1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. 24 * Copyright 2014 Nexenta Systems, Inc. All rights reserved. 25 * Copyright 2019 Joyent, Inc. 26 * Copyright 2017 Jason King. 27 * Copyright 2025 RackTop Systems, Inc. 28 */ 29 30 #include <pthread.h> 31 #include <stdlib.h> 32 #include <string.h> 33 #include <strings.h> 34 #include <sys/debug.h> 35 #include <sys/types.h> 36 #include <security/cryptoki.h> 37 #include <aes_impl.h> 38 #include <cryptoutil.h> 39 #include "softSession.h" 40 #include "softObject.h" 41 #include "softCrypt.h" 42 #include "softOps.h" 43 44 /* 45 * Check that the mechanism parameter is present and the correct size if 46 * required and allocate an AES context. 47 */ 48 static CK_RV 49 soft_aes_check_mech_param(CK_MECHANISM_PTR mech, aes_ctx_t **ctxp) 50 { 51 void *(*allocf)(int) = NULL; 52 size_t param_len = 0; 53 boolean_t param_req = B_TRUE; 54 55 switch (mech->mechanism) { 56 case CKM_AES_ECB: 57 param_req = B_FALSE; 58 allocf = ecb_alloc_ctx; 59 break; 60 case CKM_AES_CMAC: 61 param_req = B_FALSE; 62 allocf = cmac_alloc_ctx; 63 break; 64 case CKM_AES_CMAC_GENERAL: 65 param_len = sizeof (CK_MAC_GENERAL_PARAMS); 66 allocf = cmac_alloc_ctx; 67 break; 68 case CKM_AES_CBC: 69 case CKM_AES_CBC_PAD: 70 param_len = AES_BLOCK_LEN; 71 allocf = cbc_alloc_ctx; 72 break; 73 case CKM_AES_CTR: 74 param_len = sizeof (CK_AES_CTR_PARAMS); 75 allocf = ctr_alloc_ctx; 76 break; 77 case CKM_AES_CCM: 78 param_len = sizeof (CK_CCM_PARAMS); 79 allocf = ccm_alloc_ctx; 80 break; 81 case CKM_AES_GCM: 82 param_len = sizeof (CK_GCM_PARAMS); 83 allocf = gcm_alloc_ctx; 84 break; 85 default: 86 return (CKR_MECHANISM_INVALID); 87 } 88 89 if (param_req && (mech->pParameter == NULL || 90 mech->ulParameterLen != param_len)) { 91 return (CKR_MECHANISM_PARAM_INVALID); 92 } 93 94 *ctxp = allocf(0); 95 if (*ctxp == NULL) { 96 return (CKR_HOST_MEMORY); 97 } 98 99 return (CKR_OK); 100 } 101 102 /* 103 * Create an AES key schedule for the given AES context from the given key. 104 * If the key is not sensitive, cache a copy of the key schedule in the 105 * key object and/or use the cached copy of the key schedule. 106 * 107 * Must be called before the init function for a given mode is called. 108 */ 109 static CK_RV 110 soft_aes_init_key(aes_ctx_t *aes_ctx, soft_object_t *key_p) 111 { 112 void *ks = NULL; 113 size_t size = 0; 114 CK_RV rv = CKR_OK; 115 116 (void) pthread_mutex_lock(&key_p->object_mutex); 117 118 /* 119 * AES keys should be either 128, 192, or 256 bits long. 120 * soft_object_t stores the key size in bytes, so we check those sizes 121 * in bytes. 122 * 123 * While soft_build_secret_key_object() does these same validations for 124 * keys created by the user, it may be possible that a key loaded from 125 * disk could be invalid or corrupt. We err on the side of caution 126 * and check again that it's the correct size before performing any 127 * AES operations. 128 */ 129 switch (OBJ_SEC_VALUE_LEN(key_p)) { 130 case AES_MIN_KEY_BYTES: 131 case AES_MAX_KEY_BYTES: 132 case AES_192_KEY_BYTES: 133 break; 134 default: 135 rv = CKR_KEY_SIZE_RANGE; 136 goto done; 137 } 138 139 ks = aes_alloc_keysched(&size, 0); 140 if (ks == NULL) { 141 rv = CKR_HOST_MEMORY; 142 goto done; 143 } 144 145 /* If this is a sensitive key, always expand the key schedule */ 146 if (key_p->bool_attr_mask & SENSITIVE_BOOL_ON) { 147 /* aes_init_keysched() requires key length in bits. */ 148 #ifdef __sparcv9 149 /* LINTED */ 150 aes_init_keysched(OBJ_SEC_VALUE(key_p), (uint_t) 151 (OBJ_SEC_VALUE_LEN(key_p) * NBBY), ks); 152 #else /* !__sparcv9 */ 153 aes_init_keysched(OBJ_SEC_VALUE(key_p), 154 (OBJ_SEC_VALUE_LEN(key_p) * NBBY), ks); 155 #endif /* __sparcv9 */ 156 157 goto done; 158 } 159 160 /* If a non-sensitive key and doesn't have a key schedule, create it */ 161 if (OBJ_KEY_SCHED(key_p) == NULL) { 162 void *obj_ks = NULL; 163 164 obj_ks = aes_alloc_keysched(&size, 0); 165 if (obj_ks == NULL) { 166 rv = CKR_HOST_MEMORY; 167 goto done; 168 } 169 170 #ifdef __sparcv9 171 /* LINTED */ 172 aes_init_keysched(OBJ_SEC_VALUE(key_p), 173 (uint_t)(OBJ_SEC_VALUE_LEN(key_p) * 8), obj_ks); 174 #else /* !__sparcv9 */ 175 aes_init_keysched(OBJ_SEC_VALUE(key_p), 176 (OBJ_SEC_VALUE_LEN(key_p) * 8), obj_ks); 177 #endif /* __sparcv9 */ 178 179 OBJ_KEY_SCHED_LEN(key_p) = size; 180 OBJ_KEY_SCHED(key_p) = obj_ks; 181 } 182 183 (void) memcpy(ks, OBJ_KEY_SCHED(key_p), OBJ_KEY_SCHED_LEN(key_p)); 184 185 done: 186 (void) pthread_mutex_unlock(&key_p->object_mutex); 187 188 if (rv == CKR_OK) { 189 aes_ctx->ac_keysched = ks; 190 aes_ctx->ac_keysched_len = size; 191 } else { 192 freezero(ks, size); 193 } 194 195 return (rv); 196 } 197 198 /* 199 * Initialize the AES context for the given mode, including allocating and 200 * expanding the key schedule if required. 201 */ 202 static CK_RV 203 soft_aes_init_ctx(aes_ctx_t *aes_ctx, CK_MECHANISM_PTR mech_p, 204 boolean_t encrypt) 205 { 206 int rc = CRYPTO_SUCCESS; 207 208 switch (mech_p->mechanism) { 209 case CKM_AES_ECB: 210 aes_ctx->ac_flags |= ECB_MODE; 211 break; 212 case CKM_AES_CMAC: 213 case CKM_AES_CMAC_GENERAL: 214 rc = cmac_init_ctx((cbc_ctx_t *)aes_ctx, AES_BLOCK_LEN); 215 break; 216 case CKM_AES_CBC: 217 case CKM_AES_CBC_PAD: 218 rc = cbc_init_ctx((cbc_ctx_t *)aes_ctx, mech_p->pParameter, 219 mech_p->ulParameterLen, AES_BLOCK_LEN, aes_copy_block64); 220 break; 221 case CKM_AES_CTR: 222 { 223 /* 224 * soft_aes_check_param() verifies this is !NULL and is the 225 * correct size. 226 */ 227 CK_AES_CTR_PARAMS *pp = (CK_AES_CTR_PARAMS *)mech_p->pParameter; 228 229 rc = ctr_init_ctx((ctr_ctx_t *)aes_ctx, pp->ulCounterBits, 230 pp->cb, aes_encrypt_block, aes_copy_block); 231 break; 232 } 233 case CKM_AES_CCM: { 234 CK_CCM_PARAMS *pp = (CK_CCM_PARAMS *)mech_p->pParameter; 235 236 /* 237 * The illumos ccm mode implementation predates the PKCS#11 238 * version that specifies CK_CCM_PARAMS. As a result, the order 239 * and names of the struct members are different, so we must 240 * translate. ccm_init_ctx() does not store a ref ccm_params, 241 * so it is safe to allocate on the stack. 