xref: /titanic_51/usr/src/uts/common/crypto/io/rsa.c (revision ff17c8bf86c3e567734be83f90267edee20f580f)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 /*
29  * RSA provider for the Kernel Cryptographic Framework (KCF)
30  */
31 
32 #include <sys/types.h>
33 #include <sys/systm.h>
34 #include <sys/modctl.h>
35 #include <sys/cmn_err.h>
36 #include <sys/ddi.h>
37 #include <sys/crypto/spi.h>
38 #include <sys/sysmacros.h>
39 #include <sys/strsun.h>
40 #include <sys/md5.h>
41 #include <sys/sha1.h>
42 #include <sys/sha2.h>
43 #include <sys/random.h>
44 #include "rsa_impl.h"
45 
46 extern struct mod_ops mod_cryptoops;
47 
48 /*
49  * Module linkage information for the kernel.
50  */
51 static struct modlcrypto modlcrypto = {
52 	&mod_cryptoops,
53 	"RSA Kernel SW Provider"
54 };
55 
56 static struct modlinkage modlinkage = {
57 	MODREV_1,
58 	(void *)&modlcrypto,
59 	NULL
60 };
61 
62 /*
63  * CSPI information (entry points, provider info, etc.)
64  */
65 typedef enum rsa_mech_type {
66 	RSA_PKCS_MECH_INFO_TYPE,	/* SUN_CKM_RSA_PKCS */
67 	RSA_X_509_MECH_INFO_TYPE,	/* SUN_CKM_RSA_X_509 */
68 	MD5_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_MD5_RSA_PKCS */
69 	SHA1_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_SHA1_RSA_PKCS */
70 	SHA256_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_SHA256_RSA_PKCS */
71 	SHA384_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_SHA384_RSA_PKCS */
72 	SHA512_RSA_PKCS_MECH_INFO_TYPE	/* SUN_SHA512_RSA_PKCS */
73 } rsa_mech_type_t;
74 
75 /*
76  * Context for RSA_PKCS and RSA_X_509 mechanisms.
77  */
78 typedef struct rsa_ctx {
79 	rsa_mech_type_t	mech_type;
80 	crypto_key_t *key;
81 	size_t keychunk_size;
82 } rsa_ctx_t;
83 
84 /*
85  * Context for MD5_RSA_PKCS and SHA*_RSA_PKCS mechanisms.
86  */
87 typedef struct digest_rsa_ctx {
88 	rsa_mech_type_t	mech_type;
89 	crypto_key_t *key;
90 	size_t keychunk_size;
91 	union {
92 		MD5_CTX md5ctx;
93 		SHA1_CTX sha1ctx;
94 		SHA2_CTX sha2ctx;
95 	} dctx_u;
96 } digest_rsa_ctx_t;
97 
98 #define	md5_ctx		dctx_u.md5ctx
99 #define	sha1_ctx	dctx_u.sha1ctx
100 #define	sha2_ctx	dctx_u.sha2ctx
101 
102 /*
103  * Mechanism info structure passed to KCF during registration.
104  */
105 static crypto_mech_info_t rsa_mech_info_tab[] = {
106 	/* RSA_PKCS */
107 	{SUN_CKM_RSA_PKCS, RSA_PKCS_MECH_INFO_TYPE,
108 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
109 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
110 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
111 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC |
112 	    CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC |
113 	    CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC,
114 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
115 
116 	/* RSA_X_509 */
117 	{SUN_CKM_RSA_X_509, RSA_X_509_MECH_INFO_TYPE,
118 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
119 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
120 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
121 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC |
122 	    CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC |
123 	    CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC,
124 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
125 
126 	/* MD5_RSA_PKCS */
127 	{SUN_CKM_MD5_RSA_PKCS, MD5_RSA_PKCS_MECH_INFO_TYPE,
128 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
129 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
130 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
131 
132 	/* SHA1_RSA_PKCS */
133 	{SUN_CKM_SHA1_RSA_PKCS, SHA1_RSA_PKCS_MECH_INFO_TYPE,
134 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
135 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
136 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
137 
138 	/* SHA256_RSA_PKCS */
139 	{SUN_CKM_SHA256_RSA_PKCS, SHA256_RSA_PKCS_MECH_INFO_TYPE,
140 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
141 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
142 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
143 
144 	/* SHA384_RSA_PKCS */
145 	{SUN_CKM_SHA384_RSA_PKCS, SHA384_RSA_PKCS_MECH_INFO_TYPE,
146 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
147 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
148 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
149 
150 	/* SHA512_RSA_PKCS */
151 	{SUN_CKM_SHA512_RSA_PKCS, SHA512_RSA_PKCS_MECH_INFO_TYPE,
152 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
153 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
154 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}
155 
156 };
157 
158 #define	RSA_VALID_MECH(mech)					\
159 	(((mech)->cm_type == RSA_PKCS_MECH_INFO_TYPE ||		\
160 	(mech)->cm_type == RSA_X_509_MECH_INFO_TYPE ||		\
161 	(mech)->cm_type == MD5_RSA_PKCS_MECH_INFO_TYPE ||	\
162 	(mech)->cm_type == SHA1_RSA_PKCS_MECH_INFO_TYPE ||	\
163 	(mech)->cm_type == SHA256_RSA_PKCS_MECH_INFO_TYPE ||	\
164 	(mech)->cm_type == SHA384_RSA_PKCS_MECH_INFO_TYPE ||	\
165 	(mech)->cm_type == SHA512_RSA_PKCS_MECH_INFO_TYPE) ? 1 : 0)
166 
167 /* operations are in-place if the output buffer is NULL */
168 #define	RSA_ARG_INPLACE(input, output)				\
169 	if ((output) == NULL)					\
170 		(output) = (input);
171 
172 static void rsa_provider_status(crypto_provider_handle_t, uint_t *);
173 
174 static crypto_control_ops_t rsa_control_ops = {
175 	rsa_provider_status
176 };
177 
178 static int rsa_common_init(crypto_ctx_t *, crypto_mechanism_t *,
179     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
180 static int rsa_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
181     crypto_req_handle_t);
182 static int rsa_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
183     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
184     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
185 static int rsa_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
186     crypto_req_handle_t);
187 static int rsa_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
188     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
189     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
190 
191 /*
192  * The RSA mechanisms do not have multiple-part cipher operations.
193  * So, the update and final routines are set to NULL.
194  */
195 static crypto_cipher_ops_t rsa_cipher_ops = {
196 	rsa_common_init,
197 	rsa_encrypt,
198 	NULL,
199 	NULL,
200 	rsa_encrypt_atomic,
201 	rsa_common_init,
202 	rsa_decrypt,
203 	NULL,
204 	NULL,
205 	rsa_decrypt_atomic
206 };
207 
208 static int rsa_sign_verify_common_init(crypto_ctx_t *, crypto_mechanism_t *,
209     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
210 static int rsa_sign(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
211     crypto_req_handle_t);
212 static int rsa_sign_update(crypto_ctx_t *, crypto_data_t *,
213     crypto_req_handle_t);
214 static int rsa_sign_final(crypto_ctx_t *, crypto_data_t *,
215     crypto_req_handle_t);
216 static int rsa_sign_atomic(crypto_provider_handle_t, crypto_session_id_t,
217     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
218     crypto_spi_ctx_template_t, crypto_req_handle_t);
219 
220 /*
221  * We use the same routine for sign_init and sign_recover_init fields
222  * as they do the same thing. Same holds for sign and sign_recover fields,
223  * and sign_atomic and sign_recover_atomic fields.
224  */
225 static crypto_sign_ops_t rsa_sign_ops = {
226 	rsa_sign_verify_common_init,
227 	rsa_sign,
228 	rsa_sign_update,
229 	rsa_sign_final,
230 	rsa_sign_atomic,
231 	rsa_sign_verify_common_init,
232 	rsa_sign,
233 	rsa_sign_atomic
234 };
235 
236 static int rsa_verify(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
237     crypto_req_handle_t);
238 static int rsa_verify_update(crypto_ctx_t *, crypto_data_t *,
239     crypto_req_handle_t);
240 static int rsa_verify_final(crypto_ctx_t *, crypto_data_t *,
241     crypto_req_handle_t);
242 static int rsa_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
243     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
244     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
245 static int rsa_verify_recover(crypto_ctx_t *, crypto_data_t *,
246     crypto_data_t *, crypto_req_handle_t);
247 static int rsa_verify_recover_atomic(crypto_provider_handle_t,
248     crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
249     crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
250     crypto_req_handle_t);
251 
252 /*
253  * We use the same routine (rsa_sign_verify_common_init) for verify_init
254  * and verify_recover_init fields as they do the same thing.
