xref: /titanic_44/usr/src/uts/common/crypto/api/kcf_digest.c (revision 4a634bb80136cc001d14ab96addd9915105e5223)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <sys/errno.h>
29 #include <sys/types.h>
30 #include <sys/kmem.h>
31 #include <sys/cmn_err.h>
32 #include <sys/sysmacros.h>
33 #include <sys/crypto/common.h>
34 #include <sys/crypto/impl.h>
35 #include <sys/crypto/api.h>
36 #include <sys/crypto/spi.h>
37 #include <sys/crypto/sched_impl.h>
38 
39 #define	CRYPTO_OPS_OFFSET(f)		offsetof(crypto_ops_t, co_##f)
40 #define	CRYPTO_DIGEST_OFFSET(f)		offsetof(crypto_digest_ops_t, f)
41 
42 /*
43  * Message digest routines
44  */
45 
46 /*
47  * The following are the possible returned values common to all the routines
48  * below. The applicability of some of these return values depends on the
49  * presence of the arguments.
50  *
51  *	CRYPTO_SUCCESS:	The operation completed successfully.
52  *	CRYPTO_QUEUED:	A request was submitted successfully. The callback
53  *			routine will be called when the operation is done.
54  *	CRYPTO_MECHANISM_INVALID or CRYPTO_INVALID_MECH_PARAM
55  *			for problems with the 'mech'.
56  *	CRYPTO_INVALID_DATA for bogus 'data'
57  *	CRYPTO_HOST_MEMORY for failure to allocate memory to handle this work.
58  *	CRYPTO_INVALID_CONTEXT: Not a valid context.
59  *	CRYPTO_BUSY:	Cannot process the request now. Schedule a
60  *			crypto_bufcall(), or try later.
61  *	CRYPTO_NOT_SUPPORTED and CRYPTO_MECH_NOT_SUPPORTED:
62  *			No provider is capable of a function or a mechanism.
63  */
64 
65 
66 /*
67  * crypto_digest_prov()
68  *
69  * Arguments:
70  *	pd:	pointer to the descriptor of the provider to use for this
71  *		operation.
72  *	sid:	provider session id.
73  *	mech:	crypto_mechanism_t pointer.
74  *		mech_type is a valid value previously returned by
75  *		crypto_mech2id();
76  *		When the mech's parameter is not NULL, its definition depends
77  *		on the standard definition of the mechanism.
78  *	data:	The message to be digested.
79  *	digest:	Storage for the digest. The length needed depends on the
80  *		mechanism.
81  *	cr:	crypto_call_req_t calling conditions and call back info.
82  *
83  * Description:
84  *	Asynchronously submits a request for, or synchronously performs the
85  *	digesting operation of 'data' on the specified
86  *	provider with the specified session.
87  *	When complete and successful, 'digest' will contain the digest value.
88  *	The caller should hold a reference on the specified provider
89  *	descriptor before calling this function.
90  *
91  * Context:
92  *	Process or interrupt, according to the semantics dictated by the 'cr'.
93  *
94  * Returns:
95  *	See comment in the beginning of the file.
96  */
97 int
98 crypto_digest_prov(crypto_provider_t provider, crypto_session_id_t sid,
99     crypto_mechanism_t *mech, crypto_data_t *data, crypto_data_t *digest,
100     crypto_call_req_t *crq)
101 {
102 	kcf_req_params_t params;
103 	kcf_provider_desc_t *pd = provider;
104 	kcf_provider_desc_t *real_provider = pd;
105 	int rv;
106 
107 	ASSERT(KCF_PROV_REFHELD(pd));
108 
109 	if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) {
110 		rv = kcf_get_hardware_provider(mech->cm_type,
111 		    CRYPTO_MECH_INVALID, CHECK_RESTRICT(crq),
112 		    pd, &real_provider, CRYPTO_FG_DIGEST_ATOMIC);
113 
114 		if (rv != CRYPTO_SUCCESS)
115 			return (rv);
116 	}
117 	KCF_WRAP_DIGEST_OPS_PARAMS(&params, KCF_OP_ATOMIC, sid, mech, NULL,
118 	    data, digest);
119 
120 	/* no crypto context to carry between multiple parts. */
121 	rv = kcf_submit_request(real_provider, NULL, crq, &params, B_FALSE);
122 	if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER)
123 		KCF_PROV_REFRELE(real_provider);
124 
125 	return (rv);
126 }
127 
128 /*
129  * Same as crypto_digest_prov(), but relies on the KCF scheduler to
130  * choose a provider. See crypto_digest_prov() comments for more information.
