xref: /illumos-gate/usr/src/uts/common/io/cryptmod.c (revision 8548bf79039833dba8615afdf63258b2cb122121)
1 /*
2  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  *
5  * STREAMS Crypto Module
6  *
7  * This module is used to facilitate Kerberos encryption
8  * operations for the telnet daemon and rlogin daemon.
9  * Because the Solaris telnet and rlogin daemons run mostly
10  * in-kernel via 'telmod' and 'rlmod', this module must be
11  * pushed on the STREAM *below* telmod or rlmod.
12  *
13  * Parts of the 3DES key derivation code are covered by the
14  * following copyright.
15  *
16  * Copyright (C) 1998 by the FundsXpress, INC.
17  *
18  * All rights reserved.
19  *
20  * Export of this software from the United States of America may require
21  * a specific license from the United States Government.  It is the
22  * responsibility of any person or organization contemplating export to
23  * obtain such a license before exporting.
24  *
25  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
26  * distribute this software and its documentation for any purpose and
27  * without fee is hereby granted, provided that the above copyright
28  * notice appear in all copies and that both that copyright notice and
29  * this permission notice appear in supporting documentation, and that
30  * the name of FundsXpress. not be used in advertising or publicity pertaining
31  * to distribution of the software without specific, written prior
32  * permission.  FundsXpress makes no representations about the suitability of
33  * this software for any purpose.  It is provided "as is" without express
34  * or implied warranty.
35  *
36  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
37  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
38  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
39  */
40 #pragma ident	"%Z%%M%	%I%	%E% SMI"
41 
42 #include <sys/types.h>
43 #include <sys/sysmacros.h>
44 #include <sys/errno.h>
45 #include <sys/debug.h>
46 #include <sys/time.h>
47 #include <sys/stropts.h>
48 #include <sys/stream.h>
49 #include <sys/strsubr.h>
50 #include <sys/strlog.h>
51 #include <sys/cmn_err.h>
52 #include <sys/conf.h>
53 #include <sys/sunddi.h>
54 #include <sys/kmem.h>
55 #include <sys/strsun.h>
56 #include <sys/random.h>
57 #include <sys/types.h>
58 #include <sys/byteorder.h>
59 #include <sys/cryptmod.h>
60 #include <sys/crc32.h>
61 #include <sys/policy.h>
62 
63 #include <sys/crypto/api.h>
64 
65 #include <sys/strft.h>
66 /*
67  * Function prototypes.
68  */
69 static	int	cryptmodopen(queue_t *, dev_t *, int, int, cred_t *);
70 static  void	cryptmodrput(queue_t *, mblk_t *);
71 static  void	cryptmodwput(queue_t *, mblk_t *);
72 static	int	cryptmodclose(queue_t *);
73 static	int	cryptmodwsrv(queue_t *);
74 static	int	cryptmodrsrv(queue_t *);
75 
76 static mblk_t *do_encrypt(queue_t *q, mblk_t *mp);
77 static mblk_t *do_decrypt(queue_t *q, mblk_t *mp);
78 
79 #define	CRYPTMOD_ID 5150
80 
81 #define	CFB_BLKSZ 8
82 
83 #define	K5CLENGTH 5
84 
85 static struct module_info	cryptmod_minfo = {
86 	CRYPTMOD_ID,	/* mi_idnum */
87 	"cryptmod",	/* mi_idname */
88 	0,		/* mi_minpsz */
89 	INFPSZ,		/* mi_maxpsz */
90 	65536,		/* mi_hiwat */
91 	1024		/* mi_lowat */
92 };
93 
94 static struct qinit	cryptmod_rinit = {
95 	(int (*)())cryptmodrput,	/* qi_putp */
96 	cryptmodrsrv,	/* qi_svc */
97 	cryptmodopen,	/* qi_qopen */
98 	cryptmodclose,	/* qi_qclose */
99 	NULL,		/* qi_qadmin */
100 	&cryptmod_minfo,	/* qi_minfo */
101 	NULL		/* qi_mstat */
102 };
103 
104 static struct qinit	cryptmod_winit = {
105 	(int (*)())cryptmodwput,	/* qi_putp */
106 	cryptmodwsrv,	/* qi_srvp */
107 	NULL,		/* qi_qopen */
108 	NULL,		/* qi_qclose */
109 	NULL,		/* qi_qadmin */
110 	&cryptmod_minfo,	/* qi_minfo */
111 	NULL		/* qi_mstat */
112 };
113 
114 static struct streamtab	cryptmod_info = {
115 	&cryptmod_rinit,	/* st_rdinit */
116 	&cryptmod_winit,	/* st_wrinit */
117 	NULL,	/* st_muxrinit */
118 	NULL	/* st_muxwinit */
119 };
120 
121 typedef struct {
122 	uint_t hash_len;
123 	uint_t confound_len;
124 	int (*hashfunc)();
125 } hash_info_t;
126 
127 #define	MAX_CKSUM_LEN 20
128 #define	CONFOUNDER_LEN 8
129 
130 #define	SHA1_HASHSIZE 20
131 #define	MD5_HASHSIZE 16
132 #define	CRC32_HASHSIZE 4
133 #define	MSGBUF_SIZE 4096
134 #define	CONFOUNDER_BYTES 128
135 
136 
137 static int crc32_calc(uchar_t *, uchar_t *, uint_t);
138 static int md5_calc(uchar_t *, uchar_t *, uint_t);
139 static int sha1_calc(uchar_t *, uchar_t *, uint_t);
140 
141 static hash_info_t null_hash = {0, 0, NULL};
142 static hash_info_t crc32_hash = {CRC32_HASHSIZE, CONFOUNDER_LEN, crc32_calc};
143 static hash_info_t md5_hash = {MD5_HASHSIZE, CONFOUNDER_LEN, md5_calc};
144 static hash_info_t sha1_hash = {SHA1_HASHSIZE, CONFOUNDER_LEN, sha1_calc};
145 
146 static crypto_mech_type_t sha1_hmac_mech = CRYPTO_MECH_INVALID;
147 static crypto_mech_type_t md5_hmac_mech = CRYPTO_MECH_INVALID;
148 static crypto_mech_type_t sha1_hash_mech = CRYPTO_MECH_INVALID;
149 static crypto_mech_type_t md5_hash_mech = CRYPTO_MECH_INVALID;
150 
151 static int kef_crypt(struct cipher_data_t *, void *,
152 		    crypto_data_format_t, size_t, int);
153 static mblk_t *
154 arcfour_hmac_md5_encrypt(queue_t *, struct tmodinfo *,
155 		mblk_t *, hash_info_t *);
156 static mblk_t *
157 arcfour_hmac_md5_decrypt(queue_t *, struct tmodinfo *,
158 		mblk_t *, hash_info_t *);
159 
160 static int
161 do_hmac(crypto_mech_type_t, crypto_key_t *, char *, int, char *, int);
162 
163 /*
164  * This is the loadable module wrapper.
165  */
166 #include <sys/modctl.h>
167 
168 static struct fmodsw fsw = {
169 	"cryptmod",
170 	&cryptmod_info,
171 	D_MP | D_MTQPAIR
172 };
173 
174 /*
175  * Module linkage information for the kernel.
176  */
177 static struct modlstrmod modlstrmod = {
178 	&mod_strmodops,
179 	"STREAMS encryption module %I%",
180 	&fsw
181 };
182 
183 static struct modlinkage modlinkage = {
184 	MODREV_1,
185 	&modlstrmod,
186 	NULL
187 };
188 
189 int
190 _init(void)
191 {
192 	return (mod_install(&modlinkage));
193 }
194 
195 int
196 _fini(void)
197 {
198 	return (mod_remove(&modlinkage));
199 }
200 
201 int
202 _info(struct modinfo *modinfop)
203 {
204 	return (mod_info(&modlinkage, modinfop));
205 }
206 
207 static void
208 cleanup(struct cipher_data_t *cd)
209 {
210 	if (cd->key != NULL) {
211 		bzero(cd->key, cd->keylen);
212 		kmem_free(cd->key, cd->keylen);
213 		cd->key = NULL;
214 	}
215 
216 	if (cd->ckey != NULL) {
217 		/*
218 		 * ckey is a crypto_key_t structure which references
219 		 * "cd->key" for its raw key data.  Since that was already
220 		 * cleared out, we don't need another "bzero" here.
221 		 */
222 		kmem_free(cd->ckey, sizeof (crypto_key_t));
223 		cd->ckey = NULL;
224 	}
225 
226 	if (cd->block != NULL) {
227 		kmem_free(cd->block, cd->blocklen);
228 		cd->block = NULL;
229 	}
230 
231 	if (cd->saveblock != NULL) {
232 		kmem_free(cd->saveblock, cd->blocklen);
233 		cd->saveblock = NULL;
234 	}
235 
236 	if (cd->ivec != NULL) {
237 		kmem_free(cd->ivec, cd->ivlen);
238 		cd->ivec = NULL;
239 	}
240 
241 	if (cd->d_encr_key.ck_data != NULL) {
242 		bzero(cd->d_encr_key.ck_data, cd->keylen);
243 		kmem_free(cd->d_encr_key.ck_data, cd->keylen);
244 	}
245 
246 	if (cd->d_hmac_key.ck_data != NULL) {
247 		bzero(cd->d_hmac_key.ck_data, cd->keylen);
248 		kmem_free(cd->d_hmac_key.ck_data, cd->keylen);
249 	}
250 
251 	if (cd->enc_tmpl != NULL)
252 		(void) crypto_destroy_ctx_template(cd->enc_tmpl);
253 
254 	if (cd->hmac_tmpl != NULL)
255 		(void) crypto_destroy_ctx_template(cd->hmac_tmpl);
256 
257 	if (cd->ctx != NULL) {
258 		crypto_cancel_ctx(cd->ctx);
259 		cd->ctx = NULL;
260 	}
261 }
262 
263 /* ARGSUSED */
264 static int
265 cryptmodopen(queue_t *rq, dev_t *dev, int oflag, int sflag, cred_t *crp)
266 {
267 	struct tmodinfo	*tmi;
268 	ASSERT(rq);
269 
270 	if (sflag != MODOPEN)
271 		return (EINVAL);
272 
273 	(void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE,
274 			"cryptmodopen: opening module(PID %d)",
275 			ddi_get_pid()));
276 
277 	if (rq->q_ptr != NULL) {
278 		cmn_err(CE_WARN, "cryptmodopen: already opened");
279 		return (0);
280 	}
281 
282 	/*
283 	 * Allocate and initialize per-Stream structure.
284 	 */
285 	tmi = (struct tmodinfo *)kmem_zalloc(sizeof (struct tmodinfo),
286 						KM_SLEEP);
287 
288 	tmi->enc_data.method = CRYPT_METHOD_NONE;
289 	tmi->dec_data.method = CRYPT_METHOD_NONE;
290 
291 	tmi->ready = (CRYPT_READ_READY | CRYPT_WRITE_READY);
292 
293 	rq->q_ptr = WR(rq)->q_ptr = tmi;
294 
295 	sha1_hmac_mech = crypto_mech2id(SUN_CKM_SHA1_HMAC);
296 	md5_hmac_mech = crypto_mech2id(SUN_CKM_MD5_HMAC);
297 	sha1_hash_mech = crypto_mech2id(SUN_CKM_SHA1);
298 	md5_hash_mech = crypto_mech2id(SUN_CKM_MD5);
299 
300 	qprocson(rq);
301 
302 	return (0);
303 }
304 
305 static int
306 cryptmodclose(queue_t *rq)
307 {
308 	struct tmodinfo *tmi = (struct tmodinfo *)rq->q_ptr;
309 	ASSERT(tmi);
310 
311 	qprocsoff(rq);
312 
313 	cleanup(&tmi->enc_data);
314 	cleanup(&tmi->dec_data);
315 
316 	kmem_free(tmi, sizeof (struct tmodinfo));
317 	rq->q_ptr = WR(rq)->q_ptr = NULL;
318 
319 	return (0);
320 }
321 
322 /*
323  * plaintext_offset
324  *
325  * Calculate exactly how much space is needed in front
326  * of the "plaintext" in an mbuf so it can be positioned
327  * 1 time instead of potentially moving the data multiple
328  * times.
329  */
330 static int
331 plaintext_offset(struct cipher_data_t *cd)
332 {
333 	int headspace = 0;
334 
335 	/* 4 byte length prepended to all RCMD msgs */
336 	if (ANY_RCMD_MODE(cd->option_mask))
337 		headspace += RCMD_LEN_SZ;
338 
339 	/* RCMD V2 mode adds an additional 4 byte plaintext length */
340 	if (cd->option_mask & CRYPTOPT_RCMD_MODE_V2)
341 		headspace += RCMD_LEN_SZ;
342 
343 	/* Need extra space for hash and counfounder */
344 	switch (cd->method) {
345 	case CRYPT_METHOD_DES_CBC_NULL:
346 		headspace += null_hash.hash_len + null_hash.confound_len;
347 		break;
348 	case CRYPT_METHOD_DES_CBC_CRC:
349 		headspace += crc32_hash.hash_len + crc32_hash.confound_len;
350 		break;
351 	case CRYPT_METHOD_DES_CBC_MD5:
352 		headspace += md5_hash.hash_len + md5_hash.confound_len;
353 		break;
354 	case CRYPT_METHOD_DES3_CBC_SHA1:
355 		headspace += sha1_hash.confound_len;
356 		break;
357 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
358 		headspace += md5_hash.hash_len + md5_hash.confound_len;
359 		break;
360 	case CRYPT_METHOD_AES128:
361 	case CRYPT_METHOD_AES256:
362 		headspace += DEFAULT_AES_BLOCKLEN;
363 		break;
364 	case CRYPT_METHOD_DES_CFB:
365 	case CRYPT_METHOD_NONE:
366 		break;
367 	}
368 
369 	return (headspace);
370 }
371 /*
372  * encrypt_size
373  *
374  * Calculate the resulting size when encrypting 'plainlen' bytes
375  * of data.
376  */
377 static size_t
378 encrypt_size(struct cipher_data_t *cd, size_t plainlen)
379 {
380 	size_t cipherlen;
381 
382 	switch (cd->method) {
383 	case CRYPT_METHOD_DES_CBC_NULL:
384 		cipherlen = (size_t)P2ROUNDUP(null_hash.hash_len +
385 					    plainlen, 8);
386 		break;
387 	case CRYPT_METHOD_DES_CBC_MD5:
388 		cipherlen = (size_t)P2ROUNDUP(md5_hash.hash_len +
389 					    md5_hash.confound_len +
390 					    plainlen, 8);
391 		break;
392 	case CRYPT_METHOD_DES_CBC_CRC:
393 		cipherlen = (size_t)P2ROUNDUP(crc32_hash.hash_len +
394 					    crc32_hash.confound_len +
395 					    plainlen, 8);
396 		break;
397 	case CRYPT_METHOD_DES3_CBC_SHA1:
398 		cipherlen = (size_t)P2ROUNDUP(sha1_hash.confound_len +
399 					    plainlen, 8) +
400 					    sha1_hash.hash_len;
401 		break;
402 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
403 		cipherlen = (size_t)P2ROUNDUP(md5_hash.confound_len +
404 				plainlen, 1) + md5_hash.hash_len;
405 		break;
406 	case CRYPT_METHOD_AES128:
407 	case CRYPT_METHOD_AES256:
408 		/* No roundup for AES-CBC-CTS */
409 		cipherlen = DEFAULT_AES_BLOCKLEN + plainlen +
410 			AES_TRUNCATED_HMAC_LEN;
411 		break;
412 	case CRYPT_METHOD_DES_CFB:
413 	case CRYPT_METHOD_NONE:
414 		cipherlen = plainlen;
415 		break;
416 	}
417 
418 	return (cipherlen);
419 }
420 
421 /*
422  * des_cfb_encrypt
423  *
424  * Encrypt the mblk data using DES with cipher feedback.
425  *
426  * Given that V[i] is the initial 64 bit vector, V[n] is the nth 64 bit
427  * vector, D[n] is the nth chunk of 64 bits of data to encrypt
428  * (decrypt), and O[n] is the nth chunk of 64 bits of encrypted
429  * (decrypted) data, then:
430  *
431  *  V[0] = DES(V[i], key)
432  *  O[n] = D[n] <exclusive or > V[n]
433  *  V[n+1] = DES(O[n], key)
434  *
435  * The size of the message being encrypted does not change in this
436  * algorithm, num_bytes in == num_bytes out.
437  */
438 static mblk_t *
439 des_cfb_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
440 {
441 	int savedbytes;
442 	char *iptr, *optr, *lastoutput;
443 
444 	lastoutput = optr = (char *)mp->b_rptr;
445 	iptr = (char *)mp->b_rptr;
446 	savedbytes = tmi->enc_data.bytes % CFB_BLKSZ;
447 
448 	while (iptr < (char *)mp->b_wptr) {
449 		/*
450 		 * Do DES-ECB.
451 		 * The first time this runs, the 'tmi->enc_data.block' will
452 		 * contain the initialization vector that should have been
453 		 * passed in with the SETUP ioctl.
454 		 *
455 		 * V[n] = DES(V[n-1], key)
456 		 */
457 		if (!(tmi->enc_data.bytes % CFB_BLKSZ)) {
458 			int retval = 0;
459 			retval = kef_crypt(&tmi->enc_data,
460 					tmi->enc_data.block,
461 					CRYPTO_DATA_RAW,
462 					tmi->enc_data.blocklen,
463 					CRYPT_ENCRYPT);
464 
465 			if (retval != CRYPTO_SUCCESS) {
466 #ifdef DEBUG
467 				cmn_err(CE_WARN, "des_cfb_encrypt: kef_crypt "
468 					"failed - error 0x%0x", retval);
469 #endif
470 				mp->b_datap->db_type = M_ERROR;
471 				mp->b_rptr = mp->b_datap->db_base;
472 				*mp->b_rptr = EIO;
473 				mp->b_wptr = mp->b_rptr + sizeof (char);
474 				freemsg(mp->b_cont);
475 				mp->b_cont = NULL;
476 				qreply(WR(q), mp);
477 				return (NULL);
478 			}
479 		}
480 
481 		/* O[n] = I[n] ^ V[n] */
482 		*(optr++) = *(iptr++) ^
483 		    tmi->enc_data.block[tmi->enc_data.bytes % CFB_BLKSZ];
484 
485 		tmi->enc_data.bytes++;
486 		/*
487 		 * Feedback the encrypted output as the input to next DES call.
