1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/errno.h> 28 #include <sys/kmem.h> 29 #include <sys/systm.h> 30 #define _SHA2_IMPL 31 #include <sys/sha2.h> 32 #include <sys/crypto/common.h> 33 #include <sys/cmn_err.h> 34 #ifndef _KERNEL 35 #include <stdlib.h> 36 #include <string.h> 37 #include <strings.h> 38 #include <stdio.h> 39 #include <security/cryptoki.h> 40 #include <cryptoutil.h> 41 #include "softMAC.h" 42 #endif 43 #include <sha2/sha2_impl.h> 44 45 46 /* 47 * fips_sha2_build_context() 48 * 49 * Description: 50 * This function allocates and initializes SHA2 context. 51 */ 52 #ifndef _KERNEL 53 SHA2_CTX * 54 fips_sha2_build_context(CK_MECHANISM_TYPE mechanism) 55 { 56 SHA2_CTX *sha2_context; 57 58 if ((sha2_context = malloc(sizeof (SHA2_CTX))) == NULL) 59 return (NULL); 60 61 switch (mechanism) { 62 case CKM_SHA256: 63 SHA2Init(SHA256, sha2_context); 64 break; 65 66 case CKM_SHA384: 67 SHA2Init(SHA384, sha2_context); 68 break; 69 70 case CKM_SHA512: 71 SHA2Init(SHA512, sha2_context); 72 break; 73 } 74 75 return (sha2_context); 76 } 77 78 #else 79 SHA2_CTX * 80 fips_sha2_build_context(sha2_mech_t mechanism) 81 { 82 SHA2_CTX *sha2_context; 83 84 if ((sha2_context = kmem_zalloc(sizeof (SHA2_CTX), 85 KM_SLEEP)) == NULL) 86 return (NULL); 87 88 switch (mechanism) { 89 case SHA256_TYPE: 90 SHA2Init(SHA256, sha2_context); 91 break; 92 93 case SHA384_TYPE: 94 SHA2Init(SHA384, sha2_context); 95 break; 96 97 case SHA512_TYPE: 98 SHA2Init(SHA512, sha2_context); 99 break; 100 } 101 102 return (sha2_context); 103 } 104 #endif 105 106 /* 107 * fips_sha2_hash() 108 * 109 * Arguments: 110 * sha2_context: pointer to SHA2 context 111 * in: pointer to the input data to be hashed 112 * inlen: length of the input data 113 * out: pointer to the output data after hashing 114 * 115 * Description: 116 * This function calls the low-level SHA2 routines for hashing. 117 * 118 */ 119 int 120 fips_sha2_hash(SHA2_CTX *sha2_context, uchar_t *in, 121 ulong_t inlen, uchar_t *out) 122 { 123 124 if (in != NULL) { 125 SHA2Update((SHA2_CTX *)sha2_context, in, inlen); 126 SHA2Final(out, (SHA2_CTX *)sha2_context); 127 return (CKR_OK); 128 } else { 129 return (CKR_ARGUMENTS_BAD); 130 } 131 } 132 133 #ifndef _KERNEL 134 soft_hmac_ctx_t * 135 fips_sha2_hmac_build_context(CK_MECHANISM_TYPE mechanism, 136 uint8_t *secret_key, 137 unsigned int secret_key_length) 138 { 139 140 soft_hmac_ctx_t *hmac_ctx; 141 142 hmac_ctx = malloc(sizeof (soft_hmac_ctx_t)); 143 144 if (hmac_ctx == NULL) { 145 return (NULL); 146 } 147 148 switch (mechanism) { 149 case CKM_SHA256_HMAC: 150 { 151 uint64_t sha_ipad[SHA256_HMAC_INTS_PER_BLOCK]; 152 uint64_t sha_opad[SHA256_HMAC_INTS_PER_BLOCK]; 153 154 hmac_ctx->hmac_len = SHA256_DIGEST_LENGTH; 155 bzero(sha_ipad, SHA256_HMAC_BLOCK_SIZE); 156 bzero(sha_opad, SHA256_HMAC_BLOCK_SIZE); 157 158 (void) memcpy(sha_ipad, secret_key, secret_key_length); 159 (void) memcpy(sha_opad, secret_key, secret_key_length); 160 161 sha2_hmac_ctx_init(CKM_TO_SHA2(mechanism), 162 &hmac_ctx->hc_ctx_u.sha2_ctx, 163 sha_ipad, sha_opad, 164 SHA256_HMAC_INTS_PER_BLOCK, 165 SHA256_HMAC_BLOCK_SIZE); 166 167 break; 168 } 169 170 case CKM_SHA384_HMAC: 171 { 172 uint64_t sha_ipad[SHA512_HMAC_INTS_PER_BLOCK]; 173 uint64_t sha_opad[SHA512_HMAC_INTS_PER_BLOCK]; 174 175 hmac_ctx->hmac_len = SHA384_DIGEST_LENGTH; 176 bzero(sha_ipad, SHA512_HMAC_BLOCK_SIZE); 177 bzero(sha_opad, SHA512_HMAC_BLOCK_SIZE); 178 179 (void) memcpy(sha_ipad, secret_key, secret_key_length); 180 (void) memcpy(sha_opad, secret_key, secret_key_length); 181 182 sha2_hmac_ctx_init(CKM_TO_SHA2(mechanism), 183 &hmac_ctx->hc_ctx_u.sha2_ctx, 184 sha_ipad, sha_opad, 185 SHA512_HMAC_INTS_PER_BLOCK, 186 SHA512_HMAC_BLOCK_SIZE); 187 break; 188 } 189 190 case CKM_SHA512_HMAC: 191 { 192 uint64_t sha_ipad[SHA512_HMAC_INTS_PER_BLOCK]; 193 uint64_t sha_opad[SHA512_HMAC_INTS_PER_BLOCK]; 194 195 hmac_ctx->hmac_len = SHA512_DIGEST_LENGTH; 196 bzero(sha_ipad, SHA512_HMAC_BLOCK_SIZE); 197 bzero(sha_opad, SHA512_HMAC_BLOCK_SIZE); 198 199 (void) memcpy(sha_ipad, secret_key, secret_key_length); 200 (void) memcpy(sha_opad, secret_key, secret_key_length); 201 202 sha2_hmac_ctx_init(CKM_TO_SHA2(mechanism), 203 &hmac_ctx->hc_ctx_u.sha2_ctx, 204 sha_ipad, sha_opad, 205 SHA512_HMAC_INTS_PER_BLOCK, 206 SHA512_HMAC_BLOCK_SIZE); 207 208 break; 209 } 210 } 211 212 return (hmac_ctx); 213 } 214 215 CK_RV 216 fips_hmac_sha2_hash(unsigned char *hmac_computed, 217 uint8_t *secret_key, 218 unsigned int secret_key_length, 219 uint8_t *message, 220 unsigned int message_length, 221 CK_MECHANISM_TYPE mechanism) 222 { 223 224 soft_hmac_ctx_t *hmac_ctx = NULL; 225 226 hmac_ctx = fips_sha2_hmac_build_context(mechanism, 227 secret_key, secret_key_length); 228 229 if (hmac_ctx == NULL) 230 return (CKR_HOST_MEMORY); 231 232 switch (mechanism) { 233 case CKM_SHA256_HMAC: 234 if (message != NULL) 235 SHA2Update(&(hmac_ctx->hc_ctx_u.sha2_ctx.hc_icontext), 236 message, message_length); 237 238 SOFT_MAC_FINAL_2(SHA256, &(hmac_ctx->hc_ctx_u.sha2_ctx), 239 hmac_computed); 240 break; 241 242 case CKM_SHA384_HMAC: 243 if (message != NULL) 244 SHA2Update(&(hmac_ctx->hc_ctx_u.sha2_ctx.hc_icontext), 245 message, message_length); 246 247 SOFT_MAC_FINAL_2(SHA384, &(hmac_ctx->hc_ctx_u.sha2_ctx), 248 hmac_computed); 249 break; 250 251 case CKM_SHA512_HMAC: 252 if (message != NULL) 253 SHA2Update(&(hmac_ctx->hc_ctx_u.sha2_ctx.hc_icontext), 254 message, message_length); 255 256 SOFT_MAC_FINAL_2(SHA512, &(hmac_ctx->hc_ctx_u.sha2_ctx), 257 hmac_computed); 258 break; 259 } 260 261 free(hmac_ctx); 262 return (CKR_OK); 263 } 264 265 #else 266 267 /* 268 * Initialize a SHA2-HMAC context. 