1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or https://opensource.org/licenses/CDDL-1.0. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 /* 26 * AES provider for the Kernel Cryptographic Framework (KCF) 27 */ 28 29 #include <sys/zfs_context.h> 30 #include <sys/crypto/common.h> 31 #include <sys/crypto/impl.h> 32 #include <sys/crypto/spi.h> 33 #include <sys/crypto/icp.h> 34 #include <modes/modes.h> 35 #define _AES_IMPL 36 #include <aes/aes_impl.h> 37 #include <modes/gcm_impl.h> 38 39 /* 40 * Mechanism info structure passed to KCF during registration. 41 */ 42 static const crypto_mech_info_t aes_mech_info_tab[] = { 43 /* AES_ECB */ 44 {SUN_CKM_AES_ECB, AES_ECB_MECH_INFO_TYPE, 45 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 46 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC}, 47 /* AES_CBC */ 48 {SUN_CKM_AES_CBC, AES_CBC_MECH_INFO_TYPE, 49 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 50 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC}, 51 /* AES_CTR */ 52 {SUN_CKM_AES_CTR, AES_CTR_MECH_INFO_TYPE, 53 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 54 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC}, 55 /* AES_CCM */ 56 {SUN_CKM_AES_CCM, AES_CCM_MECH_INFO_TYPE, 57 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 58 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC}, 59 /* AES_GCM */ 60 {SUN_CKM_AES_GCM, AES_GCM_MECH_INFO_TYPE, 61 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 62 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC}, 63 /* AES_GMAC */ 64 {SUN_CKM_AES_GMAC, AES_GMAC_MECH_INFO_TYPE, 65 CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC | 66 CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC | 67 CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC}, 68 }; 69 70 static int aes_encrypt_init(crypto_ctx_t *, crypto_mechanism_t *, 71 crypto_key_t *, crypto_spi_ctx_template_t); 72 static int aes_decrypt_init(crypto_ctx_t *, crypto_mechanism_t *, 73 crypto_key_t *, crypto_spi_ctx_template_t); 74 static int aes_common_init(crypto_ctx_t *, crypto_mechanism_t *, 75 crypto_key_t *, crypto_spi_ctx_template_t, boolean_t); 76 static int aes_common_init_ctx(aes_ctx_t *, crypto_spi_ctx_template_t *, 77 crypto_mechanism_t *, crypto_key_t *, int, boolean_t); 78 static int aes_encrypt_final(crypto_ctx_t *, crypto_data_t *); 79 static int aes_decrypt_final(crypto_ctx_t *, crypto_data_t *); 80 81 static int aes_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); 82 static int aes_encrypt_update(crypto_ctx_t *, crypto_data_t *, 83 crypto_data_t *); 84 static int aes_encrypt_atomic(crypto_mechanism_t *, crypto_key_t *, 85 crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); 86 87 static int aes_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *); 88 static int aes_decrypt_update(crypto_ctx_t *, crypto_data_t *, 89 crypto_data_t *); 90 static int aes_decrypt_atomic(crypto_mechanism_t *, crypto_key_t *, 91 crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); 92 93 static const crypto_cipher_ops_t aes_cipher_ops = { 94 .encrypt_init = aes_encrypt_init, 95 .encrypt = aes_encrypt, 96 .encrypt_update = aes_encrypt_update, 97 .encrypt_final = aes_encrypt_final, 98 .encrypt_atomic = aes_encrypt_atomic, 99 .decrypt_init = aes_decrypt_init, 100 .decrypt = aes_decrypt, 101 .decrypt_update = aes_decrypt_update, 102 .decrypt_final = aes_decrypt_final, 103 .decrypt_atomic = aes_decrypt_atomic 104 }; 105 106 static int aes_mac_atomic(crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, 107 crypto_data_t *, crypto_spi_ctx_template_t); 108 static int aes_mac_verify_atomic(crypto_mechanism_t *, crypto_key_t *, 109 crypto_data_t *, crypto_data_t *, crypto_spi_ctx_template_t); 110 111 static const crypto_mac_ops_t aes_mac_ops = { 112 .mac_init = NULL, 113 .mac = NULL, 114 .mac_update = NULL, 115 .mac_final = NULL, 116 .mac_atomic = aes_mac_atomic, 117 .mac_verify_atomic = aes_mac_verify_atomic 118 }; 119 120 static int aes_create_ctx_template(crypto_mechanism_t *, crypto_key_t *, 121 crypto_spi_ctx_template_t *, size_t *); 122 static int aes_free_context(crypto_ctx_t *); 123 124 static const crypto_ctx_ops_t aes_ctx_ops = { 125 .create_ctx_template = aes_create_ctx_template, 126 .free_context = aes_free_context 127 }; 128 129 static const crypto_ops_t aes_crypto_ops = { 130 NULL, 131 &aes_cipher_ops, 132 &aes_mac_ops, 133 &aes_ctx_ops, 134 }; 135 136 static const crypto_provider_info_t aes_prov_info = { 137 "AES Software Provider", 138 &aes_crypto_ops, 139 sizeof (aes_mech_info_tab) / sizeof (crypto_mech_info_t), 140 aes_mech_info_tab 141 }; 142 143 static crypto_kcf_provider_handle_t aes_prov_handle = 0; 144 static crypto_data_t null_crypto_data = { CRYPTO_DATA_RAW }; 145 146 int 147 aes_mod_init(void) 148 { 149 /* Determine the fastest available implementation. */ 150 aes_impl_init(); 151 gcm_impl_init(); 152 153 /* Register