488 		 */
489 		if (!(tmi->enc_data.bytes % CFB_BLKSZ)) {
490 			char *dbptr = tmi->enc_data.block;
491 			/*
492 			 * Get the last bits of input from the previous
493 			 * msg block that we haven't yet used as feedback input.
494 			 */
495 			if (savedbytes > 0) {
496 				bcopy(tmi->enc_data.saveblock,
497 				    dbptr, (size_t)savedbytes);
498 				dbptr += savedbytes;
499 			}
500 
501 			/*
502 			 * Now copy the correct bytes from the current input
503 			 * stream and update the 'lastoutput' ptr
504 			 */
505 			bcopy(lastoutput, dbptr,
506 				(size_t)(CFB_BLKSZ - savedbytes));
507 
508 			lastoutput += (CFB_BLKSZ - savedbytes);
509 			savedbytes = 0;
510 		}
511 	}
512 	/*
513 	 * If there are bytes of input here that we need in the next
514 	 * block to build an ivec, save them off here.
515 	 */
516 	if (lastoutput < optr) {
517 		bcopy(lastoutput,
518 		    tmi->enc_data.saveblock + savedbytes,
519 		    (uint_t)(optr - lastoutput));
520 	}
521 	return (mp);
522 }
523 
524 /*
525  * des_cfb_decrypt
526  *
527  * Decrypt the data in the mblk using DES in Cipher Feedback mode
528  *
529  * # bytes in == # bytes out, no padding, confounding, or hashing
530  * is added.
531  *
532  */
533 static mblk_t *
534 des_cfb_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
535 {
536 	uint_t len;
537 	uint_t savedbytes;
538 	char *iptr;
539 	char *lastinput;
540 	uint_t cp;
541 
542 	len = MBLKL(mp);
543 
544 	/* decrypted output goes into the new data buffer */
545 	lastinput = iptr = (char *)mp->b_rptr;
546 
547 	savedbytes = tmi->dec_data.bytes % tmi->dec_data.blocklen;
548 
549 	/*
550 	 * Save the input CFB_BLKSZ bytes at a time.
551 	 * We are trying to decrypt in-place, but need to keep
552 	 * a small sliding window of encrypted text to be
553 	 * used to construct the feedback buffer.
554 	 */
555 	cp = ((tmi->dec_data.blocklen - savedbytes) > len ? len :
556 		tmi->dec_data.blocklen - savedbytes);
557 
558 	bcopy(lastinput, tmi->dec_data.saveblock + savedbytes, cp);
559 	savedbytes += cp;
560 
561 	lastinput += cp;
562 
563 	while (iptr < (char *)mp->b_wptr) {
564 		/*
565 		 * Do DES-ECB.
566 		 * The first time this runs, the 'tmi->dec_data.block' will
567 		 * contain the initialization vector that should have been
568 		 * passed in with the SETUP ioctl.
569 		 */
570 		if (!(tmi->dec_data.bytes % CFB_BLKSZ)) {
571 			int retval;
572 			retval = kef_crypt(&tmi->dec_data,
573 					tmi->dec_data.block,
574 					CRYPTO_DATA_RAW,
575 					tmi->dec_data.blocklen,
576 					CRYPT_ENCRYPT);
577 
578 			if (retval != CRYPTO_SUCCESS) {
579 #ifdef DEBUG
580 				cmn_err(CE_WARN, "des_cfb_decrypt: kef_crypt "
581 					"failed - status 0x%0x", retval);
582 #endif
583 				mp->b_datap->db_type = M_ERROR;
584 				mp->b_rptr = mp->b_datap->db_base;
585 				*mp->b_rptr = EIO;
586 				mp->b_wptr = mp->b_rptr + sizeof (char);
587 				freemsg(mp->b_cont);
588 				mp->b_cont = NULL;
589 				qreply(WR(q), mp);
590 				return (NULL);
591 			}
592 		}
593 
594 		/*
595 		 * To decrypt, XOR the input with the output from the DES call
596 		 */
597 		*(iptr++) ^= tmi->dec_data.block[tmi->dec_data.bytes %
598 				CFB_BLKSZ];
599 
600 		tmi->dec_data.bytes++;
601 
602 		/*
603 		 * Feedback the encrypted input for next DES call.
604 		 */
605 		if (!(tmi->dec_data.bytes % tmi->dec_data.blocklen)) {
606 			char *dbptr = tmi->dec_data.block;
607 			/*
608 			 * Get the last bits of input from the previous block
609 			 * that we haven't yet processed.
610 			 */
611 			if (savedbytes > 0) {
612 				bcopy(tmi->dec_data.saveblock,
613 				    dbptr, savedbytes);
614 				dbptr += savedbytes;
615 			}
616 
617 			savedbytes = 0;
618 
619 			/*
620 			 * This block makes sure that our local
621 			 * buffer of input data is full and can
622 			 * be accessed from the beginning.
623 			 */
624 			if (lastinput < (char *)mp->b_wptr) {
625 
626 				/* How many bytes are left in the mblk? */
627 				cp = (((char *)mp->b_wptr - lastinput) >
628 					tmi->dec_data.blocklen ?
629 					tmi->dec_data.blocklen :
630 					(char *)mp->b_wptr - lastinput);
631 
632 				/* copy what we need */
633 				bcopy(lastinput, tmi->dec_data.saveblock,
634 					cp);
635 
636 				lastinput += cp;
637 				savedbytes = cp;
638 			}
639 		}
640 	}
641 
642 	return (mp);
643 }
644 
645 /*
646  * crc32_calc
647  *
648  * Compute a CRC32 checksum on the input
649  */
650 static int
651 crc32_calc(uchar_t *buf, uchar_t *input, uint_t len)
652 {
653 	uint32_t crc;
654 
655 	CRC32(crc, input, len, 0, crc32_table);
656 
657 	buf[0] = (uchar_t)(crc & 0xff);
658 	buf[1] = (uchar_t)((crc >> 8) & 0xff);
659 	buf[2] = (uchar_t)((crc >> 16) & 0xff);
660 	buf[3] = (uchar_t)((crc >> 24) & 0xff);
661 
662 	return (CRYPTO_SUCCESS);
663 }
664 
665 static int
666 kef_digest(crypto_mech_type_t digest_type,
667 	uchar_t *input, uint_t inlen,
668 	uchar_t *output, uint_t hashlen)
669 {
670 	iovec_t v1, v2;
671 	crypto_data_t d1, d2;
672 	crypto_mechanism_t mech;
673 	int rv;
674 
675 	mech.cm_type = digest_type;
676 	mech.cm_param = 0;
677 	mech.cm_param_len = 0;
678 
679 	v1.iov_base = (void *)input;
680 	v1.iov_len = inlen;
681 
682 	d1.cd_format = CRYPTO_DATA_RAW;
683 	d1.cd_offset = 0;
684 	d1.cd_length = v1.iov_len;
685 	d1.cd_raw = v1;
686 
687 	v2.iov_base = (void *)output;
688 	v2.iov_len = hashlen;
689 
690 	d2.cd_format = CRYPTO_DATA_RAW;
691 	d2.cd_offset = 0;
692 	d2.cd_length = v2.iov_len;
693 	d2.cd_raw = v2;
694 
695 	rv = crypto_digest(&mech, &d1, &d2, NULL);
696 
697 	return (rv);
698 }
699 
700 /*
701  * sha1_calc
702  *
703  * Get a SHA1 hash on the input data.
704  */
705 static int
706 sha1_calc(uchar_t *output, uchar_t *input, uint_t inlen)
707 {
708 	int rv;
709 
710 	rv = kef_digest(sha1_hash_mech, input, inlen, output, SHA1_HASHSIZE);
711 
712 	return (rv);
713 }
714 
715 /*
716  * Get an MD5 hash on the input data.
717  * md5_calc
718  *
719  */
720 static int
721 md5_calc(uchar_t *output, uchar_t *input, uint_t inlen)
722 {
723 	int rv;
724 
725 	rv = kef_digest(md5_hash_mech, input, inlen, output, MD5_HASHSIZE);
726 
727 	return (rv);
728 }
729 
730 /*
731  * nfold
732  * duplicate the functionality of the krb5_nfold function from
733  * the userland kerberos mech.
734  * This is needed to derive keys for use with 3DES/SHA1-HMAC
735  * ciphers.
736  */
737 static void
738 nfold(int inbits, uchar_t *in, int outbits, uchar_t *out)
739 {
740 	int a, b, c, lcm;
741 	int byte, i, msbit;
742 
743 	inbits >>= 3;
744 	outbits >>= 3;
745 
746 	/* first compute lcm(n,k) */
747 	a = outbits;
748 	b = inbits;
749 
750 	while (b != 0) {
751 		c = b;
752 		b = a%b;
753 		a = c;
754 	}
755 
756 	lcm = outbits*inbits/a;
757 
758 	/* now do the real work */
759 
760 	bzero(out, outbits);
761 	byte = 0;
762 
763 	/*
764 	 * Compute the msbit in k which gets added into this byte
765 	 * first, start with the msbit in the first, unrotated byte
766 	 * then, for each byte, shift to the right for each repetition
767 	 * last, pick out the correct byte within that shifted repetition
768 	 */
769 	for (i = lcm-1; i >= 0; i--) {
770 		msbit = (((inbits<<3)-1)
771 			+(((inbits<<3)+13)*(i/inbits))
772 			+((inbits-(i%inbits))<<3)) %(inbits<<3);
773 
774 		/* pull out the byte value itself */
775 		byte += (((in[((inbits-1)-(msbit>>3))%inbits]<<8)|
776 			(in[((inbits)-(msbit>>3))%inbits]))
777 			>>((msbit&7)+1))&0xff;
778 
779 		/* do the addition */
780 		byte += out[i%outbits];
781 		out[i%outbits] = byte&0xff;
782 
783 		byte >>= 8;
784 	}
785 
786 	/* if there's a carry bit left over, add it back in */
787 	if (byte) {
788 		for (i = outbits-1; i >= 0; i--) {
789 			/* do the addition */
790 			byte += out[i];
791 			out[i] = byte&0xff;
792 
793 			/* keep around the carry bit, if any */
794 			byte >>= 8;
795 		}
796 	}
797 }
798 
799 #define	smask(step) ((1<<step)-1)
800 #define	pstep(x, step) (((x)&smask(step))^(((x)>>step)&smask(step)))
801 #define	parity_char(x) pstep(pstep(pstep((x), 4), 2), 1)
802 
803 /*
804  * Duplicate the functionality of the "dk_derive_key" function
805  * in the Kerberos mechanism.
806  */
807 static int
808 derive_key(struct cipher_data_t *cdata, uchar_t *constdata,
809 	int constlen, char *dkey, int keybytes,
810 	int blocklen)
811 {
812 	int rv = 0;
813 	int n = 0, i;
814 	char *inblock;
815 	char *rawkey;
816 	char *zeroblock;
817 	char *saveblock;
818 
819 	inblock = kmem_zalloc(blocklen, KM_SLEEP);
820 	rawkey = kmem_zalloc(keybytes, KM_SLEEP);
821 	zeroblock = kmem_zalloc(blocklen, KM_SLEEP);
822 
823 	if (constlen == blocklen)
824 		bcopy(constdata, inblock, blocklen);
825 	else
826 		nfold(constlen * 8, constdata,
827 			blocklen * 8, (uchar_t *)inblock);
828 
829 	/*
830 	 * zeroblock is an IV of all 0's.
831 	 *
832 	 * The "block" section of the cdata record is used as the
833 	 * IV for crypto operations in the kef_crypt function.
834 	 *
835 	 * We use 'block' as a generic IV data buffer because it
836 	 * is attached to the stream state data and thus can
837 	 * be used to hold information that must carry over
838 	 * from processing of one mblk to another.
839 	 *
840 	 * Here, we save the current IV and replace it with
841 	 * and empty IV (all 0's) for use when deriving the
842 	 * keys.  Once the key derivation is done, we swap the
843 	 * old IV back into place.
844 	 */
845 	saveblock = cdata->block;
846 	cdata->block = zeroblock;
847 
848 	while (n < keybytes) {
849 		rv = kef_crypt(cdata, inblock, CRYPTO_DATA_RAW,
850 				blocklen, CRYPT_ENCRYPT);
851 		if (rv != CRYPTO_SUCCESS) {
852 			/* put the original IV block back in place */
853 			cdata->block = saveblock;
854 			cmn_err(CE_WARN, "failed to derive a key: %0x", rv);
855 			goto cleanup;
856 		}
857 
858 		if (keybytes - n < blocklen) {
859 			bcopy(inblock, rawkey+n, (keybytes-n));
860 			break;
861 		}
862 		bcopy(inblock, rawkey+n, blocklen);
863 		n += blocklen;
864 	}
865 	/* put the original IV block back in place */
866 	cdata->block = saveblock;
867 
868 	/* finally, make the key */
869 	if (cdata->method == CRYPT_METHOD_DES3_CBC_SHA1) {
870 		/*
871 		 * 3DES key derivation requires that we make sure the
872 		 * key has the proper parity.
873 		 */
874 		for (i = 0; i < 3; i++) {
875 			bcopy(rawkey+(i*7), dkey+(i*8), 7);
876 
877 			/* 'dkey' is our derived key output buffer */
878 			dkey[i*8+7] = (((dkey[i*8]&1)<<1) |
879 					((dkey[i*8+1]&1)<<2) |
880 					((dkey[i*8+2]&1)<<3) |
881 					((dkey[i*8+3]&1)<<4) |
882 					((dkey[i*8+4]&1)<<5) |
883 					((dkey[i*8+5]&1)<<6) |
884 					((dkey[i*8+6]&1)<<7));
885 
886 			for (n = 0; n < 8; n++) {
887 				dkey[i*8 + n] &=  0xfe;
888 				dkey[i*8 + n] |= 1^parity_char(dkey[i*8 + n]);
889 			}
890 		}
891 	} else if (IS_AES_METHOD(cdata->method)) {
892 		bcopy(rawkey, dkey, keybytes);
893 	}
894 cleanup:
895 	kmem_free(inblock, blocklen);
896 	kmem_free(zeroblock, blocklen);
897 	kmem_free(rawkey, keybytes);
898 	return (rv);
899 }
900 
901 /*
902  * create_derived_keys
903  *
904  * Algorithm for deriving a new key and an HMAC key
905  * before computing the 3DES-SHA1-HMAC operation on the plaintext
906  * This algorithm matches the work done by Kerberos mechanism
907  * in userland.
908  */
909 static int
910 create_derived_keys(struct cipher_data_t *cdata, uint32_t usage,
911 		crypto_key_t *enckey, crypto_key_t *hmackey)
912 {
913 	uchar_t constdata[K5CLENGTH];
914 	int keybytes;
915 	int rv;
916 
917 	constdata[0] = (usage>>24)&0xff;
918 	constdata[1] = (usage>>16)&0xff;
919 	constdata[2] = (usage>>8)&0xff;
920 	constdata[3] = usage & 0xff;
921 	/* Use "0xAA" for deriving encryption key */
922 	constdata[4] = 0xAA; /* from MIT Kerberos code */
923 
924 	enckey->ck_length = cdata->keylen * 8;
925 	enckey->ck_format = CRYPTO_KEY_RAW;
926 	enckey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP);
927 
928 	switch (cdata->method) {
929 		case CRYPT_METHOD_DES_CFB:
930 		case CRYPT_METHOD_DES_CBC_NULL:
931 		case CRYPT_METHOD_DES_CBC_MD5:
932 		case CRYPT_METHOD_DES_CBC_CRC:
933 			keybytes = 8;
934 			break;
935 		case CRYPT_METHOD_DES3_CBC_SHA1:
936 			keybytes = CRYPT_DES3_KEYBYTES;
937 			break;
938 		case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
939 		case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
940 			keybytes = CRYPT_ARCFOUR_KEYBYTES;
941 			break;
942 		case CRYPT_METHOD_AES128:
943 			keybytes = CRYPT_AES128_KEYBYTES;
944 			break;
945 		case CRYPT_METHOD_AES256:
946 			keybytes = CRYPT_AES256_KEYBYTES;
947 			break;
948 	}
949 
950 	/* derive main crypto key */
951 	rv = derive_key(cdata, constdata, sizeof (constdata),
952 		enckey->ck_data, keybytes, cdata->blocklen);
953 
954 	if (rv == CRYPTO_SUCCESS) {
955 
956 		/* Use "0x55" for deriving mac key */
957 		constdata[4] = 0x55;
958 
959 		hmackey->ck_length = cdata->keylen * 8;
960 		hmackey->ck_format = CRYPTO_KEY_RAW;
961 		hmackey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP);
962 
963 		rv = derive_key(cdata, constdata, sizeof (constdata),
964 				hmackey->ck_data, keybytes,
965 				cdata->blocklen);
966 	} else {
967 		cmn_err(CE_WARN, "failed to derive crypto key: %02x", rv);
968 	}
969 
970 	return (rv);
971 }
972 
973 /*
974  * Compute 3-DES crypto and HMAC.
975  */
976 static int
977 kef_decr_hmac(struct cipher_data_t *cdata,
978 	mblk_t *mp, int length,
979 	char *hmac, int hmaclen)
980 {
981 	int rv = CRYPTO_FAILED;
982 
983 	crypto_mechanism_t encr_mech;
984 	crypto_mechanism_t mac_mech;
985 	crypto_data_t dd;
986 	crypto_data_t mac;
987 	iovec_t v1;
988 
989 	ASSERT(cdata != NULL);
990 	ASSERT(mp != NULL);
991 	ASSERT(hmac != NULL);
992 
993 	bzero(&dd, sizeof (dd));
994 	dd.cd_format = CRYPTO_DATA_MBLK;
995 	dd.cd_offset = 0;
996 	dd.cd_length = length;
997 	dd.cd_mp = mp;
998 
999 	v1.iov_base = hmac;
1000 	v1.iov_len = hmaclen;
1001 
1002 	mac.cd_format = CRYPTO_DATA_RAW;
1003 	mac.cd_offset = 0;
1004 	mac.cd_length = hmaclen;
1005 	mac.cd_raw = v1;
1006 
1007 	/*
1008 	 * cdata->block holds the IVEC
1009 	 */
1010 	encr_mech.cm_type = cdata->mech_type;
1011 	encr_mech.cm_param = cdata->block;
1012 
1013 	if (cdata->block != NULL)
1014 		encr_mech.cm_param_len = cdata->blocklen;
1015 	else
1016 		encr_mech.cm_param_len = 0;
1017 
1018 	rv = crypto_decrypt(&encr_mech, &dd, &cdata->d_encr_key,
1019 			cdata->enc_tmpl, NULL, NULL);
1020 	if (rv != CRYPTO_SUCCESS) {
1021 		cmn_err(CE_WARN, "crypto_decrypt failed: %0x", rv);
1022 		return (rv);
1023 	}
1024 
1025 	mac_mech.cm_type = sha1_hmac_mech;
1026 	mac_mech.cm_param = NULL;
1027 	mac_mech.cm_param_len = 0;
1028 
1029 	/*
1030 	 * Compute MAC of the plaintext decrypted above.
