xref: /freebsd/sys/contrib/openzfs/module/icp/io/sha2_mod.c (revision 5ca8e32633c4ffbbcd6762e5888b6a4ba0708c6c)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or https://opensource.org/licenses/CDDL-1.0.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #include <sys/zfs_context.h>
28 #include <sys/crypto/common.h>
29 #include <sys/crypto/spi.h>
30 #include <sys/crypto/icp.h>
31 #include <sys/sha2.h>
32 #include <sha2/sha2_impl.h>
33 
34 /*
35  * Macros to access the SHA2 or SHA2-HMAC contexts from a context passed
36  * by KCF to one of the entry points.
37  */
38 
39 #define	PROV_SHA2_CTX(ctx)	((sha2_ctx_t *)(ctx)->cc_provider_private)
40 #define	PROV_SHA2_HMAC_CTX(ctx)	((sha2_hmac_ctx_t *)(ctx)->cc_provider_private)
41 
42 /* to extract the digest length passed as mechanism parameter */
43 #define	PROV_SHA2_GET_DIGEST_LEN(m, len) {				\
44 	if (IS_P2ALIGNED((m)->cm_param, sizeof (ulong_t)))		\
45 		(len) = (uint32_t)*((ulong_t *)(m)->cm_param);	\
46 	else {								\
47 		ulong_t tmp_ulong;					\
48 		memcpy(&tmp_ulong, (m)->cm_param, sizeof (ulong_t));	\
49 		(len) = (uint32_t)tmp_ulong;				\
50 	}								\
51 }
52 
53 #define	PROV_SHA2_DIGEST_KEY(mech, ctx, key, len, digest) {	\
54 	SHA2Init(mech, ctx);				\
55 	SHA2Update(ctx, key, len);			\
56 	SHA2Final(digest, ctx);				\
57 }
58 
59 /*
60  * Mechanism info structure passed to KCF during registration.
61  */
62 static const crypto_mech_info_t sha2_mech_info_tab[] = {
63 	/* SHA256 */
64 	{SUN_CKM_SHA256, SHA256_MECH_INFO_TYPE,
65 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC},
66 	/* SHA256-HMAC */
67 	{SUN_CKM_SHA256_HMAC, SHA256_HMAC_MECH_INFO_TYPE,
68 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC},
69 	/* SHA256-HMAC GENERAL */
70 	{SUN_CKM_SHA256_HMAC_GENERAL, SHA256_HMAC_GEN_MECH_INFO_TYPE,
71 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC},
72 	/* SHA384 */
73 	{SUN_CKM_SHA384, SHA384_MECH_INFO_TYPE,
74 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC},
75 	/* SHA384-HMAC */
76 	{SUN_CKM_SHA384_HMAC, SHA384_HMAC_MECH_INFO_TYPE,
77 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC},
78 	/* SHA384-HMAC GENERAL */
79 	{SUN_CKM_SHA384_HMAC_GENERAL, SHA384_HMAC_GEN_MECH_INFO_TYPE,
80 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC},
81 	/* SHA512 */
82 	{SUN_CKM_SHA512, SHA512_MECH_INFO_TYPE,
83 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC},
84 	/* SHA512-HMAC */
85 	{SUN_CKM_SHA512_HMAC, SHA512_HMAC_MECH_INFO_TYPE,
86 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC},
87 	/* SHA512-HMAC GENERAL */
88 	{SUN_CKM_SHA512_HMAC_GENERAL, SHA512_HMAC_GEN_MECH_INFO_TYPE,
89 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC},
90 };
91 
92 static int sha2_digest_init(crypto_ctx_t *, crypto_mechanism_t *);
93 static int sha2_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *);
94 static int sha2_digest_update(crypto_ctx_t *, crypto_data_t *);
95 static int sha2_digest_final(crypto_ctx_t *, crypto_data_t *);
96 static int sha2_digest_atomic(crypto_mechanism_t *, crypto_data_t *,
97     crypto_data_t *);
98 
99 static const crypto_digest_ops_t sha2_digest_ops = {
100 	.digest_init = sha2_digest_init,
101 	.digest = sha2_digest,
102 	.digest_update = sha2_digest_update,
103 	.digest_final = sha2_digest_final,
104 	.digest_atomic = sha2_digest_atomic
105 };
106 
107 static int sha2_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *,
108     crypto_spi_ctx_template_t);
109 static int sha2_mac_update(crypto_ctx_t *, crypto_data_t *);
110 static int sha2_mac_final(crypto_ctx_t *, crypto_data_t *);
111 static int sha2_mac_atomic(crypto_mechanism_t *, crypto_key_t *,
112     crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t);
113 static int sha2_mac_verify_atomic(crypto_mechanism_t *, crypto_key_t *,
114     crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t);
115 
116 static const crypto_mac_ops_t sha2_mac_ops = {
117 	.mac_init = sha2_mac_init,
118 	.mac = NULL,
119 	.mac_update = sha2_mac_update,
120 	.mac_final = sha2_mac_final,
121 	.mac_atomic = sha2_mac_atomic,
122 	.mac_verify_atomic = sha2_mac_verify_atomic
123 };
124 
125 static int sha2_create_ctx_template(crypto_mechanism_t *, crypto_key_t *,
126     crypto_spi_ctx_template_t *, size_t *);
127 static int sha2_free_context(crypto_ctx_t *);
128 
129 static const crypto_ctx_ops_t sha2_ctx_ops = {
130 	.create_ctx_template = sha2_create_ctx_template,
131 	.free_context = sha2_free_context
132 };
133 
134 static const crypto_ops_t sha2_crypto_ops = {
135 	&sha2_digest_ops,
136 	NULL,
137 	&sha2_mac_ops,
138 	&sha2_ctx_ops,
139 };
140 
141 static const crypto_provider_info_t sha2_prov_info = {
142 	"SHA2 Software Provider",
143 	&sha2_crypto_ops,
144 	sizeof (sha2_mech_info_tab) / sizeof (crypto_mech_info_t),
145 	sha2_mech_info_tab
146 };
147 
148 static crypto_kcf_provider_handle_t sha2_prov_handle = 0;
149 
150 int
151 sha2_mod_init(void)
152 {
153 	int ret;
154 
155 	/*
156 	 * Register with KCF. If the registration fails, log an
157 	 * error but do not uninstall the module, since the functionality
158 	 * provided by misc/sha2 should still be available.
