xref: /titanic_50/usr/src/uts/common/crypto/io/rsa.c (revision 69b3e10436272b0970d58743de375d0dd61046ce)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * RSA provider for the Kernel Cryptographic Framework (KCF)
28  */
29 
30 #include <sys/types.h>
31 #include <sys/systm.h>
32 #include <sys/modctl.h>
33 #include <sys/cmn_err.h>
34 #include <sys/ddi.h>
35 #include <sys/crypto/spi.h>
36 #include <sys/sysmacros.h>
37 #include <sys/strsun.h>
38 #include <sys/md5.h>
39 #include <sys/sha1.h>
40 #define	_SHA2_IMPL
41 #include <sys/sha2.h>
42 #include <sys/random.h>
43 #include <sys/crypto/impl.h>
44 #include <sha1/sha1_impl.h>
45 #include <sha2/sha2_impl.h>
46 #define	_RSA_FIPS_POST
47 #include <rsa/rsa_impl.h>
48 
49 extern struct mod_ops mod_cryptoops;
50 
51 /*
52  * Module linkage information for the kernel.
53  */
54 static struct modlcrypto modlcrypto = {
55 	&mod_cryptoops,
56 	"RSA Kernel SW Provider"
57 };
58 
59 static struct modlinkage modlinkage = {
60 	MODREV_1,
61 	(void *)&modlcrypto,
62 	NULL
63 };
64 
65 /*
66  * CSPI information (entry points, provider info, etc.)
67  */
68 typedef enum rsa_mech_type {
69 	RSA_PKCS_MECH_INFO_TYPE,	/* SUN_CKM_RSA_PKCS */
70 	RSA_X_509_MECH_INFO_TYPE,	/* SUN_CKM_RSA_X_509 */
71 	MD5_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_MD5_RSA_PKCS */
72 	SHA1_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_SHA1_RSA_PKCS */
73 	SHA256_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_SHA256_RSA_PKCS */
74 	SHA384_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_SHA384_RSA_PKCS */
75 	SHA512_RSA_PKCS_MECH_INFO_TYPE	/* SUN_SHA512_RSA_PKCS */
76 } rsa_mech_type_t;
77 
78 /*
79  * Context for RSA_PKCS and RSA_X_509 mechanisms.
80  */
81 typedef struct rsa_ctx {
82 	rsa_mech_type_t	mech_type;
83 	crypto_key_t *key;
84 	size_t keychunk_size;
85 } rsa_ctx_t;
86 
87 /*
88  * Context for MD5_RSA_PKCS and SHA*_RSA_PKCS mechanisms.
89  */
90 typedef struct digest_rsa_ctx {
91 	rsa_mech_type_t	mech_type;
92 	crypto_key_t *key;
93 	size_t keychunk_size;
94 	union {
95 		MD5_CTX md5ctx;
96 		SHA1_CTX sha1ctx;
97 		SHA2_CTX sha2ctx;
98 	} dctx_u;
99 } digest_rsa_ctx_t;
100 
101 #define	md5_ctx		dctx_u.md5ctx
102 #define	sha1_ctx	dctx_u.sha1ctx
103 #define	sha2_ctx	dctx_u.sha2ctx
104 
105 /*
106  * Mechanism info structure passed to KCF during registration.
107  */
108 static crypto_mech_info_t rsa_mech_info_tab[] = {
109 	/* RSA_PKCS */
110 	{SUN_CKM_RSA_PKCS, RSA_PKCS_MECH_INFO_TYPE,
111 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
112 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
113 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
114 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC |
115 	    CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC |
116 	    CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC,
117 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
118 
119 	/* RSA_X_509 */
120 	{SUN_CKM_RSA_X_509, RSA_X_509_MECH_INFO_TYPE,
121 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
122 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
123 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
124 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC |
125 	    CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC |
126 	    CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC,
127 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
128 
129 	/* MD5_RSA_PKCS */
130 	{SUN_CKM_MD5_RSA_PKCS, MD5_RSA_PKCS_MECH_INFO_TYPE,
131 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
132 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
133 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
134 
135 	/* SHA1_RSA_PKCS */
136 	{SUN_CKM_SHA1_RSA_PKCS, SHA1_RSA_PKCS_MECH_INFO_TYPE,
137 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
138 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
139 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
140 
141 	/* SHA256_RSA_PKCS */
142 	{SUN_CKM_SHA256_RSA_PKCS, SHA256_RSA_PKCS_MECH_INFO_TYPE,
143 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
144 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
145 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
146 
147 	/* SHA384_RSA_PKCS */
148 	{SUN_CKM_SHA384_RSA_PKCS, SHA384_RSA_PKCS_MECH_INFO_TYPE,
149 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
150 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
151 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
152 
153 	/* SHA512_RSA_PKCS */
154 	{SUN_CKM_SHA512_RSA_PKCS, SHA512_RSA_PKCS_MECH_INFO_TYPE,
155 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
156 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
157 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}
158 
159 };
160 
161 #define	RSA_VALID_MECH(mech)					\
162 	(((mech)->cm_type == RSA_PKCS_MECH_INFO_TYPE ||		\
163 	(mech)->cm_type == RSA_X_509_MECH_INFO_TYPE ||		\
164 	(mech)->cm_type == MD5_RSA_PKCS_MECH_INFO_TYPE ||	\
165 	(mech)->cm_type == SHA1_RSA_PKCS_MECH_INFO_TYPE ||	\
166 	(mech)->cm_type == SHA256_RSA_PKCS_MECH_INFO_TYPE ||	\
167 	(mech)->cm_type == SHA384_RSA_PKCS_MECH_INFO_TYPE ||	\
168 	(mech)->cm_type == SHA512_RSA_PKCS_MECH_INFO_TYPE) ? 1 : 0)
169 
170 /* operations are in-place if the output buffer is NULL */
171 #define	RSA_ARG_INPLACE(input, output)				\
172 	if ((output) == NULL)					\
173 		(output) = (input);
174 
175 static void rsa_provider_status(crypto_provider_handle_t, uint_t *);
176 
177 static crypto_control_ops_t rsa_control_ops = {
178 	rsa_provider_status
179 };
180 
181 static int rsa_common_init(crypto_ctx_t *, crypto_mechanism_t *,
182     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
183 static int rsa_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
184     crypto_req_handle_t);
185 static int rsa_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
186     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
187     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
188 static int rsa_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
189     crypto_req_handle_t);
190 static int rsa_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
191     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
192     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
193 
194 /*
195  * The RSA mechanisms do not have multiple-part cipher operations.
196  * So, the update and final routines are set to NULL.
197  */
198 static crypto_cipher_ops_t rsa_cipher_ops = {
199 	rsa_common_init,
200 	rsa_encrypt,
201 	NULL,
202 	NULL,
203 	rsa_encrypt_atomic,
204 	rsa_common_init,
205 	rsa_decrypt,
206 	NULL,
207 	NULL,
208 	rsa_decrypt_atomic
209 };
210 
211 static int rsa_sign_verify_common_init(crypto_ctx_t *, crypto_mechanism_t *,
212     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
213 static int rsa_sign(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
214     crypto_req_handle_t);
215 static int rsa_sign_update(crypto_ctx_t *, crypto_data_t *,
216     crypto_req_handle_t);
217 static int rsa_sign_final(crypto_ctx_t *, crypto_data_t *,
218     crypto_req_handle_t);
219 static int rsa_sign_atomic(crypto_provider_handle_t, crypto_session_id_t,
220     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
221     crypto_spi_ctx_template_t, crypto_req_handle_t);
222 
223 /*
224  * We use the same routine for sign_init and sign_recover_init fields
225  * as they do the same thing. Same holds for sign and sign_recover fields,
226  * and sign_atomic and sign_recover_atomic fields.
