1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 /* 28 * Cleaned-up and optimized version of MD5, based on the reference 29 * implementation provided in RFC 1321. See RSA Copyright information 30 * below. 31 * 32 * NOTE: All compiler data was gathered with SC4.2, and verified with SC5.x, 33 * as used to build Solaris 2.7. Hopefully the compiler behavior won't 34 * change for the worse in subsequent Solaris builds. 35 */ 36 37 #pragma ident "%Z%%M% %I% %E% SMI" 38 39 /* 40 * MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm 41 */ 42 43 /* 44 * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All 45 * rights reserved. 46 * 47 * License to copy and use this software is granted provided that it 48 * is identified as the "RSA Data Security, Inc. MD5 Message-Digest 49 * Algorithm" in all material mentioning or referencing this software 50 * or this function. 51 * 52 * License is also granted to make and use derivative works provided 53 * that such works are identified as "derived from the RSA Data 54 * Security, Inc. MD5 Message-Digest Algorithm" in all material 55 * mentioning or referencing the derived work. 56 * 57 * RSA Data Security, Inc. makes no representations concerning either 58 * the merchantability of this software or the suitability of this 59 * software for any particular purpose. It is provided "as is" 60 * without express or implied warranty of any kind. 61 * 62 * These notices must be retained in any copies of any part of this 63 * documentation and/or software. 64 */ 65 66 #include <sys/types.h> 67 #include <sys/md5.h> 68 #include <sys/md5_consts.h> /* MD5_CONST() optimization */ 69 #if !defined(_KERNEL) || defined(_BOOT) 70 #include <strings.h> 71 #endif /* !_KERNEL || _BOOT */ 72 73 #if defined(_KERNEL) && !defined(_BOOT) 74 75 /* 76 * In kernel module, the md5 module is created with two modlinkages: 77 * - a modlmisc that allows consumers to directly call the entry points 78 * MD5Init, MD5Update, and MD5Final. 79 * - a modlcrypto that allows the module to register with the Kernel 80 * Cryptographic Framework (KCF) as a software provider for the MD5 81 * mechanisms. 82 */ 83 84 #include <sys/systm.h> 85 #include <sys/modctl.h> 86 #include <sys/cmn_err.h> 87 #include <sys/ddi.h> 88 #include <sys/crypto/common.h> 89 #include <sys/crypto/spi.h> 90 #include <sys/sysmacros.h> 91 #include <sys/strsun.h> 92 #include <sys/note.h> 93 94 extern struct mod_ops mod_miscops; 95 extern struct mod_ops mod_cryptoops; 96 97 /* 98 * Module linkage information for the kernel. 99 */ 100 101 static struct modlmisc modlmisc = { 102 &mod_miscops, 103 "MD5 Message-Digest Algorithm" 104 }; 105 106 static struct modlcrypto modlcrypto = { 107 &mod_cryptoops, 108 "MD5 Kernel SW Provider 1.17" 109 }; 110 111 static struct modlinkage modlinkage = { 112 MODREV_1, 113 (void *)&modlmisc, 114 (void *)&modlcrypto, 115 NULL 116 }; 117 118 /* 119 * CSPI information (entry points, provider info, etc.) 120 */ 121 122 typedef enum md5_mech_type { 123 MD5_MECH_INFO_TYPE, /* SUN_CKM_MD5 */ 124 MD5_HMAC_MECH_INFO_TYPE, /* SUN_CKM_MD5_HMAC */ 125 MD5_HMAC_GEN_MECH_INFO_TYPE /* SUN_CKM_MD5_HMAC_GENERAL */ 126 } md5_mech_type_t; 127 128 #define MD5_DIGEST_LENGTH 16 /* MD5 digest length in bytes */ 129 #define MD5_HMAC_BLOCK_SIZE 64 /* MD5 block size */ 130 #define MD5_HMAC_MIN_KEY_LEN 8 /* MD5-HMAC min key length in bits */ 131 #define MD5_HMAC_MAX_KEY_LEN INT_MAX /* MD5-HMAC max key length in bits */ 132 #define MD5_HMAC_INTS_PER_BLOCK (MD5_HMAC_BLOCK_SIZE/sizeof (uint32_t)) 133 134 /* 135 * Context for MD5 mechanism. 136 */ 137 typedef struct md5_ctx { 138 md5_mech_type_t mc_mech_type; /* type of context */ 139 MD5_CTX mc_md5_ctx; /* MD5 context */ 140 } md5_ctx_t; 141 142 /* 143 * Context for MD5-HMAC and MD5-HMAC-GENERAL mechanisms. 144 */ 145 typedef struct md5_hmac_ctx { 146 md5_mech_type_t hc_mech_type; /* type of context */ 147 uint32_t hc_digest_len; /* digest len in bytes */ 148 MD5_CTX hc_icontext; /* inner MD5 context */ 149 MD5_CTX hc_ocontext; /* outer MD5 context */ 150 } md5_hmac_ctx_t; 151 152 /* 153 * Macros to access the MD5 or MD5-HMAC contexts from a context passed 154 * by KCF to one of the entry points. 155 */ 156 157 #define PROV_MD5_CTX(ctx) ((md5_ctx_t *)(ctx)->cc_provider_private) 158 #define PROV_MD5_HMAC_CTX(ctx) ((md5_hmac_ctx_t *)(ctx)->cc_provider_private) 159 /* to extract the digest length passed as mechanism parameter */ 160 161 #define PROV_MD5_GET_DIGEST_LEN(m, len) { \ 162 if (IS_P2ALIGNED((m)->cm_param, sizeof (ulong_t))) \ 163 (len) = (uint32_t)*((ulong_t *)mechanism->cm_param); \ 164 else { \ 165 ulong_t tmp_ulong; \ 166 bcopy((m)->cm_param, &tmp_ulong, sizeof (ulong_t)); \ 167 (len) = (uint32_t)tmp_ulong; \ 168 } \ 169 } 170 171 #define PROV_MD5_DIGEST_KEY(ctx, key, len, digest) { \ 172 MD5Init(ctx); \ 173 MD5Update(ctx, key, len); \ 174 MD5Final(digest, ctx); \ 175 } 176 177 /* 178 * Mechanism info structure passed to KCF during registration. 179 */ 180 static crypto_mech_info_t md5_mech_info_tab[] = { 181 /* MD5 */ 182 {SUN_CKM_MD5, MD5_MECH_INFO_TYPE, 183 CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC, 184 0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS}, 185 /* MD5-HMAC */ 186 {SUN_CKM_MD5_HMAC, MD5_HMAC_MECH_INFO_TYPE, 187 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, 188 MD5_HMAC_MIN_KEY_LEN, MD5_HMAC_MAX_KEY_LEN, 189 CRYPTO_KEYSIZE_UNIT_IN_BITS}, 190 /* MD5-HMAC GENERAL */ 191 {SUN_CKM_MD5_HMAC_GENERAL, MD5_HMAC_GEN_MECH_INFO_TYPE, 192 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC, 193 MD5_HMAC_MIN_KEY_LEN, MD5_HMAC_MAX_KEY_LEN, 194 CRYPTO_KEYSIZE_UNIT_IN_BITS} 195 }; 196 197 static void md5_provider_status(crypto_provider_handle_t, uint_t *); 198 199 static crypto_control_ops_t md5_control_ops = { 200 md5_provider_status 201 }; 202 203 static int md5_digest_init(crypto_ctx_t *, crypto_mechanism_t *, 204 crypto_req_handle_t); 205 static int md5_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 206 crypto_req_handle_t); 207 static int md5_digest_update(crypto_ctx_t *, crypto_data_t *, 208 crypto_req_handle_t); 209 static int md5_digest_final(crypto_ctx_t *, crypto_data_t *, 210 crypto_req_handle_t); 211 static int md5_digest_atomic(crypto_provider_handle_t, crypto_session_id_t, 212 crypto_mechanism_t *, crypto_data_t *, crypto_data_t *, 213 crypto_req_handle_t); 214 215 static crypto_digest_ops_t md5_digest_ops = { 216 md5_digest_init, 217 md5_digest, 218 md5_digest_update, 219 NULL, 220 md5_digest_final, 221 md5_digest_atomic 222 }; 223 224 static int md5_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *, 225 crypto_spi_ctx_template_t, crypto_req_handle_t); 226 static int md5_mac_update(crypto_ctx_t *, crypto_data_t *, crypto_req_handle_t); 227 static int md5_mac_final(crypto_ctx_t *, crypto_data_t *, crypto_req_handle_t); 228 static int md5_mac_atomic(crypto_provider_handle_t, crypto_session_id_t, 229 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, 230 crypto_spi_ctx_template_t, crypto_req_handle_t); 231 static int md5_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t, 232 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, 233 crypto_spi_ctx_template_t, crypto_req_handle_t); 234 235 static crypto_mac_ops_t md5_mac_ops = { 236 md5_mac_init, 237 NULL, 238 md5_mac_update, 239 md5_mac_final, 240 md5_mac_atomic, 241 md5_mac_verify_atomic 242 }; 243 244 static int md5_create_ctx_template(crypto_provider_handle_t, 245 crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *, 246 size_t *, crypto_req_handle_t); 247 static int md5_free_context(crypto_ctx_t *); 248 249 static crypto_ctx_ops_t md5_ctx_ops = { 250 md5_create_ctx_template, 251 md5_free_context 252 }; 253 254 static crypto_ops_t md5_crypto_ops = { 255 &md5_control_ops, 256 &md5_digest_ops, 257 NULL, 258 &md5_mac_ops, 259 NULL, 260 NULL, 261 NULL, 262 NULL, 263 NULL, 264 NULL, 265 NULL, 266 NULL, 267 NULL, 268 &md5_ctx_ops 269 }; 270 271 static crypto_provider_info_t md5_prov_info = { 272 CRYPTO_SPI_VERSION_1, 273 "MD5 Software Provider", 274 CRYPTO_SW_PROVIDER, 275 {&modlinkage}, 276 NULL, 277 &md5_crypto_ops, 278 sizeof (md5_mech_info_tab)/sizeof (crypto_mech_info_t), 279 md5_mech_info_tab 280 }; 281 282 static crypto_kcf_provider_handle_t md5_prov_handle = NULL; 283 284 int 285 _init(void) 286 { 287 int ret; 288 289 if ((ret = mod_install(&modlinkage)) != 0) 290 return (ret); 291 292 /* 293 * Register with KCF. If the registration fails, log an 294 * error but do not uninstall the module, since the functionality 295 * provided by misc/md5 should still be available. 296 */ 297 if ((ret = crypto_register_provider(&md5_prov_info, 298 &md5_prov_handle)) != CRYPTO_SUCCESS) 299 cmn_err(CE_WARN, "md5 _init: " 300 "crypto_register_provider() failed (0x%x)", ret); 301 302 return (0); 303 } 304 305 int 306 _fini(void) 307 { 308 int ret; 309 310 /* 311 * Unregister from KCF if previous registration succeeded. 