xref: /illumos-gate/usr/src/lib/pkcs11/pkcs11_softtoken/common/softAESCrypt.c (revision d48be21240dfd051b689384ce2b23479d757f2d8)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
24  * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
25  * Copyright 2019 Joyent, Inc.
26  * Copyright 2017 Jason King.
27  */
28 
29 #include <pthread.h>
30 #include <stdlib.h>
31 #include <string.h>
32 #include <strings.h>
33 #include <sys/debug.h>
34 #include <sys/types.h>
35 #include <security/cryptoki.h>
36 #include <aes_impl.h>
37 #include <cryptoutil.h>
38 #include "softSession.h"
39 #include "softObject.h"
40 #include "softCrypt.h"
41 #include "softOps.h"
42 
43 /*
44  * Check that the mechanism parameter is present and the correct size if
45  * required and allocate an AES context.
46  */
47 static CK_RV
48 soft_aes_check_mech_param(CK_MECHANISM_PTR mech, aes_ctx_t **ctxp)
49 {
50 	void *(*allocf)(int) = NULL;
51 	size_t param_len = 0;
52 	boolean_t param_req = B_TRUE;
53 
54 	switch (mech->mechanism) {
55 	case CKM_AES_ECB:
56 		param_req = B_FALSE;
57 		allocf = ecb_alloc_ctx;
58 		break;
59 	case CKM_AES_CMAC:
60 		param_req = B_FALSE;
61 		allocf = cmac_alloc_ctx;
62 		break;
63 	case CKM_AES_CMAC_GENERAL:
64 		param_len = sizeof (CK_MAC_GENERAL_PARAMS);
65 		allocf = cmac_alloc_ctx;
66 		break;
67 	case CKM_AES_CBC:
68 	case CKM_AES_CBC_PAD:
69 		param_len = AES_BLOCK_LEN;
70 		allocf = cbc_alloc_ctx;
71 		break;
72 	case CKM_AES_CTR:
73 		param_len = sizeof (CK_AES_CTR_PARAMS);
74 		allocf = ctr_alloc_ctx;
75 		break;
76 	case CKM_AES_CCM:
77 		param_len = sizeof (CK_CCM_PARAMS);
78 		allocf = ccm_alloc_ctx;
79 		break;
80 	case CKM_AES_GCM:
81 		param_len = sizeof (CK_GCM_PARAMS);
82 		allocf = gcm_alloc_ctx;
83 		break;
84 	default:
85 		return (CKR_MECHANISM_INVALID);
86 	}
87 
88 	if (param_req && (mech->pParameter == NULL ||
89 	    mech->ulParameterLen != param_len)) {
90 		return (CKR_MECHANISM_PARAM_INVALID);
91 	}
92 
93 	*ctxp = allocf(0);
94 	if (*ctxp == NULL) {
95 		return (CKR_HOST_MEMORY);
96 	}
97 
98 	return (CKR_OK);
99 }
100 
101 /*
102  * Create an AES key schedule for the given AES context from the given key.
103  * If the key is not sensitive, cache a copy of the key schedule in the
104  * key object and/or use the cached copy of the key schedule.
105  *
106  * Must be called before the init function for a given mode is called.
107  */
108 static CK_RV
109 soft_aes_init_key(aes_ctx_t *aes_ctx, soft_object_t *key_p)
110 {
111 	void *ks = NULL;
112 	size_t size = 0;
113 	CK_RV rv = CKR_OK;
114 
115 	(void) pthread_mutex_lock(&key_p->object_mutex);
116 
117 	/*
118 	 * AES keys should be either 128, 192, or 256 bits long.
119 	 * soft_object_t stores the key size in bytes, so we check those sizes
120 	 * in bytes.
121 	 *
122 	 * While soft_build_secret_key_object() does these same validations for
123 	 * keys created by the user, it may be possible that a key loaded from
124 	 * disk could be invalid or corrupt.  We err on the side of caution
125 	 * and check again that it's the correct size before performing any
126 	 * AES operations.
127 	 */
128 	switch (OBJ_SEC_VALUE_LEN(key_p)) {
129 	case AES_MIN_KEY_BYTES:
130 	case AES_MAX_KEY_BYTES:
131 	case AES_192_KEY_BYTES:
132 		break;
133 	default:
134 		rv = CKR_KEY_SIZE_RANGE;
135 		goto done;
136 	}
137 
138 	ks = aes_alloc_keysched(&size, 0);
139 	if (ks == NULL) {
140 		rv = CKR_HOST_MEMORY;
141 		goto done;
142 	}
143 
144 	/* If this is a sensitive key, always expand the key schedule */
145 	if (key_p->bool_attr_mask & SENSITIVE_BOOL_ON) {
146 		/* aes_init_keysched() requires key length in bits.  */
147 #ifdef	__sparcv9
148 		/* LINTED */
149 		aes_init_keysched(OBJ_SEC_VALUE(key_p), (uint_t)
150 		    (OBJ_SEC_VALUE_LEN(key_p) * NBBY), ks);
151 #else	/* !__sparcv9 */
152 		aes_init_keysched(OBJ_SEC_VALUE(key_p),
153 		    (OBJ_SEC_VALUE_LEN(key_p) * NBBY), ks);
154 #endif	/* __sparcv9 */
155 
156 		goto done;
157 	}
158 
159 	/* If a non-sensitive key and doesn't have a key schedule, create it */
160 	if (OBJ_KEY_SCHED(key_p) == NULL) {
161 		void *obj_ks = NULL;
162 
163 		obj_ks = aes_alloc_keysched(&size, 0);
164 		if (obj_ks == NULL) {
165 			rv = CKR_HOST_MEMORY;
166 			goto done;
167 		}
168 
169 #ifdef	__sparcv9
170 		/* LINTED */
171 		aes_init_keysched(OBJ_SEC_VALUE(key_p),
172 		    (uint_t)(OBJ_SEC_VALUE_LEN(key_p) * 8), obj_ks);
173 #else	/* !__sparcv9 */
174 		aes_init_keysched(OBJ_SEC_VALUE(key_p),
175 		    (OBJ_SEC_VALUE_LEN(key_p) * 8), obj_ks);
176 #endif	/* __sparcv9 */
177 
178 		OBJ_KEY_SCHED_LEN(key_p) = size;
179 		OBJ_KEY_SCHED(key_p) = obj_ks;
180 	}
181 
182 	(void) memcpy(ks, OBJ_KEY_SCHED(key_p), OBJ_KEY_SCHED_LEN(key_p));
183 
184 done:
185 	(void) pthread_mutex_unlock(&key_p->object_mutex);
186 
187 	if (rv == CKR_OK) {
188 		aes_ctx->ac_keysched = ks;
189 		aes_ctx->ac_keysched_len = size;
190 	} else {
191 		freezero(ks, size);
192 	}
193 
194 	return (rv);
195 }
196 
197 /*
198  * Initialize the AES context for the given mode, including allocating and
199  * expanding the key schedule if required.
200  */
201 static CK_RV
202 soft_aes_init_ctx(aes_ctx_t *aes_ctx, CK_MECHANISM_PTR mech_p,
203     boolean_t encrypt)
204 {
205 	int rc = CRYPTO_SUCCESS;
206 
207 	switch (mech_p->mechanism) {
208 	case CKM_AES_ECB:
209 		aes_ctx->ac_flags |= ECB_MODE;
210 		break;
211 	case CKM_AES_CMAC:
212 	case CKM_AES_CMAC_GENERAL:
213 		rc = cmac_init_ctx((cbc_ctx_t *)aes_ctx, AES_BLOCK_LEN);
214 		break;
215 	case CKM_AES_CBC:
216 	case CKM_AES_CBC_PAD:
217 		rc = cbc_init_ctx((cbc_ctx_t *)aes_ctx, mech_p->pParameter,
218 		    mech_p->ulParameterLen, AES_BLOCK_LEN, aes_copy_block64);
219 		break;
220 	case CKM_AES_CTR:
221 	{
222 		/*
223 		 * soft_aes_check_param() verifies this is !NULL and is the
224 		 * correct size.
225 		 */
226 		CK_AES_CTR_PARAMS *pp = (CK_AES_CTR_PARAMS *)mech_p->pParameter;
227 
228 		rc = ctr_init_ctx((ctr_ctx_t *)aes_ctx, pp->ulCounterBits,
229 		    pp->cb, aes_encrypt_block, aes_copy_block);
230 		break;
231 	}
232 	case CKM_AES_CCM: {
233 		CK_CCM_PARAMS *pp = (CK_CCM_PARAMS *)mech_p->pParameter;
234 
235 		/*
236 		 * The illumos ccm mode implementation predates the PKCS#11
237 		 * version that specifies CK_CCM_PARAMS.  As a result, the order
238 		 * and names of the struct members are different, so we must
239 		 * translate.  ccm_init_ctx() does not store a ref ccm_params,
240 		 * so it is safe to allocate on the stack.
