1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 #include <sys/modctl.h> 30 #include <sys/cmn_err.h> 31 #include <sys/crypto/common.h> 32 #include <sys/crypto/spi.h> 33 #include <sys/strsun.h> 34 #include <sys/systm.h> 35 #include <sys/sysmacros.h> 36 #define _SHA2_IMPL 37 #include <sys/sha2.h> 38 39 /* 40 * The sha2 module is created with two modlinkages: 41 * - a modlmisc that allows consumers to directly call the entry points 42 * SHA2Init, SHA2Update, and SHA2Final. 43 * - a modlcrypto that allows the module to register with the Kernel 44 * Cryptographic Framework (KCF) as a software provider for the SHA2 45 * mechanisms. 46 */ 47 48 static struct modlmisc modlmisc = { 49 &mod_miscops, 50 "SHA2 Message-Digest Algorithm" 51 }; 52 53 static struct modlcrypto modlcrypto = { 54 &mod_cryptoops, 55 "SHA2 Kernel SW Provider %I%" 56 }; 57 58 static struct modlinkage modlinkage = { 59 MODREV_1, &modlmisc, &modlcrypto, NULL 60 }; 61 62 /* 63 * CSPI information (entry points, provider info, etc.) 64 */ 65 66 /* 67 * Context for SHA2 mechanism. 68 */ 69 typedef struct sha2_ctx { 70 sha2_mech_type_t sc_mech_type; /* type of context */ 71 SHA2_CTX sc_sha2_ctx; /* SHA2 context */ 72 } sha2_ctx_t; 73 74 /* 75 * Context for SHA2 HMAC and HMAC GENERAL mechanisms. 76 */ 77 typedef struct sha2_hmac_ctx { 78 sha2_mech_type_t hc_mech_type; /* type of context */ 79 uint32_t hc_digest_len; /* digest len in bytes */ 80 SHA2_CTX hc_icontext; /* inner SHA2 context */ 81 SHA2_CTX hc_ocontext; /* outer SHA2 context */ 82 } sha2_hmac_ctx_t; 83 84 /* 85 * Macros to access the SHA2 or SHA2-HMAC contexts from a context passed 86 * by KCF to one of the entry points. 87 */ 88 89 #define PROV_SHA2_CTX(ctx) ((sha2_ctx_t *)(ctx)->cc_provider_private) 90 #define PROV_SHA2_HMAC_CTX(ctx) ((sha2_hmac_ctx_t *)(ctx)->cc_provider_private) 91 92 /* to extract the digest length passed as mechanism parameter */ 93 #define PROV_SHA2_GET_DIGEST_LEN(m, len) { \ 94 if (IS_P2ALIGNED((m)->cm_param, sizeof (ulong_t))) \ 95 (len) = (uint32_t)*((ulong_t *)(m)->cm_param); \ 96 else { \ 97 ulong_t tmp_ulong; \ 98 bcopy((m)->cm_param, &tmp_ulong, sizeof (ulong_t)); \ 99 (len) = (uint32_t)tmp_ulong; \ 100 } \ 101 } 102 103 #define PROV_SHA2_DIGEST_KEY(mech, ctx, key, len, digest) { \ 104 SHA2Init(mech, ctx); \ 105 SHA2Update(ctx, key, len); \ 106 SHA2Final(digest, ctx); \ 107 } 108 109 /* 110 * Mechanism info structure passed to KCF during registration. 111 */ 112 static crypto_mech_info_t sha2_mech_info_tab[] = { 113 /* SHA256 */ 114 {SUN_CKM_SHA256, SHA256_MECH_INFO_TYPE, 115 CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC, 116 0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 117 /* SHA256-HMAC */ 118 {SUN_CKM_SHA256_HMAC, SHA256_HMAC_MECH_INFO_TYPE, 119 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, 120 SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN, 121 CRYPTO_KEYSIZE_UNIT_IN_BITS}, 122 /* SHA256-HMAC GENERAL */ 123 {SUN_CKM_SHA256_HMAC_GENERAL, SHA256_HMAC_GEN_MECH_INFO_TYPE, 124 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, 125 SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN, 126 CRYPTO_KEYSIZE_UNIT_IN_BITS}, 127 /* SHA384 */ 128 {SUN_CKM_SHA384, SHA384_MECH_INFO_TYPE, 129 CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC, 130 0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 131 /* SHA384-HMAC */ 132 {SUN_CKM_SHA384_HMAC, SHA384_HMAC_MECH_INFO_TYPE, 133 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, 134 SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN, 135 CRYPTO_KEYSIZE_UNIT_IN_BITS}, 136 /* SHA384-HMAC GENERAL */ 137 {SUN_CKM_SHA384_HMAC_GENERAL, SHA384_HMAC_GEN_MECH_INFO_TYPE, 138 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, 139 SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN, 140 CRYPTO_KEYSIZE_UNIT_IN_BITS}, 141 /* SHA512 */ 142 {SUN_CKM_SHA512, SHA512_MECH_INFO_TYPE, 143 CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC, 144 0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 145 /* SHA512-HMAC */ 146 {SUN_CKM_SHA512_HMAC, SHA512_HMAC_MECH_INFO_TYPE, 147 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, 148 SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN, 149 CRYPTO_KEYSIZE_UNIT_IN_BITS}, 150 /* SHA512-HMAC GENERAL */ 151 {SUN_CKM_SHA512_HMAC_GENERAL, SHA512_HMAC_GEN_MECH_INFO_TYPE, 152 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, 153 SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN, 154 CRYPTO_KEYSIZE_UNIT_IN_BITS} 155 }; 156 157 static void sha2_provider_status(crypto_provider_handle_t, uint_t *); 158 159 static crypto_control_ops_t sha2_control_ops = { 160 sha2_provider_status 161 }; 162 163 static int sha2_digest_init(crypto_ctx_t *, crypto_mechanism_t *, 164 crypto_req_handle_t); 165 static int sha2_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 166 crypto_req_handle_t); 167 static int sha2_digest_update(crypto_ctx_t *, crypto_data_t *, 168 crypto_req_handle_t); 169 static int sha2_digest_final(crypto_ctx_t *, crypto_data_t *, 170 crypto_req_handle_t); 171 static int sha2_digest_atomic(crypto_provider_handle_t, crypto_session_id_t, 172 crypto_mechanism_t *, crypto_data_t *, crypto_data_t *, 173 crypto_req_handle_t); 174 175 static crypto_digest_ops_t sha2_digest_ops = { 176 sha2_digest_init, 177 sha2_digest, 178 sha2_digest_update, 179 NULL, 180 sha2_digest_final, 181 sha2_digest_atomic 182 }; 183 184 static int sha2_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *, 185 crypto_spi_ctx_template_t, crypto_req_handle_t); 186 static int sha2_mac_update(crypto_ctx_t *, crypto_data_t *, 187 crypto_req_handle_t); 188 static int sha2_mac_final(crypto_ctx_t *, crypto_data_t *, crypto_req_handle_t); 189 static int sha2_mac_atomic(crypto_provider_handle_t, crypto_session_id_t, 190 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, 191 crypto_spi_ctx_template_t, crypto_req_handle_t); 192 static int sha2_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t, 193 