242 */ 243 CK_AES_CCM_PARAMS ccm_params = { 244 .ulMACSize = pp->ulMACLen, 245 .ulNonceSize = pp->ulNonceLen, 246 .ulAuthDataSize = pp->ulAADLen, 247 .ulDataSize = pp->ulDataLen, 248 .nonce = pp->pNonce, 249 .authData = pp->pAAD 250 }; 251 252 rc = ccm_init_ctx((ccm_ctx_t *)aes_ctx, (char *)&ccm_params, 0, 253 encrypt, AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block); 254 break; 255 } 256 case CKM_AES_GCM: 257 /* 258 * Similar to the ccm mode implementation, the gcm mode also 259 * predates PKCS#11 2.40, however in this instance 260 * CK_AES_GCM_PARAMS and CK_GCM_PARAMS are identical except 261 * for the member names, so we can just pass it along. 262 */ 263 rc = gcm_init_ctx((gcm_ctx_t *)aes_ctx, mech_p->pParameter, 264 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block, 265 aes_xor_block); 266 break; 267 } 268 269 return (crypto2pkcs11_error_number(rc)); 270 } 271 272 /* 273 * Allocate context for the active encryption or decryption operation, and 274 * generate AES key schedule to speed up the operation. 275 */ 276 CK_RV 277 soft_aes_crypt_init_common(soft_session_t *session_p, 278 CK_MECHANISM_PTR pMechanism, soft_object_t *key_p, 279 boolean_t encrypt) 280 { 281 aes_ctx_t *aes_ctx = NULL; 282 CK_RV rv = CKR_OK; 283 284 if (key_p->key_type != CKK_AES) 285 return (CKR_KEY_TYPE_INCONSISTENT); 286 287 /* C_{Encrypt,Decrypt}Init() validate pMechanism != NULL */ 288 rv = soft_aes_check_mech_param(pMechanism, &aes_ctx); 289 if (rv != CKR_OK) { 290 goto done; 291 } 292 293 rv = soft_aes_init_key(aes_ctx, key_p); 294 if (rv != CKR_OK) { 295 goto done; 296 } 297 298 rv = soft_aes_init_ctx(aes_ctx, pMechanism, encrypt); 299 if (rv != CKR_OK) { 300 goto done; 301 } 302 303 (void) pthread_mutex_lock(&session_p->session_mutex); 304 if (encrypt) { 305 /* Called by C_EncryptInit. */ 306 session_p->encrypt.context = aes_ctx; 307 session_p->encrypt.mech.mechanism = pMechanism->mechanism; 308 } else { 309 /* Called by C_DecryptInit. */ 310 session_p->decrypt.context = aes_ctx; 311 session_p->decrypt.mech.mechanism = pMechanism->mechanism; 312 } 313 (void) pthread_mutex_unlock(&session_p->session_mutex); 314 315 done: 316 if (rv != CKR_OK) { 317 soft_aes_free_ctx(aes_ctx); 318 } 319 320 return (rv); 321 } 322 323 324 CK_RV 325 soft_aes_encrypt(soft_session_t *session_p, CK_BYTE_PTR pData, 326 CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData, 327 CK_ULONG_PTR pulEncryptedDataLen) 328 { 329 aes_ctx_t *aes_ctx = session_p->encrypt.context; 330 CK_MECHANISM_TYPE mech = session_p->encrypt.mech.mechanism; 331 size_t length_needed; 332 size_t remainder; 333 int rc = CRYPTO_SUCCESS; 334 CK_RV rv = CKR_OK; 335 crypto_data_t out = { 336 .cd_format = CRYPTO_DATA_RAW, 337 .cd_offset = 0, 338 .cd_length = *pulEncryptedDataLen, 339 .cd_raw.iov_base = (char *)pEncryptedData, 340 .cd_raw.iov_len = *pulEncryptedDataLen 341 }; 342 343 /* 344 * A bit unusual, but it's permissible for ccm and gcm modes to not 345 * encrypt any data. This ends up being equivalent to CKM_AES_CMAC 346 * or CKM_AES_GMAC of the additional authenticated data (AAD). 347 */ 348 if ((pData == NULL || ulDataLen == 0) && 349 !(aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|CMAC_MODE))) { 350 return (CKR_ARGUMENTS_BAD); 351 } 352 353 remainder = ulDataLen % AES_BLOCK_LEN; 354 355 /* 356 * CTR, CCM, CMAC, and GCM modes do not require the plaintext 357 * to be a multiple of the AES block size. CKM_AES_CBC_PAD as the 358 * name suggests pads it's output, so it can also accept any 359 * size plaintext. 360 */ 361 switch (mech) { 362 case CKM_AES_CBC_PAD: 363 case CKM_AES_CMAC: 364 case CKM_AES_CMAC_GENERAL: 365 case CKM_AES_CTR: 366 case CKM_AES_CCM: 367 case CKM_AES_GCM: 368 break; 369 default: 370 if (remainder != 0) { 371 rv = CKR_DATA_LEN_RANGE; 372 goto cleanup; 373 } 374 } 375 376 switch (mech) { 377 case CKM_AES_CCM: 378 length_needed = ulDataLen + aes_ctx->ac_mac_len; 379 break; 380 case CKM_AES_GCM: 381 length_needed = ulDataLen + aes_ctx->ac_tag_len; 382 break; 383 case CKM_AES_CMAC: 384 case CKM_AES_CMAC_GENERAL: 385 length_needed = AES_BLOCK_LEN; 386 break; 387 case CKM_AES_CBC_PAD: 388 /* CKM_AES_CBC_PAD always adds 1..AES_BLOCK_LEN of padding */ 389 length_needed = ulDataLen + AES_BLOCK_LEN - remainder; 390 break; 391 default: 392 length_needed = ulDataLen; 393 break; 394 } 395 396 if (pEncryptedData == NULL) { 397 /* 398 * The application can ask for the size of the output buffer 399 * with a NULL output buffer (pEncryptedData). 400 * C_Encrypt() guarantees pulEncryptedDataLen != NULL. 401 */ 402 *pulEncryptedDataLen = length_needed; 403 return (CKR_OK); 404 } 405 406 if (*pulEncryptedDataLen < length_needed) { 407 *pulEncryptedDataLen = length_needed; 408 return (CKR_BUFFER_TOO_SMALL); 409 } 410 411 if (ulDataLen > 0) { 412 rv = soft_aes_encrypt_update(session_p, pData, ulDataLen, 413 pEncryptedData, pulEncryptedDataLen); 414 415 if (rv != CKR_OK) { 416 rv = CKR_FUNCTION_FAILED; 417 goto cleanup; 418 } 419 420 /* 421 * Some modes (e.g. CCM and GCM) will append data such as a MAC 422 * to the ciphertext after the plaintext has been encrypted. 423 * Update out to reflect the amount of data in pEncryptedData 424 * after encryption. 425 */ 426 out.cd_offset = *pulEncryptedDataLen; 427 } 428 429 switch (mech) { 430 case CKM_AES_CBC_PAD: { 431 /* 432 * aes_encrypt_contiguous_blocks() accumulates plaintext 433 * in aes_ctx until it has at least one full block of 434 * plaintext. Any partial blocks of data remaining after 435 * encrypting are left for subsequent calls to 436 * aes_encrypt_contiguous_blocks(). If the input happened 437 * to be an exact multiple of AES_BLOCK_LEN, we must still 438 * append a block of padding (a full block in that case) so 439 * that the correct amount of padding to remove is known 440 * during decryption. 441 * 442 * soft_add_pkcs7_padding() is a bit overkill -- we just 443 * create a block filled with the pad amount using memset(), 444 * and encrypt 'amt' bytes of the block to pad out the input. 