 	{SUN_CKM_SHA1_RSA_PKCS, SHA1_RSA_PKCS_MECH_INFO_TYPE,
137 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
138 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
139 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
140 
141 	/* SHA256_RSA_PKCS */
142 	{SUN_CKM_SHA256_RSA_PKCS, SHA256_RSA_PKCS_MECH_INFO_TYPE,
143 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
144 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
145 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
146 
147 	/* SHA384_RSA_PKCS */
148 	{SUN_CKM_SHA384_RSA_PKCS, SHA384_RSA_PKCS_MECH_INFO_TYPE,
149 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
150 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
151 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
152 
153 	/* SHA512_RSA_PKCS */
154 	{SUN_CKM_SHA512_RSA_PKCS, SHA512_RSA_PKCS_MECH_INFO_TYPE,
155 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
156 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
157 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}
158 
159 };
160 
161 #define	RSA_VALID_MECH(mech)					\
162 	(((mech)->cm_type == RSA_PKCS_MECH_INFO_TYPE ||		\
163 	(mech)->cm_type == RSA_X_509_MECH_INFO_TYPE ||		\
164 	(mech)->cm_type == MD5_RSA_PKCS_MECH_INFO_TYPE ||	\
165 	(mech)->cm_type == SHA1_RSA_PKCS_MECH_INFO_TYPE ||	\
166 	(mech)->cm_type == SHA256_RSA_PKCS_MECH_INFO_TYPE ||	\
167 	(mech)->cm_type == SHA384_RSA_PKCS_MECH_INFO_TYPE ||	\
168 	(mech)->cm_type == SHA512_RSA_PKCS_MECH_INFO_TYPE) ? 1 : 0)
169 
170 /* operations are in-place if the output buffer is NULL */
171 #define	RSA_ARG_INPLACE(input, output)				\
172 	if ((output) == NULL)					\
173 		(output) = (input);
174 
175 static void rsa_provider_status(crypto_provider_handle_t, uint_t *);
176 
177 static crypto_control_ops_t rsa_control_ops = {
178 	rsa_provider_status
179 };
180 
181 static int rsa_common_init(crypto_ctx_t *, crypto_mechanism_t *,
182     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
183 static int rsa_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
184     crypto_req_handle_t);
185 static int rsa_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
186     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
187     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
188 static int rsa_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
189     crypto_req_handle_t);
190 static int rsa_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
191     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
192     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
193 
194 /*
195  * The RSA mechanisms do not have multiple-part cipher operations.
196  * So, the update and final routines are set to NULL.
197  */
198 static crypto_cipher_ops_t rsa_cipher_ops = {
199 	rsa_common_init,
200 	rsa_encrypt,
201 	NULL,
202 	NULL,
203 	rsa_encrypt_atomic,
204 	rsa_common_init,
205 	rsa_decrypt,
206 	NULL,
207 	NULL,
208 	rsa_decrypt_atomic
209 };
210 
211 static int rsa_sign_verify_common_init(crypto_ctx_t *, crypto_mechanism_t *,
212     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
213 static int rsa_sign(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
214     crypto_req_handle_t);
215 static int rsa_sign_update(crypto_ctx_t *, crypto_data_t *,
216     crypto_req_handle_t);
217 static int rsa_sign_final(crypto_ctx_t *, crypto_data_t *,
218     crypto_req_handle_t);
219 static int rsa_sign_atomic(crypto_provider_handle_t, crypto_session_id_t,
220     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
221     crypto_spi_ctx_template_t, crypto_req_handle_t);
222 
223 /*
224  * We use the same routine for sign_init and sign_recover_init fields
225  * as they do the same thing. Same holds for sign and sign_recover fields,
226  * and sign_atomic and sign_recover_atomic fields.
227  */
228 static crypto_sign_ops_t rsa_sign_ops = {
229 	rsa_sign_verify_common_init,
230 	rsa_sign,
231 	rsa_sign_update,
232 	rsa_sign_final,
233 	rsa_sign_atomic,
234 	rsa_sign_verify_common_init,
235 	rsa_sign,
236 	rsa_sign_atomic
237 };
238 
239 static int rsa_verify(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
240     crypto_req_handle_t);
241 static int rsa_verify_update(crypto_ctx_t *, crypto_data_t *,
242     crypto_req_handle_t);
243 static int rsa_verify_final(crypto_ctx_t *, crypto_data_t *,
244     crypto_req_handle_t);
245 static int rsa_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
246     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
247     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
248 static int rsa_verify_recover(crypto_ctx_t *, crypto_data_t *,
249     crypto_data_t *, crypto_req_handle_t);
250 static int rsa_verify_recover_atomic(crypto_provider_handle_t,
251     crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
252     crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
253     crypto_req_handle_t);
254 
255 /*
256  * We use the same routine (rsa_sign_verify_common_init) for verify_init
257  * and verify_recover_init fields as they do the same thing.
258  */
259 static crypto_verify_ops_t rsa_verify_ops = {
260 	rsa_sign_verify_common_init,
261 	rsa_verify,
262 	rsa_verify_update,
263 	rsa_verify_final,
264 	rsa_verify_atomic,
265 	rsa_sign_verify_common_init,
266 	rsa_verify_recover,
267 	rsa_verify_recover_atomic
268 };
269 
270 static int rsa_free_context(crypto_ctx_t *);
271 
272 static crypto_ctx_ops_t rsa_ctx_ops = {
273 	NULL,
274 	rsa_free_context
275 };
276 
277 static void rsa_POST(int *);
278 
279 static crypto_fips140_ops_t rsa_fips140_ops = {
280 	rsa_POST
281 };
282 
283 static crypto_ops_t rsa_crypto_ops = {
284 	&rsa_control_ops,
285 	NULL,
286 	&rsa_cipher_ops,
287 	NULL,
288 	&rsa_sign_ops,
289 	&rsa_verify_ops,
290 	NULL,
291 	NULL,
292 	NULL,
293 	NULL,
294 	NULL,
295 	NULL,
296 	NULL,
297 	&rsa_ctx_ops,
298 	NULL,
299 	NULL,
300 	&rsa_fips140_ops
301 };
302 
303 static crypto_provider_info_t rsa_prov_info = {
304 	CRYPTO_SPI_VERSION_4,
305 	"RSA Software Provider",
306 	CRYPTO_SW_PROVIDER,
307 	{&modlinkage},
308 	NULL,
309 	&rsa_crypto_ops,
310 	sizeof (rsa_mech_info_tab)/sizeof (crypto_mech_info_t),
311 	rsa_mech_info_tab
312 };
313 
314 static int rsa_encrypt_common(rsa_mech_type_t, crypto_key_t *,
315     crypto_data_t *, crypto_data_t *, int);
