xref: /titanic_52/usr/src/uts/common/crypto/io/rsa.c (revision 9e86db79b7d1bbc5f2f04e99954cbd5eae0e22bb)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * RSA provider for the Kernel Cryptographic Framework (KCF)
28  */
29 
30 #include <sys/types.h>
31 #include <sys/systm.h>
32 #include <sys/modctl.h>
33 #include <sys/cmn_err.h>
34 #include <sys/ddi.h>
35 #include <sys/crypto/spi.h>
36 #include <sys/sysmacros.h>
37 #include <sys/strsun.h>
38 #include <sys/md5.h>
39 #include <sys/sha1.h>
40 #define	_SHA2_IMPL
41 #include <sys/sha2.h>
42 #include <sys/random.h>
43 #include <sys/crypto/impl.h>
44 #include <sha1/sha1_impl.h>
45 #include <sha2/sha2_impl.h>
46 #define	_RSA_FIPS_POST
47 #include <rsa/rsa_impl.h>
48 
49 extern struct mod_ops mod_cryptoops;
50 
51 /*
52  * Module linkage information for the kernel.
53  */
54 static struct modlcrypto modlcrypto = {
55 	&mod_cryptoops,
56 	"RSA Kernel SW Provider"
57 };
58 
59 static struct modlinkage modlinkage = {
60 	MODREV_1,
61 	(void *)&modlcrypto,
62 	NULL
63 };
64 
65 /*
66  * CSPI information (entry points, provider info, etc.)
67  */
68 typedef enum rsa_mech_type {
69 	RSA_PKCS_MECH_INFO_TYPE,	/* SUN_CKM_RSA_PKCS */
70 	RSA_X_509_MECH_INFO_TYPE,	/* SUN_CKM_RSA_X_509 */
71 	MD5_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_MD5_RSA_PKCS */
72 	SHA1_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_SHA1_RSA_PKCS */
73 	SHA256_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_SHA256_RSA_PKCS */
74 	SHA384_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_SHA384_RSA_PKCS */
75 	SHA512_RSA_PKCS_MECH_INFO_TYPE	/* SUN_SHA512_RSA_PKCS */
76 } rsa_mech_type_t;
77 
78 /*
79  * Context for RSA_PKCS and RSA_X_509 mechanisms.
80  */
81 typedef struct rsa_ctx {
82 	rsa_mech_type_t	mech_type;
83 	crypto_key_t *key;
84 	size_t keychunk_size;
85 } rsa_ctx_t;
86 
87 /*
88  * Context for MD5_RSA_PKCS and SHA*_RSA_PKCS mechanisms.
89  */
90 typedef struct digest_rsa_ctx {
91 	rsa_mech_type_t	mech_type;
92 	crypto_key_t *key;
93 	size_t keychunk_size;
94 	union {
95 		MD5_CTX md5ctx;
96 		SHA1_CTX sha1ctx;
97 		SHA2_CTX sha2ctx;
98 	} dctx_u;
99 } digest_rsa_ctx_t;
100 
101 #define	md5_ctx		dctx_u.md5ctx
102 #define	sha1_ctx	dctx_u.sha1ctx
103 #define	sha2_ctx	dctx_u.sha2ctx
104 
105 /*
106  * Mechanism info structure passed to KCF during registration.
107  */
108 static crypto_mech_info_t rsa_mech_info_tab[] = {
109 	/* RSA_PKCS */
110 	{SUN_CKM_RSA_PKCS, RSA_PKCS_MECH_INFO_TYPE,
111 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
112 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
113 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
114 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC |
115 	    CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC |
116 	    CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC,
117 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
118 
119 	/* RSA_X_509 */
120 	{SUN_CKM_RSA_X_509, RSA_X_509_MECH_INFO_TYPE,
121 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
122 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
123 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
124 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC |
125 	    CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC |
126 	    CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC,
127 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
128 
129 	/* MD5_RSA_PKCS */
130 	{SUN_CKM_MD5_RSA_PKCS, MD5_RSA_PKCS_MECH_INFO_TYPE,
131 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
132 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
133 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
134 
135 	/* SHA1_RSA_PKCS */
136 	{SUN_CKM_SHA1_RSA_PKCS, SHA1_RSA_PKCS_MECH_INFO_TYPE,
137 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
138 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
139 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
140 
141 	/* SHA256_RSA_PKCS */
142 	{SUN_CKM_SHA256_RSA_PKCS, SHA256_RSA_PKCS_MECH_INFO_TYPE,
143 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
144 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
145 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
146 
147 	/* SHA384_RSA_PKCS */
148 	{SUN_CKM_SHA384_RSA_PKCS, SHA384_RSA_PKCS_MECH_INFO_TYPE,
149 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
150 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
151 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
152 
153 	/* SHA512_RSA_PKCS */
154 	{SUN_CKM_SHA512_RSA_PKCS, SHA512_RSA_PKCS_MECH_INFO_TYPE,
155 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
156 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
157 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}
158 
159 };
160 
161 #define	RSA_VALID_MECH(mech)					\
162 	(((mech)->cm_type == RSA_PKCS_MECH_INFO_TYPE ||		\
163 	(mech)->cm_type == RSA_X_509_MECH_INFO_TYPE ||		\
164 	(mech)->cm_type == MD5_RSA_PKCS_MECH_INFO_TYPE ||	\
165 	(mech)->cm_type == SHA1_RSA_PKCS_MECH_INFO_TYPE ||	\
166 	(mech)->cm_type == SHA256_RSA_PKCS_MECH_INFO_TYPE ||	\
167 	(mech)->cm_type == SHA384_RSA_PKCS_MECH_INFO_TYPE ||	\
168 	(mech)->cm_type == SHA512_RSA_PKCS_MECH_INFO_TYPE) ? 1 : 0)
169 
170 /* operations are in-place if the output buffer is NULL */
171 #define	RSA_ARG_INPLACE(input, output)				\
172 	if ((output) == NULL)					\
173 		(output) = (input);
174 
175 static void rsa_provider_status(crypto_provider_handle_t, uint_t *);
176 
177 static crypto_control_ops_t rsa_control_ops = {
178 	rsa_provider_status
179 };
180 
181 static int rsa_common_init(crypto_ctx_t *, crypto_mechanism_t *,
182     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
183 static int rsa_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
184     crypto_req_handle_t);
185 static int rsa_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
186     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
187     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
188 static int rsa_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
189     crypto_req_handle_t);
190 static int rsa_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
191     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
192     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
193 
194 /*
195  * The RSA mechanisms do not have multiple-part cipher operations.
196  * So, the update and final routines are set to NULL.
197  */
198 static crypto_cipher_ops_t rsa_cipher_ops = {
199 	rsa_common_init,
200 	rsa_encrypt,
201 	NULL,
202 	NULL,
203 	rsa_encrypt_atomic,
204 	rsa_common_init,
205 	rsa_decrypt,
206 	NULL,
207 	NULL,
208 	rsa_decrypt_atomic
209 };
210 
211 static int rsa_sign_verify_common_init(crypto_ctx_t *, crypto_mechanism_t *,
212     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
213 static int rsa_sign(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
214     crypto_req_handle_t);
215 static int rsa_sign_update(crypto_ctx_t *, crypto_data_t *,
216     crypto_req_handle_t);
217 static int rsa_sign_final(crypto_ctx_t *, crypto_data_t *,
218     crypto_req_handle_t);
219 static int rsa_sign_atomic(crypto_provider_handle_t, crypto_session_id_t,
220     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
221     crypto_spi_ctx_template_t, crypto_req_handle_t);
222 
223 /*
224  * We use the same routine for sign_init and sign_recover_init fields
225  * as they do the same thing. Same holds for sign and sign_recover fields,
226  * and sign_atomic and sign_recover_atomic fields.
