1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  * Copyright (c) 2018, Joyent, Inc.
26  */
27 
28 #include <pthread.h>
29 #include <sys/md5.h>
30 #include <sys/sha1.h>
31 #include <sys/sha2.h>
32 #include <stdlib.h>
33 #include <string.h>
34 #include <strings.h>
35 #include <sys/types.h>
36 #include <security/cryptoki.h>
37 #include "softObject.h"
38 #include "softOps.h"
39 #include "softSession.h"
40 #include "softMAC.h"
41 
42 /*
43  * IPAD = 0x36 repeated 48 times for ssl md5, repeated 40 times for ssl sha1
44  * OPAD = 0x5C repeated 48 times for SSL md5, repeated 40 times for ssl sha1
45  */
46 const uint32_t md5_ssl_ipad[] = {
47 	0x36363636, 0x36363636, 0x36363636, 0x36363636, 0x36363636,
48 	0x36363636, 0x36363636, 0x36363636, 0x36363636, 0x36363636,
49 	0x36363636, 0x36363636};
50 const uint32_t sha1_ssl_ipad[] = {
51 	0x36363636, 0x36363636, 0x36363636, 0x36363636, 0x36363636,
52 	0x36363636, 0x36363636, 0x36363636, 0x36363636, 0x36363636};
53 const uint32_t md5_ssl_opad[] = {
54 	0x5c5c5c5c, 0x5c5c5c5c, 0x5c5c5c5c, 0x5c5c5c5c, 0x5c5c5c5c,
55 	0x5c5c5c5c, 0x5c5c5c5c, 0x5c5c5c5c, 0x5c5c5c5c, 0x5c5c5c5c,
56 	0x5c5c5c5c, 0x5c5c5c5c};
57 const uint32_t sha1_ssl_opad[] = {
58 	0x5c5c5c5c, 0x5c5c5c5c, 0x5c5c5c5c, 0x5c5c5c5c, 0x5c5c5c5c,
59 	0x5c5c5c5c, 0x5c5c5c5c, 0x5c5c5c5c, 0x5c5c5c5c, 0x5c5c5c5c};
60 
61 /*
62  * Allocate and initialize a HMAC context, and save the context pointer in
63  * the session struct. For General-length HMAC, checks the length in the
64  * parameter to see if it is in the right range.
65  */
66 CK_RV
soft_hmac_sign_verify_init_common(soft_session_t * session_p,CK_MECHANISM_PTR pMechanism,soft_object_t * key_p,boolean_t sign_op)67 soft_hmac_sign_verify_init_common(soft_session_t *session_p,
68     CK_MECHANISM_PTR pMechanism, soft_object_t *key_p, boolean_t sign_op)
69 {
70 
71 	soft_hmac_ctx_t *hmac_ctx;
72 	CK_RV rv = CKR_OK;
73 
74 	if ((key_p->class != CKO_SECRET_KEY) ||
75 	    (key_p->key_type != CKK_GENERIC_SECRET)) {
76 		return (CKR_KEY_TYPE_INCONSISTENT);
77 	}
78 
79 	hmac_ctx = malloc(sizeof (soft_hmac_ctx_t));
80 
81 	if (hmac_ctx == NULL) {
82 		return (CKR_HOST_MEMORY);
83 	}
84 
85 	switch (pMechanism->mechanism) {
86 	case CKM_MD5_HMAC:
87 		hmac_ctx->hmac_len = MD5_HASH_SIZE;
88 		break;
89 
90 	case CKM_SHA_1_HMAC:
91 		hmac_ctx->hmac_len = SHA1_HASH_SIZE;
92 		break;
93 
94 	case CKM_SHA256_HMAC:
95 		hmac_ctx->hmac_len = SHA256_DIGEST_LENGTH;
96 		break;
97 
98 	case CKM_SHA384_HMAC:
99 		hmac_ctx->hmac_len = SHA384_DIGEST_LENGTH;
100 		break;
101 
102 	case CKM_SHA512_HMAC:
103 		hmac_ctx->hmac_len = SHA512_DIGEST_LENGTH;
104 		break;
105 
106 	case CKM_MD5_HMAC_GENERAL:
107 	case CKM_SSL3_MD5_MAC:
108 		if ((pMechanism->ulParameterLen !=
109 		    sizeof (CK_MAC_GENERAL_PARAMS)) &&
110 		    (*(CK_MAC_GENERAL_PARAMS *)pMechanism->pParameter >
111 		    MD5_HASH_SIZE)) {
112 				free(hmac_ctx);
113 				return (CKR_MECHANISM_PARAM_INVALID);
114 			}
115 		hmac_ctx->hmac_len = *((CK_MAC_GENERAL_PARAMS_PTR)
116 		    pMechanism->pParameter);
117 		break;
118 
119 	case CKM_SSL3_SHA1_MAC:
120 	case CKM_SHA_1_HMAC_GENERAL:
121 		if ((pMechanism->ulParameterLen !=
122 		    sizeof (CK_MAC_GENERAL_PARAMS)) &&
123 		    (*(CK_MAC_GENERAL_PARAMS *)pMechanism->pParameter >
124 		    SHA1_HASH_SIZE)) {
125 			free(hmac_ctx);
126 			return (CKR_MECHANISM_PARAM_INVALID);
127 		}
128 		hmac_ctx->hmac_len = *((CK_MAC_GENERAL_PARAMS_PTR)
129 		    pMechanism->pParameter);
130 		break;
131 
132 	case CKM_SHA256_HMAC_GENERAL:
133 		if ((pMechanism->ulParameterLen !=
134 		    sizeof (CK_MAC_GENERAL_PARAMS)) &&
135 		    (*(CK_MAC_GENERAL_PARAMS *)pMechanism->pParameter >
136 		    SHA256_DIGEST_LENGTH)) {
137 			free(hmac_ctx);
138 			return (CKR_MECHANISM_PARAM_INVALID);
139 		}
140 		hmac_ctx->hmac_len = *((CK_MAC_GENERAL_PARAMS_PTR)
141 		    pMechanism->pParameter);
142 		break;
143 
144 	case CKM_SHA384_HMAC_GENERAL:
145 	case CKM_SHA512_HMAC_GENERAL:
146 		if ((pMechanism->ulParameterLen !=
147 		    sizeof (CK_MAC_GENERAL_PARAMS)) &&
148 		    (*(CK_MAC_GENERAL_PARAMS *)pMechanism->pParameter >
149 		    SHA512_DIGEST_LENGTH)) {
150 			free(hmac_ctx);
151 			return (CKR_MECHANISM_PARAM_INVALID);
152 		}
153 
154 		hmac_ctx->hmac_len = *((CK_MAC_GENERAL_PARAMS_PTR)
155 		    pMechanism->pParameter);
156 		break;
157 
158 	}
159 
160 
161 	/* Initialize a MAC context. */
162 	rv = mac_init_ctx(session_p, key_p, hmac_ctx, pMechanism->mechanism);
163 	if (rv != CKR_OK)
164 		return (rv);
165 
166 	(void) pthread_mutex_lock(&session_p->session_mutex);
167 
168 	if (sign_op) {
169 		session_p->sign.mech.mechanism = pMechanism->mechanism;
170 		session_p->sign.context = hmac_ctx;
171 	} else {
172 		session_p->verify.mech.mechanism = pMechanism->mechanism;
173 		session_p->verify.context = hmac_ctx;
174 	}
175 
176 	(void) pthread_mutex_unlock(&session_p->session_mutex);
177 
178 	return (CKR_OK);
179 }
180 
181 
182 /*
183  * Initialize a HMAC context.
