xref: /illumos-gate/usr/src/uts/common/crypto/io/aes.c (revision 635216b673cf196ac523ff2a7ab715717e553292)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * AES provider for the Kernel Cryptographic Framework (KCF)
28  */
29 
30 #include <sys/types.h>
31 #include <sys/systm.h>
32 #include <sys/modctl.h>
33 #include <sys/cmn_err.h>
34 #include <sys/ddi.h>
35 #include <sys/crypto/common.h>
36 #include <sys/crypto/impl.h>
37 #include <sys/crypto/spi.h>
38 #include <sys/sysmacros.h>
39 #include <sys/strsun.h>
40 #include <modes/modes.h>
41 #define	_AES_FIPS_POST
42 #define	_AES_IMPL
43 #include <aes/aes_impl.h>
44 
45 extern struct mod_ops mod_cryptoops;
46 
47 /*
48  * Module linkage information for the kernel.
49  */
50 static struct modlcrypto modlcrypto = {
51 	&mod_cryptoops,
52 	"AES Kernel SW Provider"
53 };
54 
55 static struct modlinkage modlinkage = {
56 	MODREV_1,
57 	(void *)&modlcrypto,
58 	NULL
59 };
60 
61 /*
62  * The following definitions are to keep EXPORT_SRC happy.
63  */
64 #ifndef AES_MIN_KEY_BYTES
65 #define	AES_MIN_KEY_BYTES		0
66 #endif
67 
68 #ifndef AES_MAX_KEY_BYTES
69 #define	AES_MAX_KEY_BYTES		0
70 #endif
71 
72 /*
73  * Mechanism info structure passed to KCF during registration.
74  */
75 static crypto_mech_info_t aes_mech_info_tab[] = {
76 	/* AES_ECB */
77 	{SUN_CKM_AES_ECB, AES_ECB_MECH_INFO_TYPE,
78 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
79 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
80 	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
81 	/* AES_CBC */
82 	{SUN_CKM_AES_CBC, AES_CBC_MECH_INFO_TYPE,
83 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
84 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
85 	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
86 	/* AES_CTR */
87 	{SUN_CKM_AES_CTR, AES_CTR_MECH_INFO_TYPE,
88 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
89 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
90 	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
91 	/* AES_CCM */
92 	{SUN_CKM_AES_CCM, AES_CCM_MECH_INFO_TYPE,
93 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
94 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
95 	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
96 	/* AES_GCM */
97 	{SUN_CKM_AES_GCM, AES_GCM_MECH_INFO_TYPE,
98 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
99 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
100 	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
101 	/* AES_GMAC */
102 	{SUN_CKM_AES_GMAC, AES_GMAC_MECH_INFO_TYPE,
103 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
104 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
105 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC |
106 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
107 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
108 	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES}
109 };
110 
111 /* operations are in-place if the output buffer is NULL */
112 #define	AES_ARG_INPLACE(input, output)				\
113 	if ((output) == NULL)					\
114 		(output) = (input);
115 
116 static void aes_provider_status(crypto_provider_handle_t, uint_t *);
117 
118 static crypto_control_ops_t aes_control_ops = {
119 	aes_provider_status
120 };
121 
122 static int aes_encrypt_init(crypto_ctx_t *, crypto_mechanism_t *,
123     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
124 static int aes_decrypt_init(crypto_ctx_t *, crypto_mechanism_t *,
125     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
126 static int aes_common_init(crypto_ctx_t *, crypto_mechanism_t *,
127     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t, boolean_t);
128 static int aes_common_init_ctx(aes_ctx_t *, crypto_spi_ctx_template_t *,
129     crypto_mechanism_t *, crypto_key_t *, int, boolean_t);
130 static int aes_encrypt_final(crypto_ctx_t *, crypto_data_t *,
131     crypto_req_handle_t);
132 static int aes_decrypt_final(crypto_ctx_t *, crypto_data_t *,
133     crypto_req_handle_t);
134 
135 static int aes_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
136     crypto_req_handle_t);
137 static int aes_encrypt_update(crypto_ctx_t *, crypto_data_t *,
138     crypto_data_t *, crypto_req_handle_t);
139 static int aes_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
140     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
141     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
142 
143 static int aes_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
144     crypto_req_handle_t);
145 static int aes_decrypt_update(crypto_ctx_t *, crypto_data_t *,
146     crypto_data_t *, crypto_req_handle_t);
147 static int aes_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
148     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
149     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
150 
151 static crypto_cipher_ops_t aes_cipher_ops = {
152 	aes_encrypt_init,
153 	aes_encrypt,
154 	aes_encrypt_update,
155 	aes_encrypt_final,
156 	aes_encrypt_atomic,
157 	aes_decrypt_init,
158 	aes_decrypt,
159 	aes_decrypt_update,
160 	aes_decrypt_final,
161 	aes_decrypt_atomic
162 };
163 
164 static int aes_mac_atomic(crypto_provider_handle_t, crypto_session_id_t,
165     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
166     crypto_spi_ctx_template_t, crypto_req_handle_t);
167 static int aes_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
168     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
169     crypto_spi_ctx_template_t, crypto_req_handle_t);
170 
171 static crypto_mac_ops_t aes_mac_ops = {
172 	NULL,
173 	NULL,
174 	NULL,
175 	NULL,
176 	aes_mac_atomic,
177 	aes_mac_verify_atomic
178 };
179 
180 static int aes_create_ctx_template(crypto_provider_handle_t,
181     crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *,
182     size_t *, crypto_req_handle_t);
183 static int aes_free_context(crypto_ctx_t *);
184 
185 static crypto_ctx_ops_t aes_ctx_ops = {
186 	aes_create_ctx_template,
187 	aes_free_context
188 };
189 
190 static void aes_POST(int *);
191 
192 static crypto_fips140_ops_t aes_fips140_ops = {
193 	aes_POST
194 };
195 
196 static crypto_ops_t aes_crypto_ops = {
197 	&aes_control_ops,
198 	NULL,
199 	&aes_cipher_ops,
200 	&aes_mac_ops,
201 	NULL,
202 	NULL,
203 	NULL,
204 	NULL,
205 	NULL,
206 	NULL,
207 	NULL,
208 	NULL,
209 	NULL,
210 	&aes_ctx_ops,
211 	NULL,
212 	NULL,
213 	&aes_fips140_ops
214 };
215 
216 static crypto_provider_info_t aes_prov_info = {
217 	CRYPTO_SPI_VERSION_4,
218 	"AES Software Provider",
219 	CRYPTO_SW_PROVIDER,
220 	{&modlinkage},
221 	NULL,
222 	&aes_crypto_ops,
223 	sizeof (aes_mech_info_tab)/sizeof (crypto_mech_info_t),
224 	aes_mech_info_tab
225 };
226 
227 static crypto_kcf_provider_handle_t aes_prov_handle = NULL;
228 static crypto_data_t null_crypto_data = { CRYPTO_DATA_RAW };
229 
230 int
231 _init(void)
232 {
233 	int ret;
234 
235 	/*
236 	 * Register with KCF. If the registration fails, return error.
