1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 /*
26 * AES provider for the Kernel Cryptographic Framework (KCF)
27 */
28
29 #include <sys/zfs_context.h>
30 #include <sys/crypto/common.h>
31 #include <sys/crypto/impl.h>
32 #include <sys/crypto/spi.h>
33 #include <sys/crypto/icp.h>
34 #include <modes/modes.h>
35 #include <sys/modctl.h>
36 #define _AES_IMPL
37 #include <aes/aes_impl.h>
38 #include <modes/gcm_impl.h>
39
40 #define CRYPTO_PROVIDER_NAME "aes"
41
42 extern struct mod_ops mod_cryptoops;
43
44 /*
45 * Module linkage information for the kernel.
46 */
47 static struct modlcrypto modlcrypto = {
48 &mod_cryptoops,
49 "AES Kernel SW Provider"
50 };
51
52 static struct modlinkage modlinkage = {
53 MODREV_1, { (void *)&modlcrypto, NULL }
54 };
55
56 /*
57 * Mechanism info structure passed to KCF during registration.
58 */
59 static crypto_mech_info_t aes_mech_info_tab[] = {
60 /* AES_ECB */
61 {SUN_CKM_AES_ECB, AES_ECB_MECH_INFO_TYPE,
62 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
63 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
64 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
65 /* AES_CBC */
66 {SUN_CKM_AES_CBC, AES_CBC_MECH_INFO_TYPE,
67 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
68 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
69 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
70 /* AES_CTR */
71 {SUN_CKM_AES_CTR, AES_CTR_MECH_INFO_TYPE,
72 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
73 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
74 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
75 /* AES_CCM */
76 {SUN_CKM_AES_CCM, AES_CCM_MECH_INFO_TYPE,
77 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
78 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
79 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
80 /* AES_GCM */
81 {SUN_CKM_AES_GCM, AES_GCM_MECH_INFO_TYPE,
82 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
83 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
84 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
85 /* AES_GMAC */
86 {SUN_CKM_AES_GMAC, AES_GMAC_MECH_INFO_TYPE,
87 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
88 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
89 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC |
90 CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
91 CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
92 AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES}
93 };
94
95 static void aes_provider_status(crypto_provider_handle_t, uint_t *);
96
97 static crypto_control_ops_t aes_control_ops = {
98 aes_provider_status
99 };
100
101 static int aes_encrypt_init(crypto_ctx_t *, crypto_mechanism_t *,
102 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
103 static int aes_decrypt_init(crypto_ctx_t *, crypto_mechanism_t *,
104 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
105 static int aes_common_init(crypto_ctx_t *, crypto_mechanism_t *,
106 crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t, boolean_t);
107 static int aes_common_init_ctx(aes_ctx_t *, crypto_spi_ctx_template_t *,
108 crypto_mechanism_t *, crypto_key_t *, int, boolean_t);
109 static int aes_encrypt_final(crypto_ctx_t *, crypto_data_t *,
110 crypto_req_handle_t);
111 static int aes_decrypt_final(crypto_ctx_t *, crypto_data_t *,
112 crypto_req_handle_t);
113
114 static int aes_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
115 crypto_req_handle_t);
116 static int aes_encrypt_update(crypto_ctx_t *, crypto_data_t *,
117 crypto_data_t *, crypto_req_handle_t);
118 static int aes_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
119 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
120 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
121
122 static int aes_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
123 crypto_req_handle_t);
124 static int aes_decrypt_update(crypto_ctx_t *, crypto_data_t *,
125 crypto_data_t *, crypto_req_handle_t);
126 static int aes_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
127 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
128 crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
129
130 static crypto_cipher_ops_t aes_cipher_ops = {
131 .encrypt_init = aes_encrypt_init,
132 .encrypt = aes_encrypt,
133 .encrypt_update = aes_encrypt_update,
134 .encrypt_final = aes_encrypt_final,
135 .encrypt_atomic = aes_encrypt_atomic,
136 .decrypt_init = aes_decrypt_init,
137 .decrypt = aes_decrypt,
138 .decrypt_update = aes_decrypt_update,
139 .decrypt_final = aes_decrypt_final,
140 .decrypt_atomic = aes_decrypt_atomic
141 };
142
143 static int aes_mac_atomic(crypto_provider_handle_t, crypto_session_id_t,
144 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
145 crypto_spi_ctx_template_t, crypto_req_handle_t);
146 static int aes_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
147 crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
148 crypto_spi_ctx_template_t, crypto_req_handle_t);
149
150 static crypto_mac_ops_t aes_mac_ops = {
151 .mac_init = NULL,
152 .mac = NULL,
153 .mac_update = NULL,
154 .mac_final = NULL,
155 .mac_atomic = aes_mac_atomic,
156 .mac_verify_atomic = aes_mac_verify_atomic
157 };
158
159 static int aes_create_ctx_template(crypto_provider_handle_t,
160 crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *,
161 size_t *, crypto_req_handle_t);
162 static int aes_free_context(crypto_ctx_t *);
163
164 static crypto_ctx_ops_t aes_ctx_ops = {
165 .create_ctx_template = aes_create_ctx_template,
166 .free_context = aes_free_context
167 };
168
169 static crypto_ops_t aes_crypto_ops = {{{{{
170 &aes_control_ops,
171 NULL,
172 &aes_cipher_ops,
173 &aes_mac_ops,
174 NULL,
175 NULL,
176 NULL,
177 NULL,
178 NULL,
179 NULL,
180 NULL,
181 NULL,
182 NULL,
183 &aes_ctx_ops
184 }}}}};
185
186 static crypto_provider_info_t aes_prov_info = {{{{
187 CRYPTO_SPI_VERSION_1,
188 "AES Software Provider",
189 CRYPTO_SW_PROVIDER,
190 NULL,
191 &aes_crypto_ops,
192 sizeof (aes_mech_info_tab)/sizeof (crypto_mech_info_t),
193 aes_mech_info_tab
194 }}}};
195
