xref: /illumos-gate/usr/src/common/crypto/modes/ccm.c (revision 533affcbc7fc4d0c8132976ea454aaa715fe2307)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 
25 #ifndef _KERNEL
26 #include <strings.h>
27 #include <limits.h>
28 #include <assert.h>
29 #include <security/cryptoki.h>
30 #endif
31 
32 #include <sys/types.h>
33 #include <sys/kmem.h>
34 #include <modes/modes.h>
35 #include <sys/crypto/common.h>
36 #include <sys/crypto/impl.h>
37 #include <sys/byteorder.h>
38 
39 #if defined(__i386) || defined(__amd64)
40 #define	UNALIGNED_POINTERS_PERMITTED
41 #endif
42 
43 /*
44  * Encrypt multiple blocks of data in CCM mode.  Decrypt for CCM mode
45  * is done in another function.
46  */
47 int
48 ccm_mode_encrypt_contiguous_blocks(ccm_ctx_t *ctx, char *data, size_t length,
49     crypto_data_t *out, size_t block_size,
50     int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
51     void (*copy_block)(uint8_t *, uint8_t *),
52     void (*xor_block)(uint8_t *, uint8_t *))
53 {
54 	size_t remainder = length;
55 	size_t need;
56 	uint8_t *datap = (uint8_t *)data;
57 	uint8_t *blockp;
58 	uint8_t *lastp;
59 	void *iov_or_mp;
60 	offset_t offset;
61 	uint8_t *out_data_1;
62 	uint8_t *out_data_2;
63 	size_t out_data_1_len;
64 	uint64_t counter;
65 	uint8_t *mac_buf;
66 
67 	if (length + ctx->ccm_remainder_len < block_size) {
68 		/* accumulate bytes here and return */
69 		bcopy(datap,
70 		    (uint8_t *)ctx->ccm_remainder + ctx->ccm_remainder_len,
71 		    length);
72 		ctx->ccm_remainder_len += length;
73 		ctx->ccm_copy_to = datap;
74 		return (CRYPTO_SUCCESS);
75 	}
76 
77 	lastp = (uint8_t *)ctx->ccm_cb;
78 	if (out != NULL)
79 		crypto_init_ptrs(out, &iov_or_mp, &offset);
80 
81 	mac_buf = (uint8_t *)ctx->ccm_mac_buf;
82 
83 	do {
84 		/* Unprocessed data from last call. */
85 		if (ctx->ccm_remainder_len > 0) {
86 			need = block_size - ctx->ccm_remainder_len;
87 
88 			if (need > remainder)
89 				return (CRYPTO_DATA_LEN_RANGE);
90 
91 			bcopy(datap, &((uint8_t *)ctx->ccm_remainder)
92 			    [ctx->ccm_remainder_len], need);
93 
94 			blockp = (uint8_t *)ctx->ccm_remainder;
95 		} else {
96 			blockp = datap;
97 		}
98 
99 		/*
100 		 * do CBC MAC
101 		 *
102 		 * XOR the previous cipher block current clear block.
103 		 * mac_buf always contain previous cipher block.
104 		 */
105 		xor_block(blockp, mac_buf);
106 		encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf);
107 
108 		/* ccm_cb is the counter block */
109 		encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb,
110 		    (uint8_t *)ctx->ccm_tmp);
111 
112 		lastp = (uint8_t *)ctx->ccm_tmp;
113 
114 		/*
115 		 * Increment counter. Counter bits are confined
116 		 * to the bottom 64 bits of the counter block.
117 		 */
118 		counter = ntohll(ctx->ccm_cb[1] & ctx->ccm_counter_mask);
119 		counter = htonll(counter + 1);
120 		counter &= ctx->ccm_counter_mask;
121 		ctx->ccm_cb[1] =
122 		    (ctx->ccm_cb[1] & ~(ctx->ccm_counter_mask)) | counter;
123 
124 		/*
125 		 * XOR encrypted counter block with the current clear block.
