xref: /illumos-gate/usr/src/uts/common/crypto/io/aes.c (revision 69a119caa6570c7077699161b7c28b6ee9f8b0f4)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 
25 /*
26  * AES provider for the Kernel Cryptographic Framework (KCF)
27  */
28 
29 #include <sys/types.h>
30 #include <sys/systm.h>
31 #include <sys/modctl.h>
32 #include <sys/cmn_err.h>
33 #include <sys/ddi.h>
34 #include <sys/crypto/common.h>
35 #include <sys/crypto/impl.h>
36 #include <sys/crypto/spi.h>
37 #include <sys/sysmacros.h>
38 #include <sys/strsun.h>
39 #include <modes/modes.h>
40 #define	_AES_IMPL
41 #include <aes/aes_impl.h>
42 
43 extern struct mod_ops mod_cryptoops;
44 
45 /*
46  * Module linkage information for the kernel.
47  */
48 static struct modlcrypto modlcrypto = {
49 	&mod_cryptoops,
50 	"AES Kernel SW Provider"
51 };
52 
53 static struct modlinkage modlinkage = {
54 	MODREV_1,
55 	(void *)&modlcrypto,
56 	NULL
57 };
58 
59 /*
60  * The following definitions are to keep EXPORT_SRC happy.
61  */
62 #ifndef AES_MIN_KEY_BYTES
63 #define	AES_MIN_KEY_BYTES		0
64 #endif
65 
66 #ifndef AES_MAX_KEY_BYTES
67 #define	AES_MAX_KEY_BYTES		0
68 #endif
69 
70 /*
71  * Mechanism info structure passed to KCF during registration.
72  */
73 static crypto_mech_info_t aes_mech_info_tab[] = {
74 	/* AES_ECB */
75 	{SUN_CKM_AES_ECB, AES_ECB_MECH_INFO_TYPE,
76 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
77 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
78 	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
79 	/* AES_CBC */
80 	{SUN_CKM_AES_CBC, AES_CBC_MECH_INFO_TYPE,
81 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
82 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
83 	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
84 	/* AES_CTR */
85 	{SUN_CKM_AES_CTR, AES_CTR_MECH_INFO_TYPE,
86 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
87 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
88 	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
89 	/* AES_CCM */
90 	{SUN_CKM_AES_CCM, AES_CCM_MECH_INFO_TYPE,
91 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
92 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
93 	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
94 	/* AES_GCM */
95 	{SUN_CKM_AES_GCM, AES_GCM_MECH_INFO_TYPE,
96 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
97 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
98 	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
99 	/* AES_GMAC */
100 	{SUN_CKM_AES_GMAC, AES_GMAC_MECH_INFO_TYPE,
101 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
102 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC |
103 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC |
104 	    CRYPTO_FG_SIGN | CRYPTO_FG_SIGN_ATOMIC |
105 	    CRYPTO_FG_VERIFY | CRYPTO_FG_VERIFY_ATOMIC,
106 	    AES_MIN_KEY_BYTES, AES_MAX_KEY_BYTES, CRYPTO_KEYSIZE_UNIT_IN_BYTES}
107 };
108 
109 /* operations are in-place if the output buffer is NULL */
110 #define	AES_ARG_INPLACE(input, output)				\
111 	if ((output) == NULL)					\
112 		(output) = (input);
113 
114 static void aes_provider_status(crypto_provider_handle_t, uint_t *);
115 
116 static crypto_control_ops_t aes_control_ops = {
117 	aes_provider_status
118 };
119 
120 static int aes_encrypt_init(crypto_ctx_t *, crypto_mechanism_t *,
121     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
122 static int aes_decrypt_init(crypto_ctx_t *, crypto_mechanism_t *,
123     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
124 static int aes_common_init(crypto_ctx_t *, crypto_mechanism_t *,
125     crypto_key_t *, crypto_spi_ctx_template_t, crypto_req_handle_t, boolean_t);
126 static int aes_common_init_ctx(aes_ctx_t *, crypto_spi_ctx_template_t *,
127     crypto_mechanism_t *, crypto_key_t *, int, boolean_t);
128 static int aes_encrypt_final(crypto_ctx_t *, crypto_data_t *,
129     crypto_req_handle_t);
130 static int aes_decrypt_final(crypto_ctx_t *, crypto_data_t *,
131     crypto_req_handle_t);
132 
133 static int aes_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
134     crypto_req_handle_t);
135 static int aes_encrypt_update(crypto_ctx_t *, crypto_data_t *,
136     crypto_data_t *, crypto_req_handle_t);
137 static int aes_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
138     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
139     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
140 
141 static int aes_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
142     crypto_req_handle_t);
143 static int aes_decrypt_update(crypto_ctx_t *, crypto_data_t *,
144     crypto_data_t *, crypto_req_handle_t);
145 static int aes_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
146     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
147     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
148 
149 static crypto_cipher_ops_t aes_cipher_ops = {
150 	aes_encrypt_init,
151 	aes_encrypt,
152 	aes_encrypt_update,
153 	aes_encrypt_final,
154 	aes_encrypt_atomic,
155 	aes_decrypt_init,
156 	aes_decrypt,
157 	aes_decrypt_update,
158 	aes_decrypt_final,
159 	aes_decrypt_atomic
160 };
161 
162 static int aes_mac_atomic(crypto_provider_handle_t, crypto_session_id_t,
163     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
164     crypto_spi_ctx_template_t, crypto_req_handle_t);
165 static int aes_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
166     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
167     crypto_spi_ctx_template_t, crypto_req_handle_t);
168 
169 static crypto_mac_ops_t aes_mac_ops = {
170 	NULL,
171 	NULL,
172 	NULL,
173 	NULL,
174 	aes_mac_atomic,
175 	aes_mac_verify_atomic
176 };
177 
178 static int aes_create_ctx_template(crypto_provider_handle_t,
179     crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *,
180     size_t *, crypto_req_handle_t);
181 static int aes_free_context(crypto_ctx_t *);
182 
183 static crypto_ctx_ops_t aes_ctx_ops = {
184 	aes_create_ctx_template,
185 	aes_free_context
186 };
187 
188 static crypto_ops_t aes_crypto_ops = {
189 	&aes_control_ops,
190 	NULL,
191 	&aes_cipher_ops,
