xref: /illumos-gate/usr/src/uts/common/des/des_crypt.c (revision 1bff1300cebf1ea8e11ce928b10e208097e67f24)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  *
21  */
22 /*
23  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 /*	Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T	*/
28 /*	  All Rights Reserved	*/
29 
30 /*
31  * Portions of this source code were derived from Berkeley 4.3 BSD
32  * under license from the Regents of the University of California.
33  */
34 
35 /*
36  * des_crypt.c, DES encryption library routines
37  */
38 
39 #include <sys/errno.h>
40 #include <sys/modctl.h>
41 
42 #include <sys/systm.h>
43 #include <sys/cmn_err.h>
44 #include <sys/ddi.h>
45 #include <sys/crypto/common.h>
46 #include <sys/crypto/spi.h>
47 #include <sys/sysmacros.h>
48 #include <sys/strsun.h>
49 #include <sys/note.h>
50 #include <modes/modes.h>
51 #define	_DES_IMPL
52 #include <des/des_impl.h>
53 
54 #include <sys/types.h>
55 #include <rpc/des_crypt.h>
56 #include <des/des.h>
57 
58 #ifdef sun_hardware
59 #include <sys/ioctl.h>
60 #ifdef _KERNEL
61 #include <sys/conf.h>
62 static int g_desfd = -1;
63 #define	getdesfd()	(cdevsw[11].d_open(0, 0) ? -1 : 0)
64 #define	ioctl(a, b, c)	(cdevsw[11].d_ioctl(0, b, c, 0) ? -1 : 0)
65 #else
66 #define	getdesfd()	(open("/dev/des", 0, 0))
67 #endif	/* _KERNEL */
68 #endif	/* sun */
69 
70 static int common_crypt(char *key, char *buf, size_t len,
71     unsigned int mode, struct desparams *desp);
72 
73 extern int _des_crypt(char *buf, size_t len, struct desparams *desp);
74 
75 extern struct mod_ops mod_cryptoops;
76 
77 /*
78  * Module linkage information for the kernel.
79  */
80 static struct modlmisc modlmisc = {
81 	&mod_miscops,
82 	"des encryption",
83 };
84 
85 static struct modlcrypto modlcrypto = {
86 	&mod_cryptoops,
87 	"DES Kernel SW Provider"
88 };
89 
90 static struct modlinkage modlinkage = {
91 	MODREV_1,
92 	&modlmisc,
93 	&modlcrypto,
94 	NULL
95 };
96 
97 #define	DES_MIN_KEY_LEN		DES_MINBYTES
98 #define	DES_MAX_KEY_LEN		DES_MAXBYTES
99 #define	DES3_MIN_KEY_LEN	DES3_MAXBYTES	/* no CKK_DES2 support */
100 #define	DES3_MAX_KEY_LEN	DES3_MAXBYTES
101 
102 #ifndef DES_MIN_KEY_LEN
103 #define	DES_MIN_KEY_LEN		0
104 #endif
105 
106 #ifndef DES_MAX_KEY_LEN
107 #define	DES_MAX_KEY_LEN		0
108 #endif
109 
110 #ifndef DES3_MIN_KEY_LEN
111 #define	DES3_MIN_KEY_LEN	0
112 #endif
113 
114 #ifndef DES3_MAX_KEY_LEN
115 #define	DES3_MAX_KEY_LEN	0
116 #endif
117 
118 
119 /*
120  * Mechanism info structure passed to KCF during registration.
121  */
122 static crypto_mech_info_t des_mech_info_tab[] = {
123 	/* DES_ECB */
124 	{SUN_CKM_DES_ECB, DES_ECB_MECH_INFO_TYPE,
125 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
126 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
127 	    DES_MIN_KEY_LEN, DES_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
128 	/* DES_CBC */
129 	{SUN_CKM_DES_CBC, DES_CBC_MECH_INFO_TYPE,
130 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
131 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
132 	    DES_MIN_KEY_LEN, DES_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
133 	/* DES3_ECB */
134 	{SUN_CKM_DES3_ECB, DES3_ECB_MECH_INFO_TYPE,
135 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
136 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
137 	    DES3_MIN_KEY_LEN, DES3_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BYTES},
138 	/* DES3_CBC */
139 	{SUN_CKM_DES3_CBC, DES3_CBC_MECH_INFO_TYPE,
140 	    CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_ATOMIC |
141 	    CRYPTO_FG_DECRYPT | CRYPTO_FG_DECRYPT_ATOMIC,
142 	    DES3_MIN_KEY_LEN, DES3_MAX_KEY_LEN, CRYPTO_KEYSIZE_UNIT_IN_BYTES}
143 };
144 
145 /* operations are in-place if the output buffer is NULL */
146 #define	DES_ARG_INPLACE(input, output)				\
147 	if ((output) == NULL)					\
148 		(output) = (input);
149 
150 static void des_provider_status(crypto_provider_handle_t, uint_t *);
151 
152 static crypto_control_ops_t des_control_ops = {
153 	des_provider_status
154 };
155 
156 static int
157 des_common_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *,
158     crypto_spi_ctx_template_t, crypto_req_handle_t);
159 static int des_common_init_ctx(des_ctx_t *, crypto_spi_ctx_template_t *,
160     crypto_mechanism_t *, crypto_key_t *, des_strength_t, int);
