xref: /illumos-gate/usr/src/uts/common/io/cryptmod.c (revision a07094369b21309434206d9b3601d162693466fc)
1 /*
2  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  *
5  * STREAMS Crypto Module
6  *
7  * This module is used to facilitate Kerberos encryption
8  * operations for the telnet daemon and rlogin daemon.
9  * Because the Solaris telnet and rlogin daemons run mostly
10  * in-kernel via 'telmod' and 'rlmod', this module must be
11  * pushed on the STREAM *below* telmod or rlmod.
12  *
13  * Parts of the 3DES key derivation code are covered by the
14  * following copyright.
15  *
16  * Copyright (C) 1998 by the FundsXpress, INC.
17  *
18  * All rights reserved.
19  *
20  * Export of this software from the United States of America may require
21  * a specific license from the United States Government.  It is the
22  * responsibility of any person or organization contemplating export to
23  * obtain such a license before exporting.
24  *
25  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
26  * distribute this software and its documentation for any purpose and
27  * without fee is hereby granted, provided that the above copyright
28  * notice appear in all copies and that both that copyright notice and
29  * this permission notice appear in supporting documentation, and that
30  * the name of FundsXpress. not be used in advertising or publicity pertaining
31  * to distribution of the software without specific, written prior
32  * permission.  FundsXpress makes no representations about the suitability of
33  * this software for any purpose.  It is provided "as is" without express
34  * or implied warranty.
35  *
36  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
37  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
38  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
39  */
40 #pragma ident	"%Z%%M%	%I%	%E% SMI"
41 
42 #include <sys/types.h>
43 #include <sys/sysmacros.h>
44 #include <sys/errno.h>
45 #include <sys/debug.h>
46 #include <sys/time.h>
47 #include <sys/stropts.h>
48 #include <sys/stream.h>
49 #include <sys/strsubr.h>
50 #include <sys/strlog.h>
51 #include <sys/cmn_err.h>
52 #include <sys/conf.h>
53 #include <sys/sunddi.h>
54 #include <sys/kmem.h>
55 #include <sys/strsun.h>
56 #include <sys/random.h>
57 #include <sys/types.h>
58 #include <sys/byteorder.h>
59 #include <sys/cryptmod.h>
60 #include <sys/crc32.h>
61 #include <sys/policy.h>
62 
63 #include <sys/crypto/api.h>
64 
65 #include <sys/strft.h>
66 /*
67  * Function prototypes.
68  */
69 static	int	cryptmodopen(queue_t *, dev_t *, int, int, cred_t *);
70 static  void	cryptmodrput(queue_t *, mblk_t *);
71 static  void	cryptmodwput(queue_t *, mblk_t *);
72 static	int	cryptmodclose(queue_t *);
73 static	int	cryptmodwsrv(queue_t *);
74 static	int	cryptmodrsrv(queue_t *);
75 
76 static mblk_t *do_encrypt(queue_t *q, mblk_t *mp);
77 static mblk_t *do_decrypt(queue_t *q, mblk_t *mp);
78 
79 #define	CRYPTMOD_ID 5150
80 
81 #define	CFB_BLKSZ 8
82 
83 #define	K5CLENGTH 5
84 
85 static struct module_info	cryptmod_minfo = {
86 	CRYPTMOD_ID,	/* mi_idnum */
87 	"cryptmod",	/* mi_idname */
88 	0,		/* mi_minpsz */
89 	INFPSZ,		/* mi_maxpsz */
90 	65536,		/* mi_hiwat */
91 	1024		/* mi_lowat */
92 };
93 
94 static struct qinit	cryptmod_rinit = {
95 	(int (*)())cryptmodrput,	/* qi_putp */
96 	cryptmodrsrv,	/* qi_svc */
97 	cryptmodopen,	/* qi_qopen */
98 	cryptmodclose,	/* qi_qclose */
99 	NULL,		/* qi_qadmin */
100 	&cryptmod_minfo,	/* qi_minfo */
101 	NULL		/* qi_mstat */
102 };
103 
104 static struct qinit	cryptmod_winit = {
105 	(int (*)())cryptmodwput,	/* qi_putp */
106 	cryptmodwsrv,	/* qi_srvp */
107 	NULL,		/* qi_qopen */
108 	NULL,		/* qi_qclose */
109 	NULL,		/* qi_qadmin */
110 	&cryptmod_minfo,	/* qi_minfo */
111 	NULL		/* qi_mstat */
112 };
113 
114 static struct streamtab	cryptmod_info = {
115 	&cryptmod_rinit,	/* st_rdinit */
116 	&cryptmod_winit,	/* st_wrinit */
117 	NULL,	/* st_muxrinit */
118 	NULL	/* st_muxwinit */
119 };
120 
121 typedef struct {
122 	uint_t hash_len;
123 	uint_t confound_len;
124 	int (*hashfunc)();
125 } hash_info_t;
126 
127 #define	MAX_CKSUM_LEN 20
128 #define	CONFOUNDER_LEN 8
129 
130 #define	SHA1_HASHSIZE 20
131 #define	MD5_HASHSIZE 16
132 #define	CRC32_HASHSIZE 4
133 
134 static int crc32_calc(uchar_t *, uchar_t *, uint_t);
135 static int md5_calc(uchar_t *, uchar_t *, uint_t);
136 static int sha1_calc(uchar_t *, uchar_t *, uint_t);
137 
138 static hash_info_t null_hash = {0, 0, NULL};
139 static hash_info_t crc32_hash = {CRC32_HASHSIZE, CONFOUNDER_LEN, crc32_calc};
140 static hash_info_t md5_hash = {MD5_HASHSIZE, CONFOUNDER_LEN, md5_calc};
141 static hash_info_t sha1_hash = {SHA1_HASHSIZE, CONFOUNDER_LEN, sha1_calc};
142 
143 static crypto_mech_type_t sha1_hmac_mech = CRYPTO_MECH_INVALID;
144 static crypto_mech_type_t md5_hmac_mech = CRYPTO_MECH_INVALID;
145 static crypto_mech_type_t sha1_hash_mech = CRYPTO_MECH_INVALID;
146 static crypto_mech_type_t md5_hash_mech = CRYPTO_MECH_INVALID;
147 
148 static int kef_crypt(struct cipher_data_t *, void *,
149 		    crypto_data_format_t, size_t, int);
150 static mblk_t *
151 arcfour_hmac_md5_encrypt(queue_t *, struct tmodinfo *,
152 		mblk_t *, hash_info_t *);
153 static mblk_t *
154 arcfour_hmac_md5_decrypt(queue_t *, struct tmodinfo *,
155 		mblk_t *, hash_info_t *);
156 
157 static int
158 do_hmac(crypto_mech_type_t, crypto_key_t *, char *, int, char *, int);
159 
160 /*
161  * This is the loadable module wrapper.
162  */
163 #include <sys/modctl.h>
164 
165 static struct fmodsw fsw = {
166 	"cryptmod",
167 	&cryptmod_info,
168 	D_MP | D_MTQPAIR
169 };
170 
171 /*
172  * Module linkage information for the kernel.
173  */
174 static struct modlstrmod modlstrmod = {
175 	&mod_strmodops,
176 	"STREAMS encryption module %I%",
177 	&fsw
178 };
179 
180 static struct modlinkage modlinkage = {
181 	MODREV_1,
182 	&modlstrmod,
183 	NULL
184 };
185 
186 int
187 _init(void)
188 {
189 	return (mod_install(&modlinkage));
190 }
191 
192 int
193 _fini(void)
194 {
195 	return (mod_remove(&modlinkage));
196 }
197 
198 int
199 _info(struct modinfo *modinfop)
200 {
201 	return (mod_info(&modlinkage, modinfop));
202 }
203 
204 static void
205 cleanup(struct cipher_data_t *cd)
206 {
207 	if (cd->key != NULL) {
208 		bzero(cd->key, cd->keylen);
209 		kmem_free(cd->key, cd->keylen);
210 		cd->key = NULL;
211 	}
212 
213 	if (cd->ckey != NULL) {
214 		/*
215 		 * ckey is a crypto_key_t structure which references
216 		 * "cd->key" for its raw key data.  Since that was already
217 		 * cleared out, we don't need another "bzero" here.
218 		 */
219 		kmem_free(cd->ckey, sizeof (crypto_key_t));
220 		cd->ckey = NULL;
221 	}
222 
223 	if (cd->block != NULL) {
224 		kmem_free(cd->block, cd->blocklen);
225 		cd->block = NULL;
226 	}
227 
228 	if (cd->saveblock != NULL) {
229 		kmem_free(cd->saveblock, cd->blocklen);
230 		cd->saveblock = NULL;
231 	}
232 
233 	if (cd->ivec != NULL) {
234 		kmem_free(cd->ivec, cd->ivlen);
235 		cd->ivec = NULL;
236 	}
237 
238 	if (cd->d_encr_key.ck_data != NULL) {
239 		bzero(cd->d_encr_key.ck_data, cd->keylen);
240 		kmem_free(cd->d_encr_key.ck_data, cd->keylen);
241 	}
242 
243 	if (cd->d_hmac_key.ck_data != NULL) {
244 		bzero(cd->d_hmac_key.ck_data, cd->keylen);
245 		kmem_free(cd->d_hmac_key.ck_data, cd->keylen);
246 	}
247 
248 	if (cd->enc_tmpl != NULL)
249 		(void) crypto_destroy_ctx_template(cd->enc_tmpl);
250 
251 	if (cd->hmac_tmpl != NULL)
252 		(void) crypto_destroy_ctx_template(cd->hmac_tmpl);
253 
254 	if (cd->ctx != NULL) {
255 		crypto_cancel_ctx(cd->ctx);
256 		cd->ctx = NULL;
257 	}
258 }
259 
260 /* ARGSUSED */
261 static int
262 cryptmodopen(queue_t *rq, dev_t *dev, int oflag, int sflag, cred_t *crp)
263 {
264 	struct tmodinfo	*tmi;
265 	ASSERT(rq);
266 
267 	if (sflag != MODOPEN)
268 		return (EINVAL);
269 
270 	(void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE,
271 			"cryptmodopen: opening module(PID %d)",
272 			ddi_get_pid()));
273 
274 	if (rq->q_ptr != NULL) {
275 		cmn_err(CE_WARN, "cryptmodopen: already opened");
276 		return (0);
277 	}
278 
279 	/*
280 	 * Allocate and initialize per-Stream structure.
281 	 */
282 	tmi = (struct tmodinfo *)kmem_zalloc(sizeof (struct tmodinfo),
283 						KM_SLEEP);
284 
285 	tmi->enc_data.method = CRYPT_METHOD_NONE;
286 	tmi->dec_data.method = CRYPT_METHOD_NONE;
287 
288 	tmi->ready = (CRYPT_READ_READY | CRYPT_WRITE_READY);
289 
290 	rq->q_ptr = WR(rq)->q_ptr = tmi;
291 
292 	sha1_hmac_mech = crypto_mech2id(SUN_CKM_SHA1_HMAC);
293 	md5_hmac_mech = crypto_mech2id(SUN_CKM_MD5_HMAC);
294 	sha1_hash_mech = crypto_mech2id(SUN_CKM_SHA1);
295 	md5_hash_mech = crypto_mech2id(SUN_CKM_MD5);
296 
297 	qprocson(rq);
298 
299 	return (0);
300 }
301 
302 static int
303 cryptmodclose(queue_t *rq)
304 {
305 	struct tmodinfo *tmi = (struct tmodinfo *)rq->q_ptr;
306 	ASSERT(tmi);
307 
308 	qprocsoff(rq);
309 
310 	cleanup(&tmi->enc_data);
311 	cleanup(&tmi->dec_data);
312 
313 	kmem_free(tmi, sizeof (struct tmodinfo));
314 	rq->q_ptr = WR(rq)->q_ptr = NULL;
315 
316 	return (0);
317 }
318 
319 /*
320  * plaintext_offset
321  *
322  * Calculate exactly how much space is needed in front
323  * of the "plaintext" in an mbuf so it can be positioned
324  * 1 time instead of potentially moving the data multiple
325  * times.
326  */
327 static int
328 plaintext_offset(struct cipher_data_t *cd)
329 {
330 	int headspace = 0;
331 
332 	/* 4 byte length prepended to all RCMD msgs */
333 	if (ANY_RCMD_MODE(cd->option_mask))
334 		headspace += RCMD_LEN_SZ;
335 
336 	/* RCMD V2 mode adds an additional 4 byte plaintext length */
337 	if (cd->option_mask & CRYPTOPT_RCMD_MODE_V2)
338 		headspace += RCMD_LEN_SZ;
339 
340 	/* Need extra space for hash and counfounder */
341 	switch (cd->method) {
342 	case CRYPT_METHOD_DES_CBC_NULL:
343 		headspace += null_hash.hash_len + null_hash.confound_len;
344 		break;
345 	case CRYPT_METHOD_DES_CBC_CRC:
346 		headspace += crc32_hash.hash_len + crc32_hash.confound_len;
347 		break;
348 	case CRYPT_METHOD_DES_CBC_MD5:
349 		headspace += md5_hash.hash_len + md5_hash.confound_len;
350 		break;
351 	case CRYPT_METHOD_DES3_CBC_SHA1:
352 		headspace += sha1_hash.confound_len;
353 		break;
354 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
355 		headspace += md5_hash.hash_len + md5_hash.confound_len;
356 		break;
357 	case CRYPT_METHOD_AES128:
358 	case CRYPT_METHOD_AES256:
359 		headspace += DEFAULT_AES_BLOCKLEN;
360 		break;
361 	case CRYPT_METHOD_DES_CFB:
362 	case CRYPT_METHOD_NONE:
363 		break;
364 	}
365 
366 	return (headspace);
367 }
368 /*
369  * encrypt_size
370  *
371  * Calculate the resulting size when encrypting 'plainlen' bytes
372  * of data.
373  */
374 static size_t
375 encrypt_size(struct cipher_data_t *cd, size_t plainlen)
376 {
377 	size_t cipherlen;
378 
379 	switch (cd->method) {
380 	case CRYPT_METHOD_DES_CBC_NULL:
381 		cipherlen = (size_t)P2ROUNDUP(null_hash.hash_len +
382 					    plainlen, 8);
383 		break;
384 	case CRYPT_METHOD_DES_CBC_MD5:
385 		cipherlen = (size_t)P2ROUNDUP(md5_hash.hash_len +
386 					    md5_hash.confound_len +
387 					    plainlen, 8);
388 		break;
389 	case CRYPT_METHOD_DES_CBC_CRC:
390 		cipherlen = (size_t)P2ROUNDUP(crc32_hash.hash_len +
391 					    crc32_hash.confound_len +
392 					    plainlen, 8);
393 		break;
394 	case CRYPT_METHOD_DES3_CBC_SHA1:
395 		cipherlen = (size_t)P2ROUNDUP(sha1_hash.confound_len +
396 					    plainlen, 8) +
397 					    sha1_hash.hash_len;
398 		break;
399 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
400 		cipherlen = (size_t)P2ROUNDUP(md5_hash.confound_len +
401 				plainlen, 1) + md5_hash.hash_len;
402 		break;
403 	case CRYPT_METHOD_AES128:
404 	case CRYPT_METHOD_AES256:
405 		/* No roundup for AES-CBC-CTS */
406 		cipherlen = DEFAULT_AES_BLOCKLEN + plainlen +
407 			AES_TRUNCATED_HMAC_LEN;
408 		break;
409 	case CRYPT_METHOD_DES_CFB:
410 	case CRYPT_METHOD_NONE:
411 		cipherlen = plainlen;
412 		break;
413 	}
414 
415 	return (cipherlen);
416 }
417 
418 /*
419  * des_cfb_encrypt
420  *
421  * Encrypt the mblk data using DES with cipher feedback.
422  *
423  * Given that V[i] is the initial 64 bit vector, V[n] is the nth 64 bit
424  * vector, D[n] is the nth chunk of 64 bits of data to encrypt
425  * (decrypt), and O[n] is the nth chunk of 64 bits of encrypted
426  * (decrypted) data, then:
427  *
428  *  V[0] = DES(V[i], key)
429  *  O[n] = D[n] <exclusive or > V[n]
430  *  V[n+1] = DES(O[n], key)
431  *
432  * The size of the message being encrypted does not change in this
433  * algorithm, num_bytes in == num_bytes out.
434  */
435 static mblk_t *
436 des_cfb_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
437 {
438 	int savedbytes;
439 	char *iptr, *optr, *lastoutput;
440 
441 	lastoutput = optr = (char *)mp->b_rptr;
442 	iptr = (char *)mp->b_rptr;
443 	savedbytes = tmi->enc_data.bytes % CFB_BLKSZ;
444 
445 	while (iptr < (char *)mp->b_wptr) {
446 		/*
447 		 * Do DES-ECB.
448 		 * The first time this runs, the 'tmi->enc_data.block' will
449 		 * contain the initialization vector that should have been
450 		 * passed in with the SETUP ioctl.
451 		 *
452 		 * V[n] = DES(V[n-1], key)
453 		 */
454 		if (!(tmi->enc_data.bytes % CFB_BLKSZ)) {
455 			int retval = 0;
456 			retval = kef_crypt(&tmi->enc_data,
457 					tmi->enc_data.block,
458 					CRYPTO_DATA_RAW,
459 					tmi->enc_data.blocklen,
460 					CRYPT_ENCRYPT);
461 
462 			if (retval != CRYPTO_SUCCESS) {
463 #ifdef DEBUG
464 				cmn_err(CE_WARN, "des_cfb_encrypt: kef_crypt "
465 					"failed - error 0x%0x", retval);
466 #endif
467 				mp->b_datap->db_type = M_ERROR;
468 				mp->b_rptr = mp->b_datap->db_base;
469 				*mp->b_rptr = EIO;
470 				mp->b_wptr = mp->b_rptr + sizeof (char);
471 				freemsg(mp->b_cont);
472 				mp->b_cont = NULL;
473 				qreply(WR(q), mp);
474 				return (NULL);
475 			}
476 		}
477 
478 		/* O[n] = I[n] ^ V[n] */
479 		*(optr++) = *(iptr++) ^
480 		    tmi->enc_data.block[tmi->enc_data.bytes % CFB_BLKSZ];
481 
482 		tmi->enc_data.bytes++;
483 		/*
484 		 * Feedback the encrypted output as the input to next DES call.
485 		 */
486 		if (!(tmi->enc_data.bytes % CFB_BLKSZ)) {
487 			char *dbptr = tmi->enc_data.block;
488 			/*
489 			 * Get the last bits of input from the previous
490 			 * msg block that we haven't yet used as feedback input.
