xref: /illumos-gate/usr/src/uts/common/crypto/io/aes.c (revision 283bfb4d4abcf7382b46f32663005b883ee2e3e0)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * AES provider for the Kernel Cryptographic Framework (KCF)
28  */
29 
30 #include <sys/types.h>
31 #include <sys/systm.h>
32 #include <sys/modctl.h>
33 #include <sys/cmn_err.h>
34 #include <sys/ddi.h>
35 #include <sys/crypto/common.h>
36 #include <sys/crypto/impl.h>
37 #include <sys/crypto/spi.h>
38 #include <sys/sysmacros.h>
39 #include <sys/strsun.h>
40 #include <modes/modes.h>
41 #include <aes/aes_impl.h>
42 
43 extern struct mod_ops mod_cryptoops;
44 
45 /*
46  * Module linkage information for the kernel.
47  */
48 static struct modlcrypto modlcrypto = {
49 	&mod_cryptoops,
50 	"AES Kernel SW Provider"
51 };
52 
53 static struct modlinkage modlinkage = {
54 	MODREV_1,
55 	(void *)&modlcrypto,
56 	NULL
57 };
58 
59 /*
60  * CSPI information (entry points, provider info, etc.)
61  */
62 typedef enum aes_mech_type {
63 	AES_ECB_MECH_INFO_TYPE,		/* SUN_CKM_AES_ECB */
64 	AES_CBC_MECH_INFO_TYPE,		/* SUN_CKM_AES_CBC */
65 	AES_CBC_PAD_MECH_INFO_TYPE,	/* SUN_CKM_AES_CBC_PAD */
66 	AES_CTR_MECH_INFO_TYPE,		/* SUN_CKM_AES_CTR */
67 	AES_CCM_MECH_INFO_TYPE,		/* SUN_CKM_AES_CCM */
68 	AES_GCM_MECH_INFO_TYPE		/* SUN_CKM_AES_GCM */
69 } aes_mech_type_t;
70 
71 /*
72  * The following definitions are to keep EXPORT_SRC happy.
73  */
74 #ifndef AES_MIN_KEY_BYTES
75 #define	AES_MIN_KEY_BYTES		0
76 #endif
77 
78 #ifndef AES_MAX_KEY_BYTES
79 #define	AES_MAX_KEY_BYTES		0
80 #endif
81 
82 /*
83  * Mechanism info structure passed to KCF during registration.
84  */
85 static crypto_mech_info_t aes_mech_info_tab[] = {
86 	/* AES_ECB */
87 	{SUN_CKM_AES_ECB, AES_ECB_MECH_INFO_TYPE,
88 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
89 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
90 	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
91 	/* AES_CBC */
92 	{SUN_CKM_AES_CBC, AES_CBC_MECH_INFO_TYPE,
93 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
94 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
95 	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
96 	/* AES_CTR */
97 	{SUN_CKM_AES_CTR, AES_CTR_MECH_INFO_TYPE,
98 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
99 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
100 	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
101 	/* AES_CCM */
102 	{SUN_CKM_AES_CCM, AES_CCM_MECH_INFO_TYPE,
103 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
104 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
105 	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
106 	/* AES_GCM */
107 	{SUN_CKM_AES_GCM, AES_GCM_MECH_INFO_TYPE,
108 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
109 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
110 	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES}
111 };
112 
113 /* operations are in-place if the output buffer is NULL */
114 #define	AES_ARG_INPLACE(input, output)				\
115 	if ((output) == NULL)					\
116 		(output) = (input);
117 
118 static void aes_provider_status(crypto_provider_handle_t, uint_t *);
119 
120 static crypto_control_ops_t aes_control_ops = {
121 	aes_provider_status
122 };
123 
124 static int aes_encrypt_init(crypto_ctx_t *, crypto_mechanism_t *,
125     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
126 static int aes_decrypt_init(crypto_ctx_t *, crypto_mechanism_t *,
127     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
128 static int aes_common_init(crypto_ctx_t *, crypto_mechanism_t *,
129     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t, boolean_t);
130 static int aes_common_init_ctx(aes_ctx_t *, crypto_spi_ctx_template_t *,
131     crypto_mechanism_t *, crypto_key_t *, int, boolean_t);
132 static int aes_encrypt_final(crypto_ctx_t *, crypto_data_t *,
133     crypto_req_handle_t);
134 static int aes_decrypt_final(crypto_ctx_t *, crypto_data_t *,
135     crypto_req_handle_t);
136 
137 static int aes_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
138     crypto_req_handle_t);
139 static int aes_encrypt_update(crypto_ctx_t *, crypto_data_t *,
140     crypto_data_t *, crypto_req_handle_t);
141 static int aes_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
142     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
143     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
144 
145 static int aes_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
146     crypto_req_handle_t);
147 static int aes_decrypt_update(crypto_ctx_t *, crypto_data_t *,
148     crypto_data_t *, crypto_req_handle_t);
149 static int aes_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
150     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
151     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
152 
153 static crypto_cipher_ops_t aes_cipher_ops = {
154 	aes_encrypt_init,
155 	aes_encrypt,
156 	aes_encrypt_update,
157 	aes_encrypt_final,
158 	aes_encrypt_atomic,
159 	aes_decrypt_init,
160 	aes_decrypt,
161 	aes_decrypt_update,
162 	aes_decrypt_final,
163 	aes_decrypt_atomic
164 };
165 
166 static int aes_create_ctx_template(crypto_provider_handle_t,
167     crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *,
168     size_t *, crypto_req_handle_t);
169 static int aes_free_context(crypto_ctx_t *);
170 
171 static crypto_ctx_ops_t aes_ctx_ops = {
172 	aes_create_ctx_template,
173 	aes_free_context
174 };
175 
176 static crypto_ops_t aes_crypto_ops = {
177 	&aes_control_ops,
178 	NULL,
179 	&aes_cipher_ops,
180 	NULL,
181 	NULL,
182 	NULL,
183 	NULL,
184 	NULL,
185 	NULL,
186 	NULL,
187 	NULL,
188 	NULL,
189 	NULL,
190 	&aes_ctx_ops
191 };
192 
193 static crypto_provider_info_t aes_prov_info = {
194 	CRYPTO_SPI_VERSION_1,
195 	"AES Software Provider",
196 	CRYPTO_SW_PROVIDER,
197 	{&modlinkage},
198 	NULL,
199 	&aes_crypto_ops,
200 	sizeof (aes_mech_info_tab)/sizeof (crypto_mech_info_t),
201 	aes_mech_info_tab
202 };
203 
204 static crypto_kcf_provider_handle_t aes_prov_handle = NULL;
205 
206 int
207 _init(void)
208 {
209 	int ret;
210 
211 	/*
212 	 * Register with KCF. If the registration fails, return error.
