1734b6a94Sdarrenm /*
2734b6a94Sdarrenm * CDDL HEADER START
3734b6a94Sdarrenm *
4734b6a94Sdarrenm * The contents of this file are subject to the terms of the
5734b6a94Sdarrenm * Common Development and Distribution License (the "License").
6734b6a94Sdarrenm * You may not use this file except in compliance with the License.
7734b6a94Sdarrenm *
8734b6a94Sdarrenm * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9734b6a94Sdarrenm * or http://www.opensolaris.org/os/licensing.
10734b6a94Sdarrenm * See the License for the specific language governing permissions
11734b6a94Sdarrenm * and limitations under the License.
12734b6a94Sdarrenm *
13734b6a94Sdarrenm * When distributing Covered Code, include this CDDL HEADER in each
14734b6a94Sdarrenm * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15734b6a94Sdarrenm * If applicable, add the following below this CDDL HEADER, with the
16734b6a94Sdarrenm * fields enclosed by brackets "[]" replaced with your own identifying
17734b6a94Sdarrenm * information: Portions Copyright [yyyy] [name of copyright owner]
18734b6a94Sdarrenm *
19734b6a94Sdarrenm * CDDL HEADER END
20734b6a94Sdarrenm */
21734b6a94Sdarrenm
22734b6a94Sdarrenm /*
23d3b2efc7SAnthony Scarpino * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
24734b6a94Sdarrenm * Use is subject to license terms.
25734b6a94Sdarrenm */
26734b6a94Sdarrenm
27734b6a94Sdarrenm #include <sys/modctl.h>
28734b6a94Sdarrenm #include <sys/cmn_err.h>
29734b6a94Sdarrenm #include <sys/crypto/common.h>
30734b6a94Sdarrenm #include <sys/crypto/spi.h>
31734b6a94Sdarrenm #include <sys/strsun.h>
32734b6a94Sdarrenm #include <sys/systm.h>
33734b6a94Sdarrenm #include <sys/sysmacros.h>
34734b6a94Sdarrenm #define _SHA2_IMPL
35734b6a94Sdarrenm #include <sys/sha2.h>
36b5a2d845SHai-May Chao #include <sha2/sha2_impl.h>
37734b6a94Sdarrenm
38734b6a94Sdarrenm /*
39734b6a94Sdarrenm * The sha2 module is created with two modlinkages:
40734b6a94Sdarrenm * - a modlmisc that allows consumers to directly call the entry points
41734b6a94Sdarrenm * SHA2Init, SHA2Update, and SHA2Final.
42734b6a94Sdarrenm * - a modlcrypto that allows the module to register with the Kernel
43734b6a94Sdarrenm * Cryptographic Framework (KCF) as a software provider for the SHA2
44734b6a94Sdarrenm * mechanisms.
45734b6a94Sdarrenm */
46734b6a94Sdarrenm
47734b6a94Sdarrenm static struct modlmisc modlmisc = {
48734b6a94Sdarrenm &mod_miscops,
49734b6a94Sdarrenm "SHA2 Message-Digest Algorithm"
50734b6a94Sdarrenm };
51734b6a94Sdarrenm
52734b6a94Sdarrenm static struct modlcrypto modlcrypto = {
53734b6a94Sdarrenm &mod_cryptoops,
54d2b32306Smcpowers "SHA2 Kernel SW Provider"
55734b6a94Sdarrenm };
56734b6a94Sdarrenm
57734b6a94Sdarrenm static struct modlinkage modlinkage = {
58734b6a94Sdarrenm MODREV_1, &modlmisc, &modlcrypto, NULL
59734b6a94Sdarrenm };
60734b6a94Sdarrenm
61734b6a94Sdarrenm /*
62734b6a94Sdarrenm * Macros to access the SHA2 or SHA2-HMAC contexts from a context passed
63734b6a94Sdarrenm * by KCF to one of the entry points.
64734b6a94Sdarrenm */
65734b6a94Sdarrenm
66734b6a94Sdarrenm #define PROV_SHA2_CTX(ctx) ((sha2_ctx_t *)(ctx)->cc_provider_private)
67734b6a94Sdarrenm #define PROV_SHA2_HMAC_CTX(ctx) ((sha2_hmac_ctx_t *)(ctx)->cc_provider_private)
68734b6a94Sdarrenm
69734b6a94Sdarrenm /* to extract the digest length passed as mechanism parameter */
70734b6a94Sdarrenm #define PROV_SHA2_GET_DIGEST_LEN(m, len) { \
71734b6a94Sdarrenm if (IS_P2ALIGNED((m)->cm_param, sizeof (ulong_t))) \
728de5c4f4SDan OpenSolaris Anderson (len) = (uint32_t)*((ulong_t *)(void *)(m)->cm_param); \
73734b6a94Sdarrenm else { \
74734b6a94Sdarrenm ulong_t tmp_ulong; \
75734b6a94Sdarrenm bcopy((m)->cm_param, &tmp_ulong, sizeof (ulong_t)); \
76734b6a94Sdarrenm (len) = (uint32_t)tmp_ulong; \
77734b6a94Sdarrenm } \
78734b6a94Sdarrenm }
79734b6a94Sdarrenm
80734b6a94Sdarrenm #define PROV_SHA2_DIGEST_KEY(mech, ctx, key, len, digest) { \
81734b6a94Sdarrenm SHA2Init(mech, ctx); \
82734b6a94Sdarrenm SHA2Update(ctx, key, len); \
83734b6a94Sdarrenm SHA2Final(digest, ctx); \
84734b6a94Sdarrenm }
85734b6a94Sdarrenm
86734b6a94Sdarrenm /*
87734b6a94Sdarrenm * Mechanism info structure passed to KCF during registration.
88734b6a94Sdarrenm */
89734b6a94Sdarrenm static crypto_mech_info_t sha2_mech_info_tab[] = {
90734b6a94Sdarrenm /* SHA256 */
91734b6a94Sdarrenm {SUN_CKM_SHA256, SHA256_MECH_INFO_TYPE,
92734b6a94Sdarrenm CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
93734b6a94Sdarrenm 0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
94734b6a94Sdarrenm /* SHA256-HMAC */
95734b6a94Sdarrenm {SUN_CKM_SHA256_HMAC, SHA256_HMAC_MECH_INFO_TYPE,
96734b6a94Sdarrenm CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
97734b6a94Sdarrenm SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
985b675b31SVladimir Kotal CRYPTO_KEYSIZE_UNIT_IN_BYTES},
99734b6a94Sdarrenm /* SHA256-HMAC GENERAL */
100734b6a94Sdarrenm {SUN_CKM_SHA256_HMAC_GENERAL, SHA256_HMAC_GEN_MECH_INFO_TYPE,
101734b6a94Sdarrenm CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
102734b6a94Sdarrenm SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
1035b675b31SVladimir Kotal CRYPTO_KEYSIZE_UNIT_IN_BYTES},
104734b6a94Sdarrenm /* SHA384 */
105734b6a94Sdarrenm {SUN_CKM_SHA384, SHA384_MECH_INFO_TYPE,
106734b6a94Sdarrenm CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
107734b6a94Sdarrenm 0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
108734b6a94Sdarrenm /* SHA384-HMAC */
109734b6a94Sdarrenm {SUN_CKM_SHA384_HMAC, SHA384_HMAC_MECH_INFO_TYPE,
110734b6a94Sdarrenm CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
111734b6a94Sdarrenm SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
1125b675b31SVladimir Kotal CRYPTO_KEYSIZE_UNIT_IN_BYTES},
113734b6a94Sdarrenm /* SHA384-HMAC GENERAL */
114734b6a94Sdarrenm {SUN_CKM_SHA384_HMAC_GENERAL, SHA384_HMAC_GEN_MECH_INFO_TYPE,
115734b6a94Sdarrenm CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
116734b6a94Sdarrenm SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
1175b675b31SVladimir Kotal CRYPTO_KEYSIZE_UNIT_IN_BYTES},
118734b6a94Sdarrenm /* SHA512 */
119734b6a94Sdarrenm {SUN_CKM_SHA512, SHA512_MECH_INFO_TYPE,
120734b6a94Sdarrenm CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
121734b6a94Sdarrenm 0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
122734b6a94Sdarrenm /* SHA512-HMAC */
123734b6a94Sdarrenm {SUN_CKM_SHA512_HMAC, SHA512_HMAC_MECH_INFO_TYPE,
124734b6a94Sdarrenm CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
125734b6a94Sdarrenm SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
1265b675b31SVladimir Kotal CRYPTO_KEYSIZE_UNIT_IN_BYTES},
127734b6a94Sdarrenm /* SHA512-HMAC GENERAL */
128734b6a94Sdarrenm {SUN_CKM_SHA512_HMAC_GENERAL, SHA512_HMAC_GEN_MECH_INFO_TYPE,
129734b6a94Sdarrenm CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
130734b6a94Sdarrenm SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
131*05204290SJason King CRYPTO_KEYSIZE_UNIT_IN_BYTES},
132*05204290SJason King /* SHA512_224 */
133*05204290SJason King {SUN_CKM_SHA512_224, SHA512_224_MECH_INFO_TYPE,
134*05204290SJason King CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
135*05204290SJason King 0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
136*05204290SJason King /* SHA512_256 */
137*05204290SJason King {SUN_CKM_SHA512_256, SHA512_256_MECH_INFO_TYPE,
138*05204290SJason King CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
139*05204290SJason King 0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS}
140734b6a94Sdarrenm };
141734b6a94Sdarrenm
142734b6a94Sdarrenm static void sha2_provider_status(crypto_provider_handle_t, uint_t *);
143734b6a94Sdarrenm
144734b6a94Sdarrenm static crypto_control_ops_t sha2_control_ops = {
145734b6a94Sdarrenm sha2_provider_status
146734b6a94Sdarrenm };
147734b6a94Sdarrenm
148734b6a94Sdarrenm static int sha2_digest_init(crypto_ctx_t *, crypto_mechanism_t *,
149734b6a94Sdarrenm crypto_req_handle_t);
150734b6a94Sdarrenm static int sha2_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
151734b6a94Sdarrenm crypto_req_handle_t);
152734b6a94Sdarrenm static int sha2_digest_update(crypto_ctx_t *, crypto_data_t *,
153734b6a94Sdarrenm crypto_req_handle_t);
154734b6a94Sdarrenm static int sha2_digest_final(crypto_ctx_t *, crypto_data_t *,
155734b6a94Sdarrenm crypto_req_handle_t);
156734b6a94Sdarrenm static int sha2_digest_atomic(crypto_provider_handle_t, crypto_session_id_t,
157734b6a94Sdarrenm crypto_mechanism_t *, crypto_data_t *, crypto_data_t *,
158734b6a94Sdarrenm crypto_req_handle_t);
159734b6a94Sdarrenm
160734b6a94Sdarrenm static crypto_digest_ops_t sha2_digest_ops = {
161734b6a94Sdarrenm sha2_digest_init,
162734b6a94Sdarrenm sha2_digest,
163734b6a94Sdarrenm sha2_digest_update,
164734b6a94Sdarrenm NULL,
165734b6a94Sdarrenm sha2_digest_final,
166734b6a94Sdarrenm sha2_digest_atomic
167734b6a94Sdarrenm };
168734b6a94Sdarrenm
169734b6a94Sdarrenm static int sha2_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *,
170734b6a94Sdarrenm crypto_spi_ctx_template_t, crypto_req_handle_t);
171734b6a94Sdarrenm static int sha2_mac_update(crypto_ctx_t *, crypto_data_t *,
172734b6a94Sdarrenm crypto_req_handle_t);
173734b6a94Sdarrenm static int sha2_mac_final(crypto_ctx_t *, crypto_data_t *, crypto_req_handle_t);
174734b6a94Sdarrenm static int sha2_mac_atomic(crypto_provider_handle_t, crypto_session_id_t,
175734b6a94Sdarrenm crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
176734b6a94Sdarrenm crypto_spi_ctx_template_t, crypto_req_handle_t);
177734b6a94Sdarrenm static int sha2_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
178734b6a94Sdarrenm crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
179734b6a94Sdarrenm crypto_spi_ctx_template_t, crypto_req_handle_t);
180734b6a94Sdarrenm
181734b6a94Sdarrenm static crypto_mac_ops_t sha2_mac_ops = {
182734b6a94Sdarrenm sha2_mac_init,
183734b6a94Sdarrenm NULL,
184734b6a94Sdarrenm sha2_mac_update,
185734b6a94Sdarrenm sha2_mac_final,
186734b6a94Sdarrenm sha2_mac_atomic,
187734b6a94Sdarrenm sha2_mac_verify_atomic
188734b6a94Sdarrenm };
189734b6a94Sdarrenm
190734b6a94Sdarrenm static int sha2_create_ctx_template(crypto_provider_handle_t,
191734b6a94Sdarrenm crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *,
192734b6a94Sdarrenm size_t *, crypto_req_handle_t);
193734b6a94Sdarrenm static int sha2_free_context(crypto_ctx_t *);
194734b6a94Sdarrenm
195734b6a94Sdarrenm static crypto_ctx_ops_t sha2_ctx_ops = {
196734b6a94Sdarrenm sha2_create_ctx_template,
197734b6a94Sdarrenm sha2_free_context
198734b6a94Sdarrenm };
199734b6a94Sdarrenm
200734b6a94Sdarrenm static crypto_ops_t sha2_crypto_ops = {
201734b6a94Sdarrenm &sha2_control_ops,
202734b6a94Sdarrenm &sha2_digest_ops,
203734b6a94Sdarrenm NULL,
204734b6a94Sdarrenm &sha2_mac_ops,
205734b6a94Sdarrenm NULL,
206734b6a94Sdarrenm NULL,
207734b6a94Sdarrenm NULL,
208734b6a94Sdarrenm NULL,
209734b6a94Sdarrenm NULL,
210734b6a94Sdarrenm NULL,
211734b6a94Sdarrenm NULL,
212734b6a94Sdarrenm NULL,
213734b6a94Sdarrenm NULL,
21473556491SAnthony Scarpino &sha2_ctx_ops,
21573556491SAnthony Scarpino NULL,
21673556491SAnthony Scarpino NULL,
2176ea3c060SGarrett D'Amore NULL,
218734b6a94Sdarrenm };
219734b6a94Sdarrenm
220734b6a94Sdarrenm static crypto_provider_info_t sha2_prov_info = {
22173556491SAnthony Scarpino CRYPTO_SPI_VERSION_4,
222734b6a94Sdarrenm "SHA2 Software Provider",
223734b6a94Sdarrenm CRYPTO_SW_PROVIDER,
224734b6a94Sdarrenm {&modlinkage},
225734b6a94Sdarrenm NULL,
226734b6a94Sdarrenm &sha2_crypto_ops,
227734b6a94Sdarrenm sizeof (sha2_mech_info_tab)/sizeof (crypto_mech_info_t),
228734b6a94Sdarrenm sha2_mech_info_tab
229734b6a94Sdarrenm };
230734b6a94Sdarrenm
231d659c726SToomas Soome static crypto_kcf_provider_handle_t sha2_prov_handle = 0;
232734b6a94Sdarrenm
233734b6a94Sdarrenm int
_init()234734b6a94Sdarrenm _init()
235734b6a94Sdarrenm {
236734b6a94Sdarrenm int ret;
237734b6a94Sdarrenm
238734b6a94Sdarrenm if ((ret = mod_install(&modlinkage)) != 0)
239734b6a94Sdarrenm return (ret);
240734b6a94Sdarrenm
241734b6a94Sdarrenm /*
242d3b2efc7SAnthony Scarpino * Register with KCF. If the registration fails, do not uninstall the
243d3b2efc7SAnthony Scarpino * module, since the functionality provided by misc/sha2 should still
244d3b2efc7SAnthony Scarpino * be available.
