1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 #include <sys/modctl.h> 30 #include <sys/cmn_err.h> 31 #include <sys/crypto/common.h> 32 #include <sys/crypto/spi.h> 33 #include <sys/strsun.h> 34 #include <sys/systm.h> 35 #include <sys/sysmacros.h> 36 #define _SHA2_IMPL 37 #include <sys/sha2.h> 38 39 /* 40 * The sha2 module is created with two modlinkages: 41 * - a modlmisc that allows consumers to directly call the entry points 42 * SHA2Init, SHA2Update, and SHA2Final. 43 * - a modlcrypto that allows the module to register with the Kernel 44 * Cryptographic Framework (KCF) as a software provider for the SHA2 45 * mechanisms. 46 */ 47 48 static struct modlmisc modlmisc = { 49 &mod_miscops, 50 "SHA2 Message-Digest Algorithm" 51 }; 52 53 static struct modlcrypto modlcrypto = { 54 &mod_cryptoops, 55 "SHA2 Kernel SW Provider" 56 }; 57 58 static struct modlinkage modlinkage = { 59 MODREV_1, &modlmisc, &modlcrypto, NULL 60 }; 61 62 /* 63 * CSPI information (entry points, provider info, etc.) 64 */ 65 66 /* 67 * Context for SHA2 mechanism. 68 */ 69 typedef struct sha2_ctx { 70 sha2_mech_type_t sc_mech_type; /* type of context */ 71 SHA2_CTX sc_sha2_ctx; /* SHA2 context */ 72 } sha2_ctx_t; 73 74 /* 75 * Context for SHA2 HMAC and HMAC GENERAL mechanisms. 76 */ 77 typedef struct sha2_hmac_ctx { 78 sha2_mech_type_t hc_mech_type; /* type of context */ 79 uint32_t hc_digest_len; /* digest len in bytes */ 80 SHA2_CTX hc_icontext; /* inner SHA2 context */ 81 SHA2_CTX hc_ocontext; /* outer SHA2 context */ 82 } sha2_hmac_ctx_t; 83 84 /* 85 * Macros to access the SHA2 or SHA2-HMAC contexts from a context passed 86 * by KCF to one of the entry points. 87 */ 88 89 #define PROV_SHA2_CTX(ctx) ((sha2_ctx_t *)(ctx)->cc_provider_private) 90 #define PROV_SHA2_HMAC_CTX(ctx) ((sha2_hmac_ctx_t *)(ctx)->cc_provider_private) 91 92 /* to extract the digest length passed as mechanism parameter */ 93 #define PROV_SHA2_GET_DIGEST_LEN(m, len) { \ 94 if (IS_P2ALIGNED((m)->cm_param, sizeof (ulong_t))) \ 95 (len) = (uint32_t)*((ulong_t *)(m)->cm_param); \ 96 else { \ 97 ulong_t tmp_ulong; \ 98 bcopy((m)->cm_param, &tmp_ulong, sizeof (ulong_t)); \ 99 (len) = (uint32_t)tmp_ulong; \ 100 } \ 101 } 102 103 #define PROV_SHA2_DIGEST_KEY(mech, ctx, key, len, digest) { \ 104 SHA2Init(mech, ctx); \ 105 SHA2Update(ctx, key, len); \ 106 SHA2Final(digest, ctx); \ 107 } 108 109 /* 110 * Mechanism info structure passed to KCF during registration. 111 */ 112 static crypto_mech_info_t sha2_mech_info_tab[] = { 113 /* SHA256 */ 114 {SUN_CKM_SHA256, SHA256_MECH_INFO_TYPE, 115 CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC, 116 0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 117 /* SHA256-HMAC */ 118 {SUN_CKM_SHA256_HMAC, SHA256_HMAC_MECH_INFO_TYPE, 119 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, 120 SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN, 121 CRYPTO_KEYSIZE_UNIT_IN_BITS}, 122 /* SHA256-HMAC GENERAL */ 123 {SUN_CKM_SHA256_HMAC_GENERAL, SHA256_HMAC_GEN_MECH_INFO_TYPE, 124 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, 125 SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN, 126 CRYPTO_KEYSIZE_UNIT_IN_BITS}, 127 /* SHA384 */ 128 {SUN_CKM_SHA384, SHA384_MECH_INFO_TYPE, 129 CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC, 130 0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 131 /* SHA384-HMAC */ 132 {SUN_CKM_SHA384_HMAC, SHA384_HMAC_MECH_INFO_TYPE, 133 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, 134 SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN, 135 CRYPTO_KEYSIZE_UNIT_IN_BITS}, 136 /* SHA384-HMAC GENERAL */ 137 {SUN_CKM_SHA384_HMAC_GENERAL, SHA384_HMAC_GEN_MECH_INFO_TYPE, 138 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, 139 SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN, 140 CRYPTO_KEYSIZE_UNIT_IN_BITS}, 141 /* SHA512 */ 142 {SUN_CKM_SHA512, SHA512_MECH_INFO_TYPE, 143 CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC, 144 0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 145 /* SHA512-HMAC */ 146 {SUN_CKM_SHA512_HMAC, SHA512_HMAC_MECH_INFO_TYPE, 147 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, 148 SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN, 149 CRYPTO_KEYSIZE_UNIT_IN_BITS}, 150 /* SHA512-HMAC GENERAL */ 151 {SUN_CKM_SHA512_HMAC_GENERAL, SHA512_HMAC_GEN_MECH_INFO_TYPE, 152 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, 153 SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN, 154 CRYPTO_KEYSIZE_UNIT_IN_BITS} 155 }; 156 157 static void sha2_provider_status(crypto_provider_handle_t, uint_t *); 158 159 static crypto_control_ops_t sha2_control_ops = { 160 sha2_provider_status 161 }; 162 163 static int sha2_digest_init(crypto_ctx_t *, crypto_mechanism_t *, 164 crypto_req_handle_t); 165 static int sha2_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 166 crypto_req_handle_t); 167 static int sha2_digest_update(crypto_ctx_t *, crypto_data_t *, 168 crypto_req_handle_t); 169 static int sha2_digest_final(crypto_ctx_t *, crypto_data_t *, 170 crypto_req_handle_t); 171 static int sha2_digest_atomic(crypto_provider_handle_t, crypto_session_id_t, 172 crypto_mechanism_t *, crypto_data_t *, crypto_data_t *, 173 crypto_req_handle_t); 174 175 static crypto_digest_ops_t sha2_digest_ops = { 176 sha2_digest_init, 177 sha2_digest, 178 sha2_digest_update, 179 NULL, 180 sha2_digest_final, 181 sha2_digest_atomic 182 }; 183 184 static int sha2_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *, 185 crypto_spi_ctx_template_t, crypto_req_handle_t); 186 static int sha2_mac_update(crypto_ctx_t *, crypto_data_t *, 187 crypto_req_handle_t); 188 static int sha2_mac_final(crypto_ctx_t *, crypto_data_t *, crypto_req_handle_t); 189 static int sha2_mac_atomic(crypto_provider_handle_t, crypto_session_id_t, 190 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, 191 crypto_spi_ctx_template_t, crypto_req_handle_t); 192 static int sha2_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t, 193 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, 194 