10Sstevel@tonic-gate /* 20Sstevel@tonic-gate * CDDL HEADER START 30Sstevel@tonic-gate * 40Sstevel@tonic-gate * The contents of this file are subject to the terms of the 52530Spwernau * Common Development and Distribution License (the "License"). 62530Spwernau * You may not use this file except in compliance with the License. 70Sstevel@tonic-gate * 80Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 90Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 100Sstevel@tonic-gate * See the License for the specific language governing permissions 110Sstevel@tonic-gate * and limitations under the License. 120Sstevel@tonic-gate * 130Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 140Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 150Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 160Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 170Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 180Sstevel@tonic-gate * 190Sstevel@tonic-gate * CDDL HEADER END 200Sstevel@tonic-gate */ 210Sstevel@tonic-gate /* 224486Sktung * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 230Sstevel@tonic-gate * Use is subject to license terms. 240Sstevel@tonic-gate */ 250Sstevel@tonic-gate 260Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" 270Sstevel@tonic-gate 280Sstevel@tonic-gate /* 290Sstevel@tonic-gate * AES provider for the Kernel Cryptographic Framework (KCF) 300Sstevel@tonic-gate */ 310Sstevel@tonic-gate 320Sstevel@tonic-gate #include <sys/types.h> 330Sstevel@tonic-gate #include <sys/systm.h> 340Sstevel@tonic-gate #include <sys/modctl.h> 350Sstevel@tonic-gate #include <sys/cmn_err.h> 360Sstevel@tonic-gate #include <sys/ddi.h> 370Sstevel@tonic-gate #include <sys/crypto/common.h> 380Sstevel@tonic-gate #include <sys/crypto/spi.h> 390Sstevel@tonic-gate #include <sys/sysmacros.h> 400Sstevel@tonic-gate #include <sys/strsun.h> 410Sstevel@tonic-gate #include <aes_impl.h> 420Sstevel@tonic-gate #include <aes_cbc_crypt.h> 430Sstevel@tonic-gate 440Sstevel@tonic-gate extern struct mod_ops mod_cryptoops; 450Sstevel@tonic-gate 460Sstevel@tonic-gate /* 470Sstevel@tonic-gate * Module linkage information for the kernel. 480Sstevel@tonic-gate */ 490Sstevel@tonic-gate static struct modlcrypto modlcrypto = { 500Sstevel@tonic-gate &mod_cryptoops, 510Sstevel@tonic-gate "AES Kernel SW Provider %I%" 520Sstevel@tonic-gate }; 530Sstevel@tonic-gate 540Sstevel@tonic-gate static struct modlinkage modlinkage = { 550Sstevel@tonic-gate MODREV_1, 560Sstevel@tonic-gate (void *)&modlcrypto, 570Sstevel@tonic-gate NULL 580Sstevel@tonic-gate }; 590Sstevel@tonic-gate 600Sstevel@tonic-gate /* 610Sstevel@tonic-gate * CSPI information (entry points, provider info, etc.) 620Sstevel@tonic-gate */ 630Sstevel@tonic-gate typedef enum aes_mech_type { 640Sstevel@tonic-gate AES_ECB_MECH_INFO_TYPE, /* SUN_CKM_AES_ECB */ 650Sstevel@tonic-gate AES_CBC_MECH_INFO_TYPE, /* SUN_CKM_AES_CBC */ 66904Smcpowers AES_CBC_PAD_MECH_INFO_TYPE, /* SUN_CKM_AES_CBC_PAD */ 674486Sktung AES_CTR_MECH_INFO_TYPE, /* SUN_CKM_AES_CTR */ 684486Sktung AES_CCM_MECH_INFO_TYPE /* SUN_CKM_AES_CCM */ 690Sstevel@tonic-gate } aes_mech_type_t; 700Sstevel@tonic-gate 710Sstevel@tonic-gate /* 720Sstevel@tonic-gate * The following definitions are to keep EXPORT_SRC happy. 730Sstevel@tonic-gate */ 742530Spwernau #ifndef AES_MIN_KEY_BYTES 752530Spwernau #define AES_MIN_KEY_BYTES 0 760Sstevel@tonic-gate #endif 770Sstevel@tonic-gate 782530Spwernau #ifndef AES_MAX_KEY_BYTES 792530Spwernau #define AES_MAX_KEY_BYTES 0 800Sstevel@tonic-gate #endif 810Sstevel@tonic-gate 820Sstevel@tonic-gate /* 830Sstevel@tonic-gate * Mechanism info structure passed to KCF during registration. 840Sstevel@tonic-gate */ 850Sstevel@tonic-gate static crypto_mech_info_t aes_mech_info_tab[] = { 860Sstevel@tonic-gate /* AES_ECB */ 870Sstevel@tonic-gate {SUN_CKM_AES_ECB, AES_ECB_MECH_INFO_TYPE, 880Sstevel@tonic-gate CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 890Sstevel@tonic-gate CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC, 902530Spwernau AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES}, 910Sstevel@tonic-gate /* AES_CBC */ 920Sstevel@tonic-gate {SUN_CKM_AES_CBC, AES_CBC_MECH_INFO_TYPE, 930Sstevel@tonic-gate CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 940Sstevel@tonic-gate CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC, 952530Spwernau AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES}, 96904Smcpowers /* AES_CTR */ 97904Smcpowers {SUN_CKM_AES_CTR, AES_CTR_MECH_INFO_TYPE, 98904Smcpowers CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 99904Smcpowers CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC, 1004486Sktung AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES}, 1014486Sktung /* AES_CCM */ 1024486Sktung {SUN_CKM_AES_CCM, AES_CCM_MECH_INFO_TYPE, 1034486Sktung CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 1044486Sktung CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC, 1052530Spwernau AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES} 1060Sstevel@tonic-gate }; 1070Sstevel@tonic-gate 1080Sstevel@tonic-gate /* operations are in-place if the output buffer is NULL */ 1090Sstevel@tonic-gate #define AES_ARG_INPLACE(input, output) \ 1100Sstevel@tonic-gate if ((output) == NULL) \ 1110Sstevel@tonic-gate (output) = (input); 1120Sstevel@tonic-gate 1130Sstevel@tonic-gate static void aes_provider_status(crypto_provider_handle_t, uint_t *); 1140Sstevel@tonic-gate 1150Sstevel@tonic-gate static crypto_control_ops_t aes_control_ops = { 1160Sstevel@tonic-gate aes_provider_status 1170Sstevel@tonic-gate }; 1180Sstevel@tonic-gate 1194486Sktung static int aes_encrypt_init(crypto_ctx_t *, crypto_mechanism_t *, 1204486Sktung crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 1214486Sktung static int aes_decrypt_init(crypto_ctx_t *, crypto_mechanism_t *, 1220Sstevel@tonic-gate crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 1234486Sktung static int aes_common_init(crypto_ctx_t *, crypto_mechanism_t *, 1244486Sktung crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t, boolean_t); 1250Sstevel@tonic-gate static int aes_common_init_ctx(aes_ctx_t *, crypto_spi_ctx_template_t *, 1264486Sktung crypto_mechanism_t *, crypto_key_t *, int, boolean_t); 1270Sstevel@tonic-gate static int aes_encrypt_final(crypto_ctx_t *, crypto_data_t *, 1280Sstevel@tonic-gate crypto_req_handle_t); 1290Sstevel@tonic-gate static int aes_decrypt_final(crypto_ctx_t *, crypto_data_t *, 1300Sstevel@tonic-gate crypto_req_handle_t); 1310Sstevel@tonic-gate 1320Sstevel@tonic-gate static int aes_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 1330Sstevel@tonic-gate crypto_req_handle_t); 1340Sstevel@tonic-gate static int aes_encrypt_update(crypto_ctx_t *, crypto_data_t *, 1350Sstevel@tonic-gate crypto_data_t *, crypto_req_handle_t); 1360Sstevel@tonic-gate static int aes_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t, 1370Sstevel@tonic-gate crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 1380Sstevel@tonic-gate crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 1390Sstevel@tonic-gate 1400Sstevel@tonic-gate static int aes_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *, 1410Sstevel@tonic-gate crypto_req_handle_t); 1420Sstevel@tonic-gate static int aes_decrypt_update(crypto_ctx_t *, crypto_data_t *, 1430Sstevel@tonic-gate crypto_data_t *, crypto_req_handle_t); 1440Sstevel@tonic-gate static int aes_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t, 1450Sstevel@tonic-gate crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 1460Sstevel@tonic-gate crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t); 1470Sstevel@tonic-gate 1480Sstevel@tonic-gate static crypto_cipher_ops_t aes_cipher_ops = { 1494486Sktung aes_encrypt_init, 1500Sstevel@tonic-gate aes_encrypt, 1510Sstevel@tonic-gate aes_encrypt_update, 1520Sstevel@tonic-gate aes_encrypt_final, 1530Sstevel@tonic-gate aes_encrypt_atomic, 1544486Sktung aes_decrypt_init, 1550Sstevel@tonic-gate aes_decrypt, 1560Sstevel@tonic-gate aes_decrypt_update, 1570Sstevel@tonic-gate aes_decrypt_final, 1580Sstevel@tonic-gate aes_decrypt_atomic 1590Sstevel@tonic-gate }; 1600Sstevel@tonic-gate 1610Sstevel@tonic-gate static int aes_create_ctx_template(crypto_provider_handle_t, 1620Sstevel@tonic-gate crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *, 1630Sstevel@tonic-gate size_t *, crypto_req_handle_t); 1640Sstevel@tonic-gate static int aes_free_context(crypto_ctx_t *); 1650Sstevel@tonic-gate 1660Sstevel@tonic-gate static crypto_ctx_ops_t aes_ctx_ops = { 1670Sstevel@tonic-gate aes_create_ctx_template, 1680Sstevel@tonic-gate