316 static int rsa_decrypt_common(rsa_mech_type_t, crypto_key_t *,
317     crypto_data_t *, crypto_data_t *, int);
318 static int rsa_sign_common(rsa_mech_type_t, crypto_key_t *,
319     crypto_data_t *, crypto_data_t *, int);
320 static int rsa_verify_common(rsa_mech_type_t, crypto_key_t *,
321     crypto_data_t *, crypto_data_t *, int);
322 static int compare_data(crypto_data_t *, uchar_t *);
323 
324 /* EXPORT DELETE START */
325 
326 static int core_rsa_encrypt(crypto_key_t *, uchar_t *,
327     int, uchar_t *, int, int);
328 static int core_rsa_decrypt(crypto_key_t *, uchar_t *, int,
329     uchar_t *, int);
330 
331 /* EXPORT DELETE END */
332 
333 static crypto_kcf_provider_handle_t rsa_prov_handle = NULL;
334 
335 int
336 _init(void)
337 {
338 	int ret;
339 
340 	if ((ret = mod_install(&modlinkage)) != 0)
341 		return (ret);
342 
343 	/* Register with KCF.  If the registration fails, remove the module. */
344 	if (crypto_register_provider(&rsa_prov_info, &rsa_prov_handle)) {
345 		(void) mod_remove(&modlinkage);
346 		return (EACCES);
347 	}
348 
349 	return (0);
350 }
351 
352 int
353 _fini(void)
354 {
355 	/* Unregister from KCF if module is registered */
356 	if (rsa_prov_handle != NULL) {
357 		if (crypto_unregister_provider(rsa_prov_handle))
358 			return (EBUSY);
359 
360 		rsa_prov_handle = NULL;
361 	}
362 
363 	return (mod_remove(&modlinkage));
364 }
365 
366 int
367 _info(struct modinfo *modinfop)
368 {
369 	return (mod_info(&modlinkage, modinfop));
370 }
371 
372 /* ARGSUSED */
373 static void
374 rsa_provider_status(crypto_provider_handle_t provider, uint_t *status)
375 {
376 	*status = CRYPTO_PROVIDER_READY;
377 }
378 
379 static int
380 check_mech_and_key(crypto_mechanism_t *mechanism, crypto_key_t *key)
381 {
382 	int rv = CRYPTO_FAILED;
383 
384 /* EXPORT DELETE START */
385 
386 	uchar_t *modulus;
387 	ssize_t modulus_len; /* In bytes */
388 
389 	if (!RSA_VALID_MECH(mechanism))
390 		return (CRYPTO_MECHANISM_INVALID);
391 
392 	/*
393 	 * We only support RSA keys that are passed as a list of
394 	 * object attributes.
395 	 */
396 	if (key->ck_format != CRYPTO_KEY_ATTR_LIST) {
397 		return (CRYPTO_KEY_TYPE_INCONSISTENT);
398 	}
399 
400 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
401 	    &modulus_len)) != CRYPTO_SUCCESS) {
402 		return (rv);
403 	}
404 	if (modulus_len < MIN_RSA_KEYLENGTH_IN_BYTES ||
405 	    modulus_len > MAX_RSA_KEYLENGTH_IN_BYTES)
406 		return (CRYPTO_KEY_SIZE_RANGE);
407 
408 /* EXPORT DELETE END */
409 
410 	return (rv);
411 }
412 
413 void
414 kmemset(uint8_t *buf, char pattern, size_t len)
415 {
416 	int i = 0;
417 
418 	while (i < len)
419 		buf[i++] = pattern;
420 }
421 
422 /*
423  * This function guarantees to return non-zero random numbers.
424  * This is needed as the /dev/urandom kernel interface,
425  * random_get_pseudo_bytes(), may return zeros.
426  */
427 int
428 knzero_random_generator(uint8_t *ran_out, size_t ran_len)
429 {
430 	int rv;
431 	size_t ebc = 0; /* count of extra bytes in extrarand */
432 	size_t i = 0;
433 	uint8_t extrarand[32];
434 	size_t extrarand_len;
435 
436 	if ((rv = random_get_pseudo_bytes_fips140(ran_out, ran_len)) != 0)
437 		return (rv);
438 
439 	/*
440 	 * Walk through the returned random numbers pointed by ran_out,
441 	 * and look for any random number which is zero.
442 	 * If we find zero, call random_get_pseudo_bytes() to generate
443 	 * another 32 random numbers pool. Replace any zeros in ran_out[]
444 	 * from the random number in pool.
445 	 */
446 	while (i < ran_len) {
447 		if (ran_out[i] != 0) {
448 			i++;
449 			continue;
450 		}
451 
452 		/*
453 		 * Note that it is 'while' so we are guaranteed a
454 		 * non-zero value on exit.
455 		 */
456 		if (ebc == 0) {
457 			/* refresh extrarand */
458 			extrarand_len = sizeof (extrarand);
459 			if ((rv = random_get_pseudo_bytes_fips140(extrarand,
460 			    extrarand_len)) != 0) {
461 				return (rv);
462 			}
463 
464 			ebc = extrarand_len;
465 		}
466 		/* Replace zero with byte from extrarand. */
467 		-- ebc;
468 
469 		/*
470 		 * The new random byte zero/non-zero will be checked in
471 		 * the next pass through the loop.
472 		 */
473 		ran_out[i] = extrarand[ebc];
474 	}
475 
476 	return (CRYPTO_SUCCESS);
477 }
478 
479 static int
480 compare_data(crypto_data_t *data, uchar_t *buf)
481 {
482 	int len;
483 	uchar_t *dptr;
484 
485 	len = data->cd_length;
486 	switch (data->cd_format) {
487 	case CRYPTO_DATA_RAW:
488 		dptr = (uchar_t *)(data->cd_raw.iov_base +
489 		    data->cd_offset);
490 
491 		return (bcmp(dptr, buf, len));
492 
493 	case CRYPTO_DATA_UIO:
494 		return (crypto_uio_data(data, buf, len,
495 		    COMPARE_TO_DATA, NULL, NULL));
496 
497 	case CRYPTO_DATA_MBLK:
498 		return (crypto_mblk_data(data, buf, len,
499 		    COMPARE_TO_DATA, NULL, NULL));
500 	}
501 
502 	return (CRYPTO_FAILED);
503 }
504 
505 /* ARGSUSED */
506 static int
507 rsa_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
508     crypto_key_t *key, crypto_spi_ctx_template_t template,
509     crypto_req_handle_t req)
510 {
511 	int rv;
512 	int kmflag;
513 	rsa_ctx_t *ctxp;
514 
515 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
516 		return (rv);
517 
518 	/*
519 	 * Allocate a RSA context.
520 	 */
521 	kmflag = crypto_kmflag(req);
522 	if ((ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag)) == NULL)
523 		return (CRYPTO_HOST_MEMORY);
524 
525 	if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size,
526 	    kmflag)) != CRYPTO_SUCCESS) {
527 		kmem_free(ctxp, sizeof (rsa_ctx_t));
528 		return (rv);
529 	}
530 	ctxp->mech_type = mechanism->cm_type;
531 
532 	ctx->cc_provider_private = ctxp;
533 
534 	return (CRYPTO_SUCCESS);
535 }
536 
537 /* ARGSUSED */
538 static int
539 rsa_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext,
540     crypto_data_t *ciphertext, crypto_req_handle_t req)
541 {
542 	int rv;
543 	rsa_ctx_t *ctxp;
544 
545 	ASSERT(ctx->cc_provider_private != NULL);
546 	ctxp = ctx->cc_provider_private;
547 
548 	RSA_ARG_INPLACE(plaintext, ciphertext);
549 
550 	/*
551 	 * Note on the KM_SLEEP flag passed to the routine below -
552 	 * rsa_encrypt() is a single-part encryption routine which is
553 	 * currently usable only by /dev/crypto. Since /dev/crypto calls are
554 	 * always synchronous, we can safely pass KM_SLEEP here.
