xref: /freebsd/sys/contrib/openzfs/module/icp/io/sha2_mod.c (revision 924226fba12cc9a228c73b956e1b7fa24c60b055)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #include <sys/zfs_context.h>
28 #include <sys/crypto/common.h>
29 #include <sys/crypto/spi.h>
30 #include <sys/crypto/icp.h>
31 #define	_SHA2_IMPL
32 #include <sys/sha2.h>
33 #include <sha2/sha2_impl.h>
34 
35 /*
36  * Macros to access the SHA2 or SHA2-HMAC contexts from a context passed
37  * by KCF to one of the entry points.
38  */
39 
40 #define	PROV_SHA2_CTX(ctx)	((sha2_ctx_t *)(ctx)->cc_provider_private)
41 #define	PROV_SHA2_HMAC_CTX(ctx)	((sha2_hmac_ctx_t *)(ctx)->cc_provider_private)
42 
43 /* to extract the digest length passed as mechanism parameter */
44 #define	PROV_SHA2_GET_DIGEST_LEN(m, len) {				\
45 	if (IS_P2ALIGNED((m)->cm_param, sizeof (ulong_t)))		\
46 		(len) = (uint32_t)*((ulong_t *)(m)->cm_param);	\
47 	else {								\
48 		ulong_t tmp_ulong;					\
49 		memcpy(&tmp_ulong, (m)->cm_param, sizeof (ulong_t));	\
50 		(len) = (uint32_t)tmp_ulong;				\
51 	}								\
52 }
53 
54 #define	PROV_SHA2_DIGEST_KEY(mech, ctx, key, len, digest) {	\
55 	SHA2Init(mech, ctx);				\
56 	SHA2Update(ctx, key, len);			\
57 	SHA2Final(digest, ctx);				\
58 }
59 
60 /*
61  * Mechanism info structure passed to KCF during registration.
62  */
63 static const crypto_mech_info_t sha2_mech_info_tab[] = {
64 	/* SHA256 */
65 	{SUN_CKM_SHA256, SHA256_MECH_INFO_TYPE,
66 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC},
67 	/* SHA256-HMAC */
68 	{SUN_CKM_SHA256_HMAC, SHA256_HMAC_MECH_INFO_TYPE,
69 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC},
70 	/* SHA256-HMAC GENERAL */
71 	{SUN_CKM_SHA256_HMAC_GENERAL, SHA256_HMAC_GEN_MECH_INFO_TYPE,
72 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC},
73 	/* SHA384 */
74 	{SUN_CKM_SHA384, SHA384_MECH_INFO_TYPE,
75 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC},
76 	/* SHA384-HMAC */
77 	{SUN_CKM_SHA384_HMAC, SHA384_HMAC_MECH_INFO_TYPE,
78 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC},
79 	/* SHA384-HMAC GENERAL */
80 	{SUN_CKM_SHA384_HMAC_GENERAL, SHA384_HMAC_GEN_MECH_INFO_TYPE,
81 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC},
82 	/* SHA512 */
83 	{SUN_CKM_SHA512, SHA512_MECH_INFO_TYPE,
84 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC},
85 	/* SHA512-HMAC */
86 	{SUN_CKM_SHA512_HMAC, SHA512_HMAC_MECH_INFO_TYPE,
87 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC},
88 	/* SHA512-HMAC GENERAL */
89 	{SUN_CKM_SHA512_HMAC_GENERAL, SHA512_HMAC_GEN_MECH_INFO_TYPE,
90 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC},
91 };
92 
93 static int sha2_digest_init(crypto_ctx_t *, crypto_mechanism_t *);
94 static int sha2_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *);
95 static int sha2_digest_update(crypto_ctx_t *, crypto_data_t *);
96 static int sha2_digest_final(crypto_ctx_t *, crypto_data_t *);
97 static int sha2_digest_atomic(crypto_mechanism_t *, crypto_data_t *,
98     crypto_data_t *);
99 
100 static const crypto_digest_ops_t sha2_digest_ops = {
101 	.digest_init = sha2_digest_init,
102 	.digest = sha2_digest,
103 	.digest_update = sha2_digest_update,
104 	.digest_final = sha2_digest_final,
105 	.digest_atomic = sha2_digest_atomic
106 };
107 
108 static int sha2_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *,
109     crypto_spi_ctx_template_t);
110 static int sha2_mac_update(crypto_ctx_t *, crypto_data_t *);
111 static int sha2_mac_final(crypto_ctx_t *, crypto_data_t *);
112 static int sha2_mac_atomic(crypto_mechanism_t *, crypto_key_t *,
113     crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t);
114 static int sha2_mac_verify_atomic(crypto_mechanism_t *, crypto_key_t *,
115     crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t);
116 
117 static const crypto_mac_ops_t sha2_mac_ops = {
118 	.mac_init = sha2_mac_init,
119 	.mac = NULL,
120 	.mac_update = sha2_mac_update,
121 	.mac_final = sha2_mac_final,
122 	.mac_atomic = sha2_mac_atomic,
123 	.mac_verify_atomic = sha2_mac_verify_atomic
124 };
125 
126 static int sha2_create_ctx_template(crypto_mechanism_t *, crypto_key_t *,
127     crypto_spi_ctx_template_t *, size_t *);
128 static int sha2_free_context(crypto_ctx_t *);
129 
130 static const crypto_ctx_ops_t sha2_ctx_ops = {
131 	.create_ctx_template = sha2_create_ctx_template,
132 	.free_context = sha2_free_context
133 };
134 
135 static const crypto_ops_t sha2_crypto_ops = {
136 	&sha2_digest_ops,
137 	NULL,
138 	&sha2_mac_ops,
139 	&sha2_ctx_ops,
140 };
141 
142 static const crypto_provider_info_t sha2_prov_info = {
143 	"SHA2 Software Provider",
144 	&sha2_crypto_ops,
145 	sizeof (sha2_mech_info_tab) / sizeof (crypto_mech_info_t),
146 	sha2_mech_info_tab
147 };
148 
149 static crypto_kcf_provider_handle_t sha2_prov_handle = 0;
150 
151 int
152 sha2_mod_init(void)
153 {
154 	int ret;
155 
156 	/*
157 	 * Register with KCF. If the registration fails, log an
158 	 * error but do not uninstall the module, since the functionality
159 	 * provided by misc/sha2 should still be available.