227  */
228 static crypto_sign_ops_t rsa_sign_ops = {
229 	rsa_sign_verify_common_init,
230 	rsa_sign,
231 	rsa_sign_update,
232 	rsa_sign_final,
233 	rsa_sign_atomic,
234 	rsa_sign_verify_common_init,
235 	rsa_sign,
236 	rsa_sign_atomic
237 };
238 
239 static int rsa_verify(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
240     crypto_req_handle_t);
241 static int rsa_verify_update(crypto_ctx_t *, crypto_data_t *,
242     crypto_req_handle_t);
243 static int rsa_verify_final(crypto_ctx_t *, crypto_data_t *,
244     crypto_req_handle_t);
245 static int rsa_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
246     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
247     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
248 static int rsa_verify_recover(crypto_ctx_t *, crypto_data_t *,
249     crypto_data_t *, crypto_req_handle_t);
250 static int rsa_verify_recover_atomic(crypto_provider_handle_t,
251     crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
252     crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
253     crypto_req_handle_t);
254 
255 /*
256  * We use the same routine (rsa_sign_verify_common_init) for verify_init
257  * and verify_recover_init fields as they do the same thing.
258  */
259 static crypto_verify_ops_t rsa_verify_ops = {
260 	rsa_sign_verify_common_init,
261 	rsa_verify,
262 	rsa_verify_update,
263 	rsa_verify_final,
264 	rsa_verify_atomic,
265 	rsa_sign_verify_common_init,
266 	rsa_verify_recover,
267 	rsa_verify_recover_atomic
268 };
269 
270 static int rsa_free_context(crypto_ctx_t *);
271 
272 static crypto_ctx_ops_t rsa_ctx_ops = {
273 	NULL,
274 	rsa_free_context
275 };
276 
277 static void rsa_POST(int *);
278 
279 static crypto_fips140_ops_t rsa_fips140_ops = {
280 	rsa_POST
281 };
282 
283 static crypto_ops_t rsa_crypto_ops = {
284 	&rsa_control_ops,
285 	NULL,
286 	&rsa_cipher_ops,
287 	NULL,
288 	&rsa_sign_ops,
289 	&rsa_verify_ops,
290 	NULL,
291 	NULL,
292 	NULL,
293 	NULL,
294 	NULL,
295 	NULL,
296 	NULL,
297 	&rsa_ctx_ops,
298 	NULL,
299 	NULL,
300 	&rsa_fips140_ops
301 };
302 
303 static crypto_provider_info_t rsa_prov_info = {
304 	CRYPTO_SPI_VERSION_4,
305 	"RSA Software Provider",
306 	CRYPTO_SW_PROVIDER,
307 	{&modlinkage},
308 	NULL,
309 	&rsa_crypto_ops,
310 	sizeof (rsa_mech_info_tab)/sizeof (crypto_mech_info_t),
311 	rsa_mech_info_tab
312 };
313 
314 static int rsa_encrypt_common(rsa_mech_type_t, crypto_key_t *,
315     crypto_data_t *, crypto_data_t *, int);
316 static int rsa_decrypt_common(rsa_mech_type_t, crypto_key_t *,
317     crypto_data_t *, crypto_data_t *, int);
318 static int rsa_sign_common(rsa_mech_type_t, crypto_key_t *,
319     crypto_data_t *, crypto_data_t *, int);
320 static int rsa_verify_common(rsa_mech_type_t, crypto_key_t *,
321     crypto_data_t *, crypto_data_t *, int);
322 static int compare_data(crypto_data_t *, uchar_t *);
323 
324 /* EXPORT DELETE START */
325 
326 static int core_rsa_encrypt(crypto_key_t *, uchar_t *,
327     int, uchar_t *, int, int);
328 static int core_rsa_decrypt(crypto_key_t *, uchar_t *, int,
329     uchar_t *, int);
330 
331 /* EXPORT DELETE END */
332 
333 static crypto_kcf_provider_handle_t rsa_prov_handle = NULL;
334 
335 int
336 _init(void)
337 {
338 	int ret;
339 
340 	/*
341 	 * Register with KCF. If the registration fails, return error.
342 	 */
343 	if ((ret = crypto_register_provider(&rsa_prov_info,
344 	    &rsa_prov_handle)) != CRYPTO_SUCCESS) {
345 		cmn_err(CE_WARN, "rsa _init: crypto_register_provider()"
346 		    "failed (0x%x)", ret);
347 		return (EACCES);
348 	}
349 
350 	if ((ret = mod_install(&modlinkage)) != 0) {
351 		int rv;
352 
353 		ASSERT(rsa_prov_handle != NULL);
354 		/* We should not return if the unregister returns busy. */
355 		while ((rv = crypto_unregister_provider(rsa_prov_handle))
356 		    == CRYPTO_BUSY) {
357 			cmn_err(CE_WARN, "rsa _init: "
358 			    "crypto_unregister_provider() "
359 			    "failed (0x%x). Retrying.", rv);
360 			/* wait 10 seconds and try again. */
361 			delay(10 * drv_usectohz(1000000));
362 		}
363 	}
364 
365 	return (ret);
366 }
367 
368 int
369 _fini(void)
370 {
371 	int ret;
372 
373 	/*
374 	 * Unregister from KCF if previous registration succeeded.
375 	 */
376 	if (rsa_prov_handle != NULL) {
377 		if ((ret = crypto_unregister_provider(rsa_prov_handle)) !=
378 		    CRYPTO_SUCCESS) {
379 			cmn_err(CE_WARN, "rsa _fini: "
380 			    "crypto_unregister_provider() "
381 			    "failed (0x%x)", ret);
382 			return (EBUSY);
383 		}
384 		rsa_prov_handle = NULL;
385 	}
386 
387 	return (mod_remove(&modlinkage));
388 }
389 
390 int
391 _info(struct modinfo *modinfop)
392 {
393 	return (mod_info(&modlinkage, modinfop));
394 }
395 
396 /* ARGSUSED */
397 static void
398 rsa_provider_status(crypto_provider_handle_t provider, uint_t *status)
399 {
400 	*status = CRYPTO_PROVIDER_READY;
401 }
402 
403 static int
404 check_mech_and_key(crypto_mechanism_t *mechanism, crypto_key_t *key)
405 {
406 	int rv = CRYPTO_FAILED;
407 
408 /* EXPORT DELETE START */
409 
410 	uchar_t *modulus;
411 	ssize_t modulus_len; /* In bytes */
412 
413 	if (!RSA_VALID_MECH(mechanism))
414 		return (CRYPTO_MECHANISM_INVALID);
415 
416 	/*
417 	 * We only support RSA keys that are passed as a list of
418 	 * object attributes.
419 	 */
420 	if (key->ck_format != CRYPTO_KEY_ATTR_LIST) {
421 		return (CRYPTO_KEY_TYPE_INCONSISTENT);
422 	}
423 
424 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
425 	    &modulus_len)) != CRYPTO_SUCCESS) {
426 		return (rv);
427 	}
428 	if (modulus_len < MIN_RSA_KEYLENGTH_IN_BYTES ||
429 	    modulus_len > MAX_RSA_KEYLENGTH_IN_BYTES)
430 		return (CRYPTO_KEY_SIZE_RANGE);
431 
432 /* EXPORT DELETE END */
433 
434 	return (rv);
435 }
436 
437 void
438 kmemset(uint8_t *buf, char pattern, size_t len)
439 {
440 	int i = 0;
441 
442 	while (i < len)
443 		buf[i++] = pattern;
444 }
445 
446 /*
447  * This function guarantees to return non-zero random numbers.