aes_free_context 1690Sstevel@tonic-gate }; 1700Sstevel@tonic-gate 1710Sstevel@tonic-gate static crypto_ops_t aes_crypto_ops = { 1720Sstevel@tonic-gate &aes_control_ops, 1730Sstevel@tonic-gate NULL, 1740Sstevel@tonic-gate &aes_cipher_ops, 1750Sstevel@tonic-gate NULL, 1760Sstevel@tonic-gate NULL, 1770Sstevel@tonic-gate NULL, 1780Sstevel@tonic-gate NULL, 1790Sstevel@tonic-gate NULL, 1800Sstevel@tonic-gate NULL, 1810Sstevel@tonic-gate NULL, 1820Sstevel@tonic-gate NULL, 1830Sstevel@tonic-gate NULL, 1840Sstevel@tonic-gate NULL, 1850Sstevel@tonic-gate &aes_ctx_ops 1860Sstevel@tonic-gate }; 1870Sstevel@tonic-gate 1880Sstevel@tonic-gate static crypto_provider_info_t aes_prov_info = { 1890Sstevel@tonic-gate CRYPTO_SPI_VERSION_1, 1900Sstevel@tonic-gate "AES Software Provider", 1910Sstevel@tonic-gate CRYPTO_SW_PROVIDER, 1920Sstevel@tonic-gate {&modlinkage}, 1930Sstevel@tonic-gate NULL, 1940Sstevel@tonic-gate &aes_crypto_ops, 1950Sstevel@tonic-gate sizeof (aes_mech_info_tab)/sizeof (crypto_mech_info_t), 1960Sstevel@tonic-gate aes_mech_info_tab 1970Sstevel@tonic-gate }; 1980Sstevel@tonic-gate 1990Sstevel@tonic-gate static crypto_kcf_provider_handle_t aes_prov_handle = NULL; 2000Sstevel@tonic-gate 2010Sstevel@tonic-gate int 2020Sstevel@tonic-gate _init(void) 2030Sstevel@tonic-gate { 2040Sstevel@tonic-gate int ret; 2050Sstevel@tonic-gate 2060Sstevel@tonic-gate /* 2070Sstevel@tonic-gate * Register with KCF. If the registration fails, return error. 2080Sstevel@tonic-gate */ 2090Sstevel@tonic-gate if ((ret = crypto_register_provider(&aes_prov_info, 2100Sstevel@tonic-gate &aes_prov_handle)) != CRYPTO_SUCCESS) { 2110Sstevel@tonic-gate cmn_err(CE_WARN, "%s _init: crypto_register_provider()" 2120Sstevel@tonic-gate "failed (0x%x)", CRYPTO_PROVIDER_NAME, ret); 2130Sstevel@tonic-gate return (EACCES); 2140Sstevel@tonic-gate } 2150Sstevel@tonic-gate 2160Sstevel@tonic-gate if ((ret = mod_install(&modlinkage)) != 0) { 2170Sstevel@tonic-gate int rv; 2180Sstevel@tonic-gate 2190Sstevel@tonic-gate ASSERT(aes_prov_handle != NULL); 2200Sstevel@tonic-gate /* We should not return if the unregister returns busy. */ 2210Sstevel@tonic-gate while ((rv = crypto_unregister_provider(aes_prov_handle)) 2220Sstevel@tonic-gate == CRYPTO_BUSY) { 2230Sstevel@tonic-gate cmn_err(CE_WARN, 2240Sstevel@tonic-gate "%s _init: crypto_unregister_provider() " 2250Sstevel@tonic-gate "failed (0x%x). Retrying.", 2260Sstevel@tonic-gate CRYPTO_PROVIDER_NAME, rv); 2270Sstevel@tonic-gate /* wait 10 seconds and try again. */ 2280Sstevel@tonic-gate delay(10 * drv_usectohz(1000000)); 2290Sstevel@tonic-gate } 2300Sstevel@tonic-gate } 2310Sstevel@tonic-gate 2320Sstevel@tonic-gate return (ret); 2330Sstevel@tonic-gate } 2340Sstevel@tonic-gate 2350Sstevel@tonic-gate int 2360Sstevel@tonic-gate _fini(void) 2370Sstevel@tonic-gate { 2380Sstevel@tonic-gate int ret; 2390Sstevel@tonic-gate 2400Sstevel@tonic-gate /* 2410Sstevel@tonic-gate * Unregister from KCF if previous registration succeeded. 2420Sstevel@tonic-gate */ 2430Sstevel@tonic-gate if (aes_prov_handle != NULL) { 2440Sstevel@tonic-gate if ((ret = crypto_unregister_provider(aes_prov_handle)) != 2450Sstevel@tonic-gate CRYPTO_SUCCESS) { 2460Sstevel@tonic-gate cmn_err(CE_WARN, 2470Sstevel@tonic-gate "%s _fini: crypto_unregister_provider() " 2480Sstevel@tonic-gate "failed (0x%x)", CRYPTO_PROVIDER_NAME, ret); 2490Sstevel@tonic-gate return (EBUSY); 2500Sstevel@tonic-gate } 2510Sstevel@tonic-gate aes_prov_handle = NULL; 2520Sstevel@tonic-gate } 2530Sstevel@tonic-gate 2540Sstevel@tonic-gate return (mod_remove(&modlinkage)); 2550Sstevel@tonic-gate } 2560Sstevel@tonic-gate 2570Sstevel@tonic-gate int 2580Sstevel@tonic-gate _info(struct modinfo *modinfop) 2590Sstevel@tonic-gate { 2600Sstevel@tonic-gate return (mod_info(&modlinkage, modinfop)); 2610Sstevel@tonic-gate } 2620Sstevel@tonic-gate 2630Sstevel@tonic-gate 264991Smcpowers static int 265991Smcpowers aes_check_mech_param(crypto_mechanism_t *mechanism) 266991Smcpowers { 267991Smcpowers int rv = CRYPTO_SUCCESS; 268991Smcpowers 269991Smcpowers switch (mechanism->cm_type) { 270991Smcpowers case AES_ECB_MECH_INFO_TYPE: 271991Smcpowers /* no parameter */ 272991Smcpowers break; 273991Smcpowers case AES_CBC_MECH_INFO_TYPE: 2741010Smcpowers if (mechanism->cm_param != NULL && 275991Smcpowers mechanism->cm_param_len != AES_BLOCK_LEN) 276991Smcpowers rv = CRYPTO_MECHANISM_PARAM_INVALID; 277991Smcpowers break; 278991Smcpowers case AES_CTR_MECH_INFO_TYPE: 2791010Smcpowers if (mechanism->cm_param != NULL && 280991Smcpowers mechanism->cm_param_len != sizeof (CK_AES_CTR_PARAMS)) 281991Smcpowers rv = CRYPTO_MECHANISM_PARAM_INVALID; 282991Smcpowers break; 2834486Sktung case AES_CCM_MECH_INFO_TYPE: 2844486Sktung if (mechanism->cm_param != NULL && 2854486Sktung mechanism->cm_param_len != sizeof (CK_AES_CCM_PARAMS)) 2864486Sktung rv = CRYPTO_MECHANISM_PARAM_INVALID; 2874486Sktung break; 288991Smcpowers default: 289991Smcpowers rv = CRYPTO_MECHANISM_INVALID; 290991Smcpowers } 291991Smcpowers return (rv); 292991Smcpowers } 293991Smcpowers 2941010Smcpowers /* EXPORT DELETE START */ 2951010Smcpowers 2960Sstevel@tonic-gate /* 2970Sstevel@tonic-gate * Initialize key schedules for AES 2980Sstevel@tonic-gate */ 2990Sstevel@tonic-gate static int 3000Sstevel@tonic-gate init_keysched(crypto_key_t *key, void *newbie) 3010Sstevel@tonic-gate { 3020Sstevel@tonic-gate /* 3030Sstevel@tonic-gate * Only keys by value are supported by this module. 3040Sstevel@tonic-gate */ 3050Sstevel@tonic-gate switch (key->ck_format) { 3060Sstevel@tonic-gate case CRYPTO_KEY_RAW: 3070Sstevel@tonic-gate if (key->ck_length < AES_MINBITS || 3080Sstevel@tonic-gate key->ck_length > AES_MAXBITS) { 3090Sstevel@tonic-gate return (CRYPTO_KEY_SIZE_RANGE); 3100Sstevel@tonic-gate } 3110Sstevel@tonic-gate 3120Sstevel@tonic-gate /* key length must be either 128, 192, or 256 */ 3130Sstevel@tonic-gate if ((key->ck_length & 63) != 0) 3140Sstevel@tonic-gate return (CRYPTO_KEY_SIZE_RANGE); 3150Sstevel@tonic-gate break; 3160Sstevel@tonic-gate default: 3170Sstevel@tonic-gate return (CRYPTO_KEY_TYPE_INCONSISTENT); 3180Sstevel@tonic-gate } 3190Sstevel@tonic-gate 3200Sstevel@tonic-gate aes_init_keysched(key->ck_data, key->ck_length, newbie); 3210Sstevel@tonic-gate return (CRYPTO_SUCCESS); 3220Sstevel@tonic-gate } 3230Sstevel@tonic-gate 3240Sstevel@tonic-gate /* EXPORT DELETE END */ 3250Sstevel@tonic-gate 3260Sstevel@tonic-gate /* 3270Sstevel@tonic-gate * KCF software provider control entry points. 3280Sstevel@tonic-gate */ 3290Sstevel@tonic-gate /* ARGSUSED */ 3300Sstevel@tonic-gate static void 3310Sstevel@tonic-gate aes_provider_status(crypto_provider_handle_t provider, uint_t *status) 3320Sstevel@tonic-gate { 3330Sstevel@tonic-gate *status = CRYPTO_PROVIDER_READY; 3340Sstevel@tonic-gate } 3350Sstevel@tonic-gate 3364486Sktung static int 3374486Sktung aes_encrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 3384486Sktung crypto_key_t *key, crypto_spi_ctx_template_t template, 3394486Sktung crypto_req_handle_t req) { 3404486Sktung return (aes_common_init(ctx, mechanism, key, template, req, B_TRUE)); 3414486Sktung } 3424486Sktung 3434486Sktung static int 3444486Sktung aes_decrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 3454486Sktung crypto_key_t *key, crypto_spi_ctx_template_t template, 3464486Sktung crypto_req_handle_t req) { 3474486Sktung return (aes_common_init(ctx, mechanism, key, template, req, B_FALSE)); 3484486Sktung } 3494486Sktung 3504486Sktung 3514486Sktung 3520Sstevel@tonic-gate /* 3530Sstevel@tonic-gate * KCF software provider encrypt entry points. 3540Sstevel@tonic-gate */ 3550Sstevel@tonic-gate static int 3560Sstevel@tonic-gate aes_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 3570Sstevel@tonic-gate crypto_key_t *key, crypto_spi_ctx_template_t template, 3584486Sktung crypto_req_handle_t req, boolean_t is_encrypt_init) 3590Sstevel@tonic-gate { 3600Sstevel@tonic-gate 3610Sstevel@tonic-gate /* EXPORT DELETE START */ 3620Sstevel@tonic-gate 3630Sstevel@tonic-gate aes_ctx_t *aes_ctx; 3640Sstevel@tonic-gate int rv; 3650Sstevel@tonic-gate int kmflag; 3660Sstevel@tonic-gate 3670Sstevel@tonic-gate /* 3680Sstevel@tonic-gate * Only keys by value are supported by this module. 3690Sstevel@tonic-gate */ 3700Sstevel@tonic-gate if (key->ck_format != CRYPTO_KEY_RAW) { 3710Sstevel@tonic-gate return (CRYPTO_KEY_TYPE_INCONSISTENT); 3720Sstevel@tonic-gate } 3730Sstevel@tonic-gate 374991Smcpowers if ((rv = aes_check_mech_param(mechanism)) != CRYPTO_SUCCESS) 375991Smcpowers return (rv); 3760Sstevel@tonic-gate 3770Sstevel@tonic-gate /* 3780Sstevel@tonic-gate * Allocate an AES context. 