1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 #ifndef _KERNEL 26 #include <strings.h> 27 #include <limits.h> 28 #include <assert.h> 29 #include <security/cryptoki.h> 30 #endif 31 32 #include <sys/types.h> 33 #include <sys/kmem.h> 34 #include <modes/modes.h> 35 #include <sys/crypto/common.h> 36 #include <sys/crypto/impl.h> 37 #include <sys/byteorder.h> 38 39 #if defined(__i386) || defined(__amd64) 40 #define UNALIGNED_POINTERS_PERMITTED 41 #endif 42 43 /* 44 * Encrypt multiple blocks of data in CCM mode. Decrypt for CCM mode 45 * is done in another function. 46 */ 47 int 48 ccm_mode_encrypt_contiguous_blocks(ccm_ctx_t *ctx, char *data, size_t length, 49 crypto_data_t *out, size_t block_size, 50 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *), 51 void (*copy_block)(uint8_t *, uint8_t *), 52 void (*xor_block)(uint8_t *, uint8_t *)) 53 { 54 size_t remainder = length; 55 size_t need; 56 uint8_t *datap = (uint8_t *)data; 57 uint8_t *blockp; 58 uint8_t *lastp; 59 void *iov_or_mp; 60 offset_t offset; 61 uint8_t *out_data_1; 62 uint8_t *out_data_2; 63 size_t out_data_1_len; 64 uint64_t counter; 65 uint8_t *mac_buf; 66 67 if (length + ctx->ccm_remainder_len < block_size) { 68 /* accumulate bytes here and return */ 69 bcopy(datap, 70 (uint8_t *)ctx->ccm_remainder + ctx->ccm_remainder_len, 71 length); 72 ctx->ccm_remainder_len += length; 73 ctx->ccm_copy_to = datap; 74 return (CRYPTO_SUCCESS); 75 } 76 77 lastp = (uint8_t *)ctx->ccm_cb; 78 if (out != NULL) 79 crypto_init_ptrs(out, &iov_or_mp, &offset); 80 81 mac_buf = (uint8_t *)ctx->ccm_mac_buf; 82 83 do { 84 /* Unprocessed data from last call. */ 85 if (ctx->ccm_remainder_len > 0) { 86 need = block_size - ctx->ccm_remainder_len; 87 88 if (need > remainder) 89 return (CRYPTO_DATA_LEN_RANGE); 90 91 bcopy(datap, &((uint8_t *)ctx->ccm_remainder) 92 [ctx->ccm_remainder_len], need); 93 94 blockp = (uint8_t *)ctx->ccm_remainder; 95 } else { 96 blockp = datap; 97 } 98 99 /* 100 * do CBC MAC 101 * 102 * XOR the previous cipher block current clear block. 103 * mac_buf always contain previous cipher block. 104 */ 105 xor_block(blockp, mac_buf); 106 encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf); 107 108 /* ccm_cb is the counter block */ 109 encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb, 110 (uint8_t *)ctx->ccm_tmp); 111 112 lastp = (uint8_t *)ctx->ccm_tmp; 113 114 /* 115 * Increment counter. Counter bits are confined 116 * to the bottom 64 bits of the counter block. 117 */ 118 counter = ntohll(ctx->ccm_cb[1] & ctx->ccm_counter_mask); 119 counter = htonll(counter + 1); 120 counter &= ctx->ccm_counter_mask; 121 ctx->ccm_cb[1] = 122 (ctx->ccm_cb[1] & ~(ctx->ccm_counter_mask)) | counter; 123 124 /* 125 * XOR encrypted counter block with the current clear block. 