xref: /titanic_52/usr/src/uts/common/crypto/io/sha2_mod.c (revision 9e86db79b7d1bbc5f2f04e99954cbd5eae0e22bb)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #include <sys/modctl.h>
28 #include <sys/cmn_err.h>
29 #include <sys/crypto/common.h>
30 #include <sys/crypto/spi.h>
31 #include <sys/strsun.h>
32 #include <sys/systm.h>
33 #include <sys/sysmacros.h>
34 #define	_SHA2_IMPL
35 #include <sys/sha2.h>
36 #include <sha2/sha2_impl.h>
37 
38 /*
39  * The sha2 module is created with two modlinkages:
40  * - a modlmisc that allows consumers to directly call the entry points
41  *   SHA2Init, SHA2Update, and SHA2Final.
42  * - a modlcrypto that allows the module to register with the Kernel
43  *   Cryptographic Framework (KCF) as a software provider for the SHA2
44  *   mechanisms.
45  */
46 
47 static struct modlmisc modlmisc = {
48 	&mod_miscops,
49 	"SHA2 Message-Digest Algorithm"
50 };
51 
52 static struct modlcrypto modlcrypto = {
53 	&mod_cryptoops,
54 	"SHA2 Kernel SW Provider"
55 };
56 
57 static struct modlinkage modlinkage = {
58 	MODREV_1, &modlmisc, &modlcrypto, NULL
59 };
60 
61 /*
62  * Macros to access the SHA2 or SHA2-HMAC contexts from a context passed
63  * by KCF to one of the entry points.
64  */
65 
66 #define	PROV_SHA2_CTX(ctx)	((sha2_ctx_t *)(ctx)->cc_provider_private)
67 #define	PROV_SHA2_HMAC_CTX(ctx)	((sha2_hmac_ctx_t *)(ctx)->cc_provider_private)
68 
69 /* to extract the digest length passed as mechanism parameter */
70 #define	PROV_SHA2_GET_DIGEST_LEN(m, len) {				\
71 	if (IS_P2ALIGNED((m)->cm_param, sizeof (ulong_t)))		\
72 		(len) = (uint32_t)*((ulong_t *)(m)->cm_param);	\
73 	else {								\
74 		ulong_t tmp_ulong;					\
75 		bcopy((m)->cm_param, &tmp_ulong, sizeof (ulong_t));	\
76 		(len) = (uint32_t)tmp_ulong;				\
77 	}								\
78 }
79 
80 #define	PROV_SHA2_DIGEST_KEY(mech, ctx, key, len, digest) {	\
81 	SHA2Init(mech, ctx);				\
82 	SHA2Update(ctx, key, len);			\
83 	SHA2Final(digest, ctx);				\
84 }
85 
86 /*
87  * Mechanism info structure passed to KCF during registration.
88  */
89 static crypto_mech_info_t sha2_mech_info_tab[] = {
90 	/* SHA256 */
91 	{SUN_CKM_SHA256, SHA256_MECH_INFO_TYPE,
92 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
93 	    0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
94 	/* SHA256-HMAC */
95 	{SUN_CKM_SHA256_HMAC, SHA256_HMAC_MECH_INFO_TYPE,
96 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
97 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
98 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES},
99 	/* SHA256-HMAC GENERAL */
100 	{SUN_CKM_SHA256_HMAC_GENERAL, SHA256_HMAC_GEN_MECH_INFO_TYPE,
101 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
102 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
103 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES},
104 	/* SHA384 */
105 	{SUN_CKM_SHA384, SHA384_MECH_INFO_TYPE,
106 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
107 	    0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
108 	/* SHA384-HMAC */
109 	{SUN_CKM_SHA384_HMAC, SHA384_HMAC_MECH_INFO_TYPE,
110 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
111 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
112 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES},
113 	/* SHA384-HMAC GENERAL */
114 	{SUN_CKM_SHA384_HMAC_GENERAL, SHA384_HMAC_GEN_MECH_INFO_TYPE,
115 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
116 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
117 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES},
118 	/* SHA512 */
119 	{SUN_CKM_SHA512, SHA512_MECH_INFO_TYPE,
120 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
121 	    0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
122 	/* SHA512-HMAC */
123 	{SUN_CKM_SHA512_HMAC, SHA512_HMAC_MECH_INFO_TYPE,
124 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
125 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
126 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES},
127 	/* SHA512-HMAC GENERAL */
128 	{SUN_CKM_SHA512_HMAC_GENERAL, SHA512_HMAC_GEN_MECH_INFO_TYPE,
129 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
130 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
131 	    CRYPTO_KEYSIZE_UNIT_IN_BYTES}
132 };
133 
134 static void sha2_provider_status(crypto_provider_handle_t, uint_t *);
135 
136 static crypto_control_ops_t sha2_control_ops = {
137 	sha2_provider_status
138 };
139 
140 static int sha2_digest_init(crypto_ctx_t *, crypto_mechanism_t *,
141     crypto_req_handle_t);
142 static int sha2_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
143     crypto_req_handle_t);
144 static int sha2_digest_update(crypto_ctx_t *, crypto_data_t *,
145     crypto_req_handle_t);
146 static int sha2_digest_final(crypto_ctx_t *, crypto_data_t *,
147     crypto_req_handle_t);
148 static int sha2_digest_atomic(crypto_provider_handle_t, crypto_session_id_t,
149     crypto_mechanism_t *, crypto_data_t *, crypto_data_t *,
150     crypto_req_handle_t);
151 
152 static crypto_digest_ops_t sha2_digest_ops = {
153 	sha2_digest_init,
154 	sha2_digest,
155 	sha2_digest_update,
156 	NULL,
157 	sha2_digest_final,
158 	sha2_digest_atomic
159 };
160 
161 static int sha2_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *,
162     crypto_spi_ctx_template_t, crypto_req_handle_t);
163 static int sha2_mac_update(crypto_ctx_t *, crypto_data_t *,
164     crypto_req_handle_t);
165 static int sha2_mac_final(crypto_ctx_t *, crypto_data_t *, crypto_req_handle_t);
166 static int sha2_mac_atomic(crypto_provider_handle_t, crypto_session_id_t,
167     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
168     crypto_spi_ctx_template_t, crypto_req_handle_t);
169 static int sha2_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
170     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
171     crypto_spi_ctx_template_t, crypto_req_handle_t);
172 
173 static crypto_mac_ops_t sha2_mac_ops = {
174 	sha2_mac_init,
175 	NULL,
176 	sha2_mac_update,
177 	sha2_mac_final,
178 	sha2_mac_atomic,
179 	sha2_mac_verify_atomic
180 };
181 
182 static int sha2_create_ctx_template(crypto_provider_handle_t,
183     crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *,
184     size_t *, crypto_req_handle_t);
185 static int sha2_free_context(crypto_ctx_t *);
186 
187 static crypto_ctx_ops_t sha2_ctx_ops = {
188 	sha2_create_ctx_template,
189 	sha2_free_context
190 };
191 
192 static crypto_ops_t sha2_crypto_ops = {
193 	&sha2_control_ops,
194 	&sha2_digest_ops,
195 	NULL,
196 	&sha2_mac_ops,
197 	NULL,
198 	NULL,
199 	NULL,
200 	NULL,
201 	NULL,
202 	NULL,
203 	NULL,
204 	NULL,
205 	NULL,
206 	&sha2_ctx_ops
207 };
208 
209 static crypto_provider_info_t sha2_prov_info = {
210 	CRYPTO_SPI_VERSION_1,
211 	"SHA2 Software Provider",
212 	CRYPTO_SW_PROVIDER,
213 	{&modlinkage},
214 	NULL,
215 	&sha2_crypto_ops,
216 	sizeof (sha2_mech_info_tab)/sizeof (crypto_mech_info_t),
217 	sha2_mech_info_tab
218 };
219 
220 static crypto_kcf_provider_handle_t sha2_prov_handle = NULL;
221 
222 int
223 _init()
224 {
225 	int ret;
226 
227 	if ((ret = mod_install(&modlinkage)) != 0)
228 		return (ret);
229 
230 	/*
231 	 * Register with KCF. If the registration fails, log an
232 	 * error but do not uninstall the module, since the functionality
233 	 * provided by misc/sha2 should still be available.