159 	 */
160 	if ((ret = crypto_register_provider(&sha2_prov_info,
161 	    &sha2_prov_handle)) != CRYPTO_SUCCESS)
162 		cmn_err(CE_WARN, "sha2 _init: "
163 		    "crypto_register_provider() failed (0x%x)", ret);
164 
165 	return (0);
166 }
167 
168 int
169 sha2_mod_fini(void)
170 {
171 	int ret = 0;
172 
173 	if (sha2_prov_handle != 0) {
174 		if ((ret = crypto_unregister_provider(sha2_prov_handle)) !=
175 		    CRYPTO_SUCCESS) {
176 			cmn_err(CE_WARN,
177 			    "sha2 _fini: crypto_unregister_provider() "
178 			    "failed (0x%x)", ret);
179 			return (EBUSY);
180 		}
181 		sha2_prov_handle = 0;
182 	}
183 
184 	return (ret);
185 }
186 
187 /*
188  * KCF software provider digest entry points.
189  */
190 
191 static int
192 sha2_digest_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism)
193 {
194 
195 	/*
196 	 * Allocate and initialize SHA2 context.
197 	 */
198 	ctx->cc_provider_private = kmem_alloc(sizeof (sha2_ctx_t), KM_SLEEP);
199 	if (ctx->cc_provider_private == NULL)
200 		return (CRYPTO_HOST_MEMORY);
201 
202 	PROV_SHA2_CTX(ctx)->sc_mech_type = mechanism->cm_type;
203 	SHA2Init(mechanism->cm_type, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
204 
205 	return (CRYPTO_SUCCESS);
206 }
207 
208 /*
209  * Helper SHA2 digest update function for uio data.
210  */
211 static int
212 sha2_digest_update_uio(SHA2_CTX *sha2_ctx, crypto_data_t *data)
213 {
214 	off_t offset = data->cd_offset;
215 	size_t length = data->cd_length;
216 	uint_t vec_idx = 0;
217 	size_t cur_len;
218 
219 	/* we support only kernel buffer */
220 	if (zfs_uio_segflg(data->cd_uio) != UIO_SYSSPACE)
221 		return (CRYPTO_ARGUMENTS_BAD);
222 
223 	/*
224 	 * Jump to the first iovec containing data to be
225 	 * digested.
226 	 */
227 	offset = zfs_uio_index_at_offset(data->cd_uio, offset, &vec_idx);
228 	if (vec_idx == zfs_uio_iovcnt(data->cd_uio)) {
229 		/*
230 		 * The caller specified an offset that is larger than the
231 		 * total size of the buffers it provided.
232 		 */
233 		return (CRYPTO_DATA_LEN_RANGE);
234 	}
235 
236 	/*
237 	 * Now do the digesting on the iovecs.
238 	 */
239 	while (vec_idx < zfs_uio_iovcnt(data->cd_uio) && length > 0) {
240 		cur_len = MIN(zfs_uio_iovlen(data->cd_uio, vec_idx) -
241 		    offset, length);
242 
243 		SHA2Update(sha2_ctx, (uint8_t *)zfs_uio_iovbase(data->cd_uio,
244 		    vec_idx) + offset, cur_len);
245 		length -= cur_len;
246 		vec_idx++;
247 		offset = 0;
248 	}
249 
250 	if (vec_idx == zfs_uio_iovcnt(data->cd_uio) && length > 0) {
251 		/*
252 		 * The end of the specified iovec's was reached but
253 		 * the length requested could not be processed, i.e.
254 		 * The caller requested to digest more data than it provided.
255 		 */
256 		return (CRYPTO_DATA_LEN_RANGE);
257 	}
258 
259 	return (CRYPTO_SUCCESS);
260 }
261 
262 /*
263  * Helper SHA2 digest final function for uio data.
264  * digest_len is the length of the desired digest. If digest_len
265  * is smaller than the default SHA2 digest length, the caller
266  * must pass a scratch buffer, digest_scratch, which must
267  * be at least the algorithm's digest length bytes.
268  */
269 static int
270 sha2_digest_final_uio(SHA2_CTX *sha2_ctx, crypto_data_t *digest,
271     ulong_t digest_len, uchar_t *digest_scratch)
272 {
273 	off_t offset = digest->cd_offset;
274 	uint_t vec_idx = 0;
275 
276 	/* we support only kernel buffer */
277 	if (zfs_uio_segflg(digest->cd_uio) != UIO_SYSSPACE)
278 		return (CRYPTO_ARGUMENTS_BAD);
279 
280 	/*
281 	 * Jump to the first iovec containing ptr to the digest to
282 	 * be returned.
283 	 */
284 	offset = zfs_uio_index_at_offset(digest->cd_uio, offset, &vec_idx);
285 	if (vec_idx == zfs_uio_iovcnt(digest->cd_uio)) {
286 		/*
287 		 * The caller specified an offset that is
288 		 * larger than the total size of the buffers
289 		 * it provided.
290 		 */
291 		return (CRYPTO_DATA_LEN_RANGE);
292 	}
293 
294 	if (offset + digest_len <=
295 	    zfs_uio_iovlen(digest->cd_uio, vec_idx)) {
296 		/*
297 		 * The computed SHA2 digest will fit in the current
298 		 * iovec.
299 		 */
300 		if (((sha2_ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
301 		    (digest_len != SHA256_DIGEST_LENGTH)) ||
302 		    ((sha2_ctx->algotype > SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
303 		    (digest_len != SHA512_DIGEST_LENGTH))) {
304 			/*
305 			 * The caller requested a short digest. Digest
306 			 * into a scratch buffer and return to
307 			 * the user only what was requested.
