xref: /onnv-gate/usr/src/uts/common/crypto/io/aes.c (revision 4486:9765e71dff90)
/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */
250Sstevel@tonic-gate 
260Sstevel@tonic-gate #pragma ident	"%Z%%M%	%I%	%E% SMI"
270Sstevel@tonic-gate 
/*
 * AES provider for the Kernel Cryptographic Framework (KCF)
 */
310Sstevel@tonic-gate 
320Sstevel@tonic-gate #include <sys/types.h>
330Sstevel@tonic-gate #include <sys/systm.h>
340Sstevel@tonic-gate #include <sys/modctl.h>
350Sstevel@tonic-gate #include <sys/cmn_err.h>
360Sstevel@tonic-gate #include <sys/ddi.h>
370Sstevel@tonic-gate #include <sys/crypto/common.h>
380Sstevel@tonic-gate #include <sys/crypto/spi.h>
390Sstevel@tonic-gate #include <sys/sysmacros.h>
400Sstevel@tonic-gate #include <sys/strsun.h>
410Sstevel@tonic-gate #include <aes_impl.h>
420Sstevel@tonic-gate #include <aes_cbc_crypt.h>
430Sstevel@tonic-gate 
extern struct mod_ops mod_cryptoops;

/*
 * Module linkage information for the kernel.
 *
 * modlinkage is what _init(), _fini() and _info() below hand to
 * mod_install(), mod_remove() and mod_info(); it points at the single
 * modlcrypto record describing this module.
 */
static struct modlcrypto modlcrypto = {
	&mod_cryptoops,
	"AES Kernel SW Provider %I%"
};

static struct modlinkage modlinkage = {
	MODREV_1,
	(void *)&modlcrypto,
	NULL		/* no further linkage records */
};
590Sstevel@tonic-gate 
/*
 * CSPI information (entry points, provider info, etc.)
 *
 * Provider-private mechanism numbers. These are the values stored in the
 * second field of each aes_mech_info_tab[] entry and later matched against
 * mechanism->cm_type in aes_check_mech_param().
 *
 * AES_CBC_PAD_MECH_INFO_TYPE is declared here but has no entry in
 * aes_mech_info_tab[] and no case in aes_check_mech_param(), so a request
 * carrying it is answered with CRYPTO_MECHANISM_INVALID.
 */
typedef enum aes_mech_type {
	AES_ECB_MECH_INFO_TYPE = 0,	/* SUN_CKM_AES_ECB */
	AES_CBC_MECH_INFO_TYPE = 1,	/* SUN_CKM_AES_CBC */
	AES_CBC_PAD_MECH_INFO_TYPE = 2,	/* SUN_CKM_AES_CBC_PAD */
	AES_CTR_MECH_INFO_TYPE = 3,	/* SUN_CKM_AES_CTR */
	AES_CCM_MECH_INFO_TYPE = 4	/* SUN_CKM_AES_CCM */
} aes_mech_type_t;
700Sstevel@tonic-gate 
/*
 * The following definitions are to keep EXPORT_SRC happy.
 *
 * They only take effect when the included headers did not already define
 * the limits. In that case aes_mech_info_tab[] advertises a key-size range
 * of 0..0 bytes to KCF.
 */
#if !defined(AES_MIN_KEY_BYTES)
#define	AES_MIN_KEY_BYTES		0
#endif

#if !defined(AES_MAX_KEY_BYTES)
#define	AES_MAX_KEY_BYTES		0
#endif
810Sstevel@tonic-gate 
/*
 * Mechanism info structure passed to KCF during registration.
 *
 * Each entry lists: the mechanism name, the provider-private number from
 * aes_mech_type_t, the supported function groups, and the key-size range
 * with its unit (bytes). All four mechanisms advertise the same function
 * groups: multi-part and atomic encrypt and decrypt.
 *
 * No entry is registered for AES_CBC_PAD_MECH_INFO_TYPE.
 */
static crypto_mech_info_t aes_mech_info_tab[] = {
	/*
	 * AES_ECB: takes no IV or parameter, so identical plaintext blocks
	 * produce identical ciphertext blocks under the same key.
	 */
	{SUN_CKM_AES_ECB, AES_ECB_MECH_INFO_TYPE,
	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},

	/* AES_CBC */
	{SUN_CKM_AES_CBC, AES_CBC_MECH_INFO_TYPE,
	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},

	/* AES_CTR */
	{SUN_CKM_AES_CTR, AES_CTR_MECH_INFO_TYPE,
	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},

	/* AES_CCM: the only mechanism here that also produces a MAC */
	{SUN_CKM_AES_CCM, AES_CCM_MECH_INFO_TYPE,
	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES}
};
1070Sstevel@tonic-gate 
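/*
 * Operations are in-place if the output buffer is NULL: the output
 * pointer is redirected to the input so the rest of the entry point can
 * treat both cases alike.
 *
 * Wrapped in do { } while (0) so the macro behaves as a single statement.
 * The bare "if (...) ...;" form silently captured a following "else" and
 * left a stray empty statement after the caller's semicolon. Callers must
 * terminate the invocation with ';'.
 */
#define	AES_ARG_INPLACE(input, output)				\
	do {							\
		if ((output) == NULL)				\
			(output) = (input);			\
	} while (0)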
1120Sstevel@tonic-gate 
/* Control entry point: reports provider readiness to KCF. */
static void aes_provider_status(crypto_provider_handle_t provider,
    uint_t *status);

static crypto_control_ops_t aes_control_ops = {
	aes_provider_status
};
1180Sstevel@tonic-gate 
/*
 * Context set-up. aes_encrypt_init() and aes_decrypt_init() are thin
 * wrappers that call aes_common_init() with B_TRUE and B_FALSE
 * respectively; aes_common_init() in turn calls aes_common_init_ctx().
 */
static int aes_encrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_spi_ctx_template_t template,
    crypto_req_handle_t req);
static int aes_decrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_spi_ctx_template_t template,
    crypto_req_handle_t req);
static int aes_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_spi_ctx_template_t template,
    crypto_req_handle_t req, boolean_t is_encrypt_init);
static int aes_common_init_ctx(aes_ctx_t *aes_ctx,
    crypto_spi_ctx_template_t *template, crypto_mechanism_t *mechanism,
    crypto_key_t *key, int kmflag, boolean_t is_encrypt_init);

/* Encrypt side: single-part, multi-part update/final, and atomic. */
static int aes_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext,
    crypto_data_t *ciphertext, crypto_req_handle_t req);
static int aes_encrypt_update(crypto_ctx_t *ctx, crypto_data_t *plaintext,
    crypto_data_t *ciphertext, crypto_req_handle_t req);
static int aes_encrypt_final(crypto_ctx_t *ctx, crypto_data_t *data,
    crypto_req_handle_t req);
static int aes_encrypt_atomic(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext,
    crypto_spi_ctx_template_t template, crypto_req_handle_t req);

/* Decrypt side: single-part, multi-part update/final, and atomic. */
static int aes_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
    crypto_data_t *plaintext, crypto_req_handle_t req);
static int aes_decrypt_update(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
    crypto_data_t *plaintext, crypto_req_handle_t req);
static int aes_decrypt_final(crypto_ctx_t *ctx, crypto_data_t *data,
    crypto_req_handle_t req);
static int aes_decrypt_atomic(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
    crypto_spi_ctx_template_t template, crypto_req_handle_t req);

/*
 * Cipher operations vector. The initializer is positional, so the order of
 * the ten entries must not change.
 */
static crypto_cipher_ops_t aes_cipher_ops = {
	/* encrypt */
	aes_encrypt_init,
	aes_encrypt,
	aes_encrypt_update,
	aes_encrypt_final,
	aes_encrypt_atomic,
	/* decrypt */
	aes_decrypt_init,
	aes_decrypt,
	aes_decrypt_update,
	aes_decrypt_final,
	aes_decrypt_atomic
};
1600Sstevel@tonic-gate 
/* Context management entry points: template creation and context release. */
static int aes_create_ctx_template(crypto_provider_handle_t provider,
    crypto_mechanism_t *mechanism, crypto_key_t *key,
    crypto_spi_ctx_template_t *template, size_t *template_size,
    crypto_req_handle_t req);
static int aes_free_context(crypto_ctx_t *ctx);

static crypto_ctx_ops_t aes_ctx_ops = {
	aes_create_ctx_template,
	aes_free_context
};
1700Sstevel@tonic-gate 
/*
 * Top-level operations vector registered with KCF. Only the control,
 * cipher and context groups are populated; every other slot is NULL.
 * The initializer is positional: the slot order is fixed by crypto_ops_t
 * (declared outside this file), so entries must not be moved.
 */
static crypto_ops_t aes_crypto_ops = {
	&aes_control_ops,
	NULL,
	&aes_cipher_ops,
	NULL, NULL, NULL, NULL, NULL,	/* ten unpopulated slots */
	NULL, NULL, NULL, NULL, NULL,
	&aes_ctx_ops
};
1870Sstevel@tonic-gate 
/*
 * Provider description passed to crypto_register_provider() in _init().
 * The mechanism count is derived from the table itself so it cannot drift
 * from the number of entries in aes_mech_info_tab[].
 */
static crypto_provider_info_t aes_prov_info = {
	CRYPTO_SPI_VERSION_1,
	"AES Software Provider",
	CRYPTO_SW_PROVIDER,
	{&modlinkage},
	NULL,
	&aes_crypto_ops,
	sizeof (aes_mech_info_tab) / sizeof (aes_mech_info_tab[0]),
	aes_mech_info_tab
};

/*
 * Handle filled in by crypto_register_provider(); NULL means "not
 * registered" and is what _fini() tests before unregistering.
 */
static crypto_kcf_provider_handle_t aes_prov_handle = NULL;
2000Sstevel@tonic-gate 
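/*
 * Module load entry point.
 *
 * Registers the provider with KCF, then installs the module. If the
 * install fails, the registration is rolled back before returning.
 *
 * Returns 0 on success, EACCES if KCF registration fails, or the
 * mod_install() error otherwise.
 */
int
_init(void)
{
	int ret;

	/*
	 * Register with KCF. If the registration fails, return error.
	 */
	ret = crypto_register_provider(&aes_prov_info, &aes_prov_handle);
	if (ret != CRYPTO_SUCCESS) {
		/*
		 * The first literal now ends in a space; the two halves
		 * were previously concatenated as "...provider()failed".
		 */
		cmn_err(CE_WARN, "%s _init: crypto_register_provider() "
		    "failed (0x%x)", CRYPTO_PROVIDER_NAME, ret);
		return (EACCES);
	}

	if ((ret = mod_install(&modlinkage)) != 0) {
		int rv;

		ASSERT(aes_prov_handle != NULL);
		/*
		 * We should not return if the unregister returns busy.
		 * Only CRYPTO_BUSY is retried; any other unregister result
		 * ends the loop without being reported.
		 */
		while ((rv = crypto_unregister_provider(aes_prov_handle))
		    == CRYPTO_BUSY) {
			cmn_err(CE_WARN,
			    "%s _init: crypto_unregister_provider() "
			    "failed (0x%x). Retrying.",
			    CRYPTO_PROVIDER_NAME, rv);
			/* wait 10 seconds and try again. */
			delay(10 * drv_usectohz(1000000));
		}
	}

	return (ret);
}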
2340Sstevel@tonic-gate 
/*
 * Module unload entry point.
 *
 * Unregisters from KCF if a registration handle is held. A failed
 * unregister vetoes the unload with EBUSY and leaves the handle set, so
 * the provider stays registered. Otherwise the handle is cleared and the
 * result of mod_remove() is returned.
 */
int
_fini(void)
{
	if (aes_prov_handle != NULL) {
		int ret = crypto_unregister_provider(aes_prov_handle);

		if (ret != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN,
			    "%s _fini: crypto_unregister_provider() "
			    "failed (0x%x)", CRYPTO_PROVIDER_NAME, ret);
			return (EBUSY);
		}
		/* Registration is gone; forget the stale handle. */
		aes_prov_handle = NULL;
	}

	return (mod_remove(&modlinkage));
}
2560Sstevel@tonic-gate 
/*
 * Module information entry point: forwards to mod_info() with this
 * module's linkage and returns its result unchanged.
 */
int
_info(struct modinfo *modinfop)
{
	int rv = mod_info(&modlinkage, modinfop);

	return (rv);
}
2620Sstevel@tonic-gate 
2630Sstevel@tonic-gate 
/*
 * Validate the mechanism type and the size of its parameter.
 *
 * Returns CRYPTO_MECHANISM_INVALID for a type this provider does not
 * handle (including AES_CBC_PAD_MECH_INFO_TYPE, which has no case here),
 * CRYPTO_MECHANISM_PARAM_INVALID when a parameter is present but has the
 * wrong length, and CRYPTO_SUCCESS otherwise.
 *
 * Only the length is checked, and only when cm_param is non-NULL. A NULL
 * cm_param is accepted for every mode, so code that later dereferences
 * the parameter must handle NULL itself. The parameter's contents
 * (counter width, MAC size, nonce size, ...) are not examined here.
 */
static int
aes_check_mech_param(crypto_mechanism_t *mechanism)
{
	size_t expected_len;

	switch (mechanism->cm_type) {
	case AES_ECB_MECH_INFO_TYPE:
		/* no parameter */
		return (CRYPTO_SUCCESS);
	case AES_CBC_MECH_INFO_TYPE:
		/* the parameter is the IV, one AES block long */
		expected_len = AES_BLOCK_LEN;
		break;
	case AES_CTR_MECH_INFO_TYPE:
		expected_len = sizeof (CK_AES_CTR_PARAMS);
		break;
	case AES_CCM_MECH_INFO_TYPE:
		expected_len = sizeof (CK_AES_CCM_PARAMS);
		break;
	default:
		return (CRYPTO_MECHANISM_INVALID);
	}

	if (mechanism->cm_param != NULL &&
	    mechanism->cm_param_len != expected_len)
		return (CRYPTO_MECHANISM_PARAM_INVALID);

	return (CRYPTO_SUCCESS);
}
293991Smcpowers 
/* EXPORT DELETE START */

/*
 * Initialize key schedules for AES.
 *
 * key		caller's key; only CRYPTO_KEY_RAW (key by value) is accepted.
 * newbie	destination handed to aes_init_keysched() for the expanded
 *		key schedule.
 *
 * ck_length is compared against AES_MINBITS/AES_MAXBITS, i.e. it is a
 * length in bits. Returns CRYPTO_KEY_TYPE_INCONSISTENT for any other key
 * format, CRYPTO_KEY_SIZE_RANGE for a length outside the range or not a
 * multiple of 64, and CRYPTO_SUCCESS once the schedule has been built.
 */
static int
init_keysched(crypto_key_t *key, void *newbie)
{
	/*
	 * Only keys by value are supported by this module.
	 */
	if (key->ck_format != CRYPTO_KEY_RAW)
		return (CRYPTO_KEY_TYPE_INCONSISTENT);

	if (key->ck_length < AES_MINBITS || key->ck_length > AES_MAXBITS)
		return (CRYPTO_KEY_SIZE_RANGE);

	/*
	 * key length must be either 128, 192, or 256: within the range
	 * above, those are the multiples of 64 (assuming AES_MINBITS is
	 * 128 and AES_MAXBITS is 256 -- defined outside this file).
	 */
	if ((key->ck_length & 63) != 0)
		return (CRYPTO_KEY_SIZE_RANGE);

	aes_init_keysched(key->ck_data, key->ck_length, newbie);
	return (CRYPTO_SUCCESS);
}

/* EXPORT DELETE END */
3250Sstevel@tonic-gate 
/*
 * KCF software provider control entry points.
 *
 * aes_provider_status() always reports CRYPTO_PROVIDER_READY through
 * *status; the provider handle is not consulted.
 */
/* ARGSUSED */
static void
aes_provider_status(crypto_provider_handle_t provider, uint_t *status)
{
	uint_t state = CRYPTO_PROVIDER_READY;

	*status = state;
}
3350Sstevel@tonic-gate 
/*
 * Encrypt-side context initialization: delegates to aes_common_init()
 * with is_encrypt_init set to B_TRUE and returns its status.
 */
static int
aes_encrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_spi_ctx_template_t template,
    crypto_req_handle_t req)
{
	int rv;

	rv = aes_common_init(ctx, mechanism, key, template, req, B_TRUE);
	return (rv);
}
342*4486Sktung 
/*
 * Decrypt-side context initialization: delegates to aes_common_init()
 * with is_encrypt_init set to B_FALSE and returns its status.
 */
static int
aes_decrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_spi_ctx_template_t template,
    crypto_req_handle_t req)
{
	int rv;

	rv = aes_common_init(ctx, mechanism, key, template, req, B_FALSE);
	return (rv);
}
349*4486Sktung 
350*4486Sktung 
351*4486Sktung 
/*
 * KCF software provider encrypt/decrypt init, shared by
 * aes_encrypt_init() and aes_decrypt_init().
 *
 * Rejects keys that are not passed by value, validates the mechanism
 * parameter length, allocates a zeroed aes_ctx_t and has
 * aes_common_init_ctx() fill it in. On success the context is attached to
 * ctx->cc_provider_private.
 *
 * Returns CRYPTO_KEY_TYPE_INCONSISTENT, the aes_check_mech_param() or
 * aes_common_init_ctx() error, CRYPTO_HOST_MEMORY on allocation failure,
 * or CRYPTO_SUCCESS.
 */
static int
aes_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_spi_ctx_template_t template,
    crypto_req_handle_t req, boolean_t is_encrypt_init)
{

/* EXPORT DELETE START */

	aes_ctx_t *aes_ctx;
	int rv;
	int kmflag;

	/*
	 * Only keys by value are supported by this module.
	 */
	if (key->ck_format != CRYPTO_KEY_RAW) {
		return (CRYPTO_KEY_TYPE_INCONSISTENT);
	}

	rv = aes_check_mech_param(mechanism);
	if (rv != CRYPTO_SUCCESS)
		return (rv);

	/*
	 * Allocate an AES context. The allocation flag comes from the
	 * request, so the allocation can fail and must be checked.
	 */
	kmflag = crypto_kmflag(req);
	aes_ctx = kmem_zalloc(sizeof (aes_ctx_t), kmflag);
	if (aes_ctx == NULL)
		return (CRYPTO_HOST_MEMORY);

	rv = aes_common_init_ctx(aes_ctx, template, mechanism, key, kmflag,
	    is_encrypt_init);
	if (rv != CRYPTO_SUCCESS) {
		/*
		 * NOTE(review): only the context structure is released
		 * here, without being cleared. Whether
		 * aes_common_init_ctx() can leave key material or a
		 * separately allocated key schedule behind on failure is
		 * not visible from this function -- confirm.
		 */
		kmem_free(aes_ctx, sizeof (aes_ctx_t));
		return (rv);
	}

	ctx->cc_provider_private = aes_ctx;

/* EXPORT DELETE END */

	return (CRYPTO_SUCCESS);
}
3970Sstevel@tonic-gate 
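/*
 * Helper AES cipher update function for iov (single raw buffer) input data.
 *
 * aes_ctx	AES context; its IV is overwritten when input->cd_miscdata
 *		is non-NULL.
 * input	data to process: cd_length bytes starting cd_offset bytes
 *		into cd_raw.
 * output	destination, or the same pointer as input for in-place
 *		operation (the cipher callback is then given NULL).
 * cipher	mode-specific routine that processes one contiguous run.
 *
 * Returns CRYPTO_ARGUMENTS_BAD when [cd_offset, cd_offset + cd_length)
 * does not fit inside cd_raw, otherwise the cipher callback's status.
 */
static int
aes_cipher_update_iov(aes_ctx_t *aes_ctx, crypto_data_t *input,
    crypto_data_t *output, int (*cipher)(aes_ctx_t *, caddr_t, size_t,
    crypto_data_t *))
{
	/*
	 * Initialized so the function never returns an indeterminate
	 * value should the region between the EXPORT DELETE markers be
	 * stripped from the build.
	 */
	int rv = CRYPTO_FAILED;
/* EXPORT DELETE START */
	off_t offset = input->cd_offset;
	size_t buf_len = (size_t)input->cd_raw.iov_len;

	/*
	 * cd_miscdata, when present, is taken as a 16-byte IV. No length
	 * travels with the pointer, so the caller must supply at least
	 * AES_BLOCK_LEN readable bytes. Aligned sources are copied as two
	 * 64-bit words; unaligned ones go through AES_COPY_BLOCK.
	 */
	if (input->cd_miscdata != NULL) {
		if (IS_P2ALIGNED(input->cd_miscdata, sizeof (uint64_t))) {
			/* LINTED: pointer alignment */
			aes_ctx->ac_iv[0] = *(uint64_t *)input->cd_miscdata;
			/* LINTED: pointer alignment */
			aes_ctx->ac_iv[1] = *(uint64_t *)&input->cd_miscdata[8];
		} else {
			uint8_t *miscdata8 = (uint8_t *)&input->cd_miscdata[0];
			uint8_t *iv8 = (uint8_t *)&aes_ctx->ac_iv[0];

			AES_COPY_BLOCK(miscdata8, iv8);
		}
	}

	/*
	 * The cipher reads cd_length bytes starting at iov_base +
	 * cd_offset, so the offset has to be part of the bounds check.
	 * Comparing cd_length against iov_len alone let a non-zero offset
	 * push the read past the end of the buffer. The subtraction form
	 * avoids overflow in offset + length.
	 */
	if (offset < 0 || (size_t)offset > buf_len ||
	    input->cd_length > buf_len - (size_t)offset)
		return (CRYPTO_ARGUMENTS_BAD);

	rv = (cipher)(aes_ctx, input->cd_raw.iov_base + offset,
	    input->cd_length, (input == output) ? NULL : output);

/* EXPORT DELETE END */

	return (rv);
}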
4330Sstevel@tonic-gate 
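/*
 * Helper AES cipher update function for uio input data.
 *
 * Walks the iovec array of input->cd_uio, skipping cd_offset bytes and
 * then feeding up to cd_length bytes to the cipher callback, one iovec at
 * a time. Only UIO_SYSSPACE uios are accepted.
 *
 * aes_ctx	AES context; its IV is overwritten when input->cd_miscdata
 *		is non-NULL (this happens before the arguments are
 *		validated).
 * output	destination, or the same pointer as input for in-place
 *		operation (the cipher callback is then given NULL).
 * cipher	mode-specific routine that processes one contiguous run.
 *
 * Returns CRYPTO_ARGUMENTS_BAD for a non-kernel uio,
 * CRYPTO_DATA_LEN_RANGE when the offset or length exceeds the supplied
 * buffers, the first non-success status from the cipher callback, or
 * CRYPTO_SUCCESS.
 */
static int
aes_cipher_update_uio(aes_ctx_t *aes_ctx, crypto_data_t *input,
    crypto_data_t *output, int (*cipher)(aes_ctx_t *, caddr_t, size_t,
    crypto_data_t *))
{
/* EXPORT DELETE START */
	uio_t *uiop = input->cd_uio;
	off_t offset = input->cd_offset;
	size_t length = input->cd_length;
	uint_t vec_idx;
	size_t cur_len;
	int rv;

	/*
	 * cd_miscdata, when present, is taken as a 16-byte IV. No length
	 * travels with the pointer, so the caller must supply at least
	 * AES_BLOCK_LEN readable bytes.
	 */
	if (input->cd_miscdata != NULL) {
		if (IS_P2ALIGNED(input->cd_miscdata, sizeof (uint64_t))) {
			/* LINTED: pointer alignment */
			aes_ctx->ac_iv[0] = *(uint64_t *)input->cd_miscdata;
			/* LINTED: pointer alignment */
			aes_ctx->ac_iv[1] = *(uint64_t *)&input->cd_miscdata[8];
		} else {
			uint8_t *miscdata8 = (uint8_t *)&input->cd_miscdata[0];
			uint8_t *iv8 = (uint8_t *)&aes_ctx->ac_iv[0];

			AES_COPY_BLOCK(miscdata8, iv8);
		}
	}

	/* iov_base is dereferenced directly, so it must be a kernel address. */
	if (input->cd_uio->uio_segflg != UIO_SYSSPACE) {
		return (CRYPTO_ARGUMENTS_BAD);
	}

	/*
	 * Jump to the first iovec containing data to be
	 * processed.
	 */
	for (vec_idx = 0; vec_idx < uiop->uio_iovcnt &&
	    offset >= uiop->uio_iov[vec_idx].iov_len;
	    offset -= uiop->uio_iov[vec_idx++].iov_len)
		;
	if (vec_idx == uiop->uio_iovcnt) {
		/*
		 * The caller specified an offset that is larger than the
		 * total size of the buffers it provided.
		 */
		return (CRYPTO_DATA_LEN_RANGE);
	}

	/*
	 * Now process the iovecs.
	 */
	while (vec_idx < uiop->uio_iovcnt && length > 0) {
		cur_len = MIN(uiop->uio_iov[vec_idx].iov_len -
		    offset, length);

		/*
		 * Stop at the first failing segment. The callback's status
		 * used to be discarded, so a mid-stream failure was
		 * reported to the caller as CRYPTO_SUCCESS.
		 */
		rv = (cipher)(aes_ctx, uiop->uio_iov[vec_idx].iov_base + offset,
		    cur_len, (input == output) ? NULL : output);
		if (rv != CRYPTO_SUCCESS)
			return (rv);

		length -= cur_len;
		vec_idx++;
		offset = 0;
	}

	if (vec_idx == uiop->uio_iovcnt && length > 0) {
		/*
		 * The end of the specified iovec's was reached but
		 * the length requested could not be processed, i.e.
		 * the caller requested to process more data than it
		 * provided.
		 */

		return (CRYPTO_DATA_LEN_RANGE);
	}

/* EXPORT DELETE END */

	return (CRYPTO_SUCCESS);
}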
5120Sstevel@tonic-gate 
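/*
 * Helper AES cipher update function for mblk input data.
 *
 * Walks the mblk chain at input->cd_mp, skipping cd_offset bytes and then
 * feeding up to cd_length bytes to the cipher callback, one mblk at a
 * time.
 *
 * aes_ctx	AES context; its IV is overwritten when input->cd_miscdata
 *		is non-NULL.
 * output	destination, or the same pointer as input for in-place
 *		operation (the cipher callback is then given NULL).
 * cipher	mode-specific routine that processes one contiguous run.
 *
 * Returns CRYPTO_DATA_LEN_RANGE when the offset or length exceeds the
 * chain, the first non-success status from the cipher callback, or
 * CRYPTO_SUCCESS.
 */
static int
aes_cipher_update_mp(aes_ctx_t *aes_ctx, crypto_data_t *input,
    crypto_data_t *output, int (*cipher)(aes_ctx_t *, caddr_t, size_t,
    crypto_data_t *))
{
/* EXPORT DELETE START */
	off_t offset = input->cd_offset;
	size_t length = input->cd_length;
	mblk_t *mp;
	size_t cur_len;
	int rv;

	/*
	 * cd_miscdata, when present, is taken as a 16-byte IV. No length
	 * travels with the pointer, so the caller must supply at least
	 * AES_BLOCK_LEN readable bytes.
	 */
	if (input->cd_miscdata != NULL) {
		if (IS_P2ALIGNED(input->cd_miscdata, sizeof (uint64_t))) {
			/* LINTED: pointer alignment */
			aes_ctx->ac_iv[0] = *(uint64_t *)input->cd_miscdata;
			/* LINTED: pointer alignment */
			aes_ctx->ac_iv[1] = *(uint64_t *)&input->cd_miscdata[8];
		} else {
			uint8_t *miscdata8 = (uint8_t *)&input->cd_miscdata[0];
			uint8_t *iv8 = (uint8_t *)&aes_ctx->ac_iv[0];

			AES_COPY_BLOCK(miscdata8, iv8);
		}
	}

	/*
	 * Jump to the first mblk_t containing data to be processed.
	 */
	for (mp = input->cd_mp; mp != NULL && offset >= MBLKL(mp);
	    offset -= MBLKL(mp), mp = mp->b_cont)
		;
	if (mp == NULL) {
		/*
		 * The caller specified an offset that is larger than the
		 * total size of the buffers it provided.
		 */
		return (CRYPTO_DATA_LEN_RANGE);
	}

	/*
	 * Now do the processing on the mblk chain.
	 */
	while (mp != NULL && length > 0) {
		cur_len = MIN(MBLKL(mp) - offset, length);

		/*
		 * Stop at the first failing segment. The callback's status
		 * used to be discarded, so a mid-stream failure was
		 * reported to the caller as CRYPTO_SUCCESS.
		 */
		rv = (cipher)(aes_ctx, (char *)(mp->b_rptr + offset), cur_len,
		    (input == output) ? NULL : output);
		if (rv != CRYPTO_SUCCESS)
			return (rv);

		length -= cur_len;
		offset = 0;
		mp = mp->b_cont;
	}

	if (mp == NULL && length > 0) {
		/*
		 * The end of the mblk was reached but the length requested
		 * could not be processed, i.e. the caller requested
		 * to process more data than it provided.
		 */
		return (CRYPTO_DATA_LEN_RANGE);
	}

/* EXPORT DELETE END */

	return (CRYPTO_SUCCESS);
}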
5810Sstevel@tonic-gate 
/*
 * Single-part encrypt entry point.
 *
 * ctx		context set up by aes_encrypt_init(); released here on
 *		success.
 * plaintext	input data.
 * ciphertext	output buffer, or NULL to encrypt in place.
 *
 * Returns CRYPTO_DATA_LEN_RANGE when the mode needs whole blocks and the
 * plaintext length is not a multiple of AES_BLOCK_LEN;
 * CRYPTO_BUFFER_TOO_SMALL (with ciphertext->cd_length set to the size
 * required) when the output cannot hold the result; otherwise the status
 * of aes_encrypt_update() and, for CCM, aes_ccm_encrypt_final().
 *
 * NOTE(review): every error return leaves the context allocated; only
 * the success path calls aes_free_context(). Presumably the framework
 * releases the context after a failure -- confirm.
 */
/* ARGSUSED */
static int
aes_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext,
    crypto_data_t *ciphertext, crypto_req_handle_t req)
{
	int ret = CRYPTO_FAILED;

/* EXPORT DELETE START */

	aes_ctx_t *aes_ctx;
	size_t saved_length, saved_offset, length_needed;
	size_t written;

	ASSERT(ctx->cc_provider_private != NULL);
	aes_ctx = ctx->cc_provider_private;

	/*
	 * CTR and CCM accept any plaintext length; every other mode here
	 * needs a whole number of AES blocks. The mask test is only valid
	 * because the block size is a power of 2. The length requirement
	 * for CCM has already been checked at init time.
	 */
	if ((aes_ctx->ac_flags & (AES_CTR_MODE | AES_CCM_MODE)) == 0 &&
	    (plaintext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
		return (CRYPTO_DATA_LEN_RANGE);

	AES_ARG_INPLACE(plaintext, ciphertext);

	/*
	 * Work out how much output space is required. CCM appends its MAC
	 * to the ciphertext, so it needs ac_ccm_mac_len extra bytes.
	 */
	length_needed = plaintext->cd_length;
	if (aes_ctx->ac_flags & AES_CCM_MODE)
		length_needed += aes_ctx->ac_ccm_mac_len;

	/*
	 * If the buffer is too small, just report the length needed.
	 * The context must survive this case so the caller can retry.
	 */
	if (ciphertext->cd_length < length_needed) {
		ciphertext->cd_length = length_needed;
		return (CRYPTO_BUFFER_TOO_SMALL);
	}

	/* Remember the caller's view of the output buffer. */
	saved_length = ciphertext->cd_length;
	saved_offset = ciphertext->cd_offset;

	/*
	 * Do an update on the specified input data.
	 */
	ret = aes_encrypt_update(ctx, plaintext, ciphertext, req);
	if (ret != CRYPTO_SUCCESS)
		return (ret);

	/*
	 * For CCM mode, aes_ccm_encrypt_final() takes care of any
	 * left-over unprocessed data and computes the MAC, appending it to
	 * the ciphertext already produced.
	 */
	if (aes_ctx->ac_flags & AES_CCM_MODE) {
		/*
		 * Point the output descriptor at the space left over after
		 * the update. The update's cd_length is captured first so
		 * the offset and the remaining length are both derived
		 * from the same pre-adjustment value.
		 */
		written = ciphertext->cd_length;
		ciphertext->cd_offset = written;
		ciphertext->cd_length = saved_length - written;

		ret = aes_ccm_encrypt_final(aes_ctx, ciphertext);
		if (ret != CRYPTO_SUCCESS)
			return (ret);

		/*
		 * With a separate output buffer, report the total produced
		 * relative to the caller's original offset; then restore
		 * that offset in either case.
		 */
		if (plaintext != ciphertext) {
			ciphertext->cd_length =
			    ciphertext->cd_offset - saved_offset;
		}
		ciphertext->cd_offset = saved_offset;
	}

	ASSERT(aes_ctx->ac_remainder_len == 0);
	(void) aes_free_context(ctx);

/* EXPORT DELETE END */

	/* LINTED */
	return (ret);
}
6720Sstevel@tonic-gate 
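/*
 * Single-part decrypt entry point: runs aes_decrypt_update() over the whole
 * input and, for CCM mode, aes_ccm_decrypt_final() to produce the output.
 *
 * ctx		operation context; cc_provider_private holds the aes_ctx_t
 * ciphertext	input data descriptor
 * plaintext	output data descriptor (see AES_ARG_INPLACE below)
 * req		request handle, passed through to aes_decrypt_update()
 *
 * Returns CRYPTO_DATA_LEN_RANGE or CRYPTO_BUFFER_TOO_SMALL without touching
 * the context, otherwise the status of the update/final step. Every path
 * that reaches "cleanup" destroys the context.
 */
/* ARGSUSED */
static int
aes_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
    crypto_data_t *plaintext, crypto_req_handle_t req)
{
	int ret = CRYPTO_FAILED;

/* EXPORT DELETE START */

	aes_ctx_t *aes_ctx;
	off_t saved_offset;
	size_t saved_length;

	ASSERT(ctx->cc_provider_private != NULL);
	aes_ctx = ctx->cc_provider_private;

	/*
	 * For the plain block modes the input (the ciphertext) must be a
	 * multiple of the AES block size. This test is only valid for
	 * ciphers whose blocksize is a power of 2.
	 * Even though AES CCM mode is a block cipher, it does not
	 * require the data to be a multiple of AES block size.
	 * The length requirement for AES CCM mode has already been checked
	 * at init time.
	 *
	 * The test is made on the ciphertext descriptor, as in
	 * aes_decrypt_atomic(): the length of the output buffer says
	 * nothing about the input, and this test runs before
	 * AES_ARG_INPLACE, so "plaintext" has not been through that macro
	 * yet (presumably it may still be NULL for an in-place request;
	 * confirm against the macro definition).
	 */
	if (((aes_ctx->ac_flags & AES_CTR_MODE) == 0) &&
	    ((aes_ctx->ac_flags & AES_CCM_MODE) == 0) &&
	    (ciphertext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
		return (CRYPTO_DATA_LEN_RANGE);

	AES_ARG_INPLACE(ciphertext, plaintext);

	/*
	 * We need to just return the length needed to store the output.
	 * We should not destroy the context for the following case.
	 *
	 * For AES CCM mode, size of the plaintext will be MAC_SIZE
	 * smaller than size of the cipher text.
	 */
	if (aes_ctx->ac_flags & AES_CCM_MODE) {
		if (plaintext->cd_length < aes_ctx->ac_ccm_data_len) {
			/*
			 * Report the required size. The value must not be
			 * negated: cd_length is compared against size_t
			 * lengths throughout this file, and a negated
			 * length would read back as a huge requirement.
			 */
			plaintext->cd_length = aes_ctx->ac_ccm_data_len;
			return (CRYPTO_BUFFER_TOO_SMALL);
		}
		saved_offset = plaintext->cd_offset;
		saved_length = plaintext->cd_length;
	} else if (plaintext->cd_length < ciphertext->cd_length) {
		plaintext->cd_length = ciphertext->cd_length;
		return (CRYPTO_BUFFER_TOO_SMALL);
	}

	/*
	 * Do an update on the specified input data.
	 */
	ret = aes_decrypt_update(ctx, ciphertext, plaintext, req);
	if (ret != CRYPTO_SUCCESS) {
		goto cleanup;
	}

	if (aes_ctx->ac_flags & AES_CCM_MODE) {
		ASSERT(aes_ctx->ac_ccm_processed_data_len
		    == aes_ctx->ac_ccm_data_len);
		ASSERT(aes_ctx->ac_ccm_processed_mac_len
		    == aes_ctx->ac_ccm_mac_len);

		/*
		 * Point the descriptor at the unused tail of the output
		 * buffer for the final step.
		 * order of following 2 lines MUST not be reversed
		 */
		plaintext->cd_offset = plaintext->cd_length;
		plaintext->cd_length = saved_length - plaintext->cd_length;

		ret = aes_ccm_decrypt_final(aes_ctx, plaintext);
		if (ret == CRYPTO_SUCCESS) {
			if (plaintext != ciphertext) {
				plaintext->cd_length =
				    plaintext->cd_offset - saved_offset;
			}
		} else {
			plaintext->cd_length = saved_length;
		}

		plaintext->cd_offset = saved_offset;
	}

	ASSERT(aes_ctx->ac_remainder_len == 0);

cleanup:
	if (aes_ctx->ac_ccm_pt_buf) {
		/*
		 * Scrub the CCM staging buffer before it goes back to the
		 * allocator, as is done for the key schedule. It
		 * presumably holds decrypted data, which on a failed
		 * final step has not been authenticated.
		 */
		bzero(aes_ctx->ac_ccm_pt_buf, aes_ctx->ac_ccm_data_len);
		kmem_free(aes_ctx->ac_ccm_pt_buf, aes_ctx->ac_ccm_data_len);
	}
	(void) aes_free_context(ctx);

/* EXPORT DELETE END */

	/* LINTED */
	return (ret);
}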
7670Sstevel@tonic-gate 
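/*
 * Multi-part encrypt update: encrypts as many whole AES blocks as the
 * buffered remainder plus the new input provide.
 *
 * ctx		operation context; cc_provider_private holds the aes_ctx_t
 * plaintext	input data descriptor
 * ciphertext	output data descriptor (see AES_ARG_INPLACE below)
 * req		request handle (unused here)
 *
 * Returns CRYPTO_BUFFER_TOO_SMALL with ciphertext->cd_length set to the
 * required size, CRYPTO_ARGUMENTS_BAD for an unknown cd_format, otherwise
 * the status of the cipher update. On success, and when the operation is
 * not in place, ciphertext->cd_length is the number of bytes produced; on
 * failure it is restored. cd_offset is always restored.
 */
/* ARGSUSED */
static int
aes_encrypt_update(crypto_ctx_t *ctx, crypto_data_t *plaintext,
    crypto_data_t *ciphertext, crypto_req_handle_t req)
{
	off_t saved_offset;
	size_t saved_length, out_len;
	int ret = CRYPTO_SUCCESS;
	aes_ctx_t *aes_ctx;

	ASSERT(ctx->cc_provider_private != NULL);
	aes_ctx = ctx->cc_provider_private;

	AES_ARG_INPLACE(plaintext, ciphertext);

	/* compute number of bytes that will hold the ciphertext */
	out_len = aes_ctx->ac_remainder_len;
	out_len += plaintext->cd_length;
	out_len &= ~(AES_BLOCK_LEN - 1);

	/* return length needed to store the output */
	if (ciphertext->cd_length < out_len) {
		ciphertext->cd_length = out_len;
		return (CRYPTO_BUFFER_TOO_SMALL);
	}

	saved_offset = ciphertext->cd_offset;
	saved_length = ciphertext->cd_length;

	/*
	 * Do the AES update on the specified input data.
	 */
	switch (plaintext->cd_format) {
	case CRYPTO_DATA_RAW:
		ret = aes_cipher_update_iov(aes_ctx,
		    plaintext, ciphertext, aes_encrypt_contiguous_blocks);
		break;
	case CRYPTO_DATA_UIO:
		ret = aes_cipher_update_uio(aes_ctx,
		    plaintext, ciphertext, aes_encrypt_contiguous_blocks);
		break;
	case CRYPTO_DATA_MBLK:
		ret = aes_cipher_update_mp(aes_ctx,
		    plaintext, ciphertext, aes_encrypt_contiguous_blocks);
		break;
	default:
		ret = CRYPTO_ARGUMENTS_BAD;
	}

	/*
	 * Since AES counter mode is a stream cipher, we call
	 * aes_counter_final() to pick up any remaining bytes.
	 * It is an internal function that does not destroy
	 * the context like *normal* final routines.
	 *
	 * Only do so when the update itself succeeded: otherwise the
	 * status of aes_counter_final() would replace the error (for
	 * example CRYPTO_ARGUMENTS_BAD) and the caller could be told
	 * that a failed update had worked.
	 */
	if ((ret == CRYPTO_SUCCESS) &&
	    (aes_ctx->ac_flags & AES_CTR_MODE) &&
	    (aes_ctx->ac_remainder_len > 0)) {
		ret = aes_counter_final(aes_ctx, ciphertext);
	}

	if (ret == CRYPTO_SUCCESS) {
		if (plaintext != ciphertext)
			ciphertext->cd_length =
			    ciphertext->cd_offset - saved_offset;
	} else {
		ciphertext->cd_length = saved_length;
	}
	ciphertext->cd_offset = saved_offset;

	return (ret);
}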
8400Sstevel@tonic-gate 
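/*
 * Multi-part decrypt update: decrypts as many whole AES blocks as the
 * buffered remainder plus the new input provide.
 *
 * ctx		operation context; cc_provider_private holds the aes_ctx_t
 * ciphertext	input data descriptor
 * plaintext	output data descriptor (see AES_ARG_INPLACE below)
 * req		request handle (unused here)
 *
 * Returns CRYPTO_BUFFER_TOO_SMALL with plaintext->cd_length set to the
 * required size, CRYPTO_ARGUMENTS_BAD for an unknown cd_format, otherwise
 * the status of the cipher update. On success, and when the operation is
 * not in place, plaintext->cd_length is the number of bytes produced; on
 * failure it is restored. cd_offset is always restored.
 */
/* ARGSUSED */
static int
aes_decrypt_update(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
    crypto_data_t *plaintext, crypto_req_handle_t req)
{
	off_t saved_offset;
	size_t saved_length, out_len;
	int ret = CRYPTO_SUCCESS;
	aes_ctx_t *aes_ctx;

	ASSERT(ctx->cc_provider_private != NULL);
	aes_ctx = ctx->cc_provider_private;

	AES_ARG_INPLACE(ciphertext, plaintext);

	/* compute number of bytes that will hold the plaintext */
	out_len = aes_ctx->ac_remainder_len;
	out_len += ciphertext->cd_length;
	out_len &= ~(AES_BLOCK_LEN - 1);

	/* return length needed to store the output */
	if (plaintext->cd_length < out_len) {
		plaintext->cd_length = out_len;
		return (CRYPTO_BUFFER_TOO_SMALL);
	}

	saved_offset = plaintext->cd_offset;
	saved_length = plaintext->cd_length;

	/*
	 * Do the AES update on the specified input data.
	 */
	switch (ciphertext->cd_format) {
	case CRYPTO_DATA_RAW:
		ret = aes_cipher_update_iov(aes_ctx,
		    ciphertext, plaintext, aes_decrypt_contiguous_blocks);
		break;
	case CRYPTO_DATA_UIO:
		ret = aes_cipher_update_uio(aes_ctx,
		    ciphertext, plaintext, aes_decrypt_contiguous_blocks);
		break;
	case CRYPTO_DATA_MBLK:
		ret = aes_cipher_update_mp(aes_ctx,
		    ciphertext, plaintext, aes_decrypt_contiguous_blocks);
		break;
	default:
		ret = CRYPTO_ARGUMENTS_BAD;
	}

	/*
	 * Since AES counter mode is a stream cipher, we call
	 * aes_counter_final() to pick up any remaining bytes.
	 * It is an internal function that does not destroy
	 * the context like *normal* final routines.
	 *
	 * Only do so when the update itself succeeded: otherwise the
	 * status of aes_counter_final() would replace the error (for
	 * example CRYPTO_ARGUMENTS_BAD) and the caller could be told
	 * that a failed update had worked.
	 */
	if ((ret == CRYPTO_SUCCESS) &&
	    (aes_ctx->ac_flags & AES_CTR_MODE) &&
	    (aes_ctx->ac_remainder_len > 0)) {
		ret = aes_counter_final(aes_ctx, plaintext);
	}

	if (ret == CRYPTO_SUCCESS) {
		if (ciphertext != plaintext)
			plaintext->cd_length =
			    plaintext->cd_offset - saved_offset;
	} else {
		plaintext->cd_length = saved_length;
	}
	plaintext->cd_offset = saved_offset;

	return (ret);
}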
9130Sstevel@tonic-gate 
/*
 * Multi-part encrypt final step.
 *
 * Rejects an unknown cd_format with CRYPTO_ARGUMENTS_BAD, then finishes
 * the operation according to the mode recorded in the context flags and
 * destroys the context. An error return leaves the context in place.
 *
 * NOTE(review): data->cd_length is set to 0 here for counter mode only,
 * while aes_decrypt_final() zeroes it for the modes that are not counter
 * mode. Confirm which of the two is intended.
 */
/* ARGSUSED */
static int
aes_encrypt_final(crypto_ctx_t *ctx, crypto_data_t *data,
    crypto_req_handle_t req)
{

/* EXPORT DELETE START */

	aes_ctx_t *aes_ctx;
	int ret;

	ASSERT(ctx->cc_provider_private != NULL);
	aes_ctx = ctx->cc_provider_private;

	/* Only the three known data layouts are accepted. */
	switch (data->cd_format) {
	case CRYPTO_DATA_RAW:
	case CRYPTO_DATA_UIO:
	case CRYPTO_DATA_MBLK:
		break;
	default:
		return (CRYPTO_ARGUMENTS_BAD);
	}

	if (aes_ctx->ac_flags & AES_CTR_MODE) {
		/* Counter mode: flush whatever is still buffered. */
		if (aes_ctx->ac_remainder_len > 0) {
			ret = aes_counter_final(aes_ctx, data);
			if (ret != CRYPTO_SUCCESS)
				return (ret);
		}
		data->cd_length = 0;
	} else if (aes_ctx->ac_flags & AES_CCM_MODE) {
		/* CCM mode: the CCM final routine finishes the operation. */
		ret = aes_ccm_encrypt_final(aes_ctx, data);
		if (ret != CRYPTO_SUCCESS) {
			return (ret);
		}
	} else if (aes_ctx->ac_remainder_len > 0) {
		/*
		 * There must be no unprocessed plaintext.
		 * This happens if the length of the last data is
		 * not a multiple of the AES block length.
		 */
		return (CRYPTO_DATA_LEN_RANGE);
	}

	(void) aes_free_context(ctx);

/* EXPORT DELETE END */

	return (CRYPTO_SUCCESS);
}
9630Sstevel@tonic-gate 
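/*
 * Multi-part decrypt final step.
 *
 * Rejects an unknown cd_format with CRYPTO_ARGUMENTS_BAD, flushes or
 * rejects buffered input, runs the CCM final step when in CCM mode, then
 * destroys the context. An error return leaves the context in place.
 *
 * On success data->cd_length is the number of bytes the CCM final step
 * produced (CCM mode), is left as it is (counter mode), or is 0 (other
 * modes).
 */
/* ARGSUSED */
static int
aes_decrypt_final(crypto_ctx_t *ctx, crypto_data_t *data,
    crypto_req_handle_t req)
{

/* EXPORT DELETE START */

	aes_ctx_t *aes_ctx;
	int ret;
	off_t saved_offset;
	size_t saved_length;

	ASSERT(ctx->cc_provider_private != NULL);
	aes_ctx = ctx->cc_provider_private;

	if (data->cd_format != CRYPTO_DATA_RAW &&
	    data->cd_format != CRYPTO_DATA_UIO &&
	    data->cd_format != CRYPTO_DATA_MBLK) {
		return (CRYPTO_ARGUMENTS_BAD);
	}

	/*
	 * There must be no unprocessed ciphertext.
	 * This happens if the length of the last ciphertext is
	 * not a multiple of the AES block length.
	 */
	if (aes_ctx->ac_remainder_len > 0) {
		if ((aes_ctx->ac_flags & AES_CTR_MODE) == 0)
			return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
		else {
			ret = aes_counter_final(aes_ctx, data);
			if (ret != CRYPTO_SUCCESS)
				return (ret);
		}
	}

	if (aes_ctx->ac_flags & AES_CCM_MODE) {
		/*
		 * This is where all the plaintext is returned, make sure
		 * the plaintext buffer is big enough
		 */
		size_t pt_len = aes_ctx->ac_ccm_data_len;
		if (data->cd_length < pt_len) {
			data->cd_length = pt_len;
			return (CRYPTO_BUFFER_TOO_SMALL);
		}

		ASSERT(aes_ctx->ac_ccm_processed_data_len == pt_len);
		ASSERT(aes_ctx->ac_ccm_processed_mac_len
		    == aes_ctx->ac_ccm_mac_len);
		saved_offset = data->cd_offset;
		saved_length = data->cd_length;
		ret = aes_ccm_decrypt_final(aes_ctx, data);
		if (ret == CRYPTO_SUCCESS) {
			data->cd_length = data->cd_offset - saved_offset;
		} else {
			data->cd_length = saved_length;
		}

		data->cd_offset = saved_offset;
		if (ret != CRYPTO_SUCCESS) {
			/*
			 * NOTE(review): this return leaves ac_ccm_pt_buf
			 * allocated and unscrubbed, and aes_free_context()
			 * does not release it. Confirm who frees it after
			 * a failed final step.
			 */
			return (ret);
		}
	}

	/*
	 * The plain block modes produce no output in the final step.
	 * CCM mode has to be excluded along with counter mode: the length
	 * computed from the CCM final step above would otherwise be
	 * overwritten with 0 and the caller told that no plaintext was
	 * returned.
	 */
	if ((aes_ctx->ac_flags & (AES_CTR_MODE | AES_CCM_MODE)) == 0)
		data->cd_length = 0;

	if (aes_ctx->ac_ccm_pt_buf != NULL) {
		/*
		 * Scrub the CCM staging buffer before it goes back to the
		 * allocator, as is done for the key schedule; it
		 * presumably still holds a copy of the plaintext.
		 */
		bzero(aes_ctx->ac_ccm_pt_buf, aes_ctx->ac_ccm_data_len);
		kmem_free(aes_ctx->ac_ccm_pt_buf, aes_ctx->ac_ccm_data_len);
	}

	(void) aes_free_context(ctx);

/* EXPORT DELETE END */

	return (CRYPTO_SUCCESS);
}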
10440Sstevel@tonic-gate 
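/*
 * Atomic (single call) encrypt entry point. Builds a context on the
 * stack, encrypts the whole input, runs the mode-specific final step and
 * releases the key schedule if this provider allocated it.
 *
 * mechanism	selects the mode; parameters are validated by
 *		aes_check_mech_param()
 * key		key to build the key schedule from, unless "template"
 *		supplies one (handled by aes_common_init_ctx())
 * plaintext	input data descriptor
 * ciphertext	output data descriptor (see AES_ARG_INPLACE below)
 *
 * Returns CRYPTO_DATA_LEN_RANGE for unaligned input in the plain block
 * modes, CRYPTO_BUFFER_TOO_SMALL with ciphertext->cd_length set to the
 * required size, CRYPTO_ARGUMENTS_BAD for an unknown cd_format, otherwise
 * the status of the init/update/final step.
 */
/* ARGSUSED */
static int
aes_encrypt_atomic(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext,
    crypto_spi_ctx_template_t template, crypto_req_handle_t req)
{
	aes_ctx_t aes_ctx;	/* on the stack */
	off_t saved_offset;
	size_t saved_length;
	int ret;

	AES_ARG_INPLACE(plaintext, ciphertext);

	if ((mechanism->cm_type != AES_CTR_MECH_INFO_TYPE) &&
	    (mechanism->cm_type != AES_CCM_MECH_INFO_TYPE)) {
		/*
		 * Plaintext must be a multiple of AES block size.
		 * This test only works for non-padded mechanisms
		 * when blocksize is 2^N.
		 */
		if ((plaintext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
			return (CRYPTO_DATA_LEN_RANGE);
	}

	/* return length needed to store the output */
	if (ciphertext->cd_length < plaintext->cd_length) {
		ciphertext->cd_length = plaintext->cd_length;
		return (CRYPTO_BUFFER_TOO_SMALL);
	}

	if ((ret = aes_check_mech_param(mechanism)) != CRYPTO_SUCCESS)
		return (ret);

	bzero(&aes_ctx, sizeof (aes_ctx_t));

	ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key,
	    crypto_kmflag(req), B_TRUE);
	if (ret != CRYPTO_SUCCESS)
		return (ret);

	/*
	 * For CCM mode the output also has to hold the MAC, whose length
	 * is only known once the context is initialized.
	 */
	if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) {
		size_t length_needed
		    = plaintext->cd_length + aes_ctx.ac_ccm_mac_len;
		if (ciphertext->cd_length < length_needed) {
			ciphertext->cd_length = length_needed;
			/*
			 * The context is initialized at this point, so
			 * leave through "out": a direct return would leak
			 * a provider-owned key schedule without scrubbing
			 * it. aes_decrypt_atomic() handles its CCM length
			 * check the same way.
			 */
			ret = CRYPTO_BUFFER_TOO_SMALL;
			goto out;
		}
	}

	saved_offset = ciphertext->cd_offset;
	saved_length = ciphertext->cd_length;

	/*
	 * Do an update on the specified input data.
	 */
	switch (plaintext->cd_format) {
	case CRYPTO_DATA_RAW:
		ret = aes_cipher_update_iov(&aes_ctx, plaintext, ciphertext,
		    aes_encrypt_contiguous_blocks);
		break;
	case CRYPTO_DATA_UIO:
		ret = aes_cipher_update_uio(&aes_ctx, plaintext, ciphertext,
		    aes_encrypt_contiguous_blocks);
		break;
	case CRYPTO_DATA_MBLK:
		ret = aes_cipher_update_mp(&aes_ctx, plaintext, ciphertext,
		    aes_encrypt_contiguous_blocks);
		break;
	default:
		ret = CRYPTO_ARGUMENTS_BAD;
	}

	if (ret == CRYPTO_SUCCESS) {
		/*
		 * NOTE(review): the two "goto out" paths below skip the
		 * restore of cd_offset/cd_length that every other exit
		 * performs; confirm callers do not rely on the descriptor
		 * after a failed final step.
		 */
		if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) {
			ret = aes_ccm_encrypt_final(&aes_ctx, ciphertext);
			if (ret != CRYPTO_SUCCESS)
				goto out;
			ASSERT(aes_ctx.ac_remainder_len == 0);
		} else if (mechanism->cm_type == AES_CTR_MECH_INFO_TYPE) {
			if (aes_ctx.ac_remainder_len > 0) {
				ret = aes_counter_final(&aes_ctx, ciphertext);
				if (ret != CRYPTO_SUCCESS)
					goto out;
			}
		} else {
			ASSERT(aes_ctx.ac_remainder_len == 0);
		}

		if (plaintext != ciphertext) {
			ciphertext->cd_length =
			    ciphertext->cd_offset - saved_offset;
		}
	} else {
		ciphertext->cd_length = saved_length;
	}
	ciphertext->cd_offset = saved_offset;

out:
	/* Scrub and release the key schedule if it was allocated here. */
	if (aes_ctx.ac_flags & AES_PROVIDER_OWNS_KEY_SCHEDULE) {
		bzero(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
		kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
	}

	return (ret);
}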
11520Sstevel@tonic-gate 
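/*
 * Atomic (single call) decrypt entry point. Builds a context on the
 * stack, decrypts the whole input, runs the mode-specific final step and
 * releases what the context owns (key schedule, CCM staging buffer).
 *
 * mechanism	selects the mode; parameters are validated by
 *		aes_check_mech_param()
 * key		key to build the key schedule from, unless "template"
 *		supplies one (handled by aes_common_init_ctx())
 * ciphertext	input data descriptor
 * plaintext	output data descriptor (see AES_ARG_INPLACE below)
 *
 * Returns CRYPTO_DATA_LEN_RANGE for unaligned input in the plain block
 * modes, CRYPTO_BUFFER_TOO_SMALL with plaintext->cd_length set to the
 * required size, CRYPTO_ARGUMENTS_BAD for an unknown cd_format, otherwise
 * the status of the init/update/final step.
 */
/* ARGSUSED */
static int
aes_decrypt_atomic(crypto_provider_handle_t provider,
    crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
    crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
    crypto_spi_ctx_template_t template, crypto_req_handle_t req)
{
	aes_ctx_t aes_ctx;	/* on the stack */
	off_t saved_offset;
	size_t saved_length;
	int ret;

	AES_ARG_INPLACE(ciphertext, plaintext);

	/*
	 * For block ciphers, ciphertext must be a multiple of AES block size.
	 * This test is only valid for non-padded mechanisms
	 * when blocksize is 2^N
	 * Even though AES CCM mode is a block cipher, it does not
	 * require the plaintext to be a multiple of AES block size.
	 * The length requirement for AES CCM mode will be checked
	 * at init time
	 */
	if ((mechanism->cm_type != AES_CTR_MECH_INFO_TYPE) &&
	    (mechanism->cm_type != AES_CCM_MECH_INFO_TYPE) &&
	    ((ciphertext->cd_length & (AES_BLOCK_LEN - 1)) != 0))
		return (CRYPTO_DATA_LEN_RANGE);

	/*
	 * return length needed to store the output, length requirement
	 * for AES CCM mode can not be determined until later
	 */
	if ((plaintext->cd_length < ciphertext->cd_length) &&
	    (mechanism->cm_type != AES_CCM_MECH_INFO_TYPE)) {
		plaintext->cd_length = ciphertext->cd_length;
		return (CRYPTO_BUFFER_TOO_SMALL);
	}

	if ((ret = aes_check_mech_param(mechanism)) != CRYPTO_SUCCESS)
		return (ret);

	bzero(&aes_ctx, sizeof (aes_ctx_t));

	ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key,
	    crypto_kmflag(req), B_FALSE);
	if (ret != CRYPTO_SUCCESS)
		return (ret);

	/* check length requirement for AES CCM mode now */
	if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) {
		if (plaintext->cd_length < aes_ctx.ac_ccm_data_len) {
			plaintext->cd_length = aes_ctx.ac_ccm_data_len;
			ret = CRYPTO_BUFFER_TOO_SMALL;
			goto out;
		}
	}

	saved_offset = plaintext->cd_offset;
	saved_length = plaintext->cd_length;

	/*
	 * Do an update on the specified input data.
	 */
	switch (ciphertext->cd_format) {
	case CRYPTO_DATA_RAW:
		ret = aes_cipher_update_iov(&aes_ctx, ciphertext, plaintext,
		    aes_decrypt_contiguous_blocks);
		break;
	case CRYPTO_DATA_UIO:
		ret = aes_cipher_update_uio(&aes_ctx, ciphertext, plaintext,
		    aes_decrypt_contiguous_blocks);
		break;
	case CRYPTO_DATA_MBLK:
		ret = aes_cipher_update_mp(&aes_ctx, ciphertext, plaintext,
		    aes_decrypt_contiguous_blocks);
		break;
	default:
		ret = CRYPTO_ARGUMENTS_BAD;
	}

	if (ret == CRYPTO_SUCCESS) {
		if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) {
			ASSERT(aes_ctx.ac_ccm_processed_data_len
			    == aes_ctx.ac_ccm_data_len);
			ASSERT(aes_ctx.ac_ccm_processed_mac_len
			    == aes_ctx.ac_ccm_mac_len);
			ret = aes_ccm_decrypt_final(&aes_ctx, plaintext);
			ASSERT(aes_ctx.ac_remainder_len == 0);
			if ((ret == CRYPTO_SUCCESS) &&
			    (ciphertext != plaintext)) {
				plaintext->cd_length =
				    plaintext->cd_offset - saved_offset;
			} else {
				plaintext->cd_length = saved_length;
			}
		} else if (mechanism->cm_type != AES_CTR_MECH_INFO_TYPE) {
			ASSERT(aes_ctx.ac_remainder_len == 0);
			if (ciphertext != plaintext)
				plaintext->cd_length =
				    plaintext->cd_offset - saved_offset;
		} else {
			/* counter mode: flush the buffered remainder */
			if (aes_ctx.ac_remainder_len > 0) {
				ret = aes_counter_final(&aes_ctx, plaintext);
				if (ret != CRYPTO_SUCCESS)
					goto out;
			}
			if (ciphertext != plaintext)
				plaintext->cd_length =
				    plaintext->cd_offset - saved_offset;
		}
	} else {
		plaintext->cd_length = saved_length;
	}
	plaintext->cd_offset = saved_offset;

out:
	/* Scrub and release the key schedule if it was allocated here. */
	if (aes_ctx.ac_flags & AES_PROVIDER_OWNS_KEY_SCHEDULE) {
		bzero(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
		kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
	}

	if (aes_ctx.ac_ccm_pt_buf != NULL) {
		/*
		 * Scrub the CCM staging buffer before it goes back to the
		 * allocator, as is done for the key schedule. It
		 * presumably holds decrypted data, which on a failed
		 * final step has not been authenticated.
		 */
		bzero(aes_ctx.ac_ccm_pt_buf, aes_ctx.ac_ccm_data_len);
		kmem_free(aes_ctx.ac_ccm_pt_buf, aes_ctx.ac_ccm_data_len);
	}

	return (ret);
}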
12810Sstevel@tonic-gate 
12820Sstevel@tonic-gate /*
12830Sstevel@tonic-gate  * KCF software provider context template entry points.
12840Sstevel@tonic-gate  */
/*
 * Build a context template for the given mechanism and key: a key
 * schedule that has already been initialized from "key".
 *
 * On success *tmpl points at the key schedule and *tmpl_size is its size.
 * Returns CRYPTO_MECHANISM_INVALID for a mechanism other than ECB, CBC,
 * CTR or CCM, CRYPTO_HOST_MEMORY when the key schedule cannot be
 * allocated, or the error from init_keysched().
 */
/* ARGSUSED */
static int
aes_create_ctx_template(crypto_provider_handle_t provider,
    crypto_mechanism_t *mechanism, crypto_key_t *key,
    crypto_spi_ctx_template_t *tmpl, size_t *tmpl_size, crypto_req_handle_t req)
{

/* EXPORT DELETE START */

	void *ks;
	size_t ks_size;
	int status;

	if (!(mechanism->cm_type == AES_ECB_MECH_INFO_TYPE ||
	    mechanism->cm_type == AES_CBC_MECH_INFO_TYPE ||
	    mechanism->cm_type == AES_CTR_MECH_INFO_TYPE ||
	    mechanism->cm_type == AES_CCM_MECH_INFO_TYPE))
		return (CRYPTO_MECHANISM_INVALID);

	ks = aes_alloc_keysched(&ks_size, crypto_kmflag(req));
	if (ks == NULL) {
		return (CRYPTO_HOST_MEMORY);
	}

	/*
	 * Initialize key schedule.  Key length information is stored
	 * in the key.
	 */
	status = init_keysched(key, ks);
	if (status != CRYPTO_SUCCESS) {
		/* scrub before release: it may hold partial key material */
		bzero(ks, ks_size);
		kmem_free(ks, ks_size);
		return (status);
	}

	*tmpl = ks;
	*tmpl_size = ks_size;

/* EXPORT DELETE END */

	return (CRYPTO_SUCCESS);
}
13260Sstevel@tonic-gate 
/*
 * Release the provider-private AES context hanging off "ctx", if any.
 *
 * A key schedule owned by this provider is zeroed before it is freed.
 * The context itself is then freed and cc_provider_private cleared, so a
 * second call is a no-op. Always returns CRYPTO_SUCCESS.
 *
 * NOTE(review): ac_ccm_pt_buf is not released here; the callers in this
 * file free it themselves before calling this function. The context
 * structure is freed without being zeroed; confirm whether it can hold
 * data worth scrubbing.
 */
/* ARGSUSED */
static int
aes_free_context(crypto_ctx_t *ctx)
{

/* EXPORT DELETE START */

	aes_ctx_t *priv = ctx->cc_provider_private;

	if (priv == NULL)
		return (CRYPTO_SUCCESS);

	if (priv->ac_flags & AES_PROVIDER_OWNS_KEY_SCHEDULE) {
		ASSERT(priv->ac_keysched_len != 0);
		bzero(priv->ac_keysched, priv->ac_keysched_len);
		kmem_free(priv->ac_keysched, priv->ac_keysched_len);
	}

	kmem_free(priv, sizeof (aes_ctx_t));
	ctx->cc_provider_private = NULL;

/* EXPORT DELETE END */

	return (CRYPTO_SUCCESS);
}
13510Sstevel@tonic-gate 
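/*
 * Set up an AES context for the requested mechanism.
 *
 * Resets ac_flags, records the mode selected by mechanism->cm_type (CBC, CTR,
 * CCM; any other type is treated as ECB), copies the IV or counter block into
 * ac_iv, and attaches a key schedule: the caller's template when one is
 * supplied, otherwise a newly allocated schedule expanded from key and marked
 * AES_PROVIDER_OWNS_KEY_SCHEDULE. For CCM the nonce and associated data are
 * then processed and, for decryption, a plaintext buffer is allocated.
 *
 * Returns CRYPTO_SUCCESS, CRYPTO_MECHANISM_PARAM_INVALID, CRYPTO_HOST_MEMORY,
 * or the error reported by aes_ccm_validate_args() or init_keysched().
 *
 * On failure, a key schedule allocated here is zeroed and freed and the
 * context no longer references it; a caller-supplied template is never
 * zeroed or freed by this function.
 */
/* ARGSUSED */
static int
aes_common_init_ctx(aes_ctx_t *aes_ctx, crypto_spi_ctx_template_t *template,
    crypto_mechanism_t *mechanism, crypto_key_t *key, int kmflag,
    boolean_t is_encrypt_init)
{
	int rv = CRYPTO_SUCCESS;

/* EXPORT DELETE START */

	void *keysched;
	size_t size = 0;
	CK_AES_CCM_PARAMS *ccm_param = NULL;

	aes_ctx->ac_flags = 0;

	if (mechanism->cm_type == AES_CBC_MECH_INFO_TYPE) {
		/*
		 * Copy 128-bit IV into context.
		 *
		 * If cm_param == NULL then the IV comes from the
		 * cd_miscdata field in the crypto_data structure.
		 */
		if (mechanism->cm_param != NULL) {
			/*
			 * NOTE(review): ASSERT only fires on DEBUG kernels;
			 * the AES_BLOCK_LEN bytes read below rely on the
			 * caller having validated cm_param_len - confirm.
			 */
			ASSERT(mechanism->cm_param_len == AES_BLOCK_LEN);
			/* Byte copy, so cm_param alignment is irrelevant. */
			bcopy(mechanism->cm_param, &aes_ctx->ac_iv,
			    AES_BLOCK_LEN);
		}

		aes_ctx->ac_lastp = (uint8_t *)&aes_ctx->ac_iv[0];
		aes_ctx->ac_flags |= AES_CBC_MODE;

	} else if (mechanism->cm_type == AES_CTR_MECH_INFO_TYPE) {
		CK_AES_CTR_PARAMS *pp;
		uint64_t mask = 0;
		ulong_t count;
		uint8_t *p8;

		/* CTR mode cannot run without a counter block. */
		if (mechanism->cm_param == NULL)
			return (CRYPTO_MECHANISM_PARAM_INVALID);

		/* XXX what to do about miscdata */
		/*
		 * NOTE(review): cm_param_len is not compared with the size
		 * of CK_AES_CTR_PARAMS here; presumably the caller does so.
		 */
		pp = (CK_AES_CTR_PARAMS *)mechanism->cm_param;
		count = pp->ulCounterBits;
		if (count == 0 || count > 64) {
			return (CRYPTO_MECHANISM_PARAM_INVALID);
		}

		/* Mask with the low ulCounterBits bits set. */
		while (count-- > 0)
			mask |= (1ULL << count);
#ifdef _LITTLE_ENDIAN
		/* Store the mask byte-reversed on little-endian hosts. */
		p8 = (uint8_t *)&mask;
		mask = (((uint64_t)p8[0] << 56) |
		    ((uint64_t)p8[1] << 48) |
		    ((uint64_t)p8[2] << 40) |
		    ((uint64_t)p8[3] << 32) |
		    ((uint64_t)p8[4] << 24) |
		    ((uint64_t)p8[5] << 16) |
		    ((uint64_t)p8[6] << 8) |
		    (uint64_t)p8[7]);
#endif
		aes_ctx->ac_counter_mask = mask;

		/* Initial 16-byte counter block. */
		bcopy(&pp->cb[0], &aes_ctx->ac_iv, AES_BLOCK_LEN);

		aes_ctx->ac_lastp = (uint8_t *)&aes_ctx->ac_iv[0];
		aes_ctx->ac_flags |= AES_CTR_MODE;
	} else if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) {
		int rc;

		/* CCM needs its parameter block (nonce, sizes, AAD). */
		if (mechanism->cm_param == NULL)
			return (CRYPTO_MECHANISM_PARAM_INVALID);

		ccm_param = (CK_AES_CCM_PARAMS *)mechanism->cm_param;

		if ((rc = aes_ccm_validate_args(ccm_param,
		    is_encrypt_init)) != 0) {
			return (rc);
		}

		aes_ctx->ac_ccm_mac_len = ccm_param->ulMACSize;
		if (is_encrypt_init) {
			aes_ctx->ac_ccm_data_len = ccm_param->ulDataSize;
		} else {
			/*
			 * For decryption ulDataSize includes the MAC.
			 * NOTE(review): this subtraction wraps if ulDataSize
			 * is smaller than the MAC length; confirm that
			 * aes_ccm_validate_args() rejects that case, since
			 * the result sizes the plaintext buffer below.
			 */
			aes_ctx->ac_ccm_data_len =
			    ccm_param->ulDataSize - aes_ctx->ac_ccm_mac_len;
			aes_ctx->ac_ccm_processed_mac_len = 0;
		}
		aes_ctx->ac_ccm_processed_data_len = 0;

		aes_ctx->ac_flags |= AES_CCM_MODE;
	} else {
		aes_ctx->ac_flags |= AES_ECB_MODE;
	}

	if (template == NULL) {
		if ((keysched = aes_alloc_keysched(&size, kmflag)) == NULL)
			return (CRYPTO_HOST_MEMORY);
		/*
		 * Initialize key schedule.
		 * Key length is stored in the key.
		 */
		if ((rv = init_keysched(key, keysched)) != CRYPTO_SUCCESS) {
			/* May hold partially expanded key material. */
			bzero(keysched, size);
			kmem_free(keysched, size);
			return (rv);
		}

		aes_ctx->ac_flags |= AES_PROVIDER_OWNS_KEY_SCHEDULE;
		aes_ctx->ac_keysched_len = size;
	} else {
		keysched = template;
	}
	aes_ctx->ac_keysched = keysched;

	/* process the nonce and associated data if it is AES CCM mode */
	if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) {
		if (aes_ccm_init(aes_ctx, ccm_param->nonce,
		    ccm_param->ulNonceSize, ccm_param->authData,
		    ccm_param->ulAuthDataSize) != 0) {
			rv = CRYPTO_MECHANISM_PARAM_INVALID;
		} else if (!is_encrypt_init) {
			/* allocate buffer for storing decrypted plaintext */
			aes_ctx->ac_ccm_pt_buf =
			    kmem_alloc(aes_ctx->ac_ccm_data_len, kmflag);
			if (aes_ctx->ac_ccm_pt_buf == NULL)
				rv = CRYPTO_HOST_MEMORY;
		}
	}

	if (rv != CRYPTO_SUCCESS) {
		/*
		 * Only a key schedule allocated above may be wiped and
		 * freed. A template belongs to the caller, and size is
		 * meaningful only for our own allocation.
		 */
		if (aes_ctx->ac_flags & AES_PROVIDER_OWNS_KEY_SCHEDULE) {
			bzero(keysched, size);
			kmem_free(keysched, size);
			/* Keep a later aes_free_context() from freeing it. */
			aes_ctx->ac_flags &= ~AES_PROVIDER_OWNS_KEY_SCHEDULE;
			aes_ctx->ac_keysched_len = 0;
		}
		aes_ctx->ac_keysched = NULL;
	}

/* EXPORT DELETE END */

	return (rv);
}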