xref: /illumos-gate/usr/src/uts/common/io/cryptmod.c (revision 3d393ee6c37fa10ac512ed6d36109ad616dc7c1a)
1 /*
2  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  *
5  * STREAMS Crypto Module
6  *
7  * This module is used to facilitate Kerberos encryption
8  * operations for the telnet daemon and rlogin daemon.
9  * Because the Solaris telnet and rlogin daemons run mostly
10  * in-kernel via 'telmod' and 'rlmod', this module must be
11  * pushed on the STREAM *below* telmod or rlmod.
12  *
13  * Parts of the 3DES key derivation code are covered by the
14  * following copyright.
15  *
16  * Copyright (C) 1998 by the FundsXpress, INC.
17  *
18  * All rights reserved.
19  *
20  * Export of this software from the United States of America may require
21  * a specific license from the United States Government.  It is the
22  * responsibility of any person or organization contemplating export to
23  * obtain such a license before exporting.
24  *
25  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
26  * distribute this software and its documentation for any purpose and
27  * without fee is hereby granted, provided that the above copyright
28  * notice appear in all copies and that both that copyright notice and
29  * this permission notice appear in supporting documentation, and that
30  * the name of FundsXpress. not be used in advertising or publicity pertaining
31  * to distribution of the software without specific, written prior
32  * permission.  FundsXpress makes no representations about the suitability of
33  * this software for any purpose.  It is provided "as is" without express
34  * or implied warranty.
35  *
36  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
37  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
38  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
39  */
40 
41 #include <sys/types.h>
42 #include <sys/sysmacros.h>
43 #include <sys/errno.h>
44 #include <sys/debug.h>
45 #include <sys/time.h>
46 #include <sys/stropts.h>
47 #include <sys/stream.h>
48 #include <sys/strsubr.h>
49 #include <sys/strlog.h>
50 #include <sys/cmn_err.h>
51 #include <sys/conf.h>
52 #include <sys/sunddi.h>
53 #include <sys/kmem.h>
54 #include <sys/strsun.h>
55 #include <sys/random.h>
56 #include <sys/types.h>
57 #include <sys/byteorder.h>
58 #include <sys/cryptmod.h>
59 #include <sys/crc32.h>
60 #include <sys/policy.h>
61 
62 #include <sys/crypto/api.h>
63 
64 #include <sys/strft.h>
65 /*
66  * Function prototypes.
67  */
68 static	int	cryptmodopen(queue_t *, dev_t *, int, int, cred_t *);
69 static  void	cryptmodrput(queue_t *, mblk_t *);
70 static  void	cryptmodwput(queue_t *, mblk_t *);
71 static	int	cryptmodclose(queue_t *);
72 static	int	cryptmodwsrv(queue_t *);
73 static	int	cryptmodrsrv(queue_t *);
74 
75 static mblk_t *do_encrypt(queue_t *q, mblk_t *mp);
76 static mblk_t *do_decrypt(queue_t *q, mblk_t *mp);
77 
78 #define	CRYPTMOD_ID 5150
79 
80 #define	CFB_BLKSZ 8
81 
82 #define	K5CLENGTH 5
83 
84 static struct module_info	cryptmod_minfo = {
85 	CRYPTMOD_ID,	/* mi_idnum */
86 	"cryptmod",	/* mi_idname */
87 	0,		/* mi_minpsz */
88 	INFPSZ,		/* mi_maxpsz */
89 	65536,		/* mi_hiwat */
90 	1024		/* mi_lowat */
91 };
92 
93 static struct qinit	cryptmod_rinit = {
94 	(int (*)())cryptmodrput,	/* qi_putp */
95 	cryptmodrsrv,	/* qi_svc */
96 	cryptmodopen,	/* qi_qopen */
97 	cryptmodclose,	/* qi_qclose */
98 	NULL,		/* qi_qadmin */
99 	&cryptmod_minfo,	/* qi_minfo */
100 	NULL		/* qi_mstat */
101 };
102 
103 static struct qinit	cryptmod_winit = {
104 	(int (*)())cryptmodwput,	/* qi_putp */
105 	cryptmodwsrv,	/* qi_srvp */
106 	NULL,		/* qi_qopen */
107 	NULL,		/* qi_qclose */
108 	NULL,		/* qi_qadmin */
109 	&cryptmod_minfo,	/* qi_minfo */
110 	NULL		/* qi_mstat */
111 };
112 
113 static struct streamtab	cryptmod_info = {
114 	&cryptmod_rinit,	/* st_rdinit */
115 	&cryptmod_winit,	/* st_wrinit */
116 	NULL,	/* st_muxrinit */
117 	NULL	/* st_muxwinit */
118 };
119 
120 typedef struct {
121 	uint_t hash_len;
122 	uint_t confound_len;
123 	int (*hashfunc)();
124 } hash_info_t;
125 
126 #define	MAX_CKSUM_LEN 20
127 #define	CONFOUNDER_LEN 8
128 
129 #define	SHA1_HASHSIZE 20
130 #define	MD5_HASHSIZE 16
131 #define	CRC32_HASHSIZE 4
132 #define	MSGBUF_SIZE 4096
133 #define	CONFOUNDER_BYTES 128
134 
135 
136 static int crc32_calc(uchar_t *, uchar_t *, uint_t);
137 static int md5_calc(uchar_t *, uchar_t *, uint_t);
138 static int sha1_calc(uchar_t *, uchar_t *, uint_t);
139 
140 static hash_info_t null_hash = {0, 0, NULL};
141 static hash_info_t crc32_hash = {CRC32_HASHSIZE, CONFOUNDER_LEN, crc32_calc};
142 static hash_info_t md5_hash = {MD5_HASHSIZE, CONFOUNDER_LEN, md5_calc};
143 static hash_info_t sha1_hash = {SHA1_HASHSIZE, CONFOUNDER_LEN, sha1_calc};
144 
145 static crypto_mech_type_t sha1_hmac_mech = CRYPTO_MECH_INVALID;
146 static crypto_mech_type_t md5_hmac_mech = CRYPTO_MECH_INVALID;
147 static crypto_mech_type_t sha1_hash_mech = CRYPTO_MECH_INVALID;
148 static crypto_mech_type_t md5_hash_mech = CRYPTO_MECH_INVALID;
149 
150 static int kef_crypt(struct cipher_data_t *, void *,
151 		    crypto_data_format_t, size_t, int);
152 static mblk_t *
153 arcfour_hmac_md5_encrypt(queue_t *, struct tmodinfo *,
154 		mblk_t *, hash_info_t *);
155 static mblk_t *
156 arcfour_hmac_md5_decrypt(queue_t *, struct tmodinfo *,
157 		mblk_t *, hash_info_t *);
158 
159 static int
160 do_hmac(crypto_mech_type_t, crypto_key_t *, char *, int, char *, int);
161 
162 /*
163  * This is the loadable module wrapper.
164  */
165 #include <sys/modctl.h>
166 
167 static struct fmodsw fsw = {
168 	"cryptmod",
169 	&cryptmod_info,
170 	D_MP | D_MTQPAIR
171 };
172 
173 /*
174  * Module linkage information for the kernel.
175  */
176 static struct modlstrmod modlstrmod = {
177 	&mod_strmodops,
178 	"STREAMS encryption module",
179 	&fsw
180 };
181 
182 static struct modlinkage modlinkage = {
183 	MODREV_1,
184 	&modlstrmod,
185 	NULL
186 };
187 
188 int
189 _init(void)
190 {
191 	return (mod_install(&modlinkage));
192 }
193 
194 int
195 _fini(void)
196 {
197 	return (mod_remove(&modlinkage));
198 }
199 
200 int
201 _info(struct modinfo *modinfop)
202 {
203 	return (mod_info(&modlinkage, modinfop));
204 }
205 
206 static void
207 cleanup(struct cipher_data_t *cd)
208 {
209 	if (cd->key != NULL) {
210 		bzero(cd->key, cd->keylen);
211 		kmem_free(cd->key, cd->keylen);
212 		cd->key = NULL;
213 	}
214 
215 	if (cd->ckey != NULL) {
216 		/*
217 		 * ckey is a crypto_key_t structure which references
218 		 * "cd->key" for its raw key data.  Since that was already
219 		 * cleared out, we don't need another "bzero" here.
220 		 */
221 		kmem_free(cd->ckey, sizeof (crypto_key_t));
222 		cd->ckey = NULL;
223 	}
224 
225 	if (cd->block != NULL) {
226 		kmem_free(cd->block, cd->blocklen);
227 		cd->block = NULL;
228 	}
229 
230 	if (cd->saveblock != NULL) {
231 		kmem_free(cd->saveblock, cd->blocklen);
232 		cd->saveblock = NULL;
233 	}
234 
235 	if (cd->ivec != NULL) {
236 		kmem_free(cd->ivec, cd->ivlen);
237 		cd->ivec = NULL;
238 	}
239 
240 	if (cd->d_encr_key.ck_data != NULL) {
241 		bzero(cd->d_encr_key.ck_data, cd->keylen);
242 		kmem_free(cd->d_encr_key.ck_data, cd->keylen);
243 	}
244 
245 	if (cd->d_hmac_key.ck_data != NULL) {
246 		bzero(cd->d_hmac_key.ck_data, cd->keylen);
247 		kmem_free(cd->d_hmac_key.ck_data, cd->keylen);
248 	}
249 
250 	if (cd->enc_tmpl != NULL)
251 		(void) crypto_destroy_ctx_template(cd->enc_tmpl);
252 
253 	if (cd->hmac_tmpl != NULL)
254 		(void) crypto_destroy_ctx_template(cd->hmac_tmpl);
255 
256 	if (cd->ctx != NULL) {
257 		crypto_cancel_ctx(cd->ctx);
258 		cd->ctx = NULL;
259 	}
260 }
261 
262 /* ARGSUSED */
263 static int
264 cryptmodopen(queue_t *rq, dev_t *dev, int oflag, int sflag, cred_t *crp)
265 {
266 	struct tmodinfo	*tmi;
267 	ASSERT(rq);
268 
269 	if (sflag != MODOPEN)
270 		return (EINVAL);
271 
272 	(void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE,
273 			"cryptmodopen: opening module(PID %d)",
274 			ddi_get_pid()));
275 
276 	if (rq->q_ptr != NULL) {
277 		cmn_err(CE_WARN, "cryptmodopen: already opened");
278 		return (0);
279 	}
280 
281 	/*
282 	 * Allocate and initialize per-Stream structure.
283 	 */
284 	tmi = (struct tmodinfo *)kmem_zalloc(sizeof (struct tmodinfo),
285 						KM_SLEEP);
286 
287 	tmi->enc_data.method = CRYPT_METHOD_NONE;
288 	tmi->dec_data.method = CRYPT_METHOD_NONE;
289 
290 	tmi->ready = (CRYPT_READ_READY | CRYPT_WRITE_READY);
291 
292 	rq->q_ptr = WR(rq)->q_ptr = tmi;
293 
294 	sha1_hmac_mech = crypto_mech2id(SUN_CKM_SHA1_HMAC);
295 	md5_hmac_mech = crypto_mech2id(SUN_CKM_MD5_HMAC);
296 	sha1_hash_mech = crypto_mech2id(SUN_CKM_SHA1);
297 	md5_hash_mech = crypto_mech2id(SUN_CKM_MD5);
298 
299 	qprocson(rq);
300 
301 	return (0);
302 }
303 
304 static int
305 cryptmodclose(queue_t *rq)
306 {
307 	struct tmodinfo *tmi = (struct tmodinfo *)rq->q_ptr;
308 	ASSERT(tmi);
309 
310 	qprocsoff(rq);
311 
312 	cleanup(&tmi->enc_data);
313 	cleanup(&tmi->dec_data);
314 
315 	kmem_free(tmi, sizeof (struct tmodinfo));
316 	rq->q_ptr = WR(rq)->q_ptr = NULL;
317 
318 	return (0);
319 }
320 
321 /*
322  * plaintext_offset
323  *
324  * Calculate exactly how much space is needed in front
325  * of the "plaintext" in an mbuf so it can be positioned
326  * 1 time instead of potentially moving the data multiple
327  * times.
328  */
329 static int
330 plaintext_offset(struct cipher_data_t *cd)
331 {
332 	int headspace = 0;
333 
334 	/* 4 byte length prepended to all RCMD msgs */
335 	if (ANY_RCMD_MODE(cd->option_mask))
336 		headspace += RCMD_LEN_SZ;
337 
338 	/* RCMD V2 mode adds an additional 4 byte plaintext length */
339 	if (cd->option_mask & CRYPTOPT_RCMD_MODE_V2)
340 		headspace += RCMD_LEN_SZ;
341 
342 	/* Need extra space for hash and counfounder */
343 	switch (cd->method) {
344 	case CRYPT_METHOD_DES_CBC_NULL:
345 		headspace += null_hash.hash_len + null_hash.confound_len;
346 		break;
347 	case CRYPT_METHOD_DES_CBC_CRC:
348 		headspace += crc32_hash.hash_len + crc32_hash.confound_len;
349 		break;
350 	case CRYPT_METHOD_DES_CBC_MD5:
351 		headspace += md5_hash.hash_len + md5_hash.confound_len;
352 		break;
353 	case CRYPT_METHOD_DES3_CBC_SHA1:
354 		headspace += sha1_hash.confound_len;
355 		break;
356 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
357 		headspace += md5_hash.hash_len + md5_hash.confound_len;
358 		break;
359 	case CRYPT_METHOD_AES128:
360 	case CRYPT_METHOD_AES256:
361 		headspace += DEFAULT_AES_BLOCKLEN;
362 		break;
363 	case CRYPT_METHOD_DES_CFB:
364 	case CRYPT_METHOD_NONE:
365 		break;
366 	}
367 
368 	return (headspace);
369 }
370 /*
371  * encrypt_size
372  *
373  * Calculate the resulting size when encrypting 'plainlen' bytes
374  * of data.
375  */
376 static size_t
377 encrypt_size(struct cipher_data_t *cd, size_t plainlen)
378 {
379 	size_t cipherlen;
380 
381 	switch (cd->method) {
382 	case CRYPT_METHOD_DES_CBC_NULL:
383 		cipherlen = (size_t)P2ROUNDUP(null_hash.hash_len +
384 					    plainlen, 8);
385 		break;
386 	case CRYPT_METHOD_DES_CBC_MD5:
387 		cipherlen = (size_t)P2ROUNDUP(md5_hash.hash_len +
388 					    md5_hash.confound_len +
389 					    plainlen, 8);
390 		break;
391 	case CRYPT_METHOD_DES_CBC_CRC:
392 		cipherlen = (size_t)P2ROUNDUP(crc32_hash.hash_len +
393 					    crc32_hash.confound_len +
394 					    plainlen, 8);
395 		break;
396 	case CRYPT_METHOD_DES3_CBC_SHA1:
397 		cipherlen = (size_t)P2ROUNDUP(sha1_hash.confound_len +
398 					    plainlen, 8) +
399 					    sha1_hash.hash_len;
400 		break;
401 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
402 		cipherlen = (size_t)P2ROUNDUP(md5_hash.confound_len +
403 				plainlen, 1) + md5_hash.hash_len;
404 		break;
405 	case CRYPT_METHOD_AES128:
406 	case CRYPT_METHOD_AES256:
407 		/* No roundup for AES-CBC-CTS */
408 		cipherlen = DEFAULT_AES_BLOCKLEN + plainlen +
409 			AES_TRUNCATED_HMAC_LEN;
410 		break;
411 	case CRYPT_METHOD_DES_CFB:
412 	case CRYPT_METHOD_NONE:
413 		cipherlen = plainlen;
414 		break;
415 	}
416 
417 	return (cipherlen);
418 }
419 
420 /*
421  * des_cfb_encrypt
422  *
423  * Encrypt the mblk data using DES with cipher feedback.
424  *
425  * Given that V[i] is the initial 64 bit vector, V[n] is the nth 64 bit
426  * vector, D[n] is the nth chunk of 64 bits of data to encrypt
427  * (decrypt), and O[n] is the nth chunk of 64 bits of encrypted
428  * (decrypted) data, then:
429  *
430  *  V[0] = DES(V[i], key)
431  *  O[n] = D[n] <exclusive or > V[n]
432  *  V[n+1] = DES(O[n], key)
433  *
434  * The size of the message being encrypted does not change in this
435  * algorithm, num_bytes in == num_bytes out.
436  */
437 static mblk_t *
438 des_cfb_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
439 {
440 	int savedbytes;
441 	char *iptr, *optr, *lastoutput;
442 
443 	lastoutput = optr = (char *)mp->b_rptr;
444 	iptr = (char *)mp->b_rptr;
445 	savedbytes = tmi->enc_data.bytes % CFB_BLKSZ;
446 
447 	while (iptr < (char *)mp->b_wptr) {
448 		/*
449 		 * Do DES-ECB.
450 		 * The first time this runs, the 'tmi->enc_data.block' will
451 		 * contain the initialization vector that should have been
452 		 * passed in with the SETUP ioctl.
453 		 *
454 		 * V[n] = DES(V[n-1], key)
455 		 */
456 		if (!(tmi->enc_data.bytes % CFB_BLKSZ)) {
457 			int retval = 0;
458 			retval = kef_crypt(&tmi->enc_data,
459 					tmi->enc_data.block,
460 					CRYPTO_DATA_RAW,
461 					tmi->enc_data.blocklen,
462 					CRYPT_ENCRYPT);
463 
464 			if (retval != CRYPTO_SUCCESS) {
465 #ifdef DEBUG
466 				cmn_err(CE_WARN, "des_cfb_encrypt: kef_crypt "
467 					"failed - error 0x%0x", retval);
468 #endif
469 				mp->b_datap->db_type = M_ERROR;
470 				mp->b_rptr = mp->b_datap->db_base;
471 				*mp->b_rptr = EIO;
472 				mp->b_wptr = mp->b_rptr + sizeof (char);
473 				freemsg(mp->b_cont);
474 				mp->b_cont = NULL;
475 				qreply(WR(q), mp);
476 				return (NULL);
477 			}
478 		}
479 
480 		/* O[n] = I[n] ^ V[n] */
481 		*(optr++) = *(iptr++) ^
482 		    tmi->enc_data.block[tmi->enc_data.bytes % CFB_BLKSZ];
483 
484 		tmi->enc_data.bytes++;
485 		/*
486 		 * Feedback the encrypted output as the input to next DES call.
487 		 */
488 		if (!(tmi->enc_data.bytes % CFB_BLKSZ)) {
489 			char *dbptr = tmi->enc_data.block;
490 			/*
491 			 * Get the last bits of input from the previous
492 			 * msg block that we haven't yet used as feedback input.
