xref: /illumos-gate/usr/src/lib/pkcs11/pkcs11_softtoken/common/softAESCrypt.c (revision 698f4ab6008be205f4362675967638572eef4f21)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
24  * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
25  * Copyright 2019 Joyent, Inc.
26  * Copyright 2017 Jason King.
27  */
28 
29 #include <pthread.h>
30 #include <stdlib.h>
31 #include <string.h>
32 #include <strings.h>
33 #include <sys/debug.h>
34 #include <sys/types.h>
35 #include <security/cryptoki.h>
36 #include <aes_impl.h>
37 #include <cryptoutil.h>
38 #include "softSession.h"
39 #include "softObject.h"
40 #include "softCrypt.h"
41 #include "softOps.h"
42 
43 /*
44  * Check that the mechanism parameter is present and the correct size if
45  * required and allocate an AES context.
46  */
47 static CK_RV
48 soft_aes_check_mech_param(CK_MECHANISM_PTR mech, aes_ctx_t **ctxp)
49 {
50 	void *(*allocf)(int) = NULL;
51 	size_t param_len = 0;
52 	boolean_t param_req = B_TRUE;
53 
54 	switch (mech->mechanism) {
55 	case CKM_AES_ECB:
56 		param_req = B_FALSE;
57 		allocf = ecb_alloc_ctx;
58 		break;
59 	case CKM_AES_CMAC:
60 		param_req = B_FALSE;
61 		allocf = cmac_alloc_ctx;
62 		break;
63 	case CKM_AES_CMAC_GENERAL:
64 		param_len = sizeof (CK_MAC_GENERAL_PARAMS);
65 		allocf = cmac_alloc_ctx;
66 		break;
67 	case CKM_AES_CBC:
68 	case CKM_AES_CBC_PAD:
69 		param_len = AES_BLOCK_LEN;
70 		allocf = cbc_alloc_ctx;
71 		break;
72 	case CKM_AES_CTR:
73 		param_len = sizeof (CK_AES_CTR_PARAMS);
74 		allocf = ctr_alloc_ctx;
75 		break;
76 	case CKM_AES_CCM:
77 		param_len = sizeof (CK_CCM_PARAMS);
78 		allocf = ccm_alloc_ctx;
79 		break;
80 	case CKM_AES_GCM:
81 		param_len = sizeof (CK_GCM_PARAMS);
82 		allocf = gcm_alloc_ctx;
83 		break;
84 	default:
85 		return (CKR_MECHANISM_INVALID);
86 	}
87 
88 	if (param_req && (mech->pParameter == NULL ||
89 	    mech->ulParameterLen != param_len)) {
90 		return (CKR_MECHANISM_PARAM_INVALID);
91 	}
92 
93 	*ctxp = allocf(0);
94 	if (*ctxp == NULL) {
95 		return (CKR_HOST_MEMORY);
96 	}
97 
98 	return (CKR_OK);
99 }
100 
101 /*
102  * Create an AES key schedule for the given AES context from the given key.
103  * If the key is not sensitive, cache a copy of the key schedule in the
104  * key object and/or use the cached copy of the key schedule.
105  *
106  * Must be called before the init function for a given mode is called.
107  */
108 static CK_RV
109 soft_aes_init_key(aes_ctx_t *aes_ctx, soft_object_t *key_p)
110 {
111 	void *ks = NULL;
112 	size_t size = 0;
113 	CK_RV rv = CKR_OK;
114 
115 	(void) pthread_mutex_lock(&key_p->object_mutex);
116 
117 	/*
118 	 * AES keys should be either 128, 192, or 256 bits long.
119 	 * soft_object_t stores the key size in bytes, so we check those sizes
120 	 * in bytes.
121 	 *
122 	 * While soft_build_secret_key_object() does these same validations for
123 	 * keys created by the user, it may be possible that a key loaded from
124 	 * disk could be invalid or corrupt.  We err on the side of caution
125 	 * and check again that it's the correct size before performing any
126 	 * AES operations.
127 	 */
128 	switch (OBJ_SEC_VALUE_LEN(key_p)) {
129 	case AES_MIN_KEY_BYTES:
130 	case AES_MAX_KEY_BYTES:
131 	case AES_192_KEY_BYTES:
132 		break;
133 	default:
134 		rv = CKR_KEY_SIZE_RANGE;
135 		goto done;
136 	}
137 
138 	ks = aes_alloc_keysched(&size, 0);
139 	if (ks == NULL) {
140 		rv = CKR_HOST_MEMORY;
141 		goto done;
142 	}
143 
144 	/* If this is a sensitive key, always expand the key schedule */
145 	if (key_p->bool_attr_mask & SENSITIVE_BOOL_ON) {
146 		/* aes_init_keysched() requires key length in bits.  */
147 #ifdef	__sparcv9
148 		/* LINTED */
149 		aes_init_keysched(OBJ_SEC_VALUE(key_p), (uint_t)
150 		    (OBJ_SEC_VALUE_LEN(key_p) * NBBY), ks);
151 #else	/* !__sparcv9 */
152 		aes_init_keysched(OBJ_SEC_VALUE(key_p),
153 		    (OBJ_SEC_VALUE_LEN(key_p) * NBBY), ks);
154 #endif	/* __sparcv9 */
155 
156 		goto done;
157 	}
158 
159 	/* If a non-sensitive key and doesn't have a key schedule, create it */
160 	if (OBJ_KEY_SCHED(key_p) == NULL) {
161 		void *obj_ks = NULL;
162 
163 		obj_ks = aes_alloc_keysched(&size, 0);
164 		if (obj_ks == NULL) {
165 			rv = CKR_HOST_MEMORY;
166 			goto done;
167 		}
168 
169 #ifdef	__sparcv9
170 		/* LINTED */
171 		aes_init_keysched(OBJ_SEC_VALUE(key_p),
172 		    (uint_t)(OBJ_SEC_VALUE_LEN(key_p) * 8), obj_ks);
173 #else	/* !__sparcv9 */
174 		aes_init_keysched(OBJ_SEC_VALUE(key_p),
175 		    (OBJ_SEC_VALUE_LEN(key_p) * 8), obj_ks);
176 #endif	/* __sparcv9 */
177 
178 		OBJ_KEY_SCHED_LEN(key_p) = size;
179 		OBJ_KEY_SCHED(key_p) = obj_ks;
180 	}
181 
182 	(void) memcpy(ks, OBJ_KEY_SCHED(key_p), OBJ_KEY_SCHED_LEN(key_p));
183 
184 done:
185 	(void) pthread_mutex_unlock(&key_p->object_mutex);
186 
187 	if (rv == CKR_OK) {
188 		aes_ctx->ac_keysched = ks;
189 		aes_ctx->ac_keysched_len = size;
190 	} else {
191 		freezero(ks, size);
192 	}
193 
194 	return (rv);
195 }
196 
197 /*
198  * Initialize the AES context for the given mode, including allocating and
199  * expanding the key schedule if required.
200  */
201 static CK_RV
202 soft_aes_init_ctx(aes_ctx_t *aes_ctx, CK_MECHANISM_PTR mech_p,
203     boolean_t encrypt)
204 {
205 	int rc = CRYPTO_SUCCESS;
206 
207 	switch (mech_p->mechanism) {
208 	case CKM_AES_ECB:
209 		aes_ctx->ac_flags |= ECB_MODE;
210 		break;
211 	case CKM_AES_CMAC:
212 	case CKM_AES_CMAC_GENERAL:
213 		rc = cmac_init_ctx((cbc_ctx_t *)aes_ctx, AES_BLOCK_LEN);
214 		break;
215 	case CKM_AES_CBC:
216 	case CKM_AES_CBC_PAD:
217 		rc = cbc_init_ctx((cbc_ctx_t *)aes_ctx, mech_p->pParameter,
218 		    mech_p->ulParameterLen, AES_BLOCK_LEN, aes_copy_block64);
219 		break;
220 	case CKM_AES_CTR:
221 	{
222 		/*
223 		 * soft_aes_check_param() verifies this is !NULL and is the
224 		 * correct size.
225 		 */
226 		CK_AES_CTR_PARAMS *pp = (CK_AES_CTR_PARAMS *)mech_p->pParameter;
227 
228 		rc = ctr_init_ctx((ctr_ctx_t *)aes_ctx, pp->ulCounterBits,
229 		    pp->cb, aes_copy_block);
230 		break;
231 	}
232 	case CKM_AES_CCM: {
233 		CK_CCM_PARAMS *pp = (CK_CCM_PARAMS *)mech_p->pParameter;
234 
235 		/*
236 		 * The illumos ccm mode implementation predates the PKCS#11
237 		 * version that specifies CK_CCM_PARAMS.  As a result, the order
238 		 * and names of the struct members are different, so we must
239 		 * translate.  ccm_init_ctx() does not store a ref ccm_params,
240 		 * so it is safe to allocate on the stack.