448  * This is needed as the /dev/urandom kernel interface,
449  * random_get_pseudo_bytes(), may return zeros.
450  */
451 int
452 knzero_random_generator(uint8_t *ran_out, size_t ran_len)
453 {
454 	int rv;
455 	size_t ebc = 0; /* count of extra bytes in extrarand */
456 	size_t i = 0;
457 	uint8_t extrarand[32];
458 	size_t extrarand_len;
459 
460 	if ((rv = random_get_pseudo_bytes_fips140(ran_out, ran_len)) != 0)
461 		return (rv);
462 
463 	/*
464 	 * Walk through the returned random numbers pointed by ran_out,
465 	 * and look for any random number which is zero.
466 	 * If we find zero, call random_get_pseudo_bytes() to generate
467 	 * another 32 random numbers pool. Replace any zeros in ran_out[]
468 	 * from the random number in pool.
469 	 */
470 	while (i < ran_len) {
471 		if (ran_out[i] != 0) {
472 			i++;
473 			continue;
474 		}
475 
476 		/*
477 		 * Note that it is 'while' so we are guaranteed a
478 		 * non-zero value on exit.
479 		 */
480 		if (ebc == 0) {
481 			/* refresh extrarand */
482 			extrarand_len = sizeof (extrarand);
483 			if ((rv = random_get_pseudo_bytes_fips140(extrarand,
484 			    extrarand_len)) != 0) {
485 				return (rv);
486 			}
487 
488 			ebc = extrarand_len;
489 		}
490 		/* Replace zero with byte from extrarand. */
491 		-- ebc;
492 
493 		/*
494 		 * The new random byte zero/non-zero will be checked in
495 		 * the next pass through the loop.
496 		 */
497 		ran_out[i] = extrarand[ebc];
498 	}
499 
500 	return (CRYPTO_SUCCESS);
501 }
502 
503 static int
504 compare_data(crypto_data_t *data, uchar_t *buf)
505 {
506 	int len;
507 	uchar_t *dptr;
508 
509 	len = data->cd_length;
510 	switch (data->cd_format) {
511 	case CRYPTO_DATA_RAW:
512 		dptr = (uchar_t *)(data->cd_raw.iov_base +
513 		    data->cd_offset);
514 
515 		return (bcmp(dptr, buf, len));
516 
517 	case CRYPTO_DATA_UIO:
518 		return (crypto_uio_data(data, buf, len,
519 		    COMPARE_TO_DATA, NULL, NULL));
520 
521 	case CRYPTO_DATA_MBLK:
522 		return (crypto_mblk_data(data, buf, len,
523 		    COMPARE_TO_DATA, NULL, NULL));
524 	}
525 
526 	return (CRYPTO_FAILED);
527 }
528 
529 /* ARGSUSED */
530 static int
531 rsa_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
532     crypto_key_t *key, crypto_spi_ctx_template_t template,
533     crypto_req_handle_t req)
534 {
535 	int rv;
536 	int kmflag;
537 	rsa_ctx_t *ctxp;
538 
539 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
540 		return (rv);
541 
542 	/*
543 	 * Allocate a RSA context.
544 	 */
545 	kmflag = crypto_kmflag(req);
546 	if ((ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag)) == NULL)
547 		return (CRYPTO_HOST_MEMORY);
548 
549 	if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size,
550 	    kmflag)) != CRYPTO_SUCCESS) {
551 		kmem_free(ctxp, sizeof (rsa_ctx_t));
552 		return (rv);
553 	}
554 	ctxp->mech_type = mechanism->cm_type;
555 
556 	ctx->cc_provider_private = ctxp;
557 
558 	return (CRYPTO_SUCCESS);
559 }
560 
561 /* ARGSUSED */
562 static int
563 rsa_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext,
564     crypto_data_t *ciphertext, crypto_req_handle_t req)
565 {
566 	int rv;
567 	rsa_ctx_t *ctxp;
568 
569 	ASSERT(ctx->cc_provider_private != NULL);
570 	ctxp = ctx->cc_provider_private;
571 
572 	RSA_ARG_INPLACE(plaintext, ciphertext);
573 
574 	/*
575 	 * Note on the KM_SLEEP flag passed to the routine below -
576 	 * rsa_encrypt() is a single-part encryption routine which is
577 	 * currently usable only by /dev/crypto. Since /dev/crypto calls are
578 	 * always synchronous, we can safely pass KM_SLEEP here.
579 	 */
580 	rv = rsa_encrypt_common(ctxp->mech_type, ctxp->key, plaintext,
581 	    ciphertext, KM_SLEEP);
582 
583 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
584 		(void) rsa_free_context(ctx);
585 
586 	return (rv);
587 }
588 
589 /* ARGSUSED */
590 static int
591 rsa_encrypt_atomic(crypto_provider_handle_t provider,
592     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
593     crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext,
594     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
595 {
596 	int rv;
597 
598 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
599 		return (rv);
600 	RSA_ARG_INPLACE(plaintext, ciphertext);
601 
602 	return (rsa_encrypt_common(mechanism->cm_type, key, plaintext,
603 	    ciphertext, crypto_kmflag(req)));
604 }
605 
606 static int
607 rsa_free_context(crypto_ctx_t *ctx)
608 {
609 	rsa_ctx_t *ctxp = ctx->cc_provider_private;
610 
611 	if (ctxp != NULL) {
612 		bzero(ctxp->key, ctxp->keychunk_size);
613 		kmem_free(ctxp->key, ctxp->keychunk_size);
614 
615 		if (ctxp->mech_type == RSA_PKCS_MECH_INFO_TYPE ||
616 		    ctxp->mech_type == RSA_X_509_MECH_INFO_TYPE)
617 			kmem_free(ctxp, sizeof (rsa_ctx_t));
618 		else
619 			kmem_free(ctxp, sizeof (digest_rsa_ctx_t));
620 
621 		ctx->cc_provider_private = NULL;
622 	}
623 
624 	return (CRYPTO_SUCCESS);
625 }
626 
627 static int
628 rsa_encrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
629     crypto_data_t *plaintext, crypto_data_t *ciphertext, int kmflag)
630 {
631 	int rv = CRYPTO_FAILED;
632 
633 /* EXPORT DELETE START */
634 
635 	int plen;
636 	uchar_t *ptptr;
637 	uchar_t *modulus;
638 	ssize_t modulus_len;
639 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
640 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
641 	uchar_t cipher_data[MAX_RSA_KEYLENGTH_IN_BYTES];
642 
643 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
644 	    &modulus_len)) != CRYPTO_SUCCESS) {
645 		return (rv);
646 	}
647 
648 	plen = plaintext->cd_length;
649 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
650 		if (plen > (modulus_len - MIN_PKCS1_PADLEN))
651 			return (CRYPTO_DATA_LEN_RANGE);
652 	} else {
653 		if (plen > modulus_len)
654 			return (CRYPTO_DATA_LEN_RANGE);
655 	}
656 
657 	/*
658 	 * Output buf len must not be less than RSA modulus size.