3790Sstevel@tonic-gate */ 3800Sstevel@tonic-gate kmflag = crypto_kmflag(req); 3810Sstevel@tonic-gate if ((aes_ctx = kmem_zalloc(sizeof (aes_ctx_t), kmflag)) == NULL) 3820Sstevel@tonic-gate return (CRYPTO_HOST_MEMORY); 3830Sstevel@tonic-gate 3844486Sktung rv = aes_common_init_ctx(aes_ctx, template, mechanism, key, kmflag, 3854486Sktung is_encrypt_init); 3860Sstevel@tonic-gate if (rv != CRYPTO_SUCCESS) { 3870Sstevel@tonic-gate kmem_free(aes_ctx, sizeof (aes_ctx_t)); 3880Sstevel@tonic-gate return (rv); 3890Sstevel@tonic-gate } 3900Sstevel@tonic-gate 3910Sstevel@tonic-gate ctx->cc_provider_private = aes_ctx; 3920Sstevel@tonic-gate 3930Sstevel@tonic-gate /* EXPORT DELETE END */ 3940Sstevel@tonic-gate 3950Sstevel@tonic-gate return (CRYPTO_SUCCESS); 3960Sstevel@tonic-gate } 3970Sstevel@tonic-gate 3980Sstevel@tonic-gate /* 3990Sstevel@tonic-gate * Helper AES encrypt update function for iov input data. 4000Sstevel@tonic-gate */ 4010Sstevel@tonic-gate static int 4020Sstevel@tonic-gate aes_cipher_update_iov(aes_ctx_t *aes_ctx, crypto_data_t *input, 4030Sstevel@tonic-gate crypto_data_t *output, int (*cipher)(aes_ctx_t *, caddr_t, size_t, 4040Sstevel@tonic-gate crypto_data_t *)) 4050Sstevel@tonic-gate { 4060Sstevel@tonic-gate int rv; 4070Sstevel@tonic-gate /* EXPORT DELETE START */ 4080Sstevel@tonic-gate 4090Sstevel@tonic-gate if (input->cd_miscdata != NULL) { 4100Sstevel@tonic-gate if (IS_P2ALIGNED(input->cd_miscdata, sizeof (uint64_t))) { 4110Sstevel@tonic-gate /* LINTED: pointer alignment */ 4120Sstevel@tonic-gate aes_ctx->ac_iv[0] = *(uint64_t *)input->cd_miscdata; 4130Sstevel@tonic-gate /* LINTED: pointer alignment */ 4140Sstevel@tonic-gate aes_ctx->ac_iv[1] = *(uint64_t *)&input->cd_miscdata[8]; 4150Sstevel@tonic-gate } else { 4160Sstevel@tonic-gate uint8_t *miscdata8 = (uint8_t *)&input->cd_miscdata[0]; 4170Sstevel@tonic-gate uint8_t *iv8 = (uint8_t *)&aes_ctx->ac_iv[0]; 4180Sstevel@tonic-gate 4190Sstevel@tonic-gate AES_COPY_BLOCK(miscdata8, iv8); 4200Sstevel@tonic-gate } 4210Sstevel@tonic-gate } 4220Sstevel@tonic-gate 4230Sstevel@tonic-gate if (input->cd_raw.iov_len < input->cd_length) 4240Sstevel@tonic-gate return (CRYPTO_ARGUMENTS_BAD); 4250Sstevel@tonic-gate 4260Sstevel@tonic-gate rv = (cipher)(aes_ctx, input->cd_raw.iov_base + input->cd_offset, 4270Sstevel@tonic-gate input->cd_length, (input == output) ? NULL : output); 4280Sstevel@tonic-gate 4290Sstevel@tonic-gate /* EXPORT DELETE END */ 4300Sstevel@tonic-gate 4310Sstevel@tonic-gate return (rv); 4320Sstevel@tonic-gate } 4330Sstevel@tonic-gate 4340Sstevel@tonic-gate /* 4350Sstevel@tonic-gate * Helper AES encrypt update function for uio input data. 4360Sstevel@tonic-gate */ 4370Sstevel@tonic-gate static int 4380Sstevel@tonic-gate aes_cipher_update_uio(aes_ctx_t *aes_ctx, crypto_data_t *input, 4390Sstevel@tonic-gate crypto_data_t *output, int (*cipher)(aes_ctx_t *, caddr_t, size_t, 4400Sstevel@tonic-gate crypto_data_t *)) 4410Sstevel@tonic-gate { 4420Sstevel@tonic-gate /* EXPORT DELETE START */ 4430Sstevel@tonic-gate uio_t *uiop = input->cd_uio; 4440Sstevel@tonic-gate off_t offset = input->cd_offset; 4450Sstevel@tonic-gate size_t length = input->cd_length; 4460Sstevel@tonic-gate uint_t vec_idx; 4470Sstevel@tonic-gate size_t cur_len; 4480Sstevel@tonic-gate 4490Sstevel@tonic-gate if (input->cd_miscdata != NULL) { 4500Sstevel@tonic-gate if (IS_P2ALIGNED(input->cd_miscdata, sizeof (uint64_t))) { 4510Sstevel@tonic-gate /* LINTED: pointer alignment */ 4520Sstevel@tonic-gate aes_ctx->ac_iv[0] = *(uint64_t *)input->cd_miscdata; 4530Sstevel@tonic-gate /* LINTED: pointer alignment */ 4540Sstevel@tonic-gate aes_ctx->ac_iv[1] = *(uint64_t *)&input->cd_miscdata[8]; 4550Sstevel@tonic-gate } else { 4560Sstevel@tonic-gate uint8_t *miscdata8 = (uint8_t *)&input->cd_miscdata[0]; 4570Sstevel@tonic-gate uint8_t *iv8 = (uint8_t *)&aes_ctx->ac_iv[0]; 4580Sstevel@tonic-gate 4590Sstevel@tonic-gate AES_COPY_BLOCK(miscdata8, iv8); 4600Sstevel@tonic-gate } 4610Sstevel@tonic-gate } 4620Sstevel@tonic-gate 4630Sstevel@tonic-gate if (input->cd_uio->uio_segflg != UIO_SYSSPACE) { 4640Sstevel@tonic-gate return (CRYPTO_ARGUMENTS_BAD); 4650Sstevel@tonic-gate } 4660Sstevel@tonic-gate 4670Sstevel@tonic-gate /* 4680Sstevel@tonic-gate * Jump to the first iovec containing data to be 4690Sstevel@tonic-gate * processed. 4700Sstevel@tonic-gate */ 4710Sstevel@tonic-gate for (vec_idx = 0; vec_idx < uiop->uio_iovcnt && 4720Sstevel@tonic-gate offset >= uiop->uio_iov[vec_idx].iov_len; 4734486Sktung offset -= uiop->uio_iov[vec_idx++].iov_len) 4744486Sktung ; 4750Sstevel@tonic-gate if (vec_idx == uiop->uio_iovcnt) { 4760Sstevel@tonic-gate /* 4770Sstevel@tonic-gate * The caller specified an offset that is larger than the 4780Sstevel@tonic-gate * total size of the buffers it provided. 4790Sstevel@tonic-gate */ 4800Sstevel@tonic-gate return (CRYPTO_DATA_LEN_RANGE); 4810Sstevel@tonic-gate } 4820Sstevel@tonic-gate 4830Sstevel@tonic-gate /* 4840Sstevel@tonic-gate * Now process the iovecs. 4850Sstevel@tonic-gate */ 4860Sstevel@tonic-gate while (vec_idx < uiop->uio_iovcnt && length > 0) { 4870Sstevel@tonic-gate cur_len = MIN(uiop->uio_iov[vec_idx].iov_len - 4880Sstevel@tonic-gate offset, length); 4890Sstevel@tonic-gate 4900Sstevel@tonic-gate (cipher)(aes_ctx, uiop->uio_iov[vec_idx].iov_base + offset, 4910Sstevel@tonic-gate cur_len, (input == output) ? NULL : output); 4920Sstevel@tonic-gate 4930Sstevel@tonic-gate length -= cur_len; 4940Sstevel@tonic-gate vec_idx++; 4950Sstevel@tonic-gate offset = 0; 4960Sstevel@tonic-gate } 4970Sstevel@tonic-gate 4980Sstevel@tonic-gate if (vec_idx == uiop->uio_iovcnt && length > 0) { 4990Sstevel@tonic-gate /* 5000Sstevel@tonic-gate * The end of the specified iovec's was reached but 5010Sstevel@tonic-gate * the length requested could not be processed, i.e. 5020Sstevel@tonic-gate * The caller requested to digest more data than it provided. 5030Sstevel@tonic-gate */ 5040Sstevel@tonic-gate 5050Sstevel@tonic-gate return (CRYPTO_DATA_LEN_RANGE); 5060Sstevel@tonic-gate } 5070Sstevel@tonic-gate 5080Sstevel@tonic-gate /* EXPORT DELETE END */ 5090Sstevel@tonic-gate 5100Sstevel@tonic-gate return (CRYPTO_SUCCESS); 5110Sstevel@tonic-gate } 5120Sstevel@tonic-gate 5130Sstevel@tonic-gate /* 5140Sstevel@tonic-gate * Helper AES encrypt update function for mblk input data. 5150Sstevel@tonic-gate */ 5160Sstevel@tonic-gate static int 5170Sstevel@tonic-gate aes_cipher_update_mp(aes_ctx_t *aes_ctx, crypto_data_t *input, 5180Sstevel@tonic-gate crypto_data_t *output, int (*cipher)(aes_ctx_t *, caddr_t, size_t, 5190Sstevel@tonic-gate crypto_data_t *)) 5200Sstevel@tonic-gate { 5210Sstevel@tonic-gate /* EXPORT DELETE START */ 5220Sstevel@tonic-gate off_t offset = input->cd_offset; 5230Sstevel@tonic-gate size_t length = input->cd_length; 5240Sstevel@tonic-gate mblk_t *mp; 5250Sstevel@tonic-gate size_t cur_len; 5260Sstevel@tonic-gate 5270Sstevel@tonic-gate if (input->cd_miscdata != NULL) { 5280Sstevel@tonic-gate if (IS_P2ALIGNED(input->cd_miscdata, sizeof (uint64_t))) { 5290Sstevel@tonic-gate /* LINTED: pointer alignment */ 5300Sstevel@tonic-gate aes_ctx->ac_iv[0] = *(uint64_t *)input->cd_miscdata; 5310Sstevel@tonic-gate /* LINTED: pointer alignment */ 5320Sstevel@tonic-gate aes_ctx->ac_iv[1] = *(uint64_t *)&input->cd_miscdata[8]; 5330Sstevel@tonic-gate } else { 5340Sstevel@tonic-gate uint8_t *miscdata8 = (uint8_t *)&input->cd_miscdata[0]; 5350Sstevel@tonic-gate uint8_t *iv8 = (uint8_t *)&aes_ctx->ac_iv[0]; 5360Sstevel@tonic-gate 5370Sstevel@tonic-gate AES_COPY_BLOCK(miscdata8, iv8); 5380Sstevel@tonic-gate } 5390Sstevel@tonic-gate } 5400Sstevel@tonic-gate 5410Sstevel@tonic-gate /* 5420Sstevel@tonic-gate * Jump to the first mblk_t containing data to be processed. 5430Sstevel@tonic-gate */ 5440Sstevel@tonic-gate for (mp = input->cd_mp; mp != NULL && offset >= MBLKL(mp); 5454486Sktung offset -= MBLKL(mp), mp = mp->b_cont) 5464486Sktung ; 5470Sstevel@tonic-gate if (mp == NULL) { 5480Sstevel@tonic-gate /* 5490Sstevel@tonic-gate * The caller specified an offset that is larger than the 5500Sstevel@tonic-gate * total size of the buffers it provided. 5510Sstevel@tonic-gate */ 5520Sstevel@tonic-gate return (CRYPTO_DATA_LEN_RANGE); 5530Sstevel@tonic-gate } 5540Sstevel@tonic-gate 5550Sstevel@tonic-gate /* 5560Sstevel@tonic-gate * Now do the processing on the mblk chain. 