xref: /illumos-gate/usr/src/uts/common/crypto/io/sha2_mod.c (revision fec047081731fd77caf46ec0471c501b2cb33894)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #include <sys/modctl.h>
28 #include <sys/cmn_err.h>
29 #include <sys/crypto/common.h>
30 #include <sys/crypto/spi.h>
31 #include <sys/strsun.h>
32 #include <sys/systm.h>
33 #include <sys/sysmacros.h>
34 #define	_SHA2_IMPL
35 #include <sys/sha2.h>
36 #include <sha2/sha2_impl.h>
37 
38 /*
39  * The sha2 module is created with two modlinkages:
40  * - a modlmisc that allows consumers to directly call the entry points
41  *   SHA2Init, SHA2Update, and SHA2Final.
42  * - a modlcrypto that allows the module to register with the Kernel
43  *   Cryptographic Framework (KCF) as a software provider for the SHA2
44  *   mechanisms.
45  */
46 
47 static struct modlmisc modlmisc = {
48 	&mod_miscops,
49 	"SHA2 Message-Digest Algorithm"
50 };
51 
52 static struct modlcrypto modlcrypto = {
53 	&mod_cryptoops,
54 	"SHA2 Kernel SW Provider"
55 };
56 
57 static struct modlinkage modlinkage = {
58 	MODREV_1, &modlmisc, &modlcrypto, NULL
59 };
60 
61 /*
62  * Macros to access the SHA2 or SHA2-HMAC contexts from a context passed
63  * by KCF to one of the entry points.
64  */
65 
66 #define	PROV_SHA2_CTX(ctx)	((sha2_ctx_t *)(ctx)->cc_provider_private)
67 #define	PROV_SHA2_HMAC_CTX(ctx)	((sha2_hmac_ctx_t *)(ctx)->cc_provider_private)
68 
69 /* to extract the digest length passed as mechanism parameter */
70 #define	PROV_SHA2_GET_DIGEST_LEN(m, len) {				\
71 	if (IS_P2ALIGNED((m)->cm_param, sizeof (ulong_t)))		\
72 		(len) = (uint32_t)*((ulong_t *)(void *)(m)->cm_param);	\
73 	else {								\
74 		ulong_t tmp_ulong;					\
75 		bcopy((m)->cm_param, &tmp_ulong, sizeof (ulong_t));	\
76 		(len) = (uint32_t)tmp_ulong;				\
77 	}								\
78 }
79 
80 #define	PROV_SHA2_DIGEST_KEY(mech, ctx, key, len, digest) {	\
81 	SHA2Init(mech, ctx);				\
82 	SHA2Update(ctx, key, len);			\
83 	SHA2Final(digest, ctx);				\
84 }
85 
86 /*
87  * Mechanism info structure passed to KCF during registration.
88  */
89 static crypto_mech_info_t sha2_mech_info_tab[] = {
90 	/* SHA256 */
91 	{SUN_CKM_SHA256, SHA256_MECH_INFO_TYPE,
92 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
93 	    0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
94 	/* SHA256-HMAC */
95 	{SUN_CKM_SHA256_HMAC, SHA256_HMAC_MECH_INFO_TYPE,
96 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
97 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
98 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES},
99 	/* SHA256-HMAC GENERAL */
100 	{SUN_CKM_SHA256_HMAC_GENERAL, SHA256_HMAC_GEN_MECH_INFO_TYPE,
101 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
102 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
103 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES},
104 	/* SHA384 */
105 	{SUN_CKM_SHA384, SHA384_MECH_INFO_TYPE,
106 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
107 	    0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
108 	/* SHA384-HMAC */
109 	{SUN_CKM_SHA384_HMAC, SHA384_HMAC_MECH_INFO_TYPE,
110 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
111 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
112 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES},
113 	/* SHA384-HMAC GENERAL */
114 	{SUN_CKM_SHA384_HMAC_GENERAL, SHA384_HMAC_GEN_MECH_INFO_TYPE,
115 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
116 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
117 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES},
118 	/* SHA512 */
119 	{SUN_CKM_SHA512, SHA512_MECH_INFO_TYPE,
120 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
121 	    0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
122 	/* SHA512-HMAC */
123 	{SUN_CKM_SHA512_HMAC, SHA512_HMAC_MECH_INFO_TYPE,
124 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
125 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
126 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES},
127 	/* SHA512-HMAC GENERAL */
128 	{SUN_CKM_SHA512_HMAC_GENERAL, SHA512_HMAC_GEN_MECH_INFO_TYPE,
129 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
130 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
131 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES},
132 	/* SHA512_224 */
133 	{SUN_CKM_SHA512_224, SHA512_224_MECH_INFO_TYPE,
134 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
135 	    0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
136 	/* SHA512_256 */
137 	{SUN_CKM_SHA512_256, SHA512_256_MECH_INFO_TYPE,
138 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
139 	    0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS}
140 };
141 
142 static void sha2_provider_status(crypto_provider_handle_t, uint_t *);
143 
144 static crypto_control_ops_t sha2_control_ops = {
145 	sha2_provider_status
146 };
147 
148 static int sha2_digest_init(crypto_ctx_t *, crypto_mechanism_t *,
149     crypto_req_handle_t);
150 static int sha2_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
151     crypto_req_handle_t);
152 static int sha2_digest_update(crypto_ctx_t *, crypto_data_t *,
153     crypto_req_handle_t);
154 static int sha2_digest_final(crypto_ctx_t *, crypto_data_t *,
155     crypto_req_handle_t);
156 static int sha2_digest_atomic(crypto_provider_handle_t, crypto_session_id_t,
157     crypto_mechanism_t *, crypto_data_t *, crypto_data_t *,
158     crypto_req_handle_t);
159 
160 static crypto_digest_ops_t sha2_digest_ops = {
161 	sha2_digest_init,
162 	sha2_digest,
163 	sha2_digest_update,
164 	NULL,
165 	sha2_digest_final,
166 	sha2_digest_atomic
167 };
168 
169 static int sha2_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *,
170     crypto_spi_ctx_template_t, crypto_req_handle_t);
171 static int sha2_mac_update(crypto_ctx_t *, crypto_data_t *,
172     crypto_req_handle_t);
173 static int sha2_mac_final(crypto_ctx_t *, crypto_data_t *, crypto_req_handle_t);
174 static int sha2_mac_atomic(crypto_provider_handle_t, crypto_session_id_t,
175     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
176     crypto_spi_ctx_template_t, crypto_req_handle_t);
177 static int sha2_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
178     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
179     crypto_spi_ctx_template_t, crypto_req_handle_t);
180 
181 static crypto_mac_ops_t sha2_mac_ops = {
182 	sha2_mac_init,
183 	NULL,
184 	sha2_mac_update,
185 	sha2_mac_final,
186 	sha2_mac_atomic,
187 	sha2_mac_verify_atomic
188 };
189 
190 static int sha2_create_ctx_template(crypto_provider_handle_t,
191     crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *,
192     size_t *, crypto_req_handle_t);
193 static int sha2_free_context(crypto_ctx_t *);
194 
195 static crypto_ctx_ops_t sha2_ctx_ops = {
196 	sha2_create_ctx_template,
197 	sha2_free_context
198 };
199 
200 static crypto_ops_t sha2_crypto_ops = {
201 	&sha2_control_ops,
202 	&sha2_digest_ops,
203 	NULL,
204 	&sha2_mac_ops,
205 	NULL,
206 	NULL,
207 	NULL,
208 	NULL,
209 	NULL,
210 	NULL,
211 	NULL,
212 	NULL,
213 	NULL,
214 	&sha2_ctx_ops,
215 	NULL,
216 	NULL,
217 	NULL,
218 };
219 
220 static crypto_provider_info_t sha2_prov_info = {
221 	CRYPTO_SPI_VERSION_4,
222 	"SHA2 Software Provider",
223 	CRYPTO_SW_PROVIDER,
224 	{&modlinkage},
225 	NULL,
226 	&sha2_crypto_ops,
227 	sizeof (sha2_mech_info_tab)/sizeof (crypto_mech_info_t),
228 	sha2_mech_info_tab
229 };
230 
231 static crypto_kcf_provider_handle_t sha2_prov_handle = 0;
232 
233 int
234 _init()
235 {
236 	int ret;
237 
238 	if ((ret = mod_install(&modlinkage)) != 0)
239 		return (ret);
240 
241 	/*
242 	 * Register with KCF. If the registration fails, do not uninstall the
243 	 * module, since the functionality provided by misc/sha2 should still
244 	 * be available.