213 	 */
214 	if ((ret = crypto_register_provider(&aes_prov_info,
215 	    &aes_prov_handle)) != CRYPTO_SUCCESS) {
216 		cmn_err(CE_WARN, "%s _init: crypto_register_provider()"
217 		    "failed (0x%x)", CRYPTO_PROVIDER_NAME, ret);
218 		return (EACCES);
219 	}
220 
221 	if ((ret = mod_install(&modlinkage)) != 0) {
222 		int rv;
223 
224 		ASSERT(aes_prov_handle != NULL);
225 		/* We should not return if the unregister returns busy. */
226 		while ((rv = crypto_unregister_provider(aes_prov_handle))
227 		    == CRYPTO_BUSY) {
228 			cmn_err(CE_WARN,
229 			    "%s _init: crypto_unregister_provider() "
230 			    "failed (0x%x). Retrying.",
231 			    CRYPTO_PROVIDER_NAME, rv);
232 			/* wait 10 seconds and try again. */
233 			delay(10 * drv_usectohz(1000000));
234 		}
235 	}
236 
237 	return (ret);
238 }
239 
240 int
241 _fini(void)
242 {
243 	int ret;
244 
245 	/*
246 	 * Unregister from KCF if previous registration succeeded.
247 	 */
248 	if (aes_prov_handle != NULL) {
249 		if ((ret = crypto_unregister_provider(aes_prov_handle)) !=
250 		    CRYPTO_SUCCESS) {
251 			cmn_err(CE_WARN,
252 			    "%s _fini: crypto_unregister_provider() "
253 			    "failed (0x%x)", CRYPTO_PROVIDER_NAME, ret);
254 			return (EBUSY);
255 		}
256 		aes_prov_handle = NULL;
257 	}
258 
259 	return (mod_remove(&modlinkage));
260 }
261 
262 int
263 _info(struct modinfo *modinfop)
264 {
265 	return (mod_info(&modlinkage, modinfop));
266 }
267 
268 
269 static int
270 aes_check_mech_param(crypto_mechanism_t *mechanism, aes_ctx_t **ctx, int kmflag)
271 {
272 	void *p = NULL;
273 	int rv = CRYPTO_SUCCESS;
274 
275 	switch (mechanism->cm_type) {
276 	case AES_ECB_MECH_INFO_TYPE:
277 		/* no parameter */
278 		if (ctx != NULL)
279 			p = ecb_alloc_ctx(kmflag);
280 		break;
281 	case AES_CBC_MECH_INFO_TYPE:
282 		if (mechanism->cm_param != NULL &&
283 		    mechanism->cm_param_len != AES_BLOCK_LEN) {
284 			rv = CRYPTO_MECHANISM_PARAM_INVALID;
285 			break;
286 		}
287 		if (ctx != NULL)
288 			p = cbc_alloc_ctx(kmflag);
289 		break;
290 	case AES_CTR_MECH_INFO_TYPE:
291 		if (mechanism->cm_param != NULL &&
292 		    mechanism->cm_param_len != sizeof (CK_AES_CTR_PARAMS)) {
293 			rv = CRYPTO_MECHANISM_PARAM_INVALID;
294 			break;
295 		}
296 		if (ctx != NULL)
297 			p = ctr_alloc_ctx(kmflag);
298 		break;
299 	case AES_CCM_MECH_INFO_TYPE:
300 		if (mechanism->cm_param != NULL &&
301 		    mechanism->cm_param_len != sizeof (CK_AES_CCM_PARAMS)) {
302 			rv = CRYPTO_MECHANISM_PARAM_INVALID;
303 			break;
304 		}
305 		if (ctx != NULL)
306 			p = ccm_alloc_ctx(kmflag);
307 		break;
308 	case AES_GCM_MECH_INFO_TYPE:
309 		if (mechanism->cm_param != NULL &&
310 		    mechanism->cm_param_len != sizeof (CK_AES_GCM_PARAMS)) {
311 			rv = CRYPTO_MECHANISM_PARAM_INVALID;
312 			break;
313 		}
314 		if (ctx != NULL)
315 			p = gcm_alloc_ctx(kmflag);
316 		break;
317 	default:
318 		rv = CRYPTO_MECHANISM_INVALID;
319 	}
320 	if (ctx != NULL)
321 		*ctx = p;
322 
323 	return (rv);
324 }
325 
326 /* EXPORT DELETE START */
327 
328 /*
329  * Initialize key schedules for AES
330  */
331 static int
332 init_keysched(crypto_key_t *key, void *newbie)
333 {
334 	/*
335 	 * Only keys by value are supported by this module.
336 	 */
337 	switch (key->ck_format) {
338 	case CRYPTO_KEY_RAW:
339 		if (key->ck_length < AES_MINBITS ||
340 		    key->ck_length > AES_MAXBITS) {
341 			return (CRYPTO_KEY_SIZE_RANGE);
342 		}
343 
344 		/* key length must be either 128, 192, or 256 */
345 		if ((key->ck_length & 63) != 0)
346 			return (CRYPTO_KEY_SIZE_RANGE);
347 		break;
348 	default:
349 		return (CRYPTO_KEY_TYPE_INCONSISTENT);
350 	}
351 
352 	aes_init_keysched(key->ck_data, key->ck_length, newbie);
353 	return (CRYPTO_SUCCESS);
354 }
355 
356 /* EXPORT DELETE END */
357 
358 /*
359  * KCF software provider control entry points.
360  */
361 /* ARGSUSED */
362 static void
363 aes_provider_status(crypto_provider_handle_t provider, uint_t *status)
364 {
365 	*status = CRYPTO_PROVIDER_READY;
366 }
367 
368 static int
369 aes_encrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
370     crypto_key_t *key, crypto_spi_ctx_template_t template,
371     crypto_req_handle_t req) {
372 	return (aes_common_init(ctx, mechanism, key, template, req, B_TRUE));
373 }
374 
375 static int
376 aes_decrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
377     crypto_key_t *key, crypto_spi_ctx_template_t template,
378     crypto_req_handle_t req) {
379 	return (aes_common_init(ctx, mechanism, key, template, req, B_FALSE));
380 }
381 
382 
383 
384 /*
385  * KCF software provider encrypt entry points.
386  */
387 static int
388 aes_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
389     crypto_key_t *key, crypto_spi_ctx_template_t template,
390     crypto_req_handle_t req, boolean_t is_encrypt_init)
391 {
392 
393 /* EXPORT DELETE START */
394 
395 	aes_ctx_t *aes_ctx;
396 	int rv;
397 	int kmflag;
398 
399 	/*
400 	 * Only keys by value are supported by this module.
