xref: /illumos-gate/usr/src/lib/pkcs11/pkcs11_softtoken/common/softAESCrypt.c (revision 6e6c7d67bf5ba2efa13619acd59395d0f278ee75)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
24  * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
25  */
26 
27 #include <pthread.h>
28 #include <stdlib.h>
29 #include <string.h>
30 #include <strings.h>
31 #include <sys/types.h>
32 #include <security/cryptoki.h>
33 #include <aes_impl.h>
34 #include "softSession.h"
35 #include "softObject.h"
36 #include "softCrypt.h"
37 #include "softOps.h"
38 
39 /*
40  * Allocate context for the active encryption or decryption operation, and
41  * generate AES key schedule to speed up the operation.
42  */
43 CK_RV
44 soft_aes_crypt_init_common(soft_session_t *session_p,
45     CK_MECHANISM_PTR pMechanism, soft_object_t *key_p,
46     boolean_t encrypt)
47 {
48 	size_t size;
49 	soft_aes_ctx_t *soft_aes_ctx;
50 
51 	soft_aes_ctx = calloc(1, sizeof (soft_aes_ctx_t));
52 	if (soft_aes_ctx == NULL) {
53 		return (CKR_HOST_MEMORY);
54 	}
55 
56 	soft_aes_ctx->key_sched = aes_alloc_keysched(&size, 0);
57 
58 	if (soft_aes_ctx->key_sched == NULL) {
59 		free(soft_aes_ctx);
60 		return (CKR_HOST_MEMORY);
61 	}
62 
63 	soft_aes_ctx->keysched_len = size;
64 
65 	(void) pthread_mutex_lock(&session_p->session_mutex);
66 	if (encrypt) {
67 		/* Called by C_EncryptInit. */
68 		session_p->encrypt.context = soft_aes_ctx;
69 		session_p->encrypt.mech.mechanism = pMechanism->mechanism;
70 	} else {
71 		/* Called by C_DecryptInit. */
72 		session_p->decrypt.context = soft_aes_ctx;
73 		session_p->decrypt.mech.mechanism = pMechanism->mechanism;
74 	}
75 	(void) pthread_mutex_unlock(&session_p->session_mutex);
76 
77 	/*
78 	 * If this is a non-sensitive key and it does NOT have
79 	 * a key schedule yet, then allocate one and expand it.
80 	 * Otherwise, if it's a non-sensitive key, and it DOES have
81 	 * a key schedule already attached to it, just copy the
82 	 * pre-expanded schedule to the context and avoid the
83 	 * extra key schedule expansion operation.
84 	 */
85 	if (!(key_p->bool_attr_mask & SENSITIVE_BOOL_ON)) {
86 		if (OBJ_KEY_SCHED(key_p) == NULL) {
87 			void *ks;
88 
89 			(void) pthread_mutex_lock(&key_p->object_mutex);
90 			if (OBJ_KEY_SCHED(key_p) == NULL) {
91 				ks = aes_alloc_keysched(&size, 0);
92 				if (ks == NULL) {
93 					(void) pthread_mutex_unlock(
94 					    &key_p->object_mutex);
95 					free(soft_aes_ctx);
96 					return (CKR_HOST_MEMORY);
97 				}
98 #ifdef	__sparcv9
99 				/* LINTED */
100 				aes_init_keysched(OBJ_SEC_VALUE(key_p), (uint_t)
101 				    (OBJ_SEC_VALUE_LEN(key_p) * 8), ks);
102 #else	/* !__sparcv9 */
103 				aes_init_keysched(OBJ_SEC_VALUE(key_p),
104 				    (OBJ_SEC_VALUE_LEN(key_p) * 8), ks);
105 #endif	/* __sparcv9 */
106 				OBJ_KEY_SCHED_LEN(key_p) = size;
107 				OBJ_KEY_SCHED(key_p) = ks;
108 			}
109 			(void) pthread_mutex_unlock(&key_p->object_mutex);
110 		}
111 		(void) memcpy(soft_aes_ctx->key_sched, OBJ_KEY_SCHED(key_p),
112 		    OBJ_KEY_SCHED_LEN(key_p));
113 		soft_aes_ctx->keysched_len = OBJ_KEY_SCHED_LEN(key_p);
114 	} else {
115 		/*
116 		 * Initialize key schedule for AES. aes_init_keysched()
117 		 * requires key length in bits.
118 		 */
119 #ifdef	__sparcv9
120 		/* LINTED */
121 		aes_init_keysched(OBJ_SEC_VALUE(key_p), (uint_t)
122 		    (OBJ_SEC_VALUE_LEN(key_p) * 8), soft_aes_ctx->key_sched);
123 #else	/* !__sparcv9 */
124 		aes_init_keysched(OBJ_SEC_VALUE(key_p),
125 		    (OBJ_SEC_VALUE_LEN(key_p) * 8), soft_aes_ctx->key_sched);
126 #endif	/* __sparcv9 */
127 	}
128 	return (CKR_OK);
129 }
130 
131 
132 /*
133  * soft_aes_encrypt_common()
134  *
135  * Arguments:
136  *      session_p:	pointer to soft_session_t struct
137  *	pData:		pointer to the input data to be encrypted
138  *	ulDataLen:	length of the input data
139  *	pEncrypted:	pointer to the output data after encryption
140  *	pulEncryptedLen: pointer to the length of the output data
141  *	update:		boolean flag indicates caller is soft_encrypt
142  *			or soft_encrypt_update
143  *
144  * Description:
145  *      This function calls the corresponding encrypt routine based
146  *	on the mechanism.
