1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
24 * Use is subject to license terms.
25 */
26
27 #include <sys/modctl.h>
28 #include <sys/cmn_err.h>
29 #include <sys/crypto/common.h>
30 #include <sys/crypto/spi.h>
31 #include <sys/strsun.h>
32 #include <sys/systm.h>
33 #include <sys/sysmacros.h>
34 #define _SHA2_IMPL
35 #include <sys/sha2.h>
36 #include <sha2/sha2_impl.h>
37
38 /*
39 * The sha2 module is created with two modlinkages:
40 * - a modlmisc that allows consumers to directly call the entry points
41 * SHA2Init, SHA2Update, and SHA2Final.
42 * - a modlcrypto that allows the module to register with the Kernel
43 * Cryptographic Framework (KCF) as a software provider for the SHA2
44 * mechanisms.
45 */
46
47 static struct modlmisc modlmisc = {
48 &mod_miscops,
49 "SHA2 Message-Digest Algorithm"
50 };
51
52 static struct modlcrypto modlcrypto = {
53 &mod_cryptoops,
54 "SHA2 Kernel SW Provider"
55 };
56
57 static struct modlinkage modlinkage = {
58 MODREV_1, &modlmisc, &modlcrypto, NULL
59 };
60
61 /*
62 * Macros to access the SHA2 or SHA2-HMAC contexts from a context passed
63 * by KCF to one of the entry points.
64 */
65
66 #define PROV_SHA2_CTX(ctx) ((sha2_ctx_t *)(ctx)->cc_provider_private)
67 #define PROV_SHA2_HMAC_CTX(ctx) ((sha2_hmac_ctx_t *)(ctx)->cc_provider_private)
68
69 /* to extract the digest length passed as mechanism parameter */
70 #define PROV_SHA2_GET_DIGEST_LEN(m, len) { \
71 if (IS_P2ALIGNED((m)->cm_param, sizeof (ulong_t))) \
72 (len) = (uint32_t)*((ulong_t *)(void *)(m)->cm_param); \
73 else { \
74 ulong_t tmp_ulong; \
75 bcopy((m)->cm_param, &tmp_ulong, sizeof (ulong_t)); \
76 (len) = (uint32_t)tmp_ulong; \
77 } \
78 }
79
80 #define PROV_SHA2_DIGEST_KEY(mech, ctx, key, len, digest) { \
81 SHA2Init(mech, ctx); \
82 SHA2Update(ctx, key, len); \
83 SHA2Final(digest, ctx); \
84 }
85
86 /*
87 * Mechanism info structure passed to KCF during registration.
88 */
89 static crypto_mech_info_t sha2_mech_info_tab[] = {
90 /* SHA256 */
91 {SUN_CKM_SHA256, SHA256_MECH_INFO_TYPE,
92 CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
93 0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
94 /* SHA256-HMAC */
95 {SUN_CKM_SHA256_HMAC, SHA256_HMAC_MECH_INFO_TYPE,
96 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
97 SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
98 CRYPTO_KEYSIZE_UNIT_IN_BYTES},
99 /* SHA256-HMAC GENERAL */
100 {SUN_CKM_SHA256_HMAC_GENERAL, SHA256_HMAC_GEN_MECH_INFO_TYPE,
101 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
102 SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
103 CRYPTO_KEYSIZE_UNIT_IN_BYTES},
104 /* SHA384 */
105 {SUN_CKM_SHA384, SHA384_MECH_INFO_TYPE,
106 CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
107 0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
108 /* SHA384-HMAC */
109 {SUN_CKM_SHA384_HMAC, SHA384_HMAC_MECH_INFO_TYPE,
110 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
111 SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
112 CRYPTO_KEYSIZE_UNIT_IN_BYTES},
113 /* SHA384-HMAC GENERAL */
114 {SUN_CKM_SHA384_HMAC_GENERAL, SHA384_HMAC_GEN_MECH_INFO_TYPE,
115 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
116 SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
117 CRYPTO_KEYSIZE_UNIT_IN_BYTES},
118 /* SHA512 */
119 {SUN_CKM_SHA512, SHA512_MECH_INFO_TYPE,
120 CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
121 0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
122 /* SHA512-HMAC */
123 {SUN_CKM_SHA512_HMAC, SHA512_HMAC_MECH_INFO_TYPE,
124 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
125 SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
126 CRYPTO_KEYSIZE_UNIT_IN_BYTES},
127 /* SHA512-HMAC GENERAL */
128 {SUN_CKM_SHA512_HMAC_GENERAL, SHA512_HMAC_GEN_MECH_INFO_TYPE,
129 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
130 SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
131 CRYPTO_KEYSIZE_UNIT_IN_BYTES}
132 };
133
134 static void sha2_provider_status(crypto_provider_handle_t, uint_t *);
135
136 static crypto_control_ops_t sha2_control_ops = {
137 sha2_provider_status
138 };
139
140 static int sha2_digest_init(crypto_ctx_t *, crypto_mechanism_t *,
141 crypto_req_handle_t);
142 static int sha2_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
143 crypto_req_handle_t);
144 static int sha2_digest_update(crypto_ctx_t *, crypto_data_t *,
145 crypto_req_handle_t);
146 static int sha2_digest_final(crypto_ctx_t *, crypto_data_t *,
147 crypto_req_handle_t);
148 static int sha2_digest_atomic(crypto_provider_handle_t, crypto_session_id_t,
149 crypto_mechanism_t *, crypto_data_t *, crypto_data_t *,
150 crypto_req_handle_t);
151
152 static crypto_digest_ops_t sha2_digest_ops = {
153 sha2_digest_init,
154 sha2_digest,
155 sha2_digest_update,
156 NULL,
157 sha2_digest_final,
158 sha2_digest_atomic
159 };
160
161 static int sha2_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *,
162 crypto_spi_ctx_template_t, crypto_req_handle_t);
163 static int sha2_mac_update(crypto_ctx_t *, crypto_data_t *,
164 crypto_req_handle_t);
165 static int sha2_mac_final(crypto_ctx_t *, crypto_data_t *, crypto_req_handle_t);
166 static int sha2_mac_atomic(crypto_provider_handle_t, crypto_session_id_t,
167 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
168 crypto_spi_ctx_template_t, crypto_req_handle_t);
169 static int sha2_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
170 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
171 crypto_spi_ctx_template_t, crypto_req_handle_t);
172
173 static crypto_mac_ops_t sha2_mac_ops = {
174 sha2_mac_init,
175 NULL,
176 sha2_mac_update,
177 sha2_mac_final,
178 sha2_mac_atomic,
179 sha2_mac_verify_atomic
180 };
181
182 static int sha2_create_ctx_template(crypto_provider_handle_t,
183 crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *,
184 size_t *, crypto_req_handle_t);
185 static int sha2_free_context(crypto_ctx_t *);
186
187 static crypto_ctx_ops_t sha2_ctx_ops = {
188 sha2_create_ctx_template,
189 sha2_free_context
190 };
191
192 static void sha2_POST(int *);
193
194 static crypto_fips140_ops_t sha2_fips140_ops = {
195 sha2_POST
196 };
197
198 static crypto_ops_t sha2_crypto_ops = {
199 &sha2_control_ops,
200 &sha2_digest_ops,
201 NULL,
202 &sha2_mac_ops,
203 NULL,
204 NULL,
205 NULL,
206 NULL,
207 NULL,
208 NULL,
209 NULL,
210 NULL,
211 NULL,
212 &sha2_ctx_ops,
213 NULL,
214 NULL,
215 &sha2_fips140_ops
216 };
217
218 static crypto_provider_info_t sha2_prov_info = {
219 CRYPTO_SPI_VERSION_4,
220 "SHA2 Software Provider",
221 CRYPTO_SW_PROVIDER,
222 {&modlinkage},
223 NULL,
224 &sha2_crypto_ops,
225 sizeof (sha2_mech_info_tab)/sizeof (crypto_mech_info_t),
226 sha2_mech_info_tab
227 };
228
229 static crypto_kcf_provider_handle_t sha2_prov_handle = NULL;
230
231 int
_init()232 _init()
233 {
234 int ret;
235
236 if ((ret = mod_install(&modlinkage)) != 0)
237 return (ret);
238
239 /*
240 * Register with KCF. If the registration fails, do not uninstall the
241 * module, since the functionality provided by misc/sha2 should still
242 * be available.