312 */ 313 if (md5_prov_handle != NULL) { 314 if ((ret = crypto_unregister_provider(md5_prov_handle)) != 315 CRYPTO_SUCCESS) { 316 cmn_err(CE_WARN, "md5 _fini: " 317 "crypto_unregister_provider() failed (0x%x)", ret); 318 return (EBUSY); 319 } 320 md5_prov_handle = NULL; 321 } 322 323 return (mod_remove(&modlinkage)); 324 } 325 326 int 327 _info(struct modinfo *modinfop) 328 { 329 return (mod_info(&modlinkage, modinfop)); 330 } 331 #endif /* _KERNEL && !_BOOT */ 332 333 static void Encode(uint8_t *, uint32_t *, size_t); 334 static void MD5Transform(uint32_t, uint32_t, uint32_t, uint32_t, MD5_CTX *, 335 const uint8_t [64]); 336 337 static uint8_t PADDING[64] = { 0x80, /* all zeros */ }; 338 339 /* 340 * F, G, H and I are the basic MD5 functions. 341 */ 342 #define F(b, c, d) (((b) & (c)) | ((~b) & (d))) 343 #define G(b, c, d) (((b) & (d)) | ((c) & (~d))) 344 #define H(b, c, d) ((b) ^ (c) ^ (d)) 345 #define I(b, c, d) ((c) ^ ((b) | (~d))) 346 347 /* 348 * ROTATE_LEFT rotates x left n bits. 349 */ 350 #define ROTATE_LEFT(x, n) \ 351 (((x) << (n)) | ((x) >> ((sizeof (x) << 3) - (n)))) 352 353 /* 354 * FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4. 355 * Rotation is separate from addition to prevent recomputation. 356 */ 357 358 #define FF(a, b, c, d, x, s, ac) { \ 359 (a) += F((b), (c), (d)) + (x) + ((unsigned long long)(ac)); \ 360 (a) = ROTATE_LEFT((a), (s)); \ 361 (a) += (b); \ 362 } 363 364 #define GG(a, b, c, d, x, s, ac) { \ 365 (a) += G((b), (c), (d)) + (x) + ((unsigned long long)(ac)); \ 366 (a) = ROTATE_LEFT((a), (s)); \ 367 (a) += (b); \ 368 } 369 370 #define HH(a, b, c, d, x, s, ac) { \ 371 (a) += H((b), (c), (d)) + (x) + ((unsigned long long)(ac)); \ 372 (a) = ROTATE_LEFT((a), (s)); \ 373 (a) += (b); \ 374 } 375 376 #define II(a, b, c, d, x, s, ac) { \ 377 (a) += I((b), (c), (d)) + (x) + ((unsigned long long)(ac)); \ 378 (a) = ROTATE_LEFT((a), (s)); \ 379 (a) += (b); \ 380 } 381 382 /* 383 * Loading 32-bit constants on a RISC is expensive since it involves both a 384 * `sethi' and an `or'. thus, we instead have the compiler generate `ld's to 385 * load the constants from an array called `md5_consts'. however, on intel 386 * (and other CISC processors), it is cheaper to load the constant 387 * directly. thus, the c code in MD5Transform() uses the macro MD5_CONST() 388 * which either expands to a constant or an array reference, depending on the 389 * architecture the code is being compiled for. 390 * 391 * Right now, i386 and amd64 are the CISC exceptions. 392 * If we get another CISC ISA, we'll have to change the ifdef. 393 */ 394 395 /* 396 * Using the %asi register to achieve little endian loads - register 397 * is set using a inline template. 398 * 399 * Saves a few arithmetic ops as can now use an immediate offset with the 400 * lduwa instructions. 401 */ 402 403 extern void set_little(uint32_t); 404 extern uint32_t get_little(); 405 406 #if defined(__i386) || defined(__amd64) 407 408 #define MD5_CONST(x) (MD5_CONST_ ## x) 409 #define MD5_CONST_e(x) MD5_CONST(x) 410 #define MD5_CONST_o(x) MD5_CONST(x) 411 412 #else 413 /* 414 * sparc/RISC optimization: 415 * 416 * while it is somewhat counter-intuitive, on sparc (and presumably other RISC 417 * machines), it is more efficient to place all the constants used in this 418 * function in an array and load the values out of the array than to manually 419 * load the constants. this is because setting a register to a 32-bit value 420 * takes two ops in most cases: a `sethi' and an `or', but loading a 32-bit 421 * value from memory only takes one `ld' (or `lduw' on v9). while this 422 * increases memory usage, the compiler can find enough other things to do 423 * while waiting to keep the pipeline does not stall. additionally, it is 424 * likely that many of these constants are cached so that later accesses do 425 * not even go out to the bus. 426 * 427 * this array is declared `static' to keep the compiler from having to 428 * bcopy() this array onto the stack frame of MD5Transform() each time it is 429 * called -- which is unacceptably expensive. 430 * 431 * the `const' is to ensure that callers are good citizens and do not try to 432 * munge the array. since these routines are going to be called from inside 433 * multithreaded kernelland, this is a good safety check. -- `constants' will 434 * end up in .rodata. 435 * 436 * unfortunately, loading from an array in this manner hurts performance under 437 * intel (and presumably other CISC machines). so, there is a macro, 438 * MD5_CONST(), used in MD5Transform(), that either expands to a reference to 439 * this array, or to the actual constant, depending on what platform this code 440 * is compiled for. 441 */ 442 443 #ifdef sun4v 444 445 /* 446 * Going to load these consts in 8B chunks, so need to enforce 8B alignment 447 */ 448 449 /* CSTYLED */ 450 #pragma align 64 (md5_consts) 451 452 #endif /* sun4v */ 453 454 static const uint32_t md5_consts[] = { 455 MD5_CONST_0, MD5_CONST_1, MD5_CONST_2, MD5_CONST_3, 456 MD5_CONST_4, MD5_CONST_5, MD5_CONST_6, MD5_CONST_7, 457 MD5_CONST_8, MD5_CONST_9, MD5_CONST_10, MD5_CONST_11, 458 MD5_CONST_12, MD5_CONST_13, MD5_CONST_14, MD5_CONST_15, 459 MD5_CONST_16, MD5_CONST_17, MD5_CONST_18, MD5_CONST_19, 460 MD5_CONST_20, MD5_CONST_21, MD5_CONST_22, MD5_CONST_23, 461 MD5_CONST_24, MD5_CONST_25, MD5_CONST_26, MD5_CONST_27, 462 MD5_CONST_28, MD5_CONST_29, MD5_CONST_30, MD5_CONST_31, 463 MD5_CONST_32, MD5_CONST_33, MD5_CONST_34, MD5_CONST_35, 464 MD5_CONST_36, MD5_CONST_37, MD5_CONST_38, MD5_CONST_39, 465 MD5_CONST_40, MD5_CONST_41, MD5_CONST_42, MD5_CONST_43, 466 MD5_CONST_44, MD5_CONST_45, MD5_CONST_46, MD5_CONST_47, 467 MD5_CONST_48, MD5_CONST_49, MD5_CONST_50, MD5_CONST_51, 468 MD5_CONST_52, MD5_CONST_53, MD5_CONST_54, MD5_CONST_55, 469 MD5_CONST_56, MD5_CONST_57, MD5_CONST_58, MD5_CONST_59, 470 MD5_CONST_60, MD5_CONST_61, MD5_CONST_62, MD5_CONST_63 471 }; 472 473 474 #ifdef sun4v 475 /* 476 * To reduce the number of loads, load consts in 64-bit 477 * chunks and then split. 478 * 479 * No need to mask upper 32-bits, as just interested in 480 * low 32-bits (saves an & operation and means that this 481 * optimization doesn't increases the icount. 482 */ 483 #define MD5_CONST_e(x) (md5_consts64[x/2] >> 32) 484 #define MD5_CONST_o(x) (md5_consts64[x/2]) 485 486 #else 487 488 #define MD5_CONST_e(x) (md5_consts[x]) 489 #define MD5_CONST_o(x) (md5_consts[x]) 490 491 #endif /* sun4v */ 492 493 #endif 494 495 /* 496 * MD5Init() 497 * 498 * purpose: initializes the md5 context and begins and md5 digest operation 499 * input: MD5_CTX * : the context to initialize. 500 * output: void 501 */ 502 503 void 504 MD5Init(MD5_CTX *ctx) 505 { 506 ctx->count[0] = ctx->count[1] = 0; 507 508 /* load magic initialization constants */ 509 ctx->state[0] = MD5_INIT_CONST_1; 510 ctx->state[1] = MD5_INIT_CONST_2; 511 ctx->state[2] = MD5_INIT_CONST_3; 512 ctx->state[3] = MD5_INIT_CONST_4; 513 } 514 515 /* 516 * MD5Update() 517 * 518 * purpose: continues an md5 digest operation, using the message block 519 * to update the context. 520 * input: MD5_CTX * : the context to update 521 * uint8_t * : the message block 522 * uint32_t : the length of the message block in bytes 523 * output: void 524 * 525 * MD5 crunches in 64-byte blocks. All numeric constants here are related to 526 * that property of MD5. 527 */ 528 529 void 530 MD5Update(MD5_CTX *ctx, const void *inpp, unsigned int input_len) 531 { 532 uint32_t i, buf_index, buf_len; 533 #ifdef sun4v 534 uint32_t old_asi; 535 #endif /* sun4v */ 536 const unsigned char *input = (const unsigned char *)inpp; 537 538 /* compute (number of bytes computed so far) mod 64 */ 539 buf_index = (ctx->count[0] >> 3) & 0x3F; 540 541 /* update number of bits hashed into this MD5 computation so far */ 542 if ((ctx->count[0] += (input_len << 3)) < (input_len << 3)) 543 ctx->count[1]++; 544 ctx->count[1] += (input_len >> 29); 545 546 buf_len = 64 - buf_index; 547 548 /* transform as many times as possible */ 549 i = 0; 550 if (input_len >= buf_len) { 551 552 /* 553 * general optimization: 554 * 555 * only do initial bcopy() and MD5Transform() if 556 * buf_index != 0. if buf_index == 0, we're just 557 * wasting our time doing the bcopy() since there 558 * wasn't any data left over from a previous call to 559 * MD5Update(). 560 */ 561 562 #ifdef sun4v 563 /* 564 * For N1 use %asi register. However, costly to repeatedly set 565 * in MD5Transform. Therefore, set once here. 566 * Should probably restore the old value afterwards... 