245734b6a94Sdarrenm */
246d3b2efc7SAnthony Scarpino (void) crypto_register_provider(&sha2_prov_info, &sha2_prov_handle);
247734b6a94Sdarrenm
248734b6a94Sdarrenm return (0);
249734b6a94Sdarrenm }
250734b6a94Sdarrenm
251734b6a94Sdarrenm int
_info(struct modinfo * modinfop)252734b6a94Sdarrenm _info(struct modinfo *modinfop)
253734b6a94Sdarrenm {
254734b6a94Sdarrenm return (mod_info(&modlinkage, modinfop));
255734b6a94Sdarrenm }
256734b6a94Sdarrenm
257734b6a94Sdarrenm /*
258734b6a94Sdarrenm * KCF software provider control entry points.
259734b6a94Sdarrenm */
260734b6a94Sdarrenm /* ARGSUSED */
261734b6a94Sdarrenm static void
sha2_provider_status(crypto_provider_handle_t provider,uint_t * status)262734b6a94Sdarrenm sha2_provider_status(crypto_provider_handle_t provider, uint_t *status)
263734b6a94Sdarrenm {
264734b6a94Sdarrenm *status = CRYPTO_PROVIDER_READY;
265734b6a94Sdarrenm }
266734b6a94Sdarrenm
267734b6a94Sdarrenm /*
268734b6a94Sdarrenm * KCF software provider digest entry points.
269734b6a94Sdarrenm */
270734b6a94Sdarrenm
271734b6a94Sdarrenm static int
sha2_digest_init(crypto_ctx_t * ctx,crypto_mechanism_t * mechanism,crypto_req_handle_t req)272734b6a94Sdarrenm sha2_digest_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
273734b6a94Sdarrenm crypto_req_handle_t req)
274734b6a94Sdarrenm {
275734b6a94Sdarrenm
276734b6a94Sdarrenm /*
277734b6a94Sdarrenm * Allocate and initialize SHA2 context.
278734b6a94Sdarrenm */
279734b6a94Sdarrenm ctx->cc_provider_private = kmem_alloc(sizeof (sha2_ctx_t),
280734b6a94Sdarrenm crypto_kmflag(req));
281734b6a94Sdarrenm if (ctx->cc_provider_private == NULL)
282734b6a94Sdarrenm return (CRYPTO_HOST_MEMORY);
283734b6a94Sdarrenm
284734b6a94Sdarrenm PROV_SHA2_CTX(ctx)->sc_mech_type = mechanism->cm_type;
285734b6a94Sdarrenm SHA2Init(mechanism->cm_type, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
286734b6a94Sdarrenm
287734b6a94Sdarrenm return (CRYPTO_SUCCESS);
288734b6a94Sdarrenm }
289734b6a94Sdarrenm
290734b6a94Sdarrenm /*
291734b6a94Sdarrenm * Helper SHA2 digest update function for uio data.
292734b6a94Sdarrenm */
293734b6a94Sdarrenm static int
sha2_digest_update_uio(SHA2_CTX * sha2_ctx,crypto_data_t * data)294734b6a94Sdarrenm sha2_digest_update_uio(SHA2_CTX *sha2_ctx, crypto_data_t *data)
295734b6a94Sdarrenm {
296734b6a94Sdarrenm off_t offset = data->cd_offset;
297734b6a94Sdarrenm size_t length = data->cd_length;
298734b6a94Sdarrenm uint_t vec_idx;
299734b6a94Sdarrenm size_t cur_len;
300734b6a94Sdarrenm
301734b6a94Sdarrenm /* we support only kernel buffer */
302734b6a94Sdarrenm if (data->cd_uio->uio_segflg != UIO_SYSSPACE)
303734b6a94Sdarrenm return (CRYPTO_ARGUMENTS_BAD);
304734b6a94Sdarrenm
305734b6a94Sdarrenm /*
306734b6a94Sdarrenm * Jump to the first iovec containing data to be
307734b6a94Sdarrenm * digested.
308734b6a94Sdarrenm */
309734b6a94Sdarrenm for (vec_idx = 0; vec_idx < data->cd_uio->uio_iovcnt &&
310734b6a94Sdarrenm offset >= data->cd_uio->uio_iov[vec_idx].iov_len;
311d2b32306Smcpowers offset -= data->cd_uio->uio_iov[vec_idx++].iov_len)
312d2b32306Smcpowers ;
313734b6a94Sdarrenm if (vec_idx == data->cd_uio->uio_iovcnt) {
314734b6a94Sdarrenm /*
315734b6a94Sdarrenm * The caller specified an offset that is larger than the
316734b6a94Sdarrenm * total size of the buffers it provided.
317734b6a94Sdarrenm */
318734b6a94Sdarrenm return (CRYPTO_DATA_LEN_RANGE);
319734b6a94Sdarrenm }
320734b6a94Sdarrenm
321734b6a94Sdarrenm /*
322734b6a94Sdarrenm * Now do the digesting on the iovecs.
323734b6a94Sdarrenm */
324734b6a94Sdarrenm while (vec_idx < data->cd_uio->uio_iovcnt && length > 0) {
325734b6a94Sdarrenm cur_len = MIN(data->cd_uio->uio_iov[vec_idx].iov_len -
326734b6a94Sdarrenm offset, length);
327734b6a94Sdarrenm
328734b6a94Sdarrenm SHA2Update(sha2_ctx, (uint8_t *)data->cd_uio->
329734b6a94Sdarrenm uio_iov[vec_idx].iov_base + offset, cur_len);
330734b6a94Sdarrenm length -= cur_len;
331734b6a94Sdarrenm vec_idx++;
332734b6a94Sdarrenm offset = 0;
333734b6a94Sdarrenm }
334734b6a94Sdarrenm
335734b6a94Sdarrenm if (vec_idx == data->cd_uio->uio_iovcnt && length > 0) {
336734b6a94Sdarrenm /*
337734b6a94Sdarrenm * The end of the specified iovec's was reached but
338734b6a94Sdarrenm * the length requested could not be processed, i.e.
339734b6a94Sdarrenm * The caller requested to digest more data than it provided.
340734b6a94Sdarrenm */
341734b6a94Sdarrenm return (CRYPTO_DATA_LEN_RANGE);
342734b6a94Sdarrenm }
343734b6a94Sdarrenm
344734b6a94Sdarrenm return (CRYPTO_SUCCESS);
345734b6a94Sdarrenm }
346734b6a94Sdarrenm
347734b6a94Sdarrenm /*
348734b6a94Sdarrenm * Helper SHA2 digest final function for uio data.
349734b6a94Sdarrenm * digest_len is the length of the desired digest. If digest_len
350734b6a94Sdarrenm * is smaller than the default SHA2 digest length, the caller
351734b6a94Sdarrenm * must pass a scratch buffer, digest_scratch, which must
352734b6a94Sdarrenm * be at least the algorithm's digest length bytes.
353734b6a94Sdarrenm */
354734b6a94Sdarrenm static int
sha2_digest_final_uio(SHA2_CTX * sha2_ctx,crypto_data_t * digest,ulong_t digest_len,uchar_t * digest_scratch)355734b6a94Sdarrenm sha2_digest_final_uio(SHA2_CTX *sha2_ctx, crypto_data_t *digest,
356734b6a94Sdarrenm ulong_t digest_len, uchar_t *digest_scratch)
357734b6a94Sdarrenm {
358734b6a94Sdarrenm off_t offset = digest->cd_offset;
359734b6a94Sdarrenm uint_t vec_idx;
360734b6a94Sdarrenm
361734b6a94Sdarrenm /* we support only kernel buffer */
362734b6a94Sdarrenm if (digest->cd_uio->uio_segflg != UIO_SYSSPACE)
363734b6a94Sdarrenm return (CRYPTO_ARGUMENTS_BAD);
364734b6a94Sdarrenm
365734b6a94Sdarrenm /*
366734b6a94Sdarrenm * Jump to the first iovec containing ptr to the digest to
367734b6a94Sdarrenm * be returned.
368734b6a94Sdarrenm */
369734b6a94Sdarrenm for (vec_idx = 0; offset >= digest->cd_uio->uio_iov[vec_idx].iov_len &&
370734b6a94Sdarrenm vec_idx < digest->cd_uio->uio_iovcnt;
371d2b32306Smcpowers offset -= digest->cd_uio->uio_iov[vec_idx++].iov_len)
372d2b32306Smcpowers ;
373734b6a94Sdarrenm if (vec_idx == digest->cd_uio->uio_iovcnt) {
374734b6a94Sdarrenm /*
375734b6a94Sdarrenm * The caller specified an offset that is
376734b6a94Sdarrenm * larger than the total size of the buffers
377734b6a94Sdarrenm * it provided.
378734b6a94Sdarrenm */
379734b6a94Sdarrenm return (CRYPTO_DATA_LEN_RANGE);
380734b6a94Sdarrenm }
381734b6a94Sdarrenm
382734b6a94Sdarrenm if (offset + digest_len <=
383734b6a94Sdarrenm digest->cd_uio->uio_iov[vec_idx].iov_len) {
384734b6a94Sdarrenm /*
385734b6a94Sdarrenm * The computed SHA2 digest will fit in the current
386734b6a94Sdarrenm * iovec.
387734b6a94Sdarrenm */
388734b6a94Sdarrenm if (((sha2_ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
389734b6a94Sdarrenm (digest_len != SHA256_DIGEST_LENGTH)) ||
390734b6a94Sdarrenm ((sha2_ctx->algotype > SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
391734b6a94Sdarrenm (digest_len != SHA512_DIGEST_LENGTH))) {
392734b6a94Sdarrenm /*
393734b6a94Sdarrenm * The caller requested a short digest. Digest
394734b6a94Sdarrenm * into a scratch buffer and return to
395734b6a94Sdarrenm * the user only what was requested.
396734b6a94Sdarrenm */
397734b6a94Sdarrenm SHA2Final(digest_scratch, sha2_ctx);
398734b6a94Sdarrenm
399734b6a94Sdarrenm bcopy(digest_scratch, (uchar_t *)digest->
400734b6a94Sdarrenm cd_uio->uio_iov[vec_idx].iov_base + offset,
401734b6a94Sdarrenm digest_len);
402734b6a94Sdarrenm } else {
403734b6a94Sdarrenm SHA2Final((uchar_t *)digest->
404734b6a94Sdarrenm cd_uio->uio_iov[vec_idx].iov_base + offset,
405734b6a94Sdarrenm sha2_ctx);
406734b6a94Sdarrenm
407734b6a94Sdarrenm }
408734b6a94Sdarrenm } else {
409734b6a94Sdarrenm /*
410734b6a94Sdarrenm * The computed digest will be crossing one or more iovec's.
411734b6a94Sdarrenm * This is bad performance-wise but we need to support it.
412734b6a94Sdarrenm * Allocate a small scratch buffer on the stack and
413734b6a94Sdarrenm * copy it piece meal to the specified digest iovec's.