1031 	 */
1032 	rv = crypto_mac(&mac_mech, &dd, &cdata->d_hmac_key,
1033 			cdata->hmac_tmpl, &mac, NULL);
1034 
1035 	if (rv != CRYPTO_SUCCESS) {
1036 		cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
1037 	}
1038 
1039 	return (rv);
1040 }
1041 
1042 /*
1043  * Compute 3-DES crypto and HMAC.
1044  */
1045 static int
1046 kef_encr_hmac(struct cipher_data_t *cdata,
1047 	mblk_t *mp, int length,
1048 	char *hmac, int hmaclen)
1049 {
1050 	int rv = CRYPTO_FAILED;
1051 
1052 	crypto_mechanism_t encr_mech;
1053 	crypto_mechanism_t mac_mech;
1054 	crypto_data_t dd;
1055 	crypto_data_t mac;
1056 	iovec_t v1;
1057 
1058 	ASSERT(cdata != NULL);
1059 	ASSERT(mp != NULL);
1060 	ASSERT(hmac != NULL);
1061 
1062 	bzero(&dd, sizeof (dd));
1063 	dd.cd_format = CRYPTO_DATA_MBLK;
1064 	dd.cd_offset = 0;
1065 	dd.cd_length = length;
1066 	dd.cd_mp = mp;
1067 
1068 	v1.iov_base = hmac;
1069 	v1.iov_len = hmaclen;
1070 
1071 	mac.cd_format = CRYPTO_DATA_RAW;
1072 	mac.cd_offset = 0;
1073 	mac.cd_length = hmaclen;
1074 	mac.cd_raw = v1;
1075 
1076 	/*
1077 	 * cdata->block holds the IVEC
1078 	 */
1079 	encr_mech.cm_type = cdata->mech_type;
1080 	encr_mech.cm_param = cdata->block;
1081 
1082 	if (cdata->block != NULL)
1083 		encr_mech.cm_param_len = cdata->blocklen;
1084 	else
1085 		encr_mech.cm_param_len = 0;
1086 
1087 	mac_mech.cm_type = sha1_hmac_mech;
1088 	mac_mech.cm_param = NULL;
1089 	mac_mech.cm_param_len = 0;
1090 
1091 	rv = crypto_mac(&mac_mech, &dd, &cdata->d_hmac_key,
1092 			cdata->hmac_tmpl, &mac, NULL);
1093 
1094 	if (rv != CRYPTO_SUCCESS) {
1095 		cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
1096 		return (rv);
1097 	}
1098 
1099 	rv = crypto_encrypt(&encr_mech, &dd, &cdata->d_encr_key,
1100 			cdata->enc_tmpl, NULL, NULL);
1101 	if (rv != CRYPTO_SUCCESS) {
1102 		cmn_err(CE_WARN, "crypto_encrypt failed: %0x", rv);
1103 	}
1104 
1105 	return (rv);
1106 }
1107 
1108 /*
1109  * kef_crypt
1110  *
1111  * Use the Kernel encryption framework to provide the
1112  * crypto operations for the indicated data.
1113  */
1114 static int
1115 kef_crypt(struct cipher_data_t *cdata,
1116 	void *indata, crypto_data_format_t fmt,
1117 	size_t length, int mode)
1118 {
1119 	int rv = CRYPTO_FAILED;
1120 
1121 	crypto_mechanism_t mech;
1122 	crypto_key_t crkey;
1123 	iovec_t v1;
1124 	crypto_data_t d1;
1125 
1126 	ASSERT(cdata != NULL);
1127 	ASSERT(indata != NULL);
1128 	ASSERT(fmt == CRYPTO_DATA_RAW || fmt == CRYPTO_DATA_MBLK);
1129 
1130 	bzero(&crkey, sizeof (crkey));
1131 	bzero(&d1, sizeof (d1));
1132 
1133 	crkey.ck_format = CRYPTO_KEY_RAW;
1134 	crkey.ck_data =  cdata->key;
1135 
1136 	/* keys are measured in bits, not bytes, so multiply by 8 */
1137 	crkey.ck_length = cdata->keylen * 8;
1138 
1139 	if (fmt == CRYPTO_DATA_RAW) {
1140 		v1.iov_base = (char *)indata;
1141 		v1.iov_len = length;
1142 	}
1143 
1144 	d1.cd_format = fmt;
1145 	d1.cd_offset = 0;
1146 	d1.cd_length = length;
1147 	if (fmt == CRYPTO_DATA_RAW)
1148 		d1.cd_raw = v1;
1149 	else if (fmt == CRYPTO_DATA_MBLK)
1150 		d1.cd_mp = (mblk_t *)indata;
1151 
1152 	mech.cm_type = cdata->mech_type;
1153 	mech.cm_param = cdata->block;
1154 	/*
1155 	 * cdata->block holds the IVEC
1156 	 */
1157 	if (cdata->block != NULL)
1158 		mech.cm_param_len = cdata->blocklen;
1159 	else
1160 		mech.cm_param_len = 0;
1161 
1162 	/*
1163 	 * encrypt and decrypt in-place
1164 	 */
1165 	if (mode == CRYPT_ENCRYPT)
1166 		rv = crypto_encrypt(&mech, &d1, &crkey, NULL, NULL, NULL);
1167 	else
1168 		rv = crypto_decrypt(&mech, &d1, &crkey, NULL, NULL, NULL);
1169 
1170 	if (rv != CRYPTO_SUCCESS) {
1171 		cmn_err(CE_WARN, "%s returned error %08x",
1172 			(mode == CRYPT_ENCRYPT ? "crypto_encrypt" :
1173 				"crypto_decrypt"), rv);
1174 		return (CRYPTO_FAILED);
1175 	}
1176 
1177 	return (rv);
1178 }
1179 
1180 static int
1181 do_hmac(crypto_mech_type_t mech,
1182 	crypto_key_t *key,
1183 	char *data, int datalen,
1184 	char *hmac, int hmaclen)
1185 {
1186 	int rv = 0;
1187 	crypto_mechanism_t mac_mech;
1188 	crypto_data_t dd;
1189 	crypto_data_t mac;
1190 	iovec_t vdata, vmac;
1191 
1192 	mac_mech.cm_type = mech;
1193 	mac_mech.cm_param = NULL;
1194 	mac_mech.cm_param_len = 0;
1195 
1196 	vdata.iov_base = data;
1197 	vdata.iov_len = datalen;
1198 
1199 	bzero(&dd, sizeof (dd));
1200 	dd.cd_format = CRYPTO_DATA_RAW;
1201 	dd.cd_offset = 0;
1202 	dd.cd_length = datalen;
1203 	dd.cd_raw = vdata;
1204 
1205 	vmac.iov_base = hmac;
1206 	vmac.iov_len = hmaclen;
1207 
1208 	mac.cd_format = CRYPTO_DATA_RAW;
1209 	mac.cd_offset = 0;
1210 	mac.cd_length = hmaclen;
1211 	mac.cd_raw = vmac;
1212 
1213 	/*
1214 	 * Compute MAC of the plaintext decrypted above.
1215 	 */
1216 	rv = crypto_mac(&mac_mech, &dd, key, NULL, &mac, NULL);
1217 
1218 	if (rv != CRYPTO_SUCCESS) {
1219 		cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
1220 	}
1221 
1222 	return (rv);
1223 }
1224 
1225 #define	XOR_BLOCK(src, dst) \
1226 	(dst)[0] ^= (src)[0]; \
1227 	(dst)[1] ^= (src)[1]; \
1228 	(dst)[2] ^= (src)[2]; \
1229 	(dst)[3] ^= (src)[3]; \
1230 	(dst)[4] ^= (src)[4]; \
1231 	(dst)[5] ^= (src)[5]; \
1232 	(dst)[6] ^= (src)[6]; \
1233 	(dst)[7] ^= (src)[7]; \
1234 	(dst)[8] ^= (src)[8]; \
1235 	(dst)[9] ^= (src)[9]; \
1236 	(dst)[10] ^= (src)[10]; \
1237 	(dst)[11] ^= (src)[11]; \
1238 	(dst)[12] ^= (src)[12]; \
1239 	(dst)[13] ^= (src)[13]; \
1240 	(dst)[14] ^= (src)[14]; \
1241 	(dst)[15] ^= (src)[15]
1242 
1243 #define	xorblock(x, y) XOR_BLOCK(y, x)
1244 
1245 static int
1246 aes_cbc_cts_encrypt(struct tmodinfo *tmi, uchar_t *plain, size_t length)
1247 {
1248 	int result = CRYPTO_SUCCESS;
1249 	unsigned char tmp[DEFAULT_AES_BLOCKLEN];
1250 	unsigned char tmp2[DEFAULT_AES_BLOCKLEN];
1251 	unsigned char tmp3[DEFAULT_AES_BLOCKLEN];
1252 	int nblocks = 0, blockno;
1253 	crypto_data_t ct, pt;
1254 	crypto_mechanism_t mech;
1255 
1256 	mech.cm_type = tmi->enc_data.mech_type;
1257 	if (tmi->enc_data.ivlen > 0 && tmi->enc_data.ivec != NULL) {
1258 		bcopy(tmi->enc_data.ivec, tmp, DEFAULT_AES_BLOCKLEN);
1259 		mech.cm_param = tmi->enc_data.ivec;
1260 		mech.cm_param_len = tmi->enc_data.ivlen;
1261 	} else {
1262 		bzero(tmp, sizeof (tmp));
1263 		mech.cm_param = NULL;
1264 		mech.cm_param_len = 0;
1265 	}
1266 
1267 	nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN;
1268 
1269 	bzero(&ct, sizeof (crypto_data_t));
1270 	bzero(&pt, sizeof (crypto_data_t));
1271 
1272 	if (nblocks == 1) {
1273 		pt.cd_format = CRYPTO_DATA_RAW;
1274 		pt.cd_length = length;
1275 		pt.cd_raw.iov_base = (char *)plain;
1276 		pt.cd_raw.iov_len = length;
1277 
1278 		result = crypto_encrypt(&mech, &pt,
1279 			&tmi->enc_data.d_encr_key, NULL, NULL, NULL);
1280 
1281 		if (result != CRYPTO_SUCCESS) {
1282 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1283 				"crypto_encrypt failed: %0x", result);
1284 		}
1285 	} else {
1286 		size_t nleft;
1287 
1288 		ct.cd_format = CRYPTO_DATA_RAW;
1289 		ct.cd_offset = 0;
1290 		ct.cd_length = DEFAULT_AES_BLOCKLEN;
1291 
1292 		pt.cd_format = CRYPTO_DATA_RAW;
1293 		pt.cd_offset = 0;
1294 		pt.cd_length = DEFAULT_AES_BLOCKLEN;
1295 
1296 		result = crypto_encrypt_init(&mech,
1297 				&tmi->enc_data.d_encr_key,
1298 				tmi->enc_data.enc_tmpl,
1299 				&tmi->enc_data.ctx, NULL);
1300 
1301 		if (result != CRYPTO_SUCCESS) {
1302 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1303 				"crypto_encrypt_init failed: %0x", result);
1304 			goto cleanup;
1305 		}
1306 
1307 		for (blockno = 0; blockno < nblocks - 2; blockno++) {
1308 			xorblock(tmp, plain + blockno * DEFAULT_AES_BLOCKLEN);
1309 
1310 			pt.cd_raw.iov_base = (char *)tmp;
1311 			pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1312 
1313 			ct.cd_raw.iov_base = (char *)plain +
1314 				blockno * DEFAULT_AES_BLOCKLEN;
1315 			ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1316 
1317 			result = crypto_encrypt_update(tmi->enc_data.ctx,
1318 					&pt, &ct, NULL);
1319 
1320 			if (result != CRYPTO_SUCCESS) {
1321 				cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1322 					"crypto_encrypt_update failed: %0x",
1323 					result);
1324 				goto cleanup;
1325 			}
1326 			/* copy result over original bytes */
1327 			/* make another copy for the next XOR step */
1328 			bcopy(plain + blockno * DEFAULT_AES_BLOCKLEN,
1329 				tmp, DEFAULT_AES_BLOCKLEN);
1330 		}
1331 		/* XOR cipher text from n-3 with plain text from n-2 */
1332 		xorblock(tmp, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN);
1333 
1334 		pt.cd_raw.iov_base = (char *)tmp;
1335 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1336 
1337 		ct.cd_raw.iov_base = (char *)tmp2;
1338 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1339 
1340 		/* encrypt XOR-ed block N-2 */
1341 		result = crypto_encrypt_update(tmi->enc_data.ctx,
1342 				&pt, &ct, NULL);
1343 		if (result != CRYPTO_SUCCESS) {
1344 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1345 				"crypto_encrypt_update(2) failed: %0x",
1346 				result);
1347 			goto cleanup;
1348 		}
1349 		nleft = length - (nblocks - 1) * DEFAULT_AES_BLOCKLEN;
1350 
1351 		bzero(tmp3, sizeof (tmp3));
1352 		/* Save final plaintext bytes from n-1 */
1353 		bcopy(plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3,
1354 			nleft);
1355 
1356 		/* Overwrite n-1 with cipher text from n-2 */
1357 		bcopy(tmp2, plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN,
1358 			nleft);
1359 
1360 		bcopy(tmp2, tmp, DEFAULT_AES_BLOCKLEN);
1361 		/* XOR cipher text from n-1 with plain text from n-1 */
1362 		xorblock(tmp, tmp3);
1363 
1364 		pt.cd_raw.iov_base = (char *)tmp;
1365 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1366 
1367 		ct.cd_raw.iov_base = (char *)tmp2;
1368 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1369 
1370 		/* encrypt block N-2 */
1371 		result = crypto_encrypt_update(tmi->enc_data.ctx,
1372 			&pt, &ct, NULL);
1373 
1374 		if (result != CRYPTO_SUCCESS) {
1375 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1376 				"crypto_encrypt_update(3) failed: %0x",
1377 				result);
1378 			goto cleanup;
1379 		}
1380 
1381 		bcopy(tmp2, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
1382 			DEFAULT_AES_BLOCKLEN);
1383 
1384 
1385 		ct.cd_raw.iov_base = (char *)tmp2;
1386 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1387 
1388 		/*
1389 		 * Ignore the output on the final step.
1390 		 */
1391 		result = crypto_encrypt_final(tmi->enc_data.ctx, &ct, NULL);
1392 		if (result != CRYPTO_SUCCESS) {
1393 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1394 				"crypto_encrypt_final(3) failed: %0x",
1395 				result);
1396 		}
1397 		tmi->enc_data.ctx = NULL;
1398 	}
1399 cleanup:
1400 	bzero(tmp, sizeof (tmp));
1401 	bzero(tmp2, sizeof (tmp));
1402 	bzero(tmp3, sizeof (tmp));
1403 	bzero(tmi->enc_data.block, tmi->enc_data.blocklen);
1404 	return (result);
1405 }
1406 
1407 static int
1408 aes_cbc_cts_decrypt(struct tmodinfo *tmi, uchar_t *buff, size_t length)
1409 {
1410 	int result = CRYPTO_SUCCESS;
1411 	unsigned char tmp[DEFAULT_AES_BLOCKLEN];
1412 	unsigned char tmp2[DEFAULT_AES_BLOCKLEN];
1413 	unsigned char tmp3[DEFAULT_AES_BLOCKLEN];
1414 	int nblocks = 0, blockno;
1415 	crypto_data_t ct, pt;
1416 	crypto_mechanism_t mech;
1417 
1418 	mech.cm_type = tmi->enc_data.mech_type;
1419 
1420 	if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
1421 	    tmi->dec_data.ivlen > 0 && tmi->dec_data.ivec != NULL) {
1422 		bcopy(tmi->dec_data.ivec, tmp, DEFAULT_AES_BLOCKLEN);
1423 		mech.cm_param = tmi->dec_data.ivec;
1424 		mech.cm_param_len = tmi->dec_data.ivlen;
1425 	} else {
1426 		bzero(tmp, sizeof (tmp));
1427 		mech.cm_param_len = 0;
1428 		mech.cm_param = NULL;
1429 	}
1430 	nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN;
1431 
1432 	bzero(&pt, sizeof (pt));
1433 	bzero(&ct, sizeof (ct));
1434 
1435 	if (nblocks == 1) {
1436 		ct.cd_format = CRYPTO_DATA_RAW;
1437 		ct.cd_length = length;
1438 		ct.cd_raw.iov_base = (char *)buff;
1439 		ct.cd_raw.iov_len = length;
1440 
1441 		result = crypto_decrypt(&mech, &ct,
1442 			&tmi->dec_data.d_encr_key, NULL, NULL, NULL);
1443 
1444 		if (result != CRYPTO_SUCCESS) {
1445 			cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1446 				"crypto_decrypt failed: %0x", result);
1447 			goto cleanup;
1448 		}
1449 	} else {
1450 		ct.cd_format = CRYPTO_DATA_RAW;
1451 		ct.cd_offset = 0;
1452 		ct.cd_length = DEFAULT_AES_BLOCKLEN;
1453 
1454 		pt.cd_format = CRYPTO_DATA_RAW;
1455 		pt.cd_offset = 0;
1456 		pt.cd_length = DEFAULT_AES_BLOCKLEN;
1457 
1458 		result = crypto_encrypt_init(&mech,
1459 				&tmi->dec_data.d_encr_key,
1460 				tmi->dec_data.enc_tmpl,
1461 				&tmi->dec_data.ctx, NULL);
1462 
1463 		if (result != CRYPTO_SUCCESS) {
1464 			cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1465 				"crypto_decrypt_init failed: %0x", result);
1466 			goto cleanup;
1467 		}
1468 		for (blockno = 0; blockno < nblocks - 2; blockno++) {
1469 			ct.cd_raw.iov_base = (char *)buff +
1470 				(blockno * DEFAULT_AES_BLOCKLEN);
1471 			ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1472 
1473 			pt.cd_raw.iov_base = (char *)tmp2;
1474 			pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1475 
1476 			/*
1477 			 * Save the input to the decrypt so it can
1478 			 * be used later for an XOR operation
1479 			 */
1480 			bcopy(buff + (blockno * DEFAULT_AES_BLOCKLEN),
1481 				tmi->dec_data.block, DEFAULT_AES_BLOCKLEN);
1482 
1483 			result = crypto_decrypt_update(tmi->dec_data.ctx,
1484 					&ct, &pt, NULL);
1485 			if (result != CRYPTO_SUCCESS) {
1486 				cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1487 					"crypto_decrypt_update(1) error - "
1488 					"result = 0x%08x", result);
1489 				goto cleanup;
1490 			}
1491 			xorblock(tmp2, tmp);
1492 			bcopy(tmp2, buff + blockno * DEFAULT_AES_BLOCKLEN,
1493 				DEFAULT_AES_BLOCKLEN);
1494 			/*
1495 			 * The original cipher text is used as the xor
1496 			 * for the next block, save it here.