243 */
244 (void) crypto_register_provider(&sha2_prov_info, &sha2_prov_handle);
245
246 return (0);
247 }
248
249 int
_info(struct modinfo * modinfop)250 _info(struct modinfo *modinfop)
251 {
252 return (mod_info(&modlinkage, modinfop));
253 }
254
255 /*
256 * KCF software provider control entry points.
257 */
258 /* ARGSUSED */
259 static void
sha2_provider_status(crypto_provider_handle_t provider,uint_t * status)260 sha2_provider_status(crypto_provider_handle_t provider, uint_t *status)
261 {
262 *status = CRYPTO_PROVIDER_READY;
263 }
264
265 /*
266 * KCF software provider digest entry points.
267 */
268
269 static int
sha2_digest_init(crypto_ctx_t * ctx,crypto_mechanism_t * mechanism,crypto_req_handle_t req)270 sha2_digest_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
271 crypto_req_handle_t req)
272 {
273
274 /*
275 * Allocate and initialize SHA2 context.
276 */
277 ctx->cc_provider_private = kmem_alloc(sizeof (sha2_ctx_t),
278 crypto_kmflag(req));
279 if (ctx->cc_provider_private == NULL)
280 return (CRYPTO_HOST_MEMORY);
281
282 PROV_SHA2_CTX(ctx)->sc_mech_type = mechanism->cm_type;
283 SHA2Init(mechanism->cm_type, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
284
285 return (CRYPTO_SUCCESS);
286 }
287
288 /*
289 * Helper SHA2 digest update function for uio data.
290 */
291 static int
sha2_digest_update_uio(SHA2_CTX * sha2_ctx,crypto_data_t * data)292 sha2_digest_update_uio(SHA2_CTX *sha2_ctx, crypto_data_t *data)
293 {
294 off_t offset = data->cd_offset;
295 size_t length = data->cd_length;
296 uint_t vec_idx;
297 size_t cur_len;
298
299 /* we support only kernel buffer */
300 if (data->cd_uio->uio_segflg != UIO_SYSSPACE)
301 return (CRYPTO_ARGUMENTS_BAD);
302
303 /*
304 * Jump to the first iovec containing data to be
305 * digested.
306 */
307 for (vec_idx = 0; vec_idx < data->cd_uio->uio_iovcnt &&
308 offset >= data->cd_uio->uio_iov[vec_idx].iov_len;
309 offset -= data->cd_uio->uio_iov[vec_idx++].iov_len)
310 ;
311 if (vec_idx == data->cd_uio->uio_iovcnt) {
312 /*
313 * The caller specified an offset that is larger than the
314 * total size of the buffers it provided.
315 */
316 return (CRYPTO_DATA_LEN_RANGE);
317 }
318
319 /*
320 * Now do the digesting on the iovecs.
321 */
322 while (vec_idx < data->cd_uio->uio_iovcnt && length > 0) {
323 cur_len = MIN(data->cd_uio->uio_iov[vec_idx].iov_len -
324 offset, length);
325
326 SHA2Update(sha2_ctx, (uint8_t *)data->cd_uio->
327 uio_iov[vec_idx].iov_base + offset, cur_len);
328 length -= cur_len;
329 vec_idx++;
330 offset = 0;
331 }
332
333 if (vec_idx == data->cd_uio->uio_iovcnt && length > 0) {
334 /*
335 * The end of the specified iovec's was reached but
336 * the length requested could not be processed, i.e.
337 * The caller requested to digest more data than it provided.
338 */
339 return (CRYPTO_DATA_LEN_RANGE);
340 }
341
342 return (CRYPTO_SUCCESS);
343 }
344
345 /*
346 * Helper SHA2 digest final function for uio data.
347 * digest_len is the length of the desired digest. If digest_len
348 * is smaller than the default SHA2 digest length, the caller
349 * must pass a scratch buffer, digest_scratch, which must
350 * be at least the algorithm's digest length bytes.
351 */
352 static int
sha2_digest_final_uio(SHA2_CTX * sha2_ctx,crypto_data_t * digest,ulong_t digest_len,uchar_t * digest_scratch)353 sha2_digest_final_uio(SHA2_CTX *sha2_ctx, crypto_data_t *digest,
354 ulong_t digest_len, uchar_t *digest_scratch)
355 {
356 off_t offset = digest->cd_offset;
357 uint_t vec_idx;
358
359 /* we support only kernel buffer */
360 if (digest->cd_uio->uio_segflg != UIO_SYSSPACE)
361 return (CRYPTO_ARGUMENTS_BAD);
362
363 /*
364 * Jump to the first iovec containing ptr to the digest to
365 * be returned.
366 */
367 for (vec_idx = 0; offset >= digest->cd_uio->uio_iov[vec_idx].iov_len &&
368 vec_idx < digest->cd_uio->uio_iovcnt;
369 offset -= digest->cd_uio->uio_iov[vec_idx++].iov_len)
370 ;
371 if (vec_idx == digest->cd_uio->uio_iovcnt) {
372 /*
373 * The caller specified an offset that is
374 * larger than the total size of the buffers
375 * it provided.
376 */
377 return (CRYPTO_DATA_LEN_RANGE);
378 }
379
380 if (offset + digest_len <=
381 digest->cd_uio->uio_iov[vec_idx].iov_len) {
382 /*
383 * The computed SHA2 digest will fit in the current
384 * iovec.
385 */
386 if (((sha2_ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
387 (digest_len != SHA256_DIGEST_LENGTH)) ||
388 ((sha2_ctx->algotype > SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
389 (digest_len != SHA512_DIGEST_LENGTH))) {
390 /*
391 * The caller requested a short digest. Digest
392 * into a scratch buffer and return to
393 * the user only what was requested.
394 */
395 SHA2Final(digest_scratch, sha2_ctx);
396
397 bcopy(digest_scratch, (uchar_t *)digest->
398 cd_uio->uio_iov[vec_idx].iov_base + offset,
399 digest_len);
400 } else {
401 SHA2Final((uchar_t *)digest->
402 cd_uio->uio_iov[vec_idx].iov_base + offset,
403 sha2_ctx);
404
405 }
406 } else {
407 /*
408 * The computed digest will be crossing one or more iovec's.
409 * This is bad performance-wise but we need to support it.
410 * Allocate a small scratch buffer on the stack and
411 * copy it piece meal to the specified digest iovec's.
