1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or https://opensource.org/licenses/CDDL-1.0. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/zfs_context.h> 27 #include <modes/modes.h> 28 #include <sys/crypto/common.h> 29 #include <sys/crypto/impl.h> 30 31 #ifdef HAVE_EFFICIENT_UNALIGNED_ACCESS 32 #include <sys/byteorder.h> 33 #define UNALIGNED_POINTERS_PERMITTED 34 #endif 35 36 /* 37 * Encrypt multiple blocks of data in CCM mode. Decrypt for CCM mode 38 * is done in another function. 39 */ 40 int 41 ccm_mode_encrypt_contiguous_blocks(ccm_ctx_t *ctx, char *data, size_t length, 42 crypto_data_t *out, size_t block_size, 43 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *), 44 void (*copy_block)(uint8_t *, uint8_t *), 45 void (*xor_block)(uint8_t *, uint8_t *)) 46 { 47 size_t remainder = length; 48 size_t need = 0; 49 uint8_t *datap = (uint8_t *)data; 50 uint8_t *blockp; 51 uint8_t *lastp; 52 void *iov_or_mp; 53 offset_t offset; 54 uint8_t *out_data_1; 55 uint8_t *out_data_2; 56 size_t out_data_1_len; 57 uint64_t counter; 58 uint8_t *mac_buf; 59 60 if (length + ctx->ccm_remainder_len < block_size) { 61 /* accumulate bytes here and return */ 62 memcpy((uint8_t *)ctx->ccm_remainder + ctx->ccm_remainder_len, 63 datap, 64 length); 65 ctx->ccm_remainder_len += length; 66 ctx->ccm_copy_to = datap; 67 return (CRYPTO_SUCCESS); 68 } 69 70 lastp = (uint8_t *)ctx->ccm_cb; 71 crypto_init_ptrs(out, &iov_or_mp, &offset); 72 73 mac_buf = (uint8_t *)ctx->ccm_mac_buf; 74 75 do { 76 /* Unprocessed data from last call. */ 77 if (ctx->ccm_remainder_len > 0) { 78 need = block_size - ctx->ccm_remainder_len; 79 80 if (need > remainder) 81 return (CRYPTO_DATA_LEN_RANGE); 82 83 memcpy(&((uint8_t *)ctx->ccm_remainder) 84 [ctx->ccm_remainder_len], datap, need); 85 86 blockp = (uint8_t *)ctx->ccm_remainder; 87 } else { 88 blockp = datap; 89 } 90 91 /* 92 * do CBC MAC 93 * 94 * XOR the previous cipher block current clear block. 95 * mac_buf always contain previous cipher block. 96 */ 97 xor_block(blockp, mac_buf); 98 encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf); 99 100 /* ccm_cb is the counter block */ 101 encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb, 102 (uint8_t *)ctx->ccm_tmp); 103 104 lastp = (uint8_t *)ctx->ccm_tmp; 105 106 /* 107 * Increment counter. Counter bits are confined 108 * to the bottom 64 bits of the counter block. 109 */ 110 #ifdef _ZFS_LITTLE_ENDIAN 111 counter = ntohll(ctx->ccm_cb[1] & ctx->ccm_counter_mask); 112 counter = htonll(counter + 1); 113 #else 114 counter = ctx->ccm_cb[1] & ctx->ccm_counter_mask; 115 counter++; 116 #endif /* _ZFS_LITTLE_ENDIAN */ 117 counter &= ctx->ccm_counter_mask; 118 ctx->ccm_cb[1] = 119 (ctx->ccm_cb[1] & ~(ctx->ccm_counter_mask)) | counter; 120 121 /* 122 * XOR encrypted counter block with the current clear block. 