crypto_spi_ctx_template_t, crypto_req_handle_t); 195 196 static crypto_mac_ops_t sha2_mac_ops = { 197 sha2_mac_init, 198 NULL, 199 sha2_mac_update, 200 sha2_mac_final, 201 sha2_mac_atomic, 202 sha2_mac_verify_atomic 203 }; 204 205 static int sha2_create_ctx_template(crypto_provider_handle_t, 206 crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *, 207 size_t *, crypto_req_handle_t); 208 static int sha2_free_context(crypto_ctx_t *); 209 210 static crypto_ctx_ops_t sha2_ctx_ops = { 211 sha2_create_ctx_template, 212 sha2_free_context 213 }; 214 215 static crypto_ops_t sha2_crypto_ops = { 216 &sha2_control_ops, 217 &sha2_digest_ops, 218 NULL, 219 &sha2_mac_ops, 220 NULL, 221 NULL, 222 NULL, 223 NULL, 224 NULL, 225 NULL, 226 NULL, 227 NULL, 228 NULL, 229 &sha2_ctx_ops 230 }; 231 232 static crypto_provider_info_t sha2_prov_info = { 233 CRYPTO_SPI_VERSION_1, 234 "SHA2 Software Provider", 235 CRYPTO_SW_PROVIDER, 236 {&modlinkage}, 237 NULL, 238 &sha2_crypto_ops, 239 sizeof (sha2_mech_info_tab)/sizeof (crypto_mech_info_t), 240 sha2_mech_info_tab 241 }; 242 243 static crypto_kcf_provider_handle_t sha2_prov_handle = NULL; 244 245 int 246 _init() 247 { 248 int ret; 249 250 if ((ret = mod_install(&modlinkage)) != 0) 251 return (ret); 252 253 /* 254 * Register with KCF. If the registration fails, log an 255 * error but do not uninstall the module, since the functionality 256 * provided by misc/sha2 should still be available. 257 */ 258 if ((ret = crypto_register_provider(&sha2_prov_info, 259 &sha2_prov_handle)) != CRYPTO_SUCCESS) 260 cmn_err(CE_WARN, "sha2 _init: " 261 "crypto_register_provider() failed (0x%x)", ret); 262 263 return (0); 264 } 265 266 int 267 _info(struct modinfo *modinfop) 268 { 269 return (mod_info(&modlinkage, modinfop)); 270 } 271 272 /* 273 * KCF software provider control entry points. 274 */ 275 /* ARGSUSED */ 276 static void 277 sha2_provider_status(crypto_provider_handle_t provider, uint_t *status) 278 { 279 *status = CRYPTO_PROVIDER_READY; 280 } 281 282 /* 283 * KCF software provider digest entry points. 284 */ 285 286 static int 287 sha2_digest_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 288 crypto_req_handle_t req) 289 { 290 291 /* 292 * Allocate and initialize SHA2 context. 293 */ 294 ctx->cc_provider_private = kmem_alloc(sizeof (sha2_ctx_t), 295 crypto_kmflag(req)); 296 if (ctx->cc_provider_private == NULL) 297 return (CRYPTO_HOST_MEMORY); 298 299 PROV_SHA2_CTX(ctx)->sc_mech_type = mechanism->cm_type; 300 SHA2Init(mechanism->cm_type, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx); 301 302 return (CRYPTO_SUCCESS); 303 } 304 305 /* 306 * Helper SHA2 digest update function for uio data. 307 */ 308 static int 309 sha2_digest_update_uio(SHA2_CTX *sha2_ctx, crypto_data_t *data) 310 { 311 off_t offset = data->cd_offset; 312 size_t length = data->cd_length; 313 uint_t vec_idx; 314 size_t cur_len; 315 316 /* we support only kernel buffer */ 317 if (data->cd_uio->uio_segflg != UIO_SYSSPACE) 318 return (CRYPTO_ARGUMENTS_BAD); 319 320 /* 321 * Jump to the first iovec containing data to be 322 * digested. 323 */ 324 for (vec_idx = 0; vec_idx < data->cd_uio->uio_iovcnt && 325 offset >= data->cd_uio->uio_iov[vec_idx].iov_len; 326 offset -= data->cd_uio->uio_iov[vec_idx++].iov_len) 327 ; 328 if (vec_idx == data->cd_uio->uio_iovcnt) { 329 /* 330 * The caller specified an offset that is larger than the 331 * total size of the buffers it provided. 332 */ 333 return (CRYPTO_DATA_LEN_RANGE); 334 } 335 336 /* 337 * Now do the digesting on the iovecs. 338 */ 339 while (vec_idx < data->cd_uio->uio_iovcnt && length > 0) { 340 cur_len = MIN(data->cd_uio->uio_iov[vec_idx].iov_len - 341 offset, length); 342 343 SHA2Update(sha2_ctx, (uint8_t *)data->cd_uio-> 344 uio_iov[vec_idx].iov_base + offset, cur_len); 345 length -= cur_len; 346 vec_idx++; 347 offset = 0; 348 } 349 350 if (vec_idx == data->cd_uio->uio_iovcnt && length > 0) { 351 /* 352 * The end of the specified iovec's was reached but 353 * the length requested could not be processed, i.e. 354 * The caller requested to digest more data than it provided. 355 */ 356 return (CRYPTO_DATA_LEN_RANGE); 357 } 358 359 return (CRYPTO_SUCCESS); 360 } 361 362 /* 363 * Helper SHA2 digest final function for uio data. 364 * digest_len is the length of the desired digest. If digest_len 365 * is smaller than the default SHA2 digest length, the caller 366 * must pass a scratch buffer, digest_scratch, which must 367 * be at least the algorithm's digest length bytes. 368 */ 369 static int 370 sha2_digest_final_uio(SHA2_CTX *sha2_ctx, crypto_data_t *digest, 371 ulong_t digest_len, uchar_t *digest_scratch) 372 { 373 off_t offset = digest->cd_offset; 374 uint_t vec_idx; 375 376 /* we support only kernel buffer */ 377 if (digest->cd_uio->uio_segflg != UIO_SYSSPACE) 378 return (CRYPTO_ARGUMENTS_BAD); 379 380 /* 381 * Jump to the first iovec containing ptr to the digest to 382 * be returned. 383 */ 384 for (vec_idx = 0; offset >= digest->cd_uio->uio_iov[vec_idx].iov_len && 385 vec_idx < digest->cd_uio->uio_iovcnt; 386 offset -= digest->cd_uio->uio_iov[vec_idx++].iov_len) 387 ; 388 if (vec_idx == digest->cd_uio->uio_iovcnt) { 389 /* 390 * The caller specified an offset that is 391 * larger than the total size of the buffers 392 * it provided. 393 */ 394 return (CRYPTO_DATA_LEN_RANGE); 395 } 396 397 if (offset + digest_len <= 398 digest->cd_uio->uio_iov[vec_idx].iov_len) { 399 /* 400 * The computed SHA2 digest will fit in the current 401 * iovec. 402 */ 403 if (((sha2_ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) && 404 (digest_len != SHA256_DIGEST_LENGTH)) || 405 ((sha2_ctx->algotype > SHA256_HMAC_GEN_MECH_INFO_TYPE) && 406 (digest_len != SHA512_DIGEST_LENGTH))) { 407 /* 408 * The caller requested a short digest. Digest 409 * into a scratch buffer and return to 410 * the user only what was requested. 