308 			 */
309 			SHA2Final(digest_scratch, sha2_ctx);
310 
311 			memcpy((uchar_t *)
312 			    zfs_uio_iovbase(digest->cd_uio, vec_idx) + offset,
313 			    digest_scratch, digest_len);
314 		} else {
315 			SHA2Final((uchar_t *)zfs_uio_iovbase(digest->
316 			    cd_uio, vec_idx) + offset,
317 			    sha2_ctx);
318 
319 		}
320 	} else {
321 		/*
322 		 * The computed digest will be crossing one or more iovec's.
323 		 * This is bad performance-wise but we need to support it.
324 		 * Allocate a small scratch buffer on the stack and
325 		 * copy it piece meal to the specified digest iovec's.
326 		 */
327 		uchar_t digest_tmp[SHA512_DIGEST_LENGTH];
328 		off_t scratch_offset = 0;
329 		size_t length = digest_len;
330 		size_t cur_len;
331 
332 		SHA2Final(digest_tmp, sha2_ctx);
333 
334 		while (vec_idx < zfs_uio_iovcnt(digest->cd_uio) && length > 0) {
335 			cur_len =
336 			    MIN(zfs_uio_iovlen(digest->cd_uio, vec_idx) -
337 			    offset, length);
338 			memcpy(
339 			    zfs_uio_iovbase(digest->cd_uio, vec_idx) + offset,
340 			    digest_tmp + scratch_offset,
341 			    cur_len);
342 
343 			length -= cur_len;
344 			vec_idx++;
345 			scratch_offset += cur_len;
346 			offset = 0;
347 		}
348 
349 		if (vec_idx == zfs_uio_iovcnt(digest->cd_uio) && length > 0) {
350 			/*
351 			 * The end of the specified iovec's was reached but
352 			 * the length requested could not be processed, i.e.
353 			 * The caller requested to digest more data than it
354 			 * provided.
355 			 */
356 			return (CRYPTO_DATA_LEN_RANGE);
357 		}
358 	}
359 
360 	return (CRYPTO_SUCCESS);
361 }
362 
363 static int
364 sha2_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest)
365 {
366 	int ret = CRYPTO_SUCCESS;
367 	uint_t sha_digest_len;
368 
369 	ASSERT(ctx->cc_provider_private != NULL);
370 
371 	switch (PROV_SHA2_CTX(ctx)->sc_mech_type) {
372 	case SHA256_MECH_INFO_TYPE:
373 		sha_digest_len = SHA256_DIGEST_LENGTH;
374 		break;
375 	case SHA384_MECH_INFO_TYPE:
376 		sha_digest_len = SHA384_DIGEST_LENGTH;
377 		break;
378 	case SHA512_MECH_INFO_TYPE:
379 		sha_digest_len = SHA512_DIGEST_LENGTH;
380 		break;
381 	default:
382 		return (CRYPTO_MECHANISM_INVALID);
383 	}
384 
385 	/*
386 	 * We need to just return the length needed to store the output.
387 	 * We should not destroy the context for the following cases.
388 	 */
389 	if ((digest->cd_length == 0) ||
390 	    (digest->cd_length < sha_digest_len)) {
391 		digest->cd_length = sha_digest_len;
392 		return (CRYPTO_BUFFER_TOO_SMALL);
393 	}
394 
395 	/*
396 	 * Do the SHA2 update on the specified input data.
397 	 */
398 	switch (data->cd_format) {
399 	case CRYPTO_DATA_RAW:
400 		SHA2Update(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
401 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
402 		    data->cd_length);
403 		break;
404 	case CRYPTO_DATA_UIO:
405 		ret = sha2_digest_update_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
406 		    data);
407 		break;
408 	default:
409 		ret = CRYPTO_ARGUMENTS_BAD;
410 	}
411 
412 	if (ret != CRYPTO_SUCCESS) {
413 		/* the update failed, free context and bail */
414 		kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
415 		ctx->cc_provider_private = NULL;
416 		digest->cd_length = 0;
417 		return (ret);
418 	}
419 
420 	/*
421 	 * Do a SHA2 final, must be done separately since the digest
422 	 * type can be different than the input data type.
423 	 */
424 	switch (digest->cd_format) {
425 	case CRYPTO_DATA_RAW:
426 		SHA2Final((unsigned char *)digest->cd_raw.iov_base +
427 		    digest->cd_offset, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
428 		break;
429 	case CRYPTO_DATA_UIO:
430 		ret = sha2_digest_final_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
431 		    digest, sha_digest_len, NULL);
432 		break;
433 	default:
434 		ret = CRYPTO_ARGUMENTS_BAD;
435 	}
436 
437 	/* all done, free context and return */
438 
439 	if (ret == CRYPTO_SUCCESS)
440 		digest->cd_length = sha_digest_len;
441 	else
442 		digest->cd_length = 0;
443 
444 	kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
445 	ctx->cc_provider_private = NULL;
446 	return (ret);
447 }
448 
449 static int
450 sha2_digest_update(crypto_ctx_t *ctx, crypto_data_t *data)
451 {
452 	int ret = CRYPTO_SUCCESS;
453 
454 	ASSERT(ctx->cc_provider_private != NULL);
455 
456 	/*
457 	 * Do the SHA2 update on the specified input data.
458 	 */
459 	switch (data->cd_format) {
460 	case CRYPTO_DATA_RAW:
461 		SHA2Update(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
462 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
463 		    data->cd_length);
464 		break;
465 	case CRYPTO_DATA_UIO:
466 		ret = sha2_digest_update_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
467 		    data);
468 		break;
469 	default:
470 		ret = CRYPTO_ARGUMENTS_BAD;
471 	}
472 
473 	return (ret);
474 }
475 
476 static int
477 sha2_digest_final(crypto_ctx_t *ctx, crypto_data_t *digest)
478 {
479 	int ret = CRYPTO_SUCCESS;
480 	uint_t sha_digest_len;
481 
482 	ASSERT(ctx->cc_provider_private != NULL);
483 
484 	switch (PROV_SHA2_CTX(ctx)->sc_mech_type) {
485 	case SHA256_MECH_INFO_TYPE:
486 		sha_digest_len = SHA256_DIGEST_LENGTH;
487 		break;
488 	case SHA384_MECH_INFO_TYPE:
489 		sha_digest_len = SHA384_DIGEST_LENGTH;
490 		break;
491 	case SHA512_MECH_INFO_TYPE:
492 		sha_digest_len = SHA512_DIGEST_LENGTH;
493 		break;
494 	default:
495 		return (CRYPTO_MECHANISM_INVALID);
496 	}
497 
498 	/*
499 	 * We need to just return the length needed to store the output.