126 */ 127 xor_block(blockp, lastp); 128 129 ctx->ccm_processed_data_len += block_size; 130 131 if (out == NULL) { 132 if (ctx->ccm_remainder_len > 0) { 133 bcopy(blockp, ctx->ccm_copy_to, 134 ctx->ccm_remainder_len); 135 bcopy(blockp + ctx->ccm_remainder_len, datap, 136 need); 137 } 138 } else { 139 crypto_get_ptrs(out, &iov_or_mp, &offset, &out_data_1, 140 &out_data_1_len, &out_data_2, block_size); 141 142 /* copy block to where it belongs */ 143 if (out_data_1_len == block_size) { 144 copy_block(lastp, out_data_1); 145 } else { 146 bcopy(lastp, out_data_1, out_data_1_len); 147 if (out_data_2 != NULL) { 148 bcopy(lastp + out_data_1_len, 149 out_data_2, 150 block_size - out_data_1_len); 151 } 152 } 153 /* update offset */ 154 out->cd_offset += block_size; 155 } 156 157 /* Update pointer to next block of data to be processed. */ 158 if (ctx->ccm_remainder_len != 0) { 159 datap += need; 160 ctx->ccm_remainder_len = 0; 161 } else { 162 datap += block_size; 163 } 164 165 remainder = (size_t)&data[length] - (size_t)datap; 166 167 /* Incomplete last block. */ 168 if (remainder > 0 && remainder < block_size) { 169 bcopy(datap, ctx->ccm_remainder, remainder); 170 ctx->ccm_remainder_len = remainder; 171 ctx->ccm_copy_to = datap; 172 goto out; 173 } 174 ctx->ccm_copy_to = NULL; 175 176 } while (remainder > 0); 177 178 out: 179 return (CRYPTO_SUCCESS); 180 } 181 182 void 183 calculate_ccm_mac(ccm_ctx_t *ctx, uint8_t *ccm_mac, 184 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *)) 185 { 186 uint64_t counter; 187 uint8_t *counterp, *mac_buf; 188 int i; 189 190 mac_buf = (uint8_t *)ctx->ccm_mac_buf; 191 192 /* first counter block start with index 0 */ 193 counter = 0; 194 ctx->ccm_cb[1] = (ctx->ccm_cb[1] & ~(ctx->ccm_counter_mask)) | counter; 195 196 counterp = (uint8_t *)ctx->ccm_tmp; 197 encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb, counterp); 198 199 /* calculate XOR of MAC with first counter block */ 200 for (i = 0; i < ctx->ccm_mac_len; i++) { 201 ccm_mac[i] = mac_buf[i] ^ counterp[i]; 202 } 203 } 204 205 /* ARGSUSED */ 206 int 207 ccm_encrypt_final(ccm_ctx_t *ctx, crypto_data_t *out, size_t block_size, 208 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *), 209 void (*xor_block)(uint8_t *, uint8_t *)) 210 { 211 uint8_t *lastp, *mac_buf, *ccm_mac_p, *macp; 212 void *iov_or_mp; 213 offset_t offset; 214 uint8_t *out_data_1; 215 uint8_t *out_data_2; 216 size_t out_data_1_len; 217 int i; 218 219 if (out->cd_length < (ctx->ccm_remainder_len + ctx->ccm_mac_len)) { 220 return (CRYPTO_DATA_LEN_RANGE); 221 } 222 223 /* 224 * When we get here, the number of bytes of payload processed 225 * plus whatever data remains, if any, 226 * should be the same as the number of bytes that's being 227 * passed in the argument during init time. 228 */ 229 if ((ctx->ccm_processed_data_len + ctx->ccm_remainder_len) 230 != (ctx->ccm_data_len)) { 231 return (CRYPTO_DATA_LEN_RANGE); 232 } 233 234 mac_buf = (uint8_t *)ctx->ccm_mac_buf; 235 236 if (ctx->ccm_remainder_len > 0) { 237 238 /* ccm_mac_input_buf is not used for encryption */ 239 macp = (uint8_t *)ctx->ccm_mac_input_buf; 240 bzero(macp, block_size); 241 242 /* copy remainder to temporary buffer */ 243 bcopy(ctx->ccm_remainder, macp, ctx->ccm_remainder_len); 244 245 /* calculate the CBC MAC */ 246 xor_block(macp, mac_buf); 247 encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf); 248 249 /* calculate the counter mode */ 250 lastp = (uint8_t *)ctx->ccm_tmp; 251 encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb, lastp); 252 253 /* XOR with counter block */ 254 for (i = 0; i < ctx->ccm_remainder_len; i++) { 255 macp[i] ^= lastp[i]; 