xref: /titanic_52/usr/src/uts/common/crypto/io/rsa.c (revision c1ecd8b9404ee0d96d93f02e82c441b9bb149a3d)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 /*
29  * RSA provider for the Kernel Cryptographic Framework (KCF)
30  */
31 
32 #include <sys/types.h>
33 #include <sys/systm.h>
34 #include <sys/modctl.h>
35 #include <sys/cmn_err.h>
36 #include <sys/ddi.h>
37 #include <sys/crypto/spi.h>
38 #include <sys/sysmacros.h>
39 #include <sys/strsun.h>
40 #include <sys/md5.h>
41 #include <sys/sha1.h>
42 #include <sys/sha2.h>
43 #include <sys/random.h>
44 #include <sys/crypto/impl.h>
45 #include "rsa_impl.h"
46 
47 extern struct mod_ops mod_cryptoops;
48 
49 /*
50  * Module linkage information for the kernel.
51  */
52 static struct modlcrypto modlcrypto = {
53 	&mod_cryptoops,
54 	"RSA Kernel SW Provider"
55 };
56 
57 static struct modlinkage modlinkage = {
58 	MODREV_1,
59 	(void *)&modlcrypto,
60 	NULL
61 };
62 
63 /*
64  * CSPI information (entry points, provider info, etc.)
65  */
66 typedef enum rsa_mech_type {
67 	RSA_PKCS_MECH_INFO_TYPE,	/* SUN_CKM_RSA_PKCS */
68 	RSA_X_509_MECH_INFO_TYPE,	/* SUN_CKM_RSA_X_509 */
69 	MD5_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_MD5_RSA_PKCS */
70 	SHA1_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_SHA1_RSA_PKCS */
71 	SHA256_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_SHA256_RSA_PKCS */
72 	SHA384_RSA_PKCS_MECH_INFO_TYPE,	/* SUN_SHA384_RSA_PKCS */
73 	SHA512_RSA_PKCS_MECH_INFO_TYPE	/* SUN_SHA512_RSA_PKCS */
74 } rsa_mech_type_t;
75 
76 /*
77  * Context for RSA_PKCS and RSA_X_509 mechanisms.
78  */
79 typedef struct rsa_ctx {
80 	rsa_mech_type_t	mech_type;
81 	crypto_key_t *key;
82 	size_t keychunk_size;
83 } rsa_ctx_t;
84 
85 /*
86  * Context for MD5_RSA_PKCS and SHA*_RSA_PKCS mechanisms.
87  */
88 typedef struct digest_rsa_ctx {
89 	rsa_mech_type_t	mech_type;
90 	crypto_key_t *key;
91 	size_t keychunk_size;
92 	union {
93 		MD5_CTX md5ctx;
94 		SHA1_CTX sha1ctx;
95 		SHA2_CTX sha2ctx;
96 	} dctx_u;
97 } digest_rsa_ctx_t;
98 
99 #define	md5_ctx		dctx_u.md5ctx
100 #define	sha1_ctx	dctx_u.sha1ctx
101 #define	sha2_ctx	dctx_u.sha2ctx
102 
103 /*
104  * Mechanism info structure passed to KCF during registration.
105  */
106 static crypto_mech_info_t rsa_mech_info_tab[] = {
107 	/* RSA_PKCS */
108 	{SUN_CKM_RSA_PKCS, RSA_PKCS_MECH_INFO_TYPE,
109 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
110 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
111 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
112 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC |
113 	    CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC |
114 	    CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC,
115 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
116 
117 	/* RSA_X_509 */
118 	{SUN_CKM_RSA_X_509, RSA_X_509_MECH_INFO_TYPE,
119 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
120 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
121 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
122 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC |
123 	    CRYPTO_FG_SIGN_RECOVER | CRYPTO_FG_SIGN_RECOVER_ATOMIC |
124 	    CRYPTO_FG_VERIFY_RECOVER | CRYPTO_FG_VERIFY_RECOVER_ATOMIC,
125 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
126 
127 	/* MD5_RSA_PKCS */
128 	{SUN_CKM_MD5_RSA_PKCS, MD5_RSA_PKCS_MECH_INFO_TYPE,
129 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
130 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
131 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
132 
133 	/* SHA1_RSA_PKCS */
134 	{SUN_CKM_SHA1_RSA_PKCS, SHA1_RSA_PKCS_MECH_INFO_TYPE,
135 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
136 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
137 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
138 
139 	/* SHA256_RSA_PKCS */
140 	{SUN_CKM_SHA256_RSA_PKCS, SHA256_RSA_PKCS_MECH_INFO_TYPE,
141 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
142 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
143 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
144 
145 	/* SHA384_RSA_PKCS */
146 	{SUN_CKM_SHA384_RSA_PKCS, SHA384_RSA_PKCS_MECH_INFO_TYPE,
147 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
148 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
149 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS},
150 
151 	/* SHA512_RSA_PKCS */
152 	{SUN_CKM_SHA512_RSA_PKCS, SHA512_RSA_PKCS_MECH_INFO_TYPE,
153 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
154 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
155 	    RSA_MIN_KEY_LEN, RSA_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BITS}
156 
157 };
158 
159 #define	RSA_VALID_MECH(mech)					\
160 	(((mech)->cm_type == RSA_PKCS_MECH_INFO_TYPE ||		\
161 	(mech)->cm_type == RSA_X_509_MECH_INFO_TYPE ||		\
162 	(mech)->cm_type == MD5_RSA_PKCS_MECH_INFO_TYPE ||	\
163 	(mech)->cm_type == SHA1_RSA_PKCS_MECH_INFO_TYPE ||	\
164 	(mech)->cm_type == SHA256_RSA_PKCS_MECH_INFO_TYPE ||	\
165 	(mech)->cm_type == SHA384_RSA_PKCS_MECH_INFO_TYPE ||	\
166 	(mech)->cm_type == SHA512_RSA_PKCS_MECH_INFO_TYPE) ? 1 : 0)
167 
168 /* operations are in-place if the output buffer is NULL */
169 #define	RSA_ARG_INPLACE(input, output)				\
170 	if ((output) == NULL)					\
171 		(output) = (input);
172 
173 static void rsa_provider_status(crypto_provider_handle_t, uint_t *);
174 
175 static crypto_control_ops_t rsa_control_ops = {
176 	rsa_provider_status
177 };
178 
179 static int rsa_common_init(crypto_ctx_t *, crypto_mechanism_t *,
180     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
181 static int rsa_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
182     crypto_req_handle_t);
183 static int rsa_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
184     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
185     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
186 static int rsa_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
187     crypto_req_handle_t);
188 static int rsa_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
189     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
190     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
191 
192 /*
193  * The RSA mechanisms do not have multiple-part cipher operations.
194  * So, the update and final routines are set to NULL.
195  */
196 static crypto_cipher_ops_t rsa_cipher_ops = {
197 	rsa_common_init,
198 	rsa_encrypt,
199 	NULL,
200 	NULL,
201 	rsa_encrypt_atomic,
202 	rsa_common_init,
203 	rsa_decrypt,
204 	NULL,
205 	NULL,
206 	rsa_decrypt_atomic
207 };
208 
209 static int rsa_sign_verify_common_init(crypto_ctx_t *, crypto_mechanism_t *,
210     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
211 static int rsa_sign(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
212     crypto_req_handle_t);
213 static int rsa_sign_update(crypto_ctx_t *, crypto_data_t *,
214     crypto_req_handle_t);
215 static int rsa_sign_final(crypto_ctx_t *, crypto_data_t *,
216     crypto_req_handle_t);
217 static int rsa_sign_atomic(crypto_provider_handle_t, crypto_session_id_t,
218     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
219     crypto_spi_ctx_template_t, crypto_req_handle_t);
220 
221 /*
222  * We use the same routine for sign_init and sign_recover_init fields
223  * as they do the same thing. Same holds for sign and sign_recover fields,
224  * and sign_atomic and sign_recover_atomic fields.