245 	 */
246 	(void) crypto_register_provider(&sha2_prov_info, &sha2_prov_handle);
247 
248 	return (0);
249 }
250 
251 int
252 _info(struct modinfo *modinfop)
253 {
254 	return (mod_info(&modlinkage, modinfop));
255 }
256 
257 /*
258  * KCF software provider control entry points.
259  */
260 /* ARGSUSED */
261 static void
262 sha2_provider_status(crypto_provider_handle_t provider, uint_t *status)
263 {
264 	*status = CRYPTO_PROVIDER_READY;
265 }
266 
267 /*
268  * KCF software provider digest entry points.
269  */
270 
271 static int
272 sha2_digest_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
273     crypto_req_handle_t req)
274 {
275 
276 	/*
277 	 * Allocate and initialize SHA2 context.
278 	 */
279 	ctx->cc_provider_private = kmem_alloc(sizeof (sha2_ctx_t),
280 	    crypto_kmflag(req));
281 	if (ctx->cc_provider_private == NULL)
282 		return (CRYPTO_HOST_MEMORY);
283 
284 	PROV_SHA2_CTX(ctx)->sc_mech_type = mechanism->cm_type;
285 	SHA2Init(mechanism->cm_type, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
286 
287 	return (CRYPTO_SUCCESS);
288 }
289 
290 /*
291  * Helper SHA2 digest update function for uio data.
292  */
293 static int
294 sha2_digest_update_uio(SHA2_CTX *sha2_ctx, crypto_data_t *data)
295 {
296 	off_t offset = data->cd_offset;
297 	size_t length = data->cd_length;
298 	uint_t vec_idx;
299 	size_t cur_len;
300 
301 	/* we support only kernel buffer */
302 	if (data->cd_uio->uio_segflg != UIO_SYSSPACE)
303 		return (CRYPTO_ARGUMENTS_BAD);
304 
305 	/*
306 	 * Jump to the first iovec containing data to be
307 	 * digested.
308 	 */
309 	for (vec_idx = 0; vec_idx < data->cd_uio->uio_iovcnt &&
310 	    offset >= data->cd_uio->uio_iov[vec_idx].iov_len;
311 	    offset -= data->cd_uio->uio_iov[vec_idx++].iov_len)
312 		;
313 	if (vec_idx == data->cd_uio->uio_iovcnt) {
314 		/*
315 		 * The caller specified an offset that is larger than the
316 		 * total size of the buffers it provided.
317 		 */
318 		return (CRYPTO_DATA_LEN_RANGE);
319 	}
320 
321 	/*
322 	 * Now do the digesting on the iovecs.
323 	 */
324 	while (vec_idx < data->cd_uio->uio_iovcnt && length > 0) {
325 		cur_len = MIN(data->cd_uio->uio_iov[vec_idx].iov_len -
326 		    offset, length);
327 
328 		SHA2Update(sha2_ctx, (uint8_t *)data->cd_uio->
329 		    uio_iov[vec_idx].iov_base + offset, cur_len);
330 		length -= cur_len;
331 		vec_idx++;
332 		offset = 0;
333 	}
334 
335 	if (vec_idx == data->cd_uio->uio_iovcnt && length > 0) {
336 		/*
337 		 * The end of the specified iovec's was reached but
338 		 * the length requested could not be processed, i.e.
339 		 * The caller requested to digest more data than it provided.
340 		 */
341 		return (CRYPTO_DATA_LEN_RANGE);
342 	}
343 
344 	return (CRYPTO_SUCCESS);
345 }
346 
347 /*
348  * Helper SHA2 digest final function for uio data.
349  * digest_len is the length of the desired digest. If digest_len
350  * is smaller than the default SHA2 digest length, the caller
351  * must pass a scratch buffer, digest_scratch, which must
352  * be at least the algorithm's digest length bytes.
353  */
354 static int
355 sha2_digest_final_uio(SHA2_CTX *sha2_ctx, crypto_data_t *digest,
356     ulong_t digest_len, uchar_t *digest_scratch)
357 {
358 	off_t offset = digest->cd_offset;
359 	uint_t vec_idx;
360 
361 	/* we support only kernel buffer */
362 	if (digest->cd_uio->uio_segflg != UIO_SYSSPACE)
363 		return (CRYPTO_ARGUMENTS_BAD);
364 
365 	/*
366 	 * Jump to the first iovec containing ptr to the digest to
367 	 * be returned.
368 	 */
369 	for (vec_idx = 0; offset >= digest->cd_uio->uio_iov[vec_idx].iov_len &&
370 	    vec_idx < digest->cd_uio->uio_iovcnt;
371 	    offset -= digest->cd_uio->uio_iov[vec_idx++].iov_len)
372 		;
373 	if (vec_idx == digest->cd_uio->uio_iovcnt) {
374 		/*
375 		 * The caller specified an offset that is
376 		 * larger than the total size of the buffers
377 		 * it provided.
378 		 */
379 		return (CRYPTO_DATA_LEN_RANGE);
380 	}
381 
382 	if (offset + digest_len <=
383 	    digest->cd_uio->uio_iov[vec_idx].iov_len) {
384 		/*
385 		 * The computed SHA2 digest will fit in the current
386 		 * iovec.
387 		 */
388 		if (((sha2_ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
389 		    (digest_len != SHA256_DIGEST_LENGTH)) ||
390 		    ((sha2_ctx->algotype > SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
391 		    (digest_len != SHA512_DIGEST_LENGTH))) {
392 			/*
393 			 * The caller requested a short digest. Digest
394 			 * into a scratch buffer and return to
395 			 * the user only what was requested.
396 			 */
397 			SHA2Final(digest_scratch, sha2_ctx);
398 
399 			bcopy(digest_scratch, (uchar_t *)digest->
400 			    cd_uio->uio_iov[vec_idx].iov_base + offset,
401 			    digest_len);
402 		} else {
403 			SHA2Final((uchar_t *)digest->
404 			    cd_uio->uio_iov[vec_idx].iov_base + offset,
405 			    sha2_ctx);
406 
407 		}
408 	} else {
409 		/*
410 		 * The computed digest will be crossing one or more iovec's.
411 		 * This is bad performance-wise but we need to support it.
412 		 * Allocate a small scratch buffer on the stack and
413 		 * copy it piece meal to the specified digest iovec's.
414 		 */
415 		uchar_t digest_tmp[SHA512_DIGEST_LENGTH];
416 		off_t scratch_offset = 0;
417 		size_t length = digest_len;
418 		size_t cur_len;
419 
420 		SHA2Final(digest_tmp, sha2_ctx);
421 
422 		while (vec_idx < digest->cd_uio->uio_iovcnt && length > 0) {
423 			cur_len =
424 			    MIN(digest->cd_uio->uio_iov[vec_idx].iov_len -
425 			    offset, length);
426 			bcopy(digest_tmp + scratch_offset,
427 			    digest->cd_uio->uio_iov[vec_idx].iov_base + offset,
428 			    cur_len);
429 
430 			length -= cur_len;
431 			vec_idx++;
432 			scratch_offset += cur_len;
433 			offset = 0;
434 		}
435 
436 		if (vec_idx == digest->cd_uio->uio_iovcnt && length > 0) {
437 			/*
438 			 * The end of the specified iovec's was reached but
439 			 * the length requested could not be processed, i.e.