491 			 */
492 			if (savedbytes > 0) {
493 				bcopy(tmi->enc_data.saveblock,
494 				    dbptr, (size_t)savedbytes);
495 				dbptr += savedbytes;
496 			}
497 
498 			/*
499 			 * Now copy the correct bytes from the current input
500 			 * stream and update the 'lastoutput' ptr
501 			 */
502 			bcopy(lastoutput, dbptr,
503 				(size_t)(CFB_BLKSZ - savedbytes));
504 
505 			lastoutput += (CFB_BLKSZ - savedbytes);
506 			savedbytes = 0;
507 		}
508 	}
509 	/*
510 	 * If there are bytes of input here that we need in the next
511 	 * block to build an ivec, save them off here.
512 	 */
513 	if (lastoutput < optr) {
514 		bcopy(lastoutput,
515 		    tmi->enc_data.saveblock + savedbytes,
516 		    (uint_t)(optr - lastoutput));
517 	}
518 	return (mp);
519 }
520 
521 /*
522  * des_cfb_decrypt
523  *
524  * Decrypt the data in the mblk using DES in Cipher Feedback mode
525  *
526  * # bytes in == # bytes out, no padding, confounding, or hashing
527  * is added.
528  *
529  */
530 static mblk_t *
531 des_cfb_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
532 {
533 	uint_t len;
534 	uint_t savedbytes;
535 	char *iptr;
536 	char *lastinput;
537 	uint_t cp;
538 
539 	len = MBLKL(mp);
540 
541 	/* decrypted output goes into the new data buffer */
542 	lastinput = iptr = (char *)mp->b_rptr;
543 
544 	savedbytes = tmi->dec_data.bytes % tmi->dec_data.blocklen;
545 
546 	/*
547 	 * Save the input CFB_BLKSZ bytes at a time.
548 	 * We are trying to decrypt in-place, but need to keep
549 	 * a small sliding window of encrypted text to be
550 	 * used to construct the feedback buffer.
551 	 */
552 	cp = ((tmi->dec_data.blocklen - savedbytes) > len ? len :
553 		tmi->dec_data.blocklen - savedbytes);
554 
555 	bcopy(lastinput, tmi->dec_data.saveblock + savedbytes, cp);
556 	savedbytes += cp;
557 
558 	lastinput += cp;
559 
560 	while (iptr < (char *)mp->b_wptr) {
561 		/*
562 		 * Do DES-ECB.
563 		 * The first time this runs, the 'tmi->dec_data.block' will
564 		 * contain the initialization vector that should have been
565 		 * passed in with the SETUP ioctl.
566 		 */
567 		if (!(tmi->dec_data.bytes % CFB_BLKSZ)) {
568 			int retval;
569 			retval = kef_crypt(&tmi->dec_data,
570 					tmi->dec_data.block,
571 					CRYPTO_DATA_RAW,
572 					tmi->dec_data.blocklen,
573 					CRYPT_ENCRYPT);
574 
575 			if (retval != CRYPTO_SUCCESS) {
576 #ifdef DEBUG
577 				cmn_err(CE_WARN, "des_cfb_decrypt: kef_crypt "
578 					"failed - status 0x%0x", retval);
579 #endif
580 				mp->b_datap->db_type = M_ERROR;
581 				mp->b_rptr = mp->b_datap->db_base;
582 				*mp->b_rptr = EIO;
583 				mp->b_wptr = mp->b_rptr + sizeof (char);
584 				freemsg(mp->b_cont);
585 				mp->b_cont = NULL;
586 				qreply(WR(q), mp);
587 				return (NULL);
588 			}
589 		}
590 
591 		/*
592 		 * To decrypt, XOR the input with the output from the DES call
593 		 */
594 		*(iptr++) ^= tmi->dec_data.block[tmi->dec_data.bytes %
595 				CFB_BLKSZ];
596 
597 		tmi->dec_data.bytes++;
598 
599 		/*
600 		 * Feedback the encrypted input for next DES call.
601 		 */
602 		if (!(tmi->dec_data.bytes % tmi->dec_data.blocklen)) {
603 			char *dbptr = tmi->dec_data.block;
604 			/*
605 			 * Get the last bits of input from the previous block
606 			 * that we haven't yet processed.
607 			 */
608 			if (savedbytes > 0) {
609 				bcopy(tmi->dec_data.saveblock,
610 				    dbptr, savedbytes);
611 				dbptr += savedbytes;
612 			}
613 
614 			savedbytes = 0;
615 
616 			/*
617 			 * This block makes sure that our local
618 			 * buffer of input data is full and can
619 			 * be accessed from the beginning.
620 			 */
621 			if (lastinput < (char *)mp->b_wptr) {
622 
623 				/* How many bytes are left in the mblk? */
624 				cp = (((char *)mp->b_wptr - lastinput) >
625 					tmi->dec_data.blocklen ?
626 					tmi->dec_data.blocklen :
627 					(char *)mp->b_wptr - lastinput);
628 
629 				/* copy what we need */
630 				bcopy(lastinput, tmi->dec_data.saveblock,
631 					cp);
632 
633 				lastinput += cp;
634 				savedbytes = cp;
635 			}
636 		}
637 	}
638 
639 	return (mp);
640 }
641 
642 /*
643  * crc32_calc
644  *
645  * Compute a CRC32 checksum on the input
646  */
647 static int
648 crc32_calc(uchar_t *buf, uchar_t *input, uint_t len)
649 {
650 	uint32_t crc;
651 
652 	CRC32(crc, input, len, 0, crc32_table);
653 
654 	buf[0] = (uchar_t)(crc & 0xff);
655 	buf[1] = (uchar_t)((crc >> 8) & 0xff);
656 	buf[2] = (uchar_t)((crc >> 16) & 0xff);
657 	buf[3] = (uchar_t)((crc >> 24) & 0xff);
658 
659 	return (CRYPTO_SUCCESS);
660 }
661 
662 static int
663 kef_digest(crypto_mech_type_t digest_type,
664 	uchar_t *input, uint_t inlen,
665 	uchar_t *output, uint_t hashlen)
666 {
667 	iovec_t v1, v2;
668 	crypto_data_t d1, d2;
669 	crypto_mechanism_t mech;
670 	int rv;
671 
672 	mech.cm_type = digest_type;
673 	mech.cm_param = 0;
674 	mech.cm_param_len = 0;
675 
676 	v1.iov_base = (void *)input;
677 	v1.iov_len = inlen;
678 
679 	d1.cd_format = CRYPTO_DATA_RAW;
680 	d1.cd_offset = 0;
681 	d1.cd_length = v1.iov_len;
682 	d1.cd_raw = v1;
683 
684 	v2.iov_base = (void *)output;
685 	v2.iov_len = hashlen;
686 
687 	d2.cd_format = CRYPTO_DATA_RAW;
688 	d2.cd_offset = 0;
689 	d2.cd_length = v2.iov_len;
690 	d2.cd_raw = v2;
691 
692 	rv = crypto_digest(&mech, &d1, &d2, NULL);
693 
694 	return (rv);
695 }
696 
697 /*
698  * sha1_calc
699  *
700  * Get a SHA1 hash on the input data.
701  */
702 static int
703 sha1_calc(uchar_t *output, uchar_t *input, uint_t inlen)
704 {
705 	int rv;
706 
707 	rv = kef_digest(sha1_hash_mech, input, inlen, output, SHA1_HASHSIZE);
708 
709 	return (rv);
710 }
711 
712 /*
713  * Get an MD5 hash on the input data.
714  * md5_calc
715  *
716  */
717 static int
718 md5_calc(uchar_t *output, uchar_t *input, uint_t inlen)
719 {
720 	int rv;
721 
722 	rv = kef_digest(md5_hash_mech, input, inlen, output, MD5_HASHSIZE);
723 
724 	return (rv);
725 }
726 
727 /*
728  * nfold
729  * duplicate the functionality of the krb5_nfold function from
730  * the userland kerberos mech.
731  * This is needed to derive keys for use with 3DES/SHA1-HMAC
732  * ciphers.
733  */
734 static void
735 nfold(int inbits, uchar_t *in, int outbits, uchar_t *out)
736 {
737 	int a, b, c, lcm;
738 	int byte, i, msbit;
739 
740 	inbits >>= 3;
741 	outbits >>= 3;
742 
743 	/* first compute lcm(n,k) */
744 	a = outbits;
745 	b = inbits;
746 
747 	while (b != 0) {
748 		c = b;
749 		b = a%b;
750 		a = c;
751 	}
752 
753 	lcm = outbits*inbits/a;
754 
755 	/* now do the real work */
756 
757 	bzero(out, outbits);
758 	byte = 0;
759 
760 	/*
761 	 * Compute the msbit in k which gets added into this byte
762 	 * first, start with the msbit in the first, unrotated byte
763 	 * then, for each byte, shift to the right for each repetition
764 	 * last, pick out the correct byte within that shifted repetition
765 	 */
766 	for (i = lcm-1; i >= 0; i--) {
767 		msbit = (((inbits<<3)-1)
768 			+(((inbits<<3)+13)*(i/inbits))
769 			+((inbits-(i%inbits))<<3)) %(inbits<<3);
770 
771 		/* pull out the byte value itself */
772 		byte += (((in[((inbits-1)-(msbit>>3))%inbits]<<8)|
773 			(in[((inbits)-(msbit>>3))%inbits]))
774 			>>((msbit&7)+1))&0xff;
775 
776 		/* do the addition */
777 		byte += out[i%outbits];
778 		out[i%outbits] = byte&0xff;
779 
780 		byte >>= 8;
781 	}
782 
783 	/* if there's a carry bit left over, add it back in */
784 	if (byte) {
785 		for (i = outbits-1; i >= 0; i--) {
786 			/* do the addition */
787 			byte += out[i];
788 			out[i] = byte&0xff;
789 
790 			/* keep around the carry bit, if any */
791 			byte >>= 8;
792 		}
793 	}
794 }
795 
796 #define	smask(step) ((1<<step)-1)
797 #define	pstep(x, step) (((x)&smask(step))^(((x)>>step)&smask(step)))
798 #define	parity_char(x) pstep(pstep(pstep((x), 4), 2), 1)
799 
800 /*
801  * Duplicate the functionality of the "dk_derive_key" function
802  * in the Kerberos mechanism.
803  */
804 static int
805 derive_key(struct cipher_data_t *cdata, uchar_t *constdata,
806 	int constlen, char *dkey, int keybytes,
807 	int blocklen)
808 {
809 	int rv = 0;
810 	int n = 0, i;
811 	char *inblock;
812 	char *rawkey;
813 	char *zeroblock;
814 	char *saveblock;
815 
816 	inblock = kmem_zalloc(blocklen, KM_SLEEP);
817 	rawkey = kmem_zalloc(keybytes, KM_SLEEP);
818 	zeroblock = kmem_zalloc(blocklen, KM_SLEEP);
819 
820 	if (constlen == blocklen)
821 		bcopy(constdata, inblock, blocklen);
822 	else
823 		nfold(constlen * 8, constdata,
824 			blocklen * 8, (uchar_t *)inblock);
825 
826 	/*
827 	 * zeroblock is an IV of all 0's.
828 	 *
829 	 * The "block" section of the cdata record is used as the
830 	 * IV for crypto operations in the kef_crypt function.
831 	 *
832 	 * We use 'block' as a generic IV data buffer because it
833 	 * is attached to the stream state data and thus can
834 	 * be used to hold information that must carry over
835 	 * from processing of one mblk to another.
836 	 *
837 	 * Here, we save the current IV and replace it with
838 	 * and empty IV (all 0's) for use when deriving the
839 	 * keys.  Once the key derivation is done, we swap the
840 	 * old IV back into place.
841 	 */
842 	saveblock = cdata->block;
843 	cdata->block = zeroblock;
844 
845 	while (n < keybytes) {
846 		rv = kef_crypt(cdata, inblock, CRYPTO_DATA_RAW,
847 				blocklen, CRYPT_ENCRYPT);
848 		if (rv != CRYPTO_SUCCESS) {
849 			/* put the original IV block back in place */
850 			cdata->block = saveblock;
851 			cmn_err(CE_WARN, "failed to derive a key: %0x", rv);
852 			goto cleanup;
853 		}
854 
855 		if (keybytes - n < blocklen) {
856 			bcopy(inblock, rawkey+n, (keybytes-n));
857 			break;
858 		}
859 		bcopy(inblock, rawkey+n, blocklen);
860 		n += blocklen;
861 	}
862 	/* put the original IV block back in place */
863 	cdata->block = saveblock;
864 
865 	/* finally, make the key */
866 	if (cdata->method == CRYPT_METHOD_DES3_CBC_SHA1) {
867 		/*
868 		 * 3DES key derivation requires that we make sure the
869 		 * key has the proper parity.
870 		 */
871 		for (i = 0; i < 3; i++) {
872 			bcopy(rawkey+(i*7), dkey+(i*8), 7);
873 
874 			/* 'dkey' is our derived key output buffer */
875 			dkey[i*8+7] = (((dkey[i*8]&1)<<1) |
876 					((dkey[i*8+1]&1)<<2) |
877 					((dkey[i*8+2]&1)<<3) |
878 					((dkey[i*8+3]&1)<<4) |
879 					((dkey[i*8+4]&1)<<5) |
880 					((dkey[i*8+5]&1)<<6) |
881 					((dkey[i*8+6]&1)<<7));
882 
883 			for (n = 0; n < 8; n++) {
884 				dkey[i*8 + n] &=  0xfe;
885 				dkey[i*8 + n] |= 1^parity_char(dkey[i*8 + n]);
886 			}
887 		}
888 	} else if (IS_AES_METHOD(cdata->method)) {
889 		bcopy(rawkey, dkey, keybytes);
890 	}
891 cleanup:
892 	kmem_free(inblock, blocklen);
893 	kmem_free(zeroblock, blocklen);
894 	kmem_free(rawkey, keybytes);
895 	return (rv);
896 }
897 
898 /*
899  * create_derived_keys
900  *
901  * Algorithm for deriving a new key and an HMAC key
902  * before computing the 3DES-SHA1-HMAC operation on the plaintext
903  * This algorithm matches the work done by Kerberos mechanism
904  * in userland.
905  */
906 static int
907 create_derived_keys(struct cipher_data_t *cdata, uint32_t usage,
908 		crypto_key_t *enckey, crypto_key_t *hmackey)
909 {
910 	uchar_t constdata[K5CLENGTH];
911 	int keybytes;
912 	int rv;
913 
914 	constdata[0] = (usage>>24)&0xff;
915 	constdata[1] = (usage>>16)&0xff;
916 	constdata[2] = (usage>>8)&0xff;
917 	constdata[3] = usage & 0xff;
918 	/* Use "0xAA" for deriving encryption key */
919 	constdata[4] = 0xAA; /* from MIT Kerberos code */
920 
921 	enckey->ck_length = cdata->keylen * 8;
922 	enckey->ck_format = CRYPTO_KEY_RAW;
923 	enckey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP);
924 
925 	switch (cdata->method) {
926 		case CRYPT_METHOD_DES_CFB:
927 		case CRYPT_METHOD_DES_CBC_NULL:
928 		case CRYPT_METHOD_DES_CBC_MD5:
929 		case CRYPT_METHOD_DES_CBC_CRC:
930 			keybytes = 8;
931 			break;
932 		case CRYPT_METHOD_DES3_CBC_SHA1:
933 			keybytes = CRYPT_DES3_KEYBYTES;
934 			break;
935 		case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
936 		case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
937 			keybytes = CRYPT_ARCFOUR_KEYBYTES;
938 			break;
939 		case CRYPT_METHOD_AES128:
940 			keybytes = CRYPT_AES128_KEYBYTES;
941 			break;
942 		case CRYPT_METHOD_AES256:
943 			keybytes = CRYPT_AES256_KEYBYTES;
944 			break;
945 	}
946 
947 	/* derive main crypto key */
948 	rv = derive_key(cdata, constdata, sizeof (constdata),
949 		enckey->ck_data, keybytes, cdata->blocklen);
950 
951 	if (rv == CRYPTO_SUCCESS) {
952 
953 		/* Use "0x55" for deriving mac key */
954 		constdata[4] = 0x55;
955 
956 		hmackey->ck_length = cdata->keylen * 8;
957 		hmackey->ck_format = CRYPTO_KEY_RAW;
958 		hmackey->ck_data = kmem_zalloc(cdata->keylen, KM_SLEEP);
959 
960 		rv = derive_key(cdata, constdata, sizeof (constdata),
961 				hmackey->ck_data, keybytes,
962 				cdata->blocklen);
963 	} else {
964 		cmn_err(CE_WARN, "failed to derive crypto key: %02x", rv);
965 	}
966 
967 	return (rv);
968 }
969 
970 /*
971  * Compute 3-DES crypto and HMAC.
972  */
973 static int
974 kef_decr_hmac(struct cipher_data_t *cdata,
975 	mblk_t *mp, int length,
976 	char *hmac, int hmaclen)
977 {
978 	int rv = CRYPTO_FAILED;
979 
980 	crypto_mechanism_t encr_mech;
981 	crypto_mechanism_t mac_mech;
982 	crypto_data_t dd;
983 	crypto_data_t mac;
984 	iovec_t v1;
985 
986 	ASSERT(cdata != NULL);
987 	ASSERT(mp != NULL);
988 	ASSERT(hmac != NULL);
989 
990 	bzero(&dd, sizeof (dd));
991 	dd.cd_format = CRYPTO_DATA_MBLK;
992 	dd.cd_offset = 0;
993 	dd.cd_length = length;
994 	dd.cd_mp = mp;
995 
996 	v1.iov_base = hmac;
997 	v1.iov_len = hmaclen;
998 
999 	mac.cd_format = CRYPTO_DATA_RAW;
1000 	mac.cd_offset = 0;
1001 	mac.cd_length = hmaclen;
1002 	mac.cd_raw = v1;
1003 
1004 	/*
1005 	 * cdata->block holds the IVEC
1006 	 */
1007 	encr_mech.cm_type = cdata->mech_type;
1008 	encr_mech.cm_param = cdata->block;
1009 
1010 	if (cdata->block != NULL)
1011 		encr_mech.cm_param_len = cdata->blocklen;
1012 	else
1013 		encr_mech.cm_param_len = 0;
1014 
1015 	rv = crypto_decrypt(&encr_mech, &dd, &cdata->d_encr_key,
1016 			cdata->enc_tmpl, NULL, NULL);
1017 	if (rv != CRYPTO_SUCCESS) {
1018 		cmn_err(CE_WARN, "crypto_decrypt failed: %0x", rv);
1019 		return (rv);
1020 	}
1021 
1022 	mac_mech.cm_type = sha1_hmac_mech;
1023 	mac_mech.cm_param = NULL;
1024 	mac_mech.cm_param_len = 0;
1025 
1026 	/*
1027 	 * Compute MAC of the plaintext decrypted above.
