1 /*
2 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
3 * Use is subject to license terms.
4 *
5 * Copyright (c) 2018, Joyent, Inc.
6 *
7 * STREAMS Crypto Module
8 *
9 * This module is used to facilitate Kerberos encryption
10 * operations for the telnet daemon and rlogin daemon.
11 * Because the Solaris telnet and rlogin daemons run mostly
12 * in-kernel via 'telmod' and 'rlmod', this module must be
13 * pushed on the STREAM *below* telmod or rlmod.
14 *
15 * Parts of the 3DES key derivation code are covered by the
16 * following copyright.
17 *
18 * Copyright (C) 1998 by the FundsXpress, INC.
19 *
20 * All rights reserved.
21 *
22 * Export of this software from the United States of America may require
23 * a specific license from the United States Government. It is the
24 * responsibility of any person or organization contemplating export to
25 * obtain such a license before exporting.
26 *
27 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
28 * distribute this software and its documentation for any purpose and
29 * without fee is hereby granted, provided that the above copyright
30 * notice appear in all copies and that both that copyright notice and
31 * this permission notice appear in supporting documentation, and that
32 * the name of FundsXpress. not be used in advertising or publicity pertaining
33 * to distribution of the software without specific, written prior
34 * permission. FundsXpress makes no representations about the suitability of
35 * this software for any purpose. It is provided "as is" without express
36 * or implied warranty.
37 *
38 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
39 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
40 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
41 */
42
43 #include <sys/types.h>
44 #include <sys/sysmacros.h>
45 #include <sys/errno.h>
46 #include <sys/debug.h>
47 #include <sys/time.h>
48 #include <sys/stropts.h>
49 #include <sys/stream.h>
50 #include <sys/strsubr.h>
51 #include <sys/strlog.h>
52 #include <sys/cmn_err.h>
53 #include <sys/conf.h>
54 #include <sys/sunddi.h>
55 #include <sys/kmem.h>
56 #include <sys/strsun.h>
57 #include <sys/random.h>
58 #include <sys/types.h>
59 #include <sys/byteorder.h>
60 #include <sys/cryptmod.h>
61 #include <sys/crc32.h>
62 #include <sys/policy.h>
63
64 #include <sys/crypto/api.h>
65
66 /*
67 * Function prototypes.
68 */
69 static int cryptmodopen(queue_t *, dev_t *, int, int, cred_t *);
70 static int cryptmodrput(queue_t *, mblk_t *);
71 static int cryptmodwput(queue_t *, mblk_t *);
72 static int cryptmodclose(queue_t *, int, cred_t *);
73 static int cryptmodwsrv(queue_t *);
74 static int cryptmodrsrv(queue_t *);
75
76 static mblk_t *do_encrypt(queue_t *q, mblk_t *mp);
77 static mblk_t *do_decrypt(queue_t *q, mblk_t *mp);
78
79 #define CRYPTMOD_ID 5150
80
81 #define CFB_BLKSZ 8
82
83 #define K5CLENGTH 5
84
85 static struct module_info cryptmod_minfo = {
86 CRYPTMOD_ID, /* mi_idnum */
87 "cryptmod", /* mi_idname */
88 0, /* mi_minpsz */
89 INFPSZ, /* mi_maxpsz */
90 65536, /* mi_hiwat */
91 1024 /* mi_lowat */
92 };
93
94 static struct qinit cryptmod_rinit = {
95 cryptmodrput, /* qi_putp */
96 cryptmodrsrv, /* qi_svc */
97 cryptmodopen, /* qi_qopen */
98 cryptmodclose, /* qi_qclose */
99 NULL, /* qi_qadmin */
100 &cryptmod_minfo, /* qi_minfo */
101 NULL /* qi_mstat */
102 };
103
104 static struct qinit cryptmod_winit = {
105 cryptmodwput, /* qi_putp */
106 cryptmodwsrv, /* qi_srvp */
107 NULL, /* qi_qopen */
108 NULL, /* qi_qclose */
109 NULL, /* qi_qadmin */
110 &cryptmod_minfo, /* qi_minfo */
111 NULL /* qi_mstat */
112 };
113
114 static struct streamtab cryptmod_info = {
115 &cryptmod_rinit, /* st_rdinit */
116 &cryptmod_winit, /* st_wrinit */
117 NULL, /* st_muxrinit */
118 NULL /* st_muxwinit */
119 };
120
121 typedef struct {
122 uint_t hash_len;
123 uint_t confound_len;
124 int (*hashfunc)();
125 } hash_info_t;
126
127 #define MAX_CKSUM_LEN 20
128 #define CONFOUNDER_LEN 8
129
130 #define SHA1_HASHSIZE 20
131 #define MD5_HASHSIZE 16
132 #define CRC32_HASHSIZE 4
133 #define MSGBUF_SIZE 4096
134 #define CONFOUNDER_BYTES 128
135
136
137 static int crc32_calc(uchar_t *, uchar_t *, uint_t);
138 static int md5_calc(uchar_t *, uchar_t *, uint_t);
139 static int sha1_calc(uchar_t *, uchar_t *, uint_t);
140
141 static hash_info_t null_hash = {0, 0, NULL};
142 static hash_info_t crc32_hash = {CRC32_HASHSIZE, CONFOUNDER_LEN, crc32_calc};
143 static hash_info_t md5_hash = {MD5_HASHSIZE, CONFOUNDER_LEN, md5_calc};
144 static hash_info_t sha1_hash = {SHA1_HASHSIZE, CONFOUNDER_LEN, sha1_calc};
145
146 static crypto_mech_type_t sha1_hmac_mech = CRYPTO_MECH_INVALID;
147 static crypto_mech_type_t md5_hmac_mech = CRYPTO_MECH_INVALID;
148 static crypto_mech_type_t sha1_hash_mech = CRYPTO_MECH_INVALID;
149 static crypto_mech_type_t md5_hash_mech = CRYPTO_MECH_INVALID;
150
151 static int kef_crypt(struct cipher_data_t *, void *,
152 crypto_data_format_t, size_t, int);
153 static mblk_t *
154 arcfour_hmac_md5_encrypt(queue_t *, struct tmodinfo *,
155 mblk_t *, hash_info_t *);
156 static mblk_t *
157 arcfour_hmac_md5_decrypt(queue_t *, struct tmodinfo *,
158 mblk_t *, hash_info_t *);
159
160 static int
161 do_hmac(crypto_mech_type_t, crypto_key_t *, char *, int, char *, int);
162
163 /*
164 * This is the loadable module wrapper.
165 */
166 #include <sys/modctl.h>
167
168 static struct fmodsw fsw = {
169 "cryptmod",
170 &cryptmod_info,
171 D_MP | D_MTQPAIR
172 };
173
174 /*
175 * Module linkage information for the kernel.
176 */
177 static struct modlstrmod modlstrmod = {
178 &mod_strmodops,
179 "STREAMS encryption module",
180 &fsw
181 };
182
183 static struct modlinkage modlinkage = {
184 MODREV_1,
185 &modlstrmod,
186 NULL
187 };
188
189 int
_init(void)190 _init(void)
191 {
192 return (mod_install(&modlinkage));
193 }
194
195 int
_fini(void)196 _fini(void)
197 {
198 return (mod_remove(&modlinkage));
199 }
200
201 int
_info(struct modinfo * modinfop)202 _info(struct modinfo *modinfop)
203 {
204 return (mod_info(&modlinkage, modinfop));
205 }
206
207 static void
cleanup(struct cipher_data_t * cd)208 cleanup(struct cipher_data_t *cd)
209 {
210 if (cd->key != NULL) {
211 bzero(cd->key, cd->keylen);
212 kmem_free(cd->key, cd->keylen);
213 cd->key = NULL;
214 }
215
216 if (cd->ckey != NULL) {
217 /*
218 * ckey is a crypto_key_t structure which references
219 * "cd->key" for its raw key data. Since that was already
220 * cleared out, we don't need another "bzero" here.
221 */
222 kmem_free(cd->ckey, sizeof (crypto_key_t));
223 cd->ckey = NULL;
224 }
225
226 if (cd->block != NULL) {
227 kmem_free(cd->block, cd->blocklen);
228 cd->block = NULL;
229 }
230
231 if (cd->saveblock != NULL) {
232 kmem_free(cd->saveblock, cd->blocklen);
233 cd->saveblock = NULL;
234 }
235
236 if (cd->ivec != NULL) {
237 kmem_free(cd->ivec, cd->ivlen);
238 cd->ivec = NULL;
239 }
240
241 if (cd->d_encr_key.ck_data != NULL) {
242 bzero(cd->d_encr_key.ck_data, cd->keylen);
243 kmem_free(cd->d_encr_key.ck_data, cd->keylen);
244 }
245
246 if (cd->d_hmac_key.ck_data != NULL) {
247 bzero(cd->d_hmac_key.ck_data, cd->keylen);
248 kmem_free(cd->d_hmac_key.ck_data, cd->keylen);
249 }
250
251 if (cd->enc_tmpl != NULL)
252 (void) crypto_destroy_ctx_template(cd->enc_tmpl);
253
254 if (cd->hmac_tmpl != NULL)
255 (void) crypto_destroy_ctx_template(cd->hmac_tmpl);
256
257 if (cd->ctx != NULL) {
258 crypto_cancel_ctx(cd->ctx);
259 cd->ctx = NULL;
260 }
261 }
262
263 /* ARGSUSED */
264 static int
cryptmodopen(queue_t * rq,dev_t * dev,int oflag,int sflag,cred_t * crp)265 cryptmodopen(queue_t *rq, dev_t *dev, int oflag, int sflag, cred_t *crp)
266 {
267 struct tmodinfo *tmi;
268 ASSERT(rq);
269
270 if (sflag != MODOPEN)
271 return (EINVAL);
272
273 (void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE,
274 "cryptmodopen: opening module(PID %d)",
275 ddi_get_pid()));
276
277 if (rq->q_ptr != NULL) {
278 cmn_err(CE_WARN, "cryptmodopen: already opened");
279 return (0);
280 }
281
282 /*
283 * Allocate and initialize per-Stream structure.
284 */
285 tmi = (struct tmodinfo *)kmem_zalloc(sizeof (struct tmodinfo),
286 KM_SLEEP);
287
288 tmi->enc_data.method = CRYPT_METHOD_NONE;
289 tmi->dec_data.method = CRYPT_METHOD_NONE;
290
291 tmi->ready = (CRYPT_READ_READY | CRYPT_WRITE_READY);
292
293 rq->q_ptr = WR(rq)->q_ptr = tmi;
294
295 sha1_hmac_mech = crypto_mech2id(SUN_CKM_SHA1_HMAC);
296 md5_hmac_mech = crypto_mech2id(SUN_CKM_MD5_HMAC);
297 sha1_hash_mech = crypto_mech2id(SUN_CKM_SHA1);
298 md5_hash_mech = crypto_mech2id(SUN_CKM_MD5);
299
300 qprocson(rq);
301
302 return (0);
303 }
304
305 /* ARGSUSED */
306 static int
cryptmodclose(queue_t * rq,int flags __unused,cred_t * credp __unused)307 cryptmodclose(queue_t *rq, int flags __unused, cred_t *credp __unused)
308 {
309 struct tmodinfo *tmi = (struct tmodinfo *)rq->q_ptr;
310 ASSERT(tmi);
311
312 qprocsoff(rq);
313
314 cleanup(&tmi->enc_data);
315 cleanup(&tmi->dec_data);
316
317 kmem_free(tmi, sizeof (struct tmodinfo));
318 rq->q_ptr = WR(rq)->q_ptr = NULL;
319
320 return (0);
321 }
322
323 /*
324 * plaintext_offset
325 *
326 * Calculate exactly how much space is needed in front
327 * of the "plaintext" in an mbuf so it can be positioned
328 * 1 time instead of potentially moving the data multiple
329 * times.
330 */
331 static int
plaintext_offset(struct cipher_data_t * cd)332 plaintext_offset(struct cipher_data_t *cd)
333 {
334 int headspace = 0;
335
336 /* 4 byte length prepended to all RCMD msgs */
337 if (ANY_RCMD_MODE(cd->option_mask))
338 headspace += RCMD_LEN_SZ;
339
340 /* RCMD V2 mode adds an additional 4 byte plaintext length */
341 if (cd->option_mask & CRYPTOPT_RCMD_MODE_V2)
342 headspace += RCMD_LEN_SZ;
343
344 /* Need extra space for hash and counfounder */
345 switch (cd->method) {
346 case CRYPT_METHOD_DES_CBC_NULL:
347 headspace += null_hash.hash_len + null_hash.confound_len;
348 break;
349 case CRYPT_METHOD_DES_CBC_CRC:
350 headspace += crc32_hash.hash_len + crc32_hash.confound_len;
351 break;
352 case CRYPT_METHOD_DES_CBC_MD5:
353 headspace += md5_hash.hash_len + md5_hash.confound_len;
354 break;
355 case CRYPT_METHOD_DES3_CBC_SHA1:
356 headspace += sha1_hash.confound_len;
357 break;
358 case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
359 headspace += md5_hash.hash_len + md5_hash.confound_len;
360 break;
361 case CRYPT_METHOD_AES128:
362 case CRYPT_METHOD_AES256:
363 headspace += DEFAULT_AES_BLOCKLEN;
364 break;
365 case CRYPT_METHOD_DES_CFB:
366 case CRYPT_METHOD_NONE:
367 break;
368 }
369
370 return (headspace);
371 }
372 /*
373 * encrypt_size
374 *
375 * Calculate the resulting size when encrypting 'plainlen' bytes
376 * of data.
377 */
378 static size_t
encrypt_size(struct cipher_data_t * cd,size_t plainlen)379 encrypt_size(struct cipher_data_t *cd, size_t plainlen)
380 {
381 size_t cipherlen;
382
383 switch (cd->method) {
384 case CRYPT_METHOD_DES_CBC_NULL:
385 cipherlen = (size_t)P2ROUNDUP(null_hash.hash_len +
386 plainlen, 8);
387 break;
388 case CRYPT_METHOD_DES_CBC_MD5:
389 cipherlen = (size_t)P2ROUNDUP(md5_hash.hash_len +
390 md5_hash.confound_len +
391 plainlen, 8);
392 break;
393 case CRYPT_METHOD_DES_CBC_CRC:
394 cipherlen = (size_t)P2ROUNDUP(crc32_hash.hash_len +
395 crc32_hash.confound_len +
396 plainlen, 8);
397 break;
398 case CRYPT_METHOD_DES3_CBC_SHA1:
399 cipherlen = (size_t)P2ROUNDUP(sha1_hash.confound_len +
400 plainlen, 8) +
401 sha1_hash.hash_len;
402 break;
403 case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
404 cipherlen = (size_t)P2ROUNDUP(md5_hash.confound_len +
405 plainlen, 1) + md5_hash.hash_len;
406 break;
407 case CRYPT_METHOD_AES128:
408 case CRYPT_METHOD_AES256:
409 /* No roundup for AES-CBC-CTS */
410 cipherlen = DEFAULT_AES_BLOCKLEN + plainlen +
411 AES_TRUNCATED_HMAC_LEN;
412 break;
413 case CRYPT_METHOD_DES_CFB:
414 case CRYPT_METHOD_NONE:
415 cipherlen = plainlen;
416 break;
417 }
418
419 return (cipherlen);
420 }
421
422 /*
423 * des_cfb_encrypt
424 *
425 * Encrypt the mblk data using DES with cipher feedback.
426 *
427 * Given that V[i] is the initial 64 bit vector, V[n] is the nth 64 bit
428 * vector, D[n] is the nth chunk of 64 bits of data to encrypt
429 * (decrypt), and O[n] is the nth chunk of 64 bits of encrypted
430 * (decrypted) data, then:
431 *
432 * V[0] = DES(V[i], key)
433 * O[n] = D[n] <exclusive or > V[n]
434 * V[n+1] = DES(O[n], key)
435 *
436 * The size of the message being encrypted does not change in this
437 * algorithm, num_bytes in == num_bytes out.
438 */
439 static mblk_t *
des_cfb_encrypt(queue_t * q,struct tmodinfo * tmi,mblk_t * mp)440 des_cfb_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
441 {
442 int savedbytes;
443 char *iptr, *optr, *lastoutput;
444
445 lastoutput = optr = (char *)mp->b_rptr;
446 iptr = (char *)mp->b_rptr;
447 savedbytes = tmi->enc_data.bytes % CFB_BLKSZ;
448
449 while (iptr < (char *)mp->b_wptr) {
450 /*
451 * Do DES-ECB.
452 * The first time this runs, the 'tmi->enc_data.block' will
453 * contain the initialization vector that should have been
454 * passed in with the SETUP ioctl.
455 *
456 * V[n] = DES(V[n-1], key)
457 */
458 if (!(tmi->enc_data.bytes % CFB_BLKSZ)) {
459 int retval = 0;
460 retval = kef_crypt(&tmi->enc_data,
461 tmi->enc_data.block,
462 CRYPTO_DATA_RAW,
463 tmi->enc_data.blocklen,
464 CRYPT_ENCRYPT);
465
466 if (retval != CRYPTO_SUCCESS) {
467 #ifdef DEBUG
468 cmn_err(CE_WARN, "des_cfb_encrypt: kef_crypt "
469 "failed - error 0x%0x", retval);
470 #endif
471 mp->b_datap->db_type = M_ERROR;
472 mp->b_rptr = mp->b_datap->db_base;
473 *mp->b_rptr = EIO;
474 mp->b_wptr = mp->b_rptr + sizeof (char);
475 freemsg(mp->b_cont);
476 mp->b_cont = NULL;
477 qreply(WR(q), mp);
478 return (NULL);
479 }
480 }
481
482 /* O[n] = I[n] ^ V[n] */
483 *(optr++) = *(iptr++) ^
484 tmi->enc_data.block[tmi->enc_data.bytes % CFB_BLKSZ];
485
486 tmi->enc_data.bytes++;
487 /*
488 * Feedback the encrypted output as the input to next DES call.