160 	 */
161 	if ((ret = crypto_register_provider(&sha2_prov_info,
162 	    &sha2_prov_handle)) != CRYPTO_SUCCESS)
163 		cmn_err(CE_WARN, "sha2 _init: "
164 		    "crypto_register_provider() failed (0x%x)", ret);
165 
166 	return (0);
167 }
168 
169 int
170 sha2_mod_fini(void)
171 {
172 	int ret = 0;
173 
174 	if (sha2_prov_handle != 0) {
175 		if ((ret = crypto_unregister_provider(sha2_prov_handle)) !=
176 		    CRYPTO_SUCCESS) {
177 			cmn_err(CE_WARN,
178 			    "sha2 _fini: crypto_unregister_provider() "
179 			    "failed (0x%x)", ret);
180 			return (EBUSY);
181 		}
182 		sha2_prov_handle = 0;
183 	}
184 
185 	return (ret);
186 }
187 
188 /*
189  * KCF software provider digest entry points.
190  */
191 
192 static int
193 sha2_digest_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism)
194 {
195 
196 	/*
197 	 * Allocate and initialize SHA2 context.
198 	 */
199 	ctx->cc_provider_private = kmem_alloc(sizeof (sha2_ctx_t), KM_SLEEP);
200 	if (ctx->cc_provider_private == NULL)
201 		return (CRYPTO_HOST_MEMORY);
202 
203 	PROV_SHA2_CTX(ctx)->sc_mech_type = mechanism->cm_type;
204 	SHA2Init(mechanism->cm_type, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
205 
206 	return (CRYPTO_SUCCESS);
207 }
208 
209 /*
210  * Helper SHA2 digest update function for uio data.
211  */
212 static int
213 sha2_digest_update_uio(SHA2_CTX *sha2_ctx, crypto_data_t *data)
214 {
215 	off_t offset = data->cd_offset;
216 	size_t length = data->cd_length;
217 	uint_t vec_idx = 0;
218 	size_t cur_len;
219 
220 	/* we support only kernel buffer */
221 	if (zfs_uio_segflg(data->cd_uio) != UIO_SYSSPACE)
222 		return (CRYPTO_ARGUMENTS_BAD);
223 
224 	/*
225 	 * Jump to the first iovec containing data to be
226 	 * digested.
227 	 */
228 	offset = zfs_uio_index_at_offset(data->cd_uio, offset, &vec_idx);
229 	if (vec_idx == zfs_uio_iovcnt(data->cd_uio)) {
230 		/*
231 		 * The caller specified an offset that is larger than the
232 		 * total size of the buffers it provided.
233 		 */
234 		return (CRYPTO_DATA_LEN_RANGE);
235 	}
236 
237 	/*
238 	 * Now do the digesting on the iovecs.
239 	 */
240 	while (vec_idx < zfs_uio_iovcnt(data->cd_uio) && length > 0) {
241 		cur_len = MIN(zfs_uio_iovlen(data->cd_uio, vec_idx) -
242 		    offset, length);
243 
244 		SHA2Update(sha2_ctx, (uint8_t *)zfs_uio_iovbase(data->cd_uio,
245 		    vec_idx) + offset, cur_len);
246 		length -= cur_len;
247 		vec_idx++;
248 		offset = 0;
249 	}
250 
251 	if (vec_idx == zfs_uio_iovcnt(data->cd_uio) && length > 0) {
252 		/*
253 		 * The end of the specified iovec's was reached but
254 		 * the length requested could not be processed, i.e.
255 		 * The caller requested to digest more data than it provided.
256 		 */
257 		return (CRYPTO_DATA_LEN_RANGE);
258 	}
259 
260 	return (CRYPTO_SUCCESS);
261 }
262 
263 /*
264  * Helper SHA2 digest final function for uio data.
265  * digest_len is the length of the desired digest. If digest_len
266  * is smaller than the default SHA2 digest length, the caller
267  * must pass a scratch buffer, digest_scratch, which must
268  * be at least the algorithm's digest length bytes.
269  */
270 static int
271 sha2_digest_final_uio(SHA2_CTX *sha2_ctx, crypto_data_t *digest,
272     ulong_t digest_len, uchar_t *digest_scratch)
273 {
274 	off_t offset = digest->cd_offset;
275 	uint_t vec_idx = 0;
276 
277 	/* we support only kernel buffer */
278 	if (zfs_uio_segflg(digest->cd_uio) != UIO_SYSSPACE)
279 		return (CRYPTO_ARGUMENTS_BAD);
280 
281 	/*
282 	 * Jump to the first iovec containing ptr to the digest to
283 	 * be returned.
284 	 */
285 	offset = zfs_uio_index_at_offset(digest->cd_uio, offset, &vec_idx);
286 	if (vec_idx == zfs_uio_iovcnt(digest->cd_uio)) {
287 		/*
288 		 * The caller specified an offset that is
289 		 * larger than the total size of the buffers
290 		 * it provided.
291 		 */
292 		return (CRYPTO_DATA_LEN_RANGE);
293 	}
294 
295 	if (offset + digest_len <=
296 	    zfs_uio_iovlen(digest->cd_uio, vec_idx)) {
297 		/*
298 		 * The computed SHA2 digest will fit in the current
299 		 * iovec.
300 		 */
301 		if (((sha2_ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
302 		    (digest_len != SHA256_DIGEST_LENGTH)) ||
303 		    ((sha2_ctx->algotype > SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
304 		    (digest_len != SHA512_DIGEST_LENGTH))) {
305 			/*
306 			 * The caller requested a short digest. Digest
307 			 * into a scratch buffer and return to
308 			 * the user only what was requested.