555 	 */
556 	rv = rsa_encrypt_common(ctxp->mech_type, ctxp->key, plaintext,
557 	    ciphertext, KM_SLEEP);
558 
559 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
560 		(void) rsa_free_context(ctx);
561 
562 	return (rv);
563 }
564 
565 /* ARGSUSED */
566 static int
567 rsa_encrypt_atomic(crypto_provider_handle_t provider,
568     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
569     crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext,
570     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
571 {
572 	int rv;
573 
574 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
575 		return (rv);
576 	RSA_ARG_INPLACE(plaintext, ciphertext);
577 
578 	return (rsa_encrypt_common(mechanism->cm_type, key, plaintext,
579 	    ciphertext, crypto_kmflag(req)));
580 }
581 
582 static int
583 rsa_free_context(crypto_ctx_t *ctx)
584 {
585 	rsa_ctx_t *ctxp = ctx->cc_provider_private;
586 
587 	if (ctxp != NULL) {
588 		bzero(ctxp->key, ctxp->keychunk_size);
589 		kmem_free(ctxp->key, ctxp->keychunk_size);
590 
591 		if (ctxp->mech_type == RSA_PKCS_MECH_INFO_TYPE ||
592 		    ctxp->mech_type == RSA_X_509_MECH_INFO_TYPE)
593 			kmem_free(ctxp, sizeof (rsa_ctx_t));
594 		else
595 			kmem_free(ctxp, sizeof (digest_rsa_ctx_t));
596 
597 		ctx->cc_provider_private = NULL;
598 	}
599 
600 	return (CRYPTO_SUCCESS);
601 }
602 
603 static int
604 rsa_encrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
605     crypto_data_t *plaintext, crypto_data_t *ciphertext, int kmflag)
606 {
607 	int rv = CRYPTO_FAILED;
608 
609 /* EXPORT DELETE START */
610 
611 	int plen;
612 	uchar_t *ptptr;
613 	uchar_t *modulus;
614 	ssize_t modulus_len;
615 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
616 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
617 	uchar_t cipher_data[MAX_RSA_KEYLENGTH_IN_BYTES];
618 
619 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
620 	    &modulus_len)) != CRYPTO_SUCCESS) {
621 		return (rv);
622 	}
623 
624 	plen = plaintext->cd_length;
625 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
626 		if (plen > (modulus_len - MIN_PKCS1_PADLEN))
627 			return (CRYPTO_DATA_LEN_RANGE);
628 	} else {
629 		if (plen > modulus_len)
630 			return (CRYPTO_DATA_LEN_RANGE);
631 	}
632 
633 	/*
634 	 * Output buf len must not be less than RSA modulus size.
635 	 */
636 	if (ciphertext->cd_length < modulus_len) {
637 		ciphertext->cd_length = modulus_len;
638 		return (CRYPTO_BUFFER_TOO_SMALL);
639 	}
640 
641 	ASSERT(plaintext->cd_length <= sizeof (tmp_data));
642 	if ((rv = crypto_get_input_data(plaintext, &ptptr, tmp_data))
643 	    != CRYPTO_SUCCESS)
644 		return (rv);
645 
646 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
647 		rv = soft_encrypt_rsa_pkcs_encode(ptptr, plen,
648 		    plain_data, modulus_len);
649 
650 		if (rv != CRYPTO_SUCCESS)
651 			return (rv);
652 	} else {
653 		bzero(plain_data, modulus_len - plen);
654 		bcopy(ptptr, &plain_data[modulus_len - plen], plen);
655 	}
656 
657 	rv = core_rsa_encrypt(key, plain_data, modulus_len,
658 	    cipher_data, kmflag, 1);
659 	if (rv == CRYPTO_SUCCESS) {
660 		/* copy out to ciphertext */
661 		if ((rv = crypto_put_output_data(cipher_data,
662 		    ciphertext, modulus_len)) != CRYPTO_SUCCESS)
663 			return (rv);
664 
665 		ciphertext->cd_length = modulus_len;
666 	}
667 
668 /* EXPORT DELETE END */
669 
670 	return (rv);
671 }
672 
673 /* EXPORT DELETE START */
674 
675 static int
676 core_rsa_encrypt(crypto_key_t *key, uchar_t *in,
677     int in_len, uchar_t *out, int kmflag, int is_public)
678 {
679 	int rv;
680 	uchar_t *expo, *modulus;
681 	ssize_t	expo_len;
682 	ssize_t modulus_len;
683 	BIGNUM msg;
684 	RSAkey *rsakey;
685 
686 	if (is_public) {
687 		if ((rv = crypto_get_key_attr(key, SUN_CKA_PUBLIC_EXPONENT,
688 		    &expo, &expo_len)) != CRYPTO_SUCCESS)
689 			return (rv);
690 	} else {
691 		/*
692 		 * SUN_CKA_PRIVATE_EXPONENT is a required attribute for a
693 		 * RSA secret key. See the comments in core_rsa_decrypt
694 		 * routine which calls this routine with a private key.
695 		 */
696 		if ((rv = crypto_get_key_attr(key, SUN_CKA_PRIVATE_EXPONENT,
697 		    &expo, &expo_len)) != CRYPTO_SUCCESS)
698 			return (rv);
699 	}
700 
701 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
702 	    &modulus_len)) != CRYPTO_SUCCESS) {
703 		return (rv);
704 	}
705 
706 	rsakey = kmem_alloc(sizeof (RSAkey), kmflag);
707 	if (rsakey == NULL)
708 		return (CRYPTO_HOST_MEMORY);
709 
710 	/* psize and qsize for RSA_key_init is in bits. */
711 	if (RSA_key_init(rsakey, modulus_len * 4, modulus_len * 4) != BIG_OK) {
712 		rv = CRYPTO_HOST_MEMORY;
713 		goto clean1;
714 	}
715 
716 	/* Size for big_init is in BIG_CHUNK_TYPE words. */
717 	if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) {
718 		rv = CRYPTO_HOST_MEMORY;
719 		goto clean2;
720 	}
721 
722 	/* Convert octet string exponent to big integer format. */
723 	bytestring2bignum(&(rsakey->e), expo, expo_len);
724 
725 	/* Convert octet string modulus to big integer format. */
726 	bytestring2bignum(&(rsakey->n), modulus, modulus_len);
727 
728 	/* Convert octet string input data to big integer format. */
729 	bytestring2bignum(&msg, in, in_len);
730 
731 	if (big_cmp_abs(&msg, &(rsakey->n)) > 0) {
732 		rv = CRYPTO_DATA_LEN_RANGE;
733 		goto clean3;
734 	}
735 
736 	/* Perform RSA computation on big integer input data. */
737 	if (big_modexp(&msg, &msg, &(rsakey->e), &(rsakey->n), NULL)
738 	    != BIG_OK) {
739 		rv = CRYPTO_HOST_MEMORY;
740 		goto clean3;
741 	}
742 
743 	/* Convert the big integer output data to octet string. */
744 	bignum2bytestring(out, &msg, modulus_len);
745 
746 	/*
747 	 * Should not free modulus and expo as both are just pointers
748 	 * to an attribute value buffer from the caller.