414734b6a94Sdarrenm */
415734b6a94Sdarrenm uchar_t digest_tmp[SHA512_DIGEST_LENGTH];
416734b6a94Sdarrenm off_t scratch_offset = 0;
417734b6a94Sdarrenm size_t length = digest_len;
418734b6a94Sdarrenm size_t cur_len;
419734b6a94Sdarrenm
420734b6a94Sdarrenm SHA2Final(digest_tmp, sha2_ctx);
421734b6a94Sdarrenm
422734b6a94Sdarrenm while (vec_idx < digest->cd_uio->uio_iovcnt && length > 0) {
423734b6a94Sdarrenm cur_len =
424734b6a94Sdarrenm MIN(digest->cd_uio->uio_iov[vec_idx].iov_len -
425734b6a94Sdarrenm offset, length);
426734b6a94Sdarrenm bcopy(digest_tmp + scratch_offset,
427734b6a94Sdarrenm digest->cd_uio->uio_iov[vec_idx].iov_base + offset,
428734b6a94Sdarrenm cur_len);
429734b6a94Sdarrenm
430734b6a94Sdarrenm length -= cur_len;
431734b6a94Sdarrenm vec_idx++;
432734b6a94Sdarrenm scratch_offset += cur_len;
433734b6a94Sdarrenm offset = 0;
434734b6a94Sdarrenm }
435734b6a94Sdarrenm
436734b6a94Sdarrenm if (vec_idx == digest->cd_uio->uio_iovcnt && length > 0) {
437734b6a94Sdarrenm /*
438734b6a94Sdarrenm * The end of the specified iovec's was reached but
439734b6a94Sdarrenm * the length requested could not be processed, i.e.
440734b6a94Sdarrenm * The caller requested to digest more data than it
441734b6a94Sdarrenm * provided.
442734b6a94Sdarrenm */
443734b6a94Sdarrenm return (CRYPTO_DATA_LEN_RANGE);
444734b6a94Sdarrenm }
445734b6a94Sdarrenm }
446734b6a94Sdarrenm
447734b6a94Sdarrenm return (CRYPTO_SUCCESS);
448734b6a94Sdarrenm }
449734b6a94Sdarrenm
450734b6a94Sdarrenm /*
451734b6a94Sdarrenm * Helper SHA2 digest update for mblk's.
452734b6a94Sdarrenm */
453734b6a94Sdarrenm static int
sha2_digest_update_mblk(SHA2_CTX * sha2_ctx,crypto_data_t * data)454734b6a94Sdarrenm sha2_digest_update_mblk(SHA2_CTX *sha2_ctx, crypto_data_t *data)
455734b6a94Sdarrenm {
456734b6a94Sdarrenm off_t offset = data->cd_offset;
457734b6a94Sdarrenm size_t length = data->cd_length;
458734b6a94Sdarrenm mblk_t *mp;
459734b6a94Sdarrenm size_t cur_len;
460734b6a94Sdarrenm
461734b6a94Sdarrenm /*
462734b6a94Sdarrenm * Jump to the first mblk_t containing data to be digested.
463734b6a94Sdarrenm */
464734b6a94Sdarrenm for (mp = data->cd_mp; mp != NULL && offset >= MBLKL(mp);
465d2b32306Smcpowers offset -= MBLKL(mp), mp = mp->b_cont)
466d2b32306Smcpowers ;
467734b6a94Sdarrenm if (mp == NULL) {
468734b6a94Sdarrenm /*
469734b6a94Sdarrenm * The caller specified an offset that is larger than the
470734b6a94Sdarrenm * total size of the buffers it provided.
471734b6a94Sdarrenm */
472734b6a94Sdarrenm return (CRYPTO_DATA_LEN_RANGE);
473734b6a94Sdarrenm }
474734b6a94Sdarrenm
475734b6a94Sdarrenm /*
476734b6a94Sdarrenm * Now do the digesting on the mblk chain.
477734b6a94Sdarrenm */
478734b6a94Sdarrenm while (mp != NULL && length > 0) {
479734b6a94Sdarrenm cur_len = MIN(MBLKL(mp) - offset, length);
480734b6a94Sdarrenm SHA2Update(sha2_ctx, mp->b_rptr + offset, cur_len);
481734b6a94Sdarrenm length -= cur_len;
482734b6a94Sdarrenm offset = 0;
483734b6a94Sdarrenm mp = mp->b_cont;
484734b6a94Sdarrenm }
485734b6a94Sdarrenm
486734b6a94Sdarrenm if (mp == NULL && length > 0) {
487734b6a94Sdarrenm /*
488734b6a94Sdarrenm * The end of the mblk was reached but the length requested
489734b6a94Sdarrenm * could not be processed, i.e. The caller requested
490734b6a94Sdarrenm * to digest more data than it provided.
491734b6a94Sdarrenm */
492734b6a94Sdarrenm return (CRYPTO_DATA_LEN_RANGE);
493734b6a94Sdarrenm }
494734b6a94Sdarrenm
495734b6a94Sdarrenm return (CRYPTO_SUCCESS);
496734b6a94Sdarrenm }
497734b6a94Sdarrenm
498734b6a94Sdarrenm /*
499734b6a94Sdarrenm * Helper SHA2 digest final for mblk's.
500734b6a94Sdarrenm * digest_len is the length of the desired digest. If digest_len
501734b6a94Sdarrenm * is smaller than the default SHA2 digest length, the caller
502734b6a94Sdarrenm * must pass a scratch buffer, digest_scratch, which must
503734b6a94Sdarrenm * be at least the algorithm's digest length bytes.
504734b6a94Sdarrenm */
505734b6a94Sdarrenm static int
sha2_digest_final_mblk(SHA2_CTX * sha2_ctx,crypto_data_t * digest,ulong_t digest_len,uchar_t * digest_scratch)506734b6a94Sdarrenm sha2_digest_final_mblk(SHA2_CTX *sha2_ctx, crypto_data_t *digest,
507734b6a94Sdarrenm ulong_t digest_len, uchar_t *digest_scratch)
508734b6a94Sdarrenm {
509734b6a94Sdarrenm off_t offset = digest->cd_offset;
510734b6a94Sdarrenm mblk_t *mp;
511734b6a94Sdarrenm
512734b6a94Sdarrenm /*
513734b6a94Sdarrenm * Jump to the first mblk_t that will be used to store the digest.
514734b6a94Sdarrenm */
515734b6a94Sdarrenm for (mp = digest->cd_mp; mp != NULL && offset >= MBLKL(mp);
516d2b32306Smcpowers offset -= MBLKL(mp), mp = mp->b_cont)
517d2b32306Smcpowers ;
518734b6a94Sdarrenm if (mp == NULL) {
519734b6a94Sdarrenm /*
520734b6a94Sdarrenm * The caller specified an offset that is larger than the
521734b6a94Sdarrenm * total size of the buffers it provided.
522734b6a94Sdarrenm */
523734b6a94Sdarrenm return (CRYPTO_DATA_LEN_RANGE);
524734b6a94Sdarrenm }
525734b6a94Sdarrenm
526734b6a94Sdarrenm if (offset + digest_len <= MBLKL(mp)) {
527734b6a94Sdarrenm /*
528734b6a94Sdarrenm * The computed SHA2 digest will fit in the current mblk.
529734b6a94Sdarrenm * Do the SHA2Final() in-place.
530734b6a94Sdarrenm */
531734b6a94Sdarrenm if (((sha2_ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
532734b6a94Sdarrenm (digest_len != SHA256_DIGEST_LENGTH)) ||
533734b6a94Sdarrenm ((sha2_ctx->algotype > SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
534734b6a94Sdarrenm (digest_len != SHA512_DIGEST_LENGTH))) {
535734b6a94Sdarrenm /*
536734b6a94Sdarrenm * The caller requested a short digest. Digest
537734b6a94Sdarrenm * into a scratch buffer and return to
538734b6a94Sdarrenm * the user only what was requested.
539734b6a94Sdarrenm */
540734b6a94Sdarrenm SHA2Final(digest_scratch, sha2_ctx);
541734b6a94Sdarrenm bcopy(digest_scratch, mp->b_rptr + offset, digest_len);
542734b6a94Sdarrenm } else {
543734b6a94Sdarrenm SHA2Final(mp->b_rptr + offset, sha2_ctx);
544734b6a94Sdarrenm }
545734b6a94Sdarrenm } else {
546734b6a94Sdarrenm /*
547734b6a94Sdarrenm * The computed digest will be crossing one or more mblk's.
548734b6a94Sdarrenm * This is bad performance-wise but we need to support it.
549734b6a94Sdarrenm * Allocate a small scratch buffer on the stack and
550734b6a94Sdarrenm * copy it piece meal to the specified digest iovec's.
551734b6a94Sdarrenm */
552734b6a94Sdarrenm uchar_t digest_tmp[SHA512_DIGEST_LENGTH];
553734b6a94Sdarrenm off_t scratch_offset = 0;
554734b6a94Sdarrenm size_t length = digest_len;
555734b6a94Sdarrenm size_t cur_len;
556734b6a94Sdarrenm
557734b6a94Sdarrenm SHA2Final(digest_tmp, sha2_ctx);
558734b6a94Sdarrenm
559734b6a94Sdarrenm while (mp != NULL && length > 0) {
560734b6a94Sdarrenm cur_len = MIN(MBLKL(mp) - offset, length);
561734b6a94Sdarrenm bcopy(digest_tmp + scratch_offset,
562734b6a94Sdarrenm mp->b_rptr + offset, cur_len);
563734b6a94Sdarrenm
564734b6a94Sdarrenm length -= cur_len;
565734b6a94Sdarrenm mp = mp->b_cont;
566734b6a94Sdarrenm scratch_offset += cur_len;
567734b6a94Sdarrenm offset = 0;
568734b6a94Sdarrenm }
569734b6a94Sdarrenm
570734b6a94Sdarrenm if (mp == NULL && length > 0) {
571734b6a94Sdarrenm /*
572734b6a94Sdarrenm * The end of the specified mblk was reached but
573734b6a94Sdarrenm * the length requested could not be processed, i.e.
574734b6a94Sdarrenm * The caller requested to digest more data than it
575734b6a94Sdarrenm * provided.
576734b6a94Sdarrenm */
577734b6a94Sdarrenm return (CRYPTO_DATA_LEN_RANGE);
578734b6a94Sdarrenm }
579734b6a94Sdarrenm }
580734b6a94Sdarrenm
581734b6a94Sdarrenm return (CRYPTO_SUCCESS);
582734b6a94Sdarrenm }
583734b6a94Sdarrenm
584734b6a94Sdarrenm /* ARGSUSED */
585734b6a94Sdarrenm static int
sha2_digest(crypto_ctx_t * ctx,crypto_data_t * data,crypto_data_t * digest,crypto_req_handle_t req)586734b6a94Sdarrenm sha2_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest,
587734b6a94Sdarrenm crypto_req_handle_t req)
588734b6a94Sdarrenm {
589734b6a94Sdarrenm int ret = CRYPTO_SUCCESS;
590734b6a94Sdarrenm uint_t sha_digest_len;
591734b6a94Sdarrenm
592734b6a94Sdarrenm ASSERT(ctx->cc_provider_private != NULL);
593734b6a94Sdarrenm
594734b6a94Sdarrenm switch (PROV_SHA2_CTX(ctx)->sc_mech_type) {
595734b6a94Sdarrenm case SHA256_MECH_INFO_TYPE:
596734b6a94Sdarrenm sha_digest_len = SHA256_DIGEST_LENGTH;
597734b6a94Sdarrenm break;
598734b6a94Sdarrenm case SHA384_MECH_INFO_TYPE:
599734b6a94Sdarrenm sha_digest_len = SHA384_DIGEST_LENGTH;
600734b6a94Sdarrenm break;
601734b6a94Sdarrenm case SHA512_MECH_INFO_TYPE:
602734b6a94Sdarrenm sha_digest_len = SHA512_DIGEST_LENGTH;
603734b6a94Sdarrenm break;
604*05204290SJason King case SHA512_224_MECH_INFO_TYPE:
605*05204290SJason King sha_digest_len = SHA512_224_DIGEST_LENGTH;
606*05204290SJason King break;
607*05204290SJason King case SHA512_256_MECH_INFO_TYPE:
608*05204290SJason King sha_digest_len = SHA512_256_DIGEST_LENGTH;
609*05204290SJason King break;
610734b6a94Sdarrenm default:
611734b6a94Sdarrenm return (CRYPTO_MECHANISM_INVALID);
612734b6a94Sdarrenm }
613734b6a94Sdarrenm
614734b6a94Sdarrenm /*
615734b6a94Sdarrenm * We need to just return the length needed to store the output.
616734b6a94Sdarrenm * We should not destroy the context for the following cases.
617734b6a94Sdarrenm */
618734b6a94Sdarrenm if ((digest->cd_length == 0) ||
619734b6a94Sdarrenm (digest->cd_length < sha_digest_len)) {
620734b6a94Sdarrenm digest->cd_length = sha_digest_len;
621734b6a94Sdarrenm return (CRYPTO_BUFFER_TOO_SMALL);
622734b6a94Sdarrenm }
623734b6a94Sdarrenm
624734b6a94Sdarrenm /*
625734b6a94Sdarrenm * Do the SHA2 update on the specified input data.