567 */ 568 old_asi = get_little(); 569 set_little(0x88); 570 #endif /* sun4v */ 571 572 if (buf_index) { 573 bcopy(input, &ctx->buf_un.buf8[buf_index], buf_len); 574 575 MD5Transform(ctx->state[0], ctx->state[1], 576 ctx->state[2], ctx->state[3], ctx, 577 ctx->buf_un.buf8); 578 579 i = buf_len; 580 } 581 582 for (; i + 63 < input_len; i += 64) 583 MD5Transform(ctx->state[0], ctx->state[1], 584 ctx->state[2], ctx->state[3], ctx, &input[i]); 585 586 587 #ifdef sun4v 588 /* 589 * Restore old %ASI value 590 */ 591 set_little(old_asi); 592 #endif /* sun4v */ 593 594 /* 595 * general optimization: 596 * 597 * if i and input_len are the same, return now instead 598 * of calling bcopy(), since the bcopy() in this 599 * case will be an expensive nop. 600 */ 601 602 if (input_len == i) 603 return; 604 605 buf_index = 0; 606 } 607 608 /* buffer remaining input */ 609 bcopy(&input[i], &ctx->buf_un.buf8[buf_index], input_len - i); 610 } 611 612 /* 613 * MD5Final() 614 * 615 * purpose: ends an md5 digest operation, finalizing the message digest and 616 * zeroing the context. 617 * input: uint8_t * : a buffer to store the digest in 618 * MD5_CTX * : the context to finalize, save, and zero 619 * output: void 620 */ 621 622 void 623 MD5Final(unsigned char *digest, MD5_CTX *ctx) 624 { 625 uint8_t bitcount_le[sizeof (ctx->count)]; 626 uint32_t index = (ctx->count[0] >> 3) & 0x3f; 627 628 /* store bit count, little endian */ 629 Encode(bitcount_le, ctx->count, sizeof (bitcount_le)); 630 631 /* pad out to 56 mod 64 */ 632 MD5Update(ctx, PADDING, ((index < 56) ? 56 : 120) - index); 633 634 /* append length (before padding) */ 635 MD5Update(ctx, bitcount_le, sizeof (bitcount_le)); 636 637 /* store state in digest */ 638 Encode(digest, ctx->state, sizeof (ctx->state)); 639 } 640 641 #ifndef _KERNEL 642 643 void 644 md5_calc(unsigned char *output, unsigned char *input, unsigned int inlen) 645 { 646 MD5_CTX context; 647 648 MD5Init(&context); 649 MD5Update(&context, input, inlen); 650 MD5Final(output, &context); 651 } 652 653 #endif /* !_KERNEL */ 654 655 /* 656 * Little-endian optimization: I don't need to do any weirdness. On 657 * some little-endian boxen, I'll have to do alignment checks, but I can do 658 * that below. 659 */ 660 661 #ifdef _LITTLE_ENDIAN 662 663 #if !defined(__i386) && !defined(__amd64) 664 /* 665 * i386 and amd64 don't require aligned 4-byte loads. The symbol 666 * _MD5_CHECK_ALIGNMENT indicates below whether the MD5Transform function 667 * requires alignment checking. 668 */ 669 #define _MD5_CHECK_ALIGNMENT 670 #endif /* !__i386 && !__amd64 */ 671 672 #define LOAD_LITTLE_32(addr) (*(uint32_t *)(addr)) 673 674 /* 675 * sparc v9/v8plus optimization: 676 * 677 * on the sparc v9/v8plus, we can load data little endian. however, since 678 * the compiler doesn't have direct support for little endian, we 679 * link to an assembly-language routine `load_little_32' to do 680 * the magic. note that special care must be taken to ensure the 681 * address is 32-bit aligned -- in the interest of speed, we don't 682 * check to make sure, since careful programming can guarantee this 683 * for us. 684 */ 685 686 #elif defined(sun4u) 687 688 /* Define alignment check because we can 4-byte load as little endian. */ 689 #define _MD5_CHECK_ALIGNMENT 690 691 extern uint32_t load_little_32(uint32_t *); 692 #define LOAD_LITTLE_32(addr) load_little_32((uint32_t *)(addr)) 693 694 #ifdef sun4v 695 696 /* 697 * For N1 want to minimize number of arithmetic operations. This is best 698 * achieved by using the %asi register to specify ASI for the lduwa operations. 699 * Also, have a separate inline template for each word, so can utilize the 700 * immediate offset in lduwa, without relying on the compiler to do the right 701 * thing. 702 * 703 * Moving to 64-bit loads might also be beneficial. 704 */ 705 706 extern uint32_t load_little_32_0(uint32_t *); 707 extern uint32_t load_little_32_1(uint32_t *); 708 extern uint32_t load_little_32_2(uint32_t *); 709 extern uint32_t load_little_32_3(uint32_t *); 710 extern uint32_t load_little_32_4(uint32_t *); 711 extern uint32_t load_little_32_5(uint32_t *); 712 extern uint32_t load_little_32_6(uint32_t *); 713 extern uint32_t load_little_32_7(uint32_t *); 714 extern uint32_t load_little_32_8(uint32_t *); 715 extern uint32_t load_little_32_9(uint32_t *); 716 extern uint32_t load_little_32_a(uint32_t *); 717 extern uint32_t load_little_32_b(uint32_t *); 718 extern uint32_t load_little_32_c(uint32_t *); 719 extern uint32_t load_little_32_d(uint32_t *); 720 extern uint32_t load_little_32_e(uint32_t *); 721 extern uint32_t load_little_32_f(uint32_t *); 722 #define LOAD_LITTLE_32_0(addr) load_little_32_0((uint32_t *)(addr)) 723 #define LOAD_LITTLE_32_1(addr) load_little_32_1((uint32_t *)(addr)) 724 #define LOAD_LITTLE_32_2(addr) load_little_32_2((uint32_t *)(addr)) 725 #define LOAD_LITTLE_32_3(addr) load_little_32_3((uint32_t *)(addr)) 726 #define LOAD_LITTLE_32_4(addr) load_little_32_4((uint32_t *)(addr)) 727 #define LOAD_LITTLE_32_5(addr) load_little_32_5((uint32_t *)(addr)) 728 #define LOAD_LITTLE_32_6(addr) load_little_32_6((uint32_t *)(addr)) 729 #define LOAD_LITTLE_32_7(addr) load_little_32_7((uint32_t *)(addr)) 730 #define LOAD_LITTLE_32_8(addr) load_little_32_8((uint32_t *)(addr)) 731 #define LOAD_LITTLE_32_9(addr) load_little_32_9((uint32_t *)(addr)) 732 #define LOAD_LITTLE_32_a(addr) load_little_32_a((uint32_t *)(addr)) 733 #define LOAD_LITTLE_32_b(addr) load_little_32_b((uint32_t *)(addr)) 734 #define LOAD_LITTLE_32_c(addr) load_little_32_c((uint32_t *)(addr)) 735 #define LOAD_LITTLE_32_d(addr) load_little_32_d((uint32_t *)(addr)) 736 #define LOAD_LITTLE_32_e(addr) load_little_32_e((uint32_t *)(addr)) 737 #define LOAD_LITTLE_32_f(addr) load_little_32_f((uint32_t *)(addr)) 738 #endif /* sun4v */ 739 740 /* Placate lint */ 741 #if defined(__lint) 742 uint32_t 743 load_little_32(uint32_t *addr) 744 { 745 return (*addr); 746 } 747 #endif 748 749 #else /* big endian -- will work on little endian, but slowly */ 750 751 /* Since we do byte operations, we don't have to check for alignment. */ 752 #define LOAD_LITTLE_32(addr) \ 753 ((addr)[0] | ((addr)[1] << 8) | ((addr)[2] << 16) | ((addr)[3] << 24)) 754 #endif 755 756 /* 757 * sparc register window optimization: 758 * 759 * `a', `b', `c', and `d' are passed into MD5Transform explicitly 760 * since it increases the number of registers available to the 761 * compiler. under this scheme, these variables can be held in 762 * %i0 - %i3, which leaves more local and out registers available. 763 */ 764 765 /* 766 * MD5Transform() 767 * 768 * purpose: md5 transformation -- updates the digest based on `block' 769 * input: uint32_t : bytes 1 - 4 of the digest 770 * uint32_t : bytes 5 - 8 of the digest 771 * uint32_t : bytes 9 - 12 of the digest 772 * uint32_t : bytes 12 - 16 of the digest 773 * MD5_CTX * : the context to update 774 * uint8_t [64]: the block to use to update the digest 775 * output: void 776 */ 777 778 static void 779 MD5Transform(uint32_t a, uint32_t b, uint32_t c, uint32_t d, 780 MD5_CTX *ctx, const uint8_t block[64]) 781 { 782 /* 783 * general optimization: 784 * 785 * use individual integers instead of using an array. this is a 786 * win, although the amount it wins by seems to vary quite a bit. 787 */ 788 789 register uint32_t x_0, x_1, x_2, x_3, x_4, x_5, x_6, x_7; 790 register uint32_t x_8, x_9, x_10, x_11, x_12, x_13, x_14, x_15; 791 #ifdef sun4v 792 unsigned long long *md5_consts64; 793 794 md5_consts64 = (unsigned long long *) md5_consts; 795 #endif /* sun4v */ 796 797 /* 798 * general optimization: 799 * 800 * the compiler (at least SC4.2/5.x) generates better code if 801 * variable use is localized. in this case, swapping the integers in 802 * this order allows `x_0 'to be swapped nearest to its first use in 803 * FF(), and likewise for `x_1' and up. note that the compiler 804 * prefers this to doing each swap right before the FF() that 805 * uses it. 806 */ 807 808 /* 809 * sparc v9/v8plus optimization: 810 * 811 * if `block' is already aligned on a 4-byte boundary, use the 812 * optimized load_little_32() directly. otherwise, bcopy() 813 * into a buffer that *is* aligned on a 4-byte boundary and 814 * then do the load_little_32() on that buffer. benchmarks 815 * have shown that using the bcopy() is better than loading 816 * the bytes individually and doing the endian-swap by hand. 817 * 818 * even though it's quite tempting to assign to do: 819 * 820 * blk = bcopy(blk, ctx->buf_un.buf32, sizeof (ctx->buf_un.buf32)); 821 * 822 * and only have one set of LOAD_LITTLE_32()'s, the compiler (at least 823 * SC4.2/5.x) *does not* like that, so please resist the urge. 824 */ 825 826 #ifdef _MD5_CHECK_ALIGNMENT 827 if ((uintptr_t)block & 0x3) { /* not 4-byte aligned? */ 828 bcopy(block, ctx->buf_un.buf32, sizeof (ctx->buf_un.buf32)); 829 830 #ifdef sun4v 831 x_15 = LOAD_LITTLE_32_f(ctx->buf_un.buf32); 832 x_14 = LOAD_LITTLE_32_e(ctx->buf_un.buf32); 833 x_13 = LOAD_LITTLE_32_d(ctx->buf_un.buf32); 834 x_12 = LOAD_LITTLE_32_c(ctx->buf_un.buf32); 835 x_11 = LOAD_LITTLE_32_b(ctx->buf_un.buf32); 836 