1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 /*
26 * AES provider for the Kernel Cryptographic Framework (KCF)
27 */
28
29 #include <sys/types.h>
30 #include <sys/systm.h>
31 #include <sys/modctl.h>
32 #include <sys/cmn_err.h>
33 #include <sys/ddi.h>
34 #include <sys/crypto/common.h>
35 #include <sys/crypto/impl.h>
36 #include <sys/crypto/spi.h>
37 #include <sys/sysmacros.h>
38 #include <sys/strsun.h>
39 #include <modes/modes.h>
40 #define _AES_IMPL
41 #include <aes/aes_impl.h>
42
43 extern struct mod_ops mod_cryptoops;
44
45 /*
46 * Module linkage information for the kernel.
47 */
48 static struct modlcrypto modlcrypto = {
49 &mod_cryptoops,
50 "AES Kernel SW Provider"
51 };
52
53 static struct modlinkage modlinkage = {
54 MODREV_1,
55 { (void *)&modlcrypto,
56 NULL }
57 };
58
59 /*
60 * Mechanism info structure passed to KCF during registration.
61 */
62 static crypto_mech_info_t aes_mech_info_tab[] = {
63 /* AES_ECB */
64 {SUN_CKM_AES_ECB, AES_ECB_MECH_INFO_TYPE,
65 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
66 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
67 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
68 /* AES_CBC */
69 {SUN_CKM_AES_CBC, AES_CBC_MECH_INFO_TYPE,
70 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
71 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
72 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
73 /* AES_CTR */
74 {SUN_CKM_AES_CTR, AES_CTR_MECH_INFO_TYPE,
75 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
76 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
77 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
78 /* AES_CCM */
79 {SUN_CKM_AES_CCM, AES_CCM_MECH_INFO_TYPE,
80 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
81 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
82 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
83 /* AES_GCM */
84 {SUN_CKM_AES_GCM, AES_GCM_MECH_INFO_TYPE,
85 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
86 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
87 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
88 /* AES_GMAC */
89 {SUN_CKM_AES_GMAC, AES_GMAC_MECH_INFO_TYPE,
90 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
91 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
92 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC |
93 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
94 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
95 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES}
96 };
97
98 /* operations are in-place if the output buffer is NULL */
99 #define AES_ARG_INPLACE(input, output) \
100 if ((output) == NULL) \
101 (output) = (input);
102
103 static void aes_provider_status(crypto_provider_handle_t, uint_t *);
104
105 static crypto_control_ops_t aes_control_ops = {
106 aes_provider_status
107 };
108
109 static int aes_encrypt_init(crypto_ctx_t *, crypto_mechanism_t *,
110 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
111 static int aes_decrypt_init(crypto_ctx_t *, crypto_mechanism_t *,
112 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
113 static int aes_common_init(crypto_ctx_t *, crypto_mechanism_t *,
114 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t, boolean_t);
115 static int aes_common_init_ctx(aes_ctx_t *, crypto_spi_ctx_template_t *,
116 crypto_mechanism_t *, crypto_key_t *, int, boolean_t);
117 static int aes_encrypt_final(crypto_ctx_t *, crypto_data_t *,
118 crypto_req_handle_t);
119 static int aes_decrypt_final(crypto_ctx_t *, crypto_data_t *,
120 crypto_req_handle_t);
121
122 static int aes_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
123 crypto_req_handle_t);
124 static int aes_encrypt_update(crypto_ctx_t *, crypto_data_t *,
125 crypto_data_t *, crypto_req_handle_t);
126 static int aes_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
127 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
128 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
129
130 static int aes_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
131 crypto_req_handle_t);
132 static int aes_decrypt_update(crypto_ctx_t *, crypto_data_t *,
133 crypto_data_t *, crypto_req_handle_t);
134 static int aes_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
135 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
136 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
137
138 static crypto_cipher_ops_t aes_cipher_ops = {
139 aes_encrypt_init,
140 aes_encrypt,
141 aes_encrypt_update,
142 aes_encrypt_final,
143 aes_encrypt_atomic,
144 aes_decrypt_init,
145 aes_decrypt,
146 aes_decrypt_update,
147 aes_decrypt_final,
148 aes_decrypt_atomic
149 };
150
151 static int aes_mac_atomic(crypto_provider_handle_t, crypto_session_id_t,
152 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
153 crypto_spi_ctx_template_t, crypto_req_handle_t);
154 static int aes_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
155 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
156 crypto_spi_ctx_template_t, crypto_req_handle_t);
157
158 static crypto_mac_ops_t aes_mac_ops = {
159 NULL,
160 NULL,
161 NULL,
162 NULL,
163 aes_mac_atomic,
164 aes_mac_verify_atomic
165 };
166
167 static int aes_create_ctx_template(crypto_provider_handle_t,
168 crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *,
169 size_t *, crypto_req_handle_t);
170 static int aes_free_context(crypto_ctx_t *);
171
172 static crypto_ctx_ops_t aes_ctx_ops = {
173 aes_create_ctx_template,
174 aes_free_context
175 };
176
177 static crypto_ops_t aes_crypto_ops = {{{{{{
178 &aes_control_ops,
179 NULL,
180 &aes_cipher_ops,
181 &aes_mac_ops,
182 NULL,
183 NULL,
184 NULL,
185 NULL,
186 NULL,
187 NULL,
188 NULL,
189 NULL,
190 NULL,
191 &aes_ctx_ops }, /* cou_v1 */
192 NULL }, /* cou_v2 */
193 NULL }, /* cou_v3 */
194 NULL } /* cou_v4 */
195 }};
196
197 static crypto_provider_info_t aes_prov_info = {{{{
