xref: /illumos-gate/usr/src/uts/common/crypto/io/sha2_mod.c (revision b1d7ec75953cd517f5b7c3d9cb427ff8ec5d7d07)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #include <sys/modctl.h>
28 #include <sys/cmn_err.h>
29 #include <sys/crypto/common.h>
30 #include <sys/crypto/spi.h>
31 #include <sys/strsun.h>
32 #include <sys/systm.h>
33 #include <sys/sysmacros.h>
34 #define	_SHA2_IMPL
35 #include <sys/sha2.h>
36 #include <sha2/sha2_impl.h>
37 
38 /*
39  * The sha2 module is created with two modlinkages:
40  * - a modlmisc that allows consumers to directly call the entry points
41  *   SHA2Init, SHA2Update, and SHA2Final.
42  * - a modlcrypto that allows the module to register with the Kernel
43  *   Cryptographic Framework (KCF) as a software provider for the SHA2
44  *   mechanisms.
45  */
46 
47 static struct modlmisc modlmisc = {
48 	&mod_miscops,
49 	"SHA2 Message-Digest Algorithm"
50 };
51 
52 static struct modlcrypto modlcrypto = {
53 	&mod_cryptoops,
54 	"SHA2 Kernel SW Provider"
55 };
56 
57 static struct modlinkage modlinkage = {
58 	MODREV_1, &modlmisc, &modlcrypto, NULL
59 };
60 
61 /*
62  * Macros to access the SHA2 or SHA2-HMAC contexts from a context passed
63  * by KCF to one of the entry points.
64  */
65 
66 #define	PROV_SHA2_CTX(ctx)	((sha2_ctx_t *)(ctx)->cc_provider_private)
67 #define	PROV_SHA2_HMAC_CTX(ctx)	((sha2_hmac_ctx_t *)(ctx)->cc_provider_private)
68 
69 /* to extract the digest length passed as mechanism parameter */
70 #define	PROV_SHA2_GET_DIGEST_LEN(m, len) {				\
71 	if (IS_P2ALIGNED((m)->cm_param, sizeof (ulong_t)))		\
72 		(len) = (uint32_t)*((ulong_t *)(void *)(m)->cm_param);	\
73 	else {								\
74 		ulong_t tmp_ulong;					\
75 		bcopy((m)->cm_param, &tmp_ulong, sizeof (ulong_t));	\
76 		(len) = (uint32_t)tmp_ulong;				\
77 	}								\
78 }
79 
80 #define	PROV_SHA2_DIGEST_KEY(mech, ctx, key, len, digest) {	\
81 	SHA2Init(mech, ctx);				\
82 	SHA2Update(ctx, key, len);			\
83 	SHA2Final(digest, ctx);				\
84 }
85 
86 /*
87  * Mechanism info structure passed to KCF during registration.
88  */
89 static crypto_mech_info_t sha2_mech_info_tab[] = {
90 	/* SHA256 */
91 	{SUN_CKM_SHA256, SHA256_MECH_INFO_TYPE,
92 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
93 	    0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
94 	/* SHA256-HMAC */
95 	{SUN_CKM_SHA256_HMAC, SHA256_HMAC_MECH_INFO_TYPE,
96 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
97 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
98 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES},
99 	/* SHA256-HMAC GENERAL */
100 	{SUN_CKM_SHA256_HMAC_GENERAL, SHA256_HMAC_GEN_MECH_INFO_TYPE,
101 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
102 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
103 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES},
104 	/* SHA384 */
105 	{SUN_CKM_SHA384, SHA384_MECH_INFO_TYPE,
106 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
107 	    0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
108 	/* SHA384-HMAC */
109 	{SUN_CKM_SHA384_HMAC, SHA384_HMAC_MECH_INFO_TYPE,
110 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
111 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
112 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES},
113 	/* SHA384-HMAC GENERAL */
114 	{SUN_CKM_SHA384_HMAC_GENERAL, SHA384_HMAC_GEN_MECH_INFO_TYPE,
115 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
116 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
117 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES},
118 	/* SHA512 */
119 	{SUN_CKM_SHA512, SHA512_MECH_INFO_TYPE,
120 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
121 	    0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
122 	/* SHA512-HMAC */
123 	{SUN_CKM_SHA512_HMAC, SHA512_HMAC_MECH_INFO_TYPE,
124 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
125 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
126 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES},
127 	/* SHA512-HMAC GENERAL */
128 	{SUN_CKM_SHA512_HMAC_GENERAL, SHA512_HMAC_GEN_MECH_INFO_TYPE,
129 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
130 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
131 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES}
132 };
133 
134 static void sha2_provider_status(crypto_provider_handle_t, uint_t *);
135 
136 static crypto_control_ops_t sha2_control_ops = {
137 	sha2_provider_status
138 };
139 
140 static int sha2_digest_init(crypto_ctx_t *, crypto_mechanism_t *,
141     crypto_req_handle_t);
142 static int sha2_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
143     crypto_req_handle_t);
144 static int sha2_digest_update(crypto_ctx_t *, crypto_data_t *,
145     crypto_req_handle_t);
146 static int sha2_digest_final(crypto_ctx_t *, crypto_data_t *,
147     crypto_req_handle_t);
148 static int sha2_digest_atomic(crypto_provider_handle_t, crypto_session_id_t,
149     crypto_mechanism_t *, crypto_data_t *, crypto_data_t *,
150     crypto_req_handle_t);
151 
152 static crypto_digest_ops_t sha2_digest_ops = {
153 	sha2_digest_init,
154 	sha2_digest,
155 	sha2_digest_update,
156 	NULL,
157 	sha2_digest_final,
158 	sha2_digest_atomic
159 };
160 
161 static int sha2_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *,
162     crypto_spi_ctx_template_t, crypto_req_handle_t);
163 static int sha2_mac_update(crypto_ctx_t *, crypto_data_t *,
164     crypto_req_handle_t);
165 static int sha2_mac_final(crypto_ctx_t *, crypto_data_t *, crypto_req_handle_t);
166 static int sha2_mac_atomic(crypto_provider_handle_t, crypto_session_id_t,
167     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
168     crypto_spi_ctx_template_t, crypto_req_handle_t);
169 static int sha2_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
170     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
171     crypto_spi_ctx_template_t, crypto_req_handle_t);
172 
173 static crypto_mac_ops_t sha2_mac_ops = {
174 	sha2_mac_init,
175 	NULL,
176 	sha2_mac_update,
177 	sha2_mac_final,
178 	sha2_mac_atomic,
179 	sha2_mac_verify_atomic
180 };
181 
182 static int sha2_create_ctx_template(crypto_provider_handle_t,
183     crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *,
184     size_t *, crypto_req_handle_t);
185 static int sha2_free_context(crypto_ctx_t *);
186 
187 static crypto_ctx_ops_t sha2_ctx_ops = {
188 	sha2_create_ctx_template,
189 	sha2_free_context
190 };
191 
192 static void sha2_POST(int *);
193 
194 static crypto_fips140_ops_t sha2_fips140_ops = {
195 	sha2_POST
196 };
197 
198 static crypto_ops_t sha2_crypto_ops = {
199 	&sha2_control_ops,
200 	&sha2_digest_ops,
201 	NULL,
202 	&sha2_mac_ops,
203 	NULL,
204 	NULL,
205 	NULL,
206 	NULL,
207 	NULL,
208 	NULL,
209 	NULL,
210 	NULL,
211 	NULL,
212 	&sha2_ctx_ops,
213 	NULL,
214 	NULL,
215 	&sha2_fips140_ops
216 };
217 
218 static crypto_provider_info_t sha2_prov_info = {
219 	CRYPTO_SPI_VERSION_4,
220 	"SHA2 Software Provider",
221 	CRYPTO_SW_PROVIDER,
222 	{&modlinkage},
223 	NULL,
224 	&sha2_crypto_ops,
225 	sizeof (sha2_mech_info_tab)/sizeof (crypto_mech_info_t),
226 	sha2_mech_info_tab
227 };
228 
229 static crypto_kcf_provider_handle_t sha2_prov_handle = NULL;
230 
231 int
232 _init()
233 {
234 	int ret;
235 
236 	if ((ret = mod_install(&modlinkage)) != 0)
237 		return (ret);
238 
239 	/*
240 	 * Register with KCF. If the registration fails, do not uninstall the
241 	 * module, since the functionality provided by misc/sha2 should still
242 	 * be available.
