1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. 23 * Copyright 2017 Nexenta Systems, Inc. All rights reserved. 24 * Copyright 2019 Joyent, Inc. 25 */ 26 27 /* 28 * AES provider for the Kernel Cryptographic Framework (KCF) 29 */ 30 31 #include <sys/types.h> 32 #include <sys/systm.h> 33 #include <sys/modctl.h> 34 #include <sys/cmn_err.h> 35 #include <sys/ddi.h> 36 #include <sys/crypto/common.h> 37 #include <sys/crypto/impl.h> 38 #include <sys/crypto/spi.h> 39 #include <sys/sysmacros.h> 40 #include <sys/strsun.h> 41 #include <modes/modes.h> 42 #define _AES_IMPL 43 #include <aes/aes_impl.h> 44 45 extern struct mod_ops mod_cryptoops; 46 47 /* 48 * Module linkage information for the kernel. 49 */ 50 static struct modlcrypto modlcrypto = { 51 &mod_cryptoops, 52 "AES Kernel SW Provider" 53 }; 54 55 static struct modlinkage modlinkage = { 56 MODREV_1, 57 (void *)&modlcrypto, 58 NULL 59 }; 60 61 /* 62 * Mechanism info structure passed to KCF during registration. 63 */ 64 static crypto_mech_info_t aes_mech_info_tab[] = { 65 /* AES_ECB */ 66 {SUN_CKM_AES_ECB, AES_ECB_MECH_INFO_TYPE, 67 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 68 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC, 69 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES}, 70 /* AES_CBC */ 71 {SUN_CKM_AES_CBC, AES_CBC_MECH_INFO_TYPE, 72 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 73 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC, 74 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES}, 75 /* AES_CMAC */ 76 {SUN_CKM_AES_CMAC, AES_CMAC_MECH_INFO_TYPE, 77 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 78 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC | 79 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES}, 80 /* AES_CTR */ 81 {SUN_CKM_AES_CTR, AES_CTR_MECH_INFO_TYPE, 82 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 83 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC, 84 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES}, 85 /* AES_CCM */ 86 {SUN_CKM_AES_CCM, AES_CCM_MECH_INFO_TYPE, 87 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 88 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC, 89 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES}, 90 /* AES_GCM */ 91 {SUN_CKM_AES_GCM, AES_GCM_MECH_INFO_TYPE, 92 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 93 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC, 94 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES}, 95 /* AES_GMAC */ 96 {SUN_CKM_AES_GMAC, AES_GMAC_MECH_INFO_TYPE, 97 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 98 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC | 99 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC | 100 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC | 101 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC, 102 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES} 103 }; 104 105 /* operations are in-place if the output buffer is NULL */ 106 #define AES_ARG_INPLACE(input, output) \ 107 if ((output) == NULL) \ 108 (output) = (input); 109 110 static void aes_provider_status(crypto_provider_handle_t, uint_t *); 111 112 static crypto_control_ops_t aes_control_ops = { 113 aes_provider_status 114 }; 115 116 static int aes_encrypt_init(crypto_ctx_t *, crypto_mechanism_t *, 117 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 118 static int aes_decrypt_init(crypto_ctx_t *, crypto_mechanism_t *, 119 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 120 static int aes_common_init(crypto_ctx_t *, crypto_mechanism_t *, 121 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t, boolean_t); 122 static int aes_common_init_ctx(aes_ctx_t *, crypto_spi_ctx_template_t *, 123 crypto_mechanism_t *, crypto_key_t *, int, boolean_t); 124 static int aes_encrypt_final(crypto_ctx_t *, crypto_data_t *, 125 crypto_req_handle_t); 126 static int aes_decrypt_final(crypto_ctx_t *, crypto_data_t *, 127 crypto_req_handle_t); 128 129 static int aes_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 130 crypto_req_handle_t); 131 static int aes_encrypt_update(crypto_ctx_t *, crypto_data_t *, 132 crypto_data_t *, crypto_req_handle_t); 133 static int aes_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t, 134 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 135 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 136 137 static int aes_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 138 crypto_req_handle_t); 139 static int aes_decrypt_update(crypto_ctx_t *, crypto_data_t *, 140 crypto_data_t *, crypto_req_handle_t); 141 static int aes_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t, 142 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 143 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 144 145 static crypto_cipher_ops_t aes_cipher_ops = { 146 aes_encrypt_init, 147 aes_encrypt, 148 aes_encrypt_update, 149 aes_encrypt_final, 150 aes_encrypt_atomic, 151 aes_decrypt_init, 152 aes_decrypt, 153 aes_decrypt_update, 154 aes_decrypt_final, 155 aes_decrypt_atomic 156 }; 157 158 static int aes_mac_init(crypto_ctx_t *, crypto_mechanism_t *, 159 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 160 static int aes_mac(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 161 crypto_req_handle_t); 162 static int aes_mac_update(crypto_ctx_t *, crypto_data_t *, 163 crypto_req_handle_t); 164 static int aes_mac_final(crypto_ctx_t *, crypto_data_t *, 165 crypto_req_handle_t); 166 static int aes_mac_atomic(crypto_provider_handle_t, crypto_session_id_t, 167 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, 168 crypto_spi_ctx_template_t, crypto_req_handle_t); 169 static int aes_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t, 170 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *, 171 crypto_spi_ctx_template_t, crypto_req_handle_t); 172 173 static crypto_mac_ops_t aes_mac_ops = { 174 aes_mac_init, 175 