440 			 * The caller requested to digest more data than it
441 			 * provided.
442 			 */
443 			return (CRYPTO_DATA_LEN_RANGE);
444 		}
445 	}
446 
447 	return (CRYPTO_SUCCESS);
448 }
449 
450 /*
451  * Helper SHA2 digest update for mblk's.
452  */
453 static int
454 sha2_digest_update_mblk(SHA2_CTX *sha2_ctx, crypto_data_t *data)
455 {
456 	off_t offset = data->cd_offset;
457 	size_t length = data->cd_length;
458 	mblk_t *mp;
459 	size_t cur_len;
460 
461 	/*
462 	 * Jump to the first mblk_t containing data to be digested.
463 	 */
464 	for (mp = data->cd_mp; mp != NULL && offset >= MBLKL(mp);
465 	    offset -= MBLKL(mp), mp = mp->b_cont)
466 		;
467 	if (mp == NULL) {
468 		/*
469 		 * The caller specified an offset that is larger than the
470 		 * total size of the buffers it provided.
471 		 */
472 		return (CRYPTO_DATA_LEN_RANGE);
473 	}
474 
475 	/*
476 	 * Now do the digesting on the mblk chain.
477 	 */
478 	while (mp != NULL && length > 0) {
479 		cur_len = MIN(MBLKL(mp) - offset, length);
480 		SHA2Update(sha2_ctx, mp->b_rptr + offset, cur_len);
481 		length -= cur_len;
482 		offset = 0;
483 		mp = mp->b_cont;
484 	}
485 
486 	if (mp == NULL && length > 0) {
487 		/*
488 		 * The end of the mblk was reached but the length requested
489 		 * could not be processed, i.e. The caller requested
490 		 * to digest more data than it provided.
491 		 */
492 		return (CRYPTO_DATA_LEN_RANGE);
493 	}
494 
495 	return (CRYPTO_SUCCESS);
496 }
497 
498 /*
499  * Helper SHA2 digest final for mblk's.
500  * digest_len is the length of the desired digest. If digest_len
501  * is smaller than the default SHA2 digest length, the caller
502  * must pass a scratch buffer, digest_scratch, which must
503  * be at least the algorithm's digest length bytes.
504  */
505 static int
506 sha2_digest_final_mblk(SHA2_CTX *sha2_ctx, crypto_data_t *digest,
507     ulong_t digest_len, uchar_t *digest_scratch)
508 {
509 	off_t offset = digest->cd_offset;
510 	mblk_t *mp;
511 
512 	/*
513 	 * Jump to the first mblk_t that will be used to store the digest.
514 	 */
515 	for (mp = digest->cd_mp; mp != NULL && offset >= MBLKL(mp);
516 	    offset -= MBLKL(mp), mp = mp->b_cont)
517 		;
518 	if (mp == NULL) {
519 		/*
520 		 * The caller specified an offset that is larger than the
521 		 * total size of the buffers it provided.
522 		 */
523 		return (CRYPTO_DATA_LEN_RANGE);
524 	}
525 
526 	if (offset + digest_len <= MBLKL(mp)) {
527 		/*
528 		 * The computed SHA2 digest will fit in the current mblk.
529 		 * Do the SHA2Final() in-place.
530 		 */
531 		if (((sha2_ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
532 		    (digest_len != SHA256_DIGEST_LENGTH)) ||
533 		    ((sha2_ctx->algotype > SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
534 		    (digest_len != SHA512_DIGEST_LENGTH))) {
535 			/*
536 			 * The caller requested a short digest. Digest
537 			 * into a scratch buffer and return to
538 			 * the user only what was requested.
539 			 */
540 			SHA2Final(digest_scratch, sha2_ctx);
541 			bcopy(digest_scratch, mp->b_rptr + offset, digest_len);
542 		} else {
543 			SHA2Final(mp->b_rptr + offset, sha2_ctx);
544 		}
545 	} else {
546 		/*
547 		 * The computed digest will be crossing one or more mblk's.
548 		 * This is bad performance-wise but we need to support it.
549 		 * Allocate a small scratch buffer on the stack and
550 		 * copy it piece meal to the specified digest iovec's.
551 		 */
552 		uchar_t digest_tmp[SHA512_DIGEST_LENGTH];
553 		off_t scratch_offset = 0;
554 		size_t length = digest_len;
555 		size_t cur_len;
556 
557 		SHA2Final(digest_tmp, sha2_ctx);
558 
559 		while (mp != NULL && length > 0) {
560 			cur_len = MIN(MBLKL(mp) - offset, length);
561 			bcopy(digest_tmp + scratch_offset,
562 			    mp->b_rptr + offset, cur_len);
563 
564 			length -= cur_len;
565 			mp = mp->b_cont;
566 			scratch_offset += cur_len;
567 			offset = 0;
568 		}
569 
570 		if (mp == NULL && length > 0) {
571 			/*
572 			 * The end of the specified mblk was reached but
573 			 * the length requested could not be processed, i.e.
574 			 * The caller requested to digest more data than it
575 			 * provided.
576 			 */
577 			return (CRYPTO_DATA_LEN_RANGE);
578 		}
579 	}
580 
581 	return (CRYPTO_SUCCESS);
582 }
583 
584 /* ARGSUSED */
585 static int
586 sha2_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest,
587     crypto_req_handle_t req)
588 {
589 	int ret = CRYPTO_SUCCESS;
590 	uint_t sha_digest_len;
591 
592 	ASSERT(ctx->cc_provider_private != NULL);
593 
594 	switch (PROV_SHA2_CTX(ctx)->sc_mech_type) {
595 	case SHA256_MECH_INFO_TYPE:
596 		sha_digest_len = SHA256_DIGEST_LENGTH;
597 		break;
598 	case SHA384_MECH_INFO_TYPE:
599 		sha_digest_len = SHA384_DIGEST_LENGTH;
600 		break;
601 	case SHA512_MECH_INFO_TYPE:
602 		sha_digest_len = SHA512_DIGEST_LENGTH;
603 		break;
604 	case SHA512_224_MECH_INFO_TYPE:
605 		sha_digest_len = SHA512_224_DIGEST_LENGTH;
606 		break;
607 	case SHA512_256_MECH_INFO_TYPE:
608 		sha_digest_len = SHA512_256_DIGEST_LENGTH;
609 		break;
610 	default:
611 		return (CRYPTO_MECHANISM_INVALID);
612 	}
613 
614 	/*
615 	 * We need to just return the length needed to store the output.
616 	 * We should not destroy the context for the following cases.
617 	 */
618 	if ((digest->cd_length == 0) ||
619 	    (digest->cd_length < sha_digest_len)) {
620 		digest->cd_length = sha_digest_len;
621 		return (CRYPTO_BUFFER_TOO_SMALL);
622 	}
623 
624 	/*
625 	 * Do the SHA2 update on the specified input data.