123 */ 124 xor_block(blockp, lastp); 125 126 ctx->ccm_processed_data_len += block_size; 127 128 crypto_get_ptrs(out, &iov_or_mp, &offset, &out_data_1, 129 &out_data_1_len, &out_data_2, block_size); 130 131 /* copy block to where it belongs */ 132 if (out_data_1_len == block_size) { 133 copy_block(lastp, out_data_1); 134 } else { 135 memcpy(out_data_1, lastp, out_data_1_len); 136 if (out_data_2 != NULL) { 137 memcpy(out_data_2, 138 lastp + out_data_1_len, 139 block_size - out_data_1_len); 140 } 141 } 142 /* update offset */ 143 out->cd_offset += block_size; 144 145 /* Update pointer to next block of data to be processed. */ 146 if (ctx->ccm_remainder_len != 0) { 147 datap += need; 148 ctx->ccm_remainder_len = 0; 149 } else { 150 datap += block_size; 151 } 152 153 remainder = (size_t)&data[length] - (size_t)datap; 154 155 /* Incomplete last block. */ 156 if (remainder > 0 && remainder < block_size) { 157 memcpy(ctx->ccm_remainder, datap, remainder); 158 ctx->ccm_remainder_len = remainder; 159 ctx->ccm_copy_to = datap; 160 goto out; 161 } 162 ctx->ccm_copy_to = NULL; 163 164 } while (remainder > 0); 165 166 out: 167 return (CRYPTO_SUCCESS); 168 } 169 170 void 171 calculate_ccm_mac(ccm_ctx_t *ctx, uint8_t *ccm_mac, 172 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *)) 173 { 174 uint64_t counter; 175 uint8_t *counterp, *mac_buf; 176 int i; 177 178 mac_buf = (uint8_t *)ctx->ccm_mac_buf; 179 180 /* first counter block start with index 0 */ 181 counter = 0; 182 ctx->ccm_cb[1] = (ctx->ccm_cb[1] & ~(ctx->ccm_counter_mask)) | counter; 183 184 counterp = (uint8_t *)ctx->ccm_tmp; 185 encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb, counterp); 186 187 /* calculate XOR of MAC with first counter block */ 188 for (i = 0; i < ctx->ccm_mac_len; i++) { 189 ccm_mac[i] = mac_buf[i] ^ counterp[i]; 190 } 191 } 192 193 int 194 ccm_encrypt_final(ccm_ctx_t *ctx, crypto_data_t *out, size_t block_size, 195 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *), 196 void (*xor_block)(uint8_t *, uint8_t *)) 197 { 198 uint8_t *lastp, *mac_buf, *ccm_mac_p, *macp = NULL; 199 void *iov_or_mp; 200 offset_t offset; 201 uint8_t *out_data_1; 202 uint8_t *out_data_2; 203 size_t out_data_1_len; 204 int i; 205 206 if (out->cd_length < (ctx->ccm_remainder_len + ctx->ccm_mac_len)) { 207 return (CRYPTO_DATA_LEN_RANGE); 208 } 209 210 /* 211 * When we get here, the number of bytes of payload processed 212 * plus whatever data remains, if any, 213 * should be the same as the number of bytes that's being 214 * passed in the argument during init time. 215 */ 216 if ((ctx->ccm_processed_data_len + ctx->ccm_remainder_len) 217 != (ctx->ccm_data_len)) { 218 return (CRYPTO_DATA_LEN_RANGE); 219 } 220 221 mac_buf = (uint8_t *)ctx->ccm_mac_buf; 222 223 if (ctx->ccm_remainder_len > 0) { 224 225 /* ccm_mac_input_buf is not used for encryption */ 226 macp = (uint8_t *)ctx->ccm_mac_input_buf; 227 memset(macp, 0, block_size); 228 229 /* copy remainder to temporary buffer */ 230 memcpy(macp, ctx->ccm_remainder, ctx->ccm_remainder_len); 231 232 /* calculate the CBC MAC */ 233 xor_block(macp, mac_buf); 234 encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf); 235 236 /* calculate the counter mode */ 237 lastp = (uint8_t *)ctx->ccm_tmp; 238 encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb, lastp); 239 240 /* XOR with counter block */ 241 for (i = 0; i < ctx->ccm_remainder_len; i++) { 242 macp[i] ^= lastp[i]; 243 } 244 ctx->ccm_processed_data_len += ctx->ccm_remainder_len; 245 } 246 247 /* Calculate the CCM MAC */ 248 ccm_mac_p = (uint8_t *)ctx->ccm_tmp; 249 calculate_ccm_mac(ctx, ccm_mac_p, encrypt_block); 250 251 crypto_init_ptrs(out, &iov_or_mp, &offset); 252 crypto_get_ptrs(out, &iov_or_mp, &offset, &out_data_1, 253 &out_data_1_len, &out_data_2, 254 ctx->ccm_remainder_len + ctx->ccm_mac_len); 255 256 if (ctx->ccm_remainder_len > 0) { 257 /* copy temporary block to where it belongs */ 258 if (out_data_2 == NULL) { 259 /* everything will fit in out_data_1 */ 260 memcpy(out_data_1, macp, ctx->ccm_remainder_len); 261 memcpy(out_data_1 + ctx->ccm_remainder_len, ccm_mac_p, 262 ctx->ccm_mac_len); 263 } else { 264 if (out_data_1_len < ctx->ccm_remainder_len) { 265 size_t data_2_len_used; 266 267 memcpy(out_data_1, macp, out_data_1_len); 268 269 data_2_len_used = ctx->ccm_remainder_len 270 - out_data_1_len; 271 272 memcpy(out_data_2, 273 (uint8_t *)macp + out_data_1_len, 274 data_2_len_used); 275 memcpy(out_data_2 + data_2_len_used, 276 ccm_mac_p, 277 ctx->ccm_mac_len); 278 } else { 279 memcpy(out_data_1, macp, out_data_1_len); 280 if (out_data_1_len == ctx->ccm_remainder_len) { 281 /* mac will be in out_data_2 */ 282 memcpy(out_data_2, ccm_mac_p, 283 ctx->ccm_mac_len); 284 } else { 285 size_t len_not_used = out_data_1_len - 286 ctx->ccm_remainder_len; 287 /* 288 * part of mac in will be in 289 * out_data_1, part of the mac will be 290 * in out_data_2 291 */ 292 memcpy(out_data_1 + 293 ctx->ccm_remainder_len, 294 ccm_mac_p, len_not_used); 295 memcpy(out_data_2, 296 ccm_mac_p + len_not_used, 297 ctx->ccm_mac_len - len_not_used); 298 299 } 300 } 301 } 302 } else { 303 /* copy block to where it belongs */ 304 memcpy(out_data_1, ccm_mac_p, out_data_1_len); 305 if (out_data_2 != NULL) { 306 memcpy(out_data_2, ccm_mac_p + out_data_1_len, 307 block_size - out_data_1_len); 308 } 309 } 310 out->cd_offset += ctx->ccm_remainder_len + ctx->ccm_mac_len; 311 ctx->ccm_remainder_len = 0; 312 return (CRYPTO_SUCCESS); 313 } 314 315 /* 316 * This will only deal with decrypting the last block of the input that 317 * might not be a multiple of block length. 318 */ 319 static void 320 ccm_decrypt_incomplete_block(ccm_ctx_t *ctx, 321 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *)) 322 { 323 uint8_t *datap, *outp, *counterp; 324 int i; 325 326 datap = (uint8_t *)ctx->ccm_remainder; 327 outp = &((ctx->ccm_pt_buf)[ctx->ccm_processed_data_len]); 328 329 counterp = (uint8_t *)ctx->ccm_tmp; 330 encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb, counterp); 331 332 /* XOR with counter block */ 333 for (i = 0; i < ctx->ccm_remainder_len; i++) { 334 outp[i] = datap[i] ^ counterp[i]; 335 } 336 } 337 338 /* 339 * This will decrypt the cipher text. However, the plaintext won't be 340 * returned to the caller. It will be returned when decrypt_final() is 341 * called if the MAC matches 342 */ 343 int 344 ccm_mode_decrypt_contiguous_blocks(ccm_ctx_t *ctx, char *data, size_t length, 345 crypto_data_t *out, size_t block_size, 346 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *), 347 void (*copy_block)(uint8_t *, uint8_t *), 348 void (*xor_block)(uint8_t *, uint8_t *)) 349 { 350 (void) out; 351 size_t remainder = length; 352 size_t need = 0; 353 uint8_t *datap = (uint8_t *)data; 354 uint8_t *blockp; 