xref: /titanic_50/usr/src/uts/common/crypto/io/sha2_mod.c (revision 24db46411fd54f70c35b94bb952eb7ba040e43b4)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 #include <sys/modctl.h>
30 #include <sys/cmn_err.h>
31 #include <sys/crypto/common.h>
32 #include <sys/crypto/spi.h>
33 #include <sys/strsun.h>
34 #include <sys/systm.h>
35 #include <sys/sysmacros.h>
36 #define	_SHA2_IMPL
37 #include <sys/sha2.h>
38 
39 /*
40  * The sha2 module is created with two modlinkages:
41  * - a modlmisc that allows consumers to directly call the entry points
42  *   SHA2Init, SHA2Update, and SHA2Final.
43  * - a modlcrypto that allows the module to register with the Kernel
44  *   Cryptographic Framework (KCF) as a software provider for the SHA2
45  *   mechanisms.
46  */
47 
48 static struct modlmisc modlmisc = {
49 	&mod_miscops,
50 	"SHA2 Message-Digest Algorithm"
51 };
52 
53 static struct modlcrypto modlcrypto = {
54 	&mod_cryptoops,
55 	"SHA2 Kernel SW Provider %I%"
56 };
57 
58 static struct modlinkage modlinkage = {
59 	MODREV_1, &modlmisc, &modlcrypto, NULL
60 };
61 
62 /*
63  * CSPI information (entry points, provider info, etc.)
64  */
65 
66 /*
67  * Context for SHA2 mechanism.
68  */
69 typedef struct sha2_ctx {
70 	sha2_mech_type_t	sc_mech_type;	/* type of context */
71 	SHA2_CTX		sc_sha2_ctx;	/* SHA2 context */
72 } sha2_ctx_t;
73 
74 /*
75  * Context for SHA2 HMAC and HMAC GENERAL mechanisms.
76  */
77 typedef struct sha2_hmac_ctx {
78 	sha2_mech_type_t	hc_mech_type;	/* type of context */
79 	uint32_t		hc_digest_len;	/* digest len in bytes */
80 	SHA2_CTX		hc_icontext;	/* inner SHA2 context */
81 	SHA2_CTX		hc_ocontext;	/* outer SHA2 context */
82 } sha2_hmac_ctx_t;
83 
84 /*
85  * Macros to access the SHA2 or SHA2-HMAC contexts from a context passed
86  * by KCF to one of the entry points.
87  */
88 
89 #define	PROV_SHA2_CTX(ctx)	((sha2_ctx_t *)(ctx)->cc_provider_private)
90 #define	PROV_SHA2_HMAC_CTX(ctx)	((sha2_hmac_ctx_t *)(ctx)->cc_provider_private)
91 
92 /* to extract the digest length passed as mechanism parameter */
93 #define	PROV_SHA2_GET_DIGEST_LEN(m, len) {				\
94 	if (IS_P2ALIGNED((m)->cm_param, sizeof (ulong_t)))		\
95 		(len) = (uint32_t)*((ulong_t *)(m)->cm_param);	\
96 	else {								\
97 		ulong_t tmp_ulong;					\
98 		bcopy((m)->cm_param, &tmp_ulong, sizeof (ulong_t));	\
99 		(len) = (uint32_t)tmp_ulong;				\
100 	}								\
101 }
102 
103 #define	PROV_SHA2_DIGEST_KEY(mech, ctx, key, len, digest) {	\
104 	SHA2Init(mech, ctx);				\
105 	SHA2Update(ctx, key, len);			\
106 	SHA2Final(digest, ctx);				\
107 }
108 
109 /*
110  * Mechanism info structure passed to KCF during registration.
111  */
112 static crypto_mech_info_t sha2_mech_info_tab[] = {
113 	/* SHA256 */
114 	{SUN_CKM_SHA256, SHA256_MECH_INFO_TYPE,
115 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
116 	    0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
117 	/* SHA256-HMAC */
118 	{SUN_CKM_SHA256_HMAC, SHA256_HMAC_MECH_INFO_TYPE,
119 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
120 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
121 	    CRYPTO_KEYSIZE_UNIT_IN_BITS},
122 	/* SHA256-HMAC GENERAL */
123 	{SUN_CKM_SHA256_HMAC_GENERAL, SHA256_HMAC_GEN_MECH_INFO_TYPE,
124 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
125 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
126 	    CRYPTO_KEYSIZE_UNIT_IN_BITS},
127 	/* SHA384 */
128 	{SUN_CKM_SHA384, SHA384_MECH_INFO_TYPE,
129 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
130 	    0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
131 	/* SHA384-HMAC */
132 	{SUN_CKM_SHA384_HMAC, SHA384_HMAC_MECH_INFO_TYPE,
133 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
134 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
135 	    CRYPTO_KEYSIZE_UNIT_IN_BITS},
136 	/* SHA384-HMAC GENERAL */
137 	{SUN_CKM_SHA384_HMAC_GENERAL, SHA384_HMAC_GEN_MECH_INFO_TYPE,
138 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
139 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
140 	    CRYPTO_KEYSIZE_UNIT_IN_BITS},
141 	/* SHA512 */
142 	{SUN_CKM_SHA512, SHA512_MECH_INFO_TYPE,
143 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
144 	    0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
145 	/* SHA512-HMAC */
146 	{SUN_CKM_SHA512_HMAC, SHA512_HMAC_MECH_INFO_TYPE,
147 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
148 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
149 	    CRYPTO_KEYSIZE_UNIT_IN_BITS},
150 	/* SHA512-HMAC GENERAL */
151 	{SUN_CKM_SHA512_HMAC_GENERAL, SHA512_HMAC_GEN_MECH_INFO_TYPE,
152 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
153 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
154 	    CRYPTO_KEYSIZE_UNIT_IN_BITS}
155 };
156 
157 static void sha2_provider_status(crypto_provider_handle_t, uint_t *);
158 
159 static crypto_control_ops_t sha2_control_ops = {
160 	sha2_provider_status
161 };
162 
163 static int sha2_digest_init(crypto_ctx_t *, crypto_mechanism_t *,
164     crypto_req_handle_t);
165 static int sha2_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
166     crypto_req_handle_t);
167 static int sha2_digest_update(crypto_ctx_t *, crypto_data_t *,
168     crypto_req_handle_t);
169 static int sha2_digest_final(crypto_ctx_t *, crypto_data_t *,
170     crypto_req_handle_t);
171 static int sha2_digest_atomic(crypto_provider_handle_t, crypto_session_id_t,
172     crypto_mechanism_t *, crypto_data_t *, crypto_data_t *,
173     crypto_req_handle_t);
174 
175 static crypto_digest_ops_t sha2_digest_ops = {
176 	sha2_digest_init,
177 	sha2_digest,
178 	sha2_digest_update,
179 	NULL,
180 	sha2_digest_final,
181 	sha2_digest_atomic
182 };
183 
184 static int sha2_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *,
185     crypto_spi_ctx_template_t, crypto_req_handle_t);
186 static int sha2_mac_update(crypto_ctx_t *, crypto_data_t *,
187     crypto_req_handle_t);
188 static int sha2_mac_final(crypto_ctx_t *, crypto_data_t *, crypto_req_handle_t);
189 static int sha2_mac_atomic(crypto_provider_handle_t, crypto_session_id_t,
190     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
191     crypto_spi_ctx_template_t, crypto_req_handle_t);
192 static int sha2_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
193     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
194     crypto_spi_ctx_template_t, crypto_req_handle_t);
195 
196 static crypto_mac_ops_t sha2_mac_ops = {
197 	sha2_mac_init,
198 	NULL,
199 	sha2_mac_update,
200 	sha2_mac_final,
201 	sha2_mac_atomic,
202 	sha2_mac_verify_atomic
203 };
204 
205 static int sha2_create_ctx_template(crypto_provider_handle_t,
206     crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *,
207     size_t *, crypto_req_handle_t);
208 static int sha2_free_context(crypto_ctx_t *);
209 
210 static crypto_ctx_ops_t sha2_ctx_ops = {
211 	sha2_create_ctx_template,
212 	sha2_free_context
213 };
214 
215 static crypto_ops_t sha2_crypto_ops = {
216 	&sha2_control_ops,
217 	&sha2_digest_ops,
218 	NULL,
219 	&sha2_mac_ops,
220 	NULL,
221 	NULL,
222 	NULL,
223 	NULL,
224 	NULL,
225 	NULL,
226 	NULL,
227 	NULL,
228 	NULL,
229 	&sha2_ctx_ops
230 };
231 
232 static crypto_provider_info_t sha2_prov_info = {
233 	CRYPTO_SPI_VERSION_1,
234 	"SHA2 Software Provider",
235 	CRYPTO_SW_PROVIDER,
236 	{&modlinkage},
237 	NULL,
238 	&sha2_crypto_ops,
239 	sizeof (sha2_mech_info_tab)/sizeof (crypto_mech_info_t),
240 	sha2_mech_info_tab
241 };
242 
243 static crypto_kcf_provider_handle_t sha2_prov_handle = NULL;
244 
245 int
246 _init()
247 {
248 	int ret;
249 
250 	if ((ret = mod_install(&modlinkage)) != 0)
251 		return (ret);
252 
253 	/*
254 	 * Register with KCF. If the registration fails, log an
255 	 * error but do not uninstall the module, since the functionality
256 	 * provided by misc/sha2 should still be available.