626734b6a94Sdarrenm */
627734b6a94Sdarrenm switch (data->cd_format) {
628734b6a94Sdarrenm case CRYPTO_DATA_RAW:
629734b6a94Sdarrenm SHA2Update(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
630734b6a94Sdarrenm (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
631734b6a94Sdarrenm data->cd_length);
632734b6a94Sdarrenm break;
633734b6a94Sdarrenm case CRYPTO_DATA_UIO:
634734b6a94Sdarrenm ret = sha2_digest_update_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
635734b6a94Sdarrenm data);
636734b6a94Sdarrenm break;
637734b6a94Sdarrenm case CRYPTO_DATA_MBLK:
638734b6a94Sdarrenm ret = sha2_digest_update_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
639734b6a94Sdarrenm data);
640734b6a94Sdarrenm break;
641734b6a94Sdarrenm default:
642734b6a94Sdarrenm ret = CRYPTO_ARGUMENTS_BAD;
643734b6a94Sdarrenm }
644734b6a94Sdarrenm
645734b6a94Sdarrenm if (ret != CRYPTO_SUCCESS) {
646734b6a94Sdarrenm /* the update failed, free context and bail */
647734b6a94Sdarrenm kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
648734b6a94Sdarrenm ctx->cc_provider_private = NULL;
649734b6a94Sdarrenm digest->cd_length = 0;
650734b6a94Sdarrenm return (ret);
651734b6a94Sdarrenm }
652734b6a94Sdarrenm
653734b6a94Sdarrenm /*
654734b6a94Sdarrenm * Do a SHA2 final, must be done separately since the digest
655734b6a94Sdarrenm * type can be different than the input data type.
656734b6a94Sdarrenm */
657734b6a94Sdarrenm switch (digest->cd_format) {
658734b6a94Sdarrenm case CRYPTO_DATA_RAW:
659734b6a94Sdarrenm SHA2Final((unsigned char *)digest->cd_raw.iov_base +
660734b6a94Sdarrenm digest->cd_offset, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
661734b6a94Sdarrenm break;
662734b6a94Sdarrenm case CRYPTO_DATA_UIO:
663734b6a94Sdarrenm ret = sha2_digest_final_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
664734b6a94Sdarrenm digest, sha_digest_len, NULL);
665734b6a94Sdarrenm break;
666734b6a94Sdarrenm case CRYPTO_DATA_MBLK:
667734b6a94Sdarrenm ret = sha2_digest_final_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
668734b6a94Sdarrenm digest, sha_digest_len, NULL);
669734b6a94Sdarrenm break;
670734b6a94Sdarrenm default:
671734b6a94Sdarrenm ret = CRYPTO_ARGUMENTS_BAD;
672734b6a94Sdarrenm }
673734b6a94Sdarrenm
674734b6a94Sdarrenm /* all done, free context and return */
675734b6a94Sdarrenm
676734b6a94Sdarrenm if (ret == CRYPTO_SUCCESS)
677734b6a94Sdarrenm digest->cd_length = sha_digest_len;
678734b6a94Sdarrenm else
679734b6a94Sdarrenm digest->cd_length = 0;
680734b6a94Sdarrenm
681734b6a94Sdarrenm kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
682734b6a94Sdarrenm ctx->cc_provider_private = NULL;
683734b6a94Sdarrenm return (ret);
684734b6a94Sdarrenm }
685734b6a94Sdarrenm
686734b6a94Sdarrenm /* ARGSUSED */
687734b6a94Sdarrenm static int
sha2_digest_update(crypto_ctx_t * ctx,crypto_data_t * data,crypto_req_handle_t req)688734b6a94Sdarrenm sha2_digest_update(crypto_ctx_t *ctx, crypto_data_t *data,
689734b6a94Sdarrenm crypto_req_handle_t req)
690734b6a94Sdarrenm {
691734b6a94Sdarrenm int ret = CRYPTO_SUCCESS;
692734b6a94Sdarrenm
693734b6a94Sdarrenm ASSERT(ctx->cc_provider_private != NULL);
694734b6a94Sdarrenm
695734b6a94Sdarrenm /*
696734b6a94Sdarrenm * Do the SHA2 update on the specified input data.
697734b6a94Sdarrenm */
698734b6a94Sdarrenm switch (data->cd_format) {
699734b6a94Sdarrenm case CRYPTO_DATA_RAW:
700734b6a94Sdarrenm SHA2Update(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
701734b6a94Sdarrenm (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
702734b6a94Sdarrenm data->cd_length);
703734b6a94Sdarrenm break;
704734b6a94Sdarrenm case CRYPTO_DATA_UIO:
705734b6a94Sdarrenm ret = sha2_digest_update_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
706734b6a94Sdarrenm data);
707734b6a94Sdarrenm break;
708734b6a94Sdarrenm case CRYPTO_DATA_MBLK:
709734b6a94Sdarrenm ret = sha2_digest_update_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
710734b6a94Sdarrenm data);
711734b6a94Sdarrenm break;
712734b6a94Sdarrenm default:
713734b6a94Sdarrenm ret = CRYPTO_ARGUMENTS_BAD;
714734b6a94Sdarrenm }
715734b6a94Sdarrenm
716734b6a94Sdarrenm return (ret);
717734b6a94Sdarrenm }
718734b6a94Sdarrenm
719734b6a94Sdarrenm /* ARGSUSED */
720734b6a94Sdarrenm static int
sha2_digest_final(crypto_ctx_t * ctx,crypto_data_t * digest,crypto_req_handle_t req)721734b6a94Sdarrenm sha2_digest_final(crypto_ctx_t *ctx, crypto_data_t *digest,
722734b6a94Sdarrenm crypto_req_handle_t req)
723734b6a94Sdarrenm {
724734b6a94Sdarrenm int ret = CRYPTO_SUCCESS;
725734b6a94Sdarrenm uint_t sha_digest_len;
726734b6a94Sdarrenm
727734b6a94Sdarrenm ASSERT(ctx->cc_provider_private != NULL);
728734b6a94Sdarrenm
729734b6a94Sdarrenm switch (PROV_SHA2_CTX(ctx)->sc_mech_type) {
730734b6a94Sdarrenm case SHA256_MECH_INFO_TYPE:
731734b6a94Sdarrenm sha_digest_len = SHA256_DIGEST_LENGTH;
732734b6a94Sdarrenm break;
733734b6a94Sdarrenm case SHA384_MECH_INFO_TYPE:
734734b6a94Sdarrenm sha_digest_len = SHA384_DIGEST_LENGTH;
735734b6a94Sdarrenm break;
736734b6a94Sdarrenm case SHA512_MECH_INFO_TYPE:
737734b6a94Sdarrenm sha_digest_len = SHA512_DIGEST_LENGTH;
738734b6a94Sdarrenm break;
739*05204290SJason King case SHA512_224_MECH_INFO_TYPE:
740*05204290SJason King sha_digest_len = SHA512_224_DIGEST_LENGTH;
741*05204290SJason King break;
742*05204290SJason King case SHA512_256_MECH_INFO_TYPE:
743*05204290SJason King sha_digest_len = SHA512_256_DIGEST_LENGTH;
744*05204290SJason King break;
745734b6a94Sdarrenm default:
746734b6a94Sdarrenm return (CRYPTO_MECHANISM_INVALID);
747734b6a94Sdarrenm }
748734b6a94Sdarrenm
749734b6a94Sdarrenm /*
750734b6a94Sdarrenm * We need to just return the length needed to store the output.
751734b6a94Sdarrenm * We should not destroy the context for the following cases.
752734b6a94Sdarrenm */
753734b6a94Sdarrenm if ((digest->cd_length == 0) ||
754734b6a94Sdarrenm (digest->cd_length < sha_digest_len)) {
755734b6a94Sdarrenm digest->cd_length = sha_digest_len;
756734b6a94Sdarrenm return (CRYPTO_BUFFER_TOO_SMALL);
757734b6a94Sdarrenm }
758734b6a94Sdarrenm
759734b6a94Sdarrenm /*
760734b6a94Sdarrenm * Do a SHA2 final.
761734b6a94Sdarrenm */
762734b6a94Sdarrenm switch (digest->cd_format) {
763734b6a94Sdarrenm case CRYPTO_DATA_RAW:
764734b6a94Sdarrenm SHA2Final((unsigned char *)digest->cd_raw.iov_base +
765734b6a94Sdarrenm digest->cd_offset, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
766734b6a94Sdarrenm break;
767734b6a94Sdarrenm case CRYPTO_DATA_UIO:
768734b6a94Sdarrenm ret = sha2_digest_final_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
769734b6a94Sdarrenm digest, sha_digest_len, NULL);
770734b6a94Sdarrenm break;
771734b6a94Sdarrenm case CRYPTO_DATA_MBLK:
772734b6a94Sdarrenm ret = sha2_digest_final_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
773734b6a94Sdarrenm digest, sha_digest_len, NULL);
774734b6a94Sdarrenm break;
775734b6a94Sdarrenm default:
776734b6a94Sdarrenm ret = CRYPTO_ARGUMENTS_BAD;
777734b6a94Sdarrenm }
778734b6a94Sdarrenm
779734b6a94Sdarrenm /* all done, free context and return */
780734b6a94Sdarrenm
781734b6a94Sdarrenm if (ret == CRYPTO_SUCCESS)
782734b6a94Sdarrenm digest->cd_length = sha_digest_len;
783734b6a94Sdarrenm else
784734b6a94Sdarrenm digest->cd_length = 0;
785734b6a94Sdarrenm
786734b6a94Sdarrenm kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
787734b6a94Sdarrenm ctx->cc_provider_private = NULL;
788734b6a94Sdarrenm
789734b6a94Sdarrenm return (ret);
790734b6a94Sdarrenm }
791734b6a94Sdarrenm
792734b6a94Sdarrenm /* ARGSUSED */
793734b6a94Sdarrenm static int
sha2_digest_atomic(crypto_provider_handle_t provider,crypto_session_id_t session_id,crypto_mechanism_t * mechanism,crypto_data_t * data,crypto_data_t * digest,crypto_req_handle_t req)794734b6a94Sdarrenm sha2_digest_atomic(crypto_provider_handle_t provider,
795734b6a94Sdarrenm crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
796734b6a94Sdarrenm crypto_data_t *data, crypto_data_t *digest,
797734b6a94Sdarrenm crypto_req_handle_t req)
798734b6a94Sdarrenm {
799734b6a94Sdarrenm int ret = CRYPTO_SUCCESS;
800734b6a94Sdarrenm SHA2_CTX sha2_ctx;
801734b6a94Sdarrenm uint32_t sha_digest_len;
802734b6a94Sdarrenm
803734b6a94Sdarrenm /*
804734b6a94Sdarrenm * Do the SHA inits.
805734b6a94Sdarrenm */
806734b6a94Sdarrenm
807734b6a94Sdarrenm SHA2Init(mechanism->cm_type, &sha2_ctx);
808734b6a94Sdarrenm
809734b6a94Sdarrenm switch (data->cd_format) {
810734b6a94Sdarrenm case CRYPTO_DATA_RAW:
811734b6a94Sdarrenm SHA2Update(&sha2_ctx, (uint8_t *)data->
812734b6a94Sdarrenm cd_raw.iov_base + data->cd_offset, data->cd_length);
813734b6a94Sdarrenm break;
814734b6a94Sdarrenm case CRYPTO_DATA_UIO:
815734b6a94Sdarrenm ret = sha2_digest_update_uio(&sha2_ctx, data);
816734b6a94Sdarrenm break;
817734b6a94Sdarrenm case CRYPTO_DATA_MBLK:
818734b6a94Sdarrenm ret = sha2_digest_update_mblk(&sha2_ctx, data);
819734b6a94Sdarrenm break;
820734b6a94Sdarrenm default:
821734b6a94Sdarrenm ret = CRYPTO_ARGUMENTS_BAD;
822734b6a94Sdarrenm }
823734b6a94Sdarrenm
824734b6a94Sdarrenm /*
825734b6a94Sdarrenm * Do the SHA updates on the specified input data.
826734b6a94Sdarrenm */
827734b6a94Sdarrenm
828734b6a94Sdarrenm if (ret != CRYPTO_SUCCESS) {
829734b6a94Sdarrenm /* the update failed, bail */
830734b6a94Sdarrenm digest->cd_length = 0;
831734b6a94Sdarrenm return (ret);
832734b6a94Sdarrenm }
833734b6a94Sdarrenm
834734b6a94Sdarrenm if (mechanism->cm_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE)
835734b6a94Sdarrenm sha_digest_len = SHA256_DIGEST_LENGTH;
836734b6a94Sdarrenm else
837734b6a94Sdarrenm sha_digest_len = SHA512_DIGEST_LENGTH;
838734b6a94Sdarrenm
839734b6a94Sdarrenm /*
840734b6a94Sdarrenm * Do a SHA2 final, must be done separately since the digest
841734b6a94Sdarrenm * type can be different than the input data type.