355 uint8_t *cbp; 356 uint64_t counter; 357 size_t pt_len, total_decrypted_len, mac_len, pm_len, pd_len; 358 uint8_t *resultp; 359 360 361 pm_len = ctx->ccm_processed_mac_len; 362 363 if (pm_len > 0) { 364 uint8_t *tmp; 365 /* 366 * all ciphertext has been processed, just waiting for 367 * part of the value of the mac 368 */ 369 if ((pm_len + length) > ctx->ccm_mac_len) { 370 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE); 371 } 372 tmp = (uint8_t *)ctx->ccm_mac_input_buf; 373 374 memcpy(tmp + pm_len, datap, length); 375 376 ctx->ccm_processed_mac_len += length; 377 return (CRYPTO_SUCCESS); 378 } 379 380 /* 381 * If we decrypt the given data, what total amount of data would 382 * have been decrypted? 383 */ 384 pd_len = ctx->ccm_processed_data_len; 385 total_decrypted_len = pd_len + length + ctx->ccm_remainder_len; 386 387 if (total_decrypted_len > 388 (ctx->ccm_data_len + ctx->ccm_mac_len)) { 389 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE); 390 } 391 392 pt_len = ctx->ccm_data_len; 393 394 if (total_decrypted_len > pt_len) { 395 /* 396 * part of the input will be the MAC, need to isolate that 397 * to be dealt with later. The left-over data in 398 * ccm_remainder_len from last time will not be part of the 399 * MAC. Otherwise, it would have already been taken out 400 * when this call is made last time. 401 */ 402 size_t pt_part = pt_len - pd_len - ctx->ccm_remainder_len; 403 404 mac_len = length - pt_part; 405 406 ctx->ccm_processed_mac_len = mac_len; 407 memcpy(ctx->ccm_mac_input_buf, data + pt_part, mac_len); 408 409 if (pt_part + ctx->ccm_remainder_len < block_size) { 410 /* 411 * since this is last of the ciphertext, will 412 * just decrypt with it here 413 */ 414 memcpy(&((uint8_t *)ctx->ccm_remainder) 415 [ctx->ccm_remainder_len], datap, pt_part); 416 ctx->ccm_remainder_len += pt_part; 417 ccm_decrypt_incomplete_block(ctx, encrypt_block); 418 ctx->ccm_processed_data_len += ctx->ccm_remainder_len; 419 ctx->ccm_remainder_len = 0; 420 return (CRYPTO_SUCCESS); 421 } else { 422 /* let rest of the code handle this */ 423 length = pt_part; 424 } 425 } else if (length + ctx->ccm_remainder_len < block_size) { 426 /* accumulate bytes here and return */ 427 memcpy((uint8_t *)ctx->ccm_remainder + ctx->ccm_remainder_len, 428 datap, 429 length); 430 ctx->ccm_remainder_len += length; 431 ctx->ccm_copy_to = datap; 432 return (CRYPTO_SUCCESS); 433 } 434 435 do { 436 /* Unprocessed data from last call. */ 437 if (ctx->ccm_remainder_len > 0) { 438 need = block_size - ctx->ccm_remainder_len; 439 440 if (need > remainder) 441 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE); 442 443 memcpy(&((uint8_t *)ctx->ccm_remainder) 444 [ctx->ccm_remainder_len], datap, need); 445 446 blockp = (uint8_t *)ctx->ccm_remainder; 447 } else { 448 blockp = datap; 449 } 450 451 /* Calculate the counter mode, ccm_cb is the counter block */ 452 cbp = (uint8_t *)ctx->ccm_tmp; 453 encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb, cbp); 454 455 /* 456 * Increment counter. 