1497 			 */
1498 			bcopy(tmi->dec_data.block, tmp, DEFAULT_AES_BLOCKLEN);
1499 		}
1500 		ct.cd_raw.iov_base = (char *)buff +
1501 			((nblocks - 2) * DEFAULT_AES_BLOCKLEN);
1502 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1503 		pt.cd_raw.iov_base = (char *)tmp2;
1504 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1505 
1506 		result = crypto_decrypt_update(tmi->dec_data.ctx,
1507 				&ct, &pt, NULL);
1508 		if (result != CRYPTO_SUCCESS) {
1509 			cmn_err(CE_WARN,
1510 				"aes_cbc_cts_decrypt: "
1511 				"crypto_decrypt_update(2) error -"
1512 				" result = 0x%08x", result);
1513 			goto cleanup;
1514 		}
1515 		bzero(tmp3, sizeof (tmp3));
1516 		bcopy(buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3,
1517 			length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));
1518 
1519 		xorblock(tmp2, tmp3);
1520 		bcopy(tmp2, buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN,
1521 			length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));
1522 
1523 		/* 2nd to last block ... */
1524 		bcopy(tmp3, tmp2,
1525 			length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));
1526 
1527 		ct.cd_raw.iov_base = (char *)tmp2;
1528 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1529 		pt.cd_raw.iov_base = (char *)tmp3;
1530 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1531 
1532 		result = crypto_decrypt_update(tmi->dec_data.ctx,
1533 				&ct, &pt, NULL);
1534 		if (result != CRYPTO_SUCCESS) {
1535 			cmn_err(CE_WARN,
1536 				"aes_cbc_cts_decrypt: "
1537 				"crypto_decrypt_update(3) error - "
1538 				"result = 0x%08x", result);
1539 			goto cleanup;
1540 		}
1541 		xorblock(tmp3, tmp);
1542 
1543 
1544 		/* Finally, update the 2nd to last block and we are done. */
1545 		bcopy(tmp3, buff + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
1546 			DEFAULT_AES_BLOCKLEN);
1547 
1548 		/* Do Final step, but ignore output */
1549 		pt.cd_raw.iov_base = (char *)tmp2;
1550 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1551 		result = crypto_decrypt_final(tmi->dec_data.ctx, &pt, NULL);
1552 		if (result != CRYPTO_SUCCESS) {
1553 			cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1554 				"crypto_decrypt_final error - "
1555 				"result = 0x%0x", result);
1556 		}
1557 		tmi->dec_data.ctx = NULL;
1558 	}
1559 
1560 cleanup:
1561 	bzero(tmp, sizeof (tmp));
1562 	bzero(tmp2, sizeof (tmp));
1563 	bzero(tmp3, sizeof (tmp));
1564 	bzero(tmi->dec_data.block, tmi->dec_data.blocklen);
1565 	return (result);
1566 }
1567 
1568 /*
1569  * AES decrypt
1570  *
1571  * format of ciphertext when using AES
1572  *  +-------------+------------+------------+
1573  *  |  confounder | msg-data   |  hmac      |
1574  *  +-------------+------------+------------+
1575  */
1576 static mblk_t *
1577 aes_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1578 	hash_info_t *hash)
1579 {
1580 	int result;
1581 	size_t enclen;
1582 	size_t inlen;
1583 	uchar_t hmacbuff[64];
1584 	uchar_t tmpiv[DEFAULT_AES_BLOCKLEN];
1585 
1586 	inlen = (size_t)MBLKL(mp);
1587 
1588 	enclen = inlen - AES_TRUNCATED_HMAC_LEN;
1589 	if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
1590 		tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0) {
1591 		int nblocks = (enclen + DEFAULT_AES_BLOCKLEN - 1) /
1592 				DEFAULT_AES_BLOCKLEN;
1593 		bcopy(mp->b_rptr + DEFAULT_AES_BLOCKLEN * (nblocks - 2),
1594 			tmpiv, DEFAULT_AES_BLOCKLEN);
1595 	}
1596 
1597 	/* AES Decrypt */
1598 	result = aes_cbc_cts_decrypt(tmi, mp->b_rptr, enclen);
1599 
1600 	if (result != CRYPTO_SUCCESS) {
1601 		cmn_err(CE_WARN,
1602 			"aes_decrypt:  aes_cbc_cts_decrypt "
1603 			"failed - error %0x", result);
1604 		goto cleanup;
1605 	}
1606 
1607 	/* Verify the HMAC */
1608 	result = do_hmac(sha1_hmac_mech,
1609 			&tmi->dec_data.d_hmac_key,
1610 			(char *)mp->b_rptr, enclen,
1611 			(char *)hmacbuff, hash->hash_len);
1612 
1613 	if (result != CRYPTO_SUCCESS) {
1614 		cmn_err(CE_WARN,
1615 			"aes_decrypt:  do_hmac failed - error %0x", result);
1616 		goto cleanup;
1617 	}
1618 
1619 	if (bcmp(hmacbuff, mp->b_rptr + enclen,
1620 		AES_TRUNCATED_HMAC_LEN) != 0) {
1621 		result = -1;
1622 		cmn_err(CE_WARN, "aes_decrypt: checksum verification failed");
1623 		goto cleanup;
1624 	}
1625 
1626 	/* truncate the mblk at the end of the decrypted text */
1627 	mp->b_wptr = mp->b_rptr + enclen;
1628 
1629 	/* Adjust the beginning of the buffer to skip the confounder */
1630 	mp->b_rptr += DEFAULT_AES_BLOCKLEN;
1631 
1632 	if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
1633 		tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0)
1634 		bcopy(tmpiv, tmi->dec_data.ivec, DEFAULT_AES_BLOCKLEN);
1635 
1636 cleanup:
1637 	if (result != CRYPTO_SUCCESS) {
1638 		mp->b_datap->db_type = M_ERROR;
1639 		mp->b_rptr = mp->b_datap->db_base;
1640 		*mp->b_rptr = EIO;
1641 		mp->b_wptr = mp->b_rptr + sizeof (char);
1642 		freemsg(mp->b_cont);
1643 		mp->b_cont = NULL;
1644 		qreply(WR(q), mp);
1645 		return (NULL);
1646 	}
1647 	return (mp);
1648 }
1649 
1650 /*
1651  * AES encrypt
1652  *
1653  * format of ciphertext when using AES
1654  *  +-------------+------------+------------+
1655  *  |  confounder | msg-data   |  hmac      |
1656  *  +-------------+------------+------------+
1657  */
1658 static mblk_t *
1659 aes_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1660 	hash_info_t *hash)
1661 {
1662 	int result;
1663 	size_t cipherlen;
1664 	size_t inlen;
1665 	uchar_t hmacbuff[64];
1666 
1667 	inlen = (size_t)MBLKL(mp);
1668 
1669 	cipherlen = encrypt_size(&tmi->enc_data, inlen);
1670 
1671 	ASSERT(MBLKSIZE(mp) >= cipherlen);
1672 
1673 	/*
1674 	 * Shift the rptr back enough to insert the confounder.
1675 	 */
1676 	mp->b_rptr -= DEFAULT_AES_BLOCKLEN;
1677 
1678 	/* Get random data for confounder */
1679 	(void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr,
1680 		DEFAULT_AES_BLOCKLEN);
1681 
1682 	/*
1683 	 * Because we encrypt in-place, we need to calculate
1684 	 * the HMAC of the plaintext now, then stick it on
1685 	 * the end of the ciphertext down below.
1686 	 */
1687 	result = do_hmac(sha1_hmac_mech,
1688 			&tmi->enc_data.d_hmac_key,
1689 			(char *)mp->b_rptr, DEFAULT_AES_BLOCKLEN + inlen,
1690 			(char *)hmacbuff, hash->hash_len);
1691 
1692 	if (result != CRYPTO_SUCCESS) {
1693 		cmn_err(CE_WARN, "aes_encrypt:  do_hmac failed - error %0x",
1694 			result);
1695 		goto cleanup;
1696 	}
1697 	/* Encrypt using AES-CBC-CTS */
1698 	result = aes_cbc_cts_encrypt(tmi, mp->b_rptr,
1699 		inlen + DEFAULT_AES_BLOCKLEN);
1700 
1701 	if (result != CRYPTO_SUCCESS) {
1702 		cmn_err(CE_WARN, "aes_encrypt:  aes_cbc_cts_encrypt "
1703 			"failed - error %0x", result);
1704 		goto cleanup;
1705 	}
1706 
1707 	/* copy the truncated HMAC to the end of the mblk */
1708 	bcopy(hmacbuff, mp->b_rptr + DEFAULT_AES_BLOCKLEN + inlen,
1709 		AES_TRUNCATED_HMAC_LEN);
1710 
1711 	mp->b_wptr = mp->b_rptr + cipherlen;
1712 
1713 	/*
1714 	 * The final block of cipher text (not the HMAC) is used
1715 	 * as the next IV.
1716 	 */
1717 	if (tmi->enc_data.ivec_usage != IVEC_NEVER &&
1718 	    tmi->enc_data.ivec != NULL) {
1719 		int nblocks = (inlen + 2 * DEFAULT_AES_BLOCKLEN - 1) /
1720 			DEFAULT_AES_BLOCKLEN;
1721 
1722 		bcopy(mp->b_rptr + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
1723 			tmi->enc_data.ivec, DEFAULT_AES_BLOCKLEN);
1724 	}
1725 
1726 cleanup:
1727 	if (result != CRYPTO_SUCCESS) {
1728 		mp->b_datap->db_type = M_ERROR;
1729 		mp->b_rptr = mp->b_datap->db_base;
1730 		*mp->b_rptr = EIO;
1731 		mp->b_wptr = mp->b_rptr + sizeof (char);
1732 		freemsg(mp->b_cont);
1733 		mp->b_cont = NULL;
1734 		qreply(WR(q), mp);
1735 		return (NULL);
1736 	}
1737 	return (mp);
1738 }
1739 
1740 /*
1741  * ARCFOUR-HMAC-MD5 decrypt
1742  *
1743  * format of ciphertext when using ARCFOUR-HMAC-MD5
1744  *  +-----------+------------+------------+
1745  *  |  hmac     | confounder |  msg-data  |
1746  *  +-----------+------------+------------+
1747  *
1748  */
1749 static mblk_t *
1750 arcfour_hmac_md5_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1751 			hash_info_t *hash)
1752 {
1753 	int result;
1754 	size_t cipherlen;
1755 	size_t inlen;
1756 	size_t saltlen;
1757 	crypto_key_t k1, k2;
1758 	crypto_data_t indata;
1759 	iovec_t v1;
1760 	uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab,
1761 				0xab, 0xab, 0xab, 0xab };
1762 	uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES];
1763 	uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES];
1764 	uchar_t cksum[MD5_HASHSIZE];
1765 	uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES];
1766 	crypto_mechanism_t mech;
1767 	int usage;
1768 
1769 	/* The usage constant is 1026 for all "old" rcmd mode operations */
1770 	if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1)
1771 		usage = RCMDV1_USAGE;
1772 	else
1773 		usage = ARCFOUR_DECRYPT_USAGE;
1774 
1775 	/*
1776 	 * The size at this point should be the size of
1777 	 * all the plaintext plus the optional plaintext length
1778 	 * needed for RCMD V2 mode.  There should also be room
1779 	 * at the head of the mblk for the confounder and hash info.
1780 	 */
1781 	inlen = (size_t)MBLKL(mp);
1782 
1783 	/*
1784 	 * The cipherlen does not include the HMAC at the
1785 	 * head of the buffer.
1786 	 */
1787 	cipherlen = inlen - hash->hash_len;
1788 
1789 	ASSERT(MBLKSIZE(mp) >= cipherlen);
1790 	if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
1791 		bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT));
1792 		saltdata[9] = 0;
1793 		saltdata[10] = usage & 0xff;
1794 		saltdata[11] = (usage >> 8) & 0xff;
1795 		saltdata[12] = (usage >> 16) & 0xff;
1796 		saltdata[13] = (usage >> 24) & 0xff;
1797 		saltlen = 14;
1798 	} else {
1799 		saltdata[0] = usage & 0xff;
1800 		saltdata[1] = (usage >> 8) & 0xff;
1801 		saltdata[2] = (usage >> 16) & 0xff;
1802 		saltdata[3] = (usage >> 24) & 0xff;
1803 		saltlen = 4;
1804 	}
1805 	/*
1806 	 * Use the salt value to create a key to be used
1807 	 * for subsequent HMAC operations.
1808 	 */
1809 	result = do_hmac(md5_hmac_mech,
1810 			tmi->dec_data.ckey,
1811 			(char *)saltdata, saltlen,
1812 			(char *)k1data, sizeof (k1data));
1813 	if (result != CRYPTO_SUCCESS) {
1814 		cmn_err(CE_WARN,
1815 			"arcfour_hmac_md5_decrypt:  do_hmac(k1)"
1816 			"failed - error %0x", result);
1817 		goto cleanup;
1818 	}
1819 	bcopy(k1data, k2data, sizeof (k1data));
1820 
1821 	/*
1822 	 * For the neutered MS RC4 encryption type,
1823 	 * set the trailing 9 bytes to 0xab per the
1824 	 * RC4-HMAC spec.
1825 	 */
1826 	if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
1827 		bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp));
1828 	}
1829 
1830 	mech.cm_type = tmi->dec_data.mech_type;
1831 	mech.cm_param = NULL;
1832 	mech.cm_param_len = 0;
1833 
1834 	/*
1835 	 * If we have not yet initialized the decryption key,
1836 	 * context, and template, do it now.
1837 	 */
1838 	if (tmi->dec_data.ctx == NULL ||
1839 	    (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) {
1840 		k1.ck_format = CRYPTO_KEY_RAW;
1841 		k1.ck_length = CRYPT_ARCFOUR_KEYBYTES * 8;
1842 		k1.ck_data = k1data;
1843 
1844 		tmi->dec_data.d_encr_key.ck_format = CRYPTO_KEY_RAW;
1845 		tmi->dec_data.d_encr_key.ck_length = k1.ck_length;
1846 		if (tmi->dec_data.d_encr_key.ck_data == NULL)
1847 			tmi->dec_data.d_encr_key.ck_data = kmem_zalloc(
1848 				CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP);
1849 
1850 		/*
1851 		 * HMAC operation creates the encryption
1852 		 * key to be used for the decrypt operations.
1853 		 */
1854 		result = do_hmac(md5_hmac_mech, &k1,
1855 			(char *)mp->b_rptr, hash->hash_len,
1856 			(char *)tmi->dec_data.d_encr_key.ck_data,
1857 			CRYPT_ARCFOUR_KEYBYTES);
1858 
1859 
1860 		if (result != CRYPTO_SUCCESS) {
1861 			cmn_err(CE_WARN,
1862 				"arcfour_hmac_md5_decrypt:  do_hmac(k3)"
1863 				"failed - error %0x", result);
1864 			goto cleanup;
1865 		}
1866 	}
1867 
1868 	tmi->dec_data.enc_tmpl = NULL;
1869 
1870 	if (tmi->dec_data.ctx == NULL &&
1871 	    (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) {
1872 		/*
1873 		 * Only create a template if we are doing
1874 		 * chaining from block to block.
1875 		 */
1876 		result = crypto_create_ctx_template(&mech,
1877 			&tmi->dec_data.d_encr_key,
1878 			&tmi->dec_data.enc_tmpl,
1879 			KM_SLEEP);
1880 		if (result == CRYPTO_NOT_SUPPORTED) {
1881 			tmi->dec_data.enc_tmpl = NULL;
1882 		} else if (result != CRYPTO_SUCCESS) {
1883 			cmn_err(CE_WARN,
1884 				"arcfour_hmac_md5_decrypt:  "
1885 				"failed to create dec template "
1886 				"for RC4 encrypt: %0x", result);
1887 			goto cleanup;
1888 		}
1889 
1890 		result = crypto_decrypt_init(&mech,
1891 			&tmi->dec_data.d_encr_key,
1892 			tmi->dec_data.enc_tmpl,
1893 			&tmi->dec_data.ctx, NULL);
1894 
1895 		if (result != CRYPTO_SUCCESS) {
1896 			cmn_err(CE_WARN, "crypto_decrypt_init failed:"
1897 				" %0x", result);
1898 			goto cleanup;
1899 		}
1900 	}
1901 
1902 	/* adjust the rptr so we don't decrypt the original hmac field */
1903 
1904 	v1.iov_base = (char *)mp->b_rptr + hash->hash_len;
1905 	v1.iov_len = cipherlen;
1906 
1907 	indata.cd_format = CRYPTO_DATA_RAW;
1908 	indata.cd_offset = 0;
1909 	indata.cd_length = cipherlen;
1910 	indata.cd_raw = v1;
1911 
1912 	if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
1913 		result = crypto_decrypt_update(tmi->dec_data.ctx,
1914 			&indata, NULL, NULL);
1915 	else
1916 		result = crypto_decrypt(&mech, &indata,
1917 			&tmi->dec_data.d_encr_key, NULL, NULL, NULL);
1918 
1919 	if (result != CRYPTO_SUCCESS) {
1920 		cmn_err(CE_WARN, "crypto_decrypt_update failed:"
1921 			" %0x", result);
1922 		goto cleanup;
1923 	}
1924 
1925 	k2.ck_format = CRYPTO_KEY_RAW;
1926 	k2.ck_length = sizeof (k2data) * 8;
1927 	k2.ck_data = k2data;
1928 
1929 	result = do_hmac(md5_hmac_mech,
1930 			&k2,
1931 			(char *)mp->b_rptr + hash->hash_len, cipherlen,
1932 			(char *)cksum, hash->hash_len);
1933 
1934 	if (result != CRYPTO_SUCCESS) {
1935 		cmn_err(CE_WARN,
1936 			"arcfour_hmac_md5_decrypt:  do_hmac(k2)"
1937 			"failed - error %0x", result);
1938 		goto cleanup;
1939 	}
1940 
1941 	if (bcmp(cksum, mp->b_rptr, hash->hash_len) != 0) {
1942 		cmn_err(CE_WARN, "arcfour_decrypt HMAC comparison failed");
1943 		result = -1;
1944 		goto cleanup;
1945 	}
1946 
1947 	/*
1948 	 * adjust the start of the mblk to skip over the
1949 	 * hash and confounder.