241 		 */
242 		CK_AES_CCM_PARAMS ccm_params = {
243 			.ulMACSize = pp->ulMACLen,
244 			.ulNonceSize = pp->ulNonceLen,
245 			.ulAuthDataSize = pp->ulAADLen,
246 			.ulDataSize = pp->ulDataLen,
247 			.nonce = pp->pNonce,
248 			.authData = pp->pAAD
249 		};
250 
251 		rc = ccm_init_ctx((ccm_ctx_t *)aes_ctx, (char *)&ccm_params, 0,
252 		    encrypt, AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
253 		break;
254 	}
255 	case CKM_AES_GCM:
256 		/*
257 		 * Similar to the ccm mode implementation, the gcm mode also
258 		 * predates PKCS#11 2.40, however in this instance
259 		 * CK_AES_GCM_PARAMS and CK_GCM_PARAMS are identical except
260 		 * for the member names, so we can just pass it along.
261 		 */
262 		rc = gcm_init_ctx((gcm_ctx_t *)aes_ctx, mech_p->pParameter,
263 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
264 		    aes_xor_block);
265 		break;
266 	}
267 
268 	return (crypto2pkcs11_error_number(rc));
269 }
270 
271 /*
272  * Allocate context for the active encryption or decryption operation, and
273  * generate AES key schedule to speed up the operation.
274  */
275 CK_RV
276 soft_aes_crypt_init_common(soft_session_t *session_p,
277     CK_MECHANISM_PTR pMechanism, soft_object_t *key_p,
278     boolean_t encrypt)
279 {
280 	aes_ctx_t *aes_ctx = NULL;
281 	CK_RV rv = CKR_OK;
282 
283 	if (key_p->key_type != CKK_AES)
284 		return (CKR_KEY_TYPE_INCONSISTENT);
285 
286 	/* C_{Encrypt,Decrypt}Init() validate pMechanism != NULL */
287 	rv = soft_aes_check_mech_param(pMechanism, &aes_ctx);
288 	if (rv != CKR_OK) {
289 		goto done;
290 	}
291 
292 	rv = soft_aes_init_key(aes_ctx, key_p);
293 	if (rv != CKR_OK) {
294 		goto done;
295 	}
296 
297 	rv = soft_aes_init_ctx(aes_ctx, pMechanism, encrypt);
298 	if (rv != CKR_OK) {
299 		goto done;
300 	}
301 
302 	(void) pthread_mutex_lock(&session_p->session_mutex);
303 	if (encrypt) {
304 		/* Called by C_EncryptInit. */
305 		session_p->encrypt.context = aes_ctx;
306 		session_p->encrypt.mech.mechanism = pMechanism->mechanism;
307 	} else {
308 		/* Called by C_DecryptInit. */
309 		session_p->decrypt.context = aes_ctx;
310 		session_p->decrypt.mech.mechanism = pMechanism->mechanism;
311 	}
312 	(void) pthread_mutex_unlock(&session_p->session_mutex);
313 
314 done:
315 	if (rv != CKR_OK) {
316 		soft_aes_free_ctx(aes_ctx);
317 	}
318 
319 	return (rv);
320 }
321 
322 
323 CK_RV
324 soft_aes_encrypt(soft_session_t *session_p, CK_BYTE_PTR pData,
325     CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData,
326     CK_ULONG_PTR pulEncryptedDataLen)
327 {
328 	aes_ctx_t *aes_ctx = session_p->encrypt.context;
329 	CK_MECHANISM_TYPE mech = session_p->encrypt.mech.mechanism;
330 	size_t length_needed;
331 	size_t remainder;
332 	int rc = CRYPTO_SUCCESS;
333 	CK_RV rv = CKR_OK;
334 	crypto_data_t out = {
335 		.cd_format = CRYPTO_DATA_RAW,
336 		.cd_offset = 0,
337 		.cd_length = *pulEncryptedDataLen,
338 		.cd_raw.iov_base = (char *)pEncryptedData,
339 		.cd_raw.iov_len = *pulEncryptedDataLen
340 	};
341 
342 	/*
343 	 * A bit unusual, but it's permissible for ccm and gcm modes to not
344 	 * encrypt any data.  This ends up being equivalent to CKM_AES_CMAC
345 	 * or CKM_AES_GMAC of the additional authenticated data (AAD).
346 	 */
347 	if ((pData == NULL || ulDataLen == 0) &&
348 	    !(aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|CMAC_MODE))) {
349 		return (CKR_ARGUMENTS_BAD);
350 	}
351 
352 	remainder = ulDataLen % AES_BLOCK_LEN;
353 
354 	/*
355 	 * CTR, CCM, CMAC, and GCM modes do not require the plaintext
356 	 * to be a multiple of the AES block size. CKM_AES_CBC_PAD as the
357 	 * name suggests pads it's output, so it can also accept any
358 	 * size plaintext.
359 	 */
360 	switch (mech) {
361 	case CKM_AES_CBC_PAD:
362 	case CKM_AES_CMAC:
363 	case CKM_AES_CMAC_GENERAL:
364 	case CKM_AES_CTR:
365 	case CKM_AES_CCM:
366 	case CKM_AES_GCM:
367 		break;
368 	default:
369 		if (remainder != 0) {
370 			rv = CKR_DATA_LEN_RANGE;
371 			goto cleanup;
372 		}
373 	}
374 
375 	switch (mech) {
376 	case CKM_AES_CCM:
377 		length_needed = ulDataLen + aes_ctx->ac_mac_len;
378 		break;
379 	case CKM_AES_GCM:
380 		length_needed = ulDataLen + aes_ctx->ac_tag_len;
381 		break;
382 	case CKM_AES_CMAC:
383 	case CKM_AES_CMAC_GENERAL:
384 		length_needed = AES_BLOCK_LEN;
385 		break;
386 	case CKM_AES_CBC_PAD:
387 		/* CKM_AES_CBC_PAD always adds 1..AES_BLOCK_LEN of padding */
388 		length_needed = ulDataLen + AES_BLOCK_LEN - remainder;
389 		break;
390 	default:
391 		length_needed = ulDataLen;
392 		break;
393 	}
394 
395 	if (pEncryptedData == NULL) {
396 		/*
397 		 * The application can ask for the size of the output buffer
398 		 * with a NULL output buffer (pEncryptedData).
399 		 * C_Encrypt() guarantees pulEncryptedDataLen != NULL.
400 		 */
401 		*pulEncryptedDataLen = length_needed;
402 		return (CKR_OK);
403 	}
404 
405 	if (*pulEncryptedDataLen < length_needed) {
406 		*pulEncryptedDataLen = length_needed;
407 		return (CKR_BUFFER_TOO_SMALL);
408 	}
409 
410 	if (ulDataLen > 0) {
411 		rv = soft_aes_encrypt_update(session_p, pData, ulDataLen,
412 		    pEncryptedData, pulEncryptedDataLen);
413 
414 		if (rv != CKR_OK) {
415 			rv = CKR_FUNCTION_FAILED;
416 			goto cleanup;
417 		}
418 
419 		/*
420 		 * Some modes (e.g. CCM and GCM) will append data such as a MAC
421 		 * to the ciphertext after the plaintext has been encrypted.
422 		 * Update out to reflect the amount of data in pEncryptedData
423 		 * after encryption.
424 		 */
425 		out.cd_offset = *pulEncryptedDataLen;
426 	}
427 
428 	switch (mech) {
429 	case CKM_AES_CBC_PAD: {
430 		/*
431 		 * aes_encrypt_contiguous_blocks() accumulates plaintext
432 		 * in aes_ctx until it has at least one full block of
433 		 * plaintext.  Any partial blocks of data remaining after
434 		 * encrypting are left for subsequent calls to
435 		 * aes_encrypt_contiguous_blocks().  If the input happened
436 		 * to be an exact multiple of AES_BLOCK_LEN, we must still
437 		 * append a block of padding (a full block in that case) so
438 		 * that the correct amount of padding to remove is known
439 		 * during decryption.
440 		 *
441 		 * soft_add_pkcs7_padding() is a bit overkill -- we just
442 		 * create a block filled with the pad amount using memset(),
443 		 * and encrypt 'amt' bytes of the block to pad out the input.
