1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #ifndef _KERNEL 27 #include <strings.h> 28 #include <limits.h> 29 #include <assert.h> 30 #include <security/cryptoki.h> 31 #endif 32 33 #include <sys/types.h> 34 #include <modes/modes.h> 35 #include <sys/crypto/common.h> 36 #include <sys/crypto/impl.h> 37 #include <sys/byteorder.h> 38 39 /* 40 * Encrypt and decrypt multiple blocks of data in counter mode. 41 */ 42 int 43 ctr_mode_contiguous_blocks(ctr_ctx_t *ctx, char *data, size_t length, 44 crypto_data_t *out, size_t block_size, 45 int (*cipher)(const void *ks, const uint8_t *pt, uint8_t *ct), 46 void (*xor_block)(uint8_t *, uint8_t *)) 47 { 48 size_t remainder = length; 49 size_t need; 50 uint8_t *datap = (uint8_t *)data; 51 uint8_t *blockp; 52 uint8_t *lastp; 53 void *iov_or_mp; 54 offset_t offset; 55 uint8_t *out_data_1; 56 uint8_t *out_data_2; 57 size_t out_data_1_len; 58 uint64_t lower_counter, upper_counter; 59 60 if (length + ctx->ctr_remainder_len < block_size) { 61 /* accumulate bytes here and return */ 62 bcopy(datap, 63 (uint8_t *)ctx->ctr_remainder + ctx->ctr_remainder_len, 64 length); 65 ctx->ctr_remainder_len += length; 66 ctx->ctr_copy_to = datap; 67 return (CRYPTO_SUCCESS); 68 } 69 70 lastp = (uint8_t *)ctx->ctr_cb; 71 if (out != NULL) 72 crypto_init_ptrs(out, &iov_or_mp, &offset); 73 74 do { 75 /* Unprocessed data from last call. */ 76 if (ctx->ctr_remainder_len > 0) { 77 need = block_size - ctx->ctr_remainder_len; 78 79 if (need > remainder) 80 return (CRYPTO_DATA_LEN_RANGE); 81 82 bcopy(datap, &((uint8_t *)ctx->ctr_remainder) 83 [ctx->ctr_remainder_len], need); 84 85 blockp = (uint8_t *)ctx->ctr_remainder; 86 } else { 87 blockp = datap; 88 } 89 90 /* ctr_cb is the counter block */ 91 cipher(ctx->ctr_keysched, (uint8_t *)ctx->ctr_cb, 92 (uint8_t *)ctx->ctr_tmp); 93 94 lastp = (uint8_t *)ctx->ctr_tmp; 95 96 /* 97 * Increment Counter. 98 */ 99 lower_counter = ntohll(ctx->ctr_cb[1] & ctx->ctr_lower_mask); 100 lower_counter = htonll(lower_counter + 1); 101 lower_counter &= ctx->ctr_lower_mask; 102 ctx->ctr_cb[1] = (ctx->ctr_cb[1] & ~(ctx->ctr_lower_mask)) | 103 lower_counter; 104 105 /* wrap around */ 106 if (lower_counter == 0) { 107 upper_counter = 108 ntohll(ctx->ctr_cb[0] & ctx->ctr_upper_mask); 109 upper_counter = htonll(upper_counter + 1); 110 upper_counter &= ctx->ctr_upper_mask; 111 ctx->ctr_cb[0] = 112 (ctx->ctr_cb[0] & ~(ctx->ctr_upper_mask)) | 113 upper_counter; 114 } 115 116 /* 117 * XOR encrypted counter block with the current clear block. 118 */ 119 xor_block(blockp, lastp); 120 121 if (out == NULL) { 122 if (ctx->ctr_remainder_len > 0) { 123 bcopy(lastp, ctx->ctr_copy_to, 124 ctx->ctr_remainder_len); 125 bcopy(lastp + ctx->ctr_remainder_len, datap, 126 need); 127 } 128 } else { 129 crypto_get_ptrs(out, &iov_or_mp, &offset, &out_data_1, 130 &out_data_1_len, &out_data_2, block_size); 131 132 /* copy block to where it belongs */ 133 bcopy(lastp, out_data_1, out_data_1_len); 134 if (out_data_2 != NULL) { 135 bcopy(lastp + out_data_1_len, out_data_2, 136 block_size - out_data_1_len); 137 } 138 /* update offset */ 139 out->cd_offset += block_size; 140 } 141 142 /* Update pointer to next block of data to be processed. */ 143 if (ctx->ctr_remainder_len != 0) { 144 datap += need; 145 ctx->ctr_remainder_len = 0; 146 } else { 147 datap += block_size; 148 } 149 150 remainder = (size_t)&data[length] - (size_t)datap; 151 152 /* Incomplete last block. */ 153 if (remainder > 0 && remainder < block_size) { 154 bcopy(datap, ctx->ctr_remainder, remainder); 155 ctx->ctr_remainder_len = remainder; 156 ctx->ctr_copy_to = datap; 157 goto out; 158 } 159 ctx->ctr_copy_to = NULL; 160 161 } while (remainder > 0); 162 163 out: 164 return (CRYPTO_SUCCESS); 165 } 166 167 int 168 ctr_mode_final(ctr_ctx_t *ctx, crypto_data_t *out, 169 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *)) 170 { 171 uint8_t *lastp; 172 void *iov_or_mp; 173 offset_t offset; 174 uint8_t *out_data_1; 175 uint8_t *out_data_2; 176 size_t out_data_1_len; 177 uint8_t *p; 178 int i; 179 180 if (out->cd_length < ctx->ctr_remainder_len) 181 return (CRYPTO_DATA_LEN_RANGE); 182 183 encrypt_block(ctx->ctr_keysched, (uint8_t *)ctx->ctr_cb, 184 (uint8_t *)ctx->ctr_tmp); 185 186 lastp = (uint8_t *)ctx->ctr_tmp; 187 p = (uint8_t *)ctx->ctr_remainder; 188 for (i = 0; i < ctx->ctr_remainder_len; i++) { 189 p[i] ^= lastp[i]; 190 } 191 192 crypto_init_ptrs(out, &iov_or_mp, &offset); 193 crypto_get_ptrs(out, &iov_or_mp, &offset, &out_data_1, 194 &out_data_1_len, &out_data_2, ctx->ctr_remainder_len); 195 196 bcopy(p, out_data_1, out_data_1_len); 197 if (out_data_2 != NULL) { 198 bcopy((uint8_t *)p + out_data_1_len, 199 out_data_2, ctx->ctr_remainder_len - out_data_1_len); 200 } 201 out->cd_offset += ctx->ctr_remainder_len; 202 ctx->ctr_remainder_len = 0; 203 return (CRYPTO_SUCCESS); 204 } 205 206 int 207 ctr_init_ctx(ctr_ctx_t *ctr_ctx, ulong_t count, uint8_t *cb, 208 void (*copy_block)(uint8_t *, uint8_t *)) 209 { 210 uint64_t upper_mask = 0; 211 uint64_t lower_mask = 0; 212 213 if (count == 0 || count > 128) { 214 return (CRYPTO_MECHANISM_PARAM_INVALID); 215 } 216 /* upper 64 bits of the mask */ 217 if (count >= 64) { 218 count -= 64; 219 upper_mask = (count == 64) ? UINT64_MAX : (1ULL << count) - 1; 220 lower_mask = UINT64_MAX; 221 } else { 222 /* now the lower 63 bits */ 223 lower_mask = (1ULL << count) - 1; 224 } 225 ctr_ctx->ctr_lower_mask = htonll(lower_mask); 226 ctr_ctx->ctr_upper_mask = htonll(upper_mask); 227 228 copy_block(cb, (uchar_t *)ctr_ctx->ctr_cb); 229 ctr_ctx->ctr_lastp = (uint8_t *)&ctr_ctx->ctr_cb[0]; 230 ctr_ctx->ctr_flags |= CTR_MODE; 231 return (CRYPTO_SUCCESS); 232 } 233 234 /* ARGSUSED */ 235 void * 236 ctr_alloc_ctx(int kmflag) 237 { 238 ctr_ctx_t *ctr_ctx; 239 240 #ifdef _KERNEL 241 if ((ctr_ctx = kmem_zalloc(sizeof (ctr_ctx_t), kmflag)) == NULL) 242 #else 243 if ((ctr_ctx = calloc(1, sizeof (ctr_ctx_t))) == NULL) 244 #endif 245 return (NULL); 246 247 ctr_ctx->ctr_flags = CTR_MODE; 248 return (ctr_ctx); 249 }