1028 	 */
1029 	rv = crypto_mac(&mac_mech, &dd, &cdata->d_hmac_key,
1030 			cdata->hmac_tmpl, &mac, NULL);
1031 
1032 	if (rv != CRYPTO_SUCCESS) {
1033 		cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
1034 	}
1035 
1036 	return (rv);
1037 }
1038 
1039 /*
1040  * Compute 3-DES crypto and HMAC.
1041  */
1042 static int
1043 kef_encr_hmac(struct cipher_data_t *cdata,
1044 	mblk_t *mp, int length,
1045 	char *hmac, int hmaclen)
1046 {
1047 	int rv = CRYPTO_FAILED;
1048 
1049 	crypto_mechanism_t encr_mech;
1050 	crypto_mechanism_t mac_mech;
1051 	crypto_data_t dd;
1052 	crypto_data_t mac;
1053 	iovec_t v1;
1054 
1055 	ASSERT(cdata != NULL);
1056 	ASSERT(mp != NULL);
1057 	ASSERT(hmac != NULL);
1058 
1059 	bzero(&dd, sizeof (dd));
1060 	dd.cd_format = CRYPTO_DATA_MBLK;
1061 	dd.cd_offset = 0;
1062 	dd.cd_length = length;
1063 	dd.cd_mp = mp;
1064 
1065 	v1.iov_base = hmac;
1066 	v1.iov_len = hmaclen;
1067 
1068 	mac.cd_format = CRYPTO_DATA_RAW;
1069 	mac.cd_offset = 0;
1070 	mac.cd_length = hmaclen;
1071 	mac.cd_raw = v1;
1072 
1073 	/*
1074 	 * cdata->block holds the IVEC
1075 	 */
1076 	encr_mech.cm_type = cdata->mech_type;
1077 	encr_mech.cm_param = cdata->block;
1078 
1079 	if (cdata->block != NULL)
1080 		encr_mech.cm_param_len = cdata->blocklen;
1081 	else
1082 		encr_mech.cm_param_len = 0;
1083 
1084 	mac_mech.cm_type = sha1_hmac_mech;
1085 	mac_mech.cm_param = NULL;
1086 	mac_mech.cm_param_len = 0;
1087 
1088 	rv = crypto_mac(&mac_mech, &dd, &cdata->d_hmac_key,
1089 			cdata->hmac_tmpl, &mac, NULL);
1090 
1091 	if (rv != CRYPTO_SUCCESS) {
1092 		cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
1093 		return (rv);
1094 	}
1095 
1096 	rv = crypto_encrypt(&encr_mech, &dd, &cdata->d_encr_key,
1097 			cdata->enc_tmpl, NULL, NULL);
1098 	if (rv != CRYPTO_SUCCESS) {
1099 		cmn_err(CE_WARN, "crypto_encrypt failed: %0x", rv);
1100 	}
1101 
1102 	return (rv);
1103 }
1104 
1105 /*
1106  * kef_crypt
1107  *
1108  * Use the Kernel encryption framework to provide the
1109  * crypto operations for the indicated data.
1110  */
1111 static int
1112 kef_crypt(struct cipher_data_t *cdata,
1113 	void *indata, crypto_data_format_t fmt,
1114 	size_t length, int mode)
1115 {
1116 	int rv = CRYPTO_FAILED;
1117 
1118 	crypto_mechanism_t mech;
1119 	crypto_key_t crkey;
1120 	iovec_t v1;
1121 	crypto_data_t d1;
1122 
1123 	ASSERT(cdata != NULL);
1124 	ASSERT(indata != NULL);
1125 	ASSERT(fmt == CRYPTO_DATA_RAW || fmt == CRYPTO_DATA_MBLK);
1126 
1127 	bzero(&crkey, sizeof (crkey));
1128 	bzero(&d1, sizeof (d1));
1129 
1130 	crkey.ck_format = CRYPTO_KEY_RAW;
1131 	crkey.ck_data =  cdata->key;
1132 
1133 	/* keys are measured in bits, not bytes, so multiply by 8 */
1134 	crkey.ck_length = cdata->keylen * 8;
1135 
1136 	if (fmt == CRYPTO_DATA_RAW) {
1137 		v1.iov_base = (char *)indata;
1138 		v1.iov_len = length;
1139 	}
1140 
1141 	d1.cd_format = fmt;
1142 	d1.cd_offset = 0;
1143 	d1.cd_length = length;
1144 	if (fmt == CRYPTO_DATA_RAW)
1145 		d1.cd_raw = v1;
1146 	else if (fmt == CRYPTO_DATA_MBLK)
1147 		d1.cd_mp = (mblk_t *)indata;
1148 
1149 	mech.cm_type = cdata->mech_type;
1150 	mech.cm_param = cdata->block;
1151 	/*
1152 	 * cdata->block holds the IVEC
1153 	 */
1154 	if (cdata->block != NULL)
1155 		mech.cm_param_len = cdata->blocklen;
1156 	else
1157 		mech.cm_param_len = 0;
1158 
1159 	/*
1160 	 * encrypt and decrypt in-place
1161 	 */
1162 	if (mode == CRYPT_ENCRYPT)
1163 		rv = crypto_encrypt(&mech, &d1, &crkey, NULL, NULL, NULL);
1164 	else
1165 		rv = crypto_decrypt(&mech, &d1, &crkey, NULL, NULL, NULL);
1166 
1167 	if (rv != CRYPTO_SUCCESS) {
1168 		cmn_err(CE_WARN, "%s returned error %08x",
1169 			(mode == CRYPT_ENCRYPT ? "crypto_encrypt" :
1170 				"crypto_decrypt"), rv);
1171 		return (CRYPTO_FAILED);
1172 	}
1173 
1174 	return (rv);
1175 }
1176 
1177 static int
1178 do_hmac(crypto_mech_type_t mech,
1179 	crypto_key_t *key,
1180 	char *data, int datalen,
1181 	char *hmac, int hmaclen)
1182 {
1183 	int rv = 0;
1184 	crypto_mechanism_t mac_mech;
1185 	crypto_data_t dd;
1186 	crypto_data_t mac;
1187 	iovec_t vdata, vmac;
1188 
1189 	mac_mech.cm_type = mech;
1190 	mac_mech.cm_param = NULL;
1191 	mac_mech.cm_param_len = 0;
1192 
1193 	vdata.iov_base = data;
1194 	vdata.iov_len = datalen;
1195 
1196 	bzero(&dd, sizeof (dd));
1197 	dd.cd_format = CRYPTO_DATA_RAW;
1198 	dd.cd_offset = 0;
1199 	dd.cd_length = datalen;
1200 	dd.cd_raw = vdata;
1201 
1202 	vmac.iov_base = hmac;
1203 	vmac.iov_len = hmaclen;
1204 
1205 	mac.cd_format = CRYPTO_DATA_RAW;
1206 	mac.cd_offset = 0;
1207 	mac.cd_length = hmaclen;
1208 	mac.cd_raw = vmac;
1209 
1210 	/*
1211 	 * Compute MAC of the plaintext decrypted above.
1212 	 */
1213 	rv = crypto_mac(&mac_mech, &dd, key, NULL, &mac, NULL);
1214 
1215 	if (rv != CRYPTO_SUCCESS) {
1216 		cmn_err(CE_WARN, "crypto_mac failed: %0x", rv);
1217 	}
1218 
1219 	return (rv);
1220 }
1221 
1222 #define	XOR_BLOCK(src, dst) \
1223 	(dst)[0] ^= (src)[0]; \
1224 	(dst)[1] ^= (src)[1]; \
1225 	(dst)[2] ^= (src)[2]; \
1226 	(dst)[3] ^= (src)[3]; \
1227 	(dst)[4] ^= (src)[4]; \
1228 	(dst)[5] ^= (src)[5]; \
1229 	(dst)[6] ^= (src)[6]; \
1230 	(dst)[7] ^= (src)[7]; \
1231 	(dst)[8] ^= (src)[8]; \
1232 	(dst)[9] ^= (src)[9]; \
1233 	(dst)[10] ^= (src)[10]; \
1234 	(dst)[11] ^= (src)[11]; \
1235 	(dst)[12] ^= (src)[12]; \
1236 	(dst)[13] ^= (src)[13]; \
1237 	(dst)[14] ^= (src)[14]; \
1238 	(dst)[15] ^= (src)[15]
1239 
1240 #define	xorblock(x, y) XOR_BLOCK(y, x)
1241 
1242 static int
1243 aes_cbc_cts_encrypt(struct tmodinfo *tmi, uchar_t *plain, size_t length)
1244 {
1245 	int result = CRYPTO_SUCCESS;
1246 	unsigned char tmp[DEFAULT_AES_BLOCKLEN];
1247 	unsigned char tmp2[DEFAULT_AES_BLOCKLEN];
1248 	unsigned char tmp3[DEFAULT_AES_BLOCKLEN];
1249 	int nblocks = 0, blockno;
1250 	crypto_data_t ct, pt;
1251 	crypto_mechanism_t mech;
1252 
1253 	mech.cm_type = tmi->enc_data.mech_type;
1254 	if (tmi->enc_data.ivlen > 0 && tmi->enc_data.ivec != NULL) {
1255 		bcopy(tmi->enc_data.ivec, tmp, DEFAULT_AES_BLOCKLEN);
1256 		mech.cm_param = tmi->enc_data.ivec;
1257 		mech.cm_param_len = tmi->enc_data.ivlen;
1258 	} else {
1259 		bzero(tmp, sizeof (tmp));
1260 		mech.cm_param = NULL;
1261 		mech.cm_param_len = 0;
1262 	}
1263 
1264 	nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN;
1265 
1266 	bzero(&ct, sizeof (crypto_data_t));
1267 	bzero(&pt, sizeof (crypto_data_t));
1268 
1269 	if (nblocks == 1) {
1270 		pt.cd_format = CRYPTO_DATA_RAW;
1271 		pt.cd_length = length;
1272 		pt.cd_raw.iov_base = (char *)plain;
1273 		pt.cd_raw.iov_len = length;
1274 
1275 		result = crypto_encrypt(&mech, &pt,
1276 			&tmi->enc_data.d_encr_key, NULL, NULL, NULL);
1277 
1278 		if (result != CRYPTO_SUCCESS) {
1279 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1280 				"crypto_encrypt failed: %0x", result);
1281 		}
1282 	} else {
1283 		size_t nleft;
1284 
1285 		ct.cd_format = CRYPTO_DATA_RAW;
1286 		ct.cd_offset = 0;
1287 		ct.cd_length = DEFAULT_AES_BLOCKLEN;
1288 
1289 		pt.cd_format = CRYPTO_DATA_RAW;
1290 		pt.cd_offset = 0;
1291 		pt.cd_length = DEFAULT_AES_BLOCKLEN;
1292 
1293 		result = crypto_encrypt_init(&mech,
1294 				&tmi->enc_data.d_encr_key,
1295 				tmi->enc_data.enc_tmpl,
1296 				&tmi->enc_data.ctx, NULL);
1297 
1298 		if (result != CRYPTO_SUCCESS) {
1299 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1300 				"crypto_encrypt_init failed: %0x", result);
1301 			goto cleanup;
1302 		}
1303 
1304 		for (blockno = 0; blockno < nblocks - 2; blockno++) {
1305 			xorblock(tmp, plain + blockno * DEFAULT_AES_BLOCKLEN);
1306 
1307 			pt.cd_raw.iov_base = (char *)tmp;
1308 			pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1309 
1310 			ct.cd_raw.iov_base = (char *)plain +
1311 				blockno * DEFAULT_AES_BLOCKLEN;
1312 			ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1313 
1314 			result = crypto_encrypt_update(tmi->enc_data.ctx,
1315 					&pt, &ct, NULL);
1316 
1317 			if (result != CRYPTO_SUCCESS) {
1318 				cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1319 					"crypto_encrypt_update failed: %0x",
1320 					result);
1321 				goto cleanup;
1322 			}
1323 			/* copy result over original bytes */
1324 			/* make another copy for the next XOR step */
1325 			bcopy(plain + blockno * DEFAULT_AES_BLOCKLEN,
1326 				tmp, DEFAULT_AES_BLOCKLEN);
1327 		}
1328 		/* XOR cipher text from n-3 with plain text from n-2 */
1329 		xorblock(tmp, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN);
1330 
1331 		pt.cd_raw.iov_base = (char *)tmp;
1332 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1333 
1334 		ct.cd_raw.iov_base = (char *)tmp2;
1335 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1336 
1337 		/* encrypt XOR-ed block N-2 */
1338 		result = crypto_encrypt_update(tmi->enc_data.ctx,
1339 				&pt, &ct, NULL);
1340 		if (result != CRYPTO_SUCCESS) {
1341 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1342 				"crypto_encrypt_update(2) failed: %0x",
1343 				result);
1344 			goto cleanup;
1345 		}
1346 		nleft = length - (nblocks - 1) * DEFAULT_AES_BLOCKLEN;
1347 
1348 		bzero(tmp3, sizeof (tmp3));
1349 		/* Save final plaintext bytes from n-1 */
1350 		bcopy(plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3,
1351 			nleft);
1352 
1353 		/* Overwrite n-1 with cipher text from n-2 */
1354 		bcopy(tmp2, plain + (nblocks - 1) * DEFAULT_AES_BLOCKLEN,
1355 			nleft);
1356 
1357 		bcopy(tmp2, tmp, DEFAULT_AES_BLOCKLEN);
1358 		/* XOR cipher text from n-1 with plain text from n-1 */
1359 		xorblock(tmp, tmp3);
1360 
1361 		pt.cd_raw.iov_base = (char *)tmp;
1362 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1363 
1364 		ct.cd_raw.iov_base = (char *)tmp2;
1365 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1366 
1367 		/* encrypt block N-2 */
1368 		result = crypto_encrypt_update(tmi->enc_data.ctx,
1369 			&pt, &ct, NULL);
1370 
1371 		if (result != CRYPTO_SUCCESS) {
1372 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1373 				"crypto_encrypt_update(3) failed: %0x",
1374 				result);
1375 			goto cleanup;
1376 		}
1377 
1378 		bcopy(tmp2, plain + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
1379 			DEFAULT_AES_BLOCKLEN);
1380 
1381 
1382 		ct.cd_raw.iov_base = (char *)tmp2;
1383 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1384 
1385 		/*
1386 		 * Ignore the output on the final step.
1387 		 */
1388 		result = crypto_encrypt_final(tmi->enc_data.ctx, &ct, NULL);
1389 		if (result != CRYPTO_SUCCESS) {
1390 			cmn_err(CE_WARN, "aes_cbc_cts_encrypt: "
1391 				"crypto_encrypt_final(3) failed: %0x",
1392 				result);
1393 		}
1394 		tmi->enc_data.ctx = NULL;
1395 	}
1396 cleanup:
1397 	bzero(tmp, sizeof (tmp));
1398 	bzero(tmp2, sizeof (tmp));
1399 	bzero(tmp3, sizeof (tmp));
1400 	bzero(tmi->enc_data.block, tmi->enc_data.blocklen);
1401 	return (result);
1402 }
1403 
1404 static int
1405 aes_cbc_cts_decrypt(struct tmodinfo *tmi, uchar_t *buff, size_t length)
1406 {
1407 	int result = CRYPTO_SUCCESS;
1408 	unsigned char tmp[DEFAULT_AES_BLOCKLEN];
1409 	unsigned char tmp2[DEFAULT_AES_BLOCKLEN];
1410 	unsigned char tmp3[DEFAULT_AES_BLOCKLEN];
1411 	int nblocks = 0, blockno;
1412 	crypto_data_t ct, pt;
1413 	crypto_mechanism_t mech;
1414 
1415 	mech.cm_type = tmi->enc_data.mech_type;
1416 
1417 	if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
1418 	    tmi->dec_data.ivlen > 0 && tmi->dec_data.ivec != NULL) {
1419 		bcopy(tmi->dec_data.ivec, tmp, DEFAULT_AES_BLOCKLEN);
1420 		mech.cm_param = tmi->dec_data.ivec;
1421 		mech.cm_param_len = tmi->dec_data.ivlen;
1422 	} else {
1423 		bzero(tmp, sizeof (tmp));
1424 		mech.cm_param_len = 0;
1425 		mech.cm_param = NULL;
1426 	}
1427 	nblocks = (length + DEFAULT_AES_BLOCKLEN - 1) / DEFAULT_AES_BLOCKLEN;
1428 
1429 	bzero(&pt, sizeof (pt));
1430 	bzero(&ct, sizeof (ct));
1431 
1432 	if (nblocks == 1) {
1433 		ct.cd_format = CRYPTO_DATA_RAW;
1434 		ct.cd_length = length;
1435 		ct.cd_raw.iov_base = (char *)buff;
1436 		ct.cd_raw.iov_len = length;
1437 
1438 		result = crypto_decrypt(&mech, &ct,
1439 			&tmi->dec_data.d_encr_key, NULL, NULL, NULL);
1440 
1441 		if (result != CRYPTO_SUCCESS) {
1442 			cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1443 				"crypto_decrypt failed: %0x", result);
1444 			goto cleanup;
1445 		}
1446 	} else {
1447 		ct.cd_format = CRYPTO_DATA_RAW;
1448 		ct.cd_offset = 0;
1449 		ct.cd_length = DEFAULT_AES_BLOCKLEN;
1450 
1451 		pt.cd_format = CRYPTO_DATA_RAW;
1452 		pt.cd_offset = 0;
1453 		pt.cd_length = DEFAULT_AES_BLOCKLEN;
1454 
1455 		result = crypto_encrypt_init(&mech,
1456 				&tmi->dec_data.d_encr_key,
1457 				tmi->dec_data.enc_tmpl,
1458 				&tmi->dec_data.ctx, NULL);
1459 
1460 		if (result != CRYPTO_SUCCESS) {
1461 			cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1462 				"crypto_decrypt_init failed: %0x", result);
1463 			goto cleanup;
1464 		}
1465 		for (blockno = 0; blockno < nblocks - 2; blockno++) {
1466 			ct.cd_raw.iov_base = (char *)buff +
1467 				(blockno * DEFAULT_AES_BLOCKLEN);
1468 			ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1469 
1470 			pt.cd_raw.iov_base = (char *)tmp2;
1471 			pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1472 
1473 			/*
1474 			 * Save the input to the decrypt so it can
1475 			 * be used later for an XOR operation
1476 			 */
1477 			bcopy(buff + (blockno * DEFAULT_AES_BLOCKLEN),
1478 				tmi->dec_data.block, DEFAULT_AES_BLOCKLEN);
1479 
1480 			result = crypto_decrypt_update(tmi->dec_data.ctx,
1481 					&ct, &pt, NULL);
1482 			if (result != CRYPTO_SUCCESS) {
1483 				cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1484 					"crypto_decrypt_update(1) error - "
1485 					"result = 0x%08x", result);
1486 				goto cleanup;
1487 			}
1488 			xorblock(tmp2, tmp);
1489 			bcopy(tmp2, buff + blockno * DEFAULT_AES_BLOCKLEN,
1490 				DEFAULT_AES_BLOCKLEN);
1491 			/*
1492 			 * The original cipher text is used as the xor
1493 			 * for the next block, save it here.