225  */
226 static crypto_sign_ops_t rsa_sign_ops = {
227 	rsa_sign_verify_common_init,
228 	rsa_sign,
229 	rsa_sign_update,
230 	rsa_sign_final,
231 	rsa_sign_atomic,
232 	rsa_sign_verify_common_init,
233 	rsa_sign,
234 	rsa_sign_atomic
235 };
236 
237 static int rsa_verify(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
238     crypto_req_handle_t);
239 static int rsa_verify_update(crypto_ctx_t *, crypto_data_t *,
240     crypto_req_handle_t);
241 static int rsa_verify_final(crypto_ctx_t *, crypto_data_t *,
242     crypto_req_handle_t);
243 static int rsa_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
244     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
245     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
246 static int rsa_verify_recover(crypto_ctx_t *, crypto_data_t *,
247     crypto_data_t *, crypto_req_handle_t);
248 static int rsa_verify_recover_atomic(crypto_provider_handle_t,
249     crypto_session_id_t, crypto_mechanism_t *, crypto_key_t *,
250     crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t,
251     crypto_req_handle_t);
252 
253 /*
254  * We use the same routine (rsa_sign_verify_common_init) for verify_init
255  * and verify_recover_init fields as they do the same thing.
256  */
257 static crypto_verify_ops_t rsa_verify_ops = {
258 	rsa_sign_verify_common_init,
259 	rsa_verify,
260 	rsa_verify_update,
261 	rsa_verify_final,
262 	rsa_verify_atomic,
263 	rsa_sign_verify_common_init,
264 	rsa_verify_recover,
265 	rsa_verify_recover_atomic
266 };
267 
268 static int rsa_free_context(crypto_ctx_t *);
269 
270 static crypto_ctx_ops_t rsa_ctx_ops = {
271 	NULL,
272 	rsa_free_context
273 };
274 
275 static crypto_ops_t rsa_crypto_ops = {
276 	&rsa_control_ops,
277 	NULL,
278 	&rsa_cipher_ops,
279 	NULL,
280 	&rsa_sign_ops,
281 	&rsa_verify_ops,
282 	NULL,
283 	NULL,
284 	NULL,
285 	NULL,
286 	NULL,
287 	NULL,
288 	NULL,
289 	&rsa_ctx_ops
290 };
291 
292 static crypto_provider_info_t rsa_prov_info = {
293 	CRYPTO_SPI_VERSION_1,
294 	"RSA Software Provider",
295 	CRYPTO_SW_PROVIDER,
296 	{&modlinkage},
297 	NULL,
298 	&rsa_crypto_ops,
299 	sizeof (rsa_mech_info_tab)/sizeof (crypto_mech_info_t),
300 	rsa_mech_info_tab
301 };
302 
303 static int rsa_encrypt_common(rsa_mech_type_t, crypto_key_t *,
304     crypto_data_t *, crypto_data_t *, int);
305 static int rsa_decrypt_common(rsa_mech_type_t, crypto_key_t *,
306     crypto_data_t *, crypto_data_t *, int);
307 static int rsa_sign_common(rsa_mech_type_t, crypto_key_t *,
308     crypto_data_t *, crypto_data_t *, int);
309 static int rsa_verify_common(rsa_mech_type_t, crypto_key_t *,
310     crypto_data_t *, crypto_data_t *, int);
311 static int compare_data(crypto_data_t *, uchar_t *);
312 
313 /* EXPORT DELETE START */
314 
315 static int core_rsa_encrypt(crypto_key_t *, uchar_t *,
316     int, uchar_t *, int, int);
317 static int core_rsa_decrypt(crypto_key_t *, uchar_t *, int,
318     uchar_t *, int);
319 
320 /* EXPORT DELETE END */
321 
322 static crypto_kcf_provider_handle_t rsa_prov_handle = NULL;
323 
324 int
325 _init(void)
326 {
327 	int ret;
328 
329 	/*
330 	 * Register with KCF. If the registration fails, return error.
331 	 */
332 	if ((ret = crypto_register_provider(&rsa_prov_info,
333 	    &rsa_prov_handle)) != CRYPTO_SUCCESS) {
334 		cmn_err(CE_WARN, "rsa _init: crypto_register_provider()"
335 		    "failed (0x%x)", ret);
336 		return (EACCES);
337 	}
338 
339 	if ((ret = mod_install(&modlinkage)) != 0) {
340 		int rv;
341 
342 		ASSERT(rsa_prov_handle != NULL);
343 		/* We should not return if the unregister returns busy. */
344 		while ((rv = crypto_unregister_provider(rsa_prov_handle))
345 		    == CRYPTO_BUSY) {
346 			cmn_err(CE_WARN, "rsa _init: "
347 			    "crypto_unregister_provider() "
348 			    "failed (0x%x). Retrying.", rv);
349 			/* wait 10 seconds and try again. */
350 			delay(10 * drv_usectohz(1000000));
351 		}
352 	}
353 
354 	return (ret);
355 }
356 
357 int
358 _fini(void)
359 {
360 	int ret;
361 
362 	/*
363 	 * Unregister from KCF if previous registration succeeded.
364 	 */
365 	if (rsa_prov_handle != NULL) {
366 		if ((ret = crypto_unregister_provider(rsa_prov_handle)) !=
367 		    CRYPTO_SUCCESS) {
368 			cmn_err(CE_WARN, "rsa _fini: "
369 			    "crypto_unregister_provider() "
370 			    "failed (0x%x)", ret);
371 			return (EBUSY);
372 		}
373 		rsa_prov_handle = NULL;
374 	}
375 
376 	return (mod_remove(&modlinkage));
377 }
378 
379 int
380 _info(struct modinfo *modinfop)
381 {
382 	return (mod_info(&modlinkage, modinfop));
383 }
384 
385 /* ARGSUSED */
386 static void
387 rsa_provider_status(crypto_provider_handle_t provider, uint_t *status)
388 {
389 	*status = CRYPTO_PROVIDER_READY;
390 }
391 
392 static int
393 check_mech_and_key(crypto_mechanism_t *mechanism, crypto_key_t *key)
394 {
395 	int rv = CRYPTO_FAILED;
396 
397 /* EXPORT DELETE START */
398 
399 	uchar_t *modulus;
400 	ssize_t modulus_len; /* In bytes */
401 
402 	if (!RSA_VALID_MECH(mechanism))
403 		return (CRYPTO_MECHANISM_INVALID);
404 
405 	/*
406 	 * We only support RSA keys that are passed as a list of
407 	 * object attributes.
408 	 */
409 	if (key->ck_format != CRYPTO_KEY_ATTR_LIST) {
410 		return (CRYPTO_KEY_TYPE_INCONSISTENT);
411 	}
412 
413 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
414 	    &modulus_len)) != CRYPTO_SUCCESS) {
415 		return (rv);
416 	}
417 	if (modulus_len < MIN_RSA_KEYLENGTH_IN_BYTES ||
418 	    modulus_len > MAX_RSA_KEYLENGTH_IN_BYTES)
419 		return (CRYPTO_KEY_SIZE_RANGE);
420 
421 /* EXPORT DELETE END */
422 
423 	return (rv);
424 }
425 
426 void
427 kmemset(uint8_t *buf, char pattern, size_t len)
428 {
429 	int i = 0;
430 
431 	while (i < len)
432 		buf[i++] = pattern;
433 }
434 
435 /*
436  * This function guarantees to return non-zero random numbers.
437  * This is needed as the /dev/urandom kernel interface,
438  * random_get_pseudo_bytes(), may return zeros.
439  */
440 int
441 knzero_random_generator(uint8_t *ran_out, size_t ran_len)
442 {
443 	int rv;
444 	size_t ebc = 0; /* count of extra bytes in extrarand */
445 	size_t i = 0;
446 	uint8_t extrarand[32];
447 	size_t extrarand_len;
448 
449 	if ((rv = random_get_pseudo_bytes(ran_out, ran_len)) != 0)
450 		return (rv);
451 
452 	/*
453 	 * Walk through the returned random numbers pointed by ran_out,
454 	 * and look for any random number which is zero.