227  */
228 static crypto_sign_ops_t rsa_sign_ops = {
229 	rsa_sign_verify_common_init,
230 	rsa_sign,
231 	rsa_sign_update,
232 	rsa_sign_final,
233 	rsa_sign_atomic,
234 	rsa_sign_verify_common_init,
235 	rsa_sign,
236 	rsa_sign_atomic
237 };
238 
239 static int rsa_verify(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
240     crypto_req_handle_t);
241 static int rsa_verify_update(crypto_ctx_t *, crypto_data_t *,
242     crypto_req_handle_t);
243 static int rsa_verify_final(crypto_ctx_t *, crypto_data_t *,
244     crypto_req_handle_t);
245 static int rsa_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
246     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
247     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
248 static int rsa_verify_recover(crypto_ctx_t *, crypto_data_t *,
249     crypto_data_t *, crypto_req_handle_t);
250 static int rsa_verify_recover_atomic(crypto_provider_handle_t,
251     crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
252     crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
253     crypto_req_handle_t);
254 
255 /*
256  * We use the same routine (rsa_sign_verify_common_init) for verify_init
257  * and verify_recover_init fields as they do the same thing.
258  */
259 static crypto_verify_ops_t rsa_verify_ops = {
260 	rsa_sign_verify_common_init,
261 	rsa_verify,
262 	rsa_verify_update,
263 	rsa_verify_final,
264 	rsa_verify_atomic,
265 	rsa_sign_verify_common_init,
266 	rsa_verify_recover,
267 	rsa_verify_recover_atomic
268 };
269 
270 static int rsa_free_context(crypto_ctx_t *);
271 
272 static crypto_ctx_ops_t rsa_ctx_ops = {
273 	NULL,
274 	rsa_free_context
275 };
276 
277 static crypto_ops_t rsa_crypto_ops = {
278 	&rsa_control_ops,
279 	NULL,
280 	&rsa_cipher_ops,
281 	NULL,
282 	&rsa_sign_ops,
283 	&rsa_verify_ops,
284 	NULL,
285 	NULL,
286 	NULL,
287 	NULL,
288 	NULL,
289 	NULL,
290 	NULL,
291 	&rsa_ctx_ops
292 };
293 
294 static crypto_provider_info_t rsa_prov_info = {
295 	CRYPTO_SPI_VERSION_1,
296 	"RSA Software Provider",
297 	CRYPTO_SW_PROVIDER,
298 	{&modlinkage},
299 	NULL,
300 	&rsa_crypto_ops,
301 	sizeof (rsa_mech_info_tab)/sizeof (crypto_mech_info_t),
302 	rsa_mech_info_tab
303 };
304 
305 static int rsa_encrypt_common(rsa_mech_type_t, crypto_key_t *,
306     crypto_data_t *, crypto_data_t *, int);
307 static int rsa_decrypt_common(rsa_mech_type_t, crypto_key_t *,
308     crypto_data_t *, crypto_data_t *, int);
309 static int rsa_sign_common(rsa_mech_type_t, crypto_key_t *,
310     crypto_data_t *, crypto_data_t *, int);
311 static int rsa_verify_common(rsa_mech_type_t, crypto_key_t *,
312     crypto_data_t *, crypto_data_t *, int);
313 static int compare_data(crypto_data_t *, uchar_t *);
314 
315 /* EXPORT DELETE START */
316 
317 static int core_rsa_encrypt(crypto_key_t *, uchar_t *,
318     int, uchar_t *, int, int);
319 static int core_rsa_decrypt(crypto_key_t *, uchar_t *, int,
320     uchar_t *, int);
321 
322 /* EXPORT DELETE END */
323 
324 static crypto_kcf_provider_handle_t rsa_prov_handle = NULL;
325 
326 int
327 _init(void)
328 {
329 	int ret;
330 
331 	/*
332 	 * Register with KCF. If the registration fails, return error.
333 	 */
334 	if ((ret = crypto_register_provider(&rsa_prov_info,
335 	    &rsa_prov_handle)) != CRYPTO_SUCCESS) {
336 		cmn_err(CE_WARN, "rsa _init: crypto_register_provider()"
337 		    "failed (0x%x)", ret);
338 		return (EACCES);
339 	}
340 
341 	if ((ret = mod_install(&modlinkage)) != 0) {
342 		int rv;
343 
344 		ASSERT(rsa_prov_handle != NULL);
345 		/* We should not return if the unregister returns busy. */
346 		while ((rv = crypto_unregister_provider(rsa_prov_handle))
347 		    == CRYPTO_BUSY) {
348 			cmn_err(CE_WARN, "rsa _init: "
349 			    "crypto_unregister_provider() "
350 			    "failed (0x%x). Retrying.", rv);
351 			/* wait 10 seconds and try again. */
352 			delay(10 * drv_usectohz(1000000));
353 		}
354 	}
355 
356 	return (ret);
357 }
358 
359 int
360 _fini(void)
361 {
362 	int ret;
363 
364 	/*
365 	 * Unregister from KCF if previous registration succeeded.
366 	 */
367 	if (rsa_prov_handle != NULL) {
368 		if ((ret = crypto_unregister_provider(rsa_prov_handle)) !=
369 		    CRYPTO_SUCCESS) {
370 			cmn_err(CE_WARN, "rsa _fini: "
371 			    "crypto_unregister_provider() "
372 			    "failed (0x%x)", ret);
373 			return (EBUSY);
374 		}
375 		rsa_prov_handle = NULL;
376 	}
377 
378 	return (mod_remove(&modlinkage));
379 }
380 
381 int
382 _info(struct modinfo *modinfop)
383 {
384 	return (mod_info(&modlinkage, modinfop));
385 }
386 
387 /* ARGSUSED */
388 static void
389 rsa_provider_status(crypto_provider_handle_t provider, uint_t *status)
390 {
391 	*status = CRYPTO_PROVIDER_READY;
392 }
393 
394 static int
395 check_mech_and_key(crypto_mechanism_t *mechanism, crypto_key_t *key)
396 {
397 	int rv = CRYPTO_FAILED;
398 
399 /* EXPORT DELETE START */
400 
401 	uchar_t *modulus;
402 	ssize_t modulus_len; /* In bytes */
403 
404 	if (!RSA_VALID_MECH(mechanism))
405 		return (CRYPTO_MECHANISM_INVALID);
406 
407 	/*
408 	 * We only support RSA keys that are passed as a list of
409 	 * object attributes.
410 	 */
411 	if (key->ck_format != CRYPTO_KEY_ATTR_LIST) {
412 		return (CRYPTO_KEY_TYPE_INCONSISTENT);
413 	}
414 
415 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
416 	    &modulus_len)) != CRYPTO_SUCCESS) {
417 		return (rv);
418 	}
419 	if (modulus_len < MIN_RSA_KEYLENGTH_IN_BYTES ||
420 	    modulus_len > MAX_RSA_KEYLENGTH_IN_BYTES)
421 		return (CRYPTO_KEY_SIZE_RANGE);
422 
423 /* EXPORT DELETE END */
424 
425 	return (rv);
426 }
427 
428 void
429 kmemset(uint8_t *buf, char pattern, size_t len)
430 {
431 	int i = 0;
432 
433 	while (i < len)
434 		buf[i++] = pattern;
435 }
436 
437 /*
438  * This function guarantees to return non-zero random numbers.
439  * This is needed as the /dev/urandom kernel interface,
440  * random_get_pseudo_bytes(), may return zeros.