256 } 257 ctx->ccm_processed_data_len += ctx->ccm_remainder_len; 258 } 259 260 /* Calculate the CCM MAC */ 261 ccm_mac_p = (uint8_t *)ctx->ccm_tmp; 262 calculate_ccm_mac(ctx, ccm_mac_p, encrypt_block); 263 264 crypto_init_ptrs(out, &iov_or_mp, &offset); 265 crypto_get_ptrs(out, &iov_or_mp, &offset, &out_data_1, 266 &out_data_1_len, &out_data_2, 267 ctx->ccm_remainder_len + ctx->ccm_mac_len); 268 269 if (ctx->ccm_remainder_len > 0) { 270 271 /* copy temporary block to where it belongs */ 272 if (out_data_2 == NULL) { 273 /* everything will fit in out_data_1 */ 274 bcopy(macp, out_data_1, ctx->ccm_remainder_len); 275 bcopy(ccm_mac_p, out_data_1 + ctx->ccm_remainder_len, 276 ctx->ccm_mac_len); 277 } else { 278 279 if (out_data_1_len < ctx->ccm_remainder_len) { 280 281 size_t data_2_len_used; 282 283 bcopy(macp, out_data_1, out_data_1_len); 284 285 data_2_len_used = ctx->ccm_remainder_len 286 - out_data_1_len; 287 288 bcopy((uint8_t *)macp + out_data_1_len, 289 out_data_2, data_2_len_used); 290 bcopy(ccm_mac_p, out_data_2 + data_2_len_used, 291 ctx->ccm_mac_len); 292 } else { 293 bcopy(macp, out_data_1, out_data_1_len); 294 if (out_data_1_len == ctx->ccm_remainder_len) { 295 /* mac will be in out_data_2 */ 296 bcopy(ccm_mac_p, out_data_2, 297 ctx->ccm_mac_len); 298 } else { 299 size_t len_not_used = out_data_1_len - 300 ctx->ccm_remainder_len; 301 /* 302 * part of mac in will be in 303 * out_data_1, part of the mac will be 304 * in out_data_2 305 */ 306 bcopy(ccm_mac_p, 307 out_data_1 + ctx->ccm_remainder_len, 308 len_not_used); 309 bcopy(ccm_mac_p + len_not_used, 310 out_data_2, 311 ctx->ccm_mac_len - len_not_used); 312 313 } 314 } 315 } 316 } else { 317 /* copy block to where it belongs */ 318 bcopy(ccm_mac_p, out_data_1, out_data_1_len); 319 if (out_data_2 != NULL) { 320 bcopy(ccm_mac_p + out_data_1_len, out_data_2, 321 block_size - out_data_1_len); 322 } 323 } 324 out->cd_offset += ctx->ccm_remainder_len + ctx->ccm_mac_len; 325 ctx->ccm_remainder_len = 0; 326 return (CRYPTO_SUCCESS); 327 } 328 329 /* 330 * This will only deal with decrypting the last block of the input that 331 * might not be a multiple of block length. 332 */ 333 void 334 ccm_decrypt_incomplete_block(ccm_ctx_t *ctx, 335 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *)) 336 { 337 uint8_t *datap, *outp, *counterp; 338 int i; 339 340 datap = (uint8_t *)ctx->ccm_remainder; 341 outp = &((ctx->ccm_pt_buf)[ctx->ccm_processed_data_len]); 342 343 counterp = (uint8_t *)ctx->ccm_tmp; 344 encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb, counterp); 345 346 /* XOR with counter block */ 347 for (i = 0; i < ctx->ccm_remainder_len; i++) { 348 outp[i] = datap[i] ^ counterp[i]; 349 } 350 } 351 352 /* 353 * This will decrypt the cipher text. However, the plaintext won't be 354 * returned to the caller. It will be returned when decrypt_final() is 355 * called if the MAC matches 356 */ 357 /* ARGSUSED */ 358 int 359 ccm_mode_decrypt_contiguous_blocks(ccm_ctx_t *ctx, char *data, size_t length, 360 crypto_data_t *out, size_t block_size, 361 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *), 362 void (*copy_block)(uint8_t *, uint8_t *), 363 void (*xor_block)(uint8_t *, uint8_t *)) 364 { 365 