626 	 */
627 	switch (data->cd_format) {
628 	case CRYPTO_DATA_RAW:
629 		SHA2Update(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
630 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
631 		    data->cd_length);
632 		break;
633 	case CRYPTO_DATA_UIO:
634 		ret = sha2_digest_update_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
635 		    data);
636 		break;
637 	case CRYPTO_DATA_MBLK:
638 		ret = sha2_digest_update_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
639 		    data);
640 		break;
641 	default:
642 		ret = CRYPTO_ARGUMENTS_BAD;
643 	}
644 
645 	if (ret != CRYPTO_SUCCESS) {
646 		/* the update failed, free context and bail */
647 		kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
648 		ctx->cc_provider_private = NULL;
649 		digest->cd_length = 0;
650 		return (ret);
651 	}
652 
653 	/*
654 	 * Do a SHA2 final, must be done separately since the digest
655 	 * type can be different than the input data type.
656 	 */
657 	switch (digest->cd_format) {
658 	case CRYPTO_DATA_RAW:
659 		SHA2Final((unsigned char *)digest->cd_raw.iov_base +
660 		    digest->cd_offset, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
661 		break;
662 	case CRYPTO_DATA_UIO:
663 		ret = sha2_digest_final_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
664 		    digest, sha_digest_len, NULL);
665 		break;
666 	case CRYPTO_DATA_MBLK:
667 		ret = sha2_digest_final_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
668 		    digest, sha_digest_len, NULL);
669 		break;
670 	default:
671 		ret = CRYPTO_ARGUMENTS_BAD;
672 	}
673 
674 	/* all done, free context and return */
675 
676 	if (ret == CRYPTO_SUCCESS)
677 		digest->cd_length = sha_digest_len;
678 	else
679 		digest->cd_length = 0;
680 
681 	kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
682 	ctx->cc_provider_private = NULL;
683 	return (ret);
684 }
685 
686 /* ARGSUSED */
687 static int
688 sha2_digest_update(crypto_ctx_t *ctx, crypto_data_t *data,
689     crypto_req_handle_t req)
690 {
691 	int ret = CRYPTO_SUCCESS;
692 
693 	ASSERT(ctx->cc_provider_private != NULL);
694 
695 	/*
696 	 * Do the SHA2 update on the specified input data.
697 	 */
698 	switch (data->cd_format) {
699 	case CRYPTO_DATA_RAW:
700 		SHA2Update(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
701 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
702 		    data->cd_length);
703 		break;
704 	case CRYPTO_DATA_UIO:
705 		ret = sha2_digest_update_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
706 		    data);
707 		break;
708 	case CRYPTO_DATA_MBLK:
709 		ret = sha2_digest_update_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
710 		    data);
711 		break;
712 	default:
713 		ret = CRYPTO_ARGUMENTS_BAD;
714 	}
715 
716 	return (ret);
717 }
718 
719 /* ARGSUSED */
720 static int
721 sha2_digest_final(crypto_ctx_t *ctx, crypto_data_t *digest,
722     crypto_req_handle_t req)
723 {
724 	int ret = CRYPTO_SUCCESS;
725 	uint_t sha_digest_len;
726 
727 	ASSERT(ctx->cc_provider_private != NULL);
728 
729 	switch (PROV_SHA2_CTX(ctx)->sc_mech_type) {
730 	case SHA256_MECH_INFO_TYPE:
731 		sha_digest_len = SHA256_DIGEST_LENGTH;
732 		break;
733 	case SHA384_MECH_INFO_TYPE:
734 		sha_digest_len = SHA384_DIGEST_LENGTH;
735 		break;
736 	case SHA512_MECH_INFO_TYPE:
737 		sha_digest_len = SHA512_DIGEST_LENGTH;
738 		break;
739 	case SHA512_224_MECH_INFO_TYPE:
740 		sha_digest_len = SHA512_224_DIGEST_LENGTH;
741 		break;
742 	case SHA512_256_MECH_INFO_TYPE:
743 		sha_digest_len = SHA512_256_DIGEST_LENGTH;
744 		break;
745 	default:
746 		return (CRYPTO_MECHANISM_INVALID);
747 	}
748 
749 	/*
750 	 * We need to just return the length needed to store the output.
751 	 * We should not destroy the context for the following cases.
752 	 */
753 	if ((digest->cd_length == 0) ||
754 	    (digest->cd_length < sha_digest_len)) {
755 		digest->cd_length = sha_digest_len;
756 		return (CRYPTO_BUFFER_TOO_SMALL);
757 	}
758 
759 	/*
760 	 * Do a SHA2 final.
761 	 */
762 	switch (digest->cd_format) {
763 	case CRYPTO_DATA_RAW:
764 		SHA2Final((unsigned char *)digest->cd_raw.iov_base +
765 		    digest->cd_offset, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
766 		break;
767 	case CRYPTO_DATA_UIO:
768 		ret = sha2_digest_final_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
769 		    digest, sha_digest_len, NULL);
770 		break;
771 	case CRYPTO_DATA_MBLK:
772 		ret = sha2_digest_final_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
773 		    digest, sha_digest_len, NULL);
774 		break;
775 	default:
776 		ret = CRYPTO_ARGUMENTS_BAD;
777 	}
778 
779 	/* all done, free context and return */
780 
781 	if (ret == CRYPTO_SUCCESS)
782 		digest->cd_length = sha_digest_len;
783 	else
784 		digest->cd_length = 0;
785 
786 	kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
787 	ctx->cc_provider_private = NULL;
788 
789 	return (ret);
790 }
791 
792 /* ARGSUSED */
793 static int
794 sha2_digest_atomic(crypto_provider_handle_t provider,
795     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
796     crypto_data_t *data, crypto_data_t *digest,
797     crypto_req_handle_t req)
798 {
799 	int ret = CRYPTO_SUCCESS;
800 	SHA2_CTX sha2_ctx;
801 	uint32_t sha_digest_len;
802 
803 	/*
804 	 * Do the SHA inits.
805 	 */
806 
807 	SHA2Init(mechanism->cm_type, &sha2_ctx);
808 
809 	switch (data->cd_format) {
810 	case CRYPTO_DATA_RAW:
811 		SHA2Update(&sha2_ctx, (uint8_t *)data->
812 		    cd_raw.iov_base + data->cd_offset, data->cd_length);
813 		break;
814 	case CRYPTO_DATA_UIO:
815 		ret = sha2_digest_update_uio(&sha2_ctx, data);
816 		break;
817 	case CRYPTO_DATA_MBLK:
818 		ret = sha2_digest_update_mblk(&sha2_ctx, data);
819 		break;
820 	default:
821 		ret = CRYPTO_ARGUMENTS_BAD;
822 	}
823 
824 	/*
825 	 * Do the SHA updates on the specified input data.
826 	 */
827 
828 	if (ret != CRYPTO_SUCCESS) {
829 		/* the update failed, bail */
830 		digest->cd_length = 0;
831 		return (ret);
832 	}
833 
834 	if (mechanism->cm_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE)
835 		sha_digest_len = SHA256_DIGEST_LENGTH;
836 	else
837 		sha_digest_len = SHA512_DIGEST_LENGTH;
838 
839 	/*
840 	 * Do a SHA2 final, must be done separately since the digest
841 	 * type can be different than the input data type.
842 	 */
843 	switch (digest->cd_format) {
844 	case CRYPTO_DATA_RAW:
845 		SHA2Final((unsigned char *)digest->cd_raw.iov_base +
846 		    digest->cd_offset, &sha2_ctx);
847 		break;
848 	case CRYPTO_DATA_UIO:
849 		ret = sha2_digest_final_uio(&sha2_ctx, digest,
850 		    sha_digest_len, NULL);
851 		break;
852 	case CRYPTO_DATA_MBLK:
853 		ret = sha2_digest_final_mblk(&sha2_ctx, digest,
854 		    sha_digest_len, NULL);
855 		break;
856 	default:
857 		ret = CRYPTO_ARGUMENTS_BAD;
858 	}
859 
860 	if (ret == CRYPTO_SUCCESS)
861 		digest->cd_length = sha_digest_len;
862 	else
863 		digest->cd_length = 0;
864 
865 	return (ret);
866 }
867 
868 /*
869  * KCF software provider mac entry points.