241 		 */
242 		CK_AES_CCM_PARAMS ccm_params = {
243 			.ulMACSize = pp->ulMACLen,
244 			.ulNonceSize = pp->ulNonceLen,
245 			.ulAuthDataSize = pp->ulAADLen,
246 			.ulDataSize = pp->ulDataLen,
247 			.nonce = pp->pNonce,
248 			.authData = pp->pAAD
249 		};
250 
251 		rc = ccm_init_ctx((ccm_ctx_t *)aes_ctx, (char *)&ccm_params, 0,
252 		    encrypt, AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
253 		break;
254 	}
255 	case CKM_AES_GCM:
256 		/*
257 		 * Similar to the ccm mode implementation, the gcm mode also
258 		 * predates PKCS#11 2.40, however in this instance
259 		 * CK_AES_GCM_PARAMS and CK_GCM_PARAMS are identical except
260 		 * for the member names, so we can just pass it along.
261 		 */
262 		rc = gcm_init_ctx((gcm_ctx_t *)aes_ctx, mech_p->pParameter,
263 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
264 		    aes_xor_block);
265 		break;
266 	}
267 
268 	return (crypto2pkcs11_error_number(rc));
269 }
270 
271 /*
272  * Allocate context for the active encryption or decryption operation, and
273  * generate AES key schedule to speed up the operation.
274  */
275 CK_RV
276 soft_aes_crypt_init_common(soft_session_t *session_p,
277     CK_MECHANISM_PTR pMechanism, soft_object_t *key_p,
278     boolean_t encrypt)
279 {
280 	aes_ctx_t *aes_ctx = NULL;
281 	CK_RV rv = CKR_OK;
282 
283 	if (key_p->key_type != CKK_AES)
284 		return (CKR_KEY_TYPE_INCONSISTENT);
285 
286 	/* C_{Encrypt,Decrypt}Init() validate pMechanism != NULL */
287 	rv = soft_aes_check_mech_param(pMechanism, &aes_ctx);
288 	if (rv != CKR_OK) {
289 		goto done;
290 	}
291 
292 	rv = soft_aes_init_key(aes_ctx, key_p);
293 	if (rv != CKR_OK) {
294 		goto done;
295 	}
296 
297 	rv = soft_aes_init_ctx(aes_ctx, pMechanism, encrypt);
298 	if (rv != CKR_OK) {
299 		goto done;
300 	}
301 
302 	(void) pthread_mutex_lock(&session_p->session_mutex);
303 	if (encrypt) {
304 		/* Called by C_EncryptInit. */
305 		session_p->encrypt.context = aes_ctx;
306 		session_p->encrypt.mech.mechanism = pMechanism->mechanism;
307 	} else {
308 		/* Called by C_DecryptInit. */
309 		session_p->decrypt.context = aes_ctx;
310 		session_p->decrypt.mech.mechanism = pMechanism->mechanism;
311 	}
312 	(void) pthread_mutex_unlock(&session_p->session_mutex);
313 
314 done:
315 	if (rv != CKR_OK) {
316 		soft_aes_free_ctx(aes_ctx);
317 	}
318 
319 	return (rv);
320 }
321 
322 
323 CK_RV
324 soft_aes_encrypt(soft_session_t *session_p, CK_BYTE_PTR pData,
325     CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData,
326     CK_ULONG_PTR pulEncryptedDataLen)
327 {
328 	aes_ctx_t *aes_ctx = session_p->encrypt.context;
329 	CK_MECHANISM_TYPE mech = session_p->encrypt.mech.mechanism;
330 	size_t length_needed;
331 	size_t remainder;
332 	int rc = CRYPTO_SUCCESS;
333 	CK_RV rv = CKR_OK;
334 	crypto_data_t out = {
335 		.cd_format = CRYPTO_DATA_RAW,
336 		.cd_offset = 0,
337 		.cd_length = *pulEncryptedDataLen,
338 		.cd_raw.iov_base = (char *)pEncryptedData,
339 		.cd_raw.iov_len = *pulEncryptedDataLen
340 	};
341 
342 	/*
343 	 * A bit unusual, but it's permissible for ccm and gcm modes to not
344 	 * encrypt any data.  This ends up being equivalent to CKM_AES_CMAC
345 	 * or CKM_AES_GMAC of the additional authenticated data (AAD).
346 	 */
347 	if ((pData == NULL || ulDataLen == 0) &&
348 	    !(aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|CMAC_MODE))) {
349 		return (CKR_ARGUMENTS_BAD);
350 	}
351 
352 	remainder = ulDataLen % AES_BLOCK_LEN;
353 
354 	/*
355 	 * CTR, CCM, CMAC, and GCM modes do not require the plaintext
356 	 * to be a multiple of the AES block size. CKM_AES_CBC_PAD as the
357 	 * name suggests pads it's output, so it can also accept any
358 	 * size plaintext.
359 	 */
360 	switch (mech) {
361 	case CKM_AES_CBC_PAD:
362 	case CKM_AES_CMAC:
363 	case CKM_AES_CMAC_GENERAL:
364 	case CKM_AES_CTR:
365 	case CKM_AES_CCM:
366 	case CKM_AES_GCM:
367 		break;
368 	default:
369 		if (remainder != 0) {
370 			rv = CKR_DATA_LEN_RANGE;
371 			goto cleanup;
372 		}
373 	}
374 
375 	switch (mech) {
376 	case CKM_AES_CCM:
377 		length_needed = ulDataLen + aes_ctx->ac_mac_len;
378 		break;
379 	case CKM_AES_GCM:
380 		length_needed = ulDataLen + aes_ctx->ac_tag_len;
381 		break;
382 	case CKM_AES_CMAC:
383 	case CKM_AES_CMAC_GENERAL:
384 		length_needed = AES_BLOCK_LEN;
385 		break;
386 	case CKM_AES_CBC_PAD:
387 		/* CKM_AES_CBC_PAD always adds 1..AES_BLOCK_LEN of padding */
388 		length_needed = ulDataLen + AES_BLOCK_LEN - remainder;
389 		break;
390 	default:
391 		length_needed = ulDataLen;
392 		break;
393 	}
394 
395 	if (pEncryptedData == NULL) {
396 		/*
397 		 * The application can ask for the size of the output buffer
398 		 * with a NULL output buffer (pEncryptedData).
399 		 * C_Encrypt() guarantees pulEncryptedDataLen != NULL.
400 		 */
401 		*pulEncryptedDataLen = length_needed;
402 		return (CKR_OK);
403 	}
404 
405 	if (*pulEncryptedDataLen < length_needed) {
406 		*pulEncryptedDataLen = length_needed;
407 		return (CKR_BUFFER_TOO_SMALL);
408 	}
409 
410 	if (ulDataLen > 0) {
411 		rv = soft_aes_encrypt_update(session_p, pData, ulDataLen,
412 		    pEncryptedData, pulEncryptedDataLen);
413 
414 		if (rv != CKR_OK) {
415 			rv = CKR_FUNCTION_FAILED;
416 			goto cleanup;
417 		}
418 
419 		/*
420 		 * Some modes (e.g. CCM and GCM) will append data such as a MAC
421 		 * to the ciphertext after the plaintext has been encrypted.
422 		 * Update out to reflect the amount of data in pEncryptedData
423 		 * after encryption.
424 		 */
425 		out.cd_offset = *pulEncryptedDataLen;
426 	}
427 
428 	switch (mech) {
429 	case CKM_AES_CBC_PAD: {
430 		/*
431 		 * aes_encrypt_contiguous_blocks() accumulates plaintext
432 		 * in aes_ctx until it has at least one full block of
433 		 * plaintext.  Any partial blocks of data remaining after
434 		 * encrypting are left for subsequent calls to
435 		 * aes_encrypt_contiguous_blocks().  If the input happened
436 		 * to be an exact multiple of AES_BLOCK_LEN, we must still
437 		 * append a block of padding (a full block in that case) so
438 		 * that the correct amount of padding to remove is known
439 		 * during decryption.
440 		 *
441 		 * soft_add_pkcs7_padding() is a bit overkill -- we just
442 		 * create a block filled with the pad amount using memset(),
443 		 * and encrypt 'amt' bytes of the block to pad out the input.