192 	&aes_mac_ops,
193 	NULL,
194 	NULL,
195 	NULL,
196 	NULL,
197 	NULL,
198 	NULL,
199 	NULL,
200 	NULL,
201 	NULL,
202 	&aes_ctx_ops,
203 	NULL,
204 	NULL,
205 	NULL,
206 };
207 
208 static crypto_provider_info_t aes_prov_info = {
209 	CRYPTO_SPI_VERSION_4,
210 	"AES Software Provider",
211 	CRYPTO_SW_PROVIDER,
212 	{&modlinkage},
213 	NULL,
214 	&aes_crypto_ops,
215 	sizeof (aes_mech_info_tab)/sizeof (crypto_mech_info_t),
216 	aes_mech_info_tab
217 };
218 
219 static crypto_kcf_provider_handle_t aes_prov_handle = NULL;
220 static crypto_data_t null_crypto_data = { CRYPTO_DATA_RAW };
221 
222 int
223 _init(void)
224 {
225 	int ret;
226 
227 	if ((ret = mod_install(&modlinkage)) != 0)
228 		return (ret);
229 
230 	/* Register with KCF.  If the registration fails, remove the module. */
231 	if (crypto_register_provider(&aes_prov_info, &aes_prov_handle)) {
232 		(void) mod_remove(&modlinkage);
233 		return (EACCES);
234 	}
235 
236 	return (0);
237 }
238 
239 int
240 _fini(void)
241 {
242 	/* Unregister from KCF if module is registered */
243 	if (aes_prov_handle != NULL) {
244 		if (crypto_unregister_provider(aes_prov_handle))
245 			return (EBUSY);
246 
247 		aes_prov_handle = NULL;
248 	}
249 
250 	return (mod_remove(&modlinkage));
251 }
252 
253 int
254 _info(struct modinfo *modinfop)
255 {
256 	return (mod_info(&modlinkage, modinfop));
257 }
258 
259 
260 static int
261 aes_check_mech_param(crypto_mechanism_t *mechanism, aes_ctx_t **ctx, int kmflag)
262 {
263 	void *p = NULL;
264 	boolean_t param_required = B_TRUE;
265 	size_t param_len;
266 	void *(*alloc_fun)(int);
267 	int rv = CRYPTO_SUCCESS;
268 
269 	switch (mechanism->cm_type) {
270 	case AES_ECB_MECH_INFO_TYPE:
271 		param_required = B_FALSE;
272 		alloc_fun = ecb_alloc_ctx;
273 		break;
274 	case AES_CBC_MECH_INFO_TYPE:
275 		param_len = AES_BLOCK_LEN;
276 		alloc_fun = cbc_alloc_ctx;
277 		break;
278 	case AES_CTR_MECH_INFO_TYPE:
279 		param_len = sizeof (CK_AES_CTR_PARAMS);
280 		alloc_fun = ctr_alloc_ctx;
281 		break;
282 	case AES_CCM_MECH_INFO_TYPE:
283 		param_len = sizeof (CK_AES_CCM_PARAMS);
284 		alloc_fun = ccm_alloc_ctx;
285 		break;
286 	case AES_GCM_MECH_INFO_TYPE:
287 		param_len = sizeof (CK_AES_GCM_PARAMS);
288 		alloc_fun = gcm_alloc_ctx;
289 		break;
290 	case AES_GMAC_MECH_INFO_TYPE:
291 		param_len = sizeof (CK_AES_GMAC_PARAMS);
292 		alloc_fun = gmac_alloc_ctx;
293 		break;
294 	default:
295 		rv = CRYPTO_MECHANISM_INVALID;
296 		return (rv);
297 	}
298 	if (param_required && mechanism->cm_param != NULL &&
299 	    mechanism->cm_param_len != param_len) {
300 		rv = CRYPTO_MECHANISM_PARAM_INVALID;
301 	}
302 	if (ctx != NULL) {
303 		p = (alloc_fun)(kmflag);
304 		*ctx = p;
305 	}
306 	return (rv);
307 }
308 
309 /*
310  * Initialize key schedules for AES
311  */
312 static int
313 init_keysched(crypto_key_t *key, void *newbie)
314 {
315 	/*
316 	 * Only keys by value are supported by this module.
317 	 */
318 	switch (key->ck_format) {
319 	case CRYPTO_KEY_RAW:
320 		if (key->ck_length < AES_MINBITS ||
321 		    key->ck_length > AES_MAXBITS) {
322 			return (CRYPTO_KEY_SIZE_RANGE);
323 		}
324 
325 		/* key length must be either 128, 192, or 256 */
326 		if ((key->ck_length & 63) != 0)
327 			return (CRYPTO_KEY_SIZE_RANGE);
328 		break;
329 	default:
330 		return (CRYPTO_KEY_TYPE_INCONSISTENT);
331 	}
332 
333 	aes_init_keysched(key->ck_data, key->ck_length, newbie);
334 	return (CRYPTO_SUCCESS);
335 }
336 
337 /*
338  * KCF software provider control entry points.
339  */
340 /* ARGSUSED */
341 static void
342 aes_provider_status(crypto_provider_handle_t provider, uint_t *status)
343 {
344 	*status = CRYPTO_PROVIDER_READY;
345 }
346 
347 static int
348 aes_encrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
349     crypto_key_t *key, crypto_spi_ctx_template_t template,
350     crypto_req_handle_t req) {
351 	return (aes_common_init(ctx, mechanism, key, template, req, B_TRUE));
352 }
353 
354 static int
355 aes_decrypt_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
356     crypto_key_t *key, crypto_spi_ctx_template_t template,
357     crypto_req_handle_t req) {
358 	return (aes_common_init(ctx, mechanism, key, template, req, B_FALSE));
359 }
360 
361 
362 
363 /*
364  * KCF software provider encrypt entry points.
365  */
366 static int
367 aes_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
368     crypto_key_t *key, crypto_spi_ctx_template_t template,
369     crypto_req_handle_t req, boolean_t is_encrypt_init)
370 {
371 	aes_ctx_t *aes_ctx;
372 	int rv;
373 	int kmflag;
374 
375 	/*
376 	 * Only keys by value are supported by this module.
377 	 */
378 	if (key->ck_format != CRYPTO_KEY_RAW) {
379 		return (CRYPTO_KEY_TYPE_INCONSISTENT);
380 	}
381 
382 	kmflag = crypto_kmflag(req);
383 	if ((rv = aes_check_mech_param(mechanism, &aes_ctx, kmflag))
384 	    != CRYPTO_SUCCESS)
385 		return (rv);
386 
387 	rv = aes_common_init_ctx(aes_ctx, template, mechanism, key, kmflag,
388 	    is_encrypt_init);
389 	if (rv != CRYPTO_SUCCESS) {
390 		crypto_free_mode_ctx(aes_ctx);
391 		return (rv);
392 	}
393 
394 	ctx->cc_provider_private = aes_ctx;
395 
396 	return (CRYPTO_SUCCESS);
397 }
398 
399 static void
400 aes_copy_block64(uint8_t *in, uint64_t *out)
401 {
402 	if (IS_P2ALIGNED(in, sizeof (uint64_t))) {
403 		/* LINTED: pointer alignment */
404 		out[0] = *(uint64_t *)&in[0];
405 		/* LINTED: pointer alignment */
406 		out[1] = *(uint64_t *)&in[8];
407 	} else {
408 		uint8_t *iv8 = (uint8_t *)&out[0];
409 
410 		AES_COPY_BLOCK(in, iv8);
411 	}
412 }
413 
414 
415 static int
416 aes_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext,
417     crypto_data_t *ciphertext, crypto_req_handle_t req)
418 {
419 	int ret = CRYPTO_FAILED;
420 
421 	aes_ctx_t *aes_ctx;
422 	size_t saved_length, saved_offset, length_needed;
423 
424 	ASSERT(ctx->cc_provider_private != NULL);
425 	aes_ctx = ctx->cc_provider_private;
426 
427 	/*
428 	 * For block ciphers, plaintext must be a multiple of AES block size.
429 	 * This test is only valid for ciphers whose blocksize is a power of 2.