147  *
148  * Returns:
149  *      CKR_OK: success
150  *      CKR_BUFFER_TOO_SMALL: the output buffer provided by application
151  *			      is too small
152  *	CKR_FUNCTION_FAILED: encrypt function failed
153  *	CKR_DATA_LEN_RANGE: the input data is not a multiple of blocksize
154  */
155 CK_RV
156 soft_aes_encrypt_common(soft_session_t *session_p, CK_BYTE_PTR pData,
157     CK_ULONG ulDataLen, CK_BYTE_PTR pEncrypted,
158     CK_ULONG_PTR pulEncryptedLen, boolean_t update)
159 {
160 
161 	int rc = 0;
162 	CK_RV rv = CKR_OK;
163 	soft_aes_ctx_t *soft_aes_ctx =
164 	    (soft_aes_ctx_t *)session_p->encrypt.context;
165 	aes_ctx_t *aes_ctx;
166 	CK_MECHANISM_TYPE mechanism = session_p->encrypt.mech.mechanism;
167 	CK_BYTE *in_buf = NULL;
168 	CK_BYTE *out_buf = NULL;
169 	CK_ULONG out_len;
170 	CK_ULONG total_len;
171 	CK_ULONG remain;
172 
173 	if (mechanism == CKM_AES_CTR)
174 		goto do_encryption;
175 
176 	/*
177 	 * AES only takes input length that is a multiple of blocksize
178 	 * for C_Encrypt function with the mechanism CKM_AES_ECB or
179 	 * CKM_AES_CBC.
180 	 *
181 	 * AES allows any input length for C_Encrypt function with the
182 	 * mechanism CKM_AES_CBC_PAD and for C_EncryptUpdate function.
183 	 */
184 	if ((!update) && (mechanism != CKM_AES_CBC_PAD) &&
185 	    (mechanism != CKM_AES_CMAC)) {
186 		if ((ulDataLen % AES_BLOCK_LEN) != 0) {
187 			rv = CKR_DATA_LEN_RANGE;
188 			goto cleanup;
189 		}
190 	}
191 
192 	if (!update) {
193 		/*
194 		 * Called by C_Encrypt
195 		 */
196 		if (mechanism == CKM_AES_CBC_PAD) {
197 			/*
198 			 * For CKM_AES_CBC_PAD, compute output length to
199 			 * count for the padding. If the length of input
200 			 * data is a multiple of blocksize, then make output
201 			 * length to be the sum of the input length and
202 			 * one blocksize. Otherwise, output length will
203 			 * be rounded up to the next multiple of blocksize.
204 			 */
205 			out_len = AES_BLOCK_LEN *
206 			    (ulDataLen / AES_BLOCK_LEN + 1);
207 		} else if (mechanism == CKM_AES_CMAC) {
208 			out_len = AES_BLOCK_LEN;
209 		} else {
210 			/*
211 			 * For non-padding mode, the output length will
212 			 * be same as the input length.
213 			 */
214 			out_len = ulDataLen;
215 		}
216 
217 		/*
218 		 * If application asks for the length of the output buffer
219 		 * to hold the ciphertext?
220 		 */
221 		if (pEncrypted == NULL) {
222 			*pulEncryptedLen = out_len;
223 			return (CKR_OK);
224 		}
225 
226 		/* Is the application-supplied buffer large enough? */
227 		if (*pulEncryptedLen < out_len) {
228 			*pulEncryptedLen = out_len;
229 			return (CKR_BUFFER_TOO_SMALL);
230 		}
231 
232 		/* Encrypt pad bytes in a separate operation */
233 		if (mechanism == CKM_AES_CBC_PAD) {
234 			out_len -= AES_BLOCK_LEN;
235 		}
236 
237 		in_buf = pData;
238 		out_buf = pEncrypted;
239 	} else {
240 		/*
241 		 * Called by C_EncryptUpdate
242 		 *
243 		 * Add the lengths of last remaining data and current
244 		 * plaintext together to get the total input length.
245 		 */
246 		total_len = soft_aes_ctx->remain_len + ulDataLen;
247 
248 		/*
249 		 * If the total input length is less than one blocksize,
250 		 * or if the total input length is just one blocksize and
251 		 * the mechanism is CKM_AES_CBC_PAD, we will need to delay
252 		 * encryption until when more data comes in next
253 		 * C_EncryptUpdate or when C_EncryptFinal is called.
254 		 */
255 		out_buf = pEncrypted;
256 
257 		/*
258 		 * We prefer to let the underlying implementation of CMAC handle
259 		 * the storing of extra bytes, and no data is output until
260 		 * *_final, so skip that part of the following validation.
261 		 */
262 		if (mechanism == CKM_AES_CMAC) {
263 			if (pEncrypted == NULL) {
264 				*pulEncryptedLen = ulDataLen;
265 				return (CKR_OK);
266 			}
267 
268 			remain = 0;
269 			in_buf = pData;
270 			goto do_encryption;
271 		}
272 
273 		if ((total_len < AES_BLOCK_LEN) ||
274 		    ((mechanism == CKM_AES_CBC_PAD) &&
275 		    (total_len == AES_BLOCK_LEN))) {
276 			if (pEncrypted != NULL) {
277 				/*
278 				 * Save input data and its length in
279 				 * the remaining buffer of AES context.