126 		 */
127 		xor_block(blockp, lastp);
128 
129 		ctx->ccm_processed_data_len += block_size;
130 
131 		if (out == NULL) {
132 			if (ctx->ccm_remainder_len > 0) {
133 				bcopy(blockp, ctx->ccm_copy_to,
134 				    ctx->ccm_remainder_len);
135 				bcopy(blockp + ctx->ccm_remainder_len, datap,
136 				    need);
137 			}
138 		} else {
139 			crypto_get_ptrs(out, &iov_or_mp, &offset, &out_data_1,
140 			    &out_data_1_len, &out_data_2, block_size);
141 
142 			/* copy block to where it belongs */
143 			if (out_data_1_len == block_size) {
144 				copy_block(lastp, out_data_1);
145 			} else {
146 				bcopy(lastp, out_data_1, out_data_1_len);
147 				if (out_data_2 != NULL) {
148 					bcopy(lastp + out_data_1_len,
149 					    out_data_2,
150 					    block_size - out_data_1_len);
151 				}
152 			}
153 			/* update offset */
154 			out->cd_offset += block_size;
155 		}
156 
157 		/* Update pointer to next block of data to be processed. */
158 		if (ctx->ccm_remainder_len != 0) {
159 			datap += need;
160 			ctx->ccm_remainder_len = 0;
161 		} else {
162 			datap += block_size;
163 		}
164 
165 		remainder = (size_t)&data[length] - (size_t)datap;
166 
167 		/* Incomplete last block. */
168 		if (remainder > 0 && remainder < block_size) {
169 			bcopy(datap, ctx->ccm_remainder, remainder);
170 			ctx->ccm_remainder_len = remainder;
171 			ctx->ccm_copy_to = datap;
172 			goto out;
173 		}
174 		ctx->ccm_copy_to = NULL;
175 
176 	} while (remainder > 0);
177 
178 out:
179 	return (CRYPTO_SUCCESS);
180 }
181 
182 void
183 calculate_ccm_mac(ccm_ctx_t *ctx, uint8_t *ccm_mac,
184     int (*encrypt_block)(const void *, const uint8_t *, uint8_t *))
185 {
186 	uint64_t counter;
187 	uint8_t *counterp, *mac_buf;
188 	int i;
189 
190 	mac_buf = (uint8_t *)ctx->ccm_mac_buf;
191 
192 	/* first counter block start with index 0 */
193 	counter = 0;
194 	ctx->ccm_cb[1] = (ctx->ccm_cb[1] & ~(ctx->ccm_counter_mask)) | counter;
195 
196 	counterp = (uint8_t *)ctx->ccm_tmp;
197 	encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb, counterp);
198 
199 	/* calculate XOR of MAC with first counter block */
200 	for (i = 0; i < ctx->ccm_mac_len; i++) {
201 		ccm_mac[i] = mac_buf[i] ^ counterp[i];
202 	}
203 }
204 
205 /* ARGSUSED */
206 int
207 ccm_encrypt_final(ccm_ctx_t *ctx, crypto_data_t *out, size_t block_size,
208     int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
209     void (*xor_block)(uint8_t *, uint8_t *))
210 {
211 	uint8_t *lastp, *mac_buf, *ccm_mac_p, *macp;
212 	void *iov_or_mp;
213 	offset_t offset;
214 	uint8_t *out_data_1;
215 	uint8_t *out_data_2;
216 	size_t out_data_1_len;
217 	int i;
218 
219 	if (out->cd_length < (ctx->ccm_remainder_len + ctx->ccm_mac_len)) {
220 		return (CRYPTO_DATA_LEN_RANGE);
221 	}
222 
223 	/*
224 	 * When we get here, the number of bytes of payload processed
225 	 * plus whatever data remains, if any,
226 	 * should be the same as the number of bytes that's being
227 	 * passed in the argument during init time.