1494 			 */
1495 			bcopy(tmi->dec_data.block, tmp, DEFAULT_AES_BLOCKLEN);
1496 		}
1497 		ct.cd_raw.iov_base = (char *)buff +
1498 			((nblocks - 2) * DEFAULT_AES_BLOCKLEN);
1499 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1500 		pt.cd_raw.iov_base = (char *)tmp2;
1501 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1502 
1503 		result = crypto_decrypt_update(tmi->dec_data.ctx,
1504 				&ct, &pt, NULL);
1505 		if (result != CRYPTO_SUCCESS) {
1506 			cmn_err(CE_WARN,
1507 				"aes_cbc_cts_decrypt: "
1508 				"crypto_decrypt_update(2) error -"
1509 				" result = 0x%08x", result);
1510 			goto cleanup;
1511 		}
1512 		bzero(tmp3, sizeof (tmp3));
1513 		bcopy(buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN, tmp3,
1514 			length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));
1515 
1516 		xorblock(tmp2, tmp3);
1517 		bcopy(tmp2, buff + (nblocks - 1) * DEFAULT_AES_BLOCKLEN,
1518 			length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));
1519 
1520 		/* 2nd to last block ... */
1521 		bcopy(tmp3, tmp2,
1522 			length - ((nblocks - 1) * DEFAULT_AES_BLOCKLEN));
1523 
1524 		ct.cd_raw.iov_base = (char *)tmp2;
1525 		ct.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1526 		pt.cd_raw.iov_base = (char *)tmp3;
1527 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1528 
1529 		result = crypto_decrypt_update(tmi->dec_data.ctx,
1530 				&ct, &pt, NULL);
1531 		if (result != CRYPTO_SUCCESS) {
1532 			cmn_err(CE_WARN,
1533 				"aes_cbc_cts_decrypt: "
1534 				"crypto_decrypt_update(3) error - "
1535 				"result = 0x%08x", result);
1536 			goto cleanup;
1537 		}
1538 		xorblock(tmp3, tmp);
1539 
1540 
1541 		/* Finally, update the 2nd to last block and we are done. */
1542 		bcopy(tmp3, buff + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
1543 			DEFAULT_AES_BLOCKLEN);
1544 
1545 		/* Do Final step, but ignore output */
1546 		pt.cd_raw.iov_base = (char *)tmp2;
1547 		pt.cd_raw.iov_len = DEFAULT_AES_BLOCKLEN;
1548 		result = crypto_decrypt_final(tmi->dec_data.ctx, &pt, NULL);
1549 		if (result != CRYPTO_SUCCESS) {
1550 			cmn_err(CE_WARN, "aes_cbc_cts_decrypt: "
1551 				"crypto_decrypt_final error - "
1552 				"result = 0x%0x", result);
1553 		}
1554 		tmi->dec_data.ctx = NULL;
1555 	}
1556 
1557 cleanup:
1558 	bzero(tmp, sizeof (tmp));
1559 	bzero(tmp2, sizeof (tmp));
1560 	bzero(tmp3, sizeof (tmp));
1561 	bzero(tmi->dec_data.block, tmi->dec_data.blocklen);
1562 	return (result);
1563 }
1564 
1565 /*
1566  * AES decrypt
1567  *
1568  * format of ciphertext when using AES
1569  *  +-------------+------------+------------+
1570  *  |  confounder | msg-data   |  hmac      |
1571  *  +-------------+------------+------------+
1572  */
1573 static mblk_t *
1574 aes_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1575 	hash_info_t *hash)
1576 {
1577 	int result;
1578 	size_t enclen;
1579 	size_t inlen;
1580 	uchar_t hmacbuff[64];
1581 	uchar_t tmpiv[DEFAULT_AES_BLOCKLEN];
1582 
1583 	inlen = (size_t)MBLKL(mp);
1584 
1585 	enclen = inlen - AES_TRUNCATED_HMAC_LEN;
1586 	if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
1587 		tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0) {
1588 		int nblocks = (enclen + DEFAULT_AES_BLOCKLEN - 1) /
1589 				DEFAULT_AES_BLOCKLEN;
1590 		bcopy(mp->b_rptr + DEFAULT_AES_BLOCKLEN * (nblocks - 2),
1591 			tmpiv, DEFAULT_AES_BLOCKLEN);
1592 	}
1593 
1594 	/* AES Decrypt */
1595 	result = aes_cbc_cts_decrypt(tmi, mp->b_rptr, enclen);
1596 
1597 	if (result != CRYPTO_SUCCESS) {
1598 		cmn_err(CE_WARN,
1599 			"aes_decrypt:  aes_cbc_cts_decrypt "
1600 			"failed - error %0x", result);
1601 		goto cleanup;
1602 	}
1603 
1604 	/* Verify the HMAC */
1605 	result = do_hmac(sha1_hmac_mech,
1606 			&tmi->dec_data.d_hmac_key,
1607 			(char *)mp->b_rptr, enclen,
1608 			(char *)hmacbuff, hash->hash_len);
1609 
1610 	if (result != CRYPTO_SUCCESS) {
1611 		cmn_err(CE_WARN,
1612 			"aes_decrypt:  do_hmac failed - error %0x", result);
1613 		goto cleanup;
1614 	}
1615 
1616 	if (bcmp(hmacbuff, mp->b_rptr + enclen,
1617 		AES_TRUNCATED_HMAC_LEN) != 0) {
1618 		result = -1;
1619 		cmn_err(CE_WARN, "aes_decrypt: checksum verification failed");
1620 		goto cleanup;
1621 	}
1622 
1623 	/* truncate the mblk at the end of the decrypted text */
1624 	mp->b_wptr = mp->b_rptr + enclen;
1625 
1626 	/* Adjust the beginning of the buffer to skip the confounder */
1627 	mp->b_rptr += DEFAULT_AES_BLOCKLEN;
1628 
1629 	if (tmi->dec_data.ivec_usage != IVEC_NEVER &&
1630 		tmi->dec_data.ivec != NULL && tmi->dec_data.ivlen > 0)
1631 		bcopy(tmpiv, tmi->dec_data.ivec, DEFAULT_AES_BLOCKLEN);
1632 
1633 cleanup:
1634 	if (result != CRYPTO_SUCCESS) {
1635 		mp->b_datap->db_type = M_ERROR;
1636 		mp->b_rptr = mp->b_datap->db_base;
1637 		*mp->b_rptr = EIO;
1638 		mp->b_wptr = mp->b_rptr + sizeof (char);
1639 		freemsg(mp->b_cont);
1640 		mp->b_cont = NULL;
1641 		qreply(WR(q), mp);
1642 		return (NULL);
1643 	}
1644 	return (mp);
1645 }
1646 
1647 /*
1648  * AES encrypt
1649  *
1650  * format of ciphertext when using AES
1651  *  +-------------+------------+------------+
1652  *  |  confounder | msg-data   |  hmac      |
1653  *  +-------------+------------+------------+
1654  */
1655 static mblk_t *
1656 aes_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1657 	hash_info_t *hash)
1658 {
1659 	int result;
1660 	size_t cipherlen;
1661 	size_t inlen;
1662 	uchar_t hmacbuff[64];
1663 
1664 	inlen = (size_t)MBLKL(mp);
1665 
1666 	cipherlen = encrypt_size(&tmi->enc_data, inlen);
1667 
1668 	ASSERT(MBLKSIZE(mp) >= cipherlen);
1669 
1670 	/*
1671 	 * Shift the rptr back enough to insert the confounder.
1672 	 */
1673 	mp->b_rptr -= DEFAULT_AES_BLOCKLEN;
1674 
1675 	/* Get random data for confounder */
1676 	(void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr,
1677 		DEFAULT_AES_BLOCKLEN);
1678 
1679 	/*
1680 	 * Because we encrypt in-place, we need to calculate
1681 	 * the HMAC of the plaintext now, then stick it on
1682 	 * the end of the ciphertext down below.
1683 	 */
1684 	result = do_hmac(sha1_hmac_mech,
1685 			&tmi->enc_data.d_hmac_key,
1686 			(char *)mp->b_rptr, DEFAULT_AES_BLOCKLEN + inlen,
1687 			(char *)hmacbuff, hash->hash_len);
1688 
1689 	if (result != CRYPTO_SUCCESS) {
1690 		cmn_err(CE_WARN, "aes_encrypt:  do_hmac failed - error %0x",
1691 			result);
1692 		goto cleanup;
1693 	}
1694 	/* Encrypt using AES-CBC-CTS */
1695 	result = aes_cbc_cts_encrypt(tmi, mp->b_rptr,
1696 		inlen + DEFAULT_AES_BLOCKLEN);
1697 
1698 	if (result != CRYPTO_SUCCESS) {
1699 		cmn_err(CE_WARN, "aes_encrypt:  aes_cbc_cts_encrypt "
1700 			"failed - error %0x", result);
1701 		goto cleanup;
1702 	}
1703 
1704 	/* copy the truncated HMAC to the end of the mblk */
1705 	bcopy(hmacbuff, mp->b_rptr + DEFAULT_AES_BLOCKLEN + inlen,
1706 		AES_TRUNCATED_HMAC_LEN);
1707 
1708 	mp->b_wptr = mp->b_rptr + cipherlen;
1709 
1710 	/*
1711 	 * The final block of cipher text (not the HMAC) is used
1712 	 * as the next IV.
1713 	 */
1714 	if (tmi->enc_data.ivec_usage != IVEC_NEVER &&
1715 	    tmi->enc_data.ivec != NULL) {
1716 		int nblocks = (inlen + 2 * DEFAULT_AES_BLOCKLEN - 1) /
1717 			DEFAULT_AES_BLOCKLEN;
1718 
1719 		bcopy(mp->b_rptr + (nblocks - 2) * DEFAULT_AES_BLOCKLEN,
1720 			tmi->enc_data.ivec, DEFAULT_AES_BLOCKLEN);
1721 	}
1722 
1723 cleanup:
1724 	if (result != CRYPTO_SUCCESS) {
1725 		mp->b_datap->db_type = M_ERROR;
1726 		mp->b_rptr = mp->b_datap->db_base;
1727 		*mp->b_rptr = EIO;
1728 		mp->b_wptr = mp->b_rptr + sizeof (char);
1729 		freemsg(mp->b_cont);
1730 		mp->b_cont = NULL;
1731 		qreply(WR(q), mp);
1732 		return (NULL);
1733 	}
1734 	return (mp);
1735 }
1736 
1737 /*
1738  * ARCFOUR-HMAC-MD5 decrypt
1739  *
1740  * format of ciphertext when using ARCFOUR-HMAC-MD5
1741  *  +-----------+------------+------------+
1742  *  |  hmac     | confounder |  msg-data  |
1743  *  +-----------+------------+------------+
1744  *
1745  */
1746 static mblk_t *
1747 arcfour_hmac_md5_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1748 			hash_info_t *hash)
1749 {
1750 	int result;
1751 	size_t cipherlen;
1752 	size_t inlen;
1753 	size_t saltlen;
1754 	crypto_key_t k1, k2;
1755 	crypto_data_t indata;
1756 	iovec_t v1;
1757 	uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab,
1758 				0xab, 0xab, 0xab, 0xab };
1759 	uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES];
1760 	uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES];
1761 	uchar_t cksum[MD5_HASHSIZE];
1762 	uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES];
1763 	crypto_mechanism_t mech;
1764 	int usage;
1765 
1766 	/* The usage constant is 1026 for all "old" rcmd mode operations */
1767 	if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1)
1768 		usage = RCMDV1_USAGE;
1769 	else
1770 		usage = ARCFOUR_DECRYPT_USAGE;
1771 
1772 	/*
1773 	 * The size at this point should be the size of
1774 	 * all the plaintext plus the optional plaintext length
1775 	 * needed for RCMD V2 mode.  There should also be room
1776 	 * at the head of the mblk for the confounder and hash info.
1777 	 */
1778 	inlen = (size_t)MBLKL(mp);
1779 
1780 	/*
1781 	 * The cipherlen does not include the HMAC at the
1782 	 * head of the buffer.
1783 	 */
1784 	cipherlen = inlen - hash->hash_len;
1785 
1786 	ASSERT(MBLKSIZE(mp) >= cipherlen);
1787 	if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
1788 		bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT));
1789 		saltdata[9] = 0;
1790 		saltdata[10] = usage & 0xff;
1791 		saltdata[11] = (usage >> 8) & 0xff;
1792 		saltdata[12] = (usage >> 16) & 0xff;
1793 		saltdata[13] = (usage >> 24) & 0xff;
1794 		saltlen = 14;
1795 	} else {
1796 		saltdata[0] = usage & 0xff;
1797 		saltdata[1] = (usage >> 8) & 0xff;
1798 		saltdata[2] = (usage >> 16) & 0xff;
1799 		saltdata[3] = (usage >> 24) & 0xff;
1800 		saltlen = 4;
1801 	}
1802 	/*
1803 	 * Use the salt value to create a key to be used
1804 	 * for subsequent HMAC operations.
1805 	 */
1806 	result = do_hmac(md5_hmac_mech,
1807 			tmi->dec_data.ckey,
1808 			(char *)saltdata, saltlen,
1809 			(char *)k1data, sizeof (k1data));
1810 	if (result != CRYPTO_SUCCESS) {
1811 		cmn_err(CE_WARN,
1812 			"arcfour_hmac_md5_decrypt:  do_hmac(k1)"
1813 			"failed - error %0x", result);
1814 		goto cleanup;
1815 	}
1816 	bcopy(k1data, k2data, sizeof (k1data));
1817 
1818 	/*
1819 	 * For the neutered MS RC4 encryption type,
1820 	 * set the trailing 9 bytes to 0xab per the
1821 	 * RC4-HMAC spec.
1822 	 */
1823 	if (tmi->dec_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
1824 		bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp));
1825 	}
1826 
1827 	mech.cm_type = tmi->dec_data.mech_type;
1828 	mech.cm_param = NULL;
1829 	mech.cm_param_len = 0;
1830 
1831 	/*
1832 	 * If we have not yet initialized the decryption key,
1833 	 * context, and template, do it now.
1834 	 */
1835 	if (tmi->dec_data.ctx == NULL ||
1836 	    (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) {
1837 		k1.ck_format = CRYPTO_KEY_RAW;
1838 		k1.ck_length = CRYPT_ARCFOUR_KEYBYTES * 8;
1839 		k1.ck_data = k1data;
1840 
1841 		tmi->dec_data.d_encr_key.ck_format = CRYPTO_KEY_RAW;
1842 		tmi->dec_data.d_encr_key.ck_length = k1.ck_length;
1843 		if (tmi->dec_data.d_encr_key.ck_data == NULL)
1844 			tmi->dec_data.d_encr_key.ck_data = kmem_zalloc(
1845 				CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP);
1846 
1847 		/*
1848 		 * HMAC operation creates the encryption
1849 		 * key to be used for the decrypt operations.
1850 		 */
1851 		result = do_hmac(md5_hmac_mech, &k1,
1852 			(char *)mp->b_rptr, hash->hash_len,
1853 			(char *)tmi->dec_data.d_encr_key.ck_data,
1854 			CRYPT_ARCFOUR_KEYBYTES);
1855 
1856 
1857 		if (result != CRYPTO_SUCCESS) {
1858 			cmn_err(CE_WARN,
1859 				"arcfour_hmac_md5_decrypt:  do_hmac(k3)"
1860 				"failed - error %0x", result);
1861 			goto cleanup;
1862 		}
1863 	}
1864 
1865 	tmi->dec_data.enc_tmpl = NULL;
1866 
1867 	if (tmi->dec_data.ctx == NULL &&
1868 	    (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) {
1869 		/*
1870 		 * Only create a template if we are doing
1871 		 * chaining from block to block.
1872 		 */
1873 		result = crypto_create_ctx_template(&mech,
1874 			&tmi->dec_data.d_encr_key,
1875 			&tmi->dec_data.enc_tmpl,
1876 			KM_SLEEP);
1877 		if (result == CRYPTO_NOT_SUPPORTED) {
1878 			tmi->dec_data.enc_tmpl = NULL;
1879 		} else if (result != CRYPTO_SUCCESS) {
1880 			cmn_err(CE_WARN,
1881 				"arcfour_hmac_md5_decrypt:  "
1882 				"failed to create dec template "
1883 				"for RC4 encrypt: %0x", result);
1884 			goto cleanup;
1885 		}
1886 
1887 		result = crypto_decrypt_init(&mech,
1888 			&tmi->dec_data.d_encr_key,
1889 			tmi->dec_data.enc_tmpl,
1890 			&tmi->dec_data.ctx, NULL);
1891 
1892 		if (result != CRYPTO_SUCCESS) {
1893 			cmn_err(CE_WARN, "crypto_decrypt_init failed:"
1894 				" %0x", result);
1895 			goto cleanup;
1896 		}
1897 	}
1898 
1899 	/* adjust the rptr so we don't decrypt the original hmac field */
1900 
1901 	v1.iov_base = (char *)mp->b_rptr + hash->hash_len;
1902 	v1.iov_len = cipherlen;
1903 
1904 	indata.cd_format = CRYPTO_DATA_RAW;
1905 	indata.cd_offset = 0;
1906 	indata.cd_length = cipherlen;
1907 	indata.cd_raw = v1;
1908 
1909 	if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
1910 		result = crypto_decrypt_update(tmi->dec_data.ctx,
1911 			&indata, NULL, NULL);
1912 	else
1913 		result = crypto_decrypt(&mech, &indata,
1914 			&tmi->dec_data.d_encr_key, NULL, NULL, NULL);
1915 
1916 	if (result != CRYPTO_SUCCESS) {
1917 		cmn_err(CE_WARN, "crypto_decrypt_update failed:"
1918 			" %0x", result);
1919 		goto cleanup;
1920 	}
1921 
1922 	k2.ck_format = CRYPTO_KEY_RAW;
1923 	k2.ck_length = sizeof (k2data) * 8;
1924 	k2.ck_data = k2data;
1925 
1926 	result = do_hmac(md5_hmac_mech,
1927 			&k2,
1928 			(char *)mp->b_rptr + hash->hash_len, cipherlen,
1929 			(char *)cksum, hash->hash_len);
1930 
1931 	if (result != CRYPTO_SUCCESS) {
1932 		cmn_err(CE_WARN,
1933 			"arcfour_hmac_md5_decrypt:  do_hmac(k2)"
1934 			"failed - error %0x", result);
1935 		goto cleanup;
1936 	}
1937 
1938 	if (bcmp(cksum, mp->b_rptr, hash->hash_len) != 0) {
1939 		cmn_err(CE_WARN, "arcfour_decrypt HMAC comparison failed");
1940 		result = -1;
1941 		goto cleanup;
1942 	}
1943 
1944 	/*
1945 	 * adjust the start of the mblk to skip over the
1946 	 * hash and confounder.