aes_mac, 176 aes_mac_update, 177 aes_mac_final, 178 aes_mac_atomic, 179 aes_mac_verify_atomic 180 }; 181 182 static int aes_create_ctx_template(crypto_provider_handle_t, 183 crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *, 184 size_t *, crypto_req_handle_t); 185 static int aes_free_context(crypto_ctx_t *); 186 187 static crypto_ctx_ops_t aes_ctx_ops = { 188 aes_create_ctx_template, 189 aes_free_context 190 }; 191 192 static crypto_ops_t aes_crypto_ops = { 193 &aes_control_ops, 194 NULL, 195 &aes_cipher_ops, 196 &aes_mac_ops, 197 NULL, 198 NULL, 199 NULL, 200 NULL, 201 NULL, 202 NULL, 203 NULL, 204 NULL, 205 NULL, 206 &aes_ctx_ops, 207 NULL, 208 NULL, 209 NULL, 210 }; 211 212 static crypto_provider_info_t aes_prov_info = { 213 CRYPTO_SPI_VERSION_4, 214 "AES Software Provider", 215 CRYPTO_SW_PROVIDER, 216 {&modlinkage}, 217 NULL, 218 &aes_crypto_ops, 219 sizeof (aes_mech_info_tab)/sizeof (crypto_mech_info_t), 220 aes_mech_info_tab 221 }; 222 223 static crypto_kcf_provider_handle_t aes_prov_handle = 0; 224 static crypto_data_t null_crypto_data = { CRYPTO_DATA_RAW }; 225 226 int 227 _init(void) 228 { 229 int ret; 230 231 if ((ret = mod_install(&modlinkage)) != 0) 232 return (ret); 233 234 /* Register with KCF. If the registration fails, remove the module. */ 235 if (crypto_register_provider(&aes_prov_info, &aes_prov_handle)) { 236 (void) mod_remove(&modlinkage); 237 return (EACCES); 238 } 239 240 return (0); 241 } 242 243 int 244 _fini(void) 245 { 246 /* Unregister from KCF if module is registered */ 247 if (aes_prov_handle != 0) { 248 if (crypto_unregister_provider(aes_prov_handle)) 249 return (EBUSY); 250 251 aes_prov_handle = 0; 252 } 253 254 return (mod_remove(&modlinkage)); 255 } 256 257 int 258 _info(struct modinfo *modinfop) 259 { 260 return (mod_info(&modlinkage, modinfop)); 261 } 262 263 264 static int 265 aes_check_mech_param(crypto_mechanism_t *mechanism, aes_ctx_t **ctx, int kmflag) 266 { 267 void *p = NULL; 268 boolean_t param_required = B_TRUE; 269 size_t param_len; 270 void *(*alloc_fun)(int); 271 int rv = CRYPTO_SUCCESS; 272 273 switch (mechanism->cm_type) { 274 case AES_ECB_MECH_INFO_TYPE: 275 param_required = B_FALSE; 276 alloc_fun = ecb_alloc_ctx; 277 break; 278 case AES_CBC_MECH_INFO_TYPE: 279 param_len = AES_BLOCK_LEN; 280 alloc_fun = cbc_alloc_ctx; 281 break; 282 case AES_CMAC_MECH_INFO_TYPE: 283 param_required = B_FALSE; 284 alloc_fun = cmac_alloc_ctx; 285 break; 286 case AES_CTR_MECH_INFO_TYPE: 287 param_len = sizeof (CK_AES_CTR_PARAMS); 288 alloc_fun = ctr_alloc_ctx; 289 break; 290 case AES_CCM_MECH_INFO_TYPE: 291 param_len = sizeof (CK_AES_CCM_PARAMS); 292 alloc_fun = ccm_alloc_ctx; 293 break; 294 case AES_GCM_MECH_INFO_TYPE: 295 param_len = sizeof (CK_AES_GCM_PARAMS); 296 alloc_fun = gcm_alloc_ctx; 297 break; 298 case AES_GMAC_MECH_INFO_TYPE: 299 param_len = sizeof (CK_AES_GMAC_PARAMS); 300 alloc_fun = gmac_alloc_ctx; 301 break; 302 default: 303 rv = CRYPTO_MECHANISM_INVALID; 304 return (rv); 305 } 306 if (param_required && mechanism->cm_param != NULL && 307 mechanism->cm_param_len != param_len) { 308 rv = CRYPTO_MECHANISM_PARAM_INVALID; 309 } 310 if (ctx != NULL) { 311 p = (alloc_fun)(kmflag); 312 *ctx = p; 313 } 314 return (rv); 315 } 316 317 /* 318 * Initialize key schedules for AES 319 */ 320 static int 321 init_keysched(crypto_key_t *key, void *newbie) 322 { 323 /* 324 * Only keys by value are supported by this module. 325 */ 326 switch (key->ck_format) { 327 case CRYPTO_KEY_RAW: 328 if (key->ck_length < AES_MINBITS || 329 key->ck_length > AES_MAXBITS) { 330 return (CRYPTO_KEY_SIZE_RANGE); 331 } 332 333 /* key length must be either 128, 192, or 256 */ 334 if ((key->ck_length & 63) != 0) 335 return (CRYPTO_KEY_SIZE_RANGE); 336 break; 337 default: 338 return (CRYPTO_KEY_TYPE_INCONSISTENT); 339 } 340 341 aes_init_keysched(key->ck_data, key->ck_length, newbie); 342 return (CRYPTO_SUCCESS); 343 } 344 345 /* 346 * KCF software provider control entry points. 347 */ 348 /* ARGSUSED */ 349 static void 350 aes_provider_status(crypto_provider_handle_t provider, uint_t *status) 351 { 352 *status = CRYPTO_PROVIDER_READY; 353 } 354 355 static int 356 aes_encrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 357 crypto_key_t *key, crypto_spi_ctx_template_t template, 358 crypto_req_handle_t req) 359 { 360 return (aes_common_init(ctx, mechanism, key, template, req, B_TRUE)); 361 } 362 363 static int 364 aes_decrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 365 crypto_key_t *key, crypto_spi_ctx_template_t template, 366 crypto_req_handle_t req) 367 { 368 return (aes_common_init(ctx, mechanism, key, template, req, B_FALSE)); 369 } 370 371 372 373 /* 374 * KCF software provider encrypt entry points. 375 */ 376 static int 377 aes_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 378 crypto_key_t *key, crypto_spi_ctx_template_t template, 379 crypto_req_handle_t req, boolean_t is_encrypt_init) 380 { 381 aes_ctx_t *aes_ctx; 382 int rv; 383 int kmflag; 384 385 /* 386 * Only keys by value are supported by this module. 387 */ 388 if (key->ck_format != CRYPTO_KEY_RAW) { 389 return (CRYPTO_KEY_TYPE_INCONSISTENT); 390 } 391 392 kmflag = crypto_kmflag(req); 393 if ((rv = aes_check_mech_param(mechanism, &aes_ctx, kmflag)) 394 != CRYPTO_SUCCESS) 395 return (rv); 396 397 rv = aes_common_init_ctx(aes_ctx, template, mechanism, key, kmflag, 398 is_encrypt_init); 399 if (rv != CRYPTO_SUCCESS) { 400 crypto_free_mode_ctx(aes_ctx); 401 return (rv); 402 } 403 404 ctx->cc_provider_private = aes_ctx; 405 406 return (CRYPTO_SUCCESS); 407 } 408 409 static int 410 aes_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext, 411 crypto_data_t *ciphertext, crypto_req_handle_t req) 412 { 413 int ret = CRYPTO_FAILED; 414 415 aes_ctx_t *aes_ctx; 416 size_t saved_length, saved_offset, length_needed; 417 418 ASSERT(ctx->cc_provider_private != NULL); 419 aes_ctx = ctx->cc_provider_private; 420 421 /* 422 * For block ciphers, plaintext must be a multiple of AES block size. 423 * This test is only valid for ciphers whose blocksize is a power of 2. 