228 	 */
229 	if ((ctx->ccm_processed_data_len + ctx->ccm_remainder_len)
230 	    != (ctx->ccm_data_len)) {
231 		return (CRYPTO_DATA_LEN_RANGE);
232 	}
233 
234 	mac_buf = (uint8_t *)ctx->ccm_mac_buf;
235 
236 	if (ctx->ccm_remainder_len > 0) {
237 
238 		/* ccm_mac_input_buf is not used for encryption */
239 		macp = (uint8_t *)ctx->ccm_mac_input_buf;
240 		bzero(macp, block_size);
241 
242 		/* copy remainder to temporary buffer */
243 		bcopy(ctx->ccm_remainder, macp, ctx->ccm_remainder_len);
244 
245 		/* calculate the CBC MAC */
246 		xor_block(macp, mac_buf);
247 		encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf);
248 
249 		/* calculate the counter mode */
250 		lastp = (uint8_t *)ctx->ccm_tmp;
251 		encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb, lastp);
252 
253 		/* XOR with counter block */
254 		for (i = 0; i < ctx->ccm_remainder_len; i++) {
255 			macp[i] ^= lastp[i];
256 		}
257 		ctx->ccm_processed_data_len += ctx->ccm_remainder_len;
258 	}
259 
260 	/* Calculate the CCM MAC */
261 	ccm_mac_p = (uint8_t *)ctx->ccm_tmp;
262 	calculate_ccm_mac(ctx, ccm_mac_p, encrypt_block);
263 
264 	crypto_init_ptrs(out, &iov_or_mp, &offset);
265 	crypto_get_ptrs(out, &iov_or_mp, &offset, &out_data_1,
266 	    &out_data_1_len, &out_data_2,
267 	    ctx->ccm_remainder_len + ctx->ccm_mac_len);
268 
269 	if (ctx->ccm_remainder_len > 0) {
270 
271 		/* copy temporary block to where it belongs */
272 		if (out_data_2 == NULL) {
273 			/* everything will fit in out_data_1 */
274 			bcopy(macp, out_data_1, ctx->ccm_remainder_len);
275 			bcopy(ccm_mac_p, out_data_1 + ctx->ccm_remainder_len,
276 			    ctx->ccm_mac_len);
277 		} else {
278 
279 			if (out_data_1_len < ctx->ccm_remainder_len) {
280 
281 				size_t data_2_len_used;
282 
283 				bcopy(macp, out_data_1, out_data_1_len);
284 
285 				data_2_len_used = ctx->ccm_remainder_len
286 				    - out_data_1_len;
287 
288 				bcopy((uint8_t *)macp + out_data_1_len,
289 				    out_data_2, data_2_len_used);
290 				bcopy(ccm_mac_p, out_data_2 + data_2_len_used,
291 				    ctx->ccm_mac_len);
292 			} else {
293 				bcopy(macp, out_data_1, out_data_1_len);
294 				if (out_data_1_len == ctx->ccm_remainder_len) {
295 					/* mac will be in out_data_2 */
296 					bcopy(ccm_mac_p, out_data_2,
297 					    ctx->ccm_mac_len);
298 				} else {
299 					size_t len_not_used = out_data_1_len -
300 					    ctx->ccm_remainder_len;
301 					/*
302 					 * part of mac in will be in
303 					 * out_data_1, part of the mac will be
304 					 * in out_data_2
305 					 */
306 					bcopy(ccm_mac_p,
307 					    out_data_1 + ctx->ccm_remainder_len,
308 					    len_not_used);
309 					bcopy(ccm_mac_p + len_not_used,
310 					    out_data_2,
311 					    ctx->ccm_mac_len - len_not_used);
312 
313 				}
314 			}
315 		}
316 	} else {
317 		/* copy block to where it belongs */
318 		bcopy(ccm_mac_p, out_data_1, out_data_1_len);
319 		if (out_data_2 != NULL) {
320 			bcopy(ccm_mac_p + out_data_1_len, out_data_2,
321 			    block_size - out_data_1_len);
322 		}
323 	}
324 	out->cd_offset += ctx->ccm_remainder_len + ctx->ccm_mac_len;
325 	ctx->ccm_remainder_len = 0;
326 	return (CRYPTO_SUCCESS);
327 }
328 
329 /*
330  * This will only deal with decrypting the last block of the input that
331  * might not be a multiple of block length.
332  */
333 void
334 ccm_decrypt_incomplete_block(ccm_ctx_t *ctx,
335     int (*encrypt_block)(const void *, const uint8_t *, uint8_t *))
336 {
337 	uint8_t *datap, *outp, *counterp;
338 	int i;
339 
340 	datap = (uint8_t *)ctx->ccm_remainder;
341 	outp = &((ctx->ccm_pt_buf)[ctx->ccm_processed_data_len]);
342 
343 	counterp = (uint8_t *)ctx->ccm_tmp;
344 	encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb, counterp);
345 
346 	/* XOR with counter block */
347 	for (i = 0; i < ctx->ccm_remainder_len; i++) {
348 		outp[i] = datap[i] ^ counterp[i];
349 	}
350 }
351 
352 /*
353  * This will decrypt the cipher text.  However, the plaintext won't be
354  * returned to the caller.  It will be returned when decrypt_final() is
355  * called if the MAC matches
356  */
357 /* ARGSUSED */
358 int
359 ccm_mode_decrypt_contiguous_blocks(ccm_ctx_t *ctx, char *data, size_t length,
360     crypto_data_t *out, size_t block_size,
361     int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
362     void (*copy_block)(uint8_t *, uint8_t *),
363     void (*xor_block)(uint8_t *, uint8_t *))
364 {
365 	size_t remainder = length;
366 	size_t need;
367 	uint8_t *datap = (uint8_t *)data;
368 	uint8_t *blockp;
369 	uint8_t *cbp;
370 	uint64_t counter;
371 	size_t pt_len, total_decrypted_len, mac_len, pm_len, pd_len;
372 	uint8_t *resultp;
373 
374 
375 	pm_len = ctx->ccm_processed_mac_len;
376 
377 	if (pm_len > 0) {
378 		uint8_t *tmp;
379 		/*
380 		 * all ciphertext has been processed, just waiting for
381 		 * part of the value of the mac
382 		 */
383 		if ((pm_len + length) > ctx->ccm_mac_len) {
384 			return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
385 		}
386 		tmp = (uint8_t *)ctx->ccm_mac_input_buf;
387 
388 		bcopy(datap, tmp + pm_len, length);
389 
390 		ctx->ccm_processed_mac_len += length;
391 		return (CRYPTO_SUCCESS);
392 	}
393 
394 	/*
395 	 * If we decrypt the given data, what total amount of data would
396 	 * have been decrypted?
