xref: /illumos-gate/usr/src/uts/common/crypto/io/sha2_mod.c (revision cb7ea99db394f3bd5f4a6c6bf58c8c52df3508f0)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #include <sys/modctl.h>
28 #include <sys/cmn_err.h>
29 #include <sys/crypto/common.h>
30 #include <sys/crypto/spi.h>
31 #include <sys/strsun.h>
32 #include <sys/systm.h>
33 #include <sys/sysmacros.h>
34 #define	_SHA2_IMPL
35 #include <sys/sha2.h>
36 
37 /*
38  * The sha2 module is created with two modlinkages:
39  * - a modlmisc that allows consumers to directly call the entry points
40  *   SHA2Init, SHA2Update, and SHA2Final.
41  * - a modlcrypto that allows the module to register with the Kernel
42  *   Cryptographic Framework (KCF) as a software provider for the SHA2
43  *   mechanisms.
44  */
45 
46 static struct modlmisc modlmisc = {
47 	&mod_miscops,
48 	"SHA2 Message-Digest Algorithm"
49 };
50 
51 static struct modlcrypto modlcrypto = {
52 	&mod_cryptoops,
53 	"SHA2 Kernel SW Provider"
54 };
55 
56 static struct modlinkage modlinkage = {
57 	MODREV_1, &modlmisc, &modlcrypto, NULL
58 };
59 
60 /*
61  * CSPI information (entry points, provider info, etc.)
62  */
63 
64 /*
65  * Context for SHA2 mechanism.
66  */
67 typedef struct sha2_ctx {
68 	sha2_mech_type_t	sc_mech_type;	/* type of context */
69 	SHA2_CTX		sc_sha2_ctx;	/* SHA2 context */
70 } sha2_ctx_t;
71 
72 /*
73  * Context for SHA2 HMAC and HMAC GENERAL mechanisms.
74  */
75 typedef struct sha2_hmac_ctx {
76 	sha2_mech_type_t	hc_mech_type;	/* type of context */
77 	uint32_t		hc_digest_len;	/* digest len in bytes */
78 	SHA2_CTX		hc_icontext;	/* inner SHA2 context */
79 	SHA2_CTX		hc_ocontext;	/* outer SHA2 context */
80 } sha2_hmac_ctx_t;
81 
82 /*
83  * Macros to access the SHA2 or SHA2-HMAC contexts from a context passed
84  * by KCF to one of the entry points.
85  */
86 
87 #define	PROV_SHA2_CTX(ctx)	((sha2_ctx_t *)(ctx)->cc_provider_private)
88 #define	PROV_SHA2_HMAC_CTX(ctx)	((sha2_hmac_ctx_t *)(ctx)->cc_provider_private)
89 
90 /* to extract the digest length passed as mechanism parameter */
91 #define	PROV_SHA2_GET_DIGEST_LEN(m, len) {				\
92 	if (IS_P2ALIGNED((m)->cm_param, sizeof (ulong_t)))		\
93 		(len) = (uint32_t)*((ulong_t *)(m)->cm_param);	\
94 	else {								\
95 		ulong_t tmp_ulong;					\
96 		bcopy((m)->cm_param, &tmp_ulong, sizeof (ulong_t));	\
97 		(len) = (uint32_t)tmp_ulong;				\
98 	}								\
99 }
100 
101 #define	PROV_SHA2_DIGEST_KEY(mech, ctx, key, len, digest) {	\
102 	SHA2Init(mech, ctx);				\
103 	SHA2Update(ctx, key, len);			\
104 	SHA2Final(digest, ctx);				\
105 }
106 
107 /*
108  * Mechanism info structure passed to KCF during registration.
109  */
110 static crypto_mech_info_t sha2_mech_info_tab[] = {
111 	/* SHA256 */
112 	{SUN_CKM_SHA256, SHA256_MECH_INFO_TYPE,
113 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
114 	    0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
115 	/* SHA256-HMAC */
116 	{SUN_CKM_SHA256_HMAC, SHA256_HMAC_MECH_INFO_TYPE,
117 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
118 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
119 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES},
120 	/* SHA256-HMAC GENERAL */
121 	{SUN_CKM_SHA256_HMAC_GENERAL, SHA256_HMAC_GEN_MECH_INFO_TYPE,
122 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
123 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
124 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES},
125 	/* SHA384 */
126 	{SUN_CKM_SHA384, SHA384_MECH_INFO_TYPE,
127 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
128 	    0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
129 	/* SHA384-HMAC */
130 	{SUN_CKM_SHA384_HMAC, SHA384_HMAC_MECH_INFO_TYPE,
131 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
132 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
133 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES},
134 	/* SHA384-HMAC GENERAL */
135 	{SUN_CKM_SHA384_HMAC_GENERAL, SHA384_HMAC_GEN_MECH_INFO_TYPE,
136 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
137 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
138 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES},
139 	/* SHA512 */
140 	{SUN_CKM_SHA512, SHA512_MECH_INFO_TYPE,
141 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
142 	    0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
143 	/* SHA512-HMAC */
144 	{SUN_CKM_SHA512_HMAC, SHA512_HMAC_MECH_INFO_TYPE,
145 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
146 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
147 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES},
148 	/* SHA512-HMAC GENERAL */
149 	{SUN_CKM_SHA512_HMAC_GENERAL, SHA512_HMAC_GEN_MECH_INFO_TYPE,
150 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
151 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
152 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES}
153 };
154 
155 static void sha2_provider_status(crypto_provider_handle_t, uint_t *);
156 
157 static crypto_control_ops_t sha2_control_ops = {
158 	sha2_provider_status
159 };
160 
161 static int sha2_digest_init(crypto_ctx_t *, crypto_mechanism_t *,
162     crypto_req_handle_t);
163 static int sha2_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
164     crypto_req_handle_t);
165 static int sha2_digest_update(crypto_ctx_t *, crypto_data_t *,
166     crypto_req_handle_t);
167 static int sha2_digest_final(crypto_ctx_t *, crypto_data_t *,
168     crypto_req_handle_t);
169 static int sha2_digest_atomic(crypto_provider_handle_t, crypto_session_id_t,
170     crypto_mechanism_t *, crypto_data_t *, crypto_data_t *,
171     crypto_req_handle_t);
172 
173 static crypto_digest_ops_t sha2_digest_ops = {
174 	sha2_digest_init,
175 	sha2_digest,
176 	sha2_digest_update,
177 	NULL,
178 	sha2_digest_final,
179 	sha2_digest_atomic
180 };
181 
182 static int sha2_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *,
183     crypto_spi_ctx_template_t, crypto_req_handle_t);
184 static int sha2_mac_update(crypto_ctx_t *, crypto_data_t *,
185     crypto_req_handle_t);
186 static int sha2_mac_final(crypto_ctx_t *, crypto_data_t *, crypto_req_handle_t);
187 static int sha2_mac_atomic(crypto_provider_handle_t, crypto_session_id_t,
188     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
189     crypto_spi_ctx_template_t, crypto_req_handle_t);
190 static int sha2_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
191     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
192     crypto_spi_ctx_template_t, crypto_req_handle_t);
193 
194 static crypto_mac_ops_t sha2_mac_ops = {
195 	sha2_mac_init,
196 	NULL,
197 	sha2_mac_update,
198 	sha2_mac_final,
199 	sha2_mac_atomic,
200 	sha2_mac_verify_atomic
201 };
202 
203 static int sha2_create_ctx_template(crypto_provider_handle_t,
204     crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *,
205     size_t *, crypto_req_handle_t);
206 static int sha2_free_context(crypto_ctx_t *);
207 
208 static crypto_ctx_ops_t sha2_ctx_ops = {
209 	sha2_create_ctx_template,
210 	sha2_free_context
211 };
212 
213 static crypto_ops_t sha2_crypto_ops = {
214 	&sha2_control_ops,
215 	&sha2_digest_ops,
216 	NULL,
217 	&sha2_mac_ops,
218 	NULL,
219 	NULL,
220 	NULL,
221 	NULL,
222 	NULL,
223 	NULL,
224 	NULL,
225 	NULL,
226 	NULL,
227 	&sha2_ctx_ops
228 };
229 
230 static crypto_provider_info_t sha2_prov_info = {
231 	CRYPTO_SPI_VERSION_1,
232 	"SHA2 Software Provider",
233 	CRYPTO_SW_PROVIDER,
234 	{&modlinkage},
235 	NULL,
236 	&sha2_crypto_ops,
237 	sizeof (sha2_mech_info_tab)/sizeof (crypto_mech_info_t),
238 	sha2_mech_info_tab
239 };
240 
241 static crypto_kcf_provider_handle_t sha2_prov_handle = NULL;
242 
243 int
244 _init()
245 {
246 	int ret;
247 
248 	if ((ret = mod_install(&modlinkage)) != 0)
249 		return (ret);
250 
251 	/*
252 	 * Register with KCF. If the registration fails, log an
253 	 * error but do not uninstall the module, since the functionality
254 	 * provided by misc/sha2 should still be available.