424 */ 425 if (((aes_ctx->ac_flags & (CMAC_MODE|CTR_MODE|CCM_MODE| 426 GCM_MODE|GMAC_MODE)) == 0) && 427 (plaintext->cd_length & (AES_BLOCK_LEN - 1)) != 0) 428 return (CRYPTO_DATA_LEN_RANGE); 429 430 AES_ARG_INPLACE(plaintext, ciphertext); 431 432 /* 433 * We need to just return the length needed to store the output. 434 * We should not destroy the context for the following case. 435 */ 436 switch (aes_ctx->ac_flags & (CMAC_MODE|CCM_MODE|GCM_MODE|GMAC_MODE)) { 437 case CCM_MODE: 438 length_needed = plaintext->cd_length + aes_ctx->ac_mac_len; 439 break; 440 case GCM_MODE: 441 length_needed = plaintext->cd_length + aes_ctx->ac_tag_len; 442 break; 443 case CMAC_MODE: 444 length_needed = AES_BLOCK_LEN; 445 break; 446 case GMAC_MODE: 447 if (plaintext->cd_length != 0) 448 return (CRYPTO_ARGUMENTS_BAD); 449 450 length_needed = aes_ctx->ac_tag_len; 451 break; 452 default: 453 length_needed = plaintext->cd_length; 454 } 455 456 if (ciphertext->cd_length < length_needed) { 457 ciphertext->cd_length = length_needed; 458 return (CRYPTO_BUFFER_TOO_SMALL); 459 } 460 461 saved_length = ciphertext->cd_length; 462 saved_offset = ciphertext->cd_offset; 463 464 /* 465 * Do an update on the specified input data. 466 */ 467 ret = aes_encrypt_update(ctx, plaintext, ciphertext, req); 468 if (ret != CRYPTO_SUCCESS) { 469 return (ret); 470 } 471 472 /* 473 * For CCM mode, aes_ccm_encrypt_final() will take care of any 474 * left-over unprocessed data, and compute the MAC 475 */ 476 if (aes_ctx->ac_flags & CCM_MODE) { 477 /* 478 * ccm_encrypt_final() will compute the MAC and append 479 * it to existing ciphertext. So, need to adjust the left over 480 * length value accordingly 481 */ 482 483 /* order of following 2 lines MUST not be reversed */ 484 ciphertext->cd_offset = ciphertext->cd_length; 485 ciphertext->cd_length = saved_length - ciphertext->cd_length; 486 ret = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, ciphertext, 487 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block); 488 if (ret != CRYPTO_SUCCESS) { 489 return (ret); 490 } 491 492 if (plaintext != ciphertext) { 493 ciphertext->cd_length = 494 ciphertext->cd_offset - saved_offset; 495 } 496 ciphertext->cd_offset = saved_offset; 497 } else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) { 498 /* 499 * gcm_encrypt_final() will compute the MAC and append 500 * it to existing ciphertext. So, need to adjust the left over 501 * length value accordingly 502 */ 503 504 /* order of following 2 lines MUST not be reversed */ 505 ciphertext->cd_offset = ciphertext->cd_length; 506 ciphertext->cd_length = saved_length - ciphertext->cd_length; 507 ret = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, ciphertext, 508 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block, 509 aes_xor_block); 510 if (ret != CRYPTO_SUCCESS) { 511 return (ret); 512 } 513 514 if (plaintext != ciphertext) { 515 ciphertext->cd_length = 516 ciphertext->cd_offset - saved_offset; 517 } 518 ciphertext->cd_offset = saved_offset; 519 } else if (aes_ctx->ac_flags & CMAC_MODE) { 520 /* cmac_update doesn't store data */ 521 ciphertext->cd_length = saved_length; 522 ret = cmac_mode_final((cbc_ctx_t *)aes_ctx, ciphertext, 523 aes_encrypt_block, aes_xor_block); 524 aes_ctx->ac_remainder_len = 0; 525 } 526 527 ASSERT(aes_ctx->ac_remainder_len == 0); 528 (void) aes_free_context(ctx); 529 530 return (ret); 531 } 532 533 534 static int 535 aes_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext, 536 crypto_data_t *plaintext, crypto_req_handle_t req) 537 { 538 int ret = CRYPTO_FAILED; 539 540 aes_ctx_t *aes_ctx; 541 off_t saved_offset; 542 size_t saved_length, length_needed; 543 544 ASSERT(ctx->cc_provider_private != NULL); 545 aes_ctx = ctx->cc_provider_private; 546 547 /* 548 * For block ciphers, plaintext must be a multiple of AES block size. 549 * This test is only valid for ciphers whose blocksize is a power of 2. 550 */ 551 if (((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE)) 552 == 0) && (ciphertext->cd_length & (AES_BLOCK_LEN - 1)) != 0) { 553 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE); 554 } 555 556 AES_ARG_INPLACE(ciphertext, plaintext); 557 558 /* 559 * Return length needed to store the output. 560 * Do not destroy context when plaintext buffer is too small. 561 * 562 * CCM: plaintext is MAC len smaller than cipher text 563 * GCM: plaintext is TAG len smaller than cipher text 564 * GMAC: plaintext length must be zero 565 */ 566 switch (aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) { 567 case CCM_MODE: 568 length_needed = aes_ctx->ac_processed_data_len; 569 break; 570 case GCM_MODE: 571 length_needed = ciphertext->cd_length - aes_ctx->ac_tag_len; 572 break; 573 case GMAC_MODE: 574 if (plaintext->cd_length != 0) 575 return (CRYPTO_ARGUMENTS_BAD); 576 577 length_needed = 0; 578 break; 579 default: 580 length_needed = ciphertext->cd_length; 581 } 582 583 if (plaintext->cd_length < length_needed) { 584 plaintext->cd_length = length_needed; 585 return (CRYPTO_BUFFER_TOO_SMALL); 586 } 587 588 saved_offset = plaintext->cd_offset; 589 saved_length = plaintext->cd_length; 590 591 /* 592 * Do an update on the specified input data. 593 */ 594 ret = aes_decrypt_update(ctx, ciphertext, plaintext, req); 595 if (ret != CRYPTO_SUCCESS) { 596 goto cleanup; 597 } 598 599 if (aes_ctx->ac_flags & CCM_MODE) { 600 ASSERT(aes_ctx->ac_processed_data_len == aes_ctx->ac_data_len); 601 ASSERT(aes_ctx->ac_processed_mac_len == aes_ctx->ac_mac_len); 602 603 /* order of following 2 lines MUST not be reversed */ 604 plaintext->cd_offset = plaintext->cd_length; 605 plaintext->cd_length = saved_length - plaintext->cd_length; 606 607 ret = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, plaintext, 