455 	 * If we find zero, call random_get_pseudo_bytes() to generate
456 	 * another 32 random numbers pool. Replace any zeros in ran_out[]
457 	 * from the random number in pool.
458 	 */
459 	while (i < ran_len) {
460 		if (ran_out[i] != 0) {
461 			i++;
462 			continue;
463 		}
464 
465 		/*
466 		 * Note that it is 'while' so we are guaranteed a
467 		 * non-zero value on exit.
468 		 */
469 		if (ebc == 0) {
470 			/* refresh extrarand */
471 			extrarand_len = sizeof (extrarand);
472 			if ((rv = random_get_pseudo_bytes(extrarand,
473 			    extrarand_len)) != 0) {
474 				return (rv);
475 			}
476 
477 			ebc = extrarand_len;
478 		}
479 		/* Replace zero with byte from extrarand. */
480 		-- ebc;
481 
482 		/*
483 		 * The new random byte zero/non-zero will be checked in
484 		 * the next pass through the loop.
485 		 */
486 		ran_out[i] = extrarand[ebc];
487 	}
488 
489 	return (CRYPTO_SUCCESS);
490 }
491 
492 static int
493 compare_data(crypto_data_t *data, uchar_t *buf)
494 {
495 	int len;
496 	uchar_t *dptr;
497 
498 	len = data->cd_length;
499 	switch (data->cd_format) {
500 	case CRYPTO_DATA_RAW:
501 		dptr = (uchar_t *)(data->cd_raw.iov_base +
502 		    data->cd_offset);
503 
504 		return (bcmp(dptr, buf, len));
505 
506 	case CRYPTO_DATA_UIO:
507 		return (crypto_uio_data(data, buf, len,
508 		    COMPARE_TO_DATA, NULL, NULL));
509 
510 	case CRYPTO_DATA_MBLK:
511 		return (crypto_mblk_data(data, buf, len,
512 		    COMPARE_TO_DATA, NULL, NULL));
513 	}
514 
515 	return (CRYPTO_FAILED);
516 }
517 
518 /* ARGSUSED */
519 static int
520 rsa_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
521     crypto_key_t *key, crypto_spi_ctx_template_t template,
522     crypto_req_handle_t req)
523 {
524 	int rv;
525 	int kmflag;
526 	rsa_ctx_t *ctxp;
527 
528 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
529 		return (rv);
530 
531 	/*
532 	 * Allocate a RSA context.
533 	 */
534 	kmflag = crypto_kmflag(req);
535 	if ((ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag)) == NULL)
536 		return (CRYPTO_HOST_MEMORY);
537 
538 	if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size,
539 	    kmflag)) != CRYPTO_SUCCESS) {
540 		kmem_free(ctxp, sizeof (rsa_ctx_t));
541 		return (rv);
542 	}
543 	ctxp->mech_type = mechanism->cm_type;
544 
545 	ctx->cc_provider_private = ctxp;
546 
547 	return (CRYPTO_SUCCESS);
548 }
549 
550 /* ARGSUSED */
551 static int
552 rsa_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext,
553     crypto_data_t *ciphertext, crypto_req_handle_t req)
554 {
555 	int rv;
556 	rsa_ctx_t *ctxp;
557 
558 	ASSERT(ctx->cc_provider_private != NULL);
559 	ctxp = ctx->cc_provider_private;
560 
561 	RSA_ARG_INPLACE(plaintext, ciphertext);
562 
563 	/*
564 	 * Note on the KM_SLEEP flag passed to the routine below -
565 	 * rsa_encrypt() is a single-part encryption routine which is
566 	 * currently usable only by /dev/crypto. Since /dev/crypto calls are
567 	 * always synchronous, we can safely pass KM_SLEEP here.
568 	 */
569 	rv = rsa_encrypt_common(ctxp->mech_type, ctxp->key, plaintext,
570 	    ciphertext, KM_SLEEP);
571 
572 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
573 		(void) rsa_free_context(ctx);
574 
575 	return (rv);
576 }
577 
578 /* ARGSUSED */
579 static int
580 rsa_encrypt_atomic(crypto_provider_handle_t provider,
581     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
582     crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext,
583     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
584 {
585 	int rv;
586 
587 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
588 		return (rv);
589 	RSA_ARG_INPLACE(plaintext, ciphertext);
590 
591 	return (rsa_encrypt_common(mechanism->cm_type, key, plaintext,
592 	    ciphertext, crypto_kmflag(req)));
593 }
594 
595 static int
596 rsa_free_context(crypto_ctx_t *ctx)
597 {
598 	rsa_ctx_t *ctxp = ctx->cc_provider_private;
599 
600 	if (ctxp != NULL) {
601 		bzero(ctxp->key, ctxp->keychunk_size);
602 		kmem_free(ctxp->key, ctxp->keychunk_size);
603 
604 		if (ctxp->mech_type == RSA_PKCS_MECH_INFO_TYPE ||
605 		    ctxp->mech_type == RSA_X_509_MECH_INFO_TYPE)
606 			kmem_free(ctxp, sizeof (rsa_ctx_t));
607 		else
608 			kmem_free(ctxp, sizeof (digest_rsa_ctx_t));
609 
610 		ctx->cc_provider_private = NULL;
611 	}
612 
613 	return (CRYPTO_SUCCESS);
614 }
615 
616 static int
617 rsa_encrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
618     crypto_data_t *plaintext, crypto_data_t *ciphertext, int kmflag)
619 {
620 	int rv = CRYPTO_FAILED;
621 
622 /* EXPORT DELETE START */
623 
624 	int plen;
625 	uchar_t *ptptr;
626 	uchar_t *modulus;
627 	ssize_t modulus_len;
628 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
629 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
630 	uchar_t cipher_data[MAX_RSA_KEYLENGTH_IN_BYTES];
631 
632 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
633 	    &modulus_len)) != CRYPTO_SUCCESS) {
634 		return (rv);
635 	}
636 
637 	plen = plaintext->cd_length;
638 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
639 		if (plen > (modulus_len - MIN_PKCS1_PADLEN))
640 			return (CRYPTO_DATA_LEN_RANGE);
641 	} else {
642 		if (plen > modulus_len)
643 			return (CRYPTO_DATA_LEN_RANGE);
644 	}
645 
646 	/*
647 	 * Output buf len must not be less than RSA modulus size.
648 	 */
649 	if (ciphertext->cd_length < modulus_len) {
650 		ciphertext->cd_length = modulus_len;
651 		return (CRYPTO_BUFFER_TOO_SMALL);
652 	}
653 
654 	ASSERT(plaintext->cd_length <= sizeof (tmp_data));
655 	if ((rv = crypto_get_input_data(plaintext, &ptptr, tmp_data))
656 	    != CRYPTO_SUCCESS)
657 		return (rv);
658 
659 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
660 		rv = soft_encrypt_rsa_pkcs_encode(ptptr, plen,
661 		    plain_data, modulus_len);
662 
663 		if (rv != CRYPTO_SUCCESS)
664 			return (rv);
665 	} else {
666 		bzero(plain_data, modulus_len - plen);
667 		bcopy(ptptr, &plain_data[modulus_len - plen], plen);
668 	}
669 
670 	rv = core_rsa_encrypt(key, plain_data, modulus_len,
671 	    cipher_data, kmflag, 1);
672 	if (rv == CRYPTO_SUCCESS) {
673 		/* copy out to ciphertext */
674 		if ((rv = crypto_put_output_data(cipher_data,
675 		    ciphertext, modulus_len)) != CRYPTO_SUCCESS)
676 			return (rv);
677 
678 		ciphertext->cd_length = modulus_len;
679 	}
680 
681 /* EXPORT DELETE END */
682 
683 	return (rv);
684 }
685 
686 /* EXPORT DELETE START */
687 
688 static int
689 core_rsa_encrypt(crypto_key_t *key, uchar_t *in,
690     int in_len, uchar_t *out, int kmflag, int is_public)
691 {
692 	int rv;
693 	uchar_t *expo, *modulus;
694 	ssize_t	expo_len;
695 	ssize_t modulus_len;
696 	BIGNUM msg;
697 	RSAkey *rsakey;
698 
699 	if (is_public) {
700 		if ((rv = crypto_get_key_attr(key, SUN_CKA_PUBLIC_EXPONENT,
701 		    &expo, &expo_len)) != CRYPTO_SUCCESS)
702 			return (rv);
703 	} else {
704 		/*
705 		 * SUN_CKA_PRIVATE_EXPONENT is a required attribute for a
706 		 * RSA secret key. See the comments in core_rsa_decrypt
707 		 * routine which calls this routine with a private key.
