1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. 24 * Copyright 2014 Nexenta Systems, Inc. All rights reserved. 25 * Copyright 2019 Joyent, Inc. 26 * Copyright 2017 Jason King. 27 */ 28 29 #include <pthread.h> 30 #include <stdlib.h> 31 #include <string.h> 32 #include <strings.h> 33 #include <sys/debug.h> 34 #include <sys/types.h> 35 #include <security/cryptoki.h> 36 #include <aes_impl.h> 37 #include <cryptoutil.h> 38 #include "softSession.h" 39 #include "softObject.h" 40 #include "softCrypt.h" 41 #include "softOps.h" 42 43 /* 44 * Check that the mechanism parameter is present and the correct size if 45 * required and allocate an AES context. 46 */ 47 static CK_RV 48 soft_aes_check_mech_param(CK_MECHANISM_PTR mech, aes_ctx_t **ctxp) 49 { 50 void *(*allocf)(int) = NULL; 51 size_t param_len = 0; 52 boolean_t param_req = B_TRUE; 53 54 switch (mech->mechanism) { 55 case CKM_AES_ECB: 56 param_req = B_FALSE; 57 allocf = ecb_alloc_ctx; 58 break; 59 case CKM_AES_CMAC: 60 param_req = B_FALSE; 61 allocf = cmac_alloc_ctx; 62 break; 63 case CKM_AES_CMAC_GENERAL: 64 param_len = sizeof (CK_MAC_GENERAL_PARAMS); 65 allocf = cmac_alloc_ctx; 66 break; 67 case CKM_AES_CBC: 68 case CKM_AES_CBC_PAD: 69 param_len = AES_BLOCK_LEN; 70 allocf = cbc_alloc_ctx; 71 break; 72 case CKM_AES_CTR: 73 param_len = sizeof (CK_AES_CTR_PARAMS); 74 allocf = ctr_alloc_ctx; 75 break; 76 case CKM_AES_CCM: 77 param_len = sizeof (CK_CCM_PARAMS); 78 allocf = ccm_alloc_ctx; 79 break; 80 case CKM_AES_GCM: 81 param_len = sizeof (CK_GCM_PARAMS); 82 allocf = gcm_alloc_ctx; 83 break; 84 default: 85 return (CKR_MECHANISM_INVALID); 86 } 87 88 if (param_req && (mech->pParameter == NULL || 89 mech->ulParameterLen != param_len)) { 90 return (CKR_MECHANISM_PARAM_INVALID); 91 } 92 93 *ctxp = allocf(0); 94 if (*ctxp == NULL) { 95 return (CKR_HOST_MEMORY); 96 } 97 98 return (CKR_OK); 99 } 100 101 /* 102 * Create an AES key schedule for the given AES context from the given key. 103 * If the key is not sensitive, cache a copy of the key schedule in the 104 * key object and/or use the cached copy of the key schedule. 105 * 106 * Must be called before the init function for a given mode is called. 107 */ 108 static CK_RV 109 soft_aes_init_key(aes_ctx_t *aes_ctx, soft_object_t *key_p) 110 { 111 void *ks = NULL; 112 size_t size = 0; 113 CK_RV rv = CKR_OK; 114 115 (void) pthread_mutex_lock(&key_p->object_mutex); 116 117 /* 118 * AES keys should be either 128, 192, or 256 bits long. 119 * soft_object_t stores the key size in bytes, so we check those sizes 120 * in bytes. 121 * 122 * While soft_build_secret_key_object() does these same validations for 123 * keys created by the user, it may be possible that a key loaded from 124 * disk could be invalid or corrupt. We err on the side of caution 125 * and check again that it's the correct size before performing any 126 * AES operations. 127 */ 128 switch (OBJ_SEC_VALUE_LEN(key_p)) { 129 case AES_MIN_KEY_BYTES: 130 case AES_MAX_KEY_BYTES: 131 case AES_192_KEY_BYTES: 132 break; 133 default: 134 rv = CKR_KEY_SIZE_RANGE; 135 goto done; 136 } 137 138 ks = aes_alloc_keysched(&size, 0); 139 if (ks == NULL) { 140 rv = CKR_HOST_MEMORY; 141 goto done; 142 } 143 144 /* If this is a sensitive key, always expand the key schedule */ 145 if (key_p->bool_attr_mask & SENSITIVE_BOOL_ON) { 146 /* aes_init_keysched() requires key length in bits. */ 147 #ifdef __sparcv9 148 /* LINTED */ 149 aes_init_keysched(OBJ_SEC_VALUE(key_p), (uint_t) 150 (OBJ_SEC_VALUE_LEN(key_p) * NBBY), ks); 151 #else /* !__sparcv9 */ 152 aes_init_keysched(OBJ_SEC_VALUE(key_p), 153 (OBJ_SEC_VALUE_LEN(key_p) * NBBY), ks); 154 #endif /* __sparcv9 */ 155 156 goto done; 157 } 158 159 /* If a non-sensitive key and doesn't have a key schedule, create it */ 160 if (OBJ_KEY_SCHED(key_p) == NULL) { 161 void *obj_ks = NULL; 162 163 obj_ks = aes_alloc_keysched(&size, 0); 164 if (obj_ks == NULL) { 165 rv = CKR_HOST_MEMORY; 166 goto done; 167 } 168 169 #ifdef __sparcv9 170 /* LINTED */ 171 aes_init_keysched(OBJ_SEC_VALUE(key_p), 172 (uint_t)(OBJ_SEC_VALUE_LEN(key_p) * 8), obj_ks); 173 #else /* !__sparcv9 */ 174 aes_init_keysched(OBJ_SEC_VALUE(key_p), 175 (OBJ_SEC_VALUE_LEN(key_p) * 8), obj_ks); 176 #endif /* __sparcv9 */ 177 178 OBJ_KEY_SCHED_LEN(key_p) = size; 179 OBJ_KEY_SCHED(key_p) = obj_ks; 180 } 181 182 (void) memcpy(ks, OBJ_KEY_SCHED(key_p), OBJ_KEY_SCHED_LEN(key_p)); 183 184 done: 185 (void) pthread_mutex_unlock(&key_p->object_mutex); 186 187 if (rv == CKR_OK) { 188 aes_ctx->ac_keysched = ks; 189 aes_ctx->ac_keysched_len = size; 190 } else { 191 freezero(ks, size); 192 } 193 194 return (rv); 195 } 196 197 /* 198 * Initialize the AES context for the given mode, including allocating and 199 * expanding the key schedule if required. 200 */ 201 static CK_RV 202 soft_aes_init_ctx(aes_ctx_t *aes_ctx, CK_MECHANISM_PTR mech_p, 203 boolean_t encrypt) 204 { 205 int rc = CRYPTO_SUCCESS; 206 207 switch (mech_p->mechanism) { 208 case CKM_AES_ECB: 209 aes_ctx->ac_flags |= ECB_MODE; 210 break; 211 case CKM_AES_CMAC: 212 case CKM_AES_CMAC_GENERAL: 213 rc = cmac_init_ctx((cbc_ctx_t *)aes_ctx, AES_BLOCK_LEN); 214 break; 215 case CKM_AES_CBC: 216 case CKM_AES_CBC_PAD: 217 rc = cbc_init_ctx((cbc_ctx_t *)aes_ctx, mech_p->pParameter, 218 mech_p->ulParameterLen, AES_BLOCK_LEN, aes_copy_block64); 219 break; 220 case CKM_AES_CTR: 221 { 222 /* 223 * soft_aes_check_param() verifies this is !NULL and is the 224 * correct size. 225 */ 226 CK_AES_CTR_PARAMS *pp = (CK_AES_CTR_PARAMS *)mech_p->pParameter; 227 228 rc = ctr_init_ctx((ctr_ctx_t *)aes_ctx, pp->ulCounterBits, 229 pp->cb, aes_copy_block); 230 break; 231 } 232 case CKM_AES_CCM: { 233 CK_CCM_PARAMS *pp = (CK_CCM_PARAMS *)mech_p->pParameter; 234 235 /* 236 * The illumos ccm mode implementation predates the PKCS#11 237 * version that specifies CK_CCM_PARAMS. As a result, the order 238 * and names of the struct members are different, so we must 239 * translate. ccm_init_ctx() does not store a ref ccm_params, 240 * so it is safe to allocate on the stack. 