444 		 */
445 		char block[AES_BLOCK_LEN];
446 		size_t amt = AES_BLOCK_LEN - remainder;
447 
448 		VERIFY3U(remainder, ==, aes_ctx->ac_remainder_len);
449 
450 		(void) memset(block, amt & 0xff, sizeof (block));
451 		rc = aes_encrypt_contiguous_blocks(aes_ctx, block, amt, &out);
452 		rv = crypto2pkcs11_error_number(rc);
453 		explicit_bzero(block, sizeof (block));
454 		break;
455 	}
456 	case CKM_AES_CCM:
457 		rc = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, &out,
458 		    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
459 		rv = crypto2pkcs11_error_number(rc);
460 		break;
461 	case CKM_AES_GCM:
462 		rc = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, &out,
463 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
464 		    aes_xor_block);
465 		rv = crypto2pkcs11_error_number(rc);
466 		break;
467 	case CKM_AES_CMAC:
468 	case CKM_AES_CMAC_GENERAL:
469 		rc = cmac_mode_final((cbc_ctx_t *)aes_ctx, &out,
470 		    aes_encrypt_block, aes_xor_block);
471 		rv = crypto2pkcs11_error_number(rc);
472 		aes_ctx->ac_remainder_len = 0;
473 		break;
474 	case CKM_AES_CTR:
475 		/*
476 		 * As CKM_AES_CTR is a stream cipher, ctr_mode_final is always
477 		 * invoked in the xx_update() functions, so we do not need to
478 		 * call it again here.
479 		 */
480 		break;
481 	case CKM_AES_ECB:
482 	case CKM_AES_CBC:
483 		/*
484 		 * These mechanisms do not have nor require a xx_final function.
485 		 */
486 		break;
487 	default:
488 		rv = CKR_MECHANISM_INVALID;
489 		break;
490 	}
491 
492 cleanup:
493 	switch (rv) {
494 	case CKR_OK:
495 		*pulEncryptedDataLen = out.cd_offset;
496 		break;
497 	case CKR_BUFFER_TOO_SMALL:
498 		/* *pulEncryptedDataLen was set earlier */
499 		break;
500 	default:
501 		/* something else failed */
502 		*pulEncryptedDataLen = 0;
503 		break;
504 	}
505 
506 	(void) pthread_mutex_lock(&session_p->session_mutex);
507 	soft_aes_free_ctx(aes_ctx);
508 	session_p->encrypt.context = NULL;
509 	(void) pthread_mutex_unlock(&session_p->session_mutex);
510 
511 	return (rv);
512 }
513 
514 static CK_RV
515 soft_aes_cbc_pad_decrypt(aes_ctx_t *aes_ctx, CK_BYTE_PTR pEncryptedData,
516     CK_ULONG ulEncryptedDataLen, crypto_data_t *out_orig)
517 {
518 	aes_ctx_t *ctx = aes_ctx;
519 	uint8_t *buf = NULL;
520 	uint8_t *outbuf = (uint8_t *)out_orig->cd_raw.iov_base;
521 	crypto_data_t out = *out_orig;
522 	size_t i;
523 	int rc;
524 	CK_RV rv = CKR_OK;
525 	uint8_t pad_len;
526 	boolean_t speculate = B_FALSE;
527 
528 	/*
529 	 * Just a query for the output size.  When the output buffer is
530 	 * NULL, we are allowed to return a size slightly larger than
531 	 * necessary.  We know the output will never be larger than the
532 	 * input ciphertext, so we use that as an estimate.
533 	 */
534 	if (out_orig->cd_raw.iov_base == NULL) {
535 		out_orig->cd_length = ulEncryptedDataLen;
536 		return (CKR_OK);
537 	}
538 
539 	/*
540 	 * The output plaintext size will be 1..AES_BLOCK_LEN bytes
541 	 * smaller than the input ciphertext.  However we cannot know
542 	 * exactly how much smaller until we decrypt the entire
543 	 * input ciphertext.  If we are unsure we have enough output buffer
544 	 * space, we have to allocate our own memory to hold the output,
545 	 * then see if we have enough room to hold the result.
546 	 *
547 	 * Unfortunately, having an output buffer that's too small does
548 	 * not terminate the operation, nor are we allowed to return
549 	 * partial results.  Therefore we must also duplicate the initial
550 	 * aes_ctx so that this can potentially be run again.
551 	 */
552 	if (out_orig->cd_length < ulEncryptedDataLen) {
553 		void *ks = malloc(aes_ctx->ac_keysched_len);
554 
555 		ctx = malloc(sizeof (*aes_ctx));
556 		buf = malloc(ulEncryptedDataLen);
557 		if (ks == NULL || ctx == NULL || buf == NULL) {
558 			free(ks);
559 			free(ctx);
560 			free(buf);
561 			return (CKR_HOST_MEMORY);
562 		}
563 
564 		bcopy(aes_ctx, ctx, sizeof (*ctx));
565 		bcopy(aes_ctx->ac_keysched, ks, aes_ctx->ac_keysched_len);
566 		ctx->ac_keysched = ks;
567 
568 		out.cd_length = ulEncryptedDataLen;
569 		out.cd_raw.iov_base = (char *)buf;
570 		out.cd_raw.iov_len = ulEncryptedDataLen;
571 		outbuf = buf;
572 
573 		speculate = B_TRUE;
574 	}
575 
576 	rc = aes_decrypt_contiguous_blocks(ctx, (char *)pEncryptedData,
577 	    ulEncryptedDataLen, &out);
578 	if (rc != CRYPTO_SUCCESS) {
579 		out_orig->cd_offset = 0;
580 		rv = CKR_FUNCTION_FAILED;
581 		goto done;
582 	}
583 
584 	/*
585 	 * RFC5652 6.3 The amount of padding must be
586 	 * block_sz - (len mod block_size).  This means
587 	 * the amount of padding must always be in the
588 	 * range [1..block_size].
589 	 */
590 	pad_len = outbuf[ulEncryptedDataLen - 1];
591 	if (pad_len == 0 || pad_len > AES_BLOCK_LEN) {
592 		rv = CKR_ENCRYPTED_DATA_INVALID;
593 		goto done;
594 	}
595 	out.cd_offset -= pad_len;
596 
597 	/*
598 	 * Verify pad values, trying to do so in as close to constant
599 	 * time as possible.
600 	 */
601 	for (i = ulEncryptedDataLen - pad_len; i < ulEncryptedDataLen; i++) {
602 		if (outbuf[i] != pad_len) {
603 			rv = CKR_ENCRYPTED_DATA_INVALID;
604 		}
605 	}
606 	if (rv != CKR_OK) {
607 		goto done;
608 	}
609 
610 	if (speculate) {
611 		if (out.cd_offset <= out_orig->cd_length) {
612 			bcopy(out.cd_raw.iov_base, out_orig->cd_raw.iov_base,
613 			    out.cd_offset);
614 		} else {
615 			rv = CKR_BUFFER_TOO_SMALL;
616 		}
617 	}
618 
619 	/*
620 	 * No matter what, we report the exact size required.
621 	 */
622 	out_orig->cd_offset = out.cd_offset;
623 
624 done:
625 	freezero(buf, ulEncryptedDataLen);
626 	if (ctx != aes_ctx) {
627 		VERIFY(speculate);
628 		soft_aes_free_ctx(ctx);
629 	}
630 
631 	return (rv);
632 }
633 
634 CK_RV
635 soft_aes_decrypt(soft_session_t *session_p, CK_BYTE_PTR pEncryptedData,
636     CK_ULONG ulEncryptedDataLen, CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen)
637 {
638 	aes_ctx_t *aes_ctx = session_p->decrypt.context;
639 	CK_MECHANISM_TYPE mech = session_p->decrypt.mech.mechanism;
640 	size_t length_needed;
641 	size_t remainder;
642 	int rc = CRYPTO_SUCCESS;
643 	CK_RV rv = CKR_OK;
644 	crypto_data_t out = {
645 		.cd_format = CRYPTO_DATA_RAW,
646 		.cd_offset = 0,
647 		.cd_length = *pulDataLen,
648 		.cd_raw.iov_base = (char *)pData,
649 		.cd_raw.iov_len = *pulDataLen
650 	};
651 
652 	/*
653 	 * A bit unusual, but it's permissible for ccm and gcm modes to not
654 	 * decrypt any data.  This ends up being equivalent to CKM_AES_CMAC
655 	 * or CKM_AES_GMAC of the additional authenticated data (AAD).