196 static crypto_kcf_provider_handle_t aes_prov_handle = 0;
197 static crypto_data_t null_crypto_data = { CRYPTO_DATA_RAW };
198
199 int
aes_mod_init(void)200 aes_mod_init(void)
201 {
202 int ret;
203
204 /* Determine the fastest available implementation. */
205 aes_impl_init();
206 gcm_impl_init();
207
208 if ((ret = mod_install(&modlinkage)) != 0)
209 return (ret);
210
211 /* Register with KCF. If the registration fails, remove the module. */
212 if (crypto_register_provider(&aes_prov_info, &aes_prov_handle)) {
213 (void) mod_remove(&modlinkage);
214 return (EACCES);
215 }
216
217 return (0);
218 }
219
220 int
aes_mod_fini(void)221 aes_mod_fini(void)
222 {
223 /* Unregister from KCF if module is registered */
224 if (aes_prov_handle != 0) {
225 if (crypto_unregister_provider(aes_prov_handle))
226 return (EBUSY);
227
228 aes_prov_handle = 0;
229 }
230
231 return (mod_remove(&modlinkage));
232 }
233
234 static int
aes_check_mech_param(crypto_mechanism_t * mechanism,aes_ctx_t ** ctx,int kmflag)235 aes_check_mech_param(crypto_mechanism_t *mechanism, aes_ctx_t **ctx, int kmflag)
236 {
237 void *p = NULL;
238 boolean_t param_required = B_TRUE;
239 size_t param_len;
240 void *(*alloc_fun)(int);
241 int rv = CRYPTO_SUCCESS;
242
243 switch (mechanism->cm_type) {
244 case AES_ECB_MECH_INFO_TYPE:
245 param_required = B_FALSE;
246 alloc_fun = ecb_alloc_ctx;
247 break;
248 case AES_CBC_MECH_INFO_TYPE:
249 param_len = AES_BLOCK_LEN;
250 alloc_fun = cbc_alloc_ctx;
251 break;
252 case AES_CTR_MECH_INFO_TYPE:
253 param_len = sizeof (CK_AES_CTR_PARAMS);
254 alloc_fun = ctr_alloc_ctx;
255 break;
256 case AES_CCM_MECH_INFO_TYPE:
257 param_len = sizeof (CK_AES_CCM_PARAMS);
258 alloc_fun = ccm_alloc_ctx;
259 break;
260 case AES_GCM_MECH_INFO_TYPE:
261 param_len = sizeof (CK_AES_GCM_PARAMS);
262 alloc_fun = gcm_alloc_ctx;
263 break;
264 case AES_GMAC_MECH_INFO_TYPE:
265 param_len = sizeof (CK_AES_GMAC_PARAMS);
266 alloc_fun = gmac_alloc_ctx;
267 break;
268 default:
269 rv = CRYPTO_MECHANISM_INVALID;
270 return (rv);
271 }
272 if (param_required && mechanism->cm_param != NULL &&
273 mechanism->cm_param_len != param_len) {
274 rv = CRYPTO_MECHANISM_PARAM_INVALID;
275 }
276 if (ctx != NULL) {
277 p = (alloc_fun)(kmflag);
278 *ctx = p;
279 }
280 return (rv);
281 }
282
283 /*
284 * Initialize key schedules for AES
285 */
286 static int
init_keysched(crypto_key_t * key,void * newbie)287 init_keysched(crypto_key_t *key, void *newbie)
288 {
289 /*
290 * Only keys by value are supported by this module.
291 */
292 switch (key->ck_format) {
293 case CRYPTO_KEY_RAW:
294 if (key->ck_length < AES_MINBITS ||
295 key->ck_length > AES_MAXBITS) {
296 return (CRYPTO_KEY_SIZE_RANGE);
297 }
298
299 /* key length must be either 128, 192, or 256 */
300 if ((key->ck_length & 63) != 0)
301 return (CRYPTO_KEY_SIZE_RANGE);
302 break;
303 default:
304 return (CRYPTO_KEY_TYPE_INCONSISTENT);
305 }
306
307 aes_init_keysched(key->ck_data, key->ck_length, newbie);
308 return (CRYPTO_SUCCESS);
309 }
310
311 /*
312 * KCF software provider control entry points.
313 */
314 /* ARGSUSED */
315 static void
aes_provider_status(crypto_provider_handle_t provider,uint_t * status)316 aes_provider_status(crypto_provider_handle_t provider, uint_t *status)
317 {
318 *status = CRYPTO_PROVIDER_READY;
319 }
320
321 static int
aes_encrypt_init(crypto_ctx_t * ctx,crypto_mechanism_t * mechanism,crypto_key_t * key,crypto_spi_ctx_template_t template,crypto_req_handle_t req)322 aes_encrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
323 crypto_key_t *key, crypto_spi_ctx_template_t template,
324 crypto_req_handle_t req)
325 {
326 return (aes_common_init(ctx, mechanism, key, template, req, B_TRUE));
327 }
328
329 static int
aes_decrypt_init(crypto_ctx_t * ctx,crypto_mechanism_t * mechanism,crypto_key_t * key,crypto_spi_ctx_template_t template,crypto_req_handle_t req)330 aes_decrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
331 crypto_key_t *key, crypto_spi_ctx_template_t template,
332 crypto_req_handle_t req)
333 {
334 return (aes_common_init(ctx, mechanism, key, template, req, B_FALSE));
335 }
336
337
338
339 /*
340 * KCF software provider encrypt entry points.
341 */
342 static int
aes_common_init(crypto_ctx_t * ctx,crypto_mechanism_t * mechanism,crypto_key_t * key,crypto_spi_ctx_template_t template,crypto_req_handle_t req,boolean_t is_encrypt_init)343 aes_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
344 crypto_key_t *key, crypto_spi_ctx_template_t template,
345 crypto_req_handle_t req, boolean_t is_encrypt_init)
346 {
347 aes_ctx_t *aes_ctx;
348 int rv;
349 int kmflag;
350
351 /*
352 * Only keys by value are supported by this module.
353 */
354 if (key->ck_format != CRYPTO_KEY_RAW) {
355 return (CRYPTO_KEY_TYPE_INCONSISTENT);
356 }
357
358 kmflag = crypto_kmflag(req);
359 if ((rv = aes_check_mech_param(mechanism, &aes_ctx, kmflag))
360 != CRYPTO_SUCCESS)
361 return (rv);
362
363 rv = aes_common_init_ctx(aes_ctx, template, mechanism, key, kmflag,
364 is_encrypt_init);
365 if (rv != CRYPTO_SUCCESS) {
366 crypto_free_mode_ctx(aes_ctx);
367 return (rv);
368 }
369
370 ctx->cc_provider_private = aes_ctx;
371
372 return (CRYPTO_SUCCESS);
373 }
374
375 static void
aes_copy_block64(uint8_t * in,uint64_t * out)376 aes_copy_block64(uint8_t *in, uint64_t *out)
377 {
378 if (IS_P2ALIGNED(in, sizeof (uint64_t))) {
379 /* LINTED: pointer alignment */
380 out[0] = *(uint64_t *)&in[0];
381 /* LINTED: pointer alignment */
382 out[1] = *(uint64_t *)&in[8];
383 } else {
384 uint8_t *iv8 = (uint8_t *)&out[0];
385
386 AES_COPY_BLOCK(in, iv8);
387 }
388 }
389
390
391 static int
aes_encrypt(crypto_ctx_t * ctx,crypto_data_t * plaintext,crypto_data_t * ciphertext,crypto_req_handle_t req)392 aes_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext,
393 crypto_data_t *ciphertext, crypto_req_handle_t req)
394 {
395 int ret = CRYPTO_FAILED;
396
397 aes_ctx_t *aes_ctx;
398 size_t saved_length, saved_offset, length_needed;
399
400 ASSERT(ctx->cc_provider_private != NULL);
401 aes_ctx = ctx->cc_provider_private;
402
403 /*
404 * For block ciphers, plaintext must be a multiple of AES block size.