500 	 * We should not destroy the context for the following cases.
501 	 */
502 	if ((digest->cd_length == 0) ||
503 	    (digest->cd_length < sha_digest_len)) {
504 		digest->cd_length = sha_digest_len;
505 		return (CRYPTO_BUFFER_TOO_SMALL);
506 	}
507 
508 	/*
509 	 * Do a SHA2 final.
510 	 */
511 	switch (digest->cd_format) {
512 	case CRYPTO_DATA_RAW:
513 		SHA2Final((unsigned char *)digest->cd_raw.iov_base +
514 		    digest->cd_offset, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
515 		break;
516 	case CRYPTO_DATA_UIO:
517 		ret = sha2_digest_final_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
518 		    digest, sha_digest_len, NULL);
519 		break;
520 	default:
521 		ret = CRYPTO_ARGUMENTS_BAD;
522 	}
523 
524 	/* all done, free context and return */
525 
526 	if (ret == CRYPTO_SUCCESS)
527 		digest->cd_length = sha_digest_len;
528 	else
529 		digest->cd_length = 0;
530 
531 	kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
532 	ctx->cc_provider_private = NULL;
533 
534 	return (ret);
535 }
536 
537 static int
538 sha2_digest_atomic(crypto_mechanism_t *mechanism, crypto_data_t *data,
539     crypto_data_t *digest)
540 {
541 	int ret = CRYPTO_SUCCESS;
542 	SHA2_CTX sha2_ctx;
543 	uint32_t sha_digest_len;
544 
545 	/*
546 	 * Do the SHA inits.
547 	 */
548 
549 	SHA2Init(mechanism->cm_type, &sha2_ctx);
550 
551 	switch (data->cd_format) {
552 	case CRYPTO_DATA_RAW:
553 		SHA2Update(&sha2_ctx, (uint8_t *)data->
554 		    cd_raw.iov_base + data->cd_offset, data->cd_length);
555 		break;
556 	case CRYPTO_DATA_UIO:
557 		ret = sha2_digest_update_uio(&sha2_ctx, data);
558 		break;
559 	default:
560 		ret = CRYPTO_ARGUMENTS_BAD;
561 	}
562 
563 	/*
564 	 * Do the SHA updates on the specified input data.
565 	 */
566 
567 	if (ret != CRYPTO_SUCCESS) {
568 		/* the update failed, bail */
569 		digest->cd_length = 0;
570 		return (ret);
571 	}
572 
573 	if (mechanism->cm_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE)
574 		sha_digest_len = SHA256_DIGEST_LENGTH;
575 	else
576 		sha_digest_len = SHA512_DIGEST_LENGTH;
577 
578 	/*
579 	 * Do a SHA2 final, must be done separately since the digest
580 	 * type can be different than the input data type.
581 	 */
582 	switch (digest->cd_format) {
583 	case CRYPTO_DATA_RAW:
584 		SHA2Final((unsigned char *)digest->cd_raw.iov_base +
585 		    digest->cd_offset, &sha2_ctx);
586 		break;
587 	case CRYPTO_DATA_UIO:
588 		ret = sha2_digest_final_uio(&sha2_ctx, digest,
589 		    sha_digest_len, NULL);
590 		break;
591 	default:
592 		ret = CRYPTO_ARGUMENTS_BAD;
593 	}
594 
595 	if (ret == CRYPTO_SUCCESS)
596 		digest->cd_length = sha_digest_len;
597 	else
598 		digest->cd_length = 0;
599 
600 	return (ret);
601 }
602 
603 /*
604  * KCF software provider mac entry points.
605  *
606  * SHA2 HMAC is: SHA2(key XOR opad, SHA2(key XOR ipad, text))
607  *
608  * Init:
609  * The initialization routine initializes what we denote
610  * as the inner and outer contexts by doing
611  * - for inner context: SHA2(key XOR ipad)
612  * - for outer context: SHA2(key XOR opad)
613  *
614  * Update:
615  * Each subsequent SHA2 HMAC update will result in an
616  * update of the inner context with the specified data.
617  *
618  * Final:
619  * The SHA2 HMAC final will do a SHA2 final operation on the
620  * inner context, and the resulting digest will be used
621  * as the data for an update on the outer context. Last
622  * but not least, a SHA2 final on the outer context will
623  * be performed to obtain the SHA2 HMAC digest to return
624  * to the user.
625  */
626 
627 /*
628  * Initialize a SHA2-HMAC context.