234 	 */
235 	if ((ret = crypto_register_provider(&sha2_prov_info,
236 	    &sha2_prov_handle)) != CRYPTO_SUCCESS)
237 		cmn_err(CE_WARN, "sha2 _init: "
238 		    "crypto_register_provider() failed (0x%x)", ret);
239 
240 	return (0);
241 }
242 
243 int
244 _info(struct modinfo *modinfop)
245 {
246 	return (mod_info(&modlinkage, modinfop));
247 }
248 
249 /*
250  * KCF software provider control entry points.
251  */
252 /* ARGSUSED */
253 static void
254 sha2_provider_status(crypto_provider_handle_t provider, uint_t *status)
255 {
256 	*status = CRYPTO_PROVIDER_READY;
257 }
258 
259 /*
260  * KCF software provider digest entry points.
261  */
262 
263 static int
264 sha2_digest_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
265     crypto_req_handle_t req)
266 {
267 
268 	/*
269 	 * Allocate and initialize SHA2 context.
270 	 */
271 	ctx->cc_provider_private = kmem_alloc(sizeof (sha2_ctx_t),
272 	    crypto_kmflag(req));
273 	if (ctx->cc_provider_private == NULL)
274 		return (CRYPTO_HOST_MEMORY);
275 
276 	PROV_SHA2_CTX(ctx)->sc_mech_type = mechanism->cm_type;
277 	SHA2Init(mechanism->cm_type, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
278 
279 	return (CRYPTO_SUCCESS);
280 }
281 
282 /*
283  * Helper SHA2 digest update function for uio data.
284  */
285 static int
286 sha2_digest_update_uio(SHA2_CTX *sha2_ctx, crypto_data_t *data)
287 {
288 	off_t offset = data->cd_offset;
289 	size_t length = data->cd_length;
290 	uint_t vec_idx;
291 	size_t cur_len;
292 
293 	/* we support only kernel buffer */
294 	if (data->cd_uio->uio_segflg != UIO_SYSSPACE)
295 		return (CRYPTO_ARGUMENTS_BAD);
296 
297 	/*
298 	 * Jump to the first iovec containing data to be
299 	 * digested.
300 	 */
301 	for (vec_idx = 0; vec_idx < data->cd_uio->uio_iovcnt &&
302 	    offset >= data->cd_uio->uio_iov[vec_idx].iov_len;
303 	    offset -= data->cd_uio->uio_iov[vec_idx++].iov_len)
304 		;
305 	if (vec_idx == data->cd_uio->uio_iovcnt) {
306 		/*
307 		 * The caller specified an offset that is larger than the
308 		 * total size of the buffers it provided.
309 		 */
310 		return (CRYPTO_DATA_LEN_RANGE);
311 	}
312 
313 	/*
314 	 * Now do the digesting on the iovecs.
315 	 */
316 	while (vec_idx < data->cd_uio->uio_iovcnt && length > 0) {
317 		cur_len = MIN(data->cd_uio->uio_iov[vec_idx].iov_len -
318 		    offset, length);
319 
320 		SHA2Update(sha2_ctx, (uint8_t *)data->cd_uio->
321 		    uio_iov[vec_idx].iov_base + offset, cur_len);
322 		length -= cur_len;
323 		vec_idx++;
324 		offset = 0;
325 	}
326 
327 	if (vec_idx == data->cd_uio->uio_iovcnt && length > 0) {
328 		/*
329 		 * The end of the specified iovec's was reached but
330 		 * the length requested could not be processed, i.e.
331 		 * The caller requested to digest more data than it provided.
332 		 */
333 		return (CRYPTO_DATA_LEN_RANGE);
334 	}
335 
336 	return (CRYPTO_SUCCESS);
337 }
338 
339 /*
340  * Helper SHA2 digest final function for uio data.
341  * digest_len is the length of the desired digest. If digest_len
342  * is smaller than the default SHA2 digest length, the caller
343  * must pass a scratch buffer, digest_scratch, which must
344  * be at least the algorithm's digest length bytes.
345  */
346 static int
347 sha2_digest_final_uio(SHA2_CTX *sha2_ctx, crypto_data_t *digest,
348     ulong_t digest_len, uchar_t *digest_scratch)
349 {
350 	off_t offset = digest->cd_offset;
351 	uint_t vec_idx;
352 
353 	/* we support only kernel buffer */
354 	if (digest->cd_uio->uio_segflg != UIO_SYSSPACE)
355 		return (CRYPTO_ARGUMENTS_BAD);
356 
357 	/*
358 	 * Jump to the first iovec containing ptr to the digest to
359 	 * be returned.
360 	 */
361 	for (vec_idx = 0; offset >= digest->cd_uio->uio_iov[vec_idx].iov_len &&
362 	    vec_idx < digest->cd_uio->uio_iovcnt;
363 	    offset -= digest->cd_uio->uio_iov[vec_idx++].iov_len)
364 		;
365 	if (vec_idx == digest->cd_uio->uio_iovcnt) {
366 		/*
367 		 * The caller specified an offset that is
368 		 * larger than the total size of the buffers
369 		 * it provided.
370 		 */
371 		return (CRYPTO_DATA_LEN_RANGE);
372 	}
373 
374 	if (offset + digest_len <=
375 	    digest->cd_uio->uio_iov[vec_idx].iov_len) {
376 		/*
377 		 * The computed SHA2 digest will fit in the current
378 		 * iovec.
379 		 */
380 		if (((sha2_ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
381 		    (digest_len != SHA256_DIGEST_LENGTH)) ||
382 		    ((sha2_ctx->algotype > SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
383 		    (digest_len != SHA512_DIGEST_LENGTH))) {
384 			/*
385 			 * The caller requested a short digest. Digest
386 			 * into a scratch buffer and return to
387 			 * the user only what was requested.
388 			 */
389 			SHA2Final(digest_scratch, sha2_ctx);
390 
391 			bcopy(digest_scratch, (uchar_t *)digest->
392 			    cd_uio->uio_iov[vec_idx].iov_base + offset,
393 			    digest_len);
394 		} else {
395 			SHA2Final((uchar_t *)digest->
396 			    cd_uio->uio_iov[vec_idx].iov_base + offset,
397 			    sha2_ctx);
398 
399 		}
400 	} else {
401 		/*
402 		 * The computed digest will be crossing one or more iovec's.
403 		 * This is bad performance-wise but we need to support it.
404 		 * Allocate a small scratch buffer on the stack and
405 		 * copy it piece meal to the specified digest iovec's.