445 */ 446 char block[AES_BLOCK_LEN]; 447 size_t amt = AES_BLOCK_LEN - remainder; 448 449 VERIFY3U(remainder, ==, aes_ctx->ac_remainder_len); 450 451 (void) memset(block, amt & 0xff, sizeof (block)); 452 rc = aes_encrypt_contiguous_blocks(aes_ctx, block, amt, &out); 453 rv = crypto2pkcs11_error_number(rc); 454 explicit_bzero(block, sizeof (block)); 455 break; 456 } 457 case CKM_AES_CCM: 458 rc = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, &out, 459 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block); 460 rv = crypto2pkcs11_error_number(rc); 461 break; 462 case CKM_AES_GCM: 463 rc = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, &out, 464 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block, 465 aes_xor_block); 466 rv = crypto2pkcs11_error_number(rc); 467 break; 468 case CKM_AES_CMAC: 469 case CKM_AES_CMAC_GENERAL: 470 rc = cmac_mode_final((cbc_ctx_t *)aes_ctx, &out, 471 aes_encrypt_block, aes_xor_block); 472 rv = crypto2pkcs11_error_number(rc); 473 aes_ctx->ac_remainder_len = 0; 474 break; 475 case CKM_AES_CTR: 476 /* 477 * As CKM_AES_CTR is a stream cipher, ctr_mode_final is always 478 * invoked in the xx_update() functions, so we do not need to 479 * call it again here. 480 */ 481 break; 482 case CKM_AES_ECB: 483 case CKM_AES_CBC: 484 /* 485 * These mechanisms do not have nor require a xx_final function. 486 */ 487 break; 488 default: 489 rv = CKR_MECHANISM_INVALID; 490 break; 491 } 492 493 cleanup: 494 switch (rv) { 495 case CKR_OK: 496 *pulEncryptedDataLen = out.cd_offset; 497 break; 498 case CKR_BUFFER_TOO_SMALL: 499 /* *pulEncryptedDataLen was set earlier */ 500 break; 501 default: 502 /* something else failed */ 503 *pulEncryptedDataLen = 0; 504 break; 505 } 506 507 (void) pthread_mutex_lock(&session_p->session_mutex); 508 soft_aes_free_ctx(aes_ctx); 509 session_p->encrypt.context = NULL; 510 (void) pthread_mutex_unlock(&session_p->session_mutex); 511 512 return (rv); 513 } 514 515 static CK_RV 516 soft_aes_cbc_pad_decrypt(aes_ctx_t *aes_ctx, CK_BYTE_PTR pEncryptedData, 517 CK_ULONG ulEncryptedDataLen, crypto_data_t *out_orig) 518 { 519 aes_ctx_t *ctx = aes_ctx; 520 uint8_t *buf = NULL; 521 uint8_t *outbuf = (uint8_t *)out_orig->cd_raw.iov_base; 522 crypto_data_t out = *out_orig; 523 size_t i; 524 int rc; 525 CK_RV rv = CKR_OK; 526 uint8_t pad_len; 527 boolean_t speculate = B_FALSE; 528 529 /* 530 * Just a query for the output size. When the output buffer is 531 * NULL, we are allowed to return a size slightly larger than 532 * necessary. We know the output will never be larger than the 533 * input ciphertext, so we use that as an estimate. 534 */ 535 if (out_orig->cd_raw.iov_base == NULL) { 536 out_orig->cd_length = ulEncryptedDataLen; 537 return (CKR_OK); 538 } 539 540 /* 541 * The output plaintext size will be 1..AES_BLOCK_LEN bytes 542 * smaller than the input ciphertext. However we cannot know 543 * exactly how much smaller until we decrypt the entire 544 * input ciphertext. If we are unsure we have enough output buffer 545 * space, we have to allocate our own memory to hold the output, 546 * then see if we have enough room to hold the result. 547 * 548 * Unfortunately, having an output buffer that's too small does 549 * not terminate the operation, nor are we allowed to return 550 * partial results. Therefore we must also duplicate the initial 551 * aes_ctx so that this can potentially be run again. 552 */ 553 if (out_orig->cd_length < ulEncryptedDataLen) { 554 void *ks = malloc(aes_ctx->ac_keysched_len); 555 556 ctx = malloc(sizeof (*aes_ctx)); 557 buf = malloc(ulEncryptedDataLen); 558 if (ks == NULL || ctx == NULL || buf == NULL) { 559 free(ks); 560 free(ctx); 561 free(buf); 562 return (CKR_HOST_MEMORY); 563 } 564 565 bcopy(aes_ctx, ctx, sizeof (*ctx)); 566 bcopy(aes_ctx->ac_keysched, ks, aes_ctx->ac_keysched_len); 567 ctx->ac_keysched = ks; 568 569 out.cd_length = ulEncryptedDataLen; 570 out.cd_raw.iov_base = (char *)buf; 571 out.cd_raw.iov_len = ulEncryptedDataLen; 572 outbuf = buf; 573 574 speculate = B_TRUE; 575 } 576 577 rc = aes_decrypt_contiguous_blocks(ctx, (char *)pEncryptedData, 578 ulEncryptedDataLen, &out); 579 if (rc != CRYPTO_SUCCESS) { 580 out_orig->cd_offset = 0; 581 rv = CKR_FUNCTION_FAILED; 582 goto done; 583 } 584 585 /* 586 * RFC5652 6.3 The amount of padding must be 587 * block_sz - (len mod block_size). This means 588 * the amount of padding must always be in the 589 * range [1..block_size]. 590 */ 591 pad_len = outbuf[ulEncryptedDataLen - 1]; 592 if (pad_len == 0 || pad_len > AES_BLOCK_LEN) { 593 rv = CKR_ENCRYPTED_DATA_INVALID; 594 goto done; 595 } 596 out.cd_offset -= pad_len; 597 598 /* 599 * Verify pad values, trying to do so in as close to constant 600 * time as possible. 601 */ 602 for (i = ulEncryptedDataLen - pad_len; i < ulEncryptedDataLen; i++) { 603 if (outbuf[i] != pad_len) { 604 rv = CKR_ENCRYPTED_DATA_INVALID; 605 } 606 } 607 if (rv != CKR_OK) { 608 goto done; 609 } 610 611 if (speculate) { 612 if (out.cd_offset <= out_orig->cd_length) { 613 bcopy(out.cd_raw.iov_base, out_orig->cd_raw.iov_base, 614 out.cd_offset); 615 } else { 616 rv = CKR_BUFFER_TOO_SMALL; 617 } 618 } 619 620 /* 621 * No matter what, we report the exact size required. 622 */ 623 out_orig->cd_offset = out.cd_offset; 624 625 done: 626 freezero(buf, ulEncryptedDataLen); 627 if (ctx != aes_ctx) { 628 VERIFY(speculate); 629 soft_aes_free_ctx(ctx); 630 } 631 632 return (rv); 633 } 634 635 CK_RV 636 soft_aes_decrypt(soft_session_t *session_p, CK_BYTE_PTR pEncryptedData, 637 CK_ULONG ulEncryptedDataLen, CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen) 638 { 639 aes_ctx_t *aes_ctx = session_p->decrypt.context; 640 CK_MECHANISM_TYPE mech = session_p->decrypt.mech.mechanism; 641 size_t length_needed; 642 size_t remainder; 643 int rc = CRYPTO_SUCCESS; 644 CK_RV rv = CKR_OK; 645 crypto_data_t out = { 646 .cd_format = CRYPTO_DATA_RAW, 647 .cd_offset = 0, 648 .cd_length = *pulDataLen, 649 .cd_raw.iov_base = (char *)pData, 650 .cd_raw.iov_len = *pulDataLen 651 }; 652 653 /* 654 * A bit unusual, but it's permissible for ccm and gcm modes to not 655 * decrypt any data. This ends up being equivalent to CKM_AES_CMAC 656 * or CKM_AES_GMAC of the additional authenticated data (AAD). 657 */ 658 if ((pEncryptedData == NULL || ulEncryptedDataLen == 0) && 659 !