749 	 */
750 clean3:
751 	big_finish(&msg);
752 clean2:
753 	RSA_key_finish(rsakey);
754 clean1:
755 	kmem_free(rsakey, sizeof (RSAkey));
756 
757 	return (rv);
758 }
759 
760 /* EXPORT DELETE END */
761 
762 /* ARGSUSED */
763 static int
764 rsa_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
765     crypto_data_t *plaintext, crypto_req_handle_t req)
766 {
767 	int rv;
768 	rsa_ctx_t *ctxp;
769 
770 	ASSERT(ctx->cc_provider_private != NULL);
771 	ctxp = ctx->cc_provider_private;
772 
773 	RSA_ARG_INPLACE(ciphertext, plaintext);
774 
775 	/* See the comments on KM_SLEEP flag in rsa_encrypt() */
776 	rv = rsa_decrypt_common(ctxp->mech_type, ctxp->key,
777 	    ciphertext, plaintext, KM_SLEEP);
778 
779 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
780 		(void) rsa_free_context(ctx);
781 
782 	return (rv);
783 }
784 
785 /* ARGSUSED */
786 static int
787 rsa_decrypt_atomic(crypto_provider_handle_t provider,
788     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
789     crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
790     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
791 {
792 	int rv;
793 
794 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
795 		return (rv);
796 	RSA_ARG_INPLACE(ciphertext, plaintext);
797 
798 	return (rsa_decrypt_common(mechanism->cm_type, key, ciphertext,
799 	    plaintext, crypto_kmflag(req)));
800 }
801 
802 static int
803 rsa_decrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
804     crypto_data_t *ciphertext, crypto_data_t *plaintext, int kmflag)
805 {
806 	int rv = CRYPTO_FAILED;
807 
808 /* EXPORT DELETE START */
809 
810 	int plain_len;
811 	uchar_t *ctptr;
812 	uchar_t *modulus;
813 	ssize_t modulus_len;
814 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
815 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
816 
817 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
818 	    &modulus_len)) != CRYPTO_SUCCESS) {
819 		return (rv);
820 	}
821 
822 	/*
823 	 * Ciphertext length must be equal to RSA modulus size.
824 	 */
825 	if (ciphertext->cd_length != modulus_len)
826 		return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
827 
828 	ASSERT(ciphertext->cd_length <= sizeof (tmp_data));
829 	if ((rv = crypto_get_input_data(ciphertext, &ctptr, tmp_data))
830 	    != CRYPTO_SUCCESS)
831 		return (rv);
832 
833 	rv = core_rsa_decrypt(key, ctptr, modulus_len, plain_data, kmflag);
834 	if (rv == CRYPTO_SUCCESS) {
835 		plain_len = modulus_len;
836 
837 		if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
838 			/* Strip off the PKCS block formatting data. */
839 			rv = soft_decrypt_rsa_pkcs_decode(plain_data,
840 			    &plain_len);
841 			if (rv != CRYPTO_SUCCESS)
842 				return (rv);
843 		}
844 
845 		if (plain_len > plaintext->cd_length) {
846 			plaintext->cd_length = plain_len;
847 			return (CRYPTO_BUFFER_TOO_SMALL);
848 		}
849 
850 		if ((rv = crypto_put_output_data(
851 		    plain_data + modulus_len - plain_len,
852 		    plaintext, plain_len)) != CRYPTO_SUCCESS)
853 			return (rv);
854 
855 		plaintext->cd_length = plain_len;
856 	}
857 
858 /* EXPORT DELETE END */
859 
860 	return (rv);
861 }
862 
863 /* EXPORT DELETE START */
864 
865 static int
866 core_rsa_decrypt(crypto_key_t *key, uchar_t *in, int in_len,
867     uchar_t *out, int kmflag)
868 {
869 	int rv;
870 	uchar_t *modulus, *prime1, *prime2, *expo1, *expo2, *coef;
871 	ssize_t modulus_len;
872 	ssize_t	prime1_len, prime2_len;
873 	ssize_t	expo1_len, expo2_len, coef_len;
874 	BIGNUM msg;
875 	RSAkey *rsakey;
876 
877 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
878 	    &modulus_len)) != CRYPTO_SUCCESS) {
879 		return (rv);
880 	}
881 
882 	/*
883 	 * The following attributes are not required to be
884 	 * present in a RSA secret key. If any of them is not present
885 	 * we call the encrypt routine with a flag indicating use of
886 	 * private exponent (d). Note that SUN_CKA_PRIVATE_EXPONENT is
887 	 * a required attribute for a RSA secret key.