493 			 */
494 			if (savedbytes > 0) {
495 				bcopy(tmi->enc_data.saveblock,
496 				    dbptr, (size_t)savedbytes);
497 				dbptr += savedbytes;
498 			}
499 
500 			/*
501 			 * Now copy the correct bytes from the current input
502 			 * stream and update the 'lastoutput' ptr
503 			 */
504 			bcopy(lastoutput, dbptr,
505 				(size_t)(CFB_BLKSZ - savedbytes));
506 
507 			lastoutput += (CFB_BLKSZ - savedbytes);
508 			savedbytes = 0;
509 		}
510 	}
511 	/*
512 	 * If there are bytes of input here that we need in the next
513 	 * block to build an ivec, save them off here.
514 	 */
515 	if (lastoutput < optr) {
516 		bcopy(lastoutput,
517 		    tmi->enc_data.saveblock + savedbytes,
518 		    (uint_t)(optr - lastoutput));
519 	}
520 	return (mp);
521 }
522 
523 /*
524  * des_cfb_decrypt
525  *
526  * Decrypt the data in the mblk using DES in Cipher Feedback mode
527  *
528  * # bytes in == # bytes out, no padding, confounding, or hashing
529  * is added.
530  *
531  */
532 static mblk_t *
533 des_cfb_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
534 {
535 	uint_t len;
536 	uint_t savedbytes;
537 	char *iptr;
538 	char *lastinput;
539 	uint_t cp;
540 
541 	len = MBLKL(mp);
542 
543 	/* decrypted output goes into the new data buffer */
544 	lastinput = iptr = (char *)mp->b_rptr;
545 
546 	savedbytes = tmi->dec_data.bytes % tmi->dec_data.blocklen;
547 
548 	/*
549 	 * Save the input CFB_BLKSZ bytes at a time.
550 	 * We are trying to decrypt in-place, but need to keep
551 	 * a small sliding window of encrypted text to be
552 	 * used to construct the feedback buffer.
553 	 */
554 	cp = ((tmi->dec_data.blocklen - savedbytes) > len ? len :
555 		tmi->dec_data.blocklen - savedbytes);
556 
557 	bcopy(lastinput, tmi->dec_data.saveblock + savedbytes, cp);
558 	savedbytes += cp;
559 
560 	lastinput += cp;
561 
562 	while (iptr < (char *)mp->b_wptr) {
563 		/*
564 		 * Do DES-ECB.
565 		 * The first time this runs, the 'tmi->dec_data.block' will
566 		 * contain the initialization vector that should have been
567 		 * passed in with the SETUP ioctl.
568 		 */
569 		if (!(tmi->dec_data.bytes % CFB_BLKSZ)) {
570 			int retval;
571 			retval = kef_crypt(&tmi->dec_data,
572 					tmi->dec_data.block,
573 					CRYPTO_DATA_RAW,
574 					tmi->dec_data.blocklen,
575 					CRYPT_ENCRYPT);
576 
577 			if (retval != CRYPTO_SUCCESS) {
578 #ifdef DEBUG
579 				cmn_err(CE_WARN, "des_cfb_decrypt: kef_crypt "
580 					"failed - status 0x%0x", retval);
581 #endif
582 				mp->b_datap->db_type = M_ERROR;
583 				mp->b_rptr = mp->b_datap->db_base;
584 				*mp->b_rptr = EIO;
585 				mp->b_wptr = mp->b_rptr + sizeof (char);
586 				freemsg(mp->b_cont);
587 				mp->b_cont = NULL;
588 				qreply(WR(q), mp);
589 				return (NULL);
590 			}
591 		}
592 
593 		/*
594 		 * To decrypt, XOR the input with the output from the DES call
595 		 */
596 		*(iptr++) ^= tmi->dec_data.block[tmi->dec_data.bytes %
597 				CFB_BLKSZ];
598 
599 		tmi->dec_data.bytes++;
600 
601 		/*
602 		 * Feedback the encrypted input for next DES call.
603 		 */
604 		if (!(tmi->dec_data.bytes % tmi->dec_data.blocklen)) {
605 			char *dbptr = tmi->dec_data.block;
606 			/*
607 			 * Get the last bits of input from the previous block
608 			 * that we haven't yet processed.
609 			 */
610 			if (savedbytes > 0) {
611 				bcopy(tmi->dec_data.saveblock,
612 				    dbptr, savedbytes);
613 				dbptr += savedbytes;
614 			}
615 
616 			savedbytes = 0;
617 
618 			/*
619 			 * This block makes sure that our local
620 			 * buffer of input data is full and can
621 			 * be accessed from the beginning.
622 			 */
623 			if (lastinput < (char *)mp->b_wptr) {
624 
625 				/* How many bytes are left in the mblk? */
626 				cp = (((char *)mp->b_wptr - lastinput) >
627 					tmi->dec_data.blocklen ?
628 					tmi->dec_data.blocklen :
629 					(char *)mp->b_wptr - lastinput);
630 
631 				/* copy what we need */
632 				bcopy(lastinput, tmi->dec_data.saveblock,
633 					cp);
634 
635 				lastinput += cp;
636 				savedbytes = cp;
637 			}
638 		}
639 	}
640 
641 	return (mp);
642 }
643 
644 /*
645  * crc32_calc
646  *
647  * Compute a CRC32 checksum on the input
648  */
649 static int
650 crc32_calc(uchar_t *buf, uchar_t *input, uint_t len)
651 {
652 	uint32_t crc;
653 
654 	CRC32(crc, input, len, 0, crc32_table);
655 
656 	buf[0] = (uchar_t)(crc & 0xff);
657 	buf[1] = (uchar_t)((crc >> 8) & 0xff);
658 	buf[2] = (uchar_t)((crc >> 16) & 0xff);
659 	buf[3] = (uchar_t)((crc >> 24) & 0xff);
660 
661 	return (CRYPTO_SUCCESS);
662 }
663 
664 static int
665 kef_digest(crypto_mech_type_t digest_type,
666 	uchar_t *input, uint_t inlen,
667 	uchar_t *output, uint_t hashlen)
668 {
669 	iovec_t v1, v2;
670 	crypto_data_t d1, d2;
671 	crypto_mechanism_t mech;
672 	int rv;
673 
674 	mech.cm_type = digest_type;
675 	mech.cm_param = 0;
676 	mech.cm_param_len = 0;
677 
678 	v1.iov_base = (void *)input;
679 	v1.iov_len = inlen;
680 
681 	d1.cd_format = CRYPTO_DATA_RAW;
682 	d1.cd_offset = 0;
683 	d1.cd_length = v1.iov_len;
684 	d1.cd_raw = v1;
685 
686 	v2.iov_base = (void *)output;
687 	v2.iov_len = hashlen;
688 
689 	d2.cd_format = CRYPTO_DATA_RAW;
690 	d2.cd_offset = 0;
691 	d2.cd_length = v2.iov_len;
692 	d2.cd_raw = v2;
693 
694 	rv = crypto_digest(&mech, &d1, &d2, NULL);
695 
696 	return (rv);
697 }
698 
699 /*
700  * sha1_calc
701  *
702  * Get a SHA1 hash on the input data.
703  */
704 static int
705 sha1_calc(uchar_t *output, uchar_t *input, uint_t inlen)
706 {
707 	int rv;
708 
709 	rv = kef_digest(sha1_hash_mech, input, inlen, output, SHA1_HASHSIZE);
710 
711 	return (rv);
712 }
713 
714 /*
715  * Get an MD5 hash on the input data.
716  * md5_calc
717  *
718  */
719 static int
720 md5_calc(uchar_t *output, uchar_t *input, uint_t inlen)
721 {
722 	int rv;
723 
724 	rv = kef_digest(md5_hash_mech, input, inlen, output, MD5_HASHSIZE);
725 
726 	return (rv);
727 }
728 
729 /*
730  * nfold
731  * duplicate the functionality of the krb5_nfold function from
732  * the userland kerberos mech.
733  * This is needed to derive keys for use with 3DES/SHA1-HMAC
734  * ciphers.
735  */
736 static void
737 nfold(int inbits, uchar_t *in, int outbits, uchar_t *out)
738 {
739 	int a, b, c, lcm;
740 	int byte, i, msbit;
741 
742 	inbits >>= 3;
743 	outbits >>= 3;
744 
745 	/* first compute lcm(n,k) */
746 	a = outbits;
747 	b = inbits;
748 
749 	while (b != 0) {
750 		c = b;
751 		b = a%b;
752 		a = c;
753 	}
754 
755 	lcm = outbits*inbits/a;
756 
757 	/* now do the real work */
758 
759 	bzero(out, outbits);
760 	byte = 0;
761 
762 	/*
763 	 * Compute the msbit in k which gets added into this byte
764 	 * first, start with the msbit in the first, unrotated byte
765 	 * then, for each byte, shift to the right for each repetition
766 	 * last, pick out the correct byte within that shifted repetition
767 	 */
768 	for (i = lcm-1; i >= 0; i--) {
769 		msbit = (((inbits<<3)-1)
770 			+(((inbits<<3)+13)*(i/inbits))
771 			+((inbits-(i%inbits))<<3)) %(inbits<<3);
772 
773 		/* pull out the byte value itself */
774 		byte += (((in[((inbits-1)-(msbit>>3))%inbits]<<8)|
775 			(in[((inbits)-(msbit>>3))%inbits]))
776 			>>((msbit&7)+1))&0xff;
777 
778 		/* do the addition */
779 		byte += out[i%outbits];
780 		out[i%outbits] = byte&0xff;
781 
782 		byte >>= 8;
783 	}
784 
785 	/* if there's a carry bit left over, add it back in */
786 	if (byte) {
787 		for (i = outbits-1; i >= 0; i--) {
788 			/* do the addition */
789 			byte += out[i];
790 			out[i] = byte&0xff;
791 
792 			/* keep around the carry bit, if any */
793 			byte >>= 8;
794 		}
795 	}
796 }
797 
798 #define	smask(step) ((1<<step)-1)
799 #define	pstep(x, step) (((x)&smask(step))^(((x)>>step)&smask(step)))
800 #define	parity_char(x) pstep(pstep(pstep((x), 4), 2), 1)
801 
802 /*
803  * Duplicate the functionality of the "dk_derive_key" function
804  * in the Kerberos mechanism.
805  */
806 static int
807 derive_key(struct cipher_data_t *cdata, uchar_t *constdata,
808 	int constlen, char *dkey, int keybytes,
809 	int blocklen)
810 {
811 	int rv = 0;
812 	int n = 0, i;
813 	char *inblock;
814 	char *rawkey;
815 	char *zeroblock;
816 	char *saveblock;
817 
818 	inblock = kmem_zalloc(blocklen, KM_SLEEP);
819 	rawkey = kmem_zalloc(keybytes, KM_SLEEP);
820 	zeroblock = kmem_zalloc(blocklen, KM_SLEEP);
821 
822 	if (constlen == blocklen)
823 		bcopy(constdata, inblock, blocklen);
824 	else
825 		nfold(constlen * 8, constdata,
826 			blocklen * 8, (uchar_t *)inblock);
827 
828 	/*
829 	 * zeroblock is an IV of all 0's.
830 	 *
831 	 * The "block" section of the cdata record is used as the
832 	 * IV for crypto operations in the kef_crypt function.
833 	 *
834 	 * We use 'block' as a generic IV data buffer because it
835 	 * is attached to the stream state data and thus can
836 	 * be used to hold information that must carry over
837 	 * from processing of one mblk to another.
838 	 *
839 	 * Here, we save the current IV and replace it with
840 	 * and empty IV (all 0's) for use when deriving the
841 	 * keys.  Once the key derivation is done, we swap the
842 	 * old IV back into place.
843 	 */
844 	saveblock = cdata->block;
845 	cdata->block = zeroblock;
846 
847 	while (n < keybytes) {
848 		rv = kef_crypt(cdata, inblock, CRYPTO_DATA_RAW,
849 				blocklen, CRYPT_ENCRYPT);
850 		if (rv != CRYPTO_SUCCESS) {
851 			/* put the original IV block back in place */
852 			cdata->block = saveblock;
853 			cmn_err(CE_WARN, "failed to derive a key: %0x", rv);
854 			goto cleanup;
855 		}
856 
857 		if (keybytes - n < blocklen) {
858 			bcopy(inblock, rawkey+n, (keybytes-n));
859 			break;
860 		}
861 		bcopy(inblock, rawkey+n, blocklen);
862 		n += blocklen;
863 	}
864 	/* put the original IV block back in place */
865 	cdata->block = saveblock;
866 
867 	/* finally, make the key */
868 	if (cdata->method == CRYPT_METHOD_DES3_CBC_SHA1) {
869 		/*
870 		 * 3DES key derivation requires that we make sure the
871 		 * key has the proper parity.
872 		 */
873 		for (i = 0; i < 3; i++) {
874 			bcopy(rawkey+(i*7), dkey+(i*8), 7);
875 
876 			/* 'dkey' is our derived key output buffer */
877 			dkey[i*8+7] = (((dkey[i*8]&1)<<1) |
878 					((dkey[i*8+1]&1)<<2) |
879 					((dkey[i*8+2]&1)<<3) |
880 					((dkey[i*8+3]&1)<<4) |
881 					((dkey[i*8+4]&1)<<5) |
882 					((dkey[i*8+5]&1)<<6) |
883 					((dkey[i*8+6]&1)<<7));
884 
885 			for (n = 0; n < 8; n++) {
886 				dkey[i*8 + n] &=  0xfe;
887 				dkey[i*8 + n] |= 1^parity_char(dkey[i*8 + n]);
888 			}
889 		}
890 	} else if (IS_AES_METHOD(cdata->method)) {
891 		bcopy(rawkey, dkey, keybytes);
892 	}
893 cleanup:
894 	kmem_free(inblock, blocklen);
895 	kmem_free(zeroblock, blocklen);
896 	kmem_free(rawkey, keybytes);
897 	return (rv);
898 }
899 
900 /*
901  * create_derived_keys
902  *
903  * Algorithm for deriving a new key and an HMAC key
904  * before computing the 3DES-SHA1-HMAC operation on the plaintext
905  * This algorithm matches the work done by Kerberos mechanism
906  * in userland.
907  */
908 static int
909 create_derived_keys(struct cipher_data_t *cdata, uint32_t usage,
910 		crypto_key_t *enckey, crypto_key_t *hmackey)
911 {
912 	uchar_t constdata[K5CLENGTH];
913 	int keybytes;
914 	int rv;
915 
916 	constdata[0] = (usage>>24)&0xff;
917 	constdata[1] = (usage>>16)&0xff;
918 	constdata[2] = (usage>>8)&0xff;
919 	constdata[3] = usage & 0xff;
920 	/* Use "0xAA" for deriving encryption key */
921 	constdata[4] = 0xAA; /* from MIT Kerberos code */
922 
923 	enckey->ck_length = cdata->keylen * 8;
924 	enckey->ck_format = CRYPTO_KEY_RAW;
925 	enckey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP);
926 
927 	switch (cdata->method) {
928 		case CRYPT_METHOD_DES_CFB:
929 		case CRYPT_METHOD_DES_CBC_NULL:
930 		case CRYPT_METHOD_DES_CBC_MD5:
931 		case CRYPT_METHOD_DES_CBC_CRC:
932 			keybytes = 8;
933 			break;
934 		case CRYPT_METHOD_DES3_CBC_SHA1:
935 			keybytes = CRYPT_DES3_KEYBYTES;
936 			break;
937 		case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
938 		case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
939 			keybytes = CRYPT_ARCFOUR_KEYBYTES;
940 			break;
941 		case CRYPT_METHOD_AES128:
942 			keybytes = CRYPT_AES128_KEYBYTES;
943 			break;
944 		case CRYPT_METHOD_AES256:
945 			keybytes = CRYPT_AES256_KEYBYTES;
946 			break;
947 	}
948 
949 	/* derive main crypto key */
950 	rv = derive_key(cdata, constdata, sizeof (constdata),
951 		enckey->ck_data, keybytes, cdata->blocklen);
952 
953 	if (rv == CRYPTO_SUCCESS) {
954 
955 		/* Use "0x55" for deriving mac key */
956 		constdata[4] = 0x55;
957 
958 		hmackey->ck_length = cdata->keylen * 8;
959 		hmackey->ck_format = CRYPTO_KEY_RAW;
960 		hmackey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP);
961 
962 		rv = derive_key(cdata, constdata, sizeof (constdata),
963 				hmackey->ck_data, keybytes,
964 				cdata->blocklen);
965 	} else {
966 		cmn_err(CE_WARN, "failed to derive crypto key: %02x", rv);
967 	}
968 
969 	return (rv);
970 }
971 
972 /*
973  * Compute 3-DES crypto and HMAC.
974  */
975 static int
976 kef_decr_hmac(struct cipher_data_t *cdata,
977 	mblk_t *mp, int length,
978 	char *hmac, int hmaclen)
979 {
980 	int rv = CRYPTO_FAILED;
981 
982 	crypto_mechanism_t encr_mech;
983 	crypto_mechanism_t mac_mech;
984 	crypto_data_t dd;
985 	crypto_data_t mac;
986 	iovec_t v1;
987 
988 	ASSERT(cdata != NULL);
989 	ASSERT(mp != NULL);
990 	ASSERT(hmac != NULL);
991 
992 	bzero(&dd, sizeof (dd));
993 	dd.cd_format = CRYPTO_DATA_MBLK;
994 	dd.cd_offset = 0;
995 	dd.cd_length = length;
996 	dd.cd_mp = mp;
997 
998 	v1.iov_base = hmac;
999 	v1.iov_len = hmaclen;
1000 
1001 	mac.cd_format = CRYPTO_DATA_RAW;
1002 	mac.cd_offset = 0;
1003 	mac.cd_length = hmaclen;
1004 	mac.cd_raw = v1;
1005 
1006 	/*
1007 	 * cdata->block holds the IVEC
1008 	 */
1009 	encr_mech.cm_type = cdata->mech_type;
1010 	encr_mech.cm_param = cdata->block;
1011 
1012 	if (cdata->block != NULL)
1013 		encr_mech.cm_param_len = cdata->blocklen;
1014 	else
1015 		encr_mech.cm_param_len = 0;
1016 
1017 	rv = crypto_decrypt(&encr_mech, &dd, &cdata->d_encr_key,
1018 			cdata->enc_tmpl, NULL, NULL);
1019 	if (rv != CRYPTO_SUCCESS) {
1020 		cmn_err(CE_WARN, "crypto_decrypt failed: %0x", rv);
1021 		return (rv);
1022 	}
1023 
1024 	mac_mech.cm_type = sha1_hmac_mech;
1025 	mac_mech.cm_param = NULL;
1026 	mac_mech.cm_param_len = 0;
1027 
1028 	/*
1029 	 * Compute MAC of the plaintext decrypted above.