406 		 */
407 		uchar_t digest_tmp[SHA512_DIGEST_LENGTH];
408 		off_t scratch_offset = 0;
409 		size_t length = digest_len;
410 		size_t cur_len;
411 
412 		SHA2Final(digest_tmp, sha2_ctx);
413 
414 		while (vec_idx < digest->cd_uio->uio_iovcnt && length > 0) {
415 			cur_len =
416 			    MIN(digest->cd_uio->uio_iov[vec_idx].iov_len -
417 			    offset, length);
418 			bcopy(digest_tmp + scratch_offset,
419 			    digest->cd_uio->uio_iov[vec_idx].iov_base + offset,
420 			    cur_len);
421 
422 			length -= cur_len;
423 			vec_idx++;
424 			scratch_offset += cur_len;
425 			offset = 0;
426 		}
427 
428 		if (vec_idx == digest->cd_uio->uio_iovcnt && length > 0) {
429 			/*
430 			 * The end of the specified iovec's was reached but
431 			 * the length requested could not be processed, i.e.
432 			 * The caller requested to digest more data than it
433 			 * provided.
434 			 */
435 			return (CRYPTO_DATA_LEN_RANGE);
436 		}
437 	}
438 
439 	return (CRYPTO_SUCCESS);
440 }
441 
442 /*
443  * Helper SHA2 digest update for mblk's.
444  */
445 static int
446 sha2_digest_update_mblk(SHA2_CTX *sha2_ctx, crypto_data_t *data)
447 {
448 	off_t offset = data->cd_offset;
449 	size_t length = data->cd_length;
450 	mblk_t *mp;
451 	size_t cur_len;
452 
453 	/*
454 	 * Jump to the first mblk_t containing data to be digested.
455 	 */
456 	for (mp = data->cd_mp; mp != NULL && offset >= MBLKL(mp);
457 	    offset -= MBLKL(mp), mp = mp->b_cont)
458 		;
459 	if (mp == NULL) {
460 		/*
461 		 * The caller specified an offset that is larger than the
462 		 * total size of the buffers it provided.
463 		 */
464 		return (CRYPTO_DATA_LEN_RANGE);
465 	}
466 
467 	/*
468 	 * Now do the digesting on the mblk chain.
469 	 */
470 	while (mp != NULL && length > 0) {
471 		cur_len = MIN(MBLKL(mp) - offset, length);
472 		SHA2Update(sha2_ctx, mp->b_rptr + offset, cur_len);
473 		length -= cur_len;
474 		offset = 0;
475 		mp = mp->b_cont;
476 	}
477 
478 	if (mp == NULL && length > 0) {
479 		/*
480 		 * The end of the mblk was reached but the length requested
481 		 * could not be processed, i.e. The caller requested
482 		 * to digest more data than it provided.
483 		 */
484 		return (CRYPTO_DATA_LEN_RANGE);
485 	}
486 
487 	return (CRYPTO_SUCCESS);
488 }
489 
490 /*
491  * Helper SHA2 digest final for mblk's.
492  * digest_len is the length of the desired digest. If digest_len
493  * is smaller than the default SHA2 digest length, the caller
494  * must pass a scratch buffer, digest_scratch, which must
495  * be at least the algorithm's digest length bytes.
496  */
497 static int
498 sha2_digest_final_mblk(SHA2_CTX *sha2_ctx, crypto_data_t *digest,
499     ulong_t digest_len, uchar_t *digest_scratch)
500 {
501 	off_t offset = digest->cd_offset;
502 	mblk_t *mp;
503 
504 	/*
505 	 * Jump to the first mblk_t that will be used to store the digest.
506 	 */
507 	for (mp = digest->cd_mp; mp != NULL && offset >= MBLKL(mp);
508 	    offset -= MBLKL(mp), mp = mp->b_cont)
509 		;
510 	if (mp == NULL) {
511 		/*
512 		 * The caller specified an offset that is larger than the
513 		 * total size of the buffers it provided.
514 		 */
515 		return (CRYPTO_DATA_LEN_RANGE);
516 	}
517 
518 	if (offset + digest_len <= MBLKL(mp)) {
519 		/*
520 		 * The computed SHA2 digest will fit in the current mblk.
521 		 * Do the SHA2Final() in-place.
522 		 */
523 		if (((sha2_ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
524 		    (digest_len != SHA256_DIGEST_LENGTH)) ||
525 		    ((sha2_ctx->algotype > SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
526 		    (digest_len != SHA512_DIGEST_LENGTH))) {
527 			/*
528 			 * The caller requested a short digest. Digest
529 			 * into a scratch buffer and return to
530 			 * the user only what was requested.
531 			 */
532 			SHA2Final(digest_scratch, sha2_ctx);
533 			bcopy(digest_scratch, mp->b_rptr + offset, digest_len);
534 		} else {
535 			SHA2Final(mp->b_rptr + offset, sha2_ctx);
536 		}
537 	} else {
538 		/*
539 		 * The computed digest will be crossing one or more mblk's.
540 		 * This is bad performance-wise but we need to support it.
541 		 * Allocate a small scratch buffer on the stack and
542 		 * copy it piece meal to the specified digest iovec's.
543 		 */
544 		uchar_t digest_tmp[SHA512_DIGEST_LENGTH];
545 		off_t scratch_offset = 0;
546 		size_t length = digest_len;
547 		size_t cur_len;
548 
549 		SHA2Final(digest_tmp, sha2_ctx);
550 
551 		while (mp != NULL && length > 0) {
552 			cur_len = MIN(MBLKL(mp) - offset, length);
553 			bcopy(digest_tmp + scratch_offset,
554 			    mp->b_rptr + offset, cur_len);
555 
556 			length -= cur_len;
557 			mp = mp->b_cont;
558 			scratch_offset += cur_len;
559 			offset = 0;
560 		}
561 
562 		if (mp == NULL && length > 0) {
563 			/*
564 			 * The end of the specified mblk was reached but
565 			 * the length requested could not be processed, i.e.
566 			 * The caller requested to digest more data than it
567 			 * provided.
568 			 */
569 			return (CRYPTO_DATA_LEN_RANGE);
570 		}
571 	}
572 
573 	return (CRYPTO_SUCCESS);
574 }
575 
576 /* ARGSUSED */
577 static int
578 sha2_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest,
579     crypto_req_handle_t req)
580 {
581 	int ret = CRYPTO_SUCCESS;
582 	uint_t sha_digest_len;
583 
584 	ASSERT(ctx->cc_provider_private != NULL);
585 
586 	switch (PROV_SHA2_CTX(ctx)->sc_mech_type) {
587 	case SHA256_MECH_INFO_TYPE:
588 		sha_digest_len = SHA256_DIGEST_LENGTH;
589 		break;
590 	case SHA384_MECH_INFO_TYPE:
591 		sha_digest_len = SHA384_DIGEST_LENGTH;
592 		break;
593 	case SHA512_MECH_INFO_TYPE:
594 		sha_digest_len = SHA512_DIGEST_LENGTH;
595 		break;
596 	default:
597 		return (CRYPTO_MECHANISM_INVALID);
598 	}
599 
600 	/*
601 	 * We need to just return the length needed to store the output.
602 	 * We should not destroy the context for the following cases.
603 	 */
604 	if ((digest->cd_length == 0) ||
605 	    (digest->cd_length < sha_digest_len)) {
606 		digest->cd_length = sha_digest_len;
607 		return (CRYPTO_BUFFER_TOO_SMALL);
608 	}
609 
610 	/*
611 	 * Do the SHA2 update on the specified input data.