412 */
413 uchar_t digest_tmp[SHA512_DIGEST_LENGTH];
414 off_t scratch_offset = 0;
415 size_t length = digest_len;
416 size_t cur_len;
417
418 SHA2Final(digest_tmp, sha2_ctx);
419
420 while (vec_idx < digest->cd_uio->uio_iovcnt && length > 0) {
421 cur_len =
422 MIN(digest->cd_uio->uio_iov[vec_idx].iov_len -
423 offset, length);
424 bcopy(digest_tmp + scratch_offset,
425 digest->cd_uio->uio_iov[vec_idx].iov_base + offset,
426 cur_len);
427
428 length -= cur_len;
429 vec_idx++;
430 scratch_offset += cur_len;
431 offset = 0;
432 }
433
434 if (vec_idx == digest->cd_uio->uio_iovcnt && length > 0) {
435 /*
436 * The end of the specified iovec's was reached but
437 * the length requested could not be processed, i.e.
438 * The caller requested to digest more data than it
439 * provided.
440 */
441 return (CRYPTO_DATA_LEN_RANGE);
442 }
443 }
444
445 return (CRYPTO_SUCCESS);
446 }
447
448 /*
449 * Helper SHA2 digest update for mblk's.
450 */
451 static int
sha2_digest_update_mblk(SHA2_CTX * sha2_ctx,crypto_data_t * data)452 sha2_digest_update_mblk(SHA2_CTX *sha2_ctx, crypto_data_t *data)
453 {
454 off_t offset = data->cd_offset;
455 size_t length = data->cd_length;
456 mblk_t *mp;
457 size_t cur_len;
458
459 /*
460 * Jump to the first mblk_t containing data to be digested.
461 */
462 for (mp = data->cd_mp; mp != NULL && offset >= MBLKL(mp);
463 offset -= MBLKL(mp), mp = mp->b_cont)
464 ;
465 if (mp == NULL) {
466 /*
467 * The caller specified an offset that is larger than the
468 * total size of the buffers it provided.
469 */
470 return (CRYPTO_DATA_LEN_RANGE);
471 }
472
473 /*
474 * Now do the digesting on the mblk chain.
475 */
476 while (mp != NULL && length > 0) {
477 cur_len = MIN(MBLKL(mp) - offset, length);
478 SHA2Update(sha2_ctx, mp->b_rptr + offset, cur_len);
479 length -= cur_len;
480 offset = 0;
481 mp = mp->b_cont;
482 }
483
484 if (mp == NULL && length > 0) {
485 /*
486 * The end of the mblk was reached but the length requested
487 * could not be processed, i.e. The caller requested
488 * to digest more data than it provided.
489 */
490 return (CRYPTO_DATA_LEN_RANGE);
491 }
492
493 return (CRYPTO_SUCCESS);
494 }
495
496 /*
497 * Helper SHA2 digest final for mblk's.
498 * digest_len is the length of the desired digest. If digest_len
499 * is smaller than the default SHA2 digest length, the caller
500 * must pass a scratch buffer, digest_scratch, which must
501 * be at least the algorithm's digest length bytes.
502 */
503 static int
sha2_digest_final_mblk(SHA2_CTX * sha2_ctx,crypto_data_t * digest,ulong_t digest_len,uchar_t * digest_scratch)504 sha2_digest_final_mblk(SHA2_CTX *sha2_ctx, crypto_data_t *digest,
505 ulong_t digest_len, uchar_t *digest_scratch)
506 {
507 off_t offset = digest->cd_offset;
508 mblk_t *mp;
509
510 /*
511 * Jump to the first mblk_t that will be used to store the digest.
512 */
513 for (mp = digest->cd_mp; mp != NULL && offset >= MBLKL(mp);
514 offset -= MBLKL(mp), mp = mp->b_cont)
515 ;
516 if (mp == NULL) {
517 /*
518 * The caller specified an offset that is larger than the
519 * total size of the buffers it provided.
520 */
521 return (CRYPTO_DATA_LEN_RANGE);
522 }
523
524 if (offset + digest_len <= MBLKL(mp)) {
525 /*
526 * The computed SHA2 digest will fit in the current mblk.
527 * Do the SHA2Final() in-place.
528 */
529 if (((sha2_ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
530 (digest_len != SHA256_DIGEST_LENGTH)) ||
531 ((sha2_ctx->algotype > SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
532 (digest_len != SHA512_DIGEST_LENGTH))) {
533 /*
534 * The caller requested a short digest. Digest
535 * into a scratch buffer and return to
536 * the user only what was requested.
537 */
538 SHA2Final(digest_scratch, sha2_ctx);
539 bcopy(digest_scratch, mp->b_rptr + offset, digest_len);
540 } else {
541 SHA2Final(mp->b_rptr + offset, sha2_ctx);
542 }
543 } else {
544 /*
545 * The computed digest will be crossing one or more mblk's.
546 * This is bad performance-wise but we need to support it.
547 * Allocate a small scratch buffer on the stack and
548 * copy it piece meal to the specified digest iovec's.
549 */
550 uchar_t digest_tmp[SHA512_DIGEST_LENGTH];
551 off_t scratch_offset = 0;
552 size_t length = digest_len;
553 size_t cur_len;
554
555 SHA2Final(digest_tmp, sha2_ctx);
556
557 while (mp != NULL && length > 0) {
558 cur_len = MIN(MBLKL(mp) - offset, length);
559 bcopy(digest_tmp + scratch_offset,
560 mp->b_rptr + offset, cur_len);
561
562 length -= cur_len;
563 mp = mp->b_cont;
564 scratch_offset += cur_len;
565 offset = 0;
566 }
567
568 if (mp == NULL && length > 0) {
569 /*
570 * The end of the specified mblk was reached but
571 * the length requested could not be processed, i.e.
572 * The caller requested to digest more data than it
573 * provided.
574 */
575 return (CRYPTO_DATA_LEN_RANGE);
576 }
577 }
578
579 return (CRYPTO_SUCCESS);
580 }
581
582 /* ARGSUSED */
583 static int
sha2_digest(crypto_ctx_t * ctx,crypto_data_t * data,crypto_data_t * digest,crypto_req_handle_t req)584 sha2_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest,
585 crypto_req_handle_t req)
586 {
587 int ret = CRYPTO_SUCCESS;
588 uint_t sha_digest_len;
589
590 ASSERT(ctx->cc_provider_private != NULL);
591
592 switch (PROV_SHA2_CTX(ctx)->sc_mech_type) {
593 case SHA256_MECH_INFO_TYPE:
594 sha_digest_len = SHA256_DIGEST_LENGTH;
595 break;
596 case SHA384_MECH_INFO_TYPE:
597 sha_digest_len = SHA384_DIGEST_LENGTH;
598 break;
599 case SHA512_MECH_INFO_TYPE:
600 sha_digest_len = SHA512_DIGEST_LENGTH;
601 break;
602 default:
603 return (CRYPTO_MECHANISM_INVALID);
604 }
605
606 /*
607 * We need to just return the length needed to store the output.
608 * We should not destroy the context for the following cases.
609 */
610 if ((digest->cd_length == 0) ||
611 (digest->cd_length < sha_digest_len)) {
612 digest->cd_length = sha_digest_len;
613 return (CRYPTO_BUFFER_TOO_SMALL);
614 }
615
616 /*
617 * Do the SHA2 update on the specified input data.