237 	 */
238 	if ((ret = crypto_register_provider(&aes_prov_info,
239 	    &aes_prov_handle)) != CRYPTO_SUCCESS) {
240 		cmn_err(CE_WARN, "%s _init: crypto_register_provider()"
241 		    "failed (0x%x)", CRYPTO_PROVIDER_NAME, ret);
242 		return (EACCES);
243 	}
244 
245 	if ((ret = mod_install(&modlinkage)) != 0) {
246 		int rv;
247 
248 		ASSERT(aes_prov_handle != NULL);
249 		/* We should not return if the unregister returns busy. */
250 		while ((rv = crypto_unregister_provider(aes_prov_handle))
251 		    == CRYPTO_BUSY) {
252 			cmn_err(CE_WARN,
253 			    "%s _init: crypto_unregister_provider() "
254 			    "failed (0x%x). Retrying.",
255 			    CRYPTO_PROVIDER_NAME, rv);
256 			/* wait 10 seconds and try again. */
257 			delay(10 * drv_usectohz(1000000));
258 		}
259 	}
260 
261 	return (ret);
262 }
263 
264 int
265 _fini(void)
266 {
267 	int ret;
268 
269 	/*
270 	 * Unregister from KCF if previous registration succeeded.
271 	 */
272 	if (aes_prov_handle != NULL) {
273 		if ((ret = crypto_unregister_provider(aes_prov_handle)) !=
274 		    CRYPTO_SUCCESS) {
275 			cmn_err(CE_WARN,
276 			    "%s _fini: crypto_unregister_provider() "
277 			    "failed (0x%x)", CRYPTO_PROVIDER_NAME, ret);
278 			return (EBUSY);
279 		}
280 		aes_prov_handle = NULL;
281 	}
282 
283 	return (mod_remove(&modlinkage));
284 }
285 
286 int
287 _info(struct modinfo *modinfop)
288 {
289 	return (mod_info(&modlinkage, modinfop));
290 }
291 
292 
293 static int
294 aes_check_mech_param(crypto_mechanism_t *mechanism, aes_ctx_t **ctx, int kmflag)
295 {
296 	void *p = NULL;
297 	boolean_t param_required = B_TRUE;
298 	size_t param_len;
299 	void *(*alloc_fun)(int);
300 	int rv = CRYPTO_SUCCESS;
301 
302 	switch (mechanism->cm_type) {
303 	case AES_ECB_MECH_INFO_TYPE:
304 		param_required = B_FALSE;
305 		alloc_fun = ecb_alloc_ctx;
306 		break;
307 	case AES_CBC_MECH_INFO_TYPE:
308 		param_len = AES_BLOCK_LEN;
309 		alloc_fun = cbc_alloc_ctx;
310 		break;
311 	case AES_CTR_MECH_INFO_TYPE:
312 		param_len = sizeof (CK_AES_CTR_PARAMS);
313 		alloc_fun = ctr_alloc_ctx;
314 		break;
315 	case AES_CCM_MECH_INFO_TYPE:
316 		param_len = sizeof (CK_AES_CCM_PARAMS);
317 		alloc_fun = ccm_alloc_ctx;
318 		break;
319 	case AES_GCM_MECH_INFO_TYPE:
320 		param_len = sizeof (CK_AES_GCM_PARAMS);
321 		alloc_fun = gcm_alloc_ctx;
322 		break;
323 	case AES_GMAC_MECH_INFO_TYPE:
324 		param_len = sizeof (CK_AES_GMAC_PARAMS);
325 		alloc_fun = gmac_alloc_ctx;
326 		break;
327 	default:
328 		rv = CRYPTO_MECHANISM_INVALID;
329 	}
330 	if (param_required && mechanism->cm_param != NULL &&
331 	    mechanism->cm_param_len != param_len) {
332 		rv = CRYPTO_MECHANISM_PARAM_INVALID;
333 	}
334 	if (ctx != NULL) {
335 		p = (alloc_fun)(kmflag);
336 		*ctx = p;
337 	}
338 	return (rv);
339 }
340 
341 /* EXPORT DELETE START */
342 
343 /*
344  * Initialize key schedules for AES
345  */
346 static int
347 init_keysched(crypto_key_t *key, void *newbie)
348 {
349 	/*
350 	 * Only keys by value are supported by this module.
351 	 */
352 	switch (key->ck_format) {
353 	case CRYPTO_KEY_RAW:
354 		if (key->ck_length < AES_MINBITS ||
355 		    key->ck_length > AES_MAXBITS) {
356 			return (CRYPTO_KEY_SIZE_RANGE);
357 		}
358 
359 		/* key length must be either 128, 192, or 256 */
360 		if ((key->ck_length & 63) != 0)
361 			return (CRYPTO_KEY_SIZE_RANGE);
362 		break;
363 	default:
364 		return (CRYPTO_KEY_TYPE_INCONSISTENT);
365 	}
366 
367 	aes_init_keysched(key->ck_data, key->ck_length, newbie);
368 	return (CRYPTO_SUCCESS);
369 }
370 
371 /* EXPORT DELETE END */
372 
373 /*
374  * KCF software provider control entry points.
375  */
376 /* ARGSUSED */
377 static void
378 aes_provider_status(crypto_provider_handle_t provider, uint_t *status)
379 {
380 	*status = CRYPTO_PROVIDER_READY;
381 }
382 
383 static int
384 aes_encrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
385     crypto_key_t *key, crypto_spi_ctx_template_t template,
386     crypto_req_handle_t req) {
387 	return (aes_common_init(ctx, mechanism, key, template, req, B_TRUE));
388 }
389 
390 static int
391 aes_decrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
392     crypto_key_t *key, crypto_spi_ctx_template_t template,
393     crypto_req_handle_t req) {
394 	return (aes_common_init(ctx, mechanism, key, template, req, B_FALSE));
395 }
396 
397 
398 
399 /*
400  * KCF software provider encrypt entry points.
401  */
402 static int
403 aes_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
404     crypto_key_t *key, crypto_spi_ctx_template_t template,
405     crypto_req_handle_t req, boolean_t is_encrypt_init)
406 {
407 
408 /* EXPORT DELETE START */
409 
410 	aes_ctx_t *aes_ctx;
411 	int rv;
412 	int kmflag;
413 
414 	/*
415 	 * Only keys by value are supported by this module.
416 	 */
417 	if (key->ck_format != CRYPTO_KEY_RAW) {
418 		return (CRYPTO_KEY_TYPE_INCONSISTENT);
419 	}
420 
421 	kmflag = crypto_kmflag(req);
422 	if ((rv = aes_check_mech_param(mechanism, &aes_ctx, kmflag))
423 	    != CRYPTO_SUCCESS)
424 		return (rv);
425 
426 	rv = aes_common_init_ctx(aes_ctx, template, mechanism, key, kmflag,
427 	    is_encrypt_init);
428 	if (rv != CRYPTO_SUCCESS) {
429 		crypto_free_mode_ctx(aes_ctx);
430 		return (rv);
431 	}
432 
433 	ctx->cc_provider_private = aes_ctx;
434 
435 /* EXPORT DELETE END */
436 
437 	return (CRYPTO_SUCCESS);
438 }
439 
440 static void
441 aes_copy_block64(uint8_t *in, uint64_t *out)
442 {
443 	if (IS_P2ALIGNED(in, sizeof (uint64_t))) {
444 		/* LINTED: pointer alignment */
445 		out[0] = *(uint64_t *)&in[0];
446 		/* LINTED: pointer alignment */
447 		out[1] = *(uint64_t *)&in[8];
448 	} else {
449 		uint8_t *iv8 = (uint8_t *)&out[0];
450 
451 		AES_COPY_BLOCK(in, iv8);
452 	}
453 }
454 
455 
456 static int
457 aes_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext,
458     crypto_data_t *ciphertext, crypto_req_handle_t req)
459 {
460 	int ret = CRYPTO_FAILED;
461 
462 /* EXPORT DELETE START */
463 
464 	aes_ctx_t *aes_ctx;
465 	size_t saved_length, saved_offset, length_needed;
466 
467 	ASSERT(ctx->cc_provider_private != NULL);
468 	aes_ctx = ctx->cc_provider_private;
469 
470 	/*
471 	 * For block ciphers, plaintext must be a multiple of AES block size.