255  */
256 static crypto_verify_ops_t rsa_verify_ops = {
257 	rsa_sign_verify_common_init,
258 	rsa_verify,
259 	rsa_verify_update,
260 	rsa_verify_final,
261 	rsa_verify_atomic,
262 	rsa_sign_verify_common_init,
263 	rsa_verify_recover,
264 	rsa_verify_recover_atomic
265 };
266 
267 static int rsa_free_context(crypto_ctx_t *);
268 
269 static crypto_ctx_ops_t rsa_ctx_ops = {
270 	NULL,
271 	rsa_free_context
272 };
273 
274 static crypto_ops_t rsa_crypto_ops = {
275 	&rsa_control_ops,
276 	NULL,
277 	&rsa_cipher_ops,
278 	NULL,
279 	&rsa_sign_ops,
280 	&rsa_verify_ops,
281 	NULL,
282 	NULL,
283 	NULL,
284 	NULL,
285 	NULL,
286 	NULL,
287 	NULL,
288 	&rsa_ctx_ops
289 };
290 
291 static crypto_provider_info_t rsa_prov_info = {
292 	CRYPTO_SPI_VERSION_1,
293 	"RSA Software Provider",
294 	CRYPTO_SW_PROVIDER,
295 	{&modlinkage},
296 	NULL,
297 	&rsa_crypto_ops,
298 	sizeof (rsa_mech_info_tab)/sizeof (crypto_mech_info_t),
299 	rsa_mech_info_tab
300 };
301 
302 static int rsa_encrypt_common(rsa_mech_type_t, crypto_key_t *,
303     crypto_data_t *, crypto_data_t *, int);
304 static int rsa_decrypt_common(rsa_mech_type_t, crypto_key_t *,
305     crypto_data_t *, crypto_data_t *, int);
306 static int rsa_sign_common(rsa_mech_type_t, crypto_key_t *,
307     crypto_data_t *, crypto_data_t *, int);
308 static int rsa_verify_common(rsa_mech_type_t, crypto_key_t *,
309     crypto_data_t *, crypto_data_t *, int);
310 static int compare_data(crypto_data_t *, uchar_t *);
311 
312 /* EXPORT DELETE START */
313 
314 static int core_rsa_encrypt(crypto_key_t *, uchar_t *,
315     int, uchar_t *, int, int);
316 static int core_rsa_decrypt(crypto_key_t *, uchar_t *, int,
317     uchar_t *, int);
318 
319 /* EXPORT DELETE END */
320 
321 static crypto_kcf_provider_handle_t rsa_prov_handle = NULL;
322 
323 int
324 _init(void)
325 {
326 	int ret;
327 
328 	/*
329 	 * Register with KCF. If the registration fails, return error.
330 	 */
331 	if ((ret = crypto_register_provider(&rsa_prov_info,
332 	    &rsa_prov_handle)) != CRYPTO_SUCCESS) {
333 		cmn_err(CE_WARN, "rsa _init: crypto_register_provider()"
334 		    "failed (0x%x)", ret);
335 		return (EACCES);
336 	}
337 
338 	if ((ret = mod_install(&modlinkage)) != 0) {
339 		int rv;
340 
341 		ASSERT(rsa_prov_handle != NULL);
342 		/* We should not return if the unregister returns busy. */
343 		while ((rv = crypto_unregister_provider(rsa_prov_handle))
344 		    == CRYPTO_BUSY) {
345 			cmn_err(CE_WARN, "rsa _init: "
346 			    "crypto_unregister_provider() "
347 			    "failed (0x%x). Retrying.", rv);
348 			/* wait 10 seconds and try again. */
349 			delay(10 * drv_usectohz(1000000));
350 		}
351 	}
352 
353 	return (ret);
354 }
355 
356 int
357 _fini(void)
358 {
359 	int ret;
360 
361 	/*
362 	 * Unregister from KCF if previous registration succeeded.
363 	 */
364 	if (rsa_prov_handle != NULL) {
365 		if ((ret = crypto_unregister_provider(rsa_prov_handle)) !=
366 		    CRYPTO_SUCCESS) {
367 			cmn_err(CE_WARN, "rsa _fini: "
368 			    "crypto_unregister_provider() "
369 			    "failed (0x%x)", ret);
370 			return (EBUSY);
371 		}
372 		rsa_prov_handle = NULL;
373 	}
374 
375 	return (mod_remove(&modlinkage));
376 }
377 
378 int
379 _info(struct modinfo *modinfop)
380 {
381 	return (mod_info(&modlinkage, modinfop));
382 }
383 
384 /* ARGSUSED */
385 static void
386 rsa_provider_status(crypto_provider_handle_t provider, uint_t *status)
387 {
388 	*status = CRYPTO_PROVIDER_READY;
389 }
390 
391 /*
392  * Utility routine to look up a attribute of type, 'type',
393  * in the key.
394  */
395 static int
396 get_key_attr(crypto_key_t *key, crypto_attr_type_t type,
397     uchar_t **value, ssize_t *value_len)
398 {
399 	int i;
400 
401 	ASSERT(key->ck_format == CRYPTO_KEY_ATTR_LIST);
402 	for (i = 0; i < key->ck_count; i++) {
403 		if (key->ck_attrs[i].oa_type == type) {
404 			*value = (uchar_t *)key->ck_attrs[i].oa_value;
405 			*value_len = key->ck_attrs[i].oa_value_len;
406 			return (CRYPTO_SUCCESS);
407 		}
408 	}
409 
410 	return (CRYPTO_FAILED);
411 }
412 
413 static int
414 check_mech_and_key(crypto_mechanism_t *mechanism, crypto_key_t *key)
415 {
416 	int rv = CRYPTO_FAILED;
417 
418 /* EXPORT DELETE START */
419 
420 	uchar_t *modulus;
421 	ssize_t modulus_len; /* In bytes */
422 
423 	if (!RSA_VALID_MECH(mechanism))
424 		return (CRYPTO_MECHANISM_INVALID);
425 
426 	/*
427 	 * We only support RSA keys that are passed as a list of
428 	 * object attributes.
429 	 */
430 	if (key->ck_format != CRYPTO_KEY_ATTR_LIST) {
431 		return (CRYPTO_KEY_TYPE_INCONSISTENT);
432 	}
433 
434 	if ((rv = get_key_attr(key, SUN_CKA_MODULUS, &modulus,
435 	    &modulus_len)) != CRYPTO_SUCCESS) {
436 		return (rv);
437 	}
438 	if (modulus_len < MIN_RSA_KEYLENGTH_IN_BYTES ||
439 	    modulus_len > MAX_RSA_KEYLENGTH_IN_BYTES)
440 		return (CRYPTO_KEY_SIZE_RANGE);
441 
442 /* EXPORT DELETE END */
443 
444 	return (rv);
445 }
446 
447 void
448 kmemset(uint8_t *buf, char pattern, size_t len)
449 {
450 	int i = 0;
451 
452 	while (i < len)
453 		buf[i++] = pattern;
454 }
455 
456 /*
457  * This function guarantees to return non-zero random numbers.
458  * This is needed as the /dev/urandom kernel interface,
459  * random_get_pseudo_bytes(), may return zeros.
460  */
461 int
462 knzero_random_generator(uint8_t *ran_out, size_t ran_len)
463 {
464 	int rv;
465 	size_t ebc = 0; /* count of extra bytes in extrarand */
466 	size_t i = 0;
467 	uint8_t extrarand[32];
468 	size_t extrarand_len;
469 
470 	if ((rv = random_get_pseudo_bytes(ran_out, ran_len)) != 0)
471 		return (rv);
472 
473 	/*
474 	 * Walk through the returned random numbers pointed by ran_out,
475 	 * and look for any random number which is zero.
476 	 * If we find zero, call random_get_pseudo_bytes() to generate
477 	 * another 32 random numbers pool. Replace any zeros in ran_out[]
478 	 * from the random number in pool.
479 	 */
480 	while (i < ran_len) {
481 		if (ran_out[i] != 0) {
482 			i++;
483 			continue;
484 		}
485 
486 		/*
487 		 * Note that it is 'while' so we are guaranteed a
488 		 * non-zero value on exit.
489 		 */
490 		if (ebc == 0) {
491 			/* refresh extrarand */
492 			extrarand_len = sizeof (extrarand);
493 			if ((rv = random_get_pseudo_bytes(extrarand,
494 			    extrarand_len)) != 0) {
495 				return (rv);
496 			}
497 
498 			ebc = extrarand_len;
499 		}
500 		/* Replace zero with byte from extrarand. */
501 		-- ebc;
502 
503 		/*
504 		 * The new random byte zero/non-zero will be checked in
505 		 * the next pass through the loop.
506 		 */
507 		ran_out[i] = extrarand[ebc];
508 	}
509 
510 	return (CRYPTO_SUCCESS);
511 }
512 
513 typedef enum cmd_type {
514 	COPY_FROM_DATA,
515 	COPY_TO_DATA,
516 	COMPARE_TO_DATA,
517 	MD5_DIGEST_DATA,
518 	SHA1_DIGEST_DATA,
519 	SHA2_DIGEST_DATA
520 } cmd_type_t;
521 
522 /*
523  * Utility routine to apply the command, 'cmd', to the
524  * data in the uio structure.
525  */
526 static int
527 process_uio_data(crypto_data_t *data, uchar_t *buf, int len,
528     cmd_type_t cmd, void *digest_ctx)
529 {
530 	uio_t *uiop = data->cd_uio;
531 	off_t offset = data->cd_offset;
532 	size_t length = len;
533 	uint_t vec_idx;
534 	size_t cur_len;
535 	uchar_t *datap;
536 
537 	ASSERT(data->cd_format == CRYPTO_DATA_UIO);
538 	if (uiop->uio_segflg != UIO_SYSSPACE) {
539 		return (CRYPTO_ARGUMENTS_BAD);
540 	}
541 
542 	/*
543 	 * Jump to the first iovec containing data to be
544 	 * processed.
545 	 */
546 	for (vec_idx = 0; vec_idx < uiop->uio_iovcnt &&
547 	    offset >= uiop->uio_iov[vec_idx].iov_len;
548 	    offset -= uiop->uio_iov[vec_idx++].iov_len)
549 		;
550 
551 	if (vec_idx == uiop->uio_iovcnt) {
552 		/*
553 		 * The caller specified an offset that is larger than
554 		 * the total size of the buffers it provided.