656 	 */
657 	if ((pEncryptedData == NULL || ulEncryptedDataLen == 0) &&
658 	    !(aes_ctx->ac_flags & (CCM_MODE|GCM_MODE))) {
659 		return (CKR_ARGUMENTS_BAD);
660 	}
661 
662 	remainder = ulEncryptedDataLen % AES_BLOCK_LEN;
663 
664 	/*
665 	 * CTR, CCM, CMAC, and GCM modes do not require the ciphertext
666 	 * to be a multiple of the AES block size.  Note that while
667 	 * CKM_AES_CBC_PAD accepts an arbitrary sized plaintext, the
668 	 * ciphertext is always a multiple of the AES block size
669 	 */
670 	switch (mech) {
671 	case CKM_AES_CMAC:
672 	case CKM_AES_CMAC_GENERAL:
673 	case CKM_AES_CTR:
674 	case CKM_AES_CCM:
675 	case CKM_AES_GCM:
676 		break;
677 	default:
678 		if (remainder != 0) {
679 			rv = CKR_DATA_LEN_RANGE;
680 			goto cleanup;
681 		}
682 	}
683 
684 	if (mech == CKM_AES_CBC_PAD) {
685 		rv = soft_aes_cbc_pad_decrypt(aes_ctx, pEncryptedData,
686 		    ulEncryptedDataLen, &out);
687 		if (pData == NULL || rv == CKR_BUFFER_TOO_SMALL) {
688 			*pulDataLen = out.cd_offset;
689 			return (rv);
690 		}
691 		goto cleanup;
692 	}
693 
694 	switch (aes_ctx->ac_flags & (CCM_MODE|GCM_MODE)) {
695 	case CCM_MODE:
696 		length_needed = aes_ctx->ac_processed_data_len;
697 		break;
698 	case GCM_MODE:
699 		length_needed = ulEncryptedDataLen - aes_ctx->ac_tag_len;
700 		break;
701 	default:
702 		/*
703 		 * Note: for CKM_AES_CBC_PAD, we cannot know exactly how much
704 		 * space is needed for the plaintext until after we decrypt it.
705 		 * However, it is permissible to return a value 'somewhat'
706 		 * larger than necessary (PKCS#11 Base Specification, sec 5.2).
707 		 *
708 		 * Since CKM_AES_CBC_PAD adds at most AES_BLOCK_LEN bytes to
709 		 * the plaintext, we report the ciphertext length as the
710 		 * required plaintext length.  This means we specify at most
711 		 * AES_BLOCK_LEN additional bytes of memory for the plaintext.
712 		 *
713 		 * This behavior is slightly different from the earlier
714 		 * version of this code which returned the value of
715 		 * (ulEncryptedDataLen - AES_BLOCK_LEN), which was only ever
716 		 * correct when the original plaintext was already a multiple
717 		 * of AES_BLOCK_LEN (i.e. when AES_BLOCK_LEN of padding was
718 		 * added).  This should not be a concern for existing
719 		 * consumers -- if they were previously using the value of
720 		 * *pulDataLen to size the outbut buffer, the resulting
721 		 * plaintext would be truncated anytime the original plaintext
722 		 * wasn't a multiple of AES_BLOCK_LEN.  No consumer should
723 		 * be relying on such wrong behavior.  More likely they are
724 		 * using the size of the ciphertext or larger for the
725 		 * buffer to hold the decrypted plaintext (which is always
726 		 * acceptable).
727 		 */
728 		length_needed = ulEncryptedDataLen;
729 	}
730 
731 	if (pData == NULL) {
732 		/*
733 		 * The application can ask for the size of the output buffer
734 		 * with a NULL output buffer (pData).
735 		 * C_Decrypt() guarantees pulDataLen != NULL.
736 		 */
737 		*pulDataLen = length_needed;
738 		return (CKR_OK);
739 	}
740 
741 	if (*pulDataLen < length_needed) {
742 		*pulDataLen = length_needed;
743 		return (CKR_BUFFER_TOO_SMALL);
744 	}
745 
746 	if (ulEncryptedDataLen > 0) {
747 		rv = soft_aes_decrypt_update(session_p, pEncryptedData,
748 		    ulEncryptedDataLen, pData, pulDataLen);
749 	}
750 
751 	if (rv != CKR_OK) {
752 		rv = CKR_FUNCTION_FAILED;
753 		goto cleanup;
754 	}
755 
756 	/*
757 	 * Some modes (e.g. CCM and GCM) will output additional data
758 	 * after the plaintext (such as the MAC).  Update out to
759 	 * reflect the amount of data in pData for the _final() functions.
760 	 */
761 	out.cd_offset = *pulDataLen;
762 
763 	/*
764 	 * As CKM_AES_CTR is a stream cipher, ctr_mode_final is always
765 	 * invoked in the _update() functions, so we do not need to call it
766 	 * here.
767 	 */
768 	if (aes_ctx->ac_flags & CCM_MODE) {
769 		ASSERT3U(aes_ctx->ac_processed_data_len, ==,
770 		    aes_ctx->ac_data_len);
771 		ASSERT3U(aes_ctx->ac_processed_mac_len, ==,
772 		    aes_ctx->ac_mac_len);
773 
774 		rc = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, &out,
775 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
776 		    aes_xor_block);
777 		rv = crypto2pkcs11_error_number(rc);
778 	} else if (aes_ctx->ac_flags & GCM_MODE) {
779 		rc = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, &out,
780 		    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
781 		rv = crypto2pkcs11_error_number(rc);
782 	}
783 
784 cleanup:
785 	if (rv == CKR_OK) {
786 		*pulDataLen = out.cd_offset;
787 	} else {
788 		*pulDataLen = 0;
789 	}
790 
791 	(void) pthread_mutex_lock(&session_p->session_mutex);
792 	soft_aes_free_ctx(aes_ctx);
793 	session_p->decrypt.context = NULL;
794 	(void) pthread_mutex_unlock(&session_p->session_mutex);
795 
796 	return (rv);
797 }
798 
799 CK_RV
800 soft_aes_encrypt_update(soft_session_t *session_p, CK_BYTE_PTR pData,
801     CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData,
802     CK_ULONG_PTR pulEncryptedDataLen)
803 {
804 	aes_ctx_t *aes_ctx = session_p->encrypt.context;
805 	crypto_data_t out = {
806 		.cd_format = CRYPTO_DATA_RAW,
807 		.cd_offset = 0,
808 		.cd_length = *pulEncryptedDataLen,
809 		.cd_raw.iov_base = (char *)pEncryptedData,
810 		.cd_raw.iov_len = *pulEncryptedDataLen
811 	};
812 	CK_MECHANISM_TYPE mech = session_p->encrypt.mech.mechanism;
813 	CK_RV rv = CKR_OK;
814 	size_t out_len = aes_ctx->ac_remainder_len + ulDataLen;
815 	int rc;
816 
817 	/* Check size of the output buffer */
818 	if (aes_ctx->ac_flags & CMAC_MODE) {
819 		/*
820 		 * The underlying CMAC implementation handles the storing of
821 		 * extra bytes and does not output any data until *_final,
822 		 * so do not bother looking at the size of the output
823 		 * buffer at this time.
824 		 */
825 		if (pData == NULL) {
826 			*pulEncryptedDataLen = 0;
827 			return (CKR_OK);
828 		}
829 	} else {
830 		/*
831 		 * The number of complete blocks we can encrypt right now.
832 		 * The underlying implementation will buffer any remaining data
833 		 * until the next *_update call.
834 		 */
835 		out_len &= ~(AES_BLOCK_LEN - 1);
836 
837 		if (pEncryptedData == NULL) {
838 			*pulEncryptedDataLen = out_len;
839 			return (CKR_OK);
840 		}
841 
842 		if (*pulEncryptedDataLen < out_len) {
843 			*pulEncryptedDataLen = out_len;
844 			return (CKR_BUFFER_TOO_SMALL);
845 		}
846 	}
847 
848 	rc = aes_encrypt_contiguous_blocks(aes_ctx, (char *)pData, ulDataLen,
849 	    &out);
850 
851 	/*
852 	 * Since out.cd_offset is set to 0 initially and the underlying
853 	 * implementation increments out.cd_offset by the amount of output
854 	 * written, so we can just use the value as the amount written.
855 	 */
856 	*pulEncryptedDataLen = out.cd_offset;
857 
858 	if (rc != CRYPTO_SUCCESS) {
859 		return (CKR_FUNCTION_FAILED);
860 	}
861 
862 	/*
863 	 * Since AES counter mode is a stream cipher, we call ctr_mode_final()
864 	 * to pick up any remaining bytes.  It is an internal function that
865 	 * does not destroy the context like *normal* final routines.