1947 	 */
1948 	mp->b_rptr += hash->hash_len + hash->confound_len;
1949 
1950 cleanup:
1951 	bzero(k1data, sizeof (k1data));
1952 	bzero(k2data, sizeof (k2data));
1953 	bzero(cksum, sizeof (cksum));
1954 	bzero(saltdata, sizeof (saltdata));
1955 	if (result != CRYPTO_SUCCESS) {
1956 		mp->b_datap->db_type = M_ERROR;
1957 		mp->b_rptr = mp->b_datap->db_base;
1958 		*mp->b_rptr = EIO;
1959 		mp->b_wptr = mp->b_rptr + sizeof (char);
1960 		freemsg(mp->b_cont);
1961 		mp->b_cont = NULL;
1962 		qreply(WR(q), mp);
1963 		return (NULL);
1964 	}
1965 	return (mp);
1966 }
1967 
1968 /*
1969  * ARCFOUR-HMAC-MD5 encrypt
1970  *
1971  * format of ciphertext when using ARCFOUR-HMAC-MD5
1972  *  +-----------+------------+------------+
1973  *  |  hmac     | confounder |  msg-data  |
1974  *  +-----------+------------+------------+
1975  *
1976  */
1977 static mblk_t *
1978 arcfour_hmac_md5_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp,
1979 			hash_info_t *hash)
1980 {
1981 	int result;
1982 	size_t cipherlen;
1983 	size_t inlen;
1984 	size_t saltlen;
1985 	crypto_key_t k1, k2;
1986 	crypto_data_t indata;
1987 	iovec_t v1;
1988 	uchar_t ms_exp[9] = {0xab, 0xab, 0xab, 0xab, 0xab,
1989 				0xab, 0xab, 0xab, 0xab };
1990 	uchar_t k1data[CRYPT_ARCFOUR_KEYBYTES];
1991 	uchar_t k2data[CRYPT_ARCFOUR_KEYBYTES];
1992 	uchar_t saltdata[CRYPT_ARCFOUR_KEYBYTES];
1993 	crypto_mechanism_t mech;
1994 	int usage;
1995 
1996 	/* The usage constant is 1026 for all "old" rcmd mode operations */
1997 	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1)
1998 		usage = RCMDV1_USAGE;
1999 	else
2000 		usage = ARCFOUR_ENCRYPT_USAGE;
2001 
2002 	mech.cm_type = tmi->enc_data.mech_type;
2003 	mech.cm_param = NULL;
2004 	mech.cm_param_len = 0;
2005 
2006 	/*
2007 	 * The size at this point should be the size of
2008 	 * all the plaintext plus the optional plaintext length
2009 	 * needed for RCMD V2 mode.  There should also be room
2010 	 * at the head of the mblk for the confounder and hash info.
2011 	 */
2012 	inlen = (size_t)MBLKL(mp);
2013 
2014 	cipherlen = encrypt_size(&tmi->enc_data, inlen);
2015 
2016 	ASSERT(MBLKSIZE(mp) >= cipherlen);
2017 
2018 	/*
2019 	 * Shift the rptr back enough to insert
2020 	 * the confounder and hash.
2021 	 */
2022 	mp->b_rptr -= (hash->confound_len + hash->hash_len);
2023 
2024 	/* zero out the hash area */
2025 	bzero(mp->b_rptr, (size_t)hash->hash_len);
2026 
2027 	if (cipherlen > inlen) {
2028 		bzero(mp->b_wptr, MBLKTAIL(mp));
2029 	}
2030 
2031 	if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
2032 		bcopy(ARCFOUR_EXP_SALT, saltdata, strlen(ARCFOUR_EXP_SALT));
2033 		saltdata[9] = 0;
2034 		saltdata[10] = usage & 0xff;
2035 		saltdata[11] = (usage >> 8) & 0xff;
2036 		saltdata[12] = (usage >> 16) & 0xff;
2037 		saltdata[13] = (usage >> 24) & 0xff;
2038 		saltlen = 14;
2039 	} else {
2040 		saltdata[0] = usage & 0xff;
2041 		saltdata[1] = (usage >> 8) & 0xff;
2042 		saltdata[2] = (usage >> 16) & 0xff;
2043 		saltdata[3] = (usage >> 24) & 0xff;
2044 		saltlen = 4;
2045 	}
2046 	/*
2047 	 * Use the salt value to create a key to be used
2048 	 * for subsequent HMAC operations.
2049 	 */
2050 	result = do_hmac(md5_hmac_mech,
2051 			tmi->enc_data.ckey,
2052 			(char *)saltdata, saltlen,
2053 			(char *)k1data, sizeof (k1data));
2054 	if (result != CRYPTO_SUCCESS) {
2055 		cmn_err(CE_WARN,
2056 			"arcfour_hmac_md5_encrypt:  do_hmac(k1)"
2057 			"failed - error %0x", result);
2058 		goto cleanup;
2059 	}
2060 
2061 	bcopy(k1data, k2data, sizeof (k2data));
2062 
2063 	/*
2064 	 * For the neutered MS RC4 encryption type,
2065 	 * set the trailing 9 bytes to 0xab per the
2066 	 * RC4-HMAC spec.
2067 	 */
2068 	if (tmi->enc_data.method == CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP) {
2069 		bcopy((void *)&k1data[7], ms_exp, sizeof (ms_exp));
2070 	}
2071 
2072 	/*
2073 	 * Get the confounder bytes.
2074 	 */
2075 	(void) random_get_pseudo_bytes(
2076 			(uint8_t *)(mp->b_rptr + hash->hash_len),
2077 			(size_t)hash->confound_len);
2078 
2079 	k2.ck_data = k2data;
2080 	k2.ck_format = CRYPTO_KEY_RAW;
2081 	k2.ck_length = sizeof (k2data) * 8;
2082 
2083 	/*
2084 	 * This writes the HMAC to the hash area in the
2085 	 * mblk.  The key used is the one just created by
2086 	 * the previous HMAC operation.
2087 	 * The data being processed is the confounder bytes
2088 	 * PLUS the input plaintext.
2089 	 */
2090 	result = do_hmac(md5_hmac_mech, &k2,
2091 			(char *)mp->b_rptr + hash->hash_len,
2092 			hash->confound_len + inlen,
2093 			(char *)mp->b_rptr, hash->hash_len);
2094 	if (result != CRYPTO_SUCCESS) {
2095 		cmn_err(CE_WARN,
2096 			"arcfour_hmac_md5_encrypt:  do_hmac(k2)"
2097 			"failed - error %0x", result);
2098 		goto cleanup;
2099 	}
2100 	/*
2101 	 * Because of the odd way that MIT uses RC4 keys
2102 	 * on the rlogin stream, we only need to create
2103 	 * this key once.
2104 	 * However, if using "old" rcmd mode, we need to do
2105 	 * it every time.
2106 	 */
2107 	if (tmi->enc_data.ctx == NULL ||
2108 	    (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V1)) {
2109 		crypto_key_t *key = &tmi->enc_data.d_encr_key;
2110 
2111 		k1.ck_data = k1data;
2112 		k1.ck_format = CRYPTO_KEY_RAW;
2113 		k1.ck_length = sizeof (k1data) * 8;
2114 
2115 		key->ck_format = CRYPTO_KEY_RAW;
2116 		key->ck_length = k1.ck_length;
2117 		if (key->ck_data == NULL)
2118 			key->ck_data = kmem_zalloc(
2119 				CRYPT_ARCFOUR_KEYBYTES, KM_SLEEP);
2120 
2121 		/*
2122 		 * The final HMAC operation creates the encryption
2123 		 * key to be used for the encrypt operation.
2124 		 */
2125 		result = do_hmac(md5_hmac_mech, &k1,
2126 			(char *)mp->b_rptr, hash->hash_len,
2127 			(char *)key->ck_data, CRYPT_ARCFOUR_KEYBYTES);
2128 
2129 		if (result != CRYPTO_SUCCESS) {
2130 			cmn_err(CE_WARN,
2131 				"arcfour_hmac_md5_encrypt:  do_hmac(k3)"
2132 				"failed - error %0x", result);
2133 			goto cleanup;
2134 		}
2135 	}
2136 
2137 	/*
2138 	 * If the context has not been initialized, do it now.
2139 	 */
2140 	if (tmi->enc_data.ctx == NULL &&
2141 	    (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)) {
2142 		/*
2143 		 * Only create a template if we are doing
2144 		 * chaining from block to block.
2145 		 */
2146 		result = crypto_create_ctx_template(&mech,
2147 				&tmi->enc_data.d_encr_key,
2148 				&tmi->enc_data.enc_tmpl,
2149 				KM_SLEEP);
2150 		if (result == CRYPTO_NOT_SUPPORTED) {
2151 			tmi->enc_data.enc_tmpl = NULL;
2152 		} else if (result != CRYPTO_SUCCESS) {
2153 			cmn_err(CE_WARN, "failed to create enc template "
2154 				"for RC4 encrypt: %0x", result);
2155 			goto cleanup;
2156 		}
2157 
2158 		result = crypto_encrypt_init(&mech,
2159 					&tmi->enc_data.d_encr_key,
2160 					tmi->enc_data.enc_tmpl,
2161 					&tmi->enc_data.ctx, NULL);
2162 		if (result != CRYPTO_SUCCESS) {
2163 			cmn_err(CE_WARN, "crypto_encrypt_init failed:"
2164 				" %0x", result);
2165 			goto cleanup;
2166 		}
2167 	}
2168 	v1.iov_base = (char *)mp->b_rptr + hash->hash_len;
2169 	v1.iov_len = hash->confound_len + inlen;
2170 
2171 	indata.cd_format = CRYPTO_DATA_RAW;
2172 	indata.cd_offset = 0;
2173 	indata.cd_length = hash->confound_len + inlen;
2174 	indata.cd_raw = v1;
2175 
2176 	if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
2177 		result = crypto_encrypt_update(tmi->enc_data.ctx,
2178 			&indata, NULL, NULL);
2179 	else
2180 		result = crypto_encrypt(&mech, &indata,
2181 			&tmi->enc_data.d_encr_key, NULL,
2182 			NULL, NULL);
2183 
2184 	if (result != CRYPTO_SUCCESS) {
2185 		cmn_err(CE_WARN, "crypto_encrypt_update failed: 0x%0x",
2186 			result);
2187 	}
2188 
2189 cleanup:
2190 	bzero(k1data, sizeof (k1data));
2191 	bzero(k2data, sizeof (k2data));
2192 	bzero(saltdata, sizeof (saltdata));
2193 	if (result != CRYPTO_SUCCESS) {
2194 		mp->b_datap->db_type = M_ERROR;
2195 		mp->b_rptr = mp->b_datap->db_base;
2196 		*mp->b_rptr = EIO;
2197 		mp->b_wptr = mp->b_rptr + sizeof (char);
2198 		freemsg(mp->b_cont);
2199 		mp->b_cont = NULL;
2200 		qreply(WR(q), mp);
2201 		return (NULL);
2202 	}
2203 	return (mp);
2204 }
2205 
2206 /*
2207  * DES-CBC-[HASH] encrypt
2208  *
2209  * Needed to support userland apps that must support Kerberos V5
2210  * encryption DES-CBC encryption modes.
2211  *
2212  * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1
2213  *
2214  * format of ciphertext for DES-CBC functions, per RFC1510 is:
2215  *  +-----------+----------+-------------+-----+
2216  *  |confounder |  cksum   |   msg-data  | pad |
2217  *  +-----------+----------+-------------+-----+
2218  *
2219  * format of ciphertext when using DES3-SHA1-HMAC
2220  *  +-----------+----------+-------------+-----+
2221  *  |confounder |  msg-data  |   hmac    | pad |
2222  *  +-----------+----------+-------------+-----+
2223  *
2224  *  The confounder is 8 bytes of random data.
2225  *  The cksum depends on the hash being used.
2226  *   4 bytes for CRC32
2227  *  16 bytes for MD5
2228  *  20 bytes for SHA1
2229  *   0 bytes for RAW
2230  *
2231  */
2232 static mblk_t *
2233 des_cbc_encrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash)
2234 {
2235 	int result;
2236 	size_t cipherlen;
2237 	size_t inlen;
2238 	size_t plainlen;
2239 
2240 	/*
2241 	 * The size at this point should be the size of
2242 	 * all the plaintext plus the optional plaintext length
2243 	 * needed for RCMD V2 mode.  There should also be room
2244 	 * at the head of the mblk for the confounder and hash info.
2245 	 */
2246 	inlen = (size_t)MBLKL(mp);
2247 
2248 	/*
2249 	 * The output size will be a multiple of 8 because this algorithm
2250 	 * only works on 8 byte chunks.
2251 	 */
2252 	cipherlen = encrypt_size(&tmi->enc_data, inlen);
2253 
2254 	ASSERT(MBLKSIZE(mp) >= cipherlen);
2255 
2256 	if (cipherlen > inlen) {
2257 		bzero(mp->b_wptr, MBLKTAIL(mp));
2258 	}
2259 
2260 	/*
2261 	 * Shift the rptr back enough to insert
2262 	 * the confounder and hash.
2263 	 */
2264 	if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2265 		mp->b_rptr -= hash->confound_len;
2266 	} else {
2267 		mp->b_rptr -= (hash->confound_len + hash->hash_len);
2268 
2269 		/* zero out the hash area */
2270 		bzero(mp->b_rptr + hash->confound_len, (size_t)hash->hash_len);
2271 	}
2272 
2273 	/* get random confounder from our friend, the 'random' module */
2274 	if (hash->confound_len > 0) {
2275 		(void) random_get_pseudo_bytes((uint8_t *)mp->b_rptr,
2276 				    (size_t)hash->confound_len);
2277 	}
2278 
2279 	/*
2280 	 * For 3DES we calculate an HMAC later.
2281 	 */
2282 	if (tmi->enc_data.method != CRYPT_METHOD_DES3_CBC_SHA1) {
2283 		/* calculate chksum of confounder + input */
2284 		if (hash->hash_len > 0 && hash->hashfunc != NULL) {
2285 			uchar_t cksum[MAX_CKSUM_LEN];
2286 
2287 			result = hash->hashfunc(cksum, mp->b_rptr,
2288 				cipherlen);
2289 			if (result != CRYPTO_SUCCESS) {
2290 				goto failure;
2291 			}
2292 
2293 			/* put hash in place right after the confounder */
2294 			bcopy(cksum, (mp->b_rptr + hash->confound_len),
2295 			    (size_t)hash->hash_len);
2296 		}
2297 	}
2298 	/*
2299 	 * In order to support the "old" Kerberos RCMD protocol,
2300 	 * we must use the IVEC 3 different ways:
2301 	 *   IVEC_REUSE = keep using the same IV each time, this is
2302 	 *		ugly and insecure, but necessary for
2303 	 *		backwards compatibility with existing MIT code.
2304 	 *   IVEC_ONETIME = Use the ivec as initialized when the crypto
2305 	 *		was setup (see setup_crypto routine).
2306 	 *   IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk).
2307 	 */
2308 	if (tmi->enc_data.ivec_usage == IVEC_NEVER) {
2309 		bzero(tmi->enc_data.block, tmi->enc_data.blocklen);
2310 	} else if (tmi->enc_data.ivec_usage == IVEC_REUSE) {
2311 		bcopy(tmi->enc_data.ivec, tmi->enc_data.block,
2312 		    tmi->enc_data.blocklen);
2313 	}
2314 
2315 	if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2316 		/*
2317 		 * The input length already included the hash size,
2318 		 * don't include this in the plaintext length
2319 		 * calculations.
2320 		 */
2321 		plainlen = cipherlen - hash->hash_len;
2322 
2323 		mp->b_wptr = mp->b_rptr + plainlen;
2324 
2325 		result = kef_encr_hmac(&tmi->enc_data,
2326 			(void *)mp, (size_t)plainlen,
2327 			(char *)(mp->b_rptr + plainlen),
2328 			hash->hash_len);
2329 	} else {
2330 		ASSERT(mp->b_rptr + cipherlen <= DB_LIM(mp));
2331 		mp->b_wptr = mp->b_rptr + cipherlen;
2332 		result = kef_crypt(&tmi->enc_data, (void *)mp,
2333 			CRYPTO_DATA_MBLK, (size_t)cipherlen,
2334 			CRYPT_ENCRYPT);
2335 	}
2336 failure:
2337 	if (result != CRYPTO_SUCCESS) {
2338 #ifdef DEBUG
2339 		cmn_err(CE_WARN,
2340 			"des_cbc_encrypt: kef_crypt encrypt "
2341 			"failed (len: %ld) - error %0x",
2342 			cipherlen, result);
2343 #endif
2344 		mp->b_datap->db_type = M_ERROR;
2345 		mp->b_rptr = mp->b_datap->db_base;
2346 		*mp->b_rptr = EIO;
2347 		mp->b_wptr = mp->b_rptr + sizeof (char);
2348 		freemsg(mp->b_cont);
2349 		mp->b_cont = NULL;
2350 		qreply(WR(q), mp);
2351 		return (NULL);
2352 	} else if (tmi->enc_data.ivec_usage == IVEC_ONETIME) {
2353 		/*
2354 		 * Because we are using KEF, we must manually
2355 		 * update our IV.
2356 		 */
2357 		bcopy(mp->b_wptr - tmi->enc_data.ivlen,
2358 			tmi->enc_data.block, tmi->enc_data.ivlen);
2359 	}
2360 	if (tmi->enc_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2361 		mp->b_wptr = mp->b_rptr + cipherlen;
2362 	}
2363 
2364 	return (mp);
2365 }
2366 
2367 /*
2368  * des_cbc_decrypt
2369  *
2370  *
2371  * Needed to support userland apps that must support Kerberos V5
2372  * encryption DES-CBC decryption modes.