size_t remainder = length; 366 size_t need; 367 uint8_t *datap = (uint8_t *)data; 368 uint8_t *blockp; 369 uint8_t *cbp; 370 uint64_t counter; 371 size_t pt_len, total_decrypted_len, mac_len, pm_len, pd_len; 372 uint8_t *resultp; 373 374 375 pm_len = ctx->ccm_processed_mac_len; 376 377 if (pm_len > 0) { 378 uint8_t *tmp; 379 /* 380 * all ciphertext has been processed, just waiting for 381 * part of the value of the mac 382 */ 383 if ((pm_len + length) > ctx->ccm_mac_len) { 384 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE); 385 } 386 tmp = (uint8_t *)ctx->ccm_mac_input_buf; 387 388 bcopy(datap, tmp + pm_len, length); 389 390 ctx->ccm_processed_mac_len += length; 391 return (CRYPTO_SUCCESS); 392 } 393 394 /* 395 * If we decrypt the given data, what total amount of data would 396 * have been decrypted? 397 */ 398 pd_len = ctx->ccm_processed_data_len; 399 total_decrypted_len = pd_len + length + ctx->ccm_remainder_len; 400 401 if (total_decrypted_len > 402 (ctx->ccm_data_len + ctx->ccm_mac_len)) { 403 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE); 404 } 405 406 pt_len = ctx->ccm_data_len; 407 408 if (total_decrypted_len > pt_len) { 409 /* 410 * part of the input will be the MAC, need to isolate that 411 * to be dealt with later. The left-over data in 412 * ccm_remainder_len from last time will not be part of the 413 * MAC. Otherwise, it would have already been taken out 414 * when this call is made last time. 415 */ 416 size_t pt_part = pt_len - pd_len - ctx->ccm_remainder_len; 417 418 mac_len = length - pt_part; 419 420 ctx->ccm_processed_mac_len = mac_len; 421 bcopy(data + pt_part, ctx->ccm_mac_input_buf, mac_len); 422 423 if (pt_part + ctx->ccm_remainder_len < block_size) { 424 /* 425 * since this is last of the ciphertext, will 426 * just decrypt with it here 427 */ 428 bcopy(datap, &((uint8_t *)ctx->ccm_remainder) 429 [ctx->ccm_remainder_len], pt_part); 430 ctx->ccm_remainder_len += pt_part; 431 ccm_decrypt_incomplete_block(ctx, encrypt_block); 432 ctx->ccm_processed_data_len += ctx->ccm_remainder_len; 433 ctx->ccm_remainder_len = 0; 434 return (CRYPTO_SUCCESS); 435 } else { 436 /* let rest of the code handle this */ 437 length = pt_part; 438 } 439 } else if (length + ctx->ccm_remainder_len < block_size) { 440 /* accumulate bytes here and return */ 441 bcopy(datap, 442 (uint8_t *)ctx->ccm_remainder + ctx->ccm_remainder_len, 443 length); 444 ctx->ccm_remainder_len += length; 445 ctx->ccm_copy_to = datap; 446 return (CRYPTO_SUCCESS); 447 } 448 449 do { 450 /* Unprocessed data from last call. */ 451 if (ctx->ccm_remainder_len > 0) { 452 need = block_size - ctx->ccm_remainder_len; 453 454 if (need > remainder) 455 return (CRYPTO_ENCRYPTED_DATA_LEN_RANGE); 456 457 bcopy(datap, &((uint8_t *)ctx->ccm_remainder) 458 [ctx->ccm_remainder_len], need); 459 460 blockp = (uint8_t *)ctx->ccm_remainder; 461 } else { 462 blockp = datap; 463 } 464 465 /* Calculate the counter mode, ccm_cb is the counter block */ 466 cbp = (uint8_t *)ctx->ccm_tmp; 467 encrypt_block(ctx->ccm_keysched, (uint8_t *)ctx->ccm_cb, cbp); 468 469 /* 470 * Increment counter. 