xref: /titanic_44/usr/src/uts/common/crypto/io/rsa.c (revision 528b7d8ba791f2da280ff1ddd45c61eb47a2744e)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
24  */
25 
26 /*
27  * RSA provider for the Kernel Cryptographic Framework (KCF)
28  */
29 
30 #include <sys/types.h>
31 #include <sys/systm.h>
32 #include <sys/modctl.h>
33 #include <sys/cmn_err.h>
34 #include <sys/ddi.h>
35 #include <sys/crypto/spi.h>
36 #include <sys/sysmacros.h>
37 #include <sys/strsun.h>
38 #include <sys/md5.h>
39 #include <sys/sha1.h>
40 #define	_SHA2_IMPL
41 #include <sys/sha2.h>
42 #include <sys/random.h>
43 #include <sys/crypto/impl.h>
44 #include <sha1/sha1_impl.h>
45 #include <sha2/sha2_impl.h>
46 #include <padding/padding.h>
47 #include <rsa/rsa_impl.h>
48 
49 extern struct mod_ops mod_cryptoops;
50 
51 /*
52  * Module linkage information for the kernel.
53  */
54 static struct modlcrypto modlcrypto = {
55 	&mod_cryptoops,
56 	"RSA Kernel SW Provider"
57 };
58 
59 static struct modlinkage modlinkage = {
60 	MODREV_1,
61 	(void *)&modlcrypto,
62 	NULL
63 };
64 
65 /*
66  * CSPI information (entry points, provider info, etc.)
67  */
68 typedef enum rsa_mech_type {
69 	RSA_PKCS_MECH_INFO_TYPE,	/* SUN_CKM_RSA_PKCS */
70 	RSA_X_509_MECH_INFO_TYPE,	/* SUN_CKM_RSA_X_509 */
71 	MD5_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_MD5_RSA_PKCS */
72 	SHA1_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_SHA1_RSA_PKCS */
73 	SHA256_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_SHA256_RSA_PKCS */
74 	SHA384_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_SHA384_RSA_PKCS */
75 	SHA512_RSA_PKCS_MECH_INFO_TYPE	/* SUN_SHA512_RSA_PKCS */
76 } rsa_mech_type_t;
77 
78 /*
79  * Context for RSA_PKCS and RSA_X_509 mechanisms.
80  */
81 typedef struct rsa_ctx {
82 	rsa_mech_type_t	mech_type;
83 	crypto_key_t *key;
84 	size_t keychunk_size;
85 } rsa_ctx_t;
86 
87 /*
88  * Context for MD5_RSA_PKCS and SHA*_RSA_PKCS mechanisms.
89  */
90 typedef struct digest_rsa_ctx {
91 	rsa_mech_type_t	mech_type;
92 	crypto_key_t *key;
93 	size_t keychunk_size;
94 	union {
95 		MD5_CTX md5ctx;
96 		SHA1_CTX sha1ctx;
97 		SHA2_CTX sha2ctx;
98 	} dctx_u;
99 } digest_rsa_ctx_t;
100 
101 #define	md5_ctx		dctx_u.md5ctx
102 #define	sha1_ctx	dctx_u.sha1ctx
103 #define	sha2_ctx	dctx_u.sha2ctx
104 
105 /*
106  * Mechanism info structure passed to KCF during registration.
107  */
108 static crypto_mech_info_t rsa_mech_info_tab[] = {
109 	/* RSA_PKCS */
110 	{SUN_CKM_RSA_PKCS, RSA_PKCS_MECH_INFO_TYPE,
111 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
112 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
113 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
114 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC |
115 	    CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC |
116 	    CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC,
117 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
118 
119 	/* RSA_X_509 */
120 	{SUN_CKM_RSA_X_509, RSA_X_509_MECH_INFO_TYPE,
121 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
122 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
123 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
124 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC |
125 	    CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC |
126 	    CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC,
127 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
128 
129 	/* MD5_RSA_PKCS */
130 	{SUN_CKM_MD5_RSA_PKCS, MD5_RSA_PKCS_MECH_INFO_TYPE,
131 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
132 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
133 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
134 
135 	/* SHA1_RSA_PKCS */
136 	{SUN_CKM_SHA1_RSA_PKCS, SHA1_RSA_PKCS_MECH_INFO_TYPE,
137 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
138 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
139 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
140 
141 	/* SHA256_RSA_PKCS */
142 	{SUN_CKM_SHA256_RSA_PKCS, SHA256_RSA_PKCS_MECH_INFO_TYPE,
143 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
144 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
145 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
146 
147 	/* SHA384_RSA_PKCS */
148 	{SUN_CKM_SHA384_RSA_PKCS, SHA384_RSA_PKCS_MECH_INFO_TYPE,
149 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
150 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
151 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
152 
153 	/* SHA512_RSA_PKCS */
154 	{SUN_CKM_SHA512_RSA_PKCS, SHA512_RSA_PKCS_MECH_INFO_TYPE,
155 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
156 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
157 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}
158 
159 };
160 
161 #define	RSA_VALID_MECH(mech)					\
162 	(((mech)->cm_type == RSA_PKCS_MECH_INFO_TYPE ||		\
163 	(mech)->cm_type == RSA_X_509_MECH_INFO_TYPE ||		\
164 	(mech)->cm_type == MD5_RSA_PKCS_MECH_INFO_TYPE ||	\
165 	(mech)->cm_type == SHA1_RSA_PKCS_MECH_INFO_TYPE ||	\
166 	(mech)->cm_type == SHA256_RSA_PKCS_MECH_INFO_TYPE ||	\
167 	(mech)->cm_type == SHA384_RSA_PKCS_MECH_INFO_TYPE ||	\
168 	(mech)->cm_type == SHA512_RSA_PKCS_MECH_INFO_TYPE) ? 1 : 0)
169 
170 /* operations are in-place if the output buffer is NULL */
171 #define	RSA_ARG_INPLACE(input, output)				\
172 	if ((output) == NULL)					\
173 		(output) = (input);
174 
175 static void rsa_provider_status(crypto_provider_handle_t, uint_t *);
176 
177 static crypto_control_ops_t rsa_control_ops = {
178 	rsa_provider_status
179 };
180 
181 static int rsa_common_init(crypto_ctx_t *, crypto_mechanism_t *,
182     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
183 static int rsaprov_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
184     crypto_req_handle_t);
185 static int rsa_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
186     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
187     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
188 static int rsaprov_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
189     crypto_req_handle_t);
190 static int rsa_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
191     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
192     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
193 
194 /*
195  * The RSA mechanisms do not have multiple-part cipher operations.
196  * So, the update and final routines are set to NULL.