2373  *
2374  * The HASH values supported are RAW(NULL), MD5, CRC32, and SHA1
2375  *
2376  * format of ciphertext for DES-CBC functions, per RFC1510 is:
2377  *  +-----------+----------+-------------+-----+
2378  *  |confounder |  cksum   |   msg-data  | pad |
2379  *  +-----------+----------+-------------+-----+
2380  *
2381  * format of ciphertext when using DES3-SHA1-HMAC
2382  *  +-----------+----------+-------------+-----+
2383  *  |confounder |  msg-data  |   hmac    | pad |
2384  *  +-----------+----------+-------------+-----+
2385  *
2386  *  The confounder is 8 bytes of random data.
2387  *  The cksum depends on the hash being used.
2388  *   4 bytes for CRC32
2389  *  16 bytes for MD5
2390  *  20 bytes for SHA1
2391  *   0 bytes for RAW
2392  *
2393  */
2394 static mblk_t *
2395 des_cbc_decrypt(queue_t *q, struct tmodinfo *tmi, mblk_t *mp, hash_info_t *hash)
2396 {
2397 	uint_t inlen, datalen;
2398 	int result = 0;
2399 	uchar_t *optr = NULL;
2400 	uchar_t cksum[MAX_CKSUM_LEN], newcksum[MAX_CKSUM_LEN];
2401 	uchar_t nextiv[DEFAULT_DES_BLOCKLEN];
2402 
2403 	/* Compute adjusted size */
2404 	inlen = MBLKL(mp);
2405 
2406 	optr = mp->b_rptr;
2407 
2408 	/*
2409 	 * In order to support the "old" Kerberos RCMD protocol,
2410 	 * we must use the IVEC 3 different ways:
2411 	 *   IVEC_REUSE = keep using the same IV each time, this is
2412 	 *		ugly and insecure, but necessary for
2413 	 *		backwards compatibility with existing MIT code.
2414 	 *   IVEC_ONETIME = Use the ivec as initialized when the crypto
2415 	 *		was setup (see setup_crypto routine).
2416 	 *   IVEC_NEVER = never use an IVEC, use a bunch of 0's as the IV (yuk).
2417 	 */
2418 	if (tmi->dec_data.ivec_usage == IVEC_NEVER)
2419 		bzero(tmi->dec_data.block, tmi->dec_data.blocklen);
2420 	else if (tmi->dec_data.ivec_usage == IVEC_REUSE)
2421 		bcopy(tmi->dec_data.ivec, tmi->dec_data.block,
2422 		    tmi->dec_data.blocklen);
2423 
2424 	if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2425 		/*
2426 		 * Do not decrypt the HMAC at the end
2427 		 */
2428 		int decrypt_len = inlen - hash->hash_len;
2429 
2430 		/*
2431 		 * Move the wptr so the mblk appears to end
2432 		 * BEFORE the HMAC section.
2433 		 */
2434 		mp->b_wptr = mp->b_rptr + decrypt_len;
2435 
2436 		/*
2437 		 * Because we are using KEF, we must manually update our
2438 		 * IV.
2439 		 */
2440 		if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
2441 			bcopy(mp->b_rptr + decrypt_len - tmi->dec_data.ivlen,
2442 				nextiv, tmi->dec_data.ivlen);
2443 		}
2444 
2445 		result = kef_decr_hmac(&tmi->dec_data, mp, decrypt_len,
2446 			(char *)newcksum, hash->hash_len);
2447 	} else {
2448 		/*
2449 		 * Because we are using KEF, we must manually update our
2450 		 * IV.
2451 		 */
2452 		if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
2453 			bcopy(mp->b_wptr - tmi->enc_data.ivlen, nextiv,
2454 				tmi->dec_data.ivlen);
2455 		}
2456 		result = kef_crypt(&tmi->dec_data, (void *)mp,
2457 			CRYPTO_DATA_MBLK, (size_t)inlen, CRYPT_DECRYPT);
2458 	}
2459 	if (result != CRYPTO_SUCCESS) {
2460 #ifdef DEBUG
2461 		cmn_err(CE_WARN,
2462 			"des_cbc_decrypt: kef_crypt decrypt "
2463 			"failed - error %0x", result);
2464 #endif
2465 		mp->b_datap->db_type = M_ERROR;
2466 		mp->b_rptr = mp->b_datap->db_base;
2467 		*mp->b_rptr = EIO;
2468 		mp->b_wptr = mp->b_rptr + sizeof (char);
2469 		freemsg(mp->b_cont);
2470 		mp->b_cont = NULL;
2471 		qreply(WR(q), mp);
2472 		return (NULL);
2473 	}
2474 
2475 	/*
2476 	 * Manually update the IV, KEF does not track this for us.
2477 	 */
2478 	if (tmi->dec_data.ivec_usage == IVEC_ONETIME) {
2479 		bcopy(nextiv, tmi->dec_data.block, tmi->dec_data.ivlen);
2480 	}
2481 
2482 	/* Verify the checksum(if necessary) */
2483 	if (hash->hash_len > 0) {
2484 		if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1) {
2485 			bcopy(mp->b_rptr + inlen - hash->hash_len, cksum,
2486 				hash->hash_len);
2487 		} else {
2488 			bcopy(optr + hash->confound_len, cksum, hash->hash_len);
2489 
2490 			/* zero the cksum in the buffer */
2491 			ASSERT(optr + hash->confound_len + hash->hash_len <=
2492 				DB_LIM(mp));
2493 			bzero(optr + hash->confound_len, hash->hash_len);
2494 
2495 			/* calculate MD5 chksum of confounder + input */
2496 			if (hash->hashfunc) {
2497 				(void) hash->hashfunc(newcksum, optr, inlen);
2498 			}
2499 		}
2500 
2501 		if (bcmp(cksum, newcksum, hash->hash_len)) {
2502 #ifdef DEBUG
2503 			cmn_err(CE_WARN, "des_cbc_decrypt: checksum "
2504 				"verification failed");
2505 #endif
2506 			mp->b_datap->db_type = M_ERROR;
2507 			mp->b_rptr = mp->b_datap->db_base;
2508 			*mp->b_rptr = EIO;
2509 			mp->b_wptr = mp->b_rptr + sizeof (char);
2510 			freemsg(mp->b_cont);
2511 			mp->b_cont = NULL;
2512 			qreply(WR(q), mp);
2513 			return (NULL);
2514 		}
2515 	}
2516 
2517 	datalen = inlen - hash->confound_len - hash->hash_len;
2518 
2519 	/* Move just the decrypted input into place if necessary */
2520 	if (hash->confound_len > 0 || hash->hash_len > 0) {
2521 		if (tmi->dec_data.method == CRYPT_METHOD_DES3_CBC_SHA1)
2522 			mp->b_rptr += hash->confound_len;
2523 		else
2524 			mp->b_rptr += hash->confound_len + hash->hash_len;
2525 	}
2526 
2527 	ASSERT(mp->b_rptr + datalen <= DB_LIM(mp));
2528 	mp->b_wptr = mp->b_rptr + datalen;
2529 
2530 	return (mp);
2531 }
2532 
2533 static mblk_t *
2534 do_decrypt(queue_t *q, mblk_t *mp)
2535 {
2536 	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
2537 	mblk_t *outmp;
2538 
2539 	switch (tmi->dec_data.method) {
2540 	case CRYPT_METHOD_DES_CFB:
2541 		outmp = des_cfb_decrypt(q, tmi, mp);
2542 		break;
2543 	case CRYPT_METHOD_NONE:
2544 		outmp = mp;
2545 		break;
2546 	case CRYPT_METHOD_DES_CBC_NULL:
2547 		outmp = des_cbc_decrypt(q, tmi, mp, &null_hash);
2548 		break;
2549 	case CRYPT_METHOD_DES_CBC_MD5:
2550 		outmp = des_cbc_decrypt(q, tmi, mp, &md5_hash);
2551 		break;
2552 	case CRYPT_METHOD_DES_CBC_CRC:
2553 		outmp = des_cbc_decrypt(q, tmi, mp, &crc32_hash);
2554 		break;
2555 	case CRYPT_METHOD_DES3_CBC_SHA1:
2556 		outmp = des_cbc_decrypt(q, tmi, mp, &sha1_hash);
2557 		break;
2558 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
2559 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
2560 		outmp = arcfour_hmac_md5_decrypt(q, tmi, mp, &md5_hash);
2561 		break;
2562 	case CRYPT_METHOD_AES128:
2563 	case CRYPT_METHOD_AES256:
2564 		outmp = aes_decrypt(q, tmi, mp, &sha1_hash);
2565 		break;
2566 	}
2567 	return (outmp);
2568 }
2569 
2570 /*
2571  * do_encrypt
2572  *
2573  * Generic encryption routine for a single message block.
2574  * The input mblk may be replaced by some encrypt routines
2575  * because they add extra data in some cases that may exceed
2576  * the input mblk_t size limit.
2577  */
2578 static mblk_t *
2579 do_encrypt(queue_t *q, mblk_t *mp)
2580 {
2581 	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
2582 	mblk_t *outmp;
2583 
2584 	switch (tmi->enc_data.method) {
2585 	case CRYPT_METHOD_DES_CFB:
2586 		outmp = des_cfb_encrypt(q, tmi, mp);
2587 		break;
2588 	case CRYPT_METHOD_DES_CBC_NULL:
2589 		outmp = des_cbc_encrypt(q, tmi, mp, &null_hash);
2590 		break;
2591 	case CRYPT_METHOD_DES_CBC_MD5:
2592 		outmp = des_cbc_encrypt(q, tmi, mp, &md5_hash);
2593 		break;
2594 	case CRYPT_METHOD_DES_CBC_CRC:
2595 		outmp = des_cbc_encrypt(q, tmi, mp, &crc32_hash);
2596 		break;
2597 	case CRYPT_METHOD_DES3_CBC_SHA1:
2598 		outmp = des_cbc_encrypt(q, tmi, mp, &sha1_hash);
2599 		break;
2600 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
2601 	case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
2602 		outmp = arcfour_hmac_md5_encrypt(q, tmi, mp, &md5_hash);
2603 		break;
2604 	case CRYPT_METHOD_AES128:
2605 	case CRYPT_METHOD_AES256:
2606 		outmp = aes_encrypt(q, tmi, mp, &sha1_hash);
2607 		break;
2608 	case CRYPT_METHOD_NONE:
2609 		outmp = mp;
2610 		break;
2611 	}
2612 	return (outmp);
2613 }
2614 
2615 /*
2616  * setup_crypto
2617  *
2618  * This takes the data from the CRYPTIOCSETUP ioctl
2619  * and sets up a cipher_data_t structure for either
2620  * encryption or decryption.  This is where the
2621  * key and initialization vector data get stored
2622  * prior to beginning any crypto functions.
2623  *
2624  * Special note:
2625  *   Some applications(e.g. telnetd) have ability to switch
2626  * crypto on/off periodically.  Thus, the application may call
2627  * the CRYPTIOCSETUP ioctl many times for the same stream.
2628  * If the CRYPTIOCSETUP is called with 0 length key or ivec fields
2629  * assume that the key, block, and saveblock fields that are already
2630  * set from a previous CRIOCSETUP call are still valid.  This helps avoid
2631  * a rekeying error that could occur if we overwrite these fields
2632  * with each CRYPTIOCSETUP call.
2633  *   In short, sometimes, CRYPTIOCSETUP is used to simply toggle on/off
2634  * without resetting the original crypto parameters.
2635  *
2636  */
2637 static int
2638 setup_crypto(struct cr_info_t *ci, struct cipher_data_t *cd, int encrypt)
2639 {
2640 	uint_t newblocklen;
2641 	uint32_t enc_usage = 0, dec_usage = 0;
2642 	int rv;
2643 
2644 	/*
2645 	 * Initial sanity checks
2646 	 */
2647 	if (!CR_METHOD_OK(ci->crypto_method)) {
2648 		cmn_err(CE_WARN, "Illegal crypto method (%d)",
2649 			ci->crypto_method);
2650 		return (EINVAL);
2651 	}
2652 	if (!CR_OPTIONS_OK(ci->option_mask)) {
2653 		cmn_err(CE_WARN, "Illegal crypto options (%d)",
2654 			ci->option_mask);
2655 		return (EINVAL);
2656 	}
2657 	if (!CR_IVUSAGE_OK(ci->ivec_usage)) {
2658 		cmn_err(CE_WARN, "Illegal ivec usage value (%d)",
2659 			ci->ivec_usage);
2660 		return (EINVAL);
2661 	}
2662 
2663 	cd->method = ci->crypto_method;
2664 	cd->bytes = 0;
2665 
2666 	if (ci->keylen > 0) {
2667 		if (cd->key != NULL) {
2668 			kmem_free(cd->key, cd->keylen);
2669 			cd->key = NULL;
2670 			cd->keylen = 0;
2671 		}
2672 		/*
2673 		 * cd->key holds the copy of the raw key bytes passed in
2674 		 * from the userland app.
2675 		 */
2676 		cd->key = (char *)kmem_alloc((size_t)ci->keylen, KM_SLEEP);
2677 
2678 		cd->keylen = ci->keylen;
2679 		bcopy(ci->key, cd->key, (size_t)ci->keylen);
2680 	}
2681 
2682 	/*
2683 	 * Configure the block size based on the type of cipher.
2684 	 */
2685 	switch (cd->method) {
2686 		case CRYPT_METHOD_NONE:
2687 			newblocklen = 0;
2688 			break;
2689 		case CRYPT_METHOD_DES_CFB:
2690 			newblocklen = DEFAULT_DES_BLOCKLEN;
2691 			cd->mech_type = crypto_mech2id(SUN_CKM_DES_ECB);
2692 			break;
2693 		case CRYPT_METHOD_DES_CBC_NULL:
2694 		case CRYPT_METHOD_DES_CBC_MD5:
2695 		case CRYPT_METHOD_DES_CBC_CRC:
2696 			newblocklen = DEFAULT_DES_BLOCKLEN;
2697 			cd->mech_type = crypto_mech2id(SUN_CKM_DES_CBC);
2698 			break;
2699 		case CRYPT_METHOD_DES3_CBC_SHA1:
2700 			newblocklen = DEFAULT_DES_BLOCKLEN;
2701 			cd->mech_type = crypto_mech2id(SUN_CKM_DES3_CBC);
2702 			/* 3DES always uses the old usage constant */
2703 			enc_usage = RCMDV1_USAGE;
2704 			dec_usage = RCMDV1_USAGE;
2705 			break;
2706 		case CRYPT_METHOD_ARCFOUR_HMAC_MD5:
2707 		case CRYPT_METHOD_ARCFOUR_HMAC_MD5_EXP:
2708 			newblocklen = 0;
2709 			cd->mech_type = crypto_mech2id(SUN_CKM_RC4);
2710 			break;
2711 		case CRYPT_METHOD_AES128:
2712 		case CRYPT_METHOD_AES256:
2713 			newblocklen = DEFAULT_AES_BLOCKLEN;
2714 			cd->mech_type = crypto_mech2id(SUN_CKM_AES_ECB);
2715 			enc_usage = AES_ENCRYPT_USAGE;
2716 			dec_usage = AES_DECRYPT_USAGE;
2717 			break;
2718 	}
2719 	if (cd->mech_type == CRYPTO_MECH_INVALID) {
2720 		return (CRYPTO_FAILED);
2721 	}
2722 
2723 	/*
2724 	 * If RC4, initialize the master crypto key used by
2725 	 * the RC4 algorithm to derive the final encrypt and decrypt keys.
2726 	 */
2727 	if (cd->keylen > 0 && IS_RC4_METHOD(cd->method)) {
2728 		/*
2729 		 * cd->ckey is a kernel crypto key structure used as the
2730 		 * master key in the RC4-HMAC crypto operations.
2731 		 */
2732 		if (cd->ckey == NULL) {
2733 			cd->ckey = (crypto_key_t *)kmem_zalloc(
2734 				sizeof (crypto_key_t), KM_SLEEP);
2735 		}
2736 
2737 		cd->ckey->ck_format = CRYPTO_KEY_RAW;
2738 		cd->ckey->ck_data = cd->key;
2739 
2740 		/* key length for EF is measured in bits */
2741 		cd->ckey->ck_length = cd->keylen * 8;
2742 	}
2743 
2744 	/*
2745 	 * cd->block and cd->saveblock are used as temporary storage for
2746 	 * data that must be carried over between encrypt/decrypt operations
2747 	 * in some of the "feedback" modes.
2748 	 */
2749 	if (newblocklen != cd->blocklen) {
2750 		if (cd->block != NULL) {
2751 			kmem_free(cd->block, cd->blocklen);
2752 			cd->block = NULL;
2753 		}
2754 
2755 		if (cd->saveblock != NULL) {
2756 			kmem_free(cd->saveblock, cd->blocklen);
2757 			cd->saveblock = NULL;
2758 		}
2759 
2760 		cd->blocklen = newblocklen;
2761 		if (cd->blocklen) {
2762 			cd->block = (char *)kmem_zalloc((size_t)cd->blocklen,
2763 				KM_SLEEP);
2764 		}
2765 
2766 		if (cd->method == CRYPT_METHOD_DES_CFB)
2767 			cd->saveblock = (char *)kmem_zalloc(cd->blocklen,
2768 						KM_SLEEP);
2769 		else
2770 			cd->saveblock = NULL;
2771 	}
2772 
2773 	if (ci->iveclen != cd->ivlen) {
2774 		if (cd->ivec != NULL) {
2775 			kmem_free(cd->ivec, cd->ivlen);
2776 			cd->ivec = NULL;
2777 		}
2778 		if (ci->ivec_usage != IVEC_NEVER && ci->iveclen > 0) {
2779 			cd->ivec = (char *)kmem_zalloc((size_t)ci->iveclen,
2780 						KM_SLEEP);
2781 			cd->ivlen = ci->iveclen;
2782 		} else {
2783 			cd->ivlen = 0;
2784 			cd->ivec = NULL;
2785 		}
2786 	}
2787 	cd->option_mask = ci->option_mask;
2788 
2789 	/*
2790 	 * Old protocol requires a static 'usage' value for
2791 	 * deriving keys.  Yuk.
2792 	 */
2793 	if (cd->option_mask & CRYPTOPT_RCMD_MODE_V1) {
2794 		enc_usage = dec_usage = RCMDV1_USAGE;
2795 	}
2796 
2797 	if (cd->ivlen > cd->blocklen) {
2798 		cmn_err(CE_WARN, "setup_crypto: IV longer than block size");
2799 		return (EINVAL);
2800 	}
2801 
2802 	/*
2803 	 * If we are using an IVEC "correctly" (i.e. set it once)
2804 	 * copy it here.