405 * This test is only valid for ciphers whose blocksize is a power of 2.
406 */
407 if (((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE))
408 == 0) && (plaintext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
409 return (CRYPTO_DATA_LEN_RANGE);
410
411 ASSERT(ciphertext != NULL);
412
413 /*
414 * We need to just return the length needed to store the output.
415 * We should not destroy the context for the following case.
416 */
417 switch (aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) {
418 case CCM_MODE:
419 length_needed = plaintext->cd_length + aes_ctx->ac_mac_len;
420 break;
421 case GCM_MODE:
422 length_needed = plaintext->cd_length + aes_ctx->ac_tag_len;
423 break;
424 case GMAC_MODE:
425 if (plaintext->cd_length != 0)
426 return (CRYPTO_ARGUMENTS_BAD);
427
428 length_needed = aes_ctx->ac_tag_len;
429 break;
430 default:
431 length_needed = plaintext->cd_length;
432 }
433
434 if (ciphertext->cd_length < length_needed) {
435 ciphertext->cd_length = length_needed;
436 return (CRYPTO_BUFFER_TOO_SMALL);
437 }
438
439 saved_length = ciphertext->cd_length;
440 saved_offset = ciphertext->cd_offset;
441
442 /*
443 * Do an update on the specified input data.
444 */
445 ret = aes_encrypt_update(ctx, plaintext, ciphertext, req);
446 if (ret != CRYPTO_SUCCESS) {
447 return (ret);
448 }
449
450 /*
451 * For CCM mode, aes_ccm_encrypt_final() will take care of any
452 * left-over unprocessed data, and compute the MAC
453 */
454 if (aes_ctx->ac_flags & CCM_MODE) {
455 /*
456 * ccm_encrypt_final() will compute the MAC and append
457 * it to existing ciphertext. So, need to adjust the left over
458 * length value accordingly
459 */
460
461 /* order of following 2 lines MUST not be reversed */
462 ciphertext->cd_offset = ciphertext->cd_length;
463 ciphertext->cd_length = saved_length - ciphertext->cd_length;
464 ret = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, ciphertext,
465 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
466 if (ret != CRYPTO_SUCCESS) {
467 return (ret);
468 }
469
470 if (plaintext != ciphertext) {
471 ciphertext->cd_length =
472 ciphertext->cd_offset - saved_offset;
473 }
474 ciphertext->cd_offset = saved_offset;
475 } else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
476 /*
477 * gcm_encrypt_final() will compute the MAC and append
478 * it to existing ciphertext. So, need to adjust the left over
479 * length value accordingly
480 */
481
482 /* order of following 2 lines MUST not be reversed */
483 ciphertext->cd_offset = ciphertext->cd_length;
484 ciphertext->cd_length = saved_length - ciphertext->cd_length;
485 ret = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, ciphertext,
486 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
487 aes_xor_block);
488 if (ret != CRYPTO_SUCCESS) {
489 return (ret);
490 }
491
492 if (plaintext != ciphertext) {
493 ciphertext->cd_length =
494 ciphertext->cd_offset - saved_offset;
495 }
496 ciphertext->cd_offset = saved_offset;
497 }
498
499 ASSERT(aes_ctx->ac_remainder_len == 0);
500 (void) aes_free_context(ctx);
501
502 return (ret);
503 }
504
505
506 static int
aes_decrypt(crypto_ctx_t * ctx,crypto_data_t * ciphertext,crypto_data_t * plaintext,crypto_req_handle_t req)507 aes_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
508 crypto_data_t *plaintext, crypto_req_handle_t req)
509 {
510 int ret = CRYPTO_FAILED;
511
512 aes_ctx_t *aes_ctx;
513 off_t saved_offset;
514 size_t saved_length, length_needed;
515
516 ASSERT(ctx->cc_provider_private != NULL);
517 aes_ctx = ctx->cc_provider_private;
518
519 /*
520 * For block ciphers, plaintext must be a multiple of AES block size.
521 * This test is only valid for ciphers whose blocksize is a power of 2.
522 */
523 if (((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE))
524 == 0) && (ciphertext->cd_length & (AES_BLOCK_LEN - 1)) != 0) {
525 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
526 }
527
528 ASSERT(plaintext != NULL);
529
530 /*
531 * Return length needed to store the output.
532 * Do not destroy context when plaintext buffer is too small.
533 *
534 * CCM: plaintext is MAC len smaller than cipher text
535 * GCM: plaintext is TAG len smaller than cipher text
536 * GMAC: plaintext length must be zero
537 */
538 switch (aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) {
539 case CCM_MODE:
540 length_needed = aes_ctx->ac_processed_data_len;
541 break;
542 case GCM_MODE:
543 length_needed = ciphertext->cd_length - aes_ctx->ac_tag_len;
544 break;
545 case GMAC_MODE:
546 if (plaintext->cd_length != 0)
547 return (CRYPTO_ARGUMENTS_BAD);
548
549 length_needed = 0;
550 break;
551 default:
552 length_needed = ciphertext->cd_length;
553 }
554
555 if (plaintext->cd_length < length_needed) {
556 plaintext->cd_length = length_needed;
557 return (CRYPTO_BUFFER_TOO_SMALL);
558 }
559
560 saved_offset = plaintext->cd_offset;
561 saved_length = plaintext->cd_length;
562
563 /*
564 * Do an update on the specified input data.
565 */
566 ret = aes_decrypt_update(ctx, ciphertext, plaintext, req);
567 if (ret != CRYPTO_SUCCESS) {
568 goto cleanup;
569 }
570
571 if (aes_ctx->ac_flags & CCM_MODE) {
572 ASSERT(aes_ctx->ac_processed_data_len == aes_ctx->ac_data_len);
573 ASSERT(aes_ctx->ac_processed_mac_len == aes_ctx->ac_mac_len);
574
575 /* order of following 2 lines MUST not be reversed */
576 plaintext->cd_offset = plaintext->cd_length;
577 plaintext->cd_length = saved_length - plaintext->cd_length;
578
579 ret = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, plaintext,
580 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
581 aes_xor_block);
582 if (ret == CRYPTO_SUCCESS) {
583 if (plaintext != ciphertext) {
584 plaintext->cd_length =
585 plaintext->cd_offset - saved_offset;
586 }
587 } else {
588 plaintext->cd_length = saved_length;
589 }
590
591 plaintext->cd_offset = saved_offset;
592 } else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
593 /* order of following 2 lines MUST not be reversed */
594 plaintext->cd_offset = plaintext->cd_length;
595 plaintext->cd_length = saved_length - plaintext->cd_length;
596
597 ret = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, plaintext,
598 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
599 if (ret == CRYPTO_SUCCESS) {
600 if (plaintext != ciphertext) {
601 plaintext->cd_length =
602 plaintext->cd_offset - saved_offset;
603 }
604 } else {
605 plaintext->cd_length = saved_length;
606 }
607
608 plaintext->cd_offset = saved_offset;
609 }
610
611 ASSERT(aes_ctx->ac_remainder_len == 0);
612
613 cleanup:
614 (void) aes_free_context(ctx);
615
616 return (ret);
617 }
618
619
620 /* ARGSUSED */
621 static int
aes_encrypt_update(crypto_ctx_t * ctx,crypto_data_t * plaintext,crypto_data_t * ciphertext,crypto_req_handle_t req)622 aes_encrypt_update(crypto_ctx_t *ctx, crypto_data_t *plaintext,
623 crypto_data_t *ciphertext, crypto_req_handle_t req)
624 {
625 off_t saved_offset;
626 size_t saved_length, out_len;
627 int ret = CRYPTO_SUCCESS;
628 aes_ctx_t *aes_ctx;
629
630 ASSERT(ctx->cc_provider_private != NULL);
631 aes_ctx = ctx->cc_provider_private;
632
633 ASSERT(ciphertext != NULL);
634
635 /* compute number of bytes that will hold the ciphertext */
636 out_len = aes_ctx->ac_remainder_len;
637 out_len += plaintext->cd_length;
638 out_len &= ~(AES_BLOCK_LEN - 1);
639
640 /* return length needed to store the output */
641 if (ciphertext->cd_length < out_len) {
642 ciphertext->cd_length = out_len;
643 return (CRYPTO_BUFFER_TOO_SMALL);
644 }
645
646 saved_offset = ciphertext->cd_offset;
647 saved_length = ciphertext->cd_length;
648
649 /*
650 * Do the AES update on the specified input data.