131  */
132 int
133 crypto_digest(crypto_mechanism_t *mech, crypto_data_t *data,
134     crypto_data_t *digest, crypto_call_req_t *crq)
135 {
136 	int error;
137 	kcf_provider_desc_t *pd;
138 	kcf_req_params_t params;
139 	kcf_prov_tried_t *list = NULL;
140 
141 retry:
142 	/* The pd is returned held */
143 	if ((pd = kcf_get_mech_provider(mech->cm_type, NULL, &error, list,
144 	    CRYPTO_FG_DIGEST_ATOMIC, CHECK_RESTRICT(crq),
145 	    data->cd_length)) == NULL) {
146 		if (list != NULL)
147 			kcf_free_triedlist(list);
148 		return (error);
149 	}
150 
151 	/* The fast path for SW providers. */
152 	if (CHECK_FASTPATH(crq, pd)) {
153 		crypto_mechanism_t lmech;
154 
155 		lmech = *mech;
156 		KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech);
157 		error = KCF_PROV_DIGEST_ATOMIC(pd, pd->pd_sid, &lmech, data,
158 		    digest, KCF_SWFP_RHNDL(crq));
159 		KCF_PROV_INCRSTATS(pd, error);
160 	} else {
161 		if (pd->pd_prov_type == CRYPTO_HW_PROVIDER &&
162 		    (pd->pd_flags & CRYPTO_HASH_NO_UPDATE) &&
163 		    (data->cd_length > pd->pd_hash_limit)) {
164 			error = CRYPTO_BUFFER_TOO_BIG;
165 		} else {
166 			KCF_WRAP_DIGEST_OPS_PARAMS(&params, KCF_OP_ATOMIC,
167 			    pd->pd_sid, mech, NULL, data, digest);
168 
169 			/* no crypto context to carry between multiple parts. */
170 			error = kcf_submit_request(pd, NULL, crq, &params,
171 			    B_FALSE);
172 		}
173 	}
174 
175 	if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED &&
176 	    IS_RECOVERABLE(error)) {
177 		/* Add pd to the linked list of providers tried. */
178 		if (kcf_insert_triedlist(&list, pd, KCF_KMFLAG(crq)) != NULL)
179 			goto retry;
180 	}
181 
182 	if (list != NULL)
183 		kcf_free_triedlist(list);
184 
185 	KCF_PROV_REFRELE(pd);
186 	return (error);
187 }
188 
189 /*
190  * crypto_digest_init_prov()
191  *
192  *	pd:	pointer to the descriptor of the provider to use for this
193  *		operation.
194  *	sid:	provider session id.
195  *	mech:	crypto_mechanism_t pointer.
196  *		mech_type is a valid value previously returned by
197  *		crypto_mech2id();
198  *		When the mech's parameter is not NULL, its definition depends
199  *		on the standard definition of the mechanism.
200  *	ctxp:	Pointer to a crypto_context_t.
201  *	cr:	crypto_call_req_t calling conditions and call back info.
202  *
203  * Description:
204  *	Asynchronously submits a request for, or synchronously performs the
205  *	initialization of a message digest operation on the specified
206  *	provider with the specified session.
207  *	When complete and successful, 'ctxp' will contain a crypto_context_t
208  *	valid for later calls to digest_update() and digest_final().
209  *	The caller should hold a reference on the specified provider
210  *	descriptor before calling this function.