161 static int des_encrypt_final(crypto_ctx_t *, crypto_data_t *,
162     crypto_req_handle_t);
163 static int des_decrypt_final(crypto_ctx_t *, crypto_data_t *,
164     crypto_req_handle_t);
165 
166 static int des_encrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
167     crypto_req_handle_t);
168 static int des_encrypt_update(crypto_ctx_t *, crypto_data_t *,
169     crypto_data_t *, crypto_req_handle_t);
170 static int des_encrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
171     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
172     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
173 
174 static int des_decrypt(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
175     crypto_req_handle_t);
176 static int des_decrypt_update(crypto_ctx_t *, crypto_data_t *,
177     crypto_data_t *, crypto_req_handle_t);
178 static int des_decrypt_atomic(crypto_provider_handle_t, crypto_session_id_t,
179     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *,
180     crypto_data_t *, crypto_spi_ctx_template_t, crypto_req_handle_t);
181 
182 static crypto_cipher_ops_t des_cipher_ops = {
183 	des_common_init,
184 	des_encrypt,
185 	des_encrypt_update,
186 	des_encrypt_final,
187 	des_encrypt_atomic,
188 	des_common_init,
189 	des_decrypt,
190 	des_decrypt_update,
191 	des_decrypt_final,
192 	des_decrypt_atomic
193 };
194 
195 static int des_create_ctx_template(crypto_provider_handle_t,
196     crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *,
197     size_t *, crypto_req_handle_t);
198 static int des_free_context(crypto_ctx_t *);
199 
200 static crypto_ctx_ops_t des_ctx_ops = {
201 	des_create_ctx_template,
202 	des_free_context
203 };
204 
205 static int des_key_check(crypto_provider_handle_t, crypto_mechanism_t *,
206     crypto_key_t *);
207 
208 static crypto_key_ops_t des_key_ops = {
209 	NULL,
210 	NULL,
211 	NULL,
212 	NULL,
213 	NULL,
214 	des_key_check
215 };
216 
217 static crypto_ops_t des_crypto_ops = {
218 	&des_control_ops,
219 	NULL,
220 	&des_cipher_ops,
221 	NULL,
222 	NULL,
223 	NULL,
224 	NULL,
225 	NULL,
226 	NULL,
227 	NULL,
228 	NULL,
229 	&des_key_ops,
230 	NULL,
231 	&des_ctx_ops,
232 	NULL,
233 	NULL,
234 	NULL
235 };
236 
237 static crypto_provider_info_t des_prov_info = {
238 	CRYPTO_SPI_VERSION_4,
239 	"DES Software Provider",
240 	CRYPTO_SW_PROVIDER,
241 	{&modlinkage},
242 	NULL,
243 	&des_crypto_ops,
244 	sizeof (des_mech_info_tab)/sizeof (crypto_mech_info_t),
245 	des_mech_info_tab
246 };
247 
248 static crypto_kcf_provider_handle_t des_prov_handle = 0;
249 
250 int
251 _init(void)
252 {
253 	int ret;
254 
255 	if ((ret = mod_install(&modlinkage)) != 0)
256 		return (ret);
257 
258 	/*
259 	 * Register with KCF. If the registration fails, kcf will log an
260 	 * error but do not uninstall the module, since the functionality
261 	 * provided by misc/des should still be available.
262 	 *
263 	 */
264 	(void) crypto_register_provider(&des_prov_info, &des_prov_handle);
265 
266 	return (0);
267 }
268 
269 
270 int
271 _info(struct modinfo *modinfop)
272 {
273 	return (mod_info(&modlinkage, modinfop));
274 }
275 
276 /*
277  * Copy 8 bytes
278  */
279 #define	COPY8(src, dst) { \
280 	char *a = (char *)dst; \
281 	char *b = (char *)src; \
282 	*a++ = *b++; *a++ = *b++; *a++ = *b++; *a++ = *b++; \
283 	*a++ = *b++; *a++ = *b++; *a++ = *b++; *a++ = *b++; \
284 }
285 
286 /*
287  * Copy multiple of 8 bytes
288  */
289 #define	DESCOPY(src, dst, len) { \
290 	char *a = (char *)dst; \
291 	char *b = (char *)src; \
292 	int i; \
293 	for (i = (size_t)len; i > 0; i -= 8) { \
294 		*a++ = *b++; *a++ = *b++; *a++ = *b++; *a++ = *b++; \
295 		*a++ = *b++; *a++ = *b++; *a++ = *b++; *a++ = *b++; \
296 	} \
297 }
298 
299 /*
300  * CBC mode encryption
301  */
302 /* ARGSUSED */
303 int
304 cbc_crypt(char *key, char *buf, size_t len, unsigned int mode, char *ivec)
305 {
306 	int err = 0;
307 	struct desparams dp;
308 
309 	dp.des_mode = CBC;
310 	COPY8(ivec, dp.des_ivec);
311 	err = common_crypt(key, buf, len, mode, &dp);
312 	COPY8(dp.des_ivec, ivec);
313 	return (err);
314 }
315 
316 
317 /*
318  * ECB mode encryption
319  */
320 /* ARGSUSED */
321 int
322 ecb_crypt(char *key, char *buf, size_t len, unsigned int mode)
323 {
324 	int err = 0;
325 	struct desparams dp;
326 
327 	dp.des_mode = ECB;
328 	err = common_crypt(key, buf, len, mode, &dp);