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, 194 crypto_spi_ctx_template_t, crypto_req_handle_t); 195 196 static crypto_mac_ops_t sha2_mac_ops = { 197 sha2_mac_init, 198 NULL, 199 sha2_mac_update, 200 sha2_mac_final, 201 sha2_mac_atomic, 202 sha2_mac_verify_atomic 203 }; 204 205 static int sha2_create_ctx_template(crypto_provider_handle_t, 206 crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *, 207 size_t *, crypto_req_handle_t); 208 static int sha2_free_context(crypto_ctx_t *); 209 210 static crypto_ctx_ops_t sha2_ctx_ops = { 211 sha2_create_ctx_template, 212 sha2_free_context 213 }; 214 215 static crypto_ops_t sha2_crypto_ops = { 216 &sha2_control_ops, 217 &sha2_digest_ops, 218 NULL, 219 &sha2_mac_ops, 220 NULL, 221 NULL, 222 NULL, 223 NULL, 224 NULL, 225 NULL, 226 NULL, 227 NULL, 228 NULL, 229 &sha2_ctx_ops 230 }; 231 232 static crypto_provider_info_t sha2_prov_info = { 233 CRYPTO_SPI_VERSION_1, 234 "SHA2 Software Provider", 235 CRYPTO_SW_PROVIDER, 236 {&modlinkage}, 237 NULL, 238 &sha2_crypto_ops, 239 sizeof (sha2_mech_info_tab)/sizeof (crypto_mech_info_t), 240 sha2_mech_info_tab 241 }; 242 243 static crypto_kcf_provider_handle_t sha2_prov_handle = NULL; 244 245 int 246 _init() 247 { 248 int ret; 249 250 if ((ret = mod_install(&modlinkage)) != 0) 251 return (ret); 252 253 /* 254 * Register with KCF. If the registration fails, log an 255 * error but do not uninstall the module, since the functionality 256 * provided by misc/sha2 should still be available. 257 */ 258 if ((ret = crypto_register_provider(&sha2_prov_info, 259 &sha2_prov_handle)) != CRYPTO_SUCCESS) 260 cmn_err(CE_WARN, "sha2 _init: " 261 "crypto_register_provider() failed (0x%x)", ret); 262 263 return (0); 264 } 265 266 int 267 _info(struct modinfo *modinfop) 268 { 269 return (mod_info(&modlinkage, modinfop)); 270 } 271 272 /* 273 * KCF software provider control entry points. 274 */ 275 /* ARGSUSED */ 276 static void 277 sha2_provider_status(crypto_provider_handle_t provider, uint_t *status) 278 { 279 *status = CRYPTO_PROVIDER_READY; 280 } 281 282 /* 283 * KCF software provider digest entry points. 284 */ 285 286 static int 287 sha2_digest_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 288 crypto_req_handle_t req) 289 { 290 291 /* 292 * Allocate and initialize SHA2 context. 293 */ 294 ctx->cc_provider_private = kmem_alloc(sizeof (sha2_ctx_t), 295 crypto_kmflag(req)); 296 if (ctx->cc_provider_private == NULL) 297 return (CRYPTO_HOST_MEMORY); 298 299 PROV_SHA2_CTX(ctx)->sc_mech_type = mechanism->cm_type; 300 SHA2Init(mechanism->cm_type, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx); 301 302 return (CRYPTO_SUCCESS); 303 } 304 305 /* 306 * Helper SHA2 digest update function for uio data. 307 */ 308 static int 309 sha2_digest_update_uio(SHA2_CTX *sha2_ctx, crypto_data_t *data) 310 { 311 off_t offset = data->cd_offset; 312 size_t length = data->cd_length; 313 uint_t vec_idx; 314 size_t cur_len; 315 316 /* we support only kernel buffer */ 317 if (data->cd_uio->uio_segflg != UIO_SYSSPACE) 318 return (CRYPTO_ARGUMENTS_BAD); 319 320 /* 321 * Jump to the first iovec containing data to be 322 * digested. 323 */ 324 for (vec_idx = 0; vec_idx < data->cd_uio->uio_iovcnt && 325 offset >= data->cd_uio->uio_iov[vec_idx].iov_len; 326 offset -= data->cd_uio->uio_iov[vec_idx++].iov_len); 327 if (vec_idx == data->cd_uio->uio_iovcnt) { 328 /* 329 * The caller specified an offset that is larger than the 330 * total size of the buffers it provided. 331 */ 332 return (CRYPTO_DATA_LEN_RANGE); 333 } 334 335 /* 336 * Now do the digesting on the iovecs. 337 */ 338 while (vec_idx < data->cd_uio->uio_iovcnt && length > 0) { 339 cur_len = MIN(data->cd_uio->uio_iov[vec_idx].iov_len - 340 offset, length); 341 342 SHA2Update(sha2_ctx, (uint8_t *)data->cd_uio-> 343 uio_iov[vec_idx].iov_base + offset, cur_len); 344 length -= cur_len; 345 vec_idx++; 346 offset = 0; 347 } 348 349 if (vec_idx == data->cd_uio->uio_iovcnt && length > 0) { 350 /* 351 * The end of the specified iovec's was reached but 352 * the length requested could not be processed, i.e. 353 * The caller requested to digest more data than it provided. 354 */ 355 return (CRYPTO_DATA_LEN_RANGE); 356 } 357 358 return (CRYPTO_SUCCESS); 359 } 360 361 /* 362 * Helper SHA2 digest final function for uio data. 363 * digest_len is the length of the desired digest. If digest_len 364 * is smaller than the default SHA2 digest length, the caller 365 * must pass a scratch buffer, digest_scratch, which must 366 * be at least the algorithm's digest length bytes. 367 */ 368 static int 369 sha2_digest_final_uio(SHA2_CTX *sha2_ctx, crypto_data_t *digest, 370 ulong_t digest_len, uchar_t *digest_scratch) 371 { 372 off_t offset = digest->cd_offset; 373 uint_t vec_idx; 374 375 /* we support only kernel buffer */ 376 if (digest->cd_uio->uio_segflg != UIO_SYSSPACE) 377 return (CRYPTO_ARGUMENTS_BAD); 378 379 /* 380 * Jump to the first iovec containing ptr to the digest to 381 * be returned. 382 */ 383 for (vec_idx = 0; offset >= digest->cd_uio->uio_iov[vec_idx].iov_len && 384 vec_idx < digest->cd_uio->uio_iovcnt; 385 offset -= digest->cd_uio->uio_iov[vec_idx++].iov_len); 386 if (vec_idx == digest->cd_uio->uio_iovcnt) { 387 /* 388 * The caller specified an offset that is 389 * larger than the total size of the buffers 390 * it provided. 391 */ 392 return (CRYPTO_DATA_LEN_RANGE); 393 } 394 395 if (offset + digest_len <= 396 digest->cd_uio->uio_iov[vec_idx].iov_len) { 397 /* 398 * The computed SHA2 digest will fit in the current 399 * iovec. 400 */ 401 if (((sha2_ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) && 402 (digest_len != SHA256_DIGEST_LENGTH)) || 403 ((sha2_ctx->algotype > SHA256_HMAC_GEN_MECH_INFO_TYPE) && 404 (digest_len != SHA512_DIGEST_LENGTH))) { 405 /* 406 * The caller requested a short digest. Digest 407 * into a scratch buffer and return to 408 * the user only what was requested. 