441  */
442 int
443 knzero_random_generator(uint8_t *ran_out, size_t ran_len)
444 {
445 	int rv;
446 	size_t ebc = 0; /* count of extra bytes in extrarand */
447 	size_t i = 0;
448 	uint8_t extrarand[32];
449 	size_t extrarand_len;
450 
451 	if ((rv = random_get_pseudo_bytes(ran_out, ran_len)) != 0)
452 		return (rv);
453 
454 	/*
455 	 * Walk through the returned random numbers pointed by ran_out,
456 	 * and look for any random number which is zero.
457 	 * If we find zero, call random_get_pseudo_bytes() to generate
458 	 * another 32 random numbers pool. Replace any zeros in ran_out[]
459 	 * from the random number in pool.
460 	 */
461 	while (i < ran_len) {
462 		if (ran_out[i] != 0) {
463 			i++;
464 			continue;
465 		}
466 
467 		/*
468 		 * Note that it is 'while' so we are guaranteed a
469 		 * non-zero value on exit.
470 		 */
471 		if (ebc == 0) {
472 			/* refresh extrarand */
473 			extrarand_len = sizeof (extrarand);
474 			if ((rv = random_get_pseudo_bytes(extrarand,
475 			    extrarand_len)) != 0) {
476 				return (rv);
477 			}
478 
479 			ebc = extrarand_len;
480 		}
481 		/* Replace zero with byte from extrarand. */
482 		-- ebc;
483 
484 		/*
485 		 * The new random byte zero/non-zero will be checked in
486 		 * the next pass through the loop.
487 		 */
488 		ran_out[i] = extrarand[ebc];
489 	}
490 
491 	return (CRYPTO_SUCCESS);
492 }
493 
494 static int
495 compare_data(crypto_data_t *data, uchar_t *buf)
496 {
497 	int len;
498 	uchar_t *dptr;
499 
500 	len = data->cd_length;
501 	switch (data->cd_format) {
502 	case CRYPTO_DATA_RAW:
503 		dptr = (uchar_t *)(data->cd_raw.iov_base +
504 		    data->cd_offset);
505 
506 		return (bcmp(dptr, buf, len));
507 
508 	case CRYPTO_DATA_UIO:
509 		return (crypto_uio_data(data, buf, len,
510 		    COMPARE_TO_DATA, NULL, NULL));
511 
512 	case CRYPTO_DATA_MBLK:
513 		return (crypto_mblk_data(data, buf, len,
514 		    COMPARE_TO_DATA, NULL, NULL));
515 	}
516 
517 	return (CRYPTO_FAILED);
518 }
519 
520 /* ARGSUSED */
521 static int
522 rsa_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
523     crypto_key_t *key, crypto_spi_ctx_template_t template,
524     crypto_req_handle_t req)
525 {
526 	int rv;
527 	int kmflag;
528 	rsa_ctx_t *ctxp;
529 
530 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
531 		return (rv);
532 
533 	/*
534 	 * Allocate a RSA context.
535 	 */
536 	kmflag = crypto_kmflag(req);
537 	if ((ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag)) == NULL)
538 		return (CRYPTO_HOST_MEMORY);
539 
540 	if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size,
541 	    kmflag)) != CRYPTO_SUCCESS) {
542 		kmem_free(ctxp, sizeof (rsa_ctx_t));
543 		return (rv);
544 	}
545 	ctxp->mech_type = mechanism->cm_type;
546 
547 	ctx->cc_provider_private = ctxp;
548 
549 	return (CRYPTO_SUCCESS);
550 }
551 
552 /* ARGSUSED */
553 static int
554 rsa_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext,
555     crypto_data_t *ciphertext, crypto_req_handle_t req)
556 {
557 	int rv;
558 	rsa_ctx_t *ctxp;
559 
560 	ASSERT(ctx->cc_provider_private != NULL);
561 	ctxp = ctx->cc_provider_private;
562 
563 	RSA_ARG_INPLACE(plaintext, ciphertext);
564 
565 	/*
566 	 * Note on the KM_SLEEP flag passed to the routine below -
567 	 * rsa_encrypt() is a single-part encryption routine which is
568 	 * currently usable only by /dev/crypto. Since /dev/crypto calls are
569 	 * always synchronous, we can safely pass KM_SLEEP here.
570 	 */
571 	rv = rsa_encrypt_common(ctxp->mech_type, ctxp->key, plaintext,
572 	    ciphertext, KM_SLEEP);
573 
574 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
575 		(void) rsa_free_context(ctx);
576 
577 	return (rv);
578 }
579 
580 /* ARGSUSED */
581 static int
582 rsa_encrypt_atomic(crypto_provider_handle_t provider,
583     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
584     crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext,
585     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
586 {
587 	int rv;
588 
589 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
590 		return (rv);
591 	RSA_ARG_INPLACE(plaintext, ciphertext);
592 
593 	return (rsa_encrypt_common(mechanism->cm_type, key, plaintext,
594 	    ciphertext, crypto_kmflag(req)));
595 }
596 
597 static int
598 rsa_free_context(crypto_ctx_t *ctx)
599 {
600 	rsa_ctx_t *ctxp = ctx->cc_provider_private;
601 
602 	if (ctxp != NULL) {
603 		bzero(ctxp->key, ctxp->keychunk_size);
604 		kmem_free(ctxp->key, ctxp->keychunk_size);
605 
606 		if (ctxp->mech_type == RSA_PKCS_MECH_INFO_TYPE ||
607 		    ctxp->mech_type == RSA_X_509_MECH_INFO_TYPE)
608 			kmem_free(ctxp, sizeof (rsa_ctx_t));
609 		else
610 			kmem_free(ctxp, sizeof (digest_rsa_ctx_t));
611 
612 		ctx->cc_provider_private = NULL;
613 	}
614 
615 	return (CRYPTO_SUCCESS);
616 }
617 
618 static int
619 rsa_encrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
620     crypto_data_t *plaintext, crypto_data_t *ciphertext, int kmflag)
621 {
622 	int rv = CRYPTO_FAILED;
623 
624 /* EXPORT DELETE START */
625 
626 	int plen;
627 	uchar_t *ptptr;
628 	uchar_t *modulus;
629 	ssize_t modulus_len;
630 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
631 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
632 	uchar_t cipher_data[MAX_RSA_KEYLENGTH_IN_BYTES];
633 
634 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
635 	    &modulus_len)) != CRYPTO_SUCCESS) {
636 		return (rv);
637 	}
638 
639 	plen = plaintext->cd_length;
640 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
641 		if (plen > (modulus_len - MIN_PKCS1_PADLEN))
642 			return (CRYPTO_DATA_LEN_RANGE);
643 	} else {
644 		if (plen > modulus_len)
645 			return (CRYPTO_DATA_LEN_RANGE);
646 	}
647 
648 	/*
649 	 * Output buf len must not be less than RSA modulus size.