471 * Counter bits are confined to the bottom 64 bits 472 */ 473 counter = ntohll(ctx->ccm_cb[1] & ctx->ccm_counter_mask); 474 counter = htonll(counter + 1); 475 counter &= ctx->ccm_counter_mask; 476 ctx->ccm_cb[1] = 477 (ctx->ccm_cb[1] & ~(ctx->ccm_counter_mask)) | counter; 478 479 /* XOR with the ciphertext */ 480 xor_block(blockp, cbp); 481 482 /* Copy the plaintext to the "holding buffer" */ 483 resultp = (uint8_t *)ctx->ccm_pt_buf + 484 ctx->ccm_processed_data_len; 485 copy_block(cbp, resultp); 486 487 ctx->ccm_processed_data_len += block_size; 488 489 ctx->ccm_lastp = blockp; 490 491 /* Update pointer to next block of data to be processed. */ 492 if (ctx->ccm_remainder_len != 0) { 493 datap += need; 494 ctx->ccm_remainder_len = 0; 495 } else { 496 datap += block_size; 497 } 498 499 remainder = (size_t)&data[length] - (size_t)datap; 500 501 /* Incomplete last block */ 502 if (remainder > 0 && remainder < block_size) { 503 bcopy(datap, ctx->ccm_remainder, remainder); 504 ctx->ccm_remainder_len = remainder; 505 ctx->ccm_copy_to = datap; 506 if (ctx->ccm_processed_mac_len > 0) { 507 /* 508 * not expecting anymore ciphertext, just 509 * compute plaintext for the remaining input 510 */ 511 ccm_decrypt_incomplete_block(ctx, 512 encrypt_block); 513 ctx->ccm_processed_data_len += remainder; 514 ctx->ccm_remainder_len = 0; 515 } 516 goto out; 517 } 518 ctx->ccm_copy_to = NULL; 519 520 } while (remainder > 0); 521 522 out: 523 return (CRYPTO_SUCCESS); 524 } 525 526 int 527 ccm_decrypt_final(ccm_ctx_t *ctx, crypto_data_t *out, size_t block_size, 528 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *), 529 void (*copy_block)(uint8_t *, uint8_t *), 530 void (*xor_block)(uint8_t *, uint8_t *)) 531 { 532 size_t mac_remain, pt_len; 533 uint8_t *pt, *mac_buf, *macp, *ccm_mac_p; 534 int rv; 535 536 pt_len = ctx->ccm_data_len; 537 538 /* Make sure output buffer can fit all of the plaintext */ 539 if (out->cd_length < pt_len) { 540 return (CRYPTO_DATA_LEN_RANGE); 541 } 542 543 pt = ctx->ccm_pt_buf; 544 mac_remain = ctx->ccm_processed_data_len; 545 mac_buf = (uint8_t *)ctx->ccm_mac_buf; 546 547 macp = (uint8_t *)ctx->ccm_tmp; 548 549 while (mac_remain > 0) { 550 551 if (mac_remain < block_size) { 552 bzero(macp, block_size); 553 bcopy(pt, macp, mac_remain); 554 mac_remain = 0; 555 } else { 556 copy_block(pt, macp); 557 mac_remain -= block_size; 558 pt += block_size; 559 } 560 561 /* calculate the CBC MAC */ 562 xor_block(macp, mac_buf); 563 encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf); 564 } 565 566 /* Calculate the CCM MAC */ 567 ccm_mac_p = (uint8_t *)ctx->ccm_tmp; 568 calculate_ccm_mac((ccm_ctx_t *)ctx, ccm_mac_p, encrypt_block); 569 570 /* compare the input CCM MAC value with what we calculated */ 571 if (bcmp(ctx->ccm_mac_input_buf, ccm_mac_p, ctx->ccm_mac_len)) { 572 /* They don't match */ 573 return (CRYPTO_INVALID_MAC); 574 } else { 575 rv = crypto_put_output_data(ctx->ccm_pt_buf, out, pt_len); 576 if (rv != CRYPTO_SUCCESS) 577 return (rv); 578 out->cd_offset += pt_len; 579 } 580 return (CRYPTO_SUCCESS); 581 } 582 583 int 584 ccm_validate_args(CK_AES_CCM_PARAMS *ccm_param, boolean_t is_encrypt_init) 585 { 586 size_t macSize, nonceSize; 587 uint8_t q; 588 uint64_t maxValue; 589 590 /* 591 * Check the length of the MAC. The only valid 592 * lengths for