888 	 */
889 	if ((crypto_get_key_attr(key, SUN_CKA_PRIME_1, &prime1, &prime1_len)
890 	    != CRYPTO_SUCCESS) ||
891 	    (crypto_get_key_attr(key, SUN_CKA_PRIME_2, &prime2, &prime2_len)
892 	    != CRYPTO_SUCCESS) ||
893 	    (crypto_get_key_attr(key, SUN_CKA_EXPONENT_1, &expo1, &expo1_len)
894 	    != CRYPTO_SUCCESS) ||
895 	    (crypto_get_key_attr(key, SUN_CKA_EXPONENT_2, &expo2, &expo2_len)
896 	    != CRYPTO_SUCCESS) ||
897 	    (crypto_get_key_attr(key, SUN_CKA_COEFFICIENT, &coef, &coef_len)
898 	    != CRYPTO_SUCCESS)) {
899 		return (core_rsa_encrypt(key, in, in_len, out, kmflag, 0));
900 	}
901 
902 	rsakey = kmem_alloc(sizeof (RSAkey), kmflag);
903 	if (rsakey == NULL)
904 		return (CRYPTO_HOST_MEMORY);
905 
906 	/* psize and qsize for RSA_key_init is in bits. */
907 	if (RSA_key_init(rsakey, CRYPTO_BYTES2BITS(prime2_len),
908 	    CRYPTO_BYTES2BITS(prime1_len)) != BIG_OK) {
909 		rv = CRYPTO_HOST_MEMORY;
910 		goto clean1;
911 	}
912 
913 	/* Size for big_init is in BIG_CHUNK_TYPE words. */
914 	if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) {
915 		rv = CRYPTO_HOST_MEMORY;
916 		goto clean2;
917 	}
918 
919 	/* Convert octet string input data to big integer format. */
920 	bytestring2bignum(&msg, in, in_len);
921 
922 	/* Convert octet string modulus to big integer format. */
923 	bytestring2bignum(&(rsakey->n), modulus, modulus_len);
924 
925 	if (big_cmp_abs(&msg, &(rsakey->n)) > 0) {
926 		rv = CRYPTO_DATA_LEN_RANGE;
927 		goto clean3;
928 	}
929 
930 	/* Convert the rest of private key attributes to big integer format. */
931 	bytestring2bignum(&(rsakey->dmodpminus1), expo2, expo2_len);
932 	bytestring2bignum(&(rsakey->dmodqminus1), expo1, expo1_len);
933 	bytestring2bignum(&(rsakey->p), prime2, prime2_len);
934 	bytestring2bignum(&(rsakey->q), prime1, prime1_len);
935 	bytestring2bignum(&(rsakey->pinvmodq), coef, coef_len);
936 
937 	if ((big_cmp_abs(&(rsakey->dmodpminus1), &(rsakey->p)) > 0) ||
938 	    (big_cmp_abs(&(rsakey->dmodqminus1), &(rsakey->q)) > 0) ||
939 	    (big_cmp_abs(&(rsakey->pinvmodq), &(rsakey->q)) > 0)) {
940 		rv = CRYPTO_KEY_SIZE_RANGE;
941 		goto clean3;
942 	}
943 
944 	/* Perform RSA computation on big integer input data. */
945 	if (big_modexp_crt(&msg, &msg, &(rsakey->dmodpminus1),
946 	    &(rsakey->dmodqminus1), &(rsakey->p), &(rsakey->q),
947 	    &(rsakey->pinvmodq), NULL, NULL) != BIG_OK) {
948 		rv = CRYPTO_HOST_MEMORY;
949 		goto clean3;
950 	}
951 
952 	/* Convert the big integer output data to octet string. */
953 	bignum2bytestring(out, &msg, modulus_len);
954 
955 	/*
956 	 * Should not free modulus and friends as they are just pointers
957 	 * to an attribute value buffer from the caller.
958 	 */
959 clean3:
960 	big_finish(&msg);
961 clean2:
962 	RSA_key_finish(rsakey);
963 clean1:
964 	kmem_free(rsakey, sizeof (RSAkey));
965 
966 	return (rv);
967 }
968 
969 /* EXPORT DELETE END */
970 
971 /* ARGSUSED */
972 static int
973 rsa_sign_verify_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
974     crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
975     crypto_req_handle_t req)
976 {
977 	int rv;
978 	int kmflag;
979 	rsa_ctx_t *ctxp;
980 	digest_rsa_ctx_t *dctxp;
981 
982 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
983 		return (rv);
984 
985 	/*
986 	 * Allocate a RSA context.
987 	 */
988 	kmflag = crypto_kmflag(req);
989 	switch (mechanism->cm_type) {
990 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
991 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
992 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
993 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
994 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
995 		dctxp = kmem_zalloc(sizeof (digest_rsa_ctx_t), kmflag);
996 		ctxp = (rsa_ctx_t *)dctxp;
997 		break;
998 	default:
999 		ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag);
1000 		break;
1001 	}
1002 
1003 	if (ctxp == NULL)
1004 		return (CRYPTO_HOST_MEMORY);
1005 
1006 	ctxp->mech_type = mechanism->cm_type;
1007 	if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size,
1008 	    kmflag)) != CRYPTO_SUCCESS) {
1009 		switch (mechanism->cm_type) {
1010 		case MD5_RSA_PKCS_MECH_INFO_TYPE:
1011 		case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1012 		case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1013 		case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1014 		case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1015 			kmem_free(dctxp, sizeof (digest_rsa_ctx_t));
1016 			break;
1017 		default:
1018 			kmem_free(ctxp, sizeof (rsa_ctx_t));
1019 			break;
1020 		}
1021 		return (rv);
1022 	}
1023 
1024 	switch (mechanism->cm_type) {
1025 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1026 		MD5Init(&(dctxp->md5_ctx));
1027 		break;
1028 
1029 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1030 		SHA1Init(&(dctxp->sha1_ctx));
1031 		break;
1032 
1033 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1034 		SHA2Init(SHA256, &(dctxp->sha2_ctx));
1035 		break;
1036 
1037 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1038 		SHA2Init(SHA384, &(dctxp->sha2_ctx));
1039 		break;
1040 
1041 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1042 		SHA2Init(SHA512, &(dctxp->sha2_ctx));
1043 		break;
1044 	}
1045 
1046 	ctx->cc_provider_private = ctxp;
1047 
1048 	return (CRYPTO_SUCCESS);
1049 }
1050 
1051 #define	SHA1_DIGEST_SIZE 20
1052 #define	MD5_DIGEST_SIZE 16
1053 
1054 #define	INIT_RAW_CRYPTO_DATA(data, base, len, cd_len)	\
1055 	(data).cd_format = CRYPTO_DATA_RAW;		\
1056 	(data).cd_offset = 0;				\
1057 	(data).cd_raw.iov_base = (char *)base;		\
1058 	(data).cd_raw.iov_len = len;			\
1059 	(data).cd_length = cd_len;
1060 
1061 static int
1062 rsa_digest_svrfy_common(digest_rsa_ctx_t *ctxp, crypto_data_t *data,
1063     crypto_data_t *signature, int kmflag, uchar_t flag)
1064 {
1065 	int rv = CRYPTO_FAILED;
1066 
1067 /* EXPORT DELETE START */
1068 
1069 	uchar_t digest[SHA512_DIGEST_LENGTH];
1070 	/* The der_data size is enough for MD5 also */
1071 	uchar_t der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len];
1072 	ulong_t der_data_len;
1073 	crypto_data_t der_cd;
1074 	rsa_mech_type_t mech_type;
1075 
1076 	ASSERT(flag & CRYPTO_DO_SIGN || flag & CRYPTO_DO_VERIFY);
1077 	ASSERT(data != NULL || (flag & CRYPTO_DO_FINAL));
1078 
1079 	mech_type = ctxp->mech_type;
1080 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE ||
1081 	    mech_type == RSA_X_509_MECH_INFO_TYPE)
1082 		return (CRYPTO_MECHANISM_INVALID);
1083 
1084 	/*
1085 	 * We need to do the BUFFER_TOO_SMALL check before digesting
1086 	 * the data. No check is needed for verify as signature is not
1087 	 * an output argument for verify.