198 CRYPTO_SPI_VERSION_4,
199 "AES Software Provider",
200 CRYPTO_SW_PROVIDER,
201 {&modlinkage},
202 NULL,
203 &aes_crypto_ops,
204 sizeof (aes_mech_info_tab)/sizeof (crypto_mech_info_t),
205 aes_mech_info_tab
206 }}}};
207
208 static crypto_kcf_provider_handle_t aes_prov_handle = NULL;
209 static crypto_data_t null_crypto_data = { CRYPTO_DATA_RAW };
210
211 int
212 _init(void)
213 {
214 int ret;
215
216 if ((ret = mod_install(&modlinkage)) != 0)
217 return (ret);
218
219 /* Register with KCF. If the registration fails, remove the module. */
220 if (crypto_register_provider(&aes_prov_info, &aes_prov_handle)) {
221 (void) mod_remove(&modlinkage);
222 return (EACCES);
223 }
224
225 return (0);
226 }
227
228 int
229 _fini(void)
230 {
231 /* Unregister from KCF if module is registered */
232 if (aes_prov_handle != NULL) {
233 if (crypto_unregister_provider(aes_prov_handle))
234 return (EBUSY);
235
236 aes_prov_handle = NULL;
237 }
238
239 return (mod_remove(&modlinkage));
240 }
241
242 int
243 _info(struct modinfo *modinfop)
244 {
245 return (mod_info(&modlinkage, modinfop));
246 }
247
248
249 static int
250 aes_check_mech_param(crypto_mechanism_t *mechanism, aes_ctx_t **ctx, int kmflag)
251 {
252 void *p = NULL;
253 boolean_t param_required = B_TRUE;
254 size_t param_len;
255 void *(*alloc_fun)(int);
256 int rv = CRYPTO_SUCCESS;
257
258 switch (mechanism->cm_type) {
259 case AES_ECB_MECH_INFO_TYPE:
260 param_required = B_FALSE;
261 alloc_fun = ecb_alloc_ctx;
262 break;
263 case AES_CBC_MECH_INFO_TYPE:
264 param_len = AES_BLOCK_LEN;
265 alloc_fun = cbc_alloc_ctx;
266 break;
267 case AES_CTR_MECH_INFO_TYPE:
268 param_len = sizeof (CK_AES_CTR_PARAMS);
269 alloc_fun = ctr_alloc_ctx;
270 break;
271 case AES_CCM_MECH_INFO_TYPE:
272 param_len = sizeof (CK_AES_CCM_PARAMS);
273 alloc_fun = ccm_alloc_ctx;
274 break;
275 case AES_GCM_MECH_INFO_TYPE:
276 param_len = sizeof (CK_AES_GCM_PARAMS);
277 alloc_fun = gcm_alloc_ctx;
278 break;
279 case AES_GMAC_MECH_INFO_TYPE:
280 param_len = sizeof (CK_AES_GMAC_PARAMS);
281 alloc_fun = gmac_alloc_ctx;
282 break;
283 default:
284 rv = CRYPTO_MECHANISM_INVALID;
285 return (rv);
286 }
287 if (param_required && mechanism->cm_param != NULL &&
288 mechanism->cm_param_len != param_len) {
289 rv = CRYPTO_MECHANISM_PARAM_INVALID;
290 }
291 if (ctx != NULL) {
292 p = (alloc_fun)(kmflag);
293 *ctx = p;
294 }
295 return (rv);
296 }
297
298 /*
299 * Initialize key schedules for AES
300 */
301 static int
302 init_keysched(crypto_key_t *key, void *newbie)
303 {
304 /*
305 * Only keys by value are supported by this module.
306 */
307 switch (key->ck_format) {
308 case CRYPTO_KEY_RAW:
309 if (key->ck_length < AES_MINBITS ||
310 key->ck_length > AES_MAXBITS) {
311 return (CRYPTO_KEY_SIZE_RANGE);
312 }
313
314 /* key length must be either 128, 192, or 256 */
315 if ((key->ck_length & 63) != 0)
316 return (CRYPTO_KEY_SIZE_RANGE);
317 break;
318 default:
319 return (CRYPTO_KEY_TYPE_INCONSISTENT);
320 }
321
322 aes_init_keysched(key->ck_data, key->ck_length, newbie);
323 return (CRYPTO_SUCCESS);
324 }
325
326 /*
327 * KCF software provider control entry points.
328 */
329 /* ARGSUSED */
330 static void
331 aes_provider_status(crypto_provider_handle_t provider, uint_t *status)
332 {
333 *status = CRYPTO_PROVIDER_READY;
334 }
335
336 static int
337 aes_encrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
338 crypto_key_t *key, crypto_spi_ctx_template_t template,
339 crypto_req_handle_t req) {
340 return (aes_common_init(ctx, mechanism, key, template, req, B_TRUE));
341 }
342
343 static int
344 aes_decrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
345 crypto_key_t *key, crypto_spi_ctx_template_t template,
346 crypto_req_handle_t req) {
347 return (aes_common_init(ctx, mechanism, key, template, req, B_FALSE));
348 }
349
350
351
352 /*
353 * KCF software provider encrypt entry points.
354 */
355 static int
356 aes_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
357 crypto_key_t *key, crypto_spi_ctx_template_t template,
358 crypto_req_handle_t req, boolean_t is_encrypt_init)
359 {
360 aes_ctx_t *aes_ctx;
361 int rv;
362 int kmflag;
363
364 /*
365 * Only keys by value are supported by this module.
366 */
367 if (key->ck_format != CRYPTO_KEY_RAW) {
368 return (CRYPTO_KEY_TYPE_INCONSISTENT);
369 }
370
371 kmflag = crypto_kmflag(req);
372 if ((rv = aes_check_mech_param(mechanism, &aes_ctx, kmflag))
373 != CRYPTO_SUCCESS)
374 return (rv);
375
376 rv = aes_common_init_ctx(aes_ctx, template, mechanism, key, kmflag,
377 is_encrypt_init);
378 if (rv != CRYPTO_SUCCESS) {
379 crypto_free_mode_ctx(aes_ctx);
380 return (rv);
381 }
382
383 ctx->cc_provider_private = aes_ctx;
384
385 return (CRYPTO_SUCCESS);
386 }
387
388 static void
389 aes_copy_block64(uint8_t *in, uint64_t *out)
390 {
391 if (IS_P2ALIGNED(in, sizeof (uint64_t))) {
392 /* LINTED: pointer alignment */
393 out[0] = *(uint64_t *)&in[0];
394 /* LINTED: pointer alignment */
395 out[1] = *(uint64_t *)&in[8];
396 } else {
397 uint8_t *iv8 = (uint8_t *)&out[0];
398
399 AES_COPY_BLOCK(in, iv8);
400 }
401 }
402
403
404 static int
405 aes_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext,
406 crypto_data_t *ciphertext, crypto_req_handle_t req)
407 {
408 int ret = CRYPTO_FAILED;
409
410 aes_ctx_t *aes_ctx;
411 size_t saved_length, saved_offset, length_needed;
412
413 ASSERT(ctx->cc_provider_private != NULL);
414 aes_ctx = ctx->cc_provider_private;
415
416 /*
417 * For block ciphers, plaintext must be a multiple of AES block size.
418 * This test is only valid for ciphers whose blocksize is a power of 2.
419 */
420 if (((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE))
421 == 0) && (plaintext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
422 return (CRYPTO_DATA_LEN_RANGE);
423
424 AES_ARG_INPLACE(plaintext, ciphertext);
425
426 /*
427 * We need to just return the length needed to store the output.