1030 	 */
1031 	rv = crypto_mac(&mac_mech, &dd, &cdata->d_hmac_key,
1032 			cdata->hmac_tmpl, &mac, NULL);
1033 
1034 	if (rv != CRYPTO_SUCCESS) {
1035 		cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
1036 	}
1037 
1038 	return (rv);
1039 }
1040 
1041 /*
1042  * Compute 3-DES crypto and HMAC.
1043  */
1044 static int
1045 kef_encr_hmac(struct cipher_data_t *cdata,
1046 	mblk_t *mp, int length,
1047 	char *hmac, int hmaclen)
1048 {
1049 	int rv = CRYPTO_FAILED;
1050 
1051 	crypto_mechanism_t encr_mech;
1052 	crypto_mechanism_t mac_mech;
1053 	crypto_data_t dd;
1054 	crypto_data_t mac;
1055 	iovec_t v1;
1056 
1057 	ASSERT(cdata != NULL);
1058 	ASSERT(mp != NULL);
1059 	ASSERT(hmac != NULL);
1060 
1061 	bzero(&dd, sizeof (dd));
1062 	dd.cd_format = CRYPTO_DATA_MBLK;
1063 	dd.cd_offset = 0;
1064 	dd.cd_length = length;
1065 	dd.cd_mp = mp;
1066 
1067 	v1.iov_base = hmac;
1068 	v1.iov_len = hmaclen;
1069 
1070 	mac.cd_format = CRYPTO_DATA_RAW;
1071 	mac.cd_offset = 0;
1072 	mac.cd_length = hmaclen;
1073 	mac.cd_raw = v1;
1074 
1075 	/*
1076 	 * cdata->block holds the IVEC
1077 	 */
1078 	encr_mech.cm_type = cdata->mech_type;
1079 	encr_mech.cm_param = cdata->block;
1080 
1081 	if (cdata->block != NULL)
1082 		encr_mech.cm_param_len = cdata->blocklen;
1083 	else
1084 		encr_mech.cm_param_len = 0;
1085 
1086 	mac_mech.cm_type = sha1_hmac_mech;
1087 	mac_mech.cm_param = NULL;
1088 	mac_mech.cm_param_len = 0;
1089 
1090 	rv = crypto_mac(&mac_mech, &dd, &cdata->d_hmac_key,
1091 			cdata->hmac_tmpl, &mac, NULL);
1092 
1093 	if (rv != CRYPTO_SUCCESS) {
1094 		cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
1095 		return (rv);
1096 	}
1097 
1098 	rv = crypto_encrypt(&encr_mech, &dd, &cdata->d_encr_key,
1099 			cdata->enc_tmpl, NULL, NULL);
1100 	if (rv != CRYPTO_SUCCESS) {
1101 		cmn_err(CE_WARN, "crypto_encrypt failed: %0x", rv);
1102 	}
1103 
1104 	return (rv);
1105 }
1106 
1107 /*
1108  * kef_crypt
1109  *
1110  * Use the Kernel encryption framework to provide the
1111  * crypto operations for the indicated data.
1112  */
1113 static int
1114 kef_crypt(struct cipher_data_t *cdata,
1115 	void *indata, crypto_data_format_t fmt,
1116 	size_t length, int mode)
1117 {
1118 	int rv = CRYPTO_FAILED;
1119 
1120 	crypto_mechanism_t mech;
1121 	crypto_key_t crkey;
1122 	iovec_t v1;
1123 	crypto_data_t d1;
1124 
1125 	ASSERT(cdata != NULL);
1126 	ASSERT(indata != NULL);
1127 	ASSERT(fmt == CRYPTO_DATA_RAW || fmt == CRYPTO_DATA_MBLK);
1128 
1129 	bzero(&crkey, sizeof (crkey));
1130 	bzero(&d1, sizeof (d1));
1131 
1132 	crkey.ck_format = CRYPTO_KEY_RAW;
1133 	crkey.ck_data =  cdata->key;
1134 
1135 	/* keys are measured in bits, not bytes, so multiply by 8 */
1136 	crkey.ck_length = cdata->keylen * 8;
1137 
1138 	if (fmt == CRYPTO_DATA_RAW) {
1139 		v1.iov_base = (char *)indata;
1140 		v1.iov_len = length;
1141 	}
1142 
1143 	d1.cd_format = fmt;
1144 	d1.cd_offset = 0;
1145 	d1.cd_length = length;
1146 	if (fmt == CRYPTO_DATA_RAW)
1147 		d1.cd_raw = v1;
1148 	else if (fmt == CRYPTO_DATA_MBLK)
1149 		d1.cd_mp = (mblk_t *)indata;
1150 
1151 	mech.cm_type = cdata->mech_type;
1152 	mech.cm_param = cdata->block;
1153 	/*
1154 	 * cdata->block holds the IVEC
1155 	 */
1156 	if (cdata->block != NULL)
1157 		mech.cm_param_len = cdata->blocklen;
1158 	else
1159 		mech.cm_param_len = 0;
1160 
1161 	/*
1162 	 * encrypt and decrypt in-place
1163 	 */
1164 	if (mode == CRYPT_ENCRYPT)
1165 		rv = crypto_encrypt(&mech, &d1, &crkey, NULL, NULL, NULL);
1166 	else
1167 		rv = crypto_decrypt(&mech, &d1, &crkey, NULL, NULL, NULL);
1168 
1169 	if (rv != CRYPTO_SUCCESS) {
1170 		cmn_err(CE_WARN, "%s returned error %08x",
1171 			(mode == CRYPT_ENCRYPT ? "crypto_encrypt" :
1172 				"crypto_decrypt"), rv);
1173 		return (CRYPTO_FAILED);
1174 	}
1175 
1176 	return (rv);
1177 }
1178 
1179 static int
1180 do_hmac(crypto_mech_type_t mech,
1181 	crypto_key_t *key,
1182 	char *data, int datalen,
1183 	char *hmac, int hmaclen)
1184 {
1185 	int rv = 0;
1186 	crypto_mechanism_t mac_mech;
1187 	crypto_data_t dd;
1188 	crypto_data_t mac;
1189 	iovec_t vdata, vmac;
1190 
1191 	mac_mech.cm_type = mech;
1192 	mac_mech.cm_param = NULL;
1193 	mac_mech.cm_param_len = 0;
1194 
1195 	vdata.iov_base = data;
1196 	vdata.iov_len = datalen;
1197 
1198 	bzero(&dd, sizeof (dd));
1199 	dd.cd_format = CRYPTO_DATA_RAW;
1200 	dd.cd_offset = 0;
1201 	dd.cd_length = datalen;
1202 	dd.cd_raw = vdata;
1203 
1204 	vmac.iov_base = hmac;
1205 	vmac.iov_len = hmaclen;
1206 
1207 	mac.cd_format = CRYPTO_DATA_RAW;
1208 	mac.cd_offset = 0;
1209 	mac.cd_length = hmaclen;
1210 	mac.cd_raw = vmac;
1211 
1212 	/*
1213 	 * Compute MAC of the plaintext decrypted above.
1214 	 */
1215 	rv = crypto_mac(&mac_mech, &dd, key, NULL, &mac, NULL);
1216 
1217 	if (rv != CRYPTO_SUCCESS) {
1218 		cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
1219 	}
1220 
1221 	return (rv);
1222 }
1223 
1224 #define	XOR_BLOCK(src, dst) \
1225 	(dst)[0] ^= (src)[0]; \
1226 	(dst)[1] ^= (src)[1]; \
1227 	(dst)[2] ^= (src)[2]; \
1228 	(dst)[3] ^= (src)[3]; \
1229 	(dst)[4] ^= (src)[4]; \
1230 	(dst)[5] ^= (src)[5]; \
1231 	(dst)[6] ^= (src)[6]; \
1232 	(dst)[7] ^= (src)[7]; \
1233 	(dst)[8] ^= (src)[8]; \
1234 	(dst)[9] ^= (src)[9]; \
1235 	(dst)[10] ^= (src)[10]; \
1236 	(dst)[11] ^= (src)[11]; \
1237 	(dst)[12] ^= (src)[12]; \
1238 	(dst)[13] ^= (src)[13]; \
1239 	(dst)[14] ^= (src)[14]; \
1240 	(dst)[15] ^= (src)[15]
1241 
1242 #define	xorblock(x, y) XOR_BLOCK(y, x)
1243 
1244 static int
1245 aes_cbc_cts_encrypt(struct tmodinfo *tmi, uchar_t *plain, size_t length)
1246 {
1247 	int result = CRYPTO_SUCCESS;
1248 	unsigned char tmp[DEFAULT_AES_BLOCKLEN];
1249 	unsigned char tmp2[DEFAULT_AES_BLOCKLEN];
1250 	unsigned char tmp3[DEFAULT_AES_BLOCKLEN];
1251 	int nblocks = 0, blockno;
1252 	crypto_data_t ct, pt;
1253 	crypto_mechanism_t mech;
1254 
1255 	mech.cm_type = tmi->enc_data.mech_type;
1256 	if (tmi->enc_data.ivlen > 0 && tmi->enc_data.ivec != NULL) {
1257 		bcopy(tmi->enc_data.ivec, tmp, DEFAULT_AES_BLOCKLEN);
1258 	} else {
1259 		bzero(tmp, sizeof (tmp));
1260 	}
1261 	mech.cm_param = NULL;
1262 	mech.cm_param_len = 0;
1263 
1264 	nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN;
1265 
1266 	bzero(&ct, sizeof (crypto_data_t));
1267 	bzero(&pt, sizeof (crypto_data_t));
1268 
1269 	if (nblocks == 1) {
1270 		pt.cd_format = CRYPTO_DATA_RAW;
1271 		pt.cd_length = length;
1272 		pt.cd_raw.iov_base = (char *)plain;
1273 		pt.cd_raw.iov_len = length;
1274 
1275 		result = crypto_encrypt(&mech, &pt,
1276 			&tmi->enc_data.d_encr_key, NULL, NULL, NULL);
1277 
1278 		if (result != CRYPTO_SUCCESS) {
1279 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1280 				"crypto_encrypt failed: %0x", result);
1281 		}
1282 	} else {
1283 		size_t nleft;
1284 
1285 		ct.cd_format = CRYPTO_DATA_RAW;
1286 		ct.cd_offset = 0;
1287 		ct.cd_length = DEFAULT_AES_BLOCKLEN;
1288 
1289 		pt.cd_format = CRYPTO_DATA_RAW;
1290 		pt.cd_offset = 0;
1291 		pt.cd_length = DEFAULT_AES_BLOCKLEN;
1292 
1293 		result = crypto_encrypt_init(&mech,
1294 				&tmi->enc_data.d_encr_key,
1295 				tmi->enc_data.enc_tmpl,
1296 				&tmi->enc_data.ctx, NULL);
1297 
1298 		if (result != CRYPTO_SUCCESS) {
1299 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1300 				"crypto_encrypt_init failed: %0x", result);
1301 			goto cleanup;
1302 		}
1303 
1304 		for (blockno = 0; blockno < nblocks - 2; blockno++) {
1305 			xorblock(tmp, plain + blockno * DEFAULT_AES_BLOCKLEN);
1306 
1307 			pt.cd_raw.iov_base = (char *)tmp;
1308 			pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1309 
1310 			ct.cd_raw.iov_base = (char *)plain +
1311 				blockno * DEFAULT_AES_BLOCKLEN;
1312 			ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1313 
1314 			result = crypto_encrypt_update(tmi->enc_data.ctx,
1315 					&pt, &ct, NULL);
1316 
1317 			if (result != CRYPTO_SUCCESS) {
1318 				cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1319 					"crypto_encrypt_update failed: %0x",
1320 					result);
1321 				goto cleanup;
1322 			}
1323 			/* copy result over original bytes */
1324 			/* make another copy for the next XOR step */
1325 			bcopy(plain + blockno * DEFAULT_AES_BLOCKLEN,
1326 				tmp, DEFAULT_AES_BLOCKLEN);
1327 		}
1328 		/* XOR cipher text from n-3 with plain text from n-2 */
1329 		xorblock(tmp, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN);
1330 
1331 		pt.cd_raw.iov_base = (char *)tmp;
1332 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1333 
1334 		ct.cd_raw.iov_base = (char *)tmp2;
1335 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1336 
1337 		/* encrypt XOR-ed block N-2 */
1338 		result = crypto_encrypt_update(tmi->enc_data.ctx,
1339 				&pt, &ct, NULL);
1340 		if (result != CRYPTO_SUCCESS) {
1341 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1342 				"crypto_encrypt_update(2) failed: %0x",
1343 				result);
1344 			goto cleanup;
1345 		}
1346 		nleft = length - (nblocks - 1) * DEFAULT_AES_BLOCKLEN;
1347 
1348 		bzero(tmp3, sizeof (tmp3));
1349 		/* Save final plaintext bytes from n-1 */
1350 		bcopy(plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3,
1351 			nleft);
1352 
1353 		/* Overwrite n-1 with cipher text from n-2 */
1354 		bcopy(tmp2, plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN,
1355 			nleft);
1356 
1357 		bcopy(tmp2, tmp, DEFAULT_AES_BLOCKLEN);
1358 		/* XOR cipher text from n-1 with plain text from n-1 */
1359 		xorblock(tmp, tmp3);
1360 
1361 		pt.cd_raw.iov_base = (char *)tmp;
1362 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1363 
1364 		ct.cd_raw.iov_base = (char *)tmp2;
1365 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1366 
1367 		/* encrypt block N-2 */
1368 		result = crypto_encrypt_update(tmi->enc_data.ctx,
1369 			&pt, &ct, NULL);
1370 
1371 		if (result != CRYPTO_SUCCESS) {
1372 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1373 				"crypto_encrypt_update(3) failed: %0x",
1374 				result);
1375 			goto cleanup;
1376 		}
1377 
1378 		bcopy(tmp2, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
1379 			DEFAULT_AES_BLOCKLEN);
1380 
1381 
1382 		ct.cd_raw.iov_base = (char *)tmp2;
1383 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1384 
1385 		/*
1386 		 * Ignore the output on the final step.
1387 		 */
1388 		result = crypto_encrypt_final(tmi->enc_data.ctx, &ct, NULL);
1389 		if (result != CRYPTO_SUCCESS) {
1390 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1391 				"crypto_encrypt_final(3) failed: %0x",
1392 				result);
1393 		}
1394 		tmi->enc_data.ctx = NULL;
1395 	}
1396 cleanup:
1397 	bzero(tmp, sizeof (tmp));
1398 	bzero(tmp2, sizeof (tmp));
1399 	bzero(tmp3, sizeof (tmp));
1400 	bzero(tmi->enc_data.block, tmi->enc_data.blocklen);
1401 	return (result);
1402 }
1403 
1404 static int
1405 aes_cbc_cts_decrypt(struct tmodinfo *tmi, uchar_t *buff, size_t length)
1406 {
1407 	int result = CRYPTO_SUCCESS;
1408 	unsigned char tmp[DEFAULT_AES_BLOCKLEN];
1409 	unsigned char tmp2[DEFAULT_AES_BLOCKLEN];
1410 	unsigned char tmp3[DEFAULT_AES_BLOCKLEN];
1411 	int nblocks = 0, blockno;
1412 	crypto_data_t ct, pt;
1413 	crypto_mechanism_t mech;
1414 
1415 	mech.cm_type = tmi->enc_data.mech_type;
1416 
1417 	if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
1418 	    tmi->dec_data.ivlen > 0 && tmi->dec_data.ivec != NULL) {
1419 		bcopy(tmi->dec_data.ivec, tmp, DEFAULT_AES_BLOCKLEN);
1420 	} else {
1421 		bzero(tmp, sizeof (tmp));
1422 	}
1423 	mech.cm_param_len = 0;
1424 	mech.cm_param = NULL;
1425 
1426 	nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN;
1427 
1428 	bzero(&pt, sizeof (pt));
1429 	bzero(&ct, sizeof (ct));
1430 
1431 	if (nblocks == 1) {
1432 		ct.cd_format = CRYPTO_DATA_RAW;
1433 		ct.cd_length = length;
1434 		ct.cd_raw.iov_base = (char *)buff;
1435 		ct.cd_raw.iov_len = length;
1436 
1437 		result = crypto_decrypt(&mech, &ct,
1438 			&tmi->dec_data.d_encr_key, NULL, NULL, NULL);
1439 
1440 		if (result != CRYPTO_SUCCESS) {
1441 			cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1442 				"crypto_decrypt failed: %0x", result);
1443 			goto cleanup;
1444 		}
1445 	} else {
1446 		ct.cd_format = CRYPTO_DATA_RAW;
1447 		ct.cd_offset = 0;
1448 		ct.cd_length = DEFAULT_AES_BLOCKLEN;
1449 
1450 		pt.cd_format = CRYPTO_DATA_RAW;
1451 		pt.cd_offset = 0;
1452 		pt.cd_length = DEFAULT_AES_BLOCKLEN;
1453 
1454 		result = crypto_decrypt_init(&mech,
1455 				&tmi->dec_data.d_encr_key,
1456 				tmi->dec_data.enc_tmpl,
1457 				&tmi->dec_data.ctx, NULL);
1458 
1459 		if (result != CRYPTO_SUCCESS) {
1460 			cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1461 				"crypto_decrypt_init failed: %0x", result);
1462 			goto cleanup;
1463 		}
1464 		for (blockno = 0; blockno < nblocks - 2; blockno++) {
1465 			ct.cd_raw.iov_base = (char *)buff +
1466 				(blockno * DEFAULT_AES_BLOCKLEN);
1467 			ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1468 
1469 			pt.cd_raw.iov_base = (char *)tmp2;
1470 			pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1471 
1472 			/*
1473 			 * Save the input to the decrypt so it can
1474 			 * be used later for an XOR operation
1475 			 */
1476 			bcopy(buff + (blockno * DEFAULT_AES_BLOCKLEN),
1477 				tmi->dec_data.block, DEFAULT_AES_BLOCKLEN);
1478 
1479 			result = crypto_decrypt_update(tmi->dec_data.ctx,
1480 					&ct, &pt, NULL);
1481 			if (result != CRYPTO_SUCCESS) {
1482 				cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1483 					"crypto_decrypt_update(1) error - "
1484 					"result = 0x%08x", result);
1485 				goto cleanup;
1486 			}
1487 			xorblock(tmp2, tmp);
1488 			bcopy(tmp2, buff + blockno * DEFAULT_AES_BLOCKLEN,
1489 				DEFAULT_AES_BLOCKLEN);
1490 			/*
1491 			 * The original cipher text is used as the xor
1492 			 * for the next block, save it here.