309 			 */
310 			SHA2Final(digest_scratch, sha2_ctx);
311 
312 			memcpy((uchar_t *)
313 			    zfs_uio_iovbase(digest->cd_uio, vec_idx) + offset,
314 			    digest_scratch, digest_len);
315 		} else {
316 			SHA2Final((uchar_t *)zfs_uio_iovbase(digest->
317 			    cd_uio, vec_idx) + offset,
318 			    sha2_ctx);
319 
320 		}
321 	} else {
322 		/*
323 		 * The computed digest will be crossing one or more iovec's.
324 		 * This is bad performance-wise but we need to support it.
325 		 * Allocate a small scratch buffer on the stack and
326 		 * copy it piece meal to the specified digest iovec's.
327 		 */
328 		uchar_t digest_tmp[SHA512_DIGEST_LENGTH];
329 		off_t scratch_offset = 0;
330 		size_t length = digest_len;
331 		size_t cur_len;
332 
333 		SHA2Final(digest_tmp, sha2_ctx);
334 
335 		while (vec_idx < zfs_uio_iovcnt(digest->cd_uio) && length > 0) {
336 			cur_len =
337 			    MIN(zfs_uio_iovlen(digest->cd_uio, vec_idx) -
338 			    offset, length);
339 			memcpy(
340 			    zfs_uio_iovbase(digest->cd_uio, vec_idx) + offset,
341 			    digest_tmp + scratch_offset,
342 			    cur_len);
343 
344 			length -= cur_len;
345 			vec_idx++;
346 			scratch_offset += cur_len;
347 			offset = 0;
348 		}
349 
350 		if (vec_idx == zfs_uio_iovcnt(digest->cd_uio) && length > 0) {
351 			/*
352 			 * The end of the specified iovec's was reached but
353 			 * the length requested could not be processed, i.e.
354 			 * The caller requested to digest more data than it
355 			 * provided.
356 			 */
357 			return (CRYPTO_DATA_LEN_RANGE);
358 		}
359 	}
360 
361 	return (CRYPTO_SUCCESS);
362 }
363 
364 static int
365 sha2_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest)
366 {
367 	int ret = CRYPTO_SUCCESS;
368 	uint_t sha_digest_len;
369 
370 	ASSERT(ctx->cc_provider_private != NULL);
371 
372 	switch (PROV_SHA2_CTX(ctx)->sc_mech_type) {
373 	case SHA256_MECH_INFO_TYPE:
374 		sha_digest_len = SHA256_DIGEST_LENGTH;
375 		break;
376 	case SHA384_MECH_INFO_TYPE:
377 		sha_digest_len = SHA384_DIGEST_LENGTH;
378 		break;
379 	case SHA512_MECH_INFO_TYPE:
380 		sha_digest_len = SHA512_DIGEST_LENGTH;
381 		break;
382 	default:
383 		return (CRYPTO_MECHANISM_INVALID);
384 	}
385 
386 	/*
387 	 * We need to just return the length needed to store the output.
388 	 * We should not destroy the context for the following cases.
389 	 */
390 	if ((digest->cd_length == 0) ||
391 	    (digest->cd_length < sha_digest_len)) {
392 		digest->cd_length = sha_digest_len;
393 		return (CRYPTO_BUFFER_TOO_SMALL);
394 	}
395 
396 	/*
397 	 * Do the SHA2 update on the specified input data.
398 	 */
399 	switch (data->cd_format) {
400 	case CRYPTO_DATA_RAW:
401 		SHA2Update(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
402 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
403 		    data->cd_length);
404 		break;
405 	case CRYPTO_DATA_UIO:
406 		ret = sha2_digest_update_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
407 		    data);
408 		break;
409 	default:
410 		ret = CRYPTO_ARGUMENTS_BAD;
411 	}
412 
413 	if (ret != CRYPTO_SUCCESS) {
414 		/* the update failed, free context and bail */
415 		kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
416 		ctx->cc_provider_private = NULL;
417 		digest->cd_length = 0;
418 		return (ret);
419 	}
420 
421 	/*
422 	 * Do a SHA2 final, must be done separately since the digest
423 	 * type can be different than the input data type.
424 	 */
425 	switch (digest->cd_format) {
426 	case CRYPTO_DATA_RAW:
427 		SHA2Final((unsigned char *)digest->cd_raw.iov_base +
428 		    digest->cd_offset, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
429 		break;
430 	case CRYPTO_DATA_UIO:
431 		ret = sha2_digest_final_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
432 		    digest, sha_digest_len, NULL);
433 		break;
434 	default:
435 		ret = CRYPTO_ARGUMENTS_BAD;
436 	}
437 
438 	/* all done, free context and return */
439 
440 	if (ret == CRYPTO_SUCCESS)
441 		digest->cd_length = sha_digest_len;
442 	else
443 		digest->cd_length = 0;
444 
445 	kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
446 	ctx->cc_provider_private = NULL;
447 	return (ret);
448 }
449 
450 static int
451 sha2_digest_update(crypto_ctx_t *ctx, crypto_data_t *data)
452 {
453 	int ret = CRYPTO_SUCCESS;
454 
455 	ASSERT(ctx->cc_provider_private != NULL);
456 
457 	/*
458 	 * Do the SHA2 update on the specified input data.
459 	 */
460 	switch (data->cd_format) {
461 	case CRYPTO_DATA_RAW:
462 		SHA2Update(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
463 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
464 		    data->cd_length);
465 		break;
466 	case CRYPTO_DATA_UIO:
467 		ret = sha2_digest_update_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
468 		    data);
469 		break;
470 	default:
471 		ret = CRYPTO_ARGUMENTS_BAD;
472 	}
473 
474 	return (ret);
475 }
476 
477 static int
478 sha2_digest_final(crypto_ctx_t *ctx, crypto_data_t *digest)
479 {
480 	int ret = CRYPTO_SUCCESS;
481 	uint_t sha_digest_len;
482 
483 	ASSERT(ctx->cc_provider_private != NULL);
484 
485 	switch (PROV_SHA2_CTX(ctx)->sc_mech_type) {
486 	case SHA256_MECH_INFO_TYPE:
487 		sha_digest_len = SHA256_DIGEST_LENGTH;
488 		break;
489 	case SHA384_MECH_INFO_TYPE:
490 		sha_digest_len = SHA384_DIGEST_LENGTH;
491 		break;
492 	case SHA512_MECH_INFO_TYPE:
493 		sha_digest_len = SHA512_DIGEST_LENGTH;
494 		break;
495 	default:
496 		return (CRYPTO_MECHANISM_INVALID);
497 	}
498 
499 	/*
500 	 * We need to just return the length needed to store the output.