708 		 */
709 		if ((rv = crypto_get_key_attr(key, SUN_CKA_PRIVATE_EXPONENT,
710 		    &expo, &expo_len)) != CRYPTO_SUCCESS)
711 			return (rv);
712 	}
713 
714 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
715 	    &modulus_len)) != CRYPTO_SUCCESS) {
716 		return (rv);
717 	}
718 
719 	rsakey = kmem_alloc(sizeof (RSAkey), kmflag);
720 	if (rsakey == NULL)
721 		return (CRYPTO_HOST_MEMORY);
722 
723 	/* psize and qsize for RSA_key_init is in bits. */
724 	if (RSA_key_init(rsakey, modulus_len * 4, modulus_len * 4) != BIG_OK) {
725 		rv = CRYPTO_HOST_MEMORY;
726 		goto clean1;
727 	}
728 
729 	/* Size for big_init is in BIG_CHUNK_TYPE words. */
730 	if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) {
731 		rv = CRYPTO_HOST_MEMORY;
732 		goto clean2;
733 	}
734 
735 	/* Convert octet string exponent to big integer format. */
736 	bytestring2bignum(&(rsakey->e), expo, expo_len);
737 
738 	/* Convert octet string modulus to big integer format. */
739 	bytestring2bignum(&(rsakey->n), modulus, modulus_len);
740 
741 	/* Convert octet string input data to big integer format. */
742 	bytestring2bignum(&msg, in, in_len);
743 
744 	if (big_cmp_abs(&msg, &(rsakey->n)) > 0) {
745 		rv = CRYPTO_DATA_LEN_RANGE;
746 		goto clean3;
747 	}
748 
749 	/* Perform RSA computation on big integer input data. */
750 	if (big_modexp(&msg, &msg, &(rsakey->e), &(rsakey->n), NULL)
751 	    != BIG_OK) {
752 		rv = CRYPTO_HOST_MEMORY;
753 		goto clean3;
754 	}
755 
756 	/* Convert the big integer output data to octet string. */
757 	bignum2bytestring(out, &msg, modulus_len);
758 
759 	/*
760 	 * Should not free modulus and expo as both are just pointers
761 	 * to an attribute value buffer from the caller.
762 	 */
763 clean3:
764 	big_finish(&msg);
765 clean2:
766 	RSA_key_finish(rsakey);
767 clean1:
768 	kmem_free(rsakey, sizeof (RSAkey));
769 
770 	return (rv);
771 }
772 
773 /* EXPORT DELETE END */
774 
775 /* ARGSUSED */
776 static int
777 rsa_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
778     crypto_data_t *plaintext, crypto_req_handle_t req)
779 {
780 	int rv;
781 	rsa_ctx_t *ctxp;
782 
783 	ASSERT(ctx->cc_provider_private != NULL);
784 	ctxp = ctx->cc_provider_private;
785 
786 	RSA_ARG_INPLACE(ciphertext, plaintext);
787 
788 	/* See the comments on KM_SLEEP flag in rsa_encrypt() */
789 	rv = rsa_decrypt_common(ctxp->mech_type, ctxp->key,
790 	    ciphertext, plaintext, KM_SLEEP);
791 
792 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
793 		(void) rsa_free_context(ctx);
794 
795 	return (rv);
796 }
797 
798 /* ARGSUSED */
799 static int
800 rsa_decrypt_atomic(crypto_provider_handle_t provider,
801     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
802     crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
803     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
804 {
805 	int rv;
806 
807 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
808 		return (rv);
809 	RSA_ARG_INPLACE(ciphertext, plaintext);
810 
811 	return (rsa_decrypt_common(mechanism->cm_type, key, ciphertext,
812 	    plaintext, crypto_kmflag(req)));
813 }
814 
815 static int
816 rsa_decrypt_common(rsa_mech_type_t mech_type, crypto_key_t *key,
817     crypto_data_t *ciphertext, crypto_data_t *plaintext, int kmflag)
818 {
819 	int rv = CRYPTO_FAILED;
820 
821 /* EXPORT DELETE START */
822 
823 	int plain_len;
824 	uchar_t *ctptr;
825 	uchar_t *modulus;
826 	ssize_t modulus_len;
827 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
828 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
829 
830 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
831 	    &modulus_len)) != CRYPTO_SUCCESS) {
832 		return (rv);
833 	}
834 
835 	/*
836 	 * Ciphertext length must be equal to RSA modulus size.
837 	 */
838 	if (ciphertext->cd_length != modulus_len)
839 		return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
840 
841 	ASSERT(ciphertext->cd_length <= sizeof (tmp_data));
842 	if ((rv = crypto_get_input_data(ciphertext, &ctptr, tmp_data))
843 	    != CRYPTO_SUCCESS)
844 		return (rv);
845 
846 	rv = core_rsa_decrypt(key, ctptr, modulus_len, plain_data, kmflag);
847 	if (rv == CRYPTO_SUCCESS) {
848 		plain_len = modulus_len;
849 
850 		if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
851 			/* Strip off the PKCS block formatting data. */
852 			rv = soft_decrypt_rsa_pkcs_decode(plain_data,
853 			    &plain_len);
854 			if (rv != CRYPTO_SUCCESS)
855 				return (rv);
856 		}
857 
858 		if (plain_len > plaintext->cd_length) {
859 			plaintext->cd_length = plain_len;
860 			return (CRYPTO_BUFFER_TOO_SMALL);
861 		}
862 
863 		if ((rv = crypto_put_output_data(
864 		    plain_data + modulus_len - plain_len,
865 		    plaintext, plain_len)) != CRYPTO_SUCCESS)
866 			return (rv);
867 
868 		plaintext->cd_length = plain_len;
869 	}
870 
871 /* EXPORT DELETE END */
872 
873 	return (rv);
874 }
875 
876 /* EXPORT DELETE START */
877 
878 static int
879 core_rsa_decrypt(crypto_key_t *key, uchar_t *in, int in_len,
880     uchar_t *out, int kmflag)
881 {
882 	int rv;
883 	uchar_t *modulus, *prime1, *prime2, *expo1, *expo2, *coef;
884 	ssize_t modulus_len;
885 	ssize_t	prime1_len, prime2_len;
886 	ssize_t	expo1_len, expo2_len, coef_len;
887 	BIGNUM msg;
888 	RSAkey *rsakey;
889 
890 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
891 	    &modulus_len)) != CRYPTO_SUCCESS) {
892 		return (rv);
893 	}
894 
895 	/*
896 	 * The following attributes are not required to be
897 	 * present in a RSA secret key. If any of them is not present
898 	 * we call the encrypt routine with a flag indicating use of
899 	 * private exponent (d). Note that SUN_CKA_PRIVATE_EXPONENT is
900 	 * a required attribute for a RSA secret key.