241 */ 242 CK_AES_CCM_PARAMS ccm_params = { 243 .ulMACSize = pp->ulMACLen, 244 .ulNonceSize = pp->ulNonceLen, 245 .ulAuthDataSize = pp->ulAADLen, 246 .ulDataSize = pp->ulDataLen, 247 .nonce = pp->pNonce, 248 .authData = pp->pAAD 249 }; 250 251 rc = ccm_init_ctx((ccm_ctx_t *)aes_ctx, (char *)&ccm_params, 0, 252 encrypt, AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block); 253 break; 254 } 255 case CKM_AES_GCM: 256 /* 257 * Similar to the ccm mode implementation, the gcm mode also 258 * predates PKCS#11 2.40, however in this instance 259 * CK_AES_GCM_PARAMS and CK_GCM_PARAMS are identical except 260 * for the member names, so we can just pass it along. 261 */ 262 rc = gcm_init_ctx((gcm_ctx_t *)aes_ctx, mech_p->pParameter, 263 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block, 264 aes_xor_block); 265 break; 266 } 267 268 return (crypto2pkcs11_error_number(rc)); 269 } 270 271 /* 272 * Allocate context for the active encryption or decryption operation, and 273 * generate AES key schedule to speed up the operation. 274 */ 275 CK_RV 276 soft_aes_crypt_init_common(soft_session_t *session_p, 277 CK_MECHANISM_PTR pMechanism, soft_object_t *key_p, 278 boolean_t encrypt) 279 { 280 aes_ctx_t *aes_ctx = NULL; 281 CK_RV rv = CKR_OK; 282 283 if (key_p->key_type != CKK_AES) 284 return (CKR_KEY_TYPE_INCONSISTENT); 285 286 /* C_{Encrypt,Decrypt}Init() validate pMechanism != NULL */ 287 rv = soft_aes_check_mech_param(pMechanism, &aes_ctx); 288 if (rv != CKR_OK) { 289 goto done; 290 } 291 292 rv = soft_aes_init_key(aes_ctx, key_p); 293 if (rv != CKR_OK) { 294 goto done; 295 } 296 297 rv = soft_aes_init_ctx(aes_ctx, pMechanism, encrypt); 298 if (rv != CKR_OK) { 299 goto done; 300 } 301 302 (void) pthread_mutex_lock(&session_p->session_mutex); 303 if (encrypt) { 304 /* Called by C_EncryptInit. */ 305 session_p->encrypt.context = aes_ctx; 306 session_p->encrypt.mech.mechanism = pMechanism->mechanism; 307 } else { 308 /* Called by C_DecryptInit. */ 309 session_p->decrypt.context = aes_ctx; 310 session_p->decrypt.mech.mechanism = pMechanism->mechanism; 311 } 312 (void) pthread_mutex_unlock(&session_p->session_mutex); 313 314 done: 315 if (rv != CKR_OK) { 316 soft_aes_free_ctx(aes_ctx); 317 } 318 319 return (rv); 320 } 321 322 323 CK_RV 324 soft_aes_encrypt(soft_session_t *session_p, CK_BYTE_PTR pData, 325 CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData, 326 CK_ULONG_PTR pulEncryptedDataLen) 327 { 328 aes_ctx_t *aes_ctx = session_p->encrypt.context; 329 CK_MECHANISM_TYPE mech = session_p->encrypt.mech.mechanism; 330 size_t length_needed; 331 size_t remainder; 332 int rc = CRYPTO_SUCCESS; 333 CK_RV rv = CKR_OK; 334 crypto_data_t out = { 335 .cd_format = CRYPTO_DATA_RAW, 336 .cd_offset = 0, 337 .cd_length = *pulEncryptedDataLen, 338 .cd_raw.iov_base = (char *)pEncryptedData, 339 .cd_raw.iov_len = *pulEncryptedDataLen 340 }; 341 342 /* 343 * A bit unusual, but it's permissible for ccm and gcm modes to not 344 * encrypt any data. This ends up being equivalent to CKM_AES_CMAC 345 * or CKM_AES_GMAC of the additional authenticated data (AAD). 346 */ 347 if ((pData == NULL || ulDataLen == 0) && 348 !(aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|CMAC_MODE))) { 349 return (CKR_ARGUMENTS_BAD); 350 } 351 352 remainder = ulDataLen % AES_BLOCK_LEN; 353 354 /* 355 * CTR, CCM, CMAC, and GCM modes do not require the plaintext 356 * to be a multiple of the AES block size. CKM_AES_CBC_PAD as the 357 * name suggests pads it's output, so it can also accept any 358 * size plaintext. 359 */ 360 switch (mech) { 361 case CKM_AES_CBC_PAD: 362 case CKM_AES_CMAC: 363 case CKM_AES_CMAC_GENERAL: 364 case CKM_AES_CTR: 365 case CKM_AES_CCM: 366 case CKM_AES_GCM: 367 break; 368 default: 369 if (remainder != 0) { 370 rv = CKR_DATA_LEN_RANGE; 371 goto cleanup; 372 } 373 } 374 375 switch (mech) { 376 case CKM_AES_CCM: 377 length_needed = ulDataLen + aes_ctx->ac_mac_len; 378 break; 379 case CKM_AES_GCM: 380 length_needed = ulDataLen + aes_ctx->ac_tag_len; 381 break; 382 case CKM_AES_CMAC: 383 case CKM_AES_CMAC_GENERAL: 384 length_needed = AES_BLOCK_LEN; 385 break; 386 case CKM_AES_CBC_PAD: 387 /* CKM_AES_CBC_PAD always adds 1..AES_BLOCK_LEN of padding */ 388 length_needed = ulDataLen + AES_BLOCK_LEN - remainder; 389 break; 390 default: 391 length_needed = ulDataLen; 392 break; 393 } 394 395 if (pEncryptedData == NULL) { 396 /* 397 * The application can ask for the size of the output buffer 398 * with a NULL output buffer (pEncryptedData). 399 * C_Encrypt() guarantees pulEncryptedDataLen != NULL. 400 */ 401 *pulEncryptedDataLen = length_needed; 402 return (CKR_OK); 403 } 404 405 if (*pulEncryptedDataLen < length_needed) { 406 *pulEncryptedDataLen = length_needed; 407 return (CKR_BUFFER_TOO_SMALL); 408 } 409 410 if (ulDataLen > 0) { 411 rv = soft_aes_encrypt_update(session_p, pData, ulDataLen, 412 pEncryptedData, pulEncryptedDataLen); 413 414 if (rv != CKR_OK) { 415 rv = CKR_FUNCTION_FAILED; 416 goto cleanup; 417 } 418 419 /* 420 * Some modes (e.g. CCM and GCM) will append data such as a MAC 421 * to the ciphertext after the plaintext has been encrypted. 422 * Update out to reflect the amount of data in pEncryptedData 423 * after encryption. 424 */ 425 out.cd_offset = *pulEncryptedDataLen; 426 } 427 428 switch (mech) { 429 case CKM_AES_CBC_PAD: { 430 /* 431 * aes_encrypt_contiguous_blocks() accumulates plaintext 432 * in aes_ctx until it has at least one full block of 433 * plaintext. Any partial blocks of data remaining after 434 * encrypting are left for subsequent calls to 435 * aes_encrypt_contiguous_blocks(). If the input happened 436 * to be an exact multiple of AES_BLOCK_LEN, we must still 437 * append a block of padding (a full block in that case) so 438 * that the correct amount of padding to remove is known 439 * during decryption. 440 * 441 * soft_add_pkcs7_padding() is a bit overkill -- we just 442 * create a block filled with the pad amount using memset(), 443 * and encrypt 'amt' bytes of the block to pad out the input. 