409 */ 410 SHA2Final(digest_scratch, sha2_ctx); 411 412 bcopy(digest_scratch, (uchar_t *)digest-> 413 cd_uio->uio_iov[vec_idx].iov_base + offset, 414 digest_len); 415 } else { 416 SHA2Final((uchar_t *)digest-> 417 cd_uio->uio_iov[vec_idx].iov_base + offset, 418 sha2_ctx); 419 420 } 421 } else { 422 /* 423 * The computed digest will be crossing one or more iovec's. 424 * This is bad performance-wise but we need to support it. 425 * Allocate a small scratch buffer on the stack and 426 * copy it piece meal to the specified digest iovec's. 427 */ 428 uchar_t digest_tmp[SHA512_DIGEST_LENGTH]; 429 off_t scratch_offset = 0; 430 size_t length = digest_len; 431 size_t cur_len; 432 433 SHA2Final(digest_tmp, sha2_ctx); 434 435 while (vec_idx < digest->cd_uio->uio_iovcnt && length > 0) { 436 cur_len = 437 MIN(digest->cd_uio->uio_iov[vec_idx].iov_len - 438 offset, length); 439 bcopy(digest_tmp + scratch_offset, 440 digest->cd_uio->uio_iov[vec_idx].iov_base + offset, 441 cur_len); 442 443 length -= cur_len; 444 vec_idx++; 445 scratch_offset += cur_len; 446 offset = 0; 447 } 448 449 if (vec_idx == digest->cd_uio->uio_iovcnt && length > 0) { 450 /* 451 * The end of the specified iovec's was reached but 452 * the length requested could not be processed, i.e. 453 * The caller requested to digest more data than it 454 * provided. 455 */ 456 return (CRYPTO_DATA_LEN_RANGE); 457 } 458 } 459 460 return (CRYPTO_SUCCESS); 461 } 462 463 /* 464 * Helper SHA2 digest update for mblk's. 465 */ 466 static int 467 sha2_digest_update_mblk(SHA2_CTX *sha2_ctx, crypto_data_t *data) 468 { 469 off_t offset = data->cd_offset; 470 size_t length = data->cd_length; 471 mblk_t *mp; 472 size_t cur_len; 473 474 /* 475 * Jump to the first mblk_t containing data to be digested. 476 */ 477 for (mp = data->cd_mp; mp != NULL && offset >= MBLKL(mp); 478 offset -= MBLKL(mp), mp = mp->b_cont); 479 if (mp == NULL) { 480 /* 481 * The caller specified an offset that is larger than the 482 * total size of the buffers it provided. 483 */ 484 return (CRYPTO_DATA_LEN_RANGE); 485 } 486 487 /* 488 * Now do the digesting on the mblk chain. 489 */ 490 while (mp != NULL && length > 0) { 491 cur_len = MIN(MBLKL(mp) - offset, length); 492 SHA2Update(sha2_ctx, mp->b_rptr + offset, cur_len); 493 length -= cur_len; 494 offset = 0; 495 mp = mp->b_cont; 496 } 497 498 if (mp == NULL && length > 0) { 499 /* 500 * The end of the mblk was reached but the length requested 501 * could not be processed, i.e. The caller requested 502 * to digest more data than it provided. 503 */ 504 return (CRYPTO_DATA_LEN_RANGE); 505 } 506 507 return (CRYPTO_SUCCESS); 508 } 509 510 /* 511 * Helper SHA2 digest final for mblk's. 512 * digest_len is the length of the desired digest. If digest_len 513 * is smaller than the default SHA2 digest length, the caller 514 * must pass a scratch buffer, digest_scratch, which must 515 * be at least the algorithm's digest length bytes. 516 */ 517 static int 518 sha2_digest_final_mblk(SHA2_CTX *sha2_ctx, crypto_data_t *digest, 519 ulong_t digest_len, uchar_t *digest_scratch) 520 { 521 off_t offset = digest->cd_offset; 522 mblk_t *mp; 523 524 /* 525 * Jump to the first mblk_t that will be used to store the digest. 526 */ 527 for (mp = digest->cd_mp; mp != NULL && offset >= MBLKL(mp); 528 offset -= MBLKL(mp), mp = mp->b_cont); 529 if (mp == NULL) { 530 /* 531 * The caller specified an offset that is larger than the 532 * total size of the buffers it provided. 533 */ 534 return (CRYPTO_DATA_LEN_RANGE); 535 } 536 537 if (offset + digest_len <= MBLKL(mp)) { 538 /* 539 * The computed SHA2 digest will fit in the current mblk. 540 * Do the SHA2Final() in-place. 541 */ 542 if (((sha2_ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) && 543 (digest_len != SHA256_DIGEST_LENGTH)) || 544 ((sha2_ctx->algotype > SHA256_HMAC_GEN_MECH_INFO_TYPE) && 545 (digest_len != SHA512_DIGEST_LENGTH))) { 546 /* 547 * The caller requested a short digest. Digest 548 * into a scratch buffer and return to 549 * the user only what was requested. 550 */ 551 SHA2Final(digest_scratch, sha2_ctx); 552 bcopy(digest_scratch, mp->b_rptr + offset, digest_len); 553 } else { 554 SHA2Final(mp->b_rptr + offset, sha2_ctx); 555 } 556 } else { 557 /* 558 * The computed digest will be crossing one or more mblk's. 559 * This is bad performance-wise but we need to support it. 560 * Allocate a small scratch buffer on the stack and 561 * copy it piece meal to the specified digest iovec's. 562 */ 563 uchar_t digest_tmp[SHA512_DIGEST_LENGTH]; 564 off_t scratch_offset = 0; 565 size_t length = digest_len; 566 size_t cur_len; 567 568 SHA2Final(digest_tmp, sha2_ctx); 569 570 while (mp != NULL && length > 0) { 571 cur_len = MIN(MBLKL(mp) - offset, length); 572 bcopy(digest_tmp + scratch_offset, 573 mp->b_rptr + offset, cur_len); 574 575 length -= cur_len; 576 mp = mp->b_cont; 577 scratch_offset += cur_len; 578 offset = 0; 579 } 580 581 if (mp == NULL && length > 0) { 582 /* 583 * The end of the specified mblk was reached but 584 * the length requested could not be processed, i.e. 585 * The caller requested to digest more data than it 586 * provided. 587 */ 588 return (CRYPTO_DATA_LEN_RANGE); 589 } 590 } 591 592 return (CRYPTO_SUCCESS); 593 } 594 595 /* ARGSUSED */ 596 static int 597 sha2_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest, 598 crypto_req_handle_t req) 599 { 600 int ret = CRYPTO_SUCCESS; 601 uint_t sha_digest_len; 602 603 ASSERT(ctx->cc_provider_private != NULL); 604 605 switch (PROV_SHA2_CTX(ctx)->sc_mech_type) { 606 case SHA256_MECH_INFO_TYPE: 607 sha_digest_len = SHA256_DIGEST_LENGTH; 608 break; 609 case SHA384_MECH_INFO_TYPE: 610 sha_digest_len = SHA384_DIGEST_LENGTH; 611 break; 612 case SHA512_MECH_INFO_TYPE: 613 sha_digest_len = SHA512_DIGEST_LENGTH; 614 break; 615 default: 616 return (CRYPTO_MECHANISM_INVALID); 617 } 618 619 /* 620 * We need to just return the length needed to store the output. 621 * We should not destroy the context for the following cases. 