1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
25
26 #include <sys/types.h>
27 #include <sys/errno.h>
28 #include <sys/kmem.h>
29 #include <sys/systm.h>
30 #define _SHA2_IMPL
31 #include <sys/sha2.h>
32 #include <sys/crypto/common.h>
33 #include <sys/cmn_err.h>
34 #ifndef _KERNEL
35 #include <stdlib.h>
36 #include <string.h>
37 #include <strings.h>
38 #include <stdio.h>
39 #include <security/cryptoki.h>
40 #include <cryptoutil.h>
41 #include "softMAC.h"
42 #endif
43 #include <sha2/sha2_impl.h>
44
45
46 /*
47 * fips_sha2_build_context()
48 *
49 * Description:
50 * This function allocates and initializes SHA2 context.
51 */
52 #ifndef _KERNEL
53 SHA2_CTX *
fips_sha2_build_context(CK_MECHANISM_TYPE mechanism)54 fips_sha2_build_context(CK_MECHANISM_TYPE mechanism)
55 {
56 SHA2_CTX *sha2_context;
57
58 if ((sha2_context = malloc(sizeof (SHA2_CTX))) == NULL)
59 return (NULL);
60
61 switch (mechanism) {
62 case CKM_SHA256:
63 SHA2Init(SHA256, sha2_context);
64 break;
65
66 case CKM_SHA384:
67 SHA2Init(SHA384, sha2_context);
68 break;
69
70 case CKM_SHA512:
71 SHA2Init(SHA512, sha2_context);
72 break;
73 }
74
75 return (sha2_context);
76 }
77
78 #else
79 SHA2_CTX *
fips_sha2_build_context(sha2_mech_t mechanism)80 fips_sha2_build_context(sha2_mech_t mechanism)
81 {
82 SHA2_CTX *sha2_context;
83
84 if ((sha2_context = kmem_zalloc(sizeof (SHA2_CTX),
85 KM_SLEEP)) == NULL)
86 return (NULL);
87
88 switch (mechanism) {
89 case SHA256_TYPE:
90 SHA2Init(SHA256, sha2_context);
91 break;
92
93 case SHA384_TYPE:
94 SHA2Init(SHA384, sha2_context);
95 break;
96
97 case SHA512_TYPE:
98 SHA2Init(SHA512, sha2_context);
99 break;
100 }
101
102 return (sha2_context);
103 }
104 #endif
105
106 /*
107 * fips_sha2_hash()
108 *
109 * Arguments:
110 * sha2_context: pointer to SHA2 context
111 * in: pointer to the input data to be hashed
112 * inlen: length of the input data
113 * out: pointer to the output data after hashing
114 *
115 * Description:
116 * This function calls the low-level SHA2 routines for hashing.
117 *
118 */
119 int
fips_sha2_hash(SHA2_CTX * sha2_context,uchar_t * in,ulong_t inlen,uchar_t * out)120 fips_sha2_hash(SHA2_CTX *sha2_context, uchar_t *in,
121 ulong_t inlen, uchar_t *out)
122 {
123
124 int rv;
125
126 if (in != NULL) {
127 SHA2Update((SHA2_CTX *)sha2_context, in, inlen);
128 SHA2Final(out, (SHA2_CTX *)sha2_context);
129 rv = CKR_OK;
130 } else {
131 rv = CKR_ARGUMENTS_BAD;
132 }
133
134 if (sha2_context)
135 #ifdef _KERNEL
136 kmem_free(sha2_context, sizeof (SHA2_CTX));
137 #else
138 free(sha2_context);
139 #endif
140 return (rv);
141
142 }
143
144 #ifndef _KERNEL
145 soft_hmac_ctx_t *
fips_sha2_hmac_build_context(CK_MECHANISM_TYPE mechanism,uint8_t * secret_key,unsigned int secret_key_length)146 fips_sha2_hmac_build_context(CK_MECHANISM_TYPE mechanism,
147 uint8_t *secret_key,
148 unsigned int secret_key_length)
149 {
150
151 soft_hmac_ctx_t *hmac_ctx;
152
153 hmac_ctx = malloc(sizeof (soft_hmac_ctx_t));
154
155 if (hmac_ctx == NULL) {
156 return (NULL);
157 }
158
159 switch (mechanism) {
160 case CKM_SHA256_HMAC:
161 {
162 uint64_t sha_ipad[SHA256_HMAC_INTS_PER_BLOCK];
163 uint64_t sha_opad[SHA256_HMAC_INTS_PER_BLOCK];