197  */
198 static crypto_cipher_ops_t rsa_cipher_ops = {
199 	rsa_common_init,
200 	rsaprov_encrypt,
201 	NULL,
202 	NULL,
203 	rsa_encrypt_atomic,
204 	rsa_common_init,
205 	rsaprov_decrypt,
206 	NULL,
207 	NULL,
208 	rsa_decrypt_atomic
209 };
210 
211 static int rsa_sign_verify_common_init(crypto_ctx_t *, crypto_mechanism_t *,
212     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
213 static int rsaprov_sign(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
214     crypto_req_handle_t);
215 static int rsa_sign_update(crypto_ctx_t *, crypto_data_t *,
216     crypto_req_handle_t);
217 static int rsa_sign_final(crypto_ctx_t *, crypto_data_t *,
218     crypto_req_handle_t);
219 static int rsa_sign_atomic(crypto_provider_handle_t, crypto_session_id_t,
220     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
221     crypto_spi_ctx_template_t, crypto_req_handle_t);
222 
223 /*
224  * We use the same routine for sign_init and sign_recover_init fields
225  * as they do the same thing. Same holds for sign and sign_recover fields,
226  * and sign_atomic and sign_recover_atomic fields.
227  */
228 static crypto_sign_ops_t rsa_sign_ops = {
229 	rsa_sign_verify_common_init,
230 	rsaprov_sign,
231 	rsa_sign_update,
232 	rsa_sign_final,
233 	rsa_sign_atomic,
234 	rsa_sign_verify_common_init,
235 	rsaprov_sign,
236 	rsa_sign_atomic
237 };
238 
239 static int rsaprov_verify(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
240     crypto_req_handle_t);
241 static int rsa_verify_update(crypto_ctx_t *, crypto_data_t *,
242     crypto_req_handle_t);
243 static int rsa_verify_final(crypto_ctx_t *, crypto_data_t *,
244     crypto_req_handle_t);
245 static int rsa_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
246     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
247     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
248 static int rsa_verify_recover(crypto_ctx_t *, crypto_data_t *,
249     crypto_data_t *, crypto_req_handle_t);
250 static int rsa_verify_recover_atomic(crypto_provider_handle_t,
251     crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
252     crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
253     crypto_req_handle_t);
254 
255 /*
256  * We use the same routine (rsa_sign_verify_common_init) for verify_init
257  * and verify_recover_init fields as they do the same thing.
258  */
259 static crypto_verify_ops_t rsa_verify_ops = {
260 	rsa_sign_verify_common_init,
261 	rsaprov_verify,
262 	rsa_verify_update,
263 	rsa_verify_final,
264 	rsa_verify_atomic,
265 	rsa_sign_verify_common_init,
266 	rsa_verify_recover,
267 	rsa_verify_recover_atomic
268 };
269 
270 static int rsa_free_context(crypto_ctx_t *);
271 
272 static crypto_ctx_ops_t rsa_ctx_ops = {
273 	NULL,
274 	rsa_free_context
275 };
276 
277 static crypto_ops_t rsa_crypto_ops = {
278 	&rsa_control_ops,
279 	NULL,
280 	&rsa_cipher_ops,
281 	NULL,
282 	&rsa_sign_ops,
283 	&rsa_verify_ops,
284 	NULL,
285 	NULL,
286 	NULL,
287 	NULL,
288 	NULL,
289 	NULL,
290 	NULL,
291 	&rsa_ctx_ops,
292 	NULL,
293 	NULL,
294 	NULL,
295 };
296 
297 static crypto_provider_info_t rsa_prov_info = {
298 	CRYPTO_SPI_VERSION_4,
299 	"RSA Software Provider",
300 	CRYPTO_SW_PROVIDER,
301 	{&modlinkage},
302 	NULL,
303 	&rsa_crypto_ops,
304 	sizeof (rsa_mech_info_tab)/sizeof (crypto_mech_info_t),
305 	rsa_mech_info_tab
306 };
307 
308 static int rsa_encrypt_common(rsa_mech_type_t, crypto_key_t *,
309     crypto_data_t *, crypto_data_t *);
310 static int rsa_decrypt_common(rsa_mech_type_t, crypto_key_t *,
311     crypto_data_t *, crypto_data_t *);
312 static int rsa_sign_common(rsa_mech_type_t, crypto_key_t *,
313     crypto_data_t *, crypto_data_t *);
314 static int rsa_verify_common(rsa_mech_type_t, crypto_key_t *,
315     crypto_data_t *, crypto_data_t *);
316 static int compare_data(crypto_data_t *, uchar_t *);
317 
318 /* EXPORT DELETE START */
319 
320 static int core_rsa_encrypt(crypto_key_t *, uchar_t *, int, uchar_t *, int);
321 static int core_rsa_decrypt(crypto_key_t *, uchar_t *, int, uchar_t *);
322 
323 /* EXPORT DELETE END */
324 
325 static crypto_kcf_provider_handle_t rsa_prov_handle = NULL;
326 
327 int
328 _init(void)
329 {
330 	int ret;
331 
332 	if ((ret = mod_install(&modlinkage)) != 0)
333 		return (ret);
334 
335 	/* Register with KCF.  If the registration fails, remove the module. */
336 	if (crypto_register_provider(&rsa_prov_info, &rsa_prov_handle)) {
337 		(void) mod_remove(&modlinkage);
338 		return (EACCES);
339 	}
340 
341 	return (0);
342 }
343 
344 int
345 _fini(void)
346 {
347 	/* Unregister from KCF if module is registered */
348 	if (rsa_prov_handle != NULL) {
349 		if (crypto_unregister_provider(rsa_prov_handle))
350 			return (EBUSY);
351 
352 		rsa_prov_handle = NULL;
353 	}
354 
355 	return (mod_remove(&modlinkage));
356 }
357 
358 int
359 _info(struct modinfo *modinfop)
360 {
361 	return (mod_info(&modlinkage, modinfop));
362 }
363 
364 /* ARGSUSED */
365 static void
366 rsa_provider_status(crypto_provider_handle_t provider, uint_t *status)
367 {
368 	*status = CRYPTO_PROVIDER_READY;
369 }
370 
371 static int
372 check_mech_and_key(crypto_mechanism_t *mechanism, crypto_key_t *key)
373 {
374 	int rv = CRYPTO_FAILED;
375 
376 /* EXPORT DELETE START */
377 
378 	uchar_t *modulus;
379 	ssize_t modulus_len; /* In bytes */
380 
381 	if (!RSA_VALID_MECH(mechanism))
382 		return (CRYPTO_MECHANISM_INVALID);
383 
384 	/*
385 	 * We only support RSA keys that are passed as a list of
386 	 * object attributes.
387 	 */
388 	if (key->ck_format != CRYPTO_KEY_ATTR_LIST) {
389 		return (CRYPTO_KEY_TYPE_INCONSISTENT);
390 	}
391 
392 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
393 	    &modulus_len)) != CRYPTO_SUCCESS) {
394 		return (rv);
395 	}
396 	if (modulus_len < MIN_RSA_KEYLENGTH_IN_BYTES ||
397 	    modulus_len > MAX_RSA_KEYLENGTH_IN_BYTES)
398 		return (CRYPTO_KEY_SIZE_RANGE);
399 
400 /* EXPORT DELETE END */
401 
402 	return (rv);
403 }
404 
405 void
406 kmemset(uint8_t *buf, char pattern, size_t len)
407 {
408 	int i = 0;
409 
410 	while (i < len)
411 		buf[i++] = pattern;
412 }
413 
414 /*
415  * This function guarantees to return non-zero random numbers.