612 	 */
613 	switch (data->cd_format) {
614 	case CRYPTO_DATA_RAW:
615 		SHA2Update(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
616 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
617 		    data->cd_length);
618 		break;
619 	case CRYPTO_DATA_UIO:
620 		ret = sha2_digest_update_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
621 		    data);
622 		break;
623 	case CRYPTO_DATA_MBLK:
624 		ret = sha2_digest_update_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
625 		    data);
626 		break;
627 	default:
628 		ret = CRYPTO_ARGUMENTS_BAD;
629 	}
630 
631 	if (ret != CRYPTO_SUCCESS) {
632 		/* the update failed, free context and bail */
633 		kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
634 		ctx->cc_provider_private = NULL;
635 		digest->cd_length = 0;
636 		return (ret);
637 	}
638 
639 	/*
640 	 * Do a SHA2 final, must be done separately since the digest
641 	 * type can be different than the input data type.
642 	 */
643 	switch (digest->cd_format) {
644 	case CRYPTO_DATA_RAW:
645 		SHA2Final((unsigned char *)digest->cd_raw.iov_base +
646 		    digest->cd_offset, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
647 		break;
648 	case CRYPTO_DATA_UIO:
649 		ret = sha2_digest_final_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
650 		    digest, sha_digest_len, NULL);
651 		break;
652 	case CRYPTO_DATA_MBLK:
653 		ret = sha2_digest_final_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
654 		    digest, sha_digest_len, NULL);
655 		break;
656 	default:
657 		ret = CRYPTO_ARGUMENTS_BAD;
658 	}
659 
660 	/* all done, free context and return */
661 
662 	if (ret == CRYPTO_SUCCESS)
663 		digest->cd_length = sha_digest_len;
664 	else
665 		digest->cd_length = 0;
666 
667 	kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
668 	ctx->cc_provider_private = NULL;
669 	return (ret);
670 }
671 
672 /* ARGSUSED */
673 static int
674 sha2_digest_update(crypto_ctx_t *ctx, crypto_data_t *data,
675     crypto_req_handle_t req)
676 {
677 	int ret = CRYPTO_SUCCESS;
678 
679 	ASSERT(ctx->cc_provider_private != NULL);
680 
681 	/*
682 	 * Do the SHA2 update on the specified input data.
683 	 */
684 	switch (data->cd_format) {
685 	case CRYPTO_DATA_RAW:
686 		SHA2Update(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
687 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
688 		    data->cd_length);
689 		break;
690 	case CRYPTO_DATA_UIO:
691 		ret = sha2_digest_update_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
692 		    data);
693 		break;
694 	case CRYPTO_DATA_MBLK:
695 		ret = sha2_digest_update_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
696 		    data);
697 		break;
698 	default:
699 		ret = CRYPTO_ARGUMENTS_BAD;
700 	}
701 
702 	return (ret);
703 }
704 
705 /* ARGSUSED */
706 static int
707 sha2_digest_final(crypto_ctx_t *ctx, crypto_data_t *digest,
708     crypto_req_handle_t req)
709 {
710 	int ret = CRYPTO_SUCCESS;
711 	uint_t sha_digest_len;
712 
713 	ASSERT(ctx->cc_provider_private != NULL);
714 
715 	switch (PROV_SHA2_CTX(ctx)->sc_mech_type) {
716 	case SHA256_MECH_INFO_TYPE:
717 		sha_digest_len = SHA256_DIGEST_LENGTH;
718 		break;
719 	case SHA384_MECH_INFO_TYPE:
720 		sha_digest_len = SHA384_DIGEST_LENGTH;
721 		break;
722 	case SHA512_MECH_INFO_TYPE:
723 		sha_digest_len = SHA512_DIGEST_LENGTH;
724 		break;
725 	default:
726 		return (CRYPTO_MECHANISM_INVALID);
727 	}
728 
729 	/*
730 	 * We need to just return the length needed to store the output.
731 	 * We should not destroy the context for the following cases.
732 	 */
733 	if ((digest->cd_length == 0) ||
734 	    (digest->cd_length < sha_digest_len)) {
735 		digest->cd_length = sha_digest_len;
736 		return (CRYPTO_BUFFER_TOO_SMALL);
737 	}
738 
739 	/*
740 	 * Do a SHA2 final.
741 	 */
742 	switch (digest->cd_format) {
743 	case CRYPTO_DATA_RAW:
744 		SHA2Final((unsigned char *)digest->cd_raw.iov_base +
745 		    digest->cd_offset, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
746 		break;
747 	case CRYPTO_DATA_UIO:
748 		ret = sha2_digest_final_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
749 		    digest, sha_digest_len, NULL);
750 		break;
751 	case CRYPTO_DATA_MBLK:
752 		ret = sha2_digest_final_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
753 		    digest, sha_digest_len, NULL);
754 		break;
755 	default:
756 		ret = CRYPTO_ARGUMENTS_BAD;
757 	}
758 
759 	/* all done, free context and return */
760 
761 	if (ret == CRYPTO_SUCCESS)
762 		digest->cd_length = sha_digest_len;
763 	else
764 		digest->cd_length = 0;
765 
766 	kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
767 	ctx->cc_provider_private = NULL;
768 
769 	return (ret);
770 }
771 
772 /* ARGSUSED */
773 static int
774 sha2_digest_atomic(crypto_provider_handle_t provider,
775     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
776     crypto_data_t *data, crypto_data_t *digest,
777     crypto_req_handle_t req)
778 {
779 	int ret = CRYPTO_SUCCESS;
780 	SHA2_CTX sha2_ctx;
781 	uint32_t sha_digest_len;
782 
783 	/*
784 	 * Do the SHA inits.
785 	 */
786 
787 	SHA2Init(mechanism->cm_type, &sha2_ctx);
788 
789 	switch (data->cd_format) {
790 	case CRYPTO_DATA_RAW:
791 		SHA2Update(&sha2_ctx, (uint8_t *)data->
792 		    cd_raw.iov_base + data->cd_offset, data->cd_length);
793 		break;
794 	case CRYPTO_DATA_UIO:
795 		ret = sha2_digest_update_uio(&sha2_ctx, data);
796 		break;
797 	case CRYPTO_DATA_MBLK:
798 		ret = sha2_digest_update_mblk(&sha2_ctx, data);
799 		break;
800 	default:
801 		ret = CRYPTO_ARGUMENTS_BAD;
802 	}
803 
804 	/*
805 	 * Do the SHA updates on the specified input data.
806 	 */
807 
808 	if (ret != CRYPTO_SUCCESS) {
809 		/* the update failed, bail */
810 		digest->cd_length = 0;
811 		return (ret);
812 	}
813 
814 	if (mechanism->cm_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE)
815 		sha_digest_len = SHA256_DIGEST_LENGTH;
816 	else
817 		sha_digest_len = SHA512_DIGEST_LENGTH;
818 
819 	/*
820 	 * Do a SHA2 final, must be done separately since the digest
821 	 * type can be different than the input data type.
822 	 */
823 	switch (digest->cd_format) {
824 	case CRYPTO_DATA_RAW:
825 		SHA2Final((unsigned char *)digest->cd_raw.iov_base +
826 		    digest->cd_offset, &sha2_ctx);
827 		break;
828 	case CRYPTO_DATA_UIO:
829 		ret = sha2_digest_final_uio(&sha2_ctx, digest,
830 		    sha_digest_len, NULL);
831 		break;
832 	case CRYPTO_DATA_MBLK:
833 		ret = sha2_digest_final_mblk(&sha2_ctx, digest,
834 		    sha_digest_len, NULL);
835 		break;
836 	default:
837 		ret = CRYPTO_ARGUMENTS_BAD;
838 	}
839 
840 	if (ret == CRYPTO_SUCCESS)
841 		digest->cd_length = sha_digest_len;
842 	else
843 		digest->cd_length = 0;
844 
845 	return (ret);
846 }
847 
848 /*
849  * KCF software provider mac entry points.