184  */
185 CK_RV
mac_init_ctx(soft_session_t * session_p,soft_object_t * key,soft_hmac_ctx_t * ctx,CK_MECHANISM_TYPE mech)186 mac_init_ctx(soft_session_t *session_p, soft_object_t *key,
187     soft_hmac_ctx_t *ctx, CK_MECHANISM_TYPE mech)
188 {
189 	CK_RV rv = CKR_OK;
190 
191 	switch (mech) {
192 	case CKM_SSL3_MD5_MAC:
193 	{
194 		CK_BYTE md5_ipad[MD5_SSL_PAD_AND_KEY_SIZE];
195 		CK_BYTE md5_opad[MD5_SSL_PAD_AND_KEY_SIZE];
196 
197 		if (OBJ_SEC(key)->sk_value_len > MD5_SSL_PAD_AND_KEY_SIZE) {
198 			return (CKR_KEY_SIZE_RANGE);
199 		}
200 
201 		bzero(md5_ipad, MD5_SSL_PAD_AND_KEY_SIZE);
202 		bzero(md5_opad, MD5_SSL_PAD_AND_KEY_SIZE);
203 
204 		/* SSL MAC is HASH(key + opad + HASH(key + ipad + data)) */
205 		(void) memcpy(md5_ipad, OBJ_SEC(key)->sk_value,
206 		    OBJ_SEC(key)->sk_value_len);
207 		(void) memcpy(&md5_ipad[OBJ_SEC(key)->sk_value_len],
208 		    md5_ssl_ipad, MD5_SSL_PAD_SIZE);
209 		(void) memcpy(md5_opad, OBJ_SEC(key)->sk_value,
210 		    OBJ_SEC(key)->sk_value_len);
211 		(void) memcpy(&md5_opad[OBJ_SEC(key)->sk_value_len],
212 		    md5_ssl_opad, MD5_SSL_PAD_SIZE);
213 
214 		SOFT_MAC_INIT_CTX(MD5, &(ctx->hc_ctx_u.md5_ctx),
215 		    md5_ipad, md5_opad, MD5_SSL_PAD_AND_KEY_SIZE);
216 
217 		break;
218 	}
219 	case CKM_MD5_HMAC_GENERAL:
220 	case CKM_MD5_HMAC:
221 	{
222 		uint32_t md5_ipad[MD5_HMAC_INTS_PER_BLOCK];
223 		uint32_t md5_opad[MD5_HMAC_INTS_PER_BLOCK];
224 		CK_MECHANISM digest_mech;
225 		CK_ULONG hash_len = MD5_HASH_SIZE;
226 
227 		bzero(md5_ipad, MD5_HMAC_BLOCK_SIZE);
228 		bzero(md5_opad, MD5_HMAC_BLOCK_SIZE);
229 
230 		if (OBJ_SEC(key)->sk_value_len > MD5_HMAC_BLOCK_SIZE) {
231 			/*
232 			 * Hash the key when it is longer than 64 bytes.
233 			 */
234 			digest_mech.mechanism = CKM_MD5;
235 			digest_mech.pParameter = NULL_PTR;
236 			digest_mech.ulParameterLen = 0;
237 			rv = soft_digest_init_internal(session_p, &digest_mech);
238 			if (rv != CKR_OK)
239 				return (rv);
240 			rv = soft_digest(session_p, OBJ_SEC(key)->sk_value,
241 			    OBJ_SEC(key)->sk_value_len, (CK_BYTE_PTR)md5_ipad,
242 			    &hash_len);
243 			session_p->digest.flags = 0;
244 			if (rv != CKR_OK)
245 				return (rv);
246 			(void) memcpy(md5_opad, md5_ipad, hash_len);
247 		} else {
248 			(void) memcpy(md5_ipad, OBJ_SEC(key)->sk_value,
249 			    OBJ_SEC(key)->sk_value_len);
250 			(void) memcpy(md5_opad, OBJ_SEC(key)->sk_value,
251 			    OBJ_SEC(key)->sk_value_len);
252 		}
253 
254 		md5_hmac_ctx_init(&ctx->hc_ctx_u.md5_ctx, md5_ipad, md5_opad);
255 		break;
256 	}
257 
258 	case CKM_SSL3_SHA1_MAC:
259 	{
260 		CK_BYTE sha1_ipad[SHA1_SSL_PAD_AND_KEY_SIZE];
261 		CK_BYTE sha1_opad[SHA1_SSL_PAD_AND_KEY_SIZE];