411 */ 412 SHA2Final(digest_scratch, sha2_ctx); 413 414 bcopy(digest_scratch, (uchar_t *)digest-> 415 cd_uio->uio_iov[vec_idx].iov_base + offset, 416 digest_len); 417 } else { 418 SHA2Final((uchar_t *)digest-> 419 cd_uio->uio_iov[vec_idx].iov_base + offset, 420 sha2_ctx); 421 422 } 423 } else { 424 /* 425 * The computed digest will be crossing one or more iovec's. 426 * This is bad performance-wise but we need to support it. 427 * Allocate a small scratch buffer on the stack and 428 * copy it piece meal to the specified digest iovec's. 429 */ 430 uchar_t digest_tmp[SHA512_DIGEST_LENGTH]; 431 off_t scratch_offset = 0; 432 size_t length = digest_len; 433 size_t cur_len; 434 435 SHA2Final(digest_tmp, sha2_ctx); 436 437 while (vec_idx < digest->cd_uio->uio_iovcnt && length > 0) { 438 cur_len = 439 MIN(digest->cd_uio->uio_iov[vec_idx].iov_len - 440 offset, length); 441 bcopy(digest_tmp + scratch_offset, 442 digest->cd_uio->uio_iov[vec_idx].iov_base + offset, 443 cur_len); 444 445 length -= cur_len; 446 vec_idx++; 447 scratch_offset += cur_len; 448 offset = 0; 449 } 450 451 if (vec_idx == digest->cd_uio->uio_iovcnt && length > 0) { 452 /* 453 * The end of the specified iovec's was reached but 454 * the length requested could not be processed, i.e. 455 * The caller requested to digest more data than it 456 * provided. 457 */ 458 return (CRYPTO_DATA_LEN_RANGE); 459 } 460 } 461 462 return (CRYPTO_SUCCESS); 463 } 464 465 /* 466 * Helper SHA2 digest update for mblk's. 467 */ 468 static int 469 sha2_digest_update_mblk(SHA2_CTX *sha2_ctx, crypto_data_t *data) 470 { 471 off_t offset = data->cd_offset; 472 size_t length = data->cd_length; 473 mblk_t *mp; 474 size_t cur_len; 475 476 /* 477 * Jump to the first mblk_t containing data to be digested. 478 */ 479 for (mp = data->cd_mp; mp != NULL && offset >= MBLKL(mp); 480 offset -= MBLKL(mp), mp = mp->b_cont) 481 ; 482 if (mp == NULL) { 483 /* 484 * The caller specified an offset that is larger than the 485 * total size of the buffers it provided. 486 */ 487 return (CRYPTO_DATA_LEN_RANGE); 488 } 489 490 /* 491 * Now do the digesting on the mblk chain. 492 */ 493 while (mp != NULL && length > 0) { 494 cur_len = MIN(MBLKL(mp) - offset, length); 495 SHA2Update(sha2_ctx, mp->b_rptr + offset, cur_len); 496 length -= cur_len; 497 offset = 0; 498 mp = mp->b_cont; 499 } 500 501 if (mp == NULL && length > 0) { 502 /* 503 * The end of the mblk was reached but the length requested 504 * could not be processed, i.e. The caller requested 505 * to digest more data than it provided. 506 */ 507 return (CRYPTO_DATA_LEN_RANGE); 508 } 509 510 return (CRYPTO_SUCCESS); 511 } 512 513 /* 514 * Helper SHA2 digest final for mblk's. 515 * digest_len is the length of the desired digest. If digest_len 516 * is smaller than the default SHA2 digest length, the caller 517 * must pass a scratch buffer, digest_scratch, which must 518 * be at least the algorithm's digest length bytes. 519 */ 520 static int 521 sha2_digest_final_mblk(SHA2_CTX *sha2_ctx, crypto_data_t *digest, 522 ulong_t digest_len, uchar_t *digest_scratch) 523 { 524 off_t offset = digest->cd_offset; 525 mblk_t *mp; 526 527 /* 528 * Jump to the first mblk_t that will be used to store the digest. 529 */ 530 for (mp = digest->cd_mp; mp != NULL && offset >= MBLKL(mp); 531 offset -= MBLKL(mp), mp = mp->b_cont) 532 ; 533 if (mp == NULL) { 534 /* 535 * The caller specified an offset that is larger than the 536 * total size of the buffers it provided. 537 */ 538 return (CRYPTO_DATA_LEN_RANGE); 539 } 540 541 if (offset + digest_len <= MBLKL(mp)) { 542 /* 543 * The computed SHA2 digest will fit in the current mblk. 544 * Do the SHA2Final() in-place. 545 */ 546 if (((sha2_ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) && 547 (digest_len != SHA256_DIGEST_LENGTH)) || 548 ((sha2_ctx->algotype > SHA256_HMAC_GEN_MECH_INFO_TYPE) && 549 (digest_len != SHA512_DIGEST_LENGTH))) { 550 /* 551 * The caller requested a short digest. Digest 552 * into a scratch buffer and return to 553 * the user only what was requested. 554 */ 555 SHA2Final(digest_scratch, sha2_ctx); 556 bcopy(digest_scratch, mp->b_rptr + offset, digest_len); 557 } else { 558 SHA2Final(mp->b_rptr + offset, sha2_ctx); 559 } 560 } else { 561 /* 562 * The computed digest will be crossing one or more mblk's. 563 * This is bad performance-wise but we need to support it. 564 * Allocate a small scratch buffer on the stack and 565 * copy it piece meal to the specified digest iovec's. 566 */ 567 uchar_t digest_tmp[SHA512_DIGEST_LENGTH]; 568 off_t scratch_offset = 0; 569 size_t length = digest_len; 570 size_t cur_len; 571 572 SHA2Final(digest_tmp, sha2_ctx); 573 574 while (mp != NULL && length > 0) { 575 cur_len = MIN(MBLKL(mp) - offset, length); 576 bcopy(digest_tmp + scratch_offset, 577 mp->b_rptr + offset, cur_len); 578 579 length -= cur_len; 580 mp = mp->b_cont; 581 scratch_offset += cur_len; 582 offset = 0; 583 } 584 585 if (mp == NULL && length > 0) { 586 /* 587 * The end of the specified mblk was reached but 588 * the length requested could not be processed, i.e. 589 * The caller requested to digest more data than it 590 * provided. 591 */ 592 return (CRYPTO_DATA_LEN_RANGE); 593 } 594 } 595 596 return (CRYPTO_SUCCESS); 597 } 598 599 /* ARGSUSED */ 600 static int 601 sha2_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest, 602 crypto_req_handle_t req) 603 { 604 int ret = CRYPTO_SUCCESS; 605 uint_t sha_digest_len; 606 607 ASSERT(ctx->cc_provider_private != NULL); 608 609 switch (PROV_SHA2_CTX(ctx)->sc_mech_type) { 610 case SHA256_MECH_INFO_TYPE: 611 sha_digest_len = SHA256_DIGEST_LENGTH; 612 break; 613 case SHA384_MECH_INFO_TYPE: 614 sha_digest_len = SHA384_DIGEST_LENGTH; 615 break; 616 case SHA512_MECH_INFO_TYPE: 617 sha_digest_len = SHA512_DIGEST_LENGTH; 618 break; 619 default: 620 return (CRYPTO_MECHANISM_INVALID); 621 } 622 623 /* 624 * We need to just return the length needed to store the output. 625 * We should not destroy the context for the following cases. 