444 		 */
445 		char block[AES_BLOCK_LEN];
446 		size_t amt = AES_BLOCK_LEN - remainder;
447 
448 		VERIFY3U(remainder, ==, aes_ctx->ac_remainder_len);
449 
450 		(void) memset(block, amt & 0xff, sizeof (block));
451 		rc = aes_encrypt_contiguous_blocks(aes_ctx, block, amt, &out);
452 		rv = crypto2pkcs11_error_number(rc);
453 		explicit_bzero(block, sizeof (block));
454 		break;
455 	}
456 	case CKM_AES_CCM:
457 		rc = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, &out,
458 		    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
459 		rv = crypto2pkcs11_error_number(rc);
460 		break;
461 	case CKM_AES_GCM:
462 		rc = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, &out,
463 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
464 		    aes_xor_block);
465 		rv = crypto2pkcs11_error_number(rc);
466 		break;
467 	case CKM_AES_CMAC:
468 	case CKM_AES_CMAC_GENERAL:
469 		rc = cmac_mode_final((cbc_ctx_t *)aes_ctx, &out,
470 		    aes_encrypt_block, aes_xor_block);
471 		rv = crypto2pkcs11_error_number(rc);
472 		aes_ctx->ac_remainder_len = 0;
473 		break;
474 	case CKM_AES_CTR:
475 		/*
476 		 * As CKM_AES_CTR is a stream cipher, ctr_mode_final is always
477 		 * invoked in the xx_update() functions, so we do not need to
478 		 * call it again here.
479 		 */
480 		break;
481 	case CKM_AES_ECB:
482 	case CKM_AES_CBC:
483 		/*
484 		 * These mechanisms do not have nor require a xx_final function.
485 		 */
486 		break;
487 	default:
488 		rv = CKR_MECHANISM_INVALID;
489 		break;
490 	}
491 
492 cleanup:
493 	switch (rv) {
494 	case CKR_OK:
495 		*pulEncryptedDataLen = out.cd_offset;
496 		break;
497 	case CKR_BUFFER_TOO_SMALL:
498 		/* *pulEncryptedDataLen was set earlier */
499 		break;
500 	default:
501 		/* something else failed */
502 		*pulEncryptedDataLen = 0;
503 		break;
504 	}
505 
506 	(void) pthread_mutex_lock(&session_p->session_mutex);
507 	soft_aes_free_ctx(aes_ctx);
508 	session_p->encrypt.context = NULL;
509 	(void) pthread_mutex_unlock(&session_p->session_mutex);
510 
511 	return (rv);
512 }
513 
514 static CK_RV
515 soft_aes_cbc_pad_decrypt(aes_ctx_t *aes_ctx, CK_BYTE_PTR pEncryptedData,
516     CK_ULONG ulEncryptedDataLen, crypto_data_t *out_orig)
517 {
518 	aes_ctx_t *ctx = aes_ctx;
519 	uint8_t *buf = NULL;
520 	uint8_t *outbuf = (uint8_t *)out_orig->cd_raw.iov_base;
521 	crypto_data_t out = *out_orig;
522 	size_t i;
523 	int rc;
524 	CK_RV rv = CKR_OK;
525 	uint8_t pad_len;
526 	boolean_t speculate = B_FALSE;
527 
528 	/*
529 	 * Just a query for the output size.  When the output buffer is
530 	 * NULL, we are allowed to return a size slightly larger than
531 	 * necessary.  We know the output will never be larger than the
532 	 * input ciphertext, so we use that as an estimate.
533 	 */
534 	if (out_orig->cd_raw.iov_base == NULL) {
535 		out_orig->cd_length = ulEncryptedDataLen;
536 		return (CKR_OK);
537 	}
538 
539 	/*
540 	 * The output plaintext size will be 1..AES_BLOCK_LEN bytes
541 	 * smaller than the input ciphertext.  However we cannot know
542 	 * exactly how much smaller until we decrypt the entire
543 	 * input ciphertext.  If we are unsure we have enough output buffer
544 	 * space, we have to allocate our own memory to hold the output,
545 	 * then see if we have enough room to hold the result.
546 	 *
547 	 * Unfortunately, having an output buffer that's too small does
548 	 * not terminate the operation, nor are we allowed to return
549 	 * partial results.  Therefore we must also duplicate the initial
550 	 * aes_ctx so that this can potentially be run again.
551 	 */
552 	if (out_orig->cd_length < ulEncryptedDataLen) {
553 		void *ks = malloc(aes_ctx->ac_keysched_len);
554 
555 		ctx = malloc(sizeof (*aes_ctx));
556 		buf = malloc(ulEncryptedDataLen);
557 		if (ks == NULL || ctx == NULL || buf == NULL) {
558 			free(ks);
559 			free(ctx);
560 			free(buf);
561 			return (CKR_HOST_MEMORY);
562 		}
563 
564 		bcopy(aes_ctx, ctx, sizeof (*ctx));
565 		bcopy(aes_ctx->ac_keysched, ks, aes_ctx->ac_keysched_len);
566 		ctx->ac_keysched = ks;
567 
568 		out.cd_length = ulEncryptedDataLen;
569 		out.cd_raw.iov_base = (char *)buf;
570 		out.cd_raw.iov_len = ulEncryptedDataLen;
571 		outbuf = buf;
572 
573 		speculate = B_TRUE;
574 	}
575 
576 	rc = aes_decrypt_contiguous_blocks(ctx, (char *)pEncryptedData,
577 	    ulEncryptedDataLen, &out);
578 	if (rc != CRYPTO_SUCCESS) {
579 		out_orig->cd_offset = 0;
580 		rv = CKR_FUNCTION_FAILED;
581 		goto done;
582 	}
583 
584 	/*
585 	 * RFC5652 6.3 The amount of padding must be
586 	 * block_sz - (len mod block_size).  This means
587 	 * the amount of padding must always be in the
588 	 * range [1..block_size].
589 	 */
590 	pad_len = outbuf[ulEncryptedDataLen - 1];
591 	if (pad_len == 0 || pad_len > AES_BLOCK_LEN) {
592 		rv = CKR_ENCRYPTED_DATA_INVALID;
593 		goto done;
594 	}
595 	out.cd_offset -= pad_len;
596 
597 	/*
598 	 * Verify pad values, trying to do so in as close to constant
599 	 * time as possible.
600 	 */
601 	for (i = ulEncryptedDataLen - pad_len; i < ulEncryptedDataLen; i++) {
602 		if (outbuf[i] != pad_len) {
603 			rv = CKR_ENCRYPTED_DATA_INVALID;
604 		}
605 	}
606 	if (rv != CKR_OK) {
607 		goto done;
608 	}
609 
610 	if (speculate) {
611 		if (out.cd_offset <= out_orig->cd_length) {
612 			bcopy(out.cd_raw.iov_base, out_orig->cd_raw.iov_base,
613 			    out.cd_offset);
614 		} else {
615 			rv = CKR_BUFFER_TOO_SMALL;
616 		}
617 	}
618 
619 	/*
620 	 * No matter what, we report the exact size required.
621 	 */
622 	out_orig->cd_offset = out.cd_offset;
623 
624 done:
625 	freezero(buf, ulEncryptedDataLen);
626 	if (ctx != aes_ctx) {
627 		VERIFY(speculate);
628 		soft_aes_free_ctx(ctx);
629 	}
630 
631 	return (rv);
632 }
633 
634 CK_RV
635 soft_aes_decrypt(soft_session_t *session_p, CK_BYTE_PTR pEncryptedData,
636     CK_ULONG ulEncryptedDataLen, CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen)
637 {
638 	aes_ctx_t *aes_ctx = session_p->decrypt.context;
639 	CK_MECHANISM_TYPE mech = session_p->decrypt.mech.mechanism;
640 	size_t length_needed;
641 	size_t remainder;
642 	int rc = CRYPTO_SUCCESS;
643 	CK_RV rv = CKR_OK;
644 	crypto_data_t out = {
645 		.cd_format = CRYPTO_DATA_RAW,
646 		.cd_offset = 0,
647 		.cd_length = *pulDataLen,
648 		.cd_raw.iov_base = (char *)pData,
649 		.cd_raw.iov_len = *pulDataLen
650 	};
651 
652 	/*
653 	 * A bit unusual, but it's permissible for ccm and gcm modes to not
654 	 * decrypt any data.  This ends up being equivalent to CKM_AES_CMAC
655 	 * or CKM_AES_GMAC of the additional authenticated data (AAD).