472 	 * This test is only valid for ciphers whose blocksize is a power of 2.
473 	 */
474 	if (((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE))
475 	    == 0) && (plaintext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
476 		return (CRYPTO_DATA_LEN_RANGE);
477 
478 	AES_ARG_INPLACE(plaintext, ciphertext);
479 
480 	/*
481 	 * We need to just return the length needed to store the output.
482 	 * We should not destroy the context for the following case.
483 	 */
484 	switch (aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) {
485 	case CCM_MODE:
486 		length_needed = plaintext->cd_length + aes_ctx->ac_mac_len;
487 		break;
488 	case GCM_MODE:
489 		length_needed = plaintext->cd_length + aes_ctx->ac_tag_len;
490 		break;
491 	case GMAC_MODE:
492 		if (plaintext->cd_length != 0)
493 			return (CRYPTO_ARGUMENTS_BAD);
494 
495 		length_needed = aes_ctx->ac_tag_len;
496 		break;
497 	default:
498 		length_needed = plaintext->cd_length;
499 	}
500 
501 	if (ciphertext->cd_length < length_needed) {
502 		ciphertext->cd_length = length_needed;
503 		return (CRYPTO_BUFFER_TOO_SMALL);
504 	}
505 
506 	saved_length = ciphertext->cd_length;
507 	saved_offset = ciphertext->cd_offset;
508 
509 	/*
510 	 * Do an update on the specified input data.
511 	 */
512 	ret = aes_encrypt_update(ctx, plaintext, ciphertext, req);
513 	if (ret != CRYPTO_SUCCESS) {
514 		return (ret);
515 	}
516 
517 	/*
518 	 * For CCM mode, aes_ccm_encrypt_final() will take care of any
519 	 * left-over unprocessed data, and compute the MAC
520 	 */
521 	if (aes_ctx->ac_flags & CCM_MODE) {
522 		/*
523 		 * ccm_encrypt_final() will compute the MAC and append
524 		 * it to existing ciphertext. So, need to adjust the left over
525 		 * length value accordingly
526 		 */
527 
528 		/* order of following 2 lines MUST not be reversed */
529 		ciphertext->cd_offset = ciphertext->cd_length;
530 		ciphertext->cd_length = saved_length - ciphertext->cd_length;
531 		ret = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, ciphertext,
532 		    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
533 		if (ret != CRYPTO_SUCCESS) {
534 			return (ret);
535 		}
536 
537 		if (plaintext != ciphertext) {
538 			ciphertext->cd_length =
539 			    ciphertext->cd_offset - saved_offset;
540 		}
541 		ciphertext->cd_offset = saved_offset;
542 	} else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
543 		/*
544 		 * gcm_encrypt_final() will compute the MAC and append
545 		 * it to existing ciphertext. So, need to adjust the left over
546 		 * length value accordingly
547 		 */
548 
549 		/* order of following 2 lines MUST not be reversed */
550 		ciphertext->cd_offset = ciphertext->cd_length;
551 		ciphertext->cd_length = saved_length - ciphertext->cd_length;
552 		ret = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, ciphertext,
553 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
554 		    aes_xor_block);
555 		if (ret != CRYPTO_SUCCESS) {
556 			return (ret);
557 		}
558 
559 		if (plaintext != ciphertext) {
560 			ciphertext->cd_length =
561 			    ciphertext->cd_offset - saved_offset;
562 		}
563 		ciphertext->cd_offset = saved_offset;
564 	}
565 
566 	ASSERT(aes_ctx->ac_remainder_len == 0);
567 	(void) aes_free_context(ctx);
568 
569 /* EXPORT DELETE END */
570 
571 	return (ret);
572 }
573 
574 
575 static int
576 aes_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
577     crypto_data_t *plaintext, crypto_req_handle_t req)
578 {
579 	int ret = CRYPTO_FAILED;
580 
581 /* EXPORT DELETE START */
582 
583 	aes_ctx_t *aes_ctx;
584 	off_t saved_offset;
585 	size_t saved_length, length_needed;
586 
587 	ASSERT(ctx->cc_provider_private != NULL);
588 	aes_ctx = ctx->cc_provider_private;
589 
590 	/*
591 	 * For block ciphers, plaintext must be a multiple of AES block size.
592 	 * This test is only valid for ciphers whose blocksize is a power of 2.
593 	 */
594 	if (((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE))
595 	    == 0) && (ciphertext->cd_length & (AES_BLOCK_LEN - 1)) != 0) {
596 		return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
597 	}
598 
599 	AES_ARG_INPLACE(ciphertext, plaintext);
600 
601 	/*
602 	 * Return length needed to store the output.
603 	 * Do not destroy context when plaintext buffer is too small.
604 	 *
605 	 * CCM:  plaintext is MAC len smaller than cipher text
606 	 * GCM:  plaintext is TAG len smaller than cipher text
607 	 * GMAC: plaintext length must be zero
608 	 */
609 	switch (aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) {
610 	case CCM_MODE:
611 		length_needed = aes_ctx->ac_processed_data_len;
612 		break;
613 	case GCM_MODE:
614 		length_needed = ciphertext->cd_length - aes_ctx->ac_tag_len;
615 		break;
616 	case GMAC_MODE:
617 		if (plaintext->cd_length != 0)
618 			return (CRYPTO_ARGUMENTS_BAD);
619 
620 		length_needed = 0;
621 		break;
622 	default:
623 		length_needed = ciphertext->cd_length;
624 	}
625 
626 	if (plaintext->cd_length < length_needed) {
627 		plaintext->cd_length = length_needed;
628 		return (CRYPTO_BUFFER_TOO_SMALL);
629 	}
630 
631 	saved_offset = plaintext->cd_offset;
632 	saved_length = plaintext->cd_length;
633 
634 	/*
635 	 * Do an update on the specified input data.