257 	 */
258 	if ((ret = crypto_register_provider(&sha2_prov_info,
259 	    &sha2_prov_handle)) != CRYPTO_SUCCESS)
260 		cmn_err(CE_WARN, "sha2 _init: "
261 		    "crypto_register_provider() failed (0x%x)", ret);
262 
263 	return (0);
264 }
265 
266 int
267 _info(struct modinfo *modinfop)
268 {
269 	return (mod_info(&modlinkage, modinfop));
270 }
271 
272 /*
273  * KCF software provider control entry points.
274  */
275 /* ARGSUSED */
276 static void
277 sha2_provider_status(crypto_provider_handle_t provider, uint_t *status)
278 {
279 	*status = CRYPTO_PROVIDER_READY;
280 }
281 
282 /*
283  * KCF software provider digest entry points.
284  */
285 
286 static int
287 sha2_digest_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
288     crypto_req_handle_t req)
289 {
290 
291 	/*
292 	 * Allocate and initialize SHA2 context.
293 	 */
294 	ctx->cc_provider_private = kmem_alloc(sizeof (sha2_ctx_t),
295 	    crypto_kmflag(req));
296 	if (ctx->cc_provider_private == NULL)
297 		return (CRYPTO_HOST_MEMORY);
298 
299 	PROV_SHA2_CTX(ctx)->sc_mech_type = mechanism->cm_type;
300 	SHA2Init(mechanism->cm_type, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
301 
302 	return (CRYPTO_SUCCESS);
303 }
304 
305 /*
306  * Helper SHA2 digest update function for uio data.
307  */
308 static int
309 sha2_digest_update_uio(SHA2_CTX *sha2_ctx, crypto_data_t *data)
310 {
311 	off_t offset = data->cd_offset;
312 	size_t length = data->cd_length;
313 	uint_t vec_idx;
314 	size_t cur_len;
315 
316 	/* we support only kernel buffer */
317 	if (data->cd_uio->uio_segflg != UIO_SYSSPACE)
318 		return (CRYPTO_ARGUMENTS_BAD);
319 
320 	/*
321 	 * Jump to the first iovec containing data to be
322 	 * digested.
323 	 */
324 	for (vec_idx = 0; vec_idx < data->cd_uio->uio_iovcnt &&
325 	    offset >= data->cd_uio->uio_iov[vec_idx].iov_len;
326 	    offset -= data->cd_uio->uio_iov[vec_idx++].iov_len);
327 	if (vec_idx == data->cd_uio->uio_iovcnt) {
328 		/*
329 		 * The caller specified an offset that is larger than the
330 		 * total size of the buffers it provided.
331 		 */
332 		return (CRYPTO_DATA_LEN_RANGE);
333 	}
334 
335 	/*
336 	 * Now do the digesting on the iovecs.
337 	 */
338 	while (vec_idx < data->cd_uio->uio_iovcnt && length > 0) {
339 		cur_len = MIN(data->cd_uio->uio_iov[vec_idx].iov_len -
340 		    offset, length);
341 
342 		SHA2Update(sha2_ctx, (uint8_t *)data->cd_uio->
343 		    uio_iov[vec_idx].iov_base + offset, cur_len);
344 		length -= cur_len;
345 		vec_idx++;
346 		offset = 0;
347 	}
348 
349 	if (vec_idx == data->cd_uio->uio_iovcnt && length > 0) {
350 		/*
351 		 * The end of the specified iovec's was reached but
352 		 * the length requested could not be processed, i.e.
353 		 * The caller requested to digest more data than it provided.
354 		 */
355 		return (CRYPTO_DATA_LEN_RANGE);
356 	}
357 
358 	return (CRYPTO_SUCCESS);
359 }
360 
361 /*
362  * Helper SHA2 digest final function for uio data.
363  * digest_len is the length of the desired digest. If digest_len
364  * is smaller than the default SHA2 digest length, the caller
365  * must pass a scratch buffer, digest_scratch, which must
366  * be at least the algorithm's digest length bytes.
367  */
368 static int
369 sha2_digest_final_uio(SHA2_CTX *sha2_ctx, crypto_data_t *digest,
370     ulong_t digest_len, uchar_t *digest_scratch)
371 {
372 	off_t offset = digest->cd_offset;
373 	uint_t vec_idx;
374 
375 	/* we support only kernel buffer */
376 	if (digest->cd_uio->uio_segflg != UIO_SYSSPACE)
377 		return (CRYPTO_ARGUMENTS_BAD);
378 
379 	/*
380 	 * Jump to the first iovec containing ptr to the digest to
381 	 * be returned.
382 	 */
383 	for (vec_idx = 0; offset >= digest->cd_uio->uio_iov[vec_idx].iov_len &&
384 	    vec_idx < digest->cd_uio->uio_iovcnt;
385 	    offset -= digest->cd_uio->uio_iov[vec_idx++].iov_len);
386 	if (vec_idx == digest->cd_uio->uio_iovcnt) {
387 		/*
388 		 * The caller specified an offset that is
389 		 * larger than the total size of the buffers
390 		 * it provided.
391 		 */
392 		return (CRYPTO_DATA_LEN_RANGE);
393 	}
394 
395 	if (offset + digest_len <=
396 	    digest->cd_uio->uio_iov[vec_idx].iov_len) {
397 		/*
398 		 * The computed SHA2 digest will fit in the current
399 		 * iovec.
400 		 */
401 		if (((sha2_ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
402 		    (digest_len != SHA256_DIGEST_LENGTH)) ||
403 		    ((sha2_ctx->algotype > SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
404 			(digest_len != SHA512_DIGEST_LENGTH))) {
405 			/*
406 			 * The caller requested a short digest. Digest
407 			 * into a scratch buffer and return to
408 			 * the user only what was requested.