the MAC are: 4, 6, 8, 10, 12, 14, 16 593 */ 594 macSize = ccm_param->ulMACSize; 595 if ((macSize < 4) || (macSize > 16) || ((macSize % 2) != 0)) { 596 return (CRYPTO_MECHANISM_PARAM_INVALID); 597 } 598 599 /* Check the nonce length. Valid values are 7, 8, 9, 10, 11, 12, 13 */ 600 nonceSize = ccm_param->ulNonceSize; 601 if ((nonceSize < 7) || (nonceSize > 13)) { 602 return (CRYPTO_MECHANISM_PARAM_INVALID); 603 } 604 605 /* q is the length of the field storing the length, in bytes */ 606 q = (uint8_t)((15 - nonceSize) & 0xFF); 607 608 609 /* 610 * If it is decrypt, need to make sure size of ciphertext is at least 611 * bigger than MAC len 612 */ 613 if ((!is_encrypt_init) && (ccm_param->ulDataSize < macSize)) { 614 return (CRYPTO_MECHANISM_PARAM_INVALID); 615 } 616 617 /* 618 * Check to make sure the length of the payload is within the 619 * range of values allowed by q 620 */ 621 if (q < 8) { 622 maxValue = (1ULL << (q * 8)) - 1; 623 } else { 624 maxValue = ULONG_MAX; 625 } 626 627 if (ccm_param->ulDataSize > maxValue) { 628 return (CRYPTO_MECHANISM_PARAM_INVALID); 629 } 630 return (CRYPTO_SUCCESS); 631 } 632 633 /* 634 * Format the first block used in CBC-MAC (B0) and the initial counter 635 * block based on formatting functions and counter generation functions 636 * specified in RFC 3610 and NIST publication 800-38C, appendix A 637 * 638 * b0 is the first block used in CBC-MAC 639 * cb0 is the first counter block 640 * 641 * It's assumed that the arguments b0 and cb0 are preallocated AES blocks 642 * 643 */ 644 static void 645 ccm_format_initial_blocks(uchar_t *nonce, ulong_t nonceSize, 646 ulong_t authDataSize, uint8_t *b0, ccm_ctx_t *aes_ctx) 647 { 648 uint64_t payloadSize; 649 uint8_t t, q, have_adata = 0; 650 size_t limit; 651 int i, j, k; 652 uint64_t mask = 0; 653 uint8_t *cb; 654 655 q = (uint8_t)((15 - nonceSize) & 0xFF); 656 t = (uint8_t)((aes_ctx->ccm_mac_len) & 0xFF); 657 658 /* Construct the first octet of b0 */ 659 if (authDataSize > 0) { 660 have_adata = 1; 661 } 662 b0[0] = (have_adata << 6) | (((t - 2) / 2) << 3) | (q - 1); 663 664 /* copy the nonce value into b0 */ 665 bcopy(nonce, &(b0[1]), nonceSize); 666 667 /* store the length of the payload into b0 */ 668 bzero(&(b0[1+nonceSize]), q); 669 670 payloadSize = aes_ctx->ccm_data_len; 671 limit = 8 < q ? 8 : q; 672 673 for (i = 0, j = 0, k = 15; i < limit; i++, j += 8, k--) { 674 b0[k] = (uint8_t)((payloadSize >> j) & 0xFF); 675 } 676 677 /* format the counter block */ 678 679 cb = (uint8_t *)aes_ctx->ccm_cb; 680 681 cb[0] = 0x07 & (q-1); /* first byte */ 682 683 /* copy the nonce value into the counter block */ 684 bcopy(nonce, &(cb[1]), nonceSize); 685 686 bzero(&(cb[1+nonceSize]), q); 687 688 /* Create the mask for the counter field based on the size of nonce */ 689 q <<= 3; 690 while (q-- > 0) { 691 mask |= (1ULL << q); 692 } 693 694 aes_ctx->ccm_counter_mask = htonll(mask); 695 696 /* 697 * During calculation, we start using counter block 1, we will 698 * set it up right here. 699 * We can just set the last byte to have the value 1, because 700 * even with the biggest nonce of 13, the last byte of the 701 * counter block will be used for the counter value. 