397 	 */
398 	pd_len = ctx->ccm_processed_data_len;
399 	total_decrypted_len = pd_len + length + ctx->ccm_remainder_len;
400 
401 	if (total_decrypted_len >
402 	    (ctx->ccm_data_len + ctx->ccm_mac_len)) {
403 		return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
404 	}
405 
406 	pt_len = ctx->ccm_data_len;
407 
408 	if (total_decrypted_len > pt_len) {
409 		/*
410 		 * part of the input will be the MAC, need to isolate that
411 		 * to be dealt with later.  The left-over data in
412 		 * ccm_remainder_len from last time will not be part of the
413 		 * MAC.  Otherwise, it would have already been taken out
414 		 * when this call is made last time.
415 		 */
416 		size_t pt_part = pt_len - pd_len - ctx->ccm_remainder_len;
417 
418 		mac_len = length - pt_part;
419 
420 		ctx->ccm_processed_mac_len = mac_len;
421 		bcopy(data + pt_part, ctx->ccm_mac_input_buf, mac_len);
422 
423 		if (pt_part + ctx->ccm_remainder_len < block_size) {
424 			/*
425 			 * since this is last of the ciphertext, will
426 			 * just decrypt with it here
427 			 */
428 			bcopy(datap, &((uint8_t *)ctx->ccm_remainder)
429 			    [ctx->ccm_remainder_len], pt_part);
430 			ctx->ccm_remainder_len += pt_part;
431 			ccm_decrypt_incomplete_block(ctx, encrypt_block);
432 			ctx->ccm_processed_data_len += ctx->ccm_remainder_len;
433 			ctx->ccm_remainder_len = 0;
434 			return (CRYPTO_SUCCESS);
435 		} else {
436 			/* let rest of the code handle this */
437 			length = pt_part;
438 		}
439 	} else if (length + ctx->ccm_remainder_len < block_size) {
440 			/* accumulate bytes here and return */
441 		bcopy(datap,
442 		    (uint8_t *)ctx->ccm_remainder + ctx->ccm_remainder_len,
443 		    length);
444 		ctx->ccm_remainder_len += length;
445 		ctx->ccm_copy_to = datap;
446 		return (CRYPTO_SUCCESS);
447 	}
448 
449 	do {
450 		/* Unprocessed data from last call. */
451 		if (ctx->ccm_remainder_len > 0) {
452 			need = block_size - ctx->ccm_remainder_len;
453 
454 			if (need > remainder)
455 				return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
456 
457 			bcopy(datap, &((uint8_t *)ctx->ccm_remainder)
458 			    [ctx->ccm_remainder_len], need);
459 
460 			blockp = (uint8_t *)ctx->ccm_remainder;
461 		} else {
462 			blockp = datap;
463 		}
464 
465 		/* Calculate the counter mode, ccm_cb is the counter block */
466 		cbp = (uint8_t *)ctx->ccm_tmp;
467 		encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb, cbp);
468 
469 		/*
470 		 * Increment counter.