416  * This is needed as the /dev/urandom kernel interface,
417  * random_get_pseudo_bytes(), may return zeros.
418  */
419 int
420 knzero_random_generator(uint8_t *ran_out, size_t ran_len)
421 {
422 	int rv;
423 	size_t ebc = 0; /* count of extra bytes in extrarand */
424 	size_t i = 0;
425 	uint8_t extrarand[32];
426 	size_t extrarand_len;
427 
428 	if ((rv = random_get_pseudo_bytes(ran_out, ran_len)) != 0)
429 		return (rv);
430 
431 	/*
432 	 * Walk through the returned random numbers pointed by ran_out,
433 	 * and look for any random number which is zero.
434 	 * If we find zero, call random_get_pseudo_bytes() to generate
435 	 * another 32 random numbers pool. Replace any zeros in ran_out[]
436 	 * from the random number in pool.
437 	 */
438 	while (i < ran_len) {
439 		if (ran_out[i] != 0) {
440 			i++;
441 			continue;
442 		}
443 
444 		/*
445 		 * Note that it is 'while' so we are guaranteed a
446 		 * non-zero value on exit.
447 		 */
448 		if (ebc == 0) {
449 			/* refresh extrarand */
450 			extrarand_len = sizeof (extrarand);
451 			if ((rv = random_get_pseudo_bytes(extrarand,
452 			    extrarand_len)) != 0) {
453 				return (rv);
454 			}
455 
456 			ebc = extrarand_len;
457 		}
458 		/* Replace zero with byte from extrarand. */
459 		-- ebc;
460 
461 		/*
462 		 * The new random byte zero/non-zero will be checked in
463 		 * the next pass through the loop.
464 		 */
465 		ran_out[i] = extrarand[ebc];
466 	}
467 
468 	return (CRYPTO_SUCCESS);
469 }
470 
471 static int
472 compare_data(crypto_data_t *data, uchar_t *buf)
473 {
474 	int len;
475 	uchar_t *dptr;
476 
477 	len = data->cd_length;
478 	switch (data->cd_format) {
479 	case CRYPTO_DATA_RAW:
480 		dptr = (uchar_t *)(data->cd_raw.iov_base +
481 		    data->cd_offset);
482 
483 		return (bcmp(dptr, buf, len));
484 
485 	case CRYPTO_DATA_UIO:
486 		return (crypto_uio_data(data, buf, len,
487 		    COMPARE_TO_DATA, NULL, NULL));
488 
489 	case CRYPTO_DATA_MBLK:
490 		return (crypto_mblk_data(data, buf, len,
491 		    COMPARE_TO_DATA, NULL, NULL));
492 	}
493 
494 	return (CRYPTO_FAILED);
495 }
496 
497 /* ARGSUSED */
498 static int
499 rsa_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
500     crypto_key_t *key, crypto_spi_ctx_template_t template,
501     crypto_req_handle_t req)
502 {
503 	int rv;
504 	int kmflag;
505 	rsa_ctx_t *ctxp;
506 
507 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
508 		return (rv);
509 
510 	/*
511 	 * Allocate a RSA context.
512 	 */
513 	kmflag = crypto_kmflag(req);
514 	if ((ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag)) == NULL)
515 		return (CRYPTO_HOST_MEMORY);
516 
517 	if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size,
518 	    kmflag)) != CRYPTO_SUCCESS) {
519 		kmem_free(ctxp, sizeof (rsa_ctx_t));
520 		return (rv);
521 	}
522 	ctxp->mech_type = mechanism->cm_type;
523 
524 	ctx->cc_provider_private = ctxp;
525 
526 	return (CRYPTO_SUCCESS);
527 }
528 
529 /* ARGSUSED */
530 static int
531 rsaprov_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext,
532     crypto_data_t *ciphertext, crypto_req_handle_t req)
533 {
534 	int rv;
535 	rsa_ctx_t *ctxp;
536 
537 	ASSERT(ctx->cc_provider_private != NULL);
538 	ctxp = ctx->cc_provider_private;
539 
540 	RSA_ARG_INPLACE(plaintext, ciphertext);
541 
542 	/*
543 	 * Note on the KM_SLEEP flag passed to the routine below -
544 	 * rsaprov_encrypt() is a single-part encryption routine which is
545 	 * currently usable only by /dev/crypto. Since /dev/crypto calls are
546 	 * always synchronous, we can safely pass KM_SLEEP here.
547 	 */
548 	rv = rsa_encrypt_common(ctxp->mech_type, ctxp->key, plaintext,
549 	    ciphertext);
550 
551 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
552 		(void) rsa_free_context(ctx);
553 
554 	return (rv);
555 }
556 
557 /* ARGSUSED */
558 static int
559 rsa_encrypt_atomic(crypto_provider_handle_t provider,
560     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
561     crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext,
562     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
563 {
564 	int rv;
565 
566 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
567 		return (rv);
568 	RSA_ARG_INPLACE(plaintext, ciphertext);
569 
570 	return (rsa_encrypt_common(mechanism->cm_type, key, plaintext,
571 	    ciphertext));
572 }
573 
574 static int
575 rsa_free_context(crypto_ctx_t *ctx)
576 {
577 	rsa_ctx_t *ctxp = ctx->cc_provider_private;
578 
579 	if (ctxp != NULL) {
580 		bzero(ctxp->key, ctxp->keychunk_size);
581 		kmem_free(ctxp->key, ctxp->keychunk_size);
582 
583 		if (ctxp->mech_type == RSA_PKCS_MECH_INFO_TYPE ||
584 		    ctxp->mech_type == RSA_X_509_MECH_INFO_TYPE)
585 			kmem_free(ctxp, sizeof (rsa_ctx_t));
586 		else
587 			kmem_free(ctxp, sizeof (digest_rsa_ctx_t));
588 
589 		ctx->cc_provider_private = NULL;
590 	}
591 
592 	return (CRYPTO_SUCCESS);
593 }
594 
595 static int
596 rsa_encrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
597     crypto_data_t *plaintext, crypto_data_t *ciphertext)
598 {
599 	int rv = CRYPTO_FAILED;
600 
601 /* EXPORT DELETE START */
602 
603 	int plen;
604 	uchar_t *ptptr;
605 	uchar_t *modulus;
606 	ssize_t modulus_len;
607 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
608 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
609 	uchar_t cipher_data[MAX_RSA_KEYLENGTH_IN_BYTES];
610 
611 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
612 	    &modulus_len)) != CRYPTO_SUCCESS) {
613 		return (rv);
614 	}
615 
616 	plen = plaintext->cd_length;
617 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
618 		if (plen > (modulus_len - MIN_PKCS1_PADLEN))
619 			return (CRYPTO_DATA_LEN_RANGE);
620 	} else {
621 		if (plen > modulus_len)
622 			return (CRYPTO_DATA_LEN_RANGE);
623 	}
624 
625 	/*
626 	 * Output buf len must not be less than RSA modulus size.