622 */ 623 if ((digest->cd_length == 0) || 624 (digest->cd_length < sha_digest_len)) { 625 digest->cd_length = sha_digest_len; 626 return (CRYPTO_BUFFER_TOO_SMALL); 627 } 628 629 /* 630 * Do the SHA2 update on the specified input data. 631 */ 632 switch (data->cd_format) { 633 case CRYPTO_DATA_RAW: 634 SHA2Update(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx, 635 (uint8_t *)data->cd_raw.iov_base + data->cd_offset, 636 data->cd_length); 637 break; 638 case CRYPTO_DATA_UIO: 639 ret = sha2_digest_update_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx, 640 data); 641 break; 642 case CRYPTO_DATA_MBLK: 643 ret = sha2_digest_update_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx, 644 data); 645 break; 646 default: 647 ret = CRYPTO_ARGUMENTS_BAD; 648 } 649 650 if (ret != CRYPTO_SUCCESS) { 651 /* the update failed, free context and bail */ 652 kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t)); 653 ctx->cc_provider_private = NULL; 654 digest->cd_length = 0; 655 return (ret); 656 } 657 658 /* 659 * Do a SHA2 final, must be done separately since the digest 660 * type can be different than the input data type. 661 */ 662 switch (digest->cd_format) { 663 case CRYPTO_DATA_RAW: 664 SHA2Final((unsigned char *)digest->cd_raw.iov_base + 665 digest->cd_offset, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx); 666 break; 667 case CRYPTO_DATA_UIO: 668 ret = sha2_digest_final_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx, 669 digest, sha_digest_len, NULL); 670 break; 671 case CRYPTO_DATA_MBLK: 672 ret = sha2_digest_final_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx, 673 digest, sha_digest_len, NULL); 674 break; 675 default: 676 ret = CRYPTO_ARGUMENTS_BAD; 677 } 678 679 /* all done, free context and return */ 680 681 if (ret == CRYPTO_SUCCESS) 682 digest->cd_length = sha_digest_len; 683 else 684 digest->cd_length = 0; 685 686 kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t)); 687 ctx->cc_provider_private = NULL; 688 return (ret); 689 } 690 691 /* ARGSUSED */ 692 static int 693 sha2_digest_update(crypto_ctx_t *ctx, crypto_data_t *data, 694 crypto_req_handle_t req) 695 { 696 int ret = CRYPTO_SUCCESS; 697 698 ASSERT(ctx->cc_provider_private != NULL); 699 700 /* 701 * Do the SHA2 update on the specified input data. 702 */ 703 switch (data->cd_format) { 704 case CRYPTO_DATA_RAW: 705 SHA2Update(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx, 706 (uint8_t *)data->cd_raw.iov_base + data->cd_offset, 707 data->cd_length); 708 break; 709 case CRYPTO_DATA_UIO: 710 ret = sha2_digest_update_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx, 711 data); 712 break; 713 case CRYPTO_DATA_MBLK: 714 ret = sha2_digest_update_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx, 715 data); 716 break; 717 default: 718 ret = CRYPTO_ARGUMENTS_BAD; 719 } 720 721 return (ret); 722 } 723 724 /* ARGSUSED */ 725 static int 726 sha2_digest_final(crypto_ctx_t *ctx, crypto_data_t *digest, 727 crypto_req_handle_t req) 728 { 729 int ret = CRYPTO_SUCCESS; 730 uint_t sha_digest_len; 731 732 ASSERT(ctx->cc_provider_private != NULL); 733 734 switch (PROV_SHA2_CTX(ctx)->sc_mech_type) { 735 case SHA256_MECH_INFO_TYPE: 736 sha_digest_len = SHA256_DIGEST_LENGTH; 737 break; 738 case SHA384_MECH_INFO_TYPE: 739 sha_digest_len = SHA384_DIGEST_LENGTH; 740 break; 741 case SHA512_MECH_INFO_TYPE: 742 sha_digest_len = SHA512_DIGEST_LENGTH; 743 break; 744 default: 745 return (CRYPTO_MECHANISM_INVALID); 746 } 747 748 /* 749 * We need to just return the length needed to store the output. 750 * We should not destroy the context for the following cases. 751 */ 752 if ((digest->cd_length == 0) || 753 (digest->cd_length < sha_digest_len)) { 754 digest->cd_length = sha_digest_len; 755 return (CRYPTO_BUFFER_TOO_SMALL); 756 } 757 758 /* 759 * Do a SHA2 final. 760 */ 761 switch (digest->cd_format) { 762 case CRYPTO_DATA_RAW: 763 SHA2Final((unsigned char *)digest->cd_raw.iov_base + 764 digest->cd_offset, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx); 765 break; 766 case CRYPTO_DATA_UIO: 767 ret = sha2_digest_final_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx, 768 digest, sha_digest_len, NULL); 769 break; 770 case CRYPTO_DATA_MBLK: 771 ret = sha2_digest_final_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx, 772 digest, sha_digest_len, NULL); 773 break; 774 default: 775 ret = CRYPTO_ARGUMENTS_BAD; 776 } 777 778 /* all done, free context and return */ 779 780 if (ret == CRYPTO_SUCCESS) 781 digest->cd_length = sha_digest_len; 782 else 783 digest->cd_length = 0; 784 785 kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t)); 786 ctx->cc_provider_private = NULL; 787 788 return (ret); 789 } 790 791 /* ARGSUSED */ 792 static int 793 sha2_digest_atomic(crypto_provider_handle_t provider, 794 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 795 crypto_data_t *data, crypto_data_t *digest, 796 crypto_req_handle_t req) 797 { 798 int ret = CRYPTO_SUCCESS; 799 SHA2_CTX sha2_ctx; 800 uint32_t sha_digest_len; 801 802 /* 803 * Do the SHA inits. 804 */ 805 806 SHA2Init(mechanism->cm_type, &sha2_ctx); 807 808 switch (data->cd_format) { 809 case CRYPTO_DATA_RAW: 810 SHA2Update(&sha2_ctx, (uint8_t *)data-> 811 cd_raw.iov_base + data->cd_offset, data->cd_length); 812 break; 813 case CRYPTO_DATA_UIO: 814 ret = sha2_digest_update_uio(&sha2_ctx, data); 815 break; 816 case CRYPTO_DATA_MBLK: 817 ret = sha2_digest_update_mblk(&sha2_ctx, data); 818 break; 819 default: 820 ret = CRYPTO_ARGUMENTS_BAD; 821 } 822 823 /* 824 * Do the SHA updates on the specified input data. 825 */ 826 827 if (ret != CRYPTO_SUCCESS) { 828 /* the update failed, bail */ 829 digest->cd_length = 0; 830 return (ret); 831 } 832 833 if (mechanism->cm_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE) 834 sha_digest_len = SHA256_DIGEST_LENGTH; 835 else 836 sha_digest_len = SHA512_DIGEST_LENGTH; 837 838 /* 839 * Do a SHA2 final, must be done separately since the digest 840 * type can be different than the input data type. 841 */ 842 switch (digest->cd_format) { 843 case CRYPTO_DATA_RAW: 844 SHA2Final((unsigned char *)digest->cd_raw.iov_base + 845 digest->cd_offset, &sha2_ctx); 846 break; 847 case CRYPTO_DATA_UIO: 848 ret = sha2_digest_final_uio(&sha2_ctx, digest, 849 sha_digest_len, NULL); 850 break; 851 case CRYPTO_DATA_MBLK: 852 ret = sha2_digest_final_mblk(&sha2_ctx, digest, 853 sha_digest_len, NULL); 854 break; 855 default: 856 ret = CRYPTO_ARGUMENTS_BAD; 857 } 858 859 if (ret == CRYPTO_SUCCESS) 860 digest->cd_length = sha_digest_len; 861 else 862 digest->cd_length = 0; 863 864 return (ret); 865 } 866 867 /* 868 * KCF software provider mac entry points. 