457 * Counter bits are confined to the bottom 64 bits 458 */ 459 #ifdef _ZFS_LITTLE_ENDIAN 460 counter = ntohll(ctx->ccm_cb[1] & ctx->ccm_counter_mask); 461 counter = htonll(counter + 1); 462 #else 463 counter = ctx->ccm_cb[1] & ctx->ccm_counter_mask; 464 counter++; 465 #endif /* _ZFS_LITTLE_ENDIAN */ 466 counter &= ctx->ccm_counter_mask; 467 ctx->ccm_cb[1] = 468 (ctx->ccm_cb[1] & ~(ctx->ccm_counter_mask)) | counter; 469 470 /* XOR with the ciphertext */ 471 xor_block(blockp, cbp); 472 473 /* Copy the plaintext to the "holding buffer" */ 474 resultp = (uint8_t *)ctx->ccm_pt_buf + 475 ctx->ccm_processed_data_len; 476 copy_block(cbp, resultp); 477 478 ctx->ccm_processed_data_len += block_size; 479 480 ctx->ccm_lastp = blockp; 481 482 /* Update pointer to next block of data to be processed. */ 483 if (ctx->ccm_remainder_len != 0) { 484 datap += need; 485 ctx->ccm_remainder_len = 0; 486 } else { 487 datap += block_size; 488 } 489 490 remainder = (size_t)&data[length] - (size_t)datap; 491 492 /* Incomplete last block */ 493 if (remainder > 0 && remainder < block_size) { 494 memcpy(ctx->ccm_remainder, datap, remainder); 495 ctx->ccm_remainder_len = remainder; 496 ctx->ccm_copy_to = datap; 497 if (ctx->ccm_processed_mac_len > 0) { 498 /* 499 * not expecting anymore ciphertext, just 500 * compute plaintext for the remaining input 501 */ 502 ccm_decrypt_incomplete_block(ctx, 503 encrypt_block); 504 ctx->ccm_processed_data_len += remainder; 505 ctx->ccm_remainder_len = 0; 506 } 507 goto out; 508 } 509 ctx->ccm_copy_to = NULL; 510 511 } while (remainder > 0); 512 513 out: 514 return (CRYPTO_SUCCESS); 515 } 516 517 int 518 ccm_decrypt_final(ccm_ctx_t *ctx, crypto_data_t *out, size_t block_size, 519 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *), 520 void (*copy_block)(uint8_t *, uint8_t *), 521 void (*xor_block)(uint8_t *, uint8_t *)) 522 { 523 size_t mac_remain, pt_len; 524 uint8_t *pt, *mac_buf, *macp, *ccm_mac_p; 525 int rv; 526 527 pt_len = ctx->ccm_data_len; 528 529 /* Make sure output buffer can fit all of the plaintext */ 530 if (out->cd_length < pt_len) { 531 return (CRYPTO_DATA_LEN_RANGE); 532 } 533 534 pt = ctx->ccm_pt_buf; 535 mac_remain = ctx->ccm_processed_data_len; 536 mac_buf = (uint8_t *)ctx->ccm_mac_buf; 537 538 macp = (uint8_t *)ctx->ccm_tmp; 539 540 while (mac_remain > 0) { 541 if (mac_remain < block_size) { 542 memset(macp, 0, block_size); 543 memcpy(macp, pt, mac_remain); 544 mac_remain = 0; 545 } else { 546 copy_block(pt, macp); 547 mac_remain -= block_size; 548 pt += block_size; 549 } 550 551 /* calculate the CBC MAC */ 552 xor_block(macp, mac_buf); 553 encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf); 554 } 555 556 /* Calculate the CCM MAC */ 557 ccm_mac_p = (uint8_t *)ctx->ccm_tmp; 558 calculate_ccm_mac((ccm_ctx_t *)ctx, ccm_mac_p, encrypt_block); 559 560 /* compare the input CCM MAC value with what we calculated */ 561 if (memcmp(ctx->ccm_mac_input_buf, ccm_mac_p, ctx->ccm_mac_len)) { 562 /* They don't match */ 563 return (CRYPTO_INVALID_MAC); 564 } else { 565 rv = crypto_put_output_data(ctx->ccm_pt_buf, out, pt_len); 566 if (rv != CRYPTO_SUCCESS) 567 return (rv); 568 out->cd_offset += pt_len; 569 } 570 return (CRYPTO_SUCCESS); 571 } 572 573 static int 574 ccm_validate_args(CK_AES_CCM_PARAMS *ccm_param, boolean_t is_encrypt_init) 575 { 576 size_t macSize, nonceSize; 577 uint8_t