262 
263 		if (OBJ_SEC(key)->sk_value_len > SHA1_HMAC_BLOCK_SIZE) {
264 			return (CKR_KEY_SIZE_RANGE);
265 		}
266 
267 		bzero(sha1_ipad, SHA1_SSL_PAD_AND_KEY_SIZE);
268 		bzero(sha1_opad, SHA1_SSL_PAD_AND_KEY_SIZE);
269 
270 		/* SSL MAC is HASH(key + opad + HASH(key + ipad + data)) */
271 		(void) memcpy(sha1_ipad, OBJ_SEC(key)->sk_value,
272 		    OBJ_SEC(key)->sk_value_len);
273 		(void) memcpy(&sha1_ipad[OBJ_SEC(key)->sk_value_len],
274 		    sha1_ssl_ipad, SHA1_SSL_PAD_SIZE);
275 		(void) memcpy(sha1_opad, OBJ_SEC(key)->sk_value,
276 		    OBJ_SEC(key)->sk_value_len);
277 		(void) memcpy(&sha1_opad[OBJ_SEC(key)->sk_value_len],
278 		    sha1_ssl_opad, SHA1_SSL_PAD_SIZE);
279 
280 		SOFT_MAC_INIT_CTX(SHA1, &(ctx->hc_ctx_u.sha1_ctx),
281 		    sha1_ipad, sha1_opad, SHA1_SSL_PAD_AND_KEY_SIZE);
282 
283 		break;
284 	}
285 	case CKM_SHA_1_HMAC_GENERAL:
286 	case CKM_SHA_1_HMAC:
287 	{
288 		uint32_t sha1_ipad[SHA1_HMAC_INTS_PER_BLOCK];
289 		uint32_t sha1_opad[SHA1_HMAC_INTS_PER_BLOCK];
290 		CK_MECHANISM digest_mech;
291 		CK_ULONG hash_len = SHA1_HASH_SIZE;
292 
293 		bzero(sha1_ipad, SHA1_HMAC_BLOCK_SIZE);
294 		bzero(sha1_opad, SHA1_HMAC_BLOCK_SIZE);
295 
296 		if (OBJ_SEC(key)->sk_value_len > SHA1_HMAC_BLOCK_SIZE) {
297 			/*
298 			 * Hash the key when it is longer than 64 bytes.
299 			 */
300 			digest_mech.mechanism = CKM_SHA_1;
301 			digest_mech.pParameter = NULL_PTR;
302 			digest_mech.ulParameterLen = 0;
303 			rv = soft_digest_init_internal(session_p, &digest_mech);
304 			if (rv != CKR_OK)
305 				return (rv);
306 			rv = soft_digest(session_p, OBJ_SEC(key)->sk_value,
307 			    OBJ_SEC(key)->sk_value_len, (CK_BYTE_PTR)sha1_ipad,
308 			    &hash_len);
309 			session_p->digest.flags = 0;
310 			if (rv != CKR_OK)
311 				return (rv);
312 			(void) memcpy(sha1_opad, sha1_ipad, hash_len);
313 		} else {
314 			(void) memcpy(sha1_ipad, OBJ_SEC(key)->sk_value,
315 			    OBJ_SEC(key)->sk_value_len);
316 			(void) memcpy(sha1_opad, OBJ_SEC(key)->sk_value,
317 			    OBJ_SEC(key)->sk_value_len);
318 		}
319 
320 		sha1_hmac_ctx_init(&ctx->hc_ctx_u.sha1_ctx, sha1_ipad,
321 		    sha1_opad);
322 
323 		break;
324 	}
325 	case CKM_SHA256_HMAC:
326 	case CKM_SHA256_HMAC_GENERAL:
327 	{
328 		uint64_t sha_ipad[SHA256_HMAC_INTS_PER_BLOCK];
329 		uint64_t sha_opad[SHA256_HMAC_INTS_PER_BLOCK];
330 		CK_MECHANISM digest_mech;
331 		CK_ULONG hash_len = SHA256_DIGEST_LENGTH;
332 
333 		bzero(sha_ipad, SHA256_HMAC_BLOCK_SIZE);
334 		bzero(sha_opad, SHA256_HMAC_BLOCK_SIZE);
335 
336 		if (OBJ_SEC(key)->sk_value_len > SHA256_HMAC_BLOCK_SIZE) {
337 			/*
338 			 * Hash the key when it is longer than 64 bytes.