629  */
630 static void
631 sha2_mac_init_ctx(sha2_hmac_ctx_t *ctx, void *keyval, uint_t length_in_bytes)
632 {
633 	uint64_t ipad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)] = {0};
634 	uint64_t opad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)] = {0};
635 	int i, block_size, blocks_per_int64;
636 
637 	/* Determine the block size */
638 	if (ctx->hc_mech_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE) {
639 		block_size = SHA256_HMAC_BLOCK_SIZE;
640 		blocks_per_int64 = SHA256_HMAC_BLOCK_SIZE / sizeof (uint64_t);
641 	} else {
642 		block_size = SHA512_HMAC_BLOCK_SIZE;
643 		blocks_per_int64 = SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t);
644 	}
645 
646 	(void) memset(ipad, 0, block_size);
647 	(void) memset(opad, 0, block_size);
648 
649 	if (keyval != NULL) {
650 		(void) memcpy(ipad, keyval, length_in_bytes);
651 		(void) memcpy(opad, keyval, length_in_bytes);
652 	} else {
653 		ASSERT0(length_in_bytes);
654 	}
655 
656 	/* XOR key with ipad (0x36) and opad (0x5c) */
657 	for (i = 0; i < blocks_per_int64; i ++) {
658 		ipad[i] ^= 0x3636363636363636;
659 		opad[i] ^= 0x5c5c5c5c5c5c5c5c;
660 	}
661 
662 	/* perform SHA2 on ipad */
663 	SHA2Init(ctx->hc_mech_type, &ctx->hc_icontext);
664 	SHA2Update(&ctx->hc_icontext, (uint8_t *)ipad, block_size);
665 
666 	/* perform SHA2 on opad */
667 	SHA2Init(ctx->hc_mech_type, &ctx->hc_ocontext);
668 	SHA2Update(&ctx->hc_ocontext, (uint8_t *)opad, block_size);
669 }
670 
671 /*
672  */
673 static int
674 sha2_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
675     crypto_key_t *key, crypto_spi_ctx_template_t ctx_template)
676 {
677 	int ret = CRYPTO_SUCCESS;
678 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
679 	uint_t sha_digest_len, sha_hmac_block_size;
680 
681 	/*
682 	 * Set the digest length and block size to values appropriate to the
683 	 * mechanism
684 	 */
685 	switch (mechanism->cm_type) {
686 	case SHA256_HMAC_MECH_INFO_TYPE:
687 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
688 		sha_digest_len = SHA256_DIGEST_LENGTH;
689 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
690 		break;
691 	case SHA384_HMAC_MECH_INFO_TYPE:
692 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
693 	case SHA512_HMAC_MECH_INFO_TYPE:
694 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
695 		sha_digest_len = SHA512_DIGEST_LENGTH;
696 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
697 		break;
698 	default:
699 		return (CRYPTO_MECHANISM_INVALID);
700 	}
701 
702 	ctx->cc_provider_private =
703 	    kmem_alloc(sizeof (sha2_hmac_ctx_t), KM_SLEEP);
704 	if (ctx->cc_provider_private == NULL)
705 		return (CRYPTO_HOST_MEMORY);
706 
707 	PROV_SHA2_HMAC_CTX(ctx)->hc_mech_type = mechanism->cm_type;
708 	if (ctx_template != NULL) {
709 		/* reuse context template */
710 		memcpy(PROV_SHA2_HMAC_CTX(ctx), ctx_template,
711 		    sizeof (sha2_hmac_ctx_t));
712 	} else {
713 		/* no context template, compute context */
714 		if (keylen_in_bytes > sha_hmac_block_size) {
715 			uchar_t digested_key[SHA512_DIGEST_LENGTH];
716 			sha2_hmac_ctx_t *hmac_ctx = ctx->cc_provider_private;
717 
718 			/*
719 			 * Hash the passed-in key to get a smaller key.
720 			 * The inner context is used since it hasn't been
721 			 * initialized yet.
722 			 */
723 			PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
724 			    &hmac_ctx->hc_icontext,
725 			    key->ck_data, keylen_in_bytes, digested_key);
726 			sha2_mac_init_ctx(PROV_SHA2_HMAC_CTX(ctx),
727 			    digested_key, sha_digest_len);
728 		} else {
729 			sha2_mac_init_ctx(PROV_SHA2_HMAC_CTX(ctx),
730 			    key->ck_data, keylen_in_bytes);
731 		}
732 	}
733 
734 	/*
735 	 * Get the mechanism parameters, if applicable.
736 	 */
737 	if (mechanism->cm_type % 3 == 2) {
738 		if (mechanism->cm_param == NULL ||
739 		    mechanism->cm_param_len != sizeof (ulong_t)) {
740 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
741 		} else {
742 			PROV_SHA2_GET_DIGEST_LEN(mechanism,
743 			    PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len);
744 			if (PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len >
745 			    sha_digest_len)
746 				ret = CRYPTO_MECHANISM_PARAM_INVALID;
747 		}
748 	}
749 
750 	if (ret != CRYPTO_SUCCESS) {
751 		memset(ctx->cc_provider_private, 0, sizeof (sha2_hmac_ctx_t));
752 		kmem_free(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
753 		ctx->cc_provider_private = NULL;
754 	}
755 
756 	return (ret);
757 }
758 
759 static int
760 sha2_mac_update(crypto_ctx_t *ctx, crypto_data_t *data)
761 {
762 	int ret = CRYPTO_SUCCESS;
763 
764 	ASSERT(ctx->cc_provider_private != NULL);
765 
766 	/*
767 	 * Do a SHA2 update of the inner context using the specified
768 	 * data.
769 	 */
770 	switch (data->cd_format) {
771 	case CRYPTO_DATA_RAW:
772 		SHA2Update(&PROV_SHA2_HMAC_CTX(ctx)->hc_icontext,
773 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
774 		    data->cd_length);
775 		break;
776 	case CRYPTO_DATA_UIO:
777 		ret = sha2_digest_update_uio(
778 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext, data);
779 		break;
780 	default:
781 		ret = CRYPTO_ARGUMENTS_BAD;
782 	}
783 
784 	return (ret);
785 }
786 
787 static int
788 sha2_mac_final(crypto_ctx_t *ctx, crypto_data_t *mac)
789 {
790 	int ret = CRYPTO_SUCCESS;
791 	uchar_t digest[SHA512_DIGEST_LENGTH];
792 	uint32_t digest_len, sha_digest_len;
793 
794 	ASSERT(ctx->cc_provider_private != NULL);
795 
796 	/* Set the digest lengths to values appropriate to the mechanism */
797 	switch (PROV_SHA2_HMAC_CTX(ctx)->hc_mech_type) {
798 	case SHA256_HMAC_MECH_INFO_TYPE:
799 		sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
800 		break;
801 	case SHA384_HMAC_MECH_INFO_TYPE:
802 		sha_digest_len = digest_len = SHA384_DIGEST_LENGTH;
803 		break;
804 	case SHA512_HMAC_MECH_INFO_TYPE:
805 		sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
806 		break;
807 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
808 		sha_digest_len = SHA256_DIGEST_LENGTH;
809 		digest_len = PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len;
810 		break;
811 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
812 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
813 		sha_digest_len = SHA512_DIGEST_LENGTH;
814 		digest_len = PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len;
815 		break;
816 	default:
817 		return (CRYPTO_ARGUMENTS_BAD);
818 	}
819 
820 	/*
821 	 * We need to just return the length needed to store the output.