with KCF. If the registration fails, remove the module. */ 154 if (crypto_register_provider(&aes_prov_info, &aes_prov_handle)) 155 return (EACCES); 156 157 return (0); 158 } 159 160 int 161 aes_mod_fini(void) 162 { 163 /* Unregister from KCF if module is registered */ 164 if (aes_prov_handle != 0) { 165 if (crypto_unregister_provider(aes_prov_handle)) 166 return (EBUSY); 167 168 aes_prov_handle = 0; 169 } 170 171 return (0); 172 } 173 174 static int 175 aes_check_mech_param(crypto_mechanism_t *mechanism, aes_ctx_t **ctx) 176 { 177 void *p = NULL; 178 boolean_t param_required = B_TRUE; 179 size_t param_len; 180 void *(*alloc_fun)(int); 181 int rv = CRYPTO_SUCCESS; 182 183 switch (mechanism->cm_type) { 184 case AES_ECB_MECH_INFO_TYPE: 185 param_required = B_FALSE; 186 alloc_fun = ecb_alloc_ctx; 187 break; 188 case AES_CBC_MECH_INFO_TYPE: 189 param_len = AES_BLOCK_LEN; 190 alloc_fun = cbc_alloc_ctx; 191 break; 192 case AES_CTR_MECH_INFO_TYPE: 193 param_len = sizeof (CK_AES_CTR_PARAMS); 194 alloc_fun = ctr_alloc_ctx; 195 break; 196 case AES_CCM_MECH_INFO_TYPE: 197 param_len = sizeof (CK_AES_CCM_PARAMS); 198 alloc_fun = ccm_alloc_ctx; 199 break; 200 case AES_GCM_MECH_INFO_TYPE: 201 param_len = sizeof (CK_AES_GCM_PARAMS); 202 alloc_fun = gcm_alloc_ctx; 203 break; 204 case AES_GMAC_MECH_INFO_TYPE: 205 param_len = sizeof (CK_AES_GMAC_PARAMS); 206 alloc_fun = gmac_alloc_ctx; 207 break; 208 default: 209 rv = CRYPTO_MECHANISM_INVALID; 210 return (rv); 211 } 212 if (param_required && mechanism->cm_param != NULL && 213 mechanism->cm_param_len != param_len) { 214 rv = CRYPTO_MECHANISM_PARAM_INVALID; 215 } 216 if (ctx != NULL) { 217 p = (alloc_fun)(KM_SLEEP); 218 *ctx = p; 219 } 220 return (rv); 221 } 222 223 /* 224 * Initialize key schedules for AES 225 */ 226 static int 227 init_keysched(crypto_key_t *key, void *newbie) 228 { 229 if (key->ck_length < AES_MINBITS || 230 key->ck_length > AES_MAXBITS) { 231 return (CRYPTO_KEY_SIZE_RANGE); 232 } 233 234 /* key length must be either 128, 192, or 256 */ 235 if ((key->ck_length & 63) != 0) 236 return (CRYPTO_KEY_SIZE_RANGE); 237 238 aes_init_keysched(key->ck_data, key->ck_length, newbie); 239 return (CRYPTO_SUCCESS); 240 } 241 242 static int 243 aes_encrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 244 crypto_key_t *key, crypto_spi_ctx_template_t template) 245 { 246 return (aes_common_init(ctx, mechanism, key, template, B_TRUE)); 247 } 248 249 static int 250 aes_decrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 251 crypto_key_t *key, crypto_spi_ctx_template_t template) 252 { 253 return (aes_common_init(ctx, mechanism, key, template, B_FALSE)); 254 } 255 256 257 258 /* 259 * KCF software provider encrypt entry points. 260 */ 261 static int 262 aes_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, 263 crypto_key_t *key, crypto_spi_ctx_template_t template, 264 boolean_t is_encrypt_init) 265 { 266 aes_ctx_t *aes_ctx; 267 int rv; 268 269 if ((rv = aes_check_mech_param(mechanism, &aes_ctx)) 270 != CRYPTO_SUCCESS) 271 return (rv); 272 273 rv = aes_common_init_ctx(aes_ctx, template, mechanism, key, KM_SLEEP, 274 is_encrypt_init); 275 if (rv != CRYPTO_SUCCESS) { 276 crypto_free_mode_ctx(aes_ctx); 277 return (rv); 278 } 279 280 ctx->cc_provider_private = aes_ctx; 281 282 return (CRYPTO_SUCCESS); 283 } 284 285 static void 286 aes_copy_block64(uint8_t *in, uint64_t *out) 287 { 288 if (IS_P2ALIGNED(in, sizeof (uint64_t))) { 289 /* LINTED: pointer alignment */ 290 out[0] = *(uint64_t *)&in[0]; 291 /* LINTED: pointer alignment */ 292 out[1] = *(uint64_t *)&in[8]; 293 } else { 294 uint8_t *iv8 = (uint8_t *)&out[0]; 295 296 AES_COPY_BLOCK(in, iv8); 297 } 298 } 299 300 301 static int 302 aes_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext, 303 crypto_data_t *ciphertext) 304 { 305 int ret = CRYPTO_FAILED; 306 307 aes_ctx_t *aes_ctx; 308 size_t saved_length, saved_offset, length_needed; 309 310 ASSERT(ctx->cc_provider_private != NULL); 311 aes_ctx = ctx->cc_provider_private; 312 313 /* 314 * For block ciphers, plaintext must be a multiple of AES block size. 315 * This test is only valid for ciphers whose blocksize is a power of 2. 316 */ 317 if (((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE)) 318 == 0) && (plaintext->cd_length & (AES_BLOCK_LEN - 1)) != 0) 319 return (CRYPTO_DATA_LEN_RANGE); 320 321 ASSERT(ciphertext != NULL); 322 323 /* 324 * We need to just return the length needed to store the output. 