850  *
851  * SHA2 HMAC is: SHA2(key XOR opad, SHA2(key XOR ipad, text))
852  *
853  * Init:
854  * The initialization routine initializes what we denote
855  * as the inner and outer contexts by doing
856  * - for inner context: SHA2(key XOR ipad)
857  * - for outer context: SHA2(key XOR opad)
858  *
859  * Update:
860  * Each subsequent SHA2 HMAC update will result in an
861  * update of the inner context with the specified data.
862  *
863  * Final:
864  * The SHA2 HMAC final will do a SHA2 final operation on the
865  * inner context, and the resulting digest will be used
866  * as the data for an update on the outer context. Last
867  * but not least, a SHA2 final on the outer context will
868  * be performed to obtain the SHA2 HMAC digest to return
869  * to the user.
870  */
871 
872 /*
873  * Initialize a SHA2-HMAC context.
874  */
875 static void
876 sha2_mac_init_ctx(sha2_hmac_ctx_t *ctx, void *keyval, uint_t length_in_bytes)
877 {
878 	uint64_t ipad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)];
879 	uint64_t opad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)];
880 	int i, block_size, blocks_per_int64;
881 
882 	/* Determine the block size */
883 	if (ctx->hc_mech_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE) {
884 		block_size = SHA256_HMAC_BLOCK_SIZE;
885 		blocks_per_int64 = SHA256_HMAC_BLOCK_SIZE / sizeof (uint64_t);
886 	} else {
887 		block_size = SHA512_HMAC_BLOCK_SIZE;
888 		blocks_per_int64 = SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t);
889 	}
890 
891 	(void) bzero(ipad, block_size);
892 	(void) bzero(opad, block_size);
893 	(void) bcopy(keyval, ipad, length_in_bytes);
894 	(void) bcopy(keyval, opad, length_in_bytes);
895 
896 	/* XOR key with ipad (0x36) and opad (0x5c) */
897 	for (i = 0; i < blocks_per_int64; i ++) {
898 		ipad[i] ^= 0x3636363636363636;
899 		opad[i] ^= 0x5c5c5c5c5c5c5c5c;
900 	}
901 
902 	/* perform SHA2 on ipad */
903 	SHA2Init(ctx->hc_mech_type, &ctx->hc_icontext);
904 	SHA2Update(&ctx->hc_icontext, (uint8_t *)ipad, block_size);
905 
906 	/* perform SHA2 on opad */
907 	SHA2Init(ctx->hc_mech_type, &ctx->hc_ocontext);
908 	SHA2Update(&ctx->hc_ocontext, (uint8_t *)opad, block_size);
909 
910 }
911 
912 /*
913  */
914 static int
915 sha2_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
916     crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
917     crypto_req_handle_t req)
918 {
919 	int ret = CRYPTO_SUCCESS;
920 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
921 	uint_t sha_digest_len, sha_hmac_block_size;
922 
923 	/*
924 	 * Set the digest length and block size to values approriate to the
925 	 * mechanism
926 	 */
927 	switch (mechanism->cm_type) {
928 	case SHA256_HMAC_MECH_INFO_TYPE:
929 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
930 		sha_digest_len = SHA256_DIGEST_LENGTH;
931 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
932 		break;
933 	case SHA384_HMAC_MECH_INFO_TYPE:
934 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
935 	case SHA512_HMAC_MECH_INFO_TYPE:
936 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
937 		sha_digest_len = SHA512_DIGEST_LENGTH;
938 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
939 		break;
940 	default:
941 		return (CRYPTO_MECHANISM_INVALID);
942 	}
943 
944 	if (key->ck_format != CRYPTO_KEY_RAW)
945 		return (CRYPTO_ARGUMENTS_BAD);
946 
947 	ctx->cc_provider_private = kmem_alloc(sizeof (sha2_hmac_ctx_t),
948 	    crypto_kmflag(req));
949 	if (ctx->cc_provider_private == NULL)
950 		return (CRYPTO_HOST_MEMORY);
951 
952 	PROV_SHA2_HMAC_CTX(ctx)->hc_mech_type = mechanism->cm_type;
953 	if (ctx_template != NULL) {
954 		/* reuse context template */
955 		bcopy(ctx_template, PROV_SHA2_HMAC_CTX(ctx),
956 		    sizeof (sha2_hmac_ctx_t));
957 	} else {
958 		/* no context template, compute context */
959 		if (keylen_in_bytes > sha_hmac_block_size) {
960 			uchar_t digested_key[SHA512_DIGEST_LENGTH];
961 			sha2_hmac_ctx_t *hmac_ctx = ctx->cc_provider_private;
962 
963 			/*
964 			 * Hash the passed-in key to get a smaller key.
965 			 * The inner context is used since it hasn't been
966 			 * initialized yet.
967 			 */
968 			PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
969 			    &hmac_ctx->hc_icontext,
970 			    key->ck_data, keylen_in_bytes, digested_key);
971 			sha2_mac_init_ctx(PROV_SHA2_HMAC_CTX(ctx),
972 			    digested_key, sha_digest_len);
973 		} else {
974 			sha2_mac_init_ctx(PROV_SHA2_HMAC_CTX(ctx),
975 			    key->ck_data, keylen_in_bytes);
976 		}
977 	}
978 
979 	/*
980 	 * Get the mechanism parameters, if applicable.
981 	 */
982 	if (mechanism->cm_type % 3 == 2) {
983 		if (mechanism->cm_param == NULL ||
984 		    mechanism->cm_param_len != sizeof (ulong_t))
985 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
986 		PROV_SHA2_GET_DIGEST_LEN(mechanism,
987 		    PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len);
988 		if (PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len > sha_digest_len)
989 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
990 	}
991 
992 	if (ret != CRYPTO_SUCCESS) {
993 		bzero(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
994 		kmem_free(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
995 		ctx->cc_provider_private = NULL;
996 	}
997 
998 	return (ret);
999 }
1000 
1001 /* ARGSUSED */
1002 static int
1003 sha2_mac_update(crypto_ctx_t *ctx, crypto_data_t *data,
1004     crypto_req_handle_t req)
1005 {
1006 	int ret = CRYPTO_SUCCESS;
1007 
1008 	ASSERT(ctx->cc_provider_private != NULL);
1009 
1010 	/*
1011 	 * Do a SHA2 update of the inner context using the specified
1012 	 * data.