1493 			 */
1494 			bcopy(tmi->dec_data.block, tmp, DEFAULT_AES_BLOCKLEN);
1495 		}
1496 		ct.cd_raw.iov_base = (char *)buff +
1497 			((nblocks - 2) * DEFAULT_AES_BLOCKLEN);
1498 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1499 		pt.cd_raw.iov_base = (char *)tmp2;
1500 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1501 
1502 		result = crypto_decrypt_update(tmi->dec_data.ctx,
1503 				&ct, &pt, NULL);
1504 		if (result != CRYPTO_SUCCESS) {
1505 			cmn_err(CE_WARN,
1506 				"aes_cbc_cts_decrypt: "
1507 				"crypto_decrypt_update(2) error -"
1508 				" result = 0x%08x", result);
1509 			goto cleanup;
1510 		}
1511 		bzero(tmp3, sizeof (tmp3));
1512 		bcopy(buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3,
1513 			length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));
1514 
1515 		xorblock(tmp2, tmp3);
1516 		bcopy(tmp2, buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN,
1517 			length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));
1518 
1519 		/* 2nd to last block ... */
1520 		bcopy(tmp3, tmp2,
1521 			length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));
1522 
1523 		ct.cd_raw.iov_base = (char *)tmp2;
1524 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1525 		pt.cd_raw.iov_base = (char *)tmp3;
1526 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1527 
1528 		result = crypto_decrypt_update(tmi->dec_data.ctx,
1529 				&ct, &pt, NULL);
1530 		if (result != CRYPTO_SUCCESS) {
1531 			cmn_err(CE_WARN,
1532 				"aes_cbc_cts_decrypt: "
1533 				"crypto_decrypt_update(3) error - "
1534 				"result = 0x%08x", result);
1535 			goto cleanup;
1536 		}
1537 		xorblock(tmp3, tmp);
1538 
1539 
1540 		/* Finally, update the 2nd to last block and we are done. */
1541 		bcopy(tmp3, buff + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
1542 			DEFAULT_AES_BLOCKLEN);
1543 
1544 		/* Do Final step, but ignore output */
1545 		pt.cd_raw.iov_base = (char *)tmp2;
1546 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1547 		result = crypto_decrypt_final(tmi->dec_data.ctx, &pt, NULL);
1548 		if (result != CRYPTO_SUCCESS) {
1549 			cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1550 				"crypto_decrypt_final error - "
1551 				"result = 0x%0x", result);
1552 		}
1553 		tmi->dec_data.ctx = NULL;
1554 	}
1555 
1556 cleanup:
1557 	bzero(tmp, sizeof (tmp));
1558 	bzero(tmp2, sizeof (tmp));
1559 	bzero(tmp3, sizeof (tmp));
1560 	bzero(tmi->dec_data.block, tmi->dec_data.blocklen);
1561 	return (result);
1562 }
1563 
1564 /*
1565  * AES decrypt
1566  *
1567  * format of ciphertext when using AES
1568  *  +-------------+------------+------------+
1569  *  |  confounder | msg-data   |  hmac      |
1570  *  +-------------+------------+------------+
1571  */
1572 static mblk_t *
1573 aes_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1574 	hash_info_t *hash)
1575 {
1576 	int result;
1577 	size_t enclen;
1578 	size_t inlen;
1579 	uchar_t hmacbuff[64];
1580 	uchar_t tmpiv[DEFAULT_AES_BLOCKLEN];
1581 
1582 	inlen = (size_t)MBLKL(mp);
1583 
1584 	enclen = inlen - AES_TRUNCATED_HMAC_LEN;
1585 	if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
1586 		tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0) {
1587 		int nblocks = (enclen + DEFAULT_AES_BLOCKLEN - 1) /
1588 				DEFAULT_AES_BLOCKLEN;
1589 		bcopy(mp->b_rptr + DEFAULT_AES_BLOCKLEN * (nblocks - 2),
1590 			tmpiv, DEFAULT_AES_BLOCKLEN);
1591 	}
1592 
1593 	/* AES Decrypt */
1594 	result = aes_cbc_cts_decrypt(tmi, mp->b_rptr, enclen);
1595 
1596 	if (result != CRYPTO_SUCCESS) {
1597 		cmn_err(CE_WARN,
1598 			"aes_decrypt:  aes_cbc_cts_decrypt "
1599 			"failed - error %0x", result);
1600 		goto cleanup;
1601 	}
1602 
1603 	/* Verify the HMAC */
1604 	result = do_hmac(sha1_hmac_mech,
1605 			&tmi->dec_data.d_hmac_key,
1606 			(char *)mp->b_rptr, enclen,
1607 			(char *)hmacbuff, hash->hash_len);
1608 
1609 	if (result != CRYPTO_SUCCESS) {
1610 		cmn_err(CE_WARN,
1611 			"aes_decrypt:  do_hmac failed - error %0x", result);
1612 		goto cleanup;
1613 	}
1614 
1615 	if (bcmp(hmacbuff, mp->b_rptr + enclen,
1616 		AES_TRUNCATED_HMAC_LEN) != 0) {
1617 		result = -1;
1618 		cmn_err(CE_WARN, "aes_decrypt: checksum verification failed");
1619 		goto cleanup;
1620 	}
1621 
1622 	/* truncate the mblk at the end of the decrypted text */
1623 	mp->b_wptr = mp->b_rptr + enclen;
1624 
1625 	/* Adjust the beginning of the buffer to skip the confounder */
1626 	mp->b_rptr += DEFAULT_AES_BLOCKLEN;
1627 
1628 	if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
1629 		tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0)
1630 		bcopy(tmpiv, tmi->dec_data.ivec, DEFAULT_AES_BLOCKLEN);
1631 
1632 cleanup:
1633 	if (result != CRYPTO_SUCCESS) {
1634 		mp->b_datap->db_type = M_ERROR;
1635 		mp->b_rptr = mp->b_datap->db_base;
1636 		*mp->b_rptr = EIO;
1637 		mp->b_wptr = mp->b_rptr + sizeof (char);
1638 		freemsg(mp->b_cont);
1639 		mp->b_cont = NULL;
1640 		qreply(WR(q), mp);
1641 		return (NULL);
1642 	}
1643 	return (mp);
1644 }
1645 
1646 /*
1647  * AES encrypt
1648  *
1649  * format of ciphertext when using AES
1650  *  +-------------+------------+------------+
1651  *  |  confounder | msg-data   |  hmac      |
1652  *  +-------------+------------+------------+
1653  */
1654 static mblk_t *
1655 aes_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1656 	hash_info_t *hash)
1657 {
1658 	int result;
1659 	size_t cipherlen;
1660 	size_t inlen;
1661 	uchar_t hmacbuff[64];
1662 
1663 	inlen = (size_t)MBLKL(mp);
1664 
1665 	cipherlen = encrypt_size(&tmi->enc_data, inlen);
1666 
1667 	ASSERT(MBLKSIZE(mp) >= cipherlen);
1668 
1669 	/*
1670 	 * Shift the rptr back enough to insert the confounder.
1671 	 */
1672 	mp->b_rptr -= DEFAULT_AES_BLOCKLEN;
1673 
1674 	/* Get random data for confounder */
1675 	(void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr,
1676 		DEFAULT_AES_BLOCKLEN);
1677 
1678 	/*
1679 	 * Because we encrypt in-place, we need to calculate
1680 	 * the HMAC of the plaintext now, then stick it on
1681 	 * the end of the ciphertext down below.
1682 	 */
1683 	result = do_hmac(sha1_hmac_mech,
1684 			&tmi->enc_data.d_hmac_key,
1685 			(char *)mp->b_rptr, DEFAULT_AES_BLOCKLEN + inlen,
1686 			(char *)hmacbuff, hash->hash_len);
1687 
1688 	if (result != CRYPTO_SUCCESS) {
1689 		cmn_err(CE_WARN, "aes_encrypt:  do_hmac failed - error %0x",
1690 			result);
1691 		goto cleanup;
1692 	}
1693 	/* Encrypt using AES-CBC-CTS */
1694 	result = aes_cbc_cts_encrypt(tmi, mp->b_rptr,
1695 		inlen + DEFAULT_AES_BLOCKLEN);
1696 
1697 	if (result != CRYPTO_SUCCESS) {
1698 		cmn_err(CE_WARN, "aes_encrypt:  aes_cbc_cts_encrypt "
1699 			"failed - error %0x", result);
1700 		goto cleanup;
1701 	}
1702 
1703 	/* copy the truncated HMAC to the end of the mblk */
1704 	bcopy(hmacbuff, mp->b_rptr + DEFAULT_AES_BLOCKLEN + inlen,
1705 		AES_TRUNCATED_HMAC_LEN);
1706 
1707 	mp->b_wptr = mp->b_rptr + cipherlen;
1708 
1709 	/*
1710 	 * The final block of cipher text (not the HMAC) is used
1711 	 * as the next IV.
1712 	 */
1713 	if (tmi->enc_data.ivec_usage != IVEC_NEVER &&
1714 	    tmi->enc_data.ivec != NULL) {
1715 		int nblocks = (inlen + 2 * DEFAULT_AES_BLOCKLEN - 1) /
1716 			DEFAULT_AES_BLOCKLEN;
1717 
1718 		bcopy(mp->b_rptr + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
1719 			tmi->enc_data.ivec, DEFAULT_AES_BLOCKLEN);
1720 	}
1721 
1722 cleanup:
1723 	if (result != CRYPTO_SUCCESS) {
1724 		mp->b_datap->db_type = M_ERROR;
1725 		mp->b_rptr = mp->b_datap->db_base;
1726 		*mp->b_rptr = EIO;
1727 		mp->b_wptr = mp->b_rptr + sizeof (char);
1728 		freemsg(mp->b_cont);
1729 		mp->b_cont = NULL;
1730 		qreply(WR(q), mp);
1731 		return (NULL);
1732 	}
1733 	return (mp);
1734 }
1735 
1736 /*
1737  * ARCFOUR-HMAC-MD5 decrypt
1738  *
1739  * format of ciphertext when using ARCFOUR-HMAC-MD5
1740  *  +-----------+------------+------------+
1741  *  |  hmac     | confounder |  msg-data  |
1742  *  +-----------+------------+------------+
1743  *
1744  */
1745 static mblk_t *
1746 arcfour_hmac_md5_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1747 			hash_info_t *hash)
1748 {
1749 	int result;
1750 	size_t cipherlen;
1751 	size_t inlen;
1752 	size_t saltlen;
1753 	crypto_key_t k1, k2;
1754 	crypto_data_t indata;
1755 	iovec_t v1;
1756 	uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab,
1757 				0xab, 0xab, 0xab, 0xab };
1758 	uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES];
1759 	uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES];
1760 	uchar_t cksum[MD5_HASHSIZE];
1761 	uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES];
1762 	crypto_mechanism_t mech;
1763 	int usage;
1764 
1765 	/* The usage constant is 1026 for all "old" rcmd mode operations */
1766 	if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1)
1767 		usage = RCMDV1_USAGE;
1768 	else
1769 		usage = ARCFOUR_DECRYPT_USAGE;
1770 
1771 	/*
1772 	 * The size at this point should be the size of
1773 	 * all the plaintext plus the optional plaintext length
1774 	 * needed for RCMD V2 mode.  There should also be room
1775 	 * at the head of the mblk for the confounder and hash info.
1776 	 */
1777 	inlen = (size_t)MBLKL(mp);
1778 
1779 	/*
1780 	 * The cipherlen does not include the HMAC at the
1781 	 * head of the buffer.
1782 	 */
1783 	cipherlen = inlen - hash->hash_len;
1784 
1785 	ASSERT(MBLKSIZE(mp) >= cipherlen);
1786 	if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
1787 		bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT));
1788 		saltdata[9] = 0;
1789 		saltdata[10] = usage & 0xff;
1790 		saltdata[11] = (usage >> 8) & 0xff;
1791 		saltdata[12] = (usage >> 16) & 0xff;
1792 		saltdata[13] = (usage >> 24) & 0xff;
1793 		saltlen = 14;
1794 	} else {
1795 		saltdata[0] = usage & 0xff;
1796 		saltdata[1] = (usage >> 8) & 0xff;
1797 		saltdata[2] = (usage >> 16) & 0xff;
1798 		saltdata[3] = (usage >> 24) & 0xff;
1799 		saltlen = 4;
1800 	}
1801 	/*
1802 	 * Use the salt value to create a key to be used
1803 	 * for subsequent HMAC operations.
1804 	 */
1805 	result = do_hmac(md5_hmac_mech,
1806 			tmi->dec_data.ckey,
1807 			(char *)saltdata, saltlen,
1808 			(char *)k1data, sizeof (k1data));
1809 	if (result != CRYPTO_SUCCESS) {
1810 		cmn_err(CE_WARN,
1811 			"arcfour_hmac_md5_decrypt:  do_hmac(k1)"
1812 			"failed - error %0x", result);
1813 		goto cleanup;
1814 	}
1815 	bcopy(k1data, k2data, sizeof (k1data));
1816 
1817 	/*
1818 	 * For the neutered MS RC4 encryption type,
1819 	 * set the trailing 9 bytes to 0xab per the
1820 	 * RC4-HMAC spec.
1821 	 */
1822 	if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
1823 		bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp));
1824 	}
1825 
1826 	mech.cm_type = tmi->dec_data.mech_type;
1827 	mech.cm_param = NULL;
1828 	mech.cm_param_len = 0;
1829 
1830 	/*
1831 	 * If we have not yet initialized the decryption key,
1832 	 * context, and template, do it now.
1833 	 */
1834 	if (tmi->dec_data.ctx == NULL ||
1835 	    (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) {
1836 		k1.ck_format = CRYPTO_KEY_RAW;
1837 		k1.ck_length = CRYPT_ARCFOUR_KEYBYTES * 8;
1838 		k1.ck_data = k1data;
1839 
1840 		tmi->dec_data.d_encr_key.ck_format = CRYPTO_KEY_RAW;
1841 		tmi->dec_data.d_encr_key.ck_length = k1.ck_length;
1842 		if (tmi->dec_data.d_encr_key.ck_data == NULL)
1843 			tmi->dec_data.d_encr_key.ck_data = kmem_zalloc(
1844 				CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP);
1845 
1846 		/*
1847 		 * HMAC operation creates the encryption
1848 		 * key to be used for the decrypt operations.
1849 		 */
1850 		result = do_hmac(md5_hmac_mech, &k1,
1851 			(char *)mp->b_rptr, hash->hash_len,
1852 			(char *)tmi->dec_data.d_encr_key.ck_data,
1853 			CRYPT_ARCFOUR_KEYBYTES);
1854 
1855 
1856 		if (result != CRYPTO_SUCCESS) {
1857 			cmn_err(CE_WARN,
1858 				"arcfour_hmac_md5_decrypt:  do_hmac(k3)"
1859 				"failed - error %0x", result);
1860 			goto cleanup;
1861 		}
1862 	}
1863 
1864 	tmi->dec_data.enc_tmpl = NULL;
1865 
1866 	if (tmi->dec_data.ctx == NULL &&
1867 	    (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) {
1868 		/*
1869 		 * Only create a template if we are doing
1870 		 * chaining from block to block.
1871 		 */
1872 		result = crypto_create_ctx_template(&mech,
1873 			&tmi->dec_data.d_encr_key,
1874 			&tmi->dec_data.enc_tmpl,
1875 			KM_SLEEP);
1876 		if (result == CRYPTO_NOT_SUPPORTED) {
1877 			tmi->dec_data.enc_tmpl = NULL;
1878 		} else if (result != CRYPTO_SUCCESS) {
1879 			cmn_err(CE_WARN,
1880 				"arcfour_hmac_md5_decrypt:  "
1881 				"failed to create dec template "
1882 				"for RC4 encrypt: %0x", result);
1883 			goto cleanup;
1884 		}
1885 
1886 		result = crypto_decrypt_init(&mech,
1887 			&tmi->dec_data.d_encr_key,
1888 			tmi->dec_data.enc_tmpl,
1889 			&tmi->dec_data.ctx, NULL);
1890 
1891 		if (result != CRYPTO_SUCCESS) {
1892 			cmn_err(CE_WARN, "crypto_decrypt_init failed:"
1893 				" %0x", result);
1894 			goto cleanup;
1895 		}
1896 	}
1897 
1898 	/* adjust the rptr so we don't decrypt the original hmac field */
1899 
1900 	v1.iov_base = (char *)mp->b_rptr + hash->hash_len;
1901 	v1.iov_len = cipherlen;
1902 
1903 	indata.cd_format = CRYPTO_DATA_RAW;
1904 	indata.cd_offset = 0;
1905 	indata.cd_length = cipherlen;
1906 	indata.cd_raw = v1;
1907 
1908 	if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
1909 		result = crypto_decrypt_update(tmi->dec_data.ctx,
1910 			&indata, NULL, NULL);
1911 	else
1912 		result = crypto_decrypt(&mech, &indata,
1913 			&tmi->dec_data.d_encr_key, NULL, NULL, NULL);
1914 
1915 	if (result != CRYPTO_SUCCESS) {
1916 		cmn_err(CE_WARN, "crypto_decrypt_update failed:"
1917 			" %0x", result);
1918 		goto cleanup;
1919 	}
1920 
1921 	k2.ck_format = CRYPTO_KEY_RAW;
1922 	k2.ck_length = sizeof (k2data) * 8;
1923 	k2.ck_data = k2data;
1924 
1925 	result = do_hmac(md5_hmac_mech,
1926 			&k2,
1927 			(char *)mp->b_rptr + hash->hash_len, cipherlen,
1928 			(char *)cksum, hash->hash_len);
1929 
1930 	if (result != CRYPTO_SUCCESS) {
1931 		cmn_err(CE_WARN,
1932 			"arcfour_hmac_md5_decrypt:  do_hmac(k2)"
1933 			"failed - error %0x", result);
1934 		goto cleanup;
1935 	}
1936 
1937 	if (bcmp(cksum, mp->b_rptr, hash->hash_len) != 0) {
1938 		cmn_err(CE_WARN, "arcfour_decrypt HMAC comparison failed");
1939 		result = -1;
1940 		goto cleanup;
1941 	}
1942 
1943 	/*
1944 	 * adjust the start of the mblk to skip over the
1945 	 * hash and confounder.