626 */ 627 if ((digest->cd_length == 0) || 628 (digest->cd_length < sha_digest_len)) { 629 digest->cd_length = sha_digest_len; 630 return (CRYPTO_BUFFER_TOO_SMALL); 631 } 632 633 /* 634 * Do the SHA2 update on the specified input data. 635 */ 636 switch (data->cd_format) { 637 case CRYPTO_DATA_RAW: 638 SHA2Update(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx, 639 (uint8_t *)data->cd_raw.iov_base + data->cd_offset, 640 data->cd_length); 641 break; 642 case CRYPTO_DATA_UIO: 643 ret = sha2_digest_update_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx, 644 data); 645 break; 646 case CRYPTO_DATA_MBLK: 647 ret = sha2_digest_update_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx, 648 data); 649 break; 650 default: 651 ret = CRYPTO_ARGUMENTS_BAD; 652 } 653 654 if (ret != CRYPTO_SUCCESS) { 655 /* the update failed, free context and bail */ 656 kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t)); 657 ctx->cc_provider_private = NULL; 658 digest->cd_length = 0; 659 return (ret); 660 } 661 662 /* 663 * Do a SHA2 final, must be done separately since the digest 664 * type can be different than the input data type. 665 */ 666 switch (digest->cd_format) { 667 case CRYPTO_DATA_RAW: 668 SHA2Final((unsigned char *)digest->cd_raw.iov_base + 669 digest->cd_offset, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx); 670 break; 671 case CRYPTO_DATA_UIO: 672 ret = sha2_digest_final_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx, 673 digest, sha_digest_len, NULL); 674 break; 675 case CRYPTO_DATA_MBLK: 676 ret = sha2_digest_final_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx, 677 digest, sha_digest_len, NULL); 678 break; 679 default: 680 ret = CRYPTO_ARGUMENTS_BAD; 681 } 682 683 /* all done, free context and return */ 684 685 if (ret == CRYPTO_SUCCESS) 686 digest->cd_length = sha_digest_len; 687 else 688 digest->cd_length = 0; 689 690 kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t)); 691 ctx->cc_provider_private = NULL; 692 return (ret); 693 } 694 695 /* ARGSUSED */ 696 static int 697 sha2_digest_update(crypto_ctx_t *ctx, crypto_data_t *data, 698 crypto_req_handle_t req) 699 { 700 int ret = CRYPTO_SUCCESS; 701 702 ASSERT(ctx->cc_provider_private != NULL); 703 704 /* 705 * Do the SHA2 update on the specified input data. 706 */ 707 switch (data->cd_format) { 708 case CRYPTO_DATA_RAW: 709 SHA2Update(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx, 710 (uint8_t *)data->cd_raw.iov_base + data->cd_offset, 711 data->cd_length); 712 break; 713 case CRYPTO_DATA_UIO: 714 ret = sha2_digest_update_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx, 715 data); 716 break; 717 case CRYPTO_DATA_MBLK: 718 ret = sha2_digest_update_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx, 719 data); 720 break; 721 default: 722 ret = CRYPTO_ARGUMENTS_BAD; 723 } 724 725 return (ret); 726 } 727 728 /* ARGSUSED */ 729 static int 730 sha2_digest_final(crypto_ctx_t *ctx, crypto_data_t *digest, 731 crypto_req_handle_t req) 732 { 733 int ret = CRYPTO_SUCCESS; 734 uint_t sha_digest_len; 735 736 ASSERT(ctx->cc_provider_private != NULL); 737 738 switch (PROV_SHA2_CTX(ctx)->sc_mech_type) { 739 case SHA256_MECH_INFO_TYPE: 740 sha_digest_len = SHA256_DIGEST_LENGTH; 741 break; 742 case SHA384_MECH_INFO_TYPE: 743 sha_digest_len = SHA384_DIGEST_LENGTH; 744 break; 745 case SHA512_MECH_INFO_TYPE: 746 sha_digest_len = SHA512_DIGEST_LENGTH; 747 break; 748 default: 749 return (CRYPTO_MECHANISM_INVALID); 750 } 751 752 /* 753 * We need to just return the length needed to store the output. 754 * We should not destroy the context for the following cases. 755 */ 756 if ((digest->cd_length == 0) || 757 (digest->cd_length < sha_digest_len)) { 758 digest->cd_length = sha_digest_len; 759 return (CRYPTO_BUFFER_TOO_SMALL); 760 } 761 762 /* 763 * Do a SHA2 final. 764 */ 765 switch (digest->cd_format) { 766 case CRYPTO_DATA_RAW: 767 SHA2Final((unsigned char *)digest->cd_raw.iov_base + 768 digest->cd_offset, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx); 769 break; 770 case CRYPTO_DATA_UIO: 771 ret = sha2_digest_final_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx, 772 digest, sha_digest_len, NULL); 773 break; 774 case CRYPTO_DATA_MBLK: 775 ret = sha2_digest_final_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx, 776 digest, sha_digest_len, NULL); 777 break; 778 default: 779 ret = CRYPTO_ARGUMENTS_BAD; 780 } 781 782 /* all done, free context and return */ 783 784 if (ret == CRYPTO_SUCCESS) 785 digest->cd_length = sha_digest_len; 786 else 787 digest->cd_length = 0; 788 789 kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t)); 790 ctx->cc_provider_private = NULL; 791 792 return (ret); 793 } 794 795 /* ARGSUSED */ 796 static int 797 sha2_digest_atomic(crypto_provider_handle_t provider, 798 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 799 crypto_data_t *data, crypto_data_t *digest, 800 crypto_req_handle_t req) 801 { 802 int ret = CRYPTO_SUCCESS; 803 SHA2_CTX sha2_ctx; 804 uint32_t sha_digest_len; 805 806 /* 807 * Do the SHA inits. 808 */ 809 810 SHA2Init(mechanism->cm_type, &sha2_ctx); 811 812 switch (data->cd_format) { 813 case CRYPTO_DATA_RAW: 814 SHA2Update(&sha2_ctx, (uint8_t *)data-> 815 cd_raw.iov_base + data->cd_offset, data->cd_length); 816 break; 817 case CRYPTO_DATA_UIO: 818 ret = sha2_digest_update_uio(&sha2_ctx, data); 819 break; 820 case CRYPTO_DATA_MBLK: 821 ret = sha2_digest_update_mblk(&sha2_ctx, data); 822 break; 823 default: 824 ret = CRYPTO_ARGUMENTS_BAD; 825 } 826 827 /* 828 * Do the SHA updates on the specified input data. 829 */ 830 831 if (ret != CRYPTO_SUCCESS) { 832 /* the update failed, bail */ 833 digest->cd_length = 0; 834 return (ret); 835 } 836 837 if (mechanism->cm_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE) 838 sha_digest_len = SHA256_DIGEST_LENGTH; 839 else 840 sha_digest_len = SHA512_DIGEST_LENGTH; 841 842 /* 843 * Do a SHA2 final, must be done separately since the digest 844 * type can be different than the input data type. 845 */ 846 switch (digest->cd_format) { 847 case CRYPTO_DATA_RAW: 848 SHA2Final((unsigned char *)digest->cd_raw.iov_base + 849 digest->cd_offset, &sha2_ctx); 850 break; 851 case CRYPTO_DATA_UIO: 852 ret = sha2_digest_final_uio(&sha2_ctx, digest, 853 sha_digest_len, NULL); 854 break; 855 case CRYPTO_DATA_MBLK: 856 ret = sha2_digest_final_mblk(&sha2_ctx, digest, 857 sha_digest_len, NULL); 858 break; 859 default: 860 ret = CRYPTO_ARGUMENTS_BAD; 861 } 862 863 if (ret == CRYPTO_SUCCESS) 864 digest->cd_length = sha_digest_len; 865 else 866 digest->cd_length = 0; 867 868 return (ret); 869 } 870 871 /* 872 * KCF software provider mac entry points. 