870  *
871  * SHA2 HMAC is: SHA2(key XOR opad, SHA2(key XOR ipad, text))
872  *
873  * Init:
874  * The initialization routine initializes what we denote
875  * as the inner and outer contexts by doing
876  * - for inner context: SHA2(key XOR ipad)
877  * - for outer context: SHA2(key XOR opad)
878  *
879  * Update:
880  * Each subsequent SHA2 HMAC update will result in an
881  * update of the inner context with the specified data.
882  *
883  * Final:
884  * The SHA2 HMAC final will do a SHA2 final operation on the
885  * inner context, and the resulting digest will be used
886  * as the data for an update on the outer context. Last
887  * but not least, a SHA2 final on the outer context will
888  * be performed to obtain the SHA2 HMAC digest to return
889  * to the user.
890  */
891 
892 /*
893  * Initialize a SHA2-HMAC context.
894  */
895 static void
896 sha2_mac_init_ctx(sha2_hmac_ctx_t *ctx, void *keyval, uint_t length_in_bytes)
897 {
898 	uint64_t ipad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)];
899 	uint64_t opad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)];
900 	int i, block_size, blocks_per_int64;
901 
902 	/* Determine the block size */
903 	if (ctx->hc_mech_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE) {
904 		block_size = SHA256_HMAC_BLOCK_SIZE;
905 		blocks_per_int64 = SHA256_HMAC_BLOCK_SIZE / sizeof (uint64_t);
906 	} else {
907 		block_size = SHA512_HMAC_BLOCK_SIZE;
908 		blocks_per_int64 = SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t);
909 	}
910 
911 	(void) bzero(ipad, block_size);
912 	(void) bzero(opad, block_size);
913 	(void) bcopy(keyval, ipad, length_in_bytes);
914 	(void) bcopy(keyval, opad, length_in_bytes);
915 
916 	/* XOR key with ipad (0x36) and opad (0x5c) */
917 	for (i = 0; i < blocks_per_int64; i ++) {
918 		ipad[i] ^= 0x3636363636363636;
919 		opad[i] ^= 0x5c5c5c5c5c5c5c5c;
920 	}
921 
922 	/* perform SHA2 on ipad */
923 	SHA2Init(ctx->hc_mech_type, &ctx->hc_icontext);
924 	SHA2Update(&ctx->hc_icontext, (uint8_t *)ipad, block_size);
925 
926 	/* perform SHA2 on opad */
927 	SHA2Init(ctx->hc_mech_type, &ctx->hc_ocontext);
928 	SHA2Update(&ctx->hc_ocontext, (uint8_t *)opad, block_size);
929 
930 }
931 
932 static boolean_t
933 sha2_is_general_hmech(const crypto_mechanism_t *mechanism)
934 {
935 	switch (mechanism->cm_type) {
936 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
937 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
938 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
939 		return (B_TRUE);
940 	default:
941 		return (B_FALSE);
942 	}
943 }
944 
945 /*
946  */
947 static int
948 sha2_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
949     crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
950     crypto_req_handle_t req)
951 {
952 	int ret = CRYPTO_SUCCESS;
953 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
954 	uint_t sha_digest_len, sha_hmac_block_size;
955 
956 	/*
957 	 * Set the digest length and block size to values appropriate to the
958 	 * mechanism
959 	 */
960 	switch (mechanism->cm_type) {
961 	case SHA256_HMAC_MECH_INFO_TYPE:
962 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
963 		sha_digest_len = SHA256_DIGEST_LENGTH;
964 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
965 		break;
966 	case SHA384_HMAC_MECH_INFO_TYPE:
967 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
968 	case SHA512_HMAC_MECH_INFO_TYPE:
969 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
970 		sha_digest_len = SHA512_DIGEST_LENGTH;
971 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
972 		break;
973 	default:
974 		return (CRYPTO_MECHANISM_INVALID);
975 	}
976 
977 	if (key->ck_format != CRYPTO_KEY_RAW)
978 		return (CRYPTO_ARGUMENTS_BAD);
979 
980 	ctx->cc_provider_private = kmem_alloc(sizeof (sha2_hmac_ctx_t),
981 	    crypto_kmflag(req));
982 	if (ctx->cc_provider_private == NULL)
983 		return (CRYPTO_HOST_MEMORY);
984 
985 	PROV_SHA2_HMAC_CTX(ctx)->hc_mech_type = mechanism->cm_type;
986 	if (ctx_template != NULL) {
987 		/* reuse context template */
988 		bcopy(ctx_template, PROV_SHA2_HMAC_CTX(ctx),
989 		    sizeof (sha2_hmac_ctx_t));
990 	} else {
991 		/* no context template, compute context */
992 		if (keylen_in_bytes > sha_hmac_block_size) {
993 			uchar_t digested_key[SHA512_DIGEST_LENGTH];
994 			sha2_hmac_ctx_t *hmac_ctx = ctx->cc_provider_private;
995 
996 			/*
997 			 * Hash the passed-in key to get a smaller key.
998 			 * The inner context is used since it hasn't been
999 			 * initialized yet.
1000 			 */
1001 			PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1002 			    &hmac_ctx->hc_icontext,
1003 			    key->ck_data, keylen_in_bytes, digested_key);
1004 			sha2_mac_init_ctx(PROV_SHA2_HMAC_CTX(ctx),
1005 			    digested_key, sha_digest_len);
1006 		} else {
1007 			sha2_mac_init_ctx(PROV_SHA2_HMAC_CTX(ctx),
1008 			    key->ck_data, keylen_in_bytes);
1009 		}
1010 	}
1011 
1012 	/*
1013 	 * Get the mechanism parameters, if applicable.
1014 	 */
1015 	if (sha2_is_general_hmech(mechanism)) {
1016 		if (mechanism->cm_param == NULL ||
1017 		    mechanism->cm_param_len != sizeof (ulong_t))
1018 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1019 		PROV_SHA2_GET_DIGEST_LEN(mechanism,
1020 		    PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len);
1021 		if (PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len > sha_digest_len)
1022 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1023 	}
1024 
1025 	if (ret != CRYPTO_SUCCESS) {
1026 		bzero(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1027 		kmem_free(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1028 		ctx->cc_provider_private = NULL;
1029 	}
1030 
1031 	return (ret);
1032 }
1033 
1034 /* ARGSUSED */
1035 static int
1036 sha2_mac_update(crypto_ctx_t *ctx, crypto_data_t *data,
1037     crypto_req_handle_t req)
1038 {
1039 	int ret = CRYPTO_SUCCESS;
1040 
1041 	ASSERT(ctx->cc_provider_private != NULL);
1042 
1043 	/*
1044 	 * Do a SHA2 update of the inner context using the specified
1045 	 * data.