243 	 */
244 	(void) crypto_register_provider(&sha2_prov_info, &sha2_prov_handle);
245 
246 	return (0);
247 }
248 
249 int
250 _info(struct modinfo *modinfop)
251 {
252 	return (mod_info(&modlinkage, modinfop));
253 }
254 
255 /*
256  * KCF software provider control entry points.
257  */
258 /* ARGSUSED */
259 static void
260 sha2_provider_status(crypto_provider_handle_t provider, uint_t *status)
261 {
262 	*status = CRYPTO_PROVIDER_READY;
263 }
264 
265 /*
266  * KCF software provider digest entry points.
267  */
268 
269 static int
270 sha2_digest_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
271     crypto_req_handle_t req)
272 {
273 
274 	/*
275 	 * Allocate and initialize SHA2 context.
276 	 */
277 	ctx->cc_provider_private = kmem_alloc(sizeof (sha2_ctx_t),
278 	    crypto_kmflag(req));
279 	if (ctx->cc_provider_private == NULL)
280 		return (CRYPTO_HOST_MEMORY);
281 
282 	PROV_SHA2_CTX(ctx)->sc_mech_type = mechanism->cm_type;
283 	SHA2Init(mechanism->cm_type, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
284 
285 	return (CRYPTO_SUCCESS);
286 }
287 
288 /*
289  * Helper SHA2 digest update function for uio data.
290  */
291 static int
292 sha2_digest_update_uio(SHA2_CTX *sha2_ctx, crypto_data_t *data)
293 {
294 	off_t offset = data->cd_offset;
295 	size_t length = data->cd_length;
296 	uint_t vec_idx;
297 	size_t cur_len;
298 
299 	/* we support only kernel buffer */
300 	if (data->cd_uio->uio_segflg != UIO_SYSSPACE)
301 		return (CRYPTO_ARGUMENTS_BAD);
302 
303 	/*
304 	 * Jump to the first iovec containing data to be
305 	 * digested.
306 	 */
307 	for (vec_idx = 0; vec_idx < data->cd_uio->uio_iovcnt &&
308 	    offset >= data->cd_uio->uio_iov[vec_idx].iov_len;
309 	    offset -= data->cd_uio->uio_iov[vec_idx++].iov_len)
310 		;
311 	if (vec_idx == data->cd_uio->uio_iovcnt) {
312 		/*
313 		 * The caller specified an offset that is larger than the
314 		 * total size of the buffers it provided.
315 		 */
316 		return (CRYPTO_DATA_LEN_RANGE);
317 	}
318 
319 	/*
320 	 * Now do the digesting on the iovecs.
321 	 */
322 	while (vec_idx < data->cd_uio->uio_iovcnt && length > 0) {
323 		cur_len = MIN(data->cd_uio->uio_iov[vec_idx].iov_len -
324 		    offset, length);
325 
326 		SHA2Update(sha2_ctx, (uint8_t *)data->cd_uio->
327 		    uio_iov[vec_idx].iov_base + offset, cur_len);
328 		length -= cur_len;
329 		vec_idx++;
330 		offset = 0;
331 	}
332 
333 	if (vec_idx == data->cd_uio->uio_iovcnt && length > 0) {
334 		/*
335 		 * The end of the specified iovec's was reached but
336 		 * the length requested could not be processed, i.e.
337 		 * The caller requested to digest more data than it provided.
338 		 */
339 		return (CRYPTO_DATA_LEN_RANGE);
340 	}
341 
342 	return (CRYPTO_SUCCESS);
343 }
344 
345 /*
346  * Helper SHA2 digest final function for uio data.
347  * digest_len is the length of the desired digest. If digest_len
348  * is smaller than the default SHA2 digest length, the caller
349  * must pass a scratch buffer, digest_scratch, which must
350  * be at least the algorithm's digest length bytes.
351  */
352 static int
353 sha2_digest_final_uio(SHA2_CTX *sha2_ctx, crypto_data_t *digest,
354     ulong_t digest_len, uchar_t *digest_scratch)
355 {
356 	off_t offset = digest->cd_offset;
357 	uint_t vec_idx;
358 
359 	/* we support only kernel buffer */
360 	if (digest->cd_uio->uio_segflg != UIO_SYSSPACE)
361 		return (CRYPTO_ARGUMENTS_BAD);
362 
363 	/*
364 	 * Jump to the first iovec containing ptr to the digest to
365 	 * be returned.
366 	 */
367 	for (vec_idx = 0; offset >= digest->cd_uio->uio_iov[vec_idx].iov_len &&
368 	    vec_idx < digest->cd_uio->uio_iovcnt;
369 	    offset -= digest->cd_uio->uio_iov[vec_idx++].iov_len)
370 		;
371 	if (vec_idx == digest->cd_uio->uio_iovcnt) {
372 		/*
373 		 * The caller specified an offset that is
374 		 * larger than the total size of the buffers
375 		 * it provided.
376 		 */
377 		return (CRYPTO_DATA_LEN_RANGE);
378 	}
379 
380 	if (offset + digest_len <=
381 	    digest->cd_uio->uio_iov[vec_idx].iov_len) {
382 		/*
383 		 * The computed SHA2 digest will fit in the current
384 		 * iovec.
385 		 */
386 		if (((sha2_ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
387 		    (digest_len != SHA256_DIGEST_LENGTH)) ||
388 		    ((sha2_ctx->algotype > SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
389 		    (digest_len != SHA512_DIGEST_LENGTH))) {
390 			/*
391 			 * The caller requested a short digest. Digest
392 			 * into a scratch buffer and return to
393 			 * the user only what was requested.
394 			 */
395 			SHA2Final(digest_scratch, sha2_ctx);
396 
397 			bcopy(digest_scratch, (uchar_t *)digest->
398 			    cd_uio->uio_iov[vec_idx].iov_base + offset,
399 			    digest_len);
400 		} else {
401 			SHA2Final((uchar_t *)digest->
402 			    cd_uio->uio_iov[vec_idx].iov_base + offset,
403 			    sha2_ctx);
404 
405 		}
406 	} else {
407 		/*
408 		 * The computed digest will be crossing one or more iovec's.
409 		 * This is bad performance-wise but we need to support it.
410 		 * Allocate a small scratch buffer on the stack and
411 		 * copy it piece meal to the specified digest iovec's.
