1 /* 2 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 * 5 * Copyright (c) 2018, Joyent, Inc. 6 * 7 * STREAMS Crypto Module 8 * 9 * This module is used to facilitate Kerberos encryption 10 * operations for the telnet daemon and rlogin daemon. 11 * Because the Solaris telnet and rlogin daemons run mostly 12 * in-kernel via 'telmod' and 'rlmod', this module must be 13 * pushed on the STREAM *below* telmod or rlmod. 14 * 15 * Parts of the 3DES key derivation code are covered by the 16 * following copyright. 17 * 18 * Copyright (C) 1998 by the FundsXpress, INC. 19 * 20 * All rights reserved. 21 * 22 * Export of this software from the United States of America may require 23 * a specific license from the United States Government. It is the 24 * responsibility of any person or organization contemplating export to 25 * obtain such a license before exporting. 26 * 27 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 28 * distribute this software and its documentation for any purpose and 29 * without fee is hereby granted, provided that the above copyright 30 * notice appear in all copies and that both that copyright notice and 31 * this permission notice appear in supporting documentation, and that 32 * the name of FundsXpress. not be used in advertising or publicity pertaining 33 * to distribution of the software without specific, written prior 34 * permission. FundsXpress makes no representations about the suitability of 35 * this software for any purpose. It is provided "as is" without express 36 * or implied warranty. 37 * 38 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 39 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 40 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
 */

#include <sys/types.h>
#include <sys/sysmacros.h>
#include <sys/errno.h>
#include <sys/debug.h>
#include <sys/time.h>
#include <sys/stropts.h>
#include <sys/stream.h>
#include <sys/strsubr.h>
#include <sys/strlog.h>
#include <sys/cmn_err.h>
#include <sys/conf.h>
#include <sys/sunddi.h>
#include <sys/kmem.h>
#include <sys/strsun.h>
#include <sys/random.h>
#include <sys/types.h>
#include <sys/byteorder.h>
#include <sys/cryptmod.h>
#include <sys/crc32.h>
#include <sys/policy.h>

#include <sys/crypto/api.h>

/*
 * Function prototypes.
 */
static	int	cryptmodopen(queue_t *, dev_t *, int, int, cred_t *);
static  void	cryptmodrput(queue_t *, mblk_t *);
static  void	cryptmodwput(queue_t *, mblk_t *);
static	int	cryptmodclose(queue_t *, int, cred_t *);
static	int	cryptmodwsrv(queue_t *);
static	int	cryptmodrsrv(queue_t *);

static mblk_t *do_encrypt(queue_t *q, mblk_t *mp);
static mblk_t *do_decrypt(queue_t *q, mblk_t *mp);

/* STREAMS module id; also used as the STRLOG module id in cryptmodopen(). */
#define	CRYPTMOD_ID 5150

/* Block size, in bytes, that the DES-CFB routines step through. */
#define	CFB_BLKSZ 8

/*
 * Length of the key-derivation constant built in create_derived_keys():
 * four bytes of key usage followed by one tag byte.
 */
#define	K5CLENGTH 5

static struct module_info	cryptmod_minfo = {
	CRYPTMOD_ID,	/* mi_idnum */
	"cryptmod",	/* mi_idname */
	0,		/* mi_minpsz */
	INFPSZ,		/* mi_maxpsz */
	65536,		/* mi_hiwat */
	1024		/* mi_lowat */
};

/*
 * Read-side queue entry points. open and close are only registered here;
 * the write-side table below leaves them NULL.
 *
 * NOTE(review): cryptmodrput is prototyped above as returning void and is
 * cast to an unprototyped int-returning pointer to fit qi_putp.
 */
static struct qinit	cryptmod_rinit = {
	(int (*)())cryptmodrput,	/* qi_putp */
	cryptmodrsrv,	/* qi_srvp */
	cryptmodopen,	/* qi_qopen */
	cryptmodclose,	/* qi_qclose */
	NULL,		/* qi_qadmin */
	&cryptmod_minfo,	/* qi_minfo */
	NULL		/* qi_mstat */
};

/* Write-side queue entry points. */
static struct qinit	cryptmod_winit = {
	(int (*)())cryptmodwput,	/* qi_putp */
	cryptmodwsrv,	/* qi_srvp */
	NULL,		/* qi_qopen */
	NULL,		/* qi_qclose */
	NULL,		/* qi_qadmin */
	&cryptmod_minfo,	/* qi_minfo */
	NULL		/* qi_mstat */
};

static struct streamtab	cryptmod_info = {
	&cryptmod_rinit,	/* st_rdinit */
	&cryptmod_winit,	/* st_wrinit */
	NULL,	/* st_muxrinit */
	NULL	/* st_muxwinit */
};

/*
 * Per-checksum parameters: the checksum length, the confounder length and
 * the routine that computes the checksum. hashfunc is declared without a
 * prototype; the three routines assigned to it below are all declared as
 * (uchar_t *, uchar_t *, uint_t).
 */
typedef struct {
	uint_t hash_len;
	uint_t confound_len;
	int (*hashfunc)();
} hash_info_t;

#define	MAX_CKSUM_LEN 20
#define	CONFOUNDER_LEN 8

#define	SHA1_HASHSIZE 20
#define	MD5_HASHSIZE 16
#define	CRC32_HASHSIZE 4
#define	MSGBUF_SIZE 4096
#define	CONFOUNDER_BYTES 128


static int crc32_calc(uchar_t *, uchar_t *, uint_t);
static int md5_calc(uchar_t *, uchar_t *, uint_t);
static int sha1_calc(uchar_t *, uchar_t *, uint_t);

/* One table entry per checksum; null_hash has no checksum and no confounder. */
static hash_info_t null_hash = {0, 0, NULL};
static hash_info_t crc32_hash = {CRC32_HASHSIZE, CONFOUNDER_LEN, crc32_calc};
static hash_info_t md5_hash = {MD5_HASHSIZE, CONFOUNDER_LEN, md5_calc};
static hash_info_t sha1_hash = {SHA1_HASHSIZE, CONFOUNDER_LEN, sha1_calc};

/*
 * Mechanism ids for the digests and HMACs used in this file. They start out
 * invalid and are resolved with crypto_mech2id() in cryptmodopen().
 */
static crypto_mech_type_t sha1_hmac_mech = CRYPTO_MECH_INVALID;
static crypto_mech_type_t md5_hmac_mech = CRYPTO_MECH_INVALID;
static crypto_mech_type_t sha1_hash_mech = CRYPTO_MECH_INVALID;
static crypto_mech_type_t md5_hash_mech = CRYPTO_MECH_INVALID;

static int kef_crypt(struct cipher_data_t *, void *,
    crypto_data_format_t, size_t, int);
static mblk_t *
arcfour_hmac_md5_encrypt(queue_t *, struct tmodinfo *,
    mblk_t *, hash_info_t *);
static mblk_t *
arcfour_hmac_md5_decrypt(queue_t *, struct tmodinfo *,
    mblk_t *, hash_info_t *);

static int
do_hmac(crypto_mech_type_t, crypto_key_t *, char *, int, char *, int);

/*
 * This is the loadable module wrapper.
 */
#include <sys/modctl.h>

static struct fmodsw fsw = {
	"cryptmod",
	&cryptmod_info,
	D_MP | D_MTQPAIR
};

/*
 * Module linkage information for the kernel.
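 */
static struct modlstrmod modlstrmod = {
	&mod_strmodops,
	"STREAMS encryption module",
	&fsw
};

static struct modlinkage modlinkage = {
	MODREV_1,
	&modlstrmod,
	NULL
};

/* Loadable-module entry point: register the STREAMS module. */
int
_init(void)
{
	return (mod_install(&modlinkage));
}

/* Loadable-module entry point: unregister the STREAMS module. */
int
_fini(void)
{
	return (mod_remove(&modlinkage));
}

/* Loadable-module entry point: report module information. */
int
_info(struct modinfo *modinfop)
{
	return (mod_info(&modlinkage, modinfop));
}

/*
 * cleanup
 *
 * Release everything that hangs off one direction's cipher state: the raw
 * key, the crypto_key_t wrapper, the block / saveblock / ivec buffers, the
 * derived encryption and HMAC keys, the context templates and any
 * outstanding crypto context.
 *
 * Every pointer is cleared after it is released so that a second call on
 * the same structure is harmless, and every buffer that held key material
 * or cipher state is zeroed before it goes back to the allocator.
 */
static void
cleanup(struct cipher_data_t *cd)
{
	if (cd->key != NULL) {
		bzero(cd->key, cd->keylen);
		kmem_free(cd->key, cd->keylen);
		cd->key = NULL;
	}

	if (cd->ckey != NULL) {
		/*
		 * ckey is a crypto_key_t structure which references
		 * "cd->key" for its raw key data.  Since that was already
		 * cleared out, we don't need another "bzero" here.
		 */
		kmem_free(cd->ckey, sizeof (crypto_key_t));
		cd->ckey = NULL;
	}

	if (cd->block != NULL) {
		/*
		 * In the CFB routines 'block' holds the cipher output that
		 * is XORed with the data, so scrub it before freeing.
		 */
		bzero(cd->block, cd->blocklen);
		kmem_free(cd->block, cd->blocklen);
		cd->block = NULL;
	}

	if (cd->saveblock != NULL) {
		bzero(cd->saveblock, cd->blocklen);
		kmem_free(cd->saveblock, cd->blocklen);
		cd->saveblock = NULL;
	}

	if (cd->ivec != NULL) {
		bzero(cd->ivec, cd->ivlen);
		kmem_free(cd->ivec, cd->ivlen);
		cd->ivec = NULL;
	}

	if (cd->d_encr_key.ck_data != NULL) {
		bzero(cd->d_encr_key.ck_data, cd->keylen);
		kmem_free(cd->d_encr_key.ck_data, cd->keylen);
		/* do not leave a dangling pointer to the freed key */
		cd->d_encr_key.ck_data = NULL;
	}

	if (cd->d_hmac_key.ck_data != NULL) {
		bzero(cd->d_hmac_key.ck_data, cd->keylen);
		kmem_free(cd->d_hmac_key.ck_data, cd->keylen);
		cd->d_hmac_key.ck_data = NULL;
	}

	if (cd->enc_tmpl != NULL) {
		(void) crypto_destroy_ctx_template(cd->enc_tmpl);
		cd->enc_tmpl = NULL;
	}

	if (cd->hmac_tmpl != NULL) {
		(void) crypto_destroy_ctx_template(cd->hmac_tmpl);
		cd->hmac_tmpl = NULL;
	}

	if (cd->ctx != NULL) {
		crypto_cancel_ctx(cd->ctx);
		cd->ctx = NULL;
	}
}

/*
 * cryptmodopen
 *
 * STREAMS open routine. Only module opens (MODOPEN) are accepted. A first
 * open allocates the zeroed per-stream tmodinfo, marks both directions as
 * CRYPT_METHOD_NONE and ready, attaches it to both queues, resolves the
 * digest / HMAC mechanism ids and enables the queue procedures.
 * Returns 0, or EINVAL for a non-module open.
 *
 * NOTE(review): 'crp' is not examined here; any privilege check on who may
 * configure keys is presumably made where the setup messages are handled.
 * Confirm against the rest of the file.
 */
/* ARGSUSED */
static int
cryptmodopen(queue_t *rq, dev_t *dev, int oflag, int sflag, cred_t *crp)
{
	struct tmodinfo *tmi;
	ASSERT(rq);

	if (sflag != MODOPEN)
		return (EINVAL);

	(void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE,
	    "cryptmodopen: opening module(PID %d)",
	    ddi_get_pid()));

	if (rq->q_ptr != NULL) {
		cmn_err(CE_WARN, "cryptmodopen: already opened");
		return (0);
	}

	/*
	 * Allocate and initialize per-Stream structure.
	 */
	tmi = (struct tmodinfo *)kmem_zalloc(sizeof (struct tmodinfo),
	    KM_SLEEP);

	tmi->enc_data.method = CRYPT_METHOD_NONE;
	tmi->dec_data.method = CRYPT_METHOD_NONE;

	tmi->ready = (CRYPT_READ_READY | CRYPT_WRITE_READY);

	rq->q_ptr = WR(rq)->q_ptr = tmi;

	/* file-scope mechanism ids; every open stores them again */
	sha1_hmac_mech = crypto_mech2id(SUN_CKM_SHA1_HMAC);
	md5_hmac_mech = crypto_mech2id(SUN_CKM_MD5_HMAC);
	sha1_hash_mech = crypto_mech2id(SUN_CKM_SHA1);
	md5_hash_mech = crypto_mech2id(SUN_CKM_MD5);

	qprocson(rq);

	return (0);
}

/*
 * cryptmodclose
 *
 * STREAMS close routine. Turns the queue procedures off, releases the
 * cipher state of both directions with cleanup(), frees the per-stream
 * structure and clears both queue pointers. Always returns 0.
 */
/* ARGSUSED */
static int
cryptmodclose(queue_t *rq, int flags __unused, cred_t *credp __unused)
{
	struct tmodinfo *tmi = (struct tmodinfo *)rq->q_ptr;
	ASSERT(tmi);

	qprocsoff(rq);

	cleanup(&tmi->enc_data);
	cleanup(&tmi->dec_data);

	kmem_free(tmi, sizeof (struct tmodinfo));
	rq->q_ptr = WR(rq)->q_ptr = NULL;

	return (0);
}

/*
 * plaintext_offset
 *
 * Calculate exactly how much space is needed in front
 * of the "plaintext" in an mbuf so it can be positioned
 * 1 time instead of potentially moving the data multiple
 * times.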
 */
static int
plaintext_offset(struct cipher_data_t *cd)
{
	int rcmd_room = 0;
	int cksum_room = 0;

	/* Every RCMD mode carries a 4 byte length in front of the message. */
	if (ANY_RCMD_MODE(cd->option_mask))
		rcmd_room += RCMD_LEN_SZ;

	/* RCMD V2 puts a second 4 byte field, the plaintext length, there. */
	if (cd->option_mask & CRYPTOPT_RCMD_MODE_V2)
		rcmd_room += RCMD_LEN_SZ;

	/* Room for the hash and confounder depends on the cipher method. */
	switch (cd->method) {
	case CRYPT_METHOD_DES_CBC_NULL:
		cksum_room = null_hash.hash_len + null_hash.confound_len;
		break;
	case CRYPT_METHOD_DES_CBC_CRC:
		cksum_room = crc32_hash.hash_len + crc32_hash.confound_len;
		break;
	case CRYPT_METHOD_DES_CBC_MD5:
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
		cksum_room = md5_hash.hash_len + md5_hash.confound_len;
		break;
	case CRYPT_METHOD_DES3_CBC_SHA1:
		/* only the confounder is counted for 3DES */
		cksum_room = sha1_hash.confound_len;
		break;
	case CRYPT_METHOD_AES128:
	case CRYPT_METHOD_AES256:
		cksum_room = DEFAULT_AES_BLOCKLEN;
		break;
	case CRYPT_METHOD_DES_CFB:
	case CRYPT_METHOD_NONE:
		/* nothing is placed in front of the data */
		break;
	}

	return (rcmd_room + cksum_room);
}
/*
 * encrypt_size
 *
 * Calculate the resulting size when encrypting 'plainlen' bytes
 * of data.
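 */
static size_t
encrypt_size(struct cipher_data_t *cd, size_t plainlen)
{
	size_t cipherlen;

	switch (cd->method) {
	case CRYPT_METHOD_DES_CBC_NULL:
		cipherlen = (size_t)P2ROUNDUP(null_hash.hash_len +
		    plainlen, 8);
		break;
	case CRYPT_METHOD_DES_CBC_MD5:
		cipherlen = (size_t)P2ROUNDUP(md5_hash.hash_len +
		    md5_hash.confound_len +
		    plainlen, 8);
		break;
	case CRYPT_METHOD_DES_CBC_CRC:
		cipherlen = (size_t)P2ROUNDUP(crc32_hash.hash_len +
		    crc32_hash.confound_len +
		    plainlen, 8);
		break;
	case CRYPT_METHOD_DES3_CBC_SHA1:
		/* the hash is appended after the padded ciphertext */
		cipherlen = (size_t)P2ROUNDUP(sha1_hash.confound_len +
		    plainlen, 8) +
		    sha1_hash.hash_len;
		break;
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
		/*
		 * Stream cipher, so the roundup is to a multiple of 1.
		 *
		 * NOTE(review): the _EXP method had no case here, so the
		 * function returned an uninitialized value for it. It is
		 * sized like ARCFOUR_HMAC_MD5 on the assumption that both
		 * use the same message layout; confirm against do_encrypt().
		 */
		cipherlen = (size_t)P2ROUNDUP(md5_hash.confound_len +
		    plainlen, 1) + md5_hash.hash_len;
		break;
	case CRYPT_METHOD_AES128:
	case CRYPT_METHOD_AES256:
		/* No roundup for AES-CBC-CTS */
		cipherlen = DEFAULT_AES_BLOCKLEN + plainlen +
		    AES_TRUNCATED_HMAC_LEN;
		break;
	case CRYPT_METHOD_DES_CFB:
	case CRYPT_METHOD_NONE:
	default:
		/*
		 * Size-preserving methods. The default keeps the result
		 * defined for a method value that is not listed above.
		 */
		cipherlen = plainlen;
		break;
	}

	return (cipherlen);
}

/*
 * des_cfb_encrypt
 *
 * Encrypt the mblk data using DES with cipher feedback.
 *
 * Given that V[i] is the initial 64 bit vector, V[n] is the nth 64 bit
 * vector, D[n] is the nth chunk of 64 bits of data to encrypt
 * (decrypt), and O[n] is the nth chunk of 64 bits of encrypted
 * (decrypted) data, then:
 *
 *  V[0] = DES(V[i], key)
 *  O[n] = D[n] <exclusive or > V[n]
 *  V[n+1] = DES(O[n], key)
 *
 * The size of the message being encrypted does not change in this
 * algorithm, num_bytes in == num_bytes out.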
 */
/*
 * The data between mp->b_rptr and mp->b_wptr is encrypted in place, one
 * byte at a time. tmi->enc_data.bytes counts the bytes processed so far, so
 * a cipher block may span two mblks; ciphertext bytes of a block that is
 * not yet complete are parked in tmi->enc_data.saveblock for the next call.
 *
 * Returns mp on success. If kef_crypt() fails, mp is turned into a one byte
 * M_ERROR message carrying EIO, sent with qreply(), and NULL is returned.
 *
 * Nothing in this routine authenticates the data; it only transforms it.
 */
static mblk_t *
des_cfb_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
{
	int savedbytes;
	char *iptr, *optr, *lastoutput;

	/* input and output pointers start at the same place: in-place */
	lastoutput = optr = (char *)mp->b_rptr;
	iptr = (char *)mp->b_rptr;
	/* bytes of the current cipher block already handled in earlier calls */
	savedbytes = tmi->enc_data.bytes % CFB_BLKSZ;

	while (iptr < (char *)mp->b_wptr) {
		/*
		 * Do DES-ECB.
		 * The first time this runs, the 'tmi->enc_data.block' will
		 * contain the initialization vector that should have been
		 * passed in with the SETUP ioctl.
		 *
		 * V[n] = DES(V[n-1], key)
		 */
		if (!(tmi->enc_data.bytes % CFB_BLKSZ)) {
			int retval = 0;
			retval = kef_crypt(&tmi->enc_data,
			    tmi->enc_data.block,
			    CRYPTO_DATA_RAW,
			    tmi->enc_data.blocklen,
			    CRYPT_ENCRYPT);

			if (retval != CRYPTO_SUCCESS) {
#ifdef DEBUG
				cmn_err(CE_WARN, "des_cfb_encrypt: kef_crypt "
				    "failed - error 0x%0x", retval);
#endif
				/* reuse mp as a one byte M_ERROR (EIO) */
				mp->b_datap->db_type = M_ERROR;
				mp->b_rptr = mp->b_datap->db_base;
				*mp->b_rptr = EIO;
				mp->b_wptr = mp->b_rptr + sizeof (char);
				freemsg(mp->b_cont);
				mp->b_cont = NULL;
				qreply(WR(q), mp);
				return (NULL);
			}
		}

		/* O[n] = I[n] ^ V[n] */
		*(optr++) = *(iptr++) ^
		    tmi->enc_data.block[tmi->enc_data.bytes % CFB_BLKSZ];

		tmi->enc_data.bytes++;
		/*
		 * Feedback the encrypted output as the input to next DES call.
		 */
		if (!(tmi->enc_data.bytes % CFB_BLKSZ)) {
			char *dbptr = tmi->enc_data.block;
			/*
			 * Get the last bits of input from the previous
			 * msg block that we haven't yet used as feedback input.
			 */
			if (savedbytes > 0) {
				bcopy(tmi->enc_data.saveblock,
				    dbptr, (size_t)savedbytes);
				dbptr += savedbytes;
			}

			/*
			 * Now copy the correct bytes from the current input
			 * stream and update the 'lastoutput' ptr
			 */
			bcopy(lastoutput, dbptr,
			    (size_t)(CFB_BLKSZ - savedbytes));

			lastoutput += (CFB_BLKSZ - savedbytes);
			savedbytes = 0;
		}
	}
	/*
	 * If there are bytes of input here that we need in the next
	 * block to build an ivec, save them off here.
	 */
	if (lastoutput < optr) {
		/*
		 * NOTE(review): presumably savedbytes plus the bytes copied
		 * here never exceed CFB_BLKSZ and saveblock is at least that
		 * large; the allocation is not visible in this part of the
		 * file.
		 */
		bcopy(lastoutput,
		    tmi->enc_data.saveblock + savedbytes,
		    (uint_t)(optr - lastoutput));
	}
	return (mp);
}

/*
 * des_cfb_decrypt
 *
 * Decrypt the data in the mblk using DES in Cipher Feedback mode
 *
 * # bytes in == # bytes out, no padding, confounding, or hashing
 * is added.
 *
 * The data is decrypted in place. Because the ciphertext is overwritten as
 * it is decrypted, up to one block of it is copied to
 * tmi->dec_data.saveblock first; that copy becomes the feedback input.
 *
 * Returns mp on success. If kef_crypt() fails, mp is turned into a one byte
 * M_ERROR message carrying EIO, sent with qreply(), and NULL is returned.
 *
 * NOTE(review): this routine mixes CFB_BLKSZ and tmi->dec_data.blocklen as
 * the block size. The two agree only if blocklen == CFB_BLKSZ, and blocklen
 * must be non-zero because it is used as a modulus. Both are presumably
 * guaranteed by the setup path; confirm.
 */
static mblk_t *
des_cfb_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
{
	uint_t len;
	uint_t savedbytes;
	char *iptr;
	char *lastinput;
	uint_t cp;

	len = MBLKL(mp);

	/* decryption is done in place, starting at b_rptr */
	lastinput = iptr = (char *)mp->b_rptr;

	savedbytes = tmi->dec_data.bytes % tmi->dec_data.blocklen;

	/*
	 * Save the input CFB_BLKSZ bytes at a time.
	 * We are trying to decrypt in-place, but need to keep
	 * a small sliding window of encrypted text to be
	 * used to construct the feedback buffer.
	 */
	cp = ((tmi->dec_data.blocklen - savedbytes) > len ? len :
	    tmi->dec_data.blocklen - savedbytes);

	bcopy(lastinput, tmi->dec_data.saveblock + savedbytes, cp);
	savedbytes += cp;

	lastinput += cp;

	while (iptr < (char *)mp->b_wptr) {
		/*
		 * Do DES-ECB.
		 * The first time this runs, the 'tmi->dec_data.block' will
		 * contain the initialization vector that should have been
		 * passed in with the SETUP ioctl.
		 */
		if (!(tmi->dec_data.bytes % CFB_BLKSZ)) {
			int retval;
			/*
			 * CRYPT_ENCRYPT is intentional: cipher feedback runs
			 * the block cipher in the same direction for both
			 * encryption and decryption.
			 */
			retval = kef_crypt(&tmi->dec_data,
			    tmi->dec_data.block,
			    CRYPTO_DATA_RAW,
			    tmi->dec_data.blocklen,
			    CRYPT_ENCRYPT);

			if (retval != CRYPTO_SUCCESS) {
#ifdef DEBUG
				cmn_err(CE_WARN, "des_cfb_decrypt: kef_crypt "
				    "failed - status 0x%0x", retval);
#endif
				/* reuse mp as a one byte M_ERROR (EIO) */
				mp->b_datap->db_type = M_ERROR;
				mp->b_rptr = mp->b_datap->db_base;
				*mp->b_rptr = EIO;
				mp->b_wptr = mp->b_rptr + sizeof (char);
				freemsg(mp->b_cont);
				mp->b_cont = NULL;
				qreply(WR(q), mp);
				return (NULL);
			}
		}

		/*
		 * To decrypt, XOR the input with the output from the DES call
		 */
		*(iptr++) ^= tmi->dec_data.block[tmi->dec_data.bytes %
		    CFB_BLKSZ];

		tmi->dec_data.bytes++;

		/*
		 * Feedback the encrypted input for next DES call.
		 */
		if (!(tmi->dec_data.bytes % tmi->dec_data.blocklen)) {
			char *dbptr = tmi->dec_data.block;
			/*
			 * Get the last bits of input from the previous block
			 * that we haven't yet processed.
			 */
			if (savedbytes > 0) {
				bcopy(tmi->dec_data.saveblock,
				    dbptr, savedbytes);
				dbptr += savedbytes;
			}

			savedbytes = 0;

			/*
			 * This block makes sure that our local
			 * buffer of input data is full and can
			 * be accessed from the beginning.
			 */
			if (lastinput < (char *)mp->b_wptr) {

				/* How many bytes are left in the mblk? */
				cp = (((char *)mp->b_wptr - lastinput) >
				    tmi->dec_data.blocklen ?
				    tmi->dec_data.blocklen :
				    (char *)mp->b_wptr - lastinput);

				/* copy what we need */
				bcopy(lastinput, tmi->dec_data.saveblock,
				    cp);

				lastinput += cp;
				savedbytes = cp;
			}
		}
	}

	return (mp);
}

/*
 * crc32_calc
 *
 * Compute a CRC32 checksum on the input
 *
 * The 32 bit result is stored in buf[0..3], least significant byte first.
 * Always returns CRYPTO_SUCCESS.
 *
 * CRC32 is an error-detecting code, not a keyed or collision-resistant
 * checksum; it does not by itself protect against deliberate modification.
 */
static int
crc32_calc(uchar_t *buf, uchar_t *input, uint_t len)
{
	uint32_t crc;

	/* initial value 0, lookup table crc32_table */
	CRC32(crc, input, len, 0, crc32_table);

	buf[0] = (uchar_t)(crc & 0xff);
	buf[1] = (uchar_t)((crc >> 8) & 0xff);
	buf[2] = (uchar_t)((crc >> 16) & 0xff);
	buf[3] = (uchar_t)((crc >> 24) & 0xff);

	return (CRYPTO_SUCCESS);
}

/*
 * kef_digest
 *
 * Run the digest mechanism 'digest_type' over 'inlen' bytes of 'input' with
 * crypto_digest(), writing the result to 'output', which is described to
 * the framework as 'hashlen' bytes long. Returns crypto_digest()'s status.
 */
static int
kef_digest(crypto_mech_type_t digest_type,
    uchar_t *input, uint_t inlen,
    uchar_t *output, uint_t hashlen)
{
	iovec_t v1, v2;
	crypto_data_t d1, d2;
	crypto_mechanism_t mech;
	int rv;

	/* the digest mechanisms take no parameter */
	mech.cm_type = digest_type;
	mech.cm_param = 0;
	mech.cm_param_len = 0;

	/* d1 describes the input buffer */
	v1.iov_base = (void *)input;
	v1.iov_len = inlen;

	d1.cd_format = CRYPTO_DATA_RAW;
	d1.cd_offset = 0;
	d1.cd_length = v1.iov_len;
	d1.cd_raw = v1;

	/* d2 describes the output buffer */
	v2.iov_base = (void *)output;
	v2.iov_len = hashlen;

	d2.cd_format = CRYPTO_DATA_RAW;
	d2.cd_offset = 0;
	d2.cd_length = v2.iov_len;
	d2.cd_raw = v2;

	rv = crypto_digest(&mech, &d1, &d2, NULL);

	return (rv);
}

/*
 * sha1_calc
 *
 * Get a SHA1 hash on the input data.
 *
 * 'output' must have room for SHA1_HASHSIZE bytes. Returns the status of
 * kef_digest().
 */
static int
sha1_calc(uchar_t *output, uchar_t *input, uint_t inlen)
{
	int rv;

	rv = kef_digest(sha1_hash_mech, input, inlen, output, SHA1_HASHSIZE);

	return (rv);
}

/*
 * Get an MD5 hash on the input data.
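 * md5_calc
 *
 */
static int
md5_calc(uchar_t *output, uchar_t *input, uint_t inlen)
{
	int rv;

	/* 'output' must have room for MD5_HASHSIZE bytes */
	rv = kef_digest(md5_hash_mech, input, inlen, output, MD5_HASHSIZE);

	return (rv);
}

/*
 * nfold
 * duplicate the functionality of the krb5_nfold function from
 * the userland kerberos mech.
 * This is needed to derive keys for use with 3DES/SHA1-HMAC
 * ciphers.
 *
 * 'inbits' and 'outbits' are given in bits and are converted to byte counts
 * on entry; 'in' is read for inbits/8 bytes and 'out' is written for
 * outbits/8 bytes.
 */
static void
nfold(int inbits, uchar_t *in, int outbits, uchar_t *out)
{
	int a, b, c, lcm;
	int byte, i, msbit;

	/* from here on both variables hold byte counts */
	inbits >>= 3;
	outbits >>= 3;

	/* first compute lcm(n,k) */
	a = outbits;
	b = inbits;

	while (b != 0) {
		c = b;
		b = a%b;
		a = c;
	}

	/*
	 * 'a' is now the gcd. It is zero only when both byte counts are
	 * zero, in which case there is nothing to fold and the division
	 * below must not be attempted.
	 */
	if (a == 0)
		return;

	lcm = outbits*inbits/a;

	/* now do the real work */

	bzero(out, outbits);
	byte = 0;

	/*
	 * Compute the msbit in k which gets added into this byte
	 * first, start with the msbit in the first, unrotated byte
	 * then, for each byte, shift to the right for each repetition
	 * last, pick out the correct byte within that shifted repetition
	 */
	for (i = lcm-1; i >= 0; i--) {
		msbit = (((inbits<<3)-1)
		    +(((inbits<<3)+13)*(i/inbits))
		    +((inbits-(i%inbits))<<3)) %(inbits<<3);

		/* pull out the byte value itself */
		byte += (((in[((inbits-1)-(msbit>>3))%inbits]<<8)|
		    (in[((inbits)-(msbit>>3))%inbits]))
		    >>((msbit&7)+1))&0xff;

		/* do the addition */
		byte += out[i%outbits];
		out[i%outbits] = byte&0xff;

		/* whatever is left above bit 7 is the carry into the next byte */
		byte >>= 8;
	}

	/* if there's a carry bit left over, add it back in */
	if (byte) {
		for (i = outbits-1; i >= 0; i--) {
			/* do the addition */
			byte += out[i];
			out[i] = byte&0xff;

			/* keep around the carry bit, if any */
			byte >>= 8;
		}
	}
}

/*
 * Parity helpers used when building a 3DES key. The 'step' argument is
 * parenthesized so that an expression can be passed safely.
 *
 * smask(step)    - mask of the low 'step' bits
 * pstep(x, step) - XOR the low 'step' bits of x with the next 'step' bits
 * parity_char(x) - fold 8 bits down to 1: the parity of the byte
 */
#define	smask(step) ((1<<(step))-1)
#define	pstep(x, step) (((x)&smask(step))^(((x)>>(step))&smask(step)))
#define	parity_char(x) pstep(pstep(pstep((x), 4), 2), 1)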
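
/*
 * Duplicate the functionality of the "dk_derive_key" function
 * in the Kerberos mechanism.
 *
 * cdata     - cipher state; its key and mechanism drive kef_crypt()
 * constdata - derivation constant, 'constlen' bytes
 * dkey      - output buffer for the derived key
 * keybytes  - number of raw key bytes to generate
 * blocklen  - cipher block size in bytes
 *
 * For CRYPT_METHOD_DES3_CBC_SHA1 this reads 3 x 7 bytes of raw key and
 * writes 3 x 8 bytes to dkey; for the AES methods it writes 'keybytes'
 * bytes. The caller must supply a dkey buffer of at least that size.
 * For any other method dkey is not written.
 *
 * Returns CRYPTO_SUCCESS (0) or a failure status.
 */
static int
derive_key(struct cipher_data_t *cdata, uchar_t *constdata,
    int constlen, char *dkey, int keybytes,
    int blocklen)
{
	int rv = 0;
	int n = 0, i;
	char *inblock;
	char *rawkey;
	char *zeroblock;
	char *saveblock;

	/*
	 * A non-positive block size would never advance 'n' in the loop
	 * below, and a non-positive key size leaves nothing to derive.
	 */
	if (blocklen <= 0 || keybytes <= 0)
		return (CRYPTO_FAILED);

	/* the 3DES expansion below reads 3 x 7 bytes of raw key */
	if (cdata->method == CRYPT_METHOD_DES3_CBC_SHA1 && keybytes < 3 * 7)
		return (CRYPTO_FAILED);

	inblock = kmem_zalloc(blocklen, KM_SLEEP);
	rawkey = kmem_zalloc(keybytes, KM_SLEEP);
	zeroblock = kmem_zalloc(blocklen, KM_SLEEP);

	/* the constant is used as is, or n-folded to the block size */
	if (constlen == blocklen)
		bcopy(constdata, inblock, blocklen);
	else
		nfold(constlen * 8, constdata,
		    blocklen * 8, (uchar_t *)inblock);

	/*
	 * zeroblock is an IV of all 0's.
	 *
	 * The "block" section of the cdata record is used as the
	 * IV for crypto operations in the kef_crypt function.
	 *
	 * We use 'block' as a generic IV data buffer because it
	 * is attached to the stream state data and thus can
	 * be used to hold information that must carry over
	 * from processing of one mblk to another.
	 *
	 * Here, we save the current IV and replace it with
	 * an empty IV (all 0's) for use when deriving the
	 * keys.  Once the key derivation is done, we swap the
	 * old IV back into place.
	 */
	saveblock = cdata->block;
	cdata->block = zeroblock;

	/* encrypt inblock repeatedly, collecting the output as raw key */
	while (n < keybytes) {
		rv = kef_crypt(cdata, inblock, CRYPTO_DATA_RAW,
		    blocklen, CRYPT_ENCRYPT);
		if (rv != CRYPTO_SUCCESS) {
			/* put the original IV block back in place */
			cdata->block = saveblock;
			cmn_err(CE_WARN, "failed to derive a key: %0x", rv);
			goto out;
		}

		if (keybytes - n < blocklen) {
			bcopy(inblock, rawkey+n, (keybytes-n));
			break;
		}
		bcopy(inblock, rawkey+n, blocklen);
		n += blocklen;
	}
	/* put the original IV block back in place */
	cdata->block = saveblock;

	/* finally, make the key */
	if (cdata->method == CRYPT_METHOD_DES3_CBC_SHA1) {
		/*
		 * 3DES key derivation requires that we make sure the
		 * key has the proper parity.
		 */
		for (i = 0; i < 3; i++) {
			bcopy(rawkey+(i*7), dkey+(i*8), 7);

			/* 'dkey' is our derived key output buffer */
			dkey[i*8+7] = (((dkey[i*8]&1)<<1) |
			    ((dkey[i*8+1]&1)<<2) |
			    ((dkey[i*8+2]&1)<<3) |
			    ((dkey[i*8+3]&1)<<4) |
			    ((dkey[i*8+4]&1)<<5) |
			    ((dkey[i*8+5]&1)<<6) |
			    ((dkey[i*8+6]&1)<<7));

			/* replace the low bit of every byte with its parity */
			for (n = 0; n < 8; n++) {
				dkey[i*8 + n] &=  0xfe;
				dkey[i*8 + n] |= 1^parity_char(dkey[i*8 + n]);
			}
		}
	} else if (IS_AES_METHOD(cdata->method)) {
		bcopy(rawkey, dkey, keybytes);
	}
out:
	/*
	 * inblock and rawkey held derived key material; scrub them
	 * before the memory is returned to the allocator.
	 */
	bzero(inblock, blocklen);
	bzero(rawkey, keybytes);
	kmem_free(inblock, blocklen);
	kmem_free(zeroblock, blocklen);
	kmem_free(rawkey, keybytes);
	return (rv);
}

/*
 * create_derived_keys
 *
 * Algorithm for deriving a new key and an HMAC key
 * before computing the 3DES-SHA1-HMAC operation on the plaintext
 * This algorithm matches the work done by Kerberos mechanism
 * in userland.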
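 */
static int
create_derived_keys(struct cipher_data_t *cdata, uint32_t usage,
    crypto_key_t *enckey, crypto_key_t *hmackey)
{
	uchar_t constdata[K5CLENGTH];
	size_t outbytes = 0;
	int keybytes;
	int rv;

	/*
	 * Pick the number of raw key bytes for the method first, so that an
	 * unsupported method is rejected before anything is allocated and
	 * 'keybytes' is never used uninitialized.
	 *
	 * 'outbytes' is what derive_key() writes to the output buffer:
	 * three 8 byte blocks for 3DES, 'keybytes' for AES, and nothing for
	 * the other methods.
	 */
	switch (cdata->method) {
	case CRYPT_METHOD_DES_CFB:
	case CRYPT_METHOD_DES_CBC_NULL:
	case CRYPT_METHOD_DES_CBC_MD5:
	case CRYPT_METHOD_DES_CBC_CRC:
		keybytes = 8;
		break;
	case CRYPT_METHOD_DES3_CBC_SHA1:
		keybytes = CRYPT_DES3_KEYBYTES;
		outbytes = 3 * 8;
		break;
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
		keybytes = CRYPT_ARCFOUR_KEYBYTES;
		break;
	case CRYPT_METHOD_AES128:
		keybytes = CRYPT_AES128_KEYBYTES;
		outbytes = keybytes;
		break;
	case CRYPT_METHOD_AES256:
		keybytes = CRYPT_AES256_KEYBYTES;
		outbytes = keybytes;
		break;
	default:
		cmn_err(CE_WARN, "create_derived_keys: unsupported method");
		return (CRYPTO_FAILED);
	}

	/*
	 * Both derived keys live in buffers of cdata->keylen bytes, so
	 * refuse a key length that derive_key() would write past. Whether
	 * keylen is validated earlier is not visible from here.
	 */
	if ((size_t)cdata->keylen < outbytes) {
		cmn_err(CE_WARN, "create_derived_keys: key buffer too small");
		return (CRYPTO_FAILED);
	}

	/* derivation constant: 4 bytes of usage, most significant first */
	constdata[0] = (usage>>24)&0xff;
	constdata[1] = (usage>>16)&0xff;
	constdata[2] = (usage>>8)&0xff;
	constdata[3] = usage & 0xff;
	/* Use "0xAA" for deriving encryption key */
	constdata[4] = 0xAA; /* from MIT Kerberos code */

	/* ck_length is in bits */
	enckey->ck_length = cdata->keylen * 8;
	enckey->ck_format = CRYPTO_KEY_RAW;
	enckey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP);

	/* derive main crypto key */
	rv = derive_key(cdata, constdata, sizeof (constdata),
	    enckey->ck_data, keybytes, cdata->blocklen);

	if (rv == CRYPTO_SUCCESS) {

		/* Use "0x55" for deriving mac key */
		constdata[4] = 0x55;

		hmackey->ck_length = cdata->keylen * 8;
		hmackey->ck_format = CRYPTO_KEY_RAW;
		hmackey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP);

		rv = derive_key(cdata, constdata, sizeof (constdata),
		    hmackey->ck_data, keybytes,
		    cdata->blocklen);
	} else {
		cmn_err(CE_WARN, "failed to derive crypto key: %02x", rv);
	}

	/*
	 * On failure the key buffers allocated above stay attached to
	 * enckey / hmackey; releasing them is left to the caller.
	 */
	return (rv);
}

/*
 * Compute 3-DES crypto and HMAC.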
 */
/*
 * Decrypt 'length' bytes of the mblk 'mp' in place with the derived
 * encryption key, then compute the SHA1 HMAC of the resulting plaintext
 * with the derived HMAC key into 'hmac' ('hmaclen' bytes).
 *
 * This routine only computes the MAC. Comparing it with the MAC received
 * in the message is not done here and is presumably left to the caller.
 *
 * Returns CRYPTO_SUCCESS or the status of the call that failed.
 */
static int
kef_decr_hmac(struct cipher_data_t *cdata,
    mblk_t *mp, int length,
    char *hmac, int hmaclen)
{
	crypto_mechanism_t cipher_mech;
	crypto_mechanism_t hmac_mech;
	crypto_data_t msg;
	crypto_data_t tag;
	iovec_t tag_iov;
	int status;

	ASSERT(cdata != NULL);
	ASSERT(mp != NULL);
	ASSERT(hmac != NULL);

	/* the message is handed to the framework as an mblk */
	bzero(&msg, sizeof (msg));
	msg.cd_format = CRYPTO_DATA_MBLK;
	msg.cd_offset = 0;
	msg.cd_length = length;
	msg.cd_mp = mp;

	/* the MAC is written to the caller's raw buffer */
	tag_iov.iov_base = hmac;
	tag_iov.iov_len = hmaclen;

	tag.cd_format = CRYPTO_DATA_RAW;
	tag.cd_offset = 0;
	tag.cd_length = hmaclen;
	tag.cd_raw = tag_iov;

	/* cdata->block, when present, is the IV for the cipher */
	cipher_mech.cm_type = cdata->mech_type;
	cipher_mech.cm_param = cdata->block;
	if (cdata->block == NULL)
		cipher_mech.cm_param_len = 0;
	else
		cipher_mech.cm_param_len = cdata->blocklen;

	status = crypto_decrypt(&cipher_mech, &msg, &cdata->d_encr_key,
	    cdata->enc_tmpl, NULL, NULL);
	if (status != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN, "crypto_decrypt failed: %0x", status);
		return (status);
	}

	hmac_mech.cm_type = sha1_hmac_mech;
	hmac_mech.cm_param = NULL;
	hmac_mech.cm_param_len = 0;

	/* MAC over the plaintext produced by the decryption above */
	status = crypto_mac(&hmac_mech, &msg, &cdata->d_hmac_key,
	    cdata->hmac_tmpl, &tag, NULL);
	if (status != CRYPTO_SUCCESS)
		cmn_err(CE_WARN, "crypto_mac failed: %0x", status);

	return (status);
}

/*
 * Compute 3-DES crypto and HMAC.
 */
/*
 * Compute the SHA1 HMAC of 'length' bytes of the mblk 'mp' with the
 * derived HMAC key into 'hmac' ('hmaclen' bytes), then encrypt the same
 * data in place with the derived encryption key. The MAC therefore covers
 * the plaintext.
 *
 * Returns CRYPTO_SUCCESS or the status of the call that failed.
 */
static int
kef_encr_hmac(struct cipher_data_t *cdata,
    mblk_t *mp, int length,
    char *hmac, int hmaclen)
{
	crypto_mechanism_t cipher_mech;
	crypto_mechanism_t hmac_mech;
	crypto_data_t msg;
	crypto_data_t tag;
	iovec_t tag_iov;
	int status;

	ASSERT(cdata != NULL);
	ASSERT(mp != NULL);
	ASSERT(hmac != NULL);

	/* the message is handed to the framework as an mblk */
	bzero(&msg, sizeof (msg));
	msg.cd_format = CRYPTO_DATA_MBLK;
	msg.cd_offset = 0;
	msg.cd_length = length;
	msg.cd_mp = mp;

	/* the MAC is written to the caller's raw buffer */
	tag_iov.iov_base = hmac;
	tag_iov.iov_len = hmaclen;

	tag.cd_format = CRYPTO_DATA_RAW;
	tag.cd_offset = 0;
	tag.cd_length = hmaclen;
	tag.cd_raw = tag_iov;

	hmac_mech.cm_type = sha1_hmac_mech;
	hmac_mech.cm_param = NULL;
	hmac_mech.cm_param_len = 0;

	/* cdata->block, when present, is the IV for the cipher */
	cipher_mech.cm_type = cdata->mech_type;
	cipher_mech.cm_param = cdata->block;
	if (cdata->block == NULL)
		cipher_mech.cm_param_len = 0;
	else
		cipher_mech.cm_param_len = cdata->blocklen;

	/* MAC first, while the data is still plaintext */
	status = crypto_mac(&hmac_mech, &msg, &cdata->d_hmac_key,
	    cdata->hmac_tmpl, &tag, NULL);
	if (status != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN, "crypto_mac failed: %0x", status);
		return (status);
	}

	status = crypto_encrypt(&cipher_mech, &msg, &cdata->d_encr_key,
	    cdata->enc_tmpl, NULL, NULL);
	if (status != CRYPTO_SUCCESS)
		cmn_err(CE_WARN, "crypto_encrypt failed: %0x", status);

	return (status);
}

/*
 * kef_crypt
 *
 * Use the Kernel encryption framework to provide the
 * crypto operations for the indicated data.
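 */
/*
 * cdata  - cipher state; supplies the raw key, key length, mechanism and IV
 * indata - a raw buffer (fmt == CRYPTO_DATA_RAW) or an mblk_t
 *          (fmt == CRYPTO_DATA_MBLK); it is transformed in place
 * length - number of bytes to process
 * mode   - CRYPT_ENCRYPT to encrypt, anything else to decrypt
 *
 * Returns CRYPTO_SUCCESS, or CRYPTO_FAILED for any framework error; the
 * framework's own status is only logged.
 */
static int
kef_crypt(struct cipher_data_t *cdata,
    void *indata, crypto_data_format_t fmt,
    size_t length, int mode)
{
	int rv = CRYPTO_FAILED;

	crypto_mechanism_t mech;
	crypto_key_t crkey;
	iovec_t v1;
	crypto_data_t d1;

	ASSERT(cdata != NULL);
	ASSERT(indata != NULL);
	ASSERT(fmt == CRYPTO_DATA_RAW || fmt == CRYPTO_DATA_MBLK);

	bzero(&crkey, sizeof (crkey));
	bzero(&d1, sizeof (d1));

	/* crkey only points at cdata->key; the key itself is not copied */
	crkey.ck_format = CRYPTO_KEY_RAW;
	crkey.ck_data = cdata->key;

	/* keys are measured in bits, not bytes, so multiply by 8 */
	crkey.ck_length = cdata->keylen * 8;

	/* v1 is only filled in, and only used, for raw buffers */
	if (fmt == CRYPTO_DATA_RAW) {
		v1.iov_base = (char *)indata;
		v1.iov_len = length;
	}

	d1.cd_format = fmt;
	d1.cd_offset = 0;
	d1.cd_length = length;
	if (fmt == CRYPTO_DATA_RAW)
		d1.cd_raw = v1;
	else if (fmt == CRYPTO_DATA_MBLK)
		d1.cd_mp = (mblk_t *)indata;

	mech.cm_type = cdata->mech_type;
	mech.cm_param = cdata->block;
	/*
	 * cdata->block holds the IVEC
	 */
	if (cdata->block != NULL)
		mech.cm_param_len = cdata->blocklen;
	else
		mech.cm_param_len = 0;

	/*
	 * encrypt and decrypt in-place
	 */
	if (mode == CRYPT_ENCRYPT)
		rv = crypto_encrypt(&mech, &d1, &crkey, NULL, NULL, NULL);
	else
		rv = crypto_decrypt(&mech, &d1, &crkey, NULL, NULL, NULL);

	if (rv != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN, "%s returned error %08x",
		    (mode == CRYPT_ENCRYPT ? "crypto_encrypt" :
		    "crypto_decrypt"), rv);
		return (CRYPTO_FAILED);
	}

	return (rv);
}

/*
 * do_hmac
 *
 * Compute the MAC of 'datalen' bytes at 'data' with mechanism 'mech' and
 * key 'key', writing the result to 'hmac', which is described to the
 * framework as 'hmaclen' bytes long. Returns the status of crypto_mac().
 */
static int
do_hmac(crypto_mech_type_t mech,
    crypto_key_t *key,
    char *data, int datalen,
    char *hmac, int hmaclen)
{
	int rv = 0;
	crypto_mechanism_t mac_mech;
	crypto_data_t dd;
	crypto_data_t mac;
	iovec_t vdata, vmac;

	mac_mech.cm_type = mech;
	mac_mech.cm_param = NULL;
	mac_mech.cm_param_len = 0;

	/* dd describes the input buffer */
	vdata.iov_base = data;
	vdata.iov_len = datalen;

	bzero(&dd, sizeof (dd));
	dd.cd_format = CRYPTO_DATA_RAW;
	dd.cd_offset = 0;
	dd.cd_length = datalen;
	dd.cd_raw = vdata;

	/* mac describes the output buffer */
	vmac.iov_base = hmac;
	vmac.iov_len = hmaclen;

	mac.cd_format = CRYPTO_DATA_RAW;
	mac.cd_offset = 0;
	mac.cd_length = hmaclen;
	mac.cd_raw = vmac;

	/*
	 * Compute the MAC of the caller's data.
	 */
	rv = crypto_mac(&mac_mech, &dd, key, NULL, &mac, NULL);

	if (rv != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
	}

	return (rv);
}

/*
 * XOR 16 bytes of 'src' into 'dst'. Both buffers must be at least 16 bytes
 * long. Each argument is evaluated 16 times, so pass expressions without
 * side effects.
 *
 * The body is wrapped in do { } while (0) so that the macro behaves as a
 * single statement, for example as the body of an unbraced 'if'.
 */
#define	XOR_BLOCK(src, dst) \
	do { \
		(dst)[0] ^= (src)[0]; \
		(dst)[1] ^= (src)[1]; \
		(dst)[2] ^= (src)[2]; \
		(dst)[3] ^= (src)[3]; \
		(dst)[4] ^= (src)[4]; \
		(dst)[5] ^= (src)[5]; \
		(dst)[6] ^= (src)[6]; \
		(dst)[7] ^= (src)[7]; \
		(dst)[8] ^= (src)[8]; \
		(dst)[9] ^= (src)[9]; \
		(dst)[10] ^= (src)[10]; \
		(dst)[11] ^= (src)[11]; \
		(dst)[12] ^= (src)[12]; \
		(dst)[13] ^= (src)[13]; \
		(dst)[14] ^= (src)[14]; \
		(dst)[15] ^= (src)[15]; \
	} while (0)

/* xorblock(x, y): x ^= y */
#define	xorblock(x, y) XOR_BLOCK(y, x)

static int
aes_cbc_cts_encrypt(struct tmodinfo *tmi, uchar_t *plain, size_t length)
{
	int result = CRYPTO_SUCCESS;
	unsigned char tmp[DEFAULT_AES_BLOCKLEN];
	unsigned char tmp2[DEFAULT_AES_BLOCKLEN];
	unsigned char tmp3[DEFAULT_AES_BLOCKLEN];
	int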
nblocks = 0, blockno; 1254 crypto_data_t ct, pt; 1255 crypto_mechanism_t mech; 1256 1257 mech.cm_type = tmi->enc_data.mech_type; 1258 if (tmi->enc_data.ivlen > 0 && tmi->enc_data.ivec != NULL) { 1259 bcopy(tmi->enc_data.ivec, tmp, DEFAULT_AES_BLOCKLEN); 1260 } else { 1261 bzero(tmp, sizeof (tmp)); 1262 } 1263 mech.cm_param = NULL; 1264 mech.cm_param_len = 0; 1265 1266 nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN; 1267 1268 bzero(&ct, sizeof (crypto_data_t)); 1269 bzero(&pt, sizeof (crypto_data_t)); 1270 1271 if (nblocks == 1) { 1272 pt.cd_format = CRYPTO_DATA_RAW; 1273 pt.cd_length = length; 1274 pt.cd_raw.iov_base = (char *)plain; 1275 pt.cd_raw.iov_len = length; 1276 1277 result = crypto_encrypt(&mech, &pt, 1278 &tmi->enc_data.d_encr_key, NULL, NULL, NULL); 1279 1280 if (result != CRYPTO_SUCCESS) { 1281 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " 1282 "crypto_encrypt failed: %0x", result); 1283 } 1284 } else { 1285 size_t nleft; 1286 1287 ct.cd_format = CRYPTO_DATA_RAW; 1288 ct.cd_offset = 0; 1289 ct.cd_length = DEFAULT_AES_BLOCKLEN; 1290 1291 pt.cd_format = CRYPTO_DATA_RAW; 1292 pt.cd_offset = 0; 1293 pt.cd_length = DEFAULT_AES_BLOCKLEN; 1294 1295 result = crypto_encrypt_init(&mech, 1296 &tmi->enc_data.d_encr_key, 1297 tmi->enc_data.enc_tmpl, 1298 &tmi->enc_data.ctx, NULL); 1299 1300 if (result != CRYPTO_SUCCESS) { 1301 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " 1302 "crypto_encrypt_init failed: %0x", result); 1303 goto cleanup; 1304 } 1305 1306 for (blockno = 0; blockno < nblocks - 2; blockno++) { 1307 xorblock(tmp, plain + blockno * DEFAULT_AES_BLOCKLEN); 1308 1309 pt.cd_raw.iov_base = (char *)tmp; 1310 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1311 1312 ct.cd_raw.iov_base = (char *)plain + 1313 blockno * DEFAULT_AES_BLOCKLEN; 1314 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1315 1316 result = crypto_encrypt_update(tmi->enc_data.ctx, 1317 &pt, &ct, NULL); 1318 1319 if (result != CRYPTO_SUCCESS) { 1320 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " 
1321 "crypto_encrypt_update failed: %0x", 1322 result); 1323 goto cleanup; 1324 } 1325 /* copy result over original bytes */ 1326 /* make another copy for the next XOR step */ 1327 bcopy(plain + blockno * DEFAULT_AES_BLOCKLEN, 1328 tmp, DEFAULT_AES_BLOCKLEN); 1329 } 1330 /* XOR cipher text from n-3 with plain text from n-2 */ 1331 xorblock(tmp, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN); 1332 1333 pt.cd_raw.iov_base = (char *)tmp; 1334 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1335 1336 ct.cd_raw.iov_base = (char *)tmp2; 1337 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1338 1339 /* encrypt XOR-ed block N-2 */ 1340 result = crypto_encrypt_update(tmi->enc_data.ctx, 1341 &pt, &ct, NULL); 1342 if (result != CRYPTO_SUCCESS) { 1343 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " 1344 "crypto_encrypt_update(2) failed: %0x", 1345 result); 1346 goto cleanup; 1347 } 1348 nleft = length - (nblocks - 1) * DEFAULT_AES_BLOCKLEN; 1349 1350 bzero(tmp3, sizeof (tmp3)); 1351 /* Save final plaintext bytes from n-1 */ 1352 bcopy(plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3, 1353 nleft); 1354 1355 /* Overwrite n-1 with cipher text from n-2 */ 1356 bcopy(tmp2, plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, 1357 nleft); 1358 1359 bcopy(tmp2, tmp, DEFAULT_AES_BLOCKLEN); 1360 /* XOR cipher text from n-1 with plain text from n-1 */ 1361 xorblock(tmp, tmp3); 1362 1363 pt.cd_raw.iov_base = (char *)tmp; 1364 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1365 1366 ct.cd_raw.iov_base = (char *)tmp2; 1367 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1368 1369 /* encrypt block N-2 */ 1370 result = crypto_encrypt_update(tmi->enc_data.ctx, 1371 &pt, &ct, NULL); 1372 1373 if (result != CRYPTO_SUCCESS) { 1374 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " 1375 "crypto_encrypt_update(3) failed: %0x", 1376 result); 1377 goto cleanup; 1378 } 1379 1380 bcopy(tmp2, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN, 1381 DEFAULT_AES_BLOCKLEN); 1382 1383 1384 ct.cd_raw.iov_base = (char *)tmp2; 1385 ct.cd_raw.iov_len = 
DEFAULT_AES_BLOCKLEN; 1386 1387 /* 1388 * Ignore the output on the final step. 1389 */ 1390 result = crypto_encrypt_final(tmi->enc_data.ctx, &ct, NULL); 1391 if (result != CRYPTO_SUCCESS) { 1392 cmn_err(CE_WARN, "aes_cbc_cts_encrypt: " 1393 "crypto_encrypt_final(3) failed: %0x", 1394 result); 1395 } 1396 tmi->enc_data.ctx = NULL; 1397 } 1398 cleanup: 1399 bzero(tmp, sizeof (tmp)); 1400 bzero(tmp2, sizeof (tmp)); 1401 bzero(tmp3, sizeof (tmp)); 1402 bzero(tmi->enc_data.block, tmi->enc_data.blocklen); 1403 return (result); 1404 } 1405 1406 static int 1407 aes_cbc_cts_decrypt(struct tmodinfo *tmi, uchar_t *buff, size_t length) 1408 { 1409 int result = CRYPTO_SUCCESS; 1410 unsigned char tmp[DEFAULT_AES_BLOCKLEN]; 1411 unsigned char tmp2[DEFAULT_AES_BLOCKLEN]; 1412 unsigned char tmp3[DEFAULT_AES_BLOCKLEN]; 1413 int nblocks = 0, blockno; 1414 crypto_data_t ct, pt; 1415 crypto_mechanism_t mech; 1416 1417 mech.cm_type = tmi->enc_data.mech_type; 1418 1419 if (tmi->dec_data.ivec_usage != IVEC_NEVER && 1420 tmi->dec_data.ivlen > 0 && tmi->dec_data.ivec != NULL) { 1421 bcopy(tmi->dec_data.ivec, tmp, DEFAULT_AES_BLOCKLEN); 1422 } else { 1423 bzero(tmp, sizeof (tmp)); 1424 } 1425 mech.cm_param_len = 0; 1426 mech.cm_param = NULL; 1427 1428 nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN; 1429 1430 bzero(&pt, sizeof (pt)); 1431 bzero(&ct, sizeof (ct)); 1432 1433 if (nblocks == 1) { 1434 ct.cd_format = CRYPTO_DATA_RAW; 1435 ct.cd_length = length; 1436 ct.cd_raw.iov_base = (char *)buff; 1437 ct.cd_raw.iov_len = length; 1438 1439 result = crypto_decrypt(&mech, &ct, 1440 &tmi->dec_data.d_encr_key, NULL, NULL, NULL); 1441 1442 if (result != CRYPTO_SUCCESS) { 1443 cmn_err(CE_WARN, "aes_cbc_cts_decrypt: " 1444 "crypto_decrypt failed: %0x", result); 1445 goto cleanup; 1446 } 1447 } else { 1448 ct.cd_format = CRYPTO_DATA_RAW; 1449 ct.cd_offset = 0; 1450 ct.cd_length = DEFAULT_AES_BLOCKLEN; 1451 1452 pt.cd_format = CRYPTO_DATA_RAW; 1453 pt.cd_offset = 0; 1454 
pt.cd_length = DEFAULT_AES_BLOCKLEN; 1455 1456 result = crypto_decrypt_init(&mech, 1457 &tmi->dec_data.d_encr_key, 1458 tmi->dec_data.enc_tmpl, 1459 &tmi->dec_data.ctx, NULL); 1460 1461 if (result != CRYPTO_SUCCESS) { 1462 cmn_err(CE_WARN, "aes_cbc_cts_decrypt: " 1463 "crypto_decrypt_init failed: %0x", result); 1464 goto cleanup; 1465 } 1466 for (blockno = 0; blockno < nblocks - 2; blockno++) { 1467 ct.cd_raw.iov_base = (char *)buff + 1468 (blockno * DEFAULT_AES_BLOCKLEN); 1469 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1470 1471 pt.cd_raw.iov_base = (char *)tmp2; 1472 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1473 1474 /* 1475 * Save the input to the decrypt so it can 1476 * be used later for an XOR operation 1477 */ 1478 bcopy(buff + (blockno * DEFAULT_AES_BLOCKLEN), 1479 tmi->dec_data.block, DEFAULT_AES_BLOCKLEN); 1480 1481 result = crypto_decrypt_update(tmi->dec_data.ctx, 1482 &ct, &pt, NULL); 1483 if (result != CRYPTO_SUCCESS) { 1484 cmn_err(CE_WARN, "aes_cbc_cts_decrypt: " 1485 "crypto_decrypt_update(1) error - " 1486 "result = 0x%08x", result); 1487 goto cleanup; 1488 } 1489 xorblock(tmp2, tmp); 1490 bcopy(tmp2, buff + blockno * DEFAULT_AES_BLOCKLEN, 1491 DEFAULT_AES_BLOCKLEN); 1492 /* 1493 * The original cipher text is used as the xor 1494 * for the next block, save it here. 
1495 */ 1496 bcopy(tmi->dec_data.block, tmp, DEFAULT_AES_BLOCKLEN); 1497 } 1498 ct.cd_raw.iov_base = (char *)buff + 1499 ((nblocks - 2) * DEFAULT_AES_BLOCKLEN); 1500 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1501 pt.cd_raw.iov_base = (char *)tmp2; 1502 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1503 1504 result = crypto_decrypt_update(tmi->dec_data.ctx, 1505 &ct, &pt, NULL); 1506 if (result != CRYPTO_SUCCESS) { 1507 cmn_err(CE_WARN, 1508 "aes_cbc_cts_decrypt: " 1509 "crypto_decrypt_update(2) error -" 1510 " result = 0x%08x", result); 1511 goto cleanup; 1512 } 1513 bzero(tmp3, sizeof (tmp3)); 1514 bcopy(buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3, 1515 length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN)); 1516 1517 xorblock(tmp2, tmp3); 1518 bcopy(tmp2, buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, 1519 length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN)); 1520 1521 /* 2nd to last block ... */ 1522 bcopy(tmp3, tmp2, 1523 length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN)); 1524 1525 ct.cd_raw.iov_base = (char *)tmp2; 1526 ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1527 pt.cd_raw.iov_base = (char *)tmp3; 1528 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1529 1530 result = crypto_decrypt_update(tmi->dec_data.ctx, 1531 &ct, &pt, NULL); 1532 if (result != CRYPTO_SUCCESS) { 1533 cmn_err(CE_WARN, 1534 "aes_cbc_cts_decrypt: " 1535 "crypto_decrypt_update(3) error - " 1536 "result = 0x%08x", result); 1537 goto cleanup; 1538 } 1539 xorblock(tmp3, tmp); 1540 1541 1542 /* Finally, update the 2nd to last block and we are done. 
*/ 1543 bcopy(tmp3, buff + (nblocks - 2) * DEFAULT_AES_BLOCKLEN, 1544 DEFAULT_AES_BLOCKLEN); 1545 1546 /* Do Final step, but ignore output */ 1547 pt.cd_raw.iov_base = (char *)tmp2; 1548 pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN; 1549 result = crypto_decrypt_final(tmi->dec_data.ctx, &pt, NULL); 1550 if (result != CRYPTO_SUCCESS) { 1551 cmn_err(CE_WARN, "aes_cbc_cts_decrypt: " 1552 "crypto_decrypt_final error - " 1553 "result = 0x%0x", result); 1554 } 1555 tmi->dec_data.ctx = NULL; 1556 } 1557 1558 cleanup: 1559 bzero(tmp, sizeof (tmp)); 1560 bzero(tmp2, sizeof (tmp)); 1561 bzero(tmp3, sizeof (tmp)); 1562 bzero(tmi->dec_data.block, tmi->dec_data.blocklen); 1563 return (result); 1564 } 1565 1566 /* 1567 * AES decrypt 1568 * 1569 * format of ciphertext when using AES 1570 * +-------------+------------+------------+ 1571 * | confounder | msg-data | hmac | 1572 * +-------------+------------+------------+ 1573 */ 1574 static mblk_t * 1575 aes_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, 1576 hash_info_t *hash) 1577 { 1578 int result; 1579 size_t enclen; 1580 size_t inlen; 1581 uchar_t hmacbuff[64]; 1582 uchar_t tmpiv[DEFAULT_AES_BLOCKLEN]; 1583 1584 inlen = (size_t)MBLKL(mp); 1585 1586 enclen = inlen - AES_TRUNCATED_HMAC_LEN; 1587 if (tmi->dec_data.ivec_usage != IVEC_NEVER && 1588 tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0) { 1589 int nblocks = (enclen + DEFAULT_AES_BLOCKLEN - 1) / 1590 DEFAULT_AES_BLOCKLEN; 1591 bcopy(mp->b_rptr + DEFAULT_AES_BLOCKLEN * (nblocks - 2), 1592 tmpiv, DEFAULT_AES_BLOCKLEN); 1593 } 1594 1595 /* AES Decrypt */ 1596 result = aes_cbc_cts_decrypt(tmi, mp->b_rptr, enclen); 1597 1598 if (result != CRYPTO_SUCCESS) { 1599 cmn_err(CE_WARN, 1600 "aes_decrypt: aes_cbc_cts_decrypt " 1601 "failed - error %0x", result); 1602 goto cleanup; 1603 } 1604 1605 /* Verify the HMAC */ 1606 result = do_hmac(sha1_hmac_mech, 1607 &tmi->dec_data.d_hmac_key, 1608 (char *)mp->b_rptr, enclen, 1609 (char *)hmacbuff, hash->hash_len); 1610 1611 if (result 
!= CRYPTO_SUCCESS) { 1612 cmn_err(CE_WARN, 1613 "aes_decrypt: do_hmac failed - error %0x", result); 1614 goto cleanup; 1615 } 1616 1617 if (bcmp(hmacbuff, mp->b_rptr + enclen, 1618 AES_TRUNCATED_HMAC_LEN) != 0) { 1619 result = -1; 1620 cmn_err(CE_WARN, "aes_decrypt: checksum verification failed"); 1621 goto cleanup; 1622 } 1623 1624 /* truncate the mblk at the end of the decrypted text */ 1625 mp->b_wptr = mp->b_rptr + enclen; 1626 1627 /* Adjust the beginning of the buffer to skip the confounder */ 1628 mp->b_rptr += DEFAULT_AES_BLOCKLEN; 1629 1630 if (tmi->dec_data.ivec_usage != IVEC_NEVER && 1631 tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0) 1632 bcopy(tmpiv, tmi->dec_data.ivec, DEFAULT_AES_BLOCKLEN); 1633 1634 cleanup: 1635 if (result != CRYPTO_SUCCESS) { 1636 mp->b_datap->db_type = M_ERROR; 1637 mp->b_rptr = mp->b_datap->db_base; 1638 *mp->b_rptr = EIO; 1639 mp->b_wptr = mp->b_rptr + sizeof (char); 1640 freemsg(mp->b_cont); 1641 mp->b_cont = NULL; 1642 qreply(WR(q), mp); 1643 return (NULL); 1644 } 1645 return (mp); 1646 } 1647 1648 /* 1649 * AES encrypt 1650 * 1651 * format of ciphertext when using AES 1652 * +-------------+------------+------------+ 1653 * | confounder | msg-data | hmac | 1654 * +-------------+------------+------------+ 1655 */ 1656 static mblk_t * 1657 aes_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, 1658 hash_info_t *hash) 1659 { 1660 int result; 1661 size_t cipherlen; 1662 size_t inlen; 1663 uchar_t hmacbuff[64]; 1664 1665 inlen = (size_t)MBLKL(mp); 1666 1667 cipherlen = encrypt_size(&tmi->enc_data, inlen); 1668 1669 ASSERT(MBLKSIZE(mp) >= cipherlen); 1670 1671 /* 1672 * Shift the rptr back enough to insert the confounder. 
1673 */ 1674 mp->b_rptr -= DEFAULT_AES_BLOCKLEN; 1675 1676 /* Get random data for confounder */ 1677 (void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr, 1678 DEFAULT_AES_BLOCKLEN); 1679 1680 /* 1681 * Because we encrypt in-place, we need to calculate 1682 * the HMAC of the plaintext now, then stick it on 1683 * the end of the ciphertext down below. 1684 */ 1685 result = do_hmac(sha1_hmac_mech, 1686 &tmi->enc_data.d_hmac_key, 1687 (char *)mp->b_rptr, DEFAULT_AES_BLOCKLEN + inlen, 1688 (char *)hmacbuff, hash->hash_len); 1689 1690 if (result != CRYPTO_SUCCESS) { 1691 cmn_err(CE_WARN, "aes_encrypt: do_hmac failed - error %0x", 1692 result); 1693 goto cleanup; 1694 } 1695 /* Encrypt using AES-CBC-CTS */ 1696 result = aes_cbc_cts_encrypt(tmi, mp->b_rptr, 1697 inlen + DEFAULT_AES_BLOCKLEN); 1698 1699 if (result != CRYPTO_SUCCESS) { 1700 cmn_err(CE_WARN, "aes_encrypt: aes_cbc_cts_encrypt " 1701 "failed - error %0x", result); 1702 goto cleanup; 1703 } 1704 1705 /* copy the truncated HMAC to the end of the mblk */ 1706 bcopy(hmacbuff, mp->b_rptr + DEFAULT_AES_BLOCKLEN + inlen, 1707 AES_TRUNCATED_HMAC_LEN); 1708 1709 mp->b_wptr = mp->b_rptr + cipherlen; 1710 1711 /* 1712 * The final block of cipher text (not the HMAC) is used 1713 * as the next IV. 
1714 */ 1715 if (tmi->enc_data.ivec_usage != IVEC_NEVER && 1716 tmi->enc_data.ivec != NULL) { 1717 int nblocks = (inlen + 2 * DEFAULT_AES_BLOCKLEN - 1) / 1718 DEFAULT_AES_BLOCKLEN; 1719 1720 bcopy(mp->b_rptr + (nblocks - 2) * DEFAULT_AES_BLOCKLEN, 1721 tmi->enc_data.ivec, DEFAULT_AES_BLOCKLEN); 1722 } 1723 1724 cleanup: 1725 if (result != CRYPTO_SUCCESS) { 1726 mp->b_datap->db_type = M_ERROR; 1727 mp->b_rptr = mp->b_datap->db_base; 1728 *mp->b_rptr = EIO; 1729 mp->b_wptr = mp->b_rptr + sizeof (char); 1730 freemsg(mp->b_cont); 1731 mp->b_cont = NULL; 1732 qreply(WR(q), mp); 1733 return (NULL); 1734 } 1735 return (mp); 1736 } 1737 1738 /* 1739 * ARCFOUR-HMAC-MD5 decrypt 1740 * 1741 * format of ciphertext when using ARCFOUR-HMAC-MD5 1742 * +-----------+------------+------------+ 1743 * | hmac | confounder | msg-data | 1744 * +-----------+------------+------------+ 1745 * 1746 */ 1747 static mblk_t * 1748 arcfour_hmac_md5_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, 1749 hash_info_t *hash) 1750 { 1751 int result; 1752 size_t cipherlen; 1753 size_t inlen; 1754 size_t saltlen; 1755 crypto_key_t k1, k2; 1756 crypto_data_t indata; 1757 iovec_t v1; 1758 uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab, 1759 0xab, 0xab, 0xab, 0xab }; 1760 uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES]; 1761 uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES]; 1762 uchar_t cksum[MD5_HASHSIZE]; 1763 uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES]; 1764 crypto_mechanism_t mech; 1765 int usage; 1766 1767 bzero(&indata, sizeof (indata)); 1768 1769 /* The usage constant is 1026 for all "old" rcmd mode operations */ 1770 if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1) 1771 usage = RCMDV1_USAGE; 1772 else 1773 usage = ARCFOUR_DECRYPT_USAGE; 1774 1775 /* 1776 * The size at this point should be the size of 1777 * all the plaintext plus the optional plaintext length 1778 * needed for RCMD V2 mode. There should also be room 1779 * at the head of the mblk for the confounder and hash info. 
1780 */ 1781 inlen = (size_t)MBLKL(mp); 1782 1783 /* 1784 * The cipherlen does not include the HMAC at the 1785 * head of the buffer. 1786 */ 1787 cipherlen = inlen - hash->hash_len; 1788 1789 ASSERT(MBLKSIZE(mp) >= cipherlen); 1790 if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) { 1791 bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT)); 1792 saltdata[9] = 0; 1793 saltdata[10] = usage & 0xff; 1794 saltdata[11] = (usage >> 8) & 0xff; 1795 saltdata[12] = (usage >> 16) & 0xff; 1796 saltdata[13] = (usage >> 24) & 0xff; 1797 saltlen = 14; 1798 } else { 1799 saltdata[0] = usage & 0xff; 1800 saltdata[1] = (usage >> 8) & 0xff; 1801 saltdata[2] = (usage >> 16) & 0xff; 1802 saltdata[3] = (usage >> 24) & 0xff; 1803 saltlen = 4; 1804 } 1805 /* 1806 * Use the salt value to create a key to be used 1807 * for subsequent HMAC operations. 1808 */ 1809 result = do_hmac(md5_hmac_mech, 1810 tmi->dec_data.ckey, 1811 (char *)saltdata, saltlen, 1812 (char *)k1data, sizeof (k1data)); 1813 if (result != CRYPTO_SUCCESS) { 1814 cmn_err(CE_WARN, 1815 "arcfour_hmac_md5_decrypt: do_hmac(k1)" 1816 "failed - error %0x", result); 1817 goto cleanup; 1818 } 1819 bcopy(k1data, k2data, sizeof (k1data)); 1820 1821 /* 1822 * For the neutered MS RC4 encryption type, 1823 * set the trailing 9 bytes to 0xab per the 1824 * RC4-HMAC spec. 1825 */ 1826 if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) { 1827 bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp)); 1828 } 1829 1830 mech.cm_type = tmi->dec_data.mech_type; 1831 mech.cm_param = NULL; 1832 mech.cm_param_len = 0; 1833 1834 /* 1835 * If we have not yet initialized the decryption key, 1836 * context, and template, do it now. 
1837 */ 1838 if (tmi->dec_data.ctx == NULL || 1839 (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) { 1840 k1.ck_format = CRYPTO_KEY_RAW; 1841 k1.ck_length = CRYPT_ARCFOUR_KEYBYTES * 8; 1842 k1.ck_data = k1data; 1843 1844 tmi->dec_data.d_encr_key.ck_format = CRYPTO_KEY_RAW; 1845 tmi->dec_data.d_encr_key.ck_length = k1.ck_length; 1846 if (tmi->dec_data.d_encr_key.ck_data == NULL) 1847 tmi->dec_data.d_encr_key.ck_data = kmem_zalloc( 1848 CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP); 1849 1850 /* 1851 * HMAC operation creates the encryption 1852 * key to be used for the decrypt operations. 1853 */ 1854 result = do_hmac(md5_hmac_mech, &k1, 1855 (char *)mp->b_rptr, hash->hash_len, 1856 (char *)tmi->dec_data.d_encr_key.ck_data, 1857 CRYPT_ARCFOUR_KEYBYTES); 1858 1859 1860 if (result != CRYPTO_SUCCESS) { 1861 cmn_err(CE_WARN, 1862 "arcfour_hmac_md5_decrypt: do_hmac(k3)" 1863 "failed - error %0x", result); 1864 goto cleanup; 1865 } 1866 } 1867 1868 tmi->dec_data.enc_tmpl = NULL; 1869 1870 if (tmi->dec_data.ctx == NULL && 1871 (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) { 1872 /* 1873 * Only create a template if we are doing 1874 * chaining from block to block. 
1875 */ 1876 result = crypto_create_ctx_template(&mech, 1877 &tmi->dec_data.d_encr_key, 1878 &tmi->dec_data.enc_tmpl, 1879 KM_SLEEP); 1880 if (result == CRYPTO_NOT_SUPPORTED) { 1881 tmi->dec_data.enc_tmpl = NULL; 1882 } else if (result != CRYPTO_SUCCESS) { 1883 cmn_err(CE_WARN, 1884 "arcfour_hmac_md5_decrypt: " 1885 "failed to create dec template " 1886 "for RC4 encrypt: %0x", result); 1887 goto cleanup; 1888 } 1889 1890 result = crypto_decrypt_init(&mech, 1891 &tmi->dec_data.d_encr_key, 1892 tmi->dec_data.enc_tmpl, 1893 &tmi->dec_data.ctx, NULL); 1894 1895 if (result != CRYPTO_SUCCESS) { 1896 cmn_err(CE_WARN, "crypto_decrypt_init failed:" 1897 " %0x", result); 1898 goto cleanup; 1899 } 1900 } 1901 1902 /* adjust the rptr so we don't decrypt the original hmac field */ 1903 1904 v1.iov_base = (char *)mp->b_rptr + hash->hash_len; 1905 v1.iov_len = cipherlen; 1906 1907 indata.cd_format = CRYPTO_DATA_RAW; 1908 indata.cd_offset = 0; 1909 indata.cd_length = cipherlen; 1910 indata.cd_raw = v1; 1911 1912 if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2) 1913 result = crypto_decrypt_update(tmi->dec_data.ctx, 1914 &indata, NULL, NULL); 1915 else 1916 result = crypto_decrypt(&mech, &indata, 1917 &tmi->dec_data.d_encr_key, NULL, NULL, NULL); 1918 1919 if (result != CRYPTO_SUCCESS) { 1920 cmn_err(CE_WARN, "crypto_decrypt_update failed:" 1921 " %0x", result); 1922 goto cleanup; 1923 } 1924 1925 k2.ck_format = CRYPTO_KEY_RAW; 1926 k2.ck_length = sizeof (k2data) * 8; 1927 k2.ck_data = k2data; 1928 1929 result = do_hmac(md5_hmac_mech, 1930 &k2, 1931 (char *)mp->b_rptr + hash->hash_len, cipherlen, 1932 (char *)cksum, hash->hash_len); 1933 1934 if (result != CRYPTO_SUCCESS) { 1935 cmn_err(CE_WARN, 1936 "arcfour_hmac_md5_decrypt: do_hmac(k2)" 1937 "failed - error %0x", result); 1938 goto cleanup; 1939 } 1940 1941 if (bcmp(cksum, mp->b_rptr, hash->hash_len) != 0) { 1942 cmn_err(CE_WARN, "arcfour_decrypt HMAC comparison failed"); 1943 result = -1; 1944 goto cleanup; 1945 } 1946 
1947 /* 1948 * adjust the start of the mblk to skip over the 1949 * hash and confounder. 1950 */ 1951 mp->b_rptr += hash->hash_len + hash->confound_len; 1952 1953 cleanup: 1954 bzero(k1data, sizeof (k1data)); 1955 bzero(k2data, sizeof (k2data)); 1956 bzero(cksum, sizeof (cksum)); 1957 bzero(saltdata, sizeof (saltdata)); 1958 if (result != CRYPTO_SUCCESS) { 1959 mp->b_datap->db_type = M_ERROR; 1960 mp->b_rptr = mp->b_datap->db_base; 1961 *mp->b_rptr = EIO; 1962 mp->b_wptr = mp->b_rptr + sizeof (char); 1963 freemsg(mp->b_cont); 1964 mp->b_cont = NULL; 1965 qreply(WR(q), mp); 1966 return (NULL); 1967 } 1968 return (mp); 1969 } 1970 1971 /* 1972 * ARCFOUR-HMAC-MD5 encrypt 1973 * 1974 * format of ciphertext when using ARCFOUR-HMAC-MD5 1975 * +-----------+------------+------------+ 1976 * | hmac | confounder | msg-data | 1977 * +-----------+------------+------------+ 1978 * 1979 */ 1980 static mblk_t * 1981 arcfour_hmac_md5_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, 1982 hash_info_t *hash) 1983 { 1984 int result; 1985 size_t cipherlen; 1986 size_t inlen; 1987 size_t saltlen; 1988 crypto_key_t k1, k2; 1989 crypto_data_t indata; 1990 iovec_t v1; 1991 uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab, 1992 0xab, 0xab, 0xab, 0xab }; 1993 uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES]; 1994 uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES]; 1995 uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES]; 1996 crypto_mechanism_t mech; 1997 int usage; 1998 1999 bzero(&indata, sizeof (indata)); 2000 2001 /* The usage constant is 1026 for all "old" rcmd mode operations */ 2002 if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1) 2003 usage = RCMDV1_USAGE; 2004 else 2005 usage = ARCFOUR_ENCRYPT_USAGE; 2006 2007 mech.cm_type = tmi->enc_data.mech_type; 2008 mech.cm_param = NULL; 2009 mech.cm_param_len = 0; 2010 2011 /* 2012 * The size at this point should be the size of 2013 * all the plaintext plus the optional plaintext length 2014 * needed for RCMD V2 mode. 
There should also be room 2015 * at the head of the mblk for the confounder and hash info. 2016 */ 2017 inlen = (size_t)MBLKL(mp); 2018 2019 cipherlen = encrypt_size(&tmi->enc_data, inlen); 2020 2021 ASSERT(MBLKSIZE(mp) >= cipherlen); 2022 2023 /* 2024 * Shift the rptr back enough to insert 2025 * the confounder and hash. 2026 */ 2027 mp->b_rptr -= (hash->confound_len + hash->hash_len); 2028 2029 /* zero out the hash area */ 2030 bzero(mp->b_rptr, (size_t)hash->hash_len); 2031 2032 if (cipherlen > inlen) { 2033 bzero(mp->b_wptr, MBLKTAIL(mp)); 2034 } 2035 2036 if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) { 2037 bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT)); 2038 saltdata[9] = 0; 2039 saltdata[10] = usage & 0xff; 2040 saltdata[11] = (usage >> 8) & 0xff; 2041 saltdata[12] = (usage >> 16) & 0xff; 2042 saltdata[13] = (usage >> 24) & 0xff; 2043 saltlen = 14; 2044 } else { 2045 saltdata[0] = usage & 0xff; 2046 saltdata[1] = (usage >> 8) & 0xff; 2047 saltdata[2] = (usage >> 16) & 0xff; 2048 saltdata[3] = (usage >> 24) & 0xff; 2049 saltlen = 4; 2050 } 2051 /* 2052 * Use the salt value to create a key to be used 2053 * for subsequent HMAC operations. 2054 */ 2055 result = do_hmac(md5_hmac_mech, 2056 tmi->enc_data.ckey, 2057 (char *)saltdata, saltlen, 2058 (char *)k1data, sizeof (k1data)); 2059 if (result != CRYPTO_SUCCESS) { 2060 cmn_err(CE_WARN, 2061 "arcfour_hmac_md5_encrypt: do_hmac(k1)" 2062 "failed - error %0x", result); 2063 goto cleanup; 2064 } 2065 2066 bcopy(k1data, k2data, sizeof (k2data)); 2067 2068 /* 2069 * For the neutered MS RC4 encryption type, 2070 * set the trailing 9 bytes to 0xab per the 2071 * RC4-HMAC spec. 2072 */ 2073 if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) { 2074 bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp)); 2075 } 2076 2077 /* 2078 * Get the confounder bytes. 
2079 */ 2080 (void) random_get_pseudo_bytes( 2081 (uint8_t *)(mp->b_rptr + hash->hash_len), 2082 (size_t)hash->confound_len); 2083 2084 k2.ck_data = k2data; 2085 k2.ck_format = CRYPTO_KEY_RAW; 2086 k2.ck_length = sizeof (k2data) * 8; 2087 2088 /* 2089 * This writes the HMAC to the hash area in the 2090 * mblk. The key used is the one just created by 2091 * the previous HMAC operation. 2092 * The data being processed is the confounder bytes 2093 * PLUS the input plaintext. 2094 */ 2095 result = do_hmac(md5_hmac_mech, &k2, 2096 (char *)mp->b_rptr + hash->hash_len, 2097 hash->confound_len + inlen, 2098 (char *)mp->b_rptr, hash->hash_len); 2099 if (result != CRYPTO_SUCCESS) { 2100 cmn_err(CE_WARN, 2101 "arcfour_hmac_md5_encrypt: do_hmac(k2)" 2102 "failed - error %0x", result); 2103 goto cleanup; 2104 } 2105 /* 2106 * Because of the odd way that MIT uses RC4 keys 2107 * on the rlogin stream, we only need to create 2108 * this key once. 2109 * However, if using "old" rcmd mode, we need to do 2110 * it every time. 2111 */ 2112 if (tmi->enc_data.ctx == NULL || 2113 (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) { 2114 crypto_key_t *key = &tmi->enc_data.d_encr_key; 2115 2116 k1.ck_data = k1data; 2117 k1.ck_format = CRYPTO_KEY_RAW; 2118 k1.ck_length = sizeof (k1data) * 8; 2119 2120 key->ck_format = CRYPTO_KEY_RAW; 2121 key->ck_length = k1.ck_length; 2122 if (key->ck_data == NULL) 2123 key->ck_data = kmem_zalloc( 2124 CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP); 2125 2126 /* 2127 * The final HMAC operation creates the encryption 2128 * key to be used for the encrypt operation. 2129 */ 2130 result = do_hmac(md5_hmac_mech, &k1, 2131 (char *)mp->b_rptr, hash->hash_len, 2132 (char *)key->ck_data, CRYPT_ARCFOUR_KEYBYTES); 2133 2134 if (result != CRYPTO_SUCCESS) { 2135 cmn_err(CE_WARN, 2136 "arcfour_hmac_md5_encrypt: do_hmac(k3)" 2137 "failed - error %0x", result); 2138 goto cleanup; 2139 } 2140 } 2141 2142 /* 2143 * If the context has not been initialized, do it now. 
2144 */ 2145 if (tmi->enc_data.ctx == NULL && 2146 (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) { 2147 /* 2148 * Only create a template if we are doing 2149 * chaining from block to block. 2150 */ 2151 result = crypto_create_ctx_template(&mech, 2152 &tmi->enc_data.d_encr_key, 2153 &tmi->enc_data.enc_tmpl, 2154 KM_SLEEP); 2155 if (result == CRYPTO_NOT_SUPPORTED) { 2156 tmi->enc_data.enc_tmpl = NULL; 2157 } else if (result != CRYPTO_SUCCESS) { 2158 cmn_err(CE_WARN, "failed to create enc template " 2159 "for RC4 encrypt: %0x", result); 2160 goto cleanup; 2161 } 2162 2163 result = crypto_encrypt_init(&mech, 2164 &tmi->enc_data.d_encr_key, 2165 tmi->enc_data.enc_tmpl, 2166 &tmi->enc_data.ctx, NULL); 2167 if (result != CRYPTO_SUCCESS) { 2168 cmn_err(CE_WARN, "crypto_encrypt_init failed:" 2169 " %0x", result); 2170 goto cleanup; 2171 } 2172 } 2173 v1.iov_base = (char *)mp->b_rptr + hash->hash_len; 2174 v1.iov_len = hash->confound_len + inlen; 2175 2176 indata.cd_format = CRYPTO_DATA_RAW; 2177 indata.cd_offset = 0; 2178 indata.cd_length = hash->confound_len + inlen; 2179 indata.cd_raw = v1; 2180 2181 if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2) 2182 result = crypto_encrypt_update(tmi->enc_data.ctx, 2183 &indata, NULL, NULL); 2184 else 2185 result = crypto_encrypt(&mech, &indata, 2186 &tmi->enc_data.d_encr_key, NULL, 2187 NULL, NULL); 2188 2189 if (result != CRYPTO_SUCCESS) { 2190 cmn_err(CE_WARN, "crypto_encrypt_update failed: 0x%0x", 2191 result); 2192 } 2193 2194 cleanup: 2195 bzero(k1data, sizeof (k1data)); 2196 bzero(k2data, sizeof (k2data)); 2197 bzero(saltdata, sizeof (saltdata)); 2198 if (result != CRYPTO_SUCCESS) { 2199 mp->b_datap->db_type = M_ERROR; 2200 mp->b_rptr = mp->b_datap->db_base; 2201 *mp->b_rptr = EIO; 2202 mp->b_wptr = mp->b_rptr + sizeof (char); 2203 freemsg(mp->b_cont); 2204 mp->b_cont = NULL; 2205 qreply(WR(q), mp); 2206 return (NULL); 2207 } 2208 return (mp); 2209 } 2210 2211 /* 2212 * DES-CBC-[HASH] encrypt 2213 * 2214 * Needed 
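to support userland apps that must support Kerberos V5
 * encryption DES-CBC encryption modes.
 *
 * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1
 *
 * format of ciphertext for DES-CBC functions, per RFC1510 is:
 *  +-----------+----------+-------------+-----+
 *  |confounder |  cksum   |   msg-data  | pad |
 *  +-----------+----------+-------------+-----+
 *
 * format of ciphertext when using DES3-SHA1-HMAC
 *  +-----------+----------+-------------+-----+
 *  |confounder |  msg-data   |   hmac   | pad |
 *  +-----------+----------+-------------+-----+
 *
 *  The confounder is 8 bytes of random data.
 *  The cksum depends on the hash being used.
 *   4 bytes for CRC32
 *  16 bytes for MD5
 *  20 bytes for SHA1
 *   0 bytes for RAW
 *
 * Returns the encrypted mblk, or NULL once the mblk has been turned
 * into an M_ERROR(EIO) message and sent back with qreply().
 */
static mblk_t *
des_cbc_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash)
{
	int result;
	size_t cipherlen;
	size_t inlen;
	size_t plainlen;

	/*
	 * The size at this point should be the size of
	 * all the plaintext plus the optional plaintext length
	 * needed for RCMD V2 mode.  There should also be room
	 * at the head of the mblk for the confounder and hash info.
	 */
	inlen = (size_t)MBLKL(mp);

	/*
	 * The output size will be a multiple of 8 because this algorithm
	 * only works on 8 byte chunks.
	 */
	cipherlen = encrypt_size(&tmi->enc_data, inlen);

	ASSERT(MBLKSIZE(mp) >= cipherlen);

	/* Zero the tail so the pad bytes do not carry stale buffer data. */
	if (cipherlen > inlen) {
		bzero(mp->b_wptr, MBLKTAIL(mp));
	}

	/*
	 * Shift the rptr back enough to insert
	 * the confounder and hash.
	 */
	if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
		mp->b_rptr -= hash->confound_len;
	} else {
		mp->b_rptr -= (hash->confound_len + hash->hash_len);

		/* zero out the hash area */
		bzero(mp->b_rptr + hash->confound_len, (size_t)hash->hash_len);
	}

	/*
	 * Get a random confounder from the 'random' module.  Fail closed:
	 * if no random bytes are produced, the confounder area would still
	 * hold whatever was in the buffer, so the message is not sent.
	 */
	if (hash->confound_len > 0) {
		if (random_get_pseudo_bytes((uint8_t *)mp->b_rptr,
		    (size_t)hash->confound_len) != 0) {
			result = CRYPTO_FAILED;
			goto failure;
		}
	}

	/*
	 * For 3DES we calculate an HMAC later.
	 */
	if (tmi->enc_data.method != CRYPT_METHOD_DES3_CBC_SHA1) {
		/* calculate chksum of confounder + input */
		if (hash->hash_len > 0 && hash->hashfunc != NULL) {
			uchar_t cksum[MAX_CKSUM_LEN];

			result = hash->hashfunc(cksum, mp->b_rptr,
			    cipherlen);
			if (result != CRYPTO_SUCCESS) {
				goto failure;
			}

			/* put hash in place right after the confounder */
			bcopy(cksum, (mp->b_rptr + hash->confound_len),
			    (size_t)hash->hash_len);
		}
	}
	/*
	 * In order to support the "old" Kerberos RCMD protocol,
	 * we must use the IVEC 3 different ways:
	 *   IVEC_REUSE = keep using the same IV each time, this is
	 *		ugly and insecure, but necessary for
	 *		backwards compatibility with existing MIT code.
	 *   IVEC_ONETIME = Use the ivec as initialized when the crypto
	 *		was setup (see setup_crypto routine).
	 *   IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk).
	 */
	if (tmi->enc_data.ivec_usage == IVEC_NEVER) {
		bzero(tmi->enc_data.block, tmi->enc_data.blocklen);
	} else if (tmi->enc_data.ivec_usage == IVEC_REUSE) {
		bcopy(tmi->enc_data.ivec, tmi->enc_data.block,
		    tmi->enc_data.blocklen);
	}

	if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
		/*
		 * The input length already included the hash size,
		 * don't include this in the plaintext length
		 * calculations.
		 */
		plainlen = cipherlen - hash->hash_len;

		mp->b_wptr = mp->b_rptr + plainlen;

		result = kef_encr_hmac(&tmi->enc_data,
		    (void *)mp, (size_t)plainlen,
		    (char *)(mp->b_rptr + plainlen),
		    hash->hash_len);
	} else {
		ASSERT(mp->b_rptr + cipherlen <= DB_LIM(mp));
		mp->b_wptr = mp->b_rptr + cipherlen;
		result = kef_crypt(&tmi->enc_data, (void *)mp,
		    CRYPTO_DATA_MBLK, (size_t)cipherlen,
		    CRYPT_ENCRYPT);
	}
failure:
	if (result != CRYPTO_SUCCESS) {
#ifdef DEBUG
		cmn_err(CE_WARN,
		    "des_cbc_encrypt: kef_crypt encrypt "
		    "failed (len: %ld) - error %0x",
		    cipherlen, result);
#endif
		/* Reuse the data mblk as a one byte M_ERROR(EIO) reply. */
		mp->b_datap->db_type = M_ERROR;
		mp->b_rptr = mp->b_datap->db_base;
		*mp->b_rptr = EIO;
		mp->b_wptr = mp->b_rptr + sizeof (char);
		freemsg(mp->b_cont);
		mp->b_cont = NULL;
		qreply(WR(q), mp);
		return (NULL);
	} else if (tmi->enc_data.ivec_usage == IVEC_ONETIME) {
		/*
		 * Because we are using KEF, we must manually
		 * update our IV.
		 */
		bcopy(mp->b_wptr - tmi->enc_data.ivlen,
		    tmi->enc_data.block, tmi->enc_data.ivlen);
	}
	if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
		mp->b_wptr = mp->b_rptr + cipherlen;
	}

	return (mp);
}

/*
 * des_cbc_decrypt
 *
 *
 * Needed to support userland apps that must support Kerberos V5
 * encryption DES-CBC decryption modes.
 *
 * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1
 *
 * format of ciphertext for DES-CBC functions, per RFC1510 is:
 *  +-----------+----------+-------------+-----+
 *  |confounder |  cksum   |   msg-data  | pad |
 *  +-----------+----------+-------------+-----+
 *
 * format of ciphertext when using DES3-SHA1-HMAC
 *  +-----------+----------+-------------+-----+
 *  |confounder |  msg-data   |   hmac   | pad |
 *  +-----------+----------+-------------+-----+
 *
 *  The confounder is 8 bytes of random data.
 *  The cksum depends on the hash being used.
 *   4 bytes for CRC32
 *  16 bytes for MD5
 *  20 bytes for SHA1
 *   0 bytes for RAW
 *
 * The input is ciphertext received from the peer, so its length is
 * checked against the confounder, checksum and IV sizes before any
 * pointer arithmetic is done with it.
 *
 * Returns the mblk trimmed to the decrypted message data, or NULL once
 * the mblk has been turned into an M_ERROR(EIO) message and sent back
 * with qreply() (bad length, decrypt failure or checksum mismatch).
 */
static mblk_t *
des_cbc_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash)
{
	uint_t inlen, datalen, cryptlen, i;
	size_t ivlen = (size_t)tmi->dec_data.ivlen;
	int des3 = (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1);
	int result = 0;
	uchar_t *optr = NULL;
	uchar_t diff = 0;
	uchar_t cksum[MAX_CKSUM_LEN], newcksum[MAX_CKSUM_LEN];
	uchar_t nextiv[DEFAULT_DES_BLOCKLEN];

	/* Compute adjusted size */
	inlen = MBLKL(mp);

	optr = mp->b_rptr;

	/*
	 * A message shorter than confounder + checksum cannot be valid.
	 * Without this check the unsigned subtractions below wrap and
	 * move b_rptr/b_wptr outside the data block.
	 */
	if (inlen < (uint_t)hash->confound_len + (uint_t)hash->hash_len) {
#ifdef DEBUG
		cmn_err(CE_WARN, "des_cbc_decrypt: input too short");
#endif
		goto fail;
	}

	/* For 3DES the trailing HMAC is not part of the encrypted data. */
	cryptlen = des3 ? inlen - (uint_t)hash->hash_len : inlen;

	/*
	 * The next IV is the last ivlen bytes of ciphertext; make sure
	 * that many bytes exist and that they fit in 'nextiv'.
	 */
	if (tmi->dec_data.ivec_usage == IVEC_ONETIME &&
	    (ivlen > sizeof (nextiv) || ivlen > (size_t)cryptlen)) {
#ifdef DEBUG
		cmn_err(CE_WARN, "des_cbc_decrypt: input shorter than IV");
#endif
		goto fail;
	}

	/*
	 * In order to support the "old" Kerberos RCMD protocol,
	 * we must use the IVEC 3 different ways:
	 *   IVEC_REUSE = keep using the same IV each time, this is
	 *		ugly and insecure, but necessary for
	 *		backwards compatibility with existing MIT code.
	 *   IVEC_ONETIME = Use the ivec as initialized when the crypto
	 *		was setup (see setup_crypto routine).
	 *   IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk).
	 */
	if (tmi->dec_data.ivec_usage == IVEC_NEVER)
		bzero(tmi->dec_data.block, tmi->dec_data.blocklen);
	else if (tmi->dec_data.ivec_usage == IVEC_REUSE)
		bcopy(tmi->dec_data.ivec, tmi->dec_data.block,
		    tmi->dec_data.blocklen);

	/*
	 * Because we are using KEF, we must manually update our IV.
	 * Save the last ciphertext block now, before it is decrypted
	 * in place.  The offset uses the decrypt side's ivlen; the
	 * previous code took it from enc_data in the non-3DES case.
	 */
	if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
		bcopy(mp->b_rptr + cryptlen - ivlen, nextiv, ivlen);
	}

	if (des3) {
		/*
		 * Do not decrypt the HMAC at the end
		 */
		int decrypt_len = (int)cryptlen;

		/*
		 * Move the wptr so the mblk appears to end
		 * BEFORE the HMAC section.
		 */
		mp->b_wptr = mp->b_rptr + decrypt_len;

		result = kef_decr_hmac(&tmi->dec_data, mp, decrypt_len,
		    (char *)newcksum, hash->hash_len);
	} else {
		result = kef_crypt(&tmi->dec_data, (void *)mp,
		    CRYPTO_DATA_MBLK, (size_t)inlen, CRYPT_DECRYPT);
	}
	if (result != CRYPTO_SUCCESS) {
#ifdef DEBUG
		cmn_err(CE_WARN,
		    "des_cbc_decrypt: kef_crypt decrypt "
		    "failed - error %0x", result);
#endif
		goto fail;
	}

	/*
	 * Manually update the IV, KEF does not track this for us.
	 */
	if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
		bcopy(nextiv, tmi->dec_data.block, ivlen);
	}

	/* Verify the checksum(if necessary) */
	if (hash->hash_len > 0) {
		ASSERT(hash->hash_len <= MAX_CKSUM_LEN);

		if (des3) {
			/* newcksum was filled in by kef_decr_hmac above. */
			bcopy(mp->b_rptr + inlen - hash->hash_len, cksum,
			    hash->hash_len);
		} else {
			bcopy(optr + hash->confound_len, cksum, hash->hash_len);

			/* zero the cksum in the buffer */
			ASSERT(optr + hash->confound_len + hash->hash_len <=
			    DB_LIM(mp));
			bzero(optr + hash->confound_len, hash->hash_len);

			/*
			 * Calculate the chksum of confounder + input.  If
			 * it cannot be computed, newcksum would be
			 * uninitialized stack data, so treat that as a
			 * verification failure rather than comparing it.
			 */
			if (hash->hashfunc == NULL ||
			    hash->hashfunc(newcksum, optr, inlen) !=
			    CRYPTO_SUCCESS) {
				goto badsum;
			}
		}

		/*
		 * Compare every byte regardless of where the first
		 * mismatch is, so the time taken does not depend on how
		 * much of a forged checksum/HMAC was correct.
		 */
		for (i = 0; i < (uint_t)hash->hash_len; i++)
			diff |= (uchar_t)(cksum[i] ^ newcksum[i]);

		if (diff != 0)
			goto badsum;
	}

	datalen = inlen - hash->confound_len - hash->hash_len;

	/* Move just the decrypted input into place if necessary */
	if (hash->confound_len > 0 || hash->hash_len > 0) {
		if (des3)
			mp->b_rptr += hash->confound_len;
		else
			mp->b_rptr += hash->confound_len + hash->hash_len;
	}

	ASSERT(mp->b_rptr + datalen <= DB_LIM(mp));
	mp->b_wptr = mp->b_rptr + datalen;

	return (mp);

badsum:
#ifdef DEBUG
	cmn_err(CE_WARN, "des_cbc_decrypt: checksum "
	    "verification failed");
#endif
fail:
	/* Reuse the data mblk as a one byte M_ERROR(EIO) reply. */
	mp->b_datap->db_type = M_ERROR;
	mp->b_rptr = mp->b_datap->db_base;
	*mp->b_rptr = EIO;
	mp->b_wptr = mp->b_rptr + sizeof (char);
	freemsg(mp->b_cont);
	mp->b_cont = NULL;
	qreply(WR(q), mp);
	return (NULL);
}

/*
 * do_decrypt
 *
 * Generic decryption routine for a single message block; dispatches on
 * the configured decrypt method.  A NULL return means the message was
 * consumed (freed or turned into an error reply) by the routine.
 */
static mblk_t *
do_decrypt(queue_t *q, mblk_t *mp)
{
	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
	mblk_t *outmp;

	switch (tmi->dec_data.method) {
	case CRYPT_METHOD_DES_CFB:
		outmp = des_cfb_decrypt(q, tmi, mp);
		break;
	case CRYPT_METHOD_NONE:
		outmp = mp;
		break;
	case CRYPT_METHOD_DES_CBC_NULL:
		outmp = des_cbc_decrypt(q, tmi, mp, &null_hash);
		break;
	case CRYPT_METHOD_DES_CBC_MD5:
		outmp = des_cbc_decrypt(q, tmi, mp, &md5_hash);
		break;
	case CRYPT_METHOD_DES_CBC_CRC:
		outmp = des_cbc_decrypt(q, tmi, mp, &crc32_hash);
		break;
	case CRYPT_METHOD_DES3_CBC_SHA1:
		outmp = des_cbc_decrypt(q, tmi, mp, &sha1_hash);
		break;
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
		outmp = arcfour_hmac_md5_decrypt(q, tmi, mp, &md5_hash);
		break;
	case CRYPT_METHOD_AES128:
	case CRYPT_METHOD_AES256:
		outmp = aes_decrypt(q, tmi, mp, &sha1_hash);
		break;
	default:
		/*
		 * Unknown method: previously 'outmp' was returned
		 * uninitialized.  Drop the message instead of passing
		 * undecrypted data upstream.
		 */
		cmn_err(CE_WARN, "do_decrypt: unknown crypto method (%d)",
		    (int)tmi->dec_data.method);
		freemsg(mp);
		outmp = NULL;
		break;
	}
	return (outmp);
}

/*
 * do_encrypt
 *
 * Generic encryption routine for a single message block.
 * The input mblk may be replaced by some encrypt routines
 * because they add extra data in some cases that may exceed
 * the input mblk_t size limit.
 * A NULL return means the message was consumed by the routine.
 */
static mblk_t *
do_encrypt(queue_t *q, mblk_t *mp)
{
	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
	mblk_t *outmp;

	switch (tmi->enc_data.method) {
	case CRYPT_METHOD_DES_CFB:
		outmp = des_cfb_encrypt(q, tmi, mp);
		break;
	case CRYPT_METHOD_DES_CBC_NULL:
		outmp = des_cbc_encrypt(q, tmi, mp, &null_hash);
		break;
	case CRYPT_METHOD_DES_CBC_MD5:
		outmp = des_cbc_encrypt(q, tmi, mp, &md5_hash);
		break;
	case CRYPT_METHOD_DES_CBC_CRC:
		outmp = des_cbc_encrypt(q, tmi, mp, &crc32_hash);
		break;
	case CRYPT_METHOD_DES3_CBC_SHA1:
		outmp = des_cbc_encrypt(q, tmi, mp, &sha1_hash);
		break;
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
		outmp = arcfour_hmac_md5_encrypt(q, tmi, mp, &md5_hash);
		break;
	case CRYPT_METHOD_AES128:
	case CRYPT_METHOD_AES256:
		outmp = aes_encrypt(q, tmi, mp, &sha1_hash);
		break;
	case CRYPT_METHOD_NONE:
		outmp = mp;
		break;
	default:
		/*
		 * Unknown method: previously 'outmp' was returned
		 * uninitialized.  Fail closed; never send the plaintext
		 * downstream when the method is not understood.
		 */
		cmn_err(CE_WARN, "do_encrypt: unknown crypto method (%d)",
		    (int)tmi->enc_data.method);
		freemsg(mp);
		outmp = NULL;
		break;
	}
	return (outmp);
}

/*
 * setup_crypto
 *
 * This takes the data from the CRYPTIOCSETUP ioctl
 * and sets up a cipher_data_t structure for either
 * encryption or decryption.  This is where the
 * key and initialization vector data get stored
 * prior to beginning any crypto functions.
 *
 * Special note:
 *   Some applications(e.g. telnetd) have ability to switch
 *   crypto on/off periodically.  Thus, the application may call
 *   the CRYPTIOCSETUP ioctl many times for the same stream.
 *   If the CRYPTIOCSETUP is called with 0 length key or ivec fields
 *   assume that the key, block, and saveblock fields that are already
 *   set from a previous CRYPTIOCSETUP call are still valid.  This helps
 *   avoid a rekeying error that could occur if we overwrite these fields
 *   with each CRYPTIOCSETUP call.
 *   In short, sometimes, CRYPTIOCSETUP is used to simply toggle on/off
 *   without resetting the original crypto parameters.
 *
 * 'ci' is the ioctl payload, 'cd' the per-direction state to fill in
 * and 'encrypt' is non-zero for the encrypt direction.
 * Returns 0 on success; EINVAL, ENOMEM or CRYPTO_FAILED otherwise.
 *
 * NOTE(review): ci->keylen and ci->iveclen are taken from the ioctl
 * payload and used as bcopy() lengths on ci->key / ci->ivec.  Confirm
 * that the field types in struct cr_info_t cannot exceed the storage
 * that the caller pulled up with miocpullup().
 */
static int
setup_crypto(struct cr_info_t *ci, struct cipher_data_t *cd, int encrypt)
{
	uint_t newblocklen;
	uint32_t enc_usage = 0, dec_usage = 0;
	int rv;

	/*
	 * Initial sanity checks
	 */
	if (!CR_METHOD_OK(ci->crypto_method)) {
		cmn_err(CE_WARN, "Illegal crypto method (%d)",
		    ci->crypto_method);
		return (EINVAL);
	}
	if (!CR_OPTIONS_OK(ci->option_mask)) {
		cmn_err(CE_WARN, "Illegal crypto options (%d)",
		    ci->option_mask);
		return (EINVAL);
	}
	if (!CR_IVUSAGE_OK(ci->ivec_usage)) {
		cmn_err(CE_WARN, "Illegal ivec usage value (%d)",
		    ci->ivec_usage);
		return (EINVAL);
	}

	cd->method = ci->crypto_method;
	cd->bytes = 0;

	if (ci->keylen > 0) {
		if (cd->key != NULL) {
			/*
			 * Scrub the old key before the memory goes back
			 * to the allocator, as is already done for the
			 * derived keys below.
			 */
			bzero(cd->key, cd->keylen);
			kmem_free(cd->key, cd->keylen);
			cd->key = NULL;
			cd->keylen = 0;
		}
		/*
		 * cd->key holds the copy of the raw key bytes passed in
		 * from the userland app.
		 */
		cd->key = (char *)kmem_alloc((size_t)ci->keylen, KM_SLEEP);

		cd->keylen = ci->keylen;
		bcopy(ci->key, cd->key, (size_t)ci->keylen);
	}

	/*
	 * Configure the block size based on the type of cipher.
	 */
	switch (cd->method) {
	case CRYPT_METHOD_NONE:
		newblocklen = 0;
		break;
	case CRYPT_METHOD_DES_CFB:
		newblocklen = DEFAULT_DES_BLOCKLEN;
		cd->mech_type = crypto_mech2id(SUN_CKM_DES_ECB);
		break;
	case CRYPT_METHOD_DES_CBC_NULL:
	case CRYPT_METHOD_DES_CBC_MD5:
	case CRYPT_METHOD_DES_CBC_CRC:
		newblocklen = DEFAULT_DES_BLOCKLEN;
		cd->mech_type = crypto_mech2id(SUN_CKM_DES_CBC);
		break;
	case CRYPT_METHOD_DES3_CBC_SHA1:
		newblocklen = DEFAULT_DES_BLOCKLEN;
		cd->mech_type = crypto_mech2id(SUN_CKM_DES3_CBC);
		/* 3DES always uses the old usage constant */
		enc_usage = RCMDV1_USAGE;
		dec_usage = RCMDV1_USAGE;
		break;
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
		newblocklen = 0;
		cd->mech_type = crypto_mech2id(SUN_CKM_RC4);
		break;
	case CRYPT_METHOD_AES128:
	case CRYPT_METHOD_AES256:
		newblocklen = DEFAULT_AES_BLOCKLEN;
		cd->mech_type = crypto_mech2id(SUN_CKM_AES_ECB);
		enc_usage = AES_ENCRYPT_USAGE;
		dec_usage = AES_DECRYPT_USAGE;
		break;
	default:
		/*
		 * Not expected after CR_METHOD_OK(), but without this
		 * 'newblocklen' would be used uninitialized below.
		 */
		return (EINVAL);
	}
	if (cd->mech_type == CRYPTO_MECH_INVALID) {
		return (CRYPTO_FAILED);
	}

	/*
	 * If RC4, initialize the master crypto key used by
	 * the RC4 algorithm to derive the final encrypt and decrypt keys.
	 */
	if (cd->keylen > 0 && IS_RC4_METHOD(cd->method)) {
		/*
		 * cd->ckey is a kernel crypto key structure used as the
		 * master key in the RC4-HMAC crypto operations.
		 */
		if (cd->ckey == NULL) {
			cd->ckey = (crypto_key_t *)kmem_zalloc(
			    sizeof (crypto_key_t), KM_SLEEP);
		}

		cd->ckey->ck_format = CRYPTO_KEY_RAW;
		cd->ckey->ck_data = cd->key;

		/* key length for EF is measured in bits */
		cd->ckey->ck_length = cd->keylen * 8;
	}

	/*
	 * cd->block and cd->saveblock are used as temporary storage for
	 * data that must be carried over between encrypt/decrypt operations
	 * in some of the "feedback" modes.
	 */
	if (newblocklen != cd->blocklen) {
		if (cd->block != NULL) {
			kmem_free(cd->block, cd->blocklen);
			cd->block = NULL;
		}

		if (cd->saveblock != NULL) {
			kmem_free(cd->saveblock, cd->blocklen);
			cd->saveblock = NULL;
		}

		cd->blocklen = newblocklen;
		if (cd->blocklen) {
			cd->block = (char *)kmem_zalloc((size_t)cd->blocklen,
			    KM_SLEEP);
		}

		if (cd->method == CRYPT_METHOD_DES_CFB)
			cd->saveblock = (char *)kmem_zalloc(cd->blocklen,
			    KM_SLEEP);
		else
			cd->saveblock = NULL;
	}

	/*
	 * Reject an oversized IV before allocating for it.  The same
	 * request is refused further down once cd->ivlen is set; checking
	 * here keeps a caller-chosen length from sizing a KM_SLEEP
	 * allocation first.
	 */
	if (ci->iveclen != cd->ivlen && ci->ivec_usage != IVEC_NEVER &&
	    ci->iveclen > 0 && (uint_t)ci->iveclen > cd->blocklen) {
		cmn_err(CE_WARN, "setup_crypto: IV longer than block size");
		return (EINVAL);
	}

	if (ci->iveclen != cd->ivlen) {
		if (cd->ivec != NULL) {
			kmem_free(cd->ivec, cd->ivlen);
			cd->ivec = NULL;
		}
		if (ci->ivec_usage != IVEC_NEVER && ci->iveclen > 0) {
			cd->ivec = (char *)kmem_zalloc((size_t)ci->iveclen,
			    KM_SLEEP);
			cd->ivlen = ci->iveclen;
		} else {
			cd->ivlen = 0;
			cd->ivec = NULL;
		}
	}
	cd->option_mask = ci->option_mask;

	/*
	 * Old protocol requires a static 'usage' value for
	 * deriving keys.  Yuk.
	 */
	if (cd->option_mask & CRYPTOPT_RCMD_MODE_V1) {
		enc_usage = dec_usage = RCMDV1_USAGE;
	}

	if (cd->ivlen > cd->blocklen) {
		cmn_err(CE_WARN, "setup_crypto: IV longer than block size");
		return (EINVAL);
	}

	/*
	 * If we are using an IVEC "correctly" (i.e. set it once)
	 * copy it here.
	 */
	if (ci->ivec_usage == IVEC_ONETIME && cd->block != NULL)
		bcopy(ci->ivec, cd->block, (size_t)cd->ivlen);

	cd->ivec_usage = ci->ivec_usage;
	if (cd->ivec != NULL) {
		/* Save the original IVEC in case we need it later */
		bcopy(ci->ivec, cd->ivec, (size_t)cd->ivlen);
	}
	/*
	 * Special handling for 3DES-SHA1-HMAC and AES crypto:
	 * generate derived keys and context templates
	 * for better performance.
	 */
	if (cd->method == CRYPT_METHOD_DES3_CBC_SHA1 ||
	    IS_AES_METHOD(cd->method)) {
		crypto_mechanism_t enc_mech;
		crypto_mechanism_t hmac_mech;

		/*
		 * Release the previous derived keys and templates and
		 * clear the pointers, so that an error return below does
		 * not leave freed memory referenced from 'cd'.
		 *
		 * NOTE(review): the free size is the current cd->keylen,
		 * which may already have been replaced above; confirm it
		 * matches the size create_derived_keys() allocated.
		 */
		if (cd->d_encr_key.ck_data != NULL) {
			bzero(cd->d_encr_key.ck_data, cd->keylen);
			kmem_free(cd->d_encr_key.ck_data, cd->keylen);
			cd->d_encr_key.ck_data = NULL;
		}

		if (cd->d_hmac_key.ck_data != NULL) {
			bzero(cd->d_hmac_key.ck_data, cd->keylen);
			kmem_free(cd->d_hmac_key.ck_data, cd->keylen);
			cd->d_hmac_key.ck_data = NULL;
		}

		if (cd->enc_tmpl != NULL) {
			(void) crypto_destroy_ctx_template(cd->enc_tmpl);
			cd->enc_tmpl = NULL;
		}

		if (cd->hmac_tmpl != NULL) {
			(void) crypto_destroy_ctx_template(cd->hmac_tmpl);
			cd->hmac_tmpl = NULL;
		}

		enc_mech.cm_type = cd->mech_type;
		enc_mech.cm_param = cd->ivec;
		enc_mech.cm_param_len = cd->ivlen;

		hmac_mech.cm_type = sha1_hmac_mech;
		hmac_mech.cm_param = NULL;
		hmac_mech.cm_param_len = 0;

		/*
		 * Create the derived keys.
		 */
		rv = create_derived_keys(cd,
		    (encrypt ? enc_usage : dec_usage),
		    &cd->d_encr_key, &cd->d_hmac_key);

		if (rv != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "failed to create derived "
			    "keys: %0x", rv);
			return (CRYPTO_FAILED);
		}

		rv = crypto_create_ctx_template(&enc_mech,
		    &cd->d_encr_key,
		    &cd->enc_tmpl, KM_SLEEP);
		if (rv == CRYPTO_MECH_NOT_SUPPORTED) {
			cd->enc_tmpl = NULL;
		} else if (rv != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "failed to create enc template "
			    "for d_encr_key: %0x", rv);
			return (CRYPTO_FAILED);
		}

		rv = crypto_create_ctx_template(&hmac_mech,
		    &cd->d_hmac_key,
		    &cd->hmac_tmpl, KM_SLEEP);
		if (rv == CRYPTO_MECH_NOT_SUPPORTED) {
			cd->hmac_tmpl = NULL;
		} else if (rv != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "failed to create hmac template:"
			    " %0x", rv);
			return (CRYPTO_FAILED);
		}
	} else if (IS_RC4_METHOD(cd->method)) {
		bzero(&cd->d_encr_key, sizeof (crypto_key_t));
		bzero(&cd->d_hmac_key, sizeof (crypto_key_t));
		cd->ctx = NULL;
		cd->enc_tmpl = NULL;
		cd->hmac_tmpl = NULL;
	}

	/* Final sanity checks, make sure no fields are NULL */
	if (cd->method != CRYPT_METHOD_NONE) {
		if (cd->block == NULL && cd->blocklen > 0) {
#ifdef DEBUG
			cmn_err(CE_WARN,
			    "setup_crypto: IV block not allocated");
#endif
			return (ENOMEM);
		}
		if (cd->key == NULL && cd->keylen > 0) {
#ifdef DEBUG
			cmn_err(CE_WARN,
			    "setup_crypto: key block not allocated");
#endif
			return (ENOMEM);
		}
		if (cd->method == CRYPT_METHOD_DES_CFB &&
		    cd->saveblock == NULL && cd->blocklen > 0) {
#ifdef DEBUG
			cmn_err(CE_WARN,
			    "setup_crypto: save block not allocated");
#endif
			return (ENOMEM);
		}
		if (cd->ivec == NULL && cd->ivlen > 0) {
#ifdef DEBUG
			cmn_err(CE_WARN,
			    "setup_crypto: IV not allocated");
#endif
			return (ENOMEM);
		}
	}
	return (0);
}
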
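/*
 * RCMDS require a 4 byte, clear text
 * length field before each message.
 * Add it now.
 *
 * The length is stored in network byte order immediately in front of
 * bp->b_rptr.  If 'bp' has no room there, or its data block is shared,
 * a new 4 byte mblk is linked in front of it instead.
 *
 * Returns the (possibly new) head of the message, or NULL if that
 * extra mblk could not be allocated; 'bp' is left untouched then.
 */
static mblk_t *
mklenmp(mblk_t *bp, uint32_t len)
{
	mblk_t *lenmp;
	uchar_t *ucp;

	if (bp->b_rptr - DB_BASE(bp) < 4 || DB_REF(bp) > 1) {
		lenmp = allocb(4, BPRI_MED);
		if (lenmp == NULL) {
			/*
			 * Do not fall through: writing the length in
			 * front of bp->b_rptr here would land outside the
			 * data block or inside a shared one.
			 */
			return (NULL);
		}
		/* Start empty at the end so the bytes are written backwards */
		lenmp->b_rptr = lenmp->b_wptr = DB_LIM(lenmp);
		linkb(lenmp, bp);
		bp = lenmp;
	}
	ucp = bp->b_rptr;
	*--ucp = (uchar_t)len;
	*--ucp = (uchar_t)(len >> 8);
	*--ucp = (uchar_t)(len >> 16);
	*--ucp = (uchar_t)(len >> 24);

	bp->b_rptr = ucp;

	return (bp);
}

/*
 * encrypt_block
 *
 * Encrypt the 'plainlen' bytes at mp->b_rptr, making room for the
 * crypto header/tail and the RCMD length fields as needed.
 *
 * Returns the encrypted message, or NULL on failure.  'mp' is always
 * consumed: do_encrypt() already disposes of the message when it fails,
 * so the allocation failure paths free it as well instead of leaking it.
 */
static mblk_t *
encrypt_block(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, size_t plainlen)
{
	mblk_t *newmp;
	size_t headspace;

	mblk_t *cbp;
	size_t cipherlen;
	size_t extra = 0;
	uint32_t ptlen = (uint32_t)plainlen;
	/*
	 * If we are using the "NEW" RCMD mode,
	 * add 4 bytes to the plaintext for the
	 * plaintext length that gets prepended
	 * before encrypting.
	 */
	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
		ptlen += 4;

	cipherlen = encrypt_size(&tmi->enc_data, (size_t)ptlen);

	/*
	 * if we must allocb, then make sure its enough
	 * to hold the length field so we dont have to allocb
	 * again down below in 'mklenmp'
	 */
	if (ANY_RCMD_MODE(tmi->enc_data.option_mask)) {
		extra = sizeof (uint32_t);
	}

	/*
	 * Calculate how much space is needed in front of
	 * the data.
	 */
	headspace = plaintext_offset(&tmi->enc_data);

	/*
	 * If the current block is too small, reallocate
	 * one large enough to hold the hdr, tail, and
	 * ciphertext.
	 */
	if ((cipherlen + extra >= MBLKSIZE(mp)) || DB_REF(mp) > 1) {
		int sz = P2ROUNDUP(cipherlen+extra, 8);

		cbp = allocb_tmpl(sz, mp);
		if (cbp == NULL) {
			cmn_err(CE_WARN,
			    "allocb (%d bytes) failed", sz);
			freemsg(mp);
			return (NULL);
		}

		cbp->b_cont = mp->b_cont;

		/*
		 * headspace includes the length fields needed
		 * for the RCMD modes (v1 == 4 bytes, V2 = 8)
		 */
		ASSERT(cbp->b_rptr + P2ROUNDUP(plainlen+headspace, 8)
		    <= DB_LIM(cbp));

		cbp->b_rptr = DB_BASE(cbp) + headspace;
		bcopy(mp->b_rptr, cbp->b_rptr, plainlen);
		cbp->b_wptr = cbp->b_rptr + plainlen;

		freeb(mp);
	} else {
		/* Named apart from 'extra' above, which it used to shadow. */
		size_t tail = 0;
		cbp = mp;

		/*
		 * Some ciphers add HMAC after the final block
		 * of the ciphertext, not at the beginning like the
		 * 1-DES ciphers.
		 */
		if (tmi->enc_data.method ==
		    CRYPT_METHOD_DES3_CBC_SHA1 ||
		    IS_AES_METHOD(tmi->enc_data.method)) {
			tail = sha1_hash.hash_len;
		}

		/*
		 * Make sure the rptr is positioned correctly so that
		 * routines later do not have to shift this data around
		 */
		if ((cbp->b_rptr + P2ROUNDUP(cipherlen + tail, 8) >
		    DB_LIM(cbp)) ||
		    (cbp->b_rptr - headspace < DB_BASE(cbp))) {
			ovbcopy(cbp->b_rptr, DB_BASE(cbp) + headspace,
			    plainlen);
			cbp->b_rptr = DB_BASE(cbp) + headspace;
			cbp->b_wptr = cbp->b_rptr + plainlen;
		}
	}

	ASSERT(cbp->b_rptr - headspace >= DB_BASE(cbp));
	ASSERT(cbp->b_wptr <= DB_LIM(cbp));

	/*
	 * If using RCMD_MODE_V2 (new rcmd mode), prepend
	 * the plaintext length before the actual plaintext.
	 */
	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2) {
		cbp->b_rptr -= RCMD_LEN_SZ;

		/* put plaintext length at head of buffer */
		*(cbp->b_rptr + 3) = (uchar_t)(plainlen & 0xff);
		*(cbp->b_rptr + 2) = (uchar_t)((plainlen >> 8) & 0xff);
		*(cbp->b_rptr + 1) = (uchar_t)((plainlen >> 16) & 0xff);
		*(cbp->b_rptr) = (uchar_t)((plainlen >> 24) & 0xff);
	}

	newmp = do_encrypt(q, cbp);

	if (newmp != NULL &&
	    (tmi->enc_data.option_mask &
	    (CRYPTOPT_RCMD_MODE_V1 | CRYPTOPT_RCMD_MODE_V2))) {
		mblk_t *lp;
		/*
		 * Add length field, required when this is
		 * used to encrypt "r*" commands(rlogin, rsh)
		 * with Kerberos.
		 */
		lp = mklenmp(newmp, plainlen);

		if (lp == NULL) {
			/* freemsg, not freeb: newmp may carry a b_cont */
			freemsg(newmp);
			return (NULL);
		} else {
			newmp = lp;
		}
	}
	return (newmp);
}

/*
 * encrypt_msgb
 *
 * encrypt a single message.  This routine adds the
 * RCMD overhead bytes when necessary.
 *
 * Full MSGBUF_SIZE chunks are sent downstream from here with putnext();
 * the final (or only) encrypted chunk is returned to the caller.
 * Returns NULL when there is nothing to send or on failure; except in
 * the CRYPT_METHOD_NONE pass-through case 'mp' has been consumed then.
 */
static mblk_t *
encrypt_msgb(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
{
	size_t plainlen, outlen;
	mblk_t *newmp = NULL;

	/* If not encrypting, do nothing */
	if (tmi->enc_data.method == CRYPT_METHOD_NONE) {
		return (mp);
	}

	plainlen = MBLKL(mp);
	if (plainlen == 0) {
		/* Nothing to encrypt; the caller only sees NULL, so free it */
		freemsg(mp);
		return (NULL);
	}

	/*
	 * If the block is too big, we encrypt in 4K chunks so that
	 * older rlogin clients do not choke on the larger buffers.
	 */
	while ((plainlen = MBLKL(mp)) > MSGBUF_SIZE) {
		mblk_t *mp1 = NULL;
		outlen = MSGBUF_SIZE;
		/*
		 * Allocate a new buffer that is only 4K bytes, the
		 * extra bytes are for crypto overhead.
		 */
		mp1 = allocb(outlen + CONFOUNDER_BYTES, BPRI_MED);
		if (mp1 == NULL) {
			cmn_err(CE_WARN,
			    "allocb (%d bytes) failed",
			    (int)(outlen + CONFOUNDER_BYTES));
			freemsg(mp);
			return (NULL);
		}
		/* Copy the next 4K bytes from the old block. */
		bcopy(mp->b_rptr, mp1->b_rptr, outlen);
		mp1->b_wptr = mp1->b_rptr + outlen;
		/* Advance the old block. */
		mp->b_rptr += outlen;

		/* encrypt the new block */
		newmp = encrypt_block(q, tmi, mp1, outlen);
		if (newmp == NULL) {
			/* mp1 is gone already; drop the unsent remainder */
			freemsg(mp);
			return (NULL);
		}

		putnext(q, newmp);
	}
	newmp = NULL;
	/* If there is data left (< MSGBUF_SIZE), encrypt it. */
	if ((plainlen = MBLKL(mp)) > 0)
		newmp = encrypt_block(q, tmi, mp, plainlen);

	return (newmp);
}

/*
 * cryptmodwsrv
 *
 * Service routine for the write queue.
 *
 * Because data may be placed in the queue to hold between
 * the CRYPTIOCSTOP and CRYPTIOCSTART ioctls, the service routine is needed.
 */
static int
cryptmodwsrv(queue_t *q)
{
	mblk_t *mp;
	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;

	while ((mp = getq(q)) != NULL) {
		/*
		 * Both message classes wait on the queue until the next
		 * module can take data and the write side is started.
		 * (wput does not queue anything > QPCTL.)
		 */
		if (!canputnext(q) || !(tmi->ready & CRYPT_WRITE_READY)) {
			if (!putbq(q, mp)) {
				freemsg(mp);
			}
			return (0);
		}

		if (mp->b_datap->db_type == M_DATA) {
			mblk_t *bp;
			mblk_t *newmsg = NULL;

			/*
			 * If multiple msgs, concat into 1
			 * to minimize crypto operations later.
			 *
			 * NOTE(review): when msgpullup() fails the chain is
			 * passed on as is, and encrypt_msgb() sizes its work
			 * from the first mblk only.  Confirm that the
			 * b_cont blocks cannot go downstream unencrypted.
			 */
			if (mp->b_cont != NULL) {
				bp = msgpullup(mp, -1);
				if (bp != NULL) {
					freemsg(mp);
					mp = bp;
				}
			}
			newmsg = encrypt_msgb(q, tmi, mp);
			if (newmsg != NULL)
				putnext(q, newmsg);
		} else {
			putnext(q, mp);
		}
	}
	return (0);
}

/*
 * start_stream
 *
 * Handle CRYPTIOCSTARTENC / CRYPTIOCSTARTDEC: mark the given direction
 * ready, re-enable its queue and acknowledge the ioctl.  For the decrypt
 * direction any data attached to the ioctl is put back on the read
 * queue so that it is processed first.
 */
static void
start_stream(queue_t *wq, mblk_t *mp, uchar_t dir)
{
	mblk_t *newmp = NULL;
	struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr;

	if (dir == CRYPT_ENCRYPT) {
		tmi->ready |= CRYPT_WRITE_READY;
		(void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE,
		    "start_stream: restart ENCRYPT/WRITE q"));

		enableok(wq);
		qenable(wq);
	} else if (dir == CRYPT_DECRYPT) {
		/*
		 * put any extra data in the RD
		 * queue to be processed and
		 * sent back up.
		 */
		newmp = mp->b_cont;
		mp->b_cont = NULL;

		tmi->ready |= CRYPT_READ_READY;
		(void) (STRLOG(CRYPTMOD_ID, 0, 5,
		    SL_TRACE|SL_NOTE,
		    "start_stream: restart "
		    "DECRYPT/READ q"));

		if (newmp != NULL)
			if (!putbq(RD(wq), newmp))
				freemsg(newmp);

		enableok(RD(wq));
		qenable(RD(wq));
	}

	miocack(wq, mp, 0, 0);
}

/*
 * Write-side put procedure.  Its main task is to detect ioctls and
 * FLUSH operations.  Other message types are passed on through.
 *
 * M_DATA is passed straight on only when nothing is queued, the write
 * side is ready and no encryption is configured; otherwise it is queued
 * for cryptmodwsrv.
 */
static void
cryptmodwput(queue_t *wq, mblk_t *mp)
{
	struct iocblk *iocp;
	struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr;
	int ret, err;

	switch (mp->b_datap->db_type) {
	case M_DATA:
		if (wq->q_first == NULL && canputnext(wq) &&
		    (tmi->ready & CRYPT_WRITE_READY) &&
		    tmi->enc_data.method == CRYPT_METHOD_NONE) {
			putnext(wq, mp);
			return;
		}
		/* else, put it in the service queue */
		if (!putq(wq, mp)) {
			freemsg(mp);
		}
		break;
	case M_FLUSH:
		if (*mp->b_rptr & FLUSHW) {
			flushq(wq, FLUSHDATA);
		}
		putnext(wq, mp);
		break;
	case M_IOCTL:
		iocp = (struct iocblk *)mp->b_rptr;
		switch (iocp->ioc_cmd) {
		case CRYPTIOCSETUP:
			ret = 0;
			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
			    SL_TRACE | SL_NOTE,
			    "wput: got CRYPTIOCSETUP "
			    "ioctl(%d)", iocp->ioc_cmd));

			/* The payload must hold a complete cr_info_t. */
			if ((err = miocpullup(mp,
			    sizeof (struct cr_info_t))) != 0) {
				cmn_err(CE_WARN,
				    "wput: miocpullup failed for cr_info_t");
				miocnak(wq, mp, 0, err);
			} else {
				struct cr_info_t *ci;
				ci = (struct cr_info_t *)mp->b_cont->b_rptr;

				if (ci->direction_mask & CRYPT_ENCRYPT) {
					ret = setup_crypto(ci,
					    &tmi->enc_data, 1);
				}

				if (ret == 0 &&
				    (ci->direction_mask & CRYPT_DECRYPT)) {
					ret = setup_crypto(ci,
					    &tmi->dec_data, 0);
				}
				if (ret == 0 &&
				    (ci->direction_mask & CRYPT_DECRYPT) &&
				    ANY_RCMD_MODE(tmi->dec_data.option_mask)) {
					/*
					 * Free a partially collected
					 * ciphertext mblk first; zeroing
					 * the state would otherwise drop
					 * the only reference to it.
					 */
					if (tmi->rcmd_state.c_msg != NULL)
						freemsg(tmi->rcmd_state.c_msg);
					bzero(&tmi->rcmd_state,
					    sizeof (tmi->rcmd_state));
				}
				if (ret == 0) {
					miocack(wq, mp, 0, 0);
				} else {
					cmn_err(CE_WARN,
					    "wput: setup_crypto failed");
					miocnak(wq, mp, 0, ret);
				}
				(void) (STRLOG(CRYPTMOD_ID, 0, 5,
				    SL_TRACE|SL_NOTE,
				    "wput: done with SETUP "
				    "ioctl"));
			}
			break;
		case CRYPTIOCSTOP:
			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
			    SL_TRACE|SL_NOTE,
			    "wput: got CRYPTIOCSTOP "
			    "ioctl(%d)", iocp->ioc_cmd));

			if ((err = miocpullup(mp, sizeof (uint32_t))) != 0) {
				cmn_err(CE_WARN,
				    "wput: CRYPTIOCSTOP ioctl wrong "
				    "size (%d should be %d)",
				    (int)iocp->ioc_count,
				    (int)sizeof (uint32_t));
				miocnak(wq, mp, 0, err);
			} else {
				uint32_t *stopdir;

				stopdir = (uint32_t *)mp->b_cont->b_rptr;
				if (!CR_DIRECTION_OK(*stopdir)) {
					miocnak(wq, mp, 0, EINVAL);
					return;
				}

				/* disable the queues until further notice */
				if (*stopdir & CRYPT_ENCRYPT) {
					noenable(wq);
					tmi->ready &= ~CRYPT_WRITE_READY;
				}
				if (*stopdir & CRYPT_DECRYPT) {
					noenable(RD(wq));
					tmi->ready &= ~CRYPT_READ_READY;
				}

				miocack(wq, mp, 0, 0);
			}
			break;
		case CRYPTIOCSTARTDEC:
			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
			    SL_TRACE|SL_NOTE,
			    "wput: got CRYPTIOCSTARTDEC "
			    "ioctl(%d)", iocp->ioc_cmd));

			start_stream(wq, mp, CRYPT_DECRYPT);
			break;
		case CRYPTIOCSTARTENC:
			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
			    SL_TRACE|SL_NOTE,
			    "wput: got CRYPTIOCSTARTENC "
			    "ioctl(%d)", iocp->ioc_cmd));

			start_stream(wq, mp, CRYPT_ENCRYPT);
			break;
		default:
			putnext(wq, mp);
			break;
		}
		break;
	default:
		/* Ordinary messages keep their order behind queued data. */
		if (queclass(mp) < QPCTL) {
			if (wq->q_first != NULL || !canputnext(wq)) {
				if (!putq(wq, mp))
					freemsg(mp);
				return;
			}
		}
		putnext(wq, mp);
		break;
	}
}

/*
 * decrypt_rcmd_mblks
 *
 * Because kerberized r* commands(rsh, rlogin, etc)
 * use a 4 byte length field to indicate the # of
 * PLAINTEXT bytes that are encrypted in the field
 * that follows, we must parse out each message and
 * break out the length fields prior to sending them
 * upstream to our Solaris r* clients/servers which do
 * NOT understand this format.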
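 *
 * Kerberized/encrypted message format:
 * -------------------------------
 * | XXXX | N bytes of ciphertext|
 * -------------------------------
 *
 * Where: XXXX = number of plaintext bytes that were encrypted in
 *		to make the ciphertext field.  This is done
 *		because we are using a cipher that pads out to
 *		an 8 byte boundary.  We only want the application
 *		layer to see the correct number of plain text bytes,
 *		not plaintext + pad.  So, after we decrypt, we
 *		must trim the output block down to the intended
 *		plaintext length and eliminate the pad bytes.
 *
 * This routine takes the entire input message, strips the length
 * field, and accumulates the ciphertext in tmi->rcmd_state.c_msg
 * until a whole block has arrived.  The block is then passed to
 * do_decrypt() and the result, trimmed to XXXX bytes, is returned.
 *
 * Returns NULL when more input is needed or when an error was handled
 * here.  The input message is consumed in either case: freed, put back
 * on the queue, or reused as the M_ERROR reply.
 *
 * XXXX arrives unauthenticated from the peer, so every length derived
 * from it is checked against the real mblk bounds before use.  Any
 * inconsistency breaks the connection with M_ERROR/EIO.
 *
 * Parser state kept in tmi->rcmd_state between calls:
 *	pt_len   - 0 while the length field is still being read, else
 *		   the plaintext length announced by the sender.
 *	cd_len   - while pt_len == 0: number of length-field bytes
 *		   received so far; afterwards: ciphertext bytes expected.
 *	next_len - staging area for the 4 length bytes.
 *	c_msg    - mblk that collects the ciphertext.
 */
static mblk_t *
decrypt_rcmd_mblks(queue_t *q, mblk_t *mp)
{
	mblk_t *newmp = NULL;
	mblk_t *errmp;
	size_t msglen;
	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;

	msglen = msgsize(mp);

	/*
	 * If we need the length field, get it here.
	 * Test the "plaintext length" indicator.
	 */
	if (tmi->rcmd_state.pt_len == 0) {
		uint32_t elen;
		size_t tocopy = 0;
		mblk_t *nextp;

		/*
		 * Make sure we have received all 4 bytes of the
		 * length field.
		 */
		while (mp != NULL) {
			size_t avail = MBLKL(mp);

			ASSERT(tmi->rcmd_state.cd_len < sizeof (uint32_t));

			/*
			 * Bound the copy by the bytes present in THIS
			 * mblk.  Bounding by the size of the whole chain
			 * would let a short first mblk be read past
			 * b_wptr.
			 */
			tocopy = sizeof (uint32_t) - tmi->rcmd_state.cd_len;
			if (tocopy > avail)
				tocopy = avail;

			ASSERT(mp->b_rptr + tocopy <= mp->b_wptr);

			/*
			 * Cast before adding so that cd_len is a byte
			 * offset into next_len.  Adding first would scale
			 * the offset by the field size and write outside
			 * the field whenever the length arrives in pieces.
			 */
			bcopy(mp->b_rptr,
			    (char *)&tmi->rcmd_state.next_len +
			    tmi->rcmd_state.cd_len, tocopy);

			tmi->rcmd_state.cd_len += tocopy;

			if (tmi->rcmd_state.cd_len >= sizeof (uint32_t)) {
				tmi->rcmd_state.next_len =
				    ntohl(tmi->rcmd_state.next_len);
				break;
			}

			/*
			 * This mblk held only length bytes and is now
			 * fully consumed; account for it and move on.
			 */
			msglen -= tocopy;
			nextp = mp->b_cont;
			mp->b_cont = NULL;
			freeb(mp);
			mp = nextp;
		}

		/* Length field still incomplete; wait for more data. */
		if (mp == NULL) {
			return (NULL);
		}

		/*
		 * recalculate the msglen now that we've read the
		 * length and adjusted the bufptr (b_rptr).
		 */
		msglen -= tocopy;
		mp->b_rptr += tocopy;

		tmi->rcmd_state.pt_len = tmi->rcmd_state.next_len;

		if (tmi->rcmd_state.pt_len <= 0) {
			/*
			 * Return an IO error to break the connection. there
			 * is no way to recover from this.  Usually it means
			 * the app has incorrectly requested decryption on
			 * a non-encrypted stream, thus the "pt_len" field
			 * is negative.
			 *
			 * NOTE(review): if pt_len is an unsigned type this
			 * test only rejects 0 and an oversized length is
			 * caught only when allocb() below fails - confirm
			 * against the rcmd_state declaration.
			 */
			errmp = mp;
			goto eio;
		}

		/*
		 * If this is V2 mode, then the encrypted data is actually
		 * 4 bytes bigger than the indicated len because the plaintext
		 * length is encrypted for an additional security check, but
		 * its not counted as part of the overall length we just read.
		 * Strange and confusing, but true.
		 *
		 * NOTE(review): elen is 32 bits wide, so "pt_len + 4" can
		 * wrap if pt_len is allowed to be close to the 32-bit
		 * maximum; the post-decrypt checks below then reject the
		 * block.  Consider an explicit upper bound on pt_len.
		 */
		if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
			elen = tmi->rcmd_state.pt_len + 4;
		else
			elen = tmi->rcmd_state.pt_len;

		/* From here on cd_len is the expected ciphertext size. */
		tmi->rcmd_state.cd_len = encrypt_size(&tmi->dec_data, elen);

		/*
		 * Allocate an mblk to hold the cipher text until it is
		 * all ready to be processed.
		 */
		tmi->rcmd_state.c_msg = allocb(tmi->rcmd_state.cd_len,
		    BPRI_HI);
		if (tmi->rcmd_state.c_msg == NULL) {
#ifdef DEBUG
			cmn_err(CE_WARN, "decrypt_rcmd_msgb: allocb failed "
			    "for %d bytes",
			    (int)tmi->rcmd_state.cd_len);
#endif
			/*
			 * Return an IO error to break the connection.
			 */
			errmp = mp;
			goto eio;
		}
	}

	/*
	 * If this entire message was just the length field,
	 * free and return.  The actual data will probably be next.
	 */
	if (msglen == 0) {
		freemsg(mp);
		return (NULL);
	}

	/*
	 * Copy as much of the cipher text as possible into
	 * the new msgb (c_msg).
	 *
	 * Logic: if we got some bytes (msglen) and we still
	 * "need" some bytes (len-rcvd), get them here.
	 */
	ASSERT(tmi->rcmd_state.c_msg != NULL);
	if (msglen > 0 &&
	    (tmi->rcmd_state.cd_len > MBLKL(tmi->rcmd_state.c_msg))) {
		mblk_t *bp, *nextp;
		size_t n;

		/*
		 * Walk the mblks and copy just as many bytes as we need
		 * for this particular block of cipher text.
		 */
		bp = mp;
		while (bp != NULL) {
			size_t needed;
			size_t tocopy;

			n = MBLKL(bp);

			needed = tmi->rcmd_state.cd_len -
			    MBLKL(tmi->rcmd_state.c_msg);

			/* Never take more than this mblk actually holds. */
			tocopy = (needed >= n ? n : needed);

			ASSERT(bp->b_rptr + tocopy <= DB_LIM(bp));
			ASSERT(tmi->rcmd_state.c_msg->b_wptr + tocopy <=
			    DB_LIM(tmi->rcmd_state.c_msg));

			/* Copy to end of new mblk */
			bcopy(bp->b_rptr, tmi->rcmd_state.c_msg->b_wptr,
			    tocopy);

			tmi->rcmd_state.c_msg->b_wptr += tocopy;

			bp->b_rptr += tocopy;

			/* Remember the rest of the chain before freeing bp. */
			nextp = bp->b_cont;

			/*
			 * If we used this whole block, free it and
			 * move on.
			 */
			if (!MBLKL(bp)) {
				freeb(bp);
				bp = NULL;
			}

			/* If we got what we needed, stop the loop */
			if (MBLKL(tmi->rcmd_state.c_msg) ==
			    tmi->rcmd_state.cd_len) {
				/*
				 * If there is more data in the message,
				 * its for another block of cipher text,
				 * put it back in the queue for next time.
				 */
				if (bp) {
					if (!putbq(q, bp))
						freemsg(bp);
				} else if (nextp != NULL) {
					/*
					 * If there is more, put it back in the
					 * queue for another pass thru.
					 */
					if (!putbq(q, nextp))
						freemsg(nextp);
				}
				break;
			}
			bp = nextp;
		}
	}

	/*
	 * Finally, if we received all the cipher text data for
	 * this message, decrypt it into a new msg and send it up
	 * to the app.
	 */
	if (tmi->rcmd_state.pt_len > 0 &&
	    MBLKL(tmi->rcmd_state.c_msg) == tmi->rcmd_state.cd_len) {
		mblk_t *bp;
		mblk_t *newbp;

		/*
		 * Now we can use our msg that we created when the
		 * initial message boundary was detected.
		 */
		bp = tmi->rcmd_state.c_msg;
		tmi->rcmd_state.c_msg = NULL;

		newbp = do_decrypt(q, bp);
		if (newbp == NULL) {
#ifdef DEBUG
			cmn_err(CE_WARN,
			    "decrypt_rcmd: do_decrypt on %d bytes failed",
			    (int)tmi->rcmd_state.cd_len);
#endif
			/*
			 * do_decrypt already handled failures, just
			 * return NULL.
			 */
			tmi->rcmd_state.pt_len = 0;
			tmi->rcmd_state.cd_len = 0;
			return (NULL);
		}
		bp = newbp;

		/*
		 * If using RCMD_MODE_V2 ("new" mode),
		 * look at the 4 byte plaintext length that
		 * was just decrypted and compare with the
		 * original pt_len value that was received.
		 */
		if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2) {
			uint32_t pt_len2;

			/* The decrypted block must hold the 4 bytes. */
			if (MBLKL(bp) < (int)sizeof (uint32_t)) {
				errmp = bp;
				goto eio;
			}

			/* b_rptr is not guaranteed to be 4-byte aligned. */
			bcopy(bp->b_rptr, &pt_len2, sizeof (pt_len2));
			pt_len2 = ntohl(pt_len2);
			/*
			 * Make sure the 2 pt len fields agree.
			 */
			if (pt_len2 != tmi->rcmd_state.pt_len) {
				cmn_err(CE_WARN,
				    "Inconsistent length fields"
				    " received %d != %d",
				    (int)tmi->rcmd_state.pt_len,
				    (int)pt_len2);
				errmp = bp;
				goto eio;
			}
			bp->b_rptr += sizeof (uint32_t);
		}

		/*
		 * pt_len was taken from the wire.  Refuse to move b_wptr
		 * past the bytes do_decrypt() produced, otherwise stale
		 * buffer contents would be handed to the application.
		 * NOTE(review): assumes do_decrypt() returns the plaintext
		 * in a single mblk, as the trim below already does.
		 */
		if (MBLKL(bp) < 0 ||
		    (size_t)MBLKL(bp) < (size_t)tmi->rcmd_state.pt_len) {
			errmp = bp;
			goto eio;
		}

		/*
		 * Trim the decrypted block the length originally
		 * indicated by the sender.  This is to remove any
		 * padding bytes that the sender added to satisfy
		 * requirements of the crypto algorithm.
		 */
		bp->b_wptr = bp->b_rptr + tmi->rcmd_state.pt_len;

		newmp = bp;

		/*
		 * Reset our state to indicate we are ready
		 * for a new message.
		 */
		tmi->rcmd_state.pt_len = 0;
		tmi->rcmd_state.cd_len = 0;
	}

	/*
	 * return the new message with the 'length' fields removed
	 */
	return (newmp);

eio:
	/*
	 * Unrecoverable framing or resource error: reuse errmp as an
	 * M_ERROR carrying EIO so the connection is broken.
	 *
	 * Both pt_len and cd_len are cleared.  Leaving pt_len set while
	 * c_msg is NULL would make the next call skip the length read and
	 * dereference the missing c_msg.
	 */
	errmp->b_datap->db_type = M_ERROR;
	errmp->b_rptr = errmp->b_datap->db_base;
	*errmp->b_rptr = EIO;
	errmp->b_wptr = errmp->b_rptr + sizeof (char);
	freemsg(errmp->b_cont);
	errmp->b_cont = NULL;
	tmi->rcmd_state.cd_len = tmi->rcmd_state.pt_len = 0;
	qreply(WR(q), errmp);
	return (NULL);
}

/*
 * cryptmodrsrv
 *
 * Read queue service routine
 * Necessary because if the ready flag is not set
 * (via CRYPTIOCSTOP/CRYPTIOCSTART ioctls) then the data
 * must remain on queue and not be passed along.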
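 *
 * Always returns 0.  Processing stops early, with the current message
 * put back on the queue, when the next module is flow controlled or
 * the read side is not yet marked ready.
 */
static int
cryptmodrsrv(queue_t *q)
{
	mblk_t *mp, *bp;
	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;

	while ((mp = getq(q)) != NULL) {
		switch (mp->b_datap->db_type) {
		case M_DATA:
			/*
			 * Hold data back while upstream is flow controlled
			 * or decryption has not been started.
			 */
			if (!canputnext(q) ||
			    !(tmi->ready & CRYPT_READ_READY)) {
				if (!putbq(q, mp)) {
					freemsg(mp);
				}
				return (0);
			}

			/*
			 * Process "rcmd" messages differently because
			 * they contain a 4 byte plaintext length
			 * id that needs to be removed.
			 */
			if (tmi->dec_data.method != CRYPT_METHOD_NONE &&
			    (tmi->dec_data.option_mask &
			    (CRYPTOPT_RCMD_MODE_V1 |
			    CRYPTOPT_RCMD_MODE_V2))) {
				/* decrypt_rcmd_mblks() consumes mp. */
				mp = decrypt_rcmd_mblks(q, mp);
				if (mp)
					putnext(q, mp);
				continue;
			}

			/* Flatten the chain so it is decrypted as one mblk. */
			bp = msgpullup(mp, -1);
			if (bp == NULL) {
				/*
				 * Out of memory.  The message must not be
				 * leaked, and dropping ciphertext would leave
				 * the stream undecodable, so break the
				 * connection with M_ERROR/EIO the same way
				 * decrypt_rcmd_mblks() does when allocb()
				 * fails.
				 */
				mp->b_datap->db_type = M_ERROR;
				mp->b_rptr = mp->b_datap->db_base;
				*mp->b_rptr = EIO;
				mp->b_wptr = mp->b_rptr + sizeof (char);
				freemsg(mp->b_cont);
				mp->b_cont = NULL;
				putnext(q, mp);
				break;
			}
			freemsg(mp);

			if (MBLKL(bp) > 0) {
				mp = do_decrypt(q, bp);
				if (mp != NULL)
					putnext(q, mp);
			} else {
				/* Nothing to decrypt; don't leak the copy. */
				freemsg(bp);
			}
			break;
		default:
			/*
			 * rput does not queue anything > QPCTL, so we don't
			 * need to check for it here.
			 */
			if (!canputnext(q)) {
				if (!putbq(q, mp))
					freemsg(mp);
				return (0);
			}
			putnext(q, mp);
			break;
		}
	}
	return (0);
}


/*
 * Read-side put procedure.
 *
 * M_DATA is always queued so that the service routine decrypts it in
 * order.  M_FLUSH flushes the read queue when FLUSHR is set and is then
 * passed on.  Any other message below QPCTL is queued when data is
 * already waiting or upstream is flow controlled, which keeps it
 * ordered behind that data; everything else is passed straight
 * upstream.
 */
static void
cryptmodrput(queue_t *rq, mblk_t *mp)
{
	switch (mp->b_datap->db_type) {
	case M_DATA:
		if (!putq(rq, mp)) {
			freemsg(mp);
		}
		break;
	case M_FLUSH:
		if (*mp->b_rptr & FLUSHR) {
			flushq(rq, FLUSHALL);
		}
		putnext(rq, mp);
		break;
	default:
		if (queclass(mp) < QPCTL &&
		    (rq->q_first != NULL || !canputnext(rq))) {
			if (!putq(rq, mp))
				freemsg(mp);
			return;
		}
		putnext(rq, mp);
		break;
	}
}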