164
165 hmac_ctx->hmac_len = SHA256_DIGEST_LENGTH;
166 bzero(sha_ipad, SHA256_HMAC_BLOCK_SIZE);
167 bzero(sha_opad, SHA256_HMAC_BLOCK_SIZE);
168
169 (void) memcpy(sha_ipad, secret_key, secret_key_length);
170 (void) memcpy(sha_opad, secret_key, secret_key_length);
171
172 sha2_hmac_ctx_init(CKM_TO_SHA2(mechanism),
173 &hmac_ctx->hc_ctx_u.sha2_ctx,
174 sha_ipad, sha_opad,
175 SHA256_HMAC_INTS_PER_BLOCK,
176 SHA256_HMAC_BLOCK_SIZE);
177
178 break;
179 }
180
181 case CKM_SHA384_HMAC:
182 {
183 uint64_t sha_ipad[SHA512_HMAC_INTS_PER_BLOCK];
184 uint64_t sha_opad[SHA512_HMAC_INTS_PER_BLOCK];
185
186 hmac_ctx->hmac_len = SHA384_DIGEST_LENGTH;
187 bzero(sha_ipad, SHA512_HMAC_BLOCK_SIZE);
188 bzero(sha_opad, SHA512_HMAC_BLOCK_SIZE);
189
190 (void) memcpy(sha_ipad, secret_key, secret_key_length);
191 (void) memcpy(sha_opad, secret_key, secret_key_length);
192
193 sha2_hmac_ctx_init(CKM_TO_SHA2(mechanism),
194 &hmac_ctx->hc_ctx_u.sha2_ctx,
195 sha_ipad, sha_opad,
196 SHA512_HMAC_INTS_PER_BLOCK,
197 SHA512_HMAC_BLOCK_SIZE);
198 break;
199 }
200
201 case CKM_SHA512_HMAC:
202 {
203 uint64_t sha_ipad[SHA512_HMAC_INTS_PER_BLOCK];
204 uint64_t sha_opad[SHA512_HMAC_INTS_PER_BLOCK];
205
206 hmac_ctx->hmac_len = SHA512_DIGEST_LENGTH;
207 bzero(sha_ipad, SHA512_HMAC_BLOCK_SIZE);
208 bzero(sha_opad, SHA512_HMAC_BLOCK_SIZE);
209
210 (void) memcpy(sha_ipad, secret_key, secret_key_length);
211 (void) memcpy(sha_opad, secret_key, secret_key_length);
212
213 sha2_hmac_ctx_init(CKM_TO_SHA2(mechanism),
214 &hmac_ctx->hc_ctx_u.sha2_ctx,
215 sha_ipad, sha_opad,
216 SHA512_HMAC_INTS_PER_BLOCK,
217 SHA512_HMAC_BLOCK_SIZE);
218
219 break;
220 }
221 }
222
223 return (hmac_ctx);
224 }
225
226 CK_RV
fips_hmac_sha2_hash(unsigned char * hmac_computed,uint8_t * secret_key,unsigned int secret_key_length,uint8_t * message,unsigned int message_length,CK_MECHANISM_TYPE mechanism)227 fips_hmac_sha2_hash(unsigned char *hmac_computed,
228 uint8_t *secret_key,
229 unsigned int secret_key_length,
230 uint8_t *message,
231 unsigned int message_length,
232 CK_MECHANISM_TYPE mechanism)
233 {
234
235 soft_hmac_ctx_t *hmac_ctx = NULL;
236
237 hmac_ctx = fips_sha2_hmac_build_context(mechanism,
238 secret_key, secret_key_length);
239
240 if (hmac_ctx == NULL)
241 return (CKR_HOST_MEMORY);
242
243 switch (mechanism) {
244 case CKM_SHA256_HMAC:
245 if (message != NULL)
246 SHA2Update(&(hmac_ctx->hc_ctx_u.sha2_ctx.hc_icontext),
247 message, message_length);
248
249 SOFT_MAC_FINAL_2(SHA256, &(hmac_ctx->hc_ctx_u.sha2_ctx),
250 hmac_computed);
251 break;
252
253 case CKM_SHA384_HMAC:
254 if (message != NULL)
255 SHA2Update(&(hmac_ctx->hc_ctx_u.sha2_ctx.hc_icontext),
256 message, message_length);
257
258 SOFT_MAC_FINAL_2(SHA384, &(hmac_ctx->hc_ctx_u.sha2_ctx),
259 hmac_computed);
260 break;
261
262 case CKM_SHA512_HMAC:
263 if (message != NULL)
264 SHA2Update(&(hmac_ctx->hc_ctx_u.sha2_ctx.hc_icontext),
265 message, message_length);
266
267 SOFT_MAC_FINAL_2(SHA512, &(hmac_ctx->hc_ctx_u.sha2_ctx),
268 hmac_computed);
269 break;
270 }
271
272 free(hmac_ctx);
273 return (CKR_OK);
274 }
275
276 #else
277
278 /*
279 * Initialize a SHA2-HMAC context.