280 				 */
281 				(void) memcpy(soft_aes_ctx->data +
282 				    soft_aes_ctx->remain_len, pData, ulDataLen);
283 				soft_aes_ctx->remain_len += ulDataLen;
284 			}
285 
286 			/* Set encrypted data length to 0. */
287 			*pulEncryptedLen = 0;
288 			return (CKR_OK);
289 		}
290 
291 		/* Compute the length of remaing data. */
292 		remain = total_len % AES_BLOCK_LEN;
293 
294 		/*
295 		 * Make sure that the output length is a multiple of
296 		 * blocksize.
297 		 */
298 		out_len = total_len - remain;
299 
300 		/*
301 		 * If application asks for the length of the output buffer
302 		 * to hold the ciphertext?
303 		 */
304 		if (pEncrypted == NULL) {
305 			*pulEncryptedLen = out_len;
306 			return (CKR_OK);
307 		}
308 
309 		/* Is the application-supplied buffer large enough? */
310 		if (*pulEncryptedLen < out_len) {
311 			*pulEncryptedLen = out_len;
312 			return (CKR_BUFFER_TOO_SMALL);
313 		}
314 
315 		if (soft_aes_ctx->remain_len != 0) {
316 			/*
317 			 * Copy last remaining data and current input data
318 			 * to the output buffer.
319 			 */
320 			(void) memmove(pEncrypted + soft_aes_ctx->remain_len,
321 			    pData, out_len - soft_aes_ctx->remain_len);
322 			(void) memcpy(pEncrypted, soft_aes_ctx->data,
323 			    soft_aes_ctx->remain_len);
324 			bzero(soft_aes_ctx->data, soft_aes_ctx->remain_len);
325 
326 			in_buf = pEncrypted;
327 		} else {
328 			in_buf = pData;
329 		}
330 	}
331 
332 do_encryption:
333 	/*
334 	 * Begin Encryption now.
335 	 */
336 	switch (mechanism) {
337 
338 	case CKM_AES_ECB:
339 	{
340 
341 		ulong_t i;
342 		uint8_t *tmp_inbuf;
343 		uint8_t *tmp_outbuf;
344 
345 		for (i = 0; i < out_len; i += AES_BLOCK_LEN) {
346 			tmp_inbuf = &in_buf[i];
347 			tmp_outbuf = &out_buf[i];
348 			/* Crunch one block of data for AES. */
349 			(void) aes_encrypt_block(soft_aes_ctx->key_sched,
350 			    tmp_inbuf, tmp_outbuf);
351 		}
352 
353 		if (update) {
354 			/*
355 			 * For encrypt update, if there is a remaining
356 			 * data, save it and its length in the context.
357 			 */
358 			if (remain != 0)
359 				(void) memcpy(soft_aes_ctx->data, pData +
360 				    (ulDataLen - remain), remain);
361 			soft_aes_ctx->remain_len = remain;
362 		}
363 
364 		*pulEncryptedLen = out_len;
365 
366 		break;
367 	}
368 
369 	case CKM_AES_CMAC:
370 		out_len = ulDataLen;
371 		/*FALLTHRU*/
372 	case CKM_AES_CBC:
373 	case CKM_AES_CBC_PAD:
374 	{
375 		crypto_data_t out;
376 
377 		out.cd_format = CRYPTO_DATA_RAW;
378 		out.cd_offset = 0;
379 		out.cd_length = out_len;
380 		out.cd_raw.iov_base = (char *)out_buf;
381 		out.cd_raw.iov_len = out_len;
382 
383 		/* Encrypt multiple blocks of data. */
384 		rc = aes_encrypt_contiguous_blocks(
385 		    (aes_ctx_t *)soft_aes_ctx->aes_cbc,
386 		    (char *)in_buf, out_len, &out);
387 
388 		if (rc != 0)
389 			goto encrypt_failed;
390 
391 		if (update) {
392 			/*
393 			 * For encrypt update, if there is remaining data,
394 			 * save it and its length in the context.
395 			 */
396 			if (remain != 0)
397 				(void) memcpy(soft_aes_ctx->data, pData +
398 				    (ulDataLen - remain), remain);
399 			soft_aes_ctx->remain_len = remain;
400 		} else if (mechanism == CKM_AES_CBC_PAD) {
401 			/*
402 			 * Save the remainder of the input
403 			 * block in a temporary block because
404 			 * we dont want to overrun the buffer
405 			 * by tacking on pad bytes.