702 */ 703 cb[15] = 0x01; 704 } 705 706 /* 707 * Encode the length of the associated data as 708 * specified in RFC 3610 and NIST publication 800-38C, appendix A 709 */ 710 static void 711 encode_adata_len(ulong_t auth_data_len, uint8_t *encoded, size_t *encoded_len) 712 { 713 #ifdef UNALIGNED_POINTERS_PERMITTED 714 uint32_t *lencoded_ptr; 715 #ifdef _LP64 716 uint64_t *llencoded_ptr; 717 #endif 718 #endif /* UNALIGNED_POINTERS_PERMITTED */ 719 720 if (auth_data_len < ((1ULL<<16) - (1ULL<<8))) { 721 /* 0 < a < (2^16-2^8) */ 722 *encoded_len = 2; 723 encoded[0] = (auth_data_len & 0xff00) >> 8; 724 encoded[1] = auth_data_len & 0xff; 725 726 } else if ((auth_data_len >= ((1ULL<<16) - (1ULL<<8))) && 727 (auth_data_len < (1ULL << 31))) { 728 /* (2^16-2^8) <= a < 2^32 */ 729 *encoded_len = 6; 730 encoded[0] = 0xff; 731 encoded[1] = 0xfe; 732 #ifdef UNALIGNED_POINTERS_PERMITTED 733 lencoded_ptr = (uint32_t *)(void *)&encoded[2]; 734 *lencoded_ptr = htonl(auth_data_len); 735 #else 736 encoded[2] = (auth_data_len & 0xff000000) >> 24; 737 encoded[3] = (auth_data_len & 0xff0000) >> 16; 738 encoded[4] = (auth_data_len & 0xff00) >> 8; 739 encoded[5] = auth_data_len & 0xff; 740 #endif /* UNALIGNED_POINTERS_PERMITTED */ 741 742 #ifdef _LP64 743 } else { 744 /* 2^32 <= a < 2^64 */ 745 *encoded_len = 10; 746 encoded[0] = 0xff; 747 encoded[1] = 0xff; 748 #ifdef UNALIGNED_POINTERS_PERMITTED 749 llencoded_ptr = (uint64_t *)(void *)&encoded[2]; 750 *llencoded_ptr = htonl(auth_data_len); 751 #else 752 encoded[2] = (auth_data_len & 0xff00000000000000) >> 56; 753 encoded[3] = (auth_data_len & 0xff000000000000) >> 48; 754 encoded[4] = (auth_data_len & 0xff0000000000) >> 40; 755 encoded[5] = (auth_data_len & 0xff00000000) >> 32; 756 encoded[6] = (auth_data_len & 0xff000000) >> 24; 757 encoded[7] = (auth_data_len & 0xff0000) >> 16; 758 encoded[8] = (auth_data_len & 0xff00) >> 8; 759 encoded[9] = auth_data_len & 0xff; 760 #endif /* UNALIGNED_POINTERS_PERMITTED */ 761 #endif /* _LP64 */ 762 } 763 } 764 765 /* 766 * The following function should be call at encrypt or decrypt init time 767 * for AES CCM mode. 768 */ 769 int 770 ccm_init(ccm_ctx_t *ctx, unsigned char *nonce, size_t nonce_len, 771 unsigned char *auth_data, size_t auth_data_len, size_t block_size, 772 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *), 773 void (*xor_block)(uint8_t *, uint8_t *)) 774 { 775 uint8_t *mac_buf, *datap, *ivp, *authp; 776 size_t remainder, processed; 777 uint8_t encoded_a[10]; /* max encoded auth data length is 10 octets */ 778 size_t encoded_a_len = 0; 779 780 mac_buf = (uint8_t *)&(ctx->ccm_mac_buf); 781 782 /* 783 * Format the 1st block for CBC-MAC and construct the 784 * 1st counter block. 785 * 786 * aes_ctx->ccm_iv is used for storing the counter block 787 * mac_buf will store b0 at this time. 788 */ 789 ccm_format_initial_blocks(nonce, nonce_len, 790 auth_data_len, mac_buf, ctx); 791 792 /* The IV for CBC MAC for AES CCM mode is always zero */ 793 ivp = (uint8_t *)ctx->ccm_tmp; 794 bzero(ivp, block_size); 795 796 xor_block(ivp, mac_buf); 797 798 /* encrypt the nonce */ 799 encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf); 800 801 /* take care of the associated data, if any */ 802 if (auth_data_len == 