656 	 */
657 	if ((pEncryptedData == NULL || ulEncryptedDataLen == 0) &&
658 	    !(aes_ctx->ac_flags & (CCM_MODE|GCM_MODE))) {
659 		return (CKR_ARGUMENTS_BAD);
660 	}
661 
662 	remainder = ulEncryptedDataLen % AES_BLOCK_LEN;
663 
664 	/*
665 	 * CTR, CCM, CMAC, and GCM modes do not require the ciphertext
666 	 * to be a multiple of the AES block size.  Note that while
667 	 * CKM_AES_CBC_PAD accepts an arbitrary sized plaintext, the
668 	 * ciphertext is always a multiple of the AES block size
669 	 */
670 	switch (mech) {
671 	case CKM_AES_CMAC:
672 	case CKM_AES_CMAC_GENERAL:
673 	case CKM_AES_CTR:
674 	case CKM_AES_CCM:
675 	case CKM_AES_GCM:
676 		break;
677 	default:
678 		if (remainder != 0) {
679 			rv = CKR_DATA_LEN_RANGE;
680 			goto cleanup;
681 		}
682 	}
683 
684 	if (mech == CKM_AES_CBC_PAD) {
685 		rv = soft_aes_cbc_pad_decrypt(aes_ctx, pEncryptedData,
686 		    ulEncryptedDataLen, &out);
687 		if (pData == NULL || rv == CKR_BUFFER_TOO_SMALL) {
688 			*pulDataLen = out.cd_offset;
689 			return (rv);
690 		}
691 		goto cleanup;
692 	}
693 
694 	switch (aes_ctx->ac_flags & (CCM_MODE|GCM_MODE)) {
695 	case CCM_MODE:
696 		length_needed = aes_ctx->ac_processed_data_len;
697 		break;
698 	case GCM_MODE:
699 		length_needed = ulEncryptedDataLen - aes_ctx->ac_tag_len;
700 		break;
701 	default:
702 		/*
703 		 * Note: for CKM_AES_CBC_PAD, we cannot know exactly how much
704 		 * space is needed for the plaintext until after we decrypt it.
705 		 * However, it is permissible to return a value 'somewhat'
706 		 * larger than necessary (PKCS#11 Base Specification, sec 5.2).
707 		 *
708 		 * Since CKM_AES_CBC_PAD adds at most AES_BLOCK_LEN bytes to
709 		 * the plaintext, we report the ciphertext length as the
710 		 * required plaintext length.  This means we specify at most
711 		 * AES_BLOCK_LEN additional bytes of memory for the plaintext.
712 		 *
713 		 * This behavior is slightly different from the earlier
714 		 * version of this code which returned the value of
715 		 * (ulEncryptedDataLen - AES_BLOCK_LEN), which was only ever
716 		 * correct when the original plaintext was already a multiple
717 		 * of AES_BLOCK_LEN (i.e. when AES_BLOCK_LEN of padding was
718 		 * added).  This should not be a concern for existing
719 		 * consumers -- if they were previously using the value of
720 		 * *pulDataLen to size the outbut buffer, the resulting
721 		 * plaintext would be truncated anytime the original plaintext
722 		 * wasn't a multiple of AES_BLOCK_LEN.  No consumer should
723 		 * be relying on such wrong behavior.  More likely they are
724 		 * using the size of the ciphertext or larger for the
725 		 * buffer to hold the decrypted plaintext (which is always
726 		 * acceptable).
727 		 */
728 		length_needed = ulEncryptedDataLen;
729 	}
730 
731 	if (pData == NULL) {
732 		/*
733 		 * The application can ask for the size of the output buffer
734 		 * with a NULL output buffer (pData).
735 		 * C_Decrypt() guarantees pulDataLen != NULL.
736 		 */
737 		*pulDataLen = length_needed;
738 		return (CKR_OK);
739 	}
740 
741 	if (*pulDataLen < length_needed) {
742 		*pulDataLen = length_needed;
743 		return (CKR_BUFFER_TOO_SMALL);
744 	}
745 
746 	if (ulEncryptedDataLen > 0) {
747 		rv = soft_aes_decrypt_update(session_p, pEncryptedData,
748 		    ulEncryptedDataLen, pData, pulDataLen);
749 	}
750 
751 	if (rv != CKR_OK) {
752 		rv = CKR_FUNCTION_FAILED;
753 		goto cleanup;
754 	}
755 
756 	/*
757 	 * Some modes (e.g. CCM and GCM) will output additional data
758 	 * after the plaintext (such as the MAC).  Update out to
759 	 * reflect the amount of data in pData for the _final() functions.
760 	 */
761 	out.cd_offset = *pulDataLen;
762 
763 	/*
764 	 * As CKM_AES_CTR is a stream cipher, ctr_mode_final is always
765 	 * invoked in the _update() functions, so we do not need to call it
766 	 * here.
767 	 */
768 	if (aes_ctx->ac_flags & CCM_MODE) {
769 		ASSERT3U(aes_ctx->ac_processed_data_len, ==,
770 		    aes_ctx->ac_data_len);
771 		ASSERT3U(aes_ctx->ac_processed_mac_len, ==,
772 		    aes_ctx->ac_mac_len);
773 
774 		rc = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, &out,
775 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
776 		    aes_xor_block);
777 		rv = crypto2pkcs11_error_number(rc);
778 	} else if (aes_ctx->ac_flags & GCM_MODE) {
779 		rc = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, &out,
780 		    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
781 		rv = crypto2pkcs11_error_number(rc);
782 	}
783 
784 cleanup:
785 	if (rv == CKR_OK) {
786 		*pulDataLen = out.cd_offset;
787 	} else {
788 		*pulDataLen = 0;
789 	}
790 
791 	(void) pthread_mutex_lock(&session_p->session_mutex);
792 	soft_aes_free_ctx(aes_ctx);
793 	session_p->decrypt.context = NULL;
794 	(void) pthread_mutex_unlock(&session_p->session_mutex);
795 
796 	return (rv);
797 }
798 
799 CK_RV
800 soft_aes_encrypt_update(soft_session_t *session_p, CK_BYTE_PTR pData,
801     CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData,
802     CK_ULONG_PTR pulEncryptedDataLen)
803 {
804 	aes_ctx_t *aes_ctx = session_p->encrypt.context;
805 	crypto_data_t out = {
806 		.cd_format = CRYPTO_DATA_RAW,
807 		.cd_offset = 0,
808 		.cd_length = *pulEncryptedDataLen,
809 		.cd_raw.iov_base = (char *)pEncryptedData,
810 		.cd_raw.iov_len = *pulEncryptedDataLen
811 	};
812 	CK_MECHANISM_TYPE mech = session_p->encrypt.mech.mechanism;
813 	CK_RV rv = CKR_OK;
814 	size_t out_len;
815 	int rc;
816 
817 	/*
818 	 * If pData is NULL, we should have zero bytes to process, and
819 	 * the aes_encrypt_contiguous_blocks() call will be an effective no-op.
820 	 */
821 	IMPLY(pData == NULL, ulDataLen == 0);
822 
823 	/* Check size of the output buffer */
824 	switch (mech) {
825 	case CKM_AES_CMAC:
826 		/*
827 		 * The underlying CMAC implementation handles the storing of
828 		 * extra bytes and does not output any data until *_final,
829 		 * so do not bother looking at the size of the output
830 		 * buffer at this time.
831 		 */
832 		out_len = 0;
833 		break;
834 	case CKM_AES_CTR:
835 		/*
836 		 * CTR mode is a stream cipher, so we always output exactly as
837 		 * much ciphertext as input plaintext
838 		 */
839 		out_len = ulDataLen;
840 		break;
841 	default:
842 		out_len = aes_ctx->ac_remainder_len + ulDataLen;
843 
844 		/*
845 		 * The number of complete blocks we can encrypt right now.
846 		 * The underlying implementation will buffer any remaining data
847 		 * until the next *_update call.
848 		 */
849 		out_len &= ~(AES_BLOCK_LEN - 1);
850 		break;
851 	}
852 
853 	if (pEncryptedData == NULL) {
854 		*pulEncryptedDataLen = out_len;
855 		return (CKR_OK);
856 	}
857 
858 	if (*pulEncryptedDataLen < out_len) {
859 		*pulEncryptedDataLen = out_len;
860 		return (CKR_BUFFER_TOO_SMALL);
861 	}
862 
863 	rc = aes_encrypt_contiguous_blocks(aes_ctx, (char *)pData, ulDataLen,
864 	    &out);
865 
866 	/*
867 	 * Since out.cd_offset is set to 0 initially and the underlying
868 	 * implementation increments out.cd_offset by the amount of output
869 	 * written, so we can just use the value as the amount written.