269 */ 270 void 271 sha2_mac_init_ctx(sha2_hmac_ctx_t *ctx, void *keyval, uint_t length_in_bytes) 272 { 273 uint64_t ipad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)]; 274 uint64_t opad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)]; 275 int i, block_size, blocks_per_int64; 276 277 /* Determine the block size */ 278 if (ctx->hc_mech_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE) { 279 block_size = SHA256_HMAC_BLOCK_SIZE; 280 blocks_per_int64 = SHA256_HMAC_BLOCK_SIZE / sizeof (uint64_t); 281 } else { 282 block_size = SHA512_HMAC_BLOCK_SIZE; 283 blocks_per_int64 = SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t); 284 } 285 286 (void) bzero(ipad, block_size); 287 (void) bzero(opad, block_size); 288 (void) bcopy(keyval, ipad, length_in_bytes); 289 (void) bcopy(keyval, opad, length_in_bytes); 290 291 /* XOR key with ipad (0x36) and opad (0x5c) */ 292 for (i = 0; i < blocks_per_int64; i ++) { 293 ipad[i] ^= 0x3636363636363636; 294 opad[i] ^= 0x5c5c5c5c5c5c5c5c; 295 } 296 297 /* perform SHA2 on ipad */ 298 SHA2Init(ctx->hc_mech_type, &ctx->hc_icontext); 299 SHA2Update(&ctx->hc_icontext, (uint8_t *)ipad, block_size); 300 301 /* perform SHA2 on opad */ 302 SHA2Init(ctx->hc_mech_type, &ctx->hc_ocontext); 303 SHA2Update(&ctx->hc_ocontext, (uint8_t *)opad, block_size); 304 305 } 306 307 sha2_hmac_ctx_t * 308 fips_sha2_hmac_build_context(sha2_mech_t mechanism, 309 uint8_t *secret_key, 310 unsigned int secret_key_length) 311 { 312 sha2_hmac_ctx_t *sha2_hmac_ctx_tmpl; 313 314 /* 315 * Allocate and initialize SHA2 context. 316 */ 317 sha2_hmac_ctx_tmpl = kmem_alloc(sizeof (sha2_hmac_ctx_t), 318 KM_SLEEP); 319 if (sha2_hmac_ctx_tmpl == NULL) 320 return (NULL); 321 322 switch (mechanism) { 323 case SHA256_TYPE: 324 sha2_hmac_ctx_tmpl->hc_mech_type = 325 SHA256_HMAC_MECH_INFO_TYPE; 326 break; 327 328 case SHA384_TYPE: 329 sha2_hmac_ctx_tmpl->hc_mech_type = 330 SHA384_HMAC_MECH_INFO_TYPE; 331 break; 332 333 case SHA512_TYPE: 334 sha2_hmac_ctx_tmpl->hc_mech_type = 335 SHA512_HMAC_MECH_INFO_TYPE; 336 break; 337 } 338 339 /* 340 * initialize ctx->hc_icontext and ctx->hc_ocontext 341 */ 342 sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, secret_key, 343 secret_key_length); 344 345 return (sha2_hmac_ctx_tmpl); 346 } 347 348 void 349 fips_hmac_sha2_hash(sha2_hmac_ctx_t *sha2_hmac_ctx, 350 uint8_t *message, 351 uint32_t message_len, 352 uint8_t *hmac_computed, 353 sha2_mech_t mechanism) 354 355 { 356 