x_10 = LOAD_LITTLE_32_a(ctx->buf_un.buf32); 837 x_9 = LOAD_LITTLE_32_9(ctx->buf_un.buf32); 838 x_8 = LOAD_LITTLE_32_8(ctx->buf_un.buf32); 839 x_7 = LOAD_LITTLE_32_7(ctx->buf_un.buf32); 840 x_6 = LOAD_LITTLE_32_6(ctx->buf_un.buf32); 841 x_5 = LOAD_LITTLE_32_5(ctx->buf_un.buf32); 842 x_4 = LOAD_LITTLE_32_4(ctx->buf_un.buf32); 843 x_3 = LOAD_LITTLE_32_3(ctx->buf_un.buf32); 844 x_2 = LOAD_LITTLE_32_2(ctx->buf_un.buf32); 845 x_1 = LOAD_LITTLE_32_1(ctx->buf_un.buf32); 846 x_0 = LOAD_LITTLE_32_0(ctx->buf_un.buf32); 847 #else 848 x_15 = LOAD_LITTLE_32(ctx->buf_un.buf32 + 15); 849 x_14 = LOAD_LITTLE_32(ctx->buf_un.buf32 + 14); 850 x_13 = LOAD_LITTLE_32(ctx->buf_un.buf32 + 13); 851 x_12 = LOAD_LITTLE_32(ctx->buf_un.buf32 + 12); 852 x_11 = LOAD_LITTLE_32(ctx->buf_un.buf32 + 11); 853 x_10 = LOAD_LITTLE_32(ctx->buf_un.buf32 + 10); 854 x_9 = LOAD_LITTLE_32(ctx->buf_un.buf32 + 9); 855 x_8 = LOAD_LITTLE_32(ctx->buf_un.buf32 + 8); 856 x_7 = LOAD_LITTLE_32(ctx->buf_un.buf32 + 7); 857 x_6 = LOAD_LITTLE_32(ctx->buf_un.buf32 + 6); 858 x_5 = LOAD_LITTLE_32(ctx->buf_un.buf32 + 5); 859 x_4 = LOAD_LITTLE_32(ctx->buf_un.buf32 + 4); 860 x_3 = LOAD_LITTLE_32(ctx->buf_un.buf32 + 3); 861 x_2 = LOAD_LITTLE_32(ctx->buf_un.buf32 + 2); 862 x_1 = LOAD_LITTLE_32(ctx->buf_un.buf32 + 1); 863 x_0 = LOAD_LITTLE_32(ctx->buf_un.buf32 + 0); 864 #endif /* sun4v */ 865 } else 866 #endif 867 { 868 869 #ifdef sun4v 870 x_15 = LOAD_LITTLE_32_f(block); 871 x_14 = LOAD_LITTLE_32_e(block); 872 x_13 = LOAD_LITTLE_32_d(block); 873 x_12 = LOAD_LITTLE_32_c(block); 874 x_11 = LOAD_LITTLE_32_b(block); 875 x_10 = LOAD_LITTLE_32_a(block); 876 x_9 = LOAD_LITTLE_32_9(block); 877 x_8 = LOAD_LITTLE_32_8(block); 878 x_7 = LOAD_LITTLE_32_7(block); 879 x_6 = LOAD_LITTLE_32_6(block); 880 x_5 = LOAD_LITTLE_32_5(block); 881 x_4 = LOAD_LITTLE_32_4(block); 882 x_3 = LOAD_LITTLE_32_3(block); 883 x_2 = LOAD_LITTLE_32_2(block); 884 x_1 = LOAD_LITTLE_32_1(block); 885 x_0 = LOAD_LITTLE_32_0(block); 886 #else 887 x_15 = LOAD_LITTLE_32(block + 60); 888 x_14 = LOAD_LITTLE_32(block + 56); 889 x_13 = LOAD_LITTLE_32(block + 52); 890 x_12 = LOAD_LITTLE_32(block + 48); 891 x_11 = LOAD_LITTLE_32(block + 44); 892 x_10 = LOAD_LITTLE_32(block + 40); 893 x_9 = LOAD_LITTLE_32(block + 36); 894 x_8 = LOAD_LITTLE_32(block + 32); 895 x_7 = LOAD_LITTLE_32(block + 28); 896 x_6 = LOAD_LITTLE_32(block + 24); 897 x_5 = LOAD_LITTLE_32(block + 20); 898 x_4 = LOAD_LITTLE_32(block + 16); 899 x_3 = LOAD_LITTLE_32(block + 12); 900 x_2 = LOAD_LITTLE_32(block + 8); 901 x_1 = LOAD_LITTLE_32(block + 4); 902 x_0 = LOAD_LITTLE_32(block + 0); 903 #endif /* sun4v */ 904 } 905 906 /* round 1 */ 907 FF(a, b, c, d, x_0, MD5_SHIFT_11, MD5_CONST_e(0)); /* 1 */ 908 FF(d, a, b, c, x_1, MD5_SHIFT_12, MD5_CONST_o(1)); /* 2 */ 909 FF(c, d, a, b, x_2, MD5_SHIFT_13, MD5_CONST_e(2)); /* 3 */ 910 FF(b, c, d, a, x_3, MD5_SHIFT_14, MD5_CONST_o(3)); /* 4 */ 911 FF(a, b, c, d, x_4, MD5_SHIFT_11, MD5_CONST_e(4)); /* 5 */ 912 FF(d, a, b, c, x_5, MD5_SHIFT_12, MD5_CONST_o(5)); /* 6 */ 913 FF(c, d, a, b, x_6, MD5_SHIFT_13, MD5_CONST_e(6)); /* 7 */ 914 FF(b, c, d, a, x_7, MD5_SHIFT_14, MD5_CONST_o(7)); /* 8 */ 915 FF(a, b, c, d, x_8, MD5_SHIFT_11, MD5_CONST_e(8)); /* 9 */ 916 FF(d, a, b, c, x_9, MD5_SHIFT_12, MD5_CONST_o(9)); /* 10 */ 917 FF(c, d, a, b, x_10, MD5_SHIFT_13, MD5_CONST_e(10)); /* 11 */ 918 FF(b, c, d, a, x_11, MD5_SHIFT_14, MD5_CONST_o(11)); /* 12 */ 919 FF(a, b, c, d, x_12, MD5_SHIFT_11, MD5_CONST_e(12)); /* 13 */ 920 FF(d, a, b, c, x_13, MD5_SHIFT_12, MD5_CONST_o(13)); /* 14 */ 921 FF(c, d, a, b, x_14, MD5_SHIFT_13, MD5_CONST_e(14)); /* 15 */ 922 FF(b, c, d, a, x_15, MD5_SHIFT_14, MD5_CONST_o(15)); /* 16 */ 923 924 /* round 2 */ 925 GG(a, b, c, d, x_1, MD5_SHIFT_21, MD5_CONST_e(16)); /* 17 */ 926 GG(d, a, b, c, x_6, MD5_SHIFT_22, MD5_CONST_o(17)); /* 18 */ 927 GG(c, d, a, b, x_11, MD5_SHIFT_23, MD5_CONST_e(18)); /* 19 */ 928 GG(b, c, d, a, x_0, MD5_SHIFT_24, MD5_CONST_o(19)); /* 20 */ 929 GG(a, b, c, d, x_5, MD5_SHIFT_21, MD5_CONST_e(20)); /* 21 */ 930 GG(d, a, b, c, x_10, MD5_SHIFT_22, MD5_CONST_o(21)); /* 22 */ 931 GG(c, d, a, b, x_15, MD5_SHIFT_23, MD5_CONST_e(22)); /* 23 */ 932 GG(b, c, d, a, x_4, MD5_SHIFT_24, MD5_CONST_o(23)); /* 24 */ 933 GG(a, b, c, d, x_9, MD5_SHIFT_21, MD5_CONST_e(24)); /* 25 */ 934 GG(d, a, b, c, x_14, MD5_SHIFT_22, MD5_CONST_o(25)); /* 26 */ 935 GG(c, d, a, b, x_3, MD5_SHIFT_23, MD5_CONST_e(26)); /* 27 */ 936 GG(b, c, d, a, x_8, MD5_SHIFT_24, MD5_CONST_o(27)); /* 28 */ 937 GG(a, b, c, d, x_13, MD5_SHIFT_21, MD5_CONST_e(28)); /* 29 */ 938 GG(d, a, b, c, x_2, MD5_SHIFT_22, MD5_CONST_o(29)); /* 30 */ 939 GG(c, d, a, b, x_7, MD5_SHIFT_23, MD5_CONST_e(30)); /* 31 */ 940 GG(b, c, d, a, x_12, MD5_SHIFT_24, MD5_CONST_o(31)); /* 32 */ 941 942 /* round 3 */ 943 HH(a, b, c, d, x_5, MD5_SHIFT_31, MD5_CONST_e(32)); /* 33 */ 944 HH(d, a, b, c, x_8, MD5_SHIFT_32, MD5_CONST_o(33)); /* 34 */ 945 HH(c, d, a, b, x_11, MD5_SHIFT_33, MD5_CONST_e(34)); /* 35 */ 946 HH(b, c, d, a, x_14, MD5_SHIFT_34, MD5_CONST_o(35)); /* 36 */ 947 HH(a, b, c, d, x_1, MD5_SHIFT_31, MD5_CONST_e(36)); /* 37 */ 948 HH(d, a, b, c, x_4, MD5_SHIFT_32, MD5_CONST_o(37)); /* 38 */ 949 HH(c, d, a, b, x_7, MD5_SHIFT_33, MD5_CONST_e(38)); /* 39 */ 950 HH(b, c, d, a, x_10, MD5_SHIFT_34, MD5_CONST_o(39)); /* 40 */ 951 HH(a, b, c, d, x_13, MD5_SHIFT_31, MD5_CONST_e(40)); /* 41 */ 952 HH(d, a, b, c, x_0, MD5_SHIFT_32, MD5_CONST_o(41)); /* 42 */ 953 HH(c, d, a, b, x_3, MD5_SHIFT_33, MD5_CONST_e(42)); /* 43 */ 954 HH(b, c, d, a, x_6, MD5_SHIFT_34, MD5_CONST_o(43)); /* 44 */ 955 HH(a, b, c, d, x_9, MD5_SHIFT_31, MD5_CONST_e(44)); /* 45 */ 956 HH(d, a, b, c, x_12, MD5_SHIFT_32, MD5_CONST_o(45)); /* 46 */ 957 HH(c, d, a, b, x_15, MD5_SHIFT_33, MD5_CONST_e(46)); /* 47 */ 958 HH(b, c, d, a, x_2, MD5_SHIFT_34, MD5_CONST_o(47)); /* 48 */ 959 960 /* round 4 */ 961 II(a, b, c, d, x_0, MD5_SHIFT_41, MD5_CONST_e(48)); /* 49 */ 962 II(d, a, b, c, x_7, MD5_SHIFT_42, MD5_CONST_o(49)); /* 50 */ 963 II(c, d, a, b, x_14, MD5_SHIFT_43, MD5_CONST_e(50)); /* 51 */ 964 II(b, c, d, a, x_5, MD5_SHIFT_44, MD5_CONST_o(51)); /* 52 */ 965 II(a, b, c, d, x_12, MD5_SHIFT_41, MD5_CONST_e(52)); /* 53 */ 966 II(d, a, b, c, x_3, MD5_SHIFT_42, MD5_CONST_o(53)); /* 54 */ 967 II(c, d, a, b, x_10, MD5_SHIFT_43, MD5_CONST_e(54)); /* 55 */ 968 II(b, c, d, a, x_1, MD5_SHIFT_44, MD5_CONST_o(55)); /* 56 */ 969 II(a, b, c, d, x_8, MD5_SHIFT_41, MD5_CONST_e(56)); /* 57 */ 970 II(d, a, b, c, x_15, MD5_SHIFT_42, MD5_CONST_o(57)); /* 58 */ 971 II(c, d, a, b, x_6, MD5_SHIFT_43, MD5_CONST_e(58)); /* 59 */ 972 II(b, c, d, a, x_13, MD5_SHIFT_44, MD5_CONST_o(59)); /* 60 */ 973 II(a, b, c, d, x_4, MD5_SHIFT_41, MD5_CONST_e(60)); /* 61 */ 974 II(d, a, b, c, x_11, MD5_SHIFT_42, MD5_CONST_o(61)); /* 62 */ 975 II(c, d, a, b, x_2, MD5_SHIFT_43, MD5_CONST_e(62)); /* 63 */ 976 II(b, c, d, a, x_9, MD5_SHIFT_44, MD5_CONST_o(63)); /* 64 */ 977 978 ctx->state[0] += a; 979 ctx->state[1] += b; 980 ctx->state[2] += c; 981 ctx->state[3] += d; 982 983 /* 984 * zeroize sensitive information -- compiler will optimize 985 * this out if everything is kept in registers 986 */ 987 988 x_0 = x_1 = x_2 = x_3 = x_4 = x_5 = x_6 = x_7 = x_8 = 0; 989 x_9 = x_10 = x_11 = x_12 = x_13 = x_14 = x_15 = 0; 990 } 991 992 /* 993 * devpro compiler optimization: 994 * 995 * the compiler can generate better code if it knows that `input' and 996 * `output' do not point to the same source. there is no portable 997 * way to tell the compiler this, but the devpro compiler recognizes the 998 * `_Restrict' keyword to indicate this condition. use it if possible. 999 */ 1000 1001 #if defined(__RESTRICT) && !defined(__GNUC__) 1002 #define restrict _Restrict 1003 #else 1004 #define restrict /* nothing */ 1005 #endif 1006 1007 /* 1008 * Encode() 1009 * 1010 * purpose: to convert a list of numbers from big endian to little endian 1011 * input: uint8_t * : place to store the converted little endian numbers 1012 * uint32_t * : place to get numbers to convert from 1013 * size_t : the length of the input in bytes 1014 * output: void 1015 */ 1016 1017 static void 1018 Encode(uint8_t *restrict output, uint32_t *restrict input, size_t input_len) 1019 { 1020 size_t i, j; 1021 1022 for (i = 0, j = 0; j < input_len; i++, j += sizeof (uint32_t)) { 1023 1024 #ifdef _LITTLE_ENDIAN 1025 1026 #ifdef _MD5_CHECK_ALIGNMENT 1027 if ((uintptr_t)output & 0x3) /* Not 4-byte aligned */ 1028 bcopy(input + i, output + j, 4); 1029 else *(uint32_t *)(output + j) = input[i]; 1030 #else 1031 *(uint32_t *)(output + j) = input[i]; 1032 #endif /* _MD5_CHECK_ALIGNMENT */ 1033 1034 #else /* big endian -- will work on little endian, but slowly */ 1035 1036 output[j] = input[i] & 0xff; 1037 output[j + 1] = (input[i] >> 8) & 0xff; 1038 output[j + 2] = (input[i] >> 16) & 0xff; 1039 output[j + 3] = (input[i] >> 24) & 0xff; 1040 #endif 1041 } 1042 } 1043 1044 #if defined(_KERNEL) && !defined(_BOOT) 1045 1046 /* 1047 * KCF software provider control entry points. 