(aes_ctx->ac_flags & (CCM_MODE|GCM_MODE))) { 660 return (CKR_ARGUMENTS_BAD); 661 } 662 663 remainder = ulEncryptedDataLen % AES_BLOCK_LEN; 664 665 /* 666 * CTR, CCM, CMAC, and GCM modes do not require the ciphertext 667 * to be a multiple of the AES block size. Note that while 668 * CKM_AES_CBC_PAD accepts an arbitrary sized plaintext, the 669 * ciphertext is always a multiple of the AES block size 670 */ 671 switch (mech) { 672 case CKM_AES_CMAC: 673 case CKM_AES_CMAC_GENERAL: 674 case CKM_AES_CTR: 675 case CKM_AES_CCM: 676 case CKM_AES_GCM: 677 break; 678 default: 679 if (remainder != 0) { 680 rv = CKR_DATA_LEN_RANGE; 681 goto cleanup; 682 } 683 } 684 685 if (mech == CKM_AES_CBC_PAD) { 686 rv = soft_aes_cbc_pad_decrypt(aes_ctx, pEncryptedData, 687 ulEncryptedDataLen, &out); 688 if (pData == NULL || rv == CKR_BUFFER_TOO_SMALL) { 689 *pulDataLen = out.cd_offset; 690 return (rv); 691 } 692 goto cleanup; 693 } 694 695 switch (aes_ctx->ac_flags & (CCM_MODE|GCM_MODE)) { 696 case CCM_MODE: 697 length_needed = aes_ctx->ac_processed_data_len; 698 break; 699 case GCM_MODE: 700 length_needed = ulEncryptedDataLen - aes_ctx->ac_tag_len; 701 break; 702 default: 703 /* 704 * Note: for CKM_AES_CBC_PAD, we cannot know exactly how much 705 * space is needed for the plaintext until after we decrypt it. 706 * However, it is permissible to return a value 'somewhat' 707 * larger than necessary (PKCS#11 Base Specification, sec 5.2). 708 * 709 * Since CKM_AES_CBC_PAD adds at most AES_BLOCK_LEN bytes to 710 * the plaintext, we report the ciphertext length as the 711 * required plaintext length. This means we specify at most 712 * AES_BLOCK_LEN additional bytes of memory for the plaintext. 713 * 714 * This behavior is slightly different from the earlier 715 * version of this code which returned the value of 716 * (ulEncryptedDataLen - AES_BLOCK_LEN), which was only ever 717 * correct when the original plaintext was already a multiple 718 * of AES_BLOCK_LEN (i.e. when AES_BLOCK_LEN of padding was 719 * added). This should not be a concern for existing 720 * consumers -- if they were previously using the value of 721 * *pulDataLen to size the outbut buffer, the resulting 722 * plaintext would be truncated anytime the original plaintext 723 * wasn't a multiple of AES_BLOCK_LEN. No consumer should 724 * be relying on such wrong behavior. More likely they are 725 * using the size of the ciphertext or larger for the 726 * buffer to hold the decrypted plaintext (which is always 727 * acceptable). 728 */ 729 length_needed = ulEncryptedDataLen; 730 } 731 732 if (pData == NULL) { 733 /* 734 * The application can ask for the size of the output buffer 735 * with a NULL output buffer (pData). 736 * C_Decrypt() guarantees pulDataLen != NULL. 737 */ 738 *pulDataLen = length_needed; 739 return (CKR_OK); 740 } 741 742 if (*pulDataLen < length_needed) { 743 *pulDataLen = length_needed; 744 return (CKR_BUFFER_TOO_SMALL); 745 } 746 747 if (ulEncryptedDataLen > 0) { 748 rv = soft_aes_decrypt_update(session_p, pEncryptedData, 749 ulEncryptedDataLen, pData, pulDataLen); 750 } 751 752 if (rv != CKR_OK) { 753 rv = CKR_FUNCTION_FAILED; 754 goto cleanup; 755 } 756 757 /* 758 * Some modes (e.g. CCM and GCM) will output additional data 759 * after the plaintext (such as the MAC). Update out to 760 * reflect the amount of data in pData for the _final() functions. 761 */ 762 out.cd_offset = *pulDataLen; 763 764 /* 765 * As CKM_AES_CTR is a stream cipher, ctr_mode_final is always 766 * invoked in the _update() functions, so we do not need to call it 767 * here. 768 */ 769 if (aes_ctx->ac_flags & CCM_MODE) { 770 ASSERT3U(aes_ctx->ac_processed_data_len, ==, 771 aes_ctx->ac_data_len); 772 ASSERT3U(aes_ctx->ac_processed_mac_len, ==, 773 aes_ctx->ac_mac_len); 774 775 rc = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, &out, 776 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block, 777 aes_xor_block); 778 rv = crypto2pkcs11_error_number(rc); 779 } else if (aes_ctx->ac_flags & GCM_MODE) { 780 rc = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, &out, 781 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block); 782 rv = crypto2pkcs11_error_number(rc); 783 } 784 785 cleanup: 786 if (rv == CKR_OK) { 787 *pulDataLen = out.cd_offset; 788 } else { 789 *pulDataLen = 0; 790 } 791 792 (void) pthread_mutex_lock(&session_p->session_mutex); 793 soft_aes_free_ctx(aes_ctx); 794 session_p->decrypt.context = NULL; 795 (void) pthread_mutex_unlock(&session_p->session_mutex); 796 797 return (rv); 798 } 799 800 CK_RV 801 soft_aes_encrypt_update(soft_session_t *session_p, CK_BYTE_PTR pData, 802 CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData, 803 CK_ULONG_PTR pulEncryptedDataLen) 804 { 805 aes_ctx_t *aes_ctx = session_p->encrypt.context; 806 crypto_data_t out = { 807 .cd_format = CRYPTO_DATA_RAW, 808 .cd_offset = 0, 809 .cd_length = *pulEncryptedDataLen, 810 .cd_raw.iov_base = (char *)pEncryptedData, 811 .cd_raw.iov_len = *pulEncryptedDataLen 812 }; 813 CK_MECHANISM_TYPE mech = session_p->encrypt.mech.mechanism; 814 CK_RV rv = CKR_OK; 815 size_t out_len; 816 int rc; 817 818 /* 819 * If pData is NULL, we should have zero bytes to process, and 820 * the aes_encrypt_contiguous_blocks() call will be an effective no-op. 821 */ 822 IMPLY(pData == NULL, ulDataLen == 0); 823 824 /* Check size of the output buffer */ 825 switch (mech) { 826 case CKM_AES_CMAC: 827 /* 828 * The underlying CMAC implementation handles the storing of 829 * extra bytes and does not output any data until *_final, 830 * so do not bother looking at the size of the output 831 * buffer at this time. 832 */ 833 out_len = 0; 834 break; 835 case CKM_AES_CTR: 836 /* 837 * CTR mode is a stream cipher, so we always output exactly as 838 * much ciphertext as input plaintext 839 */ 840 out_len = ulDataLen; 841 break; 842 default: 843 out_len = aes_ctx->ac_remainder_len + ulDataLen; 844 845 /* 846 * The number of complete blocks we can encrypt right now. 847 * The underlying implementation will buffer any remaining data 848 * until the next *_update call. 849 */ 850 out_len &= ~(AES_BLOCK_LEN - 1); 851 break; 852 } 853 854 if (pEncryptedData == NULL) { 855 *pulEncryptedDataLen = out_len; 856 return (CKR_OK); 857 } 858 859 if (*pulEncryptedDataLen < out_len) { 860 *pulEncryptedDataLen = out_len; 861 return (CKR_BUFFER_TOO_SMALL); 862 } 863 864 rc = aes_encrypt_contiguous_blocks(aes_ctx, (char *)pData, ulDataLen, 865 &out); 866 867 /* 868 * Since out.cd_offset is set to 0 initially and the underlying 869 * implementation increments out.cd_offset by the amount of output 870 * written, so we can just use the value as the amount written. 