5570Sstevel@tonic-gate */ 5580Sstevel@tonic-gate while (mp != NULL && length > 0) { 5590Sstevel@tonic-gate cur_len = MIN(MBLKL(mp) - offset, length); 5600Sstevel@tonic-gate (cipher)(aes_ctx, (char *)(mp->b_rptr + offset), cur_len, 5610Sstevel@tonic-gate (input == output) ? NULL : output); 5620Sstevel@tonic-gate 5630Sstevel@tonic-gate length -= cur_len; 5640Sstevel@tonic-gate offset = 0; 5650Sstevel@tonic-gate mp = mp->b_cont; 5660Sstevel@tonic-gate } 5670Sstevel@tonic-gate 5680Sstevel@tonic-gate if (mp == NULL && length > 0) { 5690Sstevel@tonic-gate /* 5700Sstevel@tonic-gate * The end of the mblk was reached but the length requested 5710Sstevel@tonic-gate * could not be processed, i.e. The caller requested 5720Sstevel@tonic-gate * to digest more data than it provided. 5730Sstevel@tonic-gate */ 5740Sstevel@tonic-gate return (CRYPTO_DATA_LEN_RANGE); 5750Sstevel@tonic-gate } 5760Sstevel@tonic-gate 5770Sstevel@tonic-gate /* EXPORT DELETE END */ 5780Sstevel@tonic-gate 5790Sstevel@tonic-gate return (CRYPTO_SUCCESS); 5800Sstevel@tonic-gate } 5810Sstevel@tonic-gate 5820Sstevel@tonic-gate /* ARGSUSED */ 5830Sstevel@tonic-gate static int 5840Sstevel@tonic-gate aes_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext, 5850Sstevel@tonic-gate crypto_data_t *ciphertext, crypto_req_handle_t req) 5860Sstevel@tonic-gate { 5870Sstevel@tonic-gate int ret = CRYPTO_FAILED; 5880Sstevel@tonic-gate 5890Sstevel@tonic-gate /* EXPORT DELETE START */ 5900Sstevel@tonic-gate 5910Sstevel@tonic-gate aes_ctx_t *aes_ctx; 5924486Sktung size_t saved_length, saved_offset, length_needed; 5930Sstevel@tonic-gate 5940Sstevel@tonic-gate ASSERT(ctx->cc_provider_private != NULL); 5950Sstevel@tonic-gate aes_ctx = ctx->cc_provider_private; 5960Sstevel@tonic-gate 597904Smcpowers /* 598904Smcpowers * For block ciphers, plaintext must be a multiple of AES block size. 599904Smcpowers * This test is only valid for ciphers whose blocksize is a power of 2. 6004486Sktung * Even though AES CCM mode is a block cipher, it does not 6014486Sktung * require the plaintext to be a multiple of AES block size. 6024486Sktung * The length requirement for AES CCM mode has already been checked 6034486Sktung * at init time 604904Smcpowers */ 605904Smcpowers if (((aes_ctx->ac_flags & AES_CTR_MODE) == 0) && 6064486Sktung ((aes_ctx->ac_flags & AES_CCM_MODE) == 0) && 607904Smcpowers (plaintext->cd_length & (AES_BLOCK_LEN - 1)) != 0) 608904Smcpowers return (CRYPTO_DATA_LEN_RANGE); 609904Smcpowers 6100Sstevel@tonic-gate AES_ARG_INPLACE(plaintext, ciphertext); 6110Sstevel@tonic-gate 6120Sstevel@tonic-gate /* 6130Sstevel@tonic-gate * We need to just return the length needed to store the output. 6140Sstevel@tonic-gate * We should not destroy the context for the following case. 6150Sstevel@tonic-gate */ 6164486Sktung if (aes_ctx->ac_flags & AES_CCM_MODE) { 6174486Sktung length_needed = plaintext->cd_length + aes_ctx->ac_ccm_mac_len; 6184486Sktung } else { 6194486Sktung length_needed = plaintext->cd_length; 6204486Sktung } 6214486Sktung 6224486Sktung if (ciphertext->cd_length < length_needed) { 6234486Sktung ciphertext->cd_length = length_needed; 6240Sstevel@tonic-gate return (CRYPTO_BUFFER_TOO_SMALL); 6250Sstevel@tonic-gate } 6260Sstevel@tonic-gate 6274486Sktung saved_length = ciphertext->cd_length; 6284486Sktung saved_offset = ciphertext->cd_offset; 6294486Sktung 6300Sstevel@tonic-gate /* 6310Sstevel@tonic-gate * Do an update on the specified input data. 6320Sstevel@tonic-gate */ 6330Sstevel@tonic-gate ret = aes_encrypt_update(ctx, plaintext, ciphertext, req); 6344486Sktung if (ret != CRYPTO_SUCCESS) { 6354486Sktung return (ret); 6364486Sktung } 6374486Sktung 6384486Sktung /* 6394486Sktung * For CCM mode, aes_ccm_encrypt_final() will take care of any 6404486Sktung * left-over unprocessed data, and compute the MAC 6414486Sktung */ 6424486Sktung if (aes_ctx->ac_flags & AES_CCM_MODE) { 6434486Sktung /* 6444486Sktung * aes_ccm_encrypt_final() will compute the MAC and append 6454486Sktung * it to existing ciphertext. So, need to adjust the left over 6464486Sktung * length value accordingly 6474486Sktung */ 6484486Sktung 6494486Sktung /* order of following 2 lines MUST not be reversed */ 6504486Sktung ciphertext->cd_offset = ciphertext->cd_length; 6514486Sktung ciphertext->cd_length = saved_length - ciphertext->cd_length; 6524486Sktung ret = aes_ccm_encrypt_final(aes_ctx, ciphertext); 6534486Sktung if (ret != CRYPTO_SUCCESS) { 6544486Sktung return (ret); 6554486Sktung } 6564486Sktung 6574486Sktung if (plaintext != ciphertext) { 6584486Sktung ciphertext->cd_length = 6594486Sktung ciphertext->cd_offset - saved_offset; 6604486Sktung } 6614486Sktung ciphertext->cd_offset = saved_offset; 6624486Sktung } 6634486Sktung 6640Sstevel@tonic-gate ASSERT(aes_ctx->ac_remainder_len == 0); 6650Sstevel@tonic-gate (void) aes_free_context(ctx); 6660Sstevel@tonic-gate 6670Sstevel@tonic-gate /* EXPORT DELETE END */ 6680Sstevel@tonic-gate 6690Sstevel@tonic-gate /* LINTED */ 6700Sstevel@tonic-gate return (ret); 6710Sstevel@tonic-gate } 6720Sstevel@tonic-gate 6730Sstevel@tonic-gate /* ARGSUSED */ 6740Sstevel@tonic-gate static int 6750Sstevel@tonic-gate aes_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext, 6760Sstevel@tonic-gate crypto_data_t *plaintext, crypto_req_handle_t req) 6770Sstevel@tonic-gate { 6780Sstevel@tonic-gate int ret = CRYPTO_FAILED; 6790Sstevel@tonic-gate 6800Sstevel@tonic-gate /* EXPORT DELETE START */ 6810Sstevel@tonic-gate 6820Sstevel@tonic-gate aes_ctx_t *aes_ctx; 6834486Sktung off_t saved_offset; 6844486Sktung size_t saved_length; 6850Sstevel@tonic-gate 6860Sstevel@tonic-gate ASSERT(ctx->cc_provider_private != NULL); 6870Sstevel@tonic-gate aes_ctx = ctx->cc_provider_private; 6880Sstevel@tonic-gate 689904Smcpowers /* 6904486Sktung * For block ciphers, plaintext must be a multiple of AES block size. 691904Smcpowers * This test is only valid for ciphers whose blocksize is a power of 2. 6924486Sktung * Even though AES CCM mode is a block cipher, it does not 6934486Sktung * require the plaintext to be a multiple of AES block size. 6944486Sktung * The length requirement for AES CCM mode has already been checked 6954486Sktung * at init time 696904Smcpowers */ 697904Smcpowers if (((aes_ctx->ac_flags & AES_CTR_MODE) == 0) && 6984486Sktung ((aes_ctx->ac_flags & AES_CCM_MODE) == 0) && 699*4558Sktung (ciphertext->cd_length & (AES_BLOCK_LEN - 1)) != 0) { 700*4558Sktung return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE); 701*4558Sktung } 702904Smcpowers 7030Sstevel@tonic-gate AES_ARG_INPLACE(ciphertext, plaintext); 7040Sstevel@tonic-gate 7050Sstevel@tonic-gate /* 7060Sstevel@tonic-gate * We need to just return the length needed to store the output. 7070Sstevel@tonic-gate * We should not destroy the context for the following case. 7084486Sktung * 7094486Sktung * For AES CCM mode, size of the plaintext will be MAC_SIZE 7104486Sktung * smaller than size of the cipher text. 7110Sstevel@tonic-gate */ 7124486Sktung if (aes_ctx->ac_flags & AES_CCM_MODE) { 7134486Sktung if (plaintext->cd_length < aes_ctx->ac_ccm_data_len) { 7144495Sktung plaintext->cd_length = aes_ctx->ac_ccm_data_len; 7154486Sktung return (CRYPTO_BUFFER_TOO_SMALL); 7164486Sktung } 7174486Sktung saved_offset = plaintext->cd_offset; 7184486Sktung saved_length = plaintext->cd_length; 7194486Sktung } else if (plaintext->cd_length < ciphertext->cd_length) { 7200Sstevel@tonic-gate plaintext->cd_length = ciphertext->cd_length; 7210Sstevel@tonic-gate return (CRYPTO_BUFFER_TOO_SMALL); 7220Sstevel@tonic-gate } 7230Sstevel@tonic-gate 7240Sstevel@tonic-gate /* 7250Sstevel@tonic-gate * Do an update on the specified input data. 7260Sstevel@tonic-gate */ 7270Sstevel@tonic-gate ret = aes_decrypt_update(ctx, ciphertext, plaintext, req); 7284486Sktung if (ret != CRYPTO_SUCCESS) { 7294486Sktung goto cleanup; 7304486Sktung } 7314486Sktung 7324486Sktung if (aes_ctx->ac_flags & AES_CCM_MODE) { 7334486Sktung ASSERT(aes_ctx->ac_ccm_processed_data_len 7344486Sktung == aes_ctx->ac_ccm_data_len); 7354486Sktung ASSERT(aes_ctx->ac_ccm_processed_mac_len 7364486Sktung == aes_ctx->ac_ccm_mac_len); 7374486Sktung 7384486Sktung /* order of following 2 lines MUST not be reversed */ 7394486Sktung plaintext->cd_offset = plaintext->cd_length; 7404486Sktung plaintext->cd_length = saved_length - plaintext->cd_length; 7414486Sktung 7424486Sktung ret = aes_ccm_decrypt_final(aes_ctx, plaintext); 7434486Sktung if (ret == CRYPTO_SUCCESS) { 7444486Sktung if (plaintext != ciphertext) { 7454486Sktung plaintext->cd_length = 7464486Sktung plaintext->cd_offset - saved_offset; 7474486Sktung } 7484486Sktung } else { 7494486Sktung plaintext->cd_length = saved_length; 7504486Sktung } 7514486Sktung 7524486Sktung plaintext->cd_offset = saved_offset; 7534486Sktung } 7544486Sktung 7550Sstevel@tonic-gate ASSERT(aes_ctx->ac_remainder_len == 0); 7564486Sktung 7574486Sktung cleanup: 7584486Sktung if (aes_ctx->ac_ccm_pt_buf) { 