430 	 */
431 	if (((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE))
432 	    == 0) && (plaintext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
433 		return (CRYPTO_DATA_LEN_RANGE);
434 
435 	AES_ARG_INPLACE(plaintext, ciphertext);
436 
437 	/*
438 	 * We need to just return the length needed to store the output.
439 	 * We should not destroy the context for the following case.
440 	 */
441 	switch (aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) {
442 	case CCM_MODE:
443 		length_needed = plaintext->cd_length + aes_ctx->ac_mac_len;
444 		break;
445 	case GCM_MODE:
446 		length_needed = plaintext->cd_length + aes_ctx->ac_tag_len;
447 		break;
448 	case GMAC_MODE:
449 		if (plaintext->cd_length != 0)
450 			return (CRYPTO_ARGUMENTS_BAD);
451 
452 		length_needed = aes_ctx->ac_tag_len;
453 		break;
454 	default:
455 		length_needed = plaintext->cd_length;
456 	}
457 
458 	if (ciphertext->cd_length < length_needed) {
459 		ciphertext->cd_length = length_needed;
460 		return (CRYPTO_BUFFER_TOO_SMALL);
461 	}
462 
463 	saved_length = ciphertext->cd_length;
464 	saved_offset = ciphertext->cd_offset;
465 
466 	/*
467 	 * Do an update on the specified input data.
468 	 */
469 	ret = aes_encrypt_update(ctx, plaintext, ciphertext, req);
470 	if (ret != CRYPTO_SUCCESS) {
471 		return (ret);
472 	}
473 
474 	/*
475 	 * For CCM mode, aes_ccm_encrypt_final() will take care of any
476 	 * left-over unprocessed data, and compute the MAC
477 	 */
478 	if (aes_ctx->ac_flags & CCM_MODE) {
479 		/*
480 		 * ccm_encrypt_final() will compute the MAC and append
481 		 * it to existing ciphertext. So, need to adjust the left over
482 		 * length value accordingly
483 		 */
484 
485 		/* order of following 2 lines MUST not be reversed */
486 		ciphertext->cd_offset = ciphertext->cd_length;
487 		ciphertext->cd_length = saved_length - ciphertext->cd_length;
488 		ret = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, ciphertext,
489 		    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
490 		if (ret != CRYPTO_SUCCESS) {
491 			return (ret);
492 		}
493 
494 		if (plaintext != ciphertext) {
495 			ciphertext->cd_length =
496 			    ciphertext->cd_offset - saved_offset;
497 		}
498 		ciphertext->cd_offset = saved_offset;
499 	} else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
500 		/*
501 		 * gcm_encrypt_final() will compute the MAC and append
502 		 * it to existing ciphertext. So, need to adjust the left over
503 		 * length value accordingly
504 		 */
505 
506 		/* order of following 2 lines MUST not be reversed */
507 		ciphertext->cd_offset = ciphertext->cd_length;
508 		ciphertext->cd_length = saved_length - ciphertext->cd_length;
509 		ret = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, ciphertext,
510 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
511 		    aes_xor_block);
512 		if (ret != CRYPTO_SUCCESS) {
513 			return (ret);
514 		}
515 
516 		if (plaintext != ciphertext) {
517 			ciphertext->cd_length =
518 			    ciphertext->cd_offset - saved_offset;
519 		}
520 		ciphertext->cd_offset = saved_offset;
521 	}
522 
523 	ASSERT(aes_ctx->ac_remainder_len == 0);
524 	(void) aes_free_context(ctx);
525 
526 	return (ret);
527 }
528 
529 
530 static int
531 aes_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
532     crypto_data_t *plaintext, crypto_req_handle_t req)
533 {
534 	int ret = CRYPTO_FAILED;
535 
536 	aes_ctx_t *aes_ctx;
537 	off_t saved_offset;
538 	size_t saved_length, length_needed;
539 
540 	ASSERT(ctx->cc_provider_private != NULL);
541 	aes_ctx = ctx->cc_provider_private;
542 
543 	/*
544 	 * For block ciphers, plaintext must be a multiple of AES block size.
545 	 * This test is only valid for ciphers whose blocksize is a power of 2.
546 	 */
547 	if (((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE))
548 	    == 0) && (ciphertext->cd_length & (AES_BLOCK_LEN - 1)) != 0) {
549 		return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
550 	}
551 
552 	AES_ARG_INPLACE(ciphertext, plaintext);
553 
554 	/*
555 	 * Return length needed to store the output.
556 	 * Do not destroy context when plaintext buffer is too small.
557 	 *
558 	 * CCM:  plaintext is MAC len smaller than cipher text
559 	 * GCM:  plaintext is TAG len smaller than cipher text
560 	 * GMAC: plaintext length must be zero
561 	 */
562 	switch (aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) {
563 	case CCM_MODE:
564 		length_needed = aes_ctx->ac_processed_data_len;
565 		break;
566 	case GCM_MODE:
567 		length_needed = ciphertext->cd_length - aes_ctx->ac_tag_len;
568 		break;
569 	case GMAC_MODE:
570 		if (plaintext->cd_length != 0)
571 			return (CRYPTO_ARGUMENTS_BAD);
572 
573 		length_needed = 0;
574 		break;
575 	default:
576 		length_needed = ciphertext->cd_length;
577 	}
578 
579 	if (plaintext->cd_length < length_needed) {
580 		plaintext->cd_length = length_needed;
581 		return (CRYPTO_BUFFER_TOO_SMALL);
582 	}
583 
584 	saved_offset = plaintext->cd_offset;
585 	saved_length = plaintext->cd_length;
586 
587 	/*
588 	 * Do an update on the specified input data.
589 	 */
590 	ret = aes_decrypt_update(ctx, ciphertext, plaintext, req);
591 	if (ret != CRYPTO_SUCCESS) {
592 		goto cleanup;
593 	}
594 
595 	if (aes_ctx->ac_flags & CCM_MODE) {
596 		ASSERT(aes_ctx->ac_processed_data_len == aes_ctx->ac_data_len);
597 		ASSERT(aes_ctx->ac_processed_mac_len == aes_ctx->ac_mac_len);
598 
599 		/* order of following 2 lines MUST not be reversed */
600 		plaintext->cd_offset = plaintext->cd_length;
601 		plaintext->cd_length = saved_length - plaintext->cd_length;
602 
603 		ret = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, plaintext,
604 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
605 		    aes_xor_block);
606 		if (ret == CRYPTO_SUCCESS) {
607 			if (plaintext != ciphertext) {
608 				plaintext->cd_length =
609 				    plaintext->cd_offset - saved_offset;
610 			}
611 		} else {
612 			plaintext->cd_length = saved_length;
613 		}
614 
615 		plaintext->cd_offset = saved_offset;
616 	} else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
617 		/* order of following 2 lines MUST not be reversed */
618 		plaintext->cd_offset = plaintext->cd_length;
619 		plaintext->cd_length = saved_length - plaintext->cd_length;
620 
621 		ret = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, plaintext,
622 		    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
623 		if (ret == CRYPTO_SUCCESS) {
624 			if (plaintext != ciphertext) {
625 				plaintext->cd_length =
626 				    plaintext->cd_offset - saved_offset;
627 			}
628 		} else {
629 			plaintext->cd_length = saved_length;
630 		}
631 
632 		plaintext->cd_offset = saved_offset;
633 	}
634 
635 	ASSERT(aes_ctx->ac_remainder_len == 0);
636 
637 cleanup:
638 	(void) aes_free_context(ctx);
639 
640 	return (ret);
641 }
642 
643 
644 /* ARGSUSED */
645 static int
646 aes_encrypt_update(crypto_ctx_t *ctx, crypto_data_t *plaintext,
647     crypto_data_t *ciphertext, crypto_req_handle_t req)
648 {
649 	off_t saved_offset;
650 	size_t saved_length, out_len;
651 	int ret = CRYPTO_SUCCESS;
652 	aes_ctx_t *aes_ctx;
653 
654 	ASSERT(ctx->cc_provider_private != NULL);
655 	aes_ctx = ctx->cc_provider_private;
656 
657 	AES_ARG_INPLACE(plaintext, ciphertext);
658 
659 	/* compute number of bytes that will hold the ciphertext */
660 	out_len = aes_ctx->ac_remainder_len;
661 	out_len += plaintext->cd_length;
662 	out_len &= ~(AES_BLOCK_LEN - 1);
663 
664 	/* return length needed to store the output */
665 	if (ciphertext->cd_length < out_len) {
666 		ciphertext->cd_length = out_len;
667 		return (CRYPTO_BUFFER_TOO_SMALL);
668 	}
669 
670 	saved_offset = ciphertext->cd_offset;
671 	saved_length = ciphertext->cd_length;
672 
673 	/*
674 	 * Do the AES update on the specified input data.