871 */ 872 *pulEncryptedDataLen = out.cd_offset; 873 874 if (rc != CRYPTO_SUCCESS) { 875 return (CKR_FUNCTION_FAILED); 876 } 877 878 rv = crypto2pkcs11_error_number(rc); 879 880 return (rv); 881 } 882 883 CK_RV 884 soft_aes_decrypt_update(soft_session_t *session_p, CK_BYTE_PTR pEncryptedData, 885 CK_ULONG ulEncryptedDataLen, CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen) 886 { 887 aes_ctx_t *aes_ctx = session_p->decrypt.context; 888 uint8_t *buffer_block = NULL; 889 crypto_data_t out = { 890 .cd_format = CRYPTO_DATA_RAW, 891 .cd_offset = 0, 892 .cd_length = *pulDataLen, 893 .cd_raw.iov_base = (char *)pData, 894 .cd_raw.iov_len = *pulDataLen 895 }; 896 CK_MECHANISM_TYPE mech = session_p->decrypt.mech.mechanism; 897 CK_RV rv = CKR_OK; 898 size_t in_len = ulEncryptedDataLen; 899 size_t out_len; 900 int rc = CRYPTO_SUCCESS; 901 902 switch (mech) { 903 case CKM_AES_CCM: 904 case CKM_AES_GCM: 905 out_len = 0; 906 break; 907 case CKM_AES_CBC_PAD: 908 /* 909 * For CKM_AES_CBC_PAD, we use the existing code for CBC 910 * mode in libsoftcrypto (which itself uses the code in 911 * usr/src/common/crypto/modes for CBC mode). For 912 * non-padding AES CBC mode, aes_decrypt_contiguous_blocks() 913 * will accumulate ciphertext in aes_ctx->ac_remainder until 914 * there is at least AES_BLOCK_LEN bytes of ciphertext available 915 * to decrypt. At that point, as many blocks of AES_BLOCK_LEN 916 * sized ciphertext blocks are decrypted. Any remainder is 917 * copied into aes_ctx->ac_remainder for decryption in 918 * subsequent calls to aes_decrypt_contiguous_blocks(). 919 * 920 * When PKCS#7 padding is used, the buffering 921 * aes_decrypt_contigous_blocks() performs is insufficient. 922 * PKCS#7 padding always adds [1..AES_BLOCK_LEN] bytes of 923 * padding to plaintext, so the resulting ciphertext is always 924 * larger than the input plaintext. However we cannot know 925 * which block is the final block (and needs its padding 926 * stripped) until C_DecryptFinal() is called. Additionally, 927 * it is permissible for a caller to use buffers sized to the 928 * output plaintext -- i.e. smaller than the input ciphertext. 929 * This leads to a more complicated buffering/accumulation 930 * strategy than what aes_decrypt_contiguous_blocks() provides 931 * us. 932 * 933 * Our buffering strategy works as follows: 934 * For each call to C_DecryptUpdate, we calculate the 935 * total amount of ciphertext available (buffered plus what's 936 * passed in) as the initial output size (out_len). Based 937 * on the value of out_len, there are three possibilties: 938 * 939 * 1. We have less than AES_BLOCK_LEN + 1 bytes of 940 * ciphertext available. Accumulate the ciphertext in 941 * aes_ctx->ac_remainder. Note that while we could let 942 * aes_decrypt_contiguous_blocks() buffer the input for us 943 * when we have less than AES_BLOCK_LEN bytes, we would still 944 * need to buffer when we have exactly AES_BLOCK_LEN 945 * bytes available, so we just handle both situations with 946 * one if clause. 947 * 948 * 2. We have at least AES_BLOCK_LEN + 1 bytes of 949 * ciphertext, and the total amount available is also an 950 * exact multiple of AES_BLOCK_LEN. We cannot know if the 951 * last block of input is the final block (yet), but we 952 * are an exact multiple of AES_BLOCK_LEN, and we have 953 * at least AES_BLOCK_LEN + 1 bytes available, therefore 954 * there must be at least 2 * AES_BLOCK_LEN bytes of input 955 * ciphertext available. It also means there's at least one 956 * full block of input ciphertext that can be decrypted. We 957 * reduce the size of the input (in_len) given to 958 * aes_decrypt_contiguous_bytes() by AES_BLOCK_LEN to prevent 959 * it from decrypting the last full block of data. 960 * aes_decrypt_contiguous_blocks() will when decrypt any 961 * buffered data in aex_ctx->ac_remainder, and then any 962 * input data passed. Since we have an exact multiple of 963 * AES_BLOCK_LEN, aes_ctx->ac_remainder will be empty 964 * (aes_ctx->ac_remainder_len == 0), once 965 * aes_decrypt_contiguout_block() completes, and we can 966 * copy the last block of data into aes_ctx->ac_remainder. 967 * 968 * 3. We have at least AES_BLOCK_LEN + 1 bytes of 969 * ciphertext, but the total amount available is not an 970 * exact multiple of AES_BLOCK_LEN. We decrypt all of 971 * full blocks of data we have. The remainder will be 972 * less than AES_BLOCK_LEN bytes. We let 973 * aes_decrypt_contiguous_blocks() buffer the remainder 974 * for us since it would normally do this anyway. Since there 975 * is a remainder, the full blocks that are present cannot 976 * be the last block, so we can safey decrypt all of them. 977 * 978 * Some things to note: 979 * - The above semantics will cause aes_ctx->ac_remainder to 980 * never accumulate more than AES_BLOCK_LEN bytes of 981 * ciphertext. Once we reach at least AES_BLOCK_LEN + 1 bytes, 982 * we will decrypt the contents of aes_ctx->ac_remainder by one 983 * of the last two scenarios described above. 984 * 985 * - We must always end up with AES_BLOCK_LEN bytes of data 986 * in aes_ctx->ac_remainder when C_DecryptFinal() is called. 987 * The first and third scenarios above may leave 988 * aes_ctx->ac_remainder with less than AES_BLOCK_LEN bytes, 989 * however the total size of the input ciphertext that's 990 * been decrypted must end up a multiple of AES_BLOCK_LEN. 991 * Therefore, we can always assume when there is a 992 * remainder that more data is coming. If we do end up 993 * with a remainder that's not AES_BLOCK_LEN bytes long 994 * when C_DecryptFinal() is called, the input is assumed 995 * invalid and we return CKR_DATA_LEN_RANGE (see 996 * soft_aes_decrypt_final()). 997 */ 998 999 VERIFY3U(aes_ctx->ac_remainder_len, <=, AES_BLOCK_LEN); 1000 if (in_len >= SIZE_MAX - AES_BLOCK_LEN) 1001 return (CKR_ENCRYPTED_DATA_LEN_RANGE); 1002 1003 out_len = aes_ctx->ac_remainder_len + in_len; 1004 1005 if (out_len <= AES_BLOCK_LEN) { 1006 /* 1007 * The first scenario detailed above, accumulate 1008 * ciphertext in ac_remainder_len and return. 1009 */ 1010 uint8_t *dest = (uint8_t *)aes_ctx->ac_remainder + 1011 aes_ctx->ac_remainder_len; 1012 1013 bcopy(pEncryptedData, dest, in_len); 1014 aes_ctx->ac_remainder_len += in_len; 1015 *pulDataLen = 0; 1016 1017 /* 1018 * Since we aren't writing an output, and are returning 1019 * here, we don't need to adjust out_len -- we never 1020 * reach the output buffer size checks after the 1021 * switch statement. 