1048 */ 1049 /* ARGSUSED */ 1050 static void 1051 md5_provider_status(crypto_provider_handle_t provider, uint_t *status) 1052 { 1053 *status = CRYPTO_PROVIDER_READY; 1054 } 1055 1056 /* 1057 * KCF software provider digest entry points. 1058 */ 1059 1060 static int 1061 md5_digest_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 1062 crypto_req_handle_t req) 1063 { 1064 if (mechanism->cm_type != MD5_MECH_INFO_TYPE) 1065 return (CRYPTO_MECHANISM_INVALID); 1066 1067 /* 1068 * Allocate and initialize MD5 context. 1069 */ 1070 ctx->cc_provider_private = kmem_alloc(sizeof (md5_ctx_t), 1071 crypto_kmflag(req)); 1072 if (ctx->cc_provider_private == NULL) 1073 return (CRYPTO_HOST_MEMORY); 1074 1075 PROV_MD5_CTX(ctx)->mc_mech_type = MD5_MECH_INFO_TYPE; 1076 MD5Init(&PROV_MD5_CTX(ctx)->mc_md5_ctx); 1077 1078 return (CRYPTO_SUCCESS); 1079 } 1080 1081 /* 1082 * Helper MD5 digest update function for uio data. 1083 */ 1084 static int 1085 md5_digest_update_uio(MD5_CTX *md5_ctx, crypto_data_t *data) 1086 { 1087 off_t offset = data->cd_offset; 1088 size_t length = data->cd_length; 1089 uint_t vec_idx; 1090 size_t cur_len; 1091 1092 /* we support only kernel buffer */ 1093 if (data->cd_uio->uio_segflg != UIO_SYSSPACE) 1094 return (CRYPTO_ARGUMENTS_BAD); 1095 1096 /* 1097 * Jump to the first iovec containing data to be 1098 * digested. 1099 */ 1100 for (vec_idx = 0; vec_idx < data->cd_uio->uio_iovcnt && 1101 offset >= data->cd_uio->uio_iov[vec_idx].iov_len; 1102 offset -= data->cd_uio->uio_iov[vec_idx++].iov_len); 1103 if (vec_idx == data->cd_uio->uio_iovcnt) { 1104 /* 1105 * The caller specified an offset that is larger than the 1106 * total size of the buffers it provided. 1107 */ 1108 return (CRYPTO_DATA_LEN_RANGE); 1109 } 1110 1111 /* 1112 * Now do the digesting on the iovecs. 1113 */ 1114 while (vec_idx < data->cd_uio->uio_iovcnt && length > 0) { 1115 cur_len = MIN(data->cd_uio->uio_iov[vec_idx].iov_len - 1116 offset, length); 1117 1118 MD5Update(md5_ctx, data->cd_uio->uio_iov[vec_idx].iov_base + 1119 offset, cur_len); 1120 1121 length -= cur_len; 1122 vec_idx++; 1123 offset = 0; 1124 } 1125 1126 if (vec_idx == data->cd_uio->uio_iovcnt && length > 0) { 1127 /* 1128 * The end of the specified iovec's was reached but 1129 * the length requested could not be processed, i.e. 1130 * The caller requested to digest more data than it provided. 1131 */ 1132 return (CRYPTO_DATA_LEN_RANGE); 1133 } 1134 1135 return (CRYPTO_SUCCESS); 1136 } 1137 1138 /* 1139 * Helper MD5 digest final function for uio data. 1140 * digest_len is the length of the desired digest. If digest_len 1141 * is smaller than the default MD5 digest length, the caller 1142 * must pass a scratch buffer, digest_scratch, which must 1143 * be at least MD5_DIGEST_LENGTH bytes. 1144 */ 1145 static int 1146 md5_digest_final_uio(MD5_CTX *md5_ctx, crypto_data_t *digest, 1147 ulong_t digest_len, uchar_t *digest_scratch) 1148 { 1149 off_t offset = digest->cd_offset; 1150 uint_t vec_idx; 1151 1152 /* we support only kernel buffer */ 1153 if (digest->cd_uio->uio_segflg != UIO_SYSSPACE) 1154 return (CRYPTO_ARGUMENTS_BAD); 1155 1156 /* 1157 * Jump to the first iovec containing ptr to the digest to 1158 * be returned. 1159 */ 1160 for (vec_idx = 0; offset >= digest->cd_uio->uio_iov[vec_idx].iov_len && 1161 vec_idx < digest->cd_uio->uio_iovcnt; 1162 offset -= digest->cd_uio->uio_iov[vec_idx++].iov_len); 1163 if (vec_idx == digest->cd_uio->uio_iovcnt) { 1164 /* 1165 * The caller specified an offset that is 1166 * larger than the total size of the buffers 1167 * it provided. 1168 */ 1169 return (CRYPTO_DATA_LEN_RANGE); 1170 } 1171 1172 if (offset + digest_len <= 1173 digest->cd_uio->uio_iov[vec_idx].iov_len) { 1174 /* 1175 * The computed MD5 digest will fit in the current 1176 * iovec. 1177 */ 1178 if (digest_len != MD5_DIGEST_LENGTH) { 1179 /* 1180 * The caller requested a short digest. Digest 1181 * into a scratch buffer and return to 1182 * the user only what was requested. 1183 */ 1184 MD5Final(digest_scratch, md5_ctx); 1185 bcopy(digest_scratch, (uchar_t *)digest-> 1186 cd_uio->uio_iov[vec_idx].iov_base + offset, 1187 digest_len); 1188 } else { 1189 MD5Final((uchar_t *)digest-> 1190 cd_uio->uio_iov[vec_idx].iov_base + offset, 1191 md5_ctx); 1192 } 1193 } else { 1194 /* 1195 * The computed digest will be crossing one or more iovec's. 1196 * This is bad performance-wise but we need to support it. 1197 * Allocate a small scratch buffer on the stack and 1198 * copy it piece meal to the specified digest iovec's. 1199 */ 1200 uchar_t digest_tmp[MD5_DIGEST_LENGTH]; 1201 off_t scratch_offset = 0; 1202 size_t length = digest_len; 1203 size_t cur_len; 1204 1205 MD5Final(digest_tmp, md5_ctx); 1206 1207 while (vec_idx < digest->cd_uio->uio_iovcnt && length > 0) { 1208 cur_len = MIN(digest->cd_uio->uio_iov[vec_idx].iov_len - 1209 offset, length); 1210 bcopy(digest_tmp + scratch_offset, 1211 digest->cd_uio->uio_iov[vec_idx].iov_base + offset, 1212 cur_len); 1213 1214 length -= cur_len; 1215 vec_idx++; 1216 scratch_offset += cur_len; 1217 offset = 0; 1218 } 1219 1220 if (vec_idx == digest->cd_uio->uio_iovcnt && length > 0) { 1221 /* 1222 * The end of the specified iovec's was reached but 1223 * the length requested could not be processed, i.e. 1224 * The caller requested to digest more data than it 1225 * provided. 1226 */ 1227 return (CRYPTO_DATA_LEN_RANGE); 1228 } 1229 } 1230 1231 return (CRYPTO_SUCCESS); 1232 } 1233 1234 /* 1235 * Helper MD5 digest update for mblk's. 1236 */ 1237 static int 1238 md5_digest_update_mblk(MD5_CTX *md5_ctx, crypto_data_t *data) 1239 { 1240 off_t offset = data->cd_offset; 1241 size_t length = data->cd_length; 1242 mblk_t *mp; 1243 size_t cur_len; 1244 1245 /* 1246 * Jump to the first mblk_t containing data to be digested. 1247 */ 1248 for (mp = data->cd_mp; mp != NULL && offset >= MBLKL(mp); 1249 offset -= MBLKL(mp), mp = mp->b_cont); 1250 if (mp == NULL) { 1251 /* 1252 * The caller specified an offset that is larger than the 1253 * total size of the buffers it provided. 1254 */ 1255 return (CRYPTO_DATA_LEN_RANGE); 1256 } 1257 1258 /* 1259 * Now do the digesting on the mblk chain. 1260 */ 1261 while (mp != NULL && length > 0) { 1262 cur_len = MIN(MBLKL(mp) - offset, length); 1263 MD5Update(md5_ctx, mp->b_rptr + offset, cur_len); 1264 length -= cur_len; 1265 offset = 0; 1266 mp = mp->b_cont; 1267 } 1268 1269 if (mp == NULL && length > 0) { 1270 /* 1271 * The end of the mblk was reached but the length requested 1272 * could not be processed, i.e. The caller requested 1273 * to digest more data than it provided. 1274 */ 1275 return (CRYPTO_DATA_LEN_RANGE); 1276 } 1277 1278 return (CRYPTO_SUCCESS); 1279 } 1280 1281 /* 1282 * Helper MD5 digest final for mblk's. 1283 * digest_len is the length of the desired digest. If digest_len 1284 * is smaller than the default MD5 digest length, the caller 1285 * must pass a scratch buffer, digest_scratch, which must 1286 * be at least MD5_DIGEST_LENGTH bytes. 1287 */ 1288 static int 1289 md5_digest_final_mblk(MD5_CTX *md5_ctx, crypto_data_t *digest, 1290 ulong_t digest_len, uchar_t *digest_scratch) 1291 { 1292 off_t offset = digest->cd_offset; 1293 mblk_t *mp; 1294 1295 /* 1296 * Jump to the first mblk_t that will be used to store the digest. 1297 */ 1298 for (mp = digest->cd_mp; mp != NULL && offset >= MBLKL(mp); 1299 offset -= MBLKL(mp), mp = mp->b_cont); 1300 if (mp == NULL) { 1301 /* 1302 * The caller specified an offset that is larger than the 1303 * total size of the buffers it provided. 1304 */ 1305 return (CRYPTO_DATA_LEN_RANGE); 1306 } 1307 1308 if (offset + digest_len <= MBLKL(mp)) { 1309 /* 1310 * The computed MD5 digest will fit in the current mblk. 1311 * Do the MD5Final() in-place. 1312 */ 1313 if (digest_len != MD5_DIGEST_LENGTH) { 1314 /* 1315 * The caller requested a short digest. Digest 1316 * into a scratch buffer and return to 1317 * the user only what was requested. 1318 */ 1319 MD5Final(digest_scratch, md5_ctx); 1320 bcopy(digest_scratch, mp->b_rptr + offset, digest_len); 1321 } else { 1322 MD5Final(mp->b_rptr + offset, md5_ctx); 1323 } 1324 } else { 1325 /* 1326 * The computed digest will be crossing one or more mblk's. 1327 * This is bad performance-wise but we need to support it. 1328 * Allocate a small scratch buffer on the stack and 1329 * copy it piece meal to the specified digest iovec's. 1330 */ 1331 uchar_t digest_tmp[MD5_DIGEST_LENGTH]; 1332 off_t scratch_offset = 0; 1333 size_t length = digest_len; 1334 size_t cur_len; 1335 1336 MD5Final(digest_tmp, md5_ctx); 1337 1338 while (mp != NULL && length > 0) { 1339 cur_len = MIN(MBLKL(mp) - offset, length); 1340 bcopy(digest_tmp + scratch_offset, 1341 mp->b_rptr + offset, cur_len); 1342 1343 length -= cur_len; 1344 mp = mp->b_cont; 1345 scratch_offset += cur_len; 1346 offset = 0; 1347 } 1348 1349 if (mp == NULL && length > 0) { 1350 /* 1351 * The end of the specified mblk was reached but 1352 * the length requested could not be processed, i.e. 1353 * The caller requested to digest more data than it 1354 * provided. 