1046 	 */
1047 	switch (data->cd_format) {
1048 	case CRYPTO_DATA_RAW:
1049 		SHA2Update(&PROV_SHA2_HMAC_CTX(ctx)->hc_icontext,
1050 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
1051 		    data->cd_length);
1052 		break;
1053 	case CRYPTO_DATA_UIO:
1054 		ret = sha2_digest_update_uio(
1055 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext, data);
1056 		break;
1057 	case CRYPTO_DATA_MBLK:
1058 		ret = sha2_digest_update_mblk(
1059 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext, data);
1060 		break;
1061 	default:
1062 		ret = CRYPTO_ARGUMENTS_BAD;
1063 	}
1064 
1065 	return (ret);
1066 }
1067 
1068 /* ARGSUSED */
1069 static int
1070 sha2_mac_final(crypto_ctx_t *ctx, crypto_data_t *mac, crypto_req_handle_t req)
1071 {
1072 	int ret = CRYPTO_SUCCESS;
1073 	uchar_t digest[SHA512_DIGEST_LENGTH];
1074 	uint32_t digest_len, sha_digest_len;
1075 
1076 	ASSERT(ctx->cc_provider_private != NULL);
1077 
1078 	/* Set the digest lengths to values appropriate to the mechanism */
1079 	switch (PROV_SHA2_HMAC_CTX(ctx)->hc_mech_type) {
1080 	case SHA256_HMAC_MECH_INFO_TYPE:
1081 		sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1082 		break;
1083 	case SHA384_HMAC_MECH_INFO_TYPE:
1084 		sha_digest_len = digest_len = SHA384_DIGEST_LENGTH;
1085 		break;
1086 	case SHA512_HMAC_MECH_INFO_TYPE:
1087 		sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1088 		break;
1089 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1090 		sha_digest_len = SHA256_DIGEST_LENGTH;
1091 		digest_len = PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len;
1092 		break;
1093 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1094 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1095 		sha_digest_len = SHA512_DIGEST_LENGTH;
1096 		digest_len = PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len;
1097 		break;
1098 	}
1099 
1100 	/*
1101 	 * We need to just return the length needed to store the output.
1102 	 * We should not destroy the context for the following cases.
1103 	 */
1104 	if ((mac->cd_length == 0) || (mac->cd_length < digest_len)) {
1105 		mac->cd_length = digest_len;
1106 		return (CRYPTO_BUFFER_TOO_SMALL);
1107 	}
1108 
1109 	/*
1110 	 * Do a SHA2 final on the inner context.
1111 	 */
1112 	SHA2Final(digest, &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext);
1113 
1114 	/*
1115 	 * Do a SHA2 update on the outer context, feeding the inner
1116 	 * digest as data.
1117 	 */
1118 	SHA2Update(&PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, digest,
1119 	    sha_digest_len);
1120 
1121 	/*
1122 	 * Do a SHA2 final on the outer context, storing the computing
1123 	 * digest in the users buffer.
1124 	 */
1125 	switch (mac->cd_format) {
1126 	case CRYPTO_DATA_RAW:
1127 		if (digest_len != sha_digest_len) {
1128 			/*
1129 			 * The caller requested a short digest. Digest
1130 			 * into a scratch buffer and return to
1131 			 * the user only what was requested.
1132 			 */
1133 			SHA2Final(digest,
1134 			    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext);
1135 			bcopy(digest, (unsigned char *)mac->cd_raw.iov_base +
1136 			    mac->cd_offset, digest_len);
1137 		} else {
1138 			SHA2Final((unsigned char *)mac->cd_raw.iov_base +
1139 			    mac->cd_offset,
1140 			    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext);
1141 		}
1142 		break;
1143 	case CRYPTO_DATA_UIO:
1144 		ret = sha2_digest_final_uio(
1145 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, mac,
1146 		    digest_len, digest);
1147 		break;
1148 	case CRYPTO_DATA_MBLK:
1149 		ret = sha2_digest_final_mblk(
1150 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, mac,
1151 		    digest_len, digest);
1152 		break;
1153 	default:
1154 		ret = CRYPTO_ARGUMENTS_BAD;
1155 	}
1156 
1157 	if (ret == CRYPTO_SUCCESS)
1158 		mac->cd_length = digest_len;
1159 	else
1160 		mac->cd_length = 0;
1161 
1162 	bzero(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1163 	kmem_free(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1164 	ctx->cc_provider_private = NULL;
1165 
1166 	return (ret);
1167 }
1168 
1169 #define	SHA2_MAC_UPDATE(data, ctx, ret) {				\
1170 	switch (data->cd_format) {					\
1171 	case CRYPTO_DATA_RAW:						\
1172 		SHA2Update(&(ctx).hc_icontext,				\
1173 		    (uint8_t *)data->cd_raw.iov_base +			\
1174 		    data->cd_offset, data->cd_length);			\
1175 		break;							\
1176 	case CRYPTO_DATA_UIO:						\
1177 		ret = sha2_digest_update_uio(&(ctx).hc_icontext, data);	\
1178 		break;							\
1179 	case CRYPTO_DATA_MBLK:						\
1180 		ret = sha2_digest_update_mblk(&(ctx).hc_icontext,	\
1181 		    data);						\
1182 		break;							\
1183 	default:							\
1184 		ret = CRYPTO_ARGUMENTS_BAD;				\
1185 	}								\
1186 }
1187 
1188 /* ARGSUSED */
1189 static int
1190 sha2_mac_atomic(crypto_provider_handle_t provider,
1191     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1192     crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1193     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1194 {
1195 	int ret = CRYPTO_SUCCESS;
1196 	uchar_t digest[SHA512_DIGEST_LENGTH];
1197 	sha2_hmac_ctx_t sha2_hmac_ctx;
1198 	uint32_t sha_digest_len, digest_len, sha_hmac_block_size;
1199 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1200 
1201 	/*
1202 	 * Set the digest length and block size to values appropriate to the
1203 	 * mechanism
1204 	 */
1205 	switch (mechanism->cm_type) {
1206 	case SHA256_HMAC_MECH_INFO_TYPE:
1207 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1208 		sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1209 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1210 		break;
1211 	case SHA384_HMAC_MECH_INFO_TYPE:
1212 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1213 	case SHA512_HMAC_MECH_INFO_TYPE:
1214 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1215 		sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1216 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1217 		break;
1218 	default:
1219 		return (CRYPTO_MECHANISM_INVALID);
1220 	}
1221 
1222 	/* Add support for key by attributes (RFE 4706552) */
1223 	if (key->ck_format != CRYPTO_KEY_RAW)
1224 		return (CRYPTO_ARGUMENTS_BAD);
1225 
1226 	if (ctx_template != NULL) {
1227 		/* reuse context template */
1228 		bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1229 	} else {
1230 		sha2_hmac_ctx.hc_mech_type = mechanism->cm_type;
1231 		/* no context template, initialize context */
1232 		if (keylen_in_bytes > sha_hmac_block_size) {
1233 			/*
1234 			 * Hash the passed-in key to get a smaller key.
1235 			 * The inner context is used since it hasn't been
1236 			 * initialized yet.
1237 			 */
1238 			PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1239 			    &sha2_hmac_ctx.hc_icontext,
1240 			    key->ck_data, keylen_in_bytes, digest);
1241 			sha2_mac_init_ctx(&sha2_hmac_ctx, digest,
1242 			    sha_digest_len);
1243 		} else {
1244 			sha2_mac_init_ctx(&sha2_hmac_ctx, key->ck_data,
1245 			    keylen_in_bytes);
1246 		}
1247 	}
1248 
1249 	/* get the mechanism parameters, if applicable */
1250 	if (sha2_is_general_hmech(mechanism)) {
1251 		if (mechanism->cm_param == NULL ||
1252 		    mechanism->cm_param_len != sizeof (ulong_t)) {
1253 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1254 			goto bail;
1255 		}
1256 		PROV_SHA2_GET_DIGEST_LEN(mechanism, digest_len);
1257 		if (digest_len > sha_digest_len) {
1258 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1259 			goto bail;
1260 		}
1261 	}
1262 
1263 	/* do a SHA2 update of the inner context using the specified data */
1264 	SHA2_MAC_UPDATE(data, sha2_hmac_ctx, ret);
1265 	if (ret != CRYPTO_SUCCESS)
1266 		/* the update failed, free context and bail */
1267 		goto bail;
1268 
1269 	/*
1270 	 * Do a SHA2 final on the inner context.