618 */
619 switch (data->cd_format) {
620 case CRYPTO_DATA_RAW:
621 SHA2Update(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
622 (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
623 data->cd_length);
624 break;
625 case CRYPTO_DATA_UIO:
626 ret = sha2_digest_update_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
627 data);
628 break;
629 case CRYPTO_DATA_MBLK:
630 ret = sha2_digest_update_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
631 data);
632 break;
633 default:
634 ret = CRYPTO_ARGUMENTS_BAD;
635 }
636
637 if (ret != CRYPTO_SUCCESS) {
638 /* the update failed, free context and bail */
639 kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
640 ctx->cc_provider_private = NULL;
641 digest->cd_length = 0;
642 return (ret);
643 }
644
645 /*
646 * Do a SHA2 final, must be done separately since the digest
647 * type can be different than the input data type.
648 */
649 switch (digest->cd_format) {
650 case CRYPTO_DATA_RAW:
651 SHA2Final((unsigned char *)digest->cd_raw.iov_base +
652 digest->cd_offset, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
653 break;
654 case CRYPTO_DATA_UIO:
655 ret = sha2_digest_final_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
656 digest, sha_digest_len, NULL);
657 break;
658 case CRYPTO_DATA_MBLK:
659 ret = sha2_digest_final_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
660 digest, sha_digest_len, NULL);
661 break;
662 default:
663 ret = CRYPTO_ARGUMENTS_BAD;
664 }
665
666 /* all done, free context and return */
667
668 if (ret == CRYPTO_SUCCESS)
669 digest->cd_length = sha_digest_len;
670 else
671 digest->cd_length = 0;
672
673 kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
674 ctx->cc_provider_private = NULL;
675 return (ret);
676 }
677
678 /* ARGSUSED */
679 static int
sha2_digest_update(crypto_ctx_t * ctx,crypto_data_t * data,crypto_req_handle_t req)680 sha2_digest_update(crypto_ctx_t *ctx, crypto_data_t *data,
681 crypto_req_handle_t req)
682 {
683 int ret = CRYPTO_SUCCESS;
684
685 ASSERT(ctx->cc_provider_private != NULL);
686
687 /*
688 * Do the SHA2 update on the specified input data.
689 */
690 switch (data->cd_format) {
691 case CRYPTO_DATA_RAW:
692 SHA2Update(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
693 (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
694 data->cd_length);
695 break;
696 case CRYPTO_DATA_UIO:
697 ret = sha2_digest_update_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
698 data);
699 break;
700 case CRYPTO_DATA_MBLK:
701 ret = sha2_digest_update_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
702 data);
703 break;
704 default:
705 ret = CRYPTO_ARGUMENTS_BAD;
706 }
707
708 return (ret);
709 }
710
711 /* ARGSUSED */
712 static int
sha2_digest_final(crypto_ctx_t * ctx,crypto_data_t * digest,crypto_req_handle_t req)713 sha2_digest_final(crypto_ctx_t *ctx, crypto_data_t *digest,
714 crypto_req_handle_t req)
715 {
716 int ret = CRYPTO_SUCCESS;
717 uint_t sha_digest_len;
718
719 ASSERT(ctx->cc_provider_private != NULL);
720
721 switch (PROV_SHA2_CTX(ctx)->sc_mech_type) {
722 case SHA256_MECH_INFO_TYPE:
723 sha_digest_len = SHA256_DIGEST_LENGTH;
724 break;
725 case SHA384_MECH_INFO_TYPE:
726 sha_digest_len = SHA384_DIGEST_LENGTH;
727 break;
728 case SHA512_MECH_INFO_TYPE:
729 sha_digest_len = SHA512_DIGEST_LENGTH;
730 break;
731 default:
732 return (CRYPTO_MECHANISM_INVALID);
733 }
734
735 /*
736 * We need to just return the length needed to store the output.
737 * We should not destroy the context for the following cases.
738 */
739 if ((digest->cd_length == 0) ||
740 (digest->cd_length < sha_digest_len)) {
741 digest->cd_length = sha_digest_len;
742 return (CRYPTO_BUFFER_TOO_SMALL);
743 }
744
745 /*
746 * Do a SHA2 final.
747 */
748 switch (digest->cd_format) {
749 case CRYPTO_DATA_RAW:
750 SHA2Final((unsigned char *)digest->cd_raw.iov_base +
751 digest->cd_offset, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
752 break;
753 case CRYPTO_DATA_UIO:
754 ret = sha2_digest_final_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
755 digest, sha_digest_len, NULL);
756 break;
757 case CRYPTO_DATA_MBLK:
758 ret = sha2_digest_final_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
759 digest, sha_digest_len, NULL);
760 break;
761 default:
762 ret = CRYPTO_ARGUMENTS_BAD;
763 }
764
765 /* all done, free context and return */
766
767 if (ret == CRYPTO_SUCCESS)
768 digest->cd_length = sha_digest_len;
769 else
770 digest->cd_length = 0;
771
772 kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
773 ctx->cc_provider_private = NULL;
774
775 return (ret);
776 }
777
778 /* ARGSUSED */
779 static int
sha2_digest_atomic(crypto_provider_handle_t provider,crypto_session_id_t session_id,crypto_mechanism_t * mechanism,crypto_data_t * data,crypto_data_t * digest,crypto_req_handle_t req)780 sha2_digest_atomic(crypto_provider_handle_t provider,
781 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
782 crypto_data_t *data, crypto_data_t *digest,
783 crypto_req_handle_t req)
784 {
785 int ret = CRYPTO_SUCCESS;
786 SHA2_CTX sha2_ctx;
787 uint32_t sha_digest_len;
788
789 /*
790 * Do the SHA inits.
791 */
792
793 SHA2Init(mechanism->cm_type, &sha2_ctx);
794
795 switch (data->cd_format) {
796 case CRYPTO_DATA_RAW:
797 SHA2Update(&sha2_ctx, (uint8_t *)data->
798 cd_raw.iov_base + data->cd_offset, data->cd_length);
799 break;
800 case CRYPTO_DATA_UIO:
801 ret = sha2_digest_update_uio(&sha2_ctx, data);
802 break;
803 case CRYPTO_DATA_MBLK:
804 ret = sha2_digest_update_mblk(&sha2_ctx, data);
805 break;
806 default:
807 ret = CRYPTO_ARGUMENTS_BAD;
808 }
809
810 /*
811 * Do the SHA updates on the specified input data.
812 */
813
814 if (ret != CRYPTO_SUCCESS) {
815 /* the update failed, bail */
816 digest->cd_length = 0;
817 return (ret);
818 }
819
820 if (mechanism->cm_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE)
821 sha_digest_len = SHA256_DIGEST_LENGTH;
822 else
823 sha_digest_len = SHA512_DIGEST_LENGTH;
824
825 /*
826 * Do a SHA2 final, must be done separately since the digest
827 * type can be different than the input data type.
828 */
829 switch (digest->cd_format) {
830 case CRYPTO_DATA_RAW:
831 SHA2Final((unsigned char *)digest->cd_raw.iov_base +
832 digest->cd_offset, &sha2_ctx);
833 break;
834 case CRYPTO_DATA_UIO:
835 ret = sha2_digest_final_uio(&sha2_ctx, digest,
836 sha_digest_len, NULL);
837 break;
838 case CRYPTO_DATA_MBLK:
839 ret = sha2_digest_final_mblk(&sha2_ctx, digest,
840 sha_digest_len, NULL);
841 break;
842 default:
843 ret = CRYPTO_ARGUMENTS_BAD;
844 }
845
846 if (ret == CRYPTO_SUCCESS)
847 digest->cd_length = sha_digest_len;
848 else
849 digest->cd_length = 0;
850
851 return (ret);
852 }
853
854 /*
855 * KCF software provider mac entry points.