627 	 */
628 	if (ciphertext->cd_length < modulus_len) {
629 		ciphertext->cd_length = modulus_len;
630 		return (CRYPTO_BUFFER_TOO_SMALL);
631 	}
632 
633 	ASSERT(plaintext->cd_length <= sizeof (tmp_data));
634 	if ((rv = crypto_get_input_data(plaintext, &ptptr, tmp_data))
635 	    != CRYPTO_SUCCESS)
636 		return (rv);
637 
638 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
639 		rv = pkcs1_encode(PKCS1_ENCRYPT, ptptr, plen,
640 		    plain_data, modulus_len);
641 
642 		if (rv != CRYPTO_SUCCESS)
643 			return (rv);
644 	} else {
645 		bzero(plain_data, modulus_len - plen);
646 		bcopy(ptptr, &plain_data[modulus_len - plen], plen);
647 	}
648 
649 	rv = core_rsa_encrypt(key, plain_data, modulus_len, cipher_data, 1);
650 	if (rv == CRYPTO_SUCCESS) {
651 		/* copy out to ciphertext */
652 		if ((rv = crypto_put_output_data(cipher_data,
653 		    ciphertext, modulus_len)) != CRYPTO_SUCCESS)
654 			return (rv);
655 
656 		ciphertext->cd_length = modulus_len;
657 	}
658 
659 /* EXPORT DELETE END */
660 
661 	return (rv);
662 }
663 
664 /* EXPORT DELETE START */
665 
666 static int
667 core_rsa_encrypt(crypto_key_t *key, uchar_t *in,
668     int in_len, uchar_t *out, int is_public)
669 {
670 	int rv;
671 	uchar_t *expo, *modulus;
672 	ssize_t	expo_len;
673 	ssize_t modulus_len;
674 	RSAbytekey k;
675 
676 	if (is_public) {
677 		if ((rv = crypto_get_key_attr(key, SUN_CKA_PUBLIC_EXPONENT,
678 		    &expo, &expo_len)) != CRYPTO_SUCCESS)
679 			return (rv);
680 	} else {
681 		/*
682 		 * SUN_CKA_PRIVATE_EXPONENT is a required attribute for a
683 		 * RSA secret key. See the comments in core_rsa_decrypt
684 		 * routine which calls this routine with a private key.
685 		 */
686 		if ((rv = crypto_get_key_attr(key, SUN_CKA_PRIVATE_EXPONENT,
687 		    &expo, &expo_len)) != CRYPTO_SUCCESS)
688 			return (rv);
689 	}
690 
691 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
692 	    &modulus_len)) != CRYPTO_SUCCESS) {
693 		return (rv);
694 	}
695 
696 	k.modulus = modulus;
697 	k.modulus_bits = CRYPTO_BYTES2BITS(modulus_len);
698 	k.pubexpo = expo;
699 	k.pubexpo_bytes = expo_len;
700 	k.rfunc = NULL;
701 
702 	rv = rsa_encrypt(&k, in, in_len, out);
703 
704 	return (rv);
705 }
706 
707 /* EXPORT DELETE END */
708 
709 /* ARGSUSED */
710 static int
711 rsaprov_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
712     crypto_data_t *plaintext, crypto_req_handle_t req)
713 {
714 	int rv;
715 	rsa_ctx_t *ctxp;
716 
717 	ASSERT(ctx->cc_provider_private != NULL);
718 	ctxp = ctx->cc_provider_private;
719 
720 	RSA_ARG_INPLACE(ciphertext, plaintext);
721 
722 	/* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
723 	rv = rsa_decrypt_common(ctxp->mech_type, ctxp->key,
724 	    ciphertext, plaintext);
725 
726 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
727 		(void) rsa_free_context(ctx);
728 
729 	return (rv);
730 }
731 
732 /* ARGSUSED */
733 static int
734 rsa_decrypt_atomic(crypto_provider_handle_t provider,
735     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
736     crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
737     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
738 {
739 	int rv;
740 
741 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
742 		return (rv);
743 	RSA_ARG_INPLACE(ciphertext, plaintext);
744 
745 	return (rsa_decrypt_common(mechanism->cm_type, key, ciphertext,
746 	    plaintext));
747 }
748 
749 static int
750 rsa_decrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
751     crypto_data_t *ciphertext, crypto_data_t *plaintext)
752 {
753 	int rv = CRYPTO_FAILED;
754 
755 /* EXPORT DELETE START */
756 
757 	size_t plain_len;
758 	uchar_t *ctptr;
759 	uchar_t *modulus;
760 	ssize_t modulus_len;
761 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
762 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
763 
764 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
765 	    &modulus_len)) != CRYPTO_SUCCESS) {
766 		return (rv);
767 	}
768 
769 	/*
770 	 * Ciphertext length must be equal to RSA modulus size.
771 	 */
772 	if (ciphertext->cd_length != modulus_len)
773 		return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
774 
775 	ASSERT(ciphertext->cd_length <= sizeof (tmp_data));
776 	if ((rv = crypto_get_input_data(ciphertext, &ctptr, tmp_data))
777 	    != CRYPTO_SUCCESS)
778 		return (rv);
779 
780 	rv = core_rsa_decrypt(key, ctptr, modulus_len, plain_data);
781 	if (rv == CRYPTO_SUCCESS) {
782 		plain_len = modulus_len;
783 
784 		if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
785 			/* Strip off the PKCS block formatting data. */
786 			rv = pkcs1_decode(PKCS1_DECRYPT, plain_data,
787 			    &plain_len);
788 			if (rv != CRYPTO_SUCCESS)
789 				return (rv);
790 		}
791 
792 		if (plain_len > plaintext->cd_length) {
793 			plaintext->cd_length = plain_len;
794 			return (CRYPTO_BUFFER_TOO_SMALL);
795 		}
796 
797 		if ((rv = crypto_put_output_data(
798 		    plain_data + modulus_len - plain_len,
799 		    plaintext, plain_len)) != CRYPTO_SUCCESS)
800 			return (rv);
801 
802 		plaintext->cd_length = plain_len;
803 	}
804 
805 /* EXPORT DELETE END */
806 
807 	return (rv);
808 }
809 
810 /* EXPORT DELETE START */
811 
812 static int
813 core_rsa_decrypt(crypto_key_t *key, uchar_t *in, int in_len, uchar_t *out)
814 {
815 	int rv;
816 	uchar_t *modulus, *prime1, *prime2, *expo1, *expo2, *coef;
817 	ssize_t modulus_len;
818 	ssize_t	prime1_len, prime2_len;
819 	ssize_t	expo1_len, expo2_len, coef_len;
820 	RSAbytekey k;
821 
822 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
823 	    &modulus_len)) != CRYPTO_SUCCESS) {
824 		return (rv);
825 	}
826 
827 	/*
828 	 * The following attributes are not required to be
829 	 * present in a RSA secret key. If any of them is not present
830 	 * we call the encrypt routine with a flag indicating use of
831 	 * private exponent (d). Note that SUN_CKA_PRIVATE_EXPONENT is
832 	 * a required attribute for a RSA secret key.