329 	return (err);
330 }
331 
332 
333 
334 /*
335  * Common code to cbc_crypt() & ecb_crypt()
336  */
337 static int
338 common_crypt(char *key, char *buf, size_t len, unsigned int mode,
339     struct desparams *desp)
340 {
341 	int desdev;
342 
343 	if ((len % 8) != 0 || len > DES_MAXDATA)
344 		return (DESERR_BADPARAM);
345 
346 	desp->des_dir =
347 	    ((mode & DES_DIRMASK) == DES_ENCRYPT) ? ENCRYPT : DECRYPT;
348 
349 	desdev = mode & DES_DEVMASK;
350 	COPY8(key, desp->des_key);
351 
352 #ifdef sun_hardware
353 	if (desdev == DES_HW) {
354 		int res;
355 
356 		if (g_desfd < 0 &&
357 		    (g_desfd == -1 || (g_desfd = getdesfd()) < 0))
358 				goto software;	/* no hardware device */
359 
360 		/*
361 		 * hardware
362 		 */
363 		desp->des_len = len;
364 		if (len <= DES_QUICKLEN) {
365 			DESCOPY(buf, desp->des_data, len);
366 			res = ioctl(g_desfd, DESIOCQUICK, (char *)desp);
367 			DESCOPY(desp->des_data, buf, len);
368 		} else {
369 			desp->des_buf = (uchar_t *)buf;
370 			res = ioctl(g_desfd, DESIOCBLOCK, (char *)desp);
371 		}
372 		return (res == 0 ? DESERR_NONE : DESERR_HWERROR);
373 	}
374 software:
375 #endif
376 	/*
377 	 * software
378 	 */
379 	if (!_des_crypt(buf, len, desp))
380 		return (DESERR_HWERROR);
381 
382 	return (desdev == DES_SW ? DESERR_NONE : DESERR_NOHWDEVICE);
383 }
384 
385 /*
386  * Initialize key schedules for DES and DES3
387  */
388 static int
389 init_keysched(crypto_key_t *key, void *newbie, des_strength_t strength)
390 {
391 	uint8_t corrected_key[DES3_KEYSIZE];
392 
393 	/*
394 	 * Only keys by value are supported by this module.
395 	 */
396 	switch (key->ck_format) {
397 	case CRYPTO_KEY_RAW:
398 		if (strength == DES && key->ck_length != DES_MAXBITS)
399 			return (CRYPTO_KEY_SIZE_RANGE);
400 		if (strength == DES3 && key->ck_length != DES3_MAXBITS)
401 			return (CRYPTO_KEY_SIZE_RANGE);
402 		break;
403 	default:
404 		return (CRYPTO_KEY_TYPE_INCONSISTENT);
405 	}
406 
407 	/*
408 	 * Fix parity bits.
409 	 * Initialize key schedule even if key is weak.
410 	 */
411 	if (key->ck_data == NULL)
412 		return (CRYPTO_ARGUMENTS_BAD);
413 
414 	des_parity_fix(key->ck_data, strength, corrected_key);
415 	des_init_keysched(corrected_key, strength, newbie);
416 	return (CRYPTO_SUCCESS);
417 }
418 
419 /*
420  * KCF software provider control entry points.
421  */
422 /* ARGSUSED */
423 static void
424 des_provider_status(crypto_provider_handle_t provider, uint_t *status)
425 {
426 	*status = CRYPTO_PROVIDER_READY;
427 }
428 
429 /*
430  * KCF software provider encrypt entry points.
431  */
432 static int
433 des_common_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
434     crypto_key_t *key, crypto_spi_ctx_template_t template,
435     crypto_req_handle_t req)
436 {
437 
438 	des_strength_t strength;
439 	des_ctx_t *des_ctx = NULL;
440 	int rv;
441 	int kmflag;
442 
443 	/*
444 	 * Only keys by value are supported by this module.
445 	 */
446 	if (key->ck_format != CRYPTO_KEY_RAW) {
447 		return (CRYPTO_KEY_TYPE_INCONSISTENT);
448 	}
449 
450 	kmflag = crypto_kmflag(req);
451 	/* Check mechanism type and parameter length */
452 	switch (mechanism->cm_type) {
453 	case DES_ECB_MECH_INFO_TYPE:
454 		des_ctx = ecb_alloc_ctx(kmflag);
455 		/* FALLTHRU */
456 	case DES_CBC_MECH_INFO_TYPE:
457 		if (mechanism->cm_param != NULL &&
458 		    mechanism->cm_param_len != DES_BLOCK_LEN)
459 			return (CRYPTO_MECHANISM_PARAM_INVALID);
460 		if (key->ck_length != DES_MAXBITS)
461 			return (CRYPTO_KEY_SIZE_RANGE);
462 		strength = DES;
463 		if (des_ctx == NULL)
464 			des_ctx = cbc_alloc_ctx(kmflag);
465 		break;
466 	case DES3_ECB_MECH_INFO_TYPE:
467 		des_ctx = ecb_alloc_ctx(kmflag);
468 		/* FALLTHRU */
469 	case DES3_CBC_MECH_INFO_TYPE:
470 		if (mechanism->cm_param != NULL &&
471 		    mechanism->cm_param_len != DES_BLOCK_LEN)
472 			return (CRYPTO_MECHANISM_PARAM_INVALID);
473 		if (key->ck_length != DES3_MAXBITS)
474 			return (CRYPTO_KEY_SIZE_RANGE);
475 		strength = DES3;
476 		if (des_ctx == NULL)
477 			des_ctx = cbc_alloc_ctx(kmflag);
478 		break;
479 	default:
480 		return (CRYPTO_MECHANISM_INVALID);
481 	}
482 
483 	if ((rv = des_common_init_ctx(des_ctx, template, mechanism, key,
484 	    strength, kmflag)) != CRYPTO_SUCCESS) {
485 		crypto_free_mode_ctx(des_ctx);
486 		return (rv);
487 	}
488 