406 			 */
407 			CK_BYTE tmpblock[AES_BLOCK_LEN];
408 			(void) memcpy(tmpblock, in_buf + out_len,
409 			    ulDataLen - out_len);
410 			soft_add_pkcs7_padding(tmpblock +
411 			    (ulDataLen - out_len),
412 			    AES_BLOCK_LEN, ulDataLen - out_len);
413 
414 			out.cd_offset = out_len;
415 			out.cd_length = AES_BLOCK_LEN;
416 			out.cd_raw.iov_base = (char *)out_buf;
417 			out.cd_raw.iov_len = out_len + AES_BLOCK_LEN;
418 
419 			/* Encrypt last block containing pad bytes. */
420 			rc = aes_encrypt_contiguous_blocks(
421 			    (aes_ctx_t *)soft_aes_ctx->aes_cbc,
422 			    (char *)tmpblock, AES_BLOCK_LEN, &out);
423 
424 			out_len += AES_BLOCK_LEN;
425 		} else if (mechanism == CKM_AES_CMAC) {
426 			out.cd_length = AES_BLOCK_LEN;
427 			out.cd_raw.iov_base = (char *)out_buf;
428 			out.cd_raw.iov_len = AES_BLOCK_LEN;
429 
430 			rc = cmac_mode_final(soft_aes_ctx->aes_cbc, &out,
431 			    aes_encrypt_block, aes_xor_block);
432 		}
433 
434 		if (rc == 0) {
435 			*pulEncryptedLen = out_len;
436 			break;
437 		}
438 encrypt_failed:
439 		*pulEncryptedLen = 0;
440 		rv = CKR_FUNCTION_FAILED;
441 		goto cleanup;
442 	}
443 	case CKM_AES_CTR:
444 	{
445 		crypto_data_t out;
446 
447 		out.cd_format = CRYPTO_DATA_RAW;
448 		out.cd_offset = 0;
449 		out.cd_length = *pulEncryptedLen;
450 		out.cd_raw.iov_base = (char *)pEncrypted;
451 		out.cd_raw.iov_len = *pulEncryptedLen;
452 
453 		rc = aes_encrypt_contiguous_blocks(soft_aes_ctx->aes_cbc,
454 		    (char *)pData, ulDataLen, &out);
455 
456 		if (rc != 0) {
457 			*pulEncryptedLen = 0;
458 			rv = CKR_FUNCTION_FAILED;
459 			goto cleanup;
460 		}
461 		/*
462 		 * Since AES counter mode is a stream cipher, we call
463 		 * aes_counter_final() to pick up any remaining bytes.
464 		 * It is an internal function that does not destroy
465 		 * the context like *normal* final routines.
466 		 */
467 		if (((aes_ctx_t *)soft_aes_ctx->aes_cbc)->ac_remainder_len > 0)
468 			rc = ctr_mode_final(soft_aes_ctx->aes_cbc, &out,
469 			    aes_encrypt_block);
470 
471 		/*
472 		 * Even though success means we've encrypted all of the input,
473 		 * we should still behave like the other functions and return
474 		 * the encrypted length in pulEncryptedLen
475 		 */
476 		*pulEncryptedLen = ulDataLen;
477 	}
478 	} /* end switch */
479 
480 	if (update)
481 		return (CKR_OK);
482 
483 	/*
484 	 * The following code will be executed if the caller is
485 	 * soft_encrypt() or an error occurred. The encryption
486 	 * operation will be terminated so we need to do some cleanup.
487 	 */
488 cleanup:
489 	(void) pthread_mutex_lock(&session_p->session_mutex);
490 	aes_ctx = (aes_ctx_t *)soft_aes_ctx->aes_cbc;
491 	if (aes_ctx != NULL) {
492 		bzero(aes_ctx->ac_keysched, aes_ctx->ac_keysched_len);
493 		free(soft_aes_ctx->aes_cbc);
494 	}
495 
496 	bzero(soft_aes_ctx->key_sched, soft_aes_ctx->keysched_len);
497 	free(soft_aes_ctx->key_sched);
498 	free(session_p->encrypt.context);
499 	session_p->encrypt.context = NULL;
500 	(void) pthread_mutex_unlock(&session_p->session_mutex);
501 
502 	return (rv);
503 }
504 
505 
506 /*
507  * soft_aes_decrypt_common()
508  *
509  * Arguments:
510  *      session_p:	pointer to soft_session_t struct
511  *	pEncrypted:	pointer to the input data to be decrypted
512  *	ulEncryptedLen:	length of the input data
513  *	pData:		pointer to the output data
514  *	pulDataLen:	pointer to the length of the output data
515  *	Update:		boolean flag indicates caller is soft_decrypt
516  *			or soft_decrypt_update
517  *
518  * Description:
519  *      This function calls the corresponding decrypt routine based
520  *	on the mechanism.
521  *
522  * Returns:
523  *      CKR_OK: success
524  *      CKR_BUFFER_TOO_SMALL: the output buffer provided by application
525  *			      is too small
526  *	CKR_ENCRYPTED_DATA_LEN_RANGE: the input data is not a multiple
527  *				      of blocksize
528  *	CKR_FUNCTION_FAILED: decrypt function failed
529  */
530 CK_RV
531 soft_aes_decrypt_common(soft_session_t *session_p, CK_BYTE_PTR pEncrypted,
532     CK_ULONG ulEncryptedLen, CK_BYTE_PTR pData,
533     CK_ULONG_PTR pulDataLen, boolean_t update)
534 {
535 
536 	int rc = 0;
537 	CK_RV rv = CKR_OK;
538 	soft_aes_ctx_t *soft_aes_ctx =
539 	    (soft_aes_ctx_t *)session_p->decrypt.context;
540 	aes_ctx_t *aes_ctx;
541 	CK_MECHANISM_TYPE mechanism = session_p->decrypt.mech.mechanism;
542 	CK_BYTE *in_buf = NULL;
543 	CK_BYTE *out_buf = NULL;
544 	CK_ULONG out_len;
545 	CK_ULONG total_len;
546 	CK_ULONG remain;
547 
548 	if (mechanism == CKM_AES_CTR)
549 		goto do_decryption;
550 
551 	/*
552 	 * AES only takes input length that is a multiple of 16 bytes
553 	 * for C_Decrypt function with the mechanism CKM_AES_ECB,
554 	 * CKM_AES_CBC or CKM_AES_CBC_PAD.