211  */
212 int
213 crypto_digest_init_prov(crypto_provider_t provider, crypto_session_id_t sid,
214     crypto_mechanism_t *mech, crypto_context_t *ctxp, crypto_call_req_t  *crq)
215 {
216 	int error;
217 	crypto_ctx_t *ctx;
218 	kcf_req_params_t params;
219 	kcf_provider_desc_t *pd = provider;
220 	kcf_provider_desc_t *real_provider = pd;
221 
222 	ASSERT(KCF_PROV_REFHELD(pd));
223 
224 	if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) {
225 		error = kcf_get_hardware_provider(mech->cm_type,
226 		    CRYPTO_MECH_INVALID, CHECK_RESTRICT(crq), pd,
227 		    &real_provider, CRYPTO_FG_DIGEST);
228 
229 		if (error != CRYPTO_SUCCESS)
230 			return (error);
231 	}
232 
233 	/* Allocate and initialize the canonical context */
234 	if ((ctx = kcf_new_ctx(crq, real_provider, sid)) == NULL) {
235 		if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER)
236 			KCF_PROV_REFRELE(real_provider);
237 		return (CRYPTO_HOST_MEMORY);
238 	}
239 
240 	/* The fast path for SW providers. */
241 	if (CHECK_FASTPATH(crq, pd)) {
242 		crypto_mechanism_t lmech;
243 
244 		lmech = *mech;
245 		KCF_SET_PROVIDER_MECHNUM(mech->cm_type, real_provider, &lmech);
246 		error = KCF_PROV_DIGEST_INIT(real_provider, ctx, &lmech,
247 		    KCF_SWFP_RHNDL(crq));
248 		KCF_PROV_INCRSTATS(pd, error);
249 	} else {
250 		KCF_WRAP_DIGEST_OPS_PARAMS(&params, KCF_OP_INIT, sid,
251 		    mech, NULL, NULL, NULL);
252 		error = kcf_submit_request(real_provider, ctx, crq, &params,
253 		    B_FALSE);
254 	}
255 
256 	if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER)
257 		KCF_PROV_REFRELE(real_provider);
258 
259 	if ((error == CRYPTO_SUCCESS) || (error == CRYPTO_QUEUED))
260 		*ctxp = (crypto_context_t)ctx;
261 	else {
262 		/* Release the hold done in kcf_new_ctx(). */
263 		KCF_CONTEXT_REFRELE((kcf_context_t *)ctx->cc_framework_private);
264 	}
265 
266 	return (error);
267 }
268 
269 
270 /*
271  * Same as crypto_digest_init_prov(), but relies on the KCF scheduler
272  * to choose a provider. See crypto_digest_init_prov() comments for
273  * more information.
274  */
275 int
276 crypto_digest_init(crypto_mechanism_t *mech, crypto_context_t *ctxp,
277     crypto_call_req_t  *crq)
278 {
279 	int error;
280 	kcf_provider_desc_t *pd;
281 	kcf_prov_tried_t *list = NULL;
282 
283 retry:
284 	/* The pd is returned held */
285 	if ((pd = kcf_get_mech_provider(mech->cm_type, NULL, &error,
286 	    list, CRYPTO_FG_DIGEST, CHECK_RESTRICT(crq), 0)) == NULL) {
287 		if (list != NULL)
288 			kcf_free_triedlist(list);
289 		return (error);
290 	}
291 
292 	if (pd->pd_prov_type == CRYPTO_HW_PROVIDER &&
293 	    (pd->pd_flags & CRYPTO_HASH_NO_UPDATE)) {
294 		/*
295 		 * The hardware provider has limited digest support.
296 		 * So, we fallback early here to using a software provider.
297 		 *
298 		 * XXX - need to enhance to do the fallback later in
299 		 * crypto_digest_update() if the size of accumulated input data
300 		 * exceeds the maximum size digestable by hardware provider.