489 	ctx->cc_provider_private = des_ctx;
490 
491 	return (CRYPTO_SUCCESS);
492 }
493 
494 static void
495 des_copy_block64(uint8_t *in, uint64_t *out)
496 {
497 	if (IS_P2ALIGNED(in, sizeof (uint64_t))) {
498 		/* LINTED: pointer alignment */
499 		out[0] = *(uint64_t *)&in[0];
500 	} else {
501 		uint64_t tmp64;
502 
503 #ifdef _BIG_ENDIAN
504 		tmp64 = (((uint64_t)in[0] << 56) |
505 		    ((uint64_t)in[1] << 48) |
506 		    ((uint64_t)in[2] << 40) |
507 		    ((uint64_t)in[3] << 32) |
508 		    ((uint64_t)in[4] << 24) |
509 		    ((uint64_t)in[5] << 16) |
510 		    ((uint64_t)in[6] << 8) |
511 		    (uint64_t)in[7]);
512 #else
513 		tmp64 = (((uint64_t)in[7] << 56) |
514 		    ((uint64_t)in[6] << 48) |
515 		    ((uint64_t)in[5] << 40) |
516 		    ((uint64_t)in[4] << 32) |
517 		    ((uint64_t)in[3] << 24) |
518 		    ((uint64_t)in[2] << 16) |
519 		    ((uint64_t)in[1] << 8) |
520 		    (uint64_t)in[0]);
521 #endif /* _BIG_ENDIAN */
522 
523 		out[0] = tmp64;
524 	}
525 }
526 
527 /* ARGSUSED */
528 static int
529 des_encrypt(crypto_ctx_t *ctx, crypto_data_t *plaintext,
530     crypto_data_t *ciphertext, crypto_req_handle_t req)
531 {
532 	int ret;
533 
534 	des_ctx_t *des_ctx;
535 
536 	/*
537 	 * Plaintext must be a multiple of the block size.
538 	 * This test only works for non-padded mechanisms
539 	 * when blocksize is 2^N.
540 	 */
541 	if ((plaintext->cd_length & (DES_BLOCK_LEN - 1)) != 0)
542 		return (CRYPTO_DATA_LEN_RANGE);
543 
544 	ASSERT(ctx->cc_provider_private != NULL);
545 	des_ctx = ctx->cc_provider_private;
546 
547 	DES_ARG_INPLACE(plaintext, ciphertext);
548 
549 	/*
550 	 * We need to just return the length needed to store the output.
551 	 * We should not destroy the context for the following case.
552 	 */
553 	if (ciphertext->cd_length < plaintext->cd_length) {
554 		ciphertext->cd_length = plaintext->cd_length;
555 		return (CRYPTO_BUFFER_TOO_SMALL);
556 	}
557 
558 	/*
559 	 * Do an update on the specified input data.
560 	 */
561 	ret = des_encrypt_update(ctx, plaintext, ciphertext, req);
562 	ASSERT(des_ctx->dc_remainder_len == 0);
563 	(void) des_free_context(ctx);
564 
565 	/* LINTED */
566 	return (ret);
567 }
568 
569 /* ARGSUSED */
570 static int
571 des_decrypt(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
572     crypto_data_t *plaintext, crypto_req_handle_t req)
573 {
574 	int ret;
575 
576 	des_ctx_t *des_ctx;
577 
578 	/*
579 	 * Ciphertext must be a multiple of the block size.
580 	 * This test only works for non-padded mechanisms
581 	 * when blocksize is 2^N.
582 	 */
583 	if ((ciphertext->cd_length & (DES_BLOCK_LEN - 1)) != 0)
584 		return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
585 
586 	ASSERT(ctx->cc_provider_private != NULL);
587 	des_ctx = ctx->cc_provider_private;
588 
589 	DES_ARG_INPLACE(ciphertext, plaintext);
590 
591 	/*
592 	 * We need to just return the length needed to store the output.
593 	 * We should not destroy the context for the following case.
594 	 */
595 	if (plaintext->cd_length < ciphertext->cd_length) {
596 		plaintext->cd_length = ciphertext->cd_length;
597 		return (CRYPTO_BUFFER_TOO_SMALL);
598 	}
599 
600 	/*
601 	 * Do an update on the specified input data.
602 	 */
603 	ret = des_decrypt_update(ctx, ciphertext, plaintext, req);
604 	ASSERT(des_ctx->dc_remainder_len == 0);
605 	(void) des_free_context(ctx);
606 
607 	/* LINTED */
608 	return (ret);
609 }
610 
611 /* ARGSUSED */
612 static int
613 des_encrypt_update(crypto_ctx_t *ctx, crypto_data_t *plaintext,
614     crypto_data_t *ciphertext, crypto_req_handle_t req)
615 {
616 	off_t saved_offset;
617 	size_t saved_length, out_len;
618 	int ret = CRYPTO_SUCCESS;
619 
620 	ASSERT(ctx->cc_provider_private != NULL);
621 
622 	DES_ARG_INPLACE(plaintext, ciphertext);
623 
624 	/* compute number of bytes that will hold the ciphertext */
625 	out_len = ((des_ctx_t *)ctx->cc_provider_private)->dc_remainder_len;
626 	out_len += plaintext->cd_length;
627 	out_len &= ~(DES_BLOCK_LEN - 1);
628 
629 	/* return length needed to store the output */
630 	if (ciphertext->cd_length < out_len) {
631 		ciphertext->cd_length = out_len;
632 		return (CRYPTO_BUFFER_TOO_SMALL);
633 	}
634 
635 	saved_offset = ciphertext->cd_offset;
636 	saved_length = ciphertext->cd_length;
637 
638 	/*
639 	 * Do the DES update on the specified input data.