471 		 * Counter bits are confined to the bottom 64 bits
472 		 */
473 		counter = ntohll(ctx->ccm_cb[1] & ctx->ccm_counter_mask);
474 		counter = htonll(counter + 1);
475 		counter &= ctx->ccm_counter_mask;
476 		ctx->ccm_cb[1] =
477 		    (ctx->ccm_cb[1] & ~(ctx->ccm_counter_mask)) | counter;
478 
479 		/* XOR with the ciphertext */
480 		xor_block(blockp, cbp);
481 
482 		/* Copy the plaintext to the "holding buffer" */
483 		resultp = (uint8_t *)ctx->ccm_pt_buf +
484 		    ctx->ccm_processed_data_len;
485 		copy_block(cbp, resultp);
486 
487 		ctx->ccm_processed_data_len += block_size;
488 
489 		ctx->ccm_lastp = blockp;
490 
491 		/* Update pointer to next block of data to be processed. */
492 		if (ctx->ccm_remainder_len != 0) {
493 			datap += need;
494 			ctx->ccm_remainder_len = 0;
495 		} else {
496 			datap += block_size;
497 		}
498 
499 		remainder = (size_t)&data[length] - (size_t)datap;
500 
501 		/* Incomplete last block */
502 		if (remainder > 0 && remainder < block_size) {
503 			bcopy(datap, ctx->ccm_remainder, remainder);
504 			ctx->ccm_remainder_len = remainder;
505 			ctx->ccm_copy_to = datap;
506 			if (ctx->ccm_processed_mac_len > 0) {
507 				/*
508 				 * not expecting anymore ciphertext, just
509 				 * compute plaintext for the remaining input
510 				 */
511 				ccm_decrypt_incomplete_block(ctx,
512 				    encrypt_block);
513 				ctx->ccm_processed_data_len += remainder;
514 				ctx->ccm_remainder_len = 0;
515 			}
516 			goto out;
517 		}
518 		ctx->ccm_copy_to = NULL;
519 
520 	} while (remainder > 0);
521 
522 out:
523 	return (CRYPTO_SUCCESS);
524 }
525 
526 int
527 ccm_decrypt_final(ccm_ctx_t *ctx, crypto_data_t *out, size_t block_size,
528     int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
529     void (*copy_block)(uint8_t *, uint8_t *),
530     void (*xor_block)(uint8_t *, uint8_t *))
531 {
532 	size_t mac_remain, pt_len;
533 	uint8_t *pt, *mac_buf, *macp, *ccm_mac_p;
534 	int rv;
535 
536 	pt_len = ctx->ccm_data_len;
537 
538 	/* Make sure output buffer can fit all of the plaintext */
539 	if (out->cd_length < pt_len) {
540 		return (CRYPTO_DATA_LEN_RANGE);
541 	}
542 
543 	pt = ctx->ccm_pt_buf;
544 	mac_remain = ctx->ccm_processed_data_len;
545 	mac_buf = (uint8_t *)ctx->ccm_mac_buf;
546 
547 	macp = (uint8_t *)ctx->ccm_tmp;
548 
549 	while (mac_remain > 0) {
550 
551 		if (mac_remain < block_size) {
552 			bzero(macp, block_size);
553 			bcopy(pt, macp, mac_remain);
554 			mac_remain = 0;
555 		} else {
556 			copy_block(pt, macp);
557 			mac_remain -= block_size;
558 			pt += block_size;
559 		}
560 
561 		/* calculate the CBC MAC */
562 		xor_block(macp, mac_buf);
563 		encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf);
564 	}
565 
566 	/* Calculate the CCM MAC */
567 	ccm_mac_p = (uint8_t *)ctx->ccm_tmp;
568 	calculate_ccm_mac((ccm_ctx_t *)ctx, ccm_mac_p, encrypt_block);
569 
570 	/* compare the input CCM MAC value with what we calculated */
571 	if (bcmp(ctx->ccm_mac_input_buf, ccm_mac_p, ctx->ccm_mac_len)) {
572 		/* They don't match */
573 		return (CRYPTO_INVALID_MAC);
574 	} else {
575 		rv = crypto_put_output_data(ctx->ccm_pt_buf, out, pt_len);
576 		if (rv != CRYPTO_SUCCESS)
577 			return (rv);
578 		out->cd_offset += pt_len;
579 	}
580 	return (CRYPTO_SUCCESS);
581 }
582 
583 int
584 ccm_validate_args(CK_AES_CCM_PARAMS *ccm_param, boolean_t is_encrypt_init)
585 {
586 	size_t macSize, nonceSize;