636 	 */
637 	ret = aes_decrypt_update(ctx, ciphertext, plaintext, req);
638 	if (ret != CRYPTO_SUCCESS) {
639 		goto cleanup;
640 	}
641 
642 	if (aes_ctx->ac_flags & CCM_MODE) {
643 		ASSERT(aes_ctx->ac_processed_data_len == aes_ctx->ac_data_len);
644 		ASSERT(aes_ctx->ac_processed_mac_len == aes_ctx->ac_mac_len);
645 
646 		/* order of following 2 lines MUST not be reversed */
647 		plaintext->cd_offset = plaintext->cd_length;
648 		plaintext->cd_length = saved_length - plaintext->cd_length;
649 
650 		ret = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, plaintext,
651 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
652 		    aes_xor_block);
653 		if (ret == CRYPTO_SUCCESS) {
654 			if (plaintext != ciphertext) {
655 				plaintext->cd_length =
656 				    plaintext->cd_offset - saved_offset;
657 			}
658 		} else {
659 			plaintext->cd_length = saved_length;
660 		}
661 
662 		plaintext->cd_offset = saved_offset;
663 	} else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
664 		/* order of following 2 lines MUST not be reversed */
665 		plaintext->cd_offset = plaintext->cd_length;
666 		plaintext->cd_length = saved_length - plaintext->cd_length;
667 
668 		ret = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, plaintext,
669 		    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
670 		if (ret == CRYPTO_SUCCESS) {
671 			if (plaintext != ciphertext) {
672 				plaintext->cd_length =
673 				    plaintext->cd_offset - saved_offset;
674 			}
675 		} else {
676 			plaintext->cd_length = saved_length;
677 		}
678 
679 		plaintext->cd_offset = saved_offset;
680 	}
681 
682 	ASSERT(aes_ctx->ac_remainder_len == 0);
683 
684 cleanup:
685 	(void) aes_free_context(ctx);
686 
687 /* EXPORT DELETE END */
688 
689 	return (ret);
690 }
691 
692 
693 /* ARGSUSED */
694 static int
695 aes_encrypt_update(crypto_ctx_t *ctx, crypto_data_t *plaintext,
696     crypto_data_t *ciphertext, crypto_req_handle_t req)
697 {
698 	off_t saved_offset;
699 	size_t saved_length, out_len;
700 	int ret = CRYPTO_SUCCESS;
701 	aes_ctx_t *aes_ctx;
702 
703 	ASSERT(ctx->cc_provider_private != NULL);
704 	aes_ctx = ctx->cc_provider_private;
705 
706 	AES_ARG_INPLACE(plaintext, ciphertext);
707 
708 	/* compute number of bytes that will hold the ciphertext */
709 	out_len = aes_ctx->ac_remainder_len;
710 	out_len += plaintext->cd_length;
711 	out_len &= ~(AES_BLOCK_LEN - 1);
712 
713 	/* return length needed to store the output */
714 	if (ciphertext->cd_length < out_len) {
715 		ciphertext->cd_length = out_len;
716 		return (CRYPTO_BUFFER_TOO_SMALL);
717 	}
718 
719 	saved_offset = ciphertext->cd_offset;
720 	saved_length = ciphertext->cd_length;
721 
722 	/*
723 	 * Do the AES update on the specified input data.
724 	 */
725 	switch (plaintext->cd_format) {
726 	case CRYPTO_DATA_RAW:
727 		ret = crypto_update_iov(ctx->cc_provider_private,
728 		    plaintext, ciphertext, aes_encrypt_contiguous_blocks,
729 		    aes_copy_block64);
730 		break;
731 	case CRYPTO_DATA_UIO:
732 		ret = crypto_update_uio(ctx->cc_provider_private,
733 		    plaintext, ciphertext, aes_encrypt_contiguous_blocks,
734 		    aes_copy_block64);
735 		break;
736 	case CRYPTO_DATA_MBLK:
737 		ret = crypto_update_mp(ctx->cc_provider_private,
738 		    plaintext, ciphertext, aes_encrypt_contiguous_blocks,
739 		    aes_copy_block64);
740 		break;
741 	default:
742 		ret = CRYPTO_ARGUMENTS_BAD;
743 	}
744 
745 	/*
746 	 * Since AES counter mode is a stream cipher, we call
747 	 * ctr_mode_final() to pick up any remaining bytes.
748 	 * It is an internal function that does not destroy
749 	 * the context like *normal* final routines.
750 	 */
751 	if ((aes_ctx->ac_flags & CTR_MODE) && (aes_ctx->ac_remainder_len > 0)) {
752 		ret = ctr_mode_final((ctr_ctx_t *)aes_ctx,
753 		    ciphertext, aes_encrypt_block);
754 	}
755 
756 	if (ret == CRYPTO_SUCCESS) {
757 		if (plaintext != ciphertext)
758 			ciphertext->cd_length =
759 			    ciphertext->cd_offset - saved_offset;
760 	} else {
761 		ciphertext->cd_length = saved_length;
762 	}
763 	ciphertext->cd_offset = saved_offset;
764 
765 	return (ret);
766 }
767 
768 
769 static int
770 aes_decrypt_update(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
771     crypto_data_t *plaintext, crypto_req_handle_t req)
772 {
773 	off_t saved_offset;
774 	size_t saved_length, out_len;
775 	int ret = CRYPTO_SUCCESS;
776 	aes_ctx_t *aes_ctx;
777 
778 	ASSERT(ctx->cc_provider_private != NULL);
779 	aes_ctx = ctx->cc_provider_private;
780 
781 	AES_ARG_INPLACE(ciphertext, plaintext);
782 
783 	/*
784 	 * Compute number of bytes that will hold the plaintext.
785 	 * This is not necessary for CCM, GCM, and GMAC since these
786 	 * mechanisms never return plaintext for update operations.
787 	 */
788 	if ((aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) == 0) {
789 		out_len = aes_ctx->ac_remainder_len;
790 		out_len += ciphertext->cd_length;
791 		out_len &= ~(AES_BLOCK_LEN - 1);
792 
793 		/* return length needed to store the output */
794 		if (plaintext->cd_length < out_len) {
795 			plaintext->cd_length = out_len;
796 			return (CRYPTO_BUFFER_TOO_SMALL);
797 		}
798 	}
799 
800 	saved_offset = plaintext->cd_offset;
801 	saved_length = plaintext->cd_length;
802 
803 	if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE))
804 		gcm_set_kmflag((gcm_ctx_t *)aes_ctx, crypto_kmflag(req));
805 
806 	/*
807 	 * Do the AES update on the specified input data.
808 	 */
809 	switch (ciphertext->cd_format) {
810 	case CRYPTO_DATA_RAW:
811 		ret = crypto_update_iov(ctx->cc_provider_private,
812 		    ciphertext, plaintext, aes_decrypt_contiguous_blocks,
813 		    aes_copy_block64);
814 		break;
815 	case CRYPTO_DATA_UIO:
816 		ret = crypto_update_uio(ctx->cc_provider_private,
817 		    ciphertext, plaintext, aes_decrypt_contiguous_blocks,
818 		    aes_copy_block64);
819 		break;
820 	case CRYPTO_DATA_MBLK:
821 		ret = crypto_update_mp(ctx->cc_provider_private,
822 		    ciphertext, plaintext, aes_decrypt_contiguous_blocks,
823 		    aes_copy_block64);
824 		break;
825 	default:
826 		ret = CRYPTO_ARGUMENTS_BAD;
827 	}
828 
829 	/*
830 	 * Since AES counter mode is a stream cipher, we call
831 	 * ctr_mode_final() to pick up any remaining bytes.
832 	 * It is an internal function that does not destroy
833 	 * the context like *normal* final routines.