842734b6a94Sdarrenm */
843734b6a94Sdarrenm switch (digest->cd_format) {
844734b6a94Sdarrenm case CRYPTO_DATA_RAW:
845734b6a94Sdarrenm SHA2Final((unsigned char *)digest->cd_raw.iov_base +
846734b6a94Sdarrenm digest->cd_offset, &sha2_ctx);
847734b6a94Sdarrenm break;
848734b6a94Sdarrenm case CRYPTO_DATA_UIO:
849734b6a94Sdarrenm ret = sha2_digest_final_uio(&sha2_ctx, digest,
850734b6a94Sdarrenm sha_digest_len, NULL);
851734b6a94Sdarrenm break;
852734b6a94Sdarrenm case CRYPTO_DATA_MBLK:
853734b6a94Sdarrenm ret = sha2_digest_final_mblk(&sha2_ctx, digest,
854734b6a94Sdarrenm sha_digest_len, NULL);
855734b6a94Sdarrenm break;
856734b6a94Sdarrenm default:
857734b6a94Sdarrenm ret = CRYPTO_ARGUMENTS_BAD;
858734b6a94Sdarrenm }
859734b6a94Sdarrenm
860734b6a94Sdarrenm if (ret == CRYPTO_SUCCESS)
861734b6a94Sdarrenm digest->cd_length = sha_digest_len;
862734b6a94Sdarrenm else
863734b6a94Sdarrenm digest->cd_length = 0;
864734b6a94Sdarrenm
865734b6a94Sdarrenm return (ret);
866734b6a94Sdarrenm }
867734b6a94Sdarrenm
868734b6a94Sdarrenm /*
869734b6a94Sdarrenm * KCF software provider mac entry points.
870734b6a94Sdarrenm *
871734b6a94Sdarrenm * SHA2 HMAC is: SHA2(key XOR opad, SHA2(key XOR ipad, text))
872734b6a94Sdarrenm *
873734b6a94Sdarrenm * Init:
874734b6a94Sdarrenm * The initialization routine initializes what we denote
875734b6a94Sdarrenm * as the inner and outer contexts by doing
876734b6a94Sdarrenm * - for inner context: SHA2(key XOR ipad)
877734b6a94Sdarrenm * - for outer context: SHA2(key XOR opad)
878734b6a94Sdarrenm *
879734b6a94Sdarrenm * Update:
880734b6a94Sdarrenm * Each subsequent SHA2 HMAC update will result in an
881734b6a94Sdarrenm * update of the inner context with the specified data.
882734b6a94Sdarrenm *
883734b6a94Sdarrenm * Final:
884734b6a94Sdarrenm * The SHA2 HMAC final will do a SHA2 final operation on the
885734b6a94Sdarrenm * inner context, and the resulting digest will be used
886734b6a94Sdarrenm * as the data for an update on the outer context. Last
887734b6a94Sdarrenm * but not least, a SHA2 final on the outer context will
888734b6a94Sdarrenm * be performed to obtain the SHA2 HMAC digest to return
889734b6a94Sdarrenm * to the user.
890734b6a94Sdarrenm */
891734b6a94Sdarrenm
892734b6a94Sdarrenm /*
893734b6a94Sdarrenm * Initialize a SHA2-HMAC context.
894734b6a94Sdarrenm */
895734b6a94Sdarrenm static void
sha2_mac_init_ctx(sha2_hmac_ctx_t * ctx,void * keyval,uint_t length_in_bytes)896734b6a94Sdarrenm sha2_mac_init_ctx(sha2_hmac_ctx_t *ctx, void *keyval, uint_t length_in_bytes)
897734b6a94Sdarrenm {
898734b6a94Sdarrenm uint64_t ipad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)];
899734b6a94Sdarrenm uint64_t opad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)];
900734b6a94Sdarrenm int i, block_size, blocks_per_int64;
901734b6a94Sdarrenm
902734b6a94Sdarrenm /* Determine the block size */
903734b6a94Sdarrenm if (ctx->hc_mech_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE) {
904734b6a94Sdarrenm block_size = SHA256_HMAC_BLOCK_SIZE;
905734b6a94Sdarrenm blocks_per_int64 = SHA256_HMAC_BLOCK_SIZE / sizeof (uint64_t);
906734b6a94Sdarrenm } else {
907734b6a94Sdarrenm block_size = SHA512_HMAC_BLOCK_SIZE;
908734b6a94Sdarrenm blocks_per_int64 = SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t);
909734b6a94Sdarrenm }
910734b6a94Sdarrenm
911734b6a94Sdarrenm (void) bzero(ipad, block_size);
912734b6a94Sdarrenm (void) bzero(opad, block_size);
913734b6a94Sdarrenm (void) bcopy(keyval, ipad, length_in_bytes);
914734b6a94Sdarrenm (void) bcopy(keyval, opad, length_in_bytes);
915734b6a94Sdarrenm
916734b6a94Sdarrenm /* XOR key with ipad (0x36) and opad (0x5c) */
917734b6a94Sdarrenm for (i = 0; i < blocks_per_int64; i ++) {
918734b6a94Sdarrenm ipad[i] ^= 0x3636363636363636;
919734b6a94Sdarrenm opad[i] ^= 0x5c5c5c5c5c5c5c5c;
920734b6a94Sdarrenm }
921734b6a94Sdarrenm
922734b6a94Sdarrenm /* perform SHA2 on ipad */
923734b6a94Sdarrenm SHA2Init(ctx->hc_mech_type, &ctx->hc_icontext);
924734b6a94Sdarrenm SHA2Update(&ctx->hc_icontext, (uint8_t *)ipad, block_size);
925734b6a94Sdarrenm
926734b6a94Sdarrenm /* perform SHA2 on opad */
927734b6a94Sdarrenm SHA2Init(ctx->hc_mech_type, &ctx->hc_ocontext);
928734b6a94Sdarrenm SHA2Update(&ctx->hc_ocontext, (uint8_t *)opad, block_size);
929734b6a94Sdarrenm
930734b6a94Sdarrenm }
931734b6a94Sdarrenm
932*05204290SJason King static boolean_t
sha2_is_general_hmech(const crypto_mechanism_t * mechanism)933*05204290SJason King sha2_is_general_hmech(const crypto_mechanism_t *mechanism)
934*05204290SJason King {
935*05204290SJason King switch (mechanism->cm_type) {
936*05204290SJason King case SHA256_HMAC_GEN_MECH_INFO_TYPE:
937*05204290SJason King case SHA384_HMAC_GEN_MECH_INFO_TYPE:
938*05204290SJason King case SHA512_HMAC_GEN_MECH_INFO_TYPE:
939*05204290SJason King return (B_TRUE);
940*05204290SJason King default:
941*05204290SJason King return (B_FALSE);
942*05204290SJason King }
943*05204290SJason King }
944*05204290SJason King
945734b6a94Sdarrenm /*
946734b6a94Sdarrenm */
947734b6a94Sdarrenm static int
sha2_mac_init(crypto_ctx_t * ctx,crypto_mechanism_t * mechanism,crypto_key_t * key,crypto_spi_ctx_template_t ctx_template,crypto_req_handle_t req)948734b6a94Sdarrenm sha2_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
949734b6a94Sdarrenm crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
950734b6a94Sdarrenm crypto_req_handle_t req)
951734b6a94Sdarrenm {
952734b6a94Sdarrenm int ret = CRYPTO_SUCCESS;
953734b6a94Sdarrenm uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
954734b6a94Sdarrenm uint_t sha_digest_len, sha_hmac_block_size;
955734b6a94Sdarrenm
956734b6a94Sdarrenm /*
9578de5c4f4SDan OpenSolaris Anderson * Set the digest length and block size to values appropriate to the
958734b6a94Sdarrenm * mechanism
959734b6a94Sdarrenm */
960734b6a94Sdarrenm switch (mechanism->cm_type) {
961734b6a94Sdarrenm case SHA256_HMAC_MECH_INFO_TYPE:
962734b6a94Sdarrenm case SHA256_HMAC_GEN_MECH_INFO_TYPE:
963734b6a94Sdarrenm sha_digest_len = SHA256_DIGEST_LENGTH;
964734b6a94Sdarrenm sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
965734b6a94Sdarrenm break;
966734b6a94Sdarrenm case SHA384_HMAC_MECH_INFO_TYPE:
967734b6a94Sdarrenm case SHA384_HMAC_GEN_MECH_INFO_TYPE:
968734b6a94Sdarrenm case SHA512_HMAC_MECH_INFO_TYPE:
969734b6a94Sdarrenm case SHA512_HMAC_GEN_MECH_INFO_TYPE:
970734b6a94Sdarrenm sha_digest_len = SHA512_DIGEST_LENGTH;
971734b6a94Sdarrenm sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
972734b6a94Sdarrenm break;
973734b6a94Sdarrenm default:
974734b6a94Sdarrenm return (CRYPTO_MECHANISM_INVALID);
975734b6a94Sdarrenm }
976734b6a94Sdarrenm
977734b6a94Sdarrenm if (key->ck_format != CRYPTO_KEY_RAW)
978734b6a94Sdarrenm return (CRYPTO_ARGUMENTS_BAD);
979734b6a94Sdarrenm
980734b6a94Sdarrenm ctx->cc_provider_private = kmem_alloc(sizeof (sha2_hmac_ctx_t),
981734b6a94Sdarrenm crypto_kmflag(req));
982734b6a94Sdarrenm if (ctx->cc_provider_private == NULL)
983734b6a94Sdarrenm return (CRYPTO_HOST_MEMORY);
984734b6a94Sdarrenm
985ba5f469cSkrishna PROV_SHA2_HMAC_CTX(ctx)->hc_mech_type = mechanism->cm_type;
986734b6a94Sdarrenm if (ctx_template != NULL) {
987734b6a94Sdarrenm /* reuse context template */
988734b6a94Sdarrenm bcopy(ctx_template, PROV_SHA2_HMAC_CTX(ctx),
989734b6a94Sdarrenm sizeof (sha2_hmac_ctx_t));
990734b6a94Sdarrenm } else {
991734b6a94Sdarrenm /* no context template, compute context */
992734b6a94Sdarrenm if (keylen_in_bytes > sha_hmac_block_size) {
993734b6a94Sdarrenm uchar_t digested_key[SHA512_DIGEST_LENGTH];
994734b6a94Sdarrenm sha2_hmac_ctx_t *hmac_ctx = ctx->cc_provider_private;
995734b6a94Sdarrenm
996734b6a94Sdarrenm /*
997734b6a94Sdarrenm * Hash the passed-in key to get a smaller key.
998734b6a94Sdarrenm * The inner context is used since it hasn't been
999734b6a94Sdarrenm * initialized yet.
1000734b6a94Sdarrenm */
1001734b6a94Sdarrenm PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1002734b6a94Sdarrenm &hmac_ctx->hc_icontext,
1003734b6a94Sdarrenm key->ck_data, keylen_in_bytes, digested_key);
1004734b6a94Sdarrenm sha2_mac_init_ctx(PROV_SHA2_HMAC_CTX(ctx),
1005734b6a94Sdarrenm digested_key, sha_digest_len);
1006734b6a94Sdarrenm } else {
1007734b6a94Sdarrenm sha2_mac_init_ctx(PROV_SHA2_HMAC_CTX(ctx),
1008734b6a94Sdarrenm key->ck_data, keylen_in_bytes);
1009734b6a94Sdarrenm }
1010734b6a94Sdarrenm }
1011734b6a94Sdarrenm
1012734b6a94Sdarrenm /*
1013734b6a94Sdarrenm * Get the mechanism parameters, if applicable.
1014734b6a94Sdarrenm */
1015*05204290SJason King if (sha2_is_general_hmech(mechanism)) {
1016734b6a94Sdarrenm if (mechanism->cm_param == NULL ||
1017734b6a94Sdarrenm mechanism->cm_param_len != sizeof (ulong_t))
1018734b6a94Sdarrenm ret = CRYPTO_MECHANISM_PARAM_INVALID;
1019734b6a94Sdarrenm PROV_SHA2_GET_DIGEST_LEN(mechanism,
1020734b6a94Sdarrenm PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len);
1021734b6a94Sdarrenm if (PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len > sha_digest_len)
1022734b6a94Sdarrenm ret = CRYPTO_MECHANISM_PARAM_INVALID;
1023734b6a94Sdarrenm }
1024734b6a94Sdarrenm
1025734b6a94Sdarrenm if (ret != CRYPTO_SUCCESS) {
1026734b6a94Sdarrenm bzero(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1027734b6a94Sdarrenm kmem_free(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1028734b6a94Sdarrenm ctx->cc_provider_private = NULL;
1029734b6a94Sdarrenm }
1030734b6a94Sdarrenm
1031734b6a94Sdarrenm return (ret);
1032734b6a94Sdarrenm }
1033734b6a94Sdarrenm
1034734b6a94Sdarrenm /* ARGSUSED */
1035734b6a94Sdarrenm static int
sha2_mac_update(crypto_ctx_t * ctx,crypto_data_t * data,crypto_req_handle_t req)1036734b6a94Sdarrenm sha2_mac_update(crypto_ctx_t *ctx, crypto_data_t *data,
1037734b6a94Sdarrenm crypto_req_handle_t req)
1038734b6a94Sdarrenm {
1039734b6a94Sdarrenm int ret = CRYPTO_SUCCESS;
1040734b6a94Sdarrenm
1041734b6a94Sdarrenm ASSERT(ctx->cc_provider_private != NULL);
1042734b6a94Sdarrenm
1043734b6a94Sdarrenm /*
1044734b6a94Sdarrenm * Do a SHA2 update of the inner context using the specified
1045734b6a94Sdarrenm * data.