1088 	 */
1089 	if (flag & CRYPTO_DO_SIGN) {
1090 		uchar_t *modulus;
1091 		ssize_t modulus_len;
1092 
1093 		if ((rv = crypto_get_key_attr(ctxp->key, SUN_CKA_MODULUS,
1094 		    &modulus, &modulus_len)) != CRYPTO_SUCCESS) {
1095 			return (rv);
1096 		}
1097 
1098 		if (signature->cd_length < modulus_len) {
1099 			signature->cd_length = modulus_len;
1100 			return (CRYPTO_BUFFER_TOO_SMALL);
1101 		}
1102 	}
1103 
1104 	if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE)
1105 		rv = crypto_digest_data(data, &(ctxp->md5_ctx),
1106 		    digest, MD5Update, MD5Final, flag | CRYPTO_DO_MD5);
1107 
1108 	else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE)
1109 		rv = crypto_digest_data(data, &(ctxp->sha1_ctx),
1110 		    digest, SHA1Update, SHA1Final,  flag | CRYPTO_DO_SHA1);
1111 
1112 	else
1113 		rv = crypto_digest_data(data, &(ctxp->sha2_ctx),
1114 		    digest, SHA2Update, SHA2Final, flag | CRYPTO_DO_SHA2);
1115 
1116 	if (rv != CRYPTO_SUCCESS)
1117 		return (rv);
1118 
1119 
1120 	/*
1121 	 * Prepare the DER encoding of the DigestInfo value as follows:
1122 	 * MD5:		MD5_DER_PREFIX || H
1123 	 * SHA-1:	SHA1_DER_PREFIX || H
1124 	 *
1125 	 * See rsa_impl.c for more details.
1126 	 */
1127 	switch (mech_type) {
1128 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1129 		bcopy(MD5_DER_PREFIX, der_data, MD5_DER_PREFIX_Len);
1130 		bcopy(digest, der_data + MD5_DER_PREFIX_Len, MD5_DIGEST_SIZE);
1131 		der_data_len = MD5_DER_PREFIX_Len + MD5_DIGEST_SIZE;
1132 		break;
1133 
1134 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1135 		bcopy(SHA1_DER_PREFIX, der_data, SHA1_DER_PREFIX_Len);
1136 		bcopy(digest, der_data + SHA1_DER_PREFIX_Len,
1137 		    SHA1_DIGEST_SIZE);
1138 		der_data_len = SHA1_DER_PREFIX_Len + SHA1_DIGEST_SIZE;
1139 		break;
1140 
1141 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1142 		bcopy(SHA256_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1143 		bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1144 		    SHA256_DIGEST_LENGTH);
1145 		der_data_len = SHA2_DER_PREFIX_Len + SHA256_DIGEST_LENGTH;
1146 		break;
1147 
1148 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1149 		bcopy(SHA384_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1150 		bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1151 		    SHA384_DIGEST_LENGTH);
1152 		der_data_len = SHA2_DER_PREFIX_Len + SHA384_DIGEST_LENGTH;
1153 		break;
1154 
1155 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1156 		bcopy(SHA512_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1157 		bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1158 		    SHA512_DIGEST_LENGTH);
1159 		der_data_len = SHA2_DER_PREFIX_Len + SHA512_DIGEST_LENGTH;
1160 		break;
1161 	}
1162 
1163 	INIT_RAW_CRYPTO_DATA(der_cd, der_data, der_data_len, der_data_len);
1164 	/*
1165 	 * Now, we are ready to sign or verify the DER_ENCODED data.
1166 	 */
1167 	if (flag & CRYPTO_DO_SIGN)
1168 		rv = rsa_sign_common(mech_type, ctxp->key, &der_cd,
1169 		    signature, kmflag);
1170 	else
1171 		rv = rsa_verify_common(mech_type, ctxp->key, &der_cd,
1172 		    signature, kmflag);
1173 
1174 /* EXPORT DELETE END */
1175 
1176 	return (rv);
1177 }
1178 
1179 static int
1180 rsa_sign_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1181     crypto_data_t *data, crypto_data_t *signature, int kmflag)
1182 {
1183 	int rv = CRYPTO_FAILED;
1184 
1185 /* EXPORT DELETE START */
1186 
1187 	int dlen;
1188 	uchar_t *dataptr, *modulus;
1189 	ssize_t modulus_len;
1190 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1191 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1192 	uchar_t signed_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1193 
1194 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1195 	    &modulus_len)) != CRYPTO_SUCCESS) {
1196 		return (rv);
1197 	}
1198 
1199 	dlen = data->cd_length;
1200 	switch (mech_type) {
1201 	case RSA_PKCS_MECH_INFO_TYPE:
1202 		if (dlen > (modulus_len - MIN_PKCS1_PADLEN))
1203 			return (CRYPTO_DATA_LEN_RANGE);
1204 		break;
1205 	case RSA_X_509_MECH_INFO_TYPE:
1206 		if (dlen > modulus_len)
1207 			return (CRYPTO_DATA_LEN_RANGE);
1208 		break;
1209 	}
1210 
1211 	if (signature->cd_length < modulus_len) {
1212 		signature->cd_length = modulus_len;
1213 		return (CRYPTO_BUFFER_TOO_SMALL);
1214 	}
1215 
1216 	ASSERT(data->cd_length <= sizeof (tmp_data));
1217 	if ((rv = crypto_get_input_data(data, &dataptr, tmp_data))
1218 	    != CRYPTO_SUCCESS)
1219 		return (rv);
1220 
1221 	switch (mech_type) {
1222 	case RSA_PKCS_MECH_INFO_TYPE:
1223 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1224 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1225 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1226 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1227 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1228 		/*
1229 		 * Add PKCS padding to the input data to format a block
1230 		 * type "01" encryption block.