444 */ 445 char block[AES_BLOCK_LEN]; 446 size_t amt = AES_BLOCK_LEN - remainder; 447 448 VERIFY3U(remainder, ==, aes_ctx->ac_remainder_len); 449 450 (void) memset(block, amt & 0xff, sizeof (block)); 451 rc = aes_encrypt_contiguous_blocks(aes_ctx, block, amt, &out); 452 rv = crypto2pkcs11_error_number(rc); 453 explicit_bzero(block, sizeof (block)); 454 break; 455 } 456 case CKM_AES_CCM: 457 rc = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, &out, 458 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block); 459 rv = crypto2pkcs11_error_number(rc); 460 break; 461 case CKM_AES_GCM: 462 rc = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, &out, 463 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block, 464 aes_xor_block); 465 rv = crypto2pkcs11_error_number(rc); 466 break; 467 case CKM_AES_CMAC: 468 case CKM_AES_CMAC_GENERAL: 469 rc = cmac_mode_final((cbc_ctx_t *)aes_ctx, &out, 470 aes_encrypt_block, aes_xor_block); 471 rv = crypto2pkcs11_error_number(rc); 472 aes_ctx->ac_remainder_len = 0; 473 break; 474 case CKM_AES_CTR: 475 /* 476 * As CKM_AES_CTR is a stream cipher, ctr_mode_final is always 477 * invoked in the xx_update() functions, so we do not need to 478 * call it again here. 479 */ 480 break; 481 case CKM_AES_ECB: 482 case CKM_AES_CBC: 483 /* 484 * These mechanisms do not have nor require a xx_final function. 485 */ 486 break; 487 default: 488 rv = CKR_MECHANISM_INVALID; 489 break; 490 } 491 492 cleanup: 493 switch (rv) { 494 case CKR_OK: 495 *pulEncryptedDataLen = out.cd_offset; 496 break; 497 case CKR_BUFFER_TOO_SMALL: 498 /* *pulEncryptedDataLen was set earlier */ 499 break; 500 default: 501 /* something else failed */ 502 *pulEncryptedDataLen = 0; 503 break; 504 } 505 506 (void) pthread_mutex_lock(&session_p->session_mutex); 507 soft_aes_free_ctx(aes_ctx); 508 session_p->encrypt.context = NULL; 509 (void) pthread_mutex_unlock(&session_p->session_mutex); 510 511 return (rv); 512 } 513 514 static CK_RV 515 soft_aes_cbc_pad_decrypt(aes_ctx_t *aes_ctx, CK_BYTE_PTR pEncryptedData, 516 CK_ULONG ulEncryptedDataLen, crypto_data_t *out_orig) 517 { 518 aes_ctx_t *ctx = aes_ctx; 519 uint8_t *buf = NULL; 520 uint8_t *outbuf = (uint8_t *)out_orig->cd_raw.iov_base; 521 crypto_data_t out = *out_orig; 522 size_t i; 523 int rc; 524 CK_RV rv = CKR_OK; 525 uint8_t pad_len; 526 boolean_t speculate = B_FALSE; 527 528 /* 529 * Just a query for the output size. When the output buffer is 530 * NULL, we are allowed to return a size slightly larger than 531 * necessary. We know the output will never be larger than the 532 * input ciphertext, so we use that as an estimate. 533 */ 534 if (out_orig->cd_raw.iov_base == NULL) { 535 out_orig->cd_length = ulEncryptedDataLen; 536 return (CKR_OK); 537 } 538 539 /* 540 * The output plaintext size will be 1..AES_BLOCK_LEN bytes 541 * smaller than the input ciphertext. However we cannot know 542 * exactly how much smaller until we decrypt the entire 543 * input ciphertext. If we are unsure we have enough output buffer 544 * space, we have to allocate our own memory to hold the output, 545 * then see if we have enough room to hold the result. 546 * 547 * Unfortunately, having an output buffer that's too small does 548 * not terminate the operation, nor are we allowed to return 549 * partial results. Therefore we must also duplicate the initial 550 * aes_ctx so that this can potentially be run again. 551 */ 552 if (out_orig->cd_length < ulEncryptedDataLen) { 553 void *ks = malloc(aes_ctx->ac_keysched_len); 554 555 ctx = malloc(sizeof (*aes_ctx)); 556 buf = malloc(ulEncryptedDataLen); 557 if (ks == NULL || ctx == NULL || buf == NULL) { 558 free(ks); 559 free(ctx); 560 free(buf); 561 return (CKR_HOST_MEMORY); 562 } 563 564 bcopy(aes_ctx, ctx, sizeof (*ctx)); 565 bcopy(aes_ctx->ac_keysched, ks, aes_ctx->ac_keysched_len); 566 ctx->ac_keysched = ks; 567 568 out.cd_length = ulEncryptedDataLen; 569 out.cd_raw.iov_base = (char *)buf; 570 out.cd_raw.iov_len = ulEncryptedDataLen; 571 outbuf = buf; 572 573 speculate = B_TRUE; 574 } 575 576 rc = aes_decrypt_contiguous_blocks(ctx, (char *)pEncryptedData, 577 ulEncryptedDataLen, &out); 578 if (rc != CRYPTO_SUCCESS) { 579 out_orig->cd_offset = 0; 580 rv = CKR_FUNCTION_FAILED; 581 goto done; 582 } 583 584 /* 585 * RFC5652 6.3 The amount of padding must be 586 * block_sz - (len mod block_size). This means 587 * the amount of padding must always be in the 588 * range [1..block_size]. 589 */ 590 pad_len = outbuf[ulEncryptedDataLen - 1]; 591 if (pad_len == 0 || pad_len > AES_BLOCK_LEN) { 592 rv = CKR_ENCRYPTED_DATA_INVALID; 593 goto done; 594 } 595 out.cd_offset -= pad_len; 596 597 /* 598 * Verify pad values, trying to do so in as close to constant 599 * time as possible. 600 */ 601 for (i = ulEncryptedDataLen - pad_len; i < ulEncryptedDataLen; i++) { 602 if (outbuf[i] != pad_len) { 603 rv = CKR_ENCRYPTED_DATA_INVALID; 604 } 605 } 606 if (rv != CKR_OK) { 607 goto done; 608 } 609 610 if (speculate) { 611 if (out.cd_offset <= out_orig->cd_length) { 612 bcopy(out.cd_raw.iov_base, out_orig->cd_raw.iov_base, 613 out.cd_offset); 614 } else { 615 rv = CKR_BUFFER_TOO_SMALL; 616 } 617 } 618 619 /* 620 * No matter what, we report the exact size required. 621 */ 622 out_orig->cd_offset = out.cd_offset; 623 624 done: 625 freezero(buf, ulEncryptedDataLen); 626 if (ctx != aes_ctx) { 627 VERIFY(speculate); 628 soft_aes_free_ctx(ctx); 629 } 630 631 return (rv); 632 } 633 634 CK_RV 635 soft_aes_decrypt(soft_session_t *session_p, CK_BYTE_PTR pEncryptedData, 636 CK_ULONG ulEncryptedDataLen, CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen) 637 { 638 aes_ctx_t *aes_ctx = session_p->decrypt.context; 639 CK_MECHANISM_TYPE mech = session_p->decrypt.mech.mechanism; 640 size_t length_needed; 641 size_t remainder; 642 int rc = CRYPTO_SUCCESS; 643 CK_RV rv = CKR_OK; 644 crypto_data_t out = { 645 .cd_format = CRYPTO_DATA_RAW, 646 .cd_offset = 0, 647 .cd_length = *pulDataLen, 648 .cd_raw.iov_base = (char *)pData, 649 .cd_raw.iov_len = *pulDataLen 650 }; 651 652 /* 653 * A bit unusual, but it's permissible for ccm and gcm modes to not 654 * decrypt any data. This ends up being equivalent to CKM_AES_CMAC 655 * or CKM_AES_GMAC of the additional authenticated data (AAD). 656 */ 657 if ((pEncryptedData == NULL || ulEncryptedDataLen == 0) && 658 !