489 */
490 if (!(tmi->enc_data.bytes % CFB_BLKSZ)) {
491 char *dbptr = tmi->enc_data.block;
492 /*
493 * Get the last bits of input from the previous
494 * msg block that we haven't yet used as feedback input.
495 */
496 if (savedbytes > 0) {
497 bcopy(tmi->enc_data.saveblock,
498 dbptr, (size_t)savedbytes);
499 dbptr += savedbytes;
500 }
501
502 /*
503 * Now copy the correct bytes from the current input
504 * stream and update the 'lastoutput' ptr
505 */
506 bcopy(lastoutput, dbptr,
507 (size_t)(CFB_BLKSZ - savedbytes));
508
509 lastoutput += (CFB_BLKSZ - savedbytes);
510 savedbytes = 0;
511 }
512 }
513 /*
514 * If there are bytes of input here that we need in the next
515 * block to build an ivec, save them off here.
516 */
517 if (lastoutput < optr) {
518 bcopy(lastoutput,
519 tmi->enc_data.saveblock + savedbytes,
520 (uint_t)(optr - lastoutput));
521 }
522 return (mp);
523 }
524
525 /*
526 * des_cfb_decrypt
527 *
528 * Decrypt the data in the mblk using DES in Cipher Feedback mode
529 *
530 * # bytes in == # bytes out, no padding, confounding, or hashing
531 * is added.
532 *
533 */
534 static mblk_t *
des_cfb_decrypt(queue_t * q,struct tmodinfo * tmi,mblk_t * mp)535 des_cfb_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
536 {
537 uint_t len;
538 uint_t savedbytes;
539 char *iptr;
540 char *lastinput;
541 uint_t cp;
542
543 len = MBLKL(mp);
544
545 /* decrypted output goes into the new data buffer */
546 lastinput = iptr = (char *)mp->b_rptr;
547
548 savedbytes = tmi->dec_data.bytes % tmi->dec_data.blocklen;
549
550 /*
551 * Save the input CFB_BLKSZ bytes at a time.
552 * We are trying to decrypt in-place, but need to keep
553 * a small sliding window of encrypted text to be
554 * used to construct the feedback buffer.
555 */
556 cp = ((tmi->dec_data.blocklen - savedbytes) > len ? len :
557 tmi->dec_data.blocklen - savedbytes);
558
559 bcopy(lastinput, tmi->dec_data.saveblock + savedbytes, cp);
560 savedbytes += cp;
561
562 lastinput += cp;
563
564 while (iptr < (char *)mp->b_wptr) {
565 /*
566 * Do DES-ECB.
567 * The first time this runs, the 'tmi->dec_data.block' will
568 * contain the initialization vector that should have been
569 * passed in with the SETUP ioctl.
570 */
571 if (!(tmi->dec_data.bytes % CFB_BLKSZ)) {
572 int retval;
573 retval = kef_crypt(&tmi->dec_data,
574 tmi->dec_data.block,
575 CRYPTO_DATA_RAW,
576 tmi->dec_data.blocklen,
577 CRYPT_ENCRYPT);
578
579 if (retval != CRYPTO_SUCCESS) {
580 #ifdef DEBUG
581 cmn_err(CE_WARN, "des_cfb_decrypt: kef_crypt "
582 "failed - status 0x%0x", retval);
583 #endif
584 mp->b_datap->db_type = M_ERROR;
585 mp->b_rptr = mp->b_datap->db_base;
586 *mp->b_rptr = EIO;
587 mp->b_wptr = mp->b_rptr + sizeof (char);
588 freemsg(mp->b_cont);
589 mp->b_cont = NULL;
590 qreply(WR(q), mp);
591 return (NULL);
592 }
593 }
594
595 /*
596 * To decrypt, XOR the input with the output from the DES call
597 */
598 *(iptr++) ^= tmi->dec_data.block[tmi->dec_data.bytes %
599 CFB_BLKSZ];
600
601 tmi->dec_data.bytes++;
602
603 /*
604 * Feedback the encrypted input for next DES call.
605 */
606 if (!(tmi->dec_data.bytes % tmi->dec_data.blocklen)) {
607 char *dbptr = tmi->dec_data.block;
608 /*
609 * Get the last bits of input from the previous block
610 * that we haven't yet processed.
611 */
612 if (savedbytes > 0) {
613 bcopy(tmi->dec_data.saveblock,
614 dbptr, savedbytes);
615 dbptr += savedbytes;
616 }
617
618 savedbytes = 0;
619
620 /*
621 * This block makes sure that our local
622 * buffer of input data is full and can
623 * be accessed from the beginning.
624 */
625 if (lastinput < (char *)mp->b_wptr) {
626
627 /* How many bytes are left in the mblk? */
628 cp = (((char *)mp->b_wptr - lastinput) >
629 tmi->dec_data.blocklen ?
630 tmi->dec_data.blocklen :
631 (char *)mp->b_wptr - lastinput);
632
633 /* copy what we need */
634 bcopy(lastinput, tmi->dec_data.saveblock,
635 cp);
636
637 lastinput += cp;
638 savedbytes = cp;
639 }
640 }
641 }
642
643 return (mp);
644 }
645
646 /*
647 * crc32_calc
648 *
649 * Compute a CRC32 checksum on the input
650 */
651 static int
crc32_calc(uchar_t * buf,uchar_t * input,uint_t len)652 crc32_calc(uchar_t *buf, uchar_t *input, uint_t len)
653 {
654 uint32_t crc;
655
656 CRC32(crc, input, len, 0, crc32_table);
657
658 buf[0] = (uchar_t)(crc & 0xff);
659 buf[1] = (uchar_t)((crc >> 8) & 0xff);
660 buf[2] = (uchar_t)((crc >> 16) & 0xff);
661 buf[3] = (uchar_t)((crc >> 24) & 0xff);
662
663 return (CRYPTO_SUCCESS);
664 }
665
666 static int
kef_digest(crypto_mech_type_t digest_type,uchar_t * input,uint_t inlen,uchar_t * output,uint_t hashlen)667 kef_digest(crypto_mech_type_t digest_type,
668 uchar_t *input, uint_t inlen,
669 uchar_t *output, uint_t hashlen)
670 {
671 iovec_t v1, v2;
672 crypto_data_t d1, d2;
673 crypto_mechanism_t mech;
674 int rv;
675
676 mech.cm_type = digest_type;
677 mech.cm_param = 0;
678 mech.cm_param_len = 0;
679
680 v1.iov_base = (void *)input;
681 v1.iov_len = inlen;
682
683 d1.cd_format = CRYPTO_DATA_RAW;
684 d1.cd_offset = 0;
685 d1.cd_length = v1.iov_len;
686 d1.cd_raw = v1;
687
688 v2.iov_base = (void *)output;
689 v2.iov_len = hashlen;
690
691 d2.cd_format = CRYPTO_DATA_RAW;
692 d2.cd_offset = 0;
693 d2.cd_length = v2.iov_len;
694 d2.cd_raw = v2;
695
696 rv = crypto_digest(&mech, &d1, &d2, NULL);
697
698 return (rv);
699 }
700
701 /*
702 * sha1_calc
703 *
704 * Get a SHA1 hash on the input data.
705 */
706 static int
sha1_calc(uchar_t * output,uchar_t * input,uint_t inlen)707 sha1_calc(uchar_t *output, uchar_t *input, uint_t inlen)
708 {
709 int rv;
710
711 rv = kef_digest(sha1_hash_mech, input, inlen, output, SHA1_HASHSIZE);
712
713 return (rv);
714 }
715
716 /*
717 * Get an MD5 hash on the input data.
718 * md5_calc
719 *
720 */
721 static int
md5_calc(uchar_t * output,uchar_t * input,uint_t inlen)722 md5_calc(uchar_t *output, uchar_t *input, uint_t inlen)
723 {
724 int rv;
725
726 rv = kef_digest(md5_hash_mech, input, inlen, output, MD5_HASHSIZE);
727
728 return (rv);
729 }
730
731 /*
732 * nfold
733 * duplicate the functionality of the krb5_nfold function from
734 * the userland kerberos mech.
735 * This is needed to derive keys for use with 3DES/SHA1-HMAC
736 * ciphers.
737 */
738 static void
nfold(int inbits,uchar_t * in,int outbits,uchar_t * out)739 nfold(int inbits, uchar_t *in, int outbits, uchar_t *out)
740 {
741 int a, b, c, lcm;
742 int byte, i, msbit;
743
744 inbits >>= 3;
745 outbits >>= 3;
746
747 /* first compute lcm(n,k) */
748 a = outbits;
749 b = inbits;
750
751 while (b != 0) {
752 c = b;
753 b = a%b;
754 a = c;
755 }
756
757 lcm = outbits*inbits/a;
758
759 /* now do the real work */
760
761 bzero(out, outbits);
762 byte = 0;
763
764 /*
765 * Compute the msbit in k which gets added into this byte
766 * first, start with the msbit in the first, unrotated byte
767 * then, for each byte, shift to the right for each repetition
768 * last, pick out the correct byte within that shifted repetition
769 */
770 for (i = lcm-1; i >= 0; i--) {
771 msbit = (((inbits<<3)-1)
772 +(((inbits<<3)+13)*(i/inbits))
773 +((inbits-(i%inbits))<<3)) %(inbits<<3);
774
775 /* pull out the byte value itself */
776 byte += (((in[((inbits-1)-(msbit>>3))%inbits]<<8)|
777 (in[((inbits)-(msbit>>3))%inbits]))
778 >>((msbit&7)+1))&0xff;
779
780 /* do the addition */
781 byte += out[i%outbits];
782 out[i%outbits] = byte&0xff;
783
784 byte >>= 8;
785 }
786
787 /* if there's a carry bit left over, add it back in */
788 if (byte) {
789 for (i = outbits-1; i >= 0; i--) {
790 /* do the addition */
791 byte += out[i];
792 out[i] = byte&0xff;
793
794 /* keep around the carry bit, if any */
795 byte >>= 8;
796 }
797 }
798 }
799
800 #define smask(step) ((1<<step)-1)
801 #define pstep(x, step) (((x)&smask(step))^(((x)>>step)&smask(step)))
802 #define parity_char(x) pstep(pstep(pstep((x), 4), 2), 1)
803
804 /*
805 * Duplicate the functionality of the "dk_derive_key" function
806 * in the Kerberos mechanism.
807 */
808 static int
derive_key(struct cipher_data_t * cdata,uchar_t * constdata,int constlen,char * dkey,int keybytes,int blocklen)809 derive_key(struct cipher_data_t *cdata, uchar_t *constdata,
810 int constlen, char *dkey, int keybytes,
811 int blocklen)
812 {
813 int rv = 0;
814 int n = 0, i;
815 char *inblock;
816 char *rawkey;
817 char *zeroblock;
818 char *saveblock;
819
820 inblock = kmem_zalloc(blocklen, KM_SLEEP);
821 rawkey = kmem_zalloc(keybytes, KM_SLEEP);
822 zeroblock = kmem_zalloc(blocklen, KM_SLEEP);
823
824 if (constlen == blocklen)
825 bcopy(constdata, inblock, blocklen);
826 else
827 nfold(constlen * 8, constdata,
828 blocklen * 8, (uchar_t *)inblock);
829
830 /*
831 * zeroblock is an IV of all 0's.
832 *
833 * The "block" section of the cdata record is used as the
834 * IV for crypto operations in the kef_crypt function.
835 *
836 * We use 'block' as a generic IV data buffer because it
837 * is attached to the stream state data and thus can
838 * be used to hold information that must carry over
839 * from processing of one mblk to another.
840 *
841 * Here, we save the current IV and replace it with
842 * and empty IV (all 0's) for use when deriving the
843 * keys. Once the key derivation is done, we swap the
844 * old IV back into place.
845 */
846 saveblock = cdata->block;
847 cdata->block = zeroblock;
848
849 while (n < keybytes) {
850 rv = kef_crypt(cdata, inblock, CRYPTO_DATA_RAW,
851 blocklen, CRYPT_ENCRYPT);
852 if (rv != CRYPTO_SUCCESS) {
853 /* put the original IV block back in place */
854 cdata->block = saveblock;
855 cmn_err(CE_WARN, "failed to derive a key: %0x", rv);
856 goto cleanup;
857 }
858
859 if (keybytes - n < blocklen) {
860 bcopy(inblock, rawkey+n, (keybytes-n));
861 break;
862 }
863 bcopy(inblock, rawkey+n, blocklen);
864 n += blocklen;
865 }
866 /* put the original IV block back in place */
867 cdata->block = saveblock;
868
869 /* finally, make the key */
870 if (cdata->method == CRYPT_METHOD_DES3_CBC_SHA1) {
871 /*
872 * 3DES key derivation requires that we make sure the
873 * key has the proper parity.
874 */
875 for (i = 0; i < 3; i++) {
876 bcopy(rawkey+(i*7), dkey+(i*8), 7);
877
878 /* 'dkey' is our derived key output buffer */
879 dkey[i*8+7] = (((dkey[i*8]&1)<<1) |
880 ((dkey[i*8+1]&1)<<2) |
881 ((dkey[i*8+2]&1)<<3) |
882 ((dkey[i*8+3]&1)<<4) |
883 ((dkey[i*8+4]&1)<<5) |
884 ((dkey[i*8+5]&1)<<6) |
885 ((dkey[i*8+6]&1)<<7));
886
887 for (n = 0; n < 8; n++) {
888 dkey[i*8 + n] &= 0xfe;
889 dkey[i*8 + n] |= 1^parity_char(dkey[i*8 + n]);
890 }
891 }
892 } else if (IS_AES_METHOD(cdata->method)) {
893 bcopy(rawkey, dkey, keybytes);
894 }
895 cleanup:
896 kmem_free(inblock, blocklen);
897 kmem_free(zeroblock, blocklen);
898 kmem_free(rawkey, keybytes);
899 return (rv);
900 }
901
902 /*
903 * create_derived_keys
904 *
905 * Algorithm for deriving a new key and an HMAC key
906 * before computing the 3DES-SHA1-HMAC operation on the plaintext
907 * This algorithm matches the work done by Kerberos mechanism
908 * in userland.
909 */
910 static int
create_derived_keys(struct cipher_data_t * cdata,uint32_t usage,crypto_key_t * enckey,crypto_key_t * hmackey)911 create_derived_keys(struct cipher_data_t *cdata, uint32_t usage,
912 crypto_key_t *enckey, crypto_key_t *hmackey)
913 {
914 uchar_t constdata[K5CLENGTH];
915 int keybytes;
916 int rv;
917
918 constdata[0] = (usage>>24)&0xff;
919 constdata[1] = (usage>>16)&0xff;
920 constdata[2] = (usage>>8)&0xff;
921 constdata[3] = usage & 0xff;
922 /* Use "0xAA" for deriving encryption key */
923 constdata[4] = 0xAA; /* from MIT Kerberos code */
924
925 enckey->ck_length = cdata->keylen * 8;
926 enckey->ck_format = CRYPTO_KEY_RAW;
927 enckey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP);
928
929 switch (cdata->method) {
930 case CRYPT_METHOD_DES_CFB:
931 case CRYPT_METHOD_DES_CBC_NULL:
932 case CRYPT_METHOD_DES_CBC_MD5:
933 case CRYPT_METHOD_DES_CBC_CRC:
934 keybytes = 8;
935 break;
936 case CRYPT_METHOD_DES3_CBC_SHA1:
937 keybytes = CRYPT_DES3_KEYBYTES;
938 break;
939 case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
940 case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
941 keybytes = CRYPT_ARCFOUR_KEYBYTES;
942 break;
943 case CRYPT_METHOD_AES128:
944 keybytes = CRYPT_AES128_KEYBYTES;
945 break;
946 case CRYPT_METHOD_AES256:
947 keybytes = CRYPT_AES256_KEYBYTES;
948 break;
949 }
950
951 /* derive main crypto key */
952 rv = derive_key(cdata, constdata, sizeof (constdata),
953 enckey->ck_data, keybytes, cdata->blocklen);
954
955 if (rv == CRYPTO_SUCCESS) {
956
957 /* Use "0x55" for deriving mac key */
958 constdata[4] = 0x55;
959
960 hmackey->ck_length = cdata->keylen * 8;
961 hmackey->ck_format = CRYPTO_KEY_RAW;
962 hmackey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP);
963
964 rv = derive_key(cdata, constdata, sizeof (constdata),
965 hmackey->ck_data, keybytes,
966 cdata->blocklen);
967 } else {
968 cmn_err(CE_WARN, "failed to derive crypto key: %02x", rv);
969 }
970
971 return (rv);
972 }
973
974 /*
975 * Compute 3-DES crypto and HMAC.
976 */
977 static int
kef_decr_hmac(struct cipher_data_t * cdata,mblk_t * mp,int length,char * hmac,int hmaclen)978 kef_decr_hmac(struct cipher_data_t *cdata,
979 mblk_t *mp, int length,
980 char *hmac, int hmaclen)
981 {
982 int rv = CRYPTO_FAILED;
983
984 crypto_mechanism_t encr_mech;
985 crypto_mechanism_t mac_mech;
986 crypto_data_t dd;
987 crypto_data_t mac;
988 iovec_t v1;
989
990 ASSERT(cdata != NULL);
991 ASSERT(mp != NULL);
992 ASSERT(hmac != NULL);
993
994 bzero(&dd, sizeof (dd));
995 dd.cd_format = CRYPTO_DATA_MBLK;
996 dd.cd_offset = 0;
997 dd.cd_length = length;
998 dd.cd_mp = mp;
999
1000 v1.iov_base = hmac;
1001 v1.iov_len = hmaclen;
1002
1003 mac.cd_format = CRYPTO_DATA_RAW;
1004 mac.cd_offset = 0;
1005 mac.cd_length = hmaclen;
1006 mac.cd_raw = v1;
1007
1008 /*
1009 * cdata->block holds the IVEC
1010 */
1011 encr_mech.cm_type = cdata->mech_type;
1012 encr_mech.cm_param = cdata->block;
1013
1014 if (cdata->block != NULL)
1015 encr_mech.cm_param_len = cdata->blocklen;
1016 else
1017 encr_mech.cm_param_len = 0;
1018
1019 rv = crypto_decrypt(&encr_mech, &dd, &cdata->d_encr_key,
1020 cdata->enc_tmpl, NULL, NULL);
1021 if (rv != CRYPTO_SUCCESS) {
1022 cmn_err(CE_WARN, "crypto_decrypt failed: %0x", rv);
1023 return (rv);
1024 }
1025
1026 mac_mech.cm_type = sha1_hmac_mech;
1027 mac_mech.cm_param = NULL;
1028 mac_mech.cm_param_len = 0;
1029
1030 /*
1031 * Compute MAC of the plaintext decrypted above.