1013 	 */
1014 	switch (data->cd_format) {
1015 	case CRYPTO_DATA_RAW:
1016 		SHA2Update(&PROV_SHA2_HMAC_CTX(ctx)->hc_icontext,
1017 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
1018 		    data->cd_length);
1019 		break;
1020 	case CRYPTO_DATA_UIO:
1021 		ret = sha2_digest_update_uio(
1022 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext, data);
1023 		break;
1024 	case CRYPTO_DATA_MBLK:
1025 		ret = sha2_digest_update_mblk(
1026 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext, data);
1027 		break;
1028 	default:
1029 		ret = CRYPTO_ARGUMENTS_BAD;
1030 	}
1031 
1032 	return (ret);
1033 }
1034 
1035 /* ARGSUSED */
1036 static int
1037 sha2_mac_final(crypto_ctx_t *ctx, crypto_data_t *mac, crypto_req_handle_t req)
1038 {
1039 	int ret = CRYPTO_SUCCESS;
1040 	uchar_t digest[SHA512_DIGEST_LENGTH];
1041 	uint32_t digest_len, sha_digest_len;
1042 
1043 	ASSERT(ctx->cc_provider_private != NULL);
1044 
1045 	/* Set the digest lengths to values approriate to the mechanism */
1046 	switch (PROV_SHA2_HMAC_CTX(ctx)->hc_mech_type) {
1047 	case SHA256_HMAC_MECH_INFO_TYPE:
1048 		sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1049 		break;
1050 	case SHA384_HMAC_MECH_INFO_TYPE:
1051 		sha_digest_len = digest_len = SHA384_DIGEST_LENGTH;
1052 		break;
1053 	case SHA512_HMAC_MECH_INFO_TYPE:
1054 		sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1055 		break;
1056 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1057 		sha_digest_len = SHA256_DIGEST_LENGTH;
1058 		digest_len = PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len;
1059 		break;
1060 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1061 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1062 		sha_digest_len = SHA512_DIGEST_LENGTH;
1063 		digest_len = PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len;
1064 		break;
1065 	}
1066 
1067 	/*
1068 	 * We need to just return the length needed to store the output.
1069 	 * We should not destroy the context for the following cases.
1070 	 */
1071 	if ((mac->cd_length == 0) || (mac->cd_length < digest_len)) {
1072 		mac->cd_length = digest_len;
1073 		return (CRYPTO_BUFFER_TOO_SMALL);
1074 	}
1075 
1076 	/*
1077 	 * Do a SHA2 final on the inner context.
1078 	 */
1079 	SHA2Final(digest, &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext);
1080 
1081 	/*
1082 	 * Do a SHA2 update on the outer context, feeding the inner
1083 	 * digest as data.
1084 	 */
1085 	SHA2Update(&PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, digest,
1086 	    sha_digest_len);
1087 
1088 	/*
1089 	 * Do a SHA2 final on the outer context, storing the computing
1090 	 * digest in the users buffer.
1091 	 */
1092 	switch (mac->cd_format) {
1093 	case CRYPTO_DATA_RAW:
1094 		if (digest_len != sha_digest_len) {
1095 			/*
1096 			 * The caller requested a short digest. Digest
1097 			 * into a scratch buffer and return to
1098 			 * the user only what was requested.
1099 			 */
1100 			SHA2Final(digest,
1101 			    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext);
1102 			bcopy(digest, (unsigned char *)mac->cd_raw.iov_base +
1103 			    mac->cd_offset, digest_len);
1104 		} else {
1105 			SHA2Final((unsigned char *)mac->cd_raw.iov_base +
1106 			    mac->cd_offset,
1107 			    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext);
1108 		}
1109 		break;
1110 	case CRYPTO_DATA_UIO:
1111 		ret = sha2_digest_final_uio(
1112 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, mac,
1113 		    digest_len, digest);
1114 		break;
1115 	case CRYPTO_DATA_MBLK:
1116 		ret = sha2_digest_final_mblk(
1117 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, mac,
1118 		    digest_len, digest);
1119 		break;
1120 	default:
1121 		ret = CRYPTO_ARGUMENTS_BAD;
1122 	}
1123 
1124 	if (ret == CRYPTO_SUCCESS)
1125 		mac->cd_length = digest_len;
1126 	else
1127 		mac->cd_length = 0;
1128 
1129 	bzero(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1130 	kmem_free(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1131 	ctx->cc_provider_private = NULL;
1132 
1133 	return (ret);
1134 }
1135 
1136 #define	SHA2_MAC_UPDATE(data, ctx, ret) {				\
1137 	switch (data->cd_format) {					\
1138 	case CRYPTO_DATA_RAW:						\
1139 		SHA2Update(&(ctx).hc_icontext,				\
1140 		    (uint8_t *)data->cd_raw.iov_base +			\
1141 		    data->cd_offset, data->cd_length);			\
1142 		break;							\
1143 	case CRYPTO_DATA_UIO:						\
1144 		ret = sha2_digest_update_uio(&(ctx).hc_icontext, data);	\
1145 		break;							\
1146 	case CRYPTO_DATA_MBLK:						\
1147 		ret = sha2_digest_update_mblk(&(ctx).hc_icontext,	\
1148 		    data);						\
1149 		break;							\
1150 	default:							\
1151 		ret = CRYPTO_ARGUMENTS_BAD;				\
1152 	}								\
1153 }
1154 
1155 /* ARGSUSED */
1156 static int
1157 sha2_mac_atomic(crypto_provider_handle_t provider,
1158     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1159     crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1160     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1161 {
1162 	int ret = CRYPTO_SUCCESS;
1163 	uchar_t digest[SHA512_DIGEST_LENGTH];
1164 	sha2_hmac_ctx_t sha2_hmac_ctx;
1165 	uint32_t sha_digest_len, digest_len, sha_hmac_block_size;
1166 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1167 
1168 	/*
1169 	 * Set the digest length and block size to values approriate to the
1170 	 * mechanism
1171 	 */
1172 	switch (mechanism->cm_type) {
1173 	case SHA256_HMAC_MECH_INFO_TYPE:
1174 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1175 		sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1176 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1177 		break;
1178 	case SHA384_HMAC_MECH_INFO_TYPE:
1179 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1180 	case SHA512_HMAC_MECH_INFO_TYPE:
1181 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1182 		sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1183 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1184 		break;
1185 	default:
1186 		return (CRYPTO_MECHANISM_INVALID);
1187 	}
1188 
1189 	/* Add support for key by attributes (RFE 4706552) */
1190 	if (key->ck_format != CRYPTO_KEY_RAW)
1191 		return (CRYPTO_ARGUMENTS_BAD);
1192 
1193 	if (ctx_template != NULL) {
1194 		/* reuse context template */
1195 		bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1196 	} else {
1197 		sha2_hmac_ctx.hc_mech_type = mechanism->cm_type;
1198 		/* no context template, initialize context */
1199 		if (keylen_in_bytes > sha_hmac_block_size) {
1200 			/*
1201 			 * Hash the passed-in key to get a smaller key.
1202 			 * The inner context is used since it hasn't been
1203 			 * initialized yet.
1204 			 */
1205 			PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1206 			    &sha2_hmac_ctx.hc_icontext,
1207 			    key->ck_data, keylen_in_bytes, digest);
1208 			sha2_mac_init_ctx(&sha2_hmac_ctx, digest,
1209 			    sha_digest_len);
1210 		} else {
1211 			sha2_mac_init_ctx(&sha2_hmac_ctx, key->ck_data,
1212 			    keylen_in_bytes);
1213 		}
1214 	}
1215 
1216 	/* get the mechanism parameters, if applicable */
1217 	if ((mechanism->cm_type % 3) == 2) {
1218 		if (mechanism->cm_param == NULL ||
1219 		    mechanism->cm_param_len != sizeof (ulong_t)) {
1220 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1221 			goto bail;
1222 		}
1223 		PROV_SHA2_GET_DIGEST_LEN(mechanism, digest_len);
1224 		if (digest_len > sha_digest_len) {
1225 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1226 			goto bail;
1227 		}
1228 	}
1229 
1230 	/* do a SHA2 update of the inner context using the specified data */
1231 	SHA2_MAC_UPDATE(data, sha2_hmac_ctx, ret);
1232 	if (ret != CRYPTO_SUCCESS)
1233 		/* the update failed, free context and bail */
1234 		goto bail;
1235 
1236 	/*
1237 	 * Do a SHA2 final on the inner context.