(aes_ctx->ac_flags & (CCM_MODE|GCM_MODE))) { 659 return (CKR_ARGUMENTS_BAD); 660 } 661 662 remainder = ulEncryptedDataLen % AES_BLOCK_LEN; 663 664 /* 665 * CTR, CCM, CMAC, and GCM modes do not require the ciphertext 666 * to be a multiple of the AES block size. Note that while 667 * CKM_AES_CBC_PAD accepts an arbitrary sized plaintext, the 668 * ciphertext is always a multiple of the AES block size 669 */ 670 switch (mech) { 671 case CKM_AES_CMAC: 672 case CKM_AES_CMAC_GENERAL: 673 case CKM_AES_CTR: 674 case CKM_AES_CCM: 675 case CKM_AES_GCM: 676 break; 677 default: 678 if (remainder != 0) { 679 rv = CKR_DATA_LEN_RANGE; 680 goto cleanup; 681 } 682 } 683 684 if (mech == CKM_AES_CBC_PAD) { 685 rv = soft_aes_cbc_pad_decrypt(aes_ctx, pEncryptedData, 686 ulEncryptedDataLen, &out); 687 if (pData == NULL || rv == CKR_BUFFER_TOO_SMALL) { 688 *pulDataLen = out.cd_offset; 689 return (rv); 690 } 691 goto cleanup; 692 } 693 694 switch (aes_ctx->ac_flags & (CCM_MODE|GCM_MODE)) { 695 case CCM_MODE: 696 length_needed = aes_ctx->ac_processed_data_len; 697 break; 698 case GCM_MODE: 699 length_needed = ulEncryptedDataLen - aes_ctx->ac_tag_len; 700 break; 701 default: 702 /* 703 * Note: for CKM_AES_CBC_PAD, we cannot know exactly how much 704 * space is needed for the plaintext until after we decrypt it. 705 * However, it is permissible to return a value 'somewhat' 706 * larger than necessary (PKCS#11 Base Specification, sec 5.2). 707 * 708 * Since CKM_AES_CBC_PAD adds at most AES_BLOCK_LEN bytes to 709 * the plaintext, we report the ciphertext length as the 710 * required plaintext length. This means we specify at most 711 * AES_BLOCK_LEN additional bytes of memory for the plaintext. 712 * 713 * This behavior is slightly different from the earlier 714 * version of this code which returned the value of 715 * (ulEncryptedDataLen - AES_BLOCK_LEN), which was only ever 716 * correct when the original plaintext was already a multiple 717 * of AES_BLOCK_LEN (i.e. when AES_BLOCK_LEN of padding was 718 * added). This should not be a concern for existing 719 * consumers -- if they were previously using the value of 720 * *pulDataLen to size the outbut buffer, the resulting 721 * plaintext would be truncated anytime the original plaintext 722 * wasn't a multiple of AES_BLOCK_LEN. No consumer should 723 * be relying on such wrong behavior. More likely they are 724 * using the size of the ciphertext or larger for the 725 * buffer to hold the decrypted plaintext (which is always 726 * acceptable). 727 */ 728 length_needed = ulEncryptedDataLen; 729 } 730 731 if (pData == NULL) { 732 /* 733 * The application can ask for the size of the output buffer 734 * with a NULL output buffer (pData). 735 * C_Decrypt() guarantees pulDataLen != NULL. 736 */ 737 *pulDataLen = length_needed; 738 return (CKR_OK); 739 } 740 741 if (*pulDataLen < length_needed) { 742 *pulDataLen = length_needed; 743 return (CKR_BUFFER_TOO_SMALL); 744 } 745 746 if (ulEncryptedDataLen > 0) { 747 rv = soft_aes_decrypt_update(session_p, pEncryptedData, 748 ulEncryptedDataLen, pData, pulDataLen); 749 } 750 751 if (rv != CKR_OK) { 752 rv = CKR_FUNCTION_FAILED; 753 goto cleanup; 754 } 755 756 /* 757 * Some modes (e.g. CCM and GCM) will output additional data 758 * after the plaintext (such as the MAC). Update out to 759 * reflect the amount of data in pData for the _final() functions. 760 */ 761 out.cd_offset = *pulDataLen; 762 763 /* 764 * As CKM_AES_CTR is a stream cipher, ctr_mode_final is always 765 * invoked in the _update() functions, so we do not need to call it 766 * here. 767 */ 768 if (aes_ctx->ac_flags & CCM_MODE) { 769 ASSERT3U(aes_ctx->ac_processed_data_len, ==, 770 aes_ctx->ac_data_len); 771 ASSERT3U(aes_ctx->ac_processed_mac_len, ==, 772 aes_ctx->ac_mac_len); 773 774 rc = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, &out, 775 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block, 776 aes_xor_block); 777 rv = crypto2pkcs11_error_number(rc); 778 } else if (aes_ctx->ac_flags & GCM_MODE) { 779 rc = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, &out, 780 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block); 781 rv = crypto2pkcs11_error_number(rc); 782 } 783 784 cleanup: 785 if (rv == CKR_OK) { 786 *pulDataLen = out.cd_offset; 787 } else { 788 *pulDataLen = 0; 789 } 790 791 (void) pthread_mutex_lock(&session_p->session_mutex); 792 soft_aes_free_ctx(aes_ctx); 793 session_p->decrypt.context = NULL; 794 (void) pthread_mutex_unlock(&session_p->session_mutex); 795 796 return (rv); 797 } 798 799 CK_RV 800 soft_aes_encrypt_update(soft_session_t *session_p, CK_BYTE_PTR pData, 801 CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData, 802 CK_ULONG_PTR pulEncryptedDataLen) 803 { 804 aes_ctx_t *aes_ctx = session_p->encrypt.context; 805 crypto_data_t out = { 806 .cd_format = CRYPTO_DATA_RAW, 807 .cd_offset = 0, 808 .cd_length = *pulEncryptedDataLen, 809 .cd_raw.iov_base = (char *)pEncryptedData, 810 .cd_raw.iov_len = *pulEncryptedDataLen 811 }; 812 CK_MECHANISM_TYPE mech = session_p->encrypt.mech.mechanism; 813 CK_RV rv = CKR_OK; 814 size_t out_len = aes_ctx->ac_remainder_len + ulDataLen; 815 int rc; 816 817 /* Check size of the output buffer */ 818 if (aes_ctx->ac_flags & CMAC_MODE) { 819 /* 820 * The underlying CMAC implementation handles the storing of 821 * extra bytes and does not output any data until *_final, 822 * so do not bother looking at the size of the output 823 * buffer at this time. 824 */ 825 if (pData == NULL) { 826 *pulEncryptedDataLen = 0; 827 return (CKR_OK); 828 } 829 } else { 830 /* 831 * The number of complete blocks we can encrypt right now. 832 * The underlying implementation will buffer any remaining data 833 * until the next *_update call. 834 */ 835 out_len &= ~(AES_BLOCK_LEN - 1); 836 837 if (pEncryptedData == NULL) { 838 *pulEncryptedDataLen = out_len; 839 return (CKR_OK); 840 } 841 842 if (*pulEncryptedDataLen < out_len) { 843 *pulEncryptedDataLen = out_len; 844 return (CKR_BUFFER_TOO_SMALL); 845 } 846 } 847 848 rc = aes_encrypt_contiguous_blocks(aes_ctx, (char *)pData, ulDataLen, 849 &out); 850 851 /* 852 * Since out.cd_offset is set to 0 initially and the underlying 853 * implementation increments out.cd_offset by the amount of output 854 * written, so we can just use the value as the amount written. 