834 	 */
835 	if ((aes_ctx->ac_flags & CTR_MODE) && (aes_ctx->ac_remainder_len > 0)) {
836 		ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, plaintext,
837 		    aes_encrypt_block);
838 		if (ret == CRYPTO_DATA_LEN_RANGE)
839 			ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
840 	}
841 
842 	if (ret == CRYPTO_SUCCESS) {
843 		if (ciphertext != plaintext)
844 			plaintext->cd_length =
845 			    plaintext->cd_offset - saved_offset;
846 	} else {
847 		plaintext->cd_length = saved_length;
848 	}
849 	plaintext->cd_offset = saved_offset;
850 
851 
852 	return (ret);
853 }
854 
855 /* ARGSUSED */
856 static int
857 aes_encrypt_final(crypto_ctx_t *ctx, crypto_data_t *data,
858     crypto_req_handle_t req)
859 {
860 
861 /* EXPORT DELETE START */
862 
863 	aes_ctx_t *aes_ctx;
864 	int ret;
865 
866 	ASSERT(ctx->cc_provider_private != NULL);
867 	aes_ctx = ctx->cc_provider_private;
868 
869 	if (data->cd_format != CRYPTO_DATA_RAW &&
870 	    data->cd_format != CRYPTO_DATA_UIO &&
871 	    data->cd_format != CRYPTO_DATA_MBLK) {
872 		return (CRYPTO_ARGUMENTS_BAD);
873 	}
874 
875 	if (aes_ctx->ac_flags & CTR_MODE) {
876 		if (aes_ctx->ac_remainder_len > 0) {
877 			ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, data,
878 			    aes_encrypt_block);
879 			if (ret != CRYPTO_SUCCESS)
880 				return (ret);
881 		}
882 	} else if (aes_ctx->ac_flags & CCM_MODE) {
883 		ret = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, data,
884 		    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
885 		if (ret != CRYPTO_SUCCESS) {
886 			return (ret);
887 		}
888 	} else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
889 		size_t saved_offset = data->cd_offset;
890 
891 		ret = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, data,
892 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
893 		    aes_xor_block);
894 		if (ret != CRYPTO_SUCCESS) {
895 			return (ret);
896 		}
897 		data->cd_length = data->cd_offset - saved_offset;
898 		data->cd_offset = saved_offset;
899 	} else {
900 		/*
901 		 * There must be no unprocessed plaintext.
902 		 * This happens if the length of the last data is
903 		 * not a multiple of the AES block length.
904 		 */
905 		if (aes_ctx->ac_remainder_len > 0) {
906 			return (CRYPTO_DATA_LEN_RANGE);
907 		}
908 		data->cd_length = 0;
909 	}
910 
911 	(void) aes_free_context(ctx);
912 
913 /* EXPORT DELETE END */
914 
915 	return (CRYPTO_SUCCESS);
916 }
917 
918 /* ARGSUSED */
919 static int
920 aes_decrypt_final(crypto_ctx_t *ctx, crypto_data_t *data,
921     crypto_req_handle_t req)
922 {
923 
924 /* EXPORT DELETE START */
925 
926 	aes_ctx_t *aes_ctx;
927 	int ret;
928 	off_t saved_offset;
929 	size_t saved_length;
930 
931 	ASSERT(ctx->cc_provider_private != NULL);
932 	aes_ctx = ctx->cc_provider_private;
933 
934 	if (data->cd_format != CRYPTO_DATA_RAW &&
935 	    data->cd_format != CRYPTO_DATA_UIO &&
936 	    data->cd_format != CRYPTO_DATA_MBLK) {
937 		return (CRYPTO_ARGUMENTS_BAD);
938 	}
939 
940 	/*
941 	 * There must be no unprocessed ciphertext.
942 	 * This happens if the length of the last ciphertext is
943 	 * not a multiple of the AES block length.
944 	 */
945 	if (aes_ctx->ac_remainder_len > 0) {
946 		if ((aes_ctx->ac_flags & CTR_MODE) == 0)
947 			return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
948 		else {
949 			ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, data,
950 			    aes_encrypt_block);
951 			if (ret == CRYPTO_DATA_LEN_RANGE)
952 				ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
953 			if (ret != CRYPTO_SUCCESS)
954 				return (ret);
955 		}
956 	}
957 
958 	if (aes_ctx->ac_flags & CCM_MODE) {
959 		/*
960 		 * This is where all the plaintext is returned, make sure
961 		 * the plaintext buffer is big enough
962 		 */
963 		size_t pt_len = aes_ctx->ac_data_len;
964 		if (data->cd_length < pt_len) {
965 			data->cd_length = pt_len;
966 			return (CRYPTO_BUFFER_TOO_SMALL);
967 		}
968 
969 		ASSERT(aes_ctx->ac_processed_data_len == pt_len);
970 		ASSERT(aes_ctx->ac_processed_mac_len == aes_ctx->ac_mac_len);
971 		saved_offset = data->cd_offset;
972 		saved_length = data->cd_length;
973 		ret = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, data,
974 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
975 		    aes_xor_block);
976 		if (ret == CRYPTO_SUCCESS) {
977 			data->cd_length = data->cd_offset - saved_offset;
978 		} else {
979 			data->cd_length = saved_length;
980 		}
981 
982 		data->cd_offset = saved_offset;
983 		if (ret != CRYPTO_SUCCESS) {
984 			return (ret);
985 		}
986 	} else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
987 		/*
988 		 * This is where all the plaintext is returned, make sure
989 		 * the plaintext buffer is big enough
990 		 */
991 		gcm_ctx_t *ctx = (gcm_ctx_t *)aes_ctx;
992 		size_t pt_len = ctx->gcm_processed_data_len - ctx->gcm_tag_len;
993 
994 		if (data->cd_length < pt_len) {
995 			data->cd_length = pt_len;
996 			return (CRYPTO_BUFFER_TOO_SMALL);
997 		}
998 
999 		saved_offset = data->cd_offset;
1000 		saved_length = data->cd_length;
1001 		ret = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, data,
1002 		    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
1003 		if (ret == CRYPTO_SUCCESS) {
1004 			data->cd_length = data->cd_offset - saved_offset;
1005 		} else {
1006 			data->cd_length = saved_length;
1007 		}
1008 
1009 		data->cd_offset = saved_offset;
1010 		if (ret != CRYPTO_SUCCESS) {
1011 			return (ret);
1012 		}
1013 	}
1014 
1015 
1016 	if ((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE)) == 0) {
1017 		data->cd_length = 0;
1018 	}
1019 
1020 	(void) aes_free_context(ctx);
1021 
1022 /* EXPORT DELETE END */
1023 
1024 	return (CRYPTO_SUCCESS);
1025 }
1026 
1027 /* ARGSUSED */
1028 static int
1029 aes_encrypt_atomic(crypto_provider_handle_t provider,
1030     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1031     crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext,
1032     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
1033 {
1034 	aes_ctx_t aes_ctx;	/* on the stack */
1035 	off_t saved_offset;
1036 	size_t saved_length;
1037 	size_t length_needed;
1038 	int ret;
1039 
1040 	AES_ARG_INPLACE(plaintext, ciphertext);
1041 
1042 	/*
1043 	 * CTR, CCM, GCM, and GMAC modes do not require that plaintext
1044 	 * be a multiple of AES block size.