833 	 */
834 	if ((crypto_get_key_attr(key, SUN_CKA_PRIME_1, &prime1, &prime1_len)
835 	    != CRYPTO_SUCCESS) ||
836 	    (crypto_get_key_attr(key, SUN_CKA_PRIME_2, &prime2, &prime2_len)
837 	    != CRYPTO_SUCCESS) ||
838 	    (crypto_get_key_attr(key, SUN_CKA_EXPONENT_1, &expo1, &expo1_len)
839 	    != CRYPTO_SUCCESS) ||
840 	    (crypto_get_key_attr(key, SUN_CKA_EXPONENT_2, &expo2, &expo2_len)
841 	    != CRYPTO_SUCCESS) ||
842 	    (crypto_get_key_attr(key, SUN_CKA_COEFFICIENT, &coef, &coef_len)
843 	    != CRYPTO_SUCCESS)) {
844 		return (core_rsa_encrypt(key, in, in_len, out, 0));
845 	}
846 
847 	k.modulus = modulus;
848 	k.modulus_bits = CRYPTO_BYTES2BITS(modulus_len);
849 	k.prime1 = prime1;
850 	k.prime1_bytes = prime1_len;
851 	k.prime2 = prime2;
852 	k.prime2_bytes = prime2_len;
853 	k.expo1 = expo1;
854 	k.expo1_bytes = expo1_len;
855 	k.expo2 = expo2;
856 	k.expo2_bytes = expo2_len;
857 	k.coeff = coef;
858 	k.coeff_bytes = coef_len;
859 	k.rfunc = NULL;
860 
861 	rv = rsa_decrypt(&k, in, in_len, out);
862 
863 	return (rv);
864 }
865 
866 /* EXPORT DELETE END */
867 
868 /* ARGSUSED */
869 static int
870 rsa_sign_verify_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
871     crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
872     crypto_req_handle_t req)
873 {
874 	int rv;
875 	int kmflag;
876 	rsa_ctx_t *ctxp;
877 	digest_rsa_ctx_t *dctxp;
878 
879 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
880 		return (rv);
881 
882 	/*
883 	 * Allocate a RSA context.
884 	 */
885 	kmflag = crypto_kmflag(req);
886 	switch (mechanism->cm_type) {
887 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
888 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
889 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
890 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
891 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
892 		dctxp = kmem_zalloc(sizeof (digest_rsa_ctx_t), kmflag);
893 		ctxp = (rsa_ctx_t *)dctxp;
894 		break;
895 	default:
896 		ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag);
897 		break;
898 	}
899 
900 	if (ctxp == NULL)
901 		return (CRYPTO_HOST_MEMORY);
902 
903 	ctxp->mech_type = mechanism->cm_type;
904 	if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size,
905 	    kmflag)) != CRYPTO_SUCCESS) {
906 		switch (mechanism->cm_type) {
907 		case MD5_RSA_PKCS_MECH_INFO_TYPE:
908 		case SHA1_RSA_PKCS_MECH_INFO_TYPE:
909 		case SHA256_RSA_PKCS_MECH_INFO_TYPE:
910 		case SHA384_RSA_PKCS_MECH_INFO_TYPE:
911 		case SHA512_RSA_PKCS_MECH_INFO_TYPE:
912 			kmem_free(dctxp, sizeof (digest_rsa_ctx_t));
913 			break;
914 		default:
915 			kmem_free(ctxp, sizeof (rsa_ctx_t));
916 			break;
917 		}
918 		return (rv);
919 	}
920 
921 	switch (mechanism->cm_type) {
922 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
923 		MD5Init(&(dctxp->md5_ctx));
924 		break;
925 
926 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
927 		SHA1Init(&(dctxp->sha1_ctx));
928 		break;
929 
930 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
931 		SHA2Init(SHA256, &(dctxp->sha2_ctx));
932 		break;
933 
934 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
935 		SHA2Init(SHA384, &(dctxp->sha2_ctx));
936 		break;
937 
938 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
939 		SHA2Init(SHA512, &(dctxp->sha2_ctx));
940 		break;
941 	}
942 
943 	ctx->cc_provider_private = ctxp;
944 
945 	return (CRYPTO_SUCCESS);
946 }
947 
948 #define	SHA1_DIGEST_SIZE 20
949 #define	MD5_DIGEST_SIZE 16
950 
951 #define	INIT_RAW_CRYPTO_DATA(data, base, len, cd_len)	\
952 	(data).cd_format = CRYPTO_DATA_RAW;		\
953 	(data).cd_offset = 0;				\
954 	(data).cd_raw.iov_base = (char *)base;		\
955 	(data).cd_raw.iov_len = len;			\
956 	(data).cd_length = cd_len;
957 
958 static int
959 rsa_digest_svrfy_common(digest_rsa_ctx_t *ctxp, crypto_data_t *data,
960     crypto_data_t *signature, uchar_t flag)
961 {
962 	int rv = CRYPTO_FAILED;
963 
964 /* EXPORT DELETE START */
965 
966 	uchar_t digest[SHA512_DIGEST_LENGTH];
967 	/* The der_data size is enough for MD5 also */
968 	uchar_t der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len];
969 	ulong_t der_data_len;
970 	crypto_data_t der_cd;
971 	rsa_mech_type_t mech_type;
972 
973 	ASSERT(flag & CRYPTO_DO_SIGN || flag & CRYPTO_DO_VERIFY);
974 	ASSERT(data != NULL || (flag & CRYPTO_DO_FINAL));
975 
976 	mech_type = ctxp->mech_type;
977 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE ||
978 	    mech_type == RSA_X_509_MECH_INFO_TYPE)
979 		return (CRYPTO_MECHANISM_INVALID);
980 
981 	/*
982 	 * We need to do the BUFFER_TOO_SMALL check before digesting
983 	 * the data. No check is needed for verify as signature is not
984 	 * an output argument for verify.