501 	 * We should not destroy the context for the following cases.
502 	 */
503 	if ((digest->cd_length == 0) ||
504 	    (digest->cd_length < sha_digest_len)) {
505 		digest->cd_length = sha_digest_len;
506 		return (CRYPTO_BUFFER_TOO_SMALL);
507 	}
508 
509 	/*
510 	 * Do a SHA2 final.
511 	 */
512 	switch (digest->cd_format) {
513 	case CRYPTO_DATA_RAW:
514 		SHA2Final((unsigned char *)digest->cd_raw.iov_base +
515 		    digest->cd_offset, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
516 		break;
517 	case CRYPTO_DATA_UIO:
518 		ret = sha2_digest_final_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
519 		    digest, sha_digest_len, NULL);
520 		break;
521 	default:
522 		ret = CRYPTO_ARGUMENTS_BAD;
523 	}
524 
525 	/* all done, free context and return */
526 
527 	if (ret == CRYPTO_SUCCESS)
528 		digest->cd_length = sha_digest_len;
529 	else
530 		digest->cd_length = 0;
531 
532 	kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
533 	ctx->cc_provider_private = NULL;
534 
535 	return (ret);
536 }
537 
538 static int
539 sha2_digest_atomic(crypto_mechanism_t *mechanism, crypto_data_t *data,
540     crypto_data_t *digest)
541 {
542 	int ret = CRYPTO_SUCCESS;
543 	SHA2_CTX sha2_ctx;
544 	uint32_t sha_digest_len;
545 
546 	/*
547 	 * Do the SHA inits.
548 	 */
549 
550 	SHA2Init(mechanism->cm_type, &sha2_ctx);
551 
552 	switch (data->cd_format) {
553 	case CRYPTO_DATA_RAW:
554 		SHA2Update(&sha2_ctx, (uint8_t *)data->
555 		    cd_raw.iov_base + data->cd_offset, data->cd_length);
556 		break;
557 	case CRYPTO_DATA_UIO:
558 		ret = sha2_digest_update_uio(&sha2_ctx, data);
559 		break;
560 	default:
561 		ret = CRYPTO_ARGUMENTS_BAD;
562 	}
563 
564 	/*
565 	 * Do the SHA updates on the specified input data.
566 	 */
567 
568 	if (ret != CRYPTO_SUCCESS) {
569 		/* the update failed, bail */
570 		digest->cd_length = 0;
571 		return (ret);
572 	}
573 
574 	if (mechanism->cm_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE)
575 		sha_digest_len = SHA256_DIGEST_LENGTH;
576 	else
577 		sha_digest_len = SHA512_DIGEST_LENGTH;
578 
579 	/*
580 	 * Do a SHA2 final, must be done separately since the digest
581 	 * type can be different than the input data type.
582 	 */
583 	switch (digest->cd_format) {
584 	case CRYPTO_DATA_RAW:
585 		SHA2Final((unsigned char *)digest->cd_raw.iov_base +
586 		    digest->cd_offset, &sha2_ctx);
587 		break;
588 	case CRYPTO_DATA_UIO:
589 		ret = sha2_digest_final_uio(&sha2_ctx, digest,
590 		    sha_digest_len, NULL);
591 		break;
592 	default:
593 		ret = CRYPTO_ARGUMENTS_BAD;
594 	}
595 
596 	if (ret == CRYPTO_SUCCESS)
597 		digest->cd_length = sha_digest_len;
598 	else
599 		digest->cd_length = 0;
600 
601 	return (ret);
602 }
603 
604 /*
605  * KCF software provider mac entry points.
606  *
607  * SHA2 HMAC is: SHA2(key XOR opad, SHA2(key XOR ipad, text))
608  *
609  * Init:
610  * The initialization routine initializes what we denote
611  * as the inner and outer contexts by doing
612  * - for inner context: SHA2(key XOR ipad)
613  * - for outer context: SHA2(key XOR opad)
614  *
615  * Update:
616  * Each subsequent SHA2 HMAC update will result in an
617  * update of the inner context with the specified data.
618  *
619  * Final:
620  * The SHA2 HMAC final will do a SHA2 final operation on the
621  * inner context, and the resulting digest will be used
622  * as the data for an update on the outer context. Last
623  * but not least, a SHA2 final on the outer context will
624  * be performed to obtain the SHA2 HMAC digest to return
625  * to the user.
626  */
627 
628 /*
629  * Initialize a SHA2-HMAC context.