325 * We should not destroy the context for the following case. 326 */ 327 switch (aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) { 328 case CCM_MODE: 329 length_needed = plaintext->cd_length + aes_ctx->ac_mac_len; 330 break; 331 case GCM_MODE: 332 length_needed = plaintext->cd_length + aes_ctx->ac_tag_len; 333 break; 334 case GMAC_MODE: 335 if (plaintext->cd_length != 0) 336 return (CRYPTO_ARGUMENTS_BAD); 337 338 length_needed = aes_ctx->ac_tag_len; 339 break; 340 default: 341 length_needed = plaintext->cd_length; 342 } 343 344 if (ciphertext->cd_length < length_needed) { 345 ciphertext->cd_length = length_needed; 346 return (CRYPTO_BUFFER_TOO_SMALL); 347 } 348 349 saved_length = ciphertext->cd_length; 350 saved_offset = ciphertext->cd_offset; 351 352 /* 353 * Do an update on the specified input data. 354 */ 355 ret = aes_encrypt_update(ctx, plaintext, ciphertext); 356 if (ret != CRYPTO_SUCCESS) { 357 return (ret); 358 } 359 360 /* 361 * For CCM mode, aes_ccm_encrypt_final() will take care of any 362 * left-over unprocessed data, and compute the MAC 363 */ 364 if (aes_ctx->ac_flags & CCM_MODE) { 365 /* 366 * ccm_encrypt_final() will compute the MAC and append 367 * it to existing ciphertext. So, need to adjust the left over 368 * length value accordingly 369 */ 370 371 /* order of following 2 lines MUST not be reversed */ 372 ciphertext->cd_offset = ciphertext->cd_length; 373 ciphertext->cd_length = saved_length - ciphertext->cd_length; 374 ret = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, ciphertext, 375 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block); 376 if (ret != CRYPTO_SUCCESS) { 377 return (ret); 378 } 379 380 if (plaintext != ciphertext) { 381 ciphertext->cd_length = 382 ciphertext->cd_offset - saved_offset; 383 } 384 ciphertext->cd_offset = saved_offset; 385 } else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) { 386 /* 387 * gcm_encrypt_final() will compute the MAC and append 388 * it to existing ciphertext. So, need to adjust the left over 389 * length value accordingly 390 */ 391 392 /* order of following 2 lines MUST not be reversed */ 393 ciphertext->cd_offset = ciphertext->cd_length; 394 ciphertext->cd_length = saved_length - ciphertext->cd_length; 395 ret = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, ciphertext, 396 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block, 397 aes_xor_block); 398 if (ret != CRYPTO_SUCCESS) { 399 return (ret); 400 } 401 402 if (plaintext != ciphertext) { 403 ciphertext->cd_length = 404 ciphertext->cd_offset - saved_offset; 405 } 406 ciphertext->cd_offset = saved_offset; 407 } 408 409 ASSERT(aes_ctx->ac_remainder_len == 0); 410 (void) aes_free_context(ctx); 411 412 return (ret); 413 } 414 415 416 static int 417 aes_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext, 418 crypto_data_t *plaintext) 419 { 420 int ret = CRYPTO_FAILED; 421 422 aes_ctx_t *aes_ctx; 423 off_t saved_offset; 424 size_t saved_length, length_needed; 425 426 ASSERT(ctx->cc_provider_private != NULL); 427 aes_ctx = ctx->cc_provider_private; 428 429 /* 430 * For block ciphers, plaintext must be a multiple of AES block size. 431 * This test is only valid for ciphers whose blocksize is a power of 2. 432 */ 433 if (((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE)) 434 == 0) && (ciphertext->cd_length & (AES_BLOCK_LEN - 1)) != 0) { 435 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE); 436 } 437 438 ASSERT(plaintext != NULL); 439 440 /* 441 * Return length needed to store the output. 442 * Do not destroy context when plaintext buffer is too small. 443 * 444 * CCM: plaintext is MAC len smaller than cipher text 445 * GCM: plaintext is TAG len smaller than cipher text 446 * GMAC: plaintext length must be zero 447 */ 448 switch (aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) { 449 case CCM_MODE: 450 length_needed = aes_ctx->ac_processed_data_len; 451 break; 452 case GCM_MODE: 453 length_needed = ciphertext->cd_length - aes_ctx->ac_tag_len; 454 break; 455 case GMAC_MODE: 456 if (plaintext->cd_length != 0) 457 return (CRYPTO_ARGUMENTS_BAD); 458 459 length_needed = 0; 460 break; 461 default: 462 length_needed = ciphertext->cd_length; 463 } 464 465 if (plaintext->cd_length < length_needed) { 466 plaintext->cd_length = length_needed; 467 return (CRYPTO_BUFFER_TOO_SMALL); 468 } 469 470 saved_offset = plaintext->cd_offset; 471 saved_length = plaintext->cd_length; 472 473 /* 474 * Do an update on the specified input data. 475 */ 476 ret = aes_decrypt_update(ctx, ciphertext, plaintext); 477 if (ret != CRYPTO_SUCCESS) { 478 goto cleanup; 479 } 480 481 if (aes_ctx->ac_flags & CCM_MODE) { 482 ASSERT(aes_ctx->ac_processed_data_len == aes_ctx->ac_data_len); 483 ASSERT(aes_ctx->ac_processed_mac_len == aes_ctx->ac_mac_len); 484 485 /* order of following 2 lines MUST not be reversed */ 486 plaintext->cd_offset = plaintext->cd_length; 487 plaintext->cd_length = saved_length - plaintext->cd_length; 488 489 ret = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, plaintext, 490 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block, 491 aes_xor_block); 492 if (ret == CRYPTO_SUCCESS) { 493 if (plaintext != ciphertext) { 494 plaintext->cd_length = 495 plaintext->cd_offset - saved_offset; 496 } 497 } else { 498 plaintext->cd_length = saved_length; 499 } 500 501 plaintext->cd_offset = saved_offset; 502 } else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) { 503 /* order of following 2 lines MUST not be reversed */ 504 plaintext->cd_offset = plaintext->cd_length; 505 plaintext->cd_length = saved_length - plaintext->cd_length; 506 507 ret = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, plaintext, 508 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block); 509 if (ret == CRYPTO_SUCCESS) { 510 if (plaintext != ciphertext) { 511 plaintext->cd_length = 512 plaintext->cd_offset - saved_offset; 513 } 514 } else { 515 plaintext->cd_length = saved_length; 516 } 517 518 plaintext->cd_offset = saved_offset; 519 } 520 521 ASSERT(aes_ctx->ac_remainder_len == 0); 522 523 cleanup: 524 (void) aes_free_context(ctx); 525 526 return (ret); 527 } 528 529 530 static int 531 aes_encrypt_update(crypto_ctx_t *ctx, crypto_data_t *plaintext, 532 crypto_data_t *ciphertext) 533 { 534 off_t saved_offset; 535 size_t saved_length, out_len; 536 int ret = CRYPTO_SUCCESS; 537 aes_ctx_t *aes_ctx; 538 539 ASSERT(ctx->cc_provider_private != NULL); 540 aes_ctx = ctx->cc_provider_private; 541 542 ASSERT(ciphertext != NULL); 543 544 /* compute number of bytes that will hold the ciphertext */ 545 out_len = aes_ctx->ac_remainder_len; 546 out_len += plaintext->cd_length; 547 out_len &= ~(AES_BLOCK_LEN - 1); 548 549 /* return length needed to store the output */ 550 if (ciphertext->cd_length < out_len) { 551 ciphertext->cd_length = out_len; 552 return (CRYPTO_BUFFER_TOO_SMALL); 553 } 554 555 saved_offset = ciphertext->cd_offset; 556 saved_length = ciphertext->cd_length; 557 558 /* 559 * Do the AES update on the specified input data. 560 */ 561 switch (plaintext->cd_format) { 562 case CRYPTO_DATA_RAW: 563 ret = crypto_update_iov(ctx->cc_provider_private, 564 plaintext, ciphertext, aes_encrypt_contiguous_blocks); 565 break; 566 case CRYPTO_DATA_UIO: 567 ret = crypto_update_uio(ctx->cc_provider_private, 568 plaintext, ciphertext, aes_encrypt_contiguous_blocks); 569 break; 570 default: 571 ret = CRYPTO_ARGUMENTS_BAD; 572 } 573 574 /* 575 * Since AES counter mode is a stream cipher, we call 576 * ctr_mode_final() to pick up any remaining bytes. 577 * It is an internal function that does not destroy 578 * the context like *normal* final routines. 579 */ 580 if ((aes_ctx->ac_flags & CTR_MODE) && (aes_ctx->ac_remainder_len > 0)) { 581 ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, 582 ciphertext, aes_encrypt_block); 583 } 584 585 if (ret == CRYPTO_SUCCESS) { 586 if (plaintext != ciphertext) 587 ciphertext->cd_length = 588 ciphertext->cd_offset - saved_offset; 589 } else { 590 ciphertext->cd_length = saved_length; 591 } 592 ciphertext->cd_offset = saved_offset; 593 594 return (ret); 595 } 596 597 598 static int 599 aes_decrypt_update(crypto_ctx_t *ctx, crypto_data_t *ciphertext, 600 crypto_data_t *plaintext) 601 { 602 off_t saved_offset; 603 size_t saved_length, out_len; 604 int ret = CRYPTO_SUCCESS; 605 aes_ctx_t *aes_ctx; 606 607 ASSERT(ctx->cc_provider_private != NULL); 608 aes_ctx = ctx->cc_provider_private; 609 610 ASSERT(plaintext != NULL); 611 612 /* 613 * Compute number of bytes that will hold the plaintext. 614 * This is not necessary for CCM, GCM, and GMAC since these 615 * mechanisms never return plaintext for update operations. 616 */ 617 if ((aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) == 0) { 618 out_len = aes_ctx->ac_remainder_len; 619 out_len += ciphertext->cd_length; 620 out_len &= ~(AES_BLOCK_LEN - 1); 621 622 /* return length needed to store the output */ 623 if (plaintext->cd_length < out_len) { 624 plaintext->cd_length = out_len; 625 return (CRYPTO_BUFFER_TOO_SMALL); 626 } 627 } 628 629 saved_offset = plaintext->cd_offset; 630 saved_length = plaintext->cd_length; 631 632 /* 633 * Do the AES update on the specified input data. 634 */ 635 switch (ciphertext->cd_format) { 636 case CRYPTO_DATA_RAW: 637 ret = crypto_update_iov(ctx->cc_provider_private, 638 ciphertext, plaintext, aes_decrypt_contiguous_blocks); 639 break; 640 case CRYPTO_DATA_UIO: 641 ret = crypto_update_uio(ctx->cc_provider_private, 642 ciphertext, plaintext, aes_decrypt_contiguous_blocks); 643 break; 644 default: 645 ret = CRYPTO_ARGUMENTS_BAD; 646 } 647 648 /* 649 * Since AES counter mode is a stream cipher, we call 650 * ctr_mode_final() to pick up any remaining bytes. 651 * It is an internal function that does not destroy 652 * the context like *normal* final routines. 