409 			 */
410 			SHA2Final(digest_scratch, sha2_ctx);
411 
412 			bcopy(digest_scratch, (uchar_t *)digest->
413 			    cd_uio->uio_iov[vec_idx].iov_base + offset,
414 			    digest_len);
415 		} else {
416 			SHA2Final((uchar_t *)digest->
417 			    cd_uio->uio_iov[vec_idx].iov_base + offset,
418 			    sha2_ctx);
419 
420 		}
421 	} else {
422 		/*
423 		 * The computed digest will be crossing one or more iovec's.
424 		 * This is bad performance-wise but we need to support it.
425 		 * Allocate a small scratch buffer on the stack and
426 		 * copy it piece meal to the specified digest iovec's.
427 		 */
428 		uchar_t digest_tmp[SHA512_DIGEST_LENGTH];
429 		off_t scratch_offset = 0;
430 		size_t length = digest_len;
431 		size_t cur_len;
432 
433 		SHA2Final(digest_tmp, sha2_ctx);
434 
435 		while (vec_idx < digest->cd_uio->uio_iovcnt && length > 0) {
436 			cur_len =
437 			    MIN(digest->cd_uio->uio_iov[vec_idx].iov_len -
438 				    offset, length);
439 			bcopy(digest_tmp + scratch_offset,
440 			    digest->cd_uio->uio_iov[vec_idx].iov_base + offset,
441 			    cur_len);
442 
443 			length -= cur_len;
444 			vec_idx++;
445 			scratch_offset += cur_len;
446 			offset = 0;
447 		}
448 
449 		if (vec_idx == digest->cd_uio->uio_iovcnt && length > 0) {
450 			/*
451 			 * The end of the specified iovec's was reached but
452 			 * the length requested could not be processed, i.e.
453 			 * The caller requested to digest more data than it
454 			 * provided.
455 			 */
456 			return (CRYPTO_DATA_LEN_RANGE);
457 		}
458 	}
459 
460 	return (CRYPTO_SUCCESS);
461 }
462 
463 /*
464  * Helper SHA2 digest update for mblk's.
465  */
466 static int
467 sha2_digest_update_mblk(SHA2_CTX *sha2_ctx, crypto_data_t *data)
468 {
469 	off_t offset = data->cd_offset;
470 	size_t length = data->cd_length;
471 	mblk_t *mp;
472 	size_t cur_len;
473 
474 	/*
475 	 * Jump to the first mblk_t containing data to be digested.
476 	 */
477 	for (mp = data->cd_mp; mp != NULL && offset >= MBLKL(mp);
478 	    offset -= MBLKL(mp), mp = mp->b_cont);
479 	if (mp == NULL) {
480 		/*
481 		 * The caller specified an offset that is larger than the
482 		 * total size of the buffers it provided.
483 		 */
484 		return (CRYPTO_DATA_LEN_RANGE);
485 	}
486 
487 	/*
488 	 * Now do the digesting on the mblk chain.
489 	 */
490 	while (mp != NULL && length > 0) {
491 		cur_len = MIN(MBLKL(mp) - offset, length);
492 		SHA2Update(sha2_ctx, mp->b_rptr + offset, cur_len);
493 		length -= cur_len;
494 		offset = 0;
495 		mp = mp->b_cont;
496 	}
497 
498 	if (mp == NULL && length > 0) {
499 		/*
500 		 * The end of the mblk was reached but the length requested
501 		 * could not be processed, i.e. The caller requested
502 		 * to digest more data than it provided.
503 		 */
504 		return (CRYPTO_DATA_LEN_RANGE);
505 	}
506 
507 	return (CRYPTO_SUCCESS);
508 }
509 
510 /*
511  * Helper SHA2 digest final for mblk's.
512  * digest_len is the length of the desired digest. If digest_len
513  * is smaller than the default SHA2 digest length, the caller
514  * must pass a scratch buffer, digest_scratch, which must
515  * be at least the algorithm's digest length bytes.
516  */
517 static int
518 sha2_digest_final_mblk(SHA2_CTX *sha2_ctx, crypto_data_t *digest,
519     ulong_t digest_len, uchar_t *digest_scratch)
520 {
521 	off_t offset = digest->cd_offset;
522 	mblk_t *mp;
523 
524 	/*
525 	 * Jump to the first mblk_t that will be used to store the digest.
526 	 */
527 	for (mp = digest->cd_mp; mp != NULL && offset >= MBLKL(mp);
528 	    offset -= MBLKL(mp), mp = mp->b_cont);
529 	if (mp == NULL) {
530 		/*
531 		 * The caller specified an offset that is larger than the
532 		 * total size of the buffers it provided.
533 		 */
534 		return (CRYPTO_DATA_LEN_RANGE);
535 	}
536 
537 	if (offset + digest_len <= MBLKL(mp)) {
538 		/*
539 		 * The computed SHA2 digest will fit in the current mblk.
540 		 * Do the SHA2Final() in-place.
541 		 */
542 		if (((sha2_ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
543 		    (digest_len != SHA256_DIGEST_LENGTH)) ||
544 		    ((sha2_ctx->algotype > SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
545 			(digest_len != SHA512_DIGEST_LENGTH))) {
546 			/*
547 			 * The caller requested a short digest. Digest
548 			 * into a scratch buffer and return to
549 			 * the user only what was requested.
550 			 */
551 			SHA2Final(digest_scratch, sha2_ctx);
552 			bcopy(digest_scratch, mp->b_rptr + offset, digest_len);
553 		} else {
554 			SHA2Final(mp->b_rptr + offset, sha2_ctx);
555 		}
556 	} else {
557 		/*
558 		 * The computed digest will be crossing one or more mblk's.
559 		 * This is bad performance-wise but we need to support it.
560 		 * Allocate a small scratch buffer on the stack and
561 		 * copy it piece meal to the specified digest iovec's.
562 		 */
563 		uchar_t digest_tmp[SHA512_DIGEST_LENGTH];
564 		off_t scratch_offset = 0;
565 		size_t length = digest_len;
566 		size_t cur_len;
567 
568 		SHA2Final(digest_tmp, sha2_ctx);
569 
570 		while (mp != NULL && length > 0) {
571 			cur_len = MIN(MBLKL(mp) - offset, length);
572 			bcopy(digest_tmp + scratch_offset,
573 			    mp->b_rptr + offset, cur_len);
574 
575 			length -= cur_len;
576 			mp = mp->b_cont;
577 			scratch_offset += cur_len;
578 			offset = 0;
579 		}
580 
581 		if (mp == NULL && length > 0) {
582 			/*
583 			 * The end of the specified mblk was reached but
584 			 * the length requested could not be processed, i.e.
585 			 * The caller requested to digest more data than it
586 			 * provided.
587 			 */
588 			return (CRYPTO_DATA_LEN_RANGE);
589 		}
590 	}
591 
592 	return (CRYPTO_SUCCESS);
593 }
594 
595 /* ARGSUSED */
596 static int
597 sha2_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest,
598     crypto_req_handle_t req)
599 {
600 	int ret = CRYPTO_SUCCESS;
601 	uint_t sha_digest_len;
602 
603 	ASSERT(ctx->cc_provider_private != NULL);
604 
605 	switch (PROV_SHA2_CTX(ctx)->sc_mech_type) {
606 	case SHA256_MECH_INFO_TYPE:
607 		sha_digest_len = SHA256_DIGEST_LENGTH;
608 		break;
609 	case SHA384_MECH_INFO_TYPE:
610 		sha_digest_len = SHA384_DIGEST_LENGTH;
611 		break;
612 	case SHA512_MECH_INFO_TYPE:
613 		sha_digest_len = SHA512_DIGEST_LENGTH;
614 		break;
615 	default:
616 		return (CRYPTO_MECHANISM_INVALID);
617 	}
618 
619 	/*
620 	 * We need to just return the length needed to store the output.