280 */
281 void
sha2_mac_init_ctx(sha2_hmac_ctx_t * ctx,void * keyval,uint_t length_in_bytes)282 sha2_mac_init_ctx(sha2_hmac_ctx_t *ctx, void *keyval, uint_t length_in_bytes)
283 {
284 uint64_t ipad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)];
285 uint64_t opad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)];
286 int i, block_size, blocks_per_int64;
287
288 /* Determine the block size */
289 if (ctx->hc_mech_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE) {
290 block_size = SHA256_HMAC_BLOCK_SIZE;
291 blocks_per_int64 = SHA256_HMAC_BLOCK_SIZE / sizeof (uint64_t);
292 } else {
293 block_size = SHA512_HMAC_BLOCK_SIZE;
294 blocks_per_int64 = SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t);
295 }
296
297 (void) bzero(ipad, block_size);
298 (void) bzero(opad, block_size);
299 (void) bcopy(keyval, ipad, length_in_bytes);
300 (void) bcopy(keyval, opad, length_in_bytes);
301
302 /* XOR key with ipad (0x36) and opad (0x5c) */
303 for (i = 0; i < blocks_per_int64; i ++) {
304 ipad[i] ^= 0x3636363636363636;
305 opad[i] ^= 0x5c5c5c5c5c5c5c5c;
306 }
307
308 /* perform SHA2 on ipad */
309 SHA2Init(ctx->hc_mech_type, &ctx->hc_icontext);
310 SHA2Update(&ctx->hc_icontext, (uint8_t *)ipad, block_size);
311
312 /* perform SHA2 on opad */
313 SHA2Init(ctx->hc_mech_type, &ctx->hc_ocontext);
314 SHA2Update(&ctx->hc_ocontext, (uint8_t *)opad, block_size);
315
316 }
317
318 sha2_hmac_ctx_t *
fips_sha2_hmac_build_context(sha2_mech_t mechanism,uint8_t * secret_key,unsigned int secret_key_length)319 fips_sha2_hmac_build_context(sha2_mech_t mechanism,
320 uint8_t *secret_key,
321 unsigned int secret_key_length)
322 {
323 sha2_hmac_ctx_t *sha2_hmac_ctx_tmpl;
324
325 /*
326 * Allocate and initialize SHA2 context.
327 */
328 sha2_hmac_ctx_tmpl = kmem_alloc(sizeof (sha2_hmac_ctx_t),
329 KM_SLEEP);
330 if (sha2_hmac_ctx_tmpl == NULL)
331 return (NULL);
332
333 switch (mechanism) {
334 case SHA256_TYPE:
335 sha2_hmac_ctx_tmpl->hc_mech_type =
336 SHA256_HMAC_MECH_INFO_TYPE;
337 break;
338
339 case SHA384_TYPE:
340 sha2_hmac_ctx_tmpl->hc_mech_type =
341 SHA384_HMAC_MECH_INFO_TYPE;
342 break;
343
344 case SHA512_TYPE:
345 sha2_hmac_ctx_tmpl->hc_mech_type =
346 SHA512_HMAC_MECH_INFO_TYPE;
347 break;
348 }
349
350 /*
351 * initialize ctx->hc_icontext and ctx->hc_ocontext
352 */
353 sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, secret_key,
354 secret_key_length);
355
356 return (sha2_hmac_ctx_tmpl);
357 }
358
359 void
fips_hmac_sha2_hash(sha2_hmac_ctx_t * sha2_hmac_ctx,uint8_t * message,uint32_t message_len,uint8_t * hmac_computed,sha2_mech_t mechanism)360 fips_hmac_sha2_hash(sha2_hmac_ctx_t *sha2_hmac_ctx,
361 uint8_t *message,
362 uint32_t message_len,
363 uint8_t *hmac_computed,
364 sha2_mech_t mechanism)
365
366 {
367
368 SHA2Update(&((sha2_hmac_ctx)->hc_icontext), message,
369 message_len);
370 SHA2Final(hmac_computed, &((sha2_hmac_ctx)->hc_icontext));
371
372 switch (mechanism) {
373 case SHA256_TYPE:
374 SHA2Update(&((sha2_hmac_ctx)->hc_ocontext),
375 hmac_computed, SHA256_DIGEST_LENGTH);
376 break;
377
378 case SHA384_TYPE:
379 SHA2Update(&((sha2_hmac_ctx)->hc_ocontext),
380 hmac_computed, SHA384_DIGEST_LENGTH);
381 break;
382
383 case SHA512_TYPE:
384 SHA2Update(&((sha2_hmac_ctx)->hc_ocontext),
385 hmac_computed, SHA512_DIGEST_LENGTH);
386 break;
387 }
388
389 SHA2Final(hmac_computed, &((sha2_hmac_ctx)->hc_ocontext));
390
391 kmem_free(sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
392 }
393
394 #endif
395
396 /*
397 * SHA2 Power-On SelfTest(s).