1032 */
1033 rv = crypto_mac(&mac_mech, &dd, &cdata->d_hmac_key,
1034 cdata->hmac_tmpl, &mac, NULL);
1035
1036 if (rv != CRYPTO_SUCCESS) {
1037 cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
1038 }
1039
1040 return (rv);
1041 }
1042
1043 /*
1044 * Compute 3-DES crypto and HMAC.
1045 */
1046 static int
kef_encr_hmac(struct cipher_data_t * cdata,mblk_t * mp,int length,char * hmac,int hmaclen)1047 kef_encr_hmac(struct cipher_data_t *cdata,
1048 mblk_t *mp, int length,
1049 char *hmac, int hmaclen)
1050 {
1051 int rv = CRYPTO_FAILED;
1052
1053 crypto_mechanism_t encr_mech;
1054 crypto_mechanism_t mac_mech;
1055 crypto_data_t dd;
1056 crypto_data_t mac;
1057 iovec_t v1;
1058
1059 ASSERT(cdata != NULL);
1060 ASSERT(mp != NULL);
1061 ASSERT(hmac != NULL);
1062
1063 bzero(&dd, sizeof (dd));
1064 dd.cd_format = CRYPTO_DATA_MBLK;
1065 dd.cd_offset = 0;
1066 dd.cd_length = length;
1067 dd.cd_mp = mp;
1068
1069 v1.iov_base = hmac;
1070 v1.iov_len = hmaclen;
1071
1072 mac.cd_format = CRYPTO_DATA_RAW;
1073 mac.cd_offset = 0;
1074 mac.cd_length = hmaclen;
1075 mac.cd_raw = v1;
1076
1077 /*
1078 * cdata->block holds the IVEC
1079 */
1080 encr_mech.cm_type = cdata->mech_type;
1081 encr_mech.cm_param = cdata->block;
1082
1083 if (cdata->block != NULL)
1084 encr_mech.cm_param_len = cdata->blocklen;
1085 else
1086 encr_mech.cm_param_len = 0;
1087
1088 mac_mech.cm_type = sha1_hmac_mech;
1089 mac_mech.cm_param = NULL;
1090 mac_mech.cm_param_len = 0;
1091
1092 rv = crypto_mac(&mac_mech, &dd, &cdata->d_hmac_key,
1093 cdata->hmac_tmpl, &mac, NULL);
1094
1095 if (rv != CRYPTO_SUCCESS) {
1096 cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
1097 return (rv);
1098 }
1099
1100 rv = crypto_encrypt(&encr_mech, &dd, &cdata->d_encr_key,
1101 cdata->enc_tmpl, NULL, NULL);
1102 if (rv != CRYPTO_SUCCESS) {
1103 cmn_err(CE_WARN, "crypto_encrypt failed: %0x", rv);
1104 }
1105
1106 return (rv);
1107 }
1108
1109 /*
1110 * kef_crypt
1111 *
1112 * Use the Kernel encryption framework to provide the
1113 * crypto operations for the indicated data.
1114 */
1115 static int
kef_crypt(struct cipher_data_t * cdata,void * indata,crypto_data_format_t fmt,size_t length,int mode)1116 kef_crypt(struct cipher_data_t *cdata,
1117 void *indata, crypto_data_format_t fmt,
1118 size_t length, int mode)
1119 {
1120 int rv = CRYPTO_FAILED;
1121
1122 crypto_mechanism_t mech;
1123 crypto_key_t crkey;
1124 iovec_t v1;
1125 crypto_data_t d1;
1126
1127 ASSERT(cdata != NULL);
1128 ASSERT(indata != NULL);
1129 ASSERT(fmt == CRYPTO_DATA_RAW || fmt == CRYPTO_DATA_MBLK);
1130
1131 bzero(&crkey, sizeof (crkey));
1132 bzero(&d1, sizeof (d1));
1133
1134 crkey.ck_format = CRYPTO_KEY_RAW;
1135 crkey.ck_data = cdata->key;
1136
1137 /* keys are measured in bits, not bytes, so multiply by 8 */
1138 crkey.ck_length = cdata->keylen * 8;
1139
1140 if (fmt == CRYPTO_DATA_RAW) {
1141 v1.iov_base = (char *)indata;
1142 v1.iov_len = length;
1143 }
1144
1145 d1.cd_format = fmt;
1146 d1.cd_offset = 0;
1147 d1.cd_length = length;
1148 if (fmt == CRYPTO_DATA_RAW)
1149 d1.cd_raw = v1;
1150 else if (fmt == CRYPTO_DATA_MBLK)
1151 d1.cd_mp = (mblk_t *)indata;
1152
1153 mech.cm_type = cdata->mech_type;
1154 mech.cm_param = cdata->block;
1155 /*
1156 * cdata->block holds the IVEC
1157 */
1158 if (cdata->block != NULL)
1159 mech.cm_param_len = cdata->blocklen;
1160 else
1161 mech.cm_param_len = 0;
1162
1163 /*
1164 * encrypt and decrypt in-place
1165 */
1166 if (mode == CRYPT_ENCRYPT)
1167 rv = crypto_encrypt(&mech, &d1, &crkey, NULL, NULL, NULL);
1168 else
1169 rv = crypto_decrypt(&mech, &d1, &crkey, NULL, NULL, NULL);
1170
1171 if (rv != CRYPTO_SUCCESS) {
1172 cmn_err(CE_WARN, "%s returned error %08x",
1173 (mode == CRYPT_ENCRYPT ? "crypto_encrypt" :
1174 "crypto_decrypt"), rv);
1175 return (CRYPTO_FAILED);
1176 }
1177
1178 return (rv);
1179 }
1180
1181 static int
do_hmac(crypto_mech_type_t mech,crypto_key_t * key,char * data,int datalen,char * hmac,int hmaclen)1182 do_hmac(crypto_mech_type_t mech,
1183 crypto_key_t *key,
1184 char *data, int datalen,
1185 char *hmac, int hmaclen)
1186 {
1187 int rv = 0;
1188 crypto_mechanism_t mac_mech;
1189 crypto_data_t dd;
1190 crypto_data_t mac;
1191 iovec_t vdata, vmac;
1192
1193 mac_mech.cm_type = mech;
1194 mac_mech.cm_param = NULL;
1195 mac_mech.cm_param_len = 0;
1196
1197 vdata.iov_base = data;
1198 vdata.iov_len = datalen;
1199
1200 bzero(&dd, sizeof (dd));
1201 dd.cd_format = CRYPTO_DATA_RAW;
1202 dd.cd_offset = 0;
1203 dd.cd_length = datalen;
1204 dd.cd_raw = vdata;
1205
1206 vmac.iov_base = hmac;
1207 vmac.iov_len = hmaclen;
1208
1209 mac.cd_format = CRYPTO_DATA_RAW;
1210 mac.cd_offset = 0;
1211 mac.cd_length = hmaclen;
1212 mac.cd_raw = vmac;
1213
1214 /*
1215 * Compute MAC of the plaintext decrypted above.
1216 */
1217 rv = crypto_mac(&mac_mech, &dd, key, NULL, &mac, NULL);
1218
1219 if (rv != CRYPTO_SUCCESS) {
1220 cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
1221 }
1222
1223 return (rv);
1224 }
1225
1226 #define XOR_BLOCK(src, dst) \
1227 (dst)[0] ^= (src)[0]; \
1228 (dst)[1] ^= (src)[1]; \
1229 (dst)[2] ^= (src)[2]; \
1230 (dst)[3] ^= (src)[3]; \
1231 (dst)[4] ^= (src)[4]; \
1232 (dst)[5] ^= (src)[5]; \
1233 (dst)[6] ^= (src)[6]; \
1234 (dst)[7] ^= (src)[7]; \
1235 (dst)[8] ^= (src)[8]; \
1236 (dst)[9] ^= (src)[9]; \
1237 (dst)[10] ^= (src)[10]; \
1238 (dst)[11] ^= (src)[11]; \
1239 (dst)[12] ^= (src)[12]; \
1240 (dst)[13] ^= (src)[13]; \
1241 (dst)[14] ^= (src)[14]; \
1242 (dst)[15] ^= (src)[15]
1243
1244 #define xorblock(x, y) XOR_BLOCK(y, x)
1245
1246 static int
aes_cbc_cts_encrypt(struct tmodinfo * tmi,uchar_t * plain,size_t length)1247 aes_cbc_cts_encrypt(struct tmodinfo *tmi, uchar_t *plain, size_t length)
1248 {
1249 int result = CRYPTO_SUCCESS;
1250 unsigned char tmp[DEFAULT_AES_BLOCKLEN];
1251 unsigned char tmp2[DEFAULT_AES_BLOCKLEN];
1252 unsigned char tmp3[DEFAULT_AES_BLOCKLEN];
1253 int nblocks = 0, blockno;
1254 crypto_data_t ct, pt;
1255 crypto_mechanism_t mech;
1256
1257 mech.cm_type = tmi->enc_data.mech_type;
1258 if (tmi->enc_data.ivlen > 0 && tmi->enc_data.ivec != NULL) {
1259 bcopy(tmi->enc_data.ivec, tmp, DEFAULT_AES_BLOCKLEN);
1260 } else {
1261 bzero(tmp, sizeof (tmp));
1262 }
1263 mech.cm_param = NULL;
1264 mech.cm_param_len = 0;
1265
1266 nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN;
1267
1268 bzero(&ct, sizeof (crypto_data_t));
1269 bzero(&pt, sizeof (crypto_data_t));
1270
1271 if (nblocks == 1) {
1272 pt.cd_format = CRYPTO_DATA_RAW;
1273 pt.cd_length = length;
1274 pt.cd_raw.iov_base = (char *)plain;
1275 pt.cd_raw.iov_len = length;
1276
1277 result = crypto_encrypt(&mech, &pt,
1278 &tmi->enc_data.d_encr_key, NULL, NULL, NULL);
1279
1280 if (result != CRYPTO_SUCCESS) {
1281 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1282 "crypto_encrypt failed: %0x", result);
1283 }
1284 } else {
1285 size_t nleft;
1286
1287 ct.cd_format = CRYPTO_DATA_RAW;
1288 ct.cd_offset = 0;
1289 ct.cd_length = DEFAULT_AES_BLOCKLEN;
1290
1291 pt.cd_format = CRYPTO_DATA_RAW;
1292 pt.cd_offset = 0;
1293 pt.cd_length = DEFAULT_AES_BLOCKLEN;
1294
1295 result = crypto_encrypt_init(&mech,
1296 &tmi->enc_data.d_encr_key,
1297 tmi->enc_data.enc_tmpl,
1298 &tmi->enc_data.ctx, NULL);
1299
1300 if (result != CRYPTO_SUCCESS) {
1301 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1302 "crypto_encrypt_init failed: %0x", result);
1303 goto cleanup;
1304 }
1305
1306 for (blockno = 0; blockno < nblocks - 2; blockno++) {
1307 xorblock(tmp, plain + blockno * DEFAULT_AES_BLOCKLEN);
1308
1309 pt.cd_raw.iov_base = (char *)tmp;
1310 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1311
1312 ct.cd_raw.iov_base = (char *)plain +
1313 blockno * DEFAULT_AES_BLOCKLEN;
1314 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1315
1316 result = crypto_encrypt_update(tmi->enc_data.ctx,
1317 &pt, &ct, NULL);
1318
1319 if (result != CRYPTO_SUCCESS) {
1320 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1321 "crypto_encrypt_update failed: %0x",
1322 result);
1323 goto cleanup;
1324 }
1325 /* copy result over original bytes */
1326 /* make another copy for the next XOR step */
1327 bcopy(plain + blockno * DEFAULT_AES_BLOCKLEN,
1328 tmp, DEFAULT_AES_BLOCKLEN);
1329 }
1330 /* XOR cipher text from n-3 with plain text from n-2 */
1331 xorblock(tmp, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN);
1332
1333 pt.cd_raw.iov_base = (char *)tmp;
1334 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1335
1336 ct.cd_raw.iov_base = (char *)tmp2;
1337 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1338
1339 /* encrypt XOR-ed block N-2 */
1340 result = crypto_encrypt_update(tmi->enc_data.ctx,
1341 &pt, &ct, NULL);
1342 if (result != CRYPTO_SUCCESS) {
1343 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1344 "crypto_encrypt_update(2) failed: %0x",
1345 result);
1346 goto cleanup;
1347 }
1348 nleft = length - (nblocks - 1) * DEFAULT_AES_BLOCKLEN;
1349
1350 bzero(tmp3, sizeof (tmp3));
1351 /* Save final plaintext bytes from n-1 */
1352 bcopy(plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3,
1353 nleft);
1354
1355 /* Overwrite n-1 with cipher text from n-2 */
1356 bcopy(tmp2, plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN,
1357 nleft);
1358
1359 bcopy(tmp2, tmp, DEFAULT_AES_BLOCKLEN);
1360 /* XOR cipher text from n-1 with plain text from n-1 */
1361 xorblock(tmp, tmp3);
1362
1363 pt.cd_raw.iov_base = (char *)tmp;
1364 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1365
1366 ct.cd_raw.iov_base = (char *)tmp2;
1367 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1368
1369 /* encrypt block N-2 */
1370 result = crypto_encrypt_update(tmi->enc_data.ctx,
1371 &pt, &ct, NULL);
1372
1373 if (result != CRYPTO_SUCCESS) {
1374 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1375 "crypto_encrypt_update(3) failed: %0x",
1376 result);
1377 goto cleanup;
1378 }
1379
1380 bcopy(tmp2, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
1381 DEFAULT_AES_BLOCKLEN);
1382
1383
1384 ct.cd_raw.iov_base = (char *)tmp2;
1385 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1386
1387 /*
1388 * Ignore the output on the final step.
1389 */
1390 result = crypto_encrypt_final(tmi->enc_data.ctx, &ct, NULL);
1391 if (result != CRYPTO_SUCCESS) {
1392 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1393 "crypto_encrypt_final(3) failed: %0x",
1394 result);
1395 }
1396 tmi->enc_data.ctx = NULL;
1397 }
1398 cleanup:
1399 bzero(tmp, sizeof (tmp));
1400 bzero(tmp2, sizeof (tmp));
1401 bzero(tmp3, sizeof (tmp));
1402 bzero(tmi->enc_data.block, tmi->enc_data.blocklen);
1403 return (result);
1404 }
1405
1406 static int
aes_cbc_cts_decrypt(struct tmodinfo * tmi,uchar_t * buff,size_t length)1407 aes_cbc_cts_decrypt(struct tmodinfo *tmi, uchar_t *buff, size_t length)
1408 {
1409 int result = CRYPTO_SUCCESS;
1410 unsigned char tmp[DEFAULT_AES_BLOCKLEN];
1411 unsigned char tmp2[DEFAULT_AES_BLOCKLEN];
1412 unsigned char tmp3[DEFAULT_AES_BLOCKLEN];
1413 int nblocks = 0, blockno;
1414 crypto_data_t ct, pt;
1415 crypto_mechanism_t mech;
1416
1417 mech.cm_type = tmi->enc_data.mech_type;
1418
1419 if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
1420 tmi->dec_data.ivlen > 0 && tmi->dec_data.ivec != NULL) {
1421 bcopy(tmi->dec_data.ivec, tmp, DEFAULT_AES_BLOCKLEN);
1422 } else {
1423 bzero(tmp, sizeof (tmp));
1424 }
1425 mech.cm_param_len = 0;
1426 mech.cm_param = NULL;
1427
1428 nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN;
1429
1430 bzero(&pt, sizeof (pt));
1431 bzero(&ct, sizeof (ct));
1432
1433 if (nblocks == 1) {
1434 ct.cd_format = CRYPTO_DATA_RAW;
1435 ct.cd_length = length;
1436 ct.cd_raw.iov_base = (char *)buff;
1437 ct.cd_raw.iov_len = length;
1438
1439 result = crypto_decrypt(&mech, &ct,
1440 &tmi->dec_data.d_encr_key, NULL, NULL, NULL);
1441
1442 if (result != CRYPTO_SUCCESS) {
1443 cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1444 "crypto_decrypt failed: %0x", result);
1445 goto cleanup;
1446 }
1447 } else {
1448 ct.cd_format = CRYPTO_DATA_RAW;
1449 ct.cd_offset = 0;
1450 ct.cd_length = DEFAULT_AES_BLOCKLEN;
1451
1452 pt.cd_format = CRYPTO_DATA_RAW;
1453 pt.cd_offset = 0;
1454 pt.cd_length = DEFAULT_AES_BLOCKLEN;
1455
1456 result = crypto_decrypt_init(&mech,
1457 &tmi->dec_data.d_encr_key,
1458 tmi->dec_data.enc_tmpl,
1459 &tmi->dec_data.ctx, NULL);
1460
1461 if (result != CRYPTO_SUCCESS) {
1462 cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1463 "crypto_decrypt_init failed: %0x", result);
1464 goto cleanup;
1465 }
1466 for (blockno = 0; blockno < nblocks - 2; blockno++) {
1467 ct.cd_raw.iov_base = (char *)buff +
1468 (blockno * DEFAULT_AES_BLOCKLEN);
1469 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1470
1471 pt.cd_raw.iov_base = (char *)tmp2;
1472 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1473
1474 /*
1475 * Save the input to the decrypt so it can
1476 * be used later for an XOR operation
1477 */
1478 bcopy(buff + (blockno * DEFAULT_AES_BLOCKLEN),
1479 tmi->dec_data.block, DEFAULT_AES_BLOCKLEN);
1480
1481 result = crypto_decrypt_update(tmi->dec_data.ctx,
1482 &ct, &pt, NULL);
1483 if (result != CRYPTO_SUCCESS) {
1484 cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1485 "crypto_decrypt_update(1) error - "
1486 "result = 0x%08x", result);
1487 goto cleanup;
1488 }
1489 xorblock(tmp2, tmp);
1490 bcopy(tmp2, buff + blockno * DEFAULT_AES_BLOCKLEN,
1491 DEFAULT_AES_BLOCKLEN);
1492 /*
1493 * The original cipher text is used as the xor
1494 * for the next block, save it here.