1355 */ 1356 return (CRYPTO_DATA_LEN_RANGE); 1357 } 1358 } 1359 1360 return (CRYPTO_SUCCESS); 1361 } 1362 1363 /* ARGSUSED */ 1364 static int 1365 md5_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest, 1366 crypto_req_handle_t req) 1367 { 1368 int ret = CRYPTO_SUCCESS; 1369 1370 ASSERT(ctx->cc_provider_private != NULL); 1371 1372 /* 1373 * We need to just return the length needed to store the output. 1374 * We should not destroy the context for the following cases. 1375 */ 1376 if ((digest->cd_length == 0) || 1377 (digest->cd_length < MD5_DIGEST_LENGTH)) { 1378 digest->cd_length = MD5_DIGEST_LENGTH; 1379 return (CRYPTO_BUFFER_TOO_SMALL); 1380 } 1381 1382 /* 1383 * Do the MD5 update on the specified input data. 1384 */ 1385 switch (data->cd_format) { 1386 case CRYPTO_DATA_RAW: 1387 MD5Update(&PROV_MD5_CTX(ctx)->mc_md5_ctx, 1388 data->cd_raw.iov_base + data->cd_offset, 1389 data->cd_length); 1390 break; 1391 case CRYPTO_DATA_UIO: 1392 ret = md5_digest_update_uio(&PROV_MD5_CTX(ctx)->mc_md5_ctx, 1393 data); 1394 break; 1395 case CRYPTO_DATA_MBLK: 1396 ret = md5_digest_update_mblk(&PROV_MD5_CTX(ctx)->mc_md5_ctx, 1397 data); 1398 break; 1399 default: 1400 ret = CRYPTO_ARGUMENTS_BAD; 1401 } 1402 1403 if (ret != CRYPTO_SUCCESS) { 1404 /* the update failed, free context and bail */ 1405 kmem_free(ctx->cc_provider_private, sizeof (md5_ctx_t)); 1406 ctx->cc_provider_private = NULL; 1407 digest->cd_length = 0; 1408 return (ret); 1409 } 1410 1411 /* 1412 * Do an MD5 final, must be done separately since the digest 1413 * type can be different than the input data type. 1414 */ 1415 switch (digest->cd_format) { 1416 case CRYPTO_DATA_RAW: 1417 MD5Final((unsigned char *)digest->cd_raw.iov_base + 1418 digest->cd_offset, &PROV_MD5_CTX(ctx)->mc_md5_ctx); 1419 break; 1420 case CRYPTO_DATA_UIO: 1421 ret = md5_digest_final_uio(&PROV_MD5_CTX(ctx)->mc_md5_ctx, 1422 digest, MD5_DIGEST_LENGTH, NULL); 1423 break; 1424 case CRYPTO_DATA_MBLK: 1425 ret = md5_digest_final_mblk(&PROV_MD5_CTX(ctx)->mc_md5_ctx, 1426 digest, MD5_DIGEST_LENGTH, NULL); 1427 break; 1428 default: 1429 ret = CRYPTO_ARGUMENTS_BAD; 1430 } 1431 1432 /* all done, free context and return */ 1433 1434 if (ret == CRYPTO_SUCCESS) { 1435 digest->cd_length = MD5_DIGEST_LENGTH; 1436 } else { 1437 digest->cd_length = 0; 1438 } 1439 1440 kmem_free(ctx->cc_provider_private, sizeof (md5_ctx_t)); 1441 ctx->cc_provider_private = NULL; 1442 return (ret); 1443 } 1444 1445 /* ARGSUSED */ 1446 static int 1447 md5_digest_update(crypto_ctx_t *ctx, crypto_data_t *data, 1448 crypto_req_handle_t req) 1449 { 1450 int ret = CRYPTO_SUCCESS; 1451 1452 ASSERT(ctx->cc_provider_private != NULL); 1453 1454 /* 1455 * Do the MD5 update on the specified input data. 1456 */ 1457 switch (data->cd_format) { 1458 case CRYPTO_DATA_RAW: 1459 MD5Update(&PROV_MD5_CTX(ctx)->mc_md5_ctx, 1460 data->cd_raw.iov_base + data->cd_offset, 1461 data->cd_length); 1462 break; 1463 case CRYPTO_DATA_UIO: 1464 ret = md5_digest_update_uio(&PROV_MD5_CTX(ctx)->mc_md5_ctx, 1465 data); 1466 break; 1467 case CRYPTO_DATA_MBLK: 1468 ret = md5_digest_update_mblk(&PROV_MD5_CTX(ctx)->mc_md5_ctx, 1469 data); 1470 break; 1471 default: 1472 ret = CRYPTO_ARGUMENTS_BAD; 1473 } 1474 1475 return (ret); 1476 } 1477 1478 /* ARGSUSED */ 1479 static int 1480 md5_digest_final(crypto_ctx_t *ctx, crypto_data_t *digest, 1481 crypto_req_handle_t req) 1482 { 1483 int ret = CRYPTO_SUCCESS; 1484 1485 ASSERT(ctx->cc_provider_private != NULL); 1486 1487 /* 1488 * We need to just return the length needed to store the output. 1489 * We should not destroy the context for the following cases. 1490 */ 1491 if ((digest->cd_length == 0) || 1492 (digest->cd_length < MD5_DIGEST_LENGTH)) { 1493 digest->cd_length = MD5_DIGEST_LENGTH; 1494 return (CRYPTO_BUFFER_TOO_SMALL); 1495 } 1496 1497 /* 1498 * Do an MD5 final. 1499 */ 1500 switch (digest->cd_format) { 1501 case CRYPTO_DATA_RAW: 1502 MD5Final((unsigned char *)digest->cd_raw.iov_base + 1503 digest->cd_offset, &PROV_MD5_CTX(ctx)->mc_md5_ctx); 1504 break; 1505 case CRYPTO_DATA_UIO: 1506 ret = md5_digest_final_uio(&PROV_MD5_CTX(ctx)->mc_md5_ctx, 1507 digest, MD5_DIGEST_LENGTH, NULL); 1508 break; 1509 case CRYPTO_DATA_MBLK: 1510 ret = md5_digest_final_mblk(&PROV_MD5_CTX(ctx)->mc_md5_ctx, 1511 digest, MD5_DIGEST_LENGTH, NULL); 1512 break; 1513 default: 1514 ret = CRYPTO_ARGUMENTS_BAD; 1515 } 1516 1517 /* all done, free context and return */ 1518 1519 if (ret == CRYPTO_SUCCESS) { 1520 digest->cd_length = MD5_DIGEST_LENGTH; 1521 } else { 1522 digest->cd_length = 0; 1523 } 1524 1525 kmem_free(ctx->cc_provider_private, sizeof (md5_ctx_t)); 1526 ctx->cc_provider_private = NULL; 1527 1528 return (ret); 1529 } 1530 1531 /* ARGSUSED */ 1532 static int 1533 md5_digest_atomic(crypto_provider_handle_t provider, 1534 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1535 crypto_data_t *data, crypto_data_t *digest, 1536 crypto_req_handle_t req) 1537 { 1538 int ret = CRYPTO_SUCCESS; 1539 MD5_CTX md5_ctx; 1540 1541 if (mechanism->cm_type != MD5_MECH_INFO_TYPE) 1542 return (CRYPTO_MECHANISM_INVALID); 1543 1544 /* 1545 * Do the MD5 init. 1546 */ 1547 MD5Init(&md5_ctx); 1548 1549 /* 1550 * Do the MD5 update on the specified input data. 1551 */ 1552 switch (data->cd_format) { 1553 case CRYPTO_DATA_RAW: 1554 MD5Update(&md5_ctx, data->cd_raw.iov_base + data->cd_offset, 1555 data->cd_length); 1556 break; 1557 case CRYPTO_DATA_UIO: 1558 ret = md5_digest_update_uio(&md5_ctx, data); 1559 break; 1560 case CRYPTO_DATA_MBLK: 1561 ret = md5_digest_update_mblk(&md5_ctx, data); 1562 break; 1563 default: 1564 ret = CRYPTO_ARGUMENTS_BAD; 1565 } 1566 1567 if (ret != CRYPTO_SUCCESS) { 1568 /* the update failed, bail */ 1569 digest->cd_length = 0; 1570 return (ret); 1571 } 1572 1573 /* 1574 * Do an MD5 final, must be done separately since the digest 1575 * type can be different than the input data type. 1576 */ 1577 switch (digest->cd_format) { 1578 case CRYPTO_DATA_RAW: 1579 MD5Final((unsigned char *)digest->cd_raw.iov_base + 1580 digest->cd_offset, &md5_ctx); 1581 break; 1582 case CRYPTO_DATA_UIO: 1583 ret = md5_digest_final_uio(&md5_ctx, digest, 1584 MD5_DIGEST_LENGTH, NULL); 1585 break; 1586 case CRYPTO_DATA_MBLK: 1587 ret = md5_digest_final_mblk(&md5_ctx, digest, 1588 MD5_DIGEST_LENGTH, NULL); 1589 break; 1590 default: 1591 ret = CRYPTO_ARGUMENTS_BAD; 1592 } 1593 1594 if (ret == CRYPTO_SUCCESS) { 1595 digest->cd_length = MD5_DIGEST_LENGTH; 1596 } else { 1597 digest->cd_length = 0; 1598 } 1599 1600 return (ret); 1601 } 1602 1603 /* 1604 * KCF software provider mac entry points. 1605 * 1606 * MD5 HMAC is: MD5(key XOR opad, MD5(key XOR ipad, text)) 1607 * 1608 * Init: 1609 * The initialization routine initializes what we denote 1610 * as the inner and outer contexts by doing 1611 * - for inner context: MD5(key XOR ipad) 1612 * - for outer context: MD5(key XOR opad) 1613 * 1614 * Update: 1615 * Each subsequent MD5 HMAC update will result in an 1616 * update of the inner context with the specified data. 1617 * 1618 * Final: 1619 * The MD5 HMAC final will do a MD5 final operation on the 1620 * inner context, and the resulting digest will be used 1621 * as the data for an update on the outer context. Last 1622 * but not least, an MD5 final on the outer context will 1623 * be performed to obtain the MD5 HMAC digest to return 1624 * to the user. 1625 */ 1626 1627 /* 1628 * Initialize a MD5-HMAC context. 1629 */ 1630 static void 1631 md5_mac_init_ctx(md5_hmac_ctx_t *ctx, void *keyval, uint_t length_in_bytes) 1632 { 1633 uint32_t ipad[MD5_HMAC_INTS_PER_BLOCK]; 1634 uint32_t opad[MD5_HMAC_INTS_PER_BLOCK]; 1635 uint_t i; 1636 1637 bzero(ipad, MD5_HMAC_BLOCK_SIZE); 1638 bzero(opad, MD5_HMAC_BLOCK_SIZE); 1639 1640 bcopy(keyval, ipad, length_in_bytes); 1641 bcopy(keyval, opad, length_in_bytes); 1642 1643 /* XOR key with ipad (0x36) and opad (0x5c) */ 1644 for (i = 0; i < MD5_HMAC_INTS_PER_BLOCK; i++) { 1645 ipad[i] ^= 0x36363636; 1646 opad[i] ^= 0x5c5c5c5c; 1647 } 1648 1649 /* perform MD5 on ipad */ 1650 MD5Init(&ctx->hc_icontext); 1651 MD5Update(&ctx->hc_icontext, ipad, MD5_HMAC_BLOCK_SIZE); 1652 1653 /* perform MD5 on opad */ 1654 MD5Init(&ctx->hc_ocontext); 1655 MD5Update(&ctx->hc_ocontext, opad, MD5_HMAC_BLOCK_SIZE); 1656 } 1657 1658 /* 1659 * Initializes a multi-part MAC operation. 