1946 	 */
1947 	mp->b_rptr += hash->hash_len + hash->confound_len;
1948 
1949 cleanup:
1950 	bzero(k1data, sizeof (k1data));
1951 	bzero(k2data, sizeof (k2data));
1952 	bzero(cksum, sizeof (cksum));
1953 	bzero(saltdata, sizeof (saltdata));
1954 	if (result != CRYPTO_SUCCESS) {
1955 		mp->b_datap->db_type = M_ERROR;
1956 		mp->b_rptr = mp->b_datap->db_base;
1957 		*mp->b_rptr = EIO;
1958 		mp->b_wptr = mp->b_rptr + sizeof (char);
1959 		freemsg(mp->b_cont);
1960 		mp->b_cont = NULL;
1961 		qreply(WR(q), mp);
1962 		return (NULL);
1963 	}
1964 	return (mp);
1965 }
1966 
1967 /*
1968  * ARCFOUR-HMAC-MD5 encrypt
1969  *
1970  * format of ciphertext when using ARCFOUR-HMAC-MD5
1971  *  +-----------+------------+------------+
1972  *  |  hmac     | confounder |  msg-data  |
1973  *  +-----------+------------+------------+
1974  *
1975  */
1976 static mblk_t *
1977 arcfour_hmac_md5_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1978 			hash_info_t *hash)
1979 {
1980 	int result;
1981 	size_t cipherlen;
1982 	size_t inlen;
1983 	size_t saltlen;
1984 	crypto_key_t k1, k2;
1985 	crypto_data_t indata;
1986 	iovec_t v1;
1987 	uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab,
1988 				0xab, 0xab, 0xab, 0xab };
1989 	uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES];
1990 	uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES];
1991 	uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES];
1992 	crypto_mechanism_t mech;
1993 	int usage;
1994 
1995 	bzero(&indata, sizeof (indata));
1996 
1997 	/* The usage constant is 1026 for all "old" rcmd mode operations */
1998 	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1)
1999 		usage = RCMDV1_USAGE;
2000 	else
2001 		usage = ARCFOUR_ENCRYPT_USAGE;
2002 
2003 	mech.cm_type = tmi->enc_data.mech_type;
2004 	mech.cm_param = NULL;
2005 	mech.cm_param_len = 0;
2006 
2007 	/*
2008 	 * The size at this point should be the size of
2009 	 * all the plaintext plus the optional plaintext length
2010 	 * needed for RCMD V2 mode.  There should also be room
2011 	 * at the head of the mblk for the confounder and hash info.
2012 	 */
2013 	inlen = (size_t)MBLKL(mp);
2014 
2015 	cipherlen = encrypt_size(&tmi->enc_data, inlen);
2016 
2017 	ASSERT(MBLKSIZE(mp) >= cipherlen);
2018 
2019 	/*
2020 	 * Shift the rptr back enough to insert
2021 	 * the confounder and hash.
2022 	 */
2023 	mp->b_rptr -= (hash->confound_len + hash->hash_len);
2024 
2025 	/* zero out the hash area */
2026 	bzero(mp->b_rptr, (size_t)hash->hash_len);
2027 
2028 	if (cipherlen > inlen) {
2029 		bzero(mp->b_wptr, MBLKTAIL(mp));
2030 	}
2031 
2032 	if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
2033 		bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT));
2034 		saltdata[9] = 0;
2035 		saltdata[10] = usage & 0xff;
2036 		saltdata[11] = (usage >> 8) & 0xff;
2037 		saltdata[12] = (usage >> 16) & 0xff;
2038 		saltdata[13] = (usage >> 24) & 0xff;
2039 		saltlen = 14;
2040 	} else {
2041 		saltdata[0] = usage & 0xff;
2042 		saltdata[1] = (usage >> 8) & 0xff;
2043 		saltdata[2] = (usage >> 16) & 0xff;
2044 		saltdata[3] = (usage >> 24) & 0xff;
2045 		saltlen = 4;
2046 	}
2047 	/*
2048 	 * Use the salt value to create a key to be used
2049 	 * for subsequent HMAC operations.
2050 	 */
2051 	result = do_hmac(md5_hmac_mech,
2052 			tmi->enc_data.ckey,
2053 			(char *)saltdata, saltlen,
2054 			(char *)k1data, sizeof (k1data));
2055 	if (result != CRYPTO_SUCCESS) {
2056 		cmn_err(CE_WARN,
2057 			"arcfour_hmac_md5_encrypt:  do_hmac(k1)"
2058 			"failed - error %0x", result);
2059 		goto cleanup;
2060 	}
2061 
2062 	bcopy(k1data, k2data, sizeof (k2data));
2063 
2064 	/*
2065 	 * For the neutered MS RC4 encryption type,
2066 	 * set the trailing 9 bytes to 0xab per the
2067 	 * RC4-HMAC spec.
2068 	 */
2069 	if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
2070 		bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp));
2071 	}
2072 
2073 	/*
2074 	 * Get the confounder bytes.
2075 	 */
2076 	(void) random_get_pseudo_bytes(
2077 			(uint8_t *)(mp->b_rptr + hash->hash_len),
2078 			(size_t)hash->confound_len);
2079 
2080 	k2.ck_data = k2data;
2081 	k2.ck_format = CRYPTO_KEY_RAW;
2082 	k2.ck_length = sizeof (k2data) * 8;
2083 
2084 	/*
2085 	 * This writes the HMAC to the hash area in the
2086 	 * mblk.  The key used is the one just created by
2087 	 * the previous HMAC operation.
2088 	 * The data being processed is the confounder bytes
2089 	 * PLUS the input plaintext.
2090 	 */
2091 	result = do_hmac(md5_hmac_mech, &k2,
2092 			(char *)mp->b_rptr + hash->hash_len,
2093 			hash->confound_len + inlen,
2094 			(char *)mp->b_rptr, hash->hash_len);
2095 	if (result != CRYPTO_SUCCESS) {
2096 		cmn_err(CE_WARN,
2097 			"arcfour_hmac_md5_encrypt:  do_hmac(k2)"
2098 			"failed - error %0x", result);
2099 		goto cleanup;
2100 	}
2101 	/*
2102 	 * Because of the odd way that MIT uses RC4 keys
2103 	 * on the rlogin stream, we only need to create
2104 	 * this key once.
2105 	 * However, if using "old" rcmd mode, we need to do
2106 	 * it every time.
2107 	 */
2108 	if (tmi->enc_data.ctx == NULL ||
2109 	    (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) {
2110 		crypto_key_t *key = &tmi->enc_data.d_encr_key;
2111 
2112 		k1.ck_data = k1data;
2113 		k1.ck_format = CRYPTO_KEY_RAW;
2114 		k1.ck_length = sizeof (k1data) * 8;
2115 
2116 		key->ck_format = CRYPTO_KEY_RAW;
2117 		key->ck_length = k1.ck_length;
2118 		if (key->ck_data == NULL)
2119 			key->ck_data = kmem_zalloc(
2120 				CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP);
2121 
2122 		/*
2123 		 * The final HMAC operation creates the encryption
2124 		 * key to be used for the encrypt operation.
2125 		 */
2126 		result = do_hmac(md5_hmac_mech, &k1,
2127 			(char *)mp->b_rptr, hash->hash_len,
2128 			(char *)key->ck_data, CRYPT_ARCFOUR_KEYBYTES);
2129 
2130 		if (result != CRYPTO_SUCCESS) {
2131 			cmn_err(CE_WARN,
2132 				"arcfour_hmac_md5_encrypt:  do_hmac(k3)"
2133 				"failed - error %0x", result);
2134 			goto cleanup;
2135 		}
2136 	}
2137 
2138 	/*
2139 	 * If the context has not been initialized, do it now.
2140 	 */
2141 	if (tmi->enc_data.ctx == NULL &&
2142 	    (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) {
2143 		/*
2144 		 * Only create a template if we are doing
2145 		 * chaining from block to block.
2146 		 */
2147 		result = crypto_create_ctx_template(&mech,
2148 				&tmi->enc_data.d_encr_key,
2149 				&tmi->enc_data.enc_tmpl,
2150 				KM_SLEEP);
2151 		if (result == CRYPTO_NOT_SUPPORTED) {
2152 			tmi->enc_data.enc_tmpl = NULL;
2153 		} else if (result != CRYPTO_SUCCESS) {
2154 			cmn_err(CE_WARN, "failed to create enc template "
2155 				"for RC4 encrypt: %0x", result);
2156 			goto cleanup;
2157 		}
2158 
2159 		result = crypto_encrypt_init(&mech,
2160 					&tmi->enc_data.d_encr_key,
2161 					tmi->enc_data.enc_tmpl,
2162 					&tmi->enc_data.ctx, NULL);
2163 		if (result != CRYPTO_SUCCESS) {
2164 			cmn_err(CE_WARN, "crypto_encrypt_init failed:"
2165 				" %0x", result);
2166 			goto cleanup;
2167 		}
2168 	}
2169 	v1.iov_base = (char *)mp->b_rptr + hash->hash_len;
2170 	v1.iov_len = hash->confound_len + inlen;
2171 
2172 	indata.cd_format = CRYPTO_DATA_RAW;
2173 	indata.cd_offset = 0;
2174 	indata.cd_length = hash->confound_len + inlen;
2175 	indata.cd_raw = v1;
2176 
2177 	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
2178 		result = crypto_encrypt_update(tmi->enc_data.ctx,
2179 			&indata, NULL, NULL);
2180 	else
2181 		result = crypto_encrypt(&mech, &indata,
2182 			&tmi->enc_data.d_encr_key, NULL,
2183 			NULL, NULL);
2184 
2185 	if (result != CRYPTO_SUCCESS) {
2186 		cmn_err(CE_WARN, "crypto_encrypt_update failed: 0x%0x",
2187 			result);
2188 	}
2189 
2190 cleanup:
2191 	bzero(k1data, sizeof (k1data));
2192 	bzero(k2data, sizeof (k2data));
2193 	bzero(saltdata, sizeof (saltdata));
2194 	if (result != CRYPTO_SUCCESS) {
2195 		mp->b_datap->db_type = M_ERROR;
2196 		mp->b_rptr = mp->b_datap->db_base;
2197 		*mp->b_rptr = EIO;
2198 		mp->b_wptr = mp->b_rptr + sizeof (char);
2199 		freemsg(mp->b_cont);
2200 		mp->b_cont = NULL;
2201 		qreply(WR(q), mp);
2202 		return (NULL);
2203 	}
2204 	return (mp);
2205 }
2206 
2207 /*
2208  * DES-CBC-[HASH] encrypt
2209  *
2210  * Needed to support userland apps that must support Kerberos V5
2211  * encryption DES-CBC encryption modes.
2212  *
2213  * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1
2214  *
2215  * format of ciphertext for DES-CBC functions, per RFC1510 is:
2216  *  +-----------+----------+-------------+-----+
2217  *  |confounder |  cksum   |   msg-data  | pad |
2218  *  +-----------+----------+-------------+-----+
2219  *
2220  * format of ciphertext when using DES3-SHA1-HMAC
2221  *  +-----------+----------+-------------+-----+
2222  *  |confounder |  msg-data  |   hmac    | pad |
2223  *  +-----------+----------+-------------+-----+
2224  *
2225  *  The confounder is 8 bytes of random data.
2226  *  The cksum depends on the hash being used.
2227  *   4 bytes for CRC32
2228  *  16 bytes for MD5
2229  *  20 bytes for SHA1
2230  *   0 bytes for RAW
2231  *
2232  */
2233 static mblk_t *
2234 des_cbc_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash)
2235 {
2236 	int result;
2237 	size_t cipherlen;
2238 	size_t inlen;
2239 	size_t plainlen;
2240 
2241 	/*
2242 	 * The size at this point should be the size of
2243 	 * all the plaintext plus the optional plaintext length
2244 	 * needed for RCMD V2 mode.  There should also be room
2245 	 * at the head of the mblk for the confounder and hash info.
2246 	 */
2247 	inlen = (size_t)MBLKL(mp);
2248 
2249 	/*
2250 	 * The output size will be a multiple of 8 because this algorithm
2251 	 * only works on 8 byte chunks.
2252 	 */
2253 	cipherlen = encrypt_size(&tmi->enc_data, inlen);
2254 
2255 	ASSERT(MBLKSIZE(mp) >= cipherlen);
2256 
2257 	if (cipherlen > inlen) {
2258 		bzero(mp->b_wptr, MBLKTAIL(mp));
2259 	}
2260 
2261 	/*
2262 	 * Shift the rptr back enough to insert
2263 	 * the confounder and hash.
2264 	 */
2265 	if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2266 		mp->b_rptr -= hash->confound_len;
2267 	} else {
2268 		mp->b_rptr -= (hash->confound_len + hash->hash_len);
2269 
2270 		/* zero out the hash area */
2271 		bzero(mp->b_rptr + hash->confound_len, (size_t)hash->hash_len);
2272 	}
2273 
2274 	/* get random confounder from our friend, the 'random' module */
2275 	if (hash->confound_len > 0) {
2276 		(void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr,
2277 				    (size_t)hash->confound_len);
2278 	}
2279 
2280 	/*
2281 	 * For 3DES we calculate an HMAC later.
2282 	 */
2283 	if (tmi->enc_data.method != CRYPT_METHOD_DES3_CBC_SHA1) {
2284 		/* calculate chksum of confounder + input */
2285 		if (hash->hash_len > 0 && hash->hashfunc != NULL) {
2286 			uchar_t cksum[MAX_CKSUM_LEN];
2287 
2288 			result = hash->hashfunc(cksum, mp->b_rptr,
2289 				cipherlen);
2290 			if (result != CRYPTO_SUCCESS) {
2291 				goto failure;
2292 			}
2293 
2294 			/* put hash in place right after the confounder */
2295 			bcopy(cksum, (mp->b_rptr + hash->confound_len),
2296 			    (size_t)hash->hash_len);
2297 		}
2298 	}
2299 	/*
2300 	 * In order to support the "old" Kerberos RCMD protocol,
2301 	 * we must use the IVEC 3 different ways:
2302 	 *   IVEC_REUSE = keep using the same IV each time, this is
2303 	 *		ugly and insecure, but necessary for
2304 	 *		backwards compatibility with existing MIT code.
2305 	 *   IVEC_ONETIME = Use the ivec as initialized when the crypto
2306 	 *		was setup (see setup_crypto routine).
2307 	 *   IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk).
2308 	 */
2309 	if (tmi->enc_data.ivec_usage == IVEC_NEVER) {
2310 		bzero(tmi->enc_data.block, tmi->enc_data.blocklen);
2311 	} else if (tmi->enc_data.ivec_usage == IVEC_REUSE) {
2312 		bcopy(tmi->enc_data.ivec, tmi->enc_data.block,
2313 		    tmi->enc_data.blocklen);
2314 	}
2315 
2316 	if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2317 		/*
2318 		 * The input length already included the hash size,
2319 		 * don't include this in the plaintext length
2320 		 * calculations.
2321 		 */
2322 		plainlen = cipherlen - hash->hash_len;
2323 
2324 		mp->b_wptr = mp->b_rptr + plainlen;
2325 
2326 		result = kef_encr_hmac(&tmi->enc_data,
2327 			(void *)mp, (size_t)plainlen,
2328 			(char *)(mp->b_rptr + plainlen),
2329 			hash->hash_len);
2330 	} else {
2331 		ASSERT(mp->b_rptr + cipherlen <= DB_LIM(mp));
2332 		mp->b_wptr = mp->b_rptr + cipherlen;
2333 		result = kef_crypt(&tmi->enc_data, (void *)mp,
2334 			CRYPTO_DATA_MBLK, (size_t)cipherlen,
2335 			CRYPT_ENCRYPT);
2336 	}
2337 failure:
2338 	if (result != CRYPTO_SUCCESS) {
2339 #ifdef DEBUG
2340 		cmn_err(CE_WARN,
2341 			"des_cbc_encrypt: kef_crypt encrypt "
2342 			"failed (len: %ld) - error %0x",
2343 			cipherlen, result);
2344 #endif
2345 		mp->b_datap->db_type = M_ERROR;
2346 		mp->b_rptr = mp->b_datap->db_base;
2347 		*mp->b_rptr = EIO;
2348 		mp->b_wptr = mp->b_rptr + sizeof (char);
2349 		freemsg(mp->b_cont);
2350 		mp->b_cont = NULL;
2351 		qreply(WR(q), mp);
2352 		return (NULL);
2353 	} else if (tmi->enc_data.ivec_usage == IVEC_ONETIME) {
2354 		/*
2355 		 * Because we are using KEF, we must manually
2356 		 * update our IV.
2357 		 */
2358 		bcopy(mp->b_wptr - tmi->enc_data.ivlen,
2359 			tmi->enc_data.block, tmi->enc_data.ivlen);
2360 	}
2361 	if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2362 		mp->b_wptr = mp->b_rptr + cipherlen;
2363 	}
2364 
2365 	return (mp);
2366 }
2367 
2368 /*
2369  * des_cbc_decrypt
2370  *
2371  *
2372  * Needed to support userland apps that must support Kerberos V5
2373  * encryption DES-CBC decryption modes.
2374  *
2375  * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1
2376  *
2377  * format of ciphertext for DES-CBC functions, per RFC1510 is:
2378  *  +-----------+----------+-------------+-----+
2379  *  |confounder |  cksum   |   msg-data  | pad |
2380  *  +-----------+----------+-------------+-----+
2381  *
2382  * format of ciphertext when using DES3-SHA1-HMAC
2383  *  +-----------+----------+-------------+-----+
2384  *  |confounder |  msg-data  |   hmac    | pad |
2385  *  +-----------+----------+-------------+-----+
2386  *
2387  *  The confounder is 8 bytes of random data.
2388  *  The cksum depends on the hash being used.
2389  *   4 bytes for CRC32
2390  *  16 bytes for MD5
2391  *  20 bytes for SHA1
2392  *   0 bytes for RAW
2393  *
2394  */
2395 static mblk_t *
2396 des_cbc_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash)
2397 {
2398 	uint_t inlen, datalen;
2399 	int result = 0;
2400 	uchar_t *optr = NULL;
2401 	uchar_t cksum[MAX_CKSUM_LEN], newcksum[MAX_CKSUM_LEN];
2402 	uchar_t nextiv[DEFAULT_DES_BLOCKLEN];
2403 
2404 	/* Compute adjusted size */
2405 	inlen = MBLKL(mp);
2406 
2407 	optr = mp->b_rptr;
2408 
2409 	/*
2410 	 * In order to support the "old" Kerberos RCMD protocol,
2411 	 * we must use the IVEC 3 different ways:
2412 	 *   IVEC_REUSE = keep using the same IV each time, this is
2413 	 *		ugly and insecure, but necessary for
2414 	 *		backwards compatibility with existing MIT code.