1495 */
1496 bcopy(tmi->dec_data.block, tmp, DEFAULT_AES_BLOCKLEN);
1497 }
1498 ct.cd_raw.iov_base = (char *)buff +
1499 ((nblocks - 2) * DEFAULT_AES_BLOCKLEN);
1500 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1501 pt.cd_raw.iov_base = (char *)tmp2;
1502 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1503
1504 result = crypto_decrypt_update(tmi->dec_data.ctx,
1505 &ct, &pt, NULL);
1506 if (result != CRYPTO_SUCCESS) {
1507 cmn_err(CE_WARN,
1508 "aes_cbc_cts_decrypt: "
1509 "crypto_decrypt_update(2) error -"
1510 " result = 0x%08x", result);
1511 goto cleanup;
1512 }
1513 bzero(tmp3, sizeof (tmp3));
1514 bcopy(buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3,
1515 length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));
1516
1517 xorblock(tmp2, tmp3);
1518 bcopy(tmp2, buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN,
1519 length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));
1520
1521 /* 2nd to last block ... */
1522 bcopy(tmp3, tmp2,
1523 length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));
1524
1525 ct.cd_raw.iov_base = (char *)tmp2;
1526 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1527 pt.cd_raw.iov_base = (char *)tmp3;
1528 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1529
1530 result = crypto_decrypt_update(tmi->dec_data.ctx,
1531 &ct, &pt, NULL);
1532 if (result != CRYPTO_SUCCESS) {
1533 cmn_err(CE_WARN,
1534 "aes_cbc_cts_decrypt: "
1535 "crypto_decrypt_update(3) error - "
1536 "result = 0x%08x", result);
1537 goto cleanup;
1538 }
1539 xorblock(tmp3, tmp);
1540
1541
1542 /* Finally, update the 2nd to last block and we are done. */
1543 bcopy(tmp3, buff + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
1544 DEFAULT_AES_BLOCKLEN);
1545
1546 /* Do Final step, but ignore output */
1547 pt.cd_raw.iov_base = (char *)tmp2;
1548 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1549 result = crypto_decrypt_final(tmi->dec_data.ctx, &pt, NULL);
1550 if (result != CRYPTO_SUCCESS) {
1551 cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1552 "crypto_decrypt_final error - "
1553 "result = 0x%0x", result);
1554 }
1555 tmi->dec_data.ctx = NULL;
1556 }
1557
1558 cleanup:
1559 bzero(tmp, sizeof (tmp));
1560 bzero(tmp2, sizeof (tmp));
1561 bzero(tmp3, sizeof (tmp));
1562 bzero(tmi->dec_data.block, tmi->dec_data.blocklen);
1563 return (result);
1564 }
1565
1566 /*
1567 * AES decrypt
1568 *
1569 * format of ciphertext when using AES
1570 * +-------------+------------+------------+
1571 * | confounder | msg-data | hmac |
1572 * +-------------+------------+------------+
1573 */
1574 static mblk_t *
aes_decrypt(queue_t * q,struct tmodinfo * tmi,mblk_t * mp,hash_info_t * hash)1575 aes_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1576 hash_info_t *hash)
1577 {
1578 int result;
1579 size_t enclen;
1580 size_t inlen;
1581 uchar_t hmacbuff[64];
1582 uchar_t tmpiv[DEFAULT_AES_BLOCKLEN];
1583
1584 inlen = (size_t)MBLKL(mp);
1585
1586 enclen = inlen - AES_TRUNCATED_HMAC_LEN;
1587 if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
1588 tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0) {
1589 int nblocks = (enclen + DEFAULT_AES_BLOCKLEN - 1) /
1590 DEFAULT_AES_BLOCKLEN;
1591 bcopy(mp->b_rptr + DEFAULT_AES_BLOCKLEN * (nblocks - 2),
1592 tmpiv, DEFAULT_AES_BLOCKLEN);
1593 }
1594
1595 /* AES Decrypt */
1596 result = aes_cbc_cts_decrypt(tmi, mp->b_rptr, enclen);
1597
1598 if (result != CRYPTO_SUCCESS) {
1599 cmn_err(CE_WARN,
1600 "aes_decrypt: aes_cbc_cts_decrypt "
1601 "failed - error %0x", result);
1602 goto cleanup;
1603 }
1604
1605 /* Verify the HMAC */
1606 result = do_hmac(sha1_hmac_mech,
1607 &tmi->dec_data.d_hmac_key,
1608 (char *)mp->b_rptr, enclen,
1609 (char *)hmacbuff, hash->hash_len);
1610
1611 if (result != CRYPTO_SUCCESS) {
1612 cmn_err(CE_WARN,
1613 "aes_decrypt: do_hmac failed - error %0x", result);
1614 goto cleanup;
1615 }
1616
1617 if (bcmp(hmacbuff, mp->b_rptr + enclen,
1618 AES_TRUNCATED_HMAC_LEN) != 0) {
1619 result = -1;
1620 cmn_err(CE_WARN, "aes_decrypt: checksum verification failed");
1621 goto cleanup;
1622 }
1623
1624 /* truncate the mblk at the end of the decrypted text */
1625 mp->b_wptr = mp->b_rptr + enclen;
1626
1627 /* Adjust the beginning of the buffer to skip the confounder */
1628 mp->b_rptr += DEFAULT_AES_BLOCKLEN;
1629
1630 if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
1631 tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0)
1632 bcopy(tmpiv, tmi->dec_data.ivec, DEFAULT_AES_BLOCKLEN);
1633
1634 cleanup:
1635 if (result != CRYPTO_SUCCESS) {
1636 mp->b_datap->db_type = M_ERROR;
1637 mp->b_rptr = mp->b_datap->db_base;
1638 *mp->b_rptr = EIO;
1639 mp->b_wptr = mp->b_rptr + sizeof (char);
1640 freemsg(mp->b_cont);
1641 mp->b_cont = NULL;
1642 qreply(WR(q), mp);
1643 return (NULL);
1644 }
1645 return (mp);
1646 }
1647
1648 /*
1649 * AES encrypt
1650 *
1651 * format of ciphertext when using AES
1652 * +-------------+------------+------------+
1653 * | confounder | msg-data | hmac |
1654 * +-------------+------------+------------+
1655 */
1656 static mblk_t *
aes_encrypt(queue_t * q,struct tmodinfo * tmi,mblk_t * mp,hash_info_t * hash)1657 aes_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1658 hash_info_t *hash)
1659 {
1660 int result;
1661 size_t cipherlen;
1662 size_t inlen;
1663 uchar_t hmacbuff[64];
1664
1665 inlen = (size_t)MBLKL(mp);
1666
1667 cipherlen = encrypt_size(&tmi->enc_data, inlen);
1668
1669 ASSERT(MBLKSIZE(mp) >= cipherlen);
1670
1671 /*
1672 * Shift the rptr back enough to insert the confounder.
1673 */
1674 mp->b_rptr -= DEFAULT_AES_BLOCKLEN;
1675
1676 /* Get random data for confounder */
1677 (void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr,
1678 DEFAULT_AES_BLOCKLEN);
1679
1680 /*
1681 * Because we encrypt in-place, we need to calculate
1682 * the HMAC of the plaintext now, then stick it on
1683 * the end of the ciphertext down below.
1684 */
1685 result = do_hmac(sha1_hmac_mech,
1686 &tmi->enc_data.d_hmac_key,
1687 (char *)mp->b_rptr, DEFAULT_AES_BLOCKLEN + inlen,
1688 (char *)hmacbuff, hash->hash_len);
1689
1690 if (result != CRYPTO_SUCCESS) {
1691 cmn_err(CE_WARN, "aes_encrypt: do_hmac failed - error %0x",
1692 result);
1693 goto cleanup;
1694 }
1695 /* Encrypt using AES-CBC-CTS */
1696 result = aes_cbc_cts_encrypt(tmi, mp->b_rptr,
1697 inlen + DEFAULT_AES_BLOCKLEN);
1698
1699 if (result != CRYPTO_SUCCESS) {
1700 cmn_err(CE_WARN, "aes_encrypt: aes_cbc_cts_encrypt "
1701 "failed - error %0x", result);
1702 goto cleanup;
1703 }
1704
1705 /* copy the truncated HMAC to the end of the mblk */
1706 bcopy(hmacbuff, mp->b_rptr + DEFAULT_AES_BLOCKLEN + inlen,
1707 AES_TRUNCATED_HMAC_LEN);
1708
1709 mp->b_wptr = mp->b_rptr + cipherlen;
1710
1711 /*
1712 * The final block of cipher text (not the HMAC) is used
1713 * as the next IV.
1714 */
1715 if (tmi->enc_data.ivec_usage != IVEC_NEVER &&
1716 tmi->enc_data.ivec != NULL) {
1717 int nblocks = (inlen + 2 * DEFAULT_AES_BLOCKLEN - 1) /
1718 DEFAULT_AES_BLOCKLEN;
1719
1720 bcopy(mp->b_rptr + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
1721 tmi->enc_data.ivec, DEFAULT_AES_BLOCKLEN);
1722 }
1723
1724 cleanup:
1725 if (result != CRYPTO_SUCCESS) {
1726 mp->b_datap->db_type = M_ERROR;
1727 mp->b_rptr = mp->b_datap->db_base;
1728 *mp->b_rptr = EIO;
1729 mp->b_wptr = mp->b_rptr + sizeof (char);
1730 freemsg(mp->b_cont);
1731 mp->b_cont = NULL;
1732 qreply(WR(q), mp);
1733 return (NULL);
1734 }
1735 return (mp);
1736 }
1737
1738 /*
1739 * ARCFOUR-HMAC-MD5 decrypt
1740 *
1741 * format of ciphertext when using ARCFOUR-HMAC-MD5
1742 * +-----------+------------+------------+
1743 * | hmac | confounder | msg-data |
1744 * +-----------+------------+------------+
1745 *
1746 */
1747 static mblk_t *
arcfour_hmac_md5_decrypt(queue_t * q,struct tmodinfo * tmi,mblk_t * mp,hash_info_t * hash)1748 arcfour_hmac_md5_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1749 hash_info_t *hash)
1750 {
1751 int result;
1752 size_t cipherlen;
1753 size_t inlen;
1754 size_t saltlen;
1755 crypto_key_t k1, k2;
1756 crypto_data_t indata;
1757 iovec_t v1;
1758 uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab,
1759 0xab, 0xab, 0xab, 0xab };
1760 uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES];
1761 uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES];
1762 uchar_t cksum[MD5_HASHSIZE];
1763 uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES];
1764 crypto_mechanism_t mech;
1765 int usage;
1766
1767 bzero(&indata, sizeof (indata));
1768
1769 /* The usage constant is 1026 for all "old" rcmd mode operations */
1770 if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1)
1771 usage = RCMDV1_USAGE;
1772 else
1773 usage = ARCFOUR_DECRYPT_USAGE;
1774
1775 /*
1776 * The size at this point should be the size of
1777 * all the plaintext plus the optional plaintext length
1778 * needed for RCMD V2 mode. There should also be room
1779 * at the head of the mblk for the confounder and hash info.
1780 */
1781 inlen = (size_t)MBLKL(mp);
1782
1783 /*
1784 * The cipherlen does not include the HMAC at the
1785 * head of the buffer.
1786 */
1787 cipherlen = inlen - hash->hash_len;
1788
1789 ASSERT(MBLKSIZE(mp) >= cipherlen);
1790 if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
1791 bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT));
1792 saltdata[9] = 0;
1793 saltdata[10] = usage & 0xff;
1794 saltdata[11] = (usage >> 8) & 0xff;
1795 saltdata[12] = (usage >> 16) & 0xff;
1796 saltdata[13] = (usage >> 24) & 0xff;
1797 saltlen = 14;
1798 } else {
1799 saltdata[0] = usage & 0xff;
1800 saltdata[1] = (usage >> 8) & 0xff;
1801 saltdata[2] = (usage >> 16) & 0xff;
1802 saltdata[3] = (usage >> 24) & 0xff;
1803 saltlen = 4;
1804 }
1805 /*
1806 * Use the salt value to create a key to be used
1807 * for subsequent HMAC operations.
1808 */
1809 result = do_hmac(md5_hmac_mech,
1810 tmi->dec_data.ckey,
1811 (char *)saltdata, saltlen,
1812 (char *)k1data, sizeof (k1data));
1813 if (result != CRYPTO_SUCCESS) {
1814 cmn_err(CE_WARN,
1815 "arcfour_hmac_md5_decrypt: do_hmac(k1)"
1816 "failed - error %0x", result);
1817 goto cleanup;
1818 }
1819 bcopy(k1data, k2data, sizeof (k1data));
1820
1821 /*
1822 * For the neutered MS RC4 encryption type,
1823 * set the trailing 9 bytes to 0xab per the
1824 * RC4-HMAC spec.
1825 */
1826 if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
1827 bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp));
1828 }
1829
1830 mech.cm_type = tmi->dec_data.mech_type;
1831 mech.cm_param = NULL;
1832 mech.cm_param_len = 0;
1833
1834 /*
1835 * If we have not yet initialized the decryption key,
1836 * context, and template, do it now.
1837 */
1838 if (tmi->dec_data.ctx == NULL ||
1839 (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) {
1840 k1.ck_format = CRYPTO_KEY_RAW;
1841 k1.ck_length = CRYPT_ARCFOUR_KEYBYTES * 8;
1842 k1.ck_data = k1data;
1843
1844 tmi->dec_data.d_encr_key.ck_format = CRYPTO_KEY_RAW;
1845 tmi->dec_data.d_encr_key.ck_length = k1.ck_length;
1846 if (tmi->dec_data.d_encr_key.ck_data == NULL)
1847 tmi->dec_data.d_encr_key.ck_data = kmem_zalloc(
1848 CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP);
1849
1850 /*
1851 * HMAC operation creates the encryption
1852 * key to be used for the decrypt operations.
1853 */
1854 result = do_hmac(md5_hmac_mech, &k1,
1855 (char *)mp->b_rptr, hash->hash_len,
1856 (char *)tmi->dec_data.d_encr_key.ck_data,
1857 CRYPT_ARCFOUR_KEYBYTES);
1858
1859
1860 if (result != CRYPTO_SUCCESS) {
1861 cmn_err(CE_WARN,
1862 "arcfour_hmac_md5_decrypt: do_hmac(k3)"
1863 "failed - error %0x", result);
1864 goto cleanup;
1865 }
1866 }
1867
1868 tmi->dec_data.enc_tmpl = NULL;
1869
1870 if (tmi->dec_data.ctx == NULL &&
1871 (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) {
1872 /*
1873 * Only create a template if we are doing
1874 * chaining from block to block.
1875 */
1876 result = crypto_create_ctx_template(&mech,
1877 &tmi->dec_data.d_encr_key,
1878 &tmi->dec_data.enc_tmpl,
1879 KM_SLEEP);
1880 if (result == CRYPTO_NOT_SUPPORTED) {
1881 tmi->dec_data.enc_tmpl = NULL;
1882 } else if (result != CRYPTO_SUCCESS) {
1883 cmn_err(CE_WARN,
1884 "arcfour_hmac_md5_decrypt: "
1885 "failed to create dec template "
1886 "for RC4 encrypt: %0x", result);
1887 goto cleanup;
1888 }
1889
1890 result = crypto_decrypt_init(&mech,
1891 &tmi->dec_data.d_encr_key,
1892 tmi->dec_data.enc_tmpl,
1893 &tmi->dec_data.ctx, NULL);
1894
1895 if (result != CRYPTO_SUCCESS) {
1896 cmn_err(CE_WARN, "crypto_decrypt_init failed:"
1897 " %0x", result);
1898 goto cleanup;
1899 }
1900 }
1901
1902 /* adjust the rptr so we don't decrypt the original hmac field */
1903
1904 v1.iov_base = (char *)mp->b_rptr + hash->hash_len;
1905 v1.iov_len = cipherlen;
1906
1907 indata.cd_format = CRYPTO_DATA_RAW;
1908 indata.cd_offset = 0;
1909 indata.cd_length = cipherlen;
1910 indata.cd_raw = v1;
1911
1912 if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
1913 result = crypto_decrypt_update(tmi->dec_data.ctx,
1914 &indata, NULL, NULL);
1915 else
1916 result = crypto_decrypt(&mech, &indata,
1917 &tmi->dec_data.d_encr_key, NULL, NULL, NULL);
1918
1919 if (result != CRYPTO_SUCCESS) {
1920 cmn_err(CE_WARN, "crypto_decrypt_update failed:"
1921 " %0x", result);
1922 goto cleanup;
1923 }
1924
1925 k2.ck_format = CRYPTO_KEY_RAW;
1926 k2.ck_length = sizeof (k2data) * 8;
1927 k2.ck_data = k2data;
1928
1929 result = do_hmac(md5_hmac_mech,
1930 &k2,
1931 (char *)mp->b_rptr + hash->hash_len, cipherlen,
1932 (char *)cksum, hash->hash_len);
1933
1934 if (result != CRYPTO_SUCCESS) {
1935 cmn_err(CE_WARN,
1936 "arcfour_hmac_md5_decrypt: do_hmac(k2)"
1937 "failed - error %0x", result);
1938 goto cleanup;
1939 }
1940
1941 if (bcmp(cksum, mp->b_rptr, hash->hash_len) != 0) {
1942 cmn_err(CE_WARN, "arcfour_decrypt HMAC comparison failed");
1943 result = -1;
1944 goto cleanup;
1945 }
1946
1947 /*
1948 * adjust the start of the mblk to skip over the
1949 * hash and confounder.