398 */
399 int
fips_sha2_post(void)400 fips_sha2_post(void)
401 {
402
403 /*
404 * SHA-256 Known Hash Message (512-bits).
405 * Source from NIST SHA256ShortMsg (Len = 512)
406 */
407 static uint8_t sha256_known_hash_message[] = {
408 0x35, 0x92, 0xec, 0xfd, 0x1e, 0xac, 0x61, 0x8f,
409 0xd3, 0x90, 0xe7, 0xa9, 0xc2, 0x4b, 0x65, 0x65,
410 0x32, 0x50, 0x93, 0x67, 0xc2, 0x1a, 0x0e, 0xac,
411 0x12, 0x12, 0xac, 0x83, 0xc0, 0xb2, 0x0c, 0xd8,
412 0x96, 0xeb, 0x72, 0xb8, 0x01, 0xc4, 0xd2, 0x12,
413 0xc5, 0x45, 0x2b, 0xbb, 0xf0, 0x93, 0x17, 0xb5,
414 0x0c, 0x5c, 0x9f, 0xb1, 0x99, 0x75, 0x53, 0xd2,
415 0xbb, 0xc2, 0x9b, 0xb4, 0x2f, 0x57, 0x48, 0xad
416 };
417
418 /* known SHA256 Digest Message (32 bytes) */
419 static uint8_t known_sha256_digest[] = {
420 0x10, 0x5a, 0x60, 0x86, 0x58, 0x30, 0xac, 0x3a,
421 0x37, 0x1d, 0x38, 0x43, 0x32, 0x4d, 0x4b, 0xb5,
422 0xfa, 0x8e, 0xc0, 0xe0, 0x2d, 0xda, 0xa3, 0x89,
423 0xad, 0x8d, 0xa4, 0xf1, 0x02, 0x15, 0xc4, 0x54
424 };
425
426 /*
427 * SHA-384 Known Hash Message (512-bits).
428 * Source from NIST SHA384ShortMsg (Len = 512)
429 */
430 static uint8_t sha384_known_hash_message[] = {
431 0x58, 0xbe, 0xab, 0xf9, 0x79, 0xab, 0x35, 0xab,
432 0xba, 0x29, 0x37, 0x6d, 0x5d, 0xc2, 0x27, 0xab,
433 0xb3, 0xd2, 0xff, 0x4d, 0x90, 0x30, 0x49, 0x82,
434 0xfc, 0x10, 0x79, 0xbc, 0x2b, 0x28, 0x80, 0xfc,
435 0xb0, 0x12, 0x9e, 0x4f, 0xed, 0xf2, 0x78, 0x98,
436 0xce, 0x58, 0x6a, 0x91, 0xb7, 0x68, 0x1e, 0x0d,
437 0xba, 0x38, 0x5e, 0x80, 0x0e, 0x79, 0x26, 0xc0,
438 0xbc, 0x5a, 0xfe, 0x0d, 0x9c, 0xa9, 0x86, 0x50
439 };
440
441 /* known SHA384 Digest Message (48 bytes) */
442 static uint8_t known_sha384_digest[] = {
443 0xa0, 0x88, 0x8e, 0x1c, 0x4d, 0x7e, 0x80, 0xcb,
444 0xaa, 0xaf, 0xa8, 0xbb, 0x1c, 0xa1, 0xca, 0x91,
445 0x2a, 0x93, 0x21, 0x75, 0xc2, 0xef, 0x98, 0x2c,
446 0xe1, 0xf1, 0x23, 0xa8, 0xc1, 0xae, 0xe9, 0x63,
447 0x5a, 0xd7, 0x5b, 0xe5, 0x25, 0x90, 0xa9, 0x24,
448 0xbe, 0xd3, 0xf5, 0xec, 0x36, 0xc3, 0x56, 0x90
449 };
450
451 /*
452 * SHA-512 Known Hash Message (512-bits).