339 			 */
340 			digest_mech.mechanism = CKM_SHA256;
341 			digest_mech.pParameter = NULL_PTR;
342 			digest_mech.ulParameterLen = 0;
343 			rv = soft_digest_init_internal(session_p, &digest_mech);
344 			if (rv != CKR_OK)
345 				return (rv);
346 			rv = soft_digest(session_p, OBJ_SEC(key)->sk_value,
347 			    OBJ_SEC(key)->sk_value_len, (CK_BYTE_PTR)sha_ipad,
348 			    &hash_len);
349 			session_p->digest.flags = 0;
350 			if (rv != CKR_OK)
351 				return (rv);
352 			(void) memcpy(sha_opad, sha_ipad, hash_len);
353 		} else {
354 			(void) memcpy(sha_ipad, OBJ_SEC(key)->sk_value,
355 			    OBJ_SEC(key)->sk_value_len);
356 			(void) memcpy(sha_opad, OBJ_SEC(key)->sk_value,
357 			    OBJ_SEC(key)->sk_value_len);
358 		}
359 
360 		sha2_hmac_ctx_init(CKM_TO_SHA2(mech), &ctx->hc_ctx_u.sha2_ctx,
361 		    sha_ipad, sha_opad, SHA256_HMAC_INTS_PER_BLOCK,
362 		    SHA256_HMAC_BLOCK_SIZE);
363 
364 		break;
365 	}
366 	case CKM_SHA384_HMAC:
367 	case CKM_SHA384_HMAC_GENERAL:
368 	{
369 		uint64_t sha_ipad[SHA512_HMAC_INTS_PER_BLOCK];
370 		uint64_t sha_opad[SHA512_HMAC_INTS_PER_BLOCK];
371 		CK_MECHANISM digest_mech;
372 		CK_ULONG hash_len = SHA384_DIGEST_LENGTH;
373 
374 		bzero(sha_ipad, SHA512_HMAC_BLOCK_SIZE);
375 		bzero(sha_opad, SHA512_HMAC_BLOCK_SIZE);
376 
377 		if (OBJ_SEC(key)->sk_value_len > SHA512_HMAC_BLOCK_SIZE) {
378 			/*
379 			 * Hash the key when it is longer than 64 bytes.
380 			 */
381 			digest_mech.mechanism = CKM_SHA384;
382 			digest_mech.pParameter = NULL_PTR;
383 			digest_mech.ulParameterLen = 0;
384 			rv = soft_digest_init_internal(session_p, &digest_mech);
385 			if (rv != CKR_OK)
386 				return (rv);
387 			rv = soft_digest(session_p, OBJ_SEC(key)->sk_value,
388 			    OBJ_SEC(key)->sk_value_len, (CK_BYTE_PTR)sha_ipad,
389 			    &hash_len);
390 			session_p->digest.flags = 0;
391 			if (rv != CKR_OK)
392 				return (rv);
393 			(void) memcpy(sha_opad, sha_ipad, hash_len);
394 		} else {
395 			(void) memcpy(sha_ipad, OBJ_SEC(key)->sk_value,
396 			    OBJ_SEC(key)->sk_value_len);
397 			(void) memcpy(sha_opad, OBJ_SEC(key)->sk_value,
398 			    OBJ_SEC(key)->sk_value_len);
399 		}
400 
401 		sha2_hmac_ctx_init(CKM_TO_SHA2(mech), &ctx->hc_ctx_u.sha2_ctx,
402 		    sha_ipad, sha_opad, SHA512_HMAC_INTS_PER_BLOCK,
403 		    SHA512_HMAC_BLOCK_SIZE);
404 
405 		break;
406 	}
407 	case CKM_SHA512_HMAC:
408 	case CKM_SHA512_HMAC_GENERAL:
409 	{
410 		uint64_t sha_ipad[SHA512_HMAC_INTS_PER_BLOCK];
411 		uint64_t sha_opad[SHA512_HMAC_INTS_PER_BLOCK];
412 		CK_MECHANISM digest_mech;
413 		CK_ULONG hash_len = SHA512_DIGEST_LENGTH;
414 
415 		bzero(sha_ipad, SHA512_HMAC_BLOCK_SIZE);
416 		bzero(sha_opad, SHA512_HMAC_BLOCK_SIZE);
417 
418 		if (OBJ_SEC(key)->sk_value_len > SHA512_HMAC_BLOCK_SIZE) {
419 			/*
420 			 * Hash the key when it is longer than 64 bytes.