855 */ 856 *pulEncryptedDataLen = out.cd_offset; 857 858 if (rc != CRYPTO_SUCCESS) { 859 return (CKR_FUNCTION_FAILED); 860 } 861 862 /* 863 * Since AES counter mode is a stream cipher, we call ctr_mode_final() 864 * to pick up any remaining bytes. It is an internal function that 865 * does not destroy the context like *normal* final routines. 866 */ 867 if ((aes_ctx->ac_flags & CTR_MODE) && (aes_ctx->ac_remainder_len > 0)) { 868 rc = ctr_mode_final((ctr_ctx_t *)aes_ctx, &out, 869 aes_encrypt_block); 870 } 871 rv = crypto2pkcs11_error_number(rc); 872 873 return (rv); 874 } 875 876 CK_RV 877 soft_aes_decrypt_update(soft_session_t *session_p, CK_BYTE_PTR pEncryptedData, 878 CK_ULONG ulEncryptedDataLen, CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen) 879 { 880 aes_ctx_t *aes_ctx = session_p->decrypt.context; 881 uint8_t *buffer_block = NULL; 882 crypto_data_t out = { 883 .cd_format = CRYPTO_DATA_RAW, 884 .cd_offset = 0, 885 .cd_length = *pulDataLen, 886 .cd_raw.iov_base = (char *)pData, 887 .cd_raw.iov_len = *pulDataLen 888 }; 889 CK_MECHANISM_TYPE mech = session_p->decrypt.mech.mechanism; 890 CK_RV rv = CKR_OK; 891 size_t in_len = ulEncryptedDataLen; 892 size_t out_len; 893 int rc = CRYPTO_SUCCESS; 894 895 switch (mech) { 896 case CKM_AES_CCM: 897 case CKM_AES_GCM: 898 out_len = 0; 899 break; 900 case CKM_AES_CBC_PAD: 901 /* 902 * For CKM_AES_CBC_PAD, we use the existing code for CBC 903 * mode in libsoftcrypto (which itself uses the code in 904 * usr/src/common/crypto/modes for CBC mode). For 905 * non-padding AES CBC mode, aes_decrypt_contiguous_blocks() 906 * will accumulate ciphertext in aes_ctx->ac_remainder until 907 * there is at least AES_BLOCK_LEN bytes of ciphertext available 908 * to decrypt. At that point, as many blocks of AES_BLOCK_LEN 909 * sized ciphertext blocks are decrypted. Any remainder is 910 * copied into aes_ctx->ac_remainder for decryption in 911 * subsequent calls to aes_decrypt_contiguous_blocks(). 912 * 913 * When PKCS#7 padding is used, the buffering 914 * aes_decrypt_contigous_blocks() performs is insufficient. 915 * PKCS#7 padding always adds [1..AES_BLOCK_LEN] bytes of 916 * padding to plaintext, so the resulting ciphertext is always 917 * larger than the input plaintext. However we cannot know 918 * which block is the final block (and needs its padding 919 * stripped) until C_DecryptFinal() is called. Additionally, 920 * it is permissible for a caller to use buffers sized to the 921 * output plaintext -- i.e. smaller than the input ciphertext. 922 * This leads to a more complicated buffering/accumulation 923 * strategy than what aes_decrypt_contiguous_blocks() provides 924 * us. 925 * 926 * Our buffering strategy works as follows: 927 * For each call to C_DecryptUpdate, we calculate the 928 * total amount of ciphertext available (buffered plus what's 929 * passed in) as the initial output size (out_len). Based 930 * on the value of out_len, there are three possibilties: 931 * 932 * 1. We have less than AES_BLOCK_LEN + 1 bytes of 933 * ciphertext available. Accumulate the ciphertext in 934 * aes_ctx->ac_remainder. Note that while we could let 935 * aes_decrypt_contiguous_blocks() buffer the input for us 936 * when we have less than AES_BLOCK_LEN bytes, we would still 937 * need to buffer when we have exactly AES_BLOCK_LEN 938 * bytes available, so we just handle both situations with 939 * one if clause. 940 * 941 * 2. We have at least AES_BLOCK_LEN + 1 bytes of 942 * ciphertext, and the total amount available is also an 943 * exact multiple of AES_BLOCK_LEN. We cannot know if the 944 * last block of input is the final block (yet), but we 945 * are an exact multiple of AES_BLOCK_LEN, and we have 946 * at least AES_BLOCK_LEN + 1 bytes available, therefore 947 * there must be at least 2 * AES_BLOCK_LEN bytes of input 948 * ciphertext available. It also means there's at least one 949 * full block of input ciphertext that can be decrypted. We 950 * reduce the size of the input (in_len) given to 951 * aes_decrypt_contiguous_bytes() by AES_BLOCK_LEN to prevent 952 * it from decrypting the last full block of data. 953 * aes_decrypt_contiguous_blocks() will when decrypt any 954 * buffered data in aex_ctx->ac_remainder, and then any 955 * input data passed. Since we have an exact multiple of 956 * AES_BLOCK_LEN, aes_ctx->ac_remainder will be empty 957 * (aes_ctx->ac_remainder_len == 0), once 958 * aes_decrypt_contiguout_block() completes, and we can 959 * copy the last block of data into aes_ctx->ac_remainder. 960 * 961 * 3. We have at least AES_BLOCK_LEN + 1 bytes of 962 * ciphertext, but the total amount available is not an 963 * exact multiple of AES_BLOCK_LEN. We decrypt all of 964 * full blocks of data we have. The remainder will be 965 * less than AES_BLOCK_LEN bytes. We let 966 * aes_decrypt_contiguous_blocks() buffer the remainder 967 * for us since it would normally do this anyway. Since there 968 * is a remainder, the full blocks that are present cannot 969 * be the last block, so we can safey decrypt all of them. 970 * 971 * Some things to note: 972 * - The above semantics will cause aes_ctx->ac_remainder to 973 * never accumulate more than AES_BLOCK_LEN bytes of 974 * ciphertext. Once we reach at least AES_BLOCK_LEN + 1 bytes, 975 * we will decrypt the contents of aes_ctx->ac_remainder by one 976 * of the last two scenarios described above. 977 * 978 * - We must always end up with AES_BLOCK_LEN bytes of data 979 * in aes_ctx->ac_remainder when C_DecryptFinal() is called. 980 * The first and third scenarios above may leave 981 * aes_ctx->ac_remainder with less than AES_BLOCK_LEN bytes, 982 * however the total size of the input ciphertext that's 983 * been decrypted must end up a multiple of AES_BLOCK_LEN. 984 * Therefore, we can always assume when there is a 985 * remainder that more data is coming. If we do end up 986 * with a remainder that's not AES_BLOCK_LEN bytes long 987 * when C_DecryptFinal() is called, the input is assumed 988 * invalid and we return CKR_DATA_LEN_RANGE (see 989 * soft_aes_decrypt_final()). 990 */ 991 992 VERIFY3U(aes_ctx->ac_remainder_len, <=, AES_BLOCK_LEN); 993 if (in_len >= SIZE_MAX - AES_BLOCK_LEN) 994 return (CKR_ENCRYPTED_DATA_LEN_RANGE); 995 996 out_len = aes_ctx->ac_remainder_len + in_len; 997 998 if (out_len <= AES_BLOCK_LEN) { 999 /* 1000 * The first scenario detailed above, accumulate 1001 * ciphertext in ac_remainder_len and return. 