428 * We should not destroy the context for the following case.
429 */
430 switch (aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) {
431 case CCM_MODE:
432 length_needed = plaintext->cd_length + aes_ctx->ac_mac_len;
433 break;
434 case GCM_MODE:
435 length_needed = plaintext->cd_length + aes_ctx->ac_tag_len;
436 break;
437 case GMAC_MODE:
438 if (plaintext->cd_length != 0)
439 return (CRYPTO_ARGUMENTS_BAD);
440
441 length_needed = aes_ctx->ac_tag_len;
442 break;
443 default:
444 length_needed = plaintext->cd_length;
445 }
446
447 if (ciphertext->cd_length < length_needed) {
448 ciphertext->cd_length = length_needed;
449 return (CRYPTO_BUFFER_TOO_SMALL);
450 }
451
452 saved_length = ciphertext->cd_length;
453 saved_offset = ciphertext->cd_offset;
454
455 /*
456 * Do an update on the specified input data.
457 */
458 ret = aes_encrypt_update(ctx, plaintext, ciphertext, req);
459 if (ret != CRYPTO_SUCCESS) {
460 return (ret);
461 }
462
463 /*
464 * For CCM mode, aes_ccm_encrypt_final() will take care of any
465 * left-over unprocessed data, and compute the MAC
466 */
467 if (aes_ctx->ac_flags & CCM_MODE) {
468 /*
469 * ccm_encrypt_final() will compute the MAC and append
470 * it to existing ciphertext. So, need to adjust the left over
471 * length value accordingly
472 */
473
474 /* order of following 2 lines MUST not be reversed */
475 ciphertext->cd_offset = ciphertext->cd_length;
476 ciphertext->cd_length = saved_length - ciphertext->cd_length;
477 ret = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, ciphertext,
478 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
479 if (ret != CRYPTO_SUCCESS) {
480 return (ret);
481 }
482
483 if (plaintext != ciphertext) {
484 ciphertext->cd_length =
485 ciphertext->cd_offset - saved_offset;
486 }
487 ciphertext->cd_offset = saved_offset;
488 } else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
489 /*
490 * gcm_encrypt_final() will compute the MAC and append
491 * it to existing ciphertext. So, need to adjust the left over
492 * length value accordingly
493 */
494
495 /* order of following 2 lines MUST not be reversed */
496 ciphertext->cd_offset = ciphertext->cd_length;
497 ciphertext->cd_length = saved_length - ciphertext->cd_length;
498 ret = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, ciphertext,
499 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
500 aes_xor_block);
501 if (ret != CRYPTO_SUCCESS) {
502 return (ret);
503 }
504
505 if (plaintext != ciphertext) {
506 ciphertext->cd_length =
507 ciphertext->cd_offset - saved_offset;
508 }
509 ciphertext->cd_offset = saved_offset;
510 }
511
512 ASSERT(aes_ctx->ac_remainder_len == 0);
513 (void) aes_free_context(ctx);
514
515 return (ret);
516 }
517
518
519 static int
520 aes_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
521 crypto_data_t *plaintext, crypto_req_handle_t req)
522 {
523 int ret = CRYPTO_FAILED;
524
525 aes_ctx_t *aes_ctx;
526 off_t saved_offset;
527 size_t saved_length, length_needed;
528
529 ASSERT(ctx->cc_provider_private != NULL);
530 aes_ctx = ctx->cc_provider_private;
531
532 /*
533 * For block ciphers, plaintext must be a multiple of AES block size.
534 * This test is only valid for ciphers whose blocksize is a power of 2.
535 */
536 if (((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE))
537 == 0) && (ciphertext->cd_length & (AES_BLOCK_LEN - 1)) != 0) {
538 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
539 }
540
541 AES_ARG_INPLACE(ciphertext, plaintext);
542
543 /*
544 * Return length needed to store the output.
545 * Do not destroy context when plaintext buffer is too small.
546 *
547 * CCM: plaintext is MAC len smaller than cipher text
548 * GCM: plaintext is TAG len smaller than cipher text
549 * GMAC: plaintext length must be zero
550 */
551 switch (aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) {
552 case CCM_MODE:
553 length_needed = aes_ctx->ac_processed_data_len;
554 break;
555 case GCM_MODE:
556 length_needed = ciphertext->cd_length - aes_ctx->ac_tag_len;
557 break;
558 case GMAC_MODE:
559 if (plaintext->cd_length != 0)
560 return (CRYPTO_ARGUMENTS_BAD);
561
562 length_needed = 0;
563 break;
564 default:
565 length_needed = ciphertext->cd_length;
566 }
567
568 if (plaintext->cd_length < length_needed) {
569 plaintext->cd_length = length_needed;
570 return (CRYPTO_BUFFER_TOO_SMALL);
571 }
572
573 saved_offset = plaintext->cd_offset;
574 saved_length = plaintext->cd_length;
575
576 /*
577 * Do an update on the specified input data.
578 */
579 ret = aes_decrypt_update(ctx, ciphertext, plaintext, req);
580 if (ret != CRYPTO_SUCCESS) {
581 goto cleanup;
582 }
583
584 if (aes_ctx->ac_flags & CCM_MODE) {
585 ASSERT(aes_ctx->ac_processed_data_len == aes_ctx->ac_data_len);
586 ASSERT(aes_ctx->ac_processed_mac_len == aes_ctx->ac_mac_len);
587
588 /* order of following 2 lines MUST not be reversed */
589 plaintext->cd_offset = plaintext->cd_length;
590 plaintext->cd_length = saved_length - plaintext->cd_length;
591
592 ret = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, plaintext,
593 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
594 aes_xor_block);
595 if (ret == CRYPTO_SUCCESS) {
596 if (plaintext != ciphertext) {
597 plaintext->cd_length =
598 plaintext->cd_offset - saved_offset;
599 }
600 } else {
601 plaintext->cd_length = saved_length;
602 }
603
604 plaintext->cd_offset = saved_offset;
605 } else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
606 /* order of following 2 lines MUST not be reversed */
607 plaintext->cd_offset = plaintext->cd_length;
608 plaintext->cd_length = saved_length - plaintext->cd_length;
609
610 ret = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, plaintext,
611 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
612 if (ret == CRYPTO_SUCCESS) {
613 if (plaintext != ciphertext) {
614 plaintext->cd_length =
615 plaintext->cd_offset - saved_offset;
616 }
617 } else {
618 plaintext->cd_length = saved_length;
619 }
620
621 plaintext->cd_offset = saved_offset;
622 }
623
624 ASSERT(aes_ctx->ac_remainder_len == 0);
625
626 cleanup:
627 (void) aes_free_context(ctx);
628
629 return (ret);
630 }
631
632
633 /* ARGSUSED */
634 static int
635 aes_encrypt_update(crypto_ctx_t *ctx, crypto_data_t *plaintext,
636 crypto_data_t *ciphertext, crypto_req_handle_t req)
637 {
638 off_t saved_offset;
639 size_t saved_length, out_len;
640 int ret = CRYPTO_SUCCESS;
641 aes_ctx_t *aes_ctx;
642
643 ASSERT(ctx->cc_provider_private != NULL);
644 aes_ctx = ctx->cc_provider_private;
645
646 AES_ARG_INPLACE(plaintext, ciphertext);
647
648 /* compute number of bytes that will hold the ciphertext */
649 out_len = aes_ctx->ac_remainder_len;
650 out_len += plaintext->cd_length;
651 out_len &= ~(AES_BLOCK_LEN - 1);
652
653 /* return length needed to store the output */
654 if (ciphertext->cd_length < out_len) {
655 ciphertext->cd_length = out_len;
656 return (CRYPTO_BUFFER_TOO_SMALL);
657 }
658
659 saved_offset = ciphertext->cd_offset;
660 saved_length = ciphertext->cd_length;
661
662 /*
663 * Do the AES update on the specified input data.