653 */ 654 if ((aes_ctx->ac_flags & CTR_MODE) && (aes_ctx->ac_remainder_len > 0)) { 655 ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, plaintext, 656 aes_encrypt_block); 657 if (ret == CRYPTO_DATA_LEN_RANGE) 658 ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE; 659 } 660 661 if (ret == CRYPTO_SUCCESS) { 662 if (ciphertext != plaintext) 663 plaintext->cd_length = 664 plaintext->cd_offset - saved_offset; 665 } else { 666 plaintext->cd_length = saved_length; 667 } 668 plaintext->cd_offset = saved_offset; 669 670 671 return (ret); 672 } 673 674 static int 675 aes_encrypt_final(crypto_ctx_t *ctx, crypto_data_t *data) 676 { 677 aes_ctx_t *aes_ctx; 678 int ret; 679 680 ASSERT(ctx->cc_provider_private != NULL); 681 aes_ctx = ctx->cc_provider_private; 682 683 if (data->cd_format != CRYPTO_DATA_RAW && 684 data->cd_format != CRYPTO_DATA_UIO) { 685 return (CRYPTO_ARGUMENTS_BAD); 686 } 687 688 if (aes_ctx->ac_flags & CTR_MODE) { 689 if (aes_ctx->ac_remainder_len > 0) { 690 ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, data, 691 aes_encrypt_block); 692 if (ret != CRYPTO_SUCCESS) 693 return (ret); 694 } 695 } else if (aes_ctx->ac_flags & CCM_MODE) { 696 ret = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, data, 697 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block); 698 if (ret != CRYPTO_SUCCESS) { 699 return (ret); 700 } 701 } else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) { 702 size_t saved_offset = data->cd_offset; 703 704 ret = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, data, 705 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block, 706 aes_xor_block); 707 if (ret != CRYPTO_SUCCESS) { 708 return (ret); 709 } 710 data->cd_length = data->cd_offset - saved_offset; 711 data->cd_offset = saved_offset; 712 } else { 713 /* 714 * There must be no unprocessed plaintext. 715 * This happens if the length of the last data is 716 * not a multiple of the AES block length. 717 */ 718 if (aes_ctx->ac_remainder_len > 0) { 719 return (CRYPTO_DATA_LEN_RANGE); 720 } 721 data->cd_length = 0; 722 } 723 724 (void) aes_free_context(ctx); 725 726 return (CRYPTO_SUCCESS); 727 } 728 729 static int 730 aes_decrypt_final(crypto_ctx_t *ctx, crypto_data_t *data) 731 { 732 aes_ctx_t *aes_ctx; 733 int ret; 734 off_t saved_offset; 735 size_t saved_length; 736 737 ASSERT(ctx->cc_provider_private != NULL); 738 aes_ctx = ctx->cc_provider_private; 739 740 if (data->cd_format != CRYPTO_DATA_RAW && 741 data->cd_format != CRYPTO_DATA_UIO) { 742 return (CRYPTO_ARGUMENTS_BAD); 743 } 744 745 /* 746 * There must be no unprocessed ciphertext. 747 * This happens if the length of the last ciphertext is 748 * not a multiple of the AES block length. 749 */ 750 if (aes_ctx->ac_remainder_len > 0) { 751 if ((aes_ctx->ac_flags & CTR_MODE) == 0) 752 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE); 753 else { 754 ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, data, 755 aes_encrypt_block); 756 if (ret == CRYPTO_DATA_LEN_RANGE) 757 ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE; 758 if (ret != CRYPTO_SUCCESS) 759 return (ret); 760 } 761 } 762 763 if (aes_ctx->ac_flags & CCM_MODE) { 764 /* 765 * This is where all the plaintext is returned, make sure 766 * the plaintext buffer is big enough 767 */ 768 size_t pt_len = aes_ctx->ac_data_len; 769 if (data->cd_length < pt_len) { 770 data->cd_length = pt_len; 771 return (CRYPTO_BUFFER_TOO_SMALL); 772 } 773 774 ASSERT(aes_ctx->ac_processed_data_len == pt_len); 775 ASSERT(aes_ctx->ac_processed_mac_len == aes_ctx->ac_mac_len); 776 saved_offset = data->cd_offset; 777 saved_length = data->cd_length; 778 ret = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, data, 779 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block, 780 aes_xor_block); 781 if (ret == CRYPTO_SUCCESS) { 782 data->cd_length = data->cd_offset - saved_offset; 783 } else { 784 data->cd_length = saved_length; 785 } 786 787 data->cd_offset = saved_offset; 788 if (ret != CRYPTO_SUCCESS) { 789 return (ret); 790 } 791 } else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) { 792 /* 793 * This is where all the plaintext is returned, make sure 794 * the plaintext buffer is big enough 795 */ 796 gcm_ctx_t *ctx = (gcm_ctx_t *)aes_ctx; 797 size_t pt_len = ctx->gcm_processed_data_len - ctx->gcm_tag_len; 798 799 if (data->cd_length < pt_len) { 800 data->cd_length = pt_len; 801 return (CRYPTO_BUFFER_TOO_SMALL); 802 } 803 804 saved_offset = data->cd_offset; 805 saved_length = data->cd_length; 806 ret = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, data, 807 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block); 808 if (ret == CRYPTO_SUCCESS) { 809 data->cd_length = data->cd_offset - saved_offset; 810 } else { 811 data->cd_length = saved_length; 812 } 813 814 data->cd_offset = saved_offset; 815 if (ret != CRYPTO_SUCCESS) { 816 return (ret); 817 } 818 } 819 820 821 if ((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE)) == 0) { 822 data->cd_length = 0; 823 } 824 825 (void) aes_free_context(ctx); 826 827 return (CRYPTO_SUCCESS); 828 } 829 830 static int 831 aes_encrypt_atomic(crypto_mechanism_t *mechanism, 832 crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext, 833 crypto_spi_ctx_template_t template) 834 { 835 aes_ctx_t aes_ctx = {{{{0}}}}; 836 off_t saved_offset; 837 size_t