421 			 */
422 			digest_mech.mechanism = CKM_SHA512;
423 			digest_mech.pParameter = NULL_PTR;
424 			digest_mech.ulParameterLen = 0;
425 			rv = soft_digest_init_internal(session_p, &digest_mech);
426 			if (rv != CKR_OK)
427 				return (rv);
428 			rv = soft_digest(session_p, OBJ_SEC(key)->sk_value,
429 			    OBJ_SEC(key)->sk_value_len, (CK_BYTE_PTR)sha_ipad,
430 			    &hash_len);
431 			session_p->digest.flags = 0;
432 			if (rv != CKR_OK)
433 				return (rv);
434 			(void) memcpy(sha_opad, sha_ipad, hash_len);
435 		} else {
436 			(void) memcpy(sha_ipad, OBJ_SEC(key)->sk_value,
437 			    OBJ_SEC(key)->sk_value_len);
438 			(void) memcpy(sha_opad, OBJ_SEC(key)->sk_value,
439 			    OBJ_SEC(key)->sk_value_len);
440 		}
441 
442 		sha2_hmac_ctx_init(CKM_TO_SHA2(mech), &ctx->hc_ctx_u.sha2_ctx,
443 		    sha_ipad, sha_opad, SHA512_HMAC_INTS_PER_BLOCK,
444 		    SHA512_HMAC_BLOCK_SIZE);
445 
446 		break;
447 	}
448 	}
449 	return (rv);
450 }
451 
452 
453 /*
454  * Called by soft_sign(), soft_sign_final(), soft_verify() or
455  * soft_verify_final().
456  */
457 CK_RV
soft_hmac_sign_verify_common(soft_session_t * session_p,CK_BYTE_PTR pData,CK_ULONG ulDataLen,CK_BYTE_PTR pSigned,CK_ULONG_PTR pulSignedLen,boolean_t sign_op)458 soft_hmac_sign_verify_common(soft_session_t *session_p, CK_BYTE_PTR pData,
459     CK_ULONG ulDataLen, CK_BYTE_PTR pSigned, CK_ULONG_PTR pulSignedLen,
460     boolean_t sign_op)
461 {
462 
463 	soft_hmac_ctx_t	*hmac_ctx;
464 	CK_MECHANISM_TYPE	mechanism;
465 #ifdef	__sparcv9
466 	/* LINTED */
467 	uint_t datalen = (uint_t)ulDataLen;
468 #else	/* __sparcv9 */
469 	uint_t datalen = ulDataLen;
470 #endif	/* __sparcv9 */
471 
472 	if (sign_op) {
473 		hmac_ctx = (soft_hmac_ctx_t *)session_p->sign.context;
474 		mechanism = session_p->sign.mech.mechanism;
475 
476 		/*
477 		 * If application asks for the length of the output buffer
478 		 * to hold the signature?
479 		 */
480 		if (pSigned == NULL) {
481 			*pulSignedLen = hmac_ctx->hmac_len;
482 			return (CKR_OK);
483 		}
484 
485 		/* Is the application-supplied buffer large enough? */
486 		if (*pulSignedLen < hmac_ctx->hmac_len) {
487 			*pulSignedLen = hmac_ctx->hmac_len;
488 			return (CKR_BUFFER_TOO_SMALL);
489 		}
490 	} else {
491 		hmac_ctx = (soft_hmac_ctx_t *)session_p->verify.context;
492 		mechanism = session_p->verify.mech.mechanism;
493 	}
494 
495 	switch (mechanism) {
496 
497 	case CKM_SSL3_MD5_MAC:
498 	case CKM_MD5_HMAC_GENERAL:
499 	case CKM_MD5_HMAC:
500 
501 		if (pData != NULL) {
502 			/* Called by soft_sign() or soft_verify(). */
503 			SOFT_MAC_UPDATE(MD5, &(hmac_ctx->hc_ctx_u.md5_ctx),
504 			    pData, datalen);
505 		}
506 		SOFT_MAC_FINAL(MD5, &(hmac_ctx->hc_ctx_u.md5_ctx), pSigned);