401 	 */
402 	if (key->ck_format != CRYPTO_KEY_RAW) {
403 		return (CRYPTO_KEY_TYPE_INCONSISTENT);
404 	}
405 
406 	kmflag = crypto_kmflag(req);
407 	if ((rv = aes_check_mech_param(mechanism, &aes_ctx, kmflag))
408 	    != CRYPTO_SUCCESS)
409 		return (rv);
410 
411 	rv = aes_common_init_ctx(aes_ctx, template, mechanism, key, kmflag,
412 	    is_encrypt_init);
413 	if (rv != CRYPTO_SUCCESS) {
414 		crypto_free_mode_ctx(aes_ctx);
415 		return (rv);
416 	}
417 
418 	ctx->cc_provider_private = aes_ctx;
419 
420 /* EXPORT DELETE END */
421 
422 	return (CRYPTO_SUCCESS);
423 }
424 
425 static void
426 aes_copy_block64(uint8_t *in, uint64_t *out)
427 {
428 	if (IS_P2ALIGNED(in, sizeof (uint64_t))) {
429 		/* LINTED: pointer alignment */
430 		out[0] = *(uint64_t *)&in[0];
431 		/* LINTED: pointer alignment */
432 		out[1] = *(uint64_t *)&in[8];
433 	} else {
434 		uint8_t *iv8 = (uint8_t *)&out[0];
435 
436 		AES_COPY_BLOCK(in, iv8);
437 	}
438 }
439 
440 /* ARGSUSED */
441 static int
442 aes_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext,
443     crypto_data_t *ciphertext, crypto_req_handle_t req)
444 {
445 	int ret = CRYPTO_FAILED;
446 
447 /* EXPORT DELETE START */
448 
449 	aes_ctx_t *aes_ctx;
450 	size_t saved_length, saved_offset, length_needed;
451 
452 	ASSERT(ctx->cc_provider_private != NULL);
453 	aes_ctx = ctx->cc_provider_private;
454 
455 	/*
456 	 * For block ciphers, plaintext must be a multiple of AES block size.
457 	 * This test is only valid for ciphers whose blocksize is a power of 2.
458 	 * Even though AES CCM mode is a block cipher, it does not
459 	 * require the plaintext to be a multiple of AES block size.
460 	 * The length requirement for AES CCM mode has already been checked
461 	 * at init time
462 	 */
463 	if (((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE)) == 0) &&
464 	    (plaintext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
465 		return (CRYPTO_DATA_LEN_RANGE);
466 
467 	AES_ARG_INPLACE(plaintext, ciphertext);
468 
469 	/*
470 	 * We need to just return the length needed to store the output.
471 	 * We should not destroy the context for the following case.
472 	 */
473 	if (aes_ctx->ac_flags & CCM_MODE) {
474 		length_needed = plaintext->cd_length + aes_ctx->ac_mac_len;
475 	} else if (aes_ctx->ac_flags & GCM_MODE) {
476 		length_needed = plaintext->cd_length + aes_ctx->ac_tag_len;
477 	} else {
478 		length_needed = plaintext->cd_length;
479 	}
480 
481 	if (ciphertext->cd_length < length_needed) {
482 		ciphertext->cd_length = length_needed;
483 		return (CRYPTO_BUFFER_TOO_SMALL);
484 	}
485 
486 	saved_length = ciphertext->cd_length;
487 	saved_offset = ciphertext->cd_offset;
488 
489 	/*
490 	 * Do an update on the specified input data.
491 	 */
492 	ret = aes_encrypt_update(ctx, plaintext, ciphertext, req);
493 	if (ret != CRYPTO_SUCCESS) {
494 		return (ret);
495 	}
496 
497 	/*
498 	 * For CCM mode, aes_ccm_encrypt_final() will take care of any
499 	 * left-over unprocessed data, and compute the MAC
500 	 */
501 	if (aes_ctx->ac_flags & CCM_MODE) {
502 		/*
503 		 * ccm_encrypt_final() will compute the MAC and append
504 		 * it to existing ciphertext. So, need to adjust the left over
505 		 * length value accordingly
506 		 */
507 
508 		/* order of following 2 lines MUST not be reversed */
509 		ciphertext->cd_offset = ciphertext->cd_length;
510 		ciphertext->cd_length = saved_length - ciphertext->cd_length;
511 		ret = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, ciphertext,
512 		    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
513 		if (ret != CRYPTO_SUCCESS) {
514 			return (ret);
515 		}
516 
517 		if (plaintext != ciphertext) {
518 			ciphertext->cd_length =
519 			    ciphertext->cd_offset - saved_offset;
520 		}
521 		ciphertext->cd_offset = saved_offset;
522 	} else if (aes_ctx->ac_flags & GCM_MODE) {
523 		/*
524 		 * gcm_encrypt_final() will compute the MAC and append
525 		 * it to existing ciphertext. So, need to adjust the left over
526 		 * length value accordingly
527 		 */
528 
529 		/* order of following 2 lines MUST not be reversed */
530 		ciphertext->cd_offset = ciphertext->cd_length;
531 		ciphertext->cd_length = saved_length - ciphertext->cd_length;
532 		ret = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, ciphertext,
533 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
534 		    aes_xor_block);
535 		if (ret != CRYPTO_SUCCESS) {
536 			return (ret);
537 		}
538 
539 		if (plaintext != ciphertext) {
540 			ciphertext->cd_length =
541 			    ciphertext->cd_offset - saved_offset;
542 		}
543 		ciphertext->cd_offset = saved_offset;
544 	}
545 
546 	ASSERT(aes_ctx->ac_remainder_len == 0);
547 	(void) aes_free_context(ctx);
548 
549 /* EXPORT DELETE END */
550 
551 	/* LINTED */
552 	return (ret);
553 }
554 
555 /* ARGSUSED */
556 static int
557 aes_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
558     crypto_data_t *plaintext, crypto_req_handle_t req)
559 {
560 	int ret = CRYPTO_FAILED;
561 
562 /* EXPORT DELETE START */
563 
564 	aes_ctx_t *aes_ctx;
565 	off_t saved_offset;
566 	size_t saved_length;
567 
568 	ASSERT(ctx->cc_provider_private != NULL);
569 	aes_ctx = ctx->cc_provider_private;
570 
571 	/*
572 	 * For block ciphers, plaintext must be a multiple of AES block size.
573 	 * This test is only valid for ciphers whose blocksize is a power of 2.
574 	 * Even though AES CCM mode is a block cipher, it does not
575 	 * require the plaintext to be a multiple of AES block size.
576 	 * The length requirement for AES CCM mode has already been checked
577 	 * at init time
578 	 */
579 	if (((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE)) == 0) &&
580 	    (ciphertext->cd_length & (AES_BLOCK_LEN - 1)) != 0) {
581 		return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
582 	}
583 
584 	AES_ARG_INPLACE(ciphertext, plaintext);
585 
586 	/*
587 	 * We need to just return the length needed to store the output.
588 	 * We should not destroy the context for the following case.
589 	 *
590 	 * For AES CCM mode, size of the plaintext will be MAC_SIZE
591 	 * smaller than size of the cipher text.