856 *
857 * SHA2 HMAC is: SHA2(key XOR opad, SHA2(key XOR ipad, text))
858 *
859 * Init:
860 * The initialization routine initializes what we denote
861 * as the inner and outer contexts by doing
862 * - for inner context: SHA2(key XOR ipad)
863 * - for outer context: SHA2(key XOR opad)
864 *
865 * Update:
866 * Each subsequent SHA2 HMAC update will result in an
867 * update of the inner context with the specified data.
868 *
869 * Final:
870 * The SHA2 HMAC final will do a SHA2 final operation on the
871 * inner context, and the resulting digest will be used
872 * as the data for an update on the outer context. Last
873 * but not least, a SHA2 final on the outer context will
874 * be performed to obtain the SHA2 HMAC digest to return
875 * to the user.
876 */
877
878 /*
879 * Initialize a SHA2-HMAC context.
880 */
881 static void
sha2_mac_init_ctx(sha2_hmac_ctx_t * ctx,void * keyval,uint_t length_in_bytes)882 sha2_mac_init_ctx(sha2_hmac_ctx_t *ctx, void *keyval, uint_t length_in_bytes)
883 {
884 uint64_t ipad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)];
885 uint64_t opad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)];
886 int i, block_size, blocks_per_int64;
887
888 /* Determine the block size */
889 if (ctx->hc_mech_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE) {
890 block_size = SHA256_HMAC_BLOCK_SIZE;
891 blocks_per_int64 = SHA256_HMAC_BLOCK_SIZE / sizeof (uint64_t);
892 } else {
893 block_size = SHA512_HMAC_BLOCK_SIZE;
894 blocks_per_int64 = SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t);
895 }
896
897 (void) bzero(ipad, block_size);
898 (void) bzero(opad, block_size);
899 (void) bcopy(keyval, ipad, length_in_bytes);
900 (void) bcopy(keyval, opad, length_in_bytes);
901
902 /* XOR key with ipad (0x36) and opad (0x5c) */
903 for (i = 0; i < blocks_per_int64; i ++) {
904 ipad[i] ^= 0x3636363636363636;
905 opad[i] ^= 0x5c5c5c5c5c5c5c5c;
906 }
907
908 /* perform SHA2 on ipad */
909 SHA2Init(ctx->hc_mech_type, &ctx->hc_icontext);
910 SHA2Update(&ctx->hc_icontext, (uint8_t *)ipad, block_size);
911
912 /* perform SHA2 on opad */
913 SHA2Init(ctx->hc_mech_type, &ctx->hc_ocontext);
914 SHA2Update(&ctx->hc_ocontext, (uint8_t *)opad, block_size);
915
916 }
917
918 /*
919 */
920 static int
sha2_mac_init(crypto_ctx_t * ctx,crypto_mechanism_t * mechanism,crypto_key_t * key,crypto_spi_ctx_template_t ctx_template,crypto_req_handle_t req)921 sha2_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
922 crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
923 crypto_req_handle_t req)
924 {
925 int ret = CRYPTO_SUCCESS;
926 uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
927 uint_t sha_digest_len, sha_hmac_block_size;
928
929 /*
930 * Set the digest length and block size to values appropriate to the
931 * mechanism
932 */
933 switch (mechanism->cm_type) {
934 case SHA256_HMAC_MECH_INFO_TYPE:
935 case SHA256_HMAC_GEN_MECH_INFO_TYPE:
936 sha_digest_len = SHA256_DIGEST_LENGTH;
937 sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
938 break;
939 case SHA384_HMAC_MECH_INFO_TYPE:
940 case SHA384_HMAC_GEN_MECH_INFO_TYPE:
941 case SHA512_HMAC_MECH_INFO_TYPE:
942 case SHA512_HMAC_GEN_MECH_INFO_TYPE:
943 sha_digest_len = SHA512_DIGEST_LENGTH;
944 sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
945 break;
946 default:
947 return (CRYPTO_MECHANISM_INVALID);
948 }
949
950 if (key->ck_format != CRYPTO_KEY_RAW)
951 return (CRYPTO_ARGUMENTS_BAD);
952
953 ctx->cc_provider_private = kmem_alloc(sizeof (sha2_hmac_ctx_t),
954 crypto_kmflag(req));
955 if (ctx->cc_provider_private == NULL)
956 return (CRYPTO_HOST_MEMORY);
957
958 PROV_SHA2_HMAC_CTX(ctx)->hc_mech_type = mechanism->cm_type;
959 if (ctx_template != NULL) {
960 /* reuse context template */
961 bcopy(ctx_template, PROV_SHA2_HMAC_CTX(ctx),
962 sizeof (sha2_hmac_ctx_t));
963 } else {
964 /* no context template, compute context */
965 if (keylen_in_bytes > sha_hmac_block_size) {
966 uchar_t digested_key[SHA512_DIGEST_LENGTH];
967 sha2_hmac_ctx_t *hmac_ctx = ctx->cc_provider_private;
968
969 /*
970 * Hash the passed-in key to get a smaller key.
971 * The inner context is used since it hasn't been
972 * initialized yet.
973 */
974 PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
975 &hmac_ctx->hc_icontext,
976 key->ck_data, keylen_in_bytes, digested_key);
977 sha2_mac_init_ctx(PROV_SHA2_HMAC_CTX(ctx),
978 digested_key, sha_digest_len);
979 } else {
980 sha2_mac_init_ctx(PROV_SHA2_HMAC_CTX(ctx),
981 key->ck_data, keylen_in_bytes);
982 }
983 }
984
985 /*
986 * Get the mechanism parameters, if applicable.
987 */
988 if (mechanism->cm_type % 3 == 2) {
989 if (mechanism->cm_param == NULL ||
990 mechanism->cm_param_len != sizeof (ulong_t))
991 ret = CRYPTO_MECHANISM_PARAM_INVALID;
992 PROV_SHA2_GET_DIGEST_LEN(mechanism,
993 PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len);
994 if (PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len > sha_digest_len)
995 ret = CRYPTO_MECHANISM_PARAM_INVALID;
996 }
997
998 if (ret != CRYPTO_SUCCESS) {
999 bzero(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1000 kmem_free(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1001 ctx->cc_provider_private = NULL;
1002 }
1003
1004 return (ret);
1005 }
1006
1007 /* ARGSUSED */
1008 static int
sha2_mac_update(crypto_ctx_t * ctx,crypto_data_t * data,crypto_req_handle_t req)1009 sha2_mac_update(crypto_ctx_t *ctx, crypto_data_t *data,
1010 crypto_req_handle_t req)
1011 {
1012 int ret = CRYPTO_SUCCESS;
1013
1014 ASSERT(ctx->cc_provider_private != NULL);
1015
1016 /*
1017 * Do a SHA2 update of the inner context using the specified
1018 * data.