675 	 */
676 	switch (plaintext->cd_format) {
677 	case CRYPTO_DATA_RAW:
678 		ret = crypto_update_iov(ctx->cc_provider_private,
679 		    plaintext, ciphertext, aes_encrypt_contiguous_blocks,
680 		    aes_copy_block64);
681 		break;
682 	case CRYPTO_DATA_UIO:
683 		ret = crypto_update_uio(ctx->cc_provider_private,
684 		    plaintext, ciphertext, aes_encrypt_contiguous_blocks,
685 		    aes_copy_block64);
686 		break;
687 	case CRYPTO_DATA_MBLK:
688 		ret = crypto_update_mp(ctx->cc_provider_private,
689 		    plaintext, ciphertext, aes_encrypt_contiguous_blocks,
690 		    aes_copy_block64);
691 		break;
692 	default:
693 		ret = CRYPTO_ARGUMENTS_BAD;
694 	}
695 
696 	/*
697 	 * Since AES counter mode is a stream cipher, we call
698 	 * ctr_mode_final() to pick up any remaining bytes.
699 	 * It is an internal function that does not destroy
700 	 * the context like *normal* final routines.
701 	 */
702 	if ((aes_ctx->ac_flags & CTR_MODE) && (aes_ctx->ac_remainder_len > 0)) {
703 		ret = ctr_mode_final((ctr_ctx_t *)aes_ctx,
704 		    ciphertext, aes_encrypt_block);
705 	}
706 
707 	if (ret == CRYPTO_SUCCESS) {
708 		if (plaintext != ciphertext)
709 			ciphertext->cd_length =
710 			    ciphertext->cd_offset - saved_offset;
711 	} else {
712 		ciphertext->cd_length = saved_length;
713 	}
714 	ciphertext->cd_offset = saved_offset;
715 
716 	return (ret);
717 }
718 
719 
720 static int
721 aes_decrypt_update(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
722     crypto_data_t *plaintext, crypto_req_handle_t req)
723 {
724 	off_t saved_offset;
725 	size_t saved_length, out_len;
726 	int ret = CRYPTO_SUCCESS;
727 	aes_ctx_t *aes_ctx;
728 
729 	ASSERT(ctx->cc_provider_private != NULL);
730 	aes_ctx = ctx->cc_provider_private;
731 
732 	AES_ARG_INPLACE(ciphertext, plaintext);
733 
734 	/*
735 	 * Compute number of bytes that will hold the plaintext.
736 	 * This is not necessary for CCM, GCM, and GMAC since these
737 	 * mechanisms never return plaintext for update operations.
738 	 */
739 	if ((aes_ctx->ac_flags & (CCM_MODE|GCM_MODE|GMAC_MODE)) == 0) {
740 		out_len = aes_ctx->ac_remainder_len;
741 		out_len += ciphertext->cd_length;
742 		out_len &= ~(AES_BLOCK_LEN - 1);
743 
744 		/* return length needed to store the output */
745 		if (plaintext->cd_length < out_len) {
746 			plaintext->cd_length = out_len;
747 			return (CRYPTO_BUFFER_TOO_SMALL);
748 		}
749 	}
750 
751 	saved_offset = plaintext->cd_offset;
752 	saved_length = plaintext->cd_length;
753 
754 	if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE))
755 		gcm_set_kmflag((gcm_ctx_t *)aes_ctx, crypto_kmflag(req));
756 
757 	/*
758 	 * Do the AES update on the specified input data.
759 	 */
760 	switch (ciphertext->cd_format) {
761 	case CRYPTO_DATA_RAW:
762 		ret = crypto_update_iov(ctx->cc_provider_private,
763 		    ciphertext, plaintext, aes_decrypt_contiguous_blocks,
764 		    aes_copy_block64);
765 		break;
766 	case CRYPTO_DATA_UIO:
767 		ret = crypto_update_uio(ctx->cc_provider_private,
768 		    ciphertext, plaintext, aes_decrypt_contiguous_blocks,
769 		    aes_copy_block64);
770 		break;
771 	case CRYPTO_DATA_MBLK:
772 		ret = crypto_update_mp(ctx->cc_provider_private,
773 		    ciphertext, plaintext, aes_decrypt_contiguous_blocks,
774 		    aes_copy_block64);
775 		break;
776 	default:
777 		ret = CRYPTO_ARGUMENTS_BAD;
778 	}
779 
780 	/*
781 	 * Since AES counter mode is a stream cipher, we call
782 	 * ctr_mode_final() to pick up any remaining bytes.
783 	 * It is an internal function that does not destroy
784 	 * the context like *normal* final routines.