621 	 * We should not destroy the context for the following cases.
622 	 */
623 	if ((digest->cd_length == 0) ||
624 	    (digest->cd_length < sha_digest_len)) {
625 		digest->cd_length = sha_digest_len;
626 		return (CRYPTO_BUFFER_TOO_SMALL);
627 	}
628 
629 	/*
630 	 * Do the SHA2 update on the specified input data.
631 	 */
632 	switch (data->cd_format) {
633 	case CRYPTO_DATA_RAW:
634 		SHA2Update(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
635 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
636 		    data->cd_length);
637 		break;
638 	case CRYPTO_DATA_UIO:
639 		ret = sha2_digest_update_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
640 		    data);
641 		break;
642 	case CRYPTO_DATA_MBLK:
643 		ret = sha2_digest_update_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
644 		    data);
645 		break;
646 	default:
647 		ret = CRYPTO_ARGUMENTS_BAD;
648 	}
649 
650 	if (ret != CRYPTO_SUCCESS) {
651 		/* the update failed, free context and bail */
652 		kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
653 		ctx->cc_provider_private = NULL;
654 		digest->cd_length = 0;
655 		return (ret);
656 	}
657 
658 	/*
659 	 * Do a SHA2 final, must be done separately since the digest
660 	 * type can be different than the input data type.
661 	 */
662 	switch (digest->cd_format) {
663 	case CRYPTO_DATA_RAW:
664 		SHA2Final((unsigned char *)digest->cd_raw.iov_base +
665 		    digest->cd_offset, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
666 		break;
667 	case CRYPTO_DATA_UIO:
668 		ret = sha2_digest_final_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
669 		    digest, sha_digest_len, NULL);
670 		break;
671 	case CRYPTO_DATA_MBLK:
672 		ret = sha2_digest_final_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
673 		    digest, sha_digest_len, NULL);
674 		break;
675 	default:
676 		ret = CRYPTO_ARGUMENTS_BAD;
677 	}
678 
679 	/* all done, free context and return */
680 
681 	if (ret == CRYPTO_SUCCESS)
682 		digest->cd_length = sha_digest_len;
683 	else
684 		digest->cd_length = 0;
685 
686 	kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
687 	ctx->cc_provider_private = NULL;
688 	return (ret);
689 }
690 
691 /* ARGSUSED */
692 static int
693 sha2_digest_update(crypto_ctx_t *ctx, crypto_data_t *data,
694     crypto_req_handle_t req)
695 {
696 	int ret = CRYPTO_SUCCESS;
697 
698 	ASSERT(ctx->cc_provider_private != NULL);
699 
700 	/*
701 	 * Do the SHA2 update on the specified input data.
702 	 */
703 	switch (data->cd_format) {
704 	case CRYPTO_DATA_RAW:
705 		SHA2Update(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
706 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
707 		    data->cd_length);
708 		break;
709 	case CRYPTO_DATA_UIO:
710 		ret = sha2_digest_update_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
711 		    data);
712 		break;
713 	case CRYPTO_DATA_MBLK:
714 		ret = sha2_digest_update_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
715 		    data);
716 		break;
717 	default:
718 		ret = CRYPTO_ARGUMENTS_BAD;
719 	}
720 
721 	return (ret);
722 }
723 
724 /* ARGSUSED */
725 static int
726 sha2_digest_final(crypto_ctx_t *ctx, crypto_data_t *digest,
727     crypto_req_handle_t req)
728 {
729 	int ret = CRYPTO_SUCCESS;
730 	uint_t sha_digest_len;
731 
732 	ASSERT(ctx->cc_provider_private != NULL);
733 
734 	switch (PROV_SHA2_CTX(ctx)->sc_mech_type) {
735 	case SHA256_MECH_INFO_TYPE:
736 		sha_digest_len = SHA256_DIGEST_LENGTH;
737 		break;
738 	case SHA384_MECH_INFO_TYPE:
739 		sha_digest_len = SHA384_DIGEST_LENGTH;
740 		break;
741 	case SHA512_MECH_INFO_TYPE:
742 		sha_digest_len = SHA512_DIGEST_LENGTH;
743 		break;
744 	default:
745 		return (CRYPTO_MECHANISM_INVALID);
746 	}
747 
748 	/*
749 	 * We need to just return the length needed to store the output.
750 	 * We should not destroy the context for the following cases.
751 	 */
752 	if ((digest->cd_length == 0) ||
753 	    (digest->cd_length < sha_digest_len)) {
754 		digest->cd_length = sha_digest_len;
755 		return (CRYPTO_BUFFER_TOO_SMALL);
756 	}
757 
758 	/*
759 	 * Do a SHA2 final.
760 	 */
761 	switch (digest->cd_format) {
762 	case CRYPTO_DATA_RAW:
763 		SHA2Final((unsigned char *)digest->cd_raw.iov_base +
764 		    digest->cd_offset, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
765 		break;
766 	case CRYPTO_DATA_UIO:
767 		ret = sha2_digest_final_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
768 		    digest, sha_digest_len, NULL);
769 		break;
770 	case CRYPTO_DATA_MBLK:
771 		ret = sha2_digest_final_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
772 		    digest, sha_digest_len, NULL);
773 		break;
774 	default:
775 		ret = CRYPTO_ARGUMENTS_BAD;
776 	}
777 
778 	/* all done, free context and return */
779 
780 	if (ret == CRYPTO_SUCCESS)
781 		digest->cd_length = sha_digest_len;
782 	else
783 		digest->cd_length = 0;
784 
785 	kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
786 	ctx->cc_provider_private = NULL;
787 
788 	return (ret);
789 }
790 
791 /* ARGSUSED */
792 static int
793 sha2_digest_atomic(crypto_provider_handle_t provider,
794     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
795     crypto_data_t *data, crypto_data_t *digest,
796     crypto_req_handle_t req)
797 {
798 	int ret = CRYPTO_SUCCESS;
799 	SHA2_CTX sha2_ctx;
800 	uint32_t sha_digest_len;
801 
802 	/*
803 	 * Do the SHA inits.
804 	 */
805 
806 	SHA2Init(mechanism->cm_type, &sha2_ctx);
807 
808 	switch (data->cd_format) {
809 	case CRYPTO_DATA_RAW:
810 		SHA2Update(&sha2_ctx, (uint8_t *)data->
811 		    cd_raw.iov_base + data->cd_offset, data->cd_length);
812 		break;
813 	case CRYPTO_DATA_UIO:
814 		ret = sha2_digest_update_uio(&sha2_ctx, data);
815 		break;
816 	case CRYPTO_DATA_MBLK:
817 		ret = sha2_digest_update_mblk(&sha2_ctx, data);
818 		break;
819 	default:
820 		ret = CRYPTO_ARGUMENTS_BAD;
821 	}
822 
823 	/*
824 	 * Do the SHA updates on the specified input data.
825 	 */
826 
827 	if (ret != CRYPTO_SUCCESS) {
828 		/* the update failed, bail */
829 		digest->cd_length = 0;
830 		return (ret);
831 	}
832 
833 	if (mechanism->cm_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE)
834 		sha_digest_len = SHA256_DIGEST_LENGTH;
835 	else
836 		sha_digest_len = SHA512_DIGEST_LENGTH;
837 
838 	/*
839 	 * Do a SHA2 final, must be done separately since the digest
840 	 * type can be different than the input data type.