453 * Source from NIST SHA512ShortMsg (Len = 512)
454 */
455 static uint8_t sha512_known_hash_message[] = {
456 0x09, 0x5c, 0x7f, 0x30, 0x82, 0x4f, 0xc9, 0x28,
457 0x58, 0xcc, 0x93, 0x47, 0xc0, 0x85, 0xd5, 0x78,
458 0x88, 0x5f, 0xf3, 0x61, 0x4d, 0xd3, 0x8e, 0xe7,
459 0xee, 0x94, 0xa0, 0xf4, 0x40, 0x72, 0xc8, 0x77,
460 0x04, 0x7e, 0xe2, 0xad, 0x16, 0x6f, 0xdb, 0xa0,
461 0xe7, 0x44, 0xc3, 0xed, 0x2c, 0x2b, 0x24, 0xc9,
462 0xd8, 0xa2, 0x93, 0x46, 0x48, 0xdc, 0x84, 0xd3,
463 0xbe, 0x66, 0x63, 0x02, 0x11, 0x0a, 0xe0, 0x8f
464 };
465
466 /* known SHA512 Digest Message (64 bytes) */
467 static uint8_t known_sha512_digest[] = {
468 0xd5, 0xcd, 0xaf, 0x83, 0xbb, 0x4a, 0x27, 0xea,
469 0xad, 0x8d, 0x8f, 0x18, 0xe4, 0xbe, 0xe9, 0xc2,
470 0x5b, 0xe9, 0x49, 0xa7, 0x61, 0xa0, 0xfd, 0x0f,
471 0xb2, 0x28, 0x4c, 0xab, 0x14, 0x3c, 0xad, 0x60,
472 0xbe, 0xb5, 0x68, 0x87, 0x34, 0xb2, 0xf8, 0x1e,
473 0x9e, 0x2d, 0x64, 0x0b, 0x42, 0x5f, 0xd3, 0x2c,
474 0xcb, 0x3d, 0x20, 0xd0, 0x2d, 0x63, 0xc2, 0xc9,
475 0x4c, 0x03, 0xab, 0x3d, 0x9e, 0x7d, 0x9b, 0x4a
476 };
477
478 /* SHA-2 HMAC Test Vectors */
479
480 /*
481 * SHA-256 HMAC Known Hash Message (512-bits).
482 */
483 static uint8_t sha256_hmac_known_hash_message[] = {
484 0x54, 0x68, 0x65, 0x20, 0x74, 0x65, 0x73, 0x74,
485 0x20, 0x6D, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65,
486 0x20, 0x66, 0x6F, 0x72, 0x20, 0x74, 0x68, 0x65,
487 0x20, 0x4D, 0x44, 0x32, 0x2C, 0x20, 0x4D, 0x44,
488 0x35, 0x2C, 0x20, 0x61, 0x6E, 0x64, 0x20, 0x53,
489 0x48, 0x41, 0x2D, 0x31, 0x20, 0x68, 0x61, 0x73,
490 0x68, 0x69, 0x6E, 0x67, 0x20, 0x61, 0x6C, 0x67,
491 0x6F, 0x72, 0x69, 0x74, 0x68, 0x6D, 0x73, 0x2E
492 };
493
494 static uint8_t sha256_hmac_known_secret_key[] = {
495 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
496 0x74, 0x68, 0x65, 0x20, 0x53, 0x48, 0x41, 0x2D,
497 0x32, 0x35, 0x36, 0x20, 0x48, 0x4D, 0x41, 0x43,
498 0x20, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x20,
499 0x6B, 0x65, 0x79, 0x21
500 };
501
502 static uint8_t sha256_hmac_known_secret_key_length
503 = sizeof (sha256_hmac_known_secret_key);
504
505
506 /* known SHA256 hmac (32 bytes) */
507 static uint8_t known_sha256_hmac[] = {
508 0x02, 0x87, 0x21, 0x93, 0x84, 0x8a, 0x35, 0xae,
509 0xdb, 0xb6, 0x79, 0x26, 0x96, 0xf0, 0x50, 0xeb,
510 0x33, 0x49, 0x57, 0xf1, 0xb2, 0x32, 0xd3, 0x63,
511 0x03, 0x65, 0x57, 0xa2, 0xba, 0xa2, 0x5f, 0x35
512 };
513
514 /*
515 * SHA-384 HMAC Known Hash Message (512-bits).