664 */
665 switch (plaintext->cd_format) {
666 case CRYPTO_DATA_RAW:
667 ret = crypto_update_iov(ctx->cc_provider_private,
668 plaintext, ciphertext, aes_encrypt_contiguous_blocks,
669 aes_copy_block64);
670 break;
671 case CRYPTO_DATA_UIO:
672 ret = crypto_update_uio(ctx->cc_provider_private,
673 plaintext, ciphertext, aes_encrypt_contiguous_blocks,
674 aes_copy_block64);
675 break;
676 case CRYPTO_DATA_MBLK:
677 ret = crypto_update_mp(ctx->cc_provider_private,
678 plaintext, ciphertext, aes_encrypt_contiguous_blocks,
679 aes_copy_block64);
680 break;
681 default:
682 ret = CRYPTO_ARGUMENTS_BAD;
683 }
684
685 /*
686 * Since AES counter mode is a stream cipher, we call
687 * ctr_mode_final() to pick up any remaining bytes.
688 * It is an internal function that does not destroy
689 * the context like *normal* final routines.
690 */
691 if ((aes_ctx->ac_flags & CTR_MODE) && (aes_ctx->ac_remainder_len > 0)) {
692 ret = ctr_mode_final((ctr_ctx_t *)aes_ctx,
693 ciphertext, aes_encrypt_block);
694 }
695
696 if (ret == CRYPTO_SUCCESS) {
697 if (plaintext != ciphertext)
698 ciphertext->cd_length =
699 ciphertext->cd_offset - saved_offset;
700 } else {
701 ciphertext->cd_length = saved_length;
702 }
703 ciphertext->cd_offset = saved_offset;
704
705 return (ret);
706 }
707
708
709 static int
710 aes_decrypt_update(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
711 crypto_data_t *plaintext, crypto_req_handle_t req)
712 {
713 off_t saved_offset;
714 size_t saved_length, out_len;
715 int ret = CRYPTO_SUCCESS;
716 aes_ctx_t *aes_ctx;
717
718 ASSERT(ctx->cc_provider_private != NULL);
719 aes_ctx = ctx->cc_provider_private;
720
721 AES_ARG_INPLACE(ciphertext, plaintext);
722
723 /*
724 * Compute number of bytes that will hold the plaintext.
725 * This is not necessary for CCM, GCM, and GMAC since these
726 * mechanisms never return plaintext for update operations.
727 */
728 if ((aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) == 0) {
729 out_len = aes_ctx->ac_remainder_len;
730 out_len += ciphertext->cd_length;
731 out_len &= ~(AES_BLOCK_LEN - 1);
732
733 /* return length needed to store the output */
734 if (plaintext->cd_length < out_len) {
735 plaintext->cd_length = out_len;
736 return (CRYPTO_BUFFER_TOO_SMALL);
737 }
738 }
739
740 saved_offset = plaintext->cd_offset;
741 saved_length = plaintext->cd_length;
742
743 if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE))
744 gcm_set_kmflag((gcm_ctx_t *)aes_ctx, crypto_kmflag(req));
745
746 /*
747 * Do the AES update on the specified input data.
748 */
749 switch (ciphertext->cd_format) {
750 case CRYPTO_DATA_RAW:
751 ret = crypto_update_iov(ctx->cc_provider_private,
752 ciphertext, plaintext, aes_decrypt_contiguous_blocks,
753 aes_copy_block64);
754 break;
755 case CRYPTO_DATA_UIO:
756 ret = crypto_update_uio(ctx->cc_provider_private,
757 ciphertext, plaintext, aes_decrypt_contiguous_blocks,
758 aes_copy_block64);
759 break;
760 case CRYPTO_DATA_MBLK:
761 ret = crypto_update_mp(ctx->cc_provider_private,
762 ciphertext, plaintext, aes_decrypt_contiguous_blocks,
763 aes_copy_block64);
764 break;
765 default:
766 ret = CRYPTO_ARGUMENTS_BAD;
767 }
768
769 /*
770 * Since AES counter mode is a stream cipher, we call
771 * ctr_mode_final() to pick up any remaining bytes.
772 * It is an internal function that does not destroy
773 * the context like *normal* final routines.