985 	 */
986 	if (flag & CRYPTO_DO_SIGN) {
987 		uchar_t *modulus;
988 		ssize_t modulus_len;
989 
990 		if ((rv = crypto_get_key_attr(ctxp->key, SUN_CKA_MODULUS,
991 		    &modulus, &modulus_len)) != CRYPTO_SUCCESS) {
992 			return (rv);
993 		}
994 
995 		if (signature->cd_length < modulus_len) {
996 			signature->cd_length = modulus_len;
997 			return (CRYPTO_BUFFER_TOO_SMALL);
998 		}
999 	}
1000 
1001 	if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE)
1002 		rv = crypto_digest_data(data, &(ctxp->md5_ctx),
1003 		    digest, MD5Update, MD5Final, flag | CRYPTO_DO_MD5);
1004 
1005 	else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE)
1006 		rv = crypto_digest_data(data, &(ctxp->sha1_ctx),
1007 		    digest, SHA1Update, SHA1Final,  flag | CRYPTO_DO_SHA1);
1008 
1009 	else
1010 		rv = crypto_digest_data(data, &(ctxp->sha2_ctx),
1011 		    digest, SHA2Update, SHA2Final, flag | CRYPTO_DO_SHA2);
1012 
1013 	if (rv != CRYPTO_SUCCESS)
1014 		return (rv);
1015 
1016 
1017 	/*
1018 	 * Prepare the DER encoding of the DigestInfo value as follows:
1019 	 * MD5:		MD5_DER_PREFIX || H
1020 	 * SHA-1:	SHA1_DER_PREFIX || H
1021 	 *
1022 	 * See rsa_impl.c for more details.
1023 	 */
1024 	switch (mech_type) {
1025 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1026 		bcopy(MD5_DER_PREFIX, der_data, MD5_DER_PREFIX_Len);
1027 		bcopy(digest, der_data + MD5_DER_PREFIX_Len, MD5_DIGEST_SIZE);
1028 		der_data_len = MD5_DER_PREFIX_Len + MD5_DIGEST_SIZE;
1029 		break;
1030 
1031 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1032 		bcopy(SHA1_DER_PREFIX, der_data, SHA1_DER_PREFIX_Len);
1033 		bcopy(digest, der_data + SHA1_DER_PREFIX_Len,
1034 		    SHA1_DIGEST_SIZE);
1035 		der_data_len = SHA1_DER_PREFIX_Len + SHA1_DIGEST_SIZE;
1036 		break;
1037 
1038 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1039 		bcopy(SHA256_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1040 		bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1041 		    SHA256_DIGEST_LENGTH);
1042 		der_data_len = SHA2_DER_PREFIX_Len + SHA256_DIGEST_LENGTH;
1043 		break;
1044 
1045 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1046 		bcopy(SHA384_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1047 		bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1048 		    SHA384_DIGEST_LENGTH);
1049 		der_data_len = SHA2_DER_PREFIX_Len + SHA384_DIGEST_LENGTH;
1050 		break;
1051 
1052 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1053 		bcopy(SHA512_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1054 		bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1055 		    SHA512_DIGEST_LENGTH);
1056 		der_data_len = SHA2_DER_PREFIX_Len + SHA512_DIGEST_LENGTH;
1057 		break;
1058 	}
1059 
1060 	INIT_RAW_CRYPTO_DATA(der_cd, der_data, der_data_len, der_data_len);
1061 	/*
1062 	 * Now, we are ready to sign or verify the DER_ENCODED data.
1063 	 */
1064 	if (flag & CRYPTO_DO_SIGN)
1065 		rv = rsa_sign_common(mech_type, ctxp->key, &der_cd,
1066 		    signature);
1067 	else
1068 		rv = rsa_verify_common(mech_type, ctxp->key, &der_cd,
1069 		    signature);
1070 
1071 /* EXPORT DELETE END */
1072 
1073 	return (rv);
1074 }
1075 
1076 static int
1077 rsa_sign_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1078     crypto_data_t *data, crypto_data_t *signature)
1079 {
1080 	int rv = CRYPTO_FAILED;
1081 
1082 /* EXPORT DELETE START */
1083 
1084 	int dlen;
1085 	uchar_t *dataptr, *modulus;
1086 	ssize_t modulus_len;
1087 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1088 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1089 	uchar_t signed_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1090 
1091 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1092 	    &modulus_len)) != CRYPTO_SUCCESS) {
1093 		return (rv);
1094 	}
1095 
1096 	dlen = data->cd_length;
1097 	switch (mech_type) {
1098 	case RSA_PKCS_MECH_INFO_TYPE:
1099 		if (dlen > (modulus_len - MIN_PKCS1_PADLEN))
1100 			return (CRYPTO_DATA_LEN_RANGE);
1101 		break;
1102 	case RSA_X_509_MECH_INFO_TYPE:
1103 		if (dlen > modulus_len)
1104 			return (CRYPTO_DATA_LEN_RANGE);
1105 		break;
1106 	}
1107 
1108 	if (signature->cd_length < modulus_len) {
1109 		signature->cd_length = modulus_len;
1110 		return (CRYPTO_BUFFER_TOO_SMALL);
1111 	}
1112 
1113 	ASSERT(data->cd_length <= sizeof (tmp_data));
1114 	if ((rv = crypto_get_input_data(data, &dataptr, tmp_data))
1115 	    != CRYPTO_SUCCESS)
1116 		return (rv);
1117 
1118 	switch (mech_type) {
1119 	case RSA_PKCS_MECH_INFO_TYPE:
1120 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1121 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1122 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1123 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1124 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1125 		/*
1126 		 * Add PKCS padding to the input data to format a block
1127 		 * type "01" encryption block.