1271 	 */
1272 	SHA2Final(digest, &sha2_hmac_ctx.hc_icontext);
1273 
1274 	/*
1275 	 * Do an SHA2 update on the outer context, feeding the inner
1276 	 * digest as data.
1277 	 *
1278 	 * HMAC-SHA384 needs special handling as the outer hash needs only 48
1279 	 * bytes of the inner hash value.
1280 	 */
1281 	if (mechanism->cm_type == SHA384_HMAC_MECH_INFO_TYPE ||
1282 	    mechanism->cm_type == SHA384_HMAC_GEN_MECH_INFO_TYPE)
1283 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest,
1284 		    SHA384_DIGEST_LENGTH);
1285 	else
1286 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, sha_digest_len);
1287 
1288 	/*
1289 	 * Do a SHA2 final on the outer context, storing the computed
1290 	 * digest in the users buffer.
1291 	 */
1292 	switch (mac->cd_format) {
1293 	case CRYPTO_DATA_RAW:
1294 		if (digest_len != sha_digest_len) {
1295 			/*
1296 			 * The caller requested a short digest. Digest
1297 			 * into a scratch buffer and return to
1298 			 * the user only what was requested.
1299 			 */
1300 			SHA2Final(digest, &sha2_hmac_ctx.hc_ocontext);
1301 			bcopy(digest, (unsigned char *)mac->cd_raw.iov_base +
1302 			    mac->cd_offset, digest_len);
1303 		} else {
1304 			SHA2Final((unsigned char *)mac->cd_raw.iov_base +
1305 			    mac->cd_offset, &sha2_hmac_ctx.hc_ocontext);
1306 		}
1307 		break;
1308 	case CRYPTO_DATA_UIO:
1309 		ret = sha2_digest_final_uio(&sha2_hmac_ctx.hc_ocontext, mac,
1310 		    digest_len, digest);
1311 		break;
1312 	case CRYPTO_DATA_MBLK:
1313 		ret = sha2_digest_final_mblk(&sha2_hmac_ctx.hc_ocontext, mac,
1314 		    digest_len, digest);
1315 		break;
1316 	default:
1317 		ret = CRYPTO_ARGUMENTS_BAD;
1318 	}
1319 
1320 	if (ret == CRYPTO_SUCCESS) {
1321 		mac->cd_length = digest_len;
1322 		return (CRYPTO_SUCCESS);
1323 	}
1324 bail:
1325 	bzero(&sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1326 	mac->cd_length = 0;
1327 	return (ret);
1328 }
1329 
1330 /* ARGSUSED */
1331 static int
1332 sha2_mac_verify_atomic(crypto_provider_handle_t provider,
1333     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1334     crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1335     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1336 {
1337 	int ret = CRYPTO_SUCCESS;
1338 	uchar_t digest[SHA512_DIGEST_LENGTH];
1339 	sha2_hmac_ctx_t sha2_hmac_ctx;
1340 	uint32_t sha_digest_len, digest_len, sha_hmac_block_size;
1341 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1342 
1343 	/*
1344 	 * Set the digest length and block size to values appropriate to the
1345 	 * mechanism
1346 	 */
1347 	switch (mechanism->cm_type) {
1348 	case SHA256_HMAC_MECH_INFO_TYPE:
1349 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1350 		sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1351 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1352 		break;
1353 	case SHA384_HMAC_MECH_INFO_TYPE:
1354 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1355 	case SHA512_HMAC_MECH_INFO_TYPE:
1356 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1357 		sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1358 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1359 		break;
1360 	default:
1361 		return (CRYPTO_MECHANISM_INVALID);
1362 	}
1363 
1364 	/* Add support for key by attributes (RFE 4706552) */
1365 	if (key->ck_format != CRYPTO_KEY_RAW)
1366 		return (CRYPTO_ARGUMENTS_BAD);
1367 
1368 	if (ctx_template != NULL) {
1369 		/* reuse context template */
1370 		bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1371 	} else {
1372 		sha2_hmac_ctx.hc_mech_type = mechanism->cm_type;
1373 		/* no context template, initialize context */
1374 		if (keylen_in_bytes > sha_hmac_block_size) {
1375 			/*
1376 			 * Hash the passed-in key to get a smaller key.
1377 			 * The inner context is used since it hasn't been
1378 			 * initialized yet.
1379 			 */
1380 			PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1381 			    &sha2_hmac_ctx.hc_icontext,
1382 			    key->ck_data, keylen_in_bytes, digest);
1383 			sha2_mac_init_ctx(&sha2_hmac_ctx, digest,
1384 			    sha_digest_len);
1385 		} else {
1386 			sha2_mac_init_ctx(&sha2_hmac_ctx, key->ck_data,
1387 			    keylen_in_bytes);
1388 		}
1389 	}
1390 
1391 	/* get the mechanism parameters, if applicable */
1392 	if (sha2_is_general_hmech(mechanism)) {
1393 		if (mechanism->cm_param == NULL ||
1394 		    mechanism->cm_param_len != sizeof (ulong_t)) {
1395 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1396 			goto bail;
1397 		}
1398 		PROV_SHA2_GET_DIGEST_LEN(mechanism, digest_len);
1399 		if (digest_len > sha_digest_len) {
1400 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1401 			goto bail;
1402 		}
1403 	}
1404 
1405 	if (mac->cd_length != digest_len) {
1406 		ret = CRYPTO_INVALID_MAC;
1407 		goto bail;
1408 	}
1409 
1410 	/* do a SHA2 update of the inner context using the specified data */
1411 	SHA2_MAC_UPDATE(data, sha2_hmac_ctx, ret);
1412 	if (ret != CRYPTO_SUCCESS)
1413 		/* the update failed, free context and bail */
1414 		goto bail;
1415 
1416 	/* do a SHA2 final on the inner context */
1417 	SHA2Final(digest, &sha2_hmac_ctx.hc_icontext);
1418 
1419 	/*
1420 	 * Do an SHA2 update on the outer context, feeding the inner
1421 	 * digest as data.
1422 	 *
1423 	 * HMAC-SHA384 needs special handling as the outer hash needs only 48
1424 	 * bytes of the inner hash value.
1425 	 */
1426 	if (mechanism->cm_type == SHA384_HMAC_MECH_INFO_TYPE ||
1427 	    mechanism->cm_type == SHA384_HMAC_GEN_MECH_INFO_TYPE)
1428 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest,
1429 		    SHA384_DIGEST_LENGTH);
1430 	else
1431 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, sha_digest_len);
1432 
1433 	/*
1434 	 * Do a SHA2 final on the outer context, storing the computed
1435 	 * digest in the users buffer.
1436 	 */
1437 	SHA2Final(digest, &sha2_hmac_ctx.hc_ocontext);
1438 
1439 	/*
1440 	 * Compare the computed digest against the expected digest passed
1441 	 * as argument.
1442 	 */
1443 
1444 	switch (mac->cd_format) {
1445 
1446 	case CRYPTO_DATA_RAW:
1447 		if (bcmp(digest, (unsigned char *)mac->cd_raw.iov_base +
1448 		    mac->cd_offset, digest_len) != 0)
1449 			ret = CRYPTO_INVALID_MAC;
1450 		break;
1451 
1452 	case CRYPTO_DATA_UIO: {
1453 		off_t offset = mac->cd_offset;
1454 		uint_t vec_idx;
1455 		off_t scratch_offset = 0;
1456 		size_t length = digest_len;
1457 		size_t cur_len;
1458 
1459 		/* we support only kernel buffer */
1460 		if (mac->cd_uio->uio_segflg != UIO_SYSSPACE)
1461 			return (CRYPTO_ARGUMENTS_BAD);
1462 
1463 		/* jump to the first iovec containing the expected digest */
1464 		for (vec_idx = 0;
1465 		    offset >= mac->cd_uio->uio_iov[vec_idx].iov_len &&
1466 		    vec_idx < mac->cd_uio->uio_iovcnt;
1467 		    offset -= mac->cd_uio->uio_iov[vec_idx++].iov_len)
1468 			;
1469 		if (vec_idx == mac->cd_uio->uio_iovcnt) {
1470 			/*
1471 			 * The caller specified an offset that is
1472 			 * larger than the total size of the buffers
1473 			 * it provided.