901 	 */
902 	if ((crypto_get_key_attr(key, SUN_CKA_PRIME_1, &prime1, &prime1_len)
903 	    != CRYPTO_SUCCESS) ||
904 	    (crypto_get_key_attr(key, SUN_CKA_PRIME_2, &prime2, &prime2_len)
905 	    != CRYPTO_SUCCESS) ||
906 	    (crypto_get_key_attr(key, SUN_CKA_EXPONENT_1, &expo1, &expo1_len)
907 	    != CRYPTO_SUCCESS) ||
908 	    (crypto_get_key_attr(key, SUN_CKA_EXPONENT_2, &expo2, &expo2_len)
909 	    != CRYPTO_SUCCESS) ||
910 	    (crypto_get_key_attr(key, SUN_CKA_COEFFICIENT, &coef, &coef_len)
911 	    != CRYPTO_SUCCESS)) {
912 		return (core_rsa_encrypt(key, in, in_len, out, kmflag, 0));
913 	}
914 
915 	rsakey = kmem_alloc(sizeof (RSAkey), kmflag);
916 	if (rsakey == NULL)
917 		return (CRYPTO_HOST_MEMORY);
918 
919 	/* psize and qsize for RSA_key_init is in bits. */
920 	if (RSA_key_init(rsakey, prime2_len * 8, prime1_len * 8) != BIG_OK) {
921 		rv = CRYPTO_HOST_MEMORY;
922 		goto clean1;
923 	}
924 
925 	/* Size for big_init is in BIG_CHUNK_TYPE words. */
926 	if (big_init(&msg, CHARLEN2BIGNUMLEN(in_len)) != BIG_OK) {
927 		rv = CRYPTO_HOST_MEMORY;
928 		goto clean2;
929 	}
930 
931 	/* Convert octet string input data to big integer format. */
932 	bytestring2bignum(&msg, in, in_len);
933 
934 	/* Convert octet string modulus to big integer format. */
935 	bytestring2bignum(&(rsakey->n), modulus, modulus_len);
936 
937 	if (big_cmp_abs(&msg, &(rsakey->n)) > 0) {
938 		rv = CRYPTO_DATA_LEN_RANGE;
939 		goto clean3;
940 	}
941 
942 	/* Convert the rest of private key attributes to big integer format. */
943 	bytestring2bignum(&(rsakey->dmodpminus1), expo2, expo2_len);
944 	bytestring2bignum(&(rsakey->dmodqminus1), expo1, expo1_len);
945 	bytestring2bignum(&(rsakey->p), prime2, prime2_len);
946 	bytestring2bignum(&(rsakey->q), prime1, prime1_len);
947 	bytestring2bignum(&(rsakey->pinvmodq), coef, coef_len);
948 
949 	if ((big_cmp_abs(&(rsakey->dmodpminus1), &(rsakey->p)) > 0) ||
950 	    (big_cmp_abs(&(rsakey->dmodqminus1), &(rsakey->q)) > 0) ||
951 	    (big_cmp_abs(&(rsakey->pinvmodq), &(rsakey->q)) > 0)) {
952 		rv = CRYPTO_KEY_SIZE_RANGE;
953 		goto clean3;
954 	}
955 
956 	/* Perform RSA computation on big integer input data. */
957 	if (big_modexp_crt(&msg, &msg, &(rsakey->dmodpminus1),
958 	    &(rsakey->dmodqminus1), &(rsakey->p), &(rsakey->q),
959 	    &(rsakey->pinvmodq), NULL, NULL) != BIG_OK) {
960 		rv = CRYPTO_HOST_MEMORY;
961 		goto clean3;
962 	}
963 
964 	/* Convert the big integer output data to octet string. */
965 	bignum2bytestring(out, &msg, modulus_len);
966 
967 	/*
968 	 * Should not free modulus and friends as they are just pointers
969 	 * to an attribute value buffer from the caller.
970 	 */
971 clean3:
972 	big_finish(&msg);
973 clean2:
974 	RSA_key_finish(rsakey);
975 clean1:
976 	kmem_free(rsakey, sizeof (RSAkey));
977 
978 	return (rv);
979 }
980 
981 /* EXPORT DELETE END */
982 
983 /* ARGSUSED */
984 static int
985 rsa_sign_verify_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
986     crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
987     crypto_req_handle_t req)
988 {
989 	int rv;
990 	int kmflag;
991 	rsa_ctx_t *ctxp;
992 	digest_rsa_ctx_t *dctxp;
993 
994 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
995 		return (rv);
996 
997 	/*
998 	 * Allocate a RSA context.
999 	 */
1000 	kmflag = crypto_kmflag(req);
1001 	switch (mechanism->cm_type) {
1002 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1003 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1004 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1005 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1006 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1007 		dctxp = kmem_zalloc(sizeof (digest_rsa_ctx_t), kmflag);
1008 		ctxp = (rsa_ctx_t *)dctxp;
1009 		break;
1010 	default:
1011 		ctxp = kmem_zalloc(sizeof (rsa_ctx_t), kmflag);
1012 		break;
1013 	}
1014 
1015 	if (ctxp == NULL)
1016 		return (CRYPTO_HOST_MEMORY);
1017 
1018 	ctxp->mech_type = mechanism->cm_type;
1019 	if ((rv = crypto_copy_key_to_ctx(key, &ctxp->key, &ctxp->keychunk_size,
1020 	    kmflag)) != CRYPTO_SUCCESS) {
1021 		switch (mechanism->cm_type) {
1022 		case MD5_RSA_PKCS_MECH_INFO_TYPE:
1023 		case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1024 		case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1025 		case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1026 		case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1027 			kmem_free(dctxp, sizeof (digest_rsa_ctx_t));
1028 			break;
1029 		default:
1030 			kmem_free(ctxp, sizeof (rsa_ctx_t));
1031 			break;
1032 		}
1033 		return (rv);
1034 	}
1035 
1036 	switch (mechanism->cm_type) {
1037 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1038 		MD5Init(&(dctxp->md5_ctx));
1039 		break;
1040 
1041 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1042 		SHA1Init(&(dctxp->sha1_ctx));
1043 		break;
1044 
1045 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1046 		SHA2Init(SHA256, &(dctxp->sha2_ctx));
1047 		break;
1048 
1049 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1050 		SHA2Init(SHA384, &(dctxp->sha2_ctx));
1051 		break;
1052 
1053 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1054 		SHA2Init(SHA512, &(dctxp->sha2_ctx));
1055 		break;
1056 	}
1057 
1058 	ctx->cc_provider_private = ctxp;
1059 
1060 	return (CRYPTO_SUCCESS);
1061 }
1062 
1063 #define	SHA1_DIGEST_SIZE 20
1064 #define	MD5_DIGEST_SIZE 16
1065 
1066 #define	INIT_RAW_CRYPTO_DATA(data, base, len, cd_len)	\
1067 	(data).cd_format = CRYPTO_DATA_RAW;		\
1068 	(data).cd_offset = 0;				\
1069 	(data).cd_raw.iov_base = (char *)base;		\
1070 	(data).cd_raw.iov_len = len;			\
1071 	(data).cd_length = cd_len;
1072 
1073 static int
1074 rsa_digest_svrfy_common(digest_rsa_ctx_t *ctxp, crypto_data_t *data,
1075     crypto_data_t *signature, int kmflag, uchar_t flag)
1076 {
1077 	int rv = CRYPTO_FAILED;
1078 
1079 /* EXPORT DELETE START */
1080 
1081 	uchar_t digest[SHA512_DIGEST_LENGTH];
1082 	/* The der_data size is enough for MD5 also */
1083 	uchar_t der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len];
1084 	ulong_t der_data_len;
1085 	crypto_data_t der_cd;
1086 	rsa_mech_type_t mech_type;
1087 
1088 	ASSERT(flag & CRYPTO_DO_SIGN || flag & CRYPTO_DO_VERIFY);
1089 	ASSERT(data != NULL || (flag & CRYPTO_DO_FINAL));
1090 
1091 	mech_type = ctxp->mech_type;
1092 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE ||
1093 	    mech_type == RSA_X_509_MECH_INFO_TYPE)
1094 		return (CRYPTO_MECHANISM_INVALID);
1095 
1096 	/*
1097 	 * We need to do the BUFFER_TOO_SMALL check before digesting
1098 	 * the data. No check is needed for verify as signature is not
1099 	 * an output argument for verify.