608 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block, 609 aes_xor_block); 610 if (ret == CRYPTO_SUCCESS) { 611 if (plaintext != ciphertext) { 612 plaintext->cd_length = 613 plaintext->cd_offset - saved_offset; 614 } 615 } else { 616 plaintext->cd_length = saved_length; 617 } 618 619 plaintext->cd_offset = saved_offset; 620 } else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) { 621 /* order of following 2 lines MUST not be reversed */ 622 plaintext->cd_offset = plaintext->cd_length; 623 plaintext->cd_length = saved_length - plaintext->cd_length; 624 625 ret = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, plaintext, 626 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block); 627 if (ret == CRYPTO_SUCCESS) { 628 if (plaintext != ciphertext) { 629 plaintext->cd_length = 630 plaintext->cd_offset - saved_offset; 631 } 632 } else { 633 plaintext->cd_length = saved_length; 634 } 635 636 plaintext->cd_offset = saved_offset; 637 } 638 639 ASSERT(aes_ctx->ac_remainder_len == 0); 640 641 cleanup: 642 (void) aes_free_context(ctx); 643 644 return (ret); 645 } 646 647 648 /* ARGSUSED */ 649 static int 650 aes_encrypt_update(crypto_ctx_t *ctx, crypto_data_t *plaintext, 651 crypto_data_t *ciphertext, crypto_req_handle_t req) 652 { 653 off_t saved_offset; 654 size_t saved_length, out_len; 655 int ret = CRYPTO_SUCCESS; 656 aes_ctx_t *aes_ctx; 657 658 ASSERT(ctx->cc_provider_private != NULL); 659 aes_ctx = ctx->cc_provider_private; 660 661 AES_ARG_INPLACE(plaintext, ciphertext); 662 663 /* 664 * CTR mode does not accumulate plaintext across xx_update() calls -- 665 * it always outputs the same number of bytes as the input (so 666 * ac_remainder_len is always 0). Other modes _do_ accumulate 667 * plaintext, and output only full blocks. For non-CTR modes, adjust 668 * the output size to reflect this. 669 */ 670 out_len = plaintext->cd_length + aes_ctx->ac_remainder_len; 671 if ((aes_ctx->ac_flags & CTR_MODE) == 0) 672 out_len &= ~(AES_BLOCK_LEN - 1); 673 674 /* 675 * return length needed to store the output. 676 * CMAC stores its output in a local buffer until *_final. 677 */ 678 if ((aes_ctx->ac_flags & CMAC_MODE) == 0 && 679 ciphertext->cd_length < out_len) { 680 ciphertext->cd_length = out_len; 681 return (CRYPTO_BUFFER_TOO_SMALL); 682 } 683 684 saved_offset = ciphertext->cd_offset; 685 saved_length = ciphertext->cd_length; 686 687 /* 688 * Do the AES update on the specified input data. 689 */ 690 switch (plaintext->cd_format) { 691 case CRYPTO_DATA_RAW: 692 ret = crypto_update_iov(ctx->cc_provider_private, 693 plaintext, ciphertext, aes_encrypt_contiguous_blocks, 694 aes_copy_block64); 695 break; 696 case CRYPTO_DATA_UIO: 697 ret = crypto_update_uio(ctx->cc_provider_private, 698 plaintext, ciphertext, aes_encrypt_contiguous_blocks, 699 aes_copy_block64); 700 break; 701 case CRYPTO_DATA_MBLK: 702 ret = crypto_update_mp(ctx->cc_provider_private, 703 plaintext, ciphertext, aes_encrypt_contiguous_blocks, 704 aes_copy_block64); 705 break; 706 default: 707 ret = CRYPTO_ARGUMENTS_BAD; 708 } 709 710 if (ret == CRYPTO_SUCCESS) { 711 if (plaintext != ciphertext) { 712 ciphertext->cd_length = 713 ciphertext->cd_offset - saved_offset; 714 } 715 } else { 716 ciphertext->cd_length = saved_length; 717 } 718 ciphertext->cd_offset = saved_offset; 719 720 return (ret); 721 } 722 723 724 static int 725 aes_decrypt_update(crypto_ctx_t *ctx, crypto_data_t *ciphertext, 726 crypto_data_t *plaintext, crypto_req_handle_t req) 727 { 728 off_t saved_offset; 729 size_t saved_length, out_len; 730 int ret = CRYPTO_SUCCESS; 731 aes_ctx_t *aes_ctx; 732 733 ASSERT(ctx->cc_provider_private != NULL); 734 aes_ctx = ctx->cc_provider_private; 735 736 AES_ARG_INPLACE(ciphertext, plaintext); 737 738 /* 739 * Adjust the number of bytes that will hold the plaintext (out_len). 740 * CCM, GCM, and GMAC mechanisms never return plaintext for update 741 * operations, so we set out_len to 0 for those. 742 * 743 * CTR mode does not accumulate any ciphertext across xx_decrypt 744 * calls, and always outputs as many bytes of plaintext as 745 * ciphertext. 746 * 747 * The remaining mechanisms output full blocks of plaintext, so 748 * we round out_len down to the closest multiple of AES_BLOCK_LEN. 749 */ 750 out_len = aes_ctx->ac_remainder_len + ciphertext->cd_length; 751 if ((aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) != 0) { 752 out_len = 0; 753 } else if ((aes_ctx->ac_flags & CTR_MODE) == 0) { 754 out_len &= ~(AES_BLOCK_LEN - 1); 755 } 756 757 /* return length needed to store the output */ 758 if (plaintext->cd_length < out_len) { 759 plaintext->cd_length = out_len; 760 return (CRYPTO_BUFFER_TOO_SMALL); 761 } 762 763 saved_offset = plaintext->cd_offset; 764 saved_length = plaintext->cd_length; 765 766 if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) 767 gcm_set_kmflag((gcm_ctx_t *)aes_ctx, crypto_kmflag(req)); 768 769 /* 770 * Do the AES update on the specified input data. 771 */ 772 switch (ciphertext->cd_format) { 773 case CRYPTO_DATA_RAW: 774 ret = crypto_update_iov(ctx->cc_provider_private, 775 ciphertext, plaintext, aes_decrypt_contiguous_blocks, 776 aes_copy_block64); 777 break; 778 case CRYPTO_DATA_UIO: 779 ret = crypto_update_uio(ctx->cc_provider_private, 780 ciphertext, plaintext, aes_decrypt_contiguous_blocks, 781 aes_copy_block64); 782 break; 783 case CRYPTO_DATA_MBLK: 784 ret = crypto_update_mp(ctx->cc_provider_private, 785 ciphertext, plaintext, aes_decrypt_contiguous_blocks, 786 aes_copy_block64); 787 break; 788 default: 789 ret = CRYPTO_ARGUMENTS_BAD; 790 } 791 792 if (ret == CRYPTO_SUCCESS) { 793 if (ciphertext != plaintext) 794 plaintext->cd_length = 795 plaintext->cd_offset - saved_offset; 796 } else { 797 plaintext->cd_length = saved_length; 798 } 799 plaintext->cd_offset = saved_offset; 800 801 802 return (ret); 803 } 804 805 /* ARGSUSED */ 806 static int 807 