870 	 */
871 	*pulEncryptedDataLen = out.cd_offset;
872 
873 	if (rc != CRYPTO_SUCCESS) {
874 		return (CKR_FUNCTION_FAILED);
875 	}
876 
877 	rv = crypto2pkcs11_error_number(rc);
878 
879 	return (rv);
880 }
881 
882 CK_RV
883 soft_aes_decrypt_update(soft_session_t *session_p, CK_BYTE_PTR pEncryptedData,
884     CK_ULONG ulEncryptedDataLen, CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen)
885 {
886 	aes_ctx_t *aes_ctx = session_p->decrypt.context;
887 	uint8_t *buffer_block = NULL;
888 	crypto_data_t out = {
889 		.cd_format = CRYPTO_DATA_RAW,
890 		.cd_offset = 0,
891 		.cd_length = *pulDataLen,
892 		.cd_raw.iov_base = (char *)pData,
893 		.cd_raw.iov_len = *pulDataLen
894 	};
895 	CK_MECHANISM_TYPE mech = session_p->decrypt.mech.mechanism;
896 	CK_RV rv = CKR_OK;
897 	size_t in_len = ulEncryptedDataLen;
898 	size_t out_len;
899 	int rc = CRYPTO_SUCCESS;
900 
901 	switch (mech) {
902 	case CKM_AES_CCM:
903 	case CKM_AES_GCM:
904 		out_len = 0;
905 		break;
906 	case CKM_AES_CBC_PAD:
907 		/*
908 		 * For CKM_AES_CBC_PAD, we use the existing code for CBC
909 		 * mode in libsoftcrypto (which itself uses the code in
910 		 * usr/src/common/crypto/modes for CBC mode).  For
911 		 * non-padding AES CBC mode, aes_decrypt_contiguous_blocks()
912 		 * will accumulate ciphertext in aes_ctx->ac_remainder until
913 		 * there is at least AES_BLOCK_LEN bytes of ciphertext available
914 		 * to decrypt.  At that point, as many blocks of AES_BLOCK_LEN
915 		 * sized ciphertext blocks are decrypted.  Any remainder is
916 		 * copied into aes_ctx->ac_remainder for decryption in
917 		 * subsequent calls to aes_decrypt_contiguous_blocks().
918 		 *
919 		 * When PKCS#7 padding is used, the buffering
920 		 * aes_decrypt_contigous_blocks() performs is insufficient.
921 		 * PKCS#7 padding always adds [1..AES_BLOCK_LEN] bytes of
922 		 * padding to plaintext, so the resulting ciphertext is always
923 		 * larger than the input plaintext.  However we cannot know
924 		 * which block is the final block (and needs its padding
925 		 * stripped) until C_DecryptFinal() is called.  Additionally,
926 		 * it is permissible for a caller to use buffers sized to the
927 		 * output plaintext -- i.e. smaller than the input ciphertext.
928 		 * This leads to a more complicated buffering/accumulation
929 		 * strategy than what aes_decrypt_contiguous_blocks() provides
930 		 * us.
931 		 *
932 		 * Our buffering strategy works as follows:
933 		 *  For each call to C_DecryptUpdate, we calculate the
934 		 *  total amount of ciphertext available (buffered plus what's
935 		 *  passed in) as the initial output size (out_len). Based
936 		 *  on the value of out_len, there are three possibilties:
937 		 *
938 		 *  1. We have less than AES_BLOCK_LEN + 1 bytes of
939 		 *  ciphertext available. Accumulate the ciphertext in
940 		 *  aes_ctx->ac_remainder. Note that while we could let
941 		 *  aes_decrypt_contiguous_blocks() buffer the input for us
942 		 *  when we have less than AES_BLOCK_LEN bytes, we would still
943 		 *  need to buffer when we have exactly AES_BLOCK_LEN
944 		 *  bytes available, so we just handle both situations with
945 		 *  one if clause.
946 		 *
947 		 *  2. We have at least AES_BLOCK_LEN + 1 bytes of
948 		 *  ciphertext, and the total amount available is also an
949 		 *  exact multiple of AES_BLOCK_LEN. We cannot know if the
950 		 *  last block of input is the final block (yet), but we
951 		 *  are an exact multiple of AES_BLOCK_LEN, and we have
952 		 *  at least AES_BLOCK_LEN + 1 bytes available, therefore
953 		 *  there must be at least 2 * AES_BLOCK_LEN bytes of input
954 		 *  ciphertext available. It also means there's at least one
955 		 *  full block of input ciphertext that can be decrypted. We
956 		 *  reduce the size of the input (in_len) given to
957 		 *  aes_decrypt_contiguous_bytes() by AES_BLOCK_LEN to prevent
958 		 *  it from decrypting the last full block of data.
959 		 *  aes_decrypt_contiguous_blocks() will when decrypt any
960 		 *  buffered data in aex_ctx->ac_remainder, and then any
961 		 *  input data passed. Since we have an exact multiple of
962 		 *  AES_BLOCK_LEN, aes_ctx->ac_remainder will be empty
963 		 *  (aes_ctx->ac_remainder_len == 0), once
964 		 *  aes_decrypt_contiguout_block() completes, and we can
965 		 *  copy the last block of data into aes_ctx->ac_remainder.
966 		 *
967 		 *  3. We have at least AES_BLOCK_LEN + 1 bytes of
968 		 *  ciphertext, but the total amount available is not an
969 		 *  exact multiple of AES_BLOCK_LEN. We decrypt all of
970 		 *  full blocks of data we have. The remainder will be
971 		 *  less than AES_BLOCK_LEN bytes. We let
972 		 *  aes_decrypt_contiguous_blocks() buffer the remainder
973 		 *  for us since it would normally do this anyway. Since there
974 		 *  is a remainder, the full blocks that are present cannot
975 		 *  be the last block, so we can safey decrypt all of them.
976 		 *
977 		 * Some things to note:
978 		 *  - The above semantics will cause aes_ctx->ac_remainder to
979 		 *  never accumulate more than AES_BLOCK_LEN bytes of
980 		 *  ciphertext. Once we reach at least AES_BLOCK_LEN + 1 bytes,
981 		 *  we will decrypt the contents of aes_ctx->ac_remainder by one
982 		 *  of the last two scenarios described above.
983 		 *
984 		 *  - We must always end up with AES_BLOCK_LEN bytes of data
985 		 *  in aes_ctx->ac_remainder when C_DecryptFinal() is called.
986 		 *  The first and third scenarios above may leave
987 		 *  aes_ctx->ac_remainder with less than AES_BLOCK_LEN bytes,
988 		 *  however the total size of the input ciphertext that's
989 		 *  been decrypted must end up a multiple of AES_BLOCK_LEN.
990 		 *  Therefore, we can always assume when there is a
991 		 *  remainder that more data is coming.  If we do end up
992 		 *  with a remainder that's not AES_BLOCK_LEN bytes long
993 		 *  when C_DecryptFinal() is called, the input is assumed
994 		 *  invalid and we return CKR_DATA_LEN_RANGE (see
995 		 *  soft_aes_decrypt_final()).
996 		 */
997 
998 		VERIFY3U(aes_ctx->ac_remainder_len, <=, AES_BLOCK_LEN);
999 		if (in_len >= SIZE_MAX - AES_BLOCK_LEN)
1000 			return (CKR_ENCRYPTED_DATA_LEN_RANGE);
1001 
1002 		out_len = aes_ctx->ac_remainder_len + in_len;
1003 
1004 		if (out_len <= AES_BLOCK_LEN) {
1005 			/*
1006 			 * The first scenario detailed above, accumulate
1007 			 * ciphertext in ac_remainder_len and return.
1008 			 */
1009 			uint8_t *dest = (uint8_t *)aes_ctx->ac_remainder +
1010 			    aes_ctx->ac_remainder_len;
1011 
1012 			bcopy(pEncryptedData, dest, in_len);
1013 			aes_ctx->ac_remainder_len += in_len;
1014 			*pulDataLen = 0;
1015 
1016 			/*
1017 			 * Since we aren't writing an output, and are returning
1018 			 * here, we don't need to adjust out_len -- we never
1019 			 * reach the output buffer size checks after the
1020 			 * switch statement.