1950 */
1951 mp->b_rptr += hash->hash_len + hash->confound_len;
1952
1953 cleanup:
1954 bzero(k1data, sizeof (k1data));
1955 bzero(k2data, sizeof (k2data));
1956 bzero(cksum, sizeof (cksum));
1957 bzero(saltdata, sizeof (saltdata));
1958 if (result != CRYPTO_SUCCESS) {
1959 mp->b_datap->db_type = M_ERROR;
1960 mp->b_rptr = mp->b_datap->db_base;
1961 *mp->b_rptr = EIO;
1962 mp->b_wptr = mp->b_rptr + sizeof (char);
1963 freemsg(mp->b_cont);
1964 mp->b_cont = NULL;
1965 qreply(WR(q), mp);
1966 return (NULL);
1967 }
1968 return (mp);
1969 }
1970
1971 /*
1972 * ARCFOUR-HMAC-MD5 encrypt
1973 *
1974 * format of ciphertext when using ARCFOUR-HMAC-MD5
1975 * +-----------+------------+------------+
1976 * | hmac | confounder | msg-data |
1977 * +-----------+------------+------------+
1978 *
1979 */
1980 static mblk_t *
arcfour_hmac_md5_encrypt(queue_t * q,struct tmodinfo * tmi,mblk_t * mp,hash_info_t * hash)1981 arcfour_hmac_md5_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1982 hash_info_t *hash)
1983 {
1984 int result;
1985 size_t cipherlen;
1986 size_t inlen;
1987 size_t saltlen;
1988 crypto_key_t k1, k2;
1989 crypto_data_t indata;
1990 iovec_t v1;
1991 uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab,
1992 0xab, 0xab, 0xab, 0xab };
1993 uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES];
1994 uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES];
1995 uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES];
1996 crypto_mechanism_t mech;
1997 int usage;
1998
1999 bzero(&indata, sizeof (indata));
2000
2001 /* The usage constant is 1026 for all "old" rcmd mode operations */
2002 if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1)
2003 usage = RCMDV1_USAGE;
2004 else
2005 usage = ARCFOUR_ENCRYPT_USAGE;
2006
2007 mech.cm_type = tmi->enc_data.mech_type;
2008 mech.cm_param = NULL;
2009 mech.cm_param_len = 0;
2010
2011 /*
2012 * The size at this point should be the size of
2013 * all the plaintext plus the optional plaintext length
2014 * needed for RCMD V2 mode. There should also be room
2015 * at the head of the mblk for the confounder and hash info.
2016 */
2017 inlen = (size_t)MBLKL(mp);
2018
2019 cipherlen = encrypt_size(&tmi->enc_data, inlen);
2020
2021 ASSERT(MBLKSIZE(mp) >= cipherlen);
2022
2023 /*
2024 * Shift the rptr back enough to insert
2025 * the confounder and hash.
2026 */
2027 mp->b_rptr -= (hash->confound_len + hash->hash_len);
2028
2029 /* zero out the hash area */
2030 bzero(mp->b_rptr, (size_t)hash->hash_len);
2031
2032 if (cipherlen > inlen) {
2033 bzero(mp->b_wptr, MBLKTAIL(mp));
2034 }
2035
2036 if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
2037 bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT));
2038 saltdata[9] = 0;
2039 saltdata[10] = usage & 0xff;
2040 saltdata[11] = (usage >> 8) & 0xff;
2041 saltdata[12] = (usage >> 16) & 0xff;
2042 saltdata[13] = (usage >> 24) & 0xff;
2043 saltlen = 14;
2044 } else {
2045 saltdata[0] = usage & 0xff;
2046 saltdata[1] = (usage >> 8) & 0xff;
2047 saltdata[2] = (usage >> 16) & 0xff;
2048 saltdata[3] = (usage >> 24) & 0xff;
2049 saltlen = 4;
2050 }
2051 /*
2052 * Use the salt value to create a key to be used
2053 * for subsequent HMAC operations.
2054 */
2055 result = do_hmac(md5_hmac_mech,
2056 tmi->enc_data.ckey,
2057 (char *)saltdata, saltlen,
2058 (char *)k1data, sizeof (k1data));
2059 if (result != CRYPTO_SUCCESS) {
2060 cmn_err(CE_WARN,
2061 "arcfour_hmac_md5_encrypt: do_hmac(k1)"
2062 "failed - error %0x", result);
2063 goto cleanup;
2064 }
2065
2066 bcopy(k1data, k2data, sizeof (k2data));
2067
2068 /*
2069 * For the neutered MS RC4 encryption type,
2070 * set the trailing 9 bytes to 0xab per the
2071 * RC4-HMAC spec.
2072 */
2073 if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
2074 bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp));
2075 }
2076
2077 /*
2078 * Get the confounder bytes.
2079 */
2080 (void) random_get_pseudo_bytes(
2081 (uint8_t *)(mp->b_rptr + hash->hash_len),
2082 (size_t)hash->confound_len);
2083
2084 k2.ck_data = k2data;
2085 k2.ck_format = CRYPTO_KEY_RAW;
2086 k2.ck_length = sizeof (k2data) * 8;
2087
2088 /*
2089 * This writes the HMAC to the hash area in the
2090 * mblk. The key used is the one just created by
2091 * the previous HMAC operation.
2092 * The data being processed is the confounder bytes
2093 * PLUS the input plaintext.
2094 */
2095 result = do_hmac(md5_hmac_mech, &k2,
2096 (char *)mp->b_rptr + hash->hash_len,
2097 hash->confound_len + inlen,
2098 (char *)mp->b_rptr, hash->hash_len);
2099 if (result != CRYPTO_SUCCESS) {
2100 cmn_err(CE_WARN,
2101 "arcfour_hmac_md5_encrypt: do_hmac(k2)"
2102 "failed - error %0x", result);
2103 goto cleanup;
2104 }
2105 /*
2106 * Because of the odd way that MIT uses RC4 keys
2107 * on the rlogin stream, we only need to create
2108 * this key once.
2109 * However, if using "old" rcmd mode, we need to do
2110 * it every time.
2111 */
2112 if (tmi->enc_data.ctx == NULL ||
2113 (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) {
2114 crypto_key_t *key = &tmi->enc_data.d_encr_key;
2115
2116 k1.ck_data = k1data;
2117 k1.ck_format = CRYPTO_KEY_RAW;
2118 k1.ck_length = sizeof (k1data) * 8;
2119
2120 key->ck_format = CRYPTO_KEY_RAW;
2121 key->ck_length = k1.ck_length;
2122 if (key->ck_data == NULL)
2123 key->ck_data = kmem_zalloc(
2124 CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP);
2125
2126 /*
2127 * The final HMAC operation creates the encryption
2128 * key to be used for the encrypt operation.
2129 */
2130 result = do_hmac(md5_hmac_mech, &k1,
2131 (char *)mp->b_rptr, hash->hash_len,
2132 (char *)key->ck_data, CRYPT_ARCFOUR_KEYBYTES);
2133
2134 if (result != CRYPTO_SUCCESS) {
2135 cmn_err(CE_WARN,
2136 "arcfour_hmac_md5_encrypt: do_hmac(k3)"
2137 "failed - error %0x", result);
2138 goto cleanup;
2139 }
2140 }
2141
2142 /*
2143 * If the context has not been initialized, do it now.
2144 */
2145 if (tmi->enc_data.ctx == NULL &&
2146 (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) {
2147 /*
2148 * Only create a template if we are doing
2149 * chaining from block to block.
2150 */
2151 result = crypto_create_ctx_template(&mech,
2152 &tmi->enc_data.d_encr_key,
2153 &tmi->enc_data.enc_tmpl,
2154 KM_SLEEP);
2155 if (result == CRYPTO_NOT_SUPPORTED) {
2156 tmi->enc_data.enc_tmpl = NULL;
2157 } else if (result != CRYPTO_SUCCESS) {
2158 cmn_err(CE_WARN, "failed to create enc template "
2159 "for RC4 encrypt: %0x", result);
2160 goto cleanup;
2161 }
2162
2163 result = crypto_encrypt_init(&mech,
2164 &tmi->enc_data.d_encr_key,
2165 tmi->enc_data.enc_tmpl,
2166 &tmi->enc_data.ctx, NULL);
2167 if (result != CRYPTO_SUCCESS) {
2168 cmn_err(CE_WARN, "crypto_encrypt_init failed:"
2169 " %0x", result);
2170 goto cleanup;
2171 }
2172 }
2173 v1.iov_base = (char *)mp->b_rptr + hash->hash_len;
2174 v1.iov_len = hash->confound_len + inlen;
2175
2176 indata.cd_format = CRYPTO_DATA_RAW;
2177 indata.cd_offset = 0;
2178 indata.cd_length = hash->confound_len + inlen;
2179 indata.cd_raw = v1;
2180
2181 if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
2182 result = crypto_encrypt_update(tmi->enc_data.ctx,
2183 &indata, NULL, NULL);
2184 else
2185 result = crypto_encrypt(&mech, &indata,
2186 &tmi->enc_data.d_encr_key, NULL,
2187 NULL, NULL);
2188
2189 if (result != CRYPTO_SUCCESS) {
2190 cmn_err(CE_WARN, "crypto_encrypt_update failed: 0x%0x",
2191 result);
2192 }
2193
2194 cleanup:
2195 bzero(k1data, sizeof (k1data));
2196 bzero(k2data, sizeof (k2data));
2197 bzero(saltdata, sizeof (saltdata));
2198 if (result != CRYPTO_SUCCESS) {
2199 mp->b_datap->db_type = M_ERROR;
2200 mp->b_rptr = mp->b_datap->db_base;
2201 *mp->b_rptr = EIO;
2202 mp->b_wptr = mp->b_rptr + sizeof (char);
2203 freemsg(mp->b_cont);
2204 mp->b_cont = NULL;
2205 qreply(WR(q), mp);
2206 return (NULL);
2207 }
2208 return (mp);
2209 }
2210
2211 /*
2212 * DES-CBC-[HASH] encrypt
2213 *
2214 * Needed to support userland apps that must support Kerberos V5
2215 * encryption DES-CBC encryption modes.
2216 *
2217 * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1
2218 *
2219 * format of ciphertext for DES-CBC functions, per RFC1510 is:
2220 * +-----------+----------+-------------+-----+
2221 * |confounder | cksum | msg-data | pad |
2222 * +-----------+----------+-------------+-----+
2223 *
2224 * format of ciphertext when using DES3-SHA1-HMAC
2225 * +-----------+----------+-------------+-----+
2226 * |confounder | msg-data | hmac | pad |
2227 * +-----------+----------+-------------+-----+
2228 *
2229 * The confounder is 8 bytes of random data.
2230 * The cksum depends on the hash being used.
2231 * 4 bytes for CRC32
2232 * 16 bytes for MD5
2233 * 20 bytes for SHA1
2234 * 0 bytes for RAW
2235 *
2236 */
2237 static mblk_t *
des_cbc_encrypt(queue_t * q,struct tmodinfo * tmi,mblk_t * mp,hash_info_t * hash)2238 des_cbc_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash)
2239 {
2240 int result;
2241 size_t cipherlen;
2242 size_t inlen;
2243 size_t plainlen;
2244
2245 /*
2246 * The size at this point should be the size of
2247 * all the plaintext plus the optional plaintext length
2248 * needed for RCMD V2 mode. There should also be room
2249 * at the head of the mblk for the confounder and hash info.
2250 */
2251 inlen = (size_t)MBLKL(mp);
2252
2253 /*
2254 * The output size will be a multiple of 8 because this algorithm
2255 * only works on 8 byte chunks.
2256 */
2257 cipherlen = encrypt_size(&tmi->enc_data, inlen);
2258
2259 ASSERT(MBLKSIZE(mp) >= cipherlen);
2260
2261 if (cipherlen > inlen) {
2262 bzero(mp->b_wptr, MBLKTAIL(mp));
2263 }
2264
2265 /*
2266 * Shift the rptr back enough to insert
2267 * the confounder and hash.
2268 */
2269 if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2270 mp->b_rptr -= hash->confound_len;
2271 } else {
2272 mp->b_rptr -= (hash->confound_len + hash->hash_len);
2273
2274 /* zero out the hash area */
2275 bzero(mp->b_rptr + hash->confound_len, (size_t)hash->hash_len);
2276 }
2277
2278 /* get random confounder from our friend, the 'random' module */
2279 if (hash->confound_len > 0) {
2280 (void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr,
2281 (size_t)hash->confound_len);
2282 }
2283
2284 /*
2285 * For 3DES we calculate an HMAC later.
2286 */
2287 if (tmi->enc_data.method != CRYPT_METHOD_DES3_CBC_SHA1) {
2288 /* calculate chksum of confounder + input */
2289 if (hash->hash_len > 0 && hash->hashfunc != NULL) {
2290 uchar_t cksum[MAX_CKSUM_LEN];
2291
2292 result = hash->hashfunc(cksum, mp->b_rptr,
2293 cipherlen);
2294 if (result != CRYPTO_SUCCESS) {
2295 goto failure;
2296 }
2297
2298 /* put hash in place right after the confounder */
2299 bcopy(cksum, (mp->b_rptr + hash->confound_len),
2300 (size_t)hash->hash_len);
2301 }
2302 }
2303 /*
2304 * In order to support the "old" Kerberos RCMD protocol,
2305 * we must use the IVEC 3 different ways:
2306 * IVEC_REUSE = keep using the same IV each time, this is
2307 * ugly and insecure, but necessary for
2308 * backwards compatibility with existing MIT code.
2309 * IVEC_ONETIME = Use the ivec as initialized when the crypto
2310 * was setup (see setup_crypto routine).
2311 * IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk).
2312 */
2313 if (tmi->enc_data.ivec_usage == IVEC_NEVER) {
2314 bzero(tmi->enc_data.block, tmi->enc_data.blocklen);
2315 } else if (tmi->enc_data.ivec_usage == IVEC_REUSE) {
2316 bcopy(tmi->enc_data.ivec, tmi->enc_data.block,
2317 tmi->enc_data.blocklen);
2318 }
2319
2320 if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2321 /*
2322 * The input length already included the hash size,
2323 * don't include this in the plaintext length
2324 * calculations.
2325 */
2326 plainlen = cipherlen - hash->hash_len;
2327
2328 mp->b_wptr = mp->b_rptr + plainlen;
2329
2330 result = kef_encr_hmac(&tmi->enc_data,
2331 (void *)mp, (size_t)plainlen,
2332 (char *)(mp->b_rptr + plainlen),
2333 hash->hash_len);
2334 } else {
2335 ASSERT(mp->b_rptr + cipherlen <= DB_LIM(mp));
2336 mp->b_wptr = mp->b_rptr + cipherlen;
2337 result = kef_crypt(&tmi->enc_data, (void *)mp,
2338 CRYPTO_DATA_MBLK, (size_t)cipherlen,
2339 CRYPT_ENCRYPT);
2340 }
2341 failure:
2342 if (result != CRYPTO_SUCCESS) {
2343 #ifdef DEBUG
2344 cmn_err(CE_WARN,
2345 "des_cbc_encrypt: kef_crypt encrypt "
2346 "failed (len: %ld) - error %0x",
2347 cipherlen, result);
2348 #endif
2349 mp->b_datap->db_type = M_ERROR;
2350 mp->b_rptr = mp->b_datap->db_base;
2351 *mp->b_rptr = EIO;
2352 mp->b_wptr = mp->b_rptr + sizeof (char);
2353 freemsg(mp->b_cont);
2354 mp->b_cont = NULL;
2355 qreply(WR(q), mp);
2356 return (NULL);
2357 } else if (tmi->enc_data.ivec_usage == IVEC_ONETIME) {
2358 /*
2359 * Because we are using KEF, we must manually
2360 * update our IV.
2361 */
2362 bcopy(mp->b_wptr - tmi->enc_data.ivlen,
2363 tmi->enc_data.block, tmi->enc_data.ivlen);
2364 }
2365 if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2366 mp->b_wptr = mp->b_rptr + cipherlen;
2367 }
2368
2369 return (mp);
2370 }
2371
2372 /*
2373 * des_cbc_decrypt
2374 *
2375 *
2376 * Needed to support userland apps that must support Kerberos V5
2377 * encryption DES-CBC decryption modes.
2378 *
2379 * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1
2380 *
2381 * format of ciphertext for DES-CBC functions, per RFC1510 is:
2382 * +-----------+----------+-------------+-----+
2383 * |confounder | cksum | msg-data | pad |
2384 * +-----------+----------+-------------+-----+
2385 *
2386 * format of ciphertext when using DES3-SHA1-HMAC
2387 * +-----------+----------+-------------+-----+
2388 * |confounder | msg-data | hmac | pad |
2389 * +-----------+----------+-------------+-----+
2390 *
2391 * The confounder is 8 bytes of random data.
2392 * The cksum depends on the hash being used.