301 		 */
302 		error = CRYPTO_BUFFER_TOO_BIG;
303 	} else {
304 		error = crypto_digest_init_prov(pd, pd->pd_sid,
305 		    mech, ctxp, crq);
306 	}
307 
308 	if (error != CRYPTO_SUCCESS && error != CRYPTO_QUEUED &&
309 	    IS_RECOVERABLE(error)) {
310 		/* Add pd to the linked list of providers tried. */
311 		if (kcf_insert_triedlist(&list, pd, KCF_KMFLAG(crq)) != NULL)
312 			goto retry;
313 	}
314 
315 	if (list != NULL)
316 		kcf_free_triedlist(list);
317 	KCF_PROV_REFRELE(pd);
318 	return (error);
319 }
320 
321 /*
322  * crypto_digest_update()
323  *
324  * Arguments:
325  *	context: A crypto_context_t initialized by digest_init().
326  *	data:	The part of message to be digested.
327  *	cr:	crypto_call_req_t calling conditions and call back info.
328  *
329  * Description:
330  *	Asynchronously submits a request for, or synchronously performs a
331  *	part of a message digest operation.
332  *
333  * Context:
334  *	Process or interrupt, according to the semantics dictated by the 'cr'.
335  *
336  * Returns:
337  *	See comment in the beginning of the file.
338  */
339 int
340 crypto_digest_update(crypto_context_t context, crypto_data_t *data,
341     crypto_call_req_t *cr)
342 {
343 	crypto_ctx_t *ctx = (crypto_ctx_t *)context;
344 	kcf_context_t *kcf_ctx;
345 	kcf_provider_desc_t *pd;
346 	int error;
347 	kcf_req_params_t params;
348 
349 	if ((ctx == NULL) ||
350 	    ((kcf_ctx = (kcf_context_t *)ctx->cc_framework_private) == NULL) ||
351 	    ((pd = kcf_ctx->kc_prov_desc) == NULL)) {
352 		return (CRYPTO_INVALID_CONTEXT);
353 	}
354 
355 	ASSERT(pd->pd_prov_type != CRYPTO_LOGICAL_PROVIDER);
356 
357 	/* The fast path for SW providers. */
358 	if (CHECK_FASTPATH(cr, pd)) {
359 		error = KCF_PROV_DIGEST_UPDATE(pd, ctx, data, NULL);
360 		KCF_PROV_INCRSTATS(pd, error);
361 	} else {
362 		KCF_WRAP_DIGEST_OPS_PARAMS(&params, KCF_OP_UPDATE,
363 		    ctx->cc_session, NULL, NULL, data, NULL);
364 		error = kcf_submit_request(pd, ctx, cr, &params, B_FALSE);
365 	}
366 
367 	return (error);
368 }
369 
370 /*
371  * crypto_digest_final()
372  *
373  * Arguments:
374  *	context: A crypto_context_t initialized by digest_init().
375  *	digest:	The storage for the digest.
376  *	cr:	crypto_call_req_t calling conditions and call back info.
377  *
378  * Description:
379  *	Asynchronously submits a request for, or synchronously performs the
380  *	final part of a message digest operation.
381  *
382  * Context:
383  *	Process or interrupt, according to the semantics dictated by the 'cr'.
384  *
385  * Returns:
386  *	See comment in the beginning of the file.