651 */
652 switch (plaintext->cd_format) {
653 case CRYPTO_DATA_RAW:
654 ret = crypto_update_iov(ctx->cc_provider_private,
655 plaintext, ciphertext, aes_encrypt_contiguous_blocks,
656 aes_copy_block64);
657 break;
658 case CRYPTO_DATA_UIO:
659 ret = crypto_update_uio(ctx->cc_provider_private,
660 plaintext, ciphertext, aes_encrypt_contiguous_blocks,
661 aes_copy_block64);
662 break;
663 default:
664 ret = CRYPTO_ARGUMENTS_BAD;
665 }
666
667 /*
668 * Since AES counter mode is a stream cipher, we call
669 * ctr_mode_final() to pick up any remaining bytes.
670 * It is an internal function that does not destroy
671 * the context like *normal* final routines.
672 */
673 if ((aes_ctx->ac_flags & CTR_MODE) && (aes_ctx->ac_remainder_len > 0)) {
674 ret = ctr_mode_final((ctr_ctx_t *)aes_ctx,
675 ciphertext, aes_encrypt_block);
676 }
677
678 if (ret == CRYPTO_SUCCESS) {
679 if (plaintext != ciphertext)
680 ciphertext->cd_length =
681 ciphertext->cd_offset - saved_offset;
682 } else {
683 ciphertext->cd_length = saved_length;
684 }
685 ciphertext->cd_offset = saved_offset;
686
687 return (ret);
688 }
689
690
691 static int
aes_decrypt_update(crypto_ctx_t * ctx,crypto_data_t * ciphertext,crypto_data_t * plaintext,crypto_req_handle_t req)692 aes_decrypt_update(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
693 crypto_data_t *plaintext, crypto_req_handle_t req)
694 {
695 off_t saved_offset;
696 size_t saved_length, out_len;
697 int ret = CRYPTO_SUCCESS;
698 aes_ctx_t *aes_ctx;
699
700 ASSERT(ctx->cc_provider_private != NULL);
701 aes_ctx = ctx->cc_provider_private;
702
703 ASSERT(plaintext != NULL);
704
705 /*
706 * Compute number of bytes that will hold the plaintext.
707 * This is not necessary for CCM, GCM, and GMAC since these
708 * mechanisms never return plaintext for update operations.
709 */
710 if ((aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) == 0) {
711 out_len = aes_ctx->ac_remainder_len;
712 out_len += ciphertext->cd_length;
713 out_len &= ~(AES_BLOCK_LEN - 1);
714
715 /* return length needed to store the output */
716 if (plaintext->cd_length < out_len) {
717 plaintext->cd_length = out_len;
718 return (CRYPTO_BUFFER_TOO_SMALL);
719 }
720 }
721
722 saved_offset = plaintext->cd_offset;
723 saved_length = plaintext->cd_length;
724
725 if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE))
726 gcm_set_kmflag((gcm_ctx_t *)aes_ctx, crypto_kmflag(req));
727
728 /*
729 * Do the AES update on the specified input data.
730 */
731 switch (ciphertext->cd_format) {
732 case CRYPTO_DATA_RAW:
733 ret = crypto_update_iov(ctx->cc_provider_private,
734 ciphertext, plaintext, aes_decrypt_contiguous_blocks,
735 aes_copy_block64);
736 break;
737 case CRYPTO_DATA_UIO:
738 ret = crypto_update_uio(ctx->cc_provider_private,
739 ciphertext, plaintext, aes_decrypt_contiguous_blocks,
740 aes_copy_block64);
741 break;
742 default:
743 ret = CRYPTO_ARGUMENTS_BAD;
744 }
745
746 /*
747 * Since AES counter mode is a stream cipher, we call
748 * ctr_mode_final() to pick up any remaining bytes.
749 * It is an internal function that does not destroy
750 * the context like *normal* final routines.
751 */
752 if ((aes_ctx->ac_flags & CTR_MODE) && (aes_ctx->ac_remainder_len > 0)) {
753 ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, plaintext,
754 aes_encrypt_block);
755 if (ret == CRYPTO_DATA_LEN_RANGE)
756 ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
757 }
758
759 if (ret == CRYPTO_SUCCESS) {
760 if (ciphertext != plaintext)
761 plaintext->cd_length =
762 plaintext->cd_offset - saved_offset;
763 } else {
764 plaintext->cd_length = saved_length;
765 }
766 plaintext->cd_offset = saved_offset;
767
768
769 return (ret);
770 }
771
772 /* ARGSUSED */
773 static int
aes_encrypt_final(crypto_ctx_t * ctx,crypto_data_t * data,crypto_req_handle_t req)774 aes_encrypt_final(crypto_ctx_t *ctx, crypto_data_t *data,
775 crypto_req_handle_t req)
776 {
777 aes_ctx_t *aes_ctx;
778 int ret;
779
780 ASSERT(ctx->cc_provider_private != NULL);
781 aes_ctx = ctx->cc_provider_private;
782
783 if (data->cd_format != CRYPTO_DATA_RAW &&
784 data->cd_format != CRYPTO_DATA_UIO) {
785 return (CRYPTO_ARGUMENTS_BAD);
786 }
787
788 if (aes_ctx->ac_flags & CTR_MODE) {
789 if (aes_ctx->ac_remainder_len > 0) {
790 ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, data,
791 aes_encrypt_block);
792 if (ret != CRYPTO_SUCCESS)
793 return (ret);
794 }
795 } else if (aes_ctx->ac_flags & CCM_MODE) {
796 ret = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, data,
797 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
798 if (ret != CRYPTO_SUCCESS) {
799 return (ret);
800 }
801 } else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
802 size_t saved_offset = data->cd_offset;
803
804 ret = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, data,
805 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
806 aes_xor_block);
807 if (ret != CRYPTO_SUCCESS) {
808 return (ret);
809 }
810 data->cd_length = data->cd_offset - saved_offset;
811 data->cd_offset = saved_offset;
812 } else {
813 /*
814 * There must be no unprocessed plaintext.