1100 	 */
1101 	if (flag & CRYPTO_DO_SIGN) {
1102 		uchar_t *modulus;
1103 		ssize_t modulus_len;
1104 
1105 		if ((rv = crypto_get_key_attr(ctxp->key, SUN_CKA_MODULUS,
1106 		    &modulus, &modulus_len)) != CRYPTO_SUCCESS) {
1107 			return (rv);
1108 		}
1109 
1110 		if (signature->cd_length < modulus_len) {
1111 			signature->cd_length = modulus_len;
1112 			return (CRYPTO_BUFFER_TOO_SMALL);
1113 		}
1114 	}
1115 
1116 	if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE)
1117 		rv = crypto_digest_data(data, &(ctxp->md5_ctx),
1118 		    digest, MD5Update, MD5Final, flag | CRYPTO_DO_MD5);
1119 
1120 	else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE)
1121 		rv = crypto_digest_data(data, &(ctxp->sha1_ctx),
1122 		    digest, SHA1Update, SHA1Final,  flag | CRYPTO_DO_SHA1);
1123 
1124 	else
1125 		rv = crypto_digest_data(data, &(ctxp->sha2_ctx),
1126 		    digest, SHA2Update, SHA2Final, flag | CRYPTO_DO_SHA2);
1127 
1128 	if (rv != CRYPTO_SUCCESS)
1129 		return (rv);
1130 
1131 
1132 	/*
1133 	 * Prepare the DER encoding of the DigestInfo value as follows:
1134 	 * MD5:		MD5_DER_PREFIX || H
1135 	 * SHA-1:	SHA1_DER_PREFIX || H
1136 	 *
1137 	 * See rsa_impl.c for more details.
1138 	 */
1139 	switch (mech_type) {
1140 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1141 		bcopy(MD5_DER_PREFIX, der_data, MD5_DER_PREFIX_Len);
1142 		bcopy(digest, der_data + MD5_DER_PREFIX_Len, MD5_DIGEST_SIZE);
1143 		der_data_len = MD5_DER_PREFIX_Len + MD5_DIGEST_SIZE;
1144 		break;
1145 
1146 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1147 		bcopy(SHA1_DER_PREFIX, der_data, SHA1_DER_PREFIX_Len);
1148 		bcopy(digest, der_data + SHA1_DER_PREFIX_Len,
1149 		    SHA1_DIGEST_SIZE);
1150 		der_data_len = SHA1_DER_PREFIX_Len + SHA1_DIGEST_SIZE;
1151 		break;
1152 
1153 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1154 		bcopy(SHA256_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1155 		bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1156 		    SHA256_DIGEST_LENGTH);
1157 		der_data_len = SHA2_DER_PREFIX_Len + SHA256_DIGEST_LENGTH;
1158 		break;
1159 
1160 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1161 		bcopy(SHA384_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1162 		bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1163 		    SHA384_DIGEST_LENGTH);
1164 		der_data_len = SHA2_DER_PREFIX_Len + SHA384_DIGEST_LENGTH;
1165 		break;
1166 
1167 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1168 		bcopy(SHA512_DER_PREFIX, der_data, SHA2_DER_PREFIX_Len);
1169 		bcopy(digest, der_data + SHA2_DER_PREFIX_Len,
1170 		    SHA512_DIGEST_LENGTH);
1171 		der_data_len = SHA2_DER_PREFIX_Len + SHA512_DIGEST_LENGTH;
1172 		break;
1173 	}
1174 
1175 	INIT_RAW_CRYPTO_DATA(der_cd, der_data, der_data_len, der_data_len);
1176 	/*
1177 	 * Now, we are ready to sign or verify the DER_ENCODED data.
1178 	 */
1179 	if (flag & CRYPTO_DO_SIGN)
1180 		rv = rsa_sign_common(mech_type, ctxp->key, &der_cd,
1181 		    signature, kmflag);
1182 	else
1183 		rv = rsa_verify_common(mech_type, ctxp->key, &der_cd,
1184 		    signature, kmflag);
1185 
1186 /* EXPORT DELETE END */
1187 
1188 	return (rv);
1189 }
1190 
1191 static int
1192 rsa_sign_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1193     crypto_data_t *data, crypto_data_t *signature, int kmflag)
1194 {
1195 	int rv = CRYPTO_FAILED;
1196 
1197 /* EXPORT DELETE START */
1198 
1199 	int dlen;
1200 	uchar_t *dataptr, *modulus;
1201 	ssize_t modulus_len;
1202 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1203 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1204 	uchar_t signed_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1205 
1206 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1207 	    &modulus_len)) != CRYPTO_SUCCESS) {
1208 		return (rv);
1209 	}
1210 
1211 	dlen = data->cd_length;
1212 	switch (mech_type) {
1213 	case RSA_PKCS_MECH_INFO_TYPE:
1214 		if (dlen > (modulus_len - MIN_PKCS1_PADLEN))
1215 			return (CRYPTO_DATA_LEN_RANGE);
1216 		break;
1217 	case RSA_X_509_MECH_INFO_TYPE:
1218 		if (dlen > modulus_len)
1219 			return (CRYPTO_DATA_LEN_RANGE);
1220 		break;
1221 	}
1222 
1223 	if (signature->cd_length < modulus_len) {
1224 		signature->cd_length = modulus_len;
1225 		return (CRYPTO_BUFFER_TOO_SMALL);
1226 	}
1227 
1228 	ASSERT(data->cd_length <= sizeof (tmp_data));
1229 	if ((rv = crypto_get_input_data(data, &dataptr, tmp_data))
1230 	    != CRYPTO_SUCCESS)
1231 		return (rv);
1232 
1233 	switch (mech_type) {
1234 	case RSA_PKCS_MECH_INFO_TYPE:
1235 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1236 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1237 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1238 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1239 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1240 		/*
1241 		 * Add PKCS padding to the input data to format a block
1242 		 * type "01" encryption block.