1238 	 */
1239 	SHA2Final(digest, &sha2_hmac_ctx.hc_icontext);
1240 
1241 	/*
1242 	 * Do an SHA2 update on the outer context, feeding the inner
1243 	 * digest as data.
1244 	 *
1245 	 * HMAC-SHA384 needs special handling as the outer hash needs only 48
1246 	 * bytes of the inner hash value.
1247 	 */
1248 	if (mechanism->cm_type == SHA384_HMAC_MECH_INFO_TYPE ||
1249 	    mechanism->cm_type == SHA384_HMAC_GEN_MECH_INFO_TYPE)
1250 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest,
1251 		    SHA384_DIGEST_LENGTH);
1252 	else
1253 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, sha_digest_len);
1254 
1255 	/*
1256 	 * Do a SHA2 final on the outer context, storing the computed
1257 	 * digest in the users buffer.
1258 	 */
1259 	switch (mac->cd_format) {
1260 	case CRYPTO_DATA_RAW:
1261 		if (digest_len != sha_digest_len) {
1262 			/*
1263 			 * The caller requested a short digest. Digest
1264 			 * into a scratch buffer and return to
1265 			 * the user only what was requested.
1266 			 */
1267 			SHA2Final(digest, &sha2_hmac_ctx.hc_ocontext);
1268 			bcopy(digest, (unsigned char *)mac->cd_raw.iov_base +
1269 			    mac->cd_offset, digest_len);
1270 		} else {
1271 			SHA2Final((unsigned char *)mac->cd_raw.iov_base +
1272 			    mac->cd_offset, &sha2_hmac_ctx.hc_ocontext);
1273 		}
1274 		break;
1275 	case CRYPTO_DATA_UIO:
1276 		ret = sha2_digest_final_uio(&sha2_hmac_ctx.hc_ocontext, mac,
1277 		    digest_len, digest);
1278 		break;
1279 	case CRYPTO_DATA_MBLK:
1280 		ret = sha2_digest_final_mblk(&sha2_hmac_ctx.hc_ocontext, mac,
1281 		    digest_len, digest);
1282 		break;
1283 	default:
1284 		ret = CRYPTO_ARGUMENTS_BAD;
1285 	}
1286 
1287 	if (ret == CRYPTO_SUCCESS) {
1288 		mac->cd_length = digest_len;
1289 		return (CRYPTO_SUCCESS);
1290 	}
1291 bail:
1292 	bzero(&sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1293 	mac->cd_length = 0;
1294 	return (ret);
1295 }
1296 
1297 /* ARGSUSED */
1298 static int
1299 sha2_mac_verify_atomic(crypto_provider_handle_t provider,
1300     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1301     crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1302     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1303 {
1304 	int ret = CRYPTO_SUCCESS;
1305 	uchar_t digest[SHA512_DIGEST_LENGTH];
1306 	sha2_hmac_ctx_t sha2_hmac_ctx;
1307 	uint32_t sha_digest_len, digest_len, sha_hmac_block_size;
1308 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1309 
1310 	/*
1311 	 * Set the digest length and block size to values approriate to the
1312 	 * mechanism
1313 	 */
1314 	switch (mechanism->cm_type) {
1315 	case SHA256_HMAC_MECH_INFO_TYPE:
1316 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1317 		sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1318 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1319 		break;
1320 	case SHA384_HMAC_MECH_INFO_TYPE:
1321 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1322 	case SHA512_HMAC_MECH_INFO_TYPE:
1323 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1324 		sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1325 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1326 		break;
1327 	default:
1328 		return (CRYPTO_MECHANISM_INVALID);
1329 	}
1330 
1331 	/* Add support for key by attributes (RFE 4706552) */
1332 	if (key->ck_format != CRYPTO_KEY_RAW)
1333 		return (CRYPTO_ARGUMENTS_BAD);
1334 
1335 	if (ctx_template != NULL) {
1336 		/* reuse context template */
1337 		bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1338 	} else {
1339 		sha2_hmac_ctx.hc_mech_type = mechanism->cm_type;
1340 		/* no context template, initialize context */
1341 		if (keylen_in_bytes > sha_hmac_block_size) {
1342 			/*
1343 			 * Hash the passed-in key to get a smaller key.
1344 			 * The inner context is used since it hasn't been
1345 			 * initialized yet.
1346 			 */
1347 			PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1348 			    &sha2_hmac_ctx.hc_icontext,
1349 			    key->ck_data, keylen_in_bytes, digest);
1350 			sha2_mac_init_ctx(&sha2_hmac_ctx, digest,
1351 			    sha_digest_len);
1352 		} else {
1353 			sha2_mac_init_ctx(&sha2_hmac_ctx, key->ck_data,
1354 			    keylen_in_bytes);
1355 		}
1356 	}
1357 
1358 	/* get the mechanism parameters, if applicable */
1359 	if (mechanism->cm_type % 3 == 2) {
1360 		if (mechanism->cm_param == NULL ||
1361 		    mechanism->cm_param_len != sizeof (ulong_t)) {
1362 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1363 			goto bail;
1364 		}
1365 		PROV_SHA2_GET_DIGEST_LEN(mechanism, digest_len);
1366 		if (digest_len > sha_digest_len) {
1367 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1368 			goto bail;
1369 		}
1370 	}
1371 
1372 	if (mac->cd_length != digest_len) {
1373 		ret = CRYPTO_INVALID_MAC;
1374 		goto bail;
1375 	}
1376 
1377 	/* do a SHA2 update of the inner context using the specified data */
1378 	SHA2_MAC_UPDATE(data, sha2_hmac_ctx, ret);
1379 	if (ret != CRYPTO_SUCCESS)
1380 		/* the update failed, free context and bail */
1381 		goto bail;
1382 
1383 	/* do a SHA2 final on the inner context */
1384 	SHA2Final(digest, &sha2_hmac_ctx.hc_icontext);
1385 
1386 	/*
1387 	 * Do an SHA2 update on the outer context, feeding the inner
1388 	 * digest as data.
1389 	 *
1390 	 * HMAC-SHA384 needs special handling as the outer hash needs only 48
1391 	 * bytes of the inner hash value.
1392 	 */
1393 	if (mechanism->cm_type == SHA384_HMAC_MECH_INFO_TYPE ||
1394 	    mechanism->cm_type == SHA384_HMAC_GEN_MECH_INFO_TYPE)
1395 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest,
1396 		    SHA384_DIGEST_LENGTH);
1397 	else
1398 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, sha_digest_len);
1399 
1400 	/*
1401 	 * Do a SHA2 final on the outer context, storing the computed
1402 	 * digest in the users buffer.
1403 	 */
1404 	SHA2Final(digest, &sha2_hmac_ctx.hc_ocontext);
1405 
1406 	/*
1407 	 * Compare the computed digest against the expected digest passed
1408 	 * as argument.