1002 */ 1003 uint8_t *dest = (uint8_t *)aes_ctx->ac_remainder + 1004 aes_ctx->ac_remainder_len; 1005 1006 bcopy(pEncryptedData, dest, in_len); 1007 aes_ctx->ac_remainder_len += in_len; 1008 *pulDataLen = 0; 1009 1010 /* 1011 * Since we aren't writing an output, and are returning 1012 * here, we don't need to adjust out_len -- we never 1013 * reach the output buffer size checks after the 1014 * switch statement. 1015 */ 1016 return (CKR_OK); 1017 } else if (out_len % AES_BLOCK_LEN == 0) { 1018 /* 1019 * The second scenario decribed above. The total amount 1020 * available is a multiple of AES_BLOCK_LEN, and 1021 * we have more than one block. We reduce the 1022 * input size (in_len) by AES_BLOCK_LEN. We also 1023 * reduce the output size (out_len) by AES_BLOCK_LEN 1024 * for the output buffer size checks that follow 1025 * the switch statement. In certain situations, 1026 * PKCS#11 requires this to be an exact value, so 1027 * the size check cannot occur for CKM_AES_CBC_PAD 1028 * until after we've determine which scenario we 1029 * have. 1030 * 1031 * Because we never accumulate more than AES_BLOCK_LEN 1032 * bytes in aes_ctx->ac_remainder, when we are in 1033 * this scenario, the following VERIFYs should always 1034 * be true (and serve as a final safeguard against 1035 * underflow). 1036 */ 1037 VERIFY3U(in_len, >=, AES_BLOCK_LEN); 1038 1039 buffer_block = pEncryptedData + in_len - AES_BLOCK_LEN; 1040 1041 in_len -= AES_BLOCK_LEN; 1042 1043 /* 1044 * This else clause explicity checks 1045 * out_len > AES_BLOCK_LEN, so this is also safe. 1046 */ 1047 out_len -= AES_BLOCK_LEN; 1048 } else { 1049 /* 1050 * The third scenario above. We have at least 1051 * AES_BLOCK_LEN + 1 bytes, but the total amount of 1052 * input ciphertext available is not an exact 1053 * multiple of AES_BLOCK_LEN. Let 1054 * aes_decrypt_contiguous_blocks() handle the 1055 * buffering of the remainder. Update the 1056 * output size to reflect the actual amount of output 1057 * we want to emit for the checks after the switch 1058 * statement. 1059 */ 1060 out_len &= ~(AES_BLOCK_LEN - 1); 1061 } 1062 break; 1063 default: 1064 out_len = aes_ctx->ac_remainder_len + in_len; 1065 out_len &= ~(AES_BLOCK_LEN - 1); 1066 break; 1067 } 1068 1069 /* 1070 * C_DecryptUpdate() verifies that pulDataLen is not NULL prior 1071 * to calling soft_decrypt_common() (which calls us). 1072 */ 1073 1074 if (pData == NULL) { 1075 /* 1076 * If the output buffer (pData) is NULL, that means the 1077 * caller is inquiring about the size buffer needed to 1078 * complete the C_DecryptUpdate() request. While we are 1079 * permitted to set *pulDataLen to an estimated value that can 1080 * be 'slightly' larger than the actual value required, 1081 * since we know the exact size we need, we stick with the 1082 * exact size. 1083 */ 1084 *pulDataLen = out_len; 1085 return (CKR_OK); 1086 } 1087 1088 if (*pulDataLen < out_len) { 1089 /* 1090 * Not an inquiry, but the output buffer isn't large enough. 1091 * PKCS#11 requires that this scenario not fail fatally (as 1092 * well as return a different error value). This situation 1093 * also requires us to set *pulDataLen to the _exact_ size 1094 * required. 1095 */ 1096 *pulDataLen = out_len; 1097 return (CKR_BUFFER_TOO_SMALL); 1098 } 1099 1100 rc = aes_decrypt_contiguous_blocks(aes_ctx, (char *)pEncryptedData, 1101 in_len, &out); 1102 1103 if (rc != CRYPTO_SUCCESS) { 1104 rv = CKR_FUNCTION_FAILED; 1105 goto done; 1106 } 1107 1108 *pulDataLen = out.cd_offset; 1109 1110 switch (mech) { 1111 case CKM_AES_CTR: 1112 if (aes_ctx->ac_remainder_len == 0) { 1113 break; 1114 } 1115 rc = ctr_mode_final((ctr_ctx_t *)aes_ctx, &out, 1116 aes_encrypt_block); 1117 rv = crypto2pkcs11_error_number(rc); 1118 break; 1119 case CKM_AES_CBC_PAD: 1120 if (buffer_block == NULL) { 1121 break; 1122 } 1123 1124 VERIFY0(aes_ctx->ac_remainder_len); 1125 1126 /* 1127 * We had multiple blocks of data to decrypt with nothing 1128 * left over and deferred decrypting the last block of data. 1129 * Copy it into aes_ctx->ac_remainder to decrypt on the 1130 * next update call (or final). 1131 */ 1132 bcopy(buffer_block, aes_ctx->ac_remainder, AES_BLOCK_LEN); 1133 aes_ctx->ac_remainder_len = AES_BLOCK_LEN; 1134 break; 1135 } 1136 1137 done: 1138 return (rv); 1139 } 1140 1141 CK_RV 1142 soft_aes_encrypt_final(soft_session_t *session_p, 1143 CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pulLastEncryptedPartLen) 1144 { 1145 aes_ctx_t *aes_ctx = session_p->encrypt.context; 1146 crypto_data_t data = { 1147 .cd_format = CRYPTO_DATA_RAW, 1148 .cd_offset = 0, 1149 .cd_length = *pulLastEncryptedPartLen, 1150 .cd_raw.iov_base = (char *)pLastEncryptedPart, 1151 .cd_raw.iov_len = *pulLastEncryptedPartLen 1152 }; 1153 CK_MECHANISM_TYPE mech = session_p->encrypt.mech.mechanism; 1154 CK_RV rv = CKR_OK; 1155 size_t out_len; 1156 int rc = CRYPTO_SUCCESS; 1157 1158 switch (mech) { 1159 case CKM_AES_CBC_PAD: 1160 /* 1161 * We always add 1..AES_BLOCK_LEN of padding to the input 1162 * plaintext to round up to a multiple of AES_BLOCK_LEN. 1163 * During encryption, we never output a partially encrypted 1164 * block (that is the amount encrypted by each call of 1165 * C_EncryptUpdate() is always either 0 or n * AES_BLOCK_LEN). 1166 * As a result, at the end of the encryption operation, we 1167 * output AES_BLOCK_LEN bytes of data -- this could be a full 1168 * block of padding, or a combination of data + padding. 1169 */ 1170 out_len = AES_BLOCK_LEN; 1171 break; 1172 case CKM_AES_CTR: 1173 out_len = aes_ctx->ac_remainder_len; 1174 break; 1175 case CKM_AES_CCM: 1176 out_len = aes_ctx->ac_remainder_len + 1177 aes_ctx->acu.acu_ccm.ccm_mac_len; 1178 break; 1179 case CKM_AES_GCM: 1180 out_len = aes_ctx->ac_remainder_len + 1181 aes_ctx->acu.acu_gcm.gcm_tag_len; 1182 break; 1183 case CKM_AES_CMAC: 1184 case CKM_AES_CMAC_GENERAL: 1185 out_len = AES_BLOCK_LEN; 1186 break; 1187 default: 1188 /* 1189 * Everything other AES mechansism requires full blocks of 1190 * input. If the input was not an exact multiple of 1191 * AES_BLOCK_LEN, it is a fatal error. 