650 	 */
651 	if (ciphertext->cd_length < modulus_len) {
652 		ciphertext->cd_length = modulus_len;
653 		return (CRYPTO_BUFFER_TOO_SMALL);
654 	}
655 
656 	ASSERT(plaintext->cd_length <= sizeof (tmp_data));
657 	if ((rv = crypto_get_input_data(plaintext, &ptptr, tmp_data))
658 	    != CRYPTO_SUCCESS)
659 		return (rv);
660 
661 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
662 		rv = soft_encrypt_rsa_pkcs_encode(ptptr, plen,
663 		    plain_data, modulus_len);
664 
665 		if (rv != CRYPTO_SUCCESS)
666 			return (rv);
667 	} else {
668 		bzero(plain_data, modulus_len - plen);
669 		bcopy(ptptr, &plain_data[modulus_len - plen], plen);
670 	}
671 
672 	rv = core_rsa_encrypt(key, plain_data, modulus_len,
673 	    cipher_data, kmflag, 1);
674 	if (rv == CRYPTO_SUCCESS) {
675 		/* copy out to ciphertext */
676 		if ((rv = crypto_put_output_data(cipher_data,
677 		    ciphertext, modulus_len)) != CRYPTO_SUCCESS)
678 			return (rv);
679 
680 		ciphertext->cd_length = modulus_len;
681 	}
682 
683 /* EXPORT DELETE END */
684 
685 	return (rv);
686 }
687 
688 /* EXPORT DELETE START */
689 
690 static int
691 core_rsa_encrypt(crypto_key_t *key, uchar_t *in,
692     int in_len, uchar_t *out, int kmflag, int is_public)
693 {
694 	int rv;
695 	uchar_t *expo, *modulus;
696 	ssize_t	expo_len;
697 	ssize_t modulus_len;
698 	BIGNUM msg;
699 	RSAkey *rsakey;
700 
701 	if (is_public) {
702 		if ((rv = crypto_get_key_attr(key, SUN_CKA_PUBLIC_EXPONENT,
703 		    &expo, &expo_len)) != CRYPTO_SUCCESS)
704 			return (rv);
705 	} else {
706 		/*
707 		 * SUN_CKA_PRIVATE_EXPONENT is a required attribute for a
708 		 * RSA secret key. See the comments in core_rsa_decrypt
709 		 * routine which calls this routine with a private key.
710 		 */
711 		if ((rv = crypto_get_key_attr(key, SUN_CKA_PRIVATE_EXPONENT,
712 		    &expo, &expo_len)) != CRYPTO_SUCCESS)
713 			return (rv);
714 	}
715 
716 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
717 	    &modulus_len)) != CRYPTO_SUCCESS) {
718 		return (rv);
719 	}
720 
721 	rsakey = kmem_alloc(sizeof (RSAkey), kmflag);
722 	if (rsakey == NULL)
723 		return (CRYPTO_HOST_MEMORY);
724 
725 	/* psize and qsize for RSA_key_init is in bits. */
726 	if (RSA_key_init(rsakey, modulus_len * 4, modulus_len * 4) != BIG_OK) {
727 		rv = CRYPTO_HOST_MEMORY;
728 		goto clean1;
729 	}
730 
731 	/* Size for big_init is in BIG_CHUNK_TYPE words. */
732 	if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) {
733 		rv = CRYPTO_HOST_MEMORY;
734 		goto clean2;
735 	}
736 
737 	/* Convert octet string exponent to big integer format. */
738 	bytestring2bignum(&(rsakey->e), expo, expo_len);
739 
740 	/* Convert octet string modulus to big integer format. */
741 	bytestring2bignum(&(rsakey->n), modulus, modulus_len);
742 
743 	/* Convert octet string input data to big integer format. */
744 	bytestring2bignum(&msg, in, in_len);
745 
746 	if (big_cmp_abs(&msg, &(rsakey->n)) > 0) {
747 		rv = CRYPTO_DATA_LEN_RANGE;
748 		goto clean3;
749 	}
750 
751 	/* Perform RSA computation on big integer input data. */
752 	if (big_modexp(&msg, &msg, &(rsakey->e), &(rsakey->n), NULL)
753 	    != BIG_OK) {
754 		rv = CRYPTO_HOST_MEMORY;
755 		goto clean3;
756 	}
757 
758 	/* Convert the big integer output data to octet string. */
759 	bignum2bytestring(out, &msg, modulus_len);
760 
761 	/*
762 	 * Should not free modulus and expo as both are just pointers
763 	 * to an attribute value buffer from the caller.
764 	 */
765 clean3:
766 	big_finish(&msg);
767 clean2:
768 	RSA_key_finish(rsakey);
769 clean1:
770 	kmem_free(rsakey, sizeof (RSAkey));
771 
772 	return (rv);
773 }
774 
775 /* EXPORT DELETE END */
776 
777 /* ARGSUSED */
778 static int
779 rsa_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
780     crypto_data_t *plaintext, crypto_req_handle_t req)
781 {
782 	int rv;
783 	rsa_ctx_t *ctxp;
784 
785 	ASSERT(ctx->cc_provider_private != NULL);
786 	ctxp = ctx->cc_provider_private;
787 
788 	RSA_ARG_INPLACE(ciphertext, plaintext);
789 
790 	/* See the comments on KM_SLEEP flag in rsa_encrypt() */
791 	rv = rsa_decrypt_common(ctxp->mech_type, ctxp->key,
792 	    ciphertext, plaintext, KM_SLEEP);
793 
794 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
795 		(void) rsa_free_context(ctx);
796 
797 	return (rv);
798 }
799 
800 /* ARGSUSED */
801 static int
802 rsa_decrypt_atomic(crypto_provider_handle_t provider,
803     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
804     crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
805     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
806 {
807 	int rv;
808 
809 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
810 		return (rv);
811 	RSA_ARG_INPLACE(ciphertext, plaintext);
812 
813 	return (rsa_decrypt_common(mechanism->cm_type, key, ciphertext,
814 	    plaintext, crypto_kmflag(req)));
815 }
816 
817 static int
818 rsa_decrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
819     crypto_data_t *ciphertext, crypto_data_t *plaintext, int kmflag)
820 {
821 	int rv = CRYPTO_FAILED;
822 
823 /* EXPORT DELETE START */
824 
825 	int plain_len;
826 	uchar_t *ctptr;
827 	uchar_t *modulus;
828 	ssize_t modulus_len;
829 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
830 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
831 
832 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
833 	    &modulus_len)) != CRYPTO_SUCCESS) {
834 		return (rv);
835 	}
836 
837 	/*
838 	 * Ciphertext length must be equal to RSA modulus size.
839 	 */
840 	if (ciphertext->cd_length != modulus_len)
841 		return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
842 
843 	ASSERT(ciphertext->cd_length <= sizeof (tmp_data));
844 	if ((rv = crypto_get_input_data(ciphertext, &ctptr, tmp_data))
845 	    != CRYPTO_SUCCESS)
846 		return (rv);
847 
848 	rv = core_rsa_decrypt(key, ctptr, modulus_len, plain_data, kmflag);
849 	if (rv == CRYPTO_SUCCESS) {
850 		plain_len = modulus_len;
851 
852 		if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
853 			/* Strip off the PKCS block formatting data. */
854 			rv = soft_decrypt_rsa_pkcs_decode(plain_data,
855 			    &plain_len);
856 			if (rv != CRYPTO_SUCCESS)
857 				return (rv);
858 		}
859 
860 		if (plain_len > plaintext->cd_length) {
861 			plaintext->cd_length = plain_len;
862 			return (CRYPTO_BUFFER_TOO_SMALL);
863 		}
864 
865 		if ((rv = crypto_put_output_data(
866 		    plain_data + modulus_len - plain_len,
867 		    plaintext, plain_len)) != CRYPTO_SUCCESS)
868 			return (rv);
869 
870 		plaintext->cd_length = plain_len;
871 	}
872 
873 /* EXPORT DELETE END */
874 
875 	return (rv);
876 }
877 
878 /* EXPORT DELETE START */
879 
880 static int
881 core_rsa_decrypt(crypto_key_t *key, uchar_t *in, int in_len,
882     uchar_t *out, int kmflag)
883 {
884 	int rv;
885 	uchar_t *modulus, *prime1, *prime2, *expo1, *expo2, *coef;
886 	ssize_t modulus_len;
887 	ssize_t	prime1_len, prime2_len;
888 	ssize_t	expo1_len, expo2_len, coef_len;
889 	BIGNUM msg;
890 	RSAkey *rsakey;
891 
892 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
893 	    &modulus_len)) != CRYPTO_SUCCESS) {
894 		return (rv);
895 	}
896 
897 	/*
898 	 * The following attributes are not required to be
899 	 * present in a RSA secret key. If any of them is not present
900 	 * we call the encrypt routine with a flag indicating use of
901 	 * private exponent (d). Note that SUN_CKA_PRIVATE_EXPONENT is
902 	 * a required attribute for a RSA secret key.