659 	 */
660 	if (ciphertext->cd_length < modulus_len) {
661 		ciphertext->cd_length = modulus_len;
662 		return (CRYPTO_BUFFER_TOO_SMALL);
663 	}
664 
665 	ASSERT(plaintext->cd_length <= sizeof (tmp_data));
666 	if ((rv = crypto_get_input_data(plaintext, &ptptr, tmp_data))
667 	    != CRYPTO_SUCCESS)
668 		return (rv);
669 
670 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
671 		rv = soft_encrypt_rsa_pkcs_encode(ptptr, plen,
672 		    plain_data, modulus_len);
673 
674 		if (rv != CRYPTO_SUCCESS)
675 			return (rv);
676 	} else {
677 		bzero(plain_data, modulus_len - plen);
678 		bcopy(ptptr, &plain_data[modulus_len - plen], plen);
679 	}
680 
681 	rv = core_rsa_encrypt(key, plain_data, modulus_len,
682 	    cipher_data, kmflag, 1);
683 	if (rv == CRYPTO_SUCCESS) {
684 		/* copy out to ciphertext */
685 		if ((rv = crypto_put_output_data(cipher_data,
686 		    ciphertext, modulus_len)) != CRYPTO_SUCCESS)
687 			return (rv);
688 
689 		ciphertext->cd_length = modulus_len;
690 	}
691 
692 /* EXPORT DELETE END */
693 
694 	return (rv);
695 }
696 
697 /* EXPORT DELETE START */
698 
699 static int
700 core_rsa_encrypt(crypto_key_t *key, uchar_t *in,
701     int in_len, uchar_t *out, int kmflag, int is_public)
702 {
703 	int rv;
704 	uchar_t *expo, *modulus;
705 	ssize_t	expo_len;
706 	ssize_t modulus_len;
707 	BIGNUM msg;
708 	RSAkey *rsakey;
709 
710 	if (is_public) {
711 		if ((rv = crypto_get_key_attr(key, SUN_CKA_PUBLIC_EXPONENT,
712 		    &expo, &expo_len)) != CRYPTO_SUCCESS)
713 			return (rv);
714 	} else {
715 		/*
716 		 * SUN_CKA_PRIVATE_EXPONENT is a required attribute for a
717 		 * RSA secret key. See the comments in core_rsa_decrypt
718 		 * routine which calls this routine with a private key.
719 		 */
720 		if ((rv = crypto_get_key_attr(key, SUN_CKA_PRIVATE_EXPONENT,
721 		    &expo, &expo_len)) != CRYPTO_SUCCESS)
722 			return (rv);
723 	}
724 
725 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
726 	    &modulus_len)) != CRYPTO_SUCCESS) {
727 		return (rv);
728 	}
729 
730 	rsakey = kmem_alloc(sizeof (RSAkey), kmflag);
731 	if (rsakey == NULL)
732 		return (CRYPTO_HOST_MEMORY);
733 
734 	/* psize and qsize for RSA_key_init is in bits. */
735 	if (RSA_key_init(rsakey, modulus_len * 4, modulus_len * 4) != BIG_OK) {
736 		rv = CRYPTO_HOST_MEMORY;
737 		goto clean1;
738 	}
739 
740 	/* Size for big_init is in BIG_CHUNK_TYPE words. */
741 	if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) {
742 		rv = CRYPTO_HOST_MEMORY;
743 		goto clean2;
744 	}
745 
746 	/* Convert octet string exponent to big integer format. */
747 	bytestring2bignum(&(rsakey->e), expo, expo_len);
748 
749 	/* Convert octet string modulus to big integer format. */
750 	bytestring2bignum(&(rsakey->n), modulus, modulus_len);
751 
752 	/* Convert octet string input data to big integer format. */
753 	bytestring2bignum(&msg, in, in_len);
754 
755 	if (big_cmp_abs(&msg, &(rsakey->n)) > 0) {
756 		rv = CRYPTO_DATA_LEN_RANGE;
757 		goto clean3;
758 	}
759 
760 	/* Perform RSA computation on big integer input data. */
761 	if (big_modexp(&msg, &msg, &(rsakey->e), &(rsakey->n), NULL)
762 	    != BIG_OK) {
763 		rv = CRYPTO_HOST_MEMORY;
764 		goto clean3;
765 	}
766 
767 	/* Convert the big integer output data to octet string. */
768 	bignum2bytestring(out, &msg, modulus_len);
769 
770 	/*
771 	 * Should not free modulus and expo as both are just pointers
772 	 * to an attribute value buffer from the caller.
773 	 */
774 clean3:
775 	big_finish(&msg);
776 clean2:
777 	RSA_key_finish(rsakey);
778 clean1:
779 	kmem_free(rsakey, sizeof (RSAkey));
780 
781 	return (rv);
782 }
783 
784 /* EXPORT DELETE END */
785 
786 /* ARGSUSED */
787 static int
788 rsa_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
789     crypto_data_t *plaintext, crypto_req_handle_t req)
790 {
791 	int rv;
792 	rsa_ctx_t *ctxp;
793 
794 	ASSERT(ctx->cc_provider_private != NULL);
795 	ctxp = ctx->cc_provider_private;
796 
797 	RSA_ARG_INPLACE(ciphertext, plaintext);
798 
799 	/* See the comments on KM_SLEEP flag in rsa_encrypt() */
800 	rv = rsa_decrypt_common(ctxp->mech_type, ctxp->key,
801 	    ciphertext, plaintext, KM_SLEEP);
802 
803 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
804 		(void) rsa_free_context(ctx);
805 
806 	return (rv);
807 }
808 
809 /* ARGSUSED */
810 static int
811 rsa_decrypt_atomic(crypto_provider_handle_t provider,
812     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
813     crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
814     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
815 {
816 	int rv;
817 
818 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
819 		return (rv);
820 	RSA_ARG_INPLACE(ciphertext, plaintext);
821 
822 	return (rsa_decrypt_common(mechanism->cm_type, key, ciphertext,
823 	    plaintext, crypto_kmflag(req)));
824 }
825 
826 static int
827 rsa_decrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
828     crypto_data_t *ciphertext, crypto_data_t *plaintext, int kmflag)
829 {
830 	int rv = CRYPTO_FAILED;
831 
832 /* EXPORT DELETE START */
833 
834 	int plain_len;
835 	uchar_t *ctptr;
836 	uchar_t *modulus;
837 	ssize_t modulus_len;
838 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
839 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
840 
841 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
842 	    &modulus_len)) != CRYPTO_SUCCESS) {
843 		return (rv);
844 	}
845 
846 	/*
847 	 * Ciphertext length must be equal to RSA modulus size.
848 	 */
849 	if (ciphertext->cd_length != modulus_len)
850 		return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
851 
852 	ASSERT(ciphertext->cd_length <= sizeof (tmp_data));
853 	if ((rv = crypto_get_input_data(ciphertext, &ctptr, tmp_data))
854 	    != CRYPTO_SUCCESS)
855 		return (rv);
856 
857 	rv = core_rsa_decrypt(key, ctptr, modulus_len, plain_data, kmflag);
858 	if (rv == CRYPTO_SUCCESS) {
859 		plain_len = modulus_len;
860 
861 		if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
862 			/* Strip off the PKCS block formatting data. */
863 			rv = soft_decrypt_rsa_pkcs_decode(plain_data,
864 			    &plain_len);
865 			if (rv != CRYPTO_SUCCESS)
866 				return (rv);
867 		}
868 
869 		if (plain_len > plaintext->cd_length) {
870 			plaintext->cd_length = plain_len;
871 			return (CRYPTO_BUFFER_TOO_SMALL);
872 		}
873 
874 		if ((rv = crypto_put_output_data(
875 		    plain_data + modulus_len - plain_len,
876 		    plaintext, plain_len)) != CRYPTO_SUCCESS)
877 			return (rv);
878 
879 		plaintext->cd_length = plain_len;
880 	}
881 
882 /* EXPORT DELETE END */
883 
884 	return (rv);
885 }
886 
887 /* EXPORT DELETE START */
888 
889 static int
890 core_rsa_decrypt(crypto_key_t *key, uchar_t *in, int in_len,
891     uchar_t *out, int kmflag)
892 {
893 	int rv;
894 	uchar_t *modulus, *prime1, *prime2, *expo1, *expo2, *coef;
895 	ssize_t modulus_len;
896 	ssize_t	prime1_len, prime2_len;
897 	ssize_t	expo1_len, expo2_len, coef_len;
898 	BIGNUM msg;
899 	RSAkey *rsakey;
900 
901 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
902 	    &modulus_len)) != CRYPTO_SUCCESS) {
903 		return (rv);
904 	}
905 
906 	/*
907 	 * The following attributes are not required to be
908 	 * present in a RSA secret key. If any of them is not present
909 	 * we call the encrypt routine with a flag indicating use of
910 	 * private exponent (d). Note that SUN_CKA_PRIVATE_EXPONENT is
911 	 * a required attribute for a RSA secret key.