255 	 */
256 	if ((ret = crypto_register_provider(&sha2_prov_info,
257 	    &sha2_prov_handle)) != CRYPTO_SUCCESS)
258 		cmn_err(CE_WARN, "sha2 _init: "
259 		    "crypto_register_provider() failed (0x%x)", ret);
260 
261 	return (0);
262 }
263 
264 int
265 _info(struct modinfo *modinfop)
266 {
267 	return (mod_info(&modlinkage, modinfop));
268 }
269 
270 /*
271  * KCF software provider control entry points.
272  */
273 /* ARGSUSED */
274 static void
275 sha2_provider_status(crypto_provider_handle_t provider, uint_t *status)
276 {
277 	*status = CRYPTO_PROVIDER_READY;
278 }
279 
280 /*
281  * KCF software provider digest entry points.
282  */
283 
284 static int
285 sha2_digest_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
286     crypto_req_handle_t req)
287 {
288 
289 	/*
290 	 * Allocate and initialize SHA2 context.
291 	 */
292 	ctx->cc_provider_private = kmem_alloc(sizeof (sha2_ctx_t),
293 	    crypto_kmflag(req));
294 	if (ctx->cc_provider_private == NULL)
295 		return (CRYPTO_HOST_MEMORY);
296 
297 	PROV_SHA2_CTX(ctx)->sc_mech_type = mechanism->cm_type;
298 	SHA2Init(mechanism->cm_type, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
299 
300 	return (CRYPTO_SUCCESS);
301 }
302 
303 /*
304  * Helper SHA2 digest update function for uio data.
305  */
306 static int
307 sha2_digest_update_uio(SHA2_CTX *sha2_ctx, crypto_data_t *data)
308 {
309 	off_t offset = data->cd_offset;
310 	size_t length = data->cd_length;
311 	uint_t vec_idx;
312 	size_t cur_len;
313 
314 	/* we support only kernel buffer */
315 	if (data->cd_uio->uio_segflg != UIO_SYSSPACE)
316 		return (CRYPTO_ARGUMENTS_BAD);
317 
318 	/*
319 	 * Jump to the first iovec containing data to be
320 	 * digested.
321 	 */
322 	for (vec_idx = 0; vec_idx < data->cd_uio->uio_iovcnt &&
323 	    offset >= data->cd_uio->uio_iov[vec_idx].iov_len;
324 	    offset -= data->cd_uio->uio_iov[vec_idx++].iov_len)
325 		;
326 	if (vec_idx == data->cd_uio->uio_iovcnt) {
327 		/*
328 		 * The caller specified an offset that is larger than the
329 		 * total size of the buffers it provided.
330 		 */
331 		return (CRYPTO_DATA_LEN_RANGE);
332 	}
333 
334 	/*
335 	 * Now do the digesting on the iovecs.
336 	 */
337 	while (vec_idx < data->cd_uio->uio_iovcnt && length > 0) {
338 		cur_len = MIN(data->cd_uio->uio_iov[vec_idx].iov_len -
339 		    offset, length);
340 
341 		SHA2Update(sha2_ctx, (uint8_t *)data->cd_uio->
342 		    uio_iov[vec_idx].iov_base + offset, cur_len);
343 		length -= cur_len;
344 		vec_idx++;
345 		offset = 0;
346 	}
347 
348 	if (vec_idx == data->cd_uio->uio_iovcnt && length > 0) {
349 		/*
350 		 * The end of the specified iovec's was reached but
351 		 * the length requested could not be processed, i.e.
352 		 * The caller requested to digest more data than it provided.
353 		 */
354 		return (CRYPTO_DATA_LEN_RANGE);
355 	}
356 
357 	return (CRYPTO_SUCCESS);
358 }
359 
360 /*
361  * Helper SHA2 digest final function for uio data.
362  * digest_len is the length of the desired digest. If digest_len
363  * is smaller than the default SHA2 digest length, the caller
364  * must pass a scratch buffer, digest_scratch, which must
365  * be at least the algorithm's digest length bytes.
366  */
367 static int
368 sha2_digest_final_uio(SHA2_CTX *sha2_ctx, crypto_data_t *digest,
369     ulong_t digest_len, uchar_t *digest_scratch)
370 {
371 	off_t offset = digest->cd_offset;
372 	uint_t vec_idx;
373 
374 	/* we support only kernel buffer */
375 	if (digest->cd_uio->uio_segflg != UIO_SYSSPACE)
376 		return (CRYPTO_ARGUMENTS_BAD);
377 
378 	/*
379 	 * Jump to the first iovec containing ptr to the digest to
380 	 * be returned.
381 	 */
382 	for (vec_idx = 0; offset >= digest->cd_uio->uio_iov[vec_idx].iov_len &&
383 	    vec_idx < digest->cd_uio->uio_iovcnt;
384 	    offset -= digest->cd_uio->uio_iov[vec_idx++].iov_len)
385 		;
386 	if (vec_idx == digest->cd_uio->uio_iovcnt) {
387 		/*
388 		 * The caller specified an offset that is
389 		 * larger than the total size of the buffers
390 		 * it provided.
391 		 */
392 		return (CRYPTO_DATA_LEN_RANGE);
393 	}
394 
395 	if (offset + digest_len <=
396 	    digest->cd_uio->uio_iov[vec_idx].iov_len) {
397 		/*
398 		 * The computed SHA2 digest will fit in the current
399 		 * iovec.
400 		 */
401 		if (((sha2_ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
402 		    (digest_len != SHA256_DIGEST_LENGTH)) ||
403 		    ((sha2_ctx->algotype > SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
404 		    (digest_len != SHA512_DIGEST_LENGTH))) {
405 			/*
406 			 * The caller requested a short digest. Digest
407 			 * into a scratch buffer and return to
408 			 * the user only what was requested.
409 			 */
410 			SHA2Final(digest_scratch, sha2_ctx);
411 
412 			bcopy(digest_scratch, (uchar_t *)digest->
413 			    cd_uio->uio_iov[vec_idx].iov_base + offset,
414 			    digest_len);
415 		} else {
416 			SHA2Final((uchar_t *)digest->
417 			    cd_uio->uio_iov[vec_idx].iov_base + offset,
418 			    sha2_ctx);
419 
420 		}
421 	} else {
422 		/*
423 		 * The computed digest will be crossing one or more iovec's.