640 	 */
641 	switch (plaintext->cd_format) {
642 	case CRYPTO_DATA_RAW:
643 		ret = crypto_update_iov(ctx->cc_provider_private,
644 		    plaintext, ciphertext, des_encrypt_contiguous_blocks,
645 		    des_copy_block64);
646 		break;
647 	case CRYPTO_DATA_UIO:
648 		ret = crypto_update_uio(ctx->cc_provider_private,
649 		    plaintext, ciphertext, des_encrypt_contiguous_blocks,
650 		    des_copy_block64);
651 		break;
652 	case CRYPTO_DATA_MBLK:
653 		ret = crypto_update_mp(ctx->cc_provider_private,
654 		    plaintext, ciphertext, des_encrypt_contiguous_blocks,
655 		    des_copy_block64);
656 		break;
657 	default:
658 		ret = CRYPTO_ARGUMENTS_BAD;
659 	}
660 
661 	if (ret == CRYPTO_SUCCESS) {
662 		if (plaintext != ciphertext)
663 			ciphertext->cd_length =
664 			    ciphertext->cd_offset - saved_offset;
665 	} else {
666 		ciphertext->cd_length = saved_length;
667 	}
668 	ciphertext->cd_offset = saved_offset;
669 
670 	return (ret);
671 }
672 
673 /* ARGSUSED */
674 static int
675 des_decrypt_update(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
676     crypto_data_t *plaintext, crypto_req_handle_t req)
677 {
678 	off_t saved_offset;
679 	size_t saved_length, out_len;
680 	int ret = CRYPTO_SUCCESS;
681 
682 	ASSERT(ctx->cc_provider_private != NULL);
683 
684 	DES_ARG_INPLACE(ciphertext, plaintext);
685 
686 	/* compute number of bytes that will hold the plaintext */
687 	out_len = ((des_ctx_t *)ctx->cc_provider_private)->dc_remainder_len;
688 	out_len += ciphertext->cd_length;
689 	out_len &= ~(DES_BLOCK_LEN - 1);
690 
691 	/* return length needed to store the output */
692 	if (plaintext->cd_length < out_len) {
693 		plaintext->cd_length = out_len;
694 		return (CRYPTO_BUFFER_TOO_SMALL);
695 	}
696 
697 	saved_offset = plaintext->cd_offset;
698 	saved_length = plaintext->cd_length;
699 
700 	/*
701 	 * Do the DES update on the specified input data.
702 	 */
703 	switch (ciphertext->cd_format) {
704 	case CRYPTO_DATA_RAW:
705 		ret = crypto_update_iov(ctx->cc_provider_private,
706 		    ciphertext, plaintext, des_decrypt_contiguous_blocks,
707 		    des_copy_block64);
708 		break;
709 	case CRYPTO_DATA_UIO:
710 		ret = crypto_update_uio(ctx->cc_provider_private,
711 		    ciphertext, plaintext, des_decrypt_contiguous_blocks,
712 		    des_copy_block64);
713 		break;
714 	case CRYPTO_DATA_MBLK:
715 		ret = crypto_update_mp(ctx->cc_provider_private,
716 		    ciphertext, plaintext, des_decrypt_contiguous_blocks,
717 		    des_copy_block64);
718 		break;
719 	default:
720 		ret = CRYPTO_ARGUMENTS_BAD;
721 	}
722 
723 	if (ret == CRYPTO_SUCCESS) {
724 		if (ciphertext != plaintext)
725 			plaintext->cd_length =
726 			    plaintext->cd_offset - saved_offset;
727 	} else {
728 		plaintext->cd_length = saved_length;
729 	}
730 	plaintext->cd_offset = saved_offset;
731 
732 	return (ret);
733 }
734 
735 /* ARGSUSED */
736 static int
737 des_encrypt_final(crypto_ctx_t *ctx, crypto_data_t *ciphertext,
738     crypto_req_handle_t req)
739 {
740 	des_ctx_t *des_ctx;
741 
742 	ASSERT(ctx->cc_provider_private != NULL);
743 	des_ctx = ctx->cc_provider_private;
744 
745 	/*
746 	 * There must be no unprocessed plaintext.
747 	 * This happens if the length of the last data is
748 	 * not a multiple of the DES block length.
749 	 */
750 	if (des_ctx->dc_remainder_len > 0)
751 		return (CRYPTO_DATA_LEN_RANGE);
752 
753 	(void) des_free_context(ctx);
754 	ciphertext->cd_length = 0;
755 
756 	return (CRYPTO_SUCCESS);
757 }
758 
759 /* ARGSUSED */
760 static int
761 des_decrypt_final(crypto_ctx_t *ctx, crypto_data_t *plaintext,
762     crypto_req_handle_t req)
763 {
764 	des_ctx_t *des_ctx;
765 
766 	ASSERT(ctx->cc_provider_private != NULL);
767 	des_ctx = ctx->cc_provider_private;
768 
769 	/*
770 	 * There must be no unprocessed ciphertext.