630  */
631 static void
632 sha2_mac_init_ctx(sha2_hmac_ctx_t *ctx, void *keyval, uint_t length_in_bytes)
633 {
634 	uint64_t ipad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)] = {0};
635 	uint64_t opad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)] = {0};
636 	int i, block_size, blocks_per_int64;
637 
638 	/* Determine the block size */
639 	if (ctx->hc_mech_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE) {
640 		block_size = SHA256_HMAC_BLOCK_SIZE;
641 		blocks_per_int64 = SHA256_HMAC_BLOCK_SIZE / sizeof (uint64_t);
642 	} else {
643 		block_size = SHA512_HMAC_BLOCK_SIZE;
644 		blocks_per_int64 = SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t);
645 	}
646 
647 	(void) memset(ipad, 0, block_size);
648 	(void) memset(opad, 0, block_size);
649 
650 	if (keyval != NULL) {
651 		(void) memcpy(ipad, keyval, length_in_bytes);
652 		(void) memcpy(opad, keyval, length_in_bytes);
653 	} else {
654 		ASSERT0(length_in_bytes);
655 	}
656 
657 	/* XOR key with ipad (0x36) and opad (0x5c) */
658 	for (i = 0; i < blocks_per_int64; i ++) {
659 		ipad[i] ^= 0x3636363636363636;
660 		opad[i] ^= 0x5c5c5c5c5c5c5c5c;
661 	}
662 
663 	/* perform SHA2 on ipad */
664 	SHA2Init(ctx->hc_mech_type, &ctx->hc_icontext);
665 	SHA2Update(&ctx->hc_icontext, (uint8_t *)ipad, block_size);
666 
667 	/* perform SHA2 on opad */
668 	SHA2Init(ctx->hc_mech_type, &ctx->hc_ocontext);
669 	SHA2Update(&ctx->hc_ocontext, (uint8_t *)opad, block_size);
670 }
671 
672 /*
673  */
674 static int
675 sha2_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
676     crypto_key_t *key, crypto_spi_ctx_template_t ctx_template)
677 {
678 	int ret = CRYPTO_SUCCESS;
679 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
680 	uint_t sha_digest_len, sha_hmac_block_size;
681 
682 	/*
683 	 * Set the digest length and block size to values appropriate to the
684 	 * mechanism
685 	 */
686 	switch (mechanism->cm_type) {
687 	case SHA256_HMAC_MECH_INFO_TYPE:
688 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
689 		sha_digest_len = SHA256_DIGEST_LENGTH;
690 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
691 		break;
692 	case SHA384_HMAC_MECH_INFO_TYPE:
693 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
694 	case SHA512_HMAC_MECH_INFO_TYPE:
695 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
696 		sha_digest_len = SHA512_DIGEST_LENGTH;
697 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
698 		break;
699 	default:
700 		return (CRYPTO_MECHANISM_INVALID);
701 	}
702 
703 	ctx->cc_provider_private =
704 	    kmem_alloc(sizeof (sha2_hmac_ctx_t), KM_SLEEP);
705 	if (ctx->cc_provider_private == NULL)
706 		return (CRYPTO_HOST_MEMORY);
707 
708 	PROV_SHA2_HMAC_CTX(ctx)->hc_mech_type = mechanism->cm_type;
709 	if (ctx_template != NULL) {
710 		/* reuse context template */
711 		memcpy(PROV_SHA2_HMAC_CTX(ctx), ctx_template,
712 		    sizeof (sha2_hmac_ctx_t));
713 	} else {
714 		/* no context template, compute context */
715 		if (keylen_in_bytes > sha_hmac_block_size) {
716 			uchar_t digested_key[SHA512_DIGEST_LENGTH];
717 			sha2_hmac_ctx_t *hmac_ctx = ctx->cc_provider_private;
718 
719 			/*
720 			 * Hash the passed-in key to get a smaller key.
721 			 * The inner context is used since it hasn't been
722 			 * initialized yet.
723 			 */
724 			PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
725 			    &hmac_ctx->hc_icontext,
726 			    key->ck_data, keylen_in_bytes, digested_key);
727 			sha2_mac_init_ctx(PROV_SHA2_HMAC_CTX(ctx),
728 			    digested_key, sha_digest_len);
729 		} else {
730 			sha2_mac_init_ctx(PROV_SHA2_HMAC_CTX(ctx),
731 			    key->ck_data, keylen_in_bytes);
732 		}
733 	}
734 
735 	/*
736 	 * Get the mechanism parameters, if applicable.
737 	 */
738 	if (mechanism->cm_type % 3 == 2) {
739 		if (mechanism->cm_param == NULL ||
740 		    mechanism->cm_param_len != sizeof (ulong_t))
741 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
742 		PROV_SHA2_GET_DIGEST_LEN(mechanism,
743 		    PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len);
744 		if (PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len > sha_digest_len)
745 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
746 	}
747 
748 	if (ret != CRYPTO_SUCCESS) {
749 		memset(ctx->cc_provider_private, 0, sizeof (sha2_hmac_ctx_t));
750 		kmem_free(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
751 		ctx->cc_provider_private = NULL;
752 	}
753 
754 	return (ret);
755 }
756 
757 static int
758 sha2_mac_update(crypto_ctx_t *ctx, crypto_data_t *data)
759 {
760 	int ret = CRYPTO_SUCCESS;
761 
762 	ASSERT(ctx->cc_provider_private != NULL);
763 
764 	/*
765 	 * Do a SHA2 update of the inner context using the specified
766 	 * data.
767 	 */
768 	switch (data->cd_format) {
769 	case CRYPTO_DATA_RAW:
770 		SHA2Update(&PROV_SHA2_HMAC_CTX(ctx)->hc_icontext,
771 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
772 		    data->cd_length);
773 		break;
774 	case CRYPTO_DATA_UIO:
775 		ret = sha2_digest_update_uio(
776 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext, data);
777 		break;
778 	default:
779 		ret = CRYPTO_ARGUMENTS_BAD;
780 	}
781 
782 	return (ret);
783 }
784 
785 static int
786 sha2_mac_final(crypto_ctx_t *ctx, crypto_data_t *mac)
787 {
788 	int ret = CRYPTO_SUCCESS;
789 	uchar_t digest[SHA512_DIGEST_LENGTH];
790 	uint32_t digest_len, sha_digest_len;
791 
792 	ASSERT(ctx->cc_provider_private != NULL);
793 
794 	/* Set the digest lengths to values appropriate to the mechanism */
795 	switch (PROV_SHA2_HMAC_CTX(ctx)->hc_mech_type) {
796 	case SHA256_HMAC_MECH_INFO_TYPE:
797 		sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
798 		break;
799 	case SHA384_HMAC_MECH_INFO_TYPE:
800 		sha_digest_len = digest_len = SHA384_DIGEST_LENGTH;
801 		break;
802 	case SHA512_HMAC_MECH_INFO_TYPE:
803 		sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
804 		break;
805 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
806 		sha_digest_len = SHA256_DIGEST_LENGTH;
807 		digest_len = PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len;
808 		break;
809 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
810 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
811 		sha_digest_len = SHA512_DIGEST_LENGTH;
812 		digest_len = PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len;
813 		break;
814 	default:
815 		return (CRYPTO_ARGUMENTS_BAD);
816 	}
817 
818 	/*
819 	 * We need to just return the length needed to store the output.
820 	 * We should not destroy the context for the following cases.