2415 	 *   IVEC_ONETIME = Use the ivec as initialized when the crypto
2416 	 *		was setup (see setup_crypto routine).
2417 	 *   IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk).
2418 	 */
2419 	if (tmi->dec_data.ivec_usage == IVEC_NEVER)
2420 		bzero(tmi->dec_data.block, tmi->dec_data.blocklen);
2421 	else if (tmi->dec_data.ivec_usage == IVEC_REUSE)
2422 		bcopy(tmi->dec_data.ivec, tmi->dec_data.block,
2423 		    tmi->dec_data.blocklen);
2424 
2425 	if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2426 		/*
2427 		 * Do not decrypt the HMAC at the end
2428 		 */
2429 		int decrypt_len = inlen - hash->hash_len;
2430 
2431 		/*
2432 		 * Move the wptr so the mblk appears to end
2433 		 * BEFORE the HMAC section.
2434 		 */
2435 		mp->b_wptr = mp->b_rptr + decrypt_len;
2436 
2437 		/*
2438 		 * Because we are using KEF, we must manually update our
2439 		 * IV.
2440 		 */
2441 		if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
2442 			bcopy(mp->b_rptr + decrypt_len - tmi->dec_data.ivlen,
2443 				nextiv, tmi->dec_data.ivlen);
2444 		}
2445 
2446 		result = kef_decr_hmac(&tmi->dec_data, mp, decrypt_len,
2447 			(char *)newcksum, hash->hash_len);
2448 	} else {
2449 		/*
2450 		 * Because we are using KEF, we must manually update our
2451 		 * IV.
2452 		 */
2453 		if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
2454 			bcopy(mp->b_wptr - tmi->enc_data.ivlen, nextiv,
2455 				tmi->dec_data.ivlen);
2456 		}
2457 		result = kef_crypt(&tmi->dec_data, (void *)mp,
2458 			CRYPTO_DATA_MBLK, (size_t)inlen, CRYPT_DECRYPT);
2459 	}
2460 	if (result != CRYPTO_SUCCESS) {
2461 #ifdef DEBUG
2462 		cmn_err(CE_WARN,
2463 			"des_cbc_decrypt: kef_crypt decrypt "
2464 			"failed - error %0x", result);
2465 #endif
2466 		mp->b_datap->db_type = M_ERROR;
2467 		mp->b_rptr = mp->b_datap->db_base;
2468 		*mp->b_rptr = EIO;
2469 		mp->b_wptr = mp->b_rptr + sizeof (char);
2470 		freemsg(mp->b_cont);
2471 		mp->b_cont = NULL;
2472 		qreply(WR(q), mp);
2473 		return (NULL);
2474 	}
2475 
2476 	/*
2477 	 * Manually update the IV, KEF does not track this for us.
2478 	 */
2479 	if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
2480 		bcopy(nextiv, tmi->dec_data.block, tmi->dec_data.ivlen);
2481 	}
2482 
2483 	/* Verify the checksum(if necessary) */
2484 	if (hash->hash_len > 0) {
2485 		if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2486 			bcopy(mp->b_rptr + inlen - hash->hash_len, cksum,
2487 				hash->hash_len);
2488 		} else {
2489 			bcopy(optr + hash->confound_len, cksum, hash->hash_len);
2490 
2491 			/* zero the cksum in the buffer */
2492 			ASSERT(optr + hash->confound_len + hash->hash_len <=
2493 				DB_LIM(mp));
2494 			bzero(optr + hash->confound_len, hash->hash_len);
2495 
2496 			/* calculate MD5 chksum of confounder + input */
2497 			if (hash->hashfunc) {
2498 				(void) hash->hashfunc(newcksum, optr, inlen);
2499 			}
2500 		}
2501 
2502 		if (bcmp(cksum, newcksum, hash->hash_len)) {
2503 #ifdef DEBUG
2504 			cmn_err(CE_WARN, "des_cbc_decrypt: checksum "
2505 				"verification failed");
2506 #endif
2507 			mp->b_datap->db_type = M_ERROR;
2508 			mp->b_rptr = mp->b_datap->db_base;
2509 			*mp->b_rptr = EIO;
2510 			mp->b_wptr = mp->b_rptr + sizeof (char);
2511 			freemsg(mp->b_cont);
2512 			mp->b_cont = NULL;
2513 			qreply(WR(q), mp);
2514 			return (NULL);
2515 		}
2516 	}
2517 
2518 	datalen = inlen - hash->confound_len - hash->hash_len;
2519 
2520 	/* Move just the decrypted input into place if necessary */
2521 	if (hash->confound_len > 0 || hash->hash_len > 0) {
2522 		if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1)
2523 			mp->b_rptr += hash->confound_len;
2524 		else
2525 			mp->b_rptr += hash->confound_len + hash->hash_len;
2526 	}
2527 
2528 	ASSERT(mp->b_rptr + datalen <= DB_LIM(mp));
2529 	mp->b_wptr = mp->b_rptr + datalen;
2530 
2531 	return (mp);
2532 }
2533 
2534 static mblk_t *
2535 do_decrypt(queue_t *q, mblk_t *mp)
2536 {
2537 	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
2538 	mblk_t *outmp;
2539 
2540 	switch (tmi->dec_data.method) {
2541 	case CRYPT_METHOD_DES_CFB:
2542 		outmp = des_cfb_decrypt(q, tmi, mp);
2543 		break;
2544 	case CRYPT_METHOD_NONE:
2545 		outmp = mp;
2546 		break;
2547 	case CRYPT_METHOD_DES_CBC_NULL:
2548 		outmp = des_cbc_decrypt(q, tmi, mp, &null_hash);
2549 		break;
2550 	case CRYPT_METHOD_DES_CBC_MD5:
2551 		outmp = des_cbc_decrypt(q, tmi, mp, &md5_hash);
2552 		break;
2553 	case CRYPT_METHOD_DES_CBC_CRC:
2554 		outmp = des_cbc_decrypt(q, tmi, mp, &crc32_hash);
2555 		break;
2556 	case CRYPT_METHOD_DES3_CBC_SHA1:
2557 		outmp = des_cbc_decrypt(q, tmi, mp, &sha1_hash);
2558 		break;
2559 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
2560 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
2561 		outmp = arcfour_hmac_md5_decrypt(q, tmi, mp, &md5_hash);
2562 		break;
2563 	case CRYPT_METHOD_AES128:
2564 	case CRYPT_METHOD_AES256:
2565 		outmp = aes_decrypt(q, tmi, mp, &sha1_hash);
2566 		break;
2567 	}
2568 	return (outmp);
2569 }
2570 
2571 /*
2572  * do_encrypt
2573  *
2574  * Generic encryption routine for a single message block.
2575  * The input mblk may be replaced by some encrypt routines
2576  * because they add extra data in some cases that may exceed
2577  * the input mblk_t size limit.
2578  */
2579 static mblk_t *
2580 do_encrypt(queue_t *q, mblk_t *mp)
2581 {
2582 	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
2583 	mblk_t *outmp;
2584 
2585 	switch (tmi->enc_data.method) {
2586 	case CRYPT_METHOD_DES_CFB:
2587 		outmp = des_cfb_encrypt(q, tmi, mp);
2588 		break;
2589 	case CRYPT_METHOD_DES_CBC_NULL:
2590 		outmp = des_cbc_encrypt(q, tmi, mp, &null_hash);
2591 		break;
2592 	case CRYPT_METHOD_DES_CBC_MD5:
2593 		outmp = des_cbc_encrypt(q, tmi, mp, &md5_hash);
2594 		break;
2595 	case CRYPT_METHOD_DES_CBC_CRC:
2596 		outmp = des_cbc_encrypt(q, tmi, mp, &crc32_hash);
2597 		break;
2598 	case CRYPT_METHOD_DES3_CBC_SHA1:
2599 		outmp = des_cbc_encrypt(q, tmi, mp, &sha1_hash);
2600 		break;
2601 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
2602 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
2603 		outmp = arcfour_hmac_md5_encrypt(q, tmi, mp, &md5_hash);
2604 		break;
2605 	case CRYPT_METHOD_AES128:
2606 	case CRYPT_METHOD_AES256:
2607 		outmp = aes_encrypt(q, tmi, mp, &sha1_hash);
2608 		break;
2609 	case CRYPT_METHOD_NONE:
2610 		outmp = mp;
2611 		break;
2612 	}
2613 	return (outmp);
2614 }
2615 
2616 /*
2617  * setup_crypto
2618  *
2619  * This takes the data from the CRYPTIOCSETUP ioctl
2620  * and sets up a cipher_data_t structure for either
2621  * encryption or decryption.  This is where the
2622  * key and initialization vector data get stored
2623  * prior to beginning any crypto functions.
2624  *
2625  * Special note:
2626  *   Some applications(e.g. telnetd) have ability to switch
2627  * crypto on/off periodically.  Thus, the application may call
2628  * the CRYPTIOCSETUP ioctl many times for the same stream.
2629  * If the CRYPTIOCSETUP is called with 0 length key or ivec fields
2630  * assume that the key, block, and saveblock fields that are already
2631  * set from a previous CRIOCSETUP call are still valid.  This helps avoid
2632  * a rekeying error that could occur if we overwrite these fields
2633  * with each CRYPTIOCSETUP call.
2634  *   In short, sometimes, CRYPTIOCSETUP is used to simply toggle on/off
2635  * without resetting the original crypto parameters.
2636  *
2637  */
2638 static int
2639 setup_crypto(struct cr_info_t *ci, struct cipher_data_t *cd, int encrypt)
2640 {
2641 	uint_t newblocklen;
2642 	uint32_t enc_usage = 0, dec_usage = 0;
2643 	int rv;
2644 
2645 	/*
2646 	 * Initial sanity checks
2647 	 */
2648 	if (!CR_METHOD_OK(ci->crypto_method)) {
2649 		cmn_err(CE_WARN, "Illegal crypto method (%d)",
2650 			ci->crypto_method);
2651 		return (EINVAL);
2652 	}
2653 	if (!CR_OPTIONS_OK(ci->option_mask)) {
2654 		cmn_err(CE_WARN, "Illegal crypto options (%d)",
2655 			ci->option_mask);
2656 		return (EINVAL);
2657 	}
2658 	if (!CR_IVUSAGE_OK(ci->ivec_usage)) {
2659 		cmn_err(CE_WARN, "Illegal ivec usage value (%d)",
2660 			ci->ivec_usage);
2661 		return (EINVAL);
2662 	}
2663 
2664 	cd->method = ci->crypto_method;
2665 	cd->bytes = 0;
2666 
2667 	if (ci->keylen > 0) {
2668 		if (cd->key != NULL) {
2669 			kmem_free(cd->key, cd->keylen);
2670 			cd->key = NULL;
2671 			cd->keylen = 0;
2672 		}
2673 		/*
2674 		 * cd->key holds the copy of the raw key bytes passed in
2675 		 * from the userland app.
2676 		 */
2677 		cd->key = (char *)kmem_alloc((size_t)ci->keylen, KM_SLEEP);
2678 
2679 		cd->keylen = ci->keylen;
2680 		bcopy(ci->key, cd->key, (size_t)ci->keylen);
2681 	}
2682 
2683 	/*
2684 	 * Configure the block size based on the type of cipher.
2685 	 */
2686 	switch (cd->method) {
2687 		case CRYPT_METHOD_NONE:
2688 			newblocklen = 0;
2689 			break;
2690 		case CRYPT_METHOD_DES_CFB:
2691 			newblocklen = DEFAULT_DES_BLOCKLEN;
2692 			cd->mech_type = crypto_mech2id(SUN_CKM_DES_ECB);
2693 			break;
2694 		case CRYPT_METHOD_DES_CBC_NULL:
2695 		case CRYPT_METHOD_DES_CBC_MD5:
2696 		case CRYPT_METHOD_DES_CBC_CRC:
2697 			newblocklen = DEFAULT_DES_BLOCKLEN;
2698 			cd->mech_type = crypto_mech2id(SUN_CKM_DES_CBC);
2699 			break;
2700 		case CRYPT_METHOD_DES3_CBC_SHA1:
2701 			newblocklen = DEFAULT_DES_BLOCKLEN;
2702 			cd->mech_type = crypto_mech2id(SUN_CKM_DES3_CBC);
2703 			/* 3DES always uses the old usage constant */
2704 			enc_usage = RCMDV1_USAGE;
2705 			dec_usage = RCMDV1_USAGE;
2706 			break;
2707 		case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
2708 		case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
2709 			newblocklen = 0;
2710 			cd->mech_type = crypto_mech2id(SUN_CKM_RC4);
2711 			break;
2712 		case CRYPT_METHOD_AES128:
2713 		case CRYPT_METHOD_AES256:
2714 			newblocklen = DEFAULT_AES_BLOCKLEN;
2715 			cd->mech_type = crypto_mech2id(SUN_CKM_AES_ECB);
2716 			enc_usage = AES_ENCRYPT_USAGE;
2717 			dec_usage = AES_DECRYPT_USAGE;
2718 			break;
2719 	}
2720 	if (cd->mech_type == CRYPTO_MECH_INVALID) {
2721 		return (CRYPTO_FAILED);
2722 	}
2723 
2724 	/*
2725 	 * If RC4, initialize the master crypto key used by
2726 	 * the RC4 algorithm to derive the final encrypt and decrypt keys.
2727 	 */
2728 	if (cd->keylen > 0 && IS_RC4_METHOD(cd->method)) {
2729 		/*
2730 		 * cd->ckey is a kernel crypto key structure used as the
2731 		 * master key in the RC4-HMAC crypto operations.
2732 		 */
2733 		if (cd->ckey == NULL) {
2734 			cd->ckey = (crypto_key_t *)kmem_zalloc(
2735 				sizeof (crypto_key_t), KM_SLEEP);
2736 		}
2737 
2738 		cd->ckey->ck_format = CRYPTO_KEY_RAW;
2739 		cd->ckey->ck_data = cd->key;
2740 
2741 		/* key length for EF is measured in bits */
2742 		cd->ckey->ck_length = cd->keylen * 8;
2743 	}
2744 
2745 	/*
2746 	 * cd->block and cd->saveblock are used as temporary storage for
2747 	 * data that must be carried over between encrypt/decrypt operations
2748 	 * in some of the "feedback" modes.
2749 	 */
2750 	if (newblocklen != cd->blocklen) {
2751 		if (cd->block != NULL) {
2752 			kmem_free(cd->block, cd->blocklen);
2753 			cd->block = NULL;
2754 		}
2755 
2756 		if (cd->saveblock != NULL) {
2757 			kmem_free(cd->saveblock, cd->blocklen);
2758 			cd->saveblock = NULL;
2759 		}
2760 
2761 		cd->blocklen = newblocklen;
2762 		if (cd->blocklen) {
2763 			cd->block = (char *)kmem_zalloc((size_t)cd->blocklen,
2764 				KM_SLEEP);
2765 		}
2766 
2767 		if (cd->method == CRYPT_METHOD_DES_CFB)
2768 			cd->saveblock = (char *)kmem_zalloc(cd->blocklen,
2769 						KM_SLEEP);
2770 		else
2771 			cd->saveblock = NULL;
2772 	}
2773 
2774 	if (ci->iveclen != cd->ivlen) {
2775 		if (cd->ivec != NULL) {
2776 			kmem_free(cd->ivec, cd->ivlen);
2777 			cd->ivec = NULL;
2778 		}
2779 		if (ci->ivec_usage != IVEC_NEVER && ci->iveclen > 0) {
2780 			cd->ivec = (char *)kmem_zalloc((size_t)ci->iveclen,
2781 						KM_SLEEP);
2782 			cd->ivlen = ci->iveclen;
2783 		} else {
2784 			cd->ivlen = 0;
2785 			cd->ivec = NULL;
2786 		}
2787 	}
2788 	cd->option_mask = ci->option_mask;
2789 
2790 	/*
2791 	 * Old protocol requires a static 'usage' value for
2792 	 * deriving keys.  Yuk.
2793 	 */
2794 	if (cd->option_mask & CRYPTOPT_RCMD_MODE_V1) {
2795 		enc_usage = dec_usage = RCMDV1_USAGE;
2796 	}
2797 
2798 	if (cd->ivlen > cd->blocklen) {
2799 		cmn_err(CE_WARN, "setup_crypto: IV longer than block size");
2800 		return (EINVAL);
2801 	}
2802 
2803 	/*
2804 	 * If we are using an IVEC "correctly" (i.e. set it once)
2805 	 * copy it here.
2806 	 */
2807 	if (ci->ivec_usage == IVEC_ONETIME && cd->block != NULL)
2808 		bcopy(ci->ivec, cd->block, (size_t)cd->ivlen);
2809 
2810 	cd->ivec_usage = ci->ivec_usage;
2811 	if (cd->ivec != NULL) {
2812 		/* Save the original IVEC in case we need it later */
2813 		bcopy(ci->ivec, cd->ivec, (size_t)cd->ivlen);
2814 	}
2815 	/*
2816 	 * Special handling for 3DES-SHA1-HMAC and AES crypto:
2817 	 * generate derived keys and context templates
2818 	 * for better performance.
2819 	 */
2820 	if (cd->method == CRYPT_METHOD_DES3_CBC_SHA1 ||
2821 	    IS_AES_METHOD(cd->method)) {
2822 		crypto_mechanism_t enc_mech;
2823 		crypto_mechanism_t hmac_mech;
2824 
2825 		if (cd->d_encr_key.ck_data != NULL) {
2826 			bzero(cd->d_encr_key.ck_data, cd->keylen);
2827 			kmem_free(cd->d_encr_key.ck_data, cd->keylen);
2828 		}
2829 
2830 		if (cd->d_hmac_key.ck_data != NULL) {
2831 			bzero(cd->d_hmac_key.ck_data, cd->keylen);
2832 			kmem_free(cd->d_hmac_key.ck_data, cd->keylen);
2833 		}
2834 
2835 		if (cd->enc_tmpl != NULL)
2836 			(void) crypto_destroy_ctx_template(cd->enc_tmpl);
2837 
2838 		if (cd->hmac_tmpl != NULL)
2839 			(void) crypto_destroy_ctx_template(cd->hmac_tmpl);
2840 
2841 		enc_mech.cm_type = cd->mech_type;
2842 		enc_mech.cm_param = cd->ivec;
2843 		enc_mech.cm_param_len = cd->ivlen;
2844 
2845 		hmac_mech.cm_type = sha1_hmac_mech;
2846 		hmac_mech.cm_param = NULL;
2847 		hmac_mech.cm_param_len = 0;
2848 
2849 		/*
2850 		 * Create the derived keys.