815 * This happens if the length of the last data is
816 * not a multiple of the AES block length.
817 */
818 if (aes_ctx->ac_remainder_len > 0) {
819 return (CRYPTO_DATA_LEN_RANGE);
820 }
821 data->cd_length = 0;
822 }
823
824 (void) aes_free_context(ctx);
825
826 return (CRYPTO_SUCCESS);
827 }
828
829 /* ARGSUSED */
830 static int
aes_decrypt_final(crypto_ctx_t * ctx,crypto_data_t * data,crypto_req_handle_t req)831 aes_decrypt_final(crypto_ctx_t *ctx, crypto_data_t *data,
832 crypto_req_handle_t req)
833 {
834 aes_ctx_t *aes_ctx;
835 int ret;
836 off_t saved_offset;
837 size_t saved_length;
838
839 ASSERT(ctx->cc_provider_private != NULL);
840 aes_ctx = ctx->cc_provider_private;
841
842 if (data->cd_format != CRYPTO_DATA_RAW &&
843 data->cd_format != CRYPTO_DATA_UIO) {
844 return (CRYPTO_ARGUMENTS_BAD);
845 }
846
847 /*
848 * There must be no unprocessed ciphertext.
849 * This happens if the length of the last ciphertext is
850 * not a multiple of the AES block length.
851 */
852 if (aes_ctx->ac_remainder_len > 0) {
853 if ((aes_ctx->ac_flags & CTR_MODE) == 0)
854 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
855 else {
856 ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, data,
857 aes_encrypt_block);
858 if (ret == CRYPTO_DATA_LEN_RANGE)
859 ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
860 if (ret != CRYPTO_SUCCESS)
861 return (ret);
862 }
863 }
864
865 if (aes_ctx->ac_flags & CCM_MODE) {
866 /*
867 * This is where all the plaintext is returned, make sure
868 * the plaintext buffer is big enough
869 */
870 size_t pt_len = aes_ctx->ac_data_len;
871 if (data->cd_length < pt_len) {
872 data->cd_length = pt_len;
873 return (CRYPTO_BUFFER_TOO_SMALL);
874 }
875
876 ASSERT(aes_ctx->ac_processed_data_len == pt_len);
877 ASSERT(aes_ctx->ac_processed_mac_len == aes_ctx->ac_mac_len);
878 saved_offset = data->cd_offset;
879 saved_length = data->cd_length;
880 ret = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, data,
881 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
882 aes_xor_block);
883 if (ret == CRYPTO_SUCCESS) {
884 data->cd_length = data->cd_offset - saved_offset;
885 } else {
886 data->cd_length = saved_length;
887 }
888
889 data->cd_offset = saved_offset;
890 if (ret != CRYPTO_SUCCESS) {
891 return (ret);
892 }
893 } else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
894 /*
895 * This is where all the plaintext is returned, make sure
896 * the plaintext buffer is big enough
897 */
898 gcm_ctx_t *ctx = (gcm_ctx_t *)aes_ctx;
899 size_t pt_len = ctx->gcm_processed_data_len - ctx->gcm_tag_len;
900
901 if (data->cd_length < pt_len) {
902 data->cd_length = pt_len;
903 return (CRYPTO_BUFFER_TOO_SMALL);
904 }
905
906 saved_offset = data->cd_offset;
907 saved_length = data->cd_length;
908 ret = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, data,
909 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
910 if (ret == CRYPTO_SUCCESS) {
911 data->cd_length = data->cd_offset - saved_offset;
912 } else {
913 data->cd_length = saved_length;
914 }
915
916 data->cd_offset = saved_offset;
917 if (ret != CRYPTO_SUCCESS) {
918 return (ret);
919 }
920 }
921
922
923 if ((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE)) == 0) {
924 data->cd_length = 0;
925 }
926
927 (void) aes_free_context(ctx);
928
929 return (CRYPTO_SUCCESS);
930 }
931
932 /* ARGSUSED */
933 static int
aes_encrypt_atomic(crypto_provider_handle_t provider,crypto_session_id_t session_id,crypto_mechanism_t * mechanism,crypto_key_t * key,crypto_data_t * plaintext,crypto_data_t * ciphertext,crypto_spi_ctx_template_t template,crypto_req_handle_t req)934 aes_encrypt_atomic(crypto_provider_handle_t provider,
935 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
936 crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext,
937 crypto_spi_ctx_template_t template, crypto_req_handle_t req)
938 {
939 aes_ctx_t aes_ctx; /* on the stack */
940 off_t saved_offset;
941 size_t saved_length;
942 size_t length_needed;
943 int ret;
944
945 ASSERT(ciphertext != NULL);
946
947 /*
948 * CTR, CCM, GCM, and GMAC modes do not require that plaintext
949 * be a multiple of AES block size.
950 */
951 switch (mechanism->cm_type) {
952 case AES_CTR_MECH_INFO_TYPE:
953 case AES_CCM_MECH_INFO_TYPE:
954 case AES_GCM_MECH_INFO_TYPE:
955 case AES_GMAC_MECH_INFO_TYPE:
956 break;
957 default:
958 if ((plaintext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
959 return (CRYPTO_DATA_LEN_RANGE);
960 }
961
962 if ((ret = aes_check_mech_param(mechanism, NULL, 0)) != CRYPTO_SUCCESS)
963 return (ret);
964
965 bzero(&aes_ctx, sizeof (aes_ctx_t));
966
967 ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key,
968 crypto_kmflag(req), B_TRUE);
969 if (ret != CRYPTO_SUCCESS)
970 return (ret);
971
972 switch (mechanism->cm_type) {
973 case AES_CCM_MECH_INFO_TYPE:
974 length_needed = plaintext->cd_length + aes_ctx.ac_mac_len;
975 break;
976 case AES_GMAC_MECH_INFO_TYPE:
977 if (plaintext->cd_length != 0)
978 return (CRYPTO_ARGUMENTS_BAD);
979 /* FALLTHRU */
980 case AES_GCM_MECH_INFO_TYPE:
981 length_needed = plaintext->cd_length + aes_ctx.ac_tag_len;
982 break;
983 default:
984 length_needed = plaintext->cd_length;
985 }
986
987 /* return size of buffer needed to store output */
988 if (ciphertext->cd_length < length_needed) {
989 ciphertext->cd_length = length_needed;
990 ret = CRYPTO_BUFFER_TOO_SMALL;
991 goto out;
992 }
993
994 saved_offset = ciphertext->cd_offset;
995 saved_length = ciphertext->cd_length;
996
997 /*
998 * Do an update on the specified input data.