424 		 * This is bad performance-wise but we need to support it.
425 		 * Allocate a small scratch buffer on the stack and
426 		 * copy it piece meal to the specified digest iovec's.
427 		 */
428 		uchar_t digest_tmp[SHA512_DIGEST_LENGTH];
429 		off_t scratch_offset = 0;
430 		size_t length = digest_len;
431 		size_t cur_len;
432 
433 		SHA2Final(digest_tmp, sha2_ctx);
434 
435 		while (vec_idx < digest->cd_uio->uio_iovcnt && length > 0) {
436 			cur_len =
437 			    MIN(digest->cd_uio->uio_iov[vec_idx].iov_len -
438 			    offset, length);
439 			bcopy(digest_tmp + scratch_offset,
440 			    digest->cd_uio->uio_iov[vec_idx].iov_base + offset,
441 			    cur_len);
442 
443 			length -= cur_len;
444 			vec_idx++;
445 			scratch_offset += cur_len;
446 			offset = 0;
447 		}
448 
449 		if (vec_idx == digest->cd_uio->uio_iovcnt && length > 0) {
450 			/*
451 			 * The end of the specified iovec's was reached but
452 			 * the length requested could not be processed, i.e.
453 			 * The caller requested to digest more data than it
454 			 * provided.
455 			 */
456 			return (CRYPTO_DATA_LEN_RANGE);
457 		}
458 	}
459 
460 	return (CRYPTO_SUCCESS);
461 }
462 
463 /*
464  * Helper SHA2 digest update for mblk's.
465  */
466 static int
467 sha2_digest_update_mblk(SHA2_CTX *sha2_ctx, crypto_data_t *data)
468 {
469 	off_t offset = data->cd_offset;
470 	size_t length = data->cd_length;
471 	mblk_t *mp;
472 	size_t cur_len;
473 
474 	/*
475 	 * Jump to the first mblk_t containing data to be digested.
476 	 */
477 	for (mp = data->cd_mp; mp != NULL && offset >= MBLKL(mp);
478 	    offset -= MBLKL(mp), mp = mp->b_cont)
479 		;
480 	if (mp == NULL) {
481 		/*
482 		 * The caller specified an offset that is larger than the
483 		 * total size of the buffers it provided.
484 		 */
485 		return (CRYPTO_DATA_LEN_RANGE);
486 	}
487 
488 	/*
489 	 * Now do the digesting on the mblk chain.
490 	 */
491 	while (mp != NULL && length > 0) {
492 		cur_len = MIN(MBLKL(mp) - offset, length);
493 		SHA2Update(sha2_ctx, mp->b_rptr + offset, cur_len);
494 		length -= cur_len;
495 		offset = 0;
496 		mp = mp->b_cont;
497 	}
498 
499 	if (mp == NULL && length > 0) {
500 		/*
501 		 * The end of the mblk was reached but the length requested
502 		 * could not be processed, i.e. The caller requested
503 		 * to digest more data than it provided.
504 		 */
505 		return (CRYPTO_DATA_LEN_RANGE);
506 	}
507 
508 	return (CRYPTO_SUCCESS);
509 }
510 
511 /*
512  * Helper SHA2 digest final for mblk's.
513  * digest_len is the length of the desired digest. If digest_len
514  * is smaller than the default SHA2 digest length, the caller
515  * must pass a scratch buffer, digest_scratch, which must
516  * be at least the algorithm's digest length bytes.
517  */
518 static int
519 sha2_digest_final_mblk(SHA2_CTX *sha2_ctx, crypto_data_t *digest,
520     ulong_t digest_len, uchar_t *digest_scratch)
521 {
522 	off_t offset = digest->cd_offset;
523 	mblk_t *mp;
524 
525 	/*
526 	 * Jump to the first mblk_t that will be used to store the digest.
527 	 */
528 	for (mp = digest->cd_mp; mp != NULL && offset >= MBLKL(mp);
529 	    offset -= MBLKL(mp), mp = mp->b_cont)
530 		;
531 	if (mp == NULL) {
532 		/*
533 		 * The caller specified an offset that is larger than the
534 		 * total size of the buffers it provided.
535 		 */
536 		return (CRYPTO_DATA_LEN_RANGE);
537 	}
538 
539 	if (offset + digest_len <= MBLKL(mp)) {
540 		/*
541 		 * The computed SHA2 digest will fit in the current mblk.
542 		 * Do the SHA2Final() in-place.
543 		 */
544 		if (((sha2_ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
545 		    (digest_len != SHA256_DIGEST_LENGTH)) ||
546 		    ((sha2_ctx->algotype > SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
547 		    (digest_len != SHA512_DIGEST_LENGTH))) {
548 			/*
549 			 * The caller requested a short digest. Digest
550 			 * into a scratch buffer and return to
551 			 * the user only what was requested.
552 			 */
553 			SHA2Final(digest_scratch, sha2_ctx);
554 			bcopy(digest_scratch, mp->b_rptr + offset, digest_len);
555 		} else {
556 			SHA2Final(mp->b_rptr + offset, sha2_ctx);
557 		}
558 	} else {
559 		/*
560 		 * The computed digest will be crossing one or more mblk's.
561 		 * This is bad performance-wise but we need to support it.
562 		 * Allocate a small scratch buffer on the stack and
563 		 * copy it piece meal to the specified digest iovec's.
564 		 */
565 		uchar_t digest_tmp[SHA512_DIGEST_LENGTH];
566 		off_t scratch_offset = 0;
567 		size_t length = digest_len;
568 		size_t cur_len;
569 
570 		SHA2Final(digest_tmp, sha2_ctx);
571 
572 		while (mp != NULL && length > 0) {
573 			cur_len = MIN(MBLKL(mp) - offset, length);
574 			bcopy(digest_tmp + scratch_offset,
575 			    mp->b_rptr + offset, cur_len);
576 
577 			length -= cur_len;
578 			mp = mp->b_cont;
579 			scratch_offset += cur_len;
580 			offset = 0;
581 		}
582 
583 		if (mp == NULL && length > 0) {
584 			/*
585 			 * The end of the specified mblk was reached but
586 			 * the length requested could not be processed, i.e.
587 			 * The caller requested to digest more data than it
588 			 * provided.
589 			 */
590 			return (CRYPTO_DATA_LEN_RANGE);
591 		}
592 	}
593 
594 	return (CRYPTO_SUCCESS);
595 }
596 
597 /* ARGSUSED */
598 static int
599 sha2_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest,
600     crypto_req_handle_t req)
601 {
602 	int ret = CRYPTO_SUCCESS;
603 	uint_t sha_digest_len;
604 
605 	ASSERT(ctx->cc_provider_private != NULL);
606 
607 	switch (PROV_SHA2_CTX(ctx)->sc_mech_type) {
608 	case SHA256_MECH_INFO_TYPE:
609 		sha_digest_len = SHA256_DIGEST_LENGTH;
610 		break;
611 	case SHA384_MECH_INFO_TYPE:
612 		sha_digest_len = SHA384_DIGEST_LENGTH;
613 		break;
614 	case SHA512_MECH_INFO_TYPE:
615 		sha_digest_len = SHA512_DIGEST_LENGTH;
616 		break;
617 	default:
618 		return (CRYPTO_MECHANISM_INVALID);
619 	}
620 
621 	/*
622 	 * We need to just return the length needed to store the output.
623 	 * We should not destroy the context for the following cases.