1243 		 */
1244 		rv = soft_sign_rsa_pkcs_encode(dataptr, dlen, plain_data,
1245 		    modulus_len);
1246 		if (rv != CRYPTO_SUCCESS)
1247 			return (rv);
1248 
1249 		break;
1250 
1251 	case RSA_X_509_MECH_INFO_TYPE:
1252 		bzero(plain_data, modulus_len - dlen);
1253 		bcopy(dataptr, &plain_data[modulus_len - dlen], dlen);
1254 		break;
1255 	}
1256 
1257 	rv = core_rsa_decrypt(key, plain_data, modulus_len, signed_data,
1258 	    kmflag);
1259 	if (rv == CRYPTO_SUCCESS) {
1260 		/* copy out to signature */
1261 		if ((rv = crypto_put_output_data(signed_data,
1262 		    signature, modulus_len)) != CRYPTO_SUCCESS)
1263 			return (rv);
1264 
1265 		signature->cd_length = modulus_len;
1266 	}
1267 
1268 /* EXPORT DELETE END */
1269 
1270 	return (rv);
1271 }
1272 
1273 /* ARGSUSED */
1274 static int
1275 rsa_sign(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature,
1276     crypto_req_handle_t req)
1277 {
1278 	int rv;
1279 	rsa_ctx_t *ctxp;
1280 
1281 	ASSERT(ctx->cc_provider_private != NULL);
1282 	ctxp = ctx->cc_provider_private;
1283 
1284 	/* See the comments on KM_SLEEP flag in rsa_encrypt() */
1285 	switch (ctxp->mech_type) {
1286 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1287 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1288 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1289 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1290 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1291 		rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data,
1292 		    signature, KM_SLEEP, CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE |
1293 		    CRYPTO_DO_FINAL);
1294 		break;
1295 	default:
1296 		rv = rsa_sign_common(ctxp->mech_type, ctxp->key, data,
1297 		    signature, KM_SLEEP);
1298 		break;
1299 	}
1300 
1301 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1302 		(void) rsa_free_context(ctx);
1303 
1304 	return (rv);
1305 }
1306 
1307 /* ARGSUSED */
1308 static int
1309 rsa_sign_update(crypto_ctx_t *ctx, crypto_data_t *data, crypto_req_handle_t req)
1310 {
1311 	int rv;
1312 	digest_rsa_ctx_t *ctxp;
1313 	rsa_mech_type_t mech_type;
1314 
1315 	ASSERT(ctx->cc_provider_private != NULL);
1316 	ctxp = ctx->cc_provider_private;
1317 	mech_type = ctxp->mech_type;
1318 
1319 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE ||
1320 	    mech_type == RSA_X_509_MECH_INFO_TYPE)
1321 		return (CRYPTO_MECHANISM_INVALID);
1322 
1323 	if (mech_type == MD5_RSA_PKCS_MECH_INFO_TYPE)
1324 		rv = crypto_digest_data(data, &(ctxp->md5_ctx),
1325 		    NULL, MD5Update, MD5Final,
1326 		    CRYPTO_DO_MD5 | CRYPTO_DO_UPDATE);
1327 
1328 	else if (mech_type == SHA1_RSA_PKCS_MECH_INFO_TYPE)
1329 		rv = crypto_digest_data(data, &(ctxp->sha1_ctx),
1330 		    NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 |
1331 		    CRYPTO_DO_UPDATE);
1332 
1333 	else
1334 		rv = crypto_digest_data(data, &(ctxp->sha2_ctx),
1335 		    NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 |
1336 		    CRYPTO_DO_UPDATE);
1337 
1338 	return (rv);
1339 }
1340 
1341 static int
1342 rsa_sign_final(crypto_ctx_t *ctx, crypto_data_t *signature,
1343     crypto_req_handle_t req)
1344 {
1345 	int rv;
1346 	digest_rsa_ctx_t *ctxp;
1347 
1348 	ASSERT(ctx->cc_provider_private != NULL);
1349 	ctxp = ctx->cc_provider_private;
1350 
1351 	rv = rsa_digest_svrfy_common(ctxp, NULL, signature,
1352 	    crypto_kmflag(req), CRYPTO_DO_SIGN | CRYPTO_DO_FINAL);
1353 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1354 		(void) rsa_free_context(ctx);
1355 
1356 	return (rv);
1357 }
1358 
1359 /* ARGSUSED */
1360 static int
1361 rsa_sign_atomic(crypto_provider_handle_t provider,
1362     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1363     crypto_key_t *key, crypto_data_t *data, crypto_data_t *signature,
1364     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1365 {
1366 	int rv;
1367 	digest_rsa_ctx_t dctx;
1368 
1369 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1370 		return (rv);
1371 
1372 	if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE ||
1373 	    mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE)
1374 		rv = rsa_sign_common(mechanism->cm_type, key, data,
1375 		    signature, crypto_kmflag(req));
1376 
1377 	else {
1378 		dctx.mech_type = mechanism->cm_type;
1379 		dctx.key = key;
1380 		switch (mechanism->cm_type) {
1381 		case MD5_RSA_PKCS_MECH_INFO_TYPE:
1382 			MD5Init(&(dctx.md5_ctx));
1383 			break;
1384 
1385 		case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1386 			SHA1Init(&(dctx.sha1_ctx));
1387 			break;
1388 
1389 		case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1390 			SHA2Init(SHA256, &(dctx.sha2_ctx));
1391 			break;
1392 
1393 		case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1394 			SHA2Init(SHA384, &(dctx.sha2_ctx));
1395 			break;
1396 
1397 		case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1398 			SHA2Init(SHA512, &(dctx.sha2_ctx));
1399 			break;
1400 		}
1401 
1402 		rv = rsa_digest_svrfy_common(&dctx, data, signature,
1403 		    crypto_kmflag(req), CRYPTO_DO_SIGN | CRYPTO_DO_UPDATE |
1404 		    CRYPTO_DO_FINAL);
1405 	}
1406 
1407 	return (rv);
1408 }
1409 
1410 static int
1411 rsa_verify_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1412     crypto_data_t *data, crypto_data_t *signature, int kmflag)
1413 {
1414 	int rv = CRYPTO_FAILED;
1415 
1416 /* EXPORT DELETE START */
1417 
1418 	uchar_t *sigptr, *modulus;
1419 	ssize_t modulus_len;
1420 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1421 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1422 
1423 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1424 	    &modulus_len)) != CRYPTO_SUCCESS) {
1425 		return (rv);
1426 	}
1427 
1428 	if (signature->cd_length != modulus_len)
1429 		return (CRYPTO_SIGNATURE_LEN_RANGE);
1430 
1431 	ASSERT(signature->cd_length <= sizeof (tmp_data));
1432 	if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data))
1433 	    != CRYPTO_SUCCESS)
1434 		return (rv);
1435 
1436 	rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, kmflag, 1);
1437 	if (rv != CRYPTO_SUCCESS)
1438 		return (rv);
1439 
1440 	if (mech_type == RSA_X_509_MECH_INFO_TYPE) {
1441 		if (compare_data(data, (plain_data + modulus_len
1442 		    - data->cd_length)) != 0)
1443 			rv = CRYPTO_SIGNATURE_INVALID;
1444 
1445 	} else {
1446 		int data_len = modulus_len;
1447 
1448 		/*
1449 		 * Strip off the encoded padding bytes in front of the
1450 		 * recovered data, then compare the recovered data with
1451 		 * the original data.