841 	 */
842 	switch (digest->cd_format) {
843 	case CRYPTO_DATA_RAW:
844 		SHA2Final((unsigned char *)digest->cd_raw.iov_base +
845 		    digest->cd_offset, &sha2_ctx);
846 		break;
847 	case CRYPTO_DATA_UIO:
848 		ret = sha2_digest_final_uio(&sha2_ctx, digest,
849 		    sha_digest_len, NULL);
850 		break;
851 	case CRYPTO_DATA_MBLK:
852 		ret = sha2_digest_final_mblk(&sha2_ctx, digest,
853 		    sha_digest_len, NULL);
854 		break;
855 	default:
856 		ret = CRYPTO_ARGUMENTS_BAD;
857 	}
858 
859 	if (ret == CRYPTO_SUCCESS)
860 		digest->cd_length = sha_digest_len;
861 	else
862 		digest->cd_length = 0;
863 
864 	return (ret);
865 }
866 
867 /*
868  * KCF software provider mac entry points.
869  *
870  * SHA2 HMAC is: SHA2(key XOR opad, SHA2(key XOR ipad, text))
871  *
872  * Init:
873  * The initialization routine initializes what we denote
874  * as the inner and outer contexts by doing
875  * - for inner context: SHA2(key XOR ipad)
876  * - for outer context: SHA2(key XOR opad)
877  *
878  * Update:
879  * Each subsequent SHA2 HMAC update will result in an
880  * update of the inner context with the specified data.
881  *
882  * Final:
883  * The SHA2 HMAC final will do a SHA2 final operation on the
884  * inner context, and the resulting digest will be used
885  * as the data for an update on the outer context. Last
886  * but not least, a SHA2 final on the outer context will
887  * be performed to obtain the SHA2 HMAC digest to return
888  * to the user.
889  */
890 
891 /*
892  * Initialize a SHA2-HMAC context.
893  */
894 static void
895 sha2_mac_init_ctx(sha2_hmac_ctx_t *ctx, void *keyval, uint_t length_in_bytes)
896 {
897 	uint64_t ipad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)];
898 	uint64_t opad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)];
899 	int i, block_size, blocks_per_int64;
900 
901 	/* Determine the block size */
902 	if (ctx->hc_mech_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE) {
903 		block_size = SHA256_HMAC_BLOCK_SIZE;
904 		blocks_per_int64 = SHA256_HMAC_BLOCK_SIZE / sizeof (uint64_t);
905 	} else {
906 		block_size = SHA512_HMAC_BLOCK_SIZE;
907 		blocks_per_int64 = SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t);
908 	}
909 
910 	(void) bzero(ipad, block_size);
911 	(void) bzero(opad, block_size);
912 	(void) bcopy(keyval, ipad, length_in_bytes);
913 	(void) bcopy(keyval, opad, length_in_bytes);
914 
915 	/* XOR key with ipad (0x36) and opad (0x5c) */
916 	for (i = 0; i < blocks_per_int64; i ++) {
917 		ipad[i] ^= 0x3636363636363636;
918 		opad[i] ^= 0x5c5c5c5c5c5c5c5c;
919 	}
920 
921 	/* perform SHA2 on ipad */
922 	SHA2Init(ctx->hc_mech_type, &ctx->hc_icontext);
923 	SHA2Update(&ctx->hc_icontext, (uint8_t *)ipad, block_size);
924 
925 	/* perform SHA2 on opad */
926 	SHA2Init(ctx->hc_mech_type, &ctx->hc_ocontext);
927 	SHA2Update(&ctx->hc_ocontext, (uint8_t *)opad, block_size);
928 
929 }
930 
931 /*
932  */
933 static int
934 sha2_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
935     crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
936     crypto_req_handle_t req)
937 {
938 	int ret = CRYPTO_SUCCESS;
939 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
940 	uint_t sha_digest_len, sha_hmac_block_size;
941 
942 	/*
943 	 * Set the digest length and block size to values approriate to the
944 	 * mechanism
945 	 */
946 	switch (mechanism->cm_type) {
947 	case SHA256_HMAC_MECH_INFO_TYPE:
948 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
949 		sha_digest_len = SHA256_DIGEST_LENGTH;
950 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
951 		break;
952 	case SHA384_HMAC_MECH_INFO_TYPE:
953 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
954 	case SHA512_HMAC_MECH_INFO_TYPE:
955 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
956 		sha_digest_len = SHA512_DIGEST_LENGTH;
957 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
958 		break;
959 	default:
960 		return (CRYPTO_MECHANISM_INVALID);
961 	}
962 
963 	if (key->ck_format != CRYPTO_KEY_RAW)
964 		return (CRYPTO_ARGUMENTS_BAD);
965 
966 	ctx->cc_provider_private = kmem_alloc(sizeof (sha2_hmac_ctx_t),
967 	    crypto_kmflag(req));
968 	if (ctx->cc_provider_private == NULL)
969 		return (CRYPTO_HOST_MEMORY);
970 
971 	PROV_SHA2_HMAC_CTX(ctx)->hc_mech_type = mechanism->cm_type;
972 	if (ctx_template != NULL) {
973 		/* reuse context template */
974 		bcopy(ctx_template, PROV_SHA2_HMAC_CTX(ctx),
975 		    sizeof (sha2_hmac_ctx_t));
976 	} else {
977 		/* no context template, compute context */
978 		if (keylen_in_bytes > sha_hmac_block_size) {
979 			uchar_t digested_key[SHA512_DIGEST_LENGTH];
980 			sha2_hmac_ctx_t *hmac_ctx = ctx->cc_provider_private;
981 
982 			/*
983 			 * Hash the passed-in key to get a smaller key.
984 			 * The inner context is used since it hasn't been
985 			 * initialized yet.
986 			 */
987 			PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
988 			    &hmac_ctx->hc_icontext,
989 			    key->ck_data, keylen_in_bytes, digested_key);
990 			sha2_mac_init_ctx(PROV_SHA2_HMAC_CTX(ctx),
991 			    digested_key, sha_digest_len);
992 		} else {
993 			sha2_mac_init_ctx(PROV_SHA2_HMAC_CTX(ctx),
994 			    key->ck_data, keylen_in_bytes);
995 		}
996 	}
997 
998 	/*
999 	 * Get the mechanism parameters, if applicable.
1000 	 */
1001 	if (mechanism->cm_type % 3 == 2) {
1002 		if (mechanism->cm_param == NULL ||
1003 		    mechanism->cm_param_len != sizeof (ulong_t))
1004 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1005 		PROV_SHA2_GET_DIGEST_LEN(mechanism,
1006 		    PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len);
1007 		if (PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len > sha_digest_len)
1008 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1009 	}
1010 
1011 	if (ret != CRYPTO_SUCCESS) {
1012 		bzero(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1013 		kmem_free(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1014 		ctx->cc_provider_private = NULL;
1015 	}
1016 
1017 	return (ret);
1018 }
1019 
1020 /* ARGSUSED */
1021 static int
1022 sha2_mac_update(crypto_ctx_t *ctx, crypto_data_t *data,
1023     crypto_req_handle_t req)
1024 {
1025 	int ret = CRYPTO_SUCCESS;
1026 
1027 	ASSERT(ctx->cc_provider_private != NULL);
1028 
1029 	/*
1030 	 * Do a SHA2 update of the inner context using the specified
1031 	 * data.