357 SHA2Update(&((sha2_hmac_ctx)->hc_icontext), message, 358 message_len); 359 SHA2Final(hmac_computed, &((sha2_hmac_ctx)->hc_icontext)); 360 361 switch (mechanism) { 362 case SHA256_TYPE: 363 SHA2Update(&((sha2_hmac_ctx)->hc_ocontext), 364 hmac_computed, SHA256_DIGEST_LENGTH); 365 break; 366 367 case SHA384_TYPE: 368 SHA2Update(&((sha2_hmac_ctx)->hc_ocontext), 369 hmac_computed, SHA384_DIGEST_LENGTH); 370 break; 371 372 case SHA512_TYPE: 373 SHA2Update(&((sha2_hmac_ctx)->hc_ocontext), 374 hmac_computed, SHA512_DIGEST_LENGTH); 375 break; 376 } 377 378 SHA2Final(hmac_computed, &((sha2_hmac_ctx)->hc_ocontext)); 379 } 380 381 #endif 382 383 /* 384 * SHA2 Power-On SelfTest(s). 385 */ 386 int 387 fips_sha2_post(void) 388 { 389 390 /* 391 * SHA-256 Known Hash Message (512-bits). 392 * Source from NIST SHA256ShortMsg (Len = 512) 393 */ 394 static uint8_t sha256_known_hash_message[] = { 395 0x35, 0x92, 0xec, 0xfd, 0x1e, 0xac, 0x61, 0x8f, 396 0xd3, 0x90, 0xe7, 0xa9, 0xc2, 0x4b, 0x65, 0x65, 397 0x32, 0x50, 0x93, 0x67, 0xc2, 0x1a, 0x0e, 0xac, 398 0x12, 0x12, 0xac, 0x83, 0xc0, 0xb2, 0x0c, 0xd8, 399 0x96, 0xeb, 0x72, 0xb8, 0x01, 0xc4, 0xd2, 0x12, 400 0xc5, 0x45, 0x2b, 0xbb, 0xf0, 0x93, 0x17, 0xb5, 401 0x0c, 0x5c, 0x9f, 0xb1, 0x99, 0x75, 0x53, 0xd2, 402 0xbb, 0xc2, 0x9b, 0xb4, 0x2f, 0x57, 0x48, 0xad 403 }; 404 405 /* known SHA256 Digest Message (32 bytes) */ 406 static uint8_t known_sha256_digest[] = { 407 0x10, 0x5a, 0x60, 0x86, 0x58, 0x30, 0xac, 0x3a, 408 0x37, 0x1d, 0x38, 0x43, 0x32, 0x4d, 0x4b, 0xb5, 409 0xfa, 0x8e, 0xc0, 0xe0, 0x2d, 0xda, 0xa3, 0x89, 410 0xad, 0x8d, 0xa4, 0xf1, 0x02, 0x15, 0xc4, 0x54 411 }; 412 413 /* 414 * SHA-384 Known Hash Message (512-bits). 415 * Source from NIST SHA384ShortMsg (Len = 512) 416 */ 417 static uint8_t sha384_known_hash_message[] = { 418 0x58, 0xbe, 0xab, 0xf9, 0x79, 0xab, 0x35, 0xab, 419 0xba, 0x29, 0x37, 0x6d, 0x5d, 0xc2, 0x27, 0xab, 420 0xb3, 0xd2, 0xff, 0x4d, 0x90, 0x30, 0x49, 0x82, 421 0xfc, 0x10, 0x79, 0xbc, 0x2b, 0x28, 0x80, 0xfc, 422 0xb0, 0x12, 0x9e, 0x4f, 0xed, 0xf2, 0x78, 0x98, 423 0xce, 0x58, 0x6a, 0x91, 0xb7, 0x68, 0x1e, 0x0d, 424 0xba, 0x38, 0x5e, 0x80, 0x0e, 0x79, 0x26, 0xc0, 425 0xbc, 0x5a, 0xfe, 0x0d, 0x9c, 0xa9, 0x86, 0x50 426 }; 427 428 /* known SHA384 Digest Message (48 bytes) */ 429 static uint8_t known_sha384_digest[] = { 430 0xa0, 0x88, 0x8e, 0x1c, 0x4d, 0x7e, 0x80, 0xcb, 431 0xaa, 0xaf, 0xa8, 0xbb, 0x1c, 0xa1, 0xca, 0x91, 432 0x2a, 0x93, 0x21, 0x75, 0xc2, 0xef, 0x98, 0x2c, 433 0xe1, 0xf1, 0x23, 0xa8, 0xc1, 0xae, 0xe9, 0x63, 434 0x5a, 0xd7, 0x5b, 0xe5, 0x25, 0x90, 0xa9, 0x24, 435 0xbe, 0xd3, 0xf5, 0xec, 0x36, 0xc3, 0x56, 0x90 436 }; 437 438 /* 439 * SHA-512 Known Hash Message (512-bits). 