1452 		 */
1453 		rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len);
1454 		if (rv != CRYPTO_SUCCESS)
1455 			return (rv);
1456 
1457 		if (data_len != data->cd_length)
1458 			return (CRYPTO_SIGNATURE_LEN_RANGE);
1459 
1460 		if (compare_data(data, (plain_data + modulus_len
1461 		    - data_len)) != 0)
1462 			rv = CRYPTO_SIGNATURE_INVALID;
1463 	}
1464 
1465 /* EXPORT DELETE END */
1466 
1467 	return (rv);
1468 }
1469 
1470 /* ARGSUSED */
1471 static int
1472 rsa_verify(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *signature,
1473     crypto_req_handle_t req)
1474 {
1475 	int rv;
1476 	rsa_ctx_t *ctxp;
1477 
1478 	ASSERT(ctx->cc_provider_private != NULL);
1479 	ctxp = ctx->cc_provider_private;
1480 
1481 	/* See the comments on KM_SLEEP flag in rsa_encrypt() */
1482 	switch (ctxp->mech_type) {
1483 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1484 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1485 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1486 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1487 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1488 		rv = rsa_digest_svrfy_common((digest_rsa_ctx_t *)ctxp, data,
1489 		    signature, KM_SLEEP, CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE |
1490 		    CRYPTO_DO_FINAL);
1491 		break;
1492 	default:
1493 		rv = rsa_verify_common(ctxp->mech_type, ctxp->key, data,
1494 		    signature, KM_SLEEP);
1495 		break;
1496 	}
1497 
1498 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1499 		(void) rsa_free_context(ctx);
1500 
1501 	return (rv);
1502 }
1503 
1504 /* ARGSUSED */
1505 static int
1506 rsa_verify_update(crypto_ctx_t *ctx, crypto_data_t *data,
1507     crypto_req_handle_t req)
1508 {
1509 	int rv;
1510 	digest_rsa_ctx_t *ctxp;
1511 
1512 	ASSERT(ctx->cc_provider_private != NULL);
1513 	ctxp = ctx->cc_provider_private;
1514 
1515 	switch (ctxp->mech_type) {
1516 
1517 	case MD5_RSA_PKCS_MECH_INFO_TYPE:
1518 		rv = crypto_digest_data(data, &(ctxp->md5_ctx),
1519 		    NULL, MD5Update, MD5Final, CRYPTO_DO_MD5 |
1520 		    CRYPTO_DO_UPDATE);
1521 		break;
1522 
1523 	case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1524 		rv = crypto_digest_data(data, &(ctxp->sha1_ctx),
1525 		    NULL, SHA1Update, SHA1Final, CRYPTO_DO_SHA1 |
1526 		    CRYPTO_DO_UPDATE);
1527 		break;
1528 
1529 	case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1530 	case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1531 	case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1532 		rv = crypto_digest_data(data, &(ctxp->sha2_ctx),
1533 		    NULL, SHA2Update, SHA2Final, CRYPTO_DO_SHA2 |
1534 		    CRYPTO_DO_UPDATE);
1535 		break;
1536 
1537 	default:
1538 		return (CRYPTO_MECHANISM_INVALID);
1539 	}
1540 
1541 	return (rv);
1542 }
1543 
1544 static int
1545 rsa_verify_final(crypto_ctx_t *ctx, crypto_data_t *signature,
1546     crypto_req_handle_t req)
1547 {
1548 	int rv;
1549 	digest_rsa_ctx_t *ctxp;
1550 
1551 	ASSERT(ctx->cc_provider_private != NULL);
1552 	ctxp = ctx->cc_provider_private;
1553 
1554 	rv = rsa_digest_svrfy_common(ctxp, NULL, signature,
1555 	    crypto_kmflag(req), CRYPTO_DO_VERIFY | CRYPTO_DO_FINAL);
1556 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1557 		(void) rsa_free_context(ctx);
1558 
1559 	return (rv);
1560 }
1561 
1562 
1563 /* ARGSUSED */
1564 static int
1565 rsa_verify_atomic(crypto_provider_handle_t provider,
1566     crypto_session_id_t session_id,
1567     crypto_mechanism_t *mechanism, crypto_key_t *key, crypto_data_t *data,
1568     crypto_data_t *signature, crypto_spi_ctx_template_t ctx_template,
1569     crypto_req_handle_t req)
1570 {
1571 	int rv;
1572 	digest_rsa_ctx_t dctx;
1573 
1574 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1575 		return (rv);
1576 
1577 	if (mechanism->cm_type == RSA_PKCS_MECH_INFO_TYPE ||
1578 	    mechanism->cm_type == RSA_X_509_MECH_INFO_TYPE)
1579 		rv = rsa_verify_common(mechanism->cm_type, key, data,
1580 		    signature, crypto_kmflag(req));
1581 
1582 	else {
1583 		dctx.mech_type = mechanism->cm_type;
1584 		dctx.key = key;
1585 
1586 		switch (mechanism->cm_type) {
1587 		case MD5_RSA_PKCS_MECH_INFO_TYPE:
1588 			MD5Init(&(dctx.md5_ctx));
1589 			break;
1590 
1591 		case SHA1_RSA_PKCS_MECH_INFO_TYPE:
1592 			SHA1Init(&(dctx.sha1_ctx));
1593 			break;
1594 
1595 		case SHA256_RSA_PKCS_MECH_INFO_TYPE:
1596 			SHA2Init(SHA256, &(dctx.sha2_ctx));
1597 			break;
1598 
1599 		case SHA384_RSA_PKCS_MECH_INFO_TYPE:
1600 			SHA2Init(SHA384, &(dctx.sha2_ctx));
1601 			break;
1602 
1603 		case SHA512_RSA_PKCS_MECH_INFO_TYPE:
1604 			SHA2Init(SHA512, &(dctx.sha2_ctx));
1605 			break;
1606 		}
1607 
1608 		rv = rsa_digest_svrfy_common(&dctx, data,
1609 		    signature, crypto_kmflag(req),
1610 		    CRYPTO_DO_VERIFY | CRYPTO_DO_UPDATE | CRYPTO_DO_FINAL);
1611 	}
1612 
1613 	return (rv);
1614 }
1615 
1616 static int
1617 rsa_verify_recover_common(rsa_mech_type_t mech_type, crypto_key_t *key,
1618     crypto_data_t *signature, crypto_data_t *data, int kmflag)
1619 {
1620 	int rv = CRYPTO_FAILED;
1621 
1622 /* EXPORT DELETE START */
1623 
1624 	int data_len;
1625 	uchar_t *sigptr, *modulus;
1626 	ssize_t modulus_len;
1627 	uchar_t plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1628 	uchar_t tmp_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1629 
1630 	if ((rv = crypto_get_key_attr(key, SUN_CKA_MODULUS, &modulus,
1631 	    &modulus_len)) != CRYPTO_SUCCESS) {
1632 		return (rv);
1633 	}
1634 
1635 	if (signature->cd_length != modulus_len)
1636 		return (CRYPTO_SIGNATURE_LEN_RANGE);
1637 
1638 	ASSERT(signature->cd_length <= sizeof (tmp_data));
1639 	if ((rv = crypto_get_input_data(signature, &sigptr, tmp_data))
1640 	    != CRYPTO_SUCCESS)
1641 		return (rv);
1642 
1643 	rv = core_rsa_encrypt(key, sigptr, modulus_len, plain_data, kmflag, 1);
1644 	if (rv != CRYPTO_SUCCESS)
1645 		return (rv);
1646 
1647 	data_len = modulus_len;
1648 
1649 	if (mech_type == RSA_PKCS_MECH_INFO_TYPE) {
1650 		/*
1651 		 * Strip off the encoded padding bytes in front of the
1652 		 * recovered data, then compare the recovered data with
1653 		 * the original data.
1654 		 */
1655 		rv = soft_verify_rsa_pkcs_decode(plain_data, &data_len);
1656 		if (rv != CRYPTO_SUCCESS)
1657 			return (rv);
1658 	}
1659 
1660 	if (data->cd_length < data_len) {
1661 		data->cd_length = data_len;
1662 		return (CRYPTO_BUFFER_TOO_SMALL);
1663 	}
1664 
1665 	if ((rv = crypto_put_output_data(plain_data + modulus_len - data_len,
1666 	    data, data_len)) != CRYPTO_SUCCESS)
1667 		return (rv);
1668 	data->cd_length = data_len;
1669 
1670 /* EXPORT DELETE END */
1671 
1672 	return (rv);
1673 }
1674 
1675 /* ARGSUSED */
1676 static int
1677 rsa_verify_recover(crypto_ctx_t *ctx, crypto_data_t *signature,
1678     crypto_data_t *data, crypto_req_handle_t req)
1679 {
1680 	int rv;
1681 	rsa_ctx_t *ctxp;
1682 
1683 	ASSERT(ctx->cc_provider_private != NULL);
1684 	ctxp = ctx->cc_provider_private;
1685 
1686 	/* See the comments on KM_SLEEP flag in rsa_encrypt() */
1687 	rv = rsa_verify_recover_common(ctxp->mech_type, ctxp->key,
1688 	    signature, data, KM_SLEEP);
1689 
1690 	if (rv != CRYPTO_BUFFER_TOO_SMALL)
1691 		(void) rsa_free_context(ctx);
1692 
1693 	return (rv);
1694 }
1695 
1696 /* ARGSUSED */
1697 static int
1698 rsa_verify_recover_atomic(crypto_provider_handle_t provider,
1699     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1700     crypto_key_t *key, crypto_data_t *signature, crypto_data_t *data,
1701     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1702 {
1703 	int rv;
1704 
1705 	if ((rv = check_mech_and_key(mechanism, key)) != CRYPTO_SUCCESS)
1706 		return (rv);
1707 
1708 	return (rsa_verify_recover_common(mechanism->cm_type, key,
1709 	    signature, data, crypto_kmflag(req)));
1710 }
1711