1950 	 */
1951 	mp->b_rptr += hash->hash_len + hash->confound_len;
1952 
1953 cleanup:
1954 	bzero(k1data, sizeof (k1data));
1955 	bzero(k2data, sizeof (k2data));
1956 	bzero(cksum, sizeof (cksum));
1957 	bzero(saltdata, sizeof (saltdata));
1958 	if (result != CRYPTO_SUCCESS) {
1959 		mp->b_datap->db_type = M_ERROR;
1960 		mp->b_rptr = mp->b_datap->db_base;
1961 		*mp->b_rptr = EIO;
1962 		mp->b_wptr = mp->b_rptr + sizeof (char);
1963 		freemsg(mp->b_cont);
1964 		mp->b_cont = NULL;
1965 		qreply(WR(q), mp);
1966 		return (NULL);
1967 	}
1968 	return (mp);
1969 }
1970 
1971 /*
1972  * ARCFOUR-HMAC-MD5 encrypt
1973  *
1974  * format of ciphertext when using ARCFOUR-HMAC-MD5
1975  *  +-----------+------------+------------+
1976  *  |  hmac     | confounder |  msg-data  |
1977  *  +-----------+------------+------------+
1978  *
1979  */
1980 static mblk_t *
1981 arcfour_hmac_md5_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1982 			hash_info_t *hash)
1983 {
1984 	int result;
1985 	size_t cipherlen;
1986 	size_t inlen;
1987 	size_t saltlen;
1988 	crypto_key_t k1, k2;
1989 	crypto_data_t indata;
1990 	iovec_t v1;
1991 	uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab,
1992 				0xab, 0xab, 0xab, 0xab };
1993 	uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES];
1994 	uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES];
1995 	uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES];
1996 	crypto_mechanism_t mech;
1997 	int usage;
1998 
1999 	/* The usage constant is 1026 for all "old" rcmd mode operations */
2000 	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1)
2001 		usage = RCMDV1_USAGE;
2002 	else
2003 		usage = ARCFOUR_ENCRYPT_USAGE;
2004 
2005 	mech.cm_type = tmi->enc_data.mech_type;
2006 	mech.cm_param = NULL;
2007 	mech.cm_param_len = 0;
2008 
2009 	/*
2010 	 * The size at this point should be the size of
2011 	 * all the plaintext plus the optional plaintext length
2012 	 * needed for RCMD V2 mode.  There should also be room
2013 	 * at the head of the mblk for the confounder and hash info.
2014 	 */
2015 	inlen = (size_t)MBLKL(mp);
2016 
2017 	cipherlen = encrypt_size(&tmi->enc_data, inlen);
2018 
2019 	ASSERT(MBLKSIZE(mp) >= cipherlen);
2020 
2021 	/*
2022 	 * Shift the rptr back enough to insert
2023 	 * the confounder and hash.
2024 	 */
2025 	mp->b_rptr -= (hash->confound_len + hash->hash_len);
2026 
2027 	/* zero out the hash area */
2028 	bzero(mp->b_rptr, (size_t)hash->hash_len);
2029 
2030 	if (cipherlen > inlen) {
2031 		bzero(mp->b_wptr, MBLKTAIL(mp));
2032 	}
2033 
2034 	if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
2035 		bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT));
2036 		saltdata[9] = 0;
2037 		saltdata[10] = usage & 0xff;
2038 		saltdata[11] = (usage >> 8) & 0xff;
2039 		saltdata[12] = (usage >> 16) & 0xff;
2040 		saltdata[13] = (usage >> 24) & 0xff;
2041 		saltlen = 14;
2042 	} else {
2043 		saltdata[0] = usage & 0xff;
2044 		saltdata[1] = (usage >> 8) & 0xff;
2045 		saltdata[2] = (usage >> 16) & 0xff;
2046 		saltdata[3] = (usage >> 24) & 0xff;
2047 		saltlen = 4;
2048 	}
2049 	/*
2050 	 * Use the salt value to create a key to be used
2051 	 * for subsequent HMAC operations.
2052 	 */
2053 	result = do_hmac(md5_hmac_mech,
2054 			tmi->enc_data.ckey,
2055 			(char *)saltdata, saltlen,
2056 			(char *)k1data, sizeof (k1data));
2057 	if (result != CRYPTO_SUCCESS) {
2058 		cmn_err(CE_WARN,
2059 			"arcfour_hmac_md5_encrypt:  do_hmac(k1)"
2060 			"failed - error %0x", result);
2061 		goto cleanup;
2062 	}
2063 
2064 	bcopy(k1data, k2data, sizeof (k2data));
2065 
2066 	/*
2067 	 * For the neutered MS RC4 encryption type,
2068 	 * set the trailing 9 bytes to 0xab per the
2069 	 * RC4-HMAC spec.
2070 	 */
2071 	if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
2072 		bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp));
2073 	}
2074 
2075 	/*
2076 	 * Get the confounder bytes.
2077 	 */
2078 	(void) random_get_pseudo_bytes(
2079 			(uint8_t *)(mp->b_rptr + hash->hash_len),
2080 			(size_t)hash->confound_len);
2081 
2082 	k2.ck_data = k2data;
2083 	k2.ck_format = CRYPTO_KEY_RAW;
2084 	k2.ck_length = sizeof (k2data) * 8;
2085 
2086 	/*
2087 	 * This writes the HMAC to the hash area in the
2088 	 * mblk.  The key used is the one just created by
2089 	 * the previous HMAC operation.
2090 	 * The data being processed is the confounder bytes
2091 	 * PLUS the input plaintext.
2092 	 */
2093 	result = do_hmac(md5_hmac_mech, &k2,
2094 			(char *)mp->b_rptr + hash->hash_len,
2095 			hash->confound_len + inlen,
2096 			(char *)mp->b_rptr, hash->hash_len);
2097 	if (result != CRYPTO_SUCCESS) {
2098 		cmn_err(CE_WARN,
2099 			"arcfour_hmac_md5_encrypt:  do_hmac(k2)"
2100 			"failed - error %0x", result);
2101 		goto cleanup;
2102 	}
2103 	/*
2104 	 * Because of the odd way that MIT uses RC4 keys
2105 	 * on the rlogin stream, we only need to create
2106 	 * this key once.
2107 	 * However, if using "old" rcmd mode, we need to do
2108 	 * it every time.
2109 	 */
2110 	if (tmi->enc_data.ctx == NULL ||
2111 	    (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) {
2112 		crypto_key_t *key = &tmi->enc_data.d_encr_key;
2113 
2114 		k1.ck_data = k1data;
2115 		k1.ck_format = CRYPTO_KEY_RAW;
2116 		k1.ck_length = sizeof (k1data) * 8;
2117 
2118 		key->ck_format = CRYPTO_KEY_RAW;
2119 		key->ck_length = k1.ck_length;
2120 		if (key->ck_data == NULL)
2121 			key->ck_data = kmem_zalloc(
2122 				CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP);
2123 
2124 		/*
2125 		 * The final HMAC operation creates the encryption
2126 		 * key to be used for the encrypt operation.
2127 		 */
2128 		result = do_hmac(md5_hmac_mech, &k1,
2129 			(char *)mp->b_rptr, hash->hash_len,
2130 			(char *)key->ck_data, CRYPT_ARCFOUR_KEYBYTES);
2131 
2132 		if (result != CRYPTO_SUCCESS) {
2133 			cmn_err(CE_WARN,
2134 				"arcfour_hmac_md5_encrypt:  do_hmac(k3)"
2135 				"failed - error %0x", result);
2136 			goto cleanup;
2137 		}
2138 	}
2139 
2140 	/*
2141 	 * If the context has not been initialized, do it now.
2142 	 */
2143 	if (tmi->enc_data.ctx == NULL &&
2144 	    (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) {
2145 		/*
2146 		 * Only create a template if we are doing
2147 		 * chaining from block to block.
2148 		 */
2149 		result = crypto_create_ctx_template(&mech,
2150 				&tmi->enc_data.d_encr_key,
2151 				&tmi->enc_data.enc_tmpl,
2152 				KM_SLEEP);
2153 		if (result == CRYPTO_NOT_SUPPORTED) {
2154 			tmi->enc_data.enc_tmpl = NULL;
2155 		} else if (result != CRYPTO_SUCCESS) {
2156 			cmn_err(CE_WARN, "failed to create enc template "
2157 				"for RC4 encrypt: %0x", result);
2158 			goto cleanup;
2159 		}
2160 
2161 		result = crypto_encrypt_init(&mech,
2162 					&tmi->enc_data.d_encr_key,
2163 					tmi->enc_data.enc_tmpl,
2164 					&tmi->enc_data.ctx, NULL);
2165 		if (result != CRYPTO_SUCCESS) {
2166 			cmn_err(CE_WARN, "crypto_encrypt_init failed:"
2167 				" %0x", result);
2168 			goto cleanup;
2169 		}
2170 	}
2171 	v1.iov_base = (char *)mp->b_rptr + hash->hash_len;
2172 	v1.iov_len = hash->confound_len + inlen;
2173 
2174 	indata.cd_format = CRYPTO_DATA_RAW;
2175 	indata.cd_offset = 0;
2176 	indata.cd_length = hash->confound_len + inlen;
2177 	indata.cd_raw = v1;
2178 
2179 	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
2180 		result = crypto_encrypt_update(tmi->enc_data.ctx,
2181 			&indata, NULL, NULL);
2182 	else
2183 		result = crypto_encrypt(&mech, &indata,
2184 			&tmi->enc_data.d_encr_key, NULL,
2185 			NULL, NULL);
2186 
2187 	if (result != CRYPTO_SUCCESS) {
2188 		cmn_err(CE_WARN, "crypto_encrypt_update failed: 0x%0x",
2189 			result);
2190 	}
2191 
2192 cleanup:
2193 	bzero(k1data, sizeof (k1data));
2194 	bzero(k2data, sizeof (k2data));
2195 	bzero(saltdata, sizeof (saltdata));
2196 	if (result != CRYPTO_SUCCESS) {
2197 		mp->b_datap->db_type = M_ERROR;
2198 		mp->b_rptr = mp->b_datap->db_base;
2199 		*mp->b_rptr = EIO;
2200 		mp->b_wptr = mp->b_rptr + sizeof (char);
2201 		freemsg(mp->b_cont);
2202 		mp->b_cont = NULL;
2203 		qreply(WR(q), mp);
2204 		return (NULL);
2205 	}
2206 	return (mp);
2207 }
2208 
2209 /*
2210  * DES-CBC-[HASH] encrypt
2211  *
2212  * Needed to support userland apps that must support Kerberos V5
2213  * encryption DES-CBC encryption modes.
2214  *
2215  * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1
2216  *
2217  * format of ciphertext for DES-CBC functions, per RFC1510 is:
2218  *  +-----------+----------+-------------+-----+
2219  *  |confounder |  cksum   |   msg-data  | pad |
2220  *  +-----------+----------+-------------+-----+
2221  *
2222  * format of ciphertext when using DES3-SHA1-HMAC
2223  *  +-----------+----------+-------------+-----+
2224  *  |confounder |  msg-data  |   hmac    | pad |
2225  *  +-----------+----------+-------------+-----+
2226  *
2227  *  The confounder is 8 bytes of random data.
2228  *  The cksum depends on the hash being used.
2229  *   4 bytes for CRC32
2230  *  16 bytes for MD5
2231  *  20 bytes for SHA1
2232  *   0 bytes for RAW
2233  *
2234  */
2235 static mblk_t *
2236 des_cbc_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash)
2237 {
2238 	int result;
2239 	size_t cipherlen;
2240 	size_t inlen;
2241 	size_t plainlen;
2242 
2243 	/*
2244 	 * The size at this point should be the size of
2245 	 * all the plaintext plus the optional plaintext length
2246 	 * needed for RCMD V2 mode.  There should also be room
2247 	 * at the head of the mblk for the confounder and hash info.
2248 	 */
2249 	inlen = (size_t)MBLKL(mp);
2250 
2251 	/*
2252 	 * The output size will be a multiple of 8 because this algorithm
2253 	 * only works on 8 byte chunks.
2254 	 */
2255 	cipherlen = encrypt_size(&tmi->enc_data, inlen);
2256 
2257 	ASSERT(MBLKSIZE(mp) >= cipherlen);
2258 
2259 	if (cipherlen > inlen) {
2260 		bzero(mp->b_wptr, MBLKTAIL(mp));
2261 	}
2262 
2263 	/*
2264 	 * Shift the rptr back enough to insert
2265 	 * the confounder and hash.
2266 	 */
2267 	if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2268 		mp->b_rptr -= hash->confound_len;
2269 	} else {
2270 		mp->b_rptr -= (hash->confound_len + hash->hash_len);
2271 
2272 		/* zero out the hash area */
2273 		bzero(mp->b_rptr + hash->confound_len, (size_t)hash->hash_len);
2274 	}
2275 
2276 	/* get random confounder from our friend, the 'random' module */
2277 	if (hash->confound_len > 0) {
2278 		(void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr,
2279 				    (size_t)hash->confound_len);
2280 	}
2281 
2282 	/*
2283 	 * For 3DES we calculate an HMAC later.
2284 	 */
2285 	if (tmi->enc_data.method != CRYPT_METHOD_DES3_CBC_SHA1) {
2286 		/* calculate chksum of confounder + input */
2287 		if (hash->hash_len > 0 && hash->hashfunc != NULL) {
2288 			uchar_t cksum[MAX_CKSUM_LEN];
2289 
2290 			result = hash->hashfunc(cksum, mp->b_rptr,
2291 				cipherlen);
2292 			if (result != CRYPTO_SUCCESS) {
2293 				goto failure;
2294 			}
2295 
2296 			/* put hash in place right after the confounder */
2297 			bcopy(cksum, (mp->b_rptr + hash->confound_len),
2298 			    (size_t)hash->hash_len);
2299 		}
2300 	}
2301 	/*
2302 	 * In order to support the "old" Kerberos RCMD protocol,
2303 	 * we must use the IVEC 3 different ways:
2304 	 *   IVEC_REUSE = keep using the same IV each time, this is
2305 	 *		ugly and insecure, but necessary for
2306 	 *		backwards compatibility with existing MIT code.
2307 	 *   IVEC_ONETIME = Use the ivec as initialized when the crypto
2308 	 *		was setup (see setup_crypto routine).
2309 	 *   IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk).
2310 	 */
2311 	if (tmi->enc_data.ivec_usage == IVEC_NEVER) {
2312 		bzero(tmi->enc_data.block, tmi->enc_data.blocklen);
2313 	} else if (tmi->enc_data.ivec_usage == IVEC_REUSE) {
2314 		bcopy(tmi->enc_data.ivec, tmi->enc_data.block,
2315 		    tmi->enc_data.blocklen);
2316 	}
2317 
2318 	if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2319 		/*
2320 		 * The input length already included the hash size,
2321 		 * don't include this in the plaintext length
2322 		 * calculations.
2323 		 */
2324 		plainlen = cipherlen - hash->hash_len;
2325 
2326 		mp->b_wptr = mp->b_rptr + plainlen;
2327 
2328 		result = kef_encr_hmac(&tmi->enc_data,
2329 			(void *)mp, (size_t)plainlen,
2330 			(char *)(mp->b_rptr + plainlen),
2331 			hash->hash_len);
2332 	} else {
2333 		ASSERT(mp->b_rptr + cipherlen <= DB_LIM(mp));
2334 		mp->b_wptr = mp->b_rptr + cipherlen;
2335 		result = kef_crypt(&tmi->enc_data, (void *)mp,
2336 			CRYPTO_DATA_MBLK, (size_t)cipherlen,
2337 			CRYPT_ENCRYPT);
2338 	}
2339 failure:
2340 	if (result != CRYPTO_SUCCESS) {
2341 #ifdef DEBUG
2342 		cmn_err(CE_WARN,
2343 			"des_cbc_encrypt: kef_crypt encrypt "
2344 			"failed (len: %ld) - error %0x",
2345 			cipherlen, result);
2346 #endif
2347 		mp->b_datap->db_type = M_ERROR;
2348 		mp->b_rptr = mp->b_datap->db_base;
2349 		*mp->b_rptr = EIO;
2350 		mp->b_wptr = mp->b_rptr + sizeof (char);
2351 		freemsg(mp->b_cont);
2352 		mp->b_cont = NULL;
2353 		qreply(WR(q), mp);
2354 		return (NULL);
2355 	} else if (tmi->enc_data.ivec_usage == IVEC_ONETIME) {
2356 		/*
2357 		 * Because we are using KEF, we must manually
2358 		 * update our IV.
2359 		 */
2360 		bcopy(mp->b_wptr - tmi->enc_data.ivlen,
2361 			tmi->enc_data.block, tmi->enc_data.ivlen);
2362 	}
2363 	if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2364 		mp->b_wptr = mp->b_rptr + cipherlen;
2365 	}
2366 
2367 	return (mp);
2368 }
2369 
2370 /*
2371  * des_cbc_decrypt
2372  *
2373  *
2374  * Needed to support userland apps that must support Kerberos V5
2375  * encryption DES-CBC decryption modes.
2376  *
2377  * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1
2378  *
2379  * format of ciphertext for DES-CBC functions, per RFC1510 is:
2380  *  +-----------+----------+-------------+-----+
2381  *  |confounder |  cksum   |   msg-data  | pad |
2382  *  +-----------+----------+-------------+-----+
2383  *
2384  * format of ciphertext when using DES3-SHA1-HMAC
2385  *  +-----------+----------+-------------+-----+
2386  *  |confounder |  msg-data  |   hmac    | pad |
2387  *  +-----------+----------+-------------+-----+
2388  *
2389  *  The confounder is 8 bytes of random data.
2390  *  The cksum depends on the hash being used.