aes_encrypt_final(crypto_ctx_t *ctx, crypto_data_t *data, 808 crypto_req_handle_t req) 809 { 810 aes_ctx_t *aes_ctx; 811 int ret; 812 813 ASSERT(ctx->cc_provider_private != NULL); 814 aes_ctx = ctx->cc_provider_private; 815 816 if (data->cd_format != CRYPTO_DATA_RAW && 817 data->cd_format != CRYPTO_DATA_UIO && 818 data->cd_format != CRYPTO_DATA_MBLK) { 819 return (CRYPTO_ARGUMENTS_BAD); 820 } 821 822 if (aes_ctx->ac_flags & CCM_MODE) { 823 ret = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, data, 824 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block); 825 if (ret != CRYPTO_SUCCESS) { 826 return (ret); 827 } 828 } else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) { 829 size_t saved_offset = data->cd_offset; 830 831 ret = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, data, 832 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block, 833 aes_xor_block); 834 if (ret != CRYPTO_SUCCESS) { 835 return (ret); 836 } 837 data->cd_length = data->cd_offset - saved_offset; 838 data->cd_offset = saved_offset; 839 } else if (aes_ctx->ac_flags & CMAC_MODE) { 840 ret = cmac_mode_final((cbc_ctx_t *)aes_ctx, data, 841 aes_encrypt_block, aes_xor_block); 842 if (ret != CRYPTO_SUCCESS) 843 return (ret); 844 data->cd_length = AES_BLOCK_LEN; 845 } else if ((aes_ctx->ac_flags & CTR_MODE) == 0) { 846 /* 847 * There must be no unprocessed plaintext. 848 * This happens if the length of the last data is 849 * not a multiple of the AES block length. 850 */ 851 if (aes_ctx->ac_remainder_len > 0) { 852 return (CRYPTO_DATA_LEN_RANGE); 853 } 854 data->cd_length = 0; 855 } 856 857 (void) aes_free_context(ctx); 858 859 return (CRYPTO_SUCCESS); 860 } 861 862 /* ARGSUSED */ 863 static int 864 aes_decrypt_final(crypto_ctx_t *ctx, crypto_data_t *data, 865 crypto_req_handle_t req) 866 { 867 aes_ctx_t *aes_ctx; 868 int ret; 869 off_t saved_offset; 870 size_t saved_length; 871 872 ASSERT(ctx->cc_provider_private != NULL); 873 aes_ctx = ctx->cc_provider_private; 874 875 if (data->cd_format != CRYPTO_DATA_RAW && 876 data->cd_format != CRYPTO_DATA_UIO && 877 data->cd_format != CRYPTO_DATA_MBLK) { 878 return (CRYPTO_ARGUMENTS_BAD); 879 } 880 881 /* 882 * There must be no unprocessed ciphertext. 883 * This happens if the length of the last ciphertext is 884 * not a multiple of the AES block length. 885 * 886 * For CTR mode, ac_remainder_len is always zero (we never 887 * accumulate ciphertext across update calls with CTR mode). 888 */ 889 if (aes_ctx->ac_remainder_len > 0 && 890 (aes_ctx->ac_flags & CTR_MODE) == 0) { 891 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE); 892 } 893 894 if (aes_ctx->ac_flags & CCM_MODE) { 895 /* 896 * This is where all the plaintext is returned, make sure 897 * the plaintext buffer is big enough 898 */ 899 size_t pt_len = aes_ctx->ac_data_len; 900 if (data->cd_length < pt_len) { 901 data->cd_length = pt_len; 902 return (CRYPTO_BUFFER_TOO_SMALL); 903 } 904 905 ASSERT(aes_ctx->ac_processed_data_len == pt_len); 906 ASSERT(aes_ctx->ac_processed_mac_len == aes_ctx->ac_mac_len); 907 saved_offset = data->cd_offset; 908 saved_length = data->cd_length; 909 ret = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, data, 910 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block, 911 aes_xor_block); 912 if (ret == CRYPTO_SUCCESS) { 913 data->cd_length = data->cd_offset - saved_offset; 914 } else { 915 data->cd_length = saved_length; 916 } 917 918 data->cd_offset = saved_offset; 919 if (ret != CRYPTO_SUCCESS) { 920 return (ret); 921 } 922 } else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) { 923 /* 924 * This is where all the plaintext is returned, make sure 925 * the plaintext buffer is big enough 926 */ 927 gcm_ctx_t *ctx = (gcm_ctx_t *)aes_ctx; 928 size_t pt_len = ctx->gcm_processed_data_len - ctx->gcm_tag_len; 929 930 if (data->cd_length < pt_len) { 931 data->cd_length = pt_len; 932 return (CRYPTO_BUFFER_TOO_SMALL); 933 } 934 935 saved_offset = data->cd_offset; 936 saved_length = data->cd_length; 937 ret = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, data, 938 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block); 939 if (ret == CRYPTO_SUCCESS) { 940 data->cd_length = data->cd_offset - saved_offset; 941 } else { 942 data->cd_length = saved_length; 943 } 944 945 data->cd_offset = saved_offset; 946 if (ret != CRYPTO_SUCCESS) { 947 return (ret); 948 } 949 } 950 951 952 if ((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE)) == 0) { 953 data->cd_length = 0; 954 } 955 956 (void) aes_free_context(ctx); 957 958 return (CRYPTO_SUCCESS); 959 } 960 961 /* ARGSUSED */ 962 static int 963 aes_encrypt_atomic(crypto_provider_handle_t provider, 964 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 965 crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext, 966 crypto_spi_ctx_template_t template, crypto_req_handle_t req) 967 { 968 aes_ctx_t aes_ctx; /* on the stack */ 969 off_t saved_offset; 970 size_t saved_length; 971 size_t length_needed; 972 int ret; 973 974 AES_ARG_INPLACE(plaintext, ciphertext); 975 976 /* 977 * CTR, CCM, CMAC, GCM, and GMAC modes do not require that plaintext 978 * be a multiple of AES block size. 979 */ 980 switch (mechanism->cm_type) { 981 case AES_CTR_MECH_INFO_TYPE: 982 case AES_CCM_MECH_INFO_TYPE: 983 case AES_GCM_MECH_INFO_TYPE: 984 case AES_GMAC_MECH_INFO_TYPE: 985 case AES_CMAC_MECH_INFO_TYPE: 986 break; 987 default: 988 if ((plaintext->cd_length & (AES_BLOCK_LEN - 1)) != 0) 989 return (CRYPTO_DATA_LEN_RANGE); 990 } 991 992 if ((ret = aes_check_mech_param(mechanism, NULL, 0)) != CRYPTO_SUCCESS) 993 return (ret); 994 995 bzero(&aes_ctx, sizeof (aes_ctx_t)); 996 997 ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key, 998 crypto_kmflag(req), B_TRUE); 999 if (ret != CRYPTO_SUCCESS) 1000 return (ret); 1001 1002 switch (mechanism->cm_type) { 1003 case AES_CCM_MECH_INFO_TYPE: 1004 length_needed = plaintext->cd_length + aes_ctx.ac_mac_len; 1005 break; 1006 case AES_GMAC_MECH_INFO_TYPE: 1007 if (plaintext->cd_length != 0) 1008 return (CRYPTO_ARGUMENTS_BAD); 1009 /* FALLTHRU */ 1010 case AES_GCM_MECH_INFO_TYPE: 1011 length_needed = plaintext->cd_length + aes_ctx.ac_tag_len; 1012 break; 1013 case AES_CMAC_MECH_INFO_TYPE: 1014 length_needed = AES_BLOCK_LEN; 1015 break; 1016 default: 1017 length_needed = plaintext->cd_length; 1018 } 1019 1020 /* return size of buffer needed to store output */ 1021 if (ciphertext->cd_length < length_needed) { 1022 ciphertext->cd_length = length_needed; 1023 ret = CRYPTO_BUFFER_TOO_SMALL; 1024 goto out; 1025 } 1026 1027 saved_offset = ciphertext->cd_offset; 1028 saved_length = ciphertext->cd_length; 1029 1030 /* 1031 * Do an update on the specified input data. 1032 */ 1033 switch (plaintext->cd_format) { 1034 case CRYPTO_DATA_RAW: 1035 ret = crypto_update_iov(&aes_ctx, plaintext, ciphertext, 1036 aes_encrypt_contiguous_blocks, aes_copy_block64); 1037 break; 1038 case CRYPTO_DATA_UIO: 1039 ret = crypto_update_uio(&aes_ctx, plaintext, ciphertext, 1040 aes_encrypt_contiguous_blocks, aes_copy_block64); 1041 break; 1042 case CRYPTO_DATA_MBLK: 1043 ret = crypto_update_mp(&aes_ctx, plaintext, ciphertext, 1044 aes_encrypt_contiguous_blocks, aes_copy_block64); 1045 break; 1046 default: 1047 ret = CRYPTO_ARGUMENTS_BAD; 1048 } 1049 1050 if (ret == CRYPTO_SUCCESS) { 1051 switch (mechanism->cm_type) { 1052 case AES_CCM_MECH_INFO_TYPE: 1053 ret = ccm_encrypt_final((ccm_ctx_t *)&aes_ctx, 1054 ciphertext, AES_BLOCK_LEN, aes_encrypt_block, 1055 aes_xor_block); 1056 if (ret != CRYPTO_SUCCESS) 1057 goto out; 1058 ASSERT3U(aes_ctx.ac_remainder_len, ==, 0); 1059 break; 1060 case AES_GCM_MECH_INFO_TYPE: 1061 case AES_GMAC_MECH_INFO_TYPE: 1062 ret = gcm_encrypt_final((gcm_ctx_t *)&aes_ctx, 1063 ciphertext, AES_BLOCK_LEN, aes_encrypt_block, 1064 aes_copy_block, aes_xor_block); 1065 if (ret != CRYPTO_SUCCESS) 1066 goto out; 1067 ASSERT3U(aes_ctx.ac_remainder_len, ==, 0); 1068 break; 1069 case AES_CTR_MECH_INFO_TYPE: 1070 /* 1071 * Note that this use of the ASSERT3U has a slightly 1072 * different meaning than the other uses in the 1073 * switch statement. The other uses are to ensure 1074 * no unprocessed plaintext remains after encryption 1075 * (and that the input plaintext was an exact multiple 1076 * of AES_BLOCK_LEN). 1077 * 1078 * For CTR mode, it is ensuring that no input 1079 * plaintext was ever segmented and buffered during 1080 * processing (since it's a stream cipher). 1081 */ 1082 ASSERT3U(aes_ctx.ac_remainder_len, ==, 0); 1083 break; 1084 case AES_CMAC_MECH_INFO_TYPE: 1085 ret = cmac_mode_final((cbc_ctx_t *)&aes_ctx, 1086 ciphertext, aes_encrypt_block, 1087 aes_xor_block); 1088 if (ret != CRYPTO_SUCCESS) 1089 goto out; 1090 break; 1091 default: 1092 ASSERT3U(aes_ctx.ac_remainder_len, ==, 0); 1093 break; 1094 } 1095 1096 if (plaintext != ciphertext) { 1097 ciphertext->cd_length = 1098 ciphertext->cd_offset - saved_offset; 1099 } 1100 } else { 1101 ciphertext->cd_length = saved_length; 1102 } 1103 ciphertext->cd_offset = saved_offset; 1104 1105 out: 1106 if (aes_ctx.ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) { 1107 bzero(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len); 1108 kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len); 1109 } 1110 1111 return (ret); 1112 } 1113 1114 /* ARGSUSED */ 1115 static int 1116 aes_decrypt_atomic(crypto_provider_handle_t provider, 1117 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1118 crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext, 1119 crypto_spi_ctx_template_t template, crypto_req_handle_t req) 1120 { 1121 aes_ctx_t aes_ctx; /* on the stack */ 1122 off_t saved_offset; 1123 size_t saved_length; 1124 size_t length_needed; 1125 int ret; 1126 1127 AES_ARG_INPLACE(ciphertext, plaintext); 1128 1129 /* 1130 * CCM, GCM, CTR, and GMAC modes do not require that ciphertext 1131 * be a multiple of AES block size. 1132 */ 1133 switch (mechanism->cm_type) { 1134 case AES_CTR_MECH_INFO_TYPE: 1135 case AES_CCM_MECH_INFO_TYPE: 1136 case AES_GCM_MECH_INFO_TYPE: 1137 case AES_GMAC_MECH_INFO_TYPE: 1138 break; 1139 default: 1140 if ((ciphertext->cd_length & (AES_BLOCK_LEN - 1)) != 0) 1141 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE); 1142 } 1143 1144 if ((ret = aes_check_mech_param(mechanism, NULL, 0)) != CRYPTO_SUCCESS) 1145 return (ret); 1146 1147 bzero(&aes_ctx, sizeof (aes_ctx_t)); 1148 1149 ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key, 1150 crypto_kmflag(req), B_FALSE); 1151 if (ret != CRYPTO_SUCCESS) 1152 return (ret); 1153 1154 switch (mechanism->cm_type) { 1155 case AES_CCM_MECH_INFO_TYPE: 1156 length_needed = aes_ctx.ac_data_len; 1157 break; 1158 case AES_GCM_MECH_INFO_TYPE: 1159 length_needed = ciphertext->cd_length - aes_ctx.ac_tag_len; 1160 break; 1161 case AES_GMAC_MECH_INFO_TYPE: 1162 if (plaintext->cd_length != 0) 1163 return (CRYPTO_ARGUMENTS_BAD); 1164 length_needed = 0; 1165 break; 1166 default: 1167 length_needed = ciphertext->cd_length; 1168 } 1169 1170 /* return size of buffer needed to store output */ 1171 if (plaintext->cd_length < length_needed) { 1172 plaintext->cd_length = length_needed; 1173 ret = CRYPTO_BUFFER_TOO_SMALL; 1174 goto out; 1175 } 1176 1177 saved_offset = plaintext->cd_offset; 1178 saved_length = plaintext->cd_length; 1179 1180 if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE || 1181 mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE) 1182 gcm_set_kmflag((gcm_ctx_t *)&aes_ctx, crypto_kmflag(req)); 1183 1184 /* 1185 * Do an update on the specified input data. 1186 */ 1187 switch (ciphertext->cd_format) { 1188 case CRYPTO_DATA_RAW: 1189 ret = crypto_update_iov(&aes_ctx, ciphertext, plaintext, 1190 aes_decrypt_contiguous_blocks, aes_copy_block64); 1191 break; 1192 case CRYPTO_DATA_UIO: 1193 ret = crypto_update_uio(&aes_ctx, ciphertext, plaintext, 