q; 578 uint64_t maxValue; 579 580 /* 581 * Check the length of the MAC. The only valid 582 * lengths for the MAC are: 4, 6, 8, 10, 12, 14, 16 583 */ 584 macSize = ccm_param->ulMACSize; 585 if ((macSize < 4) || (macSize > 16) || ((macSize % 2) != 0)) { 586 return (CRYPTO_MECHANISM_PARAM_INVALID); 587 } 588 589 /* Check the nonce length. Valid values are 7, 8, 9, 10, 11, 12, 13 */ 590 nonceSize = ccm_param->ulNonceSize; 591 if ((nonceSize < 7) || (nonceSize > 13)) { 592 return (CRYPTO_MECHANISM_PARAM_INVALID); 593 } 594 595 /* q is the length of the field storing the length, in bytes */ 596 q = (uint8_t)((15 - nonceSize) & 0xFF); 597 598 599 /* 600 * If it is decrypt, need to make sure size of ciphertext is at least 601 * bigger than MAC len 602 */ 603 if ((!is_encrypt_init) && (ccm_param->ulDataSize < macSize)) { 604 return (CRYPTO_MECHANISM_PARAM_INVALID); 605 } 606 607 /* 608 * Check to make sure the length of the payload is within the 609 * range of values allowed by q 610 */ 611 if (q < 8) { 612 maxValue = (1ULL << (q * 8)) - 1; 613 } else { 614 maxValue = ULONG_MAX; 615 } 616 617 if (ccm_param->ulDataSize > maxValue) { 618 return (CRYPTO_MECHANISM_PARAM_INVALID); 619 } 620 return (CRYPTO_SUCCESS); 621 } 622 623 /* 624 * Format the first block used in CBC-MAC (B0) and the initial counter 625 * block based on formatting functions and counter generation functions 626 * specified in RFC 3610 and NIST publication 800-38C, appendix A 627 * 628 * b0 is the first block used in CBC-MAC 629 * cb0 is the first counter block 630 * 631 * It's assumed that the arguments b0 and cb0 are preallocated AES blocks 632 * 633 */ 634 static void 635 ccm_format_initial_blocks(uchar_t *nonce, ulong_t nonceSize, 636 ulong_t authDataSize, uint8_t *b0, ccm_ctx_t *aes_ctx) 637 { 638 uint64_t payloadSize; 639 uint8_t t, q, have_adata = 0; 640 size_t limit; 641 int i, j, k; 642 uint64_t mask = 0; 643 uint8_t *cb; 644 645 q = (uint8_t)((15 - nonceSize) & 0xFF); 646 t = (uint8_t)((aes_ctx->ccm_mac_len) & 0xFF); 647 648 /* Construct the first octet of b0 */ 649 if (authDataSize > 0) { 650 have_adata = 1; 651 } 652 b0[0] = (have_adata << 6) | (((t - 2) / 2) << 3) | (q - 1); 653 654 /* copy the nonce value into b0 */ 655 memcpy(&(b0[1]), nonce, nonceSize); 656 657 /* store the length of the payload into b0 */ 658 memset(&(b0[1+nonceSize]), 0, q); 659 660 payloadSize = aes_ctx->ccm_data_len; 661 limit = 8 < q ? 8 : q; 662 663 for (i = 0, j = 0, k = 15; i < limit; i++, j += 8, k--) { 664 b0[k] = (uint8_t)((payloadSize >> j) & 0xFF); 665 } 666 667 /* format the counter block */ 668 669 cb = (uint8_t *)aes_ctx->ccm_cb; 670 671 cb[0] = 0x07 & (q-1); /* first byte */ 672 673 /* copy the nonce value into the counter block */ 674 memcpy(&(cb[1]), nonce, nonceSize); 675 676 memset(&(cb[1+nonceSize]), 0, q); 677 678 /* Create the mask for the counter field based on the size of nonce */ 679 q <<= 3; 680 while (q-- > 0) { 681 mask |= (1ULL << q); 682 } 683 684 #ifdef _ZFS_LITTLE_ENDIAN 685 mask = htonll(mask); 686 #endif 687 aes_ctx->ccm_counter_mask = mask; 688 689 /* 690 * During calculation, we start using counter block 1, we will 691 * set it up right here. 692 * We can just set the last byte to have the value 1, because 693 * even with the biggest nonce of 13, the last byte of the 694 * counter block will be used for the counter value. 