1022 */ 1023 return (CKR_OK); 1024 } else if (out_len % AES_BLOCK_LEN == 0) { 1025 /* 1026 * The second scenario decribed above. The total amount 1027 * available is a multiple of AES_BLOCK_LEN, and 1028 * we have more than one block. We reduce the 1029 * input size (in_len) by AES_BLOCK_LEN. We also 1030 * reduce the output size (out_len) by AES_BLOCK_LEN 1031 * for the output buffer size checks that follow 1032 * the switch statement. In certain situations, 1033 * PKCS#11 requires this to be an exact value, so 1034 * the size check cannot occur for CKM_AES_CBC_PAD 1035 * until after we've determine which scenario we 1036 * have. 1037 * 1038 * Because we never accumulate more than AES_BLOCK_LEN 1039 * bytes in aes_ctx->ac_remainder, when we are in 1040 * this scenario, the following VERIFYs should always 1041 * be true (and serve as a final safeguard against 1042 * underflow). 1043 */ 1044 VERIFY3U(in_len, >=, AES_BLOCK_LEN); 1045 1046 buffer_block = pEncryptedData + in_len - AES_BLOCK_LEN; 1047 1048 in_len -= AES_BLOCK_LEN; 1049 1050 /* 1051 * This else clause explicity checks 1052 * out_len > AES_BLOCK_LEN, so this is also safe. 1053 */ 1054 out_len -= AES_BLOCK_LEN; 1055 } else { 1056 /* 1057 * The third scenario above. We have at least 1058 * AES_BLOCK_LEN + 1 bytes, but the total amount of 1059 * input ciphertext available is not an exact 1060 * multiple of AES_BLOCK_LEN. Let 1061 * aes_decrypt_contiguous_blocks() handle the 1062 * buffering of the remainder. Update the 1063 * output size to reflect the actual amount of output 1064 * we want to emit for the checks after the switch 1065 * statement. 1066 */ 1067 out_len &= ~(AES_BLOCK_LEN - 1); 1068 } 1069 break; 1070 case CKM_AES_CTR: 1071 /* 1072 * CKM_AES_CTR is a stream cipher, so we always output 1073 * exactly as much output plaintext as input ciphertext 1074 */ 1075 out_len = in_len; 1076 break; 1077 default: 1078 out_len = aes_ctx->ac_remainder_len + in_len; 1079 out_len &= ~(AES_BLOCK_LEN - 1); 1080 break; 1081 } 1082 1083 /* 1084 * C_DecryptUpdate() verifies that pulDataLen is not NULL prior 1085 * to calling soft_decrypt_common() (which calls us). 1086 */ 1087 1088 if (pData == NULL) { 1089 /* 1090 * If the output buffer (pData) is NULL, that means the 1091 * caller is inquiring about the size buffer needed to 1092 * complete the C_DecryptUpdate() request. While we are 1093 * permitted to set *pulDataLen to an estimated value that can 1094 * be 'slightly' larger than the actual value required, 1095 * since we know the exact size we need, we stick with the 1096 * exact size. 1097 */ 1098 *pulDataLen = out_len; 1099 return (CKR_OK); 1100 } 1101 1102 if (*pulDataLen < out_len) { 1103 /* 1104 * Not an inquiry, but the output buffer isn't large enough. 1105 * PKCS#11 requires that this scenario not fail fatally (as 1106 * well as return a different error value). This situation 1107 * also requires us to set *pulDataLen to the _exact_ size 1108 * required. 1109 */ 1110 *pulDataLen = out_len; 1111 return (CKR_BUFFER_TOO_SMALL); 1112 } 1113 1114 rc = aes_decrypt_contiguous_blocks(aes_ctx, (char *)pEncryptedData, 1115 in_len, &out); 1116 1117 if (rc != CRYPTO_SUCCESS) { 1118 rv = CKR_FUNCTION_FAILED; 1119 goto done; 1120 } 1121 1122 *pulDataLen = out.cd_offset; 1123 1124 switch (mech) { 1125 case CKM_AES_CBC_PAD: 1126 if (buffer_block == NULL) { 1127 break; 1128 } 1129 1130 VERIFY0(aes_ctx->ac_remainder_len); 1131 1132 /* 1133 * We had multiple blocks of data to decrypt with nothing 1134 * left over and deferred decrypting the last block of data. 1135 * Copy it into aes_ctx->ac_remainder to decrypt on the 1136 * next update call (or final). 1137 */ 1138 bcopy(buffer_block, aes_ctx->ac_remainder, AES_BLOCK_LEN); 1139 aes_ctx->ac_remainder_len = AES_BLOCK_LEN; 1140 break; 1141 } 1142 1143 done: 1144 return (rv); 1145 } 1146 1147 CK_RV 1148 soft_aes_encrypt_final(soft_session_t *session_p, 1149 CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pulLastEncryptedPartLen) 1150 { 1151 aes_ctx_t *aes_ctx = session_p->encrypt.context; 1152 crypto_data_t data = { 1153 .cd_format = CRYPTO_DATA_RAW, 1154 .cd_offset = 0, 1155 .cd_length = *pulLastEncryptedPartLen, 1156 .cd_raw.iov_base = (char *)pLastEncryptedPart, 1157 .cd_raw.iov_len = *pulLastEncryptedPartLen 1158 }; 1159 CK_MECHANISM_TYPE mech = session_p->encrypt.mech.mechanism; 1160 CK_RV rv = CKR_OK; 1161 size_t out_len; 1162 int rc = CRYPTO_SUCCESS; 1163 1164 switch (mech) { 1165 case CKM_AES_CBC_PAD: 1166 /* 1167 * We always add 1..AES_BLOCK_LEN of padding to the input 1168 * plaintext to round up to a multiple of AES_BLOCK_LEN. 1169 * During encryption, we never output a partially encrypted 1170 * block (that is the amount encrypted by each call of 1171 * C_EncryptUpdate() is always either 0 or n * AES_BLOCK_LEN). 1172 * As a result, at the end of the encryption operation, we 1173 * output AES_BLOCK_LEN bytes of data -- this could be a full 1174 * block of padding, or a combination of data + padding. 1175 */ 1176 out_len = AES_BLOCK_LEN; 1177 break; 1178 case CKM_AES_CTR: 1179 /* 1180 * Since CKM_AES_CTR is a stream cipher, we never buffer any 1181 * input, so we always have 0 remaining bytes of output. 1182 */ 1183 out_len = 0; 1184 break; 1185 case CKM_AES_CCM: 1186 out_len = aes_ctx->ac_remainder_len + 1187 aes_ctx->acu.acu_ccm.ccm_mac_len; 1188 break; 1189 case CKM_AES_GCM: 1190 out_len = aes_ctx->ac_remainder_len + 1191 aes_ctx->acu.acu_gcm.gcm_tag_len; 1192 break; 1193 case CKM_AES_CMAC: 1194 case CKM_AES_CMAC_GENERAL: 1195 out_len = AES_BLOCK_LEN; 1196 break; 1197 default: 1198 /* 1199 * Everything other AES mechansism requires full blocks of 1200 * input. If the input was not an exact multiple of 1201 * AES_BLOCK_LEN, it is a fatal error. 1202 */ 1203 if (aes_ctx->ac_remainder_len > 0) { 1204 rv = CKR_DATA_LEN_RANGE; 1205 goto done; 1206 } 1207 out_len = 0; 1208 } 1209 1210 if (*pulLastEncryptedPartLen < out_len || pLastEncryptedPart == NULL) { 1211 *pulLastEncryptedPartLen = out_len; 1212 return ((pLastEncryptedPart == NULL) ? 