785 	 */
786 	if ((aes_ctx->ac_flags & CTR_MODE) && (aes_ctx->ac_remainder_len > 0)) {
787 		ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, plaintext,
788 		    aes_encrypt_block);
789 		if (ret == CRYPTO_DATA_LEN_RANGE)
790 			ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
791 	}
792 
793 	if (ret == CRYPTO_SUCCESS) {
794 		if (ciphertext != plaintext)
795 			plaintext->cd_length =
796 			    plaintext->cd_offset - saved_offset;
797 	} else {
798 		plaintext->cd_length = saved_length;
799 	}
800 	plaintext->cd_offset = saved_offset;
801 
802 
803 	return (ret);
804 }
805 
806 /* ARGSUSED */
807 static int
808 aes_encrypt_final(crypto_ctx_t *ctx, crypto_data_t *data,
809     crypto_req_handle_t req)
810 {
811 	aes_ctx_t *aes_ctx;
812 	int ret;
813 
814 	ASSERT(ctx->cc_provider_private != NULL);
815 	aes_ctx = ctx->cc_provider_private;
816 
817 	if (data->cd_format != CRYPTO_DATA_RAW &&
818 	    data->cd_format != CRYPTO_DATA_UIO &&
819 	    data->cd_format != CRYPTO_DATA_MBLK) {
820 		return (CRYPTO_ARGUMENTS_BAD);
821 	}
822 
823 	if (aes_ctx->ac_flags & CTR_MODE) {
824 		if (aes_ctx->ac_remainder_len > 0) {
825 			ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, data,
826 			    aes_encrypt_block);
827 			if (ret != CRYPTO_SUCCESS)
828 				return (ret);
829 		}
830 	} else if (aes_ctx->ac_flags & CCM_MODE) {
831 		ret = ccm_encrypt_final((ccm_ctx_t *)aes_ctx, data,
832 		    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
833 		if (ret != CRYPTO_SUCCESS) {
834 			return (ret);
835 		}
836 	} else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
837 		size_t saved_offset = data->cd_offset;
838 
839 		ret = gcm_encrypt_final((gcm_ctx_t *)aes_ctx, data,
840 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
841 		    aes_xor_block);
842 		if (ret != CRYPTO_SUCCESS) {
843 			return (ret);
844 		}
845 		data->cd_length = data->cd_offset - saved_offset;
846 		data->cd_offset = saved_offset;
847 	} else {
848 		/*
849 		 * There must be no unprocessed plaintext.
850 		 * This happens if the length of the last data is
851 		 * not a multiple of the AES block length.
852 		 */
853 		if (aes_ctx->ac_remainder_len > 0) {
854 			return (CRYPTO_DATA_LEN_RANGE);
855 		}
856 		data->cd_length = 0;
857 	}
858 
859 	(void) aes_free_context(ctx);
860 
861 	return (CRYPTO_SUCCESS);
862 }
863 
864 /* ARGSUSED */
865 static int
866 aes_decrypt_final(crypto_ctx_t *ctx, crypto_data_t *data,
867     crypto_req_handle_t req)
868 {
869 	aes_ctx_t *aes_ctx;
870 	int ret;
871 	off_t saved_offset;
872 	size_t saved_length;
873 
874 	ASSERT(ctx->cc_provider_private != NULL);
875 	aes_ctx = ctx->cc_provider_private;
876 
877 	if (data->cd_format != CRYPTO_DATA_RAW &&
878 	    data->cd_format != CRYPTO_DATA_UIO &&
879 	    data->cd_format != CRYPTO_DATA_MBLK) {
880 		return (CRYPTO_ARGUMENTS_BAD);
881 	}
882 
883 	/*
884 	 * There must be no unprocessed ciphertext.
885 	 * This happens if the length of the last ciphertext is
886 	 * not a multiple of the AES block length.
887 	 */
888 	if (aes_ctx->ac_remainder_len > 0) {
889 		if ((aes_ctx->ac_flags & CTR_MODE) == 0)
890 			return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
891 		else {
892 			ret = ctr_mode_final((ctr_ctx_t *)aes_ctx, data,
893 			    aes_encrypt_block);
894 			if (ret == CRYPTO_DATA_LEN_RANGE)
895 				ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
896 			if (ret != CRYPTO_SUCCESS)
897 				return (ret);
898 		}
899 	}
900 
901 	if (aes_ctx->ac_flags & CCM_MODE) {
902 		/*
903 		 * This is where all the plaintext is returned, make sure
904 		 * the plaintext buffer is big enough
905 		 */
906 		size_t pt_len = aes_ctx->ac_data_len;
907 		if (data->cd_length < pt_len) {
908 			data->cd_length = pt_len;
909 			return (CRYPTO_BUFFER_TOO_SMALL);
910 		}
911 
912 		ASSERT(aes_ctx->ac_processed_data_len == pt_len);
913 		ASSERT(aes_ctx->ac_processed_mac_len == aes_ctx->ac_mac_len);
914 		saved_offset = data->cd_offset;
915 		saved_length = data->cd_length;
916 		ret = ccm_decrypt_final((ccm_ctx_t *)aes_ctx, data,
917 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
918 		    aes_xor_block);
919 		if (ret == CRYPTO_SUCCESS) {
920 			data->cd_length = data->cd_offset - saved_offset;
921 		} else {
922 			data->cd_length = saved_length;
923 		}
924 
925 		data->cd_offset = saved_offset;
926 		if (ret != CRYPTO_SUCCESS) {
927 			return (ret);
928 		}
929 	} else if (aes_ctx->ac_flags & (GCM_MODE|GMAC_MODE)) {
930 		/*
931 		 * This is where all the plaintext is returned, make sure
932 		 * the plaintext buffer is big enough
933 		 */
934 		gcm_ctx_t *ctx = (gcm_ctx_t *)aes_ctx;
935 		size_t pt_len = ctx->gcm_processed_data_len - ctx->gcm_tag_len;
936 
937 		if (data->cd_length < pt_len) {
938 			data->cd_length = pt_len;
939 			return (CRYPTO_BUFFER_TOO_SMALL);
940 		}
941 
942 		saved_offset = data->cd_offset;
943 		saved_length = data->cd_length;
944 		ret = gcm_decrypt_final((gcm_ctx_t *)aes_ctx, data,
945 		    AES_BLOCK_LEN, aes_encrypt_block, aes_xor_block);
946 		if (ret == CRYPTO_SUCCESS) {
947 			data->cd_length = data->cd_offset - saved_offset;
948 		} else {
949 			data->cd_length = saved_length;
950 		}
951 
952 		data->cd_offset = saved_offset;
953 		if (ret != CRYPTO_SUCCESS) {
954 			return (ret);
955 		}
956 	}
957 
958 
959 	if ((aes_ctx->ac_flags & (CTR_MODE|CCM_MODE|GCM_MODE|GMAC_MODE)) == 0) {
960 		data->cd_length = 0;
961 	}
962 
963 	(void) aes_free_context(ctx);
964 
965 	return (CRYPTO_SUCCESS);
966 }
967 
968 /* ARGSUSED */
969 static int
970 aes_encrypt_atomic(crypto_provider_handle_t provider,
971     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
972     crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext,
973     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
974 {
975 	aes_ctx_t aes_ctx;	/* on the stack */
976 	off_t saved_offset;
977 	size_t saved_length;
978 	size_t length_needed;
979 	int ret;
980 
981 	AES_ARG_INPLACE(plaintext, ciphertext);
982 
983 	/*
984 	 * CTR, CCM, GCM, and GMAC modes do not require that plaintext
985 	 * be a multiple of AES block size.