587 	uint8_t q;
588 	uint64_t maxValue;
589 
590 	/*
591 	 * Check the length of the MAC.  The only valid
592 	 * lengths for the MAC are: 4, 6, 8, 10, 12, 14, 16
593 	 */
594 	macSize = ccm_param->ulMACSize;
595 	if ((macSize < 4) || (macSize > 16) || ((macSize % 2) != 0)) {
596 		return (CRYPTO_MECHANISM_PARAM_INVALID);
597 	}
598 
599 	/* Check the nonce length.  Valid values are 7, 8, 9, 10, 11, 12, 13 */
600 	nonceSize = ccm_param->ulNonceSize;
601 	if ((nonceSize < 7) || (nonceSize > 13)) {
602 		return (CRYPTO_MECHANISM_PARAM_INVALID);
603 	}
604 
605 	/* q is the length of the field storing the length, in bytes */
606 	q = (uint8_t)((15 - nonceSize) & 0xFF);
607 
608 
609 	/*
610 	 * If it is decrypt, need to make sure size of ciphertext is at least
611 	 * bigger than MAC len
612 	 */
613 	if ((!is_encrypt_init) && (ccm_param->ulDataSize < macSize)) {
614 		return (CRYPTO_MECHANISM_PARAM_INVALID);
615 	}
616 
617 	/*
618 	 * Check to make sure the length of the payload is within the
619 	 * range of values allowed by q
620 	 */
621 	if (q < 8) {
622 		maxValue = (1ULL << (q * 8)) - 1;
623 	} else {
624 		maxValue = ULONG_MAX;
625 	}
626 
627 	if (ccm_param->ulDataSize > maxValue) {
628 		return (CRYPTO_MECHANISM_PARAM_INVALID);
629 	}
630 	return (CRYPTO_SUCCESS);
631 }
632 
633 /*
634  * Format the first block used in CBC-MAC (B0) and the initial counter
635  * block based on formatting functions and counter generation functions
636  * specified in RFC 3610 and NIST publication 800-38C, appendix A
637  *
638  * b0 is the first block used in CBC-MAC
639  * cb0 is the first counter block
640  *
641  * It's assumed that the arguments b0 and cb0 are preallocated AES blocks
642  *
643  */
644 static void
645 ccm_format_initial_blocks(uchar_t *nonce, ulong_t nonceSize,
646     ulong_t authDataSize, uint8_t *b0, ccm_ctx_t *aes_ctx)
647 {
648 	uint64_t payloadSize;
649 	uint8_t t, q, have_adata = 0;
650 	size_t limit;
651 	int i, j, k;
652 	uint64_t mask = 0;
653 	uint8_t *cb;
654 
655 	q = (uint8_t)((15 - nonceSize) & 0xFF);
656 	t = (uint8_t)((aes_ctx->ccm_mac_len) & 0xFF);
657 
658 	/* Construct the first octet of b0 */
659 	if (authDataSize > 0) {
660 		have_adata = 1;
661 	}
662 	b0[0] = (have_adata << 6) | (((t - 2)  / 2) << 3) | (q - 1);
663 
664 	/* copy the nonce value into b0 */
665 	bcopy(nonce, &(b0[1]), nonceSize);
666 
667 	/* store the length of the payload into b0 */
668 	bzero(&(b0[1+nonceSize]), q);
669 
670 	payloadSize = aes_ctx->ccm_data_len;
671 	limit = 8 < q ? 8 : q;
672 
673 	for (i = 0, j = 0, k = 15; i < limit; i++, j += 8, k--) {
674 		b0[k] = (uint8_t)((payloadSize >> j) & 0xFF);
675 	}
676 
677 	/* format the counter block */
678 
679 	cb = (uint8_t *)aes_ctx->ccm_cb;
680 
681 	cb[0] = 0x07 & (q-1); /* first byte */
682 
683 	/* copy the nonce value into the counter block */
684 	bcopy(nonce, &(cb[1]), nonceSize);
685 
686 	bzero(&(cb[1+nonceSize]), q);
687 
688 	/* Create the mask for the counter field based on the size of nonce */
689 	q <<= 3;
690 	while (q-- > 0) {
691 		mask |= (1ULL << q);
692 	}
693 
694 	aes_ctx->ccm_counter_mask = htonll(mask);
695 
696 	/*
697 	 * During calculation, we start using counter block 1, we will
698 	 * set it up right here.
699 	 * We can just set the last byte to have the value 1, because
700 	 * even with the biggest nonce of 13, the last byte of the
701 	 * counter block will be used for the counter value.