555 	 *
556 	 * AES allows any input length for C_DecryptUpdate function.
557 	 */
558 	if (!update) {
559 		/*
560 		 * Called by C_Decrypt
561 		 */
562 		if ((ulEncryptedLen % AES_BLOCK_LEN) != 0) {
563 			rv = CKR_ENCRYPTED_DATA_LEN_RANGE;
564 			goto cleanup;
565 		}
566 
567 		/*
568 		 * If application asks for the length of the output buffer
569 		 * to hold the plaintext?
570 		 */
571 		if (pData == NULL) {
572 			*pulDataLen = ulEncryptedLen;
573 			return (CKR_OK);
574 		}
575 
576 		/* Is the application-supplied buffer large enough? */
577 		if (mechanism != CKM_AES_CBC_PAD) {
578 			if (*pulDataLen < ulEncryptedLen) {
579 				*pulDataLen = ulEncryptedLen;
580 				return (CKR_BUFFER_TOO_SMALL);
581 			}
582 			out_len = ulEncryptedLen;
583 		} else {
584 			/*
585 			 * For CKM_AES_CBC_PAD, we don't know how
586 			 * many bytes for padding at this time, so
587 			 * we'd assume one block was padded.
588 			 */
589 			if (*pulDataLen < (ulEncryptedLen - AES_BLOCK_LEN)) {
590 				*pulDataLen = ulEncryptedLen - AES_BLOCK_LEN;
591 				return (CKR_BUFFER_TOO_SMALL);
592 			}
593 			out_len = ulEncryptedLen - AES_BLOCK_LEN;
594 		}
595 		in_buf = pEncrypted;
596 		out_buf = pData;
597 	} else {
598 		/*
599 		 *  Called by C_DecryptUpdate
600 		 *
601 		 * Add the lengths of last remaining data and current
602 		 * input data together to get the total input length.
603 		 */
604 		total_len = soft_aes_ctx->remain_len + ulEncryptedLen;
605 
606 		/*
607 		 * If the total input length is less than one blocksize,
608 		 * or if the total input length is just one blocksize and
609 		 * the mechanism is CKM_AES_CBC_PAD, we will need to delay
610 		 * decryption until when more data comes in next
611 		 * C_DecryptUpdate or when C_DecryptFinal is called.
612 		 */
613 		if ((total_len < AES_BLOCK_LEN) ||
614 		    ((mechanism == CKM_AES_CBC_PAD) &&
615 		    (total_len == AES_BLOCK_LEN))) {
616 			if (pData != NULL) {
617 				/*
618 				 * Save input data and its length in
619 				 * the remaining buffer of AES context.
620 				 */
621 				(void) memcpy(soft_aes_ctx->data +
622 				    soft_aes_ctx->remain_len,
623 				    pEncrypted, ulEncryptedLen);
624 				soft_aes_ctx->remain_len += ulEncryptedLen;
625 			}
626 
627 			/* Set output data length to 0. */
628 			*pulDataLen = 0;
629 			return (CKR_OK);
630 		}
631 
632 		/* Compute the length of remaing data. */
633 		remain = total_len % AES_BLOCK_LEN;
634 
635 		/*
636 		 * Make sure that the output length is a multiple of
637 		 * blocksize.
638 		 */
639 		out_len = total_len - remain;
640 
641 		if (mechanism == CKM_AES_CBC_PAD) {
642 			/*
643 			 * If the input data length is a multiple of
644 			 * blocksize, then save the last block of input
645 			 * data in the remaining buffer. C_DecryptFinal
646 			 * will handle this last block of data.
647 			 */
648 			if (remain == 0) {
649 				remain = AES_BLOCK_LEN;
650 				out_len -= AES_BLOCK_LEN;
651 			}
652 		}
653 
654 		/*
655 		 * If application asks for the length of the output buffer
656 		 * to hold the plaintext?
657 		 */
658 		if (pData == NULL) {
659 			*pulDataLen = out_len;
660 			return (CKR_OK);
661 		}
662 
663 		/*
664 		 * Is the application-supplied buffer large enough?
665 		 */
666 		if (*pulDataLen < out_len) {
667 			*pulDataLen = out_len;
668 			return (CKR_BUFFER_TOO_SMALL);
669 		}
670 
671 		if (soft_aes_ctx->remain_len != 0) {
672 			/*
673 			 * Copy last remaining data and current input data
674 			 * to the output buffer.
675 			 */
676 			(void) memmove(pData + soft_aes_ctx->remain_len,
677 			    pEncrypted, out_len - soft_aes_ctx->remain_len);
678 			(void) memcpy(pData, soft_aes_ctx->data,
679 			    soft_aes_ctx->remain_len);
680 			bzero(soft_aes_ctx->data, soft_aes_ctx->remain_len);
681 
682 			in_buf = pData;
683 		} else {
684 			in_buf = pEncrypted;
685 		}
686 		out_buf = pData;
687 	}
688 
689 do_decryption:
690 	/*
691 	 * Begin Decryption.
692 	 */
693 	switch (mechanism) {
694 
695 	case CKM_AES_ECB:
696 	{
697 
698 		ulong_t i;
699 		uint8_t *tmp_inbuf;
700 		uint8_t *tmp_outbuf;
701 
702 		for (i = 0; i < out_len; i += AES_BLOCK_LEN) {
703 			tmp_inbuf = &in_buf[i];
704 			tmp_outbuf = &out_buf[i];
705 			/* Crunch one block of data for AES. */
706 			(void) aes_decrypt_block(soft_aes_ctx->key_sched,
707 			    tmp_inbuf, tmp_outbuf);
708 		}
709 
710 		if (update) {
711 			/*
712 			 * For decrypt update, if there is a remaining
713 			 * data, save it and its length in the context.