1021 			 */
1022 			return (CKR_OK);
1023 		} else if (out_len % AES_BLOCK_LEN == 0) {
1024 			/*
1025 			 * The second scenario decribed above. The total amount
1026 			 * available is a multiple of AES_BLOCK_LEN, and
1027 			 * we have more than one block.  We reduce the
1028 			 * input size (in_len) by AES_BLOCK_LEN. We also
1029 			 * reduce the output size (out_len) by AES_BLOCK_LEN
1030 			 * for the output buffer size checks that follow
1031 			 * the switch statement. In certain situations,
1032 			 * PKCS#11 requires this to be an exact value, so
1033 			 * the size check cannot occur for CKM_AES_CBC_PAD
1034 			 * until after we've determine which scenario we
1035 			 * have.
1036 			 *
1037 			 * Because we never accumulate more than AES_BLOCK_LEN
1038 			 * bytes in aes_ctx->ac_remainder, when we are in
1039 			 * this scenario, the following VERIFYs should always
1040 			 * be true (and serve as a final safeguard against
1041 			 * underflow).
1042 			 */
1043 			VERIFY3U(in_len, >=, AES_BLOCK_LEN);
1044 
1045 			buffer_block = pEncryptedData + in_len - AES_BLOCK_LEN;
1046 
1047 			in_len -= AES_BLOCK_LEN;
1048 
1049 			/*
1050 			 * This else clause explicity checks
1051 			 * out_len > AES_BLOCK_LEN, so this is also safe.
1052 			 */
1053 			out_len -= AES_BLOCK_LEN;
1054 		} else {
1055 			/*
1056 			 * The third scenario above.  We have at least
1057 			 * AES_BLOCK_LEN + 1 bytes, but the total amount of
1058 			 * input ciphertext available is not an exact
1059 			 * multiple of AES_BLOCK_LEN.  Let
1060 			 * aes_decrypt_contiguous_blocks() handle the
1061 			 * buffering of the remainder.  Update the
1062 			 * output size to reflect the actual amount of output
1063 			 * we want to emit for the checks after the switch
1064 			 * statement.
1065 			 */
1066 			out_len &= ~(AES_BLOCK_LEN - 1);
1067 		}
1068 		break;
1069 	case CKM_AES_CTR:
1070 		/*
1071 		 * CKM_AES_CTR is a stream cipher, so we always output
1072 		 * exactly as much output plaintext as input ciphertext
1073 		 */
1074 		out_len = in_len;
1075 		break;
1076 	default:
1077 		out_len = aes_ctx->ac_remainder_len + in_len;
1078 		out_len &= ~(AES_BLOCK_LEN - 1);
1079 		break;
1080 	}
1081 
1082 	/*
1083 	 * C_DecryptUpdate() verifies that pulDataLen is not NULL prior
1084 	 * to calling soft_decrypt_common() (which calls us).
1085 	 */
1086 
1087 	if (pData == NULL) {
1088 		/*
1089 		 * If the output buffer (pData) is NULL, that means the
1090 		 * caller is inquiring about the size buffer needed to
1091 		 * complete the C_DecryptUpdate() request.  While we are
1092 		 * permitted to set *pulDataLen to an estimated value that can
1093 		 * be 'slightly' larger than the actual value required,
1094 		 * since we know the exact size we need, we stick with the
1095 		 * exact size.
1096 		 */
1097 		*pulDataLen = out_len;
1098 		return (CKR_OK);
1099 	}
1100 
1101 	if (*pulDataLen < out_len) {
1102 		/*
1103 		 * Not an inquiry, but the output buffer isn't large enough.
1104 		 * PKCS#11 requires that this scenario not fail fatally (as
1105 		 * well as return a different error value). This situation
1106 		 * also requires us to set *pulDataLen to the _exact_ size
1107 		 * required.
1108 		 */
1109 		*pulDataLen = out_len;
1110 		return (CKR_BUFFER_TOO_SMALL);
1111 	}
1112 
1113 	rc = aes_decrypt_contiguous_blocks(aes_ctx, (char *)pEncryptedData,
1114 	    in_len, &out);
1115 
1116 	if (rc != CRYPTO_SUCCESS) {
1117 		rv = CKR_FUNCTION_FAILED;
1118 		goto done;
1119 	}
1120 
1121 	*pulDataLen = out.cd_offset;
1122 
1123 	switch (mech) {
1124 	case CKM_AES_CBC_PAD:
1125 		if (buffer_block == NULL) {
1126 			break;
1127 		}
1128 
1129 		VERIFY0(aes_ctx->ac_remainder_len);
1130 
1131 		/*
1132 		 * We had multiple blocks of data to decrypt with nothing
1133 		 * left over and deferred decrypting the last block of data.
1134 		 * Copy it into aes_ctx->ac_remainder to decrypt on the
1135 		 * next update call (or final).
1136 		 */
1137 		bcopy(buffer_block, aes_ctx->ac_remainder, AES_BLOCK_LEN);
1138 		aes_ctx->ac_remainder_len = AES_BLOCK_LEN;
1139 		break;
1140 	}
1141 
1142 done:
1143 	return (rv);
1144 }
1145 
1146 CK_RV
1147 soft_aes_encrypt_final(soft_session_t *session_p,
1148     CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pulLastEncryptedPartLen)
1149 {
1150 	aes_ctx_t *aes_ctx = session_p->encrypt.context;
1151 	crypto_data_t data = {
1152 		.cd_format = CRYPTO_DATA_RAW,
1153 		.cd_offset = 0,
1154 		.cd_length = *pulLastEncryptedPartLen,
1155 		.cd_raw.iov_base = (char *)pLastEncryptedPart,
1156 		.cd_raw.iov_len = *pulLastEncryptedPartLen
1157 	};
1158 	CK_MECHANISM_TYPE mech = session_p->encrypt.mech.mechanism;
1159 	CK_RV rv = CKR_OK;
1160 	size_t out_len;
1161 	int rc = CRYPTO_SUCCESS;
1162 
1163 	switch (mech) {
1164 	case CKM_AES_CBC_PAD:
1165 		/*
1166 		 * We always add 1..AES_BLOCK_LEN of padding to the input
1167 		 * plaintext to round up to a multiple of AES_BLOCK_LEN.
1168 		 * During encryption, we never output a partially encrypted
1169 		 * block (that is the amount encrypted by each call of
1170 		 * C_EncryptUpdate() is always either 0 or n * AES_BLOCK_LEN).
1171 		 * As a result, at the end of the encryption operation, we
1172 		 * output AES_BLOCK_LEN bytes of data -- this could be a full
1173 		 * block of padding, or a combination of data + padding.
1174 		 */
1175 		out_len = AES_BLOCK_LEN;
1176 		break;
1177 	case CKM_AES_CTR:
1178 		/*
1179 		 * Since CKM_AES_CTR is a stream cipher, we never buffer any
1180 		 * input, so we always have 0 remaining bytes of output.
1181 		 */
1182 		out_len = 0;
1183 		break;
1184 	case CKM_AES_CCM:
1185 		out_len = aes_ctx->ac_remainder_len +
1186 		    aes_ctx->acu.acu_ccm.ccm_mac_len;
1187 		break;
1188 	case CKM_AES_GCM:
1189 		out_len = aes_ctx->ac_remainder_len +
1190 		    aes_ctx->acu.acu_gcm.gcm_tag_len;
1191 		break;
1192 	case CKM_AES_CMAC:
1193 	case CKM_AES_CMAC_GENERAL:
1194 		out_len = AES_BLOCK_LEN;
1195 		break;
1196 	default:
1197 		/*
1198 		 * Everything other AES mechansism requires full blocks of
1199 		 * input.  If the input was not an exact multiple of
1200 		 * AES_BLOCK_LEN, it is a fatal error.
1201 		 */
1202 		if (aes_ctx->ac_remainder_len > 0) {
1203 			rv = CKR_DATA_LEN_RANGE;
1204 			goto done;
1205 		}
1206 		out_len = 0;
1207 	}
1208 
1209 	if (*pulLastEncryptedPartLen < out_len || pLastEncryptedPart == NULL) {
1210 		*pulLastEncryptedPartLen = out_len;
1211 		return ((pLastEncryptedPart == NULL) ?