7594486Sktung kmem_free(aes_ctx->ac_ccm_pt_buf, aes_ctx->ac_ccm_data_len); 7604486Sktung } 7610Sstevel@tonic-gate (void) aes_free_context(ctx); 7620Sstevel@tonic-gate 7630Sstevel@tonic-gate /* EXPORT DELETE END */ 7640Sstevel@tonic-gate 7650Sstevel@tonic-gate /* LINTED */ 7660Sstevel@tonic-gate return (ret); 7670Sstevel@tonic-gate } 7680Sstevel@tonic-gate 7690Sstevel@tonic-gate /* ARGSUSED */ 7700Sstevel@tonic-gate static int 7710Sstevel@tonic-gate aes_encrypt_update(crypto_ctx_t *ctx, crypto_data_t *plaintext, 7720Sstevel@tonic-gate crypto_data_t *ciphertext, crypto_req_handle_t req) 7730Sstevel@tonic-gate { 7740Sstevel@tonic-gate off_t saved_offset; 7750Sstevel@tonic-gate size_t saved_length, out_len; 7760Sstevel@tonic-gate int ret = CRYPTO_SUCCESS; 777904Smcpowers aes_ctx_t *aes_ctx; 7780Sstevel@tonic-gate 7790Sstevel@tonic-gate ASSERT(ctx->cc_provider_private != NULL); 7800Sstevel@tonic-gate 7810Sstevel@tonic-gate AES_ARG_INPLACE(plaintext, ciphertext); 7820Sstevel@tonic-gate 7830Sstevel@tonic-gate /* compute number of bytes that will hold the ciphertext */ 7840Sstevel@tonic-gate out_len = ((aes_ctx_t *)ctx->cc_provider_private)->ac_remainder_len; 7850Sstevel@tonic-gate out_len += plaintext->cd_length; 7860Sstevel@tonic-gate out_len &= ~(AES_BLOCK_LEN - 1); 7870Sstevel@tonic-gate 7880Sstevel@tonic-gate /* return length needed to store the output */ 7890Sstevel@tonic-gate if (ciphertext->cd_length < out_len) { 7900Sstevel@tonic-gate ciphertext->cd_length = out_len; 7910Sstevel@tonic-gate return (CRYPTO_BUFFER_TOO_SMALL); 7920Sstevel@tonic-gate } 7930Sstevel@tonic-gate 7940Sstevel@tonic-gate saved_offset = ciphertext->cd_offset; 7950Sstevel@tonic-gate saved_length = ciphertext->cd_length; 7960Sstevel@tonic-gate 7974486Sktung 7980Sstevel@tonic-gate /* 7990Sstevel@tonic-gate * Do the AES update on the specified input data. 8000Sstevel@tonic-gate */ 8010Sstevel@tonic-gate switch (plaintext->cd_format) { 8020Sstevel@tonic-gate case CRYPTO_DATA_RAW: 8030Sstevel@tonic-gate ret = aes_cipher_update_iov(ctx->cc_provider_private, 8040Sstevel@tonic-gate plaintext, ciphertext, aes_encrypt_contiguous_blocks); 8050Sstevel@tonic-gate break; 8060Sstevel@tonic-gate case CRYPTO_DATA_UIO: 8070Sstevel@tonic-gate ret = aes_cipher_update_uio(ctx->cc_provider_private, 8080Sstevel@tonic-gate plaintext, ciphertext, aes_encrypt_contiguous_blocks); 8090Sstevel@tonic-gate break; 8100Sstevel@tonic-gate case CRYPTO_DATA_MBLK: 8110Sstevel@tonic-gate ret = aes_cipher_update_mp(ctx->cc_provider_private, 8120Sstevel@tonic-gate plaintext, ciphertext, aes_encrypt_contiguous_blocks); 8130Sstevel@tonic-gate break; 8140Sstevel@tonic-gate default: 8150Sstevel@tonic-gate ret = CRYPTO_ARGUMENTS_BAD; 8160Sstevel@tonic-gate } 8170Sstevel@tonic-gate 818904Smcpowers /* 819904Smcpowers * Since AES counter mode is a stream cipher, we call 820904Smcpowers * aes_counter_final() to pick up any remaining bytes. 821904Smcpowers * It is an internal function that does not destroy 822904Smcpowers * the context like *normal* final routines. 823904Smcpowers */ 824904Smcpowers aes_ctx = ctx->cc_provider_private; 825904Smcpowers if ((aes_ctx->ac_flags & AES_CTR_MODE) && 826904Smcpowers (aes_ctx->ac_remainder_len > 0)) { 827904Smcpowers ret = aes_counter_final(aes_ctx, ciphertext); 828904Smcpowers } 829904Smcpowers 8300Sstevel@tonic-gate if (ret == CRYPTO_SUCCESS) { 8310Sstevel@tonic-gate if (plaintext != ciphertext) 8320Sstevel@tonic-gate ciphertext->cd_length = 8330Sstevel@tonic-gate ciphertext->cd_offset - saved_offset; 8340Sstevel@tonic-gate } else { 8350Sstevel@tonic-gate ciphertext->cd_length = saved_length; 8360Sstevel@tonic-gate } 8370Sstevel@tonic-gate ciphertext->cd_offset = saved_offset; 8380Sstevel@tonic-gate 8390Sstevel@tonic-gate return (ret); 8400Sstevel@tonic-gate } 8410Sstevel@tonic-gate 8420Sstevel@tonic-gate /* ARGSUSED */ 8430Sstevel@tonic-gate static int 8440Sstevel@tonic-gate aes_decrypt_update(crypto_ctx_t *ctx, crypto_data_t *ciphertext, 8450Sstevel@tonic-gate crypto_data_t *plaintext, crypto_req_handle_t req) 8460Sstevel@tonic-gate { 8470Sstevel@tonic-gate off_t saved_offset; 8480Sstevel@tonic-gate size_t saved_length, out_len; 8490Sstevel@tonic-gate int ret = CRYPTO_SUCCESS; 850904Smcpowers aes_ctx_t *aes_ctx; 8510Sstevel@tonic-gate 8520Sstevel@tonic-gate ASSERT(ctx->cc_provider_private != NULL); 8530Sstevel@tonic-gate 8540Sstevel@tonic-gate AES_ARG_INPLACE(ciphertext, plaintext); 8550Sstevel@tonic-gate 8560Sstevel@tonic-gate /* compute number of bytes that will hold the plaintext */ 8570Sstevel@tonic-gate out_len = ((aes_ctx_t *)ctx->cc_provider_private)->ac_remainder_len; 8580Sstevel@tonic-gate out_len += ciphertext->cd_length; 8590Sstevel@tonic-gate out_len &= ~(AES_BLOCK_LEN - 1); 8600Sstevel@tonic-gate 8610Sstevel@tonic-gate /* return length needed to store the output */ 8620Sstevel@tonic-gate if (plaintext->cd_length < out_len) { 8630Sstevel@tonic-gate plaintext->cd_length = out_len; 8640Sstevel@tonic-gate return (CRYPTO_BUFFER_TOO_SMALL); 8650Sstevel@tonic-gate } 8660Sstevel@tonic-gate 8670Sstevel@tonic-gate saved_offset = plaintext->cd_offset; 8680Sstevel@tonic-gate saved_length = plaintext->cd_length; 8690Sstevel@tonic-gate 8700Sstevel@tonic-gate /* 8710Sstevel@tonic-gate * Do the AES update on the specified input data. 8720Sstevel@tonic-gate */ 8730Sstevel@tonic-gate switch (ciphertext->cd_format) { 8740Sstevel@tonic-gate case CRYPTO_DATA_RAW: 8750Sstevel@tonic-gate ret = aes_cipher_update_iov(ctx->cc_provider_private, 8760Sstevel@tonic-gate ciphertext, plaintext, aes_decrypt_contiguous_blocks); 8770Sstevel@tonic-gate break; 8780Sstevel@tonic-gate case CRYPTO_DATA_UIO: 8790Sstevel@tonic-gate ret = aes_cipher_update_uio(ctx->cc_provider_private, 8800Sstevel@tonic-gate ciphertext, plaintext, aes_decrypt_contiguous_blocks); 8810Sstevel@tonic-gate break; 8820Sstevel@tonic-gate case CRYPTO_DATA_MBLK: 8830Sstevel@tonic-gate ret = aes_cipher_update_mp(ctx->cc_provider_private, 8840Sstevel@tonic-gate ciphertext, plaintext, aes_decrypt_contiguous_blocks); 8850Sstevel@tonic-gate break; 8860Sstevel@tonic-gate default: 8870Sstevel@tonic-gate ret = CRYPTO_ARGUMENTS_BAD; 8880Sstevel@tonic-gate } 8890Sstevel@tonic-gate 890904Smcpowers /* 891904Smcpowers * Since AES counter mode is a stream cipher, we call 892904Smcpowers * aes_counter_final() to pick up any remaining bytes. 893904Smcpowers * It is an internal function that does not destroy 894904Smcpowers * the context like *normal* final routines. 895904Smcpowers */ 896904Smcpowers aes_ctx = ctx->cc_provider_private; 897904Smcpowers if ((aes_ctx->ac_flags & AES_CTR_MODE) && 898904Smcpowers (aes_ctx->ac_remainder_len > 0)) { 899904Smcpowers ret = aes_counter_final(aes_ctx, plaintext); 900904Smcpowers } 901904Smcpowers 9020Sstevel@tonic-gate if (ret == CRYPTO_SUCCESS) { 9030Sstevel@tonic-gate if (ciphertext != plaintext) 9040Sstevel@tonic-gate plaintext->cd_length = 9050Sstevel@tonic-gate plaintext->cd_offset - saved_offset; 9060Sstevel@tonic-gate } else { 9070Sstevel@tonic-gate plaintext->cd_length = saved_length; 9080Sstevel@tonic-gate } 9090Sstevel@tonic-gate plaintext->cd_offset = saved_offset; 9100Sstevel@tonic-gate 911904Smcpowers 9120Sstevel@tonic-gate return (ret); 9130Sstevel@tonic-gate } 9140Sstevel@tonic-gate 9150Sstevel@tonic-gate /* ARGSUSED */ 9160Sstevel@tonic-gate static int 9170Sstevel@tonic-gate aes_encrypt_final(crypto_ctx_t *ctx, crypto_data_t *data, 9180Sstevel@tonic-gate crypto_req_handle_t req) 9190Sstevel@tonic-gate { 9200Sstevel@tonic-gate 9210Sstevel@tonic-gate /* EXPORT DELETE START */ 9220Sstevel@tonic-gate 9230Sstevel@tonic-gate aes_ctx_t *aes_ctx; 924904Smcpowers int ret; 9250Sstevel@tonic-gate 9260Sstevel@tonic-gate ASSERT(ctx->cc_provider_private != NULL); 9270Sstevel@tonic-gate aes_ctx = ctx->cc_provider_private; 9280Sstevel@tonic-gate 929904Smcpowers if (data->cd_format != CRYPTO_DATA_RAW && 930904Smcpowers data->cd_format != CRYPTO_DATA_UIO && 931904Smcpowers data->cd_format != CRYPTO_DATA_MBLK) { 932904Smcpowers return (CRYPTO_ARGUMENTS_BAD); 933904Smcpowers } 934904Smcpowers 9354486Sktung if (aes_ctx->ac_flags & AES_CTR_MODE) { 9364486Sktung if (aes_ctx->ac_remainder_len > 0) { 937904Smcpowers ret = aes_counter_final(aes_ctx, data); 938904Smcpowers if (ret != CRYPTO_SUCCESS) 939904Smcpowers return (ret); 940904Smcpowers } 9414486Sktung } else if (aes_ctx->ac_flags & AES_CCM_MODE) { 9424486Sktung ret = aes_ccm_encrypt_final(aes_ctx, data); 9434486Sktung if (ret != CRYPTO_SUCCESS) { 9444486Sktung return (ret); 9454486Sktung } 9464486Sktung } else { 9474486Sktung /* 9484486Sktung * There must be no unprocessed plaintext. 