2393 * 4 bytes for CRC32
2394 * 16 bytes for MD5
2395 * 20 bytes for SHA1
2396 * 0 bytes for RAW
2397 *
2398 */
2399 static mblk_t *
des_cbc_decrypt(queue_t * q,struct tmodinfo * tmi,mblk_t * mp,hash_info_t * hash)2400 des_cbc_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash)
2401 {
2402 uint_t inlen, datalen;
2403 int result = 0;
2404 uchar_t *optr = NULL;
2405 uchar_t cksum[MAX_CKSUM_LEN], newcksum[MAX_CKSUM_LEN];
2406 uchar_t nextiv[DEFAULT_DES_BLOCKLEN];
2407
2408 /* Compute adjusted size */
2409 inlen = MBLKL(mp);
2410
2411 optr = mp->b_rptr;
2412
2413 /*
2414 * In order to support the "old" Kerberos RCMD protocol,
2415 * we must use the IVEC 3 different ways:
2416 * IVEC_REUSE = keep using the same IV each time, this is
2417 * ugly and insecure, but necessary for
2418 * backwards compatibility with existing MIT code.
2419 * IVEC_ONETIME = Use the ivec as initialized when the crypto
2420 * was setup (see setup_crypto routine).
2421 * IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk).
2422 */
2423 if (tmi->dec_data.ivec_usage == IVEC_NEVER)
2424 bzero(tmi->dec_data.block, tmi->dec_data.blocklen);
2425 else if (tmi->dec_data.ivec_usage == IVEC_REUSE)
2426 bcopy(tmi->dec_data.ivec, tmi->dec_data.block,
2427 tmi->dec_data.blocklen);
2428
2429 if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2430 /*
2431 * Do not decrypt the HMAC at the end
2432 */
2433 int decrypt_len = inlen - hash->hash_len;
2434
2435 /*
2436 * Move the wptr so the mblk appears to end
2437 * BEFORE the HMAC section.
2438 */
2439 mp->b_wptr = mp->b_rptr + decrypt_len;
2440
2441 /*
2442 * Because we are using KEF, we must manually update our
2443 * IV.
2444 */
2445 if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
2446 bcopy(mp->b_rptr + decrypt_len - tmi->dec_data.ivlen,
2447 nextiv, tmi->dec_data.ivlen);
2448 }
2449
2450 result = kef_decr_hmac(&tmi->dec_data, mp, decrypt_len,
2451 (char *)newcksum, hash->hash_len);
2452 } else {
2453 /*
2454 * Because we are using KEF, we must manually update our
2455 * IV.
2456 */
2457 if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
2458 bcopy(mp->b_wptr - tmi->enc_data.ivlen, nextiv,
2459 tmi->dec_data.ivlen);
2460 }
2461 result = kef_crypt(&tmi->dec_data, (void *)mp,
2462 CRYPTO_DATA_MBLK, (size_t)inlen, CRYPT_DECRYPT);
2463 }
2464 if (result != CRYPTO_SUCCESS) {
2465 #ifdef DEBUG
2466 cmn_err(CE_WARN,
2467 "des_cbc_decrypt: kef_crypt decrypt "
2468 "failed - error %0x", result);
2469 #endif
2470 mp->b_datap->db_type = M_ERROR;
2471 mp->b_rptr = mp->b_datap->db_base;
2472 *mp->b_rptr = EIO;
2473 mp->b_wptr = mp->b_rptr + sizeof (char);
2474 freemsg(mp->b_cont);
2475 mp->b_cont = NULL;
2476 qreply(WR(q), mp);
2477 return (NULL);
2478 }
2479
2480 /*
2481 * Manually update the IV, KEF does not track this for us.
2482 */
2483 if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
2484 bcopy(nextiv, tmi->dec_data.block, tmi->dec_data.ivlen);
2485 }
2486
2487 /* Verify the checksum(if necessary) */
2488 if (hash->hash_len > 0) {
2489 if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2490 bcopy(mp->b_rptr + inlen - hash->hash_len, cksum,
2491 hash->hash_len);
2492 } else {
2493 bcopy(optr + hash->confound_len, cksum, hash->hash_len);
2494
2495 /* zero the cksum in the buffer */
2496 ASSERT(optr + hash->confound_len + hash->hash_len <=
2497 DB_LIM(mp));
2498 bzero(optr + hash->confound_len, hash->hash_len);
2499
2500 /* calculate MD5 chksum of confounder + input */
2501 if (hash->hashfunc) {
2502 (void) hash->hashfunc(newcksum, optr, inlen);
2503 }
2504 }
2505
2506 if (bcmp(cksum, newcksum, hash->hash_len)) {
2507 #ifdef DEBUG
2508 cmn_err(CE_WARN, "des_cbc_decrypt: checksum "
2509 "verification failed");
2510 #endif
2511 mp->b_datap->db_type = M_ERROR;
2512 mp->b_rptr = mp->b_datap->db_base;
2513 *mp->b_rptr = EIO;
2514 mp->b_wptr = mp->b_rptr + sizeof (char);
2515 freemsg(mp->b_cont);
2516 mp->b_cont = NULL;
2517 qreply(WR(q), mp);
2518 return (NULL);
2519 }
2520 }
2521
2522 datalen = inlen - hash->confound_len - hash->hash_len;
2523
2524 /* Move just the decrypted input into place if necessary */
2525 if (hash->confound_len > 0 || hash->hash_len > 0) {
2526 if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1)
2527 mp->b_rptr += hash->confound_len;
2528 else
2529 mp->b_rptr += hash->confound_len + hash->hash_len;
2530 }
2531
2532 ASSERT(mp->b_rptr + datalen <= DB_LIM(mp));
2533 mp->b_wptr = mp->b_rptr + datalen;
2534
2535 return (mp);
2536 }
2537
2538 static mblk_t *
do_decrypt(queue_t * q,mblk_t * mp)2539 do_decrypt(queue_t *q, mblk_t *mp)
2540 {
2541 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
2542 mblk_t *outmp;
2543
2544 switch (tmi->dec_data.method) {
2545 case CRYPT_METHOD_DES_CFB:
2546 outmp = des_cfb_decrypt(q, tmi, mp);
2547 break;
2548 case CRYPT_METHOD_NONE:
2549 outmp = mp;
2550 break;
2551 case CRYPT_METHOD_DES_CBC_NULL:
2552 outmp = des_cbc_decrypt(q, tmi, mp, &null_hash);
2553 break;
2554 case CRYPT_METHOD_DES_CBC_MD5:
2555 outmp = des_cbc_decrypt(q, tmi, mp, &md5_hash);
2556 break;
2557 case CRYPT_METHOD_DES_CBC_CRC:
2558 outmp = des_cbc_decrypt(q, tmi, mp, &crc32_hash);
2559 break;
2560 case CRYPT_METHOD_DES3_CBC_SHA1:
2561 outmp = des_cbc_decrypt(q, tmi, mp, &sha1_hash);
2562 break;
2563 case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
2564 case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
2565 outmp = arcfour_hmac_md5_decrypt(q, tmi, mp, &md5_hash);
2566 break;
2567 case CRYPT_METHOD_AES128:
2568 case CRYPT_METHOD_AES256:
2569 outmp = aes_decrypt(q, tmi, mp, &sha1_hash);
2570 break;
2571 }
2572 return (outmp);
2573 }
2574
2575 /*
2576 * do_encrypt
2577 *
2578 * Generic encryption routine for a single message block.
2579 * The input mblk may be replaced by some encrypt routines
2580 * because they add extra data in some cases that may exceed
2581 * the input mblk_t size limit.
2582 */
2583 static mblk_t *
do_encrypt(queue_t * q,mblk_t * mp)2584 do_encrypt(queue_t *q, mblk_t *mp)
2585 {
2586 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
2587 mblk_t *outmp;
2588
2589 switch (tmi->enc_data.method) {
2590 case CRYPT_METHOD_DES_CFB:
2591 outmp = des_cfb_encrypt(q, tmi, mp);
2592 break;
2593 case CRYPT_METHOD_DES_CBC_NULL:
2594 outmp = des_cbc_encrypt(q, tmi, mp, &null_hash);
2595 break;
2596 case CRYPT_METHOD_DES_CBC_MD5:
2597 outmp = des_cbc_encrypt(q, tmi, mp, &md5_hash);
2598 break;
2599 case CRYPT_METHOD_DES_CBC_CRC:
2600 outmp = des_cbc_encrypt(q, tmi, mp, &crc32_hash);
2601 break;
2602 case CRYPT_METHOD_DES3_CBC_SHA1:
2603 outmp = des_cbc_encrypt(q, tmi, mp, &sha1_hash);
2604 break;
2605 case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
2606 case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
2607 outmp = arcfour_hmac_md5_encrypt(q, tmi, mp, &md5_hash);
2608 break;
2609 case CRYPT_METHOD_AES128:
2610 case CRYPT_METHOD_AES256:
2611 outmp = aes_encrypt(q, tmi, mp, &sha1_hash);
2612 break;
2613 case CRYPT_METHOD_NONE:
2614 outmp = mp;
2615 break;
2616 }
2617 return (outmp);
2618 }
2619
2620 /*
2621 * setup_crypto
2622 *
2623 * This takes the data from the CRYPTIOCSETUP ioctl
2624 * and sets up a cipher_data_t structure for either
2625 * encryption or decryption. This is where the
2626 * key and initialization vector data get stored
2627 * prior to beginning any crypto functions.
2628 *
2629 * Special note:
2630 * Some applications(e.g. telnetd) have ability to switch
2631 * crypto on/off periodically. Thus, the application may call
2632 * the CRYPTIOCSETUP ioctl many times for the same stream.
2633 * If the CRYPTIOCSETUP is called with 0 length key or ivec fields
2634 * assume that the key, block, and saveblock fields that are already
2635 * set from a previous CRIOCSETUP call are still valid. This helps avoid
2636 * a rekeying error that could occur if we overwrite these fields
2637 * with each CRYPTIOCSETUP call.
2638 * In short, sometimes, CRYPTIOCSETUP is used to simply toggle on/off
2639 * without resetting the original crypto parameters.
2640 *
2641 */
2642 static int
setup_crypto(struct cr_info_t * ci,struct cipher_data_t * cd,int encrypt)2643 setup_crypto(struct cr_info_t *ci, struct cipher_data_t *cd, int encrypt)
2644 {
2645 uint_t newblocklen;
2646 uint32_t enc_usage = 0, dec_usage = 0;
2647 int rv;
2648
2649 /*
2650 * Initial sanity checks
2651 */
2652 if (!CR_METHOD_OK(ci->crypto_method)) {
2653 cmn_err(CE_WARN, "Illegal crypto method (%d)",
2654 ci->crypto_method);
2655 return (EINVAL);
2656 }
2657 if (!CR_OPTIONS_OK(ci->option_mask)) {
2658 cmn_err(CE_WARN, "Illegal crypto options (%d)",
2659 ci->option_mask);
2660 return (EINVAL);
2661 }
2662 if (!CR_IVUSAGE_OK(ci->ivec_usage)) {
2663 cmn_err(CE_WARN, "Illegal ivec usage value (%d)",
2664 ci->ivec_usage);
2665 return (EINVAL);
2666 }
2667
2668 cd->method = ci->crypto_method;
2669 cd->bytes = 0;
2670
2671 if (ci->keylen > 0) {
2672 if (cd->key != NULL) {
2673 kmem_free(cd->key, cd->keylen);
2674 cd->key = NULL;
2675 cd->keylen = 0;
2676 }
2677 /*
2678 * cd->key holds the copy of the raw key bytes passed in
2679 * from the userland app.
2680 */
2681 cd->key = (char *)kmem_alloc((size_t)ci->keylen, KM_SLEEP);
2682
2683 cd->keylen = ci->keylen;
2684 bcopy(ci->key, cd->key, (size_t)ci->keylen);
2685 }
2686
2687 /*
2688 * Configure the block size based on the type of cipher.
2689 */
2690 switch (cd->method) {
2691 case CRYPT_METHOD_NONE:
2692 newblocklen = 0;
2693 break;
2694 case CRYPT_METHOD_DES_CFB:
2695 newblocklen = DEFAULT_DES_BLOCKLEN;
2696 cd->mech_type = crypto_mech2id(SUN_CKM_DES_ECB);
2697 break;
2698 case CRYPT_METHOD_DES_CBC_NULL:
2699 case CRYPT_METHOD_DES_CBC_MD5:
2700 case CRYPT_METHOD_DES_CBC_CRC:
2701 newblocklen = DEFAULT_DES_BLOCKLEN;
2702 cd->mech_type = crypto_mech2id(SUN_CKM_DES_CBC);
2703 break;
2704 case CRYPT_METHOD_DES3_CBC_SHA1:
2705 newblocklen = DEFAULT_DES_BLOCKLEN;
2706 cd->mech_type = crypto_mech2id(SUN_CKM_DES3_CBC);
2707 /* 3DES always uses the old usage constant */
2708 enc_usage = RCMDV1_USAGE;
2709 dec_usage = RCMDV1_USAGE;
2710 break;
2711 case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
2712 case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
2713 newblocklen = 0;
2714 cd->mech_type = crypto_mech2id(SUN_CKM_RC4);
2715 break;
2716 case CRYPT_METHOD_AES128:
2717 case CRYPT_METHOD_AES256:
2718 newblocklen = DEFAULT_AES_BLOCKLEN;
2719 cd->mech_type = crypto_mech2id(SUN_CKM_AES_ECB);
2720 enc_usage = AES_ENCRYPT_USAGE;
2721 dec_usage = AES_DECRYPT_USAGE;
2722 break;
2723 }
2724 if (cd->mech_type == CRYPTO_MECH_INVALID) {
2725 return (CRYPTO_FAILED);
2726 }
2727
2728 /*
2729 * If RC4, initialize the master crypto key used by
2730 * the RC4 algorithm to derive the final encrypt and decrypt keys.
2731 */
2732 if (cd->keylen > 0 && IS_RC4_METHOD(cd->method)) {
2733 /*
2734 * cd->ckey is a kernel crypto key structure used as the
2735 * master key in the RC4-HMAC crypto operations.
2736 */
2737 if (cd->ckey == NULL) {
2738 cd->ckey = (crypto_key_t *)kmem_zalloc(
2739 sizeof (crypto_key_t), KM_SLEEP);
2740 }
2741
2742 cd->ckey->ck_format = CRYPTO_KEY_RAW;
2743 cd->ckey->ck_data = cd->key;
2744
2745 /* key length for EF is measured in bits */
2746 cd->ckey->ck_length = cd->keylen * 8;
2747 }
2748
2749 /*
2750 * cd->block and cd->saveblock are used as temporary storage for
2751 * data that must be carried over between encrypt/decrypt operations
2752 * in some of the "feedback" modes.
2753 */
2754 if (newblocklen != cd->blocklen) {
2755 if (cd->block != NULL) {
2756 kmem_free(cd->block, cd->blocklen);
2757 cd->block = NULL;
2758 }
2759
2760 if (cd->saveblock != NULL) {
2761 kmem_free(cd->saveblock, cd->blocklen);
2762 cd->saveblock = NULL;
2763 }
2764
2765 cd->blocklen = newblocklen;
2766 if (cd->blocklen) {
2767 cd->block = (char *)kmem_zalloc((size_t)cd->blocklen,
2768 KM_SLEEP);
2769 }
2770
2771 if (cd->method == CRYPT_METHOD_DES_CFB)
2772 cd->saveblock = (char *)kmem_zalloc(cd->blocklen,
2773 KM_SLEEP);
2774 else
2775 cd->saveblock = NULL;
2776 }
2777
2778 if (ci->iveclen != cd->ivlen) {
2779 if (cd->ivec != NULL) {
2780 kmem_free(cd->ivec, cd->ivlen);
2781 cd->ivec = NULL;
2782 }
2783 if (ci->ivec_usage != IVEC_NEVER && ci->iveclen > 0) {
2784 cd->ivec = (char *)kmem_zalloc((size_t)ci->iveclen,
2785 KM_SLEEP);
2786 cd->ivlen = ci->iveclen;
2787 } else {
2788 cd->ivlen = 0;
2789 cd->ivec = NULL;
2790 }
2791 }
2792 cd->option_mask = ci->option_mask;
2793
2794 /*
2795 * Old protocol requires a static 'usage' value for
2796 * deriving keys. Yuk.
2797 */
2798 if (cd->option_mask & CRYPTOPT_RCMD_MODE_V1) {
2799 enc_usage = dec_usage = RCMDV1_USAGE;
2800 }
2801
2802 if (cd->ivlen > cd->blocklen) {
2803 cmn_err(CE_WARN, "setup_crypto: IV longer than block size");
2804 return (EINVAL);
2805 }
2806
2807 /*
2808 * If we are using an IVEC "correctly" (i.e. set it once)
2809 * copy it here.
2810 */
2811 if (ci->ivec_usage == IVEC_ONETIME && cd->block != NULL)
2812 bcopy(ci->ivec, cd->block, (size_t)cd->ivlen);
2813
2814 cd->ivec_usage = ci->ivec_usage;
2815 if (cd->ivec != NULL) {
2816 /* Save the original IVEC in case we need it later */
2817 bcopy(ci->ivec, cd->ivec, (size_t)cd->ivlen);
2818 }
2819 /*
2820 * Special handling for 3DES-SHA1-HMAC and AES crypto:
2821 * generate derived keys and context templates
2822 * for better performance.
2823 */
2824 if (cd->method == CRYPT_METHOD_DES3_CBC_SHA1 ||
2825 IS_AES_METHOD(cd->method)) {
2826 crypto_mechanism_t enc_mech;
2827 crypto_mechanism_t hmac_mech;
2828
2829 if (cd->d_encr_key.ck_data != NULL) {
2830 bzero(cd->d_encr_key.ck_data, cd->keylen);
2831 kmem_free(cd->d_encr_key.ck_data, cd->keylen);
2832 }
2833
2834 if (cd->d_hmac_key.ck_data != NULL) {
2835 bzero(cd->d_hmac_key.ck_data, cd->keylen);
2836 kmem_free(cd->d_hmac_key.ck_data, cd->keylen);
2837 }
2838
2839 if (cd->enc_tmpl != NULL)
2840 (void) crypto_destroy_ctx_template(cd->enc_tmpl);
2841
2842 if (cd->hmac_tmpl != NULL)
2843 (void) crypto_destroy_ctx_template(cd->hmac_tmpl);
2844
2845 enc_mech.cm_type = cd->mech_type;
2846 enc_mech.cm_param = cd->ivec;
2847 enc_mech.cm_param_len = cd->ivlen;
2848
2849 hmac_mech.cm_type = sha1_hmac_mech;
2850 hmac_mech.cm_param = NULL;
2851 hmac_mech.cm_param_len = 0;
2852
2853 /*
2854 * Create the derived keys.