1019 */
1020 switch (data->cd_format) {
1021 case CRYPTO_DATA_RAW:
1022 SHA2Update(&PROV_SHA2_HMAC_CTX(ctx)->hc_icontext,
1023 (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
1024 data->cd_length);
1025 break;
1026 case CRYPTO_DATA_UIO:
1027 ret = sha2_digest_update_uio(
1028 &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext, data);
1029 break;
1030 case CRYPTO_DATA_MBLK:
1031 ret = sha2_digest_update_mblk(
1032 &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext, data);
1033 break;
1034 default:
1035 ret = CRYPTO_ARGUMENTS_BAD;
1036 }
1037
1038 return (ret);
1039 }
1040
1041 /* ARGSUSED */
1042 static int
sha2_mac_final(crypto_ctx_t * ctx,crypto_data_t * mac,crypto_req_handle_t req)1043 sha2_mac_final(crypto_ctx_t *ctx, crypto_data_t *mac, crypto_req_handle_t req)
1044 {
1045 int ret = CRYPTO_SUCCESS;
1046 uchar_t digest[SHA512_DIGEST_LENGTH];
1047 uint32_t digest_len, sha_digest_len;
1048
1049 ASSERT(ctx->cc_provider_private != NULL);
1050
1051 /* Set the digest lengths to values appropriate to the mechanism */
1052 switch (PROV_SHA2_HMAC_CTX(ctx)->hc_mech_type) {
1053 case SHA256_HMAC_MECH_INFO_TYPE:
1054 sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1055 break;
1056 case SHA384_HMAC_MECH_INFO_TYPE:
1057 sha_digest_len = digest_len = SHA384_DIGEST_LENGTH;
1058 break;
1059 case SHA512_HMAC_MECH_INFO_TYPE:
1060 sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1061 break;
1062 case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1063 sha_digest_len = SHA256_DIGEST_LENGTH;
1064 digest_len = PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len;
1065 break;
1066 case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1067 case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1068 sha_digest_len = SHA512_DIGEST_LENGTH;
1069 digest_len = PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len;
1070 break;
1071 }
1072
1073 /*
1074 * We need to just return the length needed to store the output.
1075 * We should not destroy the context for the following cases.
1076 */
1077 if ((mac->cd_length == 0) || (mac->cd_length < digest_len)) {
1078 mac->cd_length = digest_len;
1079 return (CRYPTO_BUFFER_TOO_SMALL);
1080 }
1081
1082 /*
1083 * Do a SHA2 final on the inner context.
1084 */
1085 SHA2Final(digest, &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext);
1086
1087 /*
1088 * Do a SHA2 update on the outer context, feeding the inner
1089 * digest as data.
1090 */
1091 SHA2Update(&PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, digest,
1092 sha_digest_len);
1093
1094 /*
1095 * Do a SHA2 final on the outer context, storing the computing
1096 * digest in the users buffer.
1097 */
1098 switch (mac->cd_format) {
1099 case CRYPTO_DATA_RAW:
1100 if (digest_len != sha_digest_len) {
1101 /*
1102 * The caller requested a short digest. Digest
1103 * into a scratch buffer and return to
1104 * the user only what was requested.
1105 */
1106 SHA2Final(digest,
1107 &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext);
1108 bcopy(digest, (unsigned char *)mac->cd_raw.iov_base +
1109 mac->cd_offset, digest_len);
1110 } else {
1111 SHA2Final((unsigned char *)mac->cd_raw.iov_base +
1112 mac->cd_offset,
1113 &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext);
1114 }
1115 break;
1116 case CRYPTO_DATA_UIO:
1117 ret = sha2_digest_final_uio(
1118 &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, mac,
1119 digest_len, digest);
1120 break;
1121 case CRYPTO_DATA_MBLK:
1122 ret = sha2_digest_final_mblk(
1123 &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, mac,
1124 digest_len, digest);
1125 break;
1126 default:
1127 ret = CRYPTO_ARGUMENTS_BAD;
1128 }
1129
1130 if (ret == CRYPTO_SUCCESS)
1131 mac->cd_length = digest_len;
1132 else
1133 mac->cd_length = 0;
1134
1135 bzero(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1136 kmem_free(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1137 ctx->cc_provider_private = NULL;
1138
1139 return (ret);
1140 }
1141
1142 #define SHA2_MAC_UPDATE(data, ctx, ret) { \
1143 switch (data->cd_format) { \
1144 case CRYPTO_DATA_RAW: \
1145 SHA2Update(&(ctx).hc_icontext, \
1146 (uint8_t *)data->cd_raw.iov_base + \
1147 data->cd_offset, data->cd_length); \
1148 break; \
1149 case CRYPTO_DATA_UIO: \
1150 ret = sha2_digest_update_uio(&(ctx).hc_icontext, data); \
1151 break; \
1152 case CRYPTO_DATA_MBLK: \
1153 ret = sha2_digest_update_mblk(&(ctx).hc_icontext, \
1154 data); \
1155 break; \
1156 default: \
1157 ret = CRYPTO_ARGUMENTS_BAD; \
1158 } \
1159 }
1160
1161 /* ARGSUSED */
1162 static int
sha2_mac_atomic(crypto_provider_handle_t provider,crypto_session_id_t session_id,crypto_mechanism_t * mechanism,crypto_key_t * key,crypto_data_t * data,crypto_data_t * mac,crypto_spi_ctx_template_t ctx_template,crypto_req_handle_t req)1163 sha2_mac_atomic(crypto_provider_handle_t provider,
1164 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1165 crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1166 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1167 {
1168 int ret = CRYPTO_SUCCESS;
1169 uchar_t digest[SHA512_DIGEST_LENGTH];
1170 sha2_hmac_ctx_t sha2_hmac_ctx;
1171 uint32_t sha_digest_len, digest_len, sha_hmac_block_size;
1172 uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1173
1174 /*
1175 * Set the digest length and block size to values appropriate to the
1176 * mechanism
1177 */
1178 switch (mechanism->cm_type) {
1179 case SHA256_HMAC_MECH_INFO_TYPE:
1180 case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1181 sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1182 sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1183 break;
1184 case SHA384_HMAC_MECH_INFO_TYPE:
1185 case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1186 case SHA512_HMAC_MECH_INFO_TYPE:
1187 case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1188 sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1189 sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1190 break;
1191 default:
1192 return (CRYPTO_MECHANISM_INVALID);
1193 }
1194
1195 /* Add support for key by attributes (RFE 4706552) */
1196 if (key->ck_format != CRYPTO_KEY_RAW)
1197 return (CRYPTO_ARGUMENTS_BAD);
1198
1199 if (ctx_template != NULL) {
1200 /* reuse context template */
1201 bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1202 } else {
1203 sha2_hmac_ctx.hc_mech_type = mechanism->cm_type;
1204 /* no context template, initialize context */
1205 if (keylen_in_bytes > sha_hmac_block_size) {
1206 /*
1207 * Hash the passed-in key to get a smaller key.
1208 * The inner context is used since it hasn't been
1209 * initialized yet.
1210 */
1211 PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1212 &sha2_hmac_ctx.hc_icontext,
1213 key->ck_data, keylen_in_bytes, digest);
1214 sha2_mac_init_ctx(&sha2_hmac_ctx, digest,
1215 sha_digest_len);
1216 } else {
1217 sha2_mac_init_ctx(&sha2_hmac_ctx, key->ck_data,
1218 keylen_in_bytes);
1219 }
1220 }
1221
1222 /* get the mechanism parameters, if applicable */
1223 if ((mechanism->cm_type % 3) == 2) {
1224 if (mechanism->cm_param == NULL ||
1225 mechanism->cm_param_len != sizeof (ulong_t)) {
1226 ret = CRYPTO_MECHANISM_PARAM_INVALID;
1227 goto bail;
1228 }
1229 PROV_SHA2_GET_DIGEST_LEN(mechanism, digest_len);
1230 if (digest_len > sha_digest_len) {
1231 ret = CRYPTO_MECHANISM_PARAM_INVALID;
1232 goto bail;
1233 }
1234 }
1235
1236 /* do a SHA2 update of the inner context using the specified data */
1237 SHA2_MAC_UPDATE(data, sha2_hmac_ctx, ret);
1238 if (ret != CRYPTO_SUCCESS)
1239 /* the update failed, free context and bail */
1240 goto bail;
1241
1242 /*
1243 * Do a SHA2 final on the inner context.