592 	 */
593 	if (aes_ctx->ac_flags & CCM_MODE) {
594 		if (plaintext->cd_length < aes_ctx->ac_processed_data_len) {
595 			plaintext->cd_length = aes_ctx->ac_processed_data_len;
596 			return (CRYPTO_BUFFER_TOO_SMALL);
597 		}
598 		saved_offset = plaintext->cd_offset;
599 		saved_length = plaintext->cd_length;
600 	} else if (aes_ctx->ac_flags & GCM_MODE) {
601 		size_t pt_len = ciphertext->cd_length - aes_ctx->ac_tag_len;
602 
603 		if (plaintext->cd_length < pt_len) {
604 			plaintext->cd_length = pt_len;
605 			return (CRYPTO_BUFFER_TOO_SMALL);
606 		}
607 		saved_offset = plaintext->cd_offset;
608 		saved_length = plaintext->cd_length;
609 	} else if (plaintext->cd_length < ciphertext->cd_length) {
610 		plaintext->cd_length = ciphertext->cd_length;
611 		return (CRYPTO_BUFFER_TOO_SMALL);
612 	}
613 
614 	/*
615 	 * Do an update on the specified input data.
616 	 */
617 	ret = aes_decrypt_update(ctx, ciphertext, plaintext, req);
618 	if (ret != CRYPTO_SUCCESS) {
619 		goto cleanup;
620 	}
621 
622 	if (aes_ctx->ac_flags & CCM_MODE) {
623 		ASSERT(aes_ctx->ac_processed_data_len == aes_ctx->ac_data_len);
624 		ASSERT(aes_ctx->ac_processed_mac_len == aes_ctx->ac_mac_len);
625 
626 		/* order of following 2 lines MUST not be reversed */
627 		plaintext->cd_offset = plaintext->cd_length;
628 		plaintext->cd_length = saved_length - plaintext->cd_length;
629 
630 		ret = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, plaintext,
631 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
632 		    aes_xor_block);
633 		if (ret == CRYPTO_SUCCESS) {
634 			if (plaintext != ciphertext) {
635 				plaintext->cd_length =
636 				    plaintext->cd_offset - saved_offset;
637 			}
638 		} else {
639 			plaintext->cd_length = saved_length;
640 		}
641 
642 		plaintext->cd_offset = saved_offset;
643 	} else if (aes_ctx->ac_flags & GCM_MODE) {
644 		/* order of following 2 lines MUST not be reversed */
645 		plaintext->cd_offset = plaintext->cd_length;
646 		plaintext->cd_length = saved_length - plaintext->cd_length;
647 
648 		ret = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, plaintext,
649 		    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
650 		if (ret == CRYPTO_SUCCESS) {
651 			if (plaintext != ciphertext) {
652 				plaintext->cd_length =
653 				    plaintext->cd_offset - saved_offset;
654 			}
655 		} else {
656 			plaintext->cd_length = saved_length;
657 		}
658 
659 		plaintext->cd_offset = saved_offset;
660 	}
661 
662 	ASSERT(aes_ctx->ac_remainder_len == 0);
663 
664 cleanup:
665 	(void) aes_free_context(ctx);
666 
667 /* EXPORT DELETE END */
668 
669 	/* LINTED */
670 	return (ret);
671 }
672 
673 /* ARGSUSED */
674 static int
675 aes_encrypt_update(crypto_ctx_t *ctx, crypto_data_t *plaintext,
676     crypto_data_t *ciphertext, crypto_req_handle_t req)
677 {
678 	off_t saved_offset;
679 	size_t saved_length, out_len;
680 	int ret = CRYPTO_SUCCESS;
681 	aes_ctx_t *aes_ctx;
682 
683 	ASSERT(ctx->cc_provider_private != NULL);
684 	aes_ctx = ctx->cc_provider_private;
685 
686 	AES_ARG_INPLACE(plaintext, ciphertext);
687 
688 	/* compute number of bytes that will hold the ciphertext */
689 	out_len = aes_ctx->ac_remainder_len;
690 	out_len += plaintext->cd_length;
691 	out_len &= ~(AES_BLOCK_LEN - 1);
692 
693 	/* return length needed to store the output */
694 	if (ciphertext->cd_length < out_len) {
695 		ciphertext->cd_length = out_len;
696 		return (CRYPTO_BUFFER_TOO_SMALL);
697 	}
698 
699 	saved_offset = ciphertext->cd_offset;
700 	saved_length = ciphertext->cd_length;
701 
702 
703 	/*
704 	 * Do the AES update on the specified input data.
705 	 */
706 	switch (plaintext->cd_format) {
707 	case CRYPTO_DATA_RAW:
708 		ret = crypto_update_iov(ctx->cc_provider_private,
709 		    plaintext, ciphertext, aes_encrypt_contiguous_blocks,
710 		    aes_copy_block64);
711 		break;
712 	case CRYPTO_DATA_UIO:
713 		ret = crypto_update_uio(ctx->cc_provider_private,
714 		    plaintext, ciphertext, aes_encrypt_contiguous_blocks,
715 		    aes_copy_block64);
716 		break;
717 	case CRYPTO_DATA_MBLK:
718 		ret = crypto_update_mp(ctx->cc_provider_private,
719 		    plaintext, ciphertext, aes_encrypt_contiguous_blocks,
720 		    aes_copy_block64);
721 		break;
722 	default:
723 		ret = CRYPTO_ARGUMENTS_BAD;
724 	}
725 
726 	/*
727 	 * Since AES counter mode is a stream cipher, we call
728 	 * ctr_mode_final() to pick up any remaining bytes.
729 	 * It is an internal function that does not destroy
730 	 * the context like *normal* final routines.
731 	 */
732 	if ((aes_ctx->ac_flags & CTR_MODE) && (aes_ctx->ac_remainder_len > 0)) {
733 		ret = ctr_mode_final((ctr_ctx_t *)aes_ctx,
734 		    ciphertext, aes_encrypt_block);
735 	}
736 
737 	if (ret == CRYPTO_SUCCESS) {
738 		if (plaintext != ciphertext)
739 			ciphertext->cd_length =
740 			    ciphertext->cd_offset - saved_offset;
741 	} else {
742 		ciphertext->cd_length = saved_length;
743 	}
744 	ciphertext->cd_offset = saved_offset;
745 
746 	return (ret);
747 }
748 
749 /* ARGSUSED */
750 static int
751 aes_decrypt_update(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
752     crypto_data_t *plaintext, crypto_req_handle_t req)
753 {
754 	off_t saved_offset;
755 	size_t saved_length, out_len;
756 	int ret = CRYPTO_SUCCESS;
757 	aes_ctx_t *aes_ctx;
758 
759 	ASSERT(ctx->cc_provider_private != NULL);
760 	aes_ctx = ctx->cc_provider_private;
761 
762 	AES_ARG_INPLACE(ciphertext, plaintext);
763 
764 	/*
765 	 * Compute number of bytes that will hold the plaintext.