1046734b6a94Sdarrenm */
1047734b6a94Sdarrenm switch (data->cd_format) {
1048734b6a94Sdarrenm case CRYPTO_DATA_RAW:
1049734b6a94Sdarrenm SHA2Update(&PROV_SHA2_HMAC_CTX(ctx)->hc_icontext,
1050734b6a94Sdarrenm (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
1051734b6a94Sdarrenm data->cd_length);
1052734b6a94Sdarrenm break;
1053734b6a94Sdarrenm case CRYPTO_DATA_UIO:
1054734b6a94Sdarrenm ret = sha2_digest_update_uio(
1055734b6a94Sdarrenm &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext, data);
1056734b6a94Sdarrenm break;
1057734b6a94Sdarrenm case CRYPTO_DATA_MBLK:
1058734b6a94Sdarrenm ret = sha2_digest_update_mblk(
1059734b6a94Sdarrenm &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext, data);
1060734b6a94Sdarrenm break;
1061734b6a94Sdarrenm default:
1062734b6a94Sdarrenm ret = CRYPTO_ARGUMENTS_BAD;
1063734b6a94Sdarrenm }
1064734b6a94Sdarrenm
1065734b6a94Sdarrenm return (ret);
1066734b6a94Sdarrenm }
1067734b6a94Sdarrenm
1068734b6a94Sdarrenm /* ARGSUSED */
1069734b6a94Sdarrenm static int
sha2_mac_final(crypto_ctx_t * ctx,crypto_data_t * mac,crypto_req_handle_t req)1070734b6a94Sdarrenm sha2_mac_final(crypto_ctx_t *ctx, crypto_data_t *mac, crypto_req_handle_t req)
1071734b6a94Sdarrenm {
1072734b6a94Sdarrenm int ret = CRYPTO_SUCCESS;
1073734b6a94Sdarrenm uchar_t digest[SHA512_DIGEST_LENGTH];
1074734b6a94Sdarrenm uint32_t digest_len, sha_digest_len;
1075734b6a94Sdarrenm
1076734b6a94Sdarrenm ASSERT(ctx->cc_provider_private != NULL);
1077734b6a94Sdarrenm
10788de5c4f4SDan OpenSolaris Anderson /* Set the digest lengths to values appropriate to the mechanism */
1079734b6a94Sdarrenm switch (PROV_SHA2_HMAC_CTX(ctx)->hc_mech_type) {
1080734b6a94Sdarrenm case SHA256_HMAC_MECH_INFO_TYPE:
1081734b6a94Sdarrenm sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1082734b6a94Sdarrenm break;
1083734b6a94Sdarrenm case SHA384_HMAC_MECH_INFO_TYPE:
1084ba5f469cSkrishna sha_digest_len = digest_len = SHA384_DIGEST_LENGTH;
1085ba5f469cSkrishna break;
1086734b6a94Sdarrenm case SHA512_HMAC_MECH_INFO_TYPE:
1087734b6a94Sdarrenm sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1088734b6a94Sdarrenm break;
1089734b6a94Sdarrenm case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1090734b6a94Sdarrenm sha_digest_len = SHA256_DIGEST_LENGTH;
1091734b6a94Sdarrenm digest_len = PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len;
1092734b6a94Sdarrenm break;
1093734b6a94Sdarrenm case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1094734b6a94Sdarrenm case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1095734b6a94Sdarrenm sha_digest_len = SHA512_DIGEST_LENGTH;
1096734b6a94Sdarrenm digest_len = PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len;
1097734b6a94Sdarrenm break;
1098734b6a94Sdarrenm }
1099734b6a94Sdarrenm
1100734b6a94Sdarrenm /*
1101734b6a94Sdarrenm * We need to just return the length needed to store the output.
1102734b6a94Sdarrenm * We should not destroy the context for the following cases.
1103734b6a94Sdarrenm */
1104734b6a94Sdarrenm if ((mac->cd_length == 0) || (mac->cd_length < digest_len)) {
1105734b6a94Sdarrenm mac->cd_length = digest_len;
1106734b6a94Sdarrenm return (CRYPTO_BUFFER_TOO_SMALL);
1107734b6a94Sdarrenm }
1108734b6a94Sdarrenm
1109734b6a94Sdarrenm /*
1110734b6a94Sdarrenm * Do a SHA2 final on the inner context.
1111734b6a94Sdarrenm */
1112734b6a94Sdarrenm SHA2Final(digest, &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext);
1113734b6a94Sdarrenm
1114734b6a94Sdarrenm /*
1115734b6a94Sdarrenm * Do a SHA2 update on the outer context, feeding the inner
1116734b6a94Sdarrenm * digest as data.
1117734b6a94Sdarrenm */
1118734b6a94Sdarrenm SHA2Update(&PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, digest,
1119734b6a94Sdarrenm sha_digest_len);
1120734b6a94Sdarrenm
1121734b6a94Sdarrenm /*
1122734b6a94Sdarrenm * Do a SHA2 final on the outer context, storing the computing
1123734b6a94Sdarrenm * digest in the users buffer.
1124734b6a94Sdarrenm */
1125734b6a94Sdarrenm switch (mac->cd_format) {
1126734b6a94Sdarrenm case CRYPTO_DATA_RAW:
1127734b6a94Sdarrenm if (digest_len != sha_digest_len) {
1128734b6a94Sdarrenm /*
1129734b6a94Sdarrenm * The caller requested a short digest. Digest
1130734b6a94Sdarrenm * into a scratch buffer and return to
1131734b6a94Sdarrenm * the user only what was requested.
1132734b6a94Sdarrenm */
1133734b6a94Sdarrenm SHA2Final(digest,
1134734b6a94Sdarrenm &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext);
1135734b6a94Sdarrenm bcopy(digest, (unsigned char *)mac->cd_raw.iov_base +
1136734b6a94Sdarrenm mac->cd_offset, digest_len);
1137734b6a94Sdarrenm } else {
1138734b6a94Sdarrenm SHA2Final((unsigned char *)mac->cd_raw.iov_base +
1139734b6a94Sdarrenm mac->cd_offset,
1140734b6a94Sdarrenm &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext);
1141734b6a94Sdarrenm }
1142734b6a94Sdarrenm break;
1143734b6a94Sdarrenm case CRYPTO_DATA_UIO:
1144734b6a94Sdarrenm ret = sha2_digest_final_uio(
1145734b6a94Sdarrenm &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, mac,
1146734b6a94Sdarrenm digest_len, digest);
1147734b6a94Sdarrenm break;
1148734b6a94Sdarrenm case CRYPTO_DATA_MBLK:
1149734b6a94Sdarrenm ret = sha2_digest_final_mblk(
1150734b6a94Sdarrenm &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, mac,
1151734b6a94Sdarrenm digest_len, digest);
1152734b6a94Sdarrenm break;
1153734b6a94Sdarrenm default:
1154734b6a94Sdarrenm ret = CRYPTO_ARGUMENTS_BAD;
1155734b6a94Sdarrenm }
1156734b6a94Sdarrenm
1157734b6a94Sdarrenm if (ret == CRYPTO_SUCCESS)
1158734b6a94Sdarrenm mac->cd_length = digest_len;
1159734b6a94Sdarrenm else
1160734b6a94Sdarrenm mac->cd_length = 0;
1161734b6a94Sdarrenm
1162ba5f469cSkrishna bzero(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1163734b6a94Sdarrenm kmem_free(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1164734b6a94Sdarrenm ctx->cc_provider_private = NULL;
1165734b6a94Sdarrenm
1166734b6a94Sdarrenm return (ret);
1167734b6a94Sdarrenm }
1168734b6a94Sdarrenm
1169734b6a94Sdarrenm #define SHA2_MAC_UPDATE(data, ctx, ret) { \
1170734b6a94Sdarrenm switch (data->cd_format) { \
1171734b6a94Sdarrenm case CRYPTO_DATA_RAW: \
1172734b6a94Sdarrenm SHA2Update(&(ctx).hc_icontext, \
1173734b6a94Sdarrenm (uint8_t *)data->cd_raw.iov_base + \
1174734b6a94Sdarrenm data->cd_offset, data->cd_length); \
1175734b6a94Sdarrenm break; \
1176734b6a94Sdarrenm case CRYPTO_DATA_UIO: \
1177734b6a94Sdarrenm ret = sha2_digest_update_uio(&(ctx).hc_icontext, data); \
1178734b6a94Sdarrenm break; \
1179734b6a94Sdarrenm case CRYPTO_DATA_MBLK: \
1180734b6a94Sdarrenm ret = sha2_digest_update_mblk(&(ctx).hc_icontext, \
1181734b6a94Sdarrenm data); \
1182734b6a94Sdarrenm break; \
1183734b6a94Sdarrenm default: \
1184734b6a94Sdarrenm ret = CRYPTO_ARGUMENTS_BAD; \
1185734b6a94Sdarrenm } \
1186734b6a94Sdarrenm }
1187734b6a94Sdarrenm
1188734b6a94Sdarrenm /* ARGSUSED */
1189734b6a94Sdarrenm static int
sha2_mac_atomic(crypto_provider_handle_t provider,crypto_session_id_t session_id,crypto_mechanism_t * mechanism,crypto_key_t * key,crypto_data_t * data,crypto_data_t * mac,crypto_spi_ctx_template_t ctx_template,crypto_req_handle_t req)1190734b6a94Sdarrenm sha2_mac_atomic(crypto_provider_handle_t provider,
1191734b6a94Sdarrenm crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1192734b6a94Sdarrenm crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1193734b6a94Sdarrenm crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1194734b6a94Sdarrenm {
1195734b6a94Sdarrenm int ret = CRYPTO_SUCCESS;
1196734b6a94Sdarrenm uchar_t digest[SHA512_DIGEST_LENGTH];
1197734b6a94Sdarrenm sha2_hmac_ctx_t sha2_hmac_ctx;
1198734b6a94Sdarrenm uint32_t sha_digest_len, digest_len, sha_hmac_block_size;
1199734b6a94Sdarrenm uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1200734b6a94Sdarrenm
1201734b6a94Sdarrenm /*
12028de5c4f4SDan OpenSolaris Anderson * Set the digest length and block size to values appropriate to the
1203734b6a94Sdarrenm * mechanism
1204734b6a94Sdarrenm */
1205734b6a94Sdarrenm switch (mechanism->cm_type) {
1206734b6a94Sdarrenm case SHA256_HMAC_MECH_INFO_TYPE:
1207734b6a94Sdarrenm case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1208734b6a94Sdarrenm sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1209734b6a94Sdarrenm sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1210734b6a94Sdarrenm break;
1211734b6a94Sdarrenm case SHA384_HMAC_MECH_INFO_TYPE:
1212734b6a94Sdarrenm case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1213734b6a94Sdarrenm case SHA512_HMAC_MECH_INFO_TYPE:
1214734b6a94Sdarrenm case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1215734b6a94Sdarrenm sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1216734b6a94Sdarrenm sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1217734b6a94Sdarrenm break;
1218734b6a94Sdarrenm default:
1219734b6a94Sdarrenm return (CRYPTO_MECHANISM_INVALID);
1220734b6a94Sdarrenm }
1221734b6a94Sdarrenm
1222734b6a94Sdarrenm /* Add support for key by attributes (RFE 4706552) */
1223734b6a94Sdarrenm if (key->ck_format != CRYPTO_KEY_RAW)
1224734b6a94Sdarrenm return (CRYPTO_ARGUMENTS_BAD);
1225734b6a94Sdarrenm
1226734b6a94Sdarrenm if (ctx_template != NULL) {
1227734b6a94Sdarrenm /* reuse context template */
1228734b6a94Sdarrenm bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1229734b6a94Sdarrenm } else {
1230734b6a94Sdarrenm sha2_hmac_ctx.hc_mech_type = mechanism->cm_type;
1231734b6a94Sdarrenm /* no context template, initialize context */
1232734b6a94Sdarrenm if (keylen_in_bytes > sha_hmac_block_size) {
1233734b6a94Sdarrenm /*
1234734b6a94Sdarrenm * Hash the passed-in key to get a smaller key.
1235734b6a94Sdarrenm * The inner context is used since it hasn't been
1236734b6a94Sdarrenm * initialized yet.