1660 */ 1661 static int 1662 md5_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 1663 crypto_key_t *key, crypto_spi_ctx_template_t ctx_template, 1664 crypto_req_handle_t req) 1665 { 1666 int ret = CRYPTO_SUCCESS; 1667 uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length); 1668 1669 if (mechanism->cm_type != MD5_HMAC_MECH_INFO_TYPE && 1670 mechanism->cm_type != MD5_HMAC_GEN_MECH_INFO_TYPE) 1671 return (CRYPTO_MECHANISM_INVALID); 1672 1673 /* Add support for key by attributes (RFE 4706552) */ 1674 if (key->ck_format != CRYPTO_KEY_RAW) 1675 return (CRYPTO_ARGUMENTS_BAD); 1676 1677 ctx->cc_provider_private = kmem_alloc(sizeof (md5_hmac_ctx_t), 1678 crypto_kmflag(req)); 1679 if (ctx->cc_provider_private == NULL) 1680 return (CRYPTO_HOST_MEMORY); 1681 1682 if (ctx_template != NULL) { 1683 /* reuse context template */ 1684 bcopy(ctx_template, PROV_MD5_HMAC_CTX(ctx), 1685 sizeof (md5_hmac_ctx_t)); 1686 } else { 1687 /* no context template, compute context */ 1688 if (keylen_in_bytes > MD5_HMAC_BLOCK_SIZE) { 1689 uchar_t digested_key[MD5_DIGEST_LENGTH]; 1690 md5_hmac_ctx_t *hmac_ctx = ctx->cc_provider_private; 1691 1692 /* 1693 * Hash the passed-in key to get a smaller key. 1694 * The inner context is used since it hasn't been 1695 * initialized yet. 1696 */ 1697 PROV_MD5_DIGEST_KEY(&hmac_ctx->hc_icontext, 1698 key->ck_data, keylen_in_bytes, digested_key); 1699 md5_mac_init_ctx(PROV_MD5_HMAC_CTX(ctx), 1700 digested_key, MD5_DIGEST_LENGTH); 1701 } else { 1702 md5_mac_init_ctx(PROV_MD5_HMAC_CTX(ctx), 1703 key->ck_data, keylen_in_bytes); 1704 } 1705 } 1706 1707 /* 1708 * Get the mechanism parameters, if applicable. 1709 */ 1710 PROV_MD5_HMAC_CTX(ctx)->hc_mech_type = mechanism->cm_type; 1711 if (mechanism->cm_type == MD5_HMAC_GEN_MECH_INFO_TYPE) { 1712 if (mechanism->cm_param == NULL || 1713 mechanism->cm_param_len != sizeof (ulong_t)) 1714 ret = CRYPTO_MECHANISM_PARAM_INVALID; 1715 PROV_MD5_GET_DIGEST_LEN(mechanism, 1716 PROV_MD5_HMAC_CTX(ctx)->hc_digest_len); 1717 if (PROV_MD5_HMAC_CTX(ctx)->hc_digest_len > 1718 MD5_DIGEST_LENGTH) 1719 ret = CRYPTO_MECHANISM_PARAM_INVALID; 1720 } 1721 1722 if (ret != CRYPTO_SUCCESS) { 1723 bzero(ctx->cc_provider_private, sizeof (md5_hmac_ctx_t)); 1724 kmem_free(ctx->cc_provider_private, sizeof (md5_hmac_ctx_t)); 1725 ctx->cc_provider_private = NULL; 1726 } 1727 1728 return (ret); 1729 } 1730 1731 1732 /* ARGSUSED */ 1733 static int 1734 md5_mac_update(crypto_ctx_t *ctx, crypto_data_t *data, crypto_req_handle_t req) 1735 { 1736 int ret = CRYPTO_SUCCESS; 1737 1738 ASSERT(ctx->cc_provider_private != NULL); 1739 1740 /* 1741 * Do an MD5 update of the inner context using the specified 1742 * data. 1743 */ 1744 switch (data->cd_format) { 1745 case CRYPTO_DATA_RAW: 1746 MD5Update(&PROV_MD5_HMAC_CTX(ctx)->hc_icontext, 1747 data->cd_raw.iov_base + data->cd_offset, 1748 data->cd_length); 1749 break; 1750 case CRYPTO_DATA_UIO: 1751 ret = md5_digest_update_uio( 1752 &PROV_MD5_HMAC_CTX(ctx)->hc_icontext, data); 1753 break; 1754 case CRYPTO_DATA_MBLK: 1755 ret = md5_digest_update_mblk( 1756 &PROV_MD5_HMAC_CTX(ctx)->hc_icontext, data); 1757 break; 1758 default: 1759 ret = CRYPTO_ARGUMENTS_BAD; 1760 } 1761 1762 return (ret); 1763 } 1764 1765 /* ARGSUSED */ 1766 static int 1767 md5_mac_final(crypto_ctx_t *ctx, crypto_data_t *mac, crypto_req_handle_t req) 1768 { 1769 int ret = CRYPTO_SUCCESS; 1770 uchar_t digest[MD5_DIGEST_LENGTH]; 1771 uint32_t digest_len = MD5_DIGEST_LENGTH; 1772 1773 ASSERT(ctx->cc_provider_private != NULL); 1774 1775 if (PROV_MD5_HMAC_CTX(ctx)->hc_mech_type == MD5_HMAC_GEN_MECH_INFO_TYPE) 1776 digest_len = PROV_MD5_HMAC_CTX(ctx)->hc_digest_len; 1777 1778 /* 1779 * We need to just return the length needed to store the output. 1780 * We should not destroy the context for the following cases. 1781 */ 1782 if ((mac->cd_length == 0) || (mac->cd_length < digest_len)) { 1783 mac->cd_length = digest_len; 1784 return (CRYPTO_BUFFER_TOO_SMALL); 1785 } 1786 1787 /* 1788 * Do an MD5 final on the inner context. 1789 */ 1790 MD5Final(digest, &PROV_MD5_HMAC_CTX(ctx)->hc_icontext); 1791 1792 /* 1793 * Do an MD5 update on the outer context, feeding the inner 1794 * digest as data. 1795 */ 1796 MD5Update(&PROV_MD5_HMAC_CTX(ctx)->hc_ocontext, digest, 1797 MD5_DIGEST_LENGTH); 1798 1799 /* 1800 * Do an MD5 final on the outer context, storing the computing 1801 * digest in the users buffer. 1802 */ 1803 switch (mac->cd_format) { 1804 case CRYPTO_DATA_RAW: 1805 if (digest_len != MD5_DIGEST_LENGTH) { 1806 /* 1807 * The caller requested a short digest. Digest 1808 * into a scratch buffer and return to 1809 * the user only what was requested. 1810 */ 1811 MD5Final(digest, 1812 &PROV_MD5_HMAC_CTX(ctx)->hc_ocontext); 1813 bcopy(digest, (unsigned char *)mac->cd_raw.iov_base + 1814 mac->cd_offset, digest_len); 1815 } else { 1816 MD5Final((unsigned char *)mac->cd_raw.iov_base + 1817 mac->cd_offset, 1818 &PROV_MD5_HMAC_CTX(ctx)->hc_ocontext); 1819 } 1820 break; 1821 case CRYPTO_DATA_UIO: 1822 ret = md5_digest_final_uio( 1823 &PROV_MD5_HMAC_CTX(ctx)->hc_ocontext, mac, 1824 digest_len, digest); 1825 break; 1826 case CRYPTO_DATA_MBLK: 1827 ret = md5_digest_final_mblk( 1828 &PROV_MD5_HMAC_CTX(ctx)->hc_ocontext, mac, 1829 digest_len, digest); 1830 break; 1831 default: 1832 ret = CRYPTO_ARGUMENTS_BAD; 1833 } 1834 1835 if (ret == CRYPTO_SUCCESS) { 1836 mac->cd_length = digest_len; 1837 } else { 1838 mac->cd_length = 0; 1839 } 1840 1841 bzero(ctx->cc_provider_private, sizeof (md5_hmac_ctx_t)); 1842 kmem_free(ctx->cc_provider_private, sizeof (md5_hmac_ctx_t)); 1843 ctx->cc_provider_private = NULL; 1844 1845 return (ret); 1846 } 1847 1848 #define MD5_MAC_UPDATE(data, ctx, ret) { \ 1849 switch (data->cd_format) { \ 1850 case CRYPTO_DATA_RAW: \ 1851 MD5Update(&(ctx).hc_icontext, \ 1852 data->cd_raw.iov_base + data->cd_offset, \ 1853 data->cd_length); \ 1854 break; \ 1855 case CRYPTO_DATA_UIO: \ 1856 ret = md5_digest_update_uio(&(ctx).hc_icontext, data); \ 1857 break; \ 1858 case CRYPTO_DATA_MBLK: \ 1859 ret = md5_digest_update_mblk(&(ctx).hc_icontext, \ 1860 data); \ 1861 break; \ 1862 default: \ 1863 ret = CRYPTO_ARGUMENTS_BAD; \ 1864 } \ 1865 } 1866 1867 1868 /* ARGSUSED */ 1869 static int 1870 md5_mac_atomic(crypto_provider_handle_t provider, 1871 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1872 crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, 1873 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) 1874 { 1875 int ret = CRYPTO_SUCCESS; 1876 uchar_t digest[MD5_DIGEST_LENGTH]; 1877 md5_hmac_ctx_t md5_hmac_ctx; 1878 uint32_t digest_len = MD5_DIGEST_LENGTH; 1879 uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length); 1880 1881 if (mechanism->cm_type != MD5_HMAC_MECH_INFO_TYPE && 1882 mechanism->cm_type != MD5_HMAC_GEN_MECH_INFO_TYPE) 1883 return (CRYPTO_MECHANISM_INVALID); 1884 1885 /* Add support for key by attributes (RFE 4706552) */ 1886 if (key->ck_format != CRYPTO_KEY_RAW) 1887 return (CRYPTO_ARGUMENTS_BAD); 1888 1889 if (ctx_template != NULL) { 1890 /* reuse context template */ 1891 bcopy(ctx_template, &md5_hmac_ctx, sizeof (md5_hmac_ctx_t)); 1892 } else { 1893 /* no context template, compute context */ 1894 if (keylen_in_bytes > MD5_HMAC_BLOCK_SIZE) { 1895 /* 1896 * Hash the passed-in key to get a smaller key. 1897 * The inner context is used since it hasn't been 1898 * initialized yet. 1899 */ 1900 PROV_MD5_DIGEST_KEY(&md5_hmac_ctx.hc_icontext, 1901 key->ck_data, keylen_in_bytes, digest); 1902 md5_mac_init_ctx(&md5_hmac_ctx, digest, 1903 MD5_DIGEST_LENGTH); 1904 } else { 1905 md5_mac_init_ctx(&md5_hmac_ctx, key->ck_data, 1906 keylen_in_bytes); 1907 } 1908 } 1909 1910 /* 1911 * Get the mechanism parameters, if applicable. 1912 */ 1913 if (mechanism->cm_type == MD5_HMAC_GEN_MECH_INFO_TYPE) { 1914 if (mechanism->cm_param == NULL || 1915 mechanism->cm_param_len != sizeof (ulong_t)) { 1916 ret = CRYPTO_MECHANISM_PARAM_INVALID; 1917 goto bail; 1918 } 1919 PROV_MD5_GET_DIGEST_LEN(mechanism, digest_len); 1920 if (digest_len > MD5_DIGEST_LENGTH) { 1921 ret = CRYPTO_MECHANISM_PARAM_INVALID; 1922 goto bail; 1923 } 1924 } 1925 1926 /* do an MD5 update of the inner context using the specified data */ 1927 MD5_MAC_UPDATE(data, md5_hmac_ctx, ret); 1928 if (ret != CRYPTO_SUCCESS) 1929 /* the update failed, free context and bail */ 1930 goto bail; 1931 1932 /* do an MD5 final on the inner context */ 1933 MD5Final(digest, &md5_hmac_ctx.hc_icontext); 1934 1935 /* 1936 * Do an MD5 update on the outer context, feeding the inner 1937 * digest as data. 1938 */ 1939 MD5Update(&md5_hmac_ctx.hc_ocontext, digest, MD5_DIGEST_LENGTH); 1940 1941 /* 1942 * Do an MD5 final on the outer context, storing the computed 1943 * digest in the users buffer. 1944 */ 1945 switch (mac->cd_format) { 1946 case CRYPTO_DATA_RAW: 1947 if (digest_len != MD5_DIGEST_LENGTH) { 1948 /* 1949 * The caller requested a short digest. Digest 1950 * into a scratch buffer and return to 1951 * the user only what was requested. 