999 */
1000 switch (plaintext->cd_format) {
1001 case CRYPTO_DATA_RAW:
1002 ret = crypto_update_iov(&aes_ctx, plaintext, ciphertext,
1003 aes_encrypt_contiguous_blocks, aes_copy_block64);
1004 break;
1005 case CRYPTO_DATA_UIO:
1006 ret = crypto_update_uio(&aes_ctx, plaintext, ciphertext,
1007 aes_encrypt_contiguous_blocks, aes_copy_block64);
1008 break;
1009 default:
1010 ret = CRYPTO_ARGUMENTS_BAD;
1011 }
1012
1013 if (ret == CRYPTO_SUCCESS) {
1014 if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) {
1015 ret = ccm_encrypt_final((ccm_ctx_t *)&aes_ctx,
1016 ciphertext, AES_BLOCK_LEN, aes_encrypt_block,
1017 aes_xor_block);
1018 if (ret != CRYPTO_SUCCESS)
1019 goto out;
1020 ASSERT(aes_ctx.ac_remainder_len == 0);
1021 } else if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE ||
1022 mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE) {
1023 ret = gcm_encrypt_final((gcm_ctx_t *)&aes_ctx,
1024 ciphertext, AES_BLOCK_LEN, aes_encrypt_block,
1025 aes_copy_block, aes_xor_block);
1026 if (ret != CRYPTO_SUCCESS)
1027 goto out;
1028 ASSERT(aes_ctx.ac_remainder_len == 0);
1029 } else if (mechanism->cm_type == AES_CTR_MECH_INFO_TYPE) {
1030 if (aes_ctx.ac_remainder_len > 0) {
1031 ret = ctr_mode_final((ctr_ctx_t *)&aes_ctx,
1032 ciphertext, aes_encrypt_block);
1033 if (ret != CRYPTO_SUCCESS)
1034 goto out;
1035 }
1036 } else {
1037 ASSERT(aes_ctx.ac_remainder_len == 0);
1038 }
1039
1040 if (plaintext != ciphertext) {
1041 ciphertext->cd_length =
1042 ciphertext->cd_offset - saved_offset;
1043 }
1044 } else {
1045 ciphertext->cd_length = saved_length;
1046 }
1047 ciphertext->cd_offset = saved_offset;
1048
1049 out:
1050 if (aes_ctx.ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1051 bzero(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1052 kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1053 }
1054 #ifdef CAN_USE_GCM_ASM
1055 if (aes_ctx.ac_flags & (GCM_MODE|GMAC_MODE) &&
1056 ((gcm_ctx_t *)&aes_ctx)->gcm_Htable != NULL) {
1057
1058 gcm_ctx_t *ctx = (gcm_ctx_t *)&aes_ctx;
1059
1060 bzero(ctx->gcm_Htable, ctx->gcm_htab_len);
1061 kmem_free(ctx->gcm_Htable, ctx->gcm_htab_len);
1062 }
1063 #endif
1064
1065 return (ret);
1066 }
1067
1068 /* ARGSUSED */
1069 static int
aes_decrypt_atomic(crypto_provider_handle_t provider,crypto_session_id_t session_id,crypto_mechanism_t * mechanism,crypto_key_t * key,crypto_data_t * ciphertext,crypto_data_t * plaintext,crypto_spi_ctx_template_t template,crypto_req_handle_t req)1070 aes_decrypt_atomic(crypto_provider_handle_t provider,
1071 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1072 crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
1073 crypto_spi_ctx_template_t template, crypto_req_handle_t req)
1074 {
1075 aes_ctx_t aes_ctx; /* on the stack */
1076 off_t saved_offset;
1077 size_t saved_length;
1078 size_t length_needed;
1079 int ret;
1080
1081 ASSERT(plaintext != NULL);
1082
1083 /*
1084 * CCM, GCM, CTR, and GMAC modes do not require that ciphertext
1085 * be a multiple of AES block size.
1086 */
1087 switch (mechanism->cm_type) {
1088 case AES_CTR_MECH_INFO_TYPE:
1089 case AES_CCM_MECH_INFO_TYPE:
1090 case AES_GCM_MECH_INFO_TYPE:
1091 case AES_GMAC_MECH_INFO_TYPE:
1092 break;
1093 default:
1094 if ((ciphertext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
1095 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
1096 }
1097
1098 if ((ret = aes_check_mech_param(mechanism, NULL, 0)) != CRYPTO_SUCCESS)
1099 return (ret);
1100
1101 bzero(&aes_ctx, sizeof (aes_ctx_t));
1102
1103 ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key,
1104 crypto_kmflag(req), B_FALSE);
1105 if (ret != CRYPTO_SUCCESS)
1106 return (ret);
1107
1108 switch (mechanism->cm_type) {
1109 case AES_CCM_MECH_INFO_TYPE:
1110 length_needed = aes_ctx.ac_data_len;
1111 break;
1112 case AES_GCM_MECH_INFO_TYPE:
1113 length_needed = ciphertext->cd_length - aes_ctx.ac_tag_len;
1114 break;
1115 case AES_GMAC_MECH_INFO_TYPE:
1116 if (plaintext->cd_length != 0)
1117 return (CRYPTO_ARGUMENTS_BAD);
1118 length_needed = 0;
1119 break;
1120 default:
1121 length_needed = ciphertext->cd_length;
1122 }
1123
1124 /* return size of buffer needed to store output */
1125 if (plaintext->cd_length < length_needed) {
1126 plaintext->cd_length = length_needed;
1127 ret = CRYPTO_BUFFER_TOO_SMALL;
1128 goto out;
1129 }
1130
1131 saved_offset = plaintext->cd_offset;
1132 saved_length = plaintext->cd_length;
1133
1134 if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE ||
1135 mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE)
1136 gcm_set_kmflag((gcm_ctx_t *)&aes_ctx, crypto_kmflag(req));
1137
1138 /*
1139 * Do an update on the specified input data.