1237734b6a94Sdarrenm */
1238734b6a94Sdarrenm PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1239734b6a94Sdarrenm &sha2_hmac_ctx.hc_icontext,
1240734b6a94Sdarrenm key->ck_data, keylen_in_bytes, digest);
1241734b6a94Sdarrenm sha2_mac_init_ctx(&sha2_hmac_ctx, digest,
1242734b6a94Sdarrenm sha_digest_len);
1243734b6a94Sdarrenm } else {
1244734b6a94Sdarrenm sha2_mac_init_ctx(&sha2_hmac_ctx, key->ck_data,
1245734b6a94Sdarrenm keylen_in_bytes);
1246734b6a94Sdarrenm }
1247734b6a94Sdarrenm }
1248734b6a94Sdarrenm
1249734b6a94Sdarrenm /* get the mechanism parameters, if applicable */
1250*05204290SJason King if (sha2_is_general_hmech(mechanism)) {
1251734b6a94Sdarrenm if (mechanism->cm_param == NULL ||
1252734b6a94Sdarrenm mechanism->cm_param_len != sizeof (ulong_t)) {
1253734b6a94Sdarrenm ret = CRYPTO_MECHANISM_PARAM_INVALID;
1254734b6a94Sdarrenm goto bail;
1255734b6a94Sdarrenm }
1256734b6a94Sdarrenm PROV_SHA2_GET_DIGEST_LEN(mechanism, digest_len);
1257734b6a94Sdarrenm if (digest_len > sha_digest_len) {
1258734b6a94Sdarrenm ret = CRYPTO_MECHANISM_PARAM_INVALID;
1259734b6a94Sdarrenm goto bail;
1260734b6a94Sdarrenm }
1261734b6a94Sdarrenm }
1262734b6a94Sdarrenm
1263734b6a94Sdarrenm /* do a SHA2 update of the inner context using the specified data */
1264734b6a94Sdarrenm SHA2_MAC_UPDATE(data, sha2_hmac_ctx, ret);
1265734b6a94Sdarrenm if (ret != CRYPTO_SUCCESS)
1266734b6a94Sdarrenm /* the update failed, free context and bail */
1267734b6a94Sdarrenm goto bail;
1268734b6a94Sdarrenm
1269734b6a94Sdarrenm /*
1270734b6a94Sdarrenm * Do a SHA2 final on the inner context.
1271734b6a94Sdarrenm */
1272734b6a94Sdarrenm SHA2Final(digest, &sha2_hmac_ctx.hc_icontext);
1273734b6a94Sdarrenm
1274734b6a94Sdarrenm /*
1275734b6a94Sdarrenm * Do an SHA2 update on the outer context, feeding the inner
1276734b6a94Sdarrenm * digest as data.
1277734b6a94Sdarrenm *
12780358d3a6Sdanmcd * HMAC-SHA384 needs special handling as the outer hash needs only 48
12790358d3a6Sdanmcd * bytes of the inner hash value.
1280734b6a94Sdarrenm */
1281734b6a94Sdarrenm if (mechanism->cm_type == SHA384_HMAC_MECH_INFO_TYPE ||
1282734b6a94Sdarrenm mechanism->cm_type == SHA384_HMAC_GEN_MECH_INFO_TYPE)
1283734b6a94Sdarrenm SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest,
1284734b6a94Sdarrenm SHA384_DIGEST_LENGTH);
1285734b6a94Sdarrenm else
1286734b6a94Sdarrenm SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, sha_digest_len);
1287734b6a94Sdarrenm
1288734b6a94Sdarrenm /*
1289734b6a94Sdarrenm * Do a SHA2 final on the outer context, storing the computed
1290734b6a94Sdarrenm * digest in the users buffer.
1291734b6a94Sdarrenm */
1292734b6a94Sdarrenm switch (mac->cd_format) {
1293734b6a94Sdarrenm case CRYPTO_DATA_RAW:
1294734b6a94Sdarrenm if (digest_len != sha_digest_len) {
1295734b6a94Sdarrenm /*
1296734b6a94Sdarrenm * The caller requested a short digest. Digest
1297734b6a94Sdarrenm * into a scratch buffer and return to
1298734b6a94Sdarrenm * the user only what was requested.
1299734b6a94Sdarrenm */
1300734b6a94Sdarrenm SHA2Final(digest, &sha2_hmac_ctx.hc_ocontext);
1301734b6a94Sdarrenm bcopy(digest, (unsigned char *)mac->cd_raw.iov_base +
1302734b6a94Sdarrenm mac->cd_offset, digest_len);
1303734b6a94Sdarrenm } else {
1304734b6a94Sdarrenm SHA2Final((unsigned char *)mac->cd_raw.iov_base +
1305734b6a94Sdarrenm mac->cd_offset, &sha2_hmac_ctx.hc_ocontext);
1306734b6a94Sdarrenm }
1307734b6a94Sdarrenm break;
1308734b6a94Sdarrenm case CRYPTO_DATA_UIO:
1309734b6a94Sdarrenm ret = sha2_digest_final_uio(&sha2_hmac_ctx.hc_ocontext, mac,
1310734b6a94Sdarrenm digest_len, digest);
1311734b6a94Sdarrenm break;
1312734b6a94Sdarrenm case CRYPTO_DATA_MBLK:
1313734b6a94Sdarrenm ret = sha2_digest_final_mblk(&sha2_hmac_ctx.hc_ocontext, mac,
1314734b6a94Sdarrenm digest_len, digest);
1315734b6a94Sdarrenm break;
1316734b6a94Sdarrenm default:
1317734b6a94Sdarrenm ret = CRYPTO_ARGUMENTS_BAD;
1318734b6a94Sdarrenm }
1319734b6a94Sdarrenm
1320734b6a94Sdarrenm if (ret == CRYPTO_SUCCESS) {
1321734b6a94Sdarrenm mac->cd_length = digest_len;
1322734b6a94Sdarrenm return (CRYPTO_SUCCESS);
1323734b6a94Sdarrenm }
1324734b6a94Sdarrenm bail:
1325734b6a94Sdarrenm bzero(&sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1326734b6a94Sdarrenm mac->cd_length = 0;
1327734b6a94Sdarrenm return (ret);
1328734b6a94Sdarrenm }
1329734b6a94Sdarrenm
1330734b6a94Sdarrenm /* ARGSUSED */
1331734b6a94Sdarrenm static int
sha2_mac_verify_atomic(crypto_provider_handle_t provider,crypto_session_id_t session_id,crypto_mechanism_t * mechanism,crypto_key_t * key,crypto_data_t * data,crypto_data_t * mac,crypto_spi_ctx_template_t ctx_template,crypto_req_handle_t req)1332734b6a94Sdarrenm sha2_mac_verify_atomic(crypto_provider_handle_t provider,
1333734b6a94Sdarrenm crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1334734b6a94Sdarrenm crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1335734b6a94Sdarrenm crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1336734b6a94Sdarrenm {
1337734b6a94Sdarrenm int ret = CRYPTO_SUCCESS;
1338734b6a94Sdarrenm uchar_t digest[SHA512_DIGEST_LENGTH];
1339734b6a94Sdarrenm sha2_hmac_ctx_t sha2_hmac_ctx;
1340734b6a94Sdarrenm uint32_t sha_digest_len, digest_len, sha_hmac_block_size;
1341734b6a94Sdarrenm uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1342734b6a94Sdarrenm
1343734b6a94Sdarrenm /*
13448de5c4f4SDan OpenSolaris Anderson * Set the digest length and block size to values appropriate to the
1345734b6a94Sdarrenm * mechanism
1346734b6a94Sdarrenm */
1347734b6a94Sdarrenm switch (mechanism->cm_type) {
1348734b6a94Sdarrenm case SHA256_HMAC_MECH_INFO_TYPE:
1349734b6a94Sdarrenm case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1350734b6a94Sdarrenm sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1351734b6a94Sdarrenm sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1352734b6a94Sdarrenm break;
1353734b6a94Sdarrenm case SHA384_HMAC_MECH_INFO_TYPE:
1354734b6a94Sdarrenm case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1355734b6a94Sdarrenm case SHA512_HMAC_MECH_INFO_TYPE:
1356734b6a94Sdarrenm case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1357734b6a94Sdarrenm sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1358734b6a94Sdarrenm sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1359734b6a94Sdarrenm break;
1360734b6a94Sdarrenm default:
1361734b6a94Sdarrenm return (CRYPTO_MECHANISM_INVALID);
1362734b6a94Sdarrenm }
1363734b6a94Sdarrenm
1364734b6a94Sdarrenm /* Add support for key by attributes (RFE 4706552) */
1365734b6a94Sdarrenm if (key->ck_format != CRYPTO_KEY_RAW)
1366734b6a94Sdarrenm return (CRYPTO_ARGUMENTS_BAD);
1367734b6a94Sdarrenm
1368734b6a94Sdarrenm if (ctx_template != NULL) {
1369734b6a94Sdarrenm /* reuse context template */
1370734b6a94Sdarrenm bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1371734b6a94Sdarrenm } else {
137252aa4e90SMark Powers sha2_hmac_ctx.hc_mech_type = mechanism->cm_type;
1373734b6a94Sdarrenm /* no context template, initialize context */
1374734b6a94Sdarrenm if (keylen_in_bytes > sha_hmac_block_size) {
1375734b6a94Sdarrenm /*
1376734b6a94Sdarrenm * Hash the passed-in key to get a smaller key.
1377734b6a94Sdarrenm * The inner context is used since it hasn't been
1378734b6a94Sdarrenm * initialized yet.
1379734b6a94Sdarrenm */
1380734b6a94Sdarrenm PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1381734b6a94Sdarrenm &sha2_hmac_ctx.hc_icontext,
1382734b6a94Sdarrenm key->ck_data, keylen_in_bytes, digest);
1383734b6a94Sdarrenm sha2_mac_init_ctx(&sha2_hmac_ctx, digest,
1384734b6a94Sdarrenm sha_digest_len);
1385734b6a94Sdarrenm } else {
1386734b6a94Sdarrenm sha2_mac_init_ctx(&sha2_hmac_ctx, key->ck_data,
1387734b6a94Sdarrenm keylen_in_bytes);
1388734b6a94Sdarrenm }
1389734b6a94Sdarrenm }
1390734b6a94Sdarrenm
1391734b6a94Sdarrenm /* get the mechanism parameters, if applicable */
1392*05204290SJason King if (sha2_is_general_hmech(mechanism)) {
1393734b6a94Sdarrenm if (mechanism->cm_param == NULL ||
1394734b6a94Sdarrenm mechanism->cm_param_len != sizeof (ulong_t)) {
1395734b6a94Sdarrenm ret = CRYPTO_MECHANISM_PARAM_INVALID;
1396734b6a94Sdarrenm goto bail;
1397734b6a94Sdarrenm }
1398734b6a94Sdarrenm PROV_SHA2_GET_DIGEST_LEN(mechanism, digest_len);
1399734b6a94Sdarrenm if (digest_len > sha_digest_len) {
1400734b6a94Sdarrenm ret = CRYPTO_MECHANISM_PARAM_INVALID;
1401734b6a94Sdarrenm goto bail;
1402734b6a94Sdarrenm }
1403734b6a94Sdarrenm }
1404734b6a94Sdarrenm
1405734b6a94Sdarrenm if (mac->cd_length != digest_len) {
1406734b6a94Sdarrenm ret = CRYPTO_INVALID_MAC;
1407734b6a94Sdarrenm goto bail;
1408734b6a94Sdarrenm }
1409734b6a94Sdarrenm
1410734b6a94Sdarrenm /* do a SHA2 update of the inner context using the specified data */
1411734b6a94Sdarrenm SHA2_MAC_UPDATE(data, sha2_hmac_ctx, ret);
1412734b6a94Sdarrenm if (ret != CRYPTO_SUCCESS)
1413734b6a94Sdarrenm /* the update failed, free context and bail */
1414734b6a94Sdarrenm goto bail;
1415734b6a94Sdarrenm
1416734b6a94Sdarrenm /* do a SHA2 final on the inner context */
1417734b6a94Sdarrenm SHA2Final(digest, &sha2_hmac_ctx.hc_icontext);
1418734b6a94Sdarrenm
1419734b6a94Sdarrenm /*
1420734b6a94Sdarrenm * Do an SHA2 update on the outer context, feeding the inner
1421734b6a94Sdarrenm * digest as data.
14220358d3a6Sdanmcd *
14230358d3a6Sdanmcd * HMAC-SHA384 needs special handling as the outer hash needs only 48
14240358d3a6Sdanmcd * bytes of the inner hash value.
1425734b6a94Sdarrenm */
14260358d3a6Sdanmcd if (mechanism->cm_type == SHA384_HMAC_MECH_INFO_TYPE ||
14270358d3a6Sdanmcd mechanism->cm_type == SHA384_HMAC_GEN_MECH_INFO_TYPE)
14280358d3a6Sdanmcd SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest,
14290358d3a6Sdanmcd SHA384_DIGEST_LENGTH);
14300358d3a6Sdanmcd else
1431734b6a94Sdarrenm SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, sha_digest_len);
1432734b6a94Sdarrenm
1433734b6a94Sdarrenm /*
1434734b6a94Sdarrenm * Do a SHA2 final on the outer context, storing the computed
1435734b6a94Sdarrenm * digest in the users buffer.
1436734b6a94Sdarrenm */
1437734b6a94Sdarrenm SHA2Final(digest, &sha2_hmac_ctx.hc_ocontext);
1438734b6a94Sdarrenm
1439734b6a94Sdarrenm /*
1440734b6a94Sdarrenm * Compare the computed digest against the expected digest passed
1441734b6a94Sdarrenm * as argument.