1213 CKR_OK : CKR_BUFFER_TOO_SMALL); 1214 } 1215 1216 switch (mech) { 1217 case CKM_AES_CBC_PAD: { 1218 char block[AES_BLOCK_LEN] = { 0 }; 1219 size_t padlen = AES_BLOCK_LEN - aes_ctx->ac_remainder_len; 1220 1221 if (padlen == 0) { 1222 padlen = AES_BLOCK_LEN; 1223 } 1224 1225 (void) memset(block, padlen & 0xff, sizeof (block)); 1226 rc = aes_encrypt_contiguous_blocks(aes_ctx, block, 1227 padlen, &data); 1228 explicit_bzero(block, sizeof (block)); 1229 break; 1230 } 1231 case CKM_AES_CTR: 1232 /* 1233 * Since CKM_AES_CTR is a stream cipher, we never 1234 * buffer any data, and thus have no remaining data 1235 * to output at the end 1236 */ 1237 break; 1238 case CKM_AES_CCM: 1239 rc = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, &data, 1240 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block); 1241 break; 1242 case CKM_AES_GCM: 1243 rc = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, &data, 1244 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block, 1245 aes_xor_block); 1246 break; 1247 case CKM_AES_CMAC: 1248 case CKM_AES_CMAC_GENERAL: 1249 rc = cmac_mode_final((cbc_ctx_t *)aes_ctx, &data, 1250 aes_encrypt_block, aes_xor_block); 1251 break; 1252 default: 1253 break; 1254 } 1255 rv = crypto2pkcs11_error_number(rc); 1256 1257 done: 1258 if (rv == CKR_OK) { 1259 *pulLastEncryptedPartLen = data.cd_offset; 1260 } 1261 1262 soft_aes_free_ctx(aes_ctx); 1263 session_p->encrypt.context = NULL; 1264 return (rv); 1265 } 1266 1267 CK_RV 1268 soft_aes_decrypt_final(soft_session_t *session_p, CK_BYTE_PTR pLastPart, 1269 CK_ULONG_PTR pulLastPartLen) 1270 { 1271 aes_ctx_t *aes_ctx = session_p->decrypt.context; 1272 CK_MECHANISM_TYPE mech = session_p->decrypt.mech.mechanism; 1273 CK_RV rv = CKR_OK; 1274 int rc = CRYPTO_SUCCESS; 1275 size_t out_len; 1276 crypto_data_t out = { 1277 .cd_format = CRYPTO_DATA_RAW, 1278 .cd_offset = 0, 1279 .cd_length = *pulLastPartLen, 1280 .cd_raw.iov_base = (char *)pLastPart, 1281 .cd_raw.iov_len = *pulLastPartLen 1282 }; 1283 1284 switch (mech) { 1285 case CKM_AES_CBC_PAD: 1286 /* 1287 * PKCS#11 requires that a caller can discover the size of 1288 * the output buffer required by calling 1289 * C_DecryptFinal(hSession, NULL, &len) which sets 1290 * *pulLastPartLen to the size required. However, it also 1291 * allows if one calls C_DecryptFinal with a buffer (i.e. 1292 * pLastPart != NULL) that is too small, to return 1293 * CKR_BUFFER_TOO_SMALL with *pulLastPartLen set to the 1294 * _exact_ size required (when pLastPart is NULL, the 1295 * implementation is allowed to set a 'sightly' larger 1296 * value than is strictly necessary. In either case, the 1297 * caller is allowed to retry the operation (the operation 1298 * is not terminated). 1299 * 1300 * With PKCS#7 padding, we cannot determine the exact size of 1301 * the output until we decrypt the final block. As such, the 1302 * first time for a given decrypt operation we are called, 1303 * we decrypt the final block and stash it in the aes_ctx 1304 * remainder block. On any subsequent calls in the 1305 * current decrypt operation, we then can use the decrypted 1306 * block as necessary to provide the correct semantics. 1307 * 1308 * The cleanup of aes_ctx when the operation terminates 1309 * will take care of clearing out aes_ctx->ac_remainder_len. 1310 */ 1311 if ((aes_ctx->ac_flags & P11_DECRYPTED) == 0) { 1312 uint8_t block[AES_BLOCK_LEN] = { 0 }; 1313 crypto_data_t block_out = { 1314 .cd_format = CRYPTO_DATA_RAW, 1315 .cd_offset = 0, 1316 .cd_length = sizeof (block), 1317 .cd_raw.iov_base = (char *)block, 1318 .cd_raw.iov_len = sizeof (block) 1319 }; 1320 size_t amt, i; 1321 uint8_t pad_len; 1322 1323 if (aes_ctx->ac_remainder_len != AES_BLOCK_LEN) { 1324 return (CKR_DATA_LEN_RANGE); 1325 } 1326 1327 rc = aes_decrypt_contiguous_blocks(aes_ctx, 1328 (char *)block, 0, &block_out); 1329 if (rc != CRYPTO_SUCCESS) { 1330 explicit_bzero(block, sizeof (block)); 1331 return (CKR_FUNCTION_FAILED); 1332 } 1333 1334 pad_len = block[AES_BLOCK_LEN - 1]; 1335 1336 /* 1337 * RFC5652 6.3 The amount of padding must be 1338 * block_sz - (len mod block_size). This means 1339 * the amount of padding must always be in the 1340 * range [1..block_size]. 1341 */ 1342 if (pad_len == 0 || pad_len > AES_BLOCK_LEN) { 1343 rv = CKR_ENCRYPTED_DATA_INVALID; 1344 explicit_bzero(block, sizeof (block)); 1345 goto done; 1346 } 1347 amt = AES_BLOCK_LEN - pad_len; 1348 1349 /* 1350 * Verify the padding is correct. Try to do so 1351 * in as constant a time as possible. 1352 */ 1353 for (i = amt; i < AES_BLOCK_LEN; i++) { 1354 if (block[i] != pad_len) { 1355 rv = CKR_ENCRYPTED_DATA_INVALID; 1356 } 1357 } 1358 if (rv != CKR_OK) { 1359 explicit_bzero(block, sizeof (block)); 1360 goto done; 1361 } 1362 1363 bcopy(block, aes_ctx->ac_remainder, amt); 1364 explicit_bzero(block, sizeof (block)); 1365 1366 aes_ctx->ac_flags |= P11_DECRYPTED; 1367 aes_ctx->ac_remainder_len = amt; 1368 } 1369 1370 out_len = aes_ctx->ac_remainder_len; 1371 break; 1372 case CKM_AES_CTR: 1373 /* 1374 * Since CKM_AES_CTR is a stream cipher, we never have 1375 * any remaining bytes to output. 1376 */ 1377 out_len = 0; 1378 break; 1379 case CKM_AES_CCM: 1380 out_len = aes_ctx->ac_data_len; 1381 break; 1382 case CKM_AES_GCM: 1383 out_len = aes_ctx->acu.acu_gcm.gcm_processed_data_len - 1384 aes_ctx->acu.acu_gcm.gcm_tag_len; 1385 break; 1386 default: 1387 /* 1388 * The remaining mechanims require an exact multiple of 1389 * AES_BLOCK_LEN of ciphertext. Any other value is an error. 1390 */ 1391 if (aes_ctx->ac_remainder_len > 0) { 1392 rv = CKR_DATA_LEN_RANGE; 1393 goto done; 1394 } 1395 out_len = 0; 1396 break; 1397 } 1398 1399 if (*pulLastPartLen < out_len || pLastPart == NULL) { 1400 *pulLastPartLen = out_len; 1401 return ((pLastPart == NULL) ? CKR_OK : CKR_BUFFER_TOO_SMALL); 1402 } 1403 1404 switch (mech) { 1405 case CKM_AES_CBC_PAD: 1406 *pulLastPartLen = out_len; 1407 if (out_len == 0) { 1408 break; 1409 } 1410 bcopy(aes_ctx->ac_remainder, pLastPart, out_len); 1411 out.cd_offset += out_len; 1412 break; 1413 case CKM_AES_CCM: 1414 ASSERT3U(aes_ctx->ac_processed_data_len, ==, out_len); 1415 ASSERT3U(aes_ctx->ac_processed_mac_len, ==, 1416 aes_ctx->ac_mac_len); 1417 1418 rc = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, &out, 1419 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block, 1420 aes_xor_block); 1421 break; 1422 case CKM_AES_GCM: 1423 rc = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, &out, 1424 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block); 1425 break; 1426 default: 1427 break; 1428 } 1429 1430 VERIFY3U(out.cd_offset, ==, out_len); 1431 rv = crypto2pkcs11_error_number(rc); 1432 1433 done: 1434 if (rv == CKR_OK) { 1435 *pulLastPartLen = out.cd_offset; 1436 } 1437 1438 soft_aes_free_ctx(aes_ctx); 1439 session_p->decrypt.context = NULL; 1440 1441 return (rv); 1442 } 1443 1444 /* 1445 * Allocate and initialize AES contexts for sign and verify operations 1446 * (including the underlying encryption context needed to sign or verify) -- 1447 * called by C_SignInit() and C_VerifyInit() to perform the CKM_AES_* MAC 1448 * mechanisms. For general-length AES MAC, also validate the MAC length. 