387  */
388 int
389 crypto_digest_final(crypto_context_t context, crypto_data_t *digest,
390     crypto_call_req_t *cr)
391 {
392 	crypto_ctx_t *ctx = (crypto_ctx_t *)context;
393 	kcf_context_t *kcf_ctx;
394 	kcf_provider_desc_t *pd;
395 	int error;
396 	kcf_req_params_t params;
397 
398 	if ((ctx == NULL) ||
399 	    ((kcf_ctx = (kcf_context_t *)ctx->cc_framework_private) == NULL) ||
400 	    ((pd = kcf_ctx->kc_prov_desc) == NULL)) {
401 		return (CRYPTO_INVALID_CONTEXT);
402 	}
403 
404 	ASSERT(pd->pd_prov_type != CRYPTO_LOGICAL_PROVIDER);
405 
406 	/* The fast path for SW providers. */
407 	if (CHECK_FASTPATH(cr, pd)) {
408 		error = KCF_PROV_DIGEST_FINAL(pd, ctx, digest, NULL);
409 		KCF_PROV_INCRSTATS(pd, error);
410 	} else {
411 		KCF_WRAP_DIGEST_OPS_PARAMS(&params, KCF_OP_FINAL,
412 		    ctx->cc_session, NULL, NULL, NULL, digest);
413 		error = kcf_submit_request(pd, ctx, cr, &params, B_FALSE);
414 	}
415 
416 	/* Release the hold done in kcf_new_ctx() during init step. */
417 	KCF_CONTEXT_COND_RELEASE(error, kcf_ctx);
418 	return (error);
419 }
420 
421 /*
422  * Performs a digest update on the specified key. Note that there is
423  * no k-API crypto_digest_key() equivalent of this function.
424  */
425 int
426 crypto_digest_key_prov(crypto_context_t context, crypto_key_t *key,
427     crypto_call_req_t *cr)
428 {
429 	crypto_ctx_t *ctx = (crypto_ctx_t *)context;
430 	kcf_context_t *kcf_ctx;
431 	kcf_provider_desc_t *pd;
432 	int error;
433 	kcf_req_params_t params;
434 
435 	if ((ctx == NULL) ||
436 	    ((kcf_ctx = (kcf_context_t *)ctx->cc_framework_private) == NULL) ||
437 	    ((pd = kcf_ctx->kc_prov_desc) == NULL)) {
438 		return (CRYPTO_INVALID_CONTEXT);
439 	}
440 
441 	ASSERT(pd->pd_prov_type != CRYPTO_LOGICAL_PROVIDER);
442 
443 	/* The fast path for SW providers. */
444 	if (CHECK_FASTPATH(cr, pd)) {
445 		error = KCF_PROV_DIGEST_KEY(pd, ctx, key, NULL);
446 		KCF_PROV_INCRSTATS(pd, error);
447 	} else {
448 		KCF_WRAP_DIGEST_OPS_PARAMS(&params, KCF_OP_DIGEST_KEY,
449 		    ctx->cc_session, NULL, key, NULL, NULL);
450 		error = kcf_submit_request(pd, ctx, cr, &params, B_FALSE);
451 	}
452 
453 	return (error);
454 }
455 
456 /*
457  * See comments for crypto_digest_update() and crypto_digest_final().
458  */
459 int
460 crypto_digest_single(crypto_context_t context, crypto_data_t *data,
461     crypto_data_t *digest, crypto_call_req_t *cr)
462 {
463 	crypto_ctx_t *ctx = (crypto_ctx_t *)context;
464 	kcf_context_t *kcf_ctx;
465 	kcf_provider_desc_t *pd;
466 	int error;
467 	kcf_req_params_t params;
468 
469 	if ((ctx == NULL) ||
470 	    ((kcf_ctx = (kcf_context_t *)ctx->cc_framework_private) == NULL) ||
471 	    ((pd = kcf_ctx->kc_prov_desc) == NULL)) {
472 		return (CRYPTO_INVALID_CONTEXT);
473 	}
474 
475 
476 	/* The fast path for SW providers. */
477 	if (CHECK_FASTPATH(cr, pd)) {
478 		error = KCF_PROV_DIGEST(pd, ctx, data, digest, NULL);
479 		KCF_PROV_INCRSTATS(pd, error);
480 	} else {
481 		KCF_WRAP_DIGEST_OPS_PARAMS(&params, KCF_OP_SINGLE, pd->pd_sid,
482 		    NULL, NULL, data, digest);
483 		error = kcf_submit_request(pd, ctx, cr, &params, B_FALSE);
484 	}
485 
486 	/* Release the hold done in kcf_new_ctx() during init step. */
487 	KCF_CONTEXT_COND_RELEASE(error, kcf_ctx);
488 	return (error);
489 }
490