2805 	 */
2806 	if (ci->ivec_usage == IVEC_ONETIME && cd->block != NULL)
2807 		bcopy(ci->ivec, cd->block, (size_t)cd->ivlen);
2808 
2809 	cd->ivec_usage = ci->ivec_usage;
2810 	if (cd->ivec != NULL) {
2811 		/* Save the original IVEC in case we need it later */
2812 		bcopy(ci->ivec, cd->ivec, (size_t)cd->ivlen);
2813 	}
2814 	/*
2815 	 * Special handling for 3DES-SHA1-HMAC and AES crypto:
2816 	 * generate derived keys and context templates
2817 	 * for better performance.
2818 	 */
2819 	if (cd->method == CRYPT_METHOD_DES3_CBC_SHA1 ||
2820 	    IS_AES_METHOD(cd->method)) {
2821 		crypto_mechanism_t enc_mech;
2822 		crypto_mechanism_t hmac_mech;
2823 
2824 		if (cd->d_encr_key.ck_data != NULL) {
2825 			bzero(cd->d_encr_key.ck_data, cd->keylen);
2826 			kmem_free(cd->d_encr_key.ck_data, cd->keylen);
2827 		}
2828 
2829 		if (cd->d_hmac_key.ck_data != NULL) {
2830 			bzero(cd->d_hmac_key.ck_data, cd->keylen);
2831 			kmem_free(cd->d_hmac_key.ck_data, cd->keylen);
2832 		}
2833 
2834 		if (cd->enc_tmpl != NULL)
2835 			(void) crypto_destroy_ctx_template(cd->enc_tmpl);
2836 
2837 		if (cd->hmac_tmpl != NULL)
2838 			(void) crypto_destroy_ctx_template(cd->hmac_tmpl);
2839 
2840 		enc_mech.cm_type = cd->mech_type;
2841 		enc_mech.cm_param = cd->ivec;
2842 		enc_mech.cm_param_len = cd->ivlen;
2843 
2844 		hmac_mech.cm_type = sha1_hmac_mech;
2845 		hmac_mech.cm_param = NULL;
2846 		hmac_mech.cm_param_len = 0;
2847 
2848 		/*
2849 		 * Create the derived keys.
2850 		 */
2851 		rv = create_derived_keys(cd,
2852 			(encrypt ? enc_usage : dec_usage),
2853 			&cd->d_encr_key, &cd->d_hmac_key);
2854 
2855 		if (rv != CRYPTO_SUCCESS) {
2856 			cmn_err(CE_WARN, "failed to create derived "
2857 				"keys: %0x", rv);
2858 			return (CRYPTO_FAILED);
2859 		}
2860 
2861 		rv = crypto_create_ctx_template(&enc_mech,
2862 					&cd->d_encr_key,
2863 					&cd->enc_tmpl, KM_SLEEP);
2864 		if (rv == CRYPTO_MECH_NOT_SUPPORTED) {
2865 			cd->enc_tmpl = NULL;
2866 		} else if (rv != CRYPTO_SUCCESS) {
2867 			cmn_err(CE_WARN, "failed to create enc template "
2868 				"for d_encr_key: %0x", rv);
2869 			return (CRYPTO_FAILED);
2870 		}
2871 
2872 		rv = crypto_create_ctx_template(&hmac_mech,
2873 				&cd->d_hmac_key,
2874 				&cd->hmac_tmpl, KM_SLEEP);
2875 		if (rv == CRYPTO_MECH_NOT_SUPPORTED) {
2876 			cd->hmac_tmpl = NULL;
2877 		} else if (rv != CRYPTO_SUCCESS) {
2878 			cmn_err(CE_WARN, "failed to create hmac template:"
2879 				" %0x", rv);
2880 			return (CRYPTO_FAILED);
2881 		}
2882 	} else if (IS_RC4_METHOD(cd->method)) {
2883 		bzero(&cd->d_encr_key, sizeof (crypto_key_t));
2884 		bzero(&cd->d_hmac_key, sizeof (crypto_key_t));
2885 		cd->ctx = NULL;
2886 		cd->enc_tmpl = NULL;
2887 		cd->hmac_tmpl = NULL;
2888 	}
2889 
2890 	/* Final sanity checks, make sure no fields are NULL */
2891 	if (cd->method != CRYPT_METHOD_NONE) {
2892 		if (cd->block == NULL && cd->blocklen > 0) {
2893 #ifdef DEBUG
2894 			cmn_err(CE_WARN,
2895 				"setup_crypto: IV block not allocated");
2896 #endif
2897 			return (ENOMEM);
2898 		}
2899 		if (cd->key == NULL && cd->keylen > 0) {
2900 #ifdef DEBUG
2901 			cmn_err(CE_WARN,
2902 				"setup_crypto: key block not allocated");
2903 #endif
2904 			return (ENOMEM);
2905 		}
2906 		if (cd->method == CRYPT_METHOD_DES_CFB &&
2907 		    cd->saveblock == NULL && cd->blocklen > 0) {
2908 #ifdef DEBUG
2909 			cmn_err(CE_WARN,
2910 				"setup_crypto: save block not allocated");
2911 #endif
2912 			return (ENOMEM);
2913 		}
2914 		if (cd->ivec == NULL && cd->ivlen > 0) {
2915 #ifdef DEBUG
2916 			cmn_err(CE_WARN,
2917 				"setup_crypto: IV not allocated");
2918 #endif
2919 			return (ENOMEM);
2920 		}
2921 	}
2922 	return (0);
2923 }
2924 
2925 /*
2926  * RCMDS require a 4 byte, clear text
2927  * length field before each message.
2928  * Add it now.
2929  */
2930 static mblk_t *
2931 mklenmp(mblk_t *bp, uint32_t len)
2932 {
2933 	mblk_t *lenmp;
2934 	uchar_t *ucp;
2935 
2936 	if (bp->b_rptr - 4 < DB_BASE(bp) || DB_REF(bp) > 1) {
2937 		lenmp = allocb(4, BPRI_MED);
2938 		if (lenmp != NULL) {
2939 			lenmp->b_rptr = lenmp->b_wptr = DB_LIM(lenmp);
2940 			linkb(lenmp, bp);
2941 			bp = lenmp;
2942 		}
2943 	}
2944 	ucp = bp->b_rptr;
2945 	*--ucp = len;
2946 	*--ucp = len >> 8;
2947 	*--ucp = len >> 16;
2948 	*--ucp = len >> 24;
2949 
2950 	bp->b_rptr = ucp;
2951 
2952 	return (bp);
2953 }
2954 
2955 /*
2956  * encrypt_msgb
2957  *
2958  * encrypt a single message. This routine adds the
2959  * RCMD overhead bytes when necessary.
2960  */
2961 static mblk_t *
2962 encrypt_msgb(queue_t *q, struct tmodinfo *tmi, mblk_t *mp)
2963 {
2964 	mblk_t *newmp;
2965 	size_t plainlen;
2966 	size_t headspace;
2967 
2968 	if (tmi->enc_data.method == CRYPT_METHOD_NONE) {
2969 		return (mp);
2970 	}
2971 
2972 	/*
2973 	 * process message
2974 	 */
2975 	newmp = NULL;
2976 	if ((plainlen = MBLKL(mp)) > 0) {
2977 		mblk_t *cbp;
2978 		size_t cipherlen;
2979 		size_t extra = 0;
2980 		uint32_t ptlen = (uint32_t)plainlen;
2981 
2982 		/*
2983 		 * If we are using the "NEW" RCMD mode,
2984 		 * add 4 bytes to the plaintext for the
2985 		 * plaintext length that gets prepended
2986 		 * before encrypting.
2987 		 */
2988 		if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
2989 			ptlen += 4;
2990 
2991 		cipherlen = encrypt_size(&tmi->enc_data, (size_t)ptlen);
2992 
2993 		/*
2994 		 * if we must allocb, then make sure its enough
2995 		 * to hold the length field so we dont have to allocb
2996 		 * again down below in 'mklenmp'
2997 		 */
2998 		if (ANY_RCMD_MODE(tmi->enc_data.option_mask)) {
2999 			extra = sizeof (uint32_t);
3000 		}
3001 
3002 		/*
3003 		 * Calculate how much space is needed in front of
3004 		 * the data.
3005 		 */
3006 		headspace = plaintext_offset(&tmi->enc_data);
3007 
3008 		/*
3009 		 * If the current block is too small, reallocate
3010 		 * one large enough to hold the hdr, tail, and
3011 		 * ciphertext.
3012 		 */
3013 		if ((cipherlen + extra >= MBLKSIZE(mp)) || DB_REF(mp) > 1) {
3014 			int sz = P2ROUNDUP(cipherlen+extra, 8);
3015 
3016 			cbp = allocb_tmpl(sz, mp);
3017 			if (cbp == NULL) {
3018 				cmn_err(CE_WARN,
3019 					"allocb (%d bytes) failed", sz);
3020 					return (NULL);
3021 			}
3022 
3023 			cbp->b_cont = mp->b_cont;
3024 
3025 			/*
3026 			 * headspace includes the length fields needed
3027 			 * for the RCMD modes (v1 == 4 bytes, V2 = 8)
3028 			 */
3029 			cbp->b_rptr = DB_BASE(cbp) + headspace;
3030 
3031 			ASSERT(cbp->b_rptr + P2ROUNDUP(plainlen, 8)
3032 				<= DB_LIM(cbp));
3033 
3034 			bcopy(mp->b_rptr, cbp->b_rptr, plainlen);
3035 			cbp->b_wptr = cbp->b_rptr + plainlen;
3036 
3037 			freeb(mp);
3038 		} else {
3039 			size_t extra = 0;
3040 			cbp = mp;
3041 
3042 			/*
3043 			 * Some ciphers add HMAC after the final block
3044 			 * of the ciphertext, not at the beginning like the
3045 			 * 1-DES ciphers.
3046 			 */
3047 			if (tmi->enc_data.method ==
3048 				CRYPT_METHOD_DES3_CBC_SHA1 ||
3049 			    IS_AES_METHOD(tmi->enc_data.method)) {
3050 				extra = sha1_hash.hash_len;
3051 			}
3052 
3053 			/*
3054 			 * Make sure the rptr is positioned correctly so that
3055 			 * routines later do not have to shift this data around
3056 			 */
3057 			if ((cbp->b_rptr + P2ROUNDUP(plainlen + extra, 8) >
3058 				DB_LIM(cbp)) ||
3059 				(cbp->b_rptr - headspace < DB_BASE(cbp))) {
3060 				ovbcopy(cbp->b_rptr, DB_BASE(cbp) + headspace,
3061 					plainlen);
3062 				cbp->b_rptr = DB_BASE(cbp) + headspace;
3063 				cbp->b_wptr = cbp->b_rptr + plainlen;
3064 			}
3065 		}
3066 
3067 		ASSERT(cbp->b_rptr - headspace >= DB_BASE(cbp));
3068 		ASSERT(cbp->b_wptr <= DB_LIM(cbp));
3069 
3070 		/*
3071 		 * If using RCMD_MODE_V2 (new rcmd mode), prepend
3072 		 * the plaintext length before the actual plaintext.
3073 		 */
3074 		if (tmi->enc_data.option_mask & CRYPTOPT_RCMD_MODE_V2) {
3075 			cbp->b_rptr -= RCMD_LEN_SZ;
3076 
3077 			/* put plaintext length at head of buffer */
3078 			*(cbp->b_rptr + 3) = (uchar_t)(plainlen & 0xff);
3079 			*(cbp->b_rptr + 2) = (uchar_t)((plainlen >> 8) & 0xff);
3080 			*(cbp->b_rptr + 1) = (uchar_t)((plainlen >> 16) & 0xff);
3081 			*(cbp->b_rptr) = (uchar_t)((plainlen >> 24) & 0xff);
3082 		}
3083 
3084 		newmp = do_encrypt(q, cbp);
3085 
3086 		if (newmp != NULL &&
3087 		    (tmi->enc_data.option_mask &
3088 		    (CRYPTOPT_RCMD_MODE_V1 | CRYPTOPT_RCMD_MODE_V2))) {
3089 			mblk_t *lp;
3090 			/*
3091 			 * Add length field, required when this is
3092 			 * used to encrypt "r*" commands(rlogin, rsh)
3093 			 * with Kerberos.
3094 			 */
3095 			lp = mklenmp(newmp, plainlen);
3096 
3097 			if (lp == NULL) {
3098 				freeb(newmp);
3099 				return (NULL);
3100 			} else {
3101 				newmp = lp;
3102 			}
3103 		}
3104 	} else {
3105 		freeb(mp);
3106 	}
3107 
3108 	return (newmp);
3109 }
3110 
3111 /*
3112  * cryptmodwsrv
3113  *
3114  * Service routine for the write queue.
3115  *
3116  * Because data may be placed in the queue to hold between
3117  * the CRYPTIOCSTOP and CRYPTIOCSTART ioctls, the service routine is needed.
3118  */
3119 static int
3120 cryptmodwsrv(queue_t *q)
3121 {
3122 	mblk_t *mp;
3123 	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
3124 
3125 	while ((mp = getq(q)) != NULL) {
3126 		switch (mp->b_datap->db_type) {
3127 		default:
3128 			/*
3129 			 * wput does not queue anything > QPCTL
3130 			 */
3131 			if (!canputnext(q) ||
3132 			    !(tmi->ready & CRYPT_WRITE_READY)) {
3133 				if (!putbq(q, mp)) {
3134 					freemsg(mp);
3135 				}
3136 				return (0);
3137 			}
3138 			putnext(q, mp);
3139 			break;
3140 		case M_DATA:
3141 			if (canputnext(q) && (tmi->ready & CRYPT_WRITE_READY)) {
3142 				mblk_t *bp;
3143 				mblk_t *newmsg = NULL;
3144 
3145 				/*
3146 				 * If multiple msgs, concat into 1
3147 				 * to minimize crypto operations later.
3148 				 */
3149 				if (mp->b_cont != NULL) {
3150 					bp = msgpullup(mp, -1);
3151 					if (bp != NULL) {
3152 						freemsg(mp);
3153 						mp = bp;
3154 					}
3155 				}
3156 				newmsg = encrypt_msgb(q, tmi, mp);
3157 				if (newmsg != NULL)
3158 					putnext(q, newmsg);
3159 			} else {
3160 				if (!putbq(q, mp)) {
3161 					freemsg(mp);
3162 				}
3163 				return (0);
3164 			}
3165 			break;
3166 		}
3167 	}
3168 	return (0);
3169 }
3170 
3171 static void
3172 start_stream(queue_t *wq, mblk_t *mp, uchar_t dir)
3173 {
3174 	mblk_t *newmp = NULL;
3175 	struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr;
3176 
3177 	if (dir == CRYPT_ENCRYPT) {
3178 		tmi->ready |= CRYPT_WRITE_READY;
3179 		(void) (STRLOG(CRYPTMOD_ID, 0, 5, SL_TRACE|SL_NOTE,
3180 				"start_stream: restart ENCRYPT/WRITE q"));
3181 
3182 		enableok(wq);
3183 		qenable(wq);
3184 	} else if (dir == CRYPT_DECRYPT) {
3185 		/*
3186 		 * put any extra data in the RD
3187 		 * queue to be processed and
3188 		 * sent back up.
3189 		 */
3190 		newmp = mp->b_cont;
3191 		mp->b_cont = NULL;
3192 
3193 		tmi->ready |= CRYPT_READ_READY;
3194 		(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3195 				SL_TRACE|SL_NOTE,
3196 				"start_stream: restart "
3197 				"DECRYPT/READ q"));
3198 
3199 		if (newmp != NULL)
3200 			if (!putbq(RD(wq), newmp))
3201 				freemsg(newmp);
3202 
3203 		enableok(RD(wq));
3204 		qenable(RD(wq));
3205 	}
3206 
3207 	miocack(wq, mp, 0, 0);
3208 }
3209 
3210 /*
3211  * Write-side put procedure.  Its main task is to detect ioctls and
3212  * FLUSH operations.  Other message types are passed on through.