986 	 */
987 	switch (mechanism->cm_type) {
988 	case AES_CTR_MECH_INFO_TYPE:
989 	case AES_CCM_MECH_INFO_TYPE:
990 	case AES_GCM_MECH_INFO_TYPE:
991 	case AES_GMAC_MECH_INFO_TYPE:
992 		break;
993 	default:
994 		if ((plaintext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
995 			return (CRYPTO_DATA_LEN_RANGE);
996 	}
997 
998 	if ((ret = aes_check_mech_param(mechanism, NULL, 0)) != CRYPTO_SUCCESS)
999 		return (ret);
1000 
1001 	bzero(&aes_ctx, sizeof (aes_ctx_t));
1002 
1003 	ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key,
1004 	    crypto_kmflag(req), B_TRUE);
1005 	if (ret != CRYPTO_SUCCESS)
1006 		return (ret);
1007 
1008 	switch (mechanism->cm_type) {
1009 	case AES_CCM_MECH_INFO_TYPE:
1010 		length_needed = plaintext->cd_length + aes_ctx.ac_mac_len;
1011 		break;
1012 	case AES_GMAC_MECH_INFO_TYPE:
1013 		if (plaintext->cd_length != 0)
1014 			return (CRYPTO_ARGUMENTS_BAD);
1015 		/* FALLTHRU */
1016 	case AES_GCM_MECH_INFO_TYPE:
1017 		length_needed = plaintext->cd_length + aes_ctx.ac_tag_len;
1018 		break;
1019 	default:
1020 		length_needed = plaintext->cd_length;
1021 	}
1022 
1023 	/* return size of buffer needed to store output */
1024 	if (ciphertext->cd_length < length_needed) {
1025 		ciphertext->cd_length = length_needed;
1026 		ret = CRYPTO_BUFFER_TOO_SMALL;
1027 		goto out;
1028 	}
1029 
1030 	saved_offset = ciphertext->cd_offset;
1031 	saved_length = ciphertext->cd_length;
1032 
1033 	/*
1034 	 * Do an update on the specified input data.
1035 	 */
1036 	switch (plaintext->cd_format) {
1037 	case CRYPTO_DATA_RAW:
1038 		ret = crypto_update_iov(&aes_ctx, plaintext, ciphertext,
1039 		    aes_encrypt_contiguous_blocks, aes_copy_block64);
1040 		break;
1041 	case CRYPTO_DATA_UIO:
1042 		ret = crypto_update_uio(&aes_ctx, plaintext, ciphertext,
1043 		    aes_encrypt_contiguous_blocks, aes_copy_block64);
1044 		break;
1045 	case CRYPTO_DATA_MBLK:
1046 		ret = crypto_update_mp(&aes_ctx, plaintext, ciphertext,
1047 		    aes_encrypt_contiguous_blocks, aes_copy_block64);
1048 		break;
1049 	default:
1050 		ret = CRYPTO_ARGUMENTS_BAD;
1051 	}
1052 
1053 	if (ret == CRYPTO_SUCCESS) {
1054 		if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) {
1055 			ret = ccm_encrypt_final((ccm_ctx_t *)&aes_ctx,
1056 			    ciphertext, AES_BLOCK_LEN, aes_encrypt_block,
1057 			    aes_xor_block);
1058 			if (ret != CRYPTO_SUCCESS)
1059 				goto out;
1060 			ASSERT(aes_ctx.ac_remainder_len == 0);
1061 		} else if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE ||
1062 		    mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE) {
1063 			ret = gcm_encrypt_final((gcm_ctx_t *)&aes_ctx,
1064 			    ciphertext, AES_BLOCK_LEN, aes_encrypt_block,
1065 			    aes_copy_block, aes_xor_block);
1066 			if (ret != CRYPTO_SUCCESS)
1067 				goto out;
1068 			ASSERT(aes_ctx.ac_remainder_len == 0);
1069 		} else if (mechanism->cm_type == AES_CTR_MECH_INFO_TYPE) {
1070 			if (aes_ctx.ac_remainder_len > 0) {
1071 				ret = ctr_mode_final((ctr_ctx_t *)&aes_ctx,
1072 				    ciphertext, aes_encrypt_block);
1073 				if (ret != CRYPTO_SUCCESS)
1074 					goto out;
1075 			}
1076 		} else {
1077 			ASSERT(aes_ctx.ac_remainder_len == 0);
1078 		}
1079 
1080 		if (plaintext != ciphertext) {
1081 			ciphertext->cd_length =
1082 			    ciphertext->cd_offset - saved_offset;
1083 		}
1084 	} else {
1085 		ciphertext->cd_length = saved_length;
1086 	}
1087 	ciphertext->cd_offset = saved_offset;
1088 
1089 out:
1090 	if (aes_ctx.ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1091 		bzero(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1092 		kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1093 	}
1094 
1095 	return (ret);
1096 }
1097 
1098 /* ARGSUSED */
1099 static int
1100 aes_decrypt_atomic(crypto_provider_handle_t provider,
1101     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1102     crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
1103     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
1104 {
1105 	aes_ctx_t aes_ctx;	/* on the stack */
1106 	off_t saved_offset;
1107 	size_t saved_length;
1108 	size_t length_needed;
1109 	int ret;
1110 
1111 	AES_ARG_INPLACE(ciphertext, plaintext);
1112 
1113 	/*
1114 	 * CCM, GCM, CTR, and GMAC modes do not require that ciphertext
1115 	 * be a multiple of AES block size.
1116 	 */
1117 	switch (mechanism->cm_type) {
1118 	case AES_CTR_MECH_INFO_TYPE:
1119 	case AES_CCM_MECH_INFO_TYPE:
1120 	case AES_GCM_MECH_INFO_TYPE:
1121 	case AES_GMAC_MECH_INFO_TYPE:
1122 		break;
1123 	default:
1124 		if ((ciphertext->cd_length & (AES_BLOCK_LEN - 1)) != 0)
1125 			return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
1126 	}
1127 
1128 	if ((ret = aes_check_mech_param(mechanism, NULL, 0)) != CRYPTO_SUCCESS)
1129 		return (ret);
1130 
1131 	bzero(&aes_ctx, sizeof (aes_ctx_t));
1132 
1133 	ret = aes_common_init_ctx(&aes_ctx, template, mechanism, key,
1134 	    crypto_kmflag(req), B_FALSE);
1135 	if (ret != CRYPTO_SUCCESS)
1136 		return (ret);
1137 
1138 	switch (mechanism->cm_type) {
1139 	case AES_CCM_MECH_INFO_TYPE:
1140 		length_needed = aes_ctx.ac_data_len;
1141 		break;
1142 	case AES_GCM_MECH_INFO_TYPE:
1143 		length_needed = ciphertext->cd_length - aes_ctx.ac_tag_len;
1144 		break;
1145 	case AES_GMAC_MECH_INFO_TYPE:
1146 		if (plaintext->cd_length != 0)
1147 			return (CRYPTO_ARGUMENTS_BAD);
1148 		length_needed = 0;
1149 		break;
1150 	default:
1151 		length_needed = ciphertext->cd_length;
1152 	}
1153 
1154 	/* return size of buffer needed to store output */
1155 	if (plaintext->cd_length < length_needed) {
1156 		plaintext->cd_length = length_needed;
1157 		ret = CRYPTO_BUFFER_TOO_SMALL;
1158 		goto out;
1159 	}
1160 
1161 	saved_offset = plaintext->cd_offset;
1162 	saved_length = plaintext->cd_length;
1163 
1164 	if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE ||
1165 	    mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE)
1166 		gcm_set_kmflag((gcm_ctx_t *)&aes_ctx, crypto_kmflag(req));
1167 
1168 	/*
1169 	 * Do an update on the specified input data.