0) { 803 return (CRYPTO_SUCCESS); 804 } 805 806 encode_adata_len(auth_data_len, encoded_a, &encoded_a_len); 807 808 remainder = auth_data_len; 809 810 /* 1st block: it contains encoded associated data, and some data */ 811 authp = (uint8_t *)ctx->ccm_tmp; 812 bzero(authp, block_size); 813 bcopy(encoded_a, authp, encoded_a_len); 814 processed = block_size - encoded_a_len; 815 if (processed > auth_data_len) { 816 /* in case auth_data is very small */ 817 processed = auth_data_len; 818 } 819 bcopy(auth_data, authp+encoded_a_len, processed); 820 /* xor with previous buffer */ 821 xor_block(authp, mac_buf); 822 encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf); 823 remainder -= processed; 824 if (remainder == 0) { 825 /* a small amount of associated data, it's all done now */ 826 return (CRYPTO_SUCCESS); 827 } 828 829 do { 830 if (remainder < block_size) { 831 /* 832 * There's not a block full of data, pad rest of 833 * buffer with zero 834 */ 835 bzero(authp, block_size); 836 bcopy(&(auth_data[processed]), authp, remainder); 837 datap = (uint8_t *)authp; 838 remainder = 0; 839 } else { 840 datap = (uint8_t *)(&(auth_data[processed])); 841 processed += block_size; 842 remainder -= block_size; 843 } 844 845 xor_block(datap, mac_buf); 846 encrypt_block(ctx->ccm_keysched, mac_buf, mac_buf); 847 848 } while (remainder > 0); 849 850 return (CRYPTO_SUCCESS); 851 } 852 853 int 854 ccm_init_ctx(ccm_ctx_t *ccm_ctx, char *param, int kmflag, 855 boolean_t is_encrypt_init, size_t block_size, 856 int (*encrypt_block)(const void *, const uint8_t *, uint8_t *), 857 void (*xor_block)(uint8_t *, uint8_t *)) 858 { 859 int rv; 860 CK_AES_CCM_PARAMS *ccm_param; 861 862 if (param != NULL) { 863 ccm_param = (CK_AES_CCM_PARAMS *)(void *)param; 864 865 if ((rv = ccm_validate_args(ccm_param, 866 is_encrypt_init)) != 0) { 867 return (rv); 868 } 869 870 ccm_ctx->ccm_mac_len = ccm_param->ulMACSize; 871 if (is_encrypt_init) { 872 ccm_ctx->ccm_data_len = ccm_param->ulDataSize; 873 } else { 874 ccm_ctx->ccm_data_len = 875 ccm_param->ulDataSize - ccm_ctx->ccm_mac_len; 876 ccm_ctx->ccm_processed_mac_len = 0; 877 } 878 ccm_ctx->ccm_processed_data_len = 0; 879 880 ccm_ctx->ccm_flags |= CCM_MODE; 881 } else { 882 rv = CRYPTO_MECHANISM_PARAM_INVALID; 883 goto out; 884 } 885 886 if (ccm_init(ccm_ctx, ccm_param->nonce, ccm_param->ulNonceSize, 887 ccm_param->authData, ccm_param->ulAuthDataSize, block_size, 888 encrypt_block, xor_block) != 0) { 889 rv = CRYPTO_MECHANISM_PARAM_INVALID; 890 goto out; 891 } 892 if (!is_encrypt_init) { 893 /* allocate buffer for storing decrypted plaintext */ 894 #ifdef _KERNEL 895 ccm_ctx->ccm_pt_buf = kmem_alloc(ccm_ctx->ccm_data_len, 896 kmflag); 897 #else 898 ccm_ctx->ccm_pt_buf = malloc(ccm_ctx->ccm_data_len); 899 #endif 900 if (ccm_ctx->ccm_pt_buf == NULL) { 901 rv = CRYPTO_HOST_MEMORY; 902 } 903 } 904 out: 905 return (rv); 906 } 907 908 void * 909 ccm_alloc_ctx(int kmflag) 910 { 911 ccm_ctx_t *ccm_ctx; 912 913 #ifdef _KERNEL 914 if ((ccm_ctx = kmem_zalloc(sizeof (ccm_ctx_t), kmflag)) == NULL) 915 #else 916 if ((ccm_ctx = calloc(1, sizeof (ccm_ctx_t))) == NULL) 917 #endif 918 return (NULL); 919 920 ccm_ctx->ccm_flags = CCM_MODE; 921 return (ccm_ctx); 922 } 923