4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or https://opensource.org/licenses/CDDL-1.0.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
26 #include <sys/zfs_context.h>
27 #include <sys/crypto/common.h>
28 #include <sys/crypto/impl.h>
29 #include <sys/crypto/api.h>
30 #include <sys/crypto/spi.h>
31 #include <sys/crypto/sched_impl.h>
34 * Message authentication codes routines.
38 * The following are the possible returned values common to all the routines
39 * below. The applicability of some of these return values depends on the
40 * presence of the arguments.
42 * CRYPTO_SUCCESS: The operation completed successfully.
43 * CRYPTO_INVALID_MECH_NUMBER, CRYPTO_INVALID_MECH_PARAM, or
44 * CRYPTO_INVALID_MECH for problems with the 'mech'.
45 * CRYPTO_INVALID_DATA for bogus 'data'
46 * CRYPTO_HOST_MEMORY for failure to allocate memory to handle this work.
47 * CRYPTO_INVALID_CONTEXT: Not a valid context.
48 * CRYPTO_BUSY: Cannot process the request now. Try later.
49 * CRYPTO_NOT_SUPPORTED and CRYPTO_MECH_NOT_SUPPORTED: No provider is
50 * capable of a function or a mechanism.
51 * CRYPTO_INVALID_KEY: bogus 'key' argument.
52 * CRYPTO_INVALID_MAC: bogus 'mac' argument.
59 * mech: crypto_mechanism_t pointer.
60 * mech_type is a valid value previously returned by
62 * When the mech's parameter is not NULL, its definition depends
63 * on the standard definition of the mechanism.
64 * key: pointer to a crypto_key_t structure.
65 * data: The message to compute the MAC for.
66 * mac: Storage for the MAC. The length needed depends on the mechanism.
67 * tmpl: a crypto_ctx_template_t, opaque template of a context of a
68 * MAC with the 'mech' using 'key'. 'tmpl' is created by
69 * a previous call to crypto_create_ctx_template().
72 * Asynchronously submits a request for, or synchronously performs a
73 * single-part message authentication of 'data' with the mechanism
74 * 'mech', using * the key 'key', on the specified provider with
75 * the specified session id.
76 * When complete and successful, 'mac' will contain the message
77 * authentication code.
78 * Relies on the KCF scheduler to choose a provider.
81 * See comment in the beginning of the file.
84 crypto_mac(crypto_mechanism_t
*mech
, crypto_data_t
*data
,
85 crypto_key_t
*key
, crypto_ctx_template_t tmpl
, crypto_data_t
*mac
)
89 kcf_provider_desc_t
*pd
;
90 kcf_ctx_template_t
*ctx_tmpl
;
91 crypto_spi_ctx_template_t spi_ctx_tmpl
= NULL
;
92 kcf_prov_tried_t
*list
= NULL
;
95 /* The pd is returned held */
96 if ((pd
= kcf_get_mech_provider(mech
->cm_type
, &me
, &error
,
97 list
, CRYPTO_FG_MAC_ATOMIC
)) == NULL
) {
99 kcf_free_triedlist(list
);
103 if (((ctx_tmpl
= (kcf_ctx_template_t
*)tmpl
) != NULL
))
104 spi_ctx_tmpl
= ctx_tmpl
->ct_prov_tmpl
;
106 crypto_mechanism_t lmech
= *mech
;
107 KCF_SET_PROVIDER_MECHNUM(mech
->cm_type
, pd
, &lmech
);
108 error
= KCF_PROV_MAC_ATOMIC(pd
, &lmech
, key
, data
,
111 if (error
!= CRYPTO_SUCCESS
&& IS_RECOVERABLE(error
)) {
112 /* Add pd to the linked list of providers tried. */
113 if (kcf_insert_triedlist(&list
, pd
, KM_SLEEP
) != NULL
)
118 kcf_free_triedlist(list
);
120 KCF_PROV_REFRELE(pd
);
125 * crypto_mac_init_prov()
128 * pd: pointer to the descriptor of the provider to use for this
130 * mech: crypto_mechanism_t pointer.
131 * mech_type is a valid value previously returned by
133 * When the mech's parameter is not NULL, its definition depends
134 * on the standard definition of the mechanism.
135 * key: pointer to a crypto_key_t structure.
136 * tmpl: a crypto_ctx_template_t, opaque template of a context of a
137 * MAC with the 'mech' using 'key'. 'tmpl' is created by
138 * a previous call to crypto_create_ctx_template().
139 * ctxp: Pointer to a crypto_context_t.
142 * Asynchronously submits a request for, or synchronously performs the
143 * initialization of a MAC operation on the specified provider with
144 * the specified session.
145 * When possible and applicable, will internally use the pre-computed MAC
146 * context from the context template, tmpl.
147 * When complete and successful, 'ctxp' will contain a crypto_context_t
148 * valid for later calls to mac_update() and mac_final().
149 * The caller should hold a reference on the specified provider
150 * descriptor before calling this function.
153 * See comment in the beginning of the file.