1170 	 */
1171 	switch (ciphertext->cd_format) {
1172 	case CRYPTO_DATA_RAW:
1173 		ret = crypto_update_iov(&aes_ctx, ciphertext, plaintext,
1174 		    aes_decrypt_contiguous_blocks, aes_copy_block64);
1175 		break;
1176 	case CRYPTO_DATA_UIO:
1177 		ret = crypto_update_uio(&aes_ctx, ciphertext, plaintext,
1178 		    aes_decrypt_contiguous_blocks, aes_copy_block64);
1179 		break;
1180 	case CRYPTO_DATA_MBLK:
1181 		ret = crypto_update_mp(&aes_ctx, ciphertext, plaintext,
1182 		    aes_decrypt_contiguous_blocks, aes_copy_block64);
1183 		break;
1184 	default:
1185 		ret = CRYPTO_ARGUMENTS_BAD;
1186 	}
1187 
1188 	if (ret == CRYPTO_SUCCESS) {
1189 		if (mechanism->cm_type == AES_CCM_MECH_INFO_TYPE) {
1190 			ASSERT(aes_ctx.ac_processed_data_len
1191 			    == aes_ctx.ac_data_len);
1192 			ASSERT(aes_ctx.ac_processed_mac_len
1193 			    == aes_ctx.ac_mac_len);
1194 			ret = ccm_decrypt_final((ccm_ctx_t *)&aes_ctx,
1195 			    plaintext, AES_BLOCK_LEN, aes_encrypt_block,
1196 			    aes_copy_block, aes_xor_block);
1197 			ASSERT(aes_ctx.ac_remainder_len == 0);
1198 			if ((ret == CRYPTO_SUCCESS) &&
1199 			    (ciphertext != plaintext)) {
1200 				plaintext->cd_length =
1201 				    plaintext->cd_offset - saved_offset;
1202 			} else {
1203 				plaintext->cd_length = saved_length;
1204 			}
1205 		} else if (mechanism->cm_type == AES_GCM_MECH_INFO_TYPE ||
1206 		    mechanism->cm_type == AES_GMAC_MECH_INFO_TYPE) {
1207 			ret = gcm_decrypt_final((gcm_ctx_t *)&aes_ctx,
1208 			    plaintext, AES_BLOCK_LEN, aes_encrypt_block,
1209 			    aes_xor_block);
1210 			ASSERT(aes_ctx.ac_remainder_len == 0);
1211 			if ((ret == CRYPTO_SUCCESS) &&
1212 			    (ciphertext != plaintext)) {
1213 				plaintext->cd_length =
1214 				    plaintext->cd_offset - saved_offset;
1215 			} else {
1216 				plaintext->cd_length = saved_length;
1217 			}
1218 		} else if (mechanism->cm_type != AES_CTR_MECH_INFO_TYPE) {
1219 			ASSERT(aes_ctx.ac_remainder_len == 0);
1220 			if (ciphertext != plaintext)
1221 				plaintext->cd_length =
1222 				    plaintext->cd_offset - saved_offset;
1223 		} else {
1224 			if (aes_ctx.ac_remainder_len > 0) {
1225 				ret = ctr_mode_final((ctr_ctx_t *)&aes_ctx,
1226 				    plaintext, aes_encrypt_block);
1227 				if (ret == CRYPTO_DATA_LEN_RANGE)
1228 					ret = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
1229 				if (ret != CRYPTO_SUCCESS)
1230 					goto out;
1231 			}
1232 			if (ciphertext != plaintext)
1233 				plaintext->cd_length =
1234 				    plaintext->cd_offset - saved_offset;
1235 		}
1236 	} else {
1237 		plaintext->cd_length = saved_length;
1238 	}
1239 	plaintext->cd_offset = saved_offset;
1240 
1241 out:
1242 	if (aes_ctx.ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1243 		bzero(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1244 		kmem_free(aes_ctx.ac_keysched, aes_ctx.ac_keysched_len);
1245 	}
1246 
1247 	if (aes_ctx.ac_flags & CCM_MODE) {
1248 		if (aes_ctx.ac_pt_buf != NULL) {
1249 			kmem_free(aes_ctx.ac_pt_buf, aes_ctx.ac_data_len);
1250 		}
1251 	} else if (aes_ctx.ac_flags & (GCM_MODE|GMAC_MODE)) {
1252 		if (((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf != NULL) {
1253 			kmem_free(((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf,
1254 			    ((gcm_ctx_t *)&aes_ctx)->gcm_pt_buf_len);
1255 		}
1256 	}
1257 
1258 	return (ret);
1259 }
1260 
1261 /*
1262  * KCF software provider context template entry points.
1263  */
1264 /* ARGSUSED */
1265 static int
1266 aes_create_ctx_template(crypto_provider_handle_t provider,
1267     crypto_mechanism_t *mechanism, crypto_key_t *key,
1268     crypto_spi_ctx_template_t *tmpl, size_t *tmpl_size, crypto_req_handle_t req)
1269 {
1270 	void *keysched;
1271 	size_t size;
1272 	int rv;
1273 
1274 	if (mechanism->cm_type != AES_ECB_MECH_INFO_TYPE &&
1275 	    mechanism->cm_type != AES_CBC_MECH_INFO_TYPE &&
1276 	    mechanism->cm_type != AES_CTR_MECH_INFO_TYPE &&
1277 	    mechanism->cm_type != AES_CCM_MECH_INFO_TYPE &&
1278 	    mechanism->cm_type != AES_GCM_MECH_INFO_TYPE &&
1279 	    mechanism->cm_type != AES_GMAC_MECH_INFO_TYPE)
1280 		return (CRYPTO_MECHANISM_INVALID);
1281 
1282 	if ((keysched = aes_alloc_keysched(&size,
1283 	    crypto_kmflag(req))) == NULL) {
1284 		return (CRYPTO_HOST_MEMORY);
1285 	}
1286 
1287 	/*
1288 	 * Initialize key schedule.  Key length information is stored
1289 	 * in the key.
1290 	 */
1291 	if ((rv = init_keysched(key, keysched)) != CRYPTO_SUCCESS) {
1292 		bzero(keysched, size);
1293 		kmem_free(keysched, size);
1294 		return (rv);
1295 	}
1296 
1297 	*tmpl = keysched;
1298 	*tmpl_size = size;
1299 
1300 	return (CRYPTO_SUCCESS);
1301 }
1302 
1303 
1304 static int
1305 aes_free_context(crypto_ctx_t *ctx)
1306 {
1307 	aes_ctx_t *aes_ctx = ctx->cc_provider_private;
1308 
1309 	if (aes_ctx != NULL) {
1310 		if (aes_ctx->ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1311 			ASSERT(aes_ctx->ac_keysched_len != 0);
1312 			bzero(aes_ctx->ac_keysched, aes_ctx->ac_keysched_len);
1313 			kmem_free(aes_ctx->ac_keysched,
1314 			    aes_ctx->ac_keysched_len);
1315 		}
1316 		crypto_free_mode_ctx(aes_ctx);
1317 		ctx->cc_provider_private = NULL;
1318 	}
1319 
1320 	return (CRYPTO_SUCCESS);
1321 }
1322 
1323 
1324 static int
1325 aes_common_init_ctx(aes_ctx_t *aes_ctx, crypto_spi_ctx_template_t *template,
1326     crypto_mechanism_t *mechanism, crypto_key_t *key, int kmflag,
1327     boolean_t is_encrypt_init)
1328 {
1329 	int rv = CRYPTO_SUCCESS;
1330 	void *keysched;
1331 	size_t size;
1332 
1333 	if (template == NULL) {
1334 		if ((keysched = aes_alloc_keysched(&size, kmflag)) == NULL)
1335 			return (CRYPTO_HOST_MEMORY);
1336 		/*
1337 		 * Initialize key schedule.