774 */
775 if ((aes_ctx->ac_flags & CTR_MODE) && (aes_ctx->ac_remainder_len > 0)) {
776 ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, plaintext,
777 aes_encrypt_block);
778 if (ret == CRYPTO_DATA_LEN_RANGE)
779 ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
780 }
781
782 if (ret == CRYPTO_SUCCESS) {
783 if (ciphertext != plaintext)
784 plaintext->cd_length =
785 plaintext->cd_offset - saved_offset;
786 } else {
787 plaintext->cd_length = saved_length;
788 }
789 plaintext->cd_offset = saved_offset;
790
791
792 return (ret);
793 }
794
795 /* ARGSUSED */
796 static int
797 aes_encrypt_final(crypto_ctx_t *ctx, crypto_data_t *data,
798 crypto_req_handle_t req)
799 {
800 aes_ctx_t *aes_ctx;
801 int ret;
802
803 ASSERT(ctx->cc_provider_private != NULL);
804 aes_ctx = ctx->cc_provider_private;
805
806 if (data->cd_format != CRYPTO_DATA_RAW &&
807 data->cd_format != CRYPTO_DATA_UIO &&
808 data->cd_format != CRYPTO_DATA_MBLK) {
809 return (CRYPTO_ARGUMENTS_BAD);
810 }
811
812 if (aes_ctx->ac_flags & CTR_MODE) {
813 if (aes_ctx->ac_remainder_len > 0) {
814 ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, data,
815 aes_encrypt_block);
816 if (ret != CRYPTO_SUCCESS)
817 return (ret);
818 }
819 } else if (aes_ctx->ac_flags & CCM_MODE) {
820 ret = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, data,
821 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
822 if (ret != CRYPTO_SUCCESS) {
823 return (ret);
824 }
825 } else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
826 size_t saved_offset = data->cd_offset;
827
828 ret = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, data,
829 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
830 aes_xor_block);
831 if (ret != CRYPTO_SUCCESS) {
832 return (ret);
833 }
834 data->cd_length = data->cd_offset - saved_offset;
835 data->cd_offset = saved_offset;
836 } else {
837 /*
838 * There must be no unprocessed plaintext.
839 * This happens if the length of the last data is
840 * not a multiple of the AES block length.
841 */
842 if (aes_ctx->ac_remainder_len > 0) {
843 return (CRYPTO_DATA_LEN_RANGE);
844 }
845 data->cd_length = 0;
846 }
847
848 (void) aes_free_context(ctx);
849
850 return (CRYPTO_SUCCESS);
851 }
852
853 /* ARGSUSED */
854 static int
855 aes_decrypt_final(crypto_ctx_t *ctx, crypto_data_t *data,
856 crypto_req_handle_t req)
857 {
858 aes_ctx_t *aes_ctx;
859 int ret;
860 off_t saved_offset;
861 size_t saved_length;
862
863 ASSERT(ctx->cc_provider_private != NULL);
864 aes_ctx = ctx->cc_provider_private;
865
866 if (data->cd_format != CRYPTO_DATA_RAW &&
867 data->cd_format != CRYPTO_DATA_UIO &&
868 data->cd_format != CRYPTO_DATA_MBLK) {
869 return (CRYPTO_ARGUMENTS_BAD);
870 }
871
872 /*
873 * There must be no unprocessed ciphertext.
874 * This happens if the length of the last ciphertext is
875 * not a multiple of the AES block length.
876 */
877 if (aes_ctx->ac_remainder_len > 0) {
878 if ((aes_ctx->ac_flags & CTR_MODE) == 0)
879 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
880 else {
881 ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, data,
882 aes_encrypt_block);
883 if (ret == CRYPTO_DATA_LEN_RANGE)
884 ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
885 if (ret != CRYPTO_SUCCESS)
886 return (ret);
887 }
888 }
889
890 if (aes_ctx->ac_flags & CCM_MODE) {
891 /*
892 * This is where all the plaintext is returned, make sure
893 * the plaintext buffer is big enough
894 */
895 size_t pt_len = aes_ctx->ac_data_len;
896 if (data->cd_length < pt_len) {
897 data->cd_length = pt_len;
898 return (CRYPTO_BUFFER_TOO_SMALL);
899 }
900
901 ASSERT(aes_ctx->ac_processed_data_len == pt_len);
902 ASSERT(aes_ctx->ac_processed_mac_len == aes_ctx->ac_mac_len);
903 saved_offset = data->cd_offset;
904 saved_length = data->cd_length;
905 ret = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, data,
906 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
907 aes_xor_block);
908 if (ret == CRYPTO_SUCCESS) {
909 data->cd_length = data->cd_offset - saved_offset;
910 } else {
911 data->cd_length = saved_length;
912 }
913
914 data->cd_offset = saved_offset;
915 if (ret != CRYPTO_SUCCESS) {
916 return (ret);
917 }
918 } else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
919 /*
920 * This is where all the plaintext is returned, make sure
921 * the plaintext buffer is big enough
922 */
923 gcm_ctx_t *ctx = (gcm_ctx_t *)aes_ctx;
924 size_t pt_len = ctx->gcm_processed_data_len - ctx->gcm_tag_len;
925
926 if (data->cd_length < pt_len) {
927 data->cd_length = pt_len;
928 return (CRYPTO_BUFFER_TOO_SMALL);
929 }
930
931 saved_offset = data->cd_offset;
932 saved_length = data->cd_length;
933 ret = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, data,
934 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
935 if (ret == CRYPTO_SUCCESS) {
936 data->cd_length = data->cd_offset - saved_offset;
937 } else {
938 data->cd_length = saved_length;
939 }
940
941 data->cd_offset = saved_offset;
942 if (ret != CRYPTO_SUCCESS) {
943 return (ret);
944 }
945 }
946
947
948 if ((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE)) == 0) {
949 data->cd_length = 0;
950 }
951
952 (void) aes_free_context(ctx);
953
954 return (CRYPTO_SUCCESS);
955 }
956
957 /* ARGSUSED */
958 static int
959 aes_encrypt_atomic(crypto_provider_handle_t provider,
960 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
961 crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext,
962 crypto_spi_ctx_template_t template, crypto_req_handle_t req)
963 {
964 aes_ctx_t aes_ctx; /* on the stack */
965 off_t saved_offset;
966 size_t saved_length;
967 size_t length_needed;
968 int ret;
969
970 AES_ARG_INPLACE(plaintext, ciphertext);
971
972 /*
973 * CTR, CCM, GCM, and GMAC modes do not require that plaintext
974 * be a multiple of AES block size.
975 */
976 switch (mechanism->cm_type) {
977 case AES_CTR_MECH_INFO_TYPE:
978 case AES_CCM_MECH_INFO_TYPE:
979 case AES_GCM_MECH_INFO_TYPE:
980 case AES_GMAC_MECH_INFO_TYPE:
981 break;
982 default:
983 if ((plaintext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
984 return (CRYPTO_DATA_LEN_RANGE);
985 }
986
987 if ((ret = aes_check_mech_param(mechanism, NULL, 0)) != CRYPTO_SUCCESS)
988 return (ret);
989
990 bzero(&aes_ctx, sizeof (aes_ctx_t));
991
992 ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key,
993 crypto_kmflag(req), B_TRUE);
994 if (ret != CRYPTO_SUCCESS)
995 return (ret);
996
997 switch (mechanism->cm_type) {
998 case AES_CCM_MECH_INFO_TYPE:
999 length_needed = plaintext->cd_length + aes_ctx.ac_mac_len;
1000 break;
1001 case AES_GMAC_MECH_INFO_TYPE:
1002 if (plaintext->cd_length != 0)
1003 return (CRYPTO_ARGUMENTS_BAD);
1004 /* FALLTHRU */
1005 case AES_GCM_MECH_INFO_TYPE:
1006 length_needed = plaintext->cd_length + aes_ctx.ac_tag_len;
1007 break;
1008 default:
1009 length_needed = plaintext->cd_length;
1010 }
1011
1012 /* return size of buffer needed to store output */
1013 if (ciphertext->cd_length < length_needed) {
1014 ciphertext->cd_length = length_needed;
1015 ret = CRYPTO_BUFFER_TOO_SMALL;
1016 goto out;
1017 }
1018
1019 saved_offset = ciphertext->cd_offset;
1020 saved_length = ciphertext->cd_length;
1021
1022 /*
1023 * Do an update on the specified input data.