822 	 * We should not destroy the context for the following cases.
823 	 */
824 	if ((mac->cd_length == 0) || (mac->cd_length < digest_len)) {
825 		mac->cd_length = digest_len;
826 		return (CRYPTO_BUFFER_TOO_SMALL);
827 	}
828 
829 	/*
830 	 * Do a SHA2 final on the inner context.
831 	 */
832 	SHA2Final(digest, &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext);
833 
834 	/*
835 	 * Do a SHA2 update on the outer context, feeding the inner
836 	 * digest as data.
837 	 */
838 	SHA2Update(&PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, digest,
839 	    sha_digest_len);
840 
841 	/*
842 	 * Do a SHA2 final on the outer context, storing the computing
843 	 * digest in the users buffer.
844 	 */
845 	switch (mac->cd_format) {
846 	case CRYPTO_DATA_RAW:
847 		if (digest_len != sha_digest_len) {
848 			/*
849 			 * The caller requested a short digest. Digest
850 			 * into a scratch buffer and return to
851 			 * the user only what was requested.
852 			 */
853 			SHA2Final(digest,
854 			    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext);
855 			memcpy((unsigned char *)mac->cd_raw.iov_base +
856 			    mac->cd_offset, digest, digest_len);
857 		} else {
858 			SHA2Final((unsigned char *)mac->cd_raw.iov_base +
859 			    mac->cd_offset,
860 			    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext);
861 		}
862 		break;
863 	case CRYPTO_DATA_UIO:
864 		ret = sha2_digest_final_uio(
865 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, mac,
866 		    digest_len, digest);
867 		break;
868 	default:
869 		ret = CRYPTO_ARGUMENTS_BAD;
870 	}
871 
872 	if (ret == CRYPTO_SUCCESS)
873 		mac->cd_length = digest_len;
874 	else
875 		mac->cd_length = 0;
876 
877 	memset(ctx->cc_provider_private, 0, sizeof (sha2_hmac_ctx_t));
878 	kmem_free(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
879 	ctx->cc_provider_private = NULL;
880 
881 	return (ret);
882 }
883 
884 #define	SHA2_MAC_UPDATE(data, ctx, ret) {				\
885 	switch (data->cd_format) {					\
886 	case CRYPTO_DATA_RAW:						\
887 		SHA2Update(&(ctx).hc_icontext,				\
888 		    (uint8_t *)data->cd_raw.iov_base +			\
889 		    data->cd_offset, data->cd_length);			\
890 		break;							\
891 	case CRYPTO_DATA_UIO:						\
892 		ret = sha2_digest_update_uio(&(ctx).hc_icontext, data);	\
893 		break;							\
894 	default:							\
895 		ret = CRYPTO_ARGUMENTS_BAD;				\
896 	}								\
897 }
898 
899 static int
900 sha2_mac_atomic(crypto_mechanism_t *mechanism,
901     crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
902     crypto_spi_ctx_template_t ctx_template)
903 {
904 	int ret = CRYPTO_SUCCESS;
905 	uchar_t digest[SHA512_DIGEST_LENGTH];
906 	sha2_hmac_ctx_t sha2_hmac_ctx;
907 	uint32_t sha_digest_len, digest_len, sha_hmac_block_size;
908 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
909 
910 	/*
911 	 * Set the digest length and block size to values appropriate to the
912 	 * mechanism
913 	 */
914 	switch (mechanism->cm_type) {
915 	case SHA256_HMAC_MECH_INFO_TYPE:
916 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
917 		sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
918 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
919 		break;
920 	case SHA384_HMAC_MECH_INFO_TYPE:
921 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
922 	case SHA512_HMAC_MECH_INFO_TYPE:
923 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
924 		sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
925 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
926 		break;
927 	default:
928 		return (CRYPTO_MECHANISM_INVALID);
929 	}
930 
931 	if (ctx_template != NULL) {
932 		/* reuse context template */
933 		memcpy(&sha2_hmac_ctx, ctx_template, sizeof (sha2_hmac_ctx_t));
934 	} else {
935 		sha2_hmac_ctx.hc_mech_type = mechanism->cm_type;
936 		/* no context template, initialize context */
937 		if (keylen_in_bytes > sha_hmac_block_size) {
938 			/*
939 			 * Hash the passed-in key to get a smaller key.
940 			 * The inner context is used since it hasn't been
941 			 * initialized yet.
942 			 */
943 			PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
944 			    &sha2_hmac_ctx.hc_icontext,
945 			    key->ck_data, keylen_in_bytes, digest);
946 			sha2_mac_init_ctx(&sha2_hmac_ctx, digest,
947 			    sha_digest_len);
948 		} else {
949 			sha2_mac_init_ctx(&sha2_hmac_ctx, key->ck_data,
950 			    keylen_in_bytes);
951 		}
952 	}
953 
954 	/* get the mechanism parameters, if applicable */
955 	if ((mechanism->cm_type % 3) == 2) {
956 		if (mechanism->cm_param == NULL ||
957 		    mechanism->cm_param_len != sizeof (ulong_t)) {
958 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
959 			goto bail;
960 		}
961 		PROV_SHA2_GET_DIGEST_LEN(mechanism, digest_len);
962 		if (digest_len > sha_digest_len) {
963 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
964 			goto bail;
965 		}
966 	}
967 
968 	/* do a SHA2 update of the inner context using the specified data */
969 	SHA2_MAC_UPDATE(data, sha2_hmac_ctx, ret);
970 	if (ret != CRYPTO_SUCCESS)
971 		/* the update failed, free context and bail */
972 		goto bail;
973 
974 	/*
975 	 * Do a SHA2 final on the inner context.
976 	 */
977 	SHA2Final(digest, &sha2_hmac_ctx.hc_icontext);
978 
979 	/*
980 	 * Do an SHA2 update on the outer context, feeding the inner
981 	 * digest as data.
982 	 *
983 	 * HMAC-SHA384 needs special handling as the outer hash needs only 48
984 	 * bytes of the inner hash value.