440 * Source from NIST SHA512ShortMsg (Len = 512) 441 */ 442 static uint8_t sha512_known_hash_message[] = { 443 0x09, 0x5c, 0x7f, 0x30, 0x82, 0x4f, 0xc9, 0x28, 444 0x58, 0xcc, 0x93, 0x47, 0xc0, 0x85, 0xd5, 0x78, 445 0x88, 0x5f, 0xf3, 0x61, 0x4d, 0xd3, 0x8e, 0xe7, 446 0xee, 0x94, 0xa0, 0xf4, 0x40, 0x72, 0xc8, 0x77, 447 0x04, 0x7e, 0xe2, 0xad, 0x16, 0x6f, 0xdb, 0xa0, 448 0xe7, 0x44, 0xc3, 0xed, 0x2c, 0x2b, 0x24, 0xc9, 449 0xd8, 0xa2, 0x93, 0x46, 0x48, 0xdc, 0x84, 0xd3, 450 0xbe, 0x66, 0x63, 0x02, 0x11, 0x0a, 0xe0, 0x8f 451 }; 452 453 /* known SHA512 Digest Message (64 bytes) */ 454 static uint8_t known_sha512_digest[] = { 455 0xd5, 0xcd, 0xaf, 0x83, 0xbb, 0x4a, 0x27, 0xea, 456 0xad, 0x8d, 0x8f, 0x18, 0xe4, 0xbe, 0xe9, 0xc2, 457 0x5b, 0xe9, 0x49, 0xa7, 0x61, 0xa0, 0xfd, 0x0f, 458 0xb2, 0x28, 0x4c, 0xab, 0x14, 0x3c, 0xad, 0x60, 459 0xbe, 0xb5, 0x68, 0x87, 0x34, 0xb2, 0xf8, 0x1e, 460 0x9e, 0x2d, 0x64, 0x0b, 0x42, 0x5f, 0xd3, 0x2c, 461 0xcb, 0x3d, 0x20, 0xd0, 0x2d, 0x63, 0xc2, 0xc9, 462 0x4c, 0x03, 0xab, 0x3d, 0x9e, 0x7d, 0x9b, 0x4a 463 }; 464 465 /* SHA-2 HMAC Test Vectors */ 466 467 /* 468 * SHA-256 HMAC Known Hash Message (512-bits). 469 */ 470 static uint8_t sha256_hmac_known_hash_message[] = { 471 0x54, 0x68, 0x65, 0x20, 0x74, 0x65, 0x73, 0x74, 472 0x20, 0x6D, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 473 0x20, 0x66, 0x6F, 0x72, 0x20, 0x74, 0x68, 0x65, 474 0x20, 0x4D, 0x44, 0x32, 0x2C, 0x20, 0x4D, 0x44, 475 0x35, 0x2C, 0x20, 0x61, 0x6E, 0x64, 0x20, 0x53, 476 0x48, 0x41, 0x2D, 0x31, 0x20, 0x68, 0x61, 0x73, 477 0x68, 0x69, 0x6E, 0x67, 0x20, 0x61, 0x6C, 0x67, 478 0x6F, 0x72, 0x69, 0x74, 0x68, 0x6D, 0x73, 0x2E 479 }; 480 481 static uint8_t sha256_hmac_known_secret_key[] = { 482 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 483 0x74, 0x68, 0x65, 0x20, 0x53, 0x48, 0x41, 0x2D, 484 0x32, 0x35, 0x36, 0x20, 0x48, 0x4D, 0x41, 0x43, 485 0x20, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x20, 486 0x6B, 0x65, 0x79, 0x21 487 }; 488 489 static uint8_t sha256_hmac_known_secret_key_length 490 = sizeof (sha256_hmac_known_secret_key); 491 492 493 /* known SHA256 hmac (32 bytes) */ 494 static uint8_t known_sha256_hmac[] = { 495 0x02, 0x87, 0x21, 0x93, 0x84, 0x8a, 0x35, 0xae, 496 0xdb, 0xb6, 0x79, 0x26, 0x96, 0xf0, 0x50, 0xeb, 497 0x33, 0x49, 0x57, 0xf1, 0xb2, 0x32, 0xd3, 0x63, 498 0x03, 0x65, 0x57, 0xa2, 0xba, 0xa2, 0x5f, 0x35 499 }; 500 501 /* 502 * SHA-384 HMAC Known Hash Message (512-bits). 