1231 		 */
1232 		rv = soft_sign_rsa_pkcs_encode(dataptr, dlen, plain_data,
1233 		    modulus_len);
1234 		if (rv != CRYPTO_SUCCESS)
1235 			return (rv);
1236 
1237 		break;
1238 
1239 	case RSA_X_509_MECH_INFO_TYPE:
1240 		bzero(plain_data, modulus_len - dlen);
1241 		bcopy(dataptr, &plain_data[modulus_len - dlen], dlen);
1242 		break;
1243 	}
1244 
1245 	rv = core_rsa_decrypt(key, plain_data, modulus_len, signed_data,
1246 	    kmflag);
1247 	if (rv == CRYPTO_SUCCESS) {
1248 		/* copy out to signature */
1249 		if ((rv = crypto_put_output_data(signed_data,
1250 		    signature, modulus_len)) != CRYPTO_SUCCESS)
1251 			return (rv);
1252 
1253 		signature->cd_length = modulus_len;
1254 	}
1255 
1256 /* EXPORT DELETE END */
1257 
1258 	return (rv);
1259 }
1260 
1261 /* ARGSUSED */
1262 static int
1263 rsa_sign(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature,
1264     crypto_req_handle_t req)
1265 {
1266 	int rv;
1267 	rsa_ctx_t *ctxp;
1268 
1269 	ASSERT(ctx->cc_provider_private != NULL);
1270 	ctxp = ctx->cc_provider_private;
1271 
1272 	/* See the comments on KM_SLEEP flag in rsa_encrypt() */
1273 	switch (ctxp->mech_type) {
1274 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1275 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1276 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1277 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1278 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1279 		rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data,
1280 		    signature, KM_SLEEP, CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE |
1281 		    CRYPTO_DO_FINAL);
1282 		break;
1283 	default:
1284 		rv = rsa_sign_common(ctxp->mech_type, ctxp->key, data,
1285 		    signature, KM_SLEEP);
1286 		break;
1287 	}
1288 
1289 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1290 		(void) rsa_free_context(ctx);
1291 
1292 	return (rv);
1293 }
1294 
1295 /* ARGSUSED */
1296 static int
1297 rsa_sign_update(crypto_ctx_t *ctx, crypto_data_t *data, crypto_req_handle_t req)
1298 {
1299 	int rv;
1300 	digest_rsa_ctx_t *ctxp;
1301 	rsa_mech_type_t mech_type;
1302 
1303 	ASSERT(ctx->cc_provider_private != NULL);
1304 	ctxp = ctx->cc_provider_private;
1305 	mech_type = ctxp->mech_type;
1306 
1307 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE ||
1308 	    mech_type == RSA_X_509_MECH_INFO_TYPE)
1309 		return (CRYPTO_MECHANISM_INVALID);
1310 
1311 	if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE)
1312 		rv = crypto_digest_data(data, &(ctxp->md5_ctx),
1313 		    NULL, MD5Update, MD5Final,
1314 		    CRYPTO_DO_MD5 | CRYPTO_DO_UPDATE);
1315 
1316 	else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE)
1317 		rv = crypto_digest_data(data, &(ctxp->sha1_ctx),
1318 		    NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 |
1319 		    CRYPTO_DO_UPDATE);
1320 
1321 	else
1322 		rv = crypto_digest_data(data, &(ctxp->sha2_ctx),
1323 		    NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 |
1324 		    CRYPTO_DO_UPDATE);
1325 
1326 	return (rv);
1327 }
1328 
1329 static int
1330 rsa_sign_final(crypto_ctx_t *ctx, crypto_data_t *signature,
1331     crypto_req_handle_t req)
1332 {
1333 	int rv;
1334 	digest_rsa_ctx_t *ctxp;
1335 
1336 	ASSERT(ctx->cc_provider_private != NULL);
1337 	ctxp = ctx->cc_provider_private;
1338 
1339 	rv = rsa_digest_svrfy_common(ctxp, NULL, signature,
1340 	    crypto_kmflag(req), CRYPTO_DO_SIGN | CRYPTO_DO_FINAL);
1341 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1342 		(void) rsa_free_context(ctx);
1343 
1344 	return (rv);
1345 }
1346 
1347 /* ARGSUSED */
1348 static int
1349 rsa_sign_atomic(crypto_provider_handle_t provider,
1350     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1351     crypto_key_t *key, crypto_data_t *data, crypto_data_t *signature,
1352     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1353 {
1354 	int rv;
1355 	digest_rsa_ctx_t dctx;
1356 
1357 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1358 		return (rv);
1359 
1360 	if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE ||
1361 	    mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE)
1362 		rv = rsa_sign_common(mechanism->cm_type, key, data,
1363 		    signature, crypto_kmflag(req));
1364 
1365 	else {
1366 		dctx.mech_type = mechanism->cm_type;
1367 		dctx.key = key;
1368 		switch (mechanism->cm_type) {
1369 		case MD5_RSA_PKCS_MECH_INFO_TYPE:
1370 			MD5Init(&(dctx.md5_ctx));
1371 			break;
1372 
1373 		case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1374 			SHA1Init(&(dctx.sha1_ctx));
1375 			break;
1376 
1377 		case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1378 			SHA2Init(SHA256, &(dctx.sha2_ctx));
1379 			break;
1380 
1381 		case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1382 			SHA2Init(SHA384, &(dctx.sha2_ctx));
1383 			break;
1384 
1385 		case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1386 			SHA2Init(SHA512, &(dctx.sha2_ctx));
1387 			break;
1388 		}
1389 
1390 		rv = rsa_digest_svrfy_common(&dctx, data, signature,
1391 		    crypto_kmflag(req), CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE |
1392 		    CRYPTO_DO_FINAL);
1393 	}
1394 
1395 	return (rv);
1396 }
1397 
1398 static int
1399 rsa_verify_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1400     crypto_data_t *data, crypto_data_t *signature, int kmflag)
1401 {
1402 	int rv = CRYPTO_FAILED;
1403 
1404 /* EXPORT DELETE START */
1405 
1406 	uchar_t *sigptr, *modulus;
1407 	ssize_t modulus_len;
1408 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1409 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1410 
1411 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1412 	    &modulus_len)) != CRYPTO_SUCCESS) {
1413 		return (rv);
1414 	}
1415 
1416 	if (signature->cd_length != modulus_len)
1417 		return (CRYPTO_SIGNATURE_LEN_RANGE);
1418 
1419 	ASSERT(signature->cd_length <= sizeof (tmp_data));
1420 	if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data))
1421 	    != CRYPTO_SUCCESS)
1422 		return (rv);
1423 
1424 	rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, kmflag, 1);
1425 	if (rv != CRYPTO_SUCCESS)
1426 		return (rv);
1427 
1428 	if (mech_type == RSA_X_509_MECH_INFO_TYPE) {
1429 		if (compare_data(data, (plain_data + modulus_len
1430 		    - data->cd_length)) != 0)
1431 			rv = CRYPTO_SIGNATURE_INVALID;
1432 
1433 	} else {
1434 		int data_len = modulus_len;
1435 
1436 		/*
1437 		 * Strip off the encoded padding bytes in front of the
1438 		 * recovered data, then compare the recovered data with
1439 		 * the original data.