821 	 */
822 	if ((mac->cd_length == 0) || (mac->cd_length < digest_len)) {
823 		mac->cd_length = digest_len;
824 		return (CRYPTO_BUFFER_TOO_SMALL);
825 	}
826 
827 	/*
828 	 * Do a SHA2 final on the inner context.
829 	 */
830 	SHA2Final(digest, &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext);
831 
832 	/*
833 	 * Do a SHA2 update on the outer context, feeding the inner
834 	 * digest as data.
835 	 */
836 	SHA2Update(&PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, digest,
837 	    sha_digest_len);
838 
839 	/*
840 	 * Do a SHA2 final on the outer context, storing the computing
841 	 * digest in the users buffer.
842 	 */
843 	switch (mac->cd_format) {
844 	case CRYPTO_DATA_RAW:
845 		if (digest_len != sha_digest_len) {
846 			/*
847 			 * The caller requested a short digest. Digest
848 			 * into a scratch buffer and return to
849 			 * the user only what was requested.
850 			 */
851 			SHA2Final(digest,
852 			    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext);
853 			memcpy((unsigned char *)mac->cd_raw.iov_base +
854 			    mac->cd_offset, digest, digest_len);
855 		} else {
856 			SHA2Final((unsigned char *)mac->cd_raw.iov_base +
857 			    mac->cd_offset,
858 			    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext);
859 		}
860 		break;
861 	case CRYPTO_DATA_UIO:
862 		ret = sha2_digest_final_uio(
863 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, mac,
864 		    digest_len, digest);
865 		break;
866 	default:
867 		ret = CRYPTO_ARGUMENTS_BAD;
868 	}
869 
870 	if (ret == CRYPTO_SUCCESS)
871 		mac->cd_length = digest_len;
872 	else
873 		mac->cd_length = 0;
874 
875 	memset(ctx->cc_provider_private, 0, sizeof (sha2_hmac_ctx_t));
876 	kmem_free(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
877 	ctx->cc_provider_private = NULL;
878 
879 	return (ret);
880 }
881 
882 #define	SHA2_MAC_UPDATE(data, ctx, ret) {				\
883 	switch (data->cd_format) {					\
884 	case CRYPTO_DATA_RAW:						\
885 		SHA2Update(&(ctx).hc_icontext,				\
886 		    (uint8_t *)data->cd_raw.iov_base +			\
887 		    data->cd_offset, data->cd_length);			\
888 		break;							\
889 	case CRYPTO_DATA_UIO:						\
890 		ret = sha2_digest_update_uio(&(ctx).hc_icontext, data);	\
891 		break;							\
892 	default:							\
893 		ret = CRYPTO_ARGUMENTS_BAD;				\
894 	}								\
895 }
896 
897 static int
898 sha2_mac_atomic(crypto_mechanism_t *mechanism,
899     crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
900     crypto_spi_ctx_template_t ctx_template)
901 {
902 	int ret = CRYPTO_SUCCESS;
903 	uchar_t digest[SHA512_DIGEST_LENGTH];
904 	sha2_hmac_ctx_t sha2_hmac_ctx;
905 	uint32_t sha_digest_len, digest_len, sha_hmac_block_size;
906 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
907 
908 	/*
909 	 * Set the digest length and block size to values appropriate to the
910 	 * mechanism
911 	 */
912 	switch (mechanism->cm_type) {
913 	case SHA256_HMAC_MECH_INFO_TYPE:
914 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
915 		sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
916 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
917 		break;
918 	case SHA384_HMAC_MECH_INFO_TYPE:
919 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
920 	case SHA512_HMAC_MECH_INFO_TYPE:
921 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
922 		sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
923 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
924 		break;
925 	default:
926 		return (CRYPTO_MECHANISM_INVALID);
927 	}
928 
929 	if (ctx_template != NULL) {
930 		/* reuse context template */
931 		memcpy(&sha2_hmac_ctx, ctx_template, sizeof (sha2_hmac_ctx_t));
932 	} else {
933 		sha2_hmac_ctx.hc_mech_type = mechanism->cm_type;
934 		/* no context template, initialize context */
935 		if (keylen_in_bytes > sha_hmac_block_size) {
936 			/*
937 			 * Hash the passed-in key to get a smaller key.
938 			 * The inner context is used since it hasn't been
939 			 * initialized yet.
940 			 */
941 			PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
942 			    &sha2_hmac_ctx.hc_icontext,
943 			    key->ck_data, keylen_in_bytes, digest);
944 			sha2_mac_init_ctx(&sha2_hmac_ctx, digest,
945 			    sha_digest_len);
946 		} else {
947 			sha2_mac_init_ctx(&sha2_hmac_ctx, key->ck_data,
948 			    keylen_in_bytes);
949 		}
950 	}
951 
952 	/* get the mechanism parameters, if applicable */
953 	if ((mechanism->cm_type % 3) == 2) {
954 		if (mechanism->cm_param == NULL ||
955 		    mechanism->cm_param_len != sizeof (ulong_t)) {
956 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
957 			goto bail;
958 		}
959 		PROV_SHA2_GET_DIGEST_LEN(mechanism, digest_len);
960 		if (digest_len > sha_digest_len) {
961 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
962 			goto bail;
963 		}
964 	}
965 
966 	/* do a SHA2 update of the inner context using the specified data */
967 	SHA2_MAC_UPDATE(data, sha2_hmac_ctx, ret);
968 	if (ret != CRYPTO_SUCCESS)
969 		/* the update failed, free context and bail */
970 		goto bail;
971 
972 	/*
973 	 * Do a SHA2 final on the inner context.
974 	 */
975 	SHA2Final(digest, &sha2_hmac_ctx.hc_icontext);
976 
977 	/*
978 	 * Do an SHA2 update on the outer context, feeding the inner
979 	 * digest as data.
980 	 *
981 	 * HMAC-SHA384 needs special handling as the outer hash needs only 48
982 	 * bytes of the inner hash value.