1045 	 */
1046 	switch (mechanism->cm_type) {
1047 	case AES_CTR_MECH_INFO_TYPE:
1048 	case AES_CCM_MECH_INFO_TYPE:
1049 	case AES_GCM_MECH_INFO_TYPE:
1050 	case AES_GMAC_MECH_INFO_TYPE:
1051 		break;
1052 	default:
1053 		if ((plaintext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
1054 			return (CRYPTO_DATA_LEN_RANGE);
1055 	}
1056 
1057 	if ((ret = aes_check_mech_param(mechanism, NULL, 0)) != CRYPTO_SUCCESS)
1058 		return (ret);
1059 
1060 	bzero(&aes_ctx, sizeof (aes_ctx_t));
1061 
1062 	ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key,
1063 	    crypto_kmflag(req), B_TRUE);
1064 	if (ret != CRYPTO_SUCCESS)
1065 		return (ret);
1066 
1067 	switch (mechanism->cm_type) {
1068 	case AES_CCM_MECH_INFO_TYPE:
1069 		length_needed = plaintext->cd_length + aes_ctx.ac_mac_len;
1070 		break;
1071 	case AES_GMAC_MECH_INFO_TYPE:
1072 		if (plaintext->cd_length != 0)
1073 			return (CRYPTO_ARGUMENTS_BAD);
1074 		/* FALLTHRU */
1075 	case AES_GCM_MECH_INFO_TYPE:
1076 		length_needed = plaintext->cd_length + aes_ctx.ac_tag_len;
1077 		break;
1078 	default:
1079 		length_needed = plaintext->cd_length;
1080 	}
1081 
1082 	/* return size of buffer needed to store output */
1083 	if (ciphertext->cd_length < length_needed) {
1084 		ciphertext->cd_length = length_needed;
1085 		ret = CRYPTO_BUFFER_TOO_SMALL;
1086 		goto out;
1087 	}
1088 
1089 	saved_offset = ciphertext->cd_offset;
1090 	saved_length = ciphertext->cd_length;
1091 
1092 	/*
1093 	 * Do an update on the specified input data.
1094 	 */
1095 	switch (plaintext->cd_format) {
1096 	case CRYPTO_DATA_RAW:
1097 		ret = crypto_update_iov(&aes_ctx, plaintext, ciphertext,
1098 		    aes_encrypt_contiguous_blocks, aes_copy_block64);
1099 		break;
1100 	case CRYPTO_DATA_UIO:
1101 		ret = crypto_update_uio(&aes_ctx, plaintext, ciphertext,
1102 		    aes_encrypt_contiguous_blocks, aes_copy_block64);
1103 		break;
1104 	case CRYPTO_DATA_MBLK:
1105 		ret = crypto_update_mp(&aes_ctx, plaintext, ciphertext,
1106 		    aes_encrypt_contiguous_blocks, aes_copy_block64);
1107 		break;
1108 	default:
1109 		ret = CRYPTO_ARGUMENTS_BAD;
1110 	}
1111 
1112 	if (ret == CRYPTO_SUCCESS) {
1113 		if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) {
1114 			ret = ccm_encrypt_final((ccm_ctx_t *)&aes_ctx,
1115 			    ciphertext, AES_BLOCK_LEN, aes_encrypt_block,
1116 			    aes_xor_block);
1117 			if (ret != CRYPTO_SUCCESS)
1118 				goto out;
1119 			ASSERT(aes_ctx.ac_remainder_len == 0);
1120 		} else if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE ||
1121 		    mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE) {
1122 			ret = gcm_encrypt_final((gcm_ctx_t *)&aes_ctx,
1123 			    ciphertext, AES_BLOCK_LEN, aes_encrypt_block,
1124 			    aes_copy_block, aes_xor_block);
1125 			if (ret != CRYPTO_SUCCESS)
1126 				goto out;
1127 			ASSERT(aes_ctx.ac_remainder_len == 0);
1128 		} else if (mechanism->cm_type == AES_CTR_MECH_INFO_TYPE) {
1129 			if (aes_ctx.ac_remainder_len > 0) {
1130 				ret = ctr_mode_final((ctr_ctx_t *)&aes_ctx,
1131 				    ciphertext, aes_encrypt_block);
1132 				if (ret != CRYPTO_SUCCESS)
1133 					goto out;
1134 			}
1135 		} else {
1136 			ASSERT(aes_ctx.ac_remainder_len == 0);
1137 		}
1138 
1139 		if (plaintext != ciphertext) {
1140 			ciphertext->cd_length =
1141 			    ciphertext->cd_offset - saved_offset;
1142 		}
1143 	} else {
1144 		ciphertext->cd_length = saved_length;
1145 	}
1146 	ciphertext->cd_offset = saved_offset;
1147 
1148 out:
1149 	if (aes_ctx.ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1150 		bzero(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1151 		kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1152 	}
1153 
1154 	return (ret);
1155 }
1156 
1157 /* ARGSUSED */
1158 static int
1159 aes_decrypt_atomic(crypto_provider_handle_t provider,
1160     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1161     crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
1162     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
1163 {
1164 	aes_ctx_t aes_ctx;	/* on the stack */
1165 	off_t saved_offset;
1166 	size_t saved_length;
1167 	size_t length_needed;
1168 	int ret;
1169 
1170 	AES_ARG_INPLACE(ciphertext, plaintext);
1171 
1172 	/*
1173 	 * CCM, GCM, CTR, and GMAC modes do not require that ciphertext
1174 	 * be a multiple of AES block size.
1175 	 */
1176 	switch (mechanism->cm_type) {
1177 	case AES_CTR_MECH_INFO_TYPE:
1178 	case AES_CCM_MECH_INFO_TYPE:
1179 	case AES_GCM_MECH_INFO_TYPE:
1180 	case AES_GMAC_MECH_INFO_TYPE:
1181 		break;
1182 	default:
1183 		if ((ciphertext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
1184 			return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
1185 	}
1186 
1187 	if ((ret = aes_check_mech_param(mechanism, NULL, 0)) != CRYPTO_SUCCESS)
1188 		return (ret);
1189 
1190 	bzero(&aes_ctx, sizeof (aes_ctx_t));
1191 
1192 	ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key,
1193 	    crypto_kmflag(req), B_FALSE);
1194 	if (ret != CRYPTO_SUCCESS)
1195 		return (ret);
1196 
1197 	switch (mechanism->cm_type) {
1198 	case AES_CCM_MECH_INFO_TYPE:
1199 		length_needed = aes_ctx.ac_data_len;
1200 		break;
1201 	case AES_GCM_MECH_INFO_TYPE:
1202 		length_needed = ciphertext->cd_length - aes_ctx.ac_tag_len;
1203 		break;
1204 	case AES_GMAC_MECH_INFO_TYPE:
1205 		if (plaintext->cd_length != 0)
1206 			return (CRYPTO_ARGUMENTS_BAD);
1207 		length_needed = 0;
1208 		break;
1209 	default:
1210 		length_needed = ciphertext->cd_length;
1211 	}
1212 
1213 	/* return size of buffer needed to store output */
1214 	if (plaintext->cd_length < length_needed) {
1215 		plaintext->cd_length = length_needed;
1216 		ret = CRYPTO_BUFFER_TOO_SMALL;
1217 		goto out;
1218 	}
1219 
1220 	saved_offset = plaintext->cd_offset;
1221 	saved_length = plaintext->cd_length;
1222 
1223 	if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE ||
1224 	    mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE)
1225 		gcm_set_kmflag((gcm_ctx_t *)&aes_ctx, crypto_kmflag(req));
1226 
1227 	/*
1228 	 * Do an update on the specified input data.