9494486Sktung * This happens if the length of the last data is 9504486Sktung * not a multiple of the AES block length. 9514486Sktung */ 9524486Sktung if (aes_ctx->ac_remainder_len > 0) { 9534486Sktung return (CRYPTO_DATA_LEN_RANGE); 9544486Sktung } 955*4558Sktung data->cd_length = 0; 956904Smcpowers } 957904Smcpowers 9580Sstevel@tonic-gate (void) aes_free_context(ctx); 9590Sstevel@tonic-gate 9600Sstevel@tonic-gate /* EXPORT DELETE END */ 9610Sstevel@tonic-gate 9620Sstevel@tonic-gate return (CRYPTO_SUCCESS); 9630Sstevel@tonic-gate } 9640Sstevel@tonic-gate 9650Sstevel@tonic-gate /* ARGSUSED */ 9660Sstevel@tonic-gate static int 9670Sstevel@tonic-gate aes_decrypt_final(crypto_ctx_t *ctx, crypto_data_t *data, 9680Sstevel@tonic-gate crypto_req_handle_t req) 9690Sstevel@tonic-gate { 9700Sstevel@tonic-gate 9710Sstevel@tonic-gate /* EXPORT DELETE START */ 9720Sstevel@tonic-gate 9730Sstevel@tonic-gate aes_ctx_t *aes_ctx; 974904Smcpowers int ret; 9754486Sktung off_t saved_offset; 9764486Sktung size_t saved_length; 9770Sstevel@tonic-gate 9780Sstevel@tonic-gate ASSERT(ctx->cc_provider_private != NULL); 9790Sstevel@tonic-gate aes_ctx = ctx->cc_provider_private; 9800Sstevel@tonic-gate 981904Smcpowers if (data->cd_format != CRYPTO_DATA_RAW && 982904Smcpowers data->cd_format != CRYPTO_DATA_UIO && 983904Smcpowers data->cd_format != CRYPTO_DATA_MBLK) { 984904Smcpowers return (CRYPTO_ARGUMENTS_BAD); 985904Smcpowers } 986904Smcpowers 9870Sstevel@tonic-gate /* 9880Sstevel@tonic-gate * There must be no unprocessed ciphertext. 9890Sstevel@tonic-gate * This happens if the length of the last ciphertext is 9900Sstevel@tonic-gate * not a multiple of the AES block length. 9910Sstevel@tonic-gate */ 992904Smcpowers if (aes_ctx->ac_remainder_len > 0) { 993904Smcpowers if ((aes_ctx->ac_flags & AES_CTR_MODE) == 0) 994904Smcpowers return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE); 995904Smcpowers else { 996904Smcpowers ret = aes_counter_final(aes_ctx, data); 997904Smcpowers if (ret != CRYPTO_SUCCESS) 998904Smcpowers return (ret); 999904Smcpowers } 1000904Smcpowers } 1001904Smcpowers 10024486Sktung if (aes_ctx->ac_flags & AES_CCM_MODE) { 10034486Sktung /* 10044486Sktung * This is where all the plaintext is returned, make sure 10054486Sktung * the plaintext buffer is big enough 10064486Sktung */ 10074486Sktung size_t pt_len = aes_ctx->ac_ccm_data_len; 10084486Sktung if (data->cd_length < pt_len) { 10094486Sktung data->cd_length = pt_len; 10104486Sktung return (CRYPTO_BUFFER_TOO_SMALL); 10114486Sktung } 10124486Sktung 10134486Sktung ASSERT(aes_ctx->ac_ccm_processed_data_len == pt_len); 10144486Sktung ASSERT(aes_ctx->ac_ccm_processed_mac_len 10154486Sktung == aes_ctx->ac_ccm_mac_len); 10164486Sktung saved_offset = data->cd_offset; 10174486Sktung saved_length = data->cd_length; 10184486Sktung ret = aes_ccm_decrypt_final(aes_ctx, data); 10194486Sktung if (ret == CRYPTO_SUCCESS) { 10204486Sktung data->cd_length = data->cd_offset - saved_offset; 10214486Sktung } else { 10224486Sktung data->cd_length = saved_length; 10234486Sktung } 10244486Sktung 10254486Sktung data->cd_offset = saved_offset; 10264486Sktung if (ret != CRYPTO_SUCCESS) { 10274486Sktung return (ret); 10284486Sktung } 10294486Sktung } 10304486Sktung 10314486Sktung 1032*4558Sktung if (((aes_ctx->ac_flags & AES_CTR_MODE) == 0) && 1033*4558Sktung ((aes_ctx->ac_flags & AES_CCM_MODE) == 0)) { 1034904Smcpowers data->cd_length = 0; 1035*4558Sktung } 10360Sstevel@tonic-gate 10374486Sktung if (aes_ctx->ac_ccm_pt_buf != NULL) { 10384486Sktung kmem_free(aes_ctx->ac_ccm_pt_buf, aes_ctx->ac_ccm_data_len); 10394486Sktung } 10404486Sktung 10410Sstevel@tonic-gate (void) aes_free_context(ctx); 10420Sstevel@tonic-gate 10430Sstevel@tonic-gate /* EXPORT DELETE END */ 10440Sstevel@tonic-gate 10450Sstevel@tonic-gate return (CRYPTO_SUCCESS); 10460Sstevel@tonic-gate } 10470Sstevel@tonic-gate 10480Sstevel@tonic-gate /* ARGSUSED */ 10490Sstevel@tonic-gate static int 10500Sstevel@tonic-gate aes_encrypt_atomic(crypto_provider_handle_t provider, 10510Sstevel@tonic-gate crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 10520Sstevel@tonic-gate crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext, 10530Sstevel@tonic-gate crypto_spi_ctx_template_t template, crypto_req_handle_t req) 10540Sstevel@tonic-gate { 10550Sstevel@tonic-gate aes_ctx_t aes_ctx; /* on the stack */ 10560Sstevel@tonic-gate off_t saved_offset; 10570Sstevel@tonic-gate size_t saved_length; 10580Sstevel@tonic-gate int ret; 10590Sstevel@tonic-gate 10600Sstevel@tonic-gate AES_ARG_INPLACE(plaintext, ciphertext); 10610Sstevel@tonic-gate 10624486Sktung if ((mechanism->cm_type != AES_CTR_MECH_INFO_TYPE) && 10634486Sktung (mechanism->cm_type != AES_CCM_MECH_INFO_TYPE)) { 1064904Smcpowers /* 1065904Smcpowers * Plaintext must be a multiple of AES block size. 1066904Smcpowers * This test only works for non-padded mechanisms 1067904Smcpowers * when blocksize is 2^N. 1068904Smcpowers */ 1069904Smcpowers if ((plaintext->cd_length & (AES_BLOCK_LEN - 1)) != 0) 1070904Smcpowers return (CRYPTO_DATA_LEN_RANGE); 1071904Smcpowers } 10720Sstevel@tonic-gate 10730Sstevel@tonic-gate /* return length needed to store the output */ 10740Sstevel@tonic-gate if (ciphertext->cd_length < plaintext->cd_length) { 10750Sstevel@tonic-gate ciphertext->cd_length = plaintext->cd_length; 10760Sstevel@tonic-gate return (CRYPTO_BUFFER_TOO_SMALL); 10770Sstevel@tonic-gate } 10780Sstevel@tonic-gate 1079991Smcpowers if ((ret = aes_check_mech_param(mechanism)) != CRYPTO_SUCCESS) 1080991Smcpowers return (ret); 10810Sstevel@tonic-gate 10820Sstevel@tonic-gate bzero(&aes_ctx, sizeof (aes_ctx_t)); 10830Sstevel@tonic-gate 10840Sstevel@tonic-gate ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key, 10854486Sktung crypto_kmflag(req), B_TRUE); 10860Sstevel@tonic-gate if (ret != CRYPTO_SUCCESS) 10870Sstevel@tonic-gate return (ret); 10880Sstevel@tonic-gate 10894486Sktung if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) { 10904486Sktung size_t length_needed 10914486Sktung = plaintext->cd_length + aes_ctx.ac_ccm_mac_len; 10924486Sktung if (ciphertext->cd_length < length_needed) { 10934486Sktung ciphertext->cd_length = length_needed; 10944486Sktung return (CRYPTO_BUFFER_TOO_SMALL); 10954486Sktung } 10964486Sktung } 10974486Sktung 10984486Sktung 10990Sstevel@tonic-gate saved_offset = ciphertext->cd_offset; 11000Sstevel@tonic-gate saved_length = ciphertext->cd_length; 11010Sstevel@tonic-gate 11020Sstevel@tonic-gate /* 11030Sstevel@tonic-gate * Do an update on the specified input data. 11040Sstevel@tonic-gate */ 11050Sstevel@tonic-gate switch (plaintext->cd_format) { 11060Sstevel@tonic-gate case CRYPTO_DATA_RAW: 11070Sstevel@tonic-gate ret = aes_cipher_update_iov(&aes_ctx, plaintext, ciphertext, 11080Sstevel@tonic-gate aes_encrypt_contiguous_blocks); 11090Sstevel@tonic-gate break; 11100Sstevel@tonic-gate case CRYPTO_DATA_UIO: 11110Sstevel@tonic-gate ret = aes_cipher_update_uio(&aes_ctx, plaintext, ciphertext, 11120Sstevel@tonic-gate aes_encrypt_contiguous_blocks); 11130Sstevel@tonic-gate break; 11140Sstevel@tonic-gate case CRYPTO_DATA_MBLK: 11150Sstevel@tonic-gate ret = aes_cipher_update_mp(&aes_ctx, plaintext, ciphertext, 11160Sstevel@tonic-gate aes_encrypt_contiguous_blocks); 11170Sstevel@tonic-gate break; 11180Sstevel@tonic-gate default: 11190Sstevel@tonic-gate ret = CRYPTO_ARGUMENTS_BAD; 11200Sstevel@tonic-gate } 11210Sstevel@tonic-gate 1122904Smcpowers if (ret == CRYPTO_SUCCESS) { 11234486Sktung if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) { 11244486Sktung ret = aes_ccm_encrypt_final(&aes_ctx, ciphertext); 11254486Sktung if (ret != CRYPTO_SUCCESS) 11264486Sktung goto out; 1127904Smcpowers ASSERT(aes_ctx.ac_remainder_len == 0); 11284486Sktung } else if (mechanism->cm_type == AES_CTR_MECH_INFO_TYPE) { 1129904Smcpowers if (aes_ctx.ac_remainder_len > 0) { 1130904Smcpowers ret = aes_counter_final(&aes_ctx, ciphertext); 1131904Smcpowers if (ret != CRYPTO_SUCCESS) 1132904Smcpowers goto out; 1133904Smcpowers } 11344486Sktung } else { 11354486Sktung ASSERT(aes_ctx.ac_remainder_len == 0); 11364486Sktung } 11374486Sktung 11384486Sktung if (plaintext != ciphertext) { 11394486Sktung ciphertext->cd_length = 11404486Sktung ciphertext->cd_offset - saved_offset; 1141904Smcpowers } 1142904Smcpowers } else { 1143904Smcpowers ciphertext->cd_length = saved_length; 1144904Smcpowers } 1145904Smcpowers ciphertext->cd_offset = saved_offset; 1146904Smcpowers 1147904Smcpowers out: 11480Sstevel@tonic-gate if (aes_ctx.ac_flags & AES_PROVIDER_OWNS_KEY_SCHEDULE) { 11490Sstevel@tonic-gate