866 	 */
867 	if ((aes_ctx->ac_flags & CTR_MODE) && (aes_ctx->ac_remainder_len > 0)) {
868 		rc = ctr_mode_final((ctr_ctx_t *)aes_ctx, &out,
869 		    aes_encrypt_block);
870 	}
871 	rv = crypto2pkcs11_error_number(rc);
872 
873 	return (rv);
874 }
875 
876 CK_RV
877 soft_aes_decrypt_update(soft_session_t *session_p, CK_BYTE_PTR pEncryptedData,
878     CK_ULONG ulEncryptedDataLen, CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen)
879 {
880 	aes_ctx_t *aes_ctx = session_p->decrypt.context;
881 	uint8_t *buffer_block = NULL;
882 	crypto_data_t out = {
883 		.cd_format = CRYPTO_DATA_RAW,
884 		.cd_offset = 0,
885 		.cd_length = *pulDataLen,
886 		.cd_raw.iov_base = (char *)pData,
887 		.cd_raw.iov_len = *pulDataLen
888 	};
889 	CK_MECHANISM_TYPE mech = session_p->decrypt.mech.mechanism;
890 	CK_RV rv = CKR_OK;
891 	size_t in_len = ulEncryptedDataLen;
892 	size_t out_len;
893 	int rc = CRYPTO_SUCCESS;
894 
895 	switch (mech) {
896 	case CKM_AES_CCM:
897 	case CKM_AES_GCM:
898 		out_len = 0;
899 		break;
900 	case CKM_AES_CBC_PAD:
901 		/*
902 		 * For CKM_AES_CBC_PAD, we use the existing code for CBC
903 		 * mode in libsoftcrypto (which itself uses the code in
904 		 * usr/src/common/crypto/modes for CBC mode).  For
905 		 * non-padding AES CBC mode, aes_decrypt_contiguous_blocks()
906 		 * will accumulate ciphertext in aes_ctx->ac_remainder until
907 		 * there is at least AES_BLOCK_LEN bytes of ciphertext available
908 		 * to decrypt.  At that point, as many blocks of AES_BLOCK_LEN
909 		 * sized ciphertext blocks are decrypted.  Any remainder is
910 		 * copied into aes_ctx->ac_remainder for decryption in
911 		 * subsequent calls to aes_decrypt_contiguous_blocks().
912 		 *
913 		 * When PKCS#7 padding is used, the buffering
914 		 * aes_decrypt_contigous_blocks() performs is insufficient.
915 		 * PKCS#7 padding always adds [1..AES_BLOCK_LEN] bytes of
916 		 * padding to plaintext, so the resulting ciphertext is always
917 		 * larger than the input plaintext.  However we cannot know
918 		 * which block is the final block (and needs its padding
919 		 * stripped) until C_DecryptFinal() is called.  Additionally,
920 		 * it is permissible for a caller to use buffers sized to the
921 		 * output plaintext -- i.e. smaller than the input ciphertext.
922 		 * This leads to a more complicated buffering/accumulation
923 		 * strategy than what aes_decrypt_contiguous_blocks() provides
924 		 * us.
925 		 *
926 		 * Our buffering strategy works as follows:
927 		 *  For each call to C_DecryptUpdate, we calculate the
928 		 *  total amount of ciphertext available (buffered plus what's
929 		 *  passed in) as the initial output size (out_len). Based
930 		 *  on the value of out_len, there are three possibilties:
931 		 *
932 		 *  1. We have less than AES_BLOCK_LEN + 1 bytes of
933 		 *  ciphertext available. Accumulate the ciphertext in
934 		 *  aes_ctx->ac_remainder. Note that while we could let
935 		 *  aes_decrypt_contiguous_blocks() buffer the input for us
936 		 *  when we have less than AES_BLOCK_LEN bytes, we would still
937 		 *  need to buffer when we have exactly AES_BLOCK_LEN
938 		 *  bytes available, so we just handle both situations with
939 		 *  one if clause.
940 		 *
941 		 *  2. We have at least AES_BLOCK_LEN + 1 bytes of
942 		 *  ciphertext, and the total amount available is also an
943 		 *  exact multiple of AES_BLOCK_LEN. We cannot know if the
944 		 *  last block of input is the final block (yet), but we
945 		 *  are an exact multiple of AES_BLOCK_LEN, and we have
946 		 *  at least AES_BLOCK_LEN + 1 bytes available, therefore
947 		 *  there must be at least 2 * AES_BLOCK_LEN bytes of input
948 		 *  ciphertext available. It also means there's at least one
949 		 *  full block of input ciphertext that can be decrypted. We
950 		 *  reduce the size of the input (in_len) given to
951 		 *  aes_decrypt_contiguous_bytes() by AES_BLOCK_LEN to prevent
952 		 *  it from decrypting the last full block of data.
953 		 *  aes_decrypt_contiguous_blocks() will when decrypt any
954 		 *  buffered data in aex_ctx->ac_remainder, and then any
955 		 *  input data passed. Since we have an exact multiple of
956 		 *  AES_BLOCK_LEN, aes_ctx->ac_remainder will be empty
957 		 *  (aes_ctx->ac_remainder_len == 0), once
958 		 *  aes_decrypt_contiguout_block() completes, and we can
959 		 *  copy the last block of data into aes_ctx->ac_remainder.
960 		 *
961 		 *  3. We have at least AES_BLOCK_LEN + 1 bytes of
962 		 *  ciphertext, but the total amount available is not an
963 		 *  exact multiple of AES_BLOCK_LEN. We decrypt all of
964 		 *  full blocks of data we have. The remainder will be
965 		 *  less than AES_BLOCK_LEN bytes. We let
966 		 *  aes_decrypt_contiguous_blocks() buffer the remainder
967 		 *  for us since it would normally do this anyway. Since there
968 		 *  is a remainder, the full blocks that are present cannot
969 		 *  be the last block, so we can safey decrypt all of them.
970 		 *
971 		 * Some things to note:
972 		 *  - The above semantics will cause aes_ctx->ac_remainder to
973 		 *  never accumulate more than AES_BLOCK_LEN bytes of
974 		 *  ciphertext. Once we reach at least AES_BLOCK_LEN + 1 bytes,
975 		 *  we will decrypt the contents of aes_ctx->ac_remainder by one
976 		 *  of the last two scenarios described above.
977 		 *
978 		 *  - We must always end up with AES_BLOCK_LEN bytes of data
979 		 *  in aes_ctx->ac_remainder when C_DecryptFinal() is called.
980 		 *  The first and third scenarios above may leave
981 		 *  aes_ctx->ac_remainder with less than AES_BLOCK_LEN bytes,
982 		 *  however the total size of the input ciphertext that's
983 		 *  been decrypted must end up a multiple of AES_BLOCK_LEN.
984 		 *  Therefore, we can always assume when there is a
985 		 *  remainder that more data is coming.  If we do end up
986 		 *  with a remainder that's not AES_BLOCK_LEN bytes long
987 		 *  when C_DecryptFinal() is called, the input is assumed
988 		 *  invalid and we return CKR_DATA_LEN_RANGE (see
989 		 *  soft_aes_decrypt_final()).
990 		 */
991 
992 		VERIFY3U(aes_ctx->ac_remainder_len, <=, AES_BLOCK_LEN);
993 		if (in_len >= SIZE_MAX - AES_BLOCK_LEN)
994 			return (CKR_ENCRYPTED_DATA_LEN_RANGE);
995 
996 		out_len = aes_ctx->ac_remainder_len + in_len;
997 
998 		if (out_len <= AES_BLOCK_LEN) {
999 			/*
1000 			 * The first scenario detailed above, accumulate
1001 			 * ciphertext in ac_remainder_len and return.
1002 			 */
1003 			uint8_t *dest = (uint8_t *)aes_ctx->ac_remainder +
1004 			    aes_ctx->ac_remainder_len;
1005 
1006 			bcopy(pEncryptedData, dest, in_len);
1007 			aes_ctx->ac_remainder_len += in_len;
1008 			*pulDataLen = 0;
1009 
1010 			/*
1011 			 * Since we aren't writing an output, and are returning
1012 			 * here, we don't need to adjust out_len -- we never
1013 			 * reach the output buffer size checks after the
1014 			 * switch statement.