766 	 * This is not necessary for CCM and GCM since these mechanisms
767 	 * never return plaintext for update operations.
768 	 */
769 	if ((aes_ctx->ac_flags & (CCM_MODE|GCM_MODE)) == 0) {
770 		out_len = aes_ctx->ac_remainder_len;
771 		out_len += ciphertext->cd_length;
772 		out_len &= ~(AES_BLOCK_LEN - 1);
773 
774 		/* return length needed to store the output */
775 		if (plaintext->cd_length < out_len) {
776 			plaintext->cd_length = out_len;
777 			return (CRYPTO_BUFFER_TOO_SMALL);
778 		}
779 	}
780 
781 	saved_offset = plaintext->cd_offset;
782 	saved_length = plaintext->cd_length;
783 
784 	if (aes_ctx->ac_flags & GCM_MODE)
785 		gcm_set_kmflag((gcm_ctx_t *)aes_ctx, crypto_kmflag(req));
786 
787 	/*
788 	 * Do the AES update on the specified input data.
789 	 */
790 	switch (ciphertext->cd_format) {
791 	case CRYPTO_DATA_RAW:
792 		ret = crypto_update_iov(ctx->cc_provider_private,
793 		    ciphertext, plaintext, aes_decrypt_contiguous_blocks,
794 		    aes_copy_block64);
795 		break;
796 	case CRYPTO_DATA_UIO:
797 		ret = crypto_update_uio(ctx->cc_provider_private,
798 		    ciphertext, plaintext, aes_decrypt_contiguous_blocks,
799 		    aes_copy_block64);
800 		break;
801 	case CRYPTO_DATA_MBLK:
802 		ret = crypto_update_mp(ctx->cc_provider_private,
803 		    ciphertext, plaintext, aes_decrypt_contiguous_blocks,
804 		    aes_copy_block64);
805 		break;
806 	default:
807 		ret = CRYPTO_ARGUMENTS_BAD;
808 	}
809 
810 	/*
811 	 * Since AES counter mode is a stream cipher, we call
812 	 * ctr_mode_final() to pick up any remaining bytes.
813 	 * It is an internal function that does not destroy
814 	 * the context like *normal* final routines.
815 	 */
816 	if ((aes_ctx->ac_flags & CTR_MODE) && (aes_ctx->ac_remainder_len > 0)) {
817 		ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, plaintext,
818 		    aes_encrypt_block);
819 		if (ret == CRYPTO_DATA_LEN_RANGE)
820 			ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
821 	}
822 
823 	if (ret == CRYPTO_SUCCESS) {
824 		if (ciphertext != plaintext)
825 			plaintext->cd_length =
826 			    plaintext->cd_offset - saved_offset;
827 	} else {
828 		plaintext->cd_length = saved_length;
829 	}
830 	plaintext->cd_offset = saved_offset;
831 
832 
833 	return (ret);
834 }
835 
836 /* ARGSUSED */
837 static int
838 aes_encrypt_final(crypto_ctx_t *ctx, crypto_data_t *data,
839     crypto_req_handle_t req)
840 {
841 
842 /* EXPORT DELETE START */
843 
844 	aes_ctx_t *aes_ctx;
845 	int ret;
846 
847 	ASSERT(ctx->cc_provider_private != NULL);
848 	aes_ctx = ctx->cc_provider_private;
849 
850 	if (data->cd_format != CRYPTO_DATA_RAW &&
851 	    data->cd_format != CRYPTO_DATA_UIO &&
852 	    data->cd_format != CRYPTO_DATA_MBLK) {
853 		return (CRYPTO_ARGUMENTS_BAD);
854 	}
855 
856 	if (aes_ctx->ac_flags & CTR_MODE) {
857 		if (aes_ctx->ac_remainder_len > 0) {
858 			ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, data,
859 			    aes_encrypt_block);
860 			if (ret != CRYPTO_SUCCESS)
861 				return (ret);
862 		}
863 	} else if (aes_ctx->ac_flags & CCM_MODE) {
864 		ret = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, data,
865 		    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
866 		if (ret != CRYPTO_SUCCESS) {
867 			return (ret);
868 		}
869 	} else if (aes_ctx->ac_flags & GCM_MODE) {
870 		size_t saved_offset = data->cd_offset;
871 
872 		ret = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, data,
873 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
874 		    aes_xor_block);
875 		if (ret != CRYPTO_SUCCESS) {
876 			return (ret);
877 		}
878 		data->cd_length = data->cd_offset - saved_offset;
879 		data->cd_offset = saved_offset;
880 	} else {
881 		/*
882 		 * There must be no unprocessed plaintext.
883 		 * This happens if the length of the last data is
884 		 * not a multiple of the AES block length.
885 		 */
886 		if (aes_ctx->ac_remainder_len > 0) {
887 			return (CRYPTO_DATA_LEN_RANGE);
888 		}
889 		data->cd_length = 0;
890 	}
891 
892 	(void) aes_free_context(ctx);
893 
894 /* EXPORT DELETE END */
895 
896 	return (CRYPTO_SUCCESS);
897 }
898 
899 /* ARGSUSED */
900 static int
901 aes_decrypt_final(crypto_ctx_t *ctx, crypto_data_t *data,
902     crypto_req_handle_t req)
903 {
904 
905 /* EXPORT DELETE START */
906 
907 	aes_ctx_t *aes_ctx;
908 	int ret;
909 	off_t saved_offset;
910 	size_t saved_length;
911 
912 	ASSERT(ctx->cc_provider_private != NULL);
913 	aes_ctx = ctx->cc_provider_private;
914 
915 	if (data->cd_format != CRYPTO_DATA_RAW &&
916 	    data->cd_format != CRYPTO_DATA_UIO &&
917 	    data->cd_format != CRYPTO_DATA_MBLK) {
918 		return (CRYPTO_ARGUMENTS_BAD);
919 	}
920 
921 	/*
922 	 * There must be no unprocessed ciphertext.
923 	 * This happens if the length of the last ciphertext is
924 	 * not a multiple of the AES block length.