624 	 */
625 	if ((digest->cd_length == 0) ||
626 	    (digest->cd_length < sha_digest_len)) {
627 		digest->cd_length = sha_digest_len;
628 		return (CRYPTO_BUFFER_TOO_SMALL);
629 	}
630 
631 	/*
632 	 * Do the SHA2 update on the specified input data.
633 	 */
634 	switch (data->cd_format) {
635 	case CRYPTO_DATA_RAW:
636 		SHA2Update(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
637 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
638 		    data->cd_length);
639 		break;
640 	case CRYPTO_DATA_UIO:
641 		ret = sha2_digest_update_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
642 		    data);
643 		break;
644 	case CRYPTO_DATA_MBLK:
645 		ret = sha2_digest_update_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
646 		    data);
647 		break;
648 	default:
649 		ret = CRYPTO_ARGUMENTS_BAD;
650 	}
651 
652 	if (ret != CRYPTO_SUCCESS) {
653 		/* the update failed, free context and bail */
654 		kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
655 		ctx->cc_provider_private = NULL;
656 		digest->cd_length = 0;
657 		return (ret);
658 	}
659 
660 	/*
661 	 * Do a SHA2 final, must be done separately since the digest
662 	 * type can be different than the input data type.
663 	 */
664 	switch (digest->cd_format) {
665 	case CRYPTO_DATA_RAW:
666 		SHA2Final((unsigned char *)digest->cd_raw.iov_base +
667 		    digest->cd_offset, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
668 		break;
669 	case CRYPTO_DATA_UIO:
670 		ret = sha2_digest_final_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
671 		    digest, sha_digest_len, NULL);
672 		break;
673 	case CRYPTO_DATA_MBLK:
674 		ret = sha2_digest_final_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
675 		    digest, sha_digest_len, NULL);
676 		break;
677 	default:
678 		ret = CRYPTO_ARGUMENTS_BAD;
679 	}
680 
681 	/* all done, free context and return */
682 
683 	if (ret == CRYPTO_SUCCESS)
684 		digest->cd_length = sha_digest_len;
685 	else
686 		digest->cd_length = 0;
687 
688 	kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
689 	ctx->cc_provider_private = NULL;
690 	return (ret);
691 }
692 
693 /* ARGSUSED */
694 static int
695 sha2_digest_update(crypto_ctx_t *ctx, crypto_data_t *data,
696     crypto_req_handle_t req)
697 {
698 	int ret = CRYPTO_SUCCESS;
699 
700 	ASSERT(ctx->cc_provider_private != NULL);
701 
702 	/*
703 	 * Do the SHA2 update on the specified input data.
704 	 */
705 	switch (data->cd_format) {
706 	case CRYPTO_DATA_RAW:
707 		SHA2Update(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
708 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
709 		    data->cd_length);
710 		break;
711 	case CRYPTO_DATA_UIO:
712 		ret = sha2_digest_update_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
713 		    data);
714 		break;
715 	case CRYPTO_DATA_MBLK:
716 		ret = sha2_digest_update_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
717 		    data);
718 		break;
719 	default:
720 		ret = CRYPTO_ARGUMENTS_BAD;
721 	}
722 
723 	return (ret);
724 }
725 
726 /* ARGSUSED */
727 static int
728 sha2_digest_final(crypto_ctx_t *ctx, crypto_data_t *digest,
729     crypto_req_handle_t req)
730 {
731 	int ret = CRYPTO_SUCCESS;
732 	uint_t sha_digest_len;
733 
734 	ASSERT(ctx->cc_provider_private != NULL);
735 
736 	switch (PROV_SHA2_CTX(ctx)->sc_mech_type) {
737 	case SHA256_MECH_INFO_TYPE:
738 		sha_digest_len = SHA256_DIGEST_LENGTH;
739 		break;
740 	case SHA384_MECH_INFO_TYPE:
741 		sha_digest_len = SHA384_DIGEST_LENGTH;
742 		break;
743 	case SHA512_MECH_INFO_TYPE:
744 		sha_digest_len = SHA512_DIGEST_LENGTH;
745 		break;
746 	default:
747 		return (CRYPTO_MECHANISM_INVALID);
748 	}
749 
750 	/*
751 	 * We need to just return the length needed to store the output.
752 	 * We should not destroy the context for the following cases.
753 	 */
754 	if ((digest->cd_length == 0) ||
755 	    (digest->cd_length < sha_digest_len)) {
756 		digest->cd_length = sha_digest_len;
757 		return (CRYPTO_BUFFER_TOO_SMALL);
758 	}
759 
760 	/*
761 	 * Do a SHA2 final.
762 	 */
763 	switch (digest->cd_format) {
764 	case CRYPTO_DATA_RAW:
765 		SHA2Final((unsigned char *)digest->cd_raw.iov_base +
766 		    digest->cd_offset, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
767 		break;
768 	case CRYPTO_DATA_UIO:
769 		ret = sha2_digest_final_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
770 		    digest, sha_digest_len, NULL);
771 		break;
772 	case CRYPTO_DATA_MBLK:
773 		ret = sha2_digest_final_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
774 		    digest, sha_digest_len, NULL);
775 		break;
776 	default:
777 		ret = CRYPTO_ARGUMENTS_BAD;
778 	}
779 
780 	/* all done, free context and return */
781 
782 	if (ret == CRYPTO_SUCCESS)
783 		digest->cd_length = sha_digest_len;
784 	else
785 		digest->cd_length = 0;
786 
787 	kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
788 	ctx->cc_provider_private = NULL;
789 
790 	return (ret);
791 }
792 
793 /* ARGSUSED */
794 static int
795 sha2_digest_atomic(crypto_provider_handle_t provider,
796     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
797     crypto_data_t *data, crypto_data_t *digest,
798     crypto_req_handle_t req)
799 {
800 	int ret = CRYPTO_SUCCESS;
801 	SHA2_CTX sha2_ctx;
802 	uint32_t sha_digest_len;
803 
804 	/*
805 	 * Do the SHA inits.
806 	 */
807 
808 	SHA2Init(mechanism->cm_type, &sha2_ctx);
809 
810 	switch (data->cd_format) {
811 	case CRYPTO_DATA_RAW:
812 		SHA2Update(&sha2_ctx, (uint8_t *)data->
813 		    cd_raw.iov_base + data->cd_offset, data->cd_length);
814 		break;
815 	case CRYPTO_DATA_UIO:
816 		ret = sha2_digest_update_uio(&sha2_ctx, data);
817 		break;
818 	case CRYPTO_DATA_MBLK:
819 		ret = sha2_digest_update_mblk(&sha2_ctx, data);
820 		break;
821 	default:
822 		ret = CRYPTO_ARGUMENTS_BAD;
823 	}
824 
825 	/*
826 	 * Do the SHA updates on the specified input data.
827 	 */
828 
829 	if (ret != CRYPTO_SUCCESS) {
830 		/* the update failed, bail */
831 		digest->cd_length = 0;
832 		return (ret);
833 	}
834 
835 	if (mechanism->cm_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE)
836 		sha_digest_len = SHA256_DIGEST_LENGTH;
837 	else
838 		sha_digest_len = SHA512_DIGEST_LENGTH;
839 
840 	/*
841 	 * Do a SHA2 final, must be done separately since the digest
842 	 * type can be different than the input data type.