1442734b6a94Sdarrenm */
1443734b6a94Sdarrenm
1444734b6a94Sdarrenm switch (mac->cd_format) {
1445734b6a94Sdarrenm
1446734b6a94Sdarrenm case CRYPTO_DATA_RAW:
1447734b6a94Sdarrenm if (bcmp(digest, (unsigned char *)mac->cd_raw.iov_base +
1448734b6a94Sdarrenm mac->cd_offset, digest_len) != 0)
1449734b6a94Sdarrenm ret = CRYPTO_INVALID_MAC;
1450734b6a94Sdarrenm break;
1451734b6a94Sdarrenm
1452734b6a94Sdarrenm case CRYPTO_DATA_UIO: {
1453734b6a94Sdarrenm off_t offset = mac->cd_offset;
1454734b6a94Sdarrenm uint_t vec_idx;
1455734b6a94Sdarrenm off_t scratch_offset = 0;
1456734b6a94Sdarrenm size_t length = digest_len;
1457734b6a94Sdarrenm size_t cur_len;
1458734b6a94Sdarrenm
1459734b6a94Sdarrenm /* we support only kernel buffer */
1460734b6a94Sdarrenm if (mac->cd_uio->uio_segflg != UIO_SYSSPACE)
1461734b6a94Sdarrenm return (CRYPTO_ARGUMENTS_BAD);
1462734b6a94Sdarrenm
1463734b6a94Sdarrenm /* jump to the first iovec containing the expected digest */
1464734b6a94Sdarrenm for (vec_idx = 0;
1465734b6a94Sdarrenm offset >= mac->cd_uio->uio_iov[vec_idx].iov_len &&
1466734b6a94Sdarrenm vec_idx < mac->cd_uio->uio_iovcnt;
1467d2b32306Smcpowers offset -= mac->cd_uio->uio_iov[vec_idx++].iov_len)
1468d2b32306Smcpowers ;
1469734b6a94Sdarrenm if (vec_idx == mac->cd_uio->uio_iovcnt) {
1470734b6a94Sdarrenm /*
1471734b6a94Sdarrenm * The caller specified an offset that is
1472734b6a94Sdarrenm * larger than the total size of the buffers
1473734b6a94Sdarrenm * it provided.
1474734b6a94Sdarrenm */
1475734b6a94Sdarrenm ret = CRYPTO_DATA_LEN_RANGE;
1476734b6a94Sdarrenm break;
1477734b6a94Sdarrenm }
1478734b6a94Sdarrenm
1479734b6a94Sdarrenm /* do the comparison of computed digest vs specified one */
1480734b6a94Sdarrenm while (vec_idx < mac->cd_uio->uio_iovcnt && length > 0) {
1481734b6a94Sdarrenm cur_len = MIN(mac->cd_uio->uio_iov[vec_idx].iov_len -
1482734b6a94Sdarrenm offset, length);
1483734b6a94Sdarrenm
1484734b6a94Sdarrenm if (bcmp(digest + scratch_offset,
1485734b6a94Sdarrenm mac->cd_uio->uio_iov[vec_idx].iov_base + offset,
1486734b6a94Sdarrenm cur_len) != 0) {
1487734b6a94Sdarrenm ret = CRYPTO_INVALID_MAC;
1488734b6a94Sdarrenm break;
1489734b6a94Sdarrenm }
1490734b6a94Sdarrenm
1491734b6a94Sdarrenm length -= cur_len;
1492734b6a94Sdarrenm vec_idx++;
1493734b6a94Sdarrenm scratch_offset += cur_len;
1494734b6a94Sdarrenm offset = 0;
1495734b6a94Sdarrenm }
1496734b6a94Sdarrenm break;
1497734b6a94Sdarrenm }
1498734b6a94Sdarrenm
1499734b6a94Sdarrenm case CRYPTO_DATA_MBLK: {
1500734b6a94Sdarrenm off_t offset = mac->cd_offset;
1501734b6a94Sdarrenm mblk_t *mp;
1502734b6a94Sdarrenm off_t scratch_offset = 0;
1503734b6a94Sdarrenm size_t length = digest_len;
1504734b6a94Sdarrenm size_t cur_len;
1505734b6a94Sdarrenm
1506734b6a94Sdarrenm /* jump to the first mblk_t containing the expected digest */
1507734b6a94Sdarrenm for (mp = mac->cd_mp; mp != NULL && offset >= MBLKL(mp);
1508d2b32306Smcpowers offset -= MBLKL(mp), mp = mp->b_cont)
1509d2b32306Smcpowers ;
1510734b6a94Sdarrenm if (mp == NULL) {
1511734b6a94Sdarrenm /*
1512734b6a94Sdarrenm * The caller specified an offset that is larger than
1513734b6a94Sdarrenm * the total size of the buffers it provided.
1514734b6a94Sdarrenm */
1515734b6a94Sdarrenm ret = CRYPTO_DATA_LEN_RANGE;
1516734b6a94Sdarrenm break;
1517734b6a94Sdarrenm }
1518734b6a94Sdarrenm
1519734b6a94Sdarrenm while (mp != NULL && length > 0) {
1520734b6a94Sdarrenm cur_len = MIN(MBLKL(mp) - offset, length);
1521734b6a94Sdarrenm if (bcmp(digest + scratch_offset,
1522734b6a94Sdarrenm mp->b_rptr + offset, cur_len) != 0) {
1523734b6a94Sdarrenm ret = CRYPTO_INVALID_MAC;
1524734b6a94Sdarrenm break;
1525734b6a94Sdarrenm }
1526734b6a94Sdarrenm
1527734b6a94Sdarrenm length -= cur_len;
1528734b6a94Sdarrenm mp = mp->b_cont;
1529734b6a94Sdarrenm scratch_offset += cur_len;
1530734b6a94Sdarrenm offset = 0;
1531734b6a94Sdarrenm }
1532734b6a94Sdarrenm break;
1533734b6a94Sdarrenm }
1534734b6a94Sdarrenm
1535734b6a94Sdarrenm default:
1536734b6a94Sdarrenm ret = CRYPTO_ARGUMENTS_BAD;
1537734b6a94Sdarrenm }
1538734b6a94Sdarrenm
1539734b6a94Sdarrenm return (ret);
1540734b6a94Sdarrenm bail:
1541734b6a94Sdarrenm bzero(&sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1542734b6a94Sdarrenm mac->cd_length = 0;
1543734b6a94Sdarrenm return (ret);
1544734b6a94Sdarrenm }
1545734b6a94Sdarrenm
1546734b6a94Sdarrenm /*
1547734b6a94Sdarrenm * KCF software provider context management entry points.
1548734b6a94Sdarrenm */
1549734b6a94Sdarrenm
1550734b6a94Sdarrenm /* ARGSUSED */
1551734b6a94Sdarrenm static int
sha2_create_ctx_template(crypto_provider_handle_t provider,crypto_mechanism_t * mechanism,crypto_key_t * key,crypto_spi_ctx_template_t * ctx_template,size_t * ctx_template_size,crypto_req_handle_t req)1552734b6a94Sdarrenm sha2_create_ctx_template(crypto_provider_handle_t provider,
1553734b6a94Sdarrenm crypto_mechanism_t *mechanism, crypto_key_t *key,
1554734b6a94Sdarrenm crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size,
1555734b6a94Sdarrenm crypto_req_handle_t req)
1556734b6a94Sdarrenm {
1557734b6a94Sdarrenm sha2_hmac_ctx_t *sha2_hmac_ctx_tmpl;
1558734b6a94Sdarrenm uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1559734b6a94Sdarrenm uint32_t sha_digest_len, sha_hmac_block_size;
1560734b6a94Sdarrenm
1561734b6a94Sdarrenm /*
15628de5c4f4SDan OpenSolaris Anderson * Set the digest length and block size to values appropriate to the
1563734b6a94Sdarrenm * mechanism
1564734b6a94Sdarrenm */
1565734b6a94Sdarrenm switch (mechanism->cm_type) {
1566734b6a94Sdarrenm case SHA256_HMAC_MECH_INFO_TYPE:
1567734b6a94Sdarrenm case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1568734b6a94Sdarrenm sha_digest_len = SHA256_DIGEST_LENGTH;
1569734b6a94Sdarrenm sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1570734b6a94Sdarrenm break;
1571734b6a94Sdarrenm case SHA384_HMAC_MECH_INFO_TYPE:
1572734b6a94Sdarrenm case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1573734b6a94Sdarrenm case SHA512_HMAC_MECH_INFO_TYPE:
1574734b6a94Sdarrenm case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1575734b6a94Sdarrenm sha_digest_len = SHA512_DIGEST_LENGTH;
1576734b6a94Sdarrenm sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1577734b6a94Sdarrenm break;
1578734b6a94Sdarrenm default:
1579734b6a94Sdarrenm return (CRYPTO_MECHANISM_INVALID);
1580734b6a94Sdarrenm }
1581734b6a94Sdarrenm
1582734b6a94Sdarrenm /* Add support for key by attributes (RFE 4706552) */
1583734b6a94Sdarrenm if (key->ck_format != CRYPTO_KEY_RAW)
1584734b6a94Sdarrenm return (CRYPTO_ARGUMENTS_BAD);
1585734b6a94Sdarrenm
1586734b6a94Sdarrenm /*
1587734b6a94Sdarrenm * Allocate and initialize SHA2 context.
1588734b6a94Sdarrenm */
1589734b6a94Sdarrenm sha2_hmac_ctx_tmpl = kmem_alloc(sizeof (sha2_hmac_ctx_t),
1590734b6a94Sdarrenm crypto_kmflag(req));
1591734b6a94Sdarrenm if (sha2_hmac_ctx_tmpl == NULL)
1592734b6a94Sdarrenm return (CRYPTO_HOST_MEMORY);
1593734b6a94Sdarrenm
1594734b6a94Sdarrenm sha2_hmac_ctx_tmpl->hc_mech_type = mechanism->cm_type;
1595734b6a94Sdarrenm
1596734b6a94Sdarrenm if (keylen_in_bytes > sha_hmac_block_size) {
1597734b6a94Sdarrenm uchar_t digested_key[SHA512_DIGEST_LENGTH];
1598734b6a94Sdarrenm
1599734b6a94Sdarrenm /*
1600734b6a94Sdarrenm * Hash the passed-in key to get a smaller key.
1601734b6a94Sdarrenm * The inner context is used since it hasn't been
1602734b6a94Sdarrenm * initialized yet.
1603734b6a94Sdarrenm */
1604734b6a94Sdarrenm PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1605734b6a94Sdarrenm &sha2_hmac_ctx_tmpl->hc_icontext,
1606734b6a94Sdarrenm key->ck_data, keylen_in_bytes, digested_key);
1607734b6a94Sdarrenm sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, digested_key,
1608734b6a94Sdarrenm sha_digest_len);
1609734b6a94Sdarrenm } else {
1610734b6a94Sdarrenm sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, key->ck_data,
1611734b6a94Sdarrenm keylen_in_bytes);
1612734b6a94Sdarrenm }
1613734b6a94Sdarrenm
1614734b6a94Sdarrenm *ctx_template = (crypto_spi_ctx_template_t)sha2_hmac_ctx_tmpl;
1615734b6a94Sdarrenm *ctx_template_size = sizeof (sha2_hmac_ctx_t);
1616734b6a94Sdarrenm
1617734b6a94Sdarrenm return (CRYPTO_SUCCESS);
1618734b6a94Sdarrenm }
1619734b6a94Sdarrenm
1620734b6a94Sdarrenm static int
sha2_free_context(crypto_ctx_t * ctx)1621734b6a94Sdarrenm sha2_free_context(crypto_ctx_t *ctx)
1622734b6a94Sdarrenm {
1623734b6a94Sdarrenm uint_t ctx_len;
1624734b6a94Sdarrenm
1625734b6a94Sdarrenm if (ctx->cc_provider_private == NULL)
1626734b6a94Sdarrenm return (CRYPTO_SUCCESS);
1627734b6a94Sdarrenm
1628*05204290SJason King switch (PROV_SHA2_CTX(ctx)->sc_mech_type) {
1629*05204290SJason King case SHA256_MECH_INFO_TYPE:
1630*05204290SJason King case SHA384_MECH_INFO_TYPE:
1631*05204290SJason King case SHA512_MECH_INFO_TYPE:
1632*05204290SJason King case SHA512_224_MECH_INFO_TYPE:
1633*05204290SJason King case SHA512_256_MECH_INFO_TYPE:
1634734b6a94Sdarrenm ctx_len = sizeof (sha2_ctx_t);
1635*05204290SJason King break;
1636*05204290SJason King case SHA256_HMAC_MECH_INFO_TYPE:
1637*05204290SJason King case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1638*05204290SJason King case SHA384_HMAC_MECH_INFO_TYPE:
1639*05204290SJason King case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1640*05204290SJason King case SHA512_HMAC_MECH_INFO_TYPE:
1641*05204290SJason King case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1642734b6a94Sdarrenm ctx_len = sizeof (sha2_hmac_ctx_t);
1643*05204290SJason King break;
1644*05204290SJason King default:
1645*05204290SJason King /*
1646*05204290SJason King * If we get here, someone forgot to update the above list
1647*05204290SJason King * when adding a new mechanism. Without the correct ctx_len
1648*05204290SJason King * we will corrupt the heap when calling kmem_free, so panic
1649*05204290SJason King * now and make it easier to identify the problem.
1650*05204290SJason King */
1651*05204290SJason King panic("Unknown SHA2 mechanism %d",
1652*05204290SJason King PROV_SHA2_CTX(ctx)->sc_mech_type);
1653*05204290SJason King }
1654734b6a94Sdarrenm
1655734b6a94Sdarrenm bzero(ctx->cc_provider_private, ctx_len);
1656734b6a94Sdarrenm kmem_free(ctx->cc_provider_private, ctx_len);
1657734b6a94Sdarrenm ctx->cc_provider_private = NULL;
1658734b6a94Sdarrenm
1659734b6a94Sdarrenm return (CRYPTO_SUCCESS);
1660734b6a94Sdarrenm }
1661