925 	 */
926 	if (aes_ctx->ac_remainder_len > 0) {
927 		if ((aes_ctx->ac_flags & CTR_MODE) == 0)
928 			return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
929 		else {
930 			ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, data,
931 			    aes_encrypt_block);
932 			if (ret == CRYPTO_DATA_LEN_RANGE)
933 				ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
934 			if (ret != CRYPTO_SUCCESS)
935 				return (ret);
936 		}
937 	}
938 
939 	if (aes_ctx->ac_flags & CCM_MODE) {
940 		/*
941 		 * This is where all the plaintext is returned, make sure
942 		 * the plaintext buffer is big enough
943 		 */
944 		size_t pt_len = aes_ctx->ac_data_len;
945 		if (data->cd_length < pt_len) {
946 			data->cd_length = pt_len;
947 			return (CRYPTO_BUFFER_TOO_SMALL);
948 		}
949 
950 		ASSERT(aes_ctx->ac_processed_data_len == pt_len);
951 		ASSERT(aes_ctx->ac_processed_mac_len == aes_ctx->ac_mac_len);
952 		saved_offset = data->cd_offset;
953 		saved_length = data->cd_length;
954 		ret = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, data,
955 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
956 		    aes_xor_block);
957 		if (ret == CRYPTO_SUCCESS) {
958 			data->cd_length = data->cd_offset - saved_offset;
959 		} else {
960 			data->cd_length = saved_length;
961 		}
962 
963 		data->cd_offset = saved_offset;
964 		if (ret != CRYPTO_SUCCESS) {
965 			return (ret);
966 		}
967 	} else if (aes_ctx->ac_flags & GCM_MODE) {
968 		/*
969 		 * This is where all the plaintext is returned, make sure
970 		 * the plaintext buffer is big enough
971 		 */
972 		gcm_ctx_t *ctx = (gcm_ctx_t *)aes_ctx;
973 		size_t pt_len = ctx->gcm_processed_data_len - ctx->gcm_tag_len;
974 
975 		if (data->cd_length < pt_len) {
976 			data->cd_length = pt_len;
977 			return (CRYPTO_BUFFER_TOO_SMALL);
978 		}
979 
980 		saved_offset = data->cd_offset;
981 		saved_length = data->cd_length;
982 		ret = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, data,
983 		    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
984 		if (ret == CRYPTO_SUCCESS) {
985 			data->cd_length = data->cd_offset - saved_offset;
986 		} else {
987 			data->cd_length = saved_length;
988 		}
989 
990 		data->cd_offset = saved_offset;
991 		if (ret != CRYPTO_SUCCESS) {
992 			return (ret);
993 		}
994 	}
995 
996 
997 	if ((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE)) == 0) {
998 		data->cd_length = 0;
999 	}
1000 
1001 	(void) aes_free_context(ctx);
1002 
1003 /* EXPORT DELETE END */
1004 
1005 	return (CRYPTO_SUCCESS);
1006 }
1007 
1008 /* ARGSUSED */
1009 static int
1010 aes_encrypt_atomic(crypto_provider_handle_t provider,
1011     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1012     crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext,
1013     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
1014 {
1015 	aes_ctx_t aes_ctx;	/* on the stack */
1016 	off_t saved_offset;
1017 	size_t saved_length;
1018 	size_t length_needed;
1019 	int ret;
1020 
1021 	AES_ARG_INPLACE(plaintext, ciphertext);
1022 
1023 	/*
1024 	 * CTR, CCM, and GCM modes do not require that ciphertext
1025 	 * be a multiple of AES block size.
1026 	 */
1027 	switch (mechanism->cm_type) {
1028 	case AES_CTR_MECH_INFO_TYPE:
1029 	case AES_CCM_MECH_INFO_TYPE:
1030 	case AES_GCM_MECH_INFO_TYPE:
1031 		break;
1032 	default:
1033 		if ((plaintext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
1034 			return (CRYPTO_DATA_LEN_RANGE);
1035 	}
1036 
1037 	if ((ret = aes_check_mech_param(mechanism, NULL, 0)) != CRYPTO_SUCCESS)
1038 		return (ret);
1039 
1040 	bzero(&aes_ctx, sizeof (aes_ctx_t));
1041 
1042 	ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key,
1043 	    crypto_kmflag(req), B_TRUE);
1044 	if (ret != CRYPTO_SUCCESS)
1045 		return (ret);
1046 
1047 	switch (mechanism->cm_type) {
1048 	case AES_CCM_MECH_INFO_TYPE:
1049 		length_needed = plaintext->cd_length + aes_ctx.ac_mac_len;
1050 		break;
1051 	case AES_GCM_MECH_INFO_TYPE:
1052 		length_needed = plaintext->cd_length + aes_ctx.ac_tag_len;
1053 		break;
1054 	default:
1055 		length_needed = plaintext->cd_length;
1056 	}
1057 
1058 	/* return size of buffer needed to store output */
1059 	if (ciphertext->cd_length < length_needed) {
1060 		ciphertext->cd_length = length_needed;
1061 		ret = CRYPTO_BUFFER_TOO_SMALL;
1062 		goto out;
1063 	}
1064 
1065 	saved_offset = ciphertext->cd_offset;
1066 	saved_length = ciphertext->cd_length;
1067 
1068 	/*
1069 	 * Do an update on the specified input data.
1070 	 */
1071 	switch (plaintext->cd_format) {
1072 	case CRYPTO_DATA_RAW:
1073 		ret = crypto_update_iov(&aes_ctx, plaintext, ciphertext,
1074 		    aes_encrypt_contiguous_blocks, aes_copy_block64);
1075 		break;
1076 	case CRYPTO_DATA_UIO:
1077 		ret = crypto_update_uio(&aes_ctx, plaintext, ciphertext,
1078 		    aes_encrypt_contiguous_blocks, aes_copy_block64);
1079 		break;
1080 	case CRYPTO_DATA_MBLK:
1081 		ret = crypto_update_mp(&aes_ctx, plaintext, ciphertext,
1082 		    aes_encrypt_contiguous_blocks, aes_copy_block64);
1083 		break;
1084 	default:
1085 		ret = CRYPTO_ARGUMENTS_BAD;
1086 	}
1087 
1088 	if (ret == CRYPTO_SUCCESS) {
1089 		if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) {
1090 			ret = ccm_encrypt_final((ccm_ctx_t *)&aes_ctx,
1091 			    ciphertext, AES_BLOCK_LEN, aes_encrypt_block,
1092 			    aes_xor_block);
1093 			if (ret != CRYPTO_SUCCESS)
1094 				goto out;
1095 			ASSERT(aes_ctx.ac_remainder_len == 0);
1096 		} else if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE) {
1097 			ret = gcm_encrypt_final((gcm_ctx_t *)&aes_ctx,
1098 			    ciphertext, AES_BLOCK_LEN, aes_encrypt_block,
1099 			    aes_copy_block, aes_xor_block);
1100 			if (ret != CRYPTO_SUCCESS)
1101 				goto out;
1102 			ASSERT(aes_ctx.ac_remainder_len == 0);
1103 		} else if (mechanism->cm_type == AES_CTR_MECH_INFO_TYPE) {
1104 			if (aes_ctx.ac_remainder_len > 0) {
1105 				ret = ctr_mode_final((ctr_ctx_t *)&aes_ctx,
1106 				    ciphertext, aes_encrypt_block);
1107 				if (ret != CRYPTO_SUCCESS)
1108 					goto out;
1109 			}
1110 		} else {
1111 			ASSERT(aes_ctx.ac_remainder_len == 0);
1112 		}
1113 
1114 		if (plaintext != ciphertext) {
1115 			ciphertext->cd_length =
1116 			    ciphertext->cd_offset - saved_offset;
1117 		}
1118 	} else {
1119 		ciphertext->cd_length = saved_length;
1120 	}
1121 	ciphertext->cd_offset = saved_offset;
1122 
1123 out:
1124 	if (aes_ctx.ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1125 		bzero(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1126 		kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1127 	}
1128 
1129 	return (ret);
1130 }
1131 
1132 /* ARGSUSED */
1133 static int
1134 aes_decrypt_atomic(crypto_provider_handle_t provider,
1135     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1136     crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
1137     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
1138 {
1139 	aes_ctx_t aes_ctx;	/* on the stack */
1140 	off_t saved_offset;
1141 	size_t saved_length;
1142 	size_t length_needed;
1143 	int ret;
1144 
1145 	AES_ARG_INPLACE(ciphertext, plaintext);
1146 
1147 	/*
1148 	 * CCM, GCM, and CTR modes do not require that ciphertext
1149 	 * be a multiple of AES block size.