2851 		 */
2852 		rv = create_derived_keys(cd,
2853 			(encrypt ? enc_usage : dec_usage),
2854 			&cd->d_encr_key, &cd->d_hmac_key);
2855 
2856 		if (rv != CRYPTO_SUCCESS) {
2857 			cmn_err(CE_WARN, "failed to create derived "
2858 				"keys: %0x", rv);
2859 			return (CRYPTO_FAILED);
2860 		}
2861 
2862 		rv = crypto_create_ctx_template(&enc_mech,
2863 					&cd->d_encr_key,
2864 					&cd->enc_tmpl, KM_SLEEP);
2865 		if (rv == CRYPTO_MECH_NOT_SUPPORTED) {
2866 			cd->enc_tmpl = NULL;
2867 		} else if (rv != CRYPTO_SUCCESS) {
2868 			cmn_err(CE_WARN, "failed to create enc template "
2869 				"for d_encr_key: %0x", rv);
2870 			return (CRYPTO_FAILED);
2871 		}
2872 
2873 		rv = crypto_create_ctx_template(&hmac_mech,
2874 				&cd->d_hmac_key,
2875 				&cd->hmac_tmpl, KM_SLEEP);
2876 		if (rv == CRYPTO_MECH_NOT_SUPPORTED) {
2877 			cd->hmac_tmpl = NULL;
2878 		} else if (rv != CRYPTO_SUCCESS) {
2879 			cmn_err(CE_WARN, "failed to create hmac template:"
2880 				" %0x", rv);
2881 			return (CRYPTO_FAILED);
2882 		}
2883 	} else if (IS_RC4_METHOD(cd->method)) {
2884 		bzero(&cd->d_encr_key, sizeof (crypto_key_t));
2885 		bzero(&cd->d_hmac_key, sizeof (crypto_key_t));
2886 		cd->ctx = NULL;
2887 		cd->enc_tmpl = NULL;
2888 		cd->hmac_tmpl = NULL;
2889 	}
2890 
2891 	/* Final sanity checks, make sure no fields are NULL */
2892 	if (cd->method != CRYPT_METHOD_NONE) {
2893 		if (cd->block == NULL && cd->blocklen > 0) {
2894 #ifdef DEBUG
2895 			cmn_err(CE_WARN,
2896 				"setup_crypto: IV block not allocated");
2897 #endif
2898 			return (ENOMEM);
2899 		}
2900 		if (cd->key == NULL && cd->keylen > 0) {
2901 #ifdef DEBUG
2902 			cmn_err(CE_WARN,
2903 				"setup_crypto: key block not allocated");
2904 #endif
2905 			return (ENOMEM);
2906 		}
2907 		if (cd->method == CRYPT_METHOD_DES_CFB &&
2908 		    cd->saveblock == NULL && cd->blocklen > 0) {
2909 #ifdef DEBUG
2910 			cmn_err(CE_WARN,
2911 				"setup_crypto: save block not allocated");
2912 #endif
2913 			return (ENOMEM);
2914 		}
2915 		if (cd->ivec == NULL && cd->ivlen > 0) {
2916 #ifdef DEBUG
2917 			cmn_err(CE_WARN,
2918 				"setup_crypto: IV not allocated");
2919 #endif
2920 			return (ENOMEM);
2921 		}
2922 	}
2923 	return (0);
2924 }
2925 
2926 /*
2927  * RCMDS require a 4 byte, clear text
2928  * length field before each message.
2929  * Add it now.
2930  */
2931 static mblk_t *
2932 mklenmp(mblk_t *bp, uint32_t len)
2933 {
2934 	mblk_t *lenmp;
2935 	uchar_t *ucp;
2936 
2937 	if (bp->b_rptr - 4 < DB_BASE(bp) || DB_REF(bp) > 1) {
2938 		lenmp = allocb(4, BPRI_MED);
2939 		if (lenmp != NULL) {
2940 			lenmp->b_rptr = lenmp->b_wptr = DB_LIM(lenmp);
2941 			linkb(lenmp, bp);
2942 			bp = lenmp;
2943 		}
2944 	}
2945 	ucp = bp->b_rptr;
2946 	*--ucp = len;
2947 	*--ucp = len >> 8;
2948 	*--ucp = len >> 16;
2949 	*--ucp = len >> 24;
2950 
2951 	bp->b_rptr = ucp;
2952 
2953 	return (bp);
2954 }
2955 
2956 static mblk_t *
2957 encrypt_block(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, size_t plainlen)
2958 {
2959 	mblk_t *newmp;
2960 	size_t headspace;
2961 
2962 	mblk_t *cbp;
2963 	size_t cipherlen;
2964 	size_t extra = 0;
2965 	uint32_t ptlen = (uint32_t)plainlen;
2966 	/*
2967 	 * If we are using the "NEW" RCMD mode,
2968 	 * add 4 bytes to the plaintext for the
2969 	 * plaintext length that gets prepended
2970 	 * before encrypting.
2971 	 */
2972 	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
2973 		ptlen += 4;
2974 
2975 	cipherlen = encrypt_size(&tmi->enc_data, (size_t)ptlen);
2976 
2977 	/*
2978 	 * if we must allocb, then make sure its enough
2979 	 * to hold the length field so we dont have to allocb
2980 	 * again down below in 'mklenmp'
2981 	 */
2982 	if (ANY_RCMD_MODE(tmi->enc_data.option_mask)) {
2983 		extra = sizeof (uint32_t);
2984 	}
2985 
2986 	/*
2987 	 * Calculate how much space is needed in front of
2988 	 * the data.
2989 	 */
2990 	headspace = plaintext_offset(&tmi->enc_data);
2991 
2992 	/*
2993 	 * If the current block is too small, reallocate
2994 	 * one large enough to hold the hdr, tail, and
2995 	 * ciphertext.
2996 	 */
2997 	if ((cipherlen + extra >= MBLKSIZE(mp)) || DB_REF(mp) > 1) {
2998 		int sz = P2ROUNDUP(cipherlen+extra, 8);
2999 
3000 		cbp = allocb_tmpl(sz, mp);
3001 		if (cbp == NULL) {
3002 			cmn_err(CE_WARN,
3003 				"allocb (%d bytes) failed", sz);
3004 				return (NULL);
3005 		}
3006 
3007 		cbp->b_cont = mp->b_cont;
3008 
3009 		/*
3010 		 * headspace includes the length fields needed
3011 		 * for the RCMD modes (v1 == 4 bytes, V2 = 8)
3012 		 */
3013 		ASSERT(cbp->b_rptr + P2ROUNDUP(plainlen+headspace, 8)
3014 			<= DB_LIM(cbp));
3015 
3016 		cbp->b_rptr = DB_BASE(cbp) + headspace;
3017 		bcopy(mp->b_rptr, cbp->b_rptr, plainlen);
3018 		cbp->b_wptr = cbp->b_rptr + plainlen;
3019 
3020 		freeb(mp);
3021 	} else {
3022 		size_t extra = 0;
3023 		cbp = mp;
3024 
3025 		/*
3026 		 * Some ciphers add HMAC after the final block
3027 		 * of the ciphertext, not at the beginning like the
3028 		 * 1-DES ciphers.
3029 		 */
3030 		if (tmi->enc_data.method ==
3031 			CRYPT_METHOD_DES3_CBC_SHA1 ||
3032 		    IS_AES_METHOD(tmi->enc_data.method)) {
3033 			extra = sha1_hash.hash_len;
3034 		}
3035 
3036 		/*
3037 		 * Make sure the rptr is positioned correctly so that
3038 		 * routines later do not have to shift this data around
3039 		 */
3040 		if ((cbp->b_rptr + P2ROUNDUP(cipherlen + extra, 8) >
3041 			DB_LIM(cbp)) ||
3042 			(cbp->b_rptr - headspace < DB_BASE(cbp))) {
3043 			ovbcopy(cbp->b_rptr, DB_BASE(cbp) + headspace,
3044 				plainlen);
3045 			cbp->b_rptr = DB_BASE(cbp) + headspace;
3046 			cbp->b_wptr = cbp->b_rptr + plainlen;
3047 		}
3048 	}
3049 
3050 	ASSERT(cbp->b_rptr - headspace >= DB_BASE(cbp));
3051 	ASSERT(cbp->b_wptr <= DB_LIM(cbp));
3052 
3053 	/*
3054 	 * If using RCMD_MODE_V2 (new rcmd mode), prepend
3055 	 * the plaintext length before the actual plaintext.
3056 	 */
3057 	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2) {
3058 		cbp->b_rptr -= RCMD_LEN_SZ;
3059 
3060 		/* put plaintext length at head of buffer */
3061 		*(cbp->b_rptr + 3) = (uchar_t)(plainlen & 0xff);
3062 		*(cbp->b_rptr + 2) = (uchar_t)((plainlen >> 8) & 0xff);
3063 		*(cbp->b_rptr + 1) = (uchar_t)((plainlen >> 16) & 0xff);
3064 		*(cbp->b_rptr) = (uchar_t)((plainlen >> 24) & 0xff);
3065 	}
3066 
3067 	newmp = do_encrypt(q, cbp);
3068 
3069 	if (newmp != NULL &&
3070 	    (tmi->enc_data.option_mask &
3071 	    (CRYPTOPT_RCMD_MODE_V1 | CRYPTOPT_RCMD_MODE_V2))) {
3072 		mblk_t *lp;
3073 		/*
3074 		 * Add length field, required when this is
3075 		 * used to encrypt "r*" commands(rlogin, rsh)
3076 		 * with Kerberos.
3077 		 */
3078 		lp = mklenmp(newmp, plainlen);
3079 
3080 		if (lp == NULL) {
3081 			freeb(newmp);
3082 			return (NULL);
3083 		} else {
3084 			newmp = lp;
3085 		}
3086 	}
3087 	return (newmp);
3088 }
3089 
3090 /*
3091  * encrypt_msgb
3092  *
3093  * encrypt a single message. This routine adds the
3094  * RCMD overhead bytes when necessary.
3095  */
3096 static mblk_t *
3097 encrypt_msgb(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
3098 {
3099 	size_t plainlen, outlen;
3100 	mblk_t *newmp = NULL;
3101 
3102 	/* If not encrypting, do nothing */
3103 	if (tmi->enc_data.method == CRYPT_METHOD_NONE) {
3104 		return (mp);
3105 	}
3106 
3107 	plainlen = MBLKL(mp);
3108 	if (plainlen == 0)
3109 		return (NULL);
3110 
3111 	/*
3112 	 * If the block is too big, we encrypt in 4K chunks so that
3113 	 * older rlogin clients do not choke on the larger buffers.
3114 	 */
3115 	while ((plainlen = MBLKL(mp)) > MSGBUF_SIZE) {
3116 		mblk_t *mp1 = NULL;
3117 		outlen = MSGBUF_SIZE;
3118 		/*
3119 		 * Allocate a new buffer that is only 4K bytes, the
3120 		 * extra bytes are for crypto overhead.
3121 		 */
3122 		mp1 = allocb(outlen + CONFOUNDER_BYTES, BPRI_MED);
3123 		if (mp1 == NULL) {
3124 			cmn_err(CE_WARN,
3125 				"allocb (%d bytes) failed",
3126 				(int)(outlen + CONFOUNDER_BYTES));
3127 			return (NULL);
3128 		}
3129 		/* Copy the next 4K bytes from the old block. */
3130 		bcopy(mp->b_rptr, mp1->b_rptr, outlen);
3131 		mp1->b_wptr = mp1->b_rptr + outlen;
3132 		/* Advance the old block. */
3133 		mp->b_rptr += outlen;
3134 
3135 		/* encrypt the new block */
3136 		newmp = encrypt_block(q, tmi, mp1, outlen);
3137 		if (newmp == NULL)
3138 			return (NULL);
3139 
3140 		putnext(q, newmp);
3141 	}
3142 	newmp = NULL;
3143 	/* If there is data left (< MSGBUF_SIZE), encrypt it. */
3144 	if ((plainlen = MBLKL(mp)) > 0)
3145 		newmp = encrypt_block(q, tmi, mp, plainlen);
3146 
3147 	return (newmp);
3148 }
3149 
3150 /*
3151  * cryptmodwsrv
3152  *
3153  * Service routine for the write queue.
3154  *
3155  * Because data may be placed in the queue to hold between
3156  * the CRYPTIOCSTOP and CRYPTIOCSTART ioctls, the service routine is needed.
3157  */
3158 static int
3159 cryptmodwsrv(queue_t *q)
3160 {
3161 	mblk_t *mp;
3162 	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
3163 
3164 	while ((mp = getq(q)) != NULL) {
3165 		switch (mp->b_datap->db_type) {
3166 		default:
3167 			/*
3168 			 * wput does not queue anything > QPCTL
3169 			 */
3170 			if (!canputnext(q) ||
3171 			    !(tmi->ready & CRYPT_WRITE_READY)) {
3172 				if (!putbq(q, mp)) {
3173 					freemsg(mp);
3174 				}
3175 				return (0);
3176 			}
3177 			putnext(q, mp);
3178 			break;
3179 		case M_DATA:
3180 			if (canputnext(q) && (tmi->ready & CRYPT_WRITE_READY)) {
3181 				mblk_t *bp;
3182 				mblk_t *newmsg = NULL;
3183 
3184 				/*
3185 				 * If multiple msgs, concat into 1
3186 				 * to minimize crypto operations later.
3187 				 */
3188 				if (mp->b_cont != NULL) {
3189 					bp = msgpullup(mp, -1);
3190 					if (bp != NULL) {
3191 						freemsg(mp);
3192 						mp = bp;
3193 					}
3194 				}
3195 				newmsg = encrypt_msgb(q, tmi, mp);
3196 				if (newmsg != NULL)
3197 					putnext(q, newmsg);
3198 			} else {
3199 				if (!putbq(q, mp)) {
3200 					freemsg(mp);
3201 				}
3202 				return (0);
3203 			}
3204 			break;
3205 		}
3206 	}
3207 	return (0);
3208 }
3209 
3210 static void
3211 start_stream(queue_t *wq, mblk_t *mp, uchar_t dir)
3212 {
3213 	mblk_t *newmp = NULL;
3214 	struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr;
3215 
3216 	if (dir == CRYPT_ENCRYPT) {
3217 		tmi->ready |= CRYPT_WRITE_READY;
3218 		(void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE,
3219 				"start_stream: restart ENCRYPT/WRITE q"));
3220 
3221 		enableok(wq);
3222 		qenable(wq);
3223 	} else if (dir == CRYPT_DECRYPT) {
3224 		/*
3225 		 * put any extra data in the RD
3226 		 * queue to be processed and
3227 		 * sent back up.
3228 		 */
3229 		newmp = mp->b_cont;
3230 		mp->b_cont = NULL;
3231 
3232 		tmi->ready |= CRYPT_READ_READY;
3233 		(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3234 				SL_TRACE|SL_NOTE,
3235 				"start_stream: restart "
3236 				"DECRYPT/READ q"));
3237 
3238 		if (newmp != NULL)
3239 			if (!putbq(RD(wq), newmp))
3240 				freemsg(newmp);
3241 
3242 		enableok(RD(wq));
3243 		qenable(RD(wq));
3244 	}
3245 
3246 	miocack(wq, mp, 0, 0);
3247 }
3248 
3249 /*
3250  * Write-side put procedure.  Its main task is to detect ioctls and
3251  * FLUSH operations.  Other message types are passed on through.