714 			 */
715 			if (remain != 0)
716 				(void) memcpy(soft_aes_ctx->data, pEncrypted +
717 				    (ulEncryptedLen - remain), remain);
718 			soft_aes_ctx->remain_len = remain;
719 		}
720 
721 		*pulDataLen = out_len;
722 
723 		break;
724 	}
725 
726 	case CKM_AES_CBC:
727 	case CKM_AES_CBC_PAD:
728 	{
729 		crypto_data_t out;
730 		CK_ULONG rem_len;
731 		uint8_t last_block[AES_BLOCK_LEN];
732 
733 		out.cd_format = CRYPTO_DATA_RAW;
734 		out.cd_offset = 0;
735 		out.cd_length = out_len;
736 		out.cd_raw.iov_base = (char *)out_buf;
737 		out.cd_raw.iov_len = out_len;
738 
739 		/* Decrypt multiple blocks of data. */
740 		rc = aes_decrypt_contiguous_blocks(
741 		    (aes_ctx_t *)soft_aes_ctx->aes_cbc,
742 		    (char *)in_buf, out_len, &out);
743 
744 		if (rc != 0)
745 			goto decrypt_failed;
746 
747 		if ((mechanism == CKM_AES_CBC_PAD) && (!update)) {
748 			/* Decrypt last block containing pad bytes. */
749 			out.cd_offset = 0;
750 			out.cd_length = AES_BLOCK_LEN;
751 			out.cd_raw.iov_base = (char *)last_block;
752 			out.cd_raw.iov_len = AES_BLOCK_LEN;
753 
754 			/* Decrypt last block containing pad bytes. */
755 			rc = aes_decrypt_contiguous_blocks(
756 			    (aes_ctx_t *)soft_aes_ctx->aes_cbc,
757 			    (char *)in_buf + out_len, AES_BLOCK_LEN, &out);
758 
759 			if (rc != 0)
760 				goto decrypt_failed;
761 
762 			/*
763 			 * Remove padding bytes after decryption of
764 			 * ciphertext block to produce the original
765 			 * plaintext.
766 			 */
767 			rv = soft_remove_pkcs7_padding(last_block,
768 			    AES_BLOCK_LEN, &rem_len);
769 			if (rv == CKR_OK) {
770 				if (rem_len != 0)
771 					(void) memcpy(out_buf + out_len,
772 					    last_block, rem_len);
773 				*pulDataLen = out_len + rem_len;
774 			} else {
775 				*pulDataLen = 0;
776 				goto cleanup;
777 			}
778 		} else {
779 			*pulDataLen = out_len;
780 		}
781 
782 		if (update) {
783 			/*
784 			 * For decrypt update, if there is remaining data,
785 			 * save it and its length in the context.
786 			 */
787 			if (remain != 0)
788 				(void) memcpy(soft_aes_ctx->data, pEncrypted +
789 				    (ulEncryptedLen - remain), remain);
790 			soft_aes_ctx->remain_len = remain;
791 		}
792 
793 		if (rc == 0)
794 			break;
795 decrypt_failed:
796 		*pulDataLen = 0;
797 		rv = CKR_FUNCTION_FAILED;
798 		goto cleanup;
799 	}
800 	case CKM_AES_CTR:
801 	{
802 		crypto_data_t out;
803 
804 		out.cd_format = CRYPTO_DATA_RAW;
805 		out.cd_offset = 0;
806 		out.cd_length = *pulDataLen;
807 		out.cd_raw.iov_base = (char *)pData;
808 		out.cd_raw.iov_len = *pulDataLen;
809 
810 		rc = aes_decrypt_contiguous_blocks(soft_aes_ctx->aes_cbc,
811 		    (char *)pEncrypted, ulEncryptedLen, &out);
812 
813 		if (rc != 0) {
814 			*pulDataLen = 0;
815 			rv = CKR_FUNCTION_FAILED;
816 			goto cleanup;
817 		}
818 
819 		/*
820 		 * Since AES counter mode is a stream cipher, we call
821 		 * aes_counter_final() to pick up any remaining bytes.
822 		 * It is an internal function that does not destroy
823 		 * the context like *normal* final routines.
824 		 */
825 		if (((aes_ctx_t *)soft_aes_ctx->aes_cbc)->ac_remainder_len
826 		    > 0) {
827 			rc = ctr_mode_final(soft_aes_ctx->aes_cbc, &out,
828 			    aes_encrypt_block);
829 			if (rc == CRYPTO_DATA_LEN_RANGE)
830 				rc = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
831 		}
832 
833 		/*
834 		 * Even though success means we've decrypted all of the input,
835 		 * we should still behave like the other functions and return
836 		 * the decrypted length in pulDataLen
837 		 */
838 		*pulDataLen = ulEncryptedLen;
839 
840 	}
841 	} /* end switch */
842 
843 	if (update)
844 		return (CKR_OK);
845 
846 	/*
847 	 * The following code will be executed if the caller is
848 	 * soft_decrypt() or an error occurred. The decryption
849 	 * operation will be terminated so we need to do some cleanup.