503 * Source from NIST HMAC.txt (Count = 15, Klen = 16, Tlen = 48) 504 */ 505 static uint8_t sha384_hmac_known_secret_key[] = { 506 0x01, 0xac, 0x59, 0xf4, 0x2f, 0x8b, 0xb9, 0x1d, 507 0x1b, 0xd1, 0x0f, 0xe6, 0x99, 0x0d, 0x7a, 0x87 508 }; 509 510 static uint8_t sha384_hmac_known_secret_key_length 511 = sizeof (sha384_hmac_known_secret_key); 512 513 static uint8_t sha384_hmac_known_hash_message[] = { 514 0x3c, 0xaf, 0x18, 0xc4, 0x76, 0xed, 0xd5, 0x61, 515 0x5f, 0x34, 0x3a, 0xc7, 0xb7, 0xd3, 0xa9, 0xda, 516 0x9e, 0xfa, 0xde, 0x75, 0x56, 0x72, 0xd5, 0xba, 517 0x4b, 0x8a, 0xe8, 0xa7, 0x50, 0x55, 0x39, 0xea, 518 0x2c, 0x12, 0x4f, 0xf7, 0x55, 0xec, 0x04, 0x57, 519 0xfb, 0xe4, 0x9e, 0x43, 0x48, 0x0b, 0x3c, 0x71, 520 0xe7, 0xf4, 0x74, 0x2e, 0xc3, 0x69, 0x3a, 0xad, 521 0x11, 0x5d, 0x03, 0x9f, 0x90, 0x22, 0x2b, 0x03, 522 0x0f, 0xdc, 0x94, 0x40, 0x31, 0x36, 0x91, 0x71, 523 0x6d, 0x53, 0x02, 0x00, 0x58, 0x08, 0xc0, 0x76, 524 0x27, 0x48, 0x3b, 0x91, 0x6f, 0xdf, 0x61, 0x98, 525 0x30, 0x63, 0xc2, 0xeb, 0x12, 0x68, 0xf2, 0xde, 526 0xee, 0xf4, 0x2f, 0xc7, 0x90, 0x33, 0x44, 0x56, 527 0xbc, 0x6b, 0xad, 0x25, 0x6e, 0x31, 0xfc, 0x90, 528 0x66, 0xde, 0x7c, 0xc7, 0xe4, 0x3d, 0x13, 0x21, 529 0xb1, 0x86, 0x6d, 0xb4, 0x5e, 0x90, 0x56, 0x22 530 }; 531 532 /* known SHA384 hmac (48 bytes) */ 533 static uint8_t known_sha384_hmac[] = { 534 0x19, 0x85, 0xfa, 0x21, 0x63, 0xa5, 0x94, 0x3f, 535 0xc5, 0xd9, 0x2f, 0x1f, 0xe8, 0x83, 0x12, 0x15, 536 0xe7, 0xe9, 0x1f, 0x0b, 0xff, 0x53, 0x32, 0xbc, 537 0x71, 0x3a, 0x07, 0x2b, 0xdb, 0x3a, 0x8f, 0x9e, 538 0x5c, 0x51, 0x57, 0x46, 0x3a, 0x3b, 0xfe, 0xb3, 539 0x62, 0x31, 0x41, 0x6e, 0x65, 0x97, 0x3e, 0x64 540 }; 541 542 /* 543 * SHA-512 HMAC Known Hash Message (512-bits). 544 * Source from NIST HMAC.txt (Count = 30, Klen = 20, Tlen = 64) 545 */ 546 static uint8_t sha512_hmac_known_secret_key[] = { 547 0xa7, 0x36, 0xf2, 0x74, 0xfd, 0xa6, 0x8e, 0x1b, 548 0xd5, 0xf9, 0x47, 0x1e, 0x85, 0xfd, 0x41, 0x5d, 549 0x7f, 0x2b, 0xa1, 0xbc 550 }; 551 552 static uint8_t sha512_hmac_known_secret_key_length 553 = sizeof (sha512_hmac_known_secret_key); 554 555 static uint8_t sha512_hmac_known_hash_message[] = { 556 0xa6, 0xcc, 0xc3, 0x55, 0x2c, 0x33, 0xe9, 0x17, 557 0x8b, 0x6b, 0x82, 0xc6, 0x53, 0xd6, 0x3d, 0xe2, 558 0x54, 0x0f, 0x17, 0x08, 0x07, 0xc3, 0xd9, 0x6a, 559 0x2a, 0xc2, 0xe2, 0x7d, 0xab, 0x55, 0x26, 0xf1, 560 0xc7, 0xd3, 0x77, 0xe6, 0x73, 0x6f, 0x04, 0x5d, 561 0xfb, 0x54, 0x1f, 0xec, 0xe9, 0xf4, 0x43, 0xb7, 562 0x28, 0x9c, 0x55, 0x9b, 0x69, 0x4c, 0x2a, 0xac, 563 0xc6, 0xc7, 0x4a, 0xe2, 0xa5, 0xe6, 0xf3, 0x0f, 564 0xe0, 0x31, 0x61, 0x14, 0x23, 0xb0, 0x4d, 0x55, 565 0x95, 0xff, 0xb4, 0x6a, 0xba, 0xa1, 0xd9, 0x18, 566 0x98, 0x96, 0x8d, 0x7f, 0x18, 0x30, 0xae, 0x94, 567 0xb0, 0x22, 0xee, 0xd2, 0x3f, 0xda, 0xd5, 0x2d, 568 0x38, 0x11, 0x0a, 0x48, 0x03, 0xa0, 0xce, 0xe7, 569 0xa0, 0x95, 0xc9, 0xa7, 0x8e, 0x86, 0x09, 0xed, 570 0xeb, 0x25, 0x48, 0x1c, 0xdc, 0x15, 0x6d, 0x0b, 571 0x2f, 0xfc, 0x56, 0xb6, 0x3f, 0xda, 0xd5, 0x33 572 }; 573 574 /* known