1150 	 */
1151 	switch (mechanism->cm_type) {
1152 	case AES_CTR_MECH_INFO_TYPE:
1153 	case AES_CCM_MECH_INFO_TYPE:
1154 	case AES_GCM_MECH_INFO_TYPE:
1155 		break;
1156 	default:
1157 		if ((ciphertext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
1158 			return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
1159 	}
1160 
1161 	if ((ret = aes_check_mech_param(mechanism, NULL, 0)) != CRYPTO_SUCCESS)
1162 		return (ret);
1163 
1164 	bzero(&aes_ctx, sizeof (aes_ctx_t));
1165 
1166 	ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key,
1167 	    crypto_kmflag(req), B_FALSE);
1168 	if (ret != CRYPTO_SUCCESS)
1169 		return (ret);
1170 
1171 	switch (mechanism->cm_type) {
1172 	case AES_CCM_MECH_INFO_TYPE:
1173 		length_needed = aes_ctx.ac_data_len;
1174 		break;
1175 	case AES_GCM_MECH_INFO_TYPE:
1176 		length_needed = ciphertext->cd_length - aes_ctx.ac_tag_len;
1177 		break;
1178 	default:
1179 		length_needed = ciphertext->cd_length;
1180 	}
1181 
1182 	/* return size of buffer needed to store output */
1183 	if (plaintext->cd_length < length_needed) {
1184 		plaintext->cd_length = length_needed;
1185 		ret = CRYPTO_BUFFER_TOO_SMALL;
1186 		goto out;
1187 	}
1188 
1189 	saved_offset = plaintext->cd_offset;
1190 	saved_length = plaintext->cd_length;
1191 
1192 	if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE)
1193 		gcm_set_kmflag((gcm_ctx_t *)&aes_ctx, crypto_kmflag(req));
1194 
1195 	/*
1196 	 * Do an update on the specified input data.
1197 	 */
1198 	switch (ciphertext->cd_format) {
1199 	case CRYPTO_DATA_RAW:
1200 		ret = crypto_update_iov(&aes_ctx, ciphertext, plaintext,
1201 		    aes_decrypt_contiguous_blocks, aes_copy_block64);
1202 		break;
1203 	case CRYPTO_DATA_UIO:
1204 		ret = crypto_update_uio(&aes_ctx, ciphertext, plaintext,
1205 		    aes_decrypt_contiguous_blocks, aes_copy_block64);
1206 		break;
1207 	case CRYPTO_DATA_MBLK:
1208 		ret = crypto_update_mp(&aes_ctx, ciphertext, plaintext,
1209 		    aes_decrypt_contiguous_blocks, aes_copy_block64);
1210 		break;
1211 	default:
1212 		ret = CRYPTO_ARGUMENTS_BAD;
1213 	}
1214 
1215 	if (ret == CRYPTO_SUCCESS) {
1216 		if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) {
1217 			ASSERT(aes_ctx.ac_processed_data_len
1218 			    == aes_ctx.ac_data_len);
1219 			ASSERT(aes_ctx.ac_processed_mac_len
1220 			    == aes_ctx.ac_mac_len);
1221 			ret = ccm_decrypt_final((ccm_ctx_t *)&aes_ctx,
1222 			    plaintext, AES_BLOCK_LEN, aes_encrypt_block,
1223 			    aes_copy_block, aes_xor_block);
1224 			ASSERT(aes_ctx.ac_remainder_len == 0);
1225 			if ((ret == CRYPTO_SUCCESS) &&
1226 			    (ciphertext != plaintext)) {
1227 				plaintext->cd_length =
1228 				    plaintext->cd_offset - saved_offset;
1229 			} else {
1230 				plaintext->cd_length = saved_length;
1231 			}
1232 		} else if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE) {
1233 			ret = gcm_decrypt_final((gcm_ctx_t *)&aes_ctx,
1234 			    plaintext, AES_BLOCK_LEN, aes_encrypt_block,
1235 			    aes_xor_block);
1236 			ASSERT(aes_ctx.ac_remainder_len == 0);
1237 			if ((ret == CRYPTO_SUCCESS) &&
1238 			    (ciphertext != plaintext)) {
1239 				plaintext->cd_length =
1240 				    plaintext->cd_offset - saved_offset;
1241 			} else {
1242 				plaintext->cd_length = saved_length;
1243 			}
1244 		} else if (mechanism->cm_type != AES_CTR_MECH_INFO_TYPE) {
1245 			ASSERT(aes_ctx.ac_remainder_len == 0);
1246 			if (ciphertext != plaintext)
1247 				plaintext->cd_length =
1248 				    plaintext->cd_offset - saved_offset;
1249 		} else {
1250 			if (aes_ctx.ac_remainder_len > 0) {
1251 				ret = ctr_mode_final((ctr_ctx_t *)&aes_ctx,
1252 				    plaintext, aes_encrypt_block);
1253 				if (ret == CRYPTO_DATA_LEN_RANGE)
1254 					ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
1255 				if (ret != CRYPTO_SUCCESS)
1256 					goto out;
1257 			}
1258 			if (ciphertext != plaintext)
1259 				plaintext->cd_length =
1260 				    plaintext->cd_offset - saved_offset;
1261 		}
1262 	} else {
1263 		plaintext->cd_length = saved_length;
1264 	}
1265 	plaintext->cd_offset = saved_offset;
1266 
1267 out:
1268 	if (aes_ctx.ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1269 		bzero(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1270 		kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1271 	}
1272 
1273 	if (aes_ctx.ac_flags & CCM_MODE) {
1274 		if (aes_ctx.ac_pt_buf != NULL) {
1275 			kmem_free(aes_ctx.ac_pt_buf, aes_ctx.ac_data_len);
1276 		}
1277 	} else if (aes_ctx.ac_flags & GCM_MODE) {
1278 		if (((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf != NULL) {
1279 			kmem_free(((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf,
1280 			    ((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf_len);
1281 		}
1282 	}
1283 
1284 	return (ret);
1285 }
1286 
1287 /*
1288  * KCF software provider context template entry points.