1449 */ 1450 CK_RV 1451 soft_aes_sign_verify_init_common(soft_session_t *session_p, 1452 CK_MECHANISM_PTR pMechanism, soft_object_t *key_p, boolean_t sign_op) 1453 { 1454 soft_aes_sign_ctx_t *ctx = NULL; 1455 /* For AES CMAC (the only AES MAC currently), iv is always 0 */ 1456 CK_BYTE iv[AES_BLOCK_LEN] = { 0 }; 1457 CK_MECHANISM encrypt_mech = { 1458 .mechanism = CKM_AES_CMAC, 1459 .pParameter = iv, 1460 .ulParameterLen = sizeof (iv) 1461 }; 1462 CK_RV rv; 1463 size_t mac_len = AES_BLOCK_LEN; 1464 1465 if (key_p->key_type != CKK_AES) 1466 return (CKR_KEY_TYPE_INCONSISTENT); 1467 1468 /* C_{Sign,Verify}Init() validate pMechanism != NULL */ 1469 if (pMechanism->mechanism == CKM_AES_CMAC_GENERAL) { 1470 if (pMechanism->pParameter == NULL) { 1471 return (CKR_MECHANISM_PARAM_INVALID); 1472 } 1473 1474 mac_len = *(CK_MAC_GENERAL_PARAMS *)pMechanism->pParameter; 1475 1476 if (mac_len > AES_BLOCK_LEN) { 1477 return (CKR_MECHANISM_PARAM_INVALID); 1478 } 1479 } 1480 1481 ctx = calloc(1, sizeof (*ctx)); 1482 if (ctx == NULL) { 1483 return (CKR_HOST_MEMORY); 1484 } 1485 1486 rv = soft_aes_check_mech_param(pMechanism, &ctx->aes_ctx); 1487 if (rv != CKR_OK) { 1488 soft_aes_free_ctx(ctx->aes_ctx); 1489 goto done; 1490 } 1491 1492 if ((rv = soft_encrypt_init_internal(session_p, &encrypt_mech, 1493 key_p)) != CKR_OK) { 1494 soft_aes_free_ctx(ctx->aes_ctx); 1495 goto done; 1496 } 1497 1498 ctx->mac_len = mac_len; 1499 1500 (void) pthread_mutex_lock(&session_p->session_mutex); 1501 1502 if (sign_op) { 1503 session_p->sign.context = ctx; 1504 session_p->sign.mech.mechanism = pMechanism->mechanism; 1505 } else { 1506 session_p->verify.context = ctx; 1507 session_p->verify.mech.mechanism = pMechanism->mechanism; 1508 } 1509 1510 (void) pthread_mutex_unlock(&session_p->session_mutex); 1511 1512 done: 1513 if (rv != CKR_OK) { 1514 soft_aes_free_ctx(ctx->aes_ctx); 1515 free(ctx); 1516 } 1517 1518 return (rv); 1519 } 1520 1521 CK_RV 1522 soft_aes_sign_verify_common(soft_session_t *session_p, CK_BYTE_PTR pData, 1523 CK_ULONG ulDataLen, CK_BYTE_PTR pSigned, CK_ULONG_PTR pulSignedLen, 1524 boolean_t sign_op, boolean_t Final) 1525 { 1526 soft_aes_sign_ctx_t *soft_aes_ctx_sign_verify; 1527 CK_RV rv; 1528 CK_BYTE *pEncrypted = NULL; 1529 CK_ULONG ulEncryptedLen = AES_BLOCK_LEN; 1530 CK_BYTE last_block[AES_BLOCK_LEN]; 1531 1532 if (sign_op) { 1533 soft_aes_ctx_sign_verify = 1534 (soft_aes_sign_ctx_t *)session_p->sign.context; 1535 1536 if (soft_aes_ctx_sign_verify->mac_len == 0) { 1537 *pulSignedLen = 0; 1538 goto clean_exit; 1539 } 1540 1541 /* Application asks for the length of the output buffer. */ 1542 if (pSigned == NULL) { 1543 *pulSignedLen = soft_aes_ctx_sign_verify->mac_len; 1544 return (CKR_OK); 1545 } 1546 1547 /* Is the application-supplied buffer large enough? */ 1548 if (*pulSignedLen < soft_aes_ctx_sign_verify->mac_len) { 1549 *pulSignedLen = soft_aes_ctx_sign_verify->mac_len; 1550 return (CKR_BUFFER_TOO_SMALL); 1551 } 1552 } else { 1553 soft_aes_ctx_sign_verify = 1554 (soft_aes_sign_ctx_t *)session_p->verify.context; 1555 } 1556 1557 if (Final) { 1558 rv = soft_encrypt_final(session_p, last_block, 1559 &ulEncryptedLen); 1560 } else { 1561 rv = soft_encrypt(session_p, pData, ulDataLen, 1562 last_block, &ulEncryptedLen); 1563 } 1564 1565 if (rv == CKR_OK) { 1566 *pulSignedLen = soft_aes_ctx_sign_verify->mac_len; 1567 1568 /* the leftmost mac_len bytes of last_block is our MAC */ 1569 (void) memcpy(pSigned, last_block, *pulSignedLen); 1570 } 1571 1572 clean_exit: 1573 1574 (void) pthread_mutex_lock(&session_p->session_mutex); 1575 1576 /* soft_encrypt_common() has freed the encrypt context */ 1577 if (sign_op) { 1578 free(session_p->sign.context); 1579 session_p->sign.context = NULL; 1580 } else { 1581 free(session_p->verify.context); 1582 session_p->verify.context = NULL; 1583 } 1584 session_p->encrypt.flags = 0; 1585 1586 (void) pthread_mutex_unlock(&session_p->session_mutex); 1587 1588 if (pEncrypted) { 1589 free(pEncrypted); 1590 } 1591 1592 return (rv); 1593 } 1594 1595 /* 1596 * Called by soft_sign_update() 1597 */ 1598 CK_RV 1599 soft_aes_mac_sign_verify_update(soft_session_t *session_p, CK_BYTE_PTR pPart, 1600 CK_ULONG ulPartLen) 1601 { 1602 CK_BYTE buf[AES_BLOCK_LEN]; 1603 CK_ULONG ulEncryptedLen = AES_BLOCK_LEN; 1604 CK_RV rv; 1605 1606 rv = soft_encrypt_update(session_p, pPart, ulPartLen, 1607 buf, &ulEncryptedLen); 1608 explicit_bzero(buf, sizeof (buf)); 1609 1610 return (rv); 1611 } 1612 1613 /* 1614 * Compare with crypto_free_mode_ctx() 1615 * in $SRC/common/crypto/modes/modes.c 1616 */ 1617 void 1618 soft_aes_free_ctx(aes_ctx_t *ctx) 1619 { 1620 size_t len = 0; 1621 1622 if (ctx == NULL) 1623 return; 1624 1625 if (ctx->ac_flags & ECB_MODE) { 1626 len = sizeof (ecb_ctx_t); 1627 } else if (ctx->ac_flags & (CBC_MODE|CMAC_MODE)) { 1628 len = sizeof (cbc_ctx_t); 1629 } else if (ctx->ac_flags & CTR_MODE) { 1630 len = sizeof (ctr_ctx_t); 1631 } else if (ctx->ac_flags & CCM_MODE) { 1632 ccm_ctx_t *ccm_ctx = &ctx->acu.acu_ccm; 1633 if (ccm_ctx->ccm_pt_buf != NULL) { 1634 freezero(ccm_ctx->ccm_pt_buf, 1635 ccm_ctx->ccm_data_len); 1636 ccm_ctx->ccm_pt_buf = NULL; 1637 } 1638 len = sizeof (ccm_ctx_t); 1639 } else if (ctx->ac_flags & GCM_MODE) { 1640 gcm_ctx_t *gcm_ctx = &ctx->acu.acu_gcm; 1641 if (gcm_ctx->gcm_pt_buf != NULL) { 1642 freezero(gcm_ctx->gcm_pt_buf, 1643 gcm_ctx->gcm_pt_buf_len); 1644 gcm_ctx->gcm_pt_buf = NULL; 1645 } 1646 len = sizeof (gcm_ctx_t); 1647 } 1648 1649 freezero(ctx->ac_keysched, ctx->ac_keysched_len); 1650 freezero(ctx, len); 1651 } 1652