412 		 */
413 		uchar_t digest_tmp[SHA512_DIGEST_LENGTH];
414 		off_t scratch_offset = 0;
415 		size_t length = digest_len;
416 		size_t cur_len;
417 
418 		SHA2Final(digest_tmp, sha2_ctx);
419 
420 		while (vec_idx < digest->cd_uio->uio_iovcnt && length > 0) {
421 			cur_len =
422 			    MIN(digest->cd_uio->uio_iov[vec_idx].iov_len -
423 			    offset, length);
424 			bcopy(digest_tmp + scratch_offset,
425 			    digest->cd_uio->uio_iov[vec_idx].iov_base + offset,
426 			    cur_len);
427 
428 			length -= cur_len;
429 			vec_idx++;
430 			scratch_offset += cur_len;
431 			offset = 0;
432 		}
433 
434 		if (vec_idx == digest->cd_uio->uio_iovcnt && length > 0) {
435 			/*
436 			 * The end of the specified iovec's was reached but
437 			 * the length requested could not be processed, i.e.
438 			 * The caller requested to digest more data than it
439 			 * provided.
440 			 */
441 			return (CRYPTO_DATA_LEN_RANGE);
442 		}
443 	}
444 
445 	return (CRYPTO_SUCCESS);
446 }
447 
448 /*
449  * Helper SHA2 digest update for mblk's.
450  */
451 static int
452 sha2_digest_update_mblk(SHA2_CTX *sha2_ctx, crypto_data_t *data)
453 {
454 	off_t offset = data->cd_offset;
455 	size_t length = data->cd_length;
456 	mblk_t *mp;
457 	size_t cur_len;
458 
459 	/*
460 	 * Jump to the first mblk_t containing data to be digested.
461 	 */
462 	for (mp = data->cd_mp; mp != NULL && offset >= MBLKL(mp);
463 	    offset -= MBLKL(mp), mp = mp->b_cont)
464 		;
465 	if (mp == NULL) {
466 		/*
467 		 * The caller specified an offset that is larger than the
468 		 * total size of the buffers it provided.
469 		 */
470 		return (CRYPTO_DATA_LEN_RANGE);
471 	}
472 
473 	/*
474 	 * Now do the digesting on the mblk chain.
475 	 */
476 	while (mp != NULL && length > 0) {
477 		cur_len = MIN(MBLKL(mp) - offset, length);
478 		SHA2Update(sha2_ctx, mp->b_rptr + offset, cur_len);
479 		length -= cur_len;
480 		offset = 0;
481 		mp = mp->b_cont;
482 	}
483 
484 	if (mp == NULL && length > 0) {
485 		/*
486 		 * The end of the mblk was reached but the length requested
487 		 * could not be processed, i.e. The caller requested
488 		 * to digest more data than it provided.
489 		 */
490 		return (CRYPTO_DATA_LEN_RANGE);
491 	}
492 
493 	return (CRYPTO_SUCCESS);
494 }
495 
496 /*
497  * Helper SHA2 digest final for mblk's.
498  * digest_len is the length of the desired digest. If digest_len
499  * is smaller than the default SHA2 digest length, the caller
500  * must pass a scratch buffer, digest_scratch, which must
501  * be at least the algorithm's digest length bytes.
502  */
503 static int
504 sha2_digest_final_mblk(SHA2_CTX *sha2_ctx, crypto_data_t *digest,
505     ulong_t digest_len, uchar_t *digest_scratch)
506 {
507 	off_t offset = digest->cd_offset;
508 	mblk_t *mp;
509 
510 	/*
511 	 * Jump to the first mblk_t that will be used to store the digest.
512 	 */
513 	for (mp = digest->cd_mp; mp != NULL && offset >= MBLKL(mp);
514 	    offset -= MBLKL(mp), mp = mp->b_cont)
515 		;
516 	if (mp == NULL) {
517 		/*
518 		 * The caller specified an offset that is larger than the
519 		 * total size of the buffers it provided.
520 		 */
521 		return (CRYPTO_DATA_LEN_RANGE);
522 	}
523 
524 	if (offset + digest_len <= MBLKL(mp)) {
525 		/*
526 		 * The computed SHA2 digest will fit in the current mblk.
527 		 * Do the SHA2Final() in-place.
528 		 */
529 		if (((sha2_ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
530 		    (digest_len != SHA256_DIGEST_LENGTH)) ||
531 		    ((sha2_ctx->algotype > SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
532 		    (digest_len != SHA512_DIGEST_LENGTH))) {
533 			/*
534 			 * The caller requested a short digest. Digest
535 			 * into a scratch buffer and return to
536 			 * the user only what was requested.
537 			 */
538 			SHA2Final(digest_scratch, sha2_ctx);
539 			bcopy(digest_scratch, mp->b_rptr + offset, digest_len);
540 		} else {
541 			SHA2Final(mp->b_rptr + offset, sha2_ctx);
542 		}
543 	} else {
544 		/*
545 		 * The computed digest will be crossing one or more mblk's.
546 		 * This is bad performance-wise but we need to support it.
547 		 * Allocate a small scratch buffer on the stack and
548 		 * copy it piece meal to the specified digest iovec's.
549 		 */
550 		uchar_t digest_tmp[SHA512_DIGEST_LENGTH];
551 		off_t scratch_offset = 0;
552 		size_t length = digest_len;
553 		size_t cur_len;
554 
555 		SHA2Final(digest_tmp, sha2_ctx);
556 
557 		while (mp != NULL && length > 0) {
558 			cur_len = MIN(MBLKL(mp) - offset, length);
559 			bcopy(digest_tmp + scratch_offset,
560 			    mp->b_rptr + offset, cur_len);
561 
562 			length -= cur_len;
563 			mp = mp->b_cont;
564 			scratch_offset += cur_len;
565 			offset = 0;
566 		}
567 
568 		if (mp == NULL && length > 0) {
569 			/*
570 			 * The end of the specified mblk was reached but
571 			 * the length requested could not be processed, i.e.
572 			 * The caller requested to digest more data than it
573 			 * provided.
574 			 */
575 			return (CRYPTO_DATA_LEN_RANGE);
576 		}
577 	}
578 
579 	return (CRYPTO_SUCCESS);
580 }
581 
582 /* ARGSUSED */
583 static int
584 sha2_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest,
585     crypto_req_handle_t req)
586 {
587 	int ret = CRYPTO_SUCCESS;
588 	uint_t sha_digest_len;
589 
590 	ASSERT(ctx->cc_provider_private != NULL);
591 
592 	switch (PROV_SHA2_CTX(ctx)->sc_mech_type) {
593 	case SHA256_MECH_INFO_TYPE:
594 		sha_digest_len = SHA256_DIGEST_LENGTH;
595 		break;
596 	case SHA384_MECH_INFO_TYPE:
597 		sha_digest_len = SHA384_DIGEST_LENGTH;
598 		break;
599 	case SHA512_MECH_INFO_TYPE:
600 		sha_digest_len = SHA512_DIGEST_LENGTH;
601 		break;
602 	default:
603 		return (CRYPTO_MECHANISM_INVALID);
604 	}
605 
606 	/*
607 	 * We need to just return the length needed to store the output.
608 	 * We should not destroy the context for the following cases.
609 	 */
610 	if ((digest->cd_length == 0) ||
611 	    (digest->cd_length < sha_digest_len)) {
612 		digest->cd_length = sha_digest_len;
613 		return (CRYPTO_BUFFER_TOO_SMALL);
614 	}
615 
616 	/*
617 	 * Do the SHA2 update on the specified input data.