869 * 870 * SHA2 HMAC is: SHA2(key XOR opad, SHA2(key XOR ipad, text)) 871 * 872 * Init: 873 * The initialization routine initializes what we denote 874 * as the inner and outer contexts by doing 875 * - for inner context: SHA2(key XOR ipad) 876 * - for outer context: SHA2(key XOR opad) 877 * 878 * Update: 879 * Each subsequent SHA2 HMAC update will result in an 880 * update of the inner context with the specified data. 881 * 882 * Final: 883 * The SHA2 HMAC final will do a SHA2 final operation on the 884 * inner context, and the resulting digest will be used 885 * as the data for an update on the outer context. Last 886 * but not least, a SHA2 final on the outer context will 887 * be performed to obtain the SHA2 HMAC digest to return 888 * to the user. 889 */ 890 891 /* 892 * Initialize a SHA2-HMAC context. 893 */ 894 static void 895 sha2_mac_init_ctx(sha2_hmac_ctx_t *ctx, void *keyval, uint_t length_in_bytes) 896 { 897 uint64_t ipad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)]; 898 uint64_t opad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)]; 899 int i, block_size, blocks_per_int64; 900 901 /* Determine the block size */ 902 if (ctx->hc_mech_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE) { 903 block_size = SHA256_HMAC_BLOCK_SIZE; 904 blocks_per_int64 = SHA256_HMAC_BLOCK_SIZE / sizeof (uint64_t); 905 } else { 906 block_size = SHA512_HMAC_BLOCK_SIZE; 907 blocks_per_int64 = SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t); 908 } 909 910 (void) bzero(ipad, block_size); 911 (void) bzero(opad, block_size); 912 (void) bcopy(keyval, ipad, length_in_bytes); 913 (void) bcopy(keyval, opad, length_in_bytes); 914 915 /* XOR key with ipad (0x36) and opad (0x5c) */ 916 for (i = 0; i < blocks_per_int64; i ++) { 917 ipad[i] ^= 0x3636363636363636; 918 opad[i] ^= 0x5c5c5c5c5c5c5c5c; 919 } 920 921 /* perform SHA2 on ipad */ 922 SHA2Init(ctx->hc_mech_type, &ctx->hc_icontext); 923 SHA2Update(&ctx->hc_icontext, (uint8_t *)ipad, block_size); 924 925 /* perform SHA2 on opad */ 926 SHA2Init(ctx->hc_mech_type, &ctx->hc_ocontext); 927 SHA2Update(&ctx->hc_ocontext, (uint8_t *)opad, block_size); 928 929 } 930 931 /* 932 */ 933 static int 934 sha2_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 935 crypto_key_t *key, crypto_spi_ctx_template_t ctx_template, 936 crypto_req_handle_t req) 937 { 938 int ret = CRYPTO_SUCCESS; 939 uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length); 940 uint_t sha_digest_len, sha_hmac_block_size; 941 942 /* 943 * Set the digest length and block size to values approriate to the 944 * mechanism 945 */ 946 switch (mechanism->cm_type) { 947 case SHA256_HMAC_MECH_INFO_TYPE: 948 case SHA256_HMAC_GEN_MECH_INFO_TYPE: 949 sha_digest_len = SHA256_DIGEST_LENGTH; 950 sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE; 951 break; 952 case SHA384_HMAC_MECH_INFO_TYPE: 953 case SHA384_HMAC_GEN_MECH_INFO_TYPE: 954 case SHA512_HMAC_MECH_INFO_TYPE: 955 case SHA512_HMAC_GEN_MECH_INFO_TYPE: 956 sha_digest_len = SHA512_DIGEST_LENGTH; 957 sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE; 958 break; 959 default: 960 return (CRYPTO_MECHANISM_INVALID); 961 } 962 963 if (key->ck_format != CRYPTO_KEY_RAW) 964 return (CRYPTO_ARGUMENTS_BAD); 965 966 ctx->cc_provider_private = kmem_alloc(sizeof (sha2_hmac_ctx_t), 967 crypto_kmflag(req)); 968 if (ctx->cc_provider_private == NULL) 969 return (CRYPTO_HOST_MEMORY); 970 971 if (ctx_template != NULL) { 972 /* reuse context template */ 973 bcopy(ctx_template, PROV_SHA2_HMAC_CTX(ctx), 974 sizeof (sha2_hmac_ctx_t)); 975 } else { 976 /* no context template, compute context */ 977 if (keylen_in_bytes > sha_hmac_block_size) { 978 uchar_t digested_key[SHA512_DIGEST_LENGTH]; 979 sha2_hmac_ctx_t *hmac_ctx = ctx->cc_provider_private; 980 981 /* 982 * Hash the passed-in key to get a smaller key. 983 * The inner context is used since it hasn't been 984 * initialized yet. 985 */ 986 PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3, 987 &hmac_ctx->hc_icontext, 988 key->ck_data, keylen_in_bytes, digested_key); 989 sha2_mac_init_ctx(PROV_SHA2_HMAC_CTX(ctx), 990 digested_key, sha_digest_len); 991 } else { 992 sha2_mac_init_ctx(PROV_SHA2_HMAC_CTX(ctx), 993 key->ck_data, keylen_in_bytes); 994 } 995 } 996 997 /* 998 * Get the mechanism parameters, if applicable. 999 */ 1000 PROV_SHA2_HMAC_CTX(ctx)->hc_mech_type = mechanism->cm_type; 1001 if (mechanism->cm_type % 3 == 2) { 1002 if (mechanism->cm_param == NULL || 1003 mechanism->cm_param_len != sizeof (ulong_t)) 1004 ret = CRYPTO_MECHANISM_PARAM_INVALID; 1005 PROV_SHA2_GET_DIGEST_LEN(mechanism, 1006 PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len); 1007 if (PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len > sha_digest_len) 1008 ret = CRYPTO_MECHANISM_PARAM_INVALID; 1009 } 1010 1011 if (ret != CRYPTO_SUCCESS) { 1012 bzero(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t)); 1013 kmem_free(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t)); 1014 ctx->cc_provider_private = NULL; 1015 } 1016 1017 return (ret); 1018 } 1019 1020 /* ARGSUSED */ 1021 static int 1022 sha2_mac_update(crypto_ctx_t *ctx, crypto_data_t *data, 1023 crypto_req_handle_t req) 1024 { 1025 int ret = CRYPTO_SUCCESS; 1026 1027 ASSERT(ctx->cc_provider_private != NULL); 1028 1029 /* 1030 * Do a SHA2 update of the inner context using the specified 1031 * data. 1032 */ 1033 switch (data->cd_format) { 1034 case CRYPTO_DATA_RAW: 1035 SHA2Update(&PROV_SHA2_HMAC_CTX(ctx)->hc_icontext, 1036 (uint8_t *)data->cd_raw.iov_base + data->cd_offset, 1037 data->cd_length); 1038 break; 1039 case CRYPTO_DATA_UIO: 1040 ret = sha2_digest_update_uio( 1041 &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext, data); 1042 break; 1043 case CRYPTO_DATA_MBLK: 1044 ret = sha2_digest_update_mblk( 1045 &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext, data); 1046 break; 1047 default: 1048 ret = CRYPTO_ARGUMENTS_BAD; 1049 } 1050 1051 return (ret); 1052 } 1053 1054 /* ARGSUSED */ 1055 static int 1056 sha2_mac_final(crypto_ctx_t *ctx, crypto_data_t *mac, crypto_req_handle_t req) 1057 { 1058 int ret = CRYPTO_SUCCESS; 1059 uchar_t digest[SHA512_DIGEST_LENGTH]; 1060 uint32_t digest_len, sha_digest_len; 1061 1062 ASSERT(ctx->cc_provider_private != NULL); 1063 1064 /* Set the digest lengths to values approriate to the mechanism */ 1065 switch (PROV_SHA2_HMAC_CTX(ctx)->hc_mech_type) { 1066 case SHA256_HMAC_MECH_INFO_TYPE: 1067 sha_digest_len = digest_len = SHA256_DIGEST_LENGTH; 1068 break; 1069 case SHA384_HMAC_MECH_INFO_TYPE: 1070 case SHA512_HMAC_MECH_INFO_TYPE: 1071 sha_digest_len = digest_len = SHA512_DIGEST_LENGTH; 1072 break; 1073 case SHA256_HMAC_GEN_MECH_INFO_TYPE: 1074 sha_digest_len = SHA256_DIGEST_LENGTH; 1075 digest_len = PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len; 1076 break; 1077 case SHA384_HMAC_GEN_MECH_INFO_TYPE: 1078 case SHA512_HMAC_GEN_MECH_INFO_TYPE: 1079 sha_digest_len = SHA512_DIGEST_LENGTH; 1080 digest_len = PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len; 1081 break; 1082 } 1083 1084 /* 1085 * We need to just return the length needed to store the output. 1086 * We should not destroy the context for the following cases. 1087 */ 1088 if ((mac->cd_length == 0) || (mac->cd_length < digest_len)) { 1089 mac->cd_length = digest_len; 1090 return (CRYPTO_BUFFER_TOO_SMALL); 1091 } 1092 1093 /* 1094 * Do a SHA2 final on the inner context. 1095 */ 1096 SHA2Final(digest, &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext); 1097 1098 /* 1099 * Do a SHA2 update on the outer context, feeding the inner 1100 * digest as data. 1101 */ 1102 SHA2Update(&PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, digest, 1103 sha_digest_len); 1104 1105 /* 1106 * Do a SHA2 final on the outer context, storing the computing 1107 * digest in the users buffer. 1108 */ 1109 switch (mac->cd_format) { 1110 case CRYPTO_DATA_RAW: 1111 if (digest_len != sha_digest_len) { 1112 /* 1113 * The caller requested a short digest. Digest 1114 * into a scratch buffer and return to 1115 * the user only what was requested. 1116 */ 1117 SHA2Final(digest, 1118 &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext); 1119 bcopy(digest, (unsigned char *)mac->cd_raw.iov_base + 1120 mac->cd_offset, digest_len); 1121 } else { 1122 SHA2Final((unsigned char *)mac->cd_raw.iov_base + 1123 mac->cd_offset, 1124 &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext); 1125 } 1126 break; 1127 case CRYPTO_DATA_UIO: 1128 ret = sha2_digest_final_uio( 1129 &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, mac, 1130 digest_len, digest); 1131 break; 1132 case CRYPTO_DATA_MBLK: 1133 ret = sha2_digest_final_mblk( 1134 &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, mac, 1135 digest_len, digest); 1136 break; 1137 default: 1138 ret = CRYPTO_ARGUMENTS_BAD; 1139 } 1140 1141 if (ret == CRYPTO_SUCCESS) 1142 mac->cd_length = digest_len; 1143 else 1144 mac->cd_length = 0; 1145 1146 bzero(&PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, sizeof (sha2_hmac_ctx_t)); 1147 kmem_free(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t)); 1148 ctx->cc_provider_private = NULL; 1149 1150 return (ret); 1151 } 1152 1153 #define SHA2_MAC_UPDATE(data, ctx, ret) { \ 1154 switch (data->cd_format) { \ 1155 case CRYPTO_DATA_RAW: \ 1156 SHA2Update(&(ctx).hc_icontext, \ 1157 (uint8_t *)data->cd_raw.iov_base + \ 1158 data->cd_offset, data->cd_length); \ 1159 break; \ 1160 case CRYPTO_DATA_UIO: \ 1161 ret = sha2_digest_update_uio(&(ctx).hc_icontext, data); \ 1162 break; \ 1163 case CRYPTO_DATA_MBLK: \ 1164 ret = sha2_digest_update_mblk(&(ctx).hc_icontext, \ 1165 data); \ 1166 break; \ 1167 default: \ 1168 ret = CRYPTO_ARGUMENTS_BAD; \ 1169 } \ 1170 } 1171 1172 /* ARGSUSED */ 1173 static int 1174 sha2_mac_atomic(crypto_provider_handle_t provider, 1175 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1176 crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, 1177 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) 1178 { 1179 int ret = CRYPTO_SUCCESS; 1180 uchar_t digest[SHA512_DIGEST_LENGTH]; 1181 sha2_hmac_ctx_t sha2_hmac_ctx; 1182 uint32_t sha_digest_len, digest_len, sha_hmac_block_size; 1183 uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length); 1184 1185 /* 1186 * Set the digest length and block size to values approriate to the 1187 * mechanism 1188 */ 1189 switch (mechanism->cm_type) { 1190 case SHA256_HMAC_MECH_INFO_TYPE: 1191 case SHA256_HMAC_GEN_MECH_INFO_TYPE: 1192 sha_digest_len = digest_len = SHA256_DIGEST_LENGTH; 1193 sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE; 1194 break; 1195 case SHA384_HMAC_MECH_INFO_TYPE: 1196 case SHA384_HMAC_GEN_MECH_INFO_TYPE: 1197 case SHA512_HMAC_MECH_INFO_TYPE: 1198 case SHA512_HMAC_GEN_MECH_INFO_TYPE: 1199 sha_digest_len = digest_len = SHA512_DIGEST_LENGTH; 1200 sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE; 1201 break; 1202 default: 1203 return (CRYPTO_MECHANISM_INVALID); 1204 } 1205 1206 /* Add support for key by attributes (RFE 4706552) */ 1207 if (key->ck_format != CRYPTO_KEY_RAW) 1208 return (CRYPTO_ARGUMENTS_BAD); 1209 1210 if (ctx_template != NULL) { 1211 /* reuse context template */ 1212 bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t)); 1213 } else { 1214 sha2_hmac_ctx.hc_mech_type = mechanism->cm_type; 1215 /* no context template, initialize context */ 1216 if (keylen_in_bytes > sha_hmac_block_size) { 1217 /* 1218 * Hash the passed-in key to get a smaller key. 1219 * The inner context is used since it hasn't