843 	 */
844 	switch (digest->cd_format) {
845 	case CRYPTO_DATA_RAW:
846 		SHA2Final((unsigned char *)digest->cd_raw.iov_base +
847 		    digest->cd_offset, &sha2_ctx);
848 		break;
849 	case CRYPTO_DATA_UIO:
850 		ret = sha2_digest_final_uio(&sha2_ctx, digest,
851 		    sha_digest_len, NULL);
852 		break;
853 	case CRYPTO_DATA_MBLK:
854 		ret = sha2_digest_final_mblk(&sha2_ctx, digest,
855 		    sha_digest_len, NULL);
856 		break;
857 	default:
858 		ret = CRYPTO_ARGUMENTS_BAD;
859 	}
860 
861 	if (ret == CRYPTO_SUCCESS)
862 		digest->cd_length = sha_digest_len;
863 	else
864 		digest->cd_length = 0;
865 
866 	return (ret);
867 }
868 
869 /*
870  * KCF software provider mac entry points.
871  *
872  * SHA2 HMAC is: SHA2(key XOR opad, SHA2(key XOR ipad, text))
873  *
874  * Init:
875  * The initialization routine initializes what we denote
876  * as the inner and outer contexts by doing
877  * - for inner context: SHA2(key XOR ipad)
878  * - for outer context: SHA2(key XOR opad)
879  *
880  * Update:
881  * Each subsequent SHA2 HMAC update will result in an
882  * update of the inner context with the specified data.
883  *
884  * Final:
885  * The SHA2 HMAC final will do a SHA2 final operation on the
886  * inner context, and the resulting digest will be used
887  * as the data for an update on the outer context. Last
888  * but not least, a SHA2 final on the outer context will
889  * be performed to obtain the SHA2 HMAC digest to return
890  * to the user.
891  */
892 
893 /*
894  * Initialize a SHA2-HMAC context.
895  */
896 static void
897 sha2_mac_init_ctx(sha2_hmac_ctx_t *ctx, void *keyval, uint_t length_in_bytes)
898 {
899 	uint64_t ipad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)];
900 	uint64_t opad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)];
901 	int i, block_size, blocks_per_int64;
902 
903 	/* Determine the block size */
904 	if (ctx->hc_mech_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE) {
905 		block_size = SHA256_HMAC_BLOCK_SIZE;
906 		blocks_per_int64 = SHA256_HMAC_BLOCK_SIZE / sizeof (uint64_t);
907 	} else {
908 		block_size = SHA512_HMAC_BLOCK_SIZE;
909 		blocks_per_int64 = SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t);
910 	}
911 
912 	(void) bzero(ipad, block_size);
913 	(void) bzero(opad, block_size);
914 	(void) bcopy(keyval, ipad, length_in_bytes);
915 	(void) bcopy(keyval, opad, length_in_bytes);
916 
917 	/* XOR key with ipad (0x36) and opad (0x5c) */
918 	for (i = 0; i < blocks_per_int64; i ++) {
919 		ipad[i] ^= 0x3636363636363636;
920 		opad[i] ^= 0x5c5c5c5c5c5c5c5c;
921 	}
922 
923 	/* perform SHA2 on ipad */
924 	SHA2Init(ctx->hc_mech_type, &ctx->hc_icontext);
925 	SHA2Update(&ctx->hc_icontext, (uint8_t *)ipad, block_size);
926 
927 	/* perform SHA2 on opad */
928 	SHA2Init(ctx->hc_mech_type, &ctx->hc_ocontext);
929 	SHA2Update(&ctx->hc_ocontext, (uint8_t *)opad, block_size);
930 
931 }
932 
933 /*
934  */
935 static int
936 sha2_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
937     crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
938     crypto_req_handle_t req)
939 {
940 	int ret = CRYPTO_SUCCESS;
941 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
942 	uint_t sha_digest_len, sha_hmac_block_size;
943 
944 	/*
945 	 * Set the digest length and block size to values approriate to the
946 	 * mechanism
947 	 */
948 	switch (mechanism->cm_type) {
949 	case SHA256_HMAC_MECH_INFO_TYPE:
950 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
951 		sha_digest_len = SHA256_DIGEST_LENGTH;
952 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
953 		break;
954 	case SHA384_HMAC_MECH_INFO_TYPE:
955 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
956 	case SHA512_HMAC_MECH_INFO_TYPE:
957 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
958 		sha_digest_len = SHA512_DIGEST_LENGTH;
959 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
960 		break;
961 	default:
962 		return (CRYPTO_MECHANISM_INVALID);
963 	}
964 
965 	if (key->ck_format != CRYPTO_KEY_RAW)
966 		return (CRYPTO_ARGUMENTS_BAD);
967 
968 	ctx->cc_provider_private = kmem_alloc(sizeof (sha2_hmac_ctx_t),
969 	    crypto_kmflag(req));
970 	if (ctx->cc_provider_private == NULL)
971 		return (CRYPTO_HOST_MEMORY);
972 
973 	PROV_SHA2_HMAC_CTX(ctx)->hc_mech_type = mechanism->cm_type;
974 	if (ctx_template != NULL) {
975 		/* reuse context template */
976 		bcopy(ctx_template, PROV_SHA2_HMAC_CTX(ctx),
977 		    sizeof (sha2_hmac_ctx_t));
978 	} else {
979 		/* no context template, compute context */
980 		if (keylen_in_bytes > sha_hmac_block_size) {
981 			uchar_t digested_key[SHA512_DIGEST_LENGTH];
982 			sha2_hmac_ctx_t *hmac_ctx = ctx->cc_provider_private;
983 
984 			/*
985 			 * Hash the passed-in key to get a smaller key.
986 			 * The inner context is used since it hasn't been
987 			 * initialized yet.
988 			 */
989 			PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
990 			    &hmac_ctx->hc_icontext,
991 			    key->ck_data, keylen_in_bytes, digested_key);
992 			sha2_mac_init_ctx(PROV_SHA2_HMAC_CTX(ctx),
993 			    digested_key, sha_digest_len);
994 		} else {
995 			sha2_mac_init_ctx(PROV_SHA2_HMAC_CTX(ctx),
996 			    key->ck_data, keylen_in_bytes);
997 		}
998 	}
999 
1000 	/*
1001 	 * Get the mechanism parameters, if applicable.
1002 	 */
1003 	if (mechanism->cm_type % 3 == 2) {
1004 		if (mechanism->cm_param == NULL ||
1005 		    mechanism->cm_param_len != sizeof (ulong_t))
1006 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1007 		PROV_SHA2_GET_DIGEST_LEN(mechanism,
1008 		    PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len);
1009 		if (PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len > sha_digest_len)
1010 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1011 	}
1012 
1013 	if (ret != CRYPTO_SUCCESS) {
1014 		bzero(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1015 		kmem_free(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1016 		ctx->cc_provider_private = NULL;
1017 	}
1018 
1019 	return (ret);
1020 }
1021 
1022 /* ARGSUSED */
1023 static int
1024 sha2_mac_update(crypto_ctx_t *ctx, crypto_data_t *data,
1025     crypto_req_handle_t req)
1026 {
1027 	int ret = CRYPTO_SUCCESS;
1028 
1029 	ASSERT(ctx->cc_provider_private != NULL);
1030 
1031 	/*
1032 	 * Do a SHA2 update of the inner context using the specified
1033 	 * data.
