1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 #include <sys/types.h>
26 #include <sys/param.h>
27 #include <sys/errno.h>
28 #include <sys/kmem.h>
29 #include <sys/systm.h>
30 #include <sys/sha1.h>
31 #include <sys/crypto/common.h>
32 #include <sys/cmn_err.h>
33 #ifndef _KERNEL
34 #include <stdlib.h>
35 #include <string.h>
36 #include <strings.h>
37 #include <stdio.h>
38 #include <security/cryptoki.h>
39 #include <cryptoutil.h>
40 #include "softMAC.h"
41 #endif
42 #include <sha1/sha1_impl.h>
43 #define _SHA1_FIPS_POST
44 #include <fips/fips_test_vectors.h>
45
46 /*
47 * fips_sha1_build_context()
48 *
49 * Description:
50 * This function allocates and initializes SHA1 context
51 * context.
52 */
53 SHA1_CTX *
fips_sha1_build_context(void)54 fips_sha1_build_context(void)
55 {
56 SHA1_CTX *sha1_context;
57
58
59 #ifndef _KERNEL
60 if ((sha1_context = malloc(sizeof (SHA1_CTX))) == NULL)
61 #else
62 if ((sha1_context = kmem_zalloc(sizeof (SHA1_CTX),
63 KM_SLEEP)) == NULL)
64 #endif
65 return (NULL);
66
67 SHA1Init(sha1_context);
68
69 return (sha1_context);
70
71 }
72
73 /*
74 * fips_sha1_hash()
75 *
76 * Arguments:
77 * sha1_context: pointer to SHA1 context
78 * in: pointer to the input data to be hashed
79 * inlen: length of the input data
80 * out: pointer to the output data after hashing
81 *
82 * Description:
83 * This function calls the low-level SHA1 routines for hashing.
84 *
85 */
86 int
fips_sha1_hash(SHA1_CTX * sha1_context,uchar_t * in,ulong_t inlen,uchar_t * out)87 fips_sha1_hash(SHA1_CTX *sha1_context, uchar_t *in, ulong_t inlen, uchar_t *out)
88 {
89
90 int rv;
91
92 if (in != NULL) {
93 #ifdef __sparcv9
94 SHA1Update((SHA1_CTX *)sha1_context, in, (uint_t)inlen);
95 #else /* !__sparcv9 */
96 SHA1Update((SHA1_CTX *)sha1_context, in, inlen);
97 #endif /* __sparcv9 */
98 SHA1Final(out, (SHA1_CTX *)sha1_context);
99 rv = CKR_OK;
100 } else
101 rv = CKR_ARGUMENTS_BAD;
102
103 if (sha1_context)
104 #ifdef _KERNEL
105 kmem_free(sha1_context, sizeof (SHA1_CTX));
106 #else
107 free(sha1_context);
108 #endif
109 return (rv);
110 }
111
112
113 #ifndef _KERNEL
114 soft_hmac_ctx_t *
fips_sha1_hmac_build_context(uint8_t * secret_key,unsigned int secret_key_length)115 fips_sha1_hmac_build_context(uint8_t *secret_key,
116 unsigned int secret_key_length)
117 {
118
119 soft_hmac_ctx_t *hmac_ctx;
120 uint32_t sha1_ipad[SHA1_HMAC_INTS_PER_BLOCK];
121 uint32_t sha1_opad[SHA1_HMAC_INTS_PER_BLOCK];
122
123 hmac_ctx = malloc(sizeof (soft_hmac_ctx_t));
124
125 if (hmac_ctx == NULL) {
126 return (NULL);
127 }
128
129 hmac_ctx->hmac_len = SHA1_HASH_SIZE;
130 bzero(sha1_ipad, SHA1_HMAC_BLOCK_SIZE);
131 bzero(sha1_opad, SHA1_HMAC_BLOCK_SIZE);
132
133 (void) memcpy(sha1_ipad, secret_key, secret_key_length);
134 (void) memcpy(sha1_opad, secret_key, secret_key_length);
135
136 sha1_hmac_ctx_init(&hmac_ctx->hc_ctx_u.sha1_ctx, sha1_ipad,
137 sha1_opad);
138
139 return (hmac_ctx);
140
141 }
142
143 CK_RV