618 	 */
619 	switch (data->cd_format) {
620 	case CRYPTO_DATA_RAW:
621 		SHA2Update(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
622 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
623 		    data->cd_length);
624 		break;
625 	case CRYPTO_DATA_UIO:
626 		ret = sha2_digest_update_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
627 		    data);
628 		break;
629 	case CRYPTO_DATA_MBLK:
630 		ret = sha2_digest_update_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
631 		    data);
632 		break;
633 	default:
634 		ret = CRYPTO_ARGUMENTS_BAD;
635 	}
636 
637 	if (ret != CRYPTO_SUCCESS) {
638 		/* the update failed, free context and bail */
639 		kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
640 		ctx->cc_provider_private = NULL;
641 		digest->cd_length = 0;
642 		return (ret);
643 	}
644 
645 	/*
646 	 * Do a SHA2 final, must be done separately since the digest
647 	 * type can be different than the input data type.
648 	 */
649 	switch (digest->cd_format) {
650 	case CRYPTO_DATA_RAW:
651 		SHA2Final((unsigned char *)digest->cd_raw.iov_base +
652 		    digest->cd_offset, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
653 		break;
654 	case CRYPTO_DATA_UIO:
655 		ret = sha2_digest_final_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
656 		    digest, sha_digest_len, NULL);
657 		break;
658 	case CRYPTO_DATA_MBLK:
659 		ret = sha2_digest_final_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
660 		    digest, sha_digest_len, NULL);
661 		break;
662 	default:
663 		ret = CRYPTO_ARGUMENTS_BAD;
664 	}
665 
666 	/* all done, free context and return */
667 
668 	if (ret == CRYPTO_SUCCESS)
669 		digest->cd_length = sha_digest_len;
670 	else
671 		digest->cd_length = 0;
672 
673 	kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
674 	ctx->cc_provider_private = NULL;
675 	return (ret);
676 }
677 
678 /* ARGSUSED */
679 static int
680 sha2_digest_update(crypto_ctx_t *ctx, crypto_data_t *data,
681     crypto_req_handle_t req)
682 {
683 	int ret = CRYPTO_SUCCESS;
684 
685 	ASSERT(ctx->cc_provider_private != NULL);
686 
687 	/*
688 	 * Do the SHA2 update on the specified input data.
689 	 */
690 	switch (data->cd_format) {
691 	case CRYPTO_DATA_RAW:
692 		SHA2Update(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
693 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
694 		    data->cd_length);
695 		break;
696 	case CRYPTO_DATA_UIO:
697 		ret = sha2_digest_update_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
698 		    data);
699 		break;
700 	case CRYPTO_DATA_MBLK:
701 		ret = sha2_digest_update_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
702 		    data);
703 		break;
704 	default:
705 		ret = CRYPTO_ARGUMENTS_BAD;
706 	}
707 
708 	return (ret);
709 }
710 
711 /* ARGSUSED */
712 static int
713 sha2_digest_final(crypto_ctx_t *ctx, crypto_data_t *digest,
714     crypto_req_handle_t req)
715 {
716 	int ret = CRYPTO_SUCCESS;
717 	uint_t sha_digest_len;
718 
719 	ASSERT(ctx->cc_provider_private != NULL);
720 
721 	switch (PROV_SHA2_CTX(ctx)->sc_mech_type) {
722 	case SHA256_MECH_INFO_TYPE:
723 		sha_digest_len = SHA256_DIGEST_LENGTH;
724 		break;
725 	case SHA384_MECH_INFO_TYPE:
726 		sha_digest_len = SHA384_DIGEST_LENGTH;
727 		break;
728 	case SHA512_MECH_INFO_TYPE:
729 		sha_digest_len = SHA512_DIGEST_LENGTH;
730 		break;
731 	default:
732 		return (CRYPTO_MECHANISM_INVALID);
733 	}
734 
735 	/*
736 	 * We need to just return the length needed to store the output.
737 	 * We should not destroy the context for the following cases.
738 	 */
739 	if ((digest->cd_length == 0) ||
740 	    (digest->cd_length < sha_digest_len)) {
741 		digest->cd_length = sha_digest_len;
742 		return (CRYPTO_BUFFER_TOO_SMALL);
743 	}
744 
745 	/*
746 	 * Do a SHA2 final.
747 	 */
748 	switch (digest->cd_format) {
749 	case CRYPTO_DATA_RAW:
750 		SHA2Final((unsigned char *)digest->cd_raw.iov_base +
751 		    digest->cd_offset, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
752 		break;
753 	case CRYPTO_DATA_UIO:
754 		ret = sha2_digest_final_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
755 		    digest, sha_digest_len, NULL);
756 		break;
757 	case CRYPTO_DATA_MBLK:
758 		ret = sha2_digest_final_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
759 		    digest, sha_digest_len, NULL);
760 		break;
761 	default:
762 		ret = CRYPTO_ARGUMENTS_BAD;
763 	}
764 
765 	/* all done, free context and return */
766 
767 	if (ret == CRYPTO_SUCCESS)
768 		digest->cd_length = sha_digest_len;
769 	else
770 		digest->cd_length = 0;
771 
772 	kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
773 	ctx->cc_provider_private = NULL;
774 
775 	return (ret);
776 }
777 
778 /* ARGSUSED */
779 static int
780 sha2_digest_atomic(crypto_provider_handle_t provider,
781     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
782     crypto_data_t *data, crypto_data_t *digest,
783     crypto_req_handle_t req)
784 {
785 	int ret = CRYPTO_SUCCESS;
786 	SHA2_CTX sha2_ctx;
787 	uint32_t sha_digest_len;
788 
789 	/*
790 	 * Do the SHA inits.
791 	 */
792 
793 	SHA2Init(mechanism->cm_type, &sha2_ctx);
794 
795 	switch (data->cd_format) {
796 	case CRYPTO_DATA_RAW:
797 		SHA2Update(&sha2_ctx, (uint8_t *)data->
798 		    cd_raw.iov_base + data->cd_offset, data->cd_length);
799 		break;
800 	case CRYPTO_DATA_UIO:
801 		ret = sha2_digest_update_uio(&sha2_ctx, data);
802 		break;
803 	case CRYPTO_DATA_MBLK:
804 		ret = sha2_digest_update_mblk(&sha2_ctx, data);
805 		break;
806 	default:
807 		ret = CRYPTO_ARGUMENTS_BAD;
808 	}
809 
810 	/*
811 	 * Do the SHA updates on the specified input data.
812 	 */
813 
814 	if (ret != CRYPTO_SUCCESS) {
815 		/* the update failed, bail */
816 		digest->cd_length = 0;
817 		return (ret);
818 	}
819 
820 	if (mechanism->cm_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE)
821 		sha_digest_len = SHA256_DIGEST_LENGTH;
822 	else
823 		sha_digest_len = SHA512_DIGEST_LENGTH;
824 
825 	/*
826 	 * Do a SHA2 final, must be done separately since the digest
827 	 * type can be different than the input data type.
828 	 */
829 	switch (digest->cd_format) {
830 	case CRYPTO_DATA_RAW:
831 		SHA2Final((unsigned char *)digest->cd_raw.iov_base +
832 		    digest->cd_offset, &sha2_ctx);
833 		break;
834 	case CRYPTO_DATA_UIO:
835 		ret = sha2_digest_final_uio(&sha2_ctx, digest,
836 		    sha_digest_len, NULL);
837 		break;
838 	case CRYPTO_DATA_MBLK:
839 		ret = sha2_digest_final_mblk(&sha2_ctx, digest,
840 		    sha_digest_len, NULL);
841 		break;
842 	default:
843 		ret = CRYPTO_ARGUMENTS_BAD;
844 	}
845 
846 	if (ret == CRYPTO_SUCCESS)
847 		digest->cd_length = sha_digest_len;
848 	else
849 		digest->cd_length = 0;
850 
851 	return (ret);
852 }
853 
854 /*
855  * KCF software provider mac entry points.