bzero(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len); 11500Sstevel@tonic-gate kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len); 11510Sstevel@tonic-gate } 11520Sstevel@tonic-gate 11530Sstevel@tonic-gate return (ret); 11540Sstevel@tonic-gate } 11550Sstevel@tonic-gate 11560Sstevel@tonic-gate /* ARGSUSED */ 11570Sstevel@tonic-gate static int 11580Sstevel@tonic-gate aes_decrypt_atomic(crypto_provider_handle_t provider, 11590Sstevel@tonic-gate crypto_session_id_t session_id, crypto_mechanism_t *mechanism, 11600Sstevel@tonic-gate crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext, 11610Sstevel@tonic-gate crypto_spi_ctx_template_t template, crypto_req_handle_t req) 11620Sstevel@tonic-gate { 11630Sstevel@tonic-gate aes_ctx_t aes_ctx; /* on the stack */ 11640Sstevel@tonic-gate off_t saved_offset; 11650Sstevel@tonic-gate size_t saved_length; 11660Sstevel@tonic-gate int ret; 11670Sstevel@tonic-gate 11680Sstevel@tonic-gate AES_ARG_INPLACE(ciphertext, plaintext); 11690Sstevel@tonic-gate 11704486Sktung /* 11714486Sktung * For block ciphers, ciphertext must be a multiple of AES block size. 11724486Sktung * This test is only valid for non-padded mechanisms 11734486Sktung * when blocksize is 2^N 11744486Sktung * Even though AES CCM mode is a block cipher, it does not 11754486Sktung * require the plaintext to be a multiple of AES block size. 11764486Sktung * The length requirement for AES CCM mode will be checked 11774486Sktung * at init time 11784486Sktung */ 11794486Sktung if ((mechanism->cm_type != AES_CTR_MECH_INFO_TYPE) && 11804486Sktung (mechanism->cm_type != AES_CCM_MECH_INFO_TYPE) && 11814486Sktung ((ciphertext->cd_length & (AES_BLOCK_LEN - 1)) != 0)) 11824486Sktung return (CRYPTO_DATA_LEN_RANGE); 11830Sstevel@tonic-gate 11844486Sktung /* 11854486Sktung * return length needed to store the output, length requirement 11864486Sktung * for AES CCM mode can not be determined until later 11874486Sktung */ 11884486Sktung if ((plaintext->cd_length < ciphertext->cd_length) && 11894486Sktung (mechanism->cm_type != AES_CCM_MECH_INFO_TYPE)) { 11900Sstevel@tonic-gate plaintext->cd_length = ciphertext->cd_length; 11910Sstevel@tonic-gate return (CRYPTO_BUFFER_TOO_SMALL); 11920Sstevel@tonic-gate } 11930Sstevel@tonic-gate 11944486Sktung 1195991Smcpowers if ((ret = aes_check_mech_param(mechanism)) != CRYPTO_SUCCESS) 1196991Smcpowers return (ret); 11970Sstevel@tonic-gate 11980Sstevel@tonic-gate bzero(&aes_ctx, sizeof (aes_ctx_t)); 11990Sstevel@tonic-gate 12000Sstevel@tonic-gate ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key, 12014486Sktung crypto_kmflag(req), B_FALSE); 12020Sstevel@tonic-gate if (ret != CRYPTO_SUCCESS) 12030Sstevel@tonic-gate return (ret); 12040Sstevel@tonic-gate 12054486Sktung /* check length requirement for AES CCM mode now */ 12064486Sktung if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) { 12074486Sktung if (plaintext->cd_length < aes_ctx.ac_ccm_data_len) { 12084486Sktung plaintext->cd_length = aes_ctx.ac_ccm_data_len; 12094486Sktung ret = CRYPTO_BUFFER_TOO_SMALL; 12104486Sktung goto out; 12114486Sktung } 12124486Sktung } 12134486Sktung 12140Sstevel@tonic-gate saved_offset = plaintext->cd_offset; 12150Sstevel@tonic-gate saved_length = plaintext->cd_length; 12160Sstevel@tonic-gate 12170Sstevel@tonic-gate /* 12180Sstevel@tonic-gate * Do an update on the specified input data. 12190Sstevel@tonic-gate */ 12200Sstevel@tonic-gate switch (ciphertext->cd_format) { 12210Sstevel@tonic-gate case CRYPTO_DATA_RAW: 12220Sstevel@tonic-gate ret = aes_cipher_update_iov(&aes_ctx, ciphertext, plaintext, 12230Sstevel@tonic-gate aes_decrypt_contiguous_blocks); 12240Sstevel@tonic-gate break; 12250Sstevel@tonic-gate case CRYPTO_DATA_UIO: 12260Sstevel@tonic-gate ret = aes_cipher_update_uio(&aes_ctx, ciphertext, plaintext, 12270Sstevel@tonic-gate aes_decrypt_contiguous_blocks); 12280Sstevel@tonic-gate break; 12290Sstevel@tonic-gate case CRYPTO_DATA_MBLK: 12300Sstevel@tonic-gate ret = aes_cipher_update_mp(&aes_ctx, ciphertext, plaintext, 12310Sstevel@tonic-gate aes_decrypt_contiguous_blocks); 12320Sstevel@tonic-gate break; 12330Sstevel@tonic-gate default: 12340Sstevel@tonic-gate ret = CRYPTO_ARGUMENTS_BAD; 12350Sstevel@tonic-gate } 12360Sstevel@tonic-gate 1237904Smcpowers if (ret == CRYPTO_SUCCESS) { 12384486Sktung if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) { 12394486Sktung ASSERT(aes_ctx.ac_ccm_processed_data_len 12404486Sktung == aes_ctx.ac_ccm_data_len); 12414486Sktung ASSERT(aes_ctx.ac_ccm_processed_mac_len 12424486Sktung == aes_ctx.ac_ccm_mac_len); 12434486Sktung ret = aes_ccm_decrypt_final(&aes_ctx, plaintext); 12444486Sktung ASSERT(aes_ctx.ac_remainder_len == 0); 12454486Sktung if ((ret == CRYPTO_SUCCESS) && 12464486Sktung (ciphertext != plaintext)) { 12474486Sktung plaintext->cd_length = 12484486Sktung plaintext->cd_offset - saved_offset; 12494486Sktung } else { 12504486Sktung plaintext->cd_length = saved_length; 12514486Sktung } 12524486Sktung } else if (mechanism->cm_type != AES_CTR_MECH_INFO_TYPE) { 1253904Smcpowers ASSERT(aes_ctx.ac_remainder_len == 0); 1254904Smcpowers if (ciphertext != plaintext) 1255904Smcpowers plaintext->cd_length = 1256904Smcpowers plaintext->cd_offset - saved_offset; 1257904Smcpowers } else { 1258904Smcpowers if (aes_ctx.ac_remainder_len > 0) { 1259904Smcpowers ret = aes_counter_final(&aes_ctx, plaintext); 1260904Smcpowers if (ret != CRYPTO_SUCCESS) 1261904Smcpowers goto out; 1262904Smcpowers } 1263904Smcpowers if (ciphertext != plaintext) 1264904Smcpowers plaintext->cd_length = 1265904Smcpowers plaintext->cd_offset - saved_offset; 1266904Smcpowers } 1267904Smcpowers } else { 1268904Smcpowers plaintext->cd_length = saved_length; 1269904Smcpowers } 1270904Smcpowers plaintext->cd_offset = saved_offset; 1271904Smcpowers 1272904Smcpowers out: 12730Sstevel@tonic-gate if (aes_ctx.ac_flags & AES_PROVIDER_OWNS_KEY_SCHEDULE) { 12740Sstevel@tonic-gate bzero(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len); 12750Sstevel@tonic-gate kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len); 12760Sstevel@tonic-gate } 12770Sstevel@tonic-gate 12784486Sktung if (aes_ctx.ac_ccm_pt_buf != NULL) { 12794486Sktung kmem_free(aes_ctx.ac_ccm_pt_buf, aes_ctx.ac_ccm_data_len); 12804486Sktung } 12814486Sktung 12820Sstevel@tonic-gate return (ret); 12830Sstevel@tonic-gate } 12840Sstevel@tonic-gate 12850Sstevel@tonic-gate /* 12860Sstevel@tonic-gate * KCF software provider context template entry points. 12870Sstevel@tonic-gate */ 12880Sstevel@tonic-gate /* ARGSUSED */ 12890Sstevel@tonic-gate static int 12900Sstevel@tonic-gate aes_create_ctx_template(crypto_provider_handle_t provider, 12910Sstevel@tonic-gate crypto_mechanism_t *mechanism, crypto_key_t *key, 12920Sstevel@tonic-gate crypto_spi_ctx_template_t *tmpl, size_t *tmpl_size, crypto_req_handle_t req) 12930Sstevel@tonic-gate { 12940Sstevel@tonic-gate 12950Sstevel@tonic-gate /* EXPORT DELETE START */ 12960Sstevel@tonic-gate 12970Sstevel@tonic-gate void *keysched; 12980Sstevel@tonic-gate size_t size; 12990Sstevel@tonic-gate int rv; 13000Sstevel@tonic-gate 1301991Smcpowers if (mechanism->cm_type != AES_ECB_MECH_INFO_TYPE && 1302991Smcpowers mechanism->cm_type != AES_CBC_MECH_INFO_TYPE && 13034486Sktung mechanism->cm_type != AES_CTR_MECH_INFO_TYPE && 13044486Sktung mechanism->cm_type != AES_CCM_MECH_INFO_TYPE) 13050Sstevel@tonic-gate return (CRYPTO_MECHANISM_INVALID); 13060Sstevel@tonic-gate 13070Sstevel@tonic-gate if ((keysched = aes_alloc_keysched(&size, 13080Sstevel@tonic-gate crypto_kmflag(req))) == NULL) { 13090Sstevel@tonic-gate return (CRYPTO_HOST_MEMORY); 13100Sstevel@tonic-gate } 13110Sstevel@tonic-gate 13120Sstevel@tonic-gate /* 13130Sstevel@tonic-gate * Initialize key schedule. Key length information is stored 13140Sstevel@tonic-gate * in the key. 13150Sstevel@tonic-gate */ 13160Sstevel@tonic-gate if ((rv = init_keysched(key, keysched)) != CRYPTO_SUCCESS) { 13170Sstevel@tonic-gate bzero(keysched, size); 13180Sstevel@tonic-gate kmem_free(keysched, size); 13190Sstevel@tonic-gate return (rv); 13200Sstevel@tonic-gate } 13210Sstevel@tonic-gate 13220Sstevel@tonic-gate *tmpl = keysched; 13230Sstevel@tonic-gate *tmpl_size = size; 13240Sstevel@tonic-gate 13250Sstevel@tonic-gate /* EXPORT DELETE END */ 13260Sstevel@tonic-gate 13270Sstevel@tonic-gate return (CRYPTO_SUCCESS); 13280Sstevel@tonic-gate } 13290Sstevel@tonic-gate 13300Sstevel@tonic-gate /* ARGSUSED */ 13310Sstevel@tonic-gate static int 13320Sstevel@tonic-gate aes_free_context(crypto_ctx_t *ctx) 13330Sstevel@tonic-gate { 13340Sstevel@tonic-gate 13350Sstevel@tonic-gate /* EXPORT DELETE START */ 