1034 	 */
1035 	switch (data->cd_format) {
1036 	case CRYPTO_DATA_RAW:
1037 		SHA2Update(&PROV_SHA2_HMAC_CTX(ctx)->hc_icontext,
1038 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
1039 		    data->cd_length);
1040 		break;
1041 	case CRYPTO_DATA_UIO:
1042 		ret = sha2_digest_update_uio(
1043 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext, data);
1044 		break;
1045 	case CRYPTO_DATA_MBLK:
1046 		ret = sha2_digest_update_mblk(
1047 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext, data);
1048 		break;
1049 	default:
1050 		ret = CRYPTO_ARGUMENTS_BAD;
1051 	}
1052 
1053 	return (ret);
1054 }
1055 
1056 /* ARGSUSED */
1057 static int
1058 sha2_mac_final(crypto_ctx_t *ctx, crypto_data_t *mac, crypto_req_handle_t req)
1059 {
1060 	int ret = CRYPTO_SUCCESS;
1061 	uchar_t digest[SHA512_DIGEST_LENGTH];
1062 	uint32_t digest_len, sha_digest_len;
1063 
1064 	ASSERT(ctx->cc_provider_private != NULL);
1065 
1066 	/* Set the digest lengths to values approriate to the mechanism */
1067 	switch (PROV_SHA2_HMAC_CTX(ctx)->hc_mech_type) {
1068 	case SHA256_HMAC_MECH_INFO_TYPE:
1069 		sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1070 		break;
1071 	case SHA384_HMAC_MECH_INFO_TYPE:
1072 		sha_digest_len = digest_len = SHA384_DIGEST_LENGTH;
1073 		break;
1074 	case SHA512_HMAC_MECH_INFO_TYPE:
1075 		sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1076 		break;
1077 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1078 		sha_digest_len = SHA256_DIGEST_LENGTH;
1079 		digest_len = PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len;
1080 		break;
1081 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1082 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1083 		sha_digest_len = SHA512_DIGEST_LENGTH;
1084 		digest_len = PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len;
1085 		break;
1086 	}
1087 
1088 	/*
1089 	 * We need to just return the length needed to store the output.
1090 	 * We should not destroy the context for the following cases.
1091 	 */
1092 	if ((mac->cd_length == 0) || (mac->cd_length < digest_len)) {
1093 		mac->cd_length = digest_len;
1094 		return (CRYPTO_BUFFER_TOO_SMALL);
1095 	}
1096 
1097 	/*
1098 	 * Do a SHA2 final on the inner context.
1099 	 */
1100 	SHA2Final(digest, &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext);
1101 
1102 	/*
1103 	 * Do a SHA2 update on the outer context, feeding the inner
1104 	 * digest as data.
1105 	 */
1106 	SHA2Update(&PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, digest,
1107 	    sha_digest_len);
1108 
1109 	/*
1110 	 * Do a SHA2 final on the outer context, storing the computing
1111 	 * digest in the users buffer.
1112 	 */
1113 	switch (mac->cd_format) {
1114 	case CRYPTO_DATA_RAW:
1115 		if (digest_len != sha_digest_len) {
1116 			/*
1117 			 * The caller requested a short digest. Digest
1118 			 * into a scratch buffer and return to
1119 			 * the user only what was requested.
1120 			 */
1121 			SHA2Final(digest,
1122 			    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext);
1123 			bcopy(digest, (unsigned char *)mac->cd_raw.iov_base +
1124 			    mac->cd_offset, digest_len);
1125 		} else {
1126 			SHA2Final((unsigned char *)mac->cd_raw.iov_base +
1127 			    mac->cd_offset,
1128 			    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext);
1129 		}
1130 		break;
1131 	case CRYPTO_DATA_UIO:
1132 		ret = sha2_digest_final_uio(
1133 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, mac,
1134 		    digest_len, digest);
1135 		break;
1136 	case CRYPTO_DATA_MBLK:
1137 		ret = sha2_digest_final_mblk(
1138 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, mac,
1139 		    digest_len, digest);
1140 		break;
1141 	default:
1142 		ret = CRYPTO_ARGUMENTS_BAD;
1143 	}
1144 
1145 	if (ret == CRYPTO_SUCCESS)
1146 		mac->cd_length = digest_len;
1147 	else
1148 		mac->cd_length = 0;
1149 
1150 	bzero(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1151 	kmem_free(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1152 	ctx->cc_provider_private = NULL;
1153 
1154 	return (ret);
1155 }
1156 
1157 #define	SHA2_MAC_UPDATE(data, ctx, ret) {				\
1158 	switch (data->cd_format) {					\
1159 	case CRYPTO_DATA_RAW:						\
1160 		SHA2Update(&(ctx).hc_icontext,				\
1161 		    (uint8_t *)data->cd_raw.iov_base +			\
1162 		    data->cd_offset, data->cd_length);			\
1163 		break;							\
1164 	case CRYPTO_DATA_UIO:						\
1165 		ret = sha2_digest_update_uio(&(ctx).hc_icontext, data);	\
1166 		break;							\
1167 	case CRYPTO_DATA_MBLK:						\
1168 		ret = sha2_digest_update_mblk(&(ctx).hc_icontext,	\
1169 		    data);						\
1170 		break;							\
1171 	default:							\
1172 		ret = CRYPTO_ARGUMENTS_BAD;				\
1173 	}								\
1174 }
1175 
1176 /* ARGSUSED */
1177 static int
1178 sha2_mac_atomic(crypto_provider_handle_t provider,
1179     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1180     crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1181     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1182 {
1183 	int ret = CRYPTO_SUCCESS;
1184 	uchar_t digest[SHA512_DIGEST_LENGTH];
1185 	sha2_hmac_ctx_t sha2_hmac_ctx;
1186 	uint32_t sha_digest_len, digest_len, sha_hmac_block_size;
1187 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1188 
1189 	/*
1190 	 * Set the digest length and block size to values approriate to the
1191 	 * mechanism
1192 	 */
1193 	switch (mechanism->cm_type) {
1194 	case SHA256_HMAC_MECH_INFO_TYPE:
1195 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1196 		sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1197 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1198 		break;
1199 	case SHA384_HMAC_MECH_INFO_TYPE:
1200 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1201 	case SHA512_HMAC_MECH_INFO_TYPE:
1202 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1203 		sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1204 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1205 		break;
1206 	default:
1207 		return (CRYPTO_MECHANISM_INVALID);
1208 	}
1209 
1210 	/* Add support for key by attributes (RFE 4706552) */
1211 	if (key->ck_format != CRYPTO_KEY_RAW)
1212 		return (CRYPTO_ARGUMENTS_BAD);
1213 
1214 	if (ctx_template != NULL) {
1215 		/* reuse context template */
1216 		bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1217 	} else {
1218 		sha2_hmac_ctx.hc_mech_type = mechanism->cm_type;
1219 		/* no context template, initialize context */
1220 		if (keylen_in_bytes > sha_hmac_block_size) {
1221 			/*
1222 			 * Hash the passed-in key to get a smaller key.
1223 			 * The inner context is used since it hasn't been
1224 			 * initialized yet.
1225 			 */
1226 			PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1227 			    &sha2_hmac_ctx.hc_icontext,
1228 			    key->ck_data, keylen_in_bytes, digest);
1229 			sha2_mac_init_ctx(&sha2_hmac_ctx, digest,
1230 			    sha_digest_len);
1231 		} else {
1232 			sha2_mac_init_ctx(&sha2_hmac_ctx, key->ck_data,
1233 			    keylen_in_bytes);
1234 		}
1235 	}
1236 
1237 	/* get the mechanism parameters, if applicable */
1238 	if ((mechanism->cm_type % 3) == 2) {
1239 		if (mechanism->cm_param == NULL ||
1240 		    mechanism->cm_param_len != sizeof (ulong_t)) {
1241 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1242 			goto bail;
1243 		}
1244 		PROV_SHA2_GET_DIGEST_LEN(mechanism, digest_len);
1245 		if (digest_len > sha_digest_len) {
1246 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1247 			goto bail;
1248 		}
1249 	}
1250 
1251 	/* do a SHA2 update of the inner context using the specified data */
1252 	SHA2_MAC_UPDATE(data, sha2_hmac_ctx, ret);
1253 	if (ret != CRYPTO_SUCCESS)
1254 		/* the update failed, free context and bail */
1255 		goto bail;
1256 
1257 	/*
1258 	 * Do a SHA2 final on the inner context.