saved_length; 838 size_t length_needed; 839 int ret; 840 841 ASSERT(ciphertext != NULL); 842 843 /* 844 * CTR, CCM, GCM, and GMAC modes do not require that plaintext 845 * be a multiple of AES block size. 846 */ 847 switch (mechanism->cm_type) { 848 case AES_CTR_MECH_INFO_TYPE: 849 case AES_CCM_MECH_INFO_TYPE: 850 case AES_GCM_MECH_INFO_TYPE: 851 case AES_GMAC_MECH_INFO_TYPE: 852 break; 853 default: 854 if ((plaintext->cd_length & (AES_BLOCK_LEN - 1)) != 0) 855 return (CRYPTO_DATA_LEN_RANGE); 856 } 857 858 if ((ret = aes_check_mech_param(mechanism, NULL)) != CRYPTO_SUCCESS) 859 return (ret); 860 861 ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key, 862 KM_SLEEP, B_TRUE); 863 if (ret != CRYPTO_SUCCESS) 864 return (ret); 865 866 switch (mechanism->cm_type) { 867 case AES_CCM_MECH_INFO_TYPE: 868 length_needed = plaintext->cd_length + aes_ctx.ac_mac_len; 869 break; 870 case AES_GMAC_MECH_INFO_TYPE: 871 if (plaintext->cd_length != 0) 872 return (CRYPTO_ARGUMENTS_BAD); 873 zfs_fallthrough; 874 case AES_GCM_MECH_INFO_TYPE: 875 length_needed = plaintext->cd_length + aes_ctx.ac_tag_len; 876 break; 877 default: 878 length_needed = plaintext->cd_length; 879 } 880 881 /* return size of buffer needed to store output */ 882 if (ciphertext->cd_length < length_needed) { 883 ciphertext->cd_length = length_needed; 884 ret = CRYPTO_BUFFER_TOO_SMALL; 885 goto out; 886 } 887 888 saved_offset = ciphertext->cd_offset; 889 saved_length = ciphertext->cd_length; 890 891 /* 892 * Do an update on the specified input data. 893 */ 894 switch (plaintext->cd_format) { 895 case CRYPTO_DATA_RAW: 896 ret = crypto_update_iov(&aes_ctx, plaintext, ciphertext, 897 aes_encrypt_contiguous_blocks); 898 break; 899 case CRYPTO_DATA_UIO: 900 ret = crypto_update_uio(&aes_ctx, plaintext, ciphertext, 901 aes_encrypt_contiguous_blocks); 902 break; 903 default: 904 ret = CRYPTO_ARGUMENTS_BAD; 905 } 906 907 if (ret == CRYPTO_SUCCESS) { 908 if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) { 909 ret = ccm_encrypt_final((ccm_ctx_t *)&aes_ctx, 910 ciphertext, AES_BLOCK_LEN, aes_encrypt_block, 911 aes_xor_block); 912 if (ret != CRYPTO_SUCCESS) 913 goto out; 914 ASSERT(aes_ctx.ac_remainder_len == 0); 915 } else if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE || 916 mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE) { 917 ret = gcm_encrypt_final((gcm_ctx_t *)&aes_ctx, 918 ciphertext, AES_BLOCK_LEN, aes_encrypt_block, 919 aes_copy_block, aes_xor_block); 920 if (ret != CRYPTO_SUCCESS) 921 goto out; 922 ASSERT(aes_ctx.ac_remainder_len == 0); 923 } else if (mechanism->cm_type == AES_CTR_MECH_INFO_TYPE) { 924 if (aes_ctx.ac_remainder_len > 0) { 925 ret = ctr_mode_final((ctr_ctx_t *)&aes_ctx, 926 ciphertext, aes_encrypt_block); 927 if (ret != CRYPTO_SUCCESS) 928 goto out; 929 } 930 } else { 931 ASSERT(aes_ctx.ac_remainder_len == 0); 932 } 933 934 if (plaintext != ciphertext) { 935 ciphertext->cd_length = 936 ciphertext->cd_offset - saved_offset; 937 } 938 } else { 939 ciphertext->cd_length = saved_length; 940 } 941 ciphertext->cd_offset = saved_offset; 942 943 out: 944 if (aes_ctx.ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) { 945 memset(aes_ctx.ac_keysched, 0, aes_ctx.ac_keysched_len); 946 kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len); 947 } 948 if (aes_ctx.ac_flags & (GCM_MODE|GMAC_MODE)) { 949 gcm_clear_ctx((gcm_ctx_t *)&aes_ctx); 950 } 951 return (ret); 952 } 953 954 static int 955 aes_decrypt_atomic(crypto_mechanism_t *mechanism, 956 crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext, 957 crypto_spi_ctx_template_t template) 958 { 959 aes_ctx_t aes_ctx = {{{{0}}}}; 960 off_t saved_offset; 961 size_t saved_length; 962 size_t length_needed; 963 int ret; 964 965 ASSERT(plaintext != NULL); 966 967 /* 968 * CCM, GCM, CTR, and GMAC modes do not require that ciphertext 969 * be a multiple of AES block size. 970 */ 971 switch (mechanism->cm_type) { 972 case AES_CTR_MECH_INFO_TYPE: 973 case AES_CCM_MECH_INFO_TYPE: 974 case AES_GCM_MECH_INFO_TYPE: 975 case AES_GMAC_MECH_INFO_TYPE: 976 break; 977 default: 978 if ((ciphertext->cd_length & (AES_BLOCK_LEN - 1)) != 0) 979 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE); 980 } 981 982 if ((ret = aes_check_mech_param(mechanism, NULL)) != CRYPTO_SUCCESS) 983 return (ret); 984 985 ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key, 986 KM_SLEEP, B_FALSE); 987 if (ret != CRYPTO_SUCCESS) 988 return (ret); 989 990 switch (mechanism->cm_type) { 991 case AES_CCM_MECH_INFO_TYPE: 992 length_needed = aes_ctx.ac_data_len; 993 break; 994 case AES_GCM_MECH_INFO_TYPE: 995 length_needed = ciphertext->cd_length - aes_ctx.ac_tag_len; 996 break; 997 case AES_GMAC_MECH_INFO_TYPE: 998 if (plaintext->cd_length != 0) 999 return (CRYPTO_ARGUMENTS_BAD); 1000 length_needed = 0; 1001 break; 1002 default: 1003 length_needed = ciphertext->cd_length; 1004 } 1005 1006 /* return size