516 * Source from NIST HMAC.txt (Count = 15, Klen = 16, Tlen = 48)
517 */
518 static uint8_t sha384_hmac_known_secret_key[] = {
519 0x01, 0xac, 0x59, 0xf4, 0x2f, 0x8b, 0xb9, 0x1d,
520 0x1b, 0xd1, 0x0f, 0xe6, 0x99, 0x0d, 0x7a, 0x87
521 };
522
523 static uint8_t sha384_hmac_known_secret_key_length
524 = sizeof (sha384_hmac_known_secret_key);
525
526 static uint8_t sha384_hmac_known_hash_message[] = {
527 0x3c, 0xaf, 0x18, 0xc4, 0x76, 0xed, 0xd5, 0x61,
528 0x5f, 0x34, 0x3a, 0xc7, 0xb7, 0xd3, 0xa9, 0xda,
529 0x9e, 0xfa, 0xde, 0x75, 0x56, 0x72, 0xd5, 0xba,
530 0x4b, 0x8a, 0xe8, 0xa7, 0x50, 0x55, 0x39, 0xea,
531 0x2c, 0x12, 0x4f, 0xf7, 0x55, 0xec, 0x04, 0x57,
532 0xfb, 0xe4, 0x9e, 0x43, 0x48, 0x0b, 0x3c, 0x71,
533 0xe7, 0xf4, 0x74, 0x2e, 0xc3, 0x69, 0x3a, 0xad,
534 0x11, 0x5d, 0x03, 0x9f, 0x90, 0x22, 0x2b, 0x03,
535 0x0f, 0xdc, 0x94, 0x40, 0x31, 0x36, 0x91, 0x71,
536 0x6d, 0x53, 0x02, 0x00, 0x58, 0x08, 0xc0, 0x76,
537 0x27, 0x48, 0x3b, 0x91, 0x6f, 0xdf, 0x61, 0x98,
538 0x30, 0x63, 0xc2, 0xeb, 0x12, 0x68, 0xf2, 0xde,
539 0xee, 0xf4, 0x2f, 0xc7, 0x90, 0x33, 0x44, 0x56,
540 0xbc, 0x6b, 0xad, 0x25, 0x6e, 0x31, 0xfc, 0x90,
541 0x66, 0xde, 0x7c, 0xc7, 0xe4, 0x3d, 0x13, 0x21,
542 0xb1, 0x86, 0x6d, 0xb4, 0x5e, 0x90, 0x56, 0x22
543 };
544
545 /* known SHA384 hmac (48 bytes) */
546 static uint8_t known_sha384_hmac[] = {
547 0x19, 0x85, 0xfa, 0x21, 0x63, 0xa5, 0x94, 0x3f,
548 0xc5, 0xd9, 0x2f, 0x1f, 0xe8, 0x83, 0x12, 0x15,
549 0xe7, 0xe9, 0x1f, 0x0b, 0xff, 0x53, 0x32, 0xbc,
550 0x71, 0x3a, 0x07, 0x2b, 0xdb, 0x3a, 0x8f, 0x9e,
551 0x5c, 0x51, 0x57, 0x46, 0x3a, 0x3b, 0xfe, 0xb3,
552 0x62, 0x31, 0x41, 0x6e, 0x65, 0x97, 0x3e, 0x64
553 };
554
555 /*
556 * SHA-512 HMAC Known Hash Message (512-bits).
557 * Source from NIST HMAC.txt (Count = 30, Klen = 20, Tlen = 64)
558 */
559 static uint8_t sha512_hmac_known_secret_key[] = {
560 0xa7, 0x36, 0xf2, 0x74, 0xfd, 0xa6, 0x8e, 0x1b,
561 0xd5, 0xf9, 0x47, 0x1e, 0x85, 0xfd, 0x41, 0x5d,
562 0x7f, 0x2b, 0xa1, 0xbc
563 };
564
565 static uint8_t sha512_hmac_known_secret_key_length
566 = sizeof (sha512_hmac_known_secret_key);
567
568 static uint8_t sha512_hmac_known_hash_message[] = {
569 0xa6, 0xcc, 0xc3, 0x55, 0x2c, 0x33, 0xe9, 0x17,
570 0x8b, 0x6b, 0x82, 0xc6, 0x53, 0xd6, 0x3d, 0xe2,
571 0x54, 0x0f, 0x17, 0x08, 0x07, 0xc3, 0xd9, 0x6a,
572 0x2a, 0xc2, 0xe2, 0x7d, 0xab, 0x55, 0x26, 0xf1,
573 0xc7, 0xd3, 0x77, 0xe6, 0x73, 0x6f, 0x04, 0x5d,
574 0xfb, 0x54, 0x1f, 0xec, 0xe9, 0xf4, 0x43, 0xb7,
575 0x28, 0x9c, 0x55, 0x9b, 0x69, 0x4c, 0x2a, 0xac,
576 0xc6, 0xc7, 0x4a, 0xe2, 0xa5, 0xe6, 0xf3, 0x0f,
577 0xe0, 0x31, 0x61, 0x14, 0x23, 0xb0, 0x4d, 0x55,
578 0x95, 0xff, 0xb4, 0x6a, 0xba, 0xa1, 0xd9, 0x18,
579 0x98, 0x96, 0x8d, 0x7f, 0x18, 0x30, 0xae, 0x94,
580 0xb0, 0x22, 0xee, 0xd2, 0x3f, 0xda, 0xd5, 0x2d,
581 0x38, 0x11, 0x0a, 0x48, 0x03, 0xa0, 0xce, 0xe7,