903 	 */
904 	if ((crypto_get_key_attr(key, SUN_CKA_PRIME_1, &prime1, &prime1_len)
905 	    != CRYPTO_SUCCESS) ||
906 	    (crypto_get_key_attr(key, SUN_CKA_PRIME_2, &prime2, &prime2_len)
907 	    != CRYPTO_SUCCESS) ||
908 	    (crypto_get_key_attr(key, SUN_CKA_EXPONENT_1, &expo1, &expo1_len)
909 	    != CRYPTO_SUCCESS) ||
910 	    (crypto_get_key_attr(key, SUN_CKA_EXPONENT_2, &expo2, &expo2_len)
911 	    != CRYPTO_SUCCESS) ||
912 	    (crypto_get_key_attr(key, SUN_CKA_COEFFICIENT, &coef, &coef_len)
913 	    != CRYPTO_SUCCESS)) {
914 		return (core_rsa_encrypt(key, in, in_len, out, kmflag, 0));
915 	}
916 
917 	rsakey = kmem_alloc(sizeof (RSAkey), kmflag);
918 	if (rsakey == NULL)
919 		return (CRYPTO_HOST_MEMORY);
920 
921 	/* psize and qsize for RSA_key_init is in bits. */
922 	if (RSA_key_init(rsakey, prime2_len * 8, prime1_len * 8) != BIG_OK) {
923 		rv = CRYPTO_HOST_MEMORY;
924 		goto clean1;
925 	}
926 
927 	/* Size for big_init is in BIG_CHUNK_TYPE words. */
928 	if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) {
929 		rv = CRYPTO_HOST_MEMORY;
930 		goto clean2;
931 	}
932 
933 	/* Convert octet string input data to big integer format. */
934 	bytestring2bignum(&msg, in, in_len);
935 
936 	/* Convert octet string modulus to big integer format. */
937 	bytestring2bignum(&(rsakey->n), modulus, modulus_len);
938 
939 	if (big_cmp_abs(&msg, &(rsakey->n)) > 0) {
940 		rv = CRYPTO_DATA_LEN_RANGE;
941 		goto clean3;
942 	}
943 
944 	/* Convert the rest of private key attributes to big integer format. */
945 	bytestring2bignum(&(rsakey->dmodpminus1), expo2, expo2_len);
946 	bytestring2bignum(&(rsakey->dmodqminus1), expo1, expo1_len);
947 	bytestring2bignum(&(rsakey->p), prime2, prime2_len);
948 	bytestring2bignum(&(rsakey->q), prime1, prime1_len);
949 	bytestring2bignum(&(rsakey->pinvmodq), coef, coef_len);
950 
951 	if ((big_cmp_abs(&(rsakey->dmodpminus1), &(rsakey->p)) > 0) ||
952 	    (big_cmp_abs(&(rsakey->dmodqminus1), &(rsakey->q)) > 0) ||
953 	    (big_cmp_abs(&(rsakey->pinvmodq), &(rsakey->q)) > 0)) {
954 		rv = CRYPTO_KEY_SIZE_RANGE;
955 		goto clean3;
956 	}
957 
958 	/* Perform RSA computation on big integer input data. */
959 	if (big_modexp_crt(&msg, &msg, &(rsakey->dmodpminus1),
960 	    &(rsakey->dmodqminus1), &(rsakey->p), &(rsakey->q),
961 	    &(rsakey->pinvmodq), NULL, NULL) != BIG_OK) {
962 		rv = CRYPTO_HOST_MEMORY;
963 		goto clean3;
964 	}
965 
966 	/* Convert the big integer output data to octet string. */
967 	bignum2bytestring(out, &msg, modulus_len);
968 
969 	/*
970 	 * Should not free modulus and friends as they are just pointers
971 	 * to an attribute value buffer from the caller.
972 	 */
973 clean3:
974 	big_finish(&msg);
975 clean2:
976 	RSA_key_finish(rsakey);
977 clean1:
978 	kmem_free(rsakey, sizeof (RSAkey));
979 
980 	return (rv);
981 }
982 
983 /* EXPORT DELETE END */
984 
985 /* ARGSUSED */
986 static int
987 rsa_sign_verify_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
988     crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
989     crypto_req_handle_t req)
990 {
991 	int rv;
992 	int kmflag;
993 	rsa_ctx_t *ctxp;
994 	digest_rsa_ctx_t *dctxp;
995 
996 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
997 		return (rv);
998 
999 	/*
1000 	 * Allocate a RSA context.
1001 	 */
1002 	kmflag = crypto_kmflag(req);
1003 	switch (mechanism->cm_type) {
1004 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1005 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1006 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1007 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1008 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1009 		dctxp = kmem_zalloc(sizeof (digest_rsa_ctx_t), kmflag);
1010 		ctxp = (rsa_ctx_t *)dctxp;
1011 		break;
1012 	default:
1013 		ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag);
1014 		break;
1015 	}
1016 
1017 	if (ctxp == NULL)
1018 		return (CRYPTO_HOST_MEMORY);
1019 
1020 	ctxp->mech_type = mechanism->cm_type;
1021 	if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size,
1022 	    kmflag)) != CRYPTO_SUCCESS) {
1023 		switch (mechanism->cm_type) {
1024 		case MD5_RSA_PKCS_MECH_INFO_TYPE:
1025 		case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1026 		case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1027 		case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1028 		case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1029 			kmem_free(dctxp, sizeof (digest_rsa_ctx_t));
1030 			break;
1031 		default:
1032 			kmem_free(ctxp, sizeof (rsa_ctx_t));
1033 			break;
1034 		}
1035 		return (rv);
1036 	}
1037 
1038 	switch (mechanism->cm_type) {
1039 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1040 		MD5Init(&(dctxp->md5_ctx));
1041 		break;
1042 
1043 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1044 		SHA1Init(&(dctxp->sha1_ctx));
1045 		break;
1046 
1047 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1048 		SHA2Init(SHA256, &(dctxp->sha2_ctx));
1049 		break;
1050 
1051 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1052 		SHA2Init(SHA384, &(dctxp->sha2_ctx));
1053 		break;
1054 
1055 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1056 		SHA2Init(SHA512, &(dctxp->sha2_ctx));
1057 		break;
1058 	}
1059 
1060 	ctx->cc_provider_private = ctxp;
1061 
1062 	return (CRYPTO_SUCCESS);
1063 }
1064 
1065 #define	SHA1_DIGEST_SIZE 20
1066 #define	MD5_DIGEST_SIZE 16
1067 
1068 #define	INIT_RAW_CRYPTO_DATA(data, base, len, cd_len)	\
1069 	(data).cd_format = CRYPTO_DATA_RAW;		\
1070 	(data).cd_offset = 0;				\
1071 	(data).cd_raw.iov_base = (char *)base;		\
1072 	(data).cd_raw.iov_len = len;			\
1073 	(data).cd_length = cd_len;
1074 
1075 static int
1076 rsa_digest_svrfy_common(digest_rsa_ctx_t *ctxp, crypto_data_t *data,
1077     crypto_data_t *signature, int kmflag, uchar_t flag)
1078 {
1079 	int rv = CRYPTO_FAILED;
1080 
1081 /* EXPORT DELETE START */
1082 
1083 	uchar_t digest[SHA512_DIGEST_LENGTH];
1084 	/* The der_data size is enough for MD5 also */
1085 	uchar_t der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len];
1086 	ulong_t der_data_len;
1087 	crypto_data_t der_cd;
1088 	rsa_mech_type_t mech_type;
1089 
1090 	ASSERT(flag & CRYPTO_DO_SIGN || flag & CRYPTO_DO_VERIFY);
1091 	ASSERT(data != NULL || (flag & CRYPTO_DO_FINAL));
1092 
1093 	mech_type = ctxp->mech_type;
1094 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE ||
1095 	    mech_type == RSA_X_509_MECH_INFO_TYPE)
1096 		return (CRYPTO_MECHANISM_INVALID);
1097 
1098 	/*
1099 	 * We need to do the BUFFER_TOO_SMALL check before digesting
1100 	 * the data. No check is needed for verify as signature is not
1101 	 * an output argument for verify.