850 	 */
851 cleanup:
852 	(void) pthread_mutex_lock(&session_p->session_mutex);
853 	aes_ctx = (aes_ctx_t *)soft_aes_ctx->aes_cbc;
854 	if (aes_ctx != NULL) {
855 		bzero(aes_ctx->ac_keysched, aes_ctx->ac_keysched_len);
856 		free(soft_aes_ctx->aes_cbc);
857 	}
858 
859 	bzero(soft_aes_ctx->key_sched, soft_aes_ctx->keysched_len);
860 	free(soft_aes_ctx->key_sched);
861 	free(session_p->decrypt.context);
862 	session_p->decrypt.context = NULL;
863 	(void) pthread_mutex_unlock(&session_p->session_mutex);
864 
865 	return (rv);
866 }
867 
868 
869 /*
870  * Allocate and initialize a context for AES CBC mode of operation.
871  */
872 void *
873 aes_cbc_ctx_init(void *key_sched, size_t size, uint8_t *ivec)
874 {
875 
876 	cbc_ctx_t *cbc_ctx;
877 
878 	if ((cbc_ctx = calloc(1, sizeof (cbc_ctx_t))) == NULL)
879 		return (NULL);
880 
881 	cbc_ctx->cbc_keysched = key_sched;
882 	cbc_ctx->cbc_keysched_len = size;
883 
884 	(void) memcpy(&cbc_ctx->cbc_iv[0], ivec, AES_BLOCK_LEN);
885 
886 	cbc_ctx->cbc_lastp = (uint8_t *)cbc_ctx->cbc_iv;
887 	cbc_ctx->cbc_flags |= CBC_MODE;
888 	cbc_ctx->max_remain = AES_BLOCK_LEN;
889 
890 	return (cbc_ctx);
891 }
892 
893 void *
894 aes_cmac_ctx_init(void *key_sched, size_t size)
895 {
896 
897 	cbc_ctx_t *cbc_ctx;
898 
899 	if ((cbc_ctx = calloc(1, sizeof (cbc_ctx_t))) == NULL)
900 		return (NULL);
901 
902 	cbc_ctx->cbc_keysched = key_sched;
903 	cbc_ctx->cbc_keysched_len = size;
904 
905 	cbc_ctx->cbc_lastp = (uint8_t *)cbc_ctx->cbc_iv;
906 	cbc_ctx->cbc_flags |= CMAC_MODE;
907 	cbc_ctx->max_remain = AES_BLOCK_LEN + 1;
908 
909 	return (cbc_ctx);
910 }
911 
912 /*
913  * Allocate and initialize a context for AES CTR mode of operation.
914  */
915 void *
916 aes_ctr_ctx_init(void *key_sched, size_t size, uint8_t *param)
917 {
918 
919 	ctr_ctx_t *ctr_ctx;
920 	CK_AES_CTR_PARAMS *pp;
921 
922 	/* LINTED: pointer alignment */
923 	pp = (CK_AES_CTR_PARAMS *)param;
924 
925 	if ((ctr_ctx = calloc(1, sizeof (ctr_ctx_t))) == NULL)
926 		return (NULL);
927 
928 	ctr_ctx->ctr_keysched = key_sched;
929 	ctr_ctx->ctr_keysched_len = size;
930 
931 	if (ctr_init_ctx(ctr_ctx, pp->ulCounterBits, pp->cb, aes_copy_block)
932 	    != CRYPTO_SUCCESS) {
933 		free(ctr_ctx);
934 		return (NULL);
935 	}
936 
937 	return (ctr_ctx);
938 }
939 
940 /*
941  * Allocate and initialize AES contexts for both signing and encrypting,
942  * saving both context pointers in the session struct. For general-length AES
943  * MAC, check the length in the parameter to see if it is in the right range.
944  */
945 CK_RV
946 soft_aes_sign_verify_init_common(soft_session_t *session_p,
947     CK_MECHANISM_PTR pMechanism, soft_object_t *key_p, boolean_t sign_op)
948 {
949 	soft_aes_ctx_t	*soft_aes_ctx;
950 	CK_MECHANISM	encrypt_mech;
951 	CK_RV rv;
952 
953 	if (key_p->key_type != CKK_AES) {
954 		return (CKR_KEY_TYPE_INCONSISTENT);
955 	}
956 
957 	/* allocate memory for the sign/verify context */
958 	soft_aes_ctx = malloc(sizeof (soft_aes_ctx_t));
959 	if (soft_aes_ctx == NULL) {
960 		return (CKR_HOST_MEMORY);
961 	}
962 
963 	/* initialization vector is zero for AES CMAC */
964 	bzero(soft_aes_ctx->ivec, AES_BLOCK_LEN);
965 
966 	switch (pMechanism->mechanism) {
967 
968 	case CKM_AES_CMAC_GENERAL:
969 
970 		if (pMechanism->ulParameterLen !=
971 		    sizeof (CK_MAC_GENERAL_PARAMS)) {
972 			free(soft_aes_ctx);
973 			return (CKR_MECHANISM_PARAM_INVALID);
974 		}
975 
976 		if (*(CK_MAC_GENERAL_PARAMS *)pMechanism->pParameter >
977 		    AES_BLOCK_LEN) {
978 			free(soft_aes_ctx);
979 			return (CKR_MECHANISM_PARAM_INVALID);
980 		}
981 
982 		soft_aes_ctx->mac_len = *((CK_MAC_GENERAL_PARAMS_PTR)
983 		    pMechanism->pParameter);
984 
985 		/*FALLTHRU*/
986 	case CKM_AES_CMAC:
987 
988 		/*