156 crypto_mac_init_prov(kcf_provider_desc_t
*pd
,
157 crypto_mechanism_t
*mech
, crypto_key_t
*key
, crypto_spi_ctx_template_t tmpl
,
158 crypto_context_t
*ctxp
)
162 kcf_provider_desc_t
*real_provider
= pd
;
164 ASSERT(KCF_PROV_REFHELD(pd
));
166 /* Allocate and initialize the canonical context */
167 if ((ctx
= kcf_new_ctx(real_provider
)) == NULL
)
168 return (CRYPTO_HOST_MEMORY
);
170 crypto_mechanism_t lmech
= *mech
;
171 KCF_SET_PROVIDER_MECHNUM(mech
->cm_type
, real_provider
, &lmech
);
172 rv
= KCF_PROV_MAC_INIT(real_provider
, ctx
, &lmech
, key
, tmpl
);
174 if (rv
== CRYPTO_SUCCESS
)
175 *ctxp
= (crypto_context_t
)ctx
;
177 /* Release the hold done in kcf_new_ctx(). */
178 KCF_CONTEXT_REFRELE((kcf_context_t
*)ctx
->cc_framework_private
);
185 * Same as crypto_mac_init_prov(), but relies on the KCF scheduler to
186 * choose a provider. See crypto_mac_init_prov() comments for more
190 crypto_mac_init(crypto_mechanism_t
*mech
, crypto_key_t
*key
,
191 crypto_ctx_template_t tmpl
, crypto_context_t
*ctxp
)
194 kcf_mech_entry_t
*me
;
195 kcf_provider_desc_t
*pd
;
196 kcf_ctx_template_t
*ctx_tmpl
;
197 crypto_spi_ctx_template_t spi_ctx_tmpl
= NULL
;
198 kcf_prov_tried_t
*list
= NULL
;
201 /* The pd is returned held */
202 if ((pd
= kcf_get_mech_provider(mech
->cm_type
, &me
, &error
,
203 list
, CRYPTO_FG_MAC
)) == NULL
) {
205 kcf_free_triedlist(list
);
210 * Check the validity of the context template
211 * It is very rare that the generation number mis-matches, so
212 * is acceptable to fail here, and let the consumer recover by
213 * freeing this tmpl and create a new one for the key and new provider
216 if (((ctx_tmpl
= (kcf_ctx_template_t
*)tmpl
) != NULL
))
217 spi_ctx_tmpl
= ctx_tmpl
->ct_prov_tmpl
;
219 error
= crypto_mac_init_prov(pd
, mech
, key
,
221 if (error
!= CRYPTO_SUCCESS
&& IS_RECOVERABLE(error
)) {
222 /* Add pd to the linked list of providers tried. */
223 if (kcf_insert_triedlist(&list
, pd
, KM_SLEEP
) != NULL
)
228 kcf_free_triedlist(list
);
230 KCF_PROV_REFRELE(pd
);
235 * crypto_mac_update()
238 * context: A crypto_context_t initialized by mac_init().
239 * data: The message part to be MAC'ed
242 * Synchronously performs a part of a MAC operation.
245 * See comment in the beginning of the file.
248 crypto_mac_update(crypto_context_t context
, crypto_data_t
*data
)
250 crypto_ctx_t
*ctx
= (crypto_ctx_t
*)context
;
251 kcf_context_t
*kcf_ctx
;
252 kcf_provider_desc_t
*pd
;
255 ((kcf_ctx
= (kcf_context_t
*)ctx
->cc_framework_private
) == NULL
) ||
256 ((pd
= kcf_ctx
->kc_prov_desc
) == NULL
)) {
257 return (CRYPTO_INVALID_CONTEXT
);
260 return (KCF_PROV_MAC_UPDATE(pd
, ctx
, data
));
267 * context: A crypto_context_t initialized by mac_init().
268 * mac: Storage for the message authentication code.
271 * Synchronously performs a part of a message authentication operation.
274 * See comment in the beginning of the file.
277 crypto_mac_final(crypto_context_t context
, crypto_data_t
*mac
)
279 crypto_ctx_t
*ctx
= (crypto_ctx_t
*)context
;
280 kcf_context_t
*kcf_ctx
;
281 kcf_provider_desc_t
*pd
;
284 ((kcf_ctx
= (kcf_context_t
*)ctx
->cc_framework_private
) == NULL
) ||
285 ((pd
= kcf_ctx
->kc_prov_desc
) == NULL
)) {
286 return (CRYPTO_INVALID_CONTEXT
);
289 int rv
= KCF_PROV_MAC_FINAL(pd
, ctx
, mac
);
291 /* Release the hold done in kcf_new_ctx() during init step. */
292 KCF_CONTEXT_COND_RELEASE(rv
, kcf_ctx
);
297 EXPORT_SYMBOL(crypto_mac
);
298 EXPORT_SYMBOL(crypto_mac_init
);
299 EXPORT_SYMBOL(crypto_mac_update
);
300 EXPORT_SYMBOL(crypto_mac_final
);