fips_hmac_sha1_hash(unsigned char * hmac_computed,uint8_t * secret_key,unsigned int secret_key_length,uint8_t * message,unsigned int message_length)144 fips_hmac_sha1_hash(unsigned char *hmac_computed,
145 uint8_t *secret_key,
146 unsigned int secret_key_length,
147 uint8_t *message,
148 unsigned int message_length)
149 {
150
151 soft_hmac_ctx_t *hmac_ctx = NULL;
152
153 hmac_ctx = fips_sha1_hmac_build_context(secret_key,
154 secret_key_length);
155
156 if (hmac_ctx == NULL)
157 return (CKR_HOST_MEMORY);
158
159 if (message != NULL) {
160 SOFT_MAC_UPDATE(SHA1, &(hmac_ctx->hc_ctx_u.sha1_ctx),
161 message, message_length);
162 }
163
164 SOFT_MAC_FINAL(SHA1, &(hmac_ctx->hc_ctx_u.sha1_ctx), hmac_computed);
165
166 free(hmac_ctx);
167 return (CKR_OK);
168 }
169
170 #else /* _KERNEL */
171
172 /*
173 * Initialize a SHA1-HMAC context.
174 */
175 void
sha1_mac_init_ctx(sha1_hmac_ctx_t * ctx,void * keyval,uint_t length_in_bytes)176 sha1_mac_init_ctx(sha1_hmac_ctx_t *ctx, void *keyval, uint_t length_in_bytes)
177 {
178 uint32_t ipad[SHA1_HMAC_INTS_PER_BLOCK];
179 uint32_t opad[SHA1_HMAC_INTS_PER_BLOCK];
180 uint_t i;
181
182 bzero(ipad, SHA1_HMAC_BLOCK_SIZE);
183 bzero(opad, SHA1_HMAC_BLOCK_SIZE);
184
185 bcopy(keyval, ipad, length_in_bytes);
186 bcopy(keyval, opad, length_in_bytes);
187
188 /* XOR key with ipad (0x36) and opad (0x5c) */
189 for (i = 0; i < SHA1_HMAC_INTS_PER_BLOCK; i++) {
190 ipad[i] ^= 0x36363636;
191 opad[i] ^= 0x5c5c5c5c;
192 }
193
194 /* perform SHA1 on ipad */
195 SHA1Init(&ctx->hc_icontext);
196 SHA1Update(&ctx->hc_icontext, (uint8_t *)ipad, SHA1_HMAC_BLOCK_SIZE);
197
198 /* perform SHA1 on opad */
199 SHA1Init(&ctx->hc_ocontext);
200 SHA1Update(&ctx->hc_ocontext, (uint8_t *)opad, SHA1_HMAC_BLOCK_SIZE);
201 }
202
203 sha1_hmac_ctx_t *
fips_sha1_hmac_build_context(uint8_t * secret_key,unsigned int secret_key_length)204 fips_sha1_hmac_build_context(uint8_t *secret_key,
205 unsigned int secret_key_length)
206 {
207 sha1_hmac_ctx_t *sha1_hmac_ctx_tmpl;
208
209
210 /*
211 * Allocate and initialize SHA1 context.
212 */
213 sha1_hmac_ctx_tmpl = kmem_alloc(sizeof (sha1_hmac_ctx_t),
214 KM_SLEEP);
215 if (sha1_hmac_ctx_tmpl == NULL)
216 return (NULL);
217
218 /*
219 * initialize ctx->hc_icontext and ctx->hc_ocontext
220 */
221 sha1_mac_init_ctx(sha1_hmac_ctx_tmpl, secret_key,
222 secret_key_length);
223
224
225 sha1_hmac_ctx_tmpl->hc_mech_type = SHA1_HMAC_MECH_INFO_TYPE;
226
227
228 return (sha1_hmac_ctx_tmpl);
229 }
230
231 void
fips_hmac_sha1_hash(sha1_hmac_ctx_t * sha1_hmac_ctx,uint8_t * message,uint32_t message_len,uint8_t * hmac_computed)232 fips_hmac_sha1_hash(sha1_hmac_ctx_t *sha1_hmac_ctx,
233 uint8_t *message, uint32_t message_len,
234 uint8_t *hmac_computed)
235 {
236
237 /* do a SHA1 update of the inner context using the specified data */
238 SHA1Update(&((sha1_hmac_ctx)->hc_icontext), message,
239 message_len);
240
241 /*
242 * Do a SHA1 final on the inner context.