2391  *   4 bytes for CRC32
2392  *  16 bytes for MD5
2393  *  20 bytes for SHA1
2394  *   0 bytes for RAW
2395  *
2396  */
2397 static mblk_t *
2398 des_cbc_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash)
2399 {
2400 	uint_t inlen, datalen;
2401 	int result = 0;
2402 	uchar_t *optr = NULL;
2403 	uchar_t cksum[MAX_CKSUM_LEN], newcksum[MAX_CKSUM_LEN];
2404 	uchar_t nextiv[DEFAULT_DES_BLOCKLEN];
2405 
2406 	/* Compute adjusted size */
2407 	inlen = MBLKL(mp);
2408 
2409 	optr = mp->b_rptr;
2410 
2411 	/*
2412 	 * In order to support the "old" Kerberos RCMD protocol,
2413 	 * we must use the IVEC 3 different ways:
2414 	 *   IVEC_REUSE = keep using the same IV each time, this is
2415 	 *		ugly and insecure, but necessary for
2416 	 *		backwards compatibility with existing MIT code.
2417 	 *   IVEC_ONETIME = Use the ivec as initialized when the crypto
2418 	 *		was setup (see setup_crypto routine).
2419 	 *   IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk).
2420 	 */
2421 	if (tmi->dec_data.ivec_usage == IVEC_NEVER)
2422 		bzero(tmi->dec_data.block, tmi->dec_data.blocklen);
2423 	else if (tmi->dec_data.ivec_usage == IVEC_REUSE)
2424 		bcopy(tmi->dec_data.ivec, tmi->dec_data.block,
2425 		    tmi->dec_data.blocklen);
2426 
2427 	if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2428 		/*
2429 		 * Do not decrypt the HMAC at the end
2430 		 */
2431 		int decrypt_len = inlen - hash->hash_len;
2432 
2433 		/*
2434 		 * Move the wptr so the mblk appears to end
2435 		 * BEFORE the HMAC section.
2436 		 */
2437 		mp->b_wptr = mp->b_rptr + decrypt_len;
2438 
2439 		/*
2440 		 * Because we are using KEF, we must manually update our
2441 		 * IV.
2442 		 */
2443 		if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
2444 			bcopy(mp->b_rptr + decrypt_len - tmi->dec_data.ivlen,
2445 				nextiv, tmi->dec_data.ivlen);
2446 		}
2447 
2448 		result = kef_decr_hmac(&tmi->dec_data, mp, decrypt_len,
2449 			(char *)newcksum, hash->hash_len);
2450 	} else {
2451 		/*
2452 		 * Because we are using KEF, we must manually update our
2453 		 * IV.
2454 		 */
2455 		if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
2456 			bcopy(mp->b_wptr - tmi->enc_data.ivlen, nextiv,
2457 				tmi->dec_data.ivlen);
2458 		}
2459 		result = kef_crypt(&tmi->dec_data, (void *)mp,
2460 			CRYPTO_DATA_MBLK, (size_t)inlen, CRYPT_DECRYPT);
2461 	}
2462 	if (result != CRYPTO_SUCCESS) {
2463 #ifdef DEBUG
2464 		cmn_err(CE_WARN,
2465 			"des_cbc_decrypt: kef_crypt decrypt "
2466 			"failed - error %0x", result);
2467 #endif
2468 		mp->b_datap->db_type = M_ERROR;
2469 		mp->b_rptr = mp->b_datap->db_base;
2470 		*mp->b_rptr = EIO;
2471 		mp->b_wptr = mp->b_rptr + sizeof (char);
2472 		freemsg(mp->b_cont);
2473 		mp->b_cont = NULL;
2474 		qreply(WR(q), mp);
2475 		return (NULL);
2476 	}
2477 
2478 	/*
2479 	 * Manually update the IV, KEF does not track this for us.
2480 	 */
2481 	if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
2482 		bcopy(nextiv, tmi->dec_data.block, tmi->dec_data.ivlen);
2483 	}
2484 
2485 	/* Verify the checksum(if necessary) */
2486 	if (hash->hash_len > 0) {
2487 		if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2488 			bcopy(mp->b_rptr + inlen - hash->hash_len, cksum,
2489 				hash->hash_len);
2490 		} else {
2491 			bcopy(optr + hash->confound_len, cksum, hash->hash_len);
2492 
2493 			/* zero the cksum in the buffer */
2494 			ASSERT(optr + hash->confound_len + hash->hash_len <=
2495 				DB_LIM(mp));
2496 			bzero(optr + hash->confound_len, hash->hash_len);
2497 
2498 			/* calculate MD5 chksum of confounder + input */
2499 			if (hash->hashfunc) {
2500 				(void) hash->hashfunc(newcksum, optr, inlen);
2501 			}
2502 		}
2503 
2504 		if (bcmp(cksum, newcksum, hash->hash_len)) {
2505 #ifdef DEBUG
2506 			cmn_err(CE_WARN, "des_cbc_decrypt: checksum "
2507 				"verification failed");
2508 #endif
2509 			mp->b_datap->db_type = M_ERROR;
2510 			mp->b_rptr = mp->b_datap->db_base;
2511 			*mp->b_rptr = EIO;
2512 			mp->b_wptr = mp->b_rptr + sizeof (char);
2513 			freemsg(mp->b_cont);
2514 			mp->b_cont = NULL;
2515 			qreply(WR(q), mp);
2516 			return (NULL);
2517 		}
2518 	}
2519 
2520 	datalen = inlen - hash->confound_len - hash->hash_len;
2521 
2522 	/* Move just the decrypted input into place if necessary */
2523 	if (hash->confound_len > 0 || hash->hash_len > 0) {
2524 		if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1)
2525 			mp->b_rptr += hash->confound_len;
2526 		else
2527 			mp->b_rptr += hash->confound_len + hash->hash_len;
2528 	}
2529 
2530 	ASSERT(mp->b_rptr + datalen <= DB_LIM(mp));
2531 	mp->b_wptr = mp->b_rptr + datalen;
2532 
2533 	return (mp);
2534 }
2535 
2536 static mblk_t *
2537 do_decrypt(queue_t *q, mblk_t *mp)
2538 {
2539 	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
2540 	mblk_t *outmp;
2541 
2542 	switch (tmi->dec_data.method) {
2543 	case CRYPT_METHOD_DES_CFB:
2544 		outmp = des_cfb_decrypt(q, tmi, mp);
2545 		break;
2546 	case CRYPT_METHOD_NONE:
2547 		outmp = mp;
2548 		break;
2549 	case CRYPT_METHOD_DES_CBC_NULL:
2550 		outmp = des_cbc_decrypt(q, tmi, mp, &null_hash);
2551 		break;
2552 	case CRYPT_METHOD_DES_CBC_MD5:
2553 		outmp = des_cbc_decrypt(q, tmi, mp, &md5_hash);
2554 		break;
2555 	case CRYPT_METHOD_DES_CBC_CRC:
2556 		outmp = des_cbc_decrypt(q, tmi, mp, &crc32_hash);
2557 		break;
2558 	case CRYPT_METHOD_DES3_CBC_SHA1:
2559 		outmp = des_cbc_decrypt(q, tmi, mp, &sha1_hash);
2560 		break;
2561 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
2562 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
2563 		outmp = arcfour_hmac_md5_decrypt(q, tmi, mp, &md5_hash);
2564 		break;
2565 	case CRYPT_METHOD_AES128:
2566 	case CRYPT_METHOD_AES256:
2567 		outmp = aes_decrypt(q, tmi, mp, &sha1_hash);
2568 		break;
2569 	}
2570 	return (outmp);
2571 }
2572 
2573 /*
2574  * do_encrypt
2575  *
2576  * Generic encryption routine for a single message block.
2577  * The input mblk may be replaced by some encrypt routines
2578  * because they add extra data in some cases that may exceed
2579  * the input mblk_t size limit.
2580  */
2581 static mblk_t *
2582 do_encrypt(queue_t *q, mblk_t *mp)
2583 {
2584 	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
2585 	mblk_t *outmp;
2586 
2587 	switch (tmi->enc_data.method) {
2588 	case CRYPT_METHOD_DES_CFB:
2589 		outmp = des_cfb_encrypt(q, tmi, mp);
2590 		break;
2591 	case CRYPT_METHOD_DES_CBC_NULL:
2592 		outmp = des_cbc_encrypt(q, tmi, mp, &null_hash);
2593 		break;
2594 	case CRYPT_METHOD_DES_CBC_MD5:
2595 		outmp = des_cbc_encrypt(q, tmi, mp, &md5_hash);
2596 		break;
2597 	case CRYPT_METHOD_DES_CBC_CRC:
2598 		outmp = des_cbc_encrypt(q, tmi, mp, &crc32_hash);
2599 		break;
2600 	case CRYPT_METHOD_DES3_CBC_SHA1:
2601 		outmp = des_cbc_encrypt(q, tmi, mp, &sha1_hash);
2602 		break;
2603 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
2604 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
2605 		outmp = arcfour_hmac_md5_encrypt(q, tmi, mp, &md5_hash);
2606 		break;
2607 	case CRYPT_METHOD_AES128:
2608 	case CRYPT_METHOD_AES256:
2609 		outmp = aes_encrypt(q, tmi, mp, &sha1_hash);
2610 		break;
2611 	case CRYPT_METHOD_NONE:
2612 		outmp = mp;
2613 		break;
2614 	}
2615 	return (outmp);
2616 }
2617 
2618 /*
2619  * setup_crypto
2620  *
2621  * This takes the data from the CRYPTIOCSETUP ioctl
2622  * and sets up a cipher_data_t structure for either
2623  * encryption or decryption.  This is where the
2624  * key and initialization vector data get stored
2625  * prior to beginning any crypto functions.
2626  *
2627  * Special note:
2628  *   Some applications(e.g. telnetd) have ability to switch
2629  * crypto on/off periodically.  Thus, the application may call
2630  * the CRYPTIOCSETUP ioctl many times for the same stream.
2631  * If the CRYPTIOCSETUP is called with 0 length key or ivec fields
2632  * assume that the key, block, and saveblock fields that are already
2633  * set from a previous CRIOCSETUP call are still valid.  This helps avoid
2634  * a rekeying error that could occur if we overwrite these fields
2635  * with each CRYPTIOCSETUP call.
2636  *   In short, sometimes, CRYPTIOCSETUP is used to simply toggle on/off
2637  * without resetting the original crypto parameters.
2638  *
2639  */
2640 static int
2641 setup_crypto(struct cr_info_t *ci, struct cipher_data_t *cd, int encrypt)
2642 {
2643 	uint_t newblocklen;
2644 	uint32_t enc_usage = 0, dec_usage = 0;
2645 	int rv;
2646 
2647 	/*
2648 	 * Initial sanity checks
2649 	 */
2650 	if (!CR_METHOD_OK(ci->crypto_method)) {
2651 		cmn_err(CE_WARN, "Illegal crypto method (%d)",
2652 			ci->crypto_method);
2653 		return (EINVAL);
2654 	}
2655 	if (!CR_OPTIONS_OK(ci->option_mask)) {
2656 		cmn_err(CE_WARN, "Illegal crypto options (%d)",
2657 			ci->option_mask);
2658 		return (EINVAL);
2659 	}
2660 	if (!CR_IVUSAGE_OK(ci->ivec_usage)) {
2661 		cmn_err(CE_WARN, "Illegal ivec usage value (%d)",
2662 			ci->ivec_usage);
2663 		return (EINVAL);
2664 	}
2665 
2666 	cd->method = ci->crypto_method;
2667 	cd->bytes = 0;
2668 
2669 	if (ci->keylen > 0) {
2670 		if (cd->key != NULL) {
2671 			kmem_free(cd->key, cd->keylen);
2672 			cd->key = NULL;
2673 			cd->keylen = 0;
2674 		}
2675 		/*
2676 		 * cd->key holds the copy of the raw key bytes passed in
2677 		 * from the userland app.
2678 		 */
2679 		cd->key = (char *)kmem_alloc((size_t)ci->keylen, KM_SLEEP);
2680 
2681 		cd->keylen = ci->keylen;
2682 		bcopy(ci->key, cd->key, (size_t)ci->keylen);
2683 	}
2684 
2685 	/*
2686 	 * Configure the block size based on the type of cipher.
2687 	 */
2688 	switch (cd->method) {
2689 		case CRYPT_METHOD_NONE:
2690 			newblocklen = 0;
2691 			break;
2692 		case CRYPT_METHOD_DES_CFB:
2693 			newblocklen = DEFAULT_DES_BLOCKLEN;
2694 			cd->mech_type = crypto_mech2id(SUN_CKM_DES_ECB);
2695 			break;
2696 		case CRYPT_METHOD_DES_CBC_NULL:
2697 		case CRYPT_METHOD_DES_CBC_MD5:
2698 		case CRYPT_METHOD_DES_CBC_CRC:
2699 			newblocklen = DEFAULT_DES_BLOCKLEN;
2700 			cd->mech_type = crypto_mech2id(SUN_CKM_DES_CBC);
2701 			break;
2702 		case CRYPT_METHOD_DES3_CBC_SHA1:
2703 			newblocklen = DEFAULT_DES_BLOCKLEN;
2704 			cd->mech_type = crypto_mech2id(SUN_CKM_DES3_CBC);
2705 			/* 3DES always uses the old usage constant */
2706 			enc_usage = RCMDV1_USAGE;
2707 			dec_usage = RCMDV1_USAGE;
2708 			break;
2709 		case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
2710 		case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
2711 			newblocklen = 0;
2712 			cd->mech_type = crypto_mech2id(SUN_CKM_RC4);
2713 			break;
2714 		case CRYPT_METHOD_AES128:
2715 		case CRYPT_METHOD_AES256:
2716 			newblocklen = DEFAULT_AES_BLOCKLEN;
2717 			cd->mech_type = crypto_mech2id(SUN_CKM_AES_ECB);
2718 			enc_usage = AES_ENCRYPT_USAGE;
2719 			dec_usage = AES_DECRYPT_USAGE;
2720 			break;
2721 	}
2722 	if (cd->mech_type == CRYPTO_MECH_INVALID) {
2723 		return (CRYPTO_FAILED);
2724 	}
2725 
2726 	/*
2727 	 * If RC4, initialize the master crypto key used by
2728 	 * the RC4 algorithm to derive the final encrypt and decrypt keys.
2729 	 */
2730 	if (cd->keylen > 0 && IS_RC4_METHOD(cd->method)) {
2731 		/*
2732 		 * cd->ckey is a kernel crypto key structure used as the
2733 		 * master key in the RC4-HMAC crypto operations.
2734 		 */
2735 		if (cd->ckey == NULL) {
2736 			cd->ckey = (crypto_key_t *)kmem_zalloc(
2737 				sizeof (crypto_key_t), KM_SLEEP);
2738 		}
2739 
2740 		cd->ckey->ck_format = CRYPTO_KEY_RAW;
2741 		cd->ckey->ck_data = cd->key;
2742 
2743 		/* key length for EF is measured in bits */
2744 		cd->ckey->ck_length = cd->keylen * 8;
2745 	}
2746 
2747 	/*
2748 	 * cd->block and cd->saveblock are used as temporary storage for
2749 	 * data that must be carried over between encrypt/decrypt operations
2750 	 * in some of the "feedback" modes.
2751 	 */
2752 	if (newblocklen != cd->blocklen) {
2753 		if (cd->block != NULL) {
2754 			kmem_free(cd->block, cd->blocklen);
2755 			cd->block = NULL;
2756 		}
2757 
2758 		if (cd->saveblock != NULL) {
2759 			kmem_free(cd->saveblock, cd->blocklen);
2760 			cd->saveblock = NULL;
2761 		}
2762 
2763 		cd->blocklen = newblocklen;
2764 		if (cd->blocklen) {
2765 			cd->block = (char *)kmem_zalloc((size_t)cd->blocklen,
2766 				KM_SLEEP);
2767 		}
2768 
2769 		if (cd->method == CRYPT_METHOD_DES_CFB)
2770 			cd->saveblock = (char *)kmem_zalloc(cd->blocklen,
2771 						KM_SLEEP);
2772 		else
2773 			cd->saveblock = NULL;
2774 	}
2775 
2776 	if (ci->iveclen != cd->ivlen) {
2777 		if (cd->ivec != NULL) {
2778 			kmem_free(cd->ivec, cd->ivlen);
2779 			cd->ivec = NULL;
2780 		}
2781 		if (ci->ivec_usage != IVEC_NEVER && ci->iveclen > 0) {
2782 			cd->ivec = (char *)kmem_zalloc((size_t)ci->iveclen,
2783 						KM_SLEEP);
2784 			cd->ivlen = ci->iveclen;
2785 		} else {
2786 			cd->ivlen = 0;
2787 			cd->ivec = NULL;
2788 		}
2789 	}
2790 	cd->option_mask = ci->option_mask;
2791 
2792 	/*
2793 	 * Old protocol requires a static 'usage' value for
2794 	 * deriving keys.  Yuk.
2795 	 */
2796 	if (cd->option_mask & CRYPTOPT_RCMD_MODE_V1) {
2797 		enc_usage = dec_usage = RCMDV1_USAGE;
2798 	}
2799 
2800 	if (cd->ivlen > cd->blocklen) {
2801 		cmn_err(CE_WARN, "setup_crypto: IV longer than block size");
2802 		return (EINVAL);
2803 	}
2804 
2805 	/*
2806 	 * If we are using an IVEC "correctly" (i.e. set it once)
2807 	 * copy it here.
2808 	 */
2809 	if (ci->ivec_usage == IVEC_ONETIME && cd->block != NULL)
2810 		bcopy(ci->ivec, cd->block, (size_t)cd->ivlen);
2811 
2812 	cd->ivec_usage = ci->ivec_usage;
2813 	if (cd->ivec != NULL) {
2814 		/* Save the original IVEC in case we need it later */
2815 		bcopy(ci->ivec, cd->ivec, (size_t)cd->ivlen);
2816 	}
2817 	/*
2818 	 * Special handling for 3DES-SHA1-HMAC and AES crypto:
2819 	 * generate derived keys and context templates
2820 	 * for better performance.
2821 	 */
2822 	if (cd->method == CRYPT_METHOD_DES3_CBC_SHA1 ||
2823 	    IS_AES_METHOD(cd->method)) {
2824 		crypto_mechanism_t enc_mech;
2825 		crypto_mechanism_t hmac_mech;
2826 
2827 		if (cd->d_encr_key.ck_data != NULL) {
2828 			bzero(cd->d_encr_key.ck_data, cd->keylen);
2829 			kmem_free(cd->d_encr_key.ck_data, cd->keylen);
2830 		}
2831 
2832 		if (cd->d_hmac_key.ck_data != NULL) {
2833 			bzero(cd->d_hmac_key.ck_data, cd->keylen);
2834 			kmem_free(cd->d_hmac_key.ck_data, cd->keylen);
2835 		}
2836 
2837 		if (cd->enc_tmpl != NULL)
2838 			(void) crypto_destroy_ctx_template(cd->enc_tmpl);
2839 
2840 		if (cd->hmac_tmpl != NULL)
2841 			(void) crypto_destroy_ctx_template(cd->hmac_tmpl);
2842 
2843 		enc_mech.cm_type = cd->mech_type;
2844 		enc_mech.cm_param = cd->ivec;
2845 		enc_mech.cm_param_len = cd->ivlen;
2846 
2847 		hmac_mech.cm_type = sha1_hmac_mech;
2848 		hmac_mech.cm_param = NULL;
2849 		hmac_mech.cm_param_len = 0;
2850 
2851 		/*
2852 		 * Create the derived keys.