1409 	 */
1410 
1411 	switch (mac->cd_format) {
1412 
1413 	case CRYPTO_DATA_RAW:
1414 		if (bcmp(digest, (unsigned char *)mac->cd_raw.iov_base +
1415 		    mac->cd_offset, digest_len) != 0)
1416 			ret = CRYPTO_INVALID_MAC;
1417 		break;
1418 
1419 	case CRYPTO_DATA_UIO: {
1420 		off_t offset = mac->cd_offset;
1421 		uint_t vec_idx;
1422 		off_t scratch_offset = 0;
1423 		size_t length = digest_len;
1424 		size_t cur_len;
1425 
1426 		/* we support only kernel buffer */
1427 		if (mac->cd_uio->uio_segflg != UIO_SYSSPACE)
1428 			return (CRYPTO_ARGUMENTS_BAD);
1429 
1430 		/* jump to the first iovec containing the expected digest */
1431 		for (vec_idx = 0;
1432 		    offset >= mac->cd_uio->uio_iov[vec_idx].iov_len &&
1433 		    vec_idx < mac->cd_uio->uio_iovcnt;
1434 		    offset -= mac->cd_uio->uio_iov[vec_idx++].iov_len)
1435 			;
1436 		if (vec_idx == mac->cd_uio->uio_iovcnt) {
1437 			/*
1438 			 * The caller specified an offset that is
1439 			 * larger than the total size of the buffers
1440 			 * it provided.
1441 			 */
1442 			ret = CRYPTO_DATA_LEN_RANGE;
1443 			break;
1444 		}
1445 
1446 		/* do the comparison of computed digest vs specified one */
1447 		while (vec_idx < mac->cd_uio->uio_iovcnt && length > 0) {
1448 			cur_len = MIN(mac->cd_uio->uio_iov[vec_idx].iov_len -
1449 			    offset, length);
1450 
1451 			if (bcmp(digest + scratch_offset,
1452 			    mac->cd_uio->uio_iov[vec_idx].iov_base + offset,
1453 			    cur_len) != 0) {
1454 				ret = CRYPTO_INVALID_MAC;
1455 				break;
1456 			}
1457 
1458 			length -= cur_len;
1459 			vec_idx++;
1460 			scratch_offset += cur_len;
1461 			offset = 0;
1462 		}
1463 		break;
1464 	}
1465 
1466 	case CRYPTO_DATA_MBLK: {
1467 		off_t offset = mac->cd_offset;
1468 		mblk_t *mp;
1469 		off_t scratch_offset = 0;
1470 		size_t length = digest_len;
1471 		size_t cur_len;
1472 
1473 		/* jump to the first mblk_t containing the expected digest */
1474 		for (mp = mac->cd_mp; mp != NULL && offset >= MBLKL(mp);
1475 		    offset -= MBLKL(mp), mp = mp->b_cont)
1476 			;
1477 		if (mp == NULL) {
1478 			/*
1479 			 * The caller specified an offset that is larger than
1480 			 * the total size of the buffers it provided.
1481 			 */
1482 			ret = CRYPTO_DATA_LEN_RANGE;
1483 			break;
1484 		}
1485 
1486 		while (mp != NULL && length > 0) {
1487 			cur_len = MIN(MBLKL(mp) - offset, length);
1488 			if (bcmp(digest + scratch_offset,
1489 			    mp->b_rptr + offset, cur_len) != 0) {
1490 				ret = CRYPTO_INVALID_MAC;
1491 				break;
1492 			}
1493 
1494 			length -= cur_len;
1495 			mp = mp->b_cont;
1496 			scratch_offset += cur_len;
1497 			offset = 0;
1498 		}
1499 		break;
1500 	}
1501 
1502 	default:
1503 		ret = CRYPTO_ARGUMENTS_BAD;
1504 	}
1505 
1506 	return (ret);
1507 bail:
1508 	bzero(&sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1509 	mac->cd_length = 0;
1510 	return (ret);
1511 }
1512 
1513 /*
1514  * KCF software provider context management entry points.
1515  */
1516 
1517 /* ARGSUSED */
1518 static int
1519 sha2_create_ctx_template(crypto_provider_handle_t provider,
1520     crypto_mechanism_t *mechanism, crypto_key_t *key,
1521     crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size,
1522     crypto_req_handle_t req)
1523 {
1524 	sha2_hmac_ctx_t *sha2_hmac_ctx_tmpl;
1525 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1526 	uint32_t sha_digest_len, sha_hmac_block_size;
1527 
1528 	/*
1529 	 * Set the digest length and block size to values approriate to the
1530 	 * mechanism
1531 	 */
1532 	switch (mechanism->cm_type) {
1533 	case SHA256_HMAC_MECH_INFO_TYPE:
1534 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1535 		sha_digest_len = SHA256_DIGEST_LENGTH;
1536 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1537 		break;
1538 	case SHA384_HMAC_MECH_INFO_TYPE:
1539 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1540 	case SHA512_HMAC_MECH_INFO_TYPE:
1541 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1542 		sha_digest_len = SHA512_DIGEST_LENGTH;
1543 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1544 		break;
1545 	default:
1546 		return (CRYPTO_MECHANISM_INVALID);
1547 	}
1548 
1549 	/* Add support for key by attributes (RFE 4706552) */
1550 	if (key->ck_format != CRYPTO_KEY_RAW)
1551 		return (CRYPTO_ARGUMENTS_BAD);
1552 
1553 	/*
1554 	 * Allocate and initialize SHA2 context.
1555 	 */
1556 	sha2_hmac_ctx_tmpl = kmem_alloc(sizeof (sha2_hmac_ctx_t),
1557 	    crypto_kmflag(req));
1558 	if (sha2_hmac_ctx_tmpl == NULL)
1559 		return (CRYPTO_HOST_MEMORY);
1560 
1561 	sha2_hmac_ctx_tmpl->hc_mech_type = mechanism->cm_type;
1562 
1563 	if (keylen_in_bytes > sha_hmac_block_size) {
1564 		uchar_t digested_key[SHA512_DIGEST_LENGTH];
1565 
1566 		/*
1567 		 * Hash the passed-in key to get a smaller key.
1568 		 * The inner context is used since it hasn't been
1569 		 * initialized yet.
1570 		 */
1571 		PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1572 		    &sha2_hmac_ctx_tmpl->hc_icontext,
1573 		    key->ck_data, keylen_in_bytes, digested_key);
1574 		sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, digested_key,
1575 		    sha_digest_len);
1576 	} else {
1577 		sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, key->ck_data,
1578 		    keylen_in_bytes);
1579 	}
1580 
1581 	*ctx_template = (crypto_spi_ctx_template_t)sha2_hmac_ctx_tmpl;
1582 	*ctx_template_size = sizeof (sha2_hmac_ctx_t);
1583 
1584 	return (CRYPTO_SUCCESS);
1585 }
1586 
1587 static int
1588 sha2_free_context(crypto_ctx_t *ctx)
1589 {
1590 	uint_t ctx_len;
1591 
1592 	if (ctx->cc_provider_private == NULL)
1593 		return (CRYPTO_SUCCESS);
1594 
1595 	/*
1596 	 * We have to free either SHA2 or SHA2-HMAC contexts, which
1597 	 * have different lengths.
1598 	 *
1599 	 * Note: Below is dependent on the mechanism ordering.
1600 	 */
1601 
1602 	if (PROV_SHA2_CTX(ctx)->sc_mech_type % 3 == 0)
1603 		ctx_len = sizeof (sha2_ctx_t);
1604 	else
1605 		ctx_len = sizeof (sha2_hmac_ctx_t);
1606 
1607 	bzero(ctx->cc_provider_private, ctx_len);
1608 	kmem_free(ctx->cc_provider_private, ctx_len);
1609 	ctx->cc_provider_private = NULL;
1610 
1611 	return (CRYPTO_SUCCESS);
1612 }
1613 
1614 /*
1615  * SHA-2 Power-Up Self-Test
1616  */
1617 void
1618 sha2_POST(int *rc)
1619 {
1620 
1621 	*rc = fips_sha2_post();
1622 
1623 }
1624