1102 	 */
1103 	if (flag & CRYPTO_DO_SIGN) {
1104 		uchar_t *modulus;
1105 		ssize_t modulus_len;
1106 
1107 		if ((rv = crypto_get_key_attr(ctxp->key, SUN_CKA_MODULUS,
1108 		    &modulus, &modulus_len)) != CRYPTO_SUCCESS) {
1109 			return (rv);
1110 		}
1111 
1112 		if (signature->cd_length < modulus_len) {
1113 			signature->cd_length = modulus_len;
1114 			return (CRYPTO_BUFFER_TOO_SMALL);
1115 		}
1116 	}
1117 
1118 	if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE)
1119 		rv = crypto_digest_data(data, &(ctxp->md5_ctx),
1120 		    digest, MD5Update, MD5Final, flag | CRYPTO_DO_MD5);
1121 
1122 	else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE)
1123 		rv = crypto_digest_data(data, &(ctxp->sha1_ctx),
1124 		    digest, SHA1Update, SHA1Final,  flag | CRYPTO_DO_SHA1);
1125 
1126 	else
1127 		rv = crypto_digest_data(data, &(ctxp->sha2_ctx),
1128 		    digest, SHA2Update, SHA2Final, flag | CRYPTO_DO_SHA2);
1129 
1130 	if (rv != CRYPTO_SUCCESS)
1131 		return (rv);
1132 
1133 
1134 	/*
1135 	 * Prepare the DER encoding of the DigestInfo value as follows:
1136 	 * MD5:		MD5_DER_PREFIX || H
1137 	 * SHA-1:	SHA1_DER_PREFIX || H
1138 	 *
1139 	 * See rsa_impl.c for more details.
1140 	 */
1141 	switch (mech_type) {
1142 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1143 		bcopy(MD5_DER_PREFIX, der_data, MD5_DER_PREFIX_Len);
1144 		bcopy(digest, der_data + MD5_DER_PREFIX_Len, MD5_DIGEST_SIZE);
1145 		der_data_len = MD5_DER_PREFIX_Len + MD5_DIGEST_SIZE;
1146 		break;
1147 
1148 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1149 		bcopy(SHA1_DER_PREFIX, der_data, SHA1_DER_PREFIX_Len);
1150 		bcopy(digest, der_data + SHA1_DER_PREFIX_Len,
1151 		    SHA1_DIGEST_SIZE);
1152 		der_data_len = SHA1_DER_PREFIX_Len + SHA1_DIGEST_SIZE;
1153 		break;
1154 
1155 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1156 		bcopy(SHA256_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1157 		bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1158 		    SHA256_DIGEST_LENGTH);
1159 		der_data_len = SHA2_DER_PREFIX_Len + SHA256_DIGEST_LENGTH;
1160 		break;
1161 
1162 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1163 		bcopy(SHA384_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1164 		bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1165 		    SHA384_DIGEST_LENGTH);
1166 		der_data_len = SHA2_DER_PREFIX_Len + SHA384_DIGEST_LENGTH;
1167 		break;
1168 
1169 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1170 		bcopy(SHA512_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1171 		bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1172 		    SHA512_DIGEST_LENGTH);
1173 		der_data_len = SHA2_DER_PREFIX_Len + SHA512_DIGEST_LENGTH;
1174 		break;
1175 	}
1176 
1177 	INIT_RAW_CRYPTO_DATA(der_cd, der_data, der_data_len, der_data_len);
1178 	/*
1179 	 * Now, we are ready to sign or verify the DER_ENCODED data.
1180 	 */
1181 	if (flag & CRYPTO_DO_SIGN)
1182 		rv = rsa_sign_common(mech_type, ctxp->key, &der_cd,
1183 		    signature, kmflag);
1184 	else
1185 		rv = rsa_verify_common(mech_type, ctxp->key, &der_cd,
1186 		    signature, kmflag);
1187 
1188 /* EXPORT DELETE END */
1189 
1190 	return (rv);
1191 }
1192 
1193 static int
1194 rsa_sign_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1195     crypto_data_t *data, crypto_data_t *signature, int kmflag)
1196 {
1197 	int rv = CRYPTO_FAILED;
1198 
1199 /* EXPORT DELETE START */
1200 
1201 	int dlen;
1202 	uchar_t *dataptr, *modulus;
1203 	ssize_t modulus_len;
1204 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1205 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1206 	uchar_t signed_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1207 
1208 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1209 	    &modulus_len)) != CRYPTO_SUCCESS) {
1210 		return (rv);
1211 	}
1212 
1213 	dlen = data->cd_length;
1214 	switch (mech_type) {
1215 	case RSA_PKCS_MECH_INFO_TYPE:
1216 		if (dlen > (modulus_len - MIN_PKCS1_PADLEN))
1217 			return (CRYPTO_DATA_LEN_RANGE);
1218 		break;
1219 	case RSA_X_509_MECH_INFO_TYPE:
1220 		if (dlen > modulus_len)
1221 			return (CRYPTO_DATA_LEN_RANGE);
1222 		break;
1223 	}
1224 
1225 	if (signature->cd_length < modulus_len) {
1226 		signature->cd_length = modulus_len;
1227 		return (CRYPTO_BUFFER_TOO_SMALL);
1228 	}
1229 
1230 	ASSERT(data->cd_length <= sizeof (tmp_data));
1231 	if ((rv = crypto_get_input_data(data, &dataptr, tmp_data))
1232 	    != CRYPTO_SUCCESS)
1233 		return (rv);
1234 
1235 	switch (mech_type) {
1236 	case RSA_PKCS_MECH_INFO_TYPE:
1237 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1238 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1239 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1240 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1241 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1242 		/*
1243 		 * Add PKCS padding to the input data to format a block
1244 		 * type "01" encryption block.