1338 		 * Key length is stored in the key.
1339 		 */
1340 		if ((rv = init_keysched(key, keysched)) != CRYPTO_SUCCESS) {
1341 			kmem_free(keysched, size);
1342 			return (rv);
1343 		}
1344 
1345 		aes_ctx->ac_flags |= PROVIDER_OWNS_KEY_SCHEDULE;
1346 		aes_ctx->ac_keysched_len = size;
1347 	} else {
1348 		keysched = template;
1349 	}
1350 	aes_ctx->ac_keysched = keysched;
1351 
1352 	switch (mechanism->cm_type) {
1353 	case AES_CBC_MECH_INFO_TYPE:
1354 		rv = cbc_init_ctx((cbc_ctx_t *)aes_ctx, mechanism->cm_param,
1355 		    mechanism->cm_param_len, AES_BLOCK_LEN, aes_copy_block64);
1356 		break;
1357 	case AES_CTR_MECH_INFO_TYPE: {
1358 		CK_AES_CTR_PARAMS *pp;
1359 
1360 		if (mechanism->cm_param == NULL ||
1361 		    mechanism->cm_param_len != sizeof (CK_AES_CTR_PARAMS)) {
1362 			return (CRYPTO_MECHANISM_PARAM_INVALID);
1363 		}
1364 		pp = (CK_AES_CTR_PARAMS *)(void *)mechanism->cm_param;
1365 		rv = ctr_init_ctx((ctr_ctx_t *)aes_ctx, pp->ulCounterBits,
1366 		    pp->cb, aes_copy_block);
1367 		break;
1368 	}
1369 	case AES_CCM_MECH_INFO_TYPE:
1370 		if (mechanism->cm_param == NULL ||
1371 		    mechanism->cm_param_len != sizeof (CK_AES_CCM_PARAMS)) {
1372 			return (CRYPTO_MECHANISM_PARAM_INVALID);
1373 		}
1374 		rv = ccm_init_ctx((ccm_ctx_t *)aes_ctx, mechanism->cm_param,
1375 		    kmflag, is_encrypt_init, AES_BLOCK_LEN, aes_encrypt_block,
1376 		    aes_xor_block);
1377 		break;
1378 	case AES_GCM_MECH_INFO_TYPE:
1379 		if (mechanism->cm_param == NULL ||
1380 		    mechanism->cm_param_len != sizeof (CK_AES_GCM_PARAMS)) {
1381 			return (CRYPTO_MECHANISM_PARAM_INVALID);
1382 		}
1383 		rv = gcm_init_ctx((gcm_ctx_t *)aes_ctx, mechanism->cm_param,
1384 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
1385 		    aes_xor_block);
1386 		break;
1387 	case AES_GMAC_MECH_INFO_TYPE:
1388 		if (mechanism->cm_param == NULL ||
1389 		    mechanism->cm_param_len != sizeof (CK_AES_GMAC_PARAMS)) {
1390 			return (CRYPTO_MECHANISM_PARAM_INVALID);
1391 		}
1392 		rv = gmac_init_ctx((gcm_ctx_t *)aes_ctx, mechanism->cm_param,
1393 		    AES_BLOCK_LEN, aes_encrypt_block, aes_copy_block,
1394 		    aes_xor_block);
1395 		break;
1396 	case AES_ECB_MECH_INFO_TYPE:
1397 		aes_ctx->ac_flags |= ECB_MODE;
1398 	}
1399 
1400 	if (rv != CRYPTO_SUCCESS) {
1401 		if (aes_ctx->ac_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1402 			bzero(keysched, size);
1403 			kmem_free(keysched, size);
1404 		}
1405 	}
1406 
1407 	return (rv);
1408 }
1409 
1410 static int
1411 process_gmac_mech(crypto_mechanism_t *mech, crypto_data_t *data,
1412     CK_AES_GCM_PARAMS *gcm_params)
1413 {
1414 	/* LINTED: pointer alignment */
1415 	CK_AES_GMAC_PARAMS *params = (CK_AES_GMAC_PARAMS *)mech->cm_param;
1416 
1417 	if (mech->cm_type != AES_GMAC_MECH_INFO_TYPE)
1418 		return (CRYPTO_MECHANISM_INVALID);
1419 
1420 	if (mech->cm_param_len != sizeof (CK_AES_GMAC_PARAMS))
1421 		return (CRYPTO_MECHANISM_PARAM_INVALID);
1422 
1423 	if (params->pIv == NULL)
1424 		return (CRYPTO_MECHANISM_PARAM_INVALID);
1425 
1426 	gcm_params->pIv = params->pIv;
1427 	gcm_params->ulIvLen = AES_GMAC_IV_LEN;
1428 	gcm_params->ulTagBits = AES_GMAC_TAG_BITS;
1429 
1430 	if (data == NULL)
1431 		return (CRYPTO_SUCCESS);
1432 
1433 	if (data->cd_format != CRYPTO_DATA_RAW)
1434 		return (CRYPTO_ARGUMENTS_BAD);
1435 
1436 	gcm_params->pAAD = (uchar_t *)data->cd_raw.iov_base;
1437 	gcm_params->ulAADLen = data->cd_length;
1438 	return (CRYPTO_SUCCESS);
1439 }
1440 
1441 static int
1442 aes_mac_atomic(crypto_provider_handle_t provider,
1443     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1444     crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1445     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
1446 {
1447 	CK_AES_GCM_PARAMS gcm_params;
1448 	crypto_mechanism_t gcm_mech;
1449 	int rv;
1450 
1451 	if ((rv = process_gmac_mech(mechanism, data, &gcm_params))
1452 	    != CRYPTO_SUCCESS)
1453 		return (rv);
1454 
1455 	gcm_mech.cm_type = AES_GCM_MECH_INFO_TYPE;
1456 	gcm_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS);
1457 	gcm_mech.cm_param = (char *)&gcm_params;
1458 
1459 	return (aes_encrypt_atomic(provider, session_id, &gcm_mech,
1460 	    key, &null_crypto_data, mac, template, req));
1461 }
1462 
1463 static int
1464 aes_mac_verify_atomic(crypto_provider_handle_t provider,
1465     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1466     crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1467     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
1468 {
1469 	CK_AES_GCM_PARAMS gcm_params;
1470 	crypto_mechanism_t gcm_mech;
1471 	int rv;
1472 
1473 	if ((rv = process_gmac_mech(mechanism, data, &gcm_params))
1474 	    != CRYPTO_SUCCESS)
1475 		return (rv);
1476 
1477 	gcm_mech.cm_type = AES_GCM_MECH_INFO_TYPE;
1478 	gcm_mech.cm_param_len = sizeof (CK_AES_GCM_PARAMS);
1479 	gcm_mech.cm_param = (char *)&gcm_params;
1480 
1481 	return (aes_decrypt_atomic(provider, session_id, &gcm_mech,
1482 	    key, mac, &null_crypto_data, template, req));
1483 }
1484