2853 		 */
2854 		rv = create_derived_keys(cd,
2855 			(encrypt ? enc_usage : dec_usage),
2856 			&cd->d_encr_key, &cd->d_hmac_key);
2857 
2858 		if (rv != CRYPTO_SUCCESS) {
2859 			cmn_err(CE_WARN, "failed to create derived "
2860 				"keys: %0x", rv);
2861 			return (CRYPTO_FAILED);
2862 		}
2863 
2864 		rv = crypto_create_ctx_template(&enc_mech,
2865 					&cd->d_encr_key,
2866 					&cd->enc_tmpl, KM_SLEEP);
2867 		if (rv == CRYPTO_MECH_NOT_SUPPORTED) {
2868 			cd->enc_tmpl = NULL;
2869 		} else if (rv != CRYPTO_SUCCESS) {
2870 			cmn_err(CE_WARN, "failed to create enc template "
2871 				"for d_encr_key: %0x", rv);
2872 			return (CRYPTO_FAILED);
2873 		}
2874 
2875 		rv = crypto_create_ctx_template(&hmac_mech,
2876 				&cd->d_hmac_key,
2877 				&cd->hmac_tmpl, KM_SLEEP);
2878 		if (rv == CRYPTO_MECH_NOT_SUPPORTED) {
2879 			cd->hmac_tmpl = NULL;
2880 		} else if (rv != CRYPTO_SUCCESS) {
2881 			cmn_err(CE_WARN, "failed to create hmac template:"
2882 				" %0x", rv);
2883 			return (CRYPTO_FAILED);
2884 		}
2885 	} else if (IS_RC4_METHOD(cd->method)) {
2886 		bzero(&cd->d_encr_key, sizeof (crypto_key_t));
2887 		bzero(&cd->d_hmac_key, sizeof (crypto_key_t));
2888 		cd->ctx = NULL;
2889 		cd->enc_tmpl = NULL;
2890 		cd->hmac_tmpl = NULL;
2891 	}
2892 
2893 	/* Final sanity checks, make sure no fields are NULL */
2894 	if (cd->method != CRYPT_METHOD_NONE) {
2895 		if (cd->block == NULL && cd->blocklen > 0) {
2896 #ifdef DEBUG
2897 			cmn_err(CE_WARN,
2898 				"setup_crypto: IV block not allocated");
2899 #endif
2900 			return (ENOMEM);
2901 		}
2902 		if (cd->key == NULL && cd->keylen > 0) {
2903 #ifdef DEBUG
2904 			cmn_err(CE_WARN,
2905 				"setup_crypto: key block not allocated");
2906 #endif
2907 			return (ENOMEM);
2908 		}
2909 		if (cd->method == CRYPT_METHOD_DES_CFB &&
2910 		    cd->saveblock == NULL && cd->blocklen > 0) {
2911 #ifdef DEBUG
2912 			cmn_err(CE_WARN,
2913 				"setup_crypto: save block not allocated");
2914 #endif
2915 			return (ENOMEM);
2916 		}
2917 		if (cd->ivec == NULL && cd->ivlen > 0) {
2918 #ifdef DEBUG
2919 			cmn_err(CE_WARN,
2920 				"setup_crypto: IV not allocated");
2921 #endif
2922 			return (ENOMEM);
2923 		}
2924 	}
2925 	return (0);
2926 }
2927 
2928 /*
2929  * RCMDS require a 4 byte, clear text
2930  * length field before each message.
2931  * Add it now.
2932  */
2933 static mblk_t *
2934 mklenmp(mblk_t *bp, uint32_t len)
2935 {
2936 	mblk_t *lenmp;
2937 	uchar_t *ucp;
2938 
2939 	if (bp->b_rptr - 4 < DB_BASE(bp) || DB_REF(bp) > 1) {
2940 		lenmp = allocb(4, BPRI_MED);
2941 		if (lenmp != NULL) {
2942 			lenmp->b_rptr = lenmp->b_wptr = DB_LIM(lenmp);
2943 			linkb(lenmp, bp);
2944 			bp = lenmp;
2945 		}
2946 	}
2947 	ucp = bp->b_rptr;
2948 	*--ucp = len;
2949 	*--ucp = len >> 8;
2950 	*--ucp = len >> 16;
2951 	*--ucp = len >> 24;
2952 
2953 	bp->b_rptr = ucp;
2954 
2955 	return (bp);
2956 }
2957 
2958 static mblk_t *
2959 encrypt_block(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, size_t plainlen)
2960 {
2961 	mblk_t *newmp;
2962 	size_t headspace;
2963 
2964 	mblk_t *cbp;
2965 	size_t cipherlen;
2966 	size_t extra = 0;
2967 	uint32_t ptlen = (uint32_t)plainlen;
2968 	/*
2969 	 * If we are using the "NEW" RCMD mode,
2970 	 * add 4 bytes to the plaintext for the
2971 	 * plaintext length that gets prepended
2972 	 * before encrypting.
2973 	 */
2974 	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
2975 		ptlen += 4;
2976 
2977 	cipherlen = encrypt_size(&tmi->enc_data, (size_t)ptlen);
2978 
2979 	/*
2980 	 * if we must allocb, then make sure its enough
2981 	 * to hold the length field so we dont have to allocb
2982 	 * again down below in 'mklenmp'
2983 	 */
2984 	if (ANY_RCMD_MODE(tmi->enc_data.option_mask)) {
2985 		extra = sizeof (uint32_t);
2986 	}
2987 
2988 	/*
2989 	 * Calculate how much space is needed in front of
2990 	 * the data.
2991 	 */
2992 	headspace = plaintext_offset(&tmi->enc_data);
2993 
2994 	/*
2995 	 * If the current block is too small, reallocate
2996 	 * one large enough to hold the hdr, tail, and
2997 	 * ciphertext.
2998 	 */
2999 	if ((cipherlen + extra >= MBLKSIZE(mp)) || DB_REF(mp) > 1) {
3000 		int sz = P2ROUNDUP(cipherlen+extra, 8);
3001 
3002 		cbp = allocb_tmpl(sz, mp);
3003 		if (cbp == NULL) {
3004 			cmn_err(CE_WARN,
3005 				"allocb (%d bytes) failed", sz);
3006 				return (NULL);
3007 		}
3008 
3009 		cbp->b_cont = mp->b_cont;
3010 
3011 		/*
3012 		 * headspace includes the length fields needed
3013 		 * for the RCMD modes (v1 == 4 bytes, V2 = 8)
3014 		 */
3015 		cbp->b_rptr = DB_BASE(cbp) + headspace;
3016 
3017 		ASSERT(cbp->b_rptr + P2ROUNDUP(plainlen, 8)
3018 			<= DB_LIM(cbp));
3019 
3020 		bcopy(mp->b_rptr, cbp->b_rptr, plainlen);
3021 		cbp->b_wptr = cbp->b_rptr + plainlen;
3022 
3023 		freeb(mp);
3024 	} else {
3025 		size_t extra = 0;
3026 		cbp = mp;
3027 
3028 		/*
3029 		 * Some ciphers add HMAC after the final block
3030 		 * of the ciphertext, not at the beginning like the
3031 		 * 1-DES ciphers.
3032 		 */
3033 		if (tmi->enc_data.method ==
3034 			CRYPT_METHOD_DES3_CBC_SHA1 ||
3035 		    IS_AES_METHOD(tmi->enc_data.method)) {
3036 			extra = sha1_hash.hash_len;
3037 		}
3038 
3039 		/*
3040 		 * Make sure the rptr is positioned correctly so that
3041 		 * routines later do not have to shift this data around
3042 		 */
3043 		if ((cbp->b_rptr + P2ROUNDUP(plainlen + extra, 8) >
3044 			DB_LIM(cbp)) ||
3045 			(cbp->b_rptr - headspace < DB_BASE(cbp))) {
3046 			ovbcopy(cbp->b_rptr, DB_BASE(cbp) + headspace,
3047 				plainlen);
3048 			cbp->b_rptr = DB_BASE(cbp) + headspace;
3049 			cbp->b_wptr = cbp->b_rptr + plainlen;
3050 		}
3051 	}
3052 
3053 	ASSERT(cbp->b_rptr - headspace >= DB_BASE(cbp));
3054 	ASSERT(cbp->b_wptr <= DB_LIM(cbp));
3055 
3056 	/*
3057 	 * If using RCMD_MODE_V2 (new rcmd mode), prepend
3058 	 * the plaintext length before the actual plaintext.
3059 	 */
3060 	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2) {
3061 		cbp->b_rptr -= RCMD_LEN_SZ;
3062 
3063 		/* put plaintext length at head of buffer */
3064 		*(cbp->b_rptr + 3) = (uchar_t)(plainlen & 0xff);
3065 		*(cbp->b_rptr + 2) = (uchar_t)((plainlen >> 8) & 0xff);
3066 		*(cbp->b_rptr + 1) = (uchar_t)((plainlen >> 16) & 0xff);
3067 		*(cbp->b_rptr) = (uchar_t)((plainlen >> 24) & 0xff);
3068 	}
3069 
3070 	newmp = do_encrypt(q, cbp);
3071 
3072 	if (newmp != NULL &&
3073 	    (tmi->enc_data.option_mask &
3074 	    (CRYPTOPT_RCMD_MODE_V1 | CRYPTOPT_RCMD_MODE_V2))) {
3075 		mblk_t *lp;
3076 		/*
3077 		 * Add length field, required when this is
3078 		 * used to encrypt "r*" commands(rlogin, rsh)
3079 		 * with Kerberos.
3080 		 */
3081 		lp = mklenmp(newmp, plainlen);
3082 
3083 		if (lp == NULL) {
3084 			freeb(newmp);
3085 			return (NULL);
3086 		} else {
3087 			newmp = lp;
3088 		}
3089 	}
3090 	return (newmp);
3091 }
3092 
3093 /*
3094  * encrypt_msgb
3095  *
3096  * encrypt a single message. This routine adds the
3097  * RCMD overhead bytes when necessary.
3098  */
3099 static mblk_t *
3100 encrypt_msgb(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
3101 {
3102 	size_t plainlen, outlen;
3103 	mblk_t *newmp = NULL;
3104 
3105 	/* If not encrypting, do nothing */
3106 	if (tmi->enc_data.method == CRYPT_METHOD_NONE) {
3107 		return (mp);
3108 	}
3109 
3110 	plainlen = MBLKL(mp);
3111 	if (plainlen == 0)
3112 		return (NULL);
3113 
3114 	/*
3115 	 * If the block is too big, we encrypt in 4K chunks so that
3116 	 * older rlogin clients do not choke on the larger buffers.
3117 	 */
3118 	while ((plainlen = MBLKL(mp)) > MSGBUF_SIZE) {
3119 		mblk_t *mp1 = NULL;
3120 		outlen = MSGBUF_SIZE;
3121 		/*
3122 		 * Allocate a new buffer that is only 4K bytes, the
3123 		 * extra bytes are for crypto overhead.
3124 		 */
3125 		mp1 = allocb(outlen + CONFOUNDER_BYTES, BPRI_MED);
3126 		if (mp1 == NULL) {
3127 			cmn_err(CE_WARN,
3128 				"allocb (%d bytes) failed",
3129 				(int)(outlen + CONFOUNDER_BYTES));
3130 			return (NULL);
3131 		}
3132 		/* Copy the next 4K bytes from the old block. */
3133 		bcopy(mp->b_rptr, mp1->b_rptr, outlen);
3134 		mp1->b_wptr = mp1->b_rptr + outlen;
3135 		/* Advance the old block. */
3136 		mp->b_rptr += outlen;
3137 
3138 		/* encrypt the new block */
3139 		newmp = encrypt_block(q, tmi, mp1, outlen);
3140 		if (newmp == NULL)
3141 			return (NULL);
3142 
3143 		putnext(q, newmp);
3144 	}
3145 	newmp = NULL;
3146 	/* If there is data left (< MSGBUF_SIZE), encrypt it. */
3147 	if ((plainlen = MBLKL(mp)) > 0)
3148 		newmp = encrypt_block(q, tmi, mp, plainlen);
3149 
3150 	return (newmp);
3151 }
3152 
3153 /*
3154  * cryptmodwsrv
3155  *
3156  * Service routine for the write queue.
3157  *
3158  * Because data may be placed in the queue to hold between
3159  * the CRYPTIOCSTOP and CRYPTIOCSTART ioctls, the service routine is needed.
3160  */
3161 static int
3162 cryptmodwsrv(queue_t *q)
3163 {
3164 	mblk_t *mp;
3165 	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
3166 
3167 	while ((mp = getq(q)) != NULL) {
3168 		switch (mp->b_datap->db_type) {
3169 		default:
3170 			/*
3171 			 * wput does not queue anything > QPCTL
3172 			 */
3173 			if (!canputnext(q) ||
3174 			    !(tmi->ready & CRYPT_WRITE_READY)) {
3175 				if (!putbq(q, mp)) {
3176 					freemsg(mp);
3177 				}
3178 				return (0);
3179 			}
3180 			putnext(q, mp);
3181 			break;
3182 		case M_DATA:
3183 			if (canputnext(q) && (tmi->ready & CRYPT_WRITE_READY)) {
3184 				mblk_t *bp;
3185 				mblk_t *newmsg = NULL;
3186 
3187 				/*
3188 				 * If multiple msgs, concat into 1
3189 				 * to minimize crypto operations later.
3190 				 */
3191 				if (mp->b_cont != NULL) {
3192 					bp = msgpullup(mp, -1);
3193 					if (bp != NULL) {
3194 						freemsg(mp);
3195 						mp = bp;
3196 					}
3197 				}
3198 				newmsg = encrypt_msgb(q, tmi, mp);
3199 				if (newmsg != NULL)
3200 					putnext(q, newmsg);
3201 			} else {
3202 				if (!putbq(q, mp)) {
3203 					freemsg(mp);
3204 				}
3205 				return (0);
3206 			}
3207 			break;
3208 		}
3209 	}
3210 	return (0);
3211 }
3212 
3213 static void
3214 start_stream(queue_t *wq, mblk_t *mp, uchar_t dir)
3215 {
3216 	mblk_t *newmp = NULL;
3217 	struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr;
3218 
3219 	if (dir == CRYPT_ENCRYPT) {
3220 		tmi->ready |= CRYPT_WRITE_READY;
3221 		(void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE,
3222 				"start_stream: restart ENCRYPT/WRITE q"));
3223 
3224 		enableok(wq);
3225 		qenable(wq);
3226 	} else if (dir == CRYPT_DECRYPT) {
3227 		/*
3228 		 * put any extra data in the RD
3229 		 * queue to be processed and
3230 		 * sent back up.
3231 		 */
3232 		newmp = mp->b_cont;
3233 		mp->b_cont = NULL;
3234 
3235 		tmi->ready |= CRYPT_READ_READY;
3236 		(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3237 				SL_TRACE|SL_NOTE,
3238 				"start_stream: restart "
3239 				"DECRYPT/READ q"));
3240 
3241 		if (newmp != NULL)
3242 			if (!putbq(RD(wq), newmp))
3243 				freemsg(newmp);
3244 
3245 		enableok(RD(wq));
3246 		qenable(RD(wq));
3247 	}
3248 
3249 	miocack(wq, mp, 0, 0);
3250 }
3251 
3252 /*
3253  * Write-side put procedure.  Its main task is to detect ioctls and
3254  * FLUSH operations.  Other message types are passed on through.