1245 		 */
1246 		rv = soft_sign_rsa_pkcs_encode(dataptr, dlen, plain_data,
1247 		    modulus_len);
1248 		if (rv != CRYPTO_SUCCESS)
1249 			return (rv);
1250 
1251 		break;
1252 
1253 	case RSA_X_509_MECH_INFO_TYPE:
1254 		bzero(plain_data, modulus_len - dlen);
1255 		bcopy(dataptr, &plain_data[modulus_len - dlen], dlen);
1256 		break;
1257 	}
1258 
1259 	rv = core_rsa_decrypt(key, plain_data, modulus_len, signed_data,
1260 	    kmflag);
1261 	if (rv == CRYPTO_SUCCESS) {
1262 		/* copy out to signature */
1263 		if ((rv = crypto_put_output_data(signed_data,
1264 		    signature, modulus_len)) != CRYPTO_SUCCESS)
1265 			return (rv);
1266 
1267 		signature->cd_length = modulus_len;
1268 	}
1269 
1270 /* EXPORT DELETE END */
1271 
1272 	return (rv);
1273 }
1274 
1275 /* ARGSUSED */
1276 static int
1277 rsa_sign(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature,
1278     crypto_req_handle_t req)
1279 {
1280 	int rv;
1281 	rsa_ctx_t *ctxp;
1282 
1283 	ASSERT(ctx->cc_provider_private != NULL);
1284 	ctxp = ctx->cc_provider_private;
1285 
1286 	/* See the comments on KM_SLEEP flag in rsa_encrypt() */
1287 	switch (ctxp->mech_type) {
1288 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1289 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1290 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1291 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1292 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1293 		rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data,
1294 		    signature, KM_SLEEP, CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE |
1295 		    CRYPTO_DO_FINAL);
1296 		break;
1297 	default:
1298 		rv = rsa_sign_common(ctxp->mech_type, ctxp->key, data,
1299 		    signature, KM_SLEEP);
1300 		break;
1301 	}
1302 
1303 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1304 		(void) rsa_free_context(ctx);
1305 
1306 	return (rv);
1307 }
1308 
1309 /* ARGSUSED */
1310 static int
1311 rsa_sign_update(crypto_ctx_t *ctx, crypto_data_t *data, crypto_req_handle_t req)
1312 {
1313 	int rv;
1314 	digest_rsa_ctx_t *ctxp;
1315 	rsa_mech_type_t mech_type;
1316 
1317 	ASSERT(ctx->cc_provider_private != NULL);
1318 	ctxp = ctx->cc_provider_private;
1319 	mech_type = ctxp->mech_type;
1320 
1321 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE ||
1322 	    mech_type == RSA_X_509_MECH_INFO_TYPE)
1323 		return (CRYPTO_MECHANISM_INVALID);
1324 
1325 	if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE)
1326 		rv = crypto_digest_data(data, &(ctxp->md5_ctx),
1327 		    NULL, MD5Update, MD5Final,
1328 		    CRYPTO_DO_MD5 | CRYPTO_DO_UPDATE);
1329 
1330 	else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE)
1331 		rv = crypto_digest_data(data, &(ctxp->sha1_ctx),
1332 		    NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 |
1333 		    CRYPTO_DO_UPDATE);
1334 
1335 	else
1336 		rv = crypto_digest_data(data, &(ctxp->sha2_ctx),
1337 		    NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 |
1338 		    CRYPTO_DO_UPDATE);
1339 
1340 	return (rv);
1341 }
1342 
1343 static int
1344 rsa_sign_final(crypto_ctx_t *ctx, crypto_data_t *signature,
1345     crypto_req_handle_t req)
1346 {
1347 	int rv;
1348 	digest_rsa_ctx_t *ctxp;
1349 
1350 	ASSERT(ctx->cc_provider_private != NULL);
1351 	ctxp = ctx->cc_provider_private;
1352 
1353 	rv = rsa_digest_svrfy_common(ctxp, NULL, signature,
1354 	    crypto_kmflag(req), CRYPTO_DO_SIGN | CRYPTO_DO_FINAL);
1355 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1356 		(void) rsa_free_context(ctx);
1357 
1358 	return (rv);
1359 }
1360 
1361 /* ARGSUSED */
1362 static int
1363 rsa_sign_atomic(crypto_provider_handle_t provider,
1364     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1365     crypto_key_t *key, crypto_data_t *data, crypto_data_t *signature,
1366     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1367 {
1368 	int rv;
1369 	digest_rsa_ctx_t dctx;
1370 
1371 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1372 		return (rv);
1373 
1374 	if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE ||
1375 	    mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE)
1376 		rv = rsa_sign_common(mechanism->cm_type, key, data,
1377 		    signature, crypto_kmflag(req));
1378 
1379 	else {
1380 		dctx.mech_type = mechanism->cm_type;
1381 		dctx.key = key;
1382 		switch (mechanism->cm_type) {
1383 		case MD5_RSA_PKCS_MECH_INFO_TYPE:
1384 			MD5Init(&(dctx.md5_ctx));
1385 			break;
1386 
1387 		case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1388 			SHA1Init(&(dctx.sha1_ctx));
1389 			break;
1390 
1391 		case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1392 			SHA2Init(SHA256, &(dctx.sha2_ctx));
1393 			break;
1394 
1395 		case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1396 			SHA2Init(SHA384, &(dctx.sha2_ctx));
1397 			break;
1398 
1399 		case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1400 			SHA2Init(SHA512, &(dctx.sha2_ctx));
1401 			break;
1402 		}
1403 
1404 		rv = rsa_digest_svrfy_common(&dctx, data, signature,
1405 		    crypto_kmflag(req), CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE |
1406 		    CRYPTO_DO_FINAL);
1407 	}
1408 
1409 	return (rv);
1410 }
1411 
1412 static int
1413 rsa_verify_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1414     crypto_data_t *data, crypto_data_t *signature, int kmflag)
1415 {
1416 	int rv = CRYPTO_FAILED;
1417 
1418 /* EXPORT DELETE START */
1419 
1420 	uchar_t *sigptr, *modulus;
1421 	ssize_t modulus_len;
1422 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1423 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1424 
1425 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1426 	    &modulus_len)) != CRYPTO_SUCCESS) {
1427 		return (rv);
1428 	}
1429 
1430 	if (signature->cd_length != modulus_len)
1431 		return (CRYPTO_SIGNATURE_LEN_RANGE);
1432 
1433 	ASSERT(signature->cd_length <= sizeof (tmp_data));
1434 	if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data))
1435 	    != CRYPTO_SUCCESS)
1436 		return (rv);
1437 
1438 	rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, kmflag, 1);
1439 	if (rv != CRYPTO_SUCCESS)
1440 		return (rv);
1441 
1442 	if (mech_type == RSA_X_509_MECH_INFO_TYPE) {
1443 		if (compare_data(data, (plain_data + modulus_len
1444 		    - data->cd_length)) != 0)
1445 			rv = CRYPTO_SIGNATURE_INVALID;
1446 
1447 	} else {
1448 		int data_len = modulus_len;
1449 
1450 		/*
1451 		 * Strip off the encoded padding bytes in front of the
1452 		 * recovered data, then compare the recovered data with
1453 		 * the original data.