1140 */
1141 switch (ciphertext->cd_format) {
1142 case CRYPTO_DATA_RAW:
1143 ret = crypto_update_iov(&aes_ctx, ciphertext, plaintext,
1144 aes_decrypt_contiguous_blocks, aes_copy_block64);
1145 break;
1146 case CRYPTO_DATA_UIO:
1147 ret = crypto_update_uio(&aes_ctx, ciphertext, plaintext,
1148 aes_decrypt_contiguous_blocks, aes_copy_block64);
1149 break;
1150 default:
1151 ret = CRYPTO_ARGUMENTS_BAD;
1152 }
1153
1154 if (ret == CRYPTO_SUCCESS) {
1155 if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) {
1156 ASSERT(aes_ctx.ac_processed_data_len
1157 == aes_ctx.ac_data_len);
1158 ASSERT(aes_ctx.ac_processed_mac_len
1159 == aes_ctx.ac_mac_len);
1160 ret = ccm_decrypt_final((ccm_ctx_t *)&aes_ctx,
1161 plaintext, AES_BLOCK_LEN, aes_encrypt_block,
1162 aes_copy_block, aes_xor_block);
1163 ASSERT(aes_ctx.ac_remainder_len == 0);
1164 if ((ret == CRYPTO_SUCCESS) &&
1165 (ciphertext != plaintext)) {
1166 plaintext->cd_length =
1167 plaintext->cd_offset - saved_offset;
1168 } else {
1169 plaintext->cd_length = saved_length;
1170 }
1171 } else if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE ||
1172 mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE) {
1173 ret = gcm_decrypt_final((gcm_ctx_t *)&aes_ctx,
1174 plaintext, AES_BLOCK_LEN, aes_encrypt_block,
1175 aes_xor_block);
1176 ASSERT(aes_ctx.ac_remainder_len == 0);
1177 if ((ret == CRYPTO_SUCCESS) &&
1178 (ciphertext != plaintext)) {
1179 plaintext->cd_length =
1180 plaintext->cd_offset - saved_offset;
1181 } else {
1182 plaintext->cd_length = saved_length;
1183 }
1184 } else if (mechanism->cm_type != AES_CTR_MECH_INFO_TYPE) {
1185 ASSERT(aes_ctx.ac_remainder_len == 0);
1186 if (ciphertext != plaintext)
1187 plaintext->cd_length =
1188 plaintext->cd_offset - saved_offset;
1189 } else {
1190 if (aes_ctx.ac_remainder_len > 0) {
1191 ret = ctr_mode_final((ctr_ctx_t *)&aes_ctx,
1192 plaintext, aes_encrypt_block);
1193 if (ret == CRYPTO_DATA_LEN_RANGE)
1194 ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
1195 if (ret != CRYPTO_SUCCESS)
1196 goto out;
1197 }
1198 if (ciphertext != plaintext)
1199 plaintext->cd_length =
1200 plaintext->cd_offset - saved_offset;
1201 }
1202 } else {
1203 plaintext->cd_length = saved_length;
1204 }
1205 plaintext->cd_offset = saved_offset;
1206
1207 out:
1208 if (aes_ctx.ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1209 bzero(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1210 kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1211 }
1212
1213 if (aes_ctx.ac_flags & CCM_MODE) {
1214 if (aes_ctx.ac_pt_buf != NULL) {
1215 vmem_free(aes_ctx.ac_pt_buf, aes_ctx.ac_data_len);
1216 }
1217 } else if (aes_ctx.ac_flags & (GCM_MODE|GMAC_MODE)) {
1218 if (((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf != NULL) {
1219 vmem_free(((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf,
1220 ((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf_len);
1221 }
1222 #ifdef CAN_USE_GCM_ASM
1223 if (((gcm_ctx_t *)&aes_ctx)->gcm_Htable != NULL) {
1224 gcm_ctx_t *ctx = (gcm_ctx_t *)&aes_ctx;
1225
1226 bzero(ctx->gcm_Htable, ctx->gcm_htab_len);
1227 kmem_free(ctx->gcm_Htable, ctx->gcm_htab_len);
1228 }
1229 #endif
1230 }
1231
1232 return (ret);
1233 }
1234
1235 /*
1236 * KCF software provider context template entry points.
1237 */
1238 /* ARGSUSED */
1239 static int
aes_create_ctx_template(crypto_provider_handle_t provider,crypto_mechanism_t * mechanism,crypto_key_t * key,crypto_spi_ctx_template_t * tmpl,size_t * tmpl_size,crypto_req_handle_t req)1240 aes_create_ctx_template(crypto_provider_handle_t provider,
1241 crypto_mechanism_t *mechanism, crypto_key_t *key,
1242 crypto_spi_ctx_template_t *tmpl, size_t *tmpl_size, crypto_req_handle_t req)
1243 {
1244 void *keysched;
1245 size_t size;
1246 int rv;
1247
1248 if (mechanism->cm_type != AES_ECB_MECH_INFO_TYPE &&
1249 mechanism->cm_type != AES_CBC_MECH_INFO_TYPE &&
1250 mechanism->cm_type != AES_CTR_MECH_INFO_TYPE &&
1251 mechanism->cm_type != AES_CCM_MECH_INFO_TYPE &&
1252 mechanism->cm_type != AES_GCM_MECH_INFO_TYPE &&
1253 mechanism->cm_type != AES_GMAC_MECH_INFO_TYPE)
1254 return (CRYPTO_MECHANISM_INVALID);
1255
1256 if ((keysched = aes_alloc_keysched(&size,
1257 crypto_kmflag(req))) == NULL) {
1258 return (CRYPTO_HOST_MEMORY);
1259 }
1260
1261 /*
1262 * Initialize key schedule. Key length information is stored
1263 * in the key.
1264 */
1265 if ((rv = init_keysched(key, keysched)) != CRYPTO_SUCCESS) {
1266 bzero(keysched, size);
1267 kmem_free(keysched, size);
1268 return (rv);
1269 }
1270
1271 *tmpl = keysched;
1272 *tmpl_size = size;
1273
1274 return (CRYPTO_SUCCESS);
1275 }
1276
1277
1278 static int
aes_free_context(crypto_ctx_t * ctx)1279 aes_free_context(crypto_ctx_t *ctx)
1280 {
1281 aes_ctx_t *aes_ctx = ctx->cc_provider_private;
1282
1283 if (aes_ctx != NULL) {
1284 if (aes_ctx->ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1285 ASSERT(aes_ctx->ac_keysched_len != 0);
1286 bzero(aes_ctx->ac_keysched, aes_ctx->ac_keysched_len);
1287 kmem_free(aes_ctx->ac_keysched,
1288 aes_ctx->ac_keysched_len);
1289 }
1290 crypto_free_mode_ctx(aes_ctx);
1291 ctx->cc_provider_private = NULL;
1292 }
1293
1294 return (CRYPTO_SUCCESS);
1295 }
1296
1297
1298 static int
aes_common_init_ctx(aes_ctx_t * aes_ctx,crypto_spi_ctx_template_t * template,crypto_mechanism_t * mechanism,crypto_key_t * key,int kmflag,boolean_t is_encrypt_init)1299 aes_common_init_ctx(aes_ctx_t *aes_ctx, crypto_spi_ctx_template_t *template,
1300 crypto_mechanism_t *mechanism, crypto_key_t *key, int kmflag,
1301 boolean_t is_encrypt_init)
1302 {
1303 int rv = CRYPTO_SUCCESS;
1304 void *keysched;
1305 size_t size = 0;
1306
1307 if (template == NULL) {
1308 if ((keysched = aes_alloc_keysched(&size, kmflag)) == NULL)
1309 return (CRYPTO_HOST_MEMORY);
1310 /*
1311 * Initialize key schedule.
1312 * Key length is stored in the key.