555 		 */
556 		return (CRYPTO_DATA_LEN_RANGE);
557 	}
558 
559 	while (vec_idx < uiop->uio_iovcnt && length > 0) {
560 		cur_len = MIN(uiop->uio_iov[vec_idx].iov_len -
561 		    offset, length);
562 
563 		datap = (uchar_t *)(uiop->uio_iov[vec_idx].iov_base +
564 		    offset);
565 		switch (cmd) {
566 		case COPY_FROM_DATA:
567 			bcopy(datap, buf, cur_len);
568 			buf += cur_len;
569 			break;
570 		case COPY_TO_DATA:
571 			bcopy(buf, datap, cur_len);
572 			buf += cur_len;
573 			break;
574 		case COMPARE_TO_DATA:
575 			if (bcmp(datap, buf, cur_len))
576 				return (CRYPTO_SIGNATURE_INVALID);
577 			buf += cur_len;
578 			break;
579 		case MD5_DIGEST_DATA:
580 			MD5Update(digest_ctx, datap, cur_len);
581 			break;
582 		case SHA1_DIGEST_DATA:
583 			SHA1Update(digest_ctx, datap, cur_len);
584 			break;
585 		case SHA2_DIGEST_DATA:
586 			SHA2Update(digest_ctx, datap, cur_len);
587 			break;
588 		}
589 
590 		length -= cur_len;
591 		vec_idx++;
592 		offset = 0;
593 	}
594 
595 	if (vec_idx == uiop->uio_iovcnt && length > 0) {
596 		/*
597 		 * The end of the specified iovec's was reached but
598 		 * the length requested could not be processed.
599 		 */
600 		switch (cmd) {
601 		case COPY_TO_DATA:
602 			data->cd_length = len;
603 			return (CRYPTO_BUFFER_TOO_SMALL);
604 		default:
605 			return (CRYPTO_DATA_LEN_RANGE);
606 		}
607 	}
608 
609 	return (CRYPTO_SUCCESS);
610 }
611 
612 /*
613  * Utility routine to apply the command, 'cmd', to the
614  * data in the mblk structure.
615  */
616 static int
617 process_mblk_data(crypto_data_t *data, uchar_t *buf, int len,
618     cmd_type_t cmd, void *digest_ctx)
619 {
620 	off_t offset = data->cd_offset;
621 	size_t length = len;
622 	mblk_t *mp;
623 	size_t cur_len;
624 	uchar_t *datap;
625 
626 	ASSERT(data->cd_format == CRYPTO_DATA_MBLK);
627 	/*
628 	 * Jump to the first mblk_t containing data to be processed.
629 	 */
630 	for (mp = data->cd_mp; mp != NULL && offset >= MBLKL(mp);
631 	    offset -= MBLKL(mp), mp = mp->b_cont)
632 		;
633 	if (mp == NULL) {
634 		/*
635 		 * The caller specified an offset that is larger
636 		 * than the total size of the buffers it provided.
637 		 */
638 		return (CRYPTO_DATA_LEN_RANGE);
639 	}
640 
641 	/*
642 	 * Now do the processing on the mblk chain.
643 	 */
644 	while (mp != NULL && length > 0) {
645 		cur_len = MIN(MBLKL(mp) - offset, length);
646 
647 		datap = (uchar_t *)(mp->b_rptr + offset);
648 		switch (cmd) {
649 		case COPY_FROM_DATA:
650 			bcopy(datap, buf, cur_len);
651 			buf += cur_len;
652 			break;
653 		case COPY_TO_DATA:
654 			bcopy(buf, datap, cur_len);
655 			buf += cur_len;
656 			break;
657 		case COMPARE_TO_DATA:
658 			if (bcmp(datap, buf, cur_len))
659 				return (CRYPTO_SIGNATURE_INVALID);
660 			buf += cur_len;
661 			break;
662 		case MD5_DIGEST_DATA:
663 			MD5Update(digest_ctx, datap, cur_len);
664 			break;
665 		case SHA1_DIGEST_DATA:
666 			SHA1Update(digest_ctx, datap, cur_len);
667 			break;
668 		case SHA2_DIGEST_DATA:
669 			SHA2Update(digest_ctx, datap, cur_len);
670 			break;
671 		}
672 
673 		length -= cur_len;
674 		offset = 0;
675 		mp = mp->b_cont;
676 	}
677 
678 	if (mp == NULL && length > 0) {
679 		/*
680 		 * The end of the mblk was reached but the length
681 		 * requested could not be processed.
682 		 */
683 		switch (cmd) {
684 		case COPY_TO_DATA:
685 			data->cd_length = len;
686 			return (CRYPTO_BUFFER_TOO_SMALL);
687 		default:
688 			return (CRYPTO_DATA_LEN_RANGE);
689 		}
690 	}
691 
692 	return (CRYPTO_SUCCESS);
693 }
694 
695 static int
696 compare_data(crypto_data_t *data, uchar_t *buf)
697 {
698 	int len;
699 	uchar_t *dptr;
700 
701 	len = data->cd_length;
702 	switch (data->cd_format) {
703 	case CRYPTO_DATA_RAW:
704 		dptr = (uchar_t *)(data->cd_raw.iov_base +
705 		    data->cd_offset);
706 
707 		return (bcmp(dptr, buf, len));
708 
709 	case CRYPTO_DATA_UIO:
710 		return (process_uio_data(data, buf, len,
711 		    COMPARE_TO_DATA, NULL));
712 
713 	case CRYPTO_DATA_MBLK:
714 		return (process_mblk_data(data, buf, len,
715 		    COMPARE_TO_DATA, NULL));
716 	}
717 
718 	return (CRYPTO_FAILED);
719 }
720 
721 /*
722  * Utility routine to copy a buffer to a crypto_data structure.
723  */
724 static int
725 put_output_data(uchar_t *buf, crypto_data_t *output, int len)
726 {
727 	switch (output->cd_format) {
728 	case CRYPTO_DATA_RAW:
729 		if (output->cd_raw.iov_len < len) {
730 			output->cd_length = len;
731 			return (CRYPTO_BUFFER_TOO_SMALL);
732 		}
733 		bcopy(buf, (uchar_t *)(output->cd_raw.iov_base +
734 		    output->cd_offset), len);
735 		break;
736 
737 	case CRYPTO_DATA_UIO:
738 		return (process_uio_data(output, buf, len, COPY_TO_DATA, NULL));
739 
740 	case CRYPTO_DATA_MBLK:
741 		return (process_mblk_data(output, buf, len,
742 		    COPY_TO_DATA, NULL));
743 
744 	default:
745 		return (CRYPTO_ARGUMENTS_BAD);
746 	}
747 
748 	return (CRYPTO_SUCCESS);
749 }
750 
751 /*
752  * Utility routine to get data from a crypto_data structure.
753  *
754  * '*dptr' contains a pointer to a buffer on return. 'buf'
755  * is allocated by the caller and is ignored for CRYPTO_DATA_RAW case.
756  */
757 static int
758 get_input_data(crypto_data_t *input, uchar_t **dptr, uchar_t *buf)
759 {
760 	int rv;
761 
762 	switch (input->cd_format) {
763 	case CRYPTO_DATA_RAW:
764 		if (input->cd_raw.iov_len < input->cd_length)
765 			return (CRYPTO_ARGUMENTS_BAD);
766 		*dptr = (uchar_t *)(input->cd_raw.iov_base +
767 		    input->cd_offset);
768 		break;
769 
770 	case CRYPTO_DATA_UIO:
771 		if ((rv = process_uio_data(input, buf, input->cd_length,
772 		    COPY_FROM_DATA, NULL)) != CRYPTO_SUCCESS)
773 			return (rv);
774 		*dptr = buf;
775 		break;
776 
777 	case CRYPTO_DATA_MBLK:
778 		if ((rv = process_mblk_data(input, buf, input->cd_length,
779 		    COPY_FROM_DATA, NULL)) != CRYPTO_SUCCESS)
780 			return (rv);
781 		*dptr = buf;
782 		break;
783 
784 	default:
785 		return (CRYPTO_ARGUMENTS_BAD);
786 	}
787 
788 	return (CRYPTO_SUCCESS);
789 }
790 
791 static int
792 copy_key_to_ctx(crypto_key_t *in_key, rsa_ctx_t *ctx, int kmflag)
793 {
794 	int i, count;
795 	size_t len;
796 	caddr_t attr_val;
797 	crypto_object_attribute_t *k_attrs = NULL;
798 
799 	ASSERT(in_key->ck_format == CRYPTO_KEY_ATTR_LIST);
800 
801 	count = in_key->ck_count;
802 	/* figure out how much memory to allocate for everything */
803 	len = sizeof (crypto_key_t) +
804 	    count * sizeof (crypto_object_attribute_t);
805 	for (i = 0; i < count; i++) {
806 		len += roundup(in_key->ck_attrs[i].oa_value_len,
807 		    sizeof (caddr_t));
808 	}
809 
810 	/* one big allocation for everything */
811 	ctx->key = kmem_alloc(len, kmflag);
812 	if (ctx->key == NULL)
813 		return (CRYPTO_HOST_MEMORY);
814 	k_attrs = (crypto_object_attribute_t *)((caddr_t)(ctx->key) +
815 	    sizeof (crypto_key_t));
816 
817 	attr_val = (caddr_t)k_attrs +
818 	    count * sizeof (crypto_object_attribute_t);
819 	for (i = 0; i < count; i++) {
820 		k_attrs[i].oa_type = in_key->ck_attrs[i].oa_type;
821 		bcopy(in_key->ck_attrs[i].oa_value, attr_val,
822 		    in_key->ck_attrs[i].oa_value_len);
823 		k_attrs[i].oa_value = attr_val;
824 		k_attrs[i].oa_value_len = in_key->ck_attrs[i].oa_value_len;
825 		attr_val += roundup(k_attrs[i].oa_value_len, sizeof (caddr_t));
826 	}
827 
828 	ctx->keychunk_size = len;	/* save the size to be freed */
829 	ctx->key->ck_format = CRYPTO_KEY_ATTR_LIST;
830 	ctx->key->ck_count = count;
831 	ctx->key->ck_attrs = k_attrs;
832 
833 	return (CRYPTO_SUCCESS);
834 }
835 
836 /* ARGSUSED */
837 static int
838 rsa_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
839     crypto_key_t *key, crypto_spi_ctx_template_t template,
840     crypto_req_handle_t req)
841 {
842 	int rv;
843 	int kmflag;
844 	rsa_ctx_t *ctxp;
845 
846 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
847 		return (rv);
848 
849 	/*
850 	 * Allocate a RSA context.