1032 	 */
1033 	switch (data->cd_format) {
1034 	case CRYPTO_DATA_RAW:
1035 		SHA2Update(&PROV_SHA2_HMAC_CTX(ctx)->hc_icontext,
1036 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
1037 		    data->cd_length);
1038 		break;
1039 	case CRYPTO_DATA_UIO:
1040 		ret = sha2_digest_update_uio(
1041 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext, data);
1042 		break;
1043 	case CRYPTO_DATA_MBLK:
1044 		ret = sha2_digest_update_mblk(
1045 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext, data);
1046 		break;
1047 	default:
1048 		ret = CRYPTO_ARGUMENTS_BAD;
1049 	}
1050 
1051 	return (ret);
1052 }
1053 
1054 /* ARGSUSED */
1055 static int
1056 sha2_mac_final(crypto_ctx_t *ctx, crypto_data_t *mac, crypto_req_handle_t req)
1057 {
1058 	int ret = CRYPTO_SUCCESS;
1059 	uchar_t digest[SHA512_DIGEST_LENGTH];
1060 	uint32_t digest_len, sha_digest_len;
1061 
1062 	ASSERT(ctx->cc_provider_private != NULL);
1063 
1064 	/* Set the digest lengths to values approriate to the mechanism */
1065 	switch (PROV_SHA2_HMAC_CTX(ctx)->hc_mech_type) {
1066 	case SHA256_HMAC_MECH_INFO_TYPE:
1067 		sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1068 		break;
1069 	case SHA384_HMAC_MECH_INFO_TYPE:
1070 		sha_digest_len = digest_len = SHA384_DIGEST_LENGTH;
1071 		break;
1072 	case SHA512_HMAC_MECH_INFO_TYPE:
1073 		sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1074 		break;
1075 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1076 		sha_digest_len = SHA256_DIGEST_LENGTH;
1077 		digest_len = PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len;
1078 		break;
1079 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1080 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1081 		sha_digest_len = SHA512_DIGEST_LENGTH;
1082 		digest_len = PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len;
1083 		break;
1084 	}
1085 
1086 	/*
1087 	 * We need to just return the length needed to store the output.
1088 	 * We should not destroy the context for the following cases.
1089 	 */
1090 	if ((mac->cd_length == 0) || (mac->cd_length < digest_len)) {
1091 		mac->cd_length = digest_len;
1092 		return (CRYPTO_BUFFER_TOO_SMALL);
1093 	}
1094 
1095 	/*
1096 	 * Do a SHA2 final on the inner context.
1097 	 */
1098 	SHA2Final(digest, &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext);
1099 
1100 	/*
1101 	 * Do a SHA2 update on the outer context, feeding the inner
1102 	 * digest as data.
1103 	 */
1104 	SHA2Update(&PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, digest,
1105 	    sha_digest_len);
1106 
1107 	/*
1108 	 * Do a SHA2 final on the outer context, storing the computing
1109 	 * digest in the users buffer.
1110 	 */
1111 	switch (mac->cd_format) {
1112 	case CRYPTO_DATA_RAW:
1113 		if (digest_len != sha_digest_len) {
1114 			/*
1115 			 * The caller requested a short digest. Digest
1116 			 * into a scratch buffer and return to
1117 			 * the user only what was requested.
1118 			 */
1119 			SHA2Final(digest,
1120 			    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext);
1121 			bcopy(digest, (unsigned char *)mac->cd_raw.iov_base +
1122 			    mac->cd_offset, digest_len);
1123 		} else {
1124 			SHA2Final((unsigned char *)mac->cd_raw.iov_base +
1125 			    mac->cd_offset,
1126 			    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext);
1127 		}
1128 		break;
1129 	case CRYPTO_DATA_UIO:
1130 		ret = sha2_digest_final_uio(
1131 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, mac,
1132 		    digest_len, digest);
1133 		break;
1134 	case CRYPTO_DATA_MBLK:
1135 		ret = sha2_digest_final_mblk(
1136 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, mac,
1137 		    digest_len, digest);
1138 		break;
1139 	default:
1140 		ret = CRYPTO_ARGUMENTS_BAD;
1141 	}
1142 
1143 	if (ret == CRYPTO_SUCCESS)
1144 		mac->cd_length = digest_len;
1145 	else
1146 		mac->cd_length = 0;
1147 
1148 	bzero(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1149 	kmem_free(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1150 	ctx->cc_provider_private = NULL;
1151 
1152 	return (ret);
1153 }
1154 
1155 #define	SHA2_MAC_UPDATE(data, ctx, ret) {				\
1156 	switch (data->cd_format) {					\
1157 	case CRYPTO_DATA_RAW:						\
1158 		SHA2Update(&(ctx).hc_icontext,				\
1159 		    (uint8_t *)data->cd_raw.iov_base +			\
1160 		    data->cd_offset, data->cd_length);			\
1161 		break;							\
1162 	case CRYPTO_DATA_UIO:						\
1163 		ret = sha2_digest_update_uio(&(ctx).hc_icontext, data);	\
1164 		break;							\
1165 	case CRYPTO_DATA_MBLK:						\
1166 		ret = sha2_digest_update_mblk(&(ctx).hc_icontext,	\
1167 		    data);						\
1168 		break;							\
1169 	default:							\
1170 		ret = CRYPTO_ARGUMENTS_BAD;				\
1171 	}								\
1172 }
1173 
1174 /* ARGSUSED */
1175 static int
1176 sha2_mac_atomic(crypto_provider_handle_t provider,
1177     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1178     crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1179     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1180 {
1181 	int ret = CRYPTO_SUCCESS;
1182 	uchar_t digest[SHA512_DIGEST_LENGTH];
1183 	sha2_hmac_ctx_t sha2_hmac_ctx;
1184 	uint32_t sha_digest_len, digest_len, sha_hmac_block_size;
1185 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1186 
1187 	/*
1188 	 * Set the digest length and block size to values approriate to the
1189 	 * mechanism
1190 	 */
1191 	switch (mechanism->cm_type) {
1192 	case SHA256_HMAC_MECH_INFO_TYPE:
1193 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1194 		sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1195 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1196 		break;
1197 	case SHA384_HMAC_MECH_INFO_TYPE:
1198 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1199 	case SHA512_HMAC_MECH_INFO_TYPE:
1200 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1201 		sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1202 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1203 		break;
1204 	default:
1205 		return (CRYPTO_MECHANISM_INVALID);
1206 	}
1207 
1208 	/* Add support for key by attributes (RFE 4706552) */
1209 	if (key->ck_format != CRYPTO_KEY_RAW)
1210 		return (CRYPTO_ARGUMENTS_BAD);
1211 
1212 	if (ctx_template != NULL) {
1213 		/* reuse context template */
1214 		bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1215 	} else {
1216 		sha2_hmac_ctx.hc_mech_type = mechanism->cm_type;
1217 		/* no context template, initialize context */
1218 		if (keylen_in_bytes > sha_hmac_block_size) {
1219 			/*
1220 			 * Hash the passed-in key to get a smaller key.
1221 			 * The inner context is used since it hasn't been
1222 			 * initialized yet.