771 	 * This happens if the length of the last ciphertext is
772 	 * not a multiple of the DES block length.
773 	 */
774 	if (des_ctx->dc_remainder_len > 0)
775 		return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE);
776 
777 	(void) des_free_context(ctx);
778 	plaintext->cd_length = 0;
779 
780 	return (CRYPTO_SUCCESS);
781 }
782 
783 /* ARGSUSED */
784 static int
785 des_encrypt_atomic(crypto_provider_handle_t provider,
786     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
787     crypto_key_t *key, crypto_data_t *plaintext, crypto_data_t *ciphertext,
788     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
789 {
790 	int ret;
791 
792 	des_ctx_t des_ctx;		/* on the stack */
793 	des_strength_t strength;
794 	off_t saved_offset;
795 	size_t saved_length;
796 
797 	DES_ARG_INPLACE(plaintext, ciphertext);
798 
799 	/*
800 	 * Plaintext must be a multiple of the block size.
801 	 * This test only works for non-padded mechanisms
802 	 * when blocksize is 2^N.
803 	 */
804 	if ((plaintext->cd_length & (DES_BLOCK_LEN - 1)) != 0)
805 		return (CRYPTO_DATA_LEN_RANGE);
806 
807 	/* return length needed to store the output */
808 	if (ciphertext->cd_length < plaintext->cd_length) {
809 		ciphertext->cd_length = plaintext->cd_length;
810 		return (CRYPTO_BUFFER_TOO_SMALL);
811 	}
812 
813 	/* Check mechanism type and parameter length */
814 	switch (mechanism->cm_type) {
815 	case DES_ECB_MECH_INFO_TYPE:
816 	case DES_CBC_MECH_INFO_TYPE:
817 		if (mechanism->cm_param_len > 0 &&
818 		    mechanism->cm_param_len != DES_BLOCK_LEN)
819 			return (CRYPTO_MECHANISM_PARAM_INVALID);
820 		if (key->ck_length != DES_MINBITS)
821 			return (CRYPTO_KEY_SIZE_RANGE);
822 		strength = DES;
823 		break;
824 	case DES3_ECB_MECH_INFO_TYPE:
825 	case DES3_CBC_MECH_INFO_TYPE:
826 		if (mechanism->cm_param_len > 0 &&
827 		    mechanism->cm_param_len != DES_BLOCK_LEN)
828 			return (CRYPTO_MECHANISM_PARAM_INVALID);
829 		if (key->ck_length != DES3_MAXBITS)
830 			return (CRYPTO_KEY_SIZE_RANGE);
831 		strength = DES3;
832 		break;
833 	default:
834 		return (CRYPTO_MECHANISM_INVALID);
835 	}
836 
837 	bzero(&des_ctx, sizeof (des_ctx_t));
838 
839 	if ((ret = des_common_init_ctx(&des_ctx, template, mechanism, key,
840 	    strength, crypto_kmflag(req))) != CRYPTO_SUCCESS) {
841 		return (ret);
842 	}
843 
844 	saved_offset = ciphertext->cd_offset;
845 	saved_length = ciphertext->cd_length;
846 
847 	/*
848 	 * Do the update on the specified input data.
849 	 */
850 	switch (plaintext->cd_format) {
851 	case CRYPTO_DATA_RAW:
852 		ret = crypto_update_iov(&des_ctx, plaintext, ciphertext,
853 		    des_encrypt_contiguous_blocks, des_copy_block64);
854 		break;
855 	case CRYPTO_DATA_UIO:
856 		ret = crypto_update_uio(&des_ctx, plaintext, ciphertext,
857 		    des_encrypt_contiguous_blocks, des_copy_block64);
858 		break;
859 	case CRYPTO_DATA_MBLK:
860 		ret = crypto_update_mp(&des_ctx, plaintext, ciphertext,
861 		    des_encrypt_contiguous_blocks, des_copy_block64);
862 		break;
863 	default:
864 		ret = CRYPTO_ARGUMENTS_BAD;
865 	}
866 
867 	if (des_ctx.dc_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
868 		bzero(des_ctx.dc_keysched, des_ctx.dc_keysched_len);
869 		kmem_free(des_ctx.dc_keysched, des_ctx.dc_keysched_len);
870 	}
871 
872 	if (ret == CRYPTO_SUCCESS) {
873 		ASSERT(des_ctx.dc_remainder_len == 0);
874 		if (plaintext != ciphertext)
875 			ciphertext->cd_length =
876 			    ciphertext->cd_offset - saved_offset;
877 	} else {
878 		ciphertext->cd_length = saved_length;
879 	}
880 	ciphertext->cd_offset = saved_offset;
881 
882 	/* LINTED */
883 	return (ret);
884 }
885 
886 /* ARGSUSED */
887 static int
888 des_decrypt_atomic(crypto_provider_handle_t provider,
889     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
890     crypto_key_t *key, crypto_data_t *ciphertext, crypto_data_t *plaintext,
891     crypto_spi_ctx_template_t template, crypto_req_handle_t req)
892 {
893 	int ret;
894 
895 	des_ctx_t des_ctx;	/* on the stack */
896 	des_strength_t strength;
897 	off_t saved_offset;
898 	size_t saved_length;
899 
900 	DES_ARG_INPLACE(ciphertext, plaintext);
901 
902 	/*
903 	 * Ciphertext must be a multiple of the block size.