13360Sstevel@tonic-gate 13370Sstevel@tonic-gate aes_ctx_t *aes_ctx = ctx->cc_provider_private; 13380Sstevel@tonic-gate 13390Sstevel@tonic-gate if (aes_ctx != NULL) { 13400Sstevel@tonic-gate if (aes_ctx->ac_flags & AES_PROVIDER_OWNS_KEY_SCHEDULE) { 13410Sstevel@tonic-gate ASSERT(aes_ctx->ac_keysched_len != 0); 13420Sstevel@tonic-gate bzero(aes_ctx->ac_keysched, aes_ctx->ac_keysched_len); 13430Sstevel@tonic-gate kmem_free(aes_ctx->ac_keysched, 13440Sstevel@tonic-gate aes_ctx->ac_keysched_len); 13450Sstevel@tonic-gate } 13460Sstevel@tonic-gate kmem_free(aes_ctx, sizeof (aes_ctx_t)); 13470Sstevel@tonic-gate ctx->cc_provider_private = NULL; 13480Sstevel@tonic-gate } 13490Sstevel@tonic-gate 13500Sstevel@tonic-gate /* EXPORT DELETE END */ 13510Sstevel@tonic-gate 13520Sstevel@tonic-gate return (CRYPTO_SUCCESS); 13530Sstevel@tonic-gate } 13540Sstevel@tonic-gate 13550Sstevel@tonic-gate /* ARGSUSED */ 13560Sstevel@tonic-gate static int 13570Sstevel@tonic-gate aes_common_init_ctx(aes_ctx_t *aes_ctx, crypto_spi_ctx_template_t *template, 13584486Sktung crypto_mechanism_t *mechanism, crypto_key_t *key, int kmflag, 13594486Sktung boolean_t is_encrypt_init) 13600Sstevel@tonic-gate { 13610Sstevel@tonic-gate int rv = CRYPTO_SUCCESS; 13620Sstevel@tonic-gate 13630Sstevel@tonic-gate /* EXPORT DELETE START */ 13640Sstevel@tonic-gate 13650Sstevel@tonic-gate void *keysched; 13660Sstevel@tonic-gate size_t size; 13674486Sktung CK_AES_CCM_PARAMS *ccm_param = NULL; 13680Sstevel@tonic-gate 1369904Smcpowers aes_ctx->ac_flags = 0; 13700Sstevel@tonic-gate 13710Sstevel@tonic-gate if (mechanism->cm_type == AES_CBC_MECH_INFO_TYPE) { 13720Sstevel@tonic-gate /* 1373904Smcpowers * Copy 128-bit IV into context. 13740Sstevel@tonic-gate * 13750Sstevel@tonic-gate * If cm_param == NULL then the IV comes from the 13760Sstevel@tonic-gate * cd_miscdata field in the crypto_data structure. 13770Sstevel@tonic-gate */ 13780Sstevel@tonic-gate if (mechanism->cm_param != NULL) { 13790Sstevel@tonic-gate ASSERT(mechanism->cm_param_len == AES_BLOCK_LEN); 13800Sstevel@tonic-gate if (IS_P2ALIGNED(mechanism->cm_param, 13810Sstevel@tonic-gate sizeof (uint64_t))) { 13820Sstevel@tonic-gate uint64_t *param64; 13830Sstevel@tonic-gate param64 = (uint64_t *)mechanism->cm_param; 13840Sstevel@tonic-gate 13850Sstevel@tonic-gate aes_ctx->ac_iv[0] = *param64++; 13860Sstevel@tonic-gate aes_ctx->ac_iv[1] = *param64; 13870Sstevel@tonic-gate } else { 13880Sstevel@tonic-gate uint8_t *iv8; 13890Sstevel@tonic-gate uint8_t *p8; 13900Sstevel@tonic-gate iv8 = (uint8_t *)&aes_ctx->ac_iv; 13910Sstevel@tonic-gate p8 = (uint8_t *)&mechanism->cm_param[0]; 13920Sstevel@tonic-gate 13930Sstevel@tonic-gate iv8[0] = p8[0]; 13940Sstevel@tonic-gate iv8[1] = p8[1]; 13950Sstevel@tonic-gate iv8[2] = p8[2]; 13960Sstevel@tonic-gate iv8[3] = p8[3]; 13970Sstevel@tonic-gate iv8[4] = p8[4]; 13980Sstevel@tonic-gate iv8[5] = p8[5]; 13990Sstevel@tonic-gate iv8[6] = p8[6]; 14000Sstevel@tonic-gate iv8[7] = p8[7]; 14010Sstevel@tonic-gate iv8[8] = p8[8]; 14020Sstevel@tonic-gate iv8[9] = p8[9]; 14030Sstevel@tonic-gate iv8[10] = p8[10]; 14040Sstevel@tonic-gate iv8[11] = p8[11]; 14050Sstevel@tonic-gate iv8[12] = p8[12]; 14060Sstevel@tonic-gate iv8[13] = p8[13]; 14070Sstevel@tonic-gate iv8[14] = p8[14]; 14080Sstevel@tonic-gate iv8[15] = p8[15]; 14090Sstevel@tonic-gate } 14100Sstevel@tonic-gate } 14110Sstevel@tonic-gate 14120Sstevel@tonic-gate aes_ctx->ac_lastp = (uint8_t *)&aes_ctx->ac_iv[0]; 14130Sstevel@tonic-gate aes_ctx->ac_flags |= AES_CBC_MODE; 1414904Smcpowers 1415904Smcpowers } else if (mechanism->cm_type == AES_CTR_MECH_INFO_TYPE) { 1416904Smcpowers if (mechanism->cm_param != NULL) { 1417904Smcpowers CK_AES_CTR_PARAMS *pp; 1418904Smcpowers uint64_t mask = 0; 1419904Smcpowers ulong_t count; 1420904Smcpowers uint8_t *iv8; 1421904Smcpowers uint8_t *p8; 1422904Smcpowers 14231172Smcpowers /* XXX what to do about miscdata */ 1424904Smcpowers pp = (CK_AES_CTR_PARAMS *)mechanism->cm_param; 1425904Smcpowers count = pp->ulCounterBits; 1426904Smcpowers if (count == 0 || count > 64) { 1427904Smcpowers return (CRYPTO_MECHANISM_PARAM_INVALID); 1428904Smcpowers } 1429904Smcpowers while (count-- > 0) 1430904Smcpowers mask |= (1ULL << count); 14311172Smcpowers #ifdef _LITTLE_ENDIAN 14321172Smcpowers p8 = (uint8_t *)&mask; 14331172Smcpowers mask = (((uint64_t)p8[0] << 56) | 14341172Smcpowers ((uint64_t)p8[1] << 48) | 14351172Smcpowers ((uint64_t)p8[2] << 40) | 14361172Smcpowers ((uint64_t)p8[3] << 32) | 14371172Smcpowers ((uint64_t)p8[4] << 24) | 14381172Smcpowers ((uint64_t)p8[5] << 16) | 14391172Smcpowers ((uint64_t)p8[6] << 8) | 14401172Smcpowers (uint64_t)p8[7]); 14411172Smcpowers #endif 14421172Smcpowers aes_ctx->ac_counter_mask = mask; 1443904Smcpowers 14441172Smcpowers iv8 = (uint8_t *)&aes_ctx->ac_iv; 14451172Smcpowers p8 = (uint8_t *)&pp->cb[0]; 1446904Smcpowers 1447904Smcpowers iv8[0] = p8[0]; 1448904Smcpowers iv8[1] = p8[1]; 1449904Smcpowers iv8[2] = p8[2]; 1450904Smcpowers iv8[3] = p8[3]; 1451904Smcpowers iv8[4] = p8[4]; 1452904Smcpowers iv8[5] = p8[5]; 1453904Smcpowers iv8[6] = p8[6]; 1454904Smcpowers iv8[7] = p8[7]; 1455904Smcpowers iv8[8] = p8[8]; 1456904Smcpowers iv8[9] = p8[9]; 1457904Smcpowers iv8[10] = p8[10]; 1458904Smcpowers iv8[11] = p8[11]; 1459904Smcpowers iv8[12] = p8[12]; 1460904Smcpowers iv8[13] = p8[13]; 1461904Smcpowers iv8[14] = p8[14]; 1462904Smcpowers iv8[15] = p8[15]; 1463904Smcpowers } else { 1464904Smcpowers return (CRYPTO_MECHANISM_PARAM_INVALID); 1465904Smcpowers } 1466904Smcpowers 1467904Smcpowers aes_ctx->ac_lastp = (uint8_t *)&aes_ctx->ac_iv[0]; 1468904Smcpowers aes_ctx->ac_flags |= AES_CTR_MODE; 14694486Sktung } else if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) { 14704486Sktung if (mechanism->cm_param != NULL) { 14714486Sktung int rc; 14724486Sktung 14734486Sktung ccm_param = (CK_AES_CCM_PARAMS *)mechanism->cm_param; 14744486Sktung 14754486Sktung if ((rc = aes_ccm_validate_args(ccm_param, 14764486Sktung is_encrypt_init)) != 0) { 14774486Sktung return (rc); 14784486Sktung } 14794486Sktung 14804486Sktung aes_ctx->ac_ccm_mac_len = ccm_param->ulMACSize; 14814486Sktung if (is_encrypt_init) { 14824486Sktung aes_ctx->ac_ccm_data_len 14834486Sktung = ccm_param->ulDataSize; 14844486Sktung } else { 14854486Sktung aes_ctx->ac_ccm_data_len = 14864486Sktung ccm_param->ulDataSize 14874486Sktung - aes_ctx->ac_ccm_mac_len; 14884486Sktung aes_ctx->ac_ccm_processed_mac_len = 0; 14894486Sktung } 14904486Sktung aes_ctx->ac_ccm_processed_data_len = 0; 14914486Sktung 14924486Sktung aes_ctx->ac_flags |= AES_CCM_MODE; 14934486Sktung } else { 14944486Sktung return (CRYPTO_MECHANISM_PARAM_INVALID); 14954486Sktung } 1496904Smcpowers } else { 1497904Smcpowers aes_ctx->ac_flags |= AES_ECB_MODE; 1498904Smcpowers } 1499904Smcpowers 1500904Smcpowers if (template == NULL) { 1501904Smcpowers if ((keysched = aes_alloc_keysched(&size, kmflag)) == NULL) 1502904Smcpowers return (CRYPTO_HOST_MEMORY); 1503904Smcpowers /* 1504904Smcpowers * Initialize key schedule. 1505904Smcpowers * Key length is stored in the key. 1506904Smcpowers */ 15074486Sktung if ((rv = init_keysched(key, keysched)) != CRYPTO_SUCCESS) { 1508904Smcpowers kmem_free(keysched, size); 15094486Sktung return (rv); 15104486Sktung } 1511904Smcpowers 1512904Smcpowers aes_ctx->ac_flags |= AES_PROVIDER_OWNS_KEY_SCHEDULE; 1513904Smcpowers aes_ctx->ac_keysched_len = size; 1514904Smcpowers } else { 1515904Smcpowers keysched = template; 15160Sstevel@tonic-gate } 15170Sstevel@tonic-gate aes_ctx->ac_keysched = keysched; 15180Sstevel@tonic-gate 15194486Sktung /* process the nonce and associated data if it is AES CCM mode */ 15204486Sktung if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) { 15214486Sktung if (aes_ccm_init(aes_ctx, ccm_param->nonce, 15224486Sktung ccm_param->ulNonceSize, ccm_param->authData, 15234486Sktung ccm_param->ulAuthDataSize) != 0) { 15244486Sktung bzero(keysched, size); 15254486Sktung kmem_free(keysched, size); 15264486Sktung return (CRYPTO_MECHANISM_PARAM_INVALID); 15274486Sktung } 15284486Sktung if (!is_encrypt_init) { 15294486Sktung /* allocate buffer for storing decrypted plaintext */ 15304486Sktung aes_ctx->ac_ccm_pt_buf = 15314486Sktung kmem_alloc(aes_ctx->ac_ccm_data_len, kmflag); 15324486Sktung if (aes_ctx->ac_ccm_pt_buf == NULL) { 15334486Sktung bzero(keysched, size); 15344486Sktung kmem_free(keysched, size); 15354486Sktung return (CRYPTO_HOST_MEMORY); 15364486Sktung } 15374486Sktung } 15384486Sktung } 15394486Sktung 15400Sstevel@tonic-gate /* EXPORT DELETE END */ 15410Sstevel@tonic-gate 15420Sstevel@tonic-gate return (rv); 15430Sstevel@tonic-gate } 1544