1015 			 */
1016 			return (CKR_OK);
1017 		} else if (out_len % AES_BLOCK_LEN == 0) {
1018 			/*
1019 			 * The second scenario decribed above. The total amount
1020 			 * available is a multiple of AES_BLOCK_LEN, and
1021 			 * we have more than one block.  We reduce the
1022 			 * input size (in_len) by AES_BLOCK_LEN. We also
1023 			 * reduce the output size (out_len) by AES_BLOCK_LEN
1024 			 * for the output buffer size checks that follow
1025 			 * the switch statement. In certain situations,
1026 			 * PKCS#11 requires this to be an exact value, so
1027 			 * the size check cannot occur for CKM_AES_CBC_PAD
1028 			 * until after we've determine which scenario we
1029 			 * have.
1030 			 *
1031 			 * Because we never accumulate more than AES_BLOCK_LEN
1032 			 * bytes in aes_ctx->ac_remainder, when we are in
1033 			 * this scenario, the following VERIFYs should always
1034 			 * be true (and serve as a final safeguard against
1035 			 * underflow).
1036 			 */
1037 			VERIFY3U(in_len, >=, AES_BLOCK_LEN);
1038 
1039 			buffer_block = pEncryptedData + in_len - AES_BLOCK_LEN;
1040 
1041 			in_len -= AES_BLOCK_LEN;
1042 
1043 			/*
1044 			 * This else clause explicity checks
1045 			 * out_len > AES_BLOCK_LEN, so this is also safe.
1046 			 */
1047 			out_len -= AES_BLOCK_LEN;
1048 		} else {
1049 			/*
1050 			 * The third scenario above.  We have at least
1051 			 * AES_BLOCK_LEN + 1 bytes, but the total amount of
1052 			 * input ciphertext available is not an exact
1053 			 * multiple of AES_BLOCK_LEN.  Let
1054 			 * aes_decrypt_contiguous_blocks() handle the
1055 			 * buffering of the remainder.  Update the
1056 			 * output size to reflect the actual amount of output
1057 			 * we want to emit for the checks after the switch
1058 			 * statement.
1059 			 */
1060 			out_len &= ~(AES_BLOCK_LEN - 1);
1061 		}
1062 		break;
1063 	default:
1064 		out_len = aes_ctx->ac_remainder_len + in_len;
1065 		out_len &= ~(AES_BLOCK_LEN - 1);
1066 		break;
1067 	}
1068 
1069 	/*
1070 	 * C_DecryptUpdate() verifies that pulDataLen is not NULL prior
1071 	 * to calling soft_decrypt_common() (which calls us).
1072 	 */
1073 
1074 	if (pData == NULL) {
1075 		/*
1076 		 * If the output buffer (pData) is NULL, that means the
1077 		 * caller is inquiring about the size buffer needed to
1078 		 * complete the C_DecryptUpdate() request.  While we are
1079 		 * permitted to set *pulDataLen to an estimated value that can
1080 		 * be 'slightly' larger than the actual value required,
1081 		 * since we know the exact size we need, we stick with the
1082 		 * exact size.
1083 		 */
1084 		*pulDataLen = out_len;
1085 		return (CKR_OK);
1086 	}
1087 
1088 	if (*pulDataLen < out_len) {
1089 		/*
1090 		 * Not an inquiry, but the output buffer isn't large enough.
1091 		 * PKCS#11 requires that this scenario not fail fatally (as
1092 		 * well as return a different error value). This situation
1093 		 * also requires us to set *pulDataLen to the _exact_ size
1094 		 * required.
1095 		 */
1096 		*pulDataLen = out_len;
1097 		return (CKR_BUFFER_TOO_SMALL);
1098 	}
1099 
1100 	rc = aes_decrypt_contiguous_blocks(aes_ctx, (char *)pEncryptedData,
1101 	    in_len, &out);
1102 
1103 	if (rc != CRYPTO_SUCCESS) {
1104 		rv = CKR_FUNCTION_FAILED;
1105 		goto done;
1106 	}
1107 
1108 	*pulDataLen = out.cd_offset;
1109 
1110 	switch (mech) {
1111 	case CKM_AES_CTR:
1112 		if (aes_ctx->ac_remainder_len == 0) {
1113 			break;
1114 		}
1115 		rc = ctr_mode_final((ctr_ctx_t *)aes_ctx, &out,
1116 		    aes_encrypt_block);
1117 		rv = crypto2pkcs11_error_number(rc);
1118 		break;
1119 	case CKM_AES_CBC_PAD:
1120 		if (buffer_block == NULL) {
1121 			break;
1122 		}
1123 
1124 		VERIFY0(aes_ctx->ac_remainder_len);
1125 
1126 		/*
1127 		 * We had multiple blocks of data to decrypt with nothing
1128 		 * left over and deferred decrypting the last block of data.
1129 		 * Copy it into aes_ctx->ac_remainder to decrypt on the
1130 		 * next update call (or final).
1131 		 */
1132 		bcopy(buffer_block, aes_ctx->ac_remainder, AES_BLOCK_LEN);
1133 		aes_ctx->ac_remainder_len = AES_BLOCK_LEN;
1134 		break;
1135 	}
1136 
1137 done:
1138 	return (rv);
1139 }
1140 
1141 CK_RV
1142 soft_aes_encrypt_final(soft_session_t *session_p,
1143     CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pulLastEncryptedPartLen)
1144 {
1145 	aes_ctx_t *aes_ctx = session_p->encrypt.context;
1146 	crypto_data_t data = {
1147 		.cd_format = CRYPTO_DATA_RAW,
1148 		.cd_offset = 0,
1149 		.cd_length = *pulLastEncryptedPartLen,
1150 		.cd_raw.iov_base = (char *)pLastEncryptedPart,
1151 		.cd_raw.iov_len = *pulLastEncryptedPartLen
1152 	};
1153 	CK_MECHANISM_TYPE mech = session_p->encrypt.mech.mechanism;
1154 	CK_RV rv = CKR_OK;
1155 	size_t out_len;
1156 	int rc = CRYPTO_SUCCESS;
1157 
1158 	switch (mech) {
1159 	case CKM_AES_CBC_PAD:
1160 		/*
1161 		 * We always add 1..AES_BLOCK_LEN of padding to the input
1162 		 * plaintext to round up to a multiple of AES_BLOCK_LEN.
1163 		 * During encryption, we never output a partially encrypted
1164 		 * block (that is the amount encrypted by each call of
1165 		 * C_EncryptUpdate() is always either 0 or n * AES_BLOCK_LEN).
1166 		 * As a result, at the end of the encryption operation, we
1167 		 * output AES_BLOCK_LEN bytes of data -- this could be a full
1168 		 * block of padding, or a combination of data + padding.
1169 		 */
1170 		out_len = AES_BLOCK_LEN;
1171 		break;
1172 	case CKM_AES_CTR:
1173 		out_len = aes_ctx->ac_remainder_len;
1174 		break;
1175 	case CKM_AES_CCM:
1176 		out_len = aes_ctx->ac_remainder_len +
1177 		    aes_ctx->acu.acu_ccm.ccm_mac_len;
1178 		break;
1179 	case CKM_AES_GCM:
1180 		out_len = aes_ctx->ac_remainder_len +
1181 		    aes_ctx->acu.acu_gcm.gcm_tag_len;
1182 		break;
1183 	case CKM_AES_CMAC:
1184 	case CKM_AES_CMAC_GENERAL:
1185 		out_len = AES_BLOCK_LEN;
1186 		break;
1187 	default:
1188 		/*
1189 		 * Everything other AES mechansism requires full blocks of
1190 		 * input.  If the input was not an exact multiple of
1191 		 * AES_BLOCK_LEN, it is a fatal error.
1192 		 */
1193 		if (aes_ctx->ac_remainder_len > 0) {
1194 			rv = CKR_DATA_LEN_RANGE;
1195 			goto done;
1196 		}
1197 		out_len = 0;
1198 	}
1199 
1200 	if (*pulLastEncryptedPartLen < out_len || pLastEncryptedPart == NULL) {
1201 		*pulLastEncryptedPartLen = out_len;
1202 		return ((pLastEncryptedPart == NULL) ?