1244 */
1245 SHA2Final(digest, &sha2_hmac_ctx.hc_icontext);
1246
1247 /*
1248 * Do an SHA2 update on the outer context, feeding the inner
1249 * digest as data.
1250 *
1251 * HMAC-SHA384 needs special handling as the outer hash needs only 48
1252 * bytes of the inner hash value.
1253 */
1254 if (mechanism->cm_type == SHA384_HMAC_MECH_INFO_TYPE ||
1255 mechanism->cm_type == SHA384_HMAC_GEN_MECH_INFO_TYPE)
1256 SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest,
1257 SHA384_DIGEST_LENGTH);
1258 else
1259 SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, sha_digest_len);
1260
1261 /*
1262 * Do a SHA2 final on the outer context, storing the computed
1263 * digest in the users buffer.
1264 */
1265 switch (mac->cd_format) {
1266 case CRYPTO_DATA_RAW:
1267 if (digest_len != sha_digest_len) {
1268 /*
1269 * The caller requested a short digest. Digest
1270 * into a scratch buffer and return to
1271 * the user only what was requested.
1272 */
1273 SHA2Final(digest, &sha2_hmac_ctx.hc_ocontext);
1274 bcopy(digest, (unsigned char *)mac->cd_raw.iov_base +
1275 mac->cd_offset, digest_len);
1276 } else {
1277 SHA2Final((unsigned char *)mac->cd_raw.iov_base +
1278 mac->cd_offset, &sha2_hmac_ctx.hc_ocontext);
1279 }
1280 break;
1281 case CRYPTO_DATA_UIO:
1282 ret = sha2_digest_final_uio(&sha2_hmac_ctx.hc_ocontext, mac,
1283 digest_len, digest);
1284 break;
1285 case CRYPTO_DATA_MBLK:
1286 ret = sha2_digest_final_mblk(&sha2_hmac_ctx.hc_ocontext, mac,
1287 digest_len, digest);
1288 break;
1289 default:
1290 ret = CRYPTO_ARGUMENTS_BAD;
1291 }
1292
1293 if (ret == CRYPTO_SUCCESS) {
1294 mac->cd_length = digest_len;
1295 return (CRYPTO_SUCCESS);
1296 }
1297 bail:
1298 bzero(&sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1299 mac->cd_length = 0;
1300 return (ret);
1301 }
1302
1303 /* ARGSUSED */
1304 static int
sha2_mac_verify_atomic(crypto_provider_handle_t provider,crypto_session_id_t session_id,crypto_mechanism_t * mechanism,crypto_key_t * key,crypto_data_t * data,crypto_data_t * mac,crypto_spi_ctx_template_t ctx_template,crypto_req_handle_t req)1305 sha2_mac_verify_atomic(crypto_provider_handle_t provider,
1306 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1307 crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1308 crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1309 {
1310 int ret = CRYPTO_SUCCESS;
1311 uchar_t digest[SHA512_DIGEST_LENGTH];
1312 sha2_hmac_ctx_t sha2_hmac_ctx;
1313 uint32_t sha_digest_len, digest_len, sha_hmac_block_size;
1314 uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1315
1316 /*
1317 * Set the digest length and block size to values appropriate to the
1318 * mechanism
1319 */
1320 switch (mechanism->cm_type) {
1321 case SHA256_HMAC_MECH_INFO_TYPE:
1322 case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1323 sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1324 sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1325 break;
1326 case SHA384_HMAC_MECH_INFO_TYPE:
1327 case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1328 case SHA512_HMAC_MECH_INFO_TYPE:
1329 case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1330 sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1331 sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1332 break;
1333 default:
1334 return (CRYPTO_MECHANISM_INVALID);
1335 }
1336
1337 /* Add support for key by attributes (RFE 4706552) */
1338 if (key->ck_format != CRYPTO_KEY_RAW)
1339 return (CRYPTO_ARGUMENTS_BAD);
1340
1341 if (ctx_template != NULL) {
1342 /* reuse context template */
1343 bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1344 } else {
1345 sha2_hmac_ctx.hc_mech_type = mechanism->cm_type;
1346 /* no context template, initialize context */
1347 if (keylen_in_bytes > sha_hmac_block_size) {
1348 /*
1349 * Hash the passed-in key to get a smaller key.
1350 * The inner context is used since it hasn't been
1351 * initialized yet.
1352 */
1353 PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1354 &sha2_hmac_ctx.hc_icontext,
1355 key->ck_data, keylen_in_bytes, digest);
1356 sha2_mac_init_ctx(&sha2_hmac_ctx, digest,
1357 sha_digest_len);
1358 } else {
1359 sha2_mac_init_ctx(&sha2_hmac_ctx, key->ck_data,
1360 keylen_in_bytes);
1361 }
1362 }
1363
1364 /* get the mechanism parameters, if applicable */
1365 if (mechanism->cm_type % 3 == 2) {
1366 if (mechanism->cm_param == NULL ||
1367 mechanism->cm_param_len != sizeof (ulong_t)) {
1368 ret = CRYPTO_MECHANISM_PARAM_INVALID;
1369 goto bail;
1370 }
1371 PROV_SHA2_GET_DIGEST_LEN(mechanism, digest_len);
1372 if (digest_len > sha_digest_len) {
1373 ret = CRYPTO_MECHANISM_PARAM_INVALID;
1374 goto bail;
1375 }
1376 }
1377
1378 if (mac->cd_length != digest_len) {
1379 ret = CRYPTO_INVALID_MAC;
1380 goto bail;
1381 }
1382
1383 /* do a SHA2 update of the inner context using the specified data */
1384 SHA2_MAC_UPDATE(data, sha2_hmac_ctx, ret);
1385 if (ret != CRYPTO_SUCCESS)
1386 /* the update failed, free context and bail */
1387 goto bail;
1388
1389 /* do a SHA2 final on the inner context */
1390 SHA2Final(digest, &sha2_hmac_ctx.hc_icontext);
1391
1392 /*
1393 * Do an SHA2 update on the outer context, feeding the inner
1394 * digest as data.
1395 *
1396 * HMAC-SHA384 needs special handling as the outer hash needs only 48
1397 * bytes of the inner hash value.
1398 */
1399 if (mechanism->cm_type == SHA384_HMAC_MECH_INFO_TYPE ||
1400 mechanism->cm_type == SHA384_HMAC_GEN_MECH_INFO_TYPE)
1401 SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest,
1402 SHA384_DIGEST_LENGTH);
1403 else
1404 SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, sha_digest_len);
1405
1406 /*
1407 * Do a SHA2 final on the outer context, storing the computed
1408 * digest in the users buffer.
1409 */
1410 SHA2Final(digest, &sha2_hmac_ctx.hc_ocontext);
1411
1412 /*
1413 * Compare the computed digest against the expected digest passed
1414 * as argument.