been 1220 * initialized yet. 1221 */ 1222 PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3, 1223 &sha2_hmac_ctx.hc_icontext, 1224 key->ck_data, keylen_in_bytes, digest); 1225 sha2_mac_init_ctx(&sha2_hmac_ctx, digest, 1226 sha_digest_len); 1227 } else { 1228 sha2_mac_init_ctx(&sha2_hmac_ctx, key->ck_data, 1229 keylen_in_bytes); 1230 } 1231 } 1232 1233 /* get the mechanism parameters, if applicable */ 1234 if ((mechanism->cm_type % 3) == 2) { 1235 if (mechanism->cm_param == NULL || 1236 mechanism->cm_param_len != sizeof (ulong_t)) { 1237 ret = CRYPTO_MECHANISM_PARAM_INVALID; 1238 goto bail; 1239 } 1240 PROV_SHA2_GET_DIGEST_LEN(mechanism, digest_len); 1241 if (digest_len > sha_digest_len) { 1242 ret = CRYPTO_MECHANISM_PARAM_INVALID; 1243 goto bail; 1244 } 1245 } 1246 1247 /* do a SHA2 update of the inner context using the specified data */ 1248 SHA2_MAC_UPDATE(data, sha2_hmac_ctx, ret); 1249 if (ret != CRYPTO_SUCCESS) 1250 /* the update failed, free context and bail */ 1251 goto bail; 1252 1253 /* 1254 * Do a SHA2 final on the inner context. 1255 */ 1256 SHA2Final(digest, &sha2_hmac_ctx.hc_icontext); 1257 1258 /* 1259 * Do an SHA2 update on the outer context, feeding the inner 1260 * digest as data. 1261 * 1262 * Make sure that SHA384 is handled special because 1263 * it cannot feed a 60-byte inner hash to the outer 1264 */ 1265 if (mechanism->cm_type == SHA384_HMAC_MECH_INFO_TYPE || 1266 mechanism->cm_type == SHA384_HMAC_GEN_MECH_INFO_TYPE) 1267 SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, 1268 SHA384_DIGEST_LENGTH); 1269 else 1270 SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, sha_digest_len); 1271 1272 /* 1273 * Do a SHA2 final on the outer context, storing the computed 1274 * digest in the users buffer. 1275 */ 1276 switch (mac->cd_format) { 1277 case CRYPTO_DATA_RAW: 1278 if (digest_len != sha_digest_len) { 1279 /* 1280 * The caller requested a short digest. Digest 1281 * into a scratch buffer and return to 1282 * the user only what was requested. 1283 */ 1284 SHA2Final(digest, &sha2_hmac_ctx.hc_ocontext); 1285 bcopy(digest, (unsigned char *)mac->cd_raw.iov_base + 1286 mac->cd_offset, digest_len); 1287 } else { 1288 SHA2Final((unsigned char *)mac->cd_raw.iov_base + 1289 mac->cd_offset, &sha2_hmac_ctx.hc_ocontext); 1290 } 1291 break; 1292 case CRYPTO_DATA_UIO: 1293 ret = sha2_digest_final_uio(&sha2_hmac_ctx.hc_ocontext, mac, 1294 digest_len, digest); 1295 break; 1296 case CRYPTO_DATA_MBLK: 1297 ret = sha2_digest_final_mblk(&sha2_hmac_ctx.hc_ocontext, mac, 1298 digest_len, digest); 1299 break; 1300 default: 1301 ret = CRYPTO_ARGUMENTS_BAD; 1302 } 1303 1304 if (ret == CRYPTO_SUCCESS) { 1305 mac->cd_length = digest_len; 1306 return (CRYPTO_SUCCESS); 1307 } 1308 bail: 1309 bzero(&sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t)); 1310 mac->cd_length = 0; 1311 return (ret); 1312 } 1313 1314 /* ARGSUSED */ 1315 static int 1316 sha2_mac_verify_atomic(crypto_provider_handle_t provider, 1317 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1318 crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, 1319 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) 1320 { 1321 int ret = CRYPTO_SUCCESS; 1322 uchar_t digest[SHA512_DIGEST_LENGTH]; 1323 sha2_hmac_ctx_t sha2_hmac_ctx; 1324 uint32_t sha_digest_len, digest_len, sha_hmac_block_size; 1325 uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length); 1326 1327 /* 1328 * Set the digest length and block size to values approriate to the 1329 * mechanism 1330 */ 1331 switch (mechanism->cm_type) { 1332 case SHA256_HMAC_MECH_INFO_TYPE: 1333 case SHA256_HMAC_GEN_MECH_INFO_TYPE: 1334 sha_digest_len = digest_len = SHA256_DIGEST_LENGTH; 1335 sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE; 1336 break; 1337 case SHA384_HMAC_MECH_INFO_TYPE: 1338 case SHA384_HMAC_GEN_MECH_INFO_TYPE: 1339 case SHA512_HMAC_MECH_INFO_TYPE: 1340 case SHA512_HMAC_GEN_MECH_INFO_TYPE: 1341 sha_digest_len = digest_len = SHA512_DIGEST_LENGTH; 1342 sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE; 1343 break; 1344 default: 1345 return (CRYPTO_MECHANISM_INVALID); 1346 } 1347 1348 /* Add support for key by attributes (RFE 4706552) */ 1349 if (key->ck_format != CRYPTO_KEY_RAW) 1350 return (CRYPTO_ARGUMENTS_BAD); 1351 1352 if (ctx_template != NULL) { 1353 /* reuse context template */ 1354 bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t)); 1355 } else { 1356 /* no context template, initialize context */ 1357 if (keylen_in_bytes > sha_hmac_block_size) { 1358 /* 1359 * Hash the passed-in key to get a smaller key. 1360 * The inner context is used since it hasn't been 1361 * initialized yet. 1362 */ 1363 PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3, 1364 &sha2_hmac_ctx.hc_icontext, 1365 key->ck_data, keylen_in_bytes, digest); 1366 sha2_mac_init_ctx(&sha2_hmac_ctx, digest, 1367 sha_digest_len); 1368 } else { 1369 sha2_mac_init_ctx(&sha2_hmac_ctx, key->ck_data, 1370 keylen_in_bytes); 1371 } 1372 } 1373 1374 /* get the mechanism parameters, if applicable */ 1375 if (mechanism->cm_type % 3 == 2) { 1376 if (mechanism->cm_param == NULL || 1377 mechanism->cm_param_len != sizeof (ulong_t)) { 1378 ret = CRYPTO_MECHANISM_PARAM_INVALID; 1379 goto bail; 1380 } 1381 PROV_SHA2_GET_DIGEST_LEN(mechanism, digest_len); 1382 if (digest_len > sha_digest_len) { 1383 ret = CRYPTO_MECHANISM_PARAM_INVALID; 1384 goto bail; 1385 } 1386 } 1387 1388 if (mac->cd_length != digest_len) { 1389 ret = CRYPTO_INVALID_MAC; 1390 goto bail; 1391 } 1392 1393 /* do a SHA2 update of the inner context using the specified data */ 1394 SHA2_MAC_UPDATE(data, sha2_hmac_ctx, ret); 1395 if (ret != CRYPTO_SUCCESS) 1396 /* the update failed, free context and bail */ 1397 goto bail; 1398 1399 /* do a SHA2 final on the inner context */ 1400 SHA2Final(digest, &sha2_hmac_ctx.hc_icontext); 1401 1402 /* 1403 * Do an SHA2 update on the outer context, feeding the inner 1404 * digest as data. 1405 */ 1406 SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, sha_digest_len); 1407 1408 /* 1409 * Do a SHA2 final on the outer context, storing the computed 1410 * digest in the users buffer. 