702 	 */
703 	cb[15] = 0x01;
704 }
705 
706 /*
707  * Encode the length of the associated data as
708  * specified in RFC 3610 and NIST publication 800-38C, appendix A
709  */
710 static void
711 encode_adata_len(ulong_t auth_data_len, uint8_t *encoded, size_t *encoded_len)
712 {
713 #ifdef UNALIGNED_POINTERS_PERMITTED
714 	uint32_t	*lencoded_ptr;
715 #ifdef _LP64
716 	uint64_t	*llencoded_ptr;
717 #endif
718 #endif	/* UNALIGNED_POINTERS_PERMITTED */
719 
720 	if (auth_data_len < ((1ULL<<16) - (1ULL<<8))) {
721 		/* 0 < a < (2^16-2^8) */
722 		*encoded_len = 2;
723 		encoded[0] = (auth_data_len & 0xff00) >> 8;
724 		encoded[1] = auth_data_len & 0xff;
725 
726 	} else if ((auth_data_len >= ((1ULL<<16) - (1ULL<<8))) &&
727 	    (auth_data_len < (1ULL << 31))) {
728 		/* (2^16-2^8) <= a < 2^32 */
729 		*encoded_len = 6;
730 		encoded[0] = 0xff;
731 		encoded[1] = 0xfe;
732 #ifdef UNALIGNED_POINTERS_PERMITTED
733 		lencoded_ptr = (uint32_t *)(void *)&encoded[2];
734 		*lencoded_ptr = htonl(auth_data_len);
735 #else
736 		encoded[2] = (auth_data_len & 0xff000000) >> 24;
737 		encoded[3] = (auth_data_len & 0xff0000) >> 16;
738 		encoded[4] = (auth_data_len & 0xff00) >> 8;
739 		encoded[5] = auth_data_len & 0xff;
740 #endif	/* UNALIGNED_POINTERS_PERMITTED */
741 
742 #ifdef _LP64
743 	} else {
744 		/* 2^32 <= a < 2^64 */
745 		*encoded_len = 10;
746 		encoded[0] = 0xff;
747 		encoded[1] = 0xff;
748 #ifdef UNALIGNED_POINTERS_PERMITTED
749 		llencoded_ptr = (uint64_t *)(void *)&encoded[2];
750 		*llencoded_ptr = htonl(auth_data_len);
751 #else
752 		encoded[2] = (auth_data_len & 0xff00000000000000) >> 56;
753 		encoded[3] = (auth_data_len & 0xff000000000000) >> 48;
754 		encoded[4] = (auth_data_len & 0xff0000000000) >> 40;
755 		encoded[5] = (auth_data_len & 0xff00000000) >> 32;
756 		encoded[6] = (auth_data_len & 0xff000000) >> 24;
757 		encoded[7] = (auth_data_len & 0xff0000) >> 16;
758 		encoded[8] = (auth_data_len & 0xff00) >> 8;
759 		encoded[9] = auth_data_len & 0xff;
760 #endif	/* UNALIGNED_POINTERS_PERMITTED */
761 #endif	/* _LP64 */
762 	}
763 }
764 
765 /*
766  * The following function should be call at encrypt or decrypt init time
767  * for AES CCM mode.
768  */
769 int
770 ccm_init(ccm_ctx_t *ctx, unsigned char *nonce, size_t nonce_len,
771     unsigned char *auth_data, size_t auth_data_len, size_t block_size,
772     int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
773     void (*xor_block)(uint8_t *, uint8_t *))
774 {
775 	uint8_t *mac_buf, *datap, *ivp, *authp;
776 	size_t remainder, processed;
777 	uint8_t encoded_a[10]; /* max encoded auth data length is 10 octets */
778 	size_t encoded_a_len = 0;
779 
780 	mac_buf = (uint8_t *)&(ctx->ccm_mac_buf);
781 
782 	/*
783 	 * Format the 1st block for CBC-MAC and construct the
784 	 * 1st counter block.
785 	 *
786 	 * aes_ctx->ccm_iv is used for storing the counter block
787 	 * mac_buf will store b0 at this time.