3255  */
3256 static void
3257 cryptmodwput(queue_t *wq, mblk_t *mp)
3258 {
3259 	struct iocblk *iocp;
3260 	struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr;
3261 	int ret, err;
3262 
3263 	switch (mp->b_datap->db_type) {
3264 	case M_DATA:
3265 		if (wq->q_first == NULL && canputnext(wq) &&
3266 		    (tmi->ready & CRYPT_WRITE_READY) &&
3267 		    tmi->enc_data.method == CRYPT_METHOD_NONE) {
3268 			putnext(wq, mp);
3269 			return;
3270 		}
3271 		/* else, put it in the service queue */
3272 		if (!putq(wq, mp)) {
3273 			freemsg(mp);
3274 		}
3275 		break;
3276 	case M_FLUSH:
3277 		if (*mp->b_rptr & FLUSHW) {
3278 			flushq(wq, FLUSHDATA);
3279 		}
3280 		putnext(wq, mp);
3281 		break;
3282 	case M_IOCTL:
3283 		iocp = (struct iocblk *)mp->b_rptr;
3284 		switch (iocp->ioc_cmd) {
3285 		case CRYPTIOCSETUP:
3286 			ret = 0;
3287 			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3288 					SL_TRACE | SL_NOTE,
3289 					"wput: got CRYPTIOCSETUP "
3290 					"ioctl(%d)", iocp->ioc_cmd));
3291 
3292 			if ((err = miocpullup(mp,
3293 					sizeof (struct cr_info_t))) != 0) {
3294 				cmn_err(CE_WARN,
3295 				"wput: miocpullup failed for cr_info_t");
3296 				miocnak(wq, mp, 0, err);
3297 			} else {
3298 				struct cr_info_t *ci;
3299 				ci = (struct cr_info_t *)mp->b_cont->b_rptr;
3300 
3301 				if (ci->direction_mask & CRYPT_ENCRYPT) {
3302 				    ret = setup_crypto(ci, &tmi->enc_data, 1);
3303 				}
3304 
3305 				if (ret == 0 &&
3306 				    (ci->direction_mask & CRYPT_DECRYPT)) {
3307 				    ret = setup_crypto(ci, &tmi->dec_data, 0);
3308 				}
3309 				if (ret == 0 &&
3310 				    (ci->direction_mask & CRYPT_DECRYPT) &&
3311 				    ANY_RCMD_MODE(tmi->dec_data.option_mask)) {
3312 					bzero(&tmi->rcmd_state,
3313 					    sizeof (tmi->rcmd_state));
3314 				}
3315 				if (ret == 0) {
3316 					miocack(wq, mp, 0, 0);
3317 				} else {
3318 					cmn_err(CE_WARN,
3319 						"wput: setup_crypto failed");
3320 					miocnak(wq, mp, 0, ret);
3321 				}
3322 				(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3323 						SL_TRACE|SL_NOTE,
3324 						"wput: done with SETUP "
3325 						"ioctl"));
3326 			}
3327 			break;
3328 		case CRYPTIOCSTOP:
3329 			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3330 					SL_TRACE|SL_NOTE,
3331 					"wput: got CRYPTIOCSTOP "
3332 					"ioctl(%d)", iocp->ioc_cmd));
3333 
3334 			if ((err = miocpullup(mp, sizeof (uint32_t))) != 0) {
3335 				cmn_err(CE_WARN,
3336 					"wput: CRYPTIOCSTOP ioctl wrong "
3337 					"size (%d should be %d)",
3338 					(int)iocp->ioc_count,
3339 					(int)sizeof (uint32_t));
3340 				miocnak(wq, mp, 0, err);
3341 			} else {
3342 				uint32_t *stopdir;
3343 
3344 				stopdir = (uint32_t *)mp->b_cont->b_rptr;
3345 				if (!CR_DIRECTION_OK(*stopdir)) {
3346 					miocnak(wq, mp, 0, EINVAL);
3347 					return;
3348 				}
3349 
3350 				/* disable the queues until further notice */
3351 				if (*stopdir & CRYPT_ENCRYPT) {
3352 					noenable(wq);
3353 					tmi->ready &= ~CRYPT_WRITE_READY;
3354 				}
3355 				if (*stopdir & CRYPT_DECRYPT) {
3356 					noenable(RD(wq));
3357 					tmi->ready &= ~CRYPT_READ_READY;
3358 				}
3359 
3360 				miocack(wq, mp, 0, 0);
3361 			}
3362 			break;
3363 		case CRYPTIOCSTARTDEC:
3364 			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3365 					SL_TRACE|SL_NOTE,
3366 					"wput: got CRYPTIOCSTARTDEC "
3367 					"ioctl(%d)", iocp->ioc_cmd));
3368 
3369 			start_stream(wq, mp, CRYPT_DECRYPT);
3370 			break;
3371 		case CRYPTIOCSTARTENC:
3372 			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3373 					SL_TRACE|SL_NOTE,
3374 					"wput: got CRYPTIOCSTARTENC "
3375 					"ioctl(%d)", iocp->ioc_cmd));
3376 
3377 			start_stream(wq, mp, CRYPT_ENCRYPT);
3378 			break;
3379 		default:
3380 			putnext(wq, mp);
3381 			break;
3382 		}
3383 		break;
3384 	default:
3385 		if (queclass(mp) < QPCTL) {
3386 			if (wq->q_first != NULL || !canputnext(wq)) {
3387 				if (!putq(wq, mp))
3388 					freemsg(mp);
3389 				return;
3390 			}
3391 		}
3392 		putnext(wq, mp);
3393 		break;
3394 	}
3395 }
3396 
3397 /*
3398  * decrypt_rcmd_mblks
3399  *
3400  * Because kerberized r* commands(rsh, rlogin, etc)
3401  * use a 4 byte length field to indicate the # of
3402  * PLAINTEXT bytes that are encrypted in the field
3403  * that follows, we must parse out each message and
3404  * break out the length fields prior to sending them
3405  * upstream to our Solaris r* clients/servers which do
3406  * NOT understand this format.
3407  *
3408  * Kerberized/encrypted message format:
3409  * -------------------------------
3410  * | XXXX | N bytes of ciphertext|
3411  * -------------------------------
3412  *
3413  * Where: XXXX = number of plaintext bytes that were encrypted in
3414  *               to make the ciphertext field.  This is done
3415  *               because we are using a cipher that pads out to
3416  *               an 8 byte boundary.  We only want the application
3417  *               layer to see the correct number of plain text bytes,
3418  *               not plaintext + pad.  So, after we decrypt, we
3419  *               must trim the output block down to the intended
3420  *               plaintext length and eliminate the pad bytes.
3421  *
3422  * This routine takes the entire input message, breaks it into
3423  * a new message that does not contain these length fields and
3424  * returns a message consisting of mblks filled with just ciphertext.
3425  *
3426  */
3427 static mblk_t *
3428 decrypt_rcmd_mblks(queue_t *q, mblk_t *mp)
3429 {
3430 	mblk_t *newmp = NULL;
3431 	size_t msglen;
3432 	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
3433 
3434 	msglen = msgsize(mp);
3435 
3436 	/*
3437 	 * If we need the length field, get it here.
3438 	 * Test the "plaintext length" indicator.
3439 	 */
3440 	if (tmi->rcmd_state.pt_len == 0) {
3441 		uint32_t elen;
3442 		int tocopy;
3443 		mblk_t *nextp;
3444 
3445 		/*
3446 		 * Make sure we have recieved all 4 bytes of the
3447 		 * length field.
3448 		 */
3449 		while (mp != NULL) {
3450 			ASSERT(tmi->rcmd_state.cd_len < sizeof (uint32_t));
3451 
3452 			tocopy = sizeof (uint32_t) -
3453 				tmi->rcmd_state.cd_len;
3454 			if (tocopy > msglen)
3455 				tocopy = msglen;
3456 
3457 			ASSERT(mp->b_rptr + tocopy <= DB_LIM(mp));
3458 			bcopy(mp->b_rptr,
3459 				(char *)(&tmi->rcmd_state.next_len +
3460 					tmi->rcmd_state.cd_len), tocopy);
3461 
3462 			tmi->rcmd_state.cd_len += tocopy;
3463 
3464 			if (tmi->rcmd_state.cd_len >= sizeof (uint32_t)) {
3465 				tmi->rcmd_state.next_len =
3466 					ntohl(tmi->rcmd_state.next_len);
3467 				break;
3468 			}
3469 
3470 			nextp = mp->b_cont;
3471 			mp->b_cont = NULL;
3472 			freeb(mp);
3473 			mp = nextp;
3474 		}
3475 
3476 		if (mp == NULL) {
3477 			return (NULL);
3478 		}
3479 		/*
3480 		 * recalculate the msglen now that we've read the
3481 		 * length and adjusted the bufptr (b_rptr).
3482 		 */
3483 		msglen -= tocopy;
3484 		mp->b_rptr += tocopy;
3485 
3486 		tmi->rcmd_state.pt_len = tmi->rcmd_state.next_len;
3487 
3488 		if (tmi->rcmd_state.pt_len <= 0) {
3489 			/*
3490 			 * Return an IO error to break the connection. there
3491 			 * is no way to recover from this.  Usually it means
3492 			 * the app has incorrectly requested decryption on
3493 			 * a non-encrypted stream, thus the "pt_len" field
3494 			 * is negative.
3495 			 */
3496 			mp->b_datap->db_type = M_ERROR;
3497 			mp->b_rptr = mp->b_datap->db_base;
3498 			*mp->b_rptr = EIO;
3499 			mp->b_wptr = mp->b_rptr + sizeof (char);
3500 
3501 			freemsg(mp->b_cont);
3502 			mp->b_cont = NULL;
3503 			qreply(WR(q), mp);
3504 			tmi->rcmd_state.cd_len = tmi->rcmd_state.pt_len = 0;
3505 			return (NULL);
3506 		}
3507 
3508 		/*
3509 		 * If this is V2 mode, then the encrypted data is actually
3510 		 * 4 bytes bigger than the indicated len because the plaintext
3511 		 * length is encrypted for an additional security check, but
3512 		 * its not counted as part of the overall length we just read.
3513 		 * Strange and confusing, but true.
3514 		 */
3515 
3516 		if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
3517 			elen = tmi->rcmd_state.pt_len + 4;
3518 		else
3519 			elen = tmi->rcmd_state.pt_len;
3520 
3521 		tmi->rcmd_state.cd_len  = encrypt_size(&tmi->dec_data, elen);
3522 
3523 		/*
3524 		 * Allocate an mblk to hold the cipher text until it is
3525 		 * all ready to be processed.
3526 		 */
3527 		tmi->rcmd_state.c_msg = allocb(tmi->rcmd_state.cd_len,
3528 						BPRI_HI);
3529 		if (tmi->rcmd_state.c_msg == NULL) {
3530 #ifdef DEBUG
3531 			cmn_err(CE_WARN, "decrypt_rcmd_msgb: allocb failed "
3532 				"for %d bytes",
3533 				(int)tmi->rcmd_state.cd_len);
3534 #endif
3535 			/*
3536 			 * Return an IO error to break the connection.
3537 			 */
3538 			mp->b_datap->db_type = M_ERROR;
3539 			mp->b_rptr = mp->b_datap->db_base;
3540 			*mp->b_rptr = EIO;
3541 			mp->b_wptr = mp->b_rptr + sizeof (char);
3542 			freemsg(mp->b_cont);
3543 			mp->b_cont = NULL;
3544 			tmi->rcmd_state.cd_len = tmi->rcmd_state.pt_len = 0;
3545 			qreply(WR(q), mp);
3546 			return (NULL);
3547 		}
3548 	}
3549 
3550 	/*
3551 	 * If this entire message was just the length field,
3552 	 * free and return.  The actual data will probably be next.
3553 	 */
3554 	if (msglen == 0) {
3555 		freemsg(mp);
3556 		return (NULL);
3557 	}
3558 
3559 	/*
3560 	 * Copy as much of the cipher text as possible into
3561 	 * the new msgb (c_msg).
3562 	 *
3563 	 * Logic:  if we got some bytes (msglen) and we still
3564 	 * 	"need" some bytes (len-rcvd), get them here.
3565 	 */
3566 	ASSERT(tmi->rcmd_state.c_msg != NULL);
3567 	if (msglen > 0 &&
3568 	    (tmi->rcmd_state.cd_len > MBLKL(tmi->rcmd_state.c_msg))) {
3569 		mblk_t *bp, *nextp;
3570 		size_t n;
3571 
3572 		/*
3573 		 * Walk the mblks and copy just as many bytes as we need
3574 		 * for this particular block of cipher text.
3575 		 */
3576 		bp = mp;
3577 		while (bp != NULL) {
3578 			size_t needed;
3579 			size_t tocopy;
3580 			n = MBLKL(bp);
3581 
3582 			needed = tmi->rcmd_state.cd_len -
3583 				MBLKL(tmi->rcmd_state.c_msg);
3584 
3585 			tocopy = (needed >= n ? n : needed);
3586 
3587 			ASSERT(bp->b_rptr + tocopy <= DB_LIM(bp));
3588 			ASSERT(tmi->rcmd_state.c_msg->b_wptr + tocopy <=
3589 				DB_LIM(tmi->rcmd_state.c_msg));
3590 
3591 			/* Copy to end of new mblk */
3592 			bcopy(bp->b_rptr, tmi->rcmd_state.c_msg->b_wptr,
3593 				tocopy);
3594 
3595 			tmi->rcmd_state.c_msg->b_wptr += tocopy;
3596 
3597 			bp->b_rptr += tocopy;
3598 
3599 			nextp = bp->b_cont;
3600 
3601 			/*
3602 			 * If we used this whole block, free it and
3603 			 * move on.
3604 			 */
3605 			if (!MBLKL(bp)) {
3606 				freeb(bp);
3607 				bp = NULL;
3608 			}
3609 
3610 			/* If we got what we needed, stop the loop */
3611 			if (MBLKL(tmi->rcmd_state.c_msg) ==
3612 			    tmi->rcmd_state.cd_len) {
3613 				/*
3614 				 * If there is more data in the message,
3615 				 * its for another block of cipher text,
3616 				 * put it back in the queue for next time.
3617 				 */
3618 				if (bp) {
3619 					if (!putbq(q, bp))
3620 						freemsg(bp);
3621 				} else if (nextp != NULL) {
3622 					/*
3623 					 * If there is more, put it back in the
3624 					 * queue for another pass thru.
3625 					 */
3626 					if (!putbq(q, nextp))
3627 						freemsg(nextp);
3628 				}
3629 				break;
3630 			}
3631 			bp = nextp;
3632 		}
3633 	}
3634 	/*
3635 	 * Finally, if we received all the cipher text data for
3636 	 * this message, decrypt it into a new msg and send it up
3637 	 * to the app.
3638 	 */
3639 	if (tmi->rcmd_state.pt_len > 0 &&
3640 	    MBLKL(tmi->rcmd_state.c_msg) == tmi->rcmd_state.cd_len) {
3641 		mblk_t *bp;
3642 		mblk_t *newbp;
3643 
3644 		/*
3645 		 * Now we can use our msg that we created when the
3646 		 * initial message boundary was detected.
3647 		 */
3648 		bp = tmi->rcmd_state.c_msg;
3649 		tmi->rcmd_state.c_msg = NULL;
3650 
3651 		newbp = do_decrypt(q, bp);
3652 		if (newbp != NULL) {
3653 			bp = newbp;
3654 			/*
3655 			 * If using RCMD_MODE_V2 ("new" mode),
3656 			 * look at the 4 byte plaintext length that
3657 			 * was just decrypted and compare with the
3658 			 * original pt_len value that was received.
3659 			 */
3660 			if (tmi->dec_data.option_mask &
3661 			    CRYPTOPT_RCMD_MODE_V2) {
3662 				uint32_t pt_len2;
3663 
3664 				pt_len2 = *(uint32_t *)bp->b_rptr;
3665 				pt_len2 = ntohl(pt_len2);
3666 				/*
3667 				 * Make sure the 2 pt len fields agree.
3668 				 */
3669 				if (pt_len2 != tmi->rcmd_state.pt_len) {
3670 					cmn_err(CE_WARN,
3671 						"Inconsistent length fields"
3672 						" received %d != %d",
3673 						(int)tmi->rcmd_state.pt_len,
3674 						(int)pt_len2);
3675 					bp->b_datap->db_type = M_ERROR;
3676 					bp->b_rptr = bp->b_datap->db_base;
3677 					*bp->b_rptr = EIO;
3678 					bp->b_wptr = bp->b_rptr + sizeof (char);
3679 					freemsg(bp->b_cont);
3680 					bp->b_cont = NULL;
3681 					tmi->rcmd_state.cd_len = 0;
3682 					qreply(WR(q), bp);
3683 					return (NULL);
3684 				}
3685 				bp->b_rptr += sizeof (uint32_t);
3686 			}
3687 
3688 			/*
3689 			 * Trim the decrypted block the length originally
3690 			 * indicated by the sender.  This is to remove any
3691 			 * padding bytes that the sender added to satisfy
3692 			 * requirements of the crypto algorithm.
3693 			 */
3694 			bp->b_wptr = bp->b_rptr + tmi->rcmd_state.pt_len;
3695 
3696 			newmp = bp;
3697 
3698 			/*
3699 			 * Reset our state to indicate we are ready
3700 			 * for a new message.
3701 			 */
3702 			tmi->rcmd_state.pt_len = 0;
3703 			tmi->rcmd_state.cd_len = 0;
3704 		} else {
3705 #ifdef DEBUG
3706 			cmn_err(CE_WARN,
3707 				"decrypt_rcmd: do_decrypt on %d bytes failed",
3708 				(int)tmi->rcmd_state.cd_len);
3709 #endif
3710 			/*
3711 			 * do_decrypt already handled failures, just
3712 			 * return NULL.
3713 			 */
3714 			tmi->rcmd_state.pt_len = 0;
3715 			tmi->rcmd_state.cd_len = 0;
3716 			return (NULL);
3717 		}
3718 	}
3719 
3720 	/*
3721 	 * return the new message with the 'length' fields removed
3722 	 */
3723 	return (newmp);
3724 }
3725 
3726 /*
3727  * cryptmodrsrv
3728  *
3729  * Read queue service routine
3730  * Necessary because if the ready flag is not set
3731  * (via CRYPTIOCSTOP/CRYPTIOCSTART ioctls) then the data
3732  * must remain on queue and not be passed along.
3733  */
3734 static int
3735 cryptmodrsrv(queue_t *q)
3736 {
3737 	mblk_t *mp, *bp;
3738 	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
3739 
3740 	while ((mp = getq(q)) != NULL) {
3741 		switch (mp->b_datap->db_type) {
3742 		case M_DATA:
3743 			if (canputnext(q) && tmi->ready & CRYPT_READ_READY) {
3744 				/*
3745 				 * Process "rcmd" messages differently because
3746 				 * they contain a 4 byte plaintext length
3747 				 * id that needs to be removed.
3748 				 */
3749 				if (tmi->dec_data.method != CRYPT_METHOD_NONE &&
3750 				    (tmi->dec_data.option_mask &
3751 				    (CRYPTOPT_RCMD_MODE_V1 |
3752 				    CRYPTOPT_RCMD_MODE_V2))) {
3753 					mp = decrypt_rcmd_mblks(q, mp);
3754 					if (mp)
3755 						putnext(q, mp);
3756 					continue;
3757 				}
3758 				if ((bp = msgpullup(mp, -1)) != NULL) {
3759 					freemsg(mp);
3760 					if (MBLKL(bp) > 0) {
3761 						mp = do_decrypt(q, bp);
3762 						if (mp != NULL)
3763 							putnext(q, mp);
3764 					}
3765 				}
3766 			} else {
3767 				if (!putbq(q, mp)) {
3768 					freemsg(mp);
3769 				}
3770 				return (0);
3771 			}
3772 			break;
3773 		default:
3774 			/*
3775 			 * rput does not queue anything > QPCTL, so we don't
3776 			 * need to check for it here.
3777 			 */
3778 			if (!canputnext(q)) {
3779 				if (!putbq(q, mp))
3780 					freemsg(mp);
3781 				return (0);
3782 			}
3783 			putnext(q, mp);
3784 			break;
3785 		}
3786 	}
3787 	return (0);
3788 }
3789 
3790 
3791 /*
3792  * Read-side put procedure.
3793  */
3794 static void
3795 cryptmodrput(queue_t *rq, mblk_t *mp)
3796 {
3797 	switch (mp->b_datap->db_type) {
3798 	case M_DATA:
3799 		if (!putq(rq, mp)) {
3800 			freemsg(mp);
3801 		}
3802 		break;
3803 	case M_FLUSH:
3804 		if (*mp->b_rptr & FLUSHR) {
3805 			flushq(rq, FLUSHALL);
3806 		}
3807 		putnext(rq, mp);
3808 		break;
3809 	default:
3810 		if (queclass(mp) < QPCTL) {
3811 			if (rq->q_first != NULL || !canputnext(rq)) {
3812 				if (!putq(rq, mp))
3813 					freemsg(mp);
3814 				return;
3815 			}
3816 		}
3817 		putnext(rq, mp);
3818 		break;
3819 	}
3820 }
3821