582 0xa0, 0x95, 0xc9, 0xa7, 0x8e, 0x86, 0x09, 0xed,
583 0xeb, 0x25, 0x48, 0x1c, 0xdc, 0x15, 0x6d, 0x0b,
584 0x2f, 0xfc, 0x56, 0xb6, 0x3f, 0xda, 0xd5, 0x33
585 };
586
587 /* known SHA512 hmac (64 bytes) */
588 static uint8_t known_sha512_hmac[] = {
589 0xf7, 0x18, 0x03, 0x43, 0x1e, 0x07, 0xa5, 0xa6,
590 0xe5, 0xfd, 0x4a, 0xe4, 0xcf, 0xc2, 0x75, 0x3b,
591 0xc8, 0x0d, 0x26, 0xe1, 0x67, 0x23, 0xd9, 0xe8,
592 0x8b, 0x40, 0x5a, 0x02, 0x34, 0x8e, 0xf4, 0xb9,
593 0x67, 0x92, 0xc9, 0x9c, 0xed, 0x64, 0xdc, 0x70,
594 0xea, 0x47, 0x53, 0x78, 0xb7, 0x46, 0x6a, 0xc2,
595 0xca, 0xf4, 0xa4, 0x20, 0xb0, 0x1f, 0xf6, 0x1e,
596 0x72, 0xc5, 0xb5, 0xee, 0x8e, 0xaa, 0xd4, 0xd4
597 };
598
599 /* SHA-2 variables. */
600 uint8_t sha256_computed_digest[SHA256_DIGEST_LENGTH];
601 uint8_t sha384_computed_digest[SHA384_DIGEST_LENGTH];
602 uint8_t sha512_computed_digest[SHA512_DIGEST_LENGTH];
603
604 uint8_t hmac_computed[SHA512_DIGEST_LENGTH];
605 SHA2_CTX *sha2_context = NULL;
606
607 #ifdef _KERNEL
608 sha2_hmac_ctx_t *sha2_hmac_ctx;
609 #endif
610
611 int rv;
612
613 /*
614 * SHA-2 Known Answer Hashing Test.
615 */
616
617 /* SHA-256 POST */
618
619 #ifdef _KERNEL
620 sha2_context = fips_sha2_build_context(SHA256_TYPE);
621 #else
622 sha2_context = fips_sha2_build_context(CKM_SHA256);
623 #endif
624
625 if (sha2_context == NULL)
626 return (CKR_HOST_MEMORY);
627
628 rv = fips_sha2_hash(sha2_context,
629 sha256_known_hash_message,
630 FIPS_KNOWN_HMAC_MESSAGE_LENGTH,
631 sha256_computed_digest);
632
633 if ((rv != CKR_OK) ||
634 (memcmp(sha256_computed_digest, known_sha256_digest,
635 SHA256_DIGEST_LENGTH) != 0))
636 return (CKR_DEVICE_ERROR);
637
638 /* SHA-384 POST */
639
640 #ifdef _KERNEL
641 sha2_context = fips_sha2_build_context(SHA384_TYPE);
642 #else
643 sha2_context = fips_sha2_build_context(CKM_SHA384);
644 #endif
645
646 if (sha2_context == NULL)
647 return (CKR_HOST_MEMORY);
648
649 rv = fips_sha2_hash(sha2_context,
650 sha384_known_hash_message,
651 FIPS_KNOWN_HMAC_MESSAGE_LENGTH,
652 sha384_computed_digest);
653
654 if ((rv != CKR_OK) ||
655 (memcmp(sha384_computed_digest, known_sha384_digest,
656 SHA384_DIGEST_LENGTH) != 0))
657 return (CKR_DEVICE_ERROR);
658
659 /* SHA-512 POST */
660
661 #ifdef _KERNEL
662 sha2_context = fips_sha2_build_context(SHA512_TYPE);
663 #else
664 sha2_context = fips_sha2_build_context(CKM_SHA512);
665 #endif
666
667 if (sha2_context == NULL)
668 return (CKR_HOST_MEMORY);
669
670 rv = fips_sha2_hash(sha2_context,
671 sha512_known_hash_message,
672 FIPS_KNOWN_HMAC_MESSAGE_LENGTH,
673 sha512_computed_digest);
674
675 if ((rv != CKR_OK) ||
676 (memcmp(sha512_computed_digest, known_sha512_digest,
677 SHA512_DIGEST_LENGTH) != 0))
678 return (CKR_DEVICE_ERROR);
679
680 /*
681 * SHA-2 HMAC Known Answer Hashing Test.