1212 		    CKR_OK : CKR_BUFFER_TOO_SMALL);
1213 	}
1214 
1215 	switch (mech) {
1216 	case CKM_AES_CBC_PAD: {
1217 		char block[AES_BLOCK_LEN] = { 0 };
1218 		size_t padlen = AES_BLOCK_LEN - aes_ctx->ac_remainder_len;
1219 
1220 		if (padlen == 0) {
1221 			padlen = AES_BLOCK_LEN;
1222 		}
1223 
1224 		(void) memset(block, padlen & 0xff, sizeof (block));
1225 		rc = aes_encrypt_contiguous_blocks(aes_ctx, block,
1226 		    padlen, &data);
1227 		explicit_bzero(block, sizeof (block));
1228 		break;
1229 	}
1230 	case CKM_AES_CTR:
1231 		/*
1232 		 * Since CKM_AES_CTR is a stream cipher, we never
1233 		 * buffer any data, and thus have no remaining data
1234 		 * to output at the end
1235 		 */
1236 		break;
1237 	case CKM_AES_CCM:
1238 		rc = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, &data,
1239 		    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
1240 		break;
1241 	case CKM_AES_GCM:
1242 		rc = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, &data,
1243 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
1244 		    aes_xor_block);
1245 		break;
1246 	case CKM_AES_CMAC:
1247 	case CKM_AES_CMAC_GENERAL:
1248 		rc = cmac_mode_final((cbc_ctx_t *)aes_ctx, &data,
1249 		    aes_encrypt_block, aes_xor_block);
1250 		break;
1251 	default:
1252 		break;
1253 	}
1254 	rv = crypto2pkcs11_error_number(rc);
1255 
1256 done:
1257 	if (rv == CKR_OK) {
1258 		*pulLastEncryptedPartLen = data.cd_offset;
1259 	}
1260 
1261 	soft_aes_free_ctx(aes_ctx);
1262 	session_p->encrypt.context = NULL;
1263 	return (rv);
1264 }
1265 
1266 CK_RV
1267 soft_aes_decrypt_final(soft_session_t *session_p, CK_BYTE_PTR pLastPart,
1268     CK_ULONG_PTR pulLastPartLen)
1269 {
1270 	aes_ctx_t *aes_ctx = session_p->decrypt.context;
1271 	CK_MECHANISM_TYPE mech = session_p->decrypt.mech.mechanism;
1272 	CK_RV rv = CKR_OK;
1273 	int rc = CRYPTO_SUCCESS;
1274 	size_t out_len;
1275 	crypto_data_t out = {
1276 		.cd_format = CRYPTO_DATA_RAW,
1277 		.cd_offset = 0,
1278 		.cd_length = *pulLastPartLen,
1279 		.cd_raw.iov_base = (char *)pLastPart,
1280 		.cd_raw.iov_len = *pulLastPartLen
1281 	};
1282 
1283 	switch (mech) {
1284 	case CKM_AES_CBC_PAD:
1285 		/*
1286 		 * PKCS#11 requires that a caller can discover the size of
1287 		 * the output buffer required by calling
1288 		 * C_DecryptFinal(hSession, NULL, &len) which sets
1289 		 * *pulLastPartLen to the size required.  However, it also
1290 		 * allows if one calls C_DecryptFinal with a buffer (i.e.
1291 		 * pLastPart != NULL) that is too small, to return
1292 		 * CKR_BUFFER_TOO_SMALL with *pulLastPartLen set to the
1293 		 * _exact_ size required (when pLastPart is NULL, the
1294 		 * implementation is allowed to set a 'sightly' larger
1295 		 * value than is strictly necessary.  In either case, the
1296 		 * caller is allowed to retry the operation (the operation
1297 		 * is not terminated).
1298 		 *
1299 		 * With PKCS#7 padding, we cannot determine the exact size of
1300 		 * the output until we decrypt the final block.  As such, the
1301 		 * first time for a given decrypt operation we are called,
1302 		 * we decrypt the final block and stash it in the aes_ctx
1303 		 * remainder block.  On any subsequent calls in the
1304 		 * current decrypt operation, we then can use the decrypted
1305 		 * block as necessary to provide the correct semantics.
1306 		 *
1307 		 * The cleanup of aes_ctx when the operation terminates
1308 		 * will take care of clearing out aes_ctx->ac_remainder_len.
1309 		 */
1310 		if ((aes_ctx->ac_flags & P11_DECRYPTED) == 0) {
1311 			uint8_t block[AES_BLOCK_LEN] = { 0 };
1312 			crypto_data_t block_out = {
1313 				.cd_format = CRYPTO_DATA_RAW,
1314 				.cd_offset = 0,
1315 				.cd_length = sizeof (block),
1316 				.cd_raw.iov_base = (char *)block,
1317 				.cd_raw.iov_len = sizeof (block)
1318 			};
1319 			size_t amt, i;
1320 			uint8_t pad_len;
1321 
1322 			if (aes_ctx->ac_remainder_len != AES_BLOCK_LEN) {
1323 				return (CKR_DATA_LEN_RANGE);
1324 			}
1325 
1326 			rc = aes_decrypt_contiguous_blocks(aes_ctx,
1327 			    (char *)block, 0, &block_out);
1328 			if (rc != CRYPTO_SUCCESS) {
1329 				explicit_bzero(block, sizeof (block));
1330 				return (CKR_FUNCTION_FAILED);
1331 			}
1332 
1333 			pad_len = block[AES_BLOCK_LEN - 1];
1334 
1335 			/*
1336 			 * RFC5652 6.3 The amount of padding must be
1337 			 * block_sz - (len mod block_size).  This means
1338 			 * the amount of padding must always be in the
1339 			 * range [1..block_size].
1340 			 */
1341 			if (pad_len == 0 || pad_len > AES_BLOCK_LEN) {
1342 				rv = CKR_ENCRYPTED_DATA_INVALID;
1343 				explicit_bzero(block, sizeof (block));
1344 				goto done;
1345 			}
1346 			amt = AES_BLOCK_LEN - pad_len;
1347 
1348 			/*
1349 			 * Verify the padding is correct.  Try to do so
1350 			 * in as constant a time as possible.
1351 			 */
1352 			for (i = amt; i < AES_BLOCK_LEN; i++) {
1353 				if (block[i] != pad_len) {
1354 					rv = CKR_ENCRYPTED_DATA_INVALID;
1355 				}
1356 			}
1357 			if (rv != CKR_OK) {
1358 				explicit_bzero(block, sizeof (block));
1359 				goto done;
1360 			}
1361 
1362 			bcopy(block, aes_ctx->ac_remainder, amt);
1363 			explicit_bzero(block, sizeof (block));
1364 
1365 			aes_ctx->ac_flags |= P11_DECRYPTED;
1366 			aes_ctx->ac_remainder_len = amt;
1367 		}
1368 
1369 		out_len = aes_ctx->ac_remainder_len;
1370 		break;
1371 	case CKM_AES_CTR:
1372 		/*
1373 		 * Since CKM_AES_CTR is a stream cipher, we never have
1374 		 * any remaining bytes to output.
1375 		 */
1376 		out_len = 0;
1377 		break;
1378 	case CKM_AES_CCM:
1379 		out_len = aes_ctx->ac_data_len;
1380 		break;
1381 	case CKM_AES_GCM:
1382 		out_len = aes_ctx->acu.acu_gcm.gcm_processed_data_len -
1383 		    aes_ctx->acu.acu_gcm.gcm_tag_len;
1384 		break;
1385 	default:
1386 		/*
1387 		 * The remaining mechanims require an exact multiple of
1388 		 * AES_BLOCK_LEN of ciphertext.  Any other value is an error.
1389 		 */
1390 		if (aes_ctx->ac_remainder_len > 0) {
1391 			rv = CKR_DATA_LEN_RANGE;
1392 			goto done;
1393 		}
1394 		out_len = 0;
1395 		break;
1396 	}
1397 
1398 	if (*pulLastPartLen < out_len || pLastPart == NULL) {
1399 		*pulLastPartLen = out_len;
1400 		return ((pLastPart == NULL) ? CKR_OK : CKR_BUFFER_TOO_SMALL);
1401 	}
1402 
1403 	switch (mech) {
1404 	case CKM_AES_CBC_PAD:
1405 		*pulLastPartLen = out_len;
1406 		if (out_len == 0) {
1407 			break;
1408 		}
1409 		bcopy(aes_ctx->ac_remainder, pLastPart, out_len);
1410 		out.cd_offset += out_len;
1411 		break;
1412 	case CKM_AES_CCM:
1413 		ASSERT3U(aes_ctx->ac_processed_data_len, ==, out_len);
1414 		ASSERT3U(aes_ctx->ac_processed_mac_len, ==,
1415 		    aes_ctx->ac_mac_len);
1416 
1417 		rc = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, &out,
1418 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
1419 		    aes_xor_block);
1420 		break;
1421 	case CKM_AES_GCM:
1422 		rc = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, &out,
1423 		    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
1424 		break;
1425 	default:
1426 		break;
1427 	}
1428 
1429 	VERIFY3U(out.cd_offset, ==, out_len);
1430 	rv = crypto2pkcs11_error_number(rc);
1431 
1432 done:
1433 	if (rv == CKR_OK) {
1434 		*pulLastPartLen = out.cd_offset;
1435 	}
1436 
1437 	soft_aes_free_ctx(aes_ctx);
1438 	session_p->decrypt.context = NULL;
1439 
1440 	return (rv);
1441 }
1442 
1443 /*
1444  * Allocate and initialize AES contexts for sign and verify operations
1445  * (including the underlying encryption context needed to sign or verify) --
1446  * called by C_SignInit() and C_VerifyInit() to perform the CKM_AES_* MAC
1447  * mechanisms. For general-length AES MAC, also validate the MAC length.