1192 */ 1193 if (aes_ctx->ac_remainder_len > 0) { 1194 rv = CKR_DATA_LEN_RANGE; 1195 goto done; 1196 } 1197 out_len = 0; 1198 } 1199 1200 if (*pulLastEncryptedPartLen < out_len || pLastEncryptedPart == NULL) { 1201 *pulLastEncryptedPartLen = out_len; 1202 return ((pLastEncryptedPart == NULL) ? 1203 CKR_OK : CKR_BUFFER_TOO_SMALL); 1204 } 1205 1206 switch (mech) { 1207 case CKM_AES_CBC_PAD: { 1208 char block[AES_BLOCK_LEN] = { 0 }; 1209 size_t padlen = AES_BLOCK_LEN - aes_ctx->ac_remainder_len; 1210 1211 if (padlen == 0) { 1212 padlen = AES_BLOCK_LEN; 1213 } 1214 1215 (void) memset(block, padlen & 0xff, sizeof (block)); 1216 rc = aes_encrypt_contiguous_blocks(aes_ctx, block, 1217 padlen, &data); 1218 explicit_bzero(block, sizeof (block)); 1219 break; 1220 } 1221 case CKM_AES_CTR: 1222 if (aes_ctx->ac_remainder_len == 0) { 1223 break; 1224 } 1225 1226 rc = ctr_mode_final((ctr_ctx_t *)aes_ctx, &data, 1227 aes_encrypt_block); 1228 break; 1229 case CKM_AES_CCM: 1230 rc = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, &data, 1231 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block); 1232 break; 1233 case CKM_AES_GCM: 1234 rc = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, &data, 1235 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block, 1236 aes_xor_block); 1237 break; 1238 case CKM_AES_CMAC: 1239 case CKM_AES_CMAC_GENERAL: 1240 rc = cmac_mode_final((cbc_ctx_t *)aes_ctx, &data, 1241 aes_encrypt_block, aes_xor_block); 1242 break; 1243 default: 1244 break; 1245 } 1246 rv = crypto2pkcs11_error_number(rc); 1247 1248 done: 1249 if (rv == CKR_OK) { 1250 *pulLastEncryptedPartLen = data.cd_offset; 1251 } 1252 1253 soft_aes_free_ctx(aes_ctx); 1254 session_p->encrypt.context = NULL; 1255 return (rv); 1256 } 1257 1258 CK_RV 1259 soft_aes_decrypt_final(soft_session_t *session_p, CK_BYTE_PTR pLastPart, 1260 CK_ULONG_PTR pulLastPartLen) 1261 { 1262 aes_ctx_t *aes_ctx = session_p->decrypt.context; 1263 CK_MECHANISM_TYPE mech = session_p->decrypt.mech.mechanism; 1264 CK_RV rv = CKR_OK; 1265 int rc = CRYPTO_SUCCESS; 1266 size_t out_len; 1267 crypto_data_t out = { 1268 .cd_format = CRYPTO_DATA_RAW, 1269 .cd_offset = 0, 1270 .cd_length = *pulLastPartLen, 1271 .cd_raw.iov_base = (char *)pLastPart, 1272 .cd_raw.iov_len = *pulLastPartLen 1273 }; 1274 1275 switch (mech) { 1276 case CKM_AES_CBC_PAD: 1277 /* 1278 * PKCS#11 requires that a caller can discover the size of 1279 * the output buffer required by calling 1280 * C_DecryptFinal(hSession, NULL, &len) which sets 1281 * *pulLastPartLen to the size required. However, it also 1282 * allows if one calls C_DecryptFinal with a buffer (i.e. 1283 * pLastPart != NULL) that is too small, to return 1284 * CKR_BUFFER_TOO_SMALL with *pulLastPartLen set to the 1285 * _exact_ size required (when pLastPart is NULL, the 1286 * implementation is allowed to set a 'sightly' larger 1287 * value than is strictly necessary. In either case, the 1288 * caller is allowed to retry the operation (the operation 1289 * is not terminated). 1290 * 1291 * With PKCS#7 padding, we cannot determine the exact size of 1292 * the output until we decrypt the final block. As such, the 1293 * first time for a given decrypt operation we are called, 1294 * we decrypt the final block and stash it in the aes_ctx 1295 * remainder block. On any subsequent calls in the 1296 * current decrypt operation, we then can use the decrypted 1297 * block as necessary to provide the correct semantics. 1298 * 1299 * The cleanup of aes_ctx when the operation terminates 1300 * will take care of clearing out aes_ctx->ac_remainder_len. 1301 */ 1302 if ((aes_ctx->ac_flags & P11_DECRYPTED) == 0) { 1303 uint8_t block[AES_BLOCK_LEN] = { 0 }; 1304 crypto_data_t block_out = { 1305 .cd_format = CRYPTO_DATA_RAW, 1306 .cd_offset = 0, 1307 .cd_length = sizeof (block), 1308 .cd_raw.iov_base = (char *)block, 1309 .cd_raw.iov_len = sizeof (block) 1310 }; 1311 size_t amt, i; 1312 uint8_t pad_len; 1313 1314 if (aes_ctx->ac_remainder_len != AES_BLOCK_LEN) { 1315 return (CKR_DATA_LEN_RANGE); 1316 } 1317 1318 rc = aes_decrypt_contiguous_blocks(aes_ctx, 1319 (char *)block, 0, &block_out); 1320 if (rc != CRYPTO_SUCCESS) { 1321 explicit_bzero(block, sizeof (block)); 1322 return (CKR_FUNCTION_FAILED); 1323 } 1324 1325 pad_len = block[AES_BLOCK_LEN - 1]; 1326 1327 /* 1328 * RFC5652 6.3 The amount of padding must be 1329 * block_sz - (len mod block_size). This means 1330 * the amount of padding must always be in the 1331 * range [1..block_size]. 1332 */ 1333 if (pad_len == 0 || pad_len > AES_BLOCK_LEN) { 1334 rv = CKR_ENCRYPTED_DATA_INVALID; 1335 explicit_bzero(block, sizeof (block)); 1336 goto done; 1337 } 1338 amt = AES_BLOCK_LEN - pad_len; 1339 1340 /* 1341 * Verify the padding is correct. Try to do so 1342 * in as constant a time as possible. 1343 */ 1344 for (i = amt; i < AES_BLOCK_LEN; i++) { 1345 if (block[i] != pad_len) { 1346 rv = CKR_ENCRYPTED_DATA_INVALID; 1347 } 1348 } 1349 if (rv != CKR_OK) { 1350 explicit_bzero(block, sizeof (block)); 1351 goto done; 1352 } 1353 1354 bcopy(block, aes_ctx->ac_remainder, amt); 1355 explicit_bzero(block, sizeof (block)); 1356 1357 aes_ctx->ac_flags |= P11_DECRYPTED; 1358 aes_ctx->ac_remainder_len = amt; 1359 } 1360 1361 out_len = aes_ctx->ac_remainder_len; 1362 break; 1363 case CKM_AES_CTR: 1364 out_len = aes_ctx->ac_remainder_len; 1365 break; 1366 case CKM_AES_CCM: 1367 out_len = aes_ctx->ac_data_len; 1368 break; 1369 case CKM_AES_GCM: 1370 out_len = aes_ctx->acu.acu_gcm.gcm_processed_data_len - 1371 aes_ctx->acu.acu_gcm.gcm_tag_len; 1372 break; 1373 default: 1374 /* 1375 * The remaining mechanims require an exact multiple of 1376 * AES_BLOCK_LEN of ciphertext. Any other value is an error. 