788 	 */
789 	ccm_format_initial_blocks(nonce, nonce_len,
790 	    auth_data_len, mac_buf, ctx);
791 
792 	/* The IV for CBC MAC for AES CCM mode is always zero */
793 	ivp = (uint8_t *)ctx->ccm_tmp;
794 	bzero(ivp, block_size);
795 
796 	xor_block(ivp, mac_buf);
797 
798 	/* encrypt the nonce */
799 	encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf);
800 
801 	/* take care of the associated data, if any */
802 	if (auth_data_len == 0) {
803 		return (CRYPTO_SUCCESS);
804 	}
805 
806 	encode_adata_len(auth_data_len, encoded_a, &encoded_a_len);
807 
808 	remainder = auth_data_len;
809 
810 	/* 1st block: it contains encoded associated data, and some data */
811 	authp = (uint8_t *)ctx->ccm_tmp;
812 	bzero(authp, block_size);
813 	bcopy(encoded_a, authp, encoded_a_len);
814 	processed = block_size - encoded_a_len;
815 	if (processed > auth_data_len) {
816 		/* in case auth_data is very small */
817 		processed = auth_data_len;
818 	}
819 	bcopy(auth_data, authp+encoded_a_len, processed);
820 	/* xor with previous buffer */
821 	xor_block(authp, mac_buf);
822 	encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf);
823 	remainder -= processed;
824 	if (remainder == 0) {
825 		/* a small amount of associated data, it's all done now */
826 		return (CRYPTO_SUCCESS);
827 	}
828 
829 	do {
830 		if (remainder < block_size) {
831 			/*
832 			 * There's not a block full of data, pad rest of
833 			 * buffer with zero
834 			 */
835 			bzero(authp, block_size);
836 			bcopy(&(auth_data[processed]), authp, remainder);
837 			datap = (uint8_t *)authp;
838 			remainder = 0;
839 		} else {
840 			datap = (uint8_t *)(&(auth_data[processed]));
841 			processed += block_size;
842 			remainder -= block_size;
843 		}
844 
845 		xor_block(datap, mac_buf);
846 		encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf);
847 
848 	} while (remainder > 0);
849 
850 	return (CRYPTO_SUCCESS);
851 }
852 
853 int
854 ccm_init_ctx(ccm_ctx_t *ccm_ctx, char *param, int kmflag,
855     boolean_t is_encrypt_init, size_t block_size,
856     int (*encrypt_block)(const void *, const uint8_t *, uint8_t *),
857     void (*xor_block)(uint8_t *, uint8_t *))
858 {
859 	int rv;
860 	CK_AES_CCM_PARAMS *ccm_param;
861 
862 	if (param != NULL) {
863 		ccm_param = (CK_AES_CCM_PARAMS *)(void *)param;
864 
865 		if ((rv = ccm_validate_args(ccm_param,
866 		    is_encrypt_init)) != 0) {
867 			return (rv);
868 		}
869 
870 		ccm_ctx->ccm_mac_len = ccm_param->ulMACSize;
871 		if (is_encrypt_init) {
872 			ccm_ctx->ccm_data_len = ccm_param->ulDataSize;
873 		} else {
874 			ccm_ctx->ccm_data_len =
875 			    ccm_param->ulDataSize - ccm_ctx->ccm_mac_len;
876 			ccm_ctx->ccm_processed_mac_len = 0;
877 		}
878 		ccm_ctx->ccm_processed_data_len = 0;
879 
880 		ccm_ctx->ccm_flags |= CCM_MODE;
881 	} else {
882 		rv = CRYPTO_MECHANISM_PARAM_INVALID;
883 		goto out;
884 	}
885 
886 	if (ccm_init(ccm_ctx, ccm_param->nonce, ccm_param->ulNonceSize,
887 	    ccm_param->authData, ccm_param->ulAuthDataSize, block_size,
888 	    encrypt_block, xor_block) != 0) {
889 		rv = CRYPTO_MECHANISM_PARAM_INVALID;
890 		goto out;
891 	}
892 	if (!is_encrypt_init && ccm_ctx->ccm_data_len != 0) {
893 		/* allocate buffer for storing decrypted plaintext */
894 #ifdef _KERNEL
895 		ccm_ctx->ccm_pt_buf = kmem_alloc(ccm_ctx->ccm_data_len,
896 		    kmflag);
897 #else
898 		ccm_ctx->ccm_pt_buf = malloc(ccm_ctx->ccm_data_len);
899 #endif
900 		if (ccm_ctx->ccm_pt_buf == NULL) {
901 			rv = CRYPTO_HOST_MEMORY;
902 		}
903 	}
904 out:
905 	return (rv);
906 }
907 
908 void *
909 ccm_alloc_ctx(int kmflag)
910 {
911 	ccm_ctx_t *ccm_ctx;
912 
913 #ifdef _KERNEL
914 	if ((ccm_ctx = kmem_zalloc(sizeof (ccm_ctx_t), kmflag)) == NULL)
915 #else
916 	if ((ccm_ctx = calloc(1, sizeof (ccm_ctx_t))) == NULL)
917 #endif
918 		return (NULL);
919 
920 	ccm_ctx->ccm_flags = CCM_MODE;
921 	return (ccm_ctx);
922 }
923