1440 		 */
1441 		rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len);
1442 		if (rv != CRYPTO_SUCCESS)
1443 			return (rv);
1444 
1445 		if (data_len != data->cd_length)
1446 			return (CRYPTO_SIGNATURE_LEN_RANGE);
1447 
1448 		if (compare_data(data, (plain_data + modulus_len
1449 		    - data_len)) != 0)
1450 			rv = CRYPTO_SIGNATURE_INVALID;
1451 	}
1452 
1453 /* EXPORT DELETE END */
1454 
1455 	return (rv);
1456 }
1457 
1458 /* ARGSUSED */
1459 static int
1460 rsa_verify(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature,
1461     crypto_req_handle_t req)
1462 {
1463 	int rv;
1464 	rsa_ctx_t *ctxp;
1465 
1466 	ASSERT(ctx->cc_provider_private != NULL);
1467 	ctxp = ctx->cc_provider_private;
1468 
1469 	/* See the comments on KM_SLEEP flag in rsa_encrypt() */
1470 	switch (ctxp->mech_type) {
1471 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1472 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1473 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1474 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1475 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1476 		rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data,
1477 		    signature, KM_SLEEP, CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE |
1478 		    CRYPTO_DO_FINAL);
1479 		break;
1480 	default:
1481 		rv = rsa_verify_common(ctxp->mech_type, ctxp->key, data,
1482 		    signature, KM_SLEEP);
1483 		break;
1484 	}
1485 
1486 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1487 		(void) rsa_free_context(ctx);
1488 
1489 	return (rv);
1490 }
1491 
1492 /* ARGSUSED */
1493 static int
1494 rsa_verify_update(crypto_ctx_t *ctx, crypto_data_t *data,
1495     crypto_req_handle_t req)
1496 {
1497 	int rv;
1498 	digest_rsa_ctx_t *ctxp;
1499 
1500 	ASSERT(ctx->cc_provider_private != NULL);
1501 	ctxp = ctx->cc_provider_private;
1502 
1503 	switch (ctxp->mech_type) {
1504 
1505 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1506 		rv = crypto_digest_data(data, &(ctxp->md5_ctx),
1507 		    NULL, MD5Update, MD5Final, CRYPTO_DO_MD5 |
1508 		    CRYPTO_DO_UPDATE);
1509 		break;
1510 
1511 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1512 		rv = crypto_digest_data(data, &(ctxp->sha1_ctx),
1513 		    NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 |
1514 		    CRYPTO_DO_UPDATE);
1515 		break;
1516 
1517 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1518 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1519 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1520 		rv = crypto_digest_data(data, &(ctxp->sha2_ctx),
1521 		    NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 |
1522 		    CRYPTO_DO_UPDATE);
1523 		break;
1524 
1525 	default:
1526 		return (CRYPTO_MECHANISM_INVALID);
1527 	}
1528 
1529 	return (rv);
1530 }
1531 
1532 static int
1533 rsa_verify_final(crypto_ctx_t *ctx, crypto_data_t *signature,
1534     crypto_req_handle_t req)
1535 {
1536 	int rv;
1537 	digest_rsa_ctx_t *ctxp;
1538 
1539 	ASSERT(ctx->cc_provider_private != NULL);
1540 	ctxp = ctx->cc_provider_private;
1541 
1542 	rv = rsa_digest_svrfy_common(ctxp, NULL, signature,
1543 	    crypto_kmflag(req), CRYPTO_DO_VERIFY | CRYPTO_DO_FINAL);
1544 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1545 		(void) rsa_free_context(ctx);
1546 
1547 	return (rv);
1548 }
1549 
1550 
1551 /* ARGSUSED */
1552 static int
1553 rsa_verify_atomic(crypto_provider_handle_t provider,
1554     crypto_session_id_t session_id,
1555     crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data,
1556     crypto_data_t *signature, crypto_spi_ctx_template_t ctx_template,
1557     crypto_req_handle_t req)
1558 {
1559 	int rv;
1560 	digest_rsa_ctx_t dctx;
1561 
1562 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1563 		return (rv);
1564 
1565 	if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE ||
1566 	    mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE)
1567 		rv = rsa_verify_common(mechanism->cm_type, key, data,
1568 		    signature, crypto_kmflag(req));
1569 
1570 	else {
1571 		dctx.mech_type = mechanism->cm_type;
1572 		dctx.key = key;
1573 
1574 		switch (mechanism->cm_type) {
1575 		case MD5_RSA_PKCS_MECH_INFO_TYPE:
1576 			MD5Init(&(dctx.md5_ctx));
1577 			break;
1578 
1579 		case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1580 			SHA1Init(&(dctx.sha1_ctx));
1581 			break;
1582 
1583 		case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1584 			SHA2Init(SHA256, &(dctx.sha2_ctx));
1585 			break;
1586 
1587 		case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1588 			SHA2Init(SHA384, &(dctx.sha2_ctx));
1589 			break;
1590 
1591 		case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1592 			SHA2Init(SHA512, &(dctx.sha2_ctx));
1593 			break;
1594 		}
1595 
1596 		rv = rsa_digest_svrfy_common(&dctx, data,
1597 		    signature, crypto_kmflag(req),
1598 		    CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL);
1599 	}
1600 
1601 	return (rv);
1602 }
1603 
1604 static int
1605 rsa_verify_recover_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1606     crypto_data_t *signature, crypto_data_t *data, int kmflag)
1607 {
1608 	int rv = CRYPTO_FAILED;
1609 
1610 /* EXPORT DELETE START */
1611 
1612 	int data_len;
1613 	uchar_t *sigptr, *modulus;
1614 	ssize_t modulus_len;
1615 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1616 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1617 
1618 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1619 	    &modulus_len)) != CRYPTO_SUCCESS) {
1620 		return (rv);
1621 	}
1622 
1623 	if (signature->cd_length != modulus_len)
1624 		return (CRYPTO_SIGNATURE_LEN_RANGE);
1625 
1626 	ASSERT(signature->cd_length <= sizeof (tmp_data));
1627 	if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data))
1628 	    != CRYPTO_SUCCESS)
1629 		return (rv);
1630 
1631 	rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, kmflag, 1);
1632 	if (rv != CRYPTO_SUCCESS)
1633 		return (rv);
1634 
1635 	data_len = modulus_len;
1636 
1637 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
1638 		/*
1639 		 * Strip off the encoded padding bytes in front of the
1640 		 * recovered data, then compare the recovered data with
1641 		 * the original data.
1642 		 */
1643 		rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len);
1644 		if (rv != CRYPTO_SUCCESS)
1645 			return (rv);
1646 	}
1647 
1648 	if (data->cd_length < data_len) {
1649 		data->cd_length = data_len;
1650 		return (CRYPTO_BUFFER_TOO_SMALL);
1651 	}
1652 
1653 	if ((rv = crypto_put_output_data(plain_data + modulus_len - data_len,
1654 	    data, data_len)) != CRYPTO_SUCCESS)
1655 		return (rv);
1656 	data->cd_length = data_len;
1657 
1658 /* EXPORT DELETE END */
1659 
1660 	return (rv);
1661 }
1662 
1663 /* ARGSUSED */
1664 static int
1665 rsa_verify_recover(crypto_ctx_t *ctx, crypto_data_t *signature,
1666     crypto_data_t *data, crypto_req_handle_t req)
1667 {
1668 	int rv;
1669 	rsa_ctx_t *ctxp;
1670 
1671 	ASSERT(ctx->cc_provider_private != NULL);
1672 	ctxp = ctx->cc_provider_private;
1673 
1674 	/* See the comments on KM_SLEEP flag in rsa_encrypt() */
1675 	rv = rsa_verify_recover_common(ctxp->mech_type, ctxp->key,
1676 	    signature, data, KM_SLEEP);
1677 
1678 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1679 		(void) rsa_free_context(ctx);
1680 
1681 	return (rv);
1682 }
1683 
1684 /* ARGSUSED */
1685 static int
1686 rsa_verify_recover_atomic(crypto_provider_handle_t provider,
1687     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1688     crypto_key_t *key, crypto_data_t *signature, crypto_data_t *data,
1689     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1690 {
1691 	int rv;
1692 
1693 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1694 		return (rv);
1695 
1696 	return (rsa_verify_recover_common(mechanism->cm_type, key,
1697 	    signature, data, crypto_kmflag(req)));
1698 }
1699 
1700 /*
1701  * RSA Power-Up Self-Test
1702  */
1703 void
1704 rsa_POST(int *rc)
1705 {
1706 
1707 	*rc = fips_rsa_post();
1708 
1709 }
1710