912 	 */
913 	if ((crypto_get_key_attr(key, SUN_CKA_PRIME_1, &prime1, &prime1_len)
914 	    != CRYPTO_SUCCESS) ||
915 	    (crypto_get_key_attr(key, SUN_CKA_PRIME_2, &prime2, &prime2_len)
916 	    != CRYPTO_SUCCESS) ||
917 	    (crypto_get_key_attr(key, SUN_CKA_EXPONENT_1, &expo1, &expo1_len)
918 	    != CRYPTO_SUCCESS) ||
919 	    (crypto_get_key_attr(key, SUN_CKA_EXPONENT_2, &expo2, &expo2_len)
920 	    != CRYPTO_SUCCESS) ||
921 	    (crypto_get_key_attr(key, SUN_CKA_COEFFICIENT, &coef, &coef_len)
922 	    != CRYPTO_SUCCESS)) {
923 		return (core_rsa_encrypt(key, in, in_len, out, kmflag, 0));
924 	}
925 
926 	rsakey = kmem_alloc(sizeof (RSAkey), kmflag);
927 	if (rsakey == NULL)
928 		return (CRYPTO_HOST_MEMORY);
929 
930 	/* psize and qsize for RSA_key_init is in bits. */
931 	if (RSA_key_init(rsakey, CRYPTO_BYTES2BITS(prime2_len),
932 	    CRYPTO_BYTES2BITS(prime1_len)) != BIG_OK) {
933 		rv = CRYPTO_HOST_MEMORY;
934 		goto clean1;
935 	}
936 
937 	/* Size for big_init is in BIG_CHUNK_TYPE words. */
938 	if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) {
939 		rv = CRYPTO_HOST_MEMORY;
940 		goto clean2;
941 	}
942 
943 	/* Convert octet string input data to big integer format. */
944 	bytestring2bignum(&msg, in, in_len);
945 
946 	/* Convert octet string modulus to big integer format. */
947 	bytestring2bignum(&(rsakey->n), modulus, modulus_len);
948 
949 	if (big_cmp_abs(&msg, &(rsakey->n)) > 0) {
950 		rv = CRYPTO_DATA_LEN_RANGE;
951 		goto clean3;
952 	}
953 
954 	/* Convert the rest of private key attributes to big integer format. */
955 	bytestring2bignum(&(rsakey->dmodpminus1), expo2, expo2_len);
956 	bytestring2bignum(&(rsakey->dmodqminus1), expo1, expo1_len);
957 	bytestring2bignum(&(rsakey->p), prime2, prime2_len);
958 	bytestring2bignum(&(rsakey->q), prime1, prime1_len);
959 	bytestring2bignum(&(rsakey->pinvmodq), coef, coef_len);
960 
961 	if ((big_cmp_abs(&(rsakey->dmodpminus1), &(rsakey->p)) > 0) ||
962 	    (big_cmp_abs(&(rsakey->dmodqminus1), &(rsakey->q)) > 0) ||
963 	    (big_cmp_abs(&(rsakey->pinvmodq), &(rsakey->q)) > 0)) {
964 		rv = CRYPTO_KEY_SIZE_RANGE;
965 		goto clean3;
966 	}
967 
968 	/* Perform RSA computation on big integer input data. */
969 	if (big_modexp_crt(&msg, &msg, &(rsakey->dmodpminus1),
970 	    &(rsakey->dmodqminus1), &(rsakey->p), &(rsakey->q),
971 	    &(rsakey->pinvmodq), NULL, NULL) != BIG_OK) {
972 		rv = CRYPTO_HOST_MEMORY;
973 		goto clean3;
974 	}
975 
976 	/* Convert the big integer output data to octet string. */
977 	bignum2bytestring(out, &msg, modulus_len);
978 
979 	/*
980 	 * Should not free modulus and friends as they are just pointers
981 	 * to an attribute value buffer from the caller.
982 	 */
983 clean3:
984 	big_finish(&msg);
985 clean2:
986 	RSA_key_finish(rsakey);
987 clean1:
988 	kmem_free(rsakey, sizeof (RSAkey));
989 
990 	return (rv);
991 }
992 
993 /* EXPORT DELETE END */
994 
995 /* ARGSUSED */
996 static int
997 rsa_sign_verify_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
998     crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
999     crypto_req_handle_t req)
1000 {
1001 	int rv;
1002 	int kmflag;
1003 	rsa_ctx_t *ctxp;
1004 	digest_rsa_ctx_t *dctxp;
1005 
1006 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1007 		return (rv);
1008 
1009 	/*
1010 	 * Allocate a RSA context.
1011 	 */
1012 	kmflag = crypto_kmflag(req);
1013 	switch (mechanism->cm_type) {
1014 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1015 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1016 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1017 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1018 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1019 		dctxp = kmem_zalloc(sizeof (digest_rsa_ctx_t), kmflag);
1020 		ctxp = (rsa_ctx_t *)dctxp;
1021 		break;
1022 	default:
1023 		ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag);
1024 		break;
1025 	}
1026 
1027 	if (ctxp == NULL)
1028 		return (CRYPTO_HOST_MEMORY);
1029 
1030 	ctxp->mech_type = mechanism->cm_type;
1031 	if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size,
1032 	    kmflag)) != CRYPTO_SUCCESS) {
1033 		switch (mechanism->cm_type) {
1034 		case MD5_RSA_PKCS_MECH_INFO_TYPE:
1035 		case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1036 		case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1037 		case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1038 		case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1039 			kmem_free(dctxp, sizeof (digest_rsa_ctx_t));
1040 			break;
1041 		default:
1042 			kmem_free(ctxp, sizeof (rsa_ctx_t));
1043 			break;
1044 		}
1045 		return (rv);
1046 	}
1047 
1048 	switch (mechanism->cm_type) {
1049 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1050 		MD5Init(&(dctxp->md5_ctx));
1051 		break;
1052 
1053 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1054 		SHA1Init(&(dctxp->sha1_ctx));
1055 		break;
1056 
1057 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1058 		SHA2Init(SHA256, &(dctxp->sha2_ctx));
1059 		break;
1060 
1061 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1062 		SHA2Init(SHA384, &(dctxp->sha2_ctx));
1063 		break;
1064 
1065 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1066 		SHA2Init(SHA512, &(dctxp->sha2_ctx));
1067 		break;
1068 	}
1069 
1070 	ctx->cc_provider_private = ctxp;
1071 
1072 	return (CRYPTO_SUCCESS);
1073 }
1074 
1075 #define	SHA1_DIGEST_SIZE 20
1076 #define	MD5_DIGEST_SIZE 16
1077 
1078 #define	INIT_RAW_CRYPTO_DATA(data, base, len, cd_len)	\
1079 	(data).cd_format = CRYPTO_DATA_RAW;		\
1080 	(data).cd_offset = 0;				\
1081 	(data).cd_raw.iov_base = (char *)base;		\
1082 	(data).cd_raw.iov_len = len;			\
1083 	(data).cd_length = cd_len;
1084 
1085 static int
1086 rsa_digest_svrfy_common(digest_rsa_ctx_t *ctxp, crypto_data_t *data,
1087     crypto_data_t *signature, int kmflag, uchar_t flag)
1088 {
1089 	int rv = CRYPTO_FAILED;
1090 
1091 /* EXPORT DELETE START */
1092 
1093 	uchar_t digest[SHA512_DIGEST_LENGTH];
1094 	/* The der_data size is enough for MD5 also */
1095 	uchar_t der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len];
1096 	ulong_t der_data_len;
1097 	crypto_data_t der_cd;
1098 	rsa_mech_type_t mech_type;
1099 
1100 	ASSERT(flag & CRYPTO_DO_SIGN || flag & CRYPTO_DO_VERIFY);
1101 	ASSERT(data != NULL || (flag & CRYPTO_DO_FINAL));
1102 
1103 	mech_type = ctxp->mech_type;
1104 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE ||
1105 	    mech_type == RSA_X_509_MECH_INFO_TYPE)
1106 		return (CRYPTO_MECHANISM_INVALID);
1107 
1108 	/*
1109 	 * We need to do the BUFFER_TOO_SMALL check before digesting
1110 	 * the data. No check is needed for verify as signature is not
1111 	 * an output argument for verify.