SHA512 hmac (64 bytes) */ 575 static uint8_t known_sha512_hmac[] = { 576 0xf7, 0x18, 0x03, 0x43, 0x1e, 0x07, 0xa5, 0xa6, 577 0xe5, 0xfd, 0x4a, 0xe4, 0xcf, 0xc2, 0x75, 0x3b, 578 0xc8, 0x0d, 0x26, 0xe1, 0x67, 0x23, 0xd9, 0xe8, 579 0x8b, 0x40, 0x5a, 0x02, 0x34, 0x8e, 0xf4, 0xb9, 580 0x67, 0x92, 0xc9, 0x9c, 0xed, 0x64, 0xdc, 0x70, 581 0xea, 0x47, 0x53, 0x78, 0xb7, 0x46, 0x6a, 0xc2, 582 0xca, 0xf4, 0xa4, 0x20, 0xb0, 0x1f, 0xf6, 0x1e, 583 0x72, 0xc5, 0xb5, 0xee, 0x8e, 0xaa, 0xd4, 0xd4 584 }; 585 586 /* SHA-2 variables. */ 587 uint8_t sha256_computed_digest[SHA256_DIGEST_LENGTH]; 588 uint8_t sha384_computed_digest[SHA384_DIGEST_LENGTH]; 589 uint8_t sha512_computed_digest[SHA512_DIGEST_LENGTH]; 590 591 uint8_t hmac_computed[SHA512_DIGEST_LENGTH]; 592 SHA2_CTX *sha2_context = NULL; 593 594 #ifdef _KERNEL 595 sha2_hmac_ctx_t *sha2_hmac_ctx; 596 #endif 597 598 int rv; 599 600 /* 601 * SHA-2 Known Answer Hashing Test. 602 */ 603 604 /* SHA-256 POST */ 605 606 #ifdef _KERNEL 607 sha2_context = fips_sha2_build_context(SHA256_TYPE); 608 #else 609 sha2_context = fips_sha2_build_context(CKM_SHA256); 610 #endif 611 612 if (sha2_context == NULL) 613 return (CKR_HOST_MEMORY); 614 615 rv = fips_sha2_hash(sha2_context, 616 sha256_known_hash_message, 617 FIPS_KNOWN_HMAC_MESSAGE_LENGTH, 618 sha256_computed_digest); 619 620 if ((rv != CKR_OK) || 621 (memcmp(sha256_computed_digest, known_sha256_digest, 622 SHA256_DIGEST_LENGTH) != 0)) 623 return (CKR_DEVICE_ERROR); 624 625 /* SHA-384 POST */ 626 627 #ifdef _KERNEL 628 sha2_context = fips_sha2_build_context(SHA384_TYPE); 629 #else 630 sha2_context = fips_sha2_build_context(CKM_SHA384); 631 #endif 632 633 if (sha2_context == NULL) 634 return (CKR_HOST_MEMORY); 635 636 rv = fips_sha2_hash(sha2_context, 637 sha384_known_hash_message, 638 FIPS_KNOWN_HMAC_MESSAGE_LENGTH, 639 sha384_computed_digest); 640 641 if ((rv != CKR_OK) || 642 (memcmp(sha384_computed_digest, known_sha384_digest, 643 SHA384_DIGEST_LENGTH) != 0)) 644 return (CKR_DEVICE_ERROR); 645 646 /* SHA-512 POST */ 647 648 #ifdef _KERNEL 649 sha2_context = fips_sha2_build_context(SHA512_TYPE); 650 #else 651 sha2_context = fips_sha2_build_context(CKM_SHA512); 652 #endif 653 654 if (sha2_context == NULL) 655 return (CKR_HOST_MEMORY); 656 657 rv = fips_sha2_hash(sha2_context, 658 sha512_known_hash_message, 659 FIPS_KNOWN_HMAC_MESSAGE_LENGTH, 660 sha512_computed_digest); 661 662 if ((rv != CKR_OK) || 663 (memcmp(sha512_computed_digest, known_sha512_digest, 664 SHA512_DIGEST_LENGTH) != 0)) 665 return (CKR_DEVICE_ERROR); 666 667 /* 668 * SHA-2 HMAC Known Answer Hashing Test. 669 */ 670 671 /* HMAC SHA-256 POST */ 672 673 #ifdef _KERNEL 674 sha2_hmac_ctx = fips_sha2_hmac_build_context( 