1223 			 */
1224 			PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1225 			    &sha2_hmac_ctx.hc_icontext,
1226 			    key->ck_data, keylen_in_bytes, digest);
1227 			sha2_mac_init_ctx(&sha2_hmac_ctx, digest,
1228 			    sha_digest_len);
1229 		} else {
1230 			sha2_mac_init_ctx(&sha2_hmac_ctx, key->ck_data,
1231 			    keylen_in_bytes);
1232 		}
1233 	}
1234 
1235 	/* get the mechanism parameters, if applicable */
1236 	if ((mechanism->cm_type % 3) == 2) {
1237 		if (mechanism->cm_param == NULL ||
1238 		    mechanism->cm_param_len != sizeof (ulong_t)) {
1239 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1240 			goto bail;
1241 		}
1242 		PROV_SHA2_GET_DIGEST_LEN(mechanism, digest_len);
1243 		if (digest_len > sha_digest_len) {
1244 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1245 			goto bail;
1246 		}
1247 	}
1248 
1249 	/* do a SHA2 update of the inner context using the specified data */
1250 	SHA2_MAC_UPDATE(data, sha2_hmac_ctx, ret);
1251 	if (ret != CRYPTO_SUCCESS)
1252 		/* the update failed, free context and bail */
1253 		goto bail;
1254 
1255 	/*
1256 	 * Do a SHA2 final on the inner context.
1257 	 */
1258 	SHA2Final(digest, &sha2_hmac_ctx.hc_icontext);
1259 
1260 	/*
1261 	 * Do an SHA2 update on the outer context, feeding the inner
1262 	 * digest as data.
1263 	 *
1264 	 * Make sure that SHA384 is handled special because
1265 	 * it cannot feed a 60-byte inner hash to the outer
1266 	 */
1267 	if (mechanism->cm_type == SHA384_HMAC_MECH_INFO_TYPE ||
1268 	    mechanism->cm_type == SHA384_HMAC_GEN_MECH_INFO_TYPE)
1269 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest,
1270 		    SHA384_DIGEST_LENGTH);
1271 	else
1272 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, sha_digest_len);
1273 
1274 	/*
1275 	 * Do a SHA2 final on the outer context, storing the computed
1276 	 * digest in the users buffer.
1277 	 */
1278 	switch (mac->cd_format) {
1279 	case CRYPTO_DATA_RAW:
1280 		if (digest_len != sha_digest_len) {
1281 			/*
1282 			 * The caller requested a short digest. Digest
1283 			 * into a scratch buffer and return to
1284 			 * the user only what was requested.
1285 			 */
1286 			SHA2Final(digest, &sha2_hmac_ctx.hc_ocontext);
1287 			bcopy(digest, (unsigned char *)mac->cd_raw.iov_base +
1288 			    mac->cd_offset, digest_len);
1289 		} else {
1290 			SHA2Final((unsigned char *)mac->cd_raw.iov_base +
1291 			    mac->cd_offset, &sha2_hmac_ctx.hc_ocontext);
1292 		}
1293 		break;
1294 	case CRYPTO_DATA_UIO:
1295 		ret = sha2_digest_final_uio(&sha2_hmac_ctx.hc_ocontext, mac,
1296 		    digest_len, digest);
1297 		break;
1298 	case CRYPTO_DATA_MBLK:
1299 		ret = sha2_digest_final_mblk(&sha2_hmac_ctx.hc_ocontext, mac,
1300 		    digest_len, digest);
1301 		break;
1302 	default:
1303 		ret = CRYPTO_ARGUMENTS_BAD;
1304 	}
1305 
1306 	if (ret == CRYPTO_SUCCESS) {
1307 		mac->cd_length = digest_len;
1308 		return (CRYPTO_SUCCESS);
1309 	}
1310 bail:
1311 	bzero(&sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1312 	mac->cd_length = 0;
1313 	return (ret);
1314 }
1315 
1316 /* ARGSUSED */
1317 static int
1318 sha2_mac_verify_atomic(crypto_provider_handle_t provider,
1319     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1320     crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1321     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1322 {
1323 	int ret = CRYPTO_SUCCESS;
1324 	uchar_t digest[SHA512_DIGEST_LENGTH];
1325 	sha2_hmac_ctx_t sha2_hmac_ctx;
1326 	uint32_t sha_digest_len, digest_len, sha_hmac_block_size;
1327 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1328 
1329 	/*
1330 	 * Set the digest length and block size to values approriate to the
1331 	 * mechanism
1332 	 */
1333 	switch (mechanism->cm_type) {
1334 	case SHA256_HMAC_MECH_INFO_TYPE:
1335 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1336 		sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1337 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1338 		break;
1339 	case SHA384_HMAC_MECH_INFO_TYPE:
1340 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1341 	case SHA512_HMAC_MECH_INFO_TYPE:
1342 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1343 		sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1344 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1345 		break;
1346 	default:
1347 		return (CRYPTO_MECHANISM_INVALID);
1348 	}
1349 
1350 	/* Add support for key by attributes (RFE 4706552) */
1351 	if (key->ck_format != CRYPTO_KEY_RAW)
1352 		return (CRYPTO_ARGUMENTS_BAD);
1353 
1354 	if (ctx_template != NULL) {
1355 		/* reuse context template */
1356 		bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1357 	} else {
1358 		/* no context template, initialize context */
1359 		if (keylen_in_bytes > sha_hmac_block_size) {
1360 			/*
1361 			 * Hash the passed-in key to get a smaller key.
1362 			 * The inner context is used since it hasn't been
1363 			 * initialized yet.
1364 			 */
1365 			PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1366 			    &sha2_hmac_ctx.hc_icontext,
1367 			    key->ck_data, keylen_in_bytes, digest);
1368 			sha2_mac_init_ctx(&sha2_hmac_ctx, digest,
1369 			    sha_digest_len);
1370 		} else {
1371 			sha2_mac_init_ctx(&sha2_hmac_ctx, key->ck_data,
1372 			    keylen_in_bytes);
1373 		}
1374 	}
1375 
1376 	/* get the mechanism parameters, if applicable */
1377 	if (mechanism->cm_type % 3 == 2) {
1378 		if (mechanism->cm_param == NULL ||
1379 		    mechanism->cm_param_len != sizeof (ulong_t)) {
1380 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1381 			goto bail;
1382 		}
1383 		PROV_SHA2_GET_DIGEST_LEN(mechanism, digest_len);
1384 		if (digest_len > sha_digest_len) {
1385 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1386 			goto bail;
1387 		}
1388 	}
1389 
1390 	if (mac->cd_length != digest_len) {
1391 		ret = CRYPTO_INVALID_MAC;
1392 		goto bail;
1393 	}
1394 
1395 	/* do a SHA2 update of the inner context using the specified data */
1396 	SHA2_MAC_UPDATE(data, sha2_hmac_ctx, ret);
1397 	if (ret != CRYPTO_SUCCESS)
1398 		/* the update failed, free context and bail */
1399 		goto bail;
1400 
1401 	/* do a SHA2 final on the inner context */
1402 	SHA2Final(digest, &sha2_hmac_ctx.hc_icontext);
1403 
1404 	/*
1405 	 * Do an SHA2 update on the outer context, feeding the inner
1406 	 * digest as data.
1407 	 */
1408 	SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, sha_digest_len);
1409 
1410 	/*
1411 	 * Do a SHA2 final on the outer context, storing the computed
1412 	 * digest in the users buffer.
1413 	 */
1414 	SHA2Final(digest, &sha2_hmac_ctx.hc_ocontext);
1415 
1416 	/*
1417 	 * Compare the computed digest against the expected digest passed
1418 	 * as argument.