851 	 */
852 	kmflag = crypto_kmflag(req);
853 	if ((ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag)) == NULL)
854 		return (CRYPTO_HOST_MEMORY);
855 
856 	if ((rv = copy_key_to_ctx(key, ctxp, kmflag)) != CRYPTO_SUCCESS) {
857 		kmem_free(ctxp, sizeof (rsa_ctx_t));
858 		return (rv);
859 	}
860 	ctxp->mech_type = mechanism->cm_type;
861 
862 	ctx->cc_provider_private = ctxp;
863 
864 	return (CRYPTO_SUCCESS);
865 }
866 
867 /* ARGSUSED */
868 static int
869 rsa_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext,
870     crypto_data_t *ciphertext, crypto_req_handle_t req)
871 {
872 	int rv;
873 	rsa_ctx_t *ctxp;
874 
875 	ASSERT(ctx->cc_provider_private != NULL);
876 	ctxp = ctx->cc_provider_private;
877 
878 	RSA_ARG_INPLACE(plaintext, ciphertext);
879 
880 	/*
881 	 * Note on the KM_SLEEP flag passed to the routine below -
882 	 * rsa_encrypt() is a single-part encryption routine which is
883 	 * currently usable only by /dev/crypto. Since /dev/crypto calls are
884 	 * always synchronous, we can safely pass KM_SLEEP here.
885 	 */
886 	rv = rsa_encrypt_common(ctxp->mech_type, ctxp->key, plaintext,
887 	    ciphertext, KM_SLEEP);
888 
889 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
890 		(void) rsa_free_context(ctx);
891 
892 	return (rv);
893 }
894 
895 /* ARGSUSED */
896 static int
897 rsa_encrypt_atomic(crypto_provider_handle_t provider,
898     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
899     crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext,
900     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
901 {
902 	int rv;
903 
904 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
905 		return (rv);
906 	RSA_ARG_INPLACE(plaintext, ciphertext);
907 
908 	return (rsa_encrypt_common(mechanism->cm_type, key, plaintext,
909 	    ciphertext, crypto_kmflag(req)));
910 }
911 
912 static int
913 rsa_free_context(crypto_ctx_t *ctx)
914 {
915 	rsa_ctx_t *ctxp = ctx->cc_provider_private;
916 
917 	if (ctxp != NULL) {
918 		bzero(ctxp->key, ctxp->keychunk_size);
919 		kmem_free(ctxp->key, ctxp->keychunk_size);
920 
921 		if (ctxp->mech_type == RSA_PKCS_MECH_INFO_TYPE ||
922 		    ctxp->mech_type == RSA_X_509_MECH_INFO_TYPE)
923 			kmem_free(ctxp, sizeof (rsa_ctx_t));
924 		else
925 			kmem_free(ctxp, sizeof (digest_rsa_ctx_t));
926 
927 		ctx->cc_provider_private = NULL;
928 	}
929 
930 	return (CRYPTO_SUCCESS);
931 }
932 
933 static int
934 rsa_encrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
935     crypto_data_t *plaintext, crypto_data_t *ciphertext, int kmflag)
936 {
937 	int rv = CRYPTO_FAILED;
938 
939 /* EXPORT DELETE START */
940 
941 	int plen;
942 	uchar_t *ptptr;
943 	uchar_t *modulus;
944 	ssize_t modulus_len;
945 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
946 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
947 	uchar_t cipher_data[MAX_RSA_KEYLENGTH_IN_BYTES];
948 
949 	if ((rv = get_key_attr(key, SUN_CKA_MODULUS, &modulus,
950 	    &modulus_len)) != CRYPTO_SUCCESS) {
951 		return (rv);
952 	}
953 
954 	plen = plaintext->cd_length;
955 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
956 		if (plen > (modulus_len - MIN_PKCS1_PADLEN))
957 			return (CRYPTO_DATA_LEN_RANGE);
958 	} else {
959 		if (plen > modulus_len)
960 			return (CRYPTO_DATA_LEN_RANGE);
961 	}
962 
963 	/*
964 	 * Output buf len must not be less than RSA modulus size.
965 	 */
966 	if (ciphertext->cd_length < modulus_len) {
967 		ciphertext->cd_length = modulus_len;
968 		return (CRYPTO_BUFFER_TOO_SMALL);
969 	}
970 
971 	ASSERT(plaintext->cd_length <= sizeof (tmp_data));
972 	if ((rv = get_input_data(plaintext, &ptptr, tmp_data))
973 	    != CRYPTO_SUCCESS)
974 		return (rv);
975 
976 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
977 		rv = soft_encrypt_rsa_pkcs_encode(ptptr, plen,
978 		    plain_data, modulus_len);
979 
980 		if (rv != CRYPTO_SUCCESS)
981 			return (rv);
982 	} else {
983 		bzero(plain_data, modulus_len - plen);
984 		bcopy(ptptr, &plain_data[modulus_len - plen], plen);
985 	}
986 
987 	rv = core_rsa_encrypt(key, plain_data, modulus_len,
988 	    cipher_data, kmflag, 1);
989 	if (rv == CRYPTO_SUCCESS) {
990 		/* copy out to ciphertext */
991 		if ((rv = put_output_data(cipher_data,
992 		    ciphertext, modulus_len)) != CRYPTO_SUCCESS)
993 			return (rv);
994 
995 		ciphertext->cd_length = modulus_len;
996 	}
997 
998 /* EXPORT DELETE END */
999 
1000 	return (rv);
1001 }
1002 
1003 /* EXPORT DELETE START */
1004 
1005 static int
1006 core_rsa_encrypt(crypto_key_t *key, uchar_t *in,
1007     int in_len, uchar_t *out, int kmflag, int is_public)
1008 {
1009 	int rv;
1010 	uchar_t *expo, *modulus;
1011 	ssize_t	expo_len;
1012 	ssize_t modulus_len;
1013 	BIGNUM msg;
1014 	RSAkey *rsakey;
1015 
1016 	if (is_public) {
1017 		if ((rv = get_key_attr(key, SUN_CKA_PUBLIC_EXPONENT, &expo,
1018 		    &expo_len)) != CRYPTO_SUCCESS)
1019 			return (rv);
1020 	} else {
1021 		/*
1022 		 * SUN_CKA_PRIVATE_EXPONENT is a required attribute for a
1023 		 * RSA secret key. See the comments in core_rsa_decrypt
1024 		 * routine which calls this routine with a private key.
1025 		 */
1026 		if ((rv = get_key_attr(key, SUN_CKA_PRIVATE_EXPONENT, &expo,
1027 		    &expo_len)) != CRYPTO_SUCCESS)
1028 			return (rv);
1029 	}
1030 
1031 	if ((rv = get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1032 	    &modulus_len)) != CRYPTO_SUCCESS) {
1033 		return (rv);
1034 	}
1035 
1036 	rsakey = kmem_alloc(sizeof (RSAkey), kmflag);
1037 	if (rsakey == NULL)
1038 		return (CRYPTO_HOST_MEMORY);
1039 
1040 	/* psize and qsize for RSA_key_init is in bits. */
1041 	if (RSA_key_init(rsakey, modulus_len * 4, modulus_len * 4) != BIG_OK) {
1042 		rv = CRYPTO_HOST_MEMORY;
1043 		goto clean1;
1044 	}
1045 
1046 	/* Size for big_init is in BIG_CHUNK_TYPE words. */
1047 	if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) {
1048 		rv = CRYPTO_HOST_MEMORY;
1049 		goto clean2;
1050 	}
1051 
1052 	/* Convert octet string exponent to big integer format. */
1053 	bytestring2bignum(&(rsakey->e), expo, expo_len);
1054 
1055 	/* Convert octet string modulus to big integer format. */
1056 	bytestring2bignum(&(rsakey->n), modulus, modulus_len);
1057 
1058 	/* Convert octet string input data to big integer format. */
1059 	bytestring2bignum(&msg, in, in_len);
1060 
1061 	if (big_cmp_abs(&msg, &(rsakey->n)) > 0) {
1062 		rv = CRYPTO_DATA_LEN_RANGE;
1063 		goto clean3;
1064 	}
1065 
1066 	/* Perform RSA computation on big integer input data. */
1067 	if (big_modexp(&msg, &msg, &(rsakey->e), &(rsakey->n), NULL)
1068 	    != BIG_OK) {
1069 		rv = CRYPTO_HOST_MEMORY;
1070 		goto clean3;
1071 	}
1072 
1073 	/* Convert the big integer output data to octet string. */
1074 	bignum2bytestring(out, &msg, modulus_len);
1075 
1076 	/*
1077 	 * Should not free modulus and expo as both are just pointers
1078 	 * to an attribute value buffer from the caller.