1194 aes_decrypt_contiguous_blocks, aes_copy_block64); 1195 break; 1196 case CRYPTO_DATA_MBLK: 1197 ret = crypto_update_mp(&aes_ctx, ciphertext, plaintext, 1198 aes_decrypt_contiguous_blocks, aes_copy_block64); 1199 break; 1200 default: 1201 ret = CRYPTO_ARGUMENTS_BAD; 1202 } 1203 1204 if (ret == CRYPTO_SUCCESS) { 1205 switch (mechanism->cm_type) { 1206 case AES_CCM_MECH_INFO_TYPE: 1207 ASSERT(aes_ctx.ac_processed_data_len 1208 == aes_ctx.ac_data_len); 1209 ASSERT(aes_ctx.ac_processed_mac_len 1210 == aes_ctx.ac_mac_len); 1211 ret = ccm_decrypt_final((ccm_ctx_t *)&aes_ctx, 1212 plaintext, AES_BLOCK_LEN, aes_encrypt_block, 1213 aes_copy_block, aes_xor_block); 1214 ASSERT3U(aes_ctx.ac_remainder_len, ==, 0); 1215 if ((ret == CRYPTO_SUCCESS) && 1216 (ciphertext != plaintext)) { 1217 plaintext->cd_length = 1218 plaintext->cd_offset - saved_offset; 1219 } else { 1220 plaintext->cd_length = saved_length; 1221 } 1222 break; 1223 case AES_GCM_MECH_INFO_TYPE: 1224 case AES_GMAC_MECH_INFO_TYPE: 1225 ret = gcm_decrypt_final((gcm_ctx_t *)&aes_ctx, 1226 plaintext, AES_BLOCK_LEN, aes_encrypt_block, 1227 aes_xor_block); 1228 ASSERT3U(aes_ctx.ac_remainder_len, ==, 0); 1229 if ((ret == CRYPTO_SUCCESS) && 1230 (ciphertext != plaintext)) { 1231 plaintext->cd_length = 1232 plaintext->cd_offset - saved_offset; 1233 } else { 1234 plaintext->cd_length = saved_length; 1235 } 1236 break; 1237 case AES_CTR_MECH_INFO_TYPE: 1238 if (ciphertext != plaintext) { 1239 plaintext->cd_length = 1240 plaintext->cd_offset - saved_offset; 1241 } 1242 break; 1243 default: 1244 ASSERT3U(aes_ctx.ac_remainder_len, ==, 0); 1245 if (ciphertext != plaintext) { 1246 plaintext->cd_length = 1247 plaintext->cd_offset - saved_offset; 1248 } 1249 break; 1250 } 1251 } else { 1252 plaintext->cd_length = saved_length; 1253 } 1254 plaintext->cd_offset = saved_offset; 1255 1256 out: 1257 if (aes_ctx.ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) { 1258 bzero(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len); 1259 kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len); 1260 } 1261 1262 if (aes_ctx.ac_flags & CCM_MODE) { 1263 if (aes_ctx.ac_pt_buf != NULL) { 1264 kmem_free(aes_ctx.ac_pt_buf, aes_ctx.ac_data_len); 1265 } 1266 } else if (aes_ctx.ac_flags & (GCM_MODE|GMAC_MODE)) { 1267 if (((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf != NULL) { 1268 kmem_free(((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf, 1269 ((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf_len); 1270 } 1271 } 1272 1273 return (ret); 1274 } 1275 1276 /* 1277 * KCF software provider context template entry points. 1278 */ 1279 /* ARGSUSED */ 1280 static int 1281 aes_create_ctx_template(crypto_provider_handle_t provider, 1282 crypto_mechanism_t *mechanism, crypto_key_t *key, 1283 crypto_spi_ctx_template_t *tmpl, size_t *tmpl_size, crypto_req_handle_t req) 1284 { 1285 void *keysched; 1286 size_t size; 1287 int rv; 1288 1289 if (mechanism->cm_type != AES_ECB_MECH_INFO_TYPE && 1290 mechanism->cm_type != AES_CBC_MECH_INFO_TYPE && 1291 mechanism->cm_type != AES_CMAC_MECH_INFO_TYPE && 1292 mechanism->cm_type != AES_CTR_MECH_INFO_TYPE && 1293 mechanism->cm_type != AES_CCM_MECH_INFO_TYPE && 1294 mechanism->cm_type != AES_GCM_MECH_INFO_TYPE && 1295 mechanism->cm_type != AES_GMAC_MECH_INFO_TYPE) 1296 return (CRYPTO_MECHANISM_INVALID); 1297 1298 if ((keysched = aes_alloc_keysched(&size, 1299 crypto_kmflag(req))) == NULL) { 1300 return (CRYPTO_HOST_MEMORY); 1301 } 1302 1303 /* 1304 * Initialize key schedule. Key length information is stored 1305 * in the key. 1306 */ 1307 if ((rv = init_keysched(key, keysched)) != CRYPTO_SUCCESS) { 1308 bzero(keysched, size); 1309 kmem_free(keysched, size); 1310 return (rv); 1311 } 1312 1313 *tmpl = keysched; 1314 *tmpl_size = size; 1315 1316 return (CRYPTO_SUCCESS); 1317 } 1318 1319 1320 static int 1321 aes_free_context(crypto_ctx_t *ctx) 1322 { 1323 aes_ctx_t *aes_ctx = ctx->cc_provider_private; 1324 1325 if (aes_ctx != NULL) { 1326 if (aes_ctx->ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) { 1327 ASSERT(aes_ctx->ac_keysched_len != 0); 1328 bzero(aes_ctx->ac_keysched, aes_ctx->ac_keysched_len); 1329 kmem_free(aes_ctx->ac_keysched, 1330 aes_ctx->ac_keysched_len); 1331 } 1332 crypto_free_mode_ctx(aes_ctx); 1333 ctx->cc_provider_private = NULL; 1334 } 1335 1336 return (CRYPTO_SUCCESS); 1337 } 1338 1339 1340 static int 1341 aes_common_init_ctx(aes_ctx_t *aes_ctx, crypto_spi_ctx_template_t *template, 1342 crypto_mechanism_t *mechanism, crypto_key_t *key, int kmflag, 1343 boolean_t is_encrypt_init) 1344 { 1345 int rv = CRYPTO_SUCCESS; 1346 void *keysched; 1347 size_t size; 1348 1349 if (template == NULL) { 1350 if ((keysched = aes_alloc_keysched(&size, kmflag)) == NULL) 1351 return (CRYPTO_HOST_MEMORY); 1352 /* 1353 * Initialize key schedule. 1354 * Key length is stored in the key. 1355 */ 1356 if ((rv = init_keysched(key, keysched)) != CRYPTO_SUCCESS) { 1357 kmem_free(keysched, size); 1358 return (rv); 1359 } 1360 1361 aes_ctx->ac_flags |= PROVIDER_OWNS_KEY_SCHEDULE; 1362 aes_ctx->ac_keysched_len = size; 1363 } else { 1364 keysched = template; 1365 } 1366 aes_ctx->ac_keysched = keysched; 1367 1368 switch (mechanism->cm_type) { 1369 case AES_CBC_MECH_INFO_TYPE: 1370 rv = cbc_init_ctx((cbc_ctx_t *)aes_ctx, mechanism->cm_param, 1371 mechanism->cm_param_len, AES_BLOCK_LEN, aes_copy_block64); 1372 break; 1373 case AES_CMAC_MECH_INFO_TYPE: 1374 rv = cmac_init_ctx((cbc_ctx_t *)aes_ctx, AES_BLOCK_LEN); 1375 break; 1376 case AES_CTR_MECH_INFO_TYPE: { 1377 CK_AES_CTR_PARAMS *pp; 1378 1379 if (mechanism->cm_param == NULL || 1380 mechanism->cm_param_len != sizeof (CK_AES_CTR_PARAMS)) { 1381 return (CRYPTO_MECHANISM_PARAM_INVALID); 1382 } 1383 pp = (CK_AES_CTR_PARAMS *)(void *)mechanism->cm_param; 1384 rv = ctr_init_ctx((ctr_ctx_t *)aes_ctx, pp->ulCounterBits, 1385 pp->cb, aes_encrypt_block, aes_copy_block); 1386 