1229 	 */
1230 	switch (ciphertext->cd_format) {
1231 	case CRYPTO_DATA_RAW:
1232 		ret = crypto_update_iov(&aes_ctx, ciphertext, plaintext,
1233 		    aes_decrypt_contiguous_blocks, aes_copy_block64);
1234 		break;
1235 	case CRYPTO_DATA_UIO:
1236 		ret = crypto_update_uio(&aes_ctx, ciphertext, plaintext,
1237 		    aes_decrypt_contiguous_blocks, aes_copy_block64);
1238 		break;
1239 	case CRYPTO_DATA_MBLK:
1240 		ret = crypto_update_mp(&aes_ctx, ciphertext, plaintext,
1241 		    aes_decrypt_contiguous_blocks, aes_copy_block64);
1242 		break;
1243 	default:
1244 		ret = CRYPTO_ARGUMENTS_BAD;
1245 	}
1246 
1247 	if (ret == CRYPTO_SUCCESS) {
1248 		if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) {
1249 			ASSERT(aes_ctx.ac_processed_data_len
1250 			    == aes_ctx.ac_data_len);
1251 			ASSERT(aes_ctx.ac_processed_mac_len
1252 			    == aes_ctx.ac_mac_len);
1253 			ret = ccm_decrypt_final((ccm_ctx_t *)&aes_ctx,
1254 			    plaintext, AES_BLOCK_LEN, aes_encrypt_block,
1255 			    aes_copy_block, aes_xor_block);
1256 			ASSERT(aes_ctx.ac_remainder_len == 0);
1257 			if ((ret == CRYPTO_SUCCESS) &&
1258 			    (ciphertext != plaintext)) {
1259 				plaintext->cd_length =
1260 				    plaintext->cd_offset - saved_offset;
1261 			} else {
1262 				plaintext->cd_length = saved_length;
1263 			}
1264 		} else if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE ||
1265 		    mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE) {
1266 			ret = gcm_decrypt_final((gcm_ctx_t *)&aes_ctx,
1267 			    plaintext, AES_BLOCK_LEN, aes_encrypt_block,
1268 			    aes_xor_block);
1269 			ASSERT(aes_ctx.ac_remainder_len == 0);
1270 			if ((ret == CRYPTO_SUCCESS) &&
1271 			    (ciphertext != plaintext)) {
1272 				plaintext->cd_length =
1273 				    plaintext->cd_offset - saved_offset;
1274 			} else {
1275 				plaintext->cd_length = saved_length;
1276 			}
1277 		} else if (mechanism->cm_type != AES_CTR_MECH_INFO_TYPE) {
1278 			ASSERT(aes_ctx.ac_remainder_len == 0);
1279 			if (ciphertext != plaintext)
1280 				plaintext->cd_length =
1281 				    plaintext->cd_offset - saved_offset;
1282 		} else {
1283 			if (aes_ctx.ac_remainder_len > 0) {
1284 				ret = ctr_mode_final((ctr_ctx_t *)&aes_ctx,
1285 				    plaintext, aes_encrypt_block);
1286 				if (ret == CRYPTO_DATA_LEN_RANGE)
1287 					ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
1288 				if (ret != CRYPTO_SUCCESS)
1289 					goto out;
1290 			}
1291 			if (ciphertext != plaintext)
1292 				plaintext->cd_length =
1293 				    plaintext->cd_offset - saved_offset;
1294 		}
1295 	} else {
1296 		plaintext->cd_length = saved_length;
1297 	}
1298 	plaintext->cd_offset = saved_offset;
1299 
1300 out:
1301 	if (aes_ctx.ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1302 		bzero(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1303 		kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1304 	}
1305 
1306 	if (aes_ctx.ac_flags & CCM_MODE) {
1307 		if (aes_ctx.ac_pt_buf != NULL) {
1308 			kmem_free(aes_ctx.ac_pt_buf, aes_ctx.ac_data_len);
1309 		}
1310 	} else if (aes_ctx.ac_flags & (GCM_MODE|GMAC_MODE)) {
1311 		if (((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf != NULL) {
1312 			kmem_free(((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf,
1313 			    ((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf_len);
1314 		}
1315 	}
1316 
1317 	return (ret);
1318 }
1319 
1320 /*
1321  * KCF software provider context template entry points.
1322  */
1323 /* ARGSUSED */
1324 static int
1325 aes_create_ctx_template(crypto_provider_handle_t provider,
1326     crypto_mechanism_t *mechanism, crypto_key_t *key,
1327     crypto_spi_ctx_template_t *tmpl, size_t *tmpl_size, crypto_req_handle_t req)
1328 {
1329 
1330 /* EXPORT DELETE START */
1331 
1332 	void *keysched;
1333 	size_t size;
1334 	int rv;
1335 
1336 	if (mechanism->cm_type != AES_ECB_MECH_INFO_TYPE &&
1337 	    mechanism->cm_type != AES_CBC_MECH_INFO_TYPE &&
1338 	    mechanism->cm_type != AES_CTR_MECH_INFO_TYPE &&
1339 	    mechanism->cm_type != AES_CCM_MECH_INFO_TYPE &&
1340 	    mechanism->cm_type != AES_GCM_MECH_INFO_TYPE &&
1341 	    mechanism->cm_type != AES_GMAC_MECH_INFO_TYPE)
1342 		return (CRYPTO_MECHANISM_INVALID);
1343 
1344 	if ((keysched = aes_alloc_keysched(&size,
1345 	    crypto_kmflag(req))) == NULL) {
1346 		return (CRYPTO_HOST_MEMORY);
1347 	}
1348 
1349 	/*
1350 	 * Initialize key schedule.  Key length information is stored
1351 	 * in the key.
1352 	 */
1353 	if ((rv = init_keysched(key, keysched)) != CRYPTO_SUCCESS) {
1354 		bzero(keysched, size);
1355 		kmem_free(keysched, size);
1356 		return (rv);
1357 	}
1358 
1359 	*tmpl = keysched;
1360 	*tmpl_size = size;
1361 
1362 /* EXPORT DELETE END */
1363 
1364 	return (CRYPTO_SUCCESS);
1365 }
1366 
1367 
1368 static int
1369 aes_free_context(crypto_ctx_t *ctx)
1370 {
1371 
1372 /* EXPORT DELETE START */
1373 
1374 	aes_ctx_t *aes_ctx = ctx->cc_provider_private;
1375 
1376 	if (aes_ctx != NULL) {
1377 		if (aes_ctx->ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1378 			ASSERT(aes_ctx->ac_keysched_len != 0);
1379 			bzero(aes_ctx->ac_keysched, aes_ctx->ac_keysched_len);
1380 			kmem_free(aes_ctx->ac_keysched,
1381 			    aes_ctx->ac_keysched_len);
1382 		}
1383 		crypto_free_mode_ctx(aes_ctx);
1384 		ctx->cc_provider_private = NULL;
1385 	}
1386 
1387 /* EXPORT DELETE END */
1388 
1389 	return (CRYPTO_SUCCESS);
1390 }
1391 
1392 
1393 static int
1394 aes_common_init_ctx(aes_ctx_t *aes_ctx, crypto_spi_ctx_template_t *template,
1395     crypto_mechanism_t *mechanism, crypto_key_t *key, int kmflag,
1396     boolean_t is_encrypt_init)
1397 {
1398 	int rv = CRYPTO_SUCCESS;
1399 
1400 /* EXPORT DELETE START */
1401 
1402 	void *keysched;
1403 	size_t size;
1404 
1405 	if (template == NULL) {
1406 		if ((keysched = aes_alloc_keysched(&size, kmflag)) == NULL)
1407 			return (CRYPTO_HOST_MEMORY);
1408 		/*
1409 		 * Initialize key schedule.
1410 		 * Key length is stored in the key.