of buffer needed to store output */ 1007 if (plaintext->cd_length < length_needed) { 1008 plaintext->cd_length = length_needed; 1009 ret = CRYPTO_BUFFER_TOO_SMALL; 1010 goto out; 1011 } 1012 1013 saved_offset = plaintext->cd_offset; 1014 saved_length = plaintext->cd_length; 1015 1016 /* 1017 * Do an update on the specified input data. 1018 */ 1019 switch (ciphertext->cd_format) { 1020 case CRYPTO_DATA_RAW: 1021 ret = crypto_update_iov(&aes_ctx, ciphertext, plaintext, 1022 aes_decrypt_contiguous_blocks); 1023 break; 1024 case CRYPTO_DATA_UIO: 1025 ret = crypto_update_uio(&aes_ctx, ciphertext, plaintext, 1026 aes_decrypt_contiguous_blocks); 1027 break; 1028 default: 1029 ret = CRYPTO_ARGUMENTS_BAD; 1030 } 1031 1032 if (ret == CRYPTO_SUCCESS) { 1033 if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) { 1034 ASSERT(aes_ctx.ac_processed_data_len 1035 == aes_ctx.ac_data_len); 1036 ASSERT(aes_ctx.ac_processed_mac_len 1037 == aes_ctx.ac_mac_len); 1038 ret = ccm_decrypt_final((ccm_ctx_t *)&aes_ctx, 1039 plaintext, AES_BLOCK_LEN, aes_encrypt_block, 1040 aes_copy_block, aes_xor_block); 1041 ASSERT(aes_ctx.ac_remainder_len == 0); 1042 if ((ret == CRYPTO_SUCCESS) && 1043 (ciphertext != plaintext)) { 1044 plaintext->cd_length = 1045 plaintext->cd_offset - saved_offset; 1046 } else { 1047 plaintext->cd_length = saved_length; 1048 } 1049 } else if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE || 1050 mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE) { 1051 ret = gcm_decrypt_final((gcm_ctx_t *)&aes_ctx, 1052 plaintext, AES_BLOCK_LEN, aes_encrypt_block, 1053 aes_xor_block); 1054 ASSERT(aes_ctx.ac_remainder_len == 0); 1055 if ((ret == CRYPTO_SUCCESS) && 1056 (ciphertext != plaintext)) { 1057 plaintext->cd_length = 1058 plaintext->cd_offset - saved_offset; 1059 } else { 1060 plaintext->cd_length = saved_length; 1061 } 1062 } else if (mechanism->cm_type != AES_CTR_MECH_INFO_TYPE) { 1063 ASSERT(aes_ctx.ac_remainder_len == 0); 1064 if (ciphertext != plaintext) 1065 plaintext->cd_length = 1066 plaintext->cd_offset - saved_offset; 1067 } else { 1068 if (aes_ctx.ac_remainder_len > 0) { 1069 ret = ctr_mode_final((ctr_ctx_t *)&aes_ctx, 1070 plaintext, aes_encrypt_block); 1071 if (ret == CRYPTO_DATA_LEN_RANGE) 1072 ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE; 1073 if (ret != CRYPTO_SUCCESS) 1074 goto out; 1075 } 1076 if (ciphertext != plaintext) 1077 plaintext->cd_length = 1078 plaintext->cd_offset - saved_offset; 1079 } 1080 } else { 1081 plaintext->cd_length = saved_length; 1082 } 1083 plaintext->cd_offset = saved_offset; 1084 1085 out: 1086 if (aes_ctx.ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) { 1087 memset(aes_ctx.ac_keysched, 0, aes_ctx.ac_keysched_len); 1088 kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len); 1089 } 1090 1091 if (aes_ctx.ac_flags & CCM_MODE) { 1092 if (aes_ctx.ac_pt_buf != NULL) { 1093 vmem_free(aes_ctx.ac_pt_buf, aes_ctx.ac_data_len); 1094 } 1095 } else if (aes_ctx.ac_flags & (GCM_MODE|GMAC_MODE)) { 1096 gcm_clear_ctx((gcm_ctx_t *)&aes_ctx); 1097 } 1098 1099 return (ret); 1100 } 1101 1102 /* 1103 * KCF software provider context template entry points. 1104 */ 1105 static int 1106 aes_create_ctx_template(crypto_mechanism_t *mechanism, crypto_key_t *key, 1107 crypto_spi_ctx_template_t *tmpl, size_t *tmpl_size) 1108 { 1109 void *keysched; 1110 size_t size; 1111 int rv; 1112 1113 if (mechanism->cm_type != AES_ECB_MECH_INFO_TYPE && 1114 mechanism->cm_type != AES_CBC_MECH_INFO_TYPE && 1115 mechanism->cm_type != AES_CTR_MECH_INFO_TYPE && 1116 mechanism->cm_type != AES_CCM_MECH_INFO_TYPE && 1117 mechanism->cm_type != AES_GCM_MECH_INFO_TYPE && 1118 mechanism->cm_type != AES_GMAC_MECH_INFO_TYPE) 1119 return (CRYPTO_MECHANISM_INVALID); 1120 1121 if ((keysched = aes_alloc_keysched(&size, KM_SLEEP)) == NULL) { 1122 return (CRYPTO_HOST_MEMORY); 1123 } 1124 1125 /* 1126 * Initialize key schedule. Key length information is stored 1127 * in the key. 1128 */ 1129 if ((rv = init_keysched(key, keysched)) != CRYPTO_SUCCESS) { 1130 memset(keysched, 0, size); 1131 kmem_free(keysched, size); 1132 return (rv); 1133 } 1134 1135 *tmpl = keysched; 1136 *tmpl_size = size; 1137 1138 return (CRYPTO_SUCCESS); 1139 } 1140 1141 1142 static int 1143 aes_free_context(crypto_ctx_t *ctx) 1144 { 1145 aes_ctx_t *aes_ctx = ctx->cc_provider_private; 1146 1147 if (aes_ctx != NULL) { 1148 if (aes_ctx->ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) { 1149 ASSERT(aes_ctx->ac_keysched_len != 0); 1150 memset(aes_ctx->ac_keysched, 0, 1151 aes_ctx->ac_keysched_len); 1152 kmem_free(aes_ctx->ac_keysched, 1153 aes_ctx->ac_keysched_len); 1154 } 1155 crypto_free_mode_ctx(aes_ctx); 1156 ctx->cc_provider_private = NULL; 1157 } 1158 1159 return (CRYPTO_SUCCESS); 1160 } 1161 1162 1163 static int 1164 aes_common_init_ctx(aes_ctx_t *aes_ctx, crypto_spi_ctx_template_t *template, 1165 crypto_mechanism_t *mechanism, crypto_key_t *key, int kmflag, 1166 boolean_t is_encrypt_init) 1167 { 1168 int rv = CRYPTO_SUCCESS; 1169 void *keysched; 1170 size_t size = 0; 1171 1172 if (template == NULL) { 1173 if ((keysched = aes_alloc_keysched(&size, kmflag)) == NULL) 1174 return (CRYPTO_HOST_MEMORY); 1175 /* 1176 * Initialize key schedule. 