1313 */
1314 if ((rv = init_keysched(key, keysched)) != CRYPTO_SUCCESS) {
1315 kmem_free(keysched, size);
1316 return (rv);
1317 }
1318
1319 aes_ctx->ac_flags |= PROVIDER_OWNS_KEY_SCHEDULE;
1320 aes_ctx->ac_keysched_len = size;
1321 } else {
1322 keysched = template;
1323 }
1324 aes_ctx->ac_keysched = keysched;
1325
1326 switch (mechanism->cm_type) {
1327 case AES_CBC_MECH_INFO_TYPE:
1328 rv = cbc_init_ctx((cbc_ctx_t *)aes_ctx, mechanism->cm_param,
1329 mechanism->cm_param_len, AES_BLOCK_LEN, aes_copy_block64);
1330 break;
1331 case AES_CTR_MECH_INFO_TYPE: {
1332 CK_AES_CTR_PARAMS *pp;
1333
1334 if (mechanism->cm_param == NULL ||
1335 mechanism->cm_param_len != sizeof (CK_AES_CTR_PARAMS)) {
1336 return (CRYPTO_MECHANISM_PARAM_INVALID);
1337 }
1338 pp = (CK_AES_CTR_PARAMS *)(void *)mechanism->cm_param;
1339 rv = ctr_init_ctx((ctr_ctx_t *)aes_ctx, pp->ulCounterBits,
1340 pp->cb, aes_copy_block);
1341 break;
1342 }
1343 case AES_CCM_MECH_INFO_TYPE:
1344 if (mechanism->cm_param == NULL ||
1345 mechanism->cm_param_len != sizeof (CK_AES_CCM_PARAMS)) {
1346 return (CRYPTO_MECHANISM_PARAM_INVALID);
1347 }
1348 rv = ccm_init_ctx((ccm_ctx_t *)aes_ctx, mechanism->cm_param,
1349 kmflag, is_encrypt_init, AES_BLOCK_LEN, aes_encrypt_block,
1350 aes_xor_block);
1351 break;
1352 case AES_GCM_MECH_INFO_TYPE:
1353 if (mechanism->cm_param == NULL ||
1354 mechanism->cm_param_len != sizeof (CK_AES_GCM_PARAMS)) {
1355 return (CRYPTO_MECHANISM_PARAM_INVALID);
1356 }
1357 rv = gcm_init_ctx((gcm_ctx_t *)aes_ctx, mechanism->cm_param,
1358 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
1359 aes_xor_block);
1360 break;
1361 case AES_GMAC_MECH_INFO_TYPE:
1362 if (mechanism->cm_param == NULL ||
1363 mechanism->cm_param_len != sizeof (CK_AES_GMAC_PARAMS)) {
1364 return (CRYPTO_MECHANISM_PARAM_INVALID);
1365 }
1366 rv = gmac_init_ctx((gcm_ctx_t *)aes_ctx, mechanism->cm_param,
1367 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
1368 aes_xor_block);
1369 break;
1370 case AES_ECB_MECH_INFO_TYPE:
1371 aes_ctx->ac_flags |= ECB_MODE;
1372 }
1373
1374 if (rv != CRYPTO_SUCCESS) {
1375 if (aes_ctx->ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1376 bzero(keysched, size);
1377 kmem_free(keysched, size);
1378 }
1379 }
1380
1381 return (rv);
1382 }
1383
1384 static int
process_gmac_mech(crypto_mechanism_t * mech,crypto_data_t * data,CK_AES_GCM_PARAMS * gcm_params)1385 process_gmac_mech(crypto_mechanism_t *mech, crypto_data_t *data,
1386 CK_AES_GCM_PARAMS *gcm_params)
1387 {
1388 /* LINTED: pointer alignment */
1389 CK_AES_GMAC_PARAMS *params = (CK_AES_GMAC_PARAMS *)mech->cm_param;
1390
1391 if (mech->cm_type != AES_GMAC_MECH_INFO_TYPE)
1392 return (CRYPTO_MECHANISM_INVALID);
1393
1394 if (mech->cm_param_len != sizeof (CK_AES_GMAC_PARAMS))
1395 return (CRYPTO_MECHANISM_PARAM_INVALID);
1396
1397 if (params->pIv == NULL)
1398 return (CRYPTO_MECHANISM_PARAM_INVALID);
1399
1400 gcm_params->pIv = params->pIv;
1401 gcm_params->ulIvLen = AES_GMAC_IV_LEN;
1402 gcm_params->ulTagBits = AES_GMAC_TAG_BITS;
1403
1404 if (data == NULL)
1405 return (CRYPTO_SUCCESS);
1406
1407 if (data->cd_format != CRYPTO_DATA_RAW)
1408 return (CRYPTO_ARGUMENTS_BAD);
1409
1410 gcm_params->pAAD = (uchar_t *)data->cd_raw.iov_base;
1411 gcm_params->ulAADLen = data->cd_length;
1412 return (CRYPTO_SUCCESS);
1413 }
1414
1415 static int
aes_mac_atomic(crypto_provider_handle_t provider,crypto_session_id_t session_id,crypto_mechanism_t * mechanism,crypto_key_t * key,crypto_data_t * data,crypto_data_t * mac,crypto_spi_ctx_template_t template,crypto_req_handle_t req)1416 aes_mac_atomic(crypto_provider_handle_t provider,
1417 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1418 crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1419 crypto_spi_ctx_template_t template, crypto_req_handle_t req)
1420 {
1421 CK_AES_GCM_PARAMS gcm_params;
1422 crypto_mechanism_t gcm_mech;
1423 int rv;
1424
1425 if ((rv = process_gmac_mech(mechanism, data, &gcm_params))
1426 != CRYPTO_SUCCESS)
1427 return (rv);
1428
1429 gcm_mech.cm_type = AES_GCM_MECH_INFO_TYPE;
1430 gcm_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS);
1431 gcm_mech.cm_param = (char *)&gcm_params;
1432
1433 return (aes_encrypt_atomic(provider, session_id, &gcm_mech,
1434 key, &null_crypto_data, mac, template, req));
1435 }
1436
1437 static int
aes_mac_verify_atomic(crypto_provider_handle_t provider,crypto_session_id_t session_id,crypto_mechanism_t * mechanism,crypto_key_t * key,crypto_data_t * data,crypto_data_t * mac,crypto_spi_ctx_template_t template,crypto_req_handle_t req)1438 aes_mac_verify_atomic(crypto_provider_handle_t provider,
1439 crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1440 crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1441 crypto_spi_ctx_template_t template, crypto_req_handle_t req)
1442 {
1443 CK_AES_GCM_PARAMS gcm_params;
1444 crypto_mechanism_t gcm_mech;
1445 int rv;
1446
1447 if ((rv = process_gmac_mech(mechanism, data, &gcm_params))
1448 != CRYPTO_SUCCESS)
1449 return (rv);
1450
1451 gcm_mech.cm_type = AES_GCM_MECH_INFO_TYPE;
1452 gcm_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS);
1453 gcm_mech.cm_param = (char *)&gcm_params;
1454
1455 return (aes_decrypt_atomic(provider, session_id, &gcm_mech,
1456 key, mac, &null_crypto_data, template, req));
1457 }
1458