1448  */
1449 CK_RV
1450 soft_aes_sign_verify_init_common(soft_session_t *session_p,
1451     CK_MECHANISM_PTR pMechanism, soft_object_t *key_p, boolean_t sign_op)
1452 {
1453 	soft_aes_sign_ctx_t	*ctx = NULL;
1454 	/* For AES CMAC (the only AES MAC currently), iv is always 0 */
1455 	CK_BYTE		iv[AES_BLOCK_LEN] = { 0 };
1456 	CK_MECHANISM	encrypt_mech = {
1457 		.mechanism = CKM_AES_CMAC,
1458 		.pParameter = iv,
1459 		.ulParameterLen = sizeof (iv)
1460 	};
1461 	CK_RV		rv;
1462 	size_t		mac_len = AES_BLOCK_LEN;
1463 
1464 	if (key_p->key_type != CKK_AES)
1465 		return (CKR_KEY_TYPE_INCONSISTENT);
1466 
1467 	/* C_{Sign,Verify}Init() validate pMechanism != NULL */
1468 	if (pMechanism->mechanism == CKM_AES_CMAC_GENERAL) {
1469 		if (pMechanism->pParameter == NULL) {
1470 			return (CKR_MECHANISM_PARAM_INVALID);
1471 		}
1472 
1473 		mac_len = *(CK_MAC_GENERAL_PARAMS *)pMechanism->pParameter;
1474 
1475 		if (mac_len > AES_BLOCK_LEN) {
1476 			return (CKR_MECHANISM_PARAM_INVALID);
1477 		}
1478 	}
1479 
1480 	ctx = calloc(1, sizeof (*ctx));
1481 	if (ctx == NULL) {
1482 		return (CKR_HOST_MEMORY);
1483 	}
1484 
1485 	rv = soft_aes_check_mech_param(pMechanism, &ctx->aes_ctx);
1486 	if (rv != CKR_OK) {
1487 		soft_aes_free_ctx(ctx->aes_ctx);
1488 		goto done;
1489 	}
1490 
1491 	if ((rv = soft_encrypt_init_internal(session_p, &encrypt_mech,
1492 	    key_p)) != CKR_OK) {
1493 		soft_aes_free_ctx(ctx->aes_ctx);
1494 		goto done;
1495 	}
1496 
1497 	ctx->mac_len = mac_len;
1498 
1499 	(void) pthread_mutex_lock(&session_p->session_mutex);
1500 
1501 	if (sign_op) {
1502 		session_p->sign.context = ctx;
1503 		session_p->sign.mech.mechanism = pMechanism->mechanism;
1504 	} else {
1505 		session_p->verify.context = ctx;
1506 		session_p->verify.mech.mechanism = pMechanism->mechanism;
1507 	}
1508 
1509 	(void) pthread_mutex_unlock(&session_p->session_mutex);
1510 
1511 done:
1512 	if (rv != CKR_OK) {
1513 		soft_aes_free_ctx(ctx->aes_ctx);
1514 		free(ctx);
1515 	}
1516 
1517 	return (rv);
1518 }
1519 
1520 CK_RV
1521 soft_aes_sign_verify_common(soft_session_t *session_p, CK_BYTE_PTR pData,
1522     CK_ULONG ulDataLen, CK_BYTE_PTR pSigned, CK_ULONG_PTR pulSignedLen,
1523     boolean_t sign_op, boolean_t Final)
1524 {
1525 	soft_aes_sign_ctx_t	*soft_aes_ctx_sign_verify;
1526 	CK_RV			rv;
1527 	CK_BYTE			*pEncrypted = NULL;
1528 	CK_ULONG		ulEncryptedLen = AES_BLOCK_LEN;
1529 	CK_BYTE			last_block[AES_BLOCK_LEN];
1530 
1531 	if (sign_op) {
1532 		soft_aes_ctx_sign_verify =
1533 		    (soft_aes_sign_ctx_t *)session_p->sign.context;
1534 
1535 		if (soft_aes_ctx_sign_verify->mac_len == 0) {
1536 			*pulSignedLen = 0;
1537 			goto clean_exit;
1538 		}
1539 
1540 		/* Application asks for the length of the output buffer. */
1541 		if (pSigned == NULL) {
1542 			*pulSignedLen = soft_aes_ctx_sign_verify->mac_len;
1543 			return (CKR_OK);
1544 		}
1545 
1546 		/* Is the application-supplied buffer large enough? */
1547 		if (*pulSignedLen < soft_aes_ctx_sign_verify->mac_len) {
1548 			*pulSignedLen = soft_aes_ctx_sign_verify->mac_len;
1549 			return (CKR_BUFFER_TOO_SMALL);
1550 		}
1551 	} else {
1552 		soft_aes_ctx_sign_verify =
1553 		    (soft_aes_sign_ctx_t *)session_p->verify.context;
1554 	}
1555 
1556 	if (Final) {
1557 		rv = soft_encrypt_final(session_p, last_block,
1558 		    &ulEncryptedLen);
1559 	} else {
1560 		rv = soft_encrypt(session_p, pData, ulDataLen,
1561 		    last_block, &ulEncryptedLen);
1562 	}
1563 
1564 	if (rv == CKR_OK) {
1565 		*pulSignedLen = soft_aes_ctx_sign_verify->mac_len;
1566 
1567 		/* the leftmost mac_len bytes of last_block is our MAC */
1568 		(void) memcpy(pSigned, last_block, *pulSignedLen);
1569 	}
1570 
1571 clean_exit:
1572 
1573 	(void) pthread_mutex_lock(&session_p->session_mutex);
1574 
1575 	/* soft_encrypt_common() has freed the encrypt context */
1576 	if (sign_op) {
1577 		free(session_p->sign.context);
1578 		session_p->sign.context = NULL;
1579 	} else {
1580 		free(session_p->verify.context);
1581 		session_p->verify.context = NULL;
1582 	}
1583 	session_p->encrypt.flags = 0;
1584 
1585 	(void) pthread_mutex_unlock(&session_p->session_mutex);
1586 
1587 	if (pEncrypted) {
1588 		free(pEncrypted);
1589 	}
1590 
1591 	return (rv);
1592 }
1593 
1594 /*
1595  * Called by soft_sign_update()
1596  */
1597 CK_RV
1598 soft_aes_mac_sign_verify_update(soft_session_t *session_p, CK_BYTE_PTR pPart,
1599     CK_ULONG ulPartLen)
1600 {
1601 	CK_BYTE		buf[AES_BLOCK_LEN];
1602 	CK_ULONG	ulEncryptedLen = AES_BLOCK_LEN;
1603 	CK_RV		rv;
1604 
1605 	rv = soft_encrypt_update(session_p, pPart, ulPartLen,
1606 	    buf, &ulEncryptedLen);
1607 	explicit_bzero(buf, sizeof (buf));
1608 
1609 	return (rv);
1610 }
1611 
1612 void
1613 soft_aes_free_ctx(aes_ctx_t *ctx)
1614 {
1615 	size_t len = 0;
1616 
1617 	if (ctx == NULL)
1618 		return;
1619 
1620 	if (ctx->ac_flags & ECB_MODE) {
1621 		len = sizeof (ecb_ctx_t);
1622 	} else if (ctx->ac_flags & (CBC_MODE|CMAC_MODE)) {
1623 		len = sizeof (cbc_ctx_t);
1624 	} else if (ctx->ac_flags & CTR_MODE) {
1625 		len = sizeof (ctr_ctx_t);
1626 	} else if (ctx->ac_flags & CCM_MODE) {
1627 		len = sizeof (ccm_ctx_t);
1628 	} else if (ctx->ac_flags & GCM_MODE) {
1629 		len = sizeof (gcm_ctx_t);
1630 	}
1631 
1632 	freezero(ctx->ac_keysched, ctx->ac_keysched_len);
1633 	freezero(ctx, len);
1634 }
1635