1079 	 */
1080 clean3:
1081 	big_finish(&msg);
1082 clean2:
1083 	RSA_key_finish(rsakey);
1084 clean1:
1085 	kmem_free(rsakey, sizeof (RSAkey));
1086 
1087 	return (rv);
1088 }
1089 
1090 /* EXPORT DELETE END */
1091 
1092 /* ARGSUSED */
1093 static int
1094 rsa_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
1095     crypto_data_t *plaintext, crypto_req_handle_t req)
1096 {
1097 	int rv;
1098 	rsa_ctx_t *ctxp;
1099 
1100 	ASSERT(ctx->cc_provider_private != NULL);
1101 	ctxp = ctx->cc_provider_private;
1102 
1103 	RSA_ARG_INPLACE(ciphertext, plaintext);
1104 
1105 	/* See the comments on KM_SLEEP flag in rsa_encrypt() */
1106 	rv = rsa_decrypt_common(ctxp->mech_type, ctxp->key,
1107 	    ciphertext, plaintext, KM_SLEEP);
1108 
1109 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1110 		(void) rsa_free_context(ctx);
1111 
1112 	return (rv);
1113 }
1114 
1115 /* ARGSUSED */
1116 static int
1117 rsa_decrypt_atomic(crypto_provider_handle_t provider,
1118     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1119     crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
1120     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
1121 {
1122 	int rv;
1123 
1124 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1125 		return (rv);
1126 	RSA_ARG_INPLACE(ciphertext, plaintext);
1127 
1128 	return (rsa_decrypt_common(mechanism->cm_type, key, ciphertext,
1129 	    plaintext, crypto_kmflag(req)));
1130 }
1131 
1132 static int
1133 rsa_decrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1134     crypto_data_t *ciphertext, crypto_data_t *plaintext, int kmflag)
1135 {
1136 	int rv = CRYPTO_FAILED;
1137 
1138 /* EXPORT DELETE START */
1139 
1140 	int plain_len;
1141 	uchar_t *ctptr;
1142 	uchar_t *modulus;
1143 	ssize_t modulus_len;
1144 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1145 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1146 
1147 	if ((rv = get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1148 	    &modulus_len)) != CRYPTO_SUCCESS) {
1149 		return (rv);
1150 	}
1151 
1152 	/*
1153 	 * Ciphertext length must be equal to RSA modulus size.
1154 	 */
1155 	if (ciphertext->cd_length != modulus_len)
1156 		return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
1157 
1158 	ASSERT(ciphertext->cd_length <= sizeof (tmp_data));
1159 	if ((rv = get_input_data(ciphertext, &ctptr, tmp_data))
1160 	    != CRYPTO_SUCCESS)
1161 		return (rv);
1162 
1163 	rv = core_rsa_decrypt(key, ctptr, modulus_len, plain_data, kmflag);
1164 	if (rv == CRYPTO_SUCCESS) {
1165 		plain_len = modulus_len;
1166 
1167 		if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
1168 			/* Strip off the PKCS block formatting data. */
1169 			rv = soft_decrypt_rsa_pkcs_decode(plain_data,
1170 			    &plain_len);
1171 			if (rv != CRYPTO_SUCCESS)
1172 				return (rv);
1173 		}
1174 
1175 		if (plain_len > plaintext->cd_length) {
1176 			plaintext->cd_length = plain_len;
1177 			return (CRYPTO_BUFFER_TOO_SMALL);
1178 		}
1179 
1180 		if ((rv = put_output_data(plain_data + modulus_len - plain_len,
1181 		    plaintext, plain_len)) != CRYPTO_SUCCESS)
1182 			return (rv);
1183 
1184 		plaintext->cd_length = plain_len;
1185 	}
1186 
1187 /* EXPORT DELETE END */
1188 
1189 	return (rv);
1190 }
1191 
1192 /* EXPORT DELETE START */
1193 
1194 static int
1195 core_rsa_decrypt(crypto_key_t *key, uchar_t *in, int in_len,
1196     uchar_t *out, int kmflag)
1197 {
1198 	int rv;
1199 	uchar_t *modulus, *prime1, *prime2, *expo1, *expo2, *coef;
1200 	ssize_t modulus_len;
1201 	ssize_t	prime1_len, prime2_len;
1202 	ssize_t	expo1_len, expo2_len, coef_len;
1203 	BIGNUM msg;
1204 	RSAkey *rsakey;
1205 
1206 	if ((rv = get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1207 	    &modulus_len)) != CRYPTO_SUCCESS) {
1208 		return (rv);
1209 	}
1210 
1211 	/*
1212 	 * The following attributes are not required to be
1213 	 * present in a RSA secret key. If any of them is not present
1214 	 * we call the encrypt routine with a flag indicating use of
1215 	 * private exponent (d). Note that SUN_CKA_PRIVATE_EXPONENT is
1216 	 * a required attribute for a RSA secret key.
1217 	 */
1218 	if ((get_key_attr(key, SUN_CKA_PRIME_1, &prime1, &prime1_len)
1219 	    != CRYPTO_SUCCESS) ||
1220 	    (get_key_attr(key, SUN_CKA_PRIME_2, &prime2, &prime2_len)
1221 	    != CRYPTO_SUCCESS) ||
1222 	    (get_key_attr(key, SUN_CKA_EXPONENT_1, &expo1, &expo1_len)
1223 	    != CRYPTO_SUCCESS) ||
1224 	    (get_key_attr(key, SUN_CKA_EXPONENT_2, &expo2, &expo2_len)
1225 	    != CRYPTO_SUCCESS) ||
1226 	    (get_key_attr(key, SUN_CKA_COEFFICIENT, &coef, &coef_len)
1227 	    != CRYPTO_SUCCESS)) {
1228 		return (core_rsa_encrypt(key, in, in_len, out, kmflag, 0));
1229 	}
1230 
1231 	rsakey = kmem_alloc(sizeof (RSAkey), kmflag);
1232 	if (rsakey == NULL)
1233 		return (CRYPTO_HOST_MEMORY);
1234 
1235 	/* psize and qsize for RSA_key_init is in bits. */
1236 	if (RSA_key_init(rsakey, prime2_len * 8, prime1_len * 8) != BIG_OK) {
1237 		rv = CRYPTO_HOST_MEMORY;
1238 		goto clean1;
1239 	}
1240 
1241 	/* Size for big_init is in BIG_CHUNK_TYPE words. */
1242 	if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) {
1243 		rv = CRYPTO_HOST_MEMORY;
1244 		goto clean2;
1245 	}
1246 
1247 	/* Convert octet string input data to big integer format. */
1248 	bytestring2bignum(&msg, in, in_len);
1249 
1250 	/* Convert octet string modulus to big integer format. */
1251 	bytestring2bignum(&(rsakey->n), modulus, modulus_len);
1252 
1253 	if (big_cmp_abs(&msg, &(rsakey->n)) > 0) {
1254 		rv = CRYPTO_DATA_LEN_RANGE;
1255 		goto clean3;
1256 	}
1257 
1258 	/* Convert the rest of private key attributes to big integer format. */
1259 	bytestring2bignum(&(rsakey->dmodpminus1), expo2, expo2_len);
1260 	bytestring2bignum(&(rsakey->dmodqminus1), expo1, expo1_len);
1261 	bytestring2bignum(&(rsakey->p), prime2, prime2_len);
1262 	bytestring2bignum(&(rsakey->q), prime1, prime1_len);
1263 	bytestring2bignum(&(rsakey->pinvmodq), coef, coef_len);
1264 
1265 	if ((big_cmp_abs(&(rsakey->dmodpminus1), &(rsakey->p)) > 0) ||
1266 	    (big_cmp_abs(&(rsakey->dmodqminus1), &(rsakey->q)) > 0) ||
1267 	    (big_cmp_abs(&(rsakey->pinvmodq), &(rsakey->q)) > 0)) {
1268 		rv = CRYPTO_KEY_SIZE_RANGE;
1269 		goto clean3;
1270 	}
1271 
1272 	/* Perform RSA computation on big integer input data. */
1273 	if (big_modexp_crt(&msg, &msg, &(rsakey->dmodpminus1),
1274 	    &(rsakey->dmodqminus1), &(rsakey->p), &(rsakey->q),
1275 	    &(rsakey->pinvmodq), NULL, NULL) != BIG_OK) {
1276 		rv = CRYPTO_HOST_MEMORY;
1277 		goto clean3;
1278 	}
1279 
1280 	/* Convert the big integer output data to octet string. */
1281 	bignum2bytestring(out, &msg, modulus_len);
1282 
1283 	/*
1284 	 * Should not free modulus and friends as they are just pointers
1285 	 * to an attribute value buffer from the caller.
1286 	 */
1287 clean3:
1288 	big_finish(&msg);
1289 clean2:
1290 	RSA_key_finish(rsakey);
1291 clean1:
1292 	kmem_free(rsakey, sizeof (RSAkey));
1293 
1294 	return (rv);
1295 }
1296 
1297 /* EXPORT DELETE END */
1298 
1299 /* ARGSUSED */
1300 static int
1301 rsa_sign_verify_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
1302     crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
1303     crypto_req_handle_t req)
1304 {
1305 	int rv;
1306 	int kmflag;
1307 	rsa_ctx_t *ctxp;
1308 	digest_rsa_ctx_t *dctxp;
1309 
1310 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1311 		return (rv);
1312 
1313 	/*
1314 	 * Allocate a RSA context.