873 * 874 * SHA2 HMAC is: SHA2(key XOR opad, SHA2(key XOR ipad, text)) 875 * 876 * Init: 877 * The initialization routine initializes what we denote 878 * as the inner and outer contexts by doing 879 * - for inner context: SHA2(key XOR ipad) 880 * - for outer context: SHA2(key XOR opad) 881 * 882 * Update: 883 * Each subsequent SHA2 HMAC update will result in an 884 * update of the inner context with the specified data. 885 * 886 * Final: 887 * The SHA2 HMAC final will do a SHA2 final operation on the 888 * inner context, and the resulting digest will be used 889 * as the data for an update on the outer context. Last 890 * but not least, a SHA2 final on the outer context will 891 * be performed to obtain the SHA2 HMAC digest to return 892 * to the user. 893 */ 894 895 /* 896 * Initialize a SHA2-HMAC context. 897 */ 898 static void 899 sha2_mac_init_ctx(sha2_hmac_ctx_t *ctx, void *keyval, uint_t length_in_bytes) 900 { 901 uint64_t ipad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)]; 902 uint64_t opad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)]; 903 int i, block_size, blocks_per_int64; 904 905 /* Determine the block size */ 906 if (ctx->hc_mech_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE) { 907 block_size = SHA256_HMAC_BLOCK_SIZE; 908 blocks_per_int64 = SHA256_HMAC_BLOCK_SIZE / sizeof (uint64_t); 909 } else { 910 block_size = SHA512_HMAC_BLOCK_SIZE; 911 blocks_per_int64 = SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t); 912 } 913 914 (void) bzero(ipad, block_size); 915 (void) bzero(opad, block_size); 916 (void) bcopy(keyval, ipad, length_in_bytes); 917 (void) bcopy(keyval, opad, length_in_bytes); 918 919 /* XOR key with ipad (0x36) and opad (0x5c) */ 920 for (i = 0; i < blocks_per_int64; i ++) { 921 ipad[i] ^= 0x3636363636363636; 922 opad[i] ^= 0x5c5c5c5c5c5c5c5c; 923 } 924 925 /* perform SHA2 on ipad */ 926 SHA2Init(ctx->hc_mech_type, &ctx->hc_icontext); 927 SHA2Update(&ctx->hc_icontext, (uint8_t *)ipad, block_size); 928 929 /* perform SHA2 on opad */ 930 SHA2Init(ctx->hc_mech_type, &ctx->hc_ocontext); 931 SHA2Update(&ctx->hc_ocontext, (uint8_t *)opad, block_size); 932 933 } 934 935 /* 936 */ 937 static int 938 sha2_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 939 crypto_key_t *key, crypto_spi_ctx_template_t ctx_template, 940 crypto_req_handle_t req) 941 { 942 int ret = CRYPTO_SUCCESS; 943 uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length); 944 uint_t sha_digest_len, sha_hmac_block_size; 945 946 /* 947 * Set the digest length and block size to values approriate to the 948 * mechanism 949 */ 950 switch (mechanism->cm_type) { 951 case SHA256_HMAC_MECH_INFO_TYPE: 952 case SHA256_HMAC_GEN_MECH_INFO_TYPE: 953 sha_digest_len = SHA256_DIGEST_LENGTH; 954 sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE; 955 break; 956 case SHA384_HMAC_MECH_INFO_TYPE: 957 case SHA384_HMAC_GEN_MECH_INFO_TYPE: 958 case SHA512_HMAC_MECH_INFO_TYPE: 959 case SHA512_HMAC_GEN_MECH_INFO_TYPE: 960 sha_digest_len = SHA512_DIGEST_LENGTH; 961 sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE; 962 break; 963 default: 964 return (CRYPTO_MECHANISM_INVALID); 965 } 966 967 if (key->ck_format != CRYPTO_KEY_RAW) 968 return (CRYPTO_ARGUMENTS_BAD); 969 970 ctx->cc_provider_private = kmem_alloc(sizeof (sha2_hmac_ctx_t), 971 crypto_kmflag(req)); 972 if (ctx->cc_provider_private == NULL) 973 return (CRYPTO_HOST_MEMORY); 974 975 PROV_SHA2_HMAC_CTX(ctx)->hc_mech_type = mechanism->cm_type; 976 if (ctx_template != NULL) { 977 /* reuse context template */ 978 bcopy(ctx_template, PROV_SHA2_HMAC_CTX(ctx), 979 sizeof (sha2_hmac_ctx_t)); 980 } else { 981 /* no context template, compute context */ 982 if (keylen_in_bytes > sha_hmac_block_size) { 983 uchar_t digested_key[SHA512_DIGEST_LENGTH]; 984 sha2_hmac_ctx_t *hmac_ctx = ctx->cc_provider_private; 985 986 /* 987 * Hash the passed-in key to get a smaller key. 988 * The inner context is used since it hasn't been 989 * initialized yet. 990 */ 991 PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3, 992 &hmac_ctx->hc_icontext, 993 key->ck_data, keylen_in_bytes, digested_key); 994 sha2_mac_init_ctx(PROV_SHA2_HMAC_CTX(ctx), 995 digested_key, sha_digest_len); 996 } else { 997 sha2_mac_init_ctx(PROV_SHA2_HMAC_CTX(ctx), 998 key->ck_data, keylen_in_bytes); 999 } 1000 } 1001 1002 /* 1003 * Get the mechanism parameters, if applicable. 1004 */ 1005 if (mechanism->cm_type % 3 == 2) { 1006 if (mechanism->cm_param == NULL || 1007 mechanism->cm_param_len != sizeof (ulong_t)) 1008 ret = CRYPTO_MECHANISM_PARAM_INVALID; 1009 PROV_SHA2_GET_DIGEST_LEN(mechanism, 1010 PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len); 1011 if (PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len > sha_digest_len) 1012 ret = CRYPTO_MECHANISM_PARAM_INVALID; 1013 } 1014 1015 if (ret != CRYPTO_SUCCESS) { 1016 bzero(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t)); 1017 kmem_free(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t)); 1018 ctx->cc_provider_private = NULL; 1019 } 1020 1021 return (ret); 1022 } 1023 1024 /* ARGSUSED */ 1025 static int 1026 sha2_mac_update(crypto_ctx_t *ctx, crypto_data_t *data, 1027 crypto_req_handle_t req) 1028 { 1029 int ret = CRYPTO_SUCCESS; 1030 1031 ASSERT(ctx->cc_provider_private != NULL); 1032 1033 /* 1034 * Do a SHA2 update of the inner context using the specified 1035 * data. 1036 */ 1037 switch (data->cd_format) { 1038 case CRYPTO_DATA_RAW: 1039 SHA2Update(&PROV_SHA2_HMAC_CTX(ctx)->hc_icontext, 1040 (uint8_t *)data->cd_raw.iov_base + data->cd_offset, 1041 data->cd_length); 1042 break; 1043 case CRYPTO_DATA_UIO: 1044 ret = sha2_digest_update_uio( 1045 &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext, data); 1046 break; 1047 