2855 */
2856 rv = create_derived_keys(cd,
2857 (encrypt ? enc_usage : dec_usage),
2858 &cd->d_encr_key, &cd->d_hmac_key);
2859
2860 if (rv != CRYPTO_SUCCESS) {
2861 cmn_err(CE_WARN, "failed to create derived "
2862 "keys: %0x", rv);
2863 return (CRYPTO_FAILED);
2864 }
2865
2866 rv = crypto_create_ctx_template(&enc_mech,
2867 &cd->d_encr_key,
2868 &cd->enc_tmpl, KM_SLEEP);
2869 if (rv == CRYPTO_MECH_NOT_SUPPORTED) {
2870 cd->enc_tmpl = NULL;
2871 } else if (rv != CRYPTO_SUCCESS) {
2872 cmn_err(CE_WARN, "failed to create enc template "
2873 "for d_encr_key: %0x", rv);
2874 return (CRYPTO_FAILED);
2875 }
2876
2877 rv = crypto_create_ctx_template(&hmac_mech,
2878 &cd->d_hmac_key,
2879 &cd->hmac_tmpl, KM_SLEEP);
2880 if (rv == CRYPTO_MECH_NOT_SUPPORTED) {
2881 cd->hmac_tmpl = NULL;
2882 } else if (rv != CRYPTO_SUCCESS) {
2883 cmn_err(CE_WARN, "failed to create hmac template:"
2884 " %0x", rv);
2885 return (CRYPTO_FAILED);
2886 }
2887 } else if (IS_RC4_METHOD(cd->method)) {
2888 bzero(&cd->d_encr_key, sizeof (crypto_key_t));
2889 bzero(&cd->d_hmac_key, sizeof (crypto_key_t));
2890 cd->ctx = NULL;
2891 cd->enc_tmpl = NULL;
2892 cd->hmac_tmpl = NULL;
2893 }
2894
2895 /* Final sanity checks, make sure no fields are NULL */
2896 if (cd->method != CRYPT_METHOD_NONE) {
2897 if (cd->block == NULL && cd->blocklen > 0) {
2898 #ifdef DEBUG
2899 cmn_err(CE_WARN,
2900 "setup_crypto: IV block not allocated");
2901 #endif
2902 return (ENOMEM);
2903 }
2904 if (cd->key == NULL && cd->keylen > 0) {
2905 #ifdef DEBUG
2906 cmn_err(CE_WARN,
2907 "setup_crypto: key block not allocated");
2908 #endif
2909 return (ENOMEM);
2910 }
2911 if (cd->method == CRYPT_METHOD_DES_CFB &&
2912 cd->saveblock == NULL && cd->blocklen > 0) {
2913 #ifdef DEBUG
2914 cmn_err(CE_WARN,
2915 "setup_crypto: save block not allocated");
2916 #endif
2917 return (ENOMEM);
2918 }
2919 if (cd->ivec == NULL && cd->ivlen > 0) {
2920 #ifdef DEBUG
2921 cmn_err(CE_WARN,
2922 "setup_crypto: IV not allocated");
2923 #endif
2924 return (ENOMEM);
2925 }
2926 }
2927 return (0);
2928 }
2929
2930 /*
2931 * RCMDS require a 4 byte, clear text
2932 * length field before each message.
2933 * Add it now.
2934 */
2935 static mblk_t *
mklenmp(mblk_t * bp,uint32_t len)2936 mklenmp(mblk_t *bp, uint32_t len)
2937 {
2938 mblk_t *lenmp;
2939 uchar_t *ucp;
2940
2941 if (bp->b_rptr - 4 < DB_BASE(bp) || DB_REF(bp) > 1) {
2942 lenmp = allocb(4, BPRI_MED);
2943 if (lenmp != NULL) {
2944 lenmp->b_rptr = lenmp->b_wptr = DB_LIM(lenmp);
2945 linkb(lenmp, bp);
2946 bp = lenmp;
2947 }
2948 }
2949 ucp = bp->b_rptr;
2950 *--ucp = len;
2951 *--ucp = len >> 8;
2952 *--ucp = len >> 16;
2953 *--ucp = len >> 24;
2954
2955 bp->b_rptr = ucp;
2956
2957 return (bp);
2958 }
2959
2960 static mblk_t *
encrypt_block(queue_t * q,struct tmodinfo * tmi,mblk_t * mp,size_t plainlen)2961 encrypt_block(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, size_t plainlen)
2962 {
2963 mblk_t *newmp;
2964 size_t headspace;
2965
2966 mblk_t *cbp;
2967 size_t cipherlen;
2968 size_t extra = 0;
2969 uint32_t ptlen = (uint32_t)plainlen;
2970 /*
2971 * If we are using the "NEW" RCMD mode,
2972 * add 4 bytes to the plaintext for the
2973 * plaintext length that gets prepended
2974 * before encrypting.
2975 */
2976 if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
2977 ptlen += 4;
2978
2979 cipherlen = encrypt_size(&tmi->enc_data, (size_t)ptlen);
2980
2981 /*
2982 * if we must allocb, then make sure its enough
2983 * to hold the length field so we dont have to allocb
2984 * again down below in 'mklenmp'
2985 */
2986 if (ANY_RCMD_MODE(tmi->enc_data.option_mask)) {
2987 extra = sizeof (uint32_t);
2988 }
2989
2990 /*
2991 * Calculate how much space is needed in front of
2992 * the data.
2993 */
2994 headspace = plaintext_offset(&tmi->enc_data);
2995
2996 /*
2997 * If the current block is too small, reallocate
2998 * one large enough to hold the hdr, tail, and
2999 * ciphertext.
3000 */
3001 if ((cipherlen + extra >= MBLKSIZE(mp)) || DB_REF(mp) > 1) {
3002 int sz = P2ROUNDUP(cipherlen+extra, 8);
3003
3004 cbp = allocb_tmpl(sz, mp);
3005 if (cbp == NULL) {
3006 cmn_err(CE_WARN,
3007 "allocb (%d bytes) failed", sz);
3008 return (NULL);
3009 }
3010
3011 cbp->b_cont = mp->b_cont;
3012
3013 /*
3014 * headspace includes the length fields needed
3015 * for the RCMD modes (v1 == 4 bytes, V2 = 8)
3016 */
3017 ASSERT(cbp->b_rptr + P2ROUNDUP(plainlen+headspace, 8)
3018 <= DB_LIM(cbp));
3019
3020 cbp->b_rptr = DB_BASE(cbp) + headspace;
3021 bcopy(mp->b_rptr, cbp->b_rptr, plainlen);
3022 cbp->b_wptr = cbp->b_rptr + plainlen;
3023
3024 freeb(mp);
3025 } else {
3026 size_t extra = 0;
3027 cbp = mp;
3028
3029 /*
3030 * Some ciphers add HMAC after the final block
3031 * of the ciphertext, not at the beginning like the
3032 * 1-DES ciphers.
3033 */
3034 if (tmi->enc_data.method ==
3035 CRYPT_METHOD_DES3_CBC_SHA1 ||
3036 IS_AES_METHOD(tmi->enc_data.method)) {
3037 extra = sha1_hash.hash_len;
3038 }
3039
3040 /*
3041 * Make sure the rptr is positioned correctly so that
3042 * routines later do not have to shift this data around
3043 */
3044 if ((cbp->b_rptr + P2ROUNDUP(cipherlen + extra, 8) >
3045 DB_LIM(cbp)) ||
3046 (cbp->b_rptr - headspace < DB_BASE(cbp))) {
3047 ovbcopy(cbp->b_rptr, DB_BASE(cbp) + headspace,
3048 plainlen);
3049 cbp->b_rptr = DB_BASE(cbp) + headspace;
3050 cbp->b_wptr = cbp->b_rptr + plainlen;
3051 }
3052 }
3053
3054 ASSERT(cbp->b_rptr - headspace >= DB_BASE(cbp));
3055 ASSERT(cbp->b_wptr <= DB_LIM(cbp));
3056
3057 /*
3058 * If using RCMD_MODE_V2 (new rcmd mode), prepend
3059 * the plaintext length before the actual plaintext.
3060 */
3061 if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2) {
3062 cbp->b_rptr -= RCMD_LEN_SZ;
3063
3064 /* put plaintext length at head of buffer */
3065 *(cbp->b_rptr + 3) = (uchar_t)(plainlen & 0xff);
3066 *(cbp->b_rptr + 2) = (uchar_t)((plainlen >> 8) & 0xff);
3067 *(cbp->b_rptr + 1) = (uchar_t)((plainlen >> 16) & 0xff);
3068 *(cbp->b_rptr) = (uchar_t)((plainlen >> 24) & 0xff);
3069 }
3070
3071 newmp = do_encrypt(q, cbp);
3072
3073 if (newmp != NULL &&
3074 (tmi->enc_data.option_mask &
3075 (CRYPTOPT_RCMD_MODE_V1 | CRYPTOPT_RCMD_MODE_V2))) {
3076 mblk_t *lp;
3077 /*
3078 * Add length field, required when this is
3079 * used to encrypt "r*" commands(rlogin, rsh)
3080 * with Kerberos.
3081 */
3082 lp = mklenmp(newmp, plainlen);
3083
3084 if (lp == NULL) {
3085 freeb(newmp);
3086 return (NULL);
3087 } else {
3088 newmp = lp;
3089 }
3090 }
3091 return (newmp);
3092 }
3093
3094 /*
3095 * encrypt_msgb
3096 *
3097 * encrypt a single message. This routine adds the
3098 * RCMD overhead bytes when necessary.
3099 */
3100 static mblk_t *
encrypt_msgb(queue_t * q,struct tmodinfo * tmi,mblk_t * mp)3101 encrypt_msgb(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
3102 {
3103 size_t plainlen, outlen;
3104 mblk_t *newmp = NULL;
3105
3106 /* If not encrypting, do nothing */
3107 if (tmi->enc_data.method == CRYPT_METHOD_NONE) {
3108 return (mp);
3109 }
3110
3111 plainlen = MBLKL(mp);
3112 if (plainlen == 0)
3113 return (NULL);
3114
3115 /*
3116 * If the block is too big, we encrypt in 4K chunks so that
3117 * older rlogin clients do not choke on the larger buffers.
3118 */
3119 while ((plainlen = MBLKL(mp)) > MSGBUF_SIZE) {
3120 mblk_t *mp1 = NULL;
3121 outlen = MSGBUF_SIZE;
3122 /*
3123 * Allocate a new buffer that is only 4K bytes, the
3124 * extra bytes are for crypto overhead.
3125 */
3126 mp1 = allocb(outlen + CONFOUNDER_BYTES, BPRI_MED);
3127 if (mp1 == NULL) {
3128 cmn_err(CE_WARN,
3129 "allocb (%d bytes) failed",
3130 (int)(outlen + CONFOUNDER_BYTES));
3131 return (NULL);
3132 }
3133 /* Copy the next 4K bytes from the old block. */
3134 bcopy(mp->b_rptr, mp1->b_rptr, outlen);
3135 mp1->b_wptr = mp1->b_rptr + outlen;
3136 /* Advance the old block. */
3137 mp->b_rptr += outlen;
3138
3139 /* encrypt the new block */
3140 newmp = encrypt_block(q, tmi, mp1, outlen);
3141 if (newmp == NULL)
3142 return (NULL);
3143
3144 putnext(q, newmp);
3145 }
3146 newmp = NULL;
3147 /* If there is data left (< MSGBUF_SIZE), encrypt it. */
3148 if ((plainlen = MBLKL(mp)) > 0)
3149 newmp = encrypt_block(q, tmi, mp, plainlen);
3150
3151 return (newmp);
3152 }
3153
3154 /*
3155 * cryptmodwsrv
3156 *
3157 * Service routine for the write queue.
3158 *
3159 * Because data may be placed in the queue to hold between
3160 * the CRYPTIOCSTOP and CRYPTIOCSTART ioctls, the service routine is needed.
3161 */
3162 static int
cryptmodwsrv(queue_t * q)3163 cryptmodwsrv(queue_t *q)
3164 {
3165 mblk_t *mp;
3166 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
3167
3168 while ((mp = getq(q)) != NULL) {
3169 switch (mp->b_datap->db_type) {
3170 default:
3171 /*
3172 * wput does not queue anything > QPCTL
3173 */
3174 if (!canputnext(q) ||
3175 !(tmi->ready & CRYPT_WRITE_READY)) {
3176 if (!putbq(q, mp)) {
3177 freemsg(mp);
3178 }
3179 return (0);
3180 }
3181 putnext(q, mp);
3182 break;
3183 case M_DATA:
3184 if (canputnext(q) && (tmi->ready & CRYPT_WRITE_READY)) {
3185 mblk_t *bp;
3186 mblk_t *newmsg = NULL;
3187
3188 /*
3189 * If multiple msgs, concat into 1
3190 * to minimize crypto operations later.
3191 */
3192 if (mp->b_cont != NULL) {
3193 bp = msgpullup(mp, -1);
3194 if (bp != NULL) {
3195 freemsg(mp);
3196 mp = bp;
3197 }
3198 }
3199 newmsg = encrypt_msgb(q, tmi, mp);
3200 if (newmsg != NULL)
3201 putnext(q, newmsg);
3202 } else {
3203 if (!putbq(q, mp)) {
3204 freemsg(mp);
3205 }
3206 return (0);
3207 }
3208 break;
3209 }
3210 }
3211 return (0);
3212 }
3213
3214 static void
start_stream(queue_t * wq,mblk_t * mp,uchar_t dir)3215 start_stream(queue_t *wq, mblk_t *mp, uchar_t dir)
3216 {
3217 mblk_t *newmp = NULL;
3218 struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr;
3219
3220 if (dir == CRYPT_ENCRYPT) {
3221 tmi->ready |= CRYPT_WRITE_READY;
3222 (void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE,
3223 "start_stream: restart ENCRYPT/WRITE q"));
3224
3225 enableok(wq);
3226 qenable(wq);
3227 } else if (dir == CRYPT_DECRYPT) {
3228 /*
3229 * put any extra data in the RD
3230 * queue to be processed and
3231 * sent back up.
3232 */
3233 newmp = mp->b_cont;
3234 mp->b_cont = NULL;
3235
3236 tmi->ready |= CRYPT_READ_READY;
3237 (void) (STRLOG(CRYPTMOD_ID, 0, 5,
3238 SL_TRACE|SL_NOTE,
3239 "start_stream: restart "
3240 "DECRYPT/READ q"));
3241
3242 if (newmp != NULL)
3243 if (!putbq(RD(wq), newmp))
3244 freemsg(newmp);
3245
3246 enableok(RD(wq));
3247 qenable(RD(wq));
3248 }
3249
3250 miocack(wq, mp, 0, 0);
3251 }
3252
3253 /*
3254 * Write-side put procedure. Its main task is to detect ioctls and
3255 * FLUSH operations. Other message types are passed on through.