856  *
857  * SHA2 HMAC is: SHA2(key XOR opad, SHA2(key XOR ipad, text))
858  *
859  * Init:
860  * The initialization routine initializes what we denote
861  * as the inner and outer contexts by doing
862  * - for inner context: SHA2(key XOR ipad)
863  * - for outer context: SHA2(key XOR opad)
864  *
865  * Update:
866  * Each subsequent SHA2 HMAC update will result in an
867  * update of the inner context with the specified data.
868  *
869  * Final:
870  * The SHA2 HMAC final will do a SHA2 final operation on the
871  * inner context, and the resulting digest will be used
872  * as the data for an update on the outer context. Last
873  * but not least, a SHA2 final on the outer context will
874  * be performed to obtain the SHA2 HMAC digest to return
875  * to the user.
876  */
877 
878 /*
879  * Initialize a SHA2-HMAC context.
880  */
881 static void
882 sha2_mac_init_ctx(sha2_hmac_ctx_t *ctx, void *keyval, uint_t length_in_bytes)
883 {
884 	uint64_t ipad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)];
885 	uint64_t opad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)];
886 	int i, block_size, blocks_per_int64;
887 
888 	/* Determine the block size */
889 	if (ctx->hc_mech_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE) {
890 		block_size = SHA256_HMAC_BLOCK_SIZE;
891 		blocks_per_int64 = SHA256_HMAC_BLOCK_SIZE / sizeof (uint64_t);
892 	} else {
893 		block_size = SHA512_HMAC_BLOCK_SIZE;
894 		blocks_per_int64 = SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t);
895 	}
896 
897 	(void) bzero(ipad, block_size);
898 	(void) bzero(opad, block_size);
899 	(void) bcopy(keyval, ipad, length_in_bytes);
900 	(void) bcopy(keyval, opad, length_in_bytes);
901 
902 	/* XOR key with ipad (0x36) and opad (0x5c) */
903 	for (i = 0; i < blocks_per_int64; i ++) {
904 		ipad[i] ^= 0x3636363636363636;
905 		opad[i] ^= 0x5c5c5c5c5c5c5c5c;
906 	}
907 
908 	/* perform SHA2 on ipad */
909 	SHA2Init(ctx->hc_mech_type, &ctx->hc_icontext);
910 	SHA2Update(&ctx->hc_icontext, (uint8_t *)ipad, block_size);
911 
912 	/* perform SHA2 on opad */
913 	SHA2Init(ctx->hc_mech_type, &ctx->hc_ocontext);
914 	SHA2Update(&ctx->hc_ocontext, (uint8_t *)opad, block_size);
915 
916 }
917 
918 /*
919  */
920 static int
921 sha2_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
922     crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
923     crypto_req_handle_t req)
924 {
925 	int ret = CRYPTO_SUCCESS;
926 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
927 	uint_t sha_digest_len, sha_hmac_block_size;
928 
929 	/*
930 	 * Set the digest length and block size to values appropriate to the
931 	 * mechanism
932 	 */
933 	switch (mechanism->cm_type) {
934 	case SHA256_HMAC_MECH_INFO_TYPE:
935 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
936 		sha_digest_len = SHA256_DIGEST_LENGTH;
937 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
938 		break;
939 	case SHA384_HMAC_MECH_INFO_TYPE:
940 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
941 	case SHA512_HMAC_MECH_INFO_TYPE:
942 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
943 		sha_digest_len = SHA512_DIGEST_LENGTH;
944 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
945 		break;
946 	default:
947 		return (CRYPTO_MECHANISM_INVALID);
948 	}
949 
950 	if (key->ck_format != CRYPTO_KEY_RAW)
951 		return (CRYPTO_ARGUMENTS_BAD);
952 
953 	ctx->cc_provider_private = kmem_alloc(sizeof (sha2_hmac_ctx_t),
954 	    crypto_kmflag(req));
955 	if (ctx->cc_provider_private == NULL)
956 		return (CRYPTO_HOST_MEMORY);
957 
958 	PROV_SHA2_HMAC_CTX(ctx)->hc_mech_type = mechanism->cm_type;
959 	if (ctx_template != NULL) {
960 		/* reuse context template */
961 		bcopy(ctx_template, PROV_SHA2_HMAC_CTX(ctx),
962 		    sizeof (sha2_hmac_ctx_t));
963 	} else {
964 		/* no context template, compute context */
965 		if (keylen_in_bytes > sha_hmac_block_size) {
966 			uchar_t digested_key[SHA512_DIGEST_LENGTH];
967 			sha2_hmac_ctx_t *hmac_ctx = ctx->cc_provider_private;
968 
969 			/*
970 			 * Hash the passed-in key to get a smaller key.
971 			 * The inner context is used since it hasn't been
972 			 * initialized yet.
973 			 */
974 			PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
975 			    &hmac_ctx->hc_icontext,
976 			    key->ck_data, keylen_in_bytes, digested_key);
977 			sha2_mac_init_ctx(PROV_SHA2_HMAC_CTX(ctx),
978 			    digested_key, sha_digest_len);
979 		} else {
980 			sha2_mac_init_ctx(PROV_SHA2_HMAC_CTX(ctx),
981 			    key->ck_data, keylen_in_bytes);
982 		}
983 	}
984 
985 	/*
986 	 * Get the mechanism parameters, if applicable.
987 	 */
988 	if (mechanism->cm_type % 3 == 2) {
989 		if (mechanism->cm_param == NULL ||
990 		    mechanism->cm_param_len != sizeof (ulong_t))
991 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
992 		PROV_SHA2_GET_DIGEST_LEN(mechanism,
993 		    PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len);
994 		if (PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len > sha_digest_len)
995 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
996 	}
997 
998 	if (ret != CRYPTO_SUCCESS) {
999 		bzero(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1000 		kmem_free(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1001 		ctx->cc_provider_private = NULL;
1002 	}
1003 
1004 	return (ret);
1005 }
1006 
1007 /* ARGSUSED */
1008 static int
1009 sha2_mac_update(crypto_ctx_t *ctx, crypto_data_t *data,
1010     crypto_req_handle_t req)
1011 {
1012 	int ret = CRYPTO_SUCCESS;
1013 
1014 	ASSERT(ctx->cc_provider_private != NULL);
1015 
1016 	/*
1017 	 * Do a SHA2 update of the inner context using the specified
1018 	 * data.