1259 	 */
1260 	SHA2Final(digest, &sha2_hmac_ctx.hc_icontext);
1261 
1262 	/*
1263 	 * Do an SHA2 update on the outer context, feeding the inner
1264 	 * digest as data.
1265 	 *
1266 	 * HMAC-SHA384 needs special handling as the outer hash needs only 48
1267 	 * bytes of the inner hash value.
1268 	 */
1269 	if (mechanism->cm_type == SHA384_HMAC_MECH_INFO_TYPE ||
1270 	    mechanism->cm_type == SHA384_HMAC_GEN_MECH_INFO_TYPE)
1271 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest,
1272 		    SHA384_DIGEST_LENGTH);
1273 	else
1274 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, sha_digest_len);
1275 
1276 	/*
1277 	 * Do a SHA2 final on the outer context, storing the computed
1278 	 * digest in the users buffer.
1279 	 */
1280 	switch (mac->cd_format) {
1281 	case CRYPTO_DATA_RAW:
1282 		if (digest_len != sha_digest_len) {
1283 			/*
1284 			 * The caller requested a short digest. Digest
1285 			 * into a scratch buffer and return to
1286 			 * the user only what was requested.
1287 			 */
1288 			SHA2Final(digest, &sha2_hmac_ctx.hc_ocontext);
1289 			bcopy(digest, (unsigned char *)mac->cd_raw.iov_base +
1290 			    mac->cd_offset, digest_len);
1291 		} else {
1292 			SHA2Final((unsigned char *)mac->cd_raw.iov_base +
1293 			    mac->cd_offset, &sha2_hmac_ctx.hc_ocontext);
1294 		}
1295 		break;
1296 	case CRYPTO_DATA_UIO:
1297 		ret = sha2_digest_final_uio(&sha2_hmac_ctx.hc_ocontext, mac,
1298 		    digest_len, digest);
1299 		break;
1300 	case CRYPTO_DATA_MBLK:
1301 		ret = sha2_digest_final_mblk(&sha2_hmac_ctx.hc_ocontext, mac,
1302 		    digest_len, digest);
1303 		break;
1304 	default:
1305 		ret = CRYPTO_ARGUMENTS_BAD;
1306 	}
1307 
1308 	if (ret == CRYPTO_SUCCESS) {
1309 		mac->cd_length = digest_len;
1310 		return (CRYPTO_SUCCESS);
1311 	}
1312 bail:
1313 	bzero(&sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1314 	mac->cd_length = 0;
1315 	return (ret);
1316 }
1317 
1318 /* ARGSUSED */
1319 static int
1320 sha2_mac_verify_atomic(crypto_provider_handle_t provider,
1321     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1322     crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1323     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1324 {
1325 	int ret = CRYPTO_SUCCESS;
1326 	uchar_t digest[SHA512_DIGEST_LENGTH];
1327 	sha2_hmac_ctx_t sha2_hmac_ctx;
1328 	uint32_t sha_digest_len, digest_len, sha_hmac_block_size;
1329 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1330 
1331 	/*
1332 	 * Set the digest length and block size to values approriate to the
1333 	 * mechanism
1334 	 */
1335 	switch (mechanism->cm_type) {
1336 	case SHA256_HMAC_MECH_INFO_TYPE:
1337 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1338 		sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1339 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1340 		break;
1341 	case SHA384_HMAC_MECH_INFO_TYPE:
1342 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1343 	case SHA512_HMAC_MECH_INFO_TYPE:
1344 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1345 		sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1346 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1347 		break;
1348 	default:
1349 		return (CRYPTO_MECHANISM_INVALID);
1350 	}
1351 
1352 	/* Add support for key by attributes (RFE 4706552) */
1353 	if (key->ck_format != CRYPTO_KEY_RAW)
1354 		return (CRYPTO_ARGUMENTS_BAD);
1355 
1356 	if (ctx_template != NULL) {
1357 		/* reuse context template */
1358 		bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1359 	} else {
1360 		sha2_hmac_ctx.hc_mech_type = mechanism->cm_type;
1361 		/* no context template, initialize context */
1362 		if (keylen_in_bytes > sha_hmac_block_size) {
1363 			/*
1364 			 * Hash the passed-in key to get a smaller key.
1365 			 * The inner context is used since it hasn't been
1366 			 * initialized yet.
1367 			 */
1368 			PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1369 			    &sha2_hmac_ctx.hc_icontext,
1370 			    key->ck_data, keylen_in_bytes, digest);
1371 			sha2_mac_init_ctx(&sha2_hmac_ctx, digest,
1372 			    sha_digest_len);
1373 		} else {
1374 			sha2_mac_init_ctx(&sha2_hmac_ctx, key->ck_data,
1375 			    keylen_in_bytes);
1376 		}
1377 	}
1378 
1379 	/* get the mechanism parameters, if applicable */
1380 	if (mechanism->cm_type % 3 == 2) {
1381 		if (mechanism->cm_param == NULL ||
1382 		    mechanism->cm_param_len != sizeof (ulong_t)) {
1383 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1384 			goto bail;
1385 		}
1386 		PROV_SHA2_GET_DIGEST_LEN(mechanism, digest_len);
1387 		if (digest_len > sha_digest_len) {
1388 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1389 			goto bail;
1390 		}
1391 	}
1392 
1393 	if (mac->cd_length != digest_len) {
1394 		ret = CRYPTO_INVALID_MAC;
1395 		goto bail;
1396 	}
1397 
1398 	/* do a SHA2 update of the inner context using the specified data */
1399 	SHA2_MAC_UPDATE(data, sha2_hmac_ctx, ret);
1400 	if (ret != CRYPTO_SUCCESS)
1401 		/* the update failed, free context and bail */
1402 		goto bail;
1403 
1404 	/* do a SHA2 final on the inner context */
1405 	SHA2Final(digest, &sha2_hmac_ctx.hc_icontext);
1406 
1407 	/*
1408 	 * Do an SHA2 update on the outer context, feeding the inner
1409 	 * digest as data.
1410 	 *
1411 	 * HMAC-SHA384 needs special handling as the outer hash needs only 48
1412 	 * bytes of the inner hash value.
1413 	 */
1414 	if (mechanism->cm_type == SHA384_HMAC_MECH_INFO_TYPE ||
1415 	    mechanism->cm_type == SHA384_HMAC_GEN_MECH_INFO_TYPE)
1416 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest,
1417 		    SHA384_DIGEST_LENGTH);
1418 	else
1419 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, sha_digest_len);
1420 
1421 	/*
1422 	 * Do a SHA2 final on the outer context, storing the computed
1423 	 * digest in the users buffer.
1424 	 */
1425 	SHA2Final(digest, &sha2_hmac_ctx.hc_ocontext);
1426 
1427 	/*
1428 	 * Compare the computed digest against the expected digest passed
1429 	 * as argument.