985 	 */
986 	if (mechanism->cm_type == SHA384_HMAC_MECH_INFO_TYPE ||
987 	    mechanism->cm_type == SHA384_HMAC_GEN_MECH_INFO_TYPE)
988 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest,
989 		    SHA384_DIGEST_LENGTH);
990 	else
991 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, sha_digest_len);
992 
993 	/*
994 	 * Do a SHA2 final on the outer context, storing the computed
995 	 * digest in the users buffer.
996 	 */
997 	switch (mac->cd_format) {
998 	case CRYPTO_DATA_RAW:
999 		if (digest_len != sha_digest_len) {
1000 			/*
1001 			 * The caller requested a short digest. Digest
1002 			 * into a scratch buffer and return to
1003 			 * the user only what was requested.
1004 			 */
1005 			SHA2Final(digest, &sha2_hmac_ctx.hc_ocontext);
1006 			memcpy((unsigned char *)mac->cd_raw.iov_base +
1007 			    mac->cd_offset, digest, digest_len);
1008 		} else {
1009 			SHA2Final((unsigned char *)mac->cd_raw.iov_base +
1010 			    mac->cd_offset, &sha2_hmac_ctx.hc_ocontext);
1011 		}
1012 		break;
1013 	case CRYPTO_DATA_UIO:
1014 		ret = sha2_digest_final_uio(&sha2_hmac_ctx.hc_ocontext, mac,
1015 		    digest_len, digest);
1016 		break;
1017 	default:
1018 		ret = CRYPTO_ARGUMENTS_BAD;
1019 	}
1020 
1021 	if (ret == CRYPTO_SUCCESS) {
1022 		mac->cd_length = digest_len;
1023 		return (CRYPTO_SUCCESS);
1024 	}
1025 bail:
1026 	memset(&sha2_hmac_ctx, 0, sizeof (sha2_hmac_ctx_t));
1027 	mac->cd_length = 0;
1028 	return (ret);
1029 }
1030 
1031 static int
1032 sha2_mac_verify_atomic(crypto_mechanism_t *mechanism,
1033     crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1034     crypto_spi_ctx_template_t ctx_template)
1035 {
1036 	int ret = CRYPTO_SUCCESS;
1037 	uchar_t digest[SHA512_DIGEST_LENGTH];
1038 	sha2_hmac_ctx_t sha2_hmac_ctx;
1039 	uint32_t sha_digest_len, digest_len, sha_hmac_block_size;
1040 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1041 
1042 	/*
1043 	 * Set the digest length and block size to values appropriate to the
1044 	 * mechanism
1045 	 */
1046 	switch (mechanism->cm_type) {
1047 	case SHA256_HMAC_MECH_INFO_TYPE:
1048 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1049 		sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1050 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1051 		break;
1052 	case SHA384_HMAC_MECH_INFO_TYPE:
1053 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1054 	case SHA512_HMAC_MECH_INFO_TYPE:
1055 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1056 		sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1057 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1058 		break;
1059 	default:
1060 		return (CRYPTO_MECHANISM_INVALID);
1061 	}
1062 
1063 	if (ctx_template != NULL) {
1064 		/* reuse context template */
1065 		memcpy(&sha2_hmac_ctx, ctx_template, sizeof (sha2_hmac_ctx_t));
1066 	} else {
1067 		sha2_hmac_ctx.hc_mech_type = mechanism->cm_type;
1068 		/* no context template, initialize context */
1069 		if (keylen_in_bytes > sha_hmac_block_size) {
1070 			/*
1071 			 * Hash the passed-in key to get a smaller key.
1072 			 * The inner context is used since it hasn't been
1073 			 * initialized yet.
1074 			 */
1075 			PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1076 			    &sha2_hmac_ctx.hc_icontext,
1077 			    key->ck_data, keylen_in_bytes, digest);
1078 			sha2_mac_init_ctx(&sha2_hmac_ctx, digest,
1079 			    sha_digest_len);
1080 		} else {
1081 			sha2_mac_init_ctx(&sha2_hmac_ctx, key->ck_data,
1082 			    keylen_in_bytes);
1083 		}
1084 	}
1085 
1086 	/* get the mechanism parameters, if applicable */
1087 	if (mechanism->cm_type % 3 == 2) {
1088 		if (mechanism->cm_param == NULL ||
1089 		    mechanism->cm_param_len != sizeof (ulong_t)) {
1090 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1091 			goto bail;
1092 		}
1093 		PROV_SHA2_GET_DIGEST_LEN(mechanism, digest_len);
1094 		if (digest_len > sha_digest_len) {
1095 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1096 			goto bail;
1097 		}
1098 	}
1099 
1100 	if (mac->cd_length != digest_len) {
1101 		ret = CRYPTO_INVALID_MAC;
1102 		goto bail;
1103 	}
1104 
1105 	/* do a SHA2 update of the inner context using the specified data */
1106 	SHA2_MAC_UPDATE(data, sha2_hmac_ctx, ret);
1107 	if (ret != CRYPTO_SUCCESS)
1108 		/* the update failed, free context and bail */
1109 		goto bail;
1110 
1111 	/* do a SHA2 final on the inner context */
1112 	SHA2Final(digest, &sha2_hmac_ctx.hc_icontext);
1113 
1114 	/*
1115 	 * Do an SHA2 update on the outer context, feeding the inner
1116 	 * digest as data.
1117 	 *
1118 	 * HMAC-SHA384 needs special handling as the outer hash needs only 48
1119 	 * bytes of the inner hash value.
1120 	 */
1121 	if (mechanism->cm_type == SHA384_HMAC_MECH_INFO_TYPE ||
1122 	    mechanism->cm_type == SHA384_HMAC_GEN_MECH_INFO_TYPE)
1123 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest,
1124 		    SHA384_DIGEST_LENGTH);
1125 	else
1126 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, sha_digest_len);
1127 
1128 	/*
1129 	 * Do a SHA2 final on the outer context, storing the computed
1130 	 * digest in the users buffer.
1131 	 */
1132 	SHA2Final(digest, &sha2_hmac_ctx.hc_ocontext);
1133 
1134 	/*
1135 	 * Compare the computed digest against the expected digest passed
1136 	 * as argument.