1019 	 */
1020 	switch (data->cd_format) {
1021 	case CRYPTO_DATA_RAW:
1022 		SHA2Update(&PROV_SHA2_HMAC_CTX(ctx)->hc_icontext,
1023 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
1024 		    data->cd_length);
1025 		break;
1026 	case CRYPTO_DATA_UIO:
1027 		ret = sha2_digest_update_uio(
1028 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext, data);
1029 		break;
1030 	case CRYPTO_DATA_MBLK:
1031 		ret = sha2_digest_update_mblk(
1032 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext, data);
1033 		break;
1034 	default:
1035 		ret = CRYPTO_ARGUMENTS_BAD;
1036 	}
1037 
1038 	return (ret);
1039 }
1040 
1041 /* ARGSUSED */
1042 static int
1043 sha2_mac_final(crypto_ctx_t *ctx, crypto_data_t *mac, crypto_req_handle_t req)
1044 {
1045 	int ret = CRYPTO_SUCCESS;
1046 	uchar_t digest[SHA512_DIGEST_LENGTH];
1047 	uint32_t digest_len, sha_digest_len;
1048 
1049 	ASSERT(ctx->cc_provider_private != NULL);
1050 
1051 	/* Set the digest lengths to values appropriate to the mechanism */
1052 	switch (PROV_SHA2_HMAC_CTX(ctx)->hc_mech_type) {
1053 	case SHA256_HMAC_MECH_INFO_TYPE:
1054 		sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1055 		break;
1056 	case SHA384_HMAC_MECH_INFO_TYPE:
1057 		sha_digest_len = digest_len = SHA384_DIGEST_LENGTH;
1058 		break;
1059 	case SHA512_HMAC_MECH_INFO_TYPE:
1060 		sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1061 		break;
1062 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1063 		sha_digest_len = SHA256_DIGEST_LENGTH;
1064 		digest_len = PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len;
1065 		break;
1066 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1067 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1068 		sha_digest_len = SHA512_DIGEST_LENGTH;
1069 		digest_len = PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len;
1070 		break;
1071 	}
1072 
1073 	/*
1074 	 * We need to just return the length needed to store the output.
1075 	 * We should not destroy the context for the following cases.
1076 	 */
1077 	if ((mac->cd_length == 0) || (mac->cd_length < digest_len)) {
1078 		mac->cd_length = digest_len;
1079 		return (CRYPTO_BUFFER_TOO_SMALL);
1080 	}
1081 
1082 	/*
1083 	 * Do a SHA2 final on the inner context.
1084 	 */
1085 	SHA2Final(digest, &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext);
1086 
1087 	/*
1088 	 * Do a SHA2 update on the outer context, feeding the inner
1089 	 * digest as data.
1090 	 */
1091 	SHA2Update(&PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, digest,
1092 	    sha_digest_len);
1093 
1094 	/*
1095 	 * Do a SHA2 final on the outer context, storing the computing
1096 	 * digest in the users buffer.
1097 	 */
1098 	switch (mac->cd_format) {
1099 	case CRYPTO_DATA_RAW:
1100 		if (digest_len != sha_digest_len) {
1101 			/*
1102 			 * The caller requested a short digest. Digest
1103 			 * into a scratch buffer and return to
1104 			 * the user only what was requested.
1105 			 */
1106 			SHA2Final(digest,
1107 			    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext);
1108 			bcopy(digest, (unsigned char *)mac->cd_raw.iov_base +
1109 			    mac->cd_offset, digest_len);
1110 		} else {
1111 			SHA2Final((unsigned char *)mac->cd_raw.iov_base +
1112 			    mac->cd_offset,
1113 			    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext);
1114 		}
1115 		break;
1116 	case CRYPTO_DATA_UIO:
1117 		ret = sha2_digest_final_uio(
1118 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, mac,
1119 		    digest_len, digest);
1120 		break;
1121 	case CRYPTO_DATA_MBLK:
1122 		ret = sha2_digest_final_mblk(
1123 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, mac,
1124 		    digest_len, digest);
1125 		break;
1126 	default:
1127 		ret = CRYPTO_ARGUMENTS_BAD;
1128 	}
1129 
1130 	if (ret == CRYPTO_SUCCESS)
1131 		mac->cd_length = digest_len;
1132 	else
1133 		mac->cd_length = 0;
1134 
1135 	bzero(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1136 	kmem_free(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1137 	ctx->cc_provider_private = NULL;
1138 
1139 	return (ret);
1140 }
1141 
1142 #define	SHA2_MAC_UPDATE(data, ctx, ret) {				\
1143 	switch (data->cd_format) {					\
1144 	case CRYPTO_DATA_RAW:						\
1145 		SHA2Update(&(ctx).hc_icontext,				\
1146 		    (uint8_t *)data->cd_raw.iov_base +			\
1147 		    data->cd_offset, data->cd_length);			\
1148 		break;							\
1149 	case CRYPTO_DATA_UIO:						\
1150 		ret = sha2_digest_update_uio(&(ctx).hc_icontext, data);	\
1151 		break;							\
1152 	case CRYPTO_DATA_MBLK:						\
1153 		ret = sha2_digest_update_mblk(&(ctx).hc_icontext,	\
1154 		    data);						\
1155 		break;							\
1156 	default:							\
1157 		ret = CRYPTO_ARGUMENTS_BAD;				\
1158 	}								\
1159 }
1160 
1161 /* ARGSUSED */
1162 static int
1163 sha2_mac_atomic(crypto_provider_handle_t provider,
1164     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1165     crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1166     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1167 {
1168 	int ret = CRYPTO_SUCCESS;
1169 	uchar_t digest[SHA512_DIGEST_LENGTH];
1170 	sha2_hmac_ctx_t sha2_hmac_ctx;
1171 	uint32_t sha_digest_len, digest_len, sha_hmac_block_size;
1172 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1173 
1174 	/*
1175 	 * Set the digest length and block size to values appropriate to the
1176 	 * mechanism
1177 	 */
1178 	switch (mechanism->cm_type) {
1179 	case SHA256_HMAC_MECH_INFO_TYPE:
1180 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1181 		sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1182 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1183 		break;
1184 	case SHA384_HMAC_MECH_INFO_TYPE:
1185 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1186 	case SHA512_HMAC_MECH_INFO_TYPE:
1187 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1188 		sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1189 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1190 		break;
1191 	default:
1192 		return (CRYPTO_MECHANISM_INVALID);
1193 	}
1194 
1195 	/* Add support for key by attributes (RFE 4706552) */
1196 	if (key->ck_format != CRYPTO_KEY_RAW)
1197 		return (CRYPTO_ARGUMENTS_BAD);
1198 
1199 	if (ctx_template != NULL) {
1200 		/* reuse context template */
1201 		bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1202 	} else {
1203 		sha2_hmac_ctx.hc_mech_type = mechanism->cm_type;
1204 		/* no context template, initialize context */
1205 		if (keylen_in_bytes > sha_hmac_block_size) {
1206 			/*
1207 			 * Hash the passed-in key to get a smaller key.
1208 			 * The inner context is used since it hasn't been
1209 			 * initialized yet.
1210 			 */
1211 			PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1212 			    &sha2_hmac_ctx.hc_icontext,
1213 			    key->ck_data, keylen_in_bytes, digest);
1214 			sha2_mac_init_ctx(&sha2_hmac_ctx, digest,
1215 			    sha_digest_len);
1216 		} else {
1217 			sha2_mac_init_ctx(&sha2_hmac_ctx, key->ck_data,
1218 			    keylen_in_bytes);
1219 		}
1220 	}
1221 
1222 	/* get the mechanism parameters, if applicable */
1223 	if ((mechanism->cm_type % 3) == 2) {
1224 		if (mechanism->cm_param == NULL ||
1225 		    mechanism->cm_param_len != sizeof (ulong_t)) {
1226 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1227 			goto bail;
1228 		}
1229 		PROV_SHA2_GET_DIGEST_LEN(mechanism, digest_len);
1230 		if (digest_len > sha_digest_len) {
1231 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1232 			goto bail;
1233 		}
1234 	}
1235 
1236 	/* do a SHA2 update of the inner context using the specified data */
1237 	SHA2_MAC_UPDATE(data, sha2_hmac_ctx, ret);
1238 	if (ret != CRYPTO_SUCCESS)
1239 		/* the update failed, free context and bail */
1240 		goto bail;
1241 
1242 	/*
1243 	 * Do a SHA2 final on the inner context.