case CRYPTO_DATA_MBLK: 1048 ret = sha2_digest_update_mblk( 1049 &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext, data); 1050 break; 1051 default: 1052 ret = CRYPTO_ARGUMENTS_BAD; 1053 } 1054 1055 return (ret); 1056 } 1057 1058 /* ARGSUSED */ 1059 static int 1060 sha2_mac_final(crypto_ctx_t *ctx, crypto_data_t *mac, crypto_req_handle_t req) 1061 { 1062 int ret = CRYPTO_SUCCESS; 1063 uchar_t digest[SHA512_DIGEST_LENGTH]; 1064 uint32_t digest_len, sha_digest_len; 1065 1066 ASSERT(ctx->cc_provider_private != NULL); 1067 1068 /* Set the digest lengths to values approriate to the mechanism */ 1069 switch (PROV_SHA2_HMAC_CTX(ctx)->hc_mech_type) { 1070 case SHA256_HMAC_MECH_INFO_TYPE: 1071 sha_digest_len = digest_len = SHA256_DIGEST_LENGTH; 1072 break; 1073 case SHA384_HMAC_MECH_INFO_TYPE: 1074 sha_digest_len = digest_len = SHA384_DIGEST_LENGTH; 1075 break; 1076 case SHA512_HMAC_MECH_INFO_TYPE: 1077 sha_digest_len = digest_len = SHA512_DIGEST_LENGTH; 1078 break; 1079 case SHA256_HMAC_GEN_MECH_INFO_TYPE: 1080 sha_digest_len = SHA256_DIGEST_LENGTH; 1081 digest_len = PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len; 1082 break; 1083 case SHA384_HMAC_GEN_MECH_INFO_TYPE: 1084 case SHA512_HMAC_GEN_MECH_INFO_TYPE: 1085 sha_digest_len = SHA512_DIGEST_LENGTH; 1086 digest_len = PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len; 1087 break; 1088 } 1089 1090 /* 1091 * We need to just return the length needed to store the output. 1092 * We should not destroy the context for the following cases. 1093 */ 1094 if ((mac->cd_length == 0) || (mac->cd_length < digest_len)) { 1095 mac->cd_length = digest_len; 1096 return (CRYPTO_BUFFER_TOO_SMALL); 1097 } 1098 1099 /* 1100 * Do a SHA2 final on the inner context. 1101 */ 1102 SHA2Final(digest, &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext); 1103 1104 /* 1105 * Do a SHA2 update on the outer context, feeding the inner 1106 * digest as data. 1107 */ 1108 SHA2Update(&PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, digest, 1109 sha_digest_len); 1110 1111 /* 1112 * Do a SHA2 final on the outer context, storing the computing 1113 * digest in the users buffer. 1114 */ 1115 switch (mac->cd_format) { 1116 case CRYPTO_DATA_RAW: 1117 if (digest_len != sha_digest_len) { 1118 /* 1119 * The caller requested a short digest. Digest 1120 * into a scratch buffer and return to 1121 * the user only what was requested. 1122 */ 1123 SHA2Final(digest, 1124 &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext); 1125 bcopy(digest, (unsigned char *)mac->cd_raw.iov_base + 1126 mac->cd_offset, digest_len); 1127 } else { 1128 SHA2Final((unsigned char *)mac->cd_raw.iov_base + 1129 mac->cd_offset, 1130 &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext); 1131 } 1132 break; 1133 case CRYPTO_DATA_UIO: 1134 ret = sha2_digest_final_uio( 1135 &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, mac, 1136 digest_len, digest); 1137 break; 1138 case CRYPTO_DATA_MBLK: 1139 ret = sha2_digest_final_mblk( 1140 &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, mac, 1141 digest_len, digest); 1142 break; 1143 default: 1144 ret = CRYPTO_ARGUMENTS_BAD; 1145 } 1146 1147 if (ret == CRYPTO_SUCCESS) 1148 mac->cd_length = digest_len; 1149 else 1150 mac->cd_length = 0; 1151 1152 bzero(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t)); 1153 kmem_free(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t)); 1154 ctx->cc_provider_private = NULL; 1155 1156 return (ret); 1157 } 1158 1159 #define SHA2_MAC_UPDATE(data, ctx, ret) { \ 1160 switch (data->cd_format) { \ 1161 case CRYPTO_DATA_RAW: \ 1162 SHA2Update(&(ctx).hc_icontext, \ 1163 (uint8_t *)data->cd_raw.iov_base + \ 1164 data->cd_offset, data->cd_length); \ 1165 break; \ 1166 case CRYPTO_DATA_UIO: \ 1167 ret = sha2_digest_update_uio(&(ctx).hc_icontext, data); \ 1168 break; \ 1169 case CRYPTO_DATA_MBLK: \ 1170 ret = sha2_digest_update_mblk(&(ctx).hc_icontext, \ 1171 data); \ 1172 break; \ 1173 default: \ 1174 ret = CRYPTO_ARGUMENTS_BAD; \ 1175 } \ 1176 } 1177 1178 /* ARGSUSED */ 1179 static int 1180 sha2_mac_atomic(crypto_provider_handle_t provider, 1181 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1182 crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, 1183 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) 1184 { 1185 int ret = CRYPTO_SUCCESS; 1186 uchar_t digest[SHA512_DIGEST_LENGTH]; 1187 sha2_hmac_ctx_t sha2_hmac_ctx; 1188 uint32_t sha_digest_len, digest_len, sha_hmac_block_size; 1189 uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length); 1190 1191 /* 1192 * Set the digest length and block size to values approriate to the 1193 * mechanism 1194 */ 1195 switch (mechanism->cm_type) { 1196 case SHA256_HMAC_MECH_INFO_TYPE: 1197 case SHA256_HMAC_GEN_MECH_INFO_TYPE: 1198 sha_digest_len = digest_len = SHA256_DIGEST_LENGTH; 1199 sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE; 1200 break; 1201 case SHA384_HMAC_MECH_INFO_TYPE: 1202 case SHA384_HMAC_GEN_MECH_INFO_TYPE: 1203 case SHA512_HMAC_MECH_INFO_TYPE: 1204 case SHA512_HMAC_GEN_MECH_INFO_TYPE: 1205 sha_digest_len = digest_len = SHA512_DIGEST_LENGTH; 1206 sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE; 1207 break; 1208 default: 1209 return (CRYPTO_MECHANISM_INVALID); 1210 } 1211 1212 /* Add support for key by attributes (RFE 4706552) */ 1213 if (key->ck_format != CRYPTO_KEY_RAW) 1214 return (CRYPTO_ARGUMENTS_BAD); 1215 1216 if (ctx_template != NULL) { 1217 /* reuse context template */ 1218 bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t)); 1219 } else { 1220 sha2_hmac_ctx.hc_mech_type = mechanism->cm_type; 1221 /* no context template, initialize context */ 1222 if (keylen_in_bytes > sha_hmac_block_size) { 1223 /* 1224 * Hash the passed-in key to get a smaller key. 1225 * The inner context is used since it hasn't been 1226 * initialized yet. 1227 */ 1228 PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3, 1229 &sha2_hmac_ctx.hc_icontext, 1230 key->ck_data, keylen_in_bytes, digest); 1231 sha2_mac_init_ctx(&sha2_hmac_ctx, digest, 1232 sha_digest_len); 1233 } else { 1234 sha2_mac_init_ctx(&sha2_hmac_ctx, key->ck_data, 1235 keylen_in_bytes); 1236 } 1237 } 1238 1239 /* get the mechanism parameters, if applicable */ 1240 if ((mechanism->cm_type % 3) == 2) { 1241 if (mechanism->cm_param == NULL || 1242 mechanism->cm_param_len != sizeof (ulong_t)) { 1243 ret = CRYPTO_MECHANISM_PARAM_INVALID; 1244 goto bail; 1245 } 1246 PROV_SHA2_GET_DIGEST_LEN(mechanism, digest_len); 1247 if (digest_len > sha_digest_len) { 1248 ret = CRYPTO_MECHANISM_PARAM_INVALID; 1249 goto bail; 1250 } 1251 } 1252 1253 /* do a SHA2 update of the inner context using the specified data */ 1254 SHA2_MAC_UPDATE(data, sha2_hmac_ctx, ret); 1255 if (ret != CRYPTO_SUCCESS) 1256 /* the update failed, free context and bail */ 1257 goto bail; 1258 1259 /* 1260 * Do a SHA2 final on the inner context. 