1128 		 */
1129 		rv = pkcs1_encode(PKCS1_SIGN, dataptr, dlen, plain_data,
1130 		    modulus_len);
1131 		if (rv != CRYPTO_SUCCESS)
1132 			return (rv);
1133 
1134 		break;
1135 
1136 	case RSA_X_509_MECH_INFO_TYPE:
1137 		bzero(plain_data, modulus_len - dlen);
1138 		bcopy(dataptr, &plain_data[modulus_len - dlen], dlen);
1139 		break;
1140 	}
1141 
1142 	rv = core_rsa_decrypt(key, plain_data, modulus_len, signed_data);
1143 	if (rv == CRYPTO_SUCCESS) {
1144 		/* copy out to signature */
1145 		if ((rv = crypto_put_output_data(signed_data,
1146 		    signature, modulus_len)) != CRYPTO_SUCCESS)
1147 			return (rv);
1148 
1149 		signature->cd_length = modulus_len;
1150 	}
1151 
1152 /* EXPORT DELETE END */
1153 
1154 	return (rv);
1155 }
1156 
1157 /* ARGSUSED */
1158 static int
1159 rsaprov_sign(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature,
1160     crypto_req_handle_t req)
1161 {
1162 	int rv;
1163 	rsa_ctx_t *ctxp;
1164 
1165 	ASSERT(ctx->cc_provider_private != NULL);
1166 	ctxp = ctx->cc_provider_private;
1167 
1168 	/* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
1169 	switch (ctxp->mech_type) {
1170 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1171 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1172 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1173 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1174 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1175 		rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data,
1176 		    signature, CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE |
1177 		    CRYPTO_DO_FINAL);
1178 		break;
1179 	default:
1180 		rv = rsa_sign_common(ctxp->mech_type, ctxp->key, data,
1181 		    signature);
1182 		break;
1183 	}
1184 
1185 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1186 		(void) rsa_free_context(ctx);
1187 
1188 	return (rv);
1189 }
1190 
1191 /* ARGSUSED */
1192 static int
1193 rsa_sign_update(crypto_ctx_t *ctx, crypto_data_t *data, crypto_req_handle_t req)
1194 {
1195 	int rv;
1196 	digest_rsa_ctx_t *ctxp;
1197 	rsa_mech_type_t mech_type;
1198 
1199 	ASSERT(ctx->cc_provider_private != NULL);
1200 	ctxp = ctx->cc_provider_private;
1201 	mech_type = ctxp->mech_type;
1202 
1203 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE ||
1204 	    mech_type == RSA_X_509_MECH_INFO_TYPE)
1205 		return (CRYPTO_MECHANISM_INVALID);
1206 
1207 	if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE)
1208 		rv = crypto_digest_data(data, &(ctxp->md5_ctx),
1209 		    NULL, MD5Update, MD5Final,
1210 		    CRYPTO_DO_MD5 | CRYPTO_DO_UPDATE);
1211 
1212 	else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE)
1213 		rv = crypto_digest_data(data, &(ctxp->sha1_ctx),
1214 		    NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 |
1215 		    CRYPTO_DO_UPDATE);
1216 
1217 	else
1218 		rv = crypto_digest_data(data, &(ctxp->sha2_ctx),
1219 		    NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 |
1220 		    CRYPTO_DO_UPDATE);
1221 
1222 	return (rv);
1223 }
1224 
1225 /* ARGSUSED2 */
1226 static int
1227 rsa_sign_final(crypto_ctx_t *ctx, crypto_data_t *signature,
1228     crypto_req_handle_t req)
1229 {
1230 	int rv;
1231 	digest_rsa_ctx_t *ctxp;
1232 
1233 	ASSERT(ctx->cc_provider_private != NULL);
1234 	ctxp = ctx->cc_provider_private;
1235 
1236 	rv = rsa_digest_svrfy_common(ctxp, NULL, signature,
1237 	    CRYPTO_DO_SIGN | CRYPTO_DO_FINAL);
1238 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1239 		(void) rsa_free_context(ctx);
1240 
1241 	return (rv);
1242 }
1243 
1244 /* ARGSUSED */
1245 static int
1246 rsa_sign_atomic(crypto_provider_handle_t provider,
1247     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1248     crypto_key_t *key, crypto_data_t *data, crypto_data_t *signature,
1249     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1250 {
1251 	int rv;
1252 	digest_rsa_ctx_t dctx;
1253 
1254 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1255 		return (rv);
1256 
1257 	if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE ||
1258 	    mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE)
1259 		rv = rsa_sign_common(mechanism->cm_type, key, data,
1260 		    signature);
1261 
1262 	else {
1263 		dctx.mech_type = mechanism->cm_type;
1264 		dctx.key = key;
1265 		switch (mechanism->cm_type) {
1266 		case MD5_RSA_PKCS_MECH_INFO_TYPE:
1267 			MD5Init(&(dctx.md5_ctx));
1268 			break;
1269 
1270 		case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1271 			SHA1Init(&(dctx.sha1_ctx));
1272 			break;
1273 
1274 		case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1275 			SHA2Init(SHA256, &(dctx.sha2_ctx));
1276 			break;
1277 
1278 		case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1279 			SHA2Init(SHA384, &(dctx.sha2_ctx));
1280 			break;
1281 
1282 		case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1283 			SHA2Init(SHA512, &(dctx.sha2_ctx));
1284 			break;
1285 		}
1286 
1287 		rv = rsa_digest_svrfy_common(&dctx, data, signature,
1288 		    CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL);
1289 	}
1290 
1291 	return (rv);
1292 }
1293 
1294 static int
1295 rsa_verify_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1296     crypto_data_t *data, crypto_data_t *signature)
1297 {
1298 	int rv = CRYPTO_FAILED;
1299 
1300 /* EXPORT DELETE START */
1301 
1302 	uchar_t *sigptr, *modulus;
1303 	ssize_t modulus_len;
1304 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1305 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1306 
1307 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1308 	    &modulus_len)) != CRYPTO_SUCCESS) {
1309 		return (rv);
1310 	}
1311 
1312 	if (signature->cd_length != modulus_len)
1313 		return (CRYPTO_SIGNATURE_LEN_RANGE);
1314 
1315 	ASSERT(signature->cd_length <= sizeof (tmp_data));
1316 	if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data))
1317 	    != CRYPTO_SUCCESS)
1318 		return (rv);
1319 
1320 	rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, 1);
1321 	if (rv != CRYPTO_SUCCESS)
1322 		return (rv);
1323 
1324 	if (mech_type == RSA_X_509_MECH_INFO_TYPE) {
1325 		if (compare_data(data, (plain_data + modulus_len
1326 		    - data->cd_length)) != 0)
1327 			rv = CRYPTO_SIGNATURE_INVALID;
1328 
1329 	} else {
1330 		size_t data_len = modulus_len;
1331 
1332 		/*
1333 		 * Strip off the encoded padding bytes in front of the
1334 		 * recovered data, then compare the recovered data with
1335 		 * the original data.