1112 	 */
1113 	if (flag & CRYPTO_DO_SIGN) {
1114 		uchar_t *modulus;
1115 		ssize_t modulus_len;
1116 
1117 		if ((rv = crypto_get_key_attr(ctxp->key, SUN_CKA_MODULUS,
1118 		    &modulus, &modulus_len)) != CRYPTO_SUCCESS) {
1119 			return (rv);
1120 		}
1121 
1122 		if (signature->cd_length < modulus_len) {
1123 			signature->cd_length = modulus_len;
1124 			return (CRYPTO_BUFFER_TOO_SMALL);
1125 		}
1126 	}
1127 
1128 	if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE)
1129 		rv = crypto_digest_data(data, &(ctxp->md5_ctx),
1130 		    digest, MD5Update, MD5Final, flag | CRYPTO_DO_MD5);
1131 
1132 	else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE)
1133 		rv = crypto_digest_data(data, &(ctxp->sha1_ctx),
1134 		    digest, SHA1Update, SHA1Final,  flag | CRYPTO_DO_SHA1);
1135 
1136 	else
1137 		rv = crypto_digest_data(data, &(ctxp->sha2_ctx),
1138 		    digest, SHA2Update, SHA2Final, flag | CRYPTO_DO_SHA2);
1139 
1140 	if (rv != CRYPTO_SUCCESS)
1141 		return (rv);
1142 
1143 
1144 	/*
1145 	 * Prepare the DER encoding of the DigestInfo value as follows:
1146 	 * MD5:		MD5_DER_PREFIX || H
1147 	 * SHA-1:	SHA1_DER_PREFIX || H
1148 	 *
1149 	 * See rsa_impl.c for more details.
1150 	 */
1151 	switch (mech_type) {
1152 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1153 		bcopy(MD5_DER_PREFIX, der_data, MD5_DER_PREFIX_Len);
1154 		bcopy(digest, der_data + MD5_DER_PREFIX_Len, MD5_DIGEST_SIZE);
1155 		der_data_len = MD5_DER_PREFIX_Len + MD5_DIGEST_SIZE;
1156 		break;
1157 
1158 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1159 		bcopy(SHA1_DER_PREFIX, der_data, SHA1_DER_PREFIX_Len);
1160 		bcopy(digest, der_data + SHA1_DER_PREFIX_Len,
1161 		    SHA1_DIGEST_SIZE);
1162 		der_data_len = SHA1_DER_PREFIX_Len + SHA1_DIGEST_SIZE;
1163 		break;
1164 
1165 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1166 		bcopy(SHA256_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1167 		bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1168 		    SHA256_DIGEST_LENGTH);
1169 		der_data_len = SHA2_DER_PREFIX_Len + SHA256_DIGEST_LENGTH;
1170 		break;
1171 
1172 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1173 		bcopy(SHA384_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1174 		bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1175 		    SHA384_DIGEST_LENGTH);
1176 		der_data_len = SHA2_DER_PREFIX_Len + SHA384_DIGEST_LENGTH;
1177 		break;
1178 
1179 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1180 		bcopy(SHA512_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1181 		bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1182 		    SHA512_DIGEST_LENGTH);
1183 		der_data_len = SHA2_DER_PREFIX_Len + SHA512_DIGEST_LENGTH;
1184 		break;
1185 	}
1186 
1187 	INIT_RAW_CRYPTO_DATA(der_cd, der_data, der_data_len, der_data_len);
1188 	/*
1189 	 * Now, we are ready to sign or verify the DER_ENCODED data.
1190 	 */
1191 	if (flag & CRYPTO_DO_SIGN)
1192 		rv = rsa_sign_common(mech_type, ctxp->key, &der_cd,
1193 		    signature, kmflag);
1194 	else
1195 		rv = rsa_verify_common(mech_type, ctxp->key, &der_cd,
1196 		    signature, kmflag);
1197 
1198 /* EXPORT DELETE END */
1199 
1200 	return (rv);
1201 }
1202 
1203 static int
1204 rsa_sign_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1205     crypto_data_t *data, crypto_data_t *signature, int kmflag)
1206 {
1207 	int rv = CRYPTO_FAILED;
1208 
1209 /* EXPORT DELETE START */
1210 
1211 	int dlen;
1212 	uchar_t *dataptr, *modulus;
1213 	ssize_t modulus_len;
1214 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1215 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1216 	uchar_t signed_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1217 
1218 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1219 	    &modulus_len)) != CRYPTO_SUCCESS) {
1220 		return (rv);
1221 	}
1222 
1223 	dlen = data->cd_length;
1224 	switch (mech_type) {
1225 	case RSA_PKCS_MECH_INFO_TYPE:
1226 		if (dlen > (modulus_len - MIN_PKCS1_PADLEN))
1227 			return (CRYPTO_DATA_LEN_RANGE);
1228 		break;
1229 	case RSA_X_509_MECH_INFO_TYPE:
1230 		if (dlen > modulus_len)
1231 			return (CRYPTO_DATA_LEN_RANGE);
1232 		break;
1233 	}
1234 
1235 	if (signature->cd_length < modulus_len) {
1236 		signature->cd_length = modulus_len;
1237 		return (CRYPTO_BUFFER_TOO_SMALL);
1238 	}
1239 
1240 	ASSERT(data->cd_length <= sizeof (tmp_data));
1241 	if ((rv = crypto_get_input_data(data, &dataptr, tmp_data))
1242 	    != CRYPTO_SUCCESS)
1243 		return (rv);
1244 
1245 	switch (mech_type) {
1246 	case RSA_PKCS_MECH_INFO_TYPE:
1247 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1248 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1249 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1250 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1251 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1252 		/*
1253 		 * Add PKCS padding to the input data to format a block
1254 		 * type "01" encryption block.