1315 	 */
1316 	kmflag = crypto_kmflag(req);
1317 	switch (mechanism->cm_type) {
1318 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1319 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1320 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1321 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1322 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1323 		dctxp = kmem_zalloc(sizeof (digest_rsa_ctx_t), kmflag);
1324 		ctxp = (rsa_ctx_t *)dctxp;
1325 		break;
1326 	default:
1327 		ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag);
1328 		break;
1329 	}
1330 
1331 	if (ctxp == NULL)
1332 		return (CRYPTO_HOST_MEMORY);
1333 
1334 	ctxp->mech_type = mechanism->cm_type;
1335 	if ((rv = copy_key_to_ctx(key, ctxp, kmflag)) != CRYPTO_SUCCESS) {
1336 		switch (mechanism->cm_type) {
1337 		case MD5_RSA_PKCS_MECH_INFO_TYPE:
1338 		case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1339 		case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1340 		case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1341 		case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1342 			kmem_free(dctxp, sizeof (digest_rsa_ctx_t));
1343 			break;
1344 		default:
1345 			kmem_free(ctxp, sizeof (rsa_ctx_t));
1346 			break;
1347 		}
1348 		return (rv);
1349 	}
1350 
1351 	switch (mechanism->cm_type) {
1352 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1353 		MD5Init(&(dctxp->md5_ctx));
1354 		break;
1355 
1356 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1357 		SHA1Init(&(dctxp->sha1_ctx));
1358 		break;
1359 
1360 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1361 		SHA2Init(SHA256, &(dctxp->sha2_ctx));
1362 		break;
1363 
1364 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1365 		SHA2Init(SHA384, &(dctxp->sha2_ctx));
1366 		break;
1367 
1368 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1369 		SHA2Init(SHA512, &(dctxp->sha2_ctx));
1370 		break;
1371 	}
1372 
1373 	ctx->cc_provider_private = ctxp;
1374 
1375 	return (CRYPTO_SUCCESS);
1376 }
1377 
1378 #define	SHA1_DIGEST_SIZE 20
1379 #define	MD5_DIGEST_SIZE 16
1380 
1381 #define	INIT_RAW_CRYPTO_DATA(data, base, len, cd_len)	\
1382 	(data).cd_format = CRYPTO_DATA_RAW;		\
1383 	(data).cd_offset = 0;				\
1384 	(data).cd_raw.iov_base = (char *)base;		\
1385 	(data).cd_raw.iov_len = len;			\
1386 	(data).cd_length = cd_len;
1387 
1388 #define	DO_UPDATE	0x01
1389 #define	DO_FINAL	0x02
1390 #define	DO_MD5		0x04
1391 #define	DO_SHA1		0x08
1392 #define	DO_SIGN		0x10
1393 #define	DO_VERIFY	0x20
1394 #define	DO_SHA2		0x40
1395 
1396 static int
1397 digest_data(crypto_data_t *data, void *dctx, uchar_t *digest,
1398     uchar_t flag)
1399 {
1400 	int rv, dlen;
1401 	uchar_t *dptr;
1402 
1403 	ASSERT(flag & DO_MD5 || flag & DO_SHA1 || flag & DO_SHA2);
1404 	if (data == NULL) {
1405 		ASSERT((flag & DO_UPDATE) == 0);
1406 		goto dofinal;
1407 	}
1408 
1409 	dlen = data->cd_length;
1410 
1411 	if (flag & DO_UPDATE) {
1412 
1413 		switch (data->cd_format) {
1414 		case CRYPTO_DATA_RAW:
1415 			dptr = (uchar_t *)(data->cd_raw.iov_base +
1416 			    data->cd_offset);
1417 
1418 			if (flag & DO_MD5)
1419 				MD5Update(dctx, dptr, dlen);
1420 
1421 			else if (flag & DO_SHA1)
1422 				SHA1Update(dctx, dptr, dlen);
1423 
1424 			else
1425 				SHA2Update(dctx, dptr, dlen);
1426 
1427 		break;
1428 
1429 		case CRYPTO_DATA_UIO:
1430 			if (flag & DO_MD5)
1431 				rv = process_uio_data(data, NULL, dlen,
1432 				    MD5_DIGEST_DATA, dctx);
1433 
1434 			else if (flag & DO_SHA1)
1435 				rv = process_uio_data(data, NULL, dlen,
1436 				    SHA1_DIGEST_DATA, dctx);
1437 
1438 			else
1439 				rv = process_uio_data(data, NULL, dlen,
1440 				    SHA2_DIGEST_DATA, dctx);
1441 
1442 			if (rv != CRYPTO_SUCCESS)
1443 				return (rv);
1444 
1445 			break;
1446 
1447 		case CRYPTO_DATA_MBLK:
1448 			if (flag & DO_MD5)
1449 				rv = process_mblk_data(data, NULL, dlen,
1450 				    MD5_DIGEST_DATA, dctx);
1451 
1452 			else if (flag & DO_SHA1)
1453 				rv = process_mblk_data(data, NULL, dlen,
1454 				    SHA1_DIGEST_DATA, dctx);
1455 
1456 			else
1457 				rv = process_mblk_data(data, NULL, dlen,
1458 				    SHA2_DIGEST_DATA, dctx);
1459 
1460 			if (rv != CRYPTO_SUCCESS)
1461 				return (rv);
1462 
1463 			break;
1464 		}
1465 	}
1466 
1467 dofinal:
1468 	if (flag & DO_FINAL) {
1469 		if (flag & DO_MD5)
1470 			MD5Final(digest, dctx);
1471 
1472 		else if (flag & DO_SHA1)
1473 			SHA1Final(digest, dctx);
1474 
1475 		else
1476 			SHA2Final(digest, dctx);
1477 	}
1478 
1479 	return (CRYPTO_SUCCESS);
1480 }
1481 
1482 static int
1483 rsa_digest_svrfy_common(digest_rsa_ctx_t *ctxp, crypto_data_t *data,
1484     crypto_data_t *signature, int kmflag, uchar_t flag)
1485 {
1486 	int rv = CRYPTO_FAILED;
1487 
1488 /* EXPORT DELETE START */
1489 
1490 	uchar_t digest[SHA512_DIGEST_LENGTH];
1491 	/* The der_data size is enough for MD5 also */
1492 	uchar_t der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len];
1493 	ulong_t der_data_len;
1494 	crypto_data_t der_cd;
1495 	rsa_mech_type_t mech_type;
1496 
1497 	ASSERT(flag & DO_SIGN || flag & DO_VERIFY);
1498 	ASSERT(data != NULL || (flag & DO_FINAL));
1499 
1500 	mech_type = ctxp->mech_type;
1501 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE ||
1502 	    mech_type == RSA_X_509_MECH_INFO_TYPE)
1503 		return (CRYPTO_MECHANISM_INVALID);
1504 
1505 	/*
1506 	 * We need to do the BUFFER_TOO_SMALL check before digesting
1507 	 * the data. No check is needed for verify as signature is not
1508 	 * an output argument for verify.
1509 	 */
1510 	if (flag & DO_SIGN) {
1511 		uchar_t *modulus;
1512 		ssize_t modulus_len;
1513 
1514 		if ((rv = get_key_attr(ctxp->key, SUN_CKA_MODULUS, &modulus,
1515 		    &modulus_len)) != CRYPTO_SUCCESS) {
1516 			return (rv);
1517 		}
1518 
1519 		if (signature->cd_length < modulus_len) {
1520 			signature->cd_length = modulus_len;
1521 			return (CRYPTO_BUFFER_TOO_SMALL);
1522 		}
1523 	}
1524 
1525 	if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE)
1526 		rv = digest_data(data, &(ctxp->md5_ctx),
1527 		    digest, flag | DO_MD5);
1528 
1529 	else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE)
1530 		rv = digest_data(data, &(ctxp->sha1_ctx),
1531 		    digest, flag | DO_SHA1);
1532 
1533 	else
1534 		rv = digest_data(data, &(ctxp->sha2_ctx),
1535 		    digest, flag | DO_SHA2);
1536 
1537 	if (rv != CRYPTO_SUCCESS)
1538 		return (rv);
1539 
1540 
1541 	/*
1542 	 * Prepare the DER encoding of the DigestInfo value as follows:
1543 	 * MD5:		MD5_DER_PREFIX || H
1544 	 * SHA-1:	SHA1_DER_PREFIX || H
1545 	 *
1546 	 * See rsa_impl.c for more details.
