1 /* 2 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 * 5 * STREAMS Crypto Module 6 * 7 * This module is used to facilitate Kerberos encryption 8 * operations for the telnet daemon and rlogin daemon. 9 * Because the Solaris telnet and rlogin daemons run mostly 10 * in-kernel via 'telmod' and 'rlmod', this module must be 11 * pushed on the STREAM *below* telmod or rlmod. 12 * 13 * Parts of the 3DES key derivation code are covered by the 14 * following copyright. 15 * 16 * Copyright (C) 1998 by the FundsXpress, INC. 17 * 18 * All rights reserved. 19 * 20 * Export of this software from the United States of America may require 21 * a specific license from the United States Government. It is the 22 * responsibility of any person or organization contemplating export to 23 * obtain such a license before exporting. 24 * 25 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 26 * distribute this software and its documentation for any purpose and 27 * without fee is hereby granted, provided that the above copyright 28 * notice appear in all copies and that both that copyright notice and 29 * this permission notice appear in supporting documentation, and that 30 * the name of FundsXpress. not be used in advertising or publicity pertaining 31 * to distribution of the software without specific, written prior 32 * permission. FundsXpress makes no representations about the suitability of 33 * this software for any purpose. It is provided "as is" without express 34 * or implied warranty. 35 * 36 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 37 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 38 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
*/

#include <sys/types.h>
#include <sys/sysmacros.h>
#include <sys/errno.h>
#include <sys/debug.h>
#include <sys/time.h>
#include <sys/stropts.h>
#include <sys/stream.h>
#include <sys/strsubr.h>
#include <sys/strlog.h>
#include <sys/cmn_err.h>
#include <sys/conf.h>
#include <sys/sunddi.h>
#include <sys/kmem.h>
#include <sys/strsun.h>
#include <sys/random.h>
#include <sys/types.h>
#include <sys/byteorder.h>
#include <sys/cryptmod.h>
#include <sys/crc32.h>
#include <sys/policy.h>

#include <sys/crypto/api.h>

/*
 * Function prototypes.
 *
 * STREAMS entry points (open/close/put/service) plus the two
 * per-direction workers that transform a message.  do_encrypt /
 * do_decrypt are forward declarations for routines defined later.
 */
static int cryptmodopen(queue_t *, dev_t *, int, int, cred_t *);
static void cryptmodrput(queue_t *, mblk_t *);
static void cryptmodwput(queue_t *, mblk_t *);
static int cryptmodclose(queue_t *);
static int cryptmodwsrv(queue_t *);
static int cryptmodrsrv(queue_t *);

static mblk_t *do_encrypt(queue_t *q, mblk_t *mp);
static mblk_t *do_decrypt(queue_t *q, mblk_t *mp);

/* STRLOG / module_info identifier for this module */
#define	CRYPTMOD_ID	5150

/* DES cipher-feedback unit: one 64-bit DES block */
#define	CFB_BLKSZ	8

/* Kerberos key-derivation constant length: 4-byte usage + 1 byte */
#define	K5CLENGTH	5

static struct module_info cryptmod_minfo = {
	CRYPTMOD_ID,	/* mi_idnum */
	"cryptmod",	/* mi_idname */
	0,		/* mi_minpsz */
	INFPSZ,		/* mi_maxpsz */
	65536,		/* mi_hiwat */
	1024		/* mi_lowat */
};

/*
 * Read-side queue: messages arriving from the network travel up
 * through here (decrypt direction).  The put routines return void,
 * hence the cast to the generic qi_putp signature.
 */
static struct qinit cryptmod_rinit = {
	(int (*)())cryptmodrput,	/* qi_putp */
	cryptmodrsrv,	/* qi_srvp */
	cryptmodopen,	/* qi_qopen */
	cryptmodclose,	/* qi_qclose */
	NULL,		/* qi_qadmin */
	&cryptmod_minfo,	/* qi_minfo */
	NULL		/* qi_mstat */
};

/*
 * Write-side queue: open/close are only registered on the read side,
 * as STREAMS requires.
 */
static struct qinit cryptmod_winit = {
	(int (*)())cryptmodwput,	/* qi_putp */
	cryptmodwsrv,	/* qi_srvp */
	NULL,		/* qi_qopen */
	NULL,		/* qi_qclose */
	NULL,		/* qi_qadmin */
	&cryptmod_minfo,	/* qi_minfo */
	NULL		/* qi_mstat */
};

static struct streamtab cryptmod_info = {
	&cryptmod_rinit,	/* st_rdinit */
	&cryptmod_winit,	/* st_wrinit */
	NULL,	/* st_muxrinit */
	NULL	/* st_muxwinit */
};

/*
 * Per-checksum-type description: how many bytes the checksum occupies
 * in a message, how many confounder bytes precede the data, and the
 * routine that produces the checksum (hashfunc(out, in, inlen)).
 */
typedef struct {
	uint_t hash_len;
	uint_t confound_len;
	int (*hashfunc)();
} hash_info_t;

#define	MAX_CKSUM_LEN		20
#define	CONFOUNDER_LEN		8

#define	SHA1_HASHSIZE		20
#define	MD5_HASHSIZE		16
#define	CRC32_HASHSIZE		4
#define	MSGBUF_SIZE		4096
#define	CONFOUNDER_BYTES	128


static int crc32_calc(uchar_t *, uchar_t *, uint_t);
static int md5_calc(uchar_t *, uchar_t *, uint_t);
static int sha1_calc(uchar_t *, uchar_t *, uint_t);

/*
 * Checksum tables, indexed by the plaintext_offset/encrypt_size
 * switches below.  null_hash carries no checksum and no confounder.
 * CRC32 is an unkeyed checksum kept only for the legacy des-cbc-crc
 * method; it offers no integrity protection against an active attacker.
 */
static hash_info_t null_hash = {0, 0, NULL};
static hash_info_t crc32_hash = {CRC32_HASHSIZE, CONFOUNDER_LEN, crc32_calc};
static hash_info_t md5_hash = {MD5_HASHSIZE, CONFOUNDER_LEN, md5_calc};
static hash_info_t sha1_hash = {SHA1_HASHSIZE, CONFOUNDER_LEN, sha1_calc};

/*
 * KCF mechanism ids, resolved from their names in cryptmodopen().
 * They stay CRYPTO_MECH_INVALID until the first open.
 */
static crypto_mech_type_t sha1_hmac_mech = CRYPTO_MECH_INVALID;
static crypto_mech_type_t md5_hmac_mech = CRYPTO_MECH_INVALID;
static crypto_mech_type_t sha1_hash_mech = CRYPTO_MECH_INVALID;
static crypto_mech_type_t md5_hash_mech = CRYPTO_MECH_INVALID;

static int kef_crypt(struct cipher_data_t *, void *,
    crypto_data_format_t, size_t, int);
static mblk_t *
arcfour_hmac_md5_encrypt(queue_t *, struct tmodinfo *,
    mblk_t *, hash_info_t *);
static mblk_t *
arcfour_hmac_md5_decrypt(queue_t *, struct tmodinfo *,
    mblk_t *, hash_info_t *);

static int
do_hmac(crypto_mech_type_t, crypto_key_t *, char *, int, char *, int);

/*
 * This is the loadable module wrapper.
 */
#include <sys/modctl.h>

/* D_MP | D_MTQPAIR: MT-safe, with the read/write queue pair sharing a lock */
static struct fmodsw fsw = {
	"cryptmod",
	&cryptmod_info,
	D_MP | D_MTQPAIR
};

/*
 * Module linkage information for the kernel.
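*/
static struct modlstrmod modlstrmod = {
	&mod_strmodops,
	"STREAMS encryption module",
	&fsw
};

static struct modlinkage modlinkage = {
	MODREV_1,
	&modlstrmod,
	NULL
};

/*
 * _init / _fini / _info
 *
 * Standard loadable-module entry points; they delegate entirely to
 * the modctl framework.
 */
int
_init(void)
{
	return (mod_install(&modlinkage));
}

int
_fini(void)
{
	return (mod_remove(&modlinkage));
}

int
_info(struct modinfo *modinfop)
{
	return (mod_info(&modlinkage, modinfop));
}

/*
 * cleanup
 *
 * Release everything hanging off one direction's cipher state (cd)
 * and leave the structure in a state where a second call is a no-op.
 *
 * Every buffer that has held key or keystream material is cleared
 * before it is returned to the allocator: the raw session key, the
 * derived encryption/HMAC keys, and the IV / feedback buffers
 * ("block", "saveblock", "ivec") -- for the CFB modes "block" holds
 * the DES output that is XORed with the data as keystream.  Each
 * pointer is reset to NULL after its buffer is freed so a repeated
 * cleanup() cannot double-free or scrub memory it no longer owns.
 */
static void
cleanup(struct cipher_data_t *cd)
{
	if (cd->key != NULL) {
		bzero(cd->key, cd->keylen);
		kmem_free(cd->key, cd->keylen);
		cd->key = NULL;
	}

	if (cd->ckey != NULL) {
		/*
		 * ckey is a crypto_key_t structure which references
		 * "cd->key" for its raw key data. Since that was already
		 * cleared out, we don't need another "bzero" here.
		 */
		kmem_free(cd->ckey, sizeof (crypto_key_t));
		cd->ckey = NULL;
	}

	if (cd->block != NULL) {
		bzero(cd->block, cd->blocklen);
		kmem_free(cd->block, cd->blocklen);
		cd->block = NULL;
	}

	if (cd->saveblock != NULL) {
		bzero(cd->saveblock, cd->blocklen);
		kmem_free(cd->saveblock, cd->blocklen);
		cd->saveblock = NULL;
	}

	if (cd->ivec != NULL) {
		bzero(cd->ivec, cd->ivlen);
		kmem_free(cd->ivec, cd->ivlen);
		cd->ivec = NULL;
	}

	/*
	 * The derived keys are allocated with cd->keylen bytes
	 * (see create_derived_keys), so that is the size to clear and free.
	 */
	if (cd->d_encr_key.ck_data != NULL) {
		bzero(cd->d_encr_key.ck_data, cd->keylen);
		kmem_free(cd->d_encr_key.ck_data, cd->keylen);
		cd->d_encr_key.ck_data = NULL;
	}

	if (cd->d_hmac_key.ck_data != NULL) {
		bzero(cd->d_hmac_key.ck_data, cd->keylen);
		kmem_free(cd->d_hmac_key.ck_data, cd->keylen);
		cd->d_hmac_key.ck_data = NULL;
	}

	if (cd->enc_tmpl != NULL) {
		(void) crypto_destroy_ctx_template(cd->enc_tmpl);
		cd->enc_tmpl = NULL;
	}

	if (cd->hmac_tmpl != NULL) {
		(void) crypto_destroy_ctx_template(cd->hmac_tmpl);
		cd->hmac_tmpl = NULL;
	}

	if (cd->ctx != NULL) {
		crypto_cancel_ctx(cd->ctx);
		cd->ctx = NULL;
	}
}

/*
 * cryptmodopen
 *
 * STREAMS open entry point.  Only a module push (MODOPEN) is accepted;
 * a queue pair that already carries state is left untouched.  Allocates
 * the per-stream tmodinfo (both directions start as CRYPT_METHOD_NONE
 * and ready to pass data), hangs it off both queues, resolves the KCF
 * mechanism ids used by the hash/HMAC helpers, and enables the queue
 * procedures.  Returns 0 on success or EINVAL for a non-module open.
 */
/* ARGSUSED */
static int
cryptmodopen(queue_t *rq, dev_t *dev, int oflag, int sflag, cred_t *crp)
{
	struct tmodinfo *tmi;

	ASSERT(rq);

	/* This is a module, not a driver: only an I_PUSH open is valid. */
	if (sflag != MODOPEN)
		return (EINVAL);

	(void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE,
	    "cryptmodopen: opening module(PID %d)",
	    ddi_get_pid()));

	/* Re-open of an already set-up queue pair keeps the existing state. */
	if (rq->q_ptr != NULL) {
		cmn_err(CE_WARN, "cryptmodopen: already opened");
		return (0);
	}

	/*
	 * Allocate and initialize per-Stream structure.
	 */
	tmi = (struct tmodinfo *)kmem_zalloc(sizeof (struct tmodinfo),
	    KM_SLEEP);

	tmi->enc_data.method = CRYPT_METHOD_NONE;
	tmi->dec_data.method = CRYPT_METHOD_NONE;

	tmi->ready = (CRYPT_READ_READY | CRYPT_WRITE_READY);

	rq->q_ptr = WR(rq)->q_ptr = tmi;

	/*
	 * Resolve the mechanism ids by name.  These are file-scope and
	 * identical for every stream, so re-resolving on each open is
	 * harmless.
	 */
	sha1_hmac_mech = crypto_mech2id(SUN_CKM_SHA1_HMAC);
	md5_hmac_mech = crypto_mech2id(SUN_CKM_MD5_HMAC);
	sha1_hash_mech = crypto_mech2id(SUN_CKM_SHA1);
	md5_hash_mech = crypto_mech2id(SUN_CKM_MD5);

	qprocson(rq);

	return (0);
}

/*
 * cryptmodclose
 *
 * STREAMS close entry point: disable the queue procedures, scrub and
 * free both directions' cipher state, then free the tmodinfo itself.
 */
static int
cryptmodclose(queue_t *rq)
{
	struct tmodinfo *tmi = (struct tmodinfo *)rq->q_ptr;
	ASSERT(tmi);

	qprocsoff(rq);

	cleanup(&tmi->enc_data);
	cleanup(&tmi->dec_data);

	kmem_free(tmi, sizeof (struct tmodinfo));
	rq->q_ptr = WR(rq)->q_ptr = NULL;

	return (0);
}

/*
 * plaintext_offset
 *
 * Calculate exactly how much space is needed in front
 * of the "plaintext" in an mblk so it can be positioned
 * 1 time instead of potentially moving the data multiple
 * times.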
*/
static int
plaintext_offset(struct cipher_data_t *cd)
{
	int lead = 0;

	/* every RCMD-mode message carries a 4-byte length word up front */
	if (ANY_RCMD_MODE(cd->option_mask))
		lead += RCMD_LEN_SZ;

	/* RCMD V2 mode carries a second 4-byte (plaintext) length word */
	if (cd->option_mask & CRYPTOPT_RCMD_MODE_V2)
		lead += RCMD_LEN_SZ;

	/*
	 * Room for the confounder and, for the methods that place the
	 * checksum ahead of the data, the checksum as well.  DES3-SHA1
	 * appends its HMAC after the data (see encrypt_size), so only
	 * the confounder is counted; the AES methods reserve one block.
	 */
	switch (cd->method) {
	case CRYPT_METHOD_NONE:
	case CRYPT_METHOD_DES_CFB:
		/* stream-style: nothing is prepended */
		break;
	case CRYPT_METHOD_DES_CBC_NULL:
		lead += null_hash.confound_len + null_hash.hash_len;
		break;
	case CRYPT_METHOD_DES_CBC_CRC:
		lead += crc32_hash.confound_len + crc32_hash.hash_len;
		break;
	case CRYPT_METHOD_DES_CBC_MD5:
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
		lead += md5_hash.confound_len + md5_hash.hash_len;
		break;
	case CRYPT_METHOD_DES3_CBC_SHA1:
		lead += sha1_hash.confound_len;
		break;
	case CRYPT_METHOD_AES128:
	case CRYPT_METHOD_AES256:
		lead += DEFAULT_AES_BLOCKLEN;
		break;
	}

	return (lead);
}

/*
 * encrypt_size
 *
 * Calculate the resulting size when encrypting 'plainlen' bytes
 * of data.
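*/
static size_t
encrypt_size(struct cipher_data_t *cd, size_t plainlen)
{
	size_t cipherlen;

	switch (cd->method) {
	case CRYPT_METHOD_DES_CBC_NULL:
		/* checksum slot + data, padded to the DES block size */
		cipherlen = (size_t)P2ROUNDUP(null_hash.hash_len +
		    plainlen, 8);
		break;
	case CRYPT_METHOD_DES_CBC_MD5:
		/* checksum + confounder + data, padded to 8 */
		cipherlen = (size_t)P2ROUNDUP(md5_hash.hash_len +
		    md5_hash.confound_len +
		    plainlen, 8);
		break;
	case CRYPT_METHOD_DES_CBC_CRC:
		cipherlen = (size_t)P2ROUNDUP(crc32_hash.hash_len +
		    crc32_hash.confound_len +
		    plainlen, 8);
		break;
	case CRYPT_METHOD_DES3_CBC_SHA1:
		/* confounder + data padded to 8, then the HMAC appended */
		cipherlen = (size_t)P2ROUNDUP(sha1_hash.confound_len +
		    plainlen, 8) +
		    sha1_hash.hash_len;
		break;
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
		/*
		 * Stream cipher: no padding (the P2ROUNDUP to 1 is a
		 * no-op); confounder + data followed by the MD5-sized HMAC.
		 */
		cipherlen = (size_t)P2ROUNDUP(md5_hash.confound_len +
		    plainlen, 1) + md5_hash.hash_len;
		break;
	case CRYPT_METHOD_AES128:
	case CRYPT_METHOD_AES256:
		/* No roundup for AES-CBC-CTS */
		cipherlen = DEFAULT_AES_BLOCKLEN + plainlen +
		    AES_TRUNCATED_HMAC_LEN;
		break;
	case CRYPT_METHOD_DES_CFB:
	case CRYPT_METHOD_NONE:
	default:
		/*
		 * CFB and NONE never expand the data.  An unrecognized
		 * method is treated the same way rather than returning
		 * an uninitialized value; the method is expected to have
		 * been validated when it was configured.
		 */
		cipherlen = plainlen;
		break;
	}

	return (cipherlen);
}

/*
 * des_cfb_encrypt
 *
 * Encrypt the mblk data using DES with cipher feedback.
 *
 * Given that V[i] is the initial 64 bit vector, V[n] is the nth 64 bit
 * vector, D[n] is the nth chunk of 64 bits of data to encrypt
 * (decrypt), and O[n] is the nth chunk of 64 bits of encrypted
 * (decrypted) data, then:
 *
 * V[0] = DES(V[i], key)
 * O[n] = D[n] <exclusive or > V[n]
 * V[n+1] = DES(O[n], key)
 *
 * The size of the message being encrypted does not change in this
 * algorithm, num_bytes in == num_bytes out.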
*/
/*
 * des_cfb_encrypt
 *
 * Encrypt one mblk in place, one byte at a time, continuing the CFB
 * state kept in tmi->enc_data across messages: 'bytes' counts how far
 * into the current 8-byte keystream block we are, 'block' holds the
 * current keystream (DES output) and 'saveblock' carries the ciphertext
 * bytes that still have to be fed back once a full block is available.
 *
 * Returns mp (now ciphertext).  If the DES call fails, mp is turned
 * into an M_ERROR(EIO) and sent upstream; NULL is returned and the
 * caller must not touch mp again.
 */
static mblk_t *
des_cfb_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
{
	int savedbytes;
	char *iptr, *optr, *lastoutput;

	lastoutput = optr = (char *)mp->b_rptr;
	iptr = (char *)mp->b_rptr;
	/* ciphertext bytes already parked in saveblock from earlier mblks */
	savedbytes = tmi->enc_data.bytes % CFB_BLKSZ;

	while (iptr < (char *)mp->b_wptr) {
		/*
		 * Do DES-ECB.
		 * The first time this runs, the 'tmi->enc_data.block' will
		 * contain the initialization vector that should have been
		 * passed in with the SETUP ioctl.
		 *
		 * V[n] = DES(V[n-1], key)
		 */
		if (!(tmi->enc_data.bytes % CFB_BLKSZ)) {
			int retval = 0;
			retval = kef_crypt(&tmi->enc_data,
			    tmi->enc_data.block,
			    CRYPTO_DATA_RAW,
			    tmi->enc_data.blocklen,
			    CRYPT_ENCRYPT);

			if (retval != CRYPTO_SUCCESS) {
#ifdef DEBUG
				cmn_err(CE_WARN, "des_cfb_encrypt: kef_crypt "
				    "failed - error 0x%0x", retval);
#endif
				/*
				 * Convert mp into a one-byte M_ERROR and
				 * send it back up the stream; the caller
				 * gets NULL and must not reuse mp.
				 */
				mp->b_datap->db_type = M_ERROR;
				mp->b_rptr = mp->b_datap->db_base;
				*mp->b_rptr = EIO;
				mp->b_wptr = mp->b_rptr + sizeof (char);
				freemsg(mp->b_cont);
				mp->b_cont = NULL;
				qreply(WR(q), mp);
				return (NULL);
			}
		}

		/* O[n] = I[n] ^ V[n] */
		*(optr++) = *(iptr++) ^
		    tmi->enc_data.block[tmi->enc_data.bytes % CFB_BLKSZ];

		tmi->enc_data.bytes++;
		/*
		 * Feedback the encrypted output as the input to next DES call.
		 */
		if (!(tmi->enc_data.bytes % CFB_BLKSZ)) {
			char *dbptr = tmi->enc_data.block;
			/*
			 * Get the last bits of input from the previous
			 * msg block that we haven't yet used as feedback input.
			 */
			if (savedbytes > 0) {
				bcopy(tmi->enc_data.saveblock,
				    dbptr, (size_t)savedbytes);
				dbptr += savedbytes;
			}

			/*
			 * Now copy the correct bytes from the current input
			 * stream and update the 'lastoutput' ptr
			 */
			bcopy(lastoutput, dbptr,
			    (size_t)(CFB_BLKSZ - savedbytes));

			lastoutput += (CFB_BLKSZ - savedbytes);
			savedbytes = 0;
		}
	}
	/*
	 * If there are bytes of input here that we need in the next
	 * block to build an ivec, save them off here.
	 */
	if (lastoutput < optr) {
		bcopy(lastoutput,
		    tmi->enc_data.saveblock + savedbytes,
		    (uint_t)(optr - lastoutput));
	}
	return (mp);
}

/*
 * des_cfb_decrypt
 *
 * Decrypt the data in the mblk using DES in Cipher Feedback mode
 *
 * # bytes in == # bytes out, no padding, confounding, or hashing
 * is added.
 *
 * Decryption is done in place: the keystream is generated exactly as
 * in des_cfb_encrypt and XORed over the ciphertext.  Because the
 * ciphertext is what must be fed back, a copy of each input block is
 * kept in tmi->dec_data.saveblock before it is overwritten.
 *
 * Note that 'bytes' is reduced modulo tmi->dec_data.blocklen in the
 * feedback bookkeeping but modulo CFB_BLKSZ when indexing the
 * keystream; the two coincide only when blocklen is 8 (DES).
 *
 * On a DES failure mp becomes an M_ERROR(EIO) sent upstream and NULL
 * is returned, as in des_cfb_encrypt.
 */
static mblk_t *
des_cfb_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
{
	uint_t len;
	uint_t savedbytes;
	char *iptr;
	char *lastinput;
	uint_t cp;

	len = MBLKL(mp);

	/* in-place: iptr walks the ciphertext and overwrites it */
	lastinput = iptr = (char *)mp->b_rptr;

	savedbytes = tmi->dec_data.bytes % tmi->dec_data.blocklen;

	/*
	 * Save the input CFB_BLKSZ bytes at a time.
	 * We are trying to decrypt in-place, but need to keep
	 * a small sliding window of encrypted text to be
	 * used to construct the feedback buffer.
	 */
	cp = ((tmi->dec_data.blocklen - savedbytes) > len ? len :
	    tmi->dec_data.blocklen - savedbytes);

	bcopy(lastinput, tmi->dec_data.saveblock + savedbytes, cp);
	savedbytes += cp;

	lastinput += cp;

	while (iptr < (char *)mp->b_wptr) {
		/*
		 * Do DES-ECB.
		 * The first time this runs, the 'tmi->dec_data.block' will
		 * contain the initialization vector that should have been
		 * passed in with the SETUP ioctl.
		 */
		if (!(tmi->dec_data.bytes % CFB_BLKSZ)) {
			int retval;
			retval = kef_crypt(&tmi->dec_data,
			    tmi->dec_data.block,
			    CRYPTO_DATA_RAW,
			    tmi->dec_data.blocklen,
			    CRYPT_ENCRYPT);

			if (retval != CRYPTO_SUCCESS) {
#ifdef DEBUG
				cmn_err(CE_WARN, "des_cfb_decrypt: kef_crypt "
				    "failed - status 0x%0x", retval);
#endif
				mp->b_datap->db_type = M_ERROR;
				mp->b_rptr = mp->b_datap->db_base;
				*mp->b_rptr = EIO;
				mp->b_wptr = mp->b_rptr + sizeof (char);
				freemsg(mp->b_cont);
				mp->b_cont = NULL;
				qreply(WR(q), mp);
				return (NULL);
			}
		}

		/*
		 * To decrypt, XOR the input with the output from the DES call
		 */
		*(iptr++) ^= tmi->dec_data.block[tmi->dec_data.bytes %
		    CFB_BLKSZ];

		tmi->dec_data.bytes++;

		/*
		 * Feedback the encrypted input for next DES call.
		 */
		if (!(tmi->dec_data.bytes % tmi->dec_data.blocklen)) {
			char *dbptr = tmi->dec_data.block;
			/*
			 * Get the last bits of input from the previous block
			 * that we haven't yet processed.
			 */
			if (savedbytes > 0) {
				bcopy(tmi->dec_data.saveblock,
				    dbptr, savedbytes);
				dbptr += savedbytes;
			}

			savedbytes = 0;

			/*
			 * This block makes sure that our local
			 * buffer of input data is full and can
			 * be accessed from the beginning.
			 */
			if (lastinput < (char *)mp->b_wptr) {

				/* How many bytes are left in the mblk? */
				cp = (((char *)mp->b_wptr - lastinput) >
				    tmi->dec_data.blocklen ?
				    tmi->dec_data.blocklen :
				    (char *)mp->b_wptr - lastinput);

				/* copy what we need */
				bcopy(lastinput, tmi->dec_data.saveblock,
				    cp);

				lastinput += cp;
				savedbytes = cp;
			}
		}
	}

	return (mp);
}

/*
 * crc32_calc
 *
 * Compute a CRC32 checksum on the input and store it in 'buf' least
 * significant byte first (4 bytes).  This is an unkeyed checksum for
 * the legacy des-cbc-crc method only: it detects accidental
 * corruption, not deliberate modification.
 */
static int
crc32_calc(uchar_t *buf, uchar_t *input, uint_t len)
{
	uint32_t crc;

	CRC32(crc, input, len, 0, crc32_table);

	buf[0] = (uchar_t)(crc & 0xff);
	buf[1] = (uchar_t)((crc >> 8) & 0xff);
	buf[2] = (uchar_t)((crc >> 16) & 0xff);
	buf[3] = (uchar_t)((crc >> 24) & 0xff);

	return (CRYPTO_SUCCESS);
}

/*
 * kef_digest
 *
 * One-shot unkeyed digest via the kernel crypto framework:
 * output[0..hashlen) = digest_type(input[0..inlen)).  Returns the
 * crypto_digest() status.
 *
 * NOTE(review): unlike the crypto_data_t setups in kef_crypt and
 * kef_encr_hmac, d1/d2 are not zeroed before use, so any crypto_data_t
 * fields beyond those assigned here are indeterminate - confirm the
 * framework ignores them for a digest operation.
 */
static int
kef_digest(crypto_mech_type_t digest_type,
    uchar_t *input, uint_t inlen,
    uchar_t *output, uint_t hashlen)
{
	iovec_t v1, v2;
	crypto_data_t d1, d2;
	crypto_mechanism_t mech;
	int rv;

	mech.cm_type = digest_type;
	mech.cm_param = 0;
	mech.cm_param_len = 0;

	v1.iov_base = (void *)input;
	v1.iov_len = inlen;

	d1.cd_format = CRYPTO_DATA_RAW;
	d1.cd_offset = 0;
	d1.cd_length = v1.iov_len;
	d1.cd_raw = v1;

	v2.iov_base = (void *)output;
	v2.iov_len = hashlen;

	d2.cd_format = CRYPTO_DATA_RAW;
	d2.cd_offset = 0;
	d2.cd_length = v2.iov_len;
	d2.cd_raw = v2;

	rv = crypto_digest(&mech, &d1, &d2, NULL);

	return (rv);
}

/*
 * sha1_calc
 *
 * Get a SHA1 hash on the input data (SHA1_HASHSIZE bytes into output).
 * Uses sha1_hash_mech, which is resolved in cryptmodopen().
 */
static int
sha1_calc(uchar_t *output, uchar_t *input, uint_t inlen)
{
	int rv;

	rv = kef_digest(sha1_hash_mech, input, inlen, output, SHA1_HASHSIZE);

	return (rv);
}

/*
 * Get an MD5 hash on the input data.
*/
/*
 * md5_calc
 *
 * Get an MD5 hash on the input data (MD5_HASHSIZE bytes into output).
 * Uses md5_hash_mech, which is resolved in cryptmodopen().
 */
static int
md5_calc(uchar_t *output, uchar_t *input, uint_t inlen)
{
	int rv;

	rv = kef_digest(md5_hash_mech, input, inlen, output, MD5_HASHSIZE);

	return (rv);
}

/*
 * nfold
 * duplicate the functionality of the krb5_nfold function from
 * the userland kerberos mech.
 * This is needed to derive keys for use with 3DES/SHA1-HMAC
 * ciphers.
 *
 * Stretches (or shrinks) 'in' (inbits bits) to 'out' (outbits bits):
 * the input is repeated lcm(inbits, outbits)/inbits times, each copy
 * rotated 13 bits further than the previous one, and the repetitions
 * are added together with ones'-complement (end-around carry)
 * addition, outbits at a time.  Sizes are given in bits and must be
 * multiples of 8; 'out' is fully overwritten.
 */
static void
nfold(int inbits, uchar_t *in, int outbits, uchar_t *out)
{
	int a, b, c, lcm;
	int byte, i, msbit;

	/* work in bytes from here on */
	inbits >>= 3;
	outbits >>= 3;

	/* first compute lcm(n,k) */
	a = outbits;
	b = inbits;

	/* Euclid: 'a' ends up as gcd(outbits, inbits) */
	while (b != 0) {
		c = b;
		b = a%b;
		a = c;
	}

	lcm = outbits*inbits/a;

	/* now do the real work */

	bzero(out, outbits);
	byte = 0;	/* running sum; bits above 8 are the carry */

	/*
	 * Compute the msbit in k which gets added into this byte
	 * first, start with the msbit in the first, unrotated byte
	 * then, for each byte, shift to the right for each repetition
	 * last, pick out the correct byte within that shifted repetition
	 */
	for (i = lcm-1; i >= 0; i--) {
		msbit = (((inbits<<3)-1)
		    +(((inbits<<3)+13)*(i/inbits))
		    +((inbits-(i%inbits))<<3)) %(inbits<<3);

		/* pull out the byte value itself */
		byte += (((in[((inbits-1)-(msbit>>3))%inbits]<<8)|
		    (in[((inbits)-(msbit>>3))%inbits]))
		    >>((msbit&7)+1))&0xff;

		/* do the addition */
		byte += out[i%outbits];
		out[i%outbits] = byte&0xff;

		byte >>= 8;
	}

	/* if there's a carry bit left over, add it back in */
	if (byte) {
		for (i = outbits-1; i >= 0; i--) {
			/* do the addition */
			byte += out[i];
			out[i] = byte&0xff;

			/* keep around the carry bit, if any */
			byte >>= 8;
		}
	}
}

/*
 * DES key parity helpers.  pstep() XORs the low 'step' bits of x with
 * the next 'step' bits; folding 4, 2 and 1 leaves bit 0 of
 * parity_char(x) equal to the XOR of all eight bits of x, i.e. 1 when
 * x has an odd number of set bits.  derive_key() uses this to force
 * odd parity on every byte of a derived DES key.
 */
#define	smask(step) ((1<<step)-1)
#define	pstep(x, step) (((x)&smask(step))^(((x)>>step)&smask(step)))
#define	parity_char(x) pstep(pstep(pstep((x), 4), 2), 1)
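/*
 * derive_key
 *
 * Duplicate the functionality of the "dk_derive_key" function
 * in the Kerberos mechanism (the RFC 3961 "DK" derivation):
 *
 *	K1 = E(base key, n-fold(constant))
 *	K2 = E(base key, K1), ... concatenated until keybytes are produced
 *
 * Parameters:
 *	cdata		stream cipher state; cdata->key/keylen is the base
 *			key and cdata->block is temporarily replaced by an
 *			all-zero IV for the duration of the derivation.
 *	constdata	derivation constant (usage || 0xAA or 0x55),
 *			constlen bytes; n-folded to blocklen if needed.
 *	dkey		output buffer.  For DES3 exactly 24 bytes are
 *			written (3 x 7 raw bytes, each group expanded to 8
 *			with odd parity); for AES, keybytes bytes.  The
 *			caller must size dkey accordingly.
 *	keybytes	number of raw derived bytes to generate.
 *	blocklen	cipher block size; also the n-fold output size.
 *
 * Returns CRYPTO_SUCCESS, or the kef_crypt error (cmn_err'd as well).
 *
 * The scratch buffers hold key material, so they are cleared before
 * being freed - the same discipline cleanup() applies to the long-lived
 * keys.
 *
 * NOTE(review): for a method that is neither DES3 nor AES, dkey is left
 * untouched although CRYPTO_SUCCESS is returned; callers are assumed to
 * derive keys only for those two families - confirm.
 */
static int
derive_key(struct cipher_data_t *cdata, uchar_t *constdata,
    int constlen, char *dkey, int keybytes,
    int blocklen)
{
	int rv = 0;
	int n = 0, i;
	char *inblock;
	char *rawkey;
	char *zeroblock;
	char *saveblock;

	inblock = kmem_zalloc(blocklen, KM_SLEEP);
	rawkey = kmem_zalloc(keybytes, KM_SLEEP);
	zeroblock = kmem_zalloc(blocklen, KM_SLEEP);

	/* the constant must be exactly one cipher block wide */
	if (constlen == blocklen)
		bcopy(constdata, inblock, blocklen);
	else
		nfold(constlen * 8, constdata,
		    blocklen * 8, (uchar_t *)inblock);

	/*
	 * zeroblock is an IV of all 0's.
	 *
	 * The "block" section of the cdata record is used as the
	 * IV for crypto operations in the kef_crypt function.
	 *
	 * We use 'block' as a generic IV data buffer because it
	 * is attached to the stream state data and thus can
	 * be used to hold information that must carry over
	 * from processing of one mblk to another.
	 *
	 * Here, we save the current IV and replace it with
	 * an empty IV (all 0's) for use when deriving the
	 * keys. Once the key derivation is done, we swap the
	 * old IV back into place.
	 */
	saveblock = cdata->block;
	cdata->block = zeroblock;

	/*
	 * Each pass encrypts the previous block in place, so inblock
	 * walks K1, K2, ... and rawkey collects them.
	 */
	while (n < keybytes) {
		rv = kef_crypt(cdata, inblock, CRYPTO_DATA_RAW,
		    blocklen, CRYPT_ENCRYPT);
		if (rv != CRYPTO_SUCCESS) {
			/* put the original IV block back in place */
			cdata->block = saveblock;
			cmn_err(CE_WARN, "failed to derive a key: %0x", rv);
			goto cleanup;
		}

		if (keybytes - n < blocklen) {
			bcopy(inblock, rawkey+n, (keybytes-n));
			break;
		}
		bcopy(inblock, rawkey+n, blocklen);
		n += blocklen;
	}
	/* put the original IV block back in place */
	cdata->block = saveblock;

	/* finally, make the key */
	if (cdata->method == CRYPT_METHOD_DES3_CBC_SHA1) {
		/*
		 * 3DES key derivation requires that we make sure the
		 * key has the proper parity.
		 */
		for (i = 0; i < 3; i++) {
			bcopy(rawkey+(i*7), dkey+(i*8), 7);

			/*
			 * 'dkey' is our derived key output buffer: the
			 * eighth byte is built from the low bit of each of
			 * the seven raw bytes ...
			 */
			dkey[i*8+7] = (((dkey[i*8]&1)<<1) |
			    ((dkey[i*8+1]&1)<<2) |
			    ((dkey[i*8+2]&1)<<3) |
			    ((dkey[i*8+3]&1)<<4) |
			    ((dkey[i*8+4]&1)<<5) |
			    ((dkey[i*8+5]&1)<<6) |
			    ((dkey[i*8+6]&1)<<7));

			/* ... then every byte gets an odd-parity low bit */
			for (n = 0; n < 8; n++) {
				dkey[i*8 + n] &= 0xfe;
				dkey[i*8 + n] |= 1^parity_char(dkey[i*8 + n]);
			}
		}
	} else if (IS_AES_METHOD(cdata->method)) {
		bcopy(rawkey, dkey, keybytes);
	}
cleanup:
	/*
	 * inblock holds the last derived block and rawkey the whole
	 * derived key: scrub both before handing the memory back.
	 */
	bzero(inblock, blocklen);
	bzero(rawkey, keybytes);
	kmem_free(inblock, blocklen);
	kmem_free(zeroblock, blocklen);
	kmem_free(rawkey, keybytes);
	return (rv);
}

/*
 * create_derived_keys
 *
 * Algorithm for deriving a new key and an HMAC key
 * before computing the 3DES-SHA1-HMAC operation on the plaintext
 * This algorithm matches the work done by Kerberos mechanism
 * in userland.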
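*/
/*
 * create_derived_keys
 *
 * Derive the encryption key (constant = usage || 0xAA) and the HMAC
 * key (constant = usage || 0x55) from the session key in cdata, the
 * way the userland Kerberos mechanism does.  Both keys are allocated
 * with cdata->keylen bytes and are owned by the caller (cleanup()
 * frees them when ck_data is non-NULL).
 *
 * Returns CRYPTO_SUCCESS, CRYPTO_ARGUMENTS_BAD for a method this
 * routine does not know, CRYPTO_KEY_SIZE_RANGE when the session key is
 * shorter than the derived key it would have to hold, or the
 * derive_key error.  On the two early errors nothing has been
 * allocated; after a derive_key failure the key buffers allocated so
 * far are left for cleanup() to release.
 */
static int
create_derived_keys(struct cipher_data_t *cdata, uint32_t usage,
    crypto_key_t *enckey, crypto_key_t *hmackey)
{
	uchar_t constdata[K5CLENGTH];
	int keybytes;
	int rv;

	/*
	 * Work out how many derived bytes this method needs before
	 * allocating anything, so an unsupported method can neither
	 * leak a key buffer nor reach derive_key with an indeterminate
	 * 'keybytes'.
	 */
	switch (cdata->method) {
	case CRYPT_METHOD_DES_CFB:
	case CRYPT_METHOD_DES_CBC_NULL:
	case CRYPT_METHOD_DES_CBC_MD5:
	case CRYPT_METHOD_DES_CBC_CRC:
		keybytes = 8;
		break;
	case CRYPT_METHOD_DES3_CBC_SHA1:
		keybytes = CRYPT_DES3_KEYBYTES;
		break;
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
		keybytes = CRYPT_ARCFOUR_KEYBYTES;
		break;
	case CRYPT_METHOD_AES128:
		keybytes = CRYPT_AES128_KEYBYTES;
		break;
	case CRYPT_METHOD_AES256:
		keybytes = CRYPT_AES256_KEYBYTES;
		break;
	default:
		cmn_err(CE_WARN, "create_derived_keys: unsupported "
		    "method %d", cdata->method);
		return (CRYPTO_ARGUMENTS_BAD);
	}

	/*
	 * derive_key() writes 'keybytes' bytes into a buffer that is
	 * only cdata->keylen bytes long (for DES3 it writes 24, which
	 * this check assumes CRYPT_DES3_KEYBYTES equals - confirm).
	 * Refuse a session key that is too short rather than overrun
	 * the heap.
	 */
	if (keybytes > cdata->keylen) {
		cmn_err(CE_WARN, "create_derived_keys: key length %d too "
		    "short for method %d", cdata->keylen, cdata->method);
		return (CRYPTO_KEY_SIZE_RANGE);
	}

	/* big-endian key usage number followed by the "type" byte */
	constdata[0] = (usage>>24)&0xff;
	constdata[1] = (usage>>16)&0xff;
	constdata[2] = (usage>>8)&0xff;
	constdata[3] = usage & 0xff;
	/* Use "0xAA" for deriving encryption key */
	constdata[4] = 0xAA; /* from MIT Kerberos code */

	/* ck_length is in bits */
	enckey->ck_length = cdata->keylen * 8;
	enckey->ck_format = CRYPTO_KEY_RAW;
	enckey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP);

	/* derive main crypto key */
	rv = derive_key(cdata, constdata, sizeof (constdata),
	    enckey->ck_data, keybytes, cdata->blocklen);

	if (rv == CRYPTO_SUCCESS) {

		/* Use "0x55" for deriving mac key */
		constdata[4] = 0x55;

		hmackey->ck_length = cdata->keylen * 8;
		hmackey->ck_format = CRYPTO_KEY_RAW;
		hmackey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP);

		rv = derive_key(cdata, constdata, sizeof (constdata),
		    hmackey->ck_data, keybytes,
		    cdata->blocklen);
	} else {
		cmn_err(CE_WARN, "failed to derive crypto key: %02x", rv);
	}

	return (rv);
}

/*
 * Compute 3-DES crypto and HMAC.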
*/
/*
 * kef_decr_hmac
 *
 * Decrypt 'length' bytes of mp in place with the derived encryption
 * key (cdata->d_encr_key, IV in cdata->block), then compute the
 * SHA1-HMAC of the recovered plaintext with cdata->d_hmac_key into
 * hmac[0..hmaclen).  This is the decrypt-then-MAC shape of the
 * Kerberos 3DES/SHA1 profile: the MAC covers the plaintext, not the
 * ciphertext.
 *
 * The comparison of 'hmac' against the checksum carried in the message
 * is the caller's job (not visible here); it should be done before any
 * of the plaintext is used.
 *
 * Returns CRYPTO_SUCCESS or the failing framework status, which is
 * also logged.
 */
static int
kef_decr_hmac(struct cipher_data_t *cdata,
    mblk_t *mp, int length,
    char *hmac, int hmaclen)
{
	crypto_mechanism_t cipher_mech;
	crypto_mechanism_t hmac_mech;
	crypto_data_t payload;
	crypto_data_t digest;
	iovec_t digest_iov;
	int rv = CRYPTO_FAILED;

	ASSERT(cdata != NULL);
	ASSERT(mp != NULL);
	ASSERT(hmac != NULL);

	/* the message itself, transformed in place */
	bzero(&payload, sizeof (payload));
	payload.cd_format = CRYPTO_DATA_MBLK;
	payload.cd_offset = 0;
	payload.cd_length = length;
	payload.cd_mp = mp;

	/* where the HMAC of the recovered plaintext goes */
	digest_iov.iov_base = hmac;
	digest_iov.iov_len = hmaclen;

	digest.cd_format = CRYPTO_DATA_RAW;
	digest.cd_offset = 0;
	digest.cd_length = hmaclen;
	digest.cd_raw = digest_iov;

	/* cdata->block carries the IV, when there is one */
	cipher_mech.cm_type = cdata->mech_type;
	cipher_mech.cm_param = cdata->block;
	cipher_mech.cm_param_len =
	    (cdata->block != NULL) ? cdata->blocklen : 0;

	hmac_mech.cm_type = sha1_hmac_mech;
	hmac_mech.cm_param = NULL;
	hmac_mech.cm_param_len = 0;

	rv = crypto_decrypt(&cipher_mech, &payload, &cdata->d_encr_key,
	    cdata->enc_tmpl, NULL, NULL);
	if (rv != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN, "crypto_decrypt failed: %0x", rv);
		return (rv);
	}

	/* MAC over the plaintext that now sits in mp */
	rv = crypto_mac(&hmac_mech, &payload, &cdata->d_hmac_key,
	    cdata->hmac_tmpl, &digest, NULL);
	if (rv != CRYPTO_SUCCESS)
		cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);

	return (rv);
}

/*
 * Compute 3-DES crypto and HMAC.
*/
/*
 * kef_encr_hmac
 *
 * Mirror of kef_decr_hmac for the outbound direction: first compute
 * the SHA1-HMAC of the 'length' plaintext bytes in mp with
 * cdata->d_hmac_key into hmac[0..hmaclen), then encrypt mp in place
 * with cdata->d_encr_key (IV in cdata->block).  The order matters:
 * the MAC must be taken over the plaintext before it is overwritten.
 *
 * Returns CRYPTO_SUCCESS or the failing framework status, which is
 * also logged.  On a MAC failure mp is left unencrypted.
 */
static int
kef_encr_hmac(struct cipher_data_t *cdata,
    mblk_t *mp, int length,
    char *hmac, int hmaclen)
{
	crypto_mechanism_t cipher_mech;
	crypto_mechanism_t hmac_mech;
	crypto_data_t payload;
	crypto_data_t digest;
	iovec_t digest_iov;
	int rv = CRYPTO_FAILED;

	ASSERT(cdata != NULL);
	ASSERT(mp != NULL);
	ASSERT(hmac != NULL);

	/* the message itself, transformed in place */
	bzero(&payload, sizeof (payload));
	payload.cd_format = CRYPTO_DATA_MBLK;
	payload.cd_offset = 0;
	payload.cd_length = length;
	payload.cd_mp = mp;

	/* where the plaintext HMAC goes */
	digest_iov.iov_base = hmac;
	digest_iov.iov_len = hmaclen;

	digest.cd_format = CRYPTO_DATA_RAW;
	digest.cd_offset = 0;
	digest.cd_length = hmaclen;
	digest.cd_raw = digest_iov;

	/* cdata->block carries the IV, when there is one */
	cipher_mech.cm_type = cdata->mech_type;
	cipher_mech.cm_param = cdata->block;
	cipher_mech.cm_param_len =
	    (cdata->block != NULL) ? cdata->blocklen : 0;

	hmac_mech.cm_type = sha1_hmac_mech;
	hmac_mech.cm_param = NULL;
	hmac_mech.cm_param_len = 0;

	/* MAC the plaintext first ... */
	rv = crypto_mac(&hmac_mech, &payload, &cdata->d_hmac_key,
	    cdata->hmac_tmpl, &digest, NULL);
	if (rv != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
		return (rv);
	}

	/* ... then encrypt it in place */
	rv = crypto_encrypt(&cipher_mech, &payload, &cdata->d_encr_key,
	    cdata->enc_tmpl, NULL, NULL);
	if (rv != CRYPTO_SUCCESS)
		cmn_err(CE_WARN, "crypto_encrypt failed: %0x", rv);

	return (rv);
}

/*
 * kef_crypt
 *
 * Use the Kernel encryption framework to provide the
 * crypto operations for the indicated data.
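 */
/*
 * kef_crypt
 *
 * Run a single-shot KEF encrypt or decrypt (in place) over 'indata',
 * which is either a raw buffer or an mblk chain depending on 'fmt'.
 * cdata supplies the raw key (keylen is in bytes; KEF wants bits) and,
 * when cdata->block is non-NULL, the IV passed as the mechanism parameter.
 *
 * Returns CRYPTO_SUCCESS, or CRYPTO_FAILED after logging the KEF error.
 */
static int
kef_crypt(struct cipher_data_t *cdata,
    void *indata, crypto_data_format_t fmt,
    size_t length, int mode)
{
	int rv = CRYPTO_FAILED;

	crypto_mechanism_t mech;
	crypto_key_t crkey;
	iovec_t v1;
	crypto_data_t d1;

	ASSERT(cdata != NULL);
	ASSERT(indata != NULL);
	ASSERT(fmt == CRYPTO_DATA_RAW || fmt == CRYPTO_DATA_MBLK);

	bzero(&crkey, sizeof (crkey));
	bzero(&d1, sizeof (d1));
	bzero(&v1, sizeof (v1));

	crkey.ck_format = CRYPTO_KEY_RAW;
	crkey.ck_data = cdata->key;

	/* keys are measured in bits, not bytes, so multiply by 8 */
	crkey.ck_length = cdata->keylen * 8;

	if (fmt == CRYPTO_DATA_RAW) {
		v1.iov_base = (char *)indata;
		v1.iov_len = length;
	}

	d1.cd_format = fmt;
	d1.cd_offset = 0;
	d1.cd_length = length;
	if (fmt == CRYPTO_DATA_RAW)
		d1.cd_raw = v1;
	else if (fmt == CRYPTO_DATA_MBLK)
		d1.cd_mp = (mblk_t *)indata;

	mech.cm_type = cdata->mech_type;
	mech.cm_param = cdata->block;
	/*
	 * cdata->block holds the IVEC
	 */
	if (cdata->block != NULL)
		mech.cm_param_len = cdata->blocklen;
	else
		mech.cm_param_len = 0;

	/*
	 * encrypt and decrypt in-place
	 */
	if (mode == CRYPT_ENCRYPT)
		rv = crypto_encrypt(&mech, &d1, &crkey, NULL, NULL, NULL);
	else
		rv = crypto_decrypt(&mech, &d1, &crkey, NULL, NULL, NULL);

	if (rv != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN, "%s returned error %08x",
		    (mode == CRYPT_ENCRYPT ? "crypto_encrypt" :
		    "crypto_decrypt"), rv);
		return (CRYPTO_FAILED);
	}

	return (rv);
}

/*
 * do_hmac
 *
 * Compute a MAC with mechanism 'mech' and key 'key' over 'datalen'
 * bytes at 'data', writing up to 'hmaclen' bytes into 'hmac'.
 * The caller is responsible for sizing 'hmac' for the mechanism in use.
 *
 * Returns the KEF result code (CRYPTO_SUCCESS on success).
 */
static int
do_hmac(crypto_mech_type_t mech,
    crypto_key_t *key,
    char *data, int datalen,
    char *hmac, int hmaclen)
{
	int rv = 0;
	crypto_mechanism_t mac_mech;
	crypto_data_t dd;
	crypto_data_t mac;
	iovec_t vdata, vmac;

	mac_mech.cm_type = mech;
	mac_mech.cm_param = NULL;
	mac_mech.cm_param_len = 0;

	vdata.iov_base = data;
	vdata.iov_len = datalen;

	bzero(&dd, sizeof (dd));
	dd.cd_format = CRYPTO_DATA_RAW;
	dd.cd_offset = 0;
	dd.cd_length = datalen;
	dd.cd_raw = vdata;

	vmac.iov_base = hmac;
	vmac.iov_len = hmaclen;

	/* zero the whole descriptor so no field is handed to KEF unset */
	bzero(&mac, sizeof (mac));
	mac.cd_format = CRYPTO_DATA_RAW;
	mac.cd_offset = 0;
	mac.cd_length = hmaclen;
	mac.cd_raw = vmac;

	/*
	 * Compute MAC of the plaintext decrypted above.
	 */
	rv = crypto_mac(&mac_mech, &dd, key, NULL, &mac, NULL);

	if (rv != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
	}

	return (rv);
}

/*
 * cryptmod_mac_equal
 *
 * Constant-time comparison of two MAC values.  bcmp() stops at the
 * first differing byte, which lets a peer learn how many leading bytes
 * of a forged MAC were correct from the response time; a MAC check must
 * touch every byte regardless of where the mismatch is.
 *
 * Returns 1 if the n bytes at a and b are identical, 0 otherwise.
 */
static int
cryptmod_mac_equal(const uchar_t *a, const uchar_t *b, size_t n)
{
	volatile uchar_t diff = 0;
	size_t i;

	for (i = 0; i < n; i++)
		diff |= (uchar_t)(a[i] ^ b[i]);

	return (diff == 0);
}

/*
 * XOR one 16-byte AES block (src) into another (dst).  Wrapped in
 * do/while so the macro is a single statement wherever it is used.
 */
#define	XOR_BLOCK(src, dst) \
	do { \
		(dst)[0] ^= (src)[0]; \
		(dst)[1] ^= (src)[1]; \
		(dst)[2] ^= (src)[2]; \
		(dst)[3] ^= (src)[3]; \
		(dst)[4] ^= (src)[4]; \
		(dst)[5] ^= (src)[5]; \
		(dst)[6] ^= (src)[6]; \
		(dst)[7] ^= (src)[7]; \
		(dst)[8] ^= (src)[8]; \
		(dst)[9] ^= (src)[9]; \
		(dst)[10] ^= (src)[10]; \
		(dst)[11] ^= (src)[11]; \
		(dst)[12] ^= (src)[12]; \
		(dst)[13] ^= (src)[13]; \
		(dst)[14] ^= (src)[14]; \
		(dst)[15] ^= (src)[15]; \
	} while (0)

/* xorblock(x, y): x ^= y, block-wise */
#define	xorblock(x, y)	XOR_BLOCK(y, x)

/*
 * aes_cbc_cts_encrypt
 *
 * In-place AES CBC encryption with ciphertext stealing (RFC 3962 style)
 * of 'length' bytes at 'plain', chained from tmi->enc_data.ivec when one
 * is configured (zero IV otherwise).  The CBC chaining is done by hand
 * (XOR, then single-block KEF updates with no mechanism parameter) so
 * that the final two blocks can be swapped/truncated for CTS.
 *
 * A single-block input is encrypted with one unchained crypto_encrypt.
 *
 * Returns CRYPTO_SUCCESS or the first failing KEF result code.  All
 * scratch blocks and tmi->enc_data.block are zeroed on every exit.
 *
 * NOTE(review): on a crypto_encrypt_update failure the KEF context in
 * tmi->enc_data.ctx is neither cancelled nor reset to NULL here; whether
 * KEF has already released it on that path is not visible in this file.
 */
static int
aes_cbc_cts_encrypt(struct tmodinfo *tmi, uchar_t *plain, size_t length)
{
	int result = CRYPTO_SUCCESS;
	unsigned char tmp[DEFAULT_AES_BLOCKLEN];
	unsigned char tmp2[DEFAULT_AES_BLOCKLEN];
	unsigned char tmp3[DEFAULT_AES_BLOCKLEN];
	int nblocks = 0, blockno;
	crypto_data_t ct, pt;
	crypto_mechanism_t mech;

	mech.cm_type = tmi->enc_data.mech_type;
	if (tmi->enc_data.ivlen > 0 && tmi->enc_data.ivec != NULL) {
		bcopy(tmi->enc_data.ivec, tmp, DEFAULT_AES_BLOCKLEN);
	} else {
		bzero(tmp, sizeof (tmp));
	}
	/* chaining is done by hand below, so no IV is handed to KEF */
	mech.cm_param = NULL;
	mech.cm_param_len = 0;

	nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN;

	bzero(&ct, sizeof (crypto_data_t));
	bzero(&pt, sizeof (crypto_data_t));

	if (nblocks == 1) {
		pt.cd_format = CRYPTO_DATA_RAW;
		pt.cd_length = length;
		pt.cd_raw.iov_base = (char *)plain;
		pt.cd_raw.iov_len = length;

		result = crypto_encrypt(&mech, &pt,
		    &tmi->enc_data.d_encr_key, NULL, NULL, NULL);

		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
			    "crypto_encrypt failed: %0x", result);
		}
	} else {
		size_t nleft;

		ct.cd_format = CRYPTO_DATA_RAW;
		ct.cd_offset = 0;
		ct.cd_length = DEFAULT_AES_BLOCKLEN;

		pt.cd_format = CRYPTO_DATA_RAW;
		pt.cd_offset = 0;
		pt.cd_length = DEFAULT_AES_BLOCKLEN;

		result = crypto_encrypt_init(&mech,
		    &tmi->enc_data.d_encr_key,
		    tmi->enc_data.enc_tmpl,
		    &tmi->enc_data.ctx, NULL);

		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
			    "crypto_encrypt_init failed: %0x", result);
			goto cleanup;
		}

		/* Plain CBC for every block except the last two */
		for (blockno = 0; blockno < nblocks - 2; blockno++) {
			xorblock(tmp, plain + blockno * DEFAULT_AES_BLOCKLEN);

			pt.cd_raw.iov_base = (char *)tmp;
			pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;

			ct.cd_raw.iov_base = (char *)plain +
			    blockno * DEFAULT_AES_BLOCKLEN;
			ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;

			result = crypto_encrypt_update(tmi->enc_data.ctx,
			    &pt, &ct, NULL);

			if (result != CRYPTO_SUCCESS) {
				cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
				    "crypto_encrypt_update failed: %0x",
				    result);
				goto cleanup;
			}
			/* copy result over original bytes */
			/* make another copy for the next XOR step */
			bcopy(plain + blockno * DEFAULT_AES_BLOCKLEN,
			    tmp, DEFAULT_AES_BLOCKLEN);
		}
		/* XOR cipher text from n-3 with plain text from n-2 */
		xorblock(tmp, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN);

		pt.cd_raw.iov_base = (char *)tmp;
		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;

		ct.cd_raw.iov_base = (char *)tmp2;
		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;

		/* encrypt XOR-ed block N-2 */
		result = crypto_encrypt_update(tmi->enc_data.ctx,
		    &pt, &ct, NULL);
		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
			    "crypto_encrypt_update(2) failed: %0x",
			    result);
			goto cleanup;
		}
		/* bytes of real plaintext in the (possibly partial) last block */
		nleft = length - (nblocks - 1) * DEFAULT_AES_BLOCKLEN;

		bzero(tmp3, sizeof (tmp3));
		/* Save final plaintext bytes from n-1 */
		bcopy(plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3,
		    nleft);

		/* Overwrite n-1 with cipher text from n-2 */
		bcopy(tmp2, plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN,
		    nleft);

		bcopy(tmp2, tmp, DEFAULT_AES_BLOCKLEN);
		/* XOR cipher text from n-1 with plain text from n-1 */
		xorblock(tmp, tmp3);

		pt.cd_raw.iov_base = (char *)tmp;
		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;

		ct.cd_raw.iov_base = (char *)tmp2;
		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;

		/* encrypt block N-2 */
		result = crypto_encrypt_update(tmi->enc_data.ctx,
		    &pt, &ct, NULL);

		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
			    "crypto_encrypt_update(3) failed: %0x",
			    result);
			goto cleanup;
		}

		/* the stolen (full) ciphertext block goes in position n-2 */
		bcopy(tmp2, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
		    DEFAULT_AES_BLOCKLEN);


		ct.cd_raw.iov_base = (char *)tmp2;
		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;

		/*
		 * Ignore the output on the final step.
		 */
		result = crypto_encrypt_final(tmi->enc_data.ctx, &ct, NULL);
		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
			    "crypto_encrypt_final(3) failed: %0x",
			    result);
		}
		tmi->enc_data.ctx = NULL;
	}
cleanup:
	bzero(tmp, sizeof (tmp));
	bzero(tmp2, sizeof (tmp2));
	bzero(tmp3, sizeof (tmp3));
	bzero(tmi->enc_data.block, tmi->enc_data.blocklen);
	return (result);
}

/*
 * aes_cbc_cts_decrypt
 *
 * In-place inverse of aes_cbc_cts_encrypt: AES CBC-CTS decryption of
 * 'length' bytes at 'buff', chained from tmi->dec_data.ivec when the
 * IV is in use (zero IV otherwise).  tmi->dec_data.block is used as
 * scratch to hold the previous ciphertext block for the XOR step.
 *
 * Returns CRYPTO_SUCCESS or the first failing KEF result code.  All
 * scratch blocks and tmi->dec_data.block are zeroed on every exit.
 *
 * NOTE(review): as in the encrypt side, a failed crypto_decrypt_update
 * leaves tmi->dec_data.ctx set; its ownership on that path is not
 * visible here.
 */
static int
aes_cbc_cts_decrypt(struct tmodinfo *tmi, uchar_t *buff, size_t length)
{
	int result = CRYPTO_SUCCESS;
	unsigned char tmp[DEFAULT_AES_BLOCKLEN];
	unsigned char tmp2[DEFAULT_AES_BLOCKLEN];
	unsigned char tmp3[DEFAULT_AES_BLOCKLEN];
	int nblocks = 0, blockno;
	crypto_data_t ct, pt;
	crypto_mechanism_t mech;

	mech.cm_type = tmi->enc_data.mech_type;

	if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
	    tmi->dec_data.ivlen > 0 && tmi->dec_data.ivec != NULL) {
		bcopy(tmi->dec_data.ivec, tmp, DEFAULT_AES_BLOCKLEN);
	} else {
		bzero(tmp, sizeof (tmp));
	}
	/* chaining is done by hand below, so no IV is handed to KEF */
	mech.cm_param_len = 0;
	mech.cm_param = NULL;

	nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN;

	bzero(&pt, sizeof (pt));
	bzero(&ct, sizeof (ct));

	if (nblocks == 1) {
		ct.cd_format = CRYPTO_DATA_RAW;
		ct.cd_length = length;
		ct.cd_raw.iov_base = (char *)buff;
		ct.cd_raw.iov_len = length;

		result = crypto_decrypt(&mech, &ct,
		    &tmi->dec_data.d_encr_key, NULL, NULL, NULL);

		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
			    "crypto_decrypt failed: %0x", result);
			goto cleanup;
		}
	} else {
		ct.cd_format = CRYPTO_DATA_RAW;
		ct.cd_offset = 0;
		ct.cd_length = DEFAULT_AES_BLOCKLEN;

		pt.cd_format = CRYPTO_DATA_RAW;
		pt.cd_offset = 0;
		pt.cd_length = DEFAULT_AES_BLOCKLEN;

		result = crypto_decrypt_init(&mech,
		    &tmi->dec_data.d_encr_key,
		    tmi->dec_data.enc_tmpl,
		    &tmi->dec_data.ctx, NULL);

		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
			    "crypto_decrypt_init failed: %0x", result);
			goto cleanup;
		}
		/* Plain CBC for every block except the last two */
		for (blockno = 0; blockno < nblocks - 2; blockno++) {
			ct.cd_raw.iov_base = (char *)buff +
			    (blockno * DEFAULT_AES_BLOCKLEN);
			ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;

			pt.cd_raw.iov_base = (char *)tmp2;
			pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;

			/*
			 * Save the input to the decrypt so it can
			 * be used later for an XOR operation
			 */
			bcopy(buff + (blockno * DEFAULT_AES_BLOCKLEN),
			    tmi->dec_data.block, DEFAULT_AES_BLOCKLEN);

			result = crypto_decrypt_update(tmi->dec_data.ctx,
			    &ct, &pt, NULL);
			if (result != CRYPTO_SUCCESS) {
				cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
				    "crypto_decrypt_update(1) error - "
				    "result = 0x%08x", result);
				goto cleanup;
			}
			xorblock(tmp2, tmp);
			bcopy(tmp2, buff + blockno * DEFAULT_AES_BLOCKLEN,
			    DEFAULT_AES_BLOCKLEN);
			/*
			 * The original cipher text is used as the xor
			 * for the next block, save it here.
			 */
			bcopy(tmi->dec_data.block, tmp, DEFAULT_AES_BLOCKLEN);
		}
		ct.cd_raw.iov_base = (char *)buff +
		    ((nblocks - 2) * DEFAULT_AES_BLOCKLEN);
		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
		pt.cd_raw.iov_base = (char *)tmp2;
		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;

		result = crypto_decrypt_update(tmi->dec_data.ctx,
		    &ct, &pt, NULL);
		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN,
			    "aes_cbc_cts_decrypt: "
			    "crypto_decrypt_update(2) error -"
			    " result = 0x%08x", result);
			goto cleanup;
		}
		/* tmp3 = the (possibly partial) last ciphertext block */
		bzero(tmp3, sizeof (tmp3));
		bcopy(buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3,
		    length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));

		/* recover the partial last plaintext block in place */
		xorblock(tmp2, tmp3);
		bcopy(tmp2, buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN,
		    length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));

		/* 2nd to last block ... */
		bcopy(tmp3, tmp2,
		    length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));

		ct.cd_raw.iov_base = (char *)tmp2;
		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
		pt.cd_raw.iov_base = (char *)tmp3;
		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;

		result = crypto_decrypt_update(tmi->dec_data.ctx,
		    &ct, &pt, NULL);
		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN,
			    "aes_cbc_cts_decrypt: "
			    "crypto_decrypt_update(3) error - "
			    "result = 0x%08x", result);
			goto cleanup;
		}
		xorblock(tmp3, tmp);


		/* Finally, update the 2nd to last block and we are done. */
		bcopy(tmp3, buff + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
		    DEFAULT_AES_BLOCKLEN);

		/* Do Final step, but ignore output */
		pt.cd_raw.iov_base = (char *)tmp2;
		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
		result = crypto_decrypt_final(tmi->dec_data.ctx, &pt, NULL);
		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
			    "crypto_decrypt_final error - "
			    "result = 0x%0x", result);
		}
		tmi->dec_data.ctx = NULL;
	}

cleanup:
	bzero(tmp, sizeof (tmp));
	bzero(tmp2, sizeof (tmp2));
	bzero(tmp3, sizeof (tmp3));
	bzero(tmi->dec_data.block, tmi->dec_data.blocklen);
	return (result);
}

/*
 * AES decrypt
 *
 * format of ciphertext when using AES
 * +-------------+------------+------------+
 * | confounder  |  msg-data  |    hmac    |
 * +-------------+------------+------------+
 *
 * Decrypts the mblk in place, verifies the truncated SHA1-HMAC that was
 * computed over the plaintext (confounder + msg-data), and on success
 * trims the mblk to msg-data only.  On any failure the mblk is turned
 * into an M_ERROR (EIO) and sent back up; NULL is returned.
 *
 * The message length comes off the wire, so it is checked against the
 * minimum (confounder + truncated HMAC) before any arithmetic on it:
 * a shorter message would wrap enclen and run the decrypt past the mblk.
 */
static mblk_t *
aes_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
    hash_info_t *hash)
{
	int result;
	size_t enclen;
	size_t inlen;
	int nblocks = 0;
	int use_ivec;
	uchar_t hmacbuff[64];
	uchar_t tmpiv[DEFAULT_AES_BLOCKLEN];

	inlen = (size_t)MBLKL(mp);

	if (inlen < DEFAULT_AES_BLOCKLEN + AES_TRUNCATED_HMAC_LEN) {
		cmn_err(CE_WARN, "aes_decrypt: message too short "
		    "(len: %ld)", (long)inlen);
		result = CRYPTO_FAILED;
		goto cleanup;
	}

	/* hash_len is the full digest size; hmacbuff must hold it */
	ASSERT(hash->hash_len <= sizeof (hmacbuff));

	enclen = inlen - AES_TRUNCATED_HMAC_LEN;
	nblocks = (enclen + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN;

	/*
	 * The next IV is the next-to-last ciphertext block, which only
	 * exists when there are at least two blocks.  Save it before the
	 * in-place decrypt overwrites it.
	 */
	use_ivec = (tmi->dec_data.ivec_usage != IVEC_NEVER &&
	    tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0 &&
	    nblocks >= 2);
	if (use_ivec) {
		bcopy(mp->b_rptr + DEFAULT_AES_BLOCKLEN * (nblocks - 2),
		    tmpiv, DEFAULT_AES_BLOCKLEN);
	}

	/* AES Decrypt */
	result = aes_cbc_cts_decrypt(tmi, mp->b_rptr, enclen);

	if (result != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN,
		    "aes_decrypt: aes_cbc_cts_decrypt "
		    "failed - error %0x", result);
		goto cleanup;
	}

	/* Verify the HMAC */
	result = do_hmac(sha1_hmac_mech,
	    &tmi->dec_data.d_hmac_key,
	    (char *)mp->b_rptr, enclen,
	    (char *)hmacbuff, hash->hash_len);

	if (result != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN,
		    "aes_decrypt: do_hmac failed - error %0x", result);
		goto cleanup;
	}

	/*
	 * Constant-time compare: the peer controls the received MAC and
	 * can observe our timing.  Note the CE_WARN below is reachable by
	 * any peer that sends garbage, so it can be noisy in the log.
	 */
	if (!cryptmod_mac_equal(hmacbuff, mp->b_rptr + enclen,
	    AES_TRUNCATED_HMAC_LEN)) {
		result = -1;
		cmn_err(CE_WARN, "aes_decrypt: checksum verification failed");
		goto cleanup;
	}

	/* truncate the mblk at the end of the decrypted text */
	mp->b_wptr = mp->b_rptr + enclen;

	/* Adjust the beginning of the buffer to skip the confounder */
	mp->b_rptr += DEFAULT_AES_BLOCKLEN;

	if (use_ivec)
		bcopy(tmpiv, tmi->dec_data.ivec, DEFAULT_AES_BLOCKLEN);

cleanup:
	if (result != CRYPTO_SUCCESS) {
		mp->b_datap->db_type = M_ERROR;
		mp->b_rptr = mp->b_datap->db_base;
		*mp->b_rptr = EIO;
		mp->b_wptr = mp->b_rptr + sizeof (char);
		freemsg(mp->b_cont);
		mp->b_cont = NULL;
		qreply(WR(q), mp);
		return (NULL);
	}
	return (mp);
}

/*
 * AES encrypt
 *
 * format of ciphertext when using AES
 * +-------------+------------+------------+
 * | confounder  |  msg-data  |    hmac    |
 * +-------------+------------+------------+
 *
 * Prepends a random confounder block, computes the SHA1-HMAC over
 * confounder + plaintext (before the in-place encrypt destroys it),
 * encrypts with AES-CBC-CTS and appends the truncated HMAC.  The caller
 * must have left DEFAULT_AES_BLOCKLEN bytes of headroom and enough
 * tailroom for the HMAC (asserted via encrypt_size()).
 * On failure the mblk becomes an M_ERROR (EIO) and NULL is returned.
 */
static mblk_t *
aes_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
    hash_info_t *hash)
{
	int result;
	size_t cipherlen;
	size_t inlen;
	uchar_t hmacbuff[64];

	inlen = (size_t)MBLKL(mp);

	cipherlen = encrypt_size(&tmi->enc_data, inlen);

	ASSERT(MBLKSIZE(mp) >= cipherlen);
	ASSERT(hash->hash_len <= sizeof (hmacbuff));

	/*
	 * Shift the rptr back enough to insert the confounder.
	 */
	mp->b_rptr -= DEFAULT_AES_BLOCKLEN;

	/* Get random data for confounder */
	(void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr,
	    DEFAULT_AES_BLOCKLEN);

	/*
	 * Because we encrypt in-place, we need to calculate
	 * the HMAC of the plaintext now, then stick it on
	 * the end of the ciphertext down below.
	 */
	result = do_hmac(sha1_hmac_mech,
	    &tmi->enc_data.d_hmac_key,
	    (char *)mp->b_rptr, DEFAULT_AES_BLOCKLEN + inlen,
	    (char *)hmacbuff, hash->hash_len);

	if (result != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN, "aes_encrypt: do_hmac failed - error %0x",
		    result);
		goto cleanup;
	}
	/* Encrypt using AES-CBC-CTS */
	result = aes_cbc_cts_encrypt(tmi, mp->b_rptr,
	    inlen + DEFAULT_AES_BLOCKLEN);

	if (result != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN, "aes_encrypt: aes_cbc_cts_encrypt "
		    "failed - error %0x", result);
		goto cleanup;
	}

	/* copy the truncated HMAC to the end of the mblk */
	bcopy(hmacbuff, mp->b_rptr + DEFAULT_AES_BLOCKLEN + inlen,
	    AES_TRUNCATED_HMAC_LEN);

	mp->b_wptr = mp->b_rptr + cipherlen;

	/*
	 * The final block of cipher text (not the HMAC) is used
	 * as the next IV.  With a single block (empty msg-data) there
	 * is no next-to-last block, so the IV is left untouched rather
	 * than read from before the start of the buffer.
	 */
	if (tmi->enc_data.ivec_usage != IVEC_NEVER &&
	    tmi->enc_data.ivec != NULL) {
		int nblocks = (inlen + 2 * DEFAULT_AES_BLOCKLEN - 1) /
		    DEFAULT_AES_BLOCKLEN;

		if (nblocks >= 2) {
			bcopy(mp->b_rptr + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
			    tmi->enc_data.ivec, DEFAULT_AES_BLOCKLEN);
		}
	}

cleanup:
	bzero(hmacbuff, sizeof (hmacbuff));
	if (result != CRYPTO_SUCCESS) {
		mp->b_datap->db_type = M_ERROR;
		mp->b_rptr = mp->b_datap->db_base;
		*mp->b_rptr = EIO;
		mp->b_wptr = mp->b_rptr + sizeof (char);
		freemsg(mp->b_cont);
		mp->b_cont = NULL;
		qreply(WR(q), mp);
		return (NULL);
	}
	return (mp);
}

/*
 * ARCFOUR-HMAC-MD5 decrypt
 *
 * format of ciphertext when using ARCFOUR-HMAC-MD5
 * +-----------+------------+------------+
 * |   hmac    | confounder |  msg-data  |
 * +-----------+------------+------------+
 *
 * Key schedule (per the RC4-HMAC spec):
 *   k1 = HMAC-MD5(ckey, usage salt)   [trailing 9 bytes set to 0xab for
 *                                      the "exportable" enctype]
 *   k2 = k1 before that neutering, used to MAC confounder + plaintext
 *   k3 = HMAC-MD5(k1, received hmac), the RC4 key
 *
 * In RCMD V2 mode the RC4 key and stream context are derived once and
 * chained across messages; in V1 mode they are re-derived every call.
 * The received length is checked against hmac + confounder up front
 * so cipherlen cannot wrap and the final rptr adjustment cannot pass
 * wptr.  The MAC is compared in constant time.
 *
 * NOTE(review): in V2 mode the RC4 stream has already been advanced by
 * the time a bad MAC is detected, so a single corrupted message
 * desynchronises every subsequent one; that matches the protocol, but
 * it is worth knowing when reading the error path.
 */
static mblk_t *
arcfour_hmac_md5_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
    hash_info_t *hash)
{
	int result;
	size_t cipherlen;
	size_t inlen;
	size_t saltlen;
	crypto_key_t k1, k2;
	crypto_data_t indata;
	iovec_t v1;
	uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab,
		0xab, 0xab, 0xab, 0xab };
	uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES];
	uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES];
	uchar_t cksum[MD5_HASHSIZE];
	uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES];
	crypto_mechanism_t mech;
	int usage;

	bzero(&indata, sizeof (indata));

	/* The usage constant is 1026 for all "old" rcmd mode operations */
	if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1)
		usage = RCMDV1_USAGE;
	else
		usage = ARCFOUR_DECRYPT_USAGE;

	/*
	 * The size at this point should be the size of
	 * all the plaintext plus the optional plaintext length
	 * needed for RCMD V2 mode. There should also be room
	 * at the head of the mblk for the confounder and hash info.
	 */
	inlen = (size_t)MBLKL(mp);

	/*
	 * Reject anything too short to hold the hash and confounder
	 * before subtracting: inlen is attacker-controlled and size_t.
	 */
	if (inlen < (size_t)hash->hash_len + (size_t)hash->confound_len) {
		cmn_err(CE_WARN, "arcfour_hmac_md5_decrypt: message too "
		    "short (len: %ld)", (long)inlen);
		result = CRYPTO_FAILED;
		goto cleanup;
	}

	/*
	 * The cipherlen does not include the HMAC at the
	 * head of the buffer.
	 */
	cipherlen = inlen - hash->hash_len;

	ASSERT(MBLKSIZE(mp) >= cipherlen);
	if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
		bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT));
		saltdata[9] = 0;
		saltdata[10] = usage & 0xff;
		saltdata[11] = (usage >> 8) & 0xff;
		saltdata[12] = (usage >> 16) & 0xff;
		saltdata[13] = (usage >> 24) & 0xff;
		saltlen = 14;
	} else {
		saltdata[0] = usage & 0xff;
		saltdata[1] = (usage >> 8) & 0xff;
		saltdata[2] = (usage >> 16) & 0xff;
		saltdata[3] = (usage >> 24) & 0xff;
		saltlen = 4;
	}
	/*
	 * Use the salt value to create a key to be used
	 * for subsequent HMAC operations.
	 */
	result = do_hmac(md5_hmac_mech,
	    tmi->dec_data.ckey,
	    (char *)saltdata, saltlen,
	    (char *)k1data, sizeof (k1data));
	if (result != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN,
		    "arcfour_hmac_md5_decrypt: do_hmac(k1)"
		    "failed - error %0x", result);
		goto cleanup;
	}
	/* k2 is the un-neutered copy of k1 */
	bcopy(k1data, k2data, sizeof (k1data));

	/*
	 * For the neutered MS RC4 encryption type,
	 * set the trailing 9 bytes of k1 to 0xab per the
	 * RC4-HMAC spec.  (bcopy is src, dst: the constant
	 * block is the source and k1data the destination.)
	 */
	if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
		bcopy(ms_exp, (void *)&k1data[7], sizeof (ms_exp));
	}

	mech.cm_type = tmi->dec_data.mech_type;
	mech.cm_param = NULL;
	mech.cm_param_len = 0;

	/*
	 * If we have not yet initialized the decryption key,
	 * context, and template, do it now.
	 */
	if (tmi->dec_data.ctx == NULL ||
	    (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) {
		k1.ck_format = CRYPTO_KEY_RAW;
		k1.ck_length = CRYPT_ARCFOUR_KEYBYTES * 8;
		k1.ck_data = k1data;

		tmi->dec_data.d_encr_key.ck_format = CRYPTO_KEY_RAW;
		tmi->dec_data.d_encr_key.ck_length = k1.ck_length;
		if (tmi->dec_data.d_encr_key.ck_data == NULL)
			tmi->dec_data.d_encr_key.ck_data = kmem_zalloc(
			    CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP);

		/*
		 * HMAC operation creates the encryption
		 * key to be used for the decrypt operations.
		 */
		result = do_hmac(md5_hmac_mech, &k1,
		    (char *)mp->b_rptr, hash->hash_len,
		    (char *)tmi->dec_data.d_encr_key.ck_data,
		    CRYPT_ARCFOUR_KEYBYTES);


		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN,
			    "arcfour_hmac_md5_decrypt: do_hmac(k3)"
			    "failed - error %0x", result);
			goto cleanup;
		}
	}

	tmi->dec_data.enc_tmpl = NULL;

	if (tmi->dec_data.ctx == NULL &&
	    (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) {
		/*
		 * Only create a template if we are doing
		 * chaining from block to block.
		 */
		result = crypto_create_ctx_template(&mech,
		    &tmi->dec_data.d_encr_key,
		    &tmi->dec_data.enc_tmpl,
		    KM_SLEEP);
		if (result == CRYPTO_NOT_SUPPORTED) {
			tmi->dec_data.enc_tmpl = NULL;
		} else if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN,
			    "arcfour_hmac_md5_decrypt: "
			    "failed to create dec template "
			    "for RC4 encrypt: %0x", result);
			goto cleanup;
		}

		result = crypto_decrypt_init(&mech,
		    &tmi->dec_data.d_encr_key,
		    tmi->dec_data.enc_tmpl,
		    &tmi->dec_data.ctx, NULL);

		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "crypto_decrypt_init failed:"
			    " %0x", result);
			goto cleanup;
		}
	}

	/* adjust the rptr so we don't decrypt the original hmac field */

	v1.iov_base = (char *)mp->b_rptr + hash->hash_len;
	v1.iov_len = cipherlen;

	indata.cd_format = CRYPTO_DATA_RAW;
	indata.cd_offset = 0;
	indata.cd_length = cipherlen;
	indata.cd_raw = v1;

	if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
		result = crypto_decrypt_update(tmi->dec_data.ctx,
		    &indata, NULL, NULL);
	else
		result = crypto_decrypt(&mech, &indata,
		    &tmi->dec_data.d_encr_key, NULL, NULL, NULL);

	if (result != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN, "crypto_decrypt_update failed:"
		    " %0x", result);
		goto cleanup;
	}

	k2.ck_format = CRYPTO_KEY_RAW;
	k2.ck_length = sizeof (k2data) * 8;
	k2.ck_data = k2data;

	/* MAC is over the decrypted confounder + plaintext */
	result = do_hmac(md5_hmac_mech,
	    &k2,
	    (char *)mp->b_rptr + hash->hash_len, cipherlen,
	    (char *)cksum, hash->hash_len);

	if (result != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN,
		    "arcfour_hmac_md5_decrypt: do_hmac(k2)"
		    "failed - error %0x", result);
		goto cleanup;
	}

	/* constant-time compare; the received MAC is peer-controlled */
	if (!cryptmod_mac_equal(cksum, mp->b_rptr, hash->hash_len)) {
		cmn_err(CE_WARN, "arcfour_decrypt HMAC comparison failed");
		result = -1;
		goto cleanup;
	}

	/*
	 * adjust the start of the mblk to skip over the
	 * hash and confounder.
	 */
	mp->b_rptr += hash->hash_len + hash->confound_len;

cleanup:
	bzero(k1data, sizeof (k1data));
	bzero(k2data, sizeof (k2data));
	bzero(cksum, sizeof (cksum));
	bzero(saltdata, sizeof (saltdata));
	if (result != CRYPTO_SUCCESS) {
		mp->b_datap->db_type = M_ERROR;
		mp->b_rptr = mp->b_datap->db_base;
		*mp->b_rptr = EIO;
		mp->b_wptr = mp->b_rptr + sizeof (char);
		freemsg(mp->b_cont);
		mp->b_cont = NULL;
		qreply(WR(q), mp);
		return (NULL);
	}
	return (mp);
}

/*
 * ARCFOUR-HMAC-MD5 encrypt
 *
 * format of ciphertext when using ARCFOUR-HMAC-MD5
 * +-----------+------------+------------+
 * |   hmac    | confounder |  msg-data  |
 * +-----------+------------+------------+
 *
 * Mirror of arcfour_hmac_md5_decrypt: derive k1/k2 from the usage salt,
 * prepend a random confounder, write HMAC-MD5(k2, confounder + msg) into
 * the hash slot, derive the RC4 key k3 = HMAC-MD5(k1, hmac) (once for
 * V2 mode, every call for V1) and encrypt confounder + msg in place.
 * The caller must have left hash_len + confound_len bytes of headroom.
 * On failure the mblk becomes an M_ERROR (EIO) and NULL is returned.
 */
static mblk_t *
arcfour_hmac_md5_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
    hash_info_t *hash)
{
	int result;
	size_t cipherlen;
	size_t inlen;
	size_t saltlen;
	crypto_key_t k1, k2;
	crypto_data_t indata;
	iovec_t v1;
	uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab,
		0xab, 0xab, 0xab, 0xab };
	uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES];
	uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES];
	uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES];
	crypto_mechanism_t mech;
	int usage;

	bzero(&indata, sizeof (indata));

	/* The usage constant is 1026 for all "old" rcmd mode operations */
	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1)
		usage = RCMDV1_USAGE;
	else
		usage = ARCFOUR_ENCRYPT_USAGE;

	mech.cm_type = tmi->enc_data.mech_type;
	mech.cm_param = NULL;
	mech.cm_param_len = 0;

	/*
	 * The size at this point should be the size of
	 * all the plaintext plus the optional plaintext length
	 * needed for RCMD V2 mode. There should also be room
	 * at the head of the mblk for the confounder and hash info.
	 */
	inlen = (size_t)MBLKL(mp);

	cipherlen = encrypt_size(&tmi->enc_data, inlen);

	ASSERT(MBLKSIZE(mp) >= cipherlen);

	/*
	 * Shift the rptr back enough to insert
	 * the confounder and hash.
	 */
	mp->b_rptr -= (hash->confound_len + hash->hash_len);

	/* zero out the hash area */
	bzero(mp->b_rptr, (size_t)hash->hash_len);

	if (cipherlen > inlen) {
		bzero(mp->b_wptr, MBLKTAIL(mp));
	}

	if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
		bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT));
		saltdata[9] = 0;
		saltdata[10] = usage & 0xff;
		saltdata[11] = (usage >> 8) & 0xff;
		saltdata[12] = (usage >> 16) & 0xff;
		saltdata[13] = (usage >> 24) & 0xff;
		saltlen = 14;
	} else {
		saltdata[0] = usage & 0xff;
		saltdata[1] = (usage >> 8) & 0xff;
		saltdata[2] = (usage >> 16) & 0xff;
		saltdata[3] = (usage >> 24) & 0xff;
		saltlen = 4;
	}
	/*
	 * Use the salt value to create a key to be used
	 * for subsequent HMAC operations.
	 */
	result = do_hmac(md5_hmac_mech,
	    tmi->enc_data.ckey,
	    (char *)saltdata, saltlen,
	    (char *)k1data, sizeof (k1data));
	if (result != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN,
		    "arcfour_hmac_md5_encrypt: do_hmac(k1)"
		    "failed - error %0x", result);
		goto cleanup;
	}

	/* k2 is the un-neutered copy of k1 */
	bcopy(k1data, k2data, sizeof (k2data));

	/*
	 * For the neutered MS RC4 encryption type,
	 * set the trailing 9 bytes of k1 to 0xab per the
	 * RC4-HMAC spec.  (bcopy is src, dst: the constant
	 * block is the source and k1data the destination.)
	 */
	if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
		bcopy(ms_exp, (void *)&k1data[7], sizeof (ms_exp));
	}

	/*
	 * Get the confounder bytes.
	 */
	(void) random_get_pseudo_bytes(
	    (uint8_t *)(mp->b_rptr + hash->hash_len),
	    (size_t)hash->confound_len);

	k2.ck_data = k2data;
	k2.ck_format = CRYPTO_KEY_RAW;
	k2.ck_length = sizeof (k2data) * 8;

	/*
	 * This writes the HMAC to the hash area in the
	 * mblk. The key used is the one just created by
	 * the previous HMAC operation.
	 * The data being processed is the confounder bytes
	 * PLUS the input plaintext.
	 */
	result = do_hmac(md5_hmac_mech, &k2,
	    (char *)mp->b_rptr + hash->hash_len,
	    hash->confound_len + inlen,
	    (char *)mp->b_rptr, hash->hash_len);
	if (result != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN,
		    "arcfour_hmac_md5_encrypt: do_hmac(k2)"
		    "failed - error %0x", result);
		goto cleanup;
	}
	/*
	 * Because of the odd way that MIT uses RC4 keys
	 * on the rlogin stream, we only need to create
	 * this key once.
	 * However, if using "old" rcmd mode, we need to do
	 * it every time.
	 */
	if (tmi->enc_data.ctx == NULL ||
	    (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) {
		crypto_key_t *key = &tmi->enc_data.d_encr_key;

		k1.ck_data = k1data;
		k1.ck_format = CRYPTO_KEY_RAW;
		k1.ck_length = sizeof (k1data) * 8;

		key->ck_format = CRYPTO_KEY_RAW;
		key->ck_length = k1.ck_length;
		if (key->ck_data == NULL)
			key->ck_data = kmem_zalloc(
			    CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP);

		/*
		 * The final HMAC operation creates the encryption
		 * key to be used for the encrypt operation.
		 */
		result = do_hmac(md5_hmac_mech, &k1,
		    (char *)mp->b_rptr, hash->hash_len,
		    (char *)key->ck_data, CRYPT_ARCFOUR_KEYBYTES);

		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN,
			    "arcfour_hmac_md5_encrypt: do_hmac(k3)"
			    "failed - error %0x", result);
			goto cleanup;
		}
	}

	/*
	 * If the context has not been initialized, do it now.
	 */
	if (tmi->enc_data.ctx == NULL &&
	    (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) {
		/*
		 * Only create a template if we are doing
		 * chaining from block to block.
		 */
		result = crypto_create_ctx_template(&mech,
		    &tmi->enc_data.d_encr_key,
		    &tmi->enc_data.enc_tmpl,
		    KM_SLEEP);
		if (result == CRYPTO_NOT_SUPPORTED) {
			tmi->enc_data.enc_tmpl = NULL;
		} else if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "failed to create enc template "
			    "for RC4 encrypt: %0x", result);
			goto cleanup;
		}

		result = crypto_encrypt_init(&mech,
		    &tmi->enc_data.d_encr_key,
		    tmi->enc_data.enc_tmpl,
		    &tmi->enc_data.ctx, NULL);
		if (result != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "crypto_encrypt_init failed:"
			    " %0x", result);
			goto cleanup;
		}
	}
	v1.iov_base = (char *)mp->b_rptr + hash->hash_len;
	v1.iov_len = hash->confound_len + inlen;

	indata.cd_format = CRYPTO_DATA_RAW;
	indata.cd_offset = 0;
	indata.cd_length = hash->confound_len + inlen;
	indata.cd_raw = v1;

	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
		result = crypto_encrypt_update(tmi->enc_data.ctx,
		    &indata, NULL, NULL);
	else
		result = crypto_encrypt(&mech, &indata,
		    &tmi->enc_data.d_encr_key, NULL,
		    NULL, NULL);

	if (result != CRYPTO_SUCCESS) {
		cmn_err(CE_WARN, "crypto_encrypt_update failed: 0x%0x",
		    result);
	}

cleanup:
	bzero(k1data, sizeof (k1data));
	bzero(k2data, sizeof (k2data));
	bzero(saltdata, sizeof (saltdata));
	if (result != CRYPTO_SUCCESS) {
		mp->b_datap->db_type = M_ERROR;
		mp->b_rptr = mp->b_datap->db_base;
		*mp->b_rptr = EIO;
		mp->b_wptr = mp->b_rptr + sizeof (char);
		freemsg(mp->b_cont);
		mp->b_cont = NULL;
		qreply(WR(q), mp);
		return (NULL);
	}
	return (mp);
}

/*
 * DES-CBC-[HASH] encrypt
 *
 * Needed to support userland apps that must support Kerberos V5
 * encryption DES-CBC encryption modes.
 *
 * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1
 *
 * format of ciphertext for DES-CBC functions, per RFC1510 is:
 * +-----------+----------+-------------+-----+
 * |confounder |  cksum   |   msg-data  | pad |
 * +-----------+----------+-------------+-----+
 *
 * format of ciphertext when using DES3-SHA1-HMAC
 * +-----------+----------+-------------+-----+
 * |confounder | msg-data |    hmac     | pad |
 * +-----------+----------+-------------+-----+
 *
 * The confounder is 8 bytes of random data.
 * The cksum depends on the hash being used.
 *	4 bytes for CRC32
 *	16 bytes for MD5
 *	20 bytes for SHA1
 *	0 bytes for RAW
 *
 * For the RFC1510 modes the checksum is computed over confounder +
 * zeroed-cksum-slot + msg-data + pad and then everything is encrypted
 * with kef_crypt(); for DES3-SHA1 the encrypt-then-HMAC is done by
 * kef_encr_hmac() (defined elsewhere in this file).
 * On failure the mblk becomes an M_ERROR (EIO) and NULL is returned.
 */
static mblk_t *
des_cbc_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash)
{
	int result = CRYPTO_SUCCESS;
	size_t cipherlen;
	size_t inlen;
	size_t plainlen;

	/*
	 * The size at this point should be the size of
	 * all the plaintext plus the optional plaintext length
	 * needed for RCMD V2 mode. There should also be room
	 * at the head of the mblk for the confounder and hash info.
	 */
	inlen = (size_t)MBLKL(mp);

	/*
	 * The output size will be a multiple of 8 because this algorithm
	 * only works on 8 byte chunks.
	 */
	cipherlen = encrypt_size(&tmi->enc_data, inlen);

	ASSERT(MBLKSIZE(mp) >= cipherlen);

	if (cipherlen > inlen) {
		bzero(mp->b_wptr, MBLKTAIL(mp));
	}

	/*
	 * Shift the rptr back enough to insert
	 * the confounder and hash.
	 */
	if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
		mp->b_rptr -= hash->confound_len;
	} else {
		mp->b_rptr -= (hash->confound_len + hash->hash_len);

		/* zero out the hash area */
		bzero(mp->b_rptr + hash->confound_len, (size_t)hash->hash_len);
	}

	/* get random confounder from our friend, the 'random' module */
	if (hash->confound_len > 0) {
		(void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr,
		    (size_t)hash->confound_len);
	}

	/*
	 * For 3DES we calculate an HMAC later.
	 */
	if (tmi->enc_data.method != CRYPT_METHOD_DES3_CBC_SHA1) {
		/* calculate chksum of confounder + input */
		if (hash->hash_len > 0 && hash->hashfunc != NULL) {
			uchar_t cksum[MAX_CKSUM_LEN];

			result = hash->hashfunc(cksum, mp->b_rptr,
			    cipherlen);
			if (result != CRYPTO_SUCCESS) {
				goto failure;
			}

			/* put hash in place right after the confounder */
			bcopy(cksum, (mp->b_rptr + hash->confound_len),
			    (size_t)hash->hash_len);
		}
	}
	/*
	 * In order to support the "old" Kerberos RCMD protocol,
	 * we must use the IVEC 3 different ways:
	 *   IVEC_REUSE = keep using the same IV each time, this is
	 *		ugly and insecure, but necessary for
	 *		backwards compatibility with existing MIT code.
	 *   IVEC_ONETIME = Use the ivec as initialized when the crypto
	 *		was setup (see setup_crypto routine).
	 *   IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk).
	 */
	if (tmi->enc_data.ivec_usage == IVEC_NEVER) {
		bzero(tmi->enc_data.block, tmi->enc_data.blocklen);
	} else if (tmi->enc_data.ivec_usage == IVEC_REUSE) {
		bcopy(tmi->enc_data.ivec, tmi->enc_data.block,
		    tmi->enc_data.blocklen);
	}

	if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
		/*
		 * The input length already included the hash size,
		 * don't include this in the plaintext length
		 * calculations.
		 */
		plainlen = cipherlen - hash->hash_len;

		mp->b_wptr = mp->b_rptr + plainlen;

		result = kef_encr_hmac(&tmi->enc_data,
		    (void *)mp, (size_t)plainlen,
		    (char *)(mp->b_rptr + plainlen),
		    hash->hash_len);
	} else {
		ASSERT(mp->b_rptr + cipherlen <= DB_LIM(mp));
		mp->b_wptr = mp->b_rptr + cipherlen;
		result = kef_crypt(&tmi->enc_data, (void *)mp,
		    CRYPTO_DATA_MBLK, (size_t)cipherlen,
		    CRYPT_ENCRYPT);
	}
failure:
	if (result != CRYPTO_SUCCESS) {
#ifdef DEBUG
		cmn_err(CE_WARN,
		    "des_cbc_encrypt: kef_crypt encrypt "
		    "failed (len: %ld) - error %0x",
		    cipherlen, result);
#endif
		mp->b_datap->db_type = M_ERROR;
		mp->b_rptr = mp->b_datap->db_base;
		*mp->b_rptr = EIO;
		mp->b_wptr = mp->b_rptr + sizeof (char);
		freemsg(mp->b_cont);
		mp->b_cont = NULL;
		qreply(WR(q), mp);
		return (NULL);
	} else if (tmi->enc_data.ivec_usage == IVEC_ONETIME) {
		/*
		 * Because we are using KEF, we must manually
		 * update our IV: the last ciphertext block written
		 * (b_wptr - ivlen) chains into the next message.
		 */
		bcopy(mp->b_wptr - tmi->enc_data.ivlen,
		    tmi->enc_data.block, tmi->enc_data.ivlen);
	}
	if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
		mp->b_wptr = mp->b_rptr + cipherlen;
	}

	return (mp);
}

/*
 * des_cbc_decrypt
 *
 *
 * Needed to support userland apps that must support Kerberos V5
 * encryption DES-CBC decryption modes.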
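 *
 * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1
 *
 * format of ciphertext for DES-CBC functions, per RFC1510 is:
 *    +-----------+----------+-------------+-----+
 *    |confounder |   cksum  |   msg-data  | pad |
 *    +-----------+----------+-------------+-----+
 *
 * format of ciphertext when using DES3-SHA1-HMAC
 *    +-----------+----------+-------------+-----+
 *    |confounder | msg-data |    hmac     | pad |
 *    +-----------+----------+-------------+-----+
 *
 * The confounder is 8 bytes of random data.
 * The cksum depends on the hash being used.
 *    4 bytes for CRC32
 *   16 bytes for MD5
 *   20 bytes for SHA1
 *    0 bytes for RAW
 *
 */

/*
 * cryptmod_reply_eio
 *
 * Shared failure path for the crypto routines: turn mp into a one-byte
 * M_ERROR carrying EIO and send it toward the stream head.  qreply() on
 * WR(q) delivers on the read side whether q itself is the read or the
 * write queue, which is why every error site in this module uses that
 * form.  mp's continuation is discarded and mp must not be used by the
 * caller afterwards.
 */
static void
cryptmod_reply_eio(queue_t *q, mblk_t *mp)
{
	mp->b_datap->db_type = M_ERROR;
	mp->b_rptr = mp->b_datap->db_base;
	*mp->b_rptr = EIO;
	mp->b_wptr = mp->b_rptr + sizeof (char);
	freemsg(mp->b_cont);
	mp->b_cont = NULL;
	qreply(WR(q), mp);
}

/*
 * des_cbc_decrypt
 *
 * Inverse of des_cbc_encrypt() for the layouts described above.
 *
 * Arguments:
 *   q    - queue the message arrived on (read side); used for the
 *          M_ERROR reply on failure.
 *   tmi  - per-stream state; tmi->dec_data holds method, key, IV policy
 *          and the running IV ("block").
 *   mp   - a single mblk holding one complete ciphertext message.
 *          Nothing upstream of this function validates its length, so
 *          it is checked here before any pointer arithmetic uses it.
 *   hash - the checksum variant in use (see do_decrypt).
 *
 * Returns mp trimmed to the plaintext (confounder, checksum/HMAC and pad
 * stripped) on success.  On failure -- short input, KEF error or a
 * checksum/HMAC mismatch -- an M_ERROR is sent upstream and NULL is
 * returned; mp is consumed either way.
 *
 * NOTE(review): the CRC32/MD5 "checksums" of the single-DES modes are
 * unkeyed and only protected by being encrypted; only the 3DES HMAC is
 * a real MAC.  bcmp() is not constant-time; a length-independent
 * comparison for the HMAC case would avoid leaking how many leading
 * bytes matched.  Not changed here.
 */
static mblk_t *
des_cbc_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash)
{
	uint_t inlen, datalen, minlen;
	int result = 0;
	int is3des;
	uchar_t *optr = NULL;
	uchar_t cksum[MAX_CKSUM_LEN], newcksum[MAX_CKSUM_LEN];
	uchar_t nextiv[DEFAULT_DES_BLOCKLEN];

	is3des = (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1);

	/* Compute adjusted size */
	inlen = MBLKL(mp);
	optr = mp->b_rptr;

	/*
	 * Reject input that cannot hold the confounder plus checksum (or
	 * trailing HMAC) and the IV bytes saved below.  Without this,
	 * decrypt_len goes negative /datalen underflows and the bcopy()s
	 * read outside the mblk.
	 */
	minlen = hash->confound_len + hash->hash_len;
	if (tmi->dec_data.ivec_usage == IVEC_ONETIME &&
	    minlen < tmi->dec_data.ivlen)
		minlen = tmi->dec_data.ivlen;
	if (inlen < minlen) {
#ifdef DEBUG
		cmn_err(CE_WARN, "des_cbc_decrypt: short ciphertext "
		    "(%u bytes, need at least %u)", inlen, minlen);
#endif
		cryptmod_reply_eio(q, mp);
		return (NULL);
	}

	/*
	 * In order to support the "old" Kerberos RCMD protocol,
	 * we must use the IVEC 3 different ways:
	 *   IVEC_REUSE = keep using the same IV each time, this is
	 *		ugly and insecure, but necessary for
	 *		backwards compatibility with existing MIT code.
	 *   IVEC_ONETIME = Use the ivec as initialized when the crypto
	 *		was setup (see setup_crypto routine) and chain
	 *		from message to message.
	 *   IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk).
	 */
	if (tmi->dec_data.ivec_usage == IVEC_NEVER) {
		bzero(tmi->dec_data.block, tmi->dec_data.blocklen);
	} else if (tmi->dec_data.ivec_usage == IVEC_REUSE) {
		bcopy(tmi->dec_data.ivec, tmi->dec_data.block,
		    tmi->dec_data.blocklen);
	}

	if (is3des) {
		/* Do not decrypt the HMAC at the end */
		int decrypt_len = inlen - hash->hash_len;

		/*
		 * Move the wptr so the mblk appears to end
		 * BEFORE the HMAC section.
		 */
		mp->b_wptr = mp->b_rptr + decrypt_len;

		/*
		 * Because we are using KEF, we must manually update our
		 * IV: remember the last ciphertext block before it is
		 * overwritten in place.
		 */
		if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
			bcopy(mp->b_rptr + decrypt_len - tmi->dec_data.ivlen,
			    nextiv, tmi->dec_data.ivlen);
		}

		/* newcksum receives the HMAC computed over the ciphertext */
		result = kef_decr_hmac(&tmi->dec_data, mp, decrypt_len,
		    (char *)newcksum, hash->hash_len);
	} else {
		/*
		 * Same IV bookkeeping as above.  This is the decrypt
		 * side, so the offset uses dec_data.ivlen (the original
		 * mixed enc_data.ivlen for the offset with dec_data.ivlen
		 * for the length).
		 */
		if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
			bcopy(mp->b_wptr - tmi->dec_data.ivlen, nextiv,
			    tmi->dec_data.ivlen);
		}
		result = kef_crypt(&tmi->dec_data, (void *)mp,
		    CRYPTO_DATA_MBLK, (size_t)inlen, CRYPT_DECRYPT);
	}
	if (result != CRYPTO_SUCCESS) {
#ifdef DEBUG
		cmn_err(CE_WARN,
		    "des_cbc_decrypt: kef_crypt decrypt "
		    "failed - error %0x", result);
#endif
		cryptmod_reply_eio(q, mp);
		return (NULL);
	}

	/*
	 * Manually update the IV, KEF does not track this for us.
	 */
	if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
		bcopy(nextiv, tmi->dec_data.block, tmi->dec_data.ivlen);
	}

	/* Verify the checksum (if necessary) */
	if (hash->hash_len > 0) {
		int have_cksum;

		if (is3des) {
			/* received HMAC sits after the decrypted data */
			bcopy(mp->b_rptr + inlen - hash->hash_len, cksum,
			    hash->hash_len);
			have_cksum = 1;
		} else {
			bcopy(optr + hash->confound_len, cksum, hash->hash_len);

			/* zero the cksum slot, as it was when hashed */
			ASSERT(optr + hash->confound_len + hash->hash_len <=
			    DB_LIM(mp));
			bzero(optr + hash->confound_len, hash->hash_len);

			/*
			 * Recompute over confounder + zeroed slot + data +
			 * pad.  A missing or failing hash function means
			 * there is nothing valid to compare against, so it
			 * counts as a verification failure rather than a
			 * comparison against an uninitialized newcksum.
			 */
			have_cksum = (hash->hashfunc != NULL &&
			    hash->hashfunc(newcksum, optr, inlen) ==
			    CRYPTO_SUCCESS);
		}

		if (!have_cksum ||
		    bcmp(cksum, newcksum, hash->hash_len) != 0) {
#ifdef DEBUG
			cmn_err(CE_WARN, "des_cbc_decrypt: checksum "
			    "verification failed");
#endif
			cryptmod_reply_eio(q, mp);
			return (NULL);
		}
	}

	datalen = inlen - hash->confound_len - hash->hash_len;

	/* Move just the decrypted input into place if necessary */
	if (hash->confound_len > 0 || hash->hash_len > 0) {
		if (is3des)
			mp->b_rptr += hash->confound_len;
		else
			mp->b_rptr += hash->confound_len + hash->hash_len;
	}

	ASSERT(mp->b_rptr + datalen <= DB_LIM(mp));
	mp->b_wptr = mp->b_rptr + datalen;

	return (mp);
}

/*
 * do_decrypt
 *
 * Dispatch one complete ciphertext message (a single mblk) to the
 * decrypt routine for tmi->dec_data.method.  Returns the plaintext
 * mblk, or NULL when the routine failed (it has then already sent an
 * M_ERROR upstream and consumed mp).
 */
static mblk_t *
do_decrypt(queue_t *q, mblk_t *mp)
{
	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
	mblk_t *outmp;

	switch (tmi->dec_data.method) {
	case CRYPT_METHOD_NONE:
		outmp = mp;
		break;
	case CRYPT_METHOD_DES_CFB:
		outmp = des_cfb_decrypt(q, tmi, mp);
		break;
	case CRYPT_METHOD_DES_CBC_NULL:
		outmp = des_cbc_decrypt(q, tmi, mp, &null_hash);
		break;
	case CRYPT_METHOD_DES_CBC_MD5:
		outmp = des_cbc_decrypt(q, tmi, mp, &md5_hash);
		break;
	case CRYPT_METHOD_DES_CBC_CRC:
		outmp = des_cbc_decrypt(q, tmi, mp, &crc32_hash);
		break;
	case CRYPT_METHOD_DES3_CBC_SHA1:
		outmp = des_cbc_decrypt(q, tmi, mp, &sha1_hash);
		break;
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
		outmp = arcfour_hmac_md5_decrypt(q, tmi, mp, &md5_hash);
		break;
	case CRYPT_METHOD_AES128:
	case CRYPT_METHOD_AES256:
		outmp = aes_decrypt(q, tmi, mp, &sha1_hash);
		break;
	default:
		/*
		 * setup_crypto() rejects unknown methods (CR_METHOD_OK),
		 * so this should be unreachable; fail closed instead of
		 * returning an uninitialized pointer.
		 */
		cryptmod_reply_eio(q, mp);
		outmp = NULL;
		break;
	}
	return (outmp);
}

/*
 * do_encrypt
 *
 * Generic encryption routine for a single message block.
 * The input mblk may be replaced by some encrypt routines
 * because they add extra data in some cases that may exceed
 * the input mblk_t size limit.  Returns the ciphertext mblk, or NULL
 * when the routine failed (it has then sent an M_ERROR upstream and
 * consumed mp).  Never passes plaintext through for an unknown method.
 */
static mblk_t *
do_encrypt(queue_t *q, mblk_t *mp)
{
	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
	mblk_t *outmp;

	switch (tmi->enc_data.method) {
	case CRYPT_METHOD_NONE:
		outmp = mp;
		break;
	case CRYPT_METHOD_DES_CFB:
		outmp = des_cfb_encrypt(q, tmi, mp);
		break;
	case CRYPT_METHOD_DES_CBC_NULL:
		outmp = des_cbc_encrypt(q, tmi, mp, &null_hash);
		break;
	case CRYPT_METHOD_DES_CBC_MD5:
		outmp = des_cbc_encrypt(q, tmi, mp, &md5_hash);
		break;
	case CRYPT_METHOD_DES_CBC_CRC:
		outmp = des_cbc_encrypt(q, tmi, mp, &crc32_hash);
		break;
	case CRYPT_METHOD_DES3_CBC_SHA1:
		outmp = des_cbc_encrypt(q, tmi, mp, &sha1_hash);
		break;
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
		outmp = arcfour_hmac_md5_encrypt(q, tmi, mp, &md5_hash);
		break;
	case CRYPT_METHOD_AES128:
	case CRYPT_METHOD_AES256:
		outmp = aes_encrypt(q, tmi, mp, &sha1_hash);
		break;
	default:
		/* Unreachable after CR_METHOD_OK; fail closed, see do_decrypt */
		cryptmod_reply_eio(q, mp);
		outmp = NULL;
		break;
	}
	return (outmp);
}

/*
 * setup_crypto
 *
 * This takes the data from the CRYPTIOCSETUP ioctl
 * and sets up a cipher_data_t structure for either
 * encryption or decryption.  This is where the
 * key and initialization vector data get stored
 * prior to beginning any crypto functions.
 *
 * Special note:
 * Some applications(e.g. telnetd) have ability to switch
 * crypto on/off periodically.  Thus, the application may call
 * the CRYPTIOCSETUP ioctl many times for the same stream.
 * If the CRYPTIOCSETUP is called with 0 length key or ivec fields
 * assume that the key, block, and saveblock fields that are already
 * set from a previous CRYPTIOCSETUP call are still valid.  This helps avoid
 * a rekeying error that could occur if we overwrite these fields
 * with each CRYPTIOCSETUP call.
 * In short, sometimes, CRYPTIOCSETUP is used to simply toggle on/off
 * without resetting the original crypto parameters.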
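 *
 * Arguments:
 *   ci      - the cr_info_t copied in from the CRYPTIOCSETUP ioctl
 *             (crypto_method, option_mask, ivec_usage, key/keylen,
 *             ivec/iveclen).  Validated with CR_METHOD_OK,
 *             CR_OPTIONS_OK and CR_IVUSAGE_OK before cd is touched.
 *   cd      - the cipher_data_t being (re)configured: tmi->enc_data
 *             or tmi->dec_data.
 *   encrypt - non-zero when configuring the encrypt direction; only
 *             selects which key-derivation "usage" constant is used.
 *
 * Returns 0 on success, EINVAL for rejected parameters, ENOMEM when a
 * required buffer is missing afterwards, and CRYPTO_FAILED when the
 * kernel crypto framework refuses the mechanism, the derived keys or a
 * context template.  NOTE(review): CRYPTO_FAILED is not an errno, yet
 * cryptmodwput() hands this value straight to miocnak(); userland sees
 * an odd error code in that case.
 *
 * NOTE(review): ci->keylen and ci->iveclen come straight from the ioctl
 * and are only checked for > 0 (and ivlen <= blocklen).  Nothing here
 * bounds them against the size of ci->key / ci->ivec in cr_info_t
 * (declared in sys/cryptmod.h, not visible here); confirm those are
 * fixed arrays at least as large as any accepted length, or add bounds.
 *
 * NOTE(review): a 0-length iveclen is documented above as "keep the old
 * ivec", but the ivec block below frees cd->ivec and zeroes cd->ivlen
 * whenever iveclen differs from the current ivlen, including 0.  Under
 * IVEC_REUSE, des_cbc_encrypt/des_cbc_decrypt then bcopy() from a NULL
 * ivec.  Confirm no caller toggles with iveclen 0 under IVEC_REUSE.
 */
static int
setup_crypto(struct cr_info_t *ci, struct cipher_data_t *cd, int encrypt)
{
	uint_t newblocklen;
	uint32_t enc_usage = 0, dec_usage = 0;
	int rv;

	/*
	 * Initial sanity checks
	 */
	if (!CR_METHOD_OK(ci->crypto_method)) {
		cmn_err(CE_WARN, "Illegal crypto method (%d)",
		    ci->crypto_method);
		return (EINVAL);
	}
	if (!CR_OPTIONS_OK(ci->option_mask)) {
		cmn_err(CE_WARN, "Illegal crypto options (%d)",
		    ci->option_mask);
		return (EINVAL);
	}
	if (!CR_IVUSAGE_OK(ci->ivec_usage)) {
		cmn_err(CE_WARN, "Illegal ivec usage value (%d)",
		    ci->ivec_usage);
		return (EINVAL);
	}

	cd->method = ci->crypto_method;
	cd->bytes = 0;

	/*
	 * A zero keylen means "keep the key from the previous
	 * CRYPTIOCSETUP" (see the header comment).
	 */
	if (ci->keylen > 0) {
		if (cd->key != NULL) {
			/*
			 * Scrub the old raw key before releasing it so the
			 * bytes do not linger in the free pool; the derived
			 * keys below already get this treatment.
			 */
			bzero(cd->key, cd->keylen);
			kmem_free(cd->key, cd->keylen);
			cd->key = NULL;
			cd->keylen = 0;
		}
		/*
		 * cd->key holds the copy of the raw key bytes passed in
		 * from the userland app.
		 */
		cd->key = (char *)kmem_alloc((size_t)ci->keylen, KM_SLEEP);
		cd->keylen = ci->keylen;
		bcopy(ci->key, cd->key, (size_t)ci->keylen);
	}

	/*
	 * Configure the block size and KEF mechanism based on the cipher.
	 */
	switch (cd->method) {
	case CRYPT_METHOD_NONE:
		newblocklen = 0;
		break;
	case CRYPT_METHOD_DES_CFB:
		newblocklen = DEFAULT_DES_BLOCKLEN;
		cd->mech_type = crypto_mech2id(SUN_CKM_DES_ECB);
		break;
	case CRYPT_METHOD_DES_CBC_NULL:
	case CRYPT_METHOD_DES_CBC_MD5:
	case CRYPT_METHOD_DES_CBC_CRC:
		newblocklen = DEFAULT_DES_BLOCKLEN;
		cd->mech_type = crypto_mech2id(SUN_CKM_DES_CBC);
		break;
	case CRYPT_METHOD_DES3_CBC_SHA1:
		newblocklen = DEFAULT_DES_BLOCKLEN;
		cd->mech_type = crypto_mech2id(SUN_CKM_DES3_CBC);
		/* 3DES always uses the old usage constant */
		enc_usage = RCMDV1_USAGE;
		dec_usage = RCMDV1_USAGE;
		break;
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
	case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
		newblocklen = 0;
		cd->mech_type = crypto_mech2id(SUN_CKM_RC4);
		break;
	case CRYPT_METHOD_AES128:
	case CRYPT_METHOD_AES256:
		newblocklen = DEFAULT_AES_BLOCKLEN;
		cd->mech_type = crypto_mech2id(SUN_CKM_AES_ECB);
		enc_usage = AES_ENCRYPT_USAGE;
		dec_usage = AES_DECRYPT_USAGE;
		break;
	default:
		/*
		 * CR_METHOD_OK should have rejected anything else; do not
		 * continue with newblocklen uninitialized.
		 */
		cmn_err(CE_WARN, "setup_crypto: unhandled crypto method (%d)",
		    cd->method);
		return (EINVAL);
	}
	if (cd->mech_type == CRYPTO_MECH_INVALID) {
		return (CRYPTO_FAILED);
	}

	/*
	 * If RC4, initialize the master crypto key used by
	 * the RC4 algorithm to derive the final encrypt and decrypt keys.
	 */
	if (cd->keylen > 0 && IS_RC4_METHOD(cd->method)) {
		/*
		 * cd->ckey is a kernel crypto key structure used as the
		 * master key in the RC4-HMAC crypto operations.  It
		 * points at cd->key rather than owning a copy.
		 */
		if (cd->ckey == NULL) {
			cd->ckey = (crypto_key_t *)kmem_zalloc(
			    sizeof (crypto_key_t), KM_SLEEP);
		}

		cd->ckey->ck_format = CRYPTO_KEY_RAW;
		cd->ckey->ck_data = cd->key;

		/* key length for EF is measured in bits */
		cd->ckey->ck_length = cd->keylen * 8;
	}

	/*
	 * cd->block and cd->saveblock are used as temporary storage for
	 * data that must be carried over between encrypt/decrypt operations
	 * in some of the "feedback" modes.  cd->block doubles as the
	 * running IV for the CBC modes.
	 */
	if (newblocklen != cd->blocklen) {
		if (cd->block != NULL) {
			kmem_free(cd->block, cd->blocklen);
			cd->block = NULL;
		}

		if (cd->saveblock != NULL) {
			kmem_free(cd->saveblock, cd->blocklen);
			cd->saveblock = NULL;
		}

		cd->blocklen = newblocklen;
		if (cd->blocklen) {
			cd->block = (char *)kmem_zalloc((size_t)cd->blocklen,
			    KM_SLEEP);
		}
	}

	/*
	 * saveblock is only needed by DES-CFB.  Decide this independently
	 * of whether blocklen changed: switching from a CBC method to
	 * DES-CFB keeps blocklen at 8, and the old code then left
	 * saveblock NULL, tripping the "save block not allocated" check
	 * at the end of this function.  A DES-CFB -> DES-CFB re-setup
	 * keeps the existing saveblock (and its carried state).
	 */
	if (cd->method == CRYPT_METHOD_DES_CFB) {
		if (cd->saveblock == NULL && cd->blocklen > 0) {
			cd->saveblock = (char *)kmem_zalloc(
			    (size_t)cd->blocklen, KM_SLEEP);
		}
	} else if (cd->saveblock != NULL) {
		kmem_free(cd->saveblock, cd->blocklen);
		cd->saveblock = NULL;
	}

	/* (Re)allocate the saved original IV when its length changes. */
	if (ci->iveclen != cd->ivlen) {
		if (cd->ivec != NULL) {
			kmem_free(cd->ivec, cd->ivlen);
			cd->ivec = NULL;
		}
		if (ci->ivec_usage != IVEC_NEVER && ci->iveclen > 0) {
			cd->ivec = (char *)kmem_zalloc((size_t)ci->iveclen,
			    KM_SLEEP);
			cd->ivlen = ci->iveclen;
		} else {
			cd->ivlen = 0;
			cd->ivec = NULL;
		}
	}
	cd->option_mask = ci->option_mask;

	/*
	 * Old protocol requires a static 'usage' value for
	 * deriving keys. Yuk.
	 */
	if (cd->option_mask & CRYPTOPT_RCMD_MODE_V1) {
		enc_usage = dec_usage = RCMDV1_USAGE;
	}

	/* cd->block is blocklen bytes; the IV is copied into it below. */
	if (cd->ivlen > cd->blocklen) {
		cmn_err(CE_WARN, "setup_crypto: IV longer than block size");
		return (EINVAL);
	}

	/*
	 * If we are using an IVEC "correctly" (i.e. set it once)
	 * seed the running IV here.
	 */
	if (ci->ivec_usage == IVEC_ONETIME && cd->block != NULL)
		bcopy(ci->ivec, cd->block, (size_t)cd->ivlen);

	cd->ivec_usage = ci->ivec_usage;
	if (cd->ivec != NULL) {
		/* Save the original IVEC in case we need it later */
		bcopy(ci->ivec, cd->ivec, (size_t)cd->ivlen);
	}

	/*
	 * Special handling for 3DES-SHA1-HMAC and AES crypto:
	 * generate derived keys and context templates
	 * for better performance.
	 */
	if (cd->method == CRYPT_METHOD_DES3_CBC_SHA1 ||
	    IS_AES_METHOD(cd->method)) {
		crypto_mechanism_t enc_mech;
		crypto_mechanism_t hmac_mech;

		/*
		 * Release any previous derived keys and templates, and
		 * clear the pointers: if create_derived_keys() or the
		 * template creation below fails we return early, and a
		 * later CRYPTIOCSETUP (or close) must not free them again.
		 *
		 * NOTE(review): the free sizes assume create_derived_keys()
		 * sized ck_data to cd->keylen and that keylen has not
		 * changed since; a re-setup that changes the key length
		 * would free with the wrong size.  Confirm against
		 * create_derived_keys().
		 */
		if (cd->d_encr_key.ck_data != NULL) {
			bzero(cd->d_encr_key.ck_data, cd->keylen);
			kmem_free(cd->d_encr_key.ck_data, cd->keylen);
			cd->d_encr_key.ck_data = NULL;
		}

		if (cd->d_hmac_key.ck_data != NULL) {
			bzero(cd->d_hmac_key.ck_data, cd->keylen);
			kmem_free(cd->d_hmac_key.ck_data, cd->keylen);
			cd->d_hmac_key.ck_data = NULL;
		}

		if (cd->enc_tmpl != NULL) {
			(void) crypto_destroy_ctx_template(cd->enc_tmpl);
			cd->enc_tmpl = NULL;
		}

		if (cd->hmac_tmpl != NULL) {
			(void) crypto_destroy_ctx_template(cd->hmac_tmpl);
			cd->hmac_tmpl = NULL;
		}

		enc_mech.cm_type = cd->mech_type;
		enc_mech.cm_param = cd->ivec;
		enc_mech.cm_param_len = cd->ivlen;

		hmac_mech.cm_type = sha1_hmac_mech;
		hmac_mech.cm_param = NULL;
		hmac_mech.cm_param_len = 0;

		/*
		 * Create the derived keys.
		 */
		rv = create_derived_keys(cd,
		    (encrypt ? enc_usage : dec_usage),
		    &cd->d_encr_key, &cd->d_hmac_key);

		if (rv != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "failed to create derived "
			    "keys: %0x", rv);
			return (CRYPTO_FAILED);
		}

		/* Templates are an optimization; providers may lack them. */
		rv = crypto_create_ctx_template(&enc_mech,
		    &cd->d_encr_key,
		    &cd->enc_tmpl, KM_SLEEP);
		if (rv == CRYPTO_MECH_NOT_SUPPORTED) {
			cd->enc_tmpl = NULL;
		} else if (rv != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "failed to create enc template "
			    "for d_encr_key: %0x", rv);
			return (CRYPTO_FAILED);
		}

		rv = crypto_create_ctx_template(&hmac_mech,
		    &cd->d_hmac_key,
		    &cd->hmac_tmpl, KM_SLEEP);
		if (rv == CRYPTO_MECH_NOT_SUPPORTED) {
			cd->hmac_tmpl = NULL;
		} else if (rv != CRYPTO_SUCCESS) {
			cmn_err(CE_WARN, "failed to create hmac template:"
			    " %0x", rv);
			return (CRYPTO_FAILED);
		}
	} else if (IS_RC4_METHOD(cd->method)) {
		/* RC4 derives per-direction keys lazily; start clean. */
		bzero(&cd->d_encr_key, sizeof (crypto_key_t));
		bzero(&cd->d_hmac_key, sizeof (crypto_key_t));
		cd->ctx = NULL;
		cd->enc_tmpl = NULL;
		cd->hmac_tmpl = NULL;
	}

	/* Final sanity checks, make sure no fields are NULL */
	if (cd->method != CRYPT_METHOD_NONE) {
		if (cd->block == NULL && cd->blocklen > 0) {
#ifdef DEBUG
			cmn_err(CE_WARN,
			    "setup_crypto: IV block not allocated");
#endif
			return (ENOMEM);
		}
		if (cd->key == NULL && cd->keylen > 0) {
#ifdef DEBUG
			cmn_err(CE_WARN,
			    "setup_crypto: key block not allocated");
#endif
			return (ENOMEM);
		}
		if (cd->method == CRYPT_METHOD_DES_CFB &&
		    cd->saveblock == NULL && cd->blocklen > 0) {
#ifdef DEBUG
			cmn_err(CE_WARN,
			    "setup_crypto: save block not allocated");
#endif
			return (ENOMEM);
		}
		if (cd->ivec == NULL && cd->ivlen > 0) {
#ifdef DEBUG
			cmn_err(CE_WARN,
			    "setup_crypto: IV not allocated");
#endif
			return (ENOMEM);
		}
	}
	return (0);
}
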
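/*
 * mklenmp
 *
 * RCMDS require a 4 byte, clear text length field before each message.
 * Prepend 'len' (big-endian) to bp: in bp's own headroom when bp has
 * 4 spare bytes and is not shared, otherwise in a fresh 4-byte mblk
 * linked in front (writing into a dblk with DB_REF > 1 would corrupt
 * the other reference).
 *
 * Returns the (possibly new) head of the message, or NULL if the extra
 * mblk could not be allocated; in that case bp is untouched and still
 * owned by the caller.  The old code fell through on allocation failure
 * and wrote the 4 bytes in front of b_rptr anyway, i.e. before DB_BASE
 * or into a shared buffer.
 */
static mblk_t *
mklenmp(mblk_t *bp, uint32_t len)
{
	uchar_t *ucp;

	if (bp->b_rptr - 4 < DB_BASE(bp) || DB_REF(bp) > 1) {
		mblk_t *lenmp = allocb(4, BPRI_MED);

		if (lenmp == NULL)
			return (NULL);

		lenmp->b_rptr = lenmp->b_wptr = DB_LIM(lenmp);
		linkb(lenmp, bp);
		bp = lenmp;
	}

	/* length goes immediately before the current data, MSB first */
	ucp = bp->b_rptr;
	*--ucp = (uchar_t)(len & 0xff);
	*--ucp = (uchar_t)((len >> 8) & 0xff);
	*--ucp = (uchar_t)((len >> 16) & 0xff);
	*--ucp = (uchar_t)((len >> 24) & 0xff);
	bp->b_rptr = ucp;

	return (bp);
}

/*
 * encrypt_block
 *
 * Encrypt the 'plainlen' bytes at mp->b_rptr as one message: make sure
 * the mblk has room for the cipher's header/trailer (reallocating or
 * sliding the data if not), prepend the RCMD V2 plaintext length when
 * that mode is on, run do_encrypt(), and finally prepend the clear-text
 * RCMD length word via mklenmp() in either RCMD mode.
 *
 * mp is always consumed.  Returns the ciphertext message, or NULL on
 * failure (allocation failure here, or the cipher routine having sent
 * an M_ERROR upstream).
 */
static mblk_t *
encrypt_block(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, size_t plainlen)
{
	mblk_t *newmp;
	mblk_t *cbp;
	size_t headspace;
	size_t cipherlen;
	size_t extra = 0;
	uint32_t ptlen = (uint32_t)plainlen;

	/*
	 * If we are using the "NEW" RCMD mode,
	 * add 4 bytes to the plaintext for the
	 * plaintext length that gets prepended
	 * before encrypting.
	 */
	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
		ptlen += 4;

	cipherlen = encrypt_size(&tmi->enc_data, (size_t)ptlen);

	/*
	 * if we must allocb, then make sure its enough
	 * to hold the length field so we dont have to allocb
	 * again down below in 'mklenmp'
	 */
	if (ANY_RCMD_MODE(tmi->enc_data.option_mask)) {
		extra = sizeof (uint32_t);
	}

	/*
	 * Calculate how much space is needed in front of
	 * the data.
	 */
	headspace = plaintext_offset(&tmi->enc_data);

	/*
	 * If the current block is too small (or shared), reallocate
	 * one large enough to hold the hdr, tail, and ciphertext.
	 */
	if ((cipherlen + extra >= MBLKSIZE(mp)) || DB_REF(mp) > 1) {
		size_t sz = P2ROUNDUP(cipherlen + extra, 8);

		cbp = allocb_tmpl(sz, mp);
		if (cbp == NULL) {
			cmn_err(CE_WARN,
			    "allocb (%d bytes) failed", (int)sz);
			/* mp is ours to consume; do not leak it */
			freemsg(mp);
			return (NULL);
		}

		cbp->b_cont = mp->b_cont;

		/*
		 * headspace includes the length fields needed
		 * for the RCMD modes (v1 == 4 bytes, V2 = 8)
		 */
		ASSERT(cbp->b_rptr + P2ROUNDUP(plainlen + headspace, 8)
		    <= DB_LIM(cbp));

		cbp->b_rptr = DB_BASE(cbp) + headspace;
		bcopy(mp->b_rptr, cbp->b_rptr, plainlen);
		cbp->b_wptr = cbp->b_rptr + plainlen;

		freeb(mp);
	} else {
		size_t tail = 0;

		cbp = mp;

		/*
		 * Some ciphers add HMAC after the final block
		 * of the ciphertext, not at the beginning like the
		 * 1-DES ciphers.
		 */
		if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1 ||
		    IS_AES_METHOD(tmi->enc_data.method)) {
			tail = sha1_hash.hash_len;
		}

		/*
		 * Make sure the rptr is positioned correctly so that
		 * routines later do not have to shift this data around
		 */
		if ((cbp->b_rptr + P2ROUNDUP(cipherlen + tail, 8) >
		    DB_LIM(cbp)) ||
		    (cbp->b_rptr - headspace < DB_BASE(cbp))) {
			ovbcopy(cbp->b_rptr, DB_BASE(cbp) + headspace,
			    plainlen);
			cbp->b_rptr = DB_BASE(cbp) + headspace;
			cbp->b_wptr = cbp->b_rptr + plainlen;
		}
	}

	ASSERT(cbp->b_rptr - headspace >= DB_BASE(cbp));
	ASSERT(cbp->b_wptr <= DB_LIM(cbp));

	/*
	 * If using RCMD_MODE_V2 (new rcmd mode), prepend
	 * the plaintext length before the actual plaintext so the
	 * receiver can cross-check it after decryption.
	 */
	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2) {
		cbp->b_rptr -= RCMD_LEN_SZ;

		/* put plaintext length at head of buffer, MSB first */
		*(cbp->b_rptr + 3) = (uchar_t)(plainlen & 0xff);
		*(cbp->b_rptr + 2) = (uchar_t)((plainlen >> 8) & 0xff);
		*(cbp->b_rptr + 1) = (uchar_t)((plainlen >> 16) & 0xff);
		*(cbp->b_rptr) = (uchar_t)((plainlen >> 24) & 0xff);
	}

	newmp = do_encrypt(q, cbp);

	if (newmp != NULL &&
	    (tmi->enc_data.option_mask &
	    (CRYPTOPT_RCMD_MODE_V1 | CRYPTOPT_RCMD_MODE_V2))) {
		mblk_t *lp;

		/*
		 * Add length field, required when this is
		 * used to encrypt "r*" commands(rlogin, rsh)
		 * with Kerberos.
		 */
		lp = mklenmp(newmp, plainlen);
		if (lp == NULL) {
			/* mklenmp left newmp unlinked; free the whole chain */
			freemsg(newmp);
			return (NULL);
		}
		newmp = lp;
	}
	return (newmp);
}

/*
 * encrypt_msgb
 *
 * encrypt a single message. This routine adds the
 * RCMD overhead bytes when necessary.
 *
 * Only the first mblk of mp is looked at; callers hand over single
 * mblks.  mp is always consumed: it is either returned (method NONE),
 * handed to encrypt_block(), or freed on the early-exit paths (the old
 * code leaked it on zero-length input, on chunk allocation failure and
 * when the length was an exact multiple of MSGBUF_SIZE).
 *
 * Returns the ciphertext for the last (or only) piece, already having
 * putnext()ed any preceding MSGBUF_SIZE chunks; NULL when there is
 * nothing left to return or a piece failed.
 */
static mblk_t *
encrypt_msgb(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
{
	size_t plainlen;

	/* If not encrypting, do nothing */
	if (tmi->enc_data.method == CRYPT_METHOD_NONE)
		return (mp);

	plainlen = MBLKL(mp);
	if (plainlen == 0) {
		freemsg(mp);
		return (NULL);
	}

	/*
	 * If the block is too big, we encrypt in 4K chunks so that
	 * older rlogin clients do not choke on the larger buffers.
	 */
	while ((plainlen = MBLKL(mp)) > MSGBUF_SIZE) {
		mblk_t *chunk, *encmp;
		size_t outlen = MSGBUF_SIZE;

		/*
		 * Allocate a new buffer that is only 4K bytes, the
		 * extra bytes are for crypto overhead.
		 */
		chunk = allocb(outlen + CONFOUNDER_BYTES, BPRI_MED);
		if (chunk == NULL) {
			cmn_err(CE_WARN,
			    "allocb (%d bytes) failed",
			    (int)(outlen + CONFOUNDER_BYTES));
			freemsg(mp);
			return (NULL);
		}
		/* Copy the next 4K bytes from the old block. */
		bcopy(mp->b_rptr, chunk->b_rptr, outlen);
		chunk->b_wptr = chunk->b_rptr + outlen;
		/* Advance the old block. */
		mp->b_rptr += outlen;

		/* encrypt the new block; encrypt_block consumes chunk */
		encmp = encrypt_block(q, tmi, chunk, outlen);
		if (encmp == NULL) {
			freemsg(mp);
			return (NULL);
		}

		putnext(q, encmp);
	}

	/* If there is data left (< MSGBUF_SIZE), encrypt it. */
	if (plainlen == 0) {
		freemsg(mp);
		return (NULL);
	}
	return (encrypt_block(q, tmi, mp, plainlen));
}

/*
 * cryptmodwsrv
 *
 * Service routine for the write queue.
 *
 * Because data may be placed in the queue to hold between
 * the CRYPTIOCSTOP and CRYPTIOCSTART ioctls, the service routine is needed.
 * Anything queued is held back while downstream is flow-controlled or
 * the write side is not CRYPT_WRITE_READY; M_DATA is pulled up into
 * one mblk where possible and encrypted, everything else is forwarded.
 */
static int
cryptmodwsrv(queue_t *q)
{
	mblk_t *mp;
	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;

	while ((mp = getq(q)) != NULL) {
		int ready = canputnext(q) &&
		    (tmi->ready & CRYPT_WRITE_READY);

		if (!ready) {
			/* Flow-controlled or stopped: keep it queued. */
			if (!putbq(q, mp))
				freemsg(mp);
			return (0);
		}

		if (mp->b_datap->db_type != M_DATA) {
			/* wput does not queue anything > QPCTL */
			putnext(q, mp);
			continue;
		}

		/*
		 * If multiple msgs, concat into 1
		 * to minimize crypto operations later.
		 */
		if (mp->b_cont != NULL) {
			mblk_t *bp = msgpullup(mp, -1);

			if (bp != NULL) {
				freemsg(mp);
				mp = bp;
			}
		}

		/*
		 * encrypt_msgb()/encrypt_block() only ever encrypt the
		 * first mblk of what they are handed.  If msgpullup()
		 * failed above, mp is still a chain and, as far as is
		 * visible here, the b_cont plaintext would have travelled
		 * downstream unencrypted.  Feed one mblk at a time so
		 * every byte goes through the cipher; each piece becomes
		 * its own message, exactly as the 4K chunking in
		 * encrypt_msgb already does.
		 */
		while (mp != NULL) {
			mblk_t *next = mp->b_cont;
			mblk_t *newmsg;

			mp->b_cont = NULL;
			newmsg = encrypt_msgb(q, tmi, mp);
			if (newmsg != NULL)
				putnext(q, newmsg);
			mp = next;
		}
	}
	return (0);
}

/*
 * start_stream
 *
 * Handle CRYPTIOCSTARTENC / CRYPTIOCSTARTDEC: mark the given direction
 * ready, re-enable the corresponding queue and ack the ioctl.  For the
 * decrypt direction any data the application attached to the ioctl
 * (mp->b_cont) is pushed back onto the read queue so it is decrypted
 * and delivered on the next service pass.
 */
static void
start_stream(queue_t *wq, mblk_t *mp, uchar_t dir)
{
	struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr;

	switch (dir) {
	case CRYPT_ENCRYPT:
		tmi->ready |= CRYPT_WRITE_READY;
		(void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE,
		    "start_stream: restart ENCRYPT/WRITE q"));

		enableok(wq);
		qenable(wq);
		break;
	case CRYPT_DECRYPT: {
		/*
		 * put any extra data in the RD
		 * queue to be processed and
		 * sent back up.
		 */
		mblk_t *pending = mp->b_cont;

		mp->b_cont = NULL;

		tmi->ready |= CRYPT_READ_READY;
		(void) (STRLOG(CRYPTMOD_ID, 0, 5,
		    SL_TRACE|SL_NOTE,
		    "start_stream: restart "
		    "DECRYPT/READ q"));

		if (pending != NULL && !putbq(RD(wq), pending))
			freemsg(pending);

		enableok(RD(wq));
		qenable(RD(wq));
		break;
	}
	default:
		/* unknown direction: nothing to restart, still ack */
		break;
	}

	miocack(wq, mp, 0, 0);
}

/*
 * Write-side put procedure. Its main task is to detect ioctls and
 * FLUSH operations. Other message types are passed on through.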
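 *
 * M_DATA is passed straight through only when nothing is queued, the
 * write side is ready and no cipher is configured; otherwise it goes to
 * the service queue (cryptmodwsrv) where encryption happens.  The
 * module's own ioctls are handled here:
 *   CRYPTIOCSETUP    - (re)configure enc_data/dec_data via setup_crypto
 *   CRYPTIOCSTOP     - stop one or both directions
 *   CRYPTIOCSTARTENC/CRYPTIOCSTARTDEC - restart a direction
 * All other ioctls and high-priority messages are forwarded.
 *
 * NOTE(review): nothing in this routine checks the caller's privilege;
 * whoever can push this module and issue ioctls controls the keys.  If
 * cryptmodopen() does not already gate this with a policy check
 * (sys/policy.h is included but open is outside this view), it should.
 */
static void
cryptmodwput(queue_t *wq, mblk_t *mp)
{
	struct iocblk *iocp;
	struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr;
	int ret, err;

	switch (mp->b_datap->db_type) {
	case M_DATA:
		if (wq->q_first == NULL && canputnext(wq) &&
		    (tmi->ready & CRYPT_WRITE_READY) &&
		    tmi->enc_data.method == CRYPT_METHOD_NONE) {
			putnext(wq, mp);
			return;
		}
		/* else, put it in the service queue */
		if (!putq(wq, mp)) {
			freemsg(mp);
		}
		break;
	case M_FLUSH:
		if (*mp->b_rptr & FLUSHW) {
			flushq(wq, FLUSHDATA);
		}
		putnext(wq, mp);
		break;
	case M_IOCTL:
		iocp = (struct iocblk *)mp->b_rptr;
		switch (iocp->ioc_cmd) {
		case CRYPTIOCSETUP:
			ret = 0;
			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
			    SL_TRACE | SL_NOTE,
			    "wput: got CRYPTIOCSETUP "
			    "ioctl(%d)", iocp->ioc_cmd));

			if ((err = miocpullup(mp,
			    sizeof (struct cr_info_t))) != 0) {
				cmn_err(CE_WARN,
				    "wput: miocpullup failed for cr_info_t");
				miocnak(wq, mp, 0, err);
				break;
			} else {
				struct cr_info_t *ci;
				ci = (struct cr_info_t *)mp->b_cont->b_rptr;

				/*
				 * Validate the direction the same way
				 * CRYPTIOCSTOP does below; previously a
				 * mask with neither bit set was silently
				 * acked without configuring anything.
				 */
				if (!CR_DIRECTION_OK(ci->direction_mask)) {
					miocnak(wq, mp, 0, EINVAL);
					break;
				}

				if (ci->direction_mask & CRYPT_ENCRYPT) {
					ret = setup_crypto(ci, &tmi->enc_data, 1);
				}

				if (ret == 0 &&
				    (ci->direction_mask & CRYPT_DECRYPT)) {
					ret = setup_crypto(ci, &tmi->dec_data, 0);
				}
				if (ret == 0 &&
				    (ci->direction_mask & CRYPT_DECRYPT) &&
				    ANY_RCMD_MODE(tmi->dec_data.option_mask)) {
					/*
					 * Restart RCMD message reassembly.
					 * c_msg may hold a partially
					 * collected ciphertext message
					 * (see decrypt_rcmd_mblks); release
					 * it rather than just zeroing the
					 * pointer.  Like the bzero that was
					 * already here, this assumes the
					 * read side is not mid-way through
					 * using it.
					 */
					if (tmi->rcmd_state.c_msg != NULL)
						freemsg(tmi->rcmd_state.c_msg);
					bzero(&tmi->rcmd_state,
					    sizeof (tmi->rcmd_state));
				}
				if (ret == 0) {
					miocack(wq, mp, 0, 0);
				} else {
					cmn_err(CE_WARN,
					    "wput: setup_crypto failed");
					miocnak(wq, mp, 0, ret);
				}
				(void) (STRLOG(CRYPTMOD_ID, 0, 5,
				    SL_TRACE|SL_NOTE,
				    "wput: done with SETUP "
				    "ioctl"));
			}
			break;
		case CRYPTIOCSTOP:
			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
			    SL_TRACE|SL_NOTE,
			    "wput: got CRYPTIOCSTOP "
			    "ioctl(%d)", iocp->ioc_cmd));

			if ((err = miocpullup(mp, sizeof (uint32_t))) != 0) {
				cmn_err(CE_WARN,
				    "wput: CRYPTIOCSTOP ioctl wrong "
				    "size (%d should be %d)",
				    (int)iocp->ioc_count,
				    (int)sizeof (uint32_t));
				miocnak(wq, mp, 0, err);
			} else {
				uint32_t *stopdir;

				stopdir = (uint32_t *)mp->b_cont->b_rptr;
				if (!CR_DIRECTION_OK(*stopdir)) {
					miocnak(wq, mp, 0, EINVAL);
					return;
				}

				/* disable the queues until further notice */
				if (*stopdir & CRYPT_ENCRYPT) {
					noenable(wq);
					tmi->ready &= ~CRYPT_WRITE_READY;
				}
				if (*stopdir & CRYPT_DECRYPT) {
					noenable(RD(wq));
					tmi->ready &= ~CRYPT_READ_READY;
				}

				miocack(wq, mp, 0, 0);
			}
			break;
		case CRYPTIOCSTARTDEC:
			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
			    SL_TRACE|SL_NOTE,
			    "wput: got CRYPTIOCSTARTDEC "
			    "ioctl(%d)", iocp->ioc_cmd));

			start_stream(wq, mp, CRYPT_DECRYPT);
			break;
		case CRYPTIOCSTARTENC:
			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
			    SL_TRACE|SL_NOTE,
			    "wput: got CRYPTIOCSTARTENC "
			    "ioctl(%d)", iocp->ioc_cmd));

			start_stream(wq, mp, CRYPT_ENCRYPT);
			break;
		default:
			/* not ours; let a module below answer it */
			putnext(wq, mp);
			break;
		}
		break;
	default:
		/*
		 * Ordinary-priority messages must stay ordered behind
		 * anything already queued; high-priority ones go straight
		 * through.
		 */
		if (queclass(mp) < QPCTL) {
			if (wq->q_first != NULL || !canputnext(wq)) {
				if (!putq(wq, mp))
					freemsg(mp);
				return;
			}
		}
		putnext(wq, mp);
		break;
	}
}

/*
 * decrypt_rcmd_mblks
 *
 * Because kerberized r* commands(rsh, rlogin, etc)
 * use a 4 byte length field to indicate the # of
 * PLAINTEXT bytes that are encrypted in the field
 * that follows, we must parse out each message and
 * break out the length fields prior to sending them
 * upstream to our Solaris r* clients/servers which do
 * NOT understand this format.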
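 *
 * Kerberized/encrypted message format:
 * -------------------------------
 * | XXXX | N bytes of ciphertext|
 * -------------------------------
 *
 * Where: XXXX = number of plaintext bytes that were encrypted to
 *        make the ciphertext field (4 bytes, network byte order).
 *        This is done because we are using a cipher that pads out
 *        to an 8 byte boundary.  We only want the application layer
 *        to see the correct number of plain text bytes, not
 *        plaintext + pad.  So, after we decrypt, we must trim the
 *        output block down to the intended plaintext length and
 *        eliminate the pad bytes.
 *
 * SECURITY NOTE: XXXX is read straight off the wire before any
 * decryption happens, so it is peer (or MITM) controlled.  In V1 mode
 * nothing else verifies it; in V2 mode the sender also encrypts a copy
 * of the length which is cross-checked after decryption.  Every use of
 * pt_len below (allocation size, the V2 "+4", the final trim) is
 * therefore bounds checked rather than trusted.
 *
 * This routine consumes the incoming message.  It gathers the length
 * field (which may be split across mblks and across calls), then
 * collects exactly that much ciphertext into rcmd_state.c_msg, and once
 * the frame is complete decrypts it and returns the plaintext with the
 * length field(s) and the cipher padding removed.  Any bytes past the
 * end of the current frame are put back on the queue (putbq) for the
 * next service pass.
 *
 * Returns NULL when more data is needed, when the frame's remainder was
 * requeued, or when a protocol error was reported upstream as M_ERROR.
 */
static mblk_t *rcmd_proto_error(queue_t *, struct tmodinfo *, mblk_t *);

static mblk_t *
decrypt_rcmd_mblks(queue_t *q, mblk_t *mp)
{
	mblk_t *newmp = NULL;
	size_t msglen;
	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;

	msglen = msgsize(mp);

	/*
	 * Phase 1: if we are not inside a frame yet (pt_len == 0), gather
	 * the 4 byte length field.  cd_len counts the bytes of it received
	 * so far, so a partial length survives across calls.
	 */
	if (tmi->rcmd_state.pt_len == 0) {
		uint32_t elen;
		size_t tocopy;
		mblk_t *nextp;

		while (mp != NULL) {
			size_t avail = MBLKL(mp);

			ASSERT(tmi->rcmd_state.cd_len < sizeof (uint32_t));

			/*
			 * Copy from this mblk only.  Bounding the copy by the
			 * size of the whole message (as before) could read
			 * past b_wptr of a short first mblk.
			 */
			tocopy = sizeof (uint32_t) - tmi->rcmd_state.cd_len;
			if (tocopy > avail)
				tocopy = avail;

			/*
			 * Byte offset into next_len.  The cast must bind
			 * before the addition: "&next_len + cd_len" steps in
			 * uint32_t units and would scribble over the
			 * neighbouring rcmd_state fields whenever the length
			 * field arrives in pieces.
			 */
			bcopy(mp->b_rptr,
			    (char *)&tmi->rcmd_state.next_len +
			    tmi->rcmd_state.cd_len, tocopy);

			tmi->rcmd_state.cd_len += tocopy;
			mp->b_rptr += tocopy;
			msglen -= tocopy;

			if (tmi->rcmd_state.cd_len >= sizeof (uint32_t)) {
				tmi->rcmd_state.next_len =
				    ntohl(tmi->rcmd_state.next_len);
				break;
			}

			/* This mblk is exhausted; drop it and keep looking. */
			nextp = mp->b_cont;
			mp->b_cont = NULL;
			freeb(mp);
			mp = nextp;
		}

		if (mp == NULL) {
			/* Length field still incomplete; wait for more data. */
			return (NULL);
		}

		tmi->rcmd_state.pt_len = tmi->rcmd_state.next_len;

		/*
		 * A zero (or, if pt_len's declared type is signed, negative)
		 * length cannot be a valid frame.  Return an IO error to
		 * break the connection; there is no way to recover from
		 * this.  Usually it means the app has incorrectly requested
		 * decryption on a non-encrypted stream.
		 */
		if (tmi->rcmd_state.pt_len <= 0)
			return (rcmd_proto_error(q, tmi, mp));

		/*
		 * In V2 mode the ciphertext covers 4 extra bytes: the sender
		 * encrypts a copy of the plaintext length as an additional
		 * check, but does not count it in the cleartext length.
		 * Strange and confusing, but true.
		 */
		if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2) {
			elen = (uint32_t)tmi->rcmd_state.pt_len +
			    sizeof (uint32_t);
			/*
			 * Refuse a peer-supplied length that wraps the 32-bit
			 * addition; otherwise a tiny buffer would be allocated
			 * and the trim below would run far past it.
			 */
			if (elen < (uint32_t)tmi->rcmd_state.pt_len)
				return (rcmd_proto_error(q, tmi, mp));
		} else {
			elen = tmi->rcmd_state.pt_len;
		}

		tmi->rcmd_state.cd_len = encrypt_size(&tmi->dec_data, elen);

		/*
		 * Allocate an mblk to hold the cipher text until it is
		 * all ready to be processed.
		 *
		 * NOTE(review): cd_len derives from an unauthenticated
		 * peer-supplied length, so a hostile peer can request a very
		 * large allocation here.  allocb() failure becomes EIO below;
		 * an explicit upper bound on pt_len would be better, but the
		 * protocol's maximum frame size is not visible in this file —
		 * confirm against the telnet/rlogin callers.
		 */
		tmi->rcmd_state.c_msg = allocb(tmi->rcmd_state.cd_len,
		    BPRI_HI);
		if (tmi->rcmd_state.c_msg == NULL) {
#ifdef DEBUG
			cmn_err(CE_WARN, "decrypt_rcmd_msgb: allocb failed "
			    "for %d bytes",
			    (int)tmi->rcmd_state.cd_len);
#endif
			return (rcmd_proto_error(q, tmi, mp));
		}
	}

	/*
	 * If this entire message was just the length field, free it and
	 * return.  The ciphertext will probably arrive next.
	 */
	if (msglen == 0) {
		freemsg(mp);
		return (NULL);
	}

	/*
	 * Phase 2: append as much ciphertext as we still need (cd_len
	 * minus what is already in c_msg) from the incoming mblks.
	 */
	ASSERT(tmi->rcmd_state.c_msg != NULL);
	if (tmi->rcmd_state.c_msg == NULL) {
		/* Inconsistent framing state; fail closed instead of crashing. */
		return (rcmd_proto_error(q, tmi, mp));
	}

	if (tmi->rcmd_state.cd_len > MBLKL(tmi->rcmd_state.c_msg)) {
		mblk_t *bp = mp;

		while (bp != NULL) {
			mblk_t *nextp;
			size_t avail = MBLKL(bp);
			size_t needed = tmi->rcmd_state.cd_len -
			    MBLKL(tmi->rcmd_state.c_msg);
			size_t tocopy = (needed < avail) ? needed : avail;

			ASSERT(bp->b_rptr + tocopy <= DB_LIM(bp));
			ASSERT(tmi->rcmd_state.c_msg->b_wptr + tocopy <=
			    DB_LIM(tmi->rcmd_state.c_msg));

			/* Append to the end of the collected ciphertext. */
			bcopy(bp->b_rptr, tmi->rcmd_state.c_msg->b_wptr,
			    tocopy);
			tmi->rcmd_state.c_msg->b_wptr += tocopy;
			bp->b_rptr += tocopy;

			nextp = bp->b_cont;

			/* Fully consumed this mblk: release it. */
			if (MBLKL(bp) == 0) {
				freeb(bp);
				bp = NULL;
			}

			if (MBLKL(tmi->rcmd_state.c_msg) ==
			    tmi->rcmd_state.cd_len) {
				/*
				 * Frame complete.  Anything left over belongs
				 * to the next frame; push it back on the queue
				 * so the service routine sees it again.
				 */
				if (bp != NULL) {
					if (!putbq(q, bp))
						freemsg(bp);
				} else if (nextp != NULL) {
					if (!putbq(q, nextp))
						freemsg(nextp);
				}
				break;
			}
			bp = nextp;
		}
	} else {
		/*
		 * Nothing more is needed for this frame, so all of mp
		 * belongs to the next one.  Requeue it rather than leak it.
		 */
		if (!putbq(q, mp))
			freemsg(mp);
	}

	/*
	 * Phase 3: if we received all the cipher text for this frame,
	 * decrypt it into a new msg and send it up to the app.
	 */
	if (tmi->rcmd_state.pt_len > 0 &&
	    MBLKL(tmi->rcmd_state.c_msg) == tmi->rcmd_state.cd_len) {
		mblk_t *bp = tmi->rcmd_state.c_msg;
		mblk_t *newbp;

		tmi->rcmd_state.c_msg = NULL;

		/* do_decrypt() takes ownership of bp. */
		newbp = do_decrypt(q, bp);
		if (newbp == NULL) {
#ifdef DEBUG
			cmn_err(CE_WARN,
			    "decrypt_rcmd: do_decrypt on %d bytes failed",
			    (int)tmi->rcmd_state.cd_len);
#endif
			/* do_decrypt already reported the failure upstream. */
			tmi->rcmd_state.pt_len = 0;
			tmi->rcmd_state.cd_len = 0;
			return (NULL);
		}
		bp = newbp;

		/*
		 * V2 ("new" mode): the first 4 decrypted bytes are the
		 * sender's copy of the plaintext length and must agree with
		 * the cleartext value we framed on.
		 */
		if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2) {
			uint32_t pt_len2;

			/* The encrypted copy of the length must be present. */
			if (MBLKL(bp) < sizeof (uint32_t))
				return (rcmd_proto_error(q, tmi, bp));

			/* bcopy: b_rptr need not be 4-byte aligned. */
			bcopy(bp->b_rptr, &pt_len2, sizeof (pt_len2));
			pt_len2 = ntohl(pt_len2);
			if (pt_len2 != (uint32_t)tmi->rcmd_state.pt_len) {
				cmn_err(CE_WARN,
				    "Inconsistent length fields"
				    " received %d != %d",
				    (int)tmi->rcmd_state.pt_len,
				    (int)pt_len2);
				return (rcmd_proto_error(q, tmi, bp));
			}
			bp->b_rptr += sizeof (uint32_t);
		}

		/*
		 * Trim the cipher padding.  The peer-supplied pt_len must
		 * not exceed what was actually decrypted, otherwise b_wptr
		 * would point past the buffer and hand kernel memory to the
		 * application.
		 */
		if ((size_t)tmi->rcmd_state.pt_len > (size_t)MBLKL(bp))
			return (rcmd_proto_error(q, tmi, bp));
		bp->b_wptr = bp->b_rptr + tmi->rcmd_state.pt_len;

		newmp = bp;

		/* Ready for the next frame. */
		tmi->rcmd_state.pt_len = 0;
		tmi->rcmd_state.cd_len = 0;
	}

	/*
	 * return the new message with the 'length' fields removed
	 */
	return (newmp);
}

/*
 * rcmd_proto_error
 *
 * Common failure path for decrypt_rcmd_mblks(): converts mp into a one
 * byte M_ERROR (EIO) and sends it upstream with qreply(WR(q), mp), as
 * the original inline error paths did, so the connection is torn down.
 * Also discards any partially collected ciphertext and resets the rcmd
 * framing state, so a stale pt_len can never make the next call skip
 * the length field and dereference a NULL c_msg.  mp is consumed.
 * Always returns NULL so callers can "return (rcmd_proto_error(...))".
 */
static mblk_t *
rcmd_proto_error(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
{
	if (tmi->rcmd_state.c_msg != NULL) {
		freemsg(tmi->rcmd_state.c_msg);
		tmi->rcmd_state.c_msg = NULL;
	}
	tmi->rcmd_state.pt_len = 0;
	tmi->rcmd_state.cd_len = 0;

	freemsg(mp->b_cont);
	mp->b_cont = NULL;
	mp->b_datap->db_type = M_ERROR;
	mp->b_rptr = mp->b_datap->db_base;
	*mp->b_rptr = EIO;
	mp->b_wptr = mp->b_rptr + sizeof (char);
	qreply(WR(q), mp);
	return (NULL);
}

/*
 * cryptmodrsrv
 *
 * Read queue service routine
 * Necessary because if the ready flag is not set
 * (via CRYPTIOCSTOP/CRYPTIOCSTART ioctls) then the data
 * must remain on queue and not be passed along.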
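 *
 * Drains the read queue.  M_DATA is only forwarded when the next module
 * can take it (canputnext) and CRYPT_READ_READY is set; otherwise the
 * message is put back and the routine returns, to be re-run on the next
 * putq()/back-enable.  In rcmd mode (V1 or V2) frames are handled by
 * decrypt_rcmd_mblks(), which consumes the message and requeues any
 * surplus itself; in plain stream mode the message is pulled up into
 * one mblk and handed to do_decrypt().  Other normal-priority messages
 * are passed along when downstream has room.
 *
 * Always returns 0 (the return value of a STREAMS service routine is
 * ignored by the framework).
 */
static int
cryptmodrsrv(queue_t *q)
{
	mblk_t *mp, *bp;
	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;

	while ((mp = getq(q)) != NULL) {
		switch (mp->b_datap->db_type) {
		case M_DATA:
			if (!canputnext(q) ||
			    !(tmi->ready & CRYPT_READ_READY)) {
				/* Downstream full or not started yet: hold. */
				if (!putbq(q, mp))
					freemsg(mp);
				return (0);
			}

			/*
			 * Process "rcmd" messages differently because they
			 * carry a 4 byte plaintext length that must be
			 * stripped and verified.
			 */
			if (tmi->dec_data.method != CRYPT_METHOD_NONE &&
			    (tmi->dec_data.option_mask &
			    (CRYPTOPT_RCMD_MODE_V1 | CRYPTOPT_RCMD_MODE_V2))) {
				mp = decrypt_rcmd_mblks(q, mp);
				if (mp != NULL)
					putnext(q, mp);
				continue;
			}

			/*
			 * Plain stream mode: coalesce into one mblk so the
			 * cipher sees a contiguous buffer.
			 */
			bp = msgpullup(mp, -1);
			if (bp == NULL) {
				/*
				 * Allocation failure.  Previously mp was
				 * neither freed nor requeued here (a leak and
				 * a hole in the cipher stream).  Put it back
				 * and retry on the next service pass.
				 * NOTE(review): a qbufcall() would guarantee
				 * rescheduling; this relies on the next
				 * putq()/back-enable to re-run us.
				 */
				if (!putbq(q, mp))
					freemsg(mp);
				return (0);
			}
			freemsg(mp);
			if (MBLKL(bp) > 0) {
				mp = do_decrypt(q, bp);
				if (mp != NULL)
					putnext(q, mp);
			} else {
				/* Empty pullup: nothing to decrypt, don't leak it. */
				freemsg(bp);
			}
			break;
		default:
			/*
			 * rput does not queue anything >= QPCTL, so only
			 * normal-priority messages reach here.
			 */
			if (!canputnext(q)) {
				if (!putbq(q, mp))
					freemsg(mp);
				return (0);
			}
			putnext(q, mp);
			break;
		}
	}
	return (0);
}


/*
 * Read-side put procedure.
 *
 * M_DATA is always queued so that cryptmodrsrv() can apply the
 * CRYPT_READ_READY gate and the rcmd framing.  M_FLUSH flushes our
 * read queue when FLUSHR is set and is then passed on.  Other
 * normal-priority messages are queued behind any pending data (to keep
 * ordering) or when the next module cannot accept them; priority
 * messages (>= QPCTL) always go straight through.
 */
static void
cryptmodrput(queue_t *rq, mblk_t *mp)
{
	switch (mp->b_datap->db_type) {
	case M_DATA:
		if (!putq(rq, mp))
			freemsg(mp);
		break;
	case M_FLUSH:
		if (*mp->b_rptr & FLUSHR)
			flushq(rq, FLUSHALL);
		putnext(rq, mp);
		break;
	default:
		if (queclass(mp) < QPCTL &&
		    (rq->q_first != NULL || !canputnext(rq))) {
			if (!putq(rq, mp))
				freemsg(mp);
			break;
		}
		putnext(rq, mp);
		break;
	}
}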