1454 		 */
1455 		rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len);
1456 		if (rv != CRYPTO_SUCCESS)
1457 			return (rv);
1458 
1459 		if (data_len != data->cd_length)
1460 			return (CRYPTO_SIGNATURE_LEN_RANGE);
1461 
1462 		if (compare_data(data, (plain_data + modulus_len
1463 		    - data_len)) != 0)
1464 			rv = CRYPTO_SIGNATURE_INVALID;
1465 	}
1466 
1467 /* EXPORT DELETE END */
1468 
1469 	return (rv);
1470 }
1471 
1472 /* ARGSUSED */
1473 static int
1474 rsa_verify(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature,
1475     crypto_req_handle_t req)
1476 {
1477 	int rv;
1478 	rsa_ctx_t *ctxp;
1479 
1480 	ASSERT(ctx->cc_provider_private != NULL);
1481 	ctxp = ctx->cc_provider_private;
1482 
1483 	/* See the comments on KM_SLEEP flag in rsa_encrypt() */
1484 	switch (ctxp->mech_type) {
1485 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1486 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1487 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1488 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1489 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1490 		rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data,
1491 		    signature, KM_SLEEP, CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE |
1492 		    CRYPTO_DO_FINAL);
1493 		break;
1494 	default:
1495 		rv = rsa_verify_common(ctxp->mech_type, ctxp->key, data,
1496 		    signature, KM_SLEEP);
1497 		break;
1498 	}
1499 
1500 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1501 		(void) rsa_free_context(ctx);
1502 
1503 	return (rv);
1504 }
1505 
1506 /* ARGSUSED */
1507 static int
1508 rsa_verify_update(crypto_ctx_t *ctx, crypto_data_t *data,
1509     crypto_req_handle_t req)
1510 {
1511 	int rv;
1512 	digest_rsa_ctx_t *ctxp;
1513 
1514 	ASSERT(ctx->cc_provider_private != NULL);
1515 	ctxp = ctx->cc_provider_private;
1516 
1517 	switch (ctxp->mech_type) {
1518 
1519 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1520 		rv = crypto_digest_data(data, &(ctxp->md5_ctx),
1521 		    NULL, MD5Update, MD5Final, CRYPTO_DO_MD5 |
1522 		    CRYPTO_DO_UPDATE);
1523 		break;
1524 
1525 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1526 		rv = crypto_digest_data(data, &(ctxp->sha1_ctx),
1527 		    NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 |
1528 		    CRYPTO_DO_UPDATE);
1529 		break;
1530 
1531 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1532 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1533 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1534 		rv = crypto_digest_data(data, &(ctxp->sha2_ctx),
1535 		    NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 |
1536 		    CRYPTO_DO_UPDATE);
1537 		break;
1538 
1539 	default:
1540 		return (CRYPTO_MECHANISM_INVALID);
1541 	}
1542 
1543 	return (rv);
1544 }
1545 
1546 static int
1547 rsa_verify_final(crypto_ctx_t *ctx, crypto_data_t *signature,
1548     crypto_req_handle_t req)
1549 {
1550 	int rv;
1551 	digest_rsa_ctx_t *ctxp;
1552 
1553 	ASSERT(ctx->cc_provider_private != NULL);
1554 	ctxp = ctx->cc_provider_private;
1555 
1556 	rv = rsa_digest_svrfy_common(ctxp, NULL, signature,
1557 	    crypto_kmflag(req), CRYPTO_DO_VERIFY | CRYPTO_DO_FINAL);
1558 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1559 		(void) rsa_free_context(ctx);
1560 
1561 	return (rv);
1562 }
1563 
1564 
1565 /* ARGSUSED */
1566 static int
1567 rsa_verify_atomic(crypto_provider_handle_t provider,
1568     crypto_session_id_t session_id,
1569     crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data,
1570     crypto_data_t *signature, crypto_spi_ctx_template_t ctx_template,
1571     crypto_req_handle_t req)
1572 {
1573 	int rv;
1574 	digest_rsa_ctx_t dctx;
1575 
1576 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1577 		return (rv);
1578 
1579 	if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE ||
1580 	    mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE)
1581 		rv = rsa_verify_common(mechanism->cm_type, key, data,
1582 		    signature, crypto_kmflag(req));
1583 
1584 	else {
1585 		dctx.mech_type = mechanism->cm_type;
1586 		dctx.key = key;
1587 
1588 		switch (mechanism->cm_type) {
1589 		case MD5_RSA_PKCS_MECH_INFO_TYPE:
1590 			MD5Init(&(dctx.md5_ctx));
1591 			break;
1592 
1593 		case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1594 			SHA1Init(&(dctx.sha1_ctx));
1595 			break;
1596 
1597 		case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1598 			SHA2Init(SHA256, &(dctx.sha2_ctx));
1599 			break;
1600 
1601 		case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1602 			SHA2Init(SHA384, &(dctx.sha2_ctx));
1603 			break;
1604 
1605 		case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1606 			SHA2Init(SHA512, &(dctx.sha2_ctx));
1607 			break;
1608 		}
1609 
1610 		rv = rsa_digest_svrfy_common(&dctx, data,
1611 		    signature, crypto_kmflag(req),
1612 		    CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL);
1613 	}
1614 
1615 	return (rv);
1616 }
1617 
1618 static int
1619 rsa_verify_recover_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1620     crypto_data_t *signature, crypto_data_t *data, int kmflag)
1621 {
1622 	int rv = CRYPTO_FAILED;
1623 
1624 /* EXPORT DELETE START */
1625 
1626 	int data_len;
1627 	uchar_t *sigptr, *modulus;
1628 	ssize_t modulus_len;
1629 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1630 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1631 
1632 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1633 	    &modulus_len)) != CRYPTO_SUCCESS) {
1634 		return (rv);
1635 	}
1636 
1637 	if (signature->cd_length != modulus_len)
1638 		return (CRYPTO_SIGNATURE_LEN_RANGE);
1639 
1640 	ASSERT(signature->cd_length <= sizeof (tmp_data));
1641 	if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data))
1642 	    != CRYPTO_SUCCESS)
1643 		return (rv);
1644 
1645 	rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, kmflag, 1);
1646 	if (rv != CRYPTO_SUCCESS)
1647 		return (rv);
1648 
1649 	data_len = modulus_len;
1650 
1651 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
1652 		/*
1653 		 * Strip off the encoded padding bytes in front of the
1654 		 * recovered data, then compare the recovered data with
1655 		 * the original data.
1656 		 */
1657 		rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len);
1658 		if (rv != CRYPTO_SUCCESS)
1659 			return (rv);
1660 	}
1661 
1662 	if (data->cd_length < data_len) {
1663 		data->cd_length = data_len;
1664 		return (CRYPTO_BUFFER_TOO_SMALL);
1665 	}
1666 
1667 	if ((rv = crypto_put_output_data(plain_data + modulus_len - data_len,
1668 	    data, data_len)) != CRYPTO_SUCCESS)
1669 		return (rv);
1670 	data->cd_length = data_len;
1671 
1672 /* EXPORT DELETE END */
1673 
1674 	return (rv);
1675 }
1676 
1677 /* ARGSUSED */
1678 static int
1679 rsa_verify_recover(crypto_ctx_t *ctx, crypto_data_t *signature,
1680     crypto_data_t *data, crypto_req_handle_t req)
1681 {
1682 	int rv;
1683 	rsa_ctx_t *ctxp;
1684 
1685 	ASSERT(ctx->cc_provider_private != NULL);
1686 	ctxp = ctx->cc_provider_private;
1687 
1688 	/* See the comments on KM_SLEEP flag in rsa_encrypt() */
1689 	rv = rsa_verify_recover_common(ctxp->mech_type, ctxp->key,
1690 	    signature, data, KM_SLEEP);
1691 
1692 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1693 		(void) rsa_free_context(ctx);
1694 
1695 	return (rv);
1696 }
1697 
1698 /* ARGSUSED */
1699 static int
1700 rsa_verify_recover_atomic(crypto_provider_handle_t provider,
1701     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1702     crypto_key_t *key, crypto_data_t *signature, crypto_data_t *data,
1703     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1704 {
1705 	int rv;
1706 
1707 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1708 		return (rv);
1709 
1710 	return (rsa_verify_recover_common(mechanism->cm_type, key,
1711 	    signature, data, crypto_kmflag(req)));
1712 }
1713 
1714 /*
1715  * RSA Power-Up Self-Test
1716  */
1717 void
1718 rsa_POST(int *rc)
1719 {
1720 
1721 	*rc = fips_rsa_post();
1722 
1723 }
1724