243 */
244 SHA1Final(hmac_computed, &((sha1_hmac_ctx)->hc_icontext));
245
246 /*
247 * Do an SHA1 update on the outer context, feeding the inner
248 * digest as data.
249 */
250 SHA1Update(&((sha1_hmac_ctx)->hc_ocontext), hmac_computed,
251 SHA1_HASH_SIZE);
252
253 /*
254 * Do a SHA1 final on the outer context, storing the computed
255 * digest in the caller's buffer.
256 */
257 SHA1Final(hmac_computed, &((sha1_hmac_ctx)->hc_ocontext));
258
259 kmem_free(sha1_hmac_ctx, sizeof (sha1_hmac_ctx_t));
260 }
261
262 #endif
263
264 /*
265 * SHA1 Power-On SelfTest(s).
266 */
267 int
fips_sha1_post(void)268 fips_sha1_post(void)
269 {
270 static uint8_t HMAC_known_secret_key_length
271 = sizeof (HMAC_known_secret_key);
272
273 /* SHA-1 variables. */
274 uint8_t sha1_computed_digest[SHA1_DIGEST_LENGTH];
275 uint8_t hmac_computed[SHA1_HMAC_BLOCK_SIZE];
276 SHA1_CTX *sha1_context = NULL;
277
278 #ifdef _KERNEL
279 sha1_hmac_ctx_t *sha1_hmac_ctx = NULL;
280 #endif
281
282 int rv;
283
284 /* SHA-1 Known Answer Hashing Test. */
285 sha1_context = fips_sha1_build_context();
286 if (sha1_context == NULL)
287 return (CKR_HOST_MEMORY);
288
289 rv = fips_sha1_hash(sha1_context, sha1_known_hash_message,
290 FIPS_KNOWN_HMAC_MESSAGE_LENGTH, sha1_computed_digest);
291
292 if ((rv != CKR_OK) ||
293 (memcmp(sha1_computed_digest, sha1_known_digest,
294 SHA1_DIGEST_LENGTH) != 0))
295 return (CKR_DEVICE_ERROR);
296
297 #ifdef _KERNEL
298 /* SHA-1 HMAC Known Answer Hashing Test */
299 sha1_hmac_ctx = fips_sha1_hmac_build_context(HMAC_known_secret_key,
300 HMAC_known_secret_key_length);
301
302 if (sha1_hmac_ctx == NULL)
303 return (CKR_HOST_MEMORY);
304
305 fips_hmac_sha1_hash(sha1_hmac_ctx, hmac_sha1_known_hash_message,
306 sizeof (hmac_sha1_known_hash_message), hmac_computed);
307 #else
308 rv = fips_hmac_sha1_hash(hmac_computed, HMAC_known_secret_key,
309 HMAC_known_secret_key_length, hmac_sha1_known_hash_message,
310 sizeof (hmac_sha1_known_hash_message));
311
312 #endif
313
314 #ifdef _KERNEL
315 if (memcmp(hmac_computed, known_SHA1_hmac,
316 sizeof (known_SHA1_hmac)) != 0)
317 return (CKR_DEVICE_ERROR);
318 #else
319 if ((rv != CKR_OK) ||
320 (memcmp(hmac_computed, known_SHA1_hmac,
321 sizeof (known_SHA1_hmac)) != 0))
322 return (CKR_DEVICE_ERROR);
323 #endif
324
325 return (rv);
326
327 }
328