675 SHA256_TYPE, 676 sha256_hmac_known_secret_key, 677 sha256_hmac_known_secret_key_length); 678 679 if (sha2_hmac_ctx == NULL) 680 return (CKR_HOST_MEMORY); 681 682 fips_hmac_sha2_hash(sha2_hmac_ctx, 683 sha256_hmac_known_hash_message, 684 FIPS_KNOWN_HMAC_MESSAGE_LENGTH, 685 hmac_computed, 686 SHA256_TYPE); 687 688 if (memcmp(hmac_computed, known_sha256_hmac, 689 SHA256_DIGEST_LENGTH) != 0) 690 return (CKR_DEVICE_ERROR); 691 692 #else 693 rv = fips_hmac_sha2_hash(hmac_computed, 694 sha256_hmac_known_secret_key, 695 sha256_hmac_known_secret_key_length, 696 sha256_hmac_known_hash_message, 697 FIPS_KNOWN_HMAC_MESSAGE_LENGTH, 698 CKM_SHA256_HMAC); 699 700 if ((rv != CKR_OK) || 701 (memcmp(hmac_computed, known_sha256_hmac, 702 SHA256_DIGEST_LENGTH) != 0)) 703 return (CKR_DEVICE_ERROR); 704 705 #endif 706 707 /* HMAC SHA-384 POST */ 708 709 #ifdef _KERNEL 710 sha2_hmac_ctx = fips_sha2_hmac_build_context( 711 SHA384_TYPE, 712 sha384_hmac_known_secret_key, 713 sha384_hmac_known_secret_key_length); 714 715 if (sha2_hmac_ctx == NULL) 716 return (CKR_HOST_MEMORY); 717 718 fips_hmac_sha2_hash(sha2_hmac_ctx, 719 sha384_hmac_known_hash_message, 720 sizeof (sha384_hmac_known_hash_message), 721 hmac_computed, 722 SHA384_TYPE); 723 724 if (memcmp(hmac_computed, known_sha384_hmac, 725 SHA384_DIGEST_LENGTH) != 0) 726 return (CKR_DEVICE_ERROR); 727 #else 728 rv = fips_hmac_sha2_hash(hmac_computed, 729 sha384_hmac_known_secret_key, 730 sha384_hmac_known_secret_key_length, 731 sha384_hmac_known_hash_message, 732 sizeof (sha384_hmac_known_hash_message), 733 CKM_SHA384_HMAC); 734 735 if ((rv != CKR_OK) || 736 (memcmp(hmac_computed, known_sha384_hmac, 737 SHA384_DIGEST_LENGTH) != 0)) 738 return (CKR_DEVICE_ERROR); 739 740 #endif 741 742 /* HMAC SHA-512 POST */ 743 744 #ifdef _KERNEL 745 sha2_hmac_ctx = fips_sha2_hmac_build_context( 746 SHA512_TYPE, 747 sha512_hmac_known_secret_key, 748 sha512_hmac_known_secret_key_length); 749 750 if (sha2_hmac_ctx == NULL) 751 return (CKR_HOST_MEMORY); 752 753 fips_hmac_sha2_hash(sha2_hmac_ctx, 754 sha512_hmac_known_hash_message, 755 sizeof (sha512_hmac_known_hash_message), 756 hmac_computed, 757 SHA512_TYPE); 758 759 if (memcmp(hmac_computed, known_sha512_hmac, 760 SHA512_DIGEST_LENGTH) != 0) 761 return (CKR_DEVICE_ERROR); 762 763 #else 764 rv = fips_hmac_sha2_hash(hmac_computed, 765 sha512_hmac_known_secret_key, 766 sha512_hmac_known_secret_key_length, 767 sha512_hmac_known_hash_message, 768 sizeof (sha512_hmac_known_hash_message), 769 CKM_SHA512_HMAC); 770 771 if ((rv != CKR_OK) || 772 (memcmp(hmac_computed, known_sha512_hmac, 773 SHA512_DIGEST_LENGTH) != 0)) 774 return (CKR_DEVICE_ERROR); 775 776 #endif 777 778 return (CKR_OK); 779 } 780