1261 */ 1262 SHA2Final(digest, &sha2_hmac_ctx.hc_icontext); 1263 1264 /* 1265 * Do an SHA2 update on the outer context, feeding the inner 1266 * digest as data. 1267 * 1268 * HMAC-SHA384 needs special handling as the outer hash needs only 48 1269 * bytes of the inner hash value. 1270 */ 1271 if (mechanism->cm_type == SHA384_HMAC_MECH_INFO_TYPE || 1272 mechanism->cm_type == SHA384_HMAC_GEN_MECH_INFO_TYPE) 1273 SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, 1274 SHA384_DIGEST_LENGTH); 1275 else 1276 SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, sha_digest_len); 1277 1278 /* 1279 * Do a SHA2 final on the outer context, storing the computed 1280 * digest in the users buffer. 1281 */ 1282 switch (mac->cd_format) { 1283 case CRYPTO_DATA_RAW: 1284 if (digest_len != sha_digest_len) { 1285 /* 1286 * The caller requested a short digest. Digest 1287 * into a scratch buffer and return to 1288 * the user only what was requested. 1289 */ 1290 SHA2Final(digest, &sha2_hmac_ctx.hc_ocontext); 1291 bcopy(digest, (unsigned char *)mac->cd_raw.iov_base + 1292 mac->cd_offset, digest_len); 1293 } else { 1294 SHA2Final((unsigned char *)mac->cd_raw.iov_base + 1295 mac->cd_offset, &sha2_hmac_ctx.hc_ocontext); 1296 } 1297 break; 1298 case CRYPTO_DATA_UIO: 1299 ret = sha2_digest_final_uio(&sha2_hmac_ctx.hc_ocontext, mac, 1300 digest_len, digest); 1301 break; 1302 case CRYPTO_DATA_MBLK: 1303 ret = sha2_digest_final_mblk(&sha2_hmac_ctx.hc_ocontext, mac, 1304 digest_len, digest); 1305 break; 1306 default: 1307 ret = CRYPTO_ARGUMENTS_BAD; 1308 } 1309 1310 if (ret == CRYPTO_SUCCESS) { 1311 mac->cd_length = digest_len; 1312 return (CRYPTO_SUCCESS); 1313 } 1314 bail: 1315 bzero(&sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t)); 1316 mac->cd_length = 0; 1317 return (ret); 1318 } 1319 1320 /* ARGSUSED */ 1321 static int 1322 sha2_mac_verify_atomic(crypto_provider_handle_t provider, 1323 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1324 crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, 1325 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) 1326 { 1327 int ret = CRYPTO_SUCCESS; 1328 uchar_t digest[SHA512_DIGEST_LENGTH]; 1329 sha2_hmac_ctx_t sha2_hmac_ctx; 1330 uint32_t sha_digest_len, digest_len, sha_hmac_block_size; 1331 uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length); 1332 1333 /* 1334 * Set the digest length and block size to values approriate to the 1335 * mechanism 1336 */ 1337 switch (mechanism->cm_type) { 1338 case SHA256_HMAC_MECH_INFO_TYPE: 1339 case SHA256_HMAC_GEN_MECH_INFO_TYPE: 1340 sha_digest_len = digest_len = SHA256_DIGEST_LENGTH; 1341 sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE; 1342 break; 1343 case SHA384_HMAC_MECH_INFO_TYPE: 1344 case SHA384_HMAC_GEN_MECH_INFO_TYPE: 1345 case SHA512_HMAC_MECH_INFO_TYPE: 1346 case SHA512_HMAC_GEN_MECH_INFO_TYPE: 1347 sha_digest_len = digest_len = SHA512_DIGEST_LENGTH; 1348 sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE; 1349 break; 1350 default: 1351 return (CRYPTO_MECHANISM_INVALID); 1352 } 1353 1354 /* Add support for key by attributes (RFE 4706552) */ 1355 if (key->ck_format != CRYPTO_KEY_RAW) 1356 return (CRYPTO_ARGUMENTS_BAD); 1357 1358 if (ctx_template != NULL) { 1359 /* reuse context template */ 1360 bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t)); 1361 } else { 1362 /* no context template, initialize context */ 1363 if (keylen_in_bytes > sha_hmac_block_size) { 1364 /* 1365 * Hash the passed-in key to get a smaller key. 1366 * The inner context is used since it hasn't been 1367 * initialized yet. 1368 */ 1369 PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3, 1370 &sha2_hmac_ctx.hc_icontext, 1371 key->ck_data, keylen_in_bytes, digest); 1372 sha2_mac_init_ctx(&sha2_hmac_ctx, digest, 1373 sha_digest_len); 1374 } else { 1375 sha2_mac_init_ctx(&sha2_hmac_ctx, key->ck_data, 1376 keylen_in_bytes); 1377 } 1378 } 1379 1380 /* get the mechanism parameters, if applicable */ 1381 if (mechanism->cm_type % 3 == 2) { 1382 if (mechanism->cm_param == NULL || 1383 mechanism->cm_param_len != sizeof (ulong_t)) { 1384 ret = CRYPTO_MECHANISM_PARAM_INVALID; 1385 goto bail; 1386 } 1387 PROV_SHA2_GET_DIGEST_LEN(mechanism, digest_len); 1388 if (digest_len > sha_digest_len) { 1389 ret = CRYPTO_MECHANISM_PARAM_INVALID; 1390 goto bail; 1391 } 1392 } 1393 1394 if (mac->cd_length != digest_len) { 1395 ret = CRYPTO_INVALID_MAC; 1396 goto bail; 1397 } 1398 1399 /* do a SHA2 update of the inner context using the specified data */ 1400 SHA2_MAC_UPDATE(data, sha2_hmac_ctx, ret); 1401 if (ret != CRYPTO_SUCCESS) 1402 /* the update failed, free context and bail */ 1403 goto bail; 1404 1405 /* do a SHA2 final on the inner context */ 1406 SHA2Final(digest, &sha2_hmac_ctx.hc_icontext); 1407 1408 /* 1409 * Do an SHA2 update on the outer context, feeding the inner 1410 * digest as data. 1411 * 1412 * HMAC-SHA384 needs special handling as the outer hash needs only 48 1413 * bytes of the inner hash value. 1414 */ 1415 if (mechanism->cm_type == SHA384_HMAC_MECH_INFO_TYPE || 1416 mechanism->cm_type == SHA384_HMAC_GEN_MECH_INFO_TYPE) 1417 SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, 1418 SHA384_DIGEST_LENGTH); 1419 else 1420 SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, sha_digest_len); 1421 1422 /* 1423 * Do a SHA2 final on the outer context, storing the computed 1424 * digest in the users buffer. 