1377 */ 1378 if (aes_ctx->ac_remainder_len > 0) { 1379 rv = CKR_DATA_LEN_RANGE; 1380 goto done; 1381 } 1382 out_len = 0; 1383 break; 1384 } 1385 1386 if (*pulLastPartLen < out_len || pLastPart == NULL) { 1387 *pulLastPartLen = out_len; 1388 return ((pLastPart == NULL) ? CKR_OK : CKR_BUFFER_TOO_SMALL); 1389 } 1390 1391 switch (mech) { 1392 case CKM_AES_CBC_PAD: 1393 *pulLastPartLen = out_len; 1394 if (out_len == 0) { 1395 break; 1396 } 1397 bcopy(aes_ctx->ac_remainder, pLastPart, out_len); 1398 out.cd_offset += out_len; 1399 break; 1400 case CKM_AES_CCM: 1401 ASSERT3U(aes_ctx->ac_processed_data_len, ==, out_len); 1402 ASSERT3U(aes_ctx->ac_processed_mac_len, ==, 1403 aes_ctx->ac_mac_len); 1404 1405 rc = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, &out, 1406 AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block, 1407 aes_xor_block); 1408 break; 1409 case CKM_AES_GCM: 1410 rc = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, &out, 1411 AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block); 1412 break; 1413 default: 1414 break; 1415 } 1416 1417 VERIFY3U(out.cd_offset, ==, out_len); 1418 rv = crypto2pkcs11_error_number(rc); 1419 1420 done: 1421 if (rv == CKR_OK) { 1422 *pulLastPartLen = out.cd_offset; 1423 } 1424 1425 soft_aes_free_ctx(aes_ctx); 1426 session_p->decrypt.context = NULL; 1427 1428 return (rv); 1429 } 1430 1431 /* 1432 * Allocate and initialize AES contexts for sign and verify operations 1433 * (including the underlying encryption context needed to sign or verify) -- 1434 * called by C_SignInit() and C_VerifyInit() to perform the CKM_AES_* MAC 1435 * mechanisms. For general-length AES MAC, also validate the MAC length. 1436 */ 1437 CK_RV 1438 soft_aes_sign_verify_init_common(soft_session_t *session_p, 1439 CK_MECHANISM_PTR pMechanism, soft_object_t *key_p, boolean_t sign_op) 1440 { 1441 soft_aes_sign_ctx_t *ctx = NULL; 1442 /* For AES CMAC (the only AES MAC currently), iv is always 0 */ 1443 CK_BYTE iv[AES_BLOCK_LEN] = { 0 }; 1444 CK_MECHANISM encrypt_mech = { 1445 .mechanism = CKM_AES_CMAC, 1446 .pParameter = iv, 1447 .ulParameterLen = sizeof (iv) 1448 }; 1449 CK_RV rv; 1450 size_t mac_len = AES_BLOCK_LEN; 1451 1452 if (key_p->key_type != CKK_AES) 1453 return (CKR_KEY_TYPE_INCONSISTENT); 1454 1455 /* C_{Sign,Verify}Init() validate pMechanism != NULL */ 1456 if (pMechanism->mechanism == CKM_AES_CMAC_GENERAL) { 1457 if (pMechanism->pParameter == NULL) { 1458 return (CKR_MECHANISM_PARAM_INVALID); 1459 } 1460 1461 mac_len = *(CK_MAC_GENERAL_PARAMS *)pMechanism->pParameter; 1462 1463 if (mac_len > AES_BLOCK_LEN) { 1464 return (CKR_MECHANISM_PARAM_INVALID); 1465 } 1466 } 1467 1468 ctx = calloc(1, sizeof (*ctx)); 1469 if (ctx == NULL) { 1470 return (CKR_HOST_MEMORY); 1471 } 1472 1473 rv = soft_aes_check_mech_param(pMechanism, &ctx->aes_ctx); 1474 if (rv != CKR_OK) { 1475 soft_aes_free_ctx(ctx->aes_ctx); 1476 goto done; 1477 } 1478 1479 if ((rv = soft_encrypt_init_internal(session_p, &encrypt_mech, 1480 key_p)) != CKR_OK) { 1481 soft_aes_free_ctx(ctx->aes_ctx); 1482 goto done; 1483 } 1484 1485 ctx->mac_len = mac_len; 1486 1487 (void) pthread_mutex_lock(&session_p->session_mutex); 1488 1489 if (sign_op) { 1490 session_p->sign.context = ctx; 1491 session_p->sign.mech.mechanism = pMechanism->mechanism; 1492 } else { 1493 session_p->verify.context = ctx; 1494 session_p->verify.mech.mechanism = pMechanism->mechanism; 1495 } 1496 1497 (void) pthread_mutex_unlock(&session_p->session_mutex); 1498 1499 done: 1500 if (rv != CKR_OK) { 1501 soft_aes_free_ctx(ctx->aes_ctx); 1502 free(ctx); 1503 } 1504 1505 return (rv); 1506 } 1507 1508 CK_RV 1509 soft_aes_sign_verify_common(soft_session_t *session_p, CK_BYTE_PTR pData, 1510 CK_ULONG ulDataLen, CK_BYTE_PTR pSigned, CK_ULONG_PTR pulSignedLen, 1511 boolean_t sign_op, boolean_t Final) 1512 { 1513 soft_aes_sign_ctx_t *soft_aes_ctx_sign_verify; 1514 CK_RV rv; 1515 CK_BYTE *pEncrypted = NULL; 1516 CK_ULONG ulEncryptedLen = AES_BLOCK_LEN; 1517 CK_BYTE last_block[AES_BLOCK_LEN]; 1518 1519 if (sign_op) { 1520 soft_aes_ctx_sign_verify = 1521 (soft_aes_sign_ctx_t *)session_p->sign.context; 1522 1523 if (soft_aes_ctx_sign_verify->mac_len == 0) { 1524 *pulSignedLen = 0; 1525 goto clean_exit; 1526 } 1527 1528 /* Application asks for the length of the output buffer. */ 1529 if (pSigned == NULL) { 1530 *pulSignedLen = soft_aes_ctx_sign_verify->mac_len; 1531 return (CKR_OK); 1532 } 1533 1534 /* Is the application-supplied buffer large enough? */ 1535 if (*pulSignedLen < soft_aes_ctx_sign_verify->mac_len) { 1536 *pulSignedLen = soft_aes_ctx_sign_verify->mac_len; 1537 return (CKR_BUFFER_TOO_SMALL); 1538 } 1539 } else { 1540 soft_aes_ctx_sign_verify = 1541 (soft_aes_sign_ctx_t *)session_p->verify.context; 1542 } 1543 1544 if (Final) { 1545 rv = soft_encrypt_final(session_p, last_block, 1546 &ulEncryptedLen); 1547 } else { 1548 rv = soft_encrypt(session_p, pData, ulDataLen, 1549 last_block, &ulEncryptedLen); 1550 } 1551 1552 if (rv == CKR_OK) { 1553 *pulSignedLen = soft_aes_ctx_sign_verify->mac_len; 1554 1555 /* the leftmost mac_len bytes of last_block is our MAC */ 1556 (void) memcpy(pSigned, last_block, *pulSignedLen); 1557 } 1558 1559 clean_exit: 1560 1561 (void) pthread_mutex_lock(&session_p->session_mutex); 1562 1563 /* soft_encrypt_common() has freed the encrypt context */ 1564 if (sign_op) { 1565 free(session_p->sign.context); 1566 session_p->sign.context = NULL; 1567 } else { 1568 free(session_p->verify.context); 1569 session_p->verify.context = NULL; 1570 } 1571 session_p->encrypt.flags = 0; 1572 1573 (void) pthread_mutex_unlock(&session_p->session_mutex); 1574 1575 if (pEncrypted) { 1576 free(pEncrypted); 1577 } 1578 1579 return (rv); 1580 } 1581 1582 /* 1583 * Called by soft_sign_update() 1584 */ 1585 CK_RV 1586 soft_aes_mac_sign_verify_update(soft_session_t *session_p, CK_BYTE_PTR pPart, 1587 CK_ULONG ulPartLen) 1588 { 1589 CK_BYTE buf[AES_BLOCK_LEN]; 1590 CK_ULONG ulEncryptedLen = AES_BLOCK_LEN; 1591 CK_RV rv; 1592 1593 rv = soft_encrypt_update(session_p, pPart, ulPartLen, 1594 buf, &ulEncryptedLen); 1595 explicit_bzero(buf, sizeof (buf)); 1596 1597 return (rv); 1598 } 1599 1600 void 1601 soft_aes_free_ctx(aes_ctx_t *ctx) 1602 { 1603 size_t len = 0; 1604 1605 if (ctx == NULL) 1606 return; 1607 1608 if (ctx->ac_flags & ECB_MODE) { 1609 len = sizeof (ecb_ctx_t); 1610 } else if (ctx->ac_flags & (CBC_MODE|CMAC_MODE)) { 1611 len = sizeof (cbc_ctx_t); 1612 } else if (ctx->ac_flags & CTR_MODE) { 1613 len = sizeof (ctr_ctx_t); 1614 } else if (ctx->ac_flags & CCM_MODE) { 1615 len = sizeof (ccm_ctx_t); 1616 } else if (ctx->ac_flags & GCM_MODE) { 1617 len = sizeof (gcm_ctx_t); 1618 } 1619 1620 freezero(ctx->ac_keysched, ctx->ac_keysched_len); 1621 freezero(ctx, len); 1622 } 1623