1203 		    CKR_OK : CKR_BUFFER_TOO_SMALL);
1204 	}
1205 
1206 	switch (mech) {
1207 	case CKM_AES_CBC_PAD: {
1208 		char block[AES_BLOCK_LEN] = { 0 };
1209 		size_t padlen = AES_BLOCK_LEN - aes_ctx->ac_remainder_len;
1210 
1211 		if (padlen == 0) {
1212 			padlen = AES_BLOCK_LEN;
1213 		}
1214 
1215 		(void) memset(block, padlen & 0xff, sizeof (block));
1216 		rc = aes_encrypt_contiguous_blocks(aes_ctx, block,
1217 		    padlen, &data);
1218 		explicit_bzero(block, sizeof (block));
1219 		break;
1220 	}
1221 	case CKM_AES_CTR:
1222 		if (aes_ctx->ac_remainder_len == 0) {
1223 			break;
1224 		}
1225 
1226 		rc = ctr_mode_final((ctr_ctx_t *)aes_ctx, &data,
1227 		    aes_encrypt_block);
1228 		break;
1229 	case CKM_AES_CCM:
1230 		rc = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, &data,
1231 		    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
1232 		break;
1233 	case CKM_AES_GCM:
1234 		rc = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, &data,
1235 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
1236 		    aes_xor_block);
1237 		break;
1238 	case CKM_AES_CMAC:
1239 	case CKM_AES_CMAC_GENERAL:
1240 		rc = cmac_mode_final((cbc_ctx_t *)aes_ctx, &data,
1241 		    aes_encrypt_block, aes_xor_block);
1242 		break;
1243 	default:
1244 		break;
1245 	}
1246 	rv = crypto2pkcs11_error_number(rc);
1247 
1248 done:
1249 	if (rv == CKR_OK) {
1250 		*pulLastEncryptedPartLen = data.cd_offset;
1251 	}
1252 
1253 	soft_aes_free_ctx(aes_ctx);
1254 	session_p->encrypt.context = NULL;
1255 	return (rv);
1256 }
1257 
1258 CK_RV
1259 soft_aes_decrypt_final(soft_session_t *session_p, CK_BYTE_PTR pLastPart,
1260     CK_ULONG_PTR pulLastPartLen)
1261 {
1262 	aes_ctx_t *aes_ctx = session_p->decrypt.context;
1263 	CK_MECHANISM_TYPE mech = session_p->decrypt.mech.mechanism;
1264 	CK_RV rv = CKR_OK;
1265 	int rc = CRYPTO_SUCCESS;
1266 	size_t out_len;
1267 	crypto_data_t out = {
1268 		.cd_format = CRYPTO_DATA_RAW,
1269 		.cd_offset = 0,
1270 		.cd_length = *pulLastPartLen,
1271 		.cd_raw.iov_base = (char *)pLastPart,
1272 		.cd_raw.iov_len = *pulLastPartLen
1273 	};
1274 
1275 	switch (mech) {
1276 	case CKM_AES_CBC_PAD:
1277 		/*
1278 		 * PKCS#11 requires that a caller can discover the size of
1279 		 * the output buffer required by calling
1280 		 * C_DecryptFinal(hSession, NULL, &len) which sets
1281 		 * *pulLastPartLen to the size required.  However, it also
1282 		 * allows if one calls C_DecryptFinal with a buffer (i.e.
1283 		 * pLastPart != NULL) that is too small, to return
1284 		 * CKR_BUFFER_TOO_SMALL with *pulLastPartLen set to the
1285 		 * _exact_ size required (when pLastPart is NULL, the
1286 		 * implementation is allowed to set a 'sightly' larger
1287 		 * value than is strictly necessary.  In either case, the
1288 		 * caller is allowed to retry the operation (the operation
1289 		 * is not terminated).
1290 		 *
1291 		 * With PKCS#7 padding, we cannot determine the exact size of
1292 		 * the output until we decrypt the final block.  As such, the
1293 		 * first time for a given decrypt operation we are called,
1294 		 * we decrypt the final block and stash it in the aes_ctx
1295 		 * remainder block.  On any subsequent calls in the
1296 		 * current decrypt operation, we then can use the decrypted
1297 		 * block as necessary to provide the correct semantics.
1298 		 *
1299 		 * The cleanup of aes_ctx when the operation terminates
1300 		 * will take care of clearing out aes_ctx->ac_remainder_len.
1301 		 */
1302 		if ((aes_ctx->ac_flags & P11_DECRYPTED) == 0) {
1303 			uint8_t block[AES_BLOCK_LEN] = { 0 };
1304 			crypto_data_t block_out = {
1305 				.cd_format = CRYPTO_DATA_RAW,
1306 				.cd_offset = 0,
1307 				.cd_length = sizeof (block),
1308 				.cd_raw.iov_base = (char *)block,
1309 				.cd_raw.iov_len = sizeof (block)
1310 			};
1311 			size_t amt, i;
1312 			uint8_t pad_len;
1313 
1314 			if (aes_ctx->ac_remainder_len != AES_BLOCK_LEN) {
1315 				return (CKR_DATA_LEN_RANGE);
1316 			}
1317 
1318 			rc = aes_decrypt_contiguous_blocks(aes_ctx,
1319 			    (char *)block, 0, &block_out);
1320 			if (rc != CRYPTO_SUCCESS) {
1321 				explicit_bzero(block, sizeof (block));
1322 				return (CKR_FUNCTION_FAILED);
1323 			}
1324 
1325 			pad_len = block[AES_BLOCK_LEN - 1];
1326 
1327 			/*
1328 			 * RFC5652 6.3 The amount of padding must be
1329 			 * block_sz - (len mod block_size).  This means
1330 			 * the amount of padding must always be in the
1331 			 * range [1..block_size].
1332 			 */
1333 			if (pad_len == 0 || pad_len > AES_BLOCK_LEN) {
1334 				rv = CKR_ENCRYPTED_DATA_INVALID;
1335 				explicit_bzero(block, sizeof (block));
1336 				goto done;
1337 			}
1338 			amt = AES_BLOCK_LEN - pad_len;
1339 
1340 			/*
1341 			 * Verify the padding is correct.  Try to do so
1342 			 * in as constant a time as possible.
1343 			 */
1344 			for (i = amt; i < AES_BLOCK_LEN; i++) {
1345 				if (block[i] != pad_len) {
1346 					rv = CKR_ENCRYPTED_DATA_INVALID;
1347 				}
1348 			}
1349 			if (rv != CKR_OK) {
1350 				explicit_bzero(block, sizeof (block));
1351 				goto done;
1352 			}
1353 
1354 			bcopy(block, aes_ctx->ac_remainder, amt);
1355 			explicit_bzero(block, sizeof (block));
1356 
1357 			aes_ctx->ac_flags |= P11_DECRYPTED;
1358 			aes_ctx->ac_remainder_len = amt;
1359 		}
1360 
1361 		out_len = aes_ctx->ac_remainder_len;
1362 		break;
1363 	case CKM_AES_CTR:
1364 		out_len = aes_ctx->ac_remainder_len;
1365 		break;
1366 	case CKM_AES_CCM:
1367 		out_len = aes_ctx->ac_data_len;
1368 		break;
1369 	case CKM_AES_GCM:
1370 		out_len = aes_ctx->acu.acu_gcm.gcm_processed_data_len -
1371 		    aes_ctx->acu.acu_gcm.gcm_tag_len;
1372 		break;
1373 	default:
1374 		/*
1375 		 * The remaining mechanims require an exact multiple of
1376 		 * AES_BLOCK_LEN of ciphertext.  Any other value is an error.
1377 		 */
1378 		if (aes_ctx->ac_remainder_len > 0) {
1379 			rv = CKR_DATA_LEN_RANGE;
1380 			goto done;
1381 		}
1382 		out_len = 0;
1383 		break;
1384 	}
1385 
1386 	if (*pulLastPartLen < out_len || pLastPart == NULL) {
1387 		*pulLastPartLen = out_len;
1388 		return ((pLastPart == NULL) ? CKR_OK : CKR_BUFFER_TOO_SMALL);
1389 	}
1390 
1391 	switch (mech) {
1392 	case CKM_AES_CBC_PAD:
1393 		*pulLastPartLen = out_len;
1394 		if (out_len == 0) {
1395 			break;
1396 		}
1397 		bcopy(aes_ctx->ac_remainder, pLastPart, out_len);
1398 		out.cd_offset += out_len;
1399 		break;
1400 	case CKM_AES_CCM:
1401 		ASSERT3U(aes_ctx->ac_processed_data_len, ==, out_len);
1402 		ASSERT3U(aes_ctx->ac_processed_mac_len, ==,
1403 		    aes_ctx->ac_mac_len);
1404 
1405 		rc = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, &out,
1406 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
1407 		    aes_xor_block);
1408 		break;
1409 	case CKM_AES_GCM:
1410 		rc = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, &out,
1411 		    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
1412 		break;
1413 	default:
1414 		break;
1415 	}
1416 
1417 	VERIFY3U(out.cd_offset, ==, out_len);
1418 	rv = crypto2pkcs11_error_number(rc);
1419 
1420 done:
1421 	if (rv == CKR_OK) {
1422 		*pulLastPartLen = out.cd_offset;
1423 	}
1424 
1425 	soft_aes_free_ctx(aes_ctx);
1426 	session_p->decrypt.context = NULL;
1427 
1428 	return (rv);
1429 }
1430 
1431 /*
1432  * Allocate and initialize AES contexts for sign and verify operations
1433  * (including the underlying encryption context needed to sign or verify) --
1434  * called by C_SignInit() and C_VerifyInit() to perform the CKM_AES_* MAC
1435  * mechanisms. For general-length AES MAC, also validate the MAC length.