695 */ 696 cb[15] = 0x01; 697 } 698 699 /* 700 * Encode the length of the associated data as 701 * specified in RFC 3610 and NIST publication 800-38C, appendix A 702 */ 703 static void 704 encode_adata_len(ulong_t auth_data_len, uint8_t *encoded, size_t *encoded_len) 705 { 706 #ifdef UNALIGNED_POINTERS_PERMITTED 707 uint32_t *lencoded_ptr; 708 #ifdef _LP64 709 uint64_t *llencoded_ptr; 710 #endif 711 #endif /* UNALIGNED_POINTERS_PERMITTED */ 712 713 if (auth_data_len < ((1ULL<<16) - (1ULL<<8))) { 714 /* 0 < a < (2^16-2^8) */ 715 *encoded_len = 2; 716 encoded[0] = (auth_data_len & 0xff00) >> 8; 717 encoded[1] = auth_data_len & 0xff; 718 719 } else if ((auth_data_len >= ((1ULL<<16) - (1ULL<<8))) && 720 (auth_data_len < (1ULL << 31))) { 721 /* (2^16-2^8) <= a < 2^32 */ 722 *encoded_len = 6; 723 encoded[0] = 0xff; 724 encoded[1] = 0xfe; 725 #ifdef UNALIGNED_POINTERS_PERMITTED 726 lencoded_ptr = (uint32_t *)&encoded[2]; 727 *lencoded_ptr = htonl(auth_data_len); 728 #else 729 encoded[2] = (auth_data_len & 0xff000000) >> 24; 730 encoded[3] = (auth_data_len & 0xff0000) >> 16; 731 encoded[4] = (auth_data_len & 0xff00) >> 8; 732 encoded[5] = auth_data_len & 0xff; 733 #endif /* UNALIGNED_POINTERS_PERMITTED */ 734 735 #ifdef _LP64 736 } else { 737 /* 2^32 <= a < 2^64 */ 738 *encoded_len = 10; 739 encoded[0] = 0xff; 740 encoded[1] = 0xff; 741 #ifdef UNALIGNED_POINTERS_PERMITTED 742 llencoded_ptr = (uint64_t *)&encoded[2]; 743 *llencoded_ptr = htonl(auth_data_len); 744 #else 745 encoded[2] = (auth_data_len & 0xff00000000000000) >> 56; 746 encoded[3] = (auth_data_len & 0xff000000000000) >> 48; 747 encoded[4] = (auth_data_len & 0xff0000000000) >> 40; 748 encoded[5] = (auth_data_len & 0xff00000000) >> 32; 749 encoded[6] = (auth_data_len & 0xff000000) >> 24; 750 encoded[7] = (auth_data_len & 0xff0000) >> 16; 751 encoded[8] = (auth_data_len & 0xff00) >> 8; 752 encoded[9] = auth_data_len & 0xff; 753 #endif /* UNALIGNED_POINTERS_PERMITTED */ 754 #endif /* _LP64 */ 755 } 756 } 757 758 static int 759 ccm_init(ccm_ctx_t *ctx, unsigned char *nonce, size_t nonce_len, 760 unsigned char *auth_data, size_t auth_data_len, size_t block_size, 761 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *), 762 void (*xor_block)(uint8_t *, uint8_t *)) 763 { 764 uint8_t *mac_buf, *datap, *ivp, *authp; 765 size_t remainder, processed; 766 uint8_t encoded_a[10]; /* max encoded auth data length is 10 octets */ 767 size_t encoded_a_len = 0; 768 769 mac_buf = (uint8_t *)&(ctx->ccm_mac_buf); 770 771 /* 772 * Format the 1st block for CBC-MAC and construct the 773 * 1st counter block. 