1415 */
1416
1417 switch (mac->cd_format) {
1418
1419 case CRYPTO_DATA_RAW:
1420 if (bcmp(digest, (unsigned char *)mac->cd_raw.iov_base +
1421 mac->cd_offset, digest_len) != 0)
1422 ret = CRYPTO_INVALID_MAC;
1423 break;
1424
1425 case CRYPTO_DATA_UIO: {
1426 off_t offset = mac->cd_offset;
1427 uint_t vec_idx;
1428 off_t scratch_offset = 0;
1429 size_t length = digest_len;
1430 size_t cur_len;
1431
1432 /* we support only kernel buffer */
1433 if (mac->cd_uio->uio_segflg != UIO_SYSSPACE)
1434 return (CRYPTO_ARGUMENTS_BAD);
1435
1436 /* jump to the first iovec containing the expected digest */
1437 for (vec_idx = 0;
1438 offset >= mac->cd_uio->uio_iov[vec_idx].iov_len &&
1439 vec_idx < mac->cd_uio->uio_iovcnt;
1440 offset -= mac->cd_uio->uio_iov[vec_idx++].iov_len)
1441 ;
1442 if (vec_idx == mac->cd_uio->uio_iovcnt) {
1443 /*
1444 * The caller specified an offset that is
1445 * larger than the total size of the buffers
1446 * it provided.
1447 */
1448 ret = CRYPTO_DATA_LEN_RANGE;
1449 break;
1450 }
1451
1452 /* do the comparison of computed digest vs specified one */
1453 while (vec_idx < mac->cd_uio->uio_iovcnt && length > 0) {
1454 cur_len = MIN(mac->cd_uio->uio_iov[vec_idx].iov_len -
1455 offset, length);
1456
1457 if (bcmp(digest + scratch_offset,
1458 mac->cd_uio->uio_iov[vec_idx].iov_base + offset,
1459 cur_len) != 0) {
1460 ret = CRYPTO_INVALID_MAC;
1461 break;
1462 }
1463
1464 length -= cur_len;
1465 vec_idx++;
1466 scratch_offset += cur_len;
1467 offset = 0;
1468 }
1469 break;
1470 }
1471
1472 case CRYPTO_DATA_MBLK: {
1473 off_t offset = mac->cd_offset;
1474 mblk_t *mp;
1475 off_t scratch_offset = 0;
1476 size_t length = digest_len;
1477 size_t cur_len;
1478
1479 /* jump to the first mblk_t containing the expected digest */
1480 for (mp = mac->cd_mp; mp != NULL && offset >= MBLKL(mp);
1481 offset -= MBLKL(mp), mp = mp->b_cont)
1482 ;
1483 if (mp == NULL) {
1484 /*
1485 * The caller specified an offset that is larger than
1486 * the total size of the buffers it provided.
1487 */
1488 ret = CRYPTO_DATA_LEN_RANGE;
1489 break;
1490 }
1491
1492 while (mp != NULL && length > 0) {
1493 cur_len = MIN(MBLKL(mp) - offset, length);
1494 if (bcmp(digest + scratch_offset,
1495 mp->b_rptr + offset, cur_len) != 0) {
1496 ret = CRYPTO_INVALID_MAC;
1497 break;
1498 }
1499
1500 length -= cur_len;
1501 mp = mp->b_cont;
1502 scratch_offset += cur_len;
1503 offset = 0;
1504 }
1505 break;
1506 }
1507
1508 default:
1509 ret = CRYPTO_ARGUMENTS_BAD;
1510 }
1511
1512 return (ret);
1513 bail:
1514 bzero(&sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1515 mac->cd_length = 0;
1516 return (ret);
1517 }
1518
1519 /*
1520 * KCF software provider context management entry points.
1521 */
1522
1523 /* ARGSUSED */
1524 static int
sha2_create_ctx_template(crypto_provider_handle_t provider,crypto_mechanism_t * mechanism,crypto_key_t * key,crypto_spi_ctx_template_t * ctx_template,size_t * ctx_template_size,crypto_req_handle_t req)1525 sha2_create_ctx_template(crypto_provider_handle_t provider,
1526 crypto_mechanism_t *mechanism, crypto_key_t *key,
1527 crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size,
1528 crypto_req_handle_t req)
1529 {
1530 sha2_hmac_ctx_t *sha2_hmac_ctx_tmpl;
1531 uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1532 uint32_t sha_digest_len, sha_hmac_block_size;
1533
1534 /*
1535 * Set the digest length and block size to values appropriate to the
1536 * mechanism
1537 */
1538 switch (mechanism->cm_type) {
1539 case SHA256_HMAC_MECH_INFO_TYPE:
1540 case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1541 sha_digest_len = SHA256_DIGEST_LENGTH;
1542 sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1543 break;
1544 case SHA384_HMAC_MECH_INFO_TYPE:
1545 case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1546 case SHA512_HMAC_MECH_INFO_TYPE:
1547 case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1548 sha_digest_len = SHA512_DIGEST_LENGTH;
1549 sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1550 break;
1551 default:
1552 return (CRYPTO_MECHANISM_INVALID);
1553 }
1554
1555 /* Add support for key by attributes (RFE 4706552) */
1556 if (key->ck_format != CRYPTO_KEY_RAW)
1557 return (CRYPTO_ARGUMENTS_BAD);
1558
1559 /*
1560 * Allocate and initialize SHA2 context.
1561 */
1562 sha2_hmac_ctx_tmpl = kmem_alloc(sizeof (sha2_hmac_ctx_t),
1563 crypto_kmflag(req));
1564 if (sha2_hmac_ctx_tmpl == NULL)
1565 return (CRYPTO_HOST_MEMORY);
1566
1567 sha2_hmac_ctx_tmpl->hc_mech_type = mechanism->cm_type;
1568
1569 if (keylen_in_bytes > sha_hmac_block_size) {
1570 uchar_t digested_key[SHA512_DIGEST_LENGTH];
1571
1572 /*
1573 * Hash the passed-in key to get a smaller key.
1574 * The inner context is used since it hasn't been
1575 * initialized yet.
1576 */
1577 PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1578 &sha2_hmac_ctx_tmpl->hc_icontext,
1579 key->ck_data, keylen_in_bytes, digested_key);
1580 sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, digested_key,
1581 sha_digest_len);
1582 } else {
1583 sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, key->ck_data,
1584 keylen_in_bytes);
1585 }
1586
1587 *ctx_template = (crypto_spi_ctx_template_t)sha2_hmac_ctx_tmpl;
1588 *ctx_template_size = sizeof (sha2_hmac_ctx_t);
1589
1590 return (CRYPTO_SUCCESS);
1591 }
1592
1593 static int
sha2_free_context(crypto_ctx_t * ctx)1594 sha2_free_context(crypto_ctx_t *ctx)
1595 {
1596 uint_t ctx_len;
1597
1598 if (ctx->cc_provider_private == NULL)
1599 return (CRYPTO_SUCCESS);
1600
1601 /*
1602 * We have to free either SHA2 or SHA2-HMAC contexts, which
1603 * have different lengths.
1604 *
1605 * Note: Below is dependent on the mechanism ordering.
1606 */
1607
1608 if (PROV_SHA2_CTX(ctx)->sc_mech_type % 3 == 0)
1609 ctx_len = sizeof (sha2_ctx_t);
1610 else
1611 ctx_len = sizeof (sha2_hmac_ctx_t);
1612
1613 bzero(ctx->cc_provider_private, ctx_len);
1614 kmem_free(ctx->cc_provider_private, ctx_len);
1615 ctx->cc_provider_private = NULL;
1616
1617 return (CRYPTO_SUCCESS);
1618 }
1619
1620 /*
1621 * SHA-2 Power-Up Self-Test
1622 */
1623 void
sha2_POST(int * rc)1624 sha2_POST(int *rc)
1625 {
1626
1627 *rc = fips_sha2_post();
1628
1629 }
1630