989 		 * For non-general AES MAC, output is always block size
990 		 */
991 		if (pMechanism->mechanism == CKM_AES_CMAC) {
992 			soft_aes_ctx->mac_len = AES_BLOCK_LEN;
993 		}
994 
995 		/* allocate a context for AES encryption */
996 		encrypt_mech.mechanism = CKM_AES_CMAC;
997 		encrypt_mech.pParameter = (void *)soft_aes_ctx->ivec;
998 		encrypt_mech.ulParameterLen = AES_BLOCK_LEN;
999 		rv = soft_encrypt_init_internal(session_p, &encrypt_mech,
1000 		    key_p);
1001 		if (rv != CKR_OK) {
1002 			free(soft_aes_ctx);
1003 			return (rv);
1004 		}
1005 
1006 		(void) pthread_mutex_lock(&session_p->session_mutex);
1007 
1008 		if (sign_op) {
1009 			session_p->sign.context = soft_aes_ctx;
1010 			session_p->sign.mech.mechanism = pMechanism->mechanism;
1011 		} else {
1012 			session_p->verify.context = soft_aes_ctx;
1013 			session_p->verify.mech.mechanism =
1014 			    pMechanism->mechanism;
1015 		}
1016 
1017 		(void) pthread_mutex_unlock(&session_p->session_mutex);
1018 
1019 		break;
1020 	}
1021 	return (CKR_OK);
1022 }
1023 
1024 /*
1025  * Called by soft_sign(), soft_sign_final(), soft_verify() or
1026  * soft_verify_final().
1027  */
1028 CK_RV
1029 soft_aes_sign_verify_common(soft_session_t *session_p, CK_BYTE_PTR pData,
1030     CK_ULONG ulDataLen, CK_BYTE_PTR pSigned, CK_ULONG_PTR pulSignedLen,
1031     boolean_t sign_op, boolean_t Final)
1032 {
1033 	soft_aes_ctx_t		*soft_aes_ctx_sign_verify;
1034 	CK_RV			rv;
1035 	CK_BYTE			*pEncrypted = NULL;
1036 	CK_ULONG		ulEncryptedLen = AES_BLOCK_LEN;
1037 	CK_BYTE			last_block[AES_BLOCK_LEN];
1038 
1039 	if (sign_op) {
1040 		soft_aes_ctx_sign_verify =
1041 		    (soft_aes_ctx_t *)session_p->sign.context;
1042 
1043 		if (soft_aes_ctx_sign_verify->mac_len == 0) {
1044 			*pulSignedLen = 0;
1045 			goto clean_exit;
1046 		}
1047 
1048 		/* Application asks for the length of the output buffer. */
1049 		if (pSigned == NULL) {
1050 			*pulSignedLen = soft_aes_ctx_sign_verify->mac_len;
1051 			return (CKR_OK);
1052 		}
1053 
1054 		/* Is the application-supplied buffer large enough? */
1055 		if (*pulSignedLen < soft_aes_ctx_sign_verify->mac_len) {
1056 			*pulSignedLen = soft_aes_ctx_sign_verify->mac_len;
1057 			return (CKR_BUFFER_TOO_SMALL);
1058 		}
1059 	} else {
1060 		soft_aes_ctx_sign_verify =
1061 		    (soft_aes_ctx_t *)session_p->verify.context;
1062 	}
1063 
1064 	if (Final) {
1065 		rv = soft_encrypt_final(session_p, last_block,
1066 		    &ulEncryptedLen);
1067 	} else {
1068 		rv = soft_encrypt(session_p, pData, ulDataLen,
1069 		    last_block, &ulEncryptedLen);
1070 	}
1071 
1072 	if (rv == CKR_OK) {
1073 		*pulSignedLen = soft_aes_ctx_sign_verify->mac_len;
1074 
1075 		/* the leftmost mac_len bytes of last_block is our MAC */
1076 		(void) memcpy(pSigned, last_block, *pulSignedLen);
1077 	}
1078 
1079 clean_exit:
1080 
1081 	(void) pthread_mutex_lock(&session_p->session_mutex);
1082 
1083 	/* soft_encrypt_common() has freed the encrypt context */
1084 	if (sign_op) {
1085 		free(session_p->sign.context);
1086 		session_p->sign.context = NULL;
1087 	} else {
1088 		free(session_p->verify.context);
1089 		session_p->verify.context = NULL;
1090 	}
1091 	session_p->encrypt.flags = 0;
1092 
1093 	(void) pthread_mutex_unlock(&session_p->session_mutex);
1094 
1095 	if (pEncrypted) {
1096 		free(pEncrypted);
1097 	}
1098 
1099 	return (rv);
1100 }
1101 
1102 /*
1103  * Called by soft_sign_update()
1104  */
1105 CK_RV
1106 soft_aes_mac_sign_verify_update(soft_session_t *session_p, CK_BYTE_PTR pPart,
1107     CK_ULONG ulPartLen)
1108 {
1109 	CK_BYTE		buf[AES_BLOCK_LEN];
1110 	CK_ULONG	ulEncryptedLen = AES_BLOCK_LEN;
1111 	CK_RV		rv;
1112 
1113 	rv = soft_encrypt_update(session_p, pPart, ulPartLen,
1114 	    buf, &ulEncryptedLen);
1115 
1116 	return (rv);
1117 }
1118