1244 	 */
1245 	SHA2Final(digest, &sha2_hmac_ctx.hc_icontext);
1246 
1247 	/*
1248 	 * Do an SHA2 update on the outer context, feeding the inner
1249 	 * digest as data.
1250 	 *
1251 	 * HMAC-SHA384 needs special handling as the outer hash needs only 48
1252 	 * bytes of the inner hash value.
1253 	 */
1254 	if (mechanism->cm_type == SHA384_HMAC_MECH_INFO_TYPE ||
1255 	    mechanism->cm_type == SHA384_HMAC_GEN_MECH_INFO_TYPE)
1256 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest,
1257 		    SHA384_DIGEST_LENGTH);
1258 	else
1259 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, sha_digest_len);
1260 
1261 	/*
1262 	 * Do a SHA2 final on the outer context, storing the computed
1263 	 * digest in the users buffer.
1264 	 */
1265 	switch (mac->cd_format) {
1266 	case CRYPTO_DATA_RAW:
1267 		if (digest_len != sha_digest_len) {
1268 			/*
1269 			 * The caller requested a short digest. Digest
1270 			 * into a scratch buffer and return to
1271 			 * the user only what was requested.
1272 			 */
1273 			SHA2Final(digest, &sha2_hmac_ctx.hc_ocontext);
1274 			bcopy(digest, (unsigned char *)mac->cd_raw.iov_base +
1275 			    mac->cd_offset, digest_len);
1276 		} else {
1277 			SHA2Final((unsigned char *)mac->cd_raw.iov_base +
1278 			    mac->cd_offset, &sha2_hmac_ctx.hc_ocontext);
1279 		}
1280 		break;
1281 	case CRYPTO_DATA_UIO:
1282 		ret = sha2_digest_final_uio(&sha2_hmac_ctx.hc_ocontext, mac,
1283 		    digest_len, digest);
1284 		break;
1285 	case CRYPTO_DATA_MBLK:
1286 		ret = sha2_digest_final_mblk(&sha2_hmac_ctx.hc_ocontext, mac,
1287 		    digest_len, digest);
1288 		break;
1289 	default:
1290 		ret = CRYPTO_ARGUMENTS_BAD;
1291 	}
1292 
1293 	if (ret == CRYPTO_SUCCESS) {
1294 		mac->cd_length = digest_len;
1295 		return (CRYPTO_SUCCESS);
1296 	}
1297 bail:
1298 	bzero(&sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1299 	mac->cd_length = 0;
1300 	return (ret);
1301 }
1302 
1303 /* ARGSUSED */
1304 static int
1305 sha2_mac_verify_atomic(crypto_provider_handle_t provider,
1306     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1307     crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1308     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1309 {
1310 	int ret = CRYPTO_SUCCESS;
1311 	uchar_t digest[SHA512_DIGEST_LENGTH];
1312 	sha2_hmac_ctx_t sha2_hmac_ctx;
1313 	uint32_t sha_digest_len, digest_len, sha_hmac_block_size;
1314 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1315 
1316 	/*
1317 	 * Set the digest length and block size to values appropriate to the
1318 	 * mechanism
1319 	 */
1320 	switch (mechanism->cm_type) {
1321 	case SHA256_HMAC_MECH_INFO_TYPE:
1322 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1323 		sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1324 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1325 		break;
1326 	case SHA384_HMAC_MECH_INFO_TYPE:
1327 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1328 	case SHA512_HMAC_MECH_INFO_TYPE:
1329 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1330 		sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1331 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1332 		break;
1333 	default:
1334 		return (CRYPTO_MECHANISM_INVALID);
1335 	}
1336 
1337 	/* Add support for key by attributes (RFE 4706552) */
1338 	if (key->ck_format != CRYPTO_KEY_RAW)
1339 		return (CRYPTO_ARGUMENTS_BAD);
1340 
1341 	if (ctx_template != NULL) {
1342 		/* reuse context template */
1343 		bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1344 	} else {
1345 		sha2_hmac_ctx.hc_mech_type = mechanism->cm_type;
1346 		/* no context template, initialize context */
1347 		if (keylen_in_bytes > sha_hmac_block_size) {
1348 			/*
1349 			 * Hash the passed-in key to get a smaller key.
1350 			 * The inner context is used since it hasn't been
1351 			 * initialized yet.
1352 			 */
1353 			PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1354 			    &sha2_hmac_ctx.hc_icontext,
1355 			    key->ck_data, keylen_in_bytes, digest);
1356 			sha2_mac_init_ctx(&sha2_hmac_ctx, digest,
1357 			    sha_digest_len);
1358 		} else {
1359 			sha2_mac_init_ctx(&sha2_hmac_ctx, key->ck_data,
1360 			    keylen_in_bytes);
1361 		}
1362 	}
1363 
1364 	/* get the mechanism parameters, if applicable */
1365 	if (mechanism->cm_type % 3 == 2) {
1366 		if (mechanism->cm_param == NULL ||
1367 		    mechanism->cm_param_len != sizeof (ulong_t)) {
1368 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1369 			goto bail;
1370 		}
1371 		PROV_SHA2_GET_DIGEST_LEN(mechanism, digest_len);
1372 		if (digest_len > sha_digest_len) {
1373 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1374 			goto bail;
1375 		}
1376 	}
1377 
1378 	if (mac->cd_length != digest_len) {
1379 		ret = CRYPTO_INVALID_MAC;
1380 		goto bail;
1381 	}
1382 
1383 	/* do a SHA2 update of the inner context using the specified data */
1384 	SHA2_MAC_UPDATE(data, sha2_hmac_ctx, ret);
1385 	if (ret != CRYPTO_SUCCESS)
1386 		/* the update failed, free context and bail */
1387 		goto bail;
1388 
1389 	/* do a SHA2 final on the inner context */
1390 	SHA2Final(digest, &sha2_hmac_ctx.hc_icontext);
1391 
1392 	/*
1393 	 * Do an SHA2 update on the outer context, feeding the inner
1394 	 * digest as data.
1395 	 *
1396 	 * HMAC-SHA384 needs special handling as the outer hash needs only 48
1397 	 * bytes of the inner hash value.
1398 	 */
1399 	if (mechanism->cm_type == SHA384_HMAC_MECH_INFO_TYPE ||
1400 	    mechanism->cm_type == SHA384_HMAC_GEN_MECH_INFO_TYPE)
1401 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest,
1402 		    SHA384_DIGEST_LENGTH);
1403 	else
1404 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, sha_digest_len);
1405 
1406 	/*
1407 	 * Do a SHA2 final on the outer context, storing the computed
1408 	 * digest in the users buffer.
1409 	 */
1410 	SHA2Final(digest, &sha2_hmac_ctx.hc_ocontext);
1411 
1412 	/*
1413 	 * Compare the computed digest against the expected digest passed
1414 	 * as argument.