1430 	 */
1431 
1432 	switch (mac->cd_format) {
1433 
1434 	case CRYPTO_DATA_RAW:
1435 		if (bcmp(digest, (unsigned char *)mac->cd_raw.iov_base +
1436 		    mac->cd_offset, digest_len) != 0)
1437 			ret = CRYPTO_INVALID_MAC;
1438 		break;
1439 
1440 	case CRYPTO_DATA_UIO: {
1441 		off_t offset = mac->cd_offset;
1442 		uint_t vec_idx;
1443 		off_t scratch_offset = 0;
1444 		size_t length = digest_len;
1445 		size_t cur_len;
1446 
1447 		/* we support only kernel buffer */
1448 		if (mac->cd_uio->uio_segflg != UIO_SYSSPACE)
1449 			return (CRYPTO_ARGUMENTS_BAD);
1450 
1451 		/* jump to the first iovec containing the expected digest */
1452 		for (vec_idx = 0;
1453 		    offset >= mac->cd_uio->uio_iov[vec_idx].iov_len &&
1454 		    vec_idx < mac->cd_uio->uio_iovcnt;
1455 		    offset -= mac->cd_uio->uio_iov[vec_idx++].iov_len)
1456 			;
1457 		if (vec_idx == mac->cd_uio->uio_iovcnt) {
1458 			/*
1459 			 * The caller specified an offset that is
1460 			 * larger than the total size of the buffers
1461 			 * it provided.
1462 			 */
1463 			ret = CRYPTO_DATA_LEN_RANGE;
1464 			break;
1465 		}
1466 
1467 		/* do the comparison of computed digest vs specified one */
1468 		while (vec_idx < mac->cd_uio->uio_iovcnt && length > 0) {
1469 			cur_len = MIN(mac->cd_uio->uio_iov[vec_idx].iov_len -
1470 			    offset, length);
1471 
1472 			if (bcmp(digest + scratch_offset,
1473 			    mac->cd_uio->uio_iov[vec_idx].iov_base + offset,
1474 			    cur_len) != 0) {
1475 				ret = CRYPTO_INVALID_MAC;
1476 				break;
1477 			}
1478 
1479 			length -= cur_len;
1480 			vec_idx++;
1481 			scratch_offset += cur_len;
1482 			offset = 0;
1483 		}
1484 		break;
1485 	}
1486 
1487 	case CRYPTO_DATA_MBLK: {
1488 		off_t offset = mac->cd_offset;
1489 		mblk_t *mp;
1490 		off_t scratch_offset = 0;
1491 		size_t length = digest_len;
1492 		size_t cur_len;
1493 
1494 		/* jump to the first mblk_t containing the expected digest */
1495 		for (mp = mac->cd_mp; mp != NULL && offset >= MBLKL(mp);
1496 		    offset -= MBLKL(mp), mp = mp->b_cont)
1497 			;
1498 		if (mp == NULL) {
1499 			/*
1500 			 * The caller specified an offset that is larger than
1501 			 * the total size of the buffers it provided.
1502 			 */
1503 			ret = CRYPTO_DATA_LEN_RANGE;
1504 			break;
1505 		}
1506 
1507 		while (mp != NULL && length > 0) {
1508 			cur_len = MIN(MBLKL(mp) - offset, length);
1509 			if (bcmp(digest + scratch_offset,
1510 			    mp->b_rptr + offset, cur_len) != 0) {
1511 				ret = CRYPTO_INVALID_MAC;
1512 				break;
1513 			}
1514 
1515 			length -= cur_len;
1516 			mp = mp->b_cont;
1517 			scratch_offset += cur_len;
1518 			offset = 0;
1519 		}
1520 		break;
1521 	}
1522 
1523 	default:
1524 		ret = CRYPTO_ARGUMENTS_BAD;
1525 	}
1526 
1527 	return (ret);
1528 bail:
1529 	bzero(&sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1530 	mac->cd_length = 0;
1531 	return (ret);
1532 }
1533 
1534 /*
1535  * KCF software provider context management entry points.
1536  */
1537 
1538 /* ARGSUSED */
1539 static int
1540 sha2_create_ctx_template(crypto_provider_handle_t provider,
1541     crypto_mechanism_t *mechanism, crypto_key_t *key,
1542     crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size,
1543     crypto_req_handle_t req)
1544 {
1545 	sha2_hmac_ctx_t *sha2_hmac_ctx_tmpl;
1546 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1547 	uint32_t sha_digest_len, sha_hmac_block_size;
1548 
1549 	/*
1550 	 * Set the digest length and block size to values approriate to the
1551 	 * mechanism
1552 	 */
1553 	switch (mechanism->cm_type) {
1554 	case SHA256_HMAC_MECH_INFO_TYPE:
1555 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1556 		sha_digest_len = SHA256_DIGEST_LENGTH;
1557 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1558 		break;
1559 	case SHA384_HMAC_MECH_INFO_TYPE:
1560 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1561 	case SHA512_HMAC_MECH_INFO_TYPE:
1562 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1563 		sha_digest_len = SHA512_DIGEST_LENGTH;
1564 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1565 		break;
1566 	default:
1567 		return (CRYPTO_MECHANISM_INVALID);
1568 	}
1569 
1570 	/* Add support for key by attributes (RFE 4706552) */
1571 	if (key->ck_format != CRYPTO_KEY_RAW)
1572 		return (CRYPTO_ARGUMENTS_BAD);
1573 
1574 	/*
1575 	 * Allocate and initialize SHA2 context.
1576 	 */
1577 	sha2_hmac_ctx_tmpl = kmem_alloc(sizeof (sha2_hmac_ctx_t),
1578 	    crypto_kmflag(req));
1579 	if (sha2_hmac_ctx_tmpl == NULL)
1580 		return (CRYPTO_HOST_MEMORY);
1581 
1582 	sha2_hmac_ctx_tmpl->hc_mech_type = mechanism->cm_type;
1583 
1584 	if (keylen_in_bytes > sha_hmac_block_size) {
1585 		uchar_t digested_key[SHA512_DIGEST_LENGTH];
1586 
1587 		/*
1588 		 * Hash the passed-in key to get a smaller key.
1589 		 * The inner context is used since it hasn't been
1590 		 * initialized yet.
1591 		 */
1592 		PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1593 		    &sha2_hmac_ctx_tmpl->hc_icontext,
1594 		    key->ck_data, keylen_in_bytes, digested_key);
1595 		sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, digested_key,
1596 		    sha_digest_len);
1597 	} else {
1598 		sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, key->ck_data,
1599 		    keylen_in_bytes);
1600 	}
1601 
1602 	*ctx_template = (crypto_spi_ctx_template_t)sha2_hmac_ctx_tmpl;
1603 	*ctx_template_size = sizeof (sha2_hmac_ctx_t);
1604 
1605 	return (CRYPTO_SUCCESS);
1606 }
1607 
1608 static int
1609 sha2_free_context(crypto_ctx_t *ctx)
1610 {
1611 	uint_t ctx_len;
1612 
1613 	if (ctx->cc_provider_private == NULL)
1614 		return (CRYPTO_SUCCESS);
1615 
1616 	/*
1617 	 * We have to free either SHA2 or SHA2-HMAC contexts, which
1618 	 * have different lengths.
1619 	 *
1620 	 * Note: Below is dependent on the mechanism ordering.
1621 	 */
1622 
1623 	if (PROV_SHA2_CTX(ctx)->sc_mech_type % 3 == 0)
1624 		ctx_len = sizeof (sha2_ctx_t);
1625 	else
1626 		ctx_len = sizeof (sha2_hmac_ctx_t);
1627 
1628 	bzero(ctx->cc_provider_private, ctx_len);
1629 	kmem_free(ctx->cc_provider_private, ctx_len);
1630 	ctx->cc_provider_private = NULL;
1631 
1632 	return (CRYPTO_SUCCESS);
1633 }
1634