983 	 */
984 	if (mechanism->cm_type == SHA384_HMAC_MECH_INFO_TYPE ||
985 	    mechanism->cm_type == SHA384_HMAC_GEN_MECH_INFO_TYPE)
986 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest,
987 		    SHA384_DIGEST_LENGTH);
988 	else
989 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, sha_digest_len);
990 
991 	/*
992 	 * Do a SHA2 final on the outer context, storing the computed
993 	 * digest in the users buffer.
994 	 */
995 	switch (mac->cd_format) {
996 	case CRYPTO_DATA_RAW:
997 		if (digest_len != sha_digest_len) {
998 			/*
999 			 * The caller requested a short digest. Digest
1000 			 * into a scratch buffer and return to
1001 			 * the user only what was requested.
1002 			 */
1003 			SHA2Final(digest, &sha2_hmac_ctx.hc_ocontext);
1004 			memcpy((unsigned char *)mac->cd_raw.iov_base +
1005 			    mac->cd_offset, digest, digest_len);
1006 		} else {
1007 			SHA2Final((unsigned char *)mac->cd_raw.iov_base +
1008 			    mac->cd_offset, &sha2_hmac_ctx.hc_ocontext);
1009 		}
1010 		break;
1011 	case CRYPTO_DATA_UIO:
1012 		ret = sha2_digest_final_uio(&sha2_hmac_ctx.hc_ocontext, mac,
1013 		    digest_len, digest);
1014 		break;
1015 	default:
1016 		ret = CRYPTO_ARGUMENTS_BAD;
1017 	}
1018 
1019 	if (ret == CRYPTO_SUCCESS) {
1020 		mac->cd_length = digest_len;
1021 		return (CRYPTO_SUCCESS);
1022 	}
1023 bail:
1024 	memset(&sha2_hmac_ctx, 0, sizeof (sha2_hmac_ctx_t));
1025 	mac->cd_length = 0;
1026 	return (ret);
1027 }
1028 
1029 static int
1030 sha2_mac_verify_atomic(crypto_mechanism_t *mechanism,
1031     crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1032     crypto_spi_ctx_template_t ctx_template)
1033 {
1034 	int ret = CRYPTO_SUCCESS;
1035 	uchar_t digest[SHA512_DIGEST_LENGTH];
1036 	sha2_hmac_ctx_t sha2_hmac_ctx;
1037 	uint32_t sha_digest_len, digest_len, sha_hmac_block_size;
1038 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1039 
1040 	/*
1041 	 * Set the digest length and block size to values appropriate to the
1042 	 * mechanism
1043 	 */
1044 	switch (mechanism->cm_type) {
1045 	case SHA256_HMAC_MECH_INFO_TYPE:
1046 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1047 		sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1048 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1049 		break;
1050 	case SHA384_HMAC_MECH_INFO_TYPE:
1051 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1052 	case SHA512_HMAC_MECH_INFO_TYPE:
1053 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1054 		sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1055 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1056 		break;
1057 	default:
1058 		return (CRYPTO_MECHANISM_INVALID);
1059 	}
1060 
1061 	if (ctx_template != NULL) {
1062 		/* reuse context template */
1063 		memcpy(&sha2_hmac_ctx, ctx_template, sizeof (sha2_hmac_ctx_t));
1064 	} else {
1065 		sha2_hmac_ctx.hc_mech_type = mechanism->cm_type;
1066 		/* no context template, initialize context */
1067 		if (keylen_in_bytes > sha_hmac_block_size) {
1068 			/*
1069 			 * Hash the passed-in key to get a smaller key.
1070 			 * The inner context is used since it hasn't been
1071 			 * initialized yet.
1072 			 */
1073 			PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1074 			    &sha2_hmac_ctx.hc_icontext,
1075 			    key->ck_data, keylen_in_bytes, digest);
1076 			sha2_mac_init_ctx(&sha2_hmac_ctx, digest,
1077 			    sha_digest_len);
1078 		} else {
1079 			sha2_mac_init_ctx(&sha2_hmac_ctx, key->ck_data,
1080 			    keylen_in_bytes);
1081 		}
1082 	}
1083 
1084 	/* get the mechanism parameters, if applicable */
1085 	if (mechanism->cm_type % 3 == 2) {
1086 		if (mechanism->cm_param == NULL ||
1087 		    mechanism->cm_param_len != sizeof (ulong_t)) {
1088 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1089 			goto bail;
1090 		}
1091 		PROV_SHA2_GET_DIGEST_LEN(mechanism, digest_len);
1092 		if (digest_len > sha_digest_len) {
1093 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1094 			goto bail;
1095 		}
1096 	}
1097 
1098 	if (mac->cd_length != digest_len) {
1099 		ret = CRYPTO_INVALID_MAC;
1100 		goto bail;
1101 	}
1102 
1103 	/* do a SHA2 update of the inner context using the specified data */
1104 	SHA2_MAC_UPDATE(data, sha2_hmac_ctx, ret);
1105 	if (ret != CRYPTO_SUCCESS)
1106 		/* the update failed, free context and bail */
1107 		goto bail;
1108 
1109 	/* do a SHA2 final on the inner context */
1110 	SHA2Final(digest, &sha2_hmac_ctx.hc_icontext);
1111 
1112 	/*
1113 	 * Do an SHA2 update on the outer context, feeding the inner
1114 	 * digest as data.
1115 	 *
1116 	 * HMAC-SHA384 needs special handling as the outer hash needs only 48
1117 	 * bytes of the inner hash value.
1118 	 */
1119 	if (mechanism->cm_type == SHA384_HMAC_MECH_INFO_TYPE ||
1120 	    mechanism->cm_type == SHA384_HMAC_GEN_MECH_INFO_TYPE)
1121 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest,
1122 		    SHA384_DIGEST_LENGTH);
1123 	else
1124 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, sha_digest_len);
1125 
1126 	/*
1127 	 * Do a SHA2 final on the outer context, storing the computed
1128 	 * digest in the users buffer.
1129 	 */
1130 	SHA2Final(digest, &sha2_hmac_ctx.hc_ocontext);
1131 
1132 	/*
1133 	 * Compare the computed digest against the expected digest passed
1134 	 * as argument.
