xref: /onnv-gate/usr/src/uts/common/crypto/io/aes.c (revision 10732:498ac26a63d5)
/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*
 * AES provider for the Kernel Cryptographic Framework (KCF)
 */
290Sstevel@tonic-gate 
300Sstevel@tonic-gate #include <sys/types.h>
310Sstevel@tonic-gate #include <sys/systm.h>
320Sstevel@tonic-gate #include <sys/modctl.h>
330Sstevel@tonic-gate #include <sys/cmn_err.h>
340Sstevel@tonic-gate #include <sys/ddi.h>
350Sstevel@tonic-gate #include <sys/crypto/common.h>
367188Smcpowers #include <sys/crypto/impl.h>
370Sstevel@tonic-gate #include <sys/crypto/spi.h>
380Sstevel@tonic-gate #include <sys/sysmacros.h>
390Sstevel@tonic-gate #include <sys/strsun.h>
407188Smcpowers #include <modes/modes.h>
4110500SHai-May.Chao@Sun.COM #define	_AES_FIPS_POST
4210500SHai-May.Chao@Sun.COM #define	_AES_IMPL
437188Smcpowers #include <aes/aes_impl.h>
440Sstevel@tonic-gate 
extern struct mod_ops mod_cryptoops;

/*
 * Module linkage information for the kernel.
 */
/* Crypto-module record: the mod_cryptoops vector and the module's name. */
static struct modlcrypto modlcrypto = {
	&mod_cryptoops,
	"AES Kernel SW Provider"
};

/*
 * Linkage structure passed to mod_install(), mod_remove() and mod_info()
 * below, and referenced from aes_prov_info.  The trailing NULL presumably
 * terminates the list of linkage records.
 */
static struct modlinkage modlinkage = {
	MODREV_1,
	(void *)&modlcrypto,
	NULL
};
600Sstevel@tonic-gate 
/*
 * The following definitions are to keep EXPORT_SRC happy.
 *
 * NOTE(review): these fallbacks only take effect when the included headers
 * do not define the macros.  In that case every entry of aes_mech_info_tab
 * advertises a key-size range of 0..0 bytes; the length check that gates
 * key use in this file is the AES_MINBITS/AES_MAXBITS test in
 * init_keysched().
 */
#ifndef AES_MIN_KEY_BYTES
#define	AES_MIN_KEY_BYTES		0
#endif

#ifndef AES_MAX_KEY_BYTES
#define	AES_MAX_KEY_BYTES		0
#endif
710Sstevel@tonic-gate 
/*
 * Mechanism info structure passed to KCF during registration.
 *
 * Each entry is a positional initializer; going by the values used, the
 * fields are: mechanism name, mechanism type id, function-group mask,
 * minimum key size, maximum key size, key-size unit.  All six mechanisms
 * advertise the encrypt/decrypt groups (single-part and atomic); only GMAC
 * additionally advertises MAC, sign and verify.
 */
static crypto_mech_info_t aes_mech_info_tab[] = {
	/*
	 * AES_ECB
	 * NOTE(review): ECB takes no IV and maps equal plaintext blocks to
	 * equal ciphertext blocks; consumers choosing a mechanism should
	 * treat it as a building block, not a general-purpose mode.
	 */
	{SUN_CKM_AES_ECB, AES_ECB_MECH_INFO_TYPE,
	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
	/* AES_CBC */
	{SUN_CKM_AES_CBC, AES_CBC_MECH_INFO_TYPE,
	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
	/* AES_CTR */
	{SUN_CKM_AES_CTR, AES_CTR_MECH_INFO_TYPE,
	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
	/* AES_CCM */
	{SUN_CKM_AES_CCM, AES_CCM_MECH_INFO_TYPE,
	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
	/* AES_GCM */
	{SUN_CKM_AES_GCM, AES_GCM_MECH_INFO_TYPE,
	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
	/* AES_GMAC: the only entry that also registers MAC/sign/verify */
	{SUN_CKM_AES_GMAC, AES_GMAC_MECH_INFO_TYPE,
	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC |
	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES}
};
1100Sstevel@tonic-gate 
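/*
 * Operations are in-place if the output buffer is NULL: in that case the
 * output pointer is redirected to the input.
 *
 * Wrapped in do { } while (0) so the macro expands to exactly one statement.
 * The bare "if (...) ...;" form silently captures a following "else" and
 * leaves a stray empty statement after the caller's own semicolon.  Call
 * sites must end with a semicolon, as the visible ones do.
 */
#define	AES_ARG_INPLACE(input, output)				\
	do {							\
		if ((output) == NULL)				\
			(output) = (input);			\
	} while (0)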
1150Sstevel@tonic-gate 
static void aes_provider_status(crypto_provider_handle_t, uint_t *);

/* Control operations: only the provider-status callback is supplied. */
static crypto_control_ops_t aes_control_ops = {
	aes_provider_status
};

static int aes_encrypt_init(crypto_ctx_t *, crypto_mechanism_t *,
    crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
static int aes_decrypt_init(crypto_ctx_t *, crypto_mechanism_t *,
    crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
static int aes_common_init(crypto_ctx_t *, crypto_mechanism_t *,
    crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t, boolean_t);
static int aes_common_init_ctx(aes_ctx_t *, crypto_spi_ctx_template_t *,
    crypto_mechanism_t *, crypto_key_t *, int, boolean_t);
static int aes_encrypt_final(crypto_ctx_t *, crypto_data_t *,
    crypto_req_handle_t);
static int aes_decrypt_final(crypto_ctx_t *, crypto_data_t *,
    crypto_req_handle_t);

static int aes_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
    crypto_req_handle_t);
static int aes_encrypt_update(crypto_ctx_t *, crypto_data_t *,
    crypto_data_t *, crypto_req_handle_t);
static int aes_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
    crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);

static int aes_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
    crypto_req_handle_t);
static int aes_decrypt_update(crypto_ctx_t *, crypto_data_t *,
    crypto_data_t *, crypto_req_handle_t);
static int aes_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
    crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);

/*
 * Cipher operations, positional: the five encrypt entry points (init,
 * single-part, update, final, atomic) followed by the matching five decrypt
 * entry points.
 */
static crypto_cipher_ops_t aes_cipher_ops = {
	aes_encrypt_init,
	aes_encrypt,
	aes_encrypt_update,
	aes_encrypt_final,
	aes_encrypt_atomic,
	aes_decrypt_init,
	aes_decrypt,
	aes_decrypt_update,
	aes_decrypt_final,
	aes_decrypt_atomic
};

static int aes_mac_atomic(crypto_provider_handle_t, crypto_session_id_t,
    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
    crypto_spi_ctx_template_t, crypto_req_handle_t);
static int aes_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
    crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
    crypto_spi_ctx_template_t, crypto_req_handle_t);

/*
 * MAC operations: the first four slots are left NULL and only the two
 * atomic entry points are supplied.  In aes_mech_info_tab, GMAC is the only
 * mechanism that advertises the MAC function groups.
 */
static crypto_mac_ops_t aes_mac_ops = {
	NULL,
	NULL,
	NULL,
	NULL,
	aes_mac_atomic,
	aes_mac_verify_atomic
};

static int aes_create_ctx_template(crypto_provider_handle_t,
    crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *,
    size_t *, crypto_req_handle_t);
static int aes_free_context(crypto_ctx_t *);

/* Context operations: template creation and context release. */
static crypto_ctx_ops_t aes_ctx_ops = {
	aes_create_ctx_template,
	aes_free_context
};

static void aes_POST(int *);

/*
 * FIPS 140 operations: a single callback, aes_POST (presumably the
 * power-on self-test; its body is outside this view).
 */
static crypto_fips140_ops_t aes_fips140_ops = {
	aes_POST
};

/*
 * Top-level operations vector handed to KCF through aes_prov_info.  The
 * initializer is positional; NULL slots are operation groups for which this
 * provider supplies no vector.
 */
static crypto_ops_t aes_crypto_ops = {
	&aes_control_ops,
	NULL,
	&aes_cipher_ops,
	&aes_mac_ops,
	NULL,
	NULL,
	NULL,
	NULL,
	NULL,
	NULL,
	NULL,
	NULL,
	NULL,
	&aes_ctx_ops,
	NULL,
	NULL,
	&aes_fips140_ops
};

/*
 * Provider description passed to crypto_register_provider() in _init().
 * The mechanism count is derived from the size of aes_mech_info_tab, so
 * adding a table entry needs no change here.
 */
static crypto_provider_info_t aes_prov_info = {
	CRYPTO_SPI_VERSION_4,
	"AES Software Provider",
	CRYPTO_SW_PROVIDER,
	{&modlinkage},
	NULL,
	&aes_crypto_ops,
	sizeof (aes_mech_info_tab)/sizeof (crypto_mech_info_t),
	aes_mech_info_tab
};

/* Filled in by crypto_register_provider() in _init(); reset in _fini(). */
static crypto_kcf_provider_handle_t aes_prov_handle = NULL;
/*
 * Only the first member is initialized (to CRYPTO_DATA_RAW); the remaining
 * members of this static object are zero.  Its users are outside this view.
 */
static crypto_data_t null_crypto_data = { CRYPTO_DATA_RAW };
2290Sstevel@tonic-gate 
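/*
 * Module load entry point.
 *
 * Registers the AES provider with KCF and then installs the module.
 * Returns EACCES if registration fails, otherwise the result of
 * mod_install().  If mod_install() fails, the provider is unregistered
 * again before returning; the unregister is retried every 10 seconds for as
 * long as it reports CRYPTO_BUSY.  Any other unregister result ends the
 * loop and is not reported.
 */
int
_init(void)
{
	int ret;

	/*
	 * Register with KCF. If the registration fails, return error.
	 */
	if ((ret = crypto_register_provider(&aes_prov_info,
	    &aes_prov_handle)) != CRYPTO_SUCCESS) {
		/*
		 * The two adjacent literals used to concatenate to
		 * "crypto_register_provider()failed"; keep a space between
		 * them so the warning matches the _fini wording.
		 */
		cmn_err(CE_WARN, "%s _init: crypto_register_provider() "
		    "failed (0x%x)", CRYPTO_PROVIDER_NAME, ret);
		return (EACCES);
	}

	if ((ret = mod_install(&modlinkage)) != 0) {
		int rv;

		ASSERT(aes_prov_handle != NULL);
		/* We should not return if the unregister returns busy. */
		while ((rv = crypto_unregister_provider(aes_prov_handle))
		    == CRYPTO_BUSY) {
			cmn_err(CE_WARN,
			    "%s _init: crypto_unregister_provider() "
			    "failed (0x%x). Retrying.",
			    CRYPTO_PROVIDER_NAME, rv);
			/* wait 10 seconds and try again. */
			delay(10 * drv_usectohz(1000000));
		}
	}

	return (ret);
}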
2630Sstevel@tonic-gate 
/*
 * Module unload entry point.
 *
 * Unregisters the provider from KCF when a registration handle is held,
 * then removes the module.  Returns EBUSY, leaving the module loaded and
 * the handle intact, if KCF refuses the unregister; otherwise returns the
 * result of mod_remove().
 */
int
_fini(void)
{
	/* No handle means there is no registration to undo. */
	if (aes_prov_handle != NULL) {
		int ret = crypto_unregister_provider(aes_prov_handle);

		if (ret != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN,
			    "%s _fini: crypto_unregister_provider() "
			    "failed (0x%x)", CRYPTO_PROVIDER_NAME, ret);
			return (EBUSY);
		}

		/* Clear the handle so a later call skips the unregister. */
		aes_prov_handle = NULL;
	}

	return (mod_remove(&modlinkage));
}
2850Sstevel@tonic-gate 
/*
 * Module information entry point: forwards to mod_info() with this
 * module's linkage structure and returns its result unchanged.
 */
int
_info(struct modinfo *modinfop)
{
	int rv = mod_info(&modlinkage, modinfop);

	return (rv);
}
2910Sstevel@tonic-gate 
2920Sstevel@tonic-gate 
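/*
 * Validate a mechanism's type and parameter length and, when ctx is
 * non-NULL, allocate the mode context that matches the mechanism.
 *
 * mechanism	mechanism to check; cm_type selects the mode
 * ctx		if non-NULL, receives the newly allocated mode context on
 *		success and NULL on any failure
 * kmflag	allocation flag passed through to the mode allocator
 *
 * Returns CRYPTO_SUCCESS, CRYPTO_MECHANISM_INVALID for an unknown
 * mechanism type, CRYPTO_MECHANISM_PARAM_INVALID for a parameter of the
 * wrong length, or CRYPTO_HOST_MEMORY if the allocator returns NULL.
 *
 * The context is allocated only after validation succeeds.  Previously an
 * unknown mechanism type reached the allocation with alloc_fun (and
 * param_len) uninitialized, and a bad parameter length still allocated a
 * context that the visible caller, aes_common_init(), never released.
 *
 * NOTE(review): a NULL cm_param passes this check even for modes that take
 * a parameter; confirm aes_common_init_ctx() rejects it where required.
 */
static int
aes_check_mech_param(crypto_mechanism_t *mechanism, aes_ctx_t **ctx, int kmflag)
{
	void *p = NULL;
	boolean_t param_required = B_TRUE;
	size_t param_len = 0;
	void *(*alloc_fun)(int) = NULL;
	int rv = CRYPTO_SUCCESS;

	switch (mechanism->cm_type) {
	case AES_ECB_MECH_INFO_TYPE:
		param_required = B_FALSE;
		alloc_fun = ecb_alloc_ctx;
		break;
	case AES_CBC_MECH_INFO_TYPE:
		param_len = AES_BLOCK_LEN;
		alloc_fun = cbc_alloc_ctx;
		break;
	case AES_CTR_MECH_INFO_TYPE:
		param_len = sizeof (CK_AES_CTR_PARAMS);
		alloc_fun = ctr_alloc_ctx;
		break;
	case AES_CCM_MECH_INFO_TYPE:
		param_len = sizeof (CK_AES_CCM_PARAMS);
		alloc_fun = ccm_alloc_ctx;
		break;
	case AES_GCM_MECH_INFO_TYPE:
		param_len = sizeof (CK_AES_GCM_PARAMS);
		alloc_fun = gcm_alloc_ctx;
		break;
	case AES_GMAC_MECH_INFO_TYPE:
		param_len = sizeof (CK_AES_GMAC_PARAMS);
		alloc_fun = gmac_alloc_ctx;
		break;
	default:
		rv = CRYPTO_MECHANISM_INVALID;
		break;
	}

	/* Only a known mechanism has a meaningful param_len to compare. */
	if (rv == CRYPTO_SUCCESS && param_required &&
	    mechanism->cm_param != NULL &&
	    mechanism->cm_param_len != param_len) {
		rv = CRYPTO_MECHANISM_PARAM_INVALID;
	}

	if (ctx != NULL) {
		if (rv == CRYPTO_SUCCESS) {
			p = (alloc_fun)(kmflag);
			/*
			 * The allocator takes a kmflag, so a NULL return is
			 * treated as an allocation failure rather than being
			 * handed back as a usable context.
			 */
			if (p == NULL)
				rv = CRYPTO_HOST_MEMORY;
		}
		*ctx = p;
	}
	return (rv);
}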
340991Smcpowers 
/* EXPORT DELETE START */

/*
 * Initialize key schedules for AES
 *
 * Checks the key format and length, then expands the key into the schedule
 * buffer at newbie via aes_init_keysched().
 *
 * Returns CRYPTO_KEY_TYPE_INCONSISTENT for any format other than
 * CRYPTO_KEY_RAW, CRYPTO_KEY_SIZE_RANGE for an unsupported length, and
 * CRYPTO_SUCCESS otherwise.  key->ck_data and newbie are passed on without
 * a NULL check.
 */
static int
init_keysched(crypto_key_t *key, void *newbie)
{
	/*
	 * Only keys by value are supported by this module.
	 */
	if (key->ck_format != CRYPTO_KEY_RAW)
		return (CRYPTO_KEY_TYPE_INCONSISTENT);

	/*
	 * The length must lie within AES_MINBITS..AES_MAXBITS and be a
	 * multiple of 64, i.e. key length must be either 128, 192, or 256.
	 */
	if (key->ck_length < AES_MINBITS || key->ck_length > AES_MAXBITS ||
	    (key->ck_length & 63) != 0)
		return (CRYPTO_KEY_SIZE_RANGE);

	aes_init_keysched(key->ck_data, key->ck_length, newbie);
	return (CRYPTO_SUCCESS);
}

/* EXPORT DELETE END */
3720Sstevel@tonic-gate 
/*
 * KCF software provider control entry points.
 */

/*
 * Status callback from aes_control_ops: unconditionally stores
 * CRYPTO_PROVIDER_READY in *status.  The provider handle is not consulted.
 */
/* ARGSUSED */
static void
aes_provider_status(crypto_provider_handle_t provider, uint_t *status)
{
	*status = CRYPTO_PROVIDER_READY;
}
3820Sstevel@tonic-gate 
/*
 * Encrypt-init entry point: delegates to aes_common_init() with
 * is_encrypt_init set to B_TRUE and returns its result.
 */
static int
aes_encrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_spi_ctx_template_t template,
    crypto_req_handle_t req)
{
	int rv;

	rv = aes_common_init(ctx, mechanism, key, template, req, B_TRUE);
	return (rv);
}
3894486Sktung 
/*
 * Decrypt-init entry point: delegates to aes_common_init() with
 * is_encrypt_init set to B_FALSE and returns its result.
 */
static int
aes_decrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_spi_ctx_template_t template,
    crypto_req_handle_t req)
{
	int rv;

	rv = aes_common_init(ctx, mechanism, key, template, req, B_FALSE);
	return (rv);
}
3964486Sktung 
3974486Sktung 
3984486Sktung 
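/*
 * KCF software provider encrypt entry points.
 */

/*
 * Shared body of aes_encrypt_init() and aes_decrypt_init().
 *
 * Rejects keys that are not passed by value, validates the mechanism and
 * allocates the mode context through aes_check_mech_param(), initializes
 * the context with aes_common_init_ctx(), and on success stores it in
 * ctx->cc_provider_private.
 *
 * Returns CRYPTO_SUCCESS, CRYPTO_KEY_TYPE_INCONSISTENT,
 * CRYPTO_HOST_MEMORY when no context could be allocated, or the error
 * from either helper.  No context is left allocated on an error return.
 */
static int
aes_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_spi_ctx_template_t template,
    crypto_req_handle_t req, boolean_t is_encrypt_init)
{

/* EXPORT DELETE START */

	aes_ctx_t *aes_ctx = NULL;
	int rv;
	int kmflag;

	/*
	 * Only keys by value are supported by this module.
	 */
	if (key->ck_format != CRYPTO_KEY_RAW) {
		return (CRYPTO_KEY_TYPE_INCONSISTENT);
	}

	kmflag = crypto_kmflag(req);
	rv = aes_check_mech_param(mechanism, &aes_ctx, kmflag);
	if (rv != CRYPTO_SUCCESS) {
		/*
		 * The check can fail after it has already allocated a
		 * context; release it here instead of dropping the pointer.
		 */
		if (aes_ctx != NULL)
			crypto_free_mode_ctx(aes_ctx);
		return (rv);
	}

	/*
	 * The allocator is given a kmflag, so guard against a NULL context
	 * before it is handed to aes_common_init_ctx().
	 */
	if (aes_ctx == NULL)
		return (CRYPTO_HOST_MEMORY);

	rv = aes_common_init_ctx(aes_ctx, template, mechanism, key, kmflag,
	    is_encrypt_init);
	if (rv != CRYPTO_SUCCESS) {
		crypto_free_mode_ctx(aes_ctx);
		return (rv);
	}

	ctx->cc_provider_private = aes_ctx;

/* EXPORT DELETE END */

	return (CRYPTO_SUCCESS);
}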
4390Sstevel@tonic-gate 
/*
 * Copy one 16-byte block from in to the two 64-bit words at out.
 *
 * When in is 8-byte aligned the block is moved as two uint64_t loads;
 * otherwise the copy goes through AES_COPY_BLOCK (defined outside this
 * view) with out addressed as bytes.
 */
static void
aes_copy_block64(uint8_t *in, uint64_t *out)
{
	if (!IS_P2ALIGNED(in, sizeof (uint64_t))) {
		uint8_t *out8 = (uint8_t *)&out[0];

		AES_COPY_BLOCK(in, out8);
		return;
	}

	/* LINTED: pointer alignment */
	out[0] = *(uint64_t *)&in[0];
	/* LINTED: pointer alignment */
	out[1] = *(uint64_t *)&in[8];
}
4540Sstevel@tonic-gate 
4559392Sopensolaris@drydog.com 
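/*
 * Single-part encrypt entry point.
 *
 * ctx		operation context; cc_provider_private holds the aes_ctx_t
 * plaintext	input data
 * ciphertext	output descriptor, or NULL to encrypt in place
 * req		request handle, passed through to aes_encrypt_update()
 *
 * For CCM and GCM the output is the ciphertext followed by the MAC/tag;
 * for GMAC the plaintext must be empty and the output is the tag alone.
 *
 * Returns CRYPTO_DATA_LEN_RANGE when a mode that needs whole blocks is
 * given a partial block, CRYPTO_ARGUMENTS_BAD for GMAC with non-empty
 * plaintext, CRYPTO_BUFFER_TOO_SMALL (with ciphertext->cd_length set to
 * the size needed) when the output does not fit, or the result of the
 * update/final helpers.  The context is freed here only on success.
 *
 * NOTE(review): error returns leave the context allocated; presumably the
 * framework releases it - confirm against the KCF caller.
 */
static int
aes_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext,
    crypto_data_t *ciphertext, crypto_req_handle_t req)
{
	int ret = CRYPTO_FAILED;

/* EXPORT DELETE START */

	aes_ctx_t *aes_ctx;
	size_t saved_length, saved_offset, length_needed;

	ASSERT(ctx->cc_provider_private != NULL);
	aes_ctx = ctx->cc_provider_private;

	/*
	 * For block ciphers, plaintext must be a multiple of AES block size.
	 * This test is only valid for ciphers whose blocksize is a power of 2.
	 */
	if (((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE))
	    == 0) && (plaintext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
		return (CRYPTO_DATA_LEN_RANGE);

	AES_ARG_INPLACE(plaintext, ciphertext);

	/*
	 * We need to just return the length needed to store the output.
	 * We should not destroy the context for the following case.
	 */
	switch (aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) {
	case CCM_MODE:
		length_needed = plaintext->cd_length + aes_ctx->ac_mac_len;
		break;
	case GCM_MODE:
		length_needed = plaintext->cd_length + aes_ctx->ac_tag_len;
		break;
	case GMAC_MODE:
		if (plaintext->cd_length != 0)
			return (CRYPTO_ARGUMENTS_BAD);

		length_needed = aes_ctx->ac_tag_len;
		break;
	default:
		length_needed = plaintext->cd_length;
	}

	if (ciphertext->cd_length < length_needed) {
		ciphertext->cd_length = length_needed;
		return (CRYPTO_BUFFER_TOO_SMALL);
	}

	saved_length = ciphertext->cd_length;
	saved_offset = ciphertext->cd_offset;

	/*
	 * Do an update on the specified input data.
	 */
	ret = aes_encrypt_update(ctx, plaintext, ciphertext, req);
	if (ret != CRYPTO_SUCCESS) {
		return (ret);
	}

	/*
	 * For CCM mode, aes_ccm_encrypt_final() will take care of any
	 * left-over unprocessed data, and compute the MAC
	 */
	if (aes_ctx->ac_flags & CCM_MODE) {
		/*
		 * ccm_encrypt_final() will compute the MAC and append
		 * it to existing ciphertext. So, need to adjust the left over
		 * length value accordingly
		 */

		/* order of following 2 lines MUST not be reversed */
		ciphertext->cd_offset = ciphertext->cd_length;
		ciphertext->cd_length = saved_length - ciphertext->cd_length;
		ret = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, ciphertext,
		    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
		if (ret != CRYPTO_SUCCESS) {
			/*
			 * Hand the caller's descriptor back as it was
			 * received, as aes_decrypt() does on failure,
			 * rather than leaving it aimed at the MAC region.
			 */
			ciphertext->cd_length = saved_length;
			ciphertext->cd_offset = saved_offset;
			return (ret);
		}

		if (plaintext != ciphertext) {
			ciphertext->cd_length =
			    ciphertext->cd_offset - saved_offset;
		}
		ciphertext->cd_offset = saved_offset;
	} else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
		/*
		 * gcm_encrypt_final() will compute the MAC and append
		 * it to existing ciphertext. So, need to adjust the left over
		 * length value accordingly
		 */

		/* order of following 2 lines MUST not be reversed */
		ciphertext->cd_offset = ciphertext->cd_length;
		ciphertext->cd_length = saved_length - ciphertext->cd_length;
		ret = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, ciphertext,
		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
		    aes_xor_block);
		if (ret != CRYPTO_SUCCESS) {
			/* Same restore as the CCM branch above. */
			ciphertext->cd_length = saved_length;
			ciphertext->cd_offset = saved_offset;
			return (ret);
		}

		if (plaintext != ciphertext) {
			ciphertext->cd_length =
			    ciphertext->cd_offset - saved_offset;
		}
		ciphertext->cd_offset = saved_offset;
	}

	ASSERT(aes_ctx->ac_remainder_len == 0);
	(void) aes_free_context(ctx);

/* EXPORT DELETE END */

	return (ret);
}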
5730Sstevel@tonic-gate 
5749392Sopensolaris@drydog.com 
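/*
 * Single-part decrypt entry point.
 *
 * ctx		operation context; cc_provider_private holds the aes_ctx_t
 * ciphertext	input data (for CCM/GCM/GMAC this includes the MAC/tag)
 * plaintext	output descriptor, or NULL to decrypt in place
 * req		request handle, passed through to aes_decrypt_update()
 *
 * Returns CRYPTO_ENCRYPTED_DATA_LEN_RANGE when a mode that needs whole
 * blocks is given a partial block or a GCM input is shorter than the tag,
 * CRYPTO_ARGUMENTS_BAD for GMAC with a non-empty plaintext descriptor,
 * CRYPTO_BUFFER_TOO_SMALL (with plaintext->cd_length set to the size
 * needed) when the output does not fit, or the result of the update/final
 * helpers.  The context is freed once the update has been attempted,
 * whether or not it and the final step succeed; the early argument and
 * buffer-size returns leave it in place.
 *
 * NOTE(review): callers must treat the plaintext buffer as invalid unless
 * CRYPTO_SUCCESS is returned; whether any unauthenticated plaintext is
 * written before the CCM/GCM final check depends on the update/final
 * helpers, which are outside this view.
 */
static int
aes_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
    crypto_data_t *plaintext, crypto_req_handle_t req)
{
	int ret = CRYPTO_FAILED;

/* EXPORT DELETE START */

	aes_ctx_t *aes_ctx;
	off_t saved_offset;
	size_t saved_length, length_needed;

	ASSERT(ctx->cc_provider_private != NULL);
	aes_ctx = ctx->cc_provider_private;

	/*
	 * For block ciphers, ciphertext must be a multiple of AES block size.
	 * This test is only valid for ciphers whose blocksize is a power of 2.
	 */
	if (((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE))
	    == 0) && (ciphertext->cd_length & (AES_BLOCK_LEN - 1)) != 0) {
		return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
	}

	AES_ARG_INPLACE(ciphertext, plaintext);

	/*
	 * Return length needed to store the output.
	 * Do not destroy context when plaintext buffer is too small.
	 *
	 * CCM:  plaintext is MAC len smaller than cipher text
	 * GCM:  plaintext is TAG len smaller than cipher text
	 * GMAC: plaintext length must be zero
	 */
	switch (aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) {
	case CCM_MODE:
		length_needed = aes_ctx->ac_processed_data_len;
		break;
	case GCM_MODE:
		/*
		 * An input shorter than the tag cannot be valid.  Without
		 * this check the unsigned subtraction below wraps to a huge
		 * value, which is then written into plaintext->cd_length
		 * and reported as CRYPTO_BUFFER_TOO_SMALL.
		 */
		if (ciphertext->cd_length < aes_ctx->ac_tag_len)
			return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);

		length_needed = ciphertext->cd_length - aes_ctx->ac_tag_len;
		break;
	case GMAC_MODE:
		if (plaintext->cd_length != 0)
			return (CRYPTO_ARGUMENTS_BAD);

		length_needed = 0;
		break;
	default:
		length_needed = ciphertext->cd_length;
	}

	if (plaintext->cd_length < length_needed) {
		plaintext->cd_length = length_needed;
		return (CRYPTO_BUFFER_TOO_SMALL);
	}

	saved_offset = plaintext->cd_offset;
	saved_length = plaintext->cd_length;

	/*
	 * Do an update on the specified input data.
	 */
	ret = aes_decrypt_update(ctx, ciphertext, plaintext, req);
	if (ret != CRYPTO_SUCCESS) {
		goto cleanup;
	}

	if (aes_ctx->ac_flags & CCM_MODE) {
		ASSERT(aes_ctx->ac_processed_data_len == aes_ctx->ac_data_len);
		ASSERT(aes_ctx->ac_processed_mac_len == aes_ctx->ac_mac_len);

		/* order of following 2 lines MUST not be reversed */
		plaintext->cd_offset = plaintext->cd_length;
		plaintext->cd_length = saved_length - plaintext->cd_length;

		ret = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, plaintext,
		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
		    aes_xor_block);
		if (ret == CRYPTO_SUCCESS) {
			if (plaintext != ciphertext) {
				plaintext->cd_length =
				    plaintext->cd_offset - saved_offset;
			}
		} else {
			/* final failed: give the caller its length back */
			plaintext->cd_length = saved_length;
		}

		plaintext->cd_offset = saved_offset;
	} else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
		/* order of following 2 lines MUST not be reversed */
		plaintext->cd_offset = plaintext->cd_length;
		plaintext->cd_length = saved_length - plaintext->cd_length;

		ret = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, plaintext,
		    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
		if (ret == CRYPTO_SUCCESS) {
			if (plaintext != ciphertext) {
				plaintext->cd_length =
				    plaintext->cd_offset - saved_offset;
			}
		} else {
			/* final failed: give the caller its length back */
			plaintext->cd_length = saved_length;
		}

		plaintext->cd_offset = saved_offset;
	}

	ASSERT(aes_ctx->ac_remainder_len == 0);

cleanup:
	(void) aes_free_context(ctx);

/* EXPORT DELETE END */

	return (ret);
}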
6910Sstevel@tonic-gate 
6929392Sopensolaris@drydog.com 
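/*
 * Encrypt one chunk of a multi-part AES operation.
 *
 * ctx->cc_provider_private must hold the aes_ctx_t for this operation.
 * The size check counts whole AES blocks only: the bytes left over from
 * earlier calls (ac_remainder_len) plus plaintext->cd_length, rounded
 * down to a multiple of AES_BLOCK_LEN.  If ciphertext->cd_length is
 * smaller, it is set to that size and CRYPTO_BUFFER_TOO_SMALL is
 * returned before any data is processed.
 *
 * On success with distinct buffers, ciphertext->cd_length is set to the
 * number of bytes produced (the distance cd_offset advanced).  On
 * failure it is restored to the caller's value.  ciphertext->cd_offset
 * is always restored.  An unknown plaintext->cd_format yields
 * CRYPTO_ARGUMENTS_BAD.
 */
/* ARGSUSED */
static int
aes_encrypt_update(crypto_ctx_t *ctx, crypto_data_t *plaintext,
    crypto_data_t *ciphertext, crypto_req_handle_t req)
{
	off_t saved_offset;
	size_t saved_length, out_len;
	int ret = CRYPTO_SUCCESS;
	aes_ctx_t *aes_ctx;

	ASSERT(ctx->cc_provider_private != NULL);
	aes_ctx = ctx->cc_provider_private;

	/*
	 * AES_ARG_INPLACE is defined elsewhere in this file; presumably it
	 * makes ciphertext alias plaintext for in-place requests -- confirm.
	 */
	AES_ARG_INPLACE(plaintext, ciphertext);

	/* compute number of bytes that will hold the ciphertext */
	out_len = aes_ctx->ac_remainder_len;
	out_len += plaintext->cd_length;
	out_len &= ~(AES_BLOCK_LEN - 1);

	/*
	 * NOTE(review): out_len counts whole blocks only, but in CTR mode
	 * the tail is also written by ctr_mode_final() below.  Confirm that
	 * routine checks the space left in ciphertext itself.
	 */

	/* return length needed to store the output */
	if (ciphertext->cd_length < out_len) {
		ciphertext->cd_length = out_len;
		return (CRYPTO_BUFFER_TOO_SMALL);
	}

	saved_offset = ciphertext->cd_offset;
	saved_length = ciphertext->cd_length;

	/*
	 * Do the AES update on the specified input data.
	 */
	switch (plaintext->cd_format) {
	case CRYPTO_DATA_RAW:
		ret = crypto_update_iov(ctx->cc_provider_private,
		    plaintext, ciphertext, aes_encrypt_contiguous_blocks,
		    aes_copy_block64);
		break;
	case CRYPTO_DATA_UIO:
		ret = crypto_update_uio(ctx->cc_provider_private,
		    plaintext, ciphertext, aes_encrypt_contiguous_blocks,
		    aes_copy_block64);
		break;
	case CRYPTO_DATA_MBLK:
		ret = crypto_update_mp(ctx->cc_provider_private,
		    plaintext, ciphertext, aes_encrypt_contiguous_blocks,
		    aes_copy_block64);
		break;
	default:
		ret = CRYPTO_ARGUMENTS_BAD;
	}

	/*
	 * Since AES counter mode is a stream cipher, we call
	 * ctr_mode_final() to pick up any remaining bytes.
	 * It is an internal function that does not destroy
	 * the context like *normal* final routines.
	 *
	 * Only do so when the update itself succeeded: calling it after
	 * a failure would overwrite ret and could report success for an
	 * operation that did not complete.
	 */
	if (ret == CRYPTO_SUCCESS && (aes_ctx->ac_flags & CTR_MODE) &&
	    (aes_ctx->ac_remainder_len > 0)) {
		ret = ctr_mode_final((ctr_ctx_t *)aes_ctx,
		    ciphertext, aes_encrypt_block);
	}

	if (ret == CRYPTO_SUCCESS) {
		if (plaintext != ciphertext)
			ciphertext->cd_length =
			    ciphertext->cd_offset - saved_offset;
	} else {
		ciphertext->cd_length = saved_length;
	}
	ciphertext->cd_offset = saved_offset;

	return (ret);
}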
7670Sstevel@tonic-gate 
7689392Sopensolaris@drydog.com 
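/*
 * Decrypt one chunk of a multi-part AES operation.
 *
 * ctx->cc_provider_private must hold the aes_ctx_t for this operation.
 * For modes other than CCM, GCM and GMAC, the plaintext buffer must
 * hold the whole blocks available (ac_remainder_len plus
 * ciphertext->cd_length, rounded down to a multiple of AES_BLOCK_LEN).
 * If it is smaller, plaintext->cd_length is set to that size and
 * CRYPTO_BUFFER_TOO_SMALL is returned before any data is processed.
 *
 * On success with distinct buffers, plaintext->cd_length is set to the
 * number of bytes produced.  On failure it is restored to the caller's
 * value.  plaintext->cd_offset is always restored.  An unknown
 * ciphertext->cd_format yields CRYPTO_ARGUMENTS_BAD.
 */
static int
aes_decrypt_update(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
    crypto_data_t *plaintext, crypto_req_handle_t req)
{
	off_t saved_offset;
	size_t saved_length, out_len;
	int ret = CRYPTO_SUCCESS;
	aes_ctx_t *aes_ctx;

	ASSERT(ctx->cc_provider_private != NULL);
	aes_ctx = ctx->cc_provider_private;

	/*
	 * AES_ARG_INPLACE is defined elsewhere in this file; presumably it
	 * makes plaintext alias ciphertext for in-place requests -- confirm.
	 */
	AES_ARG_INPLACE(ciphertext, plaintext);

	/*
	 * Compute number of bytes that will hold the plaintext.
	 * This is not necessary for CCM, GCM, and GMAC since these
	 * mechanisms never return plaintext for update operations.
	 */
	if ((aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) == 0) {
		out_len = aes_ctx->ac_remainder_len;
		out_len += ciphertext->cd_length;
		out_len &= ~(AES_BLOCK_LEN - 1);

		/* return length needed to store the output */
		if (plaintext->cd_length < out_len) {
			plaintext->cd_length = out_len;
			return (CRYPTO_BUFFER_TOO_SMALL);
		}
	}

	saved_offset = plaintext->cd_offset;
	saved_length = plaintext->cd_length;

	/* hand the request's allocation flag to the GCM context */
	if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE))
		gcm_set_kmflag((gcm_ctx_t *)aes_ctx, crypto_kmflag(req));

	/*
	 * Do the AES update on the specified input data.
	 */
	switch (ciphertext->cd_format) {
	case CRYPTO_DATA_RAW:
		ret = crypto_update_iov(ctx->cc_provider_private,
		    ciphertext, plaintext, aes_decrypt_contiguous_blocks,
		    aes_copy_block64);
		break;
	case CRYPTO_DATA_UIO:
		ret = crypto_update_uio(ctx->cc_provider_private,
		    ciphertext, plaintext, aes_decrypt_contiguous_blocks,
		    aes_copy_block64);
		break;
	case CRYPTO_DATA_MBLK:
		ret = crypto_update_mp(ctx->cc_provider_private,
		    ciphertext, plaintext, aes_decrypt_contiguous_blocks,
		    aes_copy_block64);
		break;
	default:
		ret = CRYPTO_ARGUMENTS_BAD;
	}

	/*
	 * Since AES counter mode is a stream cipher, we call
	 * ctr_mode_final() to pick up any remaining bytes.
	 * It is an internal function that does not destroy
	 * the context like *normal* final routines.
	 *
	 * Only do so when the update itself succeeded: calling it after
	 * a failure would overwrite ret and could report success for an
	 * operation that did not complete.
	 */
	if (ret == CRYPTO_SUCCESS && (aes_ctx->ac_flags & CTR_MODE) &&
	    (aes_ctx->ac_remainder_len > 0)) {
		ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, plaintext,
		    aes_encrypt_block);
		/* report the length error in decrypt terms */
		if (ret == CRYPTO_DATA_LEN_RANGE)
			ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
	}

	if (ret == CRYPTO_SUCCESS) {
		if (ciphertext != plaintext)
			plaintext->cd_length =
			    plaintext->cd_offset - saved_offset;
	} else {
		plaintext->cd_length = saved_length;
	}
	plaintext->cd_offset = saved_offset;


	return (ret);
}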
8540Sstevel@tonic-gate 
/*
 * Finish a multi-part AES encryption.
 *
 * data receives whatever the mode still has to emit.  CTR flushes any
 * buffered partial block, while CCM and GCM/GMAC run their mode-specific
 * final routine.  For every other mode nothing is emitted
 * (data->cd_length is set to 0) and leftover input is an error.
 *
 * Returns CRYPTO_ARGUMENTS_BAD for an unknown data->cd_format,
 * CRYPTO_DATA_LEN_RANGE when a block mode still has unprocessed input,
 * or the error from the mode's final routine.  Every failure returns
 * before aes_free_context(), so the context is released on success only.
 */
/* ARGSUSED */
static int
aes_encrypt_final(crypto_ctx_t *ctx, crypto_data_t *data,
    crypto_req_handle_t req)
{

/* EXPORT DELETE START */

	aes_ctx_t *aes_ctx;
	int ret = CRYPTO_SUCCESS;

	ASSERT(ctx->cc_provider_private != NULL);
	aes_ctx = ctx->cc_provider_private;

	/* only the three known data layouts are accepted */
	switch (data->cd_format) {
	case CRYPTO_DATA_RAW:
	case CRYPTO_DATA_UIO:
	case CRYPTO_DATA_MBLK:
		break;
	default:
		return (CRYPTO_ARGUMENTS_BAD);
	}

	if (aes_ctx->ac_flags & CTR_MODE) {
		/* stream mode: emit the buffered tail, if there is one */
		if (aes_ctx->ac_remainder_len > 0) {
			ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, data,
			    aes_encrypt_block);
		}
	} else if (aes_ctx->ac_flags & CCM_MODE) {
		ret = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, data,
		    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
	} else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
		size_t start = data->cd_offset;

		ret = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, data,
		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
		    aes_xor_block);
		if (ret == CRYPTO_SUCCESS) {
			/* report bytes written, then rewind the offset */
			data->cd_length = data->cd_offset - start;
			data->cd_offset = start;
		}
	} else if (aes_ctx->ac_remainder_len > 0) {
		/*
		 * There must be no unprocessed plaintext.
		 * This happens if the length of the last data is
		 * not a multiple of the AES block length.
		 */
		ret = CRYPTO_DATA_LEN_RANGE;
	} else {
		data->cd_length = 0;
	}

	if (ret != CRYPTO_SUCCESS)
		return (ret);

	(void) aes_free_context(ctx);

/* EXPORT DELETE END */

	return (CRYPTO_SUCCESS);
}
9170Sstevel@tonic-gate 
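/*
 * Finish a multi-part AES decryption.
 *
 * For CCM and GCM/GMAC this is where all the plaintext is returned, so
 * data must be large enough for it.  If it is not, data->cd_length is
 * set to the size needed and CRYPTO_BUFFER_TOO_SMALL is returned.  CTR
 * flushes any buffered partial block.  For the remaining modes nothing
 * is returned (data->cd_length is set to 0) and leftover ciphertext is
 * an error.
 *
 * Returns CRYPTO_ARGUMENTS_BAD for an unknown data->cd_format,
 * CRYPTO_ENCRYPTED_DATA_LEN_RANGE for leftover or too-short ciphertext,
 * or the error from the mode's final routine.  Every failure returns
 * before aes_free_context(), so the context is released on success only.
 */
/* ARGSUSED */
static int
aes_decrypt_final(crypto_ctx_t *ctx, crypto_data_t *data,
    crypto_req_handle_t req)
{

/* EXPORT DELETE START */

	aes_ctx_t *aes_ctx;
	int ret;
	off_t saved_offset;
	size_t saved_length;

	ASSERT(ctx->cc_provider_private != NULL);
	aes_ctx = ctx->cc_provider_private;

	if (data->cd_format != CRYPTO_DATA_RAW &&
	    data->cd_format != CRYPTO_DATA_UIO &&
	    data->cd_format != CRYPTO_DATA_MBLK) {
		return (CRYPTO_ARGUMENTS_BAD);
	}

	/*
	 * There must be no unprocessed ciphertext.
	 * This happens if the length of the last ciphertext is
	 * not a multiple of the AES block length.
	 */
	if (aes_ctx->ac_remainder_len > 0) {
		if ((aes_ctx->ac_flags & CTR_MODE) == 0)
			return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
		else {
			ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, data,
			    aes_encrypt_block);
			/* report the length error in decrypt terms */
			if (ret == CRYPTO_DATA_LEN_RANGE)
				ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
			if (ret != CRYPTO_SUCCESS)
				return (ret);
		}
	}

	if (aes_ctx->ac_flags & CCM_MODE) {
		/*
		 * This is where all the plaintext is returned, make sure
		 * the plaintext buffer is big enough
		 */
		size_t pt_len = aes_ctx->ac_data_len;
		if (data->cd_length < pt_len) {
			data->cd_length = pt_len;
			return (CRYPTO_BUFFER_TOO_SMALL);
		}

		ASSERT(aes_ctx->ac_processed_data_len == pt_len);
		ASSERT(aes_ctx->ac_processed_mac_len == aes_ctx->ac_mac_len);
		saved_offset = data->cd_offset;
		saved_length = data->cd_length;
		ret = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, data,
		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
		    aes_xor_block);
		if (ret == CRYPTO_SUCCESS) {
			data->cd_length = data->cd_offset - saved_offset;
		} else {
			data->cd_length = saved_length;
		}

		data->cd_offset = saved_offset;
		if (ret != CRYPTO_SUCCESS) {
			return (ret);
		}
	} else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
		/*
		 * This is where all the plaintext is returned, make sure
		 * the plaintext buffer is big enough
		 */
		/* named gcm_ctx so it does not shadow the ctx parameter */
		gcm_ctx_t *gcm_ctx = (gcm_ctx_t *)aes_ctx;
		size_t pt_len;

		/*
		 * Input shorter than the tag cannot be a valid message.
		 * Reject it here: the unsigned subtraction below would
		 * wrap and report a huge "needed" length to the caller.
		 */
		if (gcm_ctx->gcm_processed_data_len < gcm_ctx->gcm_tag_len)
			return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);

		pt_len = gcm_ctx->gcm_processed_data_len -
		    gcm_ctx->gcm_tag_len;

		if (data->cd_length < pt_len) {
			data->cd_length = pt_len;
			return (CRYPTO_BUFFER_TOO_SMALL);
		}

		saved_offset = data->cd_offset;
		saved_length = data->cd_length;
		ret = gcm_decrypt_final(gcm_ctx, data,
		    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
		if (ret == CRYPTO_SUCCESS) {
			data->cd_length = data->cd_offset - saved_offset;
		} else {
			data->cd_length = saved_length;
		}

		data->cd_offset = saved_offset;
		if (ret != CRYPTO_SUCCESS) {
			return (ret);
		}
	}


	/* modes with no work to do in final return no data */
	if ((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE)) == 0) {
		data->cd_length = 0;
	}

	(void) aes_free_context(ctx);

/* EXPORT DELETE END */

	return (CRYPTO_SUCCESS);
}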
10260Sstevel@tonic-gate 
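/*
 * Single-call AES encryption using a context built on the stack.
 *
 * The mechanism parameter is checked, the context is initialised from
 * template/mechanism/key, the input is processed according to
 * plaintext->cd_format, and the mode's final step is run (CCM and
 * GCM/GMAC final routine, or the CTR tail flush).
 *
 * The output must hold the plaintext length plus, for CCM, ac_mac_len
 * or, for GCM/GMAC, ac_tag_len.  If it cannot, ciphertext->cd_length is
 * set to the size needed and CRYPTO_BUFFER_TOO_SMALL is returned.  GMAC
 * accepts no plaintext (CRYPTO_ARGUMENTS_BAD otherwise).  Mechanisms
 * other than CTR, CCM, GCM and GMAC require a plaintext length that is
 * a multiple of AES_BLOCK_LEN (CRYPTO_DATA_LEN_RANGE otherwise).
 *
 * Once the context is initialised, every exit goes through "out" so
 * that a key schedule owned by this provider is zeroed and freed.
 */
/* ARGSUSED */
static int
aes_encrypt_atomic(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext,
    crypto_spi_ctx_template_t template, crypto_req_handle_t req)
{
	aes_ctx_t aes_ctx;	/* on the stack */
	off_t saved_offset;
	size_t saved_length;
	size_t length_needed;
	int ret;

	AES_ARG_INPLACE(plaintext, ciphertext);

	/*
	 * CTR, CCM, GCM, and GMAC modes do not require that plaintext
	 * be a multiple of AES block size.
	 */
	switch (mechanism->cm_type) {
	case AES_CTR_MECH_INFO_TYPE:
	case AES_CCM_MECH_INFO_TYPE:
	case AES_GCM_MECH_INFO_TYPE:
	case AES_GMAC_MECH_INFO_TYPE:
		break;
	default:
		if ((plaintext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
			return (CRYPTO_DATA_LEN_RANGE);
	}

	if ((ret = aes_check_mech_param(mechanism, NULL, 0)) != CRYPTO_SUCCESS)
		return (ret);

	bzero(&aes_ctx, sizeof (aes_ctx_t));

	ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key,
	    crypto_kmflag(req), B_TRUE);
	if (ret != CRYPTO_SUCCESS)
		return (ret);

	/*
	 * The context is live from here on: leave through "out" only,
	 * never by a bare return, or the key schedule is leaked unzeroed.
	 */
	switch (mechanism->cm_type) {
	case AES_CCM_MECH_INFO_TYPE:
		length_needed = plaintext->cd_length + aes_ctx.ac_mac_len;
		break;
	case AES_GMAC_MECH_INFO_TYPE:
		if (plaintext->cd_length != 0) {
			ret = CRYPTO_ARGUMENTS_BAD;
			goto out;
		}
		/* FALLTHRU */
	case AES_GCM_MECH_INFO_TYPE:
		length_needed = plaintext->cd_length + aes_ctx.ac_tag_len;
		break;
	default:
		length_needed = plaintext->cd_length;
	}

	/* return size of buffer needed to store output */
	if (ciphertext->cd_length < length_needed) {
		ciphertext->cd_length = length_needed;
		ret = CRYPTO_BUFFER_TOO_SMALL;
		goto out;
	}

	saved_offset = ciphertext->cd_offset;
	saved_length = ciphertext->cd_length;

	/*
	 * Do an update on the specified input data.
	 */
	switch (plaintext->cd_format) {
	case CRYPTO_DATA_RAW:
		ret = crypto_update_iov(&aes_ctx, plaintext, ciphertext,
		    aes_encrypt_contiguous_blocks, aes_copy_block64);
		break;
	case CRYPTO_DATA_UIO:
		ret = crypto_update_uio(&aes_ctx, plaintext, ciphertext,
		    aes_encrypt_contiguous_blocks, aes_copy_block64);
		break;
	case CRYPTO_DATA_MBLK:
		ret = crypto_update_mp(&aes_ctx, plaintext, ciphertext,
		    aes_encrypt_contiguous_blocks, aes_copy_block64);
		break;
	default:
		ret = CRYPTO_ARGUMENTS_BAD;
	}

	if (ret == CRYPTO_SUCCESS) {
		if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) {
			ret = ccm_encrypt_final((ccm_ctx_t *)&aes_ctx,
			    ciphertext, AES_BLOCK_LEN, aes_encrypt_block,
			    aes_xor_block);
			if (ret != CRYPTO_SUCCESS)
				goto out;
			ASSERT(aes_ctx.ac_remainder_len == 0);
		} else if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE ||
		    mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE) {
			ret = gcm_encrypt_final((gcm_ctx_t *)&aes_ctx,
			    ciphertext, AES_BLOCK_LEN, aes_encrypt_block,
			    aes_copy_block, aes_xor_block);
			if (ret != CRYPTO_SUCCESS)
				goto out;
			ASSERT(aes_ctx.ac_remainder_len == 0);
		} else if (mechanism->cm_type == AES_CTR_MECH_INFO_TYPE) {
			/* stream mode: emit the buffered tail, if any */
			if (aes_ctx.ac_remainder_len > 0) {
				ret = ctr_mode_final((ctr_ctx_t *)&aes_ctx,
				    ciphertext, aes_encrypt_block);
				if (ret != CRYPTO_SUCCESS)
					goto out;
			}
		} else {
			ASSERT(aes_ctx.ac_remainder_len == 0);
		}

		if (plaintext != ciphertext) {
			ciphertext->cd_length =
			    ciphertext->cd_offset - saved_offset;
		}
	} else {
		ciphertext->cd_length = saved_length;
	}
	ciphertext->cd_offset = saved_offset;

out:
	/* wipe the expanded key before its memory is returned */
	if (aes_ctx.ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
		bzero(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
		kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
	}

	return (ret);
}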
11560Sstevel@tonic-gate 
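/*
 * Single-call AES decryption using a context built on the stack.
 *
 * The mechanism parameter is checked, the context is initialised from
 * template/mechanism/key, the input is processed according to
 * ciphertext->cd_format, and the mode's final step is run (CCM and
 * GCM/GMAC final routine, or the CTR tail flush).
 *
 * The output must hold ac_data_len bytes for CCM, the ciphertext length
 * minus ac_tag_len for GCM, nothing for GMAC, and the ciphertext length
 * otherwise.  If it cannot, plaintext->cd_length is set to the size
 * needed and CRYPTO_BUFFER_TOO_SMALL is returned.
 *
 * CRYPTO_ENCRYPTED_DATA_LEN_RANGE is returned when a block mechanism
 * gets a ciphertext length that is not a multiple of AES_BLOCK_LEN, or
 * when GCM ciphertext is shorter than the tag.
 *
 * Once the context is initialised, every exit goes through "out" so
 * that the key schedule and any staged plaintext buffer are wiped and
 * freed.
 */
/* ARGSUSED */
static int
aes_decrypt_atomic(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
    crypto_spi_ctx_template_t template, crypto_req_handle_t req)
{
	aes_ctx_t aes_ctx;	/* on the stack */
	off_t saved_offset;
	size_t saved_length;
	size_t length_needed;
	int ret;

	AES_ARG_INPLACE(ciphertext, plaintext);

	/*
	 * CCM, GCM, CTR, and GMAC modes do not require that ciphertext
	 * be a multiple of AES block size.
	 */
	switch (mechanism->cm_type) {
	case AES_CTR_MECH_INFO_TYPE:
	case AES_CCM_MECH_INFO_TYPE:
	case AES_GCM_MECH_INFO_TYPE:
	case AES_GMAC_MECH_INFO_TYPE:
		break;
	default:
		if ((ciphertext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
			return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
	}

	if ((ret = aes_check_mech_param(mechanism, NULL, 0)) != CRYPTO_SUCCESS)
		return (ret);

	bzero(&aes_ctx, sizeof (aes_ctx_t));

	ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key,
	    crypto_kmflag(req), B_FALSE);
	if (ret != CRYPTO_SUCCESS)
		return (ret);

	/*
	 * The context is live from here on: leave through "out" only,
	 * never by a bare return, or the key schedule is leaked unzeroed.
	 */
	switch (mechanism->cm_type) {
	case AES_CCM_MECH_INFO_TYPE:
		length_needed = aes_ctx.ac_data_len;
		break;
	case AES_GCM_MECH_INFO_TYPE:
		/*
		 * Ciphertext shorter than the tag cannot be valid.
		 * Reject it here: the unsigned subtraction would wrap
		 * and report a huge "needed" length to the caller.
		 */
		if (ciphertext->cd_length < aes_ctx.ac_tag_len) {
			ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
			goto out;
		}
		length_needed = ciphertext->cd_length - aes_ctx.ac_tag_len;
		break;
	case AES_GMAC_MECH_INFO_TYPE:
		if (plaintext->cd_length != 0) {
			ret = CRYPTO_ARGUMENTS_BAD;
			goto out;
		}
		length_needed = 0;
		break;
	default:
		length_needed = ciphertext->cd_length;
	}

	/* return size of buffer needed to store output */
	if (plaintext->cd_length < length_needed) {
		plaintext->cd_length = length_needed;
		ret = CRYPTO_BUFFER_TOO_SMALL;
		goto out;
	}

	saved_offset = plaintext->cd_offset;
	saved_length = plaintext->cd_length;

	/* hand the request's allocation flag to the GCM context */
	if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE ||
	    mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE)
		gcm_set_kmflag((gcm_ctx_t *)&aes_ctx, crypto_kmflag(req));

	/*
	 * Do an update on the specified input data.
	 */
	switch (ciphertext->cd_format) {
	case CRYPTO_DATA_RAW:
		ret = crypto_update_iov(&aes_ctx, ciphertext, plaintext,
		    aes_decrypt_contiguous_blocks, aes_copy_block64);
		break;
	case CRYPTO_DATA_UIO:
		ret = crypto_update_uio(&aes_ctx, ciphertext, plaintext,
		    aes_decrypt_contiguous_blocks, aes_copy_block64);
		break;
	case CRYPTO_DATA_MBLK:
		ret = crypto_update_mp(&aes_ctx, ciphertext, plaintext,
		    aes_decrypt_contiguous_blocks, aes_copy_block64);
		break;
	default:
		ret = CRYPTO_ARGUMENTS_BAD;
	}

	if (ret == CRYPTO_SUCCESS) {
		if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) {
			ASSERT(aes_ctx.ac_processed_data_len
			    == aes_ctx.ac_data_len);
			ASSERT(aes_ctx.ac_processed_mac_len
			    == aes_ctx.ac_mac_len);
			ret = ccm_decrypt_final((ccm_ctx_t *)&aes_ctx,
			    plaintext, AES_BLOCK_LEN, aes_encrypt_block,
			    aes_copy_block, aes_xor_block);
			ASSERT(aes_ctx.ac_remainder_len == 0);
			if ((ret == CRYPTO_SUCCESS) &&
			    (ciphertext != plaintext)) {
				plaintext->cd_length =
				    plaintext->cd_offset - saved_offset;
			} else {
				plaintext->cd_length = saved_length;
			}
		} else if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE ||
		    mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE) {
			ret = gcm_decrypt_final((gcm_ctx_t *)&aes_ctx,
			    plaintext, AES_BLOCK_LEN, aes_encrypt_block,
			    aes_xor_block);
			ASSERT(aes_ctx.ac_remainder_len == 0);
			if ((ret == CRYPTO_SUCCESS) &&
			    (ciphertext != plaintext)) {
				plaintext->cd_length =
				    plaintext->cd_offset - saved_offset;
			} else {
				plaintext->cd_length = saved_length;
			}
		} else if (mechanism->cm_type != AES_CTR_MECH_INFO_TYPE) {
			ASSERT(aes_ctx.ac_remainder_len == 0);
			if (ciphertext != plaintext)
				plaintext->cd_length =
				    plaintext->cd_offset - saved_offset;
		} else {
			/* stream mode: emit the buffered tail, if any */
			if (aes_ctx.ac_remainder_len > 0) {
				ret = ctr_mode_final((ctr_ctx_t *)&aes_ctx,
				    plaintext, aes_encrypt_block);
				if (ret == CRYPTO_DATA_LEN_RANGE)
					ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
				if (ret != CRYPTO_SUCCESS)
					goto out;
			}
			if (ciphertext != plaintext)
				plaintext->cd_length =
				    plaintext->cd_offset - saved_offset;
		}
	} else {
		plaintext->cd_length = saved_length;
	}
	plaintext->cd_offset = saved_offset;

out:
	/* wipe the expanded key before its memory is returned */
	if (aes_ctx.ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
		bzero(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
		kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
	}

	/*
	 * ac_pt_buf / gcm_pt_buf presumably stage plaintext until the
	 * MAC or tag has been checked -- confirm against the mode code.
	 * Clear them before release so that data does not linger in
	 * freed kernel memory.
	 */
	if (aes_ctx.ac_flags & CCM_MODE) {
		if (aes_ctx.ac_pt_buf != NULL) {
			bzero(aes_ctx.ac_pt_buf, aes_ctx.ac_data_len);
			kmem_free(aes_ctx.ac_pt_buf, aes_ctx.ac_data_len);
		}
	} else if (aes_ctx.ac_flags & (GCM_MODE|GMAC_MODE)) {
		gcm_ctx_t *gcm_ctx = (gcm_ctx_t *)&aes_ctx;

		if (gcm_ctx->gcm_pt_buf != NULL) {
			bzero(gcm_ctx->gcm_pt_buf, gcm_ctx->gcm_pt_buf_len);
			kmem_free(gcm_ctx->gcm_pt_buf,
			    gcm_ctx->gcm_pt_buf_len);
		}
	}

	return (ret);
}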
13190Sstevel@tonic-gate 
13200Sstevel@tonic-gate /*
13210Sstevel@tonic-gate  * KCF software provider context template entry points.
13220Sstevel@tonic-gate  */
/*
 * Build a reusable context template for an AES mechanism.
 *
 * The template is an expanded AES key schedule derived from `key'. On
 * success it is handed back through *tmpl with its allocation size in
 * *tmpl_size. The schedule is key-equivalent material, so the failure
 * path below zeroes it before freeing. How the framework later releases
 * a successful template is not visible here.
 *
 * Returns CRYPTO_MECHANISM_INVALID for a mechanism type other than the six
 * listed below, CRYPTO_HOST_MEMORY if the schedule cannot be allocated,
 * the init_keysched() error if key expansion fails, else CRYPTO_SUCCESS.
 */
/* ARGSUSED */
static int
aes_create_ctx_template(crypto_provider_handle_t provider,
    crypto_mechanism_t *mechanism, crypto_key_t *key,
    crypto_spi_ctx_template_t *tmpl, size_t *tmpl_size, crypto_req_handle_t req)
{

/* EXPORT DELETE START */

	void *ks;
	size_t ks_size;
	int status;

	/* Only the AES mechanisms this provider implements get a template. */
	switch (mechanism->cm_type) {
	case AES_ECB_MECH_INFO_TYPE:
	case AES_CBC_MECH_INFO_TYPE:
	case AES_CTR_MECH_INFO_TYPE:
	case AES_CCM_MECH_INFO_TYPE:
	case AES_GCM_MECH_INFO_TYPE:
	case AES_GMAC_MECH_INFO_TYPE:
		break;
	default:
		return (CRYPTO_MECHANISM_INVALID);
	}

	ks = aes_alloc_keysched(&ks_size, crypto_kmflag(req));
	if (ks == NULL)
		return (CRYPTO_HOST_MEMORY);

	/*
	 * Expand the key into the schedule; the key length travels with
	 * the key itself.
	 */
	status = init_keysched(key, ks);
	if (status != CRYPTO_SUCCESS) {
		/* Scrub whatever was written before releasing the memory. */
		bzero(ks, ks_size);
		kmem_free(ks, ks_size);
		return (status);
	}

	*tmpl = ks;
	*tmpl_size = ks_size;

/* EXPORT DELETE END */

	return (CRYPTO_SUCCESS);
}
13660Sstevel@tonic-gate 
13679392Sopensolaris@drydog.com 
/*
 * Release the provider-private AES context attached to `ctx'.
 *
 * If the context owns its key schedule (PROVIDER_OWNS_KEY_SCHEDULE), the
 * schedule is zeroed before it is freed so that expanded key material does
 * not linger in freed kernel memory. The mode context is then released and
 * the private pointer cleared. Always returns CRYPTO_SUCCESS; a context
 * with no private data is a no-op.
 */
static int
aes_free_context(crypto_ctx_t *ctx)
{

/* EXPORT DELETE START */

	aes_ctx_t *priv = ctx->cc_provider_private;

	if (priv == NULL)
		return (CRYPTO_SUCCESS);

	if (priv->ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
		ASSERT(priv->ac_keysched_len != 0);
		/* Scrub the key schedule before handing the memory back. */
		bzero(priv->ac_keysched, priv->ac_keysched_len);
		kmem_free(priv->ac_keysched, priv->ac_keysched_len);
	}
	crypto_free_mode_ctx(priv);
	ctx->cc_provider_private = NULL;

/* EXPORT DELETE END */

	return (CRYPTO_SUCCESS);
}
13910Sstevel@tonic-gate 
13929392Sopensolaris@drydog.com 
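/*
 * Initialize an AES context for the requested mechanism.
 *
 * If `template' is NULL, a key schedule is allocated here, expanded from
 * `key', and the context is flagged PROVIDER_OWNS_KEY_SCHEDULE; otherwise
 * the template is used as the key schedule and stays owned by its creator.
 * The mode-specific init routine is then run for the mechanism type.
 *
 * Failure handling: every failure after the key schedule has been
 * allocated goes through one cleanup path that zeroes and frees the
 * schedule, then clears the ownership flag and pointer in the context.
 * Two paths previously bypassed or weakened that cleanup:
 *   - the "bad mechanism parameter" checks returned directly, leaving the
 *     freshly allocated schedule attached to the context;
 *   - the init_keysched() failure path freed the schedule without zeroing.
 * The context is left with no dangling ac_keysched pointer, so a caller
 * that checks PROVIDER_OWNS_KEY_SCHEDULE on its own error path cannot free
 * it a second time. NOTE(review): the callers are outside this view;
 * confirm none of them relied on the schedule surviving a failed init.
 *
 * Returns CRYPTO_HOST_MEMORY, CRYPTO_MECHANISM_PARAM_INVALID, an error from
 * init_keysched() or the mode init routine, or CRYPTO_SUCCESS. A mechanism
 * type not listed in the switch leaves rv at CRYPTO_SUCCESS, as before.
 */
static int
aes_common_init_ctx(aes_ctx_t *aes_ctx, crypto_spi_ctx_template_t *template,
    crypto_mechanism_t *mechanism, crypto_key_t *key, int kmflag,
    boolean_t is_encrypt_init)
{
	int rv = CRYPTO_SUCCESS;

/* EXPORT DELETE START */

	void *keysched;
	size_t size = 0;

	if (template == NULL) {
		if ((keysched = aes_alloc_keysched(&size, kmflag)) == NULL)
			return (CRYPTO_HOST_MEMORY);
		/*
		 * Initialize key schedule.
		 * Key length is stored in the key.
		 */
		if ((rv = init_keysched(key, keysched)) != CRYPTO_SUCCESS) {
			/* May hold partially expanded key material. */
			bzero(keysched, size);
			kmem_free(keysched, size);
			return (rv);
		}

		aes_ctx->ac_flags |= PROVIDER_OWNS_KEY_SCHEDULE;
		aes_ctx->ac_keysched_len = size;
	} else {
		keysched = template;
	}
	aes_ctx->ac_keysched = keysched;

	switch (mechanism->cm_type) {
	case AES_CBC_MECH_INFO_TYPE:
		rv = cbc_init_ctx((cbc_ctx_t *)aes_ctx, mechanism->cm_param,
		    mechanism->cm_param_len, AES_BLOCK_LEN, aes_copy_block64);
		break;
	case AES_CTR_MECH_INFO_TYPE: {
		CK_AES_CTR_PARAMS *pp;

		if (mechanism->cm_param == NULL ||
		    mechanism->cm_param_len != sizeof (CK_AES_CTR_PARAMS)) {
			rv = CRYPTO_MECHANISM_PARAM_INVALID;
			break;
		}
		pp = (CK_AES_CTR_PARAMS *)(void *)mechanism->cm_param;
		rv = ctr_init_ctx((ctr_ctx_t *)aes_ctx, pp->ulCounterBits,
		    pp->cb, aes_copy_block);
		break;
	}
	case AES_CCM_MECH_INFO_TYPE:
		if (mechanism->cm_param == NULL ||
		    mechanism->cm_param_len != sizeof (CK_AES_CCM_PARAMS)) {
			rv = CRYPTO_MECHANISM_PARAM_INVALID;
			break;
		}
		rv = ccm_init_ctx((ccm_ctx_t *)aes_ctx, mechanism->cm_param,
		    kmflag, is_encrypt_init, AES_BLOCK_LEN, aes_encrypt_block,
		    aes_xor_block);
		break;
	case AES_GCM_MECH_INFO_TYPE:
		if (mechanism->cm_param == NULL ||
		    mechanism->cm_param_len != sizeof (CK_AES_GCM_PARAMS)) {
			rv = CRYPTO_MECHANISM_PARAM_INVALID;
			break;
		}
		rv = gcm_init_ctx((gcm_ctx_t *)aes_ctx, mechanism->cm_param,
		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
		    aes_xor_block);
		break;
	case AES_GMAC_MECH_INFO_TYPE:
		if (mechanism->cm_param == NULL ||
		    mechanism->cm_param_len != sizeof (CK_AES_GMAC_PARAMS)) {
			rv = CRYPTO_MECHANISM_PARAM_INVALID;
			break;
		}
		rv = gmac_init_ctx((gcm_ctx_t *)aes_ctx, mechanism->cm_param,
		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
		    aes_xor_block);
		break;
	case AES_ECB_MECH_INFO_TYPE:
		aes_ctx->ac_flags |= ECB_MODE;
		break;
	}

	/*
	 * template == NULL is exactly the case in which the schedule was
	 * allocated above, so `size' is valid here.
	 */
	if (rv != CRYPTO_SUCCESS && template == NULL) {
		bzero(keysched, size);
		kmem_free(keysched, size);
		aes_ctx->ac_keysched = NULL;
		aes_ctx->ac_keysched_len = 0;
		aes_ctx->ac_flags &= ~PROVIDER_OWNS_KEY_SCHEDULE;
	}

/* EXPORT DELETE END */

	return (rv);
}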
14839339SMark.Powers@Sun.COM 
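/*
 * Translate an AES-GMAC mechanism into the equivalent AES-GCM parameters.
 *
 * GMAC is handled as GCM in which all input is additional authenticated
 * data: the caller's IV is carried over, the IV length and tag size are
 * fixed to AES_GMAC_IV_LEN and AES_GMAC_TAG_BITS, and `data' (if given)
 * becomes the AAD. The IV is not copied; gcm_params->pIv aliases the
 * caller's buffer. GCM/GMAC gives no authenticity guarantee if an IV is
 * ever reused under the same key, and nothing here can check that, so IV
 * uniqueness remains the caller's responsibility.
 *
 * Checks added relative to the original:
 *   - mech->cm_param is tested for NULL before it is dereferenced (the
 *     length check alone does not establish that the pointer is valid);
 *   - pAAD/ulAADLen are always set, so the data == NULL path no longer
 *     leaves them holding whatever was in the caller's uninitialized
 *     CK_AES_GCM_PARAMS.
 *
 * Only CRYPTO_DATA_RAW input is accepted. The AAD length is taken from
 * data->cd_length and the base pointer from cd_raw.iov_base.
 *
 * Returns CRYPTO_MECHANISM_INVALID, CRYPTO_MECHANISM_PARAM_INVALID,
 * CRYPTO_ARGUMENTS_BAD or CRYPTO_SUCCESS.
 */
static int
process_gmac_mech(crypto_mechanism_t *mech, crypto_data_t *data,
    CK_AES_GCM_PARAMS *gcm_params)
{
	CK_AES_GMAC_PARAMS *params;

	if (mech->cm_type != AES_GMAC_MECH_INFO_TYPE)
		return (CRYPTO_MECHANISM_INVALID);

	if (mech->cm_param == NULL ||
	    mech->cm_param_len != sizeof (CK_AES_GMAC_PARAMS))
		return (CRYPTO_MECHANISM_PARAM_INVALID);

	/* LINTED: pointer alignment */
	params = (CK_AES_GMAC_PARAMS *)mech->cm_param;

	if (params->pIv == NULL)
		return (CRYPTO_MECHANISM_PARAM_INVALID);

	gcm_params->pIv = params->pIv;
	gcm_params->ulIvLen = AES_GMAC_IV_LEN;
	gcm_params->ulTagBits = AES_GMAC_TAG_BITS;

	/* Default to "no AAD" so every field is defined on every path. */
	gcm_params->pAAD = NULL;
	gcm_params->ulAADLen = 0;

	if (data == NULL)
		return (CRYPTO_SUCCESS);

	if (data->cd_format != CRYPTO_DATA_RAW)
		return (CRYPTO_ARGUMENTS_BAD);

	gcm_params->pAAD = (uchar_t *)data->cd_raw.iov_base;
	gcm_params->ulAADLen = data->cd_length;
	return (CRYPTO_SUCCESS);
}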
15149339SMark.Powers@Sun.COM 
/*
 * Single-part AES-GMAC generation.
 *
 * The GMAC mechanism is converted to GCM parameters by process_gmac_mech()
 * (with `data' as the AAD), and the request is forwarded to
 * aes_encrypt_atomic() with &null_crypto_data and `mac' as its two data
 * arguments. NOTE(review): aes_encrypt_atomic() is outside this view;
 * presumably the first is the (empty) plaintext and the second receives
 * the tag - confirm against its signature.
 *
 * The GCM parameter block lives on this stack frame and is only valid for
 * the duration of the call.
 */
static int
aes_mac_atomic(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
    crypto_spi_ctx_template_t template, crypto_req_handle_t req)
{
	CK_AES_GCM_PARAMS as_gcm;
	crypto_mechanism_t wrapped;
	int status;

	status = process_gmac_mech(mechanism, data, &as_gcm);
	if (status != CRYPTO_SUCCESS)
		return (status);

	/* Re-present the request as plain AES-GCM. */
	wrapped.cm_param = (char *)&as_gcm;
	wrapped.cm_param_len = sizeof (CK_AES_GCM_PARAMS);
	wrapped.cm_type = AES_GCM_MECH_INFO_TYPE;

	return (aes_encrypt_atomic(provider, session_id, &wrapped,
	    key, &null_crypto_data, mac, template, req));
}
15369339SMark.Powers@Sun.COM 
/*
 * Single-part AES-GMAC verification.
 *
 * Mirrors aes_mac_atomic(): the GMAC mechanism is converted to GCM
 * parameters (with `data' as the AAD) and the request is forwarded to
 * aes_decrypt_atomic() with `mac' and &null_crypto_data as its two data
 * arguments. NOTE(review): aes_decrypt_atomic() is only partly visible
 * here; presumably the tag in `mac' is checked as the GCM input and no
 * plaintext is produced - confirm against its signature.
 *
 * The return value is whatever aes_decrypt_atomic() reports. Callers must
 * treat anything other than CRYPTO_SUCCESS as a failed verification.
 */
static int
aes_mac_verify_atomic(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
    crypto_spi_ctx_template_t template, crypto_req_handle_t req)
{
	CK_AES_GCM_PARAMS as_gcm;
	crypto_mechanism_t wrapped;
	int status;

	status = process_gmac_mech(mechanism, data, &as_gcm);
	if (status != CRYPTO_SUCCESS)
		return (status);

	/* Re-present the request as plain AES-GCM. */
	wrapped.cm_param = (char *)&as_gcm;
	wrapped.cm_param_len = sizeof (CK_AES_GCM_PARAMS);
	wrapped.cm_type = AES_GCM_MECH_INFO_TYPE;

	return (aes_decrypt_atomic(provider, session_id, &wrapped,
	    key, mac, &null_crypto_data, template, req));
}
155810500SHai-May.Chao@Sun.COM 
155910500SHai-May.Chao@Sun.COM /*
156010500SHai-May.Chao@Sun.COM  * AES Power-Up Self-Test
156110500SHai-May.Chao@Sun.COM  */
void
aes_POST(int *rc)
{
	/*
	 * Run fips_aes_post() for the 128-, 192- and 256-bit key sizes in
	 * that order, stopping at the first failure. *rc receives the status
	 * of the last test that ran, so CRYPTO_SUCCESS means all three
	 * passed.
	 */
	int status = fips_aes_post(FIPS_AES_128_KEY_SIZE);

	if (status == CRYPTO_SUCCESS)
		status = fips_aes_post(FIPS_AES_192_KEY_SIZE);

	if (status == CRYPTO_SUCCESS)
		status = fips_aes_post(FIPS_AES_256_KEY_SIZE);

	*rc = status;
}
1587