682 */
683
684 /* HMAC SHA-256 POST */
685
686 #ifdef _KERNEL
687 sha2_hmac_ctx = fips_sha2_hmac_build_context(
688 SHA256_TYPE,
689 sha256_hmac_known_secret_key,
690 sha256_hmac_known_secret_key_length);
691
692 if (sha2_hmac_ctx == NULL)
693 return (CKR_HOST_MEMORY);
694
695 fips_hmac_sha2_hash(sha2_hmac_ctx,
696 sha256_hmac_known_hash_message,
697 FIPS_KNOWN_HMAC_MESSAGE_LENGTH,
698 hmac_computed,
699 SHA256_TYPE);
700
701 if (memcmp(hmac_computed, known_sha256_hmac,
702 SHA256_DIGEST_LENGTH) != 0)
703 return (CKR_DEVICE_ERROR);
704
705 #else
706 rv = fips_hmac_sha2_hash(hmac_computed,
707 sha256_hmac_known_secret_key,
708 sha256_hmac_known_secret_key_length,
709 sha256_hmac_known_hash_message,
710 FIPS_KNOWN_HMAC_MESSAGE_LENGTH,
711 CKM_SHA256_HMAC);
712
713 if ((rv != CKR_OK) ||
714 (memcmp(hmac_computed, known_sha256_hmac,
715 SHA256_DIGEST_LENGTH) != 0))
716 return (CKR_DEVICE_ERROR);
717
718 #endif
719
720 /* HMAC SHA-384 POST */
721
722 #ifdef _KERNEL
723 sha2_hmac_ctx = fips_sha2_hmac_build_context(
724 SHA384_TYPE,
725 sha384_hmac_known_secret_key,
726 sha384_hmac_known_secret_key_length);
727
728 if (sha2_hmac_ctx == NULL)
729 return (CKR_HOST_MEMORY);
730
731 fips_hmac_sha2_hash(sha2_hmac_ctx,
732 sha384_hmac_known_hash_message,
733 sizeof (sha384_hmac_known_hash_message),
734 hmac_computed,
735 SHA384_TYPE);
736
737 if (memcmp(hmac_computed, known_sha384_hmac,
738 SHA384_DIGEST_LENGTH) != 0)
739 return (CKR_DEVICE_ERROR);
740 #else
741 rv = fips_hmac_sha2_hash(hmac_computed,
742 sha384_hmac_known_secret_key,
743 sha384_hmac_known_secret_key_length,
744 sha384_hmac_known_hash_message,
745 sizeof (sha384_hmac_known_hash_message),
746 CKM_SHA384_HMAC);
747
748 if ((rv != CKR_OK) ||
749 (memcmp(hmac_computed, known_sha384_hmac,
750 SHA384_DIGEST_LENGTH) != 0))
751 return (CKR_DEVICE_ERROR);
752
753 #endif
754
755 /* HMAC SHA-512 POST */
756
757 #ifdef _KERNEL
758 sha2_hmac_ctx = fips_sha2_hmac_build_context(
759 SHA512_TYPE,
760 sha512_hmac_known_secret_key,
761 sha512_hmac_known_secret_key_length);
762
763 if (sha2_hmac_ctx == NULL)
764 return (CKR_HOST_MEMORY);
765
766 fips_hmac_sha2_hash(sha2_hmac_ctx,
767 sha512_hmac_known_hash_message,
768 sizeof (sha512_hmac_known_hash_message),
769 hmac_computed,
770 SHA512_TYPE);
771
772 if (memcmp(hmac_computed, known_sha512_hmac,
773 SHA512_DIGEST_LENGTH) != 0)
774 return (CKR_DEVICE_ERROR);
775
776 #else
777 rv = fips_hmac_sha2_hash(hmac_computed,
778 sha512_hmac_known_secret_key,
779 sha512_hmac_known_secret_key_length,
780 sha512_hmac_known_hash_message,
781 sizeof (sha512_hmac_known_hash_message),
782 CKM_SHA512_HMAC);
783
784 if ((rv != CKR_OK) ||
785 (memcmp(hmac_computed, known_sha512_hmac,
786 SHA512_DIGEST_LENGTH) != 0))
787 return (CKR_DEVICE_ERROR);
788
789 #endif
790
791 return (CKR_OK);
792 }
793