904 	 * This test only works for non-padded mechanisms
905 	 * when blocksize is 2^N.
906 	 */
907 	if ((ciphertext->cd_length & (DES_BLOCK_LEN - 1)) != 0)
908 		return (CRYPTO_DATA_LEN_RANGE);
909 
910 	/* return length needed to store the output */
911 	if (plaintext->cd_length < ciphertext->cd_length) {
912 		plaintext->cd_length = ciphertext->cd_length;
913 		return (CRYPTO_BUFFER_TOO_SMALL);
914 	}
915 
916 	/* Check mechanism type and parameter length */
917 	switch (mechanism->cm_type) {
918 	case DES_ECB_MECH_INFO_TYPE:
919 	case DES_CBC_MECH_INFO_TYPE:
920 		if (mechanism->cm_param_len > 0 &&
921 		    mechanism->cm_param_len != DES_BLOCK_LEN)
922 			return (CRYPTO_MECHANISM_PARAM_INVALID);
923 		if (key->ck_length != DES_MINBITS)
924 			return (CRYPTO_KEY_SIZE_RANGE);
925 		strength = DES;
926 		break;
927 	case DES3_ECB_MECH_INFO_TYPE:
928 	case DES3_CBC_MECH_INFO_TYPE:
929 		if (mechanism->cm_param_len > 0 &&
930 		    mechanism->cm_param_len != DES_BLOCK_LEN)
931 			return (CRYPTO_MECHANISM_PARAM_INVALID);
932 		if (key->ck_length != DES3_MAXBITS)
933 			return (CRYPTO_KEY_SIZE_RANGE);
934 		strength = DES3;
935 		break;
936 	default:
937 		return (CRYPTO_MECHANISM_INVALID);
938 	}
939 
940 	bzero(&des_ctx, sizeof (des_ctx_t));
941 
942 	if ((ret = des_common_init_ctx(&des_ctx, template, mechanism, key,
943 	    strength, crypto_kmflag(req))) != CRYPTO_SUCCESS) {
944 		return (ret);
945 	}
946 
947 	saved_offset = plaintext->cd_offset;
948 	saved_length = plaintext->cd_length;
949 
950 	/*
951 	 * Do the update on the specified input data.
952 	 */
953 	switch (ciphertext->cd_format) {
954 	case CRYPTO_DATA_RAW:
955 		ret = crypto_update_iov(&des_ctx, ciphertext, plaintext,
956 		    des_decrypt_contiguous_blocks, des_copy_block64);
957 		break;
958 	case CRYPTO_DATA_UIO:
959 		ret = crypto_update_uio(&des_ctx, ciphertext, plaintext,
960 		    des_decrypt_contiguous_blocks, des_copy_block64);
961 		break;
962 	case CRYPTO_DATA_MBLK:
963 		ret = crypto_update_mp(&des_ctx, ciphertext, plaintext,
964 		    des_decrypt_contiguous_blocks, des_copy_block64);
965 		break;
966 	default:
967 		ret = CRYPTO_ARGUMENTS_BAD;
968 	}
969 
970 	if (des_ctx.dc_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
971 		bzero(des_ctx.dc_keysched, des_ctx.dc_keysched_len);
972 		kmem_free(des_ctx.dc_keysched, des_ctx.dc_keysched_len);
973 	}
974 
975 	if (ret == CRYPTO_SUCCESS) {
976 		ASSERT(des_ctx.dc_remainder_len == 0);
977 		if (ciphertext != plaintext)
978 			plaintext->cd_length =
979 			    plaintext->cd_offset - saved_offset;
980 	} else {
981 		plaintext->cd_length = saved_length;
982 	}
983 	plaintext->cd_offset = saved_offset;
984 
985 	/* LINTED */
986 	return (ret);
987 }
988 
989 /*
990  * KCF software provider context template entry points.
991  */
992 /* ARGSUSED */
993 static int
994 des_create_ctx_template(crypto_provider_handle_t provider,
995     crypto_mechanism_t *mechanism, crypto_key_t *key,
996     crypto_spi_ctx_template_t *tmpl, size_t *tmpl_size, crypto_req_handle_t req)
997 {
998 
999 	des_strength_t strength;
1000 	void *keysched;
1001 	size_t size;
1002 	int rv;
1003 
1004 	switch (mechanism->cm_type) {
1005 	case DES_ECB_MECH_INFO_TYPE:
1006 		strength = DES;
1007 		break;
1008 	case DES_CBC_MECH_INFO_TYPE:
1009 		strength = DES;
1010 		break;
1011 	case DES3_ECB_MECH_INFO_TYPE:
1012 		strength = DES3;
1013 		break;
1014 	case DES3_CBC_MECH_INFO_TYPE:
1015 		strength = DES3;
1016 		break;
1017 	default:
1018 		return (CRYPTO_MECHANISM_INVALID);
1019 	}
1020 
1021 	if ((keysched = des_alloc_keysched(&size, strength,
1022 	    crypto_kmflag(req))) == NULL) {
1023 		return (CRYPTO_HOST_MEMORY);
1024 	}
1025 
1026 	/*
1027 	 * Initialize key schedule.  Key length information is stored
1028 	 * in the key.