1255 		 */
1256 		rv = soft_sign_rsa_pkcs_encode(dataptr, dlen, plain_data,
1257 		    modulus_len);
1258 		if (rv != CRYPTO_SUCCESS)
1259 			return (rv);
1260 
1261 		break;
1262 
1263 	case RSA_X_509_MECH_INFO_TYPE:
1264 		bzero(plain_data, modulus_len - dlen);
1265 		bcopy(dataptr, &plain_data[modulus_len - dlen], dlen);
1266 		break;
1267 	}
1268 
1269 	rv = core_rsa_decrypt(key, plain_data, modulus_len, signed_data,
1270 	    kmflag);
1271 	if (rv == CRYPTO_SUCCESS) {
1272 		/* copy out to signature */
1273 		if ((rv = crypto_put_output_data(signed_data,
1274 		    signature, modulus_len)) != CRYPTO_SUCCESS)
1275 			return (rv);
1276 
1277 		signature->cd_length = modulus_len;
1278 	}
1279 
1280 /* EXPORT DELETE END */
1281 
1282 	return (rv);
1283 }
1284 
1285 /* ARGSUSED */
1286 static int
1287 rsa_sign(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature,
1288     crypto_req_handle_t req)
1289 {
1290 	int rv;
1291 	rsa_ctx_t *ctxp;
1292 
1293 	ASSERT(ctx->cc_provider_private != NULL);
1294 	ctxp = ctx->cc_provider_private;
1295 
1296 	/* See the comments on KM_SLEEP flag in rsa_encrypt() */
1297 	switch (ctxp->mech_type) {
1298 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1299 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1300 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1301 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1302 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1303 		rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data,
1304 		    signature, KM_SLEEP, CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE |
1305 		    CRYPTO_DO_FINAL);
1306 		break;
1307 	default:
1308 		rv = rsa_sign_common(ctxp->mech_type, ctxp->key, data,
1309 		    signature, KM_SLEEP);
1310 		break;
1311 	}
1312 
1313 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1314 		(void) rsa_free_context(ctx);
1315 
1316 	return (rv);
1317 }
1318 
1319 /* ARGSUSED */
1320 static int
1321 rsa_sign_update(crypto_ctx_t *ctx, crypto_data_t *data, crypto_req_handle_t req)
1322 {
1323 	int rv;
1324 	digest_rsa_ctx_t *ctxp;
1325 	rsa_mech_type_t mech_type;
1326 
1327 	ASSERT(ctx->cc_provider_private != NULL);
1328 	ctxp = ctx->cc_provider_private;
1329 	mech_type = ctxp->mech_type;
1330 
1331 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE ||
1332 	    mech_type == RSA_X_509_MECH_INFO_TYPE)
1333 		return (CRYPTO_MECHANISM_INVALID);
1334 
1335 	if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE)
1336 		rv = crypto_digest_data(data, &(ctxp->md5_ctx),
1337 		    NULL, MD5Update, MD5Final,
1338 		    CRYPTO_DO_MD5 | CRYPTO_DO_UPDATE);
1339 
1340 	else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE)
1341 		rv = crypto_digest_data(data, &(ctxp->sha1_ctx),
1342 		    NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 |
1343 		    CRYPTO_DO_UPDATE);
1344 
1345 	else
1346 		rv = crypto_digest_data(data, &(ctxp->sha2_ctx),
1347 		    NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 |
1348 		    CRYPTO_DO_UPDATE);
1349 
1350 	return (rv);
1351 }
1352 
1353 static int
1354 rsa_sign_final(crypto_ctx_t *ctx, crypto_data_t *signature,
1355     crypto_req_handle_t req)
1356 {
1357 	int rv;
1358 	digest_rsa_ctx_t *ctxp;
1359 
1360 	ASSERT(ctx->cc_provider_private != NULL);
1361 	ctxp = ctx->cc_provider_private;
1362 
1363 	rv = rsa_digest_svrfy_common(ctxp, NULL, signature,
1364 	    crypto_kmflag(req), CRYPTO_DO_SIGN | CRYPTO_DO_FINAL);
1365 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1366 		(void) rsa_free_context(ctx);
1367 
1368 	return (rv);
1369 }
1370 
1371 /* ARGSUSED */
1372 static int
1373 rsa_sign_atomic(crypto_provider_handle_t provider,
1374     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1375     crypto_key_t *key, crypto_data_t *data, crypto_data_t *signature,
1376     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1377 {
1378 	int rv;
1379 	digest_rsa_ctx_t dctx;
1380 
1381 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1382 		return (rv);
1383 
1384 	if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE ||
1385 	    mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE)
1386 		rv = rsa_sign_common(mechanism->cm_type, key, data,
1387 		    signature, crypto_kmflag(req));
1388 
1389 	else {
1390 		dctx.mech_type = mechanism->cm_type;
1391 		dctx.key = key;
1392 		switch (mechanism->cm_type) {
1393 		case MD5_RSA_PKCS_MECH_INFO_TYPE:
1394 			MD5Init(&(dctx.md5_ctx));
1395 			break;
1396 
1397 		case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1398 			SHA1Init(&(dctx.sha1_ctx));
1399 			break;
1400 
1401 		case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1402 			SHA2Init(SHA256, &(dctx.sha2_ctx));
1403 			break;
1404 
1405 		case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1406 			SHA2Init(SHA384, &(dctx.sha2_ctx));
1407 			break;
1408 
1409 		case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1410 			SHA2Init(SHA512, &(dctx.sha2_ctx));
1411 			break;
1412 		}
1413 
1414 		rv = rsa_digest_svrfy_common(&dctx, data, signature,
1415 		    crypto_kmflag(req), CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE |
1416 		    CRYPTO_DO_FINAL);
1417 	}
1418 
1419 	return (rv);
1420 }
1421 
1422 static int
1423 rsa_verify_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1424     crypto_data_t *data, crypto_data_t *signature, int kmflag)
1425 {
1426 	int rv = CRYPTO_FAILED;
1427 
1428 /* EXPORT DELETE START */
1429 
1430 	uchar_t *sigptr, *modulus;
1431 	ssize_t modulus_len;
1432 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1433 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1434 
1435 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1436 	    &modulus_len)) != CRYPTO_SUCCESS) {
1437 		return (rv);
1438 	}
1439 
1440 	if (signature->cd_length != modulus_len)
1441 		return (CRYPTO_SIGNATURE_LEN_RANGE);
1442 
1443 	ASSERT(signature->cd_length <= sizeof (tmp_data));
1444 	if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data))
1445 	    != CRYPTO_SUCCESS)
1446 		return (rv);
1447 
1448 	rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, kmflag, 1);
1449 	if (rv != CRYPTO_SUCCESS)
1450 		return (rv);
1451 
1452 	if (mech_type == RSA_X_509_MECH_INFO_TYPE) {
1453 		if (compare_data(data, (plain_data + modulus_len
1454 		    - data->cd_length)) != 0)
1455 			rv = CRYPTO_SIGNATURE_INVALID;
1456 
1457 	} else {
1458 		int data_len = modulus_len;
1459 
1460 		/*
1461 		 * Strip off the encoded padding bytes in front of the
1462 		 * recovered data, then compare the recovered data with
1463 		 * the original data.