1024 */
1025 switch (plaintext->cd_format) {
1026 case CRYPTO_DATA_RAW:
1027 ret = crypto_update_iov(&aes_ctx, plaintext, ciphertext,
1028 aes_encrypt_contiguous_blocks, aes_copy_block64);
1029 break;
1030 case CRYPTO_DATA_UIO:
1031 ret = crypto_update_uio(&aes_ctx, plaintext, ciphertext,
1032 aes_encrypt_contiguous_blocks, aes_copy_block64);
1033 break;
1034 case CRYPTO_DATA_MBLK:
1035 ret = crypto_update_mp(&aes_ctx, plaintext, ciphertext,
1036 aes_encrypt_contiguous_blocks, aes_copy_block64);
1037 break;
1038 default:
1039 ret = CRYPTO_ARGUMENTS_BAD;
1040 }
1041
1042 if (ret == CRYPTO_SUCCESS) {
1043 if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) {
1044 ret = ccm_encrypt_final((ccm_ctx_t *)&aes_ctx,
1045 ciphertext, AES_BLOCK_LEN, aes_encrypt_block,
1046 aes_xor_block);
1047 if (ret != CRYPTO_SUCCESS)
1048 goto out;
1049 ASSERT(aes_ctx.ac_remainder_len == 0);
1050 } else if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE ||
1051 mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE) {
1052 ret = gcm_encrypt_final((gcm_ctx_t *)&aes_ctx,
1053 ciphertext, AES_BLOCK_LEN, aes_encrypt_block,
1054 aes_copy_block, aes_xor_block);
1055 if (ret != CRYPTO_SUCCESS)
1056 goto out;
1057 ASSERT(aes_ctx.ac_remainder_len == 0);
1058 } else if (mechanism->cm_type == AES_CTR_MECH_INFO_TYPE) {
1059 if (aes_ctx.ac_remainder_len > 0) {
1060 ret = ctr_mode_final((ctr_ctx_t *)&aes_ctx,
1061 ciphertext, aes_encrypt_block);
1062 if (ret != CRYPTO_SUCCESS)
1063 goto out;
1064 }
1065 } else {
1066 ASSERT(aes_ctx.ac_remainder_len == 0);
1067 }
1068
1069 if (plaintext != ciphertext) {
1070 ciphertext->cd_length =
1071 ciphertext->cd_offset - saved_offset;
1072 }
1073 } else {
1074 ciphertext->cd_length = saved_length;
1075 }
1076 ciphertext->cd_offset = saved_offset;
1077
1078 out:
1079 if (aes_ctx.ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1080 bzero(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1081 kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1082 }
1083
1084 return (ret);
1085 }
1086
1087 /* ARGSUSED */
1088 static int
1089 aes_decrypt_atomic(crypto_provider_handle_t provider,
1090 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1091 crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
1092 crypto_spi_ctx_template_t template, crypto_req_handle_t req)
1093 {
1094 aes_ctx_t aes_ctx; /* on the stack */
1095 off_t saved_offset;
1096 size_t saved_length;
1097 size_t length_needed;
1098 int ret;
1099
1100 AES_ARG_INPLACE(ciphertext, plaintext);
1101
1102 /*
1103 * CCM, GCM, CTR, and GMAC modes do not require that ciphertext
1104 * be a multiple of AES block size.
1105 */
1106 switch (mechanism->cm_type) {
1107 case AES_CTR_MECH_INFO_TYPE:
1108 case AES_CCM_MECH_INFO_TYPE:
1109 case AES_GCM_MECH_INFO_TYPE:
1110 case AES_GMAC_MECH_INFO_TYPE:
1111 break;
1112 default:
1113 if ((ciphertext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
1114 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
1115 }
1116
1117 if ((ret = aes_check_mech_param(mechanism, NULL, 0)) != CRYPTO_SUCCESS)
1118 return (ret);
1119
1120 bzero(&aes_ctx, sizeof (aes_ctx_t));
1121
1122 ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key,
1123 crypto_kmflag(req), B_FALSE);
1124 if (ret != CRYPTO_SUCCESS)
1125 return (ret);
1126
1127 switch (mechanism->cm_type) {
1128 case AES_CCM_MECH_INFO_TYPE:
1129 length_needed = aes_ctx.ac_data_len;
1130 break;
1131 case AES_GCM_MECH_INFO_TYPE:
1132 length_needed = ciphertext->cd_length - aes_ctx.ac_tag_len;
1133 break;
1134 case AES_GMAC_MECH_INFO_TYPE:
1135 if (plaintext->cd_length != 0)
1136 return (CRYPTO_ARGUMENTS_BAD);
1137 length_needed = 0;
1138 break;
1139 default:
1140 length_needed = ciphertext->cd_length;
1141 }
1142
1143 /* return size of buffer needed to store output */
1144 if (plaintext->cd_length < length_needed) {
1145 plaintext->cd_length = length_needed;
1146 ret = CRYPTO_BUFFER_TOO_SMALL;
1147 goto out;
1148 }
1149
1150 saved_offset = plaintext->cd_offset;
1151 saved_length = plaintext->cd_length;
1152
1153 if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE ||
1154 mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE)
1155 gcm_set_kmflag((gcm_ctx_t *)&aes_ctx, crypto_kmflag(req));
1156
1157 /*
1158 * Do an update on the specified input data.