1952 */ 1953 MD5Final(digest, &md5_hmac_ctx.hc_ocontext); 1954 bcopy(digest, (unsigned char *)mac->cd_raw.iov_base + 1955 mac->cd_offset, digest_len); 1956 } else { 1957 MD5Final((unsigned char *)mac->cd_raw.iov_base + 1958 mac->cd_offset, &md5_hmac_ctx.hc_ocontext); 1959 } 1960 break; 1961 case CRYPTO_DATA_UIO: 1962 ret = md5_digest_final_uio(&md5_hmac_ctx.hc_ocontext, mac, 1963 digest_len, digest); 1964 break; 1965 case CRYPTO_DATA_MBLK: 1966 ret = md5_digest_final_mblk(&md5_hmac_ctx.hc_ocontext, mac, 1967 digest_len, digest); 1968 break; 1969 default: 1970 ret = CRYPTO_ARGUMENTS_BAD; 1971 } 1972 1973 if (ret == CRYPTO_SUCCESS) { 1974 mac->cd_length = digest_len; 1975 } else { 1976 mac->cd_length = 0; 1977 } 1978 /* Extra paranoia: zeroizing the local context on the stack */ 1979 bzero(&md5_hmac_ctx, sizeof (md5_hmac_ctx_t)); 1980 1981 return (ret); 1982 bail: 1983 bzero(&md5_hmac_ctx, sizeof (md5_hmac_ctx_t)); 1984 mac->cd_length = 0; 1985 return (ret); 1986 } 1987 1988 /* ARGSUSED */ 1989 static int 1990 md5_mac_verify_atomic(crypto_provider_handle_t provider, 1991 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1992 crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, 1993 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req) 1994 { 1995 int ret = CRYPTO_SUCCESS; 1996 uchar_t digest[MD5_DIGEST_LENGTH]; 1997 md5_hmac_ctx_t md5_hmac_ctx; 1998 uint32_t digest_len = MD5_DIGEST_LENGTH; 1999 uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length); 2000 2001 if (mechanism->cm_type != MD5_HMAC_MECH_INFO_TYPE && 2002 mechanism->cm_type != MD5_HMAC_GEN_MECH_INFO_TYPE) 2003 return (CRYPTO_MECHANISM_INVALID); 2004 2005 /* Add support for key by attributes (RFE 4706552) */ 2006 if (key->ck_format != CRYPTO_KEY_RAW) 2007 return (CRYPTO_ARGUMENTS_BAD); 2008 2009 if (ctx_template != NULL) { 2010 /* reuse context template */ 2011 bcopy(ctx_template, &md5_hmac_ctx, sizeof (md5_hmac_ctx_t)); 2012 } else { 2013 /* no context template, compute context */ 2014 if (keylen_in_bytes > MD5_HMAC_BLOCK_SIZE) { 2015 /* 2016 * Hash the passed-in key to get a smaller key. 2017 * The inner context is used since it hasn't been 2018 * initialized yet. 2019 */ 2020 PROV_MD5_DIGEST_KEY(&md5_hmac_ctx.hc_icontext, 2021 key->ck_data, keylen_in_bytes, digest); 2022 md5_mac_init_ctx(&md5_hmac_ctx, digest, 2023 MD5_DIGEST_LENGTH); 2024 } else { 2025 md5_mac_init_ctx(&md5_hmac_ctx, key->ck_data, 2026 keylen_in_bytes); 2027 } 2028 } 2029 2030 /* 2031 * Get the mechanism parameters, if applicable. 2032 */ 2033 if (mechanism->cm_type == MD5_HMAC_GEN_MECH_INFO_TYPE) { 2034 if (mechanism->cm_param == NULL || 2035 mechanism->cm_param_len != sizeof (ulong_t)) { 2036 ret = CRYPTO_MECHANISM_PARAM_INVALID; 2037 goto bail; 2038 } 2039 PROV_MD5_GET_DIGEST_LEN(mechanism, digest_len); 2040 if (digest_len > MD5_DIGEST_LENGTH) { 2041 ret = CRYPTO_MECHANISM_PARAM_INVALID; 2042 goto bail; 2043 } 2044 } 2045 2046 if (mac->cd_length != digest_len) { 2047 ret = CRYPTO_INVALID_MAC; 2048 goto bail; 2049 } 2050 2051 /* do an MD5 update of the inner context using the specified data */ 2052 MD5_MAC_UPDATE(data, md5_hmac_ctx, ret); 2053 if (ret != CRYPTO_SUCCESS) 2054 /* the update failed, free context and bail */ 2055 goto bail; 2056 2057 /* do an MD5 final on the inner context */ 2058 MD5Final(digest, &md5_hmac_ctx.hc_icontext); 2059 2060 /* 2061 * Do an MD5 update on the outer context, feeding the inner 2062 * digest as data. 2063 */ 2064 MD5Update(&md5_hmac_ctx.hc_ocontext, digest, MD5_DIGEST_LENGTH); 2065 2066 /* 2067 * Do an MD5 final on the outer context, storing the computed 2068 * digest in the local digest buffer. 2069 */ 2070 MD5Final(digest, &md5_hmac_ctx.hc_ocontext); 2071 2072 /* 2073 * Compare the computed digest against the expected digest passed 2074 * as argument. 2075 */ 2076 switch (mac->cd_format) { 2077 2078 case CRYPTO_DATA_RAW: 2079 if (bcmp(digest, (unsigned char *)mac->cd_raw.iov_base + 2080 mac->cd_offset, digest_len) != 0) 2081 ret = CRYPTO_INVALID_MAC; 2082 break; 2083 2084 case CRYPTO_DATA_UIO: { 2085 off_t offset = mac->cd_offset; 2086 uint_t vec_idx; 2087 off_t scratch_offset = 0; 2088 size_t length = digest_len; 2089 size_t cur_len; 2090 2091 /* we support only kernel buffer */ 2092 if (mac->cd_uio->uio_segflg != UIO_SYSSPACE) 2093 return (CRYPTO_ARGUMENTS_BAD); 2094 2095 /* jump to the first iovec containing the expected digest */ 2096 for (vec_idx = 0; 2097 offset >= mac->cd_uio->uio_iov[vec_idx].iov_len && 2098 vec_idx < mac->cd_uio->uio_iovcnt; 2099 offset -= mac->cd_uio->uio_iov[vec_idx++].iov_len); 2100 if (vec_idx == mac->cd_uio->uio_iovcnt) { 2101 /* 2102 * The caller specified an offset that is 2103 * larger than the total size of the buffers 2104 * it provided. 2105 */ 2106 ret = CRYPTO_DATA_LEN_RANGE; 2107 break; 2108 } 2109 2110 /* do the comparison of computed digest vs specified one */ 2111 while (vec_idx < mac->cd_uio->uio_iovcnt && length > 0) { 2112 cur_len = MIN(mac->cd_uio->uio_iov[vec_idx].iov_len - 2113 offset, length); 2114 2115 if (bcmp(digest + scratch_offset, 2116 mac->cd_uio->uio_iov[vec_idx].iov_base + offset, 2117 cur_len) != 0) { 2118 ret = CRYPTO_INVALID_MAC; 2119 break; 2120 } 2121 2122 length -= cur_len; 2123 vec_idx++; 2124 scratch_offset += cur_len; 2125 offset = 0; 2126 } 2127 break; 2128 } 2129 2130 case CRYPTO_DATA_MBLK: { 2131 off_t offset = mac->cd_offset; 2132 mblk_t *mp; 2133 off_t scratch_offset = 0; 2134 size_t length = digest_len; 2135 size_t cur_len; 2136 2137 /* jump to the first mblk_t containing the expected digest */ 2138 for (mp = mac->cd_mp; mp != NULL && offset >= MBLKL(mp); 2139 offset -= MBLKL(mp), mp = mp->b_cont); 2140 if (mp == NULL) { 2141 /* 2142 * The caller specified an offset that is larger than 2143 * the total size of the buffers it provided. 2144 */ 2145 ret = CRYPTO_DATA_LEN_RANGE; 2146 break; 2147 } 2148 2149 while (mp != NULL && length > 0) { 2150 cur_len = MIN(MBLKL(mp) - offset, length); 2151 if (bcmp(digest + scratch_offset, 2152 mp->b_rptr + offset, cur_len) != 0) { 2153 ret = CRYPTO_INVALID_MAC; 2154 break; 2155 } 2156 2157 length -= cur_len; 2158 mp = mp->b_cont; 2159 scratch_offset += cur_len; 2160 offset = 0; 2161 } 2162 break; 2163 } 2164 2165 default: 2166 ret = CRYPTO_ARGUMENTS_BAD; 2167 } 2168 2169 bzero(&md5_hmac_ctx, sizeof (md5_hmac_ctx_t)); 2170 return (ret); 2171 bail: 2172 bzero(&md5_hmac_ctx, sizeof (md5_hmac_ctx_t)); 2173 mac->cd_length = 0; 2174 return (ret); 2175 } 2176 2177 /* 2178 * KCF software provider context management entry points. 2179 */ 2180 2181 /* ARGSUSED */ 2182 static int 2183 md5_create_ctx_template(crypto_provider_handle_t provider, 2184 crypto_mechanism_t *mechanism, crypto_key_t *key, 2185 crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size, 2186 crypto_req_handle_t req) 2187 { 2188 md5_hmac_ctx_t *md5_hmac_ctx_tmpl; 2189 uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length); 2190 2191 if ((mechanism->cm_type != MD5_HMAC_MECH_INFO_TYPE) && 2192 (mechanism->cm_type != MD5_HMAC_GEN_MECH_INFO_TYPE)) 2193 return (CRYPTO_MECHANISM_INVALID); 2194 2195 /* Add support for key by attributes (RFE 4706552) */ 2196 if (key->ck_format != CRYPTO_KEY_RAW) 2197 return (CRYPTO_ARGUMENTS_BAD); 2198 2199 /* 2200 * Allocate and initialize MD5 context. 2201 */ 2202 md5_hmac_ctx_tmpl = kmem_alloc(sizeof (md5_hmac_ctx_t), 2203 crypto_kmflag(req)); 2204 if (md5_hmac_ctx_tmpl == NULL) 2205 return (CRYPTO_HOST_MEMORY); 2206 2207 if (keylen_in_bytes > MD5_HMAC_BLOCK_SIZE) { 2208 uchar_t digested_key[MD5_DIGEST_LENGTH]; 2209 2210 /* 2211 * Hash the passed-in key to get a smaller key. 2212 * The inner context is used since it hasn't been 2213 * initialized yet. 2214 */ 2215 PROV_MD5_DIGEST_KEY(&md5_hmac_ctx_tmpl->hc_icontext, 2216 key->ck_data, keylen_in_bytes, digested_key); 2217 md5_mac_init_ctx(md5_hmac_ctx_tmpl, digested_key, 2218 MD5_DIGEST_LENGTH); 2219 } else { 2220 md5_mac_init_ctx(md5_hmac_ctx_tmpl, key->ck_data, 2221 keylen_in_bytes); 2222 } 2223 2224 md5_hmac_ctx_tmpl->hc_mech_type = mechanism->cm_type; 2225 *ctx_template = (crypto_spi_ctx_template_t)md5_hmac_ctx_tmpl; 2226 *ctx_template_size = sizeof (md5_hmac_ctx_t); 2227 2228 return (CRYPTO_SUCCESS); 2229 } 2230 2231 static int 2232 md5_free_context(crypto_ctx_t *ctx) 2233 { 2234 uint_t ctx_len; 2235 md5_mech_type_t mech_type; 2236 2237 if (ctx->cc_provider_private == NULL) 2238 return (CRYPTO_SUCCESS); 2239 2240 /* 2241 * We have to free either MD5 or MD5-HMAC contexts, which 2242 * have different lengths. 2243 */ 2244 2245 mech_type = PROV_MD5_CTX(ctx)->mc_mech_type; 2246 if (mech_type == MD5_MECH_INFO_TYPE) 2247 ctx_len = sizeof (md5_ctx_t); 2248 else { 2249 ASSERT(mech_type == MD5_HMAC_MECH_INFO_TYPE || 2250 mech_type == MD5_HMAC_GEN_MECH_INFO_TYPE); 2251 ctx_len = sizeof (md5_hmac_ctx_t); 2252 } 2253 2254 bzero(ctx->cc_provider_private, ctx_len); 2255 kmem_free(ctx->cc_provider_private, ctx_len); 2256 ctx->cc_provider_private = NULL; 2257 2258 return (CRYPTO_SUCCESS); 2259 } 2260 2261 #endif /* _KERNEL && !_BOOT */ 2262