1425 */ 1426 SHA2Final(digest, &sha2_hmac_ctx.hc_ocontext); 1427 1428 /* 1429 * Compare the computed digest against the expected digest passed 1430 * as argument. 1431 */ 1432 1433 switch (mac->cd_format) { 1434 1435 case CRYPTO_DATA_RAW: 1436 if (bcmp(digest, (unsigned char *)mac->cd_raw.iov_base + 1437 mac->cd_offset, digest_len) != 0) 1438 ret = CRYPTO_INVALID_MAC; 1439 break; 1440 1441 case CRYPTO_DATA_UIO: { 1442 off_t offset = mac->cd_offset; 1443 uint_t vec_idx; 1444 off_t scratch_offset = 0; 1445 size_t length = digest_len; 1446 size_t cur_len; 1447 1448 /* we support only kernel buffer */ 1449 if (mac->cd_uio->uio_segflg != UIO_SYSSPACE) 1450 return (CRYPTO_ARGUMENTS_BAD); 1451 1452 /* jump to the first iovec containing the expected digest */ 1453 for (vec_idx = 0; 1454 offset >= mac->cd_uio->uio_iov[vec_idx].iov_len && 1455 vec_idx < mac->cd_uio->uio_iovcnt; 1456 offset -= mac->cd_uio->uio_iov[vec_idx++].iov_len) 1457 ; 1458 if (vec_idx == mac->cd_uio->uio_iovcnt) { 1459 /* 1460 * The caller specified an offset that is 1461 * larger than the total size of the buffers 1462 * it provided. 1463 */ 1464 ret = CRYPTO_DATA_LEN_RANGE; 1465 break; 1466 } 1467 1468 /* do the comparison of computed digest vs specified one */ 1469 while (vec_idx < mac->cd_uio->uio_iovcnt && length > 0) { 1470 cur_len = MIN(mac->cd_uio->uio_iov[vec_idx].iov_len - 1471 offset, length); 1472 1473 if (bcmp(digest + scratch_offset, 1474 mac->cd_uio->uio_iov[vec_idx].iov_base + offset, 1475 cur_len) != 0) { 1476 ret = CRYPTO_INVALID_MAC; 1477 break; 1478 } 1479 1480 length -= cur_len; 1481 vec_idx++; 1482 scratch_offset += cur_len; 1483 offset = 0; 1484 } 1485 break; 1486 } 1487 1488 case CRYPTO_DATA_MBLK: { 1489 off_t offset = mac->cd_offset; 1490 mblk_t *mp; 1491 off_t scratch_offset = 0; 1492 size_t length = digest_len; 1493 size_t cur_len; 1494 1495 /* jump to the first mblk_t containing the expected digest */ 1496 for (mp = mac->cd_mp; mp != NULL && offset >= MBLKL(mp); 1497 offset -= MBLKL(mp), mp = mp->b_cont) 1498 ; 1499 if (mp == NULL) { 1500 /* 1501 * The caller specified an offset that is larger than 1502 * the total size of the buffers it provided. 1503 */ 1504 ret = CRYPTO_DATA_LEN_RANGE; 1505 break; 1506 } 1507 1508 while (mp != NULL && length > 0) { 1509 cur_len = MIN(MBLKL(mp) - offset, length); 1510 if (bcmp(digest + scratch_offset, 1511 mp->b_rptr + offset, cur_len) != 0) { 1512 ret = CRYPTO_INVALID_MAC; 1513 break; 1514 } 1515 1516 length -= cur_len; 1517 mp = mp->b_cont; 1518 scratch_offset += cur_len; 1519 offset = 0; 1520 } 1521 break; 1522 } 1523 1524 default: 1525 ret = CRYPTO_ARGUMENTS_BAD; 1526 } 1527 1528 return (ret); 1529 bail: 1530 bzero(&sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t)); 1531 mac->cd_length = 0; 1532 return (ret); 1533 } 1534 1535 /* 1536 * KCF software provider context management entry points. 1537 */ 1538 1539 /* ARGSUSED */ 1540 static int 1541 sha2_create_ctx_template(crypto_provider_handle_t provider, 1542 crypto_mechanism_t *mechanism, crypto_key_t *key, 1543 crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size, 1544 crypto_req_handle_t req) 1545 { 1546 sha2_hmac_ctx_t *sha2_hmac_ctx_tmpl; 1547 uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length); 1548 uint32_t sha_digest_len, sha_hmac_block_size; 1549 1550 /* 1551 * Set the digest length and block size to values approriate to the 1552 * mechanism 1553 */ 1554 switch (mechanism->cm_type) { 1555 case SHA256_HMAC_MECH_INFO_TYPE: 1556 case SHA256_HMAC_GEN_MECH_INFO_TYPE: 1557 sha_digest_len = SHA256_DIGEST_LENGTH; 1558 sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE; 1559 break; 1560 case SHA384_HMAC_MECH_INFO_TYPE: 1561 case SHA384_HMAC_GEN_MECH_INFO_TYPE: 1562 case SHA512_HMAC_MECH_INFO_TYPE: 1563 case SHA512_HMAC_GEN_MECH_INFO_TYPE: 1564 sha_digest_len = SHA512_DIGEST_LENGTH; 1565 sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE; 1566 break; 1567 default: 1568 return (CRYPTO_MECHANISM_INVALID); 1569 } 1570 1571 /* Add support for key by attributes (RFE 4706552) */ 1572 if (key->ck_format != CRYPTO_KEY_RAW) 1573 return (CRYPTO_ARGUMENTS_BAD); 1574 1575 /* 1576 * Allocate and initialize SHA2 context. 1577 */ 1578 sha2_hmac_ctx_tmpl = kmem_alloc(sizeof (sha2_hmac_ctx_t), 1579 crypto_kmflag(req)); 1580 if (sha2_hmac_ctx_tmpl == NULL) 1581 return (CRYPTO_HOST_MEMORY); 1582 1583 sha2_hmac_ctx_tmpl->hc_mech_type = mechanism->cm_type; 1584 1585 if (keylen_in_bytes > sha_hmac_block_size) { 1586 uchar_t digested_key[SHA512_DIGEST_LENGTH]; 1587 1588 /* 1589 * Hash the passed-in key to get a smaller key. 1590 * The inner context is used since it hasn't been 1591 * initialized yet. 1592 */ 1593 PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3, 1594 &sha2_hmac_ctx_tmpl->hc_icontext, 1595 key->ck_data, keylen_in_bytes, digested_key); 1596 sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, digested_key, 1597 sha_digest_len); 1598 } else { 1599 sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, key->ck_data, 1600 keylen_in_bytes); 1601 } 1602 1603 *ctx_template = (crypto_spi_ctx_template_t)sha2_hmac_ctx_tmpl; 1604 *ctx_template_size = sizeof (sha2_hmac_ctx_t); 1605 1606 return (CRYPTO_SUCCESS); 1607 } 1608 1609 static int 1610 sha2_free_context(crypto_ctx_t *ctx) 1611 { 1612 uint_t ctx_len; 1613 1614 if (ctx->cc_provider_private == NULL) 1615 return (CRYPTO_SUCCESS); 1616 1617 /* 1618 * We have to free either SHA2 or SHA2-HMAC contexts, which 1619 * have different lengths. 1620 * 1621 * Note: Below is dependent on the mechanism ordering. 1622 */ 1623 1624 if (PROV_SHA2_CTX(ctx)->sc_mech_type % 3 == 0) 1625 ctx_len = sizeof (sha2_ctx_t); 1626 else 1627 ctx_len = sizeof (sha2_hmac_ctx_t); 1628 1629 bzero(ctx->cc_provider_private, ctx_len); 1630 kmem_free(ctx->cc_provider_private, ctx_len); 1631 ctx->cc_provider_private = NULL; 1632 1633 return (CRYPTO_SUCCESS); 1634 } 1635