break; 1387 } 1388 case AES_CCM_MECH_INFO_TYPE: 1389 if (mechanism->cm_param == NULL || 1390 mechanism->cm_param_len != sizeof (CK_AES_CCM_PARAMS)) { 1391 return (CRYPTO_MECHANISM_PARAM_INVALID); 1392 } 1393 rv = ccm_init_ctx((ccm_ctx_t *)aes_ctx, mechanism->cm_param, 1394 kmflag, is_encrypt_init, AES_BLOCK_LEN, aes_encrypt_block, 1395 aes_xor_block); 1396 break; 1397 case AES_GCM_MECH_INFO_TYPE: 1398 if (mechanism->cm_param == NULL || 1399 mechanism->cm_param_len != sizeof (CK_AES_GCM_PARAMS)) { 1400 return (CRYPTO_MECHANISM_PARAM_INVALID); 1401 } 1402 rv = gcm_init_ctx((gcm_ctx_t *)aes_ctx, mechanism->cm_param, 1403 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block, 1404 aes_xor_block); 1405 break; 1406 case AES_GMAC_MECH_INFO_TYPE: 1407 if (mechanism->cm_param == NULL || 1408 mechanism->cm_param_len != sizeof (CK_AES_GMAC_PARAMS)) { 1409 return (CRYPTO_MECHANISM_PARAM_INVALID); 1410 } 1411 rv = gmac_init_ctx((gcm_ctx_t *)aes_ctx, mechanism->cm_param, 1412 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block, 1413 aes_xor_block); 1414 break; 1415 case AES_ECB_MECH_INFO_TYPE: 1416 aes_ctx->ac_flags |= ECB_MODE; 1417 } 1418 1419 if (rv != CRYPTO_SUCCESS) { 1420 if (aes_ctx->ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) { 1421 bzero(keysched, size); 1422 kmem_free(keysched, size); 1423 } 1424 } 1425 1426 return (rv); 1427 } 1428 1429 static int 1430 process_gmac_mech(crypto_mechanism_t *mech, crypto_data_t *data, 1431 CK_AES_GCM_PARAMS *gcm_params) 1432 { 1433 /* LINTED: pointer alignment */ 1434 CK_AES_GMAC_PARAMS *params = (CK_AES_GMAC_PARAMS *)mech->cm_param; 1435 1436 if (mech->cm_type != AES_GMAC_MECH_INFO_TYPE) 1437 return (CRYPTO_MECHANISM_INVALID); 1438 1439 if (mech->cm_param_len != sizeof (CK_AES_GMAC_PARAMS)) 1440 return (CRYPTO_MECHANISM_PARAM_INVALID); 1441 1442 if (params->pIv == NULL) 1443 return (CRYPTO_MECHANISM_PARAM_INVALID); 1444 1445 gcm_params->pIv = params->pIv; 1446 gcm_params->ulIvLen = AES_GMAC_IV_LEN; 1447 gcm_params->ulTagBits = AES_GMAC_TAG_BITS; 1448 1449 if (data == NULL) 1450 return (CRYPTO_SUCCESS); 1451 1452 if (data->cd_format != CRYPTO_DATA_RAW) 1453 return (CRYPTO_ARGUMENTS_BAD); 1454 1455 gcm_params->pAAD = (uchar_t *)data->cd_raw.iov_base; 1456 gcm_params->ulAADLen = data->cd_length; 1457 return (CRYPTO_SUCCESS); 1458 } 1459 1460 static int 1461 aes_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 1462 crypto_key_t *key, crypto_spi_ctx_template_t template, 1463 crypto_req_handle_t req) 1464 { 1465 return (aes_encrypt_init(ctx, mechanism, 1466 key, template, req)); 1467 } 1468 1469 static int 1470 aes_mac(crypto_ctx_t *ctx, crypto_data_t *plaintext, crypto_data_t *ciphertext, 1471 crypto_req_handle_t req) 1472 { 1473 return (aes_encrypt(ctx, plaintext, ciphertext, req)); 1474 } 1475 1476 static int 1477 aes_mac_update(crypto_ctx_t *ctx, crypto_data_t *data, 1478 crypto_req_handle_t req) 1479 { 1480 crypto_data_t out; 1481 uint8_t block[AES_BLOCK_LEN]; 1482 out.cd_format = CRYPTO_DATA_RAW; 1483 out.cd_offset = 0; 1484 out.cd_length = sizeof (block); 1485 out.cd_miscdata = NULL; 1486 out.cd_raw.iov_base = (void *)block; 1487 out.cd_raw.iov_len = sizeof (block); 1488 1489 return (aes_encrypt_update(ctx, data, &out, req)); 1490 } 1491 1492 static int 1493 aes_mac_final(crypto_ctx_t *ctx, crypto_data_t *mac, crypto_req_handle_t req) 1494 { 1495 return (aes_encrypt_final(ctx, mac, req)); 1496 } 1497 1498 static int 1499 aes_mac_atomic(crypto_provider_handle_t provider, 1500 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1501 crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, 1502 crypto_spi_ctx_template_t template, crypto_req_handle_t req) 1503 { 1504 CK_AES_GCM_PARAMS gcm_params; 1505 crypto_mechanism_t gcm_mech; 1506 int rv; 1507 1508 if (mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE) { 1509 if ((rv = process_gmac_mech(mechanism, data, &gcm_params)) 1510 != CRYPTO_SUCCESS) 1511 return (rv); 1512 1513 gcm_mech.cm_type = AES_GCM_MECH_INFO_TYPE; 1514 gcm_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS); 1515 gcm_mech.cm_param = (char *)&gcm_params; 1516 1517 return (aes_encrypt_atomic(provider, session_id, &gcm_mech, 1518 key, &null_crypto_data, mac, template, req)); 1519 } 1520 /* CMAC */ 1521 return (aes_encrypt_atomic(provider, session_id, mechanism, 1522 key, data, mac, template, req)); 1523 } 1524 1525 static int 1526 aes_mac_verify_atomic(crypto_provider_handle_t provider, 1527 crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 1528 crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, 1529 crypto_spi_ctx_template_t template, crypto_req_handle_t req) 1530 { 1531 CK_AES_GCM_PARAMS gcm_params; 1532 crypto_mechanism_t gcm_mech; 1533 crypto_data_t data_mac; 1534 char buf[AES_BLOCK_LEN]; 1535 int rv; 1536 1537 if (mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE) { 1538 if ((rv = process_gmac_mech(mechanism, data, &gcm_params)) 1539 != CRYPTO_SUCCESS) 1540 return (rv); 1541 1542 gcm_mech.cm_type = AES_GCM_MECH_INFO_TYPE; 1543 gcm_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS); 1544 gcm_mech.cm_param = (char *)&gcm_params; 1545 1546 return (aes_decrypt_atomic(provider, session_id, &gcm_mech, 1547 key, mac, &null_crypto_data, template, req)); 1548 } 1549 1550 /* CMAC */ 1551 1552 data_mac.cd_format = CRYPTO_DATA_RAW; 1553 data_mac.cd_offset = 0; 1554 data_mac.cd_length = AES_BLOCK_LEN; 1555 data_mac.cd_miscdata = NULL; 1556 data_mac.cd_raw.iov_base = (void *) buf; 1557 data_mac.cd_raw.iov_len = AES_BLOCK_LEN; 1558 1559 rv = aes_encrypt_atomic(provider, session_id, &gcm_mech, 1560 key, data, &data_mac, template, req); 1561 1562 if (rv != CRYPTO_SUCCESS) 1563 return (rv); 1564 1565 /* should use get_input_data for mac? */ 1566 if (bcmp(buf, mac->cd_raw.iov_base + mac->cd_offset, 1567 AES_BLOCK_LEN) != 0) 1568 return (CRYPTO_INVALID_MAC); 1569 1570 return (CRYPTO_SUCCESS); 1571 }