3256 */
3257 static int
cryptmodwput(queue_t * wq,mblk_t * mp)3258 cryptmodwput(queue_t *wq, mblk_t *mp)
3259 {
3260 struct iocblk *iocp;
3261 struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr;
3262 int ret, err;
3263
3264 switch (mp->b_datap->db_type) {
3265 case M_DATA:
3266 if (wq->q_first == NULL && canputnext(wq) &&
3267 (tmi->ready & CRYPT_WRITE_READY) &&
3268 tmi->enc_data.method == CRYPT_METHOD_NONE) {
3269 putnext(wq, mp);
3270 return (0);
3271 }
3272 /* else, put it in the service queue */
3273 if (!putq(wq, mp)) {
3274 freemsg(mp);
3275 }
3276 break;
3277 case M_FLUSH:
3278 if (*mp->b_rptr & FLUSHW) {
3279 flushq(wq, FLUSHDATA);
3280 }
3281 putnext(wq, mp);
3282 break;
3283 case M_IOCTL:
3284 iocp = (struct iocblk *)mp->b_rptr;
3285 switch (iocp->ioc_cmd) {
3286 case CRYPTIOCSETUP:
3287 ret = 0;
3288 (void) (STRLOG(CRYPTMOD_ID, 0, 5,
3289 SL_TRACE | SL_NOTE,
3290 "wput: got CRYPTIOCSETUP "
3291 "ioctl(%d)", iocp->ioc_cmd));
3292
3293 if ((err = miocpullup(mp,
3294 sizeof (struct cr_info_t))) != 0) {
3295 cmn_err(CE_WARN,
3296 "wput: miocpullup failed for cr_info_t");
3297 miocnak(wq, mp, 0, err);
3298 } else {
3299 struct cr_info_t *ci;
3300 ci = (struct cr_info_t *)mp->b_cont->b_rptr;
3301
3302 if (ci->direction_mask & CRYPT_ENCRYPT) {
3303 ret = setup_crypto(ci, &tmi->enc_data, 1);
3304 }
3305
3306 if (ret == 0 &&
3307 (ci->direction_mask & CRYPT_DECRYPT)) {
3308 ret = setup_crypto(ci, &tmi->dec_data, 0);
3309 }
3310 if (ret == 0 &&
3311 (ci->direction_mask & CRYPT_DECRYPT) &&
3312 ANY_RCMD_MODE(tmi->dec_data.option_mask)) {
3313 bzero(&tmi->rcmd_state,
3314 sizeof (tmi->rcmd_state));
3315 }
3316 if (ret == 0) {
3317 miocack(wq, mp, 0, 0);
3318 } else {
3319 cmn_err(CE_WARN,
3320 "wput: setup_crypto failed");
3321 miocnak(wq, mp, 0, ret);
3322 }
3323 (void) (STRLOG(CRYPTMOD_ID, 0, 5,
3324 SL_TRACE|SL_NOTE,
3325 "wput: done with SETUP "
3326 "ioctl"));
3327 }
3328 break;
3329 case CRYPTIOCSTOP:
3330 (void) (STRLOG(CRYPTMOD_ID, 0, 5,
3331 SL_TRACE|SL_NOTE,
3332 "wput: got CRYPTIOCSTOP "
3333 "ioctl(%d)", iocp->ioc_cmd));
3334
3335 if ((err = miocpullup(mp, sizeof (uint32_t))) != 0) {
3336 cmn_err(CE_WARN,
3337 "wput: CRYPTIOCSTOP ioctl wrong "
3338 "size (%d should be %d)",
3339 (int)iocp->ioc_count,
3340 (int)sizeof (uint32_t));
3341 miocnak(wq, mp, 0, err);
3342 } else {
3343 uint32_t *stopdir;
3344
3345 stopdir = (uint32_t *)mp->b_cont->b_rptr;
3346 if (!CR_DIRECTION_OK(*stopdir)) {
3347 miocnak(wq, mp, 0, EINVAL);
3348 return (0);
3349 }
3350
3351 /* disable the queues until further notice */
3352 if (*stopdir & CRYPT_ENCRYPT) {
3353 noenable(wq);
3354 tmi->ready &= ~CRYPT_WRITE_READY;
3355 }
3356 if (*stopdir & CRYPT_DECRYPT) {
3357 noenable(RD(wq));
3358 tmi->ready &= ~CRYPT_READ_READY;
3359 }
3360
3361 miocack(wq, mp, 0, 0);
3362 }
3363 break;
3364 case CRYPTIOCSTARTDEC:
3365 (void) (STRLOG(CRYPTMOD_ID, 0, 5,
3366 SL_TRACE|SL_NOTE,
3367 "wput: got CRYPTIOCSTARTDEC "
3368 "ioctl(%d)", iocp->ioc_cmd));
3369
3370 start_stream(wq, mp, CRYPT_DECRYPT);
3371 break;
3372 case CRYPTIOCSTARTENC:
3373 (void) (STRLOG(CRYPTMOD_ID, 0, 5,
3374 SL_TRACE|SL_NOTE,
3375 "wput: got CRYPTIOCSTARTENC "
3376 "ioctl(%d)", iocp->ioc_cmd));
3377
3378 start_stream(wq, mp, CRYPT_ENCRYPT);
3379 break;
3380 default:
3381 putnext(wq, mp);
3382 break;
3383 }
3384 break;
3385 default:
3386 if (queclass(mp) < QPCTL) {
3387 if (wq->q_first != NULL || !canputnext(wq)) {
3388 if (!putq(wq, mp))
3389 freemsg(mp);
3390 return (0);
3391 }
3392 }
3393 putnext(wq, mp);
3394 break;
3395 }
3396 return (0);
3397 }
3398
3399 /*
3400 * decrypt_rcmd_mblks
3401 *
3402 * Because kerberized r* commands(rsh, rlogin, etc)
3403 * use a 4 byte length field to indicate the # of
3404 * PLAINTEXT bytes that are encrypted in the field
3405 * that follows, we must parse out each message and
3406 * break out the length fields prior to sending them
3407 * upstream to our Solaris r* clients/servers which do
3408 * NOT understand this format.
3409 *
3410 * Kerberized/encrypted message format:
3411 * -------------------------------
3412 * | XXXX | N bytes of ciphertext|
3413 * -------------------------------
3414 *
3415 * Where: XXXX = number of plaintext bytes that were encrypted in
3416 * to make the ciphertext field. This is done
3417 * because we are using a cipher that pads out to
3418 * an 8 byte boundary. We only want the application
3419 * layer to see the correct number of plain text bytes,
3420 * not plaintext + pad. So, after we decrypt, we
3421 * must trim the output block down to the intended
3422 * plaintext length and eliminate the pad bytes.
3423 *
3424 * This routine takes the entire input message, breaks it into
3425 * a new message that does not contain these length fields and
3426 * returns a message consisting of mblks filled with just ciphertext.
3427 *
3428 */
3429 static mblk_t *
decrypt_rcmd_mblks(queue_t * q,mblk_t * mp)3430 decrypt_rcmd_mblks(queue_t *q, mblk_t *mp)
3431 {
3432 mblk_t *newmp = NULL;
3433 size_t msglen;
3434 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
3435
3436 msglen = msgsize(mp);
3437
3438 /*
3439 * If we need the length field, get it here.
3440 * Test the "plaintext length" indicator.
3441 */
3442 if (tmi->rcmd_state.pt_len == 0) {
3443 uint32_t elen;
3444 int tocopy;
3445 mblk_t *nextp;
3446
3447 /*
3448 * Make sure we have recieved all 4 bytes of the
3449 * length field.
3450 */
3451 while (mp != NULL) {
3452 ASSERT(tmi->rcmd_state.cd_len < sizeof (uint32_t));
3453
3454 tocopy = sizeof (uint32_t) -
3455 tmi->rcmd_state.cd_len;
3456 if (tocopy > msglen)
3457 tocopy = msglen;
3458
3459 ASSERT(mp->b_rptr + tocopy <= DB_LIM(mp));
3460 bcopy(mp->b_rptr,
3461 (char *)(&tmi->rcmd_state.next_len +
3462 tmi->rcmd_state.cd_len), tocopy);
3463
3464 tmi->rcmd_state.cd_len += tocopy;
3465
3466 if (tmi->rcmd_state.cd_len >= sizeof (uint32_t)) {
3467 tmi->rcmd_state.next_len =
3468 ntohl(tmi->rcmd_state.next_len);
3469 break;
3470 }
3471
3472 nextp = mp->b_cont;
3473 mp->b_cont = NULL;
3474 freeb(mp);
3475 mp = nextp;
3476 }
3477
3478 if (mp == NULL) {
3479 return (NULL);
3480 }
3481 /*
3482 * recalculate the msglen now that we've read the
3483 * length and adjusted the bufptr (b_rptr).
3484 */
3485 msglen -= tocopy;
3486 mp->b_rptr += tocopy;
3487
3488 tmi->rcmd_state.pt_len = tmi->rcmd_state.next_len;
3489
3490 if (tmi->rcmd_state.pt_len <= 0) {
3491 /*
3492 * Return an IO error to break the connection. there
3493 * is no way to recover from this. Usually it means
3494 * the app has incorrectly requested decryption on
3495 * a non-encrypted stream, thus the "pt_len" field
3496 * is negative.
3497 */
3498 mp->b_datap->db_type = M_ERROR;
3499 mp->b_rptr = mp->b_datap->db_base;
3500 *mp->b_rptr = EIO;
3501 mp->b_wptr = mp->b_rptr + sizeof (char);
3502
3503 freemsg(mp->b_cont);
3504 mp->b_cont = NULL;
3505 qreply(WR(q), mp);
3506 tmi->rcmd_state.cd_len = tmi->rcmd_state.pt_len = 0;
3507 return (NULL);
3508 }
3509
3510 /*
3511 * If this is V2 mode, then the encrypted data is actually
3512 * 4 bytes bigger than the indicated len because the plaintext
3513 * length is encrypted for an additional security check, but
3514 * its not counted as part of the overall length we just read.
3515 * Strange and confusing, but true.
3516 */
3517
3518 if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
3519 elen = tmi->rcmd_state.pt_len + 4;
3520 else
3521 elen = tmi->rcmd_state.pt_len;
3522
3523 tmi->rcmd_state.cd_len = encrypt_size(&tmi->dec_data, elen);
3524
3525 /*
3526 * Allocate an mblk to hold the cipher text until it is
3527 * all ready to be processed.
3528 */
3529 tmi->rcmd_state.c_msg = allocb(tmi->rcmd_state.cd_len,
3530 BPRI_HI);
3531 if (tmi->rcmd_state.c_msg == NULL) {
3532 #ifdef DEBUG
3533 cmn_err(CE_WARN, "decrypt_rcmd_msgb: allocb failed "
3534 "for %d bytes",
3535 (int)tmi->rcmd_state.cd_len);
3536 #endif
3537 /*
3538 * Return an IO error to break the connection.
3539 */
3540 mp->b_datap->db_type = M_ERROR;
3541 mp->b_rptr = mp->b_datap->db_base;
3542 *mp->b_rptr = EIO;
3543 mp->b_wptr = mp->b_rptr + sizeof (char);
3544 freemsg(mp->b_cont);
3545 mp->b_cont = NULL;
3546 tmi->rcmd_state.cd_len = tmi->rcmd_state.pt_len = 0;
3547 qreply(WR(q), mp);
3548 return (NULL);
3549 }
3550 }
3551
3552 /*
3553 * If this entire message was just the length field,
3554 * free and return. The actual data will probably be next.
3555 */
3556 if (msglen == 0) {
3557 freemsg(mp);
3558 return (NULL);
3559 }
3560
3561 /*
3562 * Copy as much of the cipher text as possible into
3563 * the new msgb (c_msg).
3564 *
3565 * Logic: if we got some bytes (msglen) and we still
3566 * "need" some bytes (len-rcvd), get them here.
3567 */
3568 ASSERT(tmi->rcmd_state.c_msg != NULL);
3569 if (msglen > 0 &&
3570 (tmi->rcmd_state.cd_len > MBLKL(tmi->rcmd_state.c_msg))) {
3571 mblk_t *bp, *nextp;
3572 size_t n;
3573
3574 /*
3575 * Walk the mblks and copy just as many bytes as we need
3576 * for this particular block of cipher text.
3577 */
3578 bp = mp;
3579 while (bp != NULL) {
3580 size_t needed;
3581 size_t tocopy;
3582 n = MBLKL(bp);
3583
3584 needed = tmi->rcmd_state.cd_len -
3585 MBLKL(tmi->rcmd_state.c_msg);
3586
3587 tocopy = (needed >= n ? n : needed);
3588
3589 ASSERT(bp->b_rptr + tocopy <= DB_LIM(bp));
3590 ASSERT(tmi->rcmd_state.c_msg->b_wptr + tocopy <=
3591 DB_LIM(tmi->rcmd_state.c_msg));
3592
3593 /* Copy to end of new mblk */
3594 bcopy(bp->b_rptr, tmi->rcmd_state.c_msg->b_wptr,
3595 tocopy);
3596
3597 tmi->rcmd_state.c_msg->b_wptr += tocopy;
3598
3599 bp->b_rptr += tocopy;
3600
3601 nextp = bp->b_cont;
3602
3603 /*
3604 * If we used this whole block, free it and
3605 * move on.
3606 */
3607 if (!MBLKL(bp)) {
3608 freeb(bp);
3609 bp = NULL;
3610 }
3611
3612 /* If we got what we needed, stop the loop */
3613 if (MBLKL(tmi->rcmd_state.c_msg) ==
3614 tmi->rcmd_state.cd_len) {
3615 /*
3616 * If there is more data in the message,
3617 * its for another block of cipher text,
3618 * put it back in the queue for next time.
3619 */
3620 if (bp) {
3621 if (!putbq(q, bp))
3622 freemsg(bp);
3623 } else if (nextp != NULL) {
3624 /*
3625 * If there is more, put it back in the
3626 * queue for another pass thru.
3627 */
3628 if (!putbq(q, nextp))
3629 freemsg(nextp);
3630 }
3631 break;
3632 }
3633 bp = nextp;
3634 }
3635 }
3636 /*
3637 * Finally, if we received all the cipher text data for
3638 * this message, decrypt it into a new msg and send it up
3639 * to the app.
3640 */
3641 if (tmi->rcmd_state.pt_len > 0 &&
3642 MBLKL(tmi->rcmd_state.c_msg) == tmi->rcmd_state.cd_len) {
3643 mblk_t *bp;
3644 mblk_t *newbp;
3645
3646 /*
3647 * Now we can use our msg that we created when the
3648 * initial message boundary was detected.
3649 */
3650 bp = tmi->rcmd_state.c_msg;
3651 tmi->rcmd_state.c_msg = NULL;
3652
3653 newbp = do_decrypt(q, bp);
3654 if (newbp != NULL) {
3655 bp = newbp;
3656 /*
3657 * If using RCMD_MODE_V2 ("new" mode),
3658 * look at the 4 byte plaintext length that
3659 * was just decrypted and compare with the
3660 * original pt_len value that was received.
3661 */
3662 if (tmi->dec_data.option_mask &
3663 CRYPTOPT_RCMD_MODE_V2) {
3664 uint32_t pt_len2;
3665
3666 pt_len2 = *(uint32_t *)bp->b_rptr;
3667 pt_len2 = ntohl(pt_len2);
3668 /*
3669 * Make sure the 2 pt len fields agree.
3670 */
3671 if (pt_len2 != tmi->rcmd_state.pt_len) {
3672 cmn_err(CE_WARN,
3673 "Inconsistent length fields"
3674 " received %d != %d",
3675 (int)tmi->rcmd_state.pt_len,
3676 (int)pt_len2);
3677 bp->b_datap->db_type = M_ERROR;
3678 bp->b_rptr = bp->b_datap->db_base;
3679 *bp->b_rptr = EIO;
3680 bp->b_wptr = bp->b_rptr + sizeof (char);
3681 freemsg(bp->b_cont);
3682 bp->b_cont = NULL;
3683 tmi->rcmd_state.cd_len = 0;
3684 qreply(WR(q), bp);
3685 return (NULL);
3686 }
3687 bp->b_rptr += sizeof (uint32_t);
3688 }
3689
3690 /*
3691 * Trim the decrypted block the length originally
3692 * indicated by the sender. This is to remove any
3693 * padding bytes that the sender added to satisfy
3694 * requirements of the crypto algorithm.
3695 */
3696 bp->b_wptr = bp->b_rptr + tmi->rcmd_state.pt_len;
3697
3698 newmp = bp;
3699
3700 /*
3701 * Reset our state to indicate we are ready
3702 * for a new message.
3703 */
3704 tmi->rcmd_state.pt_len = 0;
3705 tmi->rcmd_state.cd_len = 0;
3706 } else {
3707 #ifdef DEBUG
3708 cmn_err(CE_WARN,
3709 "decrypt_rcmd: do_decrypt on %d bytes failed",
3710 (int)tmi->rcmd_state.cd_len);
3711 #endif
3712 /*
3713 * do_decrypt already handled failures, just
3714 * return NULL.
3715 */
3716 tmi->rcmd_state.pt_len = 0;
3717 tmi->rcmd_state.cd_len = 0;
3718 return (NULL);
3719 }
3720 }
3721
3722 /*
3723 * return the new message with the 'length' fields removed
3724 */
3725 return (newmp);
3726 }
3727
3728 /*
3729 * cryptmodrsrv
3730 *
3731 * Read queue service routine
3732 * Necessary because if the ready flag is not set
3733 * (via CRYPTIOCSTOP/CRYPTIOCSTART ioctls) then the data
3734 * must remain on queue and not be passed along.
3735 */
3736 static int
cryptmodrsrv(queue_t * q)3737 cryptmodrsrv(queue_t *q)
3738 {
3739 mblk_t *mp, *bp;
3740 struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
3741
3742 while ((mp = getq(q)) != NULL) {
3743 switch (mp->b_datap->db_type) {
3744 case M_DATA:
3745 if (canputnext(q) && tmi->ready & CRYPT_READ_READY) {
3746 /*
3747 * Process "rcmd" messages differently because
3748 * they contain a 4 byte plaintext length
3749 * id that needs to be removed.
3750 */
3751 if (tmi->dec_data.method != CRYPT_METHOD_NONE &&
3752 (tmi->dec_data.option_mask &
3753 (CRYPTOPT_RCMD_MODE_V1 |
3754 CRYPTOPT_RCMD_MODE_V2))) {
3755 mp = decrypt_rcmd_mblks(q, mp);
3756 if (mp)
3757 putnext(q, mp);
3758 continue;
3759 }
3760 if ((bp = msgpullup(mp, -1)) != NULL) {
3761 freemsg(mp);
3762 if (MBLKL(bp) > 0) {
3763 mp = do_decrypt(q, bp);
3764 if (mp != NULL)
3765 putnext(q, mp);
3766 }
3767 }
3768 } else {
3769 if (!putbq(q, mp)) {
3770 freemsg(mp);
3771 }
3772 return (0);
3773 }
3774 break;
3775 default:
3776 /*
3777 * rput does not queue anything > QPCTL, so we don't
3778 * need to check for it here.
3779 */
3780 if (!canputnext(q)) {
3781 if (!putbq(q, mp))
3782 freemsg(mp);
3783 return (0);
3784 }
3785 putnext(q, mp);
3786 break;
3787 }
3788 }
3789 return (0);
3790 }
3791
3792
3793 /*
3794 * Read-side put procedure.
3795 */
3796 static int
cryptmodrput(queue_t * rq,mblk_t * mp)3797 cryptmodrput(queue_t *rq, mblk_t *mp)
3798 {
3799 switch (mp->b_datap->db_type) {
3800 case M_DATA:
3801 if (!putq(rq, mp)) {
3802 freemsg(mp);
3803 }
3804 break;
3805 case M_FLUSH:
3806 if (*mp->b_rptr & FLUSHR) {
3807 flushq(rq, FLUSHALL);
3808 }
3809 putnext(rq, mp);
3810 break;
3811 default:
3812 if (queclass(mp) < QPCTL) {
3813 if (rq->q_first != NULL || !canputnext(rq)) {
3814 if (!putq(rq, mp))
3815 freemsg(mp);
3816 return (0);
3817 }
3818 }
3819 putnext(rq, mp);
3820 break;
3821 }
3822 return (0);
3823 }
3824