1419 	 */
1420 
1421 	switch (mac->cd_format) {
1422 
1423 	case CRYPTO_DATA_RAW:
1424 		if (bcmp(digest, (unsigned char *)mac->cd_raw.iov_base +
1425 		    mac->cd_offset, digest_len) != 0)
1426 			ret = CRYPTO_INVALID_MAC;
1427 		break;
1428 
1429 	case CRYPTO_DATA_UIO: {
1430 		off_t offset = mac->cd_offset;
1431 		uint_t vec_idx;
1432 		off_t scratch_offset = 0;
1433 		size_t length = digest_len;
1434 		size_t cur_len;
1435 
1436 		/* we support only kernel buffer */
1437 		if (mac->cd_uio->uio_segflg != UIO_SYSSPACE)
1438 			return (CRYPTO_ARGUMENTS_BAD);
1439 
1440 		/* jump to the first iovec containing the expected digest */
1441 		for (vec_idx = 0;
1442 		    offset >= mac->cd_uio->uio_iov[vec_idx].iov_len &&
1443 		    vec_idx < mac->cd_uio->uio_iovcnt;
1444 		    offset -= mac->cd_uio->uio_iov[vec_idx++].iov_len);
1445 		if (vec_idx == mac->cd_uio->uio_iovcnt) {
1446 			/*
1447 			 * The caller specified an offset that is
1448 			 * larger than the total size of the buffers
1449 			 * it provided.
1450 			 */
1451 			ret = CRYPTO_DATA_LEN_RANGE;
1452 			break;
1453 		}
1454 
1455 		/* do the comparison of computed digest vs specified one */
1456 		while (vec_idx < mac->cd_uio->uio_iovcnt && length > 0) {
1457 			cur_len = MIN(mac->cd_uio->uio_iov[vec_idx].iov_len -
1458 			    offset, length);
1459 
1460 			if (bcmp(digest + scratch_offset,
1461 			    mac->cd_uio->uio_iov[vec_idx].iov_base + offset,
1462 			    cur_len) != 0) {
1463 				ret = CRYPTO_INVALID_MAC;
1464 				break;
1465 			}
1466 
1467 			length -= cur_len;
1468 			vec_idx++;
1469 			scratch_offset += cur_len;
1470 			offset = 0;
1471 		}
1472 		break;
1473 	}
1474 
1475 	case CRYPTO_DATA_MBLK: {
1476 		off_t offset = mac->cd_offset;
1477 		mblk_t *mp;
1478 		off_t scratch_offset = 0;
1479 		size_t length = digest_len;
1480 		size_t cur_len;
1481 
1482 		/* jump to the first mblk_t containing the expected digest */
1483 		for (mp = mac->cd_mp; mp != NULL && offset >= MBLKL(mp);
1484 		    offset -= MBLKL(mp), mp = mp->b_cont);
1485 		if (mp == NULL) {
1486 			/*
1487 			 * The caller specified an offset that is larger than
1488 			 * the total size of the buffers it provided.
1489 			 */
1490 			ret = CRYPTO_DATA_LEN_RANGE;
1491 			break;
1492 		}
1493 
1494 		while (mp != NULL && length > 0) {
1495 			cur_len = MIN(MBLKL(mp) - offset, length);
1496 			if (bcmp(digest + scratch_offset,
1497 			    mp->b_rptr + offset, cur_len) != 0) {
1498 				ret = CRYPTO_INVALID_MAC;
1499 				break;
1500 			}
1501 
1502 			length -= cur_len;
1503 			mp = mp->b_cont;
1504 			scratch_offset += cur_len;
1505 			offset = 0;
1506 		}
1507 		break;
1508 	}
1509 
1510 	default:
1511 		ret = CRYPTO_ARGUMENTS_BAD;
1512 	}
1513 
1514 	return (ret);
1515 bail:
1516 	bzero(&sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1517 	mac->cd_length = 0;
1518 	return (ret);
1519 }
1520 
1521 /*
1522  * KCF software provider context management entry points.
1523  */
1524 
1525 /* ARGSUSED */
1526 static int
1527 sha2_create_ctx_template(crypto_provider_handle_t provider,
1528     crypto_mechanism_t *mechanism, crypto_key_t *key,
1529     crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size,
1530     crypto_req_handle_t req)
1531 {
1532 	sha2_hmac_ctx_t *sha2_hmac_ctx_tmpl;
1533 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1534 	uint32_t sha_digest_len, sha_hmac_block_size;
1535 
1536 	/*
1537 	 * Set the digest length and block size to values approriate to the
1538 	 * mechanism
1539 	 */
1540 	switch (mechanism->cm_type) {
1541 	case SHA256_HMAC_MECH_INFO_TYPE:
1542 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1543 		sha_digest_len = SHA256_DIGEST_LENGTH;
1544 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1545 		break;
1546 	case SHA384_HMAC_MECH_INFO_TYPE:
1547 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1548 	case SHA512_HMAC_MECH_INFO_TYPE:
1549 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1550 		sha_digest_len = SHA512_DIGEST_LENGTH;
1551 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1552 		break;
1553 	default:
1554 		return (CRYPTO_MECHANISM_INVALID);
1555 	}
1556 
1557 	/* Add support for key by attributes (RFE 4706552) */
1558 	if (key->ck_format != CRYPTO_KEY_RAW)
1559 		return (CRYPTO_ARGUMENTS_BAD);
1560 
1561 	/*
1562 	 * Allocate and initialize SHA2 context.
1563 	 */
1564 	sha2_hmac_ctx_tmpl = kmem_alloc(sizeof (sha2_hmac_ctx_t),
1565 	    crypto_kmflag(req));
1566 	if (sha2_hmac_ctx_tmpl == NULL)
1567 		return (CRYPTO_HOST_MEMORY);
1568 
1569 	sha2_hmac_ctx_tmpl->hc_mech_type = mechanism->cm_type;
1570 
1571 	if (keylen_in_bytes > sha_hmac_block_size) {
1572 		uchar_t digested_key[SHA512_DIGEST_LENGTH];
1573 
1574 		/*
1575 		 * Hash the passed-in key to get a smaller key.
1576 		 * The inner context is used since it hasn't been
1577 		 * initialized yet.
1578 		 */
1579 		PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1580 		    &sha2_hmac_ctx_tmpl->hc_icontext,
1581 		    key->ck_data, keylen_in_bytes, digested_key);
1582 		sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, digested_key,
1583 		    sha_digest_len);
1584 	} else {
1585 		sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, key->ck_data,
1586 		    keylen_in_bytes);
1587 	}
1588 
1589 	*ctx_template = (crypto_spi_ctx_template_t)sha2_hmac_ctx_tmpl;
1590 	*ctx_template_size = sizeof (sha2_hmac_ctx_t);
1591 
1592 	return (CRYPTO_SUCCESS);
1593 }
1594 
1595 static int
1596 sha2_free_context(crypto_ctx_t *ctx)
1597 {
1598 	uint_t ctx_len;
1599 
1600 	if (ctx->cc_provider_private == NULL)
1601 		return (CRYPTO_SUCCESS);
1602 
1603 	/*
1604 	 * We have to free either SHA2 or SHA2-HMAC contexts, which
1605 	 * have different lengths.
1606 	 *
1607 	 * Note: Below is dependent on the mechanism ordering.
1608 	 */
1609 
1610 	if (PROV_SHA2_CTX(ctx)->sc_mech_type % 3 == 0)
1611 		ctx_len = sizeof (sha2_ctx_t);
1612 	else
1613 		ctx_len = sizeof (sha2_hmac_ctx_t);
1614 
1615 	bzero(ctx->cc_provider_private, ctx_len);
1616 	kmem_free(ctx->cc_provider_private, ctx_len);
1617 	ctx->cc_provider_private = NULL;
1618 
1619 	return (CRYPTO_SUCCESS);
1620 }
1621