1411 */ 1412 SHA2Final(digest, &sha2_hmac_ctx.hc_ocontext); 1413 1414 /* 1415 * Compare the computed digest against the expected digest passed 1416 * as argument. 1417 */ 1418 1419 switch (mac->cd_format) { 1420 1421 case CRYPTO_DATA_RAW: 1422 if (bcmp(digest, (unsigned char *)mac->cd_raw.iov_base + 1423 mac->cd_offset, digest_len) != 0) 1424 ret = CRYPTO_INVALID_MAC; 1425 break; 1426 1427 case CRYPTO_DATA_UIO: { 1428 off_t offset = mac->cd_offset; 1429 uint_t vec_idx; 1430 off_t scratch_offset = 0; 1431 size_t length = digest_len; 1432 size_t cur_len; 1433 1434 /* we support only kernel buffer */ 1435 if (mac->cd_uio->uio_segflg != UIO_SYSSPACE) 1436 return (CRYPTO_ARGUMENTS_BAD); 1437 1438 /* jump to the first iovec containing the expected digest */ 1439 for (vec_idx = 0; 1440 offset >= mac->cd_uio->uio_iov[vec_idx].iov_len && 1441 vec_idx < mac->cd_uio->uio_iovcnt; 1442 offset -= mac->cd_uio->uio_iov[vec_idx++].iov_len); 1443 if (vec_idx == mac->cd_uio->uio_iovcnt) { 1444 /* 1445 * The caller specified an offset that is 1446 * larger than the total size of the buffers 1447 * it provided. 1448 */ 1449 ret = CRYPTO_DATA_LEN_RANGE; 1450 break; 1451 } 1452 1453 /* do the comparison of computed digest vs specified one */ 1454 while (vec_idx < mac->cd_uio->uio_iovcnt && length > 0) { 1455 cur_len = MIN(mac->cd_uio->uio_iov[vec_idx].iov_len - 1456 offset, length); 1457 1458 if (bcmp(digest + scratch_offset, 1459 mac->cd_uio->uio_iov[vec_idx].iov_base + offset, 1460 cur_len) != 0) { 1461 ret = CRYPTO_INVALID_MAC; 1462 break; 1463 } 1464 1465 length -= cur_len; 1466 vec_idx++; 1467 scratch_offset += cur_len; 1468 offset = 0; 1469 } 1470 break; 1471 } 1472 1473 case CRYPTO_DATA_MBLK: { 1474 off_t offset = mac->cd_offset; 1475 mblk_t *mp; 1476 off_t scratch_offset = 0; 1477 size_t length = digest_len; 1478 size_t cur_len; 1479 1480 /* jump to the first mblk_t containing the expected digest */ 1481 for (mp = mac->cd_mp; mp != NULL && offset >= MBLKL(mp); 1482 offset -= MBLKL(mp), mp = mp->b_cont); 1483 if (mp == NULL) { 1484 /* 1485 * The caller specified an offset that is larger than 1486 * the total size of the buffers it provided. 1487 */ 1488 ret = CRYPTO_DATA_LEN_RANGE; 1489 break; 1490 } 1491 1492 while (mp != NULL && length > 0) { 1493 cur_len = MIN(MBLKL(mp) - offset, length); 1494 if (bcmp(digest + scratch_offset, 1495 mp->b_rptr + offset, cur_len) != 0) { 1496 ret = CRYPTO_INVALID_MAC; 1497 break; 1498 } 1499 1500 length -= cur_len; 1501 mp = mp->b_cont; 1502 scratch_offset += cur_len; 1503 offset = 0; 1504 } 1505 break; 1506 } 1507 1508 default: 1509 ret = CRYPTO_ARGUMENTS_BAD; 1510 } 1511 1512 return (ret); 1513 bail: 1514 bzero(&sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t)); 1515 mac->cd_length = 0; 1516 return (ret); 1517 } 1518 1519 /* 1520 * KCF software provider context management entry points. 1521 */ 1522 1523 /* ARGSUSED */ 1524 static int 1525 sha2_create_ctx_template(crypto_provider_handle_t provider, 1526 crypto_mechanism_t *mechanism, crypto_key_t *key, 1527 crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size, 1528 crypto_req_handle_t req) 1529 { 1530 sha2_hmac_ctx_t *sha2_hmac_ctx_tmpl; 1531 uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length); 1532 uint32_t sha_digest_len, sha_hmac_block_size; 1533 1534 /* 1535 * Set the digest length and block size to values approriate to the 1536 * mechanism 1537 */ 1538 switch (mechanism->cm_type) { 1539 case SHA256_HMAC_MECH_INFO_TYPE: 1540 case SHA256_HMAC_GEN_MECH_INFO_TYPE: 1541 sha_digest_len = SHA256_DIGEST_LENGTH; 1542 sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE; 1543 break; 1544 case SHA384_HMAC_MECH_INFO_TYPE: 1545 case SHA384_HMAC_GEN_MECH_INFO_TYPE: 1546 case SHA512_HMAC_MECH_INFO_TYPE: 1547 case SHA512_HMAC_GEN_MECH_INFO_TYPE: 1548 sha_digest_len = SHA512_DIGEST_LENGTH; 1549 sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE; 1550 break; 1551 default: 1552 return (CRYPTO_MECHANISM_INVALID); 1553 } 1554 1555 /* Add support for key by attributes (RFE 4706552) */ 1556 if (key->ck_format != CRYPTO_KEY_RAW) 1557 return (CRYPTO_ARGUMENTS_BAD); 1558 1559 /* 1560 * Allocate and initialize SHA2 context. 1561 */ 1562 sha2_hmac_ctx_tmpl = kmem_alloc(sizeof (sha2_hmac_ctx_t), 1563 crypto_kmflag(req)); 1564 if (sha2_hmac_ctx_tmpl == NULL) 1565 return (CRYPTO_HOST_MEMORY); 1566 1567 sha2_hmac_ctx_tmpl->hc_mech_type = mechanism->cm_type; 1568 1569 if (keylen_in_bytes > sha_hmac_block_size) { 1570 uchar_t digested_key[SHA512_DIGEST_LENGTH]; 1571 1572 /* 1573 * Hash the passed-in key to get a smaller key. 1574 * The inner context is used since it hasn't been 1575 * initialized yet. 1576 */ 1577 PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3, 1578 &sha2_hmac_ctx_tmpl->hc_icontext, 1579 key->ck_data, keylen_in_bytes, digested_key); 1580 sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, digested_key, 1581 sha_digest_len); 1582 } else { 1583 sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, key->ck_data, 1584 keylen_in_bytes); 1585 } 1586 1587 *ctx_template = (crypto_spi_ctx_template_t)sha2_hmac_ctx_tmpl; 1588 *ctx_template_size = sizeof (sha2_hmac_ctx_t); 1589 1590 return (CRYPTO_SUCCESS); 1591 } 1592 1593 static int 1594 sha2_free_context(crypto_ctx_t *ctx) 1595 { 1596 uint_t ctx_len; 1597 1598 if (ctx->cc_provider_private == NULL) 1599 return (CRYPTO_SUCCESS); 1600 1601 /* 1602 * We have to free either SHA2 or SHA2-HMAC contexts, which 1603 * have different lengths. 1604 * 1605 * Note: Below is dependent on the mechanism ordering. 1606 */ 1607 1608 if (PROV_SHA2_CTX(ctx)->sc_mech_type % 3 == 0) 1609 ctx_len = sizeof (sha2_ctx_t); 1610 else 1611 ctx_len = sizeof (sha2_hmac_ctx_t); 1612 1613 bzero(ctx->cc_provider_private, ctx_len); 1614 kmem_free(ctx->cc_provider_private, ctx_len); 1615 ctx->cc_provider_private = NULL; 1616 1617 return (CRYPTO_SUCCESS); 1618 } 1619