1547 	 */
1548 	switch (mech_type) {
1549 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1550 		bcopy(MD5_DER_PREFIX, der_data, MD5_DER_PREFIX_Len);
1551 		bcopy(digest, der_data + MD5_DER_PREFIX_Len, MD5_DIGEST_SIZE);
1552 		der_data_len = MD5_DER_PREFIX_Len + MD5_DIGEST_SIZE;
1553 		break;
1554 
1555 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1556 		bcopy(SHA1_DER_PREFIX, der_data, SHA1_DER_PREFIX_Len);
1557 		bcopy(digest, der_data + SHA1_DER_PREFIX_Len,
1558 		    SHA1_DIGEST_SIZE);
1559 		der_data_len = SHA1_DER_PREFIX_Len + SHA1_DIGEST_SIZE;
1560 		break;
1561 
1562 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1563 		bcopy(SHA256_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1564 		bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1565 		    SHA256_DIGEST_LENGTH);
1566 		der_data_len = SHA2_DER_PREFIX_Len + SHA256_DIGEST_LENGTH;
1567 		break;
1568 
1569 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1570 		bcopy(SHA384_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1571 		bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1572 		    SHA384_DIGEST_LENGTH);
1573 		der_data_len = SHA2_DER_PREFIX_Len + SHA384_DIGEST_LENGTH;
1574 		break;
1575 
1576 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1577 		bcopy(SHA512_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1578 		bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1579 		    SHA512_DIGEST_LENGTH);
1580 		der_data_len = SHA2_DER_PREFIX_Len + SHA512_DIGEST_LENGTH;
1581 		break;
1582 	}
1583 
1584 	INIT_RAW_CRYPTO_DATA(der_cd, der_data, der_data_len, der_data_len);
1585 	/*
1586 	 * Now, we are ready to sign or verify the DER_ENCODED data.
1587 	 */
1588 	if (flag & DO_SIGN)
1589 		rv = rsa_sign_common(mech_type, ctxp->key, &der_cd,
1590 		    signature, kmflag);
1591 	else
1592 		rv = rsa_verify_common(mech_type, ctxp->key, &der_cd,
1593 		    signature, kmflag);
1594 
1595 /* EXPORT DELETE END */
1596 
1597 	return (rv);
1598 }
1599 
1600 static int
1601 rsa_sign_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1602     crypto_data_t *data, crypto_data_t *signature, int kmflag)
1603 {
1604 	int rv = CRYPTO_FAILED;
1605 
1606 /* EXPORT DELETE START */
1607 
1608 	int dlen;
1609 	uchar_t *dataptr, *modulus;
1610 	ssize_t modulus_len;
1611 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1612 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1613 	uchar_t signed_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1614 
1615 	if ((rv = get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1616 	    &modulus_len)) != CRYPTO_SUCCESS) {
1617 		return (rv);
1618 	}
1619 
1620 	dlen = data->cd_length;
1621 	switch (mech_type) {
1622 	case RSA_PKCS_MECH_INFO_TYPE:
1623 		if (dlen > (modulus_len - MIN_PKCS1_PADLEN))
1624 			return (CRYPTO_DATA_LEN_RANGE);
1625 		break;
1626 	case RSA_X_509_MECH_INFO_TYPE:
1627 		if (dlen > modulus_len)
1628 			return (CRYPTO_DATA_LEN_RANGE);
1629 		break;
1630 	}
1631 
1632 	if (signature->cd_length < modulus_len) {
1633 		signature->cd_length = modulus_len;
1634 		return (CRYPTO_BUFFER_TOO_SMALL);
1635 	}
1636 
1637 	ASSERT(data->cd_length <= sizeof (tmp_data));
1638 	if ((rv = get_input_data(data, &dataptr, tmp_data))
1639 	    != CRYPTO_SUCCESS)
1640 		return (rv);
1641 
1642 	switch (mech_type) {
1643 	case RSA_PKCS_MECH_INFO_TYPE:
1644 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1645 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1646 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1647 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1648 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1649 		/*
1650 		 * Add PKCS padding to the input data to format a block
1651 		 * type "01" encryption block.
1652 		 */
1653 		rv = soft_sign_rsa_pkcs_encode(dataptr, dlen, plain_data,
1654 		    modulus_len);
1655 		if (rv != CRYPTO_SUCCESS)
1656 			return (rv);
1657 
1658 		break;
1659 
1660 	case RSA_X_509_MECH_INFO_TYPE:
1661 		bzero(plain_data, modulus_len - dlen);
1662 		bcopy(dataptr, &plain_data[modulus_len - dlen], dlen);
1663 		break;
1664 	}
1665 
1666 	rv = core_rsa_decrypt(key, plain_data, modulus_len, signed_data,
1667 	    kmflag);
1668 	if (rv == CRYPTO_SUCCESS) {
1669 		/* copy out to signature */
1670 		if ((rv = put_output_data(signed_data,
1671 		    signature, modulus_len)) != CRYPTO_SUCCESS)
1672 			return (rv);
1673 
1674 		signature->cd_length = modulus_len;
1675 	}
1676 
1677 /* EXPORT DELETE END */
1678 
1679 	return (rv);
1680 }
1681 
1682 /* ARGSUSED */
1683 static int
1684 rsa_sign(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature,
1685     crypto_req_handle_t req)
1686 {
1687 	int rv;
1688 	rsa_ctx_t *ctxp;
1689 
1690 	ASSERT(ctx->cc_provider_private != NULL);
1691 	ctxp = ctx->cc_provider_private;
1692 
1693 	/* See the comments on KM_SLEEP flag in rsa_encrypt() */
1694 	switch (ctxp->mech_type) {
1695 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1696 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1697 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1698 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1699 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1700 		rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data,
1701 		    signature, KM_SLEEP, DO_SIGN | DO_UPDATE | DO_FINAL);
1702 		break;
1703 	default:
1704 		rv = rsa_sign_common(ctxp->mech_type, ctxp->key, data,
1705 		    signature, KM_SLEEP);
1706 		break;
1707 	}
1708 
1709 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1710 		(void) rsa_free_context(ctx);
1711 
1712 	return (rv);
1713 }
1714 
1715 /* ARGSUSED */
1716 static int
1717 rsa_sign_update(crypto_ctx_t *ctx, crypto_data_t *data, crypto_req_handle_t req)
1718 {
1719 	int rv;
1720 	digest_rsa_ctx_t *ctxp;
1721 	rsa_mech_type_t mech_type;
1722 
1723 	ASSERT(ctx->cc_provider_private != NULL);
1724 	ctxp = ctx->cc_provider_private;
1725 	mech_type = ctxp->mech_type;
1726 
1727 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE ||
1728 	    mech_type == RSA_X_509_MECH_INFO_TYPE)
1729 		return (CRYPTO_MECHANISM_INVALID);
1730 
1731 	if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE)
1732 		rv = digest_data(data, &(ctxp->md5_ctx),
1733 		    NULL, DO_MD5 | DO_UPDATE);
1734 
1735 	else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE)
1736 		rv = digest_data(data, &(ctxp->sha1_ctx),
1737 		    NULL, DO_SHA1 | DO_UPDATE);
1738 
1739 	else
1740 		rv = digest_data(data, &(ctxp->sha2_ctx),
1741 		    NULL, DO_SHA2 | DO_UPDATE);
1742 
1743 	return (rv);
1744 }
1745 
1746 static int
1747 rsa_sign_final(crypto_ctx_t *ctx, crypto_data_t *signature,
1748     crypto_req_handle_t req)
1749 {
1750 	int rv;
1751 	digest_rsa_ctx_t *ctxp;
1752 
1753 	ASSERT(ctx->cc_provider_private != NULL);
1754 	ctxp = ctx->cc_provider_private;
1755 
1756 	rv = rsa_digest_svrfy_common(ctxp, NULL, signature,
1757 	    crypto_kmflag(req), DO_SIGN | DO_FINAL);
1758 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1759 		(void) rsa_free_context(ctx);
1760 
1761 	return (rv);
1762 }
1763 
1764 /* ARGSUSED */
1765 static int
1766 rsa_sign_atomic(crypto_provider_handle_t provider,
1767     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1768     crypto_key_t *key, crypto_data_t *data, crypto_data_t *signature,
1769     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1770 {
1771 	int rv;
1772 	digest_rsa_ctx_t dctx;
1773 
1774 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1775 		return (rv);
1776 
1777 	if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE ||
1778 	    mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE)
1779 		rv = rsa_sign_common(mechanism->cm_type, key, data,
1780 		    signature, crypto_kmflag(req));
1781 
1782 	else {
1783 		dctx.mech_type = mechanism->cm_type;
1784 		dctx.key = key;
1785 		switch (mechanism->cm_type) {
1786 		case MD5_RSA_PKCS_MECH_INFO_TYPE:
1787 			MD5Init(&(dctx.md5_ctx));
1788 			break;
1789 
1790 		case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1791 			SHA1Init(&(dctx.sha1_ctx));
1792 			break;
1793 
1794 		case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1795 			SHA2Init(SHA256, &(dctx.sha2_ctx));
1796 			break;
1797 
1798 		case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1799 			SHA2Init(SHA384, &(dctx.sha2_ctx));
1800 			break;
1801 
1802 		case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1803 			SHA2Init(SHA512, &(dctx.sha2_ctx));
1804 			break;
1805 		}
1806 
1807 		rv = rsa_digest_svrfy_common(&dctx, data, signature,
1808 		    crypto_kmflag(req), DO_SIGN | DO_UPDATE | DO_FINAL);
1809 	}
1810 
1811 	return (rv);
1812 }
1813 
1814 static int
1815 rsa_verify_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1816     crypto_data_t *data, crypto_data_t *signature, int kmflag)
1817 {
1818 	int rv = CRYPTO_FAILED;
1819 
1820 /* EXPORT DELETE START */
1821 
1822 	uchar_t *sigptr, *modulus;
1823 	ssize_t modulus_len;
1824 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1825 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1826 
1827 	if ((rv = get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1828 	    &modulus_len)) != CRYPTO_SUCCESS) {
1829 		return (rv);
1830 	}
1831 
1832 	if (signature->cd_length != modulus_len)
1833 		return (CRYPTO_SIGNATURE_LEN_RANGE);
1834 
1835 	ASSERT(signature->cd_length <= sizeof (tmp_data));
1836 	if ((rv = get_input_data(signature, &sigptr, tmp_data))
1837 	    != CRYPTO_SUCCESS)
1838 		return (rv);
1839 
1840 	rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, kmflag, 1);
1841 	if (rv != CRYPTO_SUCCESS)
1842 		return (rv);
1843 
1844 	if (mech_type == RSA_X_509_MECH_INFO_TYPE) {
1845 		if (compare_data(data, (plain_data + modulus_len
1846 		    - data->cd_length)) != 0)
1847 			rv = CRYPTO_SIGNATURE_INVALID;
1848 
1849 	} else {
1850 		int data_len = modulus_len;
1851 
1852 		/*
1853 		 * Strip off the encoded padding bytes in front of the
1854 		 * recovered data, then compare the recovered data with
1855 		 * the original data.