1415 	 */
1416 
1417 	switch (mac->cd_format) {
1418 
1419 	case CRYPTO_DATA_RAW:
1420 		if (bcmp(digest, (unsigned char *)mac->cd_raw.iov_base +
1421 		    mac->cd_offset, digest_len) != 0)
1422 			ret = CRYPTO_INVALID_MAC;
1423 		break;
1424 
1425 	case CRYPTO_DATA_UIO: {
1426 		off_t offset = mac->cd_offset;
1427 		uint_t vec_idx;
1428 		off_t scratch_offset = 0;
1429 		size_t length = digest_len;
1430 		size_t cur_len;
1431 
1432 		/* we support only kernel buffer */
1433 		if (mac->cd_uio->uio_segflg != UIO_SYSSPACE)
1434 			return (CRYPTO_ARGUMENTS_BAD);
1435 
1436 		/* jump to the first iovec containing the expected digest */
1437 		for (vec_idx = 0;
1438 		    offset >= mac->cd_uio->uio_iov[vec_idx].iov_len &&
1439 		    vec_idx < mac->cd_uio->uio_iovcnt;
1440 		    offset -= mac->cd_uio->uio_iov[vec_idx++].iov_len)
1441 			;
1442 		if (vec_idx == mac->cd_uio->uio_iovcnt) {
1443 			/*
1444 			 * The caller specified an offset that is
1445 			 * larger than the total size of the buffers
1446 			 * it provided.
1447 			 */
1448 			ret = CRYPTO_DATA_LEN_RANGE;
1449 			break;
1450 		}
1451 
1452 		/* do the comparison of computed digest vs specified one */
1453 		while (vec_idx < mac->cd_uio->uio_iovcnt && length > 0) {
1454 			cur_len = MIN(mac->cd_uio->uio_iov[vec_idx].iov_len -
1455 			    offset, length);
1456 
1457 			if (bcmp(digest + scratch_offset,
1458 			    mac->cd_uio->uio_iov[vec_idx].iov_base + offset,
1459 			    cur_len) != 0) {
1460 				ret = CRYPTO_INVALID_MAC;
1461 				break;
1462 			}
1463 
1464 			length -= cur_len;
1465 			vec_idx++;
1466 			scratch_offset += cur_len;
1467 			offset = 0;
1468 		}
1469 		break;
1470 	}
1471 
1472 	case CRYPTO_DATA_MBLK: {
1473 		off_t offset = mac->cd_offset;
1474 		mblk_t *mp;
1475 		off_t scratch_offset = 0;
1476 		size_t length = digest_len;
1477 		size_t cur_len;
1478 
1479 		/* jump to the first mblk_t containing the expected digest */
1480 		for (mp = mac->cd_mp; mp != NULL && offset >= MBLKL(mp);
1481 		    offset -= MBLKL(mp), mp = mp->b_cont)
1482 			;
1483 		if (mp == NULL) {
1484 			/*
1485 			 * The caller specified an offset that is larger than
1486 			 * the total size of the buffers it provided.
1487 			 */
1488 			ret = CRYPTO_DATA_LEN_RANGE;
1489 			break;
1490 		}
1491 
1492 		while (mp != NULL && length > 0) {
1493 			cur_len = MIN(MBLKL(mp) - offset, length);
1494 			if (bcmp(digest + scratch_offset,
1495 			    mp->b_rptr + offset, cur_len) != 0) {
1496 				ret = CRYPTO_INVALID_MAC;
1497 				break;
1498 			}
1499 
1500 			length -= cur_len;
1501 			mp = mp->b_cont;
1502 			scratch_offset += cur_len;
1503 			offset = 0;
1504 		}
1505 		break;
1506 	}
1507 
1508 	default:
1509 		ret = CRYPTO_ARGUMENTS_BAD;
1510 	}
1511 
1512 	return (ret);
1513 bail:
1514 	bzero(&sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1515 	mac->cd_length = 0;
1516 	return (ret);
1517 }
1518 
1519 /*
1520  * KCF software provider context management entry points.
1521  */
1522 
1523 /* ARGSUSED */
1524 static int
1525 sha2_create_ctx_template(crypto_provider_handle_t provider,
1526     crypto_mechanism_t *mechanism, crypto_key_t *key,
1527     crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size,
1528     crypto_req_handle_t req)
1529 {
1530 	sha2_hmac_ctx_t *sha2_hmac_ctx_tmpl;
1531 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1532 	uint32_t sha_digest_len, sha_hmac_block_size;
1533 
1534 	/*
1535 	 * Set the digest length and block size to values appropriate to the
1536 	 * mechanism
1537 	 */
1538 	switch (mechanism->cm_type) {
1539 	case SHA256_HMAC_MECH_INFO_TYPE:
1540 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1541 		sha_digest_len = SHA256_DIGEST_LENGTH;
1542 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1543 		break;
1544 	case SHA384_HMAC_MECH_INFO_TYPE:
1545 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1546 	case SHA512_HMAC_MECH_INFO_TYPE:
1547 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1548 		sha_digest_len = SHA512_DIGEST_LENGTH;
1549 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1550 		break;
1551 	default:
1552 		return (CRYPTO_MECHANISM_INVALID);
1553 	}
1554 
1555 	/* Add support for key by attributes (RFE 4706552) */
1556 	if (key->ck_format != CRYPTO_KEY_RAW)
1557 		return (CRYPTO_ARGUMENTS_BAD);
1558 
1559 	/*
1560 	 * Allocate and initialize SHA2 context.
1561 	 */
1562 	sha2_hmac_ctx_tmpl = kmem_alloc(sizeof (sha2_hmac_ctx_t),
1563 	    crypto_kmflag(req));
1564 	if (sha2_hmac_ctx_tmpl == NULL)
1565 		return (CRYPTO_HOST_MEMORY);
1566 
1567 	sha2_hmac_ctx_tmpl->hc_mech_type = mechanism->cm_type;
1568 
1569 	if (keylen_in_bytes > sha_hmac_block_size) {
1570 		uchar_t digested_key[SHA512_DIGEST_LENGTH];
1571 
1572 		/*
1573 		 * Hash the passed-in key to get a smaller key.
1574 		 * The inner context is used since it hasn't been
1575 		 * initialized yet.
1576 		 */
1577 		PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1578 		    &sha2_hmac_ctx_tmpl->hc_icontext,
1579 		    key->ck_data, keylen_in_bytes, digested_key);
1580 		sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, digested_key,
1581 		    sha_digest_len);
1582 	} else {
1583 		sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, key->ck_data,
1584 		    keylen_in_bytes);
1585 	}
1586 
1587 	*ctx_template = (crypto_spi_ctx_template_t)sha2_hmac_ctx_tmpl;
1588 	*ctx_template_size = sizeof (sha2_hmac_ctx_t);
1589 
1590 	return (CRYPTO_SUCCESS);
1591 }
1592 
1593 static int
1594 sha2_free_context(crypto_ctx_t *ctx)
1595 {
1596 	uint_t ctx_len;
1597 
1598 	if (ctx->cc_provider_private == NULL)
1599 		return (CRYPTO_SUCCESS);
1600 
1601 	/*
1602 	 * We have to free either SHA2 or SHA2-HMAC contexts, which
1603 	 * have different lengths.
1604 	 *
1605 	 * Note: Below is dependent on the mechanism ordering.
1606 	 */
1607 
1608 	if (PROV_SHA2_CTX(ctx)->sc_mech_type % 3 == 0)
1609 		ctx_len = sizeof (sha2_ctx_t);
1610 	else
1611 		ctx_len = sizeof (sha2_hmac_ctx_t);
1612 
1613 	bzero(ctx->cc_provider_private, ctx_len);
1614 	kmem_free(ctx->cc_provider_private, ctx_len);
1615 	ctx->cc_provider_private = NULL;
1616 
1617 	return (CRYPTO_SUCCESS);
1618 }
1619 
1620 /*
1621  * SHA-2 Power-Up Self-Test
1622  */
1623 void
1624 sha2_POST(int *rc)
1625 {
1626 
1627 	*rc = fips_sha2_post();
1628 
1629 }
1630