1474 			 */
1475 			ret = CRYPTO_DATA_LEN_RANGE;
1476 			break;
1477 		}
1478 
1479 		/* do the comparison of computed digest vs specified one */
1480 		while (vec_idx < mac->cd_uio->uio_iovcnt && length > 0) {
1481 			cur_len = MIN(mac->cd_uio->uio_iov[vec_idx].iov_len -
1482 			    offset, length);
1483 
1484 			if (bcmp(digest + scratch_offset,
1485 			    mac->cd_uio->uio_iov[vec_idx].iov_base + offset,
1486 			    cur_len) != 0) {
1487 				ret = CRYPTO_INVALID_MAC;
1488 				break;
1489 			}
1490 
1491 			length -= cur_len;
1492 			vec_idx++;
1493 			scratch_offset += cur_len;
1494 			offset = 0;
1495 		}
1496 		break;
1497 	}
1498 
1499 	case CRYPTO_DATA_MBLK: {
1500 		off_t offset = mac->cd_offset;
1501 		mblk_t *mp;
1502 		off_t scratch_offset = 0;
1503 		size_t length = digest_len;
1504 		size_t cur_len;
1505 
1506 		/* jump to the first mblk_t containing the expected digest */
1507 		for (mp = mac->cd_mp; mp != NULL && offset >= MBLKL(mp);
1508 		    offset -= MBLKL(mp), mp = mp->b_cont)
1509 			;
1510 		if (mp == NULL) {
1511 			/*
1512 			 * The caller specified an offset that is larger than
1513 			 * the total size of the buffers it provided.
1514 			 */
1515 			ret = CRYPTO_DATA_LEN_RANGE;
1516 			break;
1517 		}
1518 
1519 		while (mp != NULL && length > 0) {
1520 			cur_len = MIN(MBLKL(mp) - offset, length);
1521 			if (bcmp(digest + scratch_offset,
1522 			    mp->b_rptr + offset, cur_len) != 0) {
1523 				ret = CRYPTO_INVALID_MAC;
1524 				break;
1525 			}
1526 
1527 			length -= cur_len;
1528 			mp = mp->b_cont;
1529 			scratch_offset += cur_len;
1530 			offset = 0;
1531 		}
1532 		break;
1533 	}
1534 
1535 	default:
1536 		ret = CRYPTO_ARGUMENTS_BAD;
1537 	}
1538 
1539 	return (ret);
1540 bail:
1541 	bzero(&sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1542 	mac->cd_length = 0;
1543 	return (ret);
1544 }
1545 
1546 /*
1547  * KCF software provider context management entry points.
1548  */
1549 
1550 /* ARGSUSED */
1551 static int
1552 sha2_create_ctx_template(crypto_provider_handle_t provider,
1553     crypto_mechanism_t *mechanism, crypto_key_t *key,
1554     crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size,
1555     crypto_req_handle_t req)
1556 {
1557 	sha2_hmac_ctx_t *sha2_hmac_ctx_tmpl;
1558 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1559 	uint32_t sha_digest_len, sha_hmac_block_size;
1560 
1561 	/*
1562 	 * Set the digest length and block size to values appropriate to the
1563 	 * mechanism
1564 	 */
1565 	switch (mechanism->cm_type) {
1566 	case SHA256_HMAC_MECH_INFO_TYPE:
1567 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1568 		sha_digest_len = SHA256_DIGEST_LENGTH;
1569 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1570 		break;
1571 	case SHA384_HMAC_MECH_INFO_TYPE:
1572 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1573 	case SHA512_HMAC_MECH_INFO_TYPE:
1574 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1575 		sha_digest_len = SHA512_DIGEST_LENGTH;
1576 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1577 		break;
1578 	default:
1579 		return (CRYPTO_MECHANISM_INVALID);
1580 	}
1581 
1582 	/* Add support for key by attributes (RFE 4706552) */
1583 	if (key->ck_format != CRYPTO_KEY_RAW)
1584 		return (CRYPTO_ARGUMENTS_BAD);
1585 
1586 	/*
1587 	 * Allocate and initialize SHA2 context.
1588 	 */
1589 	sha2_hmac_ctx_tmpl = kmem_alloc(sizeof (sha2_hmac_ctx_t),
1590 	    crypto_kmflag(req));
1591 	if (sha2_hmac_ctx_tmpl == NULL)
1592 		return (CRYPTO_HOST_MEMORY);
1593 
1594 	sha2_hmac_ctx_tmpl->hc_mech_type = mechanism->cm_type;
1595 
1596 	if (keylen_in_bytes > sha_hmac_block_size) {
1597 		uchar_t digested_key[SHA512_DIGEST_LENGTH];
1598 
1599 		/*
1600 		 * Hash the passed-in key to get a smaller key.
1601 		 * The inner context is used since it hasn't been
1602 		 * initialized yet.
1603 		 */
1604 		PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1605 		    &sha2_hmac_ctx_tmpl->hc_icontext,
1606 		    key->ck_data, keylen_in_bytes, digested_key);
1607 		sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, digested_key,
1608 		    sha_digest_len);
1609 	} else {
1610 		sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, key->ck_data,
1611 		    keylen_in_bytes);
1612 	}
1613 
1614 	*ctx_template = (crypto_spi_ctx_template_t)sha2_hmac_ctx_tmpl;
1615 	*ctx_template_size = sizeof (sha2_hmac_ctx_t);
1616 
1617 	return (CRYPTO_SUCCESS);
1618 }
1619 
1620 static int
1621 sha2_free_context(crypto_ctx_t *ctx)
1622 {
1623 	uint_t ctx_len;
1624 
1625 	if (ctx->cc_provider_private == NULL)
1626 		return (CRYPTO_SUCCESS);
1627 
1628 	switch (PROV_SHA2_CTX(ctx)->sc_mech_type) {
1629 	case SHA256_MECH_INFO_TYPE:
1630 	case SHA384_MECH_INFO_TYPE:
1631 	case SHA512_MECH_INFO_TYPE:
1632 	case SHA512_224_MECH_INFO_TYPE:
1633 	case SHA512_256_MECH_INFO_TYPE:
1634 		ctx_len = sizeof (sha2_ctx_t);
1635 		break;
1636 	case SHA256_HMAC_MECH_INFO_TYPE:
1637 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1638 	case SHA384_HMAC_MECH_INFO_TYPE:
1639 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1640 	case SHA512_HMAC_MECH_INFO_TYPE:
1641 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1642 		ctx_len = sizeof (sha2_hmac_ctx_t);
1643 		break;
1644 	default:
1645 		/*
1646 		 * If we get here, someone forgot to update the above list
1647 		 * when adding a new mechanism.  Without the correct ctx_len
1648 		 * we will corrupt the heap when calling kmem_free, so panic
1649 		 * now and make it easier to identify the problem.
1650 		 */
1651 		panic("Unknown SHA2 mechanism %d",
1652 		    PROV_SHA2_CTX(ctx)->sc_mech_type);
1653 	}
1654 
1655 	bzero(ctx->cc_provider_private, ctx_len);
1656 	kmem_free(ctx->cc_provider_private, ctx_len);
1657 	ctx->cc_provider_private = NULL;
1658 
1659 	return (CRYPTO_SUCCESS);
1660 }
1661