1411 		 */
1412 		if ((rv = init_keysched(key, keysched)) != CRYPTO_SUCCESS) {
1413 			kmem_free(keysched, size);
1414 			return (rv);
1415 		}
1416 
1417 		aes_ctx->ac_flags |= PROVIDER_OWNS_KEY_SCHEDULE;
1418 		aes_ctx->ac_keysched_len = size;
1419 	} else {
1420 		keysched = template;
1421 	}
1422 	aes_ctx->ac_keysched = keysched;
1423 
1424 	switch (mechanism->cm_type) {
1425 	case AES_CBC_MECH_INFO_TYPE:
1426 		rv = cbc_init_ctx((cbc_ctx_t *)aes_ctx, mechanism->cm_param,
1427 		    mechanism->cm_param_len, AES_BLOCK_LEN, aes_copy_block64);
1428 		break;
1429 	case AES_CTR_MECH_INFO_TYPE: {
1430 		CK_AES_CTR_PARAMS *pp;
1431 
1432 		if (mechanism->cm_param == NULL ||
1433 		    mechanism->cm_param_len != sizeof (CK_AES_CTR_PARAMS)) {
1434 			return (CRYPTO_MECHANISM_PARAM_INVALID);
1435 		}
1436 		pp = (CK_AES_CTR_PARAMS *)(void *)mechanism->cm_param;
1437 		rv = ctr_init_ctx((ctr_ctx_t *)aes_ctx, pp->ulCounterBits,
1438 		    pp->cb, aes_copy_block);
1439 		break;
1440 	}
1441 	case AES_CCM_MECH_INFO_TYPE:
1442 		if (mechanism->cm_param == NULL ||
1443 		    mechanism->cm_param_len != sizeof (CK_AES_CCM_PARAMS)) {
1444 			return (CRYPTO_MECHANISM_PARAM_INVALID);
1445 		}
1446 		rv = ccm_init_ctx((ccm_ctx_t *)aes_ctx, mechanism->cm_param,
1447 		    kmflag, is_encrypt_init, AES_BLOCK_LEN, aes_encrypt_block,
1448 		    aes_xor_block);
1449 		break;
1450 	case AES_GCM_MECH_INFO_TYPE:
1451 		if (mechanism->cm_param == NULL ||
1452 		    mechanism->cm_param_len != sizeof (CK_AES_GCM_PARAMS)) {
1453 			return (CRYPTO_MECHANISM_PARAM_INVALID);
1454 		}
1455 		rv = gcm_init_ctx((gcm_ctx_t *)aes_ctx, mechanism->cm_param,
1456 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
1457 		    aes_xor_block);
1458 		break;
1459 	case AES_GMAC_MECH_INFO_TYPE:
1460 		if (mechanism->cm_param == NULL ||
1461 		    mechanism->cm_param_len != sizeof (CK_AES_GMAC_PARAMS)) {
1462 			return (CRYPTO_MECHANISM_PARAM_INVALID);
1463 		}
1464 		rv = gmac_init_ctx((gcm_ctx_t *)aes_ctx, mechanism->cm_param,
1465 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
1466 		    aes_xor_block);
1467 		break;
1468 	case AES_ECB_MECH_INFO_TYPE:
1469 		aes_ctx->ac_flags |= ECB_MODE;
1470 	}
1471 
1472 	if (rv != CRYPTO_SUCCESS) {
1473 		if (aes_ctx->ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1474 			bzero(keysched, size);
1475 			kmem_free(keysched, size);
1476 		}
1477 	}
1478 
1479 /* EXPORT DELETE END */
1480 
1481 	return (rv);
1482 }
1483 
1484 static int
1485 process_gmac_mech(crypto_mechanism_t *mech, crypto_data_t *data,
1486     CK_AES_GCM_PARAMS *gcm_params)
1487 {
1488 	/* LINTED: pointer alignment */
1489 	CK_AES_GMAC_PARAMS *params = (CK_AES_GMAC_PARAMS *)mech->cm_param;
1490 
1491 	if (mech->cm_type != AES_GMAC_MECH_INFO_TYPE)
1492 		return (CRYPTO_MECHANISM_INVALID);
1493 
1494 	if (mech->cm_param_len != sizeof (CK_AES_GMAC_PARAMS))
1495 		return (CRYPTO_MECHANISM_PARAM_INVALID);
1496 
1497 	if (params->pIv == NULL)
1498 		return (CRYPTO_MECHANISM_PARAM_INVALID);
1499 
1500 	gcm_params->pIv = params->pIv;
1501 	gcm_params->ulIvLen = AES_GMAC_IV_LEN;
1502 	gcm_params->ulTagBits = AES_GMAC_TAG_BITS;
1503 
1504 	if (data == NULL)
1505 		return (CRYPTO_SUCCESS);
1506 
1507 	if (data->cd_format != CRYPTO_DATA_RAW)
1508 		return (CRYPTO_ARGUMENTS_BAD);
1509 
1510 	gcm_params->pAAD = (uchar_t *)data->cd_raw.iov_base;
1511 	gcm_params->ulAADLen = data->cd_length;
1512 	return (CRYPTO_SUCCESS);
1513 }
1514 
1515 static int
1516 aes_mac_atomic(crypto_provider_handle_t provider,
1517     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1518     crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1519     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
1520 {
1521 	CK_AES_GCM_PARAMS gcm_params;
1522 	crypto_mechanism_t gcm_mech;
1523 	int rv;
1524 
1525 	if ((rv = process_gmac_mech(mechanism, data, &gcm_params))
1526 	    != CRYPTO_SUCCESS)
1527 		return (rv);
1528 
1529 	gcm_mech.cm_type = AES_GCM_MECH_INFO_TYPE;
1530 	gcm_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS);
1531 	gcm_mech.cm_param = (char *)&gcm_params;
1532 
1533 	return (aes_encrypt_atomic(provider, session_id, &gcm_mech,
1534 	    key, &null_crypto_data, mac, template, req));
1535 }
1536 
1537 static int
1538 aes_mac_verify_atomic(crypto_provider_handle_t provider,
1539     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1540     crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1541     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
1542 {
1543 	CK_AES_GCM_PARAMS gcm_params;
1544 	crypto_mechanism_t gcm_mech;
1545 	int rv;
1546 
1547 	if ((rv = process_gmac_mech(mechanism, data, &gcm_params))
1548 	    != CRYPTO_SUCCESS)
1549 		return (rv);
1550 
1551 	gcm_mech.cm_type = AES_GCM_MECH_INFO_TYPE;
1552 	gcm_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS);
1553 	gcm_mech.cm_param = (char *)&gcm_params;
1554 
1555 	return (aes_decrypt_atomic(provider, session_id, &gcm_mech,
1556 	    key, mac, &null_crypto_data, template, req));
1557 }
1558 
1559 /*
1560  * AES Power-Up Self-Test
1561  */
1562 void
1563 aes_POST(int *rc)
1564 {
1565 
1566 	int ret;
1567 
1568 	/* AES Power-Up Self-Test for 128-bit key. */
1569 	ret = fips_aes_post(FIPS_AES_128_KEY_SIZE);
1570 
1571 	if (ret != CRYPTO_SUCCESS)
1572 		goto out;
1573 
1574 	/* AES Power-Up Self-Test for 192-bit key. */
1575 	ret = fips_aes_post(FIPS_AES_192_KEY_SIZE);
1576 
1577 	if (ret != CRYPTO_SUCCESS)
1578 		goto out;
1579 
1580 	/* AES Power-Up Self-Test for 256-bit key. */
1581 	ret = fips_aes_post(FIPS_AES_256_KEY_SIZE);
1582 
1583 out:
1584 	*rc = ret;
1585 
1586 }
1587