1436  */
1437 CK_RV
1438 soft_aes_sign_verify_init_common(soft_session_t *session_p,
1439     CK_MECHANISM_PTR pMechanism, soft_object_t *key_p, boolean_t sign_op)
1440 {
1441 	soft_aes_sign_ctx_t	*ctx = NULL;
1442 	/* For AES CMAC (the only AES MAC currently), iv is always 0 */
1443 	CK_BYTE		iv[AES_BLOCK_LEN] = { 0 };
1444 	CK_MECHANISM	encrypt_mech = {
1445 		.mechanism = CKM_AES_CMAC,
1446 		.pParameter = iv,
1447 		.ulParameterLen = sizeof (iv)
1448 	};
1449 	CK_RV		rv;
1450 	size_t		mac_len = AES_BLOCK_LEN;
1451 
1452 	if (key_p->key_type != CKK_AES)
1453 		return (CKR_KEY_TYPE_INCONSISTENT);
1454 
1455 	/* C_{Sign,Verify}Init() validate pMechanism != NULL */
1456 	if (pMechanism->mechanism == CKM_AES_CMAC_GENERAL) {
1457 		if (pMechanism->pParameter == NULL) {
1458 			return (CKR_MECHANISM_PARAM_INVALID);
1459 		}
1460 
1461 		mac_len = *(CK_MAC_GENERAL_PARAMS *)pMechanism->pParameter;
1462 
1463 		if (mac_len > AES_BLOCK_LEN) {
1464 			return (CKR_MECHANISM_PARAM_INVALID);
1465 		}
1466 	}
1467 
1468 	ctx = calloc(1, sizeof (*ctx));
1469 	if (ctx == NULL) {
1470 		return (CKR_HOST_MEMORY);
1471 	}
1472 
1473 	rv = soft_aes_check_mech_param(pMechanism, &ctx->aes_ctx);
1474 	if (rv != CKR_OK) {
1475 		soft_aes_free_ctx(ctx->aes_ctx);
1476 		goto done;
1477 	}
1478 
1479 	if ((rv = soft_encrypt_init_internal(session_p, &encrypt_mech,
1480 	    key_p)) != CKR_OK) {
1481 		soft_aes_free_ctx(ctx->aes_ctx);
1482 		goto done;
1483 	}
1484 
1485 	ctx->mac_len = mac_len;
1486 
1487 	(void) pthread_mutex_lock(&session_p->session_mutex);
1488 
1489 	if (sign_op) {
1490 		session_p->sign.context = ctx;
1491 		session_p->sign.mech.mechanism = pMechanism->mechanism;
1492 	} else {
1493 		session_p->verify.context = ctx;
1494 		session_p->verify.mech.mechanism = pMechanism->mechanism;
1495 	}
1496 
1497 	(void) pthread_mutex_unlock(&session_p->session_mutex);
1498 
1499 done:
1500 	if (rv != CKR_OK) {
1501 		soft_aes_free_ctx(ctx->aes_ctx);
1502 		free(ctx);
1503 	}
1504 
1505 	return (rv);
1506 }
1507 
1508 CK_RV
1509 soft_aes_sign_verify_common(soft_session_t *session_p, CK_BYTE_PTR pData,
1510     CK_ULONG ulDataLen, CK_BYTE_PTR pSigned, CK_ULONG_PTR pulSignedLen,
1511     boolean_t sign_op, boolean_t Final)
1512 {
1513 	soft_aes_sign_ctx_t	*soft_aes_ctx_sign_verify;
1514 	CK_RV			rv;
1515 	CK_BYTE			*pEncrypted = NULL;
1516 	CK_ULONG		ulEncryptedLen = AES_BLOCK_LEN;
1517 	CK_BYTE			last_block[AES_BLOCK_LEN];
1518 
1519 	if (sign_op) {
1520 		soft_aes_ctx_sign_verify =
1521 		    (soft_aes_sign_ctx_t *)session_p->sign.context;
1522 
1523 		if (soft_aes_ctx_sign_verify->mac_len == 0) {
1524 			*pulSignedLen = 0;
1525 			goto clean_exit;
1526 		}
1527 
1528 		/* Application asks for the length of the output buffer. */
1529 		if (pSigned == NULL) {
1530 			*pulSignedLen = soft_aes_ctx_sign_verify->mac_len;
1531 			return (CKR_OK);
1532 		}
1533 
1534 		/* Is the application-supplied buffer large enough? */
1535 		if (*pulSignedLen < soft_aes_ctx_sign_verify->mac_len) {
1536 			*pulSignedLen = soft_aes_ctx_sign_verify->mac_len;
1537 			return (CKR_BUFFER_TOO_SMALL);
1538 		}
1539 	} else {
1540 		soft_aes_ctx_sign_verify =
1541 		    (soft_aes_sign_ctx_t *)session_p->verify.context;
1542 	}
1543 
1544 	if (Final) {
1545 		rv = soft_encrypt_final(session_p, last_block,
1546 		    &ulEncryptedLen);
1547 	} else {
1548 		rv = soft_encrypt(session_p, pData, ulDataLen,
1549 		    last_block, &ulEncryptedLen);
1550 	}
1551 
1552 	if (rv == CKR_OK) {
1553 		*pulSignedLen = soft_aes_ctx_sign_verify->mac_len;
1554 
1555 		/* the leftmost mac_len bytes of last_block is our MAC */
1556 		(void) memcpy(pSigned, last_block, *pulSignedLen);
1557 	}
1558 
1559 clean_exit:
1560 
1561 	(void) pthread_mutex_lock(&session_p->session_mutex);
1562 
1563 	/* soft_encrypt_common() has freed the encrypt context */
1564 	if (sign_op) {
1565 		free(session_p->sign.context);
1566 		session_p->sign.context = NULL;
1567 	} else {
1568 		free(session_p->verify.context);
1569 		session_p->verify.context = NULL;
1570 	}
1571 	session_p->encrypt.flags = 0;
1572 
1573 	(void) pthread_mutex_unlock(&session_p->session_mutex);
1574 
1575 	if (pEncrypted) {
1576 		free(pEncrypted);
1577 	}
1578 
1579 	return (rv);
1580 }
1581 
1582 /*
1583  * Called by soft_sign_update()
1584  */
1585 CK_RV
1586 soft_aes_mac_sign_verify_update(soft_session_t *session_p, CK_BYTE_PTR pPart,
1587     CK_ULONG ulPartLen)
1588 {
1589 	CK_BYTE		buf[AES_BLOCK_LEN];
1590 	CK_ULONG	ulEncryptedLen = AES_BLOCK_LEN;
1591 	CK_RV		rv;
1592 
1593 	rv = soft_encrypt_update(session_p, pPart, ulPartLen,
1594 	    buf, &ulEncryptedLen);
1595 	explicit_bzero(buf, sizeof (buf));
1596 
1597 	return (rv);
1598 }
1599 
1600 void
1601 soft_aes_free_ctx(aes_ctx_t *ctx)
1602 {
1603 	size_t len = 0;
1604 
1605 	if (ctx == NULL)
1606 		return;
1607 
1608 	if (ctx->ac_flags & ECB_MODE) {
1609 		len = sizeof (ecb_ctx_t);
1610 	} else if (ctx->ac_flags & (CBC_MODE|CMAC_MODE)) {
1611 		len = sizeof (cbc_ctx_t);
1612 	} else if (ctx->ac_flags & CTR_MODE) {
1613 		len = sizeof (ctr_ctx_t);
1614 	} else if (ctx->ac_flags & CCM_MODE) {
1615 		len = sizeof (ccm_ctx_t);
1616 	} else if (ctx->ac_flags & GCM_MODE) {
1617 		len = sizeof (gcm_ctx_t);
1618 	}
1619 
1620 	freezero(ctx->ac_keysched, ctx->ac_keysched_len);
1621 	freezero(ctx, len);
1622 }
1623