3252  */
3253 static void
3254 cryptmodwput(queue_t *wq, mblk_t *mp)
3255 {
3256 	struct iocblk *iocp;
3257 	struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr;
3258 	int ret, err;
3259 
3260 	switch (mp->b_datap->db_type) {
3261 	case M_DATA:
3262 		if (wq->q_first == NULL && canputnext(wq) &&
3263 		    (tmi->ready & CRYPT_WRITE_READY) &&
3264 		    tmi->enc_data.method == CRYPT_METHOD_NONE) {
3265 			putnext(wq, mp);
3266 			return;
3267 		}
3268 		/* else, put it in the service queue */
3269 		if (!putq(wq, mp)) {
3270 			freemsg(mp);
3271 		}
3272 		break;
3273 	case M_FLUSH:
3274 		if (*mp->b_rptr & FLUSHW) {
3275 			flushq(wq, FLUSHDATA);
3276 		}
3277 		putnext(wq, mp);
3278 		break;
3279 	case M_IOCTL:
3280 		iocp = (struct iocblk *)mp->b_rptr;
3281 		switch (iocp->ioc_cmd) {
3282 		case CRYPTIOCSETUP:
3283 			ret = 0;
3284 			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3285 					SL_TRACE | SL_NOTE,
3286 					"wput: got CRYPTIOCSETUP "
3287 					"ioctl(%d)", iocp->ioc_cmd));
3288 
3289 			if ((err = miocpullup(mp,
3290 					sizeof (struct cr_info_t))) != 0) {
3291 				cmn_err(CE_WARN,
3292 				"wput: miocpullup failed for cr_info_t");
3293 				miocnak(wq, mp, 0, err);
3294 			} else {
3295 				struct cr_info_t *ci;
3296 				ci = (struct cr_info_t *)mp->b_cont->b_rptr;
3297 
3298 				if (ci->direction_mask & CRYPT_ENCRYPT) {
3299 				    ret = setup_crypto(ci, &tmi->enc_data, 1);
3300 				}
3301 
3302 				if (ret == 0 &&
3303 				    (ci->direction_mask & CRYPT_DECRYPT)) {
3304 				    ret = setup_crypto(ci, &tmi->dec_data, 0);
3305 				}
3306 				if (ret == 0 &&
3307 				    (ci->direction_mask & CRYPT_DECRYPT) &&
3308 				    ANY_RCMD_MODE(tmi->dec_data.option_mask)) {
3309 					bzero(&tmi->rcmd_state,
3310 					    sizeof (tmi->rcmd_state));
3311 				}
3312 				if (ret == 0) {
3313 					miocack(wq, mp, 0, 0);
3314 				} else {
3315 					cmn_err(CE_WARN,
3316 						"wput: setup_crypto failed");
3317 					miocnak(wq, mp, 0, ret);
3318 				}
3319 				(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3320 						SL_TRACE|SL_NOTE,
3321 						"wput: done with SETUP "
3322 						"ioctl"));
3323 			}
3324 			break;
3325 		case CRYPTIOCSTOP:
3326 			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3327 					SL_TRACE|SL_NOTE,
3328 					"wput: got CRYPTIOCSTOP "
3329 					"ioctl(%d)", iocp->ioc_cmd));
3330 
3331 			if ((err = miocpullup(mp, sizeof (uint32_t))) != 0) {
3332 				cmn_err(CE_WARN,
3333 					"wput: CRYPTIOCSTOP ioctl wrong "
3334 					"size (%d should be %d)",
3335 					(int)iocp->ioc_count,
3336 					(int)sizeof (uint32_t));
3337 				miocnak(wq, mp, 0, err);
3338 			} else {
3339 				uint32_t *stopdir;
3340 
3341 				stopdir = (uint32_t *)mp->b_cont->b_rptr;
3342 				if (!CR_DIRECTION_OK(*stopdir)) {
3343 					miocnak(wq, mp, 0, EINVAL);
3344 					return;
3345 				}
3346 
3347 				/* disable the queues until further notice */
3348 				if (*stopdir & CRYPT_ENCRYPT) {
3349 					noenable(wq);
3350 					tmi->ready &= ~CRYPT_WRITE_READY;
3351 				}
3352 				if (*stopdir & CRYPT_DECRYPT) {
3353 					noenable(RD(wq));
3354 					tmi->ready &= ~CRYPT_READ_READY;
3355 				}
3356 
3357 				miocack(wq, mp, 0, 0);
3358 			}
3359 			break;
3360 		case CRYPTIOCSTARTDEC:
3361 			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3362 					SL_TRACE|SL_NOTE,
3363 					"wput: got CRYPTIOCSTARTDEC "
3364 					"ioctl(%d)", iocp->ioc_cmd));
3365 
3366 			start_stream(wq, mp, CRYPT_DECRYPT);
3367 			break;
3368 		case CRYPTIOCSTARTENC:
3369 			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3370 					SL_TRACE|SL_NOTE,
3371 					"wput: got CRYPTIOCSTARTENC "
3372 					"ioctl(%d)", iocp->ioc_cmd));
3373 
3374 			start_stream(wq, mp, CRYPT_ENCRYPT);
3375 			break;
3376 		default:
3377 			putnext(wq, mp);
3378 			break;
3379 		}
3380 		break;
3381 	default:
3382 		if (queclass(mp) < QPCTL) {
3383 			if (wq->q_first != NULL || !canputnext(wq)) {
3384 				if (!putq(wq, mp))
3385 					freemsg(mp);
3386 				return;
3387 			}
3388 		}
3389 		putnext(wq, mp);
3390 		break;
3391 	}
3392 }
3393 
3394 /*
3395  * decrypt_rcmd_mblks
3396  *
3397  * Because kerberized r* commands(rsh, rlogin, etc)
3398  * use a 4 byte length field to indicate the # of
3399  * PLAINTEXT bytes that are encrypted in the field
3400  * that follows, we must parse out each message and
3401  * break out the length fields prior to sending them
3402  * upstream to our Solaris r* clients/servers which do
3403  * NOT understand this format.
3404  *
3405  * Kerberized/encrypted message format:
3406  * -------------------------------
3407  * | XXXX | N bytes of ciphertext|
3408  * -------------------------------
3409  *
3410  * Where: XXXX = number of plaintext bytes that were encrypted in
3411  *               to make the ciphertext field.  This is done
3412  *               because we are using a cipher that pads out to
3413  *               an 8 byte boundary.  We only want the application
3414  *               layer to see the correct number of plain text bytes,
3415  *               not plaintext + pad.  So, after we decrypt, we
3416  *               must trim the output block down to the intended
3417  *               plaintext length and eliminate the pad bytes.
3418  *
3419  * This routine takes the entire input message, breaks it into
3420  * a new message that does not contain these length fields and
3421  * returns a message consisting of mblks filled with just ciphertext.
3422  *
3423  */
3424 static mblk_t *
3425 decrypt_rcmd_mblks(queue_t *q, mblk_t *mp)
3426 {
3427 	mblk_t *newmp = NULL;
3428 	size_t msglen;
3429 	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
3430 
3431 	msglen = msgsize(mp);
3432 
3433 	/*
3434 	 * If we need the length field, get it here.
3435 	 * Test the "plaintext length" indicator.
3436 	 */
3437 	if (tmi->rcmd_state.pt_len == 0) {
3438 		uint32_t elen;
3439 		int tocopy;
3440 		mblk_t *nextp;
3441 
3442 		/*
3443 		 * Make sure we have recieved all 4 bytes of the
3444 		 * length field.
3445 		 */
3446 		while (mp != NULL) {
3447 			ASSERT(tmi->rcmd_state.cd_len < sizeof (uint32_t));
3448 
3449 			tocopy = sizeof (uint32_t) -
3450 				tmi->rcmd_state.cd_len;
3451 			if (tocopy > msglen)
3452 				tocopy = msglen;
3453 
3454 			ASSERT(mp->b_rptr + tocopy <= DB_LIM(mp));
3455 			bcopy(mp->b_rptr,
3456 				(char *)(&tmi->rcmd_state.next_len +
3457 					tmi->rcmd_state.cd_len), tocopy);
3458 
3459 			tmi->rcmd_state.cd_len += tocopy;
3460 
3461 			if (tmi->rcmd_state.cd_len >= sizeof (uint32_t)) {
3462 				tmi->rcmd_state.next_len =
3463 					ntohl(tmi->rcmd_state.next_len);
3464 				break;
3465 			}
3466 
3467 			nextp = mp->b_cont;
3468 			mp->b_cont = NULL;
3469 			freeb(mp);
3470 			mp = nextp;
3471 		}
3472 
3473 		if (mp == NULL) {
3474 			return (NULL);
3475 		}
3476 		/*
3477 		 * recalculate the msglen now that we've read the
3478 		 * length and adjusted the bufptr (b_rptr).
3479 		 */
3480 		msglen -= tocopy;
3481 		mp->b_rptr += tocopy;
3482 
3483 		tmi->rcmd_state.pt_len = tmi->rcmd_state.next_len;
3484 
3485 		if (tmi->rcmd_state.pt_len <= 0) {
3486 			/*
3487 			 * Return an IO error to break the connection. there
3488 			 * is no way to recover from this.  Usually it means
3489 			 * the app has incorrectly requested decryption on
3490 			 * a non-encrypted stream, thus the "pt_len" field
3491 			 * is negative.
3492 			 */
3493 			mp->b_datap->db_type = M_ERROR;
3494 			mp->b_rptr = mp->b_datap->db_base;
3495 			*mp->b_rptr = EIO;
3496 			mp->b_wptr = mp->b_rptr + sizeof (char);
3497 
3498 			freemsg(mp->b_cont);
3499 			mp->b_cont = NULL;
3500 			qreply(WR(q), mp);
3501 			tmi->rcmd_state.cd_len = tmi->rcmd_state.pt_len = 0;
3502 			return (NULL);
3503 		}
3504 
3505 		/*
3506 		 * If this is V2 mode, then the encrypted data is actually
3507 		 * 4 bytes bigger than the indicated len because the plaintext
3508 		 * length is encrypted for an additional security check, but
3509 		 * its not counted as part of the overall length we just read.
3510 		 * Strange and confusing, but true.
3511 		 */
3512 
3513 		if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
3514 			elen = tmi->rcmd_state.pt_len + 4;
3515 		else
3516 			elen = tmi->rcmd_state.pt_len;
3517 
3518 		tmi->rcmd_state.cd_len  = encrypt_size(&tmi->dec_data, elen);
3519 
3520 		/*
3521 		 * Allocate an mblk to hold the cipher text until it is
3522 		 * all ready to be processed.
3523 		 */
3524 		tmi->rcmd_state.c_msg = allocb(tmi->rcmd_state.cd_len,
3525 						BPRI_HI);
3526 		if (tmi->rcmd_state.c_msg == NULL) {
3527 #ifdef DEBUG
3528 			cmn_err(CE_WARN, "decrypt_rcmd_msgb: allocb failed "
3529 				"for %d bytes",
3530 				(int)tmi->rcmd_state.cd_len);
3531 #endif
3532 			/*
3533 			 * Return an IO error to break the connection.
3534 			 */
3535 			mp->b_datap->db_type = M_ERROR;
3536 			mp->b_rptr = mp->b_datap->db_base;
3537 			*mp->b_rptr = EIO;
3538 			mp->b_wptr = mp->b_rptr + sizeof (char);
3539 			freemsg(mp->b_cont);
3540 			mp->b_cont = NULL;
3541 			tmi->rcmd_state.cd_len = tmi->rcmd_state.pt_len = 0;
3542 			qreply(WR(q), mp);
3543 			return (NULL);
3544 		}
3545 	}
3546 
3547 	/*
3548 	 * If this entire message was just the length field,
3549 	 * free and return.  The actual data will probably be next.
3550 	 */
3551 	if (msglen == 0) {
3552 		freemsg(mp);
3553 		return (NULL);
3554 	}
3555 
3556 	/*
3557 	 * Copy as much of the cipher text as possible into
3558 	 * the new msgb (c_msg).
3559 	 *
3560 	 * Logic:  if we got some bytes (msglen) and we still
3561 	 * 	"need" some bytes (len-rcvd), get them here.
3562 	 */
3563 	ASSERT(tmi->rcmd_state.c_msg != NULL);
3564 	if (msglen > 0 &&
3565 	    (tmi->rcmd_state.cd_len > MBLKL(tmi->rcmd_state.c_msg))) {
3566 		mblk_t *bp, *nextp;
3567 		size_t n;
3568 
3569 		/*
3570 		 * Walk the mblks and copy just as many bytes as we need
3571 		 * for this particular block of cipher text.
3572 		 */
3573 		bp = mp;
3574 		while (bp != NULL) {
3575 			size_t needed;
3576 			size_t tocopy;
3577 			n = MBLKL(bp);
3578 
3579 			needed = tmi->rcmd_state.cd_len -
3580 				MBLKL(tmi->rcmd_state.c_msg);
3581 
3582 			tocopy = (needed >= n ? n : needed);
3583 
3584 			ASSERT(bp->b_rptr + tocopy <= DB_LIM(bp));
3585 			ASSERT(tmi->rcmd_state.c_msg->b_wptr + tocopy <=
3586 				DB_LIM(tmi->rcmd_state.c_msg));
3587 
3588 			/* Copy to end of new mblk */
3589 			bcopy(bp->b_rptr, tmi->rcmd_state.c_msg->b_wptr,
3590 				tocopy);
3591 
3592 			tmi->rcmd_state.c_msg->b_wptr += tocopy;
3593 
3594 			bp->b_rptr += tocopy;
3595 
3596 			nextp = bp->b_cont;
3597 
3598 			/*
3599 			 * If we used this whole block, free it and
3600 			 * move on.
3601 			 */
3602 			if (!MBLKL(bp)) {
3603 				freeb(bp);
3604 				bp = NULL;
3605 			}
3606 
3607 			/* If we got what we needed, stop the loop */
3608 			if (MBLKL(tmi->rcmd_state.c_msg) ==
3609 			    tmi->rcmd_state.cd_len) {
3610 				/*
3611 				 * If there is more data in the message,
3612 				 * its for another block of cipher text,
3613 				 * put it back in the queue for next time.
3614 				 */
3615 				if (bp) {
3616 					if (!putbq(q, bp))
3617 						freemsg(bp);
3618 				} else if (nextp != NULL) {
3619 					/*
3620 					 * If there is more, put it back in the
3621 					 * queue for another pass thru.
3622 					 */
3623 					if (!putbq(q, nextp))
3624 						freemsg(nextp);
3625 				}
3626 				break;
3627 			}
3628 			bp = nextp;
3629 		}
3630 	}
3631 	/*
3632 	 * Finally, if we received all the cipher text data for
3633 	 * this message, decrypt it into a new msg and send it up
3634 	 * to the app.
3635 	 */
3636 	if (tmi->rcmd_state.pt_len > 0 &&
3637 	    MBLKL(tmi->rcmd_state.c_msg) == tmi->rcmd_state.cd_len) {
3638 		mblk_t *bp;
3639 		mblk_t *newbp;
3640 
3641 		/*
3642 		 * Now we can use our msg that we created when the
3643 		 * initial message boundary was detected.
3644 		 */
3645 		bp = tmi->rcmd_state.c_msg;
3646 		tmi->rcmd_state.c_msg = NULL;
3647 
3648 		newbp = do_decrypt(q, bp);
3649 		if (newbp != NULL) {
3650 			bp = newbp;
3651 			/*
3652 			 * If using RCMD_MODE_V2 ("new" mode),
3653 			 * look at the 4 byte plaintext length that
3654 			 * was just decrypted and compare with the
3655 			 * original pt_len value that was received.
3656 			 */
3657 			if (tmi->dec_data.option_mask &
3658 			    CRYPTOPT_RCMD_MODE_V2) {
3659 				uint32_t pt_len2;
3660 
3661 				pt_len2 = *(uint32_t *)bp->b_rptr;
3662 				pt_len2 = ntohl(pt_len2);
3663 				/*
3664 				 * Make sure the 2 pt len fields agree.
3665 				 */
3666 				if (pt_len2 != tmi->rcmd_state.pt_len) {
3667 					cmn_err(CE_WARN,
3668 						"Inconsistent length fields"
3669 						" received %d != %d",
3670 						(int)tmi->rcmd_state.pt_len,
3671 						(int)pt_len2);
3672 					bp->b_datap->db_type = M_ERROR;
3673 					bp->b_rptr = bp->b_datap->db_base;
3674 					*bp->b_rptr = EIO;
3675 					bp->b_wptr = bp->b_rptr + sizeof (char);
3676 					freemsg(bp->b_cont);
3677 					bp->b_cont = NULL;
3678 					tmi->rcmd_state.cd_len = 0;
3679 					qreply(WR(q), bp);
3680 					return (NULL);
3681 				}
3682 				bp->b_rptr += sizeof (uint32_t);
3683 			}
3684 
3685 			/*
3686 			 * Trim the decrypted block the length originally
3687 			 * indicated by the sender.  This is to remove any
3688 			 * padding bytes that the sender added to satisfy
3689 			 * requirements of the crypto algorithm.
3690 			 */
3691 			bp->b_wptr = bp->b_rptr + tmi->rcmd_state.pt_len;
3692 
3693 			newmp = bp;
3694 
3695 			/*
3696 			 * Reset our state to indicate we are ready
3697 			 * for a new message.
3698 			 */
3699 			tmi->rcmd_state.pt_len = 0;
3700 			tmi->rcmd_state.cd_len = 0;
3701 		} else {
3702 #ifdef DEBUG
3703 			cmn_err(CE_WARN,
3704 				"decrypt_rcmd: do_decrypt on %d bytes failed",
3705 				(int)tmi->rcmd_state.cd_len);
3706 #endif
3707 			/*
3708 			 * do_decrypt already handled failures, just
3709 			 * return NULL.
3710 			 */
3711 			tmi->rcmd_state.pt_len = 0;
3712 			tmi->rcmd_state.cd_len = 0;
3713 			return (NULL);
3714 		}
3715 	}
3716 
3717 	/*
3718 	 * return the new message with the 'length' fields removed
3719 	 */
3720 	return (newmp);
3721 }
3722 
3723 /*
3724  * cryptmodrsrv
3725  *
3726  * Read queue service routine
3727  * Necessary because if the ready flag is not set
3728  * (via CRYPTIOCSTOP/CRYPTIOCSTART ioctls) then the data
3729  * must remain on queue and not be passed along.
3730  */
3731 static int
3732 cryptmodrsrv(queue_t *q)
3733 {
3734 	mblk_t *mp, *bp;
3735 	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
3736 
3737 	while ((mp = getq(q)) != NULL) {
3738 		switch (mp->b_datap->db_type) {
3739 		case M_DATA:
3740 			if (canputnext(q) && tmi->ready & CRYPT_READ_READY) {
3741 				/*
3742 				 * Process "rcmd" messages differently because
3743 				 * they contain a 4 byte plaintext length
3744 				 * id that needs to be removed.
3745 				 */
3746 				if (tmi->dec_data.method != CRYPT_METHOD_NONE &&
3747 				    (tmi->dec_data.option_mask &
3748 				    (CRYPTOPT_RCMD_MODE_V1 |
3749 				    CRYPTOPT_RCMD_MODE_V2))) {
3750 					mp = decrypt_rcmd_mblks(q, mp);
3751 					if (mp)
3752 						putnext(q, mp);
3753 					continue;
3754 				}
3755 				if ((bp = msgpullup(mp, -1)) != NULL) {
3756 					freemsg(mp);
3757 					if (MBLKL(bp) > 0) {
3758 						mp = do_decrypt(q, bp);
3759 						if (mp != NULL)
3760 							putnext(q, mp);
3761 					}
3762 				}
3763 			} else {
3764 				if (!putbq(q, mp)) {
3765 					freemsg(mp);
3766 				}
3767 				return (0);
3768 			}
3769 			break;
3770 		default:
3771 			/*
3772 			 * rput does not queue anything > QPCTL, so we don't
3773 			 * need to check for it here.
3774 			 */
3775 			if (!canputnext(q)) {
3776 				if (!putbq(q, mp))
3777 					freemsg(mp);
3778 				return (0);
3779 			}
3780 			putnext(q, mp);
3781 			break;
3782 		}
3783 	}
3784 	return (0);
3785 }
3786 
3787 
3788 /*
3789  * Read-side put procedure.
3790  */
3791 static void
3792 cryptmodrput(queue_t *rq, mblk_t *mp)
3793 {
3794 	switch (mp->b_datap->db_type) {
3795 	case M_DATA:
3796 		if (!putq(rq, mp)) {
3797 			freemsg(mp);
3798 		}
3799 		break;
3800 	case M_FLUSH:
3801 		if (*mp->b_rptr & FLUSHR) {
3802 			flushq(rq, FLUSHALL);
3803 		}
3804 		putnext(rq, mp);
3805 		break;
3806 	default:
3807 		if (queclass(mp) < QPCTL) {
3808 			if (rq->q_first != NULL || !canputnext(rq)) {
3809 				if (!putq(rq, mp))
3810 					freemsg(mp);
3811 				return;
3812 			}
3813 		}
3814 		putnext(rq, mp);
3815 		break;
3816 	}
3817 }
3818