507 		break;
508 
509 	case CKM_SSL3_SHA1_MAC:
510 	case CKM_SHA_1_HMAC_GENERAL:
511 	case CKM_SHA_1_HMAC:
512 
513 		if (pData != NULL) {
514 			/* Called by soft_sign() or soft_verify(). */
515 			SOFT_MAC_UPDATE(SHA1, &(hmac_ctx->hc_ctx_u.sha1_ctx),
516 			    pData, datalen);
517 		}
518 		SOFT_MAC_FINAL(SHA1, &(hmac_ctx->hc_ctx_u.sha1_ctx), pSigned);
519 		break;
520 
521 	case CKM_SHA256_HMAC_GENERAL:
522 	case CKM_SHA256_HMAC:
523 		if (pData != NULL)
524 			/* Called by soft_sign() or soft_verify(). */
525 			SHA2Update(&(hmac_ctx->hc_ctx_u.sha2_ctx.hc_icontext),
526 			    pData, datalen);
527 
528 		SOFT_MAC_FINAL_2(SHA256, &(hmac_ctx->hc_ctx_u.sha2_ctx),
529 		    pSigned);
530 		break;
531 
532 	case CKM_SHA384_HMAC_GENERAL:
533 	case CKM_SHA384_HMAC:
534 		if (pData != NULL)
535 			/* Called by soft_sign() or soft_verify(). */
536 			SHA2Update(&(hmac_ctx->hc_ctx_u.sha2_ctx.hc_icontext),
537 			    pData, datalen);
538 
539 		SOFT_MAC_FINAL_2(SHA384, &(hmac_ctx->hc_ctx_u.sha2_ctx),
540 		    pSigned);
541 		hmac_ctx->hmac_len = SHA384_DIGEST_LENGTH;
542 		break;
543 
544 	case CKM_SHA512_HMAC_GENERAL:
545 	case CKM_SHA512_HMAC:
546 
547 		if (pData != NULL)
548 			/* Called by soft_sign() or soft_verify(). */
549 			SHA2Update(&(hmac_ctx->hc_ctx_u.sha2_ctx.hc_icontext),
550 			    pData, datalen);
551 
552 		SOFT_MAC_FINAL_2(SHA512, &(hmac_ctx->hc_ctx_u.sha2_ctx),
553 		    pSigned);
554 	};
555 
556 	*pulSignedLen = hmac_ctx->hmac_len;
557 
558 
559 clean_exit:
560 
561 	(void) pthread_mutex_lock(&session_p->session_mutex);
562 
563 	if (sign_op) {
564 		freezero(session_p->sign.context, sizeof (soft_hmac_ctx_t));
565 		session_p->sign.context = NULL;
566 	} else {
567 		freezero(session_p->verify.context, sizeof (soft_hmac_ctx_t));
568 		session_p->verify.context = NULL;
569 	}
570 
571 	(void) pthread_mutex_unlock(&session_p->session_mutex);
572 
573 	return (CKR_OK);
574 }
575 
576 
577 /*
578  * Called by soft_sign_update() or soft_verify_update().
579  */
580 CK_RV
soft_hmac_sign_verify_update(soft_session_t * session_p,CK_BYTE_PTR pPart,CK_ULONG ulPartLen,boolean_t sign_op)581 soft_hmac_sign_verify_update(soft_session_t *session_p, CK_BYTE_PTR pPart,
582     CK_ULONG ulPartLen, boolean_t sign_op)
583 {
584 
585 	soft_hmac_ctx_t	*hmac_ctx;
586 	CK_MECHANISM_TYPE	mechanism;
587 #ifdef	__sparcv9
588 	/* LINTED */
589 	uint_t partlen = (uint_t)ulPartLen;
590 #else	/* __sparcv9 */
591 	uint_t partlen = ulPartLen;
592 #endif	/* __sparcv9 */
593 
594 	if (sign_op) {
595 		hmac_ctx = (soft_hmac_ctx_t *)session_p->sign.context;
596 		mechanism = session_p->sign.mech.mechanism;
597 	} else {