1336 		 */
1337 		rv = pkcs1_decode(PKCS1_VERIFY, plain_data, &data_len);
1338 		if (rv != CRYPTO_SUCCESS)
1339 			return (rv);
1340 
1341 		if (data_len != data->cd_length)
1342 			return (CRYPTO_SIGNATURE_LEN_RANGE);
1343 
1344 		if (compare_data(data, (plain_data + modulus_len
1345 		    - data_len)) != 0)
1346 			rv = CRYPTO_SIGNATURE_INVALID;
1347 	}
1348 
1349 /* EXPORT DELETE END */
1350 
1351 	return (rv);
1352 }
1353 
1354 /* ARGSUSED */
1355 static int
1356 rsaprov_verify(crypto_ctx_t *ctx, crypto_data_t *data,
1357     crypto_data_t *signature, crypto_req_handle_t req)
1358 {
1359 	int rv;
1360 	rsa_ctx_t *ctxp;
1361 
1362 	ASSERT(ctx->cc_provider_private != NULL);
1363 	ctxp = ctx->cc_provider_private;
1364 
1365 	/* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
1366 	switch (ctxp->mech_type) {
1367 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1368 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1369 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1370 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1371 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1372 		rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data,
1373 		    signature, CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE |
1374 		    CRYPTO_DO_FINAL);
1375 		break;
1376 	default:
1377 		rv = rsa_verify_common(ctxp->mech_type, ctxp->key, data,
1378 		    signature);
1379 		break;
1380 	}
1381 
1382 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1383 		(void) rsa_free_context(ctx);
1384 
1385 	return (rv);
1386 }
1387 
1388 /* ARGSUSED */
1389 static int
1390 rsa_verify_update(crypto_ctx_t *ctx, crypto_data_t *data,
1391     crypto_req_handle_t req)
1392 {
1393 	int rv;
1394 	digest_rsa_ctx_t *ctxp;
1395 
1396 	ASSERT(ctx->cc_provider_private != NULL);
1397 	ctxp = ctx->cc_provider_private;
1398 
1399 	switch (ctxp->mech_type) {
1400 
1401 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1402 		rv = crypto_digest_data(data, &(ctxp->md5_ctx),
1403 		    NULL, MD5Update, MD5Final, CRYPTO_DO_MD5 |
1404 		    CRYPTO_DO_UPDATE);
1405 		break;
1406 
1407 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1408 		rv = crypto_digest_data(data, &(ctxp->sha1_ctx),
1409 		    NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 |
1410 		    CRYPTO_DO_UPDATE);
1411 		break;
1412 
1413 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1414 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1415 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1416 		rv = crypto_digest_data(data, &(ctxp->sha2_ctx),
1417 		    NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 |
1418 		    CRYPTO_DO_UPDATE);
1419 		break;
1420 
1421 	default:
1422 		return (CRYPTO_MECHANISM_INVALID);
1423 	}
1424 
1425 	return (rv);
1426 }
1427 
1428 /* ARGSUSED2 */
1429 static int
1430 rsa_verify_final(crypto_ctx_t *ctx, crypto_data_t *signature,
1431     crypto_req_handle_t req)
1432 {
1433 	int rv;
1434 	digest_rsa_ctx_t *ctxp;
1435 
1436 	ASSERT(ctx->cc_provider_private != NULL);
1437 	ctxp = ctx->cc_provider_private;
1438 
1439 	rv = rsa_digest_svrfy_common(ctxp, NULL, signature,
1440 	    CRYPTO_DO_VERIFY | CRYPTO_DO_FINAL);
1441 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1442 		(void) rsa_free_context(ctx);
1443 
1444 	return (rv);
1445 }
1446 
1447 
1448 /* ARGSUSED */
1449 static int
1450 rsa_verify_atomic(crypto_provider_handle_t provider,
1451     crypto_session_id_t session_id,
1452     crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data,
1453     crypto_data_t *signature, crypto_spi_ctx_template_t ctx_template,
1454     crypto_req_handle_t req)
1455 {
1456 	int rv;
1457 	digest_rsa_ctx_t dctx;
1458 
1459 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1460 		return (rv);
1461 
1462 	if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE ||
1463 	    mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE)
1464 		rv = rsa_verify_common(mechanism->cm_type, key, data,
1465 		    signature);
1466 
1467 	else {
1468 		dctx.mech_type = mechanism->cm_type;
1469 		dctx.key = key;
1470 
1471 		switch (mechanism->cm_type) {
1472 		case MD5_RSA_PKCS_MECH_INFO_TYPE:
1473 			MD5Init(&(dctx.md5_ctx));
1474 			break;
1475 
1476 		case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1477 			SHA1Init(&(dctx.sha1_ctx));
1478 			break;
1479 
1480 		case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1481 			SHA2Init(SHA256, &(dctx.sha2_ctx));
1482 			break;
1483 
1484 		case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1485 			SHA2Init(SHA384, &(dctx.sha2_ctx));
1486 			break;
1487 
1488 		case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1489 			SHA2Init(SHA512, &(dctx.sha2_ctx));
1490 			break;
1491 		}
1492 
1493 		rv = rsa_digest_svrfy_common(&dctx, data, signature,
1494 		    CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL);
1495 	}
1496 
1497 	return (rv);
1498 }
1499 
1500 static int
1501 rsa_verify_recover_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1502     crypto_data_t *signature, crypto_data_t *data)
1503 {
1504 	int rv = CRYPTO_FAILED;
1505 
1506 /* EXPORT DELETE START */
1507 
1508 	size_t data_len;
1509 	uchar_t *sigptr, *modulus;
1510 	ssize_t modulus_len;
1511 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1512 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1513 
1514 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1515 	    &modulus_len)) != CRYPTO_SUCCESS) {
1516 		return (rv);
1517 	}
1518 
1519 	if (signature->cd_length != modulus_len)
1520 		return (CRYPTO_SIGNATURE_LEN_RANGE);
1521 
1522 	ASSERT(signature->cd_length <= sizeof (tmp_data));
1523 	if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data))
1524 	    != CRYPTO_SUCCESS)
1525 		return (rv);
1526 
1527 	rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, 1);
1528 	if (rv != CRYPTO_SUCCESS)
1529 		return (rv);
1530 
1531 	data_len = modulus_len;
1532 
1533 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
1534 		/*
1535 		 * Strip off the encoded padding bytes in front of the
1536 		 * recovered data, then compare the recovered data with
1537 		 * the original data.
1538 		 */
1539 		rv = pkcs1_decode(PKCS1_VERIFY, plain_data, &data_len);
1540 		if (rv != CRYPTO_SUCCESS)
1541 			return (rv);
1542 	}
1543 
1544 	if (data->cd_length < data_len) {
1545 		data->cd_length = data_len;
1546 		return (CRYPTO_BUFFER_TOO_SMALL);
1547 	}
1548 
1549 	if ((rv = crypto_put_output_data(plain_data + modulus_len - data_len,
1550 	    data, data_len)) != CRYPTO_SUCCESS)
1551 		return (rv);
1552 	data->cd_length = data_len;
1553 
1554 /* EXPORT DELETE END */
1555 
1556 	return (rv);
1557 }
1558 
1559 /* ARGSUSED */
1560 static int
1561 rsa_verify_recover(crypto_ctx_t *ctx, crypto_data_t *signature,
1562     crypto_data_t *data, crypto_req_handle_t req)
1563 {
1564 	int rv;
1565 	rsa_ctx_t *ctxp;
1566 
1567 	ASSERT(ctx->cc_provider_private != NULL);
1568 	ctxp = ctx->cc_provider_private;
1569 
1570 	/* See the comments on KM_SLEEP flag in rsaprov_encrypt() */
1571 	rv = rsa_verify_recover_common(ctxp->mech_type, ctxp->key,
1572 	    signature, data);
1573 
1574 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1575 		(void) rsa_free_context(ctx);
1576 
1577 	return (rv);
1578 }
1579 
1580 /* ARGSUSED */
1581 static int
1582 rsa_verify_recover_atomic(crypto_provider_handle_t provider,
1583     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1584     crypto_key_t *key, crypto_data_t *signature, crypto_data_t *data,
1585     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1586 {
1587 	int rv;
1588 
1589 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1590 		return (rv);
1591 
1592 	return (rsa_verify_recover_common(mechanism->cm_type, key,
1593 	    signature, data));
1594 }
1595