1159 */
1160 switch (ciphertext->cd_format) {
1161 case CRYPTO_DATA_RAW:
1162 ret = crypto_update_iov(&aes_ctx, ciphertext, plaintext,
1163 aes_decrypt_contiguous_blocks, aes_copy_block64);
1164 break;
1165 case CRYPTO_DATA_UIO:
1166 ret = crypto_update_uio(&aes_ctx, ciphertext, plaintext,
1167 aes_decrypt_contiguous_blocks, aes_copy_block64);
1168 break;
1169 case CRYPTO_DATA_MBLK:
1170 ret = crypto_update_mp(&aes_ctx, ciphertext, plaintext,
1171 aes_decrypt_contiguous_blocks, aes_copy_block64);
1172 break;
1173 default:
1174 ret = CRYPTO_ARGUMENTS_BAD;
1175 }
1176
1177 if (ret == CRYPTO_SUCCESS) {
1178 if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) {
1179 ASSERT(aes_ctx.ac_processed_data_len
1180 == aes_ctx.ac_data_len);
1181 ASSERT(aes_ctx.ac_processed_mac_len
1182 == aes_ctx.ac_mac_len);
1183 ret = ccm_decrypt_final((ccm_ctx_t *)&aes_ctx,
1184 plaintext, AES_BLOCK_LEN, aes_encrypt_block,
1185 aes_copy_block, aes_xor_block);
1186 ASSERT(aes_ctx.ac_remainder_len == 0);
1187 if ((ret == CRYPTO_SUCCESS) &&
1188 (ciphertext != plaintext)) {
1189 plaintext->cd_length =
1190 plaintext->cd_offset - saved_offset;
1191 } else {
1192 plaintext->cd_length = saved_length;
1193 }
1194 } else if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE ||
1195 mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE) {
1196 ret = gcm_decrypt_final((gcm_ctx_t *)&aes_ctx,
1197 plaintext, AES_BLOCK_LEN, aes_encrypt_block,
1198 aes_xor_block);
1199 ASSERT(aes_ctx.ac_remainder_len == 0);
1200 if ((ret == CRYPTO_SUCCESS) &&
1201 (ciphertext != plaintext)) {
1202 plaintext->cd_length =
1203 plaintext->cd_offset - saved_offset;
1204 } else {
1205 plaintext->cd_length = saved_length;
1206 }
1207 } else if (mechanism->cm_type != AES_CTR_MECH_INFO_TYPE) {
1208 ASSERT(aes_ctx.ac_remainder_len == 0);
1209 if (ciphertext != plaintext)
1210 plaintext->cd_length =
1211 plaintext->cd_offset - saved_offset;
1212 } else {
1213 if (aes_ctx.ac_remainder_len > 0) {
1214 ret = ctr_mode_final((ctr_ctx_t *)&aes_ctx,
1215 plaintext, aes_encrypt_block);
1216 if (ret == CRYPTO_DATA_LEN_RANGE)
1217 ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
1218 if (ret != CRYPTO_SUCCESS)
1219 goto out;
1220 }
1221 if (ciphertext != plaintext)
1222 plaintext->cd_length =
1223 plaintext->cd_offset - saved_offset;
1224 }
1225 } else {
1226 plaintext->cd_length = saved_length;
1227 }
1228 plaintext->cd_offset = saved_offset;
1229
1230 out:
1231 if (aes_ctx.ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1232 bzero(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1233 kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1234 }
1235
1236 if (aes_ctx.ac_flags & CCM_MODE) {
1237 if (aes_ctx.ac_pt_buf != NULL) {
1238 kmem_free(aes_ctx.ac_pt_buf, aes_ctx.ac_data_len);
1239 }
1240 } else if (aes_ctx.ac_flags & (GCM_MODE|GMAC_MODE)) {
1241 if (((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf != NULL) {
1242 kmem_free(((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf,
1243 ((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf_len);
1244 }
1245 }
1246
1247 return (ret);
1248 }
1249
1250 /*
1251 * KCF software provider context template entry points.
1252 */
1253 /* ARGSUSED */
1254 static int
1255 aes_create_ctx_template(crypto_provider_handle_t provider,
1256 crypto_mechanism_t *mechanism, crypto_key_t *key,
1257 crypto_spi_ctx_template_t *tmpl, size_t *tmpl_size, crypto_req_handle_t req)
1258 {
1259 void *keysched;
1260 size_t size;
1261 int rv;
1262
1263 if (mechanism->cm_type != AES_ECB_MECH_INFO_TYPE &&
1264 mechanism->cm_type != AES_CBC_MECH_INFO_TYPE &&
1265 mechanism->cm_type != AES_CTR_MECH_INFO_TYPE &&
1266 mechanism->cm_type != AES_CCM_MECH_INFO_TYPE &&
1267 mechanism->cm_type != AES_GCM_MECH_INFO_TYPE &&
1268 mechanism->cm_type != AES_GMAC_MECH_INFO_TYPE)
1269 return (CRYPTO_MECHANISM_INVALID);
1270
1271 if ((keysched = aes_alloc_keysched(&size,
1272 crypto_kmflag(req))) == NULL) {
1273 return (CRYPTO_HOST_MEMORY);
1274 }
1275
1276 /*
1277 * Initialize key schedule. Key length information is stored
1278 * in the key.
1279 */
1280 if ((rv = init_keysched(key, keysched)) != CRYPTO_SUCCESS) {
1281 bzero(keysched, size);
1282 kmem_free(keysched, size);
1283 return (rv);
1284 }
1285
1286 *tmpl = keysched;
1287 *tmpl_size = size;
1288
1289 return (CRYPTO_SUCCESS);
1290 }
1291
1292
1293 static int
1294 aes_free_context(crypto_ctx_t *ctx)
1295 {
1296 aes_ctx_t *aes_ctx = ctx->cc_provider_private;
1297
1298 if (aes_ctx != NULL) {
1299 if (aes_ctx->ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1300 ASSERT(aes_ctx->ac_keysched_len != 0);
1301 bzero(aes_ctx->ac_keysched, aes_ctx->ac_keysched_len);
1302 kmem_free(aes_ctx->ac_keysched,
1303 aes_ctx->ac_keysched_len);
1304 }
1305 crypto_free_mode_ctx(aes_ctx);
1306 ctx->cc_provider_private = NULL;
1307 }
1308
1309 return (CRYPTO_SUCCESS);
1310 }
1311
1312
1313 static int
1314 aes_common_init_ctx(aes_ctx_t *aes_ctx, crypto_spi_ctx_template_t *template,
1315 crypto_mechanism_t *mechanism, crypto_key_t *key, int kmflag,
1316 boolean_t is_encrypt_init)
1317 {
1318 int rv = CRYPTO_SUCCESS;
1319 void *keysched;
1320 size_t size;
1321
1322 if (template == NULL) {
1323 if ((keysched = aes_alloc_keysched(&size, kmflag)) == NULL)
1324 return (CRYPTO_HOST_MEMORY);
1325 /*
1326 * Initialize key schedule.