1135 	 */
1136 
1137 	switch (mac->cd_format) {
1138 
1139 	case CRYPTO_DATA_RAW:
1140 		if (memcmp(digest, (unsigned char *)mac->cd_raw.iov_base +
1141 		    mac->cd_offset, digest_len) != 0)
1142 			ret = CRYPTO_INVALID_MAC;
1143 		break;
1144 
1145 	case CRYPTO_DATA_UIO: {
1146 		off_t offset = mac->cd_offset;
1147 		uint_t vec_idx = 0;
1148 		off_t scratch_offset = 0;
1149 		size_t length = digest_len;
1150 		size_t cur_len;
1151 
1152 		/* we support only kernel buffer */
1153 		if (zfs_uio_segflg(mac->cd_uio) != UIO_SYSSPACE)
1154 			return (CRYPTO_ARGUMENTS_BAD);
1155 
1156 		/* jump to the first iovec containing the expected digest */
1157 		offset = zfs_uio_index_at_offset(mac->cd_uio, offset, &vec_idx);
1158 		if (vec_idx == zfs_uio_iovcnt(mac->cd_uio)) {
1159 			/*
1160 			 * The caller specified an offset that is
1161 			 * larger than the total size of the buffers
1162 			 * it provided.
1163 			 */
1164 			ret = CRYPTO_DATA_LEN_RANGE;
1165 			break;
1166 		}
1167 
1168 		/* do the comparison of computed digest vs specified one */
1169 		while (vec_idx < zfs_uio_iovcnt(mac->cd_uio) && length > 0) {
1170 			cur_len = MIN(zfs_uio_iovlen(mac->cd_uio, vec_idx) -
1171 			    offset, length);
1172 
1173 			if (memcmp(digest + scratch_offset,
1174 			    zfs_uio_iovbase(mac->cd_uio, vec_idx) + offset,
1175 			    cur_len) != 0) {
1176 				ret = CRYPTO_INVALID_MAC;
1177 				break;
1178 			}
1179 
1180 			length -= cur_len;
1181 			vec_idx++;
1182 			scratch_offset += cur_len;
1183 			offset = 0;
1184 		}
1185 		break;
1186 	}
1187 
1188 	default:
1189 		ret = CRYPTO_ARGUMENTS_BAD;
1190 	}
1191 
1192 	return (ret);
1193 bail:
1194 	memset(&sha2_hmac_ctx, 0, sizeof (sha2_hmac_ctx_t));
1195 	mac->cd_length = 0;
1196 	return (ret);
1197 }
1198 
1199 /*
1200  * KCF software provider context management entry points.
1201  */
1202 
1203 static int
1204 sha2_create_ctx_template(crypto_mechanism_t *mechanism, crypto_key_t *key,
1205     crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size)
1206 {
1207 	sha2_hmac_ctx_t *sha2_hmac_ctx_tmpl;
1208 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1209 	uint32_t sha_digest_len, sha_hmac_block_size;
1210 
1211 	/*
1212 	 * Set the digest length and block size to values appropriate to the
1213 	 * mechanism
1214 	 */
1215 	switch (mechanism->cm_type) {
1216 	case SHA256_HMAC_MECH_INFO_TYPE:
1217 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1218 		sha_digest_len = SHA256_DIGEST_LENGTH;
1219 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1220 		break;
1221 	case SHA384_HMAC_MECH_INFO_TYPE:
1222 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1223 	case SHA512_HMAC_MECH_INFO_TYPE:
1224 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1225 		sha_digest_len = SHA512_DIGEST_LENGTH;
1226 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1227 		break;
1228 	default:
1229 		return (CRYPTO_MECHANISM_INVALID);
1230 	}
1231 
1232 	/*
1233 	 * Allocate and initialize SHA2 context.
1234 	 */
1235 	sha2_hmac_ctx_tmpl = kmem_alloc(sizeof (sha2_hmac_ctx_t), KM_SLEEP);
1236 	if (sha2_hmac_ctx_tmpl == NULL)
1237 		return (CRYPTO_HOST_MEMORY);
1238 
1239 	sha2_hmac_ctx_tmpl->hc_mech_type = mechanism->cm_type;
1240 
1241 	if (keylen_in_bytes > sha_hmac_block_size) {
1242 		uchar_t digested_key[SHA512_DIGEST_LENGTH];
1243 
1244 		/*
1245 		 * Hash the passed-in key to get a smaller key.
1246 		 * The inner context is used since it hasn't been
1247 		 * initialized yet.
1248 		 */
1249 		PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1250 		    &sha2_hmac_ctx_tmpl->hc_icontext,
1251 		    key->ck_data, keylen_in_bytes, digested_key);
1252 		sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, digested_key,
1253 		    sha_digest_len);
1254 	} else {
1255 		sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, key->ck_data,
1256 		    keylen_in_bytes);
1257 	}
1258 
1259 	*ctx_template = (crypto_spi_ctx_template_t)sha2_hmac_ctx_tmpl;
1260 	*ctx_template_size = sizeof (sha2_hmac_ctx_t);
1261 
1262 	return (CRYPTO_SUCCESS);
1263 }
1264 
1265 static int
1266 sha2_free_context(crypto_ctx_t *ctx)
1267 {
1268 	uint_t ctx_len;
1269 
1270 	if (ctx->cc_provider_private == NULL)
1271 		return (CRYPTO_SUCCESS);
1272 
1273 	/*
1274 	 * We have to free either SHA2 or SHA2-HMAC contexts, which
1275 	 * have different lengths.
1276 	 *
1277 	 * Note: Below is dependent on the mechanism ordering.
1278 	 */
1279 
1280 	if (PROV_SHA2_CTX(ctx)->sc_mech_type % 3 == 0)
1281 		ctx_len = sizeof (sha2_ctx_t);
1282 	else
1283 		ctx_len = sizeof (sha2_hmac_ctx_t);
1284 
1285 	memset(ctx->cc_provider_private, 0, ctx_len);
1286 	kmem_free(ctx->cc_provider_private, ctx_len);
1287 	ctx->cc_provider_private = NULL;
1288 
1289 	return (CRYPTO_SUCCESS);
1290 }
1291