1464 		 */
1465 		rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len);
1466 		if (rv != CRYPTO_SUCCESS)
1467 			return (rv);
1468 
1469 		if (data_len != data->cd_length)
1470 			return (CRYPTO_SIGNATURE_LEN_RANGE);
1471 
1472 		if (compare_data(data, (plain_data + modulus_len
1473 		    - data_len)) != 0)
1474 			rv = CRYPTO_SIGNATURE_INVALID;
1475 	}
1476 
1477 /* EXPORT DELETE END */
1478 
1479 	return (rv);
1480 }
1481 
1482 /* ARGSUSED */
1483 static int
1484 rsa_verify(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature,
1485     crypto_req_handle_t req)
1486 {
1487 	int rv;
1488 	rsa_ctx_t *ctxp;
1489 
1490 	ASSERT(ctx->cc_provider_private != NULL);
1491 	ctxp = ctx->cc_provider_private;
1492 
1493 	/* See the comments on KM_SLEEP flag in rsa_encrypt() */
1494 	switch (ctxp->mech_type) {
1495 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1496 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1497 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1498 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1499 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1500 		rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data,
1501 		    signature, KM_SLEEP, CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE |
1502 		    CRYPTO_DO_FINAL);
1503 		break;
1504 	default:
1505 		rv = rsa_verify_common(ctxp->mech_type, ctxp->key, data,
1506 		    signature, KM_SLEEP);
1507 		break;
1508 	}
1509 
1510 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1511 		(void) rsa_free_context(ctx);
1512 
1513 	return (rv);
1514 }
1515 
1516 /* ARGSUSED */
1517 static int
1518 rsa_verify_update(crypto_ctx_t *ctx, crypto_data_t *data,
1519     crypto_req_handle_t req)
1520 {
1521 	int rv;
1522 	digest_rsa_ctx_t *ctxp;
1523 
1524 	ASSERT(ctx->cc_provider_private != NULL);
1525 	ctxp = ctx->cc_provider_private;
1526 
1527 	switch (ctxp->mech_type) {
1528 
1529 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1530 		rv = crypto_digest_data(data, &(ctxp->md5_ctx),
1531 		    NULL, MD5Update, MD5Final, CRYPTO_DO_MD5 |
1532 		    CRYPTO_DO_UPDATE);
1533 		break;
1534 
1535 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1536 		rv = crypto_digest_data(data, &(ctxp->sha1_ctx),
1537 		    NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 |
1538 		    CRYPTO_DO_UPDATE);
1539 		break;
1540 
1541 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1542 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1543 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1544 		rv = crypto_digest_data(data, &(ctxp->sha2_ctx),
1545 		    NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 |
1546 		    CRYPTO_DO_UPDATE);
1547 		break;
1548 
1549 	default:
1550 		return (CRYPTO_MECHANISM_INVALID);
1551 	}
1552 
1553 	return (rv);
1554 }
1555 
1556 static int
1557 rsa_verify_final(crypto_ctx_t *ctx, crypto_data_t *signature,
1558     crypto_req_handle_t req)
1559 {
1560 	int rv;
1561 	digest_rsa_ctx_t *ctxp;
1562 
1563 	ASSERT(ctx->cc_provider_private != NULL);
1564 	ctxp = ctx->cc_provider_private;
1565 
1566 	rv = rsa_digest_svrfy_common(ctxp, NULL, signature,
1567 	    crypto_kmflag(req), CRYPTO_DO_VERIFY | CRYPTO_DO_FINAL);
1568 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1569 		(void) rsa_free_context(ctx);
1570 
1571 	return (rv);
1572 }
1573 
1574 
1575 /* ARGSUSED */
1576 static int
1577 rsa_verify_atomic(crypto_provider_handle_t provider,
1578     crypto_session_id_t session_id,
1579     crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data,
1580     crypto_data_t *signature, crypto_spi_ctx_template_t ctx_template,
1581     crypto_req_handle_t req)
1582 {
1583 	int rv;
1584 	digest_rsa_ctx_t dctx;
1585 
1586 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1587 		return (rv);
1588 
1589 	if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE ||
1590 	    mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE)
1591 		rv = rsa_verify_common(mechanism->cm_type, key, data,
1592 		    signature, crypto_kmflag(req));
1593 
1594 	else {
1595 		dctx.mech_type = mechanism->cm_type;
1596 		dctx.key = key;
1597 
1598 		switch (mechanism->cm_type) {
1599 		case MD5_RSA_PKCS_MECH_INFO_TYPE:
1600 			MD5Init(&(dctx.md5_ctx));
1601 			break;
1602 
1603 		case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1604 			SHA1Init(&(dctx.sha1_ctx));
1605 			break;
1606 
1607 		case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1608 			SHA2Init(SHA256, &(dctx.sha2_ctx));
1609 			break;
1610 
1611 		case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1612 			SHA2Init(SHA384, &(dctx.sha2_ctx));
1613 			break;
1614 
1615 		case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1616 			SHA2Init(SHA512, &(dctx.sha2_ctx));
1617 			break;
1618 		}
1619 
1620 		rv = rsa_digest_svrfy_common(&dctx, data,
1621 		    signature, crypto_kmflag(req),
1622 		    CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL);
1623 	}
1624 
1625 	return (rv);
1626 }
1627 
1628 static int
1629 rsa_verify_recover_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1630     crypto_data_t *signature, crypto_data_t *data, int kmflag)
1631 {
1632 	int rv = CRYPTO_FAILED;
1633 
1634 /* EXPORT DELETE START */
1635 
1636 	int data_len;
1637 	uchar_t *sigptr, *modulus;
1638 	ssize_t modulus_len;
1639 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1640 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1641 
1642 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1643 	    &modulus_len)) != CRYPTO_SUCCESS) {
1644 		return (rv);
1645 	}
1646 
1647 	if (signature->cd_length != modulus_len)
1648 		return (CRYPTO_SIGNATURE_LEN_RANGE);
1649 
1650 	ASSERT(signature->cd_length <= sizeof (tmp_data));
1651 	if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data))
1652 	    != CRYPTO_SUCCESS)
1653 		return (rv);
1654 
1655 	rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, kmflag, 1);
1656 	if (rv != CRYPTO_SUCCESS)
1657 		return (rv);
1658 
1659 	data_len = modulus_len;
1660 
1661 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
1662 		/*
1663 		 * Strip off the encoded padding bytes in front of the
1664 		 * recovered data, then compare the recovered data with
1665 		 * the original data.
1666 		 */
1667 		rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len);
1668 		if (rv != CRYPTO_SUCCESS)
1669 			return (rv);
1670 	}
1671 
1672 	if (data->cd_length < data_len) {
1673 		data->cd_length = data_len;
1674 		return (CRYPTO_BUFFER_TOO_SMALL);
1675 	}
1676 
1677 	if ((rv = crypto_put_output_data(plain_data + modulus_len - data_len,
1678 	    data, data_len)) != CRYPTO_SUCCESS)
1679 		return (rv);
1680 	data->cd_length = data_len;
1681 
1682 /* EXPORT DELETE END */
1683 
1684 	return (rv);
1685 }
1686 
1687 /* ARGSUSED */
1688 static int
1689 rsa_verify_recover(crypto_ctx_t *ctx, crypto_data_t *signature,
1690     crypto_data_t *data, crypto_req_handle_t req)
1691 {
1692 	int rv;
1693 	rsa_ctx_t *ctxp;
1694 
1695 	ASSERT(ctx->cc_provider_private != NULL);
1696 	ctxp = ctx->cc_provider_private;
1697 
1698 	/* See the comments on KM_SLEEP flag in rsa_encrypt() */
1699 	rv = rsa_verify_recover_common(ctxp->mech_type, ctxp->key,
1700 	    signature, data, KM_SLEEP);
1701 
1702 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1703 		(void) rsa_free_context(ctx);
1704 
1705 	return (rv);
1706 }
1707 
1708 /* ARGSUSED */
1709 static int
1710 rsa_verify_recover_atomic(crypto_provider_handle_t provider,
1711     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1712     crypto_key_t *key, crypto_data_t *signature, crypto_data_t *data,
1713     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1714 {
1715 	int rv;
1716 
1717 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1718 		return (rv);
1719 
1720 	return (rsa_verify_recover_common(mechanism->cm_type, key,
1721 	    signature, data, crypto_kmflag(req)));
1722 }
1723 
1724 /*
1725  * RSA Power-Up Self-Test
1726  */
1727 void
1728 rsa_POST(int *rc)
1729 {
1730 
1731 	*rc = fips_rsa_post();
1732 
1733 }
1734