1327 * Key length is stored in the key.
1328 */
1329 if ((rv = init_keysched(key, keysched)) != CRYPTO_SUCCESS) {
1330 kmem_free(keysched, size);
1331 return (rv);
1332 }
1333
1334 aes_ctx->ac_flags |= PROVIDER_OWNS_KEY_SCHEDULE;
1335 aes_ctx->ac_keysched_len = size;
1336 } else {
1337 keysched = template;
1338 }
1339 aes_ctx->ac_keysched = keysched;
1340
1341 switch (mechanism->cm_type) {
1342 case AES_CBC_MECH_INFO_TYPE:
1343 rv = cbc_init_ctx((cbc_ctx_t *)aes_ctx, mechanism->cm_param,
1344 mechanism->cm_param_len, AES_BLOCK_LEN, aes_copy_block64);
1345 break;
1346 case AES_CTR_MECH_INFO_TYPE: {
1347 CK_AES_CTR_PARAMS *pp;
1348
1349 if (mechanism->cm_param == NULL ||
1350 mechanism->cm_param_len != sizeof (CK_AES_CTR_PARAMS)) {
1351 return (CRYPTO_MECHANISM_PARAM_INVALID);
1352 }
1353 pp = (CK_AES_CTR_PARAMS *)(void *)mechanism->cm_param;
1354 rv = ctr_init_ctx((ctr_ctx_t *)aes_ctx, pp->ulCounterBits,
1355 pp->cb, aes_copy_block);
1356 break;
1357 }
1358 case AES_CCM_MECH_INFO_TYPE:
1359 if (mechanism->cm_param == NULL ||
1360 mechanism->cm_param_len != sizeof (CK_AES_CCM_PARAMS)) {
1361 return (CRYPTO_MECHANISM_PARAM_INVALID);
1362 }
1363 rv = ccm_init_ctx((ccm_ctx_t *)aes_ctx, mechanism->cm_param,
1364 kmflag, is_encrypt_init, AES_BLOCK_LEN, aes_encrypt_block,
1365 aes_xor_block);
1366 break;
1367 case AES_GCM_MECH_INFO_TYPE:
1368 if (mechanism->cm_param == NULL ||
1369 mechanism->cm_param_len != sizeof (CK_AES_GCM_PARAMS)) {
1370 return (CRYPTO_MECHANISM_PARAM_INVALID);
1371 }
1372 rv = gcm_init_ctx((gcm_ctx_t *)aes_ctx, mechanism->cm_param,
1373 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
1374 aes_xor_block);
1375 break;
1376 case AES_GMAC_MECH_INFO_TYPE:
1377 if (mechanism->cm_param == NULL ||
1378 mechanism->cm_param_len != sizeof (CK_AES_GMAC_PARAMS)) {
1379 return (CRYPTO_MECHANISM_PARAM_INVALID);
1380 }
1381 rv = gmac_init_ctx((gcm_ctx_t *)aes_ctx, mechanism->cm_param,
1382 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
1383 aes_xor_block);
1384 break;
1385 case AES_ECB_MECH_INFO_TYPE:
1386 aes_ctx->ac_flags |= ECB_MODE;
1387 }
1388
1389 if (rv != CRYPTO_SUCCESS) {
1390 if (aes_ctx->ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1391 bzero(keysched, size);
1392 kmem_free(keysched, size);
1393 }
1394 }
1395
1396 return (rv);
1397 }
1398
1399 static int
1400 process_gmac_mech(crypto_mechanism_t *mech, crypto_data_t *data,
1401 CK_AES_GCM_PARAMS *gcm_params)
1402 {
1403 /* LINTED: pointer alignment */
1404 CK_AES_GMAC_PARAMS *params = (CK_AES_GMAC_PARAMS *)mech->cm_param;
1405
1406 if (mech->cm_type != AES_GMAC_MECH_INFO_TYPE)
1407 return (CRYPTO_MECHANISM_INVALID);
1408
1409 if (mech->cm_param_len != sizeof (CK_AES_GMAC_PARAMS))
1410 return (CRYPTO_MECHANISM_PARAM_INVALID);
1411
1412 if (params->pIv == NULL)
1413 return (CRYPTO_MECHANISM_PARAM_INVALID);
1414
1415 gcm_params->pIv = params->pIv;
1416 gcm_params->ulIvLen = AES_GMAC_IV_LEN;
1417 gcm_params->ulTagBits = AES_GMAC_TAG_BITS;
1418
1419 if (data == NULL)
1420 return (CRYPTO_SUCCESS);
1421
1422 if (data->cd_format != CRYPTO_DATA_RAW)
1423 return (CRYPTO_ARGUMENTS_BAD);
1424
1425 gcm_params->pAAD = (uchar_t *)data->cd_raw.iov_base;
1426 gcm_params->ulAADLen = data->cd_length;
1427 return (CRYPTO_SUCCESS);
1428 }
1429
1430 static int
1431 aes_mac_atomic(crypto_provider_handle_t provider,
1432 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1433 crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1434 crypto_spi_ctx_template_t template, crypto_req_handle_t req)
1435 {
1436 CK_AES_GCM_PARAMS gcm_params;
1437 crypto_mechanism_t gcm_mech;
1438 int rv;
1439
1440 if ((rv = process_gmac_mech(mechanism, data, &gcm_params))
1441 != CRYPTO_SUCCESS)
1442 return (rv);
1443
1444 gcm_mech.cm_type = AES_GCM_MECH_INFO_TYPE;
1445 gcm_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS);
1446 gcm_mech.cm_param = (char *)&gcm_params;
1447
1448 return (aes_encrypt_atomic(provider, session_id, &gcm_mech,
1449 key, &null_crypto_data, mac, template, req));
1450 }
1451
1452 static int
1453 aes_mac_verify_atomic(crypto_provider_handle_t provider,
1454 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1455 crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1456 crypto_spi_ctx_template_t template, crypto_req_handle_t req)
1457 {
1458 CK_AES_GCM_PARAMS gcm_params;
1459 crypto_mechanism_t gcm_mech;
1460 int rv;
1461
1462 if ((rv = process_gmac_mech(mechanism, data, &gcm_params))
1463 != CRYPTO_SUCCESS)
1464 return (rv);
1465
1466 gcm_mech.cm_type = AES_GCM_MECH_INFO_TYPE;
1467 gcm_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS);
1468 gcm_mech.cm_param = (char *)&gcm_params;
1469
1470 return (aes_decrypt_atomic(provider, session_id, &gcm_mech,
1471 key, mac, &null_crypto_data, template, req));
1472 }