1289  */
1290 /* ARGSUSED */
1291 static int
1292 aes_create_ctx_template(crypto_provider_handle_t provider,
1293     crypto_mechanism_t *mechanism, crypto_key_t *key,
1294     crypto_spi_ctx_template_t *tmpl, size_t *tmpl_size, crypto_req_handle_t req)
1295 {
1296 
1297 /* EXPORT DELETE START */
1298 
1299 	void *keysched;
1300 	size_t size;
1301 	int rv;
1302 
1303 	if (mechanism->cm_type != AES_ECB_MECH_INFO_TYPE &&
1304 	    mechanism->cm_type != AES_CBC_MECH_INFO_TYPE &&
1305 	    mechanism->cm_type != AES_CTR_MECH_INFO_TYPE &&
1306 	    mechanism->cm_type != AES_CCM_MECH_INFO_TYPE)
1307 		return (CRYPTO_MECHANISM_INVALID);
1308 
1309 	if ((keysched = aes_alloc_keysched(&size,
1310 	    crypto_kmflag(req))) == NULL) {
1311 		return (CRYPTO_HOST_MEMORY);
1312 	}
1313 
1314 	/*
1315 	 * Initialize key schedule.  Key length information is stored
1316 	 * in the key.
1317 	 */
1318 	if ((rv = init_keysched(key, keysched)) != CRYPTO_SUCCESS) {
1319 		bzero(keysched, size);
1320 		kmem_free(keysched, size);
1321 		return (rv);
1322 	}
1323 
1324 	*tmpl = keysched;
1325 	*tmpl_size = size;
1326 
1327 /* EXPORT DELETE END */
1328 
1329 	return (CRYPTO_SUCCESS);
1330 }
1331 
1332 /* ARGSUSED */
1333 static int
1334 aes_free_context(crypto_ctx_t *ctx)
1335 {
1336 
1337 /* EXPORT DELETE START */
1338 
1339 	aes_ctx_t *aes_ctx = ctx->cc_provider_private;
1340 
1341 	if (aes_ctx != NULL) {
1342 		if (aes_ctx->ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1343 			ASSERT(aes_ctx->ac_keysched_len != 0);
1344 			bzero(aes_ctx->ac_keysched, aes_ctx->ac_keysched_len);
1345 			kmem_free(aes_ctx->ac_keysched,
1346 			    aes_ctx->ac_keysched_len);
1347 		}
1348 		crypto_free_mode_ctx(aes_ctx);
1349 		ctx->cc_provider_private = NULL;
1350 	}
1351 
1352 /* EXPORT DELETE END */
1353 
1354 	return (CRYPTO_SUCCESS);
1355 }
1356 
1357 /* ARGSUSED */
1358 static int
1359 aes_common_init_ctx(aes_ctx_t *aes_ctx, crypto_spi_ctx_template_t *template,
1360     crypto_mechanism_t *mechanism, crypto_key_t *key, int kmflag,
1361     boolean_t is_encrypt_init)
1362 {
1363 	int rv = CRYPTO_SUCCESS;
1364 
1365 /* EXPORT DELETE START */
1366 
1367 	void *keysched;
1368 	size_t size;
1369 
1370 	if (template == NULL) {
1371 		if ((keysched = aes_alloc_keysched(&size, kmflag)) == NULL)
1372 			return (CRYPTO_HOST_MEMORY);
1373 		/*
1374 		 * Initialize key schedule.
1375 		 * Key length is stored in the key.
1376 		 */
1377 		if ((rv = init_keysched(key, keysched)) != CRYPTO_SUCCESS) {
1378 			kmem_free(keysched, size);
1379 			return (rv);
1380 		}
1381 
1382 		aes_ctx->ac_flags |= PROVIDER_OWNS_KEY_SCHEDULE;
1383 		aes_ctx->ac_keysched_len = size;
1384 	} else {
1385 		keysched = template;
1386 	}
1387 	aes_ctx->ac_keysched = keysched;
1388 
1389 	switch (mechanism->cm_type) {
1390 	case AES_CBC_MECH_INFO_TYPE:
1391 		rv = cbc_init_ctx((cbc_ctx_t *)aes_ctx, mechanism->cm_param,
1392 		    mechanism->cm_param_len, AES_BLOCK_LEN, aes_copy_block64);
1393 		break;
1394 	case AES_CTR_MECH_INFO_TYPE: {
1395 		CK_AES_CTR_PARAMS *pp;
1396 
1397 		if (mechanism->cm_param == NULL ||
1398 		    mechanism->cm_param_len != sizeof (CK_AES_CTR_PARAMS)) {
1399 			return (CRYPTO_MECHANISM_PARAM_INVALID);
1400 		}
1401 		pp = (CK_AES_CTR_PARAMS *)mechanism->cm_param;
1402 		rv = ctr_init_ctx((ctr_ctx_t *)aes_ctx, pp->ulCounterBits,
1403 		    pp->cb, aes_copy_block);
1404 		break;
1405 	}
1406 	case AES_CCM_MECH_INFO_TYPE:
1407 		if (mechanism->cm_param == NULL ||
1408 		    mechanism->cm_param_len != sizeof (CK_AES_CCM_PARAMS)) {
1409 			return (CRYPTO_MECHANISM_PARAM_INVALID);
1410 		}
1411 		rv = ccm_init_ctx((ccm_ctx_t *)aes_ctx, mechanism->cm_param,
1412 		    kmflag, is_encrypt_init, AES_BLOCK_LEN, aes_encrypt_block,
1413 		    aes_xor_block);
1414 		break;
1415 	case AES_GCM_MECH_INFO_TYPE:
1416 		if (mechanism->cm_param == NULL ||
1417 		    mechanism->cm_param_len != sizeof (CK_AES_GCM_PARAMS)) {
1418 			return (CRYPTO_MECHANISM_PARAM_INVALID);
1419 		}
1420 		rv = gcm_init_ctx((gcm_ctx_t *)aes_ctx, mechanism->cm_param,
1421 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
1422 		    aes_xor_block);
1423 		break;
1424 	case AES_ECB_MECH_INFO_TYPE:
1425 		aes_ctx->ac_flags |= ECB_MODE;
1426 	}
1427 
1428 	if (rv != CRYPTO_SUCCESS) {
1429 		if (aes_ctx->ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1430 			bzero(keysched, size);
1431 			kmem_free(keysched, size);
1432 		}
1433 	}
1434 
1435 /* EXPORT DELETE END */
1436 
1437 	return (rv);
1438 }
1439