1137 	 */
1138 
1139 	switch (mac->cd_format) {
1140 
1141 	case CRYPTO_DATA_RAW:
1142 		if (memcmp(digest, (unsigned char *)mac->cd_raw.iov_base +
1143 		    mac->cd_offset, digest_len) != 0)
1144 			ret = CRYPTO_INVALID_MAC;
1145 		break;
1146 
1147 	case CRYPTO_DATA_UIO: {
1148 		off_t offset = mac->cd_offset;
1149 		uint_t vec_idx = 0;
1150 		off_t scratch_offset = 0;
1151 		size_t length = digest_len;
1152 		size_t cur_len;
1153 
1154 		/* we support only kernel buffer */
1155 		if (zfs_uio_segflg(mac->cd_uio) != UIO_SYSSPACE)
1156 			return (CRYPTO_ARGUMENTS_BAD);
1157 
1158 		/* jump to the first iovec containing the expected digest */
1159 		offset = zfs_uio_index_at_offset(mac->cd_uio, offset, &vec_idx);
1160 		if (vec_idx == zfs_uio_iovcnt(mac->cd_uio)) {
1161 			/*
1162 			 * The caller specified an offset that is
1163 			 * larger than the total size of the buffers
1164 			 * it provided.
1165 			 */
1166 			ret = CRYPTO_DATA_LEN_RANGE;
1167 			break;
1168 		}
1169 
1170 		/* do the comparison of computed digest vs specified one */
1171 		while (vec_idx < zfs_uio_iovcnt(mac->cd_uio) && length > 0) {
1172 			cur_len = MIN(zfs_uio_iovlen(mac->cd_uio, vec_idx) -
1173 			    offset, length);
1174 
1175 			if (memcmp(digest + scratch_offset,
1176 			    zfs_uio_iovbase(mac->cd_uio, vec_idx) + offset,
1177 			    cur_len) != 0) {
1178 				ret = CRYPTO_INVALID_MAC;
1179 				break;
1180 			}
1181 
1182 			length -= cur_len;
1183 			vec_idx++;
1184 			scratch_offset += cur_len;
1185 			offset = 0;
1186 		}
1187 		break;
1188 	}
1189 
1190 	default:
1191 		ret = CRYPTO_ARGUMENTS_BAD;
1192 	}
1193 
1194 	return (ret);
1195 bail:
1196 	memset(&sha2_hmac_ctx, 0, sizeof (sha2_hmac_ctx_t));
1197 	mac->cd_length = 0;
1198 	return (ret);
1199 }
1200 
1201 /*
1202  * KCF software provider context management entry points.
1203  */
1204 
1205 static int
1206 sha2_create_ctx_template(crypto_mechanism_t *mechanism, crypto_key_t *key,
1207     crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size)
1208 {
1209 	sha2_hmac_ctx_t *sha2_hmac_ctx_tmpl;
1210 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1211 	uint32_t sha_digest_len, sha_hmac_block_size;
1212 
1213 	/*
1214 	 * Set the digest length and block size to values appropriate to the
1215 	 * mechanism
1216 	 */
1217 	switch (mechanism->cm_type) {
1218 	case SHA256_HMAC_MECH_INFO_TYPE:
1219 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1220 		sha_digest_len = SHA256_DIGEST_LENGTH;
1221 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1222 		break;
1223 	case SHA384_HMAC_MECH_INFO_TYPE:
1224 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1225 	case SHA512_HMAC_MECH_INFO_TYPE:
1226 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1227 		sha_digest_len = SHA512_DIGEST_LENGTH;
1228 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1229 		break;
1230 	default:
1231 		return (CRYPTO_MECHANISM_INVALID);
1232 	}
1233 
1234 	/*
1235 	 * Allocate and initialize SHA2 context.
1236 	 */
1237 	sha2_hmac_ctx_tmpl = kmem_alloc(sizeof (sha2_hmac_ctx_t), KM_SLEEP);
1238 	if (sha2_hmac_ctx_tmpl == NULL)
1239 		return (CRYPTO_HOST_MEMORY);
1240 
1241 	sha2_hmac_ctx_tmpl->hc_mech_type = mechanism->cm_type;
1242 
1243 	if (keylen_in_bytes > sha_hmac_block_size) {
1244 		uchar_t digested_key[SHA512_DIGEST_LENGTH];
1245 
1246 		/*
1247 		 * Hash the passed-in key to get a smaller key.
1248 		 * The inner context is used since it hasn't been
1249 		 * initialized yet.
1250 		 */
1251 		PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1252 		    &sha2_hmac_ctx_tmpl->hc_icontext,
1253 		    key->ck_data, keylen_in_bytes, digested_key);
1254 		sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, digested_key,
1255 		    sha_digest_len);
1256 	} else {
1257 		sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, key->ck_data,
1258 		    keylen_in_bytes);
1259 	}
1260 
1261 	*ctx_template = (crypto_spi_ctx_template_t)sha2_hmac_ctx_tmpl;
1262 	*ctx_template_size = sizeof (sha2_hmac_ctx_t);
1263 
1264 	return (CRYPTO_SUCCESS);
1265 }
1266 
1267 static int
1268 sha2_free_context(crypto_ctx_t *ctx)
1269 {
1270 	uint_t ctx_len;
1271 
1272 	if (ctx->cc_provider_private == NULL)
1273 		return (CRYPTO_SUCCESS);
1274 
1275 	/*
1276 	 * We have to free either SHA2 or SHA2-HMAC contexts, which
1277 	 * have different lengths.
1278 	 *
1279 	 * Note: Below is dependent on the mechanism ordering.
1280 	 */
1281 
1282 	if (PROV_SHA2_CTX(ctx)->sc_mech_type % 3 == 0)
1283 		ctx_len = sizeof (sha2_ctx_t);
1284 	else
1285 		ctx_len = sizeof (sha2_hmac_ctx_t);
1286 
1287 	memset(ctx->cc_provider_private, 0, ctx_len);
1288 	kmem_free(ctx->cc_provider_private, ctx_len);
1289 	ctx->cc_provider_private = NULL;
1290 
1291 	return (CRYPTO_SUCCESS);
1292 }
1293