1029 	 */
1030 	if ((rv = init_keysched(key, keysched, strength)) != CRYPTO_SUCCESS) {
1031 		bzero(keysched, size);
1032 		kmem_free(keysched, size);
1033 		return (rv);
1034 	}
1035 
1036 	*tmpl = keysched;
1037 	*tmpl_size = size;
1038 
1039 	return (CRYPTO_SUCCESS);
1040 }
1041 
1042 /* ARGSUSED */
1043 static int
1044 des_free_context(crypto_ctx_t *ctx)
1045 {
1046 	des_ctx_t *des_ctx = ctx->cc_provider_private;
1047 
1048 	if (des_ctx != NULL) {
1049 		if (des_ctx->dc_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1050 			ASSERT(des_ctx->dc_keysched_len != 0);
1051 			bzero(des_ctx->dc_keysched, des_ctx->dc_keysched_len);
1052 			kmem_free(des_ctx->dc_keysched,
1053 			    des_ctx->dc_keysched_len);
1054 		}
1055 		crypto_free_mode_ctx(des_ctx);
1056 		ctx->cc_provider_private = NULL;
1057 	}
1058 
1059 	return (CRYPTO_SUCCESS);
1060 }
1061 
1062 /*
1063  * Pass it to des_keycheck() which will
1064  * fix it (parity bits), and check if the fixed key is weak.
1065  */
1066 /* ARGSUSED */
1067 static int
1068 des_key_check(crypto_provider_handle_t pd, crypto_mechanism_t *mech,
1069     crypto_key_t *key)
1070 {
1071 	int expectedkeylen;
1072 	des_strength_t strength;
1073 	uint8_t keydata[DES3_MAX_KEY_LEN];
1074 
1075 	if ((mech == NULL) || (key == NULL))
1076 		return (CRYPTO_ARGUMENTS_BAD);
1077 
1078 	switch (mech->cm_type) {
1079 	case DES_ECB_MECH_INFO_TYPE:
1080 	case DES_CBC_MECH_INFO_TYPE:
1081 		expectedkeylen = DES_MINBITS;
1082 		strength = DES;
1083 		break;
1084 	case DES3_ECB_MECH_INFO_TYPE:
1085 	case DES3_CBC_MECH_INFO_TYPE:
1086 		expectedkeylen = DES3_MAXBITS;
1087 		strength = DES3;
1088 		break;
1089 	default:
1090 		return (CRYPTO_MECHANISM_INVALID);
1091 	}
1092 
1093 	if (key->ck_format != CRYPTO_KEY_RAW)
1094 		return (CRYPTO_KEY_TYPE_INCONSISTENT);
1095 
1096 	if (key->ck_length != expectedkeylen)
1097 		return (CRYPTO_KEY_SIZE_RANGE);
1098 
1099 	bcopy(key->ck_data, keydata, CRYPTO_BITS2BYTES(expectedkeylen));
1100 
1101 	if (des_keycheck(keydata, strength, key->ck_data) == B_FALSE)
1102 		return (CRYPTO_WEAK_KEY);
1103 
1104 	return (CRYPTO_SUCCESS);
1105 }
1106 
1107 /* ARGSUSED */
1108 static int
1109 des_common_init_ctx(des_ctx_t *des_ctx, crypto_spi_ctx_template_t *template,
1110     crypto_mechanism_t *mechanism, crypto_key_t *key, des_strength_t strength,
1111     int kmflag)
1112 {
1113 	int rv = CRYPTO_SUCCESS;
1114 
1115 	void *keysched;
1116 	size_t size;
1117 
1118 	if (template == NULL) {
1119 		if ((keysched = des_alloc_keysched(&size, strength,
1120 		    kmflag)) == NULL)
1121 			return (CRYPTO_HOST_MEMORY);
1122 		/*
1123 		 * Initialize key schedule.
1124 		 * Key length is stored in the key.
1125 		 */
1126 		if ((rv = init_keysched(key, keysched,
1127 		    strength)) != CRYPTO_SUCCESS)
1128 			kmem_free(keysched, size);
1129 
1130 		des_ctx->dc_flags |= PROVIDER_OWNS_KEY_SCHEDULE;
1131 		des_ctx->dc_keysched_len = size;
1132 	} else {
1133 		keysched = template;
1134 	}
1135 	des_ctx->dc_keysched = keysched;
1136 
1137 	if (strength == DES3) {
1138 		des_ctx->dc_flags |= DES3_STRENGTH;
1139 	}
1140 
1141 	switch (mechanism->cm_type) {
1142 	case DES_CBC_MECH_INFO_TYPE:
1143 	case DES3_CBC_MECH_INFO_TYPE:
1144 		rv = cbc_init_ctx((cbc_ctx_t *)des_ctx, mechanism->cm_param,
1145 		    mechanism->cm_param_len, DES_BLOCK_LEN, des_copy_block64);
1146 		break;
1147 	case DES_ECB_MECH_INFO_TYPE:
1148 	case DES3_ECB_MECH_INFO_TYPE:
1149 		des_ctx->dc_flags |= ECB_MODE;
1150 	}
1151 
1152 	if (rv != CRYPTO_SUCCESS) {
1153 		if (des_ctx->dc_flags & PROVIDER_OWNS_KEY_SCHEDULE) {
1154 			bzero(keysched, size);
1155 			kmem_free(keysched, size);
1156 		}
1157 	}
1158 
1159 	return (rv);
1160 }
1161