1856 		 */
1857 		rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len);
1858 		if (rv != CRYPTO_SUCCESS)
1859 			return (rv);
1860 
1861 		if (data_len != data->cd_length)
1862 			return (CRYPTO_SIGNATURE_LEN_RANGE);
1863 
1864 		if (compare_data(data, (plain_data + modulus_len
1865 		    - data_len)) != 0)
1866 			rv = CRYPTO_SIGNATURE_INVALID;
1867 	}
1868 
1869 /* EXPORT DELETE END */
1870 
1871 	return (rv);
1872 }
1873 
1874 /* ARGSUSED */
1875 static int
1876 rsa_verify(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature,
1877     crypto_req_handle_t req)
1878 {
1879 	int rv;
1880 	rsa_ctx_t *ctxp;
1881 
1882 	ASSERT(ctx->cc_provider_private != NULL);
1883 	ctxp = ctx->cc_provider_private;
1884 
1885 	/* See the comments on KM_SLEEP flag in rsa_encrypt() */
1886 	switch (ctxp->mech_type) {
1887 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1888 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1889 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1890 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1891 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1892 		rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data,
1893 		    signature, KM_SLEEP, DO_VERIFY | DO_UPDATE | DO_FINAL);
1894 		break;
1895 	default:
1896 		rv = rsa_verify_common(ctxp->mech_type, ctxp->key, data,
1897 		    signature, KM_SLEEP);
1898 		break;
1899 	}
1900 
1901 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1902 		(void) rsa_free_context(ctx);
1903 
1904 	return (rv);
1905 }
1906 
1907 /* ARGSUSED */
1908 static int
1909 rsa_verify_update(crypto_ctx_t *ctx, crypto_data_t *data,
1910     crypto_req_handle_t req)
1911 {
1912 	int rv;
1913 	digest_rsa_ctx_t *ctxp;
1914 
1915 	ASSERT(ctx->cc_provider_private != NULL);
1916 	ctxp = ctx->cc_provider_private;
1917 
1918 	switch (ctxp->mech_type) {
1919 
1920 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1921 		rv = digest_data(data, &(ctxp->md5_ctx),
1922 		    NULL, DO_MD5 | DO_UPDATE);
1923 		break;
1924 
1925 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1926 		rv = digest_data(data, &(ctxp->sha1_ctx),
1927 		    NULL, DO_SHA1 | DO_UPDATE);
1928 		break;
1929 
1930 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1931 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1932 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1933 		rv = digest_data(data, &(ctxp->sha2_ctx),
1934 		    NULL, DO_SHA2 | DO_UPDATE);
1935 		break;
1936 
1937 	default:
1938 		return (CRYPTO_MECHANISM_INVALID);
1939 	}
1940 
1941 	return (rv);
1942 }
1943 
1944 static int
1945 rsa_verify_final(crypto_ctx_t *ctx, crypto_data_t *signature,
1946     crypto_req_handle_t req)
1947 {
1948 	int rv;
1949 	digest_rsa_ctx_t *ctxp;
1950 
1951 	ASSERT(ctx->cc_provider_private != NULL);
1952 	ctxp = ctx->cc_provider_private;
1953 
1954 	rv = rsa_digest_svrfy_common(ctxp, NULL, signature,
1955 	    crypto_kmflag(req), DO_VERIFY | DO_FINAL);
1956 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1957 		(void) rsa_free_context(ctx);
1958 
1959 	return (rv);
1960 }
1961 
1962 
1963 /* ARGSUSED */
1964 static int
1965 rsa_verify_atomic(crypto_provider_handle_t provider,
1966     crypto_session_id_t session_id,
1967     crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data,
1968     crypto_data_t *signature, crypto_spi_ctx_template_t ctx_template,
1969     crypto_req_handle_t req)
1970 {
1971 	int rv;
1972 	digest_rsa_ctx_t dctx;
1973 
1974 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1975 		return (rv);
1976 
1977 	if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE ||
1978 	    mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE)
1979 		rv = rsa_verify_common(mechanism->cm_type, key, data,
1980 		    signature, crypto_kmflag(req));
1981 
1982 	else {
1983 		dctx.mech_type = mechanism->cm_type;
1984 		dctx.key = key;
1985 
1986 		switch (mechanism->cm_type) {
1987 		case MD5_RSA_PKCS_MECH_INFO_TYPE:
1988 			MD5Init(&(dctx.md5_ctx));
1989 			break;
1990 
1991 		case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1992 			SHA1Init(&(dctx.sha1_ctx));
1993 			break;
1994 
1995 		case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1996 			SHA2Init(SHA256, &(dctx.sha2_ctx));
1997 			break;
1998 
1999 		case SHA384_RSA_PKCS_MECH_INFO_TYPE:
2000 			SHA2Init(SHA384, &(dctx.sha2_ctx));
2001 			break;
2002 
2003 		case SHA512_RSA_PKCS_MECH_INFO_TYPE:
2004 			SHA2Init(SHA512, &(dctx.sha2_ctx));
2005 			break;
2006 		}
2007 
2008 		rv = rsa_digest_svrfy_common(&dctx, data,
2009 		    signature, crypto_kmflag(req),
2010 		    DO_VERIFY | DO_UPDATE | DO_FINAL);
2011 	}
2012 
2013 	return (rv);
2014 }
2015 
2016 static int
2017 rsa_verify_recover_common(rsa_mech_type_t mech_type, crypto_key_t *key,
2018     crypto_data_t *signature, crypto_data_t *data, int kmflag)
2019 {
2020 	int rv = CRYPTO_FAILED;
2021 
2022 /* EXPORT DELETE START */
2023 
2024 	int data_len;
2025 	uchar_t *sigptr, *modulus;
2026 	ssize_t modulus_len;
2027 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
2028 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
2029 
2030 	if ((rv = get_key_attr(key, SUN_CKA_MODULUS, &modulus,
2031 	    &modulus_len)) != CRYPTO_SUCCESS) {
2032 		return (rv);
2033 	}
2034 
2035 	if (signature->cd_length != modulus_len)
2036 		return (CRYPTO_SIGNATURE_LEN_RANGE);
2037 
2038 	ASSERT(signature->cd_length <= sizeof (tmp_data));
2039 	if ((rv = get_input_data(signature, &sigptr, tmp_data))
2040 	    != CRYPTO_SUCCESS)
2041 		return (rv);
2042 
2043 	rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, kmflag, 1);
2044 	if (rv != CRYPTO_SUCCESS)
2045 		return (rv);
2046 
2047 	data_len = modulus_len;
2048 
2049 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
2050 		/*
2051 		 * Strip off the encoded padding bytes in front of the
2052 		 * recovered data, then compare the recovered data with
2053 		 * the original data.
2054 		 */
2055 		rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len);
2056 		if (rv != CRYPTO_SUCCESS)
2057 			return (rv);
2058 	}
2059 
2060 	if (data->cd_length < data_len) {
2061 		data->cd_length = data_len;
2062 		return (CRYPTO_BUFFER_TOO_SMALL);
2063 	}
2064 
2065 	if ((rv = put_output_data(plain_data + modulus_len - data_len,
2066 	    data, data_len)) != CRYPTO_SUCCESS)
2067 		return (rv);
2068 	data->cd_length = data_len;
2069 
2070 /* EXPORT DELETE END */
2071 
2072 	return (rv);
2073 }
2074 
2075 /* ARGSUSED */
2076 static int
2077 rsa_verify_recover(crypto_ctx_t *ctx, crypto_data_t *signature,
2078     crypto_data_t *data, crypto_req_handle_t req)
2079 {
2080 	int rv;
2081 	rsa_ctx_t *ctxp;
2082 
2083 	ASSERT(ctx->cc_provider_private != NULL);
2084 	ctxp = ctx->cc_provider_private;
2085 
2086 	/* See the comments on KM_SLEEP flag in rsa_encrypt() */
2087 	rv = rsa_verify_recover_common(ctxp->mech_type, ctxp->key,
2088 	    signature, data, KM_SLEEP);
2089 
2090 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
2091 		(void) rsa_free_context(ctx);
2092 
2093 	return (rv);
2094 }
2095 
2096 /* ARGSUSED */
2097 static int
2098 rsa_verify_recover_atomic(crypto_provider_handle_t provider,
2099     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
2100     crypto_key_t *key, crypto_data_t *signature, crypto_data_t *data,
2101     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
2102 {
2103 	int rv;
2104 
2105 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
2106 		return (rv);
2107 
2108 	return (rsa_verify_recover_common(mechanism->cm_type, key,
2109 	    signature, data, crypto_kmflag(req)));
2110 }
2111