3213  */
3214 static void
3215 cryptmodwput(queue_t *wq, mblk_t *mp)
3216 {
3217 	struct iocblk *iocp;
3218 	struct tmodinfo *tmi = (struct tmodinfo *)wq->q_ptr;
3219 	int ret, err;
3220 
3221 	switch (mp->b_datap->db_type) {
3222 	case M_DATA:
3223 		if (wq->q_first == NULL && canputnext(wq) &&
3224 		    (tmi->ready & CRYPT_WRITE_READY) &&
3225 		    tmi->enc_data.method == CRYPT_METHOD_NONE) {
3226 			putnext(wq, mp);
3227 			return;
3228 		}
3229 		/* else, put it in the service queue */
3230 		if (!putq(wq, mp)) {
3231 			freemsg(mp);
3232 		}
3233 		break;
3234 	case M_FLUSH:
3235 		if (*mp->b_rptr & FLUSHW) {
3236 			flushq(wq, FLUSHDATA);
3237 		}
3238 		putnext(wq, mp);
3239 		break;
3240 	case M_IOCTL:
3241 		iocp = (struct iocblk *)mp->b_rptr;
3242 		switch (iocp->ioc_cmd) {
3243 		case CRYPTIOCSETUP:
3244 			ret = 0;
3245 			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3246 					SL_TRACE | SL_NOTE,
3247 					"wput: got CRYPTIOCSETUP "
3248 					"ioctl(%d)", iocp->ioc_cmd));
3249 
3250 			if ((err = miocpullup(mp,
3251 					sizeof (struct cr_info_t))) != 0) {
3252 				cmn_err(CE_WARN,
3253 				"wput: miocpullup failed for cr_info_t");
3254 				miocnak(wq, mp, 0, err);
3255 			} else {
3256 				struct cr_info_t *ci;
3257 				ci = (struct cr_info_t *)mp->b_cont->b_rptr;
3258 
3259 				if (ci->direction_mask & CRYPT_ENCRYPT) {
3260 				    ret = setup_crypto(ci, &tmi->enc_data, 1);
3261 				}
3262 
3263 				if (ret == 0 &&
3264 				    (ci->direction_mask & CRYPT_DECRYPT)) {
3265 				    ret = setup_crypto(ci, &tmi->dec_data, 0);
3266 				}
3267 				if (ret == 0 &&
3268 				    (ci->direction_mask & CRYPT_DECRYPT) &&
3269 				    ANY_RCMD_MODE(tmi->dec_data.option_mask)) {
3270 					bzero(&tmi->rcmd_state,
3271 					    sizeof (tmi->rcmd_state));
3272 				}
3273 				if (ret == 0) {
3274 					miocack(wq, mp, 0, 0);
3275 				} else {
3276 					cmn_err(CE_WARN,
3277 						"wput: setup_crypto failed");
3278 					miocnak(wq, mp, 0, ret);
3279 				}
3280 				(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3281 						SL_TRACE|SL_NOTE,
3282 						"wput: done with SETUP "
3283 						"ioctl"));
3284 			}
3285 			break;
3286 		case CRYPTIOCSTOP:
3287 			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3288 					SL_TRACE|SL_NOTE,
3289 					"wput: got CRYPTIOCSTOP "
3290 					"ioctl(%d)", iocp->ioc_cmd));
3291 
3292 			if ((err = miocpullup(mp, sizeof (uint32_t))) != 0) {
3293 				cmn_err(CE_WARN,
3294 					"wput: CRYPTIOCSTOP ioctl wrong "
3295 					"size (%d should be %d)",
3296 					(int)iocp->ioc_count,
3297 					(int)sizeof (uint32_t));
3298 				miocnak(wq, mp, 0, err);
3299 			} else {
3300 				uint32_t *stopdir;
3301 
3302 				stopdir = (uint32_t *)mp->b_cont->b_rptr;
3303 				if (!CR_DIRECTION_OK(*stopdir)) {
3304 					miocnak(wq, mp, 0, EINVAL);
3305 					return;
3306 				}
3307 
3308 				/* disable the queues until further notice */
3309 				if (*stopdir & CRYPT_ENCRYPT) {
3310 					noenable(wq);
3311 					tmi->ready &= ~CRYPT_WRITE_READY;
3312 				}
3313 				if (*stopdir & CRYPT_DECRYPT) {
3314 					noenable(RD(wq));
3315 					tmi->ready &= ~CRYPT_READ_READY;
3316 				}
3317 
3318 				miocack(wq, mp, 0, 0);
3319 			}
3320 			break;
3321 		case CRYPTIOCSTARTDEC:
3322 			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3323 					SL_TRACE|SL_NOTE,
3324 					"wput: got CRYPTIOCSTARTDEC "
3325 					"ioctl(%d)", iocp->ioc_cmd));
3326 
3327 			start_stream(wq, mp, CRYPT_DECRYPT);
3328 			break;
3329 		case CRYPTIOCSTARTENC:
3330 			(void) (STRLOG(CRYPTMOD_ID, 0, 5,
3331 					SL_TRACE|SL_NOTE,
3332 					"wput: got CRYPTIOCSTARTENC "
3333 					"ioctl(%d)", iocp->ioc_cmd));
3334 
3335 			start_stream(wq, mp, CRYPT_ENCRYPT);
3336 			break;
3337 		default:
3338 			putnext(wq, mp);
3339 			break;
3340 		}
3341 		break;
3342 	default:
3343 		if (queclass(mp) < QPCTL) {
3344 			if (wq->q_first != NULL || !canputnext(wq)) {
3345 				if (!putq(wq, mp))
3346 					freemsg(mp);
3347 				return;
3348 			}
3349 		}
3350 		putnext(wq, mp);
3351 		break;
3352 	}
3353 }
3354 
3355 /*
3356  * decrypt_rcmd_mblks
3357  *
3358  * Because kerberized r* commands(rsh, rlogin, etc)
3359  * use a 4 byte length field to indicate the # of
3360  * PLAINTEXT bytes that are encrypted in the field
3361  * that follows, we must parse out each message and
3362  * break out the length fields prior to sending them
3363  * upstream to our Solaris r* clients/servers which do
3364  * NOT understand this format.
3365  *
3366  * Kerberized/encrypted message format:
3367  * -------------------------------
3368  * | XXXX | N bytes of ciphertext|
3369  * -------------------------------
3370  *
3371  * Where: XXXX = number of plaintext bytes that were encrypted in
3372  *               to make the ciphertext field.  This is done
3373  *               because we are using a cipher that pads out to
3374  *               an 8 byte boundary.  We only want the application
3375  *               layer to see the correct number of plain text bytes,
3376  *               not plaintext + pad.  So, after we decrypt, we
3377  *               must trim the output block down to the intended
3378  *               plaintext length and eliminate the pad bytes.
3379  *
3380  * This routine takes the entire input message, breaks it into
3381  * a new message that does not contain these length fields and
3382  * returns a message consisting of mblks filled with just ciphertext.
3383  *
3384  */
3385 static mblk_t *
3386 decrypt_rcmd_mblks(queue_t *q, mblk_t *mp)
3387 {
3388 	mblk_t *newmp = NULL;
3389 	size_t msglen;
3390 	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
3391 
3392 	msglen = msgsize(mp);
3393 
3394 	/*
3395 	 * If we need the length field, get it here.
3396 	 * Test the "plaintext length" indicator.
3397 	 */
3398 	if (tmi->rcmd_state.pt_len == 0) {
3399 		uint32_t elen;
3400 		int tocopy;
3401 		mblk_t *nextp;
3402 
3403 		/*
3404 		 * Make sure we have recieved all 4 bytes of the
3405 		 * length field.
3406 		 */
3407 		while (mp != NULL) {
3408 			ASSERT(tmi->rcmd_state.cd_len < sizeof (uint32_t));
3409 
3410 			tocopy = sizeof (uint32_t) -
3411 				tmi->rcmd_state.cd_len;
3412 			if (tocopy > msglen)
3413 				tocopy = msglen;
3414 
3415 			ASSERT(mp->b_rptr + tocopy <= DB_LIM(mp));
3416 			bcopy(mp->b_rptr,
3417 				(char *)(&tmi->rcmd_state.next_len +
3418 					tmi->rcmd_state.cd_len), tocopy);
3419 
3420 			tmi->rcmd_state.cd_len += tocopy;
3421 
3422 			if (tmi->rcmd_state.cd_len >= sizeof (uint32_t)) {
3423 				tmi->rcmd_state.next_len =
3424 					ntohl(tmi->rcmd_state.next_len);
3425 				break;
3426 			}
3427 
3428 			nextp = mp->b_cont;
3429 			mp->b_cont = NULL;
3430 			freeb(mp);
3431 			mp = nextp;
3432 		}
3433 
3434 		if (mp == NULL) {
3435 			return (NULL);
3436 		}
3437 		/*
3438 		 * recalculate the msglen now that we've read the
3439 		 * length and adjusted the bufptr (b_rptr).
3440 		 */
3441 		msglen -= tocopy;
3442 		mp->b_rptr += tocopy;
3443 
3444 		tmi->rcmd_state.pt_len = tmi->rcmd_state.next_len;
3445 
3446 		if (tmi->rcmd_state.pt_len <= 0) {
3447 			/*
3448 			 * Return an IO error to break the connection. there
3449 			 * is no way to recover from this.  Usually it means
3450 			 * the app has incorrectly requested decryption on
3451 			 * a non-encrypted stream, thus the "pt_len" field
3452 			 * is negative.
3453 			 */
3454 			mp->b_datap->db_type = M_ERROR;
3455 			mp->b_rptr = mp->b_datap->db_base;
3456 			*mp->b_rptr = EIO;
3457 			mp->b_wptr = mp->b_rptr + sizeof (char);
3458 
3459 			freemsg(mp->b_cont);
3460 			mp->b_cont = NULL;
3461 			qreply(WR(q), mp);
3462 			tmi->rcmd_state.cd_len = tmi->rcmd_state.pt_len = 0;
3463 			return (NULL);
3464 		}
3465 
3466 		/*
3467 		 * If this is V2 mode, then the encrypted data is actually
3468 		 * 4 bytes bigger than the indicated len because the plaintext
3469 		 * length is encrypted for an additional security check, but
3470 		 * its not counted as part of the overall length we just read.
3471 		 * Strange and confusing, but true.
3472 		 */
3473 
3474 		if (tmi->dec_data.option_mask & CRYPTOPT_RCMD_MODE_V2)
3475 			elen = tmi->rcmd_state.pt_len + 4;
3476 		else
3477 			elen = tmi->rcmd_state.pt_len;
3478 
3479 		tmi->rcmd_state.cd_len  = encrypt_size(&tmi->dec_data, elen);
3480 
3481 		/*
3482 		 * Allocate an mblk to hold the cipher text until it is
3483 		 * all ready to be processed.
3484 		 */
3485 		tmi->rcmd_state.c_msg = allocb(tmi->rcmd_state.cd_len,
3486 						BPRI_HI);
3487 		if (tmi->rcmd_state.c_msg == NULL) {
3488 #ifdef DEBUG
3489 			cmn_err(CE_WARN, "decrypt_rcmd_msgb: allocb failed "
3490 				"for %d bytes",
3491 				(int)tmi->rcmd_state.cd_len);
3492 #endif
3493 			/*
3494 			 * Return an IO error to break the connection.
3495 			 */
3496 			mp->b_datap->db_type = M_ERROR;
3497 			mp->b_rptr = mp->b_datap->db_base;
3498 			*mp->b_rptr = EIO;
3499 			mp->b_wptr = mp->b_rptr + sizeof (char);
3500 			freemsg(mp->b_cont);
3501 			mp->b_cont = NULL;
3502 			tmi->rcmd_state.cd_len = tmi->rcmd_state.pt_len = 0;
3503 			qreply(WR(q), mp);
3504 			return (NULL);
3505 		}
3506 	}
3507 
3508 	/*
3509 	 * If this entire message was just the length field,
3510 	 * free and return.  The actual data will probably be next.
3511 	 */
3512 	if (msglen == 0) {
3513 		freemsg(mp);
3514 		return (NULL);
3515 	}
3516 
3517 	/*
3518 	 * Copy as much of the cipher text as possible into
3519 	 * the new msgb (c_msg).
3520 	 *
3521 	 * Logic:  if we got some bytes (msglen) and we still
3522 	 * 	"need" some bytes (len-rcvd), get them here.
3523 	 */
3524 	ASSERT(tmi->rcmd_state.c_msg != NULL);
3525 	if (msglen > 0 &&
3526 	    (tmi->rcmd_state.cd_len > MBLKL(tmi->rcmd_state.c_msg))) {
3527 		mblk_t *bp, *nextp;
3528 		size_t n;
3529 
3530 		/*
3531 		 * Walk the mblks and copy just as many bytes as we need
3532 		 * for this particular block of cipher text.
3533 		 */
3534 		bp = mp;
3535 		while (bp != NULL) {
3536 			size_t needed;
3537 			size_t tocopy;
3538 			n = MBLKL(bp);
3539 
3540 			needed = tmi->rcmd_state.cd_len -
3541 				MBLKL(tmi->rcmd_state.c_msg);
3542 
3543 			tocopy = (needed >= n ? n : needed);
3544 
3545 			ASSERT(bp->b_rptr + tocopy <= DB_LIM(bp));
3546 			ASSERT(tmi->rcmd_state.c_msg->b_wptr + tocopy <=
3547 				DB_LIM(tmi->rcmd_state.c_msg));
3548 
3549 			/* Copy to end of new mblk */
3550 			bcopy(bp->b_rptr, tmi->rcmd_state.c_msg->b_wptr,
3551 				tocopy);
3552 
3553 			tmi->rcmd_state.c_msg->b_wptr += tocopy;
3554 
3555 			bp->b_rptr += tocopy;
3556 
3557 			nextp = bp->b_cont;
3558 
3559 			/*
3560 			 * If we used this whole block, free it and
3561 			 * move on.
3562 			 */
3563 			if (!MBLKL(bp)) {
3564 				freeb(bp);
3565 				bp = NULL;
3566 			}
3567 
3568 			/* If we got what we needed, stop the loop */
3569 			if (MBLKL(tmi->rcmd_state.c_msg) ==
3570 			    tmi->rcmd_state.cd_len) {
3571 				/*
3572 				 * If there is more data in the message,
3573 				 * its for another block of cipher text,
3574 				 * put it back in the queue for next time.
3575 				 */
3576 				if (bp) {
3577 					if (!putbq(q, bp))
3578 						freemsg(bp);
3579 				} else if (nextp != NULL) {
3580 					/*
3581 					 * If there is more, put it back in the
3582 					 * queue for another pass thru.
3583 					 */
3584 					if (!putbq(q, nextp))
3585 						freemsg(nextp);
3586 				}
3587 				break;
3588 			}
3589 			bp = nextp;
3590 		}
3591 	}
3592 	/*
3593 	 * Finally, if we received all the cipher text data for
3594 	 * this message, decrypt it into a new msg and send it up
3595 	 * to the app.
3596 	 */
3597 	if (tmi->rcmd_state.pt_len > 0 &&
3598 	    MBLKL(tmi->rcmd_state.c_msg) == tmi->rcmd_state.cd_len) {
3599 		mblk_t *bp;
3600 		mblk_t *newbp;
3601 
3602 		/*
3603 		 * Now we can use our msg that we created when the
3604 		 * initial message boundary was detected.
3605 		 */
3606 		bp = tmi->rcmd_state.c_msg;
3607 		tmi->rcmd_state.c_msg = NULL;
3608 
3609 		newbp = do_decrypt(q, bp);
3610 		if (newbp != NULL) {
3611 			bp = newbp;
3612 			/*
3613 			 * If using RCMD_MODE_V2 ("new" mode),
3614 			 * look at the 4 byte plaintext length that
3615 			 * was just decrypted and compare with the
3616 			 * original pt_len value that was received.
3617 			 */
3618 			if (tmi->dec_data.option_mask &
3619 			    CRYPTOPT_RCMD_MODE_V2) {
3620 				uint32_t pt_len2;
3621 
3622 				pt_len2 = *(uint32_t *)bp->b_rptr;
3623 				pt_len2 = ntohl(pt_len2);
3624 				/*
3625 				 * Make sure the 2 pt len fields agree.
3626 				 */
3627 				if (pt_len2 != tmi->rcmd_state.pt_len) {
3628 					cmn_err(CE_WARN,
3629 						"Inconsistent length fields"
3630 						" received %d != %d",
3631 						(int)tmi->rcmd_state.pt_len,
3632 						(int)pt_len2);
3633 					bp->b_datap->db_type = M_ERROR;
3634 					bp->b_rptr = bp->b_datap->db_base;
3635 					*bp->b_rptr = EIO;
3636 					bp->b_wptr = bp->b_rptr + sizeof (char);
3637 					freemsg(bp->b_cont);
3638 					bp->b_cont = NULL;
3639 					tmi->rcmd_state.cd_len = 0;
3640 					qreply(WR(q), bp);
3641 					return (NULL);
3642 				}
3643 				bp->b_rptr += sizeof (uint32_t);
3644 			}
3645 
3646 			/*
3647 			 * Trim the decrypted block the length originally
3648 			 * indicated by the sender.  This is to remove any
3649 			 * padding bytes that the sender added to satisfy
3650 			 * requirements of the crypto algorithm.
3651 			 */
3652 			bp->b_wptr = bp->b_rptr + tmi->rcmd_state.pt_len;
3653 
3654 			newmp = bp;
3655 
3656 			/*
3657 			 * Reset our state to indicate we are ready
3658 			 * for a new message.
3659 			 */
3660 			tmi->rcmd_state.pt_len = 0;
3661 			tmi->rcmd_state.cd_len = 0;
3662 		} else {
3663 #ifdef DEBUG
3664 			cmn_err(CE_WARN,
3665 				"decrypt_rcmd: do_decrypt on %d bytes failed",
3666 				(int)tmi->rcmd_state.cd_len);
3667 #endif
3668 			/*
3669 			 * do_decrypt already handled failures, just
3670 			 * return NULL.
3671 			 */
3672 			tmi->rcmd_state.pt_len = 0;
3673 			tmi->rcmd_state.cd_len = 0;
3674 			return (NULL);
3675 		}
3676 	}
3677 
3678 	/*
3679 	 * return the new message with the 'length' fields removed
3680 	 */
3681 	return (newmp);
3682 }
3683 
3684 /*
3685  * cryptmodrsrv
3686  *
3687  * Read queue service routine
3688  * Necessary because if the ready flag is not set
3689  * (via CRYPTIOCSTOP/CRYPTIOCSTART ioctls) then the data
3690  * must remain on queue and not be passed along.
3691  */
3692 static int
3693 cryptmodrsrv(queue_t *q)
3694 {
3695 	mblk_t *mp, *bp;
3696 	struct tmodinfo *tmi = (struct tmodinfo *)q->q_ptr;
3697 
3698 	while ((mp = getq(q)) != NULL) {
3699 		switch (mp->b_datap->db_type) {
3700 		case M_DATA:
3701 			if (canputnext(q) && tmi->ready & CRYPT_READ_READY) {
3702 				/*
3703 				 * Process "rcmd" messages differently because
3704 				 * they contain a 4 byte plaintext length
3705 				 * id that needs to be removed.
3706 				 */
3707 				if (tmi->dec_data.method != CRYPT_METHOD_NONE &&
3708 				    (tmi->dec_data.option_mask &
3709 				    (CRYPTOPT_RCMD_MODE_V1 |
3710 				    CRYPTOPT_RCMD_MODE_V2))) {
3711 					mp = decrypt_rcmd_mblks(q, mp);
3712 					if (mp)
3713 						putnext(q, mp);
3714 					continue;
3715 				}
3716 				if ((bp = msgpullup(mp, -1)) != NULL) {
3717 					freemsg(mp);
3718 					if (MBLKL(bp) > 0) {
3719 						mp = do_decrypt(q, bp);
3720 						if (mp != NULL)
3721 							putnext(q, mp);
3722 					}
3723 				}
3724 			} else {
3725 				if (!putbq(q, mp)) {
3726 					freemsg(mp);
3727 				}
3728 				return (0);
3729 			}
3730 			break;
3731 		default:
3732 			/*
3733 			 * rput does not queue anything > QPCTL, so we don't
3734 			 * need to check for it here.
3735 			 */
3736 			if (!canputnext(q)) {
3737 				if (!putbq(q, mp))
3738 					freemsg(mp);
3739 				return (0);
3740 			}
3741 			putnext(q, mp);
3742 			break;
3743 		}
3744 	}
3745 	return (0);
3746 }
3747 
3748 
3749 /*
3750  * Read-side put procedure.
3751  */
3752 static void
3753 cryptmodrput(queue_t *rq, mblk_t *mp)
3754 {
3755 	switch (mp->b_datap->db_type) {
3756 	case M_DATA:
3757 		if (!putq(rq, mp)) {
3758 			freemsg(mp);
3759 		}
3760 		break;
3761 	case M_FLUSH:
3762 		if (*mp->b_rptr & FLUSHR) {
3763 			flushq(rq, FLUSHALL);
3764 		}
3765 		putnext(rq, mp);
3766 		break;
3767 	default:
3768 		if (queclass(mp) < QPCTL) {
3769 			if (rq->q_first != NULL || !canputnext(rq)) {
3770 				if (!putq(rq, mp))
3771 					freemsg(mp);
3772 				return;
3773 			}
3774 		}
3775 		putnext(rq, mp);
3776 		break;
3777 	}
3778 }
3779