1177 * Key length is stored in the key. 1178 */ 1179 if ((rv = init_keysched(key, keysched)) != CRYPTO_SUCCESS) { 1180 kmem_free(keysched, size); 1181 return (rv); 1182 } 1183 1184 aes_ctx->ac_flags |= PROVIDER_OWNS_KEY_SCHEDULE; 1185 aes_ctx->ac_keysched_len = size; 1186 } else { 1187 keysched = template; 1188 } 1189 aes_ctx->ac_keysched = keysched; 1190 1191 switch (mechanism->cm_type) { 1192 case AES_CBC_MECH_INFO_TYPE: 1193 rv = cbc_init_ctx((cbc_ctx_t *)aes_ctx, mechanism->cm_param, 1194 mechanism->cm_param_len, AES_BLOCK_LEN, aes_copy_block64); 1195 break; 1196 case AES_CTR_MECH_INFO_TYPE: { 1197 CK_AES_CTR_PARAMS *pp; 1198 1199 if (mechanism->cm_param == NULL || 1200 mechanism->cm_param_len != sizeof (CK_AES_CTR_PARAMS)) { 1201 return (CRYPTO_MECHANISM_PARAM_INVALID); 1202 } 1203 pp = (CK_AES_CTR_PARAMS *)(void *)mechanism->cm_param; 1204 rv = ctr_init_ctx((ctr_ctx_t *)aes_ctx, pp->ulCounterBits, 1205 pp->cb, aes_copy_block); 1206 break; 1207 } 1208 case AES_CCM_MECH_INFO_TYPE: 1209 if (mechanism->cm_param == NULL || 1210 mechanism->cm_param_len != sizeof (CK_AES_CCM_PARAMS)) { 1211 return (CRYPTO_MECHANISM_PARAM_INVALID); 1212 } 1213 rv = ccm_init_ctx((ccm_ctx_t *)aes_ctx, mechanism->cm_param, 1214 kmflag, is_encrypt_init, AES_BLOCK_LEN, aes_encrypt_block, 1215 aes_xor_block); 1216 break; 1217 case AES_GCM_MECH_INFO_TYPE: 1218 if (mechanism->cm_param == NULL || 1219 mechanism->cm_param_len != sizeof (CK_AES_GCM_PARAMS)) { 1220 return (CRYPTO_MECHANISM_PARAM_INVALID); 1221 } 1222 rv = gcm_init_ctx((gcm_ctx_t *)aes_ctx, mechanism->cm_param, 1223 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block, 1224 aes_xor_block); 1225 break; 1226 case AES_GMAC_MECH_INFO_TYPE: 1227 if (mechanism->cm_param == NULL || 1228 mechanism->cm_param_len != sizeof (CK_AES_GMAC_PARAMS)) { 1229 return (CRYPTO_MECHANISM_PARAM_INVALID); 1230 } 1231 rv = gmac_init_ctx((gcm_ctx_t *)aes_ctx, mechanism->cm_param, 1232 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block, 1233 aes_xor_block); 1234 break; 1235 case AES_ECB_MECH_INFO_TYPE: 1236 aes_ctx->ac_flags |= ECB_MODE; 1237 } 1238 1239 if (rv != CRYPTO_SUCCESS) { 1240 if (aes_ctx->ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) { 1241 memset(keysched, 0, size); 1242 kmem_free(keysched, size); 1243 } 1244 } 1245 1246 return (rv); 1247 } 1248 1249 static int 1250 process_gmac_mech(crypto_mechanism_t *mech, crypto_data_t *data, 1251 CK_AES_GCM_PARAMS *gcm_params) 1252 { 1253 /* LINTED: pointer alignment */ 1254 CK_AES_GMAC_PARAMS *params = (CK_AES_GMAC_PARAMS *)mech->cm_param; 1255 1256 if (mech->cm_type != AES_GMAC_MECH_INFO_TYPE) 1257 return (CRYPTO_MECHANISM_INVALID); 1258 1259 if (mech->cm_param_len != sizeof (CK_AES_GMAC_PARAMS)) 1260 return (CRYPTO_MECHANISM_PARAM_INVALID); 1261 1262 if (params->pIv == NULL) 1263 return (CRYPTO_MECHANISM_PARAM_INVALID); 1264 1265 gcm_params->pIv = params->pIv; 1266 gcm_params->ulIvLen = AES_GMAC_IV_LEN; 1267 gcm_params->ulTagBits = AES_GMAC_TAG_BITS; 1268 1269 if (data == NULL) 1270 return (CRYPTO_SUCCESS); 1271 1272 if (data->cd_format != CRYPTO_DATA_RAW) 1273 return (CRYPTO_ARGUMENTS_BAD); 1274 1275 gcm_params->pAAD = (uchar_t *)data->cd_raw.iov_base; 1276 gcm_params->ulAADLen = data->cd_length; 1277 return (CRYPTO_SUCCESS); 1278 } 1279 1280 static int 1281 aes_mac_atomic(crypto_mechanism_t *mechanism, 1282 crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac, 1283 crypto_spi_ctx_template_t template) 1284 { 1285 CK_AES_GCM_PARAMS gcm_params; 1286 crypto_mechanism_t gcm_mech; 1287 int rv; 1288 1289 if ((rv = process_gmac_mech(mechanism, data, &gcm_params)) 1290 != CRYPTO_SUCCESS) 1291 return (rv); 1292 1293 gcm_mech.cm_type = AES_GCM_MECH_INFO_TYPE; 1294 gcm_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS); 1295 gcm_mech.cm_param = (char *)&gcm_params; 1296 1297 return (aes_encrypt_atomic(&gcm_mech, 1298 key, &null_crypto_data, mac, template)); 1299 } 1300 1301 static int 1302 aes_mac_verify_atomic(crypto_mechanism_t *mechanism, crypto_key_t *key, 1303 crypto_data_t *data, crypto_data_t *mac, crypto_spi_ctx_template_t template) 1304 { 1305 CK_AES_GCM_PARAMS gcm_params; 1306 crypto_mechanism_t gcm_mech; 1307 int rv; 1308 1309 if ((rv = process_gmac_mech(mechanism, data, &gcm_params)) 1310 != CRYPTO_SUCCESS) 1311 return (rv); 1312 1313 gcm_mech.cm_type = AES_GCM_MECH_INFO_TYPE; 1314 gcm_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS); 1315 gcm_mech.cm_param = (char *)&gcm_params; 1316 1317 return (aes_decrypt_atomic(&gcm_mech, 1318 key, mac, &null_crypto_data, template)); 1319 } 1320