774 * 775 * aes_ctx->ccm_iv is used for storing the counter block 776 * mac_buf will store b0 at this time. 777 */ 778 ccm_format_initial_blocks(nonce, nonce_len, 779 auth_data_len, mac_buf, ctx); 780 781 /* The IV for CBC MAC for AES CCM mode is always zero */ 782 ivp = (uint8_t *)ctx->ccm_tmp; 783 memset(ivp, 0, block_size); 784 785 xor_block(ivp, mac_buf); 786 787 /* encrypt the nonce */ 788 encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf); 789 790 /* take care of the associated data, if any */ 791 if (auth_data_len == 0) { 792 return (CRYPTO_SUCCESS); 793 } 794 795 encode_adata_len(auth_data_len, encoded_a, &encoded_a_len); 796 797 remainder = auth_data_len; 798 799 /* 1st block: it contains encoded associated data, and some data */ 800 authp = (uint8_t *)ctx->ccm_tmp; 801 memset(authp, 0, block_size); 802 memcpy(authp, encoded_a, encoded_a_len); 803 processed = block_size - encoded_a_len; 804 if (processed > auth_data_len) { 805 /* in case auth_data is very small */ 806 processed = auth_data_len; 807 } 808 memcpy(authp+encoded_a_len, auth_data, processed); 809 /* xor with previous buffer */ 810 xor_block(authp, mac_buf); 811 encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf); 812 remainder -= processed; 813 if (remainder == 0) { 814 /* a small amount of associated data, it's all done now */ 815 return (CRYPTO_SUCCESS); 816 } 817 818 do { 819 if (remainder < block_size) { 820 /* 821 * There's not a block full of data, pad rest of 822 * buffer with zero 823 */ 824 memset(authp, 0, block_size); 825 memcpy(authp, &(auth_data[processed]), remainder); 826 datap = (uint8_t *)authp; 827 remainder = 0; 828 } else { 829 datap = (uint8_t *)(&(auth_data[processed])); 830 processed += block_size; 831 remainder -= block_size; 832 } 833 834 xor_block(datap, mac_buf); 835 encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf); 836 837 } while (remainder > 0); 838 839 return (CRYPTO_SUCCESS); 840 } 841 842 /* 843 * The following function should be call at encrypt or decrypt init time 844 * for AES CCM mode. 845 */ 846 int 847 ccm_init_ctx(ccm_ctx_t *ccm_ctx, char *param, int kmflag, 848 boolean_t is_encrypt_init, size_t block_size, 849 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *), 850 void (*xor_block)(uint8_t *, uint8_t *)) 851 { 852 int rv; 853 CK_AES_CCM_PARAMS *ccm_param; 854 855 if (param != NULL) { 856 ccm_param = (CK_AES_CCM_PARAMS *)param; 857 858 if ((rv = ccm_validate_args(ccm_param, 859 is_encrypt_init)) != 0) { 860 return (rv); 861 } 862 863 ccm_ctx->ccm_mac_len = ccm_param->ulMACSize; 864 if (is_encrypt_init) { 865 ccm_ctx->ccm_data_len = ccm_param->ulDataSize; 866 } else { 867 ccm_ctx->ccm_data_len = 868 ccm_param->ulDataSize - ccm_ctx->ccm_mac_len; 869 ccm_ctx->ccm_processed_mac_len = 0; 870 } 871 ccm_ctx->ccm_processed_data_len = 0; 872 873 ccm_ctx->ccm_flags |= CCM_MODE; 874 } else { 875 return (CRYPTO_MECHANISM_PARAM_INVALID); 876 } 877 878 if (ccm_init(ccm_ctx, ccm_param->nonce, ccm_param->ulNonceSize, 879 ccm_param->authData, ccm_param->ulAuthDataSize, block_size, 880 encrypt_block, xor_block) != 0) { 881 return (CRYPTO_MECHANISM_PARAM_INVALID); 882 } 883 if (!is_encrypt_init) { 884 /* allocate buffer for storing decrypted plaintext */ 885 ccm_ctx->ccm_pt_buf = vmem_alloc(ccm_ctx->ccm_data_len, 886 kmflag); 887 if (ccm_ctx->ccm_pt_buf == NULL) { 888 rv = CRYPTO_HOST_MEMORY; 889 } 890 } 891 return (rv); 892 } 893 894 void * 895 ccm_alloc_ctx(int kmflag) 896 { 897 ccm_ctx_t *ccm_ctx; 898 899 if ((ccm_ctx = kmem_zalloc(sizeof (ccm_ctx_t), kmflag)) == NULL) 900 return (NULL); 901 902 ccm_ctx->ccm_flags = CCM_MODE; 903 return (ccm_ctx); 904 } 905