598 		hmac_ctx = (soft_hmac_ctx_t *)session_p->verify.context;
599 		mechanism = session_p->verify.mech.mechanism;
600 	}
601 
602 	switch (mechanism) {
603 
604 	case CKM_SSL3_MD5_MAC:
605 	case CKM_MD5_HMAC_GENERAL:
606 	case CKM_MD5_HMAC:
607 
608 		SOFT_MAC_UPDATE(MD5, &(hmac_ctx->hc_ctx_u.md5_ctx), pPart,
609 		    partlen);
610 		break;
611 
612 	case CKM_SSL3_SHA1_MAC:
613 	case CKM_SHA_1_HMAC_GENERAL:
614 	case CKM_SHA_1_HMAC:
615 
616 		SOFT_MAC_UPDATE(SHA1, &(hmac_ctx->hc_ctx_u.sha1_ctx), pPart,
617 		    partlen);
618 
619 		break;
620 
621 	case CKM_SHA256_HMAC_GENERAL:
622 	case CKM_SHA256_HMAC:
623 	case CKM_SHA384_HMAC_GENERAL:
624 	case CKM_SHA384_HMAC:
625 	case CKM_SHA512_HMAC_GENERAL:
626 	case CKM_SHA512_HMAC:
627 
628 		SOFT_MAC_UPDATE(SHA2, &(hmac_ctx->hc_ctx_u.sha2_ctx), pPart,
629 		    partlen);
630 		break;
631 
632 	}
633 	return (CKR_OK);
634 }
635 
636 /*
637  * The following 2 functions expect the MAC key to be alreay copied in
638  * the ipad and opad
639  */
640 void
md5_hmac_ctx_init(md5_hc_ctx_t * md5_hmac_ctx,uint32_t * ipad,uint32_t * opad)641 md5_hmac_ctx_init(md5_hc_ctx_t *md5_hmac_ctx, uint32_t *ipad, uint32_t *opad)
642 {
643 	int i;
644 	/* XOR key with ipad (0x36) and opad (0x5c) */
645 	for (i = 0; i < MD5_HMAC_INTS_PER_BLOCK; i++) {
646 		ipad[i] ^= 0x36363636;
647 		opad[i] ^= 0x5c5c5c5c;
648 	}
649 	SOFT_MAC_INIT_CTX(MD5, md5_hmac_ctx, ipad, opad, MD5_HMAC_BLOCK_SIZE);
650 }
651 
652 void
sha1_hmac_ctx_init(sha1_hc_ctx_t * sha1_hmac_ctx,uint32_t * ipad,uint32_t * opad)653 sha1_hmac_ctx_init(sha1_hc_ctx_t *sha1_hmac_ctx, uint32_t *ipad, uint32_t *opad)
654 {
655 	int i;
656 	/* XOR key with ipad (0x36) and opad (0x5c) */
657 	for (i = 0; i < SHA1_HMAC_INTS_PER_BLOCK; i++) {
658 		ipad[i] ^= 0x36363636;
659 		opad[i] ^= 0x5c5c5c5c;
660 	}
661 	SOFT_MAC_INIT_CTX(SHA1, sha1_hmac_ctx, (const uchar_t *)ipad,
662 	    (const uchar_t *)opad, SHA1_HMAC_BLOCK_SIZE);
663 }
664 
665 
666 void
sha2_hmac_ctx_init(uint_t mech,sha2_hc_ctx_t * ctx,uint64_t * ipad,uint64_t * opad,uint_t blocks_per_int64,uint_t block_size)667 sha2_hmac_ctx_init(uint_t mech, sha2_hc_ctx_t *ctx, uint64_t *ipad,
668     uint64_t *opad, uint_t blocks_per_int64, uint_t block_size)
669 {
670 	int i;
671 
672 	/* XOR key with ipad (0x36) and opad (0x5c) */
673 	for (i = 0; i < blocks_per_int64; i ++) {
674 		ipad[i] ^= 0x3636363636363636ULL;
675 		opad[i] ^= 0x5c5c5c5c5c5c5c5cULL;
676 	}
677 
678 	/* perform SHA2 on ipad */
679 	SHA2Init(mech, &ctx->hc_icontext);
680 	SHA2Update(&ctx->hc_icontext, (uint8_